openssl/openssl-1.1.0-fips.patch
Tomas Mraz 1ff978b22e update to upstream version 1.1.0f
SRP and GOST are now allowed; note that GOST support requires
  adding the GOST engine, which is no longer part of openssl
2017-06-02 15:32:15 +02:00


diff -up openssl-1.1.0f/apps/speed.c.fips openssl-1.1.0f/apps/speed.c
--- openssl-1.1.0f/apps/speed.c.fips 2017-06-02 14:14:25.449420942 +0200
+++ openssl-1.1.0f/apps/speed.c 2017-06-02 14:14:25.457421131 +0200
@@ -1448,7 +1448,9 @@ int speed_main(int argc, char **argv)
}
# endif
if (strcmp(*argv, "rsa") == 0) {
- rsa_doit[R_RSA_512] = rsa_doit[R_RSA_1024] =
+ if (!FIPS_mode())
+ rsa_doit[R_RSA_512] = 1;
+ rsa_doit[R_RSA_1024] =
rsa_doit[R_RSA_2048] = rsa_doit[R_RSA_3072] =
rsa_doit[R_RSA_4096] = rsa_doit[R_RSA_7680] =
rsa_doit[R_RSA_15360] = 1;
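Review bot: The new `if (!FIPS_mode())` after the `strcmp(*argv, "rsa")` test guards one unbraced statement that is immediately followed by a multi-line chained assignment, so at a glance the whole chain reads as conditional; the dsa hunk at @@ -1461 has the same shape. Bracing the guarded statement, `if (!FIPS_mode()) { rsa_doit[R_RSA_512] = 1; }`, makes the boundary explicit and is the project-wide convention elsewhere in this patch. speed_main continues outside the hunk.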
@@ -1461,7 +1463,9 @@ int speed_main(int argc, char **argv)
#endif
#ifndef OPENSSL_NO_DSA
if (strcmp(*argv, "dsa") == 0) {
- dsa_doit[R_DSA_512] = dsa_doit[R_DSA_1024] =
+ if (!FIPS_mode())
+ dsa_doit[R_DSA_512] = 1;
+ dsa_doit[R_DSA_1024] =
dsa_doit[R_DSA_2048] = 1;
continue;
}
@@ -1550,15 +1554,21 @@ int speed_main(int argc, char **argv)
/* No parameters; turn on everything. */
if ((argc == 0) && !doit[D_EVP]) {
for (i = 0; i < ALGOR_NUM; i++)
- if (i != D_EVP)
+ if (i != D_EVP &&
+ (!FIPS_mode() || (i != D_WHIRLPOOL &&
+ i != D_MD2 && i != D_MD4 &&
+ i != D_MD5 && i != D_MDC2 &&
+ i != D_RMD160)))
doit[i] = 1;
#ifndef OPENSSL_NO_RSA
for (i = 0; i < RSA_NUM; i++)
- rsa_doit[i] = 1;
+ if (!FIPS_mode() || i != R_RSA_512)
+ rsa_doit[i] = 1;
#endif
#ifndef OPENSSL_NO_DSA
for (i = 0; i < DSA_NUM; i++)
- dsa_doit[i] = 1;
+ if (!FIPS_mode() || i != R_DSA_512)
+ dsa_doit[i] = 1;
#endif
#ifndef OPENSSL_NO_EC
for (i = 0; i < EC_NUM; i++)
@@ -1607,30 +1617,46 @@ int speed_main(int argc, char **argv)
AES_set_encrypt_key(key24, 192, &aes_ks2);
AES_set_encrypt_key(key32, 256, &aes_ks3);
#ifndef OPENSSL_NO_CAMELLIA
- Camellia_set_key(key16, 128, &camellia_ks1);
- Camellia_set_key(ckey24, 192, &camellia_ks2);
- Camellia_set_key(ckey32, 256, &camellia_ks3);
+ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML]) {
+ Camellia_set_key(key16, 128, &camellia_ks1);
+ Camellia_set_key(ckey24, 192, &camellia_ks2);
+ Camellia_set_key(ckey32, 256, &camellia_ks3);
+ }
#endif
#ifndef OPENSSL_NO_IDEA
- IDEA_set_encrypt_key(key16, &idea_ks);
+ if (doit[D_CBC_IDEA]) {
+ IDEA_set_encrypt_key(key16, &idea_ks);
+ }
#endif
#ifndef OPENSSL_NO_SEED
- SEED_set_key(key16, &seed_ks);
+ if (doit[D_CBC_SEED]) {
+ SEED_set_key(key16, &seed_ks);
+ }
#endif
#ifndef OPENSSL_NO_RC4
- RC4_set_key(&rc4_ks, 16, key16);
+ if (doit[D_RC4]) {
+ RC4_set_key(&rc4_ks, 16, key16);
+ }
#endif
#ifndef OPENSSL_NO_RC2
- RC2_set_key(&rc2_ks, 16, key16, 128);
+ if (doit[D_CBC_RC2]) {
+ RC2_set_key(&rc2_ks, 16, key16, 128);
+ }
#endif
#ifndef OPENSSL_NO_RC5
- RC5_32_set_key(&rc5_ks, 16, key16, 12);
+ if (doit[D_CBC_RC5]) {
+ RC5_32_set_key(&rc5_ks, 16, key16, 12);
+ }
#endif
#ifndef OPENSSL_NO_BF
- BF_set_key(&bf_ks, 16, key16);
+ if (doit[D_CBC_BF]) {
+ BF_set_key(&bf_ks, 16, key16);
+ }
#endif
#ifndef OPENSSL_NO_CAST
- CAST_set_key(&cast_ks, 16, key16);
+ if (doit[D_CBC_CAST]) {
+ CAST_set_key(&cast_ks, 16, key16);
+ }
#endif
#ifndef SIGALRM
# ifndef OPENSSL_NO_DES
@@ -1891,6 +1917,7 @@ int speed_main(int argc, char **argv)
for (i = 0; i < loopargs_len; i++) {
loopargs[i].hctx = HMAC_CTX_new();
+ HMAC_CTX_set_flags(loopargs[i].hctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
if (loopargs[i].hctx == NULL) {
BIO_printf(bio_err, "HMAC malloc failure, exiting...");
exit(1);
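Review bot: `HMAC_CTX_set_flags(loopargs[i].hctx, ...)` is inserted between `HMAC_CTX_new()` and the `== NULL` check, so an allocation failure dereferences a null pointer before the "HMAC malloc failure" exit is reached. Move the call below the check: keep `if (loopargs[i].hctx == NULL) { ... exit(1); }` first and then `HMAC_CTX_set_flags(loopargs[i].hctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);`. The enclosing loop and speed_main continue outside the hunk.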
diff -up openssl-1.1.0f/Configure.fips openssl-1.1.0f/Configure
--- openssl-1.1.0f/Configure.fips 2017-06-02 14:14:25.455421083 +0200
+++ openssl-1.1.0f/Configure 2017-06-02 14:14:25.458421154 +0200
@@ -314,7 +314,7 @@ $config{sdirs} = [
"md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2",
"des", "aes", "rc2", "rc4", "rc5", "idea", "bf", "cast", "camellia", "seed", "chacha", "modes",
"bn", "ec", "rsa", "dsa", "dh", "dso", "engine",
- "buffer", "bio", "stack", "lhash", "rand", "err",
+ "buffer", "bio", "stack", "lhash", "rand", "err", "fips",
"evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui",
"cms", "ts", "srp", "cmac", "ct", "async", "kdf"
];
diff -up openssl-1.1.0f/crypto/bn/bn_rand.c.fips openssl-1.1.0f/crypto/bn/bn_rand.c
--- openssl-1.1.0f/crypto/bn/bn_rand.c.fips 2017-05-25 14:46:18.000000000 +0200
+++ openssl-1.1.0f/crypto/bn/bn_rand.c 2017-06-02 14:14:25.458421154 +0200
@@ -39,9 +39,11 @@ static int bnrand(int pseudorand, BIGNUM
goto err;
}
- /* make a random number and set the top and bottom bits */
- time(&tim);
- RAND_add(&tim, sizeof(tim), 0.0);
+ if (!FIPS_mode()) { /* in FIPS mode the RNG is always properly seeded or the module fails */
+ /* make a random number and set the top and bottom bits */
+ time(&tim);
+ RAND_add(&tim, sizeof(tim), 0.0);
+ }
if (RAND_bytes(buf, bytes) <= 0)
goto err;
diff -up openssl-1.1.0f/crypto/dh/dh_err.c.fips openssl-1.1.0f/crypto/dh/dh_err.c
--- openssl-1.1.0f/crypto/dh/dh_err.c.fips 2017-05-25 14:46:18.000000000 +0200
+++ openssl-1.1.0f/crypto/dh/dh_err.c 2017-06-02 14:14:25.458421154 +0200
@@ -25,6 +25,9 @@ static ERR_STRING_DATA DH_str_functs[] =
{ERR_FUNC(DH_F_DH_CMS_DECRYPT), "dh_cms_decrypt"},
{ERR_FUNC(DH_F_DH_CMS_SET_PEERKEY), "dh_cms_set_peerkey"},
{ERR_FUNC(DH_F_DH_CMS_SET_SHARED_INFO), "dh_cms_set_shared_info"},
+ {ERR_FUNC(DH_F_DH_COMPUTE_KEY), "DH_compute_key"},
+ {ERR_FUNC(DH_F_DH_GENERATE_KEY), "DH_generate_key"},
+ {ERR_FUNC(DH_F_DH_GENERATE_PARAMETERS_EX), "DH_generate_parameters_ex"},
{ERR_FUNC(DH_F_DH_METH_DUP), "DH_meth_dup"},
{ERR_FUNC(DH_F_DH_METH_NEW), "DH_meth_new"},
{ERR_FUNC(DH_F_DH_METH_SET1_NAME), "DH_meth_set1_name"},
@@ -49,9 +52,11 @@ static ERR_STRING_DATA DH_str_reasons[]
{ERR_REASON(DH_R_INVALID_PUBKEY), "invalid public key"},
{ERR_REASON(DH_R_KDF_PARAMETER_ERROR), "kdf parameter error"},
{ERR_REASON(DH_R_KEYS_NOT_SET), "keys not set"},
+ {ERR_REASON(DH_R_KEY_SIZE_TOO_SMALL), "key size too small"},
{ERR_REASON(DH_R_MODULUS_TOO_LARGE), "modulus too large"},
{ERR_REASON(DH_R_NO_PARAMETERS_SET), "no parameters set"},
{ERR_REASON(DH_R_NO_PRIVATE_VALUE), "no private value"},
+ {ERR_REASON(DH_R_NON_FIPS_METHOD), "non FIPS method"},
{ERR_REASON(DH_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"},
{ERR_REASON(DH_R_PEER_KEY_ERROR), "peer key error"},
{ERR_REASON(DH_R_SHARED_INFO_ERROR), "shared info error"},
diff -up openssl-1.1.0f/crypto/dh/dh_gen.c.fips openssl-1.1.0f/crypto/dh/dh_gen.c
--- openssl-1.1.0f/crypto/dh/dh_gen.c.fips 2017-05-25 14:46:18.000000000 +0200
+++ openssl-1.1.0f/crypto/dh/dh_gen.c 2017-06-02 14:14:25.458421154 +0200
@@ -16,6 +16,9 @@
#include "internal/cryptlib.h"
#include <openssl/bn.h>
#include "dh_locl.h"
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
BN_GENCB *cb);
@@ -23,6 +26,13 @@ static int dh_builtin_genparams(DH *ret,
int DH_generate_parameters_ex(DH *ret, int prime_len, int generator,
BN_GENCB *cb)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD)
+ && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) {
+ DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD);
+ return 0;
+ }
+#endif
if (ret->meth->generate_params)
return ret->meth->generate_params(ret, prime_len, generator, cb);
return dh_builtin_genparams(ret, prime_len, generator, cb);
@@ -62,6 +72,18 @@ static int dh_builtin_genparams(DH *ret,
int g, ok = -1;
BN_CTX *ctx = NULL;
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED);
+ return 0;
+ }
+
+ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) {
+ DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
+ goto err;
+ }
+#endif
+
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
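Review bot: The two new FIPS guards in dh_builtin_genparams exit differently: the selftest check does `return 0` while the minimum-size check does `goto err` with `ok` still at the -1 set on the hunk's first context line, so the err path, which is outside this hunk, decides what the caller sees. If that path treats -1 as a BN-library failure, as the initializer suggests, the DH_R_KEY_SIZE_TOO_SMALL reason gets a second error pushed on top of it. Since ctx is still NULL here, `return 0;` for both guards, or `ok = 0; goto err;`, keeps the reported reason and one exit style. The function body continues outside the hunk.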
diff -up openssl-1.1.0f/crypto/dh/dh_key.c.fips openssl-1.1.0f/crypto/dh/dh_key.c
--- openssl-1.1.0f/crypto/dh/dh_key.c.fips 2017-05-25 14:46:18.000000000 +0200
+++ openssl-1.1.0f/crypto/dh/dh_key.c 2017-06-02 14:14:25.458421154 +0200
@@ -11,6 +11,9 @@
#include "internal/cryptlib.h"
#include "dh_locl.h"
#include "internal/bn_int.h"
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
static int generate_key(DH *dh);
static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
@@ -22,18 +25,32 @@ static int dh_finish(DH *dh);
int DH_generate_key(DH *dh)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
+ && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) {
+ DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD);
+ return 0;
+ }
+#endif
return dh->meth->generate_key(dh);
}
int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
+ && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) {
+ DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD);
+ return 0;
+ }
+#endif
return dh->meth->compute_key(key, pub_key, dh);
}
int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
{
int rv, pad;
- rv = dh->meth->compute_key(key, pub_key, dh);
+ rv = DH_compute_key(key, pub_key, dh);
if (rv <= 0)
return rv;
pad = BN_num_bytes(dh->p) - rv;
@@ -70,6 +87,14 @@ static int generate_key(DH *dh)
BN_MONT_CTX *mont = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL;
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode()
+ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
+ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
+ return 0;
+ }
+#endif
+
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
@@ -153,6 +178,13 @@ static int compute_key(unsigned char *ke
DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE);
goto err;
}
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode()
+ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
+ DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
+ goto err;
+ }
+#endif
ctx = BN_CTX_new();
if (ctx == NULL)
@@ -204,6 +236,9 @@ static int dh_bn_mod_exp(const DH *dh, B
static int dh_init(DH *dh)
{
+#ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+#endif
dh->flags |= DH_FLAG_CACHE_MONT_P;
return (1);
}
diff -up openssl-1.1.0f/crypto/dsa/dsa_err.c.fips openssl-1.1.0f/crypto/dsa/dsa_err.c
--- openssl-1.1.0f/crypto/dsa/dsa_err.c.fips 2017-05-25 14:46:18.000000000 +0200
+++ openssl-1.1.0f/crypto/dsa/dsa_err.c 2017-06-02 14:14:25.458421154 +0200
@@ -21,10 +21,13 @@
static ERR_STRING_DATA DSA_str_functs[] = {
{ERR_FUNC(DSA_F_DSAPARAMS_PRINT), "DSAparams_print"},
{ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP), "DSAparams_print_fp"},
+ {ERR_FUNC(DSA_F_DSA_BUILTIN_KEYGEN), "dsa_builtin_keygen"},
{ERR_FUNC(DSA_F_DSA_BUILTIN_PARAMGEN), "dsa_builtin_paramgen"},
{ERR_FUNC(DSA_F_DSA_BUILTIN_PARAMGEN2), "dsa_builtin_paramgen2"},
{ERR_FUNC(DSA_F_DSA_DO_SIGN), "DSA_do_sign"},
{ERR_FUNC(DSA_F_DSA_DO_VERIFY), "DSA_do_verify"},
+ {ERR_FUNC(DSA_F_DSA_GENERATE_KEY), "DSA_generate_key"},
+ {ERR_FUNC(DSA_F_DSA_GENERATE_PARAMETERS_EX), "DSA_generate_parameters_ex"},
{ERR_FUNC(DSA_F_DSA_METH_DUP), "DSA_meth_dup"},
{ERR_FUNC(DSA_F_DSA_METH_NEW), "DSA_meth_new"},
{ERR_FUNC(DSA_F_DSA_METH_SET1_NAME), "DSA_meth_set1_name"},
@@ -51,9 +54,12 @@ static ERR_STRING_DATA DSA_str_reasons[]
{ERR_REASON(DSA_R_DECODE_ERROR), "decode error"},
{ERR_REASON(DSA_R_INVALID_DIGEST_TYPE), "invalid digest type"},
{ERR_REASON(DSA_R_INVALID_PARAMETERS), "invalid parameters"},
+ {ERR_REASON(DSA_R_KEY_SIZE_INVALID), "key size invalid"},
+ {ERR_REASON(DSA_R_KEY_SIZE_TOO_SMALL), "key size too small"},
{ERR_REASON(DSA_R_MISSING_PARAMETERS), "missing parameters"},
{ERR_REASON(DSA_R_MODULUS_TOO_LARGE), "modulus too large"},
{ERR_REASON(DSA_R_NO_PARAMETERS_SET), "no parameters set"},
+ {ERR_REASON(DSA_R_NON_FIPS_DSA_METHOD), "non FIPS DSA method"},
{ERR_REASON(DSA_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"},
{ERR_REASON(DSA_R_Q_NOT_PRIME), "q not prime"},
{ERR_REASON(DSA_R_SEED_LEN_SMALL),
diff -up openssl-1.1.0f/crypto/dsa/dsa_gen.c.fips openssl-1.1.0f/crypto/dsa/dsa_gen.c
--- openssl-1.1.0f/crypto/dsa/dsa_gen.c.fips 2017-05-25 14:46:18.000000000 +0200
+++ openssl-1.1.0f/crypto/dsa/dsa_gen.c 2017-06-02 14:14:25.459421178 +0200
@@ -22,12 +22,22 @@
#include <openssl/rand.h>
#include <openssl/sha.h>
#include "dsa_locl.h"
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
int DSA_generate_parameters_ex(DSA *ret, int bits,
const unsigned char *seed_in, int seed_len,
int *counter_ret, unsigned long *h_ret,
BN_GENCB *cb)
{
+# ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD)
+ && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW)) {
+ DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD);
+ return 0;
+ }
+# endif
if (ret->meth->dsa_paramgen)
return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
counter_ret, h_ret, cb);
@@ -35,9 +45,15 @@ int DSA_generate_parameters_ex(DSA *ret,
const EVP_MD *evpmd = bits >= 2048 ? EVP_sha256() : EVP_sha1();
size_t qbits = EVP_MD_size(evpmd) * 8;
+# ifdef OPENSSL_FIPS
+ return dsa_builtin_paramgen2(ret, bits, qbits, evpmd,
+ seed_in, seed_len, -1, NULL, counter_ret,
+ h_ret, cb);
+# else
return dsa_builtin_paramgen(ret, bits, qbits, evpmd,
seed_in, seed_len, NULL, counter_ret,
h_ret, cb);
+# endif
}
}
@@ -303,7 +319,7 @@ int dsa_builtin_paramgen2(DSA *ret, size
int *counter_ret, unsigned long *h_ret,
BN_GENCB *cb)
{
- int ok = -1;
+ int ok = 0;
unsigned char *seed = NULL, *seed_tmp = NULL;
unsigned char md[EVP_MAX_MD_SIZE];
int mdsize;
@@ -320,6 +336,20 @@ int dsa_builtin_paramgen2(DSA *ret, size
if (mctx == NULL)
goto err;
+# ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN2, FIPS_R_FIPS_SELFTEST_FAILED);
+ goto err;
+ }
+
+ if (FIPS_mode() && (L != 1024 || N != 160) &&
+ (L != 2048 || N != 224) && (L != 2048 || N != 256) &&
+ (L != 3072 || N != 256)) {
+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_KEY_SIZE_INVALID);
+ goto err;
+ }
+# endif
+
if (evpmd == NULL) {
if (N == 160)
evpmd = EVP_sha1();
@@ -418,9 +448,10 @@ int dsa_builtin_paramgen2(DSA *ret, size
goto err;
/* Provided seed didn't produce a prime: error */
if (seed_in) {
- ok = 0;
- DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_Q_NOT_PRIME);
- goto err;
+ /* Different seed_out will indicate that seed_in
+ * did not generate primes.
+ */
+ seed_in = NULL;
}
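Review bot: Replacing the DSA_R_Q_NOT_PRIME error with `seed_in = NULL` changes the contract of dsa_builtin_paramgen2: a caller that supplies a seed and expects either the matching parameters or a failure now silently receives parameters derived from a fresh random seed, and the only signal is a differing seed_out, which a caller passing `seed_out == NULL` never sees. That deserves to be stated where the function is documented (its header is outside the hunk) and in the comment here, e.g. `/* seed_in did not yield primes; fall back to a random seed -- callers must compare seed_out to detect this */`. The loop and function continue outside the hunk.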
/* do a callback call */
@@ -506,11 +537,14 @@ int dsa_builtin_paramgen2(DSA *ret, size
if (counter >= (int)(4 * L))
break;
}
+#if 0
+ /* Cannot happen */
if (seed_in) {
ok = 0;
DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS);
goto err;
}
+#endif
}
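Review bot: The `#if 0` around the `if (seed_in)` DSA_R_INVALID_PARAMETERS check leaves dead code in the tree with only `/* Cannot happen */` as justification. If it genuinely cannot be reached after the seed_in reset in the previous hunk, delete the block outright; if it is only believed unreachable, keep the check live so an unexpected state fails loudly rather than silently. The enclosing loop continues outside the hunk.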
end:
if (!BN_GENCB_call(cb, 2, 1))
@@ -581,7 +615,7 @@ int dsa_builtin_paramgen2(DSA *ret, size
BN_free(ret->g);
ret->g = BN_dup(g);
if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {
- ok = -1;
+ ok = 0;
goto err;
}
if (counter_ret != NULL)
@@ -599,3 +633,53 @@ int dsa_builtin_paramgen2(DSA *ret, size
EVP_MD_CTX_free(mctx);
return ok;
}
+
+#ifdef OPENSSL_FIPS
+
+int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
+ const EVP_MD *evpmd, const unsigned char *seed_in,
+ size_t seed_len, int idx, unsigned char *seed_out,
+ int *counter_ret, unsigned long *h_ret,
+ BN_GENCB *cb)
+{
+ return dsa_builtin_paramgen2(ret, L, N, evpmd, seed_in, seed_len,
+ idx, seed_out, counter_ret, h_ret, cb);
+}
+
+int FIPS_dsa_paramgen_check_g(DSA *dsa)
+{
+ BN_CTX *ctx;
+ BIGNUM *tmp;
+ BN_MONT_CTX *mont = NULL;
+ int rv = -1;
+
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ return -1;
+ BN_CTX_start(ctx);
+ if (BN_cmp(dsa->g, BN_value_one()) <= 0)
+ return 0;
+ if (BN_cmp(dsa->g, dsa->p) >= 0)
+ return 0;
+ tmp = BN_CTX_get(ctx);
+ if (tmp == NULL)
+ goto err;
+ if ((mont=BN_MONT_CTX_new()) == NULL)
+ goto err;
+ if (!BN_MONT_CTX_set(mont,dsa->p,ctx))
+ goto err;
+ /* Work out g^q mod p */
+ if (!BN_mod_exp_mont(tmp,dsa->g,dsa->q, dsa->p, ctx, mont))
+ goto err;
+ if (!BN_cmp(tmp, BN_value_one()))
+ rv = 1;
+ else
+ rv = 0;
+ err:
+ BN_CTX_end(ctx);
+ BN_MONT_CTX_free(mont);
+ BN_CTX_free(ctx);
+ return rv;
+}
+
+#endif
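Review bot: In FIPS_dsa_paramgen_check_g the two `return 0;` statements after `BN_CTX_start(ctx)` leave without BN_CTX_end/BN_CTX_free, leaking ctx for every key whose g is out of range. Route them through the existing cleanup instead: `if (BN_cmp(dsa->g, BN_value_one()) <= 0 || BN_cmp(dsa->g, dsa->p) >= 0) { rv = 0; goto err; }`. The -1/0/1 result also deserves a one-line header comment, e.g. `/* 1 if g^q == 1 mod p, 0 if g is out of range or not of order q, -1 on error */`.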
diff -up openssl-1.1.0f/crypto/dsa/dsa_key.c.fips openssl-1.1.0f/crypto/dsa/dsa_key.c
--- openssl-1.1.0f/crypto/dsa/dsa_key.c.fips 2017-05-25 14:46:18.000000000 +0200
+++ openssl-1.1.0f/crypto/dsa/dsa_key.c 2017-06-02 14:14:25.459421178 +0200
@@ -13,10 +13,49 @@
#include <openssl/bn.h>
#include "dsa_locl.h"
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+# include "internal/fips_int.h"
+
+static int fips_check_dsa(DSA *dsa)
+{
+ EVP_PKEY *pk;
+ unsigned char tbs[] = "DSA Pairwise Check Data";
+ int ret = 0;
+
+ if ((pk = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ EVP_PKEY_set1_DSA(pk, dsa);
+
+ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))
+ ret = 1;
+
+ err:
+ if (ret == 0) {
+ FIPSerr(FIPS_F_FIPS_CHECK_DSA, FIPS_R_PAIRWISE_TEST_FAILED);
+ fips_set_selftest_fail();
+ }
+
+ if (pk)
+ EVP_PKEY_free(pk);
+
+ return ret;
+}
+
+#endif
+
static int dsa_builtin_keygen(DSA *dsa);
int DSA_generate_key(DSA *dsa)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
+ && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) {
+ DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD);
+ return 0;
+ }
+#endif
if (dsa->meth->dsa_keygen)
return dsa->meth->dsa_keygen(dsa);
return dsa_builtin_keygen(dsa);
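Review bot: fips_check_dsa ignores the return value of `EVP_PKEY_set1_DSA(pk, dsa)`, so if that call fails the signature test runs on an empty EVP_PKEY, fails, and is escalated through `fips_set_selftest_fail()` as a pairwise-consistency failure of the whole module rather than as an allocation error. Checking the result and returning 0 without the selftest-fail escalation on that path keeps a transient failure from disabling the module; only a genuine test failure should reach `fips_set_selftest_fail()`. The `if (pk)` guard before `EVP_PKEY_free` is redundant, as EVP_PKEY_free accepts NULL. fips_check_ec in the ec_key.c section has the same shape.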
@@ -28,6 +67,14 @@ static int dsa_builtin_keygen(DSA *dsa)
BN_CTX *ctx = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL;
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN)) {
+ DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
+ goto err;
+ }
+#endif
+
if ((ctx = BN_CTX_new()) == NULL)
goto err;
@@ -65,6 +112,13 @@ static int dsa_builtin_keygen(DSA *dsa)
dsa->priv_key = priv_key;
dsa->pub_key = pub_key;
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !fips_check_dsa(dsa)) {
+ dsa->pub_key = NULL;
+ dsa->priv_key = NULL;
+ goto err;
+ }
+#endif
ok = 1;
err:
diff -up openssl-1.1.0f/crypto/dsa/dsa_ossl.c.fips openssl-1.1.0f/crypto/dsa/dsa_ossl.c
--- openssl-1.1.0f/crypto/dsa/dsa_ossl.c.fips 2017-05-25 14:46:18.000000000 +0200
+++ openssl-1.1.0f/crypto/dsa/dsa_ossl.c 2017-06-02 14:14:25.459421178 +0200
@@ -15,6 +15,9 @@
#include <openssl/sha.h>
#include "dsa_locl.h"
#include <openssl/asn1.h>
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
@@ -56,6 +59,19 @@ static DSA_SIG *dsa_do_sign(const unsign
DSA_SIG *ret = NULL;
int rv = 0;
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_DSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED);
+ return NULL;
+ }
+
+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
+ DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
+ return NULL;
+ }
+#endif
+
m = BN_new();
xr = BN_new();
if (m == NULL || xr == NULL)
@@ -239,6 +255,18 @@ static int dsa_do_verify(const unsigned
DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE);
return -1;
}
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_DSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED);
+ return -1;
+ }
+
+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
+ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
+ return -1;
+ }
+#endif
if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE);
@@ -327,6 +355,9 @@ static int dsa_do_verify(const unsigned
static int dsa_init(DSA *dsa)
{
+#ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+#endif
dsa->flags |= DSA_FLAG_CACHE_MONT_P;
return (1);
}
diff -up openssl-1.1.0f/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.0f/crypto/dsa/dsa_pmeth.c
--- openssl-1.1.0f/crypto/dsa/dsa_pmeth.c.fips 2017-05-25 14:46:18.000000000 +0200
+++ openssl-1.1.0f/crypto/dsa/dsa_pmeth.c 2017-06-02 14:14:25.459421178 +0200
@@ -212,8 +212,8 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT
BN_GENCB_free(pcb);
return 0;
}
- ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
- NULL, 0, NULL, NULL, NULL, pcb);
+ ret = dsa_builtin_paramgen2(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
+ NULL, 0, -1, NULL, NULL, NULL, pcb);
BN_GENCB_free(pcb);
if (ret)
EVP_PKEY_assign_DSA(pkey, dsa);
diff -up openssl-1.1.0f/crypto/ec/ecdh_ossl.c.fips openssl-1.1.0f/crypto/ec/ecdh_ossl.c
--- openssl-1.1.0f/crypto/ec/ecdh_ossl.c.fips 2017-05-25 14:46:18.000000000 +0200
+++ openssl-1.1.0f/crypto/ec/ecdh_ossl.c 2017-06-02 14:14:25.459421178 +0200
@@ -33,9 +33,20 @@
#include <openssl/ec.h>
#include "ec_lcl.h"
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
+
int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen,
const EC_POINT *pub_key, const EC_KEY *ecdh)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED);
+ return -1;
+ }
+#endif
+
if (ecdh->group->meth->ecdh_compute_key == NULL) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH);
return 0;
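Review bot: The new selftest guard in ossl_ecdh_compute_key returns -1, while the existing error path two lines below (EC_R_CURVE_DOES_NOT_SUPPORT_ECDH) returns 0, so callers testing `== 0` and callers testing `< 0` see different outcomes for the two failures. Unless -1 is the documented convention for this function (its remaining body is outside the hunk), `return 0;` keeps a single failure value.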
diff -up openssl-1.1.0f/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.0f/crypto/ec/ecdsa_ossl.c
--- openssl-1.1.0f/crypto/ec/ecdsa_ossl.c.fips 2017-05-25 14:46:18.000000000 +0200
+++ openssl-1.1.0f/crypto/ec/ecdsa_ossl.c 2017-06-02 14:14:25.459421178 +0200
@@ -15,6 +15,10 @@
#include <openssl/ec.h>
#include "ec_lcl.h"
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
+
int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
unsigned char *sig, unsigned int *siglen,
const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey)
@@ -203,6 +207,13 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
ECDSA_SIG *ret;
const BIGNUM *priv_key;
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_OSSL_ECDSA_SIGN_SIG, FIPS_R_FIPS_SELFTEST_FAILED);
+ return NULL;
+ }
+#endif
+
group = EC_KEY_get0_group(eckey);
priv_key = EC_KEY_get0_private_key(eckey);
@@ -352,6 +363,13 @@ int ossl_ecdsa_verify_sig(const unsigned
const EC_GROUP *group;
const EC_POINT *pub_key;
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_OSSL_ECDSA_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED);
+ return NULL;
+ }
+#endif
+
/* check input values */
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
(pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
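Review bot: ossl_ecdsa_verify_sig is declared `int` (visible in the hunk header), but the new guard does `return NULL;`, which converts a null pointer to 0, the value meaning "signature invalid", and draws a compiler warning. The parallel dsa_do_verify hunk in dsa_ossl.c returns -1 for a selftest failure, so this should be `return -1;`. The function body continues outside the hunk.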
diff -up openssl-1.1.0f/crypto/ec/ec_key.c.fips openssl-1.1.0f/crypto/ec/ec_key.c
--- openssl-1.1.0f/crypto/ec/ec_key.c.fips 2017-05-25 14:46:18.000000000 +0200
+++ openssl-1.1.0f/crypto/ec/ec_key.c 2017-06-02 14:14:25.459421178 +0200
@@ -177,14 +177,61 @@ int EC_KEY_up_ref(EC_KEY *r)
return ((i > 1) ? 1 : 0);
}
+#ifdef OPENSSL_FIPS
+
+# include <openssl/fips.h>
+# include "internal/fips_int.h"
+
+static int fips_check_ec(EC_KEY *key)
+{
+ EVP_PKEY *pk;
+ unsigned char tbs[] = "ECDSA Pairwise Check Data";
+ int ret = 0;
+
+ if (!EC_KEY_can_sign(key)) /* no test for non-signing keys */
+ return 1;
+
+ if ((pk = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ EVP_PKEY_set1_EC_KEY(pk, key);
+
+ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))
+ ret = 1;
+
+ err:
+ if (ret == 0) {
+ FIPSerr(FIPS_F_FIPS_CHECK_EC, FIPS_R_PAIRWISE_TEST_FAILED);
+ fips_set_selftest_fail();
+ }
+ if (pk)
+ EVP_PKEY_free(pk);
+ return ret;
+}
+
+#endif
+
int EC_KEY_generate_key(EC_KEY *eckey)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(EC_F_EC_KEY_GENERATE_KEY, FIPS_R_FIPS_SELFTEST_FAILED);
+ return 0;
+ }
+#endif
if (eckey == NULL || eckey->group == NULL) {
ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
- if (eckey->meth->keygen != NULL)
- return eckey->meth->keygen(eckey);
+ if (eckey->meth->keygen != NULL) {
+ int rv = eckey->meth->keygen(eckey);
+#ifdef OPENSSL_FIPS
+ if (rv > 0 && FIPS_mode()) {
+ rv = fips_check_ec(eckey);
+ }
+#endif
+ return rv;
+ }
ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED);
return 0;
}
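Review bot: The selftest guard in EC_KEY_generate_key raises `FIPSerr(EC_F_EC_KEY_GENERATE_KEY, ...)`, pairing an EC-library function code with the FIPS error library, so the recorded error resolves to the wrong function name (or none) in error strings; every other selftest guard on this page uses a `FIPS_F_` code. Use a FIPS function code for this function — none is defined on this page, so a labelled placeholder such as `FIPS_F_<EC_KEY_GENERATE_KEY>` until one is added. The `rv > 0 && FIPS_mode()` branch would also benefit from a comment that the keygen result is replaced by the pairwise-test outcome, e.g. `/* FIPS: pairwise consistency test on the fresh key decides the result */`.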
diff -up openssl-1.1.0f/crypto/err/err_all.c.fips openssl-1.1.0f/crypto/err/err_all.c
--- openssl-1.1.0f/crypto/err/err_all.c.fips 2017-05-25 14:46:18.000000000 +0200
+++ openssl-1.1.0f/crypto/err/err_all.c 2017-06-02 14:14:25.460421201 +0200
@@ -43,9 +43,6 @@
int err_load_crypto_strings_int(void)
{
if (
-#ifdef OPENSSL_FIPS
- FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata) == 0 ||
-#endif
#ifndef OPENSSL_NO_ERR
ERR_load_ERR_strings() == 0 || /* include error strings for SYSerr */
ERR_load_BN_strings() == 0 ||
diff -up openssl-1.1.0f/crypto/evp/c_allc.c.fips openssl-1.1.0f/crypto/evp/c_allc.c
--- openssl-1.1.0f/crypto/evp/c_allc.c.fips 2017-05-25 14:46:18.000000000 +0200
+++ openssl-1.1.0f/crypto/evp/c_allc.c 2017-06-02 14:14:25.460421201 +0200
@@ -17,6 +17,9 @@
void openssl_add_all_ciphers_int(void)
{
+#ifdef OPENSSL_FIPS
+ if (!FIPS_mode()) {
+#endif
#ifndef OPENSSL_NO_DES
EVP_add_cipher(EVP_des_cfb());
EVP_add_cipher(EVP_des_cfb1());
@@ -217,4 +220,70 @@ void openssl_add_all_ciphers_int(void)
EVP_add_cipher(EVP_chacha20_poly1305());
# endif
#endif
+#ifdef OPENSSL_FIPS
+ } else {
+# ifndef OPENSSL_NO_DES
+ EVP_add_cipher(EVP_des_ede3_cfb());
+
+ EVP_add_cipher(EVP_des_ede3_ofb());
+
+ EVP_add_cipher(EVP_des_ede3_cbc());
+ EVP_add_cipher_alias(SN_des_ede3_cbc, "DES3");
+ EVP_add_cipher_alias(SN_des_ede3_cbc, "des3");
+
+ EVP_add_cipher(EVP_des_ede3());
+ EVP_add_cipher_alias(SN_des_ede3_ecb, "DES-EDE3-ECB");
+ EVP_add_cipher_alias(SN_des_ede3_ecb, "des-ede3-ecb");
+ EVP_add_cipher(EVP_des_ede3_wrap());
+ EVP_add_cipher_alias(SN_id_smime_alg_CMS3DESwrap, "des3-wrap");
+# endif
+
+# ifndef OPENSSL_NO_AES
+ EVP_add_cipher(EVP_aes_128_ecb());
+ EVP_add_cipher(EVP_aes_128_cbc());
+ EVP_add_cipher(EVP_aes_128_cfb());
+ EVP_add_cipher(EVP_aes_128_cfb1());
+ EVP_add_cipher(EVP_aes_128_cfb8());
+ EVP_add_cipher(EVP_aes_128_ofb());
+ EVP_add_cipher(EVP_aes_128_ctr());
+ EVP_add_cipher(EVP_aes_128_gcm());
+ EVP_add_cipher(EVP_aes_128_xts());
+ EVP_add_cipher(EVP_aes_128_ccm());
+ EVP_add_cipher(EVP_aes_128_wrap());
+ EVP_add_cipher_alias(SN_id_aes128_wrap, "aes128-wrap");
+ EVP_add_cipher(EVP_aes_128_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
+ EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
+ EVP_add_cipher(EVP_aes_192_ecb());
+ EVP_add_cipher(EVP_aes_192_cbc());
+ EVP_add_cipher(EVP_aes_192_cfb());
+ EVP_add_cipher(EVP_aes_192_cfb1());
+ EVP_add_cipher(EVP_aes_192_cfb8());
+ EVP_add_cipher(EVP_aes_192_ofb());
+ EVP_add_cipher(EVP_aes_192_ctr());
+ EVP_add_cipher(EVP_aes_192_gcm());
+ EVP_add_cipher(EVP_aes_192_ccm());
+ EVP_add_cipher(EVP_aes_192_wrap());
+ EVP_add_cipher_alias(SN_id_aes192_wrap, "aes192-wrap");
+ EVP_add_cipher(EVP_aes_192_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
+ EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
+ EVP_add_cipher(EVP_aes_256_ecb());
+ EVP_add_cipher(EVP_aes_256_cbc());
+ EVP_add_cipher(EVP_aes_256_cfb());
+ EVP_add_cipher(EVP_aes_256_cfb1());
+ EVP_add_cipher(EVP_aes_256_cfb8());
+ EVP_add_cipher(EVP_aes_256_ofb());
+ EVP_add_cipher(EVP_aes_256_ctr());
+ EVP_add_cipher(EVP_aes_256_gcm());
+ EVP_add_cipher(EVP_aes_256_xts());
+ EVP_add_cipher(EVP_aes_256_ccm());
+ EVP_add_cipher(EVP_aes_256_wrap());
+ EVP_add_cipher_alias(SN_id_aes256_wrap, "aes256-wrap");
+ EVP_add_cipher(EVP_aes_256_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
+ EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
+# endif
+ }
+#endif
}
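Review bot: The FIPS branch of openssl_add_all_ciphers_int opens `if (!FIPS_mode()) {` inside one `#ifdef OPENSSL_FIPS` and closes it with `} else {` and `}` inside another some 200 lines later, so brace matching depends on preprocessor state and every formatter, folding editor and reviewer has to reason about two configurations at once. Moving the two cipher lists into static helpers (one non-FIPS list, one FIPS list) and keeping a single `if (FIPS_mode()) ... else ...` under `#ifdef` with a plain call otherwise would keep the braces balanced in every configuration. The same structure is in openssl_add_all_digests_int in the c_alld.c section below.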
diff -up openssl-1.1.0f/crypto/evp/c_alld.c.fips openssl-1.1.0f/crypto/evp/c_alld.c
--- openssl-1.1.0f/crypto/evp/c_alld.c.fips 2017-05-25 14:46:18.000000000 +0200
+++ openssl-1.1.0f/crypto/evp/c_alld.c 2017-06-02 14:14:25.460421201 +0200
@@ -16,6 +16,9 @@
void openssl_add_all_digests_int(void)
{
+#ifdef OPENSSL_FIPS
+ if (!FIPS_mode()) {
+#endif
#ifndef OPENSSL_NO_MD4
EVP_add_digest(EVP_md4());
#endif
@@ -46,4 +49,15 @@ void openssl_add_all_digests_int(void)
EVP_add_digest(EVP_blake2b512());
EVP_add_digest(EVP_blake2s256());
#endif
+#ifdef OPENSSL_FIPS
+ } else {
+ EVP_add_digest(EVP_sha1());
+ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
+ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
+ EVP_add_digest(EVP_sha224());
+ EVP_add_digest(EVP_sha256());
+ EVP_add_digest(EVP_sha384());
+ EVP_add_digest(EVP_sha512());
+ }
+#endif
}
diff -up openssl-1.1.0f/crypto/evp/digest.c.fips openssl-1.1.0f/crypto/evp/digest.c
--- openssl-1.1.0f/crypto/evp/digest.c.fips 2017-05-25 14:46:18.000000000 +0200
+++ openssl-1.1.0f/crypto/evp/digest.c 2017-06-02 14:14:25.460421201 +0200
@@ -14,6 +14,9 @@
#include <openssl/engine.h>
#include "internal/evp_int.h"
#include "evp_locl.h"
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
/* This call frees resources associated with the context */
int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
@@ -61,6 +64,12 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons
int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
{
EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_EVP_DIGESTINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED);
+ return 0;
+ }
+#endif
#ifndef OPENSSL_NO_ENGINE
/*
* Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
@@ -114,6 +123,15 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
}
#endif
if (ctx->digest != type) {
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ if (!(type->flags & EVP_MD_FLAG_FIPS)
+ && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
+ EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
+ return 0;
+ }
+ }
+#endif
if (ctx->digest && ctx->digest->ctx_size) {
OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
ctx->md_data = NULL;
@@ -145,6 +163,9 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
{
+#ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+#endif
return ctx->update(ctx, data, count);
}
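Review bot: `FIPS_selftest_check()` in EVP_DigestUpdate is called for its side effect only; if it reports the failed state through its return value, as the explicit `FIPS_selftest_failed()` guards elsewhere in this section do, the update still proceeds on a failed module. Either the call is purely a notifier, which deserves a comment (`/* records a FIPS error if selftests failed; does not block the update */`), or its result should gate the call (`if (!FIPS_selftest_check()) return 0;`) — confirm against the fips.h declaration, which is not on this page. The same unchecked call appears in EVP_DigestFinal_ex below and in dh_init and dsa_init earlier.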
@@ -162,6 +183,9 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx,
{
int ret;
+#ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+#endif
OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
ret = ctx->digest->final(ctx, md);
if (size != NULL)
diff -up openssl-1.1.0f/crypto/evp/e_aes.c.fips openssl-1.1.0f/crypto/evp/e_aes.c
--- openssl-1.1.0f/crypto/evp/e_aes.c.fips 2017-05-25 14:46:18.000000000 +0200
+++ openssl-1.1.0f/crypto/evp/e_aes.c 2017-06-02 14:14:25.460421201 +0200
@@ -1261,9 +1261,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX
return 1;
}
-BLOCK_CIPHER_generic_pack(NID_aes, 128, 0)
- BLOCK_CIPHER_generic_pack(NID_aes, 192, 0)
- BLOCK_CIPHER_generic_pack(NID_aes, 256, 0)
+BLOCK_CIPHER_generic_pack(NID_aes, 128, EVP_CIPH_FLAG_FIPS)
+ BLOCK_CIPHER_generic_pack(NID_aes, 192, EVP_CIPH_FLAG_FIPS)
+ BLOCK_CIPHER_generic_pack(NID_aes, 256, EVP_CIPH_FLAG_FIPS)
static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
{
@@ -1309,6 +1309,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *
case EVP_CTRL_AEAD_SET_IVLEN:
if (arg <= 0)
return 0;
+# ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
+ && arg < 12)
+ return 0;
+# endif
/* Allocate memory for IV if needed */
if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
if (gctx->iv != EVP_CIPHER_CTX_iv_noconst(c))
@@ -1769,11 +1774,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX
| EVP_CIPH_CUSTOM_COPY)
BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
+ CUSTOM_FLAGS)
BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
+ CUSTOM_FLAGS)
BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
+ CUSTOM_FLAGS)
static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
{
@@ -1908,6 +1916,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
return 0;
if (!out || !in || len < AES_BLOCK_SIZE)
return 0;
+# ifdef OPENSSL_FIPS
+ /* Requirement of SP800-38E */
+ if (FIPS_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
+ (len > (1UL << 20) * 16)) {
+ EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
+ return 0;
+ }
+# endif
if (xctx->stream)
(*xctx->stream) (in, out, len,
xctx->xts.key1, xctx->xts.key2,
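Review bot: The data-unit bound `(1UL << 20) * 16` in the new FIPS check is a bare magic expression; a named constant with the unit spelled out, e.g. `#define FIPS_XTS_MAX_DATA_UNIT_BYTES ((size_t)(1UL << 20) * AES_BLOCK_SIZE) /* SP800-38E: at most 2^20 blocks per data unit */`, would make both the limit and its relation to the block size explicit. The comparison is against a single call's `len`, which is correct only because aes_xts_cipher treats each call as one data unit; that assumption belongs in the comment. The FIPS guidance for XTS (IG A.9, if I recall the number correctly) additionally requires the two halves of the XTS key to differ (Key_1 != Key_2); that check would belong in aes_xts_init_key rather than here, and none of the visible hunks add it. aes_xts_cipher starts and ends outside the hunk.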
@@ -1925,8 +1941,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
| EVP_CIPH_CUSTOM_COPY)
-BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS)
- BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS)
+BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS,
+ EVP_CIPH_FLAG_FIPS | XTS_FLAGS)
+ BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS,
+ EVP_CIPH_FLAG_FIPS | XTS_FLAGS)
static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
{
@@ -2189,11 +2207,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX
#define aes_ccm_cleanup NULL
BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
typedef struct {
union {
@@ -2286,7 +2304,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT
return rv ? (int)rv : -1;
}
-#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
+#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_FLAG_FIPS \
| EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
diff -up openssl-1.1.0f/crypto/evp/e_des3.c.fips openssl-1.1.0f/crypto/evp/e_des3.c
--- openssl-1.1.0f/crypto/evp/e_des3.c.fips 2017-05-25 14:46:18.000000000 +0200
+++ openssl-1.1.0f/crypto/evp/e_des3.c 2017-06-02 14:14:25.461421225 +0200
@@ -211,16 +211,19 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY,
# define des_ede3_cbc_cipher des_ede_cbc_cipher
# define des_ede3_ecb_cipher des_ede_ecb_cipher
BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
+ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
+ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, NULL,
+ des3_ctrl)
BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 1,
- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
+ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
+ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL,
+ NULL, des3_ctrl)
BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 8,
- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
+ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
+ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL,
+ NULL, des3_ctrl)
static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
diff -up openssl-1.1.0f/crypto/evp/e_null.c.fips openssl-1.1.0f/crypto/evp/e_null.c
--- openssl-1.1.0f/crypto/evp/e_null.c.fips 2017-05-25 14:46:18.000000000 +0200
+++ openssl-1.1.0f/crypto/evp/e_null.c 2017-06-02 14:14:25.461421225 +0200
@@ -19,7 +19,8 @@ static int null_cipher(EVP_CIPHER_CTX *c
const unsigned char *in, size_t inl);
static const EVP_CIPHER n_cipher = {
NID_undef,
- 1, 0, 0, 0,
+ 1, 0, 0,
+ EVP_CIPH_FLAG_FIPS,
null_init_key,
null_cipher,
NULL,
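Review bot: Flagging the null cipher with `EVP_CIPH_FLAG_FIPS` means `EVP_CipherInit_ex` in FIPS mode will accept `EVP_enc_null()`, which is legitimate because it performs no cryptography, but nothing in the table says so. A short comment on the flags field, e.g. `/* performs no cryptography, so the null cipher is permitted in FIPS mode */`, would stop a later reader from treating this as an oversight.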
diff -up openssl-1.1.0f/crypto/evp/evp_enc.c.fips openssl-1.1.0f/crypto/evp/evp_enc.c
--- openssl-1.1.0f/crypto/evp/evp_enc.c.fips 2017-05-25 14:46:19.000000000 +0200
+++ openssl-1.1.0f/crypto/evp/evp_enc.c 2017-06-02 14:14:25.461421225 +0200
@@ -16,10 +16,19 @@
#include <openssl/engine.h>
#include "internal/evp_int.h"
#include "evp_locl.h"
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c)
{
- if (c == NULL)
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_EVP_CIPHER_CTX_RESET, FIPS_R_FIPS_SELFTEST_FAILED);
+ return 0;
+ }
+#endif
+ if (c == NULL)
return 1;
if (c->cipher != NULL) {
if (c->cipher->cleanup && !c->cipher->cleanup(c))
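Review bot: The new `FIPS_selftest_failed()` bail-out at the top of `EVP_CIPHER_CTX_reset` returns before any teardown, so once a self-test has failed a context that still holds a key schedule in `cipher_data` is never cleaned up or cleansed (the remainder of reset, outside the hunk, is presumably where that happens). Because `EVP_CIPHER_CTX_free` goes through reset, every free in the failed state then leaks the context and leaves key material in memory. Reset only destroys state and performs no cryptography, so the check does not belong here; either drop it or move it after the cleanup so zeroisation still runs, e.g. raise `FIPSerr` but fall through to the `c->cipher->cleanup` path instead of returning 0 immediately.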
@@ -38,6 +47,12 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX
EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_EVP_CIPHER_CTX_NEW, FIPS_R_FIPS_SELFTEST_FAILED);
+ return NULL;
+ }
+#endif
return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX));
}
@@ -65,6 +80,12 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
enc = 1;
ctx->encrypt = enc;
}
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_EVP_CIPHERINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED);
+ return 0;
+ }
+#endif
#ifndef OPENSSL_NO_ENGINE
/*
* Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
@@ -134,7 +155,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
}
ctx->key_len = cipher->key_len;
/* Preserve wrap enable flag, zero everything else */
- ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW;
+ ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW | EVP_CIPH_FLAG_NON_FIPS_ALLOW;
if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) {
if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) {
ctx->cipher = NULL;
@@ -193,6 +214,18 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
return 0;
}
}
+#ifdef OPENSSL_FIPS
+ /* After 'key' is set no further parameters changes are permissible.
+ * So only check for non FIPS enabling at this point.
+ */
+ if (key && FIPS_mode()) {
+ if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS)
+ & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) {
+ EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS);
+ return 0;
+ }
+ }
+#endif
if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
if (!ctx->cipher->init(ctx, key, iv, enc))
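Review bot: The condition `!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS) & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)` joins the two tests with a bitwise `&` where `&&` is intended; it happens to work because both operands are `!` results (0 or 1), but it reads as a typo and loses short-circuiting. Change the second line to `&& !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) {`. The placement after the key-length checks and before `ctx->cipher->init` is right, and the comment explains why only a keyed init is checked; EVP_CipherInit_ex continues outside the hunk.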
diff -up openssl-1.1.0f/crypto/evp/evp_err.c.fips openssl-1.1.0f/crypto/evp/evp_err.c
--- openssl-1.1.0f/crypto/evp/evp_err.c.fips 2017-05-25 14:46:19.000000000 +0200
+++ openssl-1.1.0f/crypto/evp/evp_err.c 2017-06-02 14:14:25.461421225 +0200
@@ -24,6 +24,7 @@ static ERR_STRING_DATA EVP_str_functs[]
{ERR_FUNC(EVP_F_AES_OCB_CIPHER), "aes_ocb_cipher"},
{ERR_FUNC(EVP_F_AES_T4_INIT_KEY), "aes_t4_init_key"},
{ERR_FUNC(EVP_F_AES_WRAP_CIPHER), "aes_wrap_cipher"},
+ {ERR_FUNC(EVP_F_AES_XTS_CIPHER), "aes_xts_cipher"},
{ERR_FUNC(EVP_F_ALG_MODULE_INIT), "alg_module_init"},
{ERR_FUNC(EVP_F_CAMELLIA_INIT_KEY), "camellia_init_key"},
{ERR_FUNC(EVP_F_CHACHA20_POLY1305_CTRL), "chacha20_poly1305_ctrl"},
@@ -109,6 +110,7 @@ static ERR_STRING_DATA EVP_str_reasons[]
{ERR_REASON(EVP_R_DECODE_ERROR), "decode error"},
{ERR_REASON(EVP_R_DIFFERENT_KEY_TYPES), "different key types"},
{ERR_REASON(EVP_R_DIFFERENT_PARAMETERS), "different parameters"},
+ {ERR_REASON(EVP_R_DISABLED_FOR_FIPS), "disabled for FIPS"},
{ERR_REASON(EVP_R_ERROR_LOADING_SECTION), "error loading section"},
{ERR_REASON(EVP_R_ERROR_SETTING_FIPS_MODE), "error setting fips mode"},
{ERR_REASON(EVP_R_EXPECTING_AN_HMAC_KEY), "expecting an hmac key"},
@@ -144,6 +146,7 @@ static ERR_STRING_DATA EVP_str_reasons[]
{ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR), "private key decode error"},
{ERR_REASON(EVP_R_PRIVATE_KEY_ENCODE_ERROR), "private key encode error"},
{ERR_REASON(EVP_R_PUBLIC_KEY_NOT_RSA), "public key not rsa"},
+ {ERR_REASON(EVP_R_TOO_LARGE), "too large"},
{ERR_REASON(EVP_R_UNKNOWN_CIPHER), "unknown cipher"},
{ERR_REASON(EVP_R_UNKNOWN_DIGEST), "unknown digest"},
{ERR_REASON(EVP_R_UNKNOWN_OPTION), "unknown option"},
diff -up openssl-1.1.0f/crypto/evp/evp_lib.c.fips openssl-1.1.0f/crypto/evp/evp_lib.c
--- openssl-1.1.0f/crypto/evp/evp_lib.c.fips 2017-05-25 14:46:19.000000000 +0200
+++ openssl-1.1.0f/crypto/evp/evp_lib.c 2017-06-02 14:14:25.461421225 +0200
@@ -180,6 +180,9 @@ int EVP_CIPHER_impl_ctx_size(const EVP_C
int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, unsigned int inl)
{
+#ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+#endif
return ctx->cipher->do_cipher(ctx, out, in, inl);
}
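Review bot: `EVP_Cipher` now calls `FIPS_selftest_check()`, but the visible evp_lib.c patch consists of this single hunk and adds no `#include <openssl/fips.h>`, unlike the evp_enc.c hunk which does; unless the declaration reaches this file through another header, the call will be an implicit declaration. If it is indirectly included, a comment at the call site such as `/* aborts via OpenSSLDie if a FIPS self-test has failed */` would also document that this is a fatal check, not an error return like the ones in evp_enc.c.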
diff -up openssl-1.1.0f/crypto/evp/m_sha1.c.fips openssl-1.1.0f/crypto/evp/m_sha1.c
--- openssl-1.1.0f/crypto/evp/m_sha1.c.fips 2017-05-25 14:46:19.000000000 +0200
+++ openssl-1.1.0f/crypto/evp/m_sha1.c 2017-06-02 14:14:25.461421225 +0200
@@ -94,7 +94,7 @@ static const EVP_MD sha1_md = {
NID_sha1,
NID_sha1WithRSAEncryption,
SHA_DIGEST_LENGTH,
- EVP_MD_FLAG_DIGALGID_ABSENT,
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
init,
update,
final,
@@ -139,7 +139,7 @@ static const EVP_MD sha224_md = {
NID_sha224,
NID_sha224WithRSAEncryption,
SHA224_DIGEST_LENGTH,
- EVP_MD_FLAG_DIGALGID_ABSENT,
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
init224,
update256,
final256,
@@ -158,7 +158,7 @@ static const EVP_MD sha256_md = {
NID_sha256,
NID_sha256WithRSAEncryption,
SHA256_DIGEST_LENGTH,
- EVP_MD_FLAG_DIGALGID_ABSENT,
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
init256,
update256,
final256,
@@ -198,7 +198,7 @@ static const EVP_MD sha384_md = {
NID_sha384,
NID_sha384WithRSAEncryption,
SHA384_DIGEST_LENGTH,
- EVP_MD_FLAG_DIGALGID_ABSENT,
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
init384,
update512,
final512,
@@ -217,7 +217,7 @@ static const EVP_MD sha512_md = {
NID_sha512,
NID_sha512WithRSAEncryption,
SHA512_DIGEST_LENGTH,
- EVP_MD_FLAG_DIGALGID_ABSENT,
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
init512,
update512,
final512,
diff -up openssl-1.1.0f/crypto/fips/build.info.fips openssl-1.1.0f/crypto/fips/build.info
--- openssl-1.1.0f/crypto/fips/build.info.fips 2017-06-02 14:14:25.461421225 +0200
+++ openssl-1.1.0f/crypto/fips/build.info 2017-06-02 14:14:25.461421225 +0200
@@ -0,0 +1,15 @@
+LIBS=../../libcrypto
+SOURCE[../../libcrypto]=\
+ fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c \
+ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c \
+ fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
+ fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
+ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
+ fips_enc.c fips_md.c fips_dh_selftest.c fips_ers.c
+
+PROGRAMS_NO_INST=\
+ fips_standalone_hmac
+
+SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c
+INCLUDE[fips_standalone_hmac]=../../include
+DEPEND[fips_standalone_hmac]=../../libcrypto
diff -up openssl-1.1.0f/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.0f/crypto/fips/fips_aes_selftest.c
--- openssl-1.1.0f/crypto/fips/fips_aes_selftest.c.fips 2017-06-02 14:14:25.462421248 +0200
+++ openssl-1.1.0f/crypto/fips/fips_aes_selftest.c 2017-06-02 14:14:25.462421248 +0200
@@ -0,0 +1,372 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string.h>
+#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+# include "internal/fips_int.h"
+#endif
+
+#ifdef OPENSSL_FIPS
+static const struct {
+ const unsigned char key[16];
+ const unsigned char plaintext[16];
+ const unsigned char ciphertext[16];
+} tests[] = {
+ {
+ {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F}, {
+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+ 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}, {
+0x69, 0xC4, 0xE0, 0xD8, 0x6A, 0x7B, 0x04, 0x30,
+ 0xD8, 0xCD, 0xB7, 0x80, 0x70, 0xB4, 0xC5, 0x5A},},};
+
+int FIPS_selftest_aes()
+{
+ int n;
+ int ret = 0;
+ EVP_CIPHER_CTX *ctx;
+
+ ctx = EVP_CIPHER_CTX_new();
+ if (ctx == NULL)
+ goto err;
+
+ for (n = 0; n < 1; ++n) {
+ unsigned char key[16];
+
+ memcpy(key, tests[n].key, sizeof(key));
+ if (fips_cipher_test(ctx, EVP_aes_128_ecb(),
+ key, NULL,
+ tests[n].plaintext,
+ tests[n].ciphertext, 16) <= 0)
+ goto err;
+ }
+ ret = 1;
+ err:
+ EVP_CIPHER_CTX_free(ctx);
+ if (ret == 0)
+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES, FIPS_R_SELFTEST_FAILED);
+ return ret;
+}
+
+/* AES-CCM test data from NIST public test vectors */
+
+static const unsigned char ccm_key[] = {
+ 0xce, 0xb0, 0x09, 0xae, 0xa4, 0x45, 0x44, 0x51, 0xfe, 0xad, 0xf0, 0xe6,
+ 0xb3, 0x6f, 0x45, 0x55, 0x5d, 0xd0, 0x47, 0x23, 0xba, 0xa4, 0x48, 0xe8
+};
+
+static const unsigned char ccm_nonce[] = {
+ 0x76, 0x40, 0x43, 0xc4, 0x94, 0x60, 0xb7
+};
+
+static const unsigned char ccm_adata[] = {
+ 0x6e, 0x80, 0xdd, 0x7f, 0x1b, 0xad, 0xf3, 0xa1, 0xc9, 0xab, 0x25, 0xc7,
+ 0x5f, 0x10, 0xbd, 0xe7, 0x8c, 0x23, 0xfa, 0x0e, 0xb8, 0xf9, 0xaa, 0xa5,
+ 0x3a, 0xde, 0xfb, 0xf4, 0xcb, 0xf7, 0x8f, 0xe4
+};
+
+static const unsigned char ccm_pt[] = {
+ 0xc8, 0xd2, 0x75, 0xf9, 0x19, 0xe1, 0x7d, 0x7f, 0xe6, 0x9c, 0x2a, 0x1f,
+ 0x58, 0x93, 0x9d, 0xfe, 0x4d, 0x40, 0x37, 0x91, 0xb5, 0xdf, 0x13, 0x10
+};
+
+static const unsigned char ccm_ct[] = {
+ 0x8a, 0x0f, 0x3d, 0x82, 0x29, 0xe4, 0x8e, 0x74, 0x87, 0xfd, 0x95, 0xa2,
+ 0x8a, 0xd3, 0x92, 0xc8, 0x0b, 0x36, 0x81, 0xd4, 0xfb, 0xc7, 0xbb, 0xfd
+};
+
+static const unsigned char ccm_tag[] = {
+ 0x2d, 0xd6, 0xef, 0x1c, 0x45, 0xd4, 0xcc, 0xb7, 0x23, 0xdc, 0x07, 0x44,
+ 0x14, 0xdb, 0x50, 0x6d
+};
+
+int FIPS_selftest_aes_ccm(void)
+{
+ int ret = 0;
+ unsigned char out[128], tag[16];
+ EVP_CIPHER_CTX *ctx;
+
+ ctx = EVP_CIPHER_CTX_new();
+ if (ctx == NULL)
+ goto err;
+
+ memset(out, 0, sizeof(out));
+ if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 1))
+ goto err;
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN,
+ sizeof(ccm_nonce), NULL))
+ goto err;
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG,
+ sizeof(ccm_tag), NULL))
+ goto err;
+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 1))
+ goto err;
+ if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_pt)) != sizeof(ccm_pt))
+ goto err;
+ if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
+ goto err;
+ if (EVP_Cipher(ctx, out, ccm_pt, sizeof(ccm_pt)) != sizeof(ccm_ct))
+ goto err;
+
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG, 16, tag))
+ goto err;
+ if (memcmp(tag, ccm_tag, sizeof(ccm_tag))
+ || memcmp(out, ccm_ct, sizeof(ccm_ct)))
+ goto err;
+
+ memset(out, 0, sizeof(out));
+
+ if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 0))
+ goto err;
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN,
+ sizeof(ccm_nonce), NULL))
+ goto err;
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, 16, tag))
+ goto err;
+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 0))
+ goto err;
+ if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_ct)) != sizeof(ccm_ct))
+ goto err;
+ if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
+ goto err;
+ if (EVP_Cipher(ctx, out, ccm_ct, sizeof(ccm_ct)) != sizeof(ccm_pt))
+ goto err;
+
+ if (memcmp(out, ccm_pt, sizeof(ccm_pt)))
+ goto err;
+
+ ret = 1;
+
+ err:
+ EVP_CIPHER_CTX_free(ctx);
+
+ if (ret == 0) {
+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_CCM, FIPS_R_SELFTEST_FAILED);
+ return 0;
+ } else
+ return ret;
+
+}
+
+/* AES-GCM test data from NIST public test vectors */
+
+static const unsigned char gcm_key[] = {
+ 0xee, 0xbc, 0x1f, 0x57, 0x48, 0x7f, 0x51, 0x92, 0x1c, 0x04, 0x65, 0x66,
+ 0x5f, 0x8a, 0xe6, 0xd1, 0x65, 0x8b, 0xb2, 0x6d, 0xe6, 0xf8, 0xa0, 0x69,
+ 0xa3, 0x52, 0x02, 0x93, 0xa5, 0x72, 0x07, 0x8f
+};
+
+static const unsigned char gcm_iv[] = {
+ 0x99, 0xaa, 0x3e, 0x68, 0xed, 0x81, 0x73, 0xa0, 0xee, 0xd0, 0x66, 0x84
+};
+
+static const unsigned char gcm_pt[] = {
+ 0xf5, 0x6e, 0x87, 0x05, 0x5b, 0xc3, 0x2d, 0x0e, 0xeb, 0x31, 0xb2, 0xea,
+ 0xcc, 0x2b, 0xf2, 0xa5
+};
+
+static const unsigned char gcm_aad[] = {
+ 0x4d, 0x23, 0xc3, 0xce, 0xc3, 0x34, 0xb4, 0x9b, 0xdb, 0x37, 0x0c, 0x43,
+ 0x7f, 0xec, 0x78, 0xde
+};
+
+static const unsigned char gcm_ct[] = {
+ 0xf7, 0x26, 0x44, 0x13, 0xa8, 0x4c, 0x0e, 0x7c, 0xd5, 0x36, 0x86, 0x7e,
+ 0xb9, 0xf2, 0x17, 0x36
+};
+
+static const unsigned char gcm_tag[] = {
+ 0x67, 0xba, 0x05, 0x10, 0x26, 0x2a, 0xe4, 0x87, 0xd7, 0x37, 0xee, 0x62,
+ 0x98, 0xf7, 0x7e, 0x0c
+};
+
+int FIPS_selftest_aes_gcm(void)
+{
+ int ret = 0;
+ unsigned char out[128], tag[16];
+ EVP_CIPHER_CTX *ctx;
+
+ ctx = EVP_CIPHER_CTX_new();
+ if (ctx == NULL)
+ goto err;
+
+ memset(out, 0, sizeof(out));
+ memset(tag, 0, sizeof(tag));
+ if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 1))
+ goto err;
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN,
+ sizeof(gcm_iv), NULL))
+ goto err;
+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 1))
+ goto err;
+ if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
+ goto err;
+ if (EVP_Cipher(ctx, out, gcm_pt, sizeof(gcm_pt)) != sizeof(gcm_ct))
+ goto err;
+ if (EVP_Cipher(ctx, NULL, NULL, 0) < 0)
+ goto err;
+
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag))
+ goto err;
+
+ if (memcmp(tag, gcm_tag, 16) || memcmp(out, gcm_ct, 16))
+ goto err;
+
+ memset(out, 0, sizeof(out));
+
+ if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 0))
+ goto err;
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN,
+ sizeof(gcm_iv), NULL))
+ goto err;
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, tag))
+ goto err;
+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 0))
+ goto err;
+ if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
+ goto err;
+ if (EVP_Cipher(ctx, out, gcm_ct, sizeof(gcm_ct)) != sizeof(gcm_pt))
+ goto err;
+ if (EVP_Cipher(ctx, NULL, NULL, 0) < 0)
+ goto err;
+
+ if (memcmp(out, gcm_pt, 16))
+ goto err;
+
+ ret = 1;
+
+ err:
+ EVP_CIPHER_CTX_free(ctx);
+
+ if (ret == 0) {
+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_GCM, FIPS_R_SELFTEST_FAILED);
+ return 0;
+ } else
+ return ret;
+
+}
+
+static const unsigned char XTS_128_key[] = {
+ 0xa1, 0xb9, 0x0c, 0xba, 0x3f, 0x06, 0xac, 0x35, 0x3b, 0x2c, 0x34, 0x38,
+ 0x76, 0x08, 0x17, 0x62, 0x09, 0x09, 0x23, 0x02, 0x6e, 0x91, 0x77, 0x18,
+ 0x15, 0xf2, 0x9d, 0xab, 0x01, 0x93, 0x2f, 0x2f
+};
+
+static const unsigned char XTS_128_i[] = {
+ 0x4f, 0xae, 0xf7, 0x11, 0x7c, 0xda, 0x59, 0xc6, 0x6e, 0x4b, 0x92, 0x01,
+ 0x3e, 0x76, 0x8a, 0xd5
+};
+
+static const unsigned char XTS_128_pt[] = {
+ 0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d, 0x6f, 0xb3, 0x50, 0x39,
+ 0x07, 0x90, 0x31, 0x1c
+};
+
+static const unsigned char XTS_128_ct[] = {
+ 0x77, 0x8a, 0xe8, 0xb4, 0x3c, 0xb9, 0x8d, 0x5a, 0x82, 0x50, 0x81, 0xd5,
+ 0xbe, 0x47, 0x1c, 0x63
+};
+
+static const unsigned char XTS_256_key[] = {
+ 0x1e, 0xa6, 0x61, 0xc5, 0x8d, 0x94, 0x3a, 0x0e, 0x48, 0x01, 0xe4, 0x2f,
+ 0x4b, 0x09, 0x47, 0x14, 0x9e, 0x7f, 0x9f, 0x8e, 0x3e, 0x68, 0xd0, 0xc7,
+ 0x50, 0x52, 0x10, 0xbd, 0x31, 0x1a, 0x0e, 0x7c, 0xd6, 0xe1, 0x3f, 0xfd,
+ 0xf2, 0x41, 0x8d, 0x8d, 0x19, 0x11, 0xc0, 0x04, 0xcd, 0xa5, 0x8d, 0xa3,
+ 0xd6, 0x19, 0xb7, 0xe2, 0xb9, 0x14, 0x1e, 0x58, 0x31, 0x8e, 0xea, 0x39,
+ 0x2c, 0xf4, 0x1b, 0x08
+};
+
+static const unsigned char XTS_256_i[] = {
+ 0xad, 0xf8, 0xd9, 0x26, 0x27, 0x46, 0x4a, 0xd2, 0xf0, 0x42, 0x8e, 0x84,
+ 0xa9, 0xf8, 0x75, 0x64
+};
+
+static const unsigned char XTS_256_pt[] = {
+ 0x2e, 0xed, 0xea, 0x52, 0xcd, 0x82, 0x15, 0xe1, 0xac, 0xc6, 0x47, 0xe8,
+ 0x10, 0xbb, 0xc3, 0x64, 0x2e, 0x87, 0x28, 0x7f, 0x8d, 0x2e, 0x57, 0xe3,
+ 0x6c, 0x0a, 0x24, 0xfb, 0xc1, 0x2a, 0x20, 0x2e
+};
+
+static const unsigned char XTS_256_ct[] = {
+ 0xcb, 0xaa, 0xd0, 0xe2, 0xf6, 0xce, 0xa3, 0xf5, 0x0b, 0x37, 0xf9, 0x34,
+ 0xd4, 0x6a, 0x9b, 0x13, 0x0b, 0x9d, 0x54, 0xf0, 0x7e, 0x34, 0xf3, 0x6a,
+ 0xf7, 0x93, 0xe8, 0x6f, 0x73, 0xc6, 0xd7, 0xdb
+};
+
+int FIPS_selftest_aes_xts()
+{
+ int ret = 1;
+ EVP_CIPHER_CTX *ctx;
+
+ ctx = EVP_CIPHER_CTX_new();
+ if (ctx == NULL)
+ goto err;
+
+ if (fips_cipher_test(ctx, EVP_aes_128_xts(),
+ XTS_128_key, XTS_128_i, XTS_128_pt, XTS_128_ct,
+ sizeof(XTS_128_pt)) <= 0)
+ ret = 0;
+
+ if (fips_cipher_test(ctx, EVP_aes_256_xts(),
+ XTS_256_key, XTS_256_i, XTS_256_pt, XTS_256_ct,
+ sizeof(XTS_256_pt)) <= 0)
+ ret = 0;
+
+ EVP_CIPHER_CTX_free(ctx);
+
+ err:
+ if (ret == 0)
+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_XTS, FIPS_R_SELFTEST_FAILED);
+ return ret;
+}
+
+#endif
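Review bot: `FIPS_selftest_aes_xts` initialises `ret = 1` and jumps to `err` when `EVP_CIPHER_CTX_new()` fails, so an allocation failure is reported as a passed self-test; the other functions in this file start from `ret = 0`. The minimal fix is `if (ctx == NULL) { ret = 0; goto err; }`, though starting from `ret = 0` and setting it to 1 only after both `fips_cipher_test` calls succeed would match its siblings. Secondary points: `FIPS_selftest_aes` loops with the literal `n < 1` instead of the table size (`OSSL_NELEM(tests)`), and both `FIPS_selftest_aes()` and `FIPS_selftest_aes_xts()` use an empty parameter list where the rest of the file writes `(void)`.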
diff -up openssl-1.1.0f/crypto/fips/fips.c.fips openssl-1.1.0f/crypto/fips/fips.c
--- openssl-1.1.0f/crypto/fips/fips.c.fips 2017-06-02 14:14:25.462421248 +0200
+++ openssl-1.1.0f/crypto/fips/fips.c 2017-06-02 14:14:25.462421248 +0200
@@ -0,0 +1,526 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#define _GNU_SOURCE
+
+#include <openssl/rand.h>
+#include <openssl/fips_rand.h>
+#include <openssl/err.h>
+#include <openssl/bio.h>
+#include <openssl/hmac.h>
+#include <openssl/rsa.h>
+#include <string.h>
+#include <limits.h>
+#include <dlfcn.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include "fips_locl.h"
+
+#ifdef OPENSSL_FIPS
+
+# include <openssl/fips.h>
+# include "internal/thread_once.h"
+
+# ifndef PATH_MAX
+# define PATH_MAX 1024
+# endif
+
+static int fips_selftest_fail = 0;
+static int fips_mode = 0;
+static int fips_started = 0;
+
+static int fips_is_owning_thread(void);
+static int fips_set_owning_thread(void);
+static int fips_clear_owning_thread(void);
+
+static CRYPTO_RWLOCK *fips_lock = NULL;
+static CRYPTO_RWLOCK *fips_owning_lock = NULL;
+static CRYPTO_ONCE fips_lock_init = CRYPTO_ONCE_STATIC_INIT;
+
+DEFINE_RUN_ONCE_STATIC(do_fips_lock_init)
+{
+ fips_lock = CRYPTO_THREAD_lock_new();
+ fips_owning_lock = CRYPTO_THREAD_lock_new();
+ return fips_lock != NULL && fips_owning_lock != NULL;
+}
+
+# define fips_w_lock() CRYPTO_THREAD_write_lock(fips_lock)
+# define fips_w_unlock() CRYPTO_THREAD_unlock(fips_lock)
+# define fips_r_lock() CRYPTO_THREAD_read_lock(fips_lock)
+# define fips_r_unlock() CRYPTO_THREAD_unlock(fips_lock)
+
+static void fips_set_mode(int onoff)
+{
+ int owning_thread = fips_is_owning_thread();
+
+ if (fips_started) {
+ if (!owning_thread)
+ fips_w_lock();
+ fips_mode = onoff;
+ if (!owning_thread)
+ fips_w_unlock();
+ }
+}
+
+int FIPS_module_mode(void)
+{
+ int ret = 0;
+ int owning_thread = fips_is_owning_thread();
+
+ if (fips_started) {
+ if (!owning_thread)
+ fips_r_lock();
+ ret = fips_mode;
+ if (!owning_thread)
+ fips_r_unlock();
+ }
+ return ret;
+}
+
+/* just a compat symbol - return NULL */
+int FIPS_selftest_failed(void)
+{
+ int ret = 0;
+ if (fips_started) {
+ int owning_thread = fips_is_owning_thread();
+
+ if (!owning_thread)
+ fips_r_lock();
+ ret = fips_selftest_fail;
+ if (!owning_thread)
+ fips_r_unlock();
+ }
+ return ret;
+}
+
+/* Selftest failure fatal exit routine. This will be called
+ * during *any* cryptographic operation. It has the minimum
+ * overhead possible to avoid too big a performance hit.
+ */
+
+void FIPS_selftest_check(void)
+{
+ if (fips_selftest_fail) {
+ OpenSSLDie(__FILE__, __LINE__, "FATAL FIPS SELFTEST FAILURE");
+ }
+}
+
+void fips_set_selftest_fail(void)
+{
+ fips_selftest_fail = 1;
+}
+
+/* we implement what libfipscheck does ourselves */
+
+static int
+get_library_path(const char *libname, const char *symbolname, char *path,
+ size_t pathlen)
+{
+ Dl_info info;
+ void *dl, *sym;
+ int rv = -1;
+
+ dl = dlopen(libname, RTLD_LAZY);
+ if (dl == NULL) {
+ return -1;
+ }
+
+ sym = dlsym(dl, symbolname);
+
+ if (sym != NULL && dladdr(sym, &info)) {
+ strncpy(path, info.dli_fname, pathlen - 1);
+ path[pathlen - 1] = '\0';
+ rv = 0;
+ }
+
+ dlclose(dl);
+
+ return rv;
+}
+
+static const char conv[] = "0123456789abcdef";
+
+static char *bin2hex(void *buf, size_t len)
+{
+ char *hex, *p;
+ unsigned char *src = buf;
+
+ hex = malloc(len * 2 + 1);
+ if (hex == NULL)
+ return NULL;
+
+ p = hex;
+
+ while (len > 0) {
+ unsigned c;
+
+ c = *src;
+ src++;
+
+ *p = conv[c >> 4];
+ ++p;
+ *p = conv[c & 0x0f];
+ ++p;
+ --len;
+ }
+ *p = '\0';
+ return hex;
+}
+
+# define HMAC_PREFIX "."
+# ifndef HMAC_SUFFIX
+# define HMAC_SUFFIX ".hmac"
+# endif
+# define READ_BUFFER_LENGTH 16384
+
+static char *make_hmac_path(const char *origpath)
+{
+ char *path, *p;
+ const char *fn;
+
+ path =
+ malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
+ if (path == NULL) {
+ return NULL;
+ }
+
+ fn = strrchr(origpath, '/');
+ if (fn == NULL) {
+ fn = origpath;
+ } else {
+ ++fn;
+ }
+
+ strncpy(path, origpath, fn - origpath);
+ p = path + (fn - origpath);
+ p = stpcpy(p, HMAC_PREFIX);
+ p = stpcpy(p, fn);
+ p = stpcpy(p, HMAC_SUFFIX);
+
+ return path;
+}
+
+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
+
+static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
+{
+ FILE *f = NULL;
+ int rv = -1;
+ unsigned char rbuf[READ_BUFFER_LENGTH];
+ size_t len;
+ unsigned int hlen;
+ HMAC_CTX *c;
+
+ c = HMAC_CTX_new();
+ if (c == NULL)
+ return rv;
+
+ f = fopen(path, "r");
+
+ if (f == NULL) {
+ goto end;
+ }
+
+ if (HMAC_Init_ex(c, hmackey, sizeof(hmackey) - 1, EVP_sha256(), NULL) <= 0) {
+ goto end;
+ }
+
+ while ((len = fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
+ if (HMAC_Update(c, rbuf, len) <= 0) {
+ goto end;
+ }
+ }
+
+ len = sizeof(rbuf);
+ /* reuse rbuf for hmac */
+ if (HMAC_Final(c, rbuf, &hlen) <= 0) {
+ goto end;
+ }
+
+ *buf = malloc(hlen);
+ if (*buf == NULL) {
+ goto end;
+ }
+
+ *hmaclen = hlen;
+
+ memcpy(*buf, rbuf, hlen);
+
+ rv = 0;
+ end:
+ HMAC_CTX_free(c);
+
+ if (f)
+ fclose(f);
+
+ return rv;
+}
+
+static int FIPSCHECK_verify(const char *path)
+{
+ int rv = 0;
+ FILE *hf;
+ char *hmacpath, *p;
+ char *hmac = NULL;
+ size_t n;
+
+ hmacpath = make_hmac_path(path);
+ if (hmacpath == NULL)
+ return 0;
+
+ hf = fopen(hmacpath, "r");
+ if (hf == NULL) {
+ free(hmacpath);
+ return 0;
+ }
+
+ if (getline(&hmac, &n, hf) > 0) {
+ void *buf;
+ size_t hmaclen;
+ char *hex;
+
+ if ((p = strchr(hmac, '\n')) != NULL)
+ *p = '\0';
+
+ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
+ rv = -4;
+ goto end;
+ }
+
+ if ((hex = bin2hex(buf, hmaclen)) == NULL) {
+ free(buf);
+ rv = -5;
+ goto end;
+ }
+
+ if (strcmp(hex, hmac) != 0) {
+ rv = -1;
+ }
+ free(buf);
+ free(hex);
+ } else {
+ rv = -1;
+ }
+
+ end:
+ free(hmac);
+ free(hmacpath);
+ fclose(hf);
+
+ if (rv < 0)
+ return 0;
+
+ /* check successful */
+ return 1;
+}
+
+static int verify_checksums(void)
+{
+ int rv;
+ char path[PATH_MAX + 1];
+ char *p;
+
+ /* we need to avoid dlopening libssl, assume both libcrypto and libssl
+ are in the same directory */
+
+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER,
+ "FIPS_mode_set", path, sizeof(path));
+ if (rv < 0)
+ return 0;
+
+ rv = FIPSCHECK_verify(path);
+ if (!rv)
+ return 0;
+
+ /* replace libcrypto with libssl */
+ while ((p = strstr(path, "libcrypto.so")) != NULL) {
+ p = stpcpy(p, "libssl");
+ memmove(p, p + 3, strlen(p + 2));
+ }
+
+ rv = FIPSCHECK_verify(path);
+ if (!rv)
+ return 0;
+ return 1;
+}
+
+# ifndef FIPS_MODULE_PATH
+# define FIPS_MODULE_PATH "/etc/system-fips"
+# endif
+
+int FIPS_module_installed(void)
+{
+ int rv;
+ rv = access(FIPS_MODULE_PATH, F_OK);
+ if (rv < 0 && errno != ENOENT)
+ rv = 0;
+
+ /* Installed == true */
+ return !rv;
+}
+
+int FIPS_module_mode_set(int onoff)
+{
+ int ret = 0;
+
+ if (!RUN_ONCE(&fips_lock_init, do_fips_lock_init))
+ return NULL;
+
+ fips_w_lock();
+ fips_started = 1;
+ fips_set_owning_thread();
+
+ if (onoff) {
+
+ fips_selftest_fail = 0;
+
+ /* Don't go into FIPS mode twice, just so we can do automagic
+ seeding */
+ if (FIPS_module_mode()) {
+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
+ FIPS_R_FIPS_MODE_ALREADY_SET);
+ fips_selftest_fail = 1;
+ ret = 0;
+ goto end;
+ }
+# ifdef OPENSSL_IA32_SSE2
+ {
+ extern unsigned int OPENSSL_ia32cap_P[2];
+ if ((OPENSSL_ia32cap_P[0] & (1 << 25 | 1 << 26)) !=
+ (1 << 25 | 1 << 26)) {
+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
+ FIPS_R_UNSUPPORTED_PLATFORM);
+ fips_selftest_fail = 1;
+ ret = 0;
+ goto end;
+ }
+ }
+# endif
+
+ if (!FIPS_selftest()) {
+ fips_selftest_fail = 1;
+ ret = 0;
+ goto end;
+ }
+
+ if (!verify_checksums()) {
+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
+ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+ fips_selftest_fail = 1;
+ ret = 0;
+ goto end;
+ }
+
+ fips_set_mode(onoff);
+ ret = 1;
+ goto end;
+ }
+ fips_set_mode(0);
+ fips_selftest_fail = 0;
+ ret = 1;
+ end:
+ fips_clear_owning_thread();
+ fips_w_unlock();
+ return ret;
+}
+
+static CRYPTO_THREAD_ID fips_threadid;
+static int fips_thread_set = 0;
+
+static int fips_is_owning_thread(void)
+{
+ int ret = 0;
+
+ if (fips_started) {
+ CRYPTO_THREAD_read_lock(fips_owning_lock);
+ if (fips_thread_set) {
+ CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id();
+ if (CRYPTO_THREAD_compare_id(fips_threadid, cur))
+ ret = 1;
+ }
+ CRYPTO_THREAD_unlock(fips_owning_lock);
+ }
+ return ret;
+}
+
+int fips_set_owning_thread(void)
+{
+ int ret = 0;
+
+ if (fips_started) {
+ CRYPTO_THREAD_write_lock(fips_owning_lock);
+ if (!fips_thread_set) {
+ fips_threadid = CRYPTO_THREAD_get_current_id();
+ ret = 1;
+ fips_thread_set = 1;
+ }
+ CRYPTO_THREAD_unlock(fips_owning_lock);
+ }
+ return ret;
+}
+
+int fips_clear_owning_thread(void)
+{
+ int ret = 0;
+
+ if (fips_started) {
+ CRYPTO_THREAD_write_lock(fips_owning_lock);
+ if (fips_thread_set) {
+ CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id();
+ if (CRYPTO_THREAD_compare_id(fips_threadid, cur))
+ fips_thread_set = 0;
+ }
+ CRYPTO_THREAD_unlock(fips_owning_lock);
+ }
+ return ret;
+}
+
+#endif
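Review bot: `FIPS_module_mode_set` returns `NULL` from an `int` function when `RUN_ONCE(&fips_lock_init, do_fips_lock_init)` fails; this should be `return 0;`, since depending on how NULL is defined the pointer-to-int conversion is at best a warning and an error on newer compilers. Two smaller points in the same file: `fips_set_owning_thread` and `fips_clear_owning_thread` are forward-declared `static` near the top but defined without `static`, and `FIPSCHECK_verify` passes an uninitialised `size_t n` to `getline`, which should be `size_t n = 0;`. The comment above `FIPS_selftest_failed` ("just a compat symbol - return NULL") does not describe the function and should read something like `/* Return non-zero if a POST self-test or the integrity check has failed. */`. Worth documenting on `hmackey` as well: the integrity HMAC key is a fixed public constant, so the `.hmac` comparison in verify_checksums detects accidental corruption of the shared objects rather than deliberate tampering.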
diff -up openssl-1.1.0f/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.0f/crypto/fips/fips_cmac_selftest.c
--- openssl-1.1.0f/crypto/fips/fips_cmac_selftest.c.fips 2017-06-02 14:14:25.462421248 +0200
+++ openssl-1.1.0f/crypto/fips/fips_cmac_selftest.c 2017-06-02 14:14:25.462421248 +0200
@@ -0,0 +1,156 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/fips.h>
+#include "internal/fips_int.h"
+#include <openssl/cmac.h>
+#include "fips_locl.h"
+
+#ifdef OPENSSL_FIPS
+typedef struct {
+ int nid;
+ const unsigned char key[EVP_MAX_KEY_LENGTH];
+ size_t keysize;
+ const unsigned char msg[64];
+ size_t msgsize;
+ const unsigned char mac[32];
+ size_t macsize;
+} CMAC_KAT;
+
+/* from http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf */
+static const CMAC_KAT vector[] = {
+ {NID_aes_128_cbc, /* Count = 32 from CMACGenAES128.txt */
+ {0x77, 0xa7, 0x7f, 0xaf, 0x29, 0x0c, 0x1f, 0xa3,
+ 0x0c, 0x68, 0x3d, 0xf1, 0x6b, 0xa7, 0xa7, 0x7b,}, 128,
+ {0x02, 0x06, 0x83, 0xe1, 0xf0, 0x39, 0x2f, 0x4c,
+ 0xac, 0x54, 0x31, 0x8b, 0x60, 0x29, 0x25, 0x9e,
+ 0x9c, 0x55, 0x3d, 0xbc, 0x4b, 0x6a, 0xd9, 0x98,
+ 0xe6, 0x4d, 0x58, 0xe4, 0xe7, 0xdc, 0x2e, 0x13,}, 256,
+ {0xfb, 0xfe, 0xa4, 0x1b,}, 32},
+ {NID_aes_192_cbc, /* Count = 23 from CMACGenAES192.txt */
+ {0x7b, 0x32, 0x39, 0x13, 0x69, 0xaa, 0x4c, 0xa9,
+ 0x75, 0x58, 0x09, 0x5b, 0xe3, 0xc3, 0xec, 0x86,
+ 0x2b, 0xd0, 0x57, 0xce, 0xf1, 0xe3, 0x2d, 0x62,}, 192,
+ {0x0}, 0,
+ {0xe4, 0xd9, 0x34, 0x0b, 0x03, 0xe6, 0x7d, 0xef,
+ 0xd4, 0x96, 0x9c, 0xc1, 0xed, 0x37, 0x35, 0xe6,}, 128,
+ },
+ {NID_aes_256_cbc, /* Count = 33 from CMACGenAES256.txt */
+ {0x0b, 0x12, 0x2a, 0xc8, 0xf3, 0x4e, 0xd1, 0xfe,
+ 0x08, 0x2a, 0x36, 0x25, 0xd1, 0x57, 0x56, 0x14,
+ 0x54, 0x16, 0x7a, 0xc1, 0x45, 0xa1, 0x0b, 0xbf,
+ 0x77, 0xc6, 0xa7, 0x05, 0x96, 0xd5, 0x74, 0xf1,}, 256,
+ {0x49, 0x8b, 0x53, 0xfd, 0xec, 0x87, 0xed, 0xcb,
+ 0xf0, 0x70, 0x97, 0xdc, 0xcd, 0xe9, 0x3a, 0x08,
+ 0x4b, 0xad, 0x75, 0x01, 0xa2, 0x24, 0xe3, 0x88,
+ 0xdf, 0x34, 0x9c, 0xe1, 0x89, 0x59, 0xfe, 0x84,
+ 0x85, 0xf8, 0xad, 0x15, 0x37, 0xf0, 0xd8, 0x96,
+ 0xea, 0x73, 0xbe, 0xdc, 0x72, 0x14, 0x71, 0x3f,}, 384,
+ {0xf6, 0x2c, 0x46, 0x32, 0x9b,}, 40,
+ },
+ {NID_des_ede3_cbc, /* Count = 41 from CMACGenTDES3.req */
+ {0x89, 0xbc, 0xd9, 0x52, 0xa8, 0xc8, 0xab, 0x37,
+ 0x1a, 0xf4, 0x8a, 0xc7, 0xd0, 0x70, 0x85, 0xd5,
+ 0xef, 0xf7, 0x02, 0xe6, 0xd6, 0x2c, 0xdc, 0x23,}, 192,
+ {0xfa, 0x62, 0x0c, 0x1b, 0xbe, 0x97, 0x31, 0x9e,
+ 0x9a, 0x0c, 0xf0, 0x49, 0x21, 0x21, 0xf7, 0xa2,
+ 0x0e, 0xb0, 0x8a, 0x6a, 0x70, 0x9d, 0xcb, 0xd0,
+ 0x0a, 0xaf, 0x38, 0xe4, 0xf9, 0x9e, 0x75, 0x4e,}, 256,
+ {0x8f, 0x49, 0xa1, 0xb7, 0xd6, 0xaa, 0x22, 0x58,}, 64,
+ },
+};
+
+int FIPS_selftest_cmac()
+{
+ size_t n, outlen;
+ unsigned char out[32];
+ const EVP_CIPHER *cipher;
+ CMAC_CTX *ctx = CMAC_CTX_new();
+ const CMAC_KAT *t;
+ int rv = 1;
+
+ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) {
+ cipher = FIPS_get_cipherbynid(t->nid);
+ if (!cipher) {
+ rv = -1;
+ goto err;
+ }
+ if (!CMAC_Init(ctx, t->key, t->keysize / 8, cipher, 0)) {
+ rv = -1;
+ goto err;
+ }
+ if (!CMAC_Update(ctx, t->msg, t->msgsize / 8)) {
+ rv = -1;
+ goto err;
+ }
+
+ if (!CMAC_Final(ctx, out, &outlen)) {
+ rv = -1;
+ goto err;
+ }
+
+ if (outlen < t->macsize / 8 || memcmp(out, t->mac, t->macsize / 8)) {
+ rv = 0;
+ }
+ }
+
+ err:
+ CMAC_CTX_free(ctx);
+
+ if (rv == -1) {
+ rv = 0;
+ }
+ if (!rv)
+ FIPSerr(FIPS_F_FIPS_SELFTEST_CMAC, FIPS_R_SELFTEST_FAILED);
+
+ return rv;
+}
+#endif
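Review bot: `CMAC_CTX *ctx = CMAC_CTX_new();` in FIPS_selftest_cmac is never checked, so an allocation failure during the power-on self-test reaches `CMAC_Init(ctx, ...)` with a NULL context instead of reporting FIPS_R_SELFTEST_FAILED. Routing the failure through the existing error path keeps the reporting uniform: `if (ctx == NULL) { rv = -1; goto err; }` placed before the loop, which the `err:` label already handles (rv == -1 is folded to 0 and raises the FIPSerr). The DES self-test in the next file does check its EVP_CIPHER_CTX_new result, so the two self-tests would then match.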
diff -up openssl-1.1.0f/crypto/fips/fips_des_selftest.c.fips openssl-1.1.0f/crypto/fips/fips_des_selftest.c
--- openssl-1.1.0f/crypto/fips/fips_des_selftest.c.fips 2017-06-02 14:14:25.462421248 +0200
+++ openssl-1.1.0f/crypto/fips/fips_des_selftest.c 2017-06-02 14:14:25.462421248 +0200
@@ -0,0 +1,133 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string.h>
+#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+# include "internal/fips_int.h"
+#endif
+#include <openssl/opensslconf.h>
+
+#ifdef OPENSSL_FIPS
+
+static const struct {
+ const unsigned char key[16];
+ const unsigned char plaintext[8];
+ const unsigned char ciphertext[8];
+} tests2[] = {
+ {
+ {
+ 0x7c, 0x4f, 0x6e, 0xf7, 0xa2, 0x04, 0x16, 0xec,
+ 0x0b, 0x6b, 0x7c, 0x9e, 0x5e, 0x19, 0xa7, 0xc4}, {
+ 0x06, 0xa7, 0xd8, 0x79, 0xaa, 0xce, 0x69, 0xef}, {
+ 0x4c, 0x11, 0x17, 0x55, 0xbf, 0xc4, 0x4e, 0xfd}
+ }, {
+ {
+ 0x5d, 0x9e, 0x01, 0xd3, 0x25, 0xc7, 0x3e, 0x34,
+ 0x01, 0x16, 0x7c, 0x85, 0x23, 0xdf, 0xe0, 0x68}, {
+ 0x9c, 0x50, 0x09, 0x0f, 0x5e, 0x7d, 0x69, 0x7e}, {
+ 0xd2, 0x0b, 0x18, 0xdf, 0xd9, 0x0d, 0x9e, 0xff},}
+};
+
+static const struct {
+ const unsigned char key[24];
+ const unsigned char plaintext[8];
+ const unsigned char ciphertext[8];
+} tests3[] = {
+ {
+ {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
+ 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0}, {
+ 0x8f, 0x8f, 0xbf, 0x9b, 0x5d, 0x48, 0xb4, 0x1c}, {
+ 0x59, 0x8c, 0xe5, 0xd3, 0x6c, 0xa2, 0xea, 0x1b},}, {
+ {
+ 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, 0xFE,
+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
+ 0xED, 0x39, 0xD9, 0x50, 0xFA, 0x74, 0xBC, 0xC4}, {
+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}, {
+0x11, 0x25, 0xb0, 0x35, 0xbe, 0xa0, 0x82, 0x86},},};
+
+int FIPS_selftest_des()
+{
+ int n, ret = 0;
+ EVP_CIPHER_CTX *ctx;
+
+ ctx = EVP_CIPHER_CTX_new();
+ if (ctx == NULL)
+ goto err;
+
+ /* Encrypt/decrypt with 2-key 3DES and compare to known answers */
+ for (n = 0; n < 2; ++n) {
+ unsigned char plaintext[8];
+
+ memcpy(plaintext, tests2[n].plaintext, sizeof(plaintext));
+ if (!fips_cipher_test(ctx, EVP_des_ede_ecb(),
+ tests2[n].key, NULL,
+ plaintext, tests2[n].ciphertext, 8))
+ goto err;
+ }
+
+ /* Encrypt/decrypt with 3DES and compare to known answers */
+ for (n = 0; n < 2; ++n) {
+ if (!fips_cipher_test(ctx, EVP_des_ede3_ecb(),
+ tests3[n].key, NULL,
+ tests3[n].plaintext, tests3[n].ciphertext, 8))
+ goto err;
+ }
+ ret = 1;
+ err:
+ EVP_CIPHER_CTX_free(ctx);
+ if (ret == 0)
+ FIPSerr(FIPS_F_FIPS_SELFTEST_DES, FIPS_R_SELFTEST_FAILED);
+
+ return ret;
+}
+#endif
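Review bot: The two loops in FIPS_selftest_des treat the known-answer plaintext differently: the 2-key loop copies `tests2[n].plaintext` into a writable local buffer before calling fips_cipher_test, while the 3-key loop passes `tests3[n].plaintext` (a const array) directly. fips_cipher_test's prototype is not visible here, but one of the two must be off — either the copy is redundant, or the second call silently drops the const qualifier on a read-only table; making both loops use the same calling pattern would settle it. Separately, both loops use the literal `2` as the bound where the tables' sizes would be self-maintaining, as the CMAC self-test does with `n < sizeof(vector) / sizeof(vector[0])`; e.g. `for (n = 0; n < (int)(sizeof(tests2) / sizeof(tests2[0])); ++n)`.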
diff -up openssl-1.1.0f/crypto/fips/fips_dh_selftest.c.fips openssl-1.1.0f/crypto/fips/fips_dh_selftest.c
--- openssl-1.1.0f/crypto/fips/fips_dh_selftest.c.fips 2017-06-02 14:14:25.462421248 +0200
+++ openssl-1.1.0f/crypto/fips/fips_dh_selftest.c 2017-06-02 14:14:25.462421248 +0200
@@ -0,0 +1,180 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 2013 Red Hat, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/dh.h>
+#include <openssl/fips.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+#include "fips_locl.h"
+
+#ifdef OPENSSL_FIPS
+
+static const unsigned char dh_test_2048_p[] = {
+ 0xAE, 0xEC, 0xEE, 0x22, 0xFA, 0x3A, 0xA5, 0x22, 0xC0, 0xDE, 0x0F, 0x09,
+ 0x7E, 0x17, 0xC0, 0x05, 0xF9, 0xF1, 0xE7, 0xC6, 0x87, 0x14, 0x6D, 0x11,
+ 0xE7, 0xAE, 0xED, 0x2F, 0x72, 0x59, 0xC5, 0xA9, 0x9B, 0xB8, 0x02, 0xA5,
+ 0xF3, 0x69, 0x70, 0xD6, 0xDD, 0x90, 0xF9, 0x19, 0x79, 0xBE, 0x60, 0x8F,
+ 0x25, 0x92, 0x30, 0x1C, 0x51, 0x51, 0x38, 0x26, 0x82, 0x25, 0xE6, 0xFC,
+ 0xED, 0x65, 0x96, 0x8F, 0x57, 0xE5, 0x53, 0x8B, 0x38, 0x63, 0xC7, 0xCE,
+ 0xBC, 0x1B, 0x4D, 0x18, 0x2A, 0x5B, 0x04, 0x3F, 0x6A, 0x3C, 0x94, 0x39,
+ 0xAE, 0x36, 0xD6, 0x5E, 0x0F, 0xA2, 0xCC, 0xD0, 0xD4, 0xD5, 0xC6, 0x1E,
+ 0xF6, 0xA0, 0xF5, 0x89, 0x4E, 0xB4, 0x0B, 0xA4, 0xB3, 0x2B, 0x3D, 0xE2,
+ 0x4E, 0xE1, 0x49, 0x25, 0x99, 0x5F, 0x32, 0x16, 0x33, 0x32, 0x1B, 0x7A,
+ 0xA5, 0x5C, 0x6B, 0x34, 0x0D, 0x39, 0x99, 0xDC, 0xF0, 0x76, 0xE5, 0x5A,
+ 0xD4, 0x71, 0x00, 0xED, 0x5A, 0x73, 0xFB, 0xC8, 0x01, 0xAD, 0x99, 0xCF,
+ 0x99, 0x52, 0x7C, 0x9C, 0x64, 0xC6, 0x76, 0x40, 0x57, 0xAF, 0x59, 0xD7,
+ 0x38, 0x0B, 0x40, 0xDE, 0x33, 0x0D, 0xB8, 0x76, 0xEC, 0xA9, 0xD8, 0x73,
+ 0xF8, 0xEF, 0x26, 0x66, 0x06, 0x27, 0xDD, 0x7C, 0xA4, 0x10, 0x9C, 0xA6,
+ 0xAA, 0xF9, 0x53, 0x62, 0x73, 0x1D, 0xBA, 0x1C, 0xF1, 0x67, 0xF4, 0x35,
+ 0xED, 0x6F, 0x37, 0x92, 0xE8, 0x4F, 0x6C, 0xBA, 0x52, 0x6E, 0xA1, 0xED,
+ 0xDA, 0x9F, 0x85, 0x11, 0x82, 0x52, 0x62, 0x08, 0x44, 0xF1, 0x30, 0x03,
+ 0xC3, 0x38, 0x2C, 0x79, 0xBD, 0xD4, 0x43, 0x45, 0xEE, 0x8E, 0x50, 0xFC,
+ 0x29, 0x46, 0x9A, 0xFE, 0x54, 0x1A, 0x19, 0x8F, 0x4B, 0x84, 0x08, 0xDE,
+ 0x20, 0x62, 0x73, 0xCC, 0xDD, 0x7E, 0xF0, 0xEF, 0xA2, 0xFD, 0x86, 0x58,
+ 0x4B, 0xD8, 0x37, 0xEB
+};
+
+static const unsigned char dh_test_2048_g[] = {
+ 0x02
+};
+
+static const unsigned char dh_test_2048_pub_key[] = {
+ 0xA0, 0x39, 0x11, 0x77, 0x9A, 0xC1, 0x30, 0x1F, 0xBE, 0x48, 0xA7, 0xAA,
+ 0xA0, 0x84, 0x54, 0x64, 0xAD, 0x1B, 0x70, 0xFA, 0x13, 0x55, 0x63, 0xD2,
+ 0x1F, 0x62, 0x32, 0x93, 0x8E, 0xC9, 0x3E, 0x09, 0xA7, 0x64, 0xE4, 0x12,
+ 0x6E, 0x1B, 0xF2, 0x92, 0x3B, 0xB9, 0xCB, 0x56, 0xEA, 0x07, 0x88, 0xB5,
+ 0xA6, 0xBC, 0x16, 0x1F, 0x27, 0xFE, 0xD8, 0xAA, 0x40, 0xB2, 0xB0, 0x2D,
+ 0x37, 0x76, 0xA6, 0xA4, 0x82, 0x2C, 0x0E, 0x22, 0x64, 0x9D, 0xCB, 0xD1,
+ 0x00, 0xB7, 0x89, 0x14, 0x72, 0x4E, 0xBE, 0x48, 0x41, 0xF8, 0xB2, 0x51,
+ 0x11, 0x09, 0x4B, 0x22, 0x01, 0x23, 0x39, 0x96, 0xE0, 0x15, 0xD7, 0x9F,
+ 0x60, 0xD1, 0xB7, 0xAE, 0xFE, 0x5F, 0xDB, 0xE7, 0x03, 0x17, 0x97, 0xA6,
+ 0x16, 0x74, 0xBD, 0x53, 0x81, 0x19, 0xC5, 0x47, 0x5E, 0xCE, 0x8D, 0xED,
+ 0x45, 0x5D, 0x3C, 0x00, 0xA0, 0x0A, 0x68, 0x6A, 0xE0, 0x8E, 0x06, 0x46,
+ 0x6F, 0xD7, 0xF9, 0xDF, 0x31, 0x7E, 0x77, 0x44, 0x0D, 0x98, 0xE0, 0xCA,
+ 0x98, 0x09, 0x52, 0x04, 0x90, 0xEA, 0x6D, 0xF4, 0x30, 0x69, 0x8F, 0xB1,
+ 0x9B, 0xC1, 0x43, 0xDB, 0xD5, 0x8D, 0xC8, 0x8E, 0xB6, 0x0B, 0x05, 0xBE,
+ 0x0E, 0xC5, 0x99, 0xC8, 0x6E, 0x4E, 0xF3, 0xCB, 0xC3, 0x5E, 0x9B, 0x53,
+ 0xF7, 0x06, 0x1C, 0x4F, 0xC7, 0xB8, 0x6E, 0x30, 0x18, 0xCA, 0x9B, 0xB9,
+ 0xBC, 0x5F, 0x17, 0x72, 0x29, 0x5A, 0xE5, 0xD9, 0x96, 0xB7, 0x0B, 0xF3,
+ 0x2D, 0x8C, 0xF1, 0xE1, 0x0E, 0x0D, 0x74, 0xD5, 0x9D, 0xF0, 0x06, 0xA9,
+ 0xB4, 0x95, 0x63, 0x76, 0x46, 0x55, 0x48, 0x82, 0x39, 0x90, 0xEF, 0x56,
+ 0x75, 0x34, 0xB8, 0x34, 0xC3, 0x18, 0x6E, 0x1E, 0xAD, 0xE3, 0x48, 0x7E,
+ 0x93, 0x2C, 0x23, 0xE7, 0xF8, 0x90, 0x73, 0xB1, 0x77, 0x80, 0x67, 0xA9,
+ 0x36, 0x9E, 0xDA, 0xD2
+};
+
+static const unsigned char dh_test_2048_priv_key[] = {
+ 0x0C, 0x4B, 0x30, 0x89, 0xD1, 0xB8, 0x62, 0xCB, 0x3C, 0x43, 0x64, 0x91,
+ 0xF0, 0x91, 0x54, 0x70, 0xC5, 0x27, 0x96, 0xE3, 0xAC, 0xBE, 0xE8, 0x00,
+ 0xEC, 0x55, 0xF6, 0xCC
+};
+
+int FIPS_selftest_dh()
+{
+ DH *dh = NULL;
+ int ret = 0;
+ void *pub_key_bin = NULL;
+ int len;
+ BIGNUM *p = NULL, *g = NULL, *priv_key = NULL, *tmp_pub_key = NULL;
+ const BIGNUM *pub_key;
+
+ fips_load_key_component(p, dh_test_2048);
+ fips_load_key_component(g, dh_test_2048);
+ /* note that the private key is much shorter than normally used
+ * but still g ** priv_key > p
+ */
+ fips_load_key_component(priv_key, dh_test_2048);
+ if ((tmp_pub_key = BN_new()) == NULL)
+ goto err;
+
+ dh = DH_new();
+
+ if (dh == NULL)
+ goto err;
+
+ DH_set0_pqg(dh, p, NULL, g);
+ DH_set0_key(dh, tmp_pub_key, priv_key);
+
+ if (DH_generate_key(dh) <= 0)
+ goto err;
+
+ DH_get0_key(dh, &pub_key, NULL);
+
+ if (pub_key == NULL)
+ goto err;
+
+ len = BN_num_bytes(pub_key);
+ if ((pub_key_bin = OPENSSL_malloc(len)) == NULL)
+ goto err;
+ BN_bn2bin(pub_key, pub_key_bin);
+
+ if (len != sizeof(dh_test_2048_pub_key) ||
+ memcmp(pub_key_bin, dh_test_2048_pub_key, len) != 0)
+ goto err;
+
+ ret = 1;
+
+ err:
+ if (dh)
+ DH_free(dh);
+ else {
+ BN_free(p);
+ BN_free(g);
+ BN_free(priv_key);
+ BN_free(tmp_pub_key);
+ }
+
+ OPENSSL_free(pub_key_bin);
+ return ret;
+}
+#endif
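Review bot: The return values of `DH_set0_pqg(dh, p, NULL, g)` and `DH_set0_key(dh, tmp_pub_key, priv_key)` are ignored, and the `err:` path frees the BIGNUMs only when `dh` is NULL; if either setter fails (in 1.1.0 it returns 0 when a required component is NULL, which would presumably require fips_load_key_component to have left a pointer unset — its body is not visible here), ownership has not transferred, `DH_free` does not release them, and they leak while the self-test still proceeds to DH_generate_key with an incomplete key. The robust shape is to check each setter and NULL out the local pointers once ownership has moved, so the cleanup can free every local unconditionally (DH_free and BN_free both accept NULL). Comparing `len` (int) against `sizeof(dh_test_2048_pub_key)` is also a signed/unsigned comparison that -Wsign-compare will flag; `size_t` or a cast on the sizeof would silence it.

```c
    if (!DH_set0_pqg(dh, p, NULL, g))
        goto err;
    p = g = NULL;                  /* owned by dh from here on */
    if (!DH_set0_key(dh, tmp_pub_key, priv_key))
        goto err;
    tmp_pub_key = priv_key = NULL; /* owned by dh from here on */

    /* … unchanged: DH_generate_key, DH_get0_key and the public-key comparison … */

 err:
    DH_free(dh);
    BN_free(p);
    BN_free(g);
    BN_free(priv_key);
    BN_free(tmp_pub_key);
    OPENSSL_free(pub_key_bin);
    return ret;
```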
diff -up openssl-1.1.0f/crypto/fips/fips_drbg_ctr.c.fips openssl-1.1.0f/crypto/fips/fips_drbg_ctr.c
--- openssl-1.1.0f/crypto/fips/fips_drbg_ctr.c.fips 2017-06-02 14:14:25.463421272 +0200
+++ openssl-1.1.0f/crypto/fips/fips_drbg_ctr.c 2017-06-02 14:14:25.463421272 +0200
@@ -0,0 +1,415 @@
+/* fips/rand/fips_drbg_ctr.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/fips.h>
+#include <openssl/fips_rand.h>
+#include "fips_rand_lcl.h"
+
+static void inc_128(DRBG_CTR_CTX * cctx)
+{
+ int i;
+ unsigned char c;
+ unsigned char *p = cctx->V + 15;
+ for (i = 0; i < 16; i++) {
+ c = *p;
+ c++;
+ *p = c;
+ if (c)
+ return;
+ p--;
+ }
+}
+
+static void ctr_XOR(DRBG_CTR_CTX * cctx, const unsigned char *in,
+ size_t inlen)
+{
+ size_t i, n;
+ /* Any zero padding will have no effect on the result as we
+ * are XORing. So just process however much input we have.
+ */
+
+ if (!in || !inlen)
+ return;
+
+ if (inlen < cctx->keylen)
+ n = inlen;
+ else
+ n = cctx->keylen;
+
+ for (i = 0; i < n; i++)
+ cctx->K[i] ^= in[i];
+ if (inlen <= cctx->keylen)
+ return;
+
+ n = inlen - cctx->keylen;
+ /* Should never happen */
+ if (n > 16)
+ n = 16;
+ for (i = 0; i < 16; i++)
+ cctx->V[i] ^= in[i + cctx->keylen];
+}
+
+/* Process a complete block using BCC algorithm of SPP 800-90 10.4.3 */
+
+static void ctr_BCC_block(DRBG_CTR_CTX * cctx, unsigned char *out,
+ const unsigned char *in)
+{
+ int i;
+ for (i = 0; i < 16; i++)
+ out[i] ^= in[i];
+ AES_encrypt(out, out, &cctx->df_ks);
+#if 0
+ fprintf(stderr, "BCC in+out\n");
+ BIO_dump_fp(stderr, in, 16);
+ BIO_dump_fp(stderr, out, 16);
+#endif
+}
+
+/* Handle several BCC operations for as much data as we need for K and X */
+static void ctr_BCC_blocks(DRBG_CTR_CTX * cctx, const unsigned char *in)
+{
+ ctr_BCC_block(cctx, cctx->KX, in);
+ ctr_BCC_block(cctx, cctx->KX + 16, in);
+ if (cctx->keylen != 16)
+ ctr_BCC_block(cctx, cctx->KX + 32, in);
+}
+
+/* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
+ * see 10.4.2 stage 7.
+ */
+static void ctr_BCC_init(DRBG_CTR_CTX * cctx)
+{
+ memset(cctx->KX, 0, 48);
+ memset(cctx->bltmp, 0, 16);
+ ctr_BCC_block(cctx, cctx->KX, cctx->bltmp);
+ cctx->bltmp[3] = 1;
+ ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp);
+ if (cctx->keylen != 16) {
+ cctx->bltmp[3] = 2;
+ ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp);
+ }
+}
+
+/* Process several blocks into BCC algorithm, some possibly partial */
+static void ctr_BCC_update(DRBG_CTR_CTX * cctx,
+ const unsigned char *in, size_t inlen)
+{
+ if (!in || !inlen)
+ return;
+ /* If we have partial block handle it first */
+ if (cctx->bltmp_pos) {
+ size_t left = 16 - cctx->bltmp_pos;
+ /* If we now have a complete block process it */
+ if (inlen >= left) {
+ memcpy(cctx->bltmp + cctx->bltmp_pos, in, left);
+ ctr_BCC_blocks(cctx, cctx->bltmp);
+ cctx->bltmp_pos = 0;
+ inlen -= left;
+ in += left;
+ }
+ }
+ /* Process zero or more complete blocks */
+ while (inlen >= 16) {
+ ctr_BCC_blocks(cctx, in);
+ in += 16;
+ inlen -= 16;
+ }
+ /* Copy any remaining partial block to the temporary buffer */
+ if (inlen > 0) {
+ memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen);
+ cctx->bltmp_pos += inlen;
+ }
+}
+
+static void ctr_BCC_final(DRBG_CTR_CTX * cctx)
+{
+ if (cctx->bltmp_pos) {
+ memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos);
+ ctr_BCC_blocks(cctx, cctx->bltmp);
+ }
+}
+
+static void ctr_df(DRBG_CTR_CTX * cctx,
+ const unsigned char *in1, size_t in1len,
+ const unsigned char *in2, size_t in2len,
+ const unsigned char *in3, size_t in3len)
+{
+ size_t inlen;
+ unsigned char *p = cctx->bltmp;
+ static unsigned char c80 = 0x80;
+
+ ctr_BCC_init(cctx);
+ if (!in1)
+ in1len = 0;
+ if (!in2)
+ in2len = 0;
+ if (!in3)
+ in3len = 0;
+ inlen = in1len + in2len + in3len;
+ /* Initialise L||N in temporary block */
+ *p++ = (inlen >> 24) & 0xff;
+ *p++ = (inlen >> 16) & 0xff;
+ *p++ = (inlen >> 8) & 0xff;
+ *p++ = inlen & 0xff;
+ /* NB keylen is at most 32 bytes */
+ *p++ = 0;
+ *p++ = 0;
+ *p++ = 0;
+ *p = (unsigned char)((cctx->keylen + 16) & 0xff);
+ cctx->bltmp_pos = 8;
+ ctr_BCC_update(cctx, in1, in1len);
+ ctr_BCC_update(cctx, in2, in2len);
+ ctr_BCC_update(cctx, in3, in3len);
+ ctr_BCC_update(cctx, &c80, 1);
+ ctr_BCC_final(cctx);
+ /* Set up key K */
+ AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks);
+ /* X follows key K */
+ AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks);
+ AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks);
+ if (cctx->keylen != 16)
+ AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks);
+#if 0
+ fprintf(stderr, "Output of ctr_df:\n");
+ BIO_dump_fp(stderr, cctx->KX, cctx->keylen + 16);
+#endif
+}
+
+/* NB the no-df Update in SP800-90 specifies a constant input length
+ * of seedlen, however other uses of this algorithm pad the input with
+ * zeroes if necessary and have up to two parameters XORed together,
+ * handle both cases in this function instead.
+ */
+
+static void ctr_Update(DRBG_CTX *dctx,
+ const unsigned char *in1, size_t in1len,
+ const unsigned char *in2, size_t in2len,
+ const unsigned char *nonce, size_t noncelen)
+{
+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
+ /* ks is already setup for correct key */
+ inc_128(cctx);
+ AES_encrypt(cctx->V, cctx->K, &cctx->ks);
+ /* If keylen longer than 128 bits need extra encrypt */
+ if (cctx->keylen != 16) {
+ inc_128(cctx);
+ AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks);
+ }
+ inc_128(cctx);
+ AES_encrypt(cctx->V, cctx->V, &cctx->ks);
+ /* If 192 bit key part of V is on end of K */
+ if (cctx->keylen == 24) {
+ memcpy(cctx->V + 8, cctx->V, 8);
+ memcpy(cctx->V, cctx->K + 24, 8);
+ }
+
+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
+ /* If no input reuse existing derived value */
+ if (in1 || nonce || in2)
+ ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len);
+ /* If this a reuse input in1len != 0 */
+ if (in1len)
+ ctr_XOR(cctx, cctx->KX, dctx->seedlen);
+ } else {
+ ctr_XOR(cctx, in1, in1len);
+ ctr_XOR(cctx, in2, in2len);
+ }
+
+ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
+#if 0
+ fprintf(stderr, "K+V after update is:\n");
+ BIO_dump_fp(stderr, cctx->K, cctx->keylen);
+ BIO_dump_fp(stderr, cctx->V, 16);
+#endif
+}
+
+static int drbg_ctr_instantiate(DRBG_CTX *dctx,
+ const unsigned char *ent, size_t entlen,
+ const unsigned char *nonce, size_t noncelen,
+ const unsigned char *pers, size_t perslen)
+{
+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
+ memset(cctx->K, 0, sizeof(cctx->K));
+ memset(cctx->V, 0, sizeof(cctx->V));
+ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
+ ctr_Update(dctx, ent, entlen, pers, perslen, nonce, noncelen);
+ return 1;
+}
+
+static int drbg_ctr_reseed(DRBG_CTX *dctx,
+ const unsigned char *ent, size_t entlen,
+ const unsigned char *adin, size_t adinlen)
+{
+ ctr_Update(dctx, ent, entlen, adin, adinlen, NULL, 0);
+ return 1;
+}
+
+static int drbg_ctr_generate(DRBG_CTX *dctx,
+ unsigned char *out, size_t outlen,
+ const unsigned char *adin, size_t adinlen)
+{
+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
+ if (adin && adinlen) {
+ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
+ /* This means we reuse derived value */
+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
+ adin = NULL;
+ adinlen = 1;
+ }
+ } else
+ adinlen = 0;
+
+ for (;;) {
+ inc_128(cctx);
+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
+ AES_encrypt(cctx->V, dctx->lb, &cctx->ks);
+ dctx->lb_valid = 1;
+ continue;
+ }
+ if (outlen < 16) {
+ /* Use K as temp space as it will be updated */
+ AES_encrypt(cctx->V, cctx->K, &cctx->ks);
+ if (!fips_drbg_cprng_test(dctx, cctx->K))
+ return 0;
+ memcpy(out, cctx->K, outlen);
+ break;
+ }
+ AES_encrypt(cctx->V, out, &cctx->ks);
+ if (!fips_drbg_cprng_test(dctx, out))
+ return 0;
+ out += 16;
+ outlen -= 16;
+ if (outlen == 0)
+ break;
+ }
+
+ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
+
+ return 1;
+
+}
+
+static int drbg_ctr_uninstantiate(DRBG_CTX *dctx)
+{
+ memset(&dctx->d.ctr, 0, sizeof(DRBG_CTR_CTX));
+ return 1;
+}
+
+int fips_drbg_ctr_init(DRBG_CTX *dctx)
+{
+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
+
+ size_t keylen;
+
+ switch (dctx->type) {
+ case NID_aes_128_ctr:
+ keylen = 16;
+ break;
+
+ case NID_aes_192_ctr:
+ keylen = 24;
+ break;
+
+ case NID_aes_256_ctr:
+ keylen = 32;
+ break;
+
+ default:
+ return -2;
+ }
+
+ dctx->instantiate = drbg_ctr_instantiate;
+ dctx->reseed = drbg_ctr_reseed;
+ dctx->generate = drbg_ctr_generate;
+ dctx->uninstantiate = drbg_ctr_uninstantiate;
+
+ cctx->keylen = keylen;
+ dctx->strength = keylen * 8;
+ dctx->blocklength = 16;
+ dctx->seedlen = keylen + 16;
+
+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
+ /* df initialisation */
+ static unsigned char df_key[32] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
+ };
+ /* Set key schedule for df_key */
+ AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks);
+
+ dctx->min_entropy = cctx->keylen;
+ dctx->max_entropy = DRBG_MAX_LENGTH;
+ dctx->min_nonce = dctx->min_entropy / 2;
+ dctx->max_nonce = DRBG_MAX_LENGTH;
+ dctx->max_pers = DRBG_MAX_LENGTH;
+ dctx->max_adin = DRBG_MAX_LENGTH;
+ } else {
+ dctx->min_entropy = dctx->seedlen;
+ dctx->max_entropy = dctx->seedlen;
+ /* Nonce not used */
+ dctx->min_nonce = 0;
+ dctx->max_nonce = 0;
+ dctx->max_pers = dctx->seedlen;
+ dctx->max_adin = dctx->seedlen;
+ }
+
+ dctx->max_request = 1 << 16;
+ dctx->reseed_interval = 1 << 24;
+
+ return 1;
+}
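Review bot: In ctr_XOR the tail loop ignores the bound it just computed: `n = inlen - cctx->keylen` is clamped to 16, but the loop is `for (i = 0; i < 16; i++) cctx->V[i] ^= in[i + cctx->keylen];`, so any input with `keylen < inlen < keylen + 16` reads past the end of `in`; the loop should be `for (i = 0; i < n; i++)`. In the no-df configuration fips_drbg_ctr_init pins min/max entropy, personalisation and additional input to `seedlen`, so the over-read appears to be masked by caller-side length checks, but the function itself should not depend on that. drbg_ctr_uninstantiate wipes the key and V state with plain `memset(&dctx->d.ctr, 0, sizeof(DRBG_CTR_CTX));`; since this is zeroisation of secret state, `OPENSSL_cleanse(&dctx->d.ctr, sizeof(DRBG_CTR_CTX));` (already available via openssl/crypto.h) is the form the compiler cannot drop. The `#if 0` BIO_dump_fp blocks in ctr_BCC_block, ctr_df and ctr_Update are dead debugging code that would dump DRBG key material to stderr if re-enabled and are better removed than carried in the FIPS sources.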
diff -up openssl-1.1.0f/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.0f/crypto/fips/fips_drbg_hash.c
--- openssl-1.1.0f/crypto/fips/fips_drbg_hash.c.fips 2017-06-02 14:14:25.463421272 +0200
+++ openssl-1.1.0f/crypto/fips/fips_drbg_hash.c 2017-06-02 14:14:25.463421272 +0200
@@ -0,0 +1,361 @@
+/* fips/rand/fips_drbg_hash.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#define OPENSSL_FIPSAPI
+
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/fips.h>
+#include "internal/fips_int.h"
+#include <openssl/fips_rand.h>
+#include "fips_rand_lcl.h"
+
+/* This is Hash_df from SP 800-90 10.4.1 */
+
+static int hash_df(DRBG_CTX *dctx, unsigned char *out,
+ const unsigned char *in1, size_t in1len,
+ const unsigned char *in2, size_t in2len,
+ const unsigned char *in3, size_t in3len,
+ const unsigned char *in4, size_t in4len)
+{
+ EVP_MD_CTX *mctx = dctx->d.hash.mctx;
+ unsigned char *vtmp = dctx->d.hash.vtmp;
+ unsigned char tmp[6];
+ /* Standard only ever needs seedlen bytes which is always less than
+ * maximum permitted so no need to check length.
+ */
+ size_t outlen = dctx->seedlen;
+ tmp[0] = 1;
+ tmp[1] = ((outlen * 8) >> 24) & 0xff;
+ tmp[2] = ((outlen * 8) >> 16) & 0xff;
+ tmp[3] = ((outlen * 8) >> 8) & 0xff;
+ tmp[4] = (outlen * 8) & 0xff;
+ if (!in1) {
+ tmp[5] = (unsigned char)in1len;
+ in1 = tmp + 5;
+ in1len = 1;
+ }
+ for (;;) {
+ if (!FIPS_digestinit(mctx, dctx->d.hash.md))
+ return 0;
+ if (!FIPS_digestupdate(mctx, tmp, 5))
+ return 0;
+ if (in1 && !FIPS_digestupdate(mctx, in1, in1len))
+ return 0;
+ if (in2 && !FIPS_digestupdate(mctx, in2, in2len))
+ return 0;
+ if (in3 && !FIPS_digestupdate(mctx, in3, in3len))
+ return 0;
+ if (in4 && !FIPS_digestupdate(mctx, in4, in4len))
+ return 0;
+ if (outlen < dctx->blocklength) {
+ if (!FIPS_digestfinal(mctx, vtmp, NULL))
+ return 0;
+ memcpy(out, vtmp, outlen);
+ OPENSSL_cleanse(vtmp, dctx->blocklength);
+ return 1;
+ } else if (!FIPS_digestfinal(mctx, out, NULL))
+ return 0;
+
+ outlen -= dctx->blocklength;
+ if (outlen == 0)
+ return 1;
+ tmp[0]++;
+ out += dctx->blocklength;
+ }
+}
+
+/* Add an unsigned buffer to the buf value, storing the result in buf. For
+ * this algorithm the length of input never exceeds the seed length.
+ */
+
+static void ctx_add_buf(DRBG_CTX *dctx, unsigned char *buf,
+ unsigned char *in, size_t inlen)
+{
+ size_t i = inlen;
+ const unsigned char *q;
+ unsigned char c, *p;
+ p = buf + dctx->seedlen;
+ q = in + inlen;
+
+ OPENSSL_assert(i <= dctx->seedlen);
+
+ /* Special case: zero length, just increment buffer */
+ if (i)
+ c = 0;
+ else
+ c = 1;
+
+ while (i) {
+ int r;
+ p--;
+ q--;
+ r = *p + *q + c;
+ /* Carry */
+ if (r > 0xff)
+ c = 1;
+ else
+ c = 0;
+ *p = r & 0xff;
+ i--;
+ }
+
+ i = dctx->seedlen - inlen;
+
+ /* If not adding whole buffer handle final carries */
+ if (c && i) {
+ do {
+ p--;
+ c = *p;
+ c++;
+ *p = c;
+ if (c)
+ return;
+ } while (i--);
+ }
+}
+
+/* Finalise and add hash to V */
+
+static int ctx_add_md(DRBG_CTX *dctx)
+{
+ if (!FIPS_digestfinal(dctx->d.hash.mctx, dctx->d.hash.vtmp, NULL))
+ return 0;
+ ctx_add_buf(dctx, dctx->d.hash.V, dctx->d.hash.vtmp, dctx->blocklength);
+ return 1;
+}
+
+static int hash_gen(DRBG_CTX *dctx, unsigned char *out, size_t outlen)
+{
+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
+ if (outlen == 0)
+ return 1;
+ memcpy(hctx->vtmp, hctx->V, dctx->seedlen);
+ for (;;) {
+ FIPS_digestinit(hctx->mctx, hctx->md);
+ FIPS_digestupdate(hctx->mctx, hctx->vtmp, dctx->seedlen);
+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
+ FIPS_digestfinal(hctx->mctx, dctx->lb, NULL);
+ dctx->lb_valid = 1;
+ } else if (outlen < dctx->blocklength) {
+ FIPS_digestfinal(hctx->mctx, hctx->vtmp, NULL);
+ if (!fips_drbg_cprng_test(dctx, hctx->vtmp))
+ return 0;
+ memcpy(out, hctx->vtmp, outlen);
+ return 1;
+ } else {
+ FIPS_digestfinal(hctx->mctx, out, NULL);
+ if (!fips_drbg_cprng_test(dctx, out))
+ return 0;
+ outlen -= dctx->blocklength;
+ if (outlen == 0)
+ return 1;
+ out += dctx->blocklength;
+ }
+ ctx_add_buf(dctx, hctx->vtmp, NULL, 0);
+ }
+}
+
+static int drbg_hash_instantiate(DRBG_CTX *dctx,
+ const unsigned char *ent, size_t ent_len,
+ const unsigned char *nonce, size_t nonce_len,
+ const unsigned char *pstr, size_t pstr_len)
+{
+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
+ if (!hash_df(dctx, hctx->V,
+ ent, ent_len, nonce, nonce_len, pstr, pstr_len, NULL, 0))
+ return 0;
+ if (!hash_df(dctx, hctx->C,
+ NULL, 0, hctx->V, dctx->seedlen, NULL, 0, NULL, 0))
+ return 0;
+
+#ifdef HASH_DRBG_TRACE
+ fprintf(stderr, "V+C after instantiate:\n");
+ hexprint(stderr, hctx->V, dctx->seedlen);
+ hexprint(stderr, hctx->C, dctx->seedlen);
+#endif
+ return 1;
+}
+
+static int drbg_hash_reseed(DRBG_CTX *dctx,
+ const unsigned char *ent, size_t ent_len,
+ const unsigned char *adin, size_t adin_len)
+{
+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
+ /* V about to be updated so use C as output instead */
+ if (!hash_df(dctx, hctx->C,
+ NULL, 1, hctx->V, dctx->seedlen,
+ ent, ent_len, adin, adin_len))
+ return 0;
+ memcpy(hctx->V, hctx->C, dctx->seedlen);
+ if (!hash_df(dctx, hctx->C, NULL, 0,
+ hctx->V, dctx->seedlen, NULL, 0, NULL, 0))
+ return 0;
+#ifdef HASH_DRBG_TRACE
+ fprintf(stderr, "V+C after reseed:\n");
+ hexprint(stderr, hctx->V, dctx->seedlen);
+ hexprint(stderr, hctx->C, dctx->seedlen);
+#endif
+ return 1;
+}
+
+static int drbg_hash_generate(DRBG_CTX *dctx,
+ unsigned char *out, size_t outlen,
+ const unsigned char *adin, size_t adin_len)
+{
+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
+ EVP_MD_CTX *mctx = hctx->mctx;
+ unsigned char tmp[4];
+ if (adin && adin_len) {
+ tmp[0] = 2;
+ if (!FIPS_digestinit(mctx, hctx->md))
+ return 0;
+ if (!EVP_DigestUpdate(mctx, tmp, 1))
+ return 0;
+ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
+ return 0;
+ if (!EVP_DigestUpdate(mctx, adin, adin_len))
+ return 0;
+ if (!ctx_add_md(dctx))
+ return 0;
+ }
+ if (!hash_gen(dctx, out, outlen))
+ return 0;
+
+ tmp[0] = 3;
+ if (!FIPS_digestinit(mctx, hctx->md))
+ return 0;
+ if (!EVP_DigestUpdate(mctx, tmp, 1))
+ return 0;
+ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
+ return 0;
+
+ if (!ctx_add_md(dctx))
+ return 0;
+
+ ctx_add_buf(dctx, hctx->V, hctx->C, dctx->seedlen);
+
+ tmp[0] = (dctx->reseed_counter >> 24) & 0xff;
+ tmp[1] = (dctx->reseed_counter >> 16) & 0xff;
+ tmp[2] = (dctx->reseed_counter >> 8) & 0xff;
+ tmp[3] = dctx->reseed_counter & 0xff;
+ ctx_add_buf(dctx, hctx->V, tmp, 4);
+#ifdef HASH_DRBG_TRACE
+ fprintf(stderr, "V+C after generate:\n");
+ hexprint(stderr, hctx->V, dctx->seedlen);
+ hexprint(stderr, hctx->C, dctx->seedlen);
+#endif
+ return 1;
+}
+
+static int drbg_hash_uninstantiate(DRBG_CTX *dctx)
+{
+ EVP_MD_CTX_free(dctx->d.hash.mctx);
+ OPENSSL_cleanse(&dctx->d.hash, sizeof(DRBG_HASH_CTX));
+ return 1;
+}
+
+int fips_drbg_hash_init(DRBG_CTX *dctx)
+{
+ const EVP_MD *md;
+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
+ md = FIPS_get_digestbynid(dctx->type);
+ if (!md)
+ return -2;
+ switch (dctx->type) {
+ case NID_sha1:
+ dctx->strength = 128;
+ break;
+
+ case NID_sha224:
+ dctx->strength = 192;
+ break;
+
+ default:
+ dctx->strength = 256;
+ break;
+ }
+
+ dctx->instantiate = drbg_hash_instantiate;
+ dctx->reseed = drbg_hash_reseed;
+ dctx->generate = drbg_hash_generate;
+ dctx->uninstantiate = drbg_hash_uninstantiate;
+
+ dctx->d.hash.md = md;
+ hctx->mctx = EVP_MD_CTX_new();
+ if (hctx->mctx == NULL)
+ return -1;
+
+ /* These are taken from SP 800-90 10.1 table 2 */
+
+ dctx->blocklength = EVP_MD_size(md);
+ if (dctx->blocklength > 32)
+ dctx->seedlen = 111;
+ else
+ dctx->seedlen = 55;
+
+ dctx->min_entropy = dctx->strength / 8;
+ dctx->max_entropy = DRBG_MAX_LENGTH;
+
+ dctx->min_nonce = dctx->min_entropy / 2;
+ dctx->max_nonce = DRBG_MAX_LENGTH;
+
+ dctx->max_pers = DRBG_MAX_LENGTH;
+ dctx->max_adin = DRBG_MAX_LENGTH;
+
+ dctx->max_request = 1 << 16;
+ dctx->reseed_interval = 1 << 24;
+
+ return 1;
+}
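Review bot: The final-carry loop in ctx_add_buf runs one iteration too many: `do { … } while (i--);` with `i` equal to the count of not-yet-visited leading bytes executes the body i+1 times, so when every remaining byte of the buffer is 0xff the last pass moves `p` to one byte before `buf` and writes there. The addition is meant modulo 2^(8·seedlen), so the carry out of the top byte should simply be dropped: `} while (--i);` (the enclosing `if (c && i)` already guarantees i is at least 1). The triggering state is negligibly likely on a healthy DRBG, but a one-byte write before V is still an out-of-bounds access that should not ship in the FIPS back-end. Separately, hash_gen ignores the return values of FIPS_digestinit, FIPS_digestupdate and FIPS_digestfinal while hash_df and drbg_hash_generate check every call; a failing digest there would return 1 with unfilled output bytes, so those calls should be guarded with `return 0` like the rest of the file.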
diff -up openssl-1.1.0f/crypto/fips/fips_drbg_hmac.c.fips openssl-1.1.0f/crypto/fips/fips_drbg_hmac.c
--- openssl-1.1.0f/crypto/fips/fips_drbg_hmac.c.fips 2017-06-02 14:14:25.463421272 +0200
+++ openssl-1.1.0f/crypto/fips/fips_drbg_hmac.c 2017-06-02 14:14:25.463421272 +0200
@@ -0,0 +1,272 @@
+/* fips/rand/fips_drbg_hmac.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/aes.h>
+#include <openssl/fips.h>
+#include <openssl/fips_rand.h>
+#include "fips_rand_lcl.h"
+
+static int drbg_hmac_update(DRBG_CTX *dctx,
+ const unsigned char *in1, size_t in1len,
+ const unsigned char *in2, size_t in2len,
+ const unsigned char *in3, size_t in3len)
+{
+ static unsigned char c0 = 0, c1 = 1;
+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
+ HMAC_CTX *hctx = hmac->hctx;
+
+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
+ return 0;
+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
+ return 0;
+ if (!HMAC_Update(hctx, &c0, 1))
+ return 0;
+ if (in1len && !HMAC_Update(hctx, in1, in1len))
+ return 0;
+ if (in2len && !HMAC_Update(hctx, in2, in2len))
+ return 0;
+ if (in3len && !HMAC_Update(hctx, in3, in3len))
+ return 0;
+
+ if (!HMAC_Final(hctx, hmac->K, NULL))
+ return 0;
+
+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
+ return 0;
+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
+ return 0;
+
+ if (!HMAC_Final(hctx, hmac->V, NULL))
+ return 0;
+
+ if (!in1len && !in2len && !in3len)
+ return 1;
+
+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
+ return 0;
+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
+ return 0;
+ if (!HMAC_Update(hctx, &c1, 1))
+ return 0;
+ if (in1len && !HMAC_Update(hctx, in1, in1len))
+ return 0;
+ if (in2len && !HMAC_Update(hctx, in2, in2len))
+ return 0;
+ if (in3len && !HMAC_Update(hctx, in3, in3len))
+ return 0;
+
+ if (!HMAC_Final(hctx, hmac->K, NULL))
+ return 0;
+
+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
+ return 0;
+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
+ return 0;
+
+ if (!HMAC_Final(hctx, hmac->V, NULL))
+ return 0;
+
+ return 1;
+
+}
+
+static int drbg_hmac_instantiate(DRBG_CTX *dctx,
+ const unsigned char *ent, size_t ent_len,
+ const unsigned char *nonce, size_t nonce_len,
+ const unsigned char *pstr, size_t pstr_len)
+{
+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
+ memset(hmac->K, 0, dctx->blocklength);
+ memset(hmac->V, 1, dctx->blocklength);
+ if (!drbg_hmac_update(dctx,
+ ent, ent_len, nonce, nonce_len, pstr, pstr_len))
+ return 0;
+
+#ifdef HMAC_DRBG_TRACE
+ fprintf(stderr, "K+V after instantiate:\n");
+ hexprint(stderr, hmac->K, hmac->blocklength);
+ hexprint(stderr, hmac->V, hmac->blocklength);
+#endif
+ return 1;
+}
+
+static int drbg_hmac_reseed(DRBG_CTX *dctx,
+ const unsigned char *ent, size_t ent_len,
+ const unsigned char *adin, size_t adin_len)
+{
+ if (!drbg_hmac_update(dctx, ent, ent_len, adin, adin_len, NULL, 0))
+ return 0;
+
+#ifdef HMAC_DRBG_TRACE
+ {
+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
+ fprintf(stderr, "K+V after reseed:\n");
+ hexprint(stderr, hmac->K, hmac->blocklength);
+ hexprint(stderr, hmac->V, hmac->blocklength);
+ }
+#endif
+ return 1;
+}
+
+static int drbg_hmac_generate(DRBG_CTX *dctx,
+ unsigned char *out, size_t outlen,
+ const unsigned char *adin, size_t adin_len)
+{
+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
+ HMAC_CTX *hctx = hmac->hctx;
+ const unsigned char *Vtmp = hmac->V;
+ if (adin_len && !drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))
+ return 0;
+ for (;;) {
+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
+ return 0;
+ if (!HMAC_Update(hctx, Vtmp, dctx->blocklength))
+ return 0;
+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
+ if (!HMAC_Final(hctx, dctx->lb, NULL))
+ return 0;
+ dctx->lb_valid = 1;
+ Vtmp = dctx->lb;
+ continue;
+ } else if (outlen > dctx->blocklength) {
+ if (!HMAC_Final(hctx, out, NULL))
+ return 0;
+ if (!fips_drbg_cprng_test(dctx, out))
+ return 0;
+ Vtmp = out;
+ } else {
+ if (!HMAC_Final(hctx, hmac->V, NULL))
+ return 0;
+ if (!fips_drbg_cprng_test(dctx, hmac->V))
+ return 0;
+ memcpy(out, hmac->V, outlen);
+ break;
+ }
+ out += dctx->blocklength;
+ outlen -= dctx->blocklength;
+ }
+ if (!drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))
+ return 0;
+
+ return 1;
+}
+
+static int drbg_hmac_uninstantiate(DRBG_CTX *dctx)
+{
+ HMAC_CTX_free(dctx->d.hmac.hctx);
+ OPENSSL_cleanse(&dctx->d.hmac, sizeof(DRBG_HMAC_CTX));
+ return 1;
+}
+
+int fips_drbg_hmac_init(DRBG_CTX *dctx)
+{
+ const EVP_MD *md = NULL;
+ DRBG_HMAC_CTX *hctx = &dctx->d.hmac;
+ dctx->strength = 256;
+ switch (dctx->type) {
+ case NID_hmacWithSHA1:
+ md = EVP_sha1();
+ dctx->strength = 128;
+ break;
+
+ case NID_hmacWithSHA224:
+ md = EVP_sha224();
+ dctx->strength = 192;
+ break;
+
+ case NID_hmacWithSHA256:
+ md = EVP_sha256();
+ break;
+
+ case NID_hmacWithSHA384:
+ md = EVP_sha384();
+ break;
+
+ case NID_hmacWithSHA512:
+ md = EVP_sha512();
+ break;
+
+ default:
+ dctx->strength = 0;
+ return -2;
+ }
+ dctx->instantiate = drbg_hmac_instantiate;
+ dctx->reseed = drbg_hmac_reseed;
+ dctx->generate = drbg_hmac_generate;
+ dctx->uninstantiate = drbg_hmac_uninstantiate;
+ hctx->hctx = HMAC_CTX_new();
+ if (hctx->hctx == NULL)
+ return -1;
+ hctx->md = md;
+ dctx->blocklength = M_EVP_MD_size(md);
+ dctx->seedlen = M_EVP_MD_size(md);
+
+ dctx->min_entropy = dctx->strength / 8;
+ dctx->max_entropy = DRBG_MAX_LENGTH;
+
+ dctx->min_nonce = dctx->min_entropy / 2;
+ dctx->max_nonce = DRBG_MAX_LENGTH;
+
+ dctx->max_pers = DRBG_MAX_LENGTH;
+ dctx->max_adin = DRBG_MAX_LENGTH;
+
+ dctx->max_request = 1 << 16;
+ dctx->reseed_interval = 1 << 24;
+
+ return 1;
+}
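Review bot: fips_drbg_hmac_init sizes blocklength and seedlen with `M_EVP_MD_size(md)`, whereas the hash DRBG added by the same patch uses `EVP_MD_size(md)`; with EVP_MD opaque in 1.1.0 the `M_` accessor presumably resolves through a local compatibility define, and writing `dctx->blocklength = EVP_MD_size(md);` and `dctx->seedlen = EVP_MD_size(md);` drops that dependency and keeps the DRBG back-ends consistent. drbg_hmac_update carries no comment tying it to the standard, unlike hash_df in the hash file; I would head it with `/* HMAC_DRBG_Update (SP 800-90 10.1.2.2): in1..in3 form provided_data; when all three are empty only the first K/V round is run. */`, which documents the early return after the first HMAC_Final. The trace blocks in drbg_hmac_instantiate and drbg_hmac_reseed read `hmac->blocklength` while the rest of the file uses `dctx->blocklength`; that code is dead unless HMAC_DRBG_TRACE is defined, but if DRBG_HMAC_CTX has no such member the trace build would not compile.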
diff -up openssl-1.1.0f/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.0f/crypto/fips/fips_drbg_lib.c
--- openssl-1.1.0f/crypto/fips/fips_drbg_lib.c.fips 2017-06-02 14:14:25.463421272 +0200
+++ openssl-1.1.0f/crypto/fips/fips_drbg_lib.c 2017-06-02 14:14:25.463421272 +0200
@@ -0,0 +1,555 @@
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/fips.h>
+#include "internal/fips_int.h"
+#include <openssl/fips_rand.h>
+#include "fips_locl.h"
+#include "fips_rand_lcl.h"
+
+/* Support framework for SP800-90 DRBGs */
+
+int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)
+{
+ int rv;
+ memset(dctx, 0, sizeof(DRBG_CTX));
+ dctx->status = DRBG_STATUS_UNINITIALISED;
+ dctx->xflags = flags;
+ dctx->type = type;
+
+ dctx->iflags = 0;
+ dctx->entropy_blocklen = 0;
+ dctx->health_check_cnt = 0;
+ dctx->health_check_interval = DRBG_HEALTH_INTERVAL;
+
+ rv = fips_drbg_hash_init(dctx);
+
+ if (rv == -2)
+ rv = fips_drbg_ctr_init(dctx);
+ if (rv == -2)
+ rv = fips_drbg_hmac_init(dctx);
+
+ if (rv <= 0) {
+ if (rv == -2)
+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE);
+ else
+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG);
+ }
+
+ /* If not in test mode run selftests on DRBG of the same type */
+
+ if (!(dctx->xflags & DRBG_FLAG_TEST)) {
+ if (!FIPS_drbg_health_check(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);
+ return 0;
+ }
+ }
+
+ return rv;
+}
+
+DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags)
+{
+ DRBG_CTX *dctx;
+ dctx = OPENSSL_malloc(sizeof(DRBG_CTX));
+ if (!dctx) {
+ FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+
+ if (type == 0) {
+ memset(dctx, 0, sizeof(DRBG_CTX));
+ dctx->type = 0;
+ dctx->status = DRBG_STATUS_UNINITIALISED;
+ return dctx;
+ }
+
+ if (FIPS_drbg_init(dctx, type, flags) <= 0) {
+ OPENSSL_free(dctx);
+ return NULL;
+ }
+
+ return dctx;
+}
+
+void FIPS_drbg_free(DRBG_CTX *dctx)
+{
+ if (dctx->uninstantiate)
+ dctx->uninstantiate(dctx);
+ /* Don't free up default DRBG */
+ if (dctx == FIPS_get_default_drbg()) {
+ memset(dctx, 0, sizeof(DRBG_CTX));
+ dctx->type = 0;
+ dctx->status = DRBG_STATUS_UNINITIALISED;
+ } else {
+ OPENSSL_cleanse(&dctx->d, sizeof(dctx->d));
+ OPENSSL_free(dctx);
+ }
+}
+
+static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len)
+{
+ unsigned char *tout, *p;
+ size_t bl = dctx->entropy_blocklen, rv;
+ if (!dctx->get_entropy)
+ return 0;
+ if (dctx->xflags & DRBG_FLAG_TEST || !bl)
+ return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
+ rv = dctx->get_entropy(dctx, &tout, entropy + bl,
+ min_len + bl, max_len + bl);
+ if (tout == NULL)
+ return 0;
+ *pout = tout + bl;
+ if (rv < (min_len + bl) || (rv % bl))
+ return 0;
+ /* Compare consecutive blocks for continuous PRNG test */
+ for (p = tout; p < tout + rv - bl; p += bl) {
+ if (!memcmp(p, p + bl, bl)) {
+ FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK);
+ return 0;
+ }
+ }
+ rv -= bl;
+ if (rv > max_len)
+ return max_len;
+ return rv;
+}
+
+static void fips_cleanup_entropy(DRBG_CTX *dctx,
+ unsigned char *out, size_t olen)
+{
+ size_t bl;
+ if (dctx->xflags & DRBG_FLAG_TEST)
+ bl = 0;
+ else
+ bl = dctx->entropy_blocklen;
+ /* Call cleanup with original arguments */
+ dctx->cleanup_entropy(dctx, out - bl, olen + bl);
+}
+
+int FIPS_drbg_instantiate(DRBG_CTX *dctx,
+ const unsigned char *pers, size_t perslen)
+{
+ size_t entlen = 0, noncelen = 0;
+ unsigned char *nonce = NULL, *entropy = NULL;
+
+#if 0
+ /* Put here so error script picks them up */
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE,
+ FIPS_R_PERSONALISATION_STRING_TOO_LONG);
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE);
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED);
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY);
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE);
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR);
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED);
+#endif
+
+ int r = 0;
+
+ if (perslen > dctx->max_pers) {
+ r = FIPS_R_PERSONALISATION_STRING_TOO_LONG;
+ goto end;
+ }
+
+ if (!dctx->instantiate) {
+ r = FIPS_R_DRBG_NOT_INITIALISED;
+ goto end;
+ }
+
+ if (dctx->status != DRBG_STATUS_UNINITIALISED) {
+ if (dctx->status == DRBG_STATUS_ERROR)
+ r = FIPS_R_IN_ERROR_STATE;
+ else
+ r = FIPS_R_ALREADY_INSTANTIATED;
+ goto end;
+ }
+
+ dctx->status = DRBG_STATUS_ERROR;
+
+ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
+ dctx->min_entropy, dctx->max_entropy);
+
+ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
+ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
+ goto end;
+ }
+
+ if (dctx->max_nonce > 0 && dctx->get_nonce) {
+ noncelen = dctx->get_nonce(dctx, &nonce,
+ dctx->strength / 2,
+ dctx->min_nonce, dctx->max_nonce);
+
+ if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) {
+ r = FIPS_R_ERROR_RETRIEVING_NONCE;
+ goto end;
+ }
+
+ }
+
+ if (!dctx->instantiate(dctx,
+ entropy, entlen, nonce, noncelen, pers, perslen)) {
+ r = FIPS_R_ERROR_INSTANTIATING_DRBG;
+ goto end;
+ }
+
+ dctx->status = DRBG_STATUS_READY;
+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
+ dctx->reseed_counter = 1;
+
+ end:
+
+ if (entropy && dctx->cleanup_entropy)
+ fips_cleanup_entropy(dctx, entropy, entlen);
+
+ if (nonce && dctx->cleanup_nonce)
+ dctx->cleanup_nonce(dctx, nonce, noncelen);
+
+ if (dctx->status == DRBG_STATUS_READY)
+ return 1;
+
+ if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r);
+
+ return 0;
+
+}
+
+static int drbg_reseed(DRBG_CTX *dctx,
+ const unsigned char *adin, size_t adinlen, int hcheck)
+{
+ unsigned char *entropy = NULL;
+ size_t entlen = 0;
+ int r = 0;
+
+#if 0
+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED);
+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
+#endif
+ if (dctx->status != DRBG_STATUS_READY
+ && dctx->status != DRBG_STATUS_RESEED) {
+ if (dctx->status == DRBG_STATUS_ERROR)
+ r = FIPS_R_IN_ERROR_STATE;
+ else if (dctx->status == DRBG_STATUS_UNINITIALISED)
+ r = FIPS_R_NOT_INSTANTIATED;
+ goto end;
+ }
+
+ if (!adin)
+ adinlen = 0;
+ else if (adinlen > dctx->max_adin) {
+ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
+ goto end;
+ }
+
+ dctx->status = DRBG_STATUS_ERROR;
+ /* Peform health check on all reseed operations if not a prediction
+ * resistance request and not in test mode.
+ */
+ if (hcheck && !(dctx->xflags & DRBG_FLAG_TEST)) {
+ if (!FIPS_drbg_health_check(dctx)) {
+ r = FIPS_R_SELFTEST_FAILURE;
+ goto end;
+ }
+ }
+
+ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
+ dctx->min_entropy, dctx->max_entropy);
+
+ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
+ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
+ goto end;
+ }
+
+ if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen))
+ goto end;
+
+ dctx->status = DRBG_STATUS_READY;
+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
+ dctx->reseed_counter = 1;
+ end:
+
+ if (entropy && dctx->cleanup_entropy)
+ fips_cleanup_entropy(dctx, entropy, entlen);
+
+ if (dctx->status == DRBG_STATUS_READY)
+ return 1;
+
+ if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
+ FIPSerr(FIPS_F_DRBG_RESEED, r);
+
+ return 0;
+}
+
+int FIPS_drbg_reseed(DRBG_CTX *dctx,
+ const unsigned char *adin, size_t adinlen)
+{
+ return drbg_reseed(dctx, adin, adinlen, 1);
+}
+
+static int fips_drbg_check(DRBG_CTX *dctx)
+{
+ if (dctx->xflags & DRBG_FLAG_TEST)
+ return 1;
+ dctx->health_check_cnt++;
+ if (dctx->health_check_cnt >= dctx->health_check_interval) {
+ if (!FIPS_drbg_health_check(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE);
+ return 0;
+ }
+ }
+ return 1;
+}
+
+int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
+ int prediction_resistance,
+ const unsigned char *adin, size_t adinlen)
+{
+ int r = 0;
+
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED);
+ return 0;
+ }
+
+ if (!fips_drbg_check(dctx))
+ return 0;
+
+ if (dctx->status != DRBG_STATUS_READY
+ && dctx->status != DRBG_STATUS_RESEED) {
+ if (dctx->status == DRBG_STATUS_ERROR)
+ r = FIPS_R_IN_ERROR_STATE;
+ else if (dctx->status == DRBG_STATUS_UNINITIALISED)
+ r = FIPS_R_NOT_INSTANTIATED;
+ goto end;
+ }
+
+ if (outlen > dctx->max_request) {
+ r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
+ return 0;
+ }
+
+ if (adinlen > dctx->max_adin) {
+ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
+ goto end;
+ }
+
+ if (dctx->iflags & DRBG_CUSTOM_RESEED)
+ dctx->generate(dctx, NULL, outlen, NULL, 0);
+ else if (dctx->reseed_counter >= dctx->reseed_interval)
+ dctx->status = DRBG_STATUS_RESEED;
+
+ if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) {
+ /* If prediction resistance request don't do health check */
+ int hcheck = prediction_resistance ? 0 : 1;
+
+ if (!drbg_reseed(dctx, adin, adinlen, hcheck)) {
+ r = FIPS_R_RESEED_ERROR;
+ goto end;
+ }
+ adin = NULL;
+ adinlen = 0;
+ }
+
+ if (!dctx->generate(dctx, out, outlen, adin, adinlen)) {
+ r = FIPS_R_GENERATE_ERROR;
+ dctx->status = DRBG_STATUS_ERROR;
+ goto end;
+ }
+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) {
+ if (dctx->reseed_counter >= dctx->reseed_interval)
+ dctx->status = DRBG_STATUS_RESEED;
+ else
+ dctx->reseed_counter++;
+ }
+
+ end:
+ if (r) {
+ if (!(dctx->iflags & DRBG_FLAG_NOERR))
+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);
+ return 0;
+ }
+
+ return 1;
+}
+
+int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)
+{
+ int rv;
+ if (!dctx->uninstantiate)
+ rv = 1;
+ else
+ rv = dctx->uninstantiate(dctx);
+ /* Although we'd like to cleanse here we can't because we have to
+ * test the uninstantiate really zeroes the data.
+ */
+ memset(&dctx->d, 0, sizeof(dctx->d));
+ dctx->status = DRBG_STATUS_UNINITIALISED;
+ /* If method has problems uninstantiating, return error */
+ return rv;
+}
+
+int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
+ size_t (*get_entropy) (DRBG_CTX *ctx,
+ unsigned char **pout,
+ int entropy,
+ size_t min_len,
+ size_t max_len),
+ void (*cleanup_entropy) (DRBG_CTX *ctx,
+ unsigned char *out,
+ size_t olen),
+ size_t entropy_blocklen,
+ size_t (*get_nonce) (DRBG_CTX *ctx,
+ unsigned char **pout,
+ int entropy, size_t min_len,
+ size_t max_len),
+ void (*cleanup_nonce) (DRBG_CTX *ctx,
+ unsigned char *out,
+ size_t olen))
+{
+ if (dctx->status != DRBG_STATUS_UNINITIALISED)
+ return 0;
+ dctx->entropy_blocklen = entropy_blocklen;
+ dctx->get_entropy = get_entropy;
+ dctx->cleanup_entropy = cleanup_entropy;
+ dctx->get_nonce = get_nonce;
+ dctx->cleanup_nonce = cleanup_nonce;
+ return 1;
+}
+
+int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
+ size_t (*get_adin) (DRBG_CTX *ctx,
+ unsigned char **pout),
+ void (*cleanup_adin) (DRBG_CTX *ctx,
+ unsigned char *out,
+ size_t olen),
+ int (*rand_seed_cb) (DRBG_CTX *ctx,
+ const void *buf,
+ int num),
+ int (*rand_add_cb) (DRBG_CTX *ctx,
+ const void *buf, int num,
+ double entropy))
+{
+ if (dctx->status != DRBG_STATUS_UNINITIALISED)
+ return 0;
+ dctx->get_adin = get_adin;
+ dctx->cleanup_adin = cleanup_adin;
+ dctx->rand_seed_cb = rand_seed_cb;
+ dctx->rand_add_cb = rand_add_cb;
+ return 1;
+}
+
+void *FIPS_drbg_get_app_data(DRBG_CTX *dctx)
+{
+ return dctx->app_data;
+}
+
+void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data)
+{
+ dctx->app_data = app_data;
+}
+
+size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)
+{
+ return dctx->blocklength;
+}
+
+int FIPS_drbg_get_strength(DRBG_CTX *dctx)
+{
+ return dctx->strength;
+}
+
+void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval)
+{
+ dctx->health_check_interval = interval;
+}
+
+void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval)
+{
+ dctx->reseed_interval = interval;
+}
+
+static int drbg_stick = 0;
+
+void FIPS_drbg_stick(int onoff)
+{
+ drbg_stick = onoff;
+}
+
+/* Continuous DRBG utility function */
+int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out)
+{
+ /* No CPRNG in test mode */
+ if (dctx->xflags & DRBG_FLAG_TEST)
+ return 1;
+ /* Check block is valid: should never happen */
+ if (dctx->lb_valid == 0) {
+ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_INTERNAL_ERROR);
+ fips_set_selftest_fail();
+ return 0;
+ }
+ if (drbg_stick)
+ memcpy(dctx->lb, out, dctx->blocklength);
+ /* Check against last block: fail if match */
+ if (!memcmp(dctx->lb, out, dctx->blocklength)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_DRBG_STUCK);
+ fips_set_selftest_fail();
+ return 0;
+ }
+ /* Save last block for next comparison */
+ memcpy(dctx->lb, out, dctx->blocklength);
+ return 1;
+}
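Review bot: In FIPS_drbg_generate the request-size check assigns `r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG` and then does `return 0;` instead of `goto end;`, so unlike every other failure in the function this one is never pushed to the error queue and callers only see a silent 0; the line should read `goto end;`. In fips_get_entropy, `tout` is compared against NULL after the callback but is never initialised, so a get_entropy callback that fails without assigning `*pout` makes that test read an indeterminate pointer; declare it as `unsigned char *tout = NULL, *p;`. FIPS_drbg_init also continues past the `rv <= 0` branch into FIPS_drbg_health_check on a context whose method pointers were never set; adding `return rv;` inside that branch (presumably the intent, since FIPS_drbg_new treats rv <= 0 as failure either way) avoids running the self-test for an unsupported type and stacking a second error on top of the first.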
diff -up openssl-1.1.0f/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.0f/crypto/fips/fips_drbg_rand.c
--- openssl-1.1.0f/crypto/fips/fips_drbg_rand.c.fips 2017-06-02 14:14:25.463421272 +0200
+++ openssl-1.1.0f/crypto/fips/fips_drbg_rand.c 2017-06-02 14:14:25.463421272 +0200
@@ -0,0 +1,183 @@
+/* fips/rand/fips_drbg_rand.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <string.h>
+#include <openssl/crypto.h>
+#include "internal/thread_once.h"
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include <openssl/fips.h>
+#include <openssl/fips_rand.h>
+#include "fips_rand_lcl.h"
+
+/* Mapping of SP800-90 DRBGs to OpenSSL RAND_METHOD */
+
+/* Since we only have one global PRNG used at any time in OpenSSL use a global
+ * variable to store context.
+ */
+
+static DRBG_CTX ossl_dctx;
+
+static CRYPTO_RWLOCK *fips_rand_lock = NULL;
+static CRYPTO_ONCE fips_rand_lock_init = CRYPTO_ONCE_STATIC_INIT;
+
+DEFINE_RUN_ONCE_STATIC(do_fips_rand_lock_init)
+{
+ fips_rand_lock = CRYPTO_THREAD_lock_new();
+ return fips_rand_lock != NULL;
+}
+
+DRBG_CTX *FIPS_get_default_drbg(void)
+{
+ if (!RUN_ONCE(&fips_rand_lock_init, do_fips_rand_lock_init))
+ return NULL;
+ return &ossl_dctx;
+}
+
+static int fips_drbg_bytes(unsigned char *out, int count)
+{
+ DRBG_CTX *dctx = &ossl_dctx;
+ int rv = 0;
+ unsigned char *adin = NULL;
+ size_t adinlen = 0;
+ CRYPTO_THREAD_write_lock(fips_rand_lock);
+ do {
+ size_t rcnt;
+ if (count > (int)dctx->max_request)
+ rcnt = dctx->max_request;
+ else
+ rcnt = count;
+ if (dctx->get_adin) {
+ adinlen = dctx->get_adin(dctx, &adin);
+ if (adinlen && !adin) {
+ FIPSerr(FIPS_F_FIPS_DRBG_BYTES,
+ FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT);
+ goto err;
+ }
+ }
+ rv = FIPS_drbg_generate(dctx, out, rcnt, 0, adin, adinlen);
+ if (adin) {
+ if (dctx->cleanup_adin)
+ dctx->cleanup_adin(dctx, adin, adinlen);
+ adin = NULL;
+ }
+ if (!rv)
+ goto err;
+ out += rcnt;
+ count -= rcnt;
+ }
+ while (count);
+ rv = 1;
+ err:
+ CRYPTO_THREAD_unlock(fips_rand_lock);
+ return rv;
+}
+
+static int fips_drbg_pseudo(unsigned char *out, int count)
+{
+ if (fips_drbg_bytes(out, count) <= 0)
+ return -1;
+ return 1;
+}
+
+static int fips_drbg_status(void)
+{
+ DRBG_CTX *dctx = &ossl_dctx;
+ int rv;
+ CRYPTO_THREAD_read_lock(fips_rand_lock);
+ rv = dctx->status == DRBG_STATUS_READY ? 1 : 0;
+ CRYPTO_THREAD_unlock(fips_rand_lock);
+ return rv;
+}
+
+static void fips_drbg_cleanup(void)
+{
+ DRBG_CTX *dctx = &ossl_dctx;
+ CRYPTO_THREAD_write_lock(fips_rand_lock);
+ FIPS_drbg_uninstantiate(dctx);
+ CRYPTO_THREAD_unlock(fips_rand_lock);
+}
+
+static int fips_drbg_seed(const void *seed, int seedlen)
+{
+ DRBG_CTX *dctx = &ossl_dctx;
+ CRYPTO_THREAD_write_lock(fips_rand_lock);
+ if (dctx->rand_seed_cb)
+ return dctx->rand_seed_cb(dctx, seed, seedlen);
+ CRYPTO_THREAD_unlock(fips_rand_lock);
+ return 1;
+}
+
+static int fips_drbg_add(const void *seed, int seedlen, double add_entropy)
+{
+ DRBG_CTX *dctx = &ossl_dctx;
+ CRYPTO_THREAD_write_lock(fips_rand_lock);
+ if (dctx->rand_add_cb)
+ return dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
+ CRYPTO_THREAD_unlock(fips_rand_lock);
+ return 1;
+}
+
+static const RAND_METHOD rand_drbg_meth = {
+ fips_drbg_seed,
+ fips_drbg_bytes,
+ fips_drbg_cleanup,
+ fips_drbg_add,
+ fips_drbg_pseudo,
+ fips_drbg_status
+};
+
+const RAND_METHOD *FIPS_drbg_method(void)
+{
+ return &rand_drbg_meth;
+}
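Review bot: fips_drbg_seed and fips_drbg_add return straight from inside the write lock when a callback is installed (`return dctx->rand_seed_cb(...)` and `return dctx->rand_add_cb(...)`), so the first seed or add call with a callback set leaves fips_rand_lock held and the next fips_drbg_bytes, fips_drbg_status or fips_drbg_cleanup call blocks forever. Both functions should capture the callback's result and release the lock on a single exit path, as below. Separately, fips_rand_lock is only created by the RUN_ONCE inside FIPS_get_default_drbg, so every other entry point in this file presumably relies on that being called before the RAND_METHOD is installed — worth confirming at the install site, which is outside this hunk.
```c
static int fips_drbg_seed(const void *seed, int seedlen)
{
    DRBG_CTX *dctx = &ossl_dctx;
    int rv = 1;
    CRYPTO_THREAD_write_lock(fips_rand_lock);
    if (dctx->rand_seed_cb)
        rv = dctx->rand_seed_cb(dctx, seed, seedlen);
    CRYPTO_THREAD_unlock(fips_rand_lock);
    return rv;
}

static int fips_drbg_add(const void *seed, int seedlen, double add_entropy)
{
    DRBG_CTX *dctx = &ossl_dctx;
    int rv = 1;
    CRYPTO_THREAD_write_lock(fips_rand_lock);
    if (dctx->rand_add_cb)
        rv = dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
    CRYPTO_THREAD_unlock(fips_rand_lock);
    return rv;
}
/* … unchanged: rand_drbg_meth table and FIPS_drbg_method … */
```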
diff -up openssl-1.1.0f/crypto/fips/fips_drbg_selftest.c.fips openssl-1.1.0f/crypto/fips/fips_drbg_selftest.c
--- openssl-1.1.0f/crypto/fips/fips_drbg_selftest.c.fips 2017-06-02 14:14:25.464421296 +0200
+++ openssl-1.1.0f/crypto/fips/fips_drbg_selftest.c 2017-06-02 14:14:25.464421296 +0200
@@ -0,0 +1,828 @@
+/* fips/rand/fips_drbg_selftest.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/fips.h>
+#include <openssl/fips_rand.h>
+#include "fips_rand_lcl.h"
+#include "fips_locl.h"
+
+#include "fips_drbg_selftest.h"
+
+typedef struct {
+ int post;
+ int nid;
+ unsigned int flags;
+
+ /* KAT data for no PR */
+ const unsigned char *ent;
+ size_t entlen;
+ const unsigned char *nonce;
+ size_t noncelen;
+ const unsigned char *pers;
+ size_t perslen;
+ const unsigned char *adin;
+ size_t adinlen;
+ const unsigned char *entreseed;
+ size_t entreseedlen;
+ const unsigned char *adinreseed;
+ size_t adinreseedlen;
+ const unsigned char *adin2;
+ size_t adin2len;
+ const unsigned char *kat;
+ size_t katlen;
+ const unsigned char *kat2;
+ size_t kat2len;
+
+ /* KAT data for PR */
+ const unsigned char *ent_pr;
+ size_t entlen_pr;
+ const unsigned char *nonce_pr;
+ size_t noncelen_pr;
+ const unsigned char *pers_pr;
+ size_t perslen_pr;
+ const unsigned char *adin_pr;
+ size_t adinlen_pr;
+ const unsigned char *entpr_pr;
+ size_t entprlen_pr;
+ const unsigned char *ading_pr;
+ size_t adinglen_pr;
+ const unsigned char *entg_pr;
+ size_t entglen_pr;
+ const unsigned char *kat_pr;
+ size_t katlen_pr;
+ const unsigned char *kat2_pr;
+ size_t kat2len_pr;
+
+} DRBG_SELFTEST_DATA;
+
+#define make_drbg_test_data(nid, flag, pr, p) {p, nid, flag | DRBG_FLAG_TEST, \
+ pr##_entropyinput, sizeof(pr##_entropyinput), \
+ pr##_nonce, sizeof(pr##_nonce), \
+ pr##_personalizationstring, sizeof(pr##_personalizationstring), \
+ pr##_additionalinput, sizeof(pr##_additionalinput), \
+ pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
+ pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
+ pr##_additionalinput2, sizeof(pr##_additionalinput2), \
+ pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
+ pr##_returnedbits, sizeof(pr##_returnedbits), \
+ pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
+ pr##_pr_nonce, sizeof(pr##_pr_nonce), \
+ pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
+ pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
+ pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
+ pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
+ pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
+ pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
+ pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits), \
+ }
+
+#define make_drbg_test_data_df(nid, pr, p) \
+ make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr, p)
+
+#define make_drbg_test_data_ec(curve, md, pr, p) \
+ make_drbg_test_data((curve << 16) | md , 0, pr, p)
+
+static DRBG_SELFTEST_DATA drbg_test[] = {
+ make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0),
+ make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0),
+ make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1),
+ make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df, 0),
+ make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df, 0),
+ make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df, 1),
+ make_drbg_test_data(NID_sha1, 0, sha1, 0),
+ make_drbg_test_data(NID_sha224, 0, sha224, 0),
+ make_drbg_test_data(NID_sha256, 0, sha256, 1),
+ make_drbg_test_data(NID_sha384, 0, sha384, 0),
+ make_drbg_test_data(NID_sha512, 0, sha512, 0),
+ make_drbg_test_data(NID_hmacWithSHA1, 0, hmac_sha1, 0),
+ make_drbg_test_data(NID_hmacWithSHA224, 0, hmac_sha224, 0),
+ make_drbg_test_data(NID_hmacWithSHA256, 0, hmac_sha256, 1),
+ make_drbg_test_data(NID_hmacWithSHA384, 0, hmac_sha384, 0),
+ make_drbg_test_data(NID_hmacWithSHA512, 0, hmac_sha512, 0),
+ {0, 0, 0}
+};
+
+typedef struct {
+ const unsigned char *ent;
+ size_t entlen;
+ int entcnt;
+ const unsigned char *nonce;
+ size_t noncelen;
+ int noncecnt;
+} TEST_ENT;
+
+static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len)
+{
+ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
+ *pout = (unsigned char *)t->ent;
+ t->entcnt++;
+ return t->entlen;
+}
+
+static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len)
+{
+ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
+ *pout = (unsigned char *)t->nonce;
+ t->noncecnt++;
+ return t->noncelen;
+}
+
+static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td,
+ int quick)
+{
+ TEST_ENT t;
+ int rv = 0;
+ size_t adinlen;
+ unsigned char randout[1024];
+
+ /* Initial test without PR */
+
+ /* Instantiate DRBG with test entropy, nonce and personalisation
+ * string.
+ */
+
+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
+ return 0;
+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
+ return 0;
+
+ FIPS_drbg_set_app_data(dctx, &t);
+
+ t.ent = td->ent;
+ t.entlen = td->entlen;
+ t.nonce = td->nonce;
+ t.noncelen = td->noncelen;
+ t.entcnt = 0;
+ t.noncecnt = 0;
+
+ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
+ goto err;
+
+ /* Note for CTR without DF some additional input values
+ * ignore bytes after the keylength: so reduce adinlen
+ * to half to ensure invalid data is fed in.
+ */
+ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
+ adinlen = td->adinlen / 2;
+ else
+ adinlen = td->adinlen;
+
+ /* Generate with no PR and verify output matches expected data */
+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, td->adin, adinlen))
+ goto err;
+
+ if (memcmp(randout, td->kat, td->katlen)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST1_FAILURE);
+ goto err2;
+ }
+ /* If abbreviated POST end of test */
+ if (quick) {
+ rv = 1;
+ goto err;
+ }
+ /* Reseed DRBG with test entropy and additional input */
+ t.ent = td->entreseed;
+ t.entlen = td->entreseedlen;
+
+ if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen))
+ goto err;
+
+ /* Generate with no PR and verify output matches expected data */
+ if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0,
+ td->adin2, td->adin2len))
+ goto err;
+
+ if (memcmp(randout, td->kat2, td->kat2len)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST2_FAILURE);
+ goto err2;
+ }
+
+ FIPS_drbg_uninstantiate(dctx);
+
+ /* Now test with PR */
+
+ /* Instantiate DRBG with test entropy, nonce and personalisation
+ * string.
+ */
+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
+ return 0;
+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
+ return 0;
+
+ FIPS_drbg_set_app_data(dctx, &t);
+
+ t.ent = td->ent_pr;
+ t.entlen = td->entlen_pr;
+ t.nonce = td->nonce_pr;
+ t.noncelen = td->noncelen_pr;
+ t.entcnt = 0;
+ t.noncecnt = 0;
+
+ if (!FIPS_drbg_instantiate(dctx, td->pers_pr, td->perslen_pr))
+ goto err;
+
+ /* Now generate with PR: we need to supply entropy as this will
+ * perform a reseed operation. Check output matches expected value.
+ */
+
+ t.ent = td->entpr_pr;
+ t.entlen = td->entprlen_pr;
+
+ /* Note for CTR without DF some additional input values
+ * ignore bytes after the keylength: so reduce adinlen
+ * to half to ensure invalid data is fed in.
+ */
+ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
+ adinlen = td->adinlen_pr / 2;
+ else
+ adinlen = td->adinlen_pr;
+ if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 1,
+ td->adin_pr, adinlen))
+ goto err;
+
+ if (memcmp(randout, td->kat_pr, td->katlen_pr)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST1_FAILURE);
+ goto err2;
+ }
+
+ /* Now generate again with PR: supply new entropy again.
+ * Check output matches expected value.
+ */
+
+ t.ent = td->entg_pr;
+ t.entlen = td->entglen_pr;
+
+ if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 1,
+ td->ading_pr, td->adinglen_pr))
+ goto err;
+
+ if (memcmp(randout, td->kat2_pr, td->kat2len_pr)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST2_FAILURE);
+ goto err2;
+ }
+ /* All OK, test complete */
+ rv = 1;
+
+ err:
+ if (rv == 0)
+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED);
+ err2:
+ FIPS_drbg_uninstantiate(dctx);
+
+ return rv;
+
+}
+
+/* Initialise a DRBG based on selftest data */
+
+static int do_drbg_init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, TEST_ENT * t)
+{
+
+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
+ return 0;
+
+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
+ return 0;
+
+ FIPS_drbg_set_app_data(dctx, t);
+
+ t->ent = td->ent;
+ t->entlen = td->entlen;
+ t->nonce = td->nonce;
+ t->noncelen = td->noncelen;
+ t->entcnt = 0;
+ t->noncecnt = 0;
+ return 1;
+}
+
+/* Initialise and instantiate DRBG based on selftest data */
+static int do_drbg_instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td,
+ TEST_ENT * t)
+{
+ if (!do_drbg_init(dctx, td, t))
+ return 0;
+ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
+ return 0;
+
+ return 1;
+}
+
+/* This function performs extensive error checking as required by SP800-90.
+ * Induce several failure modes and check an error condition is set.
+ * This function along with fips_drbg_single_kat peforms the health checking
+ * operation.
+ */
+
+static int fips_drbg_error_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td)
+{
+ unsigned char randout[1024];
+ TEST_ENT t;
+ size_t i;
+ unsigned int reseed_counter_tmp;
+ unsigned char *p = (unsigned char *)dctx;
+
+ /* Initialise DRBG */
+
+ if (!do_drbg_init(dctx, td, &t))
+ goto err;
+
+ /* Don't report induced errors */
+ dctx->iflags |= DRBG_FLAG_NOERR;
+
+ /* Personalisation string tests */
+
+ /* Test detection of too large personlisation string */
+
+ if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_PERSONALISATION_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ /* Entropy source tests */
+
+ /* Test entropy source failure detecion: i.e. returns no data */
+
+ t.entlen = 0;
+
+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ /* Try to generate output from uninstantiated DRBG */
+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
+ td->adin, td->adinlen)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_GENERATE_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ dctx->iflags &= ~DRBG_FLAG_NOERR;
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ if (!do_drbg_init(dctx, td, &t))
+ goto err;
+
+ dctx->iflags |= DRBG_FLAG_NOERR;
+
+ /* Test insufficient entropy */
+
+ t.entlen = dctx->min_entropy - 1;
+
+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ dctx->iflags &= ~DRBG_FLAG_NOERR;
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ /* Test too much entropy */
+
+ if (!do_drbg_init(dctx, td, &t))
+ goto err;
+
+ dctx->iflags |= DRBG_FLAG_NOERR;
+
+ t.entlen = dctx->max_entropy + 1;
+
+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ dctx->iflags &= ~DRBG_FLAG_NOERR;
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ /* Nonce tests */
+
+ /* Test too small nonce */
+
+ if (dctx->min_nonce) {
+
+ if (!do_drbg_init(dctx, td, &t))
+ goto err;
+
+ dctx->iflags |= DRBG_FLAG_NOERR;
+
+ t.noncelen = dctx->min_nonce - 1;
+
+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_NONCE_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ dctx->iflags &= ~DRBG_FLAG_NOERR;
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ }
+
+ /* Test too large nonce */
+
+ if (dctx->max_nonce) {
+
+ if (!do_drbg_init(dctx, td, &t))
+ goto err;
+
+ dctx->iflags |= DRBG_FLAG_NOERR;
+
+ t.noncelen = dctx->max_nonce + 1;
+
+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_NONCE_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ dctx->iflags &= ~DRBG_FLAG_NOERR;
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ }
+
+ /* Instantiate with valid data. */
+ if (!do_drbg_instantiate(dctx, td, &t))
+ goto err;
+
+ /* Check generation is now OK */
+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
+ td->adin, td->adinlen))
+ goto err;
+
+ dctx->iflags |= DRBG_FLAG_NOERR;
+
+ /* Request too much data for one request */
+ if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0,
+ td->adin, td->adinlen)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ /* Try too large additional input */
+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
+ td->adin, dctx->max_adin + 1)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ /* Check prediction resistance request fails if entropy source
+ * failure.
+ */
+
+ t.entlen = 0;
+
+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
+ td->adin, td->adinlen)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ dctx->iflags &= ~DRBG_FLAG_NOERR;
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ /* Instantiate again with valid data */
+
+ if (!do_drbg_instantiate(dctx, td, &t))
+ goto err;
+ /* Test reseed counter works */
+ /* Save initial reseed counter */
+ reseed_counter_tmp = dctx->reseed_counter;
+ /* Set reseed counter to beyond interval */
+ dctx->reseed_counter = dctx->reseed_interval;
+
+ /* Generate output and check entropy has been requested for reseed */
+ t.entcnt = 0;
+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
+ td->adin, td->adinlen))
+ goto err;
+ if (t.entcnt != 1) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
+ goto err;
+ }
+ /* Check reseed counter has been reset */
+ if (dctx->reseed_counter != reseed_counter_tmp + 1) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
+ goto err;
+ }
+
+ dctx->iflags &= ~DRBG_FLAG_NOERR;
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ /* Check prediction resistance request fails if entropy source
+ * failure.
+ */
+
+ t.entlen = 0;
+
+ dctx->iflags |= DRBG_FLAG_NOERR;
+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
+ td->adin, td->adinlen)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ dctx->iflags &= ~DRBG_FLAG_NOERR;
+
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ if (!do_drbg_instantiate(dctx, td, &t))
+ goto err;
+ /* Test reseed counter works */
+ /* Save initial reseed counter */
+ reseed_counter_tmp = dctx->reseed_counter;
+ /* Set reseed counter to beyond interval */
+ dctx->reseed_counter = dctx->reseed_interval;
+
+ /* Generate output and check entropy has been requested for reseed */
+ t.entcnt = 0;
+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
+ td->adin, td->adinlen))
+ goto err;
+ if (t.entcnt != 1) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
+ goto err;
+ }
+ /* Check reseed counter has been reset */
+ if (dctx->reseed_counter != reseed_counter_tmp + 1) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
+ goto err;
+ }
+
+ dctx->iflags &= ~DRBG_FLAG_NOERR;
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ /* Explicit reseed tests */
+
+ /* Test explicit reseed with too large additional input */
+ if (!do_drbg_init(dctx, td, &t))
+ goto err;
+
+ dctx->iflags |= DRBG_FLAG_NOERR;
+
+ if (FIPS_drbg_reseed(dctx, td->adin, dctx->max_adin + 1) > 0) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ /* Test explicit reseed with entropy source failure */
+
+ t.entlen = 0;
+
+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ /* Test explicit reseed with too much entropy */
+
+ if (!do_drbg_init(dctx, td, &t))
+ goto err;
+
+ dctx->iflags |= DRBG_FLAG_NOERR;
+
+ t.entlen = dctx->max_entropy + 1;
+
+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ /* Test explicit reseed with too little entropy */
+
+ if (!do_drbg_init(dctx, td, &t))
+ goto err;
+
+ dctx->iflags |= DRBG_FLAG_NOERR;
+
+ t.entlen = dctx->min_entropy - 1;
+
+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ p = (unsigned char *)&dctx->d;
+ /* Standard says we have to check uninstantiate really zeroes
+ * the data...
+ */
+ for (i = 0; i < sizeof(dctx->d); i++) {
+ if (*p != 0) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_UNINSTANTIATE_ZEROISE_ERROR);
+ goto err;
+ }
+ p++;
+ }
+
+ return 1;
+
+ err:
+ /* A real error as opposed to an induced one: underlying function will
+ * indicate the error.
+ */
+ if (!(dctx->iflags & DRBG_FLAG_NOERR))
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_FUNCTION_ERROR);
+ FIPS_drbg_uninstantiate(dctx);
+ return 0;
+
+}
+
+int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags)
+{
+ DRBG_SELFTEST_DATA *td;
+ flags |= DRBG_FLAG_TEST;
+ for (td = drbg_test; td->nid != 0; td++) {
+ if (td->nid == nid && td->flags == flags) {
+ if (!fips_drbg_single_kat(dctx, td, 0))
+ return 0;
+ return fips_drbg_error_check(dctx, td);
+ }
+ }
+ return 0;
+}
+
+int FIPS_drbg_health_check(DRBG_CTX *dctx)
+{
+ int rv;
+ DRBG_CTX *tctx = NULL;
+ tctx = FIPS_drbg_new(0, 0);
+ fips_post_started(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
+ if (!tctx)
+ return 0;
+ rv = fips_drbg_kat(tctx, dctx->type, dctx->xflags);
+ if (tctx)
+ FIPS_drbg_free(tctx);
+ if (rv)
+ fips_post_success(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
+ else
+ fips_post_failed(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
+ if (!rv)
+ dctx->status = DRBG_STATUS_ERROR;
+ else
+ dctx->health_check_cnt = 0;
+ return rv;
+}
+
+int FIPS_selftest_drbg(void)
+{
+ DRBG_CTX *dctx;
+ DRBG_SELFTEST_DATA *td;
+ int rv = 1;
+ dctx = FIPS_drbg_new(0, 0);
+ if (!dctx)
+ return 0;
+ for (td = drbg_test; td->nid != 0; td++) {
+ if (td->post != 1)
+ continue;
+ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
+ return 1;
+ if (!fips_drbg_single_kat(dctx, td, 1)) {
+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
+ rv = 0;
+ continue;
+ }
+ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
+ return 0;
+ }
+ FIPS_drbg_free(dctx);
+ return rv;
+}
+
+int FIPS_selftest_drbg_all(void)
+{
+ DRBG_CTX *dctx;
+ DRBG_SELFTEST_DATA *td;
+ int rv = 1;
+ dctx = FIPS_drbg_new(0, 0);
+ if (!dctx)
+ return 0;
+ for (td = drbg_test; td->nid != 0; td++) {
+ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
+ return 1;
+ if (!fips_drbg_single_kat(dctx, td, 0)) {
+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
+ rv = 0;
+ continue;
+ }
+ if (!fips_drbg_error_check(dctx, td)) {
+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
+ rv = 0;
+ continue;
+ }
+ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
+ return 0;
+ }
+ FIPS_drbg_free(dctx);
+ return rv;
+}
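Review bot: FIPS_selftest_drbg and FIPS_selftest_drbg_all leak the DRBG_CTX allocated by FIPS_drbg_new on their early exits — the `return 1;` taken when fips_post_started fails and the `return 0;` taken when fips_post_success fails both bypass the FIPS_drbg_free after each loop. Each early return should become `FIPS_drbg_free(dctx); return …;` or jump to a label placed before the existing free. FIPS_drbg_health_check has the reverse ordering problem: it calls fips_post_started before checking that FIPS_drbg_new succeeded, so an allocation failure records a started test with no matching fips_post_failed and leaves dctx->status untouched; moving `if (!tctx) return 0;` above the fips_post_started call, or routing that case through the failure branch, closes the gap. The `if (tctx)` guard before FIPS_drbg_free in the same function is then redundant, since the NULL case has already returned.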
diff -up openssl-1.1.0f/crypto/fips/fips_drbg_selftest.h.fips openssl-1.1.0f/crypto/fips/fips_drbg_selftest.h
--- openssl-1.1.0f/crypto/fips/fips_drbg_selftest.h.fips 2017-06-02 14:14:25.465421319 +0200
+++ openssl-1.1.0f/crypto/fips/fips_drbg_selftest.h 2017-06-02 14:14:25.465421319 +0200
@@ -0,0 +1,1791 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+/* Selftest and health check data for the SP800-90 DRBG */
+
+#define __fips_constseg
+
+/* AES-128 use df PR */
+__fips_constseg static const unsigned char aes_128_use_df_pr_entropyinput[] = {
+ 0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33,
+ 0xc8, 0xdb, 0xff, 0x12
+};
+
+__fips_constseg static const unsigned char aes_128_use_df_pr_nonce[] = {
+ 0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28
+};
+
+__fips_constseg
+ static const unsigned char aes_128_use_df_pr_personalizationstring[] = {
+ 0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe,
+ 0xd7, 0xd7, 0x01, 0x67
+};
+
+__fips_constseg
+ static const unsigned char aes_128_use_df_pr_additionalinput[] = {
+ 0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e,
+ 0x9a, 0x47, 0x08, 0x76
+};
+
+__fips_constseg
+ static const unsigned char aes_128_use_df_pr_entropyinputpr[] = {
+ 0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51,
+ 0x09, 0xfb, 0xa3, 0xb6
+};
+
+__fips_constseg
+ static const unsigned char aes_128_use_df_pr_int_returnedbits[] = {
+ 0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52,
+ 0x66, 0x1c, 0xea, 0x5b
+};
+
+__fips_constseg
+ static const unsigned char aes_128_use_df_pr_additionalinput2[] = {
+ 0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11,
+ 0x3f, 0x5e, 0x31, 0x06
+};
+
+__fips_constseg
+ static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = {
+ 0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae,
+ 0xa7, 0xe3, 0xa8, 0x67
+};
+
+__fips_constseg static const unsigned char aes_128_use_df_pr_returnedbits[] = {
+ 0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24,
+ 0x0f, 0x38, 0x43, 0xc6
+};
+
+/* AES-128 use df No PR */
+__fips_constseg static const unsigned char aes_128_use_df_entropyinput[] = {
+ 0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3,
+ 0x9d, 0x7d, 0x1c, 0x9b
+};
+
+__fips_constseg static const unsigned char aes_128_use_df_nonce[] = {
+ 0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96
+};
+
+__fips_constseg
+ static const unsigned char aes_128_use_df_personalizationstring[] = {
+ 0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3,
+ 0x38, 0x66, 0xba, 0x1b
+};
+
+__fips_constseg static const unsigned char aes_128_use_df_additionalinput[] = {
+ 0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46,
+ 0xb5, 0xe2, 0xb2, 0x41
+};
+
+__fips_constseg static const unsigned char aes_128_use_df_int_returnedbits[] = {
+ 0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67,
+ 0xe7, 0x57, 0x11, 0xb4
+};
+
+__fips_constseg
+ static const unsigned char aes_128_use_df_entropyinputreseed[] = {
+ 0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b,
+ 0xc7, 0xc4, 0x9e, 0x39
+};
+
+__fips_constseg
+ static const unsigned char aes_128_use_df_additionalinputreseed[] = {
+ 0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a,
+ 0xc8, 0x93, 0xfa, 0x84
+};
+
+__fips_constseg static const unsigned char aes_128_use_df_additionalinput2[] = {
+ 0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5,
+ 0x06, 0x0c, 0x15, 0x2c
+};
+
+__fips_constseg static const unsigned char aes_128_use_df_returnedbits[] = {
+ 0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88,
+ 0x46, 0x81, 0xc7, 0x19
+};
+
+/* AES-192 use df PR */
+__fips_constseg static const unsigned char aes_192_use_df_pr_entropyinput[] = {
+ 0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec,
+ 0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d
+};
+
+__fips_constseg static const unsigned char aes_192_use_df_pr_nonce[] = {
+ 0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0,
+ 0xd1, 0x80, 0x78, 0xfa
+};
+
+__fips_constseg
+ static const unsigned char aes_192_use_df_pr_personalizationstring[] = {
+ 0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16,
+ 0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5,
+ 0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04
+};
+
+__fips_constseg
+ static const unsigned char aes_192_use_df_pr_additionalinput[] = {
+ 0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac,
+ 0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb,
+ 0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36
+};
+
+__fips_constseg
+ static const unsigned char aes_192_use_df_pr_entropyinputpr[] = {
+ 0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5,
+ 0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5
+};
+
+__fips_constseg
+ static const unsigned char aes_192_use_df_pr_int_returnedbits[] = {
+ 0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9,
+ 0x19, 0x30, 0x6b, 0x67
+};
+
+__fips_constseg
+ static const unsigned char aes_192_use_df_pr_additionalinput2[] = {
+ 0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32,
+ 0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda,
+ 0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99
+};
+
+__fips_constseg
+ static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = {
+ 0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0,
+ 0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e
+};
+
+__fips_constseg static const unsigned char aes_192_use_df_pr_returnedbits[] = {
+ 0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c,
+ 0x7e, 0x1a, 0x2b, 0x83
+};
+
+/* AES-192 use df No PR */
+__fips_constseg static const unsigned char aes_192_use_df_entropyinput[] = {
+ 0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82,
+ 0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b
+};
+
+__fips_constseg static const unsigned char aes_192_use_df_nonce[] = {
+ 0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d,
+ 0x77, 0xd7, 0x41, 0x0e
+};
+
+__fips_constseg
+ static const unsigned char aes_192_use_df_personalizationstring[] = {
+ 0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf,
+ 0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65,
+ 0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70
+};
+
+__fips_constseg static const unsigned char aes_192_use_df_additionalinput[] = {
+ 0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69,
+ 0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22,
+ 0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7
+};
+
+__fips_constseg static const unsigned char aes_192_use_df_int_returnedbits[] = {
+ 0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6,
+ 0xb7, 0xed, 0xe9, 0xea
+};
+
+__fips_constseg
+ static const unsigned char aes_192_use_df_entropyinputreseed[] = {
+ 0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02,
+ 0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01
+};
+
+__fips_constseg
+ static const unsigned char aes_192_use_df_additionalinputreseed[] = {
+ 0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76,
+ 0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77,
+ 0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65
+};
+
+__fips_constseg static const unsigned char aes_192_use_df_additionalinput2[] = {
+ 0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e,
+ 0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0,
+ 0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77
+};
+
+__fips_constseg static const unsigned char aes_192_use_df_returnedbits[] = {
+ 0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58,
+ 0x1a, 0xf9, 0x13, 0x28
+};
+
+/* AES-256 use df PR */
+__fips_constseg static const unsigned char aes_256_use_df_pr_entropyinput[] = {
+ 0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74,
+ 0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f,
+ 0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a
+};
+
+__fips_constseg static const unsigned char aes_256_use_df_pr_nonce[] = {
+ 0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33,
+ 0x2b, 0x36, 0xff, 0xa4
+};
+
+__fips_constseg
+ static const unsigned char aes_256_use_df_pr_personalizationstring[] = {
+ 0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24,
+ 0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83,
+ 0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d
+};
+
+__fips_constseg
+ static const unsigned char aes_256_use_df_pr_additionalinput[] = {
+ 0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0,
+ 0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3,
+ 0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde
+};
+
+__fips_constseg
+ static const unsigned char aes_256_use_df_pr_entropyinputpr[] = {
+ 0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77,
+ 0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54,
+ 0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9
+};
+
+__fips_constseg
+ static const unsigned char aes_256_use_df_pr_int_returnedbits[] = {
+ 0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7,
+ 0x17, 0xab, 0x3c, 0x7a
+};
+
+__fips_constseg
+ static const unsigned char aes_256_use_df_pr_additionalinput2[] = {
+ 0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00,
+ 0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78,
+ 0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3
+};
+
+__fips_constseg
+ static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = {
+ 0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73,
+ 0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8,
+ 0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f
+};
+
+__fips_constseg static const unsigned char aes_256_use_df_pr_returnedbits[] = {
+ 0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0,
+ 0xd9, 0xe2, 0x97, 0x00
+};
+
+/* AES-256 use df No PR */
+__fips_constseg static const unsigned char aes_256_use_df_entropyinput[] = {
+ 0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50,
+ 0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68,
+ 0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47
+};
+
+__fips_constseg static const unsigned char aes_256_use_df_nonce[] = {
+ 0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a,
+ 0x4c, 0x44, 0x84, 0x40
+};
+
+__fips_constseg
+ static const unsigned char aes_256_use_df_personalizationstring[] = {
+ 0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05,
+ 0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b,
+ 0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2
+};
+
+__fips_constseg static const unsigned char aes_256_use_df_additionalinput[] = {
+ 0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f,
+ 0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf,
+ 0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46
+};
+
+__fips_constseg static const unsigned char aes_256_use_df_int_returnedbits[] = {
+ 0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1,
+ 0x28, 0x0c, 0x3b, 0xc1
+};
+
+__fips_constseg
+ static const unsigned char aes_256_use_df_entropyinputreseed[] = {
+ 0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76,
+ 0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46,
+ 0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e
+};
+
+__fips_constseg
+ static const unsigned char aes_256_use_df_additionalinputreseed[] = {
+ 0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99,
+ 0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75,
+ 0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75
+};
+
+__fips_constseg static const unsigned char aes_256_use_df_additionalinput2[] = {
+ 0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d,
+ 0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a,
+ 0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d
+};
+
+__fips_constseg static const unsigned char aes_256_use_df_returnedbits[] = {
+ 0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad,
+ 0xfa, 0xfd, 0x35, 0x5e
+};
+
+/* AES-128 no df PR */
+__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinput[] = {
+ 0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4,
+ 0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf,
+ 0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a
+};
+
+__fips_constseg static const unsigned char aes_128_no_df_pr_nonce[] = {
+ 0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1
+};
+
+__fips_constseg
+ static const unsigned char aes_128_no_df_pr_personalizationstring[] = {
+ 0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c,
+ 0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c,
+ 0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8
+};
+
+__fips_constseg
+ static const unsigned char aes_128_no_df_pr_additionalinput[] = {
+ 0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02,
+ 0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73,
+ 0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12
+};
+
+__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinputpr[] = {
+ 0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a,
+ 0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7,
+ 0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e
+};
+
+__fips_constseg
+ static const unsigned char aes_128_no_df_pr_int_returnedbits[] = {
+ 0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71,
+ 0xaf, 0x19, 0x32, 0x16
+};
+
+__fips_constseg
+ static const unsigned char aes_128_no_df_pr_additionalinput2[] = {
+ 0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f,
+ 0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83,
+ 0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50
+};
+
+__fips_constseg
+ static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = {
+ 0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a,
+ 0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07,
+ 0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9
+};
+
+__fips_constseg static const unsigned char aes_128_no_df_pr_returnedbits[] = {
+ 0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33,
+ 0x57, 0x82, 0x33, 0xaf
+};
+
+/* AES-128 no df No PR */
+__fips_constseg static const unsigned char aes_128_no_df_entropyinput[] = {
+ 0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67,
+ 0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42,
+ 0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60
+};
+
+__fips_constseg static const unsigned char aes_128_no_df_nonce[] = {
+ 0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13
+};
+
+__fips_constseg
+ static const unsigned char aes_128_no_df_personalizationstring[] = {
+ 0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb,
+ 0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b,
+ 0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce
+};
+
+__fips_constseg static const unsigned char aes_128_no_df_additionalinput[] = {
+ 0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37,
+ 0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24,
+ 0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95
+};
+
+__fips_constseg static const unsigned char aes_128_no_df_int_returnedbits[] = {
+ 0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6,
+ 0xed, 0x3e, 0x65, 0xc2
+};
+
+__fips_constseg
+ static const unsigned char aes_128_no_df_entropyinputreseed[] = {
+ 0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66,
+ 0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1,
+ 0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00
+};
+
+__fips_constseg
+ static const unsigned char aes_128_no_df_additionalinputreseed[] = {
+ 0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2,
+ 0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4,
+ 0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4
+};
+
+__fips_constseg static const unsigned char aes_128_no_df_additionalinput2[] = {
+ 0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f,
+ 0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac,
+ 0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6
+};
+
+__fips_constseg static const unsigned char aes_128_no_df_returnedbits[] = {
+ 0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36,
+ 0x81, 0x37, 0x19, 0xd4
+};
+
+/* AES-192 no df PR */
+__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinput[] = {
+ 0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7,
+ 0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61,
+ 0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a,
+ 0x17, 0x1f, 0x8d, 0x9a
+};
+
+__fips_constseg static const unsigned char aes_192_no_df_pr_nonce[] = {
+ 0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19,
+ 0x61, 0x5c, 0xee, 0x0f
+};
+
+__fips_constseg
+ static const unsigned char aes_192_no_df_pr_personalizationstring[] = {
+ 0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1,
+ 0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4,
+ 0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10,
+ 0x57, 0x2e, 0xe7, 0x55
+};
+
+__fips_constseg
+ static const unsigned char aes_192_no_df_pr_additionalinput[] = {
+ 0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad,
+ 0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85,
+ 0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f,
+ 0xe2, 0xd0, 0x0c, 0x2f
+};
+
+__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinputpr[] = {
+ 0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94,
+ 0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb,
+ 0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58,
+ 0x1d, 0x30, 0xb3, 0x78
+};
+
+__fips_constseg
+ static const unsigned char aes_192_no_df_pr_int_returnedbits[] = {
+ 0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40,
+ 0x7e, 0x3e, 0x0c, 0x26
+};
+
+__fips_constseg
+ static const unsigned char aes_192_no_df_pr_additionalinput2[] = {
+ 0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a,
+ 0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57,
+ 0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee,
+ 0x0c, 0x4b, 0xee, 0x6e
+};
+
+__fips_constseg
+ static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = {
+ 0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0,
+ 0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f,
+ 0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b,
+ 0x8e, 0x0a, 0x83, 0xdf
+};
+
+__fips_constseg static const unsigned char aes_192_no_df_pr_returnedbits[] = {
+ 0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91,
+ 0xb9, 0xa1, 0x21, 0x68
+};
+
+/* AES-192 no df No PR */
+__fips_constseg static const unsigned char aes_192_no_df_entropyinput[] = {
+ 0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e,
+ 0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe,
+ 0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28,
+ 0x94, 0xc3, 0x59, 0x63
+};
+
+__fips_constseg static const unsigned char aes_192_no_df_nonce[] = {
+ 0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb,
+ 0x29, 0xfd, 0x45, 0x71
+};
+
+__fips_constseg
+ static const unsigned char aes_192_no_df_personalizationstring[] = {
+ 0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08,
+ 0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96,
+ 0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b,
+ 0x3b, 0x88, 0xce, 0x35
+};
+
+__fips_constseg static const unsigned char aes_192_no_df_additionalinput[] = {
+ 0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b,
+ 0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71,
+ 0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3,
+ 0x3e, 0xbe, 0xd4, 0x8e
+};
+
+__fips_constseg static const unsigned char aes_192_no_df_int_returnedbits[] = {
+ 0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a,
+ 0x45, 0xe7, 0x4a, 0xc5
+};
+
+__fips_constseg
+ static const unsigned char aes_192_no_df_entropyinputreseed[] = {
+ 0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e,
+ 0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1,
+ 0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33,
+ 0x9b, 0xcb, 0x7e, 0x75
+};
+
+__fips_constseg
+ static const unsigned char aes_192_no_df_additionalinputreseed[] = {
+ 0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01,
+ 0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27,
+ 0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40,
+ 0x5d, 0x7a, 0x25, 0x79
+};
+
+__fips_constseg static const unsigned char aes_192_no_df_additionalinput2[] = {
+ 0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71,
+ 0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5,
+ 0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a,
+ 0x91, 0x6a, 0xe3, 0x5f
+};
+
+__fips_constseg static const unsigned char aes_192_no_df_returnedbits[] = {
+ 0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8,
+ 0x66, 0x67, 0x2c, 0x92
+};
+
+/* AES-256 no df PR */
+__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinput[] = {
+ 0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8,
+ 0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2,
+ 0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03,
+ 0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c
+};
+
+__fips_constseg static const unsigned char aes_256_no_df_pr_nonce[] = {
+ 0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30,
+ 0xcc, 0x4b, 0xee, 0x2e
+};
+
+__fips_constseg
+ static const unsigned char aes_256_no_df_pr_personalizationstring[] = {
+ 0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7,
+ 0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b,
+ 0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac,
+ 0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06
+};
+
+__fips_constseg
+ static const unsigned char aes_256_no_df_pr_additionalinput[] = {
+ 0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40,
+ 0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c,
+ 0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69,
+ 0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e
+};
+
+__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinputpr[] = {
+ 0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16,
+ 0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc,
+ 0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9,
+ 0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f
+};
+
+__fips_constseg
+ static const unsigned char aes_256_no_df_pr_int_returnedbits[] = {
+ 0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56,
+ 0x79, 0x60, 0x93, 0xcf
+};
+
+__fips_constseg
+ static const unsigned char aes_256_no_df_pr_additionalinput2[] = {
+ 0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a,
+ 0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35,
+ 0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34,
+ 0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb
+};
+
+__fips_constseg
+ static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = {
+ 0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3,
+ 0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa,
+ 0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83,
+ 0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f
+};
+
+__fips_constseg static const unsigned char aes_256_no_df_pr_returnedbits[] = {
+ 0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7,
+ 0x2d, 0x5f, 0x4a, 0x46
+};
+
+/* AES-256 no df No PR */
+__fips_constseg static const unsigned char aes_256_no_df_entropyinput[] = {
+ 0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3,
+ 0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb,
+ 0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96,
+ 0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3
+};
+
+__fips_constseg static const unsigned char aes_256_no_df_nonce[] = {
+ 0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99,
+ 0x43, 0x96, 0xb9, 0xf0
+};
+
+__fips_constseg
+ static const unsigned char aes_256_no_df_personalizationstring[] = {
+ 0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60,
+ 0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc,
+ 0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f,
+ 0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d
+};
+
+__fips_constseg static const unsigned char aes_256_no_df_additionalinput[] = {
+ 0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6,
+ 0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9,
+ 0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed,
+ 0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17
+};
+
+__fips_constseg static const unsigned char aes_256_no_df_int_returnedbits[] = {
+ 0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6,
+ 0xd2, 0x25, 0x75, 0x0e
+};
+
+__fips_constseg
+ static const unsigned char aes_256_no_df_entropyinputreseed[] = {
+ 0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b,
+ 0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5,
+ 0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed,
+ 0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb
+};
+
+__fips_constseg
+ static const unsigned char aes_256_no_df_additionalinputreseed[] = {
+ 0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e,
+ 0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18,
+ 0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b,
+ 0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29
+};
+
+__fips_constseg static const unsigned char aes_256_no_df_additionalinput2[] = {
+ 0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe,
+ 0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42,
+ 0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba,
+ 0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6
+};
+
+__fips_constseg static const unsigned char aes_256_no_df_returnedbits[] = {
+ 0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67,
+ 0xf6, 0x02, 0x32, 0xe2
+};
+
+/* SHA-1 PR */
+__fips_constseg static const unsigned char sha1_pr_entropyinput[] = {
+ 0xd2, 0x36, 0xa5, 0x27, 0x31, 0x73, 0xdd, 0x11, 0x4f, 0x93, 0xbd, 0xe2,
+ 0x31, 0xa5, 0x91, 0x13
+};
+
+__fips_constseg static const unsigned char sha1_pr_nonce[] = {
+ 0xb5, 0xb3, 0x60, 0xef, 0xf7, 0x63, 0x31, 0xf3
+};
+
+__fips_constseg static const unsigned char sha1_pr_personalizationstring[] = {
+ 0xd4, 0xbb, 0x02, 0x10, 0xb2, 0x71, 0xdb, 0x81, 0xd6, 0xf0, 0x42, 0x60,
+ 0xda, 0xea, 0x77, 0x52
+};
+
+__fips_constseg static const unsigned char sha1_pr_additionalinput[] = {
+ 0x4d, 0xd2, 0x6c, 0x87, 0xfb, 0x2c, 0x4f, 0xa6, 0x8d, 0x16, 0x63, 0x22,
+ 0x6a, 0x51, 0xe3, 0xf8
+};
+
+__fips_constseg static const unsigned char sha1_pr_entropyinputpr[] = {
+ 0xc9, 0x83, 0x9e, 0x16, 0xf6, 0x1c, 0x0f, 0xb2, 0xec, 0x60, 0x31, 0xa9,
+ 0xcb, 0xa9, 0x36, 0x7a
+};
+
+__fips_constseg static const unsigned char sha1_pr_int_returnedbits[] = {
+ 0xa8, 0x13, 0x4f, 0xf4, 0x31, 0x02, 0x44, 0xe3, 0xd3, 0x3d, 0x61, 0x9e,
+ 0xe5, 0xc6, 0x3e, 0x89, 0xb5, 0x9b, 0x0f, 0x35
+};
+
+__fips_constseg static const unsigned char sha1_pr_additionalinput2[] = {
+ 0xf9, 0xe8, 0xd2, 0x72, 0x13, 0x34, 0x95, 0x6f, 0x15, 0x49, 0x47, 0x99,
+ 0x16, 0x03, 0x19, 0x47
+};
+
+__fips_constseg static const unsigned char sha1_pr_entropyinputpr2[] = {
+ 0x4e, 0x8c, 0x49, 0x9b, 0x4a, 0x5c, 0x9b, 0x9c, 0x3a, 0xee, 0xfb, 0xd2,
+ 0xae, 0xcd, 0x8c, 0xc4
+};
+
+__fips_constseg static const unsigned char sha1_pr_returnedbits[] = {
+ 0x50, 0xb4, 0xb4, 0xcd, 0x68, 0x57, 0xfc, 0x2e, 0xc1, 0x52, 0xcc, 0xf6,
+ 0x68, 0xa4, 0x81, 0xed, 0x7e, 0xe4, 0x1d, 0x87
+};
+
+/* SHA-1 No PR */
+__fips_constseg static const unsigned char sha1_entropyinput[] = {
+ 0xa9, 0x47, 0x1b, 0x29, 0x2d, 0x1c, 0x05, 0xdf, 0x76, 0xd0, 0x62, 0xf9,
+ 0xe2, 0x7f, 0x4c, 0x7b
+};
+
+__fips_constseg static const unsigned char sha1_nonce[] = {
+ 0x53, 0x23, 0x24, 0xe3, 0xec, 0x0c, 0x54, 0x14
+};
+
+__fips_constseg static const unsigned char sha1_personalizationstring[] = {
+ 0x7a, 0x87, 0xa1, 0xac, 0x1c, 0xfd, 0xab, 0xae, 0xf7, 0xd6, 0xfb, 0x76,
+ 0x28, 0xec, 0x6d, 0xca
+};
+
+__fips_constseg static const unsigned char sha1_additionalinput[] = {
+ 0xfc, 0x92, 0x35, 0xd6, 0x7e, 0xb7, 0x24, 0x65, 0xfd, 0x12, 0x27, 0x35,
+ 0xc0, 0x72, 0xca, 0x28
+};
+
+__fips_constseg static const unsigned char sha1_int_returnedbits[] = {
+ 0x57, 0x88, 0x82, 0xe5, 0x25, 0xa5, 0x2c, 0x4a, 0x06, 0x20, 0x6c, 0x72,
+ 0x55, 0x61, 0xdd, 0x90, 0x71, 0x9f, 0x95, 0xea
+};
+
+__fips_constseg static const unsigned char sha1_entropyinputreseed[] = {
+ 0x69, 0xa5, 0x40, 0x62, 0x98, 0x47, 0x56, 0x73, 0x4a, 0x8f, 0x60, 0x96,
+ 0xd6, 0x99, 0x27, 0xed
+};
+
+__fips_constseg static const unsigned char sha1_additionalinputreseed[] = {
+ 0xe5, 0x40, 0x4e, 0xbd, 0x50, 0x00, 0xf5, 0x15, 0xa6, 0xee, 0x45, 0xda,
+ 0x84, 0x3d, 0xd4, 0xc0
+};
+
+__fips_constseg static const unsigned char sha1_additionalinput2[] = {
+ 0x11, 0x51, 0x14, 0xf0, 0x09, 0x1b, 0x4e, 0x56, 0x0d, 0xe9, 0xf6, 0x1e,
+ 0x52, 0x65, 0xcd, 0x96
+};
+
+__fips_constseg static const unsigned char sha1_returnedbits[] = {
+ 0xa1, 0x9c, 0x94, 0x6e, 0x29, 0xe1, 0x33, 0x0d, 0x32, 0xd6, 0xaa, 0xce,
+ 0x71, 0x3f, 0x52, 0x72, 0x8b, 0x42, 0xa8, 0xd7
+};
+
+/* SHA-224 PR */
+__fips_constseg static const unsigned char sha224_pr_entropyinput[] = {
+ 0x12, 0x69, 0x32, 0x4f, 0x83, 0xa6, 0xf5, 0x14, 0xe3, 0x49, 0x3e, 0x75,
+ 0x3e, 0xde, 0xad, 0xa1, 0x29, 0xc3, 0xf3, 0x19, 0x20, 0xb5, 0x4c, 0xd9
+};
+
+__fips_constseg static const unsigned char sha224_pr_nonce[] = {
+ 0x6a, 0x78, 0xd0, 0xeb, 0xbb, 0x5a, 0xf0, 0xee, 0xe8, 0xc3, 0xba, 0x71
+};
+
+__fips_constseg static const unsigned char sha224_pr_personalizationstring[] = {
+ 0xd5, 0xb8, 0xb6, 0xbc, 0xc1, 0x5b, 0x60, 0x31, 0x3c, 0xf5, 0xe5, 0xc0,
+ 0x8e, 0x52, 0x7a, 0xbd, 0xea, 0x47, 0xa9, 0x5f, 0x8f, 0xf9, 0x8b, 0xae
+};
+
+__fips_constseg static const unsigned char sha224_pr_additionalinput[] = {
+ 0x1f, 0x55, 0xec, 0xae, 0x16, 0x12, 0x84, 0xba, 0x84, 0x16, 0x19, 0x88,
+ 0x8e, 0xb8, 0x33, 0x25, 0x54, 0xff, 0xca, 0x79, 0xaf, 0x07, 0x25, 0x50
+};
+
+__fips_constseg static const unsigned char sha224_pr_entropyinputpr[] = {
+ 0x92, 0xa3, 0x32, 0xa8, 0x9a, 0x0a, 0x58, 0x7c, 0x1d, 0x5a, 0x7e, 0xe1,
+ 0xb2, 0x73, 0xab, 0x0e, 0x16, 0x79, 0x23, 0xd3, 0x29, 0x89, 0x81, 0xe1
+};
+
+__fips_constseg static const unsigned char sha224_pr_int_returnedbits[] = {
+ 0xf3, 0x38, 0x91, 0x40, 0x37, 0x7a, 0x51, 0x72, 0x42, 0x74, 0x78, 0x0a,
+ 0x69, 0xfd, 0xa6, 0x44, 0x43, 0x45, 0x6c, 0x0c, 0x5a, 0x19, 0xff, 0xf1,
+ 0x54, 0x60, 0xee, 0x6a
+};
+
+__fips_constseg static const unsigned char sha224_pr_additionalinput2[] = {
+ 0x75, 0xf3, 0x04, 0x25, 0xdd, 0x36, 0xa8, 0x37, 0x46, 0xae, 0x0c, 0x52,
+ 0x05, 0x79, 0x4c, 0x26, 0xdb, 0xe9, 0x71, 0x16, 0x4c, 0x0a, 0xf2, 0x60
+};
+
+__fips_constseg static const unsigned char sha224_pr_entropyinputpr2[] = {
+ 0xea, 0xc5, 0x03, 0x0a, 0x4f, 0xb0, 0x38, 0x8d, 0x23, 0xd4, 0xc8, 0x77,
+ 0xe2, 0x6d, 0x9c, 0x0b, 0x44, 0xf7, 0x2d, 0x5b, 0xbf, 0x5d, 0x2a, 0x11
+};
+
+__fips_constseg static const unsigned char sha224_pr_returnedbits[] = {
+ 0x60, 0x50, 0x2b, 0xe7, 0x86, 0xd8, 0x26, 0x73, 0xe3, 0x1d, 0x95, 0x20,
+ 0xb3, 0x2c, 0x32, 0x1c, 0xf5, 0xce, 0x57, 0xa6, 0x67, 0x2b, 0xdc, 0x4e,
+ 0xdd, 0x11, 0x4c, 0xc4
+};
+
+/* SHA-224 No PR */
+__fips_constseg static const unsigned char sha224_entropyinput[] = {
+ 0xb2, 0x1c, 0x77, 0x4d, 0xf6, 0xd3, 0xb6, 0x40, 0xb7, 0x30, 0x3e, 0x29,
+ 0xb0, 0x85, 0x1c, 0xbe, 0x4a, 0xea, 0x6b, 0x5a, 0xb5, 0x8a, 0x97, 0xeb
+};
+
+__fips_constseg static const unsigned char sha224_nonce[] = {
+ 0x42, 0x02, 0x0a, 0x1c, 0x98, 0x9a, 0x77, 0x9e, 0x9f, 0x80, 0xba, 0xe0
+};
+
+__fips_constseg static const unsigned char sha224_personalizationstring[] = {
+ 0x98, 0xb8, 0x04, 0x41, 0xfc, 0xc1, 0x5d, 0xc5, 0xe9, 0xb9, 0x08, 0xda,
+ 0xf9, 0xfa, 0x0d, 0x90, 0xce, 0xdf, 0x1d, 0x10, 0xa9, 0x8d, 0x50, 0x0c
+};
+
+__fips_constseg static const unsigned char sha224_additionalinput[] = {
+ 0x9a, 0x8d, 0x39, 0x49, 0x42, 0xd5, 0x0b, 0xae, 0xe1, 0xaf, 0xb7, 0x00,
+ 0x02, 0xfa, 0x96, 0xb1, 0xa5, 0x1d, 0x2d, 0x25, 0x78, 0xee, 0x83, 0x3f
+};
+
+__fips_constseg static const unsigned char sha224_int_returnedbits[] = {
+ 0xe4, 0xf5, 0x53, 0x79, 0x5a, 0x97, 0x58, 0x06, 0x08, 0xba, 0x7b, 0xfa,
+ 0xf0, 0x83, 0x05, 0x8c, 0x22, 0xc0, 0xc9, 0xdb, 0x15, 0xe7, 0xde, 0x20,
+ 0x55, 0x22, 0x9a, 0xad
+};
+
+__fips_constseg static const unsigned char sha224_entropyinputreseed[] = {
+ 0x67, 0x09, 0x48, 0xaa, 0x07, 0x16, 0x99, 0x89, 0x7f, 0x6d, 0xa0, 0xe5,
+ 0x8f, 0xdf, 0xbc, 0xdb, 0xfe, 0xe5, 0x6c, 0x7a, 0x95, 0x4a, 0x66, 0x17
+};
+
+__fips_constseg static const unsigned char sha224_additionalinputreseed[] = {
+ 0x0f, 0x4b, 0x1c, 0x6f, 0xb7, 0xe3, 0x47, 0xe5, 0x5d, 0x7d, 0x38, 0xd6,
+ 0x28, 0x9b, 0xeb, 0x55, 0x63, 0x09, 0x3e, 0x7c, 0x56, 0xea, 0xf8, 0x19
+};
+
+__fips_constseg static const unsigned char sha224_additionalinput2[] = {
+ 0x2d, 0x26, 0x7c, 0x37, 0xe4, 0x7a, 0x28, 0x5e, 0x5a, 0x3c, 0xaf, 0x3d,
+ 0x5a, 0x8e, 0x55, 0xa2, 0x1a, 0x6e, 0xc0, 0xe5, 0xf6, 0x21, 0xd3, 0xf6
+};
+
+__fips_constseg static const unsigned char sha224_returnedbits[] = {
+ 0x4d, 0x83, 0x35, 0xdf, 0x67, 0xa9, 0xfc, 0x17, 0xda, 0x70, 0xcc, 0x8b,
+ 0x7f, 0x77, 0xae, 0xa2, 0x5f, 0xb9, 0x7e, 0x74, 0x4c, 0x26, 0xc1, 0x7a,
+ 0x3b, 0xa7, 0x5c, 0x93
+};
+
+/* SHA-256 PR */
+__fips_constseg static const unsigned char sha256_pr_entropyinput[] = {
+ 0xce, 0x49, 0x00, 0x7a, 0x56, 0xe3, 0x67, 0x8f, 0xe1, 0xb6, 0xa7, 0xd4,
+ 0x4f, 0x08, 0x7a, 0x1b, 0x01, 0xf4, 0xfa, 0x6b, 0xef, 0xb7, 0xe5, 0xeb,
+ 0x07, 0x3d, 0x11, 0x0d, 0xc8, 0xea, 0x2b, 0xfe
+};
+
+__fips_constseg static const unsigned char sha256_pr_nonce[] = {
+ 0x73, 0x41, 0xc8, 0x92, 0x94, 0xe2, 0xc5, 0x5f, 0x93, 0xfd, 0x39, 0x5d,
+ 0x2b, 0x91, 0x4d, 0x38
+};
+
+__fips_constseg static const unsigned char sha256_pr_personalizationstring[] = {
+ 0x50, 0x6d, 0x01, 0x01, 0x07, 0x5a, 0x80, 0x35, 0x7a, 0x56, 0x1a, 0x56,
+ 0x2f, 0x9a, 0x0b, 0x35, 0xb2, 0xb1, 0xc9, 0xe5, 0xca, 0x69, 0x61, 0x48,
+ 0xff, 0xfb, 0x0f, 0xd9, 0x4b, 0x79, 0x1d, 0xba
+};
+
+__fips_constseg static const unsigned char sha256_pr_additionalinput[] = {
+ 0x20, 0xb8, 0xdf, 0x44, 0x77, 0x5a, 0xb8, 0xd3, 0xbf, 0xf6, 0xcf, 0xac,
+ 0x5e, 0xa6, 0x96, 0x62, 0x73, 0x44, 0x40, 0x4a, 0x30, 0xfb, 0x38, 0xa5,
+ 0x7b, 0x0d, 0xe4, 0x0d, 0xc6, 0xe4, 0x9a, 0x1f
+};
+
+__fips_constseg static const unsigned char sha256_pr_entropyinputpr[] = {
+ 0x04, 0xc4, 0x65, 0xf4, 0xd3, 0xbf, 0x83, 0x4b, 0xab, 0xc8, 0x41, 0xa8,
+ 0xc2, 0xe0, 0x44, 0x63, 0x77, 0x4c, 0x6f, 0x6c, 0x49, 0x46, 0xff, 0x94,
+ 0x17, 0xea, 0xe6, 0x1a, 0x9d, 0x5e, 0x66, 0x78
+};
+
+__fips_constseg static const unsigned char sha256_pr_int_returnedbits[] = {
+ 0x07, 0x4d, 0xac, 0x9b, 0x86, 0xca, 0x4a, 0xaa, 0x6e, 0x7a, 0x03, 0xa2,
+ 0x5d, 0x10, 0xea, 0x0b, 0xf9, 0x83, 0xcc, 0xd1, 0xfc, 0xe2, 0x07, 0xc7,
+ 0x06, 0x34, 0x60, 0x6f, 0x83, 0x94, 0x99, 0x76
+};
+
+__fips_constseg static const unsigned char sha256_pr_additionalinput2[] = {
+ 0x89, 0x4e, 0x45, 0x8c, 0x11, 0xf9, 0xbc, 0x5b, 0xac, 0x74, 0x8b, 0x4b,
+ 0x5f, 0xf7, 0x19, 0xf3, 0xf5, 0x24, 0x54, 0x14, 0xd1, 0x15, 0xb1, 0x43,
+ 0x12, 0xa4, 0x5f, 0xd4, 0xec, 0xfc, 0xcd, 0x09
+};
+
+__fips_constseg static const unsigned char sha256_pr_entropyinputpr2[] = {
+ 0x0e, 0xeb, 0x1f, 0xd7, 0xfc, 0xd1, 0x9d, 0xd4, 0x05, 0x36, 0x8b, 0xb2,
+ 0xfb, 0xe4, 0xf4, 0x51, 0x0c, 0x87, 0x9b, 0x02, 0x44, 0xd5, 0x92, 0x4d,
+ 0x44, 0xfe, 0x1a, 0x03, 0x43, 0x56, 0xbd, 0x86
+};
+
+__fips_constseg static const unsigned char sha256_pr_returnedbits[] = {
+ 0x02, 0xaa, 0xb6, 0x1d, 0x7e, 0x2a, 0x40, 0x03, 0x69, 0x2d, 0x49, 0xa3,
+ 0x41, 0xe7, 0x44, 0x0b, 0xaf, 0x7b, 0x85, 0xe4, 0x5f, 0x53, 0x3b, 0x64,
+ 0xbc, 0x89, 0xc8, 0x82, 0xd4, 0x78, 0x37, 0xa2
+};
+
+/* SHA-256 No PR */
+__fips_constseg static const unsigned char sha256_entropyinput[] = {
+ 0x5b, 0x1b, 0xec, 0x4d, 0xa9, 0x38, 0x74, 0x5a, 0x34, 0x0b, 0x7b, 0xc5,
+ 0xe5, 0xd7, 0x66, 0x7c, 0xbc, 0x82, 0xb9, 0x0e, 0x2d, 0x1f, 0x92, 0xd7,
+ 0xc1, 0xbc, 0x67, 0x69, 0xec, 0x6b, 0x03, 0x3c
+};
+
+__fips_constseg static const unsigned char sha256_nonce[] = {
+ 0xa4, 0x0c, 0xd8, 0x9c, 0x61, 0xd8, 0xc3, 0x54, 0xfe, 0x53, 0xc9, 0xe5,
+ 0x5d, 0x6f, 0x6d, 0x35
+};
+
+__fips_constseg static const unsigned char sha256_personalizationstring[] = {
+ 0x22, 0x5e, 0x62, 0x93, 0x42, 0x83, 0x78, 0x24, 0xd8, 0x40, 0x8c, 0xde,
+ 0x6f, 0xf9, 0xa4, 0x7a, 0xc5, 0xa7, 0x3b, 0x88, 0xa3, 0xee, 0x42, 0x20,
+ 0xfd, 0x61, 0x56, 0xc6, 0x4c, 0x13, 0x41, 0x9c
+};
+
+__fips_constseg static const unsigned char sha256_additionalinput[] = {
+ 0xbf, 0x74, 0x5b, 0xf6, 0xc5, 0x64, 0x5e, 0x99, 0x34, 0x8f, 0xbc, 0xa4,
+ 0xe2, 0xbd, 0xd8, 0x85, 0x26, 0x37, 0xea, 0xba, 0x4f, 0xf2, 0x9a, 0x9a,
+ 0x66, 0xfc, 0xdf, 0x63, 0x26, 0x26, 0x19, 0x87
+};
+
+__fips_constseg static const unsigned char sha256_int_returnedbits[] = {
+ 0xb3, 0xc6, 0x07, 0x07, 0xd6, 0x75, 0xf6, 0x2b, 0xd6, 0x21, 0x96, 0xf1,
+ 0xae, 0xdb, 0x2b, 0xac, 0x25, 0x2a, 0xae, 0xae, 0x41, 0x72, 0x03, 0x5e,
+ 0xbf, 0xd3, 0x64, 0xbc, 0x59, 0xf9, 0xc0, 0x76
+};
+
+__fips_constseg static const unsigned char sha256_entropyinputreseed[] = {
+ 0xbf, 0x20, 0x33, 0x56, 0x29, 0xa8, 0x37, 0x04, 0x1f, 0x78, 0x34, 0x3d,
+ 0x81, 0x2a, 0xc9, 0x86, 0xc6, 0x7a, 0x2f, 0x88, 0x5e, 0xd5, 0xbe, 0x34,
+ 0x46, 0x20, 0xa4, 0x35, 0xeb, 0xc7, 0xe2, 0x9d
+};
+
+__fips_constseg static const unsigned char sha256_additionalinputreseed[] = {
+ 0x9b, 0xae, 0x2d, 0x2d, 0x61, 0xa4, 0x89, 0xeb, 0x43, 0x46, 0xa7, 0xda,
+ 0xef, 0x40, 0xca, 0x4a, 0x99, 0x11, 0x41, 0xdc, 0x5c, 0x94, 0xe9, 0xac,
+ 0xd4, 0xd0, 0xe6, 0xbd, 0xfb, 0x03, 0x9c, 0xa8
+};
+
+__fips_constseg static const unsigned char sha256_additionalinput2[] = {
+ 0x23, 0xaa, 0x0c, 0xbd, 0x28, 0x33, 0xe2, 0x51, 0xfc, 0x71, 0xd2, 0x15,
+ 0x1f, 0x76, 0xfd, 0x0d, 0xe0, 0xb7, 0xb5, 0x84, 0x75, 0x5b, 0xbe, 0xf3,
+ 0x5c, 0xca, 0xc5, 0x30, 0xf2, 0x75, 0x1f, 0xda
+};
+
+__fips_constseg static const unsigned char sha256_returnedbits[] = {
+ 0x90, 0x3c, 0xc1, 0x10, 0x8c, 0x12, 0x01, 0xc6, 0xa6, 0x3a, 0x0f, 0x4d,
+ 0xb6, 0x3a, 0x4f, 0x41, 0x9c, 0x61, 0x75, 0x84, 0xe9, 0x74, 0x75, 0xfd,
+ 0xfe, 0xf2, 0x1f, 0x43, 0xd8, 0x5e, 0x24, 0xa3
+};
+
+/* SHA-384 PR */
+__fips_constseg static const unsigned char sha384_pr_entropyinput[] = {
+ 0x71, 0x9d, 0xb2, 0x5a, 0x71, 0x6d, 0x04, 0xe9, 0x1e, 0xc7, 0x92, 0x24,
+ 0x6e, 0x12, 0x33, 0xa9, 0x52, 0x64, 0x31, 0xef, 0x71, 0xeb, 0x22, 0x55,
+ 0x28, 0x97, 0x06, 0x6a, 0xc0, 0x0c, 0xa0, 0x7e
+};
+
+__fips_constseg static const unsigned char sha384_pr_nonce[] = {
+ 0xf5, 0x0d, 0xfa, 0xb0, 0xec, 0x6a, 0x7c, 0xd6, 0xbd, 0x9b, 0x05, 0xfd,
+ 0x38, 0x3e, 0x2e, 0x56
+};
+
+__fips_constseg static const unsigned char sha384_pr_personalizationstring[] = {
+ 0x74, 0xac, 0x7e, 0x6d, 0xb1, 0xa4, 0xe7, 0x21, 0xd1, 0x1e, 0x6e, 0x96,
+ 0x6d, 0x4d, 0x53, 0x46, 0x82, 0x96, 0x6e, 0xcf, 0xaa, 0x81, 0x8d, 0x7d,
+ 0x9e, 0xe1, 0x0f, 0x15, 0xea, 0x41, 0xbf, 0xe3
+};
+
+__fips_constseg static const unsigned char sha384_pr_additionalinput[] = {
+ 0xda, 0x95, 0xd4, 0xd0, 0xb8, 0x11, 0xd3, 0x49, 0x27, 0x5d, 0xa9, 0x39,
+ 0x68, 0xf3, 0xa8, 0xe9, 0x5d, 0x19, 0x8a, 0x2b, 0x66, 0xe8, 0x69, 0x06,
+ 0x7c, 0x9e, 0x03, 0xa1, 0x8b, 0x26, 0x2d, 0x6e
+};
+
+__fips_constseg static const unsigned char sha384_pr_entropyinputpr[] = {
+ 0x49, 0xdf, 0x44, 0x00, 0xe4, 0x1c, 0x75, 0x0b, 0x26, 0x5a, 0x59, 0x64,
+ 0x1f, 0x4e, 0xb1, 0xb2, 0x13, 0xf1, 0x22, 0x4e, 0xb4, 0x6d, 0x9a, 0xcc,
+ 0xa0, 0x48, 0xe6, 0xcf, 0x1d, 0xd1, 0x92, 0x0d
+};
+
+__fips_constseg static const unsigned char sha384_pr_int_returnedbits[] = {
+ 0xc8, 0x52, 0xae, 0xbf, 0x04, 0x3c, 0x27, 0xb7, 0x78, 0x18, 0xaa, 0x8f,
+ 0xff, 0xcf, 0xa4, 0xf1, 0xcc, 0xe7, 0x68, 0xfa, 0x22, 0xa2, 0x13, 0x45,
+ 0xe8, 0xdd, 0x87, 0xe6, 0xf2, 0x6e, 0xdd, 0xc7, 0x52, 0x90, 0x9f, 0x7b,
+ 0xfa, 0x61, 0x2d, 0x9d, 0x9e, 0xcf, 0x98, 0xac, 0x52, 0x40, 0xce, 0xaf
+};
+
+__fips_constseg static const unsigned char sha384_pr_additionalinput2[] = {
+ 0x61, 0x7c, 0x03, 0x9a, 0x3e, 0x50, 0x57, 0x60, 0xc5, 0x83, 0xc9, 0xb2,
+ 0xd1, 0x87, 0x85, 0x66, 0x92, 0x5d, 0x84, 0x0e, 0x53, 0xfb, 0x70, 0x03,
+ 0x72, 0xfd, 0xba, 0xae, 0x9c, 0x8f, 0xf8, 0x18
+};
+
+__fips_constseg static const unsigned char sha384_pr_entropyinputpr2[] = {
+ 0xf8, 0xeb, 0x89, 0xb1, 0x8d, 0x78, 0xbe, 0x21, 0xe0, 0xbb, 0x9d, 0xb7,
+ 0x95, 0x0e, 0xd9, 0x46, 0x0c, 0x8c, 0xe2, 0x63, 0xb7, 0x9d, 0x67, 0x90,
+ 0xbd, 0xc7, 0x0b, 0xa5, 0xce, 0xb2, 0x65, 0x81
+};
+
+__fips_constseg static const unsigned char sha384_pr_returnedbits[] = {
+ 0xe6, 0x9f, 0xfe, 0x68, 0xd6, 0xb5, 0x79, 0xf1, 0x06, 0x5f, 0xa3, 0xbb,
+ 0x23, 0x85, 0xd8, 0xf0, 0x29, 0x5a, 0x68, 0x9e, 0xf5, 0xf4, 0xa6, 0x12,
+ 0xe0, 0x9a, 0xe2, 0xac, 0x00, 0x1d, 0x98, 0x26, 0xfc, 0x53, 0x95, 0x53,
+ 0xe4, 0x3e, 0x17, 0xd5, 0x08, 0x0b, 0x70, 0x3d, 0x67, 0x99, 0xac, 0x66
+};
+
+/* SHA-384 No PR */
+__fips_constseg static const unsigned char sha384_entropyinput[] = {
+ 0x07, 0x15, 0x27, 0x2a, 0xaf, 0x74, 0x24, 0x37, 0xbc, 0xd5, 0x14, 0x69,
+ 0xce, 0x11, 0xff, 0xa2, 0x6b, 0xb8, 0x05, 0x67, 0x34, 0xf8, 0xbd, 0x6d,
+ 0x6a, 0xcc, 0xcd, 0x60, 0xa3, 0x68, 0xca, 0xf4
+};
+
+__fips_constseg static const unsigned char sha384_nonce[] = {
+ 0x70, 0x17, 0xc2, 0x5b, 0x5d, 0x22, 0x0b, 0x06, 0x15, 0x54, 0x78, 0x77,
+ 0x44, 0xaf, 0x2f, 0x09
+};
+
+__fips_constseg static const unsigned char sha384_personalizationstring[] = {
+ 0x89, 0x39, 0x28, 0xb0, 0x60, 0xeb, 0x3d, 0xdc, 0x55, 0x75, 0x86, 0xeb,
+ 0xae, 0xa2, 0x8f, 0xbc, 0x1b, 0x75, 0xd4, 0xe1, 0x0f, 0xaa, 0x38, 0xca,
+ 0x62, 0x8b, 0xcb, 0x2c, 0x26, 0xf6, 0xbc, 0xb1
+};
+
+__fips_constseg static const unsigned char sha384_additionalinput[] = {
+ 0x30, 0x2b, 0x42, 0x35, 0xef, 0xda, 0x40, 0x55, 0x28, 0xc6, 0x95, 0xfb,
+ 0x54, 0x01, 0x62, 0xd7, 0x87, 0x14, 0x48, 0x6d, 0x90, 0x4c, 0xa9, 0x02,
+ 0x54, 0x40, 0x22, 0xc8, 0x66, 0xa5, 0x48, 0x48
+};
+
+__fips_constseg static const unsigned char sha384_int_returnedbits[] = {
+ 0x82, 0xc4, 0xa1, 0x9c, 0x21, 0xd2, 0xe7, 0xa5, 0xa6, 0xf6, 0x5f, 0x04,
+ 0x5c, 0xc7, 0x31, 0x9d, 0x8d, 0x59, 0x74, 0x50, 0x19, 0x89, 0x2f, 0x63,
+ 0xd5, 0xb7, 0x7e, 0xeb, 0x15, 0xe3, 0x70, 0x83, 0xa1, 0x24, 0x59, 0xfa,
+ 0x2c, 0x56, 0xf6, 0x88, 0x3a, 0x92, 0x93, 0xa1, 0xfb, 0x79, 0xc1, 0x7a
+};
+
+__fips_constseg static const unsigned char sha384_entropyinputreseed[] = {
+ 0x39, 0xa6, 0xe8, 0x5c, 0x82, 0x17, 0x71, 0x26, 0x57, 0x4f, 0x9f, 0xc2,
+ 0x55, 0xff, 0x5c, 0x9b, 0x53, 0x1a, 0xd1, 0x5f, 0xbc, 0x62, 0xe4, 0x27,
+ 0x2d, 0x32, 0xf0, 0xe4, 0x52, 0x8c, 0xc5, 0x0c
+};
+
+__fips_constseg static const unsigned char sha384_additionalinputreseed[] = {
+ 0x8d, 0xcb, 0x8d, 0xce, 0x08, 0xea, 0x80, 0xe8, 0x9b, 0x61, 0xa8, 0x0f,
+ 0xaf, 0x49, 0x20, 0x9e, 0x74, 0xcb, 0x57, 0x80, 0x42, 0xb0, 0x84, 0x5e,
+ 0x30, 0x2a, 0x67, 0x08, 0xf4, 0xe3, 0x40, 0x22
+};
+
+__fips_constseg static const unsigned char sha384_additionalinput2[] = {
+ 0x7c, 0x8f, 0xc2, 0xae, 0x22, 0x4a, 0xd6, 0xf6, 0x05, 0xa4, 0x7a, 0xea,
+ 0xbb, 0x25, 0xd0, 0xb7, 0x5a, 0xd6, 0xcf, 0x9d, 0xf3, 0x6c, 0xe2, 0xb2,
+ 0x4e, 0xb4, 0xbd, 0xf4, 0xe5, 0x40, 0x80, 0x94
+};
+
+__fips_constseg static const unsigned char sha384_returnedbits[] = {
+ 0x9e, 0x7e, 0xfb, 0x59, 0xbb, 0xaa, 0x3c, 0xf7, 0xe1, 0xf8, 0x76, 0xdd,
+ 0x63, 0x5f, 0xaf, 0x23, 0xd6, 0x64, 0x61, 0xc0, 0x9a, 0x09, 0x47, 0xc9,
+ 0x33, 0xdf, 0x6d, 0x55, 0x91, 0x34, 0x79, 0x70, 0xc4, 0x99, 0x6e, 0x54,
+ 0x09, 0x64, 0x21, 0x1a, 0xbd, 0x1e, 0x80, 0x40, 0x34, 0xad, 0xfa, 0xd7
+};
+
+/* SHA-512 PR */
+__fips_constseg static const unsigned char sha512_pr_entropyinput[] = {
+ 0x13, 0xf7, 0x61, 0x75, 0x65, 0x28, 0xa2, 0x59, 0x13, 0x5a, 0x4a, 0x4f,
+ 0x56, 0x60, 0x8c, 0x53, 0x7d, 0xb0, 0xbd, 0x06, 0x4f, 0xed, 0xcc, 0xd2,
+ 0xa2, 0xb5, 0xfd, 0x5b, 0x3a, 0xab, 0xec, 0x28
+};
+
+__fips_constseg static const unsigned char sha512_pr_nonce[] = {
+ 0xbe, 0xa3, 0x91, 0x93, 0x1d, 0xc3, 0x31, 0x3a, 0x23, 0x33, 0x50, 0x67,
+ 0x88, 0xc7, 0xa2, 0xc4
+};
+
+__fips_constseg static const unsigned char sha512_pr_personalizationstring[] = {
+ 0x1f, 0x59, 0x4d, 0x7b, 0xe6, 0x46, 0x91, 0x48, 0xc1, 0x25, 0xfa, 0xff,
+ 0x89, 0x12, 0x77, 0x35, 0xdf, 0x3e, 0xf4, 0x80, 0x5f, 0xd9, 0xb0, 0x07,
+ 0x22, 0x41, 0xdd, 0x48, 0x78, 0x6b, 0x77, 0x2b
+};
+
+__fips_constseg static const unsigned char sha512_pr_additionalinput[] = {
+ 0x30, 0xff, 0x63, 0x6f, 0xac, 0xd9, 0x84, 0x39, 0x6f, 0xe4, 0x99, 0xce,
+ 0x91, 0x7d, 0x7e, 0xc8, 0x58, 0xf2, 0x12, 0xc3, 0xb6, 0xad, 0xda, 0x22,
+ 0x04, 0xa0, 0xd2, 0x21, 0xfe, 0xf2, 0x95, 0x1d
+};
+
+__fips_constseg static const unsigned char sha512_pr_entropyinputpr[] = {
+ 0x64, 0x54, 0x13, 0xec, 0x4f, 0x77, 0xda, 0xb2, 0x92, 0x2e, 0x52, 0x80,
+ 0x11, 0x10, 0xc2, 0xf8, 0xe6, 0xa7, 0xcd, 0x4b, 0xfc, 0x32, 0x2e, 0x9e,
+ 0xeb, 0xbb, 0xb1, 0xbf, 0x15, 0x5c, 0x73, 0x08
+};
+
+__fips_constseg static const unsigned char sha512_pr_int_returnedbits[] = {
+ 0xef, 0x1e, 0xdc, 0x0a, 0xa4, 0x36, 0x91, 0x9c, 0x3d, 0x27, 0x97, 0x50,
+ 0x8d, 0x36, 0x29, 0x8d, 0xce, 0x6a, 0x0c, 0xf7, 0x21, 0xc0, 0x91, 0xae,
+ 0x0c, 0x96, 0x72, 0xbd, 0x52, 0x81, 0x58, 0xfc, 0x6d, 0xe5, 0xf7, 0xa5,
+ 0xfd, 0x5d, 0xa7, 0x58, 0x68, 0xc8, 0x99, 0x58, 0x8e, 0xc8, 0xce, 0x95,
+ 0x01, 0x7d, 0xff, 0xa4, 0xc8, 0xf7, 0x63, 0xfe, 0x5f, 0x69, 0x83, 0x53,
+ 0xe2, 0xc6, 0x8b, 0xc3
+};
+
+__fips_constseg static const unsigned char sha512_pr_additionalinput2[] = {
+ 0xe6, 0x9b, 0xc4, 0x88, 0x34, 0xca, 0xea, 0x29, 0x2f, 0x98, 0x05, 0xa4,
+ 0xd3, 0xc0, 0x7b, 0x11, 0xe8, 0xbb, 0x75, 0xf2, 0xbd, 0x29, 0xb7, 0x40,
+ 0x25, 0x7f, 0xc1, 0xb7, 0xb1, 0xf1, 0x25, 0x61
+};
+
+__fips_constseg static const unsigned char sha512_pr_entropyinputpr2[] = {
+ 0x23, 0x6d, 0xff, 0xde, 0xfb, 0xd1, 0xba, 0x33, 0x18, 0xe6, 0xbe, 0xb5,
+ 0x48, 0x77, 0x6d, 0x7f, 0xa7, 0xe1, 0x4d, 0x48, 0x1e, 0x3c, 0xa7, 0x34,
+ 0x1a, 0xc8, 0x60, 0xdb, 0x8f, 0x99, 0x15, 0x99
+};
+
+__fips_constseg static const unsigned char sha512_pr_returnedbits[] = {
+ 0x70, 0x27, 0x31, 0xdb, 0x92, 0x70, 0x21, 0xfe, 0x16, 0xb6, 0xc8, 0x51,
+ 0x34, 0x87, 0x65, 0xd0, 0x4e, 0xfd, 0xfe, 0x68, 0xec, 0xac, 0xdc, 0x93,
+ 0x41, 0x38, 0x92, 0x90, 0xb4, 0x94, 0xf9, 0x0d, 0xa4, 0xf7, 0x4e, 0x80,
+ 0x92, 0x67, 0x48, 0x40, 0xa7, 0x08, 0xc7, 0xbc, 0x66, 0x00, 0xfd, 0xf7,
+ 0x4c, 0x8b, 0x17, 0x6e, 0xd1, 0x8f, 0x9b, 0xf3, 0x6f, 0xf6, 0x34, 0xdd,
+ 0x67, 0xf7, 0x68, 0xdd
+};
+
+/* SHA-512 No PR */
+__fips_constseg static const unsigned char sha512_entropyinput[] = {
+ 0xb6, 0x0b, 0xb7, 0xbc, 0x84, 0x56, 0xf6, 0x12, 0xaf, 0x45, 0x67, 0x17,
+ 0x7c, 0xd1, 0xb2, 0x78, 0x2b, 0xa0, 0xf2, 0xbe, 0xb6, 0x6d, 0x8b, 0x56,
+ 0xc6, 0xbc, 0x4d, 0xe1, 0xf7, 0xbe, 0xce, 0xbd
+};
+
+__fips_constseg static const unsigned char sha512_nonce[] = {
+ 0x9d, 0xed, 0xc0, 0xe5, 0x5a, 0x98, 0x6a, 0xcb, 0x51, 0x7d, 0x76, 0x31,
+ 0x5a, 0x64, 0xf0, 0xf7
+};
+
+__fips_constseg static const unsigned char sha512_personalizationstring[] = {
+ 0xc2, 0x6d, 0xa3, 0xc3, 0x06, 0x74, 0xe5, 0x01, 0x5c, 0x10, 0x17, 0xc7,
+ 0xaf, 0x83, 0x9d, 0x59, 0x8d, 0x2d, 0x29, 0x38, 0xc5, 0x59, 0x70, 0x8b,
+ 0x46, 0x48, 0x2d, 0xcf, 0x36, 0x7d, 0x59, 0xc0
+};
+
+__fips_constseg static const unsigned char sha512_additionalinput[] = {
+ 0xec, 0x8c, 0xd4, 0xf7, 0x61, 0x6e, 0x0d, 0x95, 0x79, 0xb7, 0x28, 0xad,
+ 0x5f, 0x69, 0x74, 0x5f, 0x2d, 0x36, 0x06, 0x8a, 0x6b, 0xac, 0x54, 0x97,
+ 0xc4, 0xa1, 0x12, 0x85, 0x0a, 0xdf, 0x4b, 0x34
+};
+
+__fips_constseg static const unsigned char sha512_int_returnedbits[] = {
+ 0x84, 0x2f, 0x1f, 0x68, 0x6a, 0xa3, 0xad, 0x1e, 0xfb, 0xf4, 0x15, 0xbd,
+ 0xde, 0x38, 0xd4, 0x30, 0x80, 0x51, 0xe9, 0xd3, 0xc7, 0x20, 0x88, 0xe9,
+ 0xf5, 0xcc, 0xdf, 0x57, 0x5c, 0x47, 0x2f, 0x57, 0x3c, 0x5f, 0x13, 0x56,
+ 0xcc, 0xc5, 0x4f, 0x84, 0xf8, 0x10, 0x41, 0xd5, 0x7e, 0x58, 0x6e, 0x19,
+ 0x19, 0x9e, 0xaf, 0xc2, 0x22, 0x58, 0x41, 0x50, 0x79, 0xc2, 0xd8, 0x04,
+ 0x28, 0xd4, 0x39, 0x9a
+};
+
+__fips_constseg static const unsigned char sha512_entropyinputreseed[] = {
+ 0xfa, 0x7f, 0x46, 0x51, 0x83, 0x62, 0x98, 0x16, 0x9a, 0x19, 0xa2, 0x49,
+ 0xa9, 0xe6, 0x4a, 0xd8, 0x85, 0xe7, 0xd4, 0x3b, 0x2c, 0x82, 0xc5, 0x82,
+ 0xbf, 0x11, 0xf9, 0x9e, 0xbc, 0xd0, 0x01, 0xee
+};
+
+__fips_constseg static const unsigned char sha512_additionalinputreseed[] = {
+ 0xb9, 0x12, 0xe0, 0x4f, 0xf7, 0xa7, 0xc4, 0xd8, 0xd0, 0x8e, 0x99, 0x29,
+ 0x7c, 0x9a, 0xe9, 0xcf, 0xc4, 0x6c, 0xf8, 0xc3, 0xa7, 0x41, 0x83, 0xd6,
+ 0x2e, 0xfa, 0xb8, 0x5e, 0x8e, 0x6b, 0x78, 0x20
+};
+
+__fips_constseg static const unsigned char sha512_additionalinput2[] = {
+ 0xd7, 0x07, 0x52, 0xb9, 0x83, 0x2c, 0x03, 0x71, 0xee, 0xc9, 0xc0, 0x85,
+ 0xe1, 0x57, 0xb2, 0xcd, 0x3a, 0xf0, 0xc9, 0x34, 0x24, 0x41, 0x1c, 0x42,
+ 0x99, 0xb2, 0x84, 0xe9, 0x17, 0xd2, 0x76, 0x92
+};
+
+__fips_constseg static const unsigned char sha512_returnedbits[] = {
+ 0x36, 0x17, 0x5d, 0x98, 0x2b, 0x65, 0x25, 0x8e, 0xc8, 0x29, 0xdf, 0x27,
+ 0x05, 0x36, 0x26, 0x12, 0x8a, 0x68, 0x74, 0x27, 0x37, 0xd4, 0x7f, 0x32,
+ 0xb1, 0x12, 0xd6, 0x85, 0x83, 0xeb, 0x2e, 0xa0, 0xed, 0x4b, 0xb5, 0x7b,
+ 0x6f, 0x39, 0x3c, 0x71, 0x77, 0x02, 0x12, 0xcc, 0x2c, 0x3a, 0x8e, 0x63,
+ 0xdf, 0x4a, 0xbd, 0x6f, 0x6e, 0x2e, 0xed, 0x0a, 0x85, 0xa5, 0x2f, 0xa2,
+ 0x68, 0xde, 0x42, 0xb5
+};
+
+/* HMAC SHA-1 PR */
+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinput[] = {
+ 0x26, 0x5f, 0x36, 0x14, 0xff, 0x3d, 0x83, 0xfa, 0x73, 0x5e, 0x75, 0xdc,
+ 0x2c, 0x18, 0x17, 0x1b
+};
+
+__fips_constseg static const unsigned char hmac_sha1_pr_nonce[] = {
+ 0xc8, 0xe3, 0x57, 0xa5, 0x7b, 0x74, 0x86, 0x6e
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha1_pr_personalizationstring[] = {
+ 0x6e, 0xdb, 0x0d, 0xfe, 0x7d, 0xac, 0x79, 0xd0, 0xa5, 0x3a, 0x48, 0x85,
+ 0x80, 0xe2, 0x7f, 0x2a
+};
+
+__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput[] = {
+ 0x31, 0xcd, 0x5e, 0x43, 0xdc, 0xfb, 0x7a, 0x79, 0xca, 0x88, 0xde, 0x1f,
+ 0xd7, 0xbb, 0x42, 0x09
+};
+
+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr[] = {
+ 0x7c, 0x23, 0x95, 0x38, 0x00, 0x95, 0xc1, 0x78, 0x1f, 0x8f, 0xd7, 0x63,
+ 0x23, 0x87, 0x2a, 0xed
+};
+
+__fips_constseg static const unsigned char hmac_sha1_pr_int_returnedbits[] = {
+ 0xbb, 0x34, 0xe7, 0x93, 0xa3, 0x02, 0x2c, 0x4a, 0xd0, 0x89, 0xda, 0x7f,
+ 0xed, 0xf4, 0x4c, 0xde, 0x17, 0xec, 0xe5, 0x6c
+};
+
+__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput2[] = {
+ 0x49, 0xbc, 0x2d, 0x2c, 0xb7, 0x32, 0xcb, 0x20, 0xdf, 0xf5, 0x77, 0x58,
+ 0xa0, 0x4b, 0x93, 0x6e
+};
+
+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr2[] = {
+ 0x3c, 0xaa, 0xb0, 0x21, 0x42, 0xb0, 0xdd, 0x34, 0xf0, 0x16, 0x7f, 0x0c,
+ 0x0f, 0xff, 0x2e, 0xaf
+};
+
+__fips_constseg static const unsigned char hmac_sha1_pr_returnedbits[] = {
+ 0x8e, 0xcb, 0xa3, 0x64, 0xb2, 0xb8, 0x33, 0x6c, 0x64, 0x3b, 0x78, 0x16,
+ 0x99, 0x35, 0xc8, 0x30, 0xcb, 0x3e, 0xa0, 0xd8
+};
+
+/* HMAC SHA-1 No PR */
+__fips_constseg static const unsigned char hmac_sha1_entropyinput[] = {
+ 0x32, 0x9a, 0x2a, 0x87, 0x7b, 0x89, 0x7c, 0xf6, 0xcb, 0x95, 0xd5, 0x40,
+ 0x17, 0xfe, 0x47, 0x70
+};
+
+__fips_constseg static const unsigned char hmac_sha1_nonce[] = {
+ 0x16, 0xd8, 0xe0, 0xc7, 0x52, 0xcf, 0x4a, 0x25
+};
+
+__fips_constseg static const unsigned char hmac_sha1_personalizationstring[] = {
+ 0x35, 0x35, 0xa9, 0xa5, 0x40, 0xbe, 0x9b, 0xd1, 0x56, 0xdd, 0x44, 0x00,
+ 0x72, 0xf7, 0xd3, 0x5e
+};
+
+__fips_constseg static const unsigned char hmac_sha1_additionalinput[] = {
+ 0x1b, 0x2c, 0x84, 0x2d, 0x4a, 0x89, 0x8f, 0x69, 0x19, 0xf1, 0xf3, 0xdb,
+ 0xbb, 0xe3, 0xaa, 0xea
+};
+
+__fips_constseg static const unsigned char hmac_sha1_int_returnedbits[] = {
+ 0xcf, 0xfa, 0x7d, 0x72, 0x0f, 0xe6, 0xc7, 0x96, 0xa0, 0x69, 0x31, 0x11,
+ 0x9b, 0x0b, 0x1a, 0x20, 0x1f, 0x3f, 0xaa, 0xd1
+};
+
+__fips_constseg static const unsigned char hmac_sha1_entropyinputreseed[] = {
+ 0x90, 0x75, 0x15, 0x04, 0x95, 0xf1, 0xba, 0x81, 0x0c, 0x37, 0x94, 0x6f,
+ 0x86, 0x52, 0x6d, 0x9c
+};
+
+__fips_constseg static const unsigned char hmac_sha1_additionalinputreseed[] = {
+ 0x5b, 0x40, 0xba, 0x5f, 0x17, 0x70, 0xf0, 0x4b, 0xdf, 0xc9, 0x97, 0x92,
+ 0x79, 0xc5, 0x82, 0x28
+};
+
+__fips_constseg static const unsigned char hmac_sha1_additionalinput2[] = {
+ 0x97, 0xc8, 0x80, 0x90, 0xb3, 0xaa, 0x6e, 0x60, 0xea, 0x83, 0x7a, 0xe3,
+ 0x8a, 0xca, 0xa4, 0x7f
+};
+
+__fips_constseg static const unsigned char hmac_sha1_returnedbits[] = {
+ 0x90, 0xbd, 0x05, 0x56, 0x6d, 0xb5, 0x22, 0xd5, 0xb9, 0x5a, 0x29, 0x2d,
+ 0xe9, 0x0b, 0xe1, 0xac, 0xde, 0x27, 0x0b, 0xb0
+};
+
+/* HMAC SHA-224 PR */
+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinput[] = {
+ 0x17, 0x32, 0x2b, 0x2e, 0x6f, 0x1b, 0x9c, 0x6d, 0x31, 0xe0, 0x34, 0x07,
+ 0xcf, 0xed, 0xf6, 0xb6, 0x5a, 0x76, 0x4c, 0xbc, 0x62, 0x85, 0x01, 0x90
+};
+
+__fips_constseg static const unsigned char hmac_sha224_pr_nonce[] = {
+ 0x38, 0xbf, 0x5f, 0x20, 0xb3, 0x68, 0x2f, 0x43, 0x61, 0x05, 0x8f, 0x23
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha224_pr_personalizationstring[] = {
+ 0xc0, 0xc9, 0x45, 0xac, 0x8d, 0x27, 0x77, 0x08, 0x0b, 0x17, 0x6d, 0xed,
+ 0xc1, 0x7d, 0xd5, 0x07, 0x9d, 0x6e, 0xf8, 0x23, 0x2a, 0x22, 0x13, 0xbd
+};
+
+__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput[] = {
+ 0xa4, 0x3c, 0xe7, 0x3b, 0xea, 0x19, 0x45, 0x32, 0xc2, 0x83, 0x6d, 0x21,
+ 0x8a, 0xc0, 0xee, 0x67, 0x45, 0xde, 0x13, 0x7d, 0x9d, 0x61, 0x00, 0x3b
+};
+
+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr[] = {
+ 0x15, 0x05, 0x74, 0x4a, 0x7f, 0x8d, 0x5c, 0x60, 0x16, 0xe5, 0x7b, 0xad,
+ 0xf5, 0x41, 0x8f, 0x55, 0x60, 0xc4, 0x09, 0xee, 0x1e, 0x11, 0x81, 0xab
+};
+
+__fips_constseg static const unsigned char hmac_sha224_pr_int_returnedbits[] = {
+ 0x6f, 0xf5, 0x9a, 0xe2, 0x54, 0x53, 0x30, 0x3d, 0x5a, 0x27, 0x29, 0x38,
+ 0x27, 0xf2, 0x0d, 0x05, 0xe9, 0x26, 0xcb, 0x16, 0xc3, 0x51, 0x5f, 0x13,
+ 0x41, 0xfe, 0x99, 0xf2
+};
+
+__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput2[] = {
+ 0x73, 0x81, 0x88, 0x84, 0x8f, 0xed, 0x6f, 0x10, 0x9f, 0x93, 0xbf, 0x17,
+ 0x35, 0x7c, 0xef, 0xd5, 0x8d, 0x26, 0xa6, 0x7a, 0xe8, 0x09, 0x36, 0x4f
+};
+
+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr2[] = {
+ 0xe6, 0xcf, 0xcf, 0x7e, 0x12, 0xe5, 0x43, 0xd2, 0x38, 0xd8, 0x24, 0x6f,
+ 0x5a, 0x37, 0x68, 0xbf, 0x4f, 0xa0, 0xff, 0xd5, 0x61, 0x8a, 0x93, 0xe0
+};
+
+__fips_constseg static const unsigned char hmac_sha224_pr_returnedbits[] = {
+ 0xaf, 0xf9, 0xd8, 0x19, 0x91, 0x30, 0x82, 0x6f, 0xa9, 0x1e, 0x9d, 0xd7,
+ 0xf3, 0x50, 0xe0, 0xc7, 0xd5, 0x64, 0x96, 0x7d, 0x4c, 0x4d, 0x78, 0x03,
+ 0x6d, 0xd8, 0x9e, 0x72
+};
+
+/* HMAC SHA-224 No PR */
+__fips_constseg static const unsigned char hmac_sha224_entropyinput[] = {
+ 0x11, 0x82, 0xfd, 0xd9, 0x42, 0xf4, 0xfa, 0xc8, 0xf2, 0x41, 0xe6, 0x54,
+ 0x01, 0xae, 0x22, 0x6e, 0xc6, 0xaf, 0xaf, 0xd0, 0xa6, 0xb2, 0xe2, 0x6d
+};
+
+__fips_constseg static const unsigned char hmac_sha224_nonce[] = {
+ 0xa9, 0x48, 0xd7, 0x92, 0x39, 0x7e, 0x2a, 0xdc, 0x30, 0x1f, 0x0e, 0x2b
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha224_personalizationstring[] = {
+ 0x11, 0xd5, 0xf4, 0xbd, 0x67, 0x8c, 0x31, 0xcf, 0xa3, 0x3f, 0x1e, 0x6b,
+ 0xa8, 0x07, 0x02, 0x0b, 0xc8, 0x2e, 0x6c, 0x64, 0x41, 0x5b, 0xc8, 0x37
+};
+
+__fips_constseg static const unsigned char hmac_sha224_additionalinput[] = {
+ 0x68, 0x18, 0xc2, 0x06, 0xeb, 0x3e, 0x04, 0x95, 0x44, 0x5e, 0xfb, 0xe6,
+ 0x41, 0xc1, 0x5c, 0xcc, 0x40, 0x2f, 0xb7, 0xd2, 0x0f, 0xf3, 0x6b, 0xe7
+};
+
+__fips_constseg static const unsigned char hmac_sha224_int_returnedbits[] = {
+ 0x7f, 0x45, 0xc7, 0x5d, 0x32, 0xe6, 0x17, 0x60, 0xba, 0xdc, 0xb8, 0x42,
+ 0x1b, 0x9c, 0xf1, 0xfa, 0x3b, 0x4d, 0x29, 0x54, 0xc6, 0x90, 0xff, 0x5c,
+ 0xcd, 0xd6, 0xa9, 0xcc
+};
+
+__fips_constseg static const unsigned char hmac_sha224_entropyinputreseed[] = {
+ 0xc4, 0x8e, 0x37, 0x95, 0x69, 0x53, 0x28, 0xd7, 0x37, 0xbb, 0x70, 0x95,
+ 0x1c, 0x07, 0x1d, 0xd9, 0xb7, 0xe6, 0x1b, 0xbb, 0xfe, 0x41, 0xeb, 0xc9
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha224_additionalinputreseed[] = {
+ 0x53, 0x17, 0xa1, 0x6a, 0xfa, 0x77, 0x47, 0xb0, 0x95, 0x56, 0x9a, 0x20,
+ 0x57, 0xde, 0x5c, 0x89, 0x9f, 0x7f, 0xe2, 0xde, 0x17, 0x3a, 0x50, 0x23
+};
+
+__fips_constseg static const unsigned char hmac_sha224_additionalinput2[] = {
+ 0x3a, 0x32, 0xf9, 0x85, 0x0c, 0xc1, 0xed, 0x76, 0x2d, 0xdf, 0x40, 0xc3,
+ 0x06, 0x22, 0x66, 0xd4, 0x9a, 0x9a, 0xff, 0x5a, 0x7e, 0x7a, 0xf3, 0x96
+};
+
+__fips_constseg static const unsigned char hmac_sha224_returnedbits[] = {
+ 0x43, 0xb4, 0x57, 0x5c, 0x38, 0x25, 0x9d, 0xae, 0xec, 0x96, 0xd1, 0x85,
+ 0x3a, 0x84, 0x8d, 0xfe, 0x68, 0xd5, 0x0e, 0x5c, 0x8f, 0x65, 0xa5, 0x4e,
+ 0x45, 0x84, 0xa8, 0x94
+};
+
+/* HMAC SHA-256 PR */
+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinput[] = {
+ 0x4d, 0xb0, 0x43, 0xd8, 0x34, 0x4b, 0x10, 0x70, 0xb1, 0x8b, 0xed, 0xea,
+ 0x07, 0x92, 0x9f, 0x6c, 0x79, 0x31, 0xaf, 0x81, 0x29, 0xeb, 0x6e, 0xca,
+ 0x32, 0x48, 0x28, 0xe7, 0x02, 0x5d, 0xa6, 0xa6
+};
+
+__fips_constseg static const unsigned char hmac_sha256_pr_nonce[] = {
+ 0x3a, 0xae, 0x15, 0xa9, 0x99, 0xdc, 0xe4, 0x67, 0x34, 0x3b, 0x70, 0x15,
+ 0xaa, 0xd3, 0x30, 0x9a
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha256_pr_personalizationstring[] = {
+ 0x13, 0x1d, 0x24, 0x04, 0xb0, 0x18, 0x81, 0x15, 0x21, 0x51, 0x2a, 0x24,
+ 0x52, 0x61, 0xbe, 0x64, 0x82, 0x6b, 0x55, 0x2f, 0xe2, 0xf1, 0x40, 0x7d,
+ 0x71, 0xd8, 0x01, 0x86, 0x15, 0xb7, 0x8b, 0xb5
+};
+
+__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput[] = {
+ 0x8f, 0xa6, 0x54, 0x5f, 0xb1, 0xd0, 0xd8, 0xc3, 0xe7, 0x0c, 0x15, 0xa9,
+ 0x23, 0x6e, 0xfe, 0xfb, 0x93, 0xf7, 0x3a, 0xbd, 0x59, 0x01, 0xfa, 0x18,
+ 0x8e, 0xe9, 0x1a, 0xa9, 0x78, 0xfc, 0x79, 0x0b
+};
+
+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr[] = {
+ 0xcf, 0x24, 0xb9, 0xeb, 0xb3, 0xd4, 0xcd, 0x17, 0x37, 0x38, 0x75, 0x79,
+ 0x15, 0xcb, 0x2d, 0x75, 0x51, 0xf1, 0xcc, 0xaa, 0x32, 0xa4, 0xa7, 0x36,
+ 0x7c, 0x5c, 0xe4, 0x47, 0xf1, 0x3e, 0x1d, 0xe5
+};
+
+__fips_constseg static const unsigned char hmac_sha256_pr_int_returnedbits[] = {
+ 0x52, 0x42, 0xfa, 0xeb, 0x85, 0xe0, 0x30, 0x22, 0x79, 0x00, 0x16, 0xb2,
+ 0x88, 0x2f, 0x14, 0x6a, 0xb7, 0xfc, 0xb7, 0x53, 0xdc, 0x4a, 0x12, 0xef,
+ 0x54, 0xd6, 0x33, 0xe9, 0x20, 0xd6, 0xfd, 0x56
+};
+
+__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput2[] = {
+ 0xf4, 0xf6, 0x49, 0xa1, 0x2d, 0x64, 0x2b, 0x30, 0x58, 0xf8, 0xbd, 0xb8,
+ 0x75, 0xeb, 0xbb, 0x5e, 0x1c, 0x9b, 0x81, 0x6a, 0xda, 0x14, 0x86, 0x6e,
+ 0xd0, 0xda, 0x18, 0xb7, 0x88, 0xfb, 0x59, 0xf3
+};
+
+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr2[] = {
+ 0x21, 0xcd, 0x6e, 0x46, 0xad, 0x99, 0x07, 0x17, 0xb4, 0x3d, 0x76, 0x0a,
+ 0xff, 0x5b, 0x52, 0x50, 0x78, 0xdf, 0x1f, 0x24, 0x06, 0x0d, 0x3f, 0x74,
+ 0xa9, 0xc9, 0x37, 0xcf, 0xd8, 0x26, 0x25, 0x91
+};
+
+__fips_constseg static const unsigned char hmac_sha256_pr_returnedbits[] = {
+ 0xa7, 0xaf, 0x2f, 0x29, 0xe0, 0x3a, 0x72, 0x95, 0x96, 0x1c, 0xa9, 0xf0,
+ 0x4a, 0x17, 0x4d, 0x66, 0x06, 0x10, 0xbf, 0x39, 0x89, 0x88, 0xb8, 0x91,
+ 0x37, 0x18, 0x99, 0xcf, 0x8c, 0x53, 0x3b, 0x7e
+};
+
+/* HMAC SHA-256 No PR */
+__fips_constseg static const unsigned char hmac_sha256_entropyinput[] = {
+ 0x96, 0xb7, 0x53, 0x22, 0x1e, 0x52, 0x2a, 0x96, 0xb1, 0x15, 0x3c, 0x35,
+ 0x5a, 0x8b, 0xd3, 0x4a, 0xa6, 0x6c, 0x83, 0x0a, 0x7d, 0xa3, 0x23, 0x3d,
+ 0x43, 0xa1, 0x07, 0x2c, 0x2d, 0xe3, 0x81, 0xcc
+};
+
+__fips_constseg static const unsigned char hmac_sha256_nonce[] = {
+ 0xf1, 0xac, 0x97, 0xcb, 0x5e, 0x06, 0x48, 0xd2, 0x94, 0xbe, 0x15, 0x2e,
+ 0xc7, 0xfc, 0xc2, 0x01
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha256_personalizationstring[] = {
+ 0x98, 0xc5, 0x1e, 0x35, 0x5e, 0x89, 0x0d, 0xce, 0x64, 0x6d, 0x18, 0xa7,
+ 0x5a, 0xc6, 0xf3, 0xe7, 0xd6, 0x9e, 0xc0, 0xea, 0xb7, 0x3a, 0x8d, 0x65,
+ 0xb8, 0xeb, 0x10, 0xd7, 0x57, 0x18, 0xa0, 0x32
+};
+
+__fips_constseg static const unsigned char hmac_sha256_additionalinput[] = {
+ 0x1b, 0x10, 0xaf, 0xac, 0xd0, 0x65, 0x95, 0xad, 0x04, 0xad, 0x03, 0x1c,
+ 0xe0, 0x40, 0xd6, 0x3e, 0x1c, 0x46, 0x53, 0x39, 0x7c, 0xe2, 0xbc, 0xda,
+ 0x8c, 0xa2, 0x33, 0xa7, 0x9a, 0x26, 0xd3, 0x27
+};
+
+__fips_constseg static const unsigned char hmac_sha256_int_returnedbits[] = {
+ 0xba, 0x61, 0x0e, 0x55, 0xfe, 0x11, 0x8a, 0x9e, 0x0f, 0x80, 0xdf, 0x1d,
+ 0x03, 0x0a, 0xfe, 0x15, 0x94, 0x28, 0x4b, 0xba, 0xf4, 0x9f, 0x51, 0x25,
+ 0x88, 0xe5, 0x4e, 0xfb, 0xaf, 0xce, 0x69, 0x90
+};
+
+__fips_constseg static const unsigned char hmac_sha256_entropyinputreseed[] = {
+ 0x62, 0x7f, 0x1e, 0x6b, 0xe8, 0x8e, 0xe1, 0x35, 0x7d, 0x9b, 0x4f, 0xc7,
+ 0xec, 0xc8, 0xac, 0xef, 0x6b, 0x13, 0x9e, 0x05, 0x56, 0xc1, 0x08, 0xf9,
+ 0x2f, 0x0f, 0x27, 0x9c, 0xd4, 0x15, 0xed, 0x2d
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha256_additionalinputreseed[] = {
+ 0xc7, 0x76, 0x6e, 0xa9, 0xd2, 0xb2, 0x76, 0x40, 0x82, 0x25, 0x2c, 0xb3,
+ 0x6f, 0xac, 0xe9, 0x74, 0xef, 0x8f, 0x3c, 0x8e, 0xcd, 0xf1, 0xbf, 0xb3,
+ 0x49, 0x77, 0x34, 0x88, 0x52, 0x36, 0xe6, 0x2e
+};
+
+__fips_constseg static const unsigned char hmac_sha256_additionalinput2[] = {
+ 0x8d, 0xb8, 0x0c, 0xd1, 0xbf, 0x70, 0xf6, 0x19, 0xc3, 0x41, 0x80, 0x9f,
+ 0xe1, 0xa5, 0xa4, 0x1f, 0x2c, 0x26, 0xb1, 0xe5, 0xd8, 0xeb, 0xbe, 0xf8,
+ 0xdf, 0x88, 0x6a, 0x89, 0xd6, 0x05, 0xd8, 0x9d
+};
+
+__fips_constseg static const unsigned char hmac_sha256_returnedbits[] = {
+ 0x43, 0x12, 0x2a, 0x2c, 0x40, 0x53, 0x2e, 0x7c, 0x66, 0x34, 0xac, 0xc3,
+ 0x43, 0xe3, 0xe0, 0x6a, 0xfc, 0xfa, 0xea, 0x87, 0x21, 0x1f, 0xe2, 0x26,
+ 0xc4, 0xf9, 0x09, 0x9a, 0x0d, 0x6e, 0x7f, 0xe0
+};
+
+/* HMAC SHA-384 PR */
+__fips_constseg static const unsigned char hmac_sha384_pr_entropyinput[] = {
+ 0x69, 0x81, 0x98, 0x88, 0x44, 0xf5, 0xd6, 0x2e, 0x00, 0x08, 0x3b, 0xc5,
+ 0xfb, 0xd7, 0x8e, 0x6f, 0x23, 0xf8, 0x6d, 0x09, 0xd6, 0x85, 0x49, 0xd1,
+ 0xf8, 0x6d, 0xa4, 0x58, 0x54, 0xfd, 0x88, 0xa9
+};
+
+__fips_constseg static const unsigned char hmac_sha384_pr_nonce[] = {
+ 0x6e, 0x38, 0x81, 0xca, 0xb7, 0xe8, 0x6e, 0x66, 0x49, 0x8a, 0xb2, 0x59,
+ 0xee, 0x16, 0xc9, 0xde
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha384_pr_personalizationstring[] = {
+ 0xfe, 0x4c, 0xd9, 0xf4, 0x78, 0x3b, 0x08, 0x41, 0x8d, 0x8f, 0x55, 0xc4,
+ 0x43, 0x56, 0xb6, 0x12, 0x36, 0x6b, 0x30, 0xb7, 0x5e, 0xe1, 0xb9, 0x47,
+ 0x04, 0xb1, 0x4e, 0xa9, 0x00, 0xa1, 0x52, 0xa1
+};
+
+__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput[] = {
+ 0x89, 0xe9, 0xcc, 0x8f, 0x27, 0x3c, 0x26, 0xd1, 0x95, 0xc8, 0x7d, 0x0f,
+ 0x5b, 0x1a, 0xf0, 0x78, 0x39, 0x56, 0x6f, 0xa4, 0x23, 0xe7, 0xd1, 0xda,
+ 0x7c, 0x66, 0x33, 0xa0, 0x90, 0xc9, 0x92, 0x88
+};
+
+__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr[] = {
+ 0xbe, 0x3d, 0x7c, 0x0d, 0xca, 0xda, 0x7c, 0x49, 0xb8, 0x12, 0x36, 0xc0,
+ 0xdb, 0xad, 0x35, 0xa8, 0xc7, 0x0b, 0x2a, 0x2c, 0x69, 0x6d, 0x25, 0x56,
+ 0x63, 0x82, 0x11, 0x3e, 0xa7, 0x33, 0x70, 0x72
+};
+
+__fips_constseg static const unsigned char hmac_sha384_pr_int_returnedbits[] = {
+ 0x82, 0x3d, 0xe6, 0x54, 0x80, 0x42, 0xf8, 0xba, 0x90, 0x4f, 0x06, 0xa6,
+ 0xd2, 0x7f, 0xbf, 0x79, 0x7c, 0x12, 0x7d, 0xa6, 0xa2, 0x66, 0xe8, 0xa6,
+ 0xc0, 0xd6, 0x4a, 0x55, 0xbf, 0xd8, 0x0a, 0xc5, 0xf8, 0x03, 0x88, 0xdd,
+ 0x8e, 0x87, 0xd1, 0x5a, 0x48, 0x26, 0x72, 0x2a, 0x8e, 0xcf, 0xee, 0xba
+};
+
+__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput2[] = {
+ 0x8f, 0xff, 0xd9, 0x84, 0xbb, 0x85, 0x3a, 0x66, 0xa1, 0x21, 0xce, 0xb2,
+ 0x3a, 0x3a, 0x17, 0x22, 0x19, 0xae, 0xc7, 0xb6, 0x63, 0x81, 0xd5, 0xff,
+ 0x0d, 0xc8, 0xe1, 0xaf, 0x57, 0xd2, 0xcb, 0x60
+};
+
+__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr2[] = {
+ 0xd7, 0xfb, 0xc9, 0xe8, 0xe2, 0xf2, 0xaa, 0x4c, 0xb8, 0x51, 0x2f, 0xe1,
+ 0x22, 0xba, 0xf3, 0xda, 0x0a, 0x19, 0x76, 0x71, 0x57, 0xb2, 0x1d, 0x94,
+ 0x09, 0x69, 0x6c, 0xd3, 0x97, 0x51, 0x81, 0x87
+};
+
+__fips_constseg static const unsigned char hmac_sha384_pr_returnedbits[] = {
+ 0xe6, 0x19, 0x28, 0xa8, 0x21, 0xce, 0x5e, 0xdb, 0x24, 0x79, 0x8c, 0x76,
+ 0x5d, 0x73, 0xb2, 0xdf, 0xac, 0xef, 0x85, 0xa7, 0x3b, 0x19, 0x09, 0x8b,
+ 0x7f, 0x98, 0x28, 0xa9, 0x93, 0xd8, 0x7a, 0xad, 0x55, 0x8b, 0x24, 0x9d,
+ 0xe6, 0x98, 0xfe, 0x47, 0xd5, 0x48, 0xc1, 0x23, 0xd8, 0x1d, 0x62, 0x75
+};
+
+/* HMAC SHA-384 No PR */
+__fips_constseg static const unsigned char hmac_sha384_entropyinput[] = {
+ 0xc3, 0x56, 0x2b, 0x1d, 0xc2, 0xbb, 0xa8, 0xf0, 0xae, 0x1b, 0x0d, 0xd3,
+ 0x5a, 0x6c, 0xda, 0x57, 0x8e, 0xa5, 0x8a, 0x0d, 0x6c, 0x4b, 0x18, 0xb1,
+ 0x04, 0x3e, 0xb4, 0x99, 0x35, 0xc4, 0xc0, 0x5f
+};
+
+__fips_constseg static const unsigned char hmac_sha384_nonce[] = {
+ 0xc5, 0x49, 0x1e, 0x66, 0x27, 0x92, 0xbe, 0xec, 0xb5, 0x1e, 0x4b, 0xb1,
+ 0x38, 0xe3, 0xeb, 0x62
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha384_personalizationstring[] = {
+ 0xbe, 0xe7, 0x6b, 0x57, 0xde, 0x88, 0x11, 0x96, 0x9b, 0x6e, 0xea, 0xe5,
+ 0x63, 0x83, 0x4c, 0xb6, 0x8d, 0x66, 0xaa, 0x1f, 0x8b, 0x54, 0xe7, 0x62,
+ 0x6d, 0x5a, 0xfc, 0xbf, 0x97, 0xba, 0xcd, 0x77
+};
+
+__fips_constseg static const unsigned char hmac_sha384_additionalinput[] = {
+ 0xe5, 0x28, 0x5f, 0x43, 0xf5, 0x83, 0x6e, 0x0a, 0x83, 0x5c, 0xe3, 0x81,
+ 0x03, 0xf2, 0xf8, 0x78, 0x00, 0x7c, 0x95, 0x87, 0x16, 0xd6, 0x6c, 0x58,
+ 0x33, 0x6c, 0x53, 0x35, 0x0d, 0x66, 0xe3, 0xce
+};
+
+__fips_constseg static const unsigned char hmac_sha384_int_returnedbits[] = {
+ 0xe2, 0x1f, 0xf3, 0xda, 0x0d, 0x19, 0x99, 0x87, 0xc4, 0x90, 0xa2, 0x31,
+ 0xca, 0x2a, 0x89, 0x58, 0x43, 0x44, 0xb8, 0xde, 0xcf, 0xa4, 0xbe, 0x3b,
+ 0x53, 0x26, 0x22, 0x31, 0x76, 0x41, 0x22, 0xb5, 0xa8, 0x70, 0x2f, 0x4b,
+ 0x64, 0x95, 0x4d, 0x48, 0x96, 0x35, 0xe6, 0xbd, 0x3c, 0x34, 0xdb, 0x1b
+};
+
+__fips_constseg static const unsigned char hmac_sha384_entropyinputreseed[] = {
+ 0x77, 0x61, 0xba, 0xbc, 0xf2, 0xc1, 0xf3, 0x4b, 0x86, 0x65, 0xfd, 0x48,
+ 0x0e, 0x3c, 0x02, 0x5e, 0xa2, 0x7a, 0x6b, 0x7c, 0xed, 0x21, 0x5e, 0xf9,
+ 0xcd, 0xcd, 0x77, 0x07, 0x2b, 0xbe, 0xc5, 0x5c
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha384_additionalinputreseed[] = {
+ 0x18, 0x24, 0x5f, 0xc6, 0x84, 0xd1, 0x67, 0xc3, 0x9a, 0x11, 0xa5, 0x8c,
+ 0x07, 0x39, 0x21, 0x83, 0x4d, 0x04, 0xc4, 0x6a, 0x28, 0x19, 0xcf, 0x92,
+ 0x21, 0xd9, 0x9e, 0x41, 0x72, 0x6c, 0x9e, 0x63
+};
+
+__fips_constseg static const unsigned char hmac_sha384_additionalinput2[] = {
+ 0x96, 0x67, 0x41, 0x28, 0x9b, 0xb7, 0x92, 0x8d, 0x64, 0x3b, 0xe4, 0xcf,
+ 0x7e, 0xaa, 0x1e, 0xb1, 0x4b, 0x1d, 0x09, 0x56, 0x67, 0x9c, 0xc6, 0x6d,
+ 0x3b, 0xe8, 0x91, 0x9d, 0xe1, 0x8a, 0xb7, 0x32
+};
+
+__fips_constseg static const unsigned char hmac_sha384_returnedbits[] = {
+ 0xe3, 0x59, 0x61, 0x38, 0x92, 0xec, 0xe2, 0x3c, 0xff, 0xb7, 0xdb, 0x19,
+ 0x0f, 0x5b, 0x93, 0x68, 0x0d, 0xa4, 0x94, 0x40, 0x72, 0x0b, 0xe0, 0xed,
+ 0x4d, 0xcd, 0x68, 0xa0, 0x1e, 0xfe, 0x67, 0xb2, 0xfa, 0x21, 0x56, 0x74,
+ 0xa4, 0xad, 0xcf, 0xb7, 0x60, 0x66, 0x2e, 0x40, 0xde, 0x82, 0xca, 0xfb
+};
+
+/* HMAC SHA-512 PR */
+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinput[] = {
+ 0xaa, 0x9e, 0x45, 0x67, 0x0e, 0x00, 0x2a, 0x67, 0x98, 0xd6, 0xda, 0x0b,
+ 0x0f, 0x17, 0x7e, 0xac, 0xfd, 0x27, 0xc4, 0xca, 0x84, 0xdf, 0xde, 0xba,
+ 0x85, 0xd9, 0xbe, 0x8f, 0xf3, 0xff, 0x91, 0x4d
+};
+
+__fips_constseg static const unsigned char hmac_sha512_pr_nonce[] = {
+ 0x8c, 0x49, 0x2f, 0x58, 0x1e, 0x7a, 0xda, 0x4b, 0x7e, 0x8a, 0x30, 0x7b,
+ 0x86, 0xea, 0xaf, 0xa2
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha512_pr_personalizationstring[] = {
+ 0x71, 0xe1, 0xbb, 0xad, 0xa7, 0x4b, 0x2e, 0x31, 0x3b, 0x0b, 0xec, 0x24,
+ 0x99, 0x38, 0xbc, 0xaa, 0x05, 0x4c, 0x46, 0x44, 0xfa, 0xad, 0x8e, 0x02,
+ 0xc1, 0x7e, 0xad, 0xec, 0x54, 0xa6, 0xd0, 0xad
+};
+
+__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput[] = {
+ 0x3d, 0x6e, 0xa6, 0xa8, 0x29, 0x2a, 0xb2, 0xf5, 0x98, 0x42, 0xe4, 0x92,
+ 0x78, 0x22, 0x67, 0xfd, 0x1b, 0x15, 0x1e, 0x29, 0xaa, 0x71, 0x3c, 0x3c,
+ 0xe7, 0x05, 0x20, 0xa9, 0x29, 0xc6, 0x75, 0x71
+};
+
+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr[] = {
+ 0xab, 0xb9, 0x16, 0xd8, 0x55, 0x35, 0x54, 0xb7, 0x97, 0x3f, 0x94, 0xbc,
+ 0x2f, 0x7c, 0x70, 0xc7, 0xd0, 0xed, 0xb7, 0x4b, 0xf7, 0xf6, 0x6c, 0x03,
+ 0x0c, 0xb0, 0x03, 0xd8, 0xbb, 0x71, 0xd9, 0x10
+};
+
+__fips_constseg static const unsigned char hmac_sha512_pr_int_returnedbits[] = {
+ 0x8e, 0xd3, 0xfd, 0x52, 0x9e, 0x83, 0x08, 0x49, 0x18, 0x6e, 0x23, 0x56,
+ 0x5c, 0x45, 0x93, 0x34, 0x05, 0xe2, 0x98, 0x8f, 0x0c, 0xd4, 0x32, 0x0c,
+ 0xfd, 0xda, 0x5f, 0x92, 0x3a, 0x8c, 0x81, 0xbd, 0xf6, 0x6c, 0x55, 0xfd,
+ 0xb8, 0x20, 0xce, 0x8d, 0x97, 0x27, 0xe8, 0xe8, 0xe0, 0xb3, 0x85, 0x50,
+ 0xa2, 0xc2, 0xb2, 0x95, 0x1d, 0x48, 0xd3, 0x7b, 0x4b, 0x78, 0x13, 0x35,
+ 0x05, 0x17, 0xbe, 0x0d
+};
+
+__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput2[] = {
+ 0xc3, 0xfc, 0x95, 0xaa, 0x69, 0x06, 0xae, 0x59, 0x41, 0xce, 0x26, 0x08,
+ 0x29, 0x6d, 0x45, 0xda, 0xe8, 0xb3, 0x6c, 0x95, 0x60, 0x0f, 0x70, 0x2c,
+ 0x10, 0xba, 0x38, 0x8c, 0xcf, 0x29, 0x99, 0xaa
+};
+
+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr2[] = {
+ 0x3b, 0x9a, 0x25, 0xce, 0xd7, 0xf9, 0x5c, 0xd1, 0x3a, 0x3e, 0xaa, 0x71,
+ 0x14, 0x3e, 0x19, 0xe8, 0xce, 0xe6, 0xfe, 0x51, 0x84, 0xe9, 0x1b, 0xfe,
+ 0x3f, 0xa7, 0xf2, 0xfd, 0x76, 0x5f, 0x6a, 0xe7
+};
+
+__fips_constseg static const unsigned char hmac_sha512_pr_returnedbits[] = {
+ 0xb7, 0x82, 0xa9, 0x57, 0x81, 0x67, 0x53, 0xb5, 0xa1, 0xe9, 0x3d, 0x35,
+ 0xf9, 0xe4, 0x97, 0xbe, 0xa6, 0xca, 0xf1, 0x01, 0x13, 0x09, 0xe7, 0x21,
+ 0xc0, 0xed, 0x93, 0x5d, 0x4b, 0xf4, 0xeb, 0x8d, 0x53, 0x25, 0x8a, 0xc4,
+ 0xb1, 0x6f, 0x6e, 0x37, 0xcd, 0x2e, 0xac, 0x39, 0xb2, 0xb6, 0x99, 0xa3,
+ 0x82, 0x00, 0xb0, 0x21, 0xf0, 0xc7, 0x2f, 0x4c, 0x73, 0x92, 0xfd, 0x00,
+ 0xb6, 0xaf, 0xbc, 0xd3
+};
+
+/* HMAC SHA-512 No PR */
+__fips_constseg static const unsigned char hmac_sha512_entropyinput[] = {
+ 0x6e, 0x85, 0xe6, 0x25, 0x96, 0x29, 0xa7, 0x52, 0x5b, 0x60, 0xba, 0xaa,
+ 0xde, 0xdb, 0x36, 0x0a, 0x51, 0x9a, 0x15, 0xae, 0x6e, 0x18, 0xd3, 0xfe,
+ 0x39, 0xb9, 0x4a, 0x96, 0xf8, 0x77, 0xcb, 0x95
+};
+
+__fips_constseg static const unsigned char hmac_sha512_nonce[] = {
+ 0xe0, 0xa6, 0x5d, 0x08, 0xc3, 0x7c, 0xae, 0x25, 0x2e, 0x80, 0xd1, 0x3e,
+ 0xd9, 0xaf, 0x43, 0x3c
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha512_personalizationstring[] = {
+ 0x53, 0x99, 0x52, 0x5f, 0x11, 0xa9, 0x64, 0x66, 0x20, 0x5e, 0x1b, 0x5f,
+ 0x42, 0xb3, 0xf4, 0xda, 0xed, 0xbb, 0x63, 0xc1, 0x23, 0xaf, 0xd0, 0x01,
+ 0x90, 0x3b, 0xd0, 0x78, 0xe4, 0x0b, 0xa7, 0x20
+};
+
+__fips_constseg static const unsigned char hmac_sha512_additionalinput[] = {
+ 0x85, 0x90, 0x80, 0xd3, 0x98, 0xf1, 0x53, 0x6d, 0x68, 0x15, 0x8f, 0xe5,
+ 0x60, 0x3f, 0x17, 0x29, 0x55, 0x8d, 0x33, 0xb1, 0x45, 0x64, 0x64, 0x8d,
+ 0x50, 0x21, 0x89, 0xae, 0xf6, 0xfd, 0x32, 0x73
+};
+
+__fips_constseg static const unsigned char hmac_sha512_int_returnedbits[] = {
+ 0x28, 0x56, 0x30, 0x6f, 0xf4, 0xa1, 0x48, 0xe0, 0xc9, 0xf5, 0x75, 0x90,
+ 0xcc, 0xfb, 0xdf, 0xdf, 0x71, 0x3d, 0x0a, 0x9a, 0x03, 0x65, 0x3b, 0x18,
+ 0x61, 0xe3, 0xd1, 0xda, 0xcc, 0x4a, 0xfe, 0x55, 0x38, 0xf8, 0x21, 0x6b,
+ 0xfa, 0x18, 0x01, 0x42, 0x39, 0x2f, 0x99, 0x53, 0x38, 0x15, 0x82, 0x34,
+ 0xc5, 0x93, 0x92, 0xbc, 0x4d, 0x75, 0x1a, 0x5f, 0x21, 0x27, 0xcc, 0xa1,
+ 0xb1, 0x57, 0x69, 0xe8
+};
+
+__fips_constseg static const unsigned char hmac_sha512_entropyinputreseed[] = {
+ 0x8c, 0x52, 0x7e, 0x77, 0x72, 0x3f, 0xa3, 0x04, 0x97, 0x10, 0x9b, 0x41,
+ 0xbd, 0xe8, 0xff, 0x89, 0xed, 0x80, 0xe3, 0xbd, 0xaa, 0x12, 0x2d, 0xca,
+ 0x75, 0x82, 0x36, 0x77, 0x88, 0xcd, 0xa6, 0x73
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha512_additionalinputreseed[] = {
+ 0x7e, 0x32, 0xe3, 0x69, 0x69, 0x07, 0x34, 0xa2, 0x16, 0xa2, 0x5d, 0x1a,
+ 0x10, 0x91, 0xd3, 0xe2, 0x21, 0xa2, 0xa3, 0xdd, 0xcd, 0x0c, 0x09, 0x86,
+ 0x11, 0xe1, 0x50, 0xff, 0x5c, 0xb7, 0xeb, 0x5c
+};
+
+__fips_constseg static const unsigned char hmac_sha512_additionalinput2[] = {
+ 0x7f, 0x78, 0x66, 0xd8, 0xfb, 0x67, 0xcf, 0x8d, 0x8c, 0x08, 0x30, 0xa5,
+ 0xf8, 0x7d, 0xcf, 0x44, 0x59, 0xce, 0xf8, 0xdf, 0x58, 0xd3, 0x60, 0xcb,
+ 0xa8, 0x60, 0xb9, 0x07, 0xc4, 0xb1, 0x95, 0x48
+};
+
+__fips_constseg static const unsigned char hmac_sha512_returnedbits[] = {
+ 0xdf, 0xa7, 0x36, 0xd4, 0xdc, 0x5d, 0x4d, 0x31, 0xad, 0x69, 0x46, 0x9f,
+ 0xf1, 0x7c, 0xd7, 0x3b, 0x4f, 0x55, 0xf2, 0xd7, 0xb9, 0x9d, 0xad, 0x7a,
+ 0x79, 0x08, 0x59, 0xa5, 0xdc, 0x74, 0xf5, 0x9b, 0x73, 0xd2, 0x13, 0x25,
+ 0x0b, 0x81, 0x08, 0x08, 0x25, 0xfb, 0x39, 0xf2, 0xf0, 0xa3, 0xa4, 0x8d,
+ 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79,
+ 0xc2, 0xd6, 0xfd, 0xa5
+};
diff -up openssl-1.1.0f/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.0f/crypto/fips/fips_dsa_selftest.c
--- openssl-1.1.0f/crypto/fips/fips_dsa_selftest.c.fips 2017-06-02 14:14:25.465421319 +0200
+++ openssl-1.1.0f/crypto/fips/fips_dsa_selftest.c 2017-06-02 14:14:25.465421319 +0200
@@ -0,0 +1,195 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/dsa.h>
+#include <openssl/fips.h>
+#include "internal/fips_int.h"
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+#include "fips_locl.h"
+
+#ifdef OPENSSL_FIPS
+
+static const unsigned char dsa_test_2048_p[] = {
+ 0xa8, 0x53, 0x78, 0xd8, 0xfd, 0x3f, 0x8d, 0x72, 0xec, 0x74, 0x18, 0x08,
+ 0x0d, 0xa2, 0x13, 0x17, 0xe4, 0x3e, 0xc4, 0xb6, 0x2b, 0xa8, 0xc8, 0x62,
+ 0x3b, 0x7e, 0x4d, 0x04, 0x44, 0x1d, 0xd1, 0xa0, 0x65, 0x86, 0x62, 0x59,
+ 0x64, 0x93, 0xca, 0x8e, 0x9e, 0x8f, 0xbb, 0x7e, 0x34, 0xaa, 0xdd, 0xb6,
+ 0x2e, 0x5d, 0x67, 0xb6, 0xd0, 0x9a, 0x6e, 0x61, 0xb7, 0x69, 0xe7, 0xc3,
+ 0x52, 0xaa, 0x2b, 0x10, 0xe2, 0x0c, 0xa0, 0x63, 0x69, 0x63, 0xb5, 0x52,
+ 0x3e, 0x86, 0x47, 0x0d, 0xec, 0xbb, 0xed, 0xa0, 0x27, 0xe7, 0x97, 0xe7,
+ 0xb6, 0x76, 0x35, 0xd4, 0xd4, 0x9c, 0x30, 0x70, 0x0e, 0x74, 0xaf, 0x8a,
+ 0x0f, 0xf1, 0x56, 0xa8, 0x01, 0xaf, 0x57, 0xa2, 0x6e, 0x70, 0x78, 0xf1,
+ 0xd8, 0x2f, 0x74, 0x90, 0x8e, 0xcb, 0x6d, 0x07, 0xe7, 0x0b, 0x35, 0x03,
+ 0xee, 0xd9, 0x4f, 0xa3, 0x2c, 0xf1, 0x7a, 0x7f, 0xc3, 0xd6, 0xcf, 0x40,
+ 0xdc, 0x7b, 0x00, 0x83, 0x0e, 0x6a, 0x25, 0x66, 0xdc, 0x07, 0x3e, 0x34,
+ 0x33, 0x12, 0x51, 0x7c, 0x6a, 0xa5, 0x15, 0x2b, 0x4b, 0xfe, 0xcd, 0x2e,
+ 0x55, 0x1f, 0xee, 0x34, 0x63, 0x18, 0xa1, 0x53, 0x42, 0x3c, 0x99, 0x6b,
+ 0x0d, 0x5d, 0xcb, 0x91, 0x02, 0xae, 0xdd, 0x38, 0x79, 0x86, 0x16, 0xf1,
+ 0xf1, 0xe0, 0xd6, 0xc4, 0x03, 0x52, 0x5b, 0x1f, 0x9b, 0x3d, 0x4d, 0xc7,
+ 0x66, 0xde, 0x2d, 0xfc, 0x4a, 0x56, 0xd7, 0xb8, 0xba, 0x59, 0x63, 0xd6,
+ 0x0f, 0x3e, 0x16, 0x31, 0x88, 0x70, 0xad, 0x43, 0x69, 0x52, 0xe5, 0x57,
+ 0x65, 0x37, 0x4e, 0xab, 0x85, 0xe8, 0xec, 0x17, 0xd6, 0xb9, 0xa4, 0x54,
+ 0x7b, 0x9b, 0x5f, 0x27, 0x52, 0xf3, 0x10, 0x5b, 0xe8, 0x09, 0xb2, 0x3a,
+ 0x2c, 0x8d, 0x74, 0x69, 0xdb, 0x02, 0xe2, 0x4d, 0x59, 0x23, 0x94, 0xa7,
+ 0xdb, 0xa0, 0x69, 0xe9
+};
+
+static const unsigned char dsa_test_2048_q[] = {
+ 0xd2, 0x77, 0x04, 0x4e, 0x50, 0xf5, 0xa4, 0xe3, 0xf5, 0x10, 0xa5, 0x0a,
+ 0x0b, 0x84, 0xfd, 0xff, 0xbc, 0xa0, 0x47, 0xed, 0x27, 0x60, 0x20, 0x56,
+ 0x74, 0x41, 0xa0, 0xa5
+};
+
+static const unsigned char dsa_test_2048_g[] = {
+ 0x13, 0xd7, 0x54, 0xe2, 0x1f, 0xd2, 0x41, 0x65, 0x5d, 0xa8, 0x91, 0xc5,
+ 0x22, 0xa6, 0x5a, 0x72, 0xa8, 0x9b, 0xdc, 0x64, 0xec, 0x9b, 0x54, 0xa8,
+ 0x21, 0xed, 0x4a, 0x89, 0x8b, 0x49, 0x0e, 0x0c, 0x4f, 0xcb, 0x72, 0x19,
+ 0x2a, 0x4a, 0x20, 0xf5, 0x41, 0xf3, 0xf2, 0x92, 0x53, 0x99, 0xf0, 0xba,
+ 0xec, 0xf9, 0x29, 0xaa, 0xfb, 0xf7, 0x9d, 0xfe, 0x43, 0x32, 0x39, 0x3b,
+ 0x32, 0xcd, 0x2e, 0x2f, 0xcf, 0x27, 0x2f, 0x32, 0xa6, 0x27, 0x43, 0x4a,
+ 0x0d, 0xf2, 0x42, 0xb7, 0x5b, 0x41, 0x4d, 0xf3, 0x72, 0x12, 0x1e, 0x53,
+ 0xa5, 0x53, 0xf2, 0x22, 0xf8, 0x36, 0xb0, 0x00, 0xf0, 0x16, 0x48, 0x5b,
+ 0x6b, 0xd0, 0x89, 0x84, 0x51, 0x80, 0x1d, 0xcd, 0x8d, 0xe6, 0x4c, 0xd5,
+ 0x36, 0x56, 0x96, 0xff, 0xc5, 0x32, 0xd5, 0x28, 0xc5, 0x06, 0x62, 0x0a,
+ 0x94, 0x2a, 0x03, 0x05, 0x04, 0x6d, 0x8f, 0x18, 0x76, 0x34, 0x1f, 0x1e,
+ 0x57, 0x0b, 0xc3, 0x97, 0x4b, 0xa6, 0xb9, 0xa4, 0x38, 0xe9, 0x70, 0x23,
+ 0x02, 0xa2, 0xe6, 0xe6, 0x7b, 0xfd, 0x06, 0xd3, 0x2b, 0xc6, 0x79, 0x96,
+ 0x22, 0x71, 0xd7, 0xb4, 0x0c, 0xd7, 0x2f, 0x38, 0x6e, 0x64, 0xe0, 0xd7,
+ 0xef, 0x86, 0xca, 0x8c, 0xa5, 0xd1, 0x42, 0x28, 0xdc, 0x2a, 0x4f, 0x16,
+ 0xe3, 0x18, 0x98, 0x86, 0xb5, 0x99, 0x06, 0x74, 0xf4, 0x20, 0x0f, 0x3a,
+ 0x4c, 0xf6, 0x5a, 0x3f, 0x0d, 0xdb, 0xa1, 0xfa, 0x67, 0x2d, 0xff, 0x2f,
+ 0x5e, 0x14, 0x3d, 0x10, 0xe4, 0xe9, 0x7a, 0xe8, 0x4f, 0x6d, 0xa0, 0x95,
+ 0x35, 0xd5, 0xb9, 0xdf, 0x25, 0x91, 0x81, 0xa7, 0x9b, 0x63, 0xb0, 0x69,
+ 0xe9, 0x49, 0x97, 0x2b, 0x02, 0xba, 0x36, 0xb3, 0x58, 0x6a, 0xab, 0x7e,
+ 0x45, 0xf3, 0x22, 0xf8, 0x2e, 0x4e, 0x85, 0xca, 0x3a, 0xb8, 0x55, 0x91,
+ 0xb3, 0xc2, 0xa9, 0x66
+};
+
+static const unsigned char dsa_test_2048_pub_key[] = {
+ 0x24, 0x52, 0xf3, 0xcc, 0xbe, 0x9e, 0xd5, 0xca, 0x7d, 0xc7, 0x4c, 0x60,
+ 0x2b, 0x99, 0x22, 0x6e, 0x8f, 0x2f, 0xab, 0x38, 0xe7, 0xd7, 0xdd, 0xfb,
+ 0x75, 0x53, 0x9b, 0x17, 0x15, 0x5e, 0x9f, 0xcf, 0xd1, 0xab, 0xa5, 0x64,
+ 0xeb, 0x85, 0x35, 0xd8, 0x12, 0xc9, 0xc2, 0xdc, 0xf9, 0x72, 0x84, 0x44,
+ 0x1b, 0xc4, 0x82, 0x24, 0x36, 0x24, 0xc7, 0xf4, 0x57, 0x58, 0x0c, 0x1c,
+ 0x38, 0xa5, 0x7c, 0x46, 0xc4, 0x57, 0x39, 0x24, 0x70, 0xed, 0xb5, 0x2c,
+ 0xb5, 0xa6, 0xe0, 0x3f, 0xe6, 0x28, 0x7b, 0xb6, 0xf4, 0x9a, 0x42, 0xa2,
+ 0x06, 0x5a, 0x05, 0x4f, 0x03, 0x08, 0x39, 0xdf, 0x1f, 0xd3, 0x14, 0x9c,
+ 0x4c, 0xa0, 0x53, 0x1d, 0xd8, 0xca, 0x8a, 0xaa, 0x9c, 0xc7, 0x33, 0x71,
+ 0x93, 0x38, 0x73, 0x48, 0x33, 0x61, 0x18, 0x22, 0x45, 0x45, 0xe8, 0x8c,
+ 0x80, 0xff, 0xd8, 0x76, 0x5d, 0x74, 0x36, 0x03, 0x33, 0xcc, 0xab, 0x99,
+ 0x72, 0x77, 0x9b, 0x65, 0x25, 0xa6, 0x5b, 0xdd, 0x0d, 0x10, 0xc6, 0x75,
+ 0xc1, 0x09, 0xbb, 0xd3, 0xe5, 0xbe, 0x4d, 0x72, 0xef, 0x6e, 0xba, 0x6e,
+ 0x43, 0x8d, 0x52, 0x26, 0x23, 0x7d, 0xb8, 0x88, 0x37, 0x9c, 0x5f, 0xcc,
+ 0x47, 0xa3, 0x84, 0x7f, 0xf6, 0x37, 0x11, 0xba, 0xed, 0x6d, 0x03, 0xaf,
+ 0xe8, 0x1e, 0x69, 0x4a, 0x41, 0x3b, 0x68, 0x0b, 0xd3, 0x8a, 0xb4, 0x90,
+ 0x3f, 0x83, 0x70, 0xa7, 0x07, 0xef, 0x55, 0x1d, 0x49, 0x41, 0x02, 0x6d,
+ 0x95, 0x79, 0xd6, 0x91, 0xde, 0x8e, 0xda, 0xa1, 0x61, 0x05, 0xeb, 0x9d,
+ 0xba, 0x3c, 0x2f, 0x4c, 0x1b, 0xec, 0x50, 0x82, 0x75, 0xaa, 0x02, 0x07,
+ 0xe2, 0x51, 0xb5, 0xec, 0xcb, 0x28, 0x6a, 0x4b, 0x01, 0xd4, 0x49, 0xd3,
+ 0x0a, 0xcb, 0x67, 0x37, 0x17, 0xa0, 0xd2, 0xfb, 0x3b, 0x50, 0xc8, 0x93,
+ 0xf7, 0xda, 0xb1, 0x4f
+};
+
+static const unsigned char dsa_test_2048_priv_key[] = {
+ 0x0c, 0x4b, 0x30, 0x89, 0xd1, 0xb8, 0x62, 0xcb, 0x3c, 0x43, 0x64, 0x91,
+ 0xf0, 0x91, 0x54, 0x70, 0xc5, 0x27, 0x96, 0xe3, 0xac, 0xbe, 0xe8, 0x00,
+ 0xec, 0x55, 0xf6, 0xcc
+};
+
+int FIPS_selftest_dsa()
+{
+ DSA *dsa = NULL;
+ EVP_PKEY *pk = NULL;
+ int ret = -1;
+ BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL;
+
+ fips_load_key_component(p, dsa_test_2048);
+ fips_load_key_component(q, dsa_test_2048);
+ fips_load_key_component(g, dsa_test_2048);
+ fips_load_key_component(pub_key, dsa_test_2048);
+ fips_load_key_component(priv_key, dsa_test_2048);
+
+ dsa = DSA_new();
+
+ if (dsa == NULL)
+ goto err;
+
+ DSA_set0_pqg(dsa, p, q, g);
+
+ DSA_set0_key(dsa, pub_key, priv_key);
+
+ if ((pk = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ EVP_PKEY_assign_DSA(pk, dsa);
+
+ if (!fips_pkey_signature_test(pk, NULL, 0,
+ NULL, 0, EVP_sha256(), 0, "DSA SHA256"))
+ goto err;
+ ret = 1;
+
+ err:
+ if (pk)
+ EVP_PKEY_free(pk);
+ else if (dsa)
+ DSA_free(dsa);
+ else {
+ BN_free(p);
+ BN_free(q);
+ BN_free(g);
+ BN_free(pub_key);
+ BN_free(priv_key);
+ }
+ return ret;
+}
+#endif
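Review bot: The ownership transfers in FIPS_selftest_dsa are never checked: DSA_set0_pqg, DSA_set0_key and EVP_PKEY_assign_DSA return 0 without taking ownership when handed a NULL component or key, yet the err: cleanup frees only the outermost object it finds and so assumes every transfer succeeded — a failed EVP_PKEY_assign_DSA leaks dsa, and the self-test still runs against a key that may be incomplete. Whether a NULL BIGNUM can reach DSA_set0_pqg depends on fips_load_key_component, which is defined outside this hunk; if that macro does not bail out on its own, the result of each BN_bin2bn needs a check here as well. Checking each return and clearing the pointers once ownership has moved lets the cleanup free every handle unconditionally (EVP_PKEY_free, DSA_free and BN_free all accept NULL). The signature `int FIPS_selftest_dsa()` is an old-style non-prototype declaration; the sibling FIPS_selftest_ecdh uses `(void)`, which this one should match.
```c
int FIPS_selftest_dsa(void)
{
    /* … unchanged: declarations, fips_load_key_component calls, DSA_new … */

    if (!DSA_set0_pqg(dsa, p, q, g))
        goto err;
    p = q = g = NULL;               /* now owned by dsa */

    if (!DSA_set0_key(dsa, pub_key, priv_key))
        goto err;
    pub_key = priv_key = NULL;      /* now owned by dsa */

    if ((pk = EVP_PKEY_new()) == NULL)
        goto err;

    if (!EVP_PKEY_assign_DSA(pk, dsa))
        goto err;
    dsa = NULL;                     /* now owned by pk */

    /* … unchanged: fips_pkey_signature_test call, ret = 1 … */

 err:
    /* whatever is still non-NULL here is unowned; all of these accept NULL */
    EVP_PKEY_free(pk);
    DSA_free(dsa);
    BN_free(p);
    BN_free(q);
    BN_free(g);
    BN_free(pub_key);
    BN_free(priv_key);
    return ret;
}
```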
diff -up openssl-1.1.0f/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.0f/crypto/fips/fips_ecdh_selftest.c
--- openssl-1.1.0f/crypto/fips/fips_ecdh_selftest.c.fips 2017-06-02 14:14:25.465421319 +0200
+++ openssl-1.1.0f/crypto/fips/fips_ecdh_selftest.c 2017-06-02 14:14:25.465421319 +0200
@@ -0,0 +1,242 @@
+/* fips/ecdh/fips_ecdh_selftest.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2011.
+ */
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#define OPENSSL_FIPSAPI
+
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/ec.h>
+#include <openssl/ecdh.h>
+#include <openssl/fips.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+
+#ifdef OPENSSL_FIPS
+
+# include "fips_locl.h"
+
+static const unsigned char p256_qcavsx[] = {
+ 0x52, 0xc6, 0xa5, 0x75, 0xf3, 0x04, 0x98, 0xb3, 0x29, 0x66, 0x0c, 0x62,
+ 0x18, 0x60, 0x55, 0x41, 0x59, 0xd4, 0x60, 0x85, 0x99, 0xc1, 0x51, 0x13,
+ 0x6f, 0x97, 0x85, 0x93, 0x33, 0x34, 0x07, 0x50
+};
+
+static const unsigned char p256_qcavsy[] = {
+ 0x6f, 0x69, 0x24, 0xeb, 0xe9, 0x3b, 0xa7, 0xcc, 0x47, 0x17, 0xaa, 0x3f,
+ 0x70, 0xfc, 0x10, 0x73, 0x0a, 0xcd, 0x21, 0xee, 0x29, 0x19, 0x1f, 0xaf,
+ 0xb4, 0x1c, 0x1e, 0xc2, 0x8e, 0x97, 0x81, 0x6e
+};
+
+static const unsigned char p256_qiutx[] = {
+ 0x71, 0x46, 0x88, 0x08, 0x92, 0x21, 0x1b, 0x10, 0x21, 0x74, 0xff, 0x0c,
+ 0x94, 0xde, 0x34, 0x7c, 0x86, 0x74, 0xbe, 0x67, 0x41, 0x68, 0xd4, 0xc1,
+ 0xe5, 0x75, 0x63, 0x9c, 0xa7, 0x46, 0x93, 0x6f
+};
+
+static const unsigned char p256_qiuty[] = {
+ 0x33, 0x40, 0xa9, 0x6a, 0xf5, 0x20, 0xb5, 0x9e, 0xfc, 0x60, 0x1a, 0xae,
+ 0x3d, 0xf8, 0x21, 0xd2, 0xa7, 0xca, 0x52, 0x34, 0xb9, 0x5f, 0x27, 0x75,
+ 0x6c, 0x81, 0xbe, 0x32, 0x4d, 0xba, 0xbb, 0xf8
+};
+
+static const unsigned char p256_qiutd[] = {
+ 0x1a, 0x48, 0x55, 0x6b, 0x11, 0xbe, 0x92, 0xd4, 0x1c, 0xd7, 0x45, 0xc3,
+ 0x82, 0x81, 0x51, 0xf1, 0x23, 0x40, 0xb7, 0x83, 0xfd, 0x01, 0x6d, 0xbc,
+ 0xa1, 0x66, 0xaf, 0x0a, 0x03, 0x23, 0xcd, 0xc8
+};
+
+static const unsigned char p256_ziut[] = {
+ 0x77, 0x2a, 0x1e, 0x37, 0xee, 0xe6, 0x51, 0x02, 0x71, 0x40, 0xf8, 0x6a,
+ 0x36, 0xf8, 0x65, 0x61, 0x2b, 0x18, 0x71, 0x82, 0x23, 0xe6, 0xf2, 0x77,
+ 0xce, 0xec, 0xb8, 0x49, 0xc7, 0xbf, 0x36, 0x4f
+};
+
+typedef struct {
+ int curve;
+ const unsigned char *x1;
+ size_t x1len;
+ const unsigned char *y1;
+ size_t y1len;
+ const unsigned char *d1;
+ size_t d1len;
+ const unsigned char *x2;
+ size_t x2len;
+ const unsigned char *y2;
+ size_t y2len;
+ const unsigned char *z;
+ size_t zlen;
+} ECDH_SELFTEST_DATA;
+
+# define make_ecdh_test(nid, pr) { nid, \
+ pr##_qiutx, sizeof(pr##_qiutx), \
+ pr##_qiuty, sizeof(pr##_qiuty), \
+ pr##_qiutd, sizeof(pr##_qiutd), \
+ pr##_qcavsx, sizeof(pr##_qcavsx), \
+ pr##_qcavsy, sizeof(pr##_qcavsy), \
+ pr##_ziut, sizeof(pr##_ziut) }
+
+static ECDH_SELFTEST_DATA test_ecdh_data[] = {
+ make_ecdh_test(NID_X9_62_prime256v1, p256),
+};
+
+int FIPS_selftest_ecdh(void)
+{
+ EC_KEY *ec1 = NULL, *ec2 = NULL;
+ const EC_POINT *ecp = NULL;
+ BIGNUM *x = NULL, *y = NULL, *d = NULL;
+ unsigned char *ztmp = NULL;
+ int rv = 1;
+ size_t i;
+
+ for (i = 0; i < sizeof(test_ecdh_data) / sizeof(ECDH_SELFTEST_DATA); i++) {
+ ECDH_SELFTEST_DATA *ecd = test_ecdh_data + i;
+ if (!fips_post_started(FIPS_TEST_ECDH, ecd->curve, 0))
+ continue;
+ ztmp = OPENSSL_malloc(ecd->zlen);
+
+ x = BN_bin2bn(ecd->x1, ecd->x1len, x);
+ y = BN_bin2bn(ecd->y1, ecd->y1len, y);
+ d = BN_bin2bn(ecd->d1, ecd->d1len, d);
+
+ if (!x || !y || !d || !ztmp) {
+ rv = -1;
+ goto err;
+ }
+
+ ec1 = EC_KEY_new_by_curve_name(ecd->curve);
+ if (!ec1) {
+ rv = -1;
+ goto err;
+ }
+ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
+
+ if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) {
+ rv = -1;
+ goto err;
+ }
+
+ if (!EC_KEY_set_private_key(ec1, d)) {
+ rv = -1;
+ goto err;
+ }
+
+ x = BN_bin2bn(ecd->x2, ecd->x2len, x);
+ y = BN_bin2bn(ecd->y2, ecd->y2len, y);
+
+ if (!x || !y) {
+ rv = -1;
+ goto err;
+ }
+
+ ec2 = EC_KEY_new_by_curve_name(ecd->curve);
+ if (!ec2) {
+ rv = -1;
+ goto err;
+ }
+ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
+
+ if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) {
+ rv = -1;
+ goto err;
+ }
+
+ ecp = EC_KEY_get0_public_key(ec2);
+ if (!ecp) {
+ rv = -1;
+ goto err;
+ }
+
+ if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) {
+ rv = -1;
+ goto err;
+ }
+
+ if (!fips_post_corrupt(FIPS_TEST_ECDH, ecd->curve, NULL))
+ ztmp[0] ^= 0x1;
+
+ if (memcmp(ztmp, ecd->z, ecd->zlen)) {
+ fips_post_failed(FIPS_TEST_ECDH, ecd->curve, 0);
+ rv = 0;
+ } else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0))
+ goto err;
+
+ EC_KEY_free(ec1);
+ ec1 = NULL;
+ EC_KEY_free(ec2);
+ ec2 = NULL;
+ OPENSSL_free(ztmp);
+ ztmp = NULL;
+ }
+
+ err:
+
+ if (x)
+ BN_clear_free(x);
+ if (y)
+ BN_clear_free(y);
+ if (d)
+ BN_clear_free(d);
+ if (ec1)
+ EC_KEY_free(ec1);
+ if (ec2)
+ EC_KEY_free(ec2);
+ if (ztmp)
+ OPENSSL_free(ztmp);
+
+ return rv;
+
+}
+
+#endif
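Review bot: The line `EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);` that follows `ec2 = EC_KEY_new_by_curve_name(ecd->curve)` repeats the call already made for ec1, so ec2 is never flagged; it reads as a copy-paste slip for `EC_KEY_set_flags(ec2, EC_FLAG_COFACTOR_ECDH);`. This is likely harmless for the computed secret, since ECDH_compute_key takes the cofactor behaviour from ec1 (the key holding the private scalar) and ec2 only supplies the peer point, but the duplicated line misleads anyone checking that both keys are set up symmetrically. Separately, the `if (x) BN_clear_free(x);` style guards in the err: block are redundant: BN_clear_free, EC_KEY_free and OPENSSL_free accept NULL in 1.1.0, so the block can call them unconditionally.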
diff -up openssl-1.1.0f/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.0f/crypto/fips/fips_ecdsa_selftest.c
--- openssl-1.1.0f/crypto/fips/fips_ecdsa_selftest.c.fips 2017-06-02 14:14:25.465421319 +0200
+++ openssl-1.1.0f/crypto/fips/fips_ecdsa_selftest.c 2017-06-02 14:14:25.465421319 +0200
@@ -0,0 +1,166 @@
+/* fips/ecdsa/fips_ecdsa_selftest.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2011.
+ */
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#define OPENSSL_FIPSAPI
+
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/ec.h>
+#include <openssl/ecdsa.h>
+#include <openssl/fips.h>
+#include "internal/fips_int.h"
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+
+#ifdef OPENSSL_FIPS
+
+static const char P_256_name[] = "ECDSA P-256";
+
+static const unsigned char P_256_d[] = {
+ 0x51, 0xbd, 0x06, 0xa1, 0x1c, 0xda, 0xe2, 0x12, 0x99, 0xc9, 0x52, 0x3f,
+ 0xea, 0xa4, 0xd2, 0xd1, 0xf4, 0x7f, 0xd4, 0x3e, 0xbd, 0xf8, 0xfc, 0x87,
+ 0xdc, 0x82, 0x53, 0x21, 0xee, 0xa0, 0xdc, 0x64
+};
+
+static const unsigned char P_256_qx[] = {
+ 0x23, 0x89, 0xe0, 0xf4, 0x69, 0xe0, 0x49, 0xe5, 0xc7, 0xe5, 0x40, 0x6e,
+ 0x8f, 0x25, 0xdd, 0xad, 0x11, 0x16, 0x14, 0x9b, 0xab, 0x44, 0x06, 0x31,
+ 0xbf, 0x5e, 0xa6, 0x44, 0xac, 0x86, 0x00, 0x07
+};
+
+static const unsigned char P_256_qy[] = {
+ 0xb3, 0x05, 0x0d, 0xd0, 0xdc, 0xf7, 0x40, 0xe6, 0xf9, 0xd8, 0x6d, 0x7b,
+ 0x63, 0xca, 0x97, 0xe6, 0x12, 0xf9, 0xd4, 0x18, 0x59, 0xbe, 0xb2, 0x5e,
+ 0x4a, 0x6a, 0x77, 0x23, 0xf4, 0x11, 0x9d, 0xeb
+};
+
+typedef struct {
+ int curve;
+ const char *name;
+ const unsigned char *x;
+ size_t xlen;
+ const unsigned char *y;
+ size_t ylen;
+ const unsigned char *d;
+ size_t dlen;
+} EC_SELFTEST_DATA;
+
+# define make_ecdsa_test(nid, pr) { nid, pr##_name, \
+ pr##_qx, sizeof(pr##_qx), \
+ pr##_qy, sizeof(pr##_qy), \
+ pr##_d, sizeof(pr##_d)}
+
+static EC_SELFTEST_DATA test_ec_data[] = {
+ make_ecdsa_test(NID_X9_62_prime256v1, P_256),
+};
+
+int FIPS_selftest_ecdsa()
+{
+ EC_KEY *ec = NULL;
+ BIGNUM *x = NULL, *y = NULL, *d = NULL;
+ EVP_PKEY *pk = NULL;
+ int rv = 0;
+ size_t i;
+
+ for (i = 0; i < sizeof(test_ec_data) / sizeof(EC_SELFTEST_DATA); i++) {
+ EC_SELFTEST_DATA *ecd = test_ec_data + i;
+
+ x = BN_bin2bn(ecd->x, ecd->xlen, x);
+ y = BN_bin2bn(ecd->y, ecd->ylen, y);
+ d = BN_bin2bn(ecd->d, ecd->dlen, d);
+
+ if (!x || !y || !d)
+ goto err;
+
+ ec = EC_KEY_new_by_curve_name(ecd->curve);
+ if (!ec)
+ goto err;
+
+ if (!EC_KEY_set_public_key_affine_coordinates(ec, x, y))
+ goto err;
+
+ if (!EC_KEY_set_private_key(ec, d))
+ goto err;
+
+ if ((pk = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ EVP_PKEY_assign_EC_KEY(pk, ec);
+
+ if (!fips_pkey_signature_test(pk, NULL, 0,
+ NULL, 0, EVP_sha256(), 0, ecd->name))
+ goto err;
+ }
+
+ rv = 1;
+
+ err:
+
+ if (x)
+ BN_clear_free(x);
+ if (y)
+ BN_clear_free(y);
+ if (d)
+ BN_clear_free(d);
+ if (pk)
+ EVP_PKEY_free(pk);
+ else if (ec)
+ EC_KEY_free(ec);
+
+ return rv;
+
+}
+
+#endif
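Review bot: FIPS_selftest_ecdsa only releases `pk` (and the `ec` it owns) after the loop, so every iteration except the last leaks its EVP_PKEY; with a single entry in test_ec_data this is latent, but adding a second curve turns it into a real leak. Free per iteration at the end of the loop body, `EVP_PKEY_free(pk); pk = NULL; ec = NULL;` — `ec` is owned by `pk` after EVP_PKEY_assign_EC_KEY and must not be freed separately. The return value of `EVP_PKEY_assign_EC_KEY` is also unchecked; on failure `pk` is non-NULL but does not own `ec`, so the `err:` cleanup frees neither branch's EC_KEY. Checking it as `if (!EVP_PKEY_assign_EC_KEY(pk, ec)) goto err;` is not enough on its own, since `ec` would then still leak; free `ec` before the goto in that case.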
diff -up openssl-1.1.0f/crypto/fips/fips_enc.c.fips openssl-1.1.0f/crypto/fips/fips_enc.c
--- openssl-1.1.0f/crypto/fips/fips_enc.c.fips 2017-06-02 14:14:25.466421343 +0200
+++ openssl-1.1.0f/crypto/fips/fips_enc.c 2017-06-02 14:14:25.466421343 +0200
@@ -0,0 +1,189 @@
+/* fipe/evp/fips_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#include <openssl/fips.h>
+
+const EVP_CIPHER *FIPS_get_cipherbynid(int nid)
+{
+ switch (nid) {
+ case NID_aes_128_cbc:
+ return EVP_aes_128_cbc();
+
+ case NID_aes_128_ccm:
+ return EVP_aes_128_ccm();
+
+ case NID_aes_128_cfb1:
+ return EVP_aes_128_cfb1();
+
+ case NID_aes_128_cfb128:
+ return EVP_aes_128_cfb128();
+
+ case NID_aes_128_cfb8:
+ return EVP_aes_128_cfb8();
+
+ case NID_aes_128_ctr:
+ return EVP_aes_128_ctr();
+
+ case NID_aes_128_ecb:
+ return EVP_aes_128_ecb();
+
+ case NID_aes_128_gcm:
+ return EVP_aes_128_gcm();
+
+ case NID_aes_128_ofb128:
+ return EVP_aes_128_ofb();
+
+ case NID_aes_128_xts:
+ return EVP_aes_128_xts();
+
+ case NID_aes_192_cbc:
+ return EVP_aes_192_cbc();
+
+ case NID_aes_192_ccm:
+ return EVP_aes_192_ccm();
+
+ case NID_aes_192_cfb1:
+ return EVP_aes_192_cfb1();
+
+ case NID_aes_192_cfb128:
+ return EVP_aes_192_cfb128();
+
+ case NID_aes_192_cfb8:
+ return EVP_aes_192_cfb8();
+
+ case NID_aes_192_ctr:
+ return EVP_aes_192_ctr();
+
+ case NID_aes_192_ecb:
+ return EVP_aes_192_ecb();
+
+ case NID_aes_192_gcm:
+ return EVP_aes_192_gcm();
+
+ case NID_aes_192_ofb128:
+ return EVP_aes_192_ofb();
+
+ case NID_aes_256_cbc:
+ return EVP_aes_256_cbc();
+
+ case NID_aes_256_ccm:
+ return EVP_aes_256_ccm();
+
+ case NID_aes_256_cfb1:
+ return EVP_aes_256_cfb1();
+
+ case NID_aes_256_cfb128:
+ return EVP_aes_256_cfb128();
+
+ case NID_aes_256_cfb8:
+ return EVP_aes_256_cfb8();
+
+ case NID_aes_256_ctr:
+ return EVP_aes_256_ctr();
+
+ case NID_aes_256_ecb:
+ return EVP_aes_256_ecb();
+
+ case NID_aes_256_gcm:
+ return EVP_aes_256_gcm();
+
+ case NID_aes_256_ofb128:
+ return EVP_aes_256_ofb();
+
+ case NID_aes_256_xts:
+ return EVP_aes_256_xts();
+
+ case NID_des_ede_ecb:
+ return EVP_des_ede();
+
+ case NID_des_ede3_ecb:
+ return EVP_des_ede3();
+
+ case NID_des_ede3_cbc:
+ return EVP_des_ede3_cbc();
+
+ case NID_des_ede3_cfb1:
+ return EVP_des_ede3_cfb1();
+
+ case NID_des_ede3_cfb64:
+ return EVP_des_ede3_cfb64();
+
+ case NID_des_ede3_cfb8:
+ return EVP_des_ede3_cfb8();
+
+ case NID_des_ede3_ofb64:
+ return EVP_des_ede3_ofb();
+
+ case NID_des_ede_cbc:
+ return EVP_des_ede_cbc();
+
+ case NID_des_ede_cfb64:
+ return EVP_des_ede_cfb64();
+
+ case NID_des_ede_ofb64:
+ return EVP_des_ede_ofb();
+
+ default:
+ return NULL;
+
+ }
+}
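Review bot: FIPS_get_cipherbynid returns the two-key Triple DES ciphers (`NID_des_ede_ecb`, `NID_des_ede_cbc`, `NID_des_ede_cfb64`, `NID_des_ede_ofb64`) alongside the three-key ones; NIST SP 800-131A disallows two-key TDEA for encryption after 2015 (legacy decryption only), so any caller that treats this table as "what is approved" can be handed a non-approved cipher. Whether the table is consulted as an allow-list is not visible here, but either drop the four `des_ede_*` cases or mark them, and give the function a header comment stating its contract, e.g. `/* Map a cipher NID to the matching EVP_CIPHER, or NULL if the NID is not in the FIPS table; two-key 3DES (des_ede_*) entries are for legacy decryption only. */`. This file also lacks the `#ifdef OPENSSL_FIPS` guard the other new fips_*.c sources in this patch use, so it is compiled into non-FIPS builds too — presumably harmless, but worth confirming that is intended.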
diff -up openssl-1.1.0f/crypto/fips/fips_err.h.fips openssl-1.1.0f/crypto/fips/fips_err.h
--- openssl-1.1.0f/crypto/fips/fips_err.h.fips 2017-06-02 14:14:25.466421343 +0200
+++ openssl-1.1.0f/crypto/fips/fips_err.h 2017-06-02 14:14:25.466421343 +0200
@@ -0,0 +1,196 @@
+/* crypto/fips_err.h */
+/* ====================================================================
+ * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/fips.h>
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+
+# define ERR_FUNC(func) ERR_PACK(ERR_LIB_FIPS,func,0)
+# define ERR_REASON(reason) ERR_PACK(ERR_LIB_FIPS,0,reason)
+
+static ERR_STRING_DATA FIPS_str_functs[] = {
+ {ERR_FUNC(FIPS_F_DH_BUILTIN_GENPARAMS), "dh_builtin_genparams"},
+ {ERR_FUNC(FIPS_F_DRBG_RESEED), "drbg_reseed"},
+ {ERR_FUNC(FIPS_F_DSA_BUILTIN_PARAMGEN2), "dsa_builtin_paramgen2"},
+ {ERR_FUNC(FIPS_F_DSA_DO_SIGN), "DSA_do_sign"},
+ {ERR_FUNC(FIPS_F_DSA_DO_VERIFY), "DSA_do_verify"},
+ {ERR_FUNC(FIPS_F_ECDH_COMPUTE_KEY), "ECDH_compute_key"},
+ {ERR_FUNC(FIPS_F_EVP_CIPHER_CTX_NEW), "EVP_CIPHER_CTX_new"},
+ {ERR_FUNC(FIPS_F_EVP_CIPHER_CTX_RESET), "EVP_CIPHER_CTX_reset"},
+ {ERR_FUNC(FIPS_F_FIPS_CHECK_DSA), "fips_check_dsa"},
+ {ERR_FUNC(FIPS_F_FIPS_CHECK_EC), "fips_check_ec"},
+ {ERR_FUNC(FIPS_F_FIPS_CHECK_RSA), "fips_check_rsa"},
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_BYTES), "fips_drbg_bytes"},
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_CHECK), "fips_drbg_check"},
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_CPRNG_TEST), "fips_drbg_cprng_test"},
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_ERROR_CHECK), "fips_drbg_error_check"},
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_GENERATE), "FIPS_drbg_generate"},
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_INIT), "FIPS_drbg_init"},
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_INSTANTIATE), "FIPS_drbg_instantiate"},
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_NEW), "FIPS_drbg_new"},
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_RESEED), "FIPS_drbg_reseed"},
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_SINGLE_KAT), "FIPS_DRBG_SINGLE_KAT"},
+ {ERR_FUNC(FIPS_F_FIPS_GET_ENTROPY), "fips_get_entropy"},
+ {ERR_FUNC(FIPS_F_FIPS_MODULE_MODE_SET), "FIPS_module_mode_set"},
+ {ERR_FUNC(FIPS_F_FIPS_PKEY_SIGNATURE_TEST), "fips_pkey_signature_test"},
+ {ERR_FUNC(FIPS_F_FIPS_RAND_BYTES), "FIPS_rand_bytes"},
+ {ERR_FUNC(FIPS_F_FIPS_RAND_SEED), "FIPS_rand_seed"},
+ {ERR_FUNC(FIPS_F_FIPS_RAND_SET_METHOD), "FIPS_rand_set_method"},
+ {ERR_FUNC(FIPS_F_FIPS_RAND_STATUS), "FIPS_rand_status"},
+ {ERR_FUNC(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN), "fips_rsa_builtin_keygen"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES), "FIPS_selftest_aes"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_CCM), "FIPS_selftest_aes_ccm"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_GCM), "FIPS_selftest_aes_gcm"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_XTS), "FIPS_selftest_aes_xts"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_CMAC), "FIPS_selftest_cmac"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DES), "FIPS_selftest_des"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"},
+ {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"},
+ {ERR_FUNC(FIPS_F_OSSL_ECDSA_VERIFY_SIG), "ossl_ecdsa_verify_sig"},
+ {ERR_FUNC(FIPS_F_RSA_BUILTIN_KEYGEN), "rsa_builtin_keygen"},
+ {ERR_FUNC(FIPS_F_RSA_OSSL_INIT), "rsa_ossl_init"},
+ {ERR_FUNC(FIPS_F_RSA_OSSL_PRIVATE_DECRYPT), "rsa_ossl_private_decrypt"},
+ {ERR_FUNC(FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT), "rsa_ossl_private_encrypt"},
+ {ERR_FUNC(FIPS_F_RSA_OSSL_PUBLIC_DECRYPT), "rsa_ossl_public_decrypt"},
+ {ERR_FUNC(FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT), "rsa_ossl_public_encrypt"},
+ {0, NULL}
+};
+
+static ERR_STRING_DATA FIPS_str_reasons[] = {
+ {ERR_REASON(FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED),
+ "additional input error undetected"},
+ {ERR_REASON(FIPS_R_ADDITIONAL_INPUT_TOO_LONG),
+ "additional input too long"},
+ {ERR_REASON(FIPS_R_ALREADY_INSTANTIATED), "already instantiated"},
+ {ERR_REASON(FIPS_R_DRBG_NOT_INITIALISED), "drbg not initialised"},
+ {ERR_REASON(FIPS_R_DRBG_STUCK), "drbg stuck"},
+ {ERR_REASON(FIPS_R_ENTROPY_ERROR_UNDETECTED), "entropy error undetected"},
+ {ERR_REASON(FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED),
+ "entropy not requested for reseed"},
+ {ERR_REASON(FIPS_R_ENTROPY_SOURCE_STUCK), "entropy source stuck"},
+ {ERR_REASON(FIPS_R_ERROR_INITIALISING_DRBG), "error initialising drbg"},
+ {ERR_REASON(FIPS_R_ERROR_INSTANTIATING_DRBG), "error instantiating drbg"},
+ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT),
+ "error retrieving additional input"},
+ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ENTROPY), "error retrieving entropy"},
+ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_NONCE), "error retrieving nonce"},
+ {ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH),
+ "fingerprint does not match"},
+ {ERR_REASON(FIPS_R_FIPS_MODE_ALREADY_SET), "fips mode already set"},
+ {ERR_REASON(FIPS_R_FIPS_SELFTEST_FAILED), "fips selftest failed"},
+ {ERR_REASON(FIPS_R_FUNCTION_ERROR), "function error"},
+ {ERR_REASON(FIPS_R_GENERATE_ERROR), "generate error"},
+ {ERR_REASON(FIPS_R_GENERATE_ERROR_UNDETECTED),
+ "generate error undetected"},
+ {ERR_REASON(FIPS_R_INSTANTIATE_ERROR), "instantiate error"},
+ {ERR_REASON(FIPS_R_INTERNAL_ERROR), "internal error"},
+ {ERR_REASON(FIPS_R_INVALID_KEY_LENGTH), "invalid key length"},
+ {ERR_REASON(FIPS_R_IN_ERROR_STATE), "in error state"},
+ {ERR_REASON(FIPS_R_KEY_TOO_SHORT), "key too short"},
+ {ERR_REASON(FIPS_R_NONCE_ERROR_UNDETECTED), "nonce error undetected"},
+ {ERR_REASON(FIPS_R_NON_FIPS_METHOD), "non fips method"},
+ {ERR_REASON(FIPS_R_NOPR_TEST1_FAILURE), "nopr test1 failure"},
+ {ERR_REASON(FIPS_R_NOPR_TEST2_FAILURE), "nopr test2 failure"},
+ {ERR_REASON(FIPS_R_NOT_INSTANTIATED), "not instantiated"},
+ {ERR_REASON(FIPS_R_PAIRWISE_TEST_FAILED), "pairwise test failed"},
+ {ERR_REASON(FIPS_R_PERSONALISATION_ERROR_UNDETECTED),
+ "personalisation error undetected"},
+ {ERR_REASON(FIPS_R_PERSONALISATION_STRING_TOO_LONG),
+ "personalisation string too long"},
+ {ERR_REASON(FIPS_R_PR_TEST1_FAILURE), "pr test1 failure"},
+ {ERR_REASON(FIPS_R_PR_TEST2_FAILURE), "pr test2 failure"},
+ {ERR_REASON(FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED),
+ "request length error undetected"},
+ {ERR_REASON(FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG),
+ "request too large for drbg"},
+ {ERR_REASON(FIPS_R_RESEED_COUNTER_ERROR), "reseed counter error"},
+ {ERR_REASON(FIPS_R_RESEED_ERROR), "reseed error"},
+ {ERR_REASON(FIPS_R_SELFTEST_FAILED), "selftest failed"},
+ {ERR_REASON(FIPS_R_SELFTEST_FAILURE), "selftest failure"},
+ {ERR_REASON(FIPS_R_TEST_FAILURE), "test failure"},
+ {ERR_REASON(FIPS_R_UNINSTANTIATE_ERROR), "uninstantiate error"},
+ {ERR_REASON(FIPS_R_UNINSTANTIATE_ZEROISE_ERROR),
+ "uninstantiate zeroise error"},
+ {ERR_REASON(FIPS_R_UNSUPPORTED_DRBG_TYPE), "unsupported drbg type"},
+ {ERR_REASON(FIPS_R_UNSUPPORTED_PLATFORM), "unsupported platform"},
+ {0, NULL}
+};
+
+#endif
+
+int ERR_load_FIPS_strings(void)
+{
+#ifndef OPENSSL_NO_ERR
+
+ if (ERR_func_error_string(FIPS_str_functs[0].error) == NULL) {
+ ERR_load_strings(0, FIPS_str_functs);
+ ERR_load_strings(0, FIPS_str_reasons);
+ }
+#endif
+ return 1;
+}
diff -up openssl-1.1.0f/crypto/fips/fips_ers.c.fips openssl-1.1.0f/crypto/fips/fips_ers.c
--- openssl-1.1.0f/crypto/fips/fips_ers.c.fips 2017-06-02 14:14:25.466421343 +0200
+++ openssl-1.1.0f/crypto/fips/fips_ers.c 2017-06-02 14:14:25.466421343 +0200
@@ -0,0 +1,7 @@
+#include <openssl/opensslconf.h>
+
+#ifdef OPENSSL_FIPS
+# include "fips_err.h"
+#else
+static void *dummy = &dummy;
+#endif
diff -up openssl-1.1.0f/crypto/fips/fips_hmac_selftest.c.fips openssl-1.1.0f/crypto/fips/fips_hmac_selftest.c
--- openssl-1.1.0f/crypto/fips/fips_hmac_selftest.c.fips 2017-06-02 14:14:25.466421343 +0200
+++ openssl-1.1.0f/crypto/fips/fips_hmac_selftest.c 2017-06-02 14:14:25.466421343 +0200
@@ -0,0 +1,134 @@
+/* ====================================================================
+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string.h>
+#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
+#include <openssl/hmac.h>
+
+#ifdef OPENSSL_FIPS
+typedef struct {
+ const EVP_MD *(*alg) (void);
+ const char *key, *iv;
+ unsigned char kaval[EVP_MAX_MD_SIZE];
+} HMAC_KAT;
+
+static const HMAC_KAT vector[] = {
+ {EVP_sha1,
+ /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */
+ "0123456789:;<=>?@ABC",
+ "Sample #2",
+ {0x09, 0x22, 0xd3, 0x40, 0x5f, 0xaa, 0x3d, 0x19,
+ 0x4f, 0x82, 0xa4, 0x58, 0x30, 0x73, 0x7d, 0x5c,
+ 0xc6, 0xc7, 0x5d, 0x24}
+ },
+ {EVP_sha224,
+ /* just keep extending the above... */
+ "0123456789:;<=>?@ABC",
+ "Sample #2",
+ {0xdd, 0xef, 0x0a, 0x40, 0xcb, 0x7d, 0x50, 0xfb,
+ 0x6e, 0xe6, 0xce, 0xa1, 0x20, 0xba, 0x26, 0xaa,
+ 0x08, 0xf3, 0x07, 0x75, 0x87, 0xb8, 0xad, 0x1b,
+ 0x8c, 0x8d, 0x12, 0xc7}
+ },
+ {EVP_sha256,
+ "0123456789:;<=>?@ABC",
+ "Sample #2",
+ {0xb8, 0xf2, 0x0d, 0xb5, 0x41, 0xea, 0x43, 0x09,
+ 0xca, 0x4e, 0xa9, 0x38, 0x0c, 0xd0, 0xe8, 0x34,
+ 0xf7, 0x1f, 0xbe, 0x91, 0x74, 0xa2, 0x61, 0x38,
+ 0x0d, 0xc1, 0x7e, 0xae, 0x6a, 0x34, 0x51, 0xd9}
+ },
+ {EVP_sha384,
+ "0123456789:;<=>?@ABC",
+ "Sample #2",
+ {0x08, 0xbc, 0xb0, 0xda, 0x49, 0x1e, 0x87, 0xad,
+ 0x9a, 0x1d, 0x6a, 0xce, 0x23, 0xc5, 0x0b, 0xf6,
+ 0xb7, 0x18, 0x06, 0xa5, 0x77, 0xcd, 0x49, 0x04,
+ 0x89, 0xf1, 0xe6, 0x23, 0x44, 0x51, 0x51, 0x9f,
+ 0x85, 0x56, 0x80, 0x79, 0x0c, 0xbd, 0x4d, 0x50,
+ 0xa4, 0x5f, 0x29, 0xe3, 0x93, 0xf0, 0xe8, 0x7f}
+ },
+ {EVP_sha512,
+ "0123456789:;<=>?@ABC",
+ "Sample #2",
+ {0x80, 0x9d, 0x44, 0x05, 0x7c, 0x5b, 0x95, 0x41,
+ 0x05, 0xbd, 0x04, 0x13, 0x16, 0xdb, 0x0f, 0xac,
+ 0x44, 0xd5, 0xa4, 0xd5, 0xd0, 0x89, 0x2b, 0xd0,
+ 0x4e, 0x86, 0x64, 0x12, 0xc0, 0x90, 0x77, 0x68,
+ 0xf1, 0x87, 0xb7, 0x7c, 0x4f, 0xae, 0x2c, 0x2f,
+ 0x21, 0xa5, 0xb5, 0x65, 0x9a, 0x4f, 0x4b, 0xa7,
+ 0x47, 0x02, 0xa3, 0xde, 0x9b, 0x51, 0xf1, 0x45,
+ 0xbd, 0x4f, 0x25, 0x27, 0x42, 0x98, 0x99, 0x05}
+ },
+};
+
+int FIPS_selftest_hmac()
+{
+ int n;
+ unsigned int outlen;
+ unsigned char out[EVP_MAX_MD_SIZE];
+ const EVP_MD *md;
+ const HMAC_KAT *t;
+
+ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) {
+ md = (*t->alg) ();
+ HMAC(md, t->key, strlen(t->key),
+ (const unsigned char *)t->iv, strlen(t->iv), out, &outlen);
+
+ if (memcmp(out, t->kaval, outlen)) {
+ FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC, FIPS_R_SELFTEST_FAILED);
+ return 0;
+ }
+ }
+ return 1;
+}
+#endif
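Review bot: FIPS_selftest_hmac ignores the return value of `HMAC()`; in 1.1.0 it returns NULL on failure, leaving both `out` and `outlen` uninitialized, and if the garbage `outlen` happens to be 0 the `memcmp` returns 0 and the self-test reports success without having checked anything. Fold the check into the comparison: `if (HMAC(md, t->key, strlen(t->key), (const unsigned char *)t->iv, strlen(t->iv), out, &outlen) == NULL || outlen != (unsigned int)EVP_MD_size(md) || memcmp(out, t->kaval, outlen)) {`. Separately, `n` is an `int` compared against `sizeof(vector) / sizeof(vector[0])`, a signed/unsigned mismatch that `-Wsign-compare` flags; declare it `size_t`. The struct field holding the message is named `iv`, which misleads for an HMAC input — `msg` reads better.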
diff -up openssl-1.1.0f/crypto/fips/fips_locl.h.fips openssl-1.1.0f/crypto/fips/fips_locl.h
--- openssl-1.1.0f/crypto/fips/fips_locl.h.fips 2017-06-02 14:14:25.466421343 +0200
+++ openssl-1.1.0f/crypto/fips/fips_locl.h 2017-06-02 14:14:25.466421343 +0200
@@ -0,0 +1,71 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef OPENSSL_FIPS
+
+# ifdef __cplusplus
+extern "C" {
+# endif
+
+# define FIPS_MAX_CIPHER_TEST_SIZE 32
+# define fips_load_key_component(comp, pre) \
+ comp = BN_bin2bn(pre##_##comp, sizeof(pre##_##comp), NULL); \
+ if (!comp) \
+ goto err
+
+# define fips_post_started(id, subid, ex) 1
+# define fips_post_success(id, subid, ex) 1
+# define fips_post_failed(id, subid, ex) 1
+# define fips_post_corrupt(id, subid, ex) 1
+# define fips_post_status() 1
+
+# ifdef __cplusplus
+}
+# endif
+#endif
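Review bot: The `fips_load_key_component` macro expands to two statements (an assignment followed by `if (!comp) goto err`) with no `do { ... } while (0)` wrapper, so an invocation like `if (cond) fips_load_key_component(p, dsa); else ...` attaches the `else` to the macro's inner `if` and compiles silently with the wrong control flow; wrap the expansion in `do { ... } while (0)` so it behaves as one statement. Also, `fips_post_started`, `fips_post_success`, `fips_post_failed` and `fips_post_corrupt` are all hard-wired to 1, so the failure-injection pattern used by callers (`if (!fips_post_corrupt(...)) ztmp[0] ^= 0x1;`) can never fire and `fips_post_failed()` itself does nothing; that is presumably deliberate for this port, but a comment such as `/* POST callback hooks are stubbed out: no failure injection or per-test reporting in this port */` would stop the next reader from assuming instrumentation exists. The header has no include guard beyond `#ifdef OPENSSL_FIPS`; re-inclusion only redefines identical macros, which is legal, but a guard is cheaper than relying on that.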
diff -up openssl-1.1.0f/crypto/fips/fips_md.c.fips openssl-1.1.0f/crypto/fips/fips_md.c
--- openssl-1.1.0f/crypto/fips/fips_md.c.fips 2017-06-02 14:14:25.466421343 +0200
+++ openssl-1.1.0f/crypto/fips/fips_md.c 2017-06-02 14:14:25.466421343 +0200
@@ -0,0 +1,144 @@
+/* fips/evp/fips_md.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* Minimal standalone FIPS versions of Digest operations */
+
+#define OPENSSL_FIPSAPI
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#include <openssl/fips.h>
+
+const EVP_MD *FIPS_get_digestbynid(int nid)
+{
+ switch (nid) {
+ case NID_sha1:
+ return EVP_sha1();
+
+ case NID_sha224:
+ return EVP_sha224();
+
+ case NID_sha256:
+ return EVP_sha256();
+
+ case NID_sha384:
+ return EVP_sha384();
+
+ case NID_sha512:
+ return EVP_sha512();
+
+ default:
+ return NULL;
+ }
+}
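Review bot: The banner comment on the first line of this new file names `fips/evp/fips_md.c`, but the file added by the patch is `crypto/fips/fips_md.c`; the stale path should be corrected or dropped so it does not mislead anyone grepping for the origin. FIPS_get_digestbynid also carries no comment stating its contract, and a reader cannot tell whether the NULL return means "not FIPS-approved" or merely "not handled here". I would add above the definition: `/* Map a digest NID to its EVP_MD. Only SHA-1 and the SHA-2 family (224/256/384/512) are known here; any other NID returns NULL, so callers must check the result. */`, with the intended meaning of NULL spelled out by the author.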
diff -up openssl-1.1.0f/crypto/fips/fips_post.c.fips openssl-1.1.0f/crypto/fips/fips_post.c
--- openssl-1.1.0f/crypto/fips/fips_post.c.fips 2017-06-02 14:14:25.466421343 +0200
+++ openssl-1.1.0f/crypto/fips/fips_post.c 2017-06-02 14:14:25.466421343 +0200
@@ -0,0 +1,222 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#define OPENSSL_FIPSAPI
+
+#include <openssl/crypto.h>
+#include <openssl/rand.h>
+#include <openssl/fips_rand.h>
+#include <openssl/err.h>
+#include <openssl/bio.h>
+#include <openssl/hmac.h>
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/evp.h>
+#include <string.h>
+#include <limits.h>
+
+#ifdef OPENSSL_FIPS
+
+/* Power on self test (POST) support functions */
+
+# include <openssl/fips.h>
+# include "internal/fips_int.h"
+# include "fips_locl.h"
+
+/* Run all selftests */
+int FIPS_selftest(void)
+{
+ int rv = 1;
+ if (!FIPS_selftest_drbg())
+ rv = 0;
+ if (!FIPS_selftest_sha1())
+ rv = 0;
+ if (!FIPS_selftest_sha2())
+ rv = 0;
+ if (!FIPS_selftest_hmac())
+ rv = 0;
+ if (!FIPS_selftest_cmac())
+ rv = 0;
+ if (!FIPS_selftest_aes())
+ rv = 0;
+ if (!FIPS_selftest_aes_ccm())
+ rv = 0;
+ if (!FIPS_selftest_aes_gcm())
+ rv = 0;
+ if (!FIPS_selftest_aes_xts())
+ rv = 0;
+ if (!FIPS_selftest_des())
+ rv = 0;
+ if (!FIPS_selftest_rsa())
+ rv = 0;
+ if (!FIPS_selftest_ecdsa())
+ rv = 0;
+ if (!FIPS_selftest_dsa())
+ rv = 0;
+ if (!FIPS_selftest_dh())
+ rv = 0;
+ if (!FIPS_selftest_ecdh())
+ rv = 0;
+ return rv;
+}
+
+/* Generalized public key test routine. Signs and verifies the data
+ * supplied in tbs using mesage digest md and setting option digest
+ * flags md_flags. If the 'kat' parameter is not NULL it will
+ * additionally check the signature matches it: a known answer test
+ * The string "fail_str" is used for identification purposes in case
+ * of failure. If "pkey" is NULL just perform a message digest check.
+ */
+
+int fips_pkey_signature_test(EVP_PKEY *pkey,
+ const unsigned char *tbs, int tbslen,
+ const unsigned char *kat, unsigned int katlen,
+ const EVP_MD *digest, unsigned int flags,
+ const char *fail_str)
+{
+ int ret = 0;
+ unsigned char sigtmp[256], *sig = sigtmp;
+ size_t siglen = sizeof(sigtmp);
+ EVP_MD_CTX *mctx;
+ EVP_PKEY_CTX *pctx;
+
+ if (digest == NULL)
+ digest = EVP_sha256();
+
+ mctx = EVP_MD_CTX_new();
+
+ if ((EVP_PKEY_id(pkey) == EVP_PKEY_RSA)
+ && (RSA_size(EVP_PKEY_get0_RSA(pkey)) > sizeof(sigtmp))) {
+ sig = OPENSSL_malloc(RSA_size(EVP_PKEY_get0_RSA(pkey)));
+ siglen = RSA_size(EVP_PKEY_get0_RSA(pkey));
+ }
+ if (!sig || ! mctx) {
+ EVP_MD_CTX_free(mctx);
+ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ if (tbslen == -1)
+ tbslen = strlen((char *)tbs);
+
+ if (EVP_DigestSignInit(mctx, &pctx, digest, NULL, pkey) <= 0)
+ goto error;
+
+ if (flags == EVP_MD_CTX_FLAG_PAD_PSS) {
+ EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING);
+ EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 0);
+ }
+
+ if (EVP_DigestSignUpdate(mctx, tbs, tbslen) <= 0)
+ goto error;
+
+ if (EVP_DigestSignFinal(mctx, sig, &siglen) <= 0)
+ goto error;
+
+ if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen)))
+ goto error;
+
+ if (EVP_DigestVerifyInit(mctx, &pctx, digest, NULL, pkey) <= 0)
+ goto error;
+
+ if (flags == EVP_MD_CTX_FLAG_PAD_PSS) {
+ EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING);
+ EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 0);
+ }
+
+ if (EVP_DigestVerifyUpdate(mctx, tbs, tbslen) <= 0)
+ goto error;
+
+ ret = EVP_DigestVerifyFinal(mctx, sig, siglen);
+
+ error:
+ if (sig != sigtmp)
+ OPENSSL_free(sig);
+ EVP_MD_CTX_free(mctx);
+ if (ret <= 0) {
+ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, FIPS_R_TEST_FAILURE);
+ if (fail_str)
+ ERR_add_error_data(2, "Type=", fail_str);
+ return 0;
+ }
+ return 1;
+}
+
+/* Generalized symmetric cipher test routine. Encrypt data, verify result
+ * against known answer, decrypt and compare with original plaintext.
+ */
+
+int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+ const unsigned char *key,
+ const unsigned char *iv,
+ const unsigned char *plaintext,
+ const unsigned char *ciphertext, int len)
+{
+ unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE];
+ unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE];
+
+ OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE);
+ memset(pltmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
+ memset(citmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
+
+ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0)
+ return 0;
+ if (EVP_Cipher(ctx, citmp, plaintext, len) <= 0)
+ return 0;
+ if (memcmp(citmp, ciphertext, len))
+ return 0;
+ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0)
+ return 0;
+ if (EVP_Cipher(ctx, pltmp, citmp, len) <= 0)
+ return 0;
+ if (memcmp(pltmp, plaintext, len))
+ return 0;
+ return 1;
+}
+#endif
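Review bot: The return values of `EVP_PKEY_CTX_set_rsa_padding` and `EVP_PKEY_CTX_set_rsa_pss_saltlen` are discarded in both PSS branches of fips_pkey_signature_test (the block after EVP_DigestSignInit and the one after EVP_DigestVerifyInit), so if either control fails the test silently runs with the default padding and, when `kat` is NULL, still reports success for a scheme it never exercised; each pair should become `if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 0) <= 0) goto error;`. Separately, the header comment promises that a NULL `pkey` performs a digest-only check, but `EVP_PKEY_id(pkey)` is called unconditionally before any such path could be taken, so the comment appears to describe behaviour this version does not implement; either restore that path or remove the sentence. On the allocation-failure path a successfully allocated `sig` is not freed when `mctx` is NULL, a small leak that the `sig != sigtmp` test already used at the error label would close.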
diff -up openssl-1.1.0f/crypto/fips/fips_rand_lcl.h.fips openssl-1.1.0f/crypto/fips/fips_rand_lcl.h
--- openssl-1.1.0f/crypto/fips/fips_rand_lcl.h.fips 2017-06-02 14:14:25.467421366 +0200
+++ openssl-1.1.0f/crypto/fips/fips_rand_lcl.h 2017-06-02 14:14:25.467421366 +0200
@@ -0,0 +1,209 @@
+/* fips/rand/fips_rand_lcl.h */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+typedef struct drbg_hash_ctx_st DRBG_HASH_CTX;
+typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX;
+typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX;
+
+/* 888 bits from 10.1 table 2 */
+#define HASH_PRNG_MAX_SEEDLEN 111
+
+struct drbg_hash_ctx_st {
+ const EVP_MD *md;
+ EVP_MD_CTX *mctx;
+ unsigned char V[HASH_PRNG_MAX_SEEDLEN];
+ unsigned char C[HASH_PRNG_MAX_SEEDLEN];
+ /* Temporary value storage: should always exceed max digest length */
+ unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN];
+};
+
+struct drbg_hmac_ctx_st {
+ const EVP_MD *md;
+ HMAC_CTX *hctx;
+ unsigned char K[EVP_MAX_MD_SIZE];
+ unsigned char V[EVP_MAX_MD_SIZE];
+};
+
+struct drbg_ctr_ctx_st {
+ AES_KEY ks;
+ size_t keylen;
+ unsigned char K[32];
+ unsigned char V[16];
+ /* Temp variables used by derivation function */
+ AES_KEY df_ks;
+ AES_KEY df_kxks;
+ /* Temporary block storage used by ctr_df */
+ unsigned char bltmp[16];
+ size_t bltmp_pos;
+ unsigned char KX[48];
+};
+
+/* DRBG internal flags */
+
+/* Functions shouldn't call err library */
+#define DRBG_FLAG_NOERR 0x1
+/* Custom reseed checking */
+#define DRBG_CUSTOM_RESEED 0x2
+
+/* DRBG status values */
+/* not initialised */
+#define DRBG_STATUS_UNINITIALISED 0
+/* ok and ready to generate random bits */
+#define DRBG_STATUS_READY 1
+/* reseed required */
+#define DRBG_STATUS_RESEED 2
+/* fatal error condition */
+#define DRBG_STATUS_ERROR 3
+
+/* A default maximum length: larger than any reasonable value used in pratice */
+
+#define DRBG_MAX_LENGTH 0x7ffffff0
+/* Maximum DRBG block length: all md sizes are bigger than cipher blocks sizes
+ * so use max digest length.
+ */
+#define DRBG_MAX_BLOCK EVP_MAX_MD_SIZE
+
+#define DRBG_HEALTH_INTERVAL (1 << 24)
+
+/* DRBG context structure */
+
+struct drbg_ctx_st {
+ /* First types common to all implementations */
+ /* DRBG type: a NID for the underlying algorithm */
+ int type;
+ /* Various external flags */
+ unsigned int xflags;
+ /* Various internal use only flags */
+ unsigned int iflags;
+ /* Used for periodic health checks */
+ int health_check_cnt, health_check_interval;
+
+ /* The following parameters are setup by mechanism drbg_init() call */
+ int strength;
+ size_t blocklength;
+ size_t max_request;
+
+ size_t min_entropy, max_entropy;
+ size_t min_nonce, max_nonce;
+ size_t max_pers, max_adin;
+ unsigned int reseed_counter;
+ unsigned int reseed_interval;
+ size_t seedlen;
+ int status;
+ /* Application data: typically used by test get_entropy */
+ void *app_data;
+ /* Implementation specific structures */
+ union {
+ DRBG_HASH_CTX hash;
+ DRBG_HMAC_CTX hmac;
+ DRBG_CTR_CTX ctr;
+ } d;
+ /* Initialiase PRNG and setup callbacks below */
+ int (*init) (DRBG_CTX *ctx, int nid, int security, unsigned int flags);
+ /* Intantiate PRNG */
+ int (*instantiate) (DRBG_CTX *ctx,
+ const unsigned char *ent, size_t entlen,
+ const unsigned char *nonce, size_t noncelen,
+ const unsigned char *pers, size_t perslen);
+ /* reseed */
+ int (*reseed) (DRBG_CTX *ctx,
+ const unsigned char *ent, size_t entlen,
+ const unsigned char *adin, size_t adinlen);
+ /* generat output */
+ int (*generate) (DRBG_CTX *ctx,
+ unsigned char *out, size_t outlen,
+ const unsigned char *adin, size_t adinlen);
+ /* uninstantiate */
+ int (*uninstantiate) (DRBG_CTX *ctx);
+
+ /* Entropy source block length */
+ size_t entropy_blocklen;
+
+ /* entropy gathering function */
+ size_t (*get_entropy) (DRBG_CTX *ctx, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len);
+ /* Indicates we have finished with entropy buffer */
+ void (*cleanup_entropy) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
+
+ /* nonce gathering function */
+ size_t (*get_nonce) (DRBG_CTX *ctx, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len);
+ /* Indicates we have finished with nonce buffer */
+ void (*cleanup_nonce) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
+
+ /* Continuous random number test temporary area */
+ /* Last block */
+ unsigned char lb[EVP_MAX_MD_SIZE];
+ /* set if lb is valid */
+ int lb_valid;
+
+ /* Callbacks used when called through RAND interface */
+ /* Get any additional input for generate */
+ size_t (*get_adin) (DRBG_CTX *ctx, unsigned char **pout);
+ void (*cleanup_adin) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
+ /* Callback for RAND_seed(), RAND_add() */
+ int (*rand_seed_cb) (DRBG_CTX *ctx, const void *buf, int num);
+ int (*rand_add_cb) (DRBG_CTX *ctx,
+ const void *buf, int num, double entropy);
+};
+
+int fips_drbg_ctr_init(DRBG_CTX *dctx);
+int fips_drbg_hash_init(DRBG_CTX *dctx);
+int fips_drbg_hmac_init(DRBG_CTX *dctx);
+int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags);
+int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out);
+
+#define FIPS_digestinit EVP_DigestInit
+#define FIPS_digestupdate EVP_DigestUpdate
+#define FIPS_digestfinal EVP_DigestFinal
+#define M_EVP_MD_size EVP_MD_size
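Review bot: Several field comments in struct drbg_ctx_st carry typos that will be copied into every future reference: `/* Initialiase PRNG ... */` should read `Initialise`, `/* Intantiate PRNG */` should read `Instantiate`, `/* generat output */` should read `generate output`, and `pratice` in the comment above DRBG_MAX_LENGTH should read `practice`. The continuous-test buffer `lb[EVP_MAX_MD_SIZE]` is also sized independently of DRBG_MAX_BLOCK even though that macro is defined as EVP_MAX_MD_SIZE a few lines earlier; declaring it as `unsigned char lb[DRBG_MAX_BLOCK];` would make the intended relationship explicit and keep the two from drifting apart.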
diff -up openssl-1.1.0f/crypto/fips/fips_rand_lib.c.fips openssl-1.1.0f/crypto/fips/fips_rand_lib.c
--- openssl-1.1.0f/crypto/fips/fips_rand_lib.c.fips 2017-06-02 14:14:25.467421366 +0200
+++ openssl-1.1.0f/crypto/fips/fips_rand_lib.c 2017-06-02 14:14:25.467421366 +0200
@@ -0,0 +1,234 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't
+ be defined and gettimeofday() won't be declared with strict compilers
+ like DEC C in ANSI C mode. */
+#ifndef _XOPEN_SOURCE_EXTENDED
+# define _XOPEN_SOURCE_EXTENDED 1
+#endif
+
+#include <openssl/crypto.h>
+#include <openssl/rand.h>
+#include <openssl/err.h>
+#include <openssl/fips.h>
+#include "internal/fips_int.h"
+#include <openssl/fips_rand.h>
+#include "e_os.h"
+
+#if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS))
+# include <sys/time.h>
+#endif
+#if defined(OPENSSL_SYS_VXWORKS)
+# include <time.h>
+#endif
+#ifndef OPENSSL_SYS_WIN32
+# ifdef OPENSSL_UNISTD
+# include OPENSSL_UNISTD
+# else
+# include <unistd.h>
+# endif
+#endif
+
+/* FIPS API for PRNG use. Similar to RAND functionality but without
+ * ENGINE and additional checking for non-FIPS rand methods.
+ */
+
+static const RAND_METHOD *fips_rand_meth = NULL;
+static int fips_approved_rand_meth = 0;
+static int fips_rand_bits = 0;
+
+/* Allows application to override number of bits and uses non-FIPS methods */
+void FIPS_rand_set_bits(int nbits)
+{
+ fips_rand_bits = nbits;
+}
+
+int FIPS_rand_set_method(const RAND_METHOD *meth)
+{
+ if (!fips_rand_bits) {
+ if (meth == FIPS_drbg_method())
+ fips_approved_rand_meth = 1;
+ else {
+ fips_approved_rand_meth = 0;
+ if (FIPS_module_mode()) {
+ FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD, FIPS_R_NON_FIPS_METHOD);
+ return 0;
+ }
+ }
+ }
+ fips_rand_meth = meth;
+ return 1;
+}
+
+const RAND_METHOD *FIPS_rand_get_method(void)
+{
+ return fips_rand_meth;
+}
+
+void FIPS_rand_reset(void)
+{
+ if (fips_rand_meth && fips_rand_meth->cleanup)
+ fips_rand_meth->cleanup();
+}
+
+int FIPS_rand_seed(const void *buf, int num)
+{
+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
+ FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
+ return 0;
+ }
+ if (fips_rand_meth && fips_rand_meth->seed)
+ fips_rand_meth->seed(buf, num);
+ return 1;
+}
+
+int FIPS_rand_bytes(unsigned char *buf, int num)
+{
+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
+ FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
+ return 0;
+ }
+ if (fips_rand_meth && fips_rand_meth->bytes)
+ return fips_rand_meth->bytes(buf, num);
+ return 0;
+}
+
+int FIPS_rand_status(void)
+{
+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
+ FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
+ return 0;
+ }
+ if (fips_rand_meth && fips_rand_meth->status)
+ return fips_rand_meth->status();
+ return 0;
+}
+
+/* Return instantiated strength of PRNG. For DRBG this is an internal
+ * parameter. Any other type of PRNG is not approved and returns 0 in
+ * FIPS mode and maximum 256 outside FIPS mode.
+ */
+
+int FIPS_rand_strength(void)
+{
+ if (fips_rand_bits)
+ return fips_rand_bits;
+ if (fips_approved_rand_meth == 1)
+ return FIPS_drbg_get_strength(FIPS_get_default_drbg());
+ else if (fips_approved_rand_meth == 0) {
+ if (FIPS_module_mode())
+ return 0;
+ else
+ return 256;
+ }
+ return 0;
+}
+
+void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr)
+{
+# ifdef OPENSSL_SYS_WIN32
+ FILETIME ft;
+# elif defined(OPENSSL_SYS_VXWORKS)
+ struct timespec ts;
+# else
+ struct timeval tv;
+# endif
+
+# ifndef GETPID_IS_MEANINGLESS
+ unsigned long pid;
+# endif
+
+# ifdef OPENSSL_SYS_WIN32
+ GetSystemTimeAsFileTime(&ft);
+ buf[0] = (unsigned char)(ft.dwHighDateTime & 0xff);
+ buf[1] = (unsigned char)((ft.dwHighDateTime >> 8) & 0xff);
+ buf[2] = (unsigned char)((ft.dwHighDateTime >> 16) & 0xff);
+ buf[3] = (unsigned char)((ft.dwHighDateTime >> 24) & 0xff);
+ buf[4] = (unsigned char)(ft.dwLowDateTime & 0xff);
+ buf[5] = (unsigned char)((ft.dwLowDateTime >> 8) & 0xff);
+ buf[6] = (unsigned char)((ft.dwLowDateTime >> 16) & 0xff);
+ buf[7] = (unsigned char)((ft.dwLowDateTime >> 24) & 0xff);
+# elif defined(OPENSSL_SYS_VXWORKS)
+ clock_gettime(CLOCK_REALTIME, &ts);
+ buf[0] = (unsigned char)(ts.tv_sec & 0xff);
+ buf[1] = (unsigned char)((ts.tv_sec >> 8) & 0xff);
+ buf[2] = (unsigned char)((ts.tv_sec >> 16) & 0xff);
+ buf[3] = (unsigned char)((ts.tv_sec >> 24) & 0xff);
+ buf[4] = (unsigned char)(ts.tv_nsec & 0xff);
+ buf[5] = (unsigned char)((ts.tv_nsec >> 8) & 0xff);
+ buf[6] = (unsigned char)((ts.tv_nsec >> 16) & 0xff);
+ buf[7] = (unsigned char)((ts.tv_nsec >> 24) & 0xff);
+# else
+ gettimeofday(&tv, NULL);
+ buf[0] = (unsigned char)(tv.tv_sec & 0xff);
+ buf[1] = (unsigned char)((tv.tv_sec >> 8) & 0xff);
+ buf[2] = (unsigned char)((tv.tv_sec >> 16) & 0xff);
+ buf[3] = (unsigned char)((tv.tv_sec >> 24) & 0xff);
+ buf[4] = (unsigned char)(tv.tv_usec & 0xff);
+ buf[5] = (unsigned char)((tv.tv_usec >> 8) & 0xff);
+ buf[6] = (unsigned char)((tv.tv_usec >> 16) & 0xff);
+ buf[7] = (unsigned char)((tv.tv_usec >> 24) & 0xff);
+# endif
+ buf[8] = (unsigned char)(*pctr & 0xff);
+ buf[9] = (unsigned char)((*pctr >> 8) & 0xff);
+ buf[10] = (unsigned char)((*pctr >> 16) & 0xff);
+ buf[11] = (unsigned char)((*pctr >> 24) & 0xff);
+
+ (*pctr)++;
+
+# ifndef GETPID_IS_MEANINGLESS
+ pid = (unsigned long)getpid();
+ buf[12] = (unsigned char)(pid & 0xff);
+ buf[13] = (unsigned char)((pid >> 8) & 0xff);
+ buf[14] = (unsigned char)((pid >> 16) & 0xff);
+ buf[15] = (unsigned char)((pid >> 24) & 0xff);
+# endif
+}
+
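Review bot: FIPS_get_timevec writes buf[0] through buf[15] but takes no length parameter and has no comment stating the 16-byte requirement, so the contract lives only in its callers. When GETPID_IS_MEANINGLESS is defined, buf[12]..buf[15] are never written and keep whatever the caller had there, and on platforms with a 64-bit tv_sec only the low 32 bits of the seconds are captured. I would add above the definition: `/* Fill buf (at least 16 bytes) with the current time, a running counter and the pid; bytes 12-15 are left untouched when GETPID_IS_MEANINGLESS is defined. */`. In FIPS_rand_strength the trailing `return 0` is unreachable because fips_approved_rand_meth is only ever assigned 0 or 1 in this file; collapsing the `== 1`/`== 0` pair into a plain if/else would make that evident.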
diff -up openssl-1.1.0f/crypto/fips/fips_randtest.c.fips openssl-1.1.0f/crypto/fips/fips_randtest.c
--- openssl-1.1.0f/crypto/fips/fips_randtest.c.fips 2017-06-02 14:14:25.467421366 +0200
+++ openssl-1.1.0f/crypto/fips/fips_randtest.c 2017-06-02 14:14:25.467421366 +0200
@@ -0,0 +1,247 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <openssl/rand.h>
+#include <openssl/fips_rand.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+
+#include "e_os.h"
+
+#ifndef OPENSSL_FIPS
+int main(int argc, char *argv[])
+{
+ printf("No FIPS RAND support\n");
+ return (0);
+}
+
+#else
+
+# include "fips_utl.h"
+# include <openssl/fips.h>
+
+typedef struct {
+ unsigned char DT[16];
+ unsigned char V[16];
+ unsigned char R[16];
+} AES_PRNG_MCT;
+
+static const unsigned char aes_128_mct_key[16] =
+ { 0x9f, 0x5b, 0x51, 0x20, 0x0b, 0xf3, 0x34, 0xb5,
+ 0xd8, 0x2b, 0xe8, 0xc3, 0x72, 0x55, 0xc8, 0x48
+};
+
+static const AES_PRNG_MCT aes_128_mct_tv = {
+ /* DT */
+ {0x63, 0x76, 0xbb, 0xe5, 0x29, 0x02, 0xba, 0x3b,
+ 0x67, 0xc9, 0x25, 0xfa, 0x70, 0x1f, 0x11, 0xac},
+ /* V */
+ {0x57, 0x2c, 0x8e, 0x76, 0x87, 0x26, 0x47, 0x97,
+ 0x7e, 0x74, 0xfb, 0xdd, 0xc4, 0x95, 0x01, 0xd1},
+ /* R */
+ {0x48, 0xe9, 0xbd, 0x0d, 0x06, 0xee, 0x18, 0xfb,
+ 0xe4, 0x57, 0x90, 0xd5, 0xc3, 0xfc, 0x9b, 0x73}
+};
+
+static const unsigned char aes_192_mct_key[24] =
+ { 0xb7, 0x6c, 0x34, 0xd1, 0x09, 0x67, 0xab, 0x73,
+ 0x4d, 0x5a, 0xd5, 0x34, 0x98, 0x16, 0x0b, 0x91,
+ 0xbc, 0x35, 0x51, 0x16, 0x6b, 0xae, 0x93, 0x8a
+};
+
+static const AES_PRNG_MCT aes_192_mct_tv = {
+ /* DT */
+ {0x84, 0xce, 0x22, 0x7d, 0x91, 0x5a, 0xa3, 0xc9,
+ 0x84, 0x3c, 0x0a, 0xb3, 0xa9, 0x63, 0x15, 0x52},
+ /* V */
+ {0xb6, 0xaf, 0xe6, 0x8f, 0x99, 0x9e, 0x90, 0x64,
+ 0xdd, 0xc7, 0x7a, 0xc1, 0xbb, 0x90, 0x3a, 0x6d},
+ /* R */
+ {0xfc, 0x85, 0x60, 0x9a, 0x29, 0x6f, 0xef, 0x21,
+ 0xdd, 0x86, 0x20, 0x32, 0x8a, 0x29, 0x6f, 0x47}
+};
+
+static const unsigned char aes_256_mct_key[32] =
+ { 0x9b, 0x05, 0xc8, 0x68, 0xff, 0x47, 0xf8, 0x3a,
+ 0xa6, 0x3a, 0xa8, 0xcb, 0x4e, 0x71, 0xb2, 0xe0,
+ 0xb8, 0x7e, 0xf1, 0x37, 0xb6, 0xb4, 0xf6, 0x6d,
+ 0x86, 0x32, 0xfc, 0x1f, 0x5e, 0x1d, 0x1e, 0x50
+};
+
+static const AES_PRNG_MCT aes_256_mct_tv = {
+ /* DT */
+ {0x31, 0x6e, 0x35, 0x9a, 0xb1, 0x44, 0xf0, 0xee,
+ 0x62, 0x6d, 0x04, 0x46, 0xe0, 0xa3, 0x92, 0x4c},
+ /* V */
+ {0x4f, 0xcd, 0xc1, 0x87, 0x82, 0x1f, 0x4d, 0xa1,
+ 0x3e, 0x0e, 0x56, 0x44, 0x59, 0xe8, 0x83, 0xca},
+ /* R */
+ {0xc8, 0x87, 0xc2, 0x61, 0x5b, 0xd0, 0xb9, 0xe1,
+ 0xe7, 0xf3, 0x8b, 0xd7, 0x5b, 0xd5, 0xf1, 0x8d}
+};
+
+static void dump(const unsigned char *b, int n)
+{
+ while (n-- > 0) {
+ printf(" %02x", *b++);
+ }
+}
+
+static void compare(const unsigned char *result,
+ const unsigned char *expected, int n)
+{
+ int i;
+
+ for (i = 0; i < n; ++i)
+ if (result[i] != expected[i]) {
+ puts("Random test failed, got:");
+ dump(result, n);
+ puts("\n expected:");
+ dump(expected, n);
+ putchar('\n');
+ EXIT(1);
+ }
+}
+
+static void run_test(const unsigned char *key, int keylen,
+ const AES_PRNG_MCT * tv)
+{
+ unsigned char buf[16], dt[16];
+ int i, j;
+ FIPS_x931_reset();
+ FIPS_x931_test_mode();
+ FIPS_x931_set_key(key, keylen);
+ FIPS_x931_seed(tv->V, 16);
+ memcpy(dt, tv->DT, 16);
+ for (i = 0; i < 10000; i++) {
+ FIPS_x931_set_dt(dt);
+ FIPS_x931_bytes(buf, 16);
+ /* Increment DT */
+ for (j = 15; j >= 0; j--) {
+ dt[j]++;
+ if (dt[j])
+ break;
+ }
+ }
+
+ compare(buf, tv->R, 16);
+}
+
+int main()
+{
+ run_test(aes_128_mct_key, 16, &aes_128_mct_tv);
+ printf("FIPS PRNG test 1 done\n");
+ run_test(aes_192_mct_key, 24, &aes_192_mct_tv);
+ printf("FIPS PRNG test 2 done\n");
+ run_test(aes_256_mct_key, 32, &aes_256_mct_tv);
+ printf("FIPS PRNG test 3 done\n");
+ return 0;
+}
+
+#endif
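Review bot: run_test discards the return values of FIPS_x931_set_key, FIPS_x931_seed and FIPS_x931_bytes, so a setup failure (an unsupported key length, a PRNG left in an error state) leaves `buf` indeterminate and compare() reports a spurious known-answer mismatch instead of a clear setup error. If those calls signal failure with a zero return, as the rest of this patch's FIPS RAND API appears to, guard them: `if (!FIPS_x931_set_key(key, keylen) || !FIPS_x931_seed(tv->V, 16)) { puts("X9.31 PRNG setup failed"); EXIT(1); }` and the same check around `FIPS_x931_bytes(buf, 16)` inside the loop. Separately, `int main()` at the end of the file is an old-style non-prototype declaration; write `int main(void)` to match the `#ifndef OPENSSL_FIPS` stub above.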
diff -up openssl-1.1.0f/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.0f/crypto/fips/fips_rsa_selftest.c
--- openssl-1.1.0f/crypto/fips/fips_rsa_selftest.c.fips 2017-06-02 14:14:25.467421366 +0200
+++ openssl-1.1.0f/crypto/fips/fips_rsa_selftest.c 2017-06-02 14:14:25.467421366 +0200
@@ -0,0 +1,578 @@
+/* ====================================================================
+ * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string.h>
+#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+# include "internal/fips_int.h"
+#endif
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+#include <openssl/opensslconf.h>
+#include "fips_locl.h"
+
+#ifdef OPENSSL_FIPS
+
+static int setrsakey(RSA *key)
+{
+ static const unsigned char keydata_n[] = {
+ 0x00, 0xc9, 0xd5, 0x6d, 0x9d, 0x90, 0xdb, 0x43, 0xd6, 0x02, 0xed, 0x96, 0x88, 0x13, 0x8a,
+ 0xb2, 0xbf, 0x6e, 0xa1, 0x06, 0x10, 0xb2, 0x78, 0x37, 0xa7, 0x14, 0xa8, 0xff, 0xdd, 0x00,
+ 0xdd, 0xb4, 0x93, 0xa0, 0x45, 0xcc, 0x96, 0x90, 0xed, 0xad, 0xa9, 0xdd, 0xc4, 0xd6, 0xca,
+ 0x0c, 0xf0, 0xed, 0x4f, 0x72, 0x5e, 0x21, 0x49, 0x9a, 0x18, 0x12, 0x15, 0x8f, 0x90, 0x5a,
+ 0xdb, 0xb6, 0x33, 0x99, 0xa3, 0xe6, 0xb4, 0xf0, 0xc4, 0x97, 0x21, 0x26, 0xbb, 0xe3, 0xba,
+ 0xf2, 0xff, 0xa0, 0x72, 0xda, 0x89, 0x63, 0x8e, 0x8b, 0x3e, 0x08, 0x9d, 0x92, 0x2a, 0xbe,
+ 0x16, 0xe1, 0x43, 0x15, 0xfc, 0x57, 0xc7, 0x1f, 0x09, 0x11, 0x67, 0x1c, 0xa9, 0x96, 0xd1,
+ 0x8b, 0x3e, 0x80, 0x93, 0xc1, 0x59, 0xd0, 0x6d, 0x39, 0xf2, 0xac, 0x95, 0xcc, 0x10, 0x75,
+ 0xe9, 0x31, 0x24, 0xd1, 0x43, 0xaf, 0x68, 0x52, 0x4b, 0xe7, 0x16, 0xd7, 0x49, 0x65, 0x6f,
+ 0x26, 0xc0, 0x86, 0xad, 0xc0, 0x07, 0x0a, 0xc1, 0xe1, 0x2f, 0x87, 0x85, 0x86, 0x3b, 0xdc,
+ 0x5a, 0x99, 0xbe, 0xe9, 0xf9, 0xb9, 0xe9, 0x82, 0x27, 0x51, 0x04, 0x15, 0xab, 0x06, 0x0e,
+ 0x76, 0x5a, 0x28, 0x8d, 0x92, 0xbd, 0xc5, 0xb5, 0x7b, 0xa8, 0xdf, 0x4e, 0x47, 0xa2, 0xc1,
+ 0xe7, 0x52, 0xbf, 0x47, 0xf7, 0x62, 0xe0, 0x3a, 0x6f, 0x4d, 0x6a, 0x4d, 0x4e, 0xd4, 0xb9,
+ 0x59, 0x69, 0xfa, 0xb2, 0x14, 0xc1, 0xee, 0xe6, 0x2f, 0x95, 0xcd, 0x94, 0x72, 0xae, 0xe4,
+ 0xdb, 0x18, 0x9a, 0xc4, 0xcd, 0x70, 0xbd, 0xee, 0x31, 0x16, 0xb7, 0x49, 0x65, 0xac, 0x40,
+ 0x19, 0x0e, 0xb5, 0x6d, 0x83, 0xf1, 0x36, 0xbb, 0x08, 0x2f, 0x2e, 0x4e, 0x92, 0x62, 0xa4,
+ 0xff, 0x50, 0xdb, 0x20, 0x45, 0xa2, 0xeb, 0x16, 0x7a, 0xf2, 0xd5, 0x28, 0xc1, 0xfd, 0x4e,
+ 0x03, 0x71
+ };
+
+ static const unsigned char keydata_e[] = { 0x01, 0x00, 0x01 };
+
+ static const unsigned char keydata_d[] = {
+ 0x36, 0x27, 0x3d, 0xb1, 0xf9, 0x1b, 0xdb, 0xa7, 0xa0, 0x41, 0x7f, 0x12, 0x23, 0xac, 0x23,
+ 0x29, 0x99, 0xd5, 0x3a, 0x7b, 0x60, 0x67, 0x41, 0x07, 0x63, 0x53, 0xb4, 0xd2, 0xe7, 0x58,
+ 0x95, 0x0a, 0xc7, 0x05, 0xf3, 0x4e, 0xb2, 0xb4, 0x12, 0xd4, 0x70, 0xdc, 0x4f, 0x85, 0x06,
+ 0xd3, 0xdd, 0xd8, 0x63, 0x27, 0x3e, 0x67, 0x31, 0x21, 0x24, 0x39, 0x04, 0xbc, 0x06, 0xa4,
+ 0xcc, 0xce, 0x2b, 0x7a, 0xfe, 0x7b, 0xad, 0xde, 0x11, 0x6e, 0xa3, 0xa5, 0xe6, 0x04, 0x53,
+ 0x0e, 0xa3, 0x4e, 0x2d, 0xb4, 0x8f, 0x31, 0xbf, 0xca, 0x75, 0x25, 0x52, 0x02, 0x85, 0xde,
+ 0x3d, 0xb2, 0x72, 0x43, 0xb2, 0x89, 0x8a, 0x9a, 0x34, 0x41, 0x26, 0x3f, 0x9a, 0x67, 0xbe,
+ 0xa4, 0x96, 0x7b, 0x0e, 0x75, 0xba, 0xa6, 0x93, 0xd5, 0xb8, 0xd8, 0xb8, 0x57, 0xf2, 0x4b,
+ 0x0f, 0x14, 0x81, 0xd1, 0x57, 0x4e, 0xf6, 0x45, 0x4c, 0xa6, 0x3b, 0xd0, 0x70, 0xca, 0xd3,
+ 0x9d, 0x55, 0xde, 0x22, 0x05, 0xe7, 0x8e, 0x28, 0x4d, 0xee, 0x11, 0xcf, 0xb6, 0x67, 0x76,
+ 0x09, 0xd3, 0xe3, 0x3c, 0x13, 0xf9, 0x99, 0x34, 0x10, 0x7b, 0xec, 0x81, 0x38, 0xf0, 0xb6,
+ 0x34, 0x9c, 0x9b, 0x50, 0x6f, 0x0b, 0x91, 0x81, 0x4d, 0x89, 0x94, 0x04, 0x7b, 0xf0, 0x3c,
+ 0xf4, 0xb1, 0xb2, 0x00, 0x48, 0x8d, 0x5a, 0x8f, 0x88, 0x9e, 0xc5, 0xab, 0x3a, 0x9e, 0x44,
+ 0x3f, 0x54, 0xe7, 0xd9, 0x6e, 0x47, 0xaa, 0xa1, 0xbd, 0x40, 0x46, 0x31, 0xf9, 0xf0, 0x34,
+ 0xb6, 0x04, 0xe1, 0x2b, 0x5b, 0x73, 0x86, 0xdd, 0x3a, 0x92, 0x1b, 0x71, 0xc7, 0x3f, 0x32,
+ 0xe5, 0xc3, 0xc2, 0xab, 0xa1, 0x7e, 0xbf, 0xa4, 0x52, 0xa0, 0xb0, 0x68, 0x90, 0xd1, 0x20,
+ 0x12, 0x79, 0xe9, 0xd7, 0xc9, 0x40, 0xba, 0xf2, 0x19, 0xc7, 0xa5, 0x00, 0x92, 0x86, 0x0d,
+ 0x01
+ };
+
+ static const unsigned char keydata_p[] = {
+ 0x00, 0xfc, 0x5c, 0x6e, 0x16, 0xce, 0x1f, 0x03, 0x7b, 0xcd, 0xf7, 0xb3, 0x72, 0xb2, 0x8f,
+ 0x16, 0x72, 0xb8, 0x56, 0xae, 0xf7, 0xcd, 0x67, 0xd8, 0x4e, 0x7d, 0x07, 0xaf, 0xd5, 0x43,
+ 0x26, 0xc3, 0x35, 0xbe, 0x43, 0x8f, 0x4e, 0x2f, 0x1c, 0x43, 0x4e, 0x6b, 0xd2, 0xb2, 0xec,
+ 0x52, 0x6d, 0x97, 0x52, 0x2b, 0xcc, 0x5c, 0x3a, 0x6b, 0xf4, 0x14, 0xc6, 0x74, 0xda, 0x66,
+ 0x38, 0x1c, 0x7a, 0x3f, 0x84, 0x2f, 0xe3, 0xf9, 0x5a, 0xb8, 0x65, 0x69, 0x46, 0x06, 0xa3,
+ 0x37, 0x79, 0xb2, 0xa1, 0x5b, 0x58, 0xed, 0x5e, 0xa7, 0x5f, 0x8c, 0x65, 0x66, 0xbb, 0xd1,
+ 0x24, 0x36, 0xe6, 0x37, 0xa7, 0x3d, 0x49, 0x77, 0x8a, 0x8c, 0x34, 0xd8, 0x69, 0x29, 0xf3,
+ 0x4d, 0x58, 0x22, 0xb0, 0x51, 0x24, 0xb6, 0x40, 0xa8, 0x86, 0x59, 0x0a, 0xb7, 0xba, 0x5c,
+ 0x97, 0xda, 0x57, 0xe8, 0x36, 0xda, 0x7a, 0x9c, 0xad
+ };
+
+ static const unsigned char keydata_q[] = {
+ 0x00, 0xcc, 0xbe, 0x7b, 0x09, 0x69, 0x06, 0xee, 0x45, 0xbf, 0x88, 0x47, 0x38, 0xa8, 0xf8,
+ 0x17, 0xe5, 0xb6, 0xba, 0x67, 0x55, 0xe3, 0xe8, 0x05, 0x8b, 0xb8, 0xe2, 0x53, 0xd6, 0x8e,
+ 0xef, 0x2c, 0xe7, 0x4f, 0x4a, 0xf7, 0x4e, 0x26, 0x8d, 0x85, 0x0b, 0x3f, 0xec, 0xc3, 0x1c,
+ 0xd4, 0xeb, 0xec, 0x6a, 0xc8, 0x72, 0x2a, 0x25, 0x7d, 0xfd, 0xa6, 0x77, 0x96, 0xf0, 0x1e,
+ 0xcd, 0x28, 0x57, 0xf8, 0x37, 0x30, 0x75, 0x6b, 0xbd, 0xd4, 0x7b, 0x0c, 0x87, 0xc5, 0x6c,
+ 0x87, 0x40, 0xa5, 0xbb, 0x27, 0x2c, 0x78, 0xc9, 0x74, 0x5a, 0x54, 0x5b, 0x0b, 0x30, 0x6f,
+ 0x44, 0x4a, 0xfa, 0x71, 0xe4, 0x21, 0x61, 0x66, 0xf9, 0xee, 0x65, 0xde, 0x7c, 0x04, 0xd7,
+ 0xfd, 0xa9, 0x15, 0x5b, 0x7f, 0xe2, 0x7a, 0xba, 0x69, 0x86, 0x72, 0xa6, 0x06, 0x8d, 0x9b,
+ 0x90, 0x55, 0x60, 0x9e, 0x4c, 0x5d, 0xa9, 0xb6, 0x55
+ };
+
+ static const unsigned char keydata_dmp1[] = {
+ 0x7a, 0xd6, 0x12, 0xd0, 0x0e, 0xec, 0x91, 0xa9, 0x85, 0x8b, 0xf8, 0x50, 0xf0, 0x11, 0x2e,
+ 0x00, 0x11, 0x32, 0x40, 0x60, 0x66, 0x1f, 0x11, 0xee, 0xc2, 0x75, 0x27, 0x65, 0x4b, 0x16,
+ 0x67, 0x16, 0x95, 0xd2, 0x14, 0xc3, 0x1d, 0xb3, 0x48, 0x1f, 0xb7, 0xe4, 0x0b, 0x2b, 0x74,
+ 0xc3, 0xdb, 0x50, 0x27, 0xf9, 0x85, 0x3a, 0xfa, 0xa9, 0x08, 0x23, 0xc1, 0x65, 0x3d, 0x34,
+ 0x3a, 0xc8, 0x56, 0x7a, 0x65, 0x45, 0x36, 0x6e, 0xae, 0x2a, 0xce, 0x9f, 0x43, 0x43, 0xd7,
+ 0x10, 0xe9, 0x9e, 0x18, 0xf4, 0xa4, 0x35, 0xda, 0x8a, 0x6b, 0xb0, 0x3f, 0xdd, 0x53, 0xe3,
+ 0xa8, 0xc5, 0x4e, 0x79, 0x9d, 0x1f, 0x51, 0x8c, 0xa2, 0xca, 0x66, 0x3c, 0x6a, 0x2a, 0xff,
+ 0x8e, 0xd2, 0xf3, 0xb7, 0xcb, 0x82, 0xda, 0xde, 0x2c, 0xe6, 0xd2, 0x8c, 0xb3, 0xad, 0xb6,
+ 0x4c, 0x95, 0x55, 0x76, 0xbd, 0xc9, 0xc8, 0xd1
+ };
+
+ static const unsigned char keydata_dmq1[] = {
+ 0x00, 0x83, 0x23, 0x1d, 0xbb, 0x11, 0x42, 0x17, 0x2b, 0x25, 0x5a, 0x2c, 0x03, 0xe6, 0x75,
+ 0xc1, 0x18, 0xa8, 0xc9, 0x0b, 0x96, 0xbf, 0xba, 0xc4, 0x92, 0x91, 0x80, 0xa5, 0x22, 0x2f,
+ 0xba, 0x91, 0x90, 0x36, 0x01, 0x56, 0x15, 0x00, 0x2c, 0x74, 0xa2, 0x97, 0xf7, 0x15, 0xa1,
+ 0x49, 0xdf, 0x32, 0x35, 0xd2, 0xdd, 0x0c, 0x91, 0xa6, 0xf8, 0xe7, 0xbe, 0x81, 0x36, 0x9b,
+ 0x03, 0xdc, 0x6b, 0x3b, 0xd8, 0x5d, 0x79, 0x57, 0xe0, 0xe6, 0x4f, 0x49, 0xdf, 0x4c, 0x5c,
+ 0x0e, 0xe5, 0x21, 0x41, 0x95, 0xfd, 0xad, 0xff, 0x9a, 0x3e, 0xa0, 0xf9, 0x0f, 0x59, 0x9e,
+ 0x6a, 0xa7, 0x7b, 0x71, 0xa7, 0x24, 0x9a, 0x36, 0x52, 0xae, 0x97, 0x20, 0xc1, 0x5e, 0x78,
+ 0xd9, 0x47, 0x8b, 0x1e, 0x67, 0xf2, 0xaf, 0x98, 0xe6, 0x2d, 0xef, 0x10, 0xd7, 0xf1, 0xab,
+ 0x49, 0xee, 0xe5, 0x4b, 0x7e, 0xae, 0x1f, 0x1d, 0x61
+ };
+
+ static const unsigned char keydata_iqmp[] = {
+ 0x23, 0x96, 0xc1, 0x91, 0x17, 0x5e, 0x0a, 0x83, 0xd2, 0xdc, 0x7b, 0x69, 0xb2, 0x59, 0x1d,
+ 0x33, 0x58, 0x52, 0x3f, 0x18, 0xc7, 0x09, 0x50, 0x1c, 0xb9, 0xa1, 0xbb, 0x4c, 0xa2, 0x38,
+ 0x40, 0x4c, 0x9a, 0x8e, 0xfe, 0x9c, 0x90, 0x92, 0xd0, 0x71, 0x9f, 0x89, 0x99, 0x50, 0x91,
+ 0x1f, 0x34, 0x8b, 0x74, 0x53, 0x11, 0x11, 0x4a, 0x70, 0xe2, 0xf7, 0x30, 0xd8, 0x8c, 0x80,
+ 0xe1, 0xcc, 0x9f, 0xf1, 0x63, 0x17, 0x1a, 0x7d, 0x67, 0x29, 0x4c, 0xcb, 0x4e, 0x74, 0x7b,
+ 0xe0, 0x3e, 0x9e, 0x2f, 0xf4, 0x67, 0x8f, 0xec, 0xb9, 0x5c, 0x00, 0x1e, 0x7e, 0xa2, 0x7b,
+ 0x92, 0xc9, 0x6f, 0x4c, 0xe4, 0x0e, 0xf9, 0x48, 0x63, 0xcd, 0x50, 0x22, 0x5d, 0xbf, 0xb6,
+ 0x9d, 0x01, 0x33, 0x6a, 0xf4, 0x50, 0xbe, 0x86, 0x98, 0x4f, 0xca, 0x3f, 0x3a, 0xfa, 0xcf,
+ 0x07, 0x40, 0xc4, 0xaa, 0xad, 0xae, 0xbe, 0xbf
+ };
+
+ int rv = 0;
+ BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL, *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
+
+ fips_load_key_component(n, keydata);
+ fips_load_key_component(e, keydata);
+ fips_load_key_component(d, keydata);
+ fips_load_key_component(p, keydata);
+ fips_load_key_component(q, keydata);
+ fips_load_key_component(dmp1, keydata);
+ fips_load_key_component(dmq1, keydata);
+ fips_load_key_component(iqmp, keydata);
+
+ RSA_set0_key(key, n, e, d);
+ RSA_set0_factors(key, p, q);
+ RSA_set0_crt_params(key, dmp1, dmq1, iqmp);
+
+ rv = 1;
+err:
+ if (!rv) {
+ BN_free(n);
+ BN_free(e);
+ BN_free(d);
+ BN_free(p);
+ BN_free(q);
+ BN_free(dmp1);
+ BN_free(dmq1);
+ BN_free(iqmp);
+ }
+ return rv;
+}
+
+/* Known Answer Test (KAT) data for the above RSA private key signing
+ * kat_tbs.
+ */
+
+static const unsigned char kat_tbs[] =
+ "OpenSSL FIPS 140-2 Public Key RSA KAT";
+
+static const unsigned char kat_RSA_PSS_SHA1[] = {
+ 0xC2, 0x80, 0x82, 0x56, 0xD8, 0xA7, 0xB2, 0x9C, 0xF5, 0xD6, 0x3C, 0xE3,
+ 0xBF, 0xE9, 0x3A, 0x53, 0x40, 0xAE, 0xF2, 0xA9, 0x6A, 0x39, 0x49, 0x5B,
+ 0x05, 0x7F, 0x67, 0x38, 0x2E, 0x1D, 0xE1, 0x93, 0x22, 0x65, 0x79, 0x84,
+ 0x68, 0xFA, 0xD8, 0xAF, 0xA1, 0x98, 0x61, 0x6F, 0x44, 0x27, 0xA6, 0x8B,
+ 0xCF, 0x0E, 0x13, 0xA9, 0xCE, 0xD7, 0x6C, 0xD2, 0x38, 0xB5, 0x16, 0xB9,
+ 0x66, 0x94, 0x48, 0xDE, 0x9E, 0x19, 0x3D, 0x6F, 0xB3, 0xA1, 0x9A, 0x19,
+ 0xDF, 0xFB, 0xAB, 0xA5, 0x9F, 0x38, 0xDA, 0xC9, 0x21, 0x8F, 0xCE, 0x98,
+ 0x01, 0x3A, 0xC8, 0xE0, 0xDF, 0xDA, 0xFC, 0xF0, 0xA6, 0x86, 0x29, 0xB5,
+ 0x7F, 0x61, 0xFB, 0xBA, 0xC5, 0x49, 0xB2, 0x7C, 0x6A, 0x26, 0x82, 0xC4,
+ 0x8F, 0xAA, 0x5B, 0x10, 0xD5, 0xEE, 0xA0, 0x55, 0x42, 0xEF, 0x32, 0x5A,
+ 0x3F, 0x55, 0xB3, 0x2C, 0x22, 0xE9, 0x65, 0xDA, 0x8D, 0x0A, 0xB9, 0x70,
+ 0x43, 0xCC, 0x3F, 0x64, 0x9C, 0xB5, 0x65, 0x49, 0xBD, 0x7F, 0x35, 0xC1,
+ 0x20, 0x85, 0x24, 0xFE, 0xAA, 0x6B, 0x37, 0x04, 0xA1, 0x0E, 0x9D, 0x5C,
+ 0xBA, 0x7F, 0x14, 0x69, 0xC5, 0x93, 0xB2, 0x33, 0xC2, 0xC0, 0xC7, 0xDF,
+ 0x7E, 0x9E, 0xA4, 0xB0, 0xA0, 0x64, 0xD2, 0xAC, 0xFC, 0xFD, 0xFD, 0x99,
+ 0x8F, 0x6A, 0x40, 0x26, 0xC1, 0x2E, 0x4E, 0x8B, 0x33, 0xBE, 0xF1, 0x45,
+ 0x59, 0x8F, 0x33, 0x40, 0x1D, 0x2A, 0xD2, 0xF7, 0x50, 0x83, 0x89, 0xCF,
+ 0x94, 0xC6, 0xF8, 0x36, 0xF0, 0x84, 0x0B, 0x85, 0xA5, 0x02, 0xA9, 0x0F,
+ 0x41, 0x7A, 0x77, 0xA3, 0x2F, 0x47, 0x1E, 0x1D, 0xEC, 0xE6, 0xD3, 0x01,
+ 0x1E, 0x6F, 0x7A, 0x96, 0x50, 0x37, 0x37, 0x4B, 0x27, 0x52, 0x0B, 0xDC,
+ 0xDB, 0xC7, 0xA9, 0x31, 0xB2, 0x40, 0xEE, 0x60, 0x41, 0x26, 0x6A, 0x05,
+ 0xCE, 0x08, 0x1D, 0x89
+};
+
+static const unsigned char kat_RSA_PSS_SHA224[] = {
+ 0xB4, 0x01, 0x93, 0x16, 0x05, 0xF6, 0xEB, 0xE2, 0xA4, 0xEB, 0x48, 0xAA,
+ 0x00, 0xF4, 0xA1, 0x99, 0x0A, 0xB4, 0xB6, 0x63, 0xE9, 0x68, 0xCA, 0xB3,
+ 0x13, 0xD7, 0x66, 0x6A, 0xCD, 0xCB, 0x33, 0x9F, 0xE5, 0x84, 0xE2, 0xC3,
+ 0x0B, 0x53, 0xE5, 0x8B, 0x96, 0x4B, 0xDB, 0x2D, 0x80, 0xA4, 0x1D, 0xE3,
+ 0x81, 0xDC, 0x52, 0x99, 0xBA, 0x9B, 0x6A, 0x9D, 0x48, 0x1F, 0x73, 0xF7,
+ 0xAC, 0x09, 0x13, 0xA1, 0x16, 0x2C, 0x60, 0xFB, 0xBC, 0x25, 0xF7, 0x53,
+ 0xD1, 0x04, 0x5A, 0x3F, 0x95, 0x09, 0x5E, 0xE5, 0xA2, 0x7D, 0xFC, 0x2A,
+ 0x51, 0x1D, 0x21, 0xCE, 0x2B, 0x4E, 0x1B, 0xB8, 0xCB, 0xDD, 0x24, 0xEE,
+ 0x99, 0x1D, 0x37, 0xDC, 0xED, 0x5F, 0x2F, 0x48, 0x5E, 0x33, 0x94, 0x06,
+ 0x19, 0xCD, 0x5A, 0x26, 0x85, 0x77, 0x9D, 0xAF, 0x86, 0x97, 0xC9, 0x08,
+ 0xD5, 0x81, 0x0E, 0xB8, 0x9F, 0xB6, 0xAF, 0x20, 0x72, 0xDC, 0x13, 0x4D,
+ 0x7A, 0xE4, 0x5C, 0x81, 0xDE, 0xC0, 0x3D, 0x19, 0x9C, 0x33, 0x11, 0x07,
+ 0xD5, 0xA9, 0x51, 0x67, 0xCD, 0xFD, 0x37, 0x61, 0x14, 0x9F, 0xE7, 0x70,
+ 0x18, 0x32, 0xC3, 0x34, 0x54, 0x0D, 0x4F, 0xB4, 0xAE, 0x9F, 0xEC, 0x64,
+ 0xD8, 0xB2, 0x16, 0xA4, 0xB2, 0x99, 0x92, 0xCB, 0x7F, 0x1F, 0x06, 0x17,
+ 0x5F, 0xA1, 0x07, 0x68, 0xAE, 0xA7, 0x2D, 0x03, 0x91, 0x2A, 0x9D, 0x69,
+ 0xC2, 0x9D, 0x90, 0xF7, 0xF9, 0x66, 0x5D, 0x13, 0xB7, 0x7F, 0xD3, 0x97,
+ 0x45, 0x97, 0x43, 0xD8, 0xCE, 0x3C, 0xF2, 0x98, 0x98, 0xDD, 0xE2, 0x2D,
+ 0xCF, 0xA1, 0xC4, 0x25, 0x46, 0x2E, 0xD2, 0xE5, 0x5F, 0xC6, 0x01, 0xC5,
+ 0x4F, 0x42, 0x2B, 0xDE, 0x0F, 0xEA, 0x4A, 0x4F, 0xC3, 0x5B, 0xDF, 0x9B,
+ 0x5D, 0x30, 0x18, 0x93, 0xD0, 0xDE, 0xC5, 0x09, 0xAA, 0x57, 0x57, 0xBD,
+ 0x2D, 0x84, 0x03, 0xB7
+};
+
+static const unsigned char kat_RSA_PSS_SHA256[] = {
+ 0x38, 0xDA, 0x99, 0x51, 0x26, 0x38, 0xC6, 0x7F, 0xC4, 0x81, 0x57, 0x19,
+ 0x35, 0xC6, 0xF6, 0x1E, 0x90, 0x47, 0x20, 0x55, 0x47, 0x56, 0x26, 0xE9,
+ 0xF2, 0xA8, 0x39, 0x6C, 0xD5, 0xCD, 0xCB, 0x55, 0xFC, 0x0C, 0xC5, 0xCB,
+ 0xF7, 0x40, 0x17, 0x3B, 0xCF, 0xE4, 0x05, 0x03, 0x3B, 0xA0, 0xB2, 0xC9,
+ 0x0D, 0x5E, 0x48, 0x3A, 0xE9, 0xAD, 0x28, 0x71, 0x7D, 0x8F, 0x89, 0x16,
+ 0x59, 0x93, 0x35, 0xDC, 0x4D, 0x7B, 0xDF, 0x84, 0xE4, 0x68, 0xAA, 0x33,
+ 0xAA, 0xDC, 0x66, 0x50, 0xC8, 0xA9, 0x32, 0x12, 0xDC, 0xC6, 0x90, 0x49,
+ 0x0B, 0x75, 0xFF, 0x9B, 0x95, 0x00, 0x9A, 0x90, 0xE0, 0xD4, 0x0E, 0x67,
+ 0xAB, 0x3C, 0x47, 0x36, 0xC5, 0x2E, 0x1C, 0x46, 0xF0, 0x2D, 0xD3, 0x8B,
+ 0x42, 0x08, 0xDE, 0x0D, 0xB6, 0x2C, 0x86, 0xB0, 0x35, 0x71, 0x18, 0x6B,
+ 0x89, 0x67, 0xC0, 0x05, 0xAD, 0xF4, 0x1D, 0x62, 0x4E, 0x75, 0xEC, 0xD6,
+ 0xC2, 0xDB, 0x07, 0xB0, 0xB6, 0x8D, 0x15, 0xAD, 0xCD, 0xBF, 0xF5, 0x60,
+ 0x76, 0xAE, 0x48, 0xB8, 0x77, 0x7F, 0xC5, 0x01, 0xD9, 0x29, 0xBB, 0xD6,
+ 0x17, 0xA2, 0x20, 0x5A, 0xC0, 0x4A, 0x3B, 0x34, 0xC8, 0xB9, 0x39, 0xCF,
+ 0x06, 0x89, 0x95, 0x6F, 0xC7, 0xCA, 0xC4, 0xE4, 0x43, 0xDF, 0x5A, 0x23,
+ 0xE2, 0x89, 0xA3, 0x38, 0x78, 0x31, 0x38, 0xC6, 0xA4, 0x6F, 0x5F, 0x73,
+ 0x5A, 0xE5, 0x9E, 0x09, 0xE7, 0x6F, 0xD4, 0xF8, 0x3E, 0xB7, 0xB0, 0x56,
+ 0x9A, 0xF3, 0x65, 0xF0, 0xC2, 0xA6, 0x8A, 0x08, 0xBA, 0x44, 0xAC, 0x97,
+ 0xDE, 0xB4, 0x16, 0x83, 0xDF, 0xE3, 0xEE, 0x71, 0xFA, 0xF9, 0x51, 0x50,
+ 0x14, 0xDC, 0xFD, 0x6A, 0x82, 0x20, 0x68, 0x64, 0x7D, 0x4E, 0x82, 0x68,
+ 0xD7, 0x45, 0xFA, 0x6A, 0xE4, 0xE5, 0x29, 0x3A, 0x70, 0xFB, 0xE4, 0x62,
+ 0x2B, 0x31, 0xB9, 0x7D
+};
+
+static const unsigned char kat_RSA_PSS_SHA384[] = {
+ 0x99, 0x02, 0xC9, 0x1E, 0x31, 0x82, 0xB4, 0xE6, 0x1B, 0x32, 0xCE, 0x5D,
+ 0x41, 0x1D, 0x00, 0x2F, 0x04, 0x8B, 0xBD, 0x37, 0x79, 0xCF, 0x77, 0x03,
+ 0x05, 0x6A, 0x21, 0xC7, 0x8D, 0x24, 0x60, 0x49, 0x39, 0x58, 0xC5, 0x27,
+ 0x8F, 0xC5, 0x97, 0x4A, 0xB2, 0xE1, 0xD4, 0x36, 0x57, 0xBD, 0x43, 0xCC,
+ 0x7B, 0xCE, 0xF2, 0xA5, 0x30, 0xF8, 0x72, 0x14, 0xBB, 0xD0, 0x9F, 0xC1,
+ 0x49, 0xC8, 0x1C, 0xAF, 0xCD, 0x95, 0x78, 0x72, 0x25, 0xF9, 0x45, 0xC6,
+ 0x5B, 0x62, 0x5E, 0x01, 0xD7, 0x40, 0x5E, 0xC8, 0xCA, 0x0A, 0xF3, 0xBA,
+ 0x08, 0x07, 0x88, 0xCA, 0x49, 0x36, 0x84, 0x7D, 0xF6, 0xFC, 0x5A, 0xDB,
+ 0xFC, 0x50, 0xD3, 0xEB, 0x3D, 0x83, 0xB0, 0xF5, 0x94, 0x5E, 0x88, 0xC3,
+ 0x82, 0xCD, 0x53, 0x40, 0x96, 0x18, 0x6B, 0x4A, 0x6C, 0x9C, 0xFE, 0xE5,
+ 0x3B, 0x75, 0xF9, 0xEB, 0xA5, 0x77, 0x11, 0xEF, 0x88, 0x1C, 0x25, 0x70,
+ 0x7D, 0x88, 0x5D, 0xC3, 0xCA, 0xE1, 0x49, 0x14, 0x90, 0xAD, 0xF2, 0x5E,
+ 0x49, 0xD7, 0x99, 0xA5, 0x7B, 0x77, 0x3B, 0x8E, 0xB8, 0xDB, 0xF1, 0x4C,
+ 0xD6, 0x9A, 0xDC, 0xE5, 0x7A, 0x1C, 0xE1, 0xCE, 0x9D, 0xF1, 0xF3, 0xA0,
+ 0x0A, 0x35, 0x52, 0x9D, 0xB9, 0x46, 0x94, 0x82, 0x0F, 0xF7, 0xB2, 0x62,
+ 0x51, 0x70, 0x75, 0xD2, 0x37, 0x96, 0x67, 0x2F, 0xD0, 0x22, 0xD8, 0x07,
+ 0x8D, 0x69, 0x9E, 0x6D, 0x0B, 0x40, 0x4F, 0x70, 0xEC, 0x0B, 0xCA, 0x88,
+ 0x80, 0x8D, 0x9A, 0xF4, 0xF9, 0x18, 0x50, 0x27, 0x08, 0xFA, 0xCC, 0xC7,
+ 0x3F, 0xE4, 0x84, 0x83, 0xA1, 0xB6, 0x1D, 0x23, 0x34, 0xFE, 0x48, 0xE5,
+ 0xE3, 0xAE, 0x4D, 0x98, 0xBC, 0xA6, 0x8A, 0x9F, 0xFD, 0x4D, 0xDB, 0x9D,
+ 0xF7, 0xEB, 0x4E, 0xB6, 0x6F, 0x25, 0xEA, 0x7A, 0xE9, 0x85, 0xB2, 0xEF,
+ 0x90, 0xD2, 0xA6, 0x2B
+};
+
+static const unsigned char kat_RSA_PSS_SHA512[] = {
+ 0x3F, 0x83, 0x43, 0x78, 0x25, 0xBE, 0x81, 0xB2, 0x6E, 0x78, 0x11, 0x32,
+ 0xD0, 0x88, 0x05, 0x53, 0x95, 0xED, 0x81, 0x12, 0xCE, 0x50, 0xD9, 0x06,
+ 0x42, 0x89, 0xA0, 0x55, 0x7A, 0x05, 0x13, 0x94, 0x35, 0x9B, 0xCA, 0x5D,
+ 0xCB, 0xB2, 0x32, 0xE1, 0x04, 0x99, 0xEC, 0xE7, 0xA6, 0x69, 0x4D, 0x2B,
+ 0xC1, 0x57, 0x13, 0x48, 0x0D, 0x6B, 0x4D, 0x83, 0x28, 0x06, 0x79, 0x9D,
+ 0xB4, 0x70, 0xCE, 0xC0, 0xFC, 0x3B, 0x69, 0xB3, 0x91, 0x54, 0xA9, 0x44,
+ 0x2E, 0xDA, 0x4A, 0xC5, 0xC2, 0x99, 0xF0, 0xDE, 0xCA, 0x77, 0x99, 0x6B,
+ 0x0C, 0x79, 0xE5, 0x29, 0x74, 0x83, 0x69, 0xEA, 0xB8, 0x72, 0x30, 0x3D,
+ 0x7A, 0x30, 0xE1, 0x03, 0x7B, 0x09, 0xE6, 0x11, 0xC0, 0xDC, 0xFF, 0xFD,
+ 0xBD, 0xEC, 0x9C, 0xCC, 0x46, 0x7B, 0x4C, 0x4C, 0x59, 0xBE, 0x82, 0x7C,
+ 0xF5, 0x60, 0x5A, 0xC3, 0xE8, 0xA8, 0x8A, 0x38, 0x9E, 0x01, 0x57, 0xF1,
+ 0x79, 0x3A, 0x7C, 0xA3, 0x9F, 0x12, 0x1A, 0x4F, 0x2E, 0xA2, 0xE5, 0x0A,
+ 0xAB, 0xC0, 0xF4, 0xA5, 0xE3, 0x5F, 0x89, 0x1C, 0x8F, 0xA4, 0x5E, 0xCE,
+ 0x0D, 0x91, 0x05, 0x1B, 0x17, 0x62, 0x48, 0xFE, 0xA5, 0x4C, 0xEF, 0x2D,
+ 0x28, 0xF1, 0x5E, 0xE6, 0xD1, 0x30, 0x89, 0x0A, 0xAD, 0x18, 0xAF, 0x6F,
+ 0x04, 0x09, 0x36, 0x9A, 0xFF, 0xCA, 0xA1, 0xA7, 0x05, 0x7F, 0xD4, 0xBF,
+ 0x3A, 0xB5, 0x42, 0x6D, 0xE9, 0x07, 0x29, 0x65, 0x8B, 0xAD, 0x4D, 0x0F,
+ 0x22, 0xE1, 0x59, 0x43, 0x68, 0x87, 0xA8, 0x8B, 0xBC, 0x69, 0xA1, 0x94,
+ 0x22, 0x3E, 0x8A, 0x49, 0xE8, 0xA3, 0x6F, 0xC2, 0x93, 0x58, 0xE7, 0xAE,
+ 0xC9, 0x1F, 0xCF, 0x61, 0x93, 0xFC, 0xC1, 0xF6, 0xF3, 0x27, 0x7F, 0x0A,
+ 0x90, 0xE0, 0x65, 0x32, 0x57, 0x47, 0xE2, 0xED, 0x08, 0x59, 0xA6, 0xF0,
+ 0x17, 0x2C, 0x13, 0xE0
+};
+
+static const unsigned char kat_RSA_SHA1[] = {
+ 0x3B, 0x60, 0x4B, 0xFC, 0x54, 0x28, 0x23, 0xE6, 0x2F, 0x05, 0x04, 0xBA,
+ 0x9D, 0xE4, 0x3C, 0xB8, 0x5B, 0x60, 0x5C, 0xCD, 0x9D, 0xEA, 0xC3, 0x4C,
+ 0xC2, 0x33, 0xE6, 0xC6, 0x21, 0x48, 0x76, 0xEC, 0xB2, 0xF5, 0x11, 0xDE,
+ 0x44, 0xB4, 0xAF, 0x16, 0x11, 0xC3, 0x18, 0x16, 0xB3, 0x69, 0xBB, 0x94,
+ 0xED, 0xE8, 0xB3, 0x9E, 0xB1, 0x43, 0x8E, 0xCE, 0xB4, 0x34, 0x9B, 0x08,
+ 0x22, 0xAF, 0x31, 0x73, 0xB5, 0xFA, 0x11, 0x7E, 0x8F, 0x13, 0x52, 0xEC,
+ 0xC9, 0x03, 0xEE, 0x0D, 0x2B, 0x91, 0x32, 0xF2, 0x8E, 0xDF, 0x02, 0xE0,
+ 0x0A, 0x47, 0xD2, 0x0A, 0x51, 0x00, 0x1A, 0x30, 0x6F, 0x0C, 0xB3, 0x54,
+ 0x64, 0x20, 0x90, 0x0C, 0x01, 0xBE, 0xC0, 0x42, 0x8C, 0x5D, 0x18, 0x6F,
+ 0x32, 0x75, 0x45, 0x7B, 0x1C, 0x04, 0xA2, 0x9F, 0x84, 0xD7, 0xF5, 0x3A,
+ 0x95, 0xD4, 0xE8, 0x8D, 0xEC, 0x99, 0xEF, 0x18, 0x5E, 0x64, 0xD3, 0xAF,
+ 0xF8, 0xD4, 0xFF, 0x3C, 0x87, 0xA0, 0x3F, 0xC7, 0x22, 0x05, 0xFD, 0xFD,
+ 0x29, 0x8A, 0x28, 0xDA, 0xA9, 0x8A, 0x8B, 0x23, 0x62, 0x9D, 0x42, 0xB8,
+ 0x4A, 0x76, 0x0D, 0x9F, 0x9A, 0xE0, 0xE6, 0xDD, 0xAD, 0x5E, 0x5F, 0xD5,
+ 0x32, 0xE9, 0x4B, 0x97, 0x7D, 0x62, 0x0A, 0xB3, 0xBE, 0xF2, 0x8C, 0x1F,
+ 0x2B, 0x22, 0x06, 0x15, 0x33, 0x71, 0xED, 0x9B, 0xA0, 0x82, 0xCE, 0xBF,
+ 0x3B, 0x08, 0x5F, 0xA7, 0x20, 0x94, 0x09, 0xEB, 0x82, 0xA5, 0x41, 0x60,
+ 0xF1, 0x08, 0xEB, 0x8D, 0xCC, 0x8D, 0xC9, 0x52, 0x0A, 0xAF, 0xF4, 0xF9,
+ 0x9F, 0x82, 0xD8, 0x0B, 0x75, 0x5E, 0xE4, 0xAF, 0x65, 0x96, 0xAF, 0xFC,
+ 0x33, 0xBF, 0x9F, 0x3E, 0xA4, 0x7B, 0x86, 0xC7, 0xF7, 0x47, 0xAB, 0x37,
+ 0x05, 0xD6, 0x0D, 0x31, 0x72, 0x8C, 0x80, 0x1E, 0xA9, 0x54, 0xFC, 0xDF,
+ 0x27, 0x90, 0xE2, 0x01
+};
+
+static const unsigned char kat_RSA_SHA224[] = {
+ 0xA2, 0xD8, 0x42, 0x53, 0xDD, 0xBF, 0x1F, 0x6B, 0x07, 0xE0, 0x60, 0x86,
+ 0x5A, 0x60, 0x06, 0x8F, 0x44, 0xD9, 0xB0, 0x4A, 0xAA, 0x90, 0x71, 0xB8,
+ 0xB2, 0xBC, 0x30, 0x41, 0x50, 0xBB, 0xFD, 0x46, 0x98, 0x4D, 0xC0, 0x89,
+ 0x57, 0x85, 0x8A, 0x97, 0x49, 0x25, 0xA8, 0x0C, 0x69, 0x70, 0x19, 0x39,
+ 0x66, 0x24, 0xB4, 0x69, 0x47, 0xD2, 0x7C, 0xDE, 0x2D, 0x37, 0x59, 0xB3,
+ 0xE3, 0xC7, 0x6B, 0xDD, 0xBE, 0xE1, 0xE6, 0x28, 0x9A, 0x8D, 0x42, 0x3E,
+ 0x28, 0x01, 0xD7, 0x03, 0xC9, 0x73, 0xC3, 0x6B, 0x03, 0xEC, 0x1E, 0xF8,
+ 0x53, 0x8B, 0x52, 0x42, 0x89, 0x55, 0xB7, 0x87, 0xA9, 0x94, 0xC2, 0xB4,
+ 0x4B, 0x76, 0xF5, 0x61, 0x47, 0xE1, 0x44, 0x7B, 0xEC, 0xB4, 0x25, 0x66,
+ 0xC0, 0xFF, 0xEB, 0x86, 0x24, 0xAA, 0xA8, 0x72, 0xC7, 0xFB, 0xFB, 0xF6,
+ 0x84, 0xA7, 0x5B, 0xD4, 0x87, 0xE5, 0x84, 0x56, 0x1E, 0x4C, 0xE5, 0xBC,
+ 0x87, 0x94, 0xAC, 0x9C, 0x1B, 0x3D, 0xF7, 0xD4, 0x36, 0x85, 0x9F, 0xC9,
+ 0xF6, 0x43, 0x3F, 0xB6, 0x25, 0x33, 0x48, 0x0F, 0xE5, 0x7C, 0xCD, 0x53,
+ 0x48, 0xEB, 0x02, 0x11, 0xB9, 0x9E, 0xC3, 0xB4, 0xE1, 0x54, 0xD6, 0xAA,
+ 0x1A, 0x9E, 0x10, 0xE1, 0x27, 0x25, 0xF2, 0xE1, 0xAB, 0xAB, 0x6C, 0x45,
+ 0x61, 0xD5, 0xA3, 0x6C, 0xB6, 0x33, 0x52, 0xAE, 0x3D, 0xFD, 0x22, 0xFC,
+ 0x3A, 0xAB, 0x63, 0x94, 0xB5, 0x3A, 0x69, 0x11, 0xAC, 0x99, 0x4F, 0x33,
+ 0x67, 0x0A, 0x1A, 0x70, 0x1E, 0xB9, 0xE2, 0x26, 0x27, 0x68, 0xEA, 0xF5,
+ 0x97, 0x55, 0xAC, 0x83, 0x6A, 0x40, 0x3B, 0x56, 0xAE, 0x13, 0x88, 0xE8,
+ 0x98, 0x72, 0x52, 0x91, 0x7F, 0x78, 0x0A, 0x18, 0xD4, 0x44, 0x78, 0x83,
+ 0x0D, 0x44, 0x77, 0xA6, 0xF3, 0x04, 0xF1, 0x8C, 0xBC, 0x2F, 0xF9, 0x5B,
+ 0xDB, 0x70, 0x00, 0xF6
+};
+
+static const unsigned char kat_RSA_SHA256[] = {
+ 0xC2, 0xB1, 0x97, 0x00, 0x9A, 0xE5, 0x80, 0x6A, 0xE2, 0x51, 0x68, 0xB9,
+ 0x7A, 0x0C, 0xF2, 0xB4, 0x77, 0xED, 0x15, 0x0C, 0x4E, 0xE1, 0xDC, 0xFF,
+ 0x8E, 0xBC, 0xDE, 0xC7, 0x9A, 0x96, 0xF1, 0x47, 0x45, 0x24, 0x9D, 0x6F,
+ 0xA6, 0xF3, 0x1D, 0x0D, 0x35, 0x4C, 0x1A, 0xF3, 0x58, 0x2C, 0x6C, 0x06,
+ 0xD6, 0x22, 0x37, 0x77, 0x8C, 0x33, 0xE5, 0x07, 0x53, 0x93, 0x28, 0xCF,
+ 0x67, 0xFA, 0xC4, 0x1F, 0x1B, 0x24, 0xDB, 0x4C, 0xC5, 0x2A, 0x51, 0xA2,
+ 0x60, 0x15, 0x8C, 0x54, 0xB4, 0x30, 0xE2, 0x24, 0x47, 0x86, 0xF2, 0xF8,
+ 0x6C, 0xD6, 0x12, 0x59, 0x2C, 0x74, 0x9A, 0x37, 0xF3, 0xC4, 0xA2, 0xD5,
+ 0x4E, 0x1F, 0x77, 0xF0, 0x27, 0xCE, 0x77, 0xF8, 0x4A, 0x79, 0x03, 0xBE,
+ 0xC8, 0x06, 0x2D, 0xA7, 0xA6, 0x46, 0xF5, 0x55, 0x79, 0xD7, 0x5C, 0xC6,
+ 0x5B, 0xB1, 0x00, 0x4E, 0x7C, 0xD9, 0x11, 0x85, 0xE0, 0xB1, 0x4D, 0x2D,
+ 0x13, 0xD7, 0xAC, 0xEA, 0x64, 0xD1, 0xAC, 0x8F, 0x8D, 0x8F, 0xEA, 0x42,
+ 0x7F, 0xF9, 0xB7, 0x7D, 0x2C, 0x68, 0x49, 0x07, 0x7A, 0x74, 0xEF, 0xB4,
+ 0xC9, 0x97, 0x16, 0x5C, 0x6C, 0x6E, 0x5C, 0x09, 0x2E, 0x8E, 0x13, 0x2E,
+ 0x1A, 0x8D, 0xA6, 0x0C, 0x6E, 0x0C, 0x1C, 0x0F, 0xCC, 0xB2, 0x78, 0x8A,
+ 0x07, 0xFC, 0x5C, 0xC2, 0xF5, 0x65, 0xEC, 0xAB, 0x8B, 0x3C, 0xCA, 0x91,
+ 0x6F, 0x84, 0x7C, 0x21, 0x0E, 0xB8, 0xDA, 0x7B, 0x6C, 0xF7, 0xDF, 0xAB,
+ 0x7E, 0x15, 0xFD, 0x85, 0x0B, 0x33, 0x9B, 0x6A, 0x3A, 0xC3, 0xEF, 0x65,
+ 0x04, 0x6E, 0xB2, 0xAC, 0x98, 0xFD, 0xEB, 0x02, 0xF5, 0xC0, 0x0B, 0x5E,
+ 0xCB, 0xD4, 0x83, 0x82, 0x18, 0x1B, 0xDA, 0xB4, 0xCD, 0xE8, 0x71, 0x6B,
+ 0x1D, 0xB5, 0x4F, 0xE9, 0xD6, 0x43, 0xA0, 0x0A, 0x14, 0xA0, 0xE7, 0x5D,
+ 0x47, 0x9D, 0x18, 0xD7
+};
+
+static const unsigned char kat_RSA_SHA384[] = {
+ 0x11, 0x5E, 0x63, 0xFE, 0x47, 0xAA, 0x6A, 0x84, 0xEB, 0x44, 0x9A, 0x00,
+ 0x96, 0x4A, 0xED, 0xD2, 0xA7, 0x67, 0x3A, 0x64, 0x82, 0x30, 0x61, 0x2D,
+ 0xE3, 0xF5, 0x49, 0x68, 0x5E, 0x60, 0xD2, 0x4D, 0xEF, 0xF2, 0xA4, 0xB2,
+ 0x9A, 0x81, 0x1D, 0x41, 0xA5, 0x73, 0x59, 0xEB, 0xBB, 0xC4, 0x9E, 0x2B,
+ 0xEB, 0xC3, 0xDE, 0x3A, 0xEA, 0xF5, 0xAD, 0xDA, 0x87, 0x08, 0x68, 0xCF,
+ 0x12, 0x9B, 0xC1, 0xE4, 0xA7, 0x71, 0xF8, 0xBD, 0x6B, 0x6F, 0x50, 0xF1,
+ 0xD1, 0xFF, 0xCE, 0x6C, 0xD9, 0xBE, 0xDA, 0x76, 0xF3, 0xEB, 0xAB, 0x9C,
+ 0x41, 0x6E, 0x4F, 0x35, 0x7A, 0x61, 0x27, 0xBC, 0x03, 0x3E, 0xAE, 0x3E,
+ 0x1B, 0xDD, 0xAC, 0xD9, 0x1A, 0xFF, 0xD3, 0xF5, 0x66, 0x43, 0x07, 0x76,
+ 0x8A, 0x69, 0x2D, 0x14, 0xB1, 0xBE, 0x55, 0x49, 0x90, 0x89, 0x4B, 0xC4,
+ 0x11, 0x67, 0xD5, 0x9D, 0xB0, 0xB2, 0xEE, 0x8D, 0x0A, 0x47, 0x4A, 0xD9,
+ 0x0E, 0xD1, 0x24, 0xF0, 0x30, 0x2B, 0xF2, 0x79, 0x47, 0xDB, 0x70, 0xB4,
+ 0x46, 0xF2, 0xF8, 0xB7, 0xB4, 0xF6, 0x34, 0x79, 0xA8, 0x2D, 0x3D, 0x56,
+ 0xD5, 0x9A, 0x60, 0x7A, 0x04, 0xC7, 0x66, 0x1D, 0xCD, 0x3C, 0xD5, 0x39,
+ 0x37, 0x12, 0x51, 0x5E, 0x9F, 0xF8, 0x1A, 0xAF, 0x13, 0xC1, 0x13, 0x00,
+ 0x35, 0xD5, 0x8D, 0x17, 0xE3, 0x02, 0x28, 0xD9, 0xEC, 0xDE, 0xD1, 0x2F,
+ 0x93, 0x49, 0x03, 0x11, 0x3E, 0x56, 0x9D, 0xC2, 0x31, 0xF8, 0xAF, 0x2D,
+ 0xD9, 0x99, 0xB7, 0x8A, 0xAC, 0x5A, 0x86, 0x20, 0x3A, 0x83, 0x29, 0x26,
+ 0x9D, 0x03, 0x52, 0x2B, 0x34, 0x56, 0x40, 0x16, 0x53, 0x50, 0x82, 0xC9,
+ 0xC7, 0xD5, 0x51, 0x4C, 0xED, 0xB3, 0xE2, 0xE1, 0xCF, 0xA8, 0xCE, 0xBD,
+ 0xB1, 0x48, 0xA6, 0x8A, 0x79, 0x17, 0x55, 0x11, 0xEF, 0xE8, 0x14, 0xF4,
+ 0x7E, 0x37, 0x1D, 0x96
+};
+
+static const unsigned char kat_RSA_SHA512[] = {
+ 0x35, 0x6D, 0xF1, 0x9E, 0xCF, 0xB1, 0xF6, 0x0C, 0x04, 0x21, 0x17, 0xB3,
+ 0xC4, 0x9D, 0xFE, 0x62, 0x1C, 0x1A, 0x45, 0x00, 0x2E, 0x6B, 0xB6, 0x9F,
+ 0x5C, 0xB1, 0xCB, 0xCF, 0xF9, 0x67, 0xEA, 0x62, 0x8A, 0xEB, 0x77, 0x02,
+ 0x42, 0x30, 0x88, 0xB1, 0x48, 0xDF, 0x12, 0x60, 0x6E, 0x92, 0xBB, 0x4B,
+ 0x09, 0x68, 0xD1, 0x70, 0x2B, 0x59, 0xEE, 0x57, 0x96, 0xF9, 0xEA, 0xA3,
+ 0x4C, 0xE9, 0xC9, 0xBD, 0x25, 0x34, 0x66, 0x15, 0x6C, 0xC9, 0x81, 0xD1,
+ 0x48, 0x0F, 0x33, 0x5F, 0x05, 0x4F, 0xC2, 0xC4, 0xDD, 0x09, 0x54, 0x79,
+ 0xA1, 0x57, 0x07, 0x70, 0xA0, 0x33, 0x02, 0x4D, 0x5D, 0xE9, 0x24, 0xD1,
+ 0xEF, 0xF0, 0x61, 0xD0, 0x1D, 0x41, 0xE2, 0x9B, 0x2B, 0x7C, 0xD0, 0x4E,
+ 0x55, 0xD9, 0x6D, 0xA1, 0x16, 0x9F, 0xDA, 0xC3, 0x3B, 0xF1, 0x74, 0xD1,
+ 0x99, 0xF1, 0x63, 0x57, 0xAD, 0xC7, 0x55, 0xF4, 0x97, 0x43, 0x1C, 0xED,
+ 0x1B, 0x7A, 0x32, 0xCB, 0x24, 0xA6, 0x3D, 0x93, 0x37, 0x90, 0x74, 0xEE,
+ 0xD2, 0x8D, 0x4B, 0xBC, 0x72, 0xDA, 0x25, 0x2B, 0x64, 0xE9, 0xCA, 0x69,
+ 0x36, 0xB6, 0xEC, 0x6E, 0x8F, 0x33, 0x0E, 0x74, 0x40, 0x48, 0x51, 0xE2,
+ 0x54, 0x6F, 0xAF, 0x6E, 0x36, 0x54, 0x3A, 0xEC, 0x78, 0x37, 0xE6, 0x1F,
+ 0x76, 0xA5, 0x4D, 0xA6, 0xD9, 0xB3, 0x6B, 0x17, 0x6D, 0x61, 0xFC, 0xA3,
+ 0x85, 0x4A, 0xCC, 0xDA, 0x52, 0xAC, 0x5B, 0xDA, 0x51, 0xE5, 0x7F, 0x5B,
+ 0x52, 0x8B, 0x74, 0x75, 0x99, 0x5C, 0x01, 0xFD, 0x25, 0x3E, 0xCD, 0x86,
+ 0x6F, 0x7A, 0xC0, 0xD8, 0x17, 0x6F, 0xD1, 0xD2, 0x6B, 0xAB, 0x14, 0x1F,
+ 0x3B, 0xB8, 0x15, 0x05, 0x86, 0x40, 0x36, 0xCF, 0xDA, 0x59, 0x2B, 0x9A,
+ 0xE9, 0x1E, 0x6E, 0xD3, 0x6B, 0xA1, 0x19, 0xC5, 0xE6, 0x3F, 0xE9, 0x2E,
+ 0x43, 0xA8, 0x34, 0x0A
+};
+
+static int fips_rsa_encrypt_test(RSA *rsa, const unsigned char *plaintext,
+ int ptlen)
+{
+ unsigned char *ctbuf = NULL, *ptbuf = NULL;
+ int ret = 0;
+ int len;
+
+ ctbuf = OPENSSL_malloc(RSA_size(rsa));
+ if (!ctbuf)
+ goto err;
+
+ len = RSA_public_encrypt(ptlen, plaintext, ctbuf, rsa, RSA_PKCS1_PADDING);
+ if (len <= 0)
+ goto err;
+ /* Check ciphertext doesn't match plaintext */
+ if (len >= ptlen && !memcmp(plaintext, ctbuf, ptlen))
+ goto err;
+
+ ptbuf = OPENSSL_malloc(RSA_size(rsa));
+ if (!ptbuf)
+ goto err;
+
+ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
+ if (len != ptlen)
+ goto err;
+ if (memcmp(ptbuf, plaintext, len))
+ goto err;
+
+ ret = 1;
+
+ err:
+ if (ctbuf)
+ OPENSSL_free(ctbuf);
+ if (ptbuf)
+ OPENSSL_free(ptbuf);
+ return ret;
+}
+
+int FIPS_selftest_rsa()
+{
+ int ret = 0;
+ RSA *key;
+ EVP_PKEY *pk = NULL;
+
+ if ((key = RSA_new()) == NULL)
+ goto err;
+
+ if (!setrsakey(key))
+ goto err;
+
+ if ((pk = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ EVP_PKEY_set1_RSA(pk, key);
+
+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_SHA1, sizeof(kat_RSA_SHA1),
+ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1,
+ "RSA SHA1 PKCS#1"))
+ goto err;
+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_SHA224, sizeof(kat_RSA_SHA224),
+ EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PKCS1,
+ "RSA SHA224 PKCS#1"))
+ goto err;
+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_SHA256, sizeof(kat_RSA_SHA256),
+ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1,
+ "RSA SHA256 PKCS#1"))
+ goto err;
+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_SHA384, sizeof(kat_RSA_SHA384),
+ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PKCS1,
+ "RSA SHA384 PKCS#1"))
+ goto err;
+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_SHA512, sizeof(kat_RSA_SHA512),
+ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PKCS1,
+ "RSA SHA512 PKCS#1"))
+ goto err;
+
+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_PSS_SHA1, sizeof(kat_RSA_PSS_SHA1),
+ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS,
+ "RSA SHA1 PSS"))
+ goto err;
+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_PSS_SHA224,
+ sizeof(kat_RSA_PSS_SHA224), EVP_sha224(),
+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA224 PSS"))
+ goto err;
+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_PSS_SHA256,
+ sizeof(kat_RSA_PSS_SHA256), EVP_sha256(),
+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA256 PSS"))
+ goto err;
+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_PSS_SHA384,
+ sizeof(kat_RSA_PSS_SHA384), EVP_sha384(),
+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA384 PSS"))
+ goto err;
+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_PSS_SHA512,
+ sizeof(kat_RSA_PSS_SHA512), EVP_sha512(),
+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA512 PSS"))
+ goto err;
+
+ if (!fips_rsa_encrypt_test(key, kat_tbs, sizeof(kat_tbs) - 1))
+ goto err;
+
+ ret = 1;
+
+ err:
+ if (pk)
+ EVP_PKEY_free(pk);
+ if (key)
+ RSA_free(key);
+ return ret;
+}
+
+#endif /* def OPENSSL_FIPS */
diff -up openssl-1.1.0f/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.0f/crypto/fips/fips_sha_selftest.c
--- openssl-1.1.0f/crypto/fips/fips_sha_selftest.c.fips 2017-06-02 14:14:25.467421366 +0200
+++ openssl-1.1.0f/crypto/fips/fips_sha_selftest.c 2017-06-02 14:14:25.467421366 +0200
@@ -0,0 +1,138 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string.h>
+#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
+#include <openssl/evp.h>
+#include <openssl/sha.h>
+
+#ifdef OPENSSL_FIPS
+static const char test[][60] = {
+ "",
+ "abc",
+ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
+};
+
+static const unsigned char ret[][SHA_DIGEST_LENGTH] = {
+ {0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55,
+ 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09},
+ {0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a, 0xba, 0x3e,
+ 0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d},
+ {0x84, 0x98, 0x3e, 0x44, 0x1c, 0x3b, 0xd2, 0x6e, 0xba, 0xae,
+ 0x4a, 0xa1, 0xf9, 0x51, 0x29, 0xe5, 0xe5, 0x46, 0x70, 0xf1},
+};
+
+int FIPS_selftest_sha1()
+{
+ int n;
+
+ for (n = 0; n < sizeof(test) / sizeof(test[0]); ++n) {
+ unsigned char md[SHA_DIGEST_LENGTH];
+
+ EVP_Digest(test[n], strlen(test[n]), md, NULL,
+ EVP_sha1(), NULL);
+ if (memcmp(md, ret[n], sizeof md)) {
+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA1, FIPS_R_SELFTEST_FAILED);
+ return 0;
+ }
+ }
+ return 1;
+}
+
+static const unsigned char msg_sha256[] =
+ { 0xfa, 0x48, 0x59, 0x2a, 0xe1, 0xae, 0x1f, 0x30,
+ 0xfc
+};
+
+static const unsigned char dig_sha256[] =
+ { 0xf7, 0x26, 0xd8, 0x98, 0x47, 0x91, 0x68, 0x5b,
+ 0x9e, 0x39, 0xb2, 0x58, 0xbb, 0x75, 0xbf, 0x01,
+ 0x17, 0x0c, 0x84, 0x00, 0x01, 0x7a, 0x94, 0x83,
+ 0xf3, 0x0b, 0x15, 0x84, 0x4b, 0x69, 0x88, 0x8a
+};
+
+static const unsigned char msg_sha512[] =
+ { 0x37, 0xd1, 0x35, 0x9d, 0x18, 0x41, 0xe9, 0xb7,
+ 0x6d, 0x9a, 0x13, 0xda, 0x5f, 0xf3, 0xbd
+};
+
+static const unsigned char dig_sha512[] =
+ { 0x11, 0x13, 0xc4, 0x19, 0xed, 0x2b, 0x1d, 0x16,
+ 0x11, 0xeb, 0x9b, 0xbe, 0xf0, 0x7f, 0xcf, 0x44,
+ 0x8b, 0xd7, 0x57, 0xbd, 0x8d, 0xa9, 0x25, 0xb0,
+ 0x47, 0x25, 0xd6, 0x6c, 0x9a, 0x54, 0x7f, 0x8f,
+ 0x0b, 0x53, 0x1a, 0x10, 0x68, 0x32, 0x03, 0x38,
+ 0x82, 0xc4, 0x87, 0xc4, 0xea, 0x0e, 0xd1, 0x04,
+ 0xa9, 0x98, 0xc1, 0x05, 0xa3, 0xf3, 0xf8, 0xb1,
+ 0xaf, 0xbc, 0xd9, 0x78, 0x7e, 0xee, 0x3d, 0x43
+};
+
+int FIPS_selftest_sha2(void)
+{
+ unsigned char md[SHA512_DIGEST_LENGTH];
+
+ EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL);
+ if (memcmp(dig_sha256, md, sizeof(dig_sha256))) {
+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED);
+ return 0;
+ }
+
+ EVP_Digest(msg_sha512, sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL);
+ if (memcmp(dig_sha512, md, sizeof(dig_sha512))) {
+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED);
+ return 0;
+ }
+
+ return 1;
+}
+
+#endif
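Review bot: Both FIPS_selftest_sha1 and FIPS_selftest_sha2 ignore the return value of EVP_Digest, so a digest that fails to initialise leaves `md` uninitialised and the self-test verdict then depends on stack garbage instead of on a detected error; fold the call into the check, e.g. `if (!EVP_Digest(test[n], strlen(test[n]), md, NULL, EVP_sha1(), NULL) || memcmp(md, ret[n], sizeof md)) {`, and likewise for the two SHA-2 calls. In FIPS_selftest_sha1 the loop index `int n` is compared against a `size_t` expression; `size_t n` removes the signed/unsigned comparison. The definition `int FIPS_selftest_sha1()` should be `(void)` to match the prototype given in fips_int.h in this same patch. The SHA-2 test covers only SHA-256 and SHA-512; whether SHA-224/384 need their own known-answer vectors depends on what the module claims, which is not visible here.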
diff -up openssl-1.1.0f/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.0f/crypto/fips/fips_standalone_hmac.c
--- openssl-1.1.0f/crypto/fips/fips_standalone_hmac.c.fips 2017-06-02 14:14:25.468421390 +0200
+++ openssl-1.1.0f/crypto/fips/fips_standalone_hmac.c 2017-06-02 14:14:25.468421390 +0200
@@ -0,0 +1,127 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/opensslconf.h>
+#include <openssl/hmac.h>
+#include <openssl/sha.h>
+
+int main(int argc, char **argv)
+{
+#ifdef OPENSSL_FIPS
+ static char key[] = "orboDeJITITejsirpADONivirpUkvarP";
+ int n, binary = 0;
+
+ if (argc < 2) {
+ fprintf(stderr, "%s [<file>]+\n", argv[0]);
+ exit(1);
+ }
+
+ n = 1;
+ if (!strcmp(argv[n], "-binary")) {
+ n++;
+ binary = 1; /* emit binary fingerprint... */
+ }
+
+ for (; n < argc; ++n) {
+ FILE *f = fopen(argv[n], "rb");
+ HMAC_CTX *hmac_ctx;
+ unsigned char mac[EVP_MAX_MD_SIZE];
+ unsigned int len;
+ unsigned int i;
+
+ if (!f) {
+ perror(argv[n]);
+ exit(2);
+ }
+ hmac_ctx = HMAC_CTX_new();
+ if (!hmac_ctx)
+ exit(3);
+
+ if (HMAC_Init_ex(hmac_ctx, key, strlen(key), EVP_sha256(), NULL) <= 0) {
+ fprintf(stderr, "HMAC SHA256 initialization failed.\n");
+ exit(4);
+ }
+
+ for (;;) {
+ char buf[1024];
+ size_t l = fread(buf, 1, sizeof buf, f);
+
+ if (l == 0) {
+ if (ferror(f)) {
+ perror(argv[n]);
+ exit(3);
+ } else
+ break;
+ }
+ if (HMAC_Update(hmac_ctx, buf, l) <= 0) {
+ fprintf(stderr, "HMAC_Update() failed.\n");
+ exit(4);
+ }
+ }
+ if (HMAC_Final(hmac_ctx, mac, &len) <= 0) {
+ fprintf(stderr, "HMAC_Final() failed.\n");
+ exit(4);
+ }
+
+ if (binary) {
+ fwrite(mac, len, 1, stdout);
+ break; /* ... for single(!) file */
+ }
+
+/* printf("HMAC-SHA1(%s)= ",argv[n]); */
+ for (i = 0; i < len; ++i)
+ printf("%02x", mac[i]);
+ printf("\n");
+ }
+#endif
+ return 0;
+}
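Review bot: main leaks both `f` and `hmac_ctx` on every iteration of the per-file loop: neither `fclose(f)` nor `HMAC_CTX_free(hmac_ctx)` is called on the success path, so hashing many files accumulates open descriptors and contexts. Release them right after the `HMAC_Final` check and before the `if (binary)` branch: `fclose(f);` followed by `HMAC_CTX_free(hmac_ctx);`. The `fwrite` of the binary fingerprint is also unchecked, so a short write to a full or closed stdout silently yields a truncated fingerprint for the integrity check; test its result, or check `ferror(stdout)` after `fflush(stdout)` before returning 0.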
diff -up openssl-1.1.0f/crypto/hmac/hmac.c.fips openssl-1.1.0f/crypto/hmac/hmac.c
--- openssl-1.1.0f/crypto/hmac/hmac.c.fips 2017-05-25 14:46:19.000000000 +0200
+++ openssl-1.1.0f/crypto/hmac/hmac.c 2017-06-02 14:14:25.468421390 +0200
@@ -35,6 +35,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
}
if (key != NULL) {
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(EVP_MD_flags(md) & EVP_MD_FLAG_FIPS)
+ && (!EVP_MD_CTX_test_flags(ctx->md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
+ || !EVP_MD_CTX_test_flags(ctx->i_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
+ || !EVP_MD_CTX_test_flags(ctx->o_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))
+ goto err;
+#endif
reset = 1;
j = EVP_MD_block_size(md);
OPENSSL_assert(j <= (int)sizeof(ctx->key));
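Review bot: The new FIPS guard fails silently: on the rejected path HMAC_Init_ex returns 0 via `goto err` with nothing placed on the error queue, so a caller cannot tell "digest not FIPS-approved" apart from the existing bad-argument failures. If this build has an HMAC or FIPS reason code for the case, push it before the jump; otherwise a comment such as `/* FIPS mode: refuse digests without EVP_MD_FLAG_FIPS unless all three sub-contexts opted out via EVP_MD_CTX_FLAG_NON_FIPS_ALLOW */` would at least document the intent of the three-way test. HMAC_Init_ex and its err label lie outside the hunk.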
diff -up openssl-1.1.0f/crypto/include/internal/fips_int.h.fips openssl-1.1.0f/crypto/include/internal/fips_int.h
--- openssl-1.1.0f/crypto/include/internal/fips_int.h.fips 2017-06-02 14:14:25.468421390 +0200
+++ openssl-1.1.0f/crypto/include/internal/fips_int.h 2017-06-02 14:14:25.468421390 +0200
@@ -0,0 +1,101 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <openssl/opensslconf.h>
+#include <openssl/evp.h>
+
+#ifndef OPENSSL_FIPS
+# error FIPS is disabled.
+#endif
+
+#ifdef OPENSSL_FIPS
+
+int FIPS_module_mode_set(int onoff);
+int FIPS_module_mode(void);
+int FIPS_module_installed(void);
+int FIPS_selftest_sha1(void);
+int FIPS_selftest_sha2(void);
+int FIPS_selftest_aes_ccm(void);
+int FIPS_selftest_aes_gcm(void);
+int FIPS_selftest_aes_xts(void);
+int FIPS_selftest_aes(void);
+int FIPS_selftest_des(void);
+int FIPS_selftest_rsa(void);
+int FIPS_selftest_dsa(void);
+int FIPS_selftest_ecdsa(void);
+int FIPS_selftest_ecdh(void);
+int FIPS_selftest_dh(void);
+void FIPS_drbg_stick(int onoff);
+int FIPS_selftest_hmac(void);
+int FIPS_selftest_drbg(void);
+int FIPS_selftest_cmac(void);
+
+int fips_pkey_signature_test(EVP_PKEY *pkey,
+ const unsigned char *tbs, int tbslen,
+ const unsigned char *kat,
+ unsigned int katlen,
+ const EVP_MD *digest,
+ unsigned int md_flags, const char *fail_str);
+
+int fips_cipher_test(EVP_CIPHER_CTX *ctx,
+ const EVP_CIPHER *cipher,
+ const unsigned char *key,
+ const unsigned char *iv,
+ const unsigned char *plaintext,
+ const unsigned char *ciphertext, int len);
+
+void fips_set_selftest_fail(void);
+
+const EVP_MD *FIPS_get_digestbynid(int nid);
+
+const EVP_CIPHER *FIPS_get_cipherbynid(int nid);
+
+void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
+
+#endif
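Review bot: The new internal header has no include guard, so a translation unit that pulls it in twice (directly and through another internal header) gets duplicate prototypes, and the `#ifndef OPENSSL_FIPS` `#error` immediately followed by `#ifdef OPENSSL_FIPS` is redundant because the error already stops compilation. Wrap the body in a guard following the convention rand_lcl.h uses in this same patch, e.g. `#ifndef HEADER_FIPS_INT_H` / `# define HEADER_FIPS_INT_H` … `#endif`, and drop the inner `#ifdef`. A one-line header comment stating that the file is private to libcrypto's FIPS glue and must only be included under `#ifdef OPENSSL_FIPS` would also help the next includer.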
diff -up openssl-1.1.0f/crypto/o_fips.c.fips openssl-1.1.0f/crypto/o_fips.c
--- openssl-1.1.0f/crypto/o_fips.c.fips 2017-05-25 14:46:19.000000000 +0200
+++ openssl-1.1.0f/crypto/o_fips.c 2017-06-02 14:14:25.468421390 +0200
@@ -9,7 +9,10 @@
#include "internal/cryptlib.h"
#ifdef OPENSSL_FIPS
+# include <openssl/rand.h>
# include <openssl/fips.h>
+# include <openssl/fips_rand.h>
+# include "internal/fips_int.h"
#endif
int FIPS_mode(void)
@@ -24,7 +27,15 @@ int FIPS_mode(void)
int FIPS_mode_set(int r)
{
#ifdef OPENSSL_FIPS
- return FIPS_module_mode_set(r);
+ if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */
+ return 1;
+ if (!FIPS_module_mode_set(r))
+ return 0;
+ if (r)
+ RAND_set_rand_method(FIPS_rand_get_method());
+ else
+ RAND_set_rand_method(NULL);
+ return 1;
#else
if (r == 0)
return 1;
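Review bot: FIPS_mode_set returns 1 after `RAND_set_rand_method(...)` without looking at that call's result, so a failure to install the FIPS DRBG as the default RAND method is reported as success and the process keeps drawing from the non-FIPS PRNG while FIPS_mode() says otherwise. Return the result instead: `return RAND_set_rand_method(r ? FIPS_rand_get_method() : NULL);`. The early `return 1` when the module is already in FIPS mode also skips reinstalling the DRBG method, so if an application has meanwhile called RAND_set_rand_method itself a second FIPS_mode_set(1) will not restore it — presumably acceptable, but worth stating in the comment on that line.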
diff -up openssl-1.1.0f/crypto/o_init.c.fips openssl-1.1.0f/crypto/o_init.c
--- openssl-1.1.0f/crypto/o_init.c.fips 2017-05-25 14:46:19.000000000 +0200
+++ openssl-1.1.0f/crypto/o_init.c 2017-06-02 14:14:25.468421390 +0200
@@ -7,11 +7,50 @@
* https://www.openssl.org/source/license.html
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <e_os.h>
#include <openssl/err.h>
#ifdef OPENSSL_FIPS
-# include <openssl/fips.h>
+# include <sys/types.h>
+# include <sys/stat.h>
+# include <fcntl.h>
+# include <unistd.h>
+# include <errno.h>
+# include <stdlib.h>
# include <openssl/rand.h>
+# include <openssl/fips.h>
+# include "internal/fips_int.h"
+
+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
+
+static void init_fips_mode(void)
+{
+ char buf[2] = "0";
+ int fd;
+
+ /* Ensure the selftests always run */
+ FIPS_mode_set(1);
+
+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
+ buf[0] = '1';
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
+ close(fd);
+ }
+ /* Failure reading the fips mode switch file means just not
+ * switching into FIPS mode. We would break too many things
+ * otherwise..
+ */
+
+ if (buf[0] != '1') {
+ /* drop down to non-FIPS mode if it is not requested */
+ FIPS_mode_set(0);
+ } else {
+ /* abort if selftest failed */
+ FIPS_selftest_check();
+ }
+}
#endif
/*
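Review bot: `secure_getenv` is a glibc extension (hence the `_GNU_SOURCE` define at the top of the hunk), so init_fips_mode only builds against glibc; either a fallback or a build-time check would make that dependency explicit rather than a link-time surprise. The result of the initial `FIPS_mode_set(1)` is discarded, which is only safe because the FIPS-requested branch relies on `FIPS_selftest_check()` to abort on a failed self-test; say so on that line, e.g. `/* Return value deliberately ignored: a self-test failure is caught by FIPS_selftest_check() below when FIPS mode is requested */`. The read loop only retries on EINTR; any other read failure leaves `buf` at "0", which the comment below covers, but `O_CLOEXEC` on the `open` would avoid leaking the descriptor to a child if this ever runs concurrently with a fork.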
@@ -19,16 +58,29 @@
* sets FIPS callbacks
*/
-void OPENSSL_init(void)
+void __attribute__ ((constructor)) OPENSSL_init_library(void)
{
static int done = 0;
if (done)
return;
done = 1;
#ifdef OPENSSL_FIPS
- FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock);
- FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);
- FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);
+ if (!FIPS_module_installed()) {
+ return;
+ }
RAND_init_fips();
+ init_fips_mode();
+ if (!FIPS_mode()) {
+ /* Clean up prematurely set default rand method */
+ RAND_set_rand_method(NULL);
+ }
+#endif
+#if 0
+ fprintf(stderr, "Called OPENSSL_init\n");
#endif
}
+
+void OPENSSL_init(void)
+{
+ OPENSSL_init_library();
+}
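Review bot: The result of `RAND_init_fips()` is discarded, yet that function returns 0 when the DRBG cannot be initialised or instantiated (rand_lib.c in this same patch), after which `init_fips_mode()` still calls `FIPS_mode_set(1)` and may install a DRBG method that never completed instantiation. Whether `FIPS_selftest_check()` catches that case is not visible here; at minimum the failure should be explicit, e.g. `if (!RAND_init_fips()) { /* DRBG unusable: apply the chosen policy (abort or stay non-FIPS) here */ }`. The `#if 0` fprintf block is dead code and should be removed rather than shipped. `__attribute__ ((constructor))` is a GCC/Clang extension; since OPENSSL_init is now only a wrapper, a comment noting that other toolchains must call OPENSSL_init explicitly would help.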
diff -up openssl-1.1.0f/crypto/rand/md_rand.c.fips openssl-1.1.0f/crypto/rand/md_rand.c
--- openssl-1.1.0f/crypto/rand/md_rand.c.fips 2017-05-25 14:46:19.000000000 +0200
+++ openssl-1.1.0f/crypto/rand/md_rand.c 2017-06-02 14:14:25.468421390 +0200
@@ -360,7 +360,7 @@ static int rand_bytes(unsigned char *buf
CRYPTO_THREAD_unlock(rand_tmp_lock);
crypto_lock_rand = 1;
- if (!initialized) {
+ if (!initialized || FIPS_mode()) {
RAND_poll();
initialized = 1;
}
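Review bot: The intent of re-running `RAND_poll()` on every call when FIPS_mode() is set deserves a comment, since it reverses the one-time seeding the `initialized` flag exists for and makes each rand_bytes call as expensive as a full poll. From rand_lib.c in this patch the reason appears to be that this PRNG serves as the DRBG's entropy source (drbg_get_entropy), so each entropy request should carry freshly gathered OS entropy rather than recycled pool state; suggest `/* In FIPS mode this PRNG only feeds the DRBG's entropy callback, so gather fresh OS entropy on every request. */`. rand_bytes begins and ends outside the hunk.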
diff -up openssl-1.1.0f/crypto/rand/rand_err.c.fips openssl-1.1.0f/crypto/rand/rand_err.c
--- openssl-1.1.0f/crypto/rand/rand_err.c.fips 2017-05-25 14:46:19.000000000 +0200
+++ openssl-1.1.0f/crypto/rand/rand_err.c 2017-06-02 14:14:25.468421390 +0200
@@ -20,10 +20,13 @@
static ERR_STRING_DATA RAND_str_functs[] = {
{ERR_FUNC(RAND_F_RAND_BYTES), "RAND_bytes"},
+ {ERR_FUNC(RAND_F_RAND_INIT_FIPS), "RAND_init_fips"},
{0, NULL}
};
static ERR_STRING_DATA RAND_str_reasons[] = {
+ {ERR_REASON(RAND_R_ERROR_INITIALISING_DRBG), "error initialising DRBG"},
+ {ERR_REASON(RAND_R_ERROR_INSTANTIATING_DRBG), "error instantiating DRBG"},
{ERR_REASON(RAND_R_PRNG_NOT_SEEDED), "PRNG not seeded"},
{0, NULL}
};
diff -up openssl-1.1.0f/crypto/rand/rand_lcl.h.fips openssl-1.1.0f/crypto/rand/rand_lcl.h
--- openssl-1.1.0f/crypto/rand/rand_lcl.h.fips 2017-06-02 14:14:25.303417501 +0200
+++ openssl-1.1.0f/crypto/rand/rand_lcl.h 2017-06-02 14:14:25.468421390 +0200
@@ -10,7 +10,7 @@
#ifndef HEADER_RAND_LCL_H
# define HEADER_RAND_LCL_H
-# define ENTROPY_NEEDED 32 /* require 256 bits = 32 bytes of randomness */
+# define ENTROPY_NEEDED 48 /* require 384 bits = 48 bytes of randomness */
# if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
# define USE_SHA1_RAND
diff -up openssl-1.1.0f/crypto/rand/rand_lib.c.fips openssl-1.1.0f/crypto/rand/rand_lib.c
--- openssl-1.1.0f/crypto/rand/rand_lib.c.fips 2017-05-25 14:46:19.000000000 +0200
+++ openssl-1.1.0f/crypto/rand/rand_lib.c 2017-06-02 14:14:25.469421413 +0200
@@ -18,6 +18,8 @@
#ifdef OPENSSL_FIPS
# include <openssl/fips.h>
# include <openssl/fips_rand.h>
+# include "rand_lcl.h"
+# include "internal/fips_int.h"
#endif
#ifndef OPENSSL_NO_ENGINE
@@ -162,3 +164,127 @@ int RAND_status(void)
return meth->status();
return 0;
}
+
+#ifdef OPENSSL_FIPS
+
+/*
+ * FIPS DRBG initialisation code. This sets up the DRBG for use by the rest
+ * of OpenSSL.
+ */
+
+/*
+ * Entropy gatherer: use standard OpenSSL PRNG to seed (this will gather
+ * entropy internally through RAND_poll().
+ */
+
+static size_t drbg_get_entropy(DRBG_CTX *ctx, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len)
+{
+ /* Round up request to multiple of block size */
+ min_len = ((min_len + 19) / 20) * 20;
+ *pout = OPENSSL_malloc(min_len);
+ if (!*pout)
+ return 0;
+ if (RAND_OpenSSL()->bytes(*pout, min_len) <= 0) {
+ OPENSSL_free(*pout);
+ *pout = NULL;
+ return 0;
+ }
+ return min_len;
+}
+
+static void drbg_free_entropy(DRBG_CTX *ctx, unsigned char *out, size_t olen)
+{
+ if (out) {
+ OPENSSL_cleanse(out, olen);
+ OPENSSL_free(out);
+ }
+}
+
+/*
+ * Set "additional input" when generating random data. This uses the current
+ * PID, a time value and a counter.
+ */
+
+static size_t drbg_get_adin(DRBG_CTX *ctx, unsigned char **pout)
+{
+ /* Use of static variables is OK as this happens under a lock */
+ static unsigned char buf[16];
+ static unsigned long counter;
+ FIPS_get_timevec(buf, &counter);
+ *pout = buf;
+ return sizeof(buf);
+}
+
+/*
+ * RAND_add() and RAND_seed() pass through to OpenSSL PRNG so it is
+ * correctly seeded by RAND_poll().
+ */
+
+static int drbg_rand_add(DRBG_CTX *ctx, const void *in, int inlen,
+ double entropy)
+{
+ RAND_OpenSSL()->add(in, inlen, entropy);
+ if (FIPS_rand_status()) {
+ FIPS_drbg_reseed(ctx, NULL, 0);
+ }
+ return 1;
+}
+
+static int drbg_rand_seed(DRBG_CTX *ctx, const void *in, int inlen)
+{
+ RAND_OpenSSL()->seed(in, inlen);
+ if (FIPS_rand_status()) {
+ FIPS_drbg_reseed(ctx, NULL, 0);
+ }
+ return 1;
+}
+
+# ifndef OPENSSL_DRBG_DEFAULT_TYPE
+# define OPENSSL_DRBG_DEFAULT_TYPE NID_aes_256_ctr
+# endif
+# ifndef OPENSSL_DRBG_DEFAULT_FLAGS
+# define OPENSSL_DRBG_DEFAULT_FLAGS DRBG_FLAG_CTR_USE_DF
+# endif
+
+static int fips_drbg_type = OPENSSL_DRBG_DEFAULT_TYPE;
+static int fips_drbg_flags = OPENSSL_DRBG_DEFAULT_FLAGS;
+
+void RAND_set_fips_drbg_type(int type, int flags)
+{
+ fips_drbg_type = type;
+ fips_drbg_flags = flags;
+}
+
+int RAND_init_fips(void)
+{
+ DRBG_CTX *dctx;
+ size_t plen;
+ unsigned char pers[32], *p;
+
+ dctx = FIPS_get_default_drbg();
+ if (dctx == NULL ||
+ FIPS_drbg_init(dctx, fips_drbg_type, fips_drbg_flags) <= 0) {
+ RANDerr(RAND_F_RAND_INIT_FIPS, RAND_R_ERROR_INITIALISING_DRBG);
+ return 0;
+ }
+
+ FIPS_drbg_set_callbacks(dctx,
+ drbg_get_entropy, drbg_free_entropy, 20,
+ drbg_get_entropy, drbg_free_entropy);
+ FIPS_drbg_set_rand_callbacks(dctx, drbg_get_adin, 0,
+ drbg_rand_seed, drbg_rand_add);
+ /* Personalisation string: a string followed by date time vector */
+ strcpy((char *)pers, "OpenSSL DRBG2.0");
+ plen = drbg_get_adin(dctx, &p);
+ memcpy(pers + 16, p, plen);
+
+ if (FIPS_drbg_instantiate(dctx, pers, sizeof(pers)) <= 0) {
+ RANDerr(RAND_F_RAND_INIT_FIPS, RAND_R_ERROR_INSTANTIATING_DRBG);
+ return 0;
+ }
+ FIPS_rand_set_method(FIPS_drbg_method());
+ return 1;
+}
+
+#endif
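Review bot: drbg_get_entropy rounds `min_len` up to a multiple of 20 but never compares the rounded value with `max_len`, so a caller whose bound is tighter than the rounding can be handed more bytes than it allowed; add `if (min_len > max_len) return 0;` after the rounding (or round within the bound), and note that the `entropy` argument is intentionally ignored. drbg_rand_add and drbg_rand_seed discard the result of the underlying `add`/`seed` method (RAND_METHOD's seed and add return int in 1.1.0) and return 1 unconditionally, so a failed seeding of the entropy pool is invisible to RAND_add/RAND_seed callers; returning that result would be more honest. In RAND_init_fips, `memcpy(pers + 16, p, plen)` relies on the 16-byte "OpenSSL DRBG2.0" prefix plus the 16-byte adin exactly filling `pers[32]`; an `OPENSSL_assert(plen <= sizeof(pers) - 16)` would keep that invariant from silently turning into an overflow if either side changes. The "static variables are OK under a lock" comment in drbg_get_adin does not hold for the direct call from RAND_init_fips, which presumably runs during single-threaded initialisation — worth stating there.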
diff -up openssl-1.1.0f/crypto/rsa/rsa_crpt.c.fips openssl-1.1.0f/crypto/rsa/rsa_crpt.c
--- openssl-1.1.0f/crypto/rsa/rsa_crpt.c.fips 2017-05-25 14:46:19.000000000 +0200
+++ openssl-1.1.0f/crypto/rsa/rsa_crpt.c 2017-06-02 14:14:25.469421413 +0200
@@ -28,24 +28,52 @@ int RSA_size(const RSA *r)
int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
RSA *rsa, int padding)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+ RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
+ return -1;
+ }
+#endif
return (rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding));
}
int RSA_private_encrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+ RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT,
+ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+ return -1;
+ }
+#endif
return (rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding));
}
int RSA_private_decrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+ RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
+ return -1;
+ }
+#endif
return (rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding));
}
int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
RSA *rsa, int padding)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+ RSAerr(RSA_F_RSA_PUBLIC_DECRYPT,
+ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+ return -1;
+ }
+#endif
return (rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
}
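Review bot: The four gates apply two different policies without saying why: RSA_public_encrypt and RSA_private_decrypt accept any method carrying RSA_FLAG_FIPS_METHOD, while RSA_private_encrypt and RSA_public_decrypt are refused in FIPS mode for every method unless the key itself carries RSA_FLAG_NON_FIPS_ALLOW. A one-line comment at the top of each of the two stricter blocks would keep the next reader from "fixing" the asymmetry, e.g. `/* Raw private-encrypt/public-decrypt are signature primitives; in FIPS mode they are only reachable via RSA_sign()/RSA_verify(), which call the method directly */`. The rsa_sign.c hunk later in this patch relies on exactly that direct call, so the two places should reference each other.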
diff -up openssl-1.1.0f/crypto/rsa/rsa_err.c.fips openssl-1.1.0f/crypto/rsa/rsa_err.c
--- openssl-1.1.0f/crypto/rsa/rsa_err.c.fips 2017-05-25 14:46:19.000000000 +0200
+++ openssl-1.1.0f/crypto/rsa/rsa_err.c 2017-06-02 14:14:25.469421413 +0200
@@ -21,6 +21,7 @@
static ERR_STRING_DATA RSA_str_functs[] = {
{ERR_FUNC(RSA_F_CHECK_PADDING_MD), "check_padding_md"},
{ERR_FUNC(RSA_F_ENCODE_PKCS1), "encode_pkcs1"},
+ {ERR_FUNC(RSA_F_FIPS_RSA_BUILTIN_KEYGEN), "fips_rsa_builtin_keygen"},
{ERR_FUNC(RSA_F_INT_RSA_VERIFY), "int_rsa_verify"},
{ERR_FUNC(RSA_F_OLD_RSA_PRIV_DECODE), "old_rsa_priv_decode"},
{ERR_FUNC(RSA_F_PKEY_RSA_CTRL), "pkey_rsa_ctrl"},
@@ -33,6 +34,7 @@ static ERR_STRING_DATA RSA_str_functs[]
{ERR_FUNC(RSA_F_RSA_CHECK_KEY), "RSA_check_key"},
{ERR_FUNC(RSA_F_RSA_CHECK_KEY_EX), "RSA_check_key_ex"},
{ERR_FUNC(RSA_F_RSA_CMS_DECRYPT), "rsa_cms_decrypt"},
+ {ERR_FUNC(RSA_F_RSA_GENERATE_KEY_EX), "RSA_generate_key_ex"},
{ERR_FUNC(RSA_F_RSA_ITEM_VERIFY), "rsa_item_verify"},
{ERR_FUNC(RSA_F_RSA_METH_DUP), "RSA_meth_dup"},
{ERR_FUNC(RSA_F_RSA_METH_NEW), "RSA_meth_new"},
@@ -76,8 +78,14 @@ static ERR_STRING_DATA RSA_str_functs[]
{ERR_FUNC(RSA_F_RSA_PRINT), "RSA_print"},
{ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"},
{ERR_FUNC(RSA_F_RSA_PRIV_ENCODE), "rsa_priv_encode"},
+ {ERR_FUNC(RSA_F_RSA_PRIVATE_DECRYPT), "RSA_private_decrypt"},
+ {ERR_FUNC(RSA_F_RSA_PRIVATE_ENCRYPT), "RSA_private_encrypt"},
{ERR_FUNC(RSA_F_RSA_PSS_TO_CTX), "rsa_pss_to_ctx"},
{ERR_FUNC(RSA_F_RSA_PUB_DECODE), "rsa_pub_decode"},
+ {ERR_FUNC(RSA_F_RSA_PUBLIC_DECRYPT), "RSA_public_decrypt"},
+ {ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"},
+ {ERR_FUNC(RSA_F_RSA_SET_METHOD), "RSA_set_method"},
+ {ERR_FUNC(RSA_F_RSA_SET_DEFAULT_METHOD), "RSA_set_default_method"},
{ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"},
{ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"},
{ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING),
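Review bot: `RSA_F_RSA_SET_METHOD` is inserted ahead of `RSA_F_RSA_SET_DEFAULT_METHOD`, which breaks the sorted order the rest of `RSA_str_functs` keeps; this table is normally regenerated by mkerr.pl, so a hand edit that is out of order will be reshuffled at the next run and produce noise in a later diff. Swap the two lines so `RSA_F_RSA_SET_DEFAULT_METHOD` comes first. The matching `# define` values for the new function and reason codes are not in this file section and are presumably added to rsa.h elsewhere in the patch.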
@@ -135,10 +143,13 @@ static ERR_STRING_DATA RSA_str_reasons[]
{ERR_REASON(RSA_R_LAST_OCTET_INVALID), "last octet invalid"},
{ERR_REASON(RSA_R_MODULUS_TOO_LARGE), "modulus too large"},
{ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT), "no public exponent"},
+ {ERR_REASON(RSA_R_NON_FIPS_RSA_METHOD), "non FIPS rsa method"},
{ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),
"null before block missing"},
{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q), "n does not equal p q"},
{ERR_REASON(RSA_R_OAEP_DECODING_ERROR), "oaep decoding error"},
+ {ERR_REASON(RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE),
+ "operation not allowed in FIPS mode"},
{ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),
"operation not supported for this keytype"},
{ERR_REASON(RSA_R_PADDING_CHECK_FAILED), "padding check failed"},
diff -up openssl-1.1.0f/crypto/rsa/rsa_gen.c.fips openssl-1.1.0f/crypto/rsa/rsa_gen.c
--- openssl-1.1.0f/crypto/rsa/rsa_gen.c.fips 2017-06-02 14:14:25.451420989 +0200
+++ openssl-1.1.0f/crypto/rsa/rsa_gen.c 2017-06-02 14:18:19.933947715 +0200
@@ -18,6 +18,75 @@
#include "internal/cryptlib.h"
#include <openssl/bn.h>
#include "rsa_locl.h"
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+# include "internal/fips_int.h"
+
+int fips_check_rsa(RSA *rsa)
+{
+ const unsigned char tbs[] = "RSA Pairwise Check Data";
+ unsigned char *ctbuf = NULL, *ptbuf = NULL;
+ int len, ret = 0;
+ EVP_PKEY *pk;
+
+ if ((pk = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ EVP_PKEY_set1_RSA(pk, rsa);
+
+ /* Perform pairwise consistency signature test */
+ if (!fips_pkey_signature_test(pk, tbs, -1,
+ NULL, 0, EVP_sha1(),
+ EVP_MD_CTX_FLAG_PAD_PKCS1, NULL)
+ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(),
+ EVP_MD_CTX_FLAG_PAD_X931, NULL)
+ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(),
+ EVP_MD_CTX_FLAG_PAD_PSS, NULL))
+ goto err;
+ /* Now perform pairwise consistency encrypt/decrypt test */
+ ctbuf = OPENSSL_malloc(RSA_size(rsa));
+ if (!ctbuf)
+ goto err;
+
+ len =
+ RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa,
+ RSA_PKCS1_PADDING);
+ if (len <= 0)
+ goto err;
+ /* Check ciphertext doesn't match plaintext */
+ if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len))
+ goto err;
+ ptbuf = OPENSSL_malloc(RSA_size(rsa));
+
+ if (!ptbuf)
+ goto err;
+ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
+ if (len != (sizeof(tbs) - 1))
+ goto err;
+ if (memcmp(ptbuf, tbs, len))
+ goto err;
+
+ ret = 1;
+
+ if (!ptbuf)
+ goto err;
+
+ err:
+ if (ret == 0) {
+ fips_set_selftest_fail();
+ FIPSerr(FIPS_F_FIPS_CHECK_RSA, FIPS_R_PAIRWISE_TEST_FAILED);
+ }
+
+ if (ctbuf)
+ OPENSSL_free(ctbuf);
+ if (ptbuf)
+ OPENSSL_free(ptbuf);
+ if (pk)
+ EVP_PKEY_free(pk);
+
+ return ret;
+}
+#endif
static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
BN_GENCB *cb);
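Review bot: The `if (!ptbuf) goto err;` placed after `ret = 1;` at the end of fips_check_rsa is dead code: ptbuf was already NULL-checked immediately after its allocation, and falling through to `err` with ret == 1 is the success path anyway, so those two lines should go. The return value of `EVP_PKEY_set1_RSA(pk, rsa)` is discarded; if it fails, pk has no key and the three signature tests then report a pairwise failure for the wrong reason, so `if (!EVP_PKEY_set1_RSA(pk, rsa)) goto err;` is the safer form. The `if (ctbuf)`, `if (ptbuf)` and `if (pk)` guards in front of the free calls are redundant because OPENSSL_free and EVP_PKEY_free both accept NULL. Whether SHA-1 remains acceptable for the pairwise signature test depends on the module's policy; if SHA-1 signature generation is disabled elsewhere in this patch while in FIPS mode, the three `EVP_sha1()` calls here would make every key generation fail, so that interaction is worth confirming.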
@@ -31,11 +100,284 @@ static int rsa_builtin_keygen(RSA *rsa,
*/
int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+ RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
+ return 0;
+ }
+#endif
if (rsa->meth->rsa_keygen)
return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
return rsa_builtin_keygen(rsa, bits, e_value, cb);
}
+#ifdef OPENSSL_FIPS
+static int fips_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
+ BN_GENCB *cb)
+{
+ BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
+ BN_CTX *ctx = NULL;
+ int ok = -1;
+ int i;
+ int n = 0;
+ int test = 0;
+ int pbits = bits / 2;
+
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED);
+ return 0;
+ }
+
+ if ((pbits & 0xFF)
+ || (getenv("OPENSSL_ENFORCE_MODULUS_BITS") && bits < 2048)) {
+ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+ BN_CTX_start(ctx);
+ r0 = BN_CTX_get(ctx);
+ r1 = BN_CTX_get(ctx);
+ r2 = BN_CTX_get(ctx);
+ r3 = BN_CTX_get(ctx);
+
+ if (r3 == NULL)
+ goto err;
+
+ /* We need the RSA components non-NULL */
+ if (!rsa->n && ((rsa->n = BN_new()) == NULL))
+ goto err;
+ if (!rsa->d && ((rsa->d = BN_secure_new()) == NULL))
+ goto err;
+ if (!rsa->e && ((rsa->e = BN_new()) == NULL))
+ goto err;
+ if (!rsa->p && ((rsa->p = BN_secure_new()) == NULL))
+ goto err;
+ if (!rsa->q && ((rsa->q = BN_secure_new()) == NULL))
+ goto err;
+ if (!rsa->dmp1 && ((rsa->dmp1 = BN_secure_new()) == NULL))
+ goto err;
+ if (!rsa->dmq1 && ((rsa->dmq1 = BN_secure_new()) == NULL))
+ goto err;
+ if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))
+ goto err;
+
+ if (!BN_set_word(r0, RSA_F4))
+ goto err;
+ if (BN_cmp(e_value, r0) < 0 || BN_num_bits(e_value) > 256) {
+ ok = 0; /* we set our own err */
+ RSAerr(RSA_F_FIPS_RSA_BUILTIN_KEYGEN, RSA_R_BAD_E_VALUE);
+ goto err;
+ }
+
+ /* prepare approximate minimum p and q */
+ if (!BN_set_word(r0, 0xB504F334))
+ goto err;
+ if (!BN_lshift(r0, r0, pbits - 32))
+ goto err;
+
+ /* prepare minimum p and q difference */
+ if (!BN_one(r3))
+ goto err;
+ if (!BN_lshift(r3, r3, pbits - 100))
+ goto err;
+
+ BN_copy(rsa->e, e_value);
+
+ if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q))
+ test = 1;
+
+ retry:
+ /* generate p and q */
+ for (i = 0; i < 5 * pbits; i++) {
+ ploop:
+ if (!test)
+ if (!BN_rand(rsa->p, pbits, 0, 1))
+ goto err;
+ if (BN_cmp(rsa->p, r0) < 0) {
+ if (test)
+ goto err;
+ goto ploop;
+ }
+
+ if (!BN_sub(r2, rsa->p, BN_value_one()))
+ goto err;
+ if (!BN_gcd(r1, r2, rsa->e, ctx))
+ goto err;
+ if (BN_is_one(r1)) {
+ int r;
+ r = BN_is_prime_fasttest_ex(rsa->p, pbits > 1024 ? 4 : 5, ctx, 0,
+ cb);
+ if (r == -1 || (test && r <= 0))
+ goto err;
+ if (r > 0)
+ break;
+ }
+
+ if (!BN_GENCB_call(cb, 2, n++))
+ goto err;
+ }
+
+ if (!BN_GENCB_call(cb, 3, 0))
+ goto err;
+
+ if (i >= 5 * pbits)
+ /* prime not found */
+ goto err;
+
+ for (i = 0; i < 5 * pbits; i++) {
+ qloop:
+ if (!test)
+ if (!BN_rand(rsa->q, pbits, 0, 1))
+ goto err;
+ if (BN_cmp(rsa->q, r0) < 0) {
+ if (test)
+ goto err;
+ goto qloop;
+ }
+ if (!BN_sub(r2, rsa->q, rsa->p))
+ goto err;
+ if (BN_ucmp(r2, r3) <= 0) {
+ if (test)
+ goto err;
+ goto qloop;
+ }
+
+ if (!BN_sub(r2, rsa->q, BN_value_one()))
+ goto err;
+ if (!BN_gcd(r1, r2, rsa->e, ctx))
+ goto err;
+ if (BN_is_one(r1)) {
+ int r;
+ r = BN_is_prime_fasttest_ex(rsa->q, pbits > 1024 ? 4 : 5, ctx, 0,
+ cb);
+ if (r == -1 || (test && r <= 0))
+ goto err;
+ if (r > 0)
+ break;
+ }
+
+ if (!BN_GENCB_call(cb, 2, n++))
+ goto err;
+ }
+
+ if (!BN_GENCB_call(cb, 3, 1))
+ goto err;
+
+ if (i >= 5 * pbits)
+ /* prime not found */
+ goto err;
+
+ if (test) {
+ /* do not try to calculate the remaining key values */
+ BN_clear(rsa->n);
+ ok = 1;
+ goto err;
+ }
+
+ if (BN_cmp(rsa->p, rsa->q) < 0) {
+ tmp = rsa->p;
+ rsa->p = rsa->q;
+ rsa->q = tmp;
+ }
+
+ /* calculate n */
+ if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
+ goto err;
+
+ /* calculate d */
+ if (!BN_sub(r1, rsa->p, BN_value_one()))
+ goto err; /* p-1 */
+ if (!BN_sub(r2, rsa->q, BN_value_one()))
+ goto err; /* q-1 */
+
+ if (!BN_gcd(r0, r1, r2, ctx))
+ goto err;
+
+ {
+ BIGNUM *pr0 = BN_new();
+
+ if (pr0 == NULL)
+ goto err;
+ BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
+
+ if (!BN_div(pr0, NULL, r1, pr0, ctx)) {
+ BN_free(pr0);
+ goto err;
+ }
+
+ if (!BN_mul(pr0, pr0, r2, ctx)) { /* lcm(p-1, q-1) */
+ BN_free(pr0);
+ goto err;
+ }
+
+ if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) { /* d */
+ BN_free(pr0);
+ goto err;
+ }
+
+ /* We MUST free pr0 before any further use of r0 */
+ BN_free(pr0);
+ }
+
+ if (BN_num_bits(rsa->d) < pbits)
+ goto retry; /* d is too small */
+
+ {
+ BIGNUM *d = BN_new();
+
+ if (d == NULL)
+ goto err;
+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
+
+ if (/* calculate d mod (p-1) */
+ !BN_mod(rsa->dmp1, d, r1, ctx)
+ /* calculate d mod (q-1) */
+ || !BN_mod(rsa->dmq1, d, r2, ctx)) {
+ BN_free(d);
+ goto err;
+ }
+ /* We MUST free d before any further use of rsa->d */
+ BN_free(d);
+ }
+
+ {
+ BIGNUM *p = BN_new();
+
+ if (p == NULL)
+ goto err;
+ BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
+
+ /* calculate inverse of q mod p */
+ if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) {
+ BN_free(p);
+ goto err;
+ }
+ /* We MUST free p before any further use of rsa->p */
+ BN_free(p);
+ }
+
+ if (!fips_check_rsa(rsa))
+ goto err;
+
+ ok = 1;
+ err:
+ if (ok == -1) {
+ RSAerr(RSA_F_FIPS_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
+ ok = 0;
+ }
+ if (ctx != NULL) {
+ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
+ }
+
+ return ok;
+}
+#endif
+
static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
BN_GENCB *cb)
{
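Review bot: `BN_copy(rsa->e, e_value);` in fips_rsa_builtin_keygen discards its return value, so an allocation failure while copying the public exponent silently continues into the prime search with an unset `rsa->e`; every other BN call in the function is checked, so write `if (BN_copy(rsa->e, e_value) == NULL) goto err;`. The `goto ploop` and `goto qloop` retries taken for candidates below the `r0` floor or too close to `p` bypass both the `i < 5 * pbits` bound and the BN_GENCB progress callback, so the loops are only bounded probabilistically; counting those rejections in `i` would keep the stated iteration limit honest. In the `test` path (non-zero p and q supplied by the caller) the function clears `rsa->n` and returns 1 without deriving d, dmp1, dmq1 or iqmp, which deserves a sentence in a header comment because a caller of RSA_generate_key_ex would not expect a successful return to leave the private key incomplete.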
@@ -43,6 +385,16 @@ static int rsa_builtin_keygen(RSA *rsa,
int bitsp, bitsq, ok = -1, n = 0;
BN_CTX *ctx = NULL;
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
+ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_KEY_TOO_SHORT);
+ return 0;
+ }
+ return fips_rsa_builtin_keygen(rsa, bits, e_value, cb);
+ }
+#endif
+
/*
* When generating ridiculously small keys, we can get stuck
* continually regenerating the same prime values.
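Review bot: The FIPS branch added at the top of rsa_builtin_keygen does not consult `RSA_FLAG_NON_FIPS_ALLOW`, whereas the encrypt/decrypt gates in rsa_crpt.c and rsa_ossl.c honour it, so a key object explicitly marked non-FIPS-allowed is still routed through fips_rsa_builtin_keygen and its minimum-size check. If that is intentional (no sub-minimum key generation at all while FIPS mode is on), a comment such as `/* NON_FIPS_ALLOW is deliberately not honoured for key generation */` would prevent the inconsistency from being "fixed" later. The rest of rsa_builtin_keygen lies outside this hunk.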
diff -up openssl-1.1.0f/crypto/rsa/rsa_lib.c.fips openssl-1.1.0f/crypto/rsa/rsa_lib.c
--- openssl-1.1.0f/crypto/rsa/rsa_lib.c.fips 2017-05-25 14:46:19.000000000 +0200
+++ openssl-1.1.0f/crypto/rsa/rsa_lib.c 2017-06-02 14:14:25.469421413 +0200
@@ -26,6 +26,12 @@ RSA *RSA_new(void)
void RSA_set_default_method(const RSA_METHOD *meth)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) {
+ RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_RSA_METHOD);
+ return;
+ }
+#endif
default_RSA_meth = meth;
}
@@ -54,6 +60,12 @@ int RSA_set_method(RSA *rsa, const RSA_M
* to deal with which ENGINE it comes from.
*/
const RSA_METHOD *mtmp;
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) {
+ RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_RSA_METHOD);
+ return 0;
+ }
+#endif
mtmp = rsa->meth;
if (mtmp->finish)
mtmp->finish(rsa);
@@ -86,7 +98,6 @@ RSA *RSA_new_method(ENGINE *engine)
ret->meth = RSA_get_default_method();
#ifndef OPENSSL_NO_ENGINE
- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
if (engine) {
if (!ENGINE_init(engine)) {
RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
@@ -103,8 +114,19 @@ RSA *RSA_new_method(ENGINE *engine)
}
}
#endif
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD)) {
+ RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_RSA_METHOD);
+# ifndef OPENSSL_NO_ENGINE
+ if (ret->engine)
+ ENGINE_finish(ret->engine);
+# endif
+ OPENSSL_free(ret);
+ return NULL;
+ }
+#endif
- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
+ ret->flags = ret->meth->flags;
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
goto err;
}
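Review bot: The FIPS rejection block in RSA_new_method tears the object down by hand with `ENGINE_finish` and `OPENSSL_free(ret)` instead of taking the function's existing `err` path; if `ret->lock` (or anything else) has been allocated before this point, as upstream 1.1.0 does at the start of this function, that allocation leaks. Assuming `err` calls RSA_free as upstream does, replacing the manual cleanup with `RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_RSA_METHOD); goto err;` releases the engine reference and the lock in one place. `ret->flags = ret->meth->flags;` now propagates RSA_FLAG_NON_FIPS_ALLOW from the method into the key, which is the bit the other hunks in this patch test, so a comment noting that this is where the flag is inherited would help. The start of RSA_new_method is outside this hunk.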
diff -up openssl-1.1.0f/crypto/rsa/rsa_ossl.c.fips openssl-1.1.0f/crypto/rsa/rsa_ossl.c
--- openssl-1.1.0f/crypto/rsa/rsa_ossl.c.fips 2017-05-25 14:46:19.000000000 +0200
+++ openssl-1.1.0f/crypto/rsa/rsa_ossl.c 2017-06-02 14:14:25.470421437 +0200
@@ -11,6 +11,10 @@
#include "internal/bn_int.h"
#include "rsa_locl.h"
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
+
#ifndef RSA_NULL
static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
@@ -56,6 +60,22 @@ static int rsa_ossl_public_encrypt(int f
unsigned char *buf = NULL;
BN_CTX *ctx = NULL;
+# ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT,
+ FIPS_R_FIPS_SELFTEST_FAILED);
+ goto err;
+ }
+
+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
+ RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
+ return -1;
+ }
+ }
+# endif
+
if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
return -1;
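Review bot: The self-test failure branch in rsa_ossl_public_encrypt exits with `goto err`, the same branch in rsa_ossl_private_encrypt and rsa_ossl_private_decrypt uses `return -1`, and rsa_ossl_public_decrypt again uses `goto err`; ctx and buf are still NULL at that point so neither route frees anything, but the two only agree if the function's `r` is initialised to -1 before the hunk, which is not visible here. Pick one form for all four hunks in this file — `return -1;` is the safer choice because it does not depend on the initial value of r — and apply it in the three later hunks as well. The minimum-modulus check is correctly skipped for keys flagged RSA_FLAG_NON_FIPS_ALLOW while the self-test check is not; a short comment `/* a failed self-test is fatal regardless of key flags */` would record that ordering as intentional.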
@@ -235,6 +255,22 @@ static int rsa_ossl_private_encrypt(int
BIGNUM *unblind = NULL;
BN_BLINDING *blinding = NULL;
+# ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT,
+ FIPS_R_FIPS_SELFTEST_FAILED);
+ return -1;
+ }
+
+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
+ return -1;
+ }
+ }
+# endif
+
if ((ctx = BN_CTX_new()) == NULL)
goto err;
BN_CTX_start(ctx);
@@ -370,6 +406,22 @@ static int rsa_ossl_private_decrypt(int
BIGNUM *unblind = NULL;
BN_BLINDING *blinding = NULL;
+# ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_RSA_OSSL_PRIVATE_DECRYPT,
+ FIPS_R_FIPS_SELFTEST_FAILED);
+ return -1;
+ }
+
+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
+ return -1;
+ }
+ }
+# endif
+
if ((ctx = BN_CTX_new()) == NULL)
goto err;
BN_CTX_start(ctx);
@@ -494,6 +546,22 @@ static int rsa_ossl_public_decrypt(int f
unsigned char *buf = NULL;
BN_CTX *ctx = NULL;
+# ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_RSA_OSSL_PUBLIC_DECRYPT,
+ FIPS_R_FIPS_SELFTEST_FAILED);
+ goto err;
+ }
+
+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
+ RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
+ return -1;
+ }
+ }
+# endif
+
if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
return -1;
diff -up openssl-1.1.0f/crypto/rsa/rsa_sign.c.fips openssl-1.1.0f/crypto/rsa/rsa_sign.c
--- openssl-1.1.0f/crypto/rsa/rsa_sign.c.fips 2017-05-25 14:46:19.000000000 +0200
+++ openssl-1.1.0f/crypto/rsa/rsa_sign.c 2017-06-02 14:14:25.470421437 +0200
@@ -73,6 +73,13 @@ int RSA_sign(int type, const unsigned ch
unsigned char *tmps = NULL;
const unsigned char *encoded = NULL;
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+ RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD);
+ return 0;
+ }
+#endif
if (rsa->meth->rsa_sign) {
return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
}
@@ -100,8 +107,9 @@ int RSA_sign(int type, const unsigned ch
RSAerr(RSA_F_RSA_SIGN, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
goto err;
}
- encrypt_len = RSA_private_encrypt(encoded_len, encoded, sigret, rsa,
- RSA_PKCS1_PADDING);
+ /* NB: call underlying method directly to avoid FIPS blocking */
+ encrypt_len = rsa->meth->rsa_priv_enc ? rsa->meth->rsa_priv_enc(encoded_len, encoded, sigret, rsa,
+ RSA_PKCS1_PADDING) : 0;
if (encrypt_len <= 0)
goto err;
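Review bot: RSA_sign now calls `rsa->meth->rsa_priv_enc` directly to get past the FIPS gate in RSA_private_encrypt, but the verify side is not touched in this file section: if int_rsa_verify still reaches RSA_public_decrypt, the gate added to that function in rsa_crpt.c (`RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE`) will make every RSA_verify fail in FIPS mode unless that call is rewritten elsewhere in the patch. The new assignment line also runs well past 80 columns; splitting the ternary across three lines with the `RSA_PKCS1_PADDING` argument aligned under the call would match the surrounding style. Returning 0 for a missing rsa_priv_enc correctly falls into the `encrypt_len <= 0` check that follows. The body of RSA_sign continues outside this hunk.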
diff -up openssl-1.1.0f/crypto/sha/sha_locl.h.fips openssl-1.1.0f/crypto/sha/sha_locl.h
--- openssl-1.1.0f/crypto/sha/sha_locl.h.fips 2017-06-02 14:14:25.232415827 +0200
+++ openssl-1.1.0f/crypto/sha/sha_locl.h 2017-06-02 14:14:25.470421437 +0200
@@ -52,6 +52,9 @@ void sha1_block_data_order(SHA_CTX *c, c
int HASH_INIT(SHA_CTX *c)
{
+#if defined(OPENSSL_FIPS)
+ FIPS_selftest_check();
+#endif
memset(c, 0, sizeof(*c));
c->h0 = INIT_DATA_h0;
c->h1 = INIT_DATA_h1;
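Review bot: `FIPS_selftest_check()` is declared in crypto.h in this same patch with the comment "die if FIPS selftest failed", i.e. it is expected not to return once the power-up self-test has failed, yet nothing at the call site in HASH_INIT says so; a comment such as `/* aborts the process if the FIPS power-up selftest failed; see crypto.h */` would stop a reader from assuming the following memset is always reached. The same applies to the four identical insertions in SHA224_Init, SHA256_Init, SHA384_Init and SHA512_Init below. Whether the check is also gated on FIPS_mode() internally is not visible here; if it is not, the call runs on every digest init even with FIPS mode off, and that cost should be confirmed.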
diff -up openssl-1.1.0f/crypto/sha/sha256.c.fips openssl-1.1.0f/crypto/sha/sha256.c
--- openssl-1.1.0f/crypto/sha/sha256.c.fips 2017-05-25 14:46:19.000000000 +0200
+++ openssl-1.1.0f/crypto/sha/sha256.c 2017-06-02 14:14:25.470421437 +0200
@@ -18,6 +18,9 @@
int SHA224_Init(SHA256_CTX *c)
{
+# ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+# endif
memset(c, 0, sizeof(*c));
c->h[0] = 0xc1059ed8UL;
c->h[1] = 0x367cd507UL;
@@ -33,6 +36,9 @@ int SHA224_Init(SHA256_CTX *c)
int SHA256_Init(SHA256_CTX *c)
{
+# ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+# endif
memset(c, 0, sizeof(*c));
c->h[0] = 0x6a09e667UL;
c->h[1] = 0xbb67ae85UL;
diff -up openssl-1.1.0f/crypto/sha/sha512.c.fips openssl-1.1.0f/crypto/sha/sha512.c
--- openssl-1.1.0f/crypto/sha/sha512.c.fips 2017-05-25 14:46:19.000000000 +0200
+++ openssl-1.1.0f/crypto/sha/sha512.c 2017-06-02 14:14:25.470421437 +0200
@@ -62,6 +62,9 @@
int SHA384_Init(SHA512_CTX *c)
{
+# ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+# endif
c->h[0] = U64(0xcbbb9d5dc1059ed8);
c->h[1] = U64(0x629a292a367cd507);
c->h[2] = U64(0x9159015a3070dd17);
@@ -80,6 +83,9 @@ int SHA384_Init(SHA512_CTX *c)
int SHA512_Init(SHA512_CTX *c)
{
+# ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+# endif
c->h[0] = U64(0x6a09e667f3bcc908);
c->h[1] = U64(0xbb67ae8584caa73b);
c->h[2] = U64(0x3c6ef372fe94f82b);
diff -up openssl-1.1.0f/doc/crypto/DSA_generate_parameters.pod.fips openssl-1.1.0f/doc/crypto/DSA_generate_parameters.pod
--- openssl-1.1.0f/doc/crypto/DSA_generate_parameters.pod.fips 2017-05-25 14:46:20.000000000 +0200
+++ openssl-1.1.0f/doc/crypto/DSA_generate_parameters.pod 2017-06-02 14:14:25.470421437 +0200
@@ -29,8 +29,10 @@ B<bits> is the length of the prime p to
For lengths under 2048 bits, the length of q is 160 bits; for lengths
greater than or equal to 2048 bits, the length of q is set to 256 bits.
-If B<seed> is NULL, the primes will be generated at random.
-If B<seed_len> is less than the length of q, an error is returned.
+If B<seed> is NULL, or it does not generate primes, the primes will be
+generated at random.
+If B<seed_len> is less than the length of q, an error is returned
+if old DSA parameter generation method is used as a backend.
DSA_generate_parameters_ex() places the iteration count in
*B<counter_ret> and a counter used for finding a generator in
diff -up openssl-1.1.0f/include/openssl/crypto.h.fips openssl-1.1.0f/include/openssl/crypto.h
--- openssl-1.1.0f/include/openssl/crypto.h.fips 2017-05-25 14:46:20.000000000 +0200
+++ openssl-1.1.0f/include/openssl/crypto.h 2017-06-02 14:14:25.470421437 +0200
@@ -332,6 +332,11 @@ int OPENSSL_isservice(void);
int FIPS_mode(void);
int FIPS_mode_set(int r);
+# ifdef OPENSSL_FIPS
+/* die if FIPS selftest failed */
+void FIPS_selftest_check(void);
+# endif
+
void OPENSSL_init(void);
struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result);
diff -up openssl-1.1.0f/include/openssl/dh.h.fips openssl-1.1.0f/include/openssl/dh.h
--- openssl-1.1.0f/include/openssl/dh.h.fips 2017-05-25 14:46:20.000000000 +0200
+++ openssl-1.1.0f/include/openssl/dh.h 2017-06-02 14:14:25.471421461 +0200
@@ -30,6 +30,7 @@ extern "C" {
# endif
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
+# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048
# define DH_FLAG_CACHE_MONT_P 0x01
@@ -325,6 +326,9 @@ int ERR_load_DH_strings(void);
# define DH_F_DH_CMS_DECRYPT 114
# define DH_F_DH_CMS_SET_PEERKEY 115
# define DH_F_DH_CMS_SET_SHARED_INFO 116
+# define DH_F_DH_COMPUTE_KEY 203
+# define DH_F_DH_GENERATE_KEY 202
+# define DH_F_DH_GENERATE_PARAMETERS_EX 201
# define DH_F_DH_METH_DUP 117
# define DH_F_DH_METH_NEW 118
# define DH_F_DH_METH_SET1_NAME 119
@@ -346,10 +350,12 @@ int ERR_load_DH_strings(void);
# define DH_R_DECODE_ERROR 104
# define DH_R_INVALID_PUBKEY 102
# define DH_R_KDF_PARAMETER_ERROR 112
+# define DH_R_KEY_SIZE_TOO_SMALL 201
# define DH_R_KEYS_NOT_SET 108
# define DH_R_MODULUS_TOO_LARGE 103
# define DH_R_NO_PARAMETERS_SET 107
# define DH_R_NO_PRIVATE_VALUE 100
+# define DH_R_NON_FIPS_METHOD 202
# define DH_R_PARAMETER_ENCODING_ERROR 105
# define DH_R_PEER_KEY_ERROR 111
# define DH_R_SHARED_INFO_ERROR 113
diff -up openssl-1.1.0f/include/openssl/dsa.h.fips openssl-1.1.0f/include/openssl/dsa.h
--- openssl-1.1.0f/include/openssl/dsa.h.fips 2017-05-25 14:46:20.000000000 +0200
+++ openssl-1.1.0f/include/openssl/dsa.h 2017-06-02 14:14:25.471421461 +0200
@@ -36,6 +36,7 @@ extern "C" {
# endif
# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
+# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN 2048
# define DSA_FLAG_CACHE_MONT_P 0x01
# if OPENSSL_API_COMPAT < 0x10100000L
@@ -146,9 +147,9 @@ int DSAparams_print_fp(FILE *fp, const D
int DSA_print_fp(FILE *bp, const DSA *x, int off);
# endif
-# define DSS_prime_checks 50
+# define DSS_prime_checks 64
/*
- * Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of
+ * Primality test according to FIPS PUB 186-4, Appendix 2.1: 64 rounds of
* Rabin-Miller
*/
# define DSA_is_prime(n, callback, cb_arg) \
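Review bot: The comment now reads `FIPS PUB 186-4, Appendix 2.1`, but 186-4 has no such section; the Miller-Rabin round counts are in its Appendix C.3 (Table C.1), and "Appendix 2.1" is the 186-1 numbering carried over from the old comment. Raising DSS_prime_checks from 50 to 64 changes DSA_is_prime for every consumer of this public header, not only FIPS-mode callers, so that side effect is worth a line in the commit description. Suggested comment: `/* Primality test according to FIPS PUB 186-4, Appendix C.3 (Table C.1): 64 rounds of Rabin-Miller */`.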
@@ -241,8 +242,11 @@ int ERR_load_DSA_strings(void);
/* Function codes. */
# define DSA_F_DSAPARAMS_PRINT 100
# define DSA_F_DSAPARAMS_PRINT_FP 101
+# define DSA_F_DSA_BUILTIN_KEYGEN 202
# define DSA_F_DSA_BUILTIN_PARAMGEN 125
# define DSA_F_DSA_BUILTIN_PARAMGEN2 126
+# define DSA_F_DSA_GENERATE_KEY 201
+# define DSA_F_DSA_GENERATE_PARAMETERS_EX 200
# define DSA_F_DSA_DO_SIGN 112
# define DSA_F_DSA_DO_VERIFY 113
# define DSA_F_DSA_METH_DUP 127
@@ -269,9 +273,12 @@ int ERR_load_DSA_strings(void);
# define DSA_R_DECODE_ERROR 104
# define DSA_R_INVALID_DIGEST_TYPE 106
# define DSA_R_INVALID_PARAMETERS 112
+# define DSA_R_KEY_SIZE_INVALID 201
+# define DSA_R_KEY_SIZE_TOO_SMALL 202
# define DSA_R_MISSING_PARAMETERS 101
# define DSA_R_MODULUS_TOO_LARGE 103
# define DSA_R_NO_PARAMETERS_SET 107
+# define DSA_R_NON_FIPS_DSA_METHOD 200
# define DSA_R_PARAMETER_ENCODING_ERROR 105
# define DSA_R_Q_NOT_PRIME 113
# define DSA_R_SEED_LEN_SMALL 110
diff -up openssl-1.1.0f/include/openssl/evp.h.fips openssl-1.1.0f/include/openssl/evp.h
--- openssl-1.1.0f/include/openssl/evp.h.fips 2017-05-25 14:46:20.000000000 +0200
+++ openssl-1.1.0f/include/openssl/evp.h 2017-06-02 14:14:25.471421461 +0200
@@ -1458,6 +1458,7 @@ int ERR_load_EVP_strings(void);
# define EVP_F_AES_OCB_CIPHER 169
# define EVP_F_AES_T4_INIT_KEY 178
# define EVP_F_AES_WRAP_CIPHER 170
+# define EVP_F_AES_XTS_CIPHER 200
# define EVP_F_ALG_MODULE_INIT 177
# define EVP_F_CAMELLIA_INIT_KEY 159
# define EVP_F_CHACHA20_POLY1305_CTRL 182
@@ -1534,6 +1535,7 @@ int ERR_load_EVP_strings(void);
# define EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED 133
# define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138
# define EVP_R_DECODE_ERROR 114
+# define EVP_R_DISABLED_FOR_FIPS 200
# define EVP_R_DIFFERENT_KEY_TYPES 101
# define EVP_R_DIFFERENT_PARAMETERS 153
# define EVP_R_ERROR_LOADING_SECTION 165
@@ -1568,6 +1570,7 @@ int ERR_load_EVP_strings(void);
# define EVP_R_PRIVATE_KEY_DECODE_ERROR 145
# define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146
# define EVP_R_PUBLIC_KEY_NOT_RSA 106
+# define EVP_R_TOO_LARGE 201
# define EVP_R_UNKNOWN_CIPHER 160
# define EVP_R_UNKNOWN_DIGEST 161
# define EVP_R_UNKNOWN_OPTION 169
diff -up openssl-1.1.0f/include/openssl/fips.h.fips openssl-1.1.0f/include/openssl/fips.h
--- openssl-1.1.0f/include/openssl/fips.h.fips 2017-06-02 14:14:25.471421461 +0200
+++ openssl-1.1.0f/include/openssl/fips.h 2017-06-02 14:14:25.471421461 +0200
@@ -0,0 +1,186 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <openssl/opensslconf.h>
+#include <openssl/dsa.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+
+#ifndef OPENSSL_FIPS
+# error FIPS is disabled.
+#endif
+
+#ifdef OPENSSL_FIPS
+
+# ifdef __cplusplus
+extern "C" {
+# endif
+
+ int FIPS_selftest(void);
+ int FIPS_selftest_failed(void);
+ int FIPS_selftest_drbg_all(void);
+
+ int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
+ const EVP_MD *evpmd, const unsigned char *seed_in,
+ size_t seed_len, int idx, unsigned char *seed_out,
+ int *counter_ret, unsigned long *h_ret,
+ BN_GENCB *cb);
+ int FIPS_dsa_paramgen_check_g(DSA *dsa);
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+ int ERR_load_FIPS_strings(void);
+
+/* Error codes for the FIPS functions. */
+
+/* Function codes. */
+# define FIPS_F_DH_BUILTIN_GENPARAMS 100
+# define FIPS_F_DRBG_RESEED 121
+# define FIPS_F_DSA_BUILTIN_PARAMGEN2 107
+# define FIPS_F_DSA_DO_SIGN 102
+# define FIPS_F_DSA_DO_VERIFY 103
+# define FIPS_F_EVP_CIPHER_CTX_NEW 137
+# define FIPS_F_EVP_CIPHER_CTX_RESET 122
+# define FIPS_F_ECDH_COMPUTE_KEY 123
+# define FIPS_F_EVP_CIPHERINIT_EX 124
+# define FIPS_F_EVP_DIGESTINIT_EX 125
+# define FIPS_F_FIPS_CHECK_DSA 104
+# define FIPS_F_FIPS_CHECK_EC 142
+# define FIPS_F_FIPS_CHECK_RSA 106
+# define FIPS_F_FIPS_DRBG_BYTES 131
+# define FIPS_F_FIPS_DRBG_CHECK 146
+# define FIPS_F_FIPS_DRBG_CPRNG_TEST 132
+# define FIPS_F_FIPS_DRBG_ERROR_CHECK 136
+# define FIPS_F_FIPS_DRBG_GENERATE 134
+# define FIPS_F_FIPS_DRBG_INIT 135
+# define FIPS_F_FIPS_DRBG_INSTANTIATE 138
+# define FIPS_F_FIPS_DRBG_NEW 139
+# define FIPS_F_FIPS_DRBG_RESEED 140
+# define FIPS_F_FIPS_DRBG_SINGLE_KAT 141
+# define FIPS_F_FIPS_GET_ENTROPY 147
+# define FIPS_F_FIPS_MODULE_MODE_SET 108
+# define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109
+# define FIPS_F_FIPS_RAND_BYTES 114
+# define FIPS_F_FIPS_RAND_SEED 128
+# define FIPS_F_FIPS_RAND_SET_METHOD 126
+# define FIPS_F_FIPS_RAND_STATUS 127
+# define FIPS_F_FIPS_RSA_BUILTIN_KEYGEN 101
+# define FIPS_F_FIPS_SELFTEST_AES 110
+# define FIPS_F_FIPS_SELFTEST_AES_CCM 145
+# define FIPS_F_FIPS_SELFTEST_AES_GCM 129
+# define FIPS_F_FIPS_SELFTEST_AES_XTS 144
+# define FIPS_F_FIPS_SELFTEST_CMAC 130
+# define FIPS_F_FIPS_SELFTEST_DES 111
+# define FIPS_F_FIPS_SELFTEST_DSA 112
+# define FIPS_F_FIPS_SELFTEST_ECDSA 133
+# define FIPS_F_FIPS_SELFTEST_HMAC 113
+# define FIPS_F_FIPS_SELFTEST_SHA1 115
+# define FIPS_F_FIPS_SELFTEST_SHA2 105
+# define FIPS_F_OSSL_ECDSA_SIGN_SIG 143
+# define FIPS_F_OSSL_ECDSA_VERIFY_SIG 148
+# define FIPS_F_RSA_BUILTIN_KEYGEN 116
+# define FIPS_F_RSA_OSSL_INIT 149
+# define FIPS_F_RSA_OSSL_PRIVATE_DECRYPT 117
+# define FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT 118
+# define FIPS_F_RSA_OSSL_PUBLIC_DECRYPT 119
+# define FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT 120
+
+/* Reason codes. */
+# define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 150
+# define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 125
+# define FIPS_R_ALREADY_INSTANTIATED 134
+# define FIPS_R_DRBG_NOT_INITIALISED 152
+# define FIPS_R_DRBG_STUCK 103
+# define FIPS_R_ENTROPY_ERROR_UNDETECTED 104
+# define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105
+# define FIPS_R_ENTROPY_SOURCE_STUCK 142
+# define FIPS_R_ERROR_INITIALISING_DRBG 115
+# define FIPS_R_ERROR_INSTANTIATING_DRBG 127
+# define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 124
+# define FIPS_R_ERROR_RETRIEVING_ENTROPY 122
+# define FIPS_R_ERROR_RETRIEVING_NONCE 140
+# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 110
+# define FIPS_R_FIPS_MODE_ALREADY_SET 102
+# define FIPS_R_FIPS_SELFTEST_FAILED 106
+# define FIPS_R_FUNCTION_ERROR 116
+# define FIPS_R_GENERATE_ERROR 137
+# define FIPS_R_GENERATE_ERROR_UNDETECTED 118
+# define FIPS_R_INSTANTIATE_ERROR 119
+# define FIPS_R_INTERNAL_ERROR 121
+# define FIPS_R_INVALID_KEY_LENGTH 109
+# define FIPS_R_IN_ERROR_STATE 123
+# define FIPS_R_KEY_TOO_SHORT 108
+# define FIPS_R_NONCE_ERROR_UNDETECTED 149
+# define FIPS_R_NON_FIPS_METHOD 100
+# define FIPS_R_NOPR_TEST1_FAILURE 145
+# define FIPS_R_NOPR_TEST2_FAILURE 146
+# define FIPS_R_NOT_INSTANTIATED 126
+# define FIPS_R_PAIRWISE_TEST_FAILED 107
+# define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128
+# define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129
+# define FIPS_R_PR_TEST1_FAILURE 147
+# define FIPS_R_PR_TEST2_FAILURE 148
+# define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 130
+# define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 131
+# define FIPS_R_RESEED_COUNTER_ERROR 132
+# define FIPS_R_RESEED_ERROR 133
+# define FIPS_R_SELFTEST_FAILED 101
+# define FIPS_R_SELFTEST_FAILURE 135
+# define FIPS_R_TEST_FAILURE 117
+# define FIPS_R_UNINSTANTIATE_ERROR 141
+# define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 138
+# define FIPS_R_UNSUPPORTED_DRBG_TYPE 139
+# define FIPS_R_UNSUPPORTED_PLATFORM 113
+
+# ifdef __cplusplus
+}
+# endif
+#endif
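Review bot: The new header has no include guard; the other public headers in this tree use the `HEADER_<NAME>_H` convention, so a `HEADER_FIPS_H` guard wrapping everything after the licence block would be the expected form. The `#ifndef OPENSSL_FIPS` / `# error` pair is immediately followed by `#ifdef OPENSSL_FIPS`, which can never be false once the error has not fired, so one of the two guards is redundant. The prototypes inside the extern "C" block are indented by one space while the `# define` lines are not, which looks like a leftover from an automated reindent; flush them to column 0. `FIPSerr` is used throughout the patch but not defined here; if it comes from internal/fips_int.h that is fine, otherwise this public header should carry the definition alongside `ERR_load_FIPS_strings`.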
diff -up openssl-1.1.0f/include/openssl/fips_rand.h.fips openssl-1.1.0f/include/openssl/fips_rand.h
--- openssl-1.1.0f/include/openssl/fips_rand.h.fips 2017-06-02 14:14:25.471421461 +0200
+++ openssl-1.1.0f/include/openssl/fips_rand.h 2017-06-02 14:14:25.471421461 +0200
@@ -0,0 +1,145 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef HEADER_FIPS_RAND_H
+# define HEADER_FIPS_RAND_H
+
+# include <openssl/aes.h>
+# include <openssl/evp.h>
+# include <openssl/hmac.h>
+# include <openssl/rand.h>
+
+# ifdef OPENSSL_FIPS
+
+# ifdef __cplusplus
+extern "C" {
+# endif
+ typedef struct drbg_ctx_st DRBG_CTX;
+/* DRBG external flags */
+/* Flag for CTR mode only: use derivation function ctr_df */
+# define DRBG_FLAG_CTR_USE_DF 0x1
+/* PRNG is in test state */
+# define DRBG_FLAG_TEST 0x2
+
+ DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags);
+ int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags);
+ int FIPS_drbg_instantiate(DRBG_CTX *dctx,
+ const unsigned char *pers, size_t perslen);
+ int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin,
+ size_t adinlen);
+ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
+ int prediction_resistance,
+ const unsigned char *adin, size_t adinlen);
+
+ int FIPS_drbg_uninstantiate(DRBG_CTX *dctx);
+ void FIPS_drbg_free(DRBG_CTX *dctx);
+
+ int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
+ size_t (*get_entropy) (DRBG_CTX *ctx,
+ unsigned char **pout,
+ int entropy,
+ size_t min_len,
+ size_t max_len),
+ void (*cleanup_entropy) (DRBG_CTX *ctx,
+ unsigned char *out,
+ size_t olen),
+ size_t entropy_blocklen,
+ size_t (*get_nonce) (DRBG_CTX *ctx,
+ unsigned char **pout,
+ int entropy,
+ size_t min_len,
+ size_t max_len),
+ void (*cleanup_nonce) (DRBG_CTX *ctx,
+ unsigned char *out,
+ size_t olen));
+
+ int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
+ size_t (*get_adin) (DRBG_CTX *ctx,
+ unsigned char
+ **pout),
+ void (*cleanup_adin) (DRBG_CTX *ctx,
+ unsigned char *out,
+ size_t olen),
+ int (*rand_seed_cb) (DRBG_CTX *ctx,
+ const void *buf,
+ int num),
+ int (*rand_add_cb) (DRBG_CTX *ctx,
+ const void *buf,
+ int num,
+ double entropy));
+
+ void *FIPS_drbg_get_app_data(DRBG_CTX *ctx);
+ void FIPS_drbg_set_app_data(DRBG_CTX *ctx, void *app_data);
+ size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx);
+ int FIPS_drbg_get_strength(DRBG_CTX *dctx);
+ void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval);
+ void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval);
+
+ int FIPS_drbg_health_check(DRBG_CTX *dctx);
+
+ DRBG_CTX *FIPS_get_default_drbg(void);
+ const RAND_METHOD *FIPS_drbg_method(void);
+
+ int FIPS_rand_set_method(const RAND_METHOD *meth);
+ const RAND_METHOD *FIPS_rand_get_method(void);
+
+ void FIPS_rand_set_bits(int nbits);
+
+ int FIPS_rand_strength(void);
+
+/* 1.0.0 compat functions */
+ int FIPS_rand_seed(const void *buf, int num);
+ int FIPS_rand_bytes(unsigned char *out, int outlen);
+ void FIPS_rand_reset(void);
+ int FIPS_rand_status(void);
+# ifdef __cplusplus
+}
+# endif
+# endif
+#endif
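Review bot: The callback pairs in FIPS_drbg_set_callbacks (get_entropy/cleanup_entropy, get_nonce/cleanup_nonce) are declared without any statement of who owns the buffer returned through `*pout` or what the matching cleanup callback is expected to do with the buffer and length it receives, so a caller wiring in its own entropy source has to guess whether it may free the buffer early and who clears the seed material. A comment above the declaration such as `/* get_entropy/get_nonce hand back a buffer via *pout that stays owned by the callback; the matching cleanup callback receives it back with its length so it can be zeroised and released */` would pin that contract down (the zeroise expectation is my reading of the cleanup signature, not something the header states). The 1.0.0 compat prototypes also take `int` lengths (`int FIPS_rand_bytes(unsigned char *out, int outlen);`) where the DRBG API uses `size_t`; a one-line note that negative or oversized lengths are rejected (or not) by the implementation would save callers from having to read it.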
diff -up openssl-1.1.0f/include/openssl/opensslconf.h.in.fips openssl-1.1.0f/include/openssl/opensslconf.h.in
--- openssl-1.1.0f/include/openssl/opensslconf.h.in.fips 2017-05-25 14:46:20.000000000 +0200
+++ openssl-1.1.0f/include/openssl/opensslconf.h.in 2017-06-02 14:14:25.472421484 +0200
@@ -136,6 +136,11 @@ extern "C" {
#define RC4_INT {- $config{rc4_int} -}
+/* Always build FIPS module */
+#ifndef OPENSSL_FIPS
+# define OPENSSL_FIPS
+#endif
+
#ifdef __cplusplus
}
#endif
diff -up openssl-1.1.0f/include/openssl/rand.h.fips openssl-1.1.0f/include/openssl/rand.h
--- openssl-1.1.0f/include/openssl/rand.h.fips 2017-05-25 14:46:20.000000000 +0200
+++ openssl-1.1.0f/include/openssl/rand.h 2017-06-02 14:14:25.472421484 +0200
@@ -67,6 +67,11 @@ DEPRECATEDIN_1_1_0(void RAND_screen(void
DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM))
#endif
+# ifdef OPENSSL_FIPS
+void RAND_set_fips_drbg_type(int type, int flags);
+int RAND_init_fips(void);
+# endif
+
/* BEGIN ERROR CODES */
/*
* The following lines are auto generated by the script mkerr.pl. Any changes
@@ -79,8 +84,11 @@ int ERR_load_RAND_strings(void);
/* Function codes. */
# define RAND_F_RAND_BYTES 100
+# define RAND_F_RAND_INIT_FIPS 200
/* Reason codes. */
+# define RAND_R_ERROR_INITIALISING_DRBG 200
+# define RAND_R_ERROR_INSTANTIATING_DRBG 201
# define RAND_R_PRNG_NOT_SEEDED 100
# ifdef __cplusplus
diff -up openssl-1.1.0f/include/openssl/rsa.h.fips openssl-1.1.0f/include/openssl/rsa.h
--- openssl-1.1.0f/include/openssl/rsa.h.fips 2017-05-25 14:46:20.000000000 +0200
+++ openssl-1.1.0f/include/openssl/rsa.h 2017-06-02 14:14:25.472421484 +0200
@@ -463,6 +463,7 @@ int ERR_load_RSA_strings(void);
/* Function codes. */
# define RSA_F_CHECK_PADDING_MD 140
# define RSA_F_ENCODE_PKCS1 146
+# define RSA_F_FIPS_RSA_BUILTIN_KEYGEN 206
# define RSA_F_INT_RSA_VERIFY 145
# define RSA_F_OLD_RSA_PRIV_DECODE 147
# define RSA_F_PKEY_RSA_CTRL 143
@@ -475,6 +476,7 @@ int ERR_load_RSA_strings(void);
# define RSA_F_RSA_CHECK_KEY 123
# define RSA_F_RSA_CHECK_KEY_EX 160
# define RSA_F_RSA_CMS_DECRYPT 159
+# define RSA_F_RSA_GENERATE_KEY_EX 204
# define RSA_F_RSA_ITEM_VERIFY 148
# define RSA_F_RSA_METH_DUP 161
# define RSA_F_RSA_METH_NEW 162
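Review bot: `RSA_F_RSA_GENERATE_KEY_EX` is defined as 204 here, and the hunk at L11885–L11900 also defines `# define RSA_F_RSA_SET_METHOD 204`, so the two new function codes collide and an error raised from either will be reported under whichever name the error-string table maps to 204. The other codes this patch adds to the file occupy 200–206, so one of the two needs a fresh value, e.g. `# define RSA_F_RSA_GENERATE_KEY_EX 207`, and the corresponding entry in the RSA error-string table (not part of this diff) presumably has to follow. Worth a quick grep for other 20x collisions in the headers this patch touches, since the codes appear to have been hand-assigned.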
@@ -509,9 +511,15 @@ int ERR_load_RSA_strings(void);
# define RSA_F_RSA_PRINT 115
# define RSA_F_RSA_PRINT_FP 116
# define RSA_F_RSA_PRIV_ENCODE 138
+# define RSA_F_RSA_PRIVATE_DECRYPT 200
+# define RSA_F_RSA_PRIVATE_ENCRYPT 201
# define RSA_F_RSA_PSS_TO_CTX 155
# define RSA_F_RSA_PUB_DECODE 139
+# define RSA_F_RSA_PUBLIC_DECRYPT 202
+# define RSA_F_RSA_PUBLIC_ENCRYPT 203
# define RSA_F_RSA_SETUP_BLINDING 136
+# define RSA_F_RSA_SET_DEFAULT_METHOD 205
+# define RSA_F_RSA_SET_METHOD 204
# define RSA_F_RSA_SIGN 117
# define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
# define RSA_F_RSA_VERIFY 119
@@ -558,9 +566,11 @@ int ERR_load_RSA_strings(void);
# define RSA_R_LAST_OCTET_INVALID 134
# define RSA_R_MODULUS_TOO_LARGE 105
# define RSA_R_NO_PUBLIC_EXPONENT 140
+# define RSA_R_NON_FIPS_RSA_METHOD 200
# define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
# define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
# define RSA_R_OAEP_DECODING_ERROR 121
+# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 201
# define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
# define RSA_R_PADDING_CHECK_FAILED 114
# define RSA_R_PKCS_DECODING_ERROR 159
diff -up openssl-1.1.0f/ssl/ssl_ciph.c.fips openssl-1.1.0f/ssl/ssl_ciph.c
--- openssl-1.1.0f/ssl/ssl_ciph.c.fips 2017-06-02 14:14:25.456421107 +0200
+++ openssl-1.1.0f/ssl/ssl_ciph.c 2017-06-02 14:14:25.472421484 +0200
@@ -404,7 +404,8 @@ void ssl_load_ciphers(void)
}
}
/* Make sure we can access MD5 and SHA1 */
- OPENSSL_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL);
+ if (!FIPS_mode())
+ OPENSSL_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL);
OPENSSL_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL);
disabled_mkey_mask = 0;
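Review bot: The comment `/* Make sure we can access MD5 and SHA1 */` now describes only the non-FIPS path, because the MD5 assertion is skipped when FIPS_mode() is set; suggest `/* Make sure we can access SHA1; MD5 is only required outside FIPS mode */`. In FIPS mode ssl_digest_methods[SSL_MD_MD5_IDX] may therefore stay NULL, so any later consumer of that slot has to tolerate it — that is not visible in this hunk and is worth confirming. ssl_load_ciphers continues outside the hunk.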
@@ -687,7 +688,7 @@ static void ssl_cipher_collect_ciphers(c
/* drop those that use any of that is not available */
if (c == NULL || !c->valid)
continue;
- if (FIPS_mode() && (c->algo_strength & SSL_FIPS))
+ if (FIPS_mode() && !(c->algo_strength & SSL_FIPS))
continue;
if ((c->algorithm_mkey & disabled_mkey) ||
(c->algorithm_auth & disabled_auth) ||
diff -up openssl-1.1.0f/ssl/ssl_init.c.fips openssl-1.1.0f/ssl/ssl_init.c
--- openssl-1.1.0f/ssl/ssl_init.c.fips 2017-05-25 14:46:20.000000000 +0200
+++ openssl-1.1.0f/ssl/ssl_init.c 2017-06-02 14:14:25.472421484 +0200
@@ -28,6 +28,10 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas
fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
"Adding SSL ciphers and digests\n");
#endif
+#ifdef OPENSSL_FIPS
+ if (!FIPS_mode()) {
+#endif
+
#ifndef OPENSSL_NO_DES
EVP_add_cipher(EVP_des_cbc());
EVP_add_cipher(EVP_des_ede3_cbc());
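Review bot: The `if (!FIPS_mode()) {` opened here inside `#ifdef OPENSSL_FIPS` is closed by the `} else {` in this file's second hunk some sixty lines further on, also inside preprocessor conditionals, which makes the brace pairing easy to break when either registration list is edited. A comment at the open, `/* non-FIPS: register the full cipher and digest set; the FIPS subset is registered in the else-branch below */`, plus a matching note on the closing brace would help. The enclosing ossl_init_ssl_base starts and ends outside both hunks.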
@@ -84,6 +88,31 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas
EVP_add_digest(EVP_sha256());
EVP_add_digest(EVP_sha384());
EVP_add_digest(EVP_sha512());
+#ifdef OPENSSL_FIPS
+ } else {
+# ifndef OPENSSL_NO_DES
+ EVP_add_cipher(EVP_des_ede3_cbc());
+# endif
+ EVP_add_cipher(EVP_aes_128_cbc());
+ EVP_add_cipher(EVP_aes_192_cbc());
+ EVP_add_cipher(EVP_aes_256_cbc());
+ EVP_add_cipher(EVP_aes_128_gcm());
+ EVP_add_cipher(EVP_aes_256_gcm());
+ EVP_add_cipher(EVP_aes_128_ccm());
+ EVP_add_cipher(EVP_aes_256_ccm());
+# ifndef OPENSSL_NO_MD5
+ /* needed even in the FIPS mode for TLS-1.0 */
+ EVP_add_digest(EVP_md5_sha1());
+# endif
+ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
+ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
+ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
+ EVP_add_digest(EVP_sha224());
+ EVP_add_digest(EVP_sha256());
+ EVP_add_digest(EVP_sha384());
+ EVP_add_digest(EVP_sha512());
+ }
+#endif
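Review bot: The FIPS branch registers `EVP_aes_192_cbc()` but no 192-bit GCM or CCM variant alongside the 128/256-bit ones, and no reason is given for the selection; if that is deliberate (I assume there are no TLS suites that need them) a one-line comment on the list, `/* FIPS: only approved ciphers and digests; 192-bit AEAD omitted as no TLS suite uses it */`, would stop a future reader from "completing" the list or, conversely, from dropping an entry that is actually required. The existing `/* needed even in the FIPS mode for TLS-1.0 */` on md5_sha1 is exactly the kind of note the rest of the block needs. ossl_init_ssl_base continues outside the hunk.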
#ifndef OPENSSL_NO_COMP
# ifdef OPENSSL_INIT_DEBUG
fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
diff -up openssl-1.1.0f/ssl/ssl_lib.c.fips openssl-1.1.0f/ssl/ssl_lib.c
--- openssl-1.1.0f/ssl/ssl_lib.c.fips 2017-06-02 14:14:25.456421107 +0200
+++ openssl-1.1.0f/ssl/ssl_lib.c 2017-06-02 14:14:25.473421508 +0200
@@ -2413,13 +2413,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
if (ret->param == NULL)
goto err;
- if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
- goto err2;
- }
- if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
- goto err2;
+ if (!FIPS_mode()) {
+ if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
+ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
+ goto err2;
+ }
+ if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
+ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
+ goto err2;
+ }
+ } else {
+ ret->min_proto_version = TLS1_VERSION;
}
if ((ret->client_CA = sk_X509_NAME_new_null()) == NULL)
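Review bot: In the FIPS branch `ret->md5` and `ret->sha1` are left unset, presumably because SSLv3 is excluded by setting `ret->min_proto_version = TLS1_VERSION;`, but that dependency is not stated and the floor set here can still be lowered later by the application through SSL_CTX_set_min_proto_version(), at which point the SSLv3 code paths would run with those digest pointers unset. A comment on the else-branch, `/* FIPS: ssl3-md5 is unavailable; SSLv3 is disabled via min_proto_version so md5/sha1 are not looked up */`, makes the intent visible, and if the floor is meant to be a hard limit the version-setting path (outside this hunk) would need to enforce it. SSL_CTX_new continues outside the hunk.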
diff -up openssl-1.1.0f/test/dsatest.c.fips openssl-1.1.0f/test/dsatest.c
--- openssl-1.1.0f/test/dsatest.c.fips 2017-05-25 14:46:21.000000000 +0200
+++ openssl-1.1.0f/test/dsatest.c 2017-06-02 14:14:25.473421508 +0200
@@ -32,41 +32,42 @@ int main(int argc, char *argv[])
static int dsa_cb(int p, int n, BN_GENCB *arg);
-/*
- * seed, out_p, out_q, out_g are taken from the updated Appendix 5 to FIPS
- * PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1
- */
static unsigned char seed[20] = {
- 0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8, 0xb6, 0x21, 0x1b, 0x40,
- 0x62, 0xba, 0x32, 0x24, 0xe0, 0x42, 0x7d, 0xd3,
+ 0x02, 0x47, 0x11, 0x92, 0x11, 0x88, 0xC8, 0xFB, 0xAF, 0x48, 0x4C, 0x62,
+ 0xDF, 0xA5, 0xBE, 0xA0, 0xA4, 0x3C, 0x56, 0xE3,
};
static unsigned char out_p[] = {
- 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76, 0xaa,
- 0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69, 0xcb,
- 0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c, 0xf7,
- 0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82, 0xe5,
- 0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e, 0xaf,
- 0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a, 0xac,
- 0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24, 0xc2,
- 0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02, 0x91,
+ 0xAC, 0xCB, 0x1E, 0x63, 0x60, 0x69, 0x0C, 0xFB, 0x06, 0x19, 0x68, 0x3E,
+ 0xA5, 0x01, 0x5A, 0xA2, 0x15, 0x5C, 0xE2, 0x99, 0x2D, 0xD5, 0x30, 0x99,
+ 0x7E, 0x5F, 0x8D, 0xE2, 0xF7, 0xC6, 0x2E, 0x8D, 0xA3, 0x9F, 0x58, 0xAD,
+ 0xD6, 0xA9, 0x7D, 0x0E, 0x0D, 0x95, 0x53, 0xA6, 0x71, 0x3A, 0xDE, 0xAB,
+ 0xAC, 0xE9, 0xF4, 0x36, 0x55, 0x9E, 0xB9, 0xD6, 0x93, 0xBF, 0xF3, 0x18,
+ 0x1C, 0x14, 0x7B, 0xA5, 0x42, 0x2E, 0xCD, 0x00, 0xEB, 0x35, 0x3B, 0x1B,
+ 0xA8, 0x51, 0xBB, 0xE1, 0x58, 0x42, 0x85, 0x84, 0x22, 0xA7, 0x97, 0x5E,
+ 0x99, 0x6F, 0x38, 0x20, 0xBD, 0x9D, 0xB6, 0xD9, 0x33, 0x37, 0x2A, 0xFD,
+ 0xBB, 0xD4, 0xBC, 0x0C, 0x2A, 0x67, 0xCB, 0x9F, 0xBB, 0xDF, 0xF9, 0x93,
+ 0xAA, 0xD6, 0xF0, 0xD6, 0x95, 0x0B, 0x5D, 0x65, 0x14, 0xD0, 0x18, 0x9D,
+ 0xC6, 0xAF, 0xF0, 0xC6, 0x37, 0x7C, 0xF3, 0x5F,
};
static unsigned char out_q[] = {
- 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8, 0xee,
- 0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4, 0x8e,
- 0xda, 0xce, 0x91, 0x5f,
+ 0xE3, 0x8E, 0x5E, 0x6D, 0xBF, 0x2B, 0x79, 0xF8, 0xC5, 0x4B, 0x89, 0x8B,
+ 0xBA, 0x2D, 0x91, 0xC3, 0x6C, 0x80, 0xAC, 0x87,
};
static unsigned char out_g[] = {
- 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, 0x13,
- 0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5, 0x00,
- 0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef, 0xcb,
- 0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c, 0x2e,
- 0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba, 0xbf,
- 0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c, 0x9c,
- 0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08, 0x8c,
- 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88, 0x02,
+ 0x42, 0x4A, 0x04, 0x4E, 0x79, 0xB4, 0x99, 0x7F, 0xFD, 0x58, 0x36, 0x2C,
+ 0x1B, 0x5F, 0x18, 0x7E, 0x0D, 0xCC, 0xAB, 0x81, 0xC9, 0x5D, 0x10, 0xCE,
+ 0x4E, 0x80, 0x7E, 0x58, 0xB4, 0x34, 0x3F, 0xA7, 0x45, 0xC7, 0xAA, 0x36,
+ 0x24, 0x42, 0xA9, 0x3B, 0xE8, 0x0E, 0x04, 0x02, 0x2D, 0xFB, 0xA6, 0x13,
+ 0xB9, 0xB5, 0x15, 0xA5, 0x56, 0x07, 0x35, 0xE4, 0x03, 0xB6, 0x79, 0x7C,
+ 0x62, 0xDD, 0xDF, 0x3F, 0x71, 0x3A, 0x9D, 0x8B, 0xC4, 0xF6, 0xE7, 0x1D,
+ 0x52, 0xA8, 0xA9, 0x43, 0x1D, 0x33, 0x51, 0x88, 0x39, 0xBD, 0x73, 0xE9,
+ 0x5F, 0xBE, 0x82, 0x49, 0x27, 0xE6, 0xB5, 0x53, 0xC1, 0x38, 0xAC, 0x2F,
+ 0x6D, 0x97, 0x6C, 0xEB, 0x67, 0xC1, 0x5F, 0x67, 0xF8, 0x35, 0x05, 0x5E,
+ 0xD5, 0x68, 0x80, 0xAA, 0x96, 0xCA, 0x0B, 0x8A, 0xE6, 0xF1, 0xB1, 0x41,
+ 0xC6, 0x75, 0x94, 0x0A, 0x0A, 0x2A, 0xFA, 0x29,
};
static const unsigned char str1[] = "12345678901234567890";
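Review bot: The removed comment was the only record of where `seed`, `out_p`, `out_q` and `out_g` come from (FIPS 186 Appendix 5), and the replacement 1024-bit vectors carry no provenance at all, so nobody can later re-verify them against a published source or understand why the expected counter becomes 239 in the third hunk. Add a comment above `seed`, e.g. `/* seed, out_p, out_q, out_g: 1024-bit DSA parameters taken from <VECTOR-SOURCE placeholder>; expected counter=239, h=2 */`. main() starts before this hunk.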
@@ -102,7 +103,7 @@ int main(int argc, char **argv)
goto end;
BN_GENCB_set(cb, dsa_cb, bio_err);
- if (((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512,
+ if (((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 1024,
seed, 20,
&counter,
&h, cb))
@@ -116,8 +117,8 @@ int main(int argc, char **argv)
BIO_printf(bio_err, "\ncounter=%d h=%ld\n", counter, h);
DSA_print(bio_err, dsa, 0);
- if (counter != 105) {
- BIO_printf(bio_err, "counter should be 105\n");
+ if (counter != 239) {
+ BIO_printf(bio_err, "counter should be 239\n");
goto end;
}
if (h != 2) {
diff -up openssl-1.1.0f/util/mkdef.pl.fips openssl-1.1.0f/util/mkdef.pl
--- openssl-1.1.0f/util/mkdef.pl.fips 2017-05-25 14:46:21.000000000 +0200
+++ openssl-1.1.0f/util/mkdef.pl 2017-06-02 14:14:25.473421508 +0200
@@ -298,6 +298,8 @@ $crypto.=" include/openssl/modes.h";
$crypto.=" include/openssl/async.h";
$crypto.=" include/openssl/ct.h";
$crypto.=" include/openssl/kdf.h";
+$crypto.=" include/openssl/fips.h";
+$crypto.=" include/openssl/fips_rand.h";
my $symhacks="include/openssl/symhacks.h";