From e18dcc63f4fae5a0df4e69a31e6c1838cbdff565 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 7 May 2019 10:30:26 +0200 Subject: [PATCH] FIPS compliance fixes --- openssl-1.1.1-evp-kdf.patch | 4 +- openssl-1.1.1-fips-crng-test.patch | 407 ++++++++++++ openssl-1.1.1-fips.patch | 952 +++++++++++++++++------------ openssl.spec | 7 +- 4 files changed, 988 insertions(+), 382 deletions(-) create mode 100644 openssl-1.1.1-fips-crng-test.patch diff --git a/openssl-1.1.1-evp-kdf.patch b/openssl-1.1.1-evp-kdf.patch index 48169fa..cb10eba 100644 --- a/openssl-1.1.1-evp-kdf.patch +++ b/openssl-1.1.1-evp-kdf.patch @@ -969,7 +969,7 @@ diff -up openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1b/crypto/evp/ + +const EVP_PKEY_METHOD tls1_prf_pkey_meth = { + EVP_PKEY_TLS1_PRF, -+ 0, ++ EVP_PKEY_FLAG_FIPS, + pkey_kdf_init, + 0, + pkey_kdf_cleanup, @@ -999,7 +999,7 @@ diff -up openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1b/crypto/evp/ + +const EVP_PKEY_METHOD hkdf_pkey_meth = { + EVP_PKEY_HKDF, -+ 0, ++ EVP_PKEY_FLAG_FIPS, + pkey_kdf_init, + 0, + pkey_kdf_cleanup, diff --git a/openssl-1.1.1-fips-crng-test.patch b/openssl-1.1.1-fips-crng-test.patch new file mode 100644 index 0000000..91841f1 --- /dev/null +++ b/openssl-1.1.1-fips-crng-test.patch @@ -0,0 +1,407 @@ +diff -up openssl-1.1.1b/crypto/include/internal/rand_int.h.crng-test openssl-1.1.1b/crypto/include/internal/rand_int.h +--- openssl-1.1.1b/crypto/include/internal/rand_int.h.crng-test 2019-05-07 08:56:33.242179136 +0200 ++++ openssl-1.1.1b/crypto/include/internal/rand_int.h 2019-05-07 09:54:14.920204875 +0200 +@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN + + void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out); + ++/* CRNG test entropy filter callbacks. */ ++size_t rand_crngt_get_entropy(RAND_DRBG *drbg, ++ unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len, ++ int prediction_resistance); ++void rand_crngt_cleanup_entropy(RAND_DRBG *drbg, ++ unsigned char *out, size_t outlen); ++ + /* + * RAND_POOL functions + */ +diff -up openssl-1.1.1b/crypto/rand/build.info.crng-test openssl-1.1.1b/crypto/rand/build.info +--- openssl-1.1.1b/crypto/rand/build.info.crng-test 2019-05-07 09:54:14.921204857 +0200 ++++ openssl-1.1.1b/crypto/rand/build.info 2019-05-07 09:55:22.730014705 +0200 +@@ -1,4 +1,4 @@ + LIBS=../../libcrypto + SOURCE[../../libcrypto]=\ +- randfile.c rand_lib.c rand_err.c rand_egd.c \ ++ randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \ + rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c +diff -up openssl-1.1.1b/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1b/crypto/rand/drbg_lib.c +--- openssl-1.1.1b/crypto/rand/drbg_lib.c.crng-test 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/rand/drbg_lib.c 2019-05-07 10:04:51.753157224 +0200 +@@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg; + + + /* NIST SP 800-90A DRBG recommends the use of a personalization string. */ +-static const char ossl_pers_string[] = "OpenSSL NIST SP 800-90A DRBG"; ++static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING; + + static CRYPTO_ONCE rand_drbg_init = CRYPTO_ONCE_STATIC_INIT; + +@@ -201,8 +201,13 @@ static RAND_DRBG *rand_drbg_new(int secu + drbg->parent = parent; + + if (parent == NULL) { ++#ifdef OPENSSL_FIPS ++ drbg->get_entropy = rand_crngt_get_entropy; ++ drbg->cleanup_entropy = rand_crngt_cleanup_entropy; ++#else + drbg->get_entropy = rand_drbg_get_entropy; + drbg->cleanup_entropy = rand_drbg_cleanup_entropy; ++#endif + #ifndef RAND_DRBG_GET_RANDOM_NONCE + drbg->get_nonce = rand_drbg_get_nonce; + drbg->cleanup_nonce = rand_drbg_cleanup_nonce; +diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/crypto/rand/rand_crng_test.c +--- openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test 2019-05-07 09:54:14.925204787 +0200 ++++ openssl-1.1.1b/crypto/rand/rand_crng_test.c 2019-05-07 09:54:14.932204664 +0200 +@@ -0,0 +1,118 @@ ++/* ++ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++/* ++ * Implementation of the FIPS 140-2 section 4.9.2 Conditional Tests. ++ */ ++ ++#include ++#include ++#include "internal/rand_int.h" ++#include "internal/thread_once.h" ++#include "rand_lcl.h" ++ ++static RAND_POOL *crngt_pool; ++static unsigned char crngt_prev[EVP_MAX_MD_SIZE]; ++ ++int (*crngt_get_entropy)(unsigned char *, unsigned char *, unsigned int *) ++ = &rand_crngt_get_entropy_cb; ++ ++int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md, ++ unsigned int *md_size) ++{ ++ int r; ++ size_t n; ++ unsigned char *p; ++ ++ n = rand_pool_acquire_entropy(crngt_pool); ++ if (n >= CRNGT_BUFSIZ) { ++ p = rand_pool_detach(crngt_pool); ++ r = EVP_Digest(p, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL); ++ if (r != 0) ++ memcpy(buf, p, CRNGT_BUFSIZ); ++ rand_pool_reattach(crngt_pool, p); ++ return r; ++ } ++ return 0; ++} ++ ++void rand_crngt_cleanup(void) ++{ ++ rand_pool_free(crngt_pool); ++ crngt_pool = NULL; ++} ++ ++int rand_crngt_init(void) ++{ ++ unsigned char buf[CRNGT_BUFSIZ]; ++ ++ if ((crngt_pool = rand_pool_new(0, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL) ++ return 0; ++ if (crngt_get_entropy(buf, crngt_prev, NULL)) { ++ OPENSSL_cleanse(buf, sizeof(buf)); ++ return 1; ++ } ++ rand_crngt_cleanup(); ++ return 0; ++} ++ ++static CRYPTO_ONCE rand_crngt_init_flag = CRYPTO_ONCE_STATIC_INIT; ++DEFINE_RUN_ONCE_STATIC(do_rand_crngt_init) ++{ ++ return OPENSSL_init_crypto(0, NULL) ++ && rand_crngt_init() ++ && OPENSSL_atexit(&rand_crngt_cleanup); ++} ++ ++int rand_crngt_single_init(void) ++{ ++ return RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init); ++} ++ ++size_t rand_crngt_get_entropy(RAND_DRBG *drbg, ++ unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len, ++ int prediction_resistance) ++{ ++ unsigned char buf[CRNGT_BUFSIZ], md[EVP_MAX_MD_SIZE]; ++ unsigned int sz; ++ RAND_POOL *pool; ++ size_t q, r = 0, s, t = 0; ++ int attempts = 3; ++ ++ if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init)) ++ return 0; ++ ++ if ((pool = rand_pool_new(entropy, min_len, max_len)) == NULL) ++ return 0; ++ ++ while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) { ++ s = q > sizeof(buf) ? sizeof(buf) : q; ++ if (!crngt_get_entropy(buf, md, &sz) ++ || memcmp(crngt_prev, md, sz) == 0 ++ || !rand_pool_add(pool, buf, s, s * 8)) ++ goto err; ++ memcpy(crngt_prev, md, sz); ++ t += s; ++ attempts++; ++ } ++ r = t; ++ *pout = rand_pool_detach(pool); ++err: ++ OPENSSL_cleanse(buf, sizeof(buf)); ++ rand_pool_free(pool); ++ return r; ++} ++ ++void rand_crngt_cleanup_entropy(RAND_DRBG *drbg, ++ unsigned char *out, size_t outlen) ++{ ++ OPENSSL_secure_clear_free(out, outlen); ++} +diff -up openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test openssl-1.1.1b/crypto/rand/rand_lcl.h +--- openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test 2019-05-07 08:56:33.330177674 +0200 ++++ openssl-1.1.1b/crypto/rand/rand_lcl.h 2019-05-07 09:54:14.933204647 +0200 +@@ -33,7 +33,15 @@ + # define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */ + # define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */ + +- ++/* ++ * The number of bytes that constitutes an atomic lump of entropy with respect ++ * to the FIPS 140-2 section 4.9.2 Conditional Tests. The size is somewhat ++ * arbitrary, the smaller the value, the less entropy is consumed on first ++ * read but the higher the probability of the test failing by accident. ++ * ++ * The value is in bytes. ++ */ ++#define CRNGT_BUFSIZ 16 + + /* + * Maximum input size for the DRBG (entropy, nonce, personalization string) +@@ -44,7 +52,8 @@ + */ + # define DRBG_MAX_LENGTH INT32_MAX + +- ++/* The default nonce */ ++# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG" + + /* + * Maximum allocation size for RANDOM_POOL buffers +@@ -290,4 +299,22 @@ int rand_drbg_enable_locking(RAND_DRBG * + /* initializes the AES-CTR DRBG implementation */ + int drbg_ctr_init(RAND_DRBG *drbg); + ++/* ++ * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests. ++ * These need to be exposed for the unit tests. ++ */ ++int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md, ++ unsigned int *md_size); ++extern int (*crngt_get_entropy)(unsigned char *buf, unsigned char *md, ++ unsigned int *md_size); ++int rand_crngt_init(void); ++void rand_crngt_cleanup(void); ++ ++/* ++ * Expose the run once initialisation function for the unit tests because. ++ * they need to restart from scratch to validate the first block is skipped ++ * properly. ++ */ ++int rand_crngt_single_init(void); ++ + #endif +diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c +--- openssl-1.1.1b/test/drbgtest.c.crng-test 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/test/drbgtest.c 2019-05-07 10:06:24.706551561 +0200 +@@ -143,6 +143,31 @@ static size_t kat_nonce(RAND_DRBG *drbg, + return t->noncelen; + } + ++ /* ++ * Disable CRNG testing if it is enabled. ++ * If the DRBG is ready or in an error state, this means an instantiate cycle ++ * for which the default personalisation string is used. ++ */ ++static int disable_crngt(RAND_DRBG *drbg) ++{ ++ static const char pers[] = DRBG_DEFAULT_PERS_STRING; ++ const int instantiate = drbg->state != DRBG_UNINITIALISED; ++ ++ if (drbg->get_entropy != rand_crngt_get_entropy) ++ return 1; ++ ++ if ((instantiate && !RAND_DRBG_uninstantiate(drbg)) ++ || !TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy, ++ &rand_drbg_cleanup_entropy, ++ &rand_drbg_get_nonce, ++ &rand_drbg_cleanup_nonce)) ++ || (instantiate ++ && !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers, ++ sizeof(pers) - 1))) ++ return 0; ++ return 1; ++} ++ + static int uninstantiate(RAND_DRBG *drbg) + { + int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg); +@@ -168,7 +193,8 @@ static int single_kat(DRBG_SELFTEST_DATA + if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL))) + return 0; + if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, +- kat_nonce, NULL))) { ++ kat_nonce, NULL)) ++ || !TEST_true(disable_crngt(drbg))) { + failures++; + goto err; + } +@@ -286,7 +312,8 @@ static int error_check(DRBG_SELFTEST_DAT + unsigned int reseed_counter_tmp; + int ret = 0; + +- if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL))) ++ if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL)) ++ || !TEST_true(disable_crngt(drbg))) + goto err; + + /* +@@ -699,6 +726,10 @@ static int test_rand_drbg_reseed(void) + || !TEST_ptr_eq(private->parent, master)) + return 0; + ++ /* Disable CRNG testing for the master DRBG */ ++ if (!TEST_true(disable_crngt(master))) ++ return 0; ++ + /* uninstantiate the three global DRBGs */ + RAND_DRBG_uninstantiate(private); + RAND_DRBG_uninstantiate(public); +@@ -919,7 +950,8 @@ static int test_rand_seed(void) + size_t rand_buflen; + size_t required_seed_buflen = 0; + +- if (!TEST_ptr(master = RAND_DRBG_get0_master())) ++ if (!TEST_ptr(master = RAND_DRBG_get0_master()) ++ || !TEST_true(disable_crngt(master))) + return 0; + + #ifdef OPENSSL_RAND_SEED_NONE +@@ -968,6 +1000,95 @@ static int test_rand_add(void) + return 1; + } + ++/* ++ * A list of the FIPS DRGB types. ++ */ ++static const struct s_drgb_types { ++ int nid; ++ int flags; ++} drgb_types[] = { ++ { NID_aes_128_ctr, 0 }, ++ { NID_aes_192_ctr, 0 }, ++ { NID_aes_256_ctr, 0 }, ++}; ++ ++/* Six cases for each covers seed sizes up to 32 bytes */ ++static const size_t crngt_num_cases = 6; ++ ++static size_t crngt_case, crngt_idx; ++ ++static int crngt_entropy_cb(unsigned char *buf, unsigned char *md, ++ unsigned int *md_size) ++{ ++ size_t i, z; ++ ++ if (!TEST_int_lt(crngt_idx, crngt_num_cases)) ++ return 0; ++ /* Generate a block of unique data unless this is the duplication point */ ++ z = crngt_idx++; ++ if (z > 0 && crngt_case == z) ++ z--; ++ for (i = 0; i < CRNGT_BUFSIZ; i++) ++ buf[i] = (unsigned char)(i + 'A' + z); ++ return EVP_Digest(buf, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL); ++} ++ ++static int test_crngt(int n) ++{ ++ const struct s_drgb_types *dt = drgb_types + n / crngt_num_cases; ++ RAND_DRBG *drbg = NULL; ++ unsigned char buff[100]; ++ size_t ent; ++ int res = 0; ++ int expect; ++ ++ if (!TEST_true(rand_crngt_single_init())) ++ return 0; ++ rand_crngt_cleanup(); ++ ++ if (!TEST_ptr(drbg = RAND_DRBG_new(dt->nid, dt->flags, NULL))) ++ return 0; ++ ent = (drbg->min_entropylen + CRNGT_BUFSIZ - 1) / CRNGT_BUFSIZ; ++ crngt_case = n % crngt_num_cases; ++ crngt_idx = 0; ++ crngt_get_entropy = &crngt_entropy_cb; ++ if (!TEST_true(rand_crngt_init())) ++ goto err; ++#ifndef OPENSSL_FIPS ++ if (!TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_crngt_get_entropy, ++ &rand_crngt_cleanup_entropy, ++ &rand_drbg_get_nonce, ++ &rand_drbg_cleanup_nonce))) ++ goto err; ++#endif ++ expect = crngt_case == 0 || crngt_case > ent; ++ if (!TEST_int_eq(RAND_DRBG_instantiate(drbg, NULL, 0), expect)) ++ goto err; ++ if (!expect) ++ goto fin; ++ if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0))) ++ goto err; ++ ++ expect = crngt_case == 0 || crngt_case > 2 * ent; ++ if (!TEST_int_eq(RAND_DRBG_reseed(drbg, NULL, 0, 0), expect)) ++ goto err; ++ if (!expect) ++ goto fin; ++ if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0))) ++ goto err; ++ ++fin: ++ res = 1; ++err: ++ if (!res) ++ TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases, ++ crngt_case, crngt_idx); ++ uninstantiate(drbg); ++ RAND_DRBG_free(drbg); ++ crngt_get_entropy = &rand_crngt_get_entropy_cb; ++ return res; ++} ++ + int setup_tests(void) + { + app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL); +@@ -980,5 +1101,6 @@ int setup_tests(void) + #if defined(OPENSSL_THREADS) + ADD_TEST(test_multi_thread); + #endif ++ ADD_ALL_TESTS(test_crngt, crngt_num_cases * OSSL_NELEM(drgb_types)); + return 1; + } diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch index c3ed6e2..adcc584 100644 --- a/openssl-1.1.1-fips.patch +++ b/openssl-1.1.1-fips.patch @@ -1,6 +1,6 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c ---- openssl-1.1.1b/apps/speed.c.fips 2019-02-28 11:30:06.768746376 +0100 -+++ openssl-1.1.1b/apps/speed.c 2019-02-28 11:30:06.779746172 +0100 +--- openssl-1.1.1b/apps/speed.c.fips 2019-05-07 08:56:33.531174336 +0200 ++++ openssl-1.1.1b/apps/speed.c 2019-05-07 09:43:06.673989992 +0200 @@ -1592,7 +1592,8 @@ int speed_main(int argc, char **argv) continue; if (strcmp(*argv, "rsa") == 0) { @@ -22,7 +22,22 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c dsa_doit[R_DSA_2048] = 1; continue; } -@@ -1734,15 +1737,21 @@ int speed_main(int argc, char **argv) +@@ -1640,12 +1643,12 @@ int speed_main(int argc, char **argv) + ecdh_doit[i] = 2; + continue; + } +- if (strcmp(*argv, "eddsa") == 0) { ++ if (!FIPS_mode() && strcmp(*argv, "eddsa") == 0) { + for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++) + eddsa_doit[loop] = 1; + continue; + } +- if (found(*argv, eddsa_choices, &i)) { ++ if (!FIPS_mode() && found(*argv, eddsa_choices, &i)) { + eddsa_doit[i] = 2; + continue; + } +@@ -1734,23 +1737,30 @@ int speed_main(int argc, char **argv) /* No parameters; turn on everything. */ if ((argc == 0) && !doit[D_EVP]) { for (i = 0; i < ALGOR_NUM; i++) @@ -47,7 +62,18 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c #endif #ifndef OPENSSL_NO_EC for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++) -@@ -1798,30 +1807,46 @@ int speed_main(int argc, char **argv) + ecdsa_doit[loop] = 1; + for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++) + ecdh_doit[loop] = 1; +- for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++) +- eddsa_doit[loop] = 1; ++ if (!FIPS_mode()) ++ for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++) ++ eddsa_doit[loop] = 1; + #endif + } + for (i = 0; i < ALGOR_NUM; i++) +@@ -1798,30 +1808,46 @@ int speed_main(int argc, char **argv) AES_set_encrypt_key(key24, 192, &aes_ks2); AES_set_encrypt_key(key32, 256, &aes_ks3); #ifndef OPENSSL_NO_CAMELLIA @@ -104,7 +130,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c #endif #ifndef SIGALRM # ifndef OPENSSL_NO_DES -@@ -2118,6 +2143,7 @@ int speed_main(int argc, char **argv) +@@ -2118,6 +2144,7 @@ int speed_main(int argc, char **argv) for (i = 0; i < loopargs_len; i++) { loopargs[i].hctx = HMAC_CTX_new(); @@ -124,6 +150,18 @@ diff -up openssl-1.1.1b/Configure.fips openssl-1.1.1b/Configure "evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui", "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store" ]; +diff -up openssl-1.1.1b/crypto/cmac/cm_pmeth.c.fips openssl-1.1.1b/crypto/cmac/cm_pmeth.c +--- openssl-1.1.1b/crypto/cmac/cm_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/cmac/cm_pmeth.c 2019-05-06 14:55:32.866749109 +0200 +@@ -129,7 +129,7 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_C + + const EVP_PKEY_METHOD cmac_pkey_meth = { + EVP_PKEY_CMAC, +- EVP_PKEY_FLAG_SIGCTX_CUSTOM, ++ EVP_PKEY_FLAG_SIGCTX_CUSTOM | EVP_PKEY_FLAG_FIPS, + pkey_cmac_init, + pkey_cmac_copy, + pkey_cmac_cleanup, diff -up openssl-1.1.1b/crypto/dh/dh_err.c.fips openssl-1.1.1b/crypto/dh/dh_err.c --- openssl-1.1.1b/crypto/dh/dh_err.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/dh/dh_err.c 2019-02-28 11:30:06.779746172 +0100 @@ -284,6 +322,27 @@ diff -up openssl-1.1.1b/crypto/dh/dh_key.c.fips openssl-1.1.1b/crypto/dh/dh_key. dh->flags |= DH_FLAG_CACHE_MONT_P; return 1; } +diff -up openssl-1.1.1b/crypto/dh/dh_pmeth.c.fips openssl-1.1.1b/crypto/dh/dh_pmeth.c +--- openssl-1.1.1b/crypto/dh/dh_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/dh/dh_pmeth.c 2019-05-06 14:57:29.184723430 +0200 +@@ -480,7 +480,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX * + + const EVP_PKEY_METHOD dh_pkey_meth = { + EVP_PKEY_DH, +- 0, ++ EVP_PKEY_FLAG_FIPS, + pkey_dh_init, + pkey_dh_copy, + pkey_dh_cleanup, +@@ -514,7 +514,7 @@ const EVP_PKEY_METHOD dh_pkey_meth = { + + const EVP_PKEY_METHOD dhx_pkey_meth = { + EVP_PKEY_DHX, +- 0, ++ EVP_PKEY_FLAG_FIPS, + pkey_dh_init, + pkey_dh_copy, + pkey_dh_cleanup, diff -up openssl-1.1.1b/crypto/dsa/dsa_err.c.fips openssl-1.1.1b/crypto/dsa/dsa_err.c --- openssl-1.1.1b/crypto/dsa/dsa_err.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/dsa/dsa_err.c 2019-02-28 11:30:06.798745819 +0100 @@ -638,6 +697,15 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.1b/crypto/dsa/ds BN_GENCB_free(pcb); if (ret) EVP_PKEY_assign_DSA(pkey, dsa); +@@ -241,7 +241,7 @@ static int pkey_dsa_keygen(EVP_PKEY_CTX + + const EVP_PKEY_METHOD dsa_pkey_meth = { + EVP_PKEY_DSA, +- EVP_PKEY_FLAG_AUTOARGLEN, ++ EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS, + pkey_dsa_init, + pkey_dsa_copy, + pkey_dsa_cleanup, diff -up openssl-1.1.1b/crypto/ec/ecdh_ossl.c.fips openssl-1.1.1b/crypto/ec/ecdh_ossl.c --- openssl-1.1.1b/crypto/ec/ecdh_ossl.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/ec/ecdh_ossl.c 2019-02-28 11:30:06.801745763 +0100 @@ -772,6 +840,18 @@ diff -up openssl-1.1.1b/crypto/ec/ec_key.c.fips openssl-1.1.1b/crypto/ec/ec_key. ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED); return 0; } +diff -up openssl-1.1.1b/crypto/ec/ec_pmeth.c.fips openssl-1.1.1b/crypto/ec/ec_pmeth.c +--- openssl-1.1.1b/crypto/ec/ec_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/ec/ec_pmeth.c 2019-05-06 14:47:34.651077251 +0200 +@@ -434,7 +434,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX * + + const EVP_PKEY_METHOD ec_pkey_meth = { + EVP_PKEY_EC, +- 0, ++ EVP_PKEY_FLAG_FIPS, + pkey_ec_init, + pkey_ec_copy, + pkey_ec_cleanup, diff -up openssl-1.1.1b/crypto/evp/c_allc.c.fips openssl-1.1.1b/crypto/evp/c_allc.c --- openssl-1.1.1b/crypto/evp/c_allc.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/evp/c_allc.c 2019-02-28 11:30:06.802745744 +0100 @@ -958,8 +1038,93 @@ diff -up openssl-1.1.1b/crypto/evp/digest.c.fips openssl-1.1.1b/crypto/evp/diges if (size != NULL) diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes.c --- openssl-1.1.1b/crypto/evp/e_aes.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/e_aes.c 2019-02-28 11:30:06.804745707 +0100 -@@ -2794,9 +2794,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX ++++ openssl-1.1.1b/crypto/evp/e_aes.c 2019-05-06 16:32:41.631668333 +0200 +@@ -387,22 +387,33 @@ static int aesni_xts_init_key(EVP_CIPHER + return 1; + + if (key) { ++ /* The key is two half length keys in reality */ ++ const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2; ++ const int bits = bytes * 8; ++ ++ /* ++ * Verify that the two keys are different. ++ * ++ * This addresses Rogaway's vulnerability. ++ * See comment in aes_xts_init_key() below. ++ */ ++ if (memcmp(key, key + bytes, bytes) == 0) { ++ EVPerr(EVP_F_AESNI_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); ++ return 0; ++ } ++ + /* key_len is two AES keys */ + if (enc) { +- aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, +- &xctx->ks1.ks); ++ aesni_set_encrypt_key(key, bits, &xctx->ks1.ks); + xctx->xts.block1 = (block128_f) aesni_encrypt; + xctx->stream = aesni_xts_encrypt; + } else { +- aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, +- &xctx->ks1.ks); ++ aesni_set_decrypt_key(key, bits, &xctx->ks1.ks); + xctx->xts.block1 = (block128_f) aesni_decrypt; + xctx->stream = aesni_xts_decrypt; + } + +- aesni_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, +- EVP_CIPHER_CTX_key_length(ctx) * 4, +- &xctx->ks2.ks); ++ aesni_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks); + xctx->xts.block2 = (block128_f) aesni_encrypt; + + xctx->xts.key1 = &xctx->ks1; +@@ -791,7 +802,21 @@ static int aes_t4_xts_init_key(EVP_CIPHE + return 1; + + if (key) { +- int bits = EVP_CIPHER_CTX_key_length(ctx) * 4; ++ /* The key is two half length keys in reality */ ++ const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2; ++ const int bits = bytes * 8; ++ ++ /* ++ * Verify that the two keys are different. ++ * ++ * This addresses Rogaway's vulnerability. ++ * See comment in aes_xts_init_key() below. ++ */ ++ if (memcmp(key, key + bytes, bytes) == 0) { ++ EVPerr(EVP_F_AES_T4_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); ++ return 0; ++ } ++ + xctx->stream = NULL; + /* key_len is two AES keys */ + if (enc) { +@@ -808,8 +833,7 @@ static int aes_t4_xts_init_key(EVP_CIPHE + return 0; + } + } else { +- aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, +- &xctx->ks1.ks); ++ aes_t4_set_decrypt_key(key, bits, &xctx->ks1.ks); + xctx->xts.block1 = (block128_f) aes_t4_decrypt; + switch (bits) { + case 128: +@@ -823,9 +847,7 @@ static int aes_t4_xts_init_key(EVP_CIPHE + } + } + +- aes_t4_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, +- EVP_CIPHER_CTX_key_length(ctx) * 4, +- &xctx->ks2.ks); ++ aes_t4_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks); + xctx->xts.block2 = (block128_f) aes_t4_encrypt; + + xctx->xts.key1 = &xctx->ks1; +@@ -2794,9 +2816,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX return 1; } @@ -972,7 +1137,7 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes. static int aes_gcm_cleanup(EVP_CIPHER_CTX *c) { -@@ -2826,6 +2826,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX * +@@ -2826,6 +2848,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX * case EVP_CTRL_AEAD_SET_IVLEN: if (arg <= 0) return 0; @@ -984,7 +1149,7 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes. /* Allocate memory for IV if needed */ if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { if (gctx->iv != c->iv) -@@ -3275,11 +3280,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX +@@ -3275,11 +3302,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX | EVP_CIPH_CUSTOM_COPY) BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM, @@ -1002,7 +1167,123 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes. static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { -@@ -3414,6 +3422,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX +@@ -3313,8 +3343,33 @@ static int aes_xts_init_key(EVP_CIPHER_C + if (!iv && !key) + return 1; + +- if (key) ++ if (key) { + do { ++ /* The key is two half length keys in reality */ ++ const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2; ++ const int bits = bytes * 8; ++ ++ /* ++ * Verify that the two keys are different. ++ * ++ * This addresses the vulnerability described in Rogaway's ++ * September 2004 paper: ++ * ++ * "Efficient Instantiations of Tweakable Blockciphers and ++ * Refinements to Modes OCB and PMAC". ++ * (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf) ++ * ++ * FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states ++ * that: ++ * "The check for Key_1 != Key_2 shall be done at any place ++ * BEFORE using the keys in the XTS-AES algorithm to process ++ * data with them." ++ */ ++ if (memcmp(key, key + bytes, bytes) == 0) { ++ EVPerr(EVP_F_AES_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); ++ return 0; ++ } ++ + #ifdef AES_XTS_ASM + xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt; + #else +@@ -3324,26 +3379,20 @@ static int aes_xts_init_key(EVP_CIPHER_C + #ifdef HWAES_CAPABLE + if (HWAES_CAPABLE) { + if (enc) { +- HWAES_set_encrypt_key(key, +- EVP_CIPHER_CTX_key_length(ctx) * 4, +- &xctx->ks1.ks); ++ HWAES_set_encrypt_key(key, bits, &xctx->ks1.ks); + xctx->xts.block1 = (block128_f) HWAES_encrypt; + # ifdef HWAES_xts_encrypt + xctx->stream = HWAES_xts_encrypt; + # endif + } else { +- HWAES_set_decrypt_key(key, +- EVP_CIPHER_CTX_key_length(ctx) * 4, +- &xctx->ks1.ks); ++ HWAES_set_decrypt_key(key, bits, &xctx->ks1.ks); + xctx->xts.block1 = (block128_f) HWAES_decrypt; + # ifdef HWAES_xts_decrypt + xctx->stream = HWAES_xts_decrypt; + #endif + } + +- HWAES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, +- EVP_CIPHER_CTX_key_length(ctx) * 4, +- &xctx->ks2.ks); ++ HWAES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks); + xctx->xts.block2 = (block128_f) HWAES_encrypt; + + xctx->xts.key1 = &xctx->ks1; +@@ -3358,20 +3407,14 @@ static int aes_xts_init_key(EVP_CIPHER_C + #ifdef VPAES_CAPABLE + if (VPAES_CAPABLE) { + if (enc) { +- vpaes_set_encrypt_key(key, +- EVP_CIPHER_CTX_key_length(ctx) * 4, +- &xctx->ks1.ks); ++ vpaes_set_encrypt_key(key, bits, &xctx->ks1.ks); + xctx->xts.block1 = (block128_f) vpaes_encrypt; + } else { +- vpaes_set_decrypt_key(key, +- EVP_CIPHER_CTX_key_length(ctx) * 4, +- &xctx->ks1.ks); ++ vpaes_set_decrypt_key(key, bits, &xctx->ks1.ks); + xctx->xts.block1 = (block128_f) vpaes_decrypt; + } + +- vpaes_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, +- EVP_CIPHER_CTX_key_length(ctx) * 4, +- &xctx->ks2.ks); ++ vpaes_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks); + xctx->xts.block2 = (block128_f) vpaes_encrypt; + + xctx->xts.key1 = &xctx->ks1; +@@ -3381,22 +3424,19 @@ static int aes_xts_init_key(EVP_CIPHER_C + (void)0; /* terminate potentially open 'else' */ + + if (enc) { +- AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, +- &xctx->ks1.ks); ++ AES_set_encrypt_key(key, bits, &xctx->ks1.ks); + xctx->xts.block1 = (block128_f) AES_encrypt; + } else { +- AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, +- &xctx->ks1.ks); ++ AES_set_decrypt_key(key, bits, &xctx->ks1.ks); + xctx->xts.block1 = (block128_f) AES_decrypt; + } + +- AES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, +- EVP_CIPHER_CTX_key_length(ctx) * 4, +- &xctx->ks2.ks); ++ AES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks); + xctx->xts.block2 = (block128_f) AES_encrypt; + + xctx->xts.key1 = &xctx->ks1; + } while (0); ++ } + + if (iv) { + xctx->xts.key2 = &xctx->ks2; +@@ -3414,6 +3454,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX return 0; if (!out || !in || len < AES_BLOCK_SIZE) return 0; @@ -1017,7 +1298,7 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes. if (xctx->stream) (*xctx->stream) (in, out, len, xctx->xts.key1, xctx->xts.key2, -@@ -3431,8 +3447,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX +@@ -3431,8 +3479,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ | EVP_CIPH_CUSTOM_COPY) @@ -1030,7 +1311,7 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes. static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { -@@ -3697,11 +3715,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX +@@ -3697,11 +3747,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX #define aes_ccm_cleanup NULL BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM, @@ -1045,7 +1326,7 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes. typedef struct { union { -@@ -3794,7 +3812,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT +@@ -3794,7 +3844,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT return rv ? (int)rv : -1; } @@ -1176,12 +1457,21 @@ diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.fips openssl-1.1.1b/crypto/evp/evp_ if (!ctx->cipher->init(ctx, key, iv, enc)) diff -up openssl-1.1.1b/crypto/evp/evp_err.c.fips openssl-1.1.1b/crypto/evp/evp_err.c --- openssl-1.1.1b/crypto/evp/evp_err.