diff -Nru openssl-1.0.2g/debian/changelog openssl-1.0.2g/debian/changelog --- openssl-1.0.2g/debian/changelog 2016-04-13 06:48:24.000000000 +0000 +++ openssl-1.0.2g/debian/changelog 2016-04-15 04:58:01.000000000 +0000 @@ -1,3 +1,11 @@ +openssl (1.0.2g-1ubuntu4) xenial; urgency=medium + + * Rename Fedora-imported FIPS patches to the names they have in Fedora, add + correct "Origin:" tags, and move Ubuntu modifications in them into + openssl-1.0.2g-ubuntu-fips-cleanup.patch. + + -- Joy Latten Fri, 15 Apr 2016 06:58:01 +0200 + openssl (1.0.2g-1ubuntu3) xenial; urgency=medium * Add fips support to openssl, LP: #1553309 diff -Nru openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-ctor.patch openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-ctor.patch --- openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-ctor.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-ctor.patch 2016-04-15 04:56:29.000000000 +0000 @@ -0,0 +1,187 @@ +commit ebd8bb4303c805a4c8c20d39ac73af8d51dc2818 +Author: Joy Latten +Date: Wed Apr 13 22:38:57 2016 -0500 + + From: Joy Latten + Description: [PATCH 4/6] Additional fips 140-2 compliance changes + Bug-Ubuntu: http://bugs.launchpad.net/bugs/1553309 + Forwarded: not needed + Origin: vendor, http://pkgs.fedoraproject.org/cgit/rpms/openssl.git + +diff --git a/crypto/fips/fips.c b/crypto/fips/fips.c +index 29621c9..e5de012 100644 +--- a/crypto/fips/fips.c ++++ b/crypto/fips/fips.c +@@ -60,6 +60,8 @@ + #include + #include + #include ++#include ++#include + #include "fips_locl.h" + + #ifdef OPENSSL_FIPS +@@ -201,7 +203,9 @@ static char *bin2hex(void *buf, size_t len) + } + + # define HMAC_PREFIX "." +-# define HMAC_SUFFIX ".hmac" ++# ifndef HMAC_SUFFIX ++# define HMAC_SUFFIX ".hmac" ++# endif + # define READ_BUFFER_LENGTH 16384 + + static char *make_hmac_path(const char *origpath) +@@ -279,20 +283,14 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen) + return rv; + } + +-static int FIPSCHECK_verify(const char *libname, const char *symbolname) ++static int FIPSCHECK_verify(const char *path) + { +- char path[PATH_MAX + 1]; +- int rv; ++ int rv = 0; + FILE *hf; + char *hmacpath, *p; + char *hmac = NULL; + size_t n; + +- rv = get_library_path(libname, symbolname, path, sizeof(path)); +- +- if (rv < 0) +- return 0; +- + hmacpath = make_hmac_path(path); + if (hmacpath == NULL) + return 0; +@@ -343,6 +341,51 @@ static int FIPSCHECK_verify(const char *libname, const char *symbolname) + return 1; + } + ++static int verify_checksums(void) ++{ ++ int rv; ++ char path[PATH_MAX + 1]; ++ char *p; ++ ++ /* we need to avoid dlopening libssl, assume both libcrypto and libssl ++ are in the same directory */ ++ ++ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, ++ "FIPS_mode_set", path, sizeof(path)); ++ if (rv < 0) ++ return 0; ++ ++ rv = FIPSCHECK_verify(path); ++ if (!rv) ++ return 0; ++ ++ /* replace libcrypto with libssl */ ++ while ((p = strstr(path, "libcrypto.so")) != NULL) { ++ p = stpcpy(p, "libssl"); ++ memmove(p, p + 3, strlen(p + 2)); ++ } ++ ++ rv = FIPSCHECK_verify(path); ++ if (!rv) ++ return 0; ++ return 1; ++} ++ ++# ifndef FIPS_MODULE_PATH ++# define FIPS_MODULE_PATH "/etc/system-fips" ++# endif ++ ++int FIPS_module_installed(void) ++{ ++ int rv; ++ rv = access(FIPS_MODULE_PATH, F_OK); ++ if (rv < 0 && errno != ENOENT) ++ rv = 0; ++ ++ /* Installed == true */ ++ return !rv; ++} ++ + int FIPS_module_mode_set(int onoff, const char *auth) + { + int ret = 0; +@@ -380,17 +423,7 @@ int FIPS_module_mode_set(int onoff, const char *auth) + } + # endif + +- if (!FIPSCHECK_verify +- ("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set")) { +- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, +- FIPS_R_FINGERPRINT_DOES_NOT_MATCH); +- fips_selftest_fail = 1; +- ret = 0; +- goto end; +- } +- +- if (!FIPSCHECK_verify +- ("libssl.so." SHLIB_VERSION_NUMBER, "SSL_CTX_new")) { ++ if (!verify_checksums()) { + FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, + FIPS_R_FINGERPRINT_DOES_NOT_MATCH); + fips_selftest_fail = 1; +diff --git a/crypto/fips/fips.h b/crypto/fips/fips.h +index 30668c1..9777a73 100644 +--- a/crypto/fips/fips.h ++++ b/crypto/fips/fips.h +@@ -74,6 +74,7 @@ extern "C" { + + int FIPS_module_mode_set(int onoff, const char *auth); + int FIPS_module_mode(void); ++ int FIPS_module_installed(void); + const void *FIPS_rand_check(void); + int FIPS_selftest(void); + int FIPS_selftest_failed(void); +diff --git a/crypto/o_init.c b/crypto/o_init.c +index 2f754ef..a235755 100644 +--- a/crypto/o_init.c ++++ b/crypto/o_init.c +@@ -72,6 +72,9 @@ static void init_fips_mode(void) + char buf[2] = "0"; + int fd; + ++ /* Ensure the selftests always run */ ++ FIPS_mode_set(1); ++ + if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { + buf[0] = '1'; + } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { +@@ -83,8 +86,12 @@ static void init_fips_mode(void) + * otherwise.. + */ + +- if (buf[0] == '1') { +- FIPS_mode_set(1); ++ if (buf[0] != '1') { ++ /* drop down to non-FIPS mode if it is not requested */ ++ FIPS_mode_set(0); ++ } else { ++ /* abort if selftest failed */ ++ FIPS_selftest_check(); + } + } + #endif +@@ -94,13 +101,16 @@ static void init_fips_mode(void) + * sets FIPS callbacks + */ + +-void OPENSSL_init_library(void) ++void __attribute__ ((constructor)) OPENSSL_init_library(void) + { + static int done = 0; + if (done) + return; + done = 1; + #ifdef OPENSSL_FIPS ++ if (!FIPS_module_installed()) { ++ return; ++ } + RAND_init_fips(); + init_fips_mode(); + if (!FIPS_mode()) { diff -Nru openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-ec.patch openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-ec.patch --- openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-ec.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-ec.patch 2016-04-15 04:56:29.000000000 +0000 @@ -0,0 +1,1948 @@ +commit 8571bf5fd200656c222d3f27738c31bace246e4d +Author: Joy Latten +Date: Thu Apr 14 01:11:50 2016 -0500 + + From: Joy Latten + Decription: [Patch 2/6] Add fips 140-2 support for EC. + Bug-Ubuntu: http://bugs.launchpad.net/bugs/1553309 + Forwarded: not-needed + Origin: vendor, http://pkgs.fedoraproject.org/cgit/rpms/openssl.git + +diff --git a/crypto/ec/ec_cvt.c b/crypto/ec/ec_cvt.c +index 5a832ba..010bd5f 100644 +--- a/crypto/ec/ec_cvt.c ++++ b/crypto/ec/ec_cvt.c +@@ -82,10 +82,6 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, + const EC_METHOD *meth; + EC_GROUP *ret; + +-#ifdef OPENSSL_FIPS +- if (FIPS_mode()) +- return FIPS_ec_group_new_curve_gfp(p, a, b, ctx); +-#endif + #if defined(OPENSSL_BN_ASM_MONT) + /* + * This might appear controversial, but the fact is that generic +@@ -160,10 +156,6 @@ EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, + const EC_METHOD *meth; + EC_GROUP *ret; + +-# ifdef OPENSSL_FIPS +- if (FIPS_mode()) +- return FIPS_ec_group_new_curve_gf2m(p, a, b, ctx); +-# endif + meth = EC_GF2m_simple_method(); + + ret = EC_GROUP_new(meth); +diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c +index bc94ab5..d3fd257 100644 +--- a/crypto/ec/ec_key.c ++++ b/crypto/ec/ec_key.c +@@ -64,9 +64,6 @@ + #include + #include "ec_lcl.h" + #include +-#ifdef OPENSSL_FIPS +-# include +-#endif + + EC_KEY *EC_KEY_new(void) + { +@@ -227,6 +224,38 @@ int EC_KEY_up_ref(EC_KEY *r) + return ((i > 1) ? 1 : 0); + } + ++#ifdef OPENSSL_FIPS ++ ++# include ++# include ++# include ++ ++static int fips_check_ec(EC_KEY *key) ++{ ++ EVP_PKEY *pk; ++ unsigned char tbs[] = "ECDSA Pairwise Check Data"; ++ int ret = 0; ++ ++ if ((pk = EVP_PKEY_new()) == NULL) ++ goto err; ++ ++ EVP_PKEY_set1_EC_KEY(pk, key); ++ ++ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL)) ++ ret = 1; ++ ++ err: ++ if (ret == 0) { ++ FIPSerr(FIPS_F_FIPS_CHECK_EC, FIPS_R_PAIRWISE_TEST_FAILED); ++ fips_set_selftest_fail(); ++ } ++ if (pk) ++ EVP_PKEY_free(pk); ++ return ret; ++} ++ ++#endif ++ + int EC_KEY_generate_key(EC_KEY *eckey) + { + int ok = 0; +@@ -235,8 +264,10 @@ int EC_KEY_generate_key(EC_KEY *eckey) + EC_POINT *pub_key = NULL; + + #ifdef OPENSSL_FIPS +- if (FIPS_mode()) +- return FIPS_ec_key_generate_key(eckey); ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_EC_KEY_GENERATE_KEY, FIPS_R_FIPS_SELFTEST_FAILED); ++ return 0; ++ } + #endif + + if (!eckey || !eckey->group) { +@@ -277,6 +308,14 @@ int EC_KEY_generate_key(EC_KEY *eckey) + eckey->priv_key = priv_key; + eckey->pub_key = pub_key; + ++#ifdef OPENSSL_FIPS ++ if (!fips_check_ec(eckey)) { ++ eckey->priv_key = NULL; ++ eckey->pub_key = NULL; ++ goto err; ++ } ++#endif ++ + ok = 1; + + err: +@@ -414,10 +453,12 @@ int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, + goto err; + } + /* +- * Check if retrieved coordinates match originals: if not values are out +- * of range. ++ * Check if retrieved coordinates match originals and are less ++ * than field order: if not values are out of range. + */ +- if (BN_cmp(x, tx) || BN_cmp(y, ty)) { ++ if (BN_cmp(x, tx) || BN_cmp(y, ty) ++ || (BN_cmp(x, &key->group->field) >= 0) ++ || (BN_cmp(y, &key->group->field) >= 0)) { + ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES, + EC_R_COORDINATES_OUT_OF_RANGE); + goto err; +diff --git a/crypto/ec/ecp_mont.c b/crypto/ec/ecp_mont.c +index b2de7fa..bc9fd47 100644 +--- a/crypto/ec/ecp_mont.c ++++ b/crypto/ec/ecp_mont.c +@@ -63,10 +63,6 @@ + + #include + +-#ifdef OPENSSL_FIPS +-# include +-#endif +- + #include "ec_lcl.h" + + const EC_METHOD *EC_GFp_mont_method(void) +@@ -111,11 +107,6 @@ const EC_METHOD *EC_GFp_mont_method(void) + ec_GFp_mont_field_set_to_one + }; + +-#ifdef OPENSSL_FIPS +- if (FIPS_mode()) +- return fips_ec_gfp_mont_method(); +-#endif +- + return &ret; + } + +diff --git a/crypto/ec/ecp_nist.c b/crypto/ec/ecp_nist.c +index 3944e24..dbd2558 100644 +--- a/crypto/ec/ecp_nist.c ++++ b/crypto/ec/ecp_nist.c +@@ -67,10 +67,6 @@ + #include + #include "ec_lcl.h" + +-#ifdef OPENSSL_FIPS +-# include +-#endif +- + const EC_METHOD *EC_GFp_nist_method(void) + { + static const EC_METHOD ret = { +@@ -113,11 +109,6 @@ const EC_METHOD *EC_GFp_nist_method(void) + 0 /* field_set_to_one */ + }; + +-#ifdef OPENSSL_FIPS +- if (FIPS_mode()) +- return fips_ec_gfp_nist_method(); +-#endif +- + return &ret; + } + +diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c +index 2b84821..b0e69cb 100644 +--- a/crypto/ec/ecp_smpl.c ++++ b/crypto/ec/ecp_smpl.c +@@ -66,10 +66,6 @@ + #include + #include + +-#ifdef OPENSSL_FIPS +-# include +-#endif +- + #include "ec_lcl.h" + + const EC_METHOD *EC_GFp_simple_method(void) +@@ -114,11 +110,6 @@ const EC_METHOD *EC_GFp_simple_method(void) + 0 /* field_set_to_one */ + }; + +-#ifdef OPENSSL_FIPS +- if (FIPS_mode()) +- return fips_ec_gfp_simple_method(); +-#endif +- + return &ret; + } + +@@ -187,6 +178,11 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group, + return 0; + } + ++ if (BN_num_bits(p) < 256) { ++ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD); ++ return 0; ++ } ++ + if (ctx == NULL) { + ctx = new_ctx = BN_CTX_new(); + if (ctx == NULL) +diff --git a/crypto/ecdh/ecdhtest.c b/crypto/ecdh/ecdhtest.c +index 2fe2c66..4d6594a 100644 +--- a/crypto/ecdh/ecdhtest.c ++++ b/crypto/ecdh/ecdhtest.c +@@ -501,11 +501,13 @@ int main(int argc, char *argv[]) + goto err; + + /* NIST PRIME CURVES TESTS */ ++# if 0 + if (!test_ecdh_curve + (NID_X9_62_prime192v1, "NIST Prime-Curve P-192", ctx, out)) + goto err; + if (!test_ecdh_curve(NID_secp224r1, "NIST Prime-Curve P-224", ctx, out)) + goto err; ++# endif + if (!test_ecdh_curve + (NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out)) + goto err; +@@ -536,13 +538,14 @@ int main(int argc, char *argv[]) + if (!test_ecdh_curve(NID_sect571r1, "NIST Binary-Curve B-571", ctx, out)) + goto err; + # endif ++# if 0 + if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP256r1", 256)) + goto err; + if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP384r1", 384)) + goto