From 9189f03055d4d55949fb897a1049b800327a312f Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Jul 25 2018 16:15:19 +0000 Subject: update to the latest 1.1.1 beta version --- diff --git a/.gitignore b/.gitignore index c5509e6..8bacadc 100644 --- a/.gitignore +++ b/.gitignore @@ -38,3 +38,4 @@ openssl-1.0.0a-usa.tar.bz2 /openssl-1.1.0f-hobbled.tar.xz /openssl-1.1.0g-hobbled.tar.xz /openssl-1.1.0h-hobbled.tar.xz +/openssl-1.1.1-pre8-hobbled.tar.xz diff --git a/ec_curve.c b/ec_curve.c index abee205..7303fe9 100644 --- a/ec_curve.c +++ b/ec_curve.c @@ -1,5 +1,6 @@ /* - * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,26 +8,12 @@ * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * - * Portions of the attached software ("Contribution") are developed by - * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. - * - * The Contribution is licensed pursuant to the OpenSSL open source - * license provided above. - * - * The elliptic curve binary polynomial software is originally written by - * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories. - * - */ - #include #include "ec_lcl.h" #include #include #include -#include "e_os.h" +#include "internal/nelem.h" typedef struct { int field_type, /* either NID_X9_62_prime_field or @@ -350,6 +337,8 @@ static EC_GROUP *ec_group_new_from_data(const ec_list_element curve) } #endif + EC_GROUP_set_curve_name(group, curve.nid); + if ((P = EC_POINT_new(group)) == NULL) { ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB); goto err; @@ -415,8 +404,6 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int nid) return NULL; } - EC_GROUP_set_curve_name(ret, nid); - return ret; } diff --git a/ectest.c b/ectest.c index de00680..c3ac7c6 100644 --- a/ectest.c +++ b/ectest.c @@ -1,5 +1,6 @@ /* - * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,38 +8,10 @@ * https://www.openssl.org/source/license.html */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * - * Portions of the attached software ("Contribution") are developed by - * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. - * - * The Contribution is licensed pursuant to the OpenSSL open source - * license provided above. - * - * The elliptic curve binary polynomial software is originally written by - * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories. - * - */ - -#include -#include -#ifdef FLAT_INC -# include "e_os.h" -#else -# include "../e_os.h" -#endif -#include -#include - -#ifdef OPENSSL_NO_EC -int main(int argc, char *argv[]) -{ - puts("Elliptic curves are disabled."); - return 0; -} -#else +#include "internal/nelem.h" +#include "testutil.h" +#ifndef OPENSSL_NO_EC # include # ifndef OPENSSL_NO_ENGINE # include @@ -50,119 +23,80 @@ int main(int argc, char *argv[]) # include # include -# if defined(_MSC_VER) && defined(_MIPS_) && (_MSC_VER/100==12) -/* suppress "too big too optimize" warning */ -# pragma warning(disable:4959) -# endif - -# define ABORT do { \ - fflush(stdout); \ - fprintf(stderr, "%s:%d: ABORT\n", __FILE__, __LINE__); \ - ERR_print_errors_fp(stderr); \ - EXIT(1); \ -} while (0) - -# define TIMING_BASE_PT 0 -# define TIMING_RAND_PT 1 -# define TIMING_SIMUL 2 +static size_t crv_len = 0; +static EC_builtin_curve *curves = NULL; /* test multiplication with group order, long and negative scalars */ -static void group_order_tests(EC_GROUP *group) +static int group_order_tests(EC_GROUP *group) { - BIGNUM *n1, *n2, *order; - EC_POINT *P = EC_POINT_new(group); - EC_POINT *Q = EC_POINT_new(group); - EC_POINT *R = EC_POINT_new(group); - EC_POINT *S = EC_POINT_new(group); - BN_CTX *ctx = BN_CTX_new(); - int i; - - n1 = BN_new(); - n2 = BN_new(); - order = BN_new(); - fprintf(stdout, "verify group order ..."); - fflush(stdout); - if (!EC_GROUP_get_order(group, order, ctx)) - ABORT; - if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) - ABORT; - if (!EC_POINT_is_at_infinity(group, Q)) - ABORT; - fprintf(stdout, "."); - fflush(stdout); - if (!EC_GROUP_precompute_mult(group, ctx)) - ABORT; - if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) - ABORT; - if (!EC_POINT_is_at_infinity(group, Q)) - ABORT; - fprintf(stdout, " ok\n"); - fprintf(stdout, "long/negative scalar tests "); + BIGNUM *n1 = NULL, *n2 = NULL, *order = NULL; + EC_POINT *P = NULL, *Q = NULL, *R = NULL, *S = NULL; + BN_CTX *ctx = NULL; + int i = 0, r = 0; + + if (!TEST_ptr(n1 = BN_new()) + || !TEST_ptr(n2 = BN_new()) + || !TEST_ptr(order = BN_new()) + || !TEST_ptr(ctx = BN_CTX_new()) + || !TEST_ptr(P = EC_POINT_new(group)) + || !TEST_ptr(Q = EC_POINT_new(group)) + || !TEST_ptr(R = EC_POINT_new(group)) + || !TEST_ptr(S = EC_POINT_new(group))) + goto err; + + if (!TEST_true(EC_GROUP_get_order(group, order, ctx)) + || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) + || !TEST_true(EC_POINT_is_at_infinity(group, Q)) + || !TEST_true(EC_GROUP_precompute_mult(group, ctx)) + || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) + || !TEST_true(EC_POINT_is_at_infinity(group, Q))) + goto err; + for (i = 1; i <= 2; i++) { const BIGNUM *scalars[6]; const EC_POINT *points[6]; - fprintf(stdout, i == 1 ? - "allowing precomputation ... " : - "without precomputation ... "); - if (!BN_set_word(n1, i)) - ABORT; - /* - * If i == 1, P will be the predefined generator for which - * EC_GROUP_precompute_mult has set up precomputation. - */ - if (!EC_POINT_mul(group, P, n1, NULL, NULL, ctx)) - ABORT; - - if (!BN_one(n1)) - ABORT; - /* n1 = 1 - order */ - if (!BN_sub(n1, n1, order)) - ABORT; - if (!EC_POINT_mul(group, Q, NULL, P, n1, ctx)) - ABORT; - if (0 != EC_POINT_cmp(group, Q, P, ctx)) - ABORT; - - /* n2 = 1 + order */ - if (!BN_add(n2, order, BN_value_one())) - ABORT; - if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) - ABORT; - if (0 != EC_POINT_cmp(group, Q, P, ctx)) - ABORT; - - /* n2 = (1 - order) * (1 + order) = 1 - order^2 */ - if (!BN_mul(n2, n1, n2, ctx)) - ABORT; - if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) - ABORT; - if (0 != EC_POINT_cmp(group, Q, P, ctx)) - ABORT; + if (!TEST_true(BN_set_word(n1, i)) + /* + * If i == 1, P will be the predefined generator for which + * EC_GROUP_precompute_mult has set up precomputation. + */ + || !TEST_true(EC_POINT_mul(group, P, n1, NULL, NULL, ctx)) + || !TEST_true(BN_one(n1)) + /* n1 = 1 - order */ + || !TEST_true(BN_sub(n1, n1, order)) + || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n1, ctx)) + || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)) + + /* n2 = 1 + order */ + || !TEST_true(BN_add(n2, order, BN_value_one())) + || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx)) + || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)) + + /* n2 = (1 - order) * (1 + order) = 1 - order^2 */ + || !TEST_true(BN_mul(n2, n1, n2, ctx)) + || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx)) + || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))) + goto err; /* n2 = order^2 - 1 */ BN_set_negative(n2, 0); - if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) - ABORT; - /* Add P to verify the result. */ - if (!EC_POINT_add(group, Q, Q, P, ctx)) - ABORT; - if (!EC_POINT_is_at_infinity(group, Q)) - ABORT; - - /* Exercise EC_POINTs_mul, including corner cases. */ - if (EC_POINT_is_at_infinity(group, P)) - ABORT; + if (!TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx)) + /* Add P to verify the result. */ + || !TEST_true(EC_POINT_add(group, Q, Q, P, ctx)) + || !TEST_true(EC_POINT_is_at_infinity(group, Q)) + + /* Exercise EC_POINTs_mul, including corner cases. */ + || !TEST_false(EC_POINT_is_at_infinity(group, P))) + goto err; scalars[0] = scalars[1] = BN_value_one(); points[0] = points[1] = P; - if (!EC_POINTs_mul(group, R, NULL, 2, points, scalars, ctx)) - ABORT; - if (!EC_POINT_dbl(group, S, points[0], ctx)) - ABORT; - if (0 != EC_POINT_cmp(group, R, S, ctx)) - ABORT; + if (!TEST_true(EC_POINTs_mul(group, R, NULL, 2, points, scalars, ctx)) + || !TEST_true(EC_POINT_dbl(group, S, points[0], ctx)) + || !TEST_int_eq(0, EC_POINT_cmp(group, R, S, ctx))) + goto err; scalars[0] = n1; points[0] = Q; /* => infinity */ @@ -176,13 +110,16 @@ static void group_order_tests(EC_GROUP *group) points[4] = P; /* => P */ scalars[5] = n2; points[5] = Q; /* => infinity */ - if (!EC_POINTs_mul(group, P, NULL, 6, points, scalars, ctx)) - ABORT; - if (!EC_POINT_is_at_infinity(group, P)) - ABORT; + if (!TEST_true(EC_POINTs_mul(group, P, NULL, 6, points, scalars, ctx)) + || !TEST_true(EC_POINT_is_at_infinity(group, P))) + goto err; } - fprintf(stdout, "ok\n"); + r = 1; +err: + if (r == 0 && i != 0) + TEST_info(i == 1 ? "allowing precomputation" : + "without precomputation"); EC_POINT_free(P); EC_POINT_free(Q); EC_POINT_free(R); @@ -191,427 +128,306 @@ static void group_order_tests(EC_GROUP *group) BN_free(n2); BN_free(order); BN_CTX_free(ctx); + return r; } -static void prime_field_tests(void) +static int prime_field_tests(void) { BN_CTX *ctx = NULL; - BIGNUM *p, *a, *b; - EC_GROUP *group; - EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL, *P_256 = - NULL, *P_384 = NULL, *P_521 = NULL; - EC_POINT *P, *Q, *R; - BIGNUM *x, *y, *z, *yplusone; + BIGNUM *p = NULL, *a = NULL, *b = NULL, *scalar3 = NULL; + EC_GROUP *group = NULL, *tmp = NULL; + EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL, + *P_256 = NULL, *P_384 = NULL, *P_521 = NULL; + EC_POINT *P = NULL, *Q = NULL, *R = NULL; + BIGNUM *x = NULL, *y = NULL, *z = NULL, *yplusone = NULL; + const EC_POINT *points[4]; + const BIGNUM *scalars[4]; unsigned char buf[100]; - size_t i, len; + size_t len, r = 0; int k; - ctx = BN_CTX_new(); - if (!ctx) - ABORT; - - p = BN_new(); - a = BN_new(); - b = BN_new(); - if (!p || !a || !b) - ABORT; - - group = EC_GROUP_new(EC_GFp_mont_method()); /* applications should use - * EC_GROUP_new_curve_GFp so - * that the library gets to - * choose the EC_METHOD */ - if (!group) - ABORT; - - P = EC_POINT_new(group); - Q = EC_POINT_new(group); - R = EC_POINT_new(group); - if (!P || !Q || !R) - ABORT; - - x = BN_new(); - y = BN_new(); - z = BN_new(); - yplusone = BN_new(); - if (x == NULL || y == NULL || z == NULL || yplusone == NULL) - ABORT; + if (!TEST_ptr(ctx = BN_CTX_new()) + || !TEST_ptr(p = BN_new()) + || !TEST_ptr(a = BN_new()) + || !TEST_ptr(b = BN_new()) + /* + * applications should use EC_GROUP_new_curve_GFp so + * that the library gets to choose the EC_METHOD + */ + || !TEST_ptr(group = EC_GROUP_new(EC_GFp_mont_method())) + || !TEST_ptr(tmp = EC_GROUP_new(EC_GROUP_method_of(group))) + || !TEST_true(EC_GROUP_copy(tmp, group))) + goto err; + EC_GROUP_free(group); + group = tmp; + tmp = NULL; + + buf[0] = 0; + if (!TEST_ptr(P = EC_POINT_new(group)) + || !TEST_ptr(Q = EC_POINT_new(group)) + || !TEST_ptr(R = EC_POINT_new(group)) + || !TEST_ptr(x = BN_new()) + || !TEST_ptr(y = BN_new()) + || !TEST_ptr(z = BN_new()) + || !TEST_ptr(yplusone = BN_new())) + goto err; /* Curve P-224 (FIPS PUB 186-2, App. 6) */ - if (!BN_hex2bn - (&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001")) - ABORT; - if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) - ABORT; - if (!BN_hex2bn - (&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE")) - ABORT; - if (!BN_hex2bn - (&b, "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4")) - ABORT; - if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) - ABORT; - - if (!BN_hex2bn - (&x, "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21")) - ABORT; - if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx)) - ABORT; - if (EC_POINT_is_on_curve(group, P, ctx) <= 0) - ABORT; - if (!BN_hex2bn - (&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D")) - ABORT; - if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) - ABORT; - - if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) - ABORT; - fprintf(stdout, "\nNIST curve P-224 -- Generator:\n x = 0x"); - BN_print_fp(stdout, x); - fprintf(stdout, "\n y = 0x"); - BN_print_fp(stdout, y); - fprintf(stdout, "\n"); + if (!TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFF000000000000000000000001")) + || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) + || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE")) + || !TEST_true(BN_hex2bn(&b, "B4050A850C04B3ABF5413256" + "5044B0B7D7BFD8BA270B39432355FFB4")) + || !TEST_true(EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) + || !TEST_true(BN_hex2bn(&x, "B70E0CBD6BB4BF7F321390B9" + "4A03C1D356C21122343280D6115C1D21")) + || !TEST_true(EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, + ctx)) + || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) + || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF" + "FFFF16A2E0B8F03E13DD29455C5C2A3D")) + || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) + || !TEST_true(EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx))) + goto err; + + TEST_info("NIST curve P-224 -- Generator"); + test_output_bignum("x", x); + test_output_bignum("y", y); /* G_y value taken from the standard: */ - if (!BN_hex2bn - (&z, "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34")) - ABORT; - if (0 != BN_cmp(y, z)) - ABORT; - - if (!BN_add(yplusone, y, BN_value_one())) - ABORT; + if (!TEST_true(BN_hex2bn(&z, "BD376388B5F723FB4C22DFE6" + "CD4375A05A07476444D5819985007E34")) + || !TEST_BN_eq(y, z) + || !TEST_true(BN_add(yplusone, y, BN_value_one())) /* * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, * and therefore setting the coordinates should fail. */ - if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) - ABORT; - - fprintf(stdout, "verify degree ..."); - if (EC_GROUP_get_degree(group) != 224) - ABORT; - fprintf(stdout, " ok\n"); - - group_order_tests(group); - - if ((P_224 = EC_GROUP_new(EC_GROUP_method_of(group))) == NULL) - ABORT; - if (!EC_GROUP_copy(P_224, group)) - ABORT; + || !TEST_false(EC_POINT_set_affine_coordinates_GFp(group, P, x, + yplusone, ctx)) + || !TEST_int_eq(EC_GROUP_get_degree(group), 224) + || !group_order_tests(group) + || !TEST_ptr(P_224 = EC_GROUP_new(EC_GROUP_method_of(group))) + || !TEST_true(EC_GROUP_copy(P_224, group)) /* Curve P-256 (FIPS PUB 186-2, App. 6) */ - if (!BN_hex2bn - (&p, - "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF")) - ABORT; - if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) - ABORT; - if (!BN_hex2bn - (&a, - "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC")) - ABORT; - if (!BN_hex2bn - (&b, - "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B")) - ABORT; - if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) - ABORT; - - if (!BN_hex2bn - (&x, - "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296")) - ABORT; - if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) - ABORT; - if (EC_POINT_is_on_curve(group, P, ctx) <= 0) - ABORT; - if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E" - "84F3B9CAC2FC632551")) - ABORT; - if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) - ABORT; - - if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) - ABORT; - fprintf(stdout, "\nNIST curve P-256 -- Generator:\n x = 0x"); - BN_print_fp(stdout, x); - fprintf(stdout, "\n y = 0x"); - BN_print_fp(stdout, y); - fprintf(stdout, "\n"); + || !TEST_true(BN_hex2bn(&p, "FFFFFFFF000000010000000000000000" + "00000000FFFFFFFFFFFFFFFFFFFFFFFF")) + || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) + || !TEST_true(BN_hex2bn(&a, "FFFFFFFF000000010000000000000000" + "00000000FFFFFFFFFFFFFFFFFFFFFFFC")) + || !TEST_true(BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC" + "651D06B0CC53B0F63BCE3C3E27D2604B")) + || !TEST_true(EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) + + || !TEST_true(BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F2" + "77037D812DEB33A0F4A13945D898C296")) + || !TEST_true(EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, + ctx)) + || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) + || !TEST_true(BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFF" + "BCE6FAADA7179E84F3B9CAC2FC632551")) + || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) + || !TEST_true(EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx))) + goto err; + + TEST_info("NIST curve P-256 -- Generator"); + test_output_bignum("x", x); + test_output_bignum("y", y); /* G_y value taken from the standard: */ - if (!BN_hex2bn - (&z, - "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5")) - ABORT; - if (0 != BN_cmp(y, z)) - ABORT; - - if (!BN_add(yplusone, y, BN_value_one())) - ABORT; + if (!TEST_true(BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E16" + "2BCE33576B315ECECBB6406837BF51F5")) + || !TEST_BN_eq(y, z) + || !TEST_true(BN_add(yplusone, y, BN_value_one())) /* * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, * and therefore setting the coordinates should fail. */ - if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) - ABORT; - - fprintf(stdout, "verify degree ..."); - if (EC_GROUP_get_degree(group) != 256) - ABORT; - fprintf(stdout, " ok\n"); - - group_order_tests(group); - - if ((P_256 = EC_GROUP_new(EC_GROUP_method_of(group))) == NULL) - ABORT; - if (!EC_GROUP_copy(P_256, group)) - ABORT; + || !TEST_false(EC_POINT_set_affine_coordinates_GFp(group, P, x, + yplusone, ctx)) + || !TEST_int_eq(EC_GROUP_get_degree(group), 256) + || !group_order_tests(group) + || !TEST_ptr(P_256 = EC_GROUP_new(EC_GROUP_method_of(group))) + || !TEST_true(EC_GROUP_copy(P_256, group)) /* Curve P-384 (FIPS PUB 186-2, App. 6) */ - if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF")) - ABORT; - if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) - ABORT; - if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC")) - ABORT; - if (!BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141" - "120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF")) - ABORT; - if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) - ABORT; - - if (!BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B" - "9859F741E082542A385502F25DBF55296C3A545E3872760AB7")) - ABORT; - if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) - ABORT; - if (EC_POINT_is_on_curve(group, P, ctx) <= 0) - ABORT; - if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973")) - ABORT; - if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) - ABORT; - - if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) - ABORT; - fprintf(stdout, "\nNIST curve P-384 -- Generator:\n x = 0x"); - BN_print_fp(stdout, x); - fprintf(stdout, "\n y = 0x"); - BN_print_fp(stdout, y); - fprintf(stdout, "\n"); + || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" + "FFFFFFFF0000000000000000FFFFFFFF")) + || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) + || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" + "FFFFFFFF0000000000000000FFFFFFFC")) + || !TEST_true(BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19" + "181D9C6EFE8141120314088F5013875A" + "C656398D8A2ED19D2A85C8EDD3EC2AEF")) + || !TEST_true(EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) + + || !TEST_true(BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD74" + "6E1D3B628BA79B9859F741E082542A38" + "5502F25DBF55296C3A545E3872760AB7")) + || !TEST_true(EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, + ctx)) + || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) + || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFC7634D81F4372DDF" + "581A0DB248B0A77AECEC196ACCC52973")) + || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) + || !TEST_true(EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx))) + goto err; + + TEST_info("NIST curve P-384 -- Generator"); + test_output_bignum("x", x); + test_output_bignum("y", y); /* G_y value taken from the standard: */ - if (!BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A14" - "7CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F")) - ABORT; - if (0 != BN_cmp(y, z)) - ABORT; - - if (!BN_add(yplusone, y, BN_value_one())) - ABORT; + if (!TEST_true(BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29" + "F8F41DBD289A147CE9DA3113B5F0B8C0" + "0A60B1CE1D7E819D7A431D7C90EA0E5F")) + || !TEST_BN_eq(y, z) + || !TEST_true(BN_add(yplusone, y, BN_value_one())) /* * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, * and therefore setting the coordinates should fail. */ - if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) - ABORT; - - fprintf(stdout, "verify degree ..."); - if (EC_GROUP_get_degree(group) != 384) - ABORT; - fprintf(stdout, " ok\n"); - - group_order_tests(group); - - if ((P_384 = EC_GROUP_new(EC_GROUP_method_of(group))) == NULL) - ABORT; - if (!EC_GROUP_copy(P_384, group)) - ABORT; + || !TEST_false(EC_POINT_set_affine_coordinates_GFp(group, P, x, + yplusone, ctx)) + || !TEST_int_eq(EC_GROUP_get_degree(group), 384) + || !group_order_tests(group) + || !TEST_ptr(P_384 = EC_GROUP_new(EC_GROUP_method_of(group))) + || !TEST_true(EC_GROUP_copy(P_384, group)) /* Curve P-521 (FIPS PUB 186-2, App. 6) */ - - if (!BN_hex2bn(&p, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFF")) - ABORT; - if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) - ABORT; - if (!BN_hex2bn(&a, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFC")) - ABORT; - if (!BN_hex2bn(&b, "051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B" - "315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573" - "DF883D2C34F1EF451FD46B503F00")) - ABORT; - if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) - ABORT; - - if (!BN_hex2bn(&x, "C6858E06B70404E9CD9E3ECB662395B4429C648139053F" - "B521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B" - "3C1856A429BF97E7E31C2E5BD66")) - ABORT; - if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx)) - ABORT; - if (EC_POINT_is_on_curve(group, P, ctx) <= 0) - ABORT; - if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5" - "C9B8899C47AEBB6FB71E91386409")) - ABORT; - if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) - ABORT; - - if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) - ABORT; - fprintf(stdout, "\nNIST curve P-521 -- Generator:\n x = 0x"); - BN_print_fp(stdout, x); - fprintf(stdout, "\n y = 0x"); - BN_print_fp(stdout, y); - fprintf(stdout, "\n"); + || !TEST_true(BN_hex2bn(&p, "1FF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")) + || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) + || !TEST_true(BN_hex2bn(&a, "1FF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC")) + || !TEST_true(BN_hex2bn(&b, "051" + "953EB9618E1C9A1F929A21A0B68540EE" + "A2DA725B99B315F3B8B489918EF109E1" + "56193951EC7E937B1652C0BD3BB1BF07" + "3573DF883D2C34F1EF451FD46B503F00")) + || !TEST_true(EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) + || !TEST_true(BN_hex2bn(&x, "C6" + "858E06B70404E9CD9E3ECB662395B442" + "9C648139053FB521F828AF606B4D3DBA" + "A14B5E77EFE75928FE1DC127A2FFA8DE" + "3348B3C1856A429BF97E7E31C2E5BD66")) + || !TEST_true(EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, + ctx)) + || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) + || !TEST_true(BN_hex2bn(&z, "1FF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA" + "51868783BF2F966B7FCC0148F709A5D0" + "3BB5C9B8899C47AEBB6FB71E91386409")) + || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) + || !TEST_true(EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx))) + goto err; + + TEST_info("NIST curve P-521 -- Generator"); + test_output_bignum("x", x); + test_output_bignum("y", y); /* G_y value taken from the standard: */ - if (!BN_hex2bn(&z, "11839296A789A3BC0045C8A5FB42C7D1BD998F54449579" - "B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C" - "7086A272C24088BE94769FD16650")) - ABORT; - if (0 != BN_cmp(y, z)) - ABORT; - - if (!BN_add(yplusone, y, BN_value_one())) - ABORT; + if (!TEST_true(BN_hex2bn(&z, "118" + "39296A789A3BC0045C8A5FB42C7D1BD9" + "98F54449579B446817AFBD17273E662C" + "97EE72995EF42640C550B9013FAD0761" + "353C7086A272C24088BE94769FD16650")) + || !TEST_BN_eq(y, z) + || !TEST_true(BN_add(yplusone, y, BN_value_one())) /* * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, * and therefore setting the coordinates should fail. */ - if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) - ABORT; - - fprintf(stdout, "verify degree ..."); - if (EC_GROUP_get_degree(group) != 521) - ABORT; - fprintf(stdout, " ok\n"); - - group_order_tests(group); - - if ((P_521 = EC_GROUP_new(EC_GROUP_method_of(group))) == NULL) - ABORT; - if (!EC_GROUP_copy(P_521, group)) - ABORT; + || !TEST_false(EC_POINT_set_affine_coordinates_GFp(group, P, x, + yplusone, ctx)) + || !TEST_int_eq(EC_GROUP_get_degree(group), 521) + || !group_order_tests(group) + || !TEST_ptr(P_521 = EC_GROUP_new(EC_GROUP_method_of(group))) + || !TEST_true(EC_GROUP_copy(P_521, group)) /* more tests using the last curve */ /* Restore the point that got mangled in the (x, y + 1) test. */ - if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) - ABORT; - - if (!EC_POINT_copy(Q, P)) - ABORT; - if (EC_POINT_is_at_infinity(group, Q)) - ABORT; - if (!EC_POINT_dbl(group, P, P, ctx)) - ABORT; - if (EC_POINT_is_on_curve(group, P, ctx) <= 0) - ABORT; - if (!EC_POINT_invert(group, Q, ctx)) - ABORT; /* P = -2Q */ - - if (!EC_POINT_add(group, R, P, Q, ctx)) - ABORT; - if (!EC_POINT_add(group, R, R, Q, ctx)) - ABORT; - if (!EC_POINT_is_at_infinity(group, R)) - ABORT; /* R = P + 2Q */ - - { - const EC_POINT *points[4]; - const BIGNUM *scalars[4]; - BIGNUM *scalar3; - - if (EC_POINT_is_at_infinity(group, Q)) - ABORT; - points[0] = Q; - points[1] = Q; - points[2] = Q; - points[3] = Q; - - if (!EC_GROUP_get_order(group, z, ctx)) - ABORT; - if (!BN_add(y, z, BN_value_one())) - ABORT; - if (BN_is_odd(y)) - ABORT; - if (!BN_rshift1(y, y)) - ABORT; - scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */ - scalars[1] = y; - - fprintf(stdout, "combined multiplication ..."); - fflush(stdout); - - /* z is still the group order */ - if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) - ABORT; - if (!EC_POINTs_mul(group, R, z, 2, points, scalars, ctx)) - ABORT; - if (0 != EC_POINT_cmp(group, P, R, ctx)) - ABORT; - if (0 != EC_POINT_cmp(group, R, Q, ctx)) - ABORT; - - fprintf(stdout, "."); - fflush(stdout); - - if (!BN_pseudo_rand(y, BN_num_bits(y), 0, 0)) - ABORT; - if (!BN_add(z, z, y)) - ABORT; - BN_set_negative(z, 1); - scalars[0] = y; - scalars[1] = z; /* z = -(order + y) */ - - if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) - ABORT; - if (!EC_POINT_is_at_infinity(group, P)) - ABORT; - - fprintf(stdout, "."); - fflush(stdout); - - if (!BN_pseudo_rand(x, BN_num_bits(y) - 1, 0, 0)) - ABORT; - if (!BN_add(z, x, y)) - ABORT; - BN_set_negative(z, 1); - scalars[0] = x; - scalars[1] = y; - scalars[2] = z; /* z = -(x+y) */ - - scalar3 = BN_new(); - if (!scalar3) - ABORT; - BN_zero(scalar3); - scalars[3] = scalar3; - - if (!EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx)) - ABORT; - if (!EC_POINT_is_at_infinity(group, P)) - ABORT; - - fprintf(stdout, " ok\n\n"); - - BN_free(scalar3); - } - + || !TEST_true(EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) + || !TEST_true(EC_POINT_copy(Q, P)) + || !TEST_false(EC_POINT_is_at_infinity(group, Q)) + || !TEST_true(EC_POINT_dbl(group, P, P, ctx)) + || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) + || !TEST_true(EC_POINT_invert(group, Q, ctx)) /* P = -2Q */ + || !TEST_true(EC_POINT_add(group, R, P, Q, ctx)) + || !TEST_true(EC_POINT_add(group, R, R, Q, ctx)) + || !TEST_true(EC_POINT_is_at_infinity(group, R)) /* R = P + 2Q */ + || !TEST_false(EC_POINT_is_at_infinity(group, Q))) + goto err; + points[0] = Q; + points[1] = Q; + points[2] = Q; + points[3] = Q; + + if (!TEST_true(EC_GROUP_get_order(group, z, ctx)) + || !TEST_true(BN_add(y, z, BN_value_one())) + || !TEST_BN_even(y) + || !TEST_true(BN_rshift1(y, y))) + goto err; + scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */ + scalars[1] = y; + + TEST_note("combined multiplication ..."); + + /* z is still the group order */ + if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) + || !TEST_true(EC_POINTs_mul(group, R, z, 2, points, scalars, ctx)) + || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx)) + || !TEST_int_eq(0, EC_POINT_cmp(group, R, Q, ctx)) + || !TEST_true(BN_rand(y, BN_num_bits(y), 0, 0)) + || !TEST_true(BN_add(z, z, y))) + goto err; + BN_set_negative(z, 1); + scalars[0] = y; + scalars[1] = z; /* z = -(order + y) */ + + if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) + || !TEST_true(EC_POINT_is_at_infinity(group, P)) + || !TEST_true(BN_rand(x, BN_num_bits(y) - 1, 0, 0)) + || !TEST_true(BN_add(z, x, y))) + goto err; + BN_set_negative(z, 1); + scalars[0] = x; + scalars[1] = y; + scalars[2] = z; /* z = -(x+y) */ + + if (!TEST_ptr(scalar3 = BN_new())) + goto err; + BN_zero(scalar3); + scalars[3] = scalar3; + + if (!TEST_true(EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx)) + || !TEST_true(EC_POINT_is_at_infinity(group, P))) + goto err; + + TEST_note(" ok\n"); + + + r = 1; +err: BN_CTX_free(ctx); BN_free(p); BN_free(a); BN_free(b); EC_GROUP_free(group); + EC_GROUP_free(tmp); EC_POINT_free(P); EC_POINT_free(Q); EC_POINT_free(R); @@ -619,82 +435,46 @@ static void prime_field_tests(void) BN_free(y); BN_free(z); BN_free(yplusone); + BN_free(scalar3); EC_GROUP_free(P_224); EC_GROUP_free(P_256); EC_GROUP_free(P_384); EC_GROUP_free(P_521); - + return r; } -static void internal_curve_test(void) +static int internal_curve_test(int n) { - EC_builtin_curve *curves = NULL; - size_t crv_len = 0, n = 0; - int ok = 1; + EC_GROUP *group = NULL; + int nid = curves[n].nid; - crv_len = EC_get_builtin_curves(NULL, 0); - curves = OPENSSL_malloc(sizeof(*curves) * crv_len); - if (curves == NULL) - return; - - if (!EC_get_builtin_curves(curves, crv_len)) { - OPENSSL_free(curves); - return; + if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) { + TEST_info("EC_GROUP_new_curve_name() failed with curve %s\n", + OBJ_nid2sn(nid)); + return 0; } - - fprintf(stdout, "testing internal curves: "); - - for (n = 0; n < crv_len; n++) { - EC_GROUP *group = NULL; - int nid = curves[n].nid; - if ((group = EC_GROUP_new_by_curve_name(nid)) == NULL) { - ok = 0; - fprintf(stdout, "\nEC_GROUP_new_curve_name() failed with" - " curve %s\n", OBJ_nid2sn(nid)); - /* try next curve */ - continue; - } - if (!EC_GROUP_check(group, NULL)) { - ok = 0; - fprintf(stdout, "\nEC_GROUP_check() failed with" - " curve %s\n", OBJ_nid2sn(nid)); - EC_GROUP_free(group); - /* try the next curve */ - continue; - } - fprintf(stdout, "."); - fflush(stdout); + if (!TEST_true(EC_GROUP_check(group, NULL))) { + TEST_info("EC_GROUP_check() failed with curve %s\n", OBJ_nid2sn(nid)); EC_GROUP_free(group); + return 0; } - if (ok) - fprintf(stdout, " ok\n\n"); - else { - fprintf(stdout, " failed\n\n"); - ABORT; - } + EC_GROUP_free(group); + return 1; +} - /* Test all built-in curves and let the library choose the EC_METHOD */ - for (n = 0; n < crv_len; n++) { - EC_GROUP *group = NULL; - int nid = curves[n].nid; - /* - * Skip for X25519 because low level operations such as EC_POINT_mul() - * are not supported for this curve - */ - if (nid == NID_X25519) - continue; - fprintf(stdout, "%s:\n", OBJ_nid2sn(nid)); - fflush(stdout); - if ((group = EC_GROUP_new_by_curve_name(nid)) == NULL) { - ABORT; - } - group_order_tests(group); - EC_GROUP_free(group); - } +static int internal_curve_test_method(int n) +{ + int r, nid = curves[n].nid; + EC_GROUP *group; - OPENSSL_free(curves); - return; + if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) { + TEST_info("Curve %s failed\n", OBJ_nid2sn(nid)); + return 0; + } + r = group_order_tests(group); + EC_GROUP_free(group); + return r; } # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 @@ -715,6 +495,29 @@ struct nistp_test_params { static const struct nistp_test_params nistp_tests_params[] = { { + /* P-224 */ + EC_GFp_nistp224_method, + 224, + /* p */ + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001", + /* a */ + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE", + /* b */ + "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4", + /* Qx */ + "E84FB0B8E7000CB657D7973CF6B42ED78B301674276DF744AF130B3E", + /* Qy */ + "4376675C6FC5612C21A0FF2D2A89D2987DF7A2BC52183B5982298555", + /* Gx */ + "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21", + /* Gy */ + "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34", + /* order */ + "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D", + /* d */ + "3F0C488E987C80BE0FEE521F8D90BE6034EC69AE11CA72AA777481E8", + }, + { /* P-256 */ EC_GFp_nistp256_method, 256, @@ -742,160 +545,165 @@ static const struct nistp_test_params nistp_tests_params[] = { EC_GFp_nistp521_method, 521, /* p */ - "1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "1ff" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", /* a */ - "1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc", + "1ff" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc", /* b */ - "051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00", + "051" + "953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e1" + "56193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00", /* Qx */ - "0098e91eef9a68452822309c52fab453f5f117c1da8ed796b255e9ab8f6410cca16e59df403a6bdc6ca467a37056b1e54b3005d8ac030decfeb68df18b171885d5c4", + "0098" + "e91eef9a68452822309c52fab453f5f117c1da8ed796b255e9ab8f6410cca16e" + "59df403a6bdc6ca467a37056b1e54b3005d8ac030decfeb68df18b171885d5c4", /* Qy */ - "0164350c321aecfc1cca1ba4364c9b15656150b4b78d6a48d7d28e7f31985ef17be8554376b72900712c4b83ad668327231526e313f5f092999a4632fd50d946bc2e", + "0164" + "350c321aecfc1cca1ba4364c9b15656150b4b78d6a48d7d28e7f31985ef17be8" + "554376b72900712c4b83ad668327231526e313f5f092999a4632fd50d946bc2e", /* Gx */ - "c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", + "c6" + "858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dba" + "a14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", /* Gy */ - "11839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650", + "118" + "39296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c" + "97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650", /* order */ - "1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409", + "1ff" + "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa" + "51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409", /* d */ - "0100085f47b8e1b8b11b7eb33028c0b2888e304bfc98501955b45bba1478dc184eeedf09b86a5f7c21994406072787205e69a63709fe35aa93ba333514b24f961722", + "0100" + "085f47b8e1b8b11b7eb33028c0b2888e304bfc98501955b45bba1478dc184eee" + "df09b86a5f7c21994406072787205e69a63709fe35aa93ba333514b24f961722", }, }; -static void nistp_single_test(const struct nistp_test_params *test) +static int nistp_single_test(int idx) { - BN_CTX *ctx; - BIGNUM *p, *a, *b, *x, *y, *n, *m, *order, *yplusone; - EC_GROUP *NISTP; - EC_POINT *G, *P, *Q, *Q_CHECK; - - fprintf(stdout, "\nNIST curve P-%d (optimised implementation):\n", - test->degree); - ctx = BN_CTX_new(); - p = BN_new(); - a = BN_new(); - b = BN_new(); - x = BN_new(); - y = BN_new(); - m = BN_new(); - n = BN_new(); - order = BN_new(); - yplusone = BN_new(); - - NISTP = EC_GROUP_new(test->meth()); - if (!NISTP) - ABORT; - if (!BN_hex2bn(&p, test->p)) - ABORT; - if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) - ABORT; - if (!BN_hex2bn(&a, test->a)) - ABORT; - if (!BN_hex2bn(&b, test->b)) - ABORT; - if (!EC_GROUP_set_curve_GFp(NISTP, p, a, b, ctx)) - ABORT; - G = EC_POINT_new(NISTP); - P = EC_POINT_new(NISTP); - Q = EC_POINT_new(NISTP); - Q_CHECK = EC_POINT_new(NISTP); - if (!BN_hex2bn(&x, test->Qx)) - ABORT; - if (!BN_hex2bn(&y, test->Qy)) - ABORT; - if (!BN_add(yplusone, y, BN_value_one())) - ABORT; + const struct nistp_test_params *test = nistp_tests_params + idx; + BN_CTX *ctx = NULL; + BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL; + BIGNUM *n = NULL, *m = NULL, *order = NULL, *yplusone = NULL; + EC_GROUP *NISTP = NULL; + EC_POINT *G = NULL, *P = NULL, *Q = NULL, *Q_CHECK = NULL; + int r = 0; + + TEST_note("NIST curve P-%d (optimised implementation):", + test->degree); + if (!TEST_ptr(ctx = BN_CTX_new()) + || !TEST_ptr(p = BN_new()) + || !TEST_ptr(a = BN_new()) + || !TEST_ptr(b = BN_new()) + || !TEST_ptr(x = BN_new()) + || !TEST_ptr(y = BN_new()) + || !TEST_ptr(m = BN_new()) + || !TEST_ptr(n = BN_new()) + || !TEST_ptr(order = BN_new()) + || !TEST_ptr(yplusone = BN_new()) + + || !TEST_ptr(NISTP = EC_GROUP_new(test->meth())) + || !TEST_true(BN_hex2bn(&p, test->p)) + || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) + || !TEST_true(BN_hex2bn(&a, test->a)) + || !TEST_true(BN_hex2bn(&b, test->b)) + || !TEST_true(EC_GROUP_set_curve_GFp(NISTP, p, a, b, ctx)) + || !TEST_ptr(G = EC_POINT_new(NISTP)) + || !TEST_ptr(P = EC_POINT_new(NISTP)) + || !TEST_ptr(Q = EC_POINT_new(NISTP)) + || !TEST_ptr(Q_CHECK = EC_POINT_new(NISTP)) + || !TEST_true(BN_hex2bn(&x, test->Qx)) + || !TEST_true(BN_hex2bn(&y, test->Qy)) + || !TEST_true(BN_add(yplusone, y, BN_value_one())) /* * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, * and therefore setting the coordinates should fail. */ - if (EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, yplusone, ctx)) - ABORT; - if (!EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, y, ctx)) - ABORT; - if (!BN_hex2bn(&x, test->Gx)) - ABORT; - if (!BN_hex2bn(&y, test->Gy)) - ABORT; - if (!EC_POINT_set_affine_coordinates_GFp(NISTP, G, x, y, ctx)) - ABORT; - if (!BN_hex2bn(&order, test->order)) - ABORT; - if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one())) - ABORT; - - fprintf(stdout, "verify degree ... "); - if (EC_GROUP_get_degree(NISTP) != test->degree) - ABORT; - fprintf(stdout, "ok\n"); - - fprintf(stdout, "NIST test vectors ... "); - if (!BN_hex2bn(&n, test->d)) - ABORT; + || !TEST_false(EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, + yplusone, ctx)) + || !TEST_true(EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, y, + ctx)) + || !TEST_true(BN_hex2bn(&x, test->Gx)) + || !TEST_true(BN_hex2bn(&y, test->Gy)) + || !TEST_true(EC_POINT_set_affine_coordinates_GFp(NISTP, G, x, y, ctx)) + || !TEST_true(BN_hex2bn(&order, test->order)) + || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one())) + || !TEST_int_eq(EC_GROUP_get_degree(NISTP), test->degree)) + goto err; + + TEST_note("NIST test vectors ... "); + if (!TEST_true(BN_hex2bn(&n, test->d))) + goto err; /* fixed point multiplication */ EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx); - if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) - ABORT; + if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))) + goto err; /* random point multiplication */ EC_POINT_mul(NISTP, Q, NULL, G, n, ctx); - if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) - ABORT; - - /* set generator to P = 2*G, where G is the standard generator */ - if (!EC_POINT_dbl(NISTP, P, G, ctx)) - ABORT; - if (!EC_GROUP_set_generator(NISTP, P, order, BN_value_one())) - ABORT; - /* set the scalar to m=n/2, where n is the NIST test scalar */ - if (!BN_rshift(m, n, 1)) - ABORT; + if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) + + /* set generator to P = 2*G, where G is the standard generator */ + || !TEST_true(EC_POINT_dbl(NISTP, P, G, ctx)) + || !TEST_true(EC_GROUP_set_generator(NISTP, P, order, BN_value_one())) + /* set the scalar to m=n/2, where n is the NIST test scalar */ + || !TEST_true(BN_rshift(m, n, 1))) + goto err; /* test the non-standard generator */ /* fixed point multiplication */ EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx); - if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) - ABORT; + if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))) + goto err; /* random point multiplication */ EC_POINT_mul(NISTP, Q, NULL, P, m, ctx); - if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) - ABORT; + if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) /* * We have not performed precomputation so have_precompute mult should be * false */ - if (EC_GROUP_have_precompute_mult(NISTP)) - ABORT; + || !TEST_false(EC_GROUP_have_precompute_mult(NISTP)) /* now repeat all tests with precomputation */ - if (!EC_GROUP_precompute_mult(NISTP, ctx)) - ABORT; - if (!EC_GROUP_have_precompute_mult(NISTP)) - ABORT; + || !TEST_true(EC_GROUP_precompute_mult(NISTP, ctx)) + || !TEST_true(EC_GROUP_have_precompute_mult(NISTP))) + goto err; /* fixed point multiplication */ EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx); - if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) - ABORT; + if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))) + goto err; /* random point multiplication */ EC_POINT_mul(NISTP, Q, NULL, P, m, ctx); - if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) - ABORT; + if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) /* reset generator */ - if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one())) - ABORT; + || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))) + goto err; /* fixed point multiplication */ EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx); - if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) - ABORT; + if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))) + goto err; /* random point multiplication */ EC_POINT_mul(NISTP, Q, NULL, G, n, ctx); - if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) - ABORT; - - fprintf(stdout, "ok\n"); - group_order_tests(NISTP); + if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))) + goto err; + + /* regression test for felem_neg bug */ + if (!TEST_true(BN_set_word(m, 32)) + || !TEST_true(BN_set_word(n, 31)) + || !TEST_true(EC_POINT_copy(P, G)) + || !TEST_true(EC_POINT_invert(NISTP, P, ctx)) + || !TEST_true(EC_POINT_mul(NISTP, Q, m, P, n, ctx)) + || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, G, ctx))) + goto err; + + r = group_order_tests(NISTP); +err: EC_GROUP_free(NISTP); EC_POINT_free(G); EC_POINT_free(P); @@ -911,77 +719,125 @@ static void nistp_single_test(const struct nistp_test_params *test) BN_free(order); BN_free(yplusone); BN_CTX_free(ctx); + return r; } +# endif -static void nistp_tests() -{ - unsigned i; +static const unsigned char p521_named[] = { + 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23, +}; - for (i = 0; i < OSSL_NELEM(nistp_tests_params); i++) { - nistp_single_test(&nistp_tests_params[i]); - } -} -# endif +static const unsigned char p521_explicit[] = { + 0x30, 0x82, 0x01, 0xc3, 0x02, 0x01, 0x01, 0x30, 0x4d, 0x06, 0x07, 0x2a, + 0x86, 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x42, 0x01, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0x30, 0x81, 0x9f, 0x04, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xfc, 0x04, 0x42, 0x00, 0x51, 0x95, 0x3e, 0xb9, 0x61, 0x8e, 0x1c, 0x9a, + 0x1f, 0x92, 0x9a, 0x21, 0xa0, 0xb6, 0x85, 0x40, 0xee, 0xa2, 0xda, 0x72, + 0x5b, 0x99, 0xb3, 0x15, 0xf3, 0xb8, 0xb4, 0x89, 0x91, 0x8e, 0xf1, 0x09, + 0xe1, 0x56, 0x19, 0x39, 0x51, 0xec, 0x7e, 0x93, 0x7b, 0x16, 0x52, 0xc0, + 0xbd, 0x3b, 0xb1, 0xbf, 0x07, 0x35, 0x73, 0xdf, 0x88, 0x3d, 0x2c, 0x34, + 0xf1, 0xef, 0x45, 0x1f, 0xd4, 0x6b, 0x50, 0x3f, 0x00, 0x03, 0x15, 0x00, + 0xd0, 0x9e, 0x88, 0x00, 0x29, 0x1c, 0xb8, 0x53, 0x96, 0xcc, 0x67, 0x17, + 0x39, 0x32, 0x84, 0xaa, 0xa0, 0xda, 0x64, 0xba, 0x04, 0x81, 0x85, 0x04, + 0x00, 0xc6, 0x85, 0x8e, 0x06, 0xb7, 0x04, 0x04, 0xe9, 0xcd, 0x9e, 0x3e, + 0xcb, 0x66, 0x23, 0x95, 0xb4, 0x42, 0x9c, 0x64, 0x81, 0x39, 0x05, 0x3f, + 0xb5, 0x21, 0xf8, 0x28, 0xaf, 0x60, 0x6b, 0x4d, 0x3d, 0xba, 0xa1, 0x4b, + 0x5e, 0x77, 0xef, 0xe7, 0x59, 0x28, 0xfe, 0x1d, 0xc1, 0x27, 0xa2, 0xff, + 0xa8, 0xde, 0x33, 0x48, 0xb3, 0xc1, 0x85, 0x6a, 0x42, 0x9b, 0xf9, 0x7e, + 0x7e, 0x31, 0xc2, 0xe5, 0xbd, 0x66, 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, + 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a, 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, + 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b, 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, + 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee, 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, + 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad, 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, + 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe, 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50, + 0x02, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfa, + 0x51, 0x86, 0x87, 0x83, 0xbf, 0x2f, 0x96, 0x6b, 0x7f, 0xcc, 0x01, 0x48, + 0xf7, 0x09, 0xa5, 0xd0, 0x3b, 0xb5, 0xc9, 0xb8, 0x89, 0x9c, 0x47, 0xae, + 0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, 0x02, 0x01, 0x01, +}; -static void parameter_test(void) +static int parameter_test(void) { - EC_GROUP *group, *group2; - ECPARAMETERS *ecparameters; + EC_GROUP *group = NULL, *group2 = NULL; + ECPARAMETERS *ecparameters = NULL; + unsigned char *buf = NULL; + int r = 0, len; + + if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp384r1)) + || !TEST_ptr(ecparameters = EC_GROUP_get_ecparameters(group, NULL)) + || !TEST_ptr(group2 = EC_GROUP_new_from_ecparameters(ecparameters)) + || !TEST_int_eq(EC_GROUP_cmp(group, group2, NULL), 0)) + goto err; - fprintf(stderr, "\ntesting ecparameters conversion ..."); + EC_GROUP_free(group); + group = NULL; - group = EC_GROUP_new_by_curve_name(NID_secp384r1); - if (!group) - ABORT; + /* Test the named curve encoding, which should be default. */ + if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp521r1)) + || !TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0) + || !TEST_mem_eq(buf, len, p521_named, sizeof(p521_named))) + goto err; - ecparameters = EC_GROUP_get_ecparameters(group, NULL); - if (!ecparameters) - ABORT; - group2 = EC_GROUP_new_from_ecparameters(ecparameters); - if (!group2) - ABORT; - if (EC_GROUP_cmp(group, group2, NULL)) - ABORT; + OPENSSL_free(buf); + buf = NULL; - fprintf(stderr, " ok\n"); + /* + * Test the explicit encoding. P-521 requires correctly zero-padding the + * curve coefficients. + */ + EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE); + if (!TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0) + || !TEST_mem_eq(buf, len, p521_explicit, sizeof(p521_explicit))) + goto err; + r = 1; +err: EC_GROUP_free(group); EC_GROUP_free(group2); ECPARAMETERS_free(ecparameters); + OPENSSL_free(buf); + return r; } +#endif -static const char rnd_seed[] = - "string to make the random number generator think it has entropy"; - -int main(int argc, char *argv[]) +int setup_tests(void) { - char *p; - - p = getenv("OPENSSL_DEBUG_MEMORY"); - if (p != NULL && strcmp(p, "on") == 0) - CRYPTO_set_mem_debug(1); - CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); - - RAND_seed(rnd_seed, sizeof(rnd_seed)); /* or BN_generate_prime may fail */ +#ifndef OPENSSL_NO_EC + crv_len = EC_get_builtin_curves(NULL, 0); + if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len)) + || !TEST_true(EC_get_builtin_curves(curves, crv_len))) + return 0; - prime_field_tests(); - puts(""); + ADD_TEST(parameter_test); + ADD_TEST(prime_field_tests); # ifndef OPENSSL_NO_EC2M - char2_field_tests(); + ADD_TEST(char2_field_tests); + ADD_ALL_TESTS(char2_curve_test, OSSL_NELEM(char2_curve_tests)); # endif # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 - nistp_tests(); + ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params)); # endif - /* test the internal curves */ - internal_curve_test(); - - parameter_test(); - -#ifndef OPENSSL_NO_CRYPTO_MDEBUG - if (CRYPTO_mem_leaks_fp(stderr) <= 0) - return 1; + ADD_ALL_TESTS(internal_curve_test, crv_len); + ADD_ALL_TESTS(internal_curve_test_method, crv_len); #endif - - return 0; + return 1; } + +void cleanup_tests(void) +{ +#ifndef OPENSSL_NO_EC + OPENSSL_free(curves); #endif +} diff --git a/openssl-1.1.0-algo-doc.patch b/openssl-1.1.0-algo-doc.patch deleted file mode 100644 index 460d2c2..0000000 --- a/openssl-1.1.0-algo-doc.patch +++ /dev/null @@ -1,48 +0,0 @@ -diff -up openssl-1.1.0d/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.1.0d/doc/crypto/EVP_DigestInit.pod ---- openssl-1.1.0d/doc/crypto/EVP_DigestInit.pod.algo-doc 2017-01-26 15:49:18.784947229 +0100 -+++ openssl-1.1.0d/doc/crypto/EVP_DigestInit.pod 2017-01-26 15:52:46.458556068 +0100 -@@ -152,7 +152,7 @@ corresponding OBJECT IDENTIFIER or NID_u - EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size() and - EVP_MD_CTX_block_size() return the digest or block size in bytes. - --EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha1(), -+EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha1(), EVP_sha224(), EVP_sha256(), EVP_sha384(), EVP_sha512(), - EVP_mdc2(), EVP_ripemd160(), EVP_blake2b512(), and EVP_blake2s256() return - pointers to the corresponding EVP_MD structures. - -diff -up openssl-1.1.0d/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.1.0d/doc/crypto/EVP_EncryptInit.pod ---- openssl-1.1.0d/doc/crypto/EVP_EncryptInit.pod.algo-doc 2017-01-26 14:10:24.000000000 +0100 -+++ openssl-1.1.0d/doc/crypto/EVP_EncryptInit.pod 2017-01-26 15:49:18.784947229 +0100 -@@ -108,6 +108,32 @@ EVP_chacha20, EVP_chacha20_poly1305 - EV - int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type); - int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type); - -+ const EVP_CIPHER *EVP_des_ede3(void); -+ const EVP_CIPHER *EVP_des_ede3_ecb(void); -+ const EVP_CIPHER *EVP_des_ede3_cfb64(void); -+ const EVP_CIPHER *EVP_des_ede3_cfb1(void); -+ const EVP_CIPHER *EVP_des_ede3_cfb8(void); -+ const EVP_CIPHER *EVP_des_ede3_ofb(void); -+ const EVP_CIPHER *EVP_des_ede3_cbc(void); -+ const EVP_CIPHER *EVP_aes_128_ecb(void); -+ const EVP_CIPHER *EVP_aes_128_cbc(void); -+ const EVP_CIPHER *EVP_aes_128_cfb1(void); -+ const EVP_CIPHER *EVP_aes_128_cfb8(void); -+ const EVP_CIPHER *EVP_aes_128_cfb128(void); -+ const EVP_CIPHER *EVP_aes_128_ofb(void); -+ const EVP_CIPHER *EVP_aes_192_ecb(void); -+ const EVP_CIPHER *EVP_aes_192_cbc(void); -+ const EVP_CIPHER *EVP_aes_192_cfb1(void); -+ const EVP_CIPHER *EVP_aes_192_cfb8(void); -+ const EVP_CIPHER *EVP_aes_192_cfb128(void); -+ const EVP_CIPHER *EVP_aes_192_ofb(void); -+ const EVP_CIPHER *EVP_aes_256_ecb(void); -+ const EVP_CIPHER *EVP_aes_256_cbc(void); -+ const EVP_CIPHER *EVP_aes_256_cfb1(void); -+ const EVP_CIPHER *EVP_aes_256_cfb8(void); -+ const EVP_CIPHER *EVP_aes_256_cfb128(void); -+ const EVP_CIPHER *EVP_aes_256_ofb(void); -+ - =head1 DESCRIPTION - - The EVP cipher routines are a high level interface to certain diff --git a/openssl-1.1.0-bio-fd-preserve-nl.patch b/openssl-1.1.0-bio-fd-preserve-nl.patch deleted file mode 100644 index 0050115..0000000 --- a/openssl-1.1.0-bio-fd-preserve-nl.patch +++ /dev/null @@ -1,29 +0,0 @@ -diff -up openssl-1.1.0c/crypto/bio/bss_fd.c.preserve-nl openssl-1.1.0c/crypto/bio/bss_fd.c ---- openssl-1.1.0c/crypto/bio/bss_fd.c.preserve-nl 2016-11-10 15:03:44.000000000 +0100 -+++ openssl-1.1.0c/crypto/bio/bss_fd.c 2016-12-22 14:36:16.730740423 +0100 -@@ -202,8 +202,10 @@ static int fd_gets(BIO *bp, char *buf, i - char *ptr = buf; - char *end = buf + size - 1; - -- while ((ptr < end) && (fd_read(bp, ptr, 1) > 0) && (ptr[0] != '\n')) -- ptr++; -+ while (ptr < end && fd_read(bp, ptr, 1) > 0) { -+ if (*ptr++ == '\n') -+ break; -+ } - - ptr[0] = '\0'; - -diff -up openssl-1.1.0c/doc/crypto/BIO_read.pod.preserve-nl openssl-1.1.0c/doc/crypto/BIO_read.pod ---- openssl-1.1.0c/doc/crypto/BIO_read.pod.preserve-nl 2016-11-10 15:03:45.000000000 +0100 -+++ openssl-1.1.0c/doc/crypto/BIO_read.pod 2016-12-22 14:37:22.731245197 +0100 -@@ -23,7 +23,8 @@ in B. Usually this operation will a - from the BIO of maximum length B. There are exceptions to this, - however; for example, BIO_gets() on a digest BIO will calculate and - return the digest and other BIOs may not support BIO_gets() at all. --The returned string is always NUL-terminated. -+The returned string is always NUL-terminated and the '\n' is preserved -+if present in the input data. - - BIO_write() attempts to write B bytes from B to BIO B. - diff --git a/openssl-1.1.0-build.patch b/openssl-1.1.0-build.patch deleted file mode 100644 index 7565642..0000000 --- a/openssl-1.1.0-build.patch +++ /dev/null @@ -1,104 +0,0 @@ -diff -up openssl-1.1.0f/Configurations/unix-Makefile.tmpl.build openssl-1.1.0f/Configurations/unix-Makefile.tmpl ---- openssl-1.1.0f/Configurations/unix-Makefile.tmpl.build 2017-06-02 13:51:39.621289504 +0200 -+++ openssl-1.1.0f/Configurations/unix-Makefile.tmpl 2017-06-02 13:54:45.298654812 +0200 -@@ -553,7 +553,7 @@ uninstall_runtime: - install_man_docs: - @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) - @echo "*** Installing manpages" -- $(PERL) $(SRCDIR)/util/process_docs.pl \ -+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \ - --destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX) - - uninstall_man_docs: -@@ -565,7 +565,7 @@ uninstall_man_docs: - install_html_docs: - @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) - @echo "*** Installing HTML manpages" -- $(PERL) $(SRCDIR)/util/process_docs.pl \ -+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \ - --destdir=$(DESTDIR)$(HTMLDIR) --type=html - - uninstall_html_docs: -diff -up openssl-1.1.0f/Configurations/10-main.conf.build openssl-1.1.0f/Configurations/10-main.conf ---- openssl-1.1.0f/Configurations/10-main.conf.build 2017-05-25 14:46:17.000000000 +0200 -+++ openssl-1.1.0f/Configurations/10-main.conf 2017-06-02 13:51:39.622289528 +0200 -@@ -662,6 +662,7 @@ sub vms_info { - cflags => add("-m64 -DL_ENDIAN"), - perlasm_scheme => "linux64le", - shared_ldflag => add("-m64"), -+ multilib => "64", - }, - - "linux-armv4" => { -@@ -702,6 +703,7 @@ sub vms_info { - "linux-aarch64" => { - inherit_from => [ "linux-generic64", asm("aarch64_asm") ], - perlasm_scheme => "linux64", -+ multilib => "64", - }, - "linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32 - inherit_from => [ "linux-generic32", asm("aarch64_asm") ], -diff -up openssl-1.1.0h/engines/afalg/e_afalg.c.build openssl-1.1.0h/engines/afalg/e_afalg.c ---- openssl-1.1.0h/engines/afalg/e_afalg.c.build 2018-03-27 15:50:40.000000000 +0200 -+++ openssl-1.1.0h/engines/afalg/e_afalg.c 2018-06-19 16:56:20.150950529 +0200 -@@ -36,14 +36,25 @@ void engine_load_afalg_int(void) - } - #else - --# include - # include - # include - --# include - # include - # include - -+# define timespec linux_timespec -+# define timeval linux_timeval -+# define itimerspec linux_itimerspec -+# define sigset_t linux_sigset_type -+# include -+# include -+ -+# ifndef _LINUX_TIME_H -+# undef timespec -+# undef timeval -+# undef itimerspec -+# undef sigset_t -+# endif - # include "e_afalg.h" - - # define AFALG_LIB_NAME "AFALG" -diff -up openssl-1.1.0g/test/evptests.txt.build openssl-1.1.0g/test/evptests.txt ---- openssl-1.1.0g/test/evptests.txt.build 2017-11-02 15:29:05.000000000 +0100 -+++ openssl-1.1.0g/test/evptests.txt 2017-11-03 16:37:01.253671494 +0100 -@@ -3707,14 +3707,6 @@ MCowBQYDK2VuAyEA3p7bfXt9wbTTW2HC7OQ1Nz+D - - PrivPubKeyPair = Bob-25519:Bob-25519-PUBLIC - --Derive=Alice-25519 --PeerKey=Bob-25519-PUBLIC --SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742 -- --Derive=Bob-25519 --PeerKey=Alice-25519-PUBLIC --SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742 -- - # Illegal sign/verify operations with X25519 key - - Sign=Alice-25519 -@@ -3727,6 +3719,14 @@ Result = KEYOP_INIT_ERROR - Function = EVP_PKEY_verify_init - Reason = operation not supported for this keytype - -+Derive=Alice-25519 -+PeerKey=Bob-25519-PUBLIC -+SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742 -+ -+Derive=Bob-25519 -+PeerKey=Alice-25519-PUBLIC -+SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742 -+ - ## ECDH Tests: test with randomly generated keys for all the listed curves - - diff --git a/openssl-1.1.0-cc-reqs.patch b/openssl-1.1.0-cc-reqs.patch deleted file mode 100644 index 05e0edd..0000000 --- a/openssl-1.1.0-cc-reqs.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff -up openssl-1.1.0h/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.1.0h/crypto/rsa/rsa_gen.c ---- openssl-1.1.0h/crypto/rsa/rsa_gen.c.cc-reqs 2018-03-27 15:50:39.000000000 +0200 -+++ openssl-1.1.0h/crypto/rsa/rsa_gen.c 2018-03-29 14:37:53.405048562 +0200 -@@ -86,6 +86,12 @@ static int rsa_builtin_keygen(RSA *rsa, - if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL)) - goto err; - -+ /* prepare minimum p and q difference */ -+ if (!BN_one(r3)) -+ goto err; -+ if (bitsp > 100 && !BN_lshift(r3, r3, bitsp - 100)) -+ goto err; -+ - if (BN_copy(rsa->e, e_value) == NULL) - goto err; - -@@ -118,7 +124,9 @@ static int rsa_builtin_keygen(RSA *rsa, - do { - if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) - goto err; -- } while (BN_cmp(rsa->p, rsa->q) == 0); -+ if (!BN_sub(r2, rsa->q, rsa->p)) -+ goto err; -+ } while (BN_ucmp(r2, r3) <= 0); - if (!BN_sub(r2, rsa->q, BN_value_one())) - goto err; - ERR_set_mark(); diff --git a/openssl-1.1.0-chil-fixes.patch b/openssl-1.1.0-chil-fixes.patch deleted file mode 100644 index 363d05f..0000000 --- a/openssl-1.1.0-chil-fixes.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -up openssl-1.1.0-pre6/engines/e_chil.c.chil openssl-1.1.0-pre6/engines/e_chil.c ---- openssl-1.1.0-pre6/engines/e_chil.c.chil 2016-08-04 16:00:47.000000000 +0200 -+++ openssl-1.1.0-pre6/engines/e_chil.c 2016-08-05 16:50:13.860588775 +0200 -@@ -1195,6 +1195,11 @@ static int hwcrhk_insert_card(const char - UI *ui; - void *callback_data = NULL; - UI_METHOD *ui_method = NULL; -+ /* Despite what the documentation says prompt_info can be -+ * an empty string. -+ */ -+ if (prompt_info && !*prompt_info) -+ prompt_info = NULL; - - if (cactx) { - if (cactx->ui_method) diff --git a/openssl-1.1.0-disable-ssl3.patch b/openssl-1.1.0-disable-ssl3.patch deleted file mode 100644 index 8dd6aa2..0000000 --- a/openssl-1.1.0-disable-ssl3.patch +++ /dev/null @@ -1,85 +0,0 @@ -diff -up openssl-1.1.0h/apps/s_client.c.disable-ssl3 openssl-1.1.0h/apps/s_client.c ---- openssl-1.1.0h/apps/s_client.c.disable-ssl3 2018-03-29 14:38:39.612133765 +0200 -+++ openssl-1.1.0h/apps/s_client.c 2018-03-29 14:41:51.309635904 +0200 -@@ -1489,6 +1489,9 @@ int s_client_main(int argc, char **argv) - if (!config_ctx(cctx, ssl_args, ctx)) - goto end; - -+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION) -+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); -+ - if (ssl_config) { - if (SSL_CTX_config(ctx, ssl_config) == 0) { - BIO_printf(bio_err, "Error using configuration \"%s\"\n", -diff -up openssl-1.1.0h/apps/s_server.c.disable-ssl3 openssl-1.1.0h/apps/s_server.c ---- openssl-1.1.0h/apps/s_server.c.disable-ssl3 2018-03-29 14:38:39.613133788 +0200 -+++ openssl-1.1.0h/apps/s_server.c 2018-03-29 14:42:27.313481477 +0200 -@@ -1619,6 +1619,9 @@ int s_server_main(int argc, char *argv[] - if (!config_ctx(cctx, ssl_args, ctx)) - goto end; - -+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION) -+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); -+ - if (ssl_config) { - if (SSL_CTX_config(ctx, ssl_config) == 0) { - BIO_printf(bio_err, "Error using configuration \"%s\"\n", -diff -up openssl-1.1.0h/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.0h/ssl/ssl_lib.c ---- openssl-1.1.0h/ssl/ssl_lib.c.disable-ssl3 2018-03-27 15:50:40.000000000 +0200 -+++ openssl-1.1.0h/ssl/ssl_lib.c 2018-03-29 14:38:39.614133811 +0200 -@@ -2653,6 +2653,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m - * or by using the SSL_CONF library. - */ - ret->options |= SSL_OP_NO_COMPRESSION; -+ /* -+ * Disable SSLv3 by default. Applications can -+ * re-enable it by configuring -+ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); -+ * or by using the SSL_CONF library. -+ */ -+ ret->options |= SSL_OP_NO_SSLv3; - - ret->tlsext_status_type = -1; - -diff -up openssl-1.1.0h/test/ssl_test.c.disable-ssl3 openssl-1.1.0h/test/ssl_test.c ---- openssl-1.1.0h/test/ssl_test.c.disable-ssl3 2018-03-29 14:38:39.615133835 +0200 -+++ openssl-1.1.0h/test/ssl_test.c 2018-03-29 14:43:37.893139086 +0200 -@@ -277,6 +277,7 @@ static int execute_test(SSL_TEST_FIXTURE - SSL_TEST_SERVERNAME_CB_NONE) { - server2_ctx = SSL_CTX_new(TLS_server_method()); - TEST_check(server2_ctx != NULL); -+ SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3); - } - client_ctx = SSL_CTX_new(TLS_client_method()); - TEST_check(SSL_CTX_set_max_proto_version(client_ctx, TLS_MAX_VERSION)); -@@ -290,11 +291,15 @@ static int execute_test(SSL_TEST_FIXTURE - TLS_MAX_VERSION)); - TEST_check(resume_server_ctx != NULL); - TEST_check(resume_client_ctx != NULL); -+ SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3); -+ SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3); - } - } - - TEST_check(server_ctx != NULL); - TEST_check(client_ctx != NULL); -+ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3); -+ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3); - - TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0); - -diff -up openssl-1.1.0h/test/ssltest_old.c.disable-ssl3 openssl-1.1.0h/test/ssltest_old.c ---- openssl-1.1.0h/test/ssltest_old.c.disable-ssl3 2018-03-27 15:50:41.000000000 +0200 -+++ openssl-1.1.0h/test/ssltest_old.c 2018-03-29 14:38:39.615133835 +0200 -@@ -1460,6 +1460,11 @@ int main(int argc, char *argv[]) - ERR_print_errors(bio_err); - goto end; - } -+ -+ SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3); -+ SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3); -+ SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3); -+ - /* - * Since we will use low security ciphersuites and keys for testing set - * security level to zero by default. Tests can override this by adding diff --git a/openssl-1.1.0-ec-curves.patch b/openssl-1.1.0-ec-curves.patch deleted file mode 100644 index d6bd022..0000000 --- a/openssl-1.1.0-ec-curves.patch +++ /dev/null @@ -1,80 +0,0 @@ -diff -up openssl-1.1.0e/apps/speed.c.curves openssl-1.1.0e/apps/speed.c ---- openssl-1.1.0e/apps/speed.c.curves 2017-02-16 12:58:20.000000000 +0100 -+++ openssl-1.1.0e/apps/speed.c 2017-02-16 15:46:22.271504354 +0100 -@@ -536,42 +536,18 @@ static OPT_PAIR rsa_choices[] = { - #define R_EC_X25519 16 - #ifndef OPENSSL_NO_EC - static OPT_PAIR ecdsa_choices[] = { -- {"ecdsap160", R_EC_P160}, -- {"ecdsap192", R_EC_P192}, - {"ecdsap224", R_EC_P224}, - {"ecdsap256", R_EC_P256}, - {"ecdsap384", R_EC_P384}, - {"ecdsap521", R_EC_P521}, -- {"ecdsak163", R_EC_K163}, -- {"ecdsak233", R_EC_K233}, -- {"ecdsak283", R_EC_K283}, -- {"ecdsak409", R_EC_K409}, -- {"ecdsak571", R_EC_K571}, -- {"ecdsab163", R_EC_B163}, -- {"ecdsab233", R_EC_B233}, -- {"ecdsab283", R_EC_B283}, -- {"ecdsab409", R_EC_B409}, -- {"ecdsab571", R_EC_B571}, - {NULL} - }; - - static OPT_PAIR ecdh_choices[] = { -- {"ecdhp160", R_EC_P160}, -- {"ecdhp192", R_EC_P192}, - {"ecdhp224", R_EC_P224}, - {"ecdhp256", R_EC_P256}, - {"ecdhp384", R_EC_P384}, - {"ecdhp521", R_EC_P521}, -- {"ecdhk163", R_EC_K163}, -- {"ecdhk233", R_EC_K233}, -- {"ecdhk283", R_EC_K283}, -- {"ecdhk409", R_EC_K409}, -- {"ecdhk571", R_EC_K571}, -- {"ecdhb163", R_EC_B163}, -- {"ecdhb233", R_EC_B233}, -- {"ecdhb283", R_EC_B283}, -- {"ecdhb409", R_EC_B409}, -- {"ecdhb571", R_EC_B571}, - {"ecdhx25519", R_EC_X25519}, - {NULL} - }; -diff -up openssl-1.1.0e/crypto/ec/ecp_smpl.c.curves openssl-1.1.0e/crypto/ec/ecp_smpl.c ---- openssl-1.1.0e/crypto/ec/ecp_smpl.c.curves 2017-02-16 12:58:21.000000000 +0100 -+++ openssl-1.1.0e/crypto/ec/ecp_smpl.c 2017-02-16 15:46:22.264504188 +0100 -@@ -144,6 +144,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO - return 0; - } - -+ if (BN_num_bits(p) < 224) { -+ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD); -+ return 0; -+ } -+ - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) -diff -up openssl-1.1.0e/test/ecdsatest.c.curves openssl-1.1.0e/test/ecdsatest.c ---- openssl-1.1.0e/test/ecdsatest.c.curves 2017-02-16 12:58:24.000000000 +0100 -+++ openssl-1.1.0e/test/ecdsatest.c 2017-02-16 15:46:22.250503857 +0100 -@@ -216,6 +216,7 @@ int x9_62_tests(BIO *out) - if (!change_rand()) - goto x962_err; - -+#if 0 - if (!x9_62_test_internal(out, NID_X9_62_prime192v1, - "3342403536405981729393488334694600415596881826869351677613", - "5735822328888155254683894997897571951568553642892029982342")) -@@ -226,6 +227,7 @@ int x9_62_tests(BIO *out) - "3238135532097973577080787768312505059318910517550078427819" - "78505179448783")) - goto x962_err; -+#endif - # ifndef OPENSSL_NO_EC2M - if (!x9_62_test_internal(out, NID_X9_62_c2tnb191v1, - "87194383164871543355722284926904419997237591535066528048", diff --git a/openssl-1.1.0-fips.patch b/openssl-1.1.0-fips.patch deleted file mode 100644 index 48509de..0000000 --- a/openssl-1.1.0-fips.patch +++ /dev/null @@ -1,12252 +0,0 @@ -diff -up openssl-1.1.0h/apps/speed.c.fips openssl-1.1.0h/apps/speed.c ---- openssl-1.1.0h/apps/speed.c.fips 2018-03-29 14:44:24.617236431 +0200 -+++ openssl-1.1.0h/apps/speed.c 2018-03-29 15:02:42.171996191 +0200 -@@ -1447,7 +1447,9 @@ int speed_main(int argc, char **argv) - if (strcmp(*argv, "openssl") == 0) - continue; - if (strcmp(*argv, "rsa") == 0) { -- rsa_doit[R_RSA_512] = rsa_doit[R_RSA_1024] = -+ if (!FIPS_mode()) -+ rsa_doit[R_RSA_512] = 1; -+ rsa_doit[R_RSA_1024] = - rsa_doit[R_RSA_2048] = rsa_doit[R_RSA_3072] = - rsa_doit[R_RSA_4096] = rsa_doit[R_RSA_7680] = - rsa_doit[R_RSA_15360] = 1; -@@ -1460,7 +1462,9 @@ int speed_main(int argc, char **argv) - #endif - #ifndef OPENSSL_NO_DSA - if (strcmp(*argv, "dsa") == 0) { -- dsa_doit[R_DSA_512] = dsa_doit[R_DSA_1024] = -+ if (!FIPS_mode()) -+ dsa_doit[R_DSA_512] = 1; -+ dsa_doit[R_DSA_1024] = - dsa_doit[R_DSA_2048] = 1; - continue; - } -@@ -1549,15 +1553,21 @@ int speed_main(int argc, char **argv) - /* No parameters; turn on everything. */ - if ((argc == 0) && !doit[D_EVP]) { - for (i = 0; i < ALGOR_NUM; i++) -- if (i != D_EVP) -+ if (i != D_EVP && -+ (!FIPS_mode() || (i != D_WHIRLPOOL && -+ i != D_MD2 && i != D_MD4 && -+ i != D_MD5 && i != D_MDC2 && -+ i != D_RMD160))) - doit[i] = 1; - #ifndef OPENSSL_NO_RSA - for (i = 0; i < RSA_NUM; i++) -- rsa_doit[i] = 1; -+ if (!FIPS_mode() || i != R_RSA_512) -+ rsa_doit[i] = 1; - #endif - #ifndef OPENSSL_NO_DSA - for (i = 0; i < DSA_NUM; i++) -- dsa_doit[i] = 1; -+ if (!FIPS_mode() || i != R_DSA_512) -+ dsa_doit[i] = 1; - #endif - #ifndef OPENSSL_NO_EC - for (loop = 0; loop < OSSL_NELEM(ecdsa_choices); loop++) -@@ -1606,30 +1616,46 @@ int speed_main(int argc, char **argv) - AES_set_encrypt_key(key24, 192, &aes_ks2); - AES_set_encrypt_key(key32, 256, &aes_ks3); - #ifndef OPENSSL_NO_CAMELLIA -- Camellia_set_key(key16, 128, &camellia_ks1); -- Camellia_set_key(ckey24, 192, &camellia_ks2); -- Camellia_set_key(ckey32, 256, &camellia_ks3); -+ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML]) { -+ Camellia_set_key(key16, 128, &camellia_ks1); -+ Camellia_set_key(ckey24, 192, &camellia_ks2); -+ Camellia_set_key(ckey32, 256, &camellia_ks3); -+ } - #endif - #ifndef OPENSSL_NO_IDEA -- IDEA_set_encrypt_key(key16, &idea_ks); -+ if (doit[D_CBC_IDEA]) { -+ IDEA_set_encrypt_key(key16, &idea_ks); -+ } - #endif - #ifndef OPENSSL_NO_SEED -- SEED_set_key(key16, &seed_ks); -+ if (doit[D_CBC_SEED]) { -+ SEED_set_key(key16, &seed_ks); -+ } - #endif - #ifndef OPENSSL_NO_RC4 -- RC4_set_key(&rc4_ks, 16, key16); -+ if (doit[D_RC4]) { -+ RC4_set_key(&rc4_ks, 16, key16); -+ } - #endif - #ifndef OPENSSL_NO_RC2 -- RC2_set_key(&rc2_ks, 16, key16, 128); -+ if (doit[D_CBC_RC2]) { -+ RC2_set_key(&rc2_ks, 16, key16, 128); -+ } - #endif - #ifndef OPENSSL_NO_RC5 -- RC5_32_set_key(&rc5_ks, 16, key16, 12); -+ if (doit[D_CBC_RC5]) { -+ RC5_32_set_key(&rc5_ks, 16, key16, 12); -+ } - #endif - #ifndef OPENSSL_NO_BF -- BF_set_key(&bf_ks, 16, key16); -+ if (doit[D_CBC_BF]) { -+ BF_set_key(&bf_ks, 16, key16); -+ } - #endif - #ifndef OPENSSL_NO_CAST -- CAST_set_key(&cast_ks, 16, key16); -+ if (doit[D_CBC_CAST]) { -+ CAST_set_key(&cast_ks, 16, key16); -+ } - #endif - #ifndef SIGALRM - # ifndef OPENSSL_NO_DES -@@ -1890,6 +1916,7 @@ int speed_main(int argc, char **argv) - - for (i = 0; i < loopargs_len; i++) { - loopargs[i].hctx = HMAC_CTX_new(); -+ HMAC_CTX_set_flags(loopargs[i].hctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - if (loopargs[i].hctx == NULL) { - BIO_printf(bio_err, "HMAC malloc failure, exiting..."); - exit(1); -diff -up openssl-1.1.0h/Configure.fips openssl-1.1.0h/Configure ---- openssl-1.1.0h/Configure.fips 2018-03-29 14:44:24.624236595 +0200 -+++ openssl-1.1.0h/Configure 2018-03-29 14:44:24.628236689 +0200 -@@ -314,7 +314,7 @@ $config{sdirs} = [ - "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", - "des", "aes", "rc2", "rc4", "rc5", "idea", "bf", "cast", "camellia", "seed", "chacha", "modes", - "bn", "ec", "rsa", "dsa", "dh", "dso", "engine", -- "buffer", "bio", "stack", "lhash", "rand", "err", -+ "buffer", "bio", "stack", "lhash", "rand", "err", "fips", - "evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui", - "cms", "ts", "srp", "cmac", "ct", "async", "kdf" - ]; -diff -up openssl-1.1.0h/crypto/bn/bn_rand.c.fips openssl-1.1.0h/crypto/bn/bn_rand.c ---- openssl-1.1.0h/crypto/bn/bn_rand.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/bn/bn_rand.c 2018-03-29 14:44:24.628236689 +0200 -@@ -39,9 +39,11 @@ static int bnrand(int pseudorand, BIGNUM - goto err; - } - -- /* make a random number and set the top and bottom bits */ -- time(&tim); -- RAND_add(&tim, sizeof(tim), 0.0); -+ if (!FIPS_mode()) { /* in FIPS mode the RNG is always properly seeded or the module fails */ -+ /* make a random number and set the top and bottom bits */ -+ time(&tim); -+ RAND_add(&tim, sizeof(tim), 0.0); -+ } - - if (RAND_bytes(buf, bytes) <= 0) - goto err; -diff -up openssl-1.1.0h/crypto/dh/dh_err.c.fips openssl-1.1.0h/crypto/dh/dh_err.c ---- openssl-1.1.0h/crypto/dh/dh_err.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/dh/dh_err.c 2018-03-29 14:44:24.628236689 +0200 -@@ -25,6 +25,9 @@ static ERR_STRING_DATA DH_str_functs[] = - {ERR_FUNC(DH_F_DH_CMS_DECRYPT), "dh_cms_decrypt"}, - {ERR_FUNC(DH_F_DH_CMS_SET_PEERKEY), "dh_cms_set_peerkey"}, - {ERR_FUNC(DH_F_DH_CMS_SET_SHARED_INFO), "dh_cms_set_shared_info"}, -+ {ERR_FUNC(DH_F_DH_COMPUTE_KEY), "DH_compute_key"}, -+ {ERR_FUNC(DH_F_DH_GENERATE_KEY), "DH_generate_key"}, -+ {ERR_FUNC(DH_F_DH_GENERATE_PARAMETERS_EX), "DH_generate_parameters_ex"}, - {ERR_FUNC(DH_F_DH_METH_DUP), "DH_meth_dup"}, - {ERR_FUNC(DH_F_DH_METH_NEW), "DH_meth_new"}, - {ERR_FUNC(DH_F_DH_METH_SET1_NAME), "DH_meth_set1_name"}, -@@ -49,9 +52,11 @@ static ERR_STRING_DATA DH_str_reasons[] - {ERR_REASON(DH_R_INVALID_PUBKEY), "invalid public key"}, - {ERR_REASON(DH_R_KDF_PARAMETER_ERROR), "kdf parameter error"}, - {ERR_REASON(DH_R_KEYS_NOT_SET), "keys not set"}, -+ {ERR_REASON(DH_R_KEY_SIZE_TOO_SMALL), "key size too small"}, - {ERR_REASON(DH_R_MODULUS_TOO_LARGE), "modulus too large"}, - {ERR_REASON(DH_R_NO_PARAMETERS_SET), "no parameters set"}, - {ERR_REASON(DH_R_NO_PRIVATE_VALUE), "no private value"}, -+ {ERR_REASON(DH_R_NON_FIPS_METHOD), "non FIPS method"}, - {ERR_REASON(DH_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"}, - {ERR_REASON(DH_R_PEER_KEY_ERROR), "peer key error"}, - {ERR_REASON(DH_R_SHARED_INFO_ERROR), "shared info error"}, -diff -up openssl-1.1.0h/crypto/dh/dh_gen.c.fips openssl-1.1.0h/crypto/dh/dh_gen.c ---- openssl-1.1.0h/crypto/dh/dh_gen.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/dh/dh_gen.c 2018-03-29 14:44:24.628236689 +0200 -@@ -16,6 +16,9 @@ - #include "internal/cryptlib.h" - #include - #include "dh_locl.h" -+#ifdef OPENSSL_FIPS -+# include -+#endif - - static int dh_builtin_genparams(DH *ret, int prime_len, int generator, - BN_GENCB *cb); -@@ -23,6 +26,13 @@ static int dh_builtin_genparams(DH *ret, - int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, - BN_GENCB *cb) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD) -+ && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) { -+ DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD); -+ return 0; -+ } -+#endif - if (ret->meth->generate_params) - return ret->meth->generate_params(ret, prime_len, generator, cb); - return dh_builtin_genparams(ret, prime_len, generator, cb); -@@ -62,6 +72,18 @@ static int dh_builtin_genparams(DH *ret, - int g, ok = -1; - BN_CTX *ctx = NULL; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED); -+ return 0; -+ } -+ -+ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) { -+ DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL); -+ goto err; -+ } -+#endif -+ - ctx = BN_CTX_new(); - if (ctx == NULL) - goto err; -diff -up openssl-1.1.0h/crypto/dh/dh_key.c.fips openssl-1.1.0h/crypto/dh/dh_key.c ---- openssl-1.1.0h/crypto/dh/dh_key.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/dh/dh_key.c 2018-03-29 14:44:24.628236689 +0200 -@@ -11,6 +11,9 @@ - #include "internal/cryptlib.h" - #include "dh_locl.h" - #include "internal/bn_int.h" -+#ifdef OPENSSL_FIPS -+# include -+#endif - - static int generate_key(DH *dh); - static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); -@@ -22,18 +25,32 @@ static int dh_finish(DH *dh); - - int DH_generate_key(DH *dh) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD) -+ && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) { -+ DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD); -+ return 0; -+ } -+#endif - return dh->meth->generate_key(dh); - } - - int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD) -+ && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) { -+ DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD); -+ return 0; -+ } -+#endif - return dh->meth->compute_key(key, pub_key, dh); - } - - int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh) - { - int rv, pad; -- rv = dh->meth->compute_key(key, pub_key, dh); -+ rv = DH_compute_key(key, pub_key, dh); - if (rv <= 0) - return rv; - pad = BN_num_bytes(dh->p) - rv; -@@ -82,6 +99,14 @@ static int generate_key(DH *dh) - BN_MONT_CTX *mont = NULL; - BIGNUM *pub_key = NULL, *priv_key = NULL; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() -+ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { -+ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL); -+ return 0; -+ } -+#endif -+ - ctx = BN_CTX_new(); - if (ctx == NULL) - goto err; -@@ -165,6 +190,13 @@ static int compute_key(unsigned char *ke - DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE); - goto err; - } -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() -+ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { -+ DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL); -+ goto err; -+ } -+#endif - - ctx = BN_CTX_new(); - if (ctx == NULL) -@@ -216,6 +248,9 @@ static int dh_bn_mod_exp(const DH *dh, B - - static int dh_init(DH *dh) - { -+#ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+#endif - dh->flags |= DH_FLAG_CACHE_MONT_P; - return (1); - } -diff -up openssl-1.1.0h/crypto/dsa/dsa_err.c.fips openssl-1.1.0h/crypto/dsa/dsa_err.c ---- openssl-1.1.0h/crypto/dsa/dsa_err.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/dsa/dsa_err.c 2018-03-29 14:44:24.628236689 +0200 -@@ -21,10 +21,13 @@ - static ERR_STRING_DATA DSA_str_functs[] = { - {ERR_FUNC(DSA_F_DSAPARAMS_PRINT), "DSAparams_print"}, - {ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP), "DSAparams_print_fp"}, -+ {ERR_FUNC(DSA_F_DSA_BUILTIN_KEYGEN), "dsa_builtin_keygen"}, - {ERR_FUNC(DSA_F_DSA_BUILTIN_PARAMGEN), "dsa_builtin_paramgen"}, - {ERR_FUNC(DSA_F_DSA_BUILTIN_PARAMGEN2), "dsa_builtin_paramgen2"}, - {ERR_FUNC(DSA_F_DSA_DO_SIGN), "DSA_do_sign"}, - {ERR_FUNC(DSA_F_DSA_DO_VERIFY), "DSA_do_verify"}, -+ {ERR_FUNC(DSA_F_DSA_GENERATE_KEY), "DSA_generate_key"}, -+ {ERR_FUNC(DSA_F_DSA_GENERATE_PARAMETERS_EX), "DSA_generate_parameters_ex"}, - {ERR_FUNC(DSA_F_DSA_METH_DUP), "DSA_meth_dup"}, - {ERR_FUNC(DSA_F_DSA_METH_NEW), "DSA_meth_new"}, - {ERR_FUNC(DSA_F_DSA_METH_SET1_NAME), "DSA_meth_set1_name"}, -@@ -51,9 +54,12 @@ static ERR_STRING_DATA DSA_str_reasons[] - {ERR_REASON(DSA_R_DECODE_ERROR), "decode error"}, - {ERR_REASON(DSA_R_INVALID_DIGEST_TYPE), "invalid digest type"}, - {ERR_REASON(DSA_R_INVALID_PARAMETERS), "invalid parameters"}, -+ {ERR_REASON(DSA_R_KEY_SIZE_INVALID), "key size invalid"}, -+ {ERR_REASON(DSA_R_KEY_SIZE_TOO_SMALL), "key size too small"}, - {ERR_REASON(DSA_R_MISSING_PARAMETERS), "missing parameters"}, - {ERR_REASON(DSA_R_MODULUS_TOO_LARGE), "modulus too large"}, - {ERR_REASON(DSA_R_NO_PARAMETERS_SET), "no parameters set"}, -+ {ERR_REASON(DSA_R_NON_FIPS_DSA_METHOD), "non FIPS DSA method"}, - {ERR_REASON(DSA_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"}, - {ERR_REASON(DSA_R_Q_NOT_PRIME), "q not prime"}, - {ERR_REASON(DSA_R_SEED_LEN_SMALL), -diff -up openssl-1.1.0h/crypto/dsa/dsa_gen.c.fips openssl-1.1.0h/crypto/dsa/dsa_gen.c ---- openssl-1.1.0h/crypto/dsa/dsa_gen.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/dsa/dsa_gen.c 2018-03-29 14:44:24.628236689 +0200 -@@ -22,12 +22,22 @@ - #include - #include - #include "dsa_locl.h" -+#ifdef OPENSSL_FIPS -+# include -+#endif - - int DSA_generate_parameters_ex(DSA *ret, int bits, - const unsigned char *seed_in, int seed_len, - int *counter_ret, unsigned long *h_ret, - BN_GENCB *cb) - { -+# ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD) -+ && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW)) { -+ DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD); -+ return 0; -+ } -+# endif - if (ret->meth->dsa_paramgen) - return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len, - counter_ret, h_ret, cb); -@@ -35,9 +45,15 @@ int DSA_generate_parameters_ex(DSA *ret, - const EVP_MD *evpmd = bits >= 2048 ? EVP_sha256() : EVP_sha1(); - size_t qbits = EVP_MD_size(evpmd) * 8; - -+# ifdef OPENSSL_FIPS -+ return dsa_builtin_paramgen2(ret, bits, qbits, evpmd, -+ seed_in, seed_len, -1, NULL, counter_ret, -+ h_ret, cb); -+# else - return dsa_builtin_paramgen(ret, bits, qbits, evpmd, - seed_in, seed_len, NULL, counter_ret, - h_ret, cb); -+# endif - } - } - -@@ -303,7 +319,7 @@ int dsa_builtin_paramgen2(DSA *ret, size - int *counter_ret, unsigned long *h_ret, - BN_GENCB *cb) - { -- int ok = -1; -+ int ok = 0; - unsigned char *seed = NULL, *seed_tmp = NULL; - unsigned char md[EVP_MAX_MD_SIZE]; - int mdsize; -@@ -320,6 +336,20 @@ int dsa_builtin_paramgen2(DSA *ret, size - if (mctx == NULL) - goto err; - -+# ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN2, FIPS_R_FIPS_SELFTEST_FAILED); -+ goto err; -+ } -+ -+ if (FIPS_mode() && (L != 1024 || N != 160) && -+ (L != 2048 || N != 224) && (L != 2048 || N != 256) && -+ (L != 3072 || N != 256)) { -+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_KEY_SIZE_INVALID); -+ goto err; -+ } -+# endif -+ - if (evpmd == NULL) { - if (N == 160) - evpmd = EVP_sha1(); -@@ -420,9 +450,10 @@ int dsa_builtin_paramgen2(DSA *ret, size - goto err; - /* Provided seed didn't produce a prime: error */ - if (seed_in) { -- ok = 0; -- DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_Q_NOT_PRIME); -- goto err; -+ /* Different seed_out will indicate that seed_in -+ * did not generate primes. -+ */ -+ seed_in = NULL; - } - - /* do a callback call */ -@@ -508,11 +539,14 @@ int dsa_builtin_paramgen2(DSA *ret, size - if (counter >= (int)(4 * L)) - break; - } -+#if 0 -+ /* Cannot happen */ - if (seed_in) { - ok = 0; - DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS); - goto err; - } -+#endif - } - end: - if (!BN_GENCB_call(cb, 2, 1)) -@@ -583,7 +617,7 @@ int dsa_builtin_paramgen2(DSA *ret, size - BN_free(ret->g); - ret->g = BN_dup(g); - if (ret->p == NULL || ret->q == NULL || ret->g == NULL) { -- ok = -1; -+ ok = 0; - goto err; - } - if (counter_ret != NULL) -@@ -601,3 +635,53 @@ int dsa_builtin_paramgen2(DSA *ret, size - EVP_MD_CTX_free(mctx); - return ok; - } -+ -+#ifdef OPENSSL_FIPS -+ -+int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, -+ const EVP_MD *evpmd, const unsigned char *seed_in, -+ size_t seed_len, int idx, unsigned char *seed_out, -+ int *counter_ret, unsigned long *h_ret, -+ BN_GENCB *cb) -+{ -+ return dsa_builtin_paramgen2(ret, L, N, evpmd, seed_in, seed_len, -+ idx, seed_out, counter_ret, h_ret, cb); -+} -+ -+int FIPS_dsa_paramgen_check_g(DSA *dsa) -+{ -+ BN_CTX *ctx; -+ BIGNUM *tmp; -+ BN_MONT_CTX *mont = NULL; -+ int rv = -1; -+ -+ ctx = BN_CTX_new(); -+ if (ctx == NULL) -+ return -1; -+ BN_CTX_start(ctx); -+ if (BN_cmp(dsa->g, BN_value_one()) <= 0) -+ return 0; -+ if (BN_cmp(dsa->g, dsa->p) >= 0) -+ return 0; -+ tmp = BN_CTX_get(ctx); -+ if (tmp == NULL) -+ goto err; -+ if ((mont=BN_MONT_CTX_new()) == NULL) -+ goto err; -+ if (!BN_MONT_CTX_set(mont,dsa->p,ctx)) -+ goto err; -+ /* Work out g^q mod p */ -+ if (!BN_mod_exp_mont(tmp,dsa->g,dsa->q, dsa->p, ctx, mont)) -+ goto err; -+ if (!BN_cmp(tmp, BN_value_one())) -+ rv = 1; -+ else -+ rv = 0; -+ err: -+ BN_CTX_end(ctx); -+ BN_MONT_CTX_free(mont); -+ BN_CTX_free(ctx); -+ return rv; -+} -+ -+#endif -diff -up openssl-1.1.0h/crypto/dsa/dsa_key.c.fips openssl-1.1.0h/crypto/dsa/dsa_key.c ---- openssl-1.1.0h/crypto/dsa/dsa_key.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/dsa/dsa_key.c 2018-03-29 14:44:24.628236689 +0200 -@@ -13,10 +13,49 @@ - #include - #include "dsa_locl.h" - -+#ifdef OPENSSL_FIPS -+# include -+# include "internal/fips_int.h" -+ -+static int fips_check_dsa(DSA *dsa) -+{ -+ EVP_PKEY *pk; -+ unsigned char tbs[] = "DSA Pairwise Check Data"; -+ int ret = 0; -+ -+ if ((pk = EVP_PKEY_new()) == NULL) -+ goto err; -+ -+ EVP_PKEY_set1_DSA(pk, dsa); -+ -+ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL)) -+ ret = 1; -+ -+ err: -+ if (ret == 0) { -+ FIPSerr(FIPS_F_FIPS_CHECK_DSA, FIPS_R_PAIRWISE_TEST_FAILED); -+ fips_set_selftest_fail(); -+ } -+ -+ if (pk) -+ EVP_PKEY_free(pk); -+ -+ return ret; -+} -+ -+#endif -+ - static int dsa_builtin_keygen(DSA *dsa); - - int DSA_generate_key(DSA *dsa) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD) -+ && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) { -+ DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD); -+ return 0; -+ } -+#endif - if (dsa->meth->dsa_keygen) - return dsa->meth->dsa_keygen(dsa); - return dsa_builtin_keygen(dsa); -@@ -28,6 +67,14 @@ static int dsa_builtin_keygen(DSA *dsa) - BN_CTX *ctx = NULL; - BIGNUM *pub_key = NULL, *priv_key = NULL; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) -+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN)) { -+ DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL); -+ goto err; -+ } -+#endif -+ - if ((ctx = BN_CTX_new()) == NULL) - goto err; - -@@ -65,6 +112,13 @@ static int dsa_builtin_keygen(DSA *dsa) - - dsa->priv_key = priv_key; - dsa->pub_key = pub_key; -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !fips_check_dsa(dsa)) { -+ dsa->pub_key = NULL; -+ dsa->priv_key = NULL; -+ goto err; -+ } -+#endif - ok = 1; - - err: -diff -up openssl-1.1.0h/crypto/dsa/dsa_ossl.c.fips openssl-1.1.0h/crypto/dsa/dsa_ossl.c ---- openssl-1.1.0h/crypto/dsa/dsa_ossl.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/dsa/dsa_ossl.c 2018-03-29 14:44:24.629236712 +0200 -@@ -15,6 +15,9 @@ - #include - #include "dsa_locl.h" - #include -+#ifdef OPENSSL_FIPS -+# include -+#endif - - static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); - static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, -@@ -68,6 +71,19 @@ static DSA_SIG *dsa_do_sign(const unsign - DSA_SIG *ret = NULL; - int rv = 0; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_DSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED); -+ return NULL; -+ } -+ -+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) -+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) { -+ DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL); -+ return NULL; -+ } -+#endif -+ - m = BN_new(); - xr = BN_new(); - if (m == NULL || xr == NULL) -@@ -266,6 +282,18 @@ static int dsa_do_verify(const unsigned - DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE); - return -1; - } -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_DSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED); -+ return -1; -+ } -+ -+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) -+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) { -+ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL); -+ return -1; -+ } -+#endif - - if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) { - DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE); -@@ -354,6 +382,9 @@ static int dsa_do_verify(const unsigned - - static int dsa_init(DSA *dsa) - { -+#ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+#endif - dsa->flags |= DSA_FLAG_CACHE_MONT_P; - return (1); - } -diff -up openssl-1.1.0h/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.0h/crypto/dsa/dsa_pmeth.c ---- openssl-1.1.0h/crypto/dsa/dsa_pmeth.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/dsa/dsa_pmeth.c 2018-03-29 14:44:24.629236712 +0200 -@@ -212,8 +212,8 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT - BN_GENCB_free(pcb); - return 0; - } -- ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd, -- NULL, 0, NULL, NULL, NULL, pcb); -+ ret = dsa_builtin_paramgen2(dsa, dctx->nbits, dctx->qbits, dctx->pmd, -+ NULL, 0, -1, NULL, NULL, NULL, pcb); - BN_GENCB_free(pcb); - if (ret) - EVP_PKEY_assign_DSA(pkey, dsa); -diff -up openssl-1.1.0h/crypto/ec/ecdh_ossl.c.fips openssl-1.1.0h/crypto/ec/ecdh_ossl.c ---- openssl-1.1.0h/crypto/ec/ecdh_ossl.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/ec/ecdh_ossl.c 2018-03-29 14:44:24.629236712 +0200 -@@ -33,9 +33,20 @@ - #include - #include "ec_lcl.h" - -+#ifdef OPENSSL_FIPS -+# include -+#endif -+ - int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen, - const EC_POINT *pub_key, const EC_KEY *ecdh) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED); -+ return -1; -+ } -+#endif -+ - if (ecdh->group->meth->ecdh_compute_key == NULL) { - ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH); - return 0; -diff -up openssl-1.1.0h/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.0h/crypto/ec/ecdsa_ossl.c ---- openssl-1.1.0h/crypto/ec/ecdsa_ossl.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/ec/ecdsa_ossl.c 2018-03-29 14:44:24.629236712 +0200 -@@ -15,6 +15,10 @@ - #include - #include "ec_lcl.h" - -+#ifdef OPENSSL_FIPS -+# include -+#endif -+ - int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen, - unsigned char *sig, unsigned int *siglen, - const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey) -@@ -217,6 +221,13 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns - ECDSA_SIG *ret; - const BIGNUM *priv_key; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_OSSL_ECDSA_SIGN_SIG, FIPS_R_FIPS_SELFTEST_FAILED); -+ return NULL; -+ } -+#endif -+ - group = EC_KEY_get0_group(eckey); - priv_key = EC_KEY_get0_private_key(eckey); - -@@ -366,6 +377,13 @@ int ossl_ecdsa_verify_sig(const unsigned - const EC_GROUP *group; - const EC_POINT *pub_key; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_OSSL_ECDSA_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED); -+ return NULL; -+ } -+#endif -+ - /* check input values */ - if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || - (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) { -diff -up openssl-1.1.0h/crypto/ec/ec_key.c.fips openssl-1.1.0h/crypto/ec/ec_key.c ---- openssl-1.1.0h/crypto/ec/ec_key.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/ec/ec_key.c 2018-03-29 14:44:24.630236736 +0200 -@@ -177,14 +177,61 @@ int EC_KEY_up_ref(EC_KEY *r) - return ((i > 1) ? 1 : 0); - } - -+#ifdef OPENSSL_FIPS -+ -+# include -+# include "internal/fips_int.h" -+ -+static int fips_check_ec(EC_KEY *key) -+{ -+ EVP_PKEY *pk; -+ unsigned char tbs[] = "ECDSA Pairwise Check Data"; -+ int ret = 0; -+ -+ if (!EC_KEY_can_sign(key)) /* no test for non-signing keys */ -+ return 1; -+ -+ if ((pk = EVP_PKEY_new()) == NULL) -+ goto err; -+ -+ EVP_PKEY_set1_EC_KEY(pk, key); -+ -+ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL)) -+ ret = 1; -+ -+ err: -+ if (ret == 0) { -+ FIPSerr(FIPS_F_FIPS_CHECK_EC, FIPS_R_PAIRWISE_TEST_FAILED); -+ fips_set_selftest_fail(); -+ } -+ if (pk) -+ EVP_PKEY_free(pk); -+ return ret; -+} -+ -+#endif -+ - int EC_KEY_generate_key(EC_KEY *eckey) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(EC_F_EC_KEY_GENERATE_KEY, FIPS_R_FIPS_SELFTEST_FAILED); -+ return 0; -+ } -+#endif - if (eckey == NULL || eckey->group == NULL) { - ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER); - return 0; - } -- if (eckey->meth->keygen != NULL) -- return eckey->meth->keygen(eckey); -+ if (eckey->meth->keygen != NULL) { -+ int rv = eckey->meth->keygen(eckey); -+#ifdef OPENSSL_FIPS -+ if (rv > 0 && FIPS_mode()) { -+ rv = fips_check_ec(eckey); -+ } -+#endif -+ return rv; -+ } - ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED); - return 0; - } -diff -up openssl-1.1.0h/crypto/err/err_all.c.fips openssl-1.1.0h/crypto/err/err_all.c ---- openssl-1.1.0h/crypto/err/err_all.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/err/err_all.c 2018-03-29 14:44:24.630236736 +0200 -@@ -43,9 +43,6 @@ - int err_load_crypto_strings_int(void) - { - if ( --#ifdef OPENSSL_FIPS -- FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata) == 0 || --#endif - #ifndef OPENSSL_NO_ERR - ERR_load_ERR_strings() == 0 || /* include error strings for SYSerr */ - ERR_load_BN_strings() == 0 || -diff -up openssl-1.1.0h/crypto/evp/c_allc.c.fips openssl-1.1.0h/crypto/evp/c_allc.c ---- openssl-1.1.0h/crypto/evp/c_allc.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/evp/c_allc.c 2018-03-29 14:44:24.630236736 +0200 -@@ -17,6 +17,9 @@ - void openssl_add_all_ciphers_int(void) - { - -+#ifdef OPENSSL_FIPS -+ if (!FIPS_mode()) { -+#endif - #ifndef OPENSSL_NO_DES - EVP_add_cipher(EVP_des_cfb()); - EVP_add_cipher(EVP_des_cfb1()); -@@ -217,4 +220,70 @@ void openssl_add_all_ciphers_int(void) - EVP_add_cipher(EVP_chacha20_poly1305()); - # endif - #endif -+#ifdef OPENSSL_FIPS -+ } else { -+# ifndef OPENSSL_NO_DES -+ EVP_add_cipher(EVP_des_ede3_cfb()); -+ -+ EVP_add_cipher(EVP_des_ede3_ofb()); -+ -+ EVP_add_cipher(EVP_des_ede3_cbc()); -+ EVP_add_cipher_alias(SN_des_ede3_cbc, "DES3"); -+ EVP_add_cipher_alias(SN_des_ede3_cbc, "des3"); -+ -+ EVP_add_cipher(EVP_des_ede3()); -+ EVP_add_cipher_alias(SN_des_ede3_ecb, "DES-EDE3-ECB"); -+ EVP_add_cipher_alias(SN_des_ede3_ecb, "des-ede3-ecb"); -+ EVP_add_cipher(EVP_des_ede3_wrap()); -+ EVP_add_cipher_alias(SN_id_smime_alg_CMS3DESwrap, "des3-wrap"); -+# endif -+ -+# ifndef OPENSSL_NO_AES -+ EVP_add_cipher(EVP_aes_128_ecb()); -+ EVP_add_cipher(EVP_aes_128_cbc()); -+ EVP_add_cipher(EVP_aes_128_cfb()); -+ EVP_add_cipher(EVP_aes_128_cfb1()); -+ EVP_add_cipher(EVP_aes_128_cfb8()); -+ EVP_add_cipher(EVP_aes_128_ofb()); -+ EVP_add_cipher(EVP_aes_128_ctr()); -+ EVP_add_cipher(EVP_aes_128_gcm()); -+ EVP_add_cipher(EVP_aes_128_xts()); -+ EVP_add_cipher(EVP_aes_128_ccm()); -+ EVP_add_cipher(EVP_aes_128_wrap()); -+ EVP_add_cipher_alias(SN_id_aes128_wrap, "aes128-wrap"); -+ EVP_add_cipher(EVP_aes_128_wrap_pad()); -+ EVP_add_cipher_alias(SN_aes_128_cbc, "AES128"); -+ EVP_add_cipher_alias(SN_aes_128_cbc, "aes128"); -+ EVP_add_cipher(EVP_aes_192_ecb()); -+ EVP_add_cipher(EVP_aes_192_cbc()); -+ EVP_add_cipher(EVP_aes_192_cfb()); -+ EVP_add_cipher(EVP_aes_192_cfb1()); -+ EVP_add_cipher(EVP_aes_192_cfb8()); -+ EVP_add_cipher(EVP_aes_192_ofb()); -+ EVP_add_cipher(EVP_aes_192_ctr()); -+ EVP_add_cipher(EVP_aes_192_gcm()); -+ EVP_add_cipher(EVP_aes_192_ccm()); -+ EVP_add_cipher(EVP_aes_192_wrap()); -+ EVP_add_cipher_alias(SN_id_aes192_wrap, "aes192-wrap"); -+ EVP_add_cipher(EVP_aes_192_wrap_pad()); -+ EVP_add_cipher_alias(SN_aes_192_cbc, "AES192"); -+ EVP_add_cipher_alias(SN_aes_192_cbc, "aes192"); -+ EVP_add_cipher(EVP_aes_256_ecb()); -+ EVP_add_cipher(EVP_aes_256_cbc()); -+ EVP_add_cipher(EVP_aes_256_cfb()); -+ EVP_add_cipher(EVP_aes_256_cfb1()); -+ EVP_add_cipher(EVP_aes_256_cfb8()); -+ EVP_add_cipher(EVP_aes_256_ofb()); -+ EVP_add_cipher(EVP_aes_256_ctr()); -+ EVP_add_cipher(EVP_aes_256_gcm()); -+ EVP_add_cipher(EVP_aes_256_xts()); -+ EVP_add_cipher(EVP_aes_256_ccm()); -+ EVP_add_cipher(EVP_aes_256_wrap()); -+ EVP_add_cipher_alias(SN_id_aes256_wrap, "aes256-wrap"); -+ EVP_add_cipher(EVP_aes_256_wrap_pad()); -+ EVP_add_cipher_alias(SN_aes_256_cbc, "AES256"); -+ EVP_add_cipher_alias(SN_aes_256_cbc, "aes256"); -+# endif -+ } -+#endif - } -diff -up openssl-1.1.0h/crypto/evp/c_alld.c.fips openssl-1.1.0h/crypto/evp/c_alld.c ---- openssl-1.1.0h/crypto/evp/c_alld.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/evp/c_alld.c 2018-03-29 14:44:24.630236736 +0200 -@@ -16,6 +16,9 @@ - - void openssl_add_all_digests_int(void) - { -+#ifdef OPENSSL_FIPS -+ if (!FIPS_mode()) { -+#endif - #ifndef OPENSSL_NO_MD4 - EVP_add_digest(EVP_md4()); - #endif -@@ -46,4 +49,15 @@ void openssl_add_all_digests_int(void) - EVP_add_digest(EVP_blake2b512()); - EVP_add_digest(EVP_blake2s256()); - #endif -+#ifdef OPENSSL_FIPS -+ } else { -+ EVP_add_digest(EVP_sha1()); -+ EVP_add_digest_alias(SN_sha1, "ssl3-sha1"); -+ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA); -+ EVP_add_digest(EVP_sha224()); -+ EVP_add_digest(EVP_sha256()); -+ EVP_add_digest(EVP_sha384()); -+ EVP_add_digest(EVP_sha512()); -+ } -+#endif - } -diff -up openssl-1.1.0h/crypto/evp/digest.c.fips openssl-1.1.0h/crypto/evp/digest.c ---- openssl-1.1.0h/crypto/evp/digest.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/evp/digest.c 2018-03-29 14:44:24.630236736 +0200 -@@ -14,6 +14,9 @@ - #include - #include "internal/evp_int.h" - #include "evp_locl.h" -+#ifdef OPENSSL_FIPS -+# include -+#endif - - /* This call frees resources associated with the context */ - int EVP_MD_CTX_reset(EVP_MD_CTX *ctx) -@@ -61,6 +64,12 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons - int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) - { - EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED); -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_EVP_DIGESTINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED); -+ return 0; -+ } -+#endif - #ifndef OPENSSL_NO_ENGINE - /* - * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so -@@ -114,6 +123,15 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c - } - #endif - if (ctx->digest != type) { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode()) { -+ if (!(type->flags & EVP_MD_FLAG_FIPS) -+ && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) { -+ EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS); -+ return 0; -+ } -+ } -+#endif - if (ctx->digest && ctx->digest->ctx_size) { - OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size); - ctx->md_data = NULL; -@@ -145,6 +163,9 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c - - int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) - { -+#ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+#endif - return ctx->update(ctx, data, count); - } - -@@ -162,6 +183,9 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, - { - int ret; - -+#ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+#endif - OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); - ret = ctx->digest->final(ctx, md); - if (size != NULL) -diff -up openssl-1.1.0h/crypto/evp/e_aes.c.fips openssl-1.1.0h/crypto/evp/e_aes.c ---- openssl-1.1.0h/crypto/evp/e_aes.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/evp/e_aes.c 2018-03-29 14:44:24.631236760 +0200 -@@ -1263,9 +1263,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX - return 1; - } - --BLOCK_CIPHER_generic_pack(NID_aes, 128, 0) -- BLOCK_CIPHER_generic_pack(NID_aes, 192, 0) -- BLOCK_CIPHER_generic_pack(NID_aes, 256, 0) -+BLOCK_CIPHER_generic_pack(NID_aes, 128, EVP_CIPH_FLAG_FIPS) -+ BLOCK_CIPHER_generic_pack(NID_aes, 192, EVP_CIPH_FLAG_FIPS) -+ BLOCK_CIPHER_generic_pack(NID_aes, 256, EVP_CIPH_FLAG_FIPS) - - static int aes_gcm_cleanup(EVP_CIPHER_CTX *c) - { -@@ -1311,6 +1311,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX * - case EVP_CTRL_AEAD_SET_IVLEN: - if (arg <= 0) - return 0; -+# ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) -+ && arg < 12) -+ return 0; -+# endif - /* Allocate memory for IV if needed */ - if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { - if (gctx->iv != EVP_CIPHER_CTX_iv_noconst(c)) -@@ -1771,11 +1776,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX - | EVP_CIPH_CUSTOM_COPY) - - BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM, -- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) -+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | -+ CUSTOM_FLAGS) - BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM, -- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) -+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | -+ CUSTOM_FLAGS) - BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM, -- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) -+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | -+ CUSTOM_FLAGS) - - static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) - { -@@ -1910,6 +1918,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX - return 0; - if (!out || !in || len < AES_BLOCK_SIZE) - return 0; -+# ifdef OPENSSL_FIPS -+ /* Requirement of SP800-38E */ -+ if (FIPS_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) && -+ (len > (1UL << 20) * 16)) { -+ EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE); -+ return 0; -+ } -+# endif - if (xctx->stream) - (*xctx->stream) (in, out, len, - xctx->xts.key1, xctx->xts.key2, -@@ -1927,8 +1943,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX - | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ - | EVP_CIPH_CUSTOM_COPY) - --BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS) -- BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS) -+BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, -+ EVP_CIPH_FLAG_FIPS | XTS_FLAGS) -+ BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, -+ EVP_CIPH_FLAG_FIPS | XTS_FLAGS) - - static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) - { -@@ -2192,11 +2210,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX - #define aes_ccm_cleanup NULL - - BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM, -- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) -+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) - BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM, -- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) -+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) - BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM, -- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) -+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) - - typedef struct { - union { -@@ -2289,7 +2307,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT - return rv ? (int)rv : -1; - } - --#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \ -+#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_FLAG_FIPS \ - | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ - | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1) - -diff -up openssl-1.1.0h/crypto/evp/e_des3.c.fips openssl-1.1.0h/crypto/evp/e_des3.c ---- openssl-1.1.0h/crypto/evp/e_des3.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/evp/e_des3.c 2018-03-29 14:44:24.631236760 +0200 -@@ -211,16 +211,19 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, - # define des_ede3_cbc_cipher des_ede_cbc_cipher - # define des_ede3_ecb_cipher des_ede_ecb_cipher - BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64, -- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1, -- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl) -+ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS | -+ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, NULL, -+ des3_ctrl) - - BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 1, -- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1, -- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl) -+ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS | -+ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, -+ NULL, des3_ctrl) - - BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 8, -- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1, -- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl) -+ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS | -+ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, -+ NULL, des3_ctrl) - - static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc) -diff -up openssl-1.1.0h/crypto/evp/e_null.c.fips openssl-1.1.0h/crypto/evp/e_null.c ---- openssl-1.1.0h/crypto/evp/e_null.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/evp/e_null.c 2018-03-29 14:44:24.631236760 +0200 -@@ -19,7 +19,8 @@ static int null_cipher(EVP_CIPHER_CTX *c - const unsigned char *in, size_t inl); - static const EVP_CIPHER n_cipher = { - NID_undef, -- 1, 0, 0, 0, -+ 1, 0, 0, -+ EVP_CIPH_FLAG_FIPS, - null_init_key, - null_cipher, - NULL, -diff -up openssl-1.1.0h/crypto/evp/evp_enc.c.fips openssl-1.1.0h/crypto/evp/evp_enc.c ---- openssl-1.1.0h/crypto/evp/evp_enc.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/evp/evp_enc.c 2018-03-29 14:44:24.631236760 +0200 -@@ -16,10 +16,19 @@ - #include - #include "internal/evp_int.h" - #include "evp_locl.h" -+#ifdef OPENSSL_FIPS -+# include -+#endif - - int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c) - { -- if (c == NULL) -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_EVP_CIPHER_CTX_RESET, FIPS_R_FIPS_SELFTEST_FAILED); -+ return 0; -+ } -+#endif -+ if (c == NULL) - return 1; - if (c->cipher != NULL) { - if (c->cipher->cleanup && !c->cipher->cleanup(c)) -@@ -38,6 +47,12 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX - - EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_EVP_CIPHER_CTX_NEW, FIPS_R_FIPS_SELFTEST_FAILED); -+ return NULL; -+ } -+#endif - return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX)); - } - -@@ -66,6 +81,12 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct - enc = 1; - ctx->encrypt = enc; - } -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_EVP_CIPHERINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED); -+ return 0; -+ } -+#endif - #ifndef OPENSSL_NO_ENGINE - /* - * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so -@@ -135,7 +156,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct - } - ctx->key_len = cipher->key_len; - /* Preserve wrap enable flag, zero everything else */ -- ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW; -+ ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW | EVP_CIPH_FLAG_NON_FIPS_ALLOW; - if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) { - if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) { - ctx->cipher = NULL; -@@ -194,6 +215,18 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct - return 0; - } - } -+#ifdef OPENSSL_FIPS -+ /* After 'key' is set no further parameters changes are permissible. -+ * So only check for non FIPS enabling at this point. -+ */ -+ if (key && FIPS_mode()) { -+ if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS) -+ & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) { -+ EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS); -+ return 0; -+ } -+ } -+#endif - - if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) { - if (!ctx->cipher->init(ctx, key, iv, enc)) -diff -up openssl-1.1.0h/crypto/evp/evp_err.c.fips openssl-1.1.0h/crypto/evp/evp_err.c ---- openssl-1.1.0h/crypto/evp/evp_err.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/evp/evp_err.c 2018-03-29 14:44:24.631236760 +0200 -@@ -24,6 +24,7 @@ static ERR_STRING_DATA EVP_str_functs[] - {ERR_FUNC(EVP_F_AES_OCB_CIPHER), "aes_ocb_cipher"}, - {ERR_FUNC(EVP_F_AES_T4_INIT_KEY), "aes_t4_init_key"}, - {ERR_FUNC(EVP_F_AES_WRAP_CIPHER), "aes_wrap_cipher"}, -+ {ERR_FUNC(EVP_F_AES_XTS_CIPHER), "aes_xts_cipher"}, - {ERR_FUNC(EVP_F_ALG_MODULE_INIT), "alg_module_init"}, - {ERR_FUNC(EVP_F_CAMELLIA_INIT_KEY), "camellia_init_key"}, - {ERR_FUNC(EVP_F_CHACHA20_POLY1305_CTRL), "chacha20_poly1305_ctrl"}, -@@ -111,6 +112,7 @@ static ERR_STRING_DATA EVP_str_reasons[] - {ERR_REASON(EVP_R_DECODE_ERROR), "decode error"}, - {ERR_REASON(EVP_R_DIFFERENT_KEY_TYPES), "different key types"}, - {ERR_REASON(EVP_R_DIFFERENT_PARAMETERS), "different parameters"}, -+ {ERR_REASON(EVP_R_DISABLED_FOR_FIPS), "disabled for FIPS"}, - {ERR_REASON(EVP_R_ERROR_LOADING_SECTION), "error loading section"}, - {ERR_REASON(EVP_R_ERROR_SETTING_FIPS_MODE), "error setting fips mode"}, - {ERR_REASON(EVP_R_EXPECTING_AN_HMAC_KEY), "expecting an hmac key"}, -@@ -150,6 +152,7 @@ static ERR_STRING_DATA EVP_str_reasons[] - {ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR), "private key decode error"}, - {ERR_REASON(EVP_R_PRIVATE_KEY_ENCODE_ERROR), "private key encode error"}, - {ERR_REASON(EVP_R_PUBLIC_KEY_NOT_RSA), "public key not rsa"}, -+ {ERR_REASON(EVP_R_TOO_LARGE), "too large"}, - {ERR_REASON(EVP_R_UNKNOWN_CIPHER), "unknown cipher"}, - {ERR_REASON(EVP_R_UNKNOWN_DIGEST), "unknown digest"}, - {ERR_REASON(EVP_R_UNKNOWN_OPTION), "unknown option"}, -diff -up openssl-1.1.0h/crypto/evp/evp_lib.c.fips openssl-1.1.0h/crypto/evp/evp_lib.c ---- openssl-1.1.0h/crypto/evp/evp_lib.