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/evp_err.c 2019-02-28 11:30:06.805745688 +0100 -@@ -20,6 +20,7 @@ static const ERR_STRING_DATA EVP_str_fun ++++ openssl-1.1.1b/crypto/evp/evp_err.c 2019-05-06 16:41:08.565739361 +0200 +@@ -15,11 +15,16 @@ + + static const ERR_STRING_DATA EVP_str_functs[] = { + {ERR_PACK(ERR_LIB_EVP, EVP_F_AESNI_INIT_KEY, 0), "aesni_init_key"}, ++ {ERR_PACK(ERR_LIB_EVP, EVP_F_AESNI_XTS_INIT_KEY, 0), "aesni_xts_init_key"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_GCM_CTRL, 0), "aes_gcm_ctrl"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_INIT_KEY, 0), "aes_init_key"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_OCB_CIPHER, 0), "aes_ocb_cipher"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_INIT_KEY, 0), "aes_t4_init_key"}, ++ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_XTS_INIT_KEY, 0), ++ "aes_t4_xts_init_key"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_WRAP_CIPHER, 0), "aes_wrap_cipher"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_CIPHER, 0), "aes_xts_cipher"}, ++ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_INIT_KEY, 0), "aes_xts_init_key"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_ALG_MODULE_INIT, 0), "alg_module_init"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_CCM_INIT_KEY, 0), "aria_ccm_init_key"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_GCM_CTRL, 0), "aria_gcm_ctrl"}, @@ -1201,6 +1491,17 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.fips openssl-1.1.1b/crypto/evp/evp_ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_CIPHER), "unknown cipher"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_DIGEST), "unknown digest"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_OPTION), "unknown option"}, +@@ -266,6 +269,10 @@ static const ERR_STRING_DATA EVP_str_rea + "wrap mode not allowed"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_FINAL_BLOCK_LENGTH), + "wrong final block length"}, ++ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE), ++ "xts data unit is too large"}, ++ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS), ++ "xts duplicated keys"}, + {0, NULL} + }; + diff -up openssl-1.1.1b/crypto/evp/evp_lib.c.fips openssl-1.1.1b/crypto/evp/evp_lib.c --- openssl-1.1.1b/crypto/evp/evp_lib.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/evp/evp_lib.c 2019-02-28 11:30:06.806745670 +0100 @@ -1280,6 +1581,82 @@ diff -up openssl-1.1.1b/crypto/evp/m_sha1.c.fips openssl-1.1.1b/crypto/evp/m_sha init512, update512, final512, +diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha3.c +--- openssl-1.1.1b/crypto/evp/m_sha3.c.fips 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/evp/m_sha3.c 2019-05-06 16:12:23.012851747 +0200 +@@ -292,7 +292,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) + NID_sha3_##bitlen, \ + NID_RSA_SHA3_##bitlen, \ + bitlen / 8, \ +- EVP_MD_FLAG_DIGALGID_ABSENT, \ ++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \ + s390x_sha3_init, \ + s390x_sha3_update, \ + s390x_sha3_final, \ +@@ -305,7 +305,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) + NID_sha3_##bitlen, \ + NID_RSA_SHA3_##bitlen, \ + bitlen / 8, \ +- EVP_MD_FLAG_DIGALGID_ABSENT, \ ++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \ + sha3_init, \ + sha3_update, \ + sha3_final, \ +@@ -326,7 +326,7 @@ const EVP_MD *EVP_shake##bitlen(void) + NID_shake##bitlen, \ + 0, \ + bitlen / 8, \ +- EVP_MD_FLAG_XOF, \ ++ EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS, \ + s390x_shake_init, \ + s390x_sha3_update, \ + s390x_shake_final, \ +@@ -340,7 +340,7 @@ const EVP_MD *EVP_shake##bitlen(void) + NID_shake##bitlen, \ + 0, \ + bitlen / 8, \ +- EVP_MD_FLAG_XOF, \ ++ EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS, \ + shake_init, \ + sha3_update, \ + sha3_final, \ +@@ -364,7 +364,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) + NID_sha3_##bitlen, \ + NID_RSA_SHA3_##bitlen, \ + bitlen / 8, \ +- EVP_MD_FLAG_DIGALGID_ABSENT, \ ++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \ + sha3_init, \ + sha3_update, \ + sha3_final, \ +@@ -383,7 +383,7 @@ const EVP_MD *EVP_shake##bitlen(void) + NID_shake##bitlen, \ + 0, \ + bitlen / 8, \ +- EVP_MD_FLAG_XOF, \ ++ EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS, \ + shake_init, \ + sha3_update, \ + sha3_final, \ +diff -up openssl-1.1.1b/crypto/evp/pmeth_lib.c.fips openssl-1.1.1b/crypto/evp/pmeth_lib.c +--- openssl-1.1.1b/crypto/evp/pmeth_lib.c.fips 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/evp/pmeth_lib.c 2019-05-06 15:11:33.207095983 +0200 +@@ -131,7 +131,15 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKE + pmeth = ENGINE_get_pkey_meth(e, id); + else + #endif ++ { + pmeth = EVP_PKEY_meth_find(id); ++#ifdef OPENSSL_FIPS ++ if (!(pmeth->flags & EVP_PKEY_FLAG_FIPS) && FIPS_mode()) { ++ EVPerr(EVP_F_INT_CTX_NEW, EVP_R_DISABLED_FOR_FIPS); ++ return NULL; ++ } ++#endif ++ } + + if (pmeth == NULL) { + #ifndef OPENSSL_NO_ENGINE diff -up openssl-1.1.1b/crypto/fips/build.info.fips openssl-1.1.1b/crypto/fips/build.info --- openssl-1.1.1b/crypto/fips/build.info.fips 2019-02-28 11:30:06.806745670 +0100 +++ openssl-1.1.1b/crypto/fips/build.info 2019-02-28 11:30:06.806745670 +0100 @@ -1291,7 +1668,7 @@ diff -up openssl-1.1.1b/crypto/fips/build.info.fips openssl-1.1.1b/crypto/fips/b + fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ + fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ + fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \ -+ fips_enc.c fips_md.c fips_dh_selftest.c fips_ers.c ++ fips_dh_selftest.c fips_ers.c + +PROGRAMS_NO_INST=\ + fips_standalone_hmac @@ -2329,7 +2706,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.1b/cry + int rv = 1; + + for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) { -+ cipher = FIPS_get_cipherbynid(t->nid); ++ cipher = EVP_get_cipherbynid(t->nid); + if (!cipher) { + rv = -1; + goto err; @@ -3405,7 +3782,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.1b/crypto/ +{ + const EVP_MD *md; + DRBG_HASH_CTX *hctx = &dctx->d.hash; -+ md = FIPS_get_digestbynid(dctx->type); ++ md = EVP_get_digestbynid(dctx->type); + if (!md) + return -2; + switch (dctx->type) { @@ -7683,203 +8060,10 @@ diff -up openssl-1.1.1b/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.1b/cr +} + +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_enc.c.fips openssl-1.1.1b/crypto/fips/fips_enc.c ---- openssl-1.1.1b/crypto/fips/fips_enc.c.fips 2019-02-28 11:30:06.815745503 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_enc.c 2019-02-28 11:30:06.814745521 +0100 -@@ -0,0 +1,189 @@ -+/* fipe/evp/fips_enc.c */ -+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) -+ * All rights reserved. -+ * -+ * This package is an SSL implementation written -+ * by Eric Young (eay@cryptsoft.com). -+ * The implementation was written so as to conform with Netscapes SSL. -+ * -+ * This library is free for commercial and non-commercial use as long as -+ * the following conditions are aheared to. The following conditions -+ * apply to all code found in this distribution, be it the RC4, RSA, -+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation -+ * included with this distribution is covered by the same copyright terms -+ * except that the holder is Tim Hudson (tjh@cryptsoft.com). -+ * -+ * Copyright remains Eric Young's, and as such any Copyright notices in -+ * the code are not to be removed. -+ * If this package is used in a product, Eric Young should be given attribution -+ * as the author of the parts of the library used. -+ * This can be in the form of a textual message at program startup or -+ * in documentation (online or textual) provided with the package. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. All advertising materials mentioning features or use of this software -+ * must display the following acknowledgement: -+ * "This product includes cryptographic software written by -+ * Eric Young (eay@cryptsoft.com)" -+ * The word 'cryptographic' can be left out if the rouines from the library -+ * being used are not cryptographic related :-). -+ * 4. If you include any Windows specific code (or a derivative thereof) from -+ * the apps directory (application code) you must include an acknowledgement: -+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND -+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -+ * SUCH DAMAGE. -+ * -+ * The licence and distribution terms for any publically available version or -+ * derivative of this code cannot be changed. i.e. this code cannot simply be -+ * copied and put under another distribution licence -+ * [including the GNU Public Licence.] -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+ -+const EVP_CIPHER *FIPS_get_cipherbynid(int nid) -+{ -+ switch (nid) { -+ case NID_aes_128_cbc: -+ return EVP_aes_128_cbc(); -+ -+ case NID_aes_128_ccm: -+ return EVP_aes_128_ccm(); -+ -+ case NID_aes_128_cfb1: -+ return EVP_aes_128_cfb1(); -+ -+ case NID_aes_128_cfb128: -+ return EVP_aes_128_cfb128(); -+ -+ case NID_aes_128_cfb8: -+ return EVP_aes_128_cfb8(); -+ -+ case NID_aes_128_ctr: -+ return EVP_aes_128_ctr(); -+ -+ case NID_aes_128_ecb: -+ return EVP_aes_128_ecb(); -+ -+ case NID_aes_128_gcm: -+ return EVP_aes_128_gcm(); -+ -+ case NID_aes_128_ofb128: -+ return EVP_aes_128_ofb(); -+ -+ case NID_aes_128_xts: -+ return EVP_aes_128_xts(); -+ -+ case NID_aes_192_cbc: -+ return EVP_aes_192_cbc(); -+ -+ case NID_aes_192_ccm: -+ return EVP_aes_192_ccm(); -+ -+ case NID_aes_192_cfb1: -+ return EVP_aes_192_cfb1(); -+ -+ case NID_aes_192_cfb128: -+ return EVP_aes_192_cfb128(); -+ -+ case NID_aes_192_cfb8: -+ return EVP_aes_192_cfb8(); -+ -+ case NID_aes_192_ctr: -+ return EVP_aes_192_ctr(); -+ -+ case NID_aes_192_ecb: -+ return EVP_aes_192_ecb(); -+ -+ case NID_aes_192_gcm: -+ return EVP_aes_192_gcm(); -+ -+ case NID_aes_192_ofb128: -+ return EVP_aes_192_ofb(); -+ -+ case NID_aes_256_cbc: -+ return EVP_aes_256_cbc(); -+ -+ case NID_aes_256_ccm: -+ return EVP_aes_256_ccm(); -+ -+ case NID_aes_256_cfb1: -+ return EVP_aes_256_cfb1(); -+ -+ case NID_aes_256_cfb128: -+ return EVP_aes_256_cfb128(); -+ -+ case NID_aes_256_cfb8: -+ return EVP_aes_256_cfb8(); -+ -+ case NID_aes_256_ctr: -+ return EVP_aes_256_ctr(); -+ -+ case NID_aes_256_ecb: -+ return EVP_aes_256_ecb(); -+ -+ case NID_aes_256_gcm: -+ return EVP_aes_256_gcm(); -+ -+ case NID_aes_256_ofb128: -+ return EVP_aes_256_ofb(); -+ -+ case NID_aes_256_xts: -+ return EVP_aes_256_xts(); -+ -+ case NID_des_ede_ecb: -+ return EVP_des_ede(); -+ -+ case NID_des_ede3_ecb: -+ return EVP_des_ede3(); -+ -+ case NID_des_ede3_cbc: -+ return EVP_des_ede3_cbc(); -+ -+ case NID_des_ede3_cfb1: -+ return EVP_des_ede3_cfb1(); -+ -+ case NID_des_ede3_cfb64: -+ return EVP_des_ede3_cfb64(); -+ -+ case NID_des_ede3_cfb8: -+ return EVP_des_ede3_cfb8(); -+ -+ case NID_des_ede3_ofb64: -+ return EVP_des_ede3_ofb(); -+ -+ case NID_des_ede_cbc: -+ return EVP_des_ede_cbc(); -+ -+ case NID_des_ede_cfb64: -+ return EVP_des_ede_cfb64(); -+ -+ case NID_des_ede_ofb64: -+ return EVP_des_ede_ofb(); -+ -+ default: -+ return NULL; -+ -+ } -+} diff -up openssl-1.1.1b/crypto/fips/fips_err.h.fips openssl-1.1.1b/crypto/fips/fips_err.h ---- openssl-1.1.1b/crypto/fips/fips_err.h.fips 2019-02-28 11:30:06.815745503 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_err.h 2019-02-28 11:30:06.815745503 +0100 -@@ -0,0 +1,196 @@ +--- openssl-1.1.1b/crypto/fips/fips_err.h.fips 2019-05-06 16:08:46.792598211 +0200 ++++ openssl-1.1.1b/crypto/fips/fips_err.h 2019-05-06 16:19:56.403993551 +0200 +@@ -0,0 +1,197 @@ +/* crypto/fips_err.h */ +/* ==================================================================== + * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. @@ -7981,6 +8165,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_err.h.fips openssl-1.1.1b/crypto/fips/f + {ERR_FUNC(FIPS_F_FIPS_RAND_SET_METHOD), "FIPS_rand_set_method"}, + {ERR_FUNC(FIPS_F_FIPS_RAND_STATUS), "FIPS_rand_status"}, + {ERR_FUNC(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN), "fips_rsa_builtin_keygen"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST), "FIPS_selftest"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES), "FIPS_selftest_aes"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_CCM), "FIPS_selftest_aes_ccm"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_GCM), "FIPS_selftest_aes_gcm"}, @@ -8300,158 +8485,10 @@ diff -up openssl-1.1.1b/crypto/fips/fips_locl.h.fips openssl-1.1.1b/crypto/fips/ +} +# endif +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_md.c.fips openssl-1.1.1b/crypto/fips/fips_md.c ---- openssl-1.1.1b/crypto/fips/fips_md.c.fips 2019-02-28 11:30:06.815745503 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_md.c 2019-02-28 11:30:06.815745503 +0100 -@@ -0,0 +1,144 @@ -+/* fips/evp/fips_md.c */ -+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) -+ * All rights reserved. -+ * -+ * This package is an SSL implementation written -+ * by Eric Young (eay@cryptsoft.com). -+ * The implementation was written so as to conform with Netscapes SSL. -+ * -+ * This library is free for commercial and non-commercial use as long as -+ * the following conditions are aheared to. The following conditions -+ * apply to all code found in this distribution, be it the RC4, RSA, -+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation -+ * included with this distribution is covered by the same copyright terms -+ * except that the holder is Tim Hudson (tjh@cryptsoft.com). -+ * -+ * Copyright remains Eric Young's, and as such any Copyright notices in -+ * the code are not to be removed. -+ * If this package is used in a product, Eric Young should be given attribution -+ * as the author of the parts of the library used. -+ * This can be in the form of a textual message at program startup or -+ * in documentation (online or textual) provided with the package. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. All advertising materials mentioning features or use of this software -+ * must display the following acknowledgement: -+ * "This product includes cryptographic software written by -+ * Eric Young (eay@cryptsoft.com)" -+ * The word 'cryptographic' can be left out if the rouines from the library -+ * being used are not cryptographic related :-). -+ * 4. If you include any Windows specific code (or a derivative thereof) from -+ * the apps directory (application code) you must include an acknowledgement: -+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND -+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -+ * SUCH DAMAGE. -+ * -+ * The licence and distribution terms for any publically available version or -+ * derivative of this code cannot be changed. i.e. this code cannot simply be -+ * copied and put under another distribution licence -+ * [including the GNU Public Licence.] -+ */ -+/* ==================================================================== -+ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * ==================================================================== -+ * -+ * This product includes cryptographic software written by Eric Young -+ * (eay@cryptsoft.com). This product includes software written by Tim -+ * Hudson (tjh@cryptsoft.com). -+ * -+ */ -+ -+/* Minimal standalone FIPS versions of Digest operations */ -+ -+#define OPENSSL_FIPSAPI -+ -+#include -+#include -+#include -+#include -+#include -+#include -+ -+const EVP_MD *FIPS_get_digestbynid(int nid) -+{ -+ switch (nid) { -+ case NID_sha1: -+ return EVP_sha1(); -+ -+ case NID_sha224: -+ return EVP_sha224(); -+ -+ case NID_sha256: -+ return EVP_sha256(); -+ -+ case NID_sha384: -+ return EVP_sha384(); -+ -+ case NID_sha512: -+ return EVP_sha512(); -+ -+ default: -+ return NULL; -+ } -+} diff -up openssl-1.1.1b/crypto/fips/fips_post.c.fips openssl-1.1.1b/crypto/fips/fips_post.c ---- openssl-1.1.1b/crypto/fips/fips_post.c.fips 2019-02-28 11:30:06.816745484 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_post.c 2019-02-28 11:30:06.816745484 +0100 -@@ -0,0 +1,222 @@ +--- openssl-1.1.1b/crypto/fips/fips_post.c.fips 2019-05-06 16:08:46.794598177 +0200 ++++ openssl-1.1.1b/crypto/fips/fips_post.c 2019-05-06 16:08:46.794598177 +0200 +@@ -0,0 +1,224 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * @@ -8533,6 +8570,8 @@ diff -up openssl-1.1.1b/crypto/fips/fips_post.c.fips openssl-1.1.1b/crypto/fips/ + rv = 0; + if (!FIPS_selftest_sha2()) + rv = 0; ++ if (!FIPS_selftest_sha3()) ++ rv = 0; + if (!FIPS_selftest_hmac()) + rv = 0; + if (!FIPS_selftest_cmac()) @@ -9462,9 +9501,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1b/cryp + +#endif /* def OPENSSL_FIPS */ diff -up openssl-1.1.1b/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_sha_selftest.c ---- openssl-1.1.1b/crypto/fips/fips_sha_selftest.c.fips 2019-02-28 11:30:06.817745466 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_sha_selftest.c 2019-02-28 11:30:06.816745484 +0100 -@@ -0,0 +1,138 @@ +--- openssl-1.1.1b/crypto/fips/fips_sha_selftest.c.fips 2019-05-06 16:08:46.795598159 +0200 ++++ openssl-1.1.1b/crypto/fips/fips_sha_selftest.c 2019-05-06 17:35:40.211316880 +0200 +@@ -0,0 +1,223 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. + * @@ -9602,6 +9641,91 @@ diff -up openssl-1.1.1b/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.1b/cryp + return 1; +} + ++static const unsigned char msg_sha3_256[] = { ++ 0xa1, 0xd7, 0xce, 0x51, 0x04, 0xeb, 0x25, 0xd6, ++ 0x13, 0x1b, 0xb8, 0xf6, 0x6e, 0x1f, 0xb1, 0x3f, ++ 0x35, 0x23 ++}; ++ ++static const unsigned char dig_sha3_256[] = { ++ 0xee, 0x90, 0x62, 0xf3, 0x97, 0x20, 0xb8, 0x21, ++ 0xb8, 0x8b, 0xe5, 0xe6, 0x46, 0x21, 0xd7, 0xe0, ++ 0xca, 0x02, 0x6a, 0x9f, 0xe7, 0x24, 0x8d, 0x78, ++ 0x15, 0x0b, 0x14, 0xbd, 0xba, 0xa4, 0x0b, 0xed ++}; ++ ++static const unsigned char msg_sha3_512[] = { ++ 0x13, 0x3b, 0x49, 0x7b, 0x00, 0x93, 0x27, 0x73, ++ 0xa5, 0x3b, 0xa9, 0xbf, 0x8e, 0x61, 0xd5, 0x9f, ++ 0x05, 0xf4 ++}; ++ ++static const unsigned char dig_sha3_512[] = { ++ 0x78, 0x39, 0x64, 0xa1, 0xcf, 0x41, 0xd6, 0xd2, ++ 0x10, 0xa8, 0xd7, 0xc8, 0x1c, 0xe6, 0x97, 0x0a, ++ 0xa6, 0x2c, 0x90, 0x53, 0xcb, 0x89, 0xe1, 0x5f, ++ 0x88, 0x05, 0x39, 0x57, 0xec, 0xf6, 0x07, 0xf4, ++ 0x2a, 0xf0, 0x88, 0x04, 0xe7, 0x6f, 0x2f, 0xbd, ++ 0xbb, 0x31, 0x80, 0x9c, 0x9e, 0xef, 0xc6, 0x0e, ++ 0x23, 0x3d, 0x66, 0x24, 0x36, 0x7a, 0x3b, 0x9c, ++ 0x30, 0xf8, 0xee, 0x5f, 0x65, 0xbe, 0x56, 0xac ++}; ++ ++static const unsigned char msg_shake_128[] = { ++ 0x43, 0xbd, 0xb1, 0x1e, 0xac, 0x71, 0x03, 0x1f, ++ 0x02, 0xa1, 0x1c, 0x15, 0xa1, 0x88, 0x5f, 0xa4, ++ 0x28, 0x98 ++}; ++ ++static const unsigned char dig_shake_128[] = { ++ 0xde, 0x68, 0x02, 0x7d, 0xa1, 0x30, 0x66, 0x3a, ++ 0x73, 0x98, 0x0e, 0x35, 0x25, 0xb8, 0x8c, 0x75 ++}; ++ ++static const unsigned char msg_shake_256[] = { ++ 0x8f, 0x84, 0xa3, 0x7d, 0xbd, 0x44, 0xd0, 0xf6, ++ 0x95, 0x36, 0xc5, 0xf4, 0x44, 0x6b, 0xa3, 0x23, ++ 0x9b, 0xfc ++}; ++ ++static const unsigned char dig_shake_256[] = { ++ 0x05, 0xca, 0x83, 0x5e, 0x0c, 0xdb, 0xfa, 0xf5, ++ 0x95, 0xc6, 0x86, 0x7e, 0x2d, 0x9d, 0xb9, 0x3f, ++ 0xca, 0x9c, 0x8b, 0xc6, 0x65, 0x02, 0x2e, 0xdd, ++ 0x6f, 0xe7, 0xb3, 0xda, 0x5e, 0x07, 0xc4, 0xcf ++}; ++ ++int FIPS_selftest_sha3(void) ++{ ++ unsigned char md[SHA512_DIGEST_LENGTH]; ++ ++ EVP_Digest(msg_sha3_256, sizeof(msg_sha3_256), md, NULL, EVP_sha3_256(), NULL); ++ if (memcmp(dig_sha3_256, md, sizeof(dig_sha3_256))) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } ++ ++ EVP_Digest(msg_sha3_512, sizeof(msg_sha3_512), md, NULL, EVP_sha3_512(), NULL); ++ if (memcmp(dig_sha3_512, md, sizeof(dig_sha3_512))) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } ++ ++ EVP_Digest(msg_shake_128, sizeof(msg_shake_128), md, NULL, EVP_shake128(), NULL); ++ if (memcmp(dig_shake_128, md, sizeof(dig_shake_128))) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } ++ ++ EVP_Digest(msg_shake_256, sizeof(msg_shake_256), md, NULL, EVP_shake256(), NULL); ++ if (memcmp(dig_shake_256, md, sizeof(dig_shake_256))) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } ++ ++ return 1; ++} ++ +#endif diff -up openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c --- openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c.fips 2019-02-28 11:30:06.817745466 +0100 @@ -9751,10 +9875,22 @@ diff -up openssl-1.1.1b/crypto/hmac/hmac.c.fips openssl-1.1.1b/crypto/hmac/hmac. reset = 1; j = EVP_MD_block_size(md); if (!ossl_assert(j <= (int)sizeof(ctx->key))) +diff -up openssl-1.1.1b/crypto/hmac/hm_pmeth.c.fips openssl-1.1.1b/crypto/hmac/hm_pmeth.c +--- openssl-1.1.1b/crypto/hmac/hm_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/crypto/hmac/hm_pmeth.c 2019-05-06 14:56:01.123257022 +0200 +@@ -180,7 +180,7 @@ static int pkey_hmac_ctrl_str(EVP_PKEY_C + + const EVP_PKEY_METHOD hmac_pkey_meth = { + EVP_PKEY_HMAC, +- 0, ++ EVP_PKEY_FLAG_FIPS, + pkey_hmac_init, + pkey_hmac_copy, + pkey_hmac_cleanup, diff -up