err; + if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP512r1", 512)) + goto err; +- ++# endif + ret = 0; + + err: +diff --git a/crypto/ecdh/ech_lib.c b/crypto/ecdh/ech_lib.c +index cbc21d1..aa7954a 100644 +--- a/crypto/ecdh/ech_lib.c ++++ b/crypto/ecdh/ech_lib.c +@@ -93,14 +93,7 @@ void ECDH_set_default_method(const ECDH_METHOD *meth) + const ECDH_METHOD *ECDH_get_default_method(void) + { + if (!default_ECDH_method) { +-#ifdef OPENSSL_FIPS +- if (FIPS_mode()) +- return FIPS_ecdh_openssl(); +- else +- return ECDH_OpenSSL(); +-#else + default_ECDH_method = ECDH_OpenSSL(); +-#endif + } + return default_ECDH_method; + } +diff --git a/crypto/ecdh/ech_ossl.c b/crypto/ecdh/ech_ossl.c +index df115cc..3908dfa 100644 +--- a/crypto/ecdh/ech_ossl.c ++++ b/crypto/ecdh/ech_ossl.c +@@ -78,6 +78,10 @@ + #include + #include + ++#ifdef OPENSSL_FIPS ++# include ++#endif ++ + static int ecdh_compute_key(void *out, size_t len, const EC_POINT *pub_key, + EC_KEY *ecdh, + void *(*KDF) (const void *in, size_t inlen, +@@ -90,7 +94,7 @@ static ECDH_METHOD openssl_ecdh_meth = { + NULL, /* init */ + NULL, /* finish */ + #endif +- 0, /* flags */ ++ ECDH_FLAG_FIPS_METHOD, /* flags */ + NULL /* app_data */ + }; + +@@ -119,6 +123,13 @@ static int ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, + size_t buflen, len; + unsigned char *buf = NULL; + ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED); ++ return -1; ++ } ++#endif ++ + if (outlen > INT_MAX) { + ECDHerr(ECDH_F_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE); /* sort of, + * anyway */ +diff --git a/crypto/ecdsa/ecdsatest.c b/crypto/ecdsa/ecdsatest.c +index 0f301f8..0d12f71 100644 +--- a/crypto/ecdsa/ecdsatest.c ++++ b/crypto/ecdsa/ecdsatest.c +@@ -138,11 +138,14 @@ int restore_rand(void) + } + + static int fbytes_counter = 0; +-static const char *numbers[8] = { ++static const char *numbers[10] = { ++ "651056770906015076056810763456358567190100156695615665659", + "651056770906015076056810763456358567190100156695615665659", + "6140507067065001063065065565667405560006161556565665656654", + "8763001015071075675010661307616710783570106710677817767166" + "71676178726717", ++ "8763001015071075675010661307616710783570106710677817767166" ++ "71676178726717", + "7000000175690566466555057817571571075705015757757057795755" + "55657156756655", + "1275552191113212300012030439187146164646146646466749494799", +@@ -158,7 +161,7 @@ int fbytes(unsigned char *buf, int num) + int ret; + BIGNUM *tmp = NULL; + +- if (fbytes_counter >= 8) ++ if (fbytes_counter >= 10) + return 0; + tmp = BN_new(); + if (!tmp) +@@ -532,8 +535,10 @@ int main(void) + RAND_seed(rnd_seed, sizeof(rnd_seed)); + + /* the tests */ ++# if 0 + if (!x9_62_tests(out)) + goto err; ++# endif + if (!test_builtin(out)) + goto err; + +diff --git a/crypto/ecdsa/ecs_lib.c b/crypto/ecdsa/ecs_lib.c +index 8dc1dda..24ef566 100644 +--- a/crypto/ecdsa/ecs_lib.c ++++ b/crypto/ecdsa/ecs_lib.c +@@ -80,14 +80,7 @@ void ECDSA_set_default_method(const ECDSA_METHOD *meth) + const ECDSA_METHOD *ECDSA_get_default_method(void) + { + if (!default_ECDSA_method) { +-#ifdef OPENSSL_FIPS +- if (FIPS_mode()) +- return FIPS_ecdsa_openssl(); +- else +- return ECDSA_OpenSSL(); +-#else + default_ECDSA_method = ECDSA_OpenSSL(); +-#endif + } + return default_ECDSA_method; + } +diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c +index dd76960..d81cf6b 100644 +--- a/crypto/ecdsa/ecs_ossl.c ++++ b/crypto/ecdsa/ecs_ossl.c +@@ -60,6 +60,9 @@ + #include + #include + #include ++#ifdef OPENSSL_FIPS ++# include ++#endif + + static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen, + const BIGNUM *, const BIGNUM *, +@@ -78,7 +81,7 @@ static ECDSA_METHOD openssl_ecdsa_meth = { + NULL, /* init */ + NULL, /* finish */ + #endif +- 0, /* flags */ ++ ECDSA_FLAG_FIPS_METHOD, /* flags */ + NULL /* app_data */ + }; + +@@ -245,6 +248,13 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, + ECDSA_DATA *ecdsa; + const BIGNUM *priv_key; + ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_ECDSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED); ++ return NULL; ++ } ++#endif ++ + ecdsa = ecdsa_check(eckey); + group = EC_KEY_get0_group(eckey); + priv_key = EC_KEY_get0_private_key(eckey); +@@ -358,6 +368,13 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, + const EC_GROUP *group; + const EC_POINT *pub_key; + ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_ECDSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED); ++ return -1; ++ } ++#endif ++ + /* check input values */ + if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || + (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) { +diff --git a/crypto/evp/m_ecdsa.c b/crypto/evp/m_ecdsa.c +index 803d314..2830069 100644 +--- a/crypto/evp/m_ecdsa.c ++++ b/crypto/evp/m_ecdsa.c +@@ -136,7 +136,7 @@ static const EVP_MD ecdsa_md = { + NID_ecdsa_with_SHA1, + NID_ecdsa_with_SHA1, + SHA_DIGEST_LENGTH, +- EVP_MD_FLAG_PKEY_DIGEST, ++ EVP_MD_FLAG_PKEY_DIGEST | EVP_MD_FLAG_FIPS, + init, + update, + final, +diff --git a/crypto/fips/Makefile b/crypto/fips/Makefile +index b997426..0b54447 100644 +--- a/crypto/fips/Makefile ++++ b/crypto/fips/Makefile +@@ -24,13 +24,13 @@ LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_se + fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \ + fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ + fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ +- fips_cmac_selftest.c fips_enc.c fips_md.c ++ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c + + LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \ + fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \ + fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \ + fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \ +- fips_cmac_selftest.o fips_enc.o fips_md.o ++ fips_cmac_selftest.o fips_ecdh_selftest.o fips_ecdsa_selftest.o fips_enc.o fips_md.o + + LIBCRYPTO=-L.. -lcrypto + +@@ -119,6 +119,21 @@ fips_aes_selftest.o: ../../include/openssl/ossl_typ.h + fips_aes_selftest.o: ../../include/openssl/safestack.h + fips_aes_selftest.o: ../../include/openssl/stack.h + fips_aes_selftest.o: ../../include/openssl/symhacks.h fips_aes_selftest.c ++fips_cmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h ++fips_cmac_selftest.o: ../../include/openssl/cmac.h ++fips_cmac_selftest.o: ../../include/openssl/crypto.h ++fips_cmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h ++fips_cmac_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h ++fips_cmac_selftest.o: ../../include/openssl/lhash.h ++fips_cmac_selftest.o: ../../include/openssl/obj_mac.h ++fips_cmac_selftest.o: ../../include/openssl/objects.h ++fips_cmac_selftest.o: ../../include/openssl/opensslconf.h ++fips_cmac_selftest.o: ../../include/openssl/opensslv.h ++fips_cmac_selftest.o: ../../include/openssl/ossl_typ.h ++fips_cmac_selftest.o: ../../include/openssl/safestack.h ++fips_cmac_selftest.o: ../../include/openssl/stack.h ++fips_cmac_selftest.o: ../../include/openssl/symhacks.h fips_cmac_selftest.c ++fips_cmac_selftest.o: fips_locl.h + fips_des_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h + fips_des_selftest.o: ../../include/openssl/crypto.h + fips_des_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +@@ -232,6 +247,46 @@ fips_dsa_selftest.o: ../../include/openssl/safestack.h + fips_dsa_selftest.o: ../../include/openssl/stack.h + fips_dsa_selftest.o: ../../include/openssl/symhacks.h fips_dsa_selftest.c + fips_dsa_selftest.o: fips_locl.h ++fips_ecdh_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h ++fips_ecdh_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h ++fips_ecdh_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h ++fips_ecdh_selftest.o: ../../include/openssl/ecdh.h ../../include/openssl/err.h ++fips_ecdh_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h ++fips_ecdh_selftest.o: ../../include/openssl/lhash.h ++fips_ecdh_selftest.o: ../../include/openssl/obj_mac.h ++fips_ecdh_selftest.o: ../../include/openssl/objects.h ++fips_ecdh_selftest.o: ../../include/openssl/opensslconf.h ++fips_ecdh_selftest.o: ../../include/openssl/opensslv.h ++fips_ecdh_selftest.o: ../../include/openssl/ossl_typ.h ++fips_ecdh_selftest.o: ../../include/openssl/safestack.h ++fips_ecdh_selftest.o: ../../include/openssl/stack.h ++fips_ecdh_selftest.o: ../../include/openssl/symhacks.h fips_ecdh_selftest.c ++fips_ecdh_selftest.o: fips_locl.h ++fips_ecdsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h ++fips_ecdsa_selftest.o: ../../include/openssl/bn.h ++fips_ecdsa_selftest.o: ../../include/openssl/crypto.h ++fips_ecdsa_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h ++fips_ecdsa_selftest.o: ../../include/openssl/ecdsa.h ++fips_ecdsa_selftest.o: ../../include/openssl/err.h ../../include/openssl/evp.h ++fips_ecdsa_selftest.o: ../../include/openssl/fips.h ++fips_ecdsa_selftest.o: ../../include/openssl/lhash.h ++fips_ecdsa_selftest.o: ../../include/openssl/obj_mac.h ++fips_ecdsa_selftest.o: ../../include/openssl/objects.h ++fips_ecdsa_selftest.o: ../../include/openssl/opensslconf.h ++fips_ecdsa_selftest.o: ../../include/openssl/opensslv.h ++fips_ecdsa_selftest.o: ../../include/openssl/ossl_typ.h ++fips_ecdsa_selftest.o: ../../include/openssl/safestack.h ++fips_ecdsa_selftest.o: ../../include/openssl/stack.h ++fips_ecdsa_selftest.o: ../../include/openssl/symhacks.h fips_ecdsa_selftest.c ++fips_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h ++fips_enc.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h ++fips_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h ++fips_enc.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h ++fips_enc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h ++fips_enc.o: ../../include/openssl/opensslconf.h ++fips_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h ++fips_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h ++fips_enc.o: ../../include/openssl/symhacks.h fips_enc.c + fips_hmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h + fips_hmac_selftest.o: ../../include/openssl/crypto.h + fips_hmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +@@ -246,6 +301,15 @@ fips_hmac_selftest.o: ../../include/openssl/ossl_typ.h + fips_hmac_selftest.o: ../../include/openssl/safestack.h + fips_hmac_selftest.o: ../../include/openssl/stack.h + fips_hmac_selftest.o: ../../include/openssl/symhacks.h fips_hmac_selftest.c ++fips_md.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h ++fips_md.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h ++fips_md.o: ../../include/openssl/err.h ../../include/openssl/evp.h ++fips_md.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h ++fips_md.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h ++fips_md.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h ++fips_md.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h ++fips_md.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ++fips_md.o: fips_md.c + fips_post.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h + fips_post.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h + fips_post.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h +diff --git a/crypto/fips/cavs/fips_ecdhvs.c b/crypto/fips/cavs/fips_ecdhvs.c +new file mode 100644 +index 0000000..be9d8d8 +--- /dev/null ++++ b/crypto/fips/cavs/fips_ecdhvs.c +@@ -0,0 +1,456 @@ ++/* fips/ecdh/fips_ecdhvs.