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/evp/evp_lib.c 2018-03-29 14:44:24.631236760 +0200 -@@ -180,6 +180,9 @@ int EVP_CIPHER_impl_ctx_size(const EVP_C - int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, unsigned int inl) - { -+#ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+#endif - return ctx->cipher->do_cipher(ctx, out, in, inl); - } - -diff -up openssl-1.1.0h/crypto/evp/m_sha1.c.fips openssl-1.1.0h/crypto/evp/m_sha1.c ---- openssl-1.1.0h/crypto/evp/m_sha1.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/evp/m_sha1.c 2018-03-29 15:04:23.512375176 +0200 -@@ -94,7 +94,7 @@ static const EVP_MD sha1_md = { - NID_sha1, - NID_sha1WithRSAEncryption, - SHA_DIGEST_LENGTH, -- EVP_MD_FLAG_DIGALGID_ABSENT, -+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, - init, - update, - final, -@@ -144,7 +144,7 @@ static const EVP_MD sha224_md = { - NID_sha224, - NID_sha224WithRSAEncryption, - SHA224_DIGEST_LENGTH, -- EVP_MD_FLAG_DIGALGID_ABSENT, -+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, - init224, - update224, - final224, -@@ -163,7 +163,7 @@ static const EVP_MD sha256_md = { - NID_sha256, - NID_sha256WithRSAEncryption, - SHA256_DIGEST_LENGTH, -- EVP_MD_FLAG_DIGALGID_ABSENT, -+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, - init256, - update256, - final256, -@@ -213,7 +213,7 @@ static const EVP_MD sha384_md = { - NID_sha384, - NID_sha384WithRSAEncryption, - SHA384_DIGEST_LENGTH, -- EVP_MD_FLAG_DIGALGID_ABSENT, -+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, - init384, - update384, - final384, -@@ -232,7 +232,7 @@ static const EVP_MD sha512_md = { - NID_sha512, - NID_sha512WithRSAEncryption, - SHA512_DIGEST_LENGTH, -- EVP_MD_FLAG_DIGALGID_ABSENT, -+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, - init512, - update512, - final512, -diff -up openssl-1.1.0h/crypto/fips/build.info.fips openssl-1.1.0h/crypto/fips/build.info ---- openssl-1.1.0h/crypto/fips/build.info.fips 2018-03-29 14:44:24.632236783 +0200 -+++ openssl-1.1.0h/crypto/fips/build.info 2018-03-29 14:44:24.632236783 +0200 -@@ -0,0 +1,15 @@ -+LIBS=../../libcrypto -+SOURCE[../../libcrypto]=\ -+ fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c \ -+ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c \ -+ fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ -+ fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ -+ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \ -+ fips_enc.c fips_md.c fips_dh_selftest.c fips_ers.c -+ -+PROGRAMS_NO_INST=\ -+ fips_standalone_hmac -+ -+SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c -+INCLUDE[fips_standalone_hmac]=../../include -+DEPEND[fips_standalone_hmac]=../../libcrypto -diff -up openssl-1.1.0h/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.0h/crypto/fips/fips_aes_selftest.c ---- openssl-1.1.0h/crypto/fips/fips_aes_selftest.c.fips 2018-03-29 14:44:24.632236783 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_aes_selftest.c 2018-03-29 14:44:24.632236783 +0200 -@@ -0,0 +1,372 @@ -+/* ==================================================================== -+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#include -+#include -+#ifdef OPENSSL_FIPS -+# include -+# include "internal/fips_int.h" -+#endif -+ -+#ifdef OPENSSL_FIPS -+static const struct { -+ const unsigned char key[16]; -+ const unsigned char plaintext[16]; -+ const unsigned char ciphertext[16]; -+} tests[] = { -+ { -+ { -+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, -+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F}, { -+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, -+ 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}, { -+0x69, 0xC4, 0xE0, 0xD8, 0x6A, 0x7B, 0x04, 0x30, -+ 0xD8, 0xCD, 0xB7, 0x80, 0x70, 0xB4, 0xC5, 0x5A},},}; -+ -+int FIPS_selftest_aes() -+{ -+ int n; -+ int ret = 0; -+ EVP_CIPHER_CTX *ctx; -+ -+ ctx = EVP_CIPHER_CTX_new(); -+ if (ctx == NULL) -+ goto err; -+ -+ for (n = 0; n < 1; ++n) { -+ unsigned char key[16]; -+ -+ memcpy(key, tests[n].key, sizeof(key)); -+ if (fips_cipher_test(ctx, EVP_aes_128_ecb(), -+ key, NULL, -+ tests[n].plaintext, -+ tests[n].ciphertext, 16) <= 0) -+ goto err; -+ } -+ ret = 1; -+ err: -+ EVP_CIPHER_CTX_free(ctx); -+ if (ret == 0) -+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES, FIPS_R_SELFTEST_FAILED); -+ return ret; -+} -+ -+/* AES-CCM test data from NIST public test vectors */ -+ -+static const unsigned char ccm_key[] = { -+ 0xce, 0xb0, 0x09, 0xae, 0xa4, 0x45, 0x44, 0x51, 0xfe, 0xad, 0xf0, 0xe6, -+ 0xb3, 0x6f, 0x45, 0x55, 0x5d, 0xd0, 0x47, 0x23, 0xba, 0xa4, 0x48, 0xe8 -+}; -+ -+static const unsigned char ccm_nonce[] = { -+ 0x76, 0x40, 0x43, 0xc4, 0x94, 0x60, 0xb7 -+}; -+ -+static const unsigned char ccm_adata[] = { -+ 0x6e, 0x80, 0xdd, 0x7f, 0x1b, 0xad, 0xf3, 0xa1, 0xc9, 0xab, 0x25, 0xc7, -+ 0x5f, 0x10, 0xbd, 0xe7, 0x8c, 0x23, 0xfa, 0x0e, 0xb8, 0xf9, 0xaa, 0xa5, -+ 0x3a, 0xde, 0xfb, 0xf4, 0xcb, 0xf7, 0x8f, 0xe4 -+}; -+ -+static const unsigned char ccm_pt[] = { -+ 0xc8, 0xd2, 0x75, 0xf9, 0x19, 0xe1, 0x7d, 0x7f, 0xe6, 0x9c, 0x2a, 0x1f, -+ 0x58, 0x93, 0x9d, 0xfe, 0x4d, 0x40, 0x37, 0x91, 0xb5, 0xdf, 0x13, 0x10 -+}; -+ -+static const unsigned char ccm_ct[] = { -+ 0x8a, 0x0f, 0x3d, 0x82, 0x29, 0xe4, 0x8e, 0x74, 0x87, 0xfd, 0x95, 0xa2, -+ 0x8a, 0xd3, 0x92, 0xc8, 0x0b, 0x36, 0x81, 0xd4, 0xfb, 0xc7, 0xbb, 0xfd -+}; -+ -+static const unsigned char ccm_tag[] = { -+ 0x2d, 0xd6, 0xef, 0x1c, 0x45, 0xd4, 0xcc, 0xb7, 0x23, 0xdc, 0x07, 0x44, -+ 0x14, 0xdb, 0x50, 0x6d -+}; -+ -+int FIPS_selftest_aes_ccm(void) -+{ -+ int ret = 0; -+ unsigned char out[128], tag[16]; -+ EVP_CIPHER_CTX *ctx; -+ -+ ctx = EVP_CIPHER_CTX_new(); -+ if (ctx == NULL) -+ goto err; -+ -+ memset(out, 0, sizeof(out)); -+ if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 1)) -+ goto err; -+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, -+ sizeof(ccm_nonce), NULL)) -+ goto err; -+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, -+ sizeof(ccm_tag), NULL)) -+ goto err; -+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 1)) -+ goto err; -+ if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_pt)) != sizeof(ccm_pt)) -+ goto err; -+ if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0) -+ goto err; -+ if (EVP_Cipher(ctx, out, ccm_pt, sizeof(ccm_pt)) != sizeof(ccm_ct)) -+ goto err; -+ -+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG, 16, tag)) -+ goto err; -+ if (memcmp(tag, ccm_tag, sizeof(ccm_tag)) -+ || memcmp(out, ccm_ct, sizeof(ccm_ct))) -+ goto err; -+ -+ memset(out, 0, sizeof(out)); -+ -+ if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 0)) -+ goto err; -+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, -+ sizeof(ccm_nonce), NULL)) -+ goto err; -+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, 16, tag)) -+ goto err; -+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 0)) -+ goto err; -+ if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_ct)) != sizeof(ccm_ct)) -+ goto err; -+ if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0) -+ goto err; -+ if (EVP_Cipher(ctx, out, ccm_ct, sizeof(ccm_ct)) != sizeof(ccm_pt)) -+ goto err; -+ -+ if (memcmp(out, ccm_pt, sizeof(ccm_pt))) -+ goto err; -+ -+ ret = 1; -+ -+ err: -+ EVP_CIPHER_CTX_free(ctx); -+ -+ if (ret == 0) { -+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_CCM, FIPS_R_SELFTEST_FAILED); -+ return 0; -+ } else -+ return ret; -+ -+} -+ -+/* AES-GCM test data from NIST public test vectors */ -+ -+static const unsigned char gcm_key[] = { -+ 0xee, 0xbc, 0x1f, 0x57, 0x48, 0x7f, 0x51, 0x92, 0x1c, 0x04, 0x65, 0x66, -+ 0x5f, 0x8a, 0xe6, 0xd1, 0x65, 0x8b, 0xb2, 0x6d, 0xe6, 0xf8, 0xa0, 0x69, -+ 0xa3, 0x52, 0x02, 0x93, 0xa5, 0x72, 0x07, 0x8f -+}; -+ -+static const unsigned char gcm_iv[] = { -+ 0x99, 0xaa, 0x3e, 0x68, 0xed, 0x81, 0x73, 0xa0, 0xee, 0xd0, 0x66, 0x84 -+}; -+ -+static const unsigned char gcm_pt[] = { -+ 0xf5, 0x6e, 0x87, 0x05, 0x5b, 0xc3, 0x2d, 0x0e, 0xeb, 0x31, 0xb2, 0xea, -+ 0xcc, 0x2b, 0xf2, 0xa5 -+}; -+ -+static const unsigned char gcm_aad[] = { -+ 0x4d, 0x23, 0xc3, 0xce, 0xc3, 0x34, 0xb4, 0x9b, 0xdb, 0x37, 0x0c, 0x43, -+ 0x7f, 0xec, 0x78, 0xde -+}; -+ -+static const unsigned char gcm_ct[] = { -+ 0xf7, 0x26, 0x44, 0x13, 0xa8, 0x4c, 0x0e, 0x7c, 0xd5, 0x36, 0x86, 0x7e, -+ 0xb9, 0xf2, 0x17, 0x36 -+}; -+ -+static const unsigned char gcm_tag[] = { -+ 0x67, 0xba, 0x05, 0x10, 0x26, 0x2a, 0xe4, 0x87, 0xd7, 0x37, 0xee, 0x62, -+ 0x98, 0xf7, 0x7e, 0x0c -+}; -+ -+int FIPS_selftest_aes_gcm(void) -+{ -+ int ret = 0; -+ unsigned char out[128], tag[16]; -+ EVP_CIPHER_CTX *ctx; -+ -+ ctx = EVP_CIPHER_CTX_new(); -+ if (ctx == NULL) -+ goto err; -+ -+ memset(out, 0, sizeof(out)); -+ memset(tag, 0, sizeof(tag)); -+ if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 1)) -+ goto err; -+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, -+ sizeof(gcm_iv), NULL)) -+ goto err; -+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 1)) -+ goto err; -+ if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0) -+ goto err; -+ if (EVP_Cipher(ctx, out, gcm_pt, sizeof(gcm_pt)) != sizeof(gcm_ct)) -+ goto err; -+ if (EVP_Cipher(ctx, NULL, NULL, 0) < 0) -+ goto err; -+ -+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag)) -+ goto err; -+ -+ if (memcmp(tag, gcm_tag, 16) || memcmp(out, gcm_ct, 16)) -+ goto err; -+ -+ memset(out, 0, sizeof(out)); -+ -+ if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 0)) -+ goto err; -+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, -+ sizeof(gcm_iv), NULL)) -+ goto err; -+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, tag)) -+ goto err; -+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 0)) -+ goto err; -+ if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0) -+ goto err; -+ if (EVP_Cipher(ctx, out, gcm_ct, sizeof(gcm_ct)) != sizeof(gcm_pt)) -+ goto err; -+ if (EVP_Cipher(ctx, NULL, NULL, 0) < 0) -+ goto err; -+ -+ if (memcmp(out, gcm_pt, 16)) -+ goto err; -+ -+ ret = 1; -+ -+ err: -+ EVP_CIPHER_CTX_free(ctx); -+ -+ if (ret == 0) { -+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_GCM, FIPS_R_SELFTEST_FAILED); -+ return 0; -+ } else -+ return ret; -+ -+} -+ -+static const unsigned char XTS_128_key[] = { -+ 0xa1, 0xb9, 0x0c, 0xba, 0x3f, 0x06, 0xac, 0x35, 0x3b, 0x2c, 0x34, 0x38, -+ 0x76, 0x08, 0x17, 0x62, 0x09, 0x09, 0x23, 0x02, 0x6e, 0x91, 0x77, 0x18, -+ 0x15, 0xf2, 0x9d, 0xab, 0x01, 0x93, 0x2f, 0x2f -+}; -+ -+static const unsigned char XTS_128_i[] = { -+ 0x4f, 0xae, 0xf7, 0x11, 0x7c, 0xda, 0x59, 0xc6, 0x6e, 0x4b, 0x92, 0x01, -+ 0x3e, 0x76, 0x8a, 0xd5 -+}; -+ -+static const unsigned char XTS_128_pt[] = { -+ 0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d, 0x6f, 0xb3, 0x50, 0x39, -+ 0x07, 0x90, 0x31, 0x1c -+}; -+ -+static const unsigned char XTS_128_ct[] = { -+ 0x77, 0x8a, 0xe8, 0xb4, 0x3c, 0xb9, 0x8d, 0x5a, 0x82, 0x50, 0x81, 0xd5, -+ 0xbe, 0x47, 0x1c, 0x63 -+}; -+ -+static const unsigned char XTS_256_key[] = { -+ 0x1e, 0xa6, 0x61, 0xc5, 0x8d, 0x94, 0x3a, 0x0e, 0x48, 0x01, 0xe4, 0x2f, -+ 0x4b, 0x09, 0x47, 0x14, 0x9e, 0x7f, 0x9f, 0x8e, 0x3e, 0x68, 0xd0, 0xc7, -+ 0x50, 0x52, 0x10, 0xbd, 0x31, 0x1a, 0x0e, 0x7c, 0xd6, 0xe1, 0x3f, 0xfd, -+ 0xf2, 0x41, 0x8d, 0x8d, 0x19, 0x11, 0xc0, 0x04, 0xcd, 0xa5, 0x8d, 0xa3, -+ 0xd6, 0x19, 0xb7, 0xe2, 0xb9, 0x14, 0x1e, 0x58, 0x31, 0x8e, 0xea, 0x39, -+ 0x2c, 0xf4, 0x1b, 0x08 -+}; -+ -+static const unsigned char XTS_256_i[] = { -+ 0xad, 0xf8, 0xd9, 0x26, 0x27, 0x46, 0x4a, 0xd2, 0xf0, 0x42, 0x8e, 0x84, -+ 0xa9, 0xf8, 0x75, 0x64 -+}; -+ -+static const unsigned char XTS_256_pt[] = { -+ 0x2e, 0xed, 0xea, 0x52, 0xcd, 0x82, 0x15, 0xe1, 0xac, 0xc6, 0x47, 0xe8, -+ 0x10, 0xbb, 0xc3, 0x64, 0x2e, 0x87, 0x28, 0x7f, 0x8d, 0x2e, 0x57, 0xe3, -+ 0x6c, 0x0a, 0x24, 0xfb, 0xc1, 0x2a, 0x20, 0x2e -+}; -+ -+static const unsigned char XTS_256_ct[] = { -+ 0xcb, 0xaa, 0xd0, 0xe2, 0xf6, 0xce, 0xa3, 0xf5, 0x0b, 0x37, 0xf9, 0x34, -+ 0xd4, 0x6a, 0x9b, 0x13, 0x0b, 0x9d, 0x54, 0xf0, 0x7e, 0x34, 0xf3, 0x6a, -+ 0xf7, 0x93, 0xe8, 0x6f, 0x73, 0xc6, 0xd7, 0xdb -+}; -+ -+int FIPS_selftest_aes_xts() -+{ -+ int ret = 1; -+ EVP_CIPHER_CTX *ctx; -+ -+ ctx = EVP_CIPHER_CTX_new(); -+ if (ctx == NULL) -+ goto err; -+ -+ if (fips_cipher_test(ctx, EVP_aes_128_xts(), -+ XTS_128_key, XTS_128_i, XTS_128_pt, XTS_128_ct, -+ sizeof(XTS_128_pt)) <= 0) -+ ret = 0; -+ -+ if (fips_cipher_test(ctx, EVP_aes_256_xts(), -+ XTS_256_key, XTS_256_i, XTS_256_pt, XTS_256_ct, -+ sizeof(XTS_256_pt)) <= 0) -+ ret = 0; -+ -+ EVP_CIPHER_CTX_free(ctx); -+ -+ err: -+ if (ret == 0) -+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_XTS, FIPS_R_SELFTEST_FAILED); -+ return ret; -+} -+ -+#endif -diff -up openssl-1.1.0h/crypto/fips/fips.c.fips openssl-1.1.0h/crypto/fips/fips.c ---- openssl-1.1.0h/crypto/fips/fips.c.fips 2018-03-29 14:44:24.632236783 +0200 -+++ openssl-1.1.0h/crypto/fips/fips.c 2018-03-29 14:44:24.632236783 +0200 -@@ -0,0 +1,526 @@ -+/* ==================================================================== -+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#define _GNU_SOURCE -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "fips_locl.h" -+ -+#ifdef OPENSSL_FIPS -+ -+# include -+# include "internal/thread_once.h" -+ -+# ifndef PATH_MAX -+# define PATH_MAX 1024 -+# endif -+ -+static int fips_selftest_fail = 0; -+static int fips_mode = 0; -+static int fips_started = 0; -+ -+static int fips_is_owning_thread(void); -+static int fips_set_owning_thread(void); -+static int fips_clear_owning_thread(void); -+ -+static CRYPTO_RWLOCK *fips_lock = NULL; -+static CRYPTO_RWLOCK *fips_owning_lock = NULL; -+static CRYPTO_ONCE fips_lock_init = CRYPTO_ONCE_STATIC_INIT; -+ -+DEFINE_RUN_ONCE_STATIC(do_fips_lock_init) -+{ -+ fips_lock = CRYPTO_THREAD_lock_new(); -+ fips_owning_lock = CRYPTO_THREAD_lock_new(); -+ return fips_lock != NULL && fips_owning_lock != NULL; -+} -+ -+# define fips_w_lock() CRYPTO_THREAD_write_lock(fips_lock) -+# define fips_w_unlock() CRYPTO_THREAD_unlock(fips_lock) -+# define fips_r_lock() CRYPTO_THREAD_read_lock(fips_lock) -+# define fips_r_unlock() CRYPTO_THREAD_unlock(fips_lock) -+ -+static void fips_set_mode(int onoff) -+{ -+ int owning_thread = fips_is_owning_thread(); -+ -+ if (fips_started) { -+ if (!owning_thread) -+ fips_w_lock(); -+ fips_mode = onoff; -+ if (!owning_thread) -+ fips_w_unlock(); -+ } -+} -+ -+int FIPS_module_mode(void) -+{ -+ int ret = 0; -+ int owning_thread = fips_is_owning_thread(); -+ -+ if (fips_started) { -+ if (!owning_thread) -+ fips_r_lock(); -+ ret = fips_mode; -+ if (!owning_thread) -+ fips_r_unlock(); -+ } -+ return ret; -+} -+ -+/* just a compat symbol - return NULL */ -+int FIPS_selftest_failed(void) -+{ -+ int ret = 0; -+ if (fips_started) { -+ int owning_thread = fips_is_owning_thread(); -+ -+ if (!owning_thread) -+ fips_r_lock(); -+ ret = fips_selftest_fail; -+ if (!owning_thread) -+ fips_r_unlock(); -+ } -+ return ret; -+} -+ -+/* Selftest failure fatal exit routine. This will be called -+ * during *any* cryptographic operation. It has the minimum -+ * overhead possible to avoid too big a performance hit. -+ */ -+ -+void FIPS_selftest_check(void) -+{ -+ if (fips_selftest_fail) { -+ OpenSSLDie(__FILE__, __LINE__, "FATAL FIPS SELFTEST FAILURE"); -+ } -+} -+ -+void fips_set_selftest_fail(void) -+{ -+ fips_selftest_fail = 1; -+} -+ -+/* we implement what libfipscheck does ourselves */ -+ -+static int -+get_library_path(const char *libname, const char *symbolname, char *path, -+ size_t pathlen) -+{ -+ Dl_info info; -+ void *dl, *sym; -+ int rv = -1; -+ -+ dl = dlopen(libname, RTLD_LAZY); -+ if (dl == NULL) { -+ return -1; -+ } -+ -+ sym = dlsym(dl, symbolname); -+ -+ if (sym != NULL && dladdr(sym, &info)) { -+ strncpy(path, info.dli_fname, pathlen - 1); -+ path[pathlen - 1] = '\0'; -+ rv = 0; -+ } -+ -+ dlclose(dl); -+ -+ return rv; -+} -+ -+static const char conv[] = "0123456789abcdef"; -+ -+static char *bin2hex(void *buf, size_t len) -+{ -+ char *hex, *p; -+ unsigned char *src = buf; -+ -+ hex = malloc(len * 2 + 1); -+ if (hex == NULL) -+ return NULL; -+ -+ p = hex; -+ -+ while (len > 0) { -+ unsigned c; -+ -+ c = *src; -+ src++; -+ -+ *p = conv[c >> 4]; -+ ++p; -+ *p = conv[c & 0x0f]; -+ ++p; -+ --len; -+ } -+ *p = '\0'; -+ return hex; -+} -+ -+# define HMAC_PREFIX "." -+# ifndef HMAC_SUFFIX -+# define HMAC_SUFFIX ".hmac" -+# endif -+# define READ_BUFFER_LENGTH 16384 -+ -+static char *make_hmac_path(const char *origpath) -+{ -+ char *path, *p; -+ const char *fn; -+ -+ path = -+ malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath)); -+ if (path == NULL) { -+ return NULL; -+ } -+ -+ fn = strrchr(origpath, '/'); -+ if (fn == NULL) { -+ fn = origpath; -+ } else { -+ ++fn; -+ } -+ -+ strncpy(path, origpath, fn - origpath); -+ p = path + (fn - origpath); -+ p = stpcpy(p, HMAC_PREFIX); -+ p = stpcpy(p, fn); -+ p = stpcpy(p, HMAC_SUFFIX); -+ -+ return path; -+} -+ -+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP"; -+ -+static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen) -+{ -+ FILE *f = NULL; -+ int rv = -1; -+ unsigned char rbuf[READ_BUFFER_LENGTH]; -+ size_t len; -+ unsigned int hlen; -+ HMAC_CTX *c; -+ -+ c = HMAC_CTX_new(); -+ if (c == NULL) -+ return rv; -+ -+ f = fopen(path, "r"); -+ -+ if (f == NULL) { -+ goto end; -+ } -+ -+ if (HMAC_Init_ex(c, hmackey, sizeof(hmackey) - 1, EVP_sha256(), NULL) <= 0) { -+ goto end; -+ } -+ -+ while ((len = fread(rbuf, 1, sizeof(rbuf), f)) != 0) { -+ if (HMAC_Update(c, rbuf, len) <= 0) { -+ goto end; -+ } -+ } -+ -+ len = sizeof(rbuf); -+ /* reuse rbuf for hmac */ -+ if (HMAC_Final(c, rbuf, &hlen) <= 0) { -+ goto end; -+ } -+ -+ *buf = malloc(hlen); -+ if (*buf == NULL) { -+ goto end; -+ } -+ -+ *hmaclen = hlen; -+ -+ memcpy(*buf, rbuf, hlen); -+ -+ rv = 0; -+ end: -+ HMAC_CTX_free(c); -+ -+ if (f) -+ fclose(f); -+ -+ return rv; -+} -+ -+static int FIPSCHECK_verify(const char *path) -+{ -+ int rv = 0; -+ FILE *hf; -+ char *hmacpath, *p; -+ char *hmac = NULL; -+ size_t n; -+ -+ hmacpath = make_hmac_path(path); -+ if (hmacpath == NULL) -+ return 0; -+ -+ hf = fopen(hmacpath, "r"); -+ if (hf == NULL) { -+ free(hmacpath); -+ return 0; -+ } -+ -+ if (getline(&hmac, &n, hf) > 0) { -+ void *buf; -+ size_t hmaclen; -+ char *hex; -+ -+ if ((p = strchr(hmac, '\n')) != NULL) -+ *p = '\0'; -+ -+ if (compute_file_hmac(path, &buf, &hmaclen) < 0) { -+ rv = -4; -+ goto end; -+ } -+ -+ if ((hex = bin2hex(buf, hmaclen)) == NULL) { -+ free(buf); -+ rv = -5; -+ goto end; -+ } -+ -+ if (strcmp(hex, hmac) != 0) { -+ rv = -1; -+ } -+ free(buf); -+ free(hex); -+ } else { -+ rv = -1; -+ } -+ -+ end: -+ free(hmac); -+ free(hmacpath); -+ fclose(hf); -+ -+ if (rv < 0) -+ return 0; -+ -+ /* check successful */ -+ return 1; -+} -+ -+static int verify_checksums(void) -+{ -+ int rv; -+ char path[PATH_MAX + 1]; -+ char *p; -+ -+ /* we need to avoid dlopening libssl, assume both libcrypto and libssl -+ are in the same directory */ -+ -+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, -+ "FIPS_mode_set", path, sizeof(path)); -+ if (rv < 0) -+ return 0; -+ -+ rv = FIPSCHECK_verify(path); -+ if (!rv) -+ return 0; -+ -+ /* replace libcrypto with libssl */ -+ while ((p = strstr(path, "libcrypto.so")) != NULL) { -+ p = stpcpy(p, "libssl"); -+ memmove(p, p + 3, strlen(p + 2)); -+ } -+ -+ rv = FIPSCHECK_verify(path); -+ if (!rv) -+ return 0; -+ return 1; -+} -+ -+# ifndef FIPS_MODULE_PATH -+# define FIPS_MODULE_PATH "/etc/system-fips" -+# endif -+ -+int FIPS_module_installed(void) -+{ -+ int rv; -+ rv = access(FIPS_MODULE_PATH, F_OK); -+ if (rv < 0 && errno != ENOENT) -+ rv = 0; -+ -+ /* Installed == true */ -+ return !rv; -+} -+ -+int FIPS_module_mode_set(int onoff) -+{ -+ int ret = 0; -+ -+ if (!RUN_ONCE(&fips_lock_init, do_fips_lock_init)) -+ return NULL; -+ -+ fips_w_lock(); -+ fips_started = 1; -+ fips_set_owning_thread(); -+ -+ if (onoff) { -+ -+ fips_selftest_fail = 0; -+ -+ /* Don't go into FIPS mode twice, just so we can do automagic -+ seeding */ -+ if (FIPS_module_mode()) { -+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, -+ FIPS_R_FIPS_MODE_ALREADY_SET); -+ fips_selftest_fail = 1; -+ ret = 0; -+ goto end; -+ } -+# ifdef OPENSSL_IA32_SSE2 -+ { -+ extern unsigned int OPENSSL_ia32cap_P[2]; -+ if ((OPENSSL_ia32cap_P[0] & (1 << 25 | 1 << 26)) != -+ (1 << 25 | 1 << 26)) { -+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, -+ FIPS_R_UNSUPPORTED_PLATFORM); -+ fips_selftest_fail = 1; -+ ret = 0; -+ goto end; -+ } -+ } -+# endif -+ -+ if (!FIPS_selftest()) { -+ fips_selftest_fail = 1; -+ ret = 0; -+ goto end; -+ } -+ -+ if (!verify_checksums()) { -+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, -+ FIPS_R_FINGERPRINT_DOES_NOT_MATCH); -+ fips_selftest_fail = 1; -+ ret = 0; -+ goto end; -+ } -+ -+ fips_set_mode(onoff); -+ ret = 1; -+ goto end; -+ } -+ fips_set_mode(0); -+ fips_selftest_fail = 0; -+ ret = 1; -+ end: -+ fips_clear_owning_thread(); -+ fips_w_unlock(); -+ return ret; -+} -+ -+static CRYPTO_THREAD_ID fips_threadid; -+static int fips_thread_set = 0; -+ -+static int fips_is_owning_thread(void) -+{ -+ int ret = 0; -+ -+ if (fips_started) { -+ CRYPTO_THREAD_read_lock(fips_owning_lock); -+ if (fips_thread_set) { -+ CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id(); -+ if (CRYPTO_THREAD_compare_id(fips_threadid, cur)) -+ ret = 1; -+ } -+ CRYPTO_THREAD_unlock(fips_owning_lock); -+ } -+ return ret; -+} -+ -+int fips_set_owning_thread(void) -+{ -+ int ret = 0; -+ -+ if (fips_started) { -+ CRYPTO_THREAD_write_lock(fips_owning_lock); -+ if (!fips_thread_set) { -+ fips_threadid = CRYPTO_THREAD_get_current_id(); -+ ret = 1; -+ fips_thread_set = 1; -+ } -+ CRYPTO_THREAD_unlock(fips_owning_lock); -+ } -+ return ret; -+} -+ -+int fips_clear_owning_thread(void) -+{ -+ int ret = 0; -+ -+ if (fips_started) { -+ CRYPTO_THREAD_write_lock(fips_owning_lock); -+ if (fips_thread_set) { -+ CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id(); -+ if (CRYPTO_THREAD_compare_id(fips_threadid, cur)) -+ fips_thread_set = 0; -+ } -+ CRYPTO_THREAD_unlock(fips_owning_lock); -+ } -+ return ret; -+} -+ -+#endif -diff -up openssl-1.1.0h/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.0h/crypto/fips/fips_cmac_selftest.c ---- openssl-1.1.0h/crypto/fips/fips_cmac_selftest.c.fips 2018-03-29 14:44:24.632236783 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_cmac_selftest.c 2018-03-29 14:44:24.632236783 +0200 -@@ -0,0 +1,156 @@ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#include -+#include -+#include -+#include "internal/fips_int.h" -+#include -+#include "fips_locl.h" -+ -+#ifdef OPENSSL_FIPS -+typedef struct { -+ int nid; -+ const unsigned char key[EVP_MAX_KEY_LENGTH]; -+ size_t keysize; -+ const unsigned char msg[64]; -+ size_t msgsize; -+ const unsigned char mac[32]; -+ size_t macsize; -+} CMAC_KAT; -+ -+/* from http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf */ -+static const CMAC_KAT vector[] = { -+ {NID_aes_128_cbc, /* Count = 32 from CMACGenAES128.txt */ -+ {0x77, 0xa7, 0x7f, 0xaf, 0x29, 0x0c, 0x1f, 0xa3, -+ 0x0c, 0x68, 0x3d, 0xf1, 0x6b, 0xa7, 0xa7, 0x7b,}, 128, -+ {0x02, 0x06, 0x83, 0xe1, 0xf0, 0x39, 0x2f, 0x4c, -+ 0xac, 0x54, 0x31, 0x8b, 0x60, 0x29, 0x25, 0x9e, -+ 0x9c, 0x55, 0x3d, 0xbc, 0x4b, 0x6a, 0xd9, 0x98, -+ 0xe6, 0x4d, 0x58, 0xe4, 0xe7, 0xdc, 0x2e, 0x13,}, 256, -+ {0xfb, 0xfe, 0xa4, 0x1b,}, 32}, -+ {NID_aes_192_cbc, /* Count = 23 from CMACGenAES192.txt */ -+ {0x7b, 0x32, 0x39, 0x13, 0x69, 0xaa, 0x4c, 0xa9, -+ 0x75, 0x58, 0x09, 0x5b, 0xe3, 0xc3, 0xec, 0x86, -+ 0x2b, 0xd0, 0x57, 0xce, 0xf1, 0xe3, 0x2d, 0x62,}, 192, -+ {0x0}, 0, -+ {0xe4, 0xd9, 0x34, 0x0b, 0x03, 0xe6, 0x7d, 0xef, -+ 0xd4, 0x96, 0x9c, 0xc1, 0xed, 0x37, 0x35, 0xe6,}, 128, -+ }, -+ {NID_aes_256_cbc, /* Count = 33 from CMACGenAES256.txt */ -+ {0x0b, 0x12, 0x2a, 0xc8, 0xf3, 0x4e, 0xd1, 0xfe, -+ 0x08, 0x2a, 0x36, 0x25, 0xd1, 0x57, 0x56, 0x14, -+ 0x54, 0x16, 0x7a, 0xc1, 0x45, 0xa1, 0x0b, 0xbf, -+ 0x77, 0xc6, 0xa7, 0x05, 0x96, 0xd5, 0x74, 0xf1,}, 256, -+ {0x49, 0x8b, 0x53, 0xfd, 0xec, 0x87, 0xed, 0xcb, -+ 0xf0, 0x70, 0x97, 0xdc, 0xcd, 0xe9, 0x3a, 0x08, -+ 0x4b, 0xad, 0x75, 0x01, 0xa2, 0x24, 0xe3, 0x88, -+ 0xdf, 0x34, 0x9c, 0xe1, 0x89, 0x59, 0xfe, 0x84, -+ 0x85, 0xf8, 0xad, 0x15, 0x37, 0xf0, 0xd8, 0x96, -+ 0xea, 0x73, 0xbe, 0xdc, 0x72, 0x14, 0x71, 0x3f,}, 384, -+ {0xf6, 0x2c, 0x46, 0x32, 0x9b,}, 40, -+ }, -+ {NID_des_ede3_cbc, /* Count = 41 from CMACGenTDES3.req */ -+ {0x89, 0xbc, 0xd9, 0x52, 0xa8, 0xc8, 0xab, 0x37, -+ 0x1a, 0xf4, 0x8a, 0xc7, 0xd0, 0x70, 0x85, 0xd5, -+ 0xef, 0xf7, 0x02, 0xe6, 0xd6, 0x2c, 0xdc, 0x23,}, 192, -+ {0xfa, 0x62, 0x0c, 0x1b, 0xbe, 0x97, 0x31, 0x9e, -+ 0x9a, 0x0c, 0xf0, 0x49, 0x21, 0x21, 0xf7, 0xa2, -+ 0x0e, 0xb0, 0x8a, 0x6a, 0x70, 0x9d, 0xcb, 0xd0, -+ 0x0a, 0xaf, 0x38, 0xe4, 0xf9, 0x9e, 0x75, 0x4e,}, 256, -+ {0x8f, 0x49, 0xa1, 0xb7, 0xd6, 0xaa, 0x22, 0x58,}, 64, -+ }, -+}; -+ -+int FIPS_selftest_cmac() -+{ -+ size_t n, outlen; -+ unsigned char out[32]; -+ const EVP_CIPHER *cipher; -+ CMAC_CTX *ctx = CMAC_CTX_new(); -+ const CMAC_KAT *t; -+ int rv = 1; -+ -+ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) { -+ cipher = FIPS_get_cipherbynid(t->nid); -+ if (!cipher) { -+ rv = -1; -+ goto err; -+ } -+ if (!CMAC_Init(ctx, t->key, t->keysize / 8, cipher, 0)) { -+ rv = -1; -+ goto err; -+ } -+ if (!CMAC_Update(ctx, t->msg, t->msgsize / 8)) { -+ rv = -1; -+ goto err; -+ } -+ -+ if (!CMAC_Final(ctx, out, &outlen)) { -+ rv = -1; -+ goto err; -+ } -+ -+ if (outlen < t->macsize / 8 || memcmp(out, t->mac, t->macsize / 8)) { -+ rv = 0; -+ } -+ } -+ -+ err: -+ CMAC_CTX_free(ctx); -+ -+ if (rv == -1) { -+ rv = 0; -+ } -+ if (!rv) -+ FIPSerr(FIPS_F_FIPS_SELFTEST_CMAC, FIPS_R_SELFTEST_FAILED); -+ -+ return rv; -+} -+#endif -diff -up openssl-1.1.0h/crypto/fips/fips_des_selftest.c.fips openssl-1.1.0h/crypto/fips/fips_des_selftest.c ---- openssl-1.1.0h/crypto/fips/fips_des_selftest.c.fips 2018-03-29 14:44:24.632236783 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_des_selftest.c 2018-03-29 14:44:24.632236783 +0200 -@@ -0,0 +1,133 @@ -+/* ==================================================================== -+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#include -+#include -+#ifdef OPENSSL_FIPS -+# include -+# include "internal/fips_int.h" -+#endif -+#include -+ -+#ifdef OPENSSL_FIPS -+ -+static const struct { -+ const unsigned char key[16]; -+ const unsigned char plaintext[8]; -+ const unsigned char ciphertext[8]; -+} tests2[] = { -+ { -+ { -+ 0x7c, 0x4f, 0x6e, 0xf7, 0xa2, 0x04, 0x16, 0xec, -+ 0x0b, 0x6b, 0x7c, 0x9e, 0x5e, 0x19, 0xa7, 0xc4}, { -+ 0x06, 0xa7, 0xd8, 0x79, 0xaa, 0xce, 0x69, 0xef}, { -+ 0x4c, 0x11, 0x17, 0x55, 0xbf, 0xc4, 0x4e, 0xfd} -+ }, { -+ { -+ 0x5d, 0x9e, 0x01, 0xd3, 0x25, 0xc7, 0x3e, 0x34, -+ 0x01, 0x16, 0x7c, 0x85, 0x23, 0xdf, 0xe0, 0x68}, { -+ 0x9c, 0x50, 0x09, 0x0f, 0x5e, 0x7d, 0x69, 0x7e}, { -+ 0xd2, 0x0b, 0x18, 0xdf, 0xd9, 0x0d, 0x9e, 0xff},} -+}; -+ -+static const struct { -+ const unsigned char key[24]; -+ const unsigned char plaintext[8]; -+ const unsigned char ciphertext[8]; -+} tests3[] = { -+ { -+ { -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -+ 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, -+ 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0}, { -+ 0x8f, 0x8f, 0xbf, 0x9b, 0x5d, 0x48, 0xb4, 0x1c}, { -+ 0x59, 0x8c, 0xe5, 0xd3, 0x6c, 0xa2, 0xea, 0x1b},}, { -+ { -+ 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, 0xFE, -+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, -+ 0xED, 0x39, 0xD9, 0x50, 0xFA, 0x74, 0xBC, 0xC4}, { -+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}, { -+0x11, 0x25, 0xb0, 0x35, 0xbe, 0xa0, 0x82, 0x86},},}; -+ -+int FIPS_selftest_des() -+{ -+ int n, ret = 0; -+ EVP_CIPHER_CTX *ctx; -+ -+ ctx = EVP_CIPHER_CTX_new(); -+ if (ctx == NULL) -+ goto err; -+ -+ /* Encrypt/decrypt with 2-key 3DES and compare to known answers */ -+ for (n = 0; n < 2; ++n) { -+ unsigned char plaintext[8]; -+ -+ memcpy(plaintext, tests2[n].plaintext, sizeof(plaintext)); -+ if (!fips_cipher_test(ctx, EVP_des_ede_ecb(), -+ tests2[n].key, NULL, -+ plaintext, tests2[n].ciphertext, 8)) -+ goto err; -+ } -+ -+ /* Encrypt/decrypt with 3DES and compare to known answers */ -+ for (n = 0; n < 2; ++n) { -+ if (!fips_cipher_test(ctx, EVP_des_ede3_ecb(), -+ tests3[n].key, NULL, -+ tests3[n].plaintext, tests3[n].ciphertext, 8)) -+ goto err; -+ } -+ ret = 1; -+ err: -+ EVP_CIPHER_CTX_free(ctx); -+ if (ret == 0) -+ FIPSerr(FIPS_F_FIPS_SELFTEST_DES, FIPS_R_SELFTEST_FAILED); -+ -+ return ret; -+} -+#endif -diff -up openssl-1.1.0h/crypto/fips/fips_dh_selftest.c.fips openssl-1.1.0h/crypto/fips/fips_dh_selftest.c ---- openssl-1.1.0h/crypto/fips/fips_dh_selftest.c.fips 2018-03-29 14:44:24.633236807 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_dh_selftest.c 2018-03-29 14:44:24.633236807 +0200 -@@ -0,0 +1,180 @@ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * Copyright (c) 2013 Red Hat, Inc. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "fips_locl.h" -+ -+#ifdef OPENSSL_FIPS -+ -+static const unsigned char dh_test_2048_p[] = { -+ 0xAE, 0xEC, 0xEE, 0x22, 0xFA, 0x3A, 0xA5, 0x22, 0xC0, 0xDE, 0x0F, 0x09, -+ 0x7E, 0x17, 0xC0, 0x05, 0xF9, 0xF1, 0xE7, 0xC6, 0x87, 0x14, 0x6D, 0x11, -+ 0xE7, 0xAE, 0xED, 0x2F, 0x72, 0x59, 0xC5, 0xA9, 0x9B, 0xB8, 0x02, 0xA5, -+ 0xF3, 0x69, 0x70, 0xD6, 0xDD, 0x90, 0xF9, 0x19, 0x79, 0xBE, 0x60, 0x8F, -+ 0x25, 0x92, 0x30, 0x1C, 0x51, 0x51, 0x38, 0x26, 0x82, 0x25, 0xE6, 0xFC, -+ 0xED, 0x65, 0x96, 0x8F, 0x57, 0xE5, 0x53, 0x8B, 0x38, 0x63, 0xC7, 0xCE, -+ 0xBC, 0x1B, 0x4D, 0x18, 0x2A, 0x5B, 0x04, 0x3F, 0x6A, 0x3C, 0x94, 0x39, -+ 0xAE, 0x36, 0xD6, 0x5E, 0x0F, 0xA2, 0xCC, 0xD0, 0xD4, 0xD5, 0xC6, 0x1E, -+ 0xF6, 0xA0, 0xF5, 0x89, 0x4E, 0xB4, 0x0B, 0xA4, 0xB3, 0x2B, 0x3D, 0xE2, -+ 0x4E, 0xE1, 0x49, 0x25, 0x99, 0x5F, 0x32, 0x16, 0x33, 0x32, 0x1B, 0x7A, -+ 0xA5, 0x5C, 0x6B, 0x34, 0x0D, 0x39, 0x99, 0xDC, 0xF0, 0x76, 0xE5, 0x5A, -+ 0xD4, 0x71, 0x00, 0xED, 0x5A, 0x73, 0xFB, 0xC8, 0x01, 0xAD, 0x99, 0xCF, -+ 0x99, 0x52, 0x7C, 0x9C, 0x64, 0xC6, 0x76, 0x40, 0x57, 0xAF, 0x59, 0xD7, -+ 0x38, 0x0B, 0x40, 0xDE, 0x33, 0x0D, 0xB8, 0x76, 0xEC, 0xA9, 0xD8, 0x73, -+ 0xF8, 0xEF, 0x26, 0x66, 0x06, 0x27, 0xDD, 0x7C, 0xA4, 0x10, 0x9C, 0xA6, -+ 0xAA, 0xF9, 0x53, 0x62, 0x73, 0x1D, 0xBA, 0x1C, 0xF1, 0x67, 0xF4, 0x35, -+ 0xED, 0x6F, 0x37, 0x92, 0xE8, 0x4F, 0x6C, 0xBA, 0x52, 0x6E, 0xA1, 0xED, -+ 0xDA, 0x9F, 0x85, 0x11, 0x82, 0x52, 0x62, 0x08, 0x44, 0xF1, 0x30, 0x03, -+ 0xC3, 0x38, 0x2C, 0x79, 0xBD, 0xD4, 0x43, 0x45, 0xEE, 0x8E, 0x50, 0xFC, -+ 0x29, 0x46, 0x9A, 0xFE, 0x54, 0x1A, 0x19, 0x8F, 0x4B, 0x84, 0x08, 0xDE, -+ 0x20, 0x62, 0x73, 0xCC, 0xDD, 0x7E, 0xF0, 0xEF, 0xA2, 0xFD, 0x86, 0x58, -+ 0x4B, 0xD8, 0x37, 0xEB -+}; -+ -+static const unsigned char dh_test_2048_g[] = { -+ 0x02 -+}; -+ -+static const unsigned char dh_test_2048_pub_key[] = { -+ 0xA0, 0x39, 0x11, 0x77, 0x9A, 0xC1, 0x30, 0x1F, 0xBE, 0x48, 0xA7, 0xAA, -+ 0xA0, 0x84, 0x54, 0x64, 0xAD, 0x1B, 0x70, 0xFA, 0x13, 0x55, 0x63, 0xD2, -+ 0x1F, 0x62, 0x32, 0x93, 0x8E, 0xC9, 0x3E, 0x09, 0xA7, 0x64, 0xE4, 0x12, -+ 0x6E, 0x1B, 0xF2, 0x92, 0x3B, 0xB9, 0xCB, 0x56, 0xEA, 0x07, 0x88, 0xB5, -+ 0xA6, 0xBC, 0x16, 0x1F, 0x27, 0xFE, 0xD8, 0xAA, 0x40, 0xB2, 0xB0, 0x2D, -+ 0x37, 0x76, 0xA6, 0xA4, 0x82, 0x2C, 0x0E, 0x22, 0x64, 0x9D, 0xCB, 0xD1, -+ 0x00, 0xB7, 0x89, 0x14, 0x72, 0x4E, 0xBE, 0x48, 0x41, 0xF8, 0xB2, 0x51, -+ 0x11, 0x09, 0x4B, 0x22, 0x01, 0x23, 0x39, 0x96, 0xE0, 0x15, 0xD7, 0x9F, -+ 0x60, 0xD1, 0xB7, 0xAE, 0xFE, 0x5F, 0xDB, 0xE7, 0x03, 0x17, 0x97, 0xA6, -+ 0x16, 0x74, 0xBD, 0x53, 0x81, 0x19, 0xC5, 0x47, 0x5E, 0xCE, 0x8D, 0xED, -+ 0x45, 0x5D, 0x3C, 0x00, 0xA0, 0x0A, 0x68, 0x6A, 0xE0, 0x8E, 0x06, 0x46, -+ 0x6F, 0xD7, 0xF9, 0xDF, 0x31, 0x7E, 0x77, 0x44, 0x0D, 0x98, 0xE0, 0xCA, -+ 0x98, 0x09, 0x52, 0x04, 0x90, 0xEA, 0x6D, 0xF4, 0x30, 0x69, 0x8F, 0xB1, -+ 0x9B, 0xC1, 0x43, 0xDB, 0xD5, 0x8D, 0xC8, 0x8E, 0xB6, 0x0B, 0x05, 0xBE, -+ 0x0E, 0xC5, 0x99, 0xC8, 0x6E, 0x4E, 0xF3, 0xCB, 0xC3, 0x5E, 0x9B, 0x53, -+ 0xF7, 0x06, 0x1C, 0x4F, 0xC7, 0xB8, 0x6E, 0x30, 0x18, 0xCA, 0x9B, 0xB9, -+ 0xBC, 0x5F, 0x17, 0x72, 0x29, 0x5A, 0xE5, 0xD9, 0x96, 0xB7, 0x0B, 0xF3, -+ 0x2D, 0x8C, 0xF1, 0xE1, 0x0E, 0x0D, 0x74, 0xD5, 0x9D, 0xF0, 0x06, 0xA9, -+ 0xB4, 0x95, 0x63, 0x76, 0x46, 0x55, 0x48, 0x82, 0x39, 0x90, 0xEF, 0x56, -+ 0x75, 0x34, 0xB8, 0x34, 0xC3, 0x18, 0x6E, 0x1E, 0xAD, 0xE3, 0x48, 0x7E, -+ 0x93, 0x2C, 0x23, 0xE7, 0xF8, 0x90, 0x73, 0xB1, 0x77, 0x80, 0x67, 0xA9, -+ 0x36, 0x9E, 0xDA, 0xD2 -+}; -+ -+static const unsigned char dh_test_2048_priv_key[] = { -+ 0x0C, 0x4B, 0x30, 0x89, 0xD1, 0xB8, 0x62, 0xCB, 0x3C, 0x43, 0x64, 0x91, -+ 0xF0, 0x91, 0x54, 0x70, 0xC5, 0x27, 0x96, 0xE3, 0xAC, 0xBE, 0xE8, 0x00, -+ 0xEC, 0x55, 0xF6, 0xCC -+}; -+ -+int FIPS_selftest_dh() -+{ -+ DH *dh = NULL; -+ int ret = 0; -+ void *pub_key_bin = NULL; -+ int len; -+ BIGNUM *p = NULL, *g = NULL, *priv_key = NULL, *tmp_pub_key = NULL; -+ const BIGNUM *pub_key; -+ -+ fips_load_key_component(p, dh_test_2048); -+ fips_load_key_component(g, dh_test_2048); -+ /* note that the private key is much shorter than normally used -+ * but still g ** priv_key > p -+ */ -+ fips_load_key_component(priv_key, dh_test_2048); -+ if ((tmp_pub_key = BN_new()) == NULL) -+ goto err; -+ -+ dh = DH_new(); -+ -+ if (dh == NULL) -+ goto err; -+ -+ DH_set0_pqg(dh, p, NULL, g); -+ DH_set0_key(dh, tmp_pub_key, priv_key); -+ -+ if (DH_generate_key(dh) <= 0) -+ goto err; -+ -+ DH_get0_key(dh, &pub_key, NULL); -+ -+ if (pub_key == NULL) -+ goto err; -+ -+ len = BN_num_bytes(pub_key); -+ if ((pub_key_bin = OPENSSL_malloc(len)) == NULL) -+ goto err; -+ BN_bn2bin(pub_key, pub_key_bin); -+ -+ if (len != sizeof(dh_test_2048_pub_key) || -+ memcmp(pub_key_bin, dh_test_2048_pub_key, len) != 0) -+ goto err; -+ -+ ret = 1; -+ -+ err: -+ if (dh) -+ DH_free(dh); -+ else { -+ BN_free(p); -+ BN_free(g); -+ BN_free(priv_key); -+ BN_free(tmp_pub_key); -+ } -+ -+ OPENSSL_free(pub_key_bin); -+ return ret; -+} -+#endif -diff -up openssl-1.1.0h/crypto/fips/fips_drbg_ctr.c.fips openssl-1.1.0h/crypto/fips/fips_drbg_ctr.c ---- openssl-1.1.0h/crypto/fips/fips_drbg_ctr.c.fips 2018-03-29 14:44:24.633236807 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_drbg_ctr.c 2018-03-29 14:44:24.633236807 +0200 -@@ -0,0 +1,415 @@ -+/* fips/rand/fips_drbg_ctr.c */ -+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL -+ * project. -+ */ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * ==================================================================== -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include "fips_rand_lcl.h" -+ -+static void inc_128(DRBG_CTR_CTX * cctx) -+{ -+ int i; -+ unsigned char c; -+ unsigned char *p = cctx->V + 15; -+ for (i = 0; i < 16; i++) { -+ c = *p; -+ c++; -+ *p = c; -+ if (c) -+ return; -+ p--; -+ } -+} -+ -+static void ctr_XOR(DRBG_CTR_CTX * cctx, const unsigned char *in, -+ size_t inlen) -+{ -+ size_t i, n; -+ /* Any zero padding will have no effect on the result as we -+ * are XORing. So just process however much input we have. -+ */ -+ -+ if (!in || !inlen) -+ return; -+ -+ if (inlen < cctx->keylen) -+ n = inlen; -+ else -+ n = cctx->keylen; -+ -+ for (i = 0; i < n; i++) -+ cctx->K[i] ^= in[i]; -+ if (inlen <= cctx->keylen) -+ return; -+ -+ n = inlen - cctx->keylen; -+ /* Should never happen */ -+ if (n > 16) -+ n = 16; -+ for (i = 0; i < 16; i++) -+ cctx->V[i] ^= in[i + cctx->keylen]; -+} -+ -+/* Process a complete block using BCC algorithm of SPP 800-90 10.4.3 */ -+ -+static void ctr_BCC_block(DRBG_CTR_CTX * cctx, unsigned char *out, -+ const unsigned char *in) -+{ -+ int i; -+ for (i = 0; i < 16; i++) -+ out[i] ^= in[i]; -+ AES_encrypt(out, out, &cctx->df_ks); -+#if 0 -+ fprintf(stderr, "BCC in+out\n"); -+ BIO_dump_fp(stderr, in, 16); -+ BIO_dump_fp(stderr, out, 16); -+#endif -+} -+ -+/* Handle several BCC operations for as much data as we need for K and X */ -+static void ctr_BCC_blocks(DRBG_CTR_CTX * cctx, const unsigned char *in) -+{ -+ ctr_BCC_block(cctx, cctx->KX, in); -+ ctr_BCC_block(cctx, cctx->KX + 16, in); -+ if (cctx->keylen != 16) -+ ctr_BCC_block(cctx, cctx->KX + 32, in); -+} -+ -+/* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions: -+ * see 10.4.2 stage 7. -+ */ -+static void ctr_BCC_init(DRBG_CTR_CTX * cctx) -+{ -+ memset(cctx->KX, 0, 48); -+ memset(cctx->bltmp, 0, 16); -+ ctr_BCC_block(cctx, cctx->KX, cctx->bltmp); -+ cctx->bltmp[3] = 1; -+ ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp); -+ if (cctx->keylen != 16) { -+ cctx->bltmp[3] = 2; -+ ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp); -+ } -+} -+ -+/* Process several blocks into BCC algorithm, some possibly partial */ -+static void ctr_BCC_update(DRBG_CTR_CTX * cctx, -+ const unsigned char *in, size_t inlen) -+{ -+ if (!in || !inlen) -+ return; -+ /* If we have partial block handle it first */ -+ if (cctx->bltmp_pos) { -+ size_t left = 16 - cctx->bltmp_pos; -+ /* If we now have a complete block process it */ -+ if (inlen >= left) { -+ memcpy(cctx->bltmp + cctx->bltmp_pos, in, left); -+ ctr_BCC_blocks(cctx, cctx->bltmp); -+ cctx->bltmp_pos = 0; -+ inlen -= left; -+ in += left; -+ } -+ } -+ /* Process zero or more complete blocks */ -+ while (inlen >= 16) { -+ ctr_BCC_blocks(cctx, in); -+ in += 16; -+ inlen -= 16; -+ } -+ /* Copy any remaining partial block to the temporary buffer */ -+ if (inlen > 0) { -+ memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen); -+ cctx->bltmp_pos += inlen; -+ } -+} -+ -+static void ctr_BCC_final(DRBG_CTR_CTX * cctx) -+{ -+ if (cctx->bltmp_pos) { -+ memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos); -+ ctr_BCC_blocks(cctx, cctx->bltmp); -+ } -+} -+ -+static void ctr_df(DRBG_CTR_CTX * cctx, -+ const unsigned char *in1, size_t in1len, -+ const unsigned char *in2, size_t in2len, -+ const unsigned char *in3, size_t in3len) -+{ -+ size_t inlen; -+ unsigned char *p = cctx->bltmp; -+ static unsigned char c80 = 0x80; -+ -+ ctr_BCC_init(cctx); -+ if (!in1) -+ in1len = 0; -+ if (!in2) -+ in2len = 0; -+ if (!in3) -+ in3len = 0; -+ inlen = in1len + in2len + in3len; -+ /* Initialise L||N in temporary block */ -+ *p++ = (inlen >> 24) & 0xff; -+ *p++ = (inlen >> 16) & 0xff; -+ *p++ = (inlen >> 8) & 0xff; -+ *p++ = inlen & 0xff; -+ /* NB keylen is at most 32 bytes */ -+ *p++ = 0; -+ *p++ = 0; -+ *p++ = 0; -+ *p = (unsigned char)((cctx->keylen + 16) & 0xff); -+ cctx->bltmp_pos = 8; -+ ctr_BCC_update(cctx, in1, in1len); -+ ctr_BCC_update(cctx, in2, in2len); -+ ctr_BCC_update(cctx, in3, in3len); -+ ctr_BCC_update(cctx, &c80, 1); -+ ctr_BCC_final(cctx); -+ /* Set up key K */ -+ AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks); -+ /* X follows key K */ -+ AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks); -+ AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks); -+ if (cctx->keylen != 16) -+ AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks); -+#if 0 -+ fprintf(stderr, "Output of ctr_df:\n"); -+ BIO_dump_fp(stderr, cctx->KX, cctx->keylen + 16); -+#endif -+} -+ -+/* NB the no-df Update in SP800-90 specifies a constant input length -+ * of seedlen, however other uses of this algorithm pad the input with -+ * zeroes if necessary and have up to two parameters XORed together, -+ * handle both cases in this function instead. -+ */ -+ -+static void ctr_Update(DRBG_CTX *dctx, -+ const unsigned char *in1, size_t in1len, -+ const unsigned char *in2, size_t in2len, -+ const unsigned char *nonce, size_t noncelen) -+{ -+ DRBG_CTR_CTX *cctx = &dctx->d.ctr; -+ /* ks is already setup for correct key */ -+ inc_128(cctx); -+ AES_encrypt(cctx->V, cctx->K, &cctx->ks); -+ /* If keylen longer than 128 bits need extra encrypt */ -+ if (cctx->keylen != 16) { -+ inc_128(cctx); -+ AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks); -+ } -+ inc_128(cctx); -+ AES_encrypt(cctx->V, cctx->V, &cctx->ks); -+ /* If 192 bit key part of V is on end of K */ -+ if (cctx->keylen == 24) { -+ memcpy(cctx->V + 8, cctx->V, 8); -+ memcpy(cctx->V, cctx->K + 24, 8); -+ } -+ -+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) { -+ /* If no input reuse existing derived value */ -+ if (in1 || nonce || in2) -+ ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len); -+ /* If this a reuse input in1len != 0 */ -+ if (in1len) -+ ctr_XOR(cctx, cctx->KX, dctx->seedlen); -+ } else { -+ ctr_XOR(cctx, in1, in1len); -+ ctr_XOR(cctx, in2, in2len); -+ } -+ -+ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks); -+#if 0 -+ fprintf(stderr, "K+V after update is:\n"); -+ BIO_dump_fp(stderr, cctx->K, cctx->keylen); -+ BIO_dump_fp(stderr, cctx->V, 16); -+#endif -+} -+ -+static int drbg_ctr_instantiate(DRBG_CTX *dctx, -+ const unsigned char *ent, size_t entlen, -+ const unsigned char *nonce, size_t noncelen, -+ const unsigned char *pers, size_t perslen) -+{ -+ DRBG_CTR_CTX *cctx = &dctx->d.ctr; -+ memset(cctx->K, 0, sizeof(cctx->K)); -+ memset(cctx->V, 0, sizeof(cctx->V)); -+ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks); -+ ctr_Update(dctx, ent, entlen, pers, perslen, nonce, noncelen); -+ return 1; -+} -+ -+static int drbg_ctr_reseed(DRBG_CTX *dctx, -+ const unsigned char *ent, size_t entlen, -+ const unsigned char *adin, size_t adinlen) -+{ -+ ctr_Update(dctx, ent, entlen, adin, adinlen, NULL, 0); -+ return 1; -+} -+ -+static int drbg_ctr_generate(DRBG_CTX *dctx, -+ unsigned char *out, size_t outlen, -+ const unsigned char *adin, size_t adinlen) -+{ -+ DRBG_CTR_CTX *cctx = &dctx->d.ctr; -+ if (adin && adinlen) { -+ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0); -+ /* This means we reuse derived value */ -+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) { -+ adin = NULL; -+ adinlen = 1; -+ } -+ } else -+ adinlen = 0; -+ -+ for (;;) { -+ inc_128(cctx); -+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) { -+ AES_encrypt(cctx->V, dctx->lb, &cctx->ks); -+ dctx->lb_valid = 1; -+ continue; -+ } -+ if (outlen < 16) { -+ /* Use K as temp space as it will be updated */ -+ AES_encrypt(cctx->V, cctx->K, &cctx->ks); -+ if (!fips_drbg_cprng_test(dctx, cctx->K)) -+ return 0; -+ memcpy(out, cctx->K, outlen); -+ break; -+ } -+ AES_encrypt(cctx->V, out, &cctx->ks); -+ if (!fips_drbg_cprng_test(dctx, out)) -+ return 0; -+ out += 16; -+ outlen -= 16; -+ if (outlen == 0) -+ break; -+ } -+ -+ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0); -+ -+ return 1; -+ -+} -+ -+static int drbg_ctr_uninstantiate(DRBG_CTX *dctx) -+{ -+ memset(&dctx->d.ctr, 0, sizeof(DRBG_CTR_CTX)); -+ return 1; -+} -+ -+int fips_drbg_ctr_init(DRBG_CTX *dctx) -+{ -+ DRBG_CTR_CTX *cctx = &dctx->d.ctr; -+ -+ size_t keylen; -+ -+ switch (dctx->type) { -+ case NID_aes_128_ctr: -+ keylen = 16; -+ break; -+ -+ case NID_aes_192_ctr: -+ keylen = 24; -+ break; -+ -+ case NID_aes_256_ctr: -+ keylen = 32; -+ break; -+ -+ default: -+ return -2; -+ } -+ -+ dctx->instantiate = drbg_ctr_instantiate; -+ dctx->reseed = drbg_ctr_reseed; -+ dctx->generate = drbg_ctr_generate; -+ dctx->uninstantiate = drbg_ctr_uninstantiate; -+ -+ cctx->keylen = keylen; -+ dctx->strength = keylen * 8; -+ dctx->blocklength = 16; -+ dctx->seedlen = keylen + 16; -+ -+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) { -+ /* df initialisation */ -+ static unsigned char df_key[32] = { -+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, -+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, -+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, -+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f -+ }; -+ /* Set key schedule for df_key */ -+ AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks); -+ -+ dctx->min_entropy = cctx->keylen; -+ dctx->max_entropy = DRBG_MAX_LENGTH; -+ dctx->min_nonce = dctx->min_entropy / 2; -+ dctx->max_nonce = DRBG_MAX_LENGTH; -+ dctx->max_pers = DRBG_MAX_LENGTH; -+ dctx->max_adin = DRBG_MAX_LENGTH; -+ } else { -+ dctx->min_entropy = dctx->seedlen; -+ dctx->max_entropy = dctx->seedlen; -+ /* Nonce not used */ -+ dctx->min_nonce = 0; -+ dctx->max_nonce = 0; -+ dctx->max_pers = dctx->seedlen; -+ dctx->max_adin = dctx->seedlen; -+ } -+ -+ dctx->max_request = 1 << 16; -+ dctx->reseed_interval = 1 << 24; -+ -+ return 1; -+} -diff -up openssl-1.1.0h/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.0h/crypto/fips/fips_drbg_hash.c ---- openssl-1.1.0h/crypto/fips/fips_drbg_hash.c.fips 2018-03-29 14:44:24.633236807 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_drbg_hash.c 2018-03-29 14:44:24.633236807 +0200 -@@ -0,0 +1,361 @@ -+/* fips/rand/fips_drbg_hash.c */ -+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL -+ * project. -+ */ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * ==================================================================== -+ */ -+ -+#define OPENSSL_FIPSAPI -+ -+#include -+#include -+#include -+#include -+#include "internal/fips_int.h" -+#include -+#include "fips_rand_lcl.h" -+ -+/* This is Hash_df from SP 800-90 10.4.1 */ -+ -+static int hash_df(DRBG_CTX *dctx, unsigned char *out, -+ const unsigned char *in1, size_t in1len, -+ const unsigned char *in2, size_t in2len, -+ const unsigned char *in3, size_t in3len, -+ const unsigned char *in4, size_t in4len) -+{ -+ EVP_MD_CTX *mctx = dctx->d.hash.mctx; -+ unsigned char *vtmp = dctx->d.hash.vtmp; -+ unsigned char tmp[6]; -+ /* Standard only ever needs seedlen bytes which is always less than -+ * maximum permitted so no need to check length. -+ */ -+ size_t outlen = dctx->seedlen; -+ tmp[0] = 1; -+ tmp[1] = ((outlen * 8) >> 24) & 0xff; -+ tmp[2] = ((outlen * 8) >> 16) & 0xff; -+ tmp[3] = ((outlen * 8) >> 8) & 0xff; -+ tmp[4] = (outlen * 8) & 0xff; -+ if (!in1) { -+ tmp[5] = (unsigned char)in1len; -+ in1 = tmp + 5; -+ in1len = 1; -+ } -+ for (;;) { -+ if (!FIPS_digestinit(mctx, dctx->d.hash.md)) -+ return 0; -+ if (!FIPS_digestupdate(mctx, tmp, 5)) -+ return 0; -+ if (in1 && !FIPS_digestupdate(mctx, in1, in1len)) -+ return 0; -+ if (in2 && !FIPS_digestupdate(mctx, in2, in2len)) -+ return 0; -+ if (in3 && !FIPS_digestupdate(mctx, in3, in3len)) -+ return 0; -+ if (in4 && !FIPS_digestupdate(mctx, in4, in4len)) -+ return 0; -+ if (outlen < dctx->blocklength) { -+ if (!FIPS_digestfinal(mctx, vtmp, NULL)) -+ return 0; -+ memcpy(out, vtmp, outlen); -+ OPENSSL_cleanse(vtmp, dctx->blocklength); -+ return 1; -+ } else if (!FIPS_digestfinal(mctx, out, NULL)) -+ return 0; -+ -+ outlen -= dctx->blocklength; -+ if (outlen == 0) -+ return 1; -+ tmp[0]++; -+ out += dctx->blocklength; -+ } -+} -+ -+/* Add an unsigned buffer to the buf value, storing the result in buf. For -+ * this algorithm the length of input never exceeds the seed length. -+ */ -+ -+static void ctx_add_buf(DRBG_CTX *dctx, unsigned char *buf, -+ unsigned char *in, size_t inlen) -+{ -+ size_t i = inlen; -+ const unsigned char *q; -+ unsigned char c, *p; -+ p = buf + dctx->seedlen; -+ q = in + inlen; -+ -+ OPENSSL_assert(i <= dctx->seedlen); -+ -+ /* Special case: zero length, just increment buffer */ -+ if (i) -+ c = 0; -+ else -+ c = 1; -+ -+ while (i) { -+ int r; -+ p--; -+ q--; -+ r = *p + *q + c; -+ /* Carry */ -+ if (r > 0xff) -+ c = 1; -+ else -+ c = 0; -+ *p = r & 0xff; -+ i--; -+ } -+ -+ i = dctx->seedlen - inlen; -+ -+ /* If not adding whole buffer handle final carries */ -+ if (c && i) { -+ do { -+ p--; -+ c = *p; -+ c++; -+ *p = c; -+ if (c) -+ return; -+ } while (i--); -+ } -+} -+ -+/* Finalise and add hash to V */ -+ -+static int ctx_add_md(DRBG_CTX *dctx) -+{ -+ if (!FIPS_digestfinal(dctx->d.hash.mctx, dctx->d.hash.vtmp, NULL)) -+ return 0; -+ ctx_add_buf(dctx, dctx->d.hash.V, dctx->d.hash.vtmp, dctx->blocklength); -+ return 1; -+} -+ -+static int hash_gen(DRBG_CTX *dctx, unsigned char *out, size_t outlen) -+{ -+ DRBG_HASH_CTX *hctx = &dctx->d.hash; -+ if (outlen == 0) -+ return 1; -+ memcpy(hctx->vtmp, hctx->V, dctx->seedlen); -+ for (;;) { -+ FIPS_digestinit(hctx->mctx, hctx->md); -+ FIPS_digestupdate(hctx->mctx, hctx->vtmp, dctx->seedlen); -+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) { -+ FIPS_digestfinal(hctx->mctx, dctx->lb, NULL); -+ dctx->lb_valid = 1; -+ } else if (outlen < dctx->blocklength) { -+ FIPS_digestfinal(hctx->mctx, hctx->vtmp, NULL); -+ if (!fips_drbg_cprng_test(dctx, hctx->vtmp)) -+ return 0; -+ memcpy(out, hctx->vtmp, outlen); -+ return 1; -+ } else { -+ FIPS_digestfinal(hctx->mctx, out, NULL); -+ if (!fips_drbg_cprng_test(dctx, out)) -+ return 0; -+ outlen -= dctx->blocklength; -+ if (outlen == 0) -+ return 1; -+ out += dctx->blocklength; -+ } -+ ctx_add_buf(dctx, hctx->vtmp, NULL, 0); -+ } -+} -+ -+static int drbg_hash_instantiate(DRBG_CTX *dctx, -+ const unsigned char *ent, size_t ent_len, -+ const unsigned char *nonce, size_t nonce_len, -+ const unsigned char *pstr, size_t pstr_len) -+{ -+ DRBG_HASH_CTX *hctx = &dctx->d.hash; -+ if (!hash_df(dctx, hctx->V, -+ ent, ent_len, nonce, nonce_len, pstr, pstr_len, NULL, 0)) -+ return 0; -+ if (!hash_df(dctx, hctx->C, -+ NULL, 0, hctx->V, dctx->seedlen, NULL, 0, NULL, 0)) -+ return 0; -+ -+#ifdef HASH_DRBG_TRACE -+ fprintf(stderr, "V+C after instantiate:\n"); -+ hexprint(stderr, hctx->V, dctx->seedlen); -+ hexprint(stderr, hctx->C, dctx->seedlen); -+#endif -+ return 1; -+} -+ -+static int drbg_hash_reseed(DRBG_CTX *dctx, -+ const unsigned char *ent, size_t ent_len, -+ const unsigned char *adin, size_t adin_len) -+{ -+ DRBG_HASH_CTX *hctx = &dctx->d.hash; -+ /* V about to be updated so use C as output instead */ -+ if (!hash_df(dctx, hctx->C, -+ NULL, 1, hctx->V, dctx->seedlen, -+ ent, ent_len, adin, adin_len)) -+ return 0; -+ memcpy(hctx->V, hctx->C, dctx->seedlen); -+ if (!hash_df(dctx, hctx->C, NULL, 0, -+ hctx->V, dctx->seedlen, NULL, 0, NULL, 0)) -+ return 0; -+#ifdef HASH_DRBG_TRACE -+ fprintf(stderr, "V+C after reseed:\n"); -+ hexprint(stderr, hctx->V, dctx->seedlen); -+ hexprint(stderr, hctx->C, dctx->seedlen); -+#endif -+ return 1; -+} -+ -+static int drbg_hash_generate(DRBG_CTX *dctx, -+ unsigned char *out, size_t outlen, -+ const unsigned char *adin, size_t adin_len) -+{ -+ DRBG_HASH_CTX *hctx = &dctx->d.hash; -+ EVP_MD_CTX *mctx = hctx->mctx; -+ unsigned char tmp[4]; -+ if (adin && adin_len) { -+ tmp[0] = 2; -+ if (!FIPS_digestinit(mctx, hctx->md)) -+ return 0; -+ if (!EVP_DigestUpdate(mctx, tmp, 1)) -+ return 0; -+ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen)) -+ return 0; -+ if (!EVP_DigestUpdate(mctx, adin, adin_len)) -+ return 0; -+ if (!ctx_add_md(dctx)) -+ return 0; -+ } -+ if (!hash_gen(dctx, out, outlen)) -+ return 0; -+ -+ tmp[0] = 3; -+ if (!FIPS_digestinit(mctx, hctx->md)) -+ return 0; -+ if (!EVP_DigestUpdate(mctx, tmp, 1)) -+ return 0; -+ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen)) -+ return 0; -+ -+ if (!ctx_add_md(dctx)) -+ return 0; -+ -+ ctx_add_buf(dctx, hctx->V, hctx->C, dctx->seedlen); -+ -+ tmp[0] = (dctx->reseed_counter >> 24) & 0xff; -+ tmp[1] = (dctx->reseed_counter >> 16) & 0xff; -+ tmp[2] = (dctx->reseed_counter >> 8) & 0xff; -+ tmp[3] = dctx->reseed_counter & 0xff; -+ ctx_add_buf(dctx, hctx->V, tmp, 4); -+#ifdef HASH_DRBG_TRACE -+ fprintf(stderr, "V+C after generate:\n"); -+ hexprint(stderr, hctx->V, dctx->seedlen); -+ hexprint(stderr, hctx->C, dctx->seedlen); -+#endif -+ return 1; -+} -+ -+static int drbg_hash_uninstantiate(DRBG_CTX *dctx) -+{ -+ EVP_MD_CTX_free(dctx->d.hash.mctx); -+ OPENSSL_cleanse(&dctx->d.hash, sizeof(DRBG_HASH_CTX)); -+ return 1; -+} -+ -+int fips_drbg_hash_init(DRBG_CTX *dctx) -+{ -+ const EVP_MD *md; -+ DRBG_HASH_CTX *hctx = &dctx->d.hash; -+ md = FIPS_get_digestbynid(dctx->type); -+ if (!md) -+ return -2; -+ switch (dctx->type) { -+ case NID_sha1: -+ dctx->strength = 128; -+ break; -+ -+ case NID_sha224: -+ dctx->strength = 192; -+ break; -+ -+ default: -+ dctx->strength = 256; -+ break; -+ } -+ -+ dctx->instantiate = drbg_hash_instantiate; -+ dctx->reseed = drbg_hash_reseed; -+ dctx->generate = drbg_hash_generate; -+ dctx->uninstantiate = drbg_hash_uninstantiate; -+ -+ dctx->d.hash.md = md; -+ hctx->mctx = EVP_MD_CTX_new(); -+ if (hctx->mctx == NULL) -+ return -1; -+ -+ /* These are taken from SP 800-90 10.1 table 2 */ -+ -+ dctx->blocklength = EVP_MD_size(md); -+ if (dctx->blocklength > 32) -+ dctx->seedlen = 111; -+ else -+ dctx->seedlen = 55; -+ -+ dctx->min_entropy = dctx->strength / 8; -+ dctx->max_entropy = DRBG_MAX_LENGTH; -+ -+ dctx->min_nonce = dctx->min_entropy / 2; -+ dctx->max_nonce = DRBG_MAX_LENGTH; -+ -+ dctx->max_pers = DRBG_MAX_LENGTH; -+ dctx->max_adin = DRBG_MAX_LENGTH; -+ -+ dctx->max_request = 1 << 16; -+ dctx->reseed_interval = 1 << 24; -+ -+ return 1; -+} -diff -up openssl-1.1.0h/crypto/fips/fips_drbg_hmac.c.fips openssl-1.1.0h/crypto/fips/fips_drbg_hmac.c ---- openssl-1.1.0h/crypto/fips/fips_drbg_hmac.c.fips 2018-03-29 14:44:24.633236807 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_drbg_hmac.c 2018-03-29 14:44:24.633236807 +0200 -@@ -0,0 +1,272 @@ -+/* fips/rand/fips_drbg_hmac.c */ -+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL -+ * project. -+ */ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * ==================================================================== -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "fips_rand_lcl.h" -+ -+static int drbg_hmac_update(DRBG_CTX *dctx, -+ const unsigned char *in1, size_t in1len, -+ const unsigned char *in2, size_t in2len, -+ const unsigned char *in3, size_t in3len) -+{ -+ static unsigned char c0 = 0, c1 = 1; -+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac; -+ HMAC_CTX *hctx = hmac->hctx; -+ -+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) -+ return 0; -+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) -+ return 0; -+ if (!HMAC_Update(hctx, &c0, 1)) -+ return 0; -+ if (in1len && !HMAC_Update(hctx, in1, in1len)) -+ return 0; -+ if (in2len && !HMAC_Update(hctx, in2, in2len)) -+ return 0; -+ if (in3len && !HMAC_Update(hctx, in3, in3len)) -+ return 0; -+ -+ if (!HMAC_Final(hctx, hmac->K, NULL)) -+ return 0; -+ -+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) -+ return 0; -+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) -+ return 0; -+ -+ if (!HMAC_Final(hctx, hmac->V, NULL)) -+ return 0; -+ -+ if (!in1len && !in2len && !in3len) -+ return 1; -+ -+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) -+ return 0; -+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) -+ return 0; -+ if (!HMAC_Update(hctx, &c1, 1)) -+ return 0; -+ if (in1len && !HMAC_Update(hctx, in1, in1len)) -+ return 0; -+ if (in2len && !HMAC_Update(hctx, in2, in2len)) -+ return 0; -+ if (in3len && !HMAC_Update(hctx, in3, in3len)) -+ return 0; -+ -+ if (!HMAC_Final(hctx, hmac->K, NULL)) -+ return 0; -+ -+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) -+ return 0; -+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) -+ return 0; -+ -+ if (!HMAC_Final(hctx, hmac->V, NULL)) -+ return 0; -+ -+ return 1; -+ -+} -+ -+static int drbg_hmac_instantiate(DRBG_CTX *dctx, -+ const unsigned char *ent, size_t ent_len, -+ const unsigned char *nonce, size_t nonce_len, -+ const unsigned char *pstr, size_t pstr_len) -+{ -+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac; -+ memset(hmac->K, 0, dctx->blocklength); -+ memset(hmac->V, 1, dctx->blocklength); -+ if (!drbg_hmac_update(dctx, -+ ent, ent_len, nonce, nonce_len, pstr, pstr_len)) -+ return 0; -+ -+#ifdef HMAC_DRBG_TRACE -+ fprintf(stderr, "K+V after instantiate:\n"); -+ hexprint(stderr, hmac->K, hmac->blocklength); -+ hexprint(stderr, hmac->V, hmac->blocklength); -+#endif -+ return 1; -+} -+ -+static int drbg_hmac_reseed(DRBG_CTX *dctx, -+ const unsigned char *ent, size_t ent_len, -+ const unsigned char *adin, size_t adin_len) -+{ -+ if (!drbg_hmac_update(dctx, ent, ent_len, adin, adin_len, NULL, 0)) -+ return 0; -+ -+#ifdef HMAC_DRBG_TRACE -+ { -+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac; -+ fprintf(stderr, "K+V after reseed:\n"); -+ hexprint(stderr, hmac->K, hmac->blocklength); -+ hexprint(stderr, hmac->V, hmac->blocklength); -+ } -+#endif -+ return 1; -+} -+ -+static int drbg_hmac_generate(DRBG_CTX *dctx, -+ unsigned char *out, size_t outlen, -+ const unsigned char *adin, size_t adin_len) -+{ -+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac; -+ HMAC_CTX *hctx = hmac->hctx; -+ const unsigned char *Vtmp = hmac->V; -+ if (adin_len && !drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0)) -+ return 0; -+ for (;;) { -+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) -+ return 0; -+ if (!HMAC_Update(hctx, Vtmp, dctx->blocklength)) -+ return 0; -+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) { -+ if (!HMAC_Final(hctx, dctx->lb, NULL)) -+ return 0; -+ dctx->lb_valid = 1; -+ Vtmp = dctx->lb; -+ continue; -+ } else if (outlen > dctx->blocklength) { -+ if (!HMAC_Final(hctx, out, NULL)) -+ return 0; -+ if (!fips_drbg_cprng_test(dctx, out)) -+ return 0; -+ Vtmp = out; -+ } else { -+ if (!HMAC_Final(hctx, hmac->V, NULL)) -+ return 0; -+ if (!fips_drbg_cprng_test(dctx, hmac->V)) -+ return 0; -+ memcpy(out, hmac->V, outlen); -+ break; -+ } -+ out += dctx->blocklength; -+ outlen -= dctx->blocklength; -+ } -+ if (!drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0)) -+ return 0; -+ -+ return 1; -+} -+ -+static int drbg_hmac_uninstantiate(DRBG_CTX *dctx) -+{ -+ HMAC_CTX_free(dctx->d.hmac.hctx); -+ OPENSSL_cleanse(&dctx->d.hmac, sizeof(DRBG_HMAC_CTX)); -+ return 1; -+} -+ -+int fips_drbg_hmac_init(DRBG_CTX *dctx) -+{ -+ const EVP_MD *md = NULL; -+ DRBG_HMAC_CTX *hctx = &dctx->d.hmac; -+ dctx->strength = 256; -+ switch (dctx->type) { -+ case NID_hmacWithSHA1: -+ md = EVP_sha1(); -+ dctx->strength = 128; -+ break; -+ -+ case NID_hmacWithSHA224: -+ md = EVP_sha224(); -+ dctx->strength = 192; -+ break; -+ -+ case NID_hmacWithSHA256: -+ md = EVP_sha256(); -+ break; -+ -+ case NID_hmacWithSHA384: -+ md = EVP_sha384(); -+ break; -+ -+ case NID_hmacWithSHA512: -+ md = EVP_sha512(); -+ break; -+ -+ default: -+ dctx->strength = 0; -+ return -2; -+ } -+ dctx->instantiate = drbg_hmac_instantiate; -+ dctx->reseed = drbg_hmac_reseed; -+ dctx->generate = drbg_hmac_generate; -+ dctx->uninstantiate = drbg_hmac_uninstantiate; -+ hctx->hctx = HMAC_CTX_new(); -+ if (hctx->hctx == NULL) -+ return -1; -+ hctx->md = md; -+ dctx->blocklength = M_EVP_MD_size(md); -+ dctx->seedlen = M_EVP_MD_size(md); -+ -+ dctx->min_entropy = dctx->strength / 8; -+ dctx->max_entropy = DRBG_MAX_LENGTH; -+ -+ dctx->min_nonce = dctx->min_entropy / 2; -+ dctx->max_nonce = DRBG_MAX_LENGTH; -+ -+ dctx->max_pers = DRBG_MAX_LENGTH; -+ dctx->max_adin = DRBG_MAX_LENGTH; -+ -+ dctx->max_request = 1 << 16; -+ dctx->reseed_interval = 1 << 24; -+ -+ return 1; -+} -diff -up openssl-1.1.0h/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.0h/crypto/fips/fips_drbg_lib.c ---- openssl-1.1.0h/crypto/fips/fips_drbg_lib.c.fips 2018-03-29 14:44:24.633236807 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_drbg_lib.c 2018-03-29 14:44:24.633236807 +0200 -@@ -0,0 +1,555 @@ -+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL -+ * project. -+ */ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * ==================================================================== -+ */ -+ -+#include -+#include -+#include -+#include -+#include "internal/fips_int.h" -+#include -+#include "fips_locl.h" -+#include "fips_rand_lcl.h" -+ -+/* Support framework for SP800-90 DRBGs */ -+ -+int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags) -+{ -+ int rv; -+ memset(dctx, 0, sizeof(DRBG_CTX)); -+ dctx->status = DRBG_STATUS_UNINITIALISED; -+ dctx->xflags = flags; -+ dctx->type = type; -+ -+ dctx->iflags = 0; -+ dctx->entropy_blocklen = 0; -+ dctx->health_check_cnt = 0; -+ dctx->health_check_interval = DRBG_HEALTH_INTERVAL; -+ -+ rv = fips_drbg_hash_init(dctx); -+ -+ if (rv == -2) -+ rv = fips_drbg_ctr_init(dctx); -+ if (rv == -2) -+ rv = fips_drbg_hmac_init(dctx); -+ -+ if (rv <= 0) { -+ if (rv == -2) -+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE); -+ else -+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG); -+ } -+ -+ /* If not in test mode run selftests on DRBG of the same type */ -+ -+ if (!(dctx->xflags & DRBG_FLAG_TEST)) { -+ if (!FIPS_drbg_health_check(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE); -+ return 0; -+ } -+ } -+ -+ return rv; -+} -+ -+DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags) -+{ -+ DRBG_CTX *dctx; -+ dctx = OPENSSL_malloc(sizeof(DRBG_CTX)); -+ if (!dctx) { -+ FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE); -+ return NULL; -+ } -+ -+ if (type == 0) { -+ memset(dctx, 0, sizeof(DRBG_CTX)); -+ dctx->type = 0; -+ dctx->status = DRBG_STATUS_UNINITIALISED; -+ return dctx; -+ } -+ -+ if (FIPS_drbg_init(dctx, type, flags) <= 0) { -+ OPENSSL_free(dctx); -+ return NULL; -+ } -+ -+ return dctx; -+} -+ -+void FIPS_drbg_free(DRBG_CTX *dctx) -+{ -+ if (dctx->uninstantiate) -+ dctx->uninstantiate(dctx); -+ /* Don't free up default DRBG */ -+ if (dctx == FIPS_get_default_drbg()) { -+ memset(dctx, 0, sizeof(DRBG_CTX)); -+ dctx->type = 0; -+ dctx->status = DRBG_STATUS_UNINITIALISED; -+ } else { -+ OPENSSL_cleanse(&dctx->d, sizeof(dctx->d)); -+ OPENSSL_free(dctx); -+ } -+} -+ -+static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout, -+ int entropy, size_t min_len, size_t max_len) -+{ -+ unsigned char *tout, *p; -+ size_t bl = dctx->entropy_blocklen, rv; -+ if (!dctx->get_entropy) -+ return 0; -+ if (dctx->xflags & DRBG_FLAG_TEST || !bl) -+ return dctx->get_entropy(dctx, pout, entropy, min_len, max_len); -+ rv = dctx->get_entropy(dctx, &tout, entropy + bl, -+ min_len + bl, max_len + bl); -+ if (tout == NULL) -+ return 0; -+ *pout = tout + bl; -+ if (rv < (min_len + bl) || (rv % bl)) -+ return 0; -+ /* Compare consecutive blocks for continuous PRNG test */ -+ for (p = tout; p < tout + rv - bl; p += bl) { -+ if (!memcmp(p, p + bl, bl)) { -+ FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK); -+ return 0; -+ } -+ } -+ rv -= bl; -+ if (rv > max_len) -+ return max_len; -+ return rv; -+} -+ -+static void fips_cleanup_entropy(DRBG_CTX *dctx, -+ unsigned char *out, size_t olen) -+{ -+ size_t bl; -+ if (dctx->xflags & DRBG_FLAG_TEST) -+ bl = 0; -+ else -+ bl = dctx->entropy_blocklen; -+ /* Call cleanup with original arguments */ -+ dctx->cleanup_entropy(dctx, out - bl, olen + bl); -+} -+ -+int FIPS_drbg_instantiate(DRBG_CTX *dctx, -+ const unsigned char *pers, size_t perslen) -+{ -+ size_t entlen = 0, noncelen = 0; -+ unsigned char *nonce = NULL, *entropy = NULL; -+ -+#if 0 -+ /* Put here so error script picks them up */ -+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, -+ FIPS_R_PERSONALISATION_STRING_TOO_LONG); -+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE); -+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED); -+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY); -+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE); -+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR); -+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED); -+#endif -+ -+ int r = 0; -+ -+ if (perslen > dctx->max_pers) { -+ r = FIPS_R_PERSONALISATION_STRING_TOO_LONG; -+ goto end; -+ } -+ -+ if (!dctx->instantiate) { -+ r = FIPS_R_DRBG_NOT_INITIALISED; -+ goto end; -+ } -+ -+ if (dctx->status != DRBG_STATUS_UNINITIALISED) { -+ if (dctx->status == DRBG_STATUS_ERROR) -+ r = FIPS_R_IN_ERROR_STATE; -+ else -+ r = FIPS_R_ALREADY_INSTANTIATED; -+ goto end; -+ } -+ -+ dctx->status = DRBG_STATUS_ERROR; -+ -+ entlen = fips_get_entropy(dctx, &entropy, dctx->strength, -+ dctx->min_entropy, dctx->max_entropy); -+ -+ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) { -+ r = FIPS_R_ERROR_RETRIEVING_ENTROPY; -+ goto end; -+ } -+ -+ if (dctx->max_nonce > 0 && dctx->get_nonce) { -+ noncelen = dctx->get_nonce(dctx, &nonce, -+ dctx->strength / 2, -+ dctx->min_nonce, dctx->max_nonce); -+ -+ if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) { -+ r = FIPS_R_ERROR_RETRIEVING_NONCE; -+ goto end; -+ } -+ -+ } -+ -+ if (!dctx->instantiate(dctx, -+ entropy, entlen, nonce, noncelen, pers, perslen)) { -+ r = FIPS_R_ERROR_INSTANTIATING_DRBG; -+ goto end; -+ } -+ -+ dctx->status = DRBG_STATUS_READY; -+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) -+ dctx->reseed_counter = 1; -+ -+ end: -+ -+ if (entropy && dctx->cleanup_entropy) -+ fips_cleanup_entropy(dctx, entropy, entlen); -+ -+ if (nonce && dctx->cleanup_nonce) -+ dctx->cleanup_nonce(dctx, nonce, noncelen); -+ -+ if (dctx->status == DRBG_STATUS_READY) -+ return 1; -+ -+ if (r && !(dctx->iflags & DRBG_FLAG_NOERR)) -+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r); -+ -+ return 0; -+ -+} -+ -+static int drbg_reseed(DRBG_CTX *dctx, -+ const unsigned char *adin, size_t adinlen, int hcheck) -+{ -+ unsigned char *entropy = NULL; -+ size_t entlen = 0; -+ int r = 0; -+ -+#if 0 -+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED); -+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG); -+#endif -+ if (dctx->status != DRBG_STATUS_READY -+ && dctx->status != DRBG_STATUS_RESEED) { -+ if (dctx->status == DRBG_STATUS_ERROR) -+ r = FIPS_R_IN_ERROR_STATE; -+ else if (dctx->status == DRBG_STATUS_UNINITIALISED) -+ r = FIPS_R_NOT_INSTANTIATED; -+ goto end; -+ } -+ -+ if (!adin) -+ adinlen = 0; -+ else if (adinlen > dctx->max_adin) { -+ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG; -+ goto end; -+ } -+ -+ dctx->status = DRBG_STATUS_ERROR; -+ /* Peform health check on all reseed operations if not a prediction -+ * resistance request and not in test mode. -+ */ -+ if (hcheck && !(dctx->xflags & DRBG_FLAG_TEST)) { -+ if (!FIPS_drbg_health_check(dctx)) { -+ r = FIPS_R_SELFTEST_FAILURE; -+ goto end; -+ } -+ } -+ -+ entlen = fips_get_entropy(dctx, &entropy, dctx->strength, -+ dctx->min_entropy, dctx->max_entropy); -+ -+ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) { -+ r = FIPS_R_ERROR_RETRIEVING_ENTROPY; -+ goto end; -+ } -+ -+ if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen)) -+ goto end; -+ -+ dctx->status = DRBG_STATUS_READY; -+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) -+ dctx->reseed_counter = 1; -+ end: -+ -+ if (entropy && dctx->cleanup_entropy) -+ fips_cleanup_entropy(dctx, entropy, entlen); -+ -+ if (dctx->status == DRBG_STATUS_READY) -+ return 1; -+ -+ if (r && !(dctx->iflags & DRBG_FLAG_NOERR)) -+ FIPSerr(FIPS_F_DRBG_RESEED, r); -+ -+ return 0; -+} -+ -+int FIPS_drbg_reseed(DRBG_CTX *dctx, -+ const unsigned char *adin, size_t adinlen) -+{ -+ return drbg_reseed(dctx, adin, adinlen, 1); -+} -+ -+static int fips_drbg_check(DRBG_CTX *dctx) -+{ -+ if (dctx->xflags & DRBG_FLAG_TEST) -+ return 1; -+ dctx->health_check_cnt++; -+ if (dctx->health_check_cnt >= dctx->health_check_interval) { -+ if (!FIPS_drbg_health_check(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE); -+ return 0; -+ } -+ } -+ return 1; -+} -+ -+int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen, -+ int prediction_resistance, -+ const unsigned char *adin, size_t adinlen) -+{ -+ int r = 0; -+ -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED); -+ return 0; -+ } -+ -+ if (!fips_drbg_check(dctx)) -+ return 0; -+ -+ if (dctx->status != DRBG_STATUS_READY -+ && dctx->status != DRBG_STATUS_RESEED) { -+ if (dctx->status == DRBG_STATUS_ERROR) -+ r = FIPS_R_IN_ERROR_STATE; -+ else if (dctx->status == DRBG_STATUS_UNINITIALISED) -+ r = FIPS_R_NOT_INSTANTIATED; -+ goto end; -+ } -+ -+ if (outlen > dctx->max_request) { -+ r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG; -+ return 0; -+ } -+ -+ if (adinlen > dctx->max_adin) { -+ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG; -+ goto end; -+ } -+ -+ if (dctx->iflags & DRBG_CUSTOM_RESEED) -+ dctx->generate(dctx, NULL, outlen, NULL, 0); -+ else if (dctx->reseed_counter >= dctx->reseed_interval) -+ dctx->status = DRBG_STATUS_RESEED; -+ -+ if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) { -+ /* If prediction resistance request don't do health check */ -+ int hcheck = prediction_resistance ? 0 : 1; -+ -+ if (!drbg_reseed(dctx, adin, adinlen, hcheck)) { -+ r = FIPS_R_RESEED_ERROR; -+ goto end; -+ } -+ adin = NULL; -+ adinlen = 0; -+ } -+ -+ if (!dctx->generate(dctx, out, outlen, adin, adinlen)) { -+ r = FIPS_R_GENERATE_ERROR; -+ dctx->status = DRBG_STATUS_ERROR; -+ goto end; -+ } -+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) { -+ if (dctx->reseed_counter >= dctx->reseed_interval) -+ dctx->status = DRBG_STATUS_RESEED; -+ else -+ dctx->reseed_counter++; -+ } -+ -+ end: -+ if (r) { -+ if (!(dctx->iflags & DRBG_FLAG_NOERR)) -+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r); -+ return 0; -+ } -+ -+ return 1; -+} -+ -+int FIPS_drbg_uninstantiate(DRBG_CTX *dctx) -+{ -+ int rv; -+ if (!dctx->uninstantiate) -+ rv = 1; -+ else -+ rv = dctx->uninstantiate(dctx); -+ /* Although we'd like to cleanse here we can't because we have to -+ * test the uninstantiate really zeroes the data. -+ */ -+ memset(&dctx->d, 0, sizeof(dctx->d)); -+ dctx->status = DRBG_STATUS_UNINITIALISED; -+ /* If method has problems uninstantiating, return error */ -+ return rv; -+} -+ -+int FIPS_drbg_set_callbacks(DRBG_CTX *dctx, -+ size_t (*get_entropy) (DRBG_CTX *ctx, -+ unsigned char **pout, -+ int entropy, -+ size_t min_len, -+ size_t max_len), -+ void (*cleanup_entropy) (DRBG_CTX *ctx, -+ unsigned char *out, -+ size_t olen), -+ size_t entropy_blocklen, -+ size_t (*get_nonce) (DRBG_CTX *ctx, -+ unsigned char **pout, -+ int entropy, size_t min_len, -+ size_t max_len), -+ void (*cleanup_nonce) (DRBG_CTX *ctx, -+ unsigned char *out, -+ size_t olen)) -+{ -+ if (dctx->status != DRBG_STATUS_UNINITIALISED) -+ return 0; -+ dctx->entropy_blocklen = entropy_blocklen; -+ dctx->get_entropy = get_entropy; -+ dctx->cleanup_entropy = cleanup_entropy; -+ dctx->get_nonce = get_nonce; -+ dctx->cleanup_nonce = cleanup_nonce; -+ return 1; -+} -+ -+int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx, -+ size_t (*get_adin) (DRBG_CTX *ctx, -+ unsigned char **pout), -+ void (*cleanup_adin) (DRBG_CTX *ctx, -+ unsigned char *out, -+ size_t olen), -+ int (*rand_seed_cb) (DRBG_CTX *ctx, -+ const void *buf, -+ int num), -+ int (*rand_add_cb) (DRBG_CTX *ctx, -+ const void *buf, int num, -+ double entropy)) -+{ -+ if (dctx->status != DRBG_STATUS_UNINITIALISED) -+ return 0; -+ dctx->get_adin = get_adin; -+ dctx->cleanup_adin = cleanup_adin; -+ dctx->rand_seed_cb = rand_seed_cb; -+ dctx->rand_add_cb = rand_add_cb; -+ return 1; -+} -+ -+void *FIPS_drbg_get_app_data(DRBG_CTX *dctx) -+{ -+ return dctx->app_data; -+} -+ -+void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data) -+{ -+ dctx->app_data = app_data; -+} -+ -+size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx) -+{ -+ return dctx->blocklength; -+} -+ -+int FIPS_drbg_get_strength(DRBG_CTX *dctx) -+{ -+ return dctx->strength; -+} -+ -+void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval) -+{ -+ dctx->health_check_interval = interval; -+} -+ -+void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval) -+{ -+ dctx->reseed_interval = interval; -+} -+ -+static int drbg_stick = 0; -+ -+void FIPS_drbg_stick(int onoff) -+{ -+ drbg_stick = onoff; -+} -+ -+/* Continuous DRBG utility function */ -+int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out) -+{ -+ /* No CPRNG in test mode */ -+ if (dctx->xflags & DRBG_FLAG_TEST) -+ return 1; -+ /* Check block is valid: should never happen */ -+ if (dctx->lb_valid == 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_INTERNAL_ERROR); -+ fips_set_selftest_fail(); -+ return 0; -+ } -+ if (drbg_stick) -+ memcpy(dctx->lb, out, dctx->blocklength); -+ /* Check against last block: fail if match */ -+ if (!memcmp(dctx->lb, out, dctx->blocklength)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_DRBG_STUCK); -+ fips_set_selftest_fail(); -+ return 0; -+ } -+ /* Save last block for next comparison */ -+ memcpy(dctx->lb, out, dctx->blocklength); -+ return 1; -+} -diff -up openssl-1.1.0h/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.0h/crypto/fips/fips_drbg_rand.c ---- openssl-1.1.0h/crypto/fips/fips_drbg_rand.c.fips 2018-03-29 14:44:24.633236807 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_drbg_rand.c 2018-03-29 14:44:24.633236807 +0200 -@@ -0,0 +1,183 @@ -+/* fips/rand/fips_drbg_rand.c */ -+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL -+ * project. -+ */ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * ==================================================================== -+ */ -+ -+#include -+#include -+#include "internal/thread_once.h" -+#include -+#include -+#include -+#include -+#include "fips_rand_lcl.h" -+ -+/* Mapping of SP800-90 DRBGs to OpenSSL RAND_METHOD */ -+ -+/* Since we only have one global PRNG used at any time in OpenSSL use a global -+ * variable to store context. -+ */ -+ -+static DRBG_CTX ossl_dctx; -+ -+static CRYPTO_RWLOCK *fips_rand_lock = NULL; -+static CRYPTO_ONCE fips_rand_lock_init = CRYPTO_ONCE_STATIC_INIT; -+ -+DEFINE_RUN_ONCE_STATIC(do_fips_rand_lock_init) -+{ -+ fips_rand_lock = CRYPTO_THREAD_lock_new(); -+ return fips_rand_lock != NULL; -+} -+ -+DRBG_CTX *FIPS_get_default_drbg(void) -+{ -+ if (!RUN_ONCE(&fips_rand_lock_init, do_fips_rand_lock_init)) -+ return NULL; -+ return &ossl_dctx; -+} -+ -+static int fips_drbg_bytes(unsigned char *out, int count) -+{ -+ DRBG_CTX *dctx = &ossl_dctx; -+ int rv = 0; -+ unsigned char *adin = NULL; -+ size_t adinlen = 0; -+ CRYPTO_THREAD_write_lock(fips_rand_lock); -+ do { -+ size_t rcnt; -+ if (count > (int)dctx->max_request) -+ rcnt = dctx->max_request; -+ else -+ rcnt = count; -+ if (dctx->get_adin) { -+ adinlen = dctx->get_adin(dctx, &adin); -+ if (adinlen && !adin) { -+ FIPSerr(FIPS_F_FIPS_DRBG_BYTES, -+ FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT); -+ goto err; -+ } -+ } -+ rv = FIPS_drbg_generate(dctx, out, rcnt, 0, adin, adinlen); -+ if (adin) { -+ if (dctx->cleanup_adin) -+ dctx->cleanup_adin(dctx, adin, adinlen); -+ adin = NULL; -+ } -+ if (!rv) -+ goto err; -+ out += rcnt; -+ count -= rcnt; -+ } -+ while (count); -+ rv = 1; -+ err: -+ CRYPTO_THREAD_unlock(fips_rand_lock); -+ return rv; -+} -+ -+static int fips_drbg_pseudo(unsigned char *out, int count) -+{ -+ if (fips_drbg_bytes(out, count) <= 0) -+ return -1; -+ return 1; -+} -+ -+static int fips_drbg_status(void) -+{ -+ DRBG_CTX *dctx = &ossl_dctx; -+ int rv; -+ CRYPTO_THREAD_read_lock(fips_rand_lock); -+ rv = dctx->status == DRBG_STATUS_READY ? 1 : 0; -+ CRYPTO_THREAD_unlock(fips_rand_lock); -+ return rv; -+} -+ -+static void fips_drbg_cleanup(void) -+{ -+ DRBG_CTX *dctx = &ossl_dctx; -+ CRYPTO_THREAD_write_lock(fips_rand_lock); -+ FIPS_drbg_uninstantiate(dctx); -+ CRYPTO_THREAD_unlock(fips_rand_lock); -+} -+ -+static int fips_drbg_seed(const void *seed, int seedlen) -+{ -+ DRBG_CTX *dctx = &ossl_dctx; -+ CRYPTO_THREAD_write_lock(fips_rand_lock); -+ if (dctx->rand_seed_cb) -+ return dctx->rand_seed_cb(dctx, seed, seedlen); -+ CRYPTO_THREAD_unlock(fips_rand_lock); -+ return 1; -+} -+ -+static int fips_drbg_add(const void *seed, int seedlen, double add_entropy) -+{ -+ DRBG_CTX *dctx = &ossl_dctx; -+ CRYPTO_THREAD_write_lock(fips_rand_lock); -+ if (dctx->rand_add_cb) -+ return dctx->rand_add_cb(dctx, seed, seedlen, add_entropy); -+ CRYPTO_THREAD_unlock(fips_rand_lock); -+ return 1; -+} -+ -+static const RAND_METHOD rand_drbg_meth = { -+ fips_drbg_seed, -+ fips_drbg_bytes, -+ fips_drbg_cleanup, -+ fips_drbg_add, -+ fips_drbg_pseudo, -+ fips_drbg_status -+}; -+ -+const RAND_METHOD *FIPS_drbg_method(void) -+{ -+ return &rand_drbg_meth; -+} -diff -up openssl-1.1.0h/crypto/fips/fips_drbg_selftest.c.fips openssl-1.1.0h/crypto/fips/fips_drbg_selftest.c ---- openssl-1.1.0h/crypto/fips/fips_drbg_selftest.c.fips 2018-03-29 14:44:24.634236830 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_drbg_selftest.c 2018-03-29 14:44:24.634236830 +0200 -@@ -0,0 +1,828 @@ -+/* fips/rand/fips_drbg_selftest.c */ -+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL -+ * project. -+ */ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * ==================================================================== -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include "fips_rand_lcl.h" -+#include "fips_locl.h" -+ -+#include "fips_drbg_selftest.h" -+ -+typedef struct { -+ int post; -+ int nid; -+ unsigned int flags; -+ -+ /* KAT data for no PR */ -+ const unsigned char *ent; -+ size_t entlen; -+ const unsigned char *nonce; -+ size_t noncelen; -+ const unsigned char *pers; -+ size_t perslen; -+ const unsigned char *adin; -+ size_t adinlen; -+ const unsigned char *entreseed; -+ size_t entreseedlen; -+ const unsigned char *adinreseed; -+ size_t adinreseedlen; -+ const unsigned char *adin2; -+ size_t adin2len; -+ const unsigned char *kat; -+ size_t katlen; -+ const unsigned char *kat2; -+ size_t kat2len; -+ -+ /* KAT data for PR */ -+ const unsigned char *ent_pr; -+ size_t entlen_pr; -+ const unsigned char *nonce_pr; -+ size_t noncelen_pr; -+ const unsigned char *pers_pr; -+ size_t perslen_pr; -+ const unsigned char *adin_pr; -+ size_t adinlen_pr; -+ const unsigned char *entpr_pr; -+ size_t entprlen_pr; -+ const unsigned char *ading_pr; -+ size_t adinglen_pr; -+ const unsigned char *entg_pr; -+ size_t entglen_pr; -+ const unsigned char *kat_pr; -+ size_t katlen_pr; -+ const unsigned char *kat2_pr; -+ size_t kat2len_pr; -+ -+} DRBG_SELFTEST_DATA; -+ -+#define make_drbg_test_data(nid, flag, pr, p) {p, nid, flag | DRBG_FLAG_TEST, \ -+ pr##_entropyinput, sizeof(pr##_entropyinput), \ -+ pr##_nonce, sizeof(pr##_nonce), \ -+ pr##_personalizationstring, sizeof(pr##_personalizationstring), \ -+ pr##_additionalinput, sizeof(pr##_additionalinput), \ -+ pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \ -+ pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \ -+ pr##_additionalinput2, sizeof(pr##_additionalinput2), \ -+ pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \ -+ pr##_returnedbits, sizeof(pr##_returnedbits), \ -+ pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \ -+ pr##_pr_nonce, sizeof(pr##_pr_nonce), \ -+ pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \ -+ pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \ -+ pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \ -+ pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \ -+ pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \ -+ pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \ -+ pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits), \ -+ } -+ -+#define make_drbg_test_data_df(nid, pr, p) \ -+ make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr, p) -+ -+#define make_drbg_test_data_ec(curve, md, pr, p) \ -+ make_drbg_test_data((curve << 16) | md , 0, pr, p) -+ -+static DRBG_SELFTEST_DATA drbg_test[] = { -+ make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0), -+ make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0), -+ make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1), -+ make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df, 0), -+ make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df, 0), -+ make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df, 1), -+ make_drbg_test_data(NID_sha1, 0, sha1, 0), -+ make_drbg_test_data(NID_sha224, 0, sha224, 0), -+ make_drbg_test_data(NID_sha256, 0, sha256, 1), -+ make_drbg_test_data(NID_sha384, 0, sha384, 0), -+ make_drbg_test_data(NID_sha512, 0, sha512, 0), -+ make_drbg_test_data(NID_hmacWithSHA1, 0, hmac_sha1, 0), -+ make_drbg_test_data(NID_hmacWithSHA224, 0, hmac_sha224, 0), -+ make_drbg_test_data(NID_hmacWithSHA256, 0, hmac_sha256, 1), -+ make_drbg_test_data(NID_hmacWithSHA384, 0, hmac_sha384, 0), -+ make_drbg_test_data(NID_hmacWithSHA512, 0, hmac_sha512, 0), -+ {0, 0, 0} -+}; -+ -+typedef struct { -+ const unsigned char *ent; -+ size_t entlen; -+ int entcnt; -+ const unsigned char *nonce; -+ size_t noncelen; -+ int noncecnt; -+} TEST_ENT; -+ -+static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout, -+ int entropy, size_t min_len, size_t max_len) -+{ -+ TEST_ENT *t = FIPS_drbg_get_app_data(dctx); -+ *pout = (unsigned char *)t->ent; -+ t->entcnt++; -+ return t->entlen; -+} -+ -+static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout, -+ int entropy, size_t min_len, size_t max_len) -+{ -+ TEST_ENT *t = FIPS_drbg_get_app_data(dctx); -+ *pout = (unsigned char *)t->nonce; -+ t->noncecnt++; -+ return t->noncelen; -+} -+ -+static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, -+ int quick) -+{ -+ TEST_ENT t; -+ int rv = 0; -+ size_t adinlen; -+ unsigned char randout[1024]; -+ -+ /* Initial test without PR */ -+ -+ /* Instantiate DRBG with test entropy, nonce and personalisation -+ * string. -+ */ -+ -+ if (!FIPS_drbg_init(dctx, td->nid, td->flags)) -+ return 0; -+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0)) -+ return 0; -+ -+ FIPS_drbg_set_app_data(dctx, &t); -+ -+ t.ent = td->ent; -+ t.entlen = td->entlen; -+ t.nonce = td->nonce; -+ t.noncelen = td->noncelen; -+ t.entcnt = 0; -+ t.noncecnt = 0; -+ -+ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen)) -+ goto err; -+ -+ /* Note for CTR without DF some additional input values -+ * ignore bytes after the keylength: so reduce adinlen -+ * to half to ensure invalid data is fed in. -+ */ -+ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags)) -+ adinlen = td->adinlen / 2; -+ else -+ adinlen = td->adinlen; -+ -+ /* Generate with no PR and verify output matches expected data */ -+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, td->adin, adinlen)) -+ goto err; -+ -+ if (memcmp(randout, td->kat, td->katlen)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST1_FAILURE); -+ goto err2; -+ } -+ /* If abbreviated POST end of test */ -+ if (quick) { -+ rv = 1; -+ goto err; -+ } -+ /* Reseed DRBG with test entropy and additional input */ -+ t.ent = td->entreseed; -+ t.entlen = td->entreseedlen; -+ -+ if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen)) -+ goto err; -+ -+ /* Generate with no PR and verify output matches expected data */ -+ if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0, -+ td->adin2, td->adin2len)) -+ goto err; -+ -+ if (memcmp(randout, td->kat2, td->kat2len)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST2_FAILURE); -+ goto err2; -+ } -+ -+ FIPS_drbg_uninstantiate(dctx); -+ -+ /* Now test with PR */ -+ -+ /* Instantiate DRBG with test entropy, nonce and personalisation -+ * string. -+ */ -+ if (!FIPS_drbg_init(dctx, td->nid, td->flags)) -+ return 0; -+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0)) -+ return 0; -+ -+ FIPS_drbg_set_app_data(dctx, &t); -+ -+ t.ent = td->ent_pr; -+ t.entlen = td->entlen_pr; -+ t.nonce = td->nonce_pr; -+ t.noncelen = td->noncelen_pr; -+ t.entcnt = 0; -+ t.noncecnt = 0; -+ -+ if (!FIPS_drbg_instantiate(dctx, td->pers_pr, td->perslen_pr)) -+ goto err; -+ -+ /* Now generate with PR: we need to supply entropy as this will -+ * perform a reseed operation. Check output matches expected value. -+ */ -+ -+ t.ent = td->entpr_pr; -+ t.entlen = td->entprlen_pr; -+ -+ /* Note for CTR without DF some additional input values -+ * ignore bytes after the keylength: so reduce adinlen -+ * to half to ensure invalid data is fed in. -+ */ -+ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags)) -+ adinlen = td->adinlen_pr / 2; -+ else -+ adinlen = td->adinlen_pr; -+ if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 1, -+ td->adin_pr, adinlen)) -+ goto err; -+ -+ if (memcmp(randout, td->kat_pr, td->katlen_pr)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST1_FAILURE); -+ goto err2; -+ } -+ -+ /* Now generate again with PR: supply new entropy again. -+ * Check output matches expected value. -+ */ -+ -+ t.ent = td->entg_pr; -+ t.entlen = td->entglen_pr; -+ -+ if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 1, -+ td->ading_pr, td->adinglen_pr)) -+ goto err; -+ -+ if (memcmp(randout, td->kat2_pr, td->kat2len_pr)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST2_FAILURE); -+ goto err2; -+ } -+ /* All OK, test complete */ -+ rv = 1; -+ -+ err: -+ if (rv == 0) -+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED); -+ err2: -+ FIPS_drbg_uninstantiate(dctx); -+ -+ return rv; -+ -+} -+ -+/* Initialise a DRBG based on selftest data */ -+ -+static int do_drbg_init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, TEST_ENT * t) -+{ -+ -+ if (!FIPS_drbg_init(dctx, td->nid, td->flags)) -+ return 0; -+ -+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0)) -+ return 0; -+ -+ FIPS_drbg_set_app_data(dctx, t); -+ -+ t->ent = td->ent; -+ t->entlen = td->entlen; -+ t->nonce = td->nonce; -+ t->noncelen = td->noncelen; -+ t->entcnt = 0; -+ t->noncecnt = 0; -+ return 1; -+} -+ -+/* Initialise and instantiate DRBG based on selftest data */ -+static int do_drbg_instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, -+ TEST_ENT * t) -+{ -+ if (!do_drbg_init(dctx, td, t)) -+ return 0; -+ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen)) -+ return 0; -+ -+ return 1; -+} -+ -+/* This function performs extensive error checking as required by SP800-90. -+ * Induce several failure modes and check an error condition is set. -+ * This function along with fips_drbg_single_kat peforms the health checking -+ * operation. -+ */ -+ -+static int fips_drbg_error_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td) -+{ -+ unsigned char randout[1024]; -+ TEST_ENT t; -+ size_t i; -+ unsigned int reseed_counter_tmp; -+ unsigned char *p = (unsigned char *)dctx; -+ -+ /* Initialise DRBG */ -+ -+ if (!do_drbg_init(dctx, td, &t)) -+ goto err; -+ -+ /* Don't report induced errors */ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ /* Personalisation string tests */ -+ -+ /* Test detection of too large personlisation string */ -+ -+ if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_PERSONALISATION_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ /* Entropy source tests */ -+ -+ /* Test entropy source failure detecion: i.e. returns no data */ -+ -+ t.entlen = 0; -+ -+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ /* Try to generate output from uninstantiated DRBG */ -+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, -+ td->adin, td->adinlen)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_GENERATE_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ if (!do_drbg_init(dctx, td, &t)) -+ goto err; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ /* Test insufficient entropy */ -+ -+ t.entlen = dctx->min_entropy - 1; -+ -+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ /* Test too much entropy */ -+ -+ if (!do_drbg_init(dctx, td, &t)) -+ goto err; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ t.entlen = dctx->max_entropy + 1; -+ -+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ /* Nonce tests */ -+ -+ /* Test too small nonce */ -+ -+ if (dctx->min_nonce) { -+ -+ if (!do_drbg_init(dctx, td, &t)) -+ goto err; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ t.noncelen = dctx->min_nonce - 1; -+ -+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_NONCE_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ } -+ -+ /* Test too large nonce */ -+ -+ if (dctx->max_nonce) { -+ -+ if (!do_drbg_init(dctx, td, &t)) -+ goto err; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ t.noncelen = dctx->max_nonce + 1; -+ -+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_NONCE_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ } -+ -+ /* Instantiate with valid data. */ -+ if (!do_drbg_instantiate(dctx, td, &t)) -+ goto err; -+ -+ /* Check generation is now OK */ -+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, -+ td->adin, td->adinlen)) -+ goto err; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ /* Request too much data for one request */ -+ if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0, -+ td->adin, td->adinlen)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ /* Try too large additional input */ -+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, -+ td->adin, dctx->max_adin + 1)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ /* Check prediction resistance request fails if entropy source -+ * failure. -+ */ -+ -+ t.entlen = 0; -+ -+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1, -+ td->adin, td->adinlen)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ /* Instantiate again with valid data */ -+ -+ if (!do_drbg_instantiate(dctx, td, &t)) -+ goto err; -+ /* Test reseed counter works */ -+ /* Save initial reseed counter */ -+ reseed_counter_tmp = dctx->reseed_counter; -+ /* Set reseed counter to beyond interval */ -+ dctx->reseed_counter = dctx->reseed_interval; -+ -+ /* Generate output and check entropy has been requested for reseed */ -+ t.entcnt = 0; -+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, -+ td->adin, td->adinlen)) -+ goto err; -+ if (t.entcnt != 1) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED); -+ goto err; -+ } -+ /* Check reseed counter has been reset */ -+ if (dctx->reseed_counter != reseed_counter_tmp + 1) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR); -+ goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ /* Check prediction resistance request fails if entropy source -+ * failure. -+ */ -+ -+ t.entlen = 0; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1, -+ td->adin, td->adinlen)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ if (!do_drbg_instantiate(dctx, td, &t)) -+ goto err; -+ /* Test reseed counter works */ -+ /* Save initial reseed counter */ -+ reseed_counter_tmp = dctx->reseed_counter; -+ /* Set reseed counter to beyond interval */ -+ dctx->reseed_counter = dctx->reseed_interval; -+ -+ /* Generate output and check entropy has been requested for reseed */ -+ t.entcnt = 0; -+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, -+ td->adin, td->adinlen)) -+ goto err; -+ if (t.entcnt != 1) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED); -+ goto err; -+ } -+ /* Check reseed counter has been reset */ -+ if (dctx->reseed_counter != reseed_counter_tmp + 1) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR); -+ goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ /* Explicit reseed tests */ -+ -+ /* Test explicit reseed with too large additional input */ -+ if (!do_drbg_init(dctx, td, &t)) -+ goto err; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ if (FIPS_drbg_reseed(dctx, td->adin, dctx->max_adin + 1) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ /* Test explicit reseed with entropy source failure */ -+ -+ t.entlen = 0; -+ -+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ /* Test explicit reseed with too much entropy */ -+ -+ if (!do_drbg_init(dctx, td, &t)) -+ goto err; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ t.entlen = dctx->max_entropy + 1; -+ -+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ /* Test explicit reseed with too little entropy */ -+ -+ if (!do_drbg_init(dctx, td, &t)) -+ goto err; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ t.entlen = dctx->min_entropy - 1; -+ -+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ p = (unsigned char *)&dctx->d; -+ /* Standard says we have to check uninstantiate really zeroes -+ * the data... -+ */ -+ for (i = 0; i < sizeof(dctx->d); i++) { -+ if (*p != 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_UNINSTANTIATE_ZEROISE_ERROR); -+ goto err; -+ } -+ p++; -+ } -+ -+ return 1; -+ -+ err: -+ /* A real error as opposed to an induced one: underlying function will -+ * indicate the error. -+ */ -+ if (!