openssl-1.1.1b/crypto/include/internal/fips_int.h.fips openssl-1.1.1b/crypto/include/internal/fips_int.h --- openssl-1.1.1b/crypto/include/internal/fips_int.h.fips 2019-02-28 11:30:06.817745466 +0100 +++ openssl-1.1.1b/crypto/include/internal/fips_int.h 2019-02-28 11:30:06.817745466 +0100 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,97 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. + * @@ -9849,10 +9985,6 @@ diff -up openssl-1.1.1b/crypto/include/internal/fips_int.h.fips openssl-1.1.1b/c + +void fips_set_selftest_fail(void); + -+const EVP_MD *FIPS_get_digestbynid(int nid); -+ -+const EVP_CIPHER *FIPS_get_cipherbynid(int nid); -+ +void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr); + +#endif @@ -10676,6 +10808,27 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1b/crypto/rsa/rsa if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); return -1; +diff -up openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.fips openssl-1.1.1b/crypto/rsa/rsa_pmeth.c +--- openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.fips 2019-05-06 14:48:26.514174053 +0200 ++++ openssl-1.1.1b/crypto/rsa/rsa_pmeth.c 2019-05-06 14:45:46.732956649 +0200 +@@ -756,7 +756,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX + + const EVP_PKEY_METHOD rsa_pkey_meth = { + EVP_PKEY_RSA, +- EVP_PKEY_FLAG_AUTOARGLEN, ++ EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS, + pkey_rsa_init, + pkey_rsa_copy, + pkey_rsa_cleanup, +@@ -838,7 +838,7 @@ static int pkey_pss_init(EVP_PKEY_CTX *c + + const EVP_PKEY_METHOD rsa_pss_pkey_meth = { + EVP_PKEY_RSA_PSS, +- EVP_PKEY_FLAG_AUTOARGLEN, ++ EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS, + pkey_rsa_init, + pkey_rsa_copy, + pkey_rsa_cleanup, diff -up openssl-1.1.1b/crypto/rsa/rsa_sign.c.fips openssl-1.1.1b/crypto/rsa/rsa_sign.c --- openssl-1.1.1b/crypto/rsa/rsa_sign.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/rsa/rsa_sign.c 2019-02-28 11:30:06.819745428 +0100 @@ -10875,12 +11028,20 @@ diff -up openssl-1.1.1b/include/openssl/dsa.h.fips openssl-1.1.1b/include/openss # if OPENSSL_API_COMPAT < 0x10100000L diff -up openssl-1.1.1b/include/openssl/evperr.h.fips openssl-1.1.1b/include/openssl/evperr.h --- openssl-1.1.1b/include/openssl/evperr.h.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/evperr.h 2019-02-28 11:30:06.821745391 +0100 -@@ -25,6 +25,7 @@ int ERR_load_EVP_strings(void); ++++ openssl-1.1.1b/include/openssl/evperr.h 2019-05-06 16:40:21.324571446 +0200 +@@ -20,11 +20,15 @@ int ERR_load_EVP_strings(void); + * EVP function codes. + */ + # define EVP_F_AESNI_INIT_KEY 165 ++# define EVP_F_AESNI_XTS_INIT_KEY 233 + # define EVP_F_AES_GCM_CTRL 196 + # define EVP_F_AES_INIT_KEY 133 # define EVP_F_AES_OCB_CIPHER 169 # define EVP_F_AES_T4_INIT_KEY 178 ++# define EVP_F_AES_T4_XTS_INIT_KEY 234 # define EVP_F_AES_WRAP_CIPHER 170 -+# define EVP_F_AES_XTS_CIPHER 300 ++# define EVP_F_AES_XTS_CIPHER 229 ++# define EVP_F_AES_XTS_INIT_KEY 235 # define EVP_F_ALG_MODULE_INIT 177 # define EVP_F_ARIA_CCM_INIT_KEY 175 # define EVP_F_ARIA_GCM_CTRL 197 @@ -10900,10 +11061,31 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.fips openssl-1.1.1b/include/ope # define EVP_R_UNKNOWN_CIPHER 160 # define EVP_R_UNKNOWN_DIGEST 161 # define EVP_R_UNKNOWN_OPTION 169 +@@ -190,5 +193,7 @@ int ERR_load_EVP_strings(void); + # define EVP_R_UNSUPPORTED_SALT_TYPE 126 + # define EVP_R_WRAP_MODE_NOT_ALLOWED 170 + # define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109 ++# define EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE 191 ++# define EVP_R_XTS_DUPLICATED_KEYS 192 + + #endif +diff -up openssl-1.1.1b/include/openssl/evp.h.fips openssl-1.1.1b/include/openssl/evp.h +--- openssl-1.1.1b/include/openssl/evp.h.fips 2019-02-26 15:15:30.000000000 +0100 ++++ openssl-1.1.1b/include/openssl/evp.h 2019-05-06 14:54:13.213136281 +0200 +@@ -1319,6 +1319,9 @@ void EVP_PKEY_asn1_set_security_bits(EVP + */ + # define EVP_PKEY_FLAG_SIGCTX_CUSTOM 4 + ++/* Downstream modification, large value to avoid conflict */ ++# define EVP_PKEY_FLAG_FIPS 0x4000 ++ + const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type); + EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags); + void EVP_PKEY_meth_get0_info(int *ppkey_id, int *pflags, diff -up openssl-1.1.1b/include/openssl/fips.h.fips openssl-1.1.1b/include/openssl/fips.h ---- openssl-1.1.1b/include/openssl/fips.h.fips 2019-02-28 11:30:06.821745391 +0100 -+++ openssl-1.1.1b/include/openssl/fips.h 2019-02-28 11:30:06.821745391 +0100 -@@ -0,0 +1,186 @@ +--- openssl-1.1.1b/include/openssl/fips.h.fips 2019-05-06 16:08:46.800598073 +0200 ++++ openssl-1.1.1b/include/openssl/fips.h 2019-05-06 16:43:12.874549821 +0200 +@@ -0,0 +1,187 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. + * @@ -11019,6 +11201,7 @@ diff -up openssl-1.1.1b/include/openssl/fips.h.fips openssl-1.1.1b/include/opens +# define FIPS_F_FIPS_RAND_SET_METHOD 126 +# define FIPS_F_FIPS_RAND_STATUS 127 +# define FIPS_F_FIPS_RSA_BUILTIN_KEYGEN 101 ++# define FIPS_F_FIPS_SELFTEST 150 +# define FIPS_F_FIPS_SELFTEST_AES 110 +# define FIPS_F_FIPS_SELFTEST_AES_CCM 145 +# define FIPS_F_FIPS_SELFTEST_AES_GCM 129 @@ -11550,6 +11733,17 @@ diff -up openssl-1.1.1b/test/dsatest.c.fips openssl-1.1.1b/test/dsatest.c goto end; if (!TEST_int_eq(h, 2)) goto end; +diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt +--- openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.fips 2019-05-06 16:08:46.857597085 +0200 ++++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt 2019-05-06 16:35:37.917563292 +0200 +@@ -1184,6 +1184,7 @@ Key = 0000000000000000000000000000000000 + IV = 00000000000000000000000000000000 + Plaintext = 0000000000000000000000000000000000000000000000000000000000000000 + Ciphertext = 917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e ++Result = KEY_SET_ERROR + + Cipher = aes-128-xts + Key = 1111111111111111111111111111111122222222222222222222222222222222 diff -up openssl-1.1.1b/util/libcrypto.num.fips openssl-1.1.1b/util/libcrypto.num --- openssl-1.1.1b/util/libcrypto.num.fips 2019-02-28 11:30:06.824745335 +0100 +++ openssl-1.1.1b/util/libcrypto.num 2019-02-28 11:33:54.284516991 +0100 diff --git a/openssl.spec b/openssl.spec index 2e3cbdb..1814eed 100644 --- a/openssl.spec +++ b/openssl.spec @@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.1.1b -Release: 7%{?dist} +Release: 8%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -64,6 +64,7 @@ Patch50: openssl-1.1.1-ssh-kdf.patch # Backported fixes including security fixes Patch51: openssl-1.1.1-upstream-sync.patch Patch52: openssl-1.1.1-s390x-update.patch +Patch53: openssl-1.1.1-fips-crng-test.patch License: OpenSSL URL: http://www.openssl.org/ @@ -162,6 +163,7 @@ cp %{SOURCE13} test/ %patch50 -p1 -b .ssh-kdf %patch51 -p1 -b .upstream-sync %patch52 -p1 -b .s390x-update +%patch53 -p1 -b .crng-test %build @@ -448,6 +450,9 @@ export LD_LIBRARY_PATH %ldconfig_scriptlets libs %changelog +* Tue May 7 2019 Tomáš Mráz 1.1.1b-8 +- FIPS compliance fixes + * Mon May 6 2019 Tomáš Mráz 1.1.1b-7 - add S390x chacha20-poly1305 assembler support from master branch