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ */ ++ ++#define OPENSSL_FIPSAPI ++#include ++ ++#ifndef OPENSSL_FIPS ++# include ++ ++int main(int argc, char **argv) ++{ ++ printf("No FIPS ECDH support\n"); ++ return (0); ++} ++#else ++ ++# include ++# include ++# include ++# include ++# include ++# include ++# include ++# include ++ ++# include "fips_utl.h" ++ ++static const EVP_MD *eparse_md(char *line) ++{ ++ char *p; ++ if (line[0] != '[' || line[1] != 'E') ++ return NULL; ++ p = strchr(line, '-'); ++ if (!p) ++ return NULL; ++ line = p + 1; ++ p = strchr(line, ']'); ++ if (!p) ++ return NULL; ++ *p = 0; ++ p = line; ++ while (isspace(*p)) ++ p++; ++ if (!strcmp(p, "SHA1")) ++ return EVP_sha1(); ++ else if (!strcmp(p, "SHA224")) ++ return EVP_sha224(); ++ else if (!strcmp(p, "SHA256")) ++ return EVP_sha256(); ++ else if (!strcmp(p, "SHA384")) ++ return EVP_sha384(); ++ else if (!strcmp(p, "SHA512")) ++ return EVP_sha512(); ++ else ++ return NULL; ++} ++ ++static int lookup_curve2(char *cname) ++{ ++ char *p; ++ p = strchr(cname, ']'); ++ if (!p) { ++ fprintf(stderr, "Parse error: missing ]\n"); ++ return NID_undef; ++ } ++ *p = 0; ++ ++ if (!strcmp(cname, "B-163")) ++ return NID_sect163r2; ++ if (!strcmp(cname, "B-233")) ++ return NID_sect233r1; ++ if (!strcmp(cname, "B-283")) ++ return NID_sect283r1; ++ if (!strcmp(cname, "B-409")) ++ return NID_sect409r1; ++ if (!strcmp(cname, "B-571")) ++ return NID_sect571r1; ++ if (!strcmp(cname, "K-163")) ++ return NID_sect163k1; ++ if (!strcmp(cname, "K-233")) ++ return NID_sect233k1; ++ if (!strcmp(cname, "K-283")) ++ return NID_sect283k1; ++ if (!strcmp(cname, "K-409")) ++ return NID_sect409k1; ++ if (!strcmp(cname, "K-571")) ++ return NID_sect571k1; ++ if (!strcmp(cname, "P-192")) ++ return NID_X9_62_prime192v1; ++ if (!strcmp(cname, "P-224")) ++ return NID_secp224r1; ++ if (!strcmp(cname, "P-256")) ++ return NID_X9_62_prime256v1; ++ if (!strcmp(cname, "P-384")) ++ return NID_secp384r1; ++ if (!strcmp(cname, "P-521")) ++ return NID_secp521r1; ++ ++ fprintf(stderr, "Unknown Curve name %s\n", cname); ++ return NID_undef; ++} ++ ++static int lookup_curve(char *cname) ++{ ++ char *p; ++ p = strchr(cname, ':'); ++ if (!p) { ++ fprintf(stderr, "Parse error: missing :\n"); ++ return NID_undef; ++ } ++ cname = p + 1; ++ while (isspace(*cname)) ++ cname++; ++ return lookup_curve2(cname); ++} ++ ++static EC_POINT *make_peer(EC_GROUP *group, BIGNUM *x, BIGNUM *y) ++{ ++ EC_POINT *peer; ++ int rv; ++ BN_CTX *c; ++ peer = EC_POINT_new(group); ++ if (!peer) ++ return NULL; ++ c = BN_CTX_new(); ++ if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ++ == NID_X9_62_prime_field) ++ rv = EC_POINT_set_affine_coordinates_GFp(group, peer, x, y, c); ++ else ++# ifdef OPENSSL_NO_EC2M ++ { ++ fprintf(stderr, "ERROR: GF2m not supported\n"); ++ exit(1); ++ } ++# else ++ rv = EC_POINT_set_affine_coordinates_GF2m(group, peer, x, y, c); ++# endif ++ ++ BN_CTX_free(c); ++ if (rv) ++ return peer; ++ EC_POINT_free(peer); ++ return NULL; ++} ++ ++static int ec_print_key(FILE *out, EC_KEY *key, int add_e, int exout) ++{ ++ const EC_POINT *pt; ++ const EC_GROUP *grp; ++ const EC_METHOD *meth; ++ int rv; ++ BIGNUM *tx, *ty; ++ const BIGNUM *d = NULL; ++ BN_CTX *ctx; ++ ctx = BN_CTX_new(); ++ if (!ctx) ++ return 0; ++ tx = BN_CTX_get(ctx); ++ ty = BN_CTX_get(ctx); ++ if (!tx || !ty) ++ return 0; ++ grp = EC_KEY_get0_group(key); ++ pt = EC_KEY_get0_public_key(key); ++ if (exout) ++ d = EC_KEY_get0_private_key(key); ++ meth = EC_GROUP_method_of(grp); ++ if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field) ++ rv = EC_POINT_get_affine_coordinates_GFp(grp, pt, tx, ty, ctx); ++ else ++# ifdef OPENSSL_NO_EC2M ++ { ++ fprintf(stderr, "ERROR: GF2m not supported\n"); ++ exit(1); ++ } ++# else ++ rv = EC_POINT_get_affine_coordinates_GF2m(grp, pt, tx, ty, ctx); ++# endif ++ ++ if (add_e) { ++ do_bn_print_name(out, "QeIUTx", tx); ++ do_bn_print_name(out, "QeIUTy", ty); ++ if (d) ++ do_bn_print_name(out, "QeIUTd", d); ++ } else { ++ do_bn_print_name(out, "QIUTx", tx); ++ do_bn_print_name(out, "QIUTy", ty); ++ if (d) ++ do_bn_print_name(out, "QIUTd", d); ++ } ++ ++ BN_CTX_free(ctx); ++ ++ return rv; ++ ++} ++ ++static void ec_output_Zhash(FILE *out, int exout, EC_GROUP *group, ++ BIGNUM *ix, BIGNUM *iy, BIGNUM *id, BIGNUM *cx, ++ BIGNUM *cy, const EVP_MD *md, ++ unsigned char *rhash, size_t rhashlen) ++{ ++ EC_KEY *ec = NULL; ++ EC_POINT *peerkey = NULL; ++ unsigned char *Z; ++ unsigned char chash[EVP_MAX_MD_SIZE]; ++ int Zlen; ++ ec = EC_KEY_new(); ++ EC_KEY_set_flags(ec, EC_FLAG_COFACTOR_ECDH); ++ EC_KEY_set_group(ec, group); ++ peerkey = make_peer(group, cx, cy); ++ if (rhash == NULL) { ++ if (md) ++ rhashlen = M_EVP_MD_size(md); ++ EC_KEY_generate_key(ec); ++ ec_print_key(out, ec, md ? 1 : 0, exout); ++ } else { ++ EC_KEY_set_public_key_affine_coordinates(ec, ix, iy); ++ EC_KEY_set_private_key(ec, id); ++ } ++ Zlen = (EC_GROUP_get_degree(group) + 7) / 8; ++ Z = OPENSSL_malloc(Zlen); ++ if (!Z) ++ exit(1); ++ ECDH_compute_key(Z, Zlen, peerkey, ec, 0); ++ if (md) { ++ if (exout) ++ OutputValue("Z", Z, Zlen, out, 0); ++ FIPS_digest(Z, Zlen, chash, NULL, md); ++ OutputValue(rhash ? "IUTHashZZ" : "HashZZ", chash, rhashlen, out, 0); ++ if (rhash) { ++ fprintf(out, "Result = %s\n", ++ memcmp(chash, rhash, rhashlen) ? "F" : "P"); ++ } ++ } else ++ OutputValue("ZIUT", Z, Zlen, out, 0); ++ OPENSSL_cleanse(Z, Zlen); ++ OPENSSL_free(Z); ++ EC_KEY_free(ec); ++ EC_POINT_free(peerkey); ++} ++ ++# ifdef FIPS_ALGVS ++int fips_ecdhvs_main(int argc, char **argv) ++# else ++int main(int argc, char **argv) ++# endif ++{ ++ char **args = argv + 1; ++ int argn = argc - 1; ++ FILE *in, *out; ++ char buf[2048], lbuf[2048]; ++ unsigned char *rhash = NULL; ++ long rhashlen; ++ BIGNUM *cx = NULL, *cy = NULL; ++ BIGNUM *id = NULL, *ix = NULL, *iy = NULL; ++ const EVP_MD *md = NULL; ++ EC_GROUP *group = NULL; ++ char *keyword = NULL, *value = NULL; ++ int do_verify = -1, exout = 0; ++ int rv = 1; ++ ++ int curve_nids[5] = { 0, 0, 0, 0, 0 }; ++ int param_set = -1; ++ ++ fips_algtest_init(); ++ ++ if (argn && !strcmp(*args, "ecdhver")) { ++ do_verify = 1; ++ args++; ++ argn--; ++ } else if (argn && !strcmp(*args, "ecdhgen")) { ++ do_verify = 0; ++ args++; ++ argn--; ++ } ++ ++ if (argn && !strcmp(*args, "-exout")) { ++ exout = 1; ++ args++; ++ argn--; ++ } ++ ++ if (do_verify == -1) { ++ fprintf(stderr, "%s [ecdhver|ecdhgen|] [-exout] (infile outfile)\n", ++ argv[0]); ++ exit(1); ++ } ++ ++ if (argn == 2) { ++ in = fopen(*args, "r"); ++ if (!in) { ++ fprintf(stderr, "Error opening input file\n"); ++ exit(1); ++ } ++ out = fopen(args[1], "w"); ++ if (!out) { ++ fprintf(stderr, "Error opening output file\n"); ++ exit(1); ++ } ++ } else if (argn == 0) { ++ in = stdin; ++ out = stdout; ++ } else { ++ fprintf(stderr, "%s [dhver|dhgen|] [-exout] (infile outfile)\n", ++ argv[0]); ++ exit(1); ++ } ++ ++ while (fgets(buf, sizeof(buf), in) != NULL) { ++ fputs(buf, out); ++ if (buf[0] == '[' && buf[1] == 'E') { ++ int c = buf[2]; ++ if (c < 'A' || c > 'E') ++ goto parse_error; ++ param_set = c - 'A'; ++ /* If just [E?] then initial paramset */ ++ if (buf[3] == ']') ++ continue; ++ if (group) ++ EC_GROUP_free(group); ++ group = EC_GROUP_new_by_curve_name(curve_nids[c - 'A']); ++ } ++ if (strlen(buf) > 10 && !strncmp(buf, "[Curve", 6)) { ++ int nid; ++ if (param_set == -1) ++ goto parse_error; ++ nid = lookup_curve(buf); ++ if (nid == NID_undef) ++ goto parse_error; ++ curve_nids[param_set] = nid; ++ } ++ ++ if (strlen(buf) > 4 && buf[0] == '[' && buf[2] == '-') { ++ int nid = lookup_curve2(buf + 1); ++ if (nid == NID_undef) ++ goto parse_error; ++ if (group) ++ EC_GROUP_free(group); ++ group = EC_GROUP_new_by_curve_name(nid); ++ if (!group) { ++ fprintf(stderr, "ERROR: unsupported curve %s\n", buf + 1); ++ return 1; ++ } ++ } ++ ++ if (strlen(buf) > 6 && !strncmp(buf, "[E", 2)) { ++ md = eparse_md(buf); ++ if (md == NULL) ++ goto parse_error; ++ continue; ++ } ++ if (!parse_line(&keyword, &value, lbuf, buf)) ++ continue; ++ if (!strcmp(keyword, "QeCAVSx") || !strcmp(keyword, "QCAVSx")) { ++ if (!do_hex2bn(&cx, value)) ++ goto parse_error; ++ } else if (!strcmp(keyword, "QeCAVSy") || !strcmp(keyword, "QCAVSy")) { ++ if (!do_hex2bn(&cy, value)) ++ goto parse_error; ++ if (do_verify == 0) ++ ec_output_Zhash(out, exout, group, ++ NULL, NULL, NULL, ++ cx, cy, md, rhash, rhashlen); ++ } else if (!strcmp(keyword, "deIUT")) { ++ if (!do_hex2bn(&id, value)) ++ goto parse_error; ++ } else if (!strcmp(keyword, "QeIUTx")) { ++ if (!do_hex2bn(&ix, value)) ++ goto parse_error; ++ } else if (!strcmp(keyword, "QeIUTy")) { ++ if (!do_hex2bn(&iy, value)) ++ goto parse_error; ++ } else if (!strcmp(keyword, "CAVSHashZZ")) { ++ if (!md) ++ goto parse_error; ++ rhash = hex2bin_m(value, &rhashlen); ++ if (!rhash || rhashlen != M_EVP_MD_size(md)) ++ goto parse_error; ++ ec_output_Zhash(out, exout, group, ix, iy, id, cx, cy, ++ md, rhash, rhashlen); ++ } ++ } ++ rv = 0; ++ parse_error: ++ if (id) ++ BN_free(id); ++ if (ix) ++ BN_free(ix); ++ if (iy) ++ BN_free(iy); ++ if (cx) ++ BN_free(cx); ++ if (cy) ++ BN_free(cy); ++ if (group) ++ EC_GROUP_free(group); ++ if (in && in != stdin) ++ fclose(in); ++ if (out && out != stdout) ++ fclose(out); ++ if (rv) ++ fprintf(stderr, "Error Parsing request file\n"); ++ return rv; ++} ++ ++#endif +diff --git a/crypto/fips/cavs/fips_ecdsavs.c b/crypto/fips/cavs/fips_ecdsavs.c +new file mode 100644 +index 0000000..4d85fce +--- /dev/null ++++ b/crypto/fips/cavs/fips_ecdsavs.c +@@ -0,0 +1,486 @@ ++/* fips/ecdsa/fips_ecdsavs.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ */ ++ ++#define OPENSSL_FIPSAPI ++#include ++#include ++ ++#ifndef OPENSSL_FIPS ++ ++int main(int argc, char **argv) ++{ ++ printf("No FIPS ECDSA support\n"); ++ return (0); ++} ++#else ++ ++# include ++# include ++# include ++# include ++# include ++# include ++# include "fips_utl.h" ++ ++# include ++ ++static int elookup_curve(char *in, char *curve_name, const EVP_MD **pmd) ++{ ++ char *cname, *p; ++ /* Copy buffer as we will change it */ ++ strcpy(curve_name, in); ++ cname = curve_name + 1; ++ p = strchr(cname, ']'); ++ if (!p) { ++ fprintf(stderr, "Parse error: missing ]\n"); ++ return NID_undef; ++ } ++ *p = 0; ++ p = strchr(cname, ','); ++ if (p) { ++ if (!pmd) { ++ fprintf(stderr, "Parse error: unexpected digest\n"); ++ return NID_undef; ++ } ++ *p = 0; ++ p++; ++ ++ if (!strcmp(p, "SHA-1")) ++ *pmd = EVP_sha1(); ++ else if (!strcmp(p, "SHA-224")) ++ *pmd = EVP_sha224(); ++ else if (!strcmp(p, "SHA-256")) ++ *pmd = EVP_sha256(); ++ else if (!strcmp(p, "SHA-384")) ++ *pmd = EVP_sha384(); ++ else if (!strcmp(p, "SHA-512")) ++ *pmd = EVP_sha512(); ++ else { ++ fprintf(stderr, "Unknown digest %s\n", p); ++ return NID_undef; ++ } ++ } else if (pmd) ++ *pmd = EVP_sha1(); ++ ++ if (!strcmp(cname, "B-163")) ++ return NID_sect163r2; ++ if (!strcmp(cname, "B-233")) ++ return NID_sect233r1; ++ if (!strcmp(cname, "B-283")) ++ return NID_sect283r1; ++ if (!strcmp(cname, "B-409")) ++ return NID_sect409r1; ++ if (!strcmp(cname, "B-571")) ++ return NID_sect571r1; ++ if (!strcmp(cname, "K-163")) ++ return NID_sect163k1; ++ if (!strcmp(cname, "K-233")) ++ return NID_sect233k1; ++ if (!strcmp(cname, "K-283")) ++ return NID_sect283k1; ++ if (!strcmp(cname, "K-409")) ++ return NID_sect409k1; ++ if (!strcmp(cname, "K-571")) ++ return NID_sect571k1; ++ if (!strcmp(cname, "P-192")) ++ return NID_X9_62_prime192v1; ++ if (!strcmp(cname, "P-224")) ++ return NID_secp224r1; ++ if (!strcmp(cname, "P-256")) ++ return NID_X9_62_prime256v1; ++ if (!strcmp(cname, "P-384")) ++ return NID_secp384r1; ++ if (!strcmp(cname, "P-521")) ++ return NID_secp521r1; ++ ++ fprintf(stderr, "Unknown Curve name %s\n", cname); ++ return NID_undef; ++} ++ ++static int ec_get_pubkey(EC_KEY *key, BIGNUM *x, BIGNUM *y) ++{ ++ const EC_POINT *pt; ++ const EC_GROUP *grp; ++ const EC_METHOD *meth; ++ int rv; ++ BN_CTX *ctx; ++ ctx = BN_CTX_new(); ++ if (!ctx) ++ return 0; ++ grp = EC_KEY_get0_group(key); ++ pt = EC_KEY_get0_public_key(key); ++ meth = EC_GROUP_method_of(grp); ++ if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field) ++ rv = EC_POINT_get_affine_coordinates_GFp(grp, pt, x, y, ctx); ++ else ++# ifdef OPENSSL_NO_EC2M ++ { ++ fprintf(stderr, "ERROR: GF2m not supported\n"); ++ exit(1); ++ } ++# else ++ rv = EC_POINT_get_affine_coordinates_GF2m(grp, pt, x, y, ctx); ++# endif ++ ++ BN_CTX_free(ctx); ++ ++ return rv; ++ ++} ++ ++static int KeyPair(FILE *in, FILE *out) ++{ ++ char buf[2048], lbuf[2048]; ++ char *keyword, *value; ++ int curve_nid = NID_undef; ++ int i, count; ++ BIGNUM *Qx = NULL, *Qy = NULL; ++ const BIGNUM *d = NULL; ++ EC_KEY *key = NULL; ++ Qx = BN_new(); ++ Qy = BN_new(); ++ while (fgets(buf, sizeof buf, in) != NULL) { ++ if (*buf == '[' && buf[2] == '-') { ++ if (buf[2] == '-') ++ curve_nid = elookup_curve(buf, lbuf, NULL); ++ fputs(buf, out); ++ continue; ++ } ++ if (!parse_line(&keyword, &value, lbuf, buf)) { ++ fputs(buf, out); ++ continue; ++ } ++ if (!strcmp(keyword, "N")) { ++ count = atoi(value); ++ ++ for (i = 0; i < count; i++) { ++ ++ key = EC_KEY_new_by_curve_name(curve_nid); ++ if (!EC_KEY_generate_key(key)) { ++ fprintf(stderr, "Error generating key\n"); ++ return 0; ++ } ++ ++ if (!ec_get_pubkey(key, Qx, Qy)) { ++ fprintf(stderr, "Error getting public key\n"); ++ return 0; ++ } ++ ++ d = EC_KEY_get0_private_key(key); ++ ++ do_bn_print_name(out, "d", d); ++ do_bn_print_name(out, "Qx", Qx); ++ do_bn_print_name(out, "Qy", Qy); ++ fputs(RESP_EOL, out); ++ EC_KEY_free(key); ++ ++ } ++ ++ } ++ ++ } ++ BN_free(Qx); ++ BN_free(Qy); ++ return 1; ++} ++ ++static int PKV(FILE *in, FILE *out) ++{ ++ ++ char buf[2048], lbuf[2048]; ++ char *keyword, *value; ++ int curve_nid = NID_undef; ++ BIGNUM *Qx = NULL, *Qy = NULL; ++ EC_KEY *key = NULL; ++ while (fgets(buf, sizeof buf, in) != NULL) { ++ fputs(buf, out); ++ if (*buf == '[' && buf[2] == '-') { ++ curve_nid = elookup_curve(buf, lbuf, NULL); ++ if (curve_nid == NID_undef) ++ return 0; ++ ++ } ++ if (!parse_line(&keyword, &value, lbuf, buf)) ++ continue; ++ if (!strcmp(keyword, "Qx")) { ++ if (!do_hex2bn(&Qx, value)) { ++ fprintf(stderr, "Invalid Qx value\n"); ++ return 0; ++ } ++ } ++ if (!strcmp(keyword, "Qy")) { ++ int rv; ++ if (!do_hex2bn(&Qy, value)) { ++ fprintf(stderr, "Invalid Qy value\n"); ++ return 0; ++ } ++ key = EC_KEY_new_by_curve_name(curve_nid); ++ no_err = 1; ++ rv = EC_KEY_set_public_key_affine_coordinates(key, Qx, Qy); ++ no_err = 0; ++ EC_KEY_free(key); ++ fprintf(out, "Result = %s" RESP_EOL, rv ? "P" : "F"); ++ } ++ ++ } ++ BN_free(Qx); ++ BN_free(Qy); ++ return 1; ++} ++ ++static int SigGen(FILE *in, FILE *out) ++{ ++ char buf[2048], lbuf[2048]; ++ char *keyword, *value; ++ unsigned char *msg; ++ int curve_nid = NID_undef; ++ long mlen; ++ BIGNUM *Qx = NULL, *Qy = NULL; ++ EC_KEY *key = NULL; ++ ECDSA_SIG *sig = NULL; ++ const EVP_MD *digest = NULL; ++ Qx = BN_new(); ++ Qy = BN_new(); ++ while (fgets(buf, sizeof buf, in) != NULL) { ++ fputs(buf, out); ++ if (*buf == '[') { ++ curve_nid = elookup_curve(buf, lbuf, &digest); ++ if (curve_nid == NID_undef) ++ return 0; ++ } ++ if (!parse_line(&keyword, &value, lbuf, buf)) ++ continue; ++ if (!strcmp(keyword, "Msg")) { ++ msg = hex2bin_m(value, &mlen); ++ if (!msg) { ++ fprintf(stderr, "Invalid Message\n"); ++ return 0; ++ } ++ ++ key = EC_KEY_new_by_curve_name(curve_nid); ++ if (!EC_KEY_generate_key(key)) { ++ fprintf(stderr, "Error generating key\n"); ++ return 0; ++ } ++ ++ if (!ec_get_pubkey(key, Qx, Qy)) { ++ fprintf(stderr, "Error getting public key\n"); ++ return 0; ++ } ++ ++ sig = FIPS_ecdsa_sign(key, msg, mlen, digest); ++ ++ if (!sig) { ++ fprintf(stderr, "Error signing message\n"); ++ return 0; ++ } ++ ++ do_bn_print_name(out, "Qx", Qx); ++ do_bn_print_name(out, "Qy", Qy); ++ do_bn_print_name(out, "R", sig->r); ++ do_bn_print_name(out, "S", sig->s); ++ ++ EC_KEY_free(key); ++ OPENSSL_free(msg); ++ FIPS_ecdsa_sig_free(sig); ++ ++ } ++ ++ } ++ BN_free(Qx); ++ BN_free(Qy); ++ return 1; ++} ++ ++static int SigVer(FILE *in, FILE *out) ++{ ++ char buf[2048], lbuf[2048]; ++ char *keyword, *value; ++ unsigned char *msg = NULL; ++ int curve_nid = NID_undef; ++ long mlen; ++ BIGNUM *Qx = NULL, *Qy = NULL; ++ EC_KEY *key = NULL; ++ ECDSA_SIG sg, *sig = &sg; ++ const EVP_MD *digest = NULL; ++ sig->r = NULL; ++ sig->s = NULL; ++ while (fgets(buf, sizeof buf, in) != NULL) { ++ fputs(buf, out); ++ if (*buf == '[') { ++ curve_nid = elookup_curve(buf, lbuf, &digest); ++ if (curve_nid == NID_undef) ++ return 0; ++ } ++ if (!parse_line(&keyword, &value, lbuf, buf)) ++ continue; ++ if (!strcmp(keyword, "Msg")) { ++ msg = hex2bin_m(value, &mlen); ++ if (!msg) { ++ fprintf(stderr, "Invalid Message\n"); ++ return 0; ++ } ++ } ++ ++ if (!strcmp(keyword, "Qx")) { ++ if (!do_hex2bn(&Qx, value)) { ++ fprintf(stderr, "Invalid Qx value\n"); ++ return 0; ++ } ++ } ++ if (!strcmp(keyword, "Qy")) { ++ if (!do_hex2bn(&Qy, value)) { ++ fprintf(stderr, "Invalid Qy value\n"); ++ return 0; ++ } ++ } ++ if (!strcmp(keyword, "R")) { ++ if (!do_hex2bn(&sig->r, value)) { ++ fprintf(stderr, "Invalid R value\n"); ++ return 0; ++ } ++ } ++ if (!strcmp(keyword, "S")) { ++ int rv; ++ if (!do_hex2bn(&sig->s, value)) { ++ fprintf(stderr, "Invalid S value\n"); ++ return 0; ++ } ++ key = EC_KEY_new_by_curve_name(curve_nid); ++ rv = EC_KEY_set_public_key_affine_coordinates(key, Qx, Qy); ++ ++ if (rv != 1) { ++ fprintf(stderr, "Error setting public key\n"); ++ return 0; ++ } ++ ++ no_err = 1; ++ rv = FIPS_ecdsa_verify(key, msg, mlen, digest, sig); ++ EC_KEY_free(key); ++ if (msg) ++ OPENSSL_free(msg); ++ no_err = 0; ++ ++ fprintf(out, "Result = %s" RESP_EOL, rv ? "P" : "F"); ++ } ++ ++ } ++ if (sig->r) ++ BN_free(sig->r); ++ if (sig->s) ++ BN_free(sig->s); ++ if (Qx) ++ BN_free(Qx); ++ if (Qy) ++ BN_free(Qy); ++ return 1; ++} ++ ++# ifdef FIPS_ALGVS ++int fips_ecdsavs_main(int argc, char **argv) ++# else ++int main(int argc, char **argv) ++# endif ++{ ++ FILE *in = NULL, *out = NULL; ++ const char *cmd = argv[1]; ++ int rv = 0; ++ fips_algtest_init(); ++ ++ if (argc == 4) { ++ in = fopen(argv[2], "r"); ++ if (!in) { ++ fprintf(stderr, "Error opening input file\n"); ++ exit(1); ++ } ++ out = fopen(argv[3], "w"); ++ if (!out) { ++ fprintf(stderr, "Error opening output file\n"); ++ exit(1); ++ } ++ } else if (argc == 2) { ++ in = stdin; ++ out = stdout; ++ } ++ ++ if (!cmd) { ++ fprintf(stderr, "fips_ecdsavs [KeyPair|PKV|SigGen|SigVer]\n"); ++ return 1; ++ } ++ if (!strcmp(cmd, "KeyPair")) ++ rv = KeyPair(in, out); ++ else if (!strcmp(cmd, "PKV")) ++ rv = PKV(in, out); ++ else if (!strcmp(cmd, "SigVer")) ++ rv = SigVer(in, out); ++ else if (!strcmp(cmd, "SigGen")) ++ rv = SigGen(in, out); ++ else { ++ fprintf(stderr, "Unknown command %s\n", cmd); ++ return 1; ++ } ++ ++ if (argc == 4) { ++ fclose(in); ++ fclose(out); ++ } ++ ++ if (rv <= 0) { ++ fprintf(stderr, "Error running %s\n", cmd); ++ return 1; ++ } ++ ++ return 0; ++} ++ ++#endif +diff --git a/crypto/fips/fips.h b/crypto/fips/fips.h +index 792781e..30668c1 100644 +--- a/crypto/fips/fips.h ++++ b/crypto/fips/fips.h +@@ -93,6 +93,8 @@ extern "C" { + void FIPS_corrupt_dsa(void); + void FIPS_corrupt_dsa_keygen(void); + int FIPS_selftest_dsa(void); ++ int FIPS_selftest_ecdsa(void); ++ int FIPS_selftest_ecdh(void); + void FIPS_corrupt_rng(void); + void FIPS_rng_stick(void); + void FIPS_x931_stick(int onoff); +diff --git a/crypto/fips/fips_ecdh_selftest.c b/crypto/fips/fips_ecdh_selftest.c +new file mode 100644 +index 0000000..8cad5ad +--- /dev/null ++++ b/crypto/fips/fips_ecdh_selftest.c +@@ -0,0 +1,242 @@ ++/* fips/ecdh/fips_ecdh_selftest.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project 2011. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ * ++ */ ++ ++#define OPENSSL_FIPSAPI ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#ifdef OPENSSL_FIPS ++ ++# include "fips_locl.h" ++ ++static const unsigned char p256_qcavsx[] = { ++ 0x52, 0xc6, 0xa5, 0x75, 0xf3, 0x04, 0x98, 0xb3, 0x29, 0x66, 0x0c, 0x62, ++ 0x18, 0x60, 0x55, 0x41, 0x59, 0xd4, 0x60, 0x85, 0x99, 0xc1, 0x51, 0x13, ++ 0x6f, 0x97, 0x85, 0x93, 0x33, 0x34, 0x07, 0x50 ++}; ++ ++static const unsigned char p256_qcavsy[] = { ++ 0x6f, 0x69, 0x24, 0xeb, 0xe9, 0x3b, 0xa7, 0xcc, 0x47, 0x17, 0xaa, 0x3f, ++ 0x70, 0xfc, 0x10, 0x73, 0x0a, 0xcd, 0x21, 0xee, 0x29, 0x19, 0x1f, 0xaf, ++ 0xb4, 0x1c, 0x1e, 0xc2, 0x8e, 0x97, 0x81, 0x6e ++}; ++ ++static const unsigned char p256_qiutx[] = { ++ 0x71, 0x46, 0x88, 0x08, 0x92, 0x21, 0x1b, 0x10, 0x21, 0x74, 0xff, 0x0c, ++ 0x94, 0xde, 0x34, 0x7c, 0x86, 0x74, 0xbe, 0x67, 0x41, 0x68, 0xd4, 0xc1, ++ 0xe5, 0x75, 0x63, 0x9c, 0xa7, 0x46, 0x93, 0x6f ++}; ++ ++static const unsigned char p256_qiuty[] = { ++ 0x33, 0x40, 0xa9, 0x6a, 0xf5, 0x20, 0xb5, 0x9e, 0xfc, 0x60, 0x1a, 0xae, ++ 0x3d, 0xf8, 0x21, 0xd2, 0xa7, 0xca, 0x52, 0x34, 0xb9, 0x5f, 0x27, 0x75, ++ 0x6c, 0x81, 0xbe, 0x32, 0x4d, 0xba, 0xbb, 0xf8 ++}; ++ ++static const unsigned char p256_qiutd[] = { ++ 0x1a, 0x48, 0x55, 0x6b, 0x11, 0xbe, 0x92, 0xd4, 0x1c, 0xd7, 0x45, 0xc3, ++ 0x82, 0x81, 0x51, 0xf1, 0x23, 0x40, 0xb7, 0x83, 0xfd, 0x01, 0x6d, 0xbc, ++ 0xa1, 0x66, 0xaf, 0x0a, 0x03, 0x23, 0xcd, 0xc8 ++}; ++ ++static const unsigned char p256_ziut[] = { ++ 0x77, 0x2a, 0x1e, 0x37, 0xee, 0xe6, 0x51, 0x02, 0x71, 0x40, 0xf8, 0x6a, ++ 0x36, 0xf8, 0x65, 0x61, 0x2b, 0x18, 0x71, 0x82, 0x23, 0xe6, 0xf2, 0x77, ++ 0xce, 0xec, 0xb8, 0x49, 0xc7, 0xbf, 0x36, 0x4f ++}; ++ ++typedef struct { ++ int curve; ++ const unsigned char *x1; ++ size_t x1len; ++ const unsigned char *y1; ++ size_t y1len; ++ const unsigned char *d1; ++ size_t d1len; ++ const unsigned char *x2; ++ size_t x2len; ++ const unsigned char *y2; ++ size_t y2len; ++ const unsigned char *z; ++ size_t zlen; ++} ECDH_SELFTEST_DATA; ++ ++# define make_ecdh_test(nid, pr) { nid, \ ++ pr##_qiutx, sizeof(pr##_qiutx), \ ++ pr##_qiuty, sizeof(pr##_qiuty), \ ++ pr##_qiutd, sizeof(pr##_qiutd), \ ++ pr##_qcavsx, sizeof(pr##_qcavsx), \ ++ pr##_qcavsy, sizeof(pr##_qcavsy), \ ++ pr##_ziut, sizeof(pr##_ziut) } ++ ++static ECDH_SELFTEST_DATA test_ecdh_data[] = { ++ make_ecdh_test(NID_X9_62_prime256v1, p256), ++}; ++ ++int FIPS_selftest_ecdh(void) ++{ ++ EC_KEY *ec1 = NULL, *ec2 = NULL; ++ const EC_POINT *ecp = NULL; ++ BIGNUM *x = NULL, *y = NULL, *d = NULL; ++ unsigned char *ztmp = NULL; ++ int rv = 1; ++ size_t i; ++ ++ for (i = 0; i < sizeof(test_ecdh_data) / sizeof(ECDH_SELFTEST_DATA); i++) { ++ ECDH_SELFTEST_DATA *ecd = test_ecdh_data + i; ++ if (!fips_post_started(FIPS_TEST_ECDH, ecd->curve, 0)) ++ continue; ++ ztmp = OPENSSL_malloc(ecd->zlen); ++ ++ x = BN_bin2bn(ecd->x1, ecd->x1len, x); ++ y = BN_bin2bn(ecd->y1, ecd->y1len, y); ++ d = BN_bin2bn(ecd->d1, ecd->d1len, d); ++ ++ if (!x || !y || !d || !ztmp) { ++ rv = -1; ++ goto err; ++ } ++ ++ ec1 = EC_KEY_new_by_curve_name(ecd->curve); ++ if (!ec1) { ++ rv = -1; ++ goto err; ++ } ++ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH); ++ ++ if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) { ++ rv = -1; ++ goto err; ++ } ++ ++ if (!EC_KEY_set_private_key(ec1, d)) { ++ rv = -1; ++ goto err; ++ } ++ ++ x = BN_bin2bn(ecd->x2, ecd->x2len, x); ++ y = BN_bin2bn(ecd->y2, ecd->y2len, y); ++ ++ if (!x || !y) { ++ rv = -1; ++ goto err; ++ } ++ ++ ec2 = EC_KEY_new_by_curve_name(ecd->curve); ++ if (!ec2) { ++ rv = -1; ++ goto err; ++ } ++ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH); ++ ++ if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) { ++ rv = -1; ++ goto err; ++ } ++ ++ ecp = EC_KEY_get0_public_key(ec2); ++ if (!ecp) { ++ rv = -1; ++ goto err; ++ } ++ ++ if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) { ++ rv = -1; ++ goto err; ++ } ++ ++ if (!fips_post_corrupt(FIPS_TEST_ECDH, ecd->curve, NULL)) ++ ztmp[0] ^= 0x1; ++ ++ if (memcmp(ztmp, ecd->z, ecd->zlen)) { ++ fips_post_failed(FIPS_TEST_ECDH, ecd->curve, 0); ++ rv = 0; ++ } else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0)) ++ goto err; ++ ++ EC_KEY_free(ec1); ++ ec1 = NULL; ++ EC_KEY_free(ec2); ++ ec2 = NULL; ++ OPENSSL_free(ztmp); ++ ztmp = NULL; ++ } ++ ++ err: ++ ++ if (x) ++ BN_clear_free(x); ++ if (y) ++ BN_clear_free(y); ++ if (d) ++ BN_clear_free(d); ++ if (ec1) ++ EC_KEY_free(ec1); ++ if (ec2) ++ EC_KEY_free(ec2); ++ if (ztmp) ++ OPENSSL_free(ztmp); ++ ++ return rv; ++ ++} ++ ++#endif +diff --git a/crypto/fips/fips_ecdsa_selftest.c b/crypto/fips/fips_ecdsa_selftest.c +new file mode 100644 +index 0000000..4ce6e81 +--- /dev/null ++++ b/crypto/fips/fips_ecdsa_selftest.c +@@ -0,0 +1,165 @@ ++/* fips/ecdsa/fips_ecdsa_selftest.