(dctx->iflags & DRBG_FLAG_NOERR)) -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_FUNCTION_ERROR); -+ FIPS_drbg_uninstantiate(dctx); -+ return 0; -+ -+} -+ -+int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags) -+{ -+ DRBG_SELFTEST_DATA *td; -+ flags |= DRBG_FLAG_TEST; -+ for (td = drbg_test; td->nid != 0; td++) { -+ if (td->nid == nid && td->flags == flags) { -+ if (!fips_drbg_single_kat(dctx, td, 0)) -+ return 0; -+ return fips_drbg_error_check(dctx, td); -+ } -+ } -+ return 0; -+} -+ -+int FIPS_drbg_health_check(DRBG_CTX *dctx) -+{ -+ int rv; -+ DRBG_CTX *tctx = NULL; -+ tctx = FIPS_drbg_new(0, 0); -+ fips_post_started(FIPS_TEST_DRBG, dctx->type, &dctx->xflags); -+ if (!tctx) -+ return 0; -+ rv = fips_drbg_kat(tctx, dctx->type, dctx->xflags); -+ if (tctx) -+ FIPS_drbg_free(tctx); -+ if (rv) -+ fips_post_success(FIPS_TEST_DRBG, dctx->type, &dctx->xflags); -+ else -+ fips_post_failed(FIPS_TEST_DRBG, dctx->type, &dctx->xflags); -+ if (!rv) -+ dctx->status = DRBG_STATUS_ERROR; -+ else -+ dctx->health_check_cnt = 0; -+ return rv; -+} -+ -+int FIPS_selftest_drbg(void) -+{ -+ DRBG_CTX *dctx; -+ DRBG_SELFTEST_DATA *td; -+ int rv = 1; -+ dctx = FIPS_drbg_new(0, 0); -+ if (!dctx) -+ return 0; -+ for (td = drbg_test; td->nid != 0; td++) { -+ if (td->post != 1) -+ continue; -+ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags)) -+ return 1; -+ if (!fips_drbg_single_kat(dctx, td, 1)) { -+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags); -+ rv = 0; -+ continue; -+ } -+ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags)) -+ return 0; -+ } -+ FIPS_drbg_free(dctx); -+ return rv; -+} -+ -+int FIPS_selftest_drbg_all(void) -+{ -+ DRBG_CTX *dctx; -+ DRBG_SELFTEST_DATA *td; -+ int rv = 1; -+ dctx = FIPS_drbg_new(0, 0); -+ if (!dctx) -+ return 0; -+ for (td = drbg_test; td->nid != 0; td++) { -+ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags)) -+ return 1; -+ if (!fips_drbg_single_kat(dctx, td, 0)) { -+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags); -+ rv = 0; -+ continue; -+ } -+ if (!fips_drbg_error_check(dctx, td)) { -+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags); -+ rv = 0; -+ continue; -+ } -+ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags)) -+ return 0; -+ } -+ FIPS_drbg_free(dctx); -+ return rv; -+} -diff -up openssl-1.1.0h/crypto/fips/fips_drbg_selftest.h.fips openssl-1.1.0h/crypto/fips/fips_drbg_selftest.h ---- openssl-1.1.0h/crypto/fips/fips_drbg_selftest.h.fips 2018-03-29 14:44:24.634236830 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_drbg_selftest.h 2018-03-29 14:44:24.634236830 +0200 -@@ -0,0 +1,1791 @@ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+/* Selftest and health check data for the SP800-90 DRBG */ -+ -+#define __fips_constseg -+ -+/* AES-128 use df PR */ -+__fips_constseg static const unsigned char aes_128_use_df_pr_entropyinput[] = { -+ 0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33, -+ 0xc8, 0xdb, 0xff, 0x12 -+}; -+ -+__fips_constseg static const unsigned char aes_128_use_df_pr_nonce[] = { -+ 0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_pr_personalizationstring[] = { -+ 0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe, -+ 0xd7, 0xd7, 0x01, 0x67 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_pr_additionalinput[] = { -+ 0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e, -+ 0x9a, 0x47, 0x08, 0x76 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_pr_entropyinputpr[] = { -+ 0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51, -+ 0x09, 0xfb, 0xa3, 0xb6 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_pr_int_returnedbits[] = { -+ 0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52, -+ 0x66, 0x1c, 0xea, 0x5b -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_pr_additionalinput2[] = { -+ 0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11, -+ 0x3f, 0x5e, 0x31, 0x06 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = { -+ 0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae, -+ 0xa7, 0xe3, 0xa8, 0x67 -+}; -+ -+__fips_constseg static const unsigned char aes_128_use_df_pr_returnedbits[] = { -+ 0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24, -+ 0x0f, 0x38, 0x43, 0xc6 -+}; -+ -+/* AES-128 use df No PR */ -+__fips_constseg static const unsigned char aes_128_use_df_entropyinput[] = { -+ 0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3, -+ 0x9d, 0x7d, 0x1c, 0x9b -+}; -+ -+__fips_constseg static const unsigned char aes_128_use_df_nonce[] = { -+ 0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_personalizationstring[] = { -+ 0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3, -+ 0x38, 0x66, 0xba, 0x1b -+}; -+ -+__fips_constseg static const unsigned char aes_128_use_df_additionalinput[] = { -+ 0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46, -+ 0xb5, 0xe2, 0xb2, 0x41 -+}; -+ -+__fips_constseg static const unsigned char aes_128_use_df_int_returnedbits[] = { -+ 0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67, -+ 0xe7, 0x57, 0x11, 0xb4 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_entropyinputreseed[] = { -+ 0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b, -+ 0xc7, 0xc4, 0x9e, 0x39 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_additionalinputreseed[] = { -+ 0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a, -+ 0xc8, 0x93, 0xfa, 0x84 -+}; -+ -+__fips_constseg static const unsigned char aes_128_use_df_additionalinput2[] = { -+ 0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5, -+ 0x06, 0x0c, 0x15, 0x2c -+}; -+ -+__fips_constseg static const unsigned char aes_128_use_df_returnedbits[] = { -+ 0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88, -+ 0x46, 0x81, 0xc7, 0x19 -+}; -+ -+/* AES-192 use df PR */ -+__fips_constseg static const unsigned char aes_192_use_df_pr_entropyinput[] = { -+ 0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec, -+ 0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d -+}; -+ -+__fips_constseg static const unsigned char aes_192_use_df_pr_nonce[] = { -+ 0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0, -+ 0xd1, 0x80, 0x78, 0xfa -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_pr_personalizationstring[] = { -+ 0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16, -+ 0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5, -+ 0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_pr_additionalinput[] = { -+ 0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac, -+ 0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb, -+ 0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_pr_entropyinputpr[] = { -+ 0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5, -+ 0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_pr_int_returnedbits[] = { -+ 0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9, -+ 0x19, 0x30, 0x6b, 0x67 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_pr_additionalinput2[] = { -+ 0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32, -+ 0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda, -+ 0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = { -+ 0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0, -+ 0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e -+}; -+ -+__fips_constseg static const unsigned char aes_192_use_df_pr_returnedbits[] = { -+ 0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c, -+ 0x7e, 0x1a, 0x2b, 0x83 -+}; -+ -+/* AES-192 use df No PR */ -+__fips_constseg static const unsigned char aes_192_use_df_entropyinput[] = { -+ 0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82, -+ 0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b -+}; -+ -+__fips_constseg static const unsigned char aes_192_use_df_nonce[] = { -+ 0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d, -+ 0x77, 0xd7, 0x41, 0x0e -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_personalizationstring[] = { -+ 0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf, -+ 0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65, -+ 0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70 -+}; -+ -+__fips_constseg static const unsigned char aes_192_use_df_additionalinput[] = { -+ 0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69, -+ 0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22, -+ 0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7 -+}; -+ -+__fips_constseg static const unsigned char aes_192_use_df_int_returnedbits[] = { -+ 0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6, -+ 0xb7, 0xed, 0xe9, 0xea -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_entropyinputreseed[] = { -+ 0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02, -+ 0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_additionalinputreseed[] = { -+ 0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76, -+ 0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77, -+ 0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65 -+}; -+ -+__fips_constseg static const unsigned char aes_192_use_df_additionalinput2[] = { -+ 0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e, -+ 0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0, -+ 0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77 -+}; -+ -+__fips_constseg static const unsigned char aes_192_use_df_returnedbits[] = { -+ 0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58, -+ 0x1a, 0xf9, 0x13, 0x28 -+}; -+ -+/* AES-256 use df PR */ -+__fips_constseg static const unsigned char aes_256_use_df_pr_entropyinput[] = { -+ 0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74, -+ 0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f, -+ 0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a -+}; -+ -+__fips_constseg static const unsigned char aes_256_use_df_pr_nonce[] = { -+ 0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33, -+ 0x2b, 0x36, 0xff, 0xa4 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_pr_personalizationstring[] = { -+ 0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24, -+ 0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83, -+ 0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_pr_additionalinput[] = { -+ 0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0, -+ 0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3, -+ 0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_pr_entropyinputpr[] = { -+ 0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77, -+ 0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54, -+ 0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_pr_int_returnedbits[] = { -+ 0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7, -+ 0x17, 0xab, 0x3c, 0x7a -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_pr_additionalinput2[] = { -+ 0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00, -+ 0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78, -+ 0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = { -+ 0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73, -+ 0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8, -+ 0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f -+}; -+ -+__fips_constseg static const unsigned char aes_256_use_df_pr_returnedbits[] = { -+ 0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0, -+ 0xd9, 0xe2, 0x97, 0x00 -+}; -+ -+/* AES-256 use df No PR */ -+__fips_constseg static const unsigned char aes_256_use_df_entropyinput[] = { -+ 0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50, -+ 0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68, -+ 0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47 -+}; -+ -+__fips_constseg static const unsigned char aes_256_use_df_nonce[] = { -+ 0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a, -+ 0x4c, 0x44, 0x84, 0x40 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_personalizationstring[] = { -+ 0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05, -+ 0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b, -+ 0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2 -+}; -+ -+__fips_constseg static const unsigned char aes_256_use_df_additionalinput[] = { -+ 0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f, -+ 0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf, -+ 0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46 -+}; -+ -+__fips_constseg static const unsigned char aes_256_use_df_int_returnedbits[] = { -+ 0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1, -+ 0x28, 0x0c, 0x3b, 0xc1 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_entropyinputreseed[] = { -+ 0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76, -+ 0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46, -+ 0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_additionalinputreseed[] = { -+ 0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99, -+ 0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75, -+ 0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75 -+}; -+ -+__fips_constseg static const unsigned char aes_256_use_df_additionalinput2[] = { -+ 0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d, -+ 0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a, -+ 0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d -+}; -+ -+__fips_constseg static const unsigned char aes_256_use_df_returnedbits[] = { -+ 0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad, -+ 0xfa, 0xfd, 0x35, 0x5e -+}; -+ -+/* AES-128 no df PR */ -+__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinput[] = { -+ 0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4, -+ 0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf, -+ 0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_pr_nonce[] = { -+ 0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_pr_personalizationstring[] = { -+ 0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c, -+ 0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c, -+ 0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_pr_additionalinput[] = { -+ 0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02, -+ 0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73, -+ 0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12 -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinputpr[] = { -+ 0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a, -+ 0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7, -+ 0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_pr_int_returnedbits[] = { -+ 0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71, -+ 0xaf, 0x19, 0x32, 0x16 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_pr_additionalinput2[] = { -+ 0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f, -+ 0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83, -+ 0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = { -+ 0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a, -+ 0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07, -+ 0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9 -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_pr_returnedbits[] = { -+ 0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33, -+ 0x57, 0x82, 0x33, 0xaf -+}; -+ -+/* AES-128 no df No PR */ -+__fips_constseg static const unsigned char aes_128_no_df_entropyinput[] = { -+ 0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67, -+ 0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42, -+ 0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60 -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_nonce[] = { -+ 0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_personalizationstring[] = { -+ 0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb, -+ 0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b, -+ 0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_additionalinput[] = { -+ 0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37, -+ 0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24, -+ 0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95 -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_int_returnedbits[] = { -+ 0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6, -+ 0xed, 0x3e, 0x65, 0xc2 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_entropyinputreseed[] = { -+ 0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66, -+ 0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1, -+ 0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_additionalinputreseed[] = { -+ 0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2, -+ 0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4, -+ 0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4 -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_additionalinput2[] = { -+ 0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f, -+ 0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac, -+ 0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6 -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_returnedbits[] = { -+ 0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36, -+ 0x81, 0x37, 0x19, 0xd4 -+}; -+ -+/* AES-192 no df PR */ -+__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinput[] = { -+ 0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7, -+ 0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61, -+ 0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a, -+ 0x17, 0x1f, 0x8d, 0x9a -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_pr_nonce[] = { -+ 0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19, -+ 0x61, 0x5c, 0xee, 0x0f -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_no_df_pr_personalizationstring[] = { -+ 0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1, -+ 0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4, -+ 0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10, -+ 0x57, 0x2e, 0xe7, 0x55 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_no_df_pr_additionalinput[] = { -+ 0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad, -+ 0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85, -+ 0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f, -+ 0xe2, 0xd0, 0x0c, 0x2f -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinputpr[] = { -+ 0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94, -+ 0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb, -+ 0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58, -+ 0x1d, 0x30, 0xb3, 0x78 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_no_df_pr_int_returnedbits[] = { -+ 0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40, -+ 0x7e, 0x3e, 0x0c, 0x26 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_no_df_pr_additionalinput2[] = { -+ 0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a, -+ 0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57, -+ 0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee, -+ 0x0c, 0x4b, 0xee, 0x6e -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = { -+ 0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0, -+ 0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f, -+ 0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b, -+ 0x8e, 0x0a, 0x83, 0xdf -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_pr_returnedbits[] = { -+ 0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91, -+ 0xb9, 0xa1, 0x21, 0x68 -+}; -+ -+/* AES-192 no df No PR */ -+__fips_constseg static const unsigned char aes_192_no_df_entropyinput[] = { -+ 0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e, -+ 0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe, -+ 0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28, -+ 0x94, 0xc3, 0x59, 0x63 -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_nonce[] = { -+ 0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb, -+ 0x29, 0xfd, 0x45, 0x71 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_no_df_personalizationstring[] = { -+ 0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08, -+ 0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96, -+ 0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b, -+ 0x3b, 0x88, 0xce, 0x35 -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_additionalinput[] = { -+ 0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b, -+ 0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71, -+ 0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3, -+ 0x3e, 0xbe, 0xd4, 0x8e -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_int_returnedbits[] = { -+ 0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a, -+ 0x45, 0xe7, 0x4a, 0xc5 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_no_df_entropyinputreseed[] = { -+ 0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e, -+ 0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1, -+ 0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33, -+ 0x9b, 0xcb, 0x7e, 0x75 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_no_df_additionalinputreseed[] = { -+ 0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01, -+ 0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27, -+ 0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40, -+ 0x5d, 0x7a, 0x25, 0x79 -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_additionalinput2[] = { -+ 0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71, -+ 0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5, -+ 0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a, -+ 0x91, 0x6a, 0xe3, 0x5f -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_returnedbits[] = { -+ 0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8, -+ 0x66, 0x67, 0x2c, 0x92 -+}; -+ -+/* AES-256 no df PR */ -+__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinput[] = { -+ 0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8, -+ 0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2, -+ 0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03, -+ 0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_pr_nonce[] = { -+ 0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30, -+ 0xcc, 0x4b, 0xee, 0x2e -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_pr_personalizationstring[] = { -+ 0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7, -+ 0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b, -+ 0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac, -+ 0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_pr_additionalinput[] = { -+ 0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40, -+ 0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c, -+ 0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69, -+ 0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinputpr[] = { -+ 0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16, -+ 0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc, -+ 0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9, -+ 0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_pr_int_returnedbits[] = { -+ 0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56, -+ 0x79, 0x60, 0x93, 0xcf -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_pr_additionalinput2[] = { -+ 0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a, -+ 0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35, -+ 0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34, -+ 0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = { -+ 0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3, -+ 0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa, -+ 0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83, -+ 0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_pr_returnedbits[] = { -+ 0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7, -+ 0x2d, 0x5f, 0x4a, 0x46 -+}; -+ -+/* AES-256 no df No PR */ -+__fips_constseg static const unsigned char aes_256_no_df_entropyinput[] = { -+ 0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3, -+ 0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb, -+ 0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96, -+ 0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3 -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_nonce[] = { -+ 0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99, -+ 0x43, 0x96, 0xb9, 0xf0 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_personalizationstring[] = { -+ 0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60, -+ 0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc, -+ 0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f, -+ 0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_additionalinput[] = { -+ 0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6, -+ 0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9, -+ 0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed, -+ 0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17 -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_int_returnedbits[] = { -+ 0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6, -+ 0xd2, 0x25, 0x75, 0x0e -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_entropyinputreseed[] = { -+ 0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b, -+ 0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5, -+ 0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed, -+ 0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_additionalinputreseed[] = { -+ 0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e, -+ 0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18, -+ 0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b, -+ 0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29 -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_additionalinput2[] = { -+ 0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe, -+ 0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42, -+ 0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba, -+ 0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6 -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_returnedbits[] = { -+ 0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67, -+ 0xf6, 0x02, 0x32, 0xe2 -+}; -+ -+/* SHA-1 PR */ -+__fips_constseg static const unsigned char sha1_pr_entropyinput[] = { -+ 0xd2, 0x36, 0xa5, 0x27, 0x31, 0x73, 0xdd, 0x11, 0x4f, 0x93, 0xbd, 0xe2, -+ 0x31, 0xa5, 0x91, 0x13 -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_nonce[] = { -+ 0xb5, 0xb3, 0x60, 0xef, 0xf7, 0x63, 0x31, 0xf3 -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_personalizationstring[] = { -+ 0xd4, 0xbb, 0x02, 0x10, 0xb2, 0x71, 0xdb, 0x81, 0xd6, 0xf0, 0x42, 0x60, -+ 0xda, 0xea, 0x77, 0x52 -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_additionalinput[] = { -+ 0x4d, 0xd2, 0x6c, 0x87, 0xfb, 0x2c, 0x4f, 0xa6, 0x8d, 0x16, 0x63, 0x22, -+ 0x6a, 0x51, 0xe3, 0xf8 -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_entropyinputpr[] = { -+ 0xc9, 0x83, 0x9e, 0x16, 0xf6, 0x1c, 0x0f, 0xb2, 0xec, 0x60, 0x31, 0xa9, -+ 0xcb, 0xa9, 0x36, 0x7a -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_int_returnedbits[] = { -+ 0xa8, 0x13, 0x4f, 0xf4, 0x31, 0x02, 0x44, 0xe3, 0xd3, 0x3d, 0x61, 0x9e, -+ 0xe5, 0xc6, 0x3e, 0x89, 0xb5, 0x9b, 0x0f, 0x35 -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_additionalinput2[] = { -+ 0xf9, 0xe8, 0xd2, 0x72, 0x13, 0x34, 0x95, 0x6f, 0x15, 0x49, 0x47, 0x99, -+ 0x16, 0x03, 0x19, 0x47 -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_entropyinputpr2[] = { -+ 0x4e, 0x8c, 0x49, 0x9b, 0x4a, 0x5c, 0x9b, 0x9c, 0x3a, 0xee, 0xfb, 0xd2, -+ 0xae, 0xcd, 0x8c, 0xc4 -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_returnedbits[] = { -+ 0x50, 0xb4, 0xb4, 0xcd, 0x68, 0x57, 0xfc, 0x2e, 0xc1, 0x52, 0xcc, 0xf6, -+ 0x68, 0xa4, 0x81, 0xed, 0x7e, 0xe4, 0x1d, 0x87 -+}; -+ -+/* SHA-1 No PR */ -+__fips_constseg static const unsigned char sha1_entropyinput[] = { -+ 0xa9, 0x47, 0x1b, 0x29, 0x2d, 0x1c, 0x05, 0xdf, 0x76, 0xd0, 0x62, 0xf9, -+ 0xe2, 0x7f, 0x4c, 0x7b -+}; -+ -+__fips_constseg static const unsigned char sha1_nonce[] = { -+ 0x53, 0x23, 0x24, 0xe3, 0xec, 0x0c, 0x54, 0x14 -+}; -+ -+__fips_constseg static const unsigned char sha1_personalizationstring[] = { -+ 0x7a, 0x87, 0xa1, 0xac, 0x1c, 0xfd, 0xab, 0xae, 0xf7, 0xd6, 0xfb, 0x76, -+ 0x28, 0xec, 0x6d, 0xca -+}; -+ -+__fips_constseg static const unsigned char sha1_additionalinput[] = { -+ 0xfc, 0x92, 0x35, 0xd6, 0x7e, 0xb7, 0x24, 0x65, 0xfd, 0x12, 0x27, 0x35, -+ 0xc0, 0x72, 0xca, 0x28 -+}; -+ -+__fips_constseg static const unsigned char sha1_int_returnedbits[] = { -+ 0x57, 0x88, 0x82, 0xe5, 0x25, 0xa5, 0x2c, 0x4a, 0x06, 0x20, 0x6c, 0x72, -+ 0x55, 0x61, 0xdd, 0x90, 0x71, 0x9f, 0x95, 0xea -+}; -+ -+__fips_constseg static const unsigned char sha1_entropyinputreseed[] = { -+ 0x69, 0xa5, 0x40, 0x62, 0x98, 0x47, 0x56, 0x73, 0x4a, 0x8f, 0x60, 0x96, -+ 0xd6, 0x99, 0x27, 0xed -+}; -+ -+__fips_constseg static const unsigned char sha1_additionalinputreseed[] = { -+ 0xe5, 0x40, 0x4e, 0xbd, 0x50, 0x00, 0xf5, 0x15, 0xa6, 0xee, 0x45, 0xda, -+ 0x84, 0x3d, 0xd4, 0xc0 -+}; -+ -+__fips_constseg static const unsigned char sha1_additionalinput2[] = { -+ 0x11, 0x51, 0x14, 0xf0, 0x09, 0x1b, 0x4e, 0x56, 0x0d, 0xe9, 0xf6, 0x1e, -+ 0x52, 0x65, 0xcd, 0x96 -+}; -+ -+__fips_constseg static const unsigned char sha1_returnedbits[] = { -+ 0xa1, 0x9c, 0x94, 0x6e, 0x29, 0xe1, 0x33, 0x0d, 0x32, 0xd6, 0xaa, 0xce, -+ 0x71, 0x3f, 0x52, 0x72, 0x8b, 0x42, 0xa8, 0xd7 -+}; -+ -+/* SHA-224 PR */ -+__fips_constseg static const unsigned char sha224_pr_entropyinput[] = { -+ 0x12, 0x69, 0x32, 0x4f, 0x83, 0xa6, 0xf5, 0x14, 0xe3, 0x49, 0x3e, 0x75, -+ 0x3e, 0xde, 0xad, 0xa1, 0x29, 0xc3, 0xf3, 0x19, 0x20, 0xb5, 0x4c, 0xd9 -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_nonce[] = { -+ 0x6a, 0x78, 0xd0, 0xeb, 0xbb, 0x5a, 0xf0, 0xee, 0xe8, 0xc3, 0xba, 0x71 -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_personalizationstring[] = { -+ 0xd5, 0xb8, 0xb6, 0xbc, 0xc1, 0x5b, 0x60, 0x31, 0x3c, 0xf5, 0xe5, 0xc0, -+ 0x8e, 0x52, 0x7a, 0xbd, 0xea, 0x47, 0xa9, 0x5f, 0x8f, 0xf9, 0x8b, 0xae -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_additionalinput[] = { -+ 0x1f, 0x55, 0xec, 0xae, 0x16, 0x12, 0x84, 0xba, 0x84, 0x16, 0x19, 0x88, -+ 0x8e, 0xb8, 0x33, 0x25, 0x54, 0xff, 0xca, 0x79, 0xaf, 0x07, 0x25, 0x50 -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_entropyinputpr[] = { -+ 0x92, 0xa3, 0x32, 0xa8, 0x9a, 0x0a, 0x58, 0x7c, 0x1d, 0x5a, 0x7e, 0xe1, -+ 0xb2, 0x73, 0xab, 0x0e, 0x16, 0x79, 0x23, 0xd3, 0x29, 0x89, 0x81, 0xe1 -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_int_returnedbits[] = { -+ 0xf3, 0x38, 0x91, 0x40, 0x37, 0x7a, 0x51, 0x72, 0x42, 0x74, 0x78, 0x0a, -+ 0x69, 0xfd, 0xa6, 0x44, 0x43, 0x45, 0x6c, 0x0c, 0x5a, 0x19, 0xff, 0xf1, -+ 0x54, 0x60, 0xee, 0x6a -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_additionalinput2[] = { -+ 0x75, 0xf3, 0x04, 0x25, 0xdd, 0x36, 0xa8, 0x37, 0x46, 0xae, 0x0c, 0x52, -+ 0x05, 0x79, 0x4c, 0x26, 0xdb, 0xe9, 0x71, 0x16, 0x4c, 0x0a, 0xf2, 0x60 -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_entropyinputpr2[] = { -+ 0xea, 0xc5, 0x03, 0x0a, 0x4f, 0xb0, 0x38, 0x8d, 0x23, 0xd4, 0xc8, 0x77, -+ 0xe2, 0x6d, 0x9c, 0x0b, 0x44, 0xf7, 0x2d, 0x5b, 0xbf, 0x5d, 0x2a, 0x11 -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_returnedbits[] = { -+ 0x60, 0x50, 0x2b, 0xe7, 0x86, 0xd8, 0x26, 0x73, 0xe3, 0x1d, 0x95, 0x20, -+ 0xb3, 0x2c, 0x32, 0x1c, 0xf5, 0xce, 0x57, 0xa6, 0x67, 0x2b, 0xdc, 0x4e, -+ 0xdd, 0x11, 0x4c, 0xc4 -+}; -+ -+/* SHA-224 No PR */ -+__fips_constseg static const unsigned char sha224_entropyinput[] = { -+ 0xb2, 0x1c, 0x77, 0x4d, 0xf6, 0xd3, 0xb6, 0x40, 0xb7, 0x30, 0x3e, 0x29, -+ 0xb0, 0x85, 0x1c, 0xbe, 0x4a, 0xea, 0x6b, 0x5a, 0xb5, 0x8a, 0x97, 0xeb -+}; -+ -+__fips_constseg static const unsigned char sha224_nonce[] = { -+ 0x42, 0x02, 0x0a, 0x1c, 0x98, 0x9a, 0x77, 0x9e, 0x9f, 0x80, 0xba, 0xe0 -+}; -+ -+__fips_constseg static const unsigned char sha224_personalizationstring[] = { -+ 0x98, 0xb8, 0x04, 0x41, 0xfc, 0xc1, 0x5d, 0xc5, 0xe9, 0xb9, 0x08, 0xda, -+ 0xf9, 0xfa, 0x0d, 0x90, 0xce, 0xdf, 0x1d, 0x10, 0xa9, 0x8d, 0x50, 0x0c -+}; -+ -+__fips_constseg static const unsigned char sha224_additionalinput[] = { -+ 0x9a, 0x8d, 0x39, 0x49, 0x42, 0xd5, 0x0b, 0xae, 0xe1, 0xaf, 0xb7, 0x00, -+ 0x02, 0xfa, 0x96, 0xb1, 0xa5, 0x1d, 0x2d, 0x25, 0x78, 0xee, 0x83, 0x3f -+}; -+ -+__fips_constseg static const unsigned char sha224_int_returnedbits[] = { -+ 0xe4, 0xf5, 0x53, 0x79, 0x5a, 0x97, 0x58, 0x06, 0x08, 0xba, 0x7b, 0xfa, -+ 0xf0, 0x83, 0x05, 0x8c, 0x22, 0xc0, 0xc9, 0xdb, 0x15, 0xe7, 0xde, 0x20, -+ 0x55, 0x22, 0x9a, 0xad -+}; -+ -+__fips_constseg static const unsigned char sha224_entropyinputreseed[] = { -+ 0x67, 0x09, 0x48, 0xaa, 0x07, 0x16, 0x99, 0x89, 0x7f, 0x6d, 0xa0, 0xe5, -+ 0x8f, 0xdf, 0xbc, 0xdb, 0xfe, 0xe5, 0x6c, 0x7a, 0x95, 0x4a, 0x66, 0x17 -+}; -+ -+__fips_constseg static const unsigned char sha224_additionalinputreseed[] = { -+ 0x0f, 0x4b, 0x1c, 0x6f, 0xb7, 0xe3, 0x47, 0xe5, 0x5d, 0x7d, 0x38, 0xd6, -+ 0x28, 0x9b, 0xeb, 0x55, 0x63, 0x09, 0x3e, 0x7c, 0x56, 0xea, 0xf8, 0x19 -+}; -+ -+__fips_constseg static const unsigned char sha224_additionalinput2[] = { -+ 0x2d, 0x26, 0x7c, 0x37, 0xe4, 0x7a, 0x28, 0x5e, 0x5a, 0x3c, 0xaf, 0x3d, -+ 0x5a, 0x8e, 0x55, 0xa2, 0x1a, 0x6e, 0xc0, 0xe5, 0xf6, 0x21, 0xd3, 0xf6 -+}; -+ -+__fips_constseg static const unsigned char sha224_returnedbits[] = { -+ 0x4d, 0x83, 0x35, 0xdf, 0x67, 0xa9, 0xfc, 0x17, 0xda, 0x70, 0xcc, 0x8b, -+ 0x7f, 0x77, 0xae, 0xa2, 0x5f, 0xb9, 0x7e, 0x74, 0x4c, 0x26, 0xc1, 0x7a, -+ 0x3b, 0xa7, 0x5c, 0x93 -+}; -+ -+/* SHA-256 PR */ -+__fips_constseg static const unsigned char sha256_pr_entropyinput[] = { -+ 0xce, 0x49, 0x00, 0x7a, 0x56, 0xe3, 0x67, 0x8f, 0xe1, 0xb6, 0xa7, 0xd4, -+ 0x4f, 0x08, 0x7a, 0x1b, 0x01, 0xf4, 0xfa, 0x6b, 0xef, 0xb7, 0xe5, 0xeb, -+ 0x07, 0x3d, 0x11, 0x0d, 0xc8, 0xea, 0x2b, 0xfe -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_nonce[] = { -+ 0x73, 0x41, 0xc8, 0x92, 0x94, 0xe2, 0xc5, 0x5f, 0x93, 0xfd, 0x39, 0x5d, -+ 0x2b, 0x91, 0x4d, 0x38 -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_personalizationstring[] = { -+ 0x50, 0x6d, 0x01, 0x01, 0x07, 0x5a, 0x80, 0x35, 0x7a, 0x56, 0x1a, 0x56, -+ 0x2f, 0x9a, 0x0b, 0x35, 0xb2, 0xb1, 0xc9, 0xe5, 0xca, 0x69, 0x61, 0x48, -+ 0xff, 0xfb, 0x0f, 0xd9, 0x4b, 0x79, 0x1d, 0xba -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_additionalinput[] = { -+ 0x20, 0xb8, 0xdf, 0x44, 0x77, 0x5a, 0xb8, 0xd3, 0xbf, 0xf6, 0xcf, 0xac, -+ 0x5e, 0xa6, 0x96, 0x62, 0x73, 0x44, 0x40, 0x4a, 0x30, 0xfb, 0x38, 0xa5, -+ 0x7b, 0x0d, 0xe4, 0x0d, 0xc6, 0xe4, 0x9a, 0x1f -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_entropyinputpr[] = { -+ 0x04, 0xc4, 0x65, 0xf4, 0xd3, 0xbf, 0x83, 0x4b, 0xab, 0xc8, 0x41, 0xa8, -+ 0xc2, 0xe0, 0x44, 0x63, 0x77, 0x4c, 0x6f, 0x6c, 0x49, 0x46, 0xff, 0x94, -+ 0x17, 0xea, 0xe6, 0x1a, 0x9d, 0x5e, 0x66, 0x78 -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_int_returnedbits[] = { -+ 0x07, 0x4d, 0xac, 0x9b, 0x86, 0xca, 0x4a, 0xaa, 0x6e, 0x7a, 0x03, 0xa2, -+ 0x5d, 0x10, 0xea, 0x0b, 0xf9, 0x83, 0xcc, 0xd1, 0xfc, 0xe2, 0x07, 0xc7, -+ 0x06, 0x34, 0x60, 0x6f, 0x83, 0x94, 0x99, 0x76 -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_additionalinput2[] = { -+ 0x89, 0x4e, 0x45, 0x8c, 0x11, 0xf9, 0xbc, 0x5b, 0xac, 0x74, 0x8b, 0x4b, -+ 0x5f, 0xf7, 0x19, 0xf3, 0xf5, 0x24, 0x54, 0x14, 0xd1, 0x15, 0xb1, 0x43, -+ 0x12, 0xa4, 0x5f, 0xd4, 0xec, 0xfc, 0xcd, 0x09 -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_entropyinputpr2[] = { -+ 0x0e, 0xeb, 0x1f, 0xd7, 0xfc, 0xd1, 0x9d, 0xd4, 0x05, 0x36, 0x8b, 0xb2, -+ 0xfb, 0xe4, 0xf4, 0x51, 0x0c, 0x87, 0x9b, 0x02, 0x44, 0xd5, 0x92, 0x4d, -+ 0x44, 0xfe, 0x1a, 0x03, 0x43, 0x56, 0xbd, 0x86 -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_returnedbits[] = { -+ 0x02, 0xaa, 0xb6, 0x1d, 0x7e, 0x2a, 0x40, 0x03, 0x69, 0x2d, 0x49, 0xa3, -+ 0x41, 0xe7, 0x44, 0x0b, 0xaf, 0x7b, 0x85, 0xe4, 0x5f, 0x53, 0x3b, 0x64, -+ 0xbc, 0x89, 0xc8, 0x82, 0xd4, 0x78, 0x37, 0xa2 -+}; -+ -+/* SHA-256 No PR */ -+__fips_constseg static const unsigned char sha256_entropyinput[] = { -+ 0x5b, 0x1b, 0xec, 0x4d, 0xa9, 0x38, 0x74, 0x5a, 0x34, 0x0b, 0x7b, 0xc5, -+ 0xe5, 0xd7, 0x66, 0x7c, 0xbc, 0x82, 0xb9, 0x0e, 0x2d, 0x1f, 0x92, 0xd7, -+ 0xc1, 0xbc, 0x67, 0x69, 0xec, 0x6b, 0x03, 0x3c -+}; -+ -+__fips_constseg static const unsigned char sha256_nonce[] = { -+ 0xa4, 0x0c, 0xd8, 0x9c, 0x61, 0xd8, 0xc3, 0x54, 0xfe, 0x53, 0xc9, 0xe5, -+ 0x5d, 0x6f, 0x6d, 0x35 -+}; -+ -+__fips_constseg static const unsigned char sha256_personalizationstring[] = { -+ 0x22, 0x5e, 0x62, 0x93, 0x42, 0x83, 0x78, 0x24, 0xd8, 0x40, 0x8c, 0xde, -+ 0x6f, 0xf9, 0xa4, 0x7a, 0xc5, 0xa7, 0x3b, 0x88, 0xa3, 0xee, 0x42, 0x20, -+ 0xfd, 0x61, 0x56, 0xc6, 0x4c, 0x13, 0x41, 0x9c -+}; -+ -+__fips_constseg static const unsigned char sha256_additionalinput[] = { -+ 0xbf, 0x74, 0x5b, 0xf6, 0xc5, 0x64, 0x5e, 0x99, 0x34, 0x8f, 0xbc, 0xa4, -+ 0xe2, 0xbd, 0xd8, 0x85, 0x26, 0x37, 0xea, 0xba, 0x4f, 0xf2, 0x9a, 0x9a, -+ 0x66, 0xfc, 0xdf, 0x63, 0x26, 0x26, 0x19, 0x87 -+}; -+ -+__fips_constseg static const unsigned char sha256_int_returnedbits[] = { -+ 0xb3, 0xc6, 0x07, 0x07, 0xd6, 0x75, 0xf6, 0x2b, 0xd6, 0x21, 0x96, 0xf1, -+ 0xae, 0xdb, 0x2b, 0xac, 0x25, 0x2a, 0xae, 0xae, 0x41, 0x72, 0x03, 0x5e, -+ 0xbf, 0xd3, 0x64, 0xbc, 0x59, 0xf9, 0xc0, 0x76 -+}; -+ -+__fips_constseg static const unsigned char sha256_entropyinputreseed[] = { -+ 0xbf, 0x20, 0x33, 0x56, 0x29, 0xa8, 0x37, 0x04, 0x1f, 0x78, 0x34, 0x3d, -+ 0x81, 0x2a, 0xc9, 0x86, 0xc6, 0x7a, 0x2f, 0x88, 0x5e, 0xd5, 0xbe, 0x34, -+ 0x46, 0x20, 0xa4, 0x35, 0xeb, 0xc7, 0xe2, 0x9d -+}; -+ -+__fips_constseg static const unsigned char sha256_additionalinputreseed[] = { -+ 0x9b, 0xae, 0x2d, 0x2d, 0x61, 0xa4, 0x89, 0xeb, 0x43, 0x46, 0xa7, 0xda, -+ 0xef, 0x40, 0xca, 0x4a, 0x99, 0x11, 0x41, 0xdc, 0x5c, 0x94, 0xe9, 0xac, -+ 0xd4, 0xd0, 0xe6, 0xbd, 0xfb, 0x03, 0x9c, 0xa8 -+}; -+ -+__fips_constseg static const unsigned char sha256_additionalinput2[] = { -+ 0x23, 0xaa, 0x0c, 0xbd, 0x28, 0x33, 0xe2, 0x51, 0xfc, 0x71, 0xd2, 0x15, -+ 0x1f, 0x76, 0xfd, 0x0d, 0xe0, 0xb7, 0xb5, 0x84, 0x75, 0x5b, 0xbe, 0xf3, -+ 0x5c, 0xca, 0xc5, 0x30, 0xf2, 0x75, 0x1f, 0xda -+}; -+ -+__fips_constseg static const unsigned char sha256_returnedbits[] = { -+ 0x90, 0x3c, 0xc1, 0x10, 0x8c, 0x12, 0x01, 0xc6, 0xa6, 0x3a, 0x0f, 0x4d, -+ 0xb6, 0x3a, 0x4f, 0x41, 0x9c, 0x61, 0x75, 0x84, 0xe9, 0x74, 0x75, 0xfd, -+ 0xfe, 0xf2, 0x1f, 0x43, 0xd8, 0x5e, 0x24, 0xa3 -+}; -+ -+/* SHA-384 PR */ -+__fips_constseg static const unsigned char sha384_pr_entropyinput[] = { -+ 0x71, 0x9d, 0xb2, 0x5a, 0x71, 0x6d, 0x04, 0xe9, 0x1e, 0xc7, 0x92, 0x24, -+ 0x6e, 0x12, 0x33, 0xa9, 0x52, 0x64, 0x31, 0xef, 0x71, 0xeb, 0x22, 0x55, -+ 0x28, 0x97, 0x06, 0x6a, 0xc0, 0x0c, 0xa0, 0x7e -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_nonce[] = { -+ 0xf5, 0x0d, 0xfa, 0xb0, 0xec, 0x6a, 0x7c, 0xd6, 0xbd, 0x9b, 0x05, 0xfd, -+ 0x38, 0x3e, 0x2e, 0x56 -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_personalizationstring[] = { -+ 0x74, 0xac, 0x7e, 0x6d, 0xb1, 0xa4, 0xe7, 0x21, 0xd1, 0x1e, 0x6e, 0x96, -+ 0x6d, 0x4d, 0x53, 0x46, 0x82, 0x96, 0x6e, 0xcf, 0xaa, 0x81, 0x8d, 0x7d, -+ 0x9e, 0xe1, 0x0f, 0x15, 0xea, 0x41, 0xbf, 0xe3 -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_additionalinput[] = { -+ 0xda, 0x95, 0xd4, 0xd0, 0xb8, 0x11, 0xd3, 0x49, 0x27, 0x5d, 0xa9, 0x39, -+ 0x68, 0xf3, 0xa8, 0xe9, 0x5d, 0x19, 0x8a, 0x2b, 0x66, 0xe8, 0x69, 0x06, -+ 0x7c, 0x9e, 0x03, 0xa1, 0x8b, 0x26, 0x2d, 0x6e -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_entropyinputpr[] = { -+ 0x49, 0xdf, 0x44, 0x00, 0xe4, 0x1c, 0x75, 0x0b, 0x26, 0x5a, 0x59, 0x64, -+ 0x1f, 0x4e, 0xb1, 0xb2, 0x13, 0xf1, 0x22, 0x4e, 0xb4, 0x6d, 0x9a, 0xcc, -+ 0xa0, 0x48, 0xe6, 0xcf, 0x1d, 0xd1, 0x92, 0x0d -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_int_returnedbits[] = { -+ 0xc8, 0x52, 0xae, 0xbf, 0x04, 0x3c, 0x27, 0xb7, 0x78, 0x18, 0xaa, 0x8f, -+ 0xff, 0xcf, 0xa4, 0xf1, 0xcc, 0xe7, 0x68, 0xfa, 0x22, 0xa2, 0x13, 0x45, -+ 0xe8, 0xdd, 0x87, 0xe6, 0xf2, 0x6e, 0xdd, 0xc7, 0x52, 0x90, 0x9f, 0x7b, -+ 0xfa, 0x61, 0x2d, 0x9d, 0x9e, 0xcf, 0x98, 0xac, 0x52, 0x40, 0xce, 0xaf -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_additionalinput2[] = { -+ 0x61, 0x7c, 0x03, 0x9a, 0x3e, 0x50, 0x57, 0x60, 0xc5, 0x83, 0xc9, 0xb2, -+ 0xd1, 0x87, 0x85, 0x66, 0x92, 0x5d, 0x84, 0x0e, 0x53, 0xfb, 0x70, 0x03, -+ 0x72, 0xfd, 0xba, 0xae, 0x9c, 0x8f, 0xf8, 0x18 -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_entropyinputpr2[] = { -+ 0xf8, 0xeb, 0x89, 0xb1, 0x8d, 0x78, 0xbe, 0x21, 0xe0, 0xbb, 0x9d, 0xb7, -+ 0x95, 0x0e, 0xd9, 0x46, 0x0c, 0x8c, 0xe2, 0x63, 0xb7, 0x9d, 0x67, 0x90, -+ 0xbd, 0xc7, 0x0b, 0xa5, 0xce, 0xb2, 0x65, 0x81 -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_returnedbits[] = { -+ 0xe6, 0x9f, 0xfe, 0x68, 0xd6, 0xb5, 0x79, 0xf1, 0x06, 0x5f, 0xa3, 0xbb, -+ 0x23, 0x85, 0xd8, 0xf0, 0x29, 0x5a, 0x68, 0x9e, 0xf5, 0xf4, 0xa6, 0x12, -+ 0xe0, 0x9a, 0xe2, 0xac, 0x00, 0x1d, 0x98, 0x26, 0xfc, 0x53, 0x95, 0x53, -+ 0xe4, 0x3e, 0x17, 0xd5, 0x08, 0x0b, 0x70, 0x3d, 0x67, 0x99, 0xac, 0x66 -+}; -+ -+/* SHA-384 No PR */ -+__fips_constseg static const unsigned char sha384_entropyinput[] = { -+ 0x07, 0x15, 0x27, 0x2a, 0xaf, 0x74, 0x24, 0x37, 0xbc, 0xd5, 0x14, 0x69, -+ 0xce, 0x11, 0xff, 0xa2, 0x6b, 0xb8, 0x05, 0x67, 0x34, 0xf8, 0xbd, 0x6d, -+ 0x6a, 0xcc, 0xcd, 0x60, 0xa3, 0x68, 0xca, 0xf4 -+}; -+ -+__fips_constseg static const unsigned char sha384_nonce[] = { -+ 0x70, 0x17, 0xc2, 0x5b, 0x5d, 0x22, 0x0b, 0x06, 0x15, 0x54, 0x78, 0x77, -+ 0x44, 0xaf, 0x2f, 0x09 -+}; -+ -+__fips_constseg static const unsigned char sha384_personalizationstring[] = { -+ 0x89, 0x39, 0x28, 0xb0, 0x60, 0xeb, 0x3d, 0xdc, 0x55, 0x75, 0x86, 0xeb, -+ 0xae, 0xa2, 0x8f, 0xbc, 0x1b, 0x75, 0xd4, 0xe1, 0x0f, 0xaa, 0x38, 0xca, -+ 0x62, 0x8b, 0xcb, 0x2c, 0x26, 0xf6, 0xbc, 0xb1 -+}; -+ -+__fips_constseg static const unsigned char sha384_additionalinput[] = { -+ 0x30, 0x2b, 0x42, 0x35, 0xef, 0xda, 0x40, 0x55, 0x28, 0xc6, 0x95, 0xfb, -+ 0x54, 0x01, 0x62, 0xd7, 0x87, 0x14, 0x48, 0x6d, 0x90, 0x4c, 0xa9, 0x02, -+ 0x54, 0x40, 0x22, 0xc8, 0x66, 0xa5, 0x48, 0x48 -+}; -+ -+__fips_constseg static const unsigned char sha384_int_returnedbits[] = { -+ 0x82, 0xc4, 0xa1, 0x9c, 0x21, 0xd2, 0xe7, 0xa5, 0xa6, 0xf6, 0x5f, 0x04, -+ 0x5c, 0xc7, 0x31, 0x9d, 0x8d, 0x59, 0x74, 0x50, 0x19, 0x89, 0x2f, 0x63, -+ 0xd5, 0xb7, 0x7e, 0xeb, 0x15, 0xe3, 0x70, 0x83, 0xa1, 0x24, 0x59, 0xfa, -+ 0x2c, 0x56, 0xf6, 0x88, 0x3a, 0x92, 0x93, 0xa1, 0xfb, 0x79, 0xc1, 0x7a -+}; -+ -+__fips_constseg static const unsigned char sha384_entropyinputreseed[] = { -+ 0x39, 0xa6, 0xe8, 0x5c, 0x82, 0x17, 0x71, 0x26, 0x57, 0x4f, 0x9f, 0xc2, -+ 0x55, 0xff, 0x5c, 0x9b, 0x53, 0x1a, 0xd1, 0x5f, 0xbc, 0x62, 0xe4, 0x27, -+ 0x2d, 0x32, 0xf0, 0xe4, 0x52, 0x8c, 0xc5, 0x0c -+}; -+ -+__fips_constseg static const unsigned char sha384_additionalinputreseed[] = { -+ 0x8d, 0xcb, 0x8d, 0xce, 0x08, 0xea, 0x80, 0xe8, 0x9b, 0x61, 0xa8, 0x0f, -+ 0xaf, 0x49, 0x20, 0x9e, 0x74, 0xcb, 0x57, 0x80, 0x42, 0xb0, 0x84, 0x5e, -+ 0x30, 0x2a, 0x67, 0x08, 0xf4, 0xe3, 0x40, 0x22 -+}; -+ -+__fips_constseg static const unsigned char sha384_additionalinput2[] = { -+ 0x7c, 0x8f, 0xc2, 0xae, 0x22, 0x4a, 0xd6, 0xf6, 0x05, 0xa4, 0x7a, 0xea, -+ 0xbb, 0x25, 0xd0, 0xb7, 0x5a, 0xd6, 0xcf, 0x9d, 0xf3, 0x6c, 0xe2, 0xb2, -+ 0x4e, 0xb4, 0xbd, 0xf4, 0xe5, 0x40, 0x80, 0x94 -+}; -+ -+__fips_constseg static const unsigned char sha384_returnedbits[] = { -+ 0x9e, 0x7e, 0xfb, 0x59, 0xbb, 0xaa, 0x3c, 0xf7, 0xe1, 0xf8, 0x76, 0xdd, -+ 0x63, 0x5f, 0xaf, 0x23, 0xd6, 0x64, 0x61, 0xc0, 0x9a, 0x09, 0x47, 0xc9, -+ 0x33, 0xdf, 0x6d, 0x55, 0x91, 0x34, 0x79, 0x70, 0xc4, 0x99, 0x6e, 0x54, -+ 0x09, 0x64, 0x21, 0x1a, 0xbd, 0x1e, 0x80, 0x40, 0x34, 0xad, 0xfa, 0xd7 -+}; -+ -+/* SHA-512 PR */ -+__fips_constseg static const unsigned char sha512_pr_entropyinput[] = { -+ 0x13, 0xf7, 0x61, 0x75, 0x65, 0x28, 0xa2, 0x59, 0x13, 0x5a, 0x4a, 0x4f, -+ 0x56, 0x60, 0x8c, 0x53, 0x7d, 0xb0, 0xbd, 0x06, 0x4f, 0xed, 0xcc, 0xd2, -+ 0xa2, 0xb5, 0xfd, 0x5b, 0x3a, 0xab, 0xec, 0x28 -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_nonce[] = { -+ 0xbe, 0xa3, 0x91, 0x93, 0x1d, 0xc3, 0x31, 0x3a, 0x23, 0x33, 0x50, 0x67, -+ 0x88, 0xc7, 0xa2, 0xc4 -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_personalizationstring[] = { -+ 0x1f, 0x59, 0x4d, 0x7b, 0xe6, 0x46, 0x91, 0x48, 0xc1, 0x25, 0xfa, 0xff, -+ 0x89, 0x12, 0x77, 0x35, 0xdf, 0x3e, 0xf4, 0x80, 0x5f, 0xd9, 0xb0, 0x07, -+ 0x22, 0x41, 0xdd, 0x48, 0x78, 0x6b, 0x77, 0x2b -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_additionalinput[] = { -+ 0x30, 0xff, 0x63, 0x6f, 0xac, 0xd9, 0x84, 0x39, 0x6f, 0xe4, 0x99, 0xce, -+ 0x91, 0x7d, 0x7e, 0xc8, 0x58, 0xf2, 0x12, 0xc3, 0xb6, 0xad, 0xda, 0x22, -+ 0x04, 0xa0, 0xd2, 0x21, 0xfe, 0xf2, 0x95, 0x1d -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_entropyinputpr[] = { -+ 0x64, 0x54, 0x13, 0xec, 0x4f, 0x77, 0xda, 0xb2, 0x92, 0x2e, 0x52, 0x80, -+ 0x11, 0x10, 0xc2, 0xf8, 0xe6, 0xa7, 0xcd, 0x4b, 0xfc, 0x32, 0x2e, 0x9e, -+ 0xeb, 0xbb, 0xb1, 0xbf, 0x15, 0x5c, 0x73, 0x08 -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_int_returnedbits[] = { -+ 0xef, 0x1e, 0xdc, 0x0a, 0xa4, 0x36, 0x91, 0x9c, 0x3d, 0x27, 0x97, 0x50, -+ 0x8d, 0x36, 0x29, 0x8d, 0xce, 0x6a, 0x0c, 0xf7, 0x21, 0xc0, 0x91, 0xae, -+ 0x0c, 0x96, 0x72, 0xbd, 0x52, 0x81, 0x58, 0xfc, 0x6d, 0xe5, 0xf7, 0xa5, -+ 0xfd, 0x5d, 0xa7, 0x58, 0x68, 0xc8, 0x99, 0x58, 0x8e, 0xc8, 0xce, 0x95, -+ 0x01, 0x7d, 0xff, 0xa4, 0xc8, 0xf7, 0x63, 0xfe, 0x5f, 0x69, 0x83, 0x53, -+ 0xe2, 0xc6, 0x8b, 0xc3 -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_additionalinput2[] = { -+ 0xe6, 0x9b, 0xc4, 0x88, 0x34, 0xca, 0xea, 0x29, 0x2f, 0x98, 0x05, 0xa4, -+ 0xd3, 0xc0, 0x7b, 0x11, 0xe8, 0xbb, 0x75, 0xf2, 0xbd, 0x29, 0xb7, 0x40, -+ 0x25, 0x7f, 0xc1, 0xb7, 0xb1, 0xf1, 0x25, 0x61 -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_entropyinputpr2[] = { -+ 0x23, 0x6d, 0xff, 0xde, 0xfb, 0xd1, 0xba, 0x33, 0x18, 0xe6, 0xbe, 0xb5, -+ 0x48, 0x77, 0x6d, 0x7f, 0xa7, 0xe1, 0x4d, 0x48, 0x1e, 0x3c, 0xa7, 0x34, -+ 0x1a, 0xc8, 0x60, 0xdb, 0x8f, 0x99, 0x15, 0x99 -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_returnedbits[] = { -+ 0x70, 0x27, 0x31, 0xdb, 0x92, 0x70, 0x21, 0xfe, 0x16, 0xb6, 0xc8, 0x51, -+ 0x34, 0x87, 0x65, 0xd0, 0x4e, 0xfd, 0xfe, 0x68, 0xec, 0xac, 0xdc, 0x93, -+ 0x41, 0x38, 0x92, 0x90, 0xb4, 0x94, 0xf9, 0x0d, 0xa4, 0xf7, 0x4e, 0x80, -+ 0x92, 0x67, 0x48, 0x40, 0xa7, 0x08, 0xc7, 0xbc, 0x66, 0x00, 0xfd, 0xf7, -+ 0x4c, 0x8b, 0x17, 0x6e, 0xd1, 0x8f, 0x9b, 0xf3, 0x6f, 0xf6, 0x34, 0xdd, -+ 0x67, 0xf7, 0x68, 0xdd -+}; -+ -+/* SHA-512 No PR */ -+__fips_constseg static const unsigned char sha512_entropyinput[] = { -+ 0xb6, 0x0b, 0xb7, 0xbc, 0x84, 0x56, 0xf6, 0x12, 0xaf, 0x45, 0x67, 0x17, -+ 0x7c, 0xd1, 0xb2, 0x78, 0x2b, 0xa0, 0xf2, 0xbe, 0xb6, 0x6d, 0x8b, 0x56, -+ 0xc6, 0xbc, 0x4d, 0xe1, 0xf7, 0xbe, 0xce, 0xbd -+}; -+ -+__fips_constseg static const unsigned char sha512_nonce[] = { -+ 0x9d, 0xed, 0xc0, 0xe5, 0x5a, 0x98, 0x6a, 0xcb, 0x51, 0x7d, 0x76, 0x31, -+ 0x5a, 0x64, 0xf0, 0xf7 -+}; -+ -+__fips_constseg static const unsigned char sha512_personalizationstring[] = { -+ 0xc2, 0x6d, 0xa3, 0xc3, 0x06, 0x74, 0xe5, 0x01, 0x5c, 0x10, 0x17, 0xc7, -+ 0xaf, 0x83, 0x9d, 0x59, 0x8d, 0x2d, 0x29, 0x38, 0xc5, 0x59, 0x70, 0x8b, -+ 0x46, 0x48, 0x2d, 0xcf, 0x36, 0x7d, 0x59, 0xc0 -+}; -+ -+__fips_constseg static const unsigned char sha512_additionalinput[] = { -+ 0xec, 0x8c, 0xd4, 0xf7, 0x61, 0x6e, 0x0d, 0x95, 0x79, 0xb7, 0x28, 0xad, -+ 0x5f, 0x69, 0x74, 0x5f, 0x2d, 0x36, 0x06, 0x8a, 0x6b, 0xac, 0x54, 0x97, -+ 0xc4, 0xa1, 0x12, 0x85, 0x0a, 0xdf, 0x4b, 0x34 -+}; -+ -+__fips_constseg static const unsigned char sha512_int_returnedbits[] = { -+ 0x84, 0x2f, 0x1f, 0x68, 0x6a, 0xa3, 0xad, 0x1e, 0xfb, 0xf4, 0x15, 0xbd, -+ 0xde, 0x38, 0xd4, 0x30, 0x80, 0x51, 0xe9, 0xd3, 0xc7, 0x20, 0x88, 0xe9, -+ 0xf5, 0xcc, 0xdf, 0x57, 0x5c, 0x47, 0x2f, 0x57, 0x3c, 0x5f, 0x13, 0x56, -+ 0xcc, 0xc5, 0x4f, 0x84, 0xf8, 0x10, 0x41, 0xd5, 0x7e, 0x58, 0x6e, 0x19, -+ 0x19, 0x9e, 0xaf, 0xc2, 0x22, 0x58, 0x41, 0x50, 0x79, 0xc2, 0xd8, 0x04, -+ 0x28, 0xd4, 0x39, 0x9a -+}; -+ -+__fips_constseg static const unsigned char sha512_entropyinputreseed[] = { -+ 0xfa, 0x7f, 0x46, 0x51, 0x83, 0x62, 0x98, 0x16, 0x9a, 0x19, 0xa2, 0x49, -+ 0xa9, 0xe6, 0x4a, 0xd8, 0x85, 0xe7, 0xd4, 0x3b, 0x2c, 0x82, 0xc5, 0x82, -+ 0xbf, 0x11, 0xf9, 0x9e, 0xbc, 0xd0, 0x01, 0xee -+}; -+ -+__fips_constseg static const unsigned char sha512_additionalinputreseed[] = { -+ 0xb9, 0x12, 0xe0, 0x4f, 0xf7, 0xa7, 0xc4, 0xd8, 0xd0, 0x8e, 0x99, 0x29, -+ 0x7c, 0x9a, 0xe9, 0xcf, 0xc4, 0x6c, 0xf8, 0xc3, 0xa7, 0x41, 0x83, 0xd6, -+ 0x2e, 0xfa, 0xb8, 0x5e, 0x8e, 0x6b, 0x78, 0x20 -+}; -+ -+__fips_constseg static const unsigned char sha512_additionalinput2[] = { -+ 0xd7, 0x07, 0x52, 0xb9, 0x83, 0x2c, 0x03, 0x71, 0xee, 0xc9, 0xc0, 0x85, -+ 0xe1, 0x57, 0xb2, 0xcd, 0x3a, 0xf0, 0xc9, 0x34, 0x24, 0x41, 0x1c, 0x42, -+ 0x99, 0xb2, 0x84, 0xe9, 0x17, 0xd2, 0x76, 0x92 -+}; -+ -+__fips_constseg static const unsigned char sha512_returnedbits[] = { -+ 0x36, 0x17, 0x5d, 0x98, 0x2b, 0x65, 0x25, 0x8e, 0xc8, 0x29, 0xdf, 0x27, -+ 0x05, 0x36, 0x26, 0x12, 0x8a, 0x68, 0x74, 0x27, 0x37, 0xd4, 0x7f, 0x32, -+ 0xb1, 0x12, 0xd6, 0x85, 0x83, 0xeb, 0x2e, 0xa0, 0xed, 0x4b, 0xb5, 0x7b, -+ 0x6f, 0x39, 0x3c, 0x71, 0x77, 0x02, 0x12, 0xcc, 0x2c, 0x3a, 0x8e, 0x63, -+ 0xdf, 0x4a, 0xbd, 0x6f, 0x6e, 0x2e, 0xed, 0x0a, 0x85, 0xa5, 0x2f, 0xa2, -+ 0x68, 0xde, 0x42, 0xb5 -+}; -+ -+/* HMAC SHA-1 PR */ -+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinput[] = { -+ 0x26, 0x5f, 0x36, 0x14, 0xff, 0x3d, 0x83, 0xfa, 0x73, 0x5e, 0x75, 0xdc, -+ 0x2c, 0x18, 0x17, 0x1b -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_pr_nonce[] = { -+ 0xc8, 0xe3, 0x57, 0xa5, 0x7b, 0x74, 0x86, 0x6e -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha1_pr_personalizationstring[] = { -+ 0x6e, 0xdb, 0x0d, 0xfe, 0x7d, 0xac, 0x79, 0xd0, 0xa5, 0x3a, 0x48, 0x85, -+ 0x80, 0xe2, 0x7f, 0x2a -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput[] = { -+ 0x31, 0xcd, 0x5e, 0x43, 0xdc, 0xfb, 0x7a, 0x79, 0xca, 0x88, 0xde, 0x1f, -+ 0xd7, 0xbb, 0x42, 0x09 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr[] = { -+ 0x7c, 0x23, 0x95, 0x38, 0x00, 0x95, 0xc1, 0x78, 0x1f, 0x8f, 0xd7, 0x63, -+ 0x23, 0x87, 0x2a, 0xed -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_pr_int_returnedbits[] = { -+ 0xbb, 0x34, 0xe7, 0x93, 0xa3, 0x02, 0x2c, 0x4a, 0xd0, 0x89, 0xda, 0x7f, -+ 0xed, 0xf4, 0x4c, 0xde, 0x17, 0xec, 0xe5, 0x6c -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput2[] = { -+ 0x49, 0xbc, 0x2d, 0x2c, 0xb7, 0x32, 0xcb, 0x20, 0xdf, 0xf5, 0x77, 0x58, -+ 0xa0, 0x4b, 0x93, 0x6e -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr2[] = { -+ 0x3c, 0xaa, 0xb0, 0x21, 0x42, 0xb0, 0xdd, 0x34, 0xf0, 0x16, 0x7f, 0x0c, -+ 0x0f, 0xff, 0x2e, 0xaf -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_pr_returnedbits[] = { -+ 0x8e, 0xcb, 0xa3, 0x64, 0xb2, 0xb8, 0x33, 0x6c, 0x64, 0x3b, 0x78, 0x16, -+ 0x99, 0x35, 0xc8, 0x30, 0xcb, 0x3e, 0xa0, 0xd8 -+}; -+ -+/* HMAC SHA-1 No PR */ -+__fips_constseg static const unsigned char hmac_sha1_entropyinput[] = { -+ 0x32, 0x9a, 0x2a, 0x87, 0x7b, 0x89, 0x7c, 0xf6, 0xcb, 0x95, 0xd5, 0x40, -+ 0x17, 0xfe, 0x47, 0x70 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_nonce[] = { -+ 0x16, 0xd8, 0xe0, 0xc7, 0x52, 0xcf, 0x4a, 0x25 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_personalizationstring[] = { -+ 0x35, 0x35, 0xa9, 0xa5, 0x40, 0xbe, 0x9b, 0xd1, 0x56, 0xdd, 0x44, 0x00, -+ 0x72, 0xf7, 0xd3, 0x5e -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_additionalinput[] = { -+ 0x1b, 0x2c, 0x84, 0x2d, 0x4a, 0x89, 0x8f, 0x69, 0x19, 0xf1, 0xf3, 0xdb, -+ 0xbb, 0xe3, 0xaa, 0xea -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_int_returnedbits[] = { -+ 0xcf, 0xfa, 0x7d, 0x72, 0x0f, 0xe6, 0xc7, 0x96, 0xa0, 0x69, 0x31, 0x11, -+ 0x9b, 0x0b, 0x1a, 0x20, 0x1f, 0x3f, 0xaa, 0xd1 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_entropyinputreseed[] = { -+ 0x90, 0x75, 0x15, 0x04, 0x95, 0xf1, 0xba, 0x81, 0x0c, 0x37, 0x94, 0x6f, -+ 0x86, 0x52, 0x6d, 0x9c -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_additionalinputreseed[] = { -+ 0x5b, 0x40, 0xba, 0x5f, 0x17, 0x70, 0xf0, 0x4b, 0xdf, 0xc9, 0x97, 0x92, -+ 0x79, 0xc5, 0x82, 0x28 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_additionalinput2[] = { -+ 0x97, 0xc8, 0x80, 0x90, 0xb3, 0xaa, 0x6e, 0x60, 0xea, 0x83, 0x7a, 0xe3, -+ 0x8a, 0xca, 0xa4, 0x7f -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_returnedbits[] = { -+ 0x90, 0xbd, 0x05, 0x56, 0x6d, 0xb5, 0x22, 0xd5, 0xb9, 0x5a, 0x29, 0x2d, -+ 0xe9, 0x0b, 0xe1, 0xac, 0xde, 0x27, 0x0b, 0xb0 -+}; -+ -+/* HMAC SHA-224 PR */ -+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinput[] = { -+ 0x17, 0x32, 0x2b, 0x2e, 0x6f, 0x1b, 0x9c, 0x6d, 0x31, 0xe0, 0x34, 0x07, -+ 0xcf, 0xed, 0xf6, 0xb6, 0x5a, 0x76, 0x4c, 0xbc, 0x62, 0x85, 0x01, 0x90 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_pr_nonce[] = { -+ 0x38, 0xbf, 0x5f, 0x20, 0xb3, 0x68, 0x2f, 0x43, 0x61, 0x05, 0x8f, 0x23 -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha224_pr_personalizationstring[] = { -+ 0xc0, 0xc9, 0x45, 0xac, 0x8d, 0x27, 0x77, 0x08, 0x0b, 0x17, 0x6d, 0xed, -+ 0xc1, 0x7d, 0xd5, 0x07, 0x9d, 0x6e, 0xf8, 0x23, 0x2a, 0x22, 0x13, 0xbd -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput[] = { -+ 0xa4, 0x3c, 0xe7, 0x3b, 0xea, 0x19, 0x45, 0x32, 0xc2, 0x83, 0x6d, 0x21, -+ 0x8a, 0xc0, 0xee, 0x67, 0x45, 0xde, 0x13, 0x7d, 0x9d, 0x61, 0x00, 0x3b -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr[] = { -+ 0x15, 0x05, 0x74, 0x4a, 0x7f, 0x8d, 0x5c, 0x60, 0x16, 0xe5, 0x7b, 0xad, -+ 0xf5, 0x41, 0x8f, 0x55, 0x60, 0xc4, 0x09, 0xee, 0x1e, 0x11, 0x81, 0xab -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_pr_int_returnedbits[] = { -+ 0x6f, 0xf5, 0x9a, 0xe2, 0x54, 0x53, 0x30, 0x3d, 0x5a, 0x27, 0x29, 0x38, -+ 0x27, 0xf2, 0x0d, 0x05, 0xe9, 0x26, 0xcb, 0x16, 0xc3, 0x51, 0x5f, 0x13, -+ 0x41, 0xfe, 0x99, 0xf2 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput2[] = { -+ 0x73, 0x81, 0x88, 0x84, 0x8f, 0xed, 0x6f, 0x10, 0x9f, 0x93, 0xbf, 0x17, -+ 0x35, 0x7c, 0xef, 0xd5, 0x8d, 0x26, 0xa6, 0x7a, 0xe8, 0x09, 0x36, 0x4f -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr2[] = { -+ 0xe6, 0xcf, 0xcf, 0x7e, 0x12, 0xe5, 0x43, 0xd2, 0x38, 0xd8, 0x24, 0x6f, -+ 0x5a, 0x37, 0x68, 0xbf, 0x4f, 0xa0, 0xff, 0xd5, 0x61, 0x8a, 0x93, 0xe0 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_pr_returnedbits[] = { -+ 0xaf, 0xf9, 0xd8, 0x19, 0x91, 0x30, 0x82, 0x6f, 0xa9, 0x1e, 0x9d, 0xd7, -+ 0xf3, 0x50, 0xe0, 0xc7, 0xd5, 0x64, 0x96, 0x7d, 0x4c, 0x4d, 0x78, 0x03, -+ 0x6d, 0xd8, 0x9e, 0x72 -+}; -+ -+/* HMAC SHA-224 No PR */ -+__fips_constseg static const unsigned char hmac_sha224_entropyinput[] = { -+ 0x11, 0x82, 0xfd, 0xd9, 0x42, 0xf4, 0xfa, 0xc8, 0xf2, 0x41, 0xe6, 0x54, -+ 0x01, 0xae, 0x22, 0x6e, 0xc6, 0xaf, 0xaf, 0xd0, 0xa6, 0xb2, 0xe2, 0x6d -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_nonce[] = { -+ 0xa9, 0x48, 0xd7, 0x92, 0x39, 0x7e, 0x2a, 0xdc, 0x30, 0x1f, 0x0e, 0x2b -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha224_personalizationstring[] = { -+ 0x11, 0xd5, 0xf4, 0xbd, 0x67, 0x8c, 0x31, 0xcf, 0xa3, 0x3f, 0x1e, 0x6b, -+ 0xa8, 0x07, 0x02, 0x0b, 0xc8, 0x2e, 0x6c, 0x64, 0x41, 0x5b, 0xc8, 0x37 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_additionalinput[] = { -+ 0x68, 0x18, 0xc2, 0x06, 0xeb, 0x3e, 0x04, 0x95, 0x44, 0x5e, 0xfb, 0xe6, -+ 0x41, 0xc1, 0x5c, 0xcc, 0x40, 0x2f, 0xb7, 0xd2, 0x0f, 0xf3, 0x6b, 0xe7 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_int_returnedbits[] = { -+ 0x7f, 0x45, 0xc7, 0x5d, 0x32, 0xe6, 0x17, 0x60, 0xba, 0xdc, 0xb8, 0x42, -+ 0x1b, 0x9c, 0xf1, 0xfa, 0x3b, 0x4d, 0x29, 0x54, 0xc6, 0x90, 0xff, 0x5c, -+ 0xcd, 0xd6, 0xa9, 0xcc -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_entropyinputreseed[] = { -+ 0xc4, 0x8e, 0x37, 0x95, 0x69, 0x53, 0x28, 0xd7, 0x37, 0xbb, 0x70, 0x95, -+ 0x1c, 0x07, 0x1d, 0xd9, 0xb7, 0xe6, 0x1b, 0xbb, 0xfe, 0x41, 0xeb, 0xc9 -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha224_additionalinputreseed[] = { -+ 0x53, 0x17, 0xa1, 0x6a, 0xfa, 0x77, 0x47, 0xb0, 0x95, 0x56, 0x9a, 0x20, -+ 0x57, 0xde, 0x5c, 0x89, 0x9f, 0x7f, 0xe2, 0xde, 0x17, 0x3a, 0x50, 0x23 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_additionalinput2[] = { -+ 0x3a, 0x32, 0xf9, 0x85, 0x0c, 0xc1, 0xed, 0x76, 0x2d, 0xdf, 0x40, 0xc3, -+ 0x06, 0x22, 0x66, 0xd4, 0x9a, 0x9a, 0xff, 0x5a, 0x7e, 0x7a, 0xf3, 0x96 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_returnedbits[] = { -+ 0x43, 0xb4, 0x57, 0x5c, 0x38, 0x25, 0x9d, 0xae, 0xec, 0x96, 0xd1, 0x85, -+ 0x3a, 0x84, 0x8d, 0xfe, 0x68, 0xd5, 0x0e, 0x5c, 0x8f, 0x65, 0xa5, 0x4e, -+ 0x45, 0x84, 0xa8, 0x94 -+}; -+ -+/* HMAC SHA-256 PR */ -+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinput[] = { -+ 0x4d, 0xb0, 0x43, 0xd8, 0x34, 0x4b, 0x10, 0x70, 0xb1, 0x8b, 0xed, 0xea, -+ 0x07, 0x92, 0x9f, 0x6c, 0x79, 0x31, 0xaf, 0x81, 0x29, 0xeb, 0x6e, 0xca, -+ 0x32, 0x48, 0x28, 0xe7, 0x02, 0x5d, 0xa6, 0xa6 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_pr_nonce[] = { -+ 0x3a, 0xae, 0x15, 0xa9, 0x99, 0xdc, 0xe4, 0x67, 0x34, 0x3b, 0x70, 0x15, -+ 0xaa, 0xd3, 0x30, 0x9a -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha256_pr_personalizationstring[] = { -+ 0x13, 0x1d, 0x24, 0x04, 0xb0, 0x18, 0x81, 0x15, 0x21, 0x51, 0x2a, 0x24, -+ 0x52, 0x61, 0xbe, 0x64, 0x82, 0x6b, 0x55, 0x2f, 0xe2, 0xf1, 0x40, 0x7d, -+ 0x71, 0xd8, 0x01, 0x86, 0x15, 0xb7, 0x8b, 0xb5 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput[] = { -+ 0x8f, 0xa6, 0x54, 0x5f, 0xb1, 0xd0, 0xd8, 0xc3, 0xe7, 0x0c, 0x15, 0xa9, -+ 0x23, 0x6e, 0xfe, 0xfb, 0x93, 0xf7, 0x3a, 0xbd, 0x59, 0x01, 0xfa, 0x18, -+ 0x8e, 0xe9, 0x1a, 0xa9, 0x78, 0xfc, 0x79, 0x0b -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr[] = { -+ 0xcf, 0x24, 0xb9, 0xeb, 0xb3, 0xd4, 0xcd, 0x17, 0x37, 0x38, 0x75, 0x79, -+ 0x15, 0xcb, 0x2d, 0x75, 0x51, 0xf1, 0xcc, 0xaa, 0x32, 0xa4, 0xa7, 0x36, -+ 0x7c, 0x5c, 0xe4, 0x47, 0xf1, 0x3e, 0x1d, 0xe5 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_pr_int_returnedbits[] = { -+ 0x52, 0x42, 0xfa, 0xeb, 0x85, 0xe0, 0x30, 0x22, 0x79, 0x00, 0x16, 0xb2, -+ 0x88, 0x2f, 0x14, 0x6a, 0xb7, 0xfc, 0xb7, 0x53, 0xdc, 0x4a, 0x12, 0xef, -+ 0x54, 0xd6, 0x33, 0xe9, 0x20, 0xd6, 0xfd, 0x56 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput2[] = { -+ 0xf4, 0xf6, 0x49, 0xa1, 0x2d, 0x64, 0x2b, 0x30, 0x58, 0xf8, 0xbd, 0xb8, -+ 0x75, 0xeb, 0xbb, 0x5e, 0x1c, 0x9b, 0x81, 0x6a, 0xda, 0x14, 0x86, 0x6e, -+ 0xd0, 0xda, 0x18, 0xb7, 0x88, 0xfb, 0x59, 0xf3 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr2[] = { -+ 0x21, 0xcd, 0x6e, 0x46, 0xad, 0x99, 0x07, 0x17, 0xb4, 0x3d, 0x76, 0x0a, -+ 0xff, 0x5b, 0x52, 0x50, 0x78, 0xdf, 0x1f, 0x24, 0x06, 0x0d, 0x3f, 0x74, -+ 0xa9, 0xc9, 0x37, 0xcf, 0xd8, 0x26, 0x25, 0x91 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_pr_returnedbits[] = { -+ 0xa7, 0xaf, 0x2f, 0x29, 0xe0, 0x3a, 0x72, 0x95, 0x96, 0x1c, 0xa9, 0xf0, -+ 0x4a, 0x17, 0x4d, 0x66, 0x06, 0x10, 0xbf, 0x39, 0x89, 0x88, 0xb8, 0x91, -+ 0x37, 0x18, 0x99, 0xcf, 0x8c, 0x53, 0x3b, 0x7e -+}; -+ -+/* HMAC SHA-256 No PR */ -+__fips_constseg static const unsigned char hmac_sha256_entropyinput[] = { -+ 0x96, 0xb7, 0x53, 0x22, 0x1e, 0x52, 0x2a, 0x96, 0xb1, 0x15, 0x3c, 0x35, -+ 0x5a, 0x8b, 0xd3, 0x4a, 0xa6, 0x6c, 0x83, 0x0a, 0x7d, 0xa3, 0x23, 0x3d, -+ 0x43, 0xa1, 0x07, 0x2c, 0x2d, 0xe3, 0x81, 0xcc -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_nonce[] = { -+ 0xf1, 0xac, 0x97, 0xcb, 0x5e, 0x06, 0x48, 0xd2, 0x94, 0xbe, 0x15, 0x2e, -+ 0xc7, 0xfc, 0xc2, 0x01 -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha256_personalizationstring[] = { -+ 0x98, 0xc5, 0x1e, 0x35, 0x5e, 0x89, 0x0d, 0xce, 0x64, 0x6d, 0x18, 0xa7, -+ 0x5a, 0xc6, 0xf3, 0xe7, 0xd6, 0x9e, 0xc0, 0xea, 0xb7, 0x3a, 0x8d, 0x65, -+ 0xb8, 0xeb, 0x10, 0xd7, 0x57, 0x18, 0xa0, 0x32 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_additionalinput[] = { -+ 0x1b, 0x10, 0xaf, 0xac, 0xd0, 0x65, 0x95, 0xad, 0x04, 0xad, 0x03, 0x1c, -+ 0xe0, 0x40, 0xd6, 0x3e, 0x1c, 0x46, 0x53, 0x39, 0x7c, 0xe2, 0xbc, 0xda, -+ 0x8c, 0xa2, 0x33, 0xa7, 0x9a, 0x26, 0xd3, 0x27 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_int_returnedbits[] = { -+ 0xba, 0x61, 0x0e, 0x55, 0xfe, 0x11, 0x8a, 0x9e, 0x0f, 0x80, 0xdf, 0x1d, -+ 0x03, 0x0a, 0xfe, 0x15, 0x94, 0x28, 0x4b, 0xba, 0xf4, 0x9f, 0x51, 0x25, -+ 0x88, 0xe5, 0x4e, 0xfb, 0xaf, 0xce, 0x69, 0x90 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_entropyinputreseed[] = { -+ 0x62, 0x7f, 0x1e, 0x6b, 0xe8, 0x8e, 0xe1, 0x35, 0x7d, 0x9b, 0x4f, 0xc7, -+ 0xec, 0xc8, 0xac, 0xef, 0x6b, 0x13, 0x9e, 0x05, 0x56, 0xc1, 0x08, 0xf9, -+ 0x2f, 0x0f, 0x27, 0x9c, 0xd4, 0x15, 0xed, 0x2d -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha256_additionalinputreseed[] = { -+ 0xc7, 0x76, 0x6e, 0xa9, 0xd2, 0xb2, 0x76, 0x40, 0x82, 0x25, 0x2c, 0xb3, -+ 0x6f, 0xac, 0xe9, 0x74, 0xef, 0x8f, 0x3c, 0x8e, 0xcd, 0xf1, 0xbf, 0xb3, -+ 0x49, 0x77, 0x34, 0x88, 0x52, 0x36, 0xe6, 0x2e -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_additionalinput2[] = { -+ 0x8d, 0xb8, 0x0c, 0xd1, 0xbf, 0x70, 0xf6, 0x19, 0xc3, 0x41, 0x80, 0x9f, -+ 0xe1, 0xa5, 0xa4, 0x1f, 0x2c, 0x26, 0xb1, 0xe5, 0xd8, 0xeb, 0xbe, 0xf8, -+ 0xdf, 0x88, 0x6a, 0x89, 0xd6, 0x05, 0xd8, 0x9d -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_returnedbits[] = { -+ 0x43, 0x12, 0x2a, 0x2c, 0x40, 0x53, 0x2e, 0x7c, 0x66, 0x34, 0xac, 0xc3, -+ 0x43, 0xe3, 0xe0, 0x6a, 0xfc, 0xfa, 0xea, 0x87, 0x21, 0x1f, 0xe2, 0x26, -+ 0xc4, 0xf9, 0x09, 0x9a, 0x0d, 0x6e, 0x7f, 0xe0 -+}; -+ -+/* HMAC SHA-384 PR */ -+__fips_constseg static const unsigned char hmac_sha384_pr_entropyinput[] = { -+ 0x69, 0x81, 0x98, 0x88, 0x44, 0xf5, 0xd6, 0x2e, 0x00, 0x08, 0x3b, 0xc5, -+ 0xfb, 0xd7, 0x8e, 0x6f, 0x23, 0xf8, 0x6d, 0x09, 0xd6, 0x85, 0x49, 0xd1, -+ 0xf8, 0x6d, 0xa4, 0x58, 0x54, 0xfd, 0x88, 0xa9 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_pr_nonce[] = { -+ 0x6e, 0x38, 0x81, 0xca, 0xb7, 0xe8, 0x6e, 0x66, 0x49, 0x8a, 0xb2, 0x59, -+ 0xee, 0x16, 0xc9, 0xde -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha384_pr_personalizationstring[] = { -+ 0xfe, 0x4c, 0xd9, 0xf4, 0x78, 0x3b, 0x08, 0x41, 0x8d, 0x8f, 0x55, 0xc4, -+ 0x43, 0x56, 0xb6, 0x12, 0x36, 0x6b, 0x30, 0xb7, 0x5e, 0xe1, 0xb9, 0x47, -+ 0x04, 0xb1, 0x4e, 0xa9, 0x00, 0xa1, 0x52, 0xa1 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput[] = { -+ 0x89, 0xe9, 0xcc, 0x8f, 0x27, 0x3c, 0x26, 0xd1, 0x95, 0xc8, 0x7d, 0x0f, -+ 0x5b, 0x1a, 0xf0, 0x78, 0x39, 0x56, 0x6f, 0xa4, 0x23, 0xe7, 0xd1, 0xda, -+ 0x7c, 0x66, 0x33, 0xa0, 0x90, 0xc9, 0x92, 0x88 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr[] = { -+ 0xbe, 0x3d, 0x7c, 0x0d, 0xca, 0xda, 0x7c, 0x49, 0xb8, 0x12, 0x36, 0xc0, -+ 0xdb, 0xad, 0x35, 0xa8, 0xc7, 0x0b, 0x2a, 0x2c, 0x69, 0x6d, 0x25, 0x56, -+ 0x63, 0x82, 0x11, 0x3e, 0xa7, 0x33, 0x70, 0x72 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_pr_int_returnedbits[] = { -+ 0x82, 0x3d, 0xe6, 0x54, 0x80, 0x42, 0xf8, 0xba, 0x90, 0x4f, 0x06, 0xa6, -+ 0xd2, 0x7f, 0xbf, 0x79, 0x7c, 0x12, 0x7d, 0xa6, 0xa2, 0x66, 0xe8, 0xa6, -+ 0xc0, 0xd6, 0x4a, 0x55, 0xbf, 0xd8, 0x0a, 0xc5, 0xf8, 0x03, 0x88, 0xdd, -+ 0x8e, 0x87, 0xd1, 0x5a, 0x48, 0x26, 0x72, 0x2a, 0x8e, 0xcf, 0xee, 0xba -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput2[] = { -+ 0x8f, 0xff, 0xd9, 0x84, 0xbb, 0x85, 0x3a, 0x66, 0xa1, 0x21, 0xce, 0xb2, -+ 0x3a, 0x3a, 0x17, 0x22, 0x19, 0xae, 0xc7, 0xb6, 0x63, 0x81, 0xd5, 0xff, -+ 0x0d, 0xc8, 0xe1, 0xaf, 0x57, 0xd2, 0xcb, 0x60 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr2[] = { -+ 0xd7, 0xfb, 0xc9, 0xe8, 0xe2, 0xf2, 0xaa, 0x4c, 0xb8, 0x51, 0x2f, 0xe1, -+ 0x22, 0xba, 0xf3, 0xda, 0x0a, 0x19, 0x76, 0x71, 0x57, 0xb2, 0x1d, 0x94, -+ 0x09, 0x69, 0x6c, 0xd3, 0x97, 0x51, 0x81, 0x87 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_pr_returnedbits[] = { -+ 0xe6, 0x19, 0x28, 0xa8, 0x21, 0xce, 0x5e, 0xdb, 0x24, 0x79, 0x8c, 0x76, -+ 0x5d, 0x73, 0xb2, 0xdf, 0xac, 0xef, 0x85, 0xa7, 0x3b, 0x19, 0x09, 0x8b, -+ 0x7f, 0x98, 0x28, 0xa9, 0x93, 0xd8, 0x7a, 0xad, 0x55, 0x8b, 0x24, 0x9d, -+ 0xe6, 0x98, 0xfe, 0x47, 0xd5, 0x48, 0xc1, 0x23, 0xd8, 0x1d, 0x62, 0x75 -+}; -+ -+/* HMAC SHA-384 No PR */ -+__fips_constseg static const unsigned char hmac_sha384_entropyinput[] = { -+ 0xc3, 0x56, 0x2b, 0x1d, 0xc2, 0xbb, 0xa8, 0xf0, 0xae, 0x1b, 0x0d, 0xd3, -+ 0x5a, 0x6c, 0xda, 0x57, 0x8e, 0xa5, 0x8a, 0x0d, 0x6c, 0x4b, 0x18, 0xb1, -+ 0x04, 0x3e, 0xb4, 0x99, 0x35, 0xc4, 0xc0, 0x5f -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_nonce[] = { -+ 0xc5, 0x49, 0x1e, 0x66, 0x27, 0x92, 0xbe, 0xec, 0xb5, 0x1e, 0x4b, 0xb1, -+ 0x38, 0xe3, 0xeb, 0x62 -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha384_personalizationstring[] = { -+ 0xbe, 0xe7, 0x6b, 0x57, 0xde, 0x88, 0x11, 0x96, 0x9b, 0x6e, 0xea, 0xe5, -+ 0x63, 0x83, 0x4c, 0xb6, 0x8d, 0x66, 0xaa, 0x1f, 0x8b, 0x54, 0xe7, 0x62, -+ 0x6d, 0x5a, 0xfc, 0xbf, 0x97, 0xba, 0xcd, 0x77 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_additionalinput[] = { -+ 0xe5, 0x28, 0x5f, 0x43, 0xf5, 0x83, 0x6e, 0x0a, 0x83, 0x5c, 0xe3, 0x81, -+ 0x03, 0xf2, 0xf8, 0x78, 0x00, 0x7c, 0x95, 0x87, 0x16, 0xd6, 0x6c, 0x58, -+ 0x33, 0x6c, 0x53, 0x35, 0x0d, 0x66, 0xe3, 0xce -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_int_returnedbits[] = { -+ 0xe2, 0x1f, 0xf3, 0xda, 0x0d, 0x19, 0x99, 0x87, 0xc4, 0x90, 0xa2, 0x31, -+ 0xca, 0x2a, 0x89, 0x58, 0x43, 0x44, 0xb8, 0xde, 0xcf, 0xa4, 0xbe, 0x3b, -+ 0x53, 0x26, 0x22, 0x31, 0x76, 0x41, 0x22, 0xb5, 0xa8, 0x70, 0x2f, 0x4b, -+ 0x64, 0x95, 0x4d, 0x48, 0x96, 0x35, 0xe6, 0xbd, 0x3c, 0x34, 0xdb, 0x1b -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_entropyinputreseed[] = { -+ 0x77, 0x61, 0xba, 0xbc, 0xf2, 0xc1, 0xf3, 0x4b, 0x86, 0x65, 0xfd, 0x48, -+ 0x0e, 0x3c, 0x02, 0x5e, 0xa2, 0x7a, 0x6b, 0x7c, 0xed, 0x21, 0x5e, 0xf9, -+ 0xcd, 0xcd, 0x77, 0x07, 0x2b, 0xbe, 0xc5, 0x5c -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha384_additionalinputreseed[] = { -+ 0x18, 0x24, 0x5f, 0xc6, 0x84, 0xd1, 0x67, 0xc3, 0x9a, 0x11, 0xa5, 0x8c, -+ 0x07, 0x39, 0x21, 0x83, 0x4d, 0x04, 0xc4, 0x6a, 0x28, 0x19, 0xcf, 0x92, -+ 0x21, 0xd9, 0x9e, 0x41, 0x72, 0x6c, 0x9e, 0x63 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_additionalinput2[] = { -+ 0x96, 0x67, 0x41, 0x28, 0x9b, 0xb7, 0x92, 0x8d, 0x64, 0x3b, 0xe4, 0xcf, -+ 0x7e, 0xaa, 0x1e, 0xb1, 0x4b, 0x1d, 0x09, 0x56, 0x67, 0x9c, 0xc6, 0x6d, -+ 0x3b, 0xe8, 0x91, 0x9d, 0xe1, 0x8a, 0xb7, 0x32 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_returnedbits[] = { -+ 0xe3, 0x59, 0x61, 0x38, 0x92, 0xec, 0xe2, 0x3c, 0xff, 0xb7, 0xdb, 0x19, -+ 0x0f, 0x5b, 0x93, 0x68, 0x0d, 0xa4, 0x94, 0x40, 0x72, 0x0b, 0xe0, 0xed, -+ 0x4d, 0xcd, 0x68, 0xa0, 0x1e, 0xfe, 0x67, 0xb2, 0xfa, 0x21, 0x56, 0x74, -+ 0xa4, 0xad, 0xcf, 0xb7, 0x60, 0x66, 0x2e, 0x40, 0xde, 0x82, 0xca, 0xfb -+}; -+ -+/* HMAC SHA-512 PR */ -+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinput[] = { -+ 0xaa, 0x9e, 0x45, 0x67, 0x0e, 0x00, 0x2a, 0x67, 0x98, 0xd6, 0xda, 0x0b, -+ 0x0f, 0x17, 0x7e, 0xac, 0xfd, 0x27, 0xc4, 0xca, 0x84, 0xdf, 0xde, 0xba, -+ 0x85, 0xd9, 0xbe, 0x8f, 0xf3, 0xff, 0x91, 0x4d -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_pr_nonce[] = { -+ 0x8c, 0x49, 0x2f, 0x58, 0x1e, 0x7a, 0xda, 0x4b, 0x7e, 0x8a, 0x30, 0x7b, -+ 0x86, 0xea, 0xaf, 0xa2 -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha512_pr_personalizationstring[] = { -+ 0x71, 0xe1, 0xbb, 0xad, 0xa7, 0x4b, 0x2e, 0x31, 0x3b, 0x0b, 0xec, 0x24, -+ 0x99, 0x38, 0xbc, 0xaa, 0x05, 0x4c, 0x46, 0x44, 0xfa, 0xad, 0x8e, 0x02, -+ 0xc1, 0x7e, 0xad, 0xec, 0x54, 0xa6, 0xd0, 0xad -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput[] = { -+ 0x3d, 0x6e, 0xa6, 0xa8, 0x29, 0x2a, 0xb2, 0xf5, 0x98, 0x42, 0xe4, 0x92, -+ 0x78, 0x22, 0x67, 0xfd, 0x1b, 0x15, 0x1e, 0x29, 0xaa, 0x71, 0x3c, 0x3c, -+ 0xe7, 0x05, 0x20, 0xa9, 0x29, 0xc6, 0x75, 0x71 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr[] = { -+ 0xab, 0xb9, 0x16, 0xd8, 0x55, 0x35, 0x54, 0xb7, 0x97, 0x3f, 0x94, 0xbc, -+ 0x2f, 0x7c, 0x70, 0xc7, 0xd0, 0xed, 0xb7, 0x4b, 0xf7, 0xf6, 0x6c, 0x03, -+ 0x0c, 0xb0, 0x03, 0xd8, 0xbb, 0x71, 0xd9, 0x10 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_pr_int_returnedbits[] = { -+ 0x8e, 0xd3, 0xfd, 0x52, 0x9e, 0x83, 0x08, 0x49, 0x18, 0x6e, 0x23, 0x56, -+ 0x5c, 0x45, 0x93, 0x34, 0x05, 0xe2, 0x98, 0x8f, 0x0c, 0xd4, 0x32, 0x0c, -+ 0xfd, 0xda, 0x5f, 0x92, 0x3a, 0x8c, 0x81, 0xbd, 0xf6, 0x6c, 0x55, 0xfd, -+ 0xb8, 0x20, 0xce, 0x8d, 0x97, 0x27, 0xe8, 0xe8, 0xe0, 0xb3, 0x85, 0x50, -+ 0xa2, 0xc2, 0xb2, 0x95, 0x1d, 0x48, 0xd3, 0x7b, 0x4b, 0x78, 0x13, 0x35, -+ 0x05, 0x17, 0xbe, 0x0d -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput2[] = { -+ 0xc3, 0xfc, 0x95, 0xaa, 0x69, 0x06, 0xae, 0x59, 0x41, 0xce, 0x26, 0x08, -+ 0x29, 0x6d, 0x45, 0xda, 0xe8, 0xb3, 0x6c, 0x95, 0x60, 0x0f, 0x70, 0x2c, -+ 0x10, 0xba, 0x38, 0x8c, 0xcf, 0x29, 0x99, 0xaa -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr2[] = { -+ 0x3b, 0x9a, 0x25, 0xce, 0xd7, 0xf9, 0x5c, 0xd1, 0x3a, 0x3e, 0xaa, 0x71, -+ 0x14, 0x3e, 0x19, 0xe8, 0xce, 0xe6, 0xfe, 0x51, 0x84, 0xe9, 0x1b, 0xfe, -+ 0x3f, 0xa7, 0xf2, 0xfd, 0x76, 0x5f, 0x6a, 0xe7 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_pr_returnedbits[] = { -+ 0xb7, 0x82, 0xa9, 0x57, 0x81, 0x67, 0x53, 0xb5, 0xa1, 0xe9, 0x3d, 0x35, -+ 0xf9, 0xe4, 0x97, 0xbe, 0xa6, 0xca, 0xf1, 0x01, 0x13, 0x09, 0xe7, 0x21, -+ 0xc0, 0xed, 0x93, 0x5d, 0x4b, 0xf4, 0xeb, 0x8d, 0x53, 0x25, 0x8a, 0xc4, -+ 0xb1, 0x6f, 0x6e, 0x37, 0xcd, 0x2e, 0xac, 0x39, 0xb2, 0xb6, 0x99, 0xa3, -+ 0x82, 0x00, 0xb0, 0x21, 0xf0, 0xc7, 0x2f, 0x4c, 0x73, 0x92, 0xfd, 0x00, -+ 0xb6, 0xaf, 0xbc, 0xd3 -+}; -+ -+/* HMAC SHA-512 No PR */ -+__fips_constseg static const unsigned char hmac_sha512_entropyinput[] = { -+ 0x6e, 0x85, 0xe6, 0x25, 0x96, 0x29, 0xa7, 0x52, 0x5b, 0x60, 0xba, 0xaa, -+ 0xde, 0xdb, 0x36, 0x0a, 0x51, 0x9a, 0x15, 0xae, 0x6e, 0x18, 0xd3, 0xfe, -+ 0x39, 0xb9, 0x4a, 0x96, 0xf8, 0x77, 0xcb, 0x95 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_nonce[] = { -+ 0xe0, 0xa6, 0x5d, 0x08, 0xc3, 0x7c, 0xae, 0x25, 0x2e, 0x80, 0xd1, 0x3e, -+ 0xd9, 0xaf, 0x43, 0x3c -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha512_personalizationstring[] = { -+ 0x53, 0x99, 0x52, 0x5f, 0x11, 0xa9, 0x64, 0x66, 0x20, 0x5e, 0x1b, 0x5f, -+ 0x42, 0xb3, 0xf4, 0xda, 0xed, 0xbb, 0x63, 0xc1, 0x23, 0xaf, 0xd0, 0x01, -+ 0x90, 0x3b, 0xd0, 0x78, 0xe4, 0x0b, 0xa7, 0x20 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_additionalinput[] = { -+ 0x85, 0x90, 0x80, 0xd3, 0x98, 0xf1, 0x53, 0x6d, 0x68, 0x15, 0x8f, 0xe5, -+ 0x60, 0x3f, 0x17, 0x29, 0x55, 0x8d, 0x33, 0xb1, 0x45, 0x64, 0x64, 0x8d, -+ 0x50, 0x21, 0x89, 0xae, 0xf6, 0xfd, 0x32, 0x73 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_int_returnedbits[] = { -+ 0x28, 0x56, 0x30, 0x6f, 0xf4, 0xa1, 0x48, 0xe0, 0xc9, 0xf5, 0x75, 0x90, -+ 0xcc, 0xfb, 0xdf, 0xdf, 0x71, 0x3d, 0x0a, 0x9a, 0x03, 0x65, 0x3b, 0x18, -+ 0x61, 0xe3, 0xd1, 0xda, 0xcc, 0x4a, 0xfe, 0x55, 0x38, 0xf8, 0x21, 0x6b, -+ 0xfa, 0x18, 0x01, 0x42, 0x39, 0x2f, 0x99, 0x53, 0x38, 0x15, 0x82, 0x34, -+ 0xc5, 0x93, 0x92, 0xbc, 0x4d, 0x75, 0x1a, 0x5f, 0x21, 0x27, 0xcc, 0xa1, -+ 0xb1, 0x57, 0x69, 0xe8 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_entropyinputreseed[] = { -+ 0x8c, 0x52, 0x7e, 0x77, 0x72, 0x3f, 0xa3, 0x04, 0x97, 0x10, 0x9b, 0x41, -+ 0xbd, 0xe8, 0xff, 0x89, 0xed, 0x80, 0xe3, 0xbd, 0xaa, 0x12, 0x2d, 0xca, -+ 0x75, 0x82, 0x36, 0x77, 0x88, 0xcd, 0xa6, 0x73 -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha512_additionalinputreseed[] = { -+ 0x7e, 0x32, 0xe3, 0x69, 0x69, 0x07, 0x34, 0xa2, 0x16, 0xa2, 0x5d, 0x1a, -+ 0x10, 0x91, 0xd3, 0xe2, 0x21, 0xa2, 0xa3, 0xdd, 0xcd, 0x0c, 0x09, 0x86, -+ 0x11, 0xe1, 0x50, 0xff, 0x5c, 0xb7, 0xeb, 0x5c -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_additionalinput2[] = { -+ 0x7f, 0x78, 0x66, 0xd8, 0xfb, 0x67, 0xcf, 0x8d, 0x8c, 0x08, 0x30, 0xa5, -+ 0xf8, 0x7d, 0xcf, 0x44, 0x59, 0xce, 0xf8, 0xdf, 0x58, 0xd3, 0x60, 0xcb, -+ 0xa8, 0x60, 0xb9, 0x07, 0xc4, 0xb1, 0x95, 0x48 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_returnedbits[] = { -+ 0xdf, 0xa7, 0x36, 0xd4, 0xdc, 0x5d, 0x4d, 0x31, 0xad, 0x69, 0x46, 0x9f, -+ 0xf1, 0x7c, 0xd7, 0x3b, 0x4f, 0x55, 0xf2, 0xd7, 0xb9, 0x9d, 0xad, 0x7a, -+ 0x79, 0x08, 0x59, 0xa5, 0xdc, 0x74, 0xf5, 0x9b, 0x73, 0xd2, 0x13, 0x25, -+ 0x0b, 0x81, 0x08, 0x08, 0x25, 0xfb, 0x39, 0xf2, 0xf0, 0xa3, 0xa4, 0x8d, -+ 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79, -+ 0xc2, 0xd6, 0xfd, 0xa5 -+}; -diff -up openssl-1.1.0h/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.0h/crypto/fips/fips_dsa_selftest.c ---- openssl-1.1.0h/crypto/fips/fips_dsa_selftest.c.fips 2018-03-29 14:44:24.634236830 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_dsa_selftest.c 2018-03-29 14:44:24.634236830 +0200 -@@ -0,0 +1,195 @@ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#include -+#include -+#include -+#include -+#include "internal/fips_int.h" -+#include -+#include -+#include -+#include "fips_locl.h" -+ -+#ifdef OPENSSL_FIPS -+ -+static const unsigned char dsa_test_2048_p[] = { -+ 0xa8, 0x53, 0x78, 0xd8, 0xfd, 0x3f, 0x8d, 0x72, 0xec, 0x74, 0x18, 0x08, -+ 0x0d, 0xa2, 0x13, 0x17, 0xe4, 0x3e, 0xc4, 0xb6, 0x2b, 0xa8, 0xc8, 0x62, -+ 0x3b, 0x7e, 0x4d, 0x04, 0x44, 0x1d, 0xd1, 0xa0, 0x65, 0x86, 0x62, 0x59, -+ 0x64, 0x93, 0xca, 0x8e, 0x9e, 0x8f, 0xbb, 0x7e, 0x34, 0xaa, 0xdd, 0xb6, -+ 0x2e, 0x5d, 0x67, 0xb6, 0xd0, 0x9a, 0x6e, 0x61, 0xb7, 0x69, 0xe7, 0xc3, -+ 0x52, 0xaa, 0x2b, 0x10, 0xe2, 0x0c, 0xa0, 0x63, 0x69, 0x63, 0xb5, 0x52, -+ 0x3e, 0x86, 0x47, 0x0d, 0xec, 0xbb, 0xed, 0xa0, 0x27, 0xe7, 0x97, 0xe7, -+ 0xb6, 0x76, 0x35, 0xd4, 0xd4, 0x9c, 0x30, 0x70, 0x0e, 0x74, 0xaf, 0x8a, -+ 0x0f, 0xf1, 0x56, 0xa8, 0x01, 0xaf, 0x57, 0xa2, 0x6e, 0x70, 0x78, 0xf1, -+ 0xd8, 0x2f, 0x74, 0x90, 0x8e, 0xcb, 0x6d, 0x07, 0xe7, 0x0b, 0x35, 0x03, -+ 0xee, 0xd9, 0x4f, 0xa3, 0x2c, 0xf1, 0x7a, 0x7f, 0xc3, 0xd6, 0xcf, 0x40, -+ 0xdc, 0x7b, 0x00, 0x83, 0x0e, 0x6a, 0x25, 0x66, 0xdc, 0x07, 0x3e, 0x34, -+ 0x33, 0x12, 0x51, 0x7c, 0x6a, 0xa5, 0x15, 0x2b, 0x4b, 0xfe, 0xcd, 0x2e, -+ 0x55, 0x1f, 0xee, 0x34, 0x63, 0x18, 0xa1, 0x53, 0x42, 0x3c, 0x99, 0x6b, -+ 0x0d, 0x5d, 0xcb, 0x91, 0x02, 0xae, 0xdd, 0x38, 0x79, 0x86, 0x16, 0xf1, -+ 0xf1, 0xe0, 0xd6, 0xc4, 0x03, 0x52, 0x5b, 0x1f, 0x9b, 0x3d, 0x4d, 0xc7, -+ 0x66, 0xde, 0x2d, 0xfc, 0x4a, 0x56, 0xd7, 0xb8, 0xba, 0x59, 0x63, 0xd6, -+ 0x0f, 0x3e, 0x16, 0x31, 0x88, 0x70, 0xad, 0x43, 0x69, 0x52, 0xe5, 0x57, -+ 0x65, 0x37, 0x4e, 0xab, 0x85, 0xe8, 0xec, 0x17, 0xd6, 0xb9, 0xa4, 0x54, -+ 0x7b, 0x9b, 0x5f, 0x27, 0x52, 0xf3, 0x10, 0x5b, 0xe8, 0x09, 0xb2, 0x3a, -+ 0x2c, 0x8d, 0x74, 0x69, 0xdb, 0x02, 0xe2, 0x4d, 0x59, 0x23, 0x94, 0xa7, -+ 0xdb, 0xa0, 0x69, 0xe9 -+}; -+ -+static const unsigned char dsa_test_2048_q[] = { -+ 0xd2, 0x77, 0x04, 0x4e, 0x50, 0xf5, 0xa4, 0xe3, 0xf5, 0x10, 0xa5, 0x0a, -+ 0x0b, 0x84, 0xfd, 0xff, 0xbc, 0xa0, 0x47, 0xed, 0x27, 0x60, 0x20, 0x56, -+ 0x74, 0x41, 0xa0, 0xa5 -+}; -+ -+static const unsigned char dsa_test_2048_g[] = { -+ 0x13, 0xd7, 0x54, 0xe2, 0x1f, 0xd2, 0x41, 0x65, 0x5d, 0xa8, 0x91, 0xc5, -+ 0x22, 0xa6, 0x5a, 0x72, 0xa8, 0x9b, 0xdc, 0x64, 0xec, 0x9b, 0x54, 0xa8, -+ 0x21, 0xed, 0x4a, 0x89, 0x8b, 0x49, 0x0e, 0x0c, 0x4f, 0xcb, 0x72, 0x19, -+ 0x2a, 0x4a, 0x20, 0xf5, 0x41, 0xf3, 0xf2, 0x92, 0x53, 0x99, 0xf0, 0xba, -+ 0xec, 0xf9, 0x29, 0xaa, 0xfb, 0xf7, 0x9d, 0xfe, 0x43, 0x32, 0x39, 0x3b, -+ 0x32, 0xcd, 0x2e, 0x2f, 0xcf, 0x27, 0x2f, 0x32, 0xa6, 0x27, 0x43, 0x4a, -+ 0x0d, 0xf2, 0x42, 0xb7, 0x5b, 0x41, 0x4d, 0xf3, 0x72, 0x12, 0x1e, 0x53, -+ 0xa5, 0x53, 0xf2, 0x22, 0xf8, 0x36, 0xb0, 0x00, 0xf0, 0x16, 0x48, 0x5b, -+ 0x6b, 0xd0, 0x89, 0x84, 0x51, 0x80, 0x1d, 0xcd, 0x8d, 0xe6, 0x4c, 0xd5, -+ 0x36, 0x56, 0x96, 0xff, 0xc5, 0x32, 0xd5, 0x28, 0xc5, 0x06, 0x62, 0x0a, -+ 0x94, 0x2a, 0x03, 0x05, 0x04, 0x6d, 0x8f, 0x18, 0x76, 0x34, 0x1f, 0x1e, -+ 0x57, 0x0b, 0xc3, 0x97, 0x4b, 0xa6, 0xb9, 0xa4, 0x38, 0xe9, 0x70, 0x23, -+ 0x02, 0xa2, 0xe6, 0xe6, 0x7b, 0xfd, 0x06, 0xd3, 0x2b, 0xc6, 0x79, 0x96, -+ 0x22, 0x71, 0xd7, 0xb4, 0x0c, 0xd7, 0x2f, 0x38, 0x6e, 0x64, 0xe0, 0xd7, -+ 0xef, 0x86, 0xca, 0x8c, 0xa5, 0xd1, 0x42, 0x28, 0xdc, 0x2a, 0x4f, 0x16, -+ 0xe3, 0x18, 0x98, 0x86, 0xb5, 0x99, 0x06, 0x74, 0xf4, 0x20, 0x0f, 0x3a, -+ 0x4c, 0xf6, 0x5a, 0x3f, 0x0d, 0xdb, 0xa1, 0xfa, 0x67, 0x2d, 0xff, 0x2f, -+ 0x5e, 0x14, 0x3d, 0x10, 0xe4, 0xe9, 0x7a, 0xe8, 0x4f, 0x6d, 0xa0, 0x95, -+ 0x35, 0xd5, 0xb9, 0xdf, 0x25, 0x91, 0x81, 0xa7, 0x9b, 0x63, 0xb0, 0x69, -+ 0xe9, 0x49, 0x97, 0x2b, 0x02, 0xba, 0x36, 0xb3, 0x58, 0x6a, 0xab, 0x7e, -+ 0x45, 0xf3, 0x22, 0xf8, 0x2e, 0x4e, 0x85, 0xca, 0x3a, 0xb8, 0x55, 0x91, -+ 0xb3, 0xc2, 0xa9, 0x66 -+}; -+ -+static const unsigned char dsa_test_2048_pub_key[] = { -+ 0x24, 0x52, 0xf3, 0xcc, 0xbe, 0x9e, 0xd5, 0xca, 0x7d, 0xc7, 0x4c, 0x60, -+ 0x2b, 0x99, 0x22, 0x6e, 0x8f, 0x2f, 0xab, 0x38, 0xe7, 0xd7, 0xdd, 0xfb, -+ 0x75, 0x53, 0x9b, 0x17, 0x15, 0x5e, 0x9f, 0xcf, 0xd1, 0xab, 0xa5, 0x64, -+ 0xeb, 0x85, 0x35, 0xd8, 0x12, 0xc9, 0xc2, 0xdc, 0xf9, 0x72, 0x84, 0x44, -+ 0x1b, 0xc4, 0x82, 0x24, 0x36, 0x24, 0xc7, 0xf4, 0x57, 0x58, 0x0c, 0x1c, -+ 0x38, 0xa5, 0x7c, 0x46, 0xc4, 0x57, 0x39, 0x24, 0x70, 0xed, 0xb5, 0x2c, -+ 0xb5, 0xa6, 0xe0, 0x3f, 0xe6, 0x28, 0x7b, 0xb6, 0xf4, 0x9a, 0x42, 0xa2, -+ 0x06, 0x5a, 0x05, 0x4f, 0x03, 0x08, 0x39, 0xdf, 0x1f, 0xd3, 0x14, 0x9c, -+ 0x4c, 0xa0, 0x53, 0x1d, 0xd8, 0xca, 0x8a, 0xaa, 0x9c, 0xc7, 0x33, 0x71, -+ 0x93, 0x38, 0x73, 0x48, 0x33, 0x61, 0x18, 0x22, 0x45, 0x45, 0xe8, 0x8c, -+ 0x80, 0xff, 0xd8, 0x76, 0x5d, 0x74, 0x36, 0x03, 0x33, 0xcc, 0xab, 0x99, -+ 0x72, 0x77, 0x9b, 0x65, 0x25, 0xa6, 0x5b, 0xdd, 0x0d, 0x10, 0xc6, 0x75, -+ 0xc1, 0x09, 0xbb, 0xd3, 0xe5, 0xbe, 0x4d, 0x72, 0xef, 0x6e, 0xba, 0x6e, -+ 0x43, 0x8d, 0x52, 0x26, 0x23, 0x7d, 0xb8, 0x88, 0x37, 0x9c, 0x5f, 0xcc, -+ 0x47, 0xa3, 0x84, 0x7f, 0xf6, 0x37, 0x11, 0xba, 0xed, 0x6d, 0x03, 0xaf, -+ 0xe8, 0x1e, 0x69, 0x4a, 0x41, 0x3b, 0x68, 0x0b, 0xd3, 0x8a, 0xb4, 0x90, -+ 0x3f, 0x83, 0x70, 0xa7, 0x07, 0xef, 0x55, 0x1d, 0x49, 0x41, 0x02, 0x6d, -+ 0x95, 0x79, 0xd6, 0x91, 0xde, 0x8e, 0xda, 0xa1, 0x61, 0x05, 0xeb, 0x9d, -+ 0xba, 0x3c, 0x2f, 0x4c, 0x1b, 0xec, 0x50, 0x82, 0x75, 0xaa, 0x02, 0x07, -+ 0xe2, 0x51, 0xb5, 0xec, 0xcb, 0x28, 0x6a, 0x4b, 0x01, 0xd4, 0x49, 0xd3, -+ 0x0a, 0xcb, 0x67, 0x37, 0x17, 0xa0, 0xd2, 0xfb, 0x3b, 0x50, 0xc8, 0x93, -+ 0xf7, 0xda, 0xb1, 0x4f -+}; -+ -+static const unsigned char dsa_test_2048_priv_key[] = { -+ 0x0c, 0x4b, 0x30, 0x89, 0xd1, 0xb8, 0x62, 0xcb, 0x3c, 0x43, 0x64, 0x91, -+ 0xf0, 0x91, 0x54, 0x70, 0xc5, 0x27, 0x96, 0xe3, 0xac, 0xbe, 0xe8, 0x00, -+ 0xec, 0x55, 0xf6, 0xcc -+}; -+ -+int FIPS_selftest_dsa() -+{ -+ DSA *dsa = NULL; -+ EVP_PKEY *pk = NULL; -+ int ret = -1; -+ BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL; -+ -+ fips_load_key_component(p, dsa_test_2048); -+ fips_load_key_component(q, dsa_test_2048); -+ fips_load_key_component(g, dsa_test_2048); -+ fips_load_key_component(pub_key, dsa_test_2048); -+ fips_load_key_component(priv_key, dsa_test_2048); -+ -+ dsa = DSA_new(); -+ -+ if (dsa == NULL) -+ goto err; -+ -+ DSA_set0_pqg(dsa, p, q, g); -+ -+ DSA_set0_key(dsa, pub_key, priv_key); -+ -+ if ((pk = EVP_PKEY_new()) == NULL) -+ goto err; -+ -+ EVP_PKEY_assign_DSA(pk, dsa); -+ -+ if (!fips_pkey_signature_test(pk, NULL, 0, -+ NULL, 0, EVP_sha256(), 0, "DSA SHA256")) -+ goto err; -+ ret = 1; -+ -+ err: -+ if (pk) -+ EVP_PKEY_free(pk); -+ else if (dsa) -+ DSA_free(dsa); -+ else { -+ BN_free(p); -+ BN_free(q); -+ BN_free(g); -+ BN_free(pub_key); -+ BN_free(priv_key); -+ } -+ return ret; -+} -+#endif -diff -up openssl-1.1.0h/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.0h/crypto/fips/fips_ecdh_selftest.c ---- openssl-1.1.0h/crypto/fips/fips_ecdh_selftest.c.fips 2018-03-29 14:44:24.635236854 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_ecdh_selftest.c 2018-03-29 14:44:24.635236854 +0200 -@@ -0,0 +1,242 @@ -+/* fips/ecdh/fips_ecdh_selftest.c */ -+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL -+ * project 2011. -+ */ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * ==================================================================== -+ * -+ */ -+ -+#define OPENSSL_FIPSAPI -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#ifdef OPENSSL_FIPS -+ -+# include "fips_locl.h" -+ -+static const unsigned char p256_qcavsx[] = { -+ 0x52, 0xc6, 0xa5, 0x75, 0xf3, 0x04, 0x98, 0xb3, 0x29, 0x66, 0x0c, 0x62, -+ 0x18, 0x60, 0x55, 0x41, 0x59, 0xd4, 0x60, 0x85, 0x99, 0xc1, 0x51, 0x13, -+ 0x6f, 0x97, 0x85, 0x93, 0x33, 0x34, 0x07, 0x50 -+}; -+ -+static const unsigned char p256_qcavsy[] = { -+ 0x6f, 0x69, 0x24, 0xeb, 0xe9, 0x3b, 0xa7, 0xcc, 0x47, 0x17, 0xaa, 0x3f, -+ 0x70, 0xfc, 0x10, 0x73, 0x0a, 0xcd, 0x21, 0xee, 0x29, 0x19, 0x1f, 0xaf, -+ 0xb4, 0x1c, 0x1e, 0xc2, 0x8e, 0x97, 0x81, 0x6e -+}; -+ -+static const unsigned char p256_qiutx[] = { -+ 0x71, 0x46, 0x88, 0x08, 0x92, 0x21, 0x1b, 0x10, 0x21, 0x74, 0xff, 0x0c, -+ 0x94, 0xde, 0x34, 0x7c, 0x86, 0x74, 0xbe, 0x67, 0x41, 0x68, 0xd4, 0xc1, -+ 0xe5, 0x75, 0x63, 0x9c, 0xa7, 0x46, 0x93, 0x6f -+}; -+ -+static const unsigned char p256_qiuty[] = { -+ 0x33, 0x40, 0xa9, 0x6a, 0xf5, 0x20, 0xb5, 0x9e, 0xfc, 0x60, 0x1a, 0xae, -+ 0x3d, 0xf8, 0x21, 0xd2, 0xa7, 0xca, 0x52, 0x34, 0xb9, 0x5f, 0x27, 0x75, -+ 0x6c, 0x81, 0xbe, 0x32, 0x4d, 0xba, 0xbb, 0xf8 -+}; -+ -+static const unsigned char p256_qiutd[] = { -+ 0x1a, 0x48, 0x55, 0x6b, 0x11, 0xbe, 0x92, 0xd4, 0x1c, 0xd7, 0x45, 0xc3, -+ 0x82, 0x81, 0x51, 0xf1, 0x23, 0x40, 0xb7, 0x83, 0xfd, 0x01, 0x6d, 0xbc, -+ 0xa1, 0x66, 0xaf, 0x0a, 0x03, 0x23, 0xcd, 0xc8 -+}; -+ -+static const unsigned char p256_ziut[] = { -+ 0x77, 0x2a, 0x1e, 0x37, 0xee, 0xe6, 0x51, 0x02, 0x71, 0x40, 0xf8, 0x6a, -+ 0x36, 0xf8, 0x65, 0x61, 0x2b, 0x18, 0x71, 0x82, 0x23, 0xe6, 0xf2, 0x77, -+ 0xce, 0xec, 0xb8, 0x49, 0xc7, 0xbf, 0x36, 0x4f -+}; -+ -+typedef struct { -+ int curve; -+ const unsigned char *x1; -+ size_t x1len; -+ const unsigned char *y1; -+ size_t y1len; -+ const unsigned char *d1; -+ size_t d1len; -+ const unsigned char *x2; -+ size_t x2len; -+ const unsigned char *y2; -+ size_t y2len; -+ const unsigned char *z; -+ size_t zlen; -+} ECDH_SELFTEST_DATA; -+ -+# define make_ecdh_test(nid, pr) { nid, \ -+ pr##_qiutx, sizeof(pr##_qiutx), \ -+ pr##_qiuty, sizeof(pr##_qiuty), \ -+ pr##_qiutd, sizeof(pr##_qiutd), \ -+ pr##_qcavsx, sizeof(pr##_qcavsx), \ -+ pr##_qcavsy, sizeof(pr##_qcavsy), \ -+ pr##_ziut, sizeof(pr##_ziut) } -+ -+static ECDH_SELFTEST_DATA test_ecdh_data[] = { -+ make_ecdh_test(NID_X9_62_prime256v1, p256), -+}; -+ -+int FIPS_selftest_ecdh(void) -+{ -+ EC_KEY *ec1 = NULL, *ec2 = NULL; -+ const EC_POINT *ecp = NULL; -+ BIGNUM *x = NULL, *y = NULL, *d = NULL; -+ unsigned char *ztmp = NULL; -+ int rv = 1; -+ size_t i; -+ -+ for (i = 0; i < sizeof(test_ecdh_data) / sizeof(ECDH_SELFTEST_DATA); i++) { -+ ECDH_SELFTEST_DATA *ecd = test_ecdh_data + i; -+ if (!fips_post_started(FIPS_TEST_ECDH, ecd->curve, 0)) -+ continue; -+ ztmp = OPENSSL_malloc(ecd->zlen); -+ -+ x = BN_bin2bn(ecd->x1, ecd->x1len, x); -+ y = BN_bin2bn(ecd->y1, ecd->y1len, y); -+ d = BN_bin2bn(ecd->d1, ecd->d1len, d); -+ -+ if (!x || !y || !d || !ztmp) { -+ rv = -1; -+ goto err; -+ } -+ -+ ec1 = EC_KEY_new_by_curve_name(ecd->curve); -+ if (!ec1) { -+ rv = -1; -+ goto err; -+ } -+ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH); -+ -+ if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) { -+ rv = -1; -+ goto err; -+ } -+ -+ if (!EC_KEY_set_private_key(ec1, d)) { -+ rv = -1; -+ goto err; -+ } -+ -+ x = BN_bin2bn(ecd->x2, ecd->x2len, x); -+ y = BN_bin2bn(ecd->y2, ecd->y2len, y); -+ -+ if (!x || !y) { -+ rv = -1; -+ goto err; -+ } -+ -+ ec2 = EC_KEY_new_by_curve_name(ecd->curve); -+ if (!ec2) { -+ rv = -1; -+ goto err; -+ } -+ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH); -+ -+ if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) { -+ rv = -1; -+ goto err; -+ } -+ -+ ecp = EC_KEY_get0_public_key(ec2); -+ if (!ecp) { -+ rv = -1; -+ goto err; -+ } -+ -+ if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) { -+ rv = -1; -+ goto err; -+ } -+ -+ if (!fips_post_corrupt(FIPS_TEST_ECDH, ecd->curve, NULL)) -+ ztmp[0] ^= 0x1; -+ -+ if (memcmp(ztmp, ecd->z, ecd->zlen)) { -+ fips_post_failed(FIPS_TEST_ECDH, ecd->curve, 0); -+ rv = 0; -+ } else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0)) -+ goto err; -+ -+ EC_KEY_free(ec1); -+ ec1 = NULL; -+ EC_KEY_free(ec2); -+ ec2 = NULL; -+ OPENSSL_free(ztmp); -+ ztmp = NULL; -+ } -+ -+ err: -+ -+ if (x) -+ BN_clear_free(x); -+ if (y) -+ BN_clear_free(y); -+ if (d) -+ BN_clear_free(d); -+ if (ec1) -+ EC_KEY_free(ec1); -+ if (ec2) -+ EC_KEY_free(ec2); -+ if (ztmp) -+ OPENSSL_free(ztmp); -+ -+ return rv; -+ -+} -+ -+#endif -diff -up openssl-1.1.0h/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.0h/crypto/fips/fips_ecdsa_selftest.c ---- openssl-1.1.0h/crypto/fips/fips_ecdsa_selftest.c.fips 2018-03-29 14:44:24.635236854 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_ecdsa_selftest.c 2018-03-29 14:44:24.635236854 +0200 -@@ -0,0 +1,166 @@ -+/* fips/ecdsa/fips_ecdsa_selftest.c */ -+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL -+ * project 2011. -+ */ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * ==================================================================== -+ * -+ */ -+ -+#define OPENSSL_FIPSAPI -+ -+#include -+#include -+#include -+#include -+#include -+#include "internal/fips_int.h" -+#include -+#include -+#include -+ -+#ifdef OPENSSL_FIPS -+ -+static const char P_256_name[] = "ECDSA P-256"; -+ -+static const unsigned char P_256_d[] = { -+ 0x51, 0xbd, 0x06, 0xa1, 0x1c, 0xda, 0xe2, 0x12, 0x99, 0xc9, 0x52, 0x3f, -+ 0xea, 0xa4, 0xd2, 0xd1, 0xf4, 0x7f, 0xd4, 0x3e, 0xbd, 0xf8, 0xfc, 0x87, -+ 0xdc, 0x82, 0x53, 0x21, 0xee, 0xa0, 0xdc, 0x64 -+}; -+ -+static const unsigned char P_256_qx[] = { -+ 0x23, 0x89, 0xe0, 0xf4, 0x69, 0xe0, 0x49, 0xe5, 0xc7, 0xe5, 0x40, 0x6e, -+ 0x8f, 0x25, 0xdd, 0xad, 0x11, 0x16, 0x14, 0x9b, 0xab, 0x44, 0x06, 0x31, -+ 0xbf, 0x5e, 0xa6, 0x44, 0xac, 0x86, 0x00, 0x07 -+}; -+ -+static const unsigned char P_256_qy[] = { -+ 0xb3, 0x05, 0x0d, 0xd0, 0xdc, 0xf7, 0x40, 0xe6, 0xf9, 0xd8, 0x6d, 0x7b, -+ 0x63, 0xca, 0x97, 0xe6, 0x12, 0xf9, 0xd4, 0x18, 0x59, 0xbe, 0xb2, 0x5e, -+ 0x4a, 0x6a, 0x77, 0x23, 0xf4, 0x11, 0x9d, 0xeb -+}; -+ -+typedef struct { -+ int curve; -+ const char *name; -+ const unsigned char *x; -+ size_t xlen; -+ const unsigned char *y; -+ size_t ylen; -+ const unsigned char *d; -+ size_t dlen; -+} EC_SELFTEST_DATA; -+ -+# define make_ecdsa_test(nid, pr) { nid, pr##_name, \ -+ pr##_qx, sizeof(pr##_qx), \ -+ pr##_qy, sizeof(pr##_qy), \ -+ pr##_d, sizeof(pr##_d)} -+ -+static EC_SELFTEST_DATA test_ec_data[] = { -+ make_ecdsa_test(NID_X9_62_prime256v1, P_256), -+}; -+ -+int FIPS_selftest_ecdsa() -+{ -+ EC_KEY *ec = NULL; -+ BIGNUM *x = NULL, *y = NULL, *d = NULL; -+ EVP_PKEY *pk = NULL; -+ int rv = 0; -+ size_t i; -+ -+ for (i = 0; i < sizeof(test_ec_data) / sizeof(EC_SELFTEST_DATA); i++) { -+ EC_SELFTEST_DATA *ecd = test_ec_data + i; -+ -+ x = BN_bin2bn(ecd->x, ecd->xlen, x); -+ y = BN_bin2bn(ecd->y, ecd->ylen, y); -+ d = BN_bin2bn(ecd->d, ecd->dlen, d); -+ -+ if (!x || !y || !d) -+ goto err; -+ -+ ec = EC_KEY_new_by_curve_name(ecd->curve); -+ if (!ec) -+ goto err; -+ -+ if (!EC_KEY_set_public_key_affine_coordinates(ec, x, y)) -+ goto err; -+ -+ if (!EC_KEY_set_private_key(ec, d)) -+ goto err; -+ -+ if ((pk = EVP_PKEY_new()) == NULL) -+ goto err; -+ -+ EVP_PKEY_assign_EC_KEY(pk, ec); -+ -+ if (!fips_pkey_signature_test(pk, NULL, 0, -+ NULL, 0, EVP_sha256(), 0, ecd->name)) -+ goto err; -+ } -+ -+ rv = 1; -+ -+ err: -+ -+ if (x) -+ BN_clear_free(x); -+ if (y) -+ BN_clear_free(y); -+ if (d) -+ BN_clear_free(d); -+ if (pk) -+ EVP_PKEY_free(pk); -+ else if (ec) -+ EC_KEY_free(ec); -+ -+ return rv; -+ -+} -+ -+#endif -diff -up openssl-1.1.0h/crypto/fips/fips_enc.c.fips openssl-1.1.0h/crypto/fips/fips_enc.c ---- openssl-1.1.0h/crypto/fips/fips_enc.c.fips 2018-03-29 14:44:24.635236854 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_enc.c 2018-03-29 14:44:24.635236854 +0200 -@@ -0,0 +1,189 @@ -+/* fipe/evp/fips_enc.c */ -+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) -+ * All rights reserved. -+ * -+ * This package is an SSL implementation written -+ * by Eric Young (eay@cryptsoft.com). -+ * The implementation was written so as to conform with Netscapes SSL. -+ * -+ * This library is free for commercial and non-commercial use as long as -+ * the following conditions are aheared to. The following conditions -+ * apply to all code found in this distribution, be it the RC4, RSA, -+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation -+ * included with this distribution is covered by the same copyright terms -+ * except that the holder is Tim Hudson (tjh@cryptsoft.com). -+ * -+ * Copyright remains Eric Young's, and as such any Copyright notices in -+ * the code are not to be removed. -+ * If this package is used in a product, Eric Young should be given attribution -+ * as the author of the parts of the library used. -+ * This can be in the form of a textual message at program startup or -+ * in documentation (online or textual) provided with the package. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. All advertising materials mentioning features or use of this software -+ * must display the following acknowledgement: -+ * "This product includes cryptographic software written by -+ * Eric Young (eay@cryptsoft.com)" -+ * The word 'cryptographic' can be left out if the rouines from the library -+ * being used are not cryptographic related :-). -+ * 4. If you include any Windows specific code (or a derivative thereof) from -+ * the apps directory (application code) you must include an acknowledgement: -+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND -+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -+ * SUCH DAMAGE. -+ * -+ * The licence and distribution terms for any publically available version or -+ * derivative of this code cannot be changed. i.e. this code cannot simply be -+ * copied and put under another distribution licence -+ * [including the GNU Public Licence.] -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+ -+const EVP_CIPHER *FIPS_get_cipherbynid(int nid) -+{ -+ switch (nid) { -+ case NID_aes_128_cbc: -+ return EVP_aes_128_cbc(); -+ -+ case NID_aes_128_ccm: -+ return EVP_aes_128_ccm(); -+ -+ case NID_aes_128_cfb1: -+ return EVP_aes_128_cfb1(); -+ -+ case NID_aes_128_cfb128: -+ return EVP_aes_128_cfb128(); -+ -+ case NID_aes_128_cfb8: -+ return EVP_aes_128_cfb8(); -+ -+ case NID_aes_128_ctr: -+ return EVP_aes_128_ctr(); -+ -+ case NID_aes_128_ecb: -+ return EVP_aes_128_ecb(); -+ -+ case NID_aes_128_gcm: -+ return EVP_aes_128_gcm(); -+ -+ case NID_aes_128_ofb128: -+ return EVP_aes_128_ofb(); -+ -+ case NID_aes_128_xts: -+ return EVP_aes_128_xts(); -+ -+ case NID_aes_192_cbc: -+ return EVP_aes_192_cbc(); -+ -+ case NID_aes_192_ccm: -+ return EVP_aes_192_ccm(); -+ -+ case NID_aes_192_cfb1: -+ return EVP_aes_192_cfb1(); -+ -+ case NID_aes_192_cfb128: -+ return EVP_aes_192_cfb128(); -+ -+ case NID_aes_192_cfb8: -+ return EVP_aes_192_cfb8(); -+ -+ case NID_aes_192_ctr: -+ return EVP_aes_192_ctr(); -+ -+ case NID_aes_192_ecb: -+ return EVP_aes_192_ecb(); -+ -+ case NID_aes_192_gcm: -+ return EVP_aes_192_gcm(); -+ -+ case NID_aes_192_ofb128: -+ return EVP_aes_192_ofb(); -+ -+ case NID_aes_256_cbc: -+ return EVP_aes_256_cbc(); -+ -+ case NID_aes_256_ccm: -+ return EVP_aes_256_ccm(); -+ -+ case NID_aes_256_cfb1: -+ return EVP_aes_256_cfb1(); -+ -+ case NID_aes_256_cfb128: -+ return EVP_aes_256_cfb128(); -+ -+ case NID_aes_256_cfb8: -+ return EVP_aes_256_cfb8(); -+ -+ case NID_aes_256_ctr: -+ return EVP_aes_256_ctr(); -+ -+ case NID_aes_256_ecb: -+ return EVP_aes_256_ecb(); -+ -+ case NID_aes_256_gcm: -+ return EVP_aes_256_gcm(); -+ -+ case NID_aes_256_ofb128: -+ return EVP_aes_256_ofb(); -+ -+ case NID_aes_256_xts: -+ return EVP_aes_256_xts(); -+ -+ case NID_des_ede_ecb: -+ return EVP_des_ede(); -+ -+ case NID_des_ede3_ecb: -+ return EVP_des_ede3(); -+ -+ case NID_des_ede3_cbc: -+ return EVP_des_ede3_cbc(); -+ -+ case NID_des_ede3_cfb1: -+ return EVP_des_ede3_cfb1(); -+ -+ case NID_des_ede3_cfb64: -+ return EVP_des_ede3_cfb64(); -+ -+ case NID_des_ede3_cfb8: -+ return EVP_des_ede3_cfb8(); -+ -+ case NID_des_ede3_ofb64: -+ return EVP_des_ede3_ofb(); -+ -+ case NID_des_ede_cbc: -+ return EVP_des_ede_cbc(); -+ -+ case NID_des_ede_cfb64: -+ return EVP_des_ede_cfb64(); -+ -+ case NID_des_ede_ofb64: -+ return EVP_des_ede_ofb(); -+ -+ default: -+ return NULL; -+ -+ } -+} -diff -up openssl-1.1.0h/crypto/fips/fips_err.h.fips openssl-1.1.0h/crypto/fips/fips_err.h ---- openssl-1.1.0h/crypto/fips/fips_err.h.fips 2018-03-29 14:44:24.635236854 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_err.h 2018-03-29 14:44:24.635236854 +0200 -@@ -0,0 +1,196 @@ -+/* crypto/fips_err.h */ -+/* ==================================================================== -+ * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * ==================================================================== -+ * -+ * This product includes cryptographic software written by Eric Young -+ * (eay@cryptsoft.com). This product includes software written by Tim -+ * Hudson (tjh@cryptsoft.com). -+ * -+ */ -+ -+/* -+ * NOTE: this file was auto generated by the mkerr.pl script: any changes -+ * made to it will be overwritten when the script next updates this file, -+ * only reason strings will be preserved. -+ */ -+ -+#include -+#include -+#include -+ -+/* BEGIN ERROR CODES */ -+#ifndef OPENSSL_NO_ERR -+ -+# define ERR_FUNC(func) ERR_PACK(ERR_LIB_FIPS,func,0) -+# define ERR_REASON(reason) ERR_PACK(ERR_LIB_FIPS,0,reason) -+ -+static ERR_STRING_DATA FIPS_str_functs[] = { -+ {ERR_FUNC(FIPS_F_DH_BUILTIN_GENPARAMS), "dh_builtin_genparams"}, -+ {ERR_FUNC(FIPS_F_DRBG_RESEED), "drbg_reseed"}, -+ {ERR_FUNC(FIPS_F_DSA_BUILTIN_PARAMGEN2), "dsa_builtin_paramgen2"}, -+ {ERR_FUNC(FIPS_F_DSA_DO_SIGN), "DSA_do_sign"}, -+ {ERR_FUNC(FIPS_F_DSA_DO_VERIFY), "DSA_do_verify"}, -+ {ERR_FUNC(FIPS_F_ECDH_COMPUTE_KEY), "ECDH_compute_key"}, -+ {ERR_FUNC(FIPS_F_EVP_CIPHER_CTX_NEW), "EVP_CIPHER_CTX_new"}, -+ {ERR_FUNC(FIPS_F_EVP_CIPHER_CTX_RESET), "EVP_CIPHER_CTX_reset"}, -+ {ERR_FUNC(FIPS_F_FIPS_CHECK_DSA), "fips_check_dsa"}, -+ {ERR_FUNC(FIPS_F_FIPS_CHECK_EC), "fips_check_ec"}, -+ {ERR_FUNC(FIPS_F_FIPS_CHECK_RSA), "fips_check_rsa"}, -+ {ERR_FUNC(FIPS_F_FIPS_DRBG_BYTES), "fips_drbg_bytes"}, -+ {ERR_FUNC(FIPS_F_FIPS_DRBG_CHECK), "fips_drbg_check"}, -+ {ERR_FUNC(FIPS_F_FIPS_DRBG_CPRNG_TEST), "fips_drbg_cprng_test"}, -+ {ERR_FUNC(FIPS_F_FIPS_DRBG_ERROR_CHECK), "fips_drbg_error_check"}, -+ {ERR_FUNC(FIPS_F_FIPS_DRBG_GENERATE), "FIPS_drbg_generate"}, -+ {ERR_FUNC(FIPS_F_FIPS_DRBG_INIT), "FIPS_drbg_init"}, -+ {ERR_FUNC(FIPS_F_FIPS_DRBG_INSTANTIATE), "FIPS_drbg_instantiate"}, -+ {ERR_FUNC(FIPS_F_FIPS_DRBG_NEW), "FIPS_drbg_new"}, -+ {ERR_FUNC(FIPS_F_FIPS_DRBG_RESEED), "FIPS_drbg_reseed"}, -+ {ERR_FUNC(FIPS_F_FIPS_DRBG_SINGLE_KAT), "FIPS_DRBG_SINGLE_KAT"}, -+ {ERR_FUNC(FIPS_F_FIPS_GET_ENTROPY), "fips_get_entropy"}, -+ {ERR_FUNC(FIPS_F_FIPS_MODULE_MODE_SET), "FIPS_module_mode_set"}, -+ {ERR_FUNC(FIPS_F_FIPS_PKEY_SIGNATURE_TEST), "fips_pkey_signature_test"}, -+ {ERR_FUNC(FIPS_F_FIPS_RAND_BYTES), "FIPS_rand_bytes"}, -+ {ERR_FUNC(FIPS_F_FIPS_RAND_SEED), "FIPS_rand_seed"}, -+ {ERR_FUNC(FIPS_F_FIPS_RAND_SET_METHOD), "FIPS_rand_set_method"}, -+ {ERR_FUNC(FIPS_F_FIPS_RAND_STATUS), "FIPS_rand_status"}, -+ {ERR_FUNC(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN), "fips_rsa_builtin_keygen"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES), "FIPS_selftest_aes"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_CCM), "FIPS_selftest_aes_ccm"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_GCM), "FIPS_selftest_aes_gcm"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_XTS), "FIPS_selftest_aes_xts"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_CMAC), "FIPS_selftest_cmac"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DES), "FIPS_selftest_des"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"}, -+ {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"}, -+ {ERR_FUNC(FIPS_F_OSSL_ECDSA_VERIFY_SIG), "ossl_ecdsa_verify_sig"}, -+ {ERR_FUNC(FIPS_F_RSA_BUILTIN_KEYGEN), "rsa_builtin_keygen"}, -+ {ERR_FUNC(FIPS_F_RSA_OSSL_INIT), "rsa_ossl_init"}, -+ {ERR_FUNC(FIPS_F_RSA_OSSL_PRIVATE_DECRYPT), "rsa_ossl_private_decrypt"}, -+ {ERR_FUNC(FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT), "rsa_ossl_private_encrypt"}, -+ {ERR_FUNC(FIPS_F_RSA_OSSL_PUBLIC_DECRYPT), "rsa_ossl_public_decrypt"}, -+ {ERR_FUNC(FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT), "rsa_ossl_public_encrypt"}, -+ {0, NULL} -+}; -+ -+static ERR_STRING_DATA FIPS_str_reasons[] = { -+ {ERR_REASON(FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED), -+ "additional input error undetected"}, -+ {ERR_REASON(FIPS_R_ADDITIONAL_INPUT_TOO_LONG), -+ "additional input too long"}, -+ {ERR_REASON(FIPS_R_ALREADY_INSTANTIATED), "already instantiated"}, -+ {ERR_REASON(FIPS_R_DRBG_NOT_INITIALISED), "drbg not initialised"}, -+ {ERR_REASON(FIPS_R_DRBG_STUCK), "drbg stuck"}, -+ {ERR_REASON(FIPS_R_ENTROPY_ERROR_UNDETECTED), "entropy error undetected"}, -+ {ERR_REASON(FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED), -+ "entropy not requested for reseed"}, -+ {ERR_REASON(FIPS_R_ENTROPY_SOURCE_STUCK), "entropy source stuck"}, -+ {ERR_REASON(FIPS_R_ERROR_INITIALISING_DRBG), "error initialising drbg"}, -+ {ERR_REASON(FIPS_R_ERROR_INSTANTIATING_DRBG), "error instantiating drbg"}, -+ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT), -+ "error retrieving additional input"}, -+ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ENTROPY), "error retrieving entropy"}, -+ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_NONCE), "error retrieving nonce"}, -+ {ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH), -+ "fingerprint does not match"}, -+ {ERR_REASON(FIPS_R_FIPS_MODE_ALREADY_SET), "fips mode already set"}, -+ {ERR_REASON(FIPS_R_FIPS_SELFTEST_FAILED), "fips selftest failed"}, -+ {ERR_REASON(FIPS_R_FUNCTION_ERROR), "function error"}, -+ {ERR_REASON(FIPS_R_GENERATE_ERROR), "generate error"}, -+ {ERR_REASON(FIPS_R_GENERATE_ERROR_UNDETECTED), -+ "generate error undetected"}, -+ {ERR_REASON(FIPS_R_INSTANTIATE_ERROR), "instantiate error"}, -+ {ERR_REASON(FIPS_R_INTERNAL_ERROR), "internal error"}, -+ {ERR_REASON(FIPS_R_INVALID_KEY_LENGTH), "invalid key length"}, -+ {ERR_REASON(FIPS_R_IN_ERROR_STATE), "in error state"}, -+ {ERR_REASON(FIPS_R_KEY_TOO_SHORT), "key too short"}, -+ {ERR_REASON(FIPS_R_NONCE_ERROR_UNDETECTED), "nonce error undetected"}, -+ {ERR_REASON(FIPS_R_NON_FIPS_METHOD), "non fips method"}, -+ {ERR_REASON(FIPS_R_NOPR_TEST1_FAILURE), "nopr test1 failure"}, -+ {ERR_REASON(FIPS_R_NOPR_TEST2_FAILURE), "nopr test2 failure"}, -+ {ERR_REASON(FIPS_R_NOT_INSTANTIATED), "not instantiated"}, -+ {ERR_REASON(FIPS_R_PAIRWISE_TEST_FAILED), "pairwise test failed"}, -+ {ERR_REASON(FIPS_R_PERSONALISATION_ERROR_UNDETECTED), -+ "personalisation error undetected"}, -+ {ERR_REASON(FIPS_R_PERSONALISATION_STRING_TOO_LONG), -+ "personalisation string too long"}, -+ {ERR_REASON(FIPS_R_PR_TEST1_FAILURE), "pr test1 failure"}, -+ {ERR_REASON(FIPS_R_PR_TEST2_FAILURE), "pr test2 failure"}, -+ {ERR_REASON(FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED), -+ "request length error undetected"}, -+ {ERR_REASON(FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG), -+ "request too large for drbg"}, -+ {ERR_REASON(FIPS_R_RESEED_COUNTER_ERROR), "reseed counter error"}, -+ {ERR_REASON(FIPS_R_RESEED_ERROR), "reseed error"}, -+ {ERR_REASON(FIPS_R_SELFTEST_FAILED), "selftest failed"}, -+ {ERR_REASON(FIPS_R_SELFTEST_FAILURE), "selftest failure"}, -+ {ERR_REASON(FIPS_R_TEST_FAILURE), "test failure"}, -+ {ERR_REASON(FIPS_R_UNINSTANTIATE_ERROR), "uninstantiate error"}, -+ {ERR_REASON(FIPS_R_UNINSTANTIATE_ZEROISE_ERROR), -+ "uninstantiate zeroise error"}, -+ {ERR_REASON(FIPS_R_UNSUPPORTED_DRBG_TYPE), "unsupported drbg type"}, -+ {ERR_REASON(FIPS_R_UNSUPPORTED_PLATFORM), "unsupported platform"}, -+ {0, NULL} -+}; -+ -+#endif -+ -+int ERR_load_FIPS_strings(void) -+{ -+#ifndef OPENSSL_NO_ERR -+ -+ if (ERR_func_error_string(FIPS_str_functs[0].error) == NULL) { -+ ERR_load_strings(0, FIPS_str_functs); -+ ERR_load_strings(0, FIPS_str_reasons); -+ } -+#endif -+ return 1; -+} -diff -up openssl-1.1.0h/crypto/fips/fips_ers.c.fips openssl-1.1.0h/crypto/fips/fips_ers.c ---- openssl-1.1.0h/crypto/fips/fips_ers.c.fips 2018-03-29 14:44:24.635236854 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_ers.c 2018-03-29 14:44:24.635236854 +0200 -@@ -0,0 +1,7 @@ -+#include -+ -+#ifdef OPENSSL_FIPS -+# include "fips_err.h" -+#else -+static void *dummy = &dummy; -+#endif -diff -up openssl-1.1.0h/crypto/fips/fips_hmac_selftest.c.fips openssl-1.1.0h/crypto/fips/fips_hmac_selftest.c ---- openssl-1.1.0h/crypto/fips/fips_hmac_selftest.c.fips 2018-03-29 14:44:24.635236854 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_hmac_selftest.c 2018-03-29 14:44:24.635236854 +0200 -@@ -0,0 +1,134 @@ -+/* ==================================================================== -+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#include -+#include -+#ifdef OPENSSL_FIPS -+# include -+#endif -+#include -+ -+#ifdef OPENSSL_FIPS -+typedef struct { -+ const EVP_MD *(*alg) (void); -+ const char *key, *iv; -+ unsigned char kaval[EVP_MAX_MD_SIZE]; -+} HMAC_KAT; -+ -+static const HMAC_KAT vector[] = { -+ {EVP_sha1, -+ /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */ -+ "0123456789:;<=>?@ABC", -+ "Sample #2", -+ {0x09, 0x22, 0xd3, 0x40, 0x5f, 0xaa, 0x3d, 0x19, -+ 0x4f, 0x82, 0xa4, 0x58, 0x30, 0x73, 0x7d, 0x5c, -+ 0xc6, 0xc7, 0x5d, 0x24} -+ }, -+ {EVP_sha224, -+ /* just keep extending the above... */ -+ "0123456789:;<=>?@ABC", -+ "Sample #2", -+ {0xdd, 0xef, 0x0a, 0x40, 0xcb, 0x7d, 0x50, 0xfb, -+ 0x6e, 0xe6, 0xce, 0xa1, 0x20, 0xba, 0x26, 0xaa, -+ 0x08, 0xf3, 0x07, 0x75, 0x87, 0xb8, 0xad, 0x1b, -+ 0x8c, 0x8d, 0x12, 0xc7} -+ }, -+ {EVP_sha256, -+ "0123456789:;<=>?@ABC", -+ "Sample #2", -+ {0xb8, 0xf2, 0x0d, 0xb5, 0x41, 0xea, 0x43, 0x09, -+ 0xca, 0x4e, 0xa9, 0x38, 0x0c, 0xd0, 0xe8, 0x34, -+ 0xf7, 0x1f, 0xbe, 0x91, 0x74, 0xa2, 0x61, 0x38, -+ 0x0d, 0xc1, 0x7e, 0xae, 0x6a, 0x34, 0x51, 0xd9} -+ }, -+ {EVP_sha384, -+ "0123456789:;<=>?@ABC", -+ "Sample #2", -+ {0x08, 0xbc, 0xb0, 0xda, 0x49, 0x1e, 0x87, 0xad, -+ 0x9a, 0x1d, 0x6a, 0xce, 0x23, 0xc5, 0x0b, 0xf6, -+ 0xb7, 0x18, 0x06, 0xa5, 0x77, 0xcd, 0x49, 0x04, -+ 0x89, 0xf1, 0xe6, 0x23, 0x44, 0x51, 0x51, 0x9f, -+ 0x85, 0x56, 0x80, 0x79, 0x0c, 0xbd, 0x4d, 0x50, -+ 0xa4, 0x5f, 0x29, 0xe3, 0x93, 0xf0, 0xe8, 0x7f} -+ }, -+ {EVP_sha512, -+ "0123456789:;<=>?@ABC", -+ "Sample #2", -+ {0x80, 0x9d, 0x44, 0x05, 0x7c, 0x5b, 0x95, 0x41, -+ 0x05, 0xbd, 0x04, 0x13, 0x16, 0xdb, 0x0f, 0xac, -+ 0x44, 0xd5, 0xa4, 0xd5, 0xd0, 0x89, 0x2b, 0xd0, -+ 0x4e, 0x86, 0x64, 0x12, 0xc0, 0x90, 0x77, 0x68, -+ 0xf1, 0x87, 0xb7, 0x7c, 0x4f, 0xae, 0x2c, 0x2f, -+ 0x21, 0xa5, 0xb5, 0x65, 0x9a, 0x4f, 0x4b, 0xa7, -+ 0x47, 0x02, 0xa3, 0xde, 0x9b, 0x51, 0xf1, 0x45, -+ 0xbd, 0x4f, 0x25, 0x27, 0x42, 0x98, 0x99, 0x05} -+ }, -+}; -+ -+int FIPS_selftest_hmac() -+{ -+ int n; -+ unsigned int outlen; -+ unsigned char out[EVP_MAX_MD_SIZE]; -+ const EVP_MD *md; -+ const HMAC_KAT *t; -+ -+ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) { -+ md = (*t->alg) (); -+ HMAC(md, t->key, strlen(t->key), -+ (const unsigned char *)t->iv, strlen(t->iv), out, &outlen); -+ -+ if (memcmp(out, t->kaval, outlen)) { -+ FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC, FIPS_R_SELFTEST_FAILED); -+ return 0; -+ } -+ } -+ return 1; -+} -+#endif -diff -up openssl-1.1.0h/crypto/fips/fips_locl.h.fips openssl-1.1.0h/crypto/fips/fips_locl.h ---- openssl-1.1.0h/crypto/fips/fips_locl.h.fips 2018-03-29 14:44:24.635236854 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_locl.h 2018-03-29 14:44:24.635236854 +0200 -@@ -0,0 +1,71 @@ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#ifdef OPENSSL_FIPS -+ -+# ifdef __cplusplus -+extern "C" { -+# endif -+ -+# define FIPS_MAX_CIPHER_TEST_SIZE 32 -+# define fips_load_key_component(comp, pre) \ -+ comp = BN_bin2bn(pre##_##comp, sizeof(pre##_##comp), NULL); \ -+ if (!comp) \ -+ goto err -+ -+# define fips_post_started(id, subid, ex) 1 -+# define fips_post_success(id, subid, ex) 1 -+# define fips_post_failed(id, subid, ex) 1 -+# define fips_post_corrupt(id, subid, ex) 1 -+# define fips_post_status() 1 -+ -+# ifdef __cplusplus -+} -+# endif -+#endif -diff -up openssl-1.1.0h/crypto/fips/fips_md.c.fips openssl-1.1.0h/crypto/fips/fips_md.c ---- openssl-1.1.0h/crypto/fips/fips_md.c.fips 2018-03-29 14:44:24.635236854 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_md.c 2018-03-29 14:44:24.635236854 +0200 -@@ -0,0 +1,144 @@ -+/* fips/evp/fips_md.c */ -+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) -+ * All rights reserved. -+ * -+ * This package is an SSL implementation written -+ * by Eric Young (eay@cryptsoft.com). -+ * The implementation was written so as to conform with Netscapes SSL. -+ * -+ * This library is free for commercial and non-commercial use as long as -+ * the following conditions are aheared to. The following conditions -+ * apply to all code found in this distribution, be it the RC4, RSA, -+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation -+ * included with this distribution is covered by the same copyright terms -+ * except that the holder is Tim Hudson (tjh@cryptsoft.com). -+ * -+ * Copyright remains Eric Young's, and as such any Copyright notices in -+ * the code are not to be removed. -+ * If this package is used in a product, Eric Young should be given attribution -+ * as the author of the parts of the library used. -+ * This can be in the form of a textual message at program startup or -+ * in documentation (online or textual) provided with the package. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. All advertising materials mentioning features or use of this software -+ * must display the following acknowledgement: -+ * "This product includes cryptographic software written by -+ * Eric Young (eay@cryptsoft.com)" -+ * The word 'cryptographic' can be left out if the rouines from the library -+ * being used are not cryptographic related :-). -+ * 4. If you include any Windows specific code (or a derivative thereof) from -+ * the apps directory (application code) you must include an acknowledgement: -+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND -+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -+ * SUCH DAMAGE. -+ * -+ * The licence and distribution terms for any publically available version or -+ * derivative of this code cannot be changed. i.e. this code cannot simply be -+ * copied and put under another distribution licence -+ * [including the GNU Public Licence.] -+ */ -+/* ==================================================================== -+ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * ==================================================================== -+ * -+ * This product includes cryptographic software written by Eric Young -+ * (eay@cryptsoft.com). This product includes software written by Tim -+ * Hudson (tjh@cryptsoft.com). -+ * -+ */ -+ -+/* Minimal standalone FIPS versions of Digest operations */ -+ -+#define OPENSSL_FIPSAPI -+ -+#include -+#include -+#include -+#include -+#include -+#include -+ -+const EVP_MD *FIPS_get_digestbynid(int nid) -+{ -+ switch (nid) { -+ case NID_sha1: -+ return EVP_sha1(); -+ -+ case NID_sha224: -+ return EVP_sha224(); -+ -+ case NID_sha256: -+ return EVP_sha256(); -+ -+ case NID_sha384: -+ return EVP_sha384(); -+ -+ case NID_sha512: -+ return EVP_sha512(); -+ -+ default: -+ return NULL; -+ } -+} -diff -up openssl-1.1.0h/crypto/fips/fips_post.c.fips openssl-1.1.0h/crypto/fips/fips_post.c ---- openssl-1.1.0h/crypto/fips/fips_post.c.fips 2018-03-29 14:44:24.636236877 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_post.c 2018-03-29 14:44:24.635236854 +0200 -@@ -0,0 +1,222 @@ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#define OPENSSL_FIPSAPI -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#ifdef OPENSSL_FIPS -+ -+/* Power on self test (POST) support functions */ -+ -+# include -+# include "internal/fips_int.h" -+# include "fips_locl.h" -+ -+/* Run all selftests */ -+int FIPS_selftest(void) -+{ -+ int rv = 1; -+ if (!FIPS_selftest_drbg()) -+ rv = 0; -+ if (!FIPS_selftest_sha1()) -+ rv = 0; -+ if (!FIPS_selftest_sha2()) -+ rv = 0; -+ if (!FIPS_selftest_hmac()) -+ rv = 0; -+ if (!FIPS_selftest_cmac()) -+ rv = 0; -+ if (!FIPS_selftest_aes()) -+ rv = 0; -+ if (!FIPS_selftest_aes_ccm()) -+ rv = 0; -+ if (!FIPS_selftest_aes_gcm()) -+ rv = 0; -+ if (!FIPS_selftest_aes_xts()) -+ rv = 0; -+ if (!FIPS_selftest_des()) -+ rv = 0; -+ if (!FIPS_selftest_rsa()) -+ rv = 0; -+ if (!FIPS_selftest_ecdsa()) -+ rv = 0; -+ if (!FIPS_selftest_dsa()) -+ rv = 0; -+ if (!FIPS_selftest_dh()) -+ rv = 0; -+ if (!FIPS_selftest_ecdh()) -+ rv = 0; -+ return rv; -+} -+ -+/* Generalized public key test routine. Signs and verifies the data -+ * supplied in tbs using mesage digest md and setting option digest -+ * flags md_flags. If the 'kat' parameter is not NULL it will -+ * additionally check the signature matches it: a known answer test -+ * The string "fail_str" is used for identification purposes in case -+ * of failure. If "pkey" is NULL just perform a message digest check. -+ */ -+ -+int fips_pkey_signature_test(EVP_PKEY *pkey, -+ const unsigned char *tbs, int tbslen, -+ const unsigned char *kat, unsigned int katlen, -+ const EVP_MD *digest, unsigned int flags, -+ const char *fail_str) -+{ -+ int ret = 0; -+ unsigned char sigtmp[256], *sig = sigtmp; -+ size_t siglen = sizeof(sigtmp); -+ EVP_MD_CTX *mctx; -+ EVP_PKEY_CTX *pctx; -+ -+ if (digest == NULL) -+ digest = EVP_sha256(); -+ -+ mctx = EVP_MD_CTX_new(); -+ -+ if ((EVP_PKEY_id(pkey) == EVP_PKEY_RSA) -+ && (RSA_size(EVP_PKEY_get0_RSA(pkey)) > sizeof(sigtmp))) { -+ sig = OPENSSL_malloc(RSA_size(EVP_PKEY_get0_RSA(pkey))); -+ siglen = RSA_size(EVP_PKEY_get0_RSA(pkey)); -+ } -+ if (!sig || ! mctx) { -+ EVP_MD_CTX_free(mctx); -+ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, ERR_R_MALLOC_FAILURE); -+ return 0; -+ } -+ -+ if (tbslen == -1) -+ tbslen = strlen((char *)tbs); -+ -+ if (EVP_DigestSignInit(mctx, &pctx, digest, NULL, pkey) <= 0) -+ goto error; -+ -+ if (flags == EVP_MD_CTX_FLAG_PAD_PSS) { -+ EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING); -+ EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 0); -+ } -+ -+ if (EVP_DigestSignUpdate(mctx, tbs, tbslen) <= 0) -+ goto error; -+ -+ if (EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) -+ goto error; -+ -+ if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen))) -+ goto error; -+ -+ if (EVP_DigestVerifyInit(mctx, &pctx, digest, NULL, pkey) <= 0) -+ goto error; -+ -+ if (flags == EVP_MD_CTX_FLAG_PAD_PSS) { -+ EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING); -+ EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 0); -+ } -+ -+ if (EVP_DigestVerifyUpdate(mctx, tbs, tbslen) <= 0) -+ goto error; -+ -+ ret = EVP_DigestVerifyFinal(mctx, sig, siglen); -+ -+ error: -+ if (sig != sigtmp) -+ OPENSSL_free(sig); -+ EVP_MD_CTX_free(mctx); -+ if (ret <= 0) { -+ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, FIPS_R_TEST_FAILURE); -+ if (fail_str) -+ ERR_add_error_data(2, "Type=", fail_str); -+ return 0; -+ } -+ return 1; -+} -+ -+/* Generalized symmetric cipher test routine. Encrypt data, verify result -+ * against known answer, decrypt and compare with original plaintext. -+ */ -+ -+int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, -+ const unsigned char *key, -+ const unsigned char *iv, -+ const unsigned char *plaintext, -+ const unsigned char *ciphertext, int len) -+{ -+ unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE]; -+ unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE]; -+ -+ OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE); -+ memset(pltmp, 0, FIPS_MAX_CIPHER_TEST_SIZE); -+ memset(citmp, 0, FIPS_MAX_CIPHER_TEST_SIZE); -+ -+ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0) -+ return 0; -+ if (EVP_Cipher(ctx, citmp, plaintext, len) <= 0) -+ return 0; -+ if (memcmp(citmp, ciphertext, len)) -+ return 0; -+ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0) -+ return 0; -+ if (EVP_Cipher(ctx, pltmp, citmp, len) <= 0) -+ return 0; -+ if (memcmp(pltmp, plaintext, len)) -+ return 0; -+ return 1; -+} -+#endif -diff -up openssl-1.1.0h/crypto/fips/fips_rand_lcl.h.fips openssl-1.1.0h/crypto/fips/fips_rand_lcl.h ---- openssl-1.1.0h/crypto/fips/fips_rand_lcl.h.fips 2018-03-29 14:44:24.636236877 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_rand_lcl.h 2018-03-29 14:44:24.636236877 +0200 -@@ -0,0 +1,209 @@ -+/* fips/rand/fips_rand_lcl.h */ -+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL -+ * project. -+ */ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * ==================================================================== -+ */ -+ -+typedef struct drbg_hash_ctx_st DRBG_HASH_CTX; -+typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX; -+typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX; -+ -+/* 888 bits from 10.1 table 2 */ -+#define HASH_PRNG_MAX_SEEDLEN 111 -+ -+struct drbg_hash_ctx_st { -+ const EVP_MD *md; -+ EVP_MD_CTX *mctx; -+ unsigned char V[HASH_PRNG_MAX_SEEDLEN]; -+ unsigned char C[HASH_PRNG_MAX_SEEDLEN]; -+ /* Temporary value storage: should always exceed max digest length */ -+ unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN]; -+}; -+ -+struct drbg_hmac_ctx_st { -+ const EVP_MD *md; -+ HMAC_CTX *hctx; -+ unsigned char K[EVP_MAX_MD_SIZE]; -+ unsigned char V[EVP_MAX_MD_SIZE]; -+}; -+ -+struct drbg_ctr_ctx_st { -+ AES_KEY ks; -+ size_t keylen; -+ unsigned char K[32]; -+ unsigned char V[16]; -+ /* Temp variables used by derivation function */ -+ AES_KEY df_ks; -+ AES_KEY df_kxks; -+ /* Temporary block storage used by ctr_df */ -+ unsigned char bltmp[16]; -+ size_t bltmp_pos; -+ unsigned char KX[48]; -+}; -+ -+/* DRBG internal flags */ -+ -+/* Functions shouldn't call err library */ -+#define DRBG_FLAG_NOERR 0x1 -+/* Custom reseed checking */ -+#define DRBG_CUSTOM_RESEED 0x2 -+ -+/* DRBG status values */ -+/* not initialised */ -+#define DRBG_STATUS_UNINITIALISED 0 -+/* ok and ready to generate random bits */ -+#define DRBG_STATUS_READY 1 -+/* reseed required */ -+#define DRBG_STATUS_RESEED 2 -+/* fatal error condition */ -+#define DRBG_STATUS_ERROR 3 -+ -+/* A default maximum length: larger than any reasonable value used in pratice */ -+ -+#define DRBG_MAX_LENGTH 0x7ffffff0 -+/* Maximum DRBG block length: all md sizes are bigger than cipher blocks sizes -+ * so use max digest length. -+ */ -+#define DRBG_MAX_BLOCK EVP_MAX_MD_SIZE -+ -+#define DRBG_HEALTH_INTERVAL (1 << 24) -+ -+/* DRBG context structure */ -+ -+struct drbg_ctx_st { -+ /* First types common to all implementations */ -+ /* DRBG type: a NID for the underlying algorithm */ -+ int type; -+ /* Various external flags */ -+ unsigned int xflags; -+ /* Various internal use only flags */ -+ unsigned int iflags; -+ /* Used for periodic health checks */ -+ int health_check_cnt, health_check_interval; -+ -+ /* The following parameters are setup by mechanism drbg_init() call */ -+ int strength; -+ size_t blocklength; -+ size_t max_request; -+ -+ size_t min_entropy, max_entropy; -+ size_t min_nonce, max_nonce; -+ size_t max_pers, max_adin; -+ unsigned int reseed_counter; -+ unsigned int reseed_interval; -+ size_t seedlen; -+ int status; -+ /* Application data: typically used by test get_entropy */ -+ void *app_data; -+ /* Implementation specific structures */ -+ union { -+ DRBG_HASH_CTX hash; -+ DRBG_HMAC_CTX hmac; -+ DRBG_CTR_CTX ctr; -+ } d; -+ /* Initialiase PRNG and setup callbacks below */ -+ int (*init) (DRBG_CTX *ctx, int nid, int security, unsigned int flags); -+ /* Intantiate PRNG */ -+ int (*instantiate) (DRBG_CTX *ctx, -+ const unsigned char *ent, size_t entlen, -+ const unsigned char *nonce, size_t noncelen, -+ const unsigned char *pers, size_t perslen); -+ /* reseed */ -+ int (*reseed) (DRBG_CTX *ctx, -+ const unsigned char *ent, size_t entlen, -+ const unsigned char *adin, size_t adinlen); -+ /* generat output */ -+ int (*generate) (DRBG_CTX *ctx, -+ unsigned char *out, size_t outlen, -+ const unsigned char *adin, size_t adinlen); -+ /* uninstantiate */ -+ int (*uninstantiate) (DRBG_CTX *ctx); -+ -+ /* Entropy source block length */ -+ size_t entropy_blocklen; -+ -+ /* entropy gathering function */ -+ size_t (*get_entropy) (DRBG_CTX *ctx, unsigned char **pout, -+ int entropy, size_t min_len, size_t max_len); -+ /* Indicates we have finished with entropy buffer */ -+ void (*cleanup_entropy) (DRBG_CTX *ctx, unsigned char *out, size_t olen); -+ -+ /* nonce gathering function */ -+ size_t (*get_nonce) (DRBG_CTX *ctx, unsigned char **pout, -+ int entropy, size_t min_len, size_t max_len); -+ /* Indicates we have finished with nonce buffer */ -+ void (*cleanup_nonce) (DRBG_CTX *ctx, unsigned char *out, size_t olen); -+ -+ /* Continuous random number test temporary area */ -+ /* Last block */ -+ unsigned char lb[EVP_MAX_MD_SIZE]; -+ /* set if lb is valid */ -+ int lb_valid; -+ -+ /* Callbacks used when called through RAND interface */ -+ /* Get any additional input for generate */ -+ size_t (*get_adin) (DRBG_CTX *ctx, unsigned char **pout); -+ void (*cleanup_adin) (DRBG_CTX *ctx, unsigned char *out, size_t olen); -+ /* Callback for RAND_seed(), RAND_add() */ -+ int (*rand_seed_cb) (DRBG_CTX *ctx, const void *buf, int num); -+ int (*rand_add_cb) (DRBG_CTX *ctx, -+ const void *buf, int num, double entropy); -+}; -+ -+int fips_drbg_ctr_init(DRBG_CTX *dctx); -+int fips_drbg_hash_init(DRBG_CTX *dctx); -+int fips_drbg_hmac_init(DRBG_CTX *dctx); -+int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags); -+int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out); -+ -+#define FIPS_digestinit EVP_DigestInit -+#define FIPS_digestupdate EVP_DigestUpdate -+#define FIPS_digestfinal EVP_DigestFinal -+#define M_EVP_MD_size EVP_MD_size -diff -up openssl-1.1.0h/crypto/fips/fips_rand_lib.c.fips openssl-1.1.0h/crypto/fips/fips_rand_lib.c ---- openssl-1.1.0h/crypto/fips/fips_rand_lib.c.fips 2018-03-29 14:44:24.636236877 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_rand_lib.c 2018-03-29 14:44:24.636236877 +0200 -@@ -0,0 +1,234 @@ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't -+ be defined and gettimeofday() won't be declared with strict compilers -+ like DEC C in ANSI C mode. */ -+#ifndef _XOPEN_SOURCE_EXTENDED -+# define _XOPEN_SOURCE_EXTENDED 1 -+#endif -+ -+#include -+#include -+#include -+#include -+#include "internal/fips_int.h" -+#include -+#include "e_os.h" -+ -+#if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS)) -+# include -+#endif -+#if defined(OPENSSL_SYS_VXWORKS) -+# include -+#endif -+#ifndef OPENSSL_SYS_WIN32 -+# ifdef OPENSSL_UNISTD -+# include OPENSSL_UNISTD -+# else -+# include -+# endif -+#endif -+ -+/* FIPS API for PRNG use. Similar to RAND functionality but without -+ * ENGINE and additional checking for non-FIPS rand methods. -+ */ -+ -+static const RAND_METHOD *fips_rand_meth = NULL; -+static int fips_approved_rand_meth = 0; -+static int fips_rand_bits = 0; -+ -+/* Allows application to override number of bits and uses non-FIPS methods */ -+void FIPS_rand_set_bits(int nbits) -+{ -+ fips_rand_bits = nbits; -+} -+ -+int FIPS_rand_set_method(const RAND_METHOD *meth) -+{ -+ if (!fips_rand_bits) { -+ if (meth == FIPS_drbg_method()) -+ fips_approved_rand_meth = 1; -+ else { -+ fips_approved_rand_meth = 0; -+ if (FIPS_module_mode()) { -+ FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD, FIPS_R_NON_FIPS_METHOD); -+ return 0; -+ } -+ } -+ } -+ fips_rand_meth = meth; -+ return 1; -+} -+ -+const RAND_METHOD *FIPS_rand_get_method(void) -+{ -+ return fips_rand_meth; -+} -+ -+void FIPS_rand_reset(void) -+{ -+ if (fips_rand_meth && fips_rand_meth->cleanup) -+ fips_rand_meth->cleanup(); -+} -+ -+int FIPS_rand_seed(const void *buf, int num) -+{ -+ if (!fips_approved_rand_meth && FIPS_module_mode()) { -+ FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD); -+ return 0; -+ } -+ if (fips_rand_meth && fips_rand_meth->seed) -+ fips_rand_meth->seed(buf, num); -+ return 1; -+} -+ -+int FIPS_rand_bytes(unsigned char *buf, int num) -+{ -+ if (!fips_approved_rand_meth && FIPS_module_mode()) { -+ FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD); -+ return 0; -+ } -+ if (fips_rand_meth && fips_rand_meth->bytes) -+ return fips_rand_meth->bytes(buf, num); -+ return 0; -+} -+ -+int FIPS_rand_status(void) -+{ -+ if (!fips_approved_rand_meth && FIPS_module_mode()) { -+ FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD); -+ return 0; -+ } -+ if (fips_rand_meth && fips_rand_meth->status) -+ return fips_rand_meth->status(); -+ return 0; -+} -+ -+/* Return instantiated strength of PRNG. For DRBG this is an internal -+ * parameter. Any other type of PRNG is not approved and returns 0 in -+ * FIPS mode and maximum 256 outside FIPS mode. -+ */ -+ -+int FIPS_rand_strength(void) -+{ -+ if (fips_rand_bits) -+ return fips_rand_bits; -+ if (fips_approved_rand_meth == 1) -+ return FIPS_drbg_get_strength(FIPS_get_default_drbg()); -+ else if (fips_approved_rand_meth == 0) { -+ if (FIPS_module_mode()) -+ return 0; -+ else -+ return 256; -+ } -+ return 0; -+} -+ -+void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr) -+{ -+# ifdef OPENSSL_SYS_WIN32 -+ FILETIME ft; -+# elif defined(OPENSSL_SYS_VXWORKS) -+ struct timespec ts; -+# else -+ struct timeval tv; -+# endif -+ -+# ifndef GETPID_IS_MEANINGLESS -+ unsigned long pid; -+# endif -+ -+# ifdef OPENSSL_SYS_WIN32 -+ GetSystemTimeAsFileTime(&ft); -+ buf[0] = (unsigned char)(ft.dwHighDateTime & 0xff); -+ buf[1] = (unsigned char)((ft.dwHighDateTime >> 8) & 0xff); -+ buf[2] = (unsigned char)((ft.dwHighDateTime >> 16) & 0xff); -+ buf[3] = (unsigned char)((ft.dwHighDateTime >> 24) & 0xff); -+ buf[4] = (unsigned char)(ft.dwLowDateTime & 0xff); -+ buf[5] = (unsigned char)((ft.dwLowDateTime >> 8) & 0xff); -+ buf[6] = (unsigned char)((ft.dwLowDateTime >> 16) & 0xff); -+ buf[7] = (unsigned char)((ft.dwLowDateTime >> 24) & 0xff); -+# elif defined(OPENSSL_SYS_VXWORKS) -+ clock_gettime(CLOCK_REALTIME, &ts); -+ buf[0] = (unsigned char)(ts.tv_sec & 0xff); -+ buf[1] = (unsigned char)((ts.tv_sec >> 8) & 0xff); -+ buf[2] = (unsigned char)((ts.tv_sec >> 16) & 0xff); -+ buf[3] = (unsigned char)((ts.tv_sec >> 24) & 0xff); -+ buf[4] = (unsigned char)(ts.tv_nsec & 0xff); -+ buf[5] = (unsigned char)((ts.tv_nsec >> 8) & 0xff); -+ buf[6] = (unsigned char)((ts.tv_nsec >> 16) & 0xff); -+ buf[7] = (unsigned char)((ts.tv_nsec >> 24) & 0xff); -+# else -+ gettimeofday(&tv, NULL); -+ buf[0] = (unsigned char)(tv.tv_sec & 0xff); -+ buf[1] = (unsigned char)((tv.tv_sec >> 8) & 0xff); -+ buf[2] = (unsigned char)((tv.tv_sec >> 16) & 0xff); -+ buf[3] = (unsigned char)((tv.tv_sec >> 24) & 0xff); -+ buf[4] = (unsigned char)(tv.tv_usec & 0xff); -+ buf[5] = (unsigned char)((tv.tv_usec >> 8) & 0xff); -+ buf[6] = (unsigned char)((tv.tv_usec >> 16) & 0xff); -+ buf[7] = (unsigned char)((tv.tv_usec >> 24) & 0xff); -+# endif -+ buf[8] = (unsigned char)(*pctr & 0xff); -+ buf[9] = (unsigned char)((*pctr >> 8) & 0xff); -+ buf[10] = (unsigned char)((*pctr >> 16) & 0xff); -+ buf[11] = (unsigned char)((*pctr >> 24) & 0xff); -+ -+ (*pctr)++; -+ -+# ifndef GETPID_IS_MEANINGLESS -+ pid = (unsigned long)getpid(); -+ buf[12] = (unsigned char)(pid & 0xff); -+ buf[13] = (unsigned char)((pid >> 8) & 0xff); -+ buf[14] = (unsigned char)((pid >> 16) & 0xff); -+ buf[15] = (unsigned char)((pid >> 24) & 0xff); -+# endif -+} -+ -diff -up openssl-1.1.0h/crypto/fips/fips_randtest.c.fips openssl-1.1.0h/crypto/fips/fips_randtest.c ---- openssl-1.1.0h/crypto/fips/fips_randtest.c.fips 2018-03-29 14:44:24.636236877 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_randtest.c 2018-03-29 14:44:24.636236877 +0200 -@@ -0,0 +1,247 @@ -+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) -+ * All rights reserved. -+ * -+ * This package is an SSL implementation written -+ * by Eric Young (eay@cryptsoft.com). -+ * The implementation was written so as to conform with Netscapes SSL. -+ * -+ * This library is free for commercial and non-commercial use as long as -+ * the following conditions are aheared to. The following conditions -+ * apply to all code found in this distribution, be it the RC4, RSA, -+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation -+ * included with this distribution is covered by the same copyright terms -+ * except that the holder is Tim Hudson (tjh@cryptsoft.com). -+ * -+ * Copyright remains Eric Young's, and as such any Copyright notices in -+ * the code are not to be removed. -+ * If this package is used in a product, Eric Young should be given attribution -+ * as the author of the parts of the library used. -+ * This can be in the form of a textual message at program startup or -+ * in documentation (online or textual) provided with the package. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. All advertising materials mentioning features or use of this software -+ * must display the following acknowledgement: -+ * "This product includes cryptographic software written by -+ * Eric Young (eay@cryptsoft.com)" -+ * The word 'cryptographic' can be left out if the rouines from the library -+ * being used are not cryptographic related :-). -+ * 4. If you include any Windows specific code (or a derivative thereof) from -+ * the apps directory (application code) you must include an acknowledgement: -+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND -+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -+ * SUCH DAMAGE. -+ * -+ * The licence and distribution terms for any publically available version or -+ * derivative of this code cannot be changed. i.e. this code cannot simply be -+ * copied and put under another distribution licence -+ * [including the GNU Public Licence.] -+ */ -+/* ==================================================================== -+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "e_os.h" -+ -+#ifndef OPENSSL_FIPS -+int main(int argc, char *argv[]) -+{ -+ printf("No FIPS RAND support\n"); -+ return (0); -+} -+ -+#else -+ -+# include "fips_utl.h" -+# include -+ -+typedef struct { -+ unsigned char DT[16]; -+ unsigned char V[16]; -+ unsigned char R[16]; -+} AES_PRNG_MCT; -+ -+static const unsigned char aes_128_mct_key[16] = -+ { 0x9f, 0x5b, 0x51, 0x20, 0x0b, 0xf3, 0x34, 0xb5, -+ 0xd8, 0x2b, 0xe8, 0xc3, 0x72, 0x55, 0xc8, 0x48 -+}; -+ -+static const AES_PRNG_MCT aes_128_mct_tv = { -+ /* DT */ -+ {0x63, 0x76, 0xbb, 0xe5, 0x29, 0x02, 0xba, 0x3b, -+ 0x67, 0xc9, 0x25, 0xfa, 0x70, 0x1f, 0x11, 0xac}, -+ /* V */ -+ {0x57, 0x2c, 0x8e, 0x76, 0x87, 0x26, 0x47, 0x97, -+ 0x7e, 0x74, 0xfb, 0xdd, 0xc4, 0x95, 0x01, 0xd1}, -+ /* R */ -+ {0x48, 0xe9, 0xbd, 0x0d, 0x06, 0xee, 0x18, 0xfb, -+ 0xe4, 0x57, 0x90, 0xd5, 0xc3, 0xfc, 0x9b, 0x73} -+}; -+ -+static const unsigned char aes_192_mct_key[24] = -+ { 0xb7, 0x6c, 0x34, 0xd1, 0x09, 0x67, 0xab, 0x73, -+ 0x4d, 0x5a, 0xd5, 0x34, 0x98, 0x16, 0x0b, 0x91, -+ 0xbc, 0x35, 0x51, 0x16, 0x6b, 0xae, 0x93, 0x8a -+}; -+ -+static const AES_PRNG_MCT aes_192_mct_tv = { -+ /* DT */ -+ {0x84, 0xce, 0x22, 0x7d, 0x91, 0x5a, 0xa3, 0xc9, -+ 0x84, 0x3c, 0x0a, 0xb3, 0xa9, 0x63, 0x15, 0x52}, -+ /* V */ -+ {0xb6, 0xaf, 0xe6, 0x8f, 0x99, 0x9e, 0x90, 0x64, -+ 0xdd, 0xc7, 0x7a, 0xc1, 0xbb, 0x90, 0x3a, 0x6d}, -+ /* R */ -+ {0xfc, 0x85, 0x60, 0x9a, 0x29, 0x6f, 0xef, 0x21, -+ 0xdd, 0x86, 0x20, 0x32, 0x8a, 0x29, 0x6f, 0x47} -+}; -+ -+static const unsigned char aes_256_mct_key[32] = -+ { 0x9b, 0x05, 0xc8, 0x68, 0xff, 0x47, 0xf8, 0x3a, -+ 0xa6, 0x3a, 0xa8, 0xcb, 0x4e, 0x71, 0xb2, 0xe0, -+ 0xb8, 0x7e, 0xf1, 0x37, 0xb6, 0xb4, 0xf6, 0x6d, -+ 0x86, 0x32, 0xfc, 0x1f, 0x5e, 0x1d, 0x1e, 0x50 -+}; -+ -+static const AES_PRNG_MCT aes_256_mct_tv = { -+ /* DT */ -+ {0x31, 0x6e, 0x35, 0x9a, 0xb1, 0x44, 0xf0, 0xee, -+ 0x62, 0x6d, 0x04, 0x46, 0xe0, 0xa3, 0x92, 0x4c}, -+ /* V */ -+ {0x4f, 0xcd, 0xc1, 0x87, 0x82, 0x1f, 0x4d, 0xa1, -+ 0x3e, 0x0e, 0x56, 0x44, 0x59, 0xe8, 0x83, 0xca}, -+ /* R */ -+ {0xc8, 0x87, 0xc2, 0x61, 0x5b, 0xd0, 0xb9, 0xe1, -+ 0xe7, 0xf3, 0x8b, 0xd7, 0x5b, 0xd5, 0xf1, 0x8d} -+}; -+ -+static void dump(const unsigned char *b, int n) -+{ -+ while (n-- > 0) { -+ printf(" %02x", *b++); -+ } -+} -+ -+static void compare(const unsigned char *result, -+ const unsigned char *expected, int n) -+{ -+ int i; -+ -+ for (i = 0; i < n; ++i) -+ if (result[i] != expected[i]) { -+ puts("Random test failed, got:"); -+ dump(result, n); -+ puts("\n expected:"); -+ dump(expected, n); -+ putchar('\n'); -+ EXIT(1); -+ } -+} -+ -+static void run_test(const unsigned char *key, int keylen, -+ const AES_PRNG_MCT * tv) -+{ -+ unsigned char buf[16], dt[16]; -+ int i, j; -+ FIPS_x931_reset(); -+ FIPS_x931_test_mode(); -+ FIPS_x931_set_key(key, keylen); -+ FIPS_x931_seed(tv->V, 16); -+ memcpy(dt, tv->DT, 16); -+ for (i = 0; i < 10000; i++) { -+ FIPS_x931_set_dt(dt); -+ FIPS_x931_bytes(buf, 16); -+ /* Increment DT */ -+ for (j = 15; j >= 0; j--) { -+ dt[j]++; -+ if (dt[j]) -+ break; -+ } -+ } -+ -+ compare(buf, tv->R, 16); -+} -+ -+int main() -+{ -+ run_test(aes_128_mct_key, 16, &aes_128_mct_tv); -+ printf("FIPS PRNG test 1 done\n"); -+ run_test(aes_192_mct_key, 24, &aes_192_mct_tv); -+ printf("FIPS PRNG test 2 done\n"); -+ run_test(aes_256_mct_key, 32, &aes_256_mct_tv); -+ printf("FIPS PRNG test 3 done\n"); -+ return 0; -+} -+ -+#endif -diff -up openssl-1.1.0h/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.0h/crypto/fips/fips_rsa_selftest.c ---- openssl-1.1.0h/crypto/fips/fips_rsa_selftest.c.fips 2018-03-29 14:44:24.636236877 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_rsa_selftest.c 2018-03-29 14:44:24.636236877 +0200 -@@ -0,0 +1,578 @@ -+/* ==================================================================== -+ * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#include -+#include -+#ifdef OPENSSL_FIPS -+# include -+# include "internal/fips_int.h" -+#endif -+#include -+#include -+#include -+#include -+#include "fips_locl.h" -+ -+#ifdef OPENSSL_FIPS -+ -+static int setrsakey(RSA *key) -+{ -+ static const unsigned char keydata_n[] = { -+ 0x00, 0xc9, 0xd5, 0x6d, 0x9d, 0x90, 0xdb, 0x43, 0xd6, 0x02, 0xed, 0x96, 0x88, 0x13, 0x8a, -+ 0xb2, 0xbf, 0x6e, 0xa1, 0x06, 0x10, 0xb2, 0x78, 0x37, 0xa7, 0x14, 0xa8, 0xff, 0xdd, 0x00, -+ 0xdd, 0xb4, 0x93, 0xa0, 0x45, 0xcc, 0x96, 0x90, 0xed, 0xad, 0xa9, 0xdd, 0xc4, 0xd6, 0xca, -+ 0x0c, 0xf0, 0xed, 0x4f, 0x72, 0x5e, 0x21, 0x49, 0x9a, 0x18, 0x12, 0x15, 0x8f, 0x90, 0x5a, -+ 0xdb, 0xb6, 0x33, 0x99, 0xa3, 0xe6, 0xb4, 0xf0, 0xc4, 0x97, 0x21, 0x26, 0xbb, 0xe3, 0xba, -+ 0xf2, 0xff, 0xa0, 0x72, 0xda, 0x89, 0x63, 0x8e, 0x8b, 0x3e, 0x08, 0x9d, 0x92, 0x2a, 0xbe, -+ 0x16, 0xe1, 0x43, 0x15, 0xfc, 0x57, 0xc7, 0x1f, 0x09, 0x11, 0x67, 0x1c, 0xa9, 0x96, 0xd1, -+ 0x8b, 0x3e, 0x80, 0x93, 0xc1, 0x59, 0xd0, 0x6d, 0x39, 0xf2, 0xac, 0x95, 0xcc, 0x10, 0x75, -+ 0xe9, 0x31, 0x24, 0xd1, 0x43, 0xaf, 0x68, 0x52, 0x4b, 0xe7, 0x16, 0xd7, 0x49, 0x65, 0x6f, -+ 0x26, 0xc0, 0x86, 0xad, 0xc0, 0x07, 0x0a, 0xc1, 0xe1, 0x2f, 0x87, 0x85, 0x86, 0x3b, 0xdc, -+ 0x5a, 0x99, 0xbe, 0xe9, 0xf9, 0xb9, 0xe9, 0x82, 0x27, 0x51, 0x04, 0x15, 0xab, 0x06, 0x0e, -+ 0x76, 0x5a, 0x28, 0x8d, 0x92, 0xbd, 0xc5, 0xb5, 0x7b, 0xa8, 0xdf, 0x4e, 0x47, 0xa2, 0xc1, -+ 0xe7, 0x52, 0xbf, 0x47, 0xf7, 0x62, 0xe0, 0x3a, 0x6f, 0x4d, 0x6a, 0x4d, 0x4e, 0xd4, 0xb9, -+ 0x59, 0x69, 0xfa, 0xb2, 0x14, 0xc1, 0xee, 0xe6, 0x2f, 0x95, 0xcd, 0x94, 0x72, 0xae, 0xe4, -+ 0xdb, 0x18, 0x9a, 0xc4, 0xcd, 0x70, 0xbd, 0xee, 0x31, 0x16, 0xb7, 0x49, 0x65, 0xac, 0x40, -+ 0x19, 0x0e, 0xb5, 0x6d, 0x83, 0xf1, 0x36, 0xbb, 0x08, 0x2f, 0x2e, 0x4e, 0x92, 0x62, 0xa4, -+ 0xff, 0x50, 0xdb, 0x20, 0x45, 0xa2, 0xeb, 0x16, 0x7a, 0xf2, 0xd5, 0x28, 0xc1, 0xfd, 0x4e, -+ 0x03, 0x71 -+ }; -+ -+ static const unsigned char keydata_e[] = { 0x01, 0x00, 0x01 }; -+ -+ static const unsigned char keydata_d[] = { -+ 0x36, 0x27, 0x3d, 0xb1, 0xf9, 0x1b, 0xdb, 0xa7, 0xa0, 0x41, 0x7f, 0x12, 0x23, 0xac, 0x23, -+ 0x29, 0x99, 0xd5, 0x3a, 0x7b, 0x60, 0x67, 0x41, 0x07, 0x63, 0x53, 0xb4, 0xd2, 0xe7, 0x58, -+ 0x95, 0x0a, 0xc7, 0x05, 0xf3, 0x4e, 0xb2, 0xb4, 0x12, 0xd4, 0x70, 0xdc, 0x4f, 0x85, 0x06, -+ 0xd3, 0xdd, 0xd8, 0x63, 0x27, 0x3e, 0x67, 0x31, 0x21, 0x24, 0x39, 0x04, 0xbc, 0x06, 0xa4, -+ 0xcc, 0xce, 0x2b, 0x7a, 0xfe, 0x7b, 0xad, 0xde, 0x11, 0x6e, 0xa3, 0xa5, 0xe6, 0x04, 0x53, -+ 0x0e, 0xa3, 0x4e, 0x2d, 0xb4, 0x8f, 0x31, 0xbf, 0xca, 0x75, 0x25, 0x52, 0x02, 0x85, 0xde, -+ 0x3d, 0xb2, 0x72, 0x43, 0xb2, 0x89, 0x8a, 0x9a, 0x34, 0x41, 0x26, 0x3f, 0x9a, 0x67, 0xbe, -+ 0xa4, 0x96, 0x7b, 0x0e, 0x75, 0xba, 0xa6, 0x93, 0xd5, 0xb8, 0xd8, 0xb8, 0x57, 0xf2, 0x4b, -+ 0x0f, 0x14, 0x81, 0xd1, 0x57, 0x4e, 0xf6, 0x45, 0x4c, 0xa6, 0x3b, 0xd0, 0x70, 0xca, 0xd3, -+ 0x9d, 0x55, 0xde, 0x22, 0x05, 0xe7, 0x8e, 0x28, 0x4d, 0xee, 0x11, 0xcf, 0xb6, 0x67, 0x76, -+ 0x09, 0xd3, 0xe3, 0x3c, 0x13, 0xf9, 0x99, 0x34, 0x10, 0x7b, 0xec, 0x81, 0x38, 0xf0, 0xb6, -+ 0x34, 0x9c, 0x9b, 0x50, 0x6f, 0x0b, 0x91, 0x81, 0x4d, 0x89, 0x94, 0x04, 0x7b, 0xf0, 0x3c, -+ 0xf4, 0xb1, 0xb2, 0x00, 0x48, 0x8d, 0x5a, 0x8f, 0x88, 0x9e, 0xc5, 0xab, 0x3a, 0x9e, 0x44, -+ 0x3f, 0x54, 0xe7, 0xd9, 0x6e, 0x47, 0xaa, 0xa1, 0xbd, 0x40, 0x46, 0x31, 0xf9, 0xf0, 0x34, -+ 0xb6, 0x04, 0xe1, 0x2b, 0x5b, 0x73, 0x86, 0xdd, 0x3a, 0x92, 0x1b, 0x71, 0xc7, 0x3f, 0x32, -+ 0xe5, 0xc3, 0xc2, 0xab, 0xa1, 0x7e, 0xbf, 0xa4, 0x52, 0xa0, 0xb0, 0x68, 0x90, 0xd1, 0x20, -+ 0x12, 0x79, 0xe9, 0xd7, 0xc9, 0x40, 0xba, 0xf2, 0x19, 0xc7, 0xa5, 0x00, 0x92, 0x86, 0x0d, -+ 0x01 -+ }; -+ -+ static const unsigned char keydata_p[] = { -+ 0x00, 0xfc, 0x5c, 0x6e, 0x16, 0xce, 0x1f, 0x03, 0x7b, 0xcd, 0xf7, 0xb3, 0x72, 0xb2, 0x8f, -+ 0x16, 0x72, 0xb8, 0x56, 0xae, 0xf7, 0xcd, 0x67, 0xd8, 0x4e, 0x7d, 0x07, 0xaf, 0xd5, 0x43, -+ 0x26, 0xc3, 0x35, 0xbe, 0x43, 0x8f, 0x4e, 0x2f, 0x1c, 0x43, 0x4e, 0x6b, 0xd2, 0xb2, 0xec, -+ 0x52, 0x6d, 0x97, 0x52, 0x2b, 0xcc, 0x5c, 0x3a, 0x6b, 0xf4, 0x14, 0xc6, 0x74, 0xda, 0x66, -+ 0x38, 0x1c, 0x7a, 0x3f, 0x84, 0x2f, 0xe3, 0xf9, 0x5a, 0xb8, 0x65, 0x69, 0x46, 0x06, 0xa3, -+ 0x37, 0x79, 0xb2, 0xa1, 0x5b, 0x58, 0xed, 0x5e, 0xa7, 0x5f, 0x8c, 0x65, 0x66, 0xbb, 0xd1, -+ 0x24, 0x36, 0xe6, 0x37, 0xa7, 0x3d, 0x49, 0x77, 0x8a, 0x8c, 0x34, 0xd8, 0x69, 0x29, 0xf3, -+ 0x4d, 0x58, 0x22, 0xb0, 0x51, 0x24, 0xb6, 0x40, 0xa8, 0x86, 0x59, 0x0a, 0xb7, 0xba, 0x5c, -+ 0x97, 0xda, 0x57, 0xe8, 0x36, 0xda, 0x7a, 0x9c, 0xad -+ }; -+ -+ static const unsigned char keydata_q[] = { -+ 0x00, 0xcc, 0xbe, 0x7b, 0x09, 0x69, 0x06, 0xee, 0x45, 0xbf, 0x88, 0x47, 0x38, 0xa8, 0xf8, -+ 0x17, 0xe5, 0xb6, 0xba, 0x67, 0x55, 0xe3, 0xe8, 0x05, 0x8b, 0xb8, 0xe2, 0x53, 0xd6, 0x8e, -+ 0xef, 0x2c, 0xe7, 0x4f, 0x4a, 0xf7, 0x4e, 0x26, 0x8d, 0x85, 0x0b, 0x3f, 0xec, 0xc3, 0x1c, -+ 0xd4, 0xeb, 0xec, 0x6a, 0xc8, 0x72, 0x2a, 0x25, 0x7d, 0xfd, 0xa6, 0x77, 0x96, 0xf0, 0x1e, -+ 0xcd, 0x28, 0x57, 0xf8, 0x37, 0x30, 0x75, 0x6b, 0xbd, 0xd4, 0x7b, 0x0c, 0x87, 0xc5, 0x6c, -+ 0x87, 0x40, 0xa5, 0xbb, 0x27, 0x2c, 0x78, 0xc9, 0x74, 0x5a, 0x54, 0x5b, 0x0b, 0x30, 0x6f, -+ 0x44, 0x4a, 0xfa, 0x71, 0xe4, 0x21, 0x61, 0x66, 0xf9, 0xee, 0x65, 0xde, 0x7c, 0x04, 0xd7, -+ 0xfd, 0xa9, 0x15, 0x5b, 0x7f, 0xe2, 0x7a, 0xba, 0x69, 0x86, 0x72, 0xa6, 0x06, 0x8d, 0x9b, -+ 0x90, 0x55, 0x60, 0x9e, 0x4c, 0x5d, 0xa9, 0xb6, 0x55 -+ }; -+ -+ static const unsigned char keydata_dmp1[] = { -+ 0x7a, 0xd6, 0x12, 0xd0, 0x0e, 0xec, 0x91, 0xa9, 0x85, 0x8b, 0xf8, 0x50, 0xf0, 0x11, 0x2e, -+ 0x00, 0x11, 0x32, 0x40, 0x60, 0x66, 0x1f, 0x11, 0xee, 0xc2, 0x75, 0x27, 0x65, 0x4b, 0x16, -+ 0x67, 0x16, 0x95, 0xd2, 0x14, 0xc3, 0x1d, 0xb3, 0x48, 0x1f, 0xb7, 0xe4, 0x0b, 0x2b, 0x74, -+ 0xc3, 0xdb, 0x50, 0x27, 0xf9, 0x85, 0x3a, 0xfa, 0xa9, 0x08, 0x23, 0xc1, 0x65, 0x3d, 0x34, -+ 0x3a, 0xc8, 0x56, 0x7a, 0x65, 0x45, 0x36, 0x6e, 0xae, 0x2a, 0xce, 0x9f, 0x43, 0x43, 0xd7, -+ 0x10, 0xe9, 0x9e, 0x18, 0xf4, 0xa4, 0x35, 0xda, 0x8a, 0x6b, 0xb0, 0x3f, 0xdd, 0x53, 0xe3, -+ 0xa8, 0xc5, 0x4e, 0x79, 0x9d, 0x1f, 0x51, 0x8c, 0xa2, 0xca, 0x66, 0x3c, 0x6a, 0x2a, 0xff, -+ 0x8e, 0xd2, 0xf3, 0xb7, 0xcb, 0x82, 0xda, 0xde, 0x2c, 0xe6, 0xd2, 0x8c, 0xb3, 0xad, 0xb6, -+ 0x4c, 0x95, 0x55, 0x76, 0xbd, 0xc9, 0xc8, 0xd1 -+ }; -+ -+ static const unsigned char keydata_dmq1[] = { -+ 0x00, 0x83, 0x23, 0x1d, 0xbb, 0x11, 0x42, 0x17, 0x2b, 0x25, 0x5a, 0x2c, 0x03, 0xe6, 0x75, -+ 0xc1, 0x18, 0xa8, 0xc9, 0x0b, 0x96, 0xbf, 0xba, 0xc4, 0x92, 0x91, 0x80, 0xa5, 0x22, 0x2f, -+ 0xba, 0x91, 0x90, 0x36, 0x01, 0x56, 0x15, 0x00, 0x2c, 0x74, 0xa2, 0x97, 0xf7, 0x15, 0xa1, -+ 0x49, 0xdf, 0x32, 0x35, 0xd2, 0xdd, 0x0c, 0x91, 0xa6, 0xf8, 0xe7, 0xbe, 0x81, 0x36, 0x9b, -+ 0x03, 0xdc, 0x6b, 0x3b, 0xd8, 0x5d, 0x79, 0x57, 0xe0, 0xe6, 0x4f, 0x49, 0xdf, 0x4c, 0x5c, -+ 0x0e, 0xe5, 0x21, 0x41, 0x95, 0xfd, 0xad, 0xff, 0x9a, 0x3e, 0xa0, 0xf9, 0x0f, 0x59, 0x9e, -+ 0x6a, 0xa7, 0x7b, 0x71, 0xa7, 0x24, 0x9a, 0x36, 0x52, 0xae, 0x97, 0x20, 0xc1, 0x5e, 0x78, -+ 0xd9, 0x47, 0x8b, 0x1e, 0x67, 0xf2, 0xaf, 0x98, 0xe6, 0x2d, 0xef, 0x10, 0xd7, 0xf1, 0xab, -+ 0x49, 0xee, 0xe5, 0x4b, 0x7e, 0xae, 0x1f, 0x1d, 0x61 -+ }; -+ -+ static const unsigned char keydata_iqmp[] = { -+ 0x23, 0x96, 0xc1, 0x91, 0x17, 0x5e, 0x0a, 0x83, 0xd2, 0xdc, 0x7b, 0x69, 0xb2, 0x59, 0x1d, -+ 0x33, 0x58, 0x52, 0x3f, 0x18, 0xc7, 0x09, 0x50, 0x1c, 0xb9, 0xa1, 0xbb, 0x4c, 0xa2, 0x38, -+ 0x40, 0x4c, 0x9a, 0x8e, 0xfe, 0x9c, 0x90, 0x92, 0xd0, 0x71, 0x9f, 0x89, 0x99, 0x50, 0x91, -+ 0x1f, 0x34, 0x8b, 0x74, 0x53, 0x11, 0x11, 0x4a, 0x70, 0xe2, 0xf7, 0x30, 0xd8, 0x8c, 0x80, -+ 0xe1, 0xcc, 0x9f, 0xf1, 0x63, 0x17, 0x1a, 0x7d, 0x67, 0x29, 0x4c, 0xcb, 0x4e, 0x74, 0x7b, -+ 0xe0, 0x3e, 0x9e, 0x2f, 0xf4, 0x67, 0x8f, 0xec, 0xb9, 0x5c, 0x00, 0x1e, 0x7e, 0xa2, 0x7b, -+ 0x92, 0xc9, 0x6f, 0x4c, 0xe4, 0x0e, 0xf9, 0x48, 0x63, 0xcd, 0x50, 0x22, 0x5d, 0xbf, 0xb6, -+ 0x9d, 0x01, 0x33, 0x6a, 0xf4, 0x50, 0xbe, 0x86, 0x98, 0x4f, 0xca, 0x3f, 0x3a, 0xfa, 0xcf, -+ 0x07, 0x40, 0xc4, 0xaa, 0xad, 0xae, 0xbe, 0xbf -+ }; -+ -+ int rv = 0; -+ BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL, *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; -+ -+ fips_load_key_component(n, keydata); -+ fips_load_key_component(e, keydata); -+ fips_load_key_component(d, keydata); -+ fips_load_key_component(p, keydata); -+ fips_load_key_component(q, keydata); -+ fips_load_key_component(dmp1, keydata); -+ fips_load_key_component(dmq1, keydata); -+ fips_load_key_component(iqmp, keydata); -+ -+ RSA_set0_key(key, n, e, d); -+ RSA_set0_factors(key, p, q); -+ RSA_set0_crt_params(key, dmp1, dmq1, iqmp); -+ -+ rv = 1; -+err: -+ if (!rv) { -+ BN_free(n); -+ BN_free(e); -+ BN_free(d); -+ BN_free(p); -+ BN_free(q); -+ BN_free(dmp1); -+ BN_free(dmq1); -+ BN_free(iqmp); -+ } -+ return rv; -+} -+ -+/* Known Answer Test (KAT) data for the above RSA private key signing -+ * kat_tbs. -+ */ -+ -+static const unsigned char kat_tbs[] = -+ "OpenSSL FIPS 140-2 Public Key RSA KAT"; -+ -+static const unsigned char kat_RSA_PSS_SHA1[] = { -+ 0xC2, 0x80, 0x82, 0x56, 0xD8, 0xA7, 0xB2, 0x9C, 0xF5, 0xD6, 0x3C, 0xE3, -+ 0xBF, 0xE9, 0x3A, 0x53, 0x40, 0xAE, 0xF2, 0xA9, 0x6A, 0x39, 0x49, 0x5B, -+ 0x05, 0x7F, 0x67, 0x38, 0x2E, 0x1D, 0xE1, 0x93, 0x22, 0x65, 0x79, 0x84, -+ 0x68, 0xFA, 0xD8, 0xAF, 0xA1, 0x98, 0x61, 0x6F, 0x44, 0x27, 0xA6, 0x8B, -+ 0xCF, 0x0E, 0x13, 0xA9, 0xCE, 0xD7, 0x6C, 0xD2, 0x38, 0xB5, 0x16, 0xB9, -+ 0x66, 0x94, 0x48, 0xDE, 0x9E, 0x19, 0x3D, 0x6F, 0xB3, 0xA1, 0x9A, 0x19, -+ 0xDF, 0xFB, 0xAB, 0xA5, 0x9F, 0x38, 0xDA, 0xC9, 0x21, 0x8F, 0xCE, 0x98, -+ 0x01, 0x3A, 0xC8, 0xE0, 0xDF, 0xDA, 0xFC, 0xF0, 0xA6, 0x86, 0x29, 0xB5, -+ 0x7F, 0x61, 0xFB, 0xBA, 0xC5, 0x49, 0xB2, 0x7C, 0x6A, 0x26, 0x82, 0xC4, -+ 0x8F, 0xAA, 0x5B, 0x10, 0xD5, 0xEE, 0xA0, 0x55, 0x42, 0xEF, 0x32, 0x5A, -+ 0x3F, 0x55, 0xB3, 0x2C, 0x22, 0xE9, 0x65, 0xDA, 0x8D, 0x0A, 0xB9, 0x70, -+ 0x43, 0xCC, 0x3F, 0x64, 0x9C, 0xB5, 0x65, 0x49, 0xBD, 0x7F, 0x35, 0xC1, -+ 0x20, 0x85, 0x24, 0xFE, 0xAA, 0x6B, 0x37, 0x04, 0xA1, 0x0E, 0x9D, 0x5C, -+ 0xBA, 0x7F, 0x14, 0x69, 0xC5, 0x93, 0xB2, 0x33, 0xC2, 0xC0, 0xC7, 0xDF, -+ 0x7E, 0x9E, 0xA4, 0xB0, 0xA0, 0x64, 0xD2, 0xAC, 0xFC, 0xFD, 0xFD, 0x99, -+ 0x8F, 0x6A, 0x40, 0x26, 0xC1, 0x2E, 0x4E, 0x8B, 0x33, 0xBE, 0xF1, 0x45, -+ 0x59, 0x8F, 0x33, 0x40, 0x1D, 0x2A, 0xD2, 0xF7, 0x50, 0x83, 0x89, 0xCF, -+ 0x94, 0xC6, 0xF8, 0x36, 0xF0, 0x84, 0x0B, 0x85, 0xA5, 0x02, 0xA9, 0x0F, -+ 0x41, 0x7A, 0x77, 0xA3, 0x2F, 0x47, 0x1E, 0x1D, 0xEC, 0xE6, 0xD3, 0x01, -+ 0x1E, 0x6F, 0x7A, 0x96, 0x50, 0x37, 0x37, 0x4B, 0x27, 0x52, 0x0B, 0xDC, -+ 0xDB, 0xC7, 0xA9, 0x31, 0xB2, 0x40, 0xEE, 0x60, 0x41, 0x26, 0x6A, 0x05, -+ 0xCE, 0x08, 0x1D, 0x89 -+}; -+ -+static const unsigned char kat_RSA_PSS_SHA224[] = { -+ 0xB4, 0x01, 0x93, 0x16, 0x05, 0xF6, 0xEB, 0xE2, 0xA4, 0xEB, 0x48, 0xAA, -+ 0x00, 0xF4, 0xA1, 0x99, 0x0A, 0xB4, 0xB6, 0x63, 0xE9, 0x68, 0xCA, 0xB3, -+ 0x13, 0xD7, 0x66, 0x6A, 0xCD, 0xCB, 0x33, 0x9F, 0xE5, 0x84, 0xE2, 0xC3, -+ 0x0B, 0x53, 0xE5, 0x8B, 0x96, 0x4B, 0xDB, 0x2D, 0x80, 0xA4, 0x1D, 0xE3, -+ 0x81, 0xDC, 0x52, 0x99, 0xBA, 0x9B, 0x6A, 0x9D, 0x48, 0x1F, 0x73, 0xF7, -+ 0xAC, 0x09, 0x13, 0xA1, 0x16, 0x2C, 0x60, 0xFB, 0xBC, 0x25, 0xF7, 0x53, -+ 0xD1, 0x04, 0x5A, 0x3F, 0x95, 0x09, 0x5E, 0xE5, 0xA2, 0x7D, 0xFC, 0x2A, -+ 0x51, 0x1D, 0x21, 0xCE, 0x2B, 0x4E, 0x1B, 0xB8, 0xCB, 0xDD, 0x24, 0xEE, -+ 0x99, 0x1D, 0x37, 0xDC, 0xED, 0x5F, 0x2F, 0x48, 0x5E, 0x33, 0x94, 0x06, -+ 0x19, 0xCD, 0x5A, 0x26, 0x85, 0x77, 0x9D, 0xAF, 0x86, 0x97, 0xC9, 0x08, -+ 0xD5, 0x81, 0x0E, 0xB8, 0x9F, 0xB6, 0xAF, 0x20, 0x72, 0xDC, 0x13, 0x4D, -+ 0x7A, 0xE4, 0x5C, 0x81, 0xDE, 0xC0, 0x3D, 0x19, 0x9C, 0x33, 0x11, 0x07, -+ 0xD5, 0xA9, 0x51, 0x67, 0xCD, 0xFD, 0x37, 0x61, 0x14, 0x9F, 0xE7, 0x70, -+ 0x18, 0x32, 0xC3, 0x34, 0x54, 0x0D, 0x4F, 0xB4, 0xAE, 0x9F, 0xEC, 0x64, -+ 0xD8, 0xB2, 0x16, 0xA4, 0xB2, 0x99, 0x92, 0xCB, 0x7F, 0x1F, 0x06, 0x17, -+ 0x5F, 0xA1, 0x07, 0x68, 0xAE, 0xA7, 0x2D, 0x03, 0x91, 0x2A, 0x9D, 0x69, -+ 0xC2, 0x9D, 0x90, 0xF7, 0xF9, 0x66, 0x5D, 0x13, 0xB7, 0x7F, 0xD3, 0x97, -+ 0x45, 0x97, 0x43, 0xD8, 0xCE, 0x3C, 0xF2, 0x98, 0x98, 0xDD, 0xE2, 0x2D, -+ 0xCF, 0xA1, 0xC4, 0x25, 0x46, 0x2E, 0xD2, 0xE5, 0x5F, 0xC6, 0x01, 0xC5, -+ 0x4F, 0x42, 0x2B, 0xDE, 0x0F, 0xEA, 0x4A, 0x4F, 0xC3, 0x5B, 0xDF, 0x9B, -+ 0x5D, 0x30, 0x18, 0x93, 0xD0, 0xDE, 0xC5, 0x09, 0xAA, 0x57, 0x57, 0xBD, -+ 0x2D, 0x84, 0x03, 0xB7 -+}; -+ -+static const unsigned char kat_RSA_PSS_SHA256[] = { -+ 0x38, 0xDA, 0x99, 0x51, 0x26, 0x38, 0xC6, 0x7F, 0xC4, 0x81, 0x57, 0x19, -+ 0x35, 0xC6, 0xF6, 0x1E, 0x90, 0x47, 0x20, 0x55, 0x47, 0x56, 0x26, 0xE9, -+ 0xF2, 0xA8, 0x39, 0x6C, 0xD5, 0xCD, 0xCB, 0x55, 0xFC, 0x0C, 0xC5, 0xCB, -+ 0xF7, 0x40, 0x17, 0x3B, 0xCF, 0xE4, 0x05, 0x03, 0x3B, 0xA0, 0xB2, 0xC9, -+ 0x0D, 0x5E, 0x48, 0x3A, 0xE9, 0xAD, 0x28, 0x71, 0x7D, 0x8F, 0x89, 0x16, -+ 0x59, 0x93, 0x35, 0xDC, 0x4D, 0x7B, 0xDF, 0x84, 0xE4, 0x68, 0xAA, 0x33, -+ 0xAA, 0xDC, 0x66, 0x50, 0xC8, 0xA9, 0x32, 0x12, 0xDC, 0xC6, 0x90, 0x49, -+ 0x0B, 0x75, 0xFF, 0x9B, 0x95, 0x00, 0x9A, 0x90, 0xE0, 0xD4, 0x0E, 0x67, -+ 0xAB, 0x3C, 0x47, 0x36, 0xC5, 0x2E, 0x1C, 0x46, 0xF0, 0x2D, 0xD3, 0x8B, -+ 0x42, 0x08, 0xDE, 0x0D, 0xB6, 0x2C, 0x86, 0xB0, 0x35, 0x71, 0x18, 0x6B, -+ 0x89, 0x67, 0xC0, 0x05, 0xAD, 0xF4, 0x1D, 0x62, 0x4E, 0x75, 0xEC, 0xD6, -+ 0xC2, 0xDB, 0x07, 0xB0, 0xB6, 0x8D, 0x15, 0xAD, 0xCD, 0xBF, 0xF5, 0x60, -+ 0x76, 0xAE, 0x48, 0xB8, 0x77, 0x7F, 0xC5, 0x01, 0xD9, 0x29, 0xBB, 0xD6, -+ 0x17, 0xA2, 0x20, 0x5A, 0xC0, 0x4A, 0x3B, 0x34, 0xC8, 0xB9, 0x39, 0xCF, -+ 0x06, 0x89, 0x95, 0x6F, 0xC7, 0xCA, 0xC4, 0xE4, 0x43, 0xDF, 0x5A, 0x23, -+ 0xE2, 0x89, 0xA3, 0x38, 0x78, 0x31, 0x38, 0xC6, 0xA4, 0x6F, 0x5F, 0x73, -+ 0x5A, 0xE5, 0x9E, 0x09, 0xE7, 0x6F, 0xD4, 0xF8, 0x3E, 0xB7, 0xB0, 0x56, -+ 0x9A, 0xF3, 0x65, 0xF0, 0xC2, 0xA6, 0x8A, 0x08, 0xBA, 0x44, 0xAC, 0x97, -+ 0xDE, 0xB4, 0x16, 0x83, 0xDF, 0xE3, 0xEE, 0x71, 0xFA, 0xF9, 0x51, 0x50, -+ 0x14, 0xDC, 0xFD, 0x6A, 0x82, 0x20, 0x68, 0x64, 0x7D, 0x4E, 0x82, 0x68, -+ 0xD7, 0x45, 0xFA, 0x6A, 0xE4, 0xE5, 0x29, 0x3A, 0x70, 0xFB, 0xE4, 0x62, -+ 0x2B, 0x31, 0xB9, 0x7D -+}; -+ -+static const unsigned char kat_RSA_PSS_SHA384[] = { -+ 0x99, 0x02, 0xC9, 0x1E, 0x31, 0x82, 0xB4, 0xE6, 0x1B, 0x32, 0xCE, 0x5D, -+ 0x41, 0x1D, 0x00, 0x2F, 0x04, 0x8B, 0xBD, 0x37, 0x79, 0xCF, 0x77, 0x03, -+ 0x05, 0x6A, 0x21, 0xC7, 0x8D, 0x24, 0x60, 0x49, 0x39, 0x58, 0xC5, 0x27, -+ 0x8F, 0xC5, 0x97, 0x4A, 0xB2, 0xE1, 0xD4, 0x36, 0x57, 0xBD, 0x43, 0xCC, -+ 0x7B, 0xCE, 0xF2, 0xA5, 0x30, 0xF8, 0x72, 0x14, 0xBB, 0xD0, 0x9F, 0xC1, -+ 0x49, 0xC8, 0x1C, 0xAF, 0xCD, 0x95, 0x78, 0x72, 0x25, 0xF9, 0x45, 0xC6, -+ 0x5B, 0x62, 0x5E, 0x01, 0xD7, 0x40, 0x5E, 0xC8, 0xCA, 0x0A, 0xF3, 0xBA, -+ 0x08, 0x07, 0x88, 0xCA, 0x49, 0x36, 0x84, 0x7D, 0xF6, 0xFC, 0x5A, 0xDB, -+ 0xFC, 0x50, 0xD3, 0xEB, 0x3D, 0x83, 0xB0, 0xF5, 0x94, 0x5E, 0x88, 0xC3, -+ 0x82, 0xCD, 0x53, 0x40, 0x96, 0x18, 0x6B, 0x4A, 0x6C, 0x9C, 0xFE, 0xE5, -+ 0x3B, 0x75, 0xF9, 0xEB, 0xA5, 0x77, 0x11, 0xEF, 0x88, 0x1C, 0x25, 0x70, -+ 0x7D, 0x88, 0x5D, 0xC3, 0xCA, 0xE1, 0x49, 0x14, 0x90, 0xAD, 0xF2, 0x5E, -+ 0x49, 0xD7, 0x99, 0xA5, 0x7B, 0x77, 0x3B, 0x8E, 0xB8, 0xDB, 0xF1, 0x4C, -+ 0xD6, 0x9A, 0xDC, 0xE5, 0x7A, 0x1C, 0xE1, 0xCE, 0x9D, 0xF1, 0xF3, 0xA0, -+ 0x0A, 0x35, 0x52, 0x9D, 0xB9, 0x46, 0x94, 0x82, 0x0F, 0xF7, 0xB2, 0x62, -+ 0x51, 0x70, 0x75, 0xD2, 0x37, 0x96, 0x67, 0x2F, 0xD0, 0x22, 0xD8, 0x07, -+ 0x8D, 0x69, 0x9E, 0x6D, 0x0B, 0x40, 0x4F, 0x70, 0xEC, 0x0B, 0xCA, 0x88, -+ 0x80, 0x8D, 0x9A, 0xF4, 0xF9, 0x18, 0x50, 0x27, 0x08, 0xFA, 0xCC, 0xC7, -+ 0x3F, 0xE4, 0x84, 0x83, 0xA1, 0xB6, 0x1D, 0x23, 0x34, 0xFE, 0x48, 0xE5, -+ 0xE3, 0xAE, 0x4D, 0x98, 0xBC, 0xA6, 0x8A, 0x9F, 0xFD, 0x4D, 0xDB, 0x9D, -+ 0xF7, 0xEB, 0x4E, 0xB6, 0x6F, 0x25, 0xEA, 0x7A, 0xE9, 0x85, 0xB2, 0xEF, -+ 0x90, 0xD2, 0xA6, 0x2B -+}; -+ -+static const unsigned char kat_RSA_PSS_SHA512[] = { -+ 0x3F, 0x83, 0x43, 0x78, 0x25, 0xBE, 0x81, 0xB2, 0x6E, 0x78, 0x11, 0x32, -+ 0xD0, 0x88, 0x05, 0x53, 0x95, 0xED, 0x81, 0x12, 0xCE, 0x50, 0xD9, 0x06, -+ 0x42, 0x89, 0xA0, 0x55, 0x7A, 0x05, 0x13, 0x94, 0x35, 0x9B, 0xCA, 0x5D, -+ 0xCB, 0xB2, 0x32, 0xE1, 0x04, 0x99, 0xEC, 0xE7, 0xA6, 0x69, 0x4D, 0x2B, -+ 0xC1, 0x57, 0x13, 0x48, 0x0D, 0x6B, 0x4D, 0x83, 0x28, 0x06, 0x79, 0x9D, -+ 0xB4, 0x70, 0xCE, 0xC0, 0xFC, 0x3B, 0x69, 0xB3, 0x91, 0x54, 0xA9, 0x44, -+ 0x2E, 0xDA, 0x4A, 0xC5, 0xC2, 0x99, 0xF0, 0xDE, 0xCA, 0x77, 0x99, 0x6B, -+ 0x0C, 0x79, 0xE5, 0x29, 0x74, 0x83, 0x69, 0xEA, 0xB8, 0x72, 0x30, 0x3D, -+ 0x7A, 0x30, 0xE1, 0x03, 0x7B, 0x09, 0xE6, 0x11, 0xC0, 0xDC, 0xFF, 0xFD, -+ 0xBD, 0xEC, 0x9C, 0xCC, 0x46, 0x7B, 0x4C, 0x4C, 0x59, 0xBE, 0x82, 0x7C, -+ 0xF5, 0x60, 0x5A, 0xC3, 0xE8, 0xA8, 0x8A, 0x38, 0x9E, 0x01, 0x57, 0xF1, -+ 0x79, 0x3A, 0x7C, 0xA3, 0x9F, 0x12, 0x1A, 0x4F, 0x2E, 0xA2, 0xE5, 0x0A, -+ 0xAB, 0xC0, 0xF4, 0xA5, 0xE3, 0x5F, 0x89, 0x1C, 0x8F, 0xA4, 0x5E, 0xCE, -+ 0x0D, 0x91, 0x05, 0x1B, 0x17, 0x62, 0x48, 0xFE, 0xA5, 0x4C, 0xEF, 0x2D, -+ 0x28, 0xF1, 0x5E, 0xE6, 0xD1, 0x30, 0x89, 0x0A, 0xAD, 0x18, 0xAF, 0x6F, -+ 0x04, 0x09, 0x36, 0x9A, 0xFF, 0xCA, 0xA1, 0xA7, 0x05, 0x7F, 0xD4, 0xBF, -+ 0x3A, 0xB5, 0x42, 0x6D, 0xE9, 0x07, 0x29, 0x65, 0x8B, 0xAD, 0x4D, 0x0F, -+ 0x22, 0xE1, 0x59, 0x43, 0x68, 0x87, 0xA8, 0x8B, 0xBC, 0x69, 0xA1, 0x94, -+ 0x22, 0x3E, 0x8A, 0x49, 0xE8, 0xA3, 0x6F, 0xC2, 0x93, 0x58, 0xE7, 0xAE, -+ 0xC9, 0x1F, 0xCF, 0x61, 0x93, 0xFC, 0xC1, 0xF6, 0xF3, 0x27, 0x7F, 0x0A, -+ 0x90, 0xE0, 0x65, 0x32, 0x57, 0x47, 0xE2, 0xED, 0x08, 0x59, 0xA6, 0xF0, -+ 0x17, 0x2C, 0x13, 0xE0 -+}; -+ -+static const unsigned char kat_RSA_SHA1[] = { -+ 0x3B, 0x60, 0x4B, 0xFC, 0x54, 0x28, 0x23, 0xE6, 0x2F, 0x05, 0x04, 0xBA, -+ 0x9D, 0xE4, 0x3C, 0xB8, 0x5B, 0x60, 0x5C, 0xCD, 0x9D, 0xEA, 0xC3, 0x4C, -+ 0xC2, 0x33, 0xE6, 0xC6, 0x21, 0x48, 0x76, 0xEC, 0xB2, 0xF5, 0x11, 0xDE, -+ 0x44, 0xB4, 0xAF, 0x16, 0x11, 0xC3, 0x18, 0x16, 0xB3, 0x69, 0xBB, 0x94, -+ 0xED, 0xE8, 0xB3, 0x9E, 0xB1, 0x43, 0x8E, 0xCE, 0xB4, 0x34, 0x9B, 0x08, -+ 0x22, 0xAF, 0x31, 0x73, 0xB5, 0xFA, 0x11, 0x7E, 0x8F, 0x13, 0x52, 0xEC, -+ 0xC9, 0x03, 0xEE, 0x0D, 0x2B, 0x91, 0x32, 0xF2, 0x8E, 0xDF, 0x02, 0xE0, -+ 0x0A, 0x47, 0xD2, 0x0A, 0x51, 0x00, 0x1A, 0x30, 0x6F, 0x0C, 0xB3, 0x54, -+ 0x64, 0x20, 0x90, 0x0C, 0x01, 0xBE, 0xC0, 0x42, 0x8C, 0x5D, 0x18, 0x6F, -+ 0x32, 0x75, 0x45, 0x7B, 0x1C, 0x04, 0xA2, 0x9F, 0x84, 0xD7, 0xF5, 0x3A, -+ 0x95, 0xD4, 0xE8, 0x8D, 0xEC, 0x99, 0xEF, 0x18, 0x5E, 0x64, 0xD3, 0xAF, -+ 0xF8, 0xD4, 0xFF, 0x3C, 0x87, 0xA0, 0x3F, 0xC7, 0x22, 0x05, 0xFD, 0xFD, -+ 0x29, 0x8A, 0x28, 0xDA, 0xA9, 0x8A, 0x8B, 0x23, 0x62, 0x9D, 0x42, 0xB8, -+ 0x4A, 0x76, 0x0D, 0x9F, 0x9A, 0xE0, 0xE6, 0xDD, 0xAD, 0x5E, 0x5F, 0xD5, -+ 0x32, 0xE9, 0x4B, 0x97, 0x7D, 0x62, 0x0A, 0xB3, 0xBE, 0xF2, 0x8C, 0x1F, -+ 0x2B, 0x22, 0x06, 0x15, 0x33, 0x71, 0xED, 0x9B, 0xA0, 0x82, 0xCE, 0xBF, -+ 0x3B, 0x08, 0x5F, 0xA7, 0x20, 0x94, 0x09, 0xEB, 0x82, 0xA5, 0x41, 0x60, -+ 0xF1, 0x08, 0xEB, 0x8D, 0xCC, 0x8D, 0xC9, 0x52, 0x0A, 0xAF, 0xF4, 0xF9, -+ 0x9F, 0x82, 0xD8, 0x0B, 0x75, 0x5E, 0xE4, 0xAF, 0x65, 0x96, 0xAF, 0xFC, -+ 0x33, 0xBF, 0x9F, 0x3E, 0xA4, 0x7B, 0x86, 0xC7, 0xF7, 0x47, 0xAB, 0x37, -+ 0x05, 0xD6, 0x0D, 0x31, 0x72, 0x8C, 0x80, 0x1E, 0xA9, 0x54, 0xFC, 0xDF, -+ 0x27, 0x90, 0xE2, 0x01 -+}; -+ -+static const unsigned char kat_RSA_SHA224[] = { -+ 0xA2, 0xD8, 0x42, 0x53, 0xDD, 0xBF, 0x1F, 0x6B, 0x07, 0xE0, 0x60, 0x86, -+ 0x5A, 0x60, 0x06, 0x8F, 0x44, 0xD9, 0xB0, 0x4A, 0xAA, 0x90, 0x71, 0xB8, -+ 0xB2, 0xBC, 0x30, 0x41, 0x50, 0xBB, 0xFD, 0x46, 0x98, 0x4D, 0xC0, 0x89, -+ 0x57, 0x85, 0x8A, 0x97, 0x49, 0x25, 0xA8, 0x0C, 0x69, 0x70, 0x19, 0x39, -+ 0x66, 0x24, 0xB4, 0x69, 0x47, 0xD2, 0x7C, 0xDE, 0x2D, 0x37, 0x59, 0xB3, -+ 0xE3, 0xC7, 0x6B, 0xDD, 0xBE, 0xE1, 0xE6, 0x28, 0x9A, 0x8D, 0x42, 0x3E, -+ 0x28, 0x01, 0xD7, 0x03, 0xC9, 0x73, 0xC3, 0x6B, 0x03, 0xEC, 0x1E, 0xF8, -+ 0x53, 0x8B, 0x52, 0x42, 0x89, 0x55, 0xB7, 0x87, 0xA9, 0x94, 0xC2, 0xB4, -+ 0x4B, 0x76, 0xF5, 0x61, 0x47, 0xE1, 0x44, 0x7B, 0xEC, 0xB4, 0x25, 0x66, -+ 0xC0, 0xFF, 0xEB, 0x86, 0x24, 0xAA, 0xA8, 0x72, 0xC7, 0xFB, 0xFB, 0xF6, -+ 0x84, 0xA7, 0x5B, 0xD4, 0x87, 0xE5, 0x84, 0x56, 0x1E, 0x4C, 0xE5, 0xBC, -+ 0x87, 0x94, 0xAC, 0x9C, 0x1B, 0x3D, 0xF7, 0xD4, 0x36, 0x85, 0x9F, 0xC9, -+ 0xF6, 0x43, 0x3F, 0xB6, 0x25, 0x33, 0x48, 0x0F, 0xE5, 0x7C, 0xCD, 0x53, -+ 0x48, 0xEB, 0x02, 0x11, 0xB9, 0x9E, 0xC3, 0xB4, 0xE1, 0x54, 0xD6, 0xAA, -+ 0x1A, 0x9E, 0x10, 0xE1, 0x27, 0x25, 0xF2, 0xE1, 0xAB, 0xAB, 0x6C, 0x45, -+ 0x61, 0xD5, 0xA3, 0x6C, 0xB6, 0x33, 0x52, 0xAE, 0x3D, 0xFD, 0x22, 0xFC, -+ 0x3A, 0xAB, 0x63, 0x94, 0xB5, 0x3A, 0x69, 0x11, 0xAC, 0x99, 0x4F, 0x33, -+ 0x67, 0x0A, 0x1A, 0x70, 0x1E, 0xB9, 0xE2, 0x26, 0x27, 0x68, 0xEA, 0xF5, -+ 0x97, 0x55, 0xAC, 0x83, 0x6A, 0x40, 0x3B, 0x56, 0xAE, 0x13, 0x88, 0xE8, -+ 0x98, 0x72, 0x52, 0x91, 0x7F, 0x78, 0x0A, 0x18, 0xD4, 0x44, 0x78, 0x83, -+ 0x0D, 0x44, 0x77, 0xA6, 0xF3, 0x04, 0xF1, 0x8C, 0xBC, 0x2F, 0xF9, 0x5B, -+ 0xDB, 0x70, 0x00, 0xF6 -+}; -+ -+static const unsigned char kat_RSA_SHA256[] = { -+ 0xC2, 0xB1, 0x97, 0x00, 0x9A, 0xE5, 0x80, 0x6A, 0xE2, 0x51, 0x68, 0xB9, -+ 0x7A, 0x0C, 0xF2, 0xB4, 0x77, 0xED, 0x15, 0x0C, 0x4E, 0xE1, 0xDC, 0xFF, -+ 0x8E, 0xBC, 0xDE, 0xC7, 0x9A, 0x96, 0xF1, 0x47, 0x45, 0x24, 0x9D, 0x6F, -+ 0xA6, 0xF3, 0x1D, 0x0D, 0x35, 0x4C, 0x1A, 0xF3, 0x58, 0x2C, 0x6C, 0x06, -+ 0xD6, 0x22, 0x37, 0x77, 0x8C, 0x33, 0xE5, 0x07, 0x53, 0x93, 0x28, 0xCF, -+ 0x67, 0xFA, 0xC4, 0x1F, 0x1B, 0x24, 0xDB, 0x4C, 0xC5, 0x2A, 0x51, 0xA2, -+ 0x60, 0x15, 0x8C, 0x54, 0xB4, 0x30, 0xE2, 0x24, 0x47, 0x86, 0xF2, 0xF8, -+ 0x6C, 0xD6, 0x12, 0x59, 0x2C, 0x74, 0x9A, 0x37, 0xF3, 0xC4, 0xA2, 0xD5, -+ 0x4E, 0x1F, 0x77, 0xF0, 0x27, 0xCE, 0x77, 0xF8, 0x4A, 0x79, 0x03, 0xBE, -+ 0xC8, 0x06, 0x2D, 0xA7, 0xA6, 0x46, 0xF5, 0x55, 0x79, 0xD7, 0x5C, 0xC6, -+ 0x5B, 0xB1, 0x00, 0x4E, 0x7C, 0xD9, 0x11, 0x85, 0xE0, 0xB1, 0x4D, 0x2D, -+ 0x13, 0xD7, 0xAC, 0xEA, 0x64, 0xD1, 0xAC, 0x8F, 0x8D, 0x8F, 0xEA, 0x42, -+ 0x7F, 0xF9, 0xB7, 0x7D, 0x2C, 0x68, 0x49, 0x07, 0x7A, 0x74, 0xEF, 0xB4, -+ 0xC9, 0x97, 0x16, 0x5C, 0x6C, 0x6E, 0x5C, 0x09, 0x2E, 0x8E, 0x13, 0x2E, -+ 0x1A, 0x8D, 0xA6, 0x0C, 0x6E, 0x0C, 0x1C, 0x0F, 0xCC, 0xB2, 0x78, 0x8A, -+ 0x07, 0xFC, 0x5C, 0xC2, 0xF5, 0x65, 0xEC, 0xAB, 0x8B, 0x3C, 0xCA, 0x91, -+ 0x6F, 0x84, 0x7C, 0x21, 0x0E, 0xB8, 0xDA, 0x7B, 0x6C, 0xF7, 0xDF, 0xAB, -+ 0x7E, 0x15, 0xFD, 0x85, 0x0B, 0x33, 0x9B, 0x6A, 0x3A, 0xC3, 0xEF, 0x65, -+ 0x04, 0x6E, 0xB2, 0xAC, 0x98, 0xFD, 0xEB, 0x02, 0xF5, 0xC0, 0x0B, 0x5E, -+ 0xCB, 0xD4, 0x83, 0x82, 0x18, 0x1B, 0xDA, 0xB4, 0xCD, 0xE8, 0x71, 0x6B, -+ 0x1D, 0xB5, 0x4F, 0xE9, 0xD6, 0x43, 0xA0, 0x0A, 0x14, 0xA0, 0xE7, 0x5D, -+ 0x47, 0x9D, 0x18, 0xD7 -+}; -+ -+static const unsigned char kat_RSA_SHA384[] = { -+ 0x11, 0x5E, 0x63, 0xFE, 0x47, 0xAA, 0x6A, 0x84, 0xEB, 0x44, 0x9A, 0x00, -+ 0x96, 0x4A, 0xED, 0xD2, 0xA7, 0x67, 0x3A, 0x64, 0x82, 0x30, 0x61, 0x2D, -+ 0xE3, 0xF5, 0x49, 0x68, 0x5E, 0x60, 0xD2, 0x4D, 0xEF, 0xF2, 0xA4, 0xB2, -+ 0x9A, 0x81, 0x1D, 0x41, 0xA5, 0x73, 0x59, 0xEB, 0xBB, 0xC4, 0x9E, 0x2B, -+ 0xEB, 0xC3, 0xDE, 0x3A, 0xEA, 0xF5, 0xAD, 0xDA, 0x87, 0x08, 0x68, 0xCF, -+ 0x12, 0x9B, 0xC1, 0xE4, 0xA7, 0x71, 0xF8, 0xBD, 0x6B, 0x6F, 0x50, 0xF1, -+ 0xD1, 0xFF, 0xCE, 0x6C, 0xD9, 0xBE, 0xDA, 0x76, 0xF3, 0xEB, 0xAB, 0x9C, -+ 0x41, 0x6E, 0x4F, 0x35, 0x7A, 0x61, 0x27, 0xBC, 0x03, 0x3E, 0xAE, 0x3E, -+ 0x1B, 0xDD, 0xAC, 0xD9, 0x1A, 0xFF, 0xD3, 0xF5, 0x66, 0x43, 0x07, 0x76, -+ 0x8A, 0x69, 0x2D, 0x14, 0xB1, 0xBE, 0x55, 0x49, 0x90, 0x89, 0x4B, 0xC4, -+ 0x11, 0x67, 0xD5, 0x9D, 0xB0, 0xB2, 0xEE, 0x8D, 0x0A, 0x47, 0x4A, 0xD9, -+ 0x0E, 0xD1, 0x24, 0xF0, 0x30, 0x2B, 0xF2, 0x79, 0x47, 0xDB, 0x70, 0xB4, -+ 0x46, 0xF2, 0xF8, 0xB7, 0xB4, 0xF6, 0x34, 0x79, 0xA8, 0x2D, 0x3D, 0x56, -+ 0xD5, 0x9A, 0x60, 0x7A, 0x04, 0xC7, 0x66, 0x1D, 0xCD, 0x3C, 0xD5, 0x39, -+ 0x37, 0x12, 0x51, 0x5E, 0x9F, 0xF8, 0x1A, 0xAF, 0x13, 0xC1, 0x13, 0x00, -+ 0x35, 0xD5, 0x8D, 0x17, 0xE3, 0x02, 0x28, 0xD9, 0xEC, 0xDE, 0xD1, 0x2F, -+ 0x93, 0x49, 0x03, 0x11, 0x3E, 0x56, 0x9D, 0xC2, 0x31, 0xF8, 0xAF, 0x2D, -+ 0xD9, 0x99, 0xB7, 0x8A, 0xAC, 0x5A, 0x86, 0x20, 0x3A, 0x83, 0x29, 0x26, -+ 0x9D, 0x03, 0x52, 0x2B, 0x34, 0x56, 0x40, 0x16, 0x53, 0x50, 0x82, 0xC9, -+ 0xC7, 0xD5, 0x51, 0x4C, 0xED, 0xB3, 0xE2, 0xE1, 0xCF, 0xA8, 0xCE, 0xBD, -+ 0xB1, 0x48, 0xA6, 0x8A, 0x79, 0x17, 0x55, 0x11, 0xEF, 0xE8, 0x14, 0xF4, -+ 0x7E, 0x37, 0x1D, 0x96 -+}; -+ -+static const unsigned char kat_RSA_SHA512[] = { -+ 0x35, 0x6D, 0xF1, 0x9E, 0xCF, 0xB1, 0xF6, 0x0C, 0x04, 0x21, 0x17, 0xB3, -+ 0xC4, 0x9D, 0xFE, 0x62, 0x1C, 0x1A, 0x45, 0x00, 0x2E, 0x6B, 0xB6, 0x9F, -+ 0x5C, 0xB1, 0xCB, 0xCF, 0xF9, 0x67, 0xEA, 0x62, 0x8A, 0xEB, 0x77, 0x02, -+ 0x42, 0x30, 0x88, 0xB1, 0x48, 0xDF, 0x12, 0x60, 0x6E, 0x92, 0xBB, 0x4B, -+ 0x09, 0x68, 0xD1, 0x70, 0x2B, 0x59, 0xEE, 0x57, 0x96, 0xF9, 0xEA, 0xA3, -+ 0x4C, 0xE9, 0xC9, 0xBD, 0x25, 0x34, 0x66, 0x15, 0x6C, 0xC9, 0x81, 0xD1, -+ 0x48, 0x0F, 0x33, 0x5F, 0x05, 0x4F, 0xC2, 0xC4, 0xDD, 0x09, 0x54, 0x79, -+ 0xA1, 0x57, 0x07, 0x70, 0xA0, 0x33, 0x02, 0x4D, 0x5D, 0xE9, 0x24, 0xD1, -+ 0xEF, 0xF0, 0x61, 0xD0, 0x1D, 0x41, 0xE2, 0x9B, 0x2B, 0x7C, 0xD0, 0x4E, -+ 0x55, 0xD9, 0x6D, 0xA1, 0x16, 0x9F, 0xDA, 0xC3, 0x3B, 0xF1, 0x74, 0xD1, -+ 0x99, 0xF1, 0x63, 0x57, 0xAD, 0xC7, 0x55, 0xF4, 0x97, 0x43, 0x1C, 0xED, -+ 0x1B, 0x7A, 0x32, 0xCB, 0x24, 0xA6, 0x3D, 0x93, 0x37, 0x90, 0x74, 0xEE, -+ 0xD2, 0x8D, 0x4B, 0xBC, 0x72, 0xDA, 0x25, 0x2B, 0x64, 0xE9, 0xCA, 0x69, -+ 0x36, 0xB6, 0xEC, 0x6E, 0x8F, 0x33, 0x0E, 0x74, 0x40, 0x48, 0x51, 0xE2, -+ 0x54, 0x6F, 0xAF, 0x6E, 0x36, 0x54, 0x3A, 0xEC, 0x78, 0x37, 0xE6, 0x1F, -+ 0x76, 0xA5, 0x4D, 0xA6, 0xD9, 0xB3, 0x6B, 0x17, 0x6D, 0x61, 0xFC, 0xA3, -+ 0x85, 0x4A, 0xCC, 0xDA, 0x52, 0xAC, 0x5B, 0xDA, 0x51, 0xE5, 0x7F, 0x5B, -+ 0x52, 0x8B, 0x74, 0x75, 0x99, 0x5C, 0x01, 0xFD, 0x25, 0x3E, 0xCD, 0x86, -+ 0x6F, 0x7A, 0xC0, 0xD8, 0x17, 0x6F, 0xD1, 0xD2, 0x6B, 0xAB, 0x14, 0x1F, -+ 0x3B, 0xB8, 0x15, 0x05, 0x86, 0x40, 0x36, 0xCF, 0xDA, 0x59, 0x2B, 0x9A, -+ 0xE9, 0x1E, 0x6E, 0xD3, 0x6B, 0xA1, 0x19, 0xC5, 0xE6, 0x3F, 0xE9, 0x2E, -+ 0x43, 0xA8, 0x34, 0x0A -+}; -+ -+static int fips_rsa_encrypt_test(RSA *rsa, const unsigned char *plaintext, -+ int ptlen) -+{ -+ unsigned char *ctbuf = NULL, *ptbuf = NULL; -+ int ret = 0; -+ int len; -+ -+ ctbuf = OPENSSL_malloc(RSA_size(rsa)); -+ if (!ctbuf) -+ goto err; -+ -+ len = RSA_public_encrypt(ptlen, plaintext, ctbuf, rsa, RSA_PKCS1_PADDING); -+ if (len <= 0) -+ goto err; -+ /* Check ciphertext doesn't match plaintext */ -+ if (len >= ptlen && !memcmp(plaintext, ctbuf, ptlen)) -+ goto err; -+ -+ ptbuf = OPENSSL_malloc(RSA_size(rsa)); -+ if (!ptbuf) -+ goto err; -+ -+ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING); -+ if (len != ptlen) -+ goto err; -+ if (memcmp(ptbuf, plaintext, len)) -+ goto err; -+ -+ ret = 1; -+ -+ err: -+ if (ctbuf) -+ OPENSSL_free(ctbuf); -+ if (ptbuf) -+ OPENSSL_free(ptbuf); -+ return ret; -+} -+ -+int FIPS_selftest_rsa() -+{ -+ int ret = 0; -+ RSA *key; -+ EVP_PKEY *pk = NULL; -+ -+ if ((key = RSA_new()) == NULL) -+ goto err; -+ -+ if (!setrsakey(key)) -+ goto err; -+ -+ if ((pk = EVP_PKEY_new()) == NULL) -+ goto err; -+ -+ EVP_PKEY_set1_RSA(pk, key); -+ -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_SHA1, sizeof(kat_RSA_SHA1), -+ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1, -+ "RSA SHA1 PKCS#1")) -+ goto err; -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_SHA224, sizeof(kat_RSA_SHA224), -+ EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PKCS1, -+ "RSA SHA224 PKCS#1")) -+ goto err; -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_SHA256, sizeof(kat_RSA_SHA256), -+ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1, -+ "RSA SHA256 PKCS#1")) -+ goto err; -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_SHA384, sizeof(kat_RSA_SHA384), -+ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PKCS1, -+ "RSA SHA384 PKCS#1")) -+ goto err; -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_SHA512, sizeof(kat_RSA_SHA512), -+ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PKCS1, -+ "RSA SHA512 PKCS#1")) -+ goto err; -+ -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_PSS_SHA1, sizeof(kat_RSA_PSS_SHA1), -+ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS, -+ "RSA SHA1 PSS")) -+ goto err; -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_PSS_SHA224, -+ sizeof(kat_RSA_PSS_SHA224), EVP_sha224(), -+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA224 PSS")) -+ goto err; -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_PSS_SHA256, -+ sizeof(kat_RSA_PSS_SHA256), EVP_sha256(), -+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA256 PSS")) -+ goto err; -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_PSS_SHA384, -+ sizeof(kat_RSA_PSS_SHA384), EVP_sha384(), -+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA384 PSS")) -+ goto err; -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_PSS_SHA512, -+ sizeof(kat_RSA_PSS_SHA512), EVP_sha512(), -+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA512 PSS")) -+ goto err; -+ -+ if (!fips_rsa_encrypt_test(key, kat_tbs, sizeof(kat_tbs) - 1)) -+ goto err; -+ -+ ret = 1; -+ -+ err: -+ if (pk) -+ EVP_PKEY_free(pk); -+ if (key) -+ RSA_free(key); -+ return ret; -+} -+ -+#endif /* def OPENSSL_FIPS */ -diff -up openssl-1.1.0h/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.0h/crypto/fips/fips_sha_selftest.c ---- openssl-1.1.0h/crypto/fips/fips_sha_selftest.c.fips 2018-03-29 14:44:24.636236877 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_sha_selftest.c 2018-03-29 14:44:24.636236877 +0200 -@@ -0,0 +1,138 @@ -+/* ==================================================================== -+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#include -+#include -+#ifdef OPENSSL_FIPS -+# include -+#endif -+#include -+#include -+ -+#ifdef OPENSSL_FIPS -+static const char test[][60] = { -+ "", -+ "abc", -+ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" -+}; -+ -+static const unsigned char ret[][SHA_DIGEST_LENGTH] = { -+ {0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55, -+ 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09}, -+ {0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a, 0xba, 0x3e, -+ 0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d}, -+ {0x84, 0x98, 0x3e, 0x44, 0x1c, 0x3b, 0xd2, 0x6e, 0xba, 0xae, -+ 0x4a, 0xa1, 0xf9, 0x51, 0x29, 0xe5, 0xe5, 0x46, 0x70, 0xf1}, -+}; -+ -+int FIPS_selftest_sha1() -+{ -+ int n; -+ -+ for (n = 0; n < sizeof(test) / sizeof(test[0]); ++n) { -+ unsigned char md[SHA_DIGEST_LENGTH]; -+ -+ EVP_Digest(test[n], strlen(test[n]), md, NULL, -+ EVP_sha1(), NULL); -+ if (memcmp(md, ret[n], sizeof md)) { -+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA1, FIPS_R_SELFTEST_FAILED); -+ return 0; -+ } -+ } -+ return 1; -+} -+ -+static const unsigned char msg_sha256[] = -+ { 0xfa, 0x48, 0x59, 0x2a, 0xe1, 0xae, 0x1f, 0x30, -+ 0xfc -+}; -+ -+static const unsigned char dig_sha256[] = -+ { 0xf7, 0x26, 0xd8, 0x98, 0x47, 0x91, 0x68, 0x5b, -+ 0x9e, 0x39, 0xb2, 0x58, 0xbb, 0x75, 0xbf, 0x01, -+ 0x17, 0x0c, 0x84, 0x00, 0x01, 0x7a, 0x94, 0x83, -+ 0xf3, 0x0b, 0x15, 0x84, 0x4b, 0x69, 0x88, 0x8a -+}; -+ -+static const unsigned char msg_sha512[] = -+ { 0x37, 0xd1, 0x35, 0x9d, 0x18, 0x41, 0xe9, 0xb7, -+ 0x6d, 0x9a, 0x13, 0xda, 0x5f, 0xf3, 0xbd -+}; -+ -+static const unsigned char dig_sha512[] = -+ { 0x11, 0x13, 0xc4, 0x19, 0xed, 0x2b, 0x1d, 0x16, -+ 0x11, 0xeb, 0x9b, 0xbe, 0xf0, 0x7f, 0xcf, 0x44, -+ 0x8b, 0xd7, 0x57, 0xbd, 0x8d, 0xa9, 0x25, 0xb0, -+ 0x47, 0x25, 0xd6, 0x6c, 0x9a, 0x54, 0x7f, 0x8f, -+ 0x0b, 0x53, 0x1a, 0x10, 0x68, 0x32, 0x03, 0x38, -+ 0x82, 0xc4, 0x87, 0xc4, 0xea, 0x0e, 0xd1, 0x04, -+ 0xa9, 0x98, 0xc1, 0x05, 0xa3, 0xf3, 0xf8, 0xb1, -+ 0xaf, 0xbc, 0xd9, 0x78, 0x7e, 0xee, 0x3d, 0x43 -+}; -+ -+int FIPS_selftest_sha2(void) -+{ -+ unsigned char md[SHA512_DIGEST_LENGTH]; -+ -+ EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL); -+ if (memcmp(dig_sha256, md, sizeof(dig_sha256))) { -+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED); -+ return 0; -+ } -+ -+ EVP_Digest(msg_sha512, sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL); -+ if (memcmp(dig_sha512, md, sizeof(dig_sha512))) { -+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED); -+ return 0; -+ } -+ -+ return 1; -+} -+ -+#endif -diff -up openssl-1.1.0h/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.0h/crypto/fips/fips_standalone_hmac.c ---- openssl-1.1.0h/crypto/fips/fips_standalone_hmac.c.fips 2018-03-29 14:44:24.636236877 +0200 -+++ openssl-1.1.0h/crypto/fips/fips_standalone_hmac.c 2018-03-29 14:44:24.636236877 +0200 -@@ -0,0 +1,127 @@ -+/* ==================================================================== -+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+ -+int main(int argc, char **argv) -+{ -+#ifdef OPENSSL_FIPS -+ static char key[] = "orboDeJITITejsirpADONivirpUkvarP"; -+ int n, binary = 0; -+ -+ if (argc < 2) { -+ fprintf(stderr, "%s []+\n", argv[0]); -+ exit(1); -+ } -+ -+ n = 1; -+ if (!strcmp(argv[n], "-binary")) { -+ n++; -+ binary = 1; /* emit binary fingerprint... */ -+ } -+ -+ for (; n < argc; ++n) { -+ FILE *f = fopen(argv[n], "rb"); -+ HMAC_CTX *hmac_ctx; -+ unsigned char mac[EVP_MAX_MD_SIZE]; -+ unsigned int len; -+ unsigned int i; -+ -+ if (!f) { -+ perror(argv[n]); -+ exit(2); -+ } -+ hmac_ctx = HMAC_CTX_new(); -+ if (!hmac_ctx) -+ exit(3); -+ -+ if (HMAC_Init_ex(hmac_ctx, key, strlen(key), EVP_sha256(), NULL) <= 0) { -+ fprintf(stderr, "HMAC SHA256 initialization failed.\n"); -+ exit(4); -+ } -+ -+ for (;;) { -+ char buf[1024]; -+ size_t l = fread(buf, 1, sizeof buf, f); -+ -+ if (l == 0) { -+ if (ferror(f)) { -+ perror(argv[n]); -+ exit(3); -+ } else -+ break; -+ } -+ if (HMAC_Update(hmac_ctx, buf, l) <= 0) { -+ fprintf(stderr, "HMAC_Update() failed.\n"); -+ exit(4); -+ } -+ } -+ if (HMAC_Final(hmac_ctx, mac, &len) <= 0) { -+ fprintf(stderr, "HMAC_Final() failed.\n"); -+ exit(4); -+ } -+ -+ if (binary) { -+ fwrite(mac, len, 1, stdout); -+ break; /* ... for single(!) file */ -+ } -+ -+/* printf("HMAC-SHA1(%s)= ",argv[n]); */ -+ for (i = 0; i < len; ++i) -+ printf("%02x", mac[i]); -+ printf("\n"); -+ } -+#endif -+ return 0; -+} -diff -up openssl-1.1.0h/crypto/hmac/hmac.c.fips openssl-1.1.0h/crypto/hmac/hmac.c ---- openssl-1.1.0h/crypto/hmac/hmac.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/hmac/hmac.c 2018-03-29 14:44:24.636236877 +0200 -@@ -35,6 +35,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo - } - - if (key != NULL) { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(EVP_MD_flags(md) & EVP_MD_FLAG_FIPS) -+ && (!EVP_MD_CTX_test_flags(ctx->md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) -+ || !EVP_MD_CTX_test_flags(ctx->i_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) -+ || !EVP_MD_CTX_test_flags(ctx->o_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))) -+ goto err; -+#endif - reset = 1; - j = EVP_MD_block_size(md); - OPENSSL_assert(j <= (int)sizeof(ctx->key)); -diff -up openssl-1.1.0h/crypto/include/internal/fips_int.h.fips openssl-1.1.0h/crypto/include/internal/fips_int.h ---- openssl-1.1.0h/crypto/include/internal/fips_int.h.fips 2018-03-29 14:44:24.637236901 +0200 -+++ openssl-1.1.0h/crypto/include/internal/fips_int.h 2018-03-29 14:44:24.637236901 +0200 -@@ -0,0 +1,101 @@ -+/* ==================================================================== -+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#include -+#include -+ -+#ifndef OPENSSL_FIPS -+# error FIPS is disabled. -+#endif -+ -+#ifdef OPENSSL_FIPS -+ -+int FIPS_module_mode_set(int onoff); -+int FIPS_module_mode(void); -+int FIPS_module_installed(void); -+int FIPS_selftest_sha1(void); -+int FIPS_selftest_sha2(void); -+int FIPS_selftest_aes_ccm(void); -+int FIPS_selftest_aes_gcm(void); -+int FIPS_selftest_aes_xts(void); -+int FIPS_selftest_aes(void); -+int FIPS_selftest_des(void); -+int FIPS_selftest_rsa(void); -+int FIPS_selftest_dsa(void); -+int FIPS_selftest_ecdsa(void); -+int FIPS_selftest_ecdh(void); -+int FIPS_selftest_dh(void); -+void FIPS_drbg_stick(int onoff); -+int FIPS_selftest_hmac(void); -+int FIPS_selftest_drbg(void); -+int FIPS_selftest_cmac(void); -+ -+int fips_pkey_signature_test(EVP_PKEY *pkey, -+ const unsigned char *tbs, int tbslen, -+ const unsigned char *kat, -+ unsigned int katlen, -+ const EVP_MD *digest, -+ unsigned int md_flags, const char *fail_str); -+ -+int fips_cipher_test(EVP_CIPHER_CTX *ctx, -+ const EVP_CIPHER *cipher, -+ const unsigned char *key, -+ const unsigned char *iv, -+ const unsigned char *plaintext, -+ const unsigned char *ciphertext, int len); -+ -+void fips_set_selftest_fail(void); -+ -+const EVP_MD *FIPS_get_digestbynid(int nid); -+ -+const EVP_CIPHER *FIPS_get_cipherbynid(int nid); -+ -+void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr); -+ -+#endif -diff -up openssl-1.1.0h/crypto/o_fips.c.fips openssl-1.1.0h/crypto/o_fips.c ---- openssl-1.1.0h/crypto/o_fips.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/o_fips.c 2018-03-29 14:44:24.637236901 +0200 -@@ -9,7 +9,10 @@ - - #include "internal/cryptlib.h" - #ifdef OPENSSL_FIPS -+# include - # include -+# include -+# include "internal/fips_int.h" - #endif - - int FIPS_mode(void) -@@ -24,7 +27,15 @@ int FIPS_mode(void) - int FIPS_mode_set(int r) - { - #ifdef OPENSSL_FIPS -- return FIPS_module_mode_set(r); -+ if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */ -+ return 1; -+ if (!FIPS_module_mode_set(r)) -+ return 0; -+ if (r) -+ RAND_set_rand_method(FIPS_rand_get_method()); -+ else -+ RAND_set_rand_method(NULL); -+ return 1; - #else - if (r == 0) - return 1; -diff -up openssl-1.1.0h/crypto/o_init.c.fips openssl-1.1.0h/crypto/o_init.c ---- openssl-1.1.0h/crypto/o_init.c.fips 2018-03-27 15:50:38.000000000 +0200 -+++ openssl-1.1.0h/crypto/o_init.c 2018-03-29 14:44:24.637236901 +0200 -@@ -7,11 +7,50 @@ - * https://www.openssl.org/source/license.html - */ - -+/* for secure_getenv */ -+#define _GNU_SOURCE - #include - #include - #ifdef OPENSSL_FIPS --# include -+# include -+# include -+# include -+# include -+# include -+# include - # include -+# include -+# include "internal/fips_int.h" -+ -+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" -+ -+static void init_fips_mode(void) -+{ -+ char buf[2] = "0"; -+ int fd; -+ -+ /* Ensure the selftests always run */ -+ FIPS_mode_set(1); -+ -+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { -+ buf[0] = '1'; -+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { -+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; -+ close(fd); -+ } -+ /* Failure reading the fips mode switch file means just not -+ * switching into FIPS mode. We would break too many things -+ * otherwise.. -+ */ -+ -+ if (buf[0] != '1') { -+ /* drop down to non-FIPS mode if it is not requested */ -+ FIPS_mode_set(0); -+ } else { -+ /* abort if selftest failed */ -+ FIPS_selftest_check(); -+ } -+} - #endif - - /* -@@ -19,16 +58,29 @@ - * sets FIPS callbacks - */ - --void OPENSSL_init(void) -+void __attribute__ ((constructor)) OPENSSL_init_library(void) - { - static int done = 0; - if (done) - return; - done = 1; - #ifdef OPENSSL_FIPS -- FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock); -- FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata); -- FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free); -+ if (!FIPS_module_installed()) { -+ return; -+ } - RAND_init_fips(); -+ init_fips_mode(); -+ if (!FIPS_mode()) { -+ /* Clean up prematurely set default rand method */ -+ RAND_set_rand_method(NULL); -+ } -+#endif -+#if 0 -+ fprintf(stderr, "Called OPENSSL_init\n"); - #endif - } -+ -+void OPENSSL_init(void) -+{ -+ OPENSSL_init_library(); -+} -diff -up openssl-1.1.0h/crypto/rand/md_rand.c.fips openssl-1.1.0h/crypto/rand/md_rand.c ---- openssl-1.1.0h/crypto/rand/md_rand.c.fips 2018-03-27 15:50:39.000000000 +0200 -+++ openssl-1.1.0h/crypto/rand/md_rand.c 2018-03-29 14:44:24.637236901 +0200 -@@ -360,7 +360,7 @@ static int rand_bytes(unsigned char *buf - CRYPTO_THREAD_unlock(rand_tmp_lock); - crypto_lock_rand = 1; - -- if (!initialized) { -+ if (!initialized || FIPS_mode()) { - RAND_poll(); - initialized = 1; - } -diff -up openssl-1.1.0h/crypto/rand/rand_err.c.fips openssl-1.1.0h/crypto/rand/rand_err.c ---- openssl-1.1.0h/crypto/rand/rand_err.c.fips 2018-03-27 15:50:39.000000000 +0200 -+++ openssl-1.1.0h/crypto/rand/rand_err.c 2018-03-29 14:44:24.637236901 +0200 -@@ -20,10 +20,13 @@ - - static ERR_STRING_DATA RAND_str_functs[] = { - {ERR_FUNC(RAND_F_RAND_BYTES), "RAND_bytes"}, -+ {ERR_FUNC(RAND_F_RAND_INIT_FIPS), "RAND_init_fips"}, - {0, NULL} - }; - - static ERR_STRING_DATA RAND_str_reasons[] = { -+ {ERR_REASON(RAND_R_ERROR_INITIALISING_DRBG), "error initialising DRBG"}, -+ {ERR_REASON(RAND_R_ERROR_INSTANTIATING_DRBG), "error instantiating DRBG"}, - {ERR_REASON(RAND_R_PRNG_NOT_SEEDED), "PRNG not seeded"}, - {0, NULL} - }; -diff -up openssl-1.1.0h/crypto/rand/rand_lcl.h.fips openssl-1.1.0h/crypto/rand/rand_lcl.h ---- openssl-1.1.0h/crypto/rand/rand_lcl.h.fips 2018-03-29 14:44:24.359230371 +0200 -+++ openssl-1.1.0h/crypto/rand/rand_lcl.h 2018-03-29 14:44:24.637236901 +0200 -@@ -10,7 +10,7 @@ - #ifndef HEADER_RAND_LCL_H - # define HEADER_RAND_LCL_H - --# define ENTROPY_NEEDED 32 /* require 256 bits = 32 bytes of randomness */ -+# define ENTROPY_NEEDED 48 /* require 384 bits = 48 bytes of randomness */ - - # if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND) - # define USE_SHA1_RAND -diff -up openssl-1.1.0h/crypto/rand/rand_lib.c.fips openssl-1.1.0h/crypto/rand/rand_lib.c ---- openssl-1.1.0h/crypto/rand/rand_lib.c.fips 2018-03-27 15:50:39.000000000 +0200 -+++ openssl-1.1.0h/crypto/rand/rand_lib.c 2018-03-29 14:44:24.637236901 +0200 -@@ -18,6 +18,8 @@ - #ifdef OPENSSL_FIPS - # include - # include -+# include "rand_lcl.h" -+# include "internal/fips_int.h" - #endif - - #ifndef OPENSSL_NO_ENGINE -@@ -162,3 +164,127 @@ int RAND_status(void) - return meth->status(); - return 0; - } -+ -+#ifdef OPENSSL_FIPS -+ -+/* -+ * FIPS DRBG initialisation code. This sets up the DRBG for use by the rest -+ * of OpenSSL. -+ */ -+ -+/* -+ * Entropy gatherer: use standard OpenSSL PRNG to seed (this will gather -+ * entropy internally through RAND_poll(). -+ */ -+ -+static size_t drbg_get_entropy(DRBG_CTX *ctx, unsigned char **pout, -+ int entropy, size_t min_len, size_t max_len) -+{ -+ /* Round up request to multiple of block size */ -+ min_len = ((min_len + 19) / 20) * 20; -+ *pout = OPENSSL_malloc(min_len); -+ if (!*pout) -+ return 0; -+ if (RAND_OpenSSL()->bytes(*pout, min_len) <= 0) { -+ OPENSSL_free(*pout); -+ *pout = NULL; -+ return 0; -+ } -+ return min_len; -+} -+ -+static void drbg_free_entropy(DRBG_CTX *ctx, unsigned char *out, size_t olen) -+{ -+ if (out) { -+ OPENSSL_cleanse(out, olen); -+ OPENSSL_free(out); -+ } -+} -+ -+/* -+ * Set "additional input" when generating random data. This uses the current -+ * PID, a time value and a counter. -+ */ -+ -+static size_t drbg_get_adin(DRBG_CTX *ctx, unsigned char **pout) -+{ -+ /* Use of static variables is OK as this happens under a lock */ -+ static unsigned char buf[16]; -+ static unsigned long counter; -+ FIPS_get_timevec(buf, &counter); -+ *pout = buf; -+ return sizeof(buf); -+} -+ -+/* -+ * RAND_add() and RAND_seed() pass through to OpenSSL PRNG so it is -+ * correctly seeded by RAND_poll(). -+ */ -+ -+static int drbg_rand_add(DRBG_CTX *ctx, const void *in, int inlen, -+ double entropy) -+{ -+ RAND_OpenSSL()->add(in, inlen, entropy); -+ if (FIPS_rand_status()) { -+ FIPS_drbg_reseed(ctx, NULL, 0); -+ } -+ return 1; -+} -+ -+static int drbg_rand_seed(DRBG_CTX *ctx, const void *in, int inlen) -+{ -+ RAND_OpenSSL()->seed(in, inlen); -+ if (FIPS_rand_status()) { -+ FIPS_drbg_reseed(ctx, NULL, 0); -+ } -+ return 1; -+} -+ -+# ifndef OPENSSL_DRBG_DEFAULT_TYPE -+# define OPENSSL_DRBG_DEFAULT_TYPE NID_aes_256_ctr -+# endif -+# ifndef OPENSSL_DRBG_DEFAULT_FLAGS -+# define OPENSSL_DRBG_DEFAULT_FLAGS DRBG_FLAG_CTR_USE_DF -+# endif -+ -+static int fips_drbg_type = OPENSSL_DRBG_DEFAULT_TYPE; -+static int fips_drbg_flags = OPENSSL_DRBG_DEFAULT_FLAGS; -+ -+void RAND_set_fips_drbg_type(int type, int flags) -+{ -+ fips_drbg_type = type; -+ fips_drbg_flags = flags; -+} -+ -+int RAND_init_fips(void) -+{ -+ DRBG_CTX *dctx; -+ size_t plen; -+ unsigned char pers[32], *p; -+ -+ dctx = FIPS_get_default_drbg(); -+ if (dctx == NULL || -+ FIPS_drbg_init(dctx, fips_drbg_type, fips_drbg_flags) <= 0) { -+ RANDerr(RAND_F_RAND_INIT_FIPS, RAND_R_ERROR_INITIALISING_DRBG); -+ return 0; -+ } -+ -+ FIPS_drbg_set_callbacks(dctx, -+ drbg_get_entropy, drbg_free_entropy, 20, -+ drbg_get_entropy, drbg_free_entropy); -+ FIPS_drbg_set_rand_callbacks(dctx, drbg_get_adin, 0, -+ drbg_rand_seed, drbg_rand_add); -+ /* Personalisation string: a string followed by date time vector */ -+ strcpy((char *)pers, "OpenSSL DRBG2.0"); -+ plen = drbg_get_adin(dctx, &p); -+ memcpy(pers + 16, p, plen); -+ -+ if (FIPS_drbg_instantiate(dctx, pers, sizeof(pers)) <= 0) { -+ RANDerr(RAND_F_RAND_INIT_FIPS, RAND_R_ERROR_INSTANTIATING_DRBG); -+ return 0; -+ } -+ FIPS_rand_set_method(FIPS_drbg_method()); -+ return 1; -+} -+ -+#endif -diff -up openssl-1.1.0h/crypto/rsa/rsa_crpt.c.fips openssl-1.1.0h/crypto/rsa/rsa_crpt.c ---- openssl-1.1.0h/crypto/rsa/rsa_crpt.c.fips 2018-03-27 15:50:39.000000000 +0200 -+++ openssl-1.1.0h/crypto/rsa/rsa_crpt.c 2018-03-29 14:44:24.637236901 +0200 -@@ -28,24 +28,52 @@ int RSA_size(const RSA *r) - int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, - RSA *rsa, int padding) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) -+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { -+ RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD); -+ return -1; -+ } -+#endif - return (rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding)); - } - - int RSA_private_encrypt(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, int padding) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { -+ RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, -+ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE); -+ return -1; -+ } -+#endif - return (rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding)); - } - - int RSA_private_decrypt(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, int padding) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) -+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { -+ RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD); -+ return -1; -+ } -+#endif - return (rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding)); - } - - int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to, - RSA *rsa, int padding) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { -+ RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, -+ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE); -+ return -1; -+ } -+#endif - return (rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding)); - } - -diff -up openssl-1.1.0h/crypto/rsa/rsa_err.c.fips openssl-1.1.0h/crypto/rsa/rsa_err.c ---- openssl-1.1.0h/crypto/rsa/rsa_err.c.fips 2018-03-27 15:50:39.000000000 +0200 -+++ openssl-1.1.0h/crypto/rsa/rsa_err.c 2018-03-29 14:44:24.638236924 +0200 -@@ -21,6 +21,7 @@ - static ERR_STRING_DATA RSA_str_functs[] = { - {ERR_FUNC(RSA_F_CHECK_PADDING_MD), "check_padding_md"}, - {ERR_FUNC(RSA_F_ENCODE_PKCS1), "encode_pkcs1"}, -+ {ERR_FUNC(RSA_F_FIPS_RSA_BUILTIN_KEYGEN), "fips_rsa_builtin_keygen"}, - {ERR_FUNC(RSA_F_INT_RSA_VERIFY), "int_rsa_verify"}, - {ERR_FUNC(RSA_F_OLD_RSA_PRIV_DECODE), "old_rsa_priv_decode"}, - {ERR_FUNC(RSA_F_PKEY_RSA_CTRL), "pkey_rsa_ctrl"}, -@@ -33,6 +34,7 @@ static ERR_STRING_DATA RSA_str_functs[] - {ERR_FUNC(RSA_F_RSA_CHECK_KEY), "RSA_check_key"}, - {ERR_FUNC(RSA_F_RSA_CHECK_KEY_EX), "RSA_check_key_ex"}, - {ERR_FUNC(RSA_F_RSA_CMS_DECRYPT), "rsa_cms_decrypt"}, -+ {ERR_FUNC(RSA_F_RSA_GENERATE_KEY_EX), "RSA_generate_key_ex"}, - {ERR_FUNC(RSA_F_RSA_ITEM_VERIFY), "rsa_item_verify"}, - {ERR_FUNC(RSA_F_RSA_METH_DUP), "RSA_meth_dup"}, - {ERR_FUNC(RSA_F_RSA_METH_NEW), "RSA_meth_new"}, -@@ -76,8 +78,14 @@ static ERR_STRING_DATA RSA_str_functs[] - {ERR_FUNC(RSA_F_RSA_PRINT), "RSA_print"}, - {ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"}, - {ERR_FUNC(RSA_F_RSA_PRIV_ENCODE), "rsa_priv_encode"}, -+ {ERR_FUNC(RSA_F_RSA_PRIVATE_DECRYPT), "RSA_private_decrypt"}, -+ {ERR_FUNC(RSA_F_RSA_PRIVATE_ENCRYPT), "RSA_private_encrypt"}, - {ERR_FUNC(RSA_F_RSA_PSS_TO_CTX), "rsa_pss_to_ctx"}, - {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "rsa_pub_decode"}, -+ {ERR_FUNC(RSA_F_RSA_PUBLIC_DECRYPT), "RSA_public_decrypt"}, -+ {ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"}, -+ {ERR_FUNC(RSA_F_RSA_SET_METHOD), "RSA_set_method"}, -+ {ERR_FUNC(RSA_F_RSA_SET_DEFAULT_METHOD), "RSA_set_default_method"}, - {ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"}, - {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"}, - {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), -@@ -135,10 +143,13 @@ static ERR_STRING_DATA RSA_str_reasons[] - {ERR_REASON(RSA_R_LAST_OCTET_INVALID), "last octet invalid"}, - {ERR_REASON(RSA_R_MODULUS_TOO_LARGE), "modulus too large"}, - {ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT), "no public exponent"}, -+ {ERR_REASON(RSA_R_NON_FIPS_RSA_METHOD), "non FIPS rsa method"}, - {ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING), - "null before block missing"}, - {ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q), "n does not equal p q"}, - {ERR_REASON(RSA_R_OAEP_DECODING_ERROR), "oaep decoding error"}, -+ {ERR_REASON(RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE), -+ "operation not allowed in FIPS mode"}, - {ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), - "operation not supported for this keytype"}, - {ERR_REASON(RSA_R_PADDING_CHECK_FAILED), "padding check failed"}, -diff -up openssl-1.1.0h/crypto/rsa/rsa_gen.c.fips openssl-1.1.0h/crypto/rsa/rsa_gen.c ---- openssl-1.1.0h/crypto/rsa/rsa_gen.c.fips 2018-06-08 14:56:32.413411585 +0200 -+++ openssl-1.1.0h/crypto/rsa/rsa_gen.c 2018-06-18 14:51:57.773846354 +0200 -@@ -18,6 +18,75 @@ - #include "internal/cryptlib.h" - #include - #include "rsa_locl.h" -+#ifdef OPENSSL_FIPS -+# include -+# include "internal/fips_int.h" -+ -+int fips_check_rsa(RSA *rsa) -+{ -+ const unsigned char tbs[] = "RSA Pairwise Check Data"; -+ unsigned char *ctbuf = NULL, *ptbuf = NULL; -+ int len, ret = 0; -+ EVP_PKEY *pk; -+ -+ if ((pk = EVP_PKEY_new()) == NULL) -+ goto err; -+ -+ EVP_PKEY_set1_RSA(pk, rsa); -+ -+ /* Perform pairwise consistency signature test */ -+ if (!fips_pkey_signature_test(pk, tbs, -1, -+ NULL, 0, EVP_sha1(), -+ EVP_MD_CTX_FLAG_PAD_PKCS1, NULL) -+ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(), -+ EVP_MD_CTX_FLAG_PAD_X931, NULL) -+ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(), -+ EVP_MD_CTX_FLAG_PAD_PSS, NULL)) -+ goto err; -+ /* Now perform pairwise consistency encrypt/decrypt test */ -+ ctbuf = OPENSSL_malloc(RSA_size(rsa)); -+ if (!ctbuf) -+ goto err; -+ -+ len = -+ RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa, -+ RSA_PKCS1_PADDING); -+ if (len <= 0) -+ goto err; -+ /* Check ciphertext doesn't match plaintext */ -+ if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len)) -+ goto err; -+ ptbuf = OPENSSL_malloc(RSA_size(rsa)); -+ -+ if (!ptbuf) -+ goto err; -+ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING); -+ if (len != (sizeof(tbs) - 1)) -+ goto err; -+ if (memcmp(ptbuf, tbs, len)) -+ goto err; -+ -+ ret = 1; -+ -+ if (!ptbuf) -+ goto err; -+ -+ err: -+ if (ret == 0) { -+ fips_set_selftest_fail(); -+ FIPSerr(FIPS_F_FIPS_CHECK_RSA, FIPS_R_PAIRWISE_TEST_FAILED); -+ } -+ -+ if (ctbuf) -+ OPENSSL_free(ctbuf); -+ if (ptbuf) -+ OPENSSL_free(ptbuf); -+ if (pk) -+ EVP_PKEY_free(pk); -+ -+ return ret; -+} -+#endif - - static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, - BN_GENCB *cb); -@@ -31,11 +100,281 @@ static int rsa_builtin_keygen(RSA *rsa, - */ - int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) -+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { -+ RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD); -+ return 0; -+ } -+#endif - if (rsa->meth->rsa_keygen) - return rsa->meth->rsa_keygen(rsa, bits, e_value, cb); - return rsa_builtin_keygen(rsa, bits, e_value, cb); - } - -+#ifdef OPENSSL_FIPS -+static int fips_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, -+ BN_GENCB *cb) -+{ -+ BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp; -+ BN_CTX *ctx = NULL; -+ int ok = -1; -+ int i; -+ int n = 0; -+ int test = 0; -+ int pbits = bits / 2; -+ unsigned long error = 0; -+ -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED); -+ return 0; -+ } -+ -+ if ((pbits & 0xFF) -+ || (getenv("OPENSSL_ENFORCE_MODULUS_BITS") && bits < 2048)) { -+ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_INVALID_KEY_LENGTH); -+ return 0; -+ } -+ -+ ctx = BN_CTX_new(); -+ if (ctx == NULL) -+ goto err; -+ BN_CTX_start(ctx); -+ r0 = BN_CTX_get(ctx); -+ r1 = BN_CTX_get(ctx); -+ r2 = BN_CTX_get(ctx); -+ r3 = BN_CTX_get(ctx); -+ -+ if (r3 == NULL) -+ goto err; -+ -+ /* We need the RSA components non-NULL */ -+ if (!rsa->n && ((rsa->n = BN_new()) == NULL)) -+ goto err; -+ if (!rsa->d && ((rsa->d = BN_secure_new()) == NULL)) -+ goto err; -+ if (!rsa->e && ((rsa->e = BN_new()) == NULL)) -+ goto err; -+ if (!rsa->p && ((rsa->p = BN_secure_new()) == NULL)) -+ goto err; -+ if (!rsa->q && ((rsa->q = BN_secure_new()) == NULL)) -+ goto err; -+ if (!rsa->dmp1 && ((rsa->dmp1 = BN_secure_new()) == NULL)) -+ goto err; -+ if (!rsa->dmq1 && ((rsa->dmq1 = BN_secure_new()) == NULL)) -+ goto err; -+ if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL)) -+ goto err; -+ -+ if (!BN_set_word(r0, RSA_F4)) -+ goto err; -+ if (BN_cmp(e_value, r0) < 0 || BN_num_bits(e_value) > 256) { -+ ok = 0; /* we set our own err */ -+ RSAerr(RSA_F_FIPS_RSA_BUILTIN_KEYGEN, RSA_R_BAD_E_VALUE); -+ goto err; -+ } -+ -+ /* prepare approximate minimum p and q */ -+ if (!BN_set_word(r0, 0xB504F334)) -+ goto err; -+ if (!BN_lshift(r0, r0, pbits - 32)) -+ goto err; -+ -+ /* prepare minimum p and q difference */ -+ if (!BN_one(r3)) -+ goto err; -+ if (!BN_lshift(r3, r3, pbits - 100)) -+ goto err; -+ -+ BN_copy(rsa->e, e_value); -+ -+ if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q)) -+ test = 1; -+ -+ BN_set_flags(r0, BN_FLG_CONSTTIME); -+ BN_set_flags(r1, BN_FLG_CONSTTIME); -+ BN_set_flags(r2, BN_FLG_CONSTTIME); -+ BN_set_flags(rsa->p, BN_FLG_CONSTTIME); -+ BN_set_flags(rsa->q, BN_FLG_CONSTTIME); -+ -+ retry: -+ /* generate p and q */ -+ for (i = 0; i < 5 * pbits; i++) { -+ ploop: -+ if (!test) -+ if (!BN_rand(rsa->p, pbits, 0, 1)) -+ goto err; -+ if (BN_cmp(rsa->p, r0) < 0) { -+ if (test) -+ goto err; -+ goto ploop; -+ } -+ -+ if (!BN_sub(r2, rsa->p, BN_value_one())) -+ goto err; -+ ERR_set_mark(); -+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) { -+ /* GCD == 1 since inverse exists */ -+ int r; -+ r = BN_is_prime_fasttest_ex(rsa->p, pbits > 1024 ? 4 : 5, ctx, 0, -+ cb); -+ if (r == -1 || (test && r <= 0)) -+ goto err; -+ if (r > 0) -+ break; -+ } else { -+ error = ERR_peek_last_error(); -+ if (ERR_GET_LIB(error) == ERR_LIB_BN -+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) { -+ /* GCD != 1 */ -+ ERR_pop_to_mark(); -+ } else { -+ goto err; -+ } -+ } -+ if (!BN_GENCB_call(cb, 2, n++)) -+ goto err; -+ } -+ -+ if (!BN_GENCB_call(cb, 3, 0)) -+ goto err; -+ -+ if (i >= 5 * pbits) -+ /* prime not found */ -+ goto err; -+ -+ for (i = 0; i < 5 * pbits; i++) { -+ qloop: -+ if (!test) -+ if (!BN_rand(rsa->q, pbits, 0, 1)) -+ goto err; -+ if (BN_cmp(rsa->q, r0) < 0) { -+ if (test) -+ goto err; -+ goto qloop; -+ } -+ if (!BN_sub(r2, rsa->q, rsa->p)) -+ goto err; -+ if (BN_ucmp(r2, r3) <= 0) { -+ if (test) -+ goto err; -+ goto qloop; -+ } -+ -+ if (!BN_sub(r2, rsa->q, BN_value_one())) -+ goto err; -+ ERR_set_mark(); -+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) { -+ /* GCD == 1 since inverse exists */ -+ int r; -+ r = BN_is_prime_fasttest_ex(rsa->q, pbits > 1024 ? 4 : 5, ctx, 0, -+ cb); -+ if (r == -1 || (test && r <= 0)) -+ goto err; -+ if (r > 0) -+ break; -+ } else { -+ error = ERR_peek_last_error(); -+ if (ERR_GET_LIB(error) == ERR_LIB_BN -+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) { -+ /* GCD != 1 */ -+ ERR_pop_to_mark(); -+ } else { -+ goto err; -+ } -+ } -+ if (!BN_GENCB_call(cb, 2, n++)) -+ goto err; -+ } -+ -+ if (!BN_GENCB_call(cb, 3, 1)) -+ goto err; -+ -+ if (i >= 5 * pbits) -+ /* prime not found */ -+ goto err; -+ -+ if (test) { -+ /* do not try to calculate the remaining key values */ -+ BN_clear(rsa->n); -+ ok = 1; -+ goto err; -+ } -+ -+ if (BN_cmp(rsa->p, rsa->q) < 0) { -+ tmp = rsa->p; -+ rsa->p = rsa->q; -+ rsa->q = tmp; -+ } -+ -+ /* calculate n */ -+ if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx)) -+ goto err; -+ -+ /* calculate d */ -+ if (!BN_sub(r1, rsa->p, BN_value_one())) -+ goto err; /* p-1 */ -+ if (!BN_sub(r2, rsa->q, BN_value_one())) -+ goto err; /* q-1 */ -+ -+ /* note that computing gcd is not safe to timing attacks */ -+ if (!BN_gcd(r0, r1, r2, ctx)) -+ goto err; -+ -+ { -+ if (!BN_div(r0, NULL, r1, r0, ctx)) -+ goto err; -+ -+ if (!BN_mul(r0, r0, r2, ctx)) /* lcm(p-1, q-1) */ -+ goto err; -+ -+ if (!BN_mod_inverse(rsa->d, rsa->e, r0, ctx)) /* d */ -+ goto err; -+ } -+ -+ if (BN_num_bits(rsa->d) < pbits) -+ goto retry; /* d is too small */ -+ -+ { -+ BIGNUM *d = BN_new(); -+ -+ if (d == NULL) -+ goto err; -+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); -+ -+ if (/* calculate d mod (p-1) */ -+ !BN_mod(rsa->dmp1, d, r1, ctx) -+ /* calculate d mod (q-1) */ -+ || !BN_mod(rsa->dmq1, d, r2, ctx)) { -+ BN_free(d); -+ goto err; -+ } -+ /* We MUST free d before any further use of rsa->d */ -+ BN_free(d); -+ } -+ -+ /* calculate inverse of q mod p */ -+ if (!BN_mod_inverse(rsa->iqmp, rsa->q, rsa->p, ctx)) -+ goto err; -+ -+ if (!fips_check_rsa(rsa)) -+ goto err; -+ -+ ok = 1; -+ err: -+ if (ok == -1) { -+ RSAerr(RSA_F_FIPS_RSA_BUILTIN_KEYGEN, ERR_LIB_BN); -+ ok = 0; -+ } -+ if (ctx != NULL) { -+ BN_CTX_end(ctx); -+ BN_CTX_free(ctx); -+ } -+ -+ return ok; -+} -+#endif -+ - static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, - BN_GENCB *cb) - { -@@ -44,6 +383,16 @@ static int rsa_builtin_keygen(RSA *rsa, - BN_CTX *ctx = NULL; - unsigned long error = 0; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode()) { -+ if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) { -+ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_KEY_TOO_SHORT); -+ return 0; -+ } -+ return fips_rsa_builtin_keygen(rsa, bits, e_value, cb); -+ } -+#endif -+ - /* - * When generating ridiculously small keys, we can get stuck - * continually regenerating the same prime values. -diff -up openssl-1.1.0h/crypto/rsa/rsa_lib.c.fips openssl-1.1.0h/crypto/rsa/rsa_lib.c ---- openssl-1.1.0h/crypto/rsa/rsa_lib.c.fips 2018-03-27 15:50:39.000000000 +0200 -+++ openssl-1.1.0h/crypto/rsa/rsa_lib.c 2018-03-29 14:44:24.638236924 +0200 -@@ -32,6 +32,12 @@ int RSA_set_method(RSA *rsa, const RSA_M - * to deal with which ENGINE it comes from. - */ - const RSA_METHOD *mtmp; -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) { -+ RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_RSA_METHOD); -+ return 0; -+ } -+#endif - mtmp = rsa->meth; - if (mtmp->finish) - mtmp->finish(rsa); -@@ -64,7 +70,6 @@ RSA *RSA_new_method(ENGINE *engine) - - ret->meth = RSA_get_default_method(); - #ifndef OPENSSL_NO_ENGINE -- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; - if (engine) { - if (!ENGINE_init(engine)) { - RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB); -@@ -81,8 +86,19 @@ RSA *RSA_new_method(ENGINE *engine) - } - } - #endif -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD)) { -+ RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_RSA_METHOD); -+# ifndef OPENSSL_NO_ENGINE -+ if (ret->engine) -+ ENGINE_finish(ret->engine); -+# endif -+ OPENSSL_free(ret); -+ return NULL; -+ } -+#endif - -- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; -+ ret->flags = ret->meth->flags; - if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { - goto err; - } -diff -up openssl-1.1.0h/crypto/rsa/rsa_ossl.c.fips openssl-1.1.0h/crypto/rsa/rsa_ossl.c ---- openssl-1.1.0h/crypto/rsa/rsa_ossl.c.fips 2018-03-27 15:50:39.000000000 +0200 -+++ openssl-1.1.0h/crypto/rsa/rsa_ossl.c 2018-03-29 14:44:24.638236924 +0200 -@@ -11,6 +11,10 @@ - #include "internal/bn_int.h" - #include "rsa_locl.h" - -+#ifdef OPENSSL_FIPS -+# include -+#endif -+ - static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, int padding); - static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, -@@ -45,6 +49,12 @@ static const RSA_METHOD *default_RSA_met - - void RSA_set_default_method(const RSA_METHOD *meth) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) { -+ RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_RSA_METHOD); -+ return; -+ } -+#endif - default_RSA_meth = meth; - } - -@@ -66,6 +76,22 @@ static int rsa_ossl_public_encrypt(int f - unsigned char *buf = NULL; - BN_CTX *ctx = NULL; - -+# ifdef OPENSSL_FIPS -+ if (FIPS_mode()) { -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT, -+ FIPS_R_FIPS_SELFTEST_FAILED); -+ goto err; -+ } -+ -+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) -+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { -+ RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); -+ return -1; -+ } -+ } -+# endif -+ - if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { - RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); - return -1; -@@ -245,6 +271,22 @@ static int rsa_ossl_private_encrypt(int - BIGNUM *unblind = NULL; - BN_BLINDING *blinding = NULL; - -+# ifdef OPENSSL_FIPS -+ if (FIPS_mode()) { -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT, -+ FIPS_R_FIPS_SELFTEST_FAILED); -+ return -1; -+ } -+ -+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) -+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { -+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); -+ return -1; -+ } -+ } -+# endif -+ - if ((ctx = BN_CTX_new()) == NULL) - goto err; - BN_CTX_start(ctx); -@@ -380,6 +422,22 @@ static int rsa_ossl_private_decrypt(int - BIGNUM *unblind = NULL; - BN_BLINDING *blinding = NULL; - -+# ifdef OPENSSL_FIPS -+ if (FIPS_mode()) { -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_RSA_OSSL_PRIVATE_DECRYPT, -+ FIPS_R_FIPS_SELFTEST_FAILED); -+ return -1; -+ } -+ -+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) -+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { -+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); -+ return -1; -+ } -+ } -+# endif -+ - if ((ctx = BN_CTX_new()) == NULL) - goto err; - BN_CTX_start(ctx); -@@ -504,6 +562,22 @@ static int rsa_ossl_public_decrypt(int f - unsigned char *buf = NULL; - BN_CTX *ctx = NULL; - -+# ifdef OPENSSL_FIPS -+ if (FIPS_mode()) { -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_RSA_OSSL_PUBLIC_DECRYPT, -+ FIPS_R_FIPS_SELFTEST_FAILED); -+ goto err; -+ } -+ -+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) -+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { -+ RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); -+ return -1; -+ } -+ } -+# endif -+ - if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { - RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); - return -1; -diff -up openssl-1.1.0h/crypto/rsa/rsa_sign.c.fips openssl-1.1.0h/crypto/rsa/rsa_sign.c ---- openssl-1.1.0h/crypto/rsa/rsa_sign.c.fips 2018-03-27 15:50:39.000000000 +0200 -+++ openssl-1.1.0h/crypto/rsa/rsa_sign.c 2018-03-29 14:44:24.638236924 +0200 -@@ -73,6 +73,13 @@ int RSA_sign(int type, const unsigned ch - unsigned char *tmps = NULL; - const unsigned char *encoded = NULL; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) -+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { -+ RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD); -+ return 0; -+ } -+#endif - if (rsa->meth->rsa_sign) { - return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa); - } -@@ -100,8 +107,9 @@ int RSA_sign(int type, const unsigned ch - RSAerr(RSA_F_RSA_SIGN, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); - goto err; - } -- encrypt_len = RSA_private_encrypt(encoded_len, encoded, sigret, rsa, -- RSA_PKCS1_PADDING); -+ /* NB: call underlying method directly to avoid FIPS blocking */ -+ encrypt_len = rsa->meth->rsa_priv_enc ? rsa->meth->rsa_priv_enc(encoded_len, encoded, sigret, rsa, -+ RSA_PKCS1_PADDING) : 0; - if (encrypt_len <= 0) - goto err; - -diff -up openssl-1.1.0h/crypto/sha/sha_locl.h.fips openssl-1.1.0h/crypto/sha/sha_locl.h ---- openssl-1.1.0h/crypto/sha/sha_locl.h.fips 2018-03-29 14:44:24.237227506 +0200 -+++ openssl-1.1.0h/crypto/sha/sha_locl.h 2018-03-29 14:44:24.638236924 +0200 -@@ -52,6 +52,9 @@ void sha1_block_data_order(SHA_CTX *c, c - - int HASH_INIT(SHA_CTX *c) - { -+#if defined(OPENSSL_FIPS) -+ FIPS_selftest_check(); -+#endif - memset(c, 0, sizeof(*c)); - c->h0 = INIT_DATA_h0; - c->h1 = INIT_DATA_h1; -diff -up openssl-1.1.0h/crypto/sha/sha256.c.fips openssl-1.1.0h/crypto/sha/sha256.c ---- openssl-1.1.0h/crypto/sha/sha256.c.fips 2018-03-27 15:50:39.000000000 +0200 -+++ openssl-1.1.0h/crypto/sha/sha256.c 2018-03-29 14:44:24.639236948 +0200 -@@ -18,6 +18,9 @@ - - int SHA224_Init(SHA256_CTX *c) - { -+# ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+# endif - memset(c, 0, sizeof(*c)); - c->h[0] = 0xc1059ed8UL; - c->h[1] = 0x367cd507UL; -@@ -33,6 +36,9 @@ int SHA224_Init(SHA256_CTX *c) - - int SHA256_Init(SHA256_CTX *c) - { -+# ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+# endif - memset(c, 0, sizeof(*c)); - c->h[0] = 0x6a09e667UL; - c->h[1] = 0xbb67ae85UL; -diff -up openssl-1.1.0h/crypto/sha/sha512.c.fips openssl-1.1.0h/crypto/sha/sha512.c ---- openssl-1.1.0h/crypto/sha/sha512.c.fips 2018-03-27 15:50:39.000000000 +0200 -+++ openssl-1.1.0h/crypto/sha/sha512.c 2018-03-29 14:44:24.639236948 +0200 -@@ -62,6 +62,9 @@ - - int SHA384_Init(SHA512_CTX *c) - { -+# ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+# endif - c->h[0] = U64(0xcbbb9d5dc1059ed8); - c->h[1] = U64(0x629a292a367cd507); - c->h[2] = U64(0x9159015a3070dd17); -@@ -80,6 +83,9 @@ int SHA384_Init(SHA512_CTX *c) - - int SHA512_Init(SHA512_CTX *c) - { -+# ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+# endif - c->h[0] = U64(0x6a09e667f3bcc908); - c->h[1] = U64(0xbb67ae8584caa73b); - c->h[2] = U64(0x3c6ef372fe94f82b); -diff -up openssl-1.1.0h/doc/crypto/DSA_generate_parameters.pod.fips openssl-1.1.0h/doc/crypto/DSA_generate_parameters.pod ---- openssl-1.1.0h/doc/crypto/DSA_generate_parameters.pod.fips 2018-03-27 15:50:39.000000000 +0200 -+++ openssl-1.1.0h/doc/crypto/DSA_generate_parameters.pod 2018-03-29 14:44:24.639236948 +0200 -@@ -29,8 +29,10 @@ B is the length of the prime p to - For lengths under 2048 bits, the length of q is 160 bits; for lengths - greater than or equal to 2048 bits, the length of q is set to 256 bits. - --If B is NULL, the primes will be generated at random. --If B is less than the length of q, an error is returned. -+If B is NULL, or it does not generate primes, the primes will be -+generated at random. -+If B is less than the length of q, an error is returned -+if old DSA parameter generation method is used as a backend. - - DSA_generate_parameters_ex() places the iteration count in - *B and a counter used for finding a generator in -diff -up openssl-1.1.0h/include/openssl/crypto.h.fips openssl-1.1.0h/include/openssl/crypto.h ---- openssl-1.1.0h/include/openssl/crypto.h.fips 2018-03-27 15:50:40.000000000 +0200 -+++ openssl-1.1.0h/include/openssl/crypto.h 2018-03-29 14:44:24.640236971 +0200 -@@ -336,6 +336,11 @@ int OPENSSL_isservice(void); - int FIPS_mode(void); - int FIPS_mode_set(int r); - -+# ifdef OPENSSL_FIPS -+/* die if FIPS selftest failed */ -+void FIPS_selftest_check(void); -+# endif -+ - void OPENSSL_init(void); - - struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result); -diff -up openssl-1.1.0h/include/openssl/dh.h.fips openssl-1.1.0h/include/openssl/dh.h ---- openssl-1.1.0h/include/openssl/dh.h.fips 2018-03-27 15:50:40.000000000 +0200 -+++ openssl-1.1.0h/include/openssl/dh.h 2018-03-29 14:44:24.640236971 +0200 -@@ -30,6 +30,7 @@ extern "C" { - # endif - - # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 -+# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048 - - # define DH_FLAG_CACHE_MONT_P 0x01 - -@@ -325,6 +326,9 @@ int ERR_load_DH_strings(void); - # define DH_F_DH_CMS_DECRYPT 114 - # define DH_F_DH_CMS_SET_PEERKEY 115 - # define DH_F_DH_CMS_SET_SHARED_INFO 116 -+# define DH_F_DH_COMPUTE_KEY 203 -+# define DH_F_DH_GENERATE_KEY 202 -+# define DH_F_DH_GENERATE_PARAMETERS_EX 201 - # define DH_F_DH_METH_DUP 117 - # define DH_F_DH_METH_NEW 118 - # define DH_F_DH_METH_SET1_NAME 119 -@@ -346,10 +350,12 @@ int ERR_load_DH_strings(void); - # define DH_R_DECODE_ERROR 104 - # define DH_R_INVALID_PUBKEY 102 - # define DH_R_KDF_PARAMETER_ERROR 112 -+# define DH_R_KEY_SIZE_TOO_SMALL 201 - # define DH_R_KEYS_NOT_SET 108 - # define DH_R_MODULUS_TOO_LARGE 103 - # define DH_R_NO_PARAMETERS_SET 107 - # define DH_R_NO_PRIVATE_VALUE 100 -+# define DH_R_NON_FIPS_METHOD 202 - # define DH_R_PARAMETER_ENCODING_ERROR 105 - # define DH_R_PEER_KEY_ERROR 111 - # define DH_R_SHARED_INFO_ERROR 113 -diff -up openssl-1.1.0h/include/openssl/dsa.h.fips openssl-1.1.0h/include/openssl/dsa.h ---- openssl-1.1.0h/include/openssl/dsa.h.fips 2018-03-27 15:50:40.000000000 +0200 -+++ openssl-1.1.0h/include/openssl/dsa.h 2018-03-29 14:44:24.641236994 +0200 -@@ -36,6 +36,7 @@ extern "C" { - # endif - - # define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024 -+# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN 2048 - - # define DSA_FLAG_CACHE_MONT_P 0x01 - # if OPENSSL_API_COMPAT < 0x10100000L -@@ -146,9 +147,9 @@ int DSAparams_print_fp(FILE *fp, const D - int DSA_print_fp(FILE *bp, const DSA *x, int off); - # endif - --# define DSS_prime_checks 50 -+# define DSS_prime_checks 64 - /* -- * Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of -+ * Primality test according to FIPS PUB 186-4, Appendix 2.1: 64 rounds of - * Rabin-Miller - */ - # define DSA_is_prime(n, callback, cb_arg) \ -@@ -241,8 +242,11 @@ int ERR_load_DSA_strings(void); - /* Function codes. */ - # define DSA_F_DSAPARAMS_PRINT 100 - # define DSA_F_DSAPARAMS_PRINT_FP 101 -+# define DSA_F_DSA_BUILTIN_KEYGEN 202 - # define DSA_F_DSA_BUILTIN_PARAMGEN 125 - # define DSA_F_DSA_BUILTIN_PARAMGEN2 126 -+# define DSA_F_DSA_GENERATE_KEY 201 -+# define DSA_F_DSA_GENERATE_PARAMETERS_EX 200 - # define DSA_F_DSA_DO_SIGN 112 - # define DSA_F_DSA_DO_VERIFY 113 - # define DSA_F_DSA_METH_DUP 127 -@@ -269,9 +273,12 @@ int ERR_load_DSA_strings(void); - # define DSA_R_DECODE_ERROR 104 - # define DSA_R_INVALID_DIGEST_TYPE 106 - # define DSA_R_INVALID_PARAMETERS 112 -+# define DSA_R_KEY_SIZE_INVALID 201 -+# define DSA_R_KEY_SIZE_TOO_SMALL 202 - # define DSA_R_MISSING_PARAMETERS 101 - # define DSA_R_MODULUS_TOO_LARGE 103 - # define DSA_R_NO_PARAMETERS_SET 107 -+# define DSA_R_NON_FIPS_DSA_METHOD 200 - # define DSA_R_PARAMETER_ENCODING_ERROR 105 - # define DSA_R_Q_NOT_PRIME 113 - # define DSA_R_SEED_LEN_SMALL 110 -diff -up openssl-1.1.0h/include/openssl/evp.h.fips openssl-1.1.0h/include/openssl/evp.h ---- openssl-1.1.0h/include/openssl/evp.h.fips 2018-03-27 15:50:40.000000000 +0200 -+++ openssl-1.1.0h/include/openssl/evp.h 2018-03-29 14:44:24.641236994 +0200 -@@ -1461,6 +1461,7 @@ int ERR_load_EVP_strings(void); - # define EVP_F_AES_OCB_CIPHER 169 - # define EVP_F_AES_T4_INIT_KEY 178 - # define EVP_F_AES_WRAP_CIPHER 170 -+# define EVP_F_AES_XTS_CIPHER 200 - # define EVP_F_ALG_MODULE_INIT 177 - # define EVP_F_CAMELLIA_INIT_KEY 159 - # define EVP_F_CHACHA20_POLY1305_CTRL 182 -@@ -1539,6 +1540,7 @@ int ERR_load_EVP_strings(void); - # define EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED 133 - # define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138 - # define EVP_R_DECODE_ERROR 114 -+# define EVP_R_DISABLED_FOR_FIPS 200 - # define EVP_R_DIFFERENT_KEY_TYPES 101 - # define EVP_R_DIFFERENT_PARAMETERS 153 - # define EVP_R_ERROR_LOADING_SECTION 165 -@@ -1575,6 +1577,7 @@ int ERR_load_EVP_strings(void); - # define EVP_R_PRIVATE_KEY_DECODE_ERROR 145 - # define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146 - # define EVP_R_PUBLIC_KEY_NOT_RSA 106 -+# define EVP_R_TOO_LARGE 201 - # define EVP_R_UNKNOWN_CIPHER 160 - # define EVP_R_UNKNOWN_DIGEST 161 - # define EVP_R_UNKNOWN_OPTION 169 -diff -up openssl-1.1.0h/include/openssl/fips.h.fips openssl-1.1.0h/include/openssl/fips.h ---- openssl-1.1.0h/include/openssl/fips.h.fips 2018-03-29 14:44:24.641236994 +0200 -+++ openssl-1.1.0h/include/openssl/fips.h 2018-03-29 14:44:24.641236994 +0200 -@@ -0,0 +1,186 @@ -+/* ==================================================================== -+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#include -+#include -+#include -+#include -+ -+#ifndef OPENSSL_FIPS -+# error FIPS is disabled. -+#endif -+ -+#ifdef OPENSSL_FIPS -+ -+# ifdef __cplusplus -+extern "C" { -+# endif -+ -+ int FIPS_selftest(void); -+ int FIPS_selftest_failed(void); -+ int FIPS_selftest_drbg_all(void); -+ -+ int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, -+ const EVP_MD *evpmd, const unsigned char *seed_in, -+ size_t seed_len, int idx, unsigned char *seed_out, -+ int *counter_ret, unsigned long *h_ret, -+ BN_GENCB *cb); -+ int FIPS_dsa_paramgen_check_g(DSA *dsa); -+ -+/* BEGIN ERROR CODES */ -+/* The following lines are auto generated by the script mkerr.pl. Any changes -+ * made after this point may be overwritten when the script is next run. -+ */ -+ int ERR_load_FIPS_strings(void); -+ -+/* Error codes for the FIPS functions. */ -+ -+/* Function codes. */ -+# define FIPS_F_DH_BUILTIN_GENPARAMS 100 -+# define FIPS_F_DRBG_RESEED 121 -+# define FIPS_F_DSA_BUILTIN_PARAMGEN2 107 -+# define FIPS_F_DSA_DO_SIGN 102 -+# define FIPS_F_DSA_DO_VERIFY 103 -+# define FIPS_F_EVP_CIPHER_CTX_NEW 137 -+# define FIPS_F_EVP_CIPHER_CTX_RESET 122 -+# define FIPS_F_ECDH_COMPUTE_KEY 123 -+# define FIPS_F_EVP_CIPHERINIT_EX 124 -+# define FIPS_F_EVP_DIGESTINIT_EX 125 -+# define FIPS_F_FIPS_CHECK_DSA 104 -+# define FIPS_F_FIPS_CHECK_EC 142 -+# define FIPS_F_FIPS_CHECK_RSA 106 -+# define FIPS_F_FIPS_DRBG_BYTES 131 -+# define FIPS_F_FIPS_DRBG_CHECK 146 -+# define FIPS_F_FIPS_DRBG_CPRNG_TEST 132 -+# define FIPS_F_FIPS_DRBG_ERROR_CHECK 136 -+# define FIPS_F_FIPS_DRBG_GENERATE 134 -+# define FIPS_F_FIPS_DRBG_INIT 135 -+# define FIPS_F_FIPS_DRBG_INSTANTIATE 138 -+# define FIPS_F_FIPS_DRBG_NEW 139 -+# define FIPS_F_FIPS_DRBG_RESEED 140 -+# define FIPS_F_FIPS_DRBG_SINGLE_KAT 141 -+# define FIPS_F_FIPS_GET_ENTROPY 147 -+# define FIPS_F_FIPS_MODULE_MODE_SET 108 -+# define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109 -+# define FIPS_F_FIPS_RAND_BYTES 114 -+# define FIPS_F_FIPS_RAND_SEED 128 -+# define FIPS_F_FIPS_RAND_SET_METHOD 126 -+# define FIPS_F_FIPS_RAND_STATUS 127 -+# define FIPS_F_FIPS_RSA_BUILTIN_KEYGEN 101 -+# define FIPS_F_FIPS_SELFTEST_AES 110 -+# define FIPS_F_FIPS_SELFTEST_AES_CCM 145 -+# define FIPS_F_FIPS_SELFTEST_AES_GCM 129 -+# define FIPS_F_FIPS_SELFTEST_AES_XTS 144 -+# define FIPS_F_FIPS_SELFTEST_CMAC 130 -+# define FIPS_F_FIPS_SELFTEST_DES 111 -+# define FIPS_F_FIPS_SELFTEST_DSA 112 -+# define FIPS_F_FIPS_SELFTEST_ECDSA 133 -+# define FIPS_F_FIPS_SELFTEST_HMAC 113 -+# define FIPS_F_FIPS_SELFTEST_SHA1 115 -+# define FIPS_F_FIPS_SELFTEST_SHA2 105 -+# define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 -+# define FIPS_F_OSSL_ECDSA_VERIFY_SIG 148 -+# define FIPS_F_RSA_BUILTIN_KEYGEN 116 -+# define FIPS_F_RSA_OSSL_INIT 149 -+# define FIPS_F_RSA_OSSL_PRIVATE_DECRYPT 117 -+# define FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT 118 -+# define FIPS_F_RSA_OSSL_PUBLIC_DECRYPT 119 -+# define FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT 120 -+ -+/* Reason codes. */ -+# define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 150 -+# define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 125 -+# define FIPS_R_ALREADY_INSTANTIATED 134 -+# define FIPS_R_DRBG_NOT_INITIALISED 152 -+# define FIPS_R_DRBG_STUCK 103 -+# define FIPS_R_ENTROPY_ERROR_UNDETECTED 104 -+# define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105 -+# define FIPS_R_ENTROPY_SOURCE_STUCK 142 -+# define FIPS_R_ERROR_INITIALISING_DRBG 115 -+# define FIPS_R_ERROR_INSTANTIATING_DRBG 127 -+# define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 124 -+# define FIPS_R_ERROR_RETRIEVING_ENTROPY 122 -+# define FIPS_R_ERROR_RETRIEVING_NONCE 140 -+# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 110 -+# define FIPS_R_FIPS_MODE_ALREADY_SET 102 -+# define FIPS_R_FIPS_SELFTEST_FAILED 106 -+# define FIPS_R_FUNCTION_ERROR 116 -+# define FIPS_R_GENERATE_ERROR 137 -+# define FIPS_R_GENERATE_ERROR_UNDETECTED 118 -+# define FIPS_R_INSTANTIATE_ERROR 119 -+# define FIPS_R_INTERNAL_ERROR 121 -+# define FIPS_R_INVALID_KEY_LENGTH 109 -+# define FIPS_R_IN_ERROR_STATE 123 -+# define FIPS_R_KEY_TOO_SHORT 108 -+# define FIPS_R_NONCE_ERROR_UNDETECTED 149 -+# define FIPS_R_NON_FIPS_METHOD 100 -+# define FIPS_R_NOPR_TEST1_FAILURE 145 -+# define FIPS_R_NOPR_TEST2_FAILURE 146 -+# define FIPS_R_NOT_INSTANTIATED 126 -+# define FIPS_R_PAIRWISE_TEST_FAILED 107 -+# define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128 -+# define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129 -+# define FIPS_R_PR_TEST1_FAILURE 147 -+# define FIPS_R_PR_TEST2_FAILURE 148 -+# define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 130 -+# define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 131 -+# define FIPS_R_RESEED_COUNTER_ERROR 132 -+# define FIPS_R_RESEED_ERROR 133 -+# define FIPS_R_SELFTEST_FAILED 101 -+# define FIPS_R_SELFTEST_FAILURE 135 -+# define FIPS_R_TEST_FAILURE 117 -+# define FIPS_R_UNINSTANTIATE_ERROR 141 -+# define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 138 -+# define FIPS_R_UNSUPPORTED_DRBG_TYPE 139 -+# define FIPS_R_UNSUPPORTED_PLATFORM 113 -+ -+# ifdef __cplusplus -+} -+# endif -+#endif -diff -up openssl-1.1.0h/include/openssl/fips_rand.h.fips openssl-1.1.0h/include/openssl/fips_rand.h ---- openssl-1.1.0h/include/openssl/fips_rand.h.fips 2018-03-29 14:44:24.641236994 +0200 -+++ openssl-1.1.0h/include/openssl/fips_rand.h 2018-03-29 14:44:24.641236994 +0200 -@@ -0,0 +1,145 @@ -+/* ==================================================================== -+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#ifndef HEADER_FIPS_RAND_H -+# define HEADER_FIPS_RAND_H -+ -+# include -+# include -+# include -+# include -+ -+# ifdef OPENSSL_FIPS -+ -+# ifdef __cplusplus -+extern "C" { -+# endif -+ typedef struct drbg_ctx_st DRBG_CTX; -+/* DRBG external flags */ -+/* Flag for CTR mode only: use derivation function ctr_df */ -+# define DRBG_FLAG_CTR_USE_DF 0x1 -+/* PRNG is in test state */ -+# define DRBG_FLAG_TEST 0x2 -+ -+ DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags); -+ int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags); -+ int FIPS_drbg_instantiate(DRBG_CTX *dctx, -+ const unsigned char *pers, size_t perslen); -+ int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin, -+ size_t adinlen); -+ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen, -+ int prediction_resistance, -+ const unsigned char *adin, size_t adinlen); -+ -+ int FIPS_drbg_uninstantiate(DRBG_CTX *dctx); -+ void FIPS_drbg_free(DRBG_CTX *dctx); -+ -+ int FIPS_drbg_set_callbacks(DRBG_CTX *dctx, -+ size_t (*get_entropy) (DRBG_CTX *ctx, -+ unsigned char **pout, -+ int entropy, -+ size_t min_len, -+ size_t max_len), -+ void (*cleanup_entropy) (DRBG_CTX *ctx, -+ unsigned char *out, -+ size_t olen), -+ size_t entropy_blocklen, -+ size_t (*get_nonce) (DRBG_CTX *ctx, -+ unsigned char **pout, -+ int entropy, -+ size_t min_len, -+ size_t max_len), -+ void (*cleanup_nonce) (DRBG_CTX *ctx, -+ unsigned char *out, -+ size_t olen)); -+ -+ int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx, -+ size_t (*get_adin) (DRBG_CTX *ctx, -+ unsigned char -+ **pout), -+ void (*cleanup_adin) (DRBG_CTX *ctx, -+ unsigned char *out, -+ size_t olen), -+ int (*rand_seed_cb) (DRBG_CTX *ctx, -+ const void *buf, -+ int num), -+ int (*rand_add_cb) (DRBG_CTX *ctx, -+ const void *buf, -+ int num, -+ double entropy)); -+ -+ void *FIPS_drbg_get_app_data(DRBG_CTX *ctx); -+ void FIPS_drbg_set_app_data(DRBG_CTX *ctx, void *app_data); -+ size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx); -+ int FIPS_drbg_get_strength(DRBG_CTX *dctx); -+ void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval); -+ void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval); -+ -+ int FIPS_drbg_health_check(DRBG_CTX *dctx); -+ -+ DRBG_CTX *FIPS_get_default_drbg(void); -+ const RAND_METHOD *FIPS_drbg_method(void); -+ -+ int FIPS_rand_set_method(const RAND_METHOD *meth); -+ const RAND_METHOD *FIPS_rand_get_method(void); -+ -+ void FIPS_rand_set_bits(int nbits); -+ -+ int FIPS_rand_strength(void); -+ -+/* 1.0.0 compat functions */ -+ int FIPS_rand_seed(const void *buf, int num); -+ int FIPS_rand_bytes(unsigned char *out, int outlen); -+ void FIPS_rand_reset(void); -+ int FIPS_rand_status(void); -+# ifdef __cplusplus -+} -+# endif -+# endif -+#endif -diff -up openssl-1.1.0h/include/openssl/opensslconf.h.in.fips openssl-1.1.0h/include/openssl/opensslconf.h.in ---- openssl-1.1.0h/include/openssl/opensslconf.h.in.fips 2018-03-27 15:50:40.000000000 +0200 -+++ openssl-1.1.0h/include/openssl/opensslconf.h.in 2018-03-29 14:44:24.642237018 +0200 -@@ -136,6 +136,11 @@ extern "C" { - - #define RC4_INT {- $config{rc4_int} -} - -+/* Always build FIPS module */ -+#ifndef OPENSSL_FIPS -+# define OPENSSL_FIPS -+#endif -+ - #ifdef __cplusplus - } - #endif -diff -up openssl-1.1.0h/include/openssl/rand.h.fips openssl-1.1.0h/include/openssl/rand.h ---- openssl-1.1.0h/include/openssl/rand.h.fips 2018-03-27 15:50:40.000000000 +0200 -+++ openssl-1.1.0h/include/openssl/rand.h 2018-03-29 14:44:24.642237018 +0200 -@@ -67,6 +67,11 @@ DEPRECATEDIN_1_1_0(void RAND_screen(void - DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM)) - #endif - -+# ifdef OPENSSL_FIPS -+void RAND_set_fips_drbg_type(int type, int flags); -+int RAND_init_fips(void); -+# endif -+ - /* BEGIN ERROR CODES */ - /* - * The following lines are auto generated by the script mkerr.pl. Any changes -@@ -79,8 +84,11 @@ int ERR_load_RAND_strings(void); - - /* Function codes. */ - # define RAND_F_RAND_BYTES 100 -+# define RAND_F_RAND_INIT_FIPS 200 - - /* Reason codes. */ -+# define RAND_R_ERROR_INITIALISING_DRBG 200 -+# define RAND_R_ERROR_INSTANTIATING_DRBG 201 - # define RAND_R_PRNG_NOT_SEEDED 100 - - # ifdef __cplusplus -diff -up openssl-1.1.0h/include/openssl/rsa.h.fips openssl-1.1.0h/include/openssl/rsa.h ---- openssl-1.1.0h/include/openssl/rsa.h.fips 2018-03-27 15:50:40.000000000 +0200 -+++ openssl-1.1.0h/include/openssl/rsa.h 2018-03-29 14:44:24.642237018 +0200 -@@ -463,6 +463,7 @@ int ERR_load_RSA_strings(void); - /* Function codes. */ - # define RSA_F_CHECK_PADDING_MD 140 - # define RSA_F_ENCODE_PKCS1 146 -+# define RSA_F_FIPS_RSA_BUILTIN_KEYGEN 206 - # define RSA_F_INT_RSA_VERIFY 145 - # define RSA_F_OLD_RSA_PRIV_DECODE 147 - # define RSA_F_PKEY_RSA_CTRL 143 -@@ -475,6 +476,7 @@ int ERR_load_RSA_strings(void); - # define RSA_F_RSA_CHECK_KEY 123 - # define RSA_F_RSA_CHECK_KEY_EX 160 - # define RSA_F_RSA_CMS_DECRYPT 159 -+# define RSA_F_RSA_GENERATE_KEY_EX 204 - # define RSA_F_RSA_ITEM_VERIFY 148 - # define RSA_F_RSA_METH_DUP 161 - # define RSA_F_RSA_METH_NEW 162 -@@ -509,9 +511,15 @@ int ERR_load_RSA_strings(void); - # define RSA_F_RSA_PRINT 115 - # define RSA_F_RSA_PRINT_FP 116 - # define RSA_F_RSA_PRIV_ENCODE 138 -+# define RSA_F_RSA_PRIVATE_DECRYPT 200 -+# define RSA_F_RSA_PRIVATE_ENCRYPT 201 - # define RSA_F_RSA_PSS_TO_CTX 155 - # define RSA_F_RSA_PUB_DECODE 139 -+# define RSA_F_RSA_PUBLIC_DECRYPT 202 -+# define RSA_F_RSA_PUBLIC_ENCRYPT 203 - # define RSA_F_RSA_SETUP_BLINDING 136 -+# define RSA_F_RSA_SET_DEFAULT_METHOD 205 -+# define RSA_F_RSA_SET_METHOD 204 - # define RSA_F_RSA_SIGN 117 - # define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118 - # define RSA_F_RSA_VERIFY 119 -@@ -558,9 +566,11 @@ int ERR_load_RSA_strings(void); - # define RSA_R_LAST_OCTET_INVALID 134 - # define RSA_R_MODULUS_TOO_LARGE 105 - # define RSA_R_NO_PUBLIC_EXPONENT 140 -+# define RSA_R_NON_FIPS_RSA_METHOD 200 - # define RSA_R_NULL_BEFORE_BLOCK_MISSING 113 - # define RSA_R_N_DOES_NOT_EQUAL_P_Q 127 - # define RSA_R_OAEP_DECODING_ERROR 121 -+# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 201 - # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 - # define RSA_R_PADDING_CHECK_FAILED 114 - # define RSA_R_PKCS_DECODING_ERROR 159 -diff -up openssl-1.1.0h/ssl/ssl_ciph.c.fips openssl-1.1.0h/ssl/ssl_ciph.c ---- openssl-1.1.0h/ssl/ssl_ciph.c.fips 2018-03-29 14:44:24.625236619 +0200 -+++ openssl-1.1.0h/ssl/ssl_ciph.c 2018-03-29 14:44:24.643237042 +0200 -@@ -404,7 +404,8 @@ void ssl_load_ciphers(void) - } - } - /* Make sure we can access MD5 and SHA1 */ -- OPENSSL_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL); -+ if (!FIPS_mode()) -+ OPENSSL_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL); - OPENSSL_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL); - - disabled_mkey_mask = 0; -@@ -687,7 +688,7 @@ static void ssl_cipher_collect_ciphers(c - /* drop those that use any of that is not available */ - if (c == NULL || !c->valid) - continue; -- if (FIPS_mode() && (c->algo_strength & SSL_FIPS)) -+ if (FIPS_mode() && !(c->algo_strength & SSL_FIPS)) - continue; - if ((c->algorithm_mkey & disabled_mkey) || - (c->algorithm_auth & disabled_auth) || -diff -up openssl-1.1.0h/ssl/ssl_init.c.fips openssl-1.1.0h/ssl/ssl_init.c ---- openssl-1.1.0h/ssl/ssl_init.c.fips 2018-03-27 15:50:40.000000000 +0200 -+++ openssl-1.1.0h/ssl/ssl_init.c 2018-03-29 14:44:24.643237042 +0200 -@@ -28,6 +28,10 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas - fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: " - "Adding SSL ciphers and digests\n"); - #endif -+#ifdef OPENSSL_FIPS -+ if (!FIPS_mode()) { -+#endif -+ - #ifndef OPENSSL_NO_DES - EVP_add_cipher(EVP_des_cbc()); - EVP_add_cipher(EVP_des_ede3_cbc()); -@@ -84,6 +88,31 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas - EVP_add_digest(EVP_sha256()); - EVP_add_digest(EVP_sha384()); - EVP_add_digest(EVP_sha512()); -+#ifdef OPENSSL_FIPS -+ } else { -+# ifndef OPENSSL_NO_DES -+ EVP_add_cipher(EVP_des_ede3_cbc()); -+# endif -+ EVP_add_cipher(EVP_aes_128_cbc()); -+ EVP_add_cipher(EVP_aes_192_cbc()); -+ EVP_add_cipher(EVP_aes_256_cbc()); -+ EVP_add_cipher(EVP_aes_128_gcm()); -+ EVP_add_cipher(EVP_aes_256_gcm()); -+ EVP_add_cipher(EVP_aes_128_ccm()); -+ EVP_add_cipher(EVP_aes_256_ccm()); -+# ifndef OPENSSL_NO_MD5 -+ /* needed even in the FIPS mode for TLS-1.0 */ -+ EVP_add_digest(EVP_md5_sha1()); -+# endif -+ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */ -+ EVP_add_digest_alias(SN_sha1, "ssl3-sha1"); -+ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA); -+ EVP_add_digest(EVP_sha224()); -+ EVP_add_digest(EVP_sha256()); -+ EVP_add_digest(EVP_sha384()); -+ EVP_add_digest(EVP_sha512()); -+ } -+#endif - #ifndef OPENSSL_NO_COMP - # ifdef OPENSSL_INIT_DEBUG - fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: " -diff -up openssl-1.1.0h/ssl/ssl_lib.c.fips openssl-1.1.0h/ssl/ssl_lib.c ---- openssl-1.1.0h/ssl/ssl_lib.c.fips 2018-03-29 14:44:24.625236619 +0200 -+++ openssl-1.1.0h/ssl/ssl_lib.c 2018-03-29 14:44:24.643237042 +0200 -@@ -2588,13 +2588,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m - if (ret->param == NULL) - goto err; - -- if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) { -- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); -- goto err2; -- } -- if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) { -- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); -- goto err2; -+ if (!FIPS_mode()) { -+ if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) { -+ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); -+ goto err2; -+ } -+ if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) { -+ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); -+ goto err2; -+ } -+ } else { -+ ret->min_proto_version = TLS1_VERSION; - } - - if ((ret->client_CA = sk_X509_NAME_new_null()) == NULL) -diff -up openssl-1.1.0h/test/dsatest.c.fips openssl-1.1.0h/test/dsatest.c ---- openssl-1.1.0h/test/dsatest.c.fips 2018-03-27 15:50:41.000000000 +0200 -+++ openssl-1.1.0h/test/dsatest.c 2018-03-29 14:44:24.644237065 +0200 -@@ -32,41 +32,42 @@ int main(int argc, char *argv[]) - - static int dsa_cb(int p, int n, BN_GENCB *arg); - --/* -- * seed, out_p, out_q, out_g are taken from the updated Appendix 5 to FIPS -- * PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 -- */ - static unsigned char seed[20] = { -- 0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8, 0xb6, 0x21, 0x1b, 0x40, -- 0x62, 0xba, 0x32, 0x24, 0xe0, 0x42, 0x7d, 0xd3, -+ 0x02, 0x47, 0x11, 0x92, 0x11, 0x88, 0xC8, 0xFB, 0xAF, 0x48, 0x4C, 0x62, -+ 0xDF, 0xA5, 0xBE, 0xA0, 0xA4, 0x3C, 0x56, 0xE3, - }; - - static unsigned char out_p[] = { -- 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76, 0xaa, -- 0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69, 0xcb, -- 0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c, 0xf7, -- 0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82, 0xe5, -- 0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e, 0xaf, -- 0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a, 0xac, -- 0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24, 0xc2, -- 0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02, 0x91, -+ 0xAC, 0xCB, 0x1E, 0x63, 0x60, 0x69, 0x0C, 0xFB, 0x06, 0x19, 0x68, 0x3E, -+ 0xA5, 0x01, 0x5A, 0xA2, 0x15, 0x5C, 0xE2, 0x99, 0x2D, 0xD5, 0x30, 0x99, -+ 0x7E, 0x5F, 0x8D, 0xE2, 0xF7, 0xC6, 0x2E, 0x8D, 0xA3, 0x9F, 0x58, 0xAD, -+ 0xD6, 0xA9, 0x7D, 0x0E, 0x0D, 0x95, 0x53, 0xA6, 0x71, 0x3A, 0xDE, 0xAB, -+ 0xAC, 0xE9, 0xF4, 0x36, 0x55, 0x9E, 0xB9, 0xD6, 0x93, 0xBF, 0xF3, 0x18, -+ 0x1C, 0x14, 0x7B, 0xA5, 0x42, 0x2E, 0xCD, 0x00, 0xEB, 0x35, 0x3B, 0x1B, -+ 0xA8, 0x51, 0xBB, 0xE1, 0x58, 0x42, 0x85, 0x84, 0x22, 0xA7, 0x97, 0x5E, -+ 0x99, 0x6F, 0x38, 0x20, 0xBD, 0x9D, 0xB6, 0xD9, 0x33, 0x37, 0x2A, 0xFD, -+ 0xBB, 0xD4, 0xBC, 0x0C, 0x2A, 0x67, 0xCB, 0x9F, 0xBB, 0xDF, 0xF9, 0x93, -+ 0xAA, 0xD6, 0xF0, 0xD6, 0x95, 0x0B, 0x5D, 0x65, 0x14, 0xD0, 0x18, 0x9D, -+ 0xC6, 0xAF, 0xF0, 0xC6, 0x37, 0x7C, 0xF3, 0x5F, - }; - - static unsigned char out_q[] = { -- 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8, 0xee, -- 0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4, 0x8e, -- 0xda, 0xce, 0x91, 0x5f, -+ 0xE3, 0x8E, 0x5E, 0x6D, 0xBF, 0x2B, 0x79, 0xF8, 0xC5, 0x4B, 0x89, 0x8B, -+ 0xBA, 0x2D, 0x91, 0xC3, 0x6C, 0x80, 0xAC, 0x87, - }; - - static unsigned char out_g[] = { -- 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, 0x13, -- 0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5, 0x00, -- 0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef, 0xcb, -- 0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c, 0x2e, -- 0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba, 0xbf, -- 0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c, 0x9c, -- 0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08, 0x8c, -- 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88, 0x02, -+ 0x42, 0x4A, 0x04, 0x4E, 0x79, 0xB4, 0x99, 0x7F, 0xFD, 0x58, 0x36, 0x2C, -+ 0x1B, 0x5F, 0x18, 0x7E, 0x0D, 0xCC, 0xAB, 0x81, 0xC9, 0x5D, 0x10, 0xCE, -+ 0x4E, 0x80, 0x7E, 0x58, 0xB4, 0x34, 0x3F, 0xA7, 0x45, 0xC7, 0xAA, 0x36, -+ 0x24, 0x42, 0xA9, 0x3B, 0xE8, 0x0E, 0x04, 0x02, 0x2D, 0xFB, 0xA6, 0x13, -+ 0xB9, 0xB5, 0x15, 0xA5, 0x56, 0x07, 0x35, 0xE4, 0x03, 0xB6, 0x79, 0x7C, -+ 0x62, 0xDD, 0xDF, 0x3F, 0x71, 0x3A, 0x9D, 0x8B, 0xC4, 0xF6, 0xE7, 0x1D, -+ 0x52, 0xA8, 0xA9, 0x43, 0x1D, 0x33, 0x51, 0x88, 0x39, 0xBD, 0x73, 0xE9, -+ 0x5F, 0xBE, 0x82, 0x49, 0x27, 0xE6, 0xB5, 0x53, 0xC1, 0x38, 0xAC, 0x2F, -+ 0x6D, 0x97, 0x6C, 0xEB, 0x67, 0xC1, 0x5F, 0x67, 0xF8, 0x35, 0x05, 0x5E, -+ 0xD5, 0x68, 0x80, 0xAA, 0x96, 0xCA, 0x0B, 0x8A, 0xE6, 0xF1, 0xB1, 0x41, -+ 0xC6, 0x75, 0x94, 0x0A, 0x0A, 0x2A, 0xFA, 0x29, - }; - - static const unsigned char str1[] = "12345678901234567890"; -@@ -102,7 +103,7 @@ int main(int argc, char **argv) - goto end; - - BN_GENCB_set(cb, dsa_cb, bio_err); -- if (((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512, -+ if (((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 1024, - seed, 20, - &counter, - &h, cb)) -@@ -116,8 +117,8 @@ int main(int argc, char **argv) - BIO_printf(bio_err, "\ncounter=%d h=%ld\n", counter, h); - - DSA_print(bio_err, dsa, 0); -- if (counter != 105) { -- BIO_printf(bio_err, "counter should be 105\n"); -+ if (counter != 239) { -+ BIO_printf(bio_err, "counter should be 239\n"); - goto end; - } - if (h != 2) { -diff -up openssl-1.1.0h/util/libcrypto.num.fips openssl-1.1.0h/util/libcrypto.num ---- openssl-1.1.0h/util/libcrypto.num.fips 2018-03-27 15:50:41.000000000 +0200 -+++ openssl-1.1.0h/util/libcrypto.num 2018-03-29 18:06:26.962651662 +0200 -@@ -4232,5 +4232,40 @@ ZINT64_it - ZINT64_it 4215 1_1_0f EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: - CRYPTO_secure_clear_free 4315 1_1_0g EXIST::FUNCTION: - EVP_PKEY_set1_engine 4347 1_1_0g EXIST::FUNCTION:ENGINE --OCSP_resp_get0_signer 4374 1_1_0h EXIST::FUNCTION:OCSP -+FIPS_drbg_reseed 4348 1_1_0g EXIST::FUNCTION: -+FIPS_selftest_check 4349 1_1_0g EXIST::FUNCTION: -+FIPS_rand_set_method 4350 1_1_0g EXIST::FUNCTION: -+FIPS_get_default_drbg 4351 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_set_reseed_interval 4352 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_set_app_data 4353 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_method 4354 1_1_0g EXIST::FUNCTION: -+FIPS_rand_status 4355 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_instantiate 4356 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_set_callbacks 4357 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_new 4358 1_1_0g EXIST::FUNCTION: -+FIPS_dsa_paramgen_check_g 4359 1_1_0g EXIST::FUNCTION: -+FIPS_selftest 4360 1_1_0g EXIST::FUNCTION: -+FIPS_rand_set_bits 4361 1_1_0g EXIST::FUNCTION: -+FIPS_rand_bytes 4362 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_get_app_data 4363 1_1_0g EXIST::FUNCTION: -+FIPS_selftest_failed 4364 1_1_0g EXIST::FUNCTION: -+FIPS_dsa_builtin_paramgen2 4365 1_1_0g EXIST::FUNCTION: -+FIPS_rand_reset 4366 1_1_0g EXIST::FUNCTION: -+ERR_load_FIPS_strings 4367 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_generate 4368 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_uninstantiate 4369 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_set_check_interval 4370 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_free 4371 1_1_0g EXIST::FUNCTION: -+FIPS_selftest_drbg_all 4372 1_1_0g EXIST::FUNCTION: -+FIPS_rand_get_method 4373 1_1_0g EXIST::FUNCTION: -+RAND_set_fips_drbg_type 4374 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_health_check 4375 1_1_0g EXIST::FUNCTION: -+RAND_init_fips 4376 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_set_rand_callbacks 4377 1_1_0g EXIST::FUNCTION: -+FIPS_rand_seed 4378 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_get_strength 4379 1_1_0g EXIST::FUNCTION: -+FIPS_rand_strength 4380 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_get_blocklength 4381 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_init 4382 1_1_0g EXIST::FUNCTION: -+OCSP_resp_get0_signer 4384 1_1_0h EXIST::FUNCTION:OCSP - X509_get0_authority_key_id 4448 1_1_0h EXIST::FUNCTION: -diff -up openssl-1.1.0h/util/mkdef.pl.fips openssl-1.1.0h/util/mkdef.pl ---- openssl-1.1.0h/util/mkdef.pl.fips 2018-03-27 15:50:41.000000000 +0200 -+++ openssl-1.1.0h/util/mkdef.pl 2018-03-29 14:44:24.644237065 +0200 -@@ -311,6 +311,8 @@ $crypto.=" include/openssl/modes.h"; - $crypto.=" include/openssl/async.h"; - $crypto.=" include/openssl/ct.h"; - $crypto.=" include/openssl/kdf.h"; -+$crypto.=" include/openssl/fips.h"; -+$crypto.=" include/openssl/fips_rand.h"; - - my $symhacks="include/openssl/symhacks.h"; - diff --git a/openssl-1.1.0-manfix.patch b/openssl-1.1.0-manfix.patch deleted file mode 100644 index 53fc603..0000000 --- a/openssl-1.1.0-manfix.patch +++ /dev/null @@ -1,51 +0,0 @@ -diff -up openssl-1.1.0g/doc/apps/ec.pod.manfix openssl-1.1.0g/doc/apps/ec.pod ---- openssl-1.1.0g/doc/apps/ec.pod.manfix 2017-11-02 15:29:04.000000000 +0100 -+++ openssl-1.1.0g/doc/apps/ec.pod 2017-11-03 16:09:31.714027145 +0100 -@@ -101,10 +101,6 @@ prints out the public, private key compo - - this option prevents output of the encoded version of the key. - --=item B<-modulus> -- --this option prints out the value of the public key component of the key. -- - =item B<-pubin> - - by default a private key is read from the input file: with this option a -diff -up openssl-1.1.0g/doc/apps/openssl.pod.manfix openssl-1.1.0g/doc/apps/openssl.pod ---- openssl-1.1.0g/doc/apps/openssl.pod.manfix 2017-11-02 15:29:04.000000000 +0100 -+++ openssl-1.1.0g/doc/apps/openssl.pod 2017-11-03 16:11:48.478245311 +0100 -@@ -170,7 +170,7 @@ Create or examine a Netscape certificate - - Online Certificate Status Protocol utility. - --=item L|passwd(1)> -+=item L|sslpasswd(1)> - - Generation of hashed passwords. - -@@ -198,7 +198,7 @@ Public key algorithm parameter managemen - - Public key algorithm cryptographic operation utility. - --=item L|rand(1)> -+=item L|sslrand(1)> - - Generate pseudo-random bytes. - -@@ -432,13 +432,13 @@ L, L, L - L, L, - L, L, L, L, L, - L, L, L, --L, - L, L, L, - L, L, L, --L, L, L, L, -+L, L, L, - L, L, - L, L, L, - L, L, L, -+L, L, - L, - L, L, L, - L, L, L diff --git a/openssl-1.1.0-missing-quotes.patch b/openssl-1.1.0-missing-quotes.patch deleted file mode 100644 index 3fb8784..0000000 --- a/openssl-1.1.0-missing-quotes.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -up openssl-1.1.0h/util/dofile.pl.missing-quotes openssl-1.1.0h/util/dofile.pl ---- openssl-1.1.0h/util/dofile.pl.missing-quotes 2018-03-27 15:50:41.000000000 +0200 -+++ openssl-1.1.0h/util/dofile.pl 2018-04-03 11:59:36.742091742 +0200 -@@ -99,9 +99,9 @@ package main; - # This adds quotes (") around the given string, and escapes any $, @, \, - # " and ' by prepending a \ to them. - sub quotify1 { -- my $s = my $orig = shift @_; -+ my $s = shift @_; - $s =~ s/([\$\@\\"'])/\\$1/g; -- $s ne $orig || $s =~ /\s/ ? '"'.$s.'"' : $s; -+ '"'.$s.'"'; - } - - # quotify_l LIST diff --git a/openssl-1.1.0-secure-getenv.patch b/openssl-1.1.0-secure-getenv.patch deleted file mode 100644 index 2fb8ae6..0000000 --- a/openssl-1.1.0-secure-getenv.patch +++ /dev/null @@ -1,139 +0,0 @@ -diff -up openssl-1.1.0g/crypto/conf/conf_api.c.secure-getenv openssl-1.1.0g/crypto/conf/conf_api.c ---- openssl-1.1.0g/crypto/conf/conf_api.c.secure-getenv 2017-11-02 15:29:02.000000000 +0100 -+++ openssl-1.1.0g/crypto/conf/conf_api.c 2017-11-03 16:12:31.826265323 +0100 -@@ -9,6 +9,8 @@ - - /* Part of the code in here was originally in conf.c, which is now removed */ - -+/* for secure_getenv */ -+#define _GNU_SOURCE - #include - #include - #include -@@ -82,7 +84,7 @@ char *_CONF_get_string(const CONF *conf, - if (v != NULL) - return (v->value); - if (strcmp(section, "ENV") == 0) { -- p = getenv(name); -+ p = secure_getenv(name); - if (p != NULL) - return (p); - } -@@ -95,7 +97,7 @@ char *_CONF_get_string(const CONF *conf, - else - return (NULL); - } else -- return (getenv(name)); -+ return (secure_getenv(name)); - } - - static unsigned long conf_value_hash(const CONF_VALUE *v) -diff -up openssl-1.1.0g/crypto/conf/conf_mod.c.secure-getenv openssl-1.1.0g/crypto/conf/conf_mod.c ---- openssl-1.1.0g/crypto/conf/conf_mod.c.secure-getenv 2017-11-02 15:29:02.000000000 +0100 -+++ openssl-1.1.0g/crypto/conf/conf_mod.c 2017-11-03 16:12:31.827265347 +0100 -@@ -7,6 +7,8 @@ - * https://www.openssl.org/source/license.html - */ - -+/* for secure_getenv */ -+#define _GNU_SOURCE - #include - #include - #include -@@ -478,7 +480,7 @@ char *CONF_get1_default_config_file(void - char *file; - int len; - -- file = getenv("OPENSSL_CONF"); -+ file = secure_getenv("OPENSSL_CONF"); - if (file) - return OPENSSL_strdup(file); - -diff -up openssl-1.1.0g/crypto/engine/eng_list.c.secure-getenv openssl-1.1.0g/crypto/engine/eng_list.c ---- openssl-1.1.0g/crypto/engine/eng_list.c.secure-getenv 2017-11-02 15:29:03.000000000 +0100 -+++ openssl-1.1.0g/crypto/engine/eng_list.c 2017-11-03 16:12:31.827265347 +0100 -@@ -13,6 +13,8 @@ - * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. - */ - -+/* for secure_getenv */ -+#define _GNU_SOURCE - #include "eng_int.h" - - /* -@@ -322,7 +324,7 @@ ENGINE *ENGINE_by_id(const char *id) - * Prevent infinite recursion if we're looking for the dynamic engine. - */ - if (strcmp(id, "dynamic")) { -- if ((load_dir = getenv("OPENSSL_ENGINES")) == 0) -+ if ((load_dir = secure_getenv("OPENSSL_ENGINES")) == 0) - load_dir = ENGINESDIR; - iterator = ENGINE_by_id("dynamic"); - if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) || -diff -up openssl-1.1.0g/crypto/rand/randfile.c.secure-getenv openssl-1.1.0g/crypto/rand/randfile.c ---- openssl-1.1.0g/crypto/rand/randfile.c.secure-getenv 2017-11-02 15:29:03.000000000 +0100 -+++ openssl-1.1.0g/crypto/rand/randfile.c 2017-11-03 16:12:31.827265347 +0100 -@@ -7,6 +7,8 @@ - * https://www.openssl.org/source/license.html - */ - -+/* for secure_getenv */ -+#define _GNU_SOURCE - #include "internal/cryptlib.h" - - #include -@@ -317,10 +319,10 @@ const char *RAND_file_name(char *buf, si - if (OPENSSL_issetugid() != 0) { - use_randfile = 0; - } else { -- s = getenv("RANDFILE"); -+ s = secure_getenv("RANDFILE"); - if (s == NULL || *s == '\0') { - use_randfile = 0; -- s = getenv("HOME"); -+ s = secure_getenv("HOME"); - } - } - #endif -diff -up openssl-1.1.0g/crypto/x509/by_dir.c.secure-getenv openssl-1.1.0g/crypto/x509/by_dir.c ---- openssl-1.1.0g/crypto/x509/by_dir.c.secure-getenv 2017-11-02 15:29:04.000000000 +0100 -+++ openssl-1.1.0g/crypto/x509/by_dir.c 2017-11-03 16:12:31.827265347 +0100 -@@ -7,6 +7,8 @@ - * https://www.openssl.org/source/license.html - */ - -+/* for secure_getenv */ -+#define _GNU_SOURCE - #include - #include - #include -@@ -78,7 +80,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in - switch (cmd) { - case X509_L_ADD_DIR: - if (argl == X509_FILETYPE_DEFAULT) { -- dir = (char *)getenv(X509_get_default_cert_dir_env()); -+ dir = (char *)secure_getenv(X509_get_default_cert_dir_env()); - if (dir) - ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM); - else -diff -up openssl-1.1.0g/crypto/x509/by_file.c.secure-getenv openssl-1.1.0g/crypto/x509/by_file.c ---- openssl-1.1.0g/crypto/x509/by_file.c.secure-getenv 2017-11-02 15:29:04.000000000 +0100 -+++ openssl-1.1.0g/crypto/x509/by_file.c 2017-11-03 16:14:13.230649686 +0100 -@@ -7,6 +7,8 @@ - * https://www.openssl.org/source/license.html - */ - -+/* for secure_getenv */ -+#define _GNU_SOURCE - #include - #include - #include -@@ -47,7 +49,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx - switch (cmd) { - case X509_L_FILE_LOAD: - if (argl == X509_FILETYPE_DEFAULT) { -- file = getenv(X509_get_default_cert_file_env()); -+ file = secure_getenv(X509_get_default_cert_file_env()); - if (file) - ok = (X509_load_cert_crl_file(ctx, file, - X509_FILETYPE_PEM) != 0); diff --git a/openssl-1.1.0-silent-rnd-write.patch b/openssl-1.1.0-silent-rnd-write.patch deleted file mode 100644 index da4137c..0000000 --- a/openssl-1.1.0-silent-rnd-write.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff -up openssl-1.1.0h/apps/app_rand.c.silent-rnd-write openssl-1.1.0h/apps/app_rand.c ---- openssl-1.1.0h/apps/app_rand.c.silent-rnd-write 2018-03-27 15:50:37.000000000 +0200 -+++ openssl-1.1.0h/apps/app_rand.c 2018-03-29 15:27:24.597891091 +0200 -@@ -91,6 +91,7 @@ long app_RAND_load_files(char *name) - int app_RAND_write_file(const char *file) - { - char buffer[200]; -+ const char *origfile = file; - - if (egdsocket || !seeded) - /* -@@ -103,8 +104,10 @@ int app_RAND_write_file(const char *file - if (file == NULL) - file = RAND_file_name(buffer, sizeof(buffer)); - if (file == NULL || !RAND_write_file(file)) { -- BIO_printf(bio_err, "unable to write 'random state'\n"); -- return 0; -+ if (origfile != NULL) { -+ BIO_printf(bio_err, "unable to write 'random state'\n"); -+ return 0; -+ } - } - return 1; - } diff --git a/openssl-1.1.0-system-cipherlist.patch b/openssl-1.1.0-system-cipherlist.patch deleted file mode 100644 index 9f63162..0000000 --- a/openssl-1.1.0-system-cipherlist.patch +++ /dev/null @@ -1,317 +0,0 @@ -diff -up openssl-1.1.0e/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.0e/Configurations/unix-Makefile.tmpl ---- openssl-1.1.0e/Configurations/unix-Makefile.tmpl.system-cipherlist 2017-02-16 16:15:38.658931413 +0100 -+++ openssl-1.1.0e/Configurations/unix-Makefile.tmpl 2017-02-16 16:15:38.675931806 +0100 -@@ -161,6 +161,10 @@ MANDIR=$(INSTALLTOP)/share/man - DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME) - HTMLDIR=$(DOCDIR)/html - -+{- output_off() if $config{system_ciphers_file} eq ""; "" -} -+SYSTEM_CIPHERS_FILE_DEFINE=-DSYSTEM_CIPHERS_FILE="\"{- $config{system_ciphers_file} -}\"" -+{- output_on() if $config{system_ciphers_file} eq ""; "" -} -+ - # MANSUFFIX is for the benefit of anyone who may want to have a suffix - # appended after the manpage file section number. "ssl" is popular, - # resulting in files such as config.5ssl rather than config.5. -@@ -171,7 +175,7 @@ HTMLSUFFIX=html - - CROSS_COMPILE= {- $config{cross_compile_prefix} -} - CC= $(CROSS_COMPILE){- $target{cc} -} --CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -} -+CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"\$(SYSTEM_CIPHERS_FILE_DEFINE)","-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -} - CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -} - LDFLAGS= {- $target{lflags} -} - PLIB_LDFLAGS= {- $target{plib_lflags} -} -diff -up openssl-1.1.0e/Configure.system-cipherlist openssl-1.1.0e/Configure ---- openssl-1.1.0e/Configure.system-cipherlist 2017-02-16 12:58:20.000000000 +0100 -+++ openssl-1.1.0e/Configure 2017-02-16 16:15:38.679931899 +0100 -@@ -18,7 +18,7 @@ use if $^O ne "VMS", 'File::Glob' => qw/ - - # see INSTALL for instructions. - --my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; -+my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; - - # Options: - # -@@ -35,6 +35,9 @@ my $usage="Usage: Configure [no- - # This becomes the value of OPENSSLDIR in Makefile and in C. - # (Default: PREFIX/ssl) - # -+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM -+# cipher is specified (default). -+# - # --cross-compile-prefix Add specified prefix to binutils components. - # - # --api One of 0.9.8, 1.0.0 or 1.1.0. Do not compile support for -@@ -293,6 +296,7 @@ $config{openssldir}=""; - $config{processor}=""; - $config{libdir}=""; - $config{cross_compile_prefix}=""; -+$config{system_ciphers_file}=""; - $config{fipslibdir}="/usr/local/ssl/fips-2.0/lib/"; - my $nofipscanistercheck=0; - $config{baseaddr}="0xFB00000"; -@@ -718,6 +722,10 @@ while (@argvcopy) - { - $config{baseaddr}="$1"; - } -+ elsif (/^--system-ciphers-file=(.*)$/) -+ { -+ $config{system_ciphers_file}=$1; -+ } - elsif (/^--cross-compile-prefix=(.*)$/) - { - $config{cross_compile_prefix}=$1; -@@ -851,6 +859,8 @@ if ($target =~ m/^CygWin32(-.*)$/) { - $target = "Cygwin".$1; - } - -+chop $config{system_ciphers_file} if $config{system_ciphers_file} =~ /\/$/; -+ - foreach (sort (keys %disabled)) - { - $config{options} .= " no-$_"; -diff -up openssl-1.1.0e/doc/apps/ciphers.pod.system-cipherlist openssl-1.1.0e/doc/apps/ciphers.pod ---- openssl-1.1.0e/doc/apps/ciphers.pod.system-cipherlist 2017-02-16 12:58:22.000000000 +0100 -+++ openssl-1.1.0e/doc/apps/ciphers.pod 2017-02-16 16:37:14.043219953 +0100 -@@ -181,6 +181,15 @@ As of OpenSSL 1.0.0, the B cipher s - - The cipher suites not enabled by B, currently B. - -+=item B -+ -+The list of enabled cipher suites will be loaded from the system crypto policy -+configuration file B. -+See also L. -+This is the default behavior unless an application explicitly sets a cipher -+list. If used in a cipher list configuration value this string must be at the -+beginning of the cipher list, otherwise it will not be recognized. -+ - =item B - - "high" encryption cipher suites. This currently means those with key lengths -diff -up openssl-1.1.0e/include/openssl/ssl.h.system-cipherlist openssl-1.1.0e/include/openssl/ssl.h ---- openssl-1.1.0e/include/openssl/ssl.h.system-cipherlist 2017-02-16 12:58:23.000000000 +0100 -+++ openssl-1.1.0e/include/openssl/ssl.h 2017-02-16 16:15:38.676931830 +0100 -@@ -201,6 +201,11 @@ extern "C" { - * throwing out anonymous and unencrypted ciphersuites! (The latter are not - * actually enabled by ALL, but "ALL:RSA" would enable some of them.) - */ -+# ifdef SYSTEM_CIPHERS_FILE -+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM" -+# else -+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST -+# endif - - /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ - # define SSL_SENT_SHUTDOWN 1 -diff -up openssl-1.1.0e/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0e/ssl/ssl_ciph.c ---- openssl-1.1.0e/ssl/ssl_ciph.c.system-cipherlist 2017-02-16 12:58:23.000000000 +0100 -+++ openssl-1.1.0e/ssl/ssl_ciph.c 2017-02-16 16:15:38.691932177 +0100 -@@ -1289,6 +1289,50 @@ static int check_suiteb_cipher_list(cons - } - #endif - -+#ifdef SYSTEM_CIPHERS_FILE -+static char *load_system_str(const char *suffix) -+{ -+ FILE *fp; -+ char buf[1024]; -+ char *new_rules; -+ unsigned len, slen; -+ -+ fp = fopen(SYSTEM_CIPHERS_FILE, "r"); -+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) { -+ /* cannot open or file is empty */ -+ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST); -+ } -+ -+ if (fp) -+ fclose(fp); -+ -+ slen = strlen(suffix); -+ len = strlen(buf); -+ -+ if (buf[len - 1] == '\n') { -+ len--; -+ buf[len] = 0; -+ } -+ if (buf[len - 1] == '\r') { -+ len--; -+ buf[len] = 0; -+ } -+ -+ new_rules = OPENSSL_malloc(len + slen + 1); -+ if (new_rules == 0) -+ return NULL; -+ -+ memcpy(new_rules, buf, len); -+ if (slen > 0) { -+ memcpy(&new_rules[len], suffix, slen); -+ len += slen; -+ } -+ new_rules[len] = 0; -+ -+ return new_rules; -+} -+#endif -+ - STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER) - **cipher_list, STACK_OF(SSL_CIPHER) - **cipher_list_by_id, -@@ -1296,19 +1341,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ - { - int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; - uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac; -- STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list; -+ STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list; - const char *rule_p; - CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; - const SSL_CIPHER **ca_list = NULL; -+#ifdef SYSTEM_CIPHERS_FILE -+ char *new_rules = NULL; -+ -+ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) { -+ char *p = rule_str + 14; -+ -+ new_rules = load_system_str(p); -+ rule_str = new_rules; -+ } -+#endif - - /* - * Return with error if nothing to do. - */ - if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) -- return NULL; -+ goto end; - #ifndef OPENSSL_NO_EC - if (!check_suiteb_cipher_list(ssl_method, c, &rule_str)) -- return NULL; -+ goto end; - #endif - - /* -@@ -1331,7 +1386,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ - co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); - if (co_list == NULL) { - SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE); -- return (NULL); /* Failure */ -+ goto end; - } - - ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, -@@ -1401,8 +1456,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ - * in force within each class - */ - if (!ssl_cipher_strength_sort(&head, &tail)) { -- OPENSSL_free(co_list); -- return NULL; -+ goto end; - } - - /* -@@ -1447,9 +1501,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ - num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; - ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); - if (ca_list == NULL) { -- OPENSSL_free(co_list); - SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE); -- return (NULL); /* Failure */ -+ goto end; - } - ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, - disabled_mkey, disabled_auth, disabled_enc, -@@ -1475,8 +1528,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ - OPENSSL_free(ca_list); /* Not needed anymore */ - - if (!ok) { /* Rule processing failure */ -- OPENSSL_free(co_list); -- return (NULL); -+ goto end; - } - - /* -@@ -1484,8 +1536,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ - * if we cannot get one. - */ - if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { -- OPENSSL_free(co_list); -- return (NULL); -+ goto end; - } - - /* -@@ -1496,21 +1547,21 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ - if (curr->active - && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) { - if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) { -- OPENSSL_free(co_list); - sk_SSL_CIPHER_free(cipherstack); -- return NULL; -+ cipherstack = NULL; -+ goto end; - } - #ifdef CIPHER_DEBUG - fprintf(stderr, "<%s>\n", curr->cipher->name); - #endif - } - } -- OPENSSL_free(co_list); /* Not needed any longer */ - - tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack); - if (tmp_cipher_list == NULL) { - sk_SSL_CIPHER_free(cipherstack); -- return NULL; -+ cipherstack = NULL; -+ goto end; - } - sk_SSL_CIPHER_free(*cipher_list); - *cipher_list = cipherstack; -@@ -1520,6 +1571,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ - (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, ssl_cipher_ptr_id_cmp); - - sk_SSL_CIPHER_sort(*cipher_list_by_id); -+ -+ end: -+ OPENSSL_free(co_list); -+#ifdef SYSTEM_CIPHERS_FILE -+ OPENSSL_free(new_rules); -+#endif - return (cipherstack); - } - -diff -up openssl-1.1.0e/ssl/ssl_lib.c.system-cipherlist openssl-1.1.0e/ssl/ssl_lib.c ---- openssl-1.1.0e/ssl/ssl_lib.c.system-cipherlist 2017-02-16 16:15:38.673931760 +0100 -+++ openssl-1.1.0e/ssl/ssl_lib.c 2017-02-16 16:15:38.692932200 +0100 -@@ -509,7 +509,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx - - sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list), - &(ctx->cipher_list_by_id), -- SSL_DEFAULT_CIPHER_LIST, ctx->cert); -+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert); - if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { - SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); - return (0); -@@ -2403,7 +2403,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m - #endif - if (!ssl_create_cipher_list(ret->method, - &ret->cipher_list, &ret->cipher_list_by_id, -- SSL_DEFAULT_CIPHER_LIST, ret->cert) -+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert) - || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { - SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS); - goto err2; -diff -up openssl-1.1.0e/test/cipherlist_test.c.system-cipherlist openssl-1.1.0e/test/cipherlist_test.c ---- openssl-1.1.0e/test/cipherlist_test.c.system-cipherlist 2017-02-16 12:58:24.000000000 +0100 -+++ openssl-1.1.0e/test/cipherlist_test.c 2017-02-16 16:15:38.677931853 +0100 -@@ -190,7 +190,9 @@ int main(int argc, char **argv) - { - int result = 0; - -+#ifndef SYSTEM_CIPHERS_FILE - ADD_TEST(test_default_cipherlist_implicit); -+#endif - ADD_TEST(test_default_cipherlist_explicit); - - result = run_tests(argv[0]); diff --git a/openssl-1.1.0-version-add-engines.patch b/openssl-1.1.0-version-add-engines.patch deleted file mode 100644 index f4b7cf9..0000000 --- a/openssl-1.1.0-version-add-engines.patch +++ /dev/null @@ -1,38 +0,0 @@ -diff -up openssl-1.1.0h/apps/version.c.version-add-engines openssl-1.1.0h/apps/version.c ---- openssl-1.1.0h/apps/version.c.version-add-engines 2018-03-27 15:50:37.000000000 +0200 -+++ openssl-1.1.0h/apps/version.c 2018-03-29 14:33:30.732879537 +0200 -@@ -52,7 +52,7 @@ int version_main(int argc, char **argv) - { - int ret = 1, dirty = 0; - int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0; -- int engdir = 0; -+ int engdir = 0, engines = 0; - char *prog; - OPTION_CHOICE o; - -@@ -90,7 +90,7 @@ opthelp: - dirty = version = 1; - break; - case OPT_A: -- options = cflags = version = date = platform = dir = engdir = 1; -+ options = cflags = version = date = platform = dir = engdir = engines = 1; - break; - } - } -@@ -139,6 +139,16 @@ opthelp: - printf("%s\n", OpenSSL_version(OPENSSL_DIR)); - if (engdir) - printf("%s\n", OpenSSL_version(OPENSSL_ENGINES_DIR)); -+ if (engines) { -+ ENGINE *e; -+ printf("engines: "); -+ e = ENGINE_get_first(); -+ while (e) { -+ printf("%s ", ENGINE_get_id(e)); -+ e = ENGINE_get_next(e); -+ } -+ printf("\n"); -+ } - ret = 0; - end: - return (ret); diff --git a/openssl-1.1.1-build.patch b/openssl-1.1.1-build.patch new file mode 100644 index 0000000..cfe20f6 --- /dev/null +++ b/openssl-1.1.1-build.patch @@ -0,0 +1,40 @@ +diff -up openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.build openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl +--- openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.build 2018-06-20 16:48:09.000000000 +0200 ++++ openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl 2018-07-16 17:15:38.108831031 +0200 +@@ -680,7 +680,7 @@ uninstall_runtime: + install_man_docs: + @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) + @$(ECHO) "*** Installing manpages" +- $(PERL) $(SRCDIR)/util/process_docs.pl \ ++ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \ + --destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX) + + uninstall_man_docs: +@@ -692,7 +692,7 @@ uninstall_man_docs: + install_html_docs: + @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) + @$(ECHO) "*** Installing HTML manpages" +- $(PERL) $(SRCDIR)/util/process_docs.pl \ ++ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \ + --destdir=$(DESTDIR)$(HTMLDIR) --type=html + + uninstall_html_docs: +diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8/Configurations/10-main.conf +--- openssl-1.1.1-pre8/Configurations/10-main.conf.build 2018-06-20 16:48:09.000000000 +0200 ++++ openssl-1.1.1-pre8/Configurations/10-main.conf 2018-07-16 17:17:10.312045203 +0200 +@@ -693,6 +693,7 @@ my %targets = ( + cxxflags => add("-m64"), + lib_cppflags => add("-DL_ENDIAN"), + perlasm_scheme => "linux64le", ++ multilib => "64", + }, + + "linux-armv4" => { +@@ -733,6 +734,7 @@ my %targets = ( + "linux-aarch64" => { + inherit_from => [ "linux-generic64", asm("aarch64_asm") ], + perlasm_scheme => "linux64", ++ multilib => "64", + }, + "linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32 + inherit_from => [ "linux-generic32", asm("aarch64_asm") ], diff --git a/openssl-1.1.1-disable-ssl3.patch b/openssl-1.1.1-disable-ssl3.patch new file mode 100644 index 0000000..19acdd1 --- /dev/null +++ b/openssl-1.1.1-disable-ssl3.patch @@ -0,0 +1,89 @@ +diff -up openssl-1.1.1-pre8/apps/s_client.c.disable-ssl3 openssl-1.1.1-pre8/apps/s_client.c +--- openssl-1.1.1-pre8/apps/s_client.c.disable-ssl3 2018-07-16 18:08:20.000487628 +0200 ++++ openssl-1.1.1-pre8/apps/s_client.c 2018-07-16 18:16:40.070186323 +0200 +@@ -1681,6 +1681,9 @@ int s_client_main(int argc, char **argv) + if (sdebug) + ssl_ctx_security_debug(ctx, sdebug); + ++ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION) ++ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); ++ + if (!config_ctx(cctx, ssl_args, ctx)) + goto end; + +diff -up openssl-1.1.1-pre8/apps/s_server.c.disable-ssl3 openssl-1.1.1-pre8/apps/s_server.c +--- openssl-1.1.1-pre8/apps/s_server.c.disable-ssl3 2018-07-16 18:08:20.000487628 +0200 ++++ openssl-1.1.1-pre8/apps/s_server.c 2018-07-16 18:17:17.300055551 +0200 +@@ -1760,6 +1760,9 @@ int s_server_main(int argc, char *argv[] + if (sdebug) + ssl_ctx_security_debug(ctx, sdebug); + ++ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION) ++ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); ++ + if (!config_ctx(cctx, ssl_args, ctx)) + goto end; + +diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.1-pre8/ssl/ssl_lib.c +--- openssl-1.1.1-pre8/ssl/ssl_lib.c.disable-ssl3 2018-06-20 16:48:13.000000000 +0200 ++++ openssl-1.1.1-pre8/ssl/ssl_lib.c 2018-07-16 18:08:20.001487652 +0200 +@@ -3016,6 +3016,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m + */ + ret->options |= SSL_OP_NO_COMPRESSION | SSL_OP_ENABLE_MIDDLEBOX_COMPAT; + ++ /* ++ * Disable SSLv3 by default. Applications can ++ * re-enable it by configuring ++ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); ++ * or by using the SSL_CONF API. ++ */ ++ ret->options |= SSL_OP_NO_SSLv3; ++ + ret->ext.status_type = TLSEXT_STATUSTYPE_nothing; + + /* +diff -up openssl-1.1.1-pre8/test/ssl_test.c.disable-ssl3 openssl-1.1.1-pre8/test/ssl_test.c +--- openssl-1.1.1-pre8/test/ssl_test.c.disable-ssl3 2018-06-20 16:48:15.000000000 +0200 ++++ openssl-1.1.1-pre8/test/ssl_test.c 2018-07-16 18:18:34.806865121 +0200 +@@ -443,6 +443,7 @@ static int test_handshake(int idx) + SSL_TEST_SERVERNAME_CB_NONE) { + if (!TEST_ptr(server2_ctx = SSL_CTX_new(TLS_server_method()))) + goto err; ++ SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3); + if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx, + TLS_MAX_VERSION))) + goto err; +@@ -464,6 +465,8 @@ static int test_handshake(int idx) + if (!TEST_ptr(resume_server_ctx) + || !TEST_ptr(resume_client_ctx)) + goto err; ++ SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3); ++ SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3); + } + } + +@@ -477,6 +480,9 @@ static int test_handshake(int idx) + || !TEST_int_gt(CONF_modules_load(conf, test_app, 0), 0)) + goto err; + ++ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3); ++ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3); ++ + if (!SSL_CTX_config(server_ctx, "server") + || !SSL_CTX_config(client_ctx, "client")) { + goto err; +diff -up openssl-1.1.1-pre8/test/ssltest_old.c.disable-ssl3 openssl-1.1.1-pre8/test/ssltest_old.c +--- openssl-1.1.1-pre8/test/ssltest_old.c.disable-ssl3 2018-06-20 16:48:15.000000000 +0200 ++++ openssl-1.1.1-pre8/test/ssltest_old.c 2018-07-16 18:08:20.002487676 +0200 +@@ -1358,6 +1358,11 @@ int main(int argc, char *argv[]) + ERR_print_errors(bio_err); + goto end; + } ++ ++ SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3); ++ SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3); ++ SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3); ++ + /* + * Since we will use low security ciphersuites and keys for testing set + * security level to zero by default. Tests can override this by adding diff --git a/openssl-1.1.1-ec-curves.patch b/openssl-1.1.1-ec-curves.patch new file mode 100644 index 0000000..b26263f --- /dev/null +++ b/openssl-1.1.1-ec-curves.patch @@ -0,0 +1,94 @@ +diff -up openssl-1.1.1-pre8/apps/speed.c.curves openssl-1.1.1-pre8/apps/speed.c +--- openssl-1.1.1-pre8/apps/speed.c.curves 2018-07-17 08:48:56.106625020 +0200 ++++ openssl-1.1.1-pre8/apps/speed.c 2018-07-17 08:50:07.526521809 +0200 +@@ -511,56 +511,20 @@ static double rsa_results[RSA_NUM][2]; + #define R_EC_X448 23 + #ifndef OPENSSL_NO_EC + static OPT_PAIR ecdsa_choices[] = { +- {"ecdsap160", R_EC_P160}, +- {"ecdsap192", R_EC_P192}, + {"ecdsap224", R_EC_P224}, + {"ecdsap256", R_EC_P256}, + {"ecdsap384", R_EC_P384}, + {"ecdsap521", R_EC_P521}, +- {"ecdsak163", R_EC_K163}, +- {"ecdsak233", R_EC_K233}, +- {"ecdsak283", R_EC_K283}, +- {"ecdsak409", R_EC_K409}, +- {"ecdsak571", R_EC_K571}, +- {"ecdsab163", R_EC_B163}, +- {"ecdsab233", R_EC_B233}, +- {"ecdsab283", R_EC_B283}, +- {"ecdsab409", R_EC_B409}, +- {"ecdsab571", R_EC_B571}, +- {"ecdsabrp256r1", R_EC_BRP256R1}, +- {"ecdsabrp256t1", R_EC_BRP256T1}, +- {"ecdsabrp384r1", R_EC_BRP384R1}, +- {"ecdsabrp384t1", R_EC_BRP384T1}, +- {"ecdsabrp512r1", R_EC_BRP512R1}, +- {"ecdsabrp512t1", R_EC_BRP512T1} + }; + # define ECDSA_NUM OSSL_NELEM(ecdsa_choices) + + static double ecdsa_results[ECDSA_NUM][2]; /* 2 ops: sign then verify */ + + static const OPT_PAIR ecdh_choices[] = { +- {"ecdhp160", R_EC_P160}, +- {"ecdhp192", R_EC_P192}, + {"ecdhp224", R_EC_P224}, + {"ecdhp256", R_EC_P256}, + {"ecdhp384", R_EC_P384}, + {"ecdhp521", R_EC_P521}, +- {"ecdhk163", R_EC_K163}, +- {"ecdhk233", R_EC_K233}, +- {"ecdhk283", R_EC_K283}, +- {"ecdhk409", R_EC_K409}, +- {"ecdhk571", R_EC_K571}, +- {"ecdhb163", R_EC_B163}, +- {"ecdhb233", R_EC_B233}, +- {"ecdhb283", R_EC_B283}, +- {"ecdhb409", R_EC_B409}, +- {"ecdhb571", R_EC_B571}, +- {"ecdhbrp256r1", R_EC_BRP256R1}, +- {"ecdhbrp256t1", R_EC_BRP256T1}, +- {"ecdhbrp384r1", R_EC_BRP384R1}, +- {"ecdhbrp384t1", R_EC_BRP384T1}, +- {"ecdhbrp512r1", R_EC_BRP512R1}, +- {"ecdhbrp512t1", R_EC_BRP512T1}, + {"ecdhx25519", R_EC_X25519}, + {"ecdhx448", R_EC_X448} + }; +diff -up openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c.curves openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c +--- openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c.curves 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/ec/ecp_smpl.c 2018-07-17 08:48:56.107625044 +0200 +@@ -141,6 +141,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO + return 0; + } + ++ if (BN_num_bits(p) < 224) { ++ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD); ++ return 0; ++ } ++ + if (ctx == NULL) { + ctx = new_ctx = BN_CTX_new(); + if (ctx == NULL) +diff -up openssl-1.1.1-pre8/test/ecdsatest.c.curves openssl-1.1.1-pre8/test/ecdsatest.c +--- openssl-1.1.1-pre8/test/ecdsatest.c.curves 2018-06-20 16:48:14.000000000 +0200 ++++ openssl-1.1.1-pre8/test/ecdsatest.c 2018-07-17 08:48:56.107625044 +0200 +@@ -173,6 +173,7 @@ static int x9_62_tests(void) + if (!change_rand()) + goto x962_err; + ++#if 0 + if (!TEST_true(x9_62_test_internal(NID_X9_62_prime192v1, + "3342403536405981729393488334694600415596881826869351677613", + "5735822328888155254683894997897571951568553642892029982342"))) +@@ -183,6 +184,7 @@ static int x9_62_tests(void) + "3238135532097973577080787768312505059318910517550078427819" + "78505179448783"))) + goto x962_err; ++#endif + + # ifndef OPENSSL_NO_EC2M + if (!TEST_true(x9_62_test_internal(NID_X9_62_c2tnb191v1, diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch new file mode 100644 index 0000000..9f32b03 --- /dev/null +++ b/openssl-1.1.1-fips.patch @@ -0,0 +1,12153 @@ +diff -up openssl-1.1.1-pre8/apps/speed.c.fips openssl-1.1.1-pre8/apps/speed.c +--- openssl-1.1.1-pre8/apps/speed.c.fips 2018-07-25 17:26:58.393624416 +0200 ++++ openssl-1.1.1-pre8/apps/speed.c 2018-07-25 17:26:58.402624632 +0200 +@@ -1550,7 +1550,8 @@ int speed_main(int argc, char **argv) + continue; + if (strcmp(*argv, "rsa") == 0) { + for (loop = 0; loop < OSSL_NELEM(rsa_doit); loop++) +- rsa_doit[loop] = 1; ++ if (!FIPS_mode() || loop != R_RSA_512) ++ rsa_doit[loop] = 1; + continue; + } + if (found(*argv, rsa_choices, &i)) { +@@ -1560,7 +1561,9 @@ int speed_main(int argc, char **argv) + #endif + #ifndef OPENSSL_NO_DSA + if (strcmp(*argv, "dsa") == 0) { +- dsa_doit[R_DSA_512] = dsa_doit[R_DSA_1024] = ++ if (!FIPS_mode()) ++ dsa_doit[R_DSA_512] = 1; ++ dsa_doit[R_DSA_1024] = + dsa_doit[R_DSA_2048] = 1; + continue; + } +@@ -1683,15 +1686,21 @@ int speed_main(int argc, char **argv) + /* No parameters; turn on everything. */ + if ((argc == 0) && !doit[D_EVP]) { + for (i = 0; i < ALGOR_NUM; i++) +- if (i != D_EVP) ++ if (i != D_EVP && ++ (!FIPS_mode() || (i != D_WHIRLPOOL && ++ i != D_MD2 && i != D_MD4 && ++ i != D_MD5 && i != D_MDC2 && ++ i != D_RMD160))) + doit[i] = 1; + #ifndef OPENSSL_NO_RSA + for (i = 0; i < RSA_NUM; i++) +- rsa_doit[i] = 1; ++ if (!FIPS_mode() || i != R_RSA_512) ++ rsa_doit[i] = 1; + #endif + #ifndef OPENSSL_NO_DSA + for (i = 0; i < DSA_NUM; i++) +- dsa_doit[i] = 1; ++ if (!FIPS_mode() || i != R_DSA_512) ++ dsa_doit[i] = 1; + #endif + #ifndef OPENSSL_NO_EC + for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++) +@@ -1745,30 +1754,46 @@ int speed_main(int argc, char **argv) + AES_set_encrypt_key(key24, 192, &aes_ks2); + AES_set_encrypt_key(key32, 256, &aes_ks3); + #ifndef OPENSSL_NO_CAMELLIA +- Camellia_set_key(key16, 128, &camellia_ks1); +- Camellia_set_key(ckey24, 192, &camellia_ks2); +- Camellia_set_key(ckey32, 256, &camellia_ks3); ++ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML]) { ++ Camellia_set_key(key16, 128, &camellia_ks1); ++ Camellia_set_key(ckey24, 192, &camellia_ks2); ++ Camellia_set_key(ckey32, 256, &camellia_ks3); ++ } + #endif + #ifndef OPENSSL_NO_IDEA +- IDEA_set_encrypt_key(key16, &idea_ks); ++ if (doit[D_CBC_IDEA]) { ++ IDEA_set_encrypt_key(key16, &idea_ks); ++ } + #endif + #ifndef OPENSSL_NO_SEED +- SEED_set_key(key16, &seed_ks); ++ if (doit[D_CBC_SEED]) { ++ SEED_set_key(key16, &seed_ks); ++ } + #endif + #ifndef OPENSSL_NO_RC4 +- RC4_set_key(&rc4_ks, 16, key16); ++ if (doit[D_RC4]) { ++ RC4_set_key(&rc4_ks, 16, key16); ++ } + #endif + #ifndef OPENSSL_NO_RC2 +- RC2_set_key(&rc2_ks, 16, key16, 128); ++ if (doit[D_CBC_RC2]) { ++ RC2_set_key(&rc2_ks, 16, key16, 128); ++ } + #endif + #ifndef OPENSSL_NO_RC5 +- RC5_32_set_key(&rc5_ks, 16, key16, 12); ++ if (doit[D_CBC_RC5]) { ++ RC5_32_set_key(&rc5_ks, 16, key16, 12); ++ } + #endif + #ifndef OPENSSL_NO_BF +- BF_set_key(&bf_ks, 16, key16); ++ if (doit[D_CBC_BF]) { ++ BF_set_key(&bf_ks, 16, key16); ++ } + #endif + #ifndef OPENSSL_NO_CAST +- CAST_set_key(&cast_ks, 16, key16); ++ if (doit[D_CBC_CAST]) { ++ CAST_set_key(&cast_ks, 16, key16); ++ } + #endif + #ifndef SIGALRM + # ifndef OPENSSL_NO_DES +@@ -2059,6 +2084,7 @@ int speed_main(int argc, char **argv) + + for (i = 0; i < loopargs_len; i++) { + loopargs[i].hctx = HMAC_CTX_new(); ++ HMAC_CTX_set_flags(loopargs[i].hctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + if (loopargs[i].hctx == NULL) { + BIO_printf(bio_err, "HMAC malloc failure, exiting..."); + exit(1); +diff -up openssl-1.1.1-pre8/Configure.fips openssl-1.1.1-pre8/Configure +--- openssl-1.1.1-pre8/Configure.fips 2018-07-25 17:26:58.399624560 +0200 ++++ openssl-1.1.1-pre8/Configure 2018-07-25 17:26:58.402624632 +0200 +@@ -306,7 +306,7 @@ $config{sdirs} = [ + "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "siphash", "sm3", + "des", "aes", "rc2", "rc4", "rc5", "idea", "aria", "bf", "cast", "camellia", "seed", "sm4", "chacha", "modes", + "bn", "ec", "rsa", "dsa", "dh", "sm2", "dso", "engine", +- "buffer", "bio", "stack", "lhash", "rand", "err", ++ "buffer", "bio", "stack", "lhash", "rand", "err", "fips", + "evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui", + "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store" + ]; +diff -up openssl-1.1.1-pre8/crypto/dh/dh_err.c.fips openssl-1.1.1-pre8/crypto/dh/dh_err.c +--- openssl-1.1.1-pre8/crypto/dh/dh_err.c.fips 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/dh/dh_err.c 2018-07-25 17:26:58.402624632 +0200 +@@ -25,6 +25,9 @@ static const ERR_STRING_DATA DH_str_func + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_SHARED_INFO, 0), + "dh_cms_set_shared_info"}, ++ {ERR_PACK(ERR_LIB_DH, DH_F_DH_COMPUTE_KEY, 0), "DH_compute_key"}, ++ {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_KEY, 0), "DH_generate_key"}, ++ {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_PARAMETERS_EX, 0), "DH_generate_parameters_ex"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_DUP, 0), "DH_meth_dup"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_NEW, 0), "DH_meth_new"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_SET1_NAME, 0), "DH_meth_set1_name"}, +@@ -72,12 +75,14 @@ static const ERR_STRING_DATA DH_str_reas + {ERR_PACK(ERR_LIB_DH, 0, DH_R_INVALID_PUBKEY), "invalid public key"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_KDF_PARAMETER_ERROR), "kdf parameter error"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_KEYS_NOT_SET), "keys not set"}, ++ {ERR_PACK(ERR_LIB_DH, 0, DH_R_KEY_SIZE_TOO_SMALL), "key size too small"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_MISSING_PUBKEY), "missing pubkey"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_MODULUS_TOO_LARGE), "modulus too large"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_NOT_SUITABLE_GENERATOR), + "not suitable generator"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PARAMETERS_SET), "no parameters set"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PRIVATE_VALUE), "no private value"}, ++ {ERR_PACK(ERR_LIB_DH, 0, DH_R_NON_FIPS_METHOD), "non FIPS method"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), + "parameter encoding error"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, +diff -up openssl-1.1.1-pre8/crypto/dh/dh_gen.c.fips openssl-1.1.1-pre8/crypto/dh/dh_gen.c +--- openssl-1.1.1-pre8/crypto/dh/dh_gen.c.fips 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/dh/dh_gen.c 2018-07-25 17:26:58.402624632 +0200 +@@ -16,6 +16,9 @@ + #include "internal/cryptlib.h" + #include + #include "dh_locl.h" ++#ifdef OPENSSL_FIPS ++# include ++#endif + + static int dh_builtin_genparams(DH *ret, int prime_len, int generator, + BN_GENCB *cb); +@@ -23,6 +26,13 @@ static int dh_builtin_genparams(DH *ret, + int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, + BN_GENCB *cb) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD) ++ && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) { ++ DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD); ++ return 0; ++ } ++#endif + if (ret->meth->generate_params) + return ret->meth->generate_params(ret, prime_len, generator, cb); + return dh_builtin_genparams(ret, prime_len, generator, cb); +@@ -62,6 +72,18 @@ static int dh_builtin_genparams(DH *ret, + int g, ok = -1; + BN_CTX *ctx = NULL; + ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED); ++ return 0; ++ } ++ ++ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) { ++ DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL); ++ goto err; ++ } ++#endif ++ + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; +diff -up openssl-1.1.1-pre8/crypto/dh/dh_key.c.fips openssl-1.1.1-pre8/crypto/dh/dh_key.c +--- openssl-1.1.1-pre8/crypto/dh/dh_key.c.fips 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/dh/dh_key.c 2018-07-25 17:26:58.402624632 +0200 +@@ -11,6 +11,9 @@ + #include "internal/cryptlib.h" + #include "dh_locl.h" + #include "internal/bn_int.h" ++#ifdef OPENSSL_FIPS ++# include ++#endif + + static int generate_key(DH *dh); + static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); +@@ -22,18 +25,32 @@ static int dh_finish(DH *dh); + + int DH_generate_key(DH *dh) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD) ++ && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) { ++ DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD); ++ return 0; ++ } ++#endif + return dh->meth->generate_key(dh); + } + + int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD) ++ && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) { ++ DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD); ++ return 0; ++ } ++#endif + return dh->meth->compute_key(key, pub_key, dh); + } + + int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh) + { + int rv, pad; +- rv = dh->meth->compute_key(key, pub_key, dh); ++ rv = DH_compute_key(key, pub_key, dh); + if (rv <= 0) + return rv; + pad = BN_num_bytes(dh->p) - rv; +@@ -82,6 +99,14 @@ static int generate_key(DH *dh) + BN_MONT_CTX *mont = NULL; + BIGNUM *pub_key = NULL, *priv_key = NULL; + ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() ++ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { ++ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL); ++ return 0; ++ } ++#endif ++ + if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { + DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); + return 0; +@@ -170,6 +195,13 @@ static int compute_key(unsigned char *ke + DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE); + goto err; + } ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() ++ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { ++ DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL); ++ goto err; ++ } ++#endif + + ctx = BN_CTX_new(); + if (ctx == NULL) +@@ -221,6 +253,9 @@ static int dh_bn_mod_exp(const DH *dh, B + + static int dh_init(DH *dh) + { ++#ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++#endif + dh->flags |= DH_FLAG_CACHE_MONT_P; + return 1; + } +diff -up openssl-1.1.1-pre8/crypto/dsa/dsa_err.c.fips openssl-1.1.1-pre8/crypto/dsa/dsa_err.c +--- openssl-1.1.1-pre8/crypto/dsa/dsa_err.c.fips 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/dsa/dsa_err.c 2018-07-25 17:26:58.402624632 +0200 +@@ -16,12 +16,15 @@ + static const ERR_STRING_DATA DSA_str_functs[] = { + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT, 0), "DSAparams_print"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT_FP, 0), "DSAparams_print_fp"}, ++ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_KEYGEN, 0), "dsa_builtin_keygen"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_PARAMGEN, 0), + "dsa_builtin_paramgen"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_PARAMGEN2, 0), + "dsa_builtin_paramgen2"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_SIGN, 0), "DSA_do_sign"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_VERIFY, 0), "DSA_do_verify"}, ++ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_KEY, 0), "DSA_generate_key"}, ++ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_PARAMETERS_EX, 0), "DSA_generate_parameters_ex"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_DUP, 0), "DSA_meth_dup"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_NEW, 0), "DSA_meth_new"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_SET1_NAME, 0), "DSA_meth_set1_name"}, +@@ -51,9 +54,12 @@ static const ERR_STRING_DATA DSA_str_rea + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_DIGEST_TYPE), + "invalid digest type"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_PARAMETERS), "invalid parameters"}, ++ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_INVALID), "key size invalid"}, ++ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_TOO_SMALL), "key size too small"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PARAMETERS), "missing parameters"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MODULUS_TOO_LARGE), "modulus too large"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NO_PARAMETERS_SET), "no parameters set"}, ++ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NON_FIPS_DSA_METHOD), "non FIPS DSA method"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR), + "parameter encoding error"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"}, +diff -up openssl-1.1.1-pre8/crypto/dsa/dsa_gen.c.fips openssl-1.1.1-pre8/crypto/dsa/dsa_gen.c +--- openssl-1.1.1-pre8/crypto/dsa/dsa_gen.c.fips 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/dsa/dsa_gen.c 2018-07-25 17:26:58.403624656 +0200 +@@ -22,12 +22,22 @@ + #include + #include + #include "dsa_locl.h" ++#ifdef OPENSSL_FIPS ++# include ++#endif + + int DSA_generate_parameters_ex(DSA *ret, int bits, + const unsigned char *seed_in, int seed_len, + int *counter_ret, unsigned long *h_ret, + BN_GENCB *cb) + { ++# ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD) ++ && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW)) { ++ DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD); ++ return 0; ++ } ++# endif + if (ret->meth->dsa_paramgen) + return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len, + counter_ret, h_ret, cb); +@@ -35,9 +45,15 @@ int DSA_generate_parameters_ex(DSA *ret, + const EVP_MD *evpmd = bits >= 2048 ? EVP_sha256() : EVP_sha1(); + size_t qbits = EVP_MD_size(evpmd) * 8; + ++# ifdef OPENSSL_FIPS ++ return dsa_builtin_paramgen2(ret, bits, qbits, evpmd, ++ seed_in, seed_len, -1, NULL, counter_ret, ++ h_ret, cb); ++# else + return dsa_builtin_paramgen(ret, bits, qbits, evpmd, + seed_in, seed_len, NULL, counter_ret, + h_ret, cb); ++# endif + } + } + +@@ -310,7 +326,7 @@ int dsa_builtin_paramgen2(DSA *ret, size + int *counter_ret, unsigned long *h_ret, + BN_GENCB *cb) + { +- int ok = -1; ++ int ok = 0; + unsigned char *seed = NULL, *seed_tmp = NULL; + unsigned char md[EVP_MAX_MD_SIZE]; + int mdsize; +@@ -327,6 +343,20 @@ int dsa_builtin_paramgen2(DSA *ret, size + if (mctx == NULL) + goto err; + ++# ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN2, FIPS_R_FIPS_SELFTEST_FAILED); ++ goto err; ++ } ++ ++ if (FIPS_mode() && (L != 1024 || N != 160) && ++ (L != 2048 || N != 224) && (L != 2048 || N != 256) && ++ (L != 3072 || N != 256)) { ++ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_KEY_SIZE_INVALID); ++ goto err; ++ } ++# endif ++ + if (evpmd == NULL) { + if (N == 160) + evpmd = EVP_sha1(); +@@ -427,9 +457,10 @@ int dsa_builtin_paramgen2(DSA *ret, size + goto err; + /* Provided seed didn't produce a prime: error */ + if (seed_in) { +- ok = 0; +- DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_Q_NOT_PRIME); +- goto err; ++ /* Different seed_out will indicate that seed_in ++ * did not generate primes. ++ */ ++ seed_in = NULL; + } + + /* do a callback call */ +@@ -515,11 +546,14 @@ int dsa_builtin_paramgen2(DSA *ret, size + if (counter >= (int)(4 * L)) + break; + } ++#if 0 ++ /* Cannot happen */ + if (seed_in) { + ok = 0; + DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS); + goto err; + } ++#endif + } + end: + if (!BN_GENCB_call(cb, 2, 1)) +@@ -590,7 +624,7 @@ int dsa_builtin_paramgen2(DSA *ret, size + BN_free(ret->g); + ret->g = BN_dup(g); + if (ret->p == NULL || ret->q == NULL || ret->g == NULL) { +- ok = -1; ++ ok = 0; + goto err; + } + if (counter_ret != NULL) +@@ -608,3 +642,53 @@ int dsa_builtin_paramgen2(DSA *ret, size + EVP_MD_CTX_free(mctx); + return ok; + } ++ ++#ifdef OPENSSL_FIPS ++ ++int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, ++ const EVP_MD *evpmd, const unsigned char *seed_in, ++ size_t seed_len, int idx, unsigned char *seed_out, ++ int *counter_ret, unsigned long *h_ret, ++ BN_GENCB *cb) ++{ ++ return dsa_builtin_paramgen2(ret, L, N, evpmd, seed_in, seed_len, ++ idx, seed_out, counter_ret, h_ret, cb); ++} ++ ++int FIPS_dsa_paramgen_check_g(DSA *dsa) ++{ ++ BN_CTX *ctx; ++ BIGNUM *tmp; ++ BN_MONT_CTX *mont = NULL; ++ int rv = -1; ++ ++ ctx = BN_CTX_new(); ++ if (ctx == NULL) ++ return -1; ++ BN_CTX_start(ctx); ++ if (BN_cmp(dsa->g, BN_value_one()) <= 0) ++ return 0; ++ if (BN_cmp(dsa->g, dsa->p) >= 0) ++ return 0; ++ tmp = BN_CTX_get(ctx); ++ if (tmp == NULL) ++ goto err; ++ if ((mont=BN_MONT_CTX_new()) == NULL) ++ goto err; ++ if (!BN_MONT_CTX_set(mont,dsa->p,ctx)) ++ goto err; ++ /* Work out g^q mod p */ ++ if (!BN_mod_exp_mont(tmp,dsa->g,dsa->q, dsa->p, ctx, mont)) ++ goto err; ++ if (!BN_cmp(tmp, BN_value_one())) ++ rv = 1; ++ else ++ rv = 0; ++ err: ++ BN_CTX_end(ctx); ++ BN_MONT_CTX_free(mont); ++ BN_CTX_free(ctx); ++ return rv; ++} ++ ++#endif +diff -up openssl-1.1.1-pre8/crypto/dsa/dsa_key.c.fips openssl-1.1.1-pre8/crypto/dsa/dsa_key.c +--- openssl-1.1.1-pre8/crypto/dsa/dsa_key.c.fips 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/dsa/dsa_key.c 2018-07-25 17:26:58.403624656 +0200 +@@ -13,10 +13,49 @@ + #include + #include "dsa_locl.h" + ++#ifdef OPENSSL_FIPS ++# include ++# include "internal/fips_int.h" ++ ++static int fips_check_dsa(DSA *dsa) ++{ ++ EVP_PKEY *pk; ++ unsigned char tbs[] = "DSA Pairwise Check Data"; ++ int ret = 0; ++ ++ if ((pk = EVP_PKEY_new()) == NULL) ++ goto err; ++ ++ EVP_PKEY_set1_DSA(pk, dsa); ++ ++ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL)) ++ ret = 1; ++ ++ err: ++ if (ret == 0) { ++ FIPSerr(FIPS_F_FIPS_CHECK_DSA, FIPS_R_PAIRWISE_TEST_FAILED); ++ fips_set_selftest_fail(); ++ } ++ ++ if (pk) ++ EVP_PKEY_free(pk); ++ ++ return ret; ++} ++ ++#endif ++ + static int dsa_builtin_keygen(DSA *dsa); + + int DSA_generate_key(DSA *dsa) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD) ++ && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) { ++ DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD); ++ return 0; ++ } ++#endif + if (dsa->meth->dsa_keygen) + return dsa->meth->dsa_keygen(dsa); + return dsa_builtin_keygen(dsa); +@@ -28,6 +67,14 @@ static int dsa_builtin_keygen(DSA *dsa) + BN_CTX *ctx = NULL; + BIGNUM *pub_key = NULL, *priv_key = NULL; + ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) ++ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN)) { ++ DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL); ++ goto err; ++ } ++#endif ++ + if ((ctx = BN_CTX_new()) == NULL) + goto err; + +@@ -65,6 +112,13 @@ static int dsa_builtin_keygen(DSA *dsa) + + dsa->priv_key = priv_key; + dsa->pub_key = pub_key; ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !fips_check_dsa(dsa)) { ++ dsa->pub_key = NULL; ++ dsa->priv_key = NULL; ++ goto err; ++ } ++#endif + ok = 1; + + err: +diff -up openssl-1.1.1-pre8/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1-pre8/crypto/dsa/dsa_ossl.c +--- openssl-1.1.1-pre8/crypto/dsa/dsa_ossl.c.fips 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/dsa/dsa_ossl.c 2018-07-25 17:26:58.403624656 +0200 +@@ -13,6 +13,9 @@ + #include + #include "dsa_locl.h" + #include ++#ifdef OPENSSL_FIPS ++# include ++#endif + + static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); + static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, +@@ -66,6 +69,19 @@ static DSA_SIG *dsa_do_sign(const unsign + DSA_SIG *ret = NULL; + int rv = 0; + ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_DSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED); ++ return NULL; ++ } ++ ++ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) ++ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) { ++ DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL); ++ return NULL; ++ } ++#endif ++ + m = BN_new(); + xr = BN_new(); + if (m == NULL || xr == NULL) +@@ -264,6 +280,18 @@ static int dsa_do_verify(const unsigned + DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE); + return -1; + } ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_DSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED); ++ return -1; ++ } ++ ++ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) ++ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) { ++ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL); ++ return -1; ++ } ++#endif + + if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) { + DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE); +@@ -352,6 +380,9 @@ static int dsa_do_verify(const unsigned + + static int dsa_init(DSA *dsa) + { ++#ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++#endif + dsa->flags |= DSA_FLAG_CACHE_MONT_P; + return 1; + } +diff -up openssl-1.1.1-pre8/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.1-pre8/crypto/dsa/dsa_pmeth.c +--- openssl-1.1.1-pre8/crypto/dsa/dsa_pmeth.c.fips 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/dsa/dsa_pmeth.c 2018-07-25 17:26:58.403624656 +0200 +@@ -221,8 +221,8 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT + BN_GENCB_free(pcb); + return 0; + } +- ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd, +- NULL, 0, NULL, NULL, NULL, pcb); ++ ret = dsa_builtin_paramgen2(dsa, dctx->nbits, dctx->qbits, dctx->pmd, ++ NULL, 0, -1, NULL, NULL, NULL, pcb); + BN_GENCB_free(pcb); + if (ret) + EVP_PKEY_assign_DSA(pkey, dsa); +diff -up openssl-1.1.1-pre8/crypto/ec/ecdh_ossl.c.fips openssl-1.1.1-pre8/crypto/ec/ecdh_ossl.c +--- openssl-1.1.1-pre8/crypto/ec/ecdh_ossl.c.fips 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/ec/ecdh_ossl.c 2018-07-25 17:26:58.403624656 +0200 +@@ -19,9 +19,20 @@ + #include + #include "ec_lcl.h" + ++#ifdef OPENSSL_FIPS ++# include ++#endif ++ + int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen, + const EC_POINT *pub_key, const EC_KEY *ecdh) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED); ++ return -1; ++ } ++#endif ++ + if (ecdh->group->meth->ecdh_compute_key == NULL) { + ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH); + return 0; +diff -up openssl-1.1.1-pre8/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1-pre8/crypto/ec/ecdsa_ossl.c +--- openssl-1.1.1-pre8/crypto/ec/ecdsa_ossl.c.fips 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/ec/ecdsa_ossl.c 2018-07-25 17:26:58.403624656 +0200 +@@ -15,6 +15,10 @@ + #include + #include "ec_lcl.h" + ++#ifdef OPENSSL_FIPS ++# include ++#endif ++ + int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen, + unsigned char *sig, unsigned int *siglen, + const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey) +@@ -204,6 +208,13 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns + ECDSA_SIG *ret; + const BIGNUM *priv_key; + ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_OSSL_ECDSA_SIGN_SIG, FIPS_R_FIPS_SELFTEST_FAILED); ++ return NULL; ++ } ++#endif ++ + group = EC_KEY_get0_group(eckey); + priv_key = EC_KEY_get0_private_key(eckey); + +@@ -408,6 +419,13 @@ int ossl_ecdsa_verify_sig(const unsigned + const EC_GROUP *group; + const EC_POINT *pub_key; + ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_OSSL_ECDSA_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED); ++ return NULL; ++ } ++#endif ++ + /* check input values */ + if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || + (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) { +diff -up openssl-1.1.1-pre8/crypto/ec/ec_key.c.fips openssl-1.1.1-pre8/crypto/ec/ec_key.c +--- openssl-1.1.1-pre8/crypto/ec/ec_key.c.fips 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/ec/ec_key.c 2018-07-25 17:26:58.403624656 +0200 +@@ -178,14 +178,62 @@ ENGINE *EC_KEY_get0_engine(const EC_KEY + return eckey->engine; + } + ++#ifdef OPENSSL_FIPS ++ ++# include ++# include "internal/fips_int.h" ++ ++static int fips_check_ec(EC_KEY *key) ++{ ++ EVP_PKEY *pk; ++ unsigned char tbs[] = "ECDSA Pairwise Check Data"; ++ int ret = 0; ++ ++ if (!EC_KEY_can_sign(key)) /* no test for non-signing keys */ ++ return 1; ++ ++ if ((pk = EVP_PKEY_new()) == NULL) ++ goto err; ++ ++ EVP_PKEY_set1_EC_KEY(pk, key); ++ ++ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL)) ++ ret = 1; ++ ++ err: ++ if (ret == 0) { ++ FIPSerr(FIPS_F_FIPS_CHECK_EC, FIPS_R_PAIRWISE_TEST_FAILED); ++ fips_set_selftest_fail(); ++ } ++ if (pk) ++ EVP_PKEY_free(pk); ++ return ret; ++} ++ ++#endif ++ + int EC_KEY_generate_key(EC_KEY *eckey) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_NOT_INITIALIZED); ++ return 0; ++ } ++#endif + if (eckey == NULL || eckey->group == NULL) { + ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } +- if (eckey->meth->keygen != NULL) +- return eckey->meth->keygen(eckey); ++ if (eckey->meth->keygen != NULL) { ++ int rv = eckey->meth->keygen(eckey); ++ ++#ifdef OPENSSL_FIPS ++ if (rv > 0 && FIPS_mode()) { ++ rv = fips_check_ec(eckey); ++ } ++#endif ++ return rv; ++ } + ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED); + return 0; + } +diff -up openssl-1.1.1-pre8/crypto/evp/c_allc.c.fips openssl-1.1.1-pre8/crypto/evp/c_allc.c +--- openssl-1.1.1-pre8/crypto/evp/c_allc.c.fips 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/evp/c_allc.c 2018-07-25 17:26:58.404624680 +0200 +@@ -17,6 +17,9 @@ + void openssl_add_all_ciphers_int(void) + { + ++#ifdef OPENSSL_FIPS ++ if (!FIPS_mode()) { ++#endif + #ifndef OPENSSL_NO_DES + EVP_add_cipher(EVP_des_cfb()); + EVP_add_cipher(EVP_des_cfb1()); +@@ -263,4 +266,70 @@ void openssl_add_all_ciphers_int(void) + EVP_add_cipher(EVP_chacha20_poly1305()); + # endif + #endif ++#ifdef OPENSSL_FIPS ++ } else { ++# ifndef OPENSSL_NO_DES ++ EVP_add_cipher(EVP_des_ede3_cfb()); ++ ++ EVP_add_cipher(EVP_des_ede3_ofb()); ++ ++ EVP_add_cipher(EVP_des_ede3_cbc()); ++ EVP_add_cipher_alias(SN_des_ede3_cbc, "DES3"); ++ EVP_add_cipher_alias(SN_des_ede3_cbc, "des3"); ++ ++ EVP_add_cipher(EVP_des_ede3()); ++ EVP_add_cipher_alias(SN_des_ede3_ecb, "DES-EDE3-ECB"); ++ EVP_add_cipher_alias(SN_des_ede3_ecb, "des-ede3-ecb"); ++ EVP_add_cipher(EVP_des_ede3_wrap()); ++ EVP_add_cipher_alias(SN_id_smime_alg_CMS3DESwrap, "des3-wrap"); ++# endif ++ ++# ifndef OPENSSL_NO_AES ++ EVP_add_cipher(EVP_aes_128_ecb()); ++ EVP_add_cipher(EVP_aes_128_cbc()); ++ EVP_add_cipher(EVP_aes_128_cfb()); ++ EVP_add_cipher(EVP_aes_128_cfb1()); ++ EVP_add_cipher(EVP_aes_128_cfb8()); ++ EVP_add_cipher(EVP_aes_128_ofb()); ++ EVP_add_cipher(EVP_aes_128_ctr()); ++ EVP_add_cipher(EVP_aes_128_gcm()); ++ EVP_add_cipher(EVP_aes_128_xts()); ++ EVP_add_cipher(EVP_aes_128_ccm()); ++ EVP_add_cipher(EVP_aes_128_wrap()); ++ EVP_add_cipher_alias(SN_id_aes128_wrap, "aes128-wrap"); ++ EVP_add_cipher(EVP_aes_128_wrap_pad()); ++ EVP_add_cipher_alias(SN_aes_128_cbc, "AES128"); ++ EVP_add_cipher_alias(SN_aes_128_cbc, "aes128"); ++ EVP_add_cipher(EVP_aes_192_ecb()); ++ EVP_add_cipher(EVP_aes_192_cbc()); ++ EVP_add_cipher(EVP_aes_192_cfb()); ++ EVP_add_cipher(EVP_aes_192_cfb1()); ++ EVP_add_cipher(EVP_aes_192_cfb8()); ++ EVP_add_cipher(EVP_aes_192_ofb()); ++ EVP_add_cipher(EVP_aes_192_ctr()); ++ EVP_add_cipher(EVP_aes_192_gcm()); ++ EVP_add_cipher(EVP_aes_192_ccm()); ++ EVP_add_cipher(EVP_aes_192_wrap()); ++ EVP_add_cipher_alias(SN_id_aes192_wrap, "aes192-wrap"); ++ EVP_add_cipher(EVP_aes_192_wrap_pad()); ++ EVP_add_cipher_alias(SN_aes_192_cbc, "AES192"); ++ EVP_add_cipher_alias(SN_aes_192_cbc, "aes192"); ++ EVP_add_cipher(EVP_aes_256_ecb()); ++ EVP_add_cipher(EVP_aes_256_cbc()); ++ EVP_add_cipher(EVP_aes_256_cfb()); ++ EVP_add_cipher(EVP_aes_256_cfb1()); ++ EVP_add_cipher(EVP_aes_256_cfb8()); ++ EVP_add_cipher(EVP_aes_256_ofb()); ++ EVP_add_cipher(EVP_aes_256_ctr()); ++ EVP_add_cipher(EVP_aes_256_gcm()); ++ EVP_add_cipher(EVP_aes_256_xts()); ++ EVP_add_cipher(EVP_aes_256_ccm()); ++ EVP_add_cipher(EVP_aes_256_wrap()); ++ EVP_add_cipher_alias(SN_id_aes256_wrap, "aes256-wrap"); ++ EVP_add_cipher(EVP_aes_256_wrap_pad()); ++ EVP_add_cipher_alias(SN_aes_256_cbc, "AES256"); ++ EVP_add_cipher_alias(SN_aes_256_cbc, "aes256"); ++# endif ++ } ++#endif + } +diff -up openssl-1.1.1-pre8/crypto/evp/c_alld.c.fips openssl-1.1.1-pre8/crypto/evp/c_alld.c +--- openssl-1.1.1-pre8/crypto/evp/c_alld.c.fips 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/evp/c_alld.c 2018-07-25 17:26:58.404624680 +0200 +@@ -16,6 +16,9 @@ + + void openssl_add_all_digests_int(void) + { ++#ifdef OPENSSL_FIPS ++ if (!FIPS_mode()) { ++#endif + #ifndef OPENSSL_NO_MD4 + EVP_add_digest(EVP_md4()); + #endif +@@ -57,4 +60,24 @@ void openssl_add_all_digests_int(void) + EVP_add_digest(EVP_sha3_512()); + EVP_add_digest(EVP_shake128()); + EVP_add_digest(EVP_shake256()); ++#ifdef OPENSSL_FIPS ++ } else { ++ EVP_add_digest(EVP_md5_sha1()); ++ EVP_add_digest(EVP_sha1()); ++ EVP_add_digest_alias(SN_sha1, "ssl3-sha1"); ++ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA); ++ EVP_add_digest(EVP_sha224()); ++ EVP_add_digest(EVP_sha256()); ++ EVP_add_digest(EVP_sha384()); ++ EVP_add_digest(EVP_sha512()); ++ EVP_add_digest(EVP_sha512_224()); ++ EVP_add_digest(EVP_sha512_256()); ++ EVP_add_digest(EVP_sha3_224()); ++ EVP_add_digest(EVP_sha3_256()); ++ EVP_add_digest(EVP_sha3_384()); ++ EVP_add_digest(EVP_sha3_512()); ++ EVP_add_digest(EVP_shake128()); ++ EVP_add_digest(EVP_shake256()); ++ } ++#endif + } +diff -up openssl-1.1.1-pre8/crypto/evp/digest.c.fips openssl-1.1.1-pre8/crypto/evp/digest.c +--- openssl-1.1.1-pre8/crypto/evp/digest.c.fips 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/evp/digest.c 2018-07-25 17:26:58.404624680 +0200 +@@ -14,6 +14,9 @@ + #include + #include "internal/evp_int.h" + #include "evp_locl.h" ++#ifdef OPENSSL_FIPS ++# include ++#endif + + /* This call frees resources associated with the context */ + int EVP_MD_CTX_reset(EVP_MD_CTX *ctx) +@@ -61,6 +64,12 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons + int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) + { + EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED); ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_EVP_DIGESTINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED); ++ return 0; ++ } ++#endif + #ifndef OPENSSL_NO_ENGINE + /* + * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so +@@ -114,6 +123,15 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c + } + #endif + if (ctx->digest != type) { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ if (!(type->flags & EVP_MD_FLAG_FIPS) ++ && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) { ++ EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS); ++ return 0; ++ } ++ } ++#endif + if (ctx->digest && ctx->digest->ctx_size) { + OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size); + ctx->md_data = NULL; +@@ -145,6 +163,9 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c + + int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) + { ++#ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++#endif + return ctx->update(ctx, data, count); + } + +@@ -162,6 +183,9 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, + { + int ret; + ++#ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++#endif + OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); + ret = ctx->digest->final(ctx, md); + if (size != NULL) +diff -up openssl-1.1.1-pre8/crypto/evp/e_aes.c.fips openssl-1.1.1-pre8/crypto/evp/e_aes.c +--- openssl-1.1.1-pre8/crypto/evp/e_aes.c.fips 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/evp/e_aes.c 2018-07-25 17:26:58.404624680 +0200 +@@ -2776,9 +2776,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX + return 1; + } + +-BLOCK_CIPHER_generic_pack(NID_aes, 128, 0) +- BLOCK_CIPHER_generic_pack(NID_aes, 192, 0) +- BLOCK_CIPHER_generic_pack(NID_aes, 256, 0) ++BLOCK_CIPHER_generic_pack(NID_aes, 128, EVP_CIPH_FLAG_FIPS) ++ BLOCK_CIPHER_generic_pack(NID_aes, 192, EVP_CIPH_FLAG_FIPS) ++ BLOCK_CIPHER_generic_pack(NID_aes, 256, EVP_CIPH_FLAG_FIPS) + + static int aes_gcm_cleanup(EVP_CIPHER_CTX *c) + { +@@ -2824,6 +2824,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX * + case EVP_CTRL_AEAD_SET_IVLEN: + if (arg <= 0) + return 0; ++# ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) ++ && arg < 12) ++ return 0; ++# endif + /* Allocate memory for IV if needed */ + if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { + if (gctx->iv != c->iv) +@@ -3273,11 +3278,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX + | EVP_CIPH_CUSTOM_COPY) + + BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM, +- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) ++ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | ++ CUSTOM_FLAGS) + BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM, +- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) ++ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | ++ CUSTOM_FLAGS) + BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM, +- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) ++ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | ++ CUSTOM_FLAGS) + + static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) + { +@@ -3412,6 +3420,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX + return 0; + if (!out || !in || len < AES_BLOCK_SIZE) + return 0; ++# ifdef OPENSSL_FIPS ++ /* Requirement of SP800-38E */ ++ if (FIPS_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) && ++ (len > (1UL << 20) * 16)) { ++ EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE); ++ return 0; ++ } ++# endif + if (xctx->stream) + (*xctx->stream) (in, out, len, + xctx->xts.key1, xctx->xts.key2, +@@ -3429,8 +3445,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX + | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ + | EVP_CIPH_CUSTOM_COPY) + +-BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS) +- BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS) ++BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, ++ EVP_CIPH_FLAG_FIPS | XTS_FLAGS) ++ BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, ++ EVP_CIPH_FLAG_FIPS | XTS_FLAGS) + + static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) + { +@@ -3695,11 +3713,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX + #define aes_ccm_cleanup NULL + + BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM, +- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) ++ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) + BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM, +- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) ++ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) + BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM, +- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) ++ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) + + typedef struct { + union { +@@ -3792,7 +3810,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT + return rv ? (int)rv : -1; + } + +-#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \ ++#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_FLAG_FIPS \ + | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ + | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1) + +diff -up openssl-1.1.1-pre8/crypto/evp/e_des3.c.fips openssl-1.1.1-pre8/crypto/evp/e_des3.c +--- openssl-1.1.1-pre8/crypto/evp/e_des3.c.fips 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/evp/e_des3.c 2018-07-25 17:26:58.405624704 +0200 +@@ -211,16 +211,19 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, + # define des_ede3_cbc_cipher des_ede_cbc_cipher + # define des_ede3_ecb_cipher des_ede_ecb_cipher + BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64, +- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1, +- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl) ++ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS | ++ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, NULL, ++ des3_ctrl) + + BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 1, +- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1, +- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl) ++ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS | ++ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, ++ NULL, des3_ctrl) + + BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 8, +- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1, +- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl) ++ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS | ++ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, ++ NULL, des3_ctrl) + + static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc) +diff -up openssl-1.1.1-pre8/crypto/evp/e_null.c.fips openssl-1.1.1-pre8/crypto/evp/e_null.c +--- openssl-1.1.1-pre8/crypto/evp/e_null.c.fips 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/evp/e_null.c 2018-07-25 17:26:58.405624704 +0200 +@@ -19,7 +19,8 @@ static int null_cipher(EVP_CIPHER_CTX *c + const unsigned char *in, size_t inl); + static const EVP_CIPHER n_cipher = { + NID_undef, +- 1, 0, 0, 0, ++ 1, 0, 0, ++ EVP_CIPH_FLAG_FIPS, + null_init_key, + null_cipher, + NULL, +diff -up openssl-1.1.1-pre8/crypto/evp/evp_enc.c.fips openssl-1.1.1-pre8/crypto/evp/evp_enc.c +--- openssl-1.1.1-pre8/crypto/evp/evp_enc.c.fips 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/evp/evp_enc.c 2018-07-25 17:26:58.405624704 +0200 +@@ -17,10 +17,19 @@ + #include + #include "internal/evp_int.h" + #include "evp_locl.h" ++#ifdef OPENSSL_FIPS ++# include ++#endif + + int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c) + { +- if (c == NULL) ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_EVP_CIPHER_CTX_RESET, FIPS_R_FIPS_SELFTEST_FAILED); ++ return 0; ++ } ++#endif ++ if (c == NULL) + return 1; + if (c->cipher != NULL) { + if (c->cipher->cleanup && !c->cipher->cleanup(c)) +@@ -39,6 +48,12 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX + + EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_EVP_CIPHER_CTX_NEW, FIPS_R_FIPS_SELFTEST_FAILED); ++ return NULL; ++ } ++#endif + return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX)); + } + +@@ -67,6 +82,12 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct + enc = 1; + ctx->encrypt = enc; + } ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_EVP_CIPHERINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED); ++ return 0; ++ } ++#endif + #ifndef OPENSSL_NO_ENGINE + /* + * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so +@@ -136,7 +157,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct + } + ctx->key_len = cipher->key_len; + /* Preserve wrap enable flag, zero everything else */ +- ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW; ++ ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW | EVP_CIPH_FLAG_NON_FIPS_ALLOW; + if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) { + if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) { + ctx->cipher = NULL; +@@ -195,6 +216,18 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct + return 0; + } + } ++#ifdef OPENSSL_FIPS ++ /* After 'key' is set no further parameters changes are permissible. ++ * So only check for non FIPS enabling at this point. ++ */ ++ if (key && FIPS_mode()) { ++ if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS) ++ & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) { ++ EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS); ++ return 0; ++ } ++ } ++#endif + + if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) { + if (!ctx->cipher->init(ctx, key, iv, enc)) +diff -up openssl-1.1.1-pre8/crypto/evp/evp_err.c.fips openssl-1.1.1-pre8/crypto/evp/evp_err.c +--- openssl-1.1.1-pre8/crypto/evp/evp_err.c.fips 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/evp/evp_err.c 2018-07-25 17:26:58.405624704 +0200 +@@ -20,6 +20,7 @@ static const ERR_STRING_DATA EVP_str_fun + {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_OCB_CIPHER, 0), "aes_ocb_cipher"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_INIT_KEY, 0), "aes_t4_init_key"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_WRAP_CIPHER, 0), "aes_wrap_cipher"}, ++ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_CIPHER, 0), "aes_xts_cipher"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_ALG_MODULE_INIT, 0), "alg_module_init"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_CCM_INIT_KEY, 0), "aria_ccm_init_key"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_GCM_CTRL, 0), "aria_gcm_ctrl"}, +@@ -177,6 +178,7 @@ static const ERR_STRING_DATA EVP_str_rea + "different key types"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIFFERENT_PARAMETERS), + "different parameters"}, ++ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DISABLED_FOR_FIPS), "disabled for FIPS"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_LOADING_SECTION), + "error loading section"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_SETTING_FIPS_MODE), +@@ -239,6 +241,7 @@ static const ERR_STRING_DATA EVP_str_rea + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PRIVATE_KEY_ENCODE_ERROR), + "private key encode error"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PUBLIC_KEY_NOT_RSA), "public key not rsa"}, ++ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_TOO_LARGE), "too large"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_CIPHER), "unknown cipher"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_DIGEST), "unknown digest"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_OPTION), "unknown option"}, +diff -up openssl-1.1.1-pre8/crypto/evp/evp_lib.c.fips openssl-1.1.1-pre8/crypto/evp/evp_lib.c +--- openssl-1.1.1-pre8/crypto/evp/evp_lib.c.fips 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/evp/evp_lib.c 2018-07-25 17:26:58.405624704 +0200 +@@ -192,6 +192,9 @@ int EVP_CIPHER_impl_ctx_size(const EVP_C + int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, unsigned int inl) + { ++#ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++#endif + return ctx->cipher->do_cipher(ctx, out, in, inl); + } + +diff -up openssl-1.1.1-pre8/crypto/evp/m_sha1.c.fips openssl-1.1.1-pre8/crypto/evp/m_sha1.c +--- openssl-1.1.1-pre8/crypto/evp/m_sha1.c.fips 2018-06-20 16:48:11.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/evp/m_sha1.c 2018-07-25 17:26:58.405624704 +0200 +@@ -95,7 +95,7 @@ static const EVP_MD sha1_md = { + NID_sha1, + NID_sha1WithRSAEncryption, + SHA_DIGEST_LENGTH, +- EVP_MD_FLAG_DIGALGID_ABSENT, ++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, + init, + update, + final, +@@ -145,7 +145,7 @@ static const EVP_MD sha224_md = { + NID_sha224, + NID_sha224WithRSAEncryption, + SHA224_DIGEST_LENGTH, +- EVP_MD_FLAG_DIGALGID_ABSENT, ++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, + init224, + update224, + final224, +@@ -164,7 +164,7 @@ static const EVP_MD sha256_md = { + NID_sha256, + NID_sha256WithRSAEncryption, + SHA256_DIGEST_LENGTH, +- EVP_MD_FLAG_DIGALGID_ABSENT, ++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, + init256, + update256, + final256, +@@ -224,7 +224,7 @@ static const EVP_MD sha512_224_md = { + NID_sha512_224, + NID_sha512_224WithRSAEncryption, + SHA224_DIGEST_LENGTH, +- EVP_MD_FLAG_DIGALGID_ABSENT, ++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, + init512_224, + update512, + final512, +@@ -243,7 +243,7 @@ static const EVP_MD sha512_256_md = { + NID_sha512_256, + NID_sha512_256WithRSAEncryption, + SHA256_DIGEST_LENGTH, +- EVP_MD_FLAG_DIGALGID_ABSENT, ++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, + init512_256, + update512, + final512, +@@ -262,7 +262,7 @@ static const EVP_MD sha384_md = { + NID_sha384, + NID_sha384WithRSAEncryption, + SHA384_DIGEST_LENGTH, +- EVP_MD_FLAG_DIGALGID_ABSENT, ++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, + init384, + update384, + final384, +@@ -281,7 +281,7 @@ static const EVP_MD sha512_md = { + NID_sha512, + NID_sha512WithRSAEncryption, + SHA512_DIGEST_LENGTH, +- EVP_MD_FLAG_DIGALGID_ABSENT, ++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, + init512, + update512, + final512, +diff -up openssl-1.1.1-pre8/crypto/fips/build.info.fips openssl-1.1.1-pre8/crypto/fips/build.info +--- openssl-1.1.1-pre8/crypto/fips/build.info.fips 2018-07-25 17:26:58.405624704 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/build.info 2018-07-25 17:26:58.405624704 +0200 +@@ -0,0 +1,15 @@ ++LIBS=../../libcrypto ++SOURCE[../../libcrypto]=\ ++ fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c \ ++ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c \ ++ fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ ++ fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ ++ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \ ++ fips_enc.c fips_md.c fips_dh_selftest.c fips_ers.c ++ ++PROGRAMS_NO_INST=\ ++ fips_standalone_hmac ++ ++SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c ++INCLUDE[fips_standalone_hmac]=../../include ++DEPEND[fips_standalone_hmac]=../../libcrypto +diff -up openssl-1.1.1-pre8/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_aes_selftest.c +--- openssl-1.1.1-pre8/crypto/fips/fips_aes_selftest.c.fips 2018-07-25 17:26:58.406624728 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_aes_selftest.c 2018-07-25 17:26:58.405624704 +0200 +@@ -0,0 +1,372 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#ifdef OPENSSL_FIPS ++# include ++# include "internal/fips_int.h" ++#endif ++ ++#ifdef OPENSSL_FIPS ++static const struct { ++ const unsigned char key[16]; ++ const unsigned char plaintext[16]; ++ const unsigned char ciphertext[16]; ++} tests[] = { ++ { ++ { ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, ++ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F}, { ++ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, ++ 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}, { ++0x69, 0xC4, 0xE0, 0xD8, 0x6A, 0x7B, 0x04, 0x30, ++ 0xD8, 0xCD, 0xB7, 0x80, 0x70, 0xB4, 0xC5, 0x5A},},}; ++ ++int FIPS_selftest_aes() ++{ ++ int n; ++ int ret = 0; ++ EVP_CIPHER_CTX *ctx; ++ ++ ctx = EVP_CIPHER_CTX_new(); ++ if (ctx == NULL) ++ goto err; ++ ++ for (n = 0; n < 1; ++n) { ++ unsigned char key[16]; ++ ++ memcpy(key, tests[n].key, sizeof(key)); ++ if (fips_cipher_test(ctx, EVP_aes_128_ecb(), ++ key, NULL, ++ tests[n].plaintext, ++ tests[n].ciphertext, 16) <= 0) ++ goto err; ++ } ++ ret = 1; ++ err: ++ EVP_CIPHER_CTX_free(ctx); ++ if (ret == 0) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES, FIPS_R_SELFTEST_FAILED); ++ return ret; ++} ++ ++/* AES-CCM test data from NIST public test vectors */ ++ ++static const unsigned char ccm_key[] = { ++ 0xce, 0xb0, 0x09, 0xae, 0xa4, 0x45, 0x44, 0x51, 0xfe, 0xad, 0xf0, 0xe6, ++ 0xb3, 0x6f, 0x45, 0x55, 0x5d, 0xd0, 0x47, 0x23, 0xba, 0xa4, 0x48, 0xe8 ++}; ++ ++static const unsigned char ccm_nonce[] = { ++ 0x76, 0x40, 0x43, 0xc4, 0x94, 0x60, 0xb7 ++}; ++ ++static const unsigned char ccm_adata[] = { ++ 0x6e, 0x80, 0xdd, 0x7f, 0x1b, 0xad, 0xf3, 0xa1, 0xc9, 0xab, 0x25, 0xc7, ++ 0x5f, 0x10, 0xbd, 0xe7, 0x8c, 0x23, 0xfa, 0x0e, 0xb8, 0xf9, 0xaa, 0xa5, ++ 0x3a, 0xde, 0xfb, 0xf4, 0xcb, 0xf7, 0x8f, 0xe4 ++}; ++ ++static const unsigned char ccm_pt[] = { ++ 0xc8, 0xd2, 0x75, 0xf9, 0x19, 0xe1, 0x7d, 0x7f, 0xe6, 0x9c, 0x2a, 0x1f, ++ 0x58, 0x93, 0x9d, 0xfe, 0x4d, 0x40, 0x37, 0x91, 0xb5, 0xdf, 0x13, 0x10 ++}; ++ ++static const unsigned char ccm_ct[] = { ++ 0x8a, 0x0f, 0x3d, 0x82, 0x29, 0xe4, 0x8e, 0x74, 0x87, 0xfd, 0x95, 0xa2, ++ 0x8a, 0xd3, 0x92, 0xc8, 0x0b, 0x36, 0x81, 0xd4, 0xfb, 0xc7, 0xbb, 0xfd ++}; ++ ++static const unsigned char ccm_tag[] = { ++ 0x2d, 0xd6, 0xef, 0x1c, 0x45, 0xd4, 0xcc, 0xb7, 0x23, 0xdc, 0x07, 0x44, ++ 0x14, 0xdb, 0x50, 0x6d ++}; ++ ++int FIPS_selftest_aes_ccm(void) ++{ ++ int ret = 0; ++ unsigned char out[128], tag[16]; ++ EVP_CIPHER_CTX *ctx; ++ ++ ctx = EVP_CIPHER_CTX_new(); ++ if (ctx == NULL) ++ goto err; ++ ++ memset(out, 0, sizeof(out)); ++ if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 1)) ++ goto err; ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, ++ sizeof(ccm_nonce), NULL)) ++ goto err; ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, ++ sizeof(ccm_tag), NULL)) ++ goto err; ++ if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 1)) ++ goto err; ++ if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_pt)) != sizeof(ccm_pt)) ++ goto err; ++ if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0) ++ goto err; ++ if (EVP_Cipher(ctx, out, ccm_pt, sizeof(ccm_pt)) != sizeof(ccm_ct)) ++ goto err; ++ ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG, 16, tag)) ++ goto err; ++ if (memcmp(tag, ccm_tag, sizeof(ccm_tag)) ++ || memcmp(out, ccm_ct, sizeof(ccm_ct))) ++ goto err; ++ ++ memset(out, 0, sizeof(out)); ++ ++ if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 0)) ++ goto err; ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, ++ sizeof(ccm_nonce), NULL)) ++ goto err; ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, 16, tag)) ++ goto err; ++ if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 0)) ++ goto err; ++ if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_ct)) != sizeof(ccm_ct)) ++ goto err; ++ if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0) ++ goto err; ++ if (EVP_Cipher(ctx, out, ccm_ct, sizeof(ccm_ct)) != sizeof(ccm_pt)) ++ goto err; ++ ++ if (memcmp(out, ccm_pt, sizeof(ccm_pt))) ++ goto err; ++ ++ ret = 1; ++ ++ err: ++ EVP_CIPHER_CTX_free(ctx); ++ ++ if (ret == 0) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_CCM, FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } else ++ return ret; ++ ++} ++ ++/* AES-GCM test data from NIST public test vectors */ ++ ++static const unsigned char gcm_key[] = { ++ 0xee, 0xbc, 0x1f, 0x57, 0x48, 0x7f, 0x51, 0x92, 0x1c, 0x04, 0x65, 0x66, ++ 0x5f, 0x8a, 0xe6, 0xd1, 0x65, 0x8b, 0xb2, 0x6d, 0xe6, 0xf8, 0xa0, 0x69, ++ 0xa3, 0x52, 0x02, 0x93, 0xa5, 0x72, 0x07, 0x8f ++}; ++ ++static const unsigned char gcm_iv[] = { ++ 0x99, 0xaa, 0x3e, 0x68, 0xed, 0x81, 0x73, 0xa0, 0xee, 0xd0, 0x66, 0x84 ++}; ++ ++static const unsigned char gcm_pt[] = { ++ 0xf5, 0x6e, 0x87, 0x05, 0x5b, 0xc3, 0x2d, 0x0e, 0xeb, 0x31, 0xb2, 0xea, ++ 0xcc, 0x2b, 0xf2, 0xa5 ++}; ++ ++static const unsigned char gcm_aad[] = { ++ 0x4d, 0x23, 0xc3, 0xce, 0xc3, 0x34, 0xb4, 0x9b, 0xdb, 0x37, 0x0c, 0x43, ++ 0x7f, 0xec, 0x78, 0xde ++}; ++ ++static const unsigned char gcm_ct[] = { ++ 0xf7, 0x26, 0x44, 0x13, 0xa8, 0x4c, 0x0e, 0x7c, 0xd5, 0x36, 0x86, 0x7e, ++ 0xb9, 0xf2, 0x17, 0x36 ++}; ++ ++static const unsigned char gcm_tag[] = { ++ 0x67, 0xba, 0x05, 0x10, 0x26, 0x2a, 0xe4, 0x87, 0xd7, 0x37, 0xee, 0x62, ++ 0x98, 0xf7, 0x7e, 0x0c ++}; ++ ++int FIPS_selftest_aes_gcm(void) ++{ ++ int ret = 0; ++ unsigned char out[128], tag[16]; ++ EVP_CIPHER_CTX *ctx; ++ ++ ctx = EVP_CIPHER_CTX_new(); ++ if (ctx == NULL) ++ goto err; ++ ++ memset(out, 0, sizeof(out)); ++ memset(tag, 0, sizeof(tag)); ++ if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 1)) ++ goto err; ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, ++ sizeof(gcm_iv), NULL)) ++ goto err; ++ if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 1)) ++ goto err; ++ if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0) ++ goto err; ++ if (EVP_Cipher(ctx, out, gcm_pt, sizeof(gcm_pt)) != sizeof(gcm_ct)) ++ goto err; ++ if (EVP_Cipher(ctx, NULL, NULL, 0) < 0) ++ goto err; ++ ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag)) ++ goto err; ++ ++ if (memcmp(tag, gcm_tag, 16) || memcmp(out, gcm_ct, 16)) ++ goto err; ++ ++ memset(out, 0, sizeof(out)); ++ ++ if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 0)) ++ goto err; ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, ++ sizeof(gcm_iv), NULL)) ++ goto err; ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, tag)) ++ goto err; ++ if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 0)) ++ goto err; ++ if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0) ++ goto err; ++ if (EVP_Cipher(ctx, out, gcm_ct, sizeof(gcm_ct)) != sizeof(gcm_pt)) ++ goto err; ++ if (EVP_Cipher(ctx, NULL, NULL, 0) < 0) ++ goto err; ++ ++ if (memcmp(out, gcm_pt, 16)) ++ goto err; ++ ++ ret = 1; ++ ++ err: ++ EVP_CIPHER_CTX_free(ctx); ++ ++ if (ret == 0) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_GCM, FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } else ++ return ret; ++ ++} ++ ++static const unsigned char XTS_128_key[] = { ++ 0xa1, 0xb9, 0x0c, 0xba, 0x3f, 0x06, 0xac, 0x35, 0x3b, 0x2c, 0x34, 0x38, ++ 0x76, 0x08, 0x17, 0x62, 0x09, 0x09, 0x23, 0x02, 0x6e, 0x91, 0x77, 0x18, ++ 0x15, 0xf2, 0x9d, 0xab, 0x01, 0x93, 0x2f, 0x2f ++}; ++ ++static const unsigned char XTS_128_i[] = { ++ 0x4f, 0xae, 0xf7, 0x11, 0x7c, 0xda, 0x59, 0xc6, 0x6e, 0x4b, 0x92, 0x01, ++ 0x3e, 0x76, 0x8a, 0xd5 ++}; ++ ++static const unsigned char XTS_128_pt[] = { ++ 0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d, 0x6f, 0xb3, 0x50, 0x39, ++ 0x07, 0x90, 0x31, 0x1c ++}; ++ ++static const unsigned char XTS_128_ct[] = { ++ 0x77, 0x8a, 0xe8, 0xb4, 0x3c, 0xb9, 0x8d, 0x5a, 0x82, 0x50, 0x81, 0xd5, ++ 0xbe, 0x47, 0x1c, 0x63 ++}; ++ ++static const unsigned char XTS_256_key[] = { ++ 0x1e, 0xa6, 0x61, 0xc5, 0x8d, 0x94, 0x3a, 0x0e, 0x48, 0x01, 0xe4, 0x2f, ++ 0x4b, 0x09, 0x47, 0x14, 0x9e, 0x7f, 0x9f, 0x8e, 0x3e, 0x68, 0xd0, 0xc7, ++ 0x50, 0x52, 0x10, 0xbd, 0x31, 0x1a, 0x0e, 0x7c, 0xd6, 0xe1, 0x3f, 0xfd, ++ 0xf2, 0x41, 0x8d, 0x8d, 0x19, 0x11, 0xc0, 0x04, 0xcd, 0xa5, 0x8d, 0xa3, ++ 0xd6, 0x19, 0xb7, 0xe2, 0xb9, 0x14, 0x1e, 0x58, 0x31, 0x8e, 0xea, 0x39, ++ 0x2c, 0xf4, 0x1b, 0x08 ++}; ++ ++static const unsigned char XTS_256_i[] = { ++ 0xad, 0xf8, 0xd9, 0x26, 0x27, 0x46, 0x4a, 0xd2, 0xf0, 0x42, 0x8e, 0x84, ++ 0xa9, 0xf8, 0x75, 0x64 ++}; ++ ++static const unsigned char XTS_256_pt[] = { ++ 0x2e, 0xed, 0xea, 0x52, 0xcd, 0x82, 0x15, 0xe1, 0xac, 0xc6, 0x47, 0xe8, ++ 0x10, 0xbb, 0xc3, 0x64, 0x2e, 0x87, 0x28, 0x7f, 0x8d, 0x2e, 0x57, 0xe3, ++ 0x6c, 0x0a, 0x24, 0xfb, 0xc1, 0x2a, 0x20, 0x2e ++}; ++ ++static const unsigned char XTS_256_ct[] = { ++ 0xcb, 0xaa, 0xd0, 0xe2, 0xf6, 0xce, 0xa3, 0xf5, 0x0b, 0x37, 0xf9, 0x34, ++ 0xd4, 0x6a, 0x9b, 0x13, 0x0b, 0x9d, 0x54, 0xf0, 0x7e, 0x34, 0xf3, 0x6a, ++ 0xf7, 0x93, 0xe8, 0x6f, 0x73, 0xc6, 0xd7, 0xdb ++}; ++ ++int FIPS_selftest_aes_xts() ++{ ++ int ret = 1; ++ EVP_CIPHER_CTX *ctx; ++ ++ ctx = EVP_CIPHER_CTX_new(); ++ if (ctx == NULL) ++ goto err; ++ ++ if (fips_cipher_test(ctx, EVP_aes_128_xts(), ++ XTS_128_key, XTS_128_i, XTS_128_pt, XTS_128_ct, ++ sizeof(XTS_128_pt)) <= 0) ++ ret = 0; ++ ++ if (fips_cipher_test(ctx, EVP_aes_256_xts(), ++ XTS_256_key, XTS_256_i, XTS_256_pt, XTS_256_ct, ++ sizeof(XTS_256_pt)) <= 0) ++ ret = 0; ++ ++ EVP_CIPHER_CTX_free(ctx); ++ ++ err: ++ if (ret == 0) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_XTS, FIPS_R_SELFTEST_FAILED); ++ return ret; ++} ++ ++#endif +diff -up openssl-1.1.1-pre8/crypto/fips/fips.c.fips openssl-1.1.1-pre8/crypto/fips/fips.c +--- openssl-1.1.1-pre8/crypto/fips/fips.c.fips 2018-07-25 17:26:58.406624728 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips.c 2018-07-25 17:26:58.406624728 +0200 +@@ -0,0 +1,526 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#define _GNU_SOURCE ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "fips_locl.h" ++ ++#ifdef OPENSSL_FIPS ++ ++# include ++# include "internal/thread_once.h" ++ ++# ifndef PATH_MAX ++# define PATH_MAX 1024 ++# endif ++ ++static int fips_selftest_fail = 0; ++static int fips_mode = 0; ++static int fips_started = 0; ++ ++static int fips_is_owning_thread(void); ++static int fips_set_owning_thread(void); ++static int fips_clear_owning_thread(void); ++ ++static CRYPTO_RWLOCK *fips_lock = NULL; ++static CRYPTO_RWLOCK *fips_owning_lock = NULL; ++static CRYPTO_ONCE fips_lock_init = CRYPTO_ONCE_STATIC_INIT; ++ ++DEFINE_RUN_ONCE_STATIC(do_fips_lock_init) ++{ ++ fips_lock = CRYPTO_THREAD_lock_new(); ++ fips_owning_lock = CRYPTO_THREAD_lock_new(); ++ return fips_lock != NULL && fips_owning_lock != NULL; ++} ++ ++# define fips_w_lock() CRYPTO_THREAD_write_lock(fips_lock) ++# define fips_w_unlock() CRYPTO_THREAD_unlock(fips_lock) ++# define fips_r_lock() CRYPTO_THREAD_read_lock(fips_lock) ++# define fips_r_unlock() CRYPTO_THREAD_unlock(fips_lock) ++ ++static void fips_set_mode(int onoff) ++{ ++ int owning_thread = fips_is_owning_thread(); ++ ++ if (fips_started) { ++ if (!owning_thread) ++ fips_w_lock(); ++ fips_mode = onoff; ++ if (!owning_thread) ++ fips_w_unlock(); ++ } ++} ++ ++int FIPS_module_mode(void) ++{ ++ int ret = 0; ++ int owning_thread = fips_is_owning_thread(); ++ ++ if (fips_started) { ++ if (!owning_thread) ++ fips_r_lock(); ++ ret = fips_mode; ++ if (!owning_thread) ++ fips_r_unlock(); ++ } ++ return ret; ++} ++ ++/* just a compat symbol - return NULL */ ++int FIPS_selftest_failed(void) ++{ ++ int ret = 0; ++ if (fips_started) { ++ int owning_thread = fips_is_owning_thread(); ++ ++ if (!owning_thread) ++ fips_r_lock(); ++ ret = fips_selftest_fail; ++ if (!owning_thread) ++ fips_r_unlock(); ++ } ++ return ret; ++} ++ ++/* Selftest failure fatal exit routine. This will be called ++ * during *any* cryptographic operation. It has the minimum ++ * overhead possible to avoid too big a performance hit. ++ */ ++ ++void FIPS_selftest_check(void) ++{ ++ if (fips_selftest_fail) { ++ OpenSSLDie(__FILE__, __LINE__, "FATAL FIPS SELFTEST FAILURE"); ++ } ++} ++ ++void fips_set_selftest_fail(void) ++{ ++ fips_selftest_fail = 1; ++} ++ ++/* we implement what libfipscheck does ourselves */ ++ ++static int ++get_library_path(const char *libname, const char *symbolname, char *path, ++ size_t pathlen) ++{ ++ Dl_info info; ++ void *dl, *sym; ++ int rv = -1; ++ ++ dl = dlopen(libname, RTLD_LAZY); ++ if (dl == NULL) { ++ return -1; ++ } ++ ++ sym = dlsym(dl, symbolname); ++ ++ if (sym != NULL && dladdr(sym, &info)) { ++ strncpy(path, info.dli_fname, pathlen - 1); ++ path[pathlen - 1] = '\0'; ++ rv = 0; ++ } ++ ++ dlclose(dl); ++ ++ return rv; ++} ++ ++static const char conv[] = "0123456789abcdef"; ++ ++static char *bin2hex(void *buf, size_t len) ++{ ++ char *hex, *p; ++ unsigned char *src = buf; ++ ++ hex = malloc(len * 2 + 1); ++ if (hex == NULL) ++ return NULL; ++ ++ p = hex; ++ ++ while (len > 0) { ++ unsigned c; ++ ++ c = *src; ++ src++; ++ ++ *p = conv[c >> 4]; ++ ++p; ++ *p = conv[c & 0x0f]; ++ ++p; ++ --len; ++ } ++ *p = '\0'; ++ return hex; ++} ++ ++# define HMAC_PREFIX "." ++# ifndef HMAC_SUFFIX ++# define HMAC_SUFFIX ".hmac" ++# endif ++# define READ_BUFFER_LENGTH 16384 ++ ++static char *make_hmac_path(const char *origpath) ++{ ++ char *path, *p; ++ const char *fn; ++ ++ path = ++ malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath)); ++ if (path == NULL) { ++ return NULL; ++ } ++ ++ fn = strrchr(origpath, '/'); ++ if (fn == NULL) { ++ fn = origpath; ++ } else { ++ ++fn; ++ } ++ ++ strncpy(path, origpath, fn - origpath); ++ p = path + (fn - origpath); ++ p = stpcpy(p, HMAC_PREFIX); ++ p = stpcpy(p, fn); ++ p = stpcpy(p, HMAC_SUFFIX); ++ ++ return path; ++} ++ ++static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP"; ++ ++static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen) ++{ ++ FILE *f = NULL; ++ int rv = -1; ++ unsigned char rbuf[READ_BUFFER_LENGTH]; ++ size_t len; ++ unsigned int hlen; ++ HMAC_CTX *c; ++ ++ c = HMAC_CTX_new(); ++ if (c == NULL) ++ return rv; ++ ++ f = fopen(path, "r"); ++ ++ if (f == NULL) { ++ goto end; ++ } ++ ++ if (HMAC_Init_ex(c, hmackey, sizeof(hmackey) - 1, EVP_sha256(), NULL) <= 0) { ++ goto end; ++ } ++ ++ while ((len = fread(rbuf, 1, sizeof(rbuf), f)) != 0) { ++ if (HMAC_Update(c, rbuf, len) <= 0) { ++ goto end; ++ } ++ } ++ ++ len = sizeof(rbuf); ++ /* reuse rbuf for hmac */ ++ if (HMAC_Final(c, rbuf, &hlen) <= 0) { ++ goto end; ++ } ++ ++ *buf = malloc(hlen); ++ if (*buf == NULL) { ++ goto end; ++ } ++ ++ *hmaclen = hlen; ++ ++ memcpy(*buf, rbuf, hlen); ++ ++ rv = 0; ++ end: ++ HMAC_CTX_free(c); ++ ++ if (f) ++ fclose(f); ++ ++ return rv; ++} ++ ++static int FIPSCHECK_verify(const char *path) ++{ ++ int rv = 0; ++ FILE *hf; ++ char *hmacpath, *p; ++ char *hmac = NULL; ++ size_t n; ++ ++ hmacpath = make_hmac_path(path); ++ if (hmacpath == NULL) ++ return 0; ++ ++ hf = fopen(hmacpath, "r"); ++ if (hf == NULL) { ++ free(hmacpath); ++ return 0; ++ } ++ ++ if (getline(&hmac, &n, hf) > 0) { ++ void *buf; ++ size_t hmaclen; ++ char *hex; ++ ++ if ((p = strchr(hmac, '\n')) != NULL) ++ *p = '\0'; ++ ++ if (compute_file_hmac(path, &buf, &hmaclen) < 0) { ++ rv = -4; ++ goto end; ++ } ++ ++ if ((hex = bin2hex(buf, hmaclen)) == NULL) { ++ free(buf); ++ rv = -5; ++ goto end; ++ } ++ ++ if (strcmp(hex, hmac) != 0) { ++ rv = -1; ++ } ++ free(buf); ++ free(hex); ++ } else { ++ rv = -1; ++ } ++ ++ end: ++ free(hmac); ++ free(hmacpath); ++ fclose(hf); ++ ++ if (rv < 0) ++ return 0; ++ ++ /* check successful */ ++ return 1; ++} ++ ++static int verify_checksums(void) ++{ ++ int rv; ++ char path[PATH_MAX + 1]; ++ char *p; ++ ++ /* we need to avoid dlopening libssl, assume both libcrypto and libssl ++ are in the same directory */ ++ ++ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, ++ "FIPS_mode_set", path, sizeof(path)); ++ if (rv < 0) ++ return 0; ++ ++ rv = FIPSCHECK_verify(path); ++ if (!rv) ++ return 0; ++ ++ /* replace libcrypto with libssl */ ++ while ((p = strstr(path, "libcrypto.so")) != NULL) { ++ p = stpcpy(p, "libssl"); ++ memmove(p, p + 3, strlen(p + 2)); ++ } ++ ++ rv = FIPSCHECK_verify(path); ++ if (!rv) ++ return 0; ++ return 1; ++} ++ ++# ifndef FIPS_MODULE_PATH ++# define FIPS_MODULE_PATH "/etc/system-fips" ++# endif ++ ++int FIPS_module_installed(void) ++{ ++ int rv; ++ rv = access(FIPS_MODULE_PATH, F_OK); ++ if (rv < 0 && errno != ENOENT) ++ rv = 0; ++ ++ /* Installed == true */ ++ return !rv; ++} ++ ++int FIPS_module_mode_set(int onoff) ++{ ++ int ret = 0; ++ ++ if (!RUN_ONCE(&fips_lock_init, do_fips_lock_init)) ++ return NULL; ++ ++ fips_w_lock(); ++ fips_started = 1; ++ fips_set_owning_thread(); ++ ++ if (onoff) { ++ ++ fips_selftest_fail = 0; ++ ++ /* Don't go into FIPS mode twice, just so we can do automagic ++ seeding */ ++ if (FIPS_module_mode()) { ++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, ++ FIPS_R_FIPS_MODE_ALREADY_SET); ++ fips_selftest_fail = 1; ++ ret = 0; ++ goto end; ++ } ++# ifdef OPENSSL_IA32_SSE2 ++ { ++ extern unsigned int OPENSSL_ia32cap_P[2]; ++ if ((OPENSSL_ia32cap_P[0] & (1 << 25 | 1 << 26)) != ++ (1 << 25 | 1 << 26)) { ++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, ++ FIPS_R_UNSUPPORTED_PLATFORM); ++ fips_selftest_fail = 1; ++ ret = 0; ++ goto end; ++ } ++ } ++# endif ++ ++ if (!FIPS_selftest()) { ++ fips_selftest_fail = 1; ++ ret = 0; ++ goto end; ++ } ++ ++ if (!verify_checksums()) { ++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, ++ FIPS_R_FINGERPRINT_DOES_NOT_MATCH); ++ fips_selftest_fail = 1; ++ ret = 0; ++ goto end; ++ } ++ ++ fips_set_mode(onoff); ++ ret = 1; ++ goto end; ++ } ++ fips_set_mode(0); ++ fips_selftest_fail = 0; ++ ret = 1; ++ end: ++ fips_clear_owning_thread(); ++ fips_w_unlock(); ++ return ret; ++} ++ ++static CRYPTO_THREAD_ID fips_threadid; ++static int fips_thread_set = 0; ++ ++static int fips_is_owning_thread(void) ++{ ++ int ret = 0; ++ ++ if (fips_started) { ++ CRYPTO_THREAD_read_lock(fips_owning_lock); ++ if (fips_thread_set) { ++ CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id(); ++ if (CRYPTO_THREAD_compare_id(fips_threadid, cur)) ++ ret = 1; ++ } ++ CRYPTO_THREAD_unlock(fips_owning_lock); ++ } ++ return ret; ++} ++ ++int fips_set_owning_thread(void) ++{ ++ int ret = 0; ++ ++ if (fips_started) { ++ CRYPTO_THREAD_write_lock(fips_owning_lock); ++ if (!fips_thread_set) { ++ fips_threadid = CRYPTO_THREAD_get_current_id(); ++ ret = 1; ++ fips_thread_set = 1; ++ } ++ CRYPTO_THREAD_unlock(fips_owning_lock); ++ } ++ return ret; ++} ++ ++int fips_clear_owning_thread(void) ++{ ++ int ret = 0; ++ ++ if (fips_started) { ++ CRYPTO_THREAD_write_lock(fips_owning_lock); ++ if (fips_thread_set) { ++ CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id(); ++ if (CRYPTO_THREAD_compare_id(fips_threadid, cur)) ++ fips_thread_set = 0; ++ } ++ CRYPTO_THREAD_unlock(fips_owning_lock); ++ } ++ return ret; ++} ++ ++#endif +diff -up openssl-1.1.1-pre8/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_cmac_selftest.c +--- openssl-1.1.1-pre8/crypto/fips/fips_cmac_selftest.c.fips 2018-07-25 17:26:58.406624728 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_cmac_selftest.c 2018-07-25 17:26:58.406624728 +0200 +@@ -0,0 +1,156 @@ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#include ++#include "internal/fips_int.h" ++#include ++#include "fips_locl.h" ++ ++#ifdef OPENSSL_FIPS ++typedef struct { ++ int nid; ++ const unsigned char key[EVP_MAX_KEY_LENGTH]; ++ size_t keysize; ++ const unsigned char msg[64]; ++ size_t msgsize; ++ const unsigned char mac[32]; ++ size_t macsize; ++} CMAC_KAT; ++ ++/* from http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf */ ++static const CMAC_KAT vector[] = { ++ {NID_aes_128_cbc, /* Count = 32 from CMACGenAES128.txt */ ++ {0x77, 0xa7, 0x7f, 0xaf, 0x29, 0x0c, 0x1f, 0xa3, ++ 0x0c, 0x68, 0x3d, 0xf1, 0x6b, 0xa7, 0xa7, 0x7b,}, 128, ++ {0x02, 0x06, 0x83, 0xe1, 0xf0, 0x39, 0x2f, 0x4c, ++ 0xac, 0x54, 0x31, 0x8b, 0x60, 0x29, 0x25, 0x9e, ++ 0x9c, 0x55, 0x3d, 0xbc, 0x4b, 0x6a, 0xd9, 0x98, ++ 0xe6, 0x4d, 0x58, 0xe4, 0xe7, 0xdc, 0x2e, 0x13,}, 256, ++ {0xfb, 0xfe, 0xa4, 0x1b,}, 32}, ++ {NID_aes_192_cbc, /* Count = 23 from CMACGenAES192.txt */ ++ {0x7b, 0x32, 0x39, 0x13, 0x69, 0xaa, 0x4c, 0xa9, ++ 0x75, 0x58, 0x09, 0x5b, 0xe3, 0xc3, 0xec, 0x86, ++ 0x2b, 0xd0, 0x57, 0xce, 0xf1, 0xe3, 0x2d, 0x62,}, 192, ++ {0x0}, 0, ++ {0xe4, 0xd9, 0x34, 0x0b, 0x03, 0xe6, 0x7d, 0xef, ++ 0xd4, 0x96, 0x9c, 0xc1, 0xed, 0x37, 0x35, 0xe6,}, 128, ++ }, ++ {NID_aes_256_cbc, /* Count = 33 from CMACGenAES256.txt */ ++ {0x0b, 0x12, 0x2a, 0xc8, 0xf3, 0x4e, 0xd1, 0xfe, ++ 0x08, 0x2a, 0x36, 0x25, 0xd1, 0x57, 0x56, 0x14, ++ 0x54, 0x16, 0x7a, 0xc1, 0x45, 0xa1, 0x0b, 0xbf, ++ 0x77, 0xc6, 0xa7, 0x05, 0x96, 0xd5, 0x74, 0xf1,}, 256, ++ {0x49, 0x8b, 0x53, 0xfd, 0xec, 0x87, 0xed, 0xcb, ++ 0xf0, 0x70, 0x97, 0xdc, 0xcd, 0xe9, 0x3a, 0x08, ++ 0x4b, 0xad, 0x75, 0x01, 0xa2, 0x24, 0xe3, 0x88, ++ 0xdf, 0x34, 0x9c, 0xe1, 0x89, 0x59, 0xfe, 0x84, ++ 0x85, 0xf8, 0xad, 0x15, 0x37, 0xf0, 0xd8, 0x96, ++ 0xea, 0x73, 0xbe, 0xdc, 0x72, 0x14, 0x71, 0x3f,}, 384, ++ {0xf6, 0x2c, 0x46, 0x32, 0x9b,}, 40, ++ }, ++ {NID_des_ede3_cbc, /* Count = 41 from CMACGenTDES3.req */ ++ {0x89, 0xbc, 0xd9, 0x52, 0xa8, 0xc8, 0xab, 0x37, ++ 0x1a, 0xf4, 0x8a, 0xc7, 0xd0, 0x70, 0x85, 0xd5, ++ 0xef, 0xf7, 0x02, 0xe6, 0xd6, 0x2c, 0xdc, 0x23,}, 192, ++ {0xfa, 0x62, 0x0c, 0x1b, 0xbe, 0x97, 0x31, 0x9e, ++ 0x9a, 0x0c, 0xf0, 0x49, 0x21, 0x21, 0xf7, 0xa2, ++ 0x0e, 0xb0, 0x8a, 0x6a, 0x70, 0x9d, 0xcb, 0xd0, ++ 0x0a, 0xaf, 0x38, 0xe4, 0xf9, 0x9e, 0x75, 0x4e,}, 256, ++ {0x8f, 0x49, 0xa1, 0xb7, 0xd6, 0xaa, 0x22, 0x58,}, 64, ++ }, ++}; ++ ++int FIPS_selftest_cmac() ++{ ++ size_t n, outlen; ++ unsigned char out[32]; ++ const EVP_CIPHER *cipher; ++ CMAC_CTX *ctx = CMAC_CTX_new(); ++ const CMAC_KAT *t; ++ int rv = 1; ++ ++ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) { ++ cipher = FIPS_get_cipherbynid(t->nid); ++ if (!cipher) { ++ rv = -1; ++ goto err; ++ } ++ if (!CMAC_Init(ctx, t->key, t->keysize / 8, cipher, 0)) { ++ rv = -1; ++ goto err; ++ } ++ if (!CMAC_Update(ctx, t->msg, t->msgsize / 8)) { ++ rv = -1; ++ goto err; ++ } ++ ++ if (!CMAC_Final(ctx, out, &outlen)) { ++ rv = -1; ++ goto err; ++ } ++ ++ if (outlen < t->macsize / 8 || memcmp(out, t->mac, t->macsize / 8)) { ++ rv = 0; ++ } ++ } ++ ++ err: ++ CMAC_CTX_free(ctx); ++ ++ if (rv == -1) { ++ rv = 0; ++ } ++ if (!rv) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_CMAC, FIPS_R_SELFTEST_FAILED); ++ ++ return rv; ++} ++#endif +diff -up openssl-1.1.1-pre8/crypto/fips/fips_des_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_des_selftest.c +--- openssl-1.1.1-pre8/crypto/fips/fips_des_selftest.c.fips 2018-07-25 17:26:58.406624728 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_des_selftest.c 2018-07-25 17:26:58.406624728 +0200 +@@ -0,0 +1,133 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#ifdef OPENSSL_FIPS ++# include ++# include "internal/fips_int.h" ++#endif ++#include ++ ++#ifdef OPENSSL_FIPS ++ ++static const struct { ++ const unsigned char key[16]; ++ const unsigned char plaintext[8]; ++ const unsigned char ciphertext[8]; ++} tests2[] = { ++ { ++ { ++ 0x7c, 0x4f, 0x6e, 0xf7, 0xa2, 0x04, 0x16, 0xec, ++ 0x0b, 0x6b, 0x7c, 0x9e, 0x5e, 0x19, 0xa7, 0xc4}, { ++ 0x06, 0xa7, 0xd8, 0x79, 0xaa, 0xce, 0x69, 0xef}, { ++ 0x4c, 0x11, 0x17, 0x55, 0xbf, 0xc4, 0x4e, 0xfd} ++ }, { ++ { ++ 0x5d, 0x9e, 0x01, 0xd3, 0x25, 0xc7, 0x3e, 0x34, ++ 0x01, 0x16, 0x7c, 0x85, 0x23, 0xdf, 0xe0, 0x68}, { ++ 0x9c, 0x50, 0x09, 0x0f, 0x5e, 0x7d, 0x69, 0x7e}, { ++ 0xd2, 0x0b, 0x18, 0xdf, 0xd9, 0x0d, 0x9e, 0xff},} ++}; ++ ++static const struct { ++ const unsigned char key[24]; ++ const unsigned char plaintext[8]; ++ const unsigned char ciphertext[8]; ++} tests3[] = { ++ { ++ { ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, ++ 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0}, { ++ 0x8f, 0x8f, 0xbf, 0x9b, 0x5d, 0x48, 0xb4, 0x1c}, { ++ 0x59, 0x8c, 0xe5, 0xd3, 0x6c, 0xa2, 0xea, 0x1b},}, { ++ { ++ 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, 0xFE, ++ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, ++ 0xED, 0x39, 0xD9, 0x50, 0xFA, 0x74, 0xBC, 0xC4}, { ++ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}, { ++0x11, 0x25, 0xb0, 0x35, 0xbe, 0xa0, 0x82, 0x86},},}; ++ ++int FIPS_selftest_des() ++{ ++ int n, ret = 0; ++ EVP_CIPHER_CTX *ctx; ++ ++ ctx = EVP_CIPHER_CTX_new(); ++ if (ctx == NULL) ++ goto err; ++ ++ /* Encrypt/decrypt with 2-key 3DES and compare to known answers */ ++ for (n = 0; n < 2; ++n) { ++ unsigned char plaintext[8]; ++ ++ memcpy(plaintext, tests2[n].plaintext, sizeof(plaintext)); ++ if (!fips_cipher_test(ctx, EVP_des_ede_ecb(), ++ tests2[n].key, NULL, ++ plaintext, tests2[n].ciphertext, 8)) ++ goto err; ++ } ++ ++ /* Encrypt/decrypt with 3DES and compare to known answers */ ++ for (n = 0; n < 2; ++n) { ++ if (!fips_cipher_test(ctx, EVP_des_ede3_ecb(), ++ tests3[n].key, NULL, ++ tests3[n].plaintext, tests3[n].ciphertext, 8)) ++ goto err; ++ } ++ ret = 1; ++ err: ++ EVP_CIPHER_CTX_free(ctx); ++ if (ret == 0) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_DES, FIPS_R_SELFTEST_FAILED); ++ ++ return ret; ++} ++#endif +diff -up openssl-1.1.1-pre8/crypto/fips/fips_dh_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_dh_selftest.c +--- openssl-1.1.1-pre8/crypto/fips/fips_dh_selftest.c.fips 2018-07-25 17:26:58.406624728 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_dh_selftest.c 2018-07-25 17:26:58.406624728 +0200 +@@ -0,0 +1,180 @@ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * Copyright (c) 2013 Red Hat, Inc. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "fips_locl.h" ++ ++#ifdef OPENSSL_FIPS ++ ++static const unsigned char dh_test_2048_p[] = { ++ 0xAE, 0xEC, 0xEE, 0x22, 0xFA, 0x3A, 0xA5, 0x22, 0xC0, 0xDE, 0x0F, 0x09, ++ 0x7E, 0x17, 0xC0, 0x05, 0xF9, 0xF1, 0xE7, 0xC6, 0x87, 0x14, 0x6D, 0x11, ++ 0xE7, 0xAE, 0xED, 0x2F, 0x72, 0x59, 0xC5, 0xA9, 0x9B, 0xB8, 0x02, 0xA5, ++ 0xF3, 0x69, 0x70, 0xD6, 0xDD, 0x90, 0xF9, 0x19, 0x79, 0xBE, 0x60, 0x8F, ++ 0x25, 0x92, 0x30, 0x1C, 0x51, 0x51, 0x38, 0x26, 0x82, 0x25, 0xE6, 0xFC, ++ 0xED, 0x65, 0x96, 0x8F, 0x57, 0xE5, 0x53, 0x8B, 0x38, 0x63, 0xC7, 0xCE, ++ 0xBC, 0x1B, 0x4D, 0x18, 0x2A, 0x5B, 0x04, 0x3F, 0x6A, 0x3C, 0x94, 0x39, ++ 0xAE, 0x36, 0xD6, 0x5E, 0x0F, 0xA2, 0xCC, 0xD0, 0xD4, 0xD5, 0xC6, 0x1E, ++ 0xF6, 0xA0, 0xF5, 0x89, 0x4E, 0xB4, 0x0B, 0xA4, 0xB3, 0x2B, 0x3D, 0xE2, ++ 0x4E, 0xE1, 0x49, 0x25, 0x99, 0x5F, 0x32, 0x16, 0x33, 0x32, 0x1B, 0x7A, ++ 0xA5, 0x5C, 0x6B, 0x34, 0x0D, 0x39, 0x99, 0xDC, 0xF0, 0x76, 0xE5, 0x5A, ++ 0xD4, 0x71, 0x00, 0xED, 0x5A, 0x73, 0xFB, 0xC8, 0x01, 0xAD, 0x99, 0xCF, ++ 0x99, 0x52, 0x7C, 0x9C, 0x64, 0xC6, 0x76, 0x40, 0x57, 0xAF, 0x59, 0xD7, ++ 0x38, 0x0B, 0x40, 0xDE, 0x33, 0x0D, 0xB8, 0x76, 0xEC, 0xA9, 0xD8, 0x73, ++ 0xF8, 0xEF, 0x26, 0x66, 0x06, 0x27, 0xDD, 0x7C, 0xA4, 0x10, 0x9C, 0xA6, ++ 0xAA, 0xF9, 0x53, 0x62, 0x73, 0x1D, 0xBA, 0x1C, 0xF1, 0x67, 0xF4, 0x35, ++ 0xED, 0x6F, 0x37, 0x92, 0xE8, 0x4F, 0x6C, 0xBA, 0x52, 0x6E, 0xA1, 0xED, ++ 0xDA, 0x9F, 0x85, 0x11, 0x82, 0x52, 0x62, 0x08, 0x44, 0xF1, 0x30, 0x03, ++ 0xC3, 0x38, 0x2C, 0x79, 0xBD, 0xD4, 0x43, 0x45, 0xEE, 0x8E, 0x50, 0xFC, ++ 0x29, 0x46, 0x9A, 0xFE, 0x54, 0x1A, 0x19, 0x8F, 0x4B, 0x84, 0x08, 0xDE, ++ 0x20, 0x62, 0x73, 0xCC, 0xDD, 0x7E, 0xF0, 0xEF, 0xA2, 0xFD, 0x86, 0x58, ++ 0x4B, 0xD8, 0x37, 0xEB ++}; ++ ++static const unsigned char dh_test_2048_g[] = { ++ 0x02 ++}; ++ ++static const unsigned char dh_test_2048_pub_key[] = { ++ 0xA0, 0x39, 0x11, 0x77, 0x9A, 0xC1, 0x30, 0x1F, 0xBE, 0x48, 0xA7, 0xAA, ++ 0xA0, 0x84, 0x54, 0x64, 0xAD, 0x1B, 0x70, 0xFA, 0x13, 0x55, 0x63, 0xD2, ++ 0x1F, 0x62, 0x32, 0x93, 0x8E, 0xC9, 0x3E, 0x09, 0xA7, 0x64, 0xE4, 0x12, ++ 0x6E, 0x1B, 0xF2, 0x92, 0x3B, 0xB9, 0xCB, 0x56, 0xEA, 0x07, 0x88, 0xB5, ++ 0xA6, 0xBC, 0x16, 0x1F, 0x27, 0xFE, 0xD8, 0xAA, 0x40, 0xB2, 0xB0, 0x2D, ++ 0x37, 0x76, 0xA6, 0xA4, 0x82, 0x2C, 0x0E, 0x22, 0x64, 0x9D, 0xCB, 0xD1, ++ 0x00, 0xB7, 0x89, 0x14, 0x72, 0x4E, 0xBE, 0x48, 0x41, 0xF8, 0xB2, 0x51, ++ 0x11, 0x09, 0x4B, 0x22, 0x01, 0x23, 0x39, 0x96, 0xE0, 0x15, 0xD7, 0x9F, ++ 0x60, 0xD1, 0xB7, 0xAE, 0xFE, 0x5F, 0xDB, 0xE7, 0x03, 0x17, 0x97, 0xA6, ++ 0x16, 0x74, 0xBD, 0x53, 0x81, 0x19, 0xC5, 0x47, 0x5E, 0xCE, 0x8D, 0xED, ++ 0x45, 0x5D, 0x3C, 0x00, 0xA0, 0x0A, 0x68, 0x6A, 0xE0, 0x8E, 0x06, 0x46, ++ 0x6F, 0xD7, 0xF9, 0xDF, 0x31, 0x7E, 0x77, 0x44, 0x0D, 0x98, 0xE0, 0xCA, ++ 0x98, 0x09, 0x52, 0x04, 0x90, 0xEA, 0x6D, 0xF4, 0x30, 0x69, 0x8F, 0xB1, ++ 0x9B, 0xC1, 0x43, 0xDB, 0xD5, 0x8D, 0xC8, 0x8E, 0xB6, 0x0B, 0x05, 0xBE, ++ 0x0E, 0xC5, 0x99, 0xC8, 0x6E, 0x4E, 0xF3, 0xCB, 0xC3, 0x5E, 0x9B, 0x53, ++ 0xF7, 0x06, 0x1C, 0x4F, 0xC7, 0xB8, 0x6E, 0x30, 0x18, 0xCA, 0x9B, 0xB9, ++ 0xBC, 0x5F, 0x17, 0x72, 0x29, 0x5A, 0xE5, 0xD9, 0x96, 0xB7, 0x0B, 0xF3, ++ 0x2D, 0x8C, 0xF1, 0xE1, 0x0E, 0x0D, 0x74, 0xD5, 0x9D, 0xF0, 0x06, 0xA9, ++ 0xB4, 0x95, 0x63, 0x76, 0x46, 0x55, 0x48, 0x82, 0x39, 0x90, 0xEF, 0x56, ++ 0x75, 0x34, 0xB8, 0x34, 0xC3, 0x18, 0x6E, 0x1E, 0xAD, 0xE3, 0x48, 0x7E, ++ 0x93, 0x2C, 0x23, 0xE7, 0xF8, 0x90, 0x73, 0xB1, 0x77, 0x80, 0x67, 0xA9, ++ 0x36, 0x9E, 0xDA, 0xD2 ++}; ++ ++static const unsigned char dh_test_2048_priv_key[] = { ++ 0x0C, 0x4B, 0x30, 0x89, 0xD1, 0xB8, 0x62, 0xCB, 0x3C, 0x43, 0x64, 0x91, ++ 0xF0, 0x91, 0x54, 0x70, 0xC5, 0x27, 0x96, 0xE3, 0xAC, 0xBE, 0xE8, 0x00, ++ 0xEC, 0x55, 0xF6, 0xCC ++}; ++ ++int FIPS_selftest_dh() ++{ ++ DH *dh = NULL; ++ int ret = 0; ++ void *pub_key_bin = NULL; ++ int len; ++ BIGNUM *p = NULL, *g = NULL, *priv_key = NULL, *tmp_pub_key = NULL; ++ const BIGNUM *pub_key; ++ ++ fips_load_key_component(p, dh_test_2048); ++ fips_load_key_component(g, dh_test_2048); ++ /* note that the private key is much shorter than normally used ++ * but still g ** priv_key > p ++ */ ++ fips_load_key_component(priv_key, dh_test_2048); ++ if ((tmp_pub_key = BN_new()) == NULL) ++ goto err; ++ ++ dh = DH_new(); ++ ++ if (dh == NULL) ++ goto err; ++ ++ DH_set0_pqg(dh, p, NULL, g); ++ DH_set0_key(dh, tmp_pub_key, priv_key); ++ ++ if (DH_generate_key(dh) <= 0) ++ goto err; ++ ++ DH_get0_key(dh, &pub_key, NULL); ++ ++ if (pub_key == NULL) ++ goto err; ++ ++ len = BN_num_bytes(pub_key); ++ if ((pub_key_bin = OPENSSL_malloc(len)) == NULL) ++ goto err; ++ BN_bn2bin(pub_key, pub_key_bin); ++ ++ if (len != sizeof(dh_test_2048_pub_key) || ++ memcmp(pub_key_bin, dh_test_2048_pub_key, len) != 0) ++ goto err; ++ ++ ret = 1; ++ ++ err: ++ if (dh) ++ DH_free(dh); ++ else { ++ BN_free(p); ++ BN_free(g); ++ BN_free(priv_key); ++ BN_free(tmp_pub_key); ++ } ++ ++ OPENSSL_free(pub_key_bin); ++ return ret; ++} ++#endif +diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_ctr.c.fips openssl-1.1.1-pre8/crypto/fips/fips_drbg_ctr.c +--- openssl-1.1.1-pre8/crypto/fips/fips_drbg_ctr.c.fips 2018-07-25 17:26:58.406624728 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_drbg_ctr.c 2018-07-25 17:26:58.406624728 +0200 +@@ -0,0 +1,415 @@ ++/* fips/rand/fips_drbg_ctr.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include "fips_rand_lcl.h" ++ ++static void inc_128(DRBG_CTR_CTX * cctx) ++{ ++ int i; ++ unsigned char c; ++ unsigned char *p = cctx->V + 15; ++ for (i = 0; i < 16; i++) { ++ c = *p; ++ c++; ++ *p = c; ++ if (c) ++ return; ++ p--; ++ } ++} ++ ++static void ctr_XOR(DRBG_CTR_CTX * cctx, const unsigned char *in, ++ size_t inlen) ++{ ++ size_t i, n; ++ /* Any zero padding will have no effect on the result as we ++ * are XORing. So just process however much input we have. ++ */ ++ ++ if (!in || !inlen) ++ return; ++ ++ if (inlen < cctx->keylen) ++ n = inlen; ++ else ++ n = cctx->keylen; ++ ++ for (i = 0; i < n; i++) ++ cctx->K[i] ^= in[i]; ++ if (inlen <= cctx->keylen) ++ return; ++ ++ n = inlen - cctx->keylen; ++ /* Should never happen */ ++ if (n > 16) ++ n = 16; ++ for (i = 0; i < 16; i++) ++ cctx->V[i] ^= in[i + cctx->keylen]; ++} ++ ++/* Process a complete block using BCC algorithm of SPP 800-90 10.4.3 */ ++ ++static void ctr_BCC_block(DRBG_CTR_CTX * cctx, unsigned char *out, ++ const unsigned char *in) ++{ ++ int i; ++ for (i = 0; i < 16; i++) ++ out[i] ^= in[i]; ++ AES_encrypt(out, out, &cctx->df_ks); ++#if 0 ++ fprintf(stderr, "BCC in+out\n"); ++ BIO_dump_fp(stderr, in, 16); ++ BIO_dump_fp(stderr, out, 16); ++#endif ++} ++ ++/* Handle several BCC operations for as much data as we need for K and X */ ++static void ctr_BCC_blocks(DRBG_CTR_CTX * cctx, const unsigned char *in) ++{ ++ ctr_BCC_block(cctx, cctx->KX, in); ++ ctr_BCC_block(cctx, cctx->KX + 16, in); ++ if (cctx->keylen != 16) ++ ctr_BCC_block(cctx, cctx->KX + 32, in); ++} ++ ++/* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions: ++ * see 10.4.2 stage 7. ++ */ ++static void ctr_BCC_init(DRBG_CTR_CTX * cctx) ++{ ++ memset(cctx->KX, 0, 48); ++ memset(cctx->bltmp, 0, 16); ++ ctr_BCC_block(cctx, cctx->KX, cctx->bltmp); ++ cctx->bltmp[3] = 1; ++ ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp); ++ if (cctx->keylen != 16) { ++ cctx->bltmp[3] = 2; ++ ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp); ++ } ++} ++ ++/* Process several blocks into BCC algorithm, some possibly partial */ ++static void ctr_BCC_update(DRBG_CTR_CTX * cctx, ++ const unsigned char *in, size_t inlen) ++{ ++ if (!in || !inlen) ++ return; ++ /* If we have partial block handle it first */ ++ if (cctx->bltmp_pos) { ++ size_t left = 16 - cctx->bltmp_pos; ++ /* If we now have a complete block process it */ ++ if (inlen >= left) { ++ memcpy(cctx->bltmp + cctx->bltmp_pos, in, left); ++ ctr_BCC_blocks(cctx, cctx->bltmp); ++ cctx->bltmp_pos = 0; ++ inlen -= left; ++ in += left; ++ } ++ } ++ /* Process zero or more complete blocks */ ++ while (inlen >= 16) { ++ ctr_BCC_blocks(cctx, in); ++ in += 16; ++ inlen -= 16; ++ } ++ /* Copy any remaining partial block to the temporary buffer */ ++ if (inlen > 0) { ++ memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen); ++ cctx->bltmp_pos += inlen; ++ } ++} ++ ++static void ctr_BCC_final(DRBG_CTR_CTX * cctx) ++{ ++ if (cctx->bltmp_pos) { ++ memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos); ++ ctr_BCC_blocks(cctx, cctx->bltmp); ++ } ++} ++ ++static void ctr_df(DRBG_CTR_CTX * cctx, ++ const unsigned char *in1, size_t in1len, ++ const unsigned char *in2, size_t in2len, ++ const unsigned char *in3, size_t in3len) ++{ ++ size_t inlen; ++ unsigned char *p = cctx->bltmp; ++ static unsigned char c80 = 0x80; ++ ++ ctr_BCC_init(cctx); ++ if (!in1) ++ in1len = 0; ++ if (!in2) ++ in2len = 0; ++ if (!in3) ++ in3len = 0; ++ inlen = in1len + in2len + in3len; ++ /* Initialise L||N in temporary block */ ++ *p++ = (inlen >> 24) & 0xff; ++ *p++ = (inlen >> 16) & 0xff; ++ *p++ = (inlen >> 8) & 0xff; ++ *p++ = inlen & 0xff; ++ /* NB keylen is at most 32 bytes */ ++ *p++ = 0; ++ *p++ = 0; ++ *p++ = 0; ++ *p = (unsigned char)((cctx->keylen + 16) & 0xff); ++ cctx->bltmp_pos = 8; ++ ctr_BCC_update(cctx, in1, in1len); ++ ctr_BCC_update(cctx, in2, in2len); ++ ctr_BCC_update(cctx, in3, in3len); ++ ctr_BCC_update(cctx, &c80, 1); ++ ctr_BCC_final(cctx); ++ /* Set up key K */ ++ AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks); ++ /* X follows key K */ ++ AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks); ++ AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks); ++ if (cctx->keylen != 16) ++ AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks); ++#if 0 ++ fprintf(stderr, "Output of ctr_df:\n"); ++ BIO_dump_fp(stderr, cctx->KX, cctx->keylen + 16); ++#endif ++} ++ ++/* NB the no-df Update in SP800-90 specifies a constant input length ++ * of seedlen, however other uses of this algorithm pad the input with ++ * zeroes if necessary and have up to two parameters XORed together, ++ * handle both cases in this function instead. ++ */ ++ ++static void ctr_Update(DRBG_CTX *dctx, ++ const unsigned char *in1, size_t in1len, ++ const unsigned char *in2, size_t in2len, ++ const unsigned char *nonce, size_t noncelen) ++{ ++ DRBG_CTR_CTX *cctx = &dctx->d.ctr; ++ /* ks is already setup for correct key */ ++ inc_128(cctx); ++ AES_encrypt(cctx->V, cctx->K, &cctx->ks); ++ /* If keylen longer than 128 bits need extra encrypt */ ++ if (cctx->keylen != 16) { ++ inc_128(cctx); ++ AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks); ++ } ++ inc_128(cctx); ++ AES_encrypt(cctx->V, cctx->V, &cctx->ks); ++ /* If 192 bit key part of V is on end of K */ ++ if (cctx->keylen == 24) { ++ memcpy(cctx->V + 8, cctx->V, 8); ++ memcpy(cctx->V, cctx->K + 24, 8); ++ } ++ ++ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) { ++ /* If no input reuse existing derived value */ ++ if (in1 || nonce || in2) ++ ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len); ++ /* If this a reuse input in1len != 0 */ ++ if (in1len) ++ ctr_XOR(cctx, cctx->KX, dctx->seedlen); ++ } else { ++ ctr_XOR(cctx, in1, in1len); ++ ctr_XOR(cctx, in2, in2len); ++ } ++ ++ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks); ++#if 0 ++ fprintf(stderr, "K+V after update is:\n"); ++ BIO_dump_fp(stderr, cctx->K, cctx->keylen); ++ BIO_dump_fp(stderr, cctx->V, 16); ++#endif ++} ++ ++static int drbg_ctr_instantiate(DRBG_CTX *dctx, ++ const unsigned char *ent, size_t entlen, ++ const unsigned char *nonce, size_t noncelen, ++ const unsigned char *pers, size_t perslen) ++{ ++ DRBG_CTR_CTX *cctx = &dctx->d.ctr; ++ memset(cctx->K, 0, sizeof(cctx->K)); ++ memset(cctx->V, 0, sizeof(cctx->V)); ++ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks); ++ ctr_Update(dctx, ent, entlen, pers, perslen, nonce, noncelen); ++ return 1; ++} ++ ++static int drbg_ctr_reseed(DRBG_CTX *dctx, ++ const unsigned char *ent, size_t entlen, ++ const unsigned char *adin, size_t adinlen) ++{ ++ ctr_Update(dctx, ent, entlen, adin, adinlen, NULL, 0); ++ return 1; ++} ++ ++static int drbg_ctr_generate(DRBG_CTX *dctx, ++ unsigned char *out, size_t outlen, ++ const unsigned char *adin, size_t adinlen) ++{ ++ DRBG_CTR_CTX *cctx = &dctx->d.ctr; ++ if (adin && adinlen) { ++ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0); ++ /* This means we reuse derived value */ ++ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) { ++ adin = NULL; ++ adinlen = 1; ++ } ++ } else ++ adinlen = 0; ++ ++ for (;;) { ++ inc_128(cctx); ++ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) { ++ AES_encrypt(cctx->V, dctx->lb, &cctx->ks); ++ dctx->lb_valid = 1; ++ continue; ++ } ++ if (outlen < 16) { ++ /* Use K as temp space as it will be updated */ ++ AES_encrypt(cctx->V, cctx->K, &cctx->ks); ++ if (!fips_drbg_cprng_test(dctx, cctx->K)) ++ return 0; ++ memcpy(out, cctx->K, outlen); ++ break; ++ } ++ AES_encrypt(cctx->V, out, &cctx->ks); ++ if (!fips_drbg_cprng_test(dctx, out)) ++ return 0; ++ out += 16; ++ outlen -= 16; ++ if (outlen == 0) ++ break; ++ } ++ ++ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0); ++ ++ return 1; ++ ++} ++ ++static int drbg_ctr_uninstantiate(DRBG_CTX *dctx) ++{ ++ memset(&dctx->d.ctr, 0, sizeof(DRBG_CTR_CTX)); ++ return 1; ++} ++ ++int fips_drbg_ctr_init(DRBG_CTX *dctx) ++{ ++ DRBG_CTR_CTX *cctx = &dctx->d.ctr; ++ ++ size_t keylen; ++ ++ switch (dctx->type) { ++ case NID_aes_128_ctr: ++ keylen = 16; ++ break; ++ ++ case NID_aes_192_ctr: ++ keylen = 24; ++ break; ++ ++ case NID_aes_256_ctr: ++ keylen = 32; ++ break; ++ ++ default: ++ return -2; ++ } ++ ++ dctx->instantiate = drbg_ctr_instantiate; ++ dctx->reseed = drbg_ctr_reseed; ++ dctx->generate = drbg_ctr_generate; ++ dctx->uninstantiate = drbg_ctr_uninstantiate; ++ ++ cctx->keylen = keylen; ++ dctx->strength = keylen * 8; ++ dctx->blocklength = 16; ++ dctx->seedlen = keylen + 16; ++ ++ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) { ++ /* df initialisation */ ++ static unsigned char df_key[32] = { ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, ++ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, ++ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, ++ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f ++ }; ++ /* Set key schedule for df_key */ ++ AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks); ++ ++ dctx->min_entropy = cctx->keylen; ++ dctx->max_entropy = DRBG_MAX_LENGTH; ++ dctx->min_nonce = dctx->min_entropy / 2; ++ dctx->max_nonce = DRBG_MAX_LENGTH; ++ dctx->max_pers = DRBG_MAX_LENGTH; ++ dctx->max_adin = DRBG_MAX_LENGTH; ++ } else { ++ dctx->min_entropy = dctx->seedlen; ++ dctx->max_entropy = dctx->seedlen; ++ /* Nonce not used */ ++ dctx->min_nonce = 0; ++ dctx->max_nonce = 0; ++ dctx->max_pers = dctx->seedlen; ++ dctx->max_adin = dctx->seedlen; ++ } ++ ++ dctx->max_request = 1 << 16; ++ dctx->reseed_interval = 1 << 24; ++ ++ return 1; ++} +diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.1-pre8/crypto/fips/fips_drbg_hash.c +--- openssl-1.1.1-pre8/crypto/fips/fips_drbg_hash.c.fips 2018-07-25 17:26:58.406624728 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_drbg_hash.c 2018-07-25 17:26:58.406624728 +0200 +@@ -0,0 +1,361 @@ ++/* fips/rand/fips_drbg_hash.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ */ ++ ++#define OPENSSL_FIPSAPI ++ ++#include ++#include ++#include ++#include ++#include "internal/fips_int.h" ++#include ++#include "fips_rand_lcl.h" ++ ++/* This is Hash_df from SP 800-90 10.4.1 */ ++ ++static int hash_df(DRBG_CTX *dctx, unsigned char *out, ++ const unsigned char *in1, size_t in1len, ++ const unsigned char *in2, size_t in2len, ++ const unsigned char *in3, size_t in3len, ++ const unsigned char *in4, size_t in4len) ++{ ++ EVP_MD_CTX *mctx = dctx->d.hash.mctx; ++ unsigned char *vtmp = dctx->d.hash.vtmp; ++ unsigned char tmp[6]; ++ /* Standard only ever needs seedlen bytes which is always less than ++ * maximum permitted so no need to check length. ++ */ ++ size_t outlen = dctx->seedlen; ++ tmp[0] = 1; ++ tmp[1] = ((outlen * 8) >> 24) & 0xff; ++ tmp[2] = ((outlen * 8) >> 16) & 0xff; ++ tmp[3] = ((outlen * 8) >> 8) & 0xff; ++ tmp[4] = (outlen * 8) & 0xff; ++ if (!in1) { ++ tmp[5] = (unsigned char)in1len; ++ in1 = tmp + 5; ++ in1len = 1; ++ } ++ for (;;) { ++ if (!FIPS_digestinit(mctx, dctx->d.hash.md)) ++ return 0; ++ if (!FIPS_digestupdate(mctx, tmp, 5)) ++ return 0; ++ if (in1 && !FIPS_digestupdate(mctx, in1, in1len)) ++ return 0; ++ if (in2 && !FIPS_digestupdate(mctx, in2, in2len)) ++ return 0; ++ if (in3 && !FIPS_digestupdate(mctx, in3, in3len)) ++ return 0; ++ if (in4 && !FIPS_digestupdate(mctx, in4, in4len)) ++ return 0; ++ if (outlen < dctx->blocklength) { ++ if (!FIPS_digestfinal(mctx, vtmp, NULL)) ++ return 0; ++ memcpy(out, vtmp, outlen); ++ OPENSSL_cleanse(vtmp, dctx->blocklength); ++ return 1; ++ } else if (!FIPS_digestfinal(mctx, out, NULL)) ++ return 0; ++ ++ outlen -= dctx->blocklength; ++ if (outlen == 0) ++ return 1; ++ tmp[0]++; ++ out += dctx->blocklength; ++ } ++} ++ ++/* Add an unsigned buffer to the buf value, storing the result in buf. For ++ * this algorithm the length of input never exceeds the seed length. ++ */ ++ ++static void ctx_add_buf(DRBG_CTX *dctx, unsigned char *buf, ++ unsigned char *in, size_t inlen) ++{ ++ size_t i = inlen; ++ const unsigned char *q; ++ unsigned char c, *p; ++ p = buf + dctx->seedlen; ++ q = in + inlen; ++ ++ OPENSSL_assert(i <= dctx->seedlen); ++ ++ /* Special case: zero length, just increment buffer */ ++ if (i) ++ c = 0; ++ else ++ c = 1; ++ ++ while (i) { ++ int r; ++ p--; ++ q--; ++ r = *p + *q + c; ++ /* Carry */ ++ if (r > 0xff) ++ c = 1; ++ else ++ c = 0; ++ *p = r & 0xff; ++ i--; ++ } ++ ++ i = dctx->seedlen - inlen; ++ ++ /* If not adding whole buffer handle final carries */ ++ if (c && i) { ++ do { ++ p--; ++ c = *p; ++ c++; ++ *p = c; ++ if (c) ++ return; ++ } while (i--); ++ } ++} ++ ++/* Finalise and add hash to V */ ++ ++static int ctx_add_md(DRBG_CTX *dctx) ++{ ++ if (!FIPS_digestfinal(dctx->d.hash.mctx, dctx->d.hash.vtmp, NULL)) ++ return 0; ++ ctx_add_buf(dctx, dctx->d.hash.V, dctx->d.hash.vtmp, dctx->blocklength); ++ return 1; ++} ++ ++static int hash_gen(DRBG_CTX *dctx, unsigned char *out, size_t outlen) ++{ ++ DRBG_HASH_CTX *hctx = &dctx->d.hash; ++ if (outlen == 0) ++ return 1; ++ memcpy(hctx->vtmp, hctx->V, dctx->seedlen); ++ for (;;) { ++ FIPS_digestinit(hctx->mctx, hctx->md); ++ FIPS_digestupdate(hctx->mctx, hctx->vtmp, dctx->seedlen); ++ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) { ++ FIPS_digestfinal(hctx->mctx, dctx->lb, NULL); ++ dctx->lb_valid = 1; ++ } else if (outlen < dctx->blocklength) { ++ FIPS_digestfinal(hctx->mctx, hctx->vtmp, NULL); ++ if (!fips_drbg_cprng_test(dctx, hctx->vtmp)) ++ return 0; ++ memcpy(out, hctx->vtmp, outlen); ++ return 1; ++ } else { ++ FIPS_digestfinal(hctx->mctx, out, NULL); ++ if (!fips_drbg_cprng_test(dctx, out)) ++ return 0; ++ outlen -= dctx->blocklength; ++ if (outlen == 0) ++ return 1; ++ out += dctx->blocklength; ++ } ++ ctx_add_buf(dctx, hctx->vtmp, NULL, 0); ++ } ++} ++ ++static int drbg_hash_instantiate(DRBG_CTX *dctx, ++ const unsigned char *ent, size_t ent_len, ++ const unsigned char *nonce, size_t nonce_len, ++ const unsigned char *pstr, size_t pstr_len) ++{ ++ DRBG_HASH_CTX *hctx = &dctx->d.hash; ++ if (!hash_df(dctx, hctx->V, ++ ent, ent_len, nonce, nonce_len, pstr, pstr_len, NULL, 0)) ++ return 0; ++ if (!hash_df(dctx, hctx->C, ++ NULL, 0, hctx->V, dctx->seedlen, NULL, 0, NULL, 0)) ++ return 0; ++ ++#ifdef HASH_DRBG_TRACE ++ fprintf(stderr, "V+C after instantiate:\n"); ++ hexprint(stderr, hctx->V, dctx->seedlen); ++ hexprint(stderr, hctx->C, dctx->seedlen); ++#endif ++ return 1; ++} ++ ++static int drbg_hash_reseed(DRBG_CTX *dctx, ++ const unsigned char *ent, size_t ent_len, ++ const unsigned char *adin, size_t adin_len) ++{ ++ DRBG_HASH_CTX *hctx = &dctx->d.hash; ++ /* V about to be updated so use C as output instead */ ++ if (!hash_df(dctx, hctx->C, ++ NULL, 1, hctx->V, dctx->seedlen, ++ ent, ent_len, adin, adin_len)) ++ return 0; ++ memcpy(hctx->V, hctx->C, dctx->seedlen); ++ if (!hash_df(dctx, hctx->C, NULL, 0, ++ hctx->V, dctx->seedlen, NULL, 0, NULL, 0)) ++ return 0; ++#ifdef HASH_DRBG_TRACE ++ fprintf(stderr, "V+C after reseed:\n"); ++ hexprint(stderr, hctx->V, dctx->seedlen); ++ hexprint(stderr, hctx->C, dctx->seedlen); ++#endif ++ return 1; ++} ++ ++static int drbg_hash_generate(DRBG_CTX *dctx, ++ unsigned char *out, size_t outlen, ++ const unsigned char *adin, size_t adin_len) ++{ ++ DRBG_HASH_CTX *hctx = &dctx->d.hash; ++ EVP_MD_CTX *mctx = hctx->mctx; ++ unsigned char tmp[4]; ++ if (adin && adin_len) { ++ tmp[0] = 2; ++ if (!FIPS_digestinit(mctx, hctx->md)) ++ return 0; ++ if (!EVP_DigestUpdate(mctx, tmp, 1)) ++ return 0; ++ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen)) ++ return 0; ++ if (!EVP_DigestUpdate(mctx, adin, adin_len)) ++ return 0; ++ if (!ctx_add_md(dctx)) ++ return 0; ++ } ++ if (!hash_gen(dctx, out, outlen)) ++ return 0; ++ ++ tmp[0] = 3; ++ if (!FIPS_digestinit(mctx, hctx->md)) ++ return 0; ++ if (!EVP_DigestUpdate(mctx, tmp, 1)) ++ return 0; ++ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen)) ++ return 0; ++ ++ if (!ctx_add_md(dctx)) ++ return 0; ++ ++ ctx_add_buf(dctx, hctx->V, hctx->C, dctx->seedlen); ++ ++ tmp[0] = (dctx->reseed_counter >> 24) & 0xff; ++ tmp[1] = (dctx->reseed_counter >> 16) & 0xff; ++ tmp[2] = (dctx->reseed_counter >> 8) & 0xff; ++ tmp[3] = dctx->reseed_counter & 0xff; ++ ctx_add_buf(dctx, hctx->V, tmp, 4); ++#ifdef HASH_DRBG_TRACE ++ fprintf(stderr, "V+C after generate:\n"); ++ hexprint(stderr, hctx->V, dctx->seedlen); ++ hexprint(stderr, hctx->C, dctx->seedlen); ++#endif ++ return 1; ++} ++ ++static int drbg_hash_uninstantiate(DRBG_CTX *dctx) ++{ ++ EVP_MD_CTX_free(dctx->d.hash.mctx); ++ OPENSSL_cleanse(&dctx->d.hash, sizeof(DRBG_HASH_CTX)); ++ return 1; ++} ++ ++int fips_drbg_hash_init(DRBG_CTX *dctx) ++{ ++ const EVP_MD *md; ++ DRBG_HASH_CTX *hctx = &dctx->d.hash; ++ md = FIPS_get_digestbynid(dctx->type); ++ if (!md) ++ return -2; ++ switch (dctx->type) { ++ case NID_sha1: ++ dctx->strength = 128; ++ break; ++ ++ case NID_sha224: ++ dctx->strength = 192; ++ break; ++ ++ default: ++ dctx->strength = 256; ++ break; ++ } ++ ++ dctx->instantiate = drbg_hash_instantiate; ++ dctx->reseed = drbg_hash_reseed; ++ dctx->generate = drbg_hash_generate; ++ dctx->uninstantiate = drbg_hash_uninstantiate; ++ ++ dctx->d.hash.md = md; ++ hctx->mctx = EVP_MD_CTX_new(); ++ if (hctx->mctx == NULL) ++ return -1; ++ ++ /* These are taken from SP 800-90 10.1 table 2 */ ++ ++ dctx->blocklength = EVP_MD_size(md); ++ if (dctx->blocklength > 32) ++ dctx->seedlen = 111; ++ else ++ dctx->seedlen = 55; ++ ++ dctx->min_entropy = dctx->strength / 8; ++ dctx->max_entropy = DRBG_MAX_LENGTH; ++ ++ dctx->min_nonce = dctx->min_entropy / 2; ++ dctx->max_nonce = DRBG_MAX_LENGTH; ++ ++ dctx->max_pers = DRBG_MAX_LENGTH; ++ dctx->max_adin = DRBG_MAX_LENGTH; ++ ++ dctx->max_request = 1 << 16; ++ dctx->reseed_interval = 1 << 24; ++ ++ return 1; ++} +diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_hmac.c.fips openssl-1.1.1-pre8/crypto/fips/fips_drbg_hmac.c +--- openssl-1.1.1-pre8/crypto/fips/fips_drbg_hmac.c.fips 2018-07-25 17:26:58.407624752 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_drbg_hmac.c 2018-07-25 17:26:58.407624752 +0200 +@@ -0,0 +1,272 @@ ++/* fips/rand/fips_drbg_hmac.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "fips_rand_lcl.h" ++ ++static int drbg_hmac_update(DRBG_CTX *dctx, ++ const unsigned char *in1, size_t in1len, ++ const unsigned char *in2, size_t in2len, ++ const unsigned char *in3, size_t in3len) ++{ ++ static unsigned char c0 = 0, c1 = 1; ++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac; ++ HMAC_CTX *hctx = hmac->hctx; ++ ++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) ++ return 0; ++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) ++ return 0; ++ if (!HMAC_Update(hctx, &c0, 1)) ++ return 0; ++ if (in1len && !HMAC_Update(hctx, in1, in1len)) ++ return 0; ++ if (in2len && !HMAC_Update(hctx, in2, in2len)) ++ return 0; ++ if (in3len && !HMAC_Update(hctx, in3, in3len)) ++ return 0; ++ ++ if (!HMAC_Final(hctx, hmac->K, NULL)) ++ return 0; ++ ++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) ++ return 0; ++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) ++ return 0; ++ ++ if (!HMAC_Final(hctx, hmac->V, NULL)) ++ return 0; ++ ++ if (!in1len && !in2len && !in3len) ++ return 1; ++ ++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) ++ return 0; ++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) ++ return 0; ++ if (!HMAC_Update(hctx, &c1, 1)) ++ return 0; ++ if (in1len && !HMAC_Update(hctx, in1, in1len)) ++ return 0; ++ if (in2len && !HMAC_Update(hctx, in2, in2len)) ++ return 0; ++ if (in3len && !HMAC_Update(hctx, in3, in3len)) ++ return 0; ++ ++ if (!HMAC_Final(hctx, hmac->K, NULL)) ++ return 0; ++ ++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) ++ return 0; ++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) ++ return 0; ++ ++ if (!HMAC_Final(hctx, hmac->V, NULL)) ++ return 0; ++ ++ return 1; ++ ++} ++ ++static int drbg_hmac_instantiate(DRBG_CTX *dctx, ++ const unsigned char *ent, size_t ent_len, ++ const unsigned char *nonce, size_t nonce_len, ++ const unsigned char *pstr, size_t pstr_len) ++{ ++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac; ++ memset(hmac->K, 0, dctx->blocklength); ++ memset(hmac->V, 1, dctx->blocklength); ++ if (!drbg_hmac_update(dctx, ++ ent, ent_len, nonce, nonce_len, pstr, pstr_len)) ++ return 0; ++ ++#ifdef HMAC_DRBG_TRACE ++ fprintf(stderr, "K+V after instantiate:\n"); ++ hexprint(stderr, hmac->K, hmac->blocklength); ++ hexprint(stderr, hmac->V, hmac->blocklength); ++#endif ++ return 1; ++} ++ ++static int drbg_hmac_reseed(DRBG_CTX *dctx, ++ const unsigned char *ent, size_t ent_len, ++ const unsigned char *adin, size_t adin_len) ++{ ++ if (!drbg_hmac_update(dctx, ent, ent_len, adin, adin_len, NULL, 0)) ++ return 0; ++ ++#ifdef HMAC_DRBG_TRACE ++ { ++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac; ++ fprintf(stderr, "K+V after reseed:\n"); ++ hexprint(stderr, hmac->K, hmac->blocklength); ++ hexprint(stderr, hmac->V, hmac->blocklength); ++ } ++#endif ++ return 1; ++} ++ ++static int drbg_hmac_generate(DRBG_CTX *dctx, ++ unsigned char *out, size_t outlen, ++ const unsigned char *adin, size_t adin_len) ++{ ++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac; ++ HMAC_CTX *hctx = hmac->hctx; ++ const unsigned char *Vtmp = hmac->V; ++ if (adin_len && !drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0)) ++ return 0; ++ for (;;) { ++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) ++ return 0; ++ if (!HMAC_Update(hctx, Vtmp, dctx->blocklength)) ++ return 0; ++ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) { ++ if (!HMAC_Final(hctx, dctx->lb, NULL)) ++ return 0; ++ dctx->lb_valid = 1; ++ Vtmp = dctx->lb; ++ continue; ++ } else if (outlen > dctx->blocklength) { ++ if (!HMAC_Final(hctx, out, NULL)) ++ return 0; ++ if (!fips_drbg_cprng_test(dctx, out)) ++ return 0; ++ Vtmp = out; ++ } else { ++ if (!HMAC_Final(hctx, hmac->V, NULL)) ++ return 0; ++ if (!fips_drbg_cprng_test(dctx, hmac->V)) ++ return 0; ++ memcpy(out, hmac->V, outlen); ++ break; ++ } ++ out += dctx->blocklength; ++ outlen -= dctx->blocklength; ++ } ++ if (!drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0)) ++ return 0; ++ ++ return 1; ++} ++ ++static int drbg_hmac_uninstantiate(DRBG_CTX *dctx) ++{ ++ HMAC_CTX_free(dctx->d.hmac.hctx); ++ OPENSSL_cleanse(&dctx->d.hmac, sizeof(DRBG_HMAC_CTX)); ++ return 1; ++} ++ ++int fips_drbg_hmac_init(DRBG_CTX *dctx) ++{ ++ const EVP_MD *md = NULL; ++ DRBG_HMAC_CTX *hctx = &dctx->d.hmac; ++ dctx->strength = 256; ++ switch (dctx->type) { ++ case NID_hmacWithSHA1: ++ md = EVP_sha1(); ++ dctx->strength = 128; ++ break; ++ ++ case NID_hmacWithSHA224: ++ md = EVP_sha224(); ++ dctx->strength = 192; ++ break; ++ ++ case NID_hmacWithSHA256: ++ md = EVP_sha256(); ++ break; ++ ++ case NID_hmacWithSHA384: ++ md = EVP_sha384(); ++ break; ++ ++ case NID_hmacWithSHA512: ++ md = EVP_sha512(); ++ break; ++ ++ default: ++ dctx->strength = 0; ++ return -2; ++ } ++ dctx->instantiate = drbg_hmac_instantiate; ++ dctx->reseed = drbg_hmac_reseed; ++ dctx->generate = drbg_hmac_generate; ++ dctx->uninstantiate = drbg_hmac_uninstantiate; ++ hctx->hctx = HMAC_CTX_new(); ++ if (hctx->hctx == NULL) ++ return -1; ++ hctx->md = md; ++ dctx->blocklength = M_EVP_MD_size(md); ++ dctx->seedlen = M_EVP_MD_size(md); ++ ++ dctx->min_entropy = dctx->strength / 8; ++ dctx->max_entropy = DRBG_MAX_LENGTH; ++ ++ dctx->min_nonce = dctx->min_entropy / 2; ++ dctx->max_nonce = DRBG_MAX_LENGTH; ++ ++ dctx->max_pers = DRBG_MAX_LENGTH; ++ dctx->max_adin = DRBG_MAX_LENGTH; ++ ++ dctx->max_request = 1 << 16; ++ dctx->reseed_interval = 1 << 24; ++ ++ return 1; ++} +diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.1-pre8/crypto/fips/fips_drbg_lib.c +--- openssl-1.1.1-pre8/crypto/fips/fips_drbg_lib.c.fips 2018-07-25 17:26:58.407624752 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_drbg_lib.c 2018-07-25 17:26:58.407624752 +0200 +@@ -0,0 +1,555 @@ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ */ ++ ++#include ++#include ++#include ++#include ++#include "internal/fips_int.h" ++#include ++#include "fips_locl.h" ++#include "fips_rand_lcl.h" ++ ++/* Support framework for SP800-90 DRBGs */ ++ ++int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags) ++{ ++ int rv; ++ memset(dctx, 0, sizeof(DRBG_CTX)); ++ dctx->status = DRBG_STATUS_UNINITIALISED; ++ dctx->xflags = flags; ++ dctx->type = type; ++ ++ dctx->iflags = 0; ++ dctx->entropy_blocklen = 0; ++ dctx->health_check_cnt = 0; ++ dctx->health_check_interval = DRBG_HEALTH_INTERVAL; ++ ++ rv = fips_drbg_hash_init(dctx); ++ ++ if (rv == -2) ++ rv = fips_drbg_ctr_init(dctx); ++ if (rv == -2) ++ rv = fips_drbg_hmac_init(dctx); ++ ++ if (rv <= 0) { ++ if (rv == -2) ++ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE); ++ else ++ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG); ++ } ++ ++ /* If not in test mode run selftests on DRBG of the same type */ ++ ++ if (!(dctx->xflags & DRBG_FLAG_TEST)) { ++ if (!FIPS_drbg_health_check(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE); ++ return 0; ++ } ++ } ++ ++ return rv; ++} ++ ++DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags) ++{ ++ DRBG_CTX *dctx; ++ dctx = OPENSSL_malloc(sizeof(DRBG_CTX)); ++ if (!dctx) { ++ FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE); ++ return NULL; ++ } ++ ++ if (type == 0) { ++ memset(dctx, 0, sizeof(DRBG_CTX)); ++ dctx->type = 0; ++ dctx->status = DRBG_STATUS_UNINITIALISED; ++ return dctx; ++ } ++ ++ if (FIPS_drbg_init(dctx, type, flags) <= 0) { ++ OPENSSL_free(dctx); ++ return NULL; ++ } ++ ++ return dctx; ++} ++ ++void FIPS_drbg_free(DRBG_CTX *dctx) ++{ ++ if (dctx->uninstantiate) ++ dctx->uninstantiate(dctx); ++ /* Don't free up default DRBG */ ++ if (dctx == FIPS_get_default_drbg()) { ++ memset(dctx, 0, sizeof(DRBG_CTX)); ++ dctx->type = 0; ++ dctx->status = DRBG_STATUS_UNINITIALISED; ++ } else { ++ OPENSSL_cleanse(&dctx->d, sizeof(dctx->d)); ++ OPENSSL_free(dctx); ++ } ++} ++ ++static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len) ++{ ++ unsigned char *tout, *p; ++ size_t bl = dctx->entropy_blocklen, rv; ++ if (!dctx->get_entropy) ++ return 0; ++ if (dctx->xflags & DRBG_FLAG_TEST || !bl) ++ return dctx->get_entropy(dctx, pout, entropy, min_len, max_len); ++ rv = dctx->get_entropy(dctx, &tout, entropy + bl, ++ min_len + bl, max_len + bl); ++ if (tout == NULL) ++ return 0; ++ *pout = tout + bl; ++ if (rv < (min_len + bl) || (rv % bl)) ++ return 0; ++ /* Compare consecutive blocks for continuous PRNG test */ ++ for (p = tout; p < tout + rv - bl; p += bl) { ++ if (!memcmp(p, p + bl, bl)) { ++ FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK); ++ return 0; ++ } ++ } ++ rv -= bl; ++ if (rv > max_len) ++ return max_len; ++ return rv; ++} ++ ++static void fips_cleanup_entropy(DRBG_CTX *dctx, ++ unsigned char *out, size_t olen) ++{ ++ size_t bl; ++ if (dctx->xflags & DRBG_FLAG_TEST) ++ bl = 0; ++ else ++ bl = dctx->entropy_blocklen; ++ /* Call cleanup with original arguments */ ++ dctx->cleanup_entropy(dctx, out - bl, olen + bl); ++} ++ ++int FIPS_drbg_instantiate(DRBG_CTX *dctx, ++ const unsigned char *pers, size_t perslen) ++{ ++ size_t entlen = 0, noncelen = 0; ++ unsigned char *nonce = NULL, *entropy = NULL; ++ ++#if 0 ++ /* Put here so error script picks them up */ ++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, ++ FIPS_R_PERSONALISATION_STRING_TOO_LONG); ++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE); ++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED); ++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY); ++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE); ++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR); ++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED); ++#endif ++ ++ int r = 0; ++ ++ if (perslen > dctx->max_pers) { ++ r = FIPS_R_PERSONALISATION_STRING_TOO_LONG; ++ goto end; ++ } ++ ++ if (!dctx->instantiate) { ++ r = FIPS_R_DRBG_NOT_INITIALISED; ++ goto end; ++ } ++ ++ if (dctx->status != DRBG_STATUS_UNINITIALISED) { ++ if (dctx->status == DRBG_STATUS_ERROR) ++ r = FIPS_R_IN_ERROR_STATE; ++ else ++ r = FIPS_R_ALREADY_INSTANTIATED; ++ goto end; ++ } ++ ++ dctx->status = DRBG_STATUS_ERROR; ++ ++ entlen = fips_get_entropy(dctx, &entropy, dctx->strength, ++ dctx->min_entropy, dctx->max_entropy); ++ ++ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) { ++ r = FIPS_R_ERROR_RETRIEVING_ENTROPY; ++ goto end; ++ } ++ ++ if (dctx->max_nonce > 0 && dctx->get_nonce) { ++ noncelen = dctx->get_nonce(dctx, &nonce, ++ dctx->strength / 2, ++ dctx->min_nonce, dctx->max_nonce); ++ ++ if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) { ++ r = FIPS_R_ERROR_RETRIEVING_NONCE; ++ goto end; ++ } ++ ++ } ++ ++ if (!dctx->instantiate(dctx, ++ entropy, entlen, nonce, noncelen, pers, perslen)) { ++ r = FIPS_R_ERROR_INSTANTIATING_DRBG; ++ goto end; ++ } ++ ++ dctx->status = DRBG_STATUS_READY; ++ if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) ++ dctx->reseed_counter = 1; ++ ++ end: ++ ++ if (entropy && dctx->cleanup_entropy) ++ fips_cleanup_entropy(dctx, entropy, entlen); ++ ++ if (nonce && dctx->cleanup_nonce) ++ dctx->cleanup_nonce(dctx, nonce, noncelen); ++ ++ if (dctx->status == DRBG_STATUS_READY) ++ return 1; ++ ++ if (r && !(dctx->iflags & DRBG_FLAG_NOERR)) ++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r); ++ ++ return 0; ++ ++} ++ ++static int drbg_reseed(DRBG_CTX *dctx, ++ const unsigned char *adin, size_t adinlen, int hcheck) ++{ ++ unsigned char *entropy = NULL; ++ size_t entlen = 0; ++ int r = 0; ++ ++#if 0 ++ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED); ++ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG); ++#endif ++ if (dctx->status != DRBG_STATUS_READY ++ && dctx->status != DRBG_STATUS_RESEED) { ++ if (dctx->status == DRBG_STATUS_ERROR) ++ r = FIPS_R_IN_ERROR_STATE; ++ else if (dctx->status == DRBG_STATUS_UNINITIALISED) ++ r = FIPS_R_NOT_INSTANTIATED; ++ goto end; ++ } ++ ++ if (!adin) ++ adinlen = 0; ++ else if (adinlen > dctx->max_adin) { ++ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG; ++ goto end; ++ } ++ ++ dctx->status = DRBG_STATUS_ERROR; ++ /* Peform health check on all reseed operations if not a prediction ++ * resistance request and not in test mode. ++ */ ++ if (hcheck && !(dctx->xflags & DRBG_FLAG_TEST)) { ++ if (!FIPS_drbg_health_check(dctx)) { ++ r = FIPS_R_SELFTEST_FAILURE; ++ goto end; ++ } ++ } ++ ++ entlen = fips_get_entropy(dctx, &entropy, dctx->strength, ++ dctx->min_entropy, dctx->max_entropy); ++ ++ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) { ++ r = FIPS_R_ERROR_RETRIEVING_ENTROPY; ++ goto end; ++ } ++ ++ if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen)) ++ goto end; ++ ++ dctx->status = DRBG_STATUS_READY; ++ if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) ++ dctx->reseed_counter = 1; ++ end: ++ ++ if (entropy && dctx->cleanup_entropy) ++ fips_cleanup_entropy(dctx, entropy, entlen); ++ ++ if (dctx->status == DRBG_STATUS_READY) ++ return 1; ++ ++ if (r && !(dctx->iflags & DRBG_FLAG_NOERR)) ++ FIPSerr(FIPS_F_DRBG_RESEED, r); ++ ++ return 0; ++} ++ ++int FIPS_drbg_reseed(DRBG_CTX *dctx, ++ const unsigned char *adin, size_t adinlen) ++{ ++ return drbg_reseed(dctx, adin, adinlen, 1); ++} ++ ++static int fips_drbg_check(DRBG_CTX *dctx) ++{ ++ if (dctx->xflags & DRBG_FLAG_TEST) ++ return 1; ++ dctx->health_check_cnt++; ++ if (dctx->health_check_cnt >= dctx->health_check_interval) { ++ if (!FIPS_drbg_health_check(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE); ++ return 0; ++ } ++ } ++ return 1; ++} ++ ++int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen, ++ int prediction_resistance, ++ const unsigned char *adin, size_t adinlen) ++{ ++ int r = 0; ++ ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } ++ ++ if (!fips_drbg_check(dctx)) ++ return 0; ++ ++ if (dctx->status != DRBG_STATUS_READY ++ && dctx->status != DRBG_STATUS_RESEED) { ++ if (dctx->status == DRBG_STATUS_ERROR) ++ r = FIPS_R_IN_ERROR_STATE; ++ else if (dctx->status == DRBG_STATUS_UNINITIALISED) ++ r = FIPS_R_NOT_INSTANTIATED; ++ goto end; ++ } ++ ++ if (outlen > dctx->max_request) { ++ r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG; ++ return 0; ++ } ++ ++ if (adinlen > dctx->max_adin) { ++ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG; ++ goto end; ++ } ++ ++ if (dctx->iflags & DRBG_CUSTOM_RESEED) ++ dctx->generate(dctx, NULL, outlen, NULL, 0); ++ else if (dctx->reseed_counter >= dctx->reseed_interval) ++ dctx->status = DRBG_STATUS_RESEED; ++ ++ if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) { ++ /* If prediction resistance request don't do health check */ ++ int hcheck = prediction_resistance ? 0 : 1; ++ ++ if (!drbg_reseed(dctx, adin, adinlen, hcheck)) { ++ r = FIPS_R_RESEED_ERROR; ++ goto end; ++ } ++ adin = NULL; ++ adinlen = 0; ++ } ++ ++ if (!dctx->generate(dctx, out, outlen, adin, adinlen)) { ++ r = FIPS_R_GENERATE_ERROR; ++ dctx->status = DRBG_STATUS_ERROR; ++ goto end; ++ } ++ if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) { ++ if (dctx->reseed_counter >= dctx->reseed_interval) ++ dctx->status = DRBG_STATUS_RESEED; ++ else ++ dctx->reseed_counter++; ++ } ++ ++ end: ++ if (r) { ++ if (!(dctx->iflags & DRBG_FLAG_NOERR)) ++ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r); ++ return 0; ++ } ++ ++ return 1; ++} ++ ++int FIPS_drbg_uninstantiate(DRBG_CTX *dctx) ++{ ++ int rv; ++ if (!dctx->uninstantiate) ++ rv = 1; ++ else ++ rv = dctx->uninstantiate(dctx); ++ /* Although we'd like to cleanse here we can't because we have to ++ * test the uninstantiate really zeroes the data. ++ */ ++ memset(&dctx->d, 0, sizeof(dctx->d)); ++ dctx->status = DRBG_STATUS_UNINITIALISED; ++ /* If method has problems uninstantiating, return error */ ++ return rv; ++} ++ ++int FIPS_drbg_set_callbacks(DRBG_CTX *dctx, ++ size_t (*get_entropy) (DRBG_CTX *ctx, ++ unsigned char **pout, ++ int entropy, ++ size_t min_len, ++ size_t max_len), ++ void (*cleanup_entropy) (DRBG_CTX *ctx, ++ unsigned char *out, ++ size_t olen), ++ size_t entropy_blocklen, ++ size_t (*get_nonce) (DRBG_CTX *ctx, ++ unsigned char **pout, ++ int entropy, size_t min_len, ++ size_t max_len), ++ void (*cleanup_nonce) (DRBG_CTX *ctx, ++ unsigned char *out, ++ size_t olen)) ++{ ++ if (dctx->status != DRBG_STATUS_UNINITIALISED) ++ return 0; ++ dctx->entropy_blocklen = entropy_blocklen; ++ dctx->get_entropy = get_entropy; ++ dctx->cleanup_entropy = cleanup_entropy; ++ dctx->get_nonce = get_nonce; ++ dctx->cleanup_nonce = cleanup_nonce; ++ return 1; ++} ++ ++int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx, ++ size_t (*get_adin) (DRBG_CTX *ctx, ++ unsigned char **pout), ++ void (*cleanup_adin) (DRBG_CTX *ctx, ++ unsigned char *out, ++ size_t olen), ++ int (*rand_seed_cb) (DRBG_CTX *ctx, ++ const void *buf, ++ int num), ++ int (*rand_add_cb) (DRBG_CTX *ctx, ++ const void *buf, int num, ++ double entropy)) ++{ ++ if (dctx->status != DRBG_STATUS_UNINITIALISED) ++ return 0; ++ dctx->get_adin = get_adin; ++ dctx->cleanup_adin = cleanup_adin; ++ dctx->rand_seed_cb = rand_seed_cb; ++ dctx->rand_add_cb = rand_add_cb; ++ return 1; ++} ++ ++void *FIPS_drbg_get_app_data(DRBG_CTX *dctx) ++{ ++ return dctx->app_data; ++} ++ ++void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data) ++{ ++ dctx->app_data = app_data; ++} ++ ++size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx) ++{ ++ return dctx->blocklength; ++} ++ ++int FIPS_drbg_get_strength(DRBG_CTX *dctx) ++{ ++ return dctx->strength; ++} ++ ++void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval) ++{ ++ dctx->health_check_interval = interval; ++} ++ ++void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval) ++{ ++ dctx->reseed_interval = interval; ++} ++ ++static int drbg_stick = 0; ++ ++void FIPS_drbg_stick(int onoff) ++{ ++ drbg_stick = onoff; ++} ++ ++/* Continuous DRBG utility function */ ++int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out) ++{ ++ /* No CPRNG in test mode */ ++ if (dctx->xflags & DRBG_FLAG_TEST) ++ return 1; ++ /* Check block is valid: should never happen */ ++ if (dctx->lb_valid == 0) { ++ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_INTERNAL_ERROR); ++ fips_set_selftest_fail(); ++ return 0; ++ } ++ if (drbg_stick) ++ memcpy(dctx->lb, out, dctx->blocklength); ++ /* Check against last block: fail if match */ ++ if (!memcmp(dctx->lb, out, dctx->blocklength)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_DRBG_STUCK); ++ fips_set_selftest_fail(); ++ return 0; ++ } ++ /* Save last block for next comparison */ ++ memcpy(dctx->lb, out, dctx->blocklength); ++ return 1; ++} +diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1-pre8/crypto/fips/fips_drbg_rand.c +--- openssl-1.1.1-pre8/crypto/fips/fips_drbg_rand.c.fips 2018-07-25 17:26:58.407624752 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_drbg_rand.c 2018-07-25 17:26:58.407624752 +0200 +@@ -0,0 +1,183 @@ ++/* fips/rand/fips_drbg_rand.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ */ ++ ++#include ++#include ++#include "internal/thread_once.h" ++#include ++#include ++#include ++#include ++#include "fips_rand_lcl.h" ++ ++/* Mapping of SP800-90 DRBGs to OpenSSL RAND_METHOD */ ++ ++/* Since we only have one global PRNG used at any time in OpenSSL use a global ++ * variable to store context. ++ */ ++ ++static DRBG_CTX ossl_dctx; ++ ++static CRYPTO_RWLOCK *fips_rand_lock = NULL; ++static CRYPTO_ONCE fips_rand_lock_init = CRYPTO_ONCE_STATIC_INIT; ++ ++DEFINE_RUN_ONCE_STATIC(do_fips_rand_lock_init) ++{ ++ fips_rand_lock = CRYPTO_THREAD_lock_new(); ++ return fips_rand_lock != NULL; ++} ++ ++DRBG_CTX *FIPS_get_default_drbg(void) ++{ ++ if (!RUN_ONCE(&fips_rand_lock_init, do_fips_rand_lock_init)) ++ return NULL; ++ return &ossl_dctx; ++} ++ ++static int fips_drbg_bytes(unsigned char *out, int count) ++{ ++ DRBG_CTX *dctx = &ossl_dctx; ++ int rv = 0; ++ unsigned char *adin = NULL; ++ size_t adinlen = 0; ++ CRYPTO_THREAD_write_lock(fips_rand_lock); ++ do { ++ size_t rcnt; ++ if (count > (int)dctx->max_request) ++ rcnt = dctx->max_request; ++ else ++ rcnt = count; ++ if (dctx->get_adin) { ++ adinlen = dctx->get_adin(dctx, &adin); ++ if (adinlen && !adin) { ++ FIPSerr(FIPS_F_FIPS_DRBG_BYTES, ++ FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT); ++ goto err; ++ } ++ } ++ rv = FIPS_drbg_generate(dctx, out, rcnt, 0, adin, adinlen); ++ if (adin) { ++ if (dctx->cleanup_adin) ++ dctx->cleanup_adin(dctx, adin, adinlen); ++ adin = NULL; ++ } ++ if (!rv) ++ goto err; ++ out += rcnt; ++ count -= rcnt; ++ } ++ while (count); ++ rv = 1; ++ err: ++ CRYPTO_THREAD_unlock(fips_rand_lock); ++ return rv; ++} ++ ++static int fips_drbg_pseudo(unsigned char *out, int count) ++{ ++ if (fips_drbg_bytes(out, count) <= 0) ++ return -1; ++ return 1; ++} ++ ++static int fips_drbg_status(void) ++{ ++ DRBG_CTX *dctx = &ossl_dctx; ++ int rv; ++ CRYPTO_THREAD_read_lock(fips_rand_lock); ++ rv = dctx->status == DRBG_STATUS_READY ? 1 : 0; ++ CRYPTO_THREAD_unlock(fips_rand_lock); ++ return rv; ++} ++ ++static void fips_drbg_cleanup(void) ++{ ++ DRBG_CTX *dctx = &ossl_dctx; ++ CRYPTO_THREAD_write_lock(fips_rand_lock); ++ FIPS_drbg_uninstantiate(dctx); ++ CRYPTO_THREAD_unlock(fips_rand_lock); ++} ++ ++static int fips_drbg_seed(const void *seed, int seedlen) ++{ ++ DRBG_CTX *dctx = &ossl_dctx; ++ CRYPTO_THREAD_write_lock(fips_rand_lock); ++ if (dctx->rand_seed_cb) ++ return dctx->rand_seed_cb(dctx, seed, seedlen); ++ CRYPTO_THREAD_unlock(fips_rand_lock); ++ return 1; ++} ++ ++static int fips_drbg_add(const void *seed, int seedlen, double add_entropy) ++{ ++ DRBG_CTX *dctx = &ossl_dctx; ++ CRYPTO_THREAD_write_lock(fips_rand_lock); ++ if (dctx->rand_add_cb) ++ return dctx->rand_add_cb(dctx, seed, seedlen, add_entropy); ++ CRYPTO_THREAD_unlock(fips_rand_lock); ++ return 1; ++} ++ ++static const RAND_METHOD rand_drbg_meth = { ++ fips_drbg_seed, ++ fips_drbg_bytes, ++ fips_drbg_cleanup, ++ fips_drbg_add, ++ fips_drbg_pseudo, ++ fips_drbg_status ++}; ++ ++const RAND_METHOD *FIPS_drbg_method(void) ++{ ++ return &rand_drbg_meth; ++} +diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.c +--- openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.c.fips 2018-07-25 17:26:58.407624752 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.c 2018-07-25 17:26:58.407624752 +0200 +@@ -0,0 +1,828 @@ ++/* fips/rand/fips_drbg_selftest.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include "fips_rand_lcl.h" ++#include "fips_locl.h" ++ ++#include "fips_drbg_selftest.h" ++ ++typedef struct { ++ int post; ++ int nid; ++ unsigned int flags; ++ ++ /* KAT data for no PR */ ++ const unsigned char *ent; ++ size_t entlen; ++ const unsigned char *nonce; ++ size_t noncelen; ++ const unsigned char *pers; ++ size_t perslen; ++ const unsigned char *adin; ++ size_t adinlen; ++ const unsigned char *entreseed; ++ size_t entreseedlen; ++ const unsigned char *adinreseed; ++ size_t adinreseedlen; ++ const unsigned char *adin2; ++ size_t adin2len; ++ const unsigned char *kat; ++ size_t katlen; ++ const unsigned char *kat2; ++ size_t kat2len; ++ ++ /* KAT data for PR */ ++ const unsigned char *ent_pr; ++ size_t entlen_pr; ++ const unsigned char *nonce_pr; ++ size_t noncelen_pr; ++ const unsigned char *pers_pr; ++ size_t perslen_pr; ++ const unsigned char *adin_pr; ++ size_t adinlen_pr; ++ const unsigned char *entpr_pr; ++ size_t entprlen_pr; ++ const unsigned char *ading_pr; ++ size_t adinglen_pr; ++ const unsigned char *entg_pr; ++ size_t entglen_pr; ++ const unsigned char *kat_pr; ++ size_t katlen_pr; ++ const unsigned char *kat2_pr; ++ size_t kat2len_pr; ++ ++} DRBG_SELFTEST_DATA; ++ ++#define make_drbg_test_data(nid, flag, pr, p) {p, nid, flag | DRBG_FLAG_TEST, \ ++ pr##_entropyinput, sizeof(pr##_entropyinput), \ ++ pr##_nonce, sizeof(pr##_nonce), \ ++ pr##_personalizationstring, sizeof(pr##_personalizationstring), \ ++ pr##_additionalinput, sizeof(pr##_additionalinput), \ ++ pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \ ++ pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \ ++ pr##_additionalinput2, sizeof(pr##_additionalinput2), \ ++ pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \ ++ pr##_returnedbits, sizeof(pr##_returnedbits), \ ++ pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \ ++ pr##_pr_nonce, sizeof(pr##_pr_nonce), \ ++ pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \ ++ pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \ ++ pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \ ++ pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \ ++ pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \ ++ pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \ ++ pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits), \ ++ } ++ ++#define make_drbg_test_data_df(nid, pr, p) \ ++ make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr, p) ++ ++#define make_drbg_test_data_ec(curve, md, pr, p) \ ++ make_drbg_test_data((curve << 16) | md , 0, pr, p) ++ ++static DRBG_SELFTEST_DATA drbg_test[] = { ++ make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0), ++ make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0), ++ make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1), ++ make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df, 0), ++ make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df, 0), ++ make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df, 1), ++ make_drbg_test_data(NID_sha1, 0, sha1, 0), ++ make_drbg_test_data(NID_sha224, 0, sha224, 0), ++ make_drbg_test_data(NID_sha256, 0, sha256, 1), ++ make_drbg_test_data(NID_sha384, 0, sha384, 0), ++ make_drbg_test_data(NID_sha512, 0, sha512, 0), ++ make_drbg_test_data(NID_hmacWithSHA1, 0, hmac_sha1, 0), ++ make_drbg_test_data(NID_hmacWithSHA224, 0, hmac_sha224, 0), ++ make_drbg_test_data(NID_hmacWithSHA256, 0, hmac_sha256, 1), ++ make_drbg_test_data(NID_hmacWithSHA384, 0, hmac_sha384, 0), ++ make_drbg_test_data(NID_hmacWithSHA512, 0, hmac_sha512, 0), ++ {0, 0, 0} ++}; ++ ++typedef struct { ++ const unsigned char *ent; ++ size_t entlen; ++ int entcnt; ++ const unsigned char *nonce; ++ size_t noncelen; ++ int noncecnt; ++} TEST_ENT; ++ ++static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len) ++{ ++ TEST_ENT *t = FIPS_drbg_get_app_data(dctx); ++ *pout = (unsigned char *)t->ent; ++ t->entcnt++; ++ return t->entlen; ++} ++ ++static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len) ++{ ++ TEST_ENT *t = FIPS_drbg_get_app_data(dctx); ++ *pout = (unsigned char *)t->nonce; ++ t->noncecnt++; ++ return t->noncelen; ++} ++ ++static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, ++ int quick) ++{ ++ TEST_ENT t; ++ int rv = 0; ++ size_t adinlen; ++ unsigned char randout[1024]; ++ ++ /* Initial test without PR */ ++ ++ /* Instantiate DRBG with test entropy, nonce and personalisation ++ * string. ++ */ ++ ++ if (!FIPS_drbg_init(dctx, td->nid, td->flags)) ++ return 0; ++ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0)) ++ return 0; ++ ++ FIPS_drbg_set_app_data(dctx, &t); ++ ++ t.ent = td->ent; ++ t.entlen = td->entlen; ++ t.nonce = td->nonce; ++ t.noncelen = td->noncelen; ++ t.entcnt = 0; ++ t.noncecnt = 0; ++ ++ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen)) ++ goto err; ++ ++ /* Note for CTR without DF some additional input values ++ * ignore bytes after the keylength: so reduce adinlen ++ * to half to ensure invalid data is fed in. ++ */ ++ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags)) ++ adinlen = td->adinlen / 2; ++ else ++ adinlen = td->adinlen; ++ ++ /* Generate with no PR and verify output matches expected data */ ++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, td->adin, adinlen)) ++ goto err; ++ ++ if (memcmp(randout, td->kat, td->katlen)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST1_FAILURE); ++ goto err2; ++ } ++ /* If abbreviated POST end of test */ ++ if (quick) { ++ rv = 1; ++ goto err; ++ } ++ /* Reseed DRBG with test entropy and additional input */ ++ t.ent = td->entreseed; ++ t.entlen = td->entreseedlen; ++ ++ if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen)) ++ goto err; ++ ++ /* Generate with no PR and verify output matches expected data */ ++ if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0, ++ td->adin2, td->adin2len)) ++ goto err; ++ ++ if (memcmp(randout, td->kat2, td->kat2len)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST2_FAILURE); ++ goto err2; ++ } ++ ++ FIPS_drbg_uninstantiate(dctx); ++ ++ /* Now test with PR */ ++ ++ /* Instantiate DRBG with test entropy, nonce and personalisation ++ * string. ++ */ ++ if (!FIPS_drbg_init(dctx, td->nid, td->flags)) ++ return 0; ++ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0)) ++ return 0; ++ ++ FIPS_drbg_set_app_data(dctx, &t); ++ ++ t.ent = td->ent_pr; ++ t.entlen = td->entlen_pr; ++ t.nonce = td->nonce_pr; ++ t.noncelen = td->noncelen_pr; ++ t.entcnt = 0; ++ t.noncecnt = 0; ++ ++ if (!FIPS_drbg_instantiate(dctx, td->pers_pr, td->perslen_pr)) ++ goto err; ++ ++ /* Now generate with PR: we need to supply entropy as this will ++ * perform a reseed operation. Check output matches expected value. ++ */ ++ ++ t.ent = td->entpr_pr; ++ t.entlen = td->entprlen_pr; ++ ++ /* Note for CTR without DF some additional input values ++ * ignore bytes after the keylength: so reduce adinlen ++ * to half to ensure invalid data is fed in. ++ */ ++ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags)) ++ adinlen = td->adinlen_pr / 2; ++ else ++ adinlen = td->adinlen_pr; ++ if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 1, ++ td->adin_pr, adinlen)) ++ goto err; ++ ++ if (memcmp(randout, td->kat_pr, td->katlen_pr)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST1_FAILURE); ++ goto err2; ++ } ++ ++ /* Now generate again with PR: supply new entropy again. ++ * Check output matches expected value. ++ */ ++ ++ t.ent = td->entg_pr; ++ t.entlen = td->entglen_pr; ++ ++ if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 1, ++ td->ading_pr, td->adinglen_pr)) ++ goto err; ++ ++ if (memcmp(randout, td->kat2_pr, td->kat2len_pr)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST2_FAILURE); ++ goto err2; ++ } ++ /* All OK, test complete */ ++ rv = 1; ++ ++ err: ++ if (rv == 0) ++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED); ++ err2: ++ FIPS_drbg_uninstantiate(dctx); ++ ++ return rv; ++ ++} ++ ++/* Initialise a DRBG based on selftest data */ ++ ++static int do_drbg_init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, TEST_ENT * t) ++{ ++ ++ if (!FIPS_drbg_init(dctx, td->nid, td->flags)) ++ return 0; ++ ++ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0)) ++ return 0; ++ ++ FIPS_drbg_set_app_data(dctx, t); ++ ++ t->ent = td->ent; ++ t->entlen = td->entlen; ++ t->nonce = td->nonce; ++ t->noncelen = td->noncelen; ++ t->entcnt = 0; ++ t->noncecnt = 0; ++ return 1; ++} ++ ++/* Initialise and instantiate DRBG based on selftest data */ ++static int do_drbg_instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, ++ TEST_ENT * t) ++{ ++ if (!do_drbg_init(dctx, td, t)) ++ return 0; ++ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen)) ++ return 0; ++ ++ return 1; ++} ++ ++/* This function performs extensive error checking as required by SP800-90. ++ * Induce several failure modes and check an error condition is set. ++ * This function along with fips_drbg_single_kat peforms the health checking ++ * operation. ++ */ ++ ++static int fips_drbg_error_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td) ++{ ++ unsigned char randout[1024]; ++ TEST_ENT t; ++ size_t i; ++ unsigned int reseed_counter_tmp; ++ unsigned char *p = (unsigned char *)dctx; ++ ++ /* Initialise DRBG */ ++ ++ if (!do_drbg_init(dctx, td, &t)) ++ goto err; ++ ++ /* Don't report induced errors */ ++ dctx->iflags |= DRBG_FLAG_NOERR; ++ ++ /* Personalisation string tests */ ++ ++ /* Test detection of too large personlisation string */ ++ ++ if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_PERSONALISATION_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ /* Entropy source tests */ ++ ++ /* Test entropy source failure detecion: i.e. returns no data */ ++ ++ t.entlen = 0; ++ ++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ENTROPY_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ /* Try to generate output from uninstantiated DRBG */ ++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, ++ td->adin, td->adinlen)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_GENERATE_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ dctx->iflags &= ~DRBG_FLAG_NOERR; ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ if (!do_drbg_init(dctx, td, &t)) ++ goto err; ++ ++ dctx->iflags |= DRBG_FLAG_NOERR; ++ ++ /* Test insufficient entropy */ ++ ++ t.entlen = dctx->min_entropy - 1; ++ ++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ENTROPY_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ dctx->iflags &= ~DRBG_FLAG_NOERR; ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ /* Test too much entropy */ ++ ++ if (!do_drbg_init(dctx, td, &t)) ++ goto err; ++ ++ dctx->iflags |= DRBG_FLAG_NOERR; ++ ++ t.entlen = dctx->max_entropy + 1; ++ ++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ENTROPY_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ dctx->iflags &= ~DRBG_FLAG_NOERR; ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ /* Nonce tests */ ++ ++ /* Test too small nonce */ ++ ++ if (dctx->min_nonce) { ++ ++ if (!do_drbg_init(dctx, td, &t)) ++ goto err; ++ ++ dctx->iflags |= DRBG_FLAG_NOERR; ++ ++ t.noncelen = dctx->min_nonce - 1; ++ ++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_NONCE_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ dctx->iflags &= ~DRBG_FLAG_NOERR; ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ } ++ ++ /* Test too large nonce */ ++ ++ if (dctx->max_nonce) { ++ ++ if (!do_drbg_init(dctx, td, &t)) ++ goto err; ++ ++ dctx->iflags |= DRBG_FLAG_NOERR; ++ ++ t.noncelen = dctx->max_nonce + 1; ++ ++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_NONCE_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ dctx->iflags &= ~DRBG_FLAG_NOERR; ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ } ++ ++ /* Instantiate with valid data. */ ++ if (!do_drbg_instantiate(dctx, td, &t)) ++ goto err; ++ ++ /* Check generation is now OK */ ++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, ++ td->adin, td->adinlen)) ++ goto err; ++ ++ dctx->iflags |= DRBG_FLAG_NOERR; ++ ++ /* Request too much data for one request */ ++ if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0, ++ td->adin, td->adinlen)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ /* Try too large additional input */ ++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, ++ td->adin, dctx->max_adin + 1)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ /* Check prediction resistance request fails if entropy source ++ * failure. ++ */ ++ ++ t.entlen = 0; ++ ++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1, ++ td->adin, td->adinlen)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ENTROPY_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ dctx->iflags &= ~DRBG_FLAG_NOERR; ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ /* Instantiate again with valid data */ ++ ++ if (!do_drbg_instantiate(dctx, td, &t)) ++ goto err; ++ /* Test reseed counter works */ ++ /* Save initial reseed counter */ ++ reseed_counter_tmp = dctx->reseed_counter; ++ /* Set reseed counter to beyond interval */ ++ dctx->reseed_counter = dctx->reseed_interval; ++ ++ /* Generate output and check entropy has been requested for reseed */ ++ t.entcnt = 0; ++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, ++ td->adin, td->adinlen)) ++ goto err; ++ if (t.entcnt != 1) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED); ++ goto err; ++ } ++ /* Check reseed counter has been reset */ ++ if (dctx->reseed_counter != reseed_counter_tmp + 1) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR); ++ goto err; ++ } ++ ++ dctx->iflags &= ~DRBG_FLAG_NOERR; ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ /* Check prediction resistance request fails if entropy source ++ * failure. ++ */ ++ ++ t.entlen = 0; ++ ++ dctx->iflags |= DRBG_FLAG_NOERR; ++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1, ++ td->adin, td->adinlen)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ENTROPY_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ dctx->iflags &= ~DRBG_FLAG_NOERR; ++ ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ if (!do_drbg_instantiate(dctx, td, &t)) ++ goto err; ++ /* Test reseed counter works */ ++ /* Save initial reseed counter */ ++ reseed_counter_tmp = dctx->reseed_counter; ++ /* Set reseed counter to beyond interval */ ++ dctx->reseed_counter = dctx->reseed_interval; ++ ++ /* Generate output and check entropy has been requested for reseed */ ++ t.entcnt = 0; ++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, ++ td->adin, td->adinlen)) ++ goto err; ++ if (t.entcnt != 1) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED); ++ goto err; ++ } ++ /* Check reseed counter has been reset */ ++ if (dctx->reseed_counter != reseed_counter_tmp + 1) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR); ++ goto err; ++ } ++ ++ dctx->iflags &= ~DRBG_FLAG_NOERR; ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ /* Explicit reseed tests */ ++ ++ /* Test explicit reseed with too large additional input */ ++ if (!do_drbg_init(dctx, td, &t)) ++ goto err; ++ ++ dctx->iflags |= DRBG_FLAG_NOERR; ++ ++ if (FIPS_drbg_reseed(dctx, td->adin, dctx->max_adin + 1) > 0) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ /* Test explicit reseed with entropy source failure */ ++ ++ t.entlen = 0; ++ ++ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ENTROPY_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ /* Test explicit reseed with too much entropy */ ++ ++ if (!do_drbg_init(dctx, td, &t)) ++ goto err; ++ ++ dctx->iflags |= DRBG_FLAG_NOERR; ++ ++ t.entlen = dctx->max_entropy + 1; ++ ++ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ENTROPY_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ /* Test explicit reseed with too little entropy */ ++ ++ if (!do_drbg_init(dctx, td, &t)) ++ goto err; ++ ++ dctx->iflags |= DRBG_FLAG_NOERR; ++ ++ t.entlen = dctx->min_entropy - 1; ++ ++ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ENTROPY_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ p = (unsigned char *)&dctx->d; ++ /* Standard says we have to check uninstantiate really zeroes ++ * the data... ++ */ ++ for (i = 0; i < sizeof(dctx->d); i++) { ++ if (*p != 0) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_UNINSTANTIATE_ZEROISE_ERROR); ++ goto err; ++ } ++ p++; ++ } ++ ++ return 1; ++ ++ err: ++ /* A real error as opposed to an induced one: underlying function will ++ * indicate the error. ++ */ ++ if (!(dctx->iflags & DRBG_FLAG_NOERR)) ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_FUNCTION_ERROR); ++ FIPS_drbg_uninstantiate(dctx); ++ return 0; ++ ++} ++ ++int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags) ++{ ++ DRBG_SELFTEST_DATA *td; ++ flags |= DRBG_FLAG_TEST; ++ for (td = drbg_test; td->nid != 0; td++) { ++ if (td->nid == nid && td->flags == flags) { ++ if (!fips_drbg_single_kat(dctx, td, 0)) ++ return 0; ++ return fips_drbg_error_check(dctx, td); ++ } ++ } ++ return 0; ++} ++ ++int FIPS_drbg_health_check(DRBG_CTX *dctx) ++{ ++ int rv; ++ DRBG_CTX *tctx = NULL; ++ tctx = FIPS_drbg_new(0, 0); ++ fips_post_started(FIPS_TEST_DRBG, dctx->type, &dctx->xflags); ++ if (!tctx) ++ return 0; ++ rv = fips_drbg_kat(tctx, dctx->type, dctx->xflags); ++ if (tctx) ++ FIPS_drbg_free(tctx); ++ if (rv) ++ fips_post_success(FIPS_TEST_DRBG, dctx->type, &dctx->xflags); ++ else ++ fips_post_failed(FIPS_TEST_DRBG, dctx->type, &dctx->xflags); ++ if (!rv) ++ dctx->status = DRBG_STATUS_ERROR; ++ else ++ dctx->health_check_cnt = 0; ++ return rv; ++} ++ ++int FIPS_selftest_drbg(void) ++{ ++ DRBG_CTX *dctx; ++ DRBG_SELFTEST_DATA *td; ++ int rv = 1; ++ dctx = FIPS_drbg_new(0, 0); ++ if (!dctx) ++ return 0; ++ for (td = drbg_test; td->nid != 0; td++) { ++ if (td->post != 1) ++ continue; ++ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags)) ++ return 1; ++ if (!fips_drbg_single_kat(dctx, td, 1)) { ++ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags); ++ rv = 0; ++ continue; ++ } ++ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags)) ++ return 0; ++ } ++ FIPS_drbg_free(dctx); ++ return rv; ++} ++ ++int FIPS_selftest_drbg_all(void) ++{ ++ DRBG_CTX *dctx; ++ DRBG_SELFTEST_DATA *td; ++ int rv = 1; ++ dctx = FIPS_drbg_new(0, 0); ++ if (!dctx) ++ return 0; ++ for (td = drbg_test; td->nid != 0; td++) { ++ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags)) ++ return 1; ++ if (!fips_drbg_single_kat(dctx, td, 0)) { ++ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags); ++ rv = 0; ++ continue; ++ } ++ if (!fips_drbg_error_check(dctx, td)) { ++ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags); ++ rv = 0; ++ continue; ++ } ++ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags)) ++ return 0; ++ } ++ FIPS_drbg_free(dctx); ++ return rv; ++} +diff -up openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.h.fips openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.h +--- openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.h.fips 2018-07-25 17:26:58.408624776 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_drbg_selftest.h 2018-07-25 17:26:58.408624776 +0200 +@@ -0,0 +1,1791 @@ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++/* Selftest and health check data for the SP800-90 DRBG */ ++ ++#define __fips_constseg ++ ++/* AES-128 use df PR */ ++__fips_constseg static const unsigned char aes_128_use_df_pr_entropyinput[] = { ++ 0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33, ++ 0xc8, 0xdb, 0xff, 0x12 ++}; ++ ++__fips_constseg static const unsigned char aes_128_use_df_pr_nonce[] = { ++ 0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_use_df_pr_personalizationstring[] = { ++ 0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe, ++ 0xd7, 0xd7, 0x01, 0x67 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_use_df_pr_additionalinput[] = { ++ 0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e, ++ 0x9a, 0x47, 0x08, 0x76 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_use_df_pr_entropyinputpr[] = { ++ 0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51, ++ 0x09, 0xfb, 0xa3, 0xb6 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_use_df_pr_int_returnedbits[] = { ++ 0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52, ++ 0x66, 0x1c, 0xea, 0x5b ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_use_df_pr_additionalinput2[] = { ++ 0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11, ++ 0x3f, 0x5e, 0x31, 0x06 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = { ++ 0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae, ++ 0xa7, 0xe3, 0xa8, 0x67 ++}; ++ ++__fips_constseg static const unsigned char aes_128_use_df_pr_returnedbits[] = { ++ 0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24, ++ 0x0f, 0x38, 0x43, 0xc6 ++}; ++ ++/* AES-128 use df No PR */ ++__fips_constseg static const unsigned char aes_128_use_df_entropyinput[] = { ++ 0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3, ++ 0x9d, 0x7d, 0x1c, 0x9b ++}; ++ ++__fips_constseg static const unsigned char aes_128_use_df_nonce[] = { ++ 0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_use_df_personalizationstring[] = { ++ 0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3, ++ 0x38, 0x66, 0xba, 0x1b ++}; ++ ++__fips_constseg static const unsigned char aes_128_use_df_additionalinput[] = { ++ 0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46, ++ 0xb5, 0xe2, 0xb2, 0x41 ++}; ++ ++__fips_constseg static const unsigned char aes_128_use_df_int_returnedbits[] = { ++ 0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67, ++ 0xe7, 0x57, 0x11, 0xb4 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_use_df_entropyinputreseed[] = { ++ 0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b, ++ 0xc7, 0xc4, 0x9e, 0x39 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_use_df_additionalinputreseed[] = { ++ 0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a, ++ 0xc8, 0x93, 0xfa, 0x84 ++}; ++ ++__fips_constseg static const unsigned char aes_128_use_df_additionalinput2[] = { ++ 0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5, ++ 0x06, 0x0c, 0x15, 0x2c ++}; ++ ++__fips_constseg static const unsigned char aes_128_use_df_returnedbits[] = { ++ 0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88, ++ 0x46, 0x81, 0xc7, 0x19 ++}; ++ ++/* AES-192 use df PR */ ++__fips_constseg static const unsigned char aes_192_use_df_pr_entropyinput[] = { ++ 0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec, ++ 0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d ++}; ++ ++__fips_constseg static const unsigned char aes_192_use_df_pr_nonce[] = { ++ 0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0, ++ 0xd1, 0x80, 0x78, 0xfa ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_use_df_pr_personalizationstring[] = { ++ 0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16, ++ 0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5, ++ 0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_use_df_pr_additionalinput[] = { ++ 0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac, ++ 0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb, ++ 0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_use_df_pr_entropyinputpr[] = { ++ 0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5, ++ 0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_use_df_pr_int_returnedbits[] = { ++ 0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9, ++ 0x19, 0x30, 0x6b, 0x67 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_use_df_pr_additionalinput2[] = { ++ 0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32, ++ 0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda, ++ 0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = { ++ 0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0, ++ 0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e ++}; ++ ++__fips_constseg static const unsigned char aes_192_use_df_pr_returnedbits[] = { ++ 0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c, ++ 0x7e, 0x1a, 0x2b, 0x83 ++}; ++ ++/* AES-192 use df No PR */ ++__fips_constseg static const unsigned char aes_192_use_df_entropyinput[] = { ++ 0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82, ++ 0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b ++}; ++ ++__fips_constseg static const unsigned char aes_192_use_df_nonce[] = { ++ 0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d, ++ 0x77, 0xd7, 0x41, 0x0e ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_use_df_personalizationstring[] = { ++ 0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf, ++ 0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65, ++ 0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70 ++}; ++ ++__fips_constseg static const unsigned char aes_192_use_df_additionalinput[] = { ++ 0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69, ++ 0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22, ++ 0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7 ++}; ++ ++__fips_constseg static const unsigned char aes_192_use_df_int_returnedbits[] = { ++ 0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6, ++ 0xb7, 0xed, 0xe9, 0xea ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_use_df_entropyinputreseed[] = { ++ 0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02, ++ 0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_use_df_additionalinputreseed[] = { ++ 0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76, ++ 0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77, ++ 0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65 ++}; ++ ++__fips_constseg static const unsigned char aes_192_use_df_additionalinput2[] = { ++ 0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e, ++ 0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0, ++ 0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77 ++}; ++ ++__fips_constseg static const unsigned char aes_192_use_df_returnedbits[] = { ++ 0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58, ++ 0x1a, 0xf9, 0x13, 0x28 ++}; ++ ++/* AES-256 use df PR */ ++__fips_constseg static const unsigned char aes_256_use_df_pr_entropyinput[] = { ++ 0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74, ++ 0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f, ++ 0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a ++}; ++ ++__fips_constseg static const unsigned char aes_256_use_df_pr_nonce[] = { ++ 0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33, ++ 0x2b, 0x36, 0xff, 0xa4 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_use_df_pr_personalizationstring[] = { ++ 0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24, ++ 0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83, ++ 0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_use_df_pr_additionalinput[] = { ++ 0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0, ++ 0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3, ++ 0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_use_df_pr_entropyinputpr[] = { ++ 0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77, ++ 0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54, ++ 0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_use_df_pr_int_returnedbits[] = { ++ 0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7, ++ 0x17, 0xab, 0x3c, 0x7a ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_use_df_pr_additionalinput2[] = { ++ 0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00, ++ 0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78, ++ 0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = { ++ 0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73, ++ 0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8, ++ 0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f ++}; ++ ++__fips_constseg static const unsigned char aes_256_use_df_pr_returnedbits[] = { ++ 0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0, ++ 0xd9, 0xe2, 0x97, 0x00 ++}; ++ ++/* AES-256 use df No PR */ ++__fips_constseg static const unsigned char aes_256_use_df_entropyinput[] = { ++ 0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50, ++ 0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68, ++ 0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47 ++}; ++ ++__fips_constseg static const unsigned char aes_256_use_df_nonce[] = { ++ 0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a, ++ 0x4c, 0x44, 0x84, 0x40 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_use_df_personalizationstring[] = { ++ 0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05, ++ 0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b, ++ 0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2 ++}; ++ ++__fips_constseg static const unsigned char aes_256_use_df_additionalinput[] = { ++ 0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f, ++ 0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf, ++ 0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46 ++}; ++ ++__fips_constseg static const unsigned char aes_256_use_df_int_returnedbits[] = { ++ 0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1, ++ 0x28, 0x0c, 0x3b, 0xc1 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_use_df_entropyinputreseed[] = { ++ 0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76, ++ 0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46, ++ 0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_use_df_additionalinputreseed[] = { ++ 0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99, ++ 0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75, ++ 0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75 ++}; ++ ++__fips_constseg static const unsigned char aes_256_use_df_additionalinput2[] = { ++ 0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d, ++ 0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a, ++ 0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d ++}; ++ ++__fips_constseg static const unsigned char aes_256_use_df_returnedbits[] = { ++ 0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad, ++ 0xfa, 0xfd, 0x35, 0x5e ++}; ++ ++/* AES-128 no df PR */ ++__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinput[] = { ++ 0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4, ++ 0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf, ++ 0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a ++}; ++ ++__fips_constseg static const unsigned char aes_128_no_df_pr_nonce[] = { ++ 0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_no_df_pr_personalizationstring[] = { ++ 0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c, ++ 0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c, ++ 0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_no_df_pr_additionalinput[] = { ++ 0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02, ++ 0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73, ++ 0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12 ++}; ++ ++__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinputpr[] = { ++ 0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a, ++ 0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7, ++ 0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_no_df_pr_int_returnedbits[] = { ++ 0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71, ++ 0xaf, 0x19, 0x32, 0x16 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_no_df_pr_additionalinput2[] = { ++ 0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f, ++ 0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83, ++ 0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = { ++ 0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a, ++ 0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07, ++ 0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9 ++}; ++ ++__fips_constseg static const unsigned char aes_128_no_df_pr_returnedbits[] = { ++ 0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33, ++ 0x57, 0x82, 0x33, 0xaf ++}; ++ ++/* AES-128 no df No PR */ ++__fips_constseg static const unsigned char aes_128_no_df_entropyinput[] = { ++ 0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67, ++ 0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42, ++ 0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60 ++}; ++ ++__fips_constseg static const unsigned char aes_128_no_df_nonce[] = { ++ 0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_no_df_personalizationstring[] = { ++ 0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb, ++ 0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b, ++ 0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce ++}; ++ ++__fips_constseg static const unsigned char aes_128_no_df_additionalinput[] = { ++ 0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37, ++ 0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24, ++ 0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95 ++}; ++ ++__fips_constseg static const unsigned char aes_128_no_df_int_returnedbits[] = { ++ 0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6, ++ 0xed, 0x3e, 0x65, 0xc2 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_no_df_entropyinputreseed[] = { ++ 0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66, ++ 0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1, ++ 0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_no_df_additionalinputreseed[] = { ++ 0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2, ++ 0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4, ++ 0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4 ++}; ++ ++__fips_constseg static const unsigned char aes_128_no_df_additionalinput2[] = { ++ 0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f, ++ 0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac, ++ 0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6 ++}; ++ ++__fips_constseg static const unsigned char aes_128_no_df_returnedbits[] = { ++ 0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36, ++ 0x81, 0x37, 0x19, 0xd4 ++}; ++ ++/* AES-192 no df PR */ ++__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinput[] = { ++ 0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7, ++ 0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61, ++ 0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a, ++ 0x17, 0x1f, 0x8d, 0x9a ++}; ++ ++__fips_constseg static const unsigned char aes_192_no_df_pr_nonce[] = { ++ 0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19, ++ 0x61, 0x5c, 0xee, 0x0f ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_no_df_pr_personalizationstring[] = { ++ 0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1, ++ 0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4, ++ 0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10, ++ 0x57, 0x2e, 0xe7, 0x55 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_no_df_pr_additionalinput[] = { ++ 0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad, ++ 0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85, ++ 0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f, ++ 0xe2, 0xd0, 0x0c, 0x2f ++}; ++ ++__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinputpr[] = { ++ 0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94, ++ 0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb, ++ 0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58, ++ 0x1d, 0x30, 0xb3, 0x78 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_no_df_pr_int_returnedbits[] = { ++ 0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40, ++ 0x7e, 0x3e, 0x0c, 0x26 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_no_df_pr_additionalinput2[] = { ++ 0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a, ++ 0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57, ++ 0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee, ++ 0x0c, 0x4b, 0xee, 0x6e ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = { ++ 0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0, ++ 0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f, ++ 0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b, ++ 0x8e, 0x0a, 0x83, 0xdf ++}; ++ ++__fips_constseg static const unsigned char aes_192_no_df_pr_returnedbits[] = { ++ 0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91, ++ 0xb9, 0xa1, 0x21, 0x68 ++}; ++ ++/* AES-192 no df No PR */ ++__fips_constseg static const unsigned char aes_192_no_df_entropyinput[] = { ++ 0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e, ++ 0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe, ++ 0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28, ++ 0x94, 0xc3, 0x59, 0x63 ++}; ++ ++__fips_constseg static const unsigned char aes_192_no_df_nonce[] = { ++ 0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb, ++ 0x29, 0xfd, 0x45, 0x71 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_no_df_personalizationstring[] = { ++ 0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08, ++ 0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96, ++ 0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b, ++ 0x3b, 0x88, 0xce, 0x35 ++}; ++ ++__fips_constseg static const unsigned char aes_192_no_df_additionalinput[] = { ++ 0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b, ++ 0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71, ++ 0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3, ++ 0x3e, 0xbe, 0xd4, 0x8e ++}; ++ ++__fips_constseg static const unsigned char aes_192_no_df_int_returnedbits[] = { ++ 0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a, ++ 0x45, 0xe7, 0x4a, 0xc5 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_no_df_entropyinputreseed[] = { ++ 0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e, ++ 0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1, ++ 0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33, ++ 0x9b, 0xcb, 0x7e, 0x75 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_no_df_additionalinputreseed[] = { ++ 0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01, ++ 0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27, ++ 0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40, ++ 0x5d, 0x7a, 0x25, 0x79 ++}; ++ ++__fips_constseg static const unsigned char aes_192_no_df_additionalinput2[] = { ++ 0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71, ++ 0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5, ++ 0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a, ++ 0x91, 0x6a, 0xe3, 0x5f ++}; ++ ++__fips_constseg static const unsigned char aes_192_no_df_returnedbits[] = { ++ 0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8, ++ 0x66, 0x67, 0x2c, 0x92 ++}; ++ ++/* AES-256 no df PR */ ++__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinput[] = { ++ 0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8, ++ 0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2, ++ 0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03, ++ 0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c ++}; ++ ++__fips_constseg static const unsigned char aes_256_no_df_pr_nonce[] = { ++ 0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30, ++ 0xcc, 0x4b, 0xee, 0x2e ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_no_df_pr_personalizationstring[] = { ++ 0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7, ++ 0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b, ++ 0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac, ++ 0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_no_df_pr_additionalinput[] = { ++ 0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40, ++ 0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c, ++ 0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69, ++ 0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e ++}; ++ ++__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinputpr[] = { ++ 0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16, ++ 0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc, ++ 0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9, ++ 0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_no_df_pr_int_returnedbits[] = { ++ 0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56, ++ 0x79, 0x60, 0x93, 0xcf ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_no_df_pr_additionalinput2[] = { ++ 0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a, ++ 0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35, ++ 0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34, ++ 0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = { ++ 0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3, ++ 0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa, ++ 0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83, ++ 0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f ++}; ++ ++__fips_constseg static const unsigned char aes_256_no_df_pr_returnedbits[] = { ++ 0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7, ++ 0x2d, 0x5f, 0x4a, 0x46 ++}; ++ ++/* AES-256 no df No PR */ ++__fips_constseg static const unsigned char aes_256_no_df_entropyinput[] = { ++ 0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3, ++ 0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb, ++ 0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96, ++ 0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3 ++}; ++ ++__fips_constseg static const unsigned char aes_256_no_df_nonce[] = { ++ 0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99, ++ 0x43, 0x96, 0xb9, 0xf0 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_no_df_personalizationstring[] = { ++ 0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60, ++ 0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc, ++ 0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f, ++ 0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d ++}; ++ ++__fips_constseg static const unsigned char aes_256_no_df_additionalinput[] = { ++ 0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6, ++ 0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9, ++ 0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed, ++ 0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17 ++}; ++ ++__fips_constseg static const unsigned char aes_256_no_df_int_returnedbits[] = { ++ 0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6, ++ 0xd2, 0x25, 0x75, 0x0e ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_no_df_entropyinputreseed[] = { ++ 0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b, ++ 0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5, ++ 0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed, ++ 0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_no_df_additionalinputreseed[] = { ++ 0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e, ++ 0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18, ++ 0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b, ++ 0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29 ++}; ++ ++__fips_constseg static const unsigned char aes_256_no_df_additionalinput2[] = { ++ 0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe, ++ 0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42, ++ 0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba, ++ 0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6 ++}; ++ ++__fips_constseg static const unsigned char aes_256_no_df_returnedbits[] = { ++ 0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67, ++ 0xf6, 0x02, 0x32, 0xe2 ++}; ++ ++/* SHA-1 PR */ ++__fips_constseg static const unsigned char sha1_pr_entropyinput[] = { ++ 0xd2, 0x36, 0xa5, 0x27, 0x31, 0x73, 0xdd, 0x11, 0x4f, 0x93, 0xbd, 0xe2, ++ 0x31, 0xa5, 0x91, 0x13 ++}; ++ ++__fips_constseg static const unsigned char sha1_pr_nonce[] = { ++ 0xb5, 0xb3, 0x60, 0xef, 0xf7, 0x63, 0x31, 0xf3 ++}; ++ ++__fips_constseg static const unsigned char sha1_pr_personalizationstring[] = { ++ 0xd4, 0xbb, 0x02, 0x10, 0xb2, 0x71, 0xdb, 0x81, 0xd6, 0xf0, 0x42, 0x60, ++ 0xda, 0xea, 0x77, 0x52 ++}; ++ ++__fips_constseg static const unsigned char sha1_pr_additionalinput[] = { ++ 0x4d, 0xd2, 0x6c, 0x87, 0xfb, 0x2c, 0x4f, 0xa6, 0x8d, 0x16, 0x63, 0x22, ++ 0x6a, 0x51, 0xe3, 0xf8 ++}; ++ ++__fips_constseg static const unsigned char sha1_pr_entropyinputpr[] = { ++ 0xc9, 0x83, 0x9e, 0x16, 0xf6, 0x1c, 0x0f, 0xb2, 0xec, 0x60, 0x31, 0xa9, ++ 0xcb, 0xa9, 0x36, 0x7a ++}; ++ ++__fips_constseg static const unsigned char sha1_pr_int_returnedbits[] = { ++ 0xa8, 0x13, 0x4f, 0xf4, 0x31, 0x02, 0x44, 0xe3, 0xd3, 0x3d, 0x61, 0x9e, ++ 0xe5, 0xc6, 0x3e, 0x89, 0xb5, 0x9b, 0x0f, 0x35 ++}; ++ ++__fips_constseg static const unsigned char sha1_pr_additionalinput2[] = { ++ 0xf9, 0xe8, 0xd2, 0x72, 0x13, 0x34, 0x95, 0x6f, 0x15, 0x49, 0x47, 0x99, ++ 0x16, 0x03, 0x19, 0x47 ++}; ++ ++__fips_constseg static const unsigned char sha1_pr_entropyinputpr2[] = { ++ 0x4e, 0x8c, 0x49, 0x9b, 0x4a, 0x5c, 0x9b, 0x9c, 0x3a, 0xee, 0xfb, 0xd2, ++ 0xae, 0xcd, 0x8c, 0xc4 ++}; ++ ++__fips_constseg static const unsigned char sha1_pr_returnedbits[] = { ++ 0x50, 0xb4, 0xb4, 0xcd, 0x68, 0x57, 0xfc, 0x2e, 0xc1, 0x52, 0xcc, 0xf6, ++ 0x68, 0xa4, 0x81, 0xed, 0x7e, 0xe4, 0x1d, 0x87 ++}; ++ ++/* SHA-1 No PR */ ++__fips_constseg static const unsigned char sha1_entropyinput[] = { ++ 0xa9, 0x47, 0x1b, 0x29, 0x2d, 0x1c, 0x05, 0xdf, 0x76, 0xd0, 0x62, 0xf9, ++ 0xe2, 0x7f, 0x4c, 0x7b ++}; ++ ++__fips_constseg static const unsigned char sha1_nonce[] = { ++ 0x53, 0x23, 0x24, 0xe3, 0xec, 0x0c, 0x54, 0x14 ++}; ++ ++__fips_constseg static const unsigned char sha1_personalizationstring[] = { ++ 0x7a, 0x87, 0xa1, 0xac, 0x1c, 0xfd, 0xab, 0xae, 0xf7, 0xd6, 0xfb, 0x76, ++ 0x28, 0xec, 0x6d, 0xca ++}; ++ ++__fips_constseg static const unsigned char sha1_additionalinput[] = { ++ 0xfc, 0x92, 0x35, 0xd6, 0x7e, 0xb7, 0x24, 0x65, 0xfd, 0x12, 0x27, 0x35, ++ 0xc0, 0x72, 0xca, 0x28 ++}; ++ ++__fips_constseg static const unsigned char sha1_int_returnedbits[] = { ++ 0x57, 0x88, 0x82, 0xe5, 0x25, 0xa5, 0x2c, 0x4a, 0x06, 0x20, 0x6c, 0x72, ++ 0x55, 0x61, 0xdd, 0x90, 0x71, 0x9f, 0x95, 0xea ++}; ++ ++__fips_constseg static const unsigned char sha1_entropyinputreseed[] = { ++ 0x69, 0xa5, 0x40, 0x62, 0x98, 0x47, 0x56, 0x73, 0x4a, 0x8f, 0x60, 0x96, ++ 0xd6, 0x99, 0x27, 0xed ++}; ++ ++__fips_constseg static const unsigned char sha1_additionalinputreseed[] = { ++ 0xe5, 0x40, 0x4e, 0xbd, 0x50, 0x00, 0xf5, 0x15, 0xa6, 0xee, 0x45, 0xda, ++ 0x84, 0x3d, 0xd4, 0xc0 ++}; ++ ++__fips_constseg static const unsigned char sha1_additionalinput2[] = { ++ 0x11, 0x51, 0x14, 0xf0, 0x09, 0x1b, 0x4e, 0x56, 0x0d, 0xe9, 0xf6, 0x1e, ++ 0x52, 0x65, 0xcd, 0x96 ++}; ++ ++__fips_constseg static const unsigned char sha1_returnedbits[] = { ++ 0xa1, 0x9c, 0x94, 0x6e, 0x29, 0xe1, 0x33, 0x0d, 0x32, 0xd6, 0xaa, 0xce, ++ 0x71, 0x3f, 0x52, 0x72, 0x8b, 0x42, 0xa8, 0xd7 ++}; ++ ++/* SHA-224 PR */ ++__fips_constseg static const unsigned char sha224_pr_entropyinput[] = { ++ 0x12, 0x69, 0x32, 0x4f, 0x83, 0xa6, 0xf5, 0x14, 0xe3, 0x49, 0x3e, 0x75, ++ 0x3e, 0xde, 0xad, 0xa1, 0x29, 0xc3, 0xf3, 0x19, 0x20, 0xb5, 0x4c, 0xd9 ++}; ++ ++__fips_constseg static const unsigned char sha224_pr_nonce[] = { ++ 0x6a, 0x78, 0xd0, 0xeb, 0xbb, 0x5a, 0xf0, 0xee, 0xe8, 0xc3, 0xba, 0x71 ++}; ++ ++__fips_constseg static const unsigned char sha224_pr_personalizationstring[] = { ++ 0xd5, 0xb8, 0xb6, 0xbc, 0xc1, 0x5b, 0x60, 0x31, 0x3c, 0xf5, 0xe5, 0xc0, ++ 0x8e, 0x52, 0x7a, 0xbd, 0xea, 0x47, 0xa9, 0x5f, 0x8f, 0xf9, 0x8b, 0xae ++}; ++ ++__fips_constseg static const unsigned char sha224_pr_additionalinput[] = { ++ 0x1f, 0x55, 0xec, 0xae, 0x16, 0x12, 0x84, 0xba, 0x84, 0x16, 0x19, 0x88, ++ 0x8e, 0xb8, 0x33, 0x25, 0x54, 0xff, 0xca, 0x79, 0xaf, 0x07, 0x25, 0x50 ++}; ++ ++__fips_constseg static const unsigned char sha224_pr_entropyinputpr[] = { ++ 0x92, 0xa3, 0x32, 0xa8, 0x9a, 0x0a, 0x58, 0x7c, 0x1d, 0x5a, 0x7e, 0xe1, ++ 0xb2, 0x73, 0xab, 0x0e, 0x16, 0x79, 0x23, 0xd3, 0x29, 0x89, 0x81, 0xe1 ++}; ++ ++__fips_constseg static const unsigned char sha224_pr_int_returnedbits[] = { ++ 0xf3, 0x38, 0x91, 0x40, 0x37, 0x7a, 0x51, 0x72, 0x42, 0x74, 0x78, 0x0a, ++ 0x69, 0xfd, 0xa6, 0x44, 0x43, 0x45, 0x6c, 0x0c, 0x5a, 0x19, 0xff, 0xf1, ++ 0x54, 0x60, 0xee, 0x6a ++}; ++ ++__fips_constseg static const unsigned char sha224_pr_additionalinput2[] = { ++ 0x75, 0xf3, 0x04, 0x25, 0xdd, 0x36, 0xa8, 0x37, 0x46, 0xae, 0x0c, 0x52, ++ 0x05, 0x79, 0x4c, 0x26, 0xdb, 0xe9, 0x71, 0x16, 0x4c, 0x0a, 0xf2, 0x60 ++}; ++ ++__fips_constseg static const unsigned char sha224_pr_entropyinputpr2[] = { ++ 0xea, 0xc5, 0x03, 0x0a, 0x4f, 0xb0, 0x38, 0x8d, 0x23, 0xd4, 0xc8, 0x77, ++ 0xe2, 0x6d, 0x9c, 0x0b, 0x44, 0xf7, 0x2d, 0x5b, 0xbf, 0x5d, 0x2a, 0x11 ++}; ++ ++__fips_constseg static const unsigned char sha224_pr_returnedbits[] = { ++ 0x60, 0x50, 0x2b, 0xe7, 0x86, 0xd8, 0x26, 0x73, 0xe3, 0x1d, 0x95, 0x20, ++ 0xb3, 0x2c, 0x32, 0x1c, 0xf5, 0xce, 0x57, 0xa6, 0x67, 0x2b, 0xdc, 0x4e, ++ 0xdd, 0x11, 0x4c, 0xc4 ++}; ++ ++/* SHA-224 No PR */ ++__fips_constseg static const unsigned char sha224_entropyinput[] = { ++ 0xb2, 0x1c, 0x77, 0x4d, 0xf6, 0xd3, 0xb6, 0x40, 0xb7, 0x30, 0x3e, 0x29, ++ 0xb0, 0x85, 0x1c, 0xbe, 0x4a, 0xea, 0x6b, 0x5a, 0xb5, 0x8a, 0x97, 0xeb ++}; ++ ++__fips_constseg static const unsigned char sha224_nonce[] = { ++ 0x42, 0x02, 0x0a, 0x1c, 0x98, 0x9a, 0x77, 0x9e, 0x9f, 0x80, 0xba, 0xe0 ++}; ++ ++__fips_constseg static const unsigned char sha224_personalizationstring[] = { ++ 0x98, 0xb8, 0x04, 0x41, 0xfc, 0xc1, 0x5d, 0xc5, 0xe9, 0xb9, 0x08, 0xda, ++ 0xf9, 0xfa, 0x0d, 0x90, 0xce, 0xdf, 0x1d, 0x10, 0xa9, 0x8d, 0x50, 0x0c ++}; ++ ++__fips_constseg static const unsigned char sha224_additionalinput[] = { ++ 0x9a, 0x8d, 0x39, 0x49, 0x42, 0xd5, 0x0b, 0xae, 0xe1, 0xaf, 0xb7, 0x00, ++ 0x02, 0xfa, 0x96, 0xb1, 0xa5, 0x1d, 0x2d, 0x25, 0x78, 0xee, 0x83, 0x3f ++}; ++ ++__fips_constseg static const unsigned char sha224_int_returnedbits[] = { ++ 0xe4, 0xf5, 0x53, 0x79, 0x5a, 0x97, 0x58, 0x06, 0x08, 0xba, 0x7b, 0xfa, ++ 0xf0, 0x83, 0x05, 0x8c, 0x22, 0xc0, 0xc9, 0xdb, 0x15, 0xe7, 0xde, 0x20, ++ 0x55, 0x22, 0x9a, 0xad ++}; ++ ++__fips_constseg static const unsigned char sha224_entropyinputreseed[] = { ++ 0x67, 0x09, 0x48, 0xaa, 0x07, 0x16, 0x99, 0x89, 0x7f, 0x6d, 0xa0, 0xe5, ++ 0x8f, 0xdf, 0xbc, 0xdb, 0xfe, 0xe5, 0x6c, 0x7a, 0x95, 0x4a, 0x66, 0x17 ++}; ++ ++__fips_constseg static const unsigned char sha224_additionalinputreseed[] = { ++ 0x0f, 0x4b, 0x1c, 0x6f, 0xb7, 0xe3, 0x47, 0xe5, 0x5d, 0x7d, 0x38, 0xd6, ++ 0x28, 0x9b, 0xeb, 0x55, 0x63, 0x09, 0x3e, 0x7c, 0x56, 0xea, 0xf8, 0x19 ++}; ++ ++__fips_constseg static const unsigned char sha224_additionalinput2[] = { ++ 0x2d, 0x26, 0x7c, 0x37, 0xe4, 0x7a, 0x28, 0x5e, 0x5a, 0x3c, 0xaf, 0x3d, ++ 0x5a, 0x8e, 0x55, 0xa2, 0x1a, 0x6e, 0xc0, 0xe5, 0xf6, 0x21, 0xd3, 0xf6 ++}; ++ ++__fips_constseg static const unsigned char sha224_returnedbits[] = { ++ 0x4d, 0x83, 0x35, 0xdf, 0x67, 0xa9, 0xfc, 0x17, 0xda, 0x70, 0xcc, 0x8b, ++ 0x7f, 0x77, 0xae, 0xa2, 0x5f, 0xb9, 0x7e, 0x74, 0x4c, 0x26, 0xc1, 0x7a, ++ 0x3b, 0xa7, 0x5c, 0x93 ++}; ++ ++/* SHA-256 PR */ ++__fips_constseg static const unsigned char sha256_pr_entropyinput[] = { ++ 0xce, 0x49, 0x00, 0x7a, 0x56, 0xe3, 0x67, 0x8f, 0xe1, 0xb6, 0xa7, 0xd4, ++ 0x4f, 0x08, 0x7a, 0x1b, 0x01, 0xf4, 0xfa, 0x6b, 0xef, 0xb7, 0xe5, 0xeb, ++ 0x07, 0x3d, 0x11, 0x0d, 0xc8, 0xea, 0x2b, 0xfe ++}; ++ ++__fips_constseg static const unsigned char sha256_pr_nonce[] = { ++ 0x73, 0x41, 0xc8, 0x92, 0x94, 0xe2, 0xc5, 0x5f, 0x93, 0xfd, 0x39, 0x5d, ++ 0x2b, 0x91, 0x4d, 0x38 ++}; ++ ++__fips_constseg static const unsigned char sha256_pr_personalizationstring[] = { ++ 0x50, 0x6d, 0x01, 0x01, 0x07, 0x5a, 0x80, 0x35, 0x7a, 0x56, 0x1a, 0x56, ++ 0x2f, 0x9a, 0x0b, 0x35, 0xb2, 0xb1, 0xc9, 0xe5, 0xca, 0x69, 0x61, 0x48, ++ 0xff, 0xfb, 0x0f, 0xd9, 0x4b, 0x79, 0x1d, 0xba ++}; ++ ++__fips_constseg static const unsigned char sha256_pr_additionalinput[] = { ++ 0x20, 0xb8, 0xdf, 0x44, 0x77, 0x5a, 0xb8, 0xd3, 0xbf, 0xf6, 0xcf, 0xac, ++ 0x5e, 0xa6, 0x96, 0x62, 0x73, 0x44, 0x40, 0x4a, 0x30, 0xfb, 0x38, 0xa5, ++ 0x7b, 0x0d, 0xe4, 0x0d, 0xc6, 0xe4, 0x9a, 0x1f ++}; ++ ++__fips_constseg static const unsigned char sha256_pr_entropyinputpr[] = { ++ 0x04, 0xc4, 0x65, 0xf4, 0xd3, 0xbf, 0x83, 0x4b, 0xab, 0xc8, 0x41, 0xa8, ++ 0xc2, 0xe0, 0x44, 0x63, 0x77, 0x4c, 0x6f, 0x6c, 0x49, 0x46, 0xff, 0x94, ++ 0x17, 0xea, 0xe6, 0x1a, 0x9d, 0x5e, 0x66, 0x78 ++}; ++ ++__fips_constseg static const unsigned char sha256_pr_int_returnedbits[] = { ++ 0x07, 0x4d, 0xac, 0x9b, 0x86, 0xca, 0x4a, 0xaa, 0x6e, 0x7a, 0x03, 0xa2, ++ 0x5d, 0x10, 0xea, 0x0b, 0xf9, 0x83, 0xcc, 0xd1, 0xfc, 0xe2, 0x07, 0xc7, ++ 0x06, 0x34, 0x60, 0x6f, 0x83, 0x94, 0x99, 0x76 ++}; ++ ++__fips_constseg static const unsigned char sha256_pr_additionalinput2[] = { ++ 0x89, 0x4e, 0x45, 0x8c, 0x11, 0xf9, 0xbc, 0x5b, 0xac, 0x74, 0x8b, 0x4b, ++ 0x5f, 0xf7, 0x19, 0xf3, 0xf5, 0x24, 0x54, 0x14, 0xd1, 0x15, 0xb1, 0x43, ++ 0x12, 0xa4, 0x5f, 0xd4, 0xec, 0xfc, 0xcd, 0x09 ++}; ++ ++__fips_constseg static const unsigned char sha256_pr_entropyinputpr2[] = { ++ 0x0e, 0xeb, 0x1f, 0xd7, 0xfc, 0xd1, 0x9d, 0xd4, 0x05, 0x36, 0x8b, 0xb2, ++ 0xfb, 0xe4, 0xf4, 0x51, 0x0c, 0x87, 0x9b, 0x02, 0x44, 0xd5, 0x92, 0x4d, ++ 0x44, 0xfe, 0x1a, 0x03, 0x43, 0x56, 0xbd, 0x86 ++}; ++ ++__fips_constseg static const unsigned char sha256_pr_returnedbits[] = { ++ 0x02, 0xaa, 0xb6, 0x1d, 0x7e, 0x2a, 0x40, 0x03, 0x69, 0x2d, 0x49, 0xa3, ++ 0x41, 0xe7, 0x44, 0x0b, 0xaf, 0x7b, 0x85, 0xe4, 0x5f, 0x53, 0x3b, 0x64, ++ 0xbc, 0x89, 0xc8, 0x82, 0xd4, 0x78, 0x37, 0xa2 ++}; ++ ++/* SHA-256 No PR */ ++__fips_constseg static const unsigned char sha256_entropyinput[] = { ++ 0x5b, 0x1b, 0xec, 0x4d, 0xa9, 0x38, 0x74, 0x5a, 0x34, 0x0b, 0x7b, 0xc5, ++ 0xe5, 0xd7, 0x66, 0x7c, 0xbc, 0x82, 0xb9, 0x0e, 0x2d, 0x1f, 0x92, 0xd7, ++ 0xc1, 0xbc, 0x67, 0x69, 0xec, 0x6b, 0x03, 0x3c ++}; ++ ++__fips_constseg static const unsigned char sha256_nonce[] = { ++ 0xa4, 0x0c, 0xd8, 0x9c, 0x61, 0xd8, 0xc3, 0x54, 0xfe, 0x53, 0xc9, 0xe5, ++ 0x5d, 0x6f, 0x6d, 0x35 ++}; ++ ++__fips_constseg static const unsigned char sha256_personalizationstring[] = { ++ 0x22, 0x5e, 0x62, 0x93, 0x42, 0x83, 0x78, 0x24, 0xd8, 0x40, 0x8c, 0xde, ++ 0x6f, 0xf9, 0xa4, 0x7a, 0xc5, 0xa7, 0x3b, 0x88, 0xa3, 0xee, 0x42, 0x20, ++ 0xfd, 0x61, 0x56, 0xc6, 0x4c, 0x13, 0x41, 0x9c ++}; ++ ++__fips_constseg static const unsigned char sha256_additionalinput[] = { ++ 0xbf, 0x74, 0x5b, 0xf6, 0xc5, 0x64, 0x5e, 0x99, 0x34, 0x8f, 0xbc, 0xa4, ++ 0xe2, 0xbd, 0xd8, 0x85, 0x26, 0x37, 0xea, 0xba, 0x4f, 0xf2, 0x9a, 0x9a, ++ 0x66, 0xfc, 0xdf, 0x63, 0x26, 0x26, 0x19, 0x87 ++}; ++ ++__fips_constseg static const unsigned char sha256_int_returnedbits[] = { ++ 0xb3, 0xc6, 0x07, 0x07, 0xd6, 0x75, 0xf6, 0x2b, 0xd6, 0x21, 0x96, 0xf1, ++ 0xae, 0xdb, 0x2b, 0xac, 0x25, 0x2a, 0xae, 0xae, 0x41, 0x72, 0x03, 0x5e, ++ 0xbf, 0xd3, 0x64, 0xbc, 0x59, 0xf9, 0xc0, 0x76 ++}; ++ ++__fips_constseg static const unsigned char sha256_entropyinputreseed[] = { ++ 0xbf, 0x20, 0x33, 0x56, 0x29, 0xa8, 0x37, 0x04, 0x1f, 0x78, 0x34, 0x3d, ++ 0x81, 0x2a, 0xc9, 0x86, 0xc6, 0x7a, 0x2f, 0x88, 0x5e, 0xd5, 0xbe, 0x34, ++ 0x46, 0x20, 0xa4, 0x35, 0xeb, 0xc7, 0xe2, 0x9d ++}; ++ ++__fips_constseg static const unsigned char sha256_additionalinputreseed[] = { ++ 0x9b, 0xae, 0x2d, 0x2d, 0x61, 0xa4, 0x89, 0xeb, 0x43, 0x46, 0xa7, 0xda, ++ 0xef, 0x40, 0xca, 0x4a, 0x99, 0x11, 0x41, 0xdc, 0x5c, 0x94, 0xe9, 0xac, ++ 0xd4, 0xd0, 0xe6, 0xbd, 0xfb, 0x03, 0x9c, 0xa8 ++}; ++ ++__fips_constseg static const unsigned char sha256_additionalinput2[] = { ++ 0x23, 0xaa, 0x0c, 0xbd, 0x28, 0x33, 0xe2, 0x51, 0xfc, 0x71, 0xd2, 0x15, ++ 0x1f, 0x76, 0xfd, 0x0d, 0xe0, 0xb7, 0xb5, 0x84, 0x75, 0x5b, 0xbe, 0xf3, ++ 0x5c, 0xca, 0xc5, 0x30, 0xf2, 0x75, 0x1f, 0xda ++}; ++ ++__fips_constseg static const unsigned char sha256_returnedbits[] = { ++ 0x90, 0x3c, 0xc1, 0x10, 0x8c, 0x12, 0x01, 0xc6, 0xa6, 0x3a, 0x0f, 0x4d, ++ 0xb6, 0x3a, 0x4f, 0x41, 0x9c, 0x61, 0x75, 0x84, 0xe9, 0x74, 0x75, 0xfd, ++ 0xfe, 0xf2, 0x1f, 0x43, 0xd8, 0x5e, 0x24, 0xa3 ++}; ++ ++/* SHA-384 PR */ ++__fips_constseg static const unsigned char sha384_pr_entropyinput[] = { ++ 0x71, 0x9d, 0xb2, 0x5a, 0x71, 0x6d, 0x04, 0xe9, 0x1e, 0xc7, 0x92, 0x24, ++ 0x6e, 0x12, 0x33, 0xa9, 0x52, 0x64, 0x31, 0xef, 0x71, 0xeb, 0x22, 0x55, ++ 0x28, 0x97, 0x06, 0x6a, 0xc0, 0x0c, 0xa0, 0x7e ++}; ++ ++__fips_constseg static const unsigned char sha384_pr_nonce[] = { ++ 0xf5, 0x0d, 0xfa, 0xb0, 0xec, 0x6a, 0x7c, 0xd6, 0xbd, 0x9b, 0x05, 0xfd, ++ 0x38, 0x3e, 0x2e, 0x56 ++}; ++ ++__fips_constseg static const unsigned char sha384_pr_personalizationstring[] = { ++ 0x74, 0xac, 0x7e, 0x6d, 0xb1, 0xa4, 0xe7, 0x21, 0xd1, 0x1e, 0x6e, 0x96, ++ 0x6d, 0x4d, 0x53, 0x46, 0x82, 0x96, 0x6e, 0xcf, 0xaa, 0x81, 0x8d, 0x7d, ++ 0x9e, 0xe1, 0x0f, 0x15, 0xea, 0x41, 0xbf, 0xe3 ++}; ++ ++__fips_constseg static const unsigned char sha384_pr_additionalinput[] = { ++ 0xda, 0x95, 0xd4, 0xd0, 0xb8, 0x11, 0xd3, 0x49, 0x27, 0x5d, 0xa9, 0x39, ++ 0x68, 0xf3, 0xa8, 0xe9, 0x5d, 0x19, 0x8a, 0x2b, 0x66, 0xe8, 0x69, 0x06, ++ 0x7c, 0x9e, 0x03, 0xa1, 0x8b, 0x26, 0x2d, 0x6e ++}; ++ ++__fips_constseg static const unsigned char sha384_pr_entropyinputpr[] = { ++ 0x49, 0xdf, 0x44, 0x00, 0xe4, 0x1c, 0x75, 0x0b, 0x26, 0x5a, 0x59, 0x64, ++ 0x1f, 0x4e, 0xb1, 0xb2, 0x13, 0xf1, 0x22, 0x4e, 0xb4, 0x6d, 0x9a, 0xcc, ++ 0xa0, 0x48, 0xe6, 0xcf, 0x1d, 0xd1, 0x92, 0x0d ++}; ++ ++__fips_constseg static const unsigned char sha384_pr_int_returnedbits[] = { ++ 0xc8, 0x52, 0xae, 0xbf, 0x04, 0x3c, 0x27, 0xb7, 0x78, 0x18, 0xaa, 0x8f, ++ 0xff, 0xcf, 0xa4, 0xf1, 0xcc, 0xe7, 0x68, 0xfa, 0x22, 0xa2, 0x13, 0x45, ++ 0xe8, 0xdd, 0x87, 0xe6, 0xf2, 0x6e, 0xdd, 0xc7, 0x52, 0x90, 0x9f, 0x7b, ++ 0xfa, 0x61, 0x2d, 0x9d, 0x9e, 0xcf, 0x98, 0xac, 0x52, 0x40, 0xce, 0xaf ++}; ++ ++__fips_constseg static const unsigned char sha384_pr_additionalinput2[] = { ++ 0x61, 0x7c, 0x03, 0x9a, 0x3e, 0x50, 0x57, 0x60, 0xc5, 0x83, 0xc9, 0xb2, ++ 0xd1, 0x87, 0x85, 0x66, 0x92, 0x5d, 0x84, 0x0e, 0x53, 0xfb, 0x70, 0x03, ++ 0x72, 0xfd, 0xba, 0xae, 0x9c, 0x8f, 0xf8, 0x18 ++}; ++ ++__fips_constseg static const unsigned char sha384_pr_entropyinputpr2[] = { ++ 0xf8, 0xeb, 0x89, 0xb1, 0x8d, 0x78, 0xbe, 0x21, 0xe0, 0xbb, 0x9d, 0xb7, ++ 0x95, 0x0e, 0xd9, 0x46, 0x0c, 0x8c, 0xe2, 0x63, 0xb7, 0x9d, 0x67, 0x90, ++ 0xbd, 0xc7, 0x0b, 0xa5, 0xce, 0xb2, 0x65, 0x81 ++}; ++ ++__fips_constseg static const unsigned char sha384_pr_returnedbits[] = { ++ 0xe6, 0x9f, 0xfe, 0x68, 0xd6, 0xb5, 0x79, 0xf1, 0x06, 0x5f, 0xa3, 0xbb, ++ 0x23, 0x85, 0xd8, 0xf0, 0x29, 0x5a, 0x68, 0x9e, 0xf5, 0xf4, 0xa6, 0x12, ++ 0xe0, 0x9a, 0xe2, 0xac, 0x00, 0x1d, 0x98, 0x26, 0xfc, 0x53, 0x95, 0x53, ++ 0xe4, 0x3e, 0x17, 0xd5, 0x08, 0x0b, 0x70, 0x3d, 0x67, 0x99, 0xac, 0x66 ++}; ++ ++/* SHA-384 No PR */ ++__fips_constseg static const unsigned char sha384_entropyinput[] = { ++ 0x07, 0x15, 0x27, 0x2a, 0xaf, 0x74, 0x24, 0x37, 0xbc, 0xd5, 0x14, 0x69, ++ 0xce, 0x11, 0xff, 0xa2, 0x6b, 0xb8, 0x05, 0x67, 0x34, 0xf8, 0xbd, 0x6d, ++ 0x6a, 0xcc, 0xcd, 0x60, 0xa3, 0x68, 0xca, 0xf4 ++}; ++ ++__fips_constseg static const unsigned char sha384_nonce[] = { ++ 0x70, 0x17, 0xc2, 0x5b, 0x5d, 0x22, 0x0b, 0x06, 0x15, 0x54, 0x78, 0x77, ++ 0x44, 0xaf, 0x2f, 0x09 ++}; ++ ++__fips_constseg static const unsigned char sha384_personalizationstring[] = { ++ 