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project 2011. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ * ++ */ ++ ++#define OPENSSL_FIPSAPI ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#ifdef OPENSSL_FIPS ++ ++static const char P_256_name[] = "ECDSA P-256"; ++ ++static const unsigned char P_256_d[] = { ++ 0x51, 0xbd, 0x06, 0xa1, 0x1c, 0xda, 0xe2, 0x12, 0x99, 0xc9, 0x52, 0x3f, ++ 0xea, 0xa4, 0xd2, 0xd1, 0xf4, 0x7f, 0xd4, 0x3e, 0xbd, 0xf8, 0xfc, 0x87, ++ 0xdc, 0x82, 0x53, 0x21, 0xee, 0xa0, 0xdc, 0x64 ++}; ++ ++static const unsigned char P_256_qx[] = { ++ 0x23, 0x89, 0xe0, 0xf4, 0x69, 0xe0, 0x49, 0xe5, 0xc7, 0xe5, 0x40, 0x6e, ++ 0x8f, 0x25, 0xdd, 0xad, 0x11, 0x16, 0x14, 0x9b, 0xab, 0x44, 0x06, 0x31, ++ 0xbf, 0x5e, 0xa6, 0x44, 0xac, 0x86, 0x00, 0x07 ++}; ++ ++static const unsigned char P_256_qy[] = { ++ 0xb3, 0x05, 0x0d, 0xd0, 0xdc, 0xf7, 0x40, 0xe6, 0xf9, 0xd8, 0x6d, 0x7b, ++ 0x63, 0xca, 0x97, 0xe6, 0x12, 0xf9, 0xd4, 0x18, 0x59, 0xbe, 0xb2, 0x5e, ++ 0x4a, 0x6a, 0x77, 0x23, 0xf4, 0x11, 0x9d, 0xeb ++}; ++ ++typedef struct { ++ int curve; ++ const char *name; ++ const unsigned char *x; ++ size_t xlen; ++ const unsigned char *y; ++ size_t ylen; ++ const unsigned char *d; ++ size_t dlen; ++} EC_SELFTEST_DATA; ++ ++# define make_ecdsa_test(nid, pr) { nid, pr##_name, \ ++ pr##_qx, sizeof(pr##_qx), \ ++ pr##_qy, sizeof(pr##_qy), \ ++ pr##_d, sizeof(pr##_d)} ++ ++static EC_SELFTEST_DATA test_ec_data[] = { ++ make_ecdsa_test(NID_X9_62_prime256v1, P_256), ++}; ++ ++int FIPS_selftest_ecdsa() ++{ ++ EC_KEY *ec = NULL; ++ BIGNUM *x = NULL, *y = NULL, *d = NULL; ++ EVP_PKEY *pk = NULL; ++ int rv = 0; ++ size_t i; ++ ++ for (i = 0; i < sizeof(test_ec_data) / sizeof(EC_SELFTEST_DATA); i++) { ++ EC_SELFTEST_DATA *ecd = test_ec_data + i; ++ ++ x = BN_bin2bn(ecd->x, ecd->xlen, x); ++ y = BN_bin2bn(ecd->y, ecd->ylen, y); ++ d = BN_bin2bn(ecd->d, ecd->dlen, d); ++ ++ if (!x || !y || !d) ++ goto err; ++ ++ ec = EC_KEY_new_by_curve_name(ecd->curve); ++ if (!ec) ++ goto err; ++ ++ if (!EC_KEY_set_public_key_affine_coordinates(ec, x, y)) ++ goto err; ++ ++ if (!EC_KEY_set_private_key(ec, d)) ++ goto err; ++ ++ if ((pk = EVP_PKEY_new()) == NULL) ++ goto err; ++ ++ EVP_PKEY_assign_EC_KEY(pk, ec); ++ ++ if (!fips_pkey_signature_test(pk, NULL, 0, ++ NULL, 0, EVP_sha256(), 0, ecd->name)) ++ goto err; ++ } ++ ++ rv = 1; ++ ++ err: ++ ++ if (x) ++ BN_clear_free(x); ++ if (y) ++ BN_clear_free(y); ++ if (d) ++ BN_clear_free(d); ++ if (pk) ++ EVP_PKEY_free(pk); ++ else if (ec) ++ EC_KEY_free(ec); ++ ++ return rv; ++ ++} ++ ++#endif +diff --git a/crypto/fips/fips_post.c b/crypto/fips/fips_post.c +index 629f5c2..b9354db 100644 +--- a/crypto/fips/fips_post.c ++++ b/crypto/fips/fips_post.c +@@ -95,8 +95,12 @@ int FIPS_selftest(void) + rv = 0; + if (!FIPS_selftest_rsa()) + rv = 0; ++ if (!FIPS_selftest_ecdsa()) ++ rv = 0; + if (!FIPS_selftest_dsa()) + rv = 0; ++ if (!FIPS_selftest_ecdh()) ++ rv = 0; + return rv; + } + diff -Nru openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-md5-allow.patch openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-md5-allow.patch --- openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-md5-allow.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-md5-allow.patch 2016-04-15 04:56:29.000000000 +0000 @@ -0,0 +1,32 @@ +commit a1bbf7c63dc208b24fde36521b31160ef8fc6016 +Author: Joy Latten +Date: Wed Apr 13 18:06:25 2016 -0500 + + From: Joy Latten + Description: [PATCH 3/6] Allow MD5 for fips. + Bug-Ubuntu: http://bugs.launchpad.net/bugs/1553309 + Forwarded: not-needed + Origin: vendor, http://pkgs.fedoraproject.org/cgit/rpms/openssl.git + +diff --git a/crypto/md5/md5_dgst.c b/crypto/md5/md5_dgst.c +index 0a28b9b..0c86a49 100644 +--- a/crypto/md5/md5_dgst.c ++++ b/crypto/md5/md5_dgst.c +@@ -72,7 +72,16 @@ const char MD5_version[] = "MD5" OPENSSL_VERSION_PTEXT; + #define INIT_DATA_C (unsigned long)0x98badcfeL + #define INIT_DATA_D (unsigned long)0x10325476L + +-nonfips_md_init(MD5) ++int MD5_Init(MD5_CTX *c) ++#ifdef OPENSSL_FIPS ++{ ++ if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL) ++ OpenSSLDie(__FILE__, __LINE__, "Digest MD5 forbidden in FIPS mode!"); ++ return private_MD5_Init(c); ++} ++ ++int private_MD5_Init(MD5_CTX *c) ++#endif + { + memset(c, 0, sizeof(*c)); + c->A = INIT_DATA_A; diff -Nru openssl-1.0.2g/debian/patches/openssl-1.0.2f-new-fips-reqs.patch openssl-1.0.2g/debian/patches/openssl-1.0.2f-new-fips-reqs.patch --- openssl-1.0.2g/debian/patches/openssl-1.0.2f-new-fips-reqs.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/openssl-1.0.2f-new-fips-reqs.patch 2016-04-15 04:56:29.000000000 +0000 @@ -0,0 +1,1374 @@ +commit be78d827c798d847bf5664f3d30f3f5ecbf214dd +Author: Joy Latten +Date: Wed Apr 13 22:58:04 2016 -0500 + + From: Joy Latten + Description: [PATCH 5/6] More fips 140-2 requirements + Bug-Ubuntu: http://bugs.launchpad.net/bugs/1553309 + Forwarded: not-needed + Origin: vendor, http://pkgs.fedoraproject.org/cgit/rpms/openssl.git + +diff --git a/crypto/dh/dh.h b/crypto/dh/dh.h +index 7ae5079..cd08b18 100644 +--- a/crypto/dh/dh.h ++++ b/crypto/dh/dh.h +@@ -78,6 +78,7 @@ + # endif + + # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 ++# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048 + + # define DH_FLAG_CACHE_MONT_P 0x01 + +diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c +index 4fcb16b..db9f700 100644 +--- a/crypto/dh/dh_gen.c ++++ b/crypto/dh/dh_gen.c +@@ -128,7 +128,7 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, + return 0; + } + +- if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { ++ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) { + DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL); + goto err; + } +diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h +index 7c78c5a..4abe46c 100644 +--- a/crypto/dsa/dsa.h ++++ b/crypto/dsa/dsa.h +@@ -89,6 +89,7 @@ + # endif + + # define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024 ++# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN (getenv("OPENSSL_ENFORCE_MODULUS_BITS")?2048:1024) + + # define DSA_FLAG_CACHE_MONT_P 0x01 + /* +@@ -251,9 +252,9 @@ int DSAparams_print_fp(FILE *fp, const DSA *x); + int DSA_print_fp(FILE *bp, const DSA *x, int off); + # endif + +-# define DSS_prime_checks 50 ++# define DSS_prime_checks 64 + /* +- * Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of ++ * Primality test according to FIPS PUB 186-4, Appendix 2.1: 64 rounds of + * Rabin-Miller + */ + # define DSA_is_prime(n, callback, cb_arg) \ +diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c +index 96c4c09..ca86915 100644 +--- a/crypto/dsa/dsa_gen.c ++++ b/crypto/dsa/dsa_gen.c +@@ -157,9 +157,11 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, + } + + if (FIPS_module_mode() && +- (bits != 1024 || qbits != 160) && +- (bits != 2048 || qbits != 224) && +- (bits != 2048 || qbits != 256) && (bits != 3072 || qbits != 256)) { ++ (getenv("OPENSSL_ENFORCE_MODULUS_BITS") || bits != 1024 ++ || qbits != 160) && (bits != 2048 || qbits != 224) && (bits != 2048 ++ || qbits != ++ 256) ++ && (bits != 3072 || qbits != 256)) { + DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID); + goto err; + } +diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c +index e1307b0..f235fce 100644 +--- a/crypto/dsa/dsa_key.c ++++ b/crypto/dsa/dsa_key.c +@@ -120,7 +120,7 @@ static int dsa_builtin_keygen(DSA *dsa) + + # ifdef OPENSSL_FIPS + if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) +- && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) { ++ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN)) { + DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL); + goto err; + } +diff --git a/crypto/fips/Makefile b/crypto/fips/Makefile +index 0b54447..8d4bf9a 100644 +--- a/crypto/fips/Makefile ++++ b/crypto/fips/Makefile +@@ -24,13 +24,15 @@ LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_se + fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \ + fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ + fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ +- fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c ++ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c \ ++ fips_dh_selftest.c + + LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \ + fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \ + fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \ + fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \ +- fips_cmac_selftest.o fips_ecdh_selftest.o fips_ecdsa_selftest.o fips_enc.o fips_md.o ++ fips_cmac_selftest.o fips_ecdh_selftest.o fips_ecdsa_selftest.o fips_enc.o fips_md.o \ ++ fips_dh_selftest.o + + LIBCRYPTO=-L.. -lcrypto + +diff --git a/crypto/fips/fips.c b/crypto/fips/fips.c +index e5de012..c4602e2 100644 +--- a/crypto/fips/fips.c ++++ b/crypto/fips/fips.c +@@ -418,26 +418,24 @@ int FIPS_module_mode_set(int onoff, const char *auth) + ret = 0; + goto end; + } +- OPENSSL_ia32cap_P[0] |= (1 << 28); /* set "shared cache" */ +- OPENSSL_ia32cap_P[1] &= ~(1 << (60 - 32)); /* clear AVX */ + } + # endif + +- if (!verify_checksums()) { +- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, +- FIPS_R_FINGERPRINT_DOES_NOT_MATCH); ++ if (!FIPS_selftest()) { + fips_selftest_fail = 1; + ret = 0; + goto end; + } + +- if (FIPS_selftest()) +- fips_set_mode(onoff); +- else { ++ if (!verify_checksums()) { ++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, ++ FIPS_R_FINGERPRINT_DOES_NOT_MATCH); + fips_selftest_fail = 1; + ret = 0; + goto end; + } ++ ++ fips_set_mode(onoff); + ret = 1; + goto end; + } +diff --git a/crypto/fips/fips.h b/crypto/fips/fips.h +index 9777a73..8c9be43 100644 +--- a/crypto/fips/fips.h ++++ b/crypto/fips/fips.h +@@ -96,6 +96,7 @@ extern "C" { + int FIPS_selftest_dsa(void); + int FIPS_selftest_ecdsa(void); + int FIPS_selftest_ecdh(void); ++ int FIPS_selftest_dh(void); + void FIPS_corrupt_rng(void); + void FIPS_rng_stick(void); + void FIPS_x931_stick(int onoff); +diff --git a/crypto/fips/fips_dh_selftest.c b/crypto/fips/fips_dh_selftest.c +new file mode 100644 +index 0000000..2b1eb25 +--- /dev/null ++++ b/crypto/fips/fips_dh_selftest.c +@@ -0,0 +1,162 @@ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * Copyright (c) 2013 Red Hat, Inc. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "fips_locl.h" ++ ++#ifdef OPENSSL_FIPS ++ ++static const unsigned char dh_test_2048_p[] = { ++ 0xAE, 0xEC, 0xEE, 0x22, 0xFA, 0x3A, 0xA5, 0x22, 0xC0, 0xDE, 0x0F, 0x09, ++ 0x7E, 0x17, 0xC0, 0x05, 0xF9, 0xF1, 0xE7, 0xC6, 0x87, 0x14, 0x6D, 0x11, ++ 0xE7, 0xAE, 0xED, 0x2F, 0x72, 0x59, 0xC5, 0xA9, 0x9B, 0xB8, 0x02, 0xA5, ++ 0xF3, 0x69, 0x70, 0xD6, 0xDD, 0x90, 0xF9, 0x19, 0x79, 0xBE, 0x60, 0x8F, ++ 0x25, 0x92, 0x30, 0x1C, 0x51, 0x51, 0x38, 0x26, 0x82, 0x25, 0xE6, 0xFC, ++ 0xED, 0x65, 0x96, 0x8F, 0x57, 0xE5, 0x53, 0x8B, 0x38, 0x63, 0xC7, 0xCE, ++ 0xBC, 0x1B, 0x4D, 0x18, 0x2A, 0x5B, 0x04, 0x3F, 0x6A, 0x3C, 0x94, 0x39, ++ 0xAE, 0x36, 0xD6, 0x5E, 0x0F, 0xA2, 0xCC, 0xD0, 0xD4, 0xD5, 0xC6, 0x1E, ++ 0xF6, 0xA0, 0xF5, 0x89, 0x4E, 0xB4, 0x0B, 0xA4, 0xB3, 0x2B, 0x3D, 0xE2, ++ 0x4E, 0xE1, 0x49, 0x25, 0x99, 0x5F, 0x32, 0x16, 0x33, 0x32, 0x1B, 0x7A, ++ 0xA5, 0x5C, 0x6B, 0x34, 0x0D, 0x39, 0x99, 0xDC, 0xF0, 0x76, 0xE5, 0x5A, ++ 0xD4, 0x71, 0x00, 0xED, 0x5A, 0x73, 0xFB, 0xC8, 0x01, 0xAD, 0x99, 0xCF, ++ 0x99, 0x52, 0x7C, 0x9C, 0x64, 0xC6, 0x76, 0x40, 0x57, 0xAF, 0x59, 0xD7, ++ 0x38, 0x0B, 0x40, 0xDE, 0x33, 0x0D, 0xB8, 0x76, 0xEC, 0xA9, 0xD8, 0x73, ++ 0xF8, 0xEF, 0x26, 0x66, 0x06, 0x27, 0xDD, 0x7C, 0xA4, 0x10, 0x9C, 0xA6, ++ 0xAA, 0xF9, 0x53, 0x62, 0x73, 0x1D, 0xBA, 0x1C, 0xF1, 0x67, 0xF4, 0x35, ++ 0xED, 0x6F, 0x37, 0x92, 0xE8, 0x4F, 0x6C, 0xBA, 0x52, 0x6E, 0xA1, 0xED, ++ 0xDA, 0x9F, 0x85, 0x11, 0x82, 0x52, 0x62, 0x08, 0x44, 0xF1, 0x30, 0x03, ++ 0xC3, 0x38, 0x2C, 0x79, 0xBD, 0xD4, 0x43, 0x45, 0xEE, 0x8E, 0x50, 0xFC, ++ 0x29, 0x46, 0x9A, 0xFE, 0x54, 0x1A, 0x19, 0x8F, 0x4B, 0x84, 0x08, 0xDE, ++ 0x20, 0x62, 0x73, 0xCC, 0xDD, 0x7E, 0xF0, 0xEF, 0xA2, 0xFD, 0x86, 0x58, ++ 0x4B, 0xD8, 0x37, 0xEB ++}; ++ ++static const unsigned char dh_test_2048_g[] = { ++ 0x02 ++}; ++ ++static const unsigned char dh_test_2048_pub_key[] = { ++ 0xA0, 0x39, 0x11, 0x77, 0x9A, 0xC1, 0x30, 0x1F, 0xBE, 0x48, 0xA7, 0xAA, ++ 0xA0, 0x84, 0x54, 0x64, 0xAD, 0x1B, 0x70, 0xFA, 0x13, 0x55, 0x63, 0xD2, ++ 0x1F, 0x62, 0x32, 0x93, 0x8E, 0xC9, 0x3E, 0x09, 0xA7, 0x64, 0xE4, 0x12, ++ 0x6E, 0x1B, 0xF2, 0x92, 0x3B, 0xB9, 0xCB, 0x56, 0xEA, 0x07, 0x88, 0xB5, ++ 0xA6, 0xBC, 0x16, 0x1F, 0x27, 0xFE, 0xD8, 0xAA, 0x40, 0xB2, 0xB0, 0x2D, ++ 0x37, 0x76, 0xA6, 0xA4, 0x82, 0x2C, 0x0E, 0x22, 0x64, 0x9D, 0xCB, 0xD1, ++ 0x00, 0xB7, 0x89, 0x14, 0x72, 0x4E, 0xBE, 0x48, 0x41, 0xF8, 0xB2, 0x51, ++ 0x11, 0x09, 0x4B, 0x22, 0x01, 0x23, 0x39, 0x96, 0xE0, 0x15, 0xD7, 0x9F, ++ 0x60, 0xD1, 0xB7, 0xAE, 0xFE, 0x5F, 0xDB, 0xE7, 0x03, 0x17, 0x97, 0xA6, ++ 0x16, 0x74, 0xBD, 0x53, 0x81, 0x19, 0xC5, 0x47, 0x5E, 0xCE, 0x8D, 0xED, ++ 0x45, 0x5D, 0x3C, 0x00, 0xA0, 0x0A, 0x68, 0x6A, 0xE0, 0x8E, 0x06, 0x46, ++ 0x6F, 0xD7, 0xF9, 0xDF, 0x31, 0x7E, 0x77, 0x44, 0x0D, 0x98, 0xE0, 0xCA, ++ 0x98, 0x09, 0x52, 0x04, 0x90, 0xEA, 0x6D, 0xF4, 0x30, 0x69, 0x8F, 0xB1, ++ 0x9B, 0xC1, 0x43, 0xDB, 0xD5, 0x8D, 0xC8, 0x8E, 0xB6, 0x0B, 0x05, 0xBE, ++ 0x0E, 0xC5, 0x99, 0xC8, 0x6E, 0x4E, 0xF3, 0xCB, 0xC3, 0x5E, 0x9B, 0x53, ++ 0xF7, 0x06, 0x1C, 0x4F, 0xC7, 0xB8, 0x6E, 0x30, 0x18, 0xCA, 0x9B, 0xB9, ++ 0xBC, 0x5F, 0x17, 0x72, 0x29, 0x5A, 0xE5, 0xD9, 0x96, 0xB7, 0x0B, 0xF3, ++ 0x2D, 0x8C, 0xF1, 0xE1, 0x0E, 0x0D, 0x74, 0xD5, 0x9D, 0xF0, 0x06, 0xA9, ++ 0xB4, 0x95, 0x63, 0x76, 0x46, 0x55, 0x48, 0x82, 0x39, 0x90, 0xEF, 0x56, ++ 0x75, 0x34, 0xB8, 0x34, 0xC3, 0x18, 0x6E, 0x1E, 0xAD, 0xE3, 0x48, 0x7E, ++ 0x93, 0x2C, 0x23, 0xE7, 0xF8, 0x90, 0x73, 0xB1, 0x77, 0x80, 0x67, 0xA9, ++ 0x36, 0x9E, 0xDA, 0xD2 ++}; ++ ++static const unsigned char dh_test_2048_priv_key[] = { ++ 0x0C, 0x4B, 0x30, 0x89, 0xD1, 0xB8, 0x62, 0xCB, 0x3C, 0x43, 0x64, 0x91, ++ 0xF0, 0x91, 0x54, 0x70, 0xC5, 0x27, 0x96, 0xE3, 0xAC, 0xBE, 0xE8, 0x00, ++ 0xEC, 0x55, 0xF6, 0xCC ++}; ++ ++int FIPS_selftest_dh() ++{ ++ DH *dh = NULL; ++ int ret = 0; ++ void *pub_key = NULL; ++ int len; ++ ++ dh = DH_new(); ++ ++ if (dh == NULL) ++ goto err; ++ ++ fips_load_key_component(dh, p, dh_test_2048); ++ fips_load_key_component(dh, g, dh_test_2048); ++ /* note that the private key is much shorter than normally used ++ * but still g ** priv_key > p ++ */ ++ fips_load_key_component(dh, priv_key, dh_test_2048); ++ ++ if (DH_generate_key(dh) <= 0) ++ goto err; ++ ++ len = BN_num_bytes(dh->pub_key); ++ if ((pub_key = OPENSSL_malloc(len)) == NULL) ++ goto err; ++ BN_bn2bin(dh->pub_key, pub_key); ++ ++ if (len != sizeof(dh_test_2048_pub_key) || ++ memcmp(pub_key, dh_test_2048_pub_key, len) != 0) ++ goto err; ++ ++ ret = 1; ++ ++ err: ++ if (dh) ++ DH_free(dh); ++ ++ OPENSSL_free(pub_key); ++ return ret; ++} ++#endif +diff --git a/crypto/fips/fips_post.c b/crypto/fips/fips_post.c +index b9354db..2b19651 100644 +--- a/crypto/fips/fips_post.c ++++ b/crypto/fips/fips_post.c +@@ -99,6 +99,8 @@ int FIPS_selftest(void) + rv = 0; + if (!FIPS_selftest_dsa()) + rv = 0; ++ if (!FIPS_selftest_dh()) ++ rv = 0; + if (!FIPS_selftest_ecdh()) + rv = 0; + return rv; +diff --git a/crypto/fips/fips_rsa_selftest.c b/crypto/fips/fips_rsa_selftest.c +index e87fbda..3f918b7 100644 +--- a/crypto/fips/fips_rsa_selftest.c ++++ b/crypto/fips/fips_rsa_selftest.c +@@ -60,68 +60,107 @@ + #ifdef OPENSSL_FIPS + + static const unsigned char n[] = +- "\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71" +- "\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5" +- "\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD" +- "\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80" +- "\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25" +- "\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39" +- "\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68" +- "\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD" "\xCB"; ++ "\x00\xc9\xd5\x6d\x9d\x90\xdb\x43\xd6\x02\xed\x96\x88\x13\x8a" ++ "\xb2\xbf\x6e\xa1\x06\x10\xb2\x78\x37\xa7\x14\xa8\xff\xdd\x00" ++ "\xdd\xb4\x93\xa0\x45\xcc\x96\x90\xed\xad\xa9\xdd\xc4\xd6\xca" ++ "\x0c\xf0\xed\x4f\x72\x5e\x21\x49\x9a\x18\x12\x15\x8f\x90\x5a" ++ "\xdb\xb6\x33\x99\xa3\xe6\xb4\xf0\xc4\x97\x21\x26\xbb\xe3\xba" ++ "\xf2\xff\xa0\x72\xda\x89\x63\x8e\x8b\x3e\x08\x9d\x92\x2a\xbe" ++ "\x16\xe1\x43\x15\xfc\x57\xc7\x1f\x09\x11\x67\x1c\xa9\x96\xd1" ++ "\x8b\x3e\x80\x93\xc1\x59\xd0\x6d\x39\xf2\xac\x95\xcc\x10\x75" ++ "\xe9\x31\x24\xd1\x43\xaf\x68\x52\x4b\xe7\x16\xd7\x49\x65\x6f" ++ "\x26\xc0\x86\xad\xc0\x07\x0a\xc1\xe1\x2f\x87\x85\x86\x3b\xdc" ++ "\x5a\x99\xbe\xe9\xf9\xb9\xe9\x82\x27\x51\x04\x15\xab\x06\x0e" ++ "\x76\x5a\x28\x8d\x92\xbd\xc5\xb5\x7b\xa8\xdf\x4e\x47\xa2\xc1" ++ "\xe7\x52\xbf\x47\xf7\x62\xe0\x3a\x6f\x4d\x6a\x4d\x4e\xd4\xb9" ++ "\x59\x69\xfa\xb2\x14\xc1\xee\xe6\x2f\x95\xcd\x94\x72\xae\xe4" ++ "\xdb\x18\x9a\xc4\xcd\x70\xbd\xee\x31\x16\xb7\x49\x65\xac\x40" ++ "\x19\x0e\xb5\x6d\x83\xf1\x36\xbb\x08\x2f\x2e\x4e\x92\x62\xa4" ++ "\xff\x50\xdb\x20\x45\xa2\xeb\x16\x7a\xf2\xd5\x28\xc1\xfd\x4e" "\x03\x71"; + + static int corrupt_rsa; + + static int setrsakey(RSA *key) + { +- static const unsigned char e[] = "\x11"; ++ static const unsigned char e[] = "\x01\x00\x01"; + + static const unsigned char d[] = +- "\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD" +- "\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41" +- "\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69" +- "\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA" +- "\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94" +- "\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A" +- "\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94" +- "\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3" +- "\xC1"; ++ "\x36\x27\x3d\xb1\xf9\x1b\xdb\xa7\xa0\x41\x7f\x12\x23\xac\x23" ++ "\x29\x99\xd5\x3a\x7b\x60\x67\x41\x07\x63\x53\xb4\xd2\xe7\x58" ++ "\x95\x0a\xc7\x05\xf3\x4e\xb2\xb4\x12\xd4\x70\xdc\x4f\x85\x06" ++ "\xd3\xdd\xd8\x63\x27\x3e\x67\x31\x21\x24\x39\x04\xbc\x06\xa4" ++ "\xcc\xce\x2b\x7a\xfe\x7b\xad\xde\x11\x6e\xa3\xa5\xe6\x04\x53" ++ "\x0e\xa3\x4e\x2d\xb4\x8f\x31\xbf\xca\x75\x25\x52\x02\x85\xde" ++ "\x3d\xb2\x72\x43\xb2\x89\x8a\x9a\x34\x41\x26\x3f\x9a\x67\xbe" ++ "\xa4\x96\x7b\x0e\x75\xba\xa6\x93\xd5\xb8\xd8\xb8\x57\xf2\x4b" ++ "\x0f\x14\x81\xd1\x57\x4e\xf6\x45\x4c\xa6\x3b\xd0\x70\xca\xd3" ++ "\x9d\x55\xde\x22\x05\xe7\x8e\x28\x4d\xee\x11\xcf\xb6\x67\x76" ++ "\x09\xd3\xe3\x3c\x13\xf9\x99\x34\x10\x7b\xec\x81\x38\xf0\xb6" ++ "\x34\x9c\x9b\x50\x6f\x0b\x91\x81\x4d\x89\x94\x04\x7b\xf0\x3c" ++ "\xf4\xb1\xb2\x00\x48\x8d\x5a\x8f\x88\x9e\xc5\xab\x3a\x9e\x44" ++ "\x3f\x54\xe7\xd9\x6e\x47\xaa\xa1\xbd\x40\x46\x31\xf9\xf0\x34" ++ "\xb6\x04\xe1\x2b\x5b\x73\x86\xdd\x3a\x92\x1b\x71\xc7\x3f\x32" ++ "\xe5\xc3\xc2\xab\xa1\x7e\xbf\xa4\x52\xa0\xb0\x68\x90\xd1\x20" ++ "\x12\x79\xe9\xd7\xc9\x40\xba\xf2\x19\xc7\xa5\x00\x92\x86\x0d" "\x01"; + + static const unsigned char p[] = +- "\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60" +- "\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6" +- "\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A" +- "\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65" +- "\x99"; ++ "\x00\xfc\x5c\x6e\x16\xce\x1f\x03\x7b\xcd\xf7\xb3\x72\xb2\x8f" ++ "\x16\x72\xb8\x56\xae\xf7\xcd\x67\xd8\x4e\x7d\x07\xaf\xd5\x43" ++ "\x26\xc3\x35\xbe\x43\x8f\x4e\x2f\x1c\x43\x4e\x6b\xd2\xb2\xec" ++ "\x52\x6d\x97\x52\x2b\xcc\x5c\x3a\x6b\xf4\x14\xc6\x74\xda\x66" ++ "\x38\x1c\x7a\x3f\x84\x2f\xe3\xf9\x5a\xb8\x65\x69\x46\x06\xa3" ++ "\x37\x79\xb2\xa1\x5b\x58\xed\x5e\xa7\x5f\x8c\x65\x66\xbb\xd1" ++ "\x24\x36\xe6\x37\xa7\x3d\x49\x77\x8a\x8c\x34\xd8\x69\x29\xf3" ++ "\x4d\x58\x22\xb0\x51\x24\xb6\x40\xa8\x86\x59\x0a\xb7\xba\x5c" ++ "\x97\xda\x57\xe8\x36\xda\x7a\x9c\xad"; + + static const unsigned char q[] = +- "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" +- "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D" +- "\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5" +- "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15" +- "\x03"; ++ "\x00\xcc\xbe\x7b\x09\x69\x06\xee\x45\xbf\x88\x47\x38\xa8\xf8" ++ "\x17\xe5\xb6\xba\x67\x55\xe3\xe8\x05\x8b\xb8\xe2\x53\xd6\x8e" ++ "\xef\x2c\xe7\x4f\x4a\xf7\x4e\x26\x8d\x85\x0b\x3f\xec\xc3\x1c" ++ "\xd4\xeb\xec\x6a\xc8\x72\x2a\x25\x7d\xfd\xa6\x77\x96\xf0\x1e" ++ "\xcd\x28\x57\xf8\x37\x30\x75\x6b\xbd\xd4\x7b\x0c\x87\xc5\x6c" ++ "\x87\x40\xa5\xbb\x27\x2c\x78\xc9\x74\x5a\x54\x5b\x0b\x30\x6f" ++ "\x44\x4a\xfa\x71\xe4\x21\x61\x66\xf9\xee\x65\xde\x7c\x04\xd7" ++ "\xfd\xa9\x15\x5b\x7f\xe2\x7a\xba\x69\x86\x72\xa6\x06\x8d\x9b" ++ "\x90\x55\x60\x9e\x4c\x5d\xa9\xb6\x55"; + + static const unsigned char dmp1[] = +- "\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A" +- "\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E" +- "\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E" +- "\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81"; ++ "\x7a\xd6\x12\xd0\x0e\xec\x91\xa9\x85\x8b\xf8\x50\xf0\x11\x2e" ++ "\x00\x11\x32\x40\x60\x66\x1f\x11\xee\xc2\x75\x27\x65\x4b\x16" ++ "\x67\x16\x95\xd2\x14\xc3\x1d\xb3\x48\x1f\xb7\xe4\x0b\x2b\x74" ++ "\xc3\xdb\x50\x27\xf9\x85\x3a\xfa\xa9\x08\x23\xc1\x65\x3d\x34" ++ "\x3a\xc8\x56\x7a\x65\x45\x36\x6e\xae\x2a\xce\x9f\x43\x43\xd7" ++ "\x10\xe9\x9e\x18\xf4\xa4\x35\xda\x8a\x6b\xb0\x3f\xdd\x53\xe3" ++ "\xa8\xc5\x4e\x79\x9d\x1f\x51\x8c\xa2\xca\x66\x3c\x6a\x2a\xff" ++ "\x8e\xd2\xf3\xb7\xcb\x82\xda\xde\x2c\xe6\xd2\x8c\xb3\xad\xb6" ++ "\x4c\x95\x55\x76\xbd\xc9\xc8\xd1"; + + static const unsigned char dmq1[] = +- "\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9" +- "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7" +- "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D" +- "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D"; ++ "\x00\x83\x23\x1d\xbb\x11\x42\x17\x2b\x25\x5a\x2c\x03\xe6\x75" ++ "\xc1\x18\xa8\xc9\x0b\x96\xbf\xba\xc4\x92\x91\x80\xa5\x22\x2f" ++ "\xba\x91\x90\x36\x01\x56\x15\x00\x2c\x74\xa2\x97\xf7\x15\xa1" ++ "\x49\xdf\x32\x35\xd2\xdd\x0c\x91\xa6\xf8\xe7\xbe\x81\x36\x9b" ++ "\x03\xdc\x6b\x3b\xd8\x5d\x79\x57\xe0\xe6\x4f\x49\xdf\x4c\x5c" ++ "\x0e\xe5\x21\x41\x95\xfd\xad\xff\x9a\x3e\xa0\xf9\x0f\x59\x9e" ++ "\x6a\xa7\x7b\x71\xa7\x24\x9a\x36\x52\xae\x97\x20\xc1\x5e\x78" ++ "\xd9\x47\x8b\x1e\x67\xf2\xaf\x98\xe6\x2d\xef\x10\xd7\xf1\xab" ++ "\x49\xee\xe5\x4b\x7e\xae\x1f\x1d\x61"; + + static const unsigned char iqmp[] = +- "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23" +- "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11" +- "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E" +- "\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39" +- "\xF7"; ++ "\x23\x96\xc1\x91\x17\x5e\x0a\x83\xd2\xdc\x7b\x69\xb2\x59\x1d" ++ "\x33\x58\x52\x3f\x18\xc7\x09\x50\x1c\xb9\xa1\xbb\x4c\xa2\x38" ++ "\x40\x4c\x9a\x8e\xfe\x9c\x90\x92\xd0\x71\x9f\x89\x99\x50\x91" ++ "\x1f\x34\x8b\x74\x53\x11\x11\x4a\x70\xe2\xf7\x30\xd8\x8c\x80" ++ "\xe1\xcc\x9f\xf1\x63\x17\x1a\x7d\x67\x29\x4c\xcb\x4e\x74\x7b" ++ "\xe0\x3e\x9e\x2f\xf4\x67\x8f\xec\xb9\x5c\x00\x1e\x7e\xa2\x7b" ++ "\x92\xc9\x6f\x4c\xe4\x0e\xf9\x48\x63\xcd\x50\x22\x5d\xbf\xb6" ++ "\x9d\x01\x33\x6a\xf4\x50\xbe\x86\x98\x4f\xca\x3f\x3a\xfa\xcf" ++ "\x07\x40\xc4\xaa\xad\xae\xbe\xbf"; + + key->n = BN_bin2bn(n, sizeof(n) - 1, key->n); + if (corrupt_rsa) +- BN_set_bit(key->n, 1024); ++ BN_set_bit(key->n, 2048); + key->e = BN_bin2bn(e, sizeof(e) - 1, key->e); + key->d = BN_bin2bn(d, sizeof(d) - 1, key->d); + key->p = BN_bin2bn(p, sizeof(p) - 1, key->p); +@@ -145,200 +184,292 @@ static const unsigned char kat_tbs[] = + "OpenSSL FIPS 140-2 