0x89, 0x39, 0x28, 0xb0, 0x60, 0xeb, 0x3d, 0xdc, 0x55, 0x75, 0x86, 0xeb, ++ 0xae, 0xa2, 0x8f, 0xbc, 0x1b, 0x75, 0xd4, 0xe1, 0x0f, 0xaa, 0x38, 0xca, ++ 0x62, 0x8b, 0xcb, 0x2c, 0x26, 0xf6, 0xbc, 0xb1 ++}; ++ ++__fips_constseg static const unsigned char sha384_additionalinput[] = { ++ 0x30, 0x2b, 0x42, 0x35, 0xef, 0xda, 0x40, 0x55, 0x28, 0xc6, 0x95, 0xfb, ++ 0x54, 0x01, 0x62, 0xd7, 0x87, 0x14, 0x48, 0x6d, 0x90, 0x4c, 0xa9, 0x02, ++ 0x54, 0x40, 0x22, 0xc8, 0x66, 0xa5, 0x48, 0x48 ++}; ++ ++__fips_constseg static const unsigned char sha384_int_returnedbits[] = { ++ 0x82, 0xc4, 0xa1, 0x9c, 0x21, 0xd2, 0xe7, 0xa5, 0xa6, 0xf6, 0x5f, 0x04, ++ 0x5c, 0xc7, 0x31, 0x9d, 0x8d, 0x59, 0x74, 0x50, 0x19, 0x89, 0x2f, 0x63, ++ 0xd5, 0xb7, 0x7e, 0xeb, 0x15, 0xe3, 0x70, 0x83, 0xa1, 0x24, 0x59, 0xfa, ++ 0x2c, 0x56, 0xf6, 0x88, 0x3a, 0x92, 0x93, 0xa1, 0xfb, 0x79, 0xc1, 0x7a ++}; ++ ++__fips_constseg static const unsigned char sha384_entropyinputreseed[] = { ++ 0x39, 0xa6, 0xe8, 0x5c, 0x82, 0x17, 0x71, 0x26, 0x57, 0x4f, 0x9f, 0xc2, ++ 0x55, 0xff, 0x5c, 0x9b, 0x53, 0x1a, 0xd1, 0x5f, 0xbc, 0x62, 0xe4, 0x27, ++ 0x2d, 0x32, 0xf0, 0xe4, 0x52, 0x8c, 0xc5, 0x0c ++}; ++ ++__fips_constseg static const unsigned char sha384_additionalinputreseed[] = { ++ 0x8d, 0xcb, 0x8d, 0xce, 0x08, 0xea, 0x80, 0xe8, 0x9b, 0x61, 0xa8, 0x0f, ++ 0xaf, 0x49, 0x20, 0x9e, 0x74, 0xcb, 0x57, 0x80, 0x42, 0xb0, 0x84, 0x5e, ++ 0x30, 0x2a, 0x67, 0x08, 0xf4, 0xe3, 0x40, 0x22 ++}; ++ ++__fips_constseg static const unsigned char sha384_additionalinput2[] = { ++ 0x7c, 0x8f, 0xc2, 0xae, 0x22, 0x4a, 0xd6, 0xf6, 0x05, 0xa4, 0x7a, 0xea, ++ 0xbb, 0x25, 0xd0, 0xb7, 0x5a, 0xd6, 0xcf, 0x9d, 0xf3, 0x6c, 0xe2, 0xb2, ++ 0x4e, 0xb4, 0xbd, 0xf4, 0xe5, 0x40, 0x80, 0x94 ++}; ++ ++__fips_constseg static const unsigned char sha384_returnedbits[] = { ++ 0x9e, 0x7e, 0xfb, 0x59, 0xbb, 0xaa, 0x3c, 0xf7, 0xe1, 0xf8, 0x76, 0xdd, ++ 0x63, 0x5f, 0xaf, 0x23, 0xd6, 0x64, 0x61, 0xc0, 0x9a, 0x09, 0x47, 0xc9, ++ 0x33, 0xdf, 0x6d, 0x55, 0x91, 0x34, 0x79, 0x70, 0xc4, 0x99, 0x6e, 0x54, ++ 0x09, 0x64, 0x21, 0x1a, 0xbd, 0x1e, 0x80, 0x40, 0x34, 0xad, 0xfa, 0xd7 ++}; ++ ++/* SHA-512 PR */ ++__fips_constseg static const unsigned char sha512_pr_entropyinput[] = { ++ 0x13, 0xf7, 0x61, 0x75, 0x65, 0x28, 0xa2, 0x59, 0x13, 0x5a, 0x4a, 0x4f, ++ 0x56, 0x60, 0x8c, 0x53, 0x7d, 0xb0, 0xbd, 0x06, 0x4f, 0xed, 0xcc, 0xd2, ++ 0xa2, 0xb5, 0xfd, 0x5b, 0x3a, 0xab, 0xec, 0x28 ++}; ++ ++__fips_constseg static const unsigned char sha512_pr_nonce[] = { ++ 0xbe, 0xa3, 0x91, 0x93, 0x1d, 0xc3, 0x31, 0x3a, 0x23, 0x33, 0x50, 0x67, ++ 0x88, 0xc7, 0xa2, 0xc4 ++}; ++ ++__fips_constseg static const unsigned char sha512_pr_personalizationstring[] = { ++ 0x1f, 0x59, 0x4d, 0x7b, 0xe6, 0x46, 0x91, 0x48, 0xc1, 0x25, 0xfa, 0xff, ++ 0x89, 0x12, 0x77, 0x35, 0xdf, 0x3e, 0xf4, 0x80, 0x5f, 0xd9, 0xb0, 0x07, ++ 0x22, 0x41, 0xdd, 0x48, 0x78, 0x6b, 0x77, 0x2b ++}; ++ ++__fips_constseg static const unsigned char sha512_pr_additionalinput[] = { ++ 0x30, 0xff, 0x63, 0x6f, 0xac, 0xd9, 0x84, 0x39, 0x6f, 0xe4, 0x99, 0xce, ++ 0x91, 0x7d, 0x7e, 0xc8, 0x58, 0xf2, 0x12, 0xc3, 0xb6, 0xad, 0xda, 0x22, ++ 0x04, 0xa0, 0xd2, 0x21, 0xfe, 0xf2, 0x95, 0x1d ++}; ++ ++__fips_constseg static const unsigned char sha512_pr_entropyinputpr[] = { ++ 0x64, 0x54, 0x13, 0xec, 0x4f, 0x77, 0xda, 0xb2, 0x92, 0x2e, 0x52, 0x80, ++ 0x11, 0x10, 0xc2, 0xf8, 0xe6, 0xa7, 0xcd, 0x4b, 0xfc, 0x32, 0x2e, 0x9e, ++ 0xeb, 0xbb, 0xb1, 0xbf, 0x15, 0x5c, 0x73, 0x08 ++}; ++ ++__fips_constseg static const unsigned char sha512_pr_int_returnedbits[] = { ++ 0xef, 0x1e, 0xdc, 0x0a, 0xa4, 0x36, 0x91, 0x9c, 0x3d, 0x27, 0x97, 0x50, ++ 0x8d, 0x36, 0x29, 0x8d, 0xce, 0x6a, 0x0c, 0xf7, 0x21, 0xc0, 0x91, 0xae, ++ 0x0c, 0x96, 0x72, 0xbd, 0x52, 0x81, 0x58, 0xfc, 0x6d, 0xe5, 0xf7, 0xa5, ++ 0xfd, 0x5d, 0xa7, 0x58, 0x68, 0xc8, 0x99, 0x58, 0x8e, 0xc8, 0xce, 0x95, ++ 0x01, 0x7d, 0xff, 0xa4, 0xc8, 0xf7, 0x63, 0xfe, 0x5f, 0x69, 0x83, 0x53, ++ 0xe2, 0xc6, 0x8b, 0xc3 ++}; ++ ++__fips_constseg static const unsigned char sha512_pr_additionalinput2[] = { ++ 0xe6, 0x9b, 0xc4, 0x88, 0x34, 0xca, 0xea, 0x29, 0x2f, 0x98, 0x05, 0xa4, ++ 0xd3, 0xc0, 0x7b, 0x11, 0xe8, 0xbb, 0x75, 0xf2, 0xbd, 0x29, 0xb7, 0x40, ++ 0x25, 0x7f, 0xc1, 0xb7, 0xb1, 0xf1, 0x25, 0x61 ++}; ++ ++__fips_constseg static const unsigned char sha512_pr_entropyinputpr2[] = { ++ 0x23, 0x6d, 0xff, 0xde, 0xfb, 0xd1, 0xba, 0x33, 0x18, 0xe6, 0xbe, 0xb5, ++ 0x48, 0x77, 0x6d, 0x7f, 0xa7, 0xe1, 0x4d, 0x48, 0x1e, 0x3c, 0xa7, 0x34, ++ 0x1a, 0xc8, 0x60, 0xdb, 0x8f, 0x99, 0x15, 0x99 ++}; ++ ++__fips_constseg static const unsigned char sha512_pr_returnedbits[] = { ++ 0x70, 0x27, 0x31, 0xdb, 0x92, 0x70, 0x21, 0xfe, 0x16, 0xb6, 0xc8, 0x51, ++ 0x34, 0x87, 0x65, 0xd0, 0x4e, 0xfd, 0xfe, 0x68, 0xec, 0xac, 0xdc, 0x93, ++ 0x41, 0x38, 0x92, 0x90, 0xb4, 0x94, 0xf9, 0x0d, 0xa4, 0xf7, 0x4e, 0x80, ++ 0x92, 0x67, 0x48, 0x40, 0xa7, 0x08, 0xc7, 0xbc, 0x66, 0x00, 0xfd, 0xf7, ++ 0x4c, 0x8b, 0x17, 0x6e, 0xd1, 0x8f, 0x9b, 0xf3, 0x6f, 0xf6, 0x34, 0xdd, ++ 0x67, 0xf7, 0x68, 0xdd ++}; ++ ++/* SHA-512 No PR */ ++__fips_constseg static const unsigned char sha512_entropyinput[] = { ++ 0xb6, 0x0b, 0xb7, 0xbc, 0x84, 0x56, 0xf6, 0x12, 0xaf, 0x45, 0x67, 0x17, ++ 0x7c, 0xd1, 0xb2, 0x78, 0x2b, 0xa0, 0xf2, 0xbe, 0xb6, 0x6d, 0x8b, 0x56, ++ 0xc6, 0xbc, 0x4d, 0xe1, 0xf7, 0xbe, 0xce, 0xbd ++}; ++ ++__fips_constseg static const unsigned char sha512_nonce[] = { ++ 0x9d, 0xed, 0xc0, 0xe5, 0x5a, 0x98, 0x6a, 0xcb, 0x51, 0x7d, 0x76, 0x31, ++ 0x5a, 0x64, 0xf0, 0xf7 ++}; ++ ++__fips_constseg static const unsigned char sha512_personalizationstring[] = { ++ 0xc2, 0x6d, 0xa3, 0xc3, 0x06, 0x74, 0xe5, 0x01, 0x5c, 0x10, 0x17, 0xc7, ++ 0xaf, 0x83, 0x9d, 0x59, 0x8d, 0x2d, 0x29, 0x38, 0xc5, 0x59, 0x70, 0x8b, ++ 0x46, 0x48, 0x2d, 0xcf, 0x36, 0x7d, 0x59, 0xc0 ++}; ++ ++__fips_constseg static const unsigned char sha512_additionalinput[] = { ++ 0xec, 0x8c, 0xd4, 0xf7, 0x61, 0x6e, 0x0d, 0x95, 0x79, 0xb7, 0x28, 0xad, ++ 0x5f, 0x69, 0x74, 0x5f, 0x2d, 0x36, 0x06, 0x8a, 0x6b, 0xac, 0x54, 0x97, ++ 0xc4, 0xa1, 0x12, 0x85, 0x0a, 0xdf, 0x4b, 0x34 ++}; ++ ++__fips_constseg static const unsigned char sha512_int_returnedbits[] = { ++ 0x84, 0x2f, 0x1f, 0x68, 0x6a, 0xa3, 0xad, 0x1e, 0xfb, 0xf4, 0x15, 0xbd, ++ 0xde, 0x38, 0xd4, 0x30, 0x80, 0x51, 0xe9, 0xd3, 0xc7, 0x20, 0x88, 0xe9, ++ 0xf5, 0xcc, 0xdf, 0x57, 0x5c, 0x47, 0x2f, 0x57, 0x3c, 0x5f, 0x13, 0x56, ++ 0xcc, 0xc5, 0x4f, 0x84, 0xf8, 0x10, 0x41, 0xd5, 0x7e, 0x58, 0x6e, 0x19, ++ 0x19, 0x9e, 0xaf, 0xc2, 0x22, 0x58, 0x41, 0x50, 0x79, 0xc2, 0xd8, 0x04, ++ 0x28, 0xd4, 0x39, 0x9a ++}; ++ ++__fips_constseg static const unsigned char sha512_entropyinputreseed[] = { ++ 0xfa, 0x7f, 0x46, 0x51, 0x83, 0x62, 0x98, 0x16, 0x9a, 0x19, 0xa2, 0x49, ++ 0xa9, 0xe6, 0x4a, 0xd8, 0x85, 0xe7, 0xd4, 0x3b, 0x2c, 0x82, 0xc5, 0x82, ++ 0xbf, 0x11, 0xf9, 0x9e, 0xbc, 0xd0, 0x01, 0xee ++}; ++ ++__fips_constseg static const unsigned char sha512_additionalinputreseed[] = { ++ 0xb9, 0x12, 0xe0, 0x4f, 0xf7, 0xa7, 0xc4, 0xd8, 0xd0, 0x8e, 0x99, 0x29, ++ 0x7c, 0x9a, 0xe9, 0xcf, 0xc4, 0x6c, 0xf8, 0xc3, 0xa7, 0x41, 0x83, 0xd6, ++ 0x2e, 0xfa, 0xb8, 0x5e, 0x8e, 0x6b, 0x78, 0x20 ++}; ++ ++__fips_constseg static const unsigned char sha512_additionalinput2[] = { ++ 0xd7, 0x07, 0x52, 0xb9, 0x83, 0x2c, 0x03, 0x71, 0xee, 0xc9, 0xc0, 0x85, ++ 0xe1, 0x57, 0xb2, 0xcd, 0x3a, 0xf0, 0xc9, 0x34, 0x24, 0x41, 0x1c, 0x42, ++ 0x99, 0xb2, 0x84, 0xe9, 0x17, 0xd2, 0x76, 0x92 ++}; ++ ++__fips_constseg static const unsigned char sha512_returnedbits[] = { ++ 0x36, 0x17, 0x5d, 0x98, 0x2b, 0x65, 0x25, 0x8e, 0xc8, 0x29, 0xdf, 0x27, ++ 0x05, 0x36, 0x26, 0x12, 0x8a, 0x68, 0x74, 0x27, 0x37, 0xd4, 0x7f, 0x32, ++ 0xb1, 0x12, 0xd6, 0x85, 0x83, 0xeb, 0x2e, 0xa0, 0xed, 0x4b, 0xb5, 0x7b, ++ 0x6f, 0x39, 0x3c, 0x71, 0x77, 0x02, 0x12, 0xcc, 0x2c, 0x3a, 0x8e, 0x63, ++ 0xdf, 0x4a, 0xbd, 0x6f, 0x6e, 0x2e, 0xed, 0x0a, 0x85, 0xa5, 0x2f, 0xa2, ++ 0x68, 0xde, 0x42, 0xb5 ++}; ++ ++/* HMAC SHA-1 PR */ ++__fips_constseg static const unsigned char hmac_sha1_pr_entropyinput[] = { ++ 0x26, 0x5f, 0x36, 0x14, 0xff, 0x3d, 0x83, 0xfa, 0x73, 0x5e, 0x75, 0xdc, ++ 0x2c, 0x18, 0x17, 0x1b ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_pr_nonce[] = { ++ 0xc8, 0xe3, 0x57, 0xa5, 0x7b, 0x74, 0x86, 0x6e ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha1_pr_personalizationstring[] = { ++ 0x6e, 0xdb, 0x0d, 0xfe, 0x7d, 0xac, 0x79, 0xd0, 0xa5, 0x3a, 0x48, 0x85, ++ 0x80, 0xe2, 0x7f, 0x2a ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput[] = { ++ 0x31, 0xcd, 0x5e, 0x43, 0xdc, 0xfb, 0x7a, 0x79, 0xca, 0x88, 0xde, 0x1f, ++ 0xd7, 0xbb, 0x42, 0x09 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr[] = { ++ 0x7c, 0x23, 0x95, 0x38, 0x00, 0x95, 0xc1, 0x78, 0x1f, 0x8f, 0xd7, 0x63, ++ 0x23, 0x87, 0x2a, 0xed ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_pr_int_returnedbits[] = { ++ 0xbb, 0x34, 0xe7, 0x93, 0xa3, 0x02, 0x2c, 0x4a, 0xd0, 0x89, 0xda, 0x7f, ++ 0xed, 0xf4, 0x4c, 0xde, 0x17, 0xec, 0xe5, 0x6c ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput2[] = { ++ 0x49, 0xbc, 0x2d, 0x2c, 0xb7, 0x32, 0xcb, 0x20, 0xdf, 0xf5, 0x77, 0x58, ++ 0xa0, 0x4b, 0x93, 0x6e ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr2[] = { ++ 0x3c, 0xaa, 0xb0, 0x21, 0x42, 0xb0, 0xdd, 0x34, 0xf0, 0x16, 0x7f, 0x0c, ++ 0x0f, 0xff, 0x2e, 0xaf ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_pr_returnedbits[] = { ++ 0x8e, 0xcb, 0xa3, 0x64, 0xb2, 0xb8, 0x33, 0x6c, 0x64, 0x3b, 0x78, 0x16, ++ 0x99, 0x35, 0xc8, 0x30, 0xcb, 0x3e, 0xa0, 0xd8 ++}; ++ ++/* HMAC SHA-1 No PR */ ++__fips_constseg static const unsigned char hmac_sha1_entropyinput[] = { ++ 0x32, 0x9a, 0x2a, 0x87, 0x7b, 0x89, 0x7c, 0xf6, 0xcb, 0x95, 0xd5, 0x40, ++ 0x17, 0xfe, 0x47, 0x70 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_nonce[] = { ++ 0x16, 0xd8, 0xe0, 0xc7, 0x52, 0xcf, 0x4a, 0x25 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_personalizationstring[] = { ++ 0x35, 0x35, 0xa9, 0xa5, 0x40, 0xbe, 0x9b, 0xd1, 0x56, 0xdd, 0x44, 0x00, ++ 0x72, 0xf7, 0xd3, 0x5e ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_additionalinput[] = { ++ 0x1b, 0x2c, 0x84, 0x2d, 0x4a, 0x89, 0x8f, 0x69, 0x19, 0xf1, 0xf3, 0xdb, ++ 0xbb, 0xe3, 0xaa, 0xea ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_int_returnedbits[] = { ++ 0xcf, 0xfa, 0x7d, 0x72, 0x0f, 0xe6, 0xc7, 0x96, 0xa0, 0x69, 0x31, 0x11, ++ 0x9b, 0x0b, 0x1a, 0x20, 0x1f, 0x3f, 0xaa, 0xd1 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_entropyinputreseed[] = { ++ 0x90, 0x75, 0x15, 0x04, 0x95, 0xf1, 0xba, 0x81, 0x0c, 0x37, 0x94, 0x6f, ++ 0x86, 0x52, 0x6d, 0x9c ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_additionalinputreseed[] = { ++ 0x5b, 0x40, 0xba, 0x5f, 0x17, 0x70, 0xf0, 0x4b, 0xdf, 0xc9, 0x97, 0x92, ++ 0x79, 0xc5, 0x82, 0x28 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_additionalinput2[] = { ++ 0x97, 0xc8, 0x80, 0x90, 0xb3, 0xaa, 0x6e, 0x60, 0xea, 0x83, 0x7a, 0xe3, ++ 0x8a, 0xca, 0xa4, 0x7f ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_returnedbits[] = { ++ 0x90, 0xbd, 0x05, 0x56, 0x6d, 0xb5, 0x22, 0xd5, 0xb9, 0x5a, 0x29, 0x2d, ++ 0xe9, 0x0b, 0xe1, 0xac, 0xde, 0x27, 0x0b, 0xb0 ++}; ++ ++/* HMAC SHA-224 PR */ ++__fips_constseg static const unsigned char hmac_sha224_pr_entropyinput[] = { ++ 0x17, 0x32, 0x2b, 0x2e, 0x6f, 0x1b, 0x9c, 0x6d, 0x31, 0xe0, 0x34, 0x07, ++ 0xcf, 0xed, 0xf6, 0xb6, 0x5a, 0x76, 0x4c, 0xbc, 0x62, 0x85, 0x01, 0x90 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_pr_nonce[] = { ++ 0x38, 0xbf, 0x5f, 0x20, 0xb3, 0x68, 0x2f, 0x43, 0x61, 0x05, 0x8f, 0x23 ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha224_pr_personalizationstring[] = { ++ 0xc0, 0xc9, 0x45, 0xac, 0x8d, 0x27, 0x77, 0x08, 0x0b, 0x17, 0x6d, 0xed, ++ 0xc1, 0x7d, 0xd5, 0x07, 0x9d, 0x6e, 0xf8, 0x23, 0x2a, 0x22, 0x13, 0xbd ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput[] = { ++ 0xa4, 0x3c, 0xe7, 0x3b, 0xea, 0x19, 0x45, 0x32, 0xc2, 0x83, 0x6d, 0x21, ++ 0x8a, 0xc0, 0xee, 0x67, 0x45, 0xde, 0x13, 0x7d, 0x9d, 0x61, 0x00, 0x3b ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr[] = { ++ 0x15, 0x05, 0x74, 0x4a, 0x7f, 0x8d, 0x5c, 0x60, 0x16, 0xe5, 0x7b, 0xad, ++ 0xf5, 0x41, 0x8f, 0x55, 0x60, 0xc4, 0x09, 0xee, 0x1e, 0x11, 0x81, 0xab ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_pr_int_returnedbits[] = { ++ 0x6f, 0xf5, 0x9a, 0xe2, 0x54, 0x53, 0x30, 0x3d, 0x5a, 0x27, 0x29, 0x38, ++ 0x27, 0xf2, 0x0d, 0x05, 0xe9, 0x26, 0xcb, 0x16, 0xc3, 0x51, 0x5f, 0x13, ++ 0x41, 0xfe, 0x99, 0xf2 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput2[] = { ++ 0x73, 0x81, 0x88, 0x84, 0x8f, 0xed, 0x6f, 0x10, 0x9f, 0x93, 0xbf, 0x17, ++ 0x35, 0x7c, 0xef, 0xd5, 0x8d, 0x26, 0xa6, 0x7a, 0xe8, 0x09, 0x36, 0x4f ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr2[] = { ++ 0xe6, 0xcf, 0xcf, 0x7e, 0x12, 0xe5, 0x43, 0xd2, 0x38, 0xd8, 0x24, 0x6f, ++ 0x5a, 0x37, 0x68, 0xbf, 0x4f, 0xa0, 0xff, 0xd5, 0x61, 0x8a, 0x93, 0xe0 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_pr_returnedbits[] = { ++ 0xaf, 0xf9, 0xd8, 0x19, 0x91, 0x30, 0x82, 0x6f, 0xa9, 0x1e, 0x9d, 0xd7, ++ 0xf3, 0x50, 0xe0, 0xc7, 0xd5, 0x64, 0x96, 0x7d, 0x4c, 0x4d, 0x78, 0x03, ++ 0x6d, 0xd8, 0x9e, 0x72 ++}; ++ ++/* HMAC SHA-224 No PR */ ++__fips_constseg static const unsigned char hmac_sha224_entropyinput[] = { ++ 0x11, 0x82, 0xfd, 0xd9, 0x42, 0xf4, 0xfa, 0xc8, 0xf2, 0x41, 0xe6, 0x54, ++ 0x01, 0xae, 0x22, 0x6e, 0xc6, 0xaf, 0xaf, 0xd0, 0xa6, 0xb2, 0xe2, 0x6d ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_nonce[] = { ++ 0xa9, 0x48, 0xd7, 0x92, 0x39, 0x7e, 0x2a, 0xdc, 0x30, 0x1f, 0x0e, 0x2b ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha224_personalizationstring[] = { ++ 0x11, 0xd5, 0xf4, 0xbd, 0x67, 0x8c, 0x31, 0xcf, 0xa3, 0x3f, 0x1e, 0x6b, ++ 0xa8, 0x07, 0x02, 0x0b, 0xc8, 0x2e, 0x6c, 0x64, 0x41, 0x5b, 0xc8, 0x37 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_additionalinput[] = { ++ 0x68, 0x18, 0xc2, 0x06, 0xeb, 0x3e, 0x04, 0x95, 0x44, 0x5e, 0xfb, 0xe6, ++ 0x41, 0xc1, 0x5c, 0xcc, 0x40, 0x2f, 0xb7, 0xd2, 0x0f, 0xf3, 0x6b, 0xe7 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_int_returnedbits[] = { ++ 0x7f, 0x45, 0xc7, 0x5d, 0x32, 0xe6, 0x17, 0x60, 0xba, 0xdc, 0xb8, 0x42, ++ 0x1b, 0x9c, 0xf1, 0xfa, 0x3b, 0x4d, 0x29, 0x54, 0xc6, 0x90, 0xff, 0x5c, ++ 0xcd, 0xd6, 0xa9, 0xcc ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_entropyinputreseed[] = { ++ 0xc4, 0x8e, 0x37, 0x95, 0x69, 0x53, 0x28, 0xd7, 0x37, 0xbb, 0x70, 0x95, ++ 0x1c, 0x07, 0x1d, 0xd9, 0xb7, 0xe6, 0x1b, 0xbb, 0xfe, 0x41, 0xeb, 0xc9 ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha224_additionalinputreseed[] = { ++ 0x53, 0x17, 0xa1, 0x6a, 0xfa, 0x77, 0x47, 0xb0, 0x95, 0x56, 0x9a, 0x20, ++ 0x57, 0xde, 0x5c, 0x89, 0x9f, 0x7f, 0xe2, 0xde, 0x17, 0x3a, 0x50, 0x23 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_additionalinput2[] = { ++ 0x3a, 0x32, 0xf9, 0x85, 0x0c, 0xc1, 0xed, 0x76, 0x2d, 0xdf, 0x40, 0xc3, ++ 0x06, 0x22, 0x66, 0xd4, 0x9a, 0x9a, 0xff, 0x5a, 0x7e, 0x7a, 0xf3, 0x96 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_returnedbits[] = { ++ 0x43, 0xb4, 0x57, 0x5c, 0x38, 0x25, 0x9d, 0xae, 0xec, 0x96, 0xd1, 0x85, ++ 0x3a, 0x84, 0x8d, 0xfe, 0x68, 0xd5, 0x0e, 0x5c, 0x8f, 0x65, 0xa5, 0x4e, ++ 0x45, 0x84, 0xa8, 0x94 ++}; ++ ++/* HMAC SHA-256 PR */ ++__fips_constseg static const unsigned char hmac_sha256_pr_entropyinput[] = { ++ 0x4d, 0xb0, 0x43, 0xd8, 0x34, 0x4b, 0x10, 0x70, 0xb1, 0x8b, 0xed, 0xea, ++ 0x07, 0x92, 0x9f, 0x6c, 0x79, 0x31, 0xaf, 0x81, 0x29, 0xeb, 0x6e, 0xca, ++ 0x32, 0x48, 0x28, 0xe7, 0x02, 0x5d, 0xa6, 0xa6 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_pr_nonce[] = { ++ 0x3a, 0xae, 0x15, 0xa9, 0x99, 0xdc, 0xe4, 0x67, 0x34, 0x3b, 0x70, 0x15, ++ 0xaa, 0xd3, 0x30, 0x9a ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha256_pr_personalizationstring[] = { ++ 0x13, 0x1d, 0x24, 0x04, 0xb0, 0x18, 0x81, 0x15, 0x21, 0x51, 0x2a, 0x24, ++ 0x52, 0x61, 0xbe, 0x64, 0x82, 0x6b, 0x55, 0x2f, 0xe2, 0xf1, 0x40, 0x7d, ++ 0x71, 0xd8, 0x01, 0x86, 0x15, 0xb7, 0x8b, 0xb5 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput[] = { ++ 0x8f, 0xa6, 0x54, 0x5f, 0xb1, 0xd0, 0xd8, 0xc3, 0xe7, 0x0c, 0x15, 0xa9, ++ 0x23, 0x6e, 0xfe, 0xfb, 0x93, 0xf7, 0x3a, 0xbd, 0x59, 0x01, 0xfa, 0x18, ++ 0x8e, 0xe9, 0x1a, 0xa9, 0x78, 0xfc, 0x79, 0x0b ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr[] = { ++ 0xcf, 0x24, 0xb9, 0xeb, 0xb3, 0xd4, 0xcd, 0x17, 0x37, 0x38, 0x75, 0x79, ++ 0x15, 0xcb, 0x2d, 0x75, 0x51, 0xf1, 0xcc, 0xaa, 0x32, 0xa4, 0xa7, 0x36, ++ 0x7c, 0x5c, 0xe4, 0x47, 0xf1, 0x3e, 0x1d, 0xe5 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_pr_int_returnedbits[] = { ++ 0x52, 0x42, 0xfa, 0xeb, 0x85, 0xe0, 0x30, 0x22, 0x79, 0x00, 0x16, 0xb2, ++ 0x88, 0x2f, 0x14, 0x6a, 0xb7, 0xfc, 0xb7, 0x53, 0xdc, 0x4a, 0x12, 0xef, ++ 0x54, 0xd6, 0x33, 0xe9, 0x20, 0xd6, 0xfd, 0x56 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput2[] = { ++ 0xf4, 0xf6, 0x49, 0xa1, 0x2d, 0x64, 0x2b, 0x30, 0x58, 0xf8, 0xbd, 0xb8, ++ 0x75, 0xeb, 0xbb, 0x5e, 0x1c, 0x9b, 0x81, 0x6a, 0xda, 0x14, 0x86, 0x6e, ++ 0xd0, 0xda, 0x18, 0xb7, 0x88, 0xfb, 0x59, 0xf3 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr2[] = { ++ 0x21, 0xcd, 0x6e, 0x46, 0xad, 0x99, 0x07, 0x17, 0xb4, 0x3d, 0x76, 0x0a, ++ 0xff, 0x5b, 0x52, 0x50, 0x78, 0xdf, 0x1f, 0x24, 0x06, 0x0d, 0x3f, 0x74, ++ 0xa9, 0xc9, 0x37, 0xcf, 0xd8, 0x26, 0x25, 0x91 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_pr_returnedbits[] = { ++ 0xa7, 0xaf, 0x2f, 0x29, 0xe0, 0x3a, 0x72, 0x95, 0x96, 0x1c, 0xa9, 0xf0, ++ 0x4a, 0x17, 0x4d, 0x66, 0x06, 0x10, 0xbf, 0x39, 0x89, 0x88, 0xb8, 0x91, ++ 0x37, 0x18, 0x99, 0xcf, 0x8c, 0x53, 0x3b, 0x7e ++}; ++ ++/* HMAC SHA-256 No PR */ ++__fips_constseg static const unsigned char hmac_sha256_entropyinput[] = { ++ 0x96, 0xb7, 0x53, 0x22, 0x1e, 0x52, 0x2a, 0x96, 0xb1, 0x15, 0x3c, 0x35, ++ 0x5a, 0x8b, 0xd3, 0x4a, 0xa6, 0x6c, 0x83, 0x0a, 0x7d, 0xa3, 0x23, 0x3d, ++ 0x43, 0xa1, 0x07, 0x2c, 0x2d, 0xe3, 0x81, 0xcc ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_nonce[] = { ++ 0xf1, 0xac, 0x97, 0xcb, 0x5e, 0x06, 0x48, 0xd2, 0x94, 0xbe, 0x15, 0x2e, ++ 0xc7, 0xfc, 0xc2, 0x01 ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha256_personalizationstring[] = { ++ 0x98, 0xc5, 0x1e, 0x35, 0x5e, 0x89, 0x0d, 0xce, 0x64, 0x6d, 0x18, 0xa7, ++ 0x5a, 0xc6, 0xf3, 0xe7, 0xd6, 0x9e, 0xc0, 0xea, 0xb7, 0x3a, 0x8d, 0x65, ++ 0xb8, 0xeb, 0x10, 0xd7, 0x57, 0x18, 0xa0, 0x32 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_additionalinput[] = { ++ 0x1b, 0x10, 0xaf, 0xac, 0xd0, 0x65, 0x95, 0xad, 0x04, 0xad, 0x03, 0x1c, ++ 0xe0, 0x40, 0xd6, 0x3e, 0x1c, 0x46, 0x53, 0x39, 0x7c, 0xe2, 0xbc, 0xda, ++ 0x8c, 0xa2, 0x33, 0xa7, 0x9a, 0x26, 0xd3, 0x27 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_int_returnedbits[] = { ++ 0xba, 0x61, 0x0e, 0x55, 0xfe, 0x11, 0x8a, 0x9e, 0x0f, 0x80, 0xdf, 0x1d, ++ 0x03, 0x0a, 0xfe, 0x15, 0x94, 0x28, 0x4b, 0xba, 0xf4, 0x9f, 0x51, 0x25, ++ 0x88, 0xe5, 0x4e, 0xfb, 0xaf, 0xce, 0x69, 0x90 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_entropyinputreseed[] = { ++ 0x62, 0x7f, 0x1e, 0x6b, 0xe8, 0x8e, 0xe1, 0x35, 0x7d, 0x9b, 0x4f, 0xc7, ++ 0xec, 0xc8, 0xac, 0xef, 0x6b, 0x13, 0x9e, 0x05, 0x56, 0xc1, 0x08, 0xf9, ++ 0x2f, 0x0f, 0x27, 0x9c, 0xd4, 0x15, 0xed, 0x2d ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha256_additionalinputreseed[] = { ++ 0xc7, 0x76, 0x6e, 0xa9, 0xd2, 0xb2, 0x76, 0x40, 0x82, 0x25, 0x2c, 0xb3, ++ 0x6f, 0xac, 0xe9, 0x74, 0xef, 0x8f, 0x3c, 0x8e, 0xcd, 0xf1, 0xbf, 0xb3, ++ 0x49, 0x77, 0x34, 0x88, 0x52, 0x36, 0xe6, 0x2e ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_additionalinput2[] = { ++ 0x8d, 0xb8, 0x0c, 0xd1, 0xbf, 0x70, 0xf6, 0x19, 0xc3, 0x41, 0x80, 0x9f, ++ 0xe1, 0xa5, 0xa4, 0x1f, 0x2c, 0x26, 0xb1, 0xe5, 0xd8, 0xeb, 0xbe, 0xf8, ++ 0xdf, 0x88, 0x6a, 0x89, 0xd6, 0x05, 0xd8, 0x9d ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_returnedbits[] = { ++ 0x43, 0x12, 0x2a, 0x2c, 0x40, 0x53, 0x2e, 0x7c, 0x66, 0x34, 0xac, 0xc3, ++ 0x43, 0xe3, 0xe0, 0x6a, 0xfc, 0xfa, 0xea, 0x87, 0x21, 0x1f, 0xe2, 0x26, ++ 0xc4, 0xf9, 0x09, 0x9a, 0x0d, 0x6e, 0x7f, 0xe0 ++}; ++ ++/* HMAC SHA-384 PR */ ++__fips_constseg static const unsigned char hmac_sha384_pr_entropyinput[] = { ++ 0x69, 0x81, 0x98, 0x88, 0x44, 0xf5, 0xd6, 0x2e, 0x00, 0x08, 0x3b, 0xc5, ++ 0xfb, 0xd7, 0x8e, 0x6f, 0x23, 0xf8, 0x6d, 0x09, 0xd6, 0x85, 0x49, 0xd1, ++ 0xf8, 0x6d, 0xa4, 0x58, 0x54, 0xfd, 0x88, 0xa9 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_pr_nonce[] = { ++ 0x6e, 0x38, 0x81, 0xca, 0xb7, 0xe8, 0x6e, 0x66, 0x49, 0x8a, 0xb2, 0x59, ++ 0xee, 0x16, 0xc9, 0xde ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha384_pr_personalizationstring[] = { ++ 0xfe, 0x4c, 0xd9, 0xf4, 0x78, 0x3b, 0x08, 0x41, 0x8d, 0x8f, 0x55, 0xc4, ++ 0x43, 0x56, 0xb6, 0x12, 0x36, 0x6b, 0x30, 0xb7, 0x5e, 0xe1, 0xb9, 0x47, ++ 0x04, 0xb1, 0x4e, 0xa9, 0x00, 0xa1, 0x52, 0xa1 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput[] = { ++ 0x89, 0xe9, 0xcc, 0x8f, 0x27, 0x3c, 0x26, 0xd1, 0x95, 0xc8, 0x7d, 0x0f, ++ 0x5b, 0x1a, 0xf0, 0x78, 0x39, 0x56, 0x6f, 0xa4, 0x23, 0xe7, 0xd1, 0xda, ++ 0x7c, 0x66, 0x33, 0xa0, 0x90, 0xc9, 0x92, 0x88 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr[] = { ++ 0xbe, 0x3d, 0x7c, 0x0d, 0xca, 0xda, 0x7c, 0x49, 0xb8, 0x12, 0x36, 0xc0, ++ 0xdb, 0xad, 0x35, 0xa8, 0xc7, 0x0b, 0x2a, 0x2c, 0x69, 0x6d, 0x25, 0x56, ++ 0x63, 0x82, 0x11, 0x3e, 0xa7, 0x33, 0x70, 0x72 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_pr_int_returnedbits[] = { ++ 0x82, 0x3d, 0xe6, 0x54, 0x80, 0x42, 0xf8, 0xba, 0x90, 0x4f, 0x06, 0xa6, ++ 0xd2, 0x7f, 0xbf, 0x79, 0x7c, 0x12, 0x7d, 0xa6, 0xa2, 0x66, 0xe8, 0xa6, ++ 0xc0, 0xd6, 0x4a, 0x55, 0xbf, 0xd8, 0x0a, 0xc5, 0xf8, 0x03, 0x88, 0xdd, ++ 0x8e, 0x87, 0xd1, 0x5a, 0x48, 0x26, 0x72, 0x2a, 0x8e, 0xcf, 0xee, 0xba ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput2[] = { ++ 0x8f, 0xff, 0xd9, 0x84, 0xbb, 0x85, 0x3a, 0x66, 0xa1, 0x21, 0xce, 0xb2, ++ 0x3a, 0x3a, 0x17, 0x22, 0x19, 0xae, 0xc7, 0xb6, 0x63, 0x81, 0xd5, 0xff, ++ 0x0d, 0xc8, 0xe1, 0xaf, 0x57, 0xd2, 0xcb, 0x60 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr2[] = { ++ 0xd7, 0xfb, 0xc9, 0xe8, 0xe2, 0xf2, 0xaa, 0x4c, 0xb8, 0x51, 0x2f, 0xe1, ++ 0x22, 0xba, 0xf3, 0xda, 0x0a, 0x19, 0x76, 0x71, 0x57, 0xb2, 0x1d, 0x94, ++ 0x09, 0x69, 0x6c, 0xd3, 0x97, 0x51, 0x81, 0x87 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_pr_returnedbits[] = { ++ 0xe6, 0x19, 0x28, 0xa8, 0x21, 0xce, 0x5e, 0xdb, 0x24, 0x79, 0x8c, 0x76, ++ 0x5d, 0x73, 0xb2, 0xdf, 0xac, 0xef, 0x85, 0xa7, 0x3b, 0x19, 0x09, 0x8b, ++ 0x7f, 0x98, 0x28, 0xa9, 0x93, 0xd8, 0x7a, 0xad, 0x55, 0x8b, 0x24, 0x9d, ++ 0xe6, 0x98, 0xfe, 0x47, 0xd5, 0x48, 0xc1, 0x23, 0xd8, 0x1d, 0x62, 0x75 ++}; ++ ++/* HMAC SHA-384 No PR */ ++__fips_constseg static const unsigned char hmac_sha384_entropyinput[] = { ++ 0xc3, 0x56, 0x2b, 0x1d, 0xc2, 0xbb, 0xa8, 0xf0, 0xae, 0x1b, 0x0d, 0xd3, ++ 0x5a, 0x6c, 0xda, 0x57, 0x8e, 0xa5, 0x8a, 0x0d, 0x6c, 0x4b, 0x18, 0xb1, ++ 0x04, 0x3e, 0xb4, 0x99, 0x35, 0xc4, 0xc0, 0x5f ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_nonce[] = { ++ 0xc5, 0x49, 0x1e, 0x66, 0x27, 0x92, 0xbe, 0xec, 0xb5, 0x1e, 0x4b, 0xb1, ++ 0x38, 0xe3, 0xeb, 0x62 ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha384_personalizationstring[] = { ++ 0xbe, 0xe7, 0x6b, 0x57, 0xde, 0x88, 0x11, 0x96, 0x9b, 0x6e, 0xea, 0xe5, ++ 0x63, 0x83, 0x4c, 0xb6, 0x8d, 0x66, 0xaa, 0x1f, 0x8b, 0x54, 0xe7, 0x62, ++ 0x6d, 0x5a, 0xfc, 0xbf, 0x97, 0xba, 0xcd, 0x77 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_additionalinput[] = { ++ 0xe5, 0x28, 0x5f, 0x43, 0xf5, 0x83, 0x6e, 0x0a, 0x83, 0x5c, 0xe3, 0x81, ++ 0x03, 0xf2, 0xf8, 0x78, 0x00, 0x7c, 0x95, 0x87, 0x16, 0xd6, 0x6c, 0x58, ++ 0x33, 0x6c, 0x53, 0x35, 0x0d, 0x66, 0xe3, 0xce ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_int_returnedbits[] = { ++ 0xe2, 0x1f, 0xf3, 0xda, 0x0d, 0x19, 0x99, 0x87, 0xc4, 0x90, 0xa2, 0x31, ++ 0xca, 0x2a, 0x89, 0x58, 0x43, 0x44, 0xb8, 0xde, 0xcf, 0xa4, 0xbe, 0x3b, ++ 0x53, 0x26, 0x22, 0x31, 0x76, 0x41, 0x22, 0xb5, 0xa8, 0x70, 0x2f, 0x4b, ++ 0x64, 0x95, 0x4d, 0x48, 0x96, 0x35, 0xe6, 0xbd, 0x3c, 0x34, 0xdb, 0x1b ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_entropyinputreseed[] = { ++ 0x77, 0x61, 0xba, 0xbc, 0xf2, 0xc1, 0xf3, 0x4b, 0x86, 0x65, 0xfd, 0x48, ++ 0x0e, 0x3c, 0x02, 0x5e, 0xa2, 0x7a, 0x6b, 0x7c, 0xed, 0x21, 0x5e, 0xf9, ++ 0xcd, 0xcd, 0x77, 0x07, 0x2b, 0xbe, 0xc5, 0x5c ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha384_additionalinputreseed[] = { ++ 0x18, 0x24, 0x5f, 0xc6, 0x84, 0xd1, 0x67, 0xc3, 0x9a, 0x11, 0xa5, 0x8c, ++ 0x07, 0x39, 0x21, 0x83, 0x4d, 0x04, 0xc4, 0x6a, 0x28, 0x19, 0xcf, 0x92, ++ 0x21, 0xd9, 0x9e, 0x41, 0x72, 0x6c, 0x9e, 0x63 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_additionalinput2[] = { ++ 0x96, 0x67, 0x41, 0x28, 0x9b, 0xb7, 0x92, 0x8d, 0x64, 0x3b, 0xe4, 0xcf, ++ 0x7e, 0xaa, 0x1e, 0xb1, 0x4b, 0x1d, 0x09, 0x56, 0x67, 0x9c, 0xc6, 0x6d, ++ 0x3b, 0xe8, 0x91, 0x9d, 0xe1, 0x8a, 0xb7, 0x32 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_returnedbits[] = { ++ 0xe3, 0x59, 0x61, 0x38, 0x92, 0xec, 0xe2, 0x3c, 0xff, 0xb7, 0xdb, 0x19, ++ 0x0f, 0x5b, 0x93, 0x68, 0x0d, 0xa4, 0x94, 0x40, 0x72, 0x0b, 0xe0, 0xed, ++ 0x4d, 0xcd, 0x68, 0xa0, 0x1e, 0xfe, 0x67, 0xb2, 0xfa, 0x21, 0x56, 0x74, ++ 0xa4, 0xad, 0xcf, 0xb7, 0x60, 0x66, 0x2e, 0x40, 0xde, 0x82, 0xca, 0xfb ++}; ++ ++/* HMAC SHA-512 PR */ ++__fips_constseg static const unsigned char hmac_sha512_pr_entropyinput[] = { ++ 0xaa, 0x9e, 0x45, 0x67, 0x0e, 0x00, 0x2a, 0x67, 0x98, 0xd6, 0xda, 0x0b, ++ 0x0f, 0x17, 0x7e, 0xac, 0xfd, 0x27, 0xc4, 0xca, 0x84, 0xdf, 0xde, 0xba, ++ 0x85, 0xd9, 0xbe, 0x8f, 0xf3, 0xff, 0x91, 0x4d ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_pr_nonce[] = { ++ 0x8c, 0x49, 0x2f, 0x58, 0x1e, 0x7a, 0xda, 0x4b, 0x7e, 0x8a, 0x30, 0x7b, ++ 0x86, 0xea, 0xaf, 0xa2 ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha512_pr_personalizationstring[] = { ++ 0x71, 0xe1, 0xbb, 0xad, 0xa7, 0x4b, 0x2e, 0x31, 0x3b, 0x0b, 0xec, 0x24, ++ 0x99, 0x38, 0xbc, 0xaa, 0x05, 0x4c, 0x46, 0x44, 0xfa, 0xad, 0x8e, 0x02, ++ 0xc1, 0x7e, 0xad, 0xec, 0x54, 0xa6, 0xd0, 0xad ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput[] = { ++ 0x3d, 0x6e, 0xa6, 0xa8, 0x29, 0x2a, 0xb2, 0xf5, 0x98, 0x42, 0xe4, 0x92, ++ 0x78, 0x22, 0x67, 0xfd, 0x1b, 0x15, 0x1e, 0x29, 0xaa, 0x71, 0x3c, 0x3c, ++ 0xe7, 0x05, 0x20, 0xa9, 0x29, 0xc6, 0x75, 0x71 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr[] = { ++ 0xab, 0xb9, 0x16, 0xd8, 0x55, 0x35, 0x54, 0xb7, 0x97, 0x3f, 0x94, 0xbc, ++ 0x2f, 0x7c, 0x70, 0xc7, 0xd0, 0xed, 0xb7, 0x4b, 0xf7, 0xf6, 0x6c, 0x03, ++ 0x0c, 0xb0, 0x03, 0xd8, 0xbb, 0x71, 0xd9, 0x10 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_pr_int_returnedbits[] = { ++ 0x8e, 0xd3, 0xfd, 0x52, 0x9e, 0x83, 0x08, 0x49, 0x18, 0x6e, 0x23, 0x56, ++ 0x5c, 0x45, 0x93, 0x34, 0x05, 0xe2, 0x98, 0x8f, 0x0c, 0xd4, 0x32, 0x0c, ++ 0xfd, 0xda, 0x5f, 0x92, 0x3a, 0x8c, 0x81, 0xbd, 0xf6, 0x6c, 0x55, 0xfd, ++ 0xb8, 0x20, 0xce, 0x8d, 0x97, 0x27, 0xe8, 0xe8, 0xe0, 0xb3, 0x85, 0x50, ++ 0xa2, 0xc2, 0xb2, 0x95, 0x1d, 0x48, 0xd3, 0x7b, 0x4b, 0x78, 0x13, 0x35, ++ 0x05, 0x17, 0xbe, 0x0d ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput2[] = { ++ 0xc3, 0xfc, 0x95, 0xaa, 0x69, 0x06, 0xae, 0x59, 0x41, 0xce, 0x26, 0x08, ++ 0x29, 0x6d, 0x45, 0xda, 0xe8, 0xb3, 0x6c, 0x95, 0x60, 0x0f, 0x70, 0x2c, ++ 0x10, 0xba, 0x38, 0x8c, 0xcf, 0x29, 0x99, 0xaa ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr2[] = { ++ 0x3b, 0x9a, 0x25, 0xce, 0xd7, 0xf9, 0x5c, 0xd1, 0x3a, 0x3e, 0xaa, 0x71, ++ 0x14, 0x3e, 0x19, 0xe8, 0xce, 0xe6, 0xfe, 0x51, 0x84, 0xe9, 0x1b, 0xfe, ++ 0x3f, 0xa7, 0xf2, 0xfd, 0x76, 0x5f, 0x6a, 0xe7 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_pr_returnedbits[] = { ++ 0xb7, 0x82, 0xa9, 0x57, 0x81, 0x67, 0x53, 0xb5, 0xa1, 0xe9, 0x3d, 0x35, ++ 0xf9, 0xe4, 0x97, 0xbe, 0xa6, 0xca, 0xf1, 0x01, 0x13, 0x09, 0xe7, 0x21, ++ 0xc0, 0xed, 0x93, 0x5d, 0x4b, 0xf4, 0xeb, 0x8d, 0x53, 0x25, 0x8a, 0xc4, ++ 0xb1, 0x6f, 0x6e, 0x37, 0xcd, 0x2e, 0xac, 0x39, 0xb2, 0xb6, 0x99, 0xa3, ++ 0x82, 0x00, 0xb0, 0x21, 0xf0, 0xc7, 0x2f, 0x4c, 0x73, 0x92, 0xfd, 0x00, ++ 0xb6, 0xaf, 0xbc, 0xd3 ++}; ++ ++/* HMAC SHA-512 No PR */ ++__fips_constseg static const unsigned char hmac_sha512_entropyinput[] = { ++ 0x6e, 0x85, 0xe6, 0x25, 0x96, 0x29, 0xa7, 0x52, 0x5b, 0x60, 0xba, 0xaa, ++ 0xde, 0xdb, 0x36, 0x0a, 0x51, 0x9a, 0x15, 0xae, 0x6e, 0x18, 0xd3, 0xfe, ++ 0x39, 0xb9, 0x4a, 0x96, 0xf8, 0x77, 0xcb, 0x95 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_nonce[] = { ++ 0xe0, 0xa6, 0x5d, 0x08, 0xc3, 0x7c, 0xae, 0x25, 0x2e, 0x80, 0xd1, 0x3e, ++ 0xd9, 0xaf, 0x43, 0x3c ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha512_personalizationstring[] = { ++ 0x53, 0x99, 0x52, 0x5f, 0x11, 0xa9, 0x64, 0x66, 0x20, 0x5e, 0x1b, 0x5f, ++ 0x42, 0xb3, 0xf4, 0xda, 0xed, 0xbb, 0x63, 0xc1, 0x23, 0xaf, 0xd0, 0x01, ++ 0x90, 0x3b, 0xd0, 0x78, 0xe4, 0x0b, 0xa7, 0x20 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_additionalinput[] = { ++ 0x85, 0x90, 0x80, 0xd3, 0x98, 0xf1, 0x53, 0x6d, 0x68, 0x15, 0x8f, 0xe5, ++ 0x60, 0x3f, 0x17, 0x29, 0x55, 0x8d, 0x33, 0xb1, 0x45, 0x64, 0x64, 0x8d, ++ 0x50, 0x21, 0x89, 0xae, 0xf6, 0xfd, 0x32, 0x73 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_int_returnedbits[] = { ++ 0x28, 0x56, 0x30, 0x6f, 0xf4, 0xa1, 0x48, 0xe0, 0xc9, 0xf5, 0x75, 0x90, ++ 0xcc, 0xfb, 0xdf, 0xdf, 0x71, 0x3d, 0x0a, 0x9a, 0x03, 0x65, 0x3b, 0x18, ++ 0x61, 0xe3, 0xd1, 0xda, 0xcc, 0x4a, 0xfe, 0x55, 0x38, 0xf8, 0x21, 0x6b, ++ 0xfa, 0x18, 0x01, 0x42, 0x39, 0x2f, 0x99, 0x53, 0x38, 0x15, 0x82, 0x34, ++ 0xc5, 0x93, 0x92, 0xbc, 0x4d, 0x75, 0x1a, 0x5f, 0x21, 0x27, 0xcc, 0xa1, ++ 0xb1, 0x57, 0x69, 0xe8 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_entropyinputreseed[] = { ++ 0x8c, 0x52, 0x7e, 0x77, 0x72, 0x3f, 0xa3, 0x04, 0x97, 0x10, 0x9b, 0x41, ++ 0xbd, 0xe8, 0xff, 0x89, 0xed, 0x80, 0xe3, 0xbd, 0xaa, 0x12, 0x2d, 0xca, ++ 0x75, 0x82, 0x36, 0x77, 0x88, 0xcd, 0xa6, 0x73 ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha512_additionalinputreseed[] = { ++ 0x7e, 0x32, 0xe3, 0x69, 0x69, 0x07, 0x34, 0xa2, 0x16, 0xa2, 0x5d, 0x1a, ++ 0x10, 0x91, 0xd3, 0xe2, 0x21, 0xa2, 0xa3, 0xdd, 0xcd, 0x0c, 0x09, 0x86, ++ 0x11, 0xe1, 0x50, 0xff, 0x5c, 0xb7, 0xeb, 0x5c ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_additionalinput2[] = { ++ 0x7f, 0x78, 0x66, 0xd8, 0xfb, 0x67, 0xcf, 0x8d, 0x8c, 0x08, 0x30, 0xa5, ++ 0xf8, 0x7d, 0xcf, 0x44, 0x59, 0xce, 0xf8, 0xdf, 0x58, 0xd3, 0x60, 0xcb, ++ 0xa8, 0x60, 0xb9, 0x07, 0xc4, 0xb1, 0x95, 0x48 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_returnedbits[] = { ++ 0xdf, 0xa7, 0x36, 0xd4, 0xdc, 0x5d, 0x4d, 0x31, 0xad, 0x69, 0x46, 0x9f, ++ 0xf1, 0x7c, 0xd7, 0x3b, 0x4f, 0x55, 0xf2, 0xd7, 0xb9, 0x9d, 0xad, 0x7a, ++ 0x79, 0x08, 0x59, 0xa5, 0xdc, 0x74, 0xf5, 0x9b, 0x73, 0xd2, 0x13, 0x25, ++ 0x0b, 0x81, 0x08, 0x08, 0x25, 0xfb, 0x39, 0xf2, 0xf0, 0xa3, 0xa4, 0x8d, ++ 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79, ++ 0xc2, 0xd6, 0xfd, 0xa5 ++}; +diff -up openssl-1.1.1-pre8/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_dsa_selftest.c +--- openssl-1.1.1-pre8/crypto/fips/fips_dsa_selftest.c.fips 2018-07-25 17:26:58.408624776 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_dsa_selftest.c 2018-07-25 17:26:58.408624776 +0200 +@@ -0,0 +1,195 @@ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#include ++#include ++#include "internal/fips_int.h" ++#include ++#include ++#include ++#include "fips_locl.h" ++ ++#ifdef OPENSSL_FIPS ++ ++static const unsigned char dsa_test_2048_p[] = { ++ 0xa8, 0x53, 0x78, 0xd8, 0xfd, 0x3f, 0x8d, 0x72, 0xec, 0x74, 0x18, 0x08, ++ 0x0d, 0xa2, 0x13, 0x17, 0xe4, 0x3e, 0xc4, 0xb6, 0x2b, 0xa8, 0xc8, 0x62, ++ 0x3b, 0x7e, 0x4d, 0x04, 0x44, 0x1d, 0xd1, 0xa0, 0x65, 0x86, 0x62, 0x59, ++ 0x64, 0x93, 0xca, 0x8e, 0x9e, 0x8f, 0xbb, 0x7e, 0x34, 0xaa, 0xdd, 0xb6, ++ 0x2e, 0x5d, 0x67, 0xb6, 0xd0, 0x9a, 0x6e, 0x61, 0xb7, 0x69, 0xe7, 0xc3, ++ 0x52, 0xaa, 0x2b, 0x10, 0xe2, 0x0c, 0xa0, 0x63, 0x69, 0x63, 0xb5, 0x52, ++ 0x3e, 0x86, 0x47, 0x0d, 0xec, 0xbb, 0xed, 0xa0, 0x27, 0xe7, 0x97, 0xe7, ++ 0xb6, 0x76, 0x35, 0xd4, 0xd4, 0x9c, 0x30, 0x70, 0x0e, 0x74, 0xaf, 0x8a, ++ 0x0f, 0xf1, 0x56, 0xa8, 0x01, 0xaf, 0x57, 0xa2, 0x6e, 0x70, 0x78, 0xf1, ++ 0xd8, 0x2f, 0x74, 0x90, 0x8e, 0xcb, 0x6d, 0x07, 0xe7, 0x0b, 0x35, 0x03, ++ 0xee, 0xd9, 0x4f, 0xa3, 0x2c, 0xf1, 0x7a, 0x7f, 0xc3, 0xd6, 0xcf, 0x40, ++ 0xdc, 0x7b, 0x00, 0x83, 0x0e, 0x6a, 0x25, 0x66, 0xdc, 0x07, 0x3e, 0x34, ++ 0x33, 0x12, 0x51, 0x7c, 0x6a, 0xa5, 0x15, 0x2b, 0x4b, 0xfe, 0xcd, 0x2e, ++ 0x55, 0x1f, 0xee, 0x34, 0x63, 0x18, 0xa1, 0x53, 0x42, 0x3c, 0x99, 0x6b, ++ 0x0d, 0x5d, 0xcb, 0x91, 0x02, 0xae, 0xdd, 0x38, 0x79, 0x86, 0x16, 0xf1, ++ 0xf1, 0xe0, 0xd6, 0xc4, 0x03, 0x52, 0x5b, 0x1f, 0x9b, 0x3d, 0x4d, 0xc7, ++ 0x66, 0xde, 0x2d, 0xfc, 0x4a, 0x56, 0xd7, 0xb8, 0xba, 0x59, 0x63, 0xd6, ++ 0x0f, 0x3e, 0x16, 0x31, 0x88, 0x70, 0xad, 0x43, 0x69, 0x52, 0xe5, 0x57, ++ 0x65, 0x37, 0x4e, 0xab, 0x85, 0xe8, 0xec, 0x17, 0xd6, 0xb9, 0xa4, 0x54, ++ 0x7b, 0x9b, 0x5f, 0x27, 0x52, 0xf3, 0x10, 0x5b, 0xe8, 0x09, 0xb2, 0x3a, ++ 0x2c, 0x8d, 0x74, 0x69, 0xdb, 0x02, 0xe2, 0x4d, 0x59, 0x23, 0x94, 0xa7, ++ 0xdb, 0xa0, 0x69, 0xe9 ++}; ++ ++static const unsigned char dsa_test_2048_q[] = { ++ 0xd2, 0x77, 0x04, 0x4e, 0x50, 0xf5, 0xa4, 0xe3, 0xf5, 0x10, 0xa5, 0x0a, ++ 0x0b, 0x84, 0xfd, 0xff, 0xbc, 0xa0, 0x47, 0xed, 0x27, 0x60, 0x20, 0x56, ++ 0x74, 0x41, 0xa0, 0xa5 ++}; ++ ++static const unsigned char dsa_test_2048_g[] = { ++ 0x13, 0xd7, 0x54, 0xe2, 0x1f, 0xd2, 0x41, 0x65, 0x5d, 0xa8, 0x91, 0xc5, ++ 0x22, 0xa6, 0x5a, 0x72, 0xa8, 0x9b, 0xdc, 0x64, 0xec, 0x9b, 0x54, 0xa8, ++ 0x21, 0xed, 0x4a, 0x89, 0x8b, 0x49, 0x0e, 0x0c, 0x4f, 0xcb, 0x72, 0x19, ++ 0x2a, 0x4a, 0x20, 0xf5, 0x41, 0xf3, 0xf2, 0x92, 0x53, 0x99, 0xf0, 0xba, ++ 0xec, 0xf9, 0x29, 0xaa, 0xfb, 0xf7, 0x9d, 0xfe, 0x43, 0x32, 0x39, 0x3b, ++ 0x32, 0xcd, 0x2e, 0x2f, 0xcf, 0x27, 0x2f, 0x32, 0xa6, 0x27, 0x43, 0x4a, ++ 0x0d, 0xf2, 0x42, 0xb7, 0x5b, 0x41, 0x4d, 0xf3, 0x72, 0x12, 0x1e, 0x53, ++ 0xa5, 0x53, 0xf2, 0x22, 0xf8, 0x36, 0xb0, 0x00, 0xf0, 0x16, 0x48, 0x5b, ++ 0x6b, 0xd0, 0x89, 0x84, 0x51, 0x80, 0x1d, 0xcd, 0x8d, 0xe6, 0x4c, 0xd5, ++ 0x36, 0x56, 0x96, 0xff, 0xc5, 0x32, 0xd5, 0x28, 0xc5, 0x06, 0x62, 0x0a, ++ 0x94, 0x2a, 0x03, 0x05, 0x04, 0x6d, 0x8f, 0x18, 0x76, 0x34, 0x1f, 0x1e, ++ 0x57, 0x0b, 0xc3, 0x97, 0x4b, 0xa6, 0xb9, 0xa4, 0x38, 0xe9, 0x70, 0x23, ++ 0x02, 0xa2, 0xe6, 0xe6, 0x7b, 0xfd, 0x06, 0xd3, 0x2b, 0xc6, 0x79, 0x96, ++ 0x22, 0x71, 0xd7, 0xb4, 0x0c, 0xd7, 0x2f, 0x38, 0x6e, 0x64, 0xe0, 0xd7, ++ 0xef, 0x86, 0xca, 0x8c, 0xa5, 0xd1, 0x42, 0x28, 0xdc, 0x2a, 0x4f, 0x16, ++ 0xe3, 0x18, 0x98, 0x86, 0xb5, 0x99, 0x06, 0x74, 0xf4, 0x20, 0x0f, 0x3a, ++ 0x4c, 0xf6, 0x5a, 0x3f, 0x0d, 0xdb, 0xa1, 0xfa, 0x67, 0x2d, 0xff, 0x2f, ++ 0x5e, 0x14, 0x3d, 0x10, 0xe4, 0xe9, 0x7a, 0xe8, 0x4f, 0x6d, 0xa0, 0x95, ++ 0x35, 0xd5, 0xb9, 0xdf, 0x25, 0x91, 0x81, 0xa7, 0x9b, 0x63, 0xb0, 0x69, ++ 0xe9, 0x49, 0x97, 0x2b, 0x02, 0xba, 0x36, 0xb3, 0x58, 0x6a, 0xab, 0x7e, ++ 0x45, 0xf3, 0x22, 0xf8, 0x2e, 0x4e, 0x85, 0xca, 0x3a, 0xb8, 0x55, 0x91, ++ 0xb3, 0xc2, 0xa9, 0x66 ++}; ++ ++static const unsigned char dsa_test_2048_pub_key[] = { ++ 0x24, 0x52, 0xf3, 0xcc, 0xbe, 0x9e, 0xd5, 0xca, 0x7d, 0xc7, 0x4c, 0x60, ++ 0x2b, 0x99, 0x22, 0x6e, 0x8f, 0x2f, 0xab, 0x38, 0xe7, 0xd7, 0xdd, 0xfb, ++ 0x75, 0x53, 0x9b, 0x17, 0x15, 0x5e, 0x9f, 0xcf, 0xd1, 0xab, 0xa5, 0x64, ++ 0xeb, 0x85, 0x35, 0xd8, 0x12, 0xc9, 0xc2, 0xdc, 0xf9, 0x72, 0x84, 0x44, ++ 0x1b, 0xc4, 0x82, 0x24, 0x36, 0x24, 0xc7, 0xf4, 0x57, 0x58, 0x0c, 0x1c, ++ 0x38, 0xa5, 0x7c, 0x46, 0xc4, 0x57, 0x39, 0x24, 0x70, 0xed, 0xb5, 0x2c, ++ 0xb5, 0xa6, 0xe0, 0x3f, 0xe6, 0x28, 0x7b, 0xb6, 0xf4, 0x9a, 0x42, 0xa2, ++ 0x06, 0x5a, 0x05, 0x4f, 0x03, 0x08, 0x39, 0xdf, 0x1f, 0xd3, 0x14, 0x9c, ++ 0x4c, 0xa0, 0x53, 0x1d, 0xd8, 0xca, 0x8a, 0xaa, 0x9c, 0xc7, 0x33, 0x71, ++ 0x93, 0x38, 0x73, 0x48, 0x33, 0x61, 0x18, 0x22, 0x45, 0x45, 0xe8, 0x8c, ++ 0x80, 0xff, 0xd8, 0x76, 0x5d, 0x74, 0x36, 0x03, 0x33, 0xcc, 0xab, 0x99, ++ 0x72, 0x77, 0x9b, 0x65, 0x25, 0xa6, 0x5b, 0xdd, 0x0d, 0x10, 0xc6, 0x75, ++ 0xc1, 0x09, 0xbb, 0xd3, 0xe5, 0xbe, 0x4d, 0x72, 0xef, 0x6e, 0xba, 0x6e, ++ 0x43, 0x8d, 0x52, 0x26, 0x23, 0x7d, 0xb8, 0x88, 0x37, 0x9c, 0x5f, 0xcc, ++ 0x47, 0xa3, 0x84, 0x7f, 0xf6, 0x37, 0x11, 0xba, 0xed, 0x6d, 0x03, 0xaf, ++ 0xe8, 0x1e, 0x69, 0x4a, 0x41, 0x3b, 0x68, 0x0b, 0xd3, 0x8a, 0xb4, 0x90, ++ 0x3f, 0x83, 0x70, 0xa7, 0x07, 0xef, 0x55, 0x1d, 0x49, 0x41, 0x02, 0x6d, ++ 0x95, 0x79, 0xd6, 0x91, 0xde, 0x8e, 0xda, 0xa1, 0x61, 0x05, 0xeb, 0x9d, ++ 0xba, 0x3c, 0x2f, 0x4c, 0x1b, 0xec, 0x50, 0x82, 0x75, 0xaa, 0x02, 0x07, ++ 0xe2, 0x51, 0xb5, 0xec, 0xcb, 0x28, 0x6a, 0x4b, 0x01, 0xd4, 0x49, 0xd3, ++ 0x0a, 0xcb, 0x67, 0x37, 0x17, 0xa0, 0xd2, 0xfb, 0x3b, 0x50, 0xc8, 0x93, ++ 0xf7, 0xda, 0xb1, 0x4f ++}; ++ ++static const unsigned char dsa_test_2048_priv_key[] = { ++ 0x0c, 0x4b, 0x30, 0x89, 0xd1, 0xb8, 0x62, 0xcb, 0x3c, 0x43, 0x64, 0x91, ++ 0xf0, 0x91, 0x54, 0x70, 0xc5, 0x27, 0x96, 0xe3, 0xac, 0xbe, 0xe8, 0x00, ++ 0xec, 0x55, 0xf6, 0xcc ++}; ++ ++int FIPS_selftest_dsa() ++{ ++ DSA *dsa = NULL; ++ EVP_PKEY *pk = NULL; ++ int ret = -1; ++ BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL; ++ ++ fips_load_key_component(p, dsa_test_2048); ++ fips_load_key_component(q, dsa_test_2048); ++ fips_load_key_component(g, dsa_test_2048); ++ fips_load_key_component(pub_key, dsa_test_2048); ++ fips_load_key_component(priv_key, dsa_test_2048); ++ ++ dsa = DSA_new(); ++ ++ if (dsa == NULL) ++ goto err; ++ ++ DSA_set0_pqg(dsa, p, q, g); ++ ++ DSA_set0_key(dsa, pub_key, priv_key); ++ ++ if ((pk = EVP_PKEY_new()) == NULL) ++ goto err; ++ ++ EVP_PKEY_assign_DSA(pk, dsa); ++ ++ if (!fips_pkey_signature_test(pk, NULL, 0, ++ NULL, 0, EVP_sha256(), 0, "DSA SHA256")) ++ goto err; ++ ret = 1; ++ ++ err: ++ if (pk) ++ EVP_PKEY_free(pk); ++ else if (dsa) ++ DSA_free(dsa); ++ else { ++ BN_free(p); ++ BN_free(q); ++ BN_free(g); ++ BN_free(pub_key); ++ BN_free(priv_key); ++ } ++ return ret; ++} ++#endif +diff -up openssl-1.1.1-pre8/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_ecdh_selftest.c +--- openssl-1.1.1-pre8/crypto/fips/fips_ecdh_selftest.c.fips 2018-07-25 17:26:58.408624776 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_ecdh_selftest.c 2018-07-25 17:26:58.408624776 +0200 +@@ -0,0 +1,242 @@ ++/* fips/ecdh/fips_ecdh_selftest.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project 2011. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ * ++ */ ++ ++#define OPENSSL_FIPSAPI ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#ifdef OPENSSL_FIPS ++ ++# include "fips_locl.h" ++ ++static const unsigned char p256_qcavsx[] = { ++ 0x52, 0xc6, 0xa5, 0x75, 0xf3, 0x04, 0x98, 0xb3, 0x29, 0x66, 0x0c, 0x62, ++ 0x18, 0x60, 0x55, 0x41, 0x59, 0xd4, 0x60, 0x85, 0x99, 0xc1, 0x51, 0x13, ++ 0x6f, 0x97, 0x85, 0x93, 0x33, 0x34, 0x07, 0x50 ++}; ++ ++static const unsigned char p256_qcavsy[] = { ++ 0x6f, 0x69, 0x24, 0xeb, 0xe9, 0x3b, 0xa7, 0xcc, 0x47, 0x17, 0xaa, 0x3f, ++ 0x70, 0xfc, 0x10, 0x73, 0x0a, 0xcd, 0x21, 0xee, 0x29, 0x19, 0x1f, 0xaf, ++ 0xb4, 0x1c, 0x1e, 0xc2, 0x8e, 0x97, 0x81, 0x6e ++}; ++ ++static const unsigned char p256_qiutx[] = { ++ 0x71, 0x46, 0x88, 0x08, 0x92, 0x21, 0x1b, 0x10, 0x21, 0x74, 0xff, 0x0c, ++ 0x94, 0xde, 0x34, 0x7c, 0x86, 0x74, 0xbe, 0x67, 0x41, 0x68, 0xd4, 0xc1, ++ 0xe5, 0x75, 0x63, 0x9c, 0xa7, 0x46, 0x93, 0x6f ++}; ++ ++static const unsigned char p256_qiuty[] = { ++ 0x33, 0x40, 0xa9, 0x6a, 0xf5, 0x20, 0xb5, 0x9e, 0xfc, 0x60, 0x1a, 0xae, ++ 0x3d, 0xf8, 0x21, 0xd2, 0xa7, 0xca, 0x52, 0x34, 0xb9, 0x5f, 0x27, 0x75, ++ 0x6c, 0x81, 0xbe, 0x32, 0x4d, 0xba, 0xbb, 0xf8 ++}; ++ ++static const unsigned char p256_qiutd[] = { ++ 0x1a, 0x48, 0x55, 0x6b, 0x11, 0xbe, 0x92, 0xd4, 0x1c, 0xd7, 0x45, 0xc3, ++ 0x82, 0x81, 0x51, 0xf1, 0x23, 0x40, 0xb7, 0x83, 0xfd, 0x01, 0x6d, 0xbc, ++ 0xa1, 0x66, 0xaf, 0x0a, 0x03, 0x23, 0xcd, 0xc8 ++}; ++ ++static const unsigned char p256_ziut[] = { ++ 0x77, 0x2a, 0x1e, 0x37, 0xee, 0xe6, 0x51, 0x02, 0x71, 0x40, 0xf8, 0x6a, ++ 0x36, 0xf8, 0x65, 0x61, 0x2b, 0x18, 0x71, 0x82, 0x23, 0xe6, 0xf2, 0x77, ++ 0xce, 0xec, 0xb8, 0x49, 0xc7, 0xbf, 0x36, 0x4f ++}; ++ ++typedef struct { ++ int curve; ++ const unsigned char *x1; ++ size_t x1len; ++ const unsigned char *y1; ++ size_t y1len; ++ const unsigned char *d1; ++ size_t d1len; ++ const unsigned char *x2; ++ size_t x2len; ++ const unsigned char *y2; ++ size_t y2len; ++ const unsigned char *z; ++ size_t zlen; ++} ECDH_SELFTEST_DATA; ++ ++# define make_ecdh_test(nid, pr) { nid, \ ++ pr##_qiutx, sizeof(pr##_qiutx), \ ++ pr##_qiuty, sizeof(pr##_qiuty), \ ++ pr##_qiutd, sizeof(pr##_qiutd), \ ++ pr##_qcavsx, sizeof(pr##_qcavsx), \ ++ pr##_qcavsy, sizeof(pr##_qcavsy), \ ++ pr##_ziut, sizeof(pr##_ziut) } ++ ++static ECDH_SELFTEST_DATA test_ecdh_data[] = { ++ make_ecdh_test(NID_X9_62_prime256v1, p256), ++}; ++ ++int FIPS_selftest_ecdh(void) ++{ ++ EC_KEY *ec1 = NULL, *ec2 = NULL; ++ const EC_POINT *ecp = NULL; ++ BIGNUM *x = NULL, *y = NULL, *d = NULL; ++ unsigned char *ztmp = NULL; ++ int rv = 1; ++ size_t i; ++ ++ for (i = 0; i < sizeof(test_ecdh_data) / sizeof(ECDH_SELFTEST_DATA); i++) { ++ ECDH_SELFTEST_DATA *ecd = test_ecdh_data + i; ++ if (!fips_post_started(FIPS_TEST_ECDH, ecd->curve, 0)) ++ continue; ++ ztmp = OPENSSL_malloc(ecd->zlen); ++ ++ x = BN_bin2bn(ecd->x1, ecd->x1len, x); ++ y = BN_bin2bn(ecd->y1, ecd->y1len, y); ++ d = BN_bin2bn(ecd->d1, ecd->d1len, d); ++ ++ if (!x || !y || !d || !ztmp) { ++ rv = -1; ++ goto err; ++ } ++ ++ ec1 = EC_KEY_new_by_curve_name(ecd->curve); ++ if (!ec1) { ++ rv = -1; ++ goto err; ++ } ++ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH); ++ ++ if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) { ++ rv = -1; ++ goto err; ++ } ++ ++ if (!EC_KEY_set_private_key(ec1, d)) { ++ rv = -1; ++ goto err; ++ } ++ ++ x = BN_bin2bn(ecd->x2, ecd->x2len, x); ++ y = BN_bin2bn(ecd->y2, ecd->y2len, y); ++ ++ if (!x || !y) { ++ rv = -1; ++ goto err; ++ } ++ ++ ec2 = EC_KEY_new_by_curve_name(ecd->curve); ++ if (!ec2) { ++ rv = -1; ++ goto err; ++ } ++ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH); ++ ++ if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) { ++ rv = -1; ++ goto err; ++ } ++ ++ ecp = EC_KEY_get0_public_key(ec2); ++ if (!ecp) { ++ rv = -1; ++ goto err; ++ } ++ ++ if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) { ++ rv = -1; ++ goto err; ++ } ++ ++ if (!fips_post_corrupt(FIPS_TEST_ECDH, ecd->curve, NULL)) ++ ztmp[0] ^= 0x1; ++ ++ if (memcmp(ztmp, ecd->z, ecd->zlen)) { ++ fips_post_failed(FIPS_TEST_ECDH, ecd->curve, 0); ++ rv = 0; ++ } else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0)) ++ goto err; ++ ++ EC_KEY_free(ec1); ++ ec1 = NULL; ++ EC_KEY_free(ec2); ++ ec2 = NULL; ++ OPENSSL_free(ztmp); ++ ztmp = NULL; ++ } ++ ++ err: ++ ++ if (x) ++ BN_clear_free(x); ++ if (y) ++ BN_clear_free(y); ++ if (d) ++ BN_clear_free(d); ++ if (ec1) ++ EC_KEY_free(ec1); ++ if (ec2) ++ EC_KEY_free(ec2); ++ if (ztmp) ++ OPENSSL_free(ztmp); ++ ++ return rv; ++ ++} ++ ++#endif +diff -up openssl-1.1.1-pre8/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_ecdsa_selftest.c +--- openssl-1.1.1-pre8/crypto/fips/fips_ecdsa_selftest.c.fips 2018-07-25 17:26:58.408624776 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_ecdsa_selftest.c 2018-07-25 17:26:58.408624776 +0200 +@@ -0,0 +1,166 @@ ++/* fips/ecdsa/fips_ecdsa_selftest.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project 2011. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ * ++ */ ++ ++#define OPENSSL_FIPSAPI ++ ++#include ++#include ++#include ++#include ++#include ++#include "internal/fips_int.h" ++#include ++#include ++#include ++ ++#ifdef OPENSSL_FIPS ++ ++static const char P_256_name[] = "ECDSA P-256"; ++ ++static const unsigned char P_256_d[] = { ++ 0x51, 0xbd, 0x06, 0xa1, 0x1c, 0xda, 0xe2, 0x12, 0x99, 0xc9, 0x52, 0x3f, ++ 0xea, 0xa4, 0xd2, 0xd1, 0xf4, 0x7f, 0xd4, 0x3e, 0xbd, 0xf8, 0xfc, 0x87, ++ 0xdc, 0x82, 0x53, 0x21, 0xee, 0xa0, 0xdc, 0x64 ++}; ++ ++static const unsigned char P_256_qx[] = { ++ 0x23, 0x89, 0xe0, 0xf4, 0x69, 0xe0, 0x49, 0xe5, 0xc7, 0xe5, 0x40, 0x6e, ++ 0x8f, 0x25, 0xdd, 0xad, 0x11, 0x16, 0x14, 0x9b, 0xab, 0x44, 0x06, 0x31, ++ 0xbf, 0x5e, 0xa6, 0x44, 0xac, 0x86, 0x00, 0x07 ++}; ++ ++static const unsigned char P_256_qy[] = { ++ 0xb3, 0x05, 0x0d, 0xd0, 0xdc, 0xf7, 0x40, 0xe6, 0xf9, 0xd8, 0x6d, 0x7b, ++ 0x63, 0xca, 0x97, 0xe6, 0x12, 0xf9, 0xd4, 0x18, 0x59, 0xbe, 0xb2, 0x5e, ++ 0x4a, 0x6a, 0x77, 0x23, 0xf4, 0x11, 0x9d, 0xeb ++}; ++ ++typedef struct { ++ int curve; ++ const char *name; ++ const unsigned char *x; ++ size_t xlen; ++ const unsigned char *y; ++ size_t ylen; ++ const unsigned char *d; ++ size_t dlen; ++} EC_SELFTEST_DATA; ++ ++# define make_ecdsa_test(nid, pr) { nid, pr##_name, \ ++ pr##_qx, sizeof(pr##_qx), \ ++ pr##_qy, sizeof(pr##_qy), \ ++ pr##_d, sizeof(pr##_d)} ++ ++static EC_SELFTEST_DATA test_ec_data[] = { ++ make_ecdsa_test(NID_X9_62_prime256v1, P_256), ++}; ++ ++int FIPS_selftest_ecdsa() ++{ ++ EC_KEY *ec = NULL; ++ BIGNUM *x = NULL, *y = NULL, *d = NULL; ++ EVP_PKEY *pk = NULL; ++ int rv = 0; ++ size_t i; ++ ++ for (i = 0; i < sizeof(test_ec_data) / sizeof(EC_SELFTEST_DATA); i++) { ++ EC_SELFTEST_DATA *ecd = test_ec_data + i; ++ ++ x = BN_bin2bn(ecd->x, ecd->xlen, x); ++ y = BN_bin2bn(ecd->y, ecd->ylen, y); ++ d = BN_bin2bn(ecd->d, ecd->dlen, d); ++ ++ if (!x || !y || !d) ++ goto err; ++ ++ ec = EC_KEY_new_by_curve_name(ecd->curve); ++ if (!ec) ++ goto err; ++ ++ if (!EC_KEY_set_public_key_affine_coordinates(ec, x, y)) ++ goto err; ++ ++ if (!EC_KEY_set_private_key(ec, d)) ++ goto err; ++ ++ if ((pk = EVP_PKEY_new()) == NULL) ++ goto err; ++ ++ EVP_PKEY_assign_EC_KEY(pk, ec); ++ ++ if (!fips_pkey_signature_test(pk, NULL, 0, ++ NULL, 0, EVP_sha256(), 0, ecd->name)) ++ goto err; ++ } ++ ++ rv = 1; ++ ++ err: ++ ++ if (x) ++ BN_clear_free(x); ++ if (y) ++ BN_clear_free(y); ++ if (d) ++ BN_clear_free(d); ++ if (pk) ++ EVP_PKEY_free(pk); ++ else if (ec) ++ EC_KEY_free(ec); ++ ++ return rv; ++ ++} ++ ++#endif +diff -up openssl-1.1.1-pre8/crypto/fips/fips_enc.c.fips openssl-1.1.1-pre8/crypto/fips/fips_enc.c +--- openssl-1.1.1-pre8/crypto/fips/fips_enc.c.fips 2018-07-25 17:26:58.408624776 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_enc.c 2018-07-25 17:26:58.408624776 +0200 +@@ -0,0 +1,189 @@ ++/* fipe/evp/fips_enc.c */ ++/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) ++ * All rights reserved. ++ * ++ * This package is an SSL implementation written ++ * by Eric Young (eay@cryptsoft.com). ++ * The implementation was written so as to conform with Netscapes SSL. ++ * ++ * This library is free for commercial and non-commercial use as long as ++ * the following conditions are aheared to. The following conditions ++ * apply to all code found in this distribution, be it the RC4, RSA, ++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation ++ * included with this distribution is covered by the same copyright terms ++ * except that the holder is Tim Hudson (tjh@cryptsoft.com). ++ * ++ * Copyright remains Eric Young's, and as such any Copyright notices in ++ * the code are not to be removed. ++ * If this package is used in a product, Eric Young should be given attribution ++ * as the author of the parts of the library used. ++ * This can be in the form of a textual message at program startup or ++ * in documentation (online or textual) provided with the package. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. All advertising materials mentioning features or use of this software ++ * must display the following acknowledgement: ++ * "This product includes cryptographic software written by ++ * Eric Young (eay@cryptsoft.com)" ++ * The word 'cryptographic' can be left out if the rouines from the library ++ * being used are not cryptographic related :-). ++ * 4. If you include any Windows specific code (or a derivative thereof) from ++ * the apps directory (application code) you must include an acknowledgement: ++ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. ++ * ++ * The licence and distribution terms for any publically available version or ++ * derivative of this code cannot be changed. i.e. this code cannot simply be ++ * copied and put under another distribution licence ++ * [including the GNU Public Licence.] ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++ ++const EVP_CIPHER *FIPS_get_cipherbynid(int nid) ++{ ++ switch (nid) { ++ case NID_aes_128_cbc: ++ return EVP_aes_128_cbc(); ++ ++ case NID_aes_128_ccm: ++ return EVP_aes_128_ccm(); ++ ++ case NID_aes_128_cfb1: ++ return EVP_aes_128_cfb1(); ++ ++ case NID_aes_128_cfb128: ++ return EVP_aes_128_cfb128(); ++ ++ case NID_aes_128_cfb8: ++ return EVP_aes_128_cfb8(); ++ ++ case NID_aes_128_ctr: ++ return EVP_aes_128_ctr(); ++ ++ case NID_aes_128_ecb: ++ return EVP_aes_128_ecb(); ++ ++ case NID_aes_128_gcm: ++ return EVP_aes_128_gcm(); ++ ++ case NID_aes_128_ofb128: ++ return EVP_aes_128_ofb(); ++ ++ case NID_aes_128_xts: ++ return EVP_aes_128_xts(); ++ ++ case NID_aes_192_cbc: ++ return EVP_aes_192_cbc(); ++ ++ case NID_aes_192_ccm: ++ return EVP_aes_192_ccm(); ++ ++ case NID_aes_192_cfb1: ++ return EVP_aes_192_cfb1(); ++ ++ case NID_aes_192_cfb128: ++ return EVP_aes_192_cfb128(); ++ ++ case NID_aes_192_cfb8: ++ return EVP_aes_192_cfb8(); ++ ++ case NID_aes_192_ctr: ++ return EVP_aes_192_ctr(); ++ ++ case NID_aes_192_ecb: ++ return EVP_aes_192_ecb(); ++ ++ case NID_aes_192_gcm: ++ return EVP_aes_192_gcm(); ++ ++ case NID_aes_192_ofb128: ++ return EVP_aes_192_ofb(); ++ ++ case NID_aes_256_cbc: ++ return EVP_aes_256_cbc(); ++ ++ case NID_aes_256_ccm: ++ return EVP_aes_256_ccm(); ++ ++ case NID_aes_256_cfb1: ++ return EVP_aes_256_cfb1(); ++ ++ case NID_aes_256_cfb128: ++ return EVP_aes_256_cfb128(); ++ ++ case NID_aes_256_cfb8: ++ return EVP_aes_256_cfb8(); ++ ++ case NID_aes_256_ctr: ++ return EVP_aes_256_ctr(); ++ ++ case NID_aes_256_ecb: ++ return EVP_aes_256_ecb(); ++ ++ case NID_aes_256_gcm: ++ return EVP_aes_256_gcm(); ++ ++ case NID_aes_256_ofb128: ++ return EVP_aes_256_ofb(); ++ ++ case NID_aes_256_xts: ++ return EVP_aes_256_xts(); ++ ++ case NID_des_ede_ecb: ++ return EVP_des_ede(); ++ ++ case NID_des_ede3_ecb: ++ return EVP_des_ede3(); ++ ++ case NID_des_ede3_cbc: ++ return EVP_des_ede3_cbc(); ++ ++ case NID_des_ede3_cfb1: ++ return EVP_des_ede3_cfb1(); ++ ++ case NID_des_ede3_cfb64: ++ return EVP_des_ede3_cfb64(); ++ ++ case NID_des_ede3_cfb8: ++ return EVP_des_ede3_cfb8(); ++ ++ case NID_des_ede3_ofb64: ++ return EVP_des_ede3_ofb(); ++ ++ case NID_des_ede_cbc: ++ return EVP_des_ede_cbc(); ++ ++ case NID_des_ede_cfb64: ++ return EVP_des_ede_cfb64(); ++ ++ case NID_des_ede_ofb64: ++ return EVP_des_ede_ofb(); ++ ++ default: ++ return NULL; ++ ++ } ++} +diff -up openssl-1.1.1-pre8/crypto/fips/fips_err.h.fips openssl-1.1.1-pre8/crypto/fips/fips_err.h +--- openssl-1.1.1-pre8/crypto/fips/fips_err.h.fips 2018-07-25 17:26:58.408624776 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_err.h 2018-07-25 17:26:58.408624776 +0200 +@@ -0,0 +1,196 @@ ++/* crypto/fips_err.h */ ++/* ==================================================================== ++ * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ * ++ * This product includes cryptographic software written by Eric Young ++ * (eay@cryptsoft.com). This product includes software written by Tim ++ * Hudson (tjh@cryptsoft.com). ++ * ++ */ ++ ++/* ++ * NOTE: this file was auto generated by the mkerr.pl script: any changes ++ * made to it will be overwritten when the script next updates this file, ++ * only reason strings will be preserved. ++ */ ++ ++#include ++#include ++#include ++ ++/* BEGIN ERROR CODES */ ++#ifndef OPENSSL_NO_ERR ++ ++# define ERR_FUNC(func) ERR_PACK(ERR_LIB_FIPS,func,0) ++# define ERR_REASON(reason) ERR_PACK(ERR_LIB_FIPS,0,reason) ++ ++static ERR_STRING_DATA FIPS_str_functs[] = { ++ {ERR_FUNC(FIPS_F_DH_BUILTIN_GENPARAMS), "dh_builtin_genparams"}, ++ {ERR_FUNC(FIPS_F_DRBG_RESEED), "drbg_reseed"}, ++ {ERR_FUNC(FIPS_F_DSA_BUILTIN_PARAMGEN2), "dsa_builtin_paramgen2"}, ++ {ERR_FUNC(FIPS_F_DSA_DO_SIGN), "DSA_do_sign"}, ++ {ERR_FUNC(FIPS_F_DSA_DO_VERIFY), "DSA_do_verify"}, ++ {ERR_FUNC(FIPS_F_ECDH_COMPUTE_KEY), "ECDH_compute_key"}, ++ {ERR_FUNC(FIPS_F_EVP_CIPHER_CTX_NEW), "EVP_CIPHER_CTX_new"}, ++ {ERR_FUNC(FIPS_F_EVP_CIPHER_CTX_RESET), "EVP_CIPHER_CTX_reset"}, ++ {ERR_FUNC(FIPS_F_FIPS_CHECK_DSA), "fips_check_dsa"}, ++ {ERR_FUNC(FIPS_F_FIPS_CHECK_EC), "fips_check_ec"}, ++ {ERR_FUNC(FIPS_F_FIPS_CHECK_RSA), "fips_check_rsa"}, ++ {ERR_FUNC(FIPS_F_FIPS_DRBG_BYTES), "fips_drbg_bytes"}, ++ {ERR_FUNC(FIPS_F_FIPS_DRBG_CHECK), "fips_drbg_check"}, ++ {ERR_FUNC(FIPS_F_FIPS_DRBG_CPRNG_TEST), "fips_drbg_cprng_test"}, ++ {ERR_FUNC(FIPS_F_FIPS_DRBG_ERROR_CHECK), "fips_drbg_error_check"}, ++ {ERR_FUNC(FIPS_F_FIPS_DRBG_GENERATE), "FIPS_drbg_generate"}, ++ {ERR_FUNC(FIPS_F_FIPS_DRBG_INIT), "FIPS_drbg_init"}, ++ {ERR_FUNC(FIPS_F_FIPS_DRBG_INSTANTIATE), "FIPS_drbg_instantiate"}, ++ {ERR_FUNC(FIPS_F_FIPS_DRBG_NEW), "FIPS_drbg_new"}, ++ {ERR_FUNC(FIPS_F_FIPS_DRBG_RESEED), "FIPS_drbg_reseed"}, ++ {ERR_FUNC(FIPS_F_FIPS_DRBG_SINGLE_KAT), "FIPS_DRBG_SINGLE_KAT"}, ++ {ERR_FUNC(FIPS_F_FIPS_GET_ENTROPY), "fips_get_entropy"}, ++ {ERR_FUNC(FIPS_F_FIPS_MODULE_MODE_SET), "FIPS_module_mode_set"}, ++ {ERR_FUNC(FIPS_F_FIPS_PKEY_SIGNATURE_TEST), "fips_pkey_signature_test"}, ++ {ERR_FUNC(FIPS_F_FIPS_RAND_BYTES), "FIPS_rand_bytes"}, ++ {ERR_FUNC(FIPS_F_FIPS_RAND_SEED), "FIPS_rand_seed"}, ++ {ERR_FUNC(FIPS_F_FIPS_RAND_SET_METHOD), "FIPS_rand_set_method"}, ++ {ERR_FUNC(FIPS_F_FIPS_RAND_STATUS), "FIPS_rand_status"}, ++ {ERR_FUNC(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN), "fips_rsa_builtin_keygen"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES), "FIPS_selftest_aes"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_CCM), "FIPS_selftest_aes_ccm"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_GCM), "FIPS_selftest_aes_gcm"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_XTS), "FIPS_selftest_aes_xts"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_CMAC), "FIPS_selftest_cmac"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DES), "FIPS_selftest_des"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"}, ++ {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"}, ++ {ERR_FUNC(FIPS_F_OSSL_ECDSA_VERIFY_SIG), "ossl_ecdsa_verify_sig"}, ++ {ERR_FUNC(FIPS_F_RSA_BUILTIN_KEYGEN), "rsa_builtin_keygen"}, ++ {ERR_FUNC(FIPS_F_RSA_OSSL_INIT), "rsa_ossl_init"}, ++ {ERR_FUNC(FIPS_F_RSA_OSSL_PRIVATE_DECRYPT), "rsa_ossl_private_decrypt"}, ++ {ERR_FUNC(FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT), "rsa_ossl_private_encrypt"}, ++ {ERR_FUNC(FIPS_F_RSA_OSSL_PUBLIC_DECRYPT), "rsa_ossl_public_decrypt"}, ++ {ERR_FUNC(FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT), "rsa_ossl_public_encrypt"}, ++ {0, NULL} ++}; ++ ++static ERR_STRING_DATA FIPS_str_reasons[] = { ++ {ERR_REASON(FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED), ++ "additional input error undetected"}, ++ {ERR_REASON(FIPS_R_ADDITIONAL_INPUT_TOO_LONG), ++ "additional input too long"}, ++ {ERR_REASON(FIPS_R_ALREADY_INSTANTIATED), "already instantiated"}, ++ {ERR_REASON(FIPS_R_DRBG_NOT_INITIALISED), "drbg not initialised"}, ++ {ERR_REASON(FIPS_R_DRBG_STUCK), "drbg stuck"}, ++ {ERR_REASON(FIPS_R_ENTROPY_ERROR_UNDETECTED), "entropy error undetected"}, ++ {ERR_REASON(FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED), ++ "entropy not requested for reseed"}, ++ {ERR_REASON(FIPS_R_ENTROPY_SOURCE_STUCK), "entropy source stuck"}, ++ {ERR_REASON(FIPS_R_ERROR_INITIALISING_DRBG), "error initialising drbg"}, ++ {ERR_REASON(FIPS_R_ERROR_INSTANTIATING_DRBG), "error instantiating drbg"}, ++ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT), ++ "error retrieving additional input"}, ++ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ENTROPY), "error retrieving entropy"}, ++ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_NONCE), "error retrieving nonce"}, ++ {ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH), ++ "fingerprint does not match"}, ++ {ERR_REASON(FIPS_R_FIPS_MODE_ALREADY_SET), "fips mode already set"}, ++ {ERR_REASON(FIPS_R_FIPS_SELFTEST_FAILED), "fips selftest failed"}, ++ {ERR_REASON(FIPS_R_FUNCTION_ERROR), "function error"}, ++ {ERR_REASON(FIPS_R_GENERATE_ERROR), "generate error"}, ++ {ERR_REASON(FIPS_R_GENERATE_ERROR_UNDETECTED), ++ "generate error undetected"}, ++ {ERR_REASON(FIPS_R_INSTANTIATE_ERROR), "instantiate error"}, ++ {ERR_REASON(FIPS_R_INTERNAL_ERROR), "internal error"}, ++ {ERR_REASON(FIPS_R_INVALID_KEY_LENGTH), "invalid key length"}, ++ {ERR_REASON(FIPS_R_IN_ERROR_STATE), "in error state"}, ++ {ERR_REASON(FIPS_R_KEY_TOO_SHORT), "key too short"}, ++ {ERR_REASON(FIPS_R_NONCE_ERROR_UNDETECTED), "nonce error undetected"}, ++ {ERR_REASON(FIPS_R_NON_FIPS_METHOD), "non fips method"}, ++ {ERR_REASON(FIPS_R_NOPR_TEST1_FAILURE), "nopr test1 failure"}, ++ {ERR_REASON(FIPS_R_NOPR_TEST2_FAILURE), "nopr test2 failure"}, ++ {ERR_REASON(FIPS_R_NOT_INSTANTIATED), "not instantiated"}, ++ {ERR_REASON(FIPS_R_PAIRWISE_TEST_FAILED), "pairwise test failed"}, ++ {ERR_REASON(FIPS_R_PERSONALISATION_ERROR_UNDETECTED), ++ "personalisation error undetected"}, ++ {ERR_REASON(FIPS_R_PERSONALISATION_STRING_TOO_LONG), ++ "personalisation string too long"}, ++ {ERR_REASON(FIPS_R_PR_TEST1_FAILURE), "pr test1 failure"}, ++ {ERR_REASON(FIPS_R_PR_TEST2_FAILURE), "pr test2 failure"}, ++ {ERR_REASON(FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED), ++ "request length error undetected"}, ++ {ERR_REASON(FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG), ++ "request too large for drbg"}, ++ {ERR_REASON(FIPS_R_RESEED_COUNTER_ERROR), "reseed counter error"}, ++ {ERR_REASON(FIPS_R_RESEED_ERROR), "reseed error"}, ++ {ERR_REASON(FIPS_R_SELFTEST_FAILED), "selftest failed"}, ++ {ERR_REASON(FIPS_R_SELFTEST_FAILURE), "selftest failure"}, ++ {ERR_REASON(FIPS_R_TEST_FAILURE), "test failure"}, ++ {ERR_REASON(FIPS_R_UNINSTANTIATE_ERROR), "uninstantiate error"}, ++ {ERR_REASON(FIPS_R_UNINSTANTIATE_ZEROISE_ERROR), ++ "uninstantiate zeroise error"}, ++ {ERR_REASON(FIPS_R_UNSUPPORTED_DRBG_TYPE), "unsupported drbg type"}, ++ {ERR_REASON(FIPS_R_UNSUPPORTED_PLATFORM), "unsupported platform"}, ++ {0, NULL} ++}; ++ ++#endif ++ ++int ERR_load_FIPS_strings(void) ++{ ++#ifndef OPENSSL_NO_ERR ++ ++ if (ERR_func_error_string(FIPS_str_functs[0].error) == NULL) { ++ ERR_load_strings(0, FIPS_str_functs); ++ ERR_load_strings(0, FIPS_str_reasons); ++ } ++#endif ++ return 1; ++} +diff -up openssl-1.1.1-pre8/crypto/fips/fips_ers.c.fips openssl-1.1.1-pre8/crypto/fips/fips_ers.c +--- openssl-1.1.1-pre8/crypto/fips/fips_ers.c.fips 2018-07-25 17:26:58.408624776 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_ers.c 2018-07-25 17:26:58.408624776 +0200 +@@ -0,0 +1,7 @@ ++#include ++ ++#ifdef OPENSSL_FIPS ++# include "fips_err.h" ++#else ++static void *dummy = &dummy; ++#endif +diff -up openssl-1.1.1-pre8/crypto/fips/fips_hmac_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_hmac_selftest.c +--- openssl-1.1.1-pre8/crypto/fips/fips_hmac_selftest.c.fips 2018-07-25 17:26:58.409624800 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_hmac_selftest.c 2018-07-25 17:26:58.409624800 +0200 +@@ -0,0 +1,134 @@ ++/* ==================================================================== ++ * Copyright (c) 2005 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#ifdef OPENSSL_FIPS ++# include ++#endif ++#include ++ ++#ifdef OPENSSL_FIPS ++typedef struct { ++ const EVP_MD *(*alg) (void); ++ const char *key, *iv; ++ unsigned char kaval[EVP_MAX_MD_SIZE]; ++} HMAC_KAT; ++ ++static const HMAC_KAT vector[] = { ++ {EVP_sha1, ++ /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */ ++ "0123456789:;<=>?@ABC", ++ "Sample #2", ++ {0x09, 0x22, 0xd3, 0x40, 0x5f, 0xaa, 0x3d, 0x19, ++ 0x4f, 0x82, 0xa4, 0x58, 0x30, 0x73, 0x7d, 0x5c, ++ 0xc6, 0xc7, 0x5d, 0x24} ++ }, ++ {EVP_sha224, ++ /* just keep extending the above... */ ++ "0123456789:;<=>?@ABC", ++ "Sample #2", ++ {0xdd, 0xef, 0x0a, 0x40, 0xcb, 0x7d, 0x50, 0xfb, ++ 0x6e, 0xe6, 0xce, 0xa1, 0x20, 0xba, 0x26, 0xaa, ++ 0x08, 0xf3, 0x07, 0x75, 0x87, 0xb8, 0xad, 0x1b, ++ 0x8c, 0x8d, 0x12, 0xc7} ++ }, ++ {EVP_sha256, ++ "0123456789:;<=>?@ABC", ++ "Sample #2", ++ {0xb8, 0xf2, 0x0d, 0xb5, 0x41, 0xea, 0x43, 0x09, ++ 0xca, 0x4e, 0xa9, 0x38, 0x0c, 0xd0, 0xe8, 0x34, ++ 0xf7, 0x1f, 0xbe, 0x91, 0x74, 0xa2, 0x61, 0x38, ++ 0x0d, 0xc1, 0x7e, 0xae, 0x6a, 0x34, 0x51, 0xd9} ++ }, ++ {EVP_sha384, ++ "0123456789:;<=>?@ABC", ++ "Sample #2", ++ {0x08, 0xbc, 0xb0, 0xda, 0x49, 0x1e, 0x87, 0xad, ++ 0x9a, 0x1d, 0x6a, 0xce, 0x23, 0xc5, 0x0b, 0xf6, ++ 0xb7, 0x18, 0x06, 0xa5, 0x77, 0xcd, 0x49, 0x04, ++ 0x89, 0xf1, 0xe6, 0x23, 0x44, 0x51, 0x51, 0x9f, ++ 0x85, 0x56, 0x80, 0x79, 0x0c, 0xbd, 0x4d, 0x50, ++ 0xa4, 0x5f, 0x29, 0xe3, 0x93, 0xf0, 0xe8, 0x7f} ++ }, ++ {EVP_sha512, ++ "0123456789:;<=>?@ABC", ++ "Sample #2", ++ {0x80, 0x9d, 0x44, 0x05, 0x7c, 0x5b, 0x95, 0x41, ++ 0x05, 0xbd, 0x04, 0x13, 0x16, 0xdb, 0x0f, 0xac, ++ 0x44, 0xd5, 0xa4, 0xd5, 0xd0, 0x89, 0x2b, 0xd0, ++ 0x4e, 0x86, 0x64, 0x12, 0xc0, 0x90, 0x77, 0x68, ++ 0xf1, 0x87, 0xb7, 0x7c, 0x4f, 0xae, 0x2c, 0x2f, ++ 0x21, 0xa5, 0xb5, 0x65, 0x9a, 0x4f, 0x4b, 0xa7, ++ 0x47, 0x02, 0xa3, 0xde, 0x9b, 0x51, 0xf1, 0x45, ++ 0xbd, 0x4f, 0x25, 0x27, 0x42, 0x98, 0x99, 0x05} ++ }, ++}; ++ ++int FIPS_selftest_hmac() ++{ ++ int n; ++ unsigned int outlen; ++ unsigned char out[EVP_MAX_MD_SIZE]; ++ const EVP_MD *md; ++ const HMAC_KAT *t; ++ ++ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) { ++ md = (*t->alg) (); ++ HMAC(md, t->key, strlen(t->key), ++ (const unsigned char *)t->iv, strlen(t->iv), out, &outlen); ++ ++ if (memcmp(out, t->kaval, outlen)) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC, FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } ++ } ++ return 1; ++} ++#endif +diff -up openssl-1.1.1-pre8/crypto/fips/fips_locl.h.fips openssl-1.1.1-pre8/crypto/fips/fips_locl.h +--- openssl-1.1.1-pre8/crypto/fips/fips_locl.h.fips 2018-07-25 17:26:58.409624800 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_locl.h 2018-07-25 17:26:58.409624800 +0200 +@@ -0,0 +1,71 @@ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#ifdef OPENSSL_FIPS ++ ++# ifdef __cplusplus ++extern "C" { ++# endif ++ ++# define FIPS_MAX_CIPHER_TEST_SIZE 32 ++# define fips_load_key_component(comp, pre) \ ++ comp = BN_bin2bn(pre##_##comp, sizeof(pre##_##comp), NULL); \ ++ if (!comp) \ ++ goto err ++ ++# define fips_post_started(id, subid, ex) 1 ++# define fips_post_success(id, subid, ex) 1 ++# define fips_post_failed(id, subid, ex) 1 ++# define fips_post_corrupt(id, subid, ex) 1 ++# define fips_post_status() 1 ++ ++# ifdef __cplusplus ++} ++# endif ++#endif +diff -up openssl-1.1.1-pre8/crypto/fips/fips_md.c.fips openssl-1.1.1-pre8/crypto/fips/fips_md.c +--- openssl-1.1.1-pre8/crypto/fips/fips_md.c.fips 2018-07-25 17:26:58.409624800 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_md.c 2018-07-25 17:26:58.409624800 +0200 +@@ -0,0 +1,144 @@ ++/* fips/evp/fips_md.c */ ++/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) ++ * All rights reserved. ++ * ++ * This package is an SSL implementation written ++ * by Eric Young (eay@cryptsoft.com). ++ * The implementation was written so as to conform with Netscapes SSL. ++ * ++ * This library is free for commercial and non-commercial use as long as ++ * the following conditions are aheared to. The following conditions ++ * apply to all code found in this distribution, be it the RC4, RSA, ++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation ++ * included with this distribution is covered by the same copyright terms ++ * except that the holder is Tim Hudson (tjh@cryptsoft.com). ++ * ++ * Copyright remains Eric Young's, and as such any Copyright notices in ++ * the code are not to be removed. ++ * If this package is used in a product, Eric Young should be given attribution ++ * as the author of the parts of the library used. ++ * This can be in the form of a textual message at program startup or ++ * in documentation (online or textual) provided with the package. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. All advertising materials mentioning features or use of this software ++ * must display the following acknowledgement: ++ * "This product includes cryptographic software written by ++ * Eric Young (eay@cryptsoft.com)" ++ * The word 'cryptographic' can be left out if the rouines from the library ++ * being used are not cryptographic related :-). ++ * 4. If you include any Windows specific code (or a derivative thereof) from ++ * the apps directory (application code) you must include an acknowledgement: ++ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. ++ * ++ * The licence and distribution terms for any publically available version or ++ * derivative of this code cannot be changed. i.e. this code cannot simply be ++ * copied and put under another distribution licence ++ * [including the GNU Public Licence.] ++ */ ++/* ==================================================================== ++ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ * ++ * This product includes cryptographic software written by Eric Young ++ * (eay@cryptsoft.com). This product includes software written by Tim ++ * Hudson (tjh@cryptsoft.com). ++ * ++ */ ++ ++/* Minimal standalone FIPS versions of Digest operations */ ++ ++#define OPENSSL_FIPSAPI ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++const EVP_MD *FIPS_get_digestbynid(int nid) ++{ ++ switch (nid) { ++ case NID_sha1: ++ return EVP_sha1(); ++ ++ case NID_sha224: ++ return EVP_sha224(); ++ ++ case NID_sha256: ++ return EVP_sha256(); ++ ++ case NID_sha384: ++ return EVP_sha384(); ++ ++ case NID_sha512: ++ return EVP_sha512(); ++ ++ default: ++ return NULL; ++ } ++} +diff -up openssl-1.1.1-pre8/crypto/fips/fips_post.c.fips openssl-1.1.1-pre8/crypto/fips/fips_post.c +--- openssl-1.1.1-pre8/crypto/fips/fips_post.c.fips 2018-07-25 17:26:58.409624800 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_post.c 2018-07-25 17:26:58.409624800 +0200 +@@ -0,0 +1,222 @@ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#define OPENSSL_FIPSAPI ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#ifdef OPENSSL_FIPS ++ ++/* Power on self test (POST) support functions */ ++ ++# include ++# include "internal/fips_int.h" ++# include "fips_locl.h" ++ ++/* Run all selftests */ ++int FIPS_selftest(void) ++{ ++ int rv = 1; ++ if (!FIPS_selftest_drbg()) ++ rv = 0; ++ if (!FIPS_selftest_sha1()) ++ rv = 0; ++ if (!FIPS_selftest_sha2()) ++ rv = 0; ++ if (!FIPS_selftest_hmac()) ++ rv = 0; ++ if (!FIPS_selftest_cmac()) ++ rv = 0; ++ if (!FIPS_selftest_aes()) ++ rv = 0; ++ if (!FIPS_selftest_aes_ccm()) ++ rv = 0; ++ if (!FIPS_selftest_aes_gcm()) ++ rv = 0; ++ if (!FIPS_selftest_aes_xts()) ++ rv = 0; ++ if (!FIPS_selftest_des()) ++ rv = 0; ++ if (!FIPS_selftest_rsa()) ++ rv = 0; ++ if (!FIPS_selftest_ecdsa()) ++ rv = 0; ++ if (!FIPS_selftest_dsa()) ++ rv = 0; ++ if (!FIPS_selftest_dh()) ++ rv = 0; ++ if (!FIPS_selftest_ecdh()) ++ rv = 0; ++ return rv; ++} ++ ++/* Generalized public key test routine. Signs and verifies the data ++ * supplied in tbs using mesage digest md and setting option digest ++ * flags md_flags. If the 'kat' parameter is not NULL it will ++ * additionally check the signature matches it: a known answer test ++ * The string "fail_str" is used for identification purposes in case ++ * of failure. If "pkey" is NULL just perform a message digest check. ++ */ ++ ++int fips_pkey_signature_test(EVP_PKEY *pkey, ++ const unsigned char *tbs, int tbslen, ++ const unsigned char *kat, unsigned int katlen, ++ const EVP_MD *digest, unsigned int flags, ++ const char *fail_str) ++{ ++ int ret = 0; ++ unsigned char sigtmp[256], *sig = sigtmp; ++ size_t siglen = sizeof(sigtmp); ++ EVP_MD_CTX *mctx; ++ EVP_PKEY_CTX *pctx; ++ ++ if (digest == NULL) ++ digest = EVP_sha256(); ++ ++ mctx = EVP_MD_CTX_new(); ++ ++ if ((EVP_PKEY_id(pkey) == EVP_PKEY_RSA) ++ && (RSA_size(EVP_PKEY_get0_RSA(pkey)) > sizeof(sigtmp))) { ++ sig = OPENSSL_malloc(RSA_size(EVP_PKEY_get0_RSA(pkey))); ++ siglen = RSA_size(EVP_PKEY_get0_RSA(pkey)); ++ } ++ if (!sig || ! mctx) { ++ EVP_MD_CTX_free(mctx); ++ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, ERR_R_MALLOC_FAILURE); ++ return 0; ++ } ++ ++ if (tbslen == -1) ++ tbslen = strlen((char *)tbs); ++ ++ if (EVP_DigestSignInit(mctx, &pctx, digest, NULL, pkey) <= 0) ++ goto error; ++ ++ if (flags == EVP_MD_CTX_FLAG_PAD_PSS) { ++ EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING); ++ EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 0); ++ } ++ ++ if (EVP_DigestSignUpdate(mctx, tbs, tbslen) <= 0) ++ goto error; ++ ++ if (EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) ++ goto error; ++ ++ if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen))) ++ goto error; ++ ++ if (EVP_DigestVerifyInit(mctx, &pctx, digest, NULL, pkey) <= 0) ++ goto error; ++ ++ if (flags == EVP_MD_CTX_FLAG_PAD_PSS) { ++ EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING); ++ EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 0); ++ } ++ ++ if (EVP_DigestVerifyUpdate(mctx, tbs, tbslen) <= 0) ++ goto error; ++ ++ ret = EVP_DigestVerifyFinal(mctx, sig, siglen); ++ ++ error: ++ if (sig != sigtmp) ++ OPENSSL_free(sig); ++ EVP_MD_CTX_free(mctx); ++ if (ret <= 0) { ++ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, FIPS_R_TEST_FAILURE); ++ if (fail_str) ++ ERR_add_error_data(2, "Type=", fail_str); ++ return 0; ++ } ++ return 1; ++} ++ ++/* Generalized symmetric cipher test routine. Encrypt data, verify result ++ * against known answer, decrypt and compare with original plaintext. ++ */ ++ ++int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ++ const unsigned char *key, ++ const unsigned char *iv, ++ const unsigned char *plaintext, ++ const unsigned char *ciphertext, int len) ++{ ++ unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE]; ++ unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE]; ++ ++ OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE); ++ memset(pltmp, 0, FIPS_MAX_CIPHER_TEST_SIZE); ++ memset(citmp, 0, FIPS_MAX_CIPHER_TEST_SIZE); ++ ++ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0) ++ return 0; ++ if (EVP_Cipher(ctx, citmp, plaintext, len) <= 0) ++ return 0; ++ if (memcmp(citmp, ciphertext, len)) ++ return 0; ++ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0) ++ return 0; ++ if (EVP_Cipher(ctx, pltmp, citmp, len) <= 0) ++ return 0; ++ if (memcmp(pltmp, plaintext, len)) ++ return 0; ++ return 1; ++} ++#endif +diff -up openssl-1.1.1-pre8/crypto/fips/fips_rand_lcl.h.fips openssl-1.1.1-pre8/crypto/fips/fips_rand_lcl.h +--- openssl-1.1.1-pre8/crypto/fips/fips_rand_lcl.h.fips 2018-07-25 17:26:58.409624800 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_rand_lcl.h 2018-07-25 17:26:58.409624800 +0200 +@@ -0,0 +1,209 @@ ++/* fips/rand/fips_rand_lcl.h */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ */ ++ ++typedef struct drbg_hash_ctx_st DRBG_HASH_CTX; ++typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX; ++typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX; ++ ++/* 888 bits from 10.1 table 2 */ ++#define HASH_PRNG_MAX_SEEDLEN 111 ++ ++struct drbg_hash_ctx_st { ++ const EVP_MD *md; ++ EVP_MD_CTX *mctx; ++ unsigned char V[HASH_PRNG_MAX_SEEDLEN]; ++ unsigned char C[HASH_PRNG_MAX_SEEDLEN]; ++ /* Temporary value storage: should always exceed max digest length */ ++ unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN]; ++}; ++ ++struct drbg_hmac_ctx_st { ++ const EVP_MD *md; ++ HMAC_CTX *hctx; ++ unsigned char K[EVP_MAX_MD_SIZE]; ++ unsigned char V[EVP_MAX_MD_SIZE]; ++}; ++ ++struct drbg_ctr_ctx_st { ++ AES_KEY ks; ++ size_t keylen; ++ unsigned char K[32]; ++ unsigned char V[16]; ++ /* Temp variables used by derivation function */ ++ AES_KEY df_ks; ++ AES_KEY df_kxks; ++ /* Temporary block storage used by ctr_df */ ++ unsigned char bltmp[16]; ++ size_t bltmp_pos; ++ unsigned char KX[48]; ++}; ++ ++/* DRBG internal flags */ ++ ++/* Functions shouldn't call err library */ ++#define DRBG_FLAG_NOERR 0x1 ++/* Custom reseed checking */ ++#define DRBG_CUSTOM_RESEED 0x2 ++ ++/* DRBG status values */ ++/* not initialised */ ++#define DRBG_STATUS_UNINITIALISED 0 ++/* ok and ready to generate random bits */ ++#define DRBG_STATUS_READY 1 ++/* reseed required */ ++#define DRBG_STATUS_RESEED 2 ++/* fatal error condition */ ++#define DRBG_STATUS_ERROR 3 ++ ++/* A default maximum length: larger than any reasonable value used in pratice */ ++ ++#define DRBG_MAX_LENGTH 0x7ffffff0 ++/* Maximum DRBG block length: all md sizes are bigger than cipher blocks sizes ++ * so use max digest length. ++ */ ++#define DRBG_MAX_BLOCK EVP_MAX_MD_SIZE ++ ++#define DRBG_HEALTH_INTERVAL (1 << 24) ++ ++/* DRBG context structure */ ++ ++struct drbg_ctx_st { ++ /* First types common to all implementations */ ++ /* DRBG type: a NID for the underlying algorithm */ ++ int type; ++ /* Various external flags */ ++ unsigned int xflags; ++ /* Various internal use only flags */ ++ unsigned int iflags; ++ /* Used for periodic health checks */ ++ int health_check_cnt, health_check_interval; ++ ++ /* The following parameters are setup by mechanism drbg_init() call */ ++ int strength; ++ size_t blocklength; ++ size_t max_request; ++ ++ size_t min_entropy, max_entropy; ++ size_t min_nonce, max_nonce; ++ size_t max_pers, max_adin; ++ unsigned int reseed_counter; ++ unsigned int reseed_interval; ++ size_t seedlen; ++ int status; ++ /* Application data: typically used by test get_entropy */ ++ void *app_data; ++ /* Implementation specific structures */ ++ union { ++ DRBG_HASH_CTX hash; ++ DRBG_HMAC_CTX hmac; ++ DRBG_CTR_CTX ctr; ++ } d; ++ /* Initialiase PRNG and setup callbacks below */ ++ int (*init) (DRBG_CTX *ctx, int nid, int security, unsigned int flags); ++ /* Intantiate PRNG */ ++ int (*instantiate) (DRBG_CTX *ctx, ++ const unsigned char *ent, size_t entlen, ++ const unsigned char *nonce, size_t noncelen, ++ const unsigned char *pers, size_t perslen); ++ /* reseed */ ++ int (*reseed) (DRBG_CTX *ctx, ++ const unsigned char *ent, size_t entlen, ++ const unsigned char *adin, size_t adinlen); ++ /* generat output */ ++ int (*generate) (DRBG_CTX *ctx, ++ unsigned char *out, size_t outlen, ++ const unsigned char *adin, size_t adinlen); ++ /* uninstantiate */ ++ int (*uninstantiate) (DRBG_CTX *ctx); ++ ++ /* Entropy source block length */ ++ size_t entropy_blocklen; ++ ++ /* entropy gathering function */ ++ size_t (*get_entropy) (DRBG_CTX *ctx, unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len); ++ /* Indicates we have finished with entropy buffer */ ++ void (*cleanup_entropy) (DRBG_CTX *ctx, unsigned char *out, size_t olen); ++ ++ /* nonce gathering function */ ++ size_t (*get_nonce) (DRBG_CTX *ctx, unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len); ++ /* Indicates we have finished with nonce buffer */ ++ void (*cleanup_nonce) (DRBG_CTX *ctx, unsigned char *out, size_t olen); ++ ++ /* Continuous random number test temporary area */ ++ /* Last block */ ++ unsigned char lb[EVP_MAX_MD_SIZE]; ++ /* set if lb is valid */ ++ int lb_valid; ++ ++ /* Callbacks used when called through RAND interface */ ++ /* Get any additional input for generate */ ++ size_t (*get_adin) (DRBG_CTX *ctx, unsigned char **pout); ++ void (*cleanup_adin) (DRBG_CTX *ctx, unsigned char *out, size_t olen); ++ /* Callback for RAND_seed(), RAND_add() */ ++ int (*rand_seed_cb) (DRBG_CTX *ctx, const void *buf, int num); ++ int (*rand_add_cb) (DRBG_CTX *ctx, ++ const void *buf, int num, double entropy); ++}; ++ ++int fips_drbg_ctr_init(DRBG_CTX *dctx); ++int fips_drbg_hash_init(DRBG_CTX *dctx); ++int fips_drbg_hmac_init(DRBG_CTX *dctx); ++int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags); ++int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out); ++ ++#define FIPS_digestinit EVP_DigestInit ++#define FIPS_digestupdate EVP_DigestUpdate ++#define FIPS_digestfinal EVP_DigestFinal ++#define M_EVP_MD_size EVP_MD_size +diff -up openssl-1.1.1-pre8/crypto/fips/fips_rand_lib.c.fips openssl-1.1.1-pre8/crypto/fips/fips_rand_lib.c +--- openssl-1.1.1-pre8/crypto/fips/fips_rand_lib.c.fips 2018-07-25 17:26:58.409624800 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_rand_lib.c 2018-07-25 17:26:58.409624800 +0200 +@@ -0,0 +1,234 @@ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't ++ be defined and gettimeofday() won't be declared with strict compilers ++ like DEC C in ANSI C mode. */ ++#ifndef _XOPEN_SOURCE_EXTENDED ++# define _XOPEN_SOURCE_EXTENDED 1 ++#endif ++ ++#include ++#include ++#include ++#include ++#include "internal/fips_int.h" ++#include ++#include "e_os.h" ++ ++#if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS)) ++# include ++#endif ++#if defined(OPENSSL_SYS_VXWORKS) ++# include ++#endif ++#ifndef OPENSSL_SYS_WIN32 ++# ifdef OPENSSL_UNISTD ++# include OPENSSL_UNISTD ++# else ++# include ++# endif ++#endif ++ ++/* FIPS API for PRNG use. Similar to RAND functionality but without ++ * ENGINE and additional checking for non-FIPS rand methods. ++ */ ++ ++static const RAND_METHOD *fips_rand_meth = NULL; ++static int fips_approved_rand_meth = 0; ++static int fips_rand_bits = 0; ++ ++/* Allows application to override number of bits and uses non-FIPS methods */ ++void FIPS_rand_set_bits(int nbits) ++{ ++ fips_rand_bits = nbits; ++} ++ ++int FIPS_rand_set_method(const RAND_METHOD *meth) ++{ ++ if (!fips_rand_bits) { ++ if (meth == FIPS_drbg_method()) ++ fips_approved_rand_meth = 1; ++ else { ++ fips_approved_rand_meth = 0; ++ if (FIPS_module_mode()) { ++ FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD, FIPS_R_NON_FIPS_METHOD); ++ return 0; ++ } ++ } ++ } ++ fips_rand_meth = meth; ++ return 1; ++} ++ ++const RAND_METHOD *FIPS_rand_get_method(void) ++{ ++ return fips_rand_meth; ++} ++ ++void FIPS_rand_reset(void) ++{ ++ if (fips_rand_meth && fips_rand_meth->cleanup) ++ fips_rand_meth->cleanup(); ++} ++ ++int FIPS_rand_seed(const void *buf, int num) ++{ ++ if (!fips_approved_rand_meth && FIPS_module_mode()) { ++ FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD); ++ return 0; ++ } ++ if (fips_rand_meth && fips_rand_meth->seed) ++ fips_rand_meth->seed(buf, num); ++ return 1; ++} ++ ++int FIPS_rand_bytes(unsigned char *buf, int num) ++{ ++ if (!fips_approved_rand_meth && FIPS_module_mode()) { ++ FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD); ++ return 0; ++ } ++ if (fips_rand_meth && fips_rand_meth->bytes) ++ return fips_rand_meth->bytes(buf, num); ++ return 0; ++} ++ ++int FIPS_rand_status(void) ++{ ++ if (!fips_approved_rand_meth && FIPS_module_mode()) { ++ FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD); ++ return 0; ++ } ++ if (fips_rand_meth && fips_rand_meth->status) ++ return fips_rand_meth->status(); ++ return 0; ++} ++ ++/* Return instantiated strength of PRNG. For DRBG this is an internal ++ * parameter. Any other type of PRNG is not approved and returns 0 in ++ * FIPS mode and maximum 256 outside FIPS mode. ++ */ ++ ++int FIPS_rand_strength(void) ++{ ++ if (fips_rand_bits) ++ return fips_rand_bits; ++ if (fips_approved_rand_meth == 1) ++ return FIPS_drbg_get_strength(FIPS_get_default_drbg()); ++ else if (fips_approved_rand_meth == 0) { ++ if (FIPS_module_mode()) ++ return 0; ++ else ++ return 256; ++ } ++ return 0; ++} ++ ++void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr) ++{ ++# ifdef OPENSSL_SYS_WIN32 ++ FILETIME ft; ++# elif defined(OPENSSL_SYS_VXWORKS) ++ struct timespec ts; ++# else ++ struct timeval tv; ++# endif ++ ++# ifndef GETPID_IS_MEANINGLESS ++ unsigned long pid; ++# endif ++ ++# ifdef OPENSSL_SYS_WIN32 ++ GetSystemTimeAsFileTime(&ft); ++ buf[0] = (unsigned char)(ft.dwHighDateTime & 0xff); ++ buf[1] = (unsigned char)((ft.dwHighDateTime >> 8) & 0xff); ++ buf[2] = (unsigned char)((ft.dwHighDateTime >> 16) & 0xff); ++ buf[3] = (unsigned char)((ft.dwHighDateTime >> 24) & 0xff); ++ buf[4] = (unsigned char)(ft.dwLowDateTime & 0xff); ++ buf[5] = (unsigned char)((ft.dwLowDateTime >> 8) & 0xff); ++ buf[6] = (unsigned char)((ft.dwLowDateTime >> 16) & 0xff); ++ buf[7] = (unsigned char)((ft.dwLowDateTime >> 24) & 0xff); ++# elif defined(OPENSSL_SYS_VXWORKS) ++ clock_gettime(CLOCK_REALTIME, &ts); ++ buf[0] = (unsigned char)(ts.tv_sec & 0xff); ++ buf[1] = (unsigned char)((ts.tv_sec >> 8) & 0xff); ++ buf[2] = (unsigned char)((ts.tv_sec >> 16) & 0xff); ++ buf[3] = (unsigned char)((ts.tv_sec >> 24) & 0xff); ++ buf[4] = (unsigned char)(ts.tv_nsec & 0xff); ++ buf[5] = (unsigned char)((ts.tv_nsec >> 8) & 0xff); ++ buf[6] = (unsigned char)((ts.tv_nsec >> 16) & 0xff); ++ buf[7] = (unsigned char)((ts.tv_nsec >> 24) & 0xff); ++# else ++ gettimeofday(&tv, NULL); ++ buf[0] = (unsigned char)(tv.tv_sec & 0xff); ++ buf[1] = (unsigned char)((tv.tv_sec >> 8) & 0xff); ++ buf[2] = (unsigned char)((tv.tv_sec >> 16) & 0xff); ++ buf[3] = (unsigned char)((tv.tv_sec >> 24) & 0xff); ++ buf[4] = (unsigned char)(tv.tv_usec & 0xff); ++ buf[5] = (unsigned char)((tv.tv_usec >> 8) & 0xff); ++ buf[6] = (unsigned char)((tv.tv_usec >> 16) & 0xff); ++ buf[7] = (unsigned char)((tv.tv_usec >> 24) & 0xff); ++# endif ++ buf[8] = (unsigned char)(*pctr & 0xff); ++ buf[9] = (unsigned char)((*pctr >> 8) & 0xff); ++ buf[10] = (unsigned char)((*pctr >> 16) & 0xff); ++ buf[11] = (unsigned char)((*pctr >> 24) & 0xff); ++ ++ (*pctr)++; ++ ++# ifndef GETPID_IS_MEANINGLESS ++ pid = (unsigned long)getpid(); ++ buf[12] = (unsigned char)(pid & 0xff); ++ buf[13] = (unsigned char)((pid >> 8) & 0xff); ++ buf[14] = (unsigned char)((pid >> 16) & 0xff); ++ buf[15] = (unsigned char)((pid >> 24) & 0xff); ++# endif ++} ++ +diff -up openssl-1.1.1-pre8/crypto/fips/fips_randtest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_randtest.c +--- openssl-1.1.1-pre8/crypto/fips/fips_randtest.c.fips 2018-07-25 17:26:58.409624800 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_randtest.c 2018-07-25 17:26:58.409624800 +0200 +@@ -0,0 +1,247 @@ ++/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) ++ * All rights reserved. ++ * ++ * This package is an SSL implementation written ++ * by Eric Young (eay@cryptsoft.com). ++ * The implementation was written so as to conform with Netscapes SSL. ++ * ++ * This library is free for commercial and non-commercial use as long as ++ * the following conditions are aheared to. The following conditions ++ * apply to all code found in this distribution, be it the RC4, RSA, ++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation ++ * included with this distribution is covered by the same copyright terms ++ * except that the holder is Tim Hudson (tjh@cryptsoft.com). ++ * ++ * Copyright remains Eric Young's, and as such any Copyright notices in ++ * the code are not to be removed. ++ * If this package is used in a product, Eric Young should be given attribution ++ * as the author of the parts of the library used. ++ * This can be in the form of a textual message at program startup or ++ * in documentation (online or textual) provided with the package. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. All advertising materials mentioning features or use of this software ++ * must display the following acknowledgement: ++ * "This product includes cryptographic software written by ++ * Eric Young (eay@cryptsoft.com)" ++ * The word 'cryptographic' can be left out if the rouines from the library ++ * being used are not cryptographic related :-). ++ * 4. If you include any Windows specific code (or a derivative thereof) from ++ * the apps directory (application code) you must include an acknowledgement: ++ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. ++ * ++ * The licence and distribution terms for any publically available version or ++ * derivative of this code cannot be changed. i.e. this code cannot simply be ++ * copied and put under another distribution licence ++ * [including the GNU Public Licence.] ++ */ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "e_os.h" ++ ++#ifndef OPENSSL_FIPS ++int main(int argc, char *argv[]) ++{ ++ printf("No FIPS RAND support\n"); ++ return (0); ++} ++ ++#else ++ ++# include "fips_utl.h" ++# include ++ ++typedef struct { ++ unsigned char DT[16]; ++ unsigned char V[16]; ++ unsigned char R[16]; ++} AES_PRNG_MCT; ++ ++static const unsigned char aes_128_mct_key[16] = ++ { 0x9f, 0x5b, 0x51, 0x20, 0x0b, 0xf3, 0x34, 0xb5, ++ 0xd8, 0x2b, 0xe8, 0xc3, 0x72, 0x55, 0xc8, 0x48 ++}; ++ ++static const AES_PRNG_MCT aes_128_mct_tv = { ++ /* DT */ ++ {0x63, 0x76, 0xbb, 0xe5, 0x29, 0x02, 0xba, 0x3b, ++ 0x67, 0xc9, 0x25, 0xfa, 0x70, 0x1f, 0x11, 0xac}, ++ /* V */ ++ {0x57, 0x2c, 0x8e, 0x76, 0x87, 0x26, 0x47, 0x97, ++ 0x7e, 0x74, 0xfb, 0xdd, 0xc4, 0x95, 0x01, 0xd1}, ++ /* R */ ++ {0x48, 0xe9, 0xbd, 0x0d, 0x06, 0xee, 0x18, 0xfb, ++ 0xe4, 0x57, 0x90, 0xd5, 0xc3, 0xfc, 0x9b, 0x73} ++}; ++ ++static const unsigned char aes_192_mct_key[24] = ++ { 0xb7, 0x6c, 0x34, 0xd1, 0x09, 0x67, 0xab, 0x73, ++ 0x4d, 0x5a, 0xd5, 0x34, 0x98, 0x16, 0x0b, 0x91, ++ 0xbc, 0x35, 0x51, 0x16, 0x6b, 0xae, 0x93, 0x8a ++}; ++ ++static const AES_PRNG_MCT aes_192_mct_tv = { ++ /* DT */ ++ {0x84, 0xce, 0x22, 0x7d, 0x91, 0x5a, 0xa3, 0xc9, ++ 0x84, 0x3c, 0x0a, 0xb3, 0xa9, 0x63, 0x15, 0x52}, ++ /* V */ ++ {0xb6, 0xaf, 0xe6, 0x8f, 0x99, 0x9e, 0x90, 0x64, ++ 0xdd, 0xc7, 0x7a, 0xc1, 0xbb, 0x90, 0x3a, 0x6d}, ++ /* R */ ++ {0xfc, 0x85, 0x60, 0x9a, 0x29, 0x6f, 0xef, 0x21, ++ 0xdd, 0x86, 0x20, 0x32, 0x8a, 0x29, 0x6f, 0x47} ++}; ++ ++static const unsigned char aes_256_mct_key[32] = ++ { 0x9b, 0x05, 0xc8, 0x68, 0xff, 0x47, 0xf8, 0x3a, ++ 0xa6, 0x3a, 0xa8, 0xcb, 0x4e, 0x71, 0xb2, 0xe0, ++ 0xb8, 0x7e, 0xf1, 0x37, 0xb6, 0xb4, 0xf6, 0x6d, ++ 0x86, 0x32, 0xfc, 0x1f, 0x5e, 0x1d, 0x1e, 0x50 ++}; ++ ++static const AES_PRNG_MCT aes_256_mct_tv = { ++ /* DT */ ++ {0x31, 0x6e, 0x35, 0x9a, 0xb1, 0x44, 0xf0, 0xee, ++ 0x62, 0x6d, 0x04, 0x46, 0xe0, 0xa3, 0x92, 0x4c}, ++ /* V */ ++ {0x4f, 0xcd, 0xc1, 0x87, 0x82, 0x1f, 0x4d, 0xa1, ++ 0x3e, 0x0e, 0x56, 0x44, 0x59, 0xe8, 0x83, 0xca}, ++ /* R */ ++ {0xc8, 0x87, 0xc2, 0x61, 0x5b, 0xd0, 0xb9, 0xe1, ++ 0xe7, 0xf3, 0x8b, 0xd7, 0x5b, 0xd5, 0xf1, 0x8d} ++}; ++ ++static void dump(const unsigned char *b, int n) ++{ ++ while (n-- > 0) { ++ printf(" %02x", *b++); ++ } ++} ++ ++static void compare(const unsigned char *result, ++ const unsigned char *expected, int n) ++{ ++ int i; ++ ++ for (i = 0; i < n; ++i) ++ if (result[i] != expected[i]) { ++ puts("Random test failed, got:"); ++ dump(result, n); ++ puts("\n expected:"); ++ dump(expected, n); ++ putchar('\n'); ++ EXIT(1); ++ } ++} ++ ++static void run_test(const unsigned char *key, int keylen, ++ const AES_PRNG_MCT * tv) ++{ ++ unsigned char buf[16], dt[16]; ++ int i, j; ++ FIPS_x931_reset(); ++ FIPS_x931_test_mode(); ++ FIPS_x931_set_key(key, keylen); ++ FIPS_x931_seed(tv->V, 16); ++ memcpy(dt, tv->DT, 16); ++ for (i = 0; i < 10000; i++) { ++ FIPS_x931_set_dt(dt); ++ FIPS_x931_bytes(buf, 16); ++ /* Increment DT */ ++ for (j = 15; j >= 0; j--) { ++ dt[j]++; ++ if (dt[j]) ++ break; ++ } ++ } ++ ++ compare(buf, tv->R, 16); ++} ++ ++int main() ++{ ++ run_test(aes_128_mct_key, 16, &aes_128_mct_tv); ++ printf("FIPS PRNG test 1 done\n"); ++ run_test(aes_192_mct_key, 24, &aes_192_mct_tv); ++ printf("FIPS PRNG test 2 done\n"); ++ run_test(aes_256_mct_key, 32, &aes_256_mct_tv); ++ printf("FIPS PRNG test 3 done\n"); ++ return 0; ++} ++ ++#endif +diff -up openssl-1.1.1-pre8/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_rsa_selftest.c +--- openssl-1.1.1-pre8/crypto/fips/fips_rsa_selftest.c.fips 2018-07-25 17:26:58.410624824 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_rsa_selftest.c 2018-07-25 17:26:58.410624824 +0200 +@@ -0,0 +1,578 @@ ++/* ==================================================================== ++ * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#ifdef OPENSSL_FIPS ++# include ++# include "internal/fips_int.h" ++#endif ++#include ++#include ++#include ++#include ++#include "fips_locl.h" ++ ++#ifdef OPENSSL_FIPS ++ ++static int setrsakey(RSA *key) ++{ ++ static const unsigned char keydata_n[] = { ++ 0x00, 0xc9, 0xd5, 0x6d, 0x9d, 0x90, 0xdb, 0x43, 0xd6, 0x02, 0xed, 0x96, 0x88, 0x13, 0x8a, ++ 0xb2, 0xbf, 0x6e, 0xa1, 0x06, 0x10, 0xb2, 0x78, 0x37, 0xa7, 0x14, 0xa8, 0xff, 0xdd, 0x00, ++ 0xdd, 0xb4, 0x93, 0xa0, 0x45, 0xcc, 0x96, 0x90, 0xed, 0xad, 0xa9, 0xdd, 0xc4, 0xd6, 0xca, ++ 0x0c, 0xf0, 0xed, 0x4f, 0x72, 0x5e, 0x21, 0x49, 0x9a, 0x18, 0x12, 0x15, 0x8f, 0x90, 0x5a, ++ 0xdb, 0xb6, 0x33, 0x99, 0xa3, 0xe6, 0xb4, 0xf0, 0xc4, 0x97, 0x21, 0x26, 0xbb, 0xe3, 0xba, ++ 0xf2, 0xff, 0xa0, 0x72, 0xda, 0x89, 0x63, 0x8e, 0x8b, 0x3e, 0x08, 0x9d, 0x92, 0x2a, 0xbe, ++ 0x16, 0xe1, 0x43, 0x15, 0xfc, 0x57, 0xc7, 0x1f, 0x09, 0x11, 0x67, 0x1c, 0xa9, 0x96, 0xd1, ++ 0x8b, 0x3e, 0x80, 0x93, 0xc1, 0x59, 0xd0, 0x6d, 0x39, 0xf2, 0xac, 0x95, 0xcc, 0x10, 0x75, ++ 0xe9, 0x31, 0x24, 0xd1, 0x43, 0xaf, 0x68, 0x52, 0x4b, 0xe7, 0x16, 0xd7, 0x49, 0x65, 0x6f, ++ 0x26, 0xc0, 0x86, 0xad, 0xc0, 0x07, 0x0a, 0xc1, 0xe1, 0x2f, 0x87, 0x85, 0x86, 0x3b, 0xdc, ++ 0x5a, 0x99, 0xbe, 0xe9, 0xf9, 0xb9, 0xe9, 0x82, 0x27, 0x51, 0x04, 0x15, 0xab, 0x06, 0x0e, ++ 0x76, 0x5a, 0x28, 0x8d, 0x92, 0xbd, 0xc5, 0xb5, 0x7b, 0xa8, 0xdf, 0x4e, 0x47, 0xa2, 0xc1, ++ 0xe7, 0x52, 0xbf, 0x47, 0xf7, 0x62, 0xe0, 0x3a, 0x6f, 0x4d, 0x6a, 0x4d, 0x4e, 0xd4, 0xb9, ++ 0x59, 0x69, 0xfa, 0xb2, 0x14, 0xc1, 0xee, 0xe6, 0x2f, 0x95, 0xcd, 0x94, 0x72, 0xae, 0xe4, ++ 0xdb, 0x18, 0x9a, 0xc4, 0xcd, 0x70, 0xbd, 0xee, 0x31, 0x16, 0xb7, 0x49, 0x65, 0xac, 0x40, ++ 0x19, 0x0e, 0xb5, 0x6d, 0x83, 0xf1, 0x36, 0xbb, 0x08, 0x2f, 0x2e, 0x4e, 0x92, 0x62, 0xa4, ++ 0xff, 0x50, 0xdb, 0x20, 0x45, 0xa2, 0xeb, 0x16, 0x7a, 0xf2, 0xd5, 0x28, 0xc1, 0xfd, 0x4e, ++ 0x03, 0x71 ++ }; ++ ++ static const unsigned char keydata_e[] = { 0x01, 0x00, 0x01 }; ++ ++ static const unsigned char keydata_d[] = { ++ 0x36, 0x27, 0x3d, 0xb1, 0xf9, 0x1b, 0xdb, 0xa7, 0xa0, 0x41, 0x7f, 0x12, 0x23, 0xac, 0x23, ++ 0x29, 0x99, 0xd5, 0x3a, 0x7b, 0x60, 0x67, 0x41, 0x07, 0x63, 0x53, 0xb4, 0xd2, 0xe7, 0x58, ++ 0x95, 0x0a, 0xc7, 0x05, 0xf3, 0x4e, 0xb2, 0xb4, 0x12, 0xd4, 0x70, 0xdc, 0x4f, 0x85, 0x06, ++ 0xd3, 0xdd, 0xd8, 0x63, 0x27, 0x3e, 0x67, 0x31, 0x21, 0x24, 0x39, 0x04, 0xbc, 0x06, 0xa4, ++ 0xcc, 0xce, 0x2b, 0x7a, 0xfe, 0x7b, 0xad, 0xde, 0x11, 0x6e, 0xa3, 0xa5, 0xe6, 0x04, 0x53, ++ 0x0e, 0xa3, 0x4e, 0x2d, 0xb4, 0x8f, 0x31, 0xbf, 0xca, 0x75, 0x25, 0x52, 0x02, 0x85, 0xde, ++ 0x3d, 0xb2, 0x72, 0x43, 0xb2, 0x89, 0x8a, 0x9a, 0x34, 0x41, 0x26, 0x3f, 0x9a, 0x67, 0xbe, ++ 0xa4, 0x96, 0x7b, 0x0e, 0x75, 0xba, 0xa6, 0x93, 0xd5, 0xb8, 0xd8, 0xb8, 0x57, 0xf2, 0x4b, ++ 0x0f, 0x14, 0x81, 0xd1, 0x57, 0x4e, 0xf6, 0x45, 0x4c, 0xa6, 0x3b, 0xd0, 0x70, 0xca, 0xd3, ++ 0x9d, 0x55, 0xde, 0x22, 0x05, 0xe7, 0x8e, 0x28, 0x4d, 0xee, 0x11, 0xcf, 0xb6, 0x67, 0x76, ++ 0x09, 0xd3, 0xe3, 0x3c, 0x13, 0xf9, 0x99, 0x34, 0x10, 0x7b, 0xec, 0x81, 0x38, 0xf0, 0xb6, ++ 0x34, 0x9c, 0x9b, 0x50, 0x6f, 0x0b, 0x91, 0x81, 0x4d, 0x89, 0x94, 0x04, 0x7b, 0xf0, 0x3c, ++ 0xf4, 0xb1, 0xb2, 0x00, 0x48, 0x8d, 0x5a, 0x8f, 0x88, 0x9e, 0xc5, 0xab, 0x3a, 0x9e, 0x44, ++ 0x3f, 0x54, 0xe7, 0xd9, 0x6e, 0x47, 0xaa, 0xa1, 0xbd, 0x40, 0x46, 0x31, 0xf9, 0xf0, 0x34, ++ 0xb6, 0x04, 0xe1, 0x2b, 0x5b, 0x73, 0x86, 0xdd, 0x3a, 0x92, 0x1b, 0x71, 0xc7, 0x3f, 0x32, ++ 0xe5, 0xc3, 0xc2, 0xab, 0xa1, 0x7e, 0xbf, 0xa4, 0x52, 0xa0, 0xb0, 0x68, 0x90, 0xd1, 0x20, ++ 0x12, 0x79, 0xe9, 0xd7, 0xc9, 0x40, 0xba, 0xf2, 0x19, 0xc7, 0xa5, 0x00, 0x92, 0x86, 0x0d, ++ 0x01 ++ }; ++ ++ static const unsigned char keydata_p[] = { ++ 0x00, 0xfc, 0x5c, 0x6e, 0x16, 0xce, 0x1f, 0x03, 0x7b, 0xcd, 0xf7, 0xb3, 0x72, 0xb2, 0x8f, ++ 0x16, 0x72, 0xb8, 0x56, 0xae, 0xf7, 0xcd, 0x67, 0xd8, 0x4e, 0x7d, 0x07, 0xaf, 0xd5, 0x43, ++ 0x26, 0xc3, 0x35, 0xbe, 0x43, 0x8f, 0x4e, 0x2f, 0x1c, 0x43, 0x4e, 0x6b, 0xd2, 0xb2, 0xec, ++ 0x52, 0x6d, 0x97, 0x52, 0x2b, 0xcc, 0x5c, 0x3a, 0x6b, 0xf4, 0x14, 0xc6, 0x74, 0xda, 0x66, ++ 0x38, 0x1c, 0x7a, 0x3f, 0x84, 0x2f, 0xe3, 0xf9, 0x5a, 0xb8, 0x65, 0x69, 0x46, 0x06, 0xa3, ++ 0x37, 0x79, 0xb2, 0xa1, 0x5b, 0x58, 0xed, 0x5e, 0xa7, 0x5f, 0x8c, 0x65, 0x66, 0xbb, 0xd1, ++ 0x24, 0x36, 0xe6, 0x37, 0xa7, 0x3d, 0x49, 0x77, 0x8a, 0x8c, 0x34, 0xd8, 0x69, 0x29, 0xf3, ++ 0x4d, 0x58, 0x22, 0xb0, 0x51, 0x24, 0xb6, 0x40, 0xa8, 0x86, 0x59, 0x0a, 0xb7, 0xba, 0x5c, ++ 0x97, 0xda, 0x57, 0xe8, 0x36, 0xda, 0x7a, 0x9c, 0xad ++ }; ++ ++ static const unsigned char keydata_q[] = { ++ 0x00, 0xcc, 0xbe, 0x7b, 0x09, 0x69, 0x06, 0xee, 0x45, 0xbf, 0x88, 0x47, 0x38, 0xa8, 0xf8, ++ 0x17, 0xe5, 0xb6, 0xba, 0x67, 0x55, 0xe3, 0xe8, 0x05, 0x8b, 0xb8, 0xe2, 0x53, 0xd6, 0x8e, ++ 0xef, 0x2c, 0xe7, 0x4f, 0x4a, 0xf7, 0x4e, 0x26, 0x8d, 0x85, 0x0b, 0x3f, 0xec, 0xc3, 0x1c, ++ 0xd4, 0xeb, 0xec, 0x6a, 0xc8, 0x72, 0x2a, 0x25, 0x7d, 0xfd, 0xa6, 0x77, 0x96, 0xf0, 0x1e, ++ 0xcd, 0x28, 0x57, 0xf8, 0x37, 0x30, 0x75, 0x6b, 0xbd, 0xd4, 0x7b, 0x0c, 0x87, 0xc5, 0x6c, ++ 0x87, 0x40, 0xa5, 0xbb, 0x27, 0x2c, 0x78, 0xc9, 0x74, 0x5a, 0x54, 0x5b, 0x0b, 0x30, 0x6f, ++ 0x44, 0x4a, 0xfa, 0x71, 0xe4, 0x21, 0x61, 0x66, 0xf9, 0xee, 0x65, 0xde, 0x7c, 0x04, 0xd7, ++ 0xfd, 0xa9, 0x15, 0x5b, 0x7f, 0xe2, 0x7a, 0xba, 0x69, 0x86, 0x72, 0xa6, 0x06, 0x8d, 0x9b, ++ 0x90, 0x55, 0x60, 0x9e, 0x4c, 0x5d, 0xa9, 0xb6, 0x55 ++ }; ++ ++ static const unsigned char keydata_dmp1[] = { ++ 0x7a, 0xd6, 0x12, 0xd0, 0x0e, 0xec, 0x91, 0xa9, 0x85, 0x8b, 0xf8, 0x50, 0xf0, 0x11, 0x2e, ++ 0x00, 0x11, 0x32, 0x40, 0x60, 0x66, 0x1f, 0x11, 0xee, 0xc2, 0x75, 0x27, 0x65, 0x4b, 0x16, ++ 0x67, 0x16, 0x95, 0xd2, 0x14, 0xc3, 0x1d, 0xb3, 0x48, 0x1f, 0xb7, 0xe4, 0x0b, 0x2b, 0x74, ++ 0xc3, 0xdb, 0x50, 0x27, 0xf9, 0x85, 0x3a, 0xfa, 0xa9, 0x08, 0x23, 0xc1, 0x65, 0x3d, 0x34, ++ 0x3a, 0xc8, 0x56, 0x7a, 0x65, 0x45, 0x36, 0x6e, 0xae, 0x2a, 0xce, 0x9f, 0x43, 0x43, 0xd7, ++ 0x10, 0xe9, 0x9e, 0x18, 0xf4, 0xa4, 0x35, 0xda, 0x8a, 0x6b, 0xb0, 0x3f, 0xdd, 0x53, 0xe3, ++ 0xa8, 0xc5, 0x4e, 0x79, 0x9d, 0x1f, 0x51, 0x8c, 0xa2, 0xca, 0x66, 0x3c, 0x6a, 0x2a, 0xff, ++ 0x8e, 0xd2, 0xf3, 0xb7, 0xcb, 0x82, 0xda, 0xde, 0x2c, 0xe6, 0xd2, 0x8c, 0xb3, 0xad, 0xb6, ++ 0x4c, 0x95, 0x55, 0x76, 0xbd, 0xc9, 0xc8, 0xd1 ++ }; ++ ++ static const unsigned char keydata_dmq1[] = { ++ 0x00, 0x83, 0x23, 0x1d, 0xbb, 0x11, 0x42, 0x17, 0x2b, 0x25, 0x5a, 0x2c, 0x03, 0xe6, 0x75, ++ 0xc1, 0x18, 0xa8, 0xc9, 0x0b, 0x96, 0xbf, 0xba, 0xc4, 0x92, 0x91, 0x80, 0xa5, 0x22, 0x2f, ++ 0xba, 0x91, 0x90, 0x36, 0x01, 0x56, 0x15, 0x00, 0x2c, 0x74, 0xa2, 0x97, 0xf7, 0x15, 0xa1, ++ 0x49, 0xdf, 0x32, 0x35, 0xd2, 0xdd, 0x0c, 0x91, 0xa6, 0xf8, 0xe7, 0xbe, 0x81, 0x36, 0x9b, ++ 0x03, 0xdc, 0x6b, 0x3b, 0xd8, 0x5d, 0x79, 0x57, 0xe0, 0xe6, 0x4f, 0x49, 0xdf, 0x4c, 0x5c, ++ 0x0e, 0xe5, 0x21, 0x41, 0x95, 0xfd, 0xad, 0xff, 0x9a, 0x3e, 0xa0, 0xf9, 0x0f, 0x59, 0x9e, ++ 0x6a, 0xa7, 0x7b, 0x71, 0xa7, 0x24, 0x9a, 0x36, 0x52, 0xae, 0x97, 0x20, 0xc1, 0x5e, 0x78, ++ 0xd9, 0x47, 0x8b, 0x1e, 0x67, 0xf2, 0xaf, 0x98, 0xe6, 0x2d, 0xef, 0x10, 0xd7, 0xf1, 0xab, ++ 0x49, 0xee, 0xe5, 0x4b, 0x7e, 0xae, 0x1f, 0x1d, 0x61 ++ }; ++ ++ static const unsigned char keydata_iqmp[] = { ++ 0x23, 0x96, 0xc1, 0x91, 0x17, 0x5e, 0x0a, 0x83, 0xd2, 0xdc, 0x7b, 0x69, 0xb2, 0x59, 0x1d, ++ 0x33, 0x58, 0x52, 0x3f, 0x18, 0xc7, 0x09, 0x50, 0x1c, 0xb9, 0xa1, 0xbb, 0x4c, 0xa2, 0x38, ++ 0x40, 0x4c, 0x9a, 0x8e, 0xfe, 0x9c, 0x90, 0x92, 0xd0, 0x71, 0x9f, 0x89, 0x99, 0x50, 0x91, ++ 0x1f, 0x34, 0x8b, 0x74, 0x53, 0x11, 0x11, 0x4a, 0x70, 0xe2, 0xf7, 0x30, 0xd8, 0x8c, 0x80, ++ 0xe1, 0xcc, 0x9f, 0xf1, 0x63, 0x17, 0x1a, 0x7d, 0x67, 0x29, 0x4c, 0xcb, 0x4e, 0x74, 0x7b, ++ 0xe0, 0x3e, 0x9e, 0x2f, 0xf4, 0x67, 0x8f, 0xec, 0xb9, 0x5c, 0x00, 0x1e, 0x7e, 0xa2, 0x7b, ++ 0x92, 0xc9, 0x6f, 0x4c, 0xe4, 0x0e, 0xf9, 0x48, 0x63, 0xcd, 0x50, 0x22, 0x5d, 0xbf, 0xb6, ++ 0x9d, 0x01, 0x33, 0x6a, 0xf4, 0x50, 0xbe, 0x86, 0x98, 0x4f, 0xca, 0x3f, 0x3a, 0xfa, 0xcf, ++ 0x07, 0x40, 0xc4, 0xaa, 0xad, 0xae, 0xbe, 0xbf ++ }; ++ ++ int rv = 0; ++ BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL, *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; ++ ++ fips_load_key_component(n, keydata); ++ fips_load_key_component(e, keydata); ++ fips_load_key_component(d, keydata); ++ fips_load_key_component(p, keydata); ++ fips_load_key_component(q, keydata); ++ fips_load_key_component(dmp1, keydata); ++ fips_load_key_component(dmq1, keydata); ++ fips_load_key_component(iqmp, keydata); ++ ++ RSA_set0_key(key, n, e, d); ++ RSA_set0_factors(key, p, q); ++ RSA_set0_crt_params(key, dmp1, dmq1, iqmp); ++ ++ rv = 1; ++err: ++ if (!rv) { ++ BN_free(n); ++ BN_free(e); ++ BN_free(d); ++ BN_free(p); ++ BN_free(q); ++ BN_free(dmp1); ++ BN_free(dmq1); ++ BN_free(iqmp); ++ } ++ return rv; ++} ++ ++/* Known Answer Test (KAT) data for the above RSA private key signing ++ * kat_tbs. ++ */ ++ ++static const unsigned char kat_tbs[] = ++ "OpenSSL FIPS 140-2 Public Key RSA KAT"; ++ ++static const unsigned char kat_RSA_PSS_SHA1[] = { ++ 0xC2, 0x80, 0x82, 0x56, 0xD8, 0xA7, 0xB2, 0x9C, 0xF5, 0xD6, 0x3C, 0xE3, ++ 0xBF, 0xE9, 0x3A, 0x53, 0x40, 0xAE, 0xF2, 0xA9, 0x6A, 0x39, 0x49, 0x5B, ++ 0x05, 0x7F, 0x67, 0x38, 0x2E, 0x1D, 0xE1, 0x93, 0x22, 0x65, 0x79, 0x84, ++ 0x68, 0xFA, 0xD8, 0xAF, 0xA1, 0x98, 0x61, 0x6F, 0x44, 0x27, 0xA6, 0x8B, ++ 0xCF, 0x0E, 0x13, 0xA9, 0xCE, 0xD7, 0x6C, 0xD2, 0x38, 0xB5, 0x16, 0xB9, ++ 0x66, 0x94, 0x48, 0xDE, 0x9E, 0x19, 0x3D, 0x6F, 0xB3, 0xA1, 0x9A, 0x19, ++ 0xDF, 0xFB, 0xAB, 0xA5, 0x9F, 0x38, 0xDA, 0xC9, 0x21, 0x8F, 0xCE, 0x98, ++ 0x01, 0x3A, 0xC8, 0xE0, 0xDF, 0xDA, 0xFC, 0xF0, 0xA6, 0x86, 0x29, 0xB5, ++ 0x7F, 0x61, 0xFB, 0xBA, 0xC5, 0x49, 0xB2, 0x7C, 0x6A, 0x26, 0x82, 0xC4, ++ 0x8F, 0xAA, 0x5B, 0x10, 0xD5, 0xEE, 0xA0, 0x55, 0x42, 0xEF, 0x32, 0x5A, ++ 0x3F, 0x55, 0xB3, 0x2C, 0x22, 0xE9, 0x65, 0xDA, 0x8D, 0x0A, 0xB9, 0x70, ++ 0x43, 0xCC, 0x3F, 0x64, 0x9C, 0xB5, 0x65, 0x49, 0xBD, 0x7F, 0x35, 0xC1, ++ 0x20, 0x85, 0x24, 0xFE, 0xAA, 0x6B, 0x37, 0x04, 0xA1, 0x0E, 0x9D, 0x5C, ++ 0xBA, 0x7F, 0x14, 0x69, 0xC5, 0x93, 0xB2, 0x33, 0xC2, 0xC0, 0xC7, 0xDF, ++ 0x7E, 0x9E, 0xA4, 0xB0, 0xA0, 0x64, 0xD2, 0xAC, 0xFC, 0xFD, 0xFD, 0x99, ++ 0x8F, 0x6A, 0x40, 0x26, 0xC1, 0x2E, 0x4E, 0x8B, 0x33, 0xBE, 0xF1, 0x45, ++ 0x59, 0x8F, 0x33, 0x40, 0x1D, 0x2A, 0xD2, 0xF7, 0x50, 0x83, 0x89, 0xCF, ++ 0x94, 0xC6, 0xF8, 0x36, 0xF0, 0x84, 0x0B, 0x85, 0xA5, 0x02, 0xA9, 0x0F, ++ 0x41, 0x7A, 0x77, 0xA3, 0x2F, 0x47, 0x1E, 0x1D, 0xEC, 0xE6, 0xD3, 0x01, ++ 0x1E, 0x6F, 0x7A, 0x96, 0x50, 0x37, 0x37, 0x4B, 0x27, 0x52, 0x0B, 0xDC, ++ 0xDB, 0xC7, 0xA9, 0x31, 0xB2, 0x40, 0xEE, 0x60, 0x41, 0x26, 0x6A, 0x05, ++ 0xCE, 0x08, 0x1D, 0x89 ++}; ++ ++static const unsigned char kat_RSA_PSS_SHA224[] = { ++ 0xB4, 0x01, 0x93, 0x16, 0x05, 0xF6, 0xEB, 0xE2, 0xA4, 0xEB, 0x48, 0xAA, ++ 0x00, 0xF4, 0xA1, 0x99, 0x0A, 0xB4, 0xB6, 0x63, 0xE9, 0x68, 0xCA, 0xB3, ++ 0x13, 0xD7, 0x66, 0x6A, 0xCD, 0xCB, 0x33, 0x9F, 0xE5, 0x84, 0xE2, 0xC3, ++ 0x0B, 0x53, 0xE5, 0x8B, 0x96, 0x4B, 0xDB, 0x2D, 0x80, 0xA4, 0x1D, 0xE3, ++ 0x81, 0xDC, 0x52, 0x99, 0xBA, 0x9B, 0x6A, 0x9D, 0x48, 0x1F, 0x73, 0xF7, ++ 0xAC, 0x09, 0x13, 0xA1, 0x16, 0x2C, 0x60, 0xFB, 0xBC, 0x25, 0xF7, 0x53, ++ 0xD1, 0x04, 0x5A, 0x3F, 0x95, 0x09, 0x5E, 0xE5, 0xA2, 0x7D, 0xFC, 0x2A, ++ 0x51, 0x1D, 0x21, 0xCE, 0x2B, 0x4E, 0x1B, 0xB8, 0xCB, 0xDD, 0x24, 0xEE, ++ 0x99, 0x1D, 0x37, 0xDC, 0xED, 0x5F, 0x2F, 0x48, 0x5E, 0x33, 0x94, 0x06, ++ 0x19, 0xCD, 0x5A, 0x26, 0x85, 0x77, 0x9D, 0xAF, 0x86, 0x97, 0xC9, 0x08, ++ 0xD5, 0x81, 0x0E, 0xB8, 0x9F, 0xB6, 0xAF, 0x20, 0x72, 0xDC, 0x13, 0x4D, ++ 0x7A, 0xE4, 0x5C, 0x81, 0xDE, 0xC0, 0x3D, 0x19, 0x9C, 0x33, 0x11, 0x07, ++ 0xD5, 0xA9, 0x51, 0x67, 0xCD, 0xFD, 0x37, 0x61, 0x14, 0x9F, 0xE7, 0x70, ++ 0x18, 0x32, 0xC3, 0x34, 0x54, 0x0D, 0x4F, 0xB4, 0xAE, 0x9F, 0xEC, 0x64, ++ 0xD8, 0xB2, 0x16, 0xA4, 0xB2, 0x99, 0x92, 0xCB, 0x7F, 0x1F, 0x06, 0x17, ++ 0x5F, 0xA1, 0x07, 0x68, 0xAE, 0xA7, 0x2D, 0x03, 0x91, 0x2A, 0x9D, 0x69, ++ 0xC2, 0x9D, 0x90, 0xF7, 0xF9, 0x66, 0x5D, 0x13, 0xB7, 0x7F, 0xD3, 0x97, ++ 0x45, 0x97, 0x43, 0xD8, 0xCE, 0x3C, 0xF2, 0x98, 0x98, 0xDD, 0xE2, 0x2D, ++ 0xCF, 0xA1, 0xC4, 0x25, 0x46, 0x2E, 0xD2, 0xE5, 0x5F, 0xC6, 0x01, 0xC5, ++ 0x4F, 0x42, 0x2B, 0xDE, 0x0F, 0xEA, 0x4A, 0x4F, 0xC3, 0x5B, 0xDF, 0x9B, ++ 0x5D, 0x30, 0x18, 0x93, 0xD0, 0xDE, 0xC5, 0x09, 0xAA, 0x57, 0x57, 0xBD, ++ 0x2D, 0x84, 0x03, 0xB7 ++}; ++ ++static const unsigned char kat_RSA_PSS_SHA256[] = { ++ 0x38, 0xDA, 0x99, 0x51, 0x26, 0x38, 0xC6, 0x7F, 0xC4, 0x81, 0x57, 0x19, ++ 0x35, 0xC6, 0xF6, 0x1E, 0x90, 0x47, 0x20, 0x55, 0x47, 0x56, 0x26, 0xE9, ++ 0xF2, 0xA8, 0x39, 0x6C, 0xD5, 0xCD, 0xCB, 0x55, 0xFC, 0x0C, 0xC5, 0xCB, ++ 0xF7, 0x40, 0x17, 0x3B, 0xCF, 0xE4, 0x05, 0x03, 0x3B, 0xA0, 0xB2, 0xC9, ++ 0x0D, 0x5E, 0x48, 0x3A, 0xE9, 0xAD, 0x28, 0x71, 0x7D, 0x8F, 0x89, 0x16, ++ 0x59, 0x93, 0x35, 0xDC, 0x4D, 0x7B, 0xDF, 0x84, 0xE4, 0x68, 0xAA, 0x33, ++ 0xAA, 0xDC, 0x66, 0x50, 0xC8, 0xA9, 0x32, 0x12, 0xDC, 0xC6, 0x90, 0x49, ++ 0x0B, 0x75, 0xFF, 0x9B, 0x95, 0x00, 0x9A, 0x90, 0xE0, 0xD4, 0x0E, 0x67, ++ 0xAB, 0x3C, 0x47, 0x36, 0xC5, 0x2E, 0x1C, 0x46, 0xF0, 0x2D, 0xD3, 0x8B, ++ 0x42, 0x08, 0xDE, 0x0D, 0xB6, 0x2C, 0x86, 0xB0, 0x35, 0x71, 0x18, 0x6B, ++ 0x89, 0x67, 0xC0, 0x05, 0xAD, 0xF4, 0x1D, 0x62, 0x4E, 0x75, 0xEC, 0xD6, ++ 0xC2, 0xDB, 0x07, 0xB0, 0xB6, 0x8D, 0x15, 0xAD, 0xCD, 0xBF, 0xF5, 0x60, ++ 0x76, 0xAE, 0x48, 0xB8, 0x77, 0x7F, 0xC5, 0x01, 0xD9, 0x29, 0xBB, 0xD6, ++ 0x17, 0xA2, 0x20, 0x5A, 0xC0, 0x4A, 0x3B, 0x34, 0xC8, 0xB9, 0x39, 0xCF, ++ 0x06, 0x89, 0x95, 0x6F, 0xC7, 0xCA, 0xC4, 0xE4, 0x43, 0xDF, 0x5A, 0x23, ++ 0xE2, 0x89, 0xA3, 0x38, 0x78, 0x31, 0x38, 0xC6, 0xA4, 0x6F, 0x5F, 0x73, ++ 0x5A, 0xE5, 0x9E, 0x09, 0xE7, 0x6F, 0xD4, 0xF8, 0x3E, 0xB7, 0xB0, 0x56, ++ 0x9A, 0xF3, 0x65, 0xF0, 0xC2, 0xA6, 0x8A, 0x08, 0xBA, 0x44, 0xAC, 0x97, ++ 0xDE, 0xB4, 0x16, 0x83, 0xDF, 0xE3, 0xEE, 0x71, 0xFA, 0xF9, 0x51, 0x50, ++ 0x14, 0xDC, 0xFD, 0x6A, 0x82, 0x20, 0x68, 0x64, 0x7D, 0x4E, 0x82, 0x68, ++ 0xD7, 0x45, 0xFA, 0x6A, 0xE4, 0xE5, 0x29, 0x3A, 0x70, 0xFB, 0xE4, 0x62, ++ 0x2B, 0x31, 0xB9, 0x7D ++}; ++ ++static const unsigned char kat_RSA_PSS_SHA384[] = { ++ 0x99, 0x02, 0xC9, 0x1E, 0x31, 0x82, 0xB4, 0xE6, 0x1B, 0x32, 0xCE, 0x5D, ++ 0x41, 0x1D, 0x00, 0x2F, 0x04, 0x8B, 0xBD, 0x37, 0x79, 0xCF, 0x77, 0x03, ++ 0x05, 0x6A, 0x21, 0xC7, 0x8D, 0x24, 0x60, 0x49, 0x39, 0x58, 0xC5, 0x27, ++ 0x8F, 0xC5, 0x97, 0x4A, 0xB2, 0xE1, 0xD4, 0x36, 0x57, 0xBD, 0x43, 0xCC, ++ 0x7B, 0xCE, 0xF2, 0xA5, 0x30, 0xF8, 0x72, 0x14, 0xBB, 0xD0, 0x9F, 0xC1, ++ 0x49, 0xC8, 0x1C, 0xAF, 0xCD, 0x95, 0x78, 0x72, 0x25, 0xF9, 0x45, 0xC6, ++ 0x5B, 0x62, 0x5E, 0x01, 0xD7, 0x40, 0x5E, 0xC8, 0xCA, 0x0A, 0xF3, 0xBA, ++ 0x08, 0x07, 0x88, 0xCA, 0x49, 0x36, 0x84, 0x7D, 0xF6, 0xFC, 0x5A, 0xDB, ++ 0xFC, 0x50, 0xD3, 0xEB, 0x3D, 0x83, 0xB0, 0xF5, 0x94, 0x5E, 0x88, 0xC3, ++ 0x82, 0xCD, 0x53, 0x40, 0x96, 0x18, 0x6B, 0x4A, 0x6C, 0x9C, 0xFE, 0xE5, ++ 0x3B, 0x75, 0xF9, 0xEB, 0xA5, 0x77, 0x11, 0xEF, 0x88, 0x1C, 0x25, 0x70, ++ 0x7D, 0x88, 0x5D, 0xC3, 0xCA, 0xE1, 0x49, 0x14, 0x90, 0xAD, 0xF2, 0x5E, ++ 0x49, 0xD7, 0x99, 0xA5, 0x7B, 0x77, 0x3B, 0x8E, 0xB8, 0xDB, 0xF1, 0x4C, ++ 0xD6, 0x9A, 0xDC, 0xE5, 0x7A, 0x1C, 0xE1, 0xCE, 0x9D, 0xF1, 0xF3, 0xA0, ++ 0x0A, 0x35, 0x52, 0x9D, 0xB9, 0x46, 0x94, 0x82, 0x0F, 0xF7, 0xB2, 0x62, ++ 0x51, 0x70, 0x75, 0xD2, 0x37, 0x96, 0x67, 0x2F, 0xD0, 0x22, 0xD8, 0x07, ++ 0x8D, 0x69, 0x9E, 0x6D, 0x0B, 0x40, 0x4F, 0x70, 0xEC, 0x0B, 0xCA, 0x88, ++ 0x80, 0x8D, 0x9A, 0xF4, 0xF9, 0x18, 0x50, 0x27, 0x08, 0xFA, 0xCC, 0xC7, ++ 0x3F, 0xE4, 0x84, 0x83, 0xA1, 0xB6, 0x1D, 0x23, 0x34, 0xFE, 0x48, 0xE5, ++ 0xE3, 0xAE, 0x4D, 0x98, 0xBC, 0xA6, 0x8A, 0x9F, 0xFD, 0x4D, 0xDB, 0x9D, ++ 0xF7, 0xEB, 0x4E, 0xB6, 0x6F, 0x25, 0xEA, 0x7A, 0xE9, 0x85, 0xB2, 0xEF, ++ 0x90, 0xD2, 0xA6, 0x2B ++}; ++ ++static const unsigned char kat_RSA_PSS_SHA512[] = { ++ 0x3F, 0x83, 0x43, 0x78, 0x25, 0xBE, 0x81, 0xB2, 0x6E, 0x78, 0x11, 0x32, ++ 0xD0, 0x88, 0x05, 0x53, 0x95, 0xED, 0x81, 0x12, 0xCE, 0x50, 0xD9, 0x06, ++ 0x42, 0x89, 0xA0, 0x55, 0x7A, 0x05, 0x13, 0x94, 0x35, 0x9B, 0xCA, 0x5D, ++ 0xCB, 0xB2, 0x32, 0xE1, 0x04, 0x99, 0xEC, 0xE7, 0xA6, 0x69, 0x4D, 0x2B, ++ 0xC1, 0x57, 0x13, 0x48, 0x0D, 0x6B, 0x4D, 0x83, 0x28, 0x06, 0x79, 0x9D, ++ 0xB4, 0x70, 0xCE, 0xC0, 0xFC, 0x3B, 0x69, 0xB3, 0x91, 0x54, 0xA9, 0x44, ++ 0x2E, 0xDA, 0x4A, 0xC5, 0xC2, 0x99, 0xF0, 0xDE, 0xCA, 0x77, 0x99, 0x6B, ++ 0x0C, 0x79, 0xE5, 0x29, 0x74, 0x83, 0x69, 0xEA, 0xB8, 0x72, 0x30, 0x3D, ++ 0x7A, 0x30, 0xE1, 0x03, 0x7B, 0x09, 0xE6, 0x11, 0xC0, 0xDC, 0xFF, 0xFD, ++ 0xBD, 0xEC, 0x9C, 0xCC, 0x46, 0x7B, 0x4C, 0x4C, 0x59, 0xBE, 0x82, 0x7C, ++ 0xF5, 0x60, 0x5A, 0xC3, 0xE8, 0xA8, 0x8A, 0x38, 0x9E, 0x01, 0x57, 0xF1, ++ 0x79, 0x3A, 0x7C, 0xA3, 0x9F, 0x12, 0x1A, 0x4F, 0x2E, 0xA2, 0xE5, 0x0A, ++ 0xAB, 0xC0, 0xF4, 0xA5, 0xE3, 0x5F, 0x89, 0x1C, 0x8F, 0xA4, 0x5E, 0xCE, ++ 0x0D, 0x91, 0x05, 0x1B, 0x17, 0x62, 0x48, 0xFE, 0xA5, 0x4C, 0xEF, 0x2D, ++ 0x28, 0xF1, 0x5E, 0xE6, 0xD1, 0x30, 0x89, 0x0A, 0xAD, 0x18, 0xAF, 0x6F, ++ 0x04, 0x09, 0x36, 0x9A, 0xFF, 0xCA, 0xA1, 0xA7, 0x05, 0x7F, 0xD4, 0xBF, ++ 0x3A, 