Public Key RSA KAT"; + + static const unsigned char kat_RSA_PSS_SHA1[] = { +- 0x2D, 0xAF, 0x6E, 0xC2, 0x98, 0xFB, 0x8A, 0xA1, 0xB9, 0x46, 0xDA, 0x0F, +- 0x01, 0x1E, 0x37, 0x93, 0xC2, 0x55, 0x27, 0xE4, 0x1D, 0xD2, 0x90, 0xBB, +- 0xF4, 0xBF, 0x4A, 0x74, 0x39, 0x51, 0xBB, 0xE8, 0x0C, 0xB7, 0xF8, 0xD3, +- 0xD1, 0xDF, 0xE7, 0xBE, 0x80, 0x05, 0xC3, 0xB5, 0xC7, 0x83, 0xD5, 0x4C, +- 0x7F, 0x49, 0xFB, 0x3F, 0x29, 0x9B, 0xE1, 0x12, 0x51, 0x60, 0xD0, 0xA7, +- 0x0D, 0xA9, 0x28, 0x56, 0x73, 0xD9, 0x07, 0xE3, 0x5E, 0x3F, 0x9B, 0xF5, +- 0xB6, 0xF3, 0xF2, 0x5E, 0x74, 0xC9, 0x83, 0x81, 0x47, 0xF0, 0xC5, 0x45, +- 0x0A, 0xE9, 0x8E, 0x38, 0xD7, 0x18, 0xC6, 0x2A, 0x0F, 0xF8, 0xB7, 0x31, +- 0xD6, 0x55, 0xE4, 0x66, 0x78, 0x81, 0xD4, 0xE6, 0xDB, 0x9F, 0xBA, 0xE8, +- 0x23, 0xB5, 0x7F, 0xDC, 0x08, 0xEA, 0xD5, 0x26, 0x1E, 0x20, 0x25, 0x84, +- 0x26, 0xC6, 0x79, 0xC9, 0x9B, 0x3D, 0x7E, 0xA9 ++ 0xC2, 0x80, 0x82, 0x56, 0xD8, 0xA7, 0xB2, 0x9C, 0xF5, 0xD6, 0x3C, 0xE3, ++ 0xBF, 0xE9, 0x3A, 0x53, 0x40, 0xAE, 0xF2, 0xA9, 0x6A, 0x39, 0x49, 0x5B, ++ 0x05, 0x7F, 0x67, 0x38, 0x2E, 0x1D, 0xE1, 0x93, 0x22, 0x65, 0x79, 0x84, ++ 0x68, 0xFA, 0xD8, 0xAF, 0xA1, 0x98, 0x61, 0x6F, 0x44, 0x27, 0xA6, 0x8B, ++ 0xCF, 0x0E, 0x13, 0xA9, 0xCE, 0xD7, 0x6C, 0xD2, 0x38, 0xB5, 0x16, 0xB9, ++ 0x66, 0x94, 0x48, 0xDE, 0x9E, 0x19, 0x3D, 0x6F, 0xB3, 0xA1, 0x9A, 0x19, ++ 0xDF, 0xFB, 0xAB, 0xA5, 0x9F, 0x38, 0xDA, 0xC9, 0x21, 0x8F, 0xCE, 0x98, ++ 0x01, 0x3A, 0xC8, 0xE0, 0xDF, 0xDA, 0xFC, 0xF0, 0xA6, 0x86, 0x29, 0xB5, ++ 0x7F, 0x61, 0xFB, 0xBA, 0xC5, 0x49, 0xB2, 0x7C, 0x6A, 0x26, 0x82, 0xC4, ++ 0x8F, 0xAA, 0x5B, 0x10, 0xD5, 0xEE, 0xA0, 0x55, 0x42, 0xEF, 0x32, 0x5A, ++ 0x3F, 0x55, 0xB3, 0x2C, 0x22, 0xE9, 0x65, 0xDA, 0x8D, 0x0A, 0xB9, 0x70, ++ 0x43, 0xCC, 0x3F, 0x64, 0x9C, 0xB5, 0x65, 0x49, 0xBD, 0x7F, 0x35, 0xC1, ++ 0x20, 0x85, 0x24, 0xFE, 0xAA, 0x6B, 0x37, 0x04, 0xA1, 0x0E, 0x9D, 0x5C, ++ 0xBA, 0x7F, 0x14, 0x69, 0xC5, 0x93, 0xB2, 0x33, 0xC2, 0xC0, 0xC7, 0xDF, ++ 0x7E, 0x9E, 0xA4, 0xB0, 0xA0, 0x64, 0xD2, 0xAC, 0xFC, 0xFD, 0xFD, 0x99, ++ 0x8F, 0x6A, 0x40, 0x26, 0xC1, 0x2E, 0x4E, 0x8B, 0x33, 0xBE, 0xF1, 0x45, ++ 0x59, 0x8F, 0x33, 0x40, 0x1D, 0x2A, 0xD2, 0xF7, 0x50, 0x83, 0x89, 0xCF, ++ 0x94, 0xC6, 0xF8, 0x36, 0xF0, 0x84, 0x0B, 0x85, 0xA5, 0x02, 0xA9, 0x0F, ++ 0x41, 0x7A, 0x77, 0xA3, 0x2F, 0x47, 0x1E, 0x1D, 0xEC, 0xE6, 0xD3, 0x01, ++ 0x1E, 0x6F, 0x7A, 0x96, 0x50, 0x37, 0x37, 0x4B, 0x27, 0x52, 0x0B, 0xDC, ++ 0xDB, 0xC7, 0xA9, 0x31, 0xB2, 0x40, 0xEE, 0x60, 0x41, 0x26, 0x6A, 0x05, ++ 0xCE, 0x08, 0x1D, 0x89 + }; + + static const unsigned char kat_RSA_PSS_SHA224[] = { +- 0x39, 0x4A, 0x6A, 0x20, 0xBC, 0xE9, 0x33, 0xED, 0xEF, 0xC5, 0x58, 0xA7, +- 0xFE, 0x81, 0xC4, 0x36, 0x50, 0x9A, 0x2C, 0x82, 0x98, 0x08, 0x95, 0xFA, +- 0xB1, 0x9E, 0xD2, 0x55, 0x61, 0x87, 0x21, 0x59, 0x87, 0x7B, 0x1F, 0x57, +- 0x30, 0x9D, 0x0D, 0x4A, 0x06, 0xEB, 0x52, 0x37, 0x55, 0x54, 0x1C, 0x89, +- 0x83, 0x75, 0x59, 0x65, 0x64, 0x90, 0x2E, 0x16, 0xCC, 0x86, 0x05, 0xEE, +- 0xB1, 0xE6, 0x7B, 0xBA, 0x16, 0x75, 0x0D, 0x0C, 0x64, 0x0B, 0xAB, 0x22, +- 0x15, 0x78, 0x6B, 0x6F, 0xA4, 0xFB, 0x77, 0x40, 0x64, 0x62, 0xD1, 0xB5, +- 0x37, 0x1E, 0xE0, 0x3D, 0xA8, 0xF9, 0xD2, 0xBD, 0xAA, 0x38, 0x24, 0x49, +- 0x58, 0xD2, 0x74, 0x85, 0xF4, 0xB5, 0x93, 0x8E, 0xF5, 0x03, 0xEA, 0x2D, +- 0xC8, 0x52, 0xFA, 0xCF, 0x7E, 0x35, 0xB0, 0x6A, 0xAF, 0x95, 0xC0, 0x00, +- 0x54, 0x76, 0x3D, 0x0C, 0x9C, 0xB2, 0xEE, 0xC0 ++ 0xB4, 0x01, 0x93, 0x16, 0x05, 0xF6, 0xEB, 0xE2, 0xA4, 0xEB, 0x48, 0xAA, ++ 0x00, 0xF4, 0xA1, 0x99, 0x0A, 0xB4, 0xB6, 0x63, 0xE9, 0x68, 0xCA, 0xB3, ++ 0x13, 0xD7, 0x66, 0x6A, 0xCD, 0xCB, 0x33, 0x9F, 0xE5, 0x84, 0xE2, 0xC3, ++ 0x0B, 0x53, 0xE5, 0x8B, 0x96, 0x4B, 0xDB, 0x2D, 0x80, 0xA4, 0x1D, 0xE3, ++ 0x81, 0xDC, 0x52, 0x99, 0xBA, 0x9B, 0x6A, 0x9D, 0x48, 0x1F, 0x73, 0xF7, ++ 0xAC, 0x09, 0x13, 0xA1, 0x16, 0x2C, 0x60, 0xFB, 0xBC, 0x25, 0xF7, 0x53, ++ 0xD1, 0x04, 0x5A, 0x3F, 0x95, 0x09, 0x5E, 0xE5, 0xA2, 0x7D, 0xFC, 0x2A, ++ 0x51, 0x1D, 0x21, 0xCE, 0x2B, 0x4E, 0x1B, 0xB8, 0xCB, 0xDD, 0x24, 0xEE, ++ 0x99, 0x1D, 0x37, 0xDC, 0xED, 0x5F, 0x2F, 0x48, 0x5E, 0x33, 0x94, 0x06, ++ 0x19, 0xCD, 0x5A, 0x26, 0x85, 0x77, 0x9D, 0xAF, 0x86, 0x97, 0xC9, 0x08, ++ 0xD5, 0x81, 0x0E, 0xB8, 0x9F, 0xB6, 0xAF, 0x20, 0x72, 0xDC, 0x13, 0x4D, ++ 0x7A, 0xE4, 0x5C, 0x81, 0xDE, 0xC0, 0x3D, 0x19, 0x9C, 0x33, 0x11, 0x07, ++ 0xD5, 0xA9, 0x51, 0x67, 0xCD, 0xFD, 0x37, 0x61, 0x14, 0x9F, 0xE7, 0x70, ++ 0x18, 0x32, 0xC3, 0x34, 0x54, 0x0D, 0x4F, 0xB4, 0xAE, 0x9F, 0xEC, 0x64, ++ 0xD8, 0xB2, 0x16, 0xA4, 0xB2, 0x99, 0x92, 0xCB, 0x7F, 0x1F, 0x06, 0x17, ++ 0x5F, 0xA1, 0x07, 0x68, 0xAE, 0xA7, 0x2D, 0x03, 0x91, 0x2A, 0x9D, 0x69, ++ 0xC2, 0x9D, 0x90, 0xF7, 0xF9, 0x66, 0x5D, 0x13, 0xB7, 0x7F, 0xD3, 0x97, ++ 0x45, 0x97, 0x43, 0xD8, 0xCE, 0x3C, 0xF2, 0x98, 0x98, 0xDD, 0xE2, 0x2D, ++ 0xCF, 0xA1, 0xC4, 0x25, 0x46, 0x2E, 0xD2, 0xE5, 0x5F, 0xC6, 0x01, 0xC5, ++ 0x4F, 0x42, 0x2B, 0xDE, 0x0F, 0xEA, 0x4A, 0x4F, 0xC3, 0x5B, 0xDF, 0x9B, ++ 0x5D, 0x30, 0x18, 0x93, 0xD0, 0xDE, 0xC5, 0x09, 0xAA, 0x57, 0x57, 0xBD, ++ 0x2D, 0x84, 0x03, 0xB7 + }; + + static const unsigned char kat_RSA_PSS_SHA256[] = { +- 0x6D, 0x3D, 0xBE, 0x8F, 0x60, 0x6D, 0x25, 0x14, 0xF0, 0x31, 0xE3, 0x89, +- 0x00, 0x97, 0xFA, 0x99, 0x71, 0x28, 0xE5, 0x10, 0x25, 0x9A, 0xF3, 0x8F, +- 0x7B, 0xC5, 0xA8, 0x4A, 0x74, 0x51, 0x36, 0xE2, 0x8D, 0x7D, 0x73, 0x28, +- 0xC1, 0x77, 0xC6, 0x27, 0x97, 0x00, 0x8B, 0x00, 0xA3, 0x96, 0x73, 0x4E, +- 0x7D, 0x2E, 0x2C, 0x34, 0x68, 0x8C, 0x8E, 0xDF, 0x9D, 0x49, 0x47, 0x05, +- 0xAB, 0xF5, 0x01, 0xD6, 0x81, 0x47, 0x70, 0xF5, 0x1D, 0x6D, 0x26, 0xBA, +- 0x2F, 0x7A, 0x54, 0x53, 0x4E, 0xED, 0x71, 0xD9, 0x5A, 0xF3, 0xDA, 0xB6, +- 0x0B, 0x47, 0x34, 0xAF, 0x90, 0xDC, 0xC8, 0xD9, 0x6F, 0x56, 0xCD, 0x9F, +- 0x21, 0xB7, 0x7E, 0xAD, 0x7C, 0x2F, 0x75, 0x50, 0x47, 0x12, 0xE4, 0x6D, +- 0x5F, 0xB7, 0x01, 0xDF, 0xC3, 0x11, 0x6C, 0xA9, 0x9E, 0x49, 0xB9, 0xF6, +- 0x72, 0xF4, 0xF6, 0xEF, 0x88, 0x1E, 0x2D, 0x1C ++ 0x38, 0xDA, 0x99, 0x51, 0x26, 0x38, 0xC6, 0x7F, 0xC4, 0x81, 0x57, 0x19, ++ 0x35, 0xC6, 0xF6, 0x1E, 0x90, 0x47, 0x20, 0x55, 0x47, 0x56, 0x26, 0xE9, ++ 0xF2, 0xA8, 0x39, 0x6C, 0xD5, 0xCD, 0xCB, 0x55, 0xFC, 0x0C, 0xC5, 0xCB, ++ 0xF7, 0x40, 0x17, 0x3B, 0xCF, 0xE4, 0x05, 0x03, 0x3B, 0xA0, 0xB2, 0xC9, ++ 0x0D, 0x5E, 0x48, 0x3A, 0xE9, 0xAD, 0x28, 0x71, 0x7D, 0x8F, 0x89, 0x16, ++ 0x59, 0x93, 0x35, 0xDC, 0x4D, 0x7B, 0xDF, 0x84, 0xE4, 0x68, 0xAA, 0x33, ++ 0xAA, 0xDC, 0x66, 0x50, 0xC8, 0xA9, 0x32, 0x12, 0xDC, 0xC6, 0x90, 0x49, ++ 0x0B, 0x75, 0xFF, 0x9B, 0x95, 0x00, 0x9A, 0x90, 0xE0, 0xD4, 0x0E, 0x67, ++ 0xAB, 0x3C, 0x47, 0x36, 0xC5, 0x2E, 0x1C, 0x46, 0xF0, 0x2D, 0xD3, 0x8B, ++ 0x42, 0x08, 0xDE, 0x0D, 0xB6, 0x2C, 0x86, 0xB0, 0x35, 0x71, 0x18, 0x6B, ++ 0x89, 0x67, 0xC0, 0x05, 0xAD, 0xF4, 0x1D, 0x62, 0x4E, 0x75, 0xEC, 0xD6, ++ 0xC2, 0xDB, 0x07, 0xB0, 0xB6, 0x8D, 0x15, 0xAD, 0xCD, 0xBF, 0xF5, 0x60, ++ 0x76, 0xAE, 0x48, 0xB8, 0x77, 0x7F, 0xC5, 0x01, 0xD9, 0x29, 0xBB, 0xD6, ++ 0x17, 0xA2, 0x20, 0x5A, 0xC0, 0x4A, 0x3B, 0x34, 0xC8, 0xB9, 0x39, 0xCF, ++ 0x06, 0x89, 0x95, 0x6F, 0xC7, 0xCA, 0xC4, 0xE4, 0x43, 0xDF, 0x5A, 0x23, ++ 0xE2, 0x89, 0xA3, 0x38, 0x78, 0x31, 0x38, 0xC6, 0xA4, 0x6F, 0x5F, 0x73, ++ 0x5A, 0xE5, 0x9E, 0x09, 0xE7, 0x6F, 0xD4, 0xF8, 0x3E, 0xB7, 0xB0, 0x56, ++ 0x9A, 0xF3, 0x65, 0xF0, 0xC2, 0xA6, 0x8A, 0x08, 0xBA, 0x44, 0xAC, 0x97, ++ 0xDE, 0xB4, 0x16, 0x83, 0xDF, 0xE3, 0xEE, 0x71, 0xFA, 0xF9, 0x51, 0x50, ++ 0x14, 0xDC, 0xFD, 0x6A, 0x82, 0x20, 0x68, 0x64, 0x7D, 0x4E, 0x82, 0x68, ++ 0xD7, 0x45, 0xFA, 0x6A, 0xE4, 0xE5, 0x29, 0x3A, 0x70, 0xFB, 0xE4, 0x62, ++ 0x2B, 0x31, 0xB9, 0x7D + }; + + static const unsigned char kat_RSA_PSS_SHA384[] = { +- 0x40, 0xFB, 0xA1, 0x21, 0xF4, 0xB2, 0x40, 0x9A, 0xB4, 0x31, 0xA8, 0xF2, +- 0xEC, 0x1C, 0xC4, 0xC8, 0x7C, 0x22, 0x65, 0x9C, 0x57, 0x45, 0xCD, 0x5E, +- 0x86, 0x00, 0xF7, 0x25, 0x78, 0xDE, 0xDC, 0x7A, 0x71, 0x44, 0x9A, 0xCD, +- 0xAA, 0x25, 0xF4, 0xB2, 0xFC, 0xF0, 0x75, 0xD9, 0x2F, 0x78, 0x23, 0x7F, +- 0x6F, 0x02, 0xEF, 0xC1, 0xAF, 0xA6, 0x28, 0x16, 0x31, 0xDC, 0x42, 0x6C, +- 0xB2, 0x44, 0xE5, 0x4D, 0x66, 0xA2, 0xE6, 0x71, 0xF3, 0xAC, 0x4F, 0xFB, +- 0x91, 0xCA, 0xF5, 0x70, 0xEF, 0x6B, 0x9D, 0xA4, 0xEF, 0xD9, 0x3D, 0x2F, +- 0x3A, 0xBE, 0x89, 0x38, 0x59, 0x01, 0xBA, 0xDA, 0x32, 0xAD, 0x42, 0x89, +- 0x98, 0x8B, 0x39, 0x44, 0xF0, 0xFC, 0x38, 0xAC, 0x87, 0x1F, 0xCA, 0x6F, +- 0x48, 0xF6, 0xAE, 0xD7, 0x45, 0xEE, 0xAE, 0x88, 0x0E, 0x60, 0xF4, 0x55, +- 0x48, 0x44, 0xEE, 0x1F, 0x90, 0x18, 0x4B, 0xF1 ++ 0x99, 0x02, 0xC9, 0x1E, 0x31, 0x82, 0xB4, 0xE6, 0x1B, 0x32, 0xCE, 0x5D, ++ 0x41, 0x1D, 0x00, 0x2F, 0x04, 0x8B, 0xBD, 0x37, 0x79, 0xCF, 0x77, 0x03, ++ 0x05, 0x6A, 0x21, 0xC7, 0x8D, 0x24, 0x60, 0x49, 0x39, 0x58, 0xC5, 0x27, ++ 0x8F, 0xC5, 0x97, 0x4A, 0xB2, 0xE1, 0xD4, 0x36, 0x57, 0xBD, 0x43, 0xCC, ++ 0x7B, 0xCE, 0xF2, 0xA5, 0x30, 0xF8, 0x72, 0x14, 0xBB, 0xD0, 0x9F, 0xC1, ++ 0x49, 0xC8, 0x1C, 0xAF, 0xCD, 0x95, 0x78, 0x72, 0x25, 0xF9, 0x45, 0xC6, ++ 0x5B, 0x62, 0x5E, 0x01, 0xD7, 0x40, 0x5E, 0xC8, 0xCA, 0x0A, 0xF3, 0xBA, ++ 0x08, 0x07, 0x88, 0xCA, 0x49, 0x36, 0x84, 0x7D, 0xF6, 0xFC, 0x5A, 0xDB, ++ 0xFC, 0x50, 0xD3, 0xEB, 0x3D, 0x83, 0xB0, 0xF5, 0x94, 0x5E, 0x88, 0xC3, ++ 0x82, 0xCD, 0x53, 0x40, 0x96, 0x18, 0x6B, 0x4A, 0x6C, 0x9C, 0xFE, 0xE5, ++ 0x3B, 0x75, 0xF9, 0xEB, 0xA5, 0x77, 0x11, 0xEF, 0x88, 0x1C, 0x25, 0x70, ++ 0x7D, 0x88, 0x5D, 0xC3, 0xCA, 0xE1, 0x49, 0x14, 0x90, 0xAD, 0xF2, 0x5E, ++ 0x49, 0xD7, 0x99, 0xA5, 0x7B, 0x77, 0x3B, 0x8E, 0xB8, 0xDB, 0xF1, 0x4C, ++ 0xD6, 0x9A, 0xDC, 0xE5, 0x7A, 0x1C, 0xE1, 0xCE, 0x9D, 0xF1, 0xF3, 0xA0, ++ 0x0A, 0x35, 0x52, 0x9D, 0xB9, 0x46, 0x94, 0x82, 0x0F, 0xF7, 0xB2, 0x62, ++ 0x51, 0x70, 0x75, 0xD2, 0x37, 0x96, 0x67, 0x2F, 0xD0, 0x22, 0xD8, 0x07, ++ 0x8D, 0x69, 0x9E, 0x6D, 0x0B, 0x40, 0x4F, 0x70, 0xEC, 0x0B, 0xCA, 0x88, ++ 0x80, 0x8D, 0x9A, 0xF4, 0xF9, 0x18, 0x50, 0x27, 0x08, 0xFA, 0xCC, 0xC7, ++ 0x3F, 0xE4, 0x84, 0x83, 0xA1, 0xB6, 0x1D, 0x23, 0x34, 0xFE, 0x48, 0xE5, ++ 0xE3, 0xAE, 0x4D, 0x98, 0xBC, 0xA6, 0x8A, 0x9F, 0xFD, 0x4D, 0xDB, 0x9D, ++ 0xF7, 0xEB, 0x4E, 0xB6, 0x6F, 0x25, 0xEA, 0x7A, 0xE9, 0x85, 0xB2, 0xEF, ++ 0x90, 0xD2, 0xA6, 0x2B + }; + + static const unsigned char kat_RSA_PSS_SHA512[] = { +- 0x07, 0x1E, 0xD8, 0xD5, 0x05, 0xE8, 0xE6, 0xE6, 0x57, 0xAE, 0x63, 0x8C, +- 0xC6, 0x83, 0xB7, 0xA0, 0x59, 0xBB, 0xF2, 0xC6, 0x8F, 0x12, 0x53, 0x9A, +- 0x9B, 0x54, 0x9E, 0xB3, 0xC1, 0x1D, 0x23, 0x4D, 0x51, 0xED, 0x9E, 0xDD, +- 0x4B, 0xF3, 0x46, 0x9B, 0x6B, 0xF6, 0x7C, 0x24, 0x60, 0x79, 0x23, 0x39, +- 0x01, 0x1C, 0x51, 0xCB, 0xD8, 0xE9, 0x9A, 0x01, 0x67, 0x5F, 0xFE, 0xD7, +- 0x7C, 0xE3, 0x7F, 0xED, 0xDB, 0x87, 0xBB, 0xF0, 0x3D, 0x78, 0x55, 0x61, +- 0x57, 0xE3, 0x0F, 0xE3, 0xD2, 0x9D, 0x0C, 0x2A, 0x20, 0xB0, 0x85, 0x13, +- 0xC5, 0x47, 0x34, 0x0D, 0x32, 0x15, 0xC8, 0xAE, 0x9A, 0x6A, 0x39, 0x63, +- 0x2D, 0x60, 0xF5, 0x4C, 0xDF, 0x8A, 0x48, 0x4B, 0xBF, 0xF4, 0xA8, 0xFE, +- 0x76, 0xF2, 0x32, 0x1B, 0x9C, 0x7C, 0xCA, 0xFE, 0x7F, 0x80, 0xC2, 0x88, +- 0x5C, 0x97, 0x70, 0xB4, 0x26, 0xC9, 0x14, 0x8B ++ 0x3F, 0x83, 0x43, 0x78, 0x25, 0xBE, 0x81, 0xB2, 0x6E, 0x78, 0x11, 0x32, ++ 0xD0, 0x88, 0x05, 0x53, 0x95, 0xED, 0x81, 0x12, 0xCE, 0x50, 0xD9, 0x06, ++ 0x42, 0x89, 0xA0, 0x55, 0x7A, 0x05, 0x13, 0x94, 0x35, 0x9B, 0xCA, 0x5D, ++ 0xCB, 0xB2, 0x32, 0xE1, 0x04, 0x99, 0xEC, 0xE7, 0xA6, 0x69, 0x4D, 0x2B, ++ 0xC1, 0x57, 0x13, 0x48, 0x0D, 0x6B, 0x4D, 0x83, 0x28, 0x06, 0x79, 0x9D, ++ 0xB4, 0x70, 0xCE, 0xC0, 0xFC, 0x3B, 0x69, 0xB3, 0x91, 0x54, 0xA9, 0x44, ++ 0x2E, 0xDA, 0x4A, 0xC5, 0xC2, 0x99, 0xF0, 0xDE, 0xCA, 0x77, 0x99, 0x6B, ++ 0x0C, 0x79, 0xE5, 0x29, 0x74, 0x83, 0x69, 0xEA, 0xB8, 0x72, 0x30, 0x3D, ++ 0x7A, 0x30, 0xE1, 0x03, 0x7B, 0x09, 0xE6, 0x11, 0xC0, 0xDC, 0xFF, 0xFD, ++ 0xBD, 0xEC, 0x9C, 0xCC, 0x46, 0x7B, 0x4C, 0x4C, 0x59, 0xBE, 0x82, 0x7C, ++ 0xF5, 0x60, 0x5A, 0xC3, 0xE8, 0xA8, 0x8A, 0x38, 0x9E, 0x01, 0x57, 0xF1, ++ 0x79, 0x3A, 0x7C, 0xA3, 0x9F, 0x12, 0x1A, 0x4F, 0x2E, 0xA2, 0xE5, 0x0A, ++ 0xAB, 0xC0, 0xF4, 0xA5, 0xE3, 0x5F, 0x89, 0x1C, 0x8F, 0xA4, 0x5E, 0xCE, ++ 0x0D, 0x91, 0x05, 0x1B, 0x17, 0x62, 0x48, 0xFE, 0xA5, 0x4C, 0xEF, 0x2D, ++ 0x28, 0xF1, 0x5E, 0xE6, 0xD1, 0x30, 0x89, 0x0A, 0xAD, 0x18, 0xAF, 0x6F, ++ 0x04, 0x09, 0x36, 0x9A, 0xFF, 