0xB5, 0x42, 0x6D, 0xE9, 0x07, 0x29, 0x65, 0x8B, 0xAD, 0x4D, 0x0F, ++ 0x22, 0xE1, 0x59, 0x43, 0x68, 0x87, 0xA8, 0x8B, 0xBC, 0x69, 0xA1, 0x94, ++ 0x22, 0x3E, 0x8A, 0x49, 0xE8, 0xA3, 0x6F, 0xC2, 0x93, 0x58, 0xE7, 0xAE, ++ 0xC9, 0x1F, 0xCF, 0x61, 0x93, 0xFC, 0xC1, 0xF6, 0xF3, 0x27, 0x7F, 0x0A, ++ 0x90, 0xE0, 0x65, 0x32, 0x57, 0x47, 0xE2, 0xED, 0x08, 0x59, 0xA6, 0xF0, ++ 0x17, 0x2C, 0x13, 0xE0 ++}; ++ ++static const unsigned char kat_RSA_SHA1[] = { ++ 0x3B, 0x60, 0x4B, 0xFC, 0x54, 0x28, 0x23, 0xE6, 0x2F, 0x05, 0x04, 0xBA, ++ 0x9D, 0xE4, 0x3C, 0xB8, 0x5B, 0x60, 0x5C, 0xCD, 0x9D, 0xEA, 0xC3, 0x4C, ++ 0xC2, 0x33, 0xE6, 0xC6, 0x21, 0x48, 0x76, 0xEC, 0xB2, 0xF5, 0x11, 0xDE, ++ 0x44, 0xB4, 0xAF, 0x16, 0x11, 0xC3, 0x18, 0x16, 0xB3, 0x69, 0xBB, 0x94, ++ 0xED, 0xE8, 0xB3, 0x9E, 0xB1, 0x43, 0x8E, 0xCE, 0xB4, 0x34, 0x9B, 0x08, ++ 0x22, 0xAF, 0x31, 0x73, 0xB5, 0xFA, 0x11, 0x7E, 0x8F, 0x13, 0x52, 0xEC, ++ 0xC9, 0x03, 0xEE, 0x0D, 0x2B, 0x91, 0x32, 0xF2, 0x8E, 0xDF, 0x02, 0xE0, ++ 0x0A, 0x47, 0xD2, 0x0A, 0x51, 0x00, 0x1A, 0x30, 0x6F, 0x0C, 0xB3, 0x54, ++ 0x64, 0x20, 0x90, 0x0C, 0x01, 0xBE, 0xC0, 0x42, 0x8C, 0x5D, 0x18, 0x6F, ++ 0x32, 0x75, 0x45, 0x7B, 0x1C, 0x04, 0xA2, 0x9F, 0x84, 0xD7, 0xF5, 0x3A, ++ 0x95, 0xD4, 0xE8, 0x8D, 0xEC, 0x99, 0xEF, 0x18, 0x5E, 0x64, 0xD3, 0xAF, ++ 0xF8, 0xD4, 0xFF, 0x3C, 0x87, 0xA0, 0x3F, 0xC7, 0x22, 0x05, 0xFD, 0xFD, ++ 0x29, 0x8A, 0x28, 0xDA, 0xA9, 0x8A, 0x8B, 0x23, 0x62, 0x9D, 0x42, 0xB8, ++ 0x4A, 0x76, 0x0D, 0x9F, 0x9A, 0xE0, 0xE6, 0xDD, 0xAD, 0x5E, 0x5F, 0xD5, ++ 0x32, 0xE9, 0x4B, 0x97, 0x7D, 0x62, 0x0A, 0xB3, 0xBE, 0xF2, 0x8C, 0x1F, ++ 0x2B, 0x22, 0x06, 0x15, 0x33, 0x71, 0xED, 0x9B, 0xA0, 0x82, 0xCE, 0xBF, ++ 0x3B, 0x08, 0x5F, 0xA7, 0x20, 0x94, 0x09, 0xEB, 0x82, 0xA5, 0x41, 0x60, ++ 0xF1, 0x08, 0xEB, 0x8D, 0xCC, 0x8D, 0xC9, 0x52, 0x0A, 0xAF, 0xF4, 0xF9, ++ 0x9F, 0x82, 0xD8, 0x0B, 0x75, 0x5E, 0xE4, 0xAF, 0x65, 0x96, 0xAF, 0xFC, ++ 0x33, 0xBF, 0x9F, 0x3E, 0xA4, 0x7B, 0x86, 0xC7, 0xF7, 0x47, 0xAB, 0x37, ++ 0x05, 0xD6, 0x0D, 0x31, 0x72, 0x8C, 0x80, 0x1E, 0xA9, 0x54, 0xFC, 0xDF, ++ 0x27, 0x90, 0xE2, 0x01 ++}; ++ ++static const unsigned char kat_RSA_SHA224[] = { ++ 0xA2, 0xD8, 0x42, 0x53, 0xDD, 0xBF, 0x1F, 0x6B, 0x07, 0xE0, 0x60, 0x86, ++ 0x5A, 0x60, 0x06, 0x8F, 0x44, 0xD9, 0xB0, 0x4A, 0xAA, 0x90, 0x71, 0xB8, ++ 0xB2, 0xBC, 0x30, 0x41, 0x50, 0xBB, 0xFD, 0x46, 0x98, 0x4D, 0xC0, 0x89, ++ 0x57, 0x85, 0x8A, 0x97, 0x49, 0x25, 0xA8, 0x0C, 0x69, 0x70, 0x19, 0x39, ++ 0x66, 0x24, 0xB4, 0x69, 0x47, 0xD2, 0x7C, 0xDE, 0x2D, 0x37, 0x59, 0xB3, ++ 0xE3, 0xC7, 0x6B, 0xDD, 0xBE, 0xE1, 0xE6, 0x28, 0x9A, 0x8D, 0x42, 0x3E, ++ 0x28, 0x01, 0xD7, 0x03, 0xC9, 0x73, 0xC3, 0x6B, 0x03, 0xEC, 0x1E, 0xF8, ++ 0x53, 0x8B, 0x52, 0x42, 0x89, 0x55, 0xB7, 0x87, 0xA9, 0x94, 0xC2, 0xB4, ++ 0x4B, 0x76, 0xF5, 0x61, 0x47, 0xE1, 0x44, 0x7B, 0xEC, 0xB4, 0x25, 0x66, ++ 0xC0, 0xFF, 0xEB, 0x86, 0x24, 0xAA, 0xA8, 0x72, 0xC7, 0xFB, 0xFB, 0xF6, ++ 0x84, 0xA7, 0x5B, 0xD4, 0x87, 0xE5, 0x84, 0x56, 0x1E, 0x4C, 0xE5, 0xBC, ++ 0x87, 0x94, 0xAC, 0x9C, 0x1B, 0x3D, 0xF7, 0xD4, 0x36, 0x85, 0x9F, 0xC9, ++ 0xF6, 0x43, 0x3F, 0xB6, 0x25, 0x33, 0x48, 0x0F, 0xE5, 0x7C, 0xCD, 0x53, ++ 0x48, 0xEB, 0x02, 0x11, 0xB9, 0x9E, 0xC3, 0xB4, 0xE1, 0x54, 0xD6, 0xAA, ++ 0x1A, 0x9E, 0x10, 0xE1, 0x27, 0x25, 0xF2, 0xE1, 0xAB, 0xAB, 0x6C, 0x45, ++ 0x61, 0xD5, 0xA3, 0x6C, 0xB6, 0x33, 0x52, 0xAE, 0x3D, 0xFD, 0x22, 0xFC, ++ 0x3A, 0xAB, 0x63, 0x94, 0xB5, 0x3A, 0x69, 0x11, 0xAC, 0x99, 0x4F, 0x33, ++ 0x67, 0x0A, 0x1A, 0x70, 0x1E, 0xB9, 0xE2, 0x26, 0x27, 0x68, 0xEA, 0xF5, ++ 0x97, 0x55, 0xAC, 0x83, 0x6A, 0x40, 0x3B, 0x56, 0xAE, 0x13, 0x88, 0xE8, ++ 0x98, 0x72, 0x52, 0x91, 0x7F, 0x78, 0x0A, 0x18, 0xD4, 0x44, 0x78, 0x83, ++ 0x0D, 0x44, 0x77, 0xA6, 0xF3, 0x04, 0xF1, 0x8C, 0xBC, 0x2F, 0xF9, 0x5B, ++ 0xDB, 0x70, 0x00, 0xF6 ++}; ++ ++static const unsigned char kat_RSA_SHA256[] = { ++ 0xC2, 0xB1, 0x97, 0x00, 0x9A, 0xE5, 0x80, 0x6A, 0xE2, 0x51, 0x68, 0xB9, ++ 0x7A, 0x0C, 0xF2, 0xB4, 0x77, 0xED, 0x15, 0x0C, 0x4E, 0xE1, 0xDC, 0xFF, ++ 0x8E, 0xBC, 0xDE, 0xC7, 0x9A, 0x96, 0xF1, 0x47, 0x45, 0x24, 0x9D, 0x6F, ++ 0xA6, 0xF3, 0x1D, 0x0D, 0x35, 0x4C, 0x1A, 0xF3, 0x58, 0x2C, 0x6C, 0x06, ++ 0xD6, 0x22, 0x37, 0x77, 0x8C, 0x33, 0xE5, 0x07, 0x53, 0x93, 0x28, 0xCF, ++ 0x67, 0xFA, 0xC4, 0x1F, 0x1B, 0x24, 0xDB, 0x4C, 0xC5, 0x2A, 0x51, 0xA2, ++ 0x60, 0x15, 0x8C, 0x54, 0xB4, 0x30, 0xE2, 0x24, 0x47, 0x86, 0xF2, 0xF8, ++ 0x6C, 0xD6, 0x12, 0x59, 0x2C, 0x74, 0x9A, 0x37, 0xF3, 0xC4, 0xA2, 0xD5, ++ 0x4E, 0x1F, 0x77, 0xF0, 0x27, 0xCE, 0x77, 0xF8, 0x4A, 0x79, 0x03, 0xBE, ++ 0xC8, 0x06, 0x2D, 0xA7, 0xA6, 0x46, 0xF5, 0x55, 0x79, 0xD7, 0x5C, 0xC6, ++ 0x5B, 0xB1, 0x00, 0x4E, 0x7C, 0xD9, 0x11, 0x85, 0xE0, 0xB1, 0x4D, 0x2D, ++ 0x13, 0xD7, 0xAC, 0xEA, 0x64, 0xD1, 0xAC, 0x8F, 0x8D, 0x8F, 0xEA, 0x42, ++ 0x7F, 0xF9, 0xB7, 0x7D, 0x2C, 0x68, 0x49, 0x07, 0x7A, 0x74, 0xEF, 0xB4, ++ 0xC9, 0x97, 0x16, 0x5C, 0x6C, 0x6E, 0x5C, 0x09, 0x2E, 0x8E, 0x13, 0x2E, ++ 0x1A, 0x8D, 0xA6, 0x0C, 0x6E, 0x0C, 0x1C, 0x0F, 0xCC, 0xB2, 0x78, 0x8A, ++ 0x07, 0xFC, 0x5C, 0xC2, 0xF5, 0x65, 0xEC, 0xAB, 0x8B, 0x3C, 0xCA, 0x91, ++ 0x6F, 0x84, 0x7C, 0x21, 0x0E, 0xB8, 0xDA, 0x7B, 0x6C, 0xF7, 0xDF, 0xAB, ++ 0x7E, 0x15, 0xFD, 0x85, 0x0B, 0x33, 0x9B, 0x6A, 0x3A, 0xC3, 0xEF, 0x65, ++ 0x04, 0x6E, 0xB2, 0xAC, 0x98, 0xFD, 0xEB, 0x02, 0xF5, 0xC0, 0x0B, 0x5E, ++ 0xCB, 0xD4, 0x83, 0x82, 0x18, 0x1B, 0xDA, 0xB4, 0xCD, 0xE8, 0x71, 0x6B, ++ 0x1D, 0xB5, 0x4F, 0xE9, 0xD6, 0x43, 0xA0, 0x0A, 0x14, 0xA0, 0xE7, 0x5D, ++ 0x47, 0x9D, 0x18, 0xD7 ++}; ++ ++static const unsigned char kat_RSA_SHA384[] = { ++ 0x11, 0x5E, 0x63, 0xFE, 0x47, 0xAA, 0x6A, 0x84, 0xEB, 0x44, 0x9A, 0x00, ++ 0x96, 0x4A, 0xED, 0xD2, 0xA7, 0x67, 0x3A, 0x64, 0x82, 0x30, 0x61, 0x2D, ++ 0xE3, 0xF5, 0x49, 0x68, 0x5E, 0x60, 0xD2, 0x4D, 0xEF, 0xF2, 0xA4, 0xB2, ++ 0x9A, 0x81, 0x1D, 0x41, 0xA5, 0x73, 0x59, 0xEB, 0xBB, 0xC4, 0x9E, 0x2B, ++ 0xEB, 0xC3, 0xDE, 0x3A, 0xEA, 0xF5, 0xAD, 0xDA, 0x87, 0x08, 0x68, 0xCF, ++ 0x12, 0x9B, 0xC1, 0xE4, 0xA7, 0x71, 0xF8, 0xBD, 0x6B, 0x6F, 0x50, 0xF1, ++ 0xD1, 0xFF, 0xCE, 0x6C, 0xD9, 0xBE, 0xDA, 0x76, 0xF3, 0xEB, 0xAB, 0x9C, ++ 0x41, 0x6E, 0x4F, 0x35, 0x7A, 0x61, 0x27, 0xBC, 0x03, 0x3E, 0xAE, 0x3E, ++ 0x1B, 0xDD, 0xAC, 0xD9, 0x1A, 0xFF, 0xD3, 0xF5, 0x66, 0x43, 0x07, 0x76, ++ 0x8A, 0x69, 0x2D, 0x14, 0xB1, 0xBE, 0x55, 0x49, 0x90, 0x89, 0x4B, 0xC4, ++ 0x11, 0x67, 0xD5, 0x9D, 0xB0, 0xB2, 0xEE, 0x8D, 0x0A, 0x47, 0x4A, 0xD9, ++ 0x0E, 0xD1, 0x24, 0xF0, 0x30, 0x2B, 0xF2, 0x79, 0x47, 0xDB, 0x70, 0xB4, ++ 0x46, 0xF2, 0xF8, 0xB7, 0xB4, 0xF6, 0x34, 0x79, 0xA8, 0x2D, 0x3D, 0x56, ++ 0xD5, 0x9A, 0x60, 0x7A, 0x04, 0xC7, 0x66, 0x1D, 0xCD, 0x3C, 0xD5, 0x39, ++ 0x37, 0x12, 0x51, 0x5E, 0x9F, 0xF8, 0x1A, 0xAF, 0x13, 0xC1, 0x13, 0x00, ++ 0x35, 0xD5, 0x8D, 0x17, 0xE3, 0x02, 0x28, 0xD9, 0xEC, 0xDE, 0xD1, 0x2F, ++ 0x93, 0x49, 0x03, 0x11, 0x3E, 0x56, 0x9D, 0xC2, 0x31, 0xF8, 0xAF, 0x2D, ++ 0xD9, 0x99, 0xB7, 0x8A, 0xAC, 0x5A, 0x86, 0x20, 0x3A, 0x83, 0x29, 0x26, ++ 0x9D, 0x03, 0x52, 0x2B, 0x34, 0x56, 0x40, 0x16, 0x53, 0x50, 0x82, 0xC9, ++ 0xC7, 0xD5, 0x51, 0x4C, 0xED, 0xB3, 0xE2, 0xE1, 0xCF, 0xA8, 0xCE, 0xBD, ++ 0xB1, 0x48, 0xA6, 0x8A, 0x79, 0x17, 0x55, 0x11, 0xEF, 0xE8, 0x14, 0xF4, ++ 0x7E, 0x37, 0x1D, 0x96 ++}; ++ ++static const unsigned char kat_RSA_SHA512[] = { ++ 0x35, 0x6D, 0xF1, 0x9E, 0xCF, 0xB1, 0xF6, 0x0C, 0x04, 0x21, 0x17, 0xB3, ++ 0xC4, 0x9D, 0xFE, 0x62, 0x1C, 0x1A, 0x45, 0x00, 0x2E, 0x6B, 0xB6, 0x9F, ++ 0x5C, 0xB1, 0xCB, 0xCF, 0xF9, 0x67, 0xEA, 0x62, 0x8A, 0xEB, 0x77, 0x02, ++ 0x42, 0x30, 0x88, 0xB1, 0x48, 0xDF, 0x12, 0x60, 0x6E, 0x92, 0xBB, 0x4B, ++ 0x09, 0x68, 0xD1, 0x70, 0x2B, 0x59, 0xEE, 0x57, 0x96, 0xF9, 0xEA, 0xA3, ++ 0x4C, 0xE9, 0xC9, 0xBD, 0x25, 0x34, 0x66, 0x15, 0x6C, 0xC9, 0x81, 0xD1, ++ 0x48, 0x0F, 0x33, 0x5F, 0x05, 0x4F, 0xC2, 0xC4, 0xDD, 0x09, 0x54, 0x79, ++ 0xA1, 0x57, 0x07, 0x70, 0xA0, 0x33, 0x02, 0x4D, 0x5D, 0xE9, 0x24, 0xD1, ++ 0xEF, 0xF0, 0x61, 0xD0, 0x1D, 0x41, 0xE2, 0x9B, 0x2B, 0x7C, 0xD0, 0x4E, ++ 0x55, 0xD9, 0x6D, 0xA1, 0x16, 0x9F, 0xDA, 0xC3, 0x3B, 0xF1, 0x74, 0xD1, ++ 0x99, 0xF1, 0x63, 0x57, 0xAD, 0xC7, 0x55, 0xF4, 0x97, 0x43, 0x1C, 0xED, ++ 0x1B, 0x7A, 0x32, 0xCB, 0x24, 0xA6, 0x3D, 0x93, 0x37, 0x90, 0x74, 0xEE, ++ 0xD2, 0x8D, 0x4B, 0xBC, 0x72, 0xDA, 0x25, 0x2B, 0x64, 0xE9, 0xCA, 0x69, ++ 0x36, 0xB6, 0xEC, 0x6E, 0x8F, 0x33, 0x0E, 0x74, 0x40, 0x48, 0x51, 0xE2, ++ 0x54, 0x6F, 0xAF, 0x6E, 0x36, 0x54, 0x3A, 0xEC, 0x78, 0x37, 0xE6, 0x1F, ++ 0x76, 0xA5, 0x4D, 0xA6, 0xD9, 0xB3, 0x6B, 0x17, 0x6D, 0x61, 0xFC, 0xA3, ++ 0x85, 0x4A, 0xCC, 0xDA, 0x52, 0xAC, 0x5B, 0xDA, 0x51, 0xE5, 0x7F, 0x5B, ++ 0x52, 0x8B, 0x74, 0x75, 0x99, 0x5C, 0x01, 0xFD, 0x25, 0x3E, 0xCD, 0x86, ++ 0x6F, 0x7A, 0xC0, 0xD8, 0x17, 0x6F, 0xD1, 0xD2, 0x6B, 0xAB, 0x14, 0x1F, ++ 0x3B, 0xB8, 0x15, 0x05, 0x86, 0x40, 0x36, 0xCF, 0xDA, 0x59, 0x2B, 0x9A, ++ 0xE9, 0x1E, 0x6E, 0xD3, 0x6B, 0xA1, 0x19, 0xC5, 0xE6, 0x3F, 0xE9, 0x2E, ++ 0x43, 0xA8, 0x34, 0x0A ++}; ++ ++static int fips_rsa_encrypt_test(RSA *rsa, const unsigned char *plaintext, ++ int ptlen) ++{ ++ unsigned char *ctbuf = NULL, *ptbuf = NULL; ++ int ret = 0; ++ int len; ++ ++ ctbuf = OPENSSL_malloc(RSA_size(rsa)); ++ if (!ctbuf) ++ goto err; ++ ++ len = RSA_public_encrypt(ptlen, plaintext, ctbuf, rsa, RSA_PKCS1_PADDING); ++ if (len <= 0) ++ goto err; ++ /* Check ciphertext doesn't match plaintext */ ++ if (len >= ptlen && !memcmp(plaintext, ctbuf, ptlen)) ++ goto err; ++ ++ ptbuf = OPENSSL_malloc(RSA_size(rsa)); ++ if (!ptbuf) ++ goto err; ++ ++ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING); ++ if (len != ptlen) ++ goto err; ++ if (memcmp(ptbuf, plaintext, len)) ++ goto err; ++ ++ ret = 1; ++ ++ err: ++ if (ctbuf) ++ OPENSSL_free(ctbuf); ++ if (ptbuf) ++ OPENSSL_free(ptbuf); ++ return ret; ++} ++ ++int FIPS_selftest_rsa() ++{ ++ int ret = 0; ++ RSA *key; ++ EVP_PKEY *pk = NULL; ++ ++ if ((key = RSA_new()) == NULL) ++ goto err; ++ ++ if (!setrsakey(key)) ++ goto err; ++ ++ if ((pk = EVP_PKEY_new()) == NULL) ++ goto err; ++ ++ EVP_PKEY_set1_RSA(pk, key); ++ ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_SHA1, sizeof(kat_RSA_SHA1), ++ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1, ++ "RSA SHA1 PKCS#1")) ++ goto err; ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_SHA224, sizeof(kat_RSA_SHA224), ++ EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PKCS1, ++ "RSA SHA224 PKCS#1")) ++ goto err; ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_SHA256, sizeof(kat_RSA_SHA256), ++ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1, ++ "RSA SHA256 PKCS#1")) ++ goto err; ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_SHA384, sizeof(kat_RSA_SHA384), ++ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PKCS1, ++ "RSA SHA384 PKCS#1")) ++ goto err; ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_SHA512, sizeof(kat_RSA_SHA512), ++ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PKCS1, ++ "RSA SHA512 PKCS#1")) ++ goto err; ++ ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_PSS_SHA1, sizeof(kat_RSA_PSS_SHA1), ++ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS, ++ "RSA SHA1 PSS")) ++ goto err; ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_PSS_SHA224, ++ sizeof(kat_RSA_PSS_SHA224), EVP_sha224(), ++ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA224 PSS")) ++ goto err; ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_PSS_SHA256, ++ sizeof(kat_RSA_PSS_SHA256), EVP_sha256(), ++ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA256 PSS")) ++ goto err; ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_PSS_SHA384, ++ sizeof(kat_RSA_PSS_SHA384), EVP_sha384(), ++ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA384 PSS")) ++ goto err; ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_PSS_SHA512, ++ sizeof(kat_RSA_PSS_SHA512), EVP_sha512(), ++ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA512 PSS")) ++ goto err; ++ ++ if (!fips_rsa_encrypt_test(key, kat_tbs, sizeof(kat_tbs) - 1)) ++ goto err; ++ ++ ret = 1; ++ ++ err: ++ if (pk) ++ EVP_PKEY_free(pk); ++ if (key) ++ RSA_free(key); ++ return ret; ++} ++ ++#endif /* def OPENSSL_FIPS */ +diff -up openssl-1.1.1-pre8/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.1-pre8/crypto/fips/fips_sha_selftest.c +--- openssl-1.1.1-pre8/crypto/fips/fips_sha_selftest.c.fips 2018-07-25 17:26:58.410624824 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_sha_selftest.c 2018-07-25 17:26:58.410624824 +0200 +@@ -0,0 +1,138 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#ifdef OPENSSL_FIPS ++# include ++#endif ++#include ++#include ++ ++#ifdef OPENSSL_FIPS ++static const char test[][60] = { ++ "", ++ "abc", ++ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" ++}; ++ ++static const unsigned char ret[][SHA_DIGEST_LENGTH] = { ++ {0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55, ++ 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09}, ++ {0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a, 0xba, 0x3e, ++ 0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d}, ++ {0x84, 0x98, 0x3e, 0x44, 0x1c, 0x3b, 0xd2, 0x6e, 0xba, 0xae, ++ 0x4a, 0xa1, 0xf9, 0x51, 0x29, 0xe5, 0xe5, 0x46, 0x70, 0xf1}, ++}; ++ ++int FIPS_selftest_sha1() ++{ ++ int n; ++ ++ for (n = 0; n < sizeof(test) / sizeof(test[0]); ++n) { ++ unsigned char md[SHA_DIGEST_LENGTH]; ++ ++ EVP_Digest(test[n], strlen(test[n]), md, NULL, ++ EVP_sha1(), NULL); ++ if (memcmp(md, ret[n], sizeof md)) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA1, FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } ++ } ++ return 1; ++} ++ ++static const unsigned char msg_sha256[] = ++ { 0xfa, 0x48, 0x59, 0x2a, 0xe1, 0xae, 0x1f, 0x30, ++ 0xfc ++}; ++ ++static const unsigned char dig_sha256[] = ++ { 0xf7, 0x26, 0xd8, 0x98, 0x47, 0x91, 0x68, 0x5b, ++ 0x9e, 0x39, 0xb2, 0x58, 0xbb, 0x75, 0xbf, 0x01, ++ 0x17, 0x0c, 0x84, 0x00, 0x01, 0x7a, 0x94, 0x83, ++ 0xf3, 0x0b, 0x15, 0x84, 0x4b, 0x69, 0x88, 0x8a ++}; ++ ++static const unsigned char msg_sha512[] = ++ { 0x37, 0xd1, 0x35, 0x9d, 0x18, 0x41, 0xe9, 0xb7, ++ 0x6d, 0x9a, 0x13, 0xda, 0x5f, 0xf3, 0xbd ++}; ++ ++static const unsigned char dig_sha512[] = ++ { 0x11, 0x13, 0xc4, 0x19, 0xed, 0x2b, 0x1d, 0x16, ++ 0x11, 0xeb, 0x9b, 0xbe, 0xf0, 0x7f, 0xcf, 0x44, ++ 0x8b, 0xd7, 0x57, 0xbd, 0x8d, 0xa9, 0x25, 0xb0, ++ 0x47, 0x25, 0xd6, 0x6c, 0x9a, 0x54, 0x7f, 0x8f, ++ 0x0b, 0x53, 0x1a, 0x10, 0x68, 0x32, 0x03, 0x38, ++ 0x82, 0xc4, 0x87, 0xc4, 0xea, 0x0e, 0xd1, 0x04, ++ 0xa9, 0x98, 0xc1, 0x05, 0xa3, 0xf3, 0xf8, 0xb1, ++ 0xaf, 0xbc, 0xd9, 0x78, 0x7e, 0xee, 0x3d, 0x43 ++}; ++ ++int FIPS_selftest_sha2(void) ++{ ++ unsigned char md[SHA512_DIGEST_LENGTH]; ++ ++ EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL); ++ if (memcmp(dig_sha256, md, sizeof(dig_sha256))) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } ++ ++ EVP_Digest(msg_sha512, sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL); ++ if (memcmp(dig_sha512, md, sizeof(dig_sha512))) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } ++ ++ return 1; ++} ++ ++#endif +diff -up openssl-1.1.1-pre8/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1-pre8/crypto/fips/fips_standalone_hmac.c +--- openssl-1.1.1-pre8/crypto/fips/fips_standalone_hmac.c.fips 2018-07-25 17:26:58.410624824 +0200 ++++ openssl-1.1.1-pre8/crypto/fips/fips_standalone_hmac.c 2018-07-25 17:26:58.410624824 +0200 +@@ -0,0 +1,127 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++int main(int argc, char **argv) ++{ ++#ifdef OPENSSL_FIPS ++ static char key[] = "orboDeJITITejsirpADONivirpUkvarP"; ++ int n, binary = 0; ++ ++ if (argc < 2) { ++ fprintf(stderr, "%s []+\n", argv[0]); ++ exit(1); ++ } ++ ++ n = 1; ++ if (!strcmp(argv[n], "-binary")) { ++ n++; ++ binary = 1; /* emit binary fingerprint... */ ++ } ++ ++ for (; n < argc; ++n) { ++ FILE *f = fopen(argv[n], "rb"); ++ HMAC_CTX *hmac_ctx; ++ unsigned char mac[EVP_MAX_MD_SIZE]; ++ unsigned int len; ++ unsigned int i; ++ ++ if (!f) { ++ perror(argv[n]); ++ exit(2); ++ } ++ hmac_ctx = HMAC_CTX_new(); ++ if (!hmac_ctx) ++ exit(3); ++ ++ if (HMAC_Init_ex(hmac_ctx, key, strlen(key), EVP_sha256(), NULL) <= 0) { ++ fprintf(stderr, "HMAC SHA256 initialization failed.\n"); ++ exit(4); ++ } ++ ++ for (;;) { ++ char buf[1024]; ++ size_t l = fread(buf, 1, sizeof buf, f); ++ ++ if (l == 0) { ++ if (ferror(f)) { ++ perror(argv[n]); ++ exit(3); ++ } else ++ break; ++ } ++ if (HMAC_Update(hmac_ctx, buf, l) <= 0) { ++ fprintf(stderr, "HMAC_Update() failed.\n"); ++ exit(4); ++ } ++ } ++ if (HMAC_Final(hmac_ctx, mac, &len) <= 0) { ++ fprintf(stderr, "HMAC_Final() failed.\n"); ++ exit(4); ++ } ++ ++ if (binary) { ++ fwrite(mac, len, 1, stdout); ++ break; /* ... for single(!) file */ ++ } ++ ++/* printf("HMAC-SHA1(%s)= ",argv[n]); */ ++ for (i = 0; i < len; ++i) ++ printf("%02x", mac[i]); ++ printf("\n"); ++ } ++#endif ++ return 0; ++} +diff -up openssl-1.1.1-pre8/crypto/hmac/hmac.c.fips openssl-1.1.1-pre8/crypto/hmac/hmac.c +--- openssl-1.1.1-pre8/crypto/hmac/hmac.c.fips 2018-06-20 16:48:11.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/hmac/hmac.c 2018-07-25 17:26:58.410624824 +0200 +@@ -35,6 +35,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo + } + + if (key != NULL) { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(EVP_MD_flags(md) & EVP_MD_FLAG_FIPS) ++ && (!EVP_MD_CTX_test_flags(ctx->md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) ++ || !EVP_MD_CTX_test_flags(ctx->i_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) ++ || !EVP_MD_CTX_test_flags(ctx->o_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))) ++ goto err; ++#endif + reset = 1; + j = EVP_MD_block_size(md); + if (!ossl_assert(j <= (int)sizeof(ctx->key))) +diff -up openssl-1.1.1-pre8/crypto/include/internal/fips_int.h.fips openssl-1.1.1-pre8/crypto/include/internal/fips_int.h +--- openssl-1.1.1-pre8/crypto/include/internal/fips_int.h.fips 2018-07-25 17:26:58.410624824 +0200 ++++ openssl-1.1.1-pre8/crypto/include/internal/fips_int.h 2018-07-25 17:26:58.410624824 +0200 +@@ -0,0 +1,101 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++ ++#ifndef OPENSSL_FIPS ++# error FIPS is disabled. ++#endif ++ ++#ifdef OPENSSL_FIPS ++ ++int FIPS_module_mode_set(int onoff); ++int FIPS_module_mode(void); ++int FIPS_module_installed(void); ++int FIPS_selftest_sha1(void); ++int FIPS_selftest_sha2(void); ++int FIPS_selftest_aes_ccm(void); ++int FIPS_selftest_aes_gcm(void); ++int FIPS_selftest_aes_xts(void); ++int FIPS_selftest_aes(void); ++int FIPS_selftest_des(void); ++int FIPS_selftest_rsa(void); ++int FIPS_selftest_dsa(void); ++int FIPS_selftest_ecdsa(void); ++int FIPS_selftest_ecdh(void); ++int FIPS_selftest_dh(void); ++void FIPS_drbg_stick(int onoff); ++int FIPS_selftest_hmac(void); ++int FIPS_selftest_drbg(void); ++int FIPS_selftest_cmac(void); ++ ++int fips_pkey_signature_test(EVP_PKEY *pkey, ++ const unsigned char *tbs, int tbslen, ++ const unsigned char *kat, ++ unsigned int katlen, ++ const EVP_MD *digest, ++ unsigned int md_flags, const char *fail_str); ++ ++int fips_cipher_test(EVP_CIPHER_CTX *ctx, ++ const EVP_CIPHER *cipher, ++ const unsigned char *key, ++ const unsigned char *iv, ++ const unsigned char *plaintext, ++ const unsigned char *ciphertext, int len); ++ ++void fips_set_selftest_fail(void); ++ ++const EVP_MD *FIPS_get_digestbynid(int nid); ++ ++const EVP_CIPHER *FIPS_get_cipherbynid(int nid); ++ ++void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr); ++ ++#endif +diff -up openssl-1.1.1-pre8/crypto/o_fips.c.fips openssl-1.1.1-pre8/crypto/o_fips.c +--- openssl-1.1.1-pre8/crypto/o_fips.c.fips 2018-06-20 16:48:11.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/o_fips.c 2018-07-25 17:26:58.410624824 +0200 +@@ -11,14 +11,25 @@ + + int FIPS_mode(void) + { ++#ifdef OPENSSL_FIPS ++ return FIPS_module_mode(); ++#else + /* This version of the library does not support FIPS mode. */ + return 0; ++#endif + } + + int FIPS_mode_set(int r) + { ++#ifdef OPENSSL_FIPS ++ if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */ ++ return 1; ++ if (!FIPS_module_mode_set(r)) ++ return 0; ++#else + if (r == 0) + return 1; + CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED); + return 0; ++#endif + } +diff -up openssl-1.1.1-pre8/crypto/o_init.c.fips openssl-1.1.1-pre8/crypto/o_init.c +--- openssl-1.1.1-pre8/crypto/o_init.c.fips 2018-06-20 16:48:11.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/o_init.c 2018-07-25 17:26:58.410624824 +0200 +@@ -7,8 +7,68 @@ + * https://www.openssl.org/source/license.html + */ + ++/* for secure_getenv */ ++#define _GNU_SOURCE + #include "e_os.h" + #include ++#ifdef OPENSSL_FIPS ++# include ++# include ++# include ++# include ++# include ++# include ++# include ++# include ++# include "internal/fips_int.h" ++ ++# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" ++ ++static void init_fips_mode(void) ++{ ++ char buf[2] = "0"; ++ int fd; ++ ++ /* Ensure the selftests always run */ ++ /* XXX: TO SOLVE - premature initialization due to selftests */ ++ FIPS_mode_set(1); ++ ++ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { ++ buf[0] = '1'; ++ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { ++ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; ++ close(fd); ++ } ++ /* Failure reading the fips mode switch file means just not ++ * switching into FIPS mode. We would break too many things ++ * otherwise.. ++ */ ++ ++ if (buf[0] != '1') { ++ /* drop down to non-FIPS mode if it is not requested */ ++ FIPS_mode_set(0); ++ } else { ++ /* abort if selftest failed */ ++ FIPS_selftest_check(); ++ } ++} ++ ++/* ++ * Perform FIPS module power on selftest and automatic FIPS mode switch. ++ */ ++ ++void __attribute__ ((constructor)) OPENSSL_init_library(void) ++{ ++ static int done = 0; ++ if (done) ++ return; ++ done = 1; ++ if (!FIPS_module_installed()) { ++ return; ++ } ++ init_fips_mode(); ++} ++#endif + + /* + * Perform any essential OpenSSL initialization operations. Currently does +diff -up openssl-1.1.1-pre8/crypto/rand/rand_lib.c.fips openssl-1.1.1-pre8/crypto/rand/rand_lib.c +--- openssl-1.1.1-pre8/crypto/rand/rand_lib.c.fips 2018-06-20 16:48:11.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/rand/rand_lib.c 2018-07-25 17:26:58.410624824 +0200 +@@ -16,6 +16,10 @@ + #include "internal/thread_once.h" + #include "rand_lcl.h" + #include "e_os.h" ++#ifdef OPENSSL_FIPS ++# include ++# include ++#endif + + #ifndef OPENSSL_NO_ENGINE + /* non-NULL if default_RAND_meth is ENGINE-provided */ +@@ -778,3 +782,15 @@ int RAND_status(void) + return meth->status(); + return 0; + } ++ ++#ifdef OPENSSL_FIPS ++void RAND_set_fips_drbg_type(int type, int flags) ++{ /* just a stub for ABI compatibility */ ++} ++ ++int RAND_init_fips(void) ++{ ++ /* just a stub for ABI compatibility */ ++ return 1; ++} ++#endif +diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_crpt.c.fips openssl-1.1.1-pre8/crypto/rsa/rsa_crpt.c +--- openssl-1.1.1-pre8/crypto/rsa/rsa_crpt.c.fips 2018-06-20 16:48:11.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/rsa/rsa_crpt.c 2018-07-25 17:26:58.411624848 +0200 +@@ -27,24 +27,52 @@ int RSA_size(const RSA *r) + int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, + RSA *rsa, int padding) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) ++ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { ++ RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD); ++ return -1; ++ } ++#endif + return rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding); + } + + int RSA_private_encrypt(int flen, const unsigned char *from, + unsigned char *to, RSA *rsa, int padding) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { ++ RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, ++ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE); ++ return -1; ++ } ++#endif + return rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding); + } + + int RSA_private_decrypt(int flen, const unsigned char *from, + unsigned char *to, RSA *rsa, int padding) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) ++ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { ++ RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD); ++ return -1; ++ } ++#endif + return rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding); + } + + int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to, + RSA *rsa, int padding) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { ++ RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, ++ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE); ++ return -1; ++ } ++#endif + return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding); + } + +diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_err.c.fips openssl-1.1.1-pre8/crypto/rsa/rsa_err.c +--- openssl-1.1.1-pre8/crypto/rsa/rsa_err.c.fips 2018-06-20 16:48:11.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/rsa/rsa_err.c 2018-07-25 17:26:58.411624848 +0200 +@@ -16,6 +16,8 @@ + static const ERR_STRING_DATA RSA_str_functs[] = { + {ERR_PACK(ERR_LIB_RSA, RSA_F_CHECK_PADDING_MD, 0), "check_padding_md"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_ENCODE_PKCS1, 0), "encode_pkcs1"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_FIPS_RSA_BUILTIN_KEYGEN, 0), ++ "fips_rsa_builtin_keygen"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_INT_RSA_VERIFY, 0), "int_rsa_verify"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_OLD_RSA_PRIV_DECODE, 0), + "old_rsa_priv_decode"}, +@@ -32,6 +34,9 @@ static const ERR_STRING_DATA RSA_str_fun + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CHECK_KEY_EX, 0), "RSA_check_key_ex"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_DECRYPT, 0), "rsa_cms_decrypt"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_VERIFY, 0), "rsa_cms_verify"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_KEY_EX, 0), "RSA_generate_key_ex"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, 0), ++ "RSA_generate_multi_prime_key"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_ITEM_VERIFY, 0), "rsa_item_verify"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_METH_DUP, 0), "RSA_meth_dup"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_METH_NEW, 0), "RSA_meth_new"}, +@@ -90,9 +95,13 @@ static const ERR_STRING_DATA RSA_str_fun + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRINT_FP, 0), "RSA_print_fp"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_DECODE, 0), "rsa_priv_decode"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_ENCODE, 0), "rsa_priv_encode"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_DECRYPT, 0), "RSA_private_decrypt"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_ENCRYPT, 0), "RSA_private_encrypt"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_GET_PARAM, 0), "rsa_pss_get_param"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_TO_CTX, 0), "rsa_pss_to_ctx"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUB_DECODE, 0), "rsa_pub_decode"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_DECRYPT, 0), "RSA_public_decrypt"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_ENCRYPT, 0), "RSA_public_encrypt"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SETUP_BLINDING, 0), "RSA_setup_blinding"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN, 0), "RSA_sign"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN_ASN1_OCTET_STRING, 0), +@@ -102,6 +111,8 @@ static const ERR_STRING_DATA RSA_str_fun + "RSA_verify_ASN1_OCTET_STRING"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, 0), + "RSA_verify_PKCS1_PSS_mgf1"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_DEFAULT_METHOD, 0), "RSA_set_default_method"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_METHOD, 0), "RSA_set_method"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_SETUP_TBUF, 0), "setup_tbuf"}, + {0, NULL} + }; +@@ -181,6 +192,7 @@ static const ERR_STRING_DATA RSA_str_rea + "mp exponent not congruent to d"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_R_NOT_PRIME), "mp r not prime"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NO_PUBLIC_EXPONENT), "no public exponent"}, ++ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NON_FIPS_RSA_METHOD), "non FIPS rsa method"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NULL_BEFORE_BLOCK_MISSING), + "null before block missing"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES), +@@ -189,6 +201,8 @@ static const ERR_STRING_DATA RSA_str_rea + "n does not equal p q"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OAEP_DECODING_ERROR), + "oaep decoding error"}, ++ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE), ++ "operation not allowed in FIPS mode"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), + "operation not supported for this keytype"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_PADDING_CHECK_FAILED), +@@ -224,6 +238,8 @@ static const ERR_STRING_DATA RSA_str_rea + "unsupported mask algorithm"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_MASK_PARAMETER), + "unsupported mask parameter"}, ++ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_PARAMETERS), ++ "unsupported parameters"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_SIGNATURE_TYPE), + "unsupported signature type"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_VALUE_MISSING), "value missing"}, +diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_gen.c.fips openssl-1.1.1-pre8/crypto/rsa/rsa_gen.c +--- openssl-1.1.1-pre8/crypto/rsa/rsa_gen.c.fips 2018-06-20 16:48:11.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/rsa/rsa_gen.c 2018-07-25 17:26:58.411624848 +0200 +@@ -18,6 +18,78 @@ + #include "internal/cryptlib.h" + #include + #include "rsa_locl.h" ++#ifdef OPENSSL_FIPS ++# include ++# include "internal/fips_int.h" ++ ++int fips_check_rsa(RSA *rsa) ++{ ++ const unsigned char tbs[] = "RSA Pairwise Check Data"; ++ unsigned char *ctbuf = NULL, *ptbuf = NULL; ++ int len, ret = 0; ++ EVP_PKEY *pk; ++ ++ if ((pk = EVP_PKEY_new()) == NULL) ++ goto err; ++ ++ EVP_PKEY_set1_RSA(pk, rsa); ++ ++ /* Perform pairwise consistency signature test */ ++ if (!fips_pkey_signature_test(pk, tbs, -1, ++ NULL, 0, EVP_sha1(), ++ EVP_MD_CTX_FLAG_PAD_PKCS1, NULL) ++ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(), ++ EVP_MD_CTX_FLAG_PAD_X931, NULL) ++ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(), ++ EVP_MD_CTX_FLAG_PAD_PSS, NULL)) ++ goto err; ++ /* Now perform pairwise consistency encrypt/decrypt test */ ++ ctbuf = OPENSSL_malloc(RSA_size(rsa)); ++ if (!ctbuf) ++ goto err; ++ ++ len = ++ RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa, ++ RSA_PKCS1_PADDING); ++ if (len <= 0) ++ goto err; ++ /* Check ciphertext doesn't match plaintext */ ++ if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len)) ++ goto err; ++ ptbuf = OPENSSL_malloc(RSA_size(rsa)); ++ ++ if (!ptbuf) ++ goto err; ++ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING); ++ if (len != (sizeof(tbs) - 1)) ++ goto err; ++ if (memcmp(ptbuf, tbs, len)) ++ goto err; ++ ++ ret = 1; ++ ++ if (!ptbuf) ++ goto err; ++ ++ err: ++ if (ret == 0) { ++ fips_set_selftest_fail(); ++ FIPSerr(FIPS_F_FIPS_CHECK_RSA, FIPS_R_PAIRWISE_TEST_FAILED); ++ } ++ ++ if (ctbuf) ++ OPENSSL_free(ctbuf); ++ if (ptbuf) ++ OPENSSL_free(ptbuf); ++ if (pk) ++ EVP_PKEY_free(pk); ++ ++ return ret; ++} ++ ++static int fips_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, ++ BN_GENCB *cb); ++#endif + + static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value, + BN_GENCB *cb); +@@ -31,6 +103,13 @@ static int rsa_builtin_keygen(RSA *rsa, + */ + int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) ++ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { ++ RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD); ++ return 0; ++ } ++#endif + if (rsa->meth->rsa_keygen != NULL) + return rsa->meth->rsa_keygen(rsa, bits, e_value, cb); + +@@ -41,6 +120,13 @@ int RSA_generate_key_ex(RSA *rsa, int bi + int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes, + BIGNUM *e_value, BN_GENCB *cb) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) ++ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { ++ RSAerr(RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, RSA_R_NON_FIPS_RSA_METHOD); ++ return 0; ++ } ++#endif + /* multi-prime is only supported with the builtin key generation */ + if (rsa->meth->rsa_multi_prime_keygen != NULL) { + return rsa->meth->rsa_multi_prime_keygen(rsa, bits, primes, +@@ -57,10 +143,285 @@ int RSA_generate_multi_prime_key(RSA *rs + else + return 0; + } +- ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ if (primes != 2) { ++ RSAerr(RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, RSA_R_UNSUPPORTED_PARAMETERS); ++ return 0; ++ } ++ return fips_rsa_builtin_keygen(rsa, bits, e_value, cb); ++ } ++#endif + return rsa_builtin_keygen(rsa, bits, primes, e_value, cb); + } + ++#ifdef OPENSSL_FIPS ++static int fips_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, ++ BN_GENCB *cb) ++{ ++ BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp; ++ BN_CTX *ctx = NULL; ++ int ok = -1; ++ int i; ++ int n = 0; ++ int test = 0; ++ int pbits = bits / 2; ++ unsigned long error = 0; ++ ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED); ++ return 0; ++ } ++ ++ if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS ++ || (getenv("OPENSSL_ENFORCE_MODULUS_BITS") && bits < 2048)) { ++ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_KEY_TOO_SHORT); ++ return 0; ++ } ++ if ((pbits & 0xFF) != 0) { ++ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_INVALID_KEY_LENGTH); ++ return 0; ++ } ++ ++ ctx = BN_CTX_new(); ++ if (ctx == NULL) ++ goto err; ++ BN_CTX_start(ctx); ++ r0 = BN_CTX_get(ctx); ++ r1 = BN_CTX_get(ctx); ++ r2 = BN_CTX_get(ctx); ++ r3 = BN_CTX_get(ctx); ++ ++ if (r3 == NULL) ++ goto err; ++ ++ /* We need the RSA components non-NULL */ ++ if (!rsa->n && ((rsa->n = BN_new()) == NULL)) ++ goto err; ++ if (!rsa->d && ((rsa->d = BN_secure_new()) == NULL)) ++ goto err; ++ if (!rsa->e && ((rsa->e = BN_new()) == NULL)) ++ goto err; ++ if (!rsa->p && ((rsa->p = BN_secure_new()) == NULL)) ++ goto err; ++ if (!rsa->q && ((rsa->q = BN_secure_new()) == NULL)) ++ goto err; ++ if (!rsa->dmp1 && ((rsa->dmp1 = BN_secure_new()) == NULL)) ++ goto err; ++ if (!rsa->dmq1 && ((rsa->dmq1 = BN_secure_new()) == NULL)) ++ goto err; ++ if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL)) ++ goto err; ++ ++ if (!BN_set_word(r0, RSA_F4)) ++ goto err; ++ if (BN_cmp(e_value, r0) < 0 || BN_num_bits(e_value) > 256) { ++ ok = 0; /* we set our own err */ ++ RSAerr(RSA_F_FIPS_RSA_BUILTIN_KEYGEN, RSA_R_BAD_E_VALUE); ++ goto err; ++ } ++ ++ /* prepare approximate minimum p and q */ ++ if (!BN_set_word(r0, 0xB504F334)) ++ goto err; ++ if (!BN_lshift(r0, r0, pbits - 32)) ++ goto err; ++ ++ /* prepare minimum p and q difference */ ++ if (!BN_one(r3)) ++ goto err; ++ if (!BN_lshift(r3, r3, pbits - 100)) ++ goto err; ++ ++ BN_copy(rsa->e, e_value); ++ ++ if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q)) ++ test = 1; ++ ++ BN_set_flags(r0, BN_FLG_CONSTTIME); ++ BN_set_flags(r1, BN_FLG_CONSTTIME); ++ BN_set_flags(r2, BN_FLG_CONSTTIME); ++ BN_set_flags(rsa->p, BN_FLG_CONSTTIME); ++ BN_set_flags(rsa->q, BN_FLG_CONSTTIME); ++ ++ retry: ++ /* generate p and q */ ++ for (i = 0; i < 5 * pbits; i++) { ++ ploop: ++ if (!test) ++ if (!BN_rand(rsa->p, pbits, 0, 1)) ++ goto err; ++ if (BN_cmp(rsa->p, r0) < 0) { ++ if (test) ++ goto err; ++ goto ploop; ++ } ++ ++ if (!BN_sub(r2, rsa->p, BN_value_one())) ++ goto err; ++ ERR_set_mark(); ++ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) { ++ /* GCD == 1 since inverse exists */ ++ int r; ++ r = BN_is_prime_fasttest_ex(rsa->p, pbits > 1024 ? 4 : 5, ctx, 0, ++ cb); ++ if (r == -1 || (test && r <= 0)) ++ goto err; ++ if (r > 0) ++ break; ++ } else { ++ error = ERR_peek_last_error(); ++ if (ERR_GET_LIB(error) == ERR_LIB_BN ++ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) { ++ /* GCD != 1 */ ++ ERR_pop_to_mark(); ++ } else { ++ goto err; ++ } ++ } ++ if (!BN_GENCB_call(cb, 2, n++)) ++ goto err; ++ } ++ ++ if (!BN_GENCB_call(cb, 3, 0)) ++ goto err; ++ ++ if (i >= 5 * pbits) ++ /* prime not found */ ++ goto err; ++ ++ for (i = 0; i < 5 * pbits; i++) { ++ qloop: ++ if (!test) ++ if (!BN_rand(rsa->q, pbits, 0, 1)) ++ goto err; ++ if (BN_cmp(rsa->q, r0) < 0) { ++ if (test) ++ goto err; ++ goto qloop; ++ } ++ if (!BN_sub(r2, rsa->q, rsa->p)) ++ goto err; ++ if (BN_ucmp(r2, r3) <= 0) { ++ if (test) ++ goto err; ++ goto qloop; ++ } ++ ++ if (!BN_sub(r2, rsa->q, BN_value_one())) ++ goto err; ++ ERR_set_mark(); ++ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) { ++ /* GCD == 1 since inverse exists */ ++ int r; ++ r = BN_is_prime_fasttest_ex(rsa->q, pbits > 1024 ? 4 : 5, ctx, 0, ++ cb); ++ if (r == -1 || (test && r <= 0)) ++ goto err; ++ if (r > 0) ++ break; ++ } else { ++ error = ERR_peek_last_error(); ++ if (ERR_GET_LIB(error) == ERR_LIB_BN ++ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) { ++ /* GCD != 1 */ ++ ERR_pop_to_mark(); ++ } else { ++ goto err; ++ } ++ } ++ if (!BN_GENCB_call(cb, 2, n++)) ++ goto err; ++ } ++ ++ if (!BN_GENCB_call(cb, 3, 1)) ++ goto err; ++ ++ if (i >= 5 * pbits) ++ /* prime not found */ ++ goto err; ++ ++ if (test) { ++ /* do not try to calculate the remaining key values */ ++ BN_clear(rsa->n); ++ ok = 1; ++ goto err; ++ } ++ ++ if (BN_cmp(rsa->p, rsa->q) < 0) { ++ tmp = rsa->p; ++ rsa->p = rsa->q; ++ rsa->q = tmp; ++ } ++ ++ /* calculate n */ ++ if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx)) ++ goto err; ++ ++ /* calculate d */ ++ if (!BN_sub(r1, rsa->p, BN_value_one())) ++ goto err; /* p-1 */ ++ if (!BN_sub(r2, rsa->q, BN_value_one())) ++ goto err; /* q-1 */ ++ ++ /* note that computing gcd is not safe to timing attacks */ ++ if (!BN_gcd(r0, r1, r2, ctx)) ++ goto err; ++ ++ { ++ if (!BN_div(r0, NULL, r1, r0, ctx)) ++ goto err; ++ ++ if (!BN_mul(r0, r0, r2, ctx)) /* lcm(p-1, q-1) */ ++ goto err; ++ ++ if (!BN_mod_inverse(rsa->d, rsa->e, r0, ctx)) /* d */ ++ goto err; ++ } ++ ++ if (BN_num_bits(rsa->d) < pbits) ++ goto retry; /* d is too small */ ++ ++ { ++ BIGNUM *d = BN_new(); ++ ++ if (d == NULL) ++ goto err; ++ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); ++ ++ if (/* calculate d mod (p-1) */ ++ !BN_mod(rsa->dmp1, d, r1, ctx) ++ /* calculate d mod (q-1) */ ++ || !BN_mod(rsa->dmq1, d, r2, ctx)) { ++ BN_free(d); ++ goto err; ++ } ++ /* We MUST free d before any further use of rsa->d */ ++ BN_free(d); ++ } ++ ++ /* calculate inverse of q mod p */ ++ if (!BN_mod_inverse(rsa->iqmp, rsa->q, rsa->p, ctx)) ++ goto err; ++ ++ if (!fips_check_rsa(rsa)) ++ goto err; ++ ++ ok = 1; ++ err: ++ if (ok == -1) { ++ RSAerr(RSA_F_FIPS_RSA_BUILTIN_KEYGEN, ERR_LIB_BN); ++ ok = 0; ++ } ++ if (ctx != NULL) { ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ } ++ ++ return ok; ++} ++#endif ++ + static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value, + BN_GENCB *cb) + { +diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_lib.c.fips openssl-1.1.1-pre8/crypto/rsa/rsa_lib.c +--- openssl-1.1.1-pre8/crypto/rsa/rsa_lib.c.fips 2018-06-20 16:48:11.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/rsa/rsa_lib.c 2018-07-25 17:26:58.411624848 +0200 +@@ -34,6 +34,12 @@ int RSA_set_method(RSA *rsa, const RSA_M + * to deal with which ENGINE it comes from. + */ + const RSA_METHOD *mtmp; ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) { ++ RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_RSA_METHOD); ++ return 0; ++ } ++#endif + mtmp = rsa->meth; + if (mtmp->finish) + mtmp->finish(rsa); +@@ -66,7 +72,6 @@ RSA *RSA_new_method(ENGINE *engine) + + ret->meth = RSA_get_default_method(); + #ifndef OPENSSL_NO_ENGINE +- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; + if (engine) { + if (!ENGINE_init(engine)) { + RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB); +@@ -84,8 +89,19 @@ RSA *RSA_new_method(ENGINE *engine) + } + } + #endif ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD)) { ++ RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_RSA_METHOD); ++# ifndef OPENSSL_NO_ENGINE ++ if (ret->engine) ++ ENGINE_finish(ret->engine); ++# endif ++ OPENSSL_free(ret); ++ return NULL; ++ } ++#endif + +- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; ++ ret->flags = ret->meth->flags; + if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { + goto err; + } +diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1-pre8/crypto/rsa/rsa_ossl.c +--- openssl-1.1.1-pre8/crypto/rsa/rsa_ossl.c.fips 2018-06-20 16:48:11.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/rsa/rsa_ossl.c 2018-07-25 17:26:58.411624848 +0200 +@@ -11,6 +11,10 @@ + #include "internal/bn_int.h" + #include "rsa_locl.h" + ++#ifdef OPENSSL_FIPS ++# include ++#endif ++ + static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, + unsigned char *to, RSA *rsa, int padding); + static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, +@@ -46,6 +50,12 @@ static const RSA_METHOD *default_RSA_met + + void RSA_set_default_method(const RSA_METHOD *meth) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) { ++ RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_RSA_METHOD); ++ return; ++ } ++#endif + default_RSA_meth = meth; + } + +@@ -72,6 +82,22 @@ static int rsa_ossl_public_encrypt(int f + unsigned char *buf = NULL; + BN_CTX *ctx = NULL; + ++# ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT, ++ FIPS_R_FIPS_SELFTEST_FAILED); ++ goto err; ++ } ++ ++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) ++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { ++ RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); ++ return -1; ++ } ++ } ++# endif ++ + if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { + RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); + return -1; +@@ -251,6 +277,22 @@ static int rsa_ossl_private_encrypt(int + BIGNUM *unblind = NULL; + BN_BLINDING *blinding = NULL; + ++# ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT, ++ FIPS_R_FIPS_SELFTEST_FAILED); ++ return -1; ++ } ++ ++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) ++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { ++ RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); ++ return -1; ++ } ++ } ++# endif ++ + if ((ctx = BN_CTX_new()) == NULL) + goto err; + BN_CTX_start(ctx); +@@ -388,6 +430,22 @@ static int rsa_ossl_private_decrypt(int + BIGNUM *unblind = NULL; + BN_BLINDING *blinding = NULL; + ++# ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_RSA_OSSL_PRIVATE_DECRYPT, ++ FIPS_R_FIPS_SELFTEST_FAILED); ++ return -1; ++ } ++ ++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) ++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { ++ RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); ++ return -1; ++ } ++ } ++# endif ++ + if ((ctx = BN_CTX_new()) == NULL) + goto err; + BN_CTX_start(ctx); +@@ -513,6 +571,22 @@ static int rsa_ossl_public_decrypt(int f + unsigned char *buf = NULL; + BN_CTX *ctx = NULL; + ++# ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_RSA_OSSL_PUBLIC_DECRYPT, ++ FIPS_R_FIPS_SELFTEST_FAILED); ++ goto err; ++ } ++ ++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) ++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { ++ RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); ++ return -1; ++ } ++ } ++# endif ++ + if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { + RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); + return -1; +diff -up openssl-1.1.1-pre8/crypto/rsa/rsa_sign.c.fips openssl-1.1.1-pre8/crypto/rsa/rsa_sign.c +--- openssl-1.1.1-pre8/crypto/rsa/rsa_sign.c.fips 2018-06-20 16:48:11.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/rsa/rsa_sign.c 2018-07-25 17:26:58.411624848 +0200 +@@ -73,6 +73,13 @@ int RSA_sign(int type, const unsigned ch + unsigned char *tmps = NULL; + const unsigned char *encoded = NULL; + ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) ++ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { ++ RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD); ++ return 0; ++ } ++#endif + if (rsa->meth->rsa_sign) { + return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa); + } +@@ -100,8 +107,9 @@ int RSA_sign(int type, const unsigned ch + RSAerr(RSA_F_RSA_SIGN, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); + goto err; + } +- encrypt_len = RSA_private_encrypt(encoded_len, encoded, sigret, rsa, +- RSA_PKCS1_PADDING); ++ /* NB: call underlying method directly to avoid FIPS blocking */ ++ encrypt_len = rsa->meth->rsa_priv_enc ? rsa->meth->rsa_priv_enc(encoded_len, encoded, sigret, rsa, ++ RSA_PKCS1_PADDING) : 0; + if (encrypt_len <= 0) + goto err; + +diff -up openssl-1.1.1-pre8/crypto/sha/sha_locl.h.fips openssl-1.1.1-pre8/crypto/sha/sha_locl.h +--- openssl-1.1.1-pre8/crypto/sha/sha_locl.h.fips 2018-07-25 17:26:57.885612242 +0200 ++++ openssl-1.1.1-pre8/crypto/sha/sha_locl.h 2018-07-25 17:26:58.412624872 +0200 +@@ -52,6 +52,9 @@ void sha1_block_data_order(SHA_CTX *c, c + + int HASH_INIT(SHA_CTX *c) + { ++#if defined(OPENSSL_FIPS) ++ FIPS_selftest_check(); ++#endif + memset(c, 0, sizeof(*c)); + c->h0 = INIT_DATA_h0; + c->h1 = INIT_DATA_h1; +diff -up openssl-1.1.1-pre8/crypto/sha/sha256.c.fips openssl-1.1.1-pre8/crypto/sha/sha256.c +--- openssl-1.1.1-pre8/crypto/sha/sha256.c.fips 2018-06-20 16:48:11.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/sha/sha256.c 2018-07-25 17:26:58.412624872 +0200 +@@ -18,6 +18,9 @@ + + int SHA224_Init(SHA256_CTX *c) + { ++# ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++# endif + memset(c, 0, sizeof(*c)); + c->h[0] = 0xc1059ed8UL; + c->h[1] = 0x367cd507UL; +@@ -33,6 +36,9 @@ int SHA224_Init(SHA256_CTX *c) + + int SHA256_Init(SHA256_CTX *c) + { ++# ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++# endif + memset(c, 0, sizeof(*c)); + c->h[0] = 0x6a09e667UL; + c->h[1] = 0xbb67ae85UL; +diff -up openssl-1.1.1-pre8/crypto/sha/sha512.c.fips openssl-1.1.1-pre8/crypto/sha/sha512.c +--- openssl-1.1.1-pre8/crypto/sha/sha512.c.fips 2018-06-20 16:48:11.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/sha/sha512.c 2018-07-25 17:26:58.412624872 +0200 +@@ -98,6 +98,9 @@ int sha512_256_init(SHA512_CTX *c) + + int SHA384_Init(SHA512_CTX *c) + { ++# ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++# endif + c->h[0] = U64(0xcbbb9d5dc1059ed8); + c->h[1] = U64(0x629a292a367cd507); + c->h[2] = U64(0x9159015a3070dd17); +@@ -116,6 +119,9 @@ int SHA384_Init(SHA512_CTX *c) + + int SHA512_Init(SHA512_CTX *c) + { ++# ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++# endif + c->h[0] = U64(0x6a09e667f3bcc908); + c->h[1] = U64(0xbb67ae8584caa73b); + c->h[2] = U64(0x3c6ef372fe94f82b); +diff -up openssl-1.1.1-pre8/doc/man3/DSA_generate_parameters.pod.fips openssl-1.1.1-pre8/doc/man3/DSA_generate_parameters.pod +--- openssl-1.1.1-pre8/doc/man3/DSA_generate_parameters.pod.fips 2018-06-20 16:48:12.000000000 +0200 ++++ openssl-1.1.1-pre8/doc/man3/DSA_generate_parameters.pod 2018-07-25 17:26:58.412624872 +0200 +@@ -30,8 +30,10 @@ B is the length of the prime p to + For lengths under 2048 bits, the length of q is 160 bits; for lengths + greater than or equal to 2048 bits, the length of q is set to 256 bits. + +-If B is NULL, the primes will be generated at random. +-If B is less than the length of q, an error is returned. ++If B is NULL, or it does not generate primes, the primes will be ++generated at random. ++If B is less than the length of q, an error is returned ++if old DSA parameter generation method is used as a backend. + + DSA_generate_parameters_ex() places the iteration count in + *B and a counter used for finding a generator in +diff -up openssl-1.1.1-pre8/include/openssl/crypto.h.fips openssl-1.1.1-pre8/include/openssl/crypto.h +--- openssl-1.1.1-pre8/include/openssl/crypto.h.fips 2018-06-20 16:48:13.000000000 +0200 ++++ openssl-1.1.1-pre8/include/openssl/crypto.h 2018-07-25 17:26:58.412624872 +0200 +@@ -338,6 +338,11 @@ int OPENSSL_isservice(void); + int FIPS_mode(void); + int FIPS_mode_set(int r); + ++# ifdef OPENSSL_FIPS ++/* die if FIPS selftest failed */ ++void FIPS_selftest_check(void); ++# endif ++ + void OPENSSL_init(void); + # ifdef OPENSSL_SYS_UNIX + void OPENSSL_fork_prepare(void); +diff -up openssl-1.1.1-pre8/include/openssl/dherr.h.fips openssl-1.1.1-pre8/include/openssl/dherr.h +--- openssl-1.1.1-pre8/include/openssl/dherr.h.fips 2018-06-20 16:48:13.000000000 +0200 ++++ openssl-1.1.1-pre8/include/openssl/dherr.h 2018-07-25 17:26:58.412624872 +0200 +@@ -32,6 +32,9 @@ int ERR_load_DH_strings(void); + # define DH_F_DH_CMS_DECRYPT 114 + # define DH_F_DH_CMS_SET_PEERKEY 115 + # define DH_F_DH_CMS_SET_SHARED_INFO 116 ++# define DH_F_DH_COMPUTE_KEY 203 ++# define DH_F_DH_GENERATE_KEY 202 ++# define DH_F_DH_GENERATE_PARAMETERS_EX 201 + # define DH_F_DH_METH_DUP 117 + # define DH_F_DH_METH_NEW 118 + # define DH_F_DH_METH_SET1_NAME 119 +@@ -69,12 +72,14 @@ int ERR_load_DH_strings(void); + # define DH_R_INVALID_PARAMETER_NID 114 + # define DH_R_INVALID_PUBKEY 102 + # define DH_R_KDF_PARAMETER_ERROR 112 ++# define DH_R_KEY_SIZE_TOO_SMALL 201 + # define DH_R_KEYS_NOT_SET 108 + # define DH_R_MISSING_PUBKEY 125 + # define DH_R_MODULUS_TOO_LARGE 103 + # define DH_R_NOT_SUITABLE_GENERATOR 120 + # define DH_R_NO_PARAMETERS_SET 107 + # define DH_R_NO_PRIVATE_VALUE 100 ++# define DH_R_NON_FIPS_METHOD 202 + # define DH_R_PARAMETER_ENCODING_ERROR 105 + # define DH_R_PEER_KEY_ERROR 111 + # define DH_R_SHARED_INFO_ERROR 113 +diff -up openssl-1.1.1-pre8/include/openssl/dh.h.fips openssl-1.1.1-pre8/include/openssl/dh.h +--- openssl-1.1.1-pre8/include/openssl/dh.h.fips 2018-06-20 16:48:13.000000000 +0200 ++++ openssl-1.1.1-pre8/include/openssl/dh.h 2018-07-25 17:26:58.412624872 +0200 +@@ -31,6 +31,7 @@ extern "C" { + # endif + + # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 ++# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048 + + # define DH_FLAG_CACHE_MONT_P 0x01 + +diff -up openssl-1.1.1-pre8/include/openssl/dsaerr.h.fips openssl-1.1.1-pre8/include/openssl/dsaerr.h +--- openssl-1.1.1-pre8/include/openssl/dsaerr.h.fips 2018-06-20 16:48:13.000000000 +0200 ++++ openssl-1.1.1-pre8/include/openssl/dsaerr.h 2018-07-25 17:26:58.412624872 +0200 +@@ -25,8 +25,11 @@ int ERR_load_DSA_strings(void); + */ + # define DSA_F_DSAPARAMS_PRINT 100 + # define DSA_F_DSAPARAMS_PRINT_FP 101 ++# define DSA_F_DSA_BUILTIN_KEYGEN 202 + # define DSA_F_DSA_BUILTIN_PARAMGEN 125 + # define DSA_F_DSA_BUILTIN_PARAMGEN2 126 ++# define DSA_F_DSA_GENERATE_KEY 201 ++# define DSA_F_DSA_GENERATE_PARAMETERS_EX 200 + # define DSA_F_DSA_DO_SIGN 112 + # define DSA_F_DSA_DO_VERIFY 113 + # define DSA_F_DSA_METH_DUP 127 +@@ -56,9 +59,12 @@ int ERR_load_DSA_strings(void); + # define DSA_R_DECODE_ERROR 104 + # define DSA_R_INVALID_DIGEST_TYPE 106 + # define DSA_R_INVALID_PARAMETERS 112 ++# define DSA_R_KEY_SIZE_INVALID 201 ++# define DSA_R_KEY_SIZE_TOO_SMALL 202 + # define DSA_R_MISSING_PARAMETERS 101 + # define DSA_R_MODULUS_TOO_LARGE 103 + # define DSA_R_NO_PARAMETERS_SET 107 ++# define DSA_R_NON_FIPS_DSA_METHOD 200 + # define DSA_R_PARAMETER_ENCODING_ERROR 105 + # define DSA_R_Q_NOT_PRIME 113 + # define DSA_R_SEED_LEN_SMALL 110 +diff -up openssl-1.1.1-pre8/include/openssl/dsa.h.fips openssl-1.1.1-pre8/include/openssl/dsa.h +--- openssl-1.1.1-pre8/include/openssl/dsa.h.fips 2018-06-20 16:48:13.000000000 +0200 ++++ openssl-1.1.1-pre8/include/openssl/dsa.h 2018-07-25 17:26:58.413624895 +0200 +@@ -31,6 +31,7 @@ extern "C" { + # endif + + # define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024 ++# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN 2048 + + # define DSA_FLAG_CACHE_MONT_P 0x01 + # if OPENSSL_API_COMPAT < 0x10100000L +@@ -141,9 +142,9 @@ int DSAparams_print_fp(FILE *fp, const D + int DSA_print_fp(FILE *bp, const DSA *x, int off); + # endif + +-# define DSS_prime_checks 50 ++# define DSS_prime_checks 64 + /* +- * Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of ++ * Primality test according to FIPS PUB 186-4, Appendix 2.1: 64 rounds of + * Rabin-Miller + */ + # define DSA_is_prime(n, callback, cb_arg) \ +diff -up openssl-1.1.1-pre8/include/openssl/evperr.h.fips openssl-1.1.1-pre8/include/openssl/evperr.h +--- openssl-1.1.1-pre8/include/openssl/evperr.h.fips 2018-06-20 16:48:13.000000000 +0200 ++++ openssl-1.1.1-pre8/include/openssl/evperr.h 2018-07-25 17:26:58.413624895 +0200 +@@ -25,6 +25,7 @@ int ERR_load_EVP_strings(void); + # define EVP_F_AES_OCB_CIPHER 169 + # define EVP_F_AES_T4_INIT_KEY 178 + # define EVP_F_AES_WRAP_CIPHER 170 ++# define EVP_F_AES_XTS_CIPHER 300 + # define EVP_F_ALG_MODULE_INIT 177 + # define EVP_F_ARIA_CCM_INIT_KEY 175 + # define EVP_F_ARIA_GCM_CTRL 197 +@@ -132,6 +133,7 @@ int ERR_load_EVP_strings(void); + # define EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED 133 + # define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138 + # define EVP_R_DECODE_ERROR 114 ++# define EVP_R_DISABLED_FOR_FIPS 200 + # define EVP_R_DIFFERENT_KEY_TYPES 101 + # define EVP_R_DIFFERENT_PARAMETERS 153 + # define EVP_R_ERROR_LOADING_SECTION 165 +@@ -174,6 +176,7 @@ int ERR_load_EVP_strings(void); + # define EVP_R_PRIVATE_KEY_DECODE_ERROR 145 + # define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146 + # define EVP_R_PUBLIC_KEY_NOT_RSA 106 ++# define EVP_R_TOO_LARGE 201 + # define EVP_R_UNKNOWN_CIPHER 160 + # define EVP_R_UNKNOWN_DIGEST 161 + # define EVP_R_UNKNOWN_OPTION 169 +diff -up openssl-1.1.1-pre8/include/openssl/fips.h.fips openssl-1.1.1-pre8/include/openssl/fips.h +--- openssl-1.1.1-pre8/include/openssl/fips.h.fips 2018-07-25 17:26:58.413624895 +0200 ++++ openssl-1.1.1-pre8/include/openssl/fips.h 2018-07-25 17:26:58.413624895 +0200 +@@ -0,0 +1,186 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#include ++#include ++ ++#ifndef OPENSSL_FIPS ++# error FIPS is disabled. ++#endif ++ ++#ifdef OPENSSL_FIPS ++ ++# ifdef __cplusplus ++extern "C" { ++# endif ++ ++ int FIPS_selftest(void); ++ int FIPS_selftest_failed(void); ++ int FIPS_selftest_drbg_all(void); ++ ++ int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, ++ const EVP_MD *evpmd, const unsigned char *seed_in, ++ size_t seed_len, int idx, unsigned char *seed_out, ++ int *counter_ret, unsigned long *h_ret, ++ BN_GENCB *cb); ++ int FIPS_dsa_paramgen_check_g(DSA *dsa); ++ ++/* BEGIN ERROR CODES */ ++/* The following lines are auto generated by the script mkerr.pl. Any changes ++ * made after this point may be overwritten when the script is next run. ++ */ ++ int ERR_load_FIPS_strings(void); ++ ++/* Error codes for the FIPS functions. */ ++ ++/* Function codes. */ ++# define FIPS_F_DH_BUILTIN_GENPARAMS 100 ++# define FIPS_F_DRBG_RESEED 121 ++# define FIPS_F_DSA_BUILTIN_PARAMGEN2 107 ++# define FIPS_F_DSA_DO_SIGN 102 ++# define FIPS_F_DSA_DO_VERIFY 103 ++# define FIPS_F_EVP_CIPHER_CTX_NEW 137 ++# define FIPS_F_EVP_CIPHER_CTX_RESET 122 ++# define FIPS_F_ECDH_COMPUTE_KEY 123 ++# define FIPS_F_EVP_CIPHERINIT_EX 124 ++# define FIPS_F_EVP_DIGESTINIT_EX 125 ++# define FIPS_F_FIPS_CHECK_DSA 104 ++# define FIPS_F_FIPS_CHECK_EC 142 ++# define FIPS_F_FIPS_CHECK_RSA 106 ++# define FIPS_F_FIPS_DRBG_BYTES 131 ++# define FIPS_F_FIPS_DRBG_CHECK 146 ++# define FIPS_F_FIPS_DRBG_CPRNG_TEST 132 ++# define FIPS_F_FIPS_DRBG_ERROR_CHECK 136 ++# define FIPS_F_FIPS_DRBG_GENERATE 134 ++# define FIPS_F_FIPS_DRBG_INIT 135 ++# define FIPS_F_FIPS_DRBG_INSTANTIATE 138 ++# define FIPS_F_FIPS_DRBG_NEW 139 ++# define FIPS_F_FIPS_DRBG_RESEED 140 ++# define FIPS_F_FIPS_DRBG_SINGLE_KAT 141 ++# define FIPS_F_FIPS_GET_ENTROPY 147 ++# define FIPS_F_FIPS_MODULE_MODE_SET 108 ++# define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109 ++# define FIPS_F_FIPS_RAND_BYTES 114 ++# define FIPS_F_FIPS_RAND_SEED 128 ++# define FIPS_F_FIPS_RAND_SET_METHOD 126 ++# define FIPS_F_FIPS_RAND_STATUS 127 ++# define FIPS_F_FIPS_RSA_BUILTIN_KEYGEN 101 ++# define FIPS_F_FIPS_SELFTEST_AES 110 ++# define FIPS_F_FIPS_SELFTEST_AES_CCM 145 ++# define FIPS_F_FIPS_SELFTEST_AES_GCM 129 ++# define FIPS_F_FIPS_SELFTEST_AES_XTS 144 ++# define FIPS_F_FIPS_SELFTEST_CMAC 130 ++# define FIPS_F_FIPS_SELFTEST_DES 111 ++# define FIPS_F_FIPS_SELFTEST_DSA 112 ++# define FIPS_F_FIPS_SELFTEST_ECDSA 133 ++# define FIPS_F_FIPS_SELFTEST_HMAC 113 ++# define FIPS_F_FIPS_SELFTEST_SHA1 115 ++# define FIPS_F_FIPS_SELFTEST_SHA2 105 ++# define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 ++# define FIPS_F_OSSL_ECDSA_VERIFY_SIG 148 ++# define FIPS_F_RSA_BUILTIN_KEYGEN 116 ++# define FIPS_F_RSA_OSSL_INIT 149 ++# define FIPS_F_RSA_OSSL_PRIVATE_DECRYPT 117 ++# define FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT 118 ++# define FIPS_F_RSA_OSSL_PUBLIC_DECRYPT 119 ++# define FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT 120 ++ ++/* Reason codes. */ ++# define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 150 ++# define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 125 ++# define FIPS_R_ALREADY_INSTANTIATED 134 ++# define FIPS_R_DRBG_NOT_INITIALISED 152 ++# define FIPS_R_DRBG_STUCK 103 ++# define FIPS_R_ENTROPY_ERROR_UNDETECTED 104 ++# define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105 ++# define FIPS_R_ENTROPY_SOURCE_STUCK 142 ++# define FIPS_R_ERROR_INITIALISING_DRBG 115 ++# define FIPS_R_ERROR_INSTANTIATING_DRBG 127 ++# define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 124 ++# define FIPS_R_ERROR_RETRIEVING_ENTROPY 122 ++# define FIPS_R_ERROR_RETRIEVING_NONCE 140 ++# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 110 ++# define FIPS_R_FIPS_MODE_ALREADY_SET 102 ++# define FIPS_R_FIPS_SELFTEST_FAILED 106 ++# define FIPS_R_FUNCTION_ERROR 116 ++# define FIPS_R_GENERATE_ERROR 137 ++# define FIPS_R_GENERATE_ERROR_UNDETECTED 118 ++# define FIPS_R_INSTANTIATE_ERROR 119 ++# define FIPS_R_INTERNAL_ERROR 121 ++# define FIPS_R_INVALID_KEY_LENGTH 109 ++# define FIPS_R_IN_ERROR_STATE 123 ++# define FIPS_R_KEY_TOO_SHORT 108 ++# define FIPS_R_NONCE_ERROR_UNDETECTED 149 ++# define FIPS_R_NON_FIPS_METHOD 100 ++# define FIPS_R_NOPR_TEST1_FAILURE 145 ++# define FIPS_R_NOPR_TEST2_FAILURE 146 ++# define FIPS_R_NOT_INSTANTIATED 126 ++# define FIPS_R_PAIRWISE_TEST_FAILED 107 ++# define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128 ++# define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129 ++# define FIPS_R_PR_TEST1_FAILURE 147 ++# define FIPS_R_PR_TEST2_FAILURE 148 ++# define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 130 ++# define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 131 ++# define FIPS_R_RESEED_COUNTER_ERROR 132 ++# define FIPS_R_RESEED_ERROR 133 ++# define FIPS_R_SELFTEST_FAILED 101 ++# define FIPS_R_SELFTEST_FAILURE 135 ++# define FIPS_R_TEST_FAILURE 117 ++# define FIPS_R_UNINSTANTIATE_ERROR 141 ++# define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 138 ++# define FIPS_R_UNSUPPORTED_DRBG_TYPE 139 ++# define FIPS_R_UNSUPPORTED_PLATFORM 113 ++ ++# ifdef __cplusplus ++} ++# endif ++#endif +diff -up openssl-1.1.1-pre8/include/openssl/fips_rand.h.fips openssl-1.1.1-pre8/include/openssl/fips_rand.h +--- openssl-1.1.1-pre8/include/openssl/fips_rand.h.fips 2018-07-25 17:26:58.413624895 +0200 ++++ openssl-1.1.1-pre8/include/openssl/fips_rand.h 2018-07-25 17:26:58.413624895 +0200 +@@ -0,0 +1,145 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#ifndef HEADER_FIPS_RAND_H ++# define HEADER_FIPS_RAND_H ++ ++# include ++# include ++# include ++# include ++ ++# ifdef OPENSSL_FIPS ++ ++# ifdef __cplusplus ++extern "C" { ++# endif ++ typedef struct drbg_ctx_st DRBG_CTX; ++/* DRBG external flags */ ++/* Flag for CTR mode only: use derivation function ctr_df */ ++# define DRBG_FLAG_CTR_USE_DF 0x1 ++/* PRNG is in test state */ ++# define DRBG_FLAG_TEST 0x2 ++ ++ DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags); ++ int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags); ++ int FIPS_drbg_instantiate(DRBG_CTX *dctx, ++ const unsigned char *pers, size_t perslen); ++ int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin, ++ size_t adinlen); ++ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen, ++ int prediction_resistance, ++ const unsigned char *adin, size_t adinlen); ++ ++ int FIPS_drbg_uninstantiate(DRBG_CTX *dctx); ++ void FIPS_drbg_free(DRBG_CTX *dctx); ++ ++ int FIPS_drbg_set_callbacks(DRBG_CTX *dctx, ++ size_t (*get_entropy) (DRBG_CTX *ctx, ++ unsigned char **pout, ++ int entropy, ++ size_t min_len, ++ size_t max_len), ++ void (*cleanup_entropy) (DRBG_CTX *ctx, ++ unsigned char *out, ++ size_t olen), ++ size_t entropy_blocklen, ++ size_t (*get_nonce) (DRBG_CTX *ctx, ++ unsigned char **pout, ++ int entropy, ++ size_t min_len, ++ size_t max_len), ++ void (*cleanup_nonce) (DRBG_CTX *ctx, ++ unsigned char *out, ++ size_t olen)); ++ ++ int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx, ++ size_t (*get_adin) (DRBG_CTX *ctx, ++ unsigned char ++ **pout), ++ void (*cleanup_adin) (DRBG_CTX *ctx, ++ unsigned char *out, ++ size_t olen), ++ int (*rand_seed_cb) (DRBG_CTX *ctx, ++ const void *buf, ++ int num), ++ int (*rand_add_cb) (DRBG_CTX *ctx, ++ const void *buf, ++ int num, ++ double entropy)); ++ ++ void *FIPS_drbg_get_app_data(DRBG_CTX *ctx); ++ void FIPS_drbg_set_app_data(DRBG_CTX *ctx, void *app_data); ++ size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx); ++ int FIPS_drbg_get_strength(DRBG_CTX *dctx); ++ void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval); ++ void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval); ++ ++ int FIPS_drbg_health_check(DRBG_CTX *dctx); ++ ++ DRBG_CTX *FIPS_get_default_drbg(void); ++ const RAND_METHOD *FIPS_drbg_method(void); ++ ++ int FIPS_rand_set_method(const RAND_METHOD *meth); ++ const RAND_METHOD *FIPS_rand_get_method(void); ++ ++ void FIPS_rand_set_bits(int nbits); ++ ++ int FIPS_rand_strength(void); ++ ++/* 1.0.0 compat functions */ ++ int FIPS_rand_seed(const void *buf, int num); ++ int FIPS_rand_bytes(unsigned char *out, int outlen); ++ void FIPS_rand_reset(void); ++ int FIPS_rand_status(void); ++# ifdef __cplusplus ++} ++# endif ++# endif ++#endif +diff -up openssl-1.1.1-pre8/include/openssl/opensslconf.h.in.fips openssl-1.1.1-pre8/include/openssl/opensslconf.h.in +--- openssl-1.1.1-pre8/include/openssl/opensslconf.h.in.fips 2018-06-20 16:48:13.000000000 +0200 ++++ openssl-1.1.1-pre8/include/openssl/opensslconf.h.in 2018-07-25 17:26:58.413624895 +0200 +@@ -138,6 +138,11 @@ extern "C" { + + #define RC4_INT {- $config{rc4_int} -} + ++/* Always build FIPS module */ ++#ifndef OPENSSL_FIPS ++# define OPENSSL_FIPS ++#endif ++ + #ifdef __cplusplus + } + #endif +diff -up openssl-1.1.1-pre8/include/openssl/randerr.h.fips openssl-1.1.1-pre8/include/openssl/randerr.h +--- openssl-1.1.1-pre8/include/openssl/randerr.h.fips 2018-06-20 16:48:13.000000000 +0200 ++++ openssl-1.1.1-pre8/include/openssl/randerr.h 2018-07-25 17:26:58.413624895 +0200 +@@ -35,6 +35,7 @@ int ERR_load_RAND_strings(void); + # define RAND_F_RAND_DRBG_SET 104 + # define RAND_F_RAND_DRBG_SET_DEFAULTS 121 + # define RAND_F_RAND_DRBG_UNINSTANTIATE 118 ++# define RAND_F_RAND_INIT_FIPS 200 + # define RAND_F_RAND_LOAD_FILE 111 + # define RAND_F_RAND_POOL_ACQUIRE_ENTROPY 122 + # define RAND_F_RAND_POOL_ADD 103 +diff -up openssl-1.1.1-pre8/include/openssl/rand.h.fips openssl-1.1.1-pre8/include/openssl/rand.h +--- openssl-1.1.1-pre8/include/openssl/rand.h.fips 2018-06-20 16:48:13.000000000 +0200 ++++ openssl-1.1.1-pre8/include/openssl/rand.h 2018-07-25 17:26:58.413624895 +0200 +@@ -68,6 +68,11 @@ DEPRECATEDIN_1_1_0(void RAND_screen(void + DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM)) + # endif + ++# ifdef OPENSSL_FIPS ++/* just stubs for API compatibility */ ++void RAND_set_fips_drbg_type(int type, int flags); ++int RAND_init_fips(void); ++# endif + + #ifdef __cplusplus + } +diff -up openssl-1.1.1-pre8/include/openssl/rsaerr.h.fips openssl-1.1.1-pre8/include/openssl/rsaerr.h +--- openssl-1.1.1-pre8/include/openssl/rsaerr.h.fips 2018-06-20 16:48:13.000000000 +0200 ++++ openssl-1.1.1-pre8/include/openssl/rsaerr.h 2018-07-25 17:26:58.413624895 +0200 +@@ -21,6 +21,7 @@ int ERR_load_RSA_strings(void); + */ + # define RSA_F_CHECK_PADDING_MD 140 + # define RSA_F_ENCODE_PKCS1 146 ++# define RSA_F_FIPS_RSA_BUILTIN_KEYGEN 206 + # define RSA_F_INT_RSA_VERIFY 145 + # define RSA_F_OLD_RSA_PRIV_DECODE 147 + # define RSA_F_PKEY_PSS_INIT 165 +@@ -35,6 +36,8 @@ int ERR_load_RSA_strings(void); + # define RSA_F_RSA_CHECK_KEY_EX 160 + # define RSA_F_RSA_CMS_DECRYPT 159 + # define RSA_F_RSA_CMS_VERIFY 158 ++# define RSA_F_RSA_GENERATE_KEY_EX 204 ++# define RSA_F_RSA_GENERATE_MULTI_PRIME_KEY 207 + # define RSA_F_RSA_ITEM_VERIFY 148 + # define RSA_F_RSA_METH_DUP 161 + # define RSA_F_RSA_METH_NEW 162 +@@ -72,10 +75,16 @@ int ERR_load_RSA_strings(void); + # define RSA_F_RSA_PRINT_FP 116 + # define RSA_F_RSA_PRIV_DECODE 150 + # define RSA_F_RSA_PRIV_ENCODE 138 ++# define RSA_F_RSA_PRIVATE_DECRYPT 200 ++# define RSA_F_RSA_PRIVATE_ENCRYPT 201 + # define RSA_F_RSA_PSS_GET_PARAM 151 + # define RSA_F_RSA_PSS_TO_CTX 155 + # define RSA_F_RSA_PUB_DECODE 139 ++# define RSA_F_RSA_PUBLIC_DECRYPT 202 ++# define RSA_F_RSA_PUBLIC_ENCRYPT 203 + # define RSA_F_RSA_SETUP_BLINDING 136 ++# define RSA_F_RSA_SET_DEFAULT_METHOD 205 ++# define RSA_F_RSA_SET_METHOD 204 + # define RSA_F_RSA_SIGN 117 + # define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118 + # define RSA_F_RSA_VERIFY 119 +@@ -132,10 +141,12 @@ int ERR_load_RSA_strings(void); + # define RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D 169 + # define RSA_R_MP_R_NOT_PRIME 170 + # define RSA_R_NO_PUBLIC_EXPONENT 140 ++# define RSA_R_NON_FIPS_RSA_METHOD 200 + # define RSA_R_NULL_BEFORE_BLOCK_MISSING 113 + # define RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES 172 + # define RSA_R_N_DOES_NOT_EQUAL_P_Q 127 + # define RSA_R_OAEP_DECODING_ERROR 121 ++# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 201 + # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 + # define RSA_R_PADDING_CHECK_FAILED 114 + # define RSA_R_PKCS_DECODING_ERROR 159 +@@ -155,6 +166,7 @@ int ERR_load_RSA_strings(void); + # define RSA_R_UNSUPPORTED_LABEL_SOURCE 163 + # define RSA_R_UNSUPPORTED_MASK_ALGORITHM 153 + # define RSA_R_UNSUPPORTED_MASK_PARAMETER 154 ++# define RSA_R_UNSUPPORTED_PARAMETERS 202 + # define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155 + # define RSA_R_VALUE_MISSING 147 + # define RSA_R_WRONG_SIGNATURE_LENGTH 119 +diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.fips openssl-1.1.1-pre8/ssl/ssl_ciph.c +--- openssl-1.1.1-pre8/ssl/ssl_ciph.c.fips 2018-07-25 17:26:58.400624584 +0200 ++++ openssl-1.1.1-pre8/ssl/ssl_ciph.c 2018-07-25 17:26:58.414624919 +0200 +@@ -385,7 +385,7 @@ int ssl_load_ciphers(void) + } + } + /* Make sure we can access MD5 and SHA1 */ +- if (!ossl_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL)) ++ if (!FIPS_mode() && !ossl_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL)) + return 0; + if (!ossl_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL)) + return 0; +@@ -560,6 +560,9 @@ int ssl_cipher_get_evp(const SSL_SESSION + s->ssl_version < TLS1_VERSION) + return 1; + ++ if (FIPS_mode()) ++ return 1; ++ + if (c->algorithm_enc == SSL_RC4 && + c->algorithm_mac == SSL_MD5 && + (evp = EVP_get_cipherbyname("RC4-HMAC-MD5"))) +@@ -668,6 +671,8 @@ static void ssl_cipher_collect_ciphers(c + /* drop those that use any of that is not available */ + if (c == NULL || !c->valid) + continue; ++ if (FIPS_mode() && !(c->algo_strength & SSL_FIPS)) ++ continue; + if ((c->algorithm_mkey & disabled_mkey) || + (c->algorithm_auth & disabled_auth) || + (c->algorithm_enc & disabled_enc) || +@@ -1671,7 +1676,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + * to the resulting precedence to the STACK_OF(SSL_CIPHER). + */ + for (curr = head; curr != NULL; curr = curr->next) { +- if (curr->active) { ++ if (curr->active ++ && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) { + if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) { + OPENSSL_free(co_list); + sk_SSL_CIPHER_free(cipherstack); +diff -up openssl-1.1.1-pre8/ssl/ssl_init.c.fips openssl-1.1.1-pre8/ssl/ssl_init.c +--- openssl-1.1.1-pre8/ssl/ssl_init.c.fips 2018-06-20 16:48:13.000000000 +0200 ++++ openssl-1.1.1-pre8/ssl/ssl_init.c 2018-07-25 17:26:58.414624919 +0200 +@@ -27,6 +27,10 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas + fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: " + "Adding SSL ciphers and digests\n"); + #endif ++#ifdef OPENSSL_FIPS ++ if (!FIPS_mode()) { ++#endif ++ + #ifndef OPENSSL_NO_DES + EVP_add_cipher(EVP_des_cbc()); + EVP_add_cipher(EVP_des_ede3_cbc()); +@@ -87,6 +91,31 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas + EVP_add_digest(EVP_sha256()); + EVP_add_digest(EVP_sha384()); + EVP_add_digest(EVP_sha512()); ++#ifdef OPENSSL_FIPS ++ } else { ++# ifndef OPENSSL_NO_DES ++ EVP_add_cipher(EVP_des_ede3_cbc()); ++# endif ++ EVP_add_cipher(EVP_aes_128_cbc()); ++ EVP_add_cipher(EVP_aes_192_cbc()); ++ EVP_add_cipher(EVP_aes_256_cbc()); ++ EVP_add_cipher(EVP_aes_128_gcm()); ++ EVP_add_cipher(EVP_aes_256_gcm()); ++ EVP_add_cipher(EVP_aes_128_ccm()); ++ EVP_add_cipher(EVP_aes_256_ccm()); ++# ifndef OPENSSL_NO_MD5 ++ /* needed even in the FIPS mode for TLS-1.0 */ ++ EVP_add_digest(EVP_md5_sha1()); ++# endif ++ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */ ++ EVP_add_digest_alias(SN_sha1, "ssl3-sha1"); ++ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA); ++ EVP_add_digest(EVP_sha224()); ++ EVP_add_digest(EVP_sha256()); ++ EVP_add_digest(EVP_sha384()); ++ EVP_add_digest(EVP_sha512()); ++ } ++#endif + #ifndef OPENSSL_NO_COMP + # ifdef OPENSSL_INIT_DEBUG + fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: " +diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.fips openssl-1.1.1-pre8/ssl/ssl_lib.c +--- openssl-1.1.1-pre8/ssl/ssl_lib.c.fips 2018-07-25 17:26:58.400624584 +0200 ++++ openssl-1.1.1-pre8/ssl/ssl_lib.c 2018-07-25 17:26:58.414624919 +0200 +@@ -2885,6 +2885,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m + if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL)) + return NULL; + ++ if (FIPS_mode() && (meth->version < TLS1_VERSION)) { ++ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE); ++ return NULL; ++ } ++ + if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { + SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); + goto err; +@@ -2941,13 +2946,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m + if (ret->param == NULL) + goto err; + +- if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) { +- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); +- goto err2; +- } +- if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) { +- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); +- goto err2; ++ if (!FIPS_mode()) { ++ if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) { ++ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); ++ goto err2; ++ } ++ if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) { ++ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); ++ goto err2; ++ } ++ } else { ++ ret->min_proto_version = TLS1_VERSION; + } + + if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL) +diff -up openssl-1.1.1-pre8/test/dsatest.c.fips openssl-1.1.1-pre8/test/dsatest.c +--- openssl-1.1.1-pre8/test/dsatest.c.fips 2018-06-20 16:48:14.000000000 +0200 ++++ openssl-1.1.1-pre8/test/dsatest.c 2018-07-25 17:26:58.415624943 +0200 +@@ -24,41 +24,42 @@ + #ifndef OPENSSL_NO_DSA + static int dsa_cb(int p, int n, BN_GENCB *arg); + +-/* +- * seed, out_p, out_q, out_g are taken from the updated Appendix 5 to FIPS +- * PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 +- */ + static unsigned char seed[20] = { +- 0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8, 0xb6, 0x21, 0x1b, 0x40, +- 0x62, 0xba, 0x32, 0x24, 0xe0, 0x42, 0x7d, 0xd3, ++ 0x02, 0x47, 0x11, 0x92, 0x11, 0x88, 0xC8, 0xFB, 0xAF, 0x48, 0x4C, 0x62, ++ 0xDF, 0xA5, 0xBE, 0xA0, 0xA4, 0x3C, 0x56, 0xE3, + }; + + static unsigned char out_p[] = { +- 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76, 0xaa, +- 0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69, 0xcb, +- 0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c, 0xf7, +- 0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82, 0xe5, +- 0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e, 0xaf, +- 0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a, 0xac, +- 0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24, 0xc2, +- 0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02, 0x91, ++ 0xAC, 0xCB, 0x1E, 0x63, 0x60, 0x69, 0x0C, 0xFB, 0x06, 0x19, 0x68, 0x3E, ++ 0xA5, 0x01, 0x5A, 0xA2, 0x15, 0x5C, 0xE2, 0x99, 0x2D, 0xD5, 0x30, 0x99, ++ 0x7E, 0x5F, 0x8D, 0xE2, 0xF7, 0xC6, 0x2E, 0x8D, 0xA3, 0x9F, 0x58, 0xAD, ++ 0xD6, 0xA9, 0x7D, 0x0E, 0x0D, 0x95, 0x53, 0xA6, 0x71, 0x3A, 0xDE, 0xAB, ++ 0xAC, 0xE9, 0xF4, 0x36, 0x55, 0x9E, 0xB9, 0xD6, 0x93, 0xBF, 0xF3, 0x18, ++ 0x1C, 0x14, 0x7B, 0xA5, 0x42, 0x2E, 0xCD, 0x00, 0xEB, 0x35, 0x3B, 0x1B, ++ 0xA8, 0x51, 0xBB, 0xE1, 0x58, 0x42, 0x85, 0x84, 0x22, 0xA7, 0x97, 0x5E, ++ 0x99, 0x6F, 0x38, 0x20, 0xBD, 0x9D, 0xB6, 0xD9, 0x33, 0x37, 0x2A, 0xFD, ++ 0xBB, 0xD4, 0xBC, 0x0C, 0x2A, 0x67, 0xCB, 0x9F, 0xBB, 0xDF, 0xF9, 0x93, ++ 0xAA, 0xD6, 0xF0, 0xD6, 0x95, 0x0B, 0x5D, 0x65, 0x14, 0xD0, 0x18, 0x9D, ++ 0xC6, 0xAF, 0xF0, 0xC6, 0x37, 0x7C, 0xF3, 0x5F, + }; + + static unsigned char out_q[] = { +- 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8, 0xee, +- 0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4, 0x8e, +- 0xda, 0xce, 0x91, 0x5f, ++ 0xE3, 0x8E, 0x5E, 0x6D, 0xBF, 0x2B, 0x79, 0xF8, 0xC5, 0x4B, 0x89, 0x8B, ++ 0xBA, 0x2D, 0x91, 0xC3, 0x6C, 0x80, 0xAC, 0x87, + }; + + static unsigned char out_g[] = { +- 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, 0x13, +- 0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5, 0x00, +- 0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef, 0xcb, +- 0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c, 0x2e, +- 0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba, 0xbf, +- 0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c, 0x9c, +- 0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08, 0x8c, +- 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88, 0x02, ++ 0x42, 0x4A, 0x04, 0x4E, 0x79, 0xB4, 0x99, 0x7F, 0xFD, 0x58, 0x36, 0x2C, ++ 0x1B, 0x5F, 0x18, 0x7E, 0x0D, 0xCC, 0xAB, 0x81, 0xC9, 0x5D, 0x10, 0xCE, ++ 0x4E, 0x80, 0x7E, 0x58, 0xB4, 0x34, 0x3F, 0xA7, 0x45, 0xC7, 0xAA, 0x36, ++ 0x24, 0x42, 0xA9, 0x3B, 0xE8, 0x0E, 0x04, 0x02, 0x2D, 0xFB, 0xA6, 0x13, ++ 0xB9, 0xB5, 0x15, 0xA5, 0x56, 0x07, 0x35, 0xE4, 0x03, 0xB6, 0x79, 0x7C, ++ 0x62, 0xDD, 0xDF, 0x3F, 0x71, 0x3A, 0x9D, 0x8B, 0xC4, 0xF6, 0xE7, 0x1D, ++ 0x52, 0xA8, 0xA9, 0x43, 0x1D, 0x33, 0x51, 0x88, 0x39, 0xBD, 0x73, 0xE9, ++ 0x5F, 0xBE, 0x82, 0x49, 0x27, 0xE6, 0xB5, 0x53, 0xC1, 0x38, 0xAC, 0x2F, ++ 0x6D, 0x97, 0x6C, 0xEB, 0x67, 0xC1, 0x5F, 0x67, 0xF8, 0x35, 0x05, 0x5E, ++ 0xD5, 0x68, 0x80, 0xAA, 0x96, 0xCA, 0x0B, 0x8A, 0xE6, 0xF1, 0xB1, 0x41, ++ 0xC6, 0x75, 0x94, 0x0A, 0x0A, 0x2A, 0xFA, 0x29, + }; + + static const unsigned char str1[] = "12345678901234567890"; +@@ -79,11 +80,11 @@ static int dsa_test(void) + + BN_GENCB_set(cb, dsa_cb, NULL); + if (!TEST_ptr(dsa = DSA_new()) +- || !TEST_true(DSA_generate_parameters_ex(dsa, 512, seed, 20, ++ || !TEST_true(DSA_generate_parameters_ex(dsa, 1024, seed, 20, + &counter, &h, cb))) + goto end; + +- if (!TEST_int_eq(counter, 105)) ++ if (!TEST_int_eq(counter, 239)) + goto end; + if (!TEST_int_eq(h, 2)) + goto end; +diff -up openssl-1.1.1-pre8/util/libcrypto.num.fips openssl-1.1.1-pre8/util/libcrypto.num +--- openssl-1.1.1-pre8/util/libcrypto.num.fips 2018-06-20 16:48:15.000000000 +0200 ++++ openssl-1.1.1-pre8/util/libcrypto.num 2018-07-25 17:49:31.909043049 +0200 +@@ -4568,3 +4568,38 @@ EVP_PKEY_get_raw_private_key + EVP_PKEY_asn1_set_get_priv_key 4520 1_1_1 EXIST::FUNCTION: + EVP_PKEY_asn1_set_get_pub_key 4521 1_1_1 EXIST::FUNCTION: + EVP_PKEY_set_alias_type 4522 1_1_1 EXIST::FUNCTION: ++FIPS_drbg_reseed 6348 1_1_0g EXIST::FUNCTION: ++FIPS_selftest_check 6349 1_1_0g EXIST::FUNCTION: ++FIPS_rand_set_method 6350 1_1_0g EXIST::FUNCTION: ++FIPS_get_default_drbg 6351 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_set_reseed_interval 6352 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_set_app_data 6353 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_method 6354 1_1_0g EXIST::FUNCTION: ++FIPS_rand_status 6355 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_instantiate 6356 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_set_callbacks 6357 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_new 6358 1_1_0g EXIST::FUNCTION: ++FIPS_dsa_paramgen_check_g 6359 1_1_0g EXIST::FUNCTION: ++FIPS_selftest 6360 1_1_0g EXIST::FUNCTION: ++FIPS_rand_set_bits 6361 1_1_0g EXIST::FUNCTION: ++FIPS_rand_bytes 6362 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_get_app_data 6363 1_1_0g EXIST::FUNCTION: ++FIPS_selftest_failed 6364 1_1_0g EXIST::FUNCTION: ++FIPS_dsa_builtin_paramgen2 6365 1_1_0g EXIST::FUNCTION: ++FIPS_rand_reset 6366 1_1_0g EXIST::FUNCTION: ++ERR_load_FIPS_strings 6367 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_generate 6368 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_uninstantiate 6369 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_set_check_interval 6370 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_free 6371 1_1_0g EXIST::FUNCTION: ++FIPS_selftest_drbg_all 6372 1_1_0g EXIST::FUNCTION: ++FIPS_rand_get_method 6373 1_1_0g EXIST::FUNCTION: ++RAND_set_fips_drbg_type 6374 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_health_check 6375 1_1_0g EXIST::FUNCTION: ++RAND_init_fips 6376 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_set_rand_callbacks 6377 1_1_0g EXIST::FUNCTION: ++FIPS_rand_seed 6378 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_get_strength 6379 1_1_0g EXIST::FUNCTION: ++FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION: diff --git a/openssl-1.1.1-man-rename.patch b/openssl-1.1.1-man-rename.patch new file mode 100644 index 0000000..6aef549 --- /dev/null +++ b/openssl-1.1.1-man-rename.patch @@ -0,0 +1,37 @@ +diff -up openssl-1.1.1-pre2/doc/man1/openssl.pod.man-rename openssl-1.1.1-pre2/doc/man1/openssl.pod +--- openssl-1.1.1-pre2/doc/man1/openssl.pod.man-rename 2018-02-27 14:40:43.000000000 +0100 ++++ openssl-1.1.1-pre2/doc/man1/openssl.pod 2018-03-06 15:32:44.737652939 +0100 +@@ -170,7 +170,7 @@ Create or examine a Netscape certificate + + Online Certificate Status Protocol utility. + +-=item L|passwd(1)> ++=item L|sslpasswd(1)> + + Generation of hashed passwords. + +@@ -202,7 +202,7 @@ Public key algorithm cryptographic opera + + Compute prime numbers. + +-=item L|rand(1)> ++=item L|sslrand(1)> + + Generate pseudo-random bytes. + +@@ -444,13 +444,13 @@ L, L, L + L, L, + L, L, L, L, L, + L, L, L, +-L, + L, L, L, + L, L, L, L, +-L, L, L, L, ++L, L, L, + L, L, + L, L, L, + L, L, L, L, L, ++L, L, + L, + L, L, L, + L, L, L diff --git a/openssl-1.1.1-secure-getenv.patch b/openssl-1.1.1-secure-getenv.patch new file mode 100644 index 0000000..c3d14a1 --- /dev/null +++ b/openssl-1.1.1-secure-getenv.patch @@ -0,0 +1,173 @@ +diff -up openssl-1.1.1-pre8/crypto/conf/conf_api.c.secure-getenv openssl-1.1.1-pre8/crypto/conf/conf_api.c +--- openssl-1.1.1-pre8/crypto/conf/conf_api.c.secure-getenv 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/conf/conf_api.c 2018-07-16 18:01:11.708359766 +0200 +@@ -9,6 +9,8 @@ + + /* Part of the code in here was originally in conf.c, which is now removed */ + ++/* for secure_getenv */ ++#define _GNU_SOURCE + #include "e_os.h" + #include + #include +@@ -82,7 +84,7 @@ char *_CONF_get_string(const CONF *conf, + if (v != NULL) + return v->value; + if (strcmp(section, "ENV") == 0) { +- p = getenv(name); ++ p = secure_getenv(name); + if (p != NULL) + return p; + } +diff -up openssl-1.1.1-pre8/crypto/conf/conf_mod.c.secure-getenv openssl-1.1.1-pre8/crypto/conf/conf_mod.c +--- openssl-1.1.1-pre8/crypto/conf/conf_mod.c.secure-getenv 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/conf/conf_mod.c 2018-07-16 18:02:37.308383955 +0200 +@@ -7,6 +7,8 @@ + * https://www.openssl.org/source/license.html + */ + ++/* for secure_getenv */ ++#define _GNU_SOURCE + #include "internal/cryptlib.h" + #include + #include +@@ -481,7 +483,7 @@ char *CONF_get1_default_config_file(void + int len; + + if (!OPENSSL_issetugid()) { +- file = getenv("OPENSSL_CONF"); ++ file = secure_getenv("OPENSSL_CONF"); + if (file) + return OPENSSL_strdup(file); + } +diff -up openssl-1.1.1-pre8/crypto/ct/ct_log.c.secure-getenv openssl-1.1.1-pre8/crypto/ct/ct_log.c +--- openssl-1.1.1-pre8/crypto/ct/ct_log.c.secure-getenv 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/ct/ct_log.c 2018-07-16 18:01:11.708359766 +0200 +@@ -7,6 +7,8 @@ + * https://www.openssl.org/source/license.html + */ + ++/* for secure_getenv */ ++#define _GNU_SOURCE + #include + #include + +@@ -137,7 +139,7 @@ static int ctlog_new_from_conf(CTLOG **c + + int CTLOG_STORE_load_default_file(CTLOG_STORE *store) + { +- const char *fpath = getenv(CTLOG_FILE_EVP); ++ const char *fpath = secure_getenv(CTLOG_FILE_EVP); + + if (fpath == NULL) + fpath = CTLOG_FILE; +diff -up openssl-1.1.1-pre8/crypto/engine/eng_list.c.secure-getenv openssl-1.1.1-pre8/crypto/engine/eng_list.c +--- openssl-1.1.1-pre8/crypto/engine/eng_list.c.secure-getenv 2018-06-20 16:48:10.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/engine/eng_list.c 2018-07-16 18:03:03.190996004 +0200 +@@ -8,6 +8,8 @@ + * https://www.openssl.org/source/license.html + */ + ++/* for secure_getenv */ ++#define _GNU_SOURCE + #include "eng_int.h" + + /* +@@ -318,7 +320,7 @@ ENGINE *ENGINE_by_id(const char *id) + */ + if (strcmp(id, "dynamic")) { + if (OPENSSL_issetugid() +- || (load_dir = getenv("OPENSSL_ENGINES")) == NULL) ++ || (load_dir = secure_getenv("OPENSSL_ENGINES")) == NULL) + load_dir = ENGINESDIR; + iterator = ENGINE_by_id("dynamic"); + if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) || +diff -up openssl-1.1.1-pre8/crypto/mem.c.secure-getenv openssl-1.1.1-pre8/crypto/mem.c +--- openssl-1.1.1-pre8/crypto/mem.c.secure-getenv 2018-06-20 16:48:11.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/mem.c 2018-07-16 18:01:11.709359790 +0200 +@@ -7,6 +7,8 @@ + * https://www.openssl.org/source/license.html + */ + ++/* for secure_getenv */ ++#define _GNU_SOURCE + #include "e_os.h" + #include "internal/cryptlib.h" + #include "internal/cryptlib_int.h" +@@ -180,11 +182,11 @@ static int shouldfail(void) + + void ossl_malloc_setup_failures(void) + { +- const char *cp = getenv("OPENSSL_MALLOC_FAILURES"); ++ const char *cp = secure_getenv("OPENSSL_MALLOC_FAILURES"); + + if (cp != NULL && (md_failstring = strdup(cp)) != NULL) + parseit(); +- if ((cp = getenv("OPENSSL_MALLOC_FD")) != NULL) ++ if ((cp = secure_getenv("OPENSSL_MALLOC_FD")) != NULL) + md_tracefd = atoi(cp); + } + #endif +diff -up openssl-1.1.1-pre8/crypto/rand/randfile.c.secure-getenv openssl-1.1.1-pre8/crypto/rand/randfile.c +--- openssl-1.1.1-pre8/crypto/rand/randfile.c.secure-getenv 2018-06-20 16:48:11.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/rand/randfile.c 2018-07-16 18:01:11.709359790 +0200 +@@ -7,6 +7,8 @@ + * https://www.openssl.org/source/license.html + */ + ++/* for secure_getenv */ ++#define _GNU_SOURCE + #include "internal/cryptlib.h" + + #include +@@ -264,7 +266,7 @@ const char *RAND_file_name(char *buf, si + #else + if (OPENSSL_issetugid() != 0) { + use_randfile = 0; +- } else if ((s = getenv("RANDFILE")) == NULL || *s == '\0') { ++ } else if ((s = secure_getenv("RANDFILE")) == NULL || *s == '\0') { + use_randfile = 0; + s = getenv("HOME"); + } +diff -up openssl-1.1.1-pre8/crypto/x509/by_dir.c.secure-getenv openssl-1.1.1-pre8/crypto/x509/by_dir.c +--- openssl-1.1.1-pre8/crypto/x509/by_dir.c.secure-getenv 2018-06-20 16:48:11.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/x509/by_dir.c 2018-07-16 18:03:43.355945786 +0200 +@@ -7,6 +7,8 @@ + * https://www.openssl.org/source/license.html + */ + ++/* for secure_getenv */ ++#define _GNU_SOURCE + #include "e_os.h" + #include "internal/cryptlib.h" + #include +@@ -73,7 +75,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in + switch (cmd) { + case X509_L_ADD_DIR: + if (argl == X509_FILETYPE_DEFAULT) { +- const char *dir = getenv(X509_get_default_cert_dir_env()); ++ const char *dir = secure_getenv(X509_get_default_cert_dir_env()); + + if (dir) + ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM); +diff -up openssl-1.1.1-pre8/crypto/x509/by_file.c.secure-getenv openssl-1.1.1-pre8/crypto/x509/by_file.c +--- openssl-1.1.1-pre8/crypto/x509/by_file.c.secure-getenv 2018-06-20 16:48:11.000000000 +0200 ++++ openssl-1.1.1-pre8/crypto/x509/by_file.c 2018-07-16 18:01:11.709359790 +0200 +@@ -7,6 +7,8 @@ + * https://www.openssl.org/source/license.html + */ + ++/* for secure_getenv */ ++#define _GNU_SOURCE + #include + #include + #include +@@ -46,7 +48,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx + switch (cmd) { + case X509_L_FILE_LOAD: + if (argl == X509_FILETYPE_DEFAULT) { +- file = getenv(X509_get_default_cert_file_env()); ++ file = secure_getenv(X509_get_default_cert_file_env()); + if (file) + ok = (X509_load_cert_crl_file(ctx, file, + X509_FILETYPE_PEM) != 0); diff --git a/openssl-1.1.1-system-cipherlist.patch b/openssl-1.1.1-system-cipherlist.patch new file mode 100644 index 0000000..98c0851 --- /dev/null +++ b/openssl-1.1.1-system-cipherlist.patch @@ -0,0 +1,310 @@ +diff -up openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl +--- openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.system-cipherlist 2018-07-25 10:13:06.325232356 +0200 ++++ openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl 2018-07-25 10:18:27.067863251 +0200 +@@ -176,6 +176,10 @@ MANDIR=$(INSTALLTOP)/share/man + DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME) + HTMLDIR=$(DOCDIR)/html + ++{- output_off() if $config{system_ciphers_file} eq ""; "" -} ++SYSTEM_CIPHERS_FILE_DEFINE=-DSYSTEM_CIPHERS_FILE="\"{- $config{system_ciphers_file} -}\"" ++{- output_on() if $config{system_ciphers_file} eq ""; "" -} ++ + # MANSUFFIX is for the benefit of anyone who may want to have a suffix + # appended after the manpage file section number. "ssl" is popular, + # resulting in files such as config.5ssl rather than config.5. +@@ -199,6 +203,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -} + CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -} + CPPFLAGS={- our $cppflags1 = join(" ", + (map { "-D".$_} @{$config{CPPDEFINES}}), ++ "\$(SYSTEM_CIPHERS_FILE_DEFINE)", + (map { "-I".$_} @{$config{CPPINCLUDES}}), + @{$config{CPPFLAGS}}) -} + CFLAGS={- join(' ', @{$config{CFLAGS}}) -} +diff -up openssl-1.1.1-pre8/Configure.system-cipherlist openssl-1.1.1-pre8/Configure +--- openssl-1.1.1-pre8/Configure.system-cipherlist 2018-06-20 16:48:09.000000000 +0200 ++++ openssl-1.1.1-pre8/Configure 2018-07-25 10:13:06.346232856 +0200 +@@ -21,7 +21,7 @@ use OpenSSL::Glob; + + # see INSTALL for instructions. + +-my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; ++my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; + + # Options: + # +@@ -38,6 +38,9 @@ my $usage="Usage: Configure [no- + # This becomes the value of OPENSSLDIR in Makefile and in C. + # (Default: PREFIX/ssl) + # ++# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM ++# cipher is specified (default). ++# + # --cross-compile-prefix Add specified prefix to binutils components. + # + # --api One of 0.9.8, 1.0.0 or 1.1.0. Do not compile support for +@@ -291,6 +294,7 @@ $config{prefix}=""; + $config{openssldir}=""; + $config{processor}=""; + $config{libdir}=""; ++$config{system_ciphers_file}=""; + my $auto_threads=1; # enable threads automatically? true by default + my $default_ranlib; + +@@ -814,6 +818,10 @@ while (@argvcopy) + push @seed_sources, $x; + } + } ++ elsif (/^--system-ciphers-file=(.*)$/) ++ { ++ $config{system_ciphers_file}=$1; ++ } + elsif (/^--cross-compile-prefix=(.*)$/) + { + $user{CROSS_COMPILE}=$1; +@@ -1000,6 +1008,8 @@ if ($target eq "HASH") { + exit 0; + } + ++chop $config{system_ciphers_file} if $config{system_ciphers_file} =~ /\/$/; ++ + print "Configuring OpenSSL version $config{version} ($config{version_num}) "; + print "for $target\n"; + +diff -up openssl-1.1.1-pre8/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1-pre8/doc/man1/ciphers.pod +--- openssl-1.1.1-pre8/doc/man1/ciphers.pod.system-cipherlist 2018-06-20 16:48:12.000000000 +0200 ++++ openssl-1.1.1-pre8/doc/man1/ciphers.pod 2018-07-25 10:13:06.346232856 +0200 +@@ -200,6 +200,15 @@ As of OpenSSL 1.0.0, the B cipher s + + The cipher suites not enabled by B, currently B. + ++=item B ++ ++The list of enabled cipher suites will be loaded from the system crypto policy ++configuration file B. ++See also L. ++This is the default behavior unless an application explicitly sets a cipher ++list. If used in a cipher list configuration value this string must be at the ++beginning of the cipher list, otherwise it will not be recognized. ++ + =item B + + "High" encryption cipher suites. This currently means those with key lengths +diff -up openssl-1.1.1-pre8/include/openssl/ssl.h.system-cipherlist openssl-1.1.1-pre8/include/openssl/ssl.h +--- openssl-1.1.1-pre8/include/openssl/ssl.h.system-cipherlist 2018-06-20 16:48:13.000000000 +0200 ++++ openssl-1.1.1-pre8/include/openssl/ssl.h 2018-07-25 10:13:06.346232856 +0200 +@@ -186,6 +186,11 @@ extern "C" { + * throwing out anonymous and unencrypted ciphersuites! (The latter are not + * actually enabled by ALL, but "ALL:RSA" would enable some of them.) + */ ++# ifdef SYSTEM_CIPHERS_FILE ++# define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM" ++# else ++# define SSL_SYSTEM_DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST ++# endif + + /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ + # define SSL_SENT_SHUTDOWN 1 +diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre8/ssl/ssl_ciph.c +--- openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist 2018-06-20 16:48:13.000000000 +0200 ++++ openssl-1.1.1-pre8/ssl/ssl_ciph.c 2018-07-25 10:36:36.475896866 +0200 +@@ -9,6 +9,8 @@ + * https://www.openssl.org/source/license.html + */ + ++/* for secure_getenv */ ++#define _GNU_SOURCE + #include + #include + #include +@@ -1400,6 +1402,53 @@ int SSL_set_ciphersuites(SSL *s, const c + return ret; + } + ++#ifdef SYSTEM_CIPHERS_FILE ++static char *load_system_str(const char *suffix) ++{ ++ FILE *fp; ++ char buf[1024]; ++ char *new_rules; ++ const char *ciphers_path; ++ unsigned len, slen; ++ ++ if ((ciphers_path = secure_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL) ++ ciphers_path = SYSTEM_CIPHERS_FILE; ++ fp = fopen(ciphers_path, "r"); ++ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) { ++ /* cannot open or file is empty */ ++ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST); ++ } ++ ++ if (fp) ++ fclose(fp); ++ ++ slen = strlen(suffix); ++ len = strlen(buf); ++ ++ if (buf[len - 1] == '\n') { ++ len--; ++ buf[len] = 0; ++ } ++ if (buf[len - 1] == '\r') { ++ len--; ++ buf[len] = 0; ++ } ++ ++ new_rules = OPENSSL_malloc(len + slen + 1); ++ if (new_rules == 0) ++ return NULL; ++ ++ memcpy(new_rules, buf, len); ++ if (slen > 0) { ++ memcpy(&new_rules[len], suffix, slen); ++ len += slen; ++ } ++ new_rules[len] = 0; ++ ++ return new_rules; ++} ++#endif ++ + STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, + STACK_OF(SSL_CIPHER) *tls13_ciphersuites, + STACK_OF(SSL_CIPHER) **cipher_list, +@@ -1413,15 +1462,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + const char *rule_p; + CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; + const SSL_CIPHER **ca_list = NULL; ++#ifdef SYSTEM_CIPHERS_FILE ++ char *new_rules = NULL; ++ ++ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) { ++ char *p = rule_str + 14; ++ ++ new_rules = load_system_str(p); ++ rule_str = new_rules; ++ } ++#endif + + /* + * Return with error if nothing to do. + */ + if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) +- return NULL; ++ goto err; + #ifndef OPENSSL_NO_EC + if (!check_suiteb_cipher_list(ssl_method, c, &rule_str)) +- return NULL; ++ goto err; + #endif + + /* +@@ -1444,7 +1503,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); + if (co_list == NULL) { + SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE); +- return NULL; /* Failure */ ++ goto err; + } + + ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, +@@ -1510,8 +1569,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + * in force within each class + */ + if (!ssl_cipher_strength_sort(&head, &tail)) { +- OPENSSL_free(co_list); +- return NULL; ++ goto err; + } + + /* +@@ -1556,9 +1614,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; + ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); + if (ca_list == NULL) { +- OPENSSL_free(co_list); + SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE); +- return NULL; /* Failure */ ++ goto err; + } + ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, + disabled_mkey, disabled_auth, disabled_enc, +@@ -1584,8 +1641,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + OPENSSL_free(ca_list); /* Not needed anymore */ + + if (!ok) { /* Rule processing failure */ +- OPENSSL_free(co_list); +- return NULL; ++ goto err; + } + + /* +@@ -1593,14 +1649,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + * if we cannot get one. + */ + if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { +- OPENSSL_free(co_list); +- return NULL; ++ goto err; + } + ++#ifdef SYSTEM_CIPHERS_FILE ++ OPENSSL_free(new_rules); /* Not needed anymore */ ++#endif ++ + /* Add TLSv1.3 ciphers first - we always prefer those if possible */ + for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) { + if (!sk_SSL_CIPHER_push(cipherstack, + sk_SSL_CIPHER_value(tls13_ciphersuites, i))) { ++ OPENSSL_free(co_list); + sk_SSL_CIPHER_free(cipherstack); + return NULL; + } +@@ -1632,6 +1692,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + *cipher_list = cipherstack; + + return cipherstack; ++ ++err: ++ OPENSSL_free(co_list); ++#ifdef SYSTEM_CIPHERS_FILE ++ OPENSSL_free(new_rules); ++#endif ++ return NULL; ++ + } + + char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) +diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre8/ssl/ssl_lib.c +--- openssl-1.1.1-pre8/ssl/ssl_lib.c.system-cipherlist 2018-07-25 10:13:06.347232880 +0200 ++++ openssl-1.1.1-pre8/ssl/ssl_lib.c 2018-07-25 10:37:38.715394989 +0200 +@@ -658,7 +658,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx + ctx->tls13_ciphersuites, + &(ctx->cipher_list), + &(ctx->cipher_list_by_id), +- SSL_DEFAULT_CIPHER_LIST, ctx->cert); ++ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert); + if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { + SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); + return 0; +@@ -2931,7 +2931,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m + if (!ssl_create_cipher_list(ret->method, + ret->tls13_ciphersuites, + &ret->cipher_list, &ret->cipher_list_by_id, +- SSL_DEFAULT_CIPHER_LIST, ret->cert) ++ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert) + || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { + SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS); + goto err2; +diff -up openssl-1.1.1-pre8/test/cipherlist_test.c.system-cipherlist openssl-1.1.1-pre8/test/cipherlist_test.c +--- openssl-1.1.1-pre8/test/cipherlist_test.c.system-cipherlist 2018-07-25 10:13:06.348232903 +0200 ++++ openssl-1.1.1-pre8/test/cipherlist_test.c 2018-07-25 10:39:08.887552814 +0200 +@@ -217,7 +217,9 @@ static int test_default_cipherlist_expli + + int setup_tests(void) + { ++#ifndef SYSTEM_CIPHERS_FILE + ADD_TEST(test_default_cipherlist_implicit); ++#endif + ADD_TEST(test_default_cipherlist_explicit); + return 1; + } diff --git a/openssl-1.1.1-version-add-engines.patch b/openssl-1.1.1-version-add-engines.patch new file mode 100644 index 0000000..3c3f58e --- /dev/null +++ b/openssl-1.1.1-version-add-engines.patch @@ -0,0 +1,38 @@ +diff -up openssl-1.1.1-pre8/apps/version.c.version-add-engines openssl-1.1.1-pre8/apps/version.c +--- openssl-1.1.1-pre8/apps/version.c.version-add-engines 2018-06-20 16:48:09.000000000 +0200 ++++ openssl-1.1.1-pre8/apps/version.c 2018-07-16 18:00:40.608624346 +0200 +@@ -64,7 +64,7 @@ int version_main(int argc, char **argv) + { + int ret = 1, dirty = 0, seed = 0; + int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0; +- int engdir = 0; ++ int engdir = 0, engines = 0; + char *prog; + OPTION_CHOICE o; + +@@ -106,7 +106,7 @@ opthelp: + break; + case OPT_A: + seed = options = cflags = version = date = platform = dir = engdir +- = 1; ++ = engines = 1; + break; + } + } +@@ -188,6 +188,16 @@ opthelp: + #endif + printf("\n"); + } ++ if (engines) { ++ ENGINE *e; ++ printf("engines: "); ++ e = ENGINE_get_first(); ++ while (e) { ++ printf("%s ", ENGINE_get_id(e)); ++ e = ENGINE_get_next(e); ++ } ++ printf("\n"); ++ } + ret = 0; + end: + return ret; diff --git a/openssl-1.1.1-version-override.patch b/openssl-1.1.1-version-override.patch new file mode 100644 index 0000000..dae63f9 --- /dev/null +++ b/openssl-1.1.1-version-override.patch @@ -0,0 +1,14 @@ +diff -up openssl-1.1.1-pre8/include/openssl/opensslv.h.version-override openssl-1.1.1-pre8/include/openssl/opensslv.h +--- openssl-1.1.1-pre8/include/openssl/opensslv.h.version-override 2018-06-20 16:48:13.000000000 +0200 ++++ openssl-1.1.1-pre8/include/openssl/opensslv.h 2018-07-25 11:03:29.297543392 +0200 +@@ -39,8 +39,8 @@ extern "C" { + * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for + * major minor fix final patch/beta) + */ +-# define OPENSSL_VERSION_NUMBER 0x10101008L +-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-pre8 (beta) 20 Jun 2018" ++# define OPENSSL_VERSION_NUMBER 0x1010100fL ++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-pre8 (beta) FIPS 20 Jun 2018" + + /*- + * The macros below are to be used for shared library (.so, .dll, ...) diff --git a/openssl.spec b/openssl.spec index 827f727..ff9e2f4 100644 --- a/openssl.spec +++ b/openssl.spec @@ -19,15 +19,17 @@ %global _performance_build 1 +%global prerelease pre8 + Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 1.1.0h -Release: 6%{?dist} +Version: 1.1.1 +Release: 0.%{prerelease}%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. # The original openssl upstream tarball cannot be shipped in the .src.rpm. -Source: openssl-%{version}-hobbled.tar.xz +Source: openssl-%{version}-%{prerelease}-hobbled.tar.xz Source1: hobble-openssl Source2: Makefile.certificate Source6: make-dummy-cert @@ -38,30 +40,25 @@ Source11: README.FIPS Source12: ec_curve.c Source13: ectest.c # Build changes -Patch1: openssl-1.1.0-build.patch +Patch1: openssl-1.1.1-build.patch Patch2: openssl-1.1.0-defaults.patch Patch3: openssl-1.1.0-no-html.patch +Patch4: openssl-1.1.1-man-rename.patch # Bug fixes Patch21: openssl-1.1.0-issuer-hash.patch -Patch22: openssl-1.1.0-algo-doc.patch -Patch23: openssl-1.1.0-manfix.patch # Functionality changes Patch31: openssl-1.1.0-ca-dir.patch -Patch32: openssl-1.1.0-version-add-engines.patch +Patch32: openssl-1.1.1-version-add-engines.patch Patch33: openssl-1.1.0-apps-dgst.patch -Patch35: openssl-1.1.0-chil-fixes.patch -Patch36: openssl-1.1.0-secure-getenv.patch -Patch37: openssl-1.1.0-ec-curves.patch +Patch36: openssl-1.1.1-secure-getenv.patch +Patch37: openssl-1.1.1-ec-curves.patch Patch38: openssl-1.1.0-no-weak-verify.patch -Patch39: openssl-1.1.0-cc-reqs.patch -Patch40: openssl-1.1.0-disable-ssl3.patch -Patch41: openssl-1.1.0-system-cipherlist.patch -Patch42: openssl-1.1.0-fips.patch -Patch44: openssl-1.1.0-bio-fd-preserve-nl.patch +Patch40: openssl-1.1.1-disable-ssl3.patch +Patch41: openssl-1.1.1-system-cipherlist.patch +Patch42: openssl-1.1.1-fips.patch +Patch44: openssl-1.1.1-version-override.patch Patch45: openssl-1.1.0-weak-ciphers.patch -Patch46: openssl-1.1.0-silent-rnd-write.patch # Backported fixes including security fixes -Patch70: openssl-1.1.0-missing-quotes.patch License: OpenSSL Group: System Environment/Libraries @@ -71,6 +68,7 @@ BuildRequires: coreutils, krb5-devel, perl-interpreter, sed, zlib-devel, /usr/bi BuildRequires: lksctp-tools-devel BuildRequires: /usr/bin/rename BuildRequires: /usr/bin/pod2man +BuildRequires: /usr/sbin/sysctl BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt) BuildRequires: perl(Module::Load::Conditional), perl(File::Temp) BuildRequires: perl(Time::HiRes) @@ -134,7 +132,7 @@ package provides Perl scripts for converting certificates and keys from other formats to the formats used by the OpenSSL toolkit. %prep -%setup -q -n %{name}-%{version} +%setup -q -n %{name}-%{version}-%{prerelease} # The hobble_openssl is called here redundantly, just to be sure. # The tarball has already the sources removed. @@ -146,27 +144,22 @@ cp %{SOURCE13} test/ %patch1 -p1 -b .build %{?_rawbuild} %patch2 -p1 -b .defaults %patch3 -p1 -b .no-html %{?_rawbuild} +%patch4 -p1 -b .man-rename %patch21 -p1 -b .issuer-hash -%patch22 -p1 -b .algo-doc -%patch23 -p1 -b .manfix %patch31 -p1 -b .ca-dir %patch32 -p1 -b .version-add-engines %patch33 -p1 -b .dgst -%patch35 -p1 -b .chil %patch36 -p1 -b .secure-getenv %patch37 -p1 -b .curves %patch38 -p1 -b .no-weak-verify -%patch39 -p1 -b .cc-reqs %patch40 -p1 -b .disable-ssl3 %patch41 -p1 -b .system-cipherlist %patch42 -p1 -b .fips -%patch44 -p1 -b .preserve-nl +%patch44 -p1 -b .version-override %patch45 -p1 -b .weak-ciphers -%patch46 -p1 -b .silent-rnd-write -%patch70 -p1 -b .missing-quotes %build # Figure out which flags we want to use. @@ -246,7 +239,7 @@ export HASHBANGPERL=/usr/bin/perl zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \ enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \ enable-weak-ssl-ciphers \ - no-mdc2 no-ec2m \ + no-mdc2 no-ec2m no-sm2 \ shared ${sslarch} $RPM_OPT_FLAGS # Do not run this in a production package the FIPS symbols must be patched-in @@ -265,6 +258,13 @@ done %check # Verify that what was compiled actually works. +# Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check +(sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \ +(echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' && + sed '/"zlib-dynamic" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \ + touch -r configdata.pm configdata.pm.new && \ + mv -f configdata.pm.new configdata.pm) + # We must revert patch31 before tests otherwise they will fail patch -p1 -R < %{PATCH31} @@ -276,6 +276,8 @@ crypto/fips/fips_standalone_hmac libssl.so.%{soversion} >.libssl.so.%{soversion} ln -s .libssl.so.%{soversion}.hmac .libssl.so.hmac OPENSSL_ENABLE_MD5_VERIFY= export OPENSSL_ENABLE_MD5_VERIFY +OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file +export OPENSSL_SYSTEM_CIPHERS_OVERRIDE make test # Add generation of HMAC checksum of the final stripped library @@ -344,11 +346,13 @@ mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts -# Ensure the openssl.cnf timestamp is identical across builds to avoid +# Ensure the config file timestamps are identical across builds to avoid # mulitlib conflicts and unnecessary renames on upgrade touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf +touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist +rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist # Determine which arch opensslconf.h is going to try to #include. basearch=%{_arch} @@ -399,6 +403,7 @@ export LD_LIBRARY_PATH %dir %{_sysconfdir}/pki/tls/misc %dir %{_sysconfdir}/pki/tls/private %config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf +%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf %attr(0755,root,root) %{_libdir}/libcrypto.so.%{version} %attr(0755,root,root) %{_libdir}/libcrypto.so.%{soversion} %attr(0755,root,root) %{_libdir}/libssl.so.%{version} @@ -435,6 +440,9 @@ export LD_LIBRARY_PATH %postun libs -p /sbin/ldconfig %changelog +* Wed Jul 25 2018 Tomáš Mráz 1.1.1-0.pre8.1 +- update to the latest 1.1.1 beta version + * Fri Jul 13 2018 Fedora Release Engineering - 1:1.1.0h-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild diff --git a/sources b/sources index b8fb121..1e0d81a 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openssl-1.1.0h-hobbled.tar.xz) = cba4641956d6593f5cf5164bed12fb3acfaa9c24a69d5642cc0267d0918555450a12ddeac6e02b246afa64e7019f35baa0d9302d1f06e3be5555d8340319c5e4 +SHA512 (openssl-1.1.1-pre8-hobbled.tar.xz) = eca0c8843c69fc3dcd1a27d56107368548f5674a64decc62ff48196d30485f287550bb671ca8bc48aeef482a8419462638bf152850c741e4554219230f4c4582