0xCA, 0xA1, 0xA7, 0x05, 0x7F, 0xD4, 0xBF, ++ 0x3A, 0xB5, 0x42, 0x6D, 0xE9, 0x07, 0x29, 0x65, 0x8B, 0xAD, 0x4D, 0x0F, ++ 0x22, 0xE1, 0x59, 0x43, 0x68, 0x87, 0xA8, 0x8B, 0xBC, 0x69, 0xA1, 0x94, ++ 0x22, 0x3E, 0x8A, 0x49, 0xE8, 0xA3, 0x6F, 0xC2, 0x93, 0x58, 0xE7, 0xAE, ++ 0xC9, 0x1F, 0xCF, 0x61, 0x93, 0xFC, 0xC1, 0xF6, 0xF3, 0x27, 0x7F, 0x0A, ++ 0x90, 0xE0, 0x65, 0x32, 0x57, 0x47, 0xE2, 0xED, 0x08, 0x59, 0xA6, 0xF0, ++ 0x17, 0x2C, 0x13, 0xE0 + }; + + static const unsigned char kat_RSA_SHA1[] = { +- 0x71, 0xEE, 0x1A, 0xC0, 0xFE, 0x01, 0x93, 0x54, 0x79, 0x5C, 0xF2, 0x4C, +- 0x4A, 0xFD, 0x1A, 0x05, 0x8F, 0x64, 0xB1, 0x6D, 0x61, 0x33, 0x8D, 0x9B, +- 0xE7, 0xFD, 0x60, 0xA3, 0x83, 0xB5, 0xA3, 0x51, 0x55, 0x77, 0x90, 0xCF, +- 0xDC, 0x22, 0x37, 0x8E, 0xD0, 0xE1, 0xAE, 0x09, 0xE3, 0x3D, 0x1E, 0xF8, +- 0x80, 0xD1, 0x8B, 0xC2, 0xEC, 0x0A, 0xD7, 0x6B, 0x88, 0x8B, 0x8B, 0xA1, +- 0x20, 0x22, 0xBE, 0x59, 0x5B, 0xE0, 0x23, 0x24, 0xA1, 0x49, 0x30, 0xBA, +- 0xA9, 0x9E, 0xE8, 0xB1, 0x8A, 0x62, 0x16, 0xBF, 0x4E, 0xCA, 0x2E, 0x4E, +- 0xBC, 0x29, 0xA8, 0x67, 0x13, 0xB7, 0x9F, 0x1D, 0x04, 0x44, 0xE5, 0x5F, +- 0x35, 0x07, 0x11, 0xBC, 0xED, 0x19, 0x37, 0x21, 0xCF, 0x23, 0x48, 0x1F, +- 0x72, 0x05, 0xDE, 0xE6, 0xE8, 0x7F, 0x33, 0x8A, 0x76, 0x4B, 0x2F, 0x95, +- 0xDF, 0xF1, 0x5F, 0x84, 0x80, 0xD9, 0x46, 0xB4 ++ 0x3B, 0x60, 0x4B, 0xFC, 0x54, 0x28, 0x23, 0xE6, 0x2F, 0x05, 0x04, 0xBA, ++ 0x9D, 0xE4, 0x3C, 0xB8, 0x5B, 0x60, 0x5C, 0xCD, 0x9D, 0xEA, 0xC3, 0x4C, ++ 0xC2, 0x33, 0xE6, 0xC6, 0x21, 0x48, 0x76, 0xEC, 0xB2, 0xF5, 0x11, 0xDE, ++ 0x44, 0xB4, 0xAF, 0x16, 0x11, 0xC3, 0x18, 0x16, 0xB3, 0x69, 0xBB, 0x94, ++ 0xED, 0xE8, 0xB3, 0x9E, 0xB1, 0x43, 0x8E, 0xCE, 0xB4, 0x34, 0x9B, 0x08, ++ 0x22, 0xAF, 0x31, 0x73, 0xB5, 0xFA, 0x11, 0x7E, 0x8F, 0x13, 0x52, 0xEC, ++ 0xC9, 0x03, 0xEE, 0x0D, 0x2B, 0x91, 0x32, 0xF2, 0x8E, 0xDF, 0x02, 0xE0, ++ 0x0A, 0x47, 0xD2, 0x0A, 0x51, 0x00, 0x1A, 0x30, 0x6F, 0x0C, 0xB3, 0x54, ++ 0x64, 0x20, 0x90, 0x0C, 0x01, 0xBE, 0xC0, 0x42, 0x8C, 0x5D, 0x18, 0x6F, ++ 0x32, 0x75, 0x45, 0x7B, 0x1C, 0x04, 0xA2, 0x9F, 0x84, 0xD7, 0xF5, 0x3A, ++ 0x95, 0xD4, 0xE8, 0x8D, 0xEC, 0x99, 0xEF, 0x18, 0x5E, 0x64, 0xD3, 0xAF, ++ 0xF8, 0xD4, 0xFF, 0x3C, 0x87, 0xA0, 0x3F, 0xC7, 0x22, 0x05, 0xFD, 0xFD, ++ 0x29, 0x8A, 0x28, 0xDA, 0xA9, 0x8A, 0x8B, 0x23, 0x62, 0x9D, 0x42, 0xB8, ++ 0x4A, 0x76, 0x0D, 0x9F, 0x9A, 0xE0, 0xE6, 0xDD, 0xAD, 0x5E, 0x5F, 0xD5, ++ 0x32, 0xE9, 0x4B, 0x97, 0x7D, 0x62, 0x0A, 0xB3, 0xBE, 0xF2, 0x8C, 0x1F, ++ 0x2B, 0x22, 0x06, 0x15, 0x33, 0x71, 0xED, 0x9B, 0xA0, 0x82, 0xCE, 0xBF, ++ 0x3B, 0x08, 0x5F, 0xA7, 0x20, 0x94, 0x09, 0xEB, 0x82, 0xA5, 0x41, 0x60, ++ 0xF1, 0x08, 0xEB, 0x8D, 0xCC, 0x8D, 0xC9, 0x52, 0x0A, 0xAF, 0xF4, 0xF9, ++ 0x9F, 0x82, 0xD8, 0x0B, 0x75, 0x5E, 0xE4, 0xAF, 0x65, 0x96, 0xAF, 0xFC, ++ 0x33, 0xBF, 0x9F, 0x3E, 0xA4, 0x7B, 0x86, 0xC7, 0xF7, 0x47, 0xAB, 0x37, ++ 0x05, 0xD6, 0x0D, 0x31, 0x72, 0x8C, 0x80, 0x1E, 0xA9, 0x54, 0xFC, 0xDF, ++ 0x27, 0x90, 0xE2, 0x01 + }; + + static const unsigned char kat_RSA_SHA224[] = { +- 0x62, 0xAA, 0x79, 0xA9, 0x18, 0x0E, 0x5F, 0x8C, 0xBB, 0xB7, 0x15, 0xF9, +- 0x25, 0xBB, 0xFA, 0xD4, 0x3A, 0x34, 0xED, 0x9E, 0xA0, 0xA9, 0x18, 0x8D, +- 0x5B, 0x55, 0x9A, 0x7E, 0x1E, 0x08, 0x08, 0x60, 0xC5, 0x1A, 0xC5, 0x89, +- 0x08, 0xE2, 0x1B, 0xBD, 0x62, 0x50, 0x17, 0x76, 0x30, 0x2C, 0x9E, 0xCD, +- 0xA4, 0x02, 0xAD, 0xB1, 0x6D, 0x44, 0x6D, 0xD5, 0xC6, 0x45, 0x41, 0xE5, +- 0xEE, 0x1F, 0x8D, 0x7E, 0x08, 0x16, 0xA6, 0xE1, 0x5E, 0x0B, 0xA9, 0xCC, +- 0xDB, 0x59, 0x55, 0x87, 0x09, 0x25, 0x70, 0x86, 0x84, 0x02, 0xC6, 0x3B, +- 0x0B, 0x44, 0x4C, 0x46, 0x95, 0xF4, 0xF8, 0x5A, 0x91, 0x28, 0x3E, 0xB2, +- 0x58, 0x2E, 0x06, 0x45, 0x49, 0xE0, 0x92, 0xE2, 0xC0, 0x66, 0xE6, 0x35, +- 0xD9, 0x79, 0x7F, 0x17, 0x5E, 0x02, 0x73, 0x04, 0x77, 0x82, 0xE6, 0xDC, +- 0x40, 0x21, 0x89, 0x8B, 0x37, 0x3E, 0x1E, 0x8D ++ 0xA2, 0xD8, 0x42, 0x53, 0xDD, 0xBF, 0x1F, 0x6B, 0x07, 0xE0, 0x60, 0x86, ++ 0x5A, 0x60, 0x06, 0x8F, 0x44, 0xD9, 0xB0, 0x4A, 0xAA, 0x90, 0x71, 0xB8, ++ 0xB2, 0xBC, 0x30, 0x41, 0x50, 0xBB, 0xFD, 0x46, 0x98, 0x4D, 0xC0, 0x89, ++ 0x57, 0x85, 0x8A, 0x97, 0x49, 0x25, 0xA8, 0x0C, 0x69, 0x70, 0x19, 0x39, ++ 0x66, 0x24, 0xB4, 0x69, 0x47, 0xD2, 0x7C, 0xDE, 0x2D, 0x37, 0x59, 0xB3, ++ 0xE3, 0xC7, 0x6B, 0xDD, 0xBE, 0xE1, 0xE6, 0x28, 0x9A, 0x8D, 0x42, 0x3E, ++ 0x28, 0x01, 0xD7, 0x03, 0xC9, 0x73, 0xC3, 0x6B, 0x03, 0xEC, 0x1E, 0xF8, ++ 0x53, 0x8B, 0x52, 0x42, 0x89, 0x55, 0xB7, 0x87, 0xA9, 0x94, 0xC2, 0xB4, ++ 0x4B, 0x76, 0xF5, 0x61, 0x47, 0xE1, 0x44, 0x7B, 0xEC, 0xB4, 0x25, 0x66, ++ 0xC0, 0xFF, 0xEB, 0x86, 0x24, 0xAA, 0xA8, 0x72, 0xC7, 0xFB, 0xFB, 0xF6, ++ 0x84, 0xA7, 0x5B, 0xD4, 0x87, 0xE5, 0x84, 0x56, 0x1E, 0x4C, 0xE5, 0xBC, ++ 0x87, 0x94, 0xAC, 0x9C, 0x1B, 0x3D, 0xF7, 0xD4, 0x36, 0x85, 0x9F, 0xC9, ++ 0xF6, 0x43, 0x3F, 0xB6, 0x25, 0x33, 0x48, 0x0F, 0xE5, 0x7C, 0xCD, 0x53, ++ 0x48, 0xEB, 0x02, 0x11, 0xB9, 0x9E, 0xC3, 0xB4, 0xE1, 0x54, 0xD6, 0xAA, ++ 0x1A, 0x9E, 0x10, 0xE1, 0x27, 0x25, 0xF2, 0xE1, 0xAB, 0xAB, 0x6C, 0x45, ++ 0x61, 0xD5, 0xA3, 0x6C, 0xB6, 0x33, 0x52, 0xAE, 0x3D, 0xFD, 0x22, 0xFC, ++ 0x3A, 0xAB, 0x63, 0x94, 0xB5, 0x3A, 0x69, 0x11, 0xAC, 0x99, 0x4F, 0x33, ++ 0x67, 0x0A, 0x1A, 0x70, 0x1E, 0xB9, 0xE2, 0x26, 0x27, 0x68, 0xEA, 0xF5, ++ 0x97, 0x55, 0xAC, 0x83, 0x6A, 0x40, 0x3B, 0x56, 0xAE, 0x13, 0x88, 0xE8, ++ 0x98, 0x72, 0x52, 0x91, 0x7F, 0x78, 0x0A, 0x18, 0xD4, 0x44, 0x78, 0x83, ++ 0x0D, 0x44, 0x77, 0xA6, 0xF3, 0x04, 0xF1, 0x8C, 0xBC, 0x2F, 0xF9, 0x5B, ++ 0xDB, 0x70, 0x00, 0xF6 + }; + + static const unsigned char kat_RSA_SHA256[] = { +- 0x0D, 0x55, 0xE2, 0xAA, 0x81, 0xDB, 0x8E, 0x82, 0x05, 0x17, 0xA5, 0x23, +- 0xE7, 0x3B, 0x1D, 0xAF, 0xFB, 0x8C, 0xD0, 0x81, 0x20, 0x7B, 0xAA, 0x23, +- 0x92, 0x87, 0x8C, 0xD1, 0x53, 0x85, 0x16, 0xDC, 0xBE, 0xAD, 0x6F, 0x35, +- 0x98, 0x2D, 0x69, 0x84, 0xBF, 0xD9, 0x8A, 0x01, 0x17, 0x58, 0xB2, 0x6E, +- 0x2C, 0x44, 0x9B, 0x90, 0xF1, 0xFB, 0x51, 0xE8, 0x6A, 0x90, 0x2D, 0x18, +- 0x0E, 0xC0, 0x90, 0x10, 0x24, 0xA9, 0x1D, 0xB3, 0x58, 0x7A, 0x91, 0x30, +- 0xBE, 0x22, 0xC7, 0xD3, 0xEC, 0xC3, 0x09, 0x5D, 0xBF, 0xE2, 0x80, 0x3A, +- 0x7C, 0x85, 0xB4, 0xBC, 0xD1, 0xE9, 0xF0, 0x5C, 0xDE, 0x81, 0xA6, 0x38, +- 0xB8, 0x42, 0xBB, 0x86, 0xC5, 0x9D, 0xCE, 0x7C, 0x2C, 0xEE, 0xD1, 0xDA, +- 0x27, 0x48, 0x2B, 0xF5, 0xAB, 0xB9, 0xF7, 0x80, 0xD1, 0x90, 0x27, 0x90, +- 0xBD, 0x44, 0x97, 0x60, 0xCD, 0x57, 0xC0, 0x7A ++ 0xC2, 0xB1, 0x97, 0x00, 0x9A, 0xE5, 0x80, 0x6A, 0xE2, 0x51, 0x68, 0xB9, ++ 0x7A, 0x0C, 0xF2, 0xB4, 0x77, 0xED, 0x15, 0x0C, 0x4E, 0xE1, 0xDC, 0xFF, ++ 0x8E, 0xBC, 0xDE, 0xC7, 0x9A, 0x96, 0xF1, 0x47, 0x45, 0x24, 0x9D, 0x6F, ++ 0xA6, 0xF3, 0x1D, 0x0D, 0x35, 0x4C, 0x1A, 0xF3, 0x58, 0x2C, 0x6C, 0x06, ++ 0xD6, 0x22, 0x37, 0x77, 0x8C, 0x33, 0xE5, 0x07, 0x53, 0x93, 0x28, 0xCF, ++ 0x67, 0xFA, 0xC4, 0x1F, 0x1B, 0x24, 0xDB, 0x4C, 0xC5, 0x2A, 0x51, 0xA2, ++ 0x60, 0x15, 0x8C, 0x54, 0xB4, 0x30, 0xE2, 0x24, 0x47, 0x86, 0xF2, 0xF8, ++ 0x6C, 0xD6, 0x12, 0x59, 0x2C, 0x74, 0x9A, 0x37, 0xF3, 0xC4, 0xA2, 0xD5, ++ 0x4E, 0x1F, 0x77, 0xF0, 0x27, 0xCE, 0x77, 0xF8, 0x4A, 0x79, 0x03, 0xBE, ++ 0xC8, 0x06, 0x2D, 0xA7, 0xA6, 0x46, 0xF5, 0x55, 0x79, 0xD7, 0x5C, 0xC6, ++ 0x5B, 0xB1, 0x00, 0x4E, 0x7C, 0xD9, 0x11, 0x85, 0xE0, 0xB1, 0x4D, 0x2D, ++ 0x13, 0xD7, 0xAC, 0xEA, 0x64, 0xD1, 0xAC, 0x8F, 0x8D, 0x8F, 0xEA, 0x42, ++ 0x7F, 0xF9, 0xB7, 0x7D, 0x2C, 0x68, 0x49, 0x07, 0x7A, 0x74, 0xEF, 0xB4, ++ 0xC9, 0x97, 0x16, 0x5C, 0x6C, 0x6E, 0x5C, 0x09, 0x2E, 0x8E, 0x13, 0x2E, ++ 0x1A, 0x8D, 0xA6, 0x0C, 0x6E, 0x0C, 0x1C, 0x0F, 0xCC, 0xB2, 0x78, 0x8A, ++ 0x07, 0xFC, 0x5C, 0xC2, 0xF5, 0x65, 0xEC, 0xAB, 0x8B, 0x3C, 0xCA, 0x91, ++ 0x6F, 0x84, 0x7C, 0x21, 0x0E, 0xB8, 0xDA, 0x7B, 0x6C, 0xF7, 0xDF, 0xAB, ++ 0x7E, 0x15, 0xFD, 0x85, 0x0B, 0x33, 0x9B, 0x6A, 0x3A, 0xC3, 0xEF, 0x65, ++ 0x04, 0x6E, 0xB2, 0xAC, 0x98, 0xFD, 0xEB, 0x02, 0xF5, 0xC0, 0x0B, 0x5E, ++ 0xCB, 0xD4, 0x83, 0x82, 0x18, 0x1B, 0xDA, 0xB4, 0xCD, 0xE8, 0x71, 0x6B, ++ 0x1D, 0xB5, 0x4F, 0xE9, 0xD6, 0x43, 0xA0, 0x0A, 0x14, 0xA0, 0xE7, 0x5D, ++ 0x47, 0x9D, 0x18, 0xD7 + }; + + static const unsigned char kat_RSA_SHA384[] = { +- 0x1D, 0xE3, 0x6A, 0xDD, 0x27, 0x4C, 0xC0, 0xA5, 0x27, 0xEF, 0xE6, 0x1F, +- 0xD2, 0x91, 0x68, 0x59, 0x04, 0xAE, 0xBD, 0x99, 0x63, 0x56, 0x47, 0xC7, +- 0x6F, 0x22, 0x16, 0x48, 0xD0, 0xF9, 0x18, 0xA9, 0xCA, 0xFA, 0x5D, 0x5C, +- 0xA7, 0x65, 0x52, 0x8A, 0xC8, 0x44, 0x7E, 0x86, 0x5D, 0xA9, 0xA6, 0x55, +- 0x65, 0x3E, 0xD9, 0x2D, 0x02, 0x38, 0xA8, 0x79, 0x28, 0x7F, 0xB6, 0xCF, +- 0x82, 0xDD, 0x7E, 0x55, 0xE1, 0xB1, 0xBC, 0xE2, 0x19, 0x2B, 0x30, 0xC2, +- 0x1B, 0x2B, 0xB0, 0x82, 0x46, 0xAC, 0x4B, 0xD1, 0xE2, 0x7D, 0xEB, 0x8C, +- 0xFF, 0x95, 0xE9, 0x6A, 0x1C, 0x3D, 0x4D, 0xBF, 0x8F, 0x8B, 0x9C, 0xCD, +- 0xEA, 0x85, 0xEE, 0x00, 0xDC, 0x1C, 0xA7, 0xEB, 0xD0, 0x8F, 0x99, 0xF1, +- 0x16, 0x28, 0x24, 0x64, 0x04, 0x39, 0x2D, 0x58, 0x1E, 0x37, 0xDC, 0x04, +- 0xBD, 0x31, 0xA2, 0x2F, 0xB3, 0x35, 0x56, 0xBF ++ 0x11, 0x5E, 0x63, 0xFE, 0x47, 0xAA, 0x6A, 0x84, 0xEB, 0x44, 0x9A, 0x00, ++ 0x96, 0x4A, 0xED, 0xD2, 0xA7, 0x67, 0x3A, 0x64, 0x82, 0x30, 0x61, 0x2D, ++ 0xE3, 0xF5, 0x49, 0x68, 0x5E, 0x60, 0xD2, 0x4D, 0xEF, 0xF2, 0xA4, 0xB2, ++ 0x9A, 0x81, 0x1D, 0x41, 0xA5, 0x73, 0x59, 0xEB, 0xBB, 0xC4, 0x9E, 0x2B, ++ 0xEB, 0xC3, 0xDE, 0x3A, 0xEA, 0xF5, 0xAD, 0xDA, 0x87, 0x08, 0x68, 0xCF, ++ 0x12, 0x9B, 0xC1, 0xE4, 0xA7, 0x71, 0xF8, 0xBD, 0x6B, 0x6F, 0x50, 0xF1, ++ 0xD1, 0xFF, 0xCE, 0x6C, 0xD9, 0xBE, 0xDA, 0x76, 0xF3, 0xEB, 0xAB, 0x9C, ++ 0x41, 0x6E, 0x4F, 0x35, 0x7A, 0x61, 0x27, 0xBC, 0x03, 0x3E, 0xAE, 0x3E, ++ 0x1B, 0xDD, 0xAC, 0xD9, 0x1A, 0xFF, 0xD3, 0xF5, 0x66, 0x43, 0x07, 0x76, ++ 0x8A, 0x69, 0x2D, 0x14, 0xB1, 0xBE, 0x55, 0x49, 0x90, 0x89, 0x4B, 0xC4, ++ 0x11, 0x67, 0xD5, 0x9D, 0xB0, 0xB2, 0xEE, 0x8D, 0x0A, 0x47, 0x4A, 0xD9, ++ 0x0E, 0xD1, 0x24, 0xF0, 0x30, 0x2B, 0xF2, 0x79, 0x47, 0xDB, 0x70, 0xB4, ++ 0x46, 0xF2, 0xF8, 0xB7, 0xB4, 0xF6, 0x34, 0x79, 0xA8, 0x2D, 0x3D, 0x56, ++ 0xD5, 0x9A, 0x60, 0x7A, 0x04, 0xC7, 0x66, 0x1D, 0xCD, 0x3C, 0xD5, 0x39, ++ 0x37, 0x12, 0x51, 0x5E, 0x9F, 0xF8, 0x1A, 0xAF, 0x13, 0xC1, 0x13, 0x00, ++ 0x35, 0xD5, 0x8D, 0x17, 0xE3, 0x02, 0x28, 0xD9, 0xEC, 0xDE, 0xD1, 0x2F, ++ 0x93, 0x49, 0x03, 0x11, 0x3E, 0x56, 0x9D, 0xC2, 0x31, 0xF8, 0xAF, 0x2D, ++ 0xD9, 0x99, 0xB7, 0x8A, 0xAC, 0x5A, 0x86, 0x20, 0x3A, 0x83, 0x29, 0x26, ++ 0x9D, 0x03, 0x52, 0x2B, 0x34, 0x56, 0x40, 0x16, 0x53, 0x50, 0x82, 0xC9, ++ 0xC7, 0xD5, 0x51, 0x4C, 0xED, 0xB3, 0xE2, 0xE1, 0xCF, 0xA8, 0xCE, 0xBD, ++ 0xB1, 0x48, 0xA6, 0x8A, 0x79, 0x17, 0x55, 0x11, 0xEF, 0xE8, 0x14, 0xF4, ++ 0x7E, 0x37, 0x1D, 0x96 + }; + + static const unsigned char kat_RSA_SHA512[] = { +- 0x69, 0x52, 0x1B, 0x51, 0x5E, 0x06, 0xCA, 0x9B, 0x16, 0x51, 0x5D, 0xCF, +- 0x49, 0x25, 0x4A, 0xA1, 0x6A, 0x77, 0x4C, 0x36, 0x40, 0xF8, 0xB2, 0x9A, +- 0x15, 0xEA, 0x5C, 0xE5, 0xE6, 0x82, 0xE0, 0x86, 0x82, 0x6B, 0x32, 0xF1, +- 0x04, 0xC1, 0x5A, 0x1A, 0xED, 0x1E, 0x9A, 0xB6, 0x4C, 0x54, 0x9F, 0xD8, +- 0x8D, 0xCC, 0xAC, 0x8A, 0xBB, 0x9C, 0x82, 0x3F, 0xA6, 0x53, 0x62, 0xB5, +- 0x80, 0xE2, 0xBC, 0xDD, 0x67, 0x2B, 0xD9, 0x3F, 0xE4, 0x75, 0x92, 0x6B, +- 0xAF, 0x62, 0x7C, 0x52, 0xF0, 0xEE, 0x33, 0xDF, 0x1B, 0x1D, 0x47, 0xE6, +- 0x59, 0x56, 0xA5, 0xB9, 0x5C, 0xE6, 0x77, 0x78, 0x16, 0x63, 0x84, 0x05, +- 0x6F, 0x0E, 0x2B, 0x31, 0x9D, 0xF7, 0x7F, 0xB2, 0x64, 0x71, 0xE0, 0x2D, +- 0x3E, 0x62, 0xCE, 0xB5, 0x3F, 0x88, 0xDF, 0x2D, 0xAB, 0x98, 0x65, 0x91, +- 0xDF, 0x70, 0x14, 0xA5, 0x3F, 0x36, 0xAB, 0x84 ++ 0x35, 0x6D, 0xF1, 0x9E, 0xCF, 0xB1, 0xF6, 0x0C, 0x04, 0x21, 0x17, 0xB3, ++ 0xC4, 0x9D, 0xFE, 0x62, 0x1C, 0x1A, 0x45, 0x00, 0x2E, 0x6B, 0xB6, 0x9F, ++ 0x5C, 0xB1, 0xCB, 0xCF, 0xF9, 0x67, 0xEA, 0x62, 0x8A, 0xEB, 0x77, 0x02, ++ 0x42, 0x30, 0x88, 0xB1, 0x48, 0xDF, 0x12, 0x60, 0x6E, 0x92, 0xBB, 0x4B, ++ 0x09, 0x68, 0xD1, 0x70, 0x2B, 0x59, 0xEE, 0x57, 0x96, 0xF9, 0xEA, 0xA3, ++ 0x4C, 0xE9, 0xC9, 0xBD, 0x25, 0x34, 0x66, 0x15, 0x6C, 0xC9, 0x81, 0xD1, ++ 0x48, 0x0F, 0x33, 0x5F, 0x05, 0x4F, 0xC2, 0xC4, 0xDD, 0x09, 0x54, 0x79, ++ 0xA1, 0x57, 0x07, 0x70, 0xA0, 0x33, 0x02, 0x4D, 0x5D, 0xE9, 0x24, 0xD1, ++ 0xEF, 0xF0, 0x61, 0xD0, 0x1D, 0x41, 0xE2, 0x9B, 0x2B, 0x7C, 0xD0, 0x4E, ++ 0x55, 0xD9, 0x6D, 0xA1, 0x16, 0x9F, 0xDA, 0xC3, 0x3B, 0xF1, 0x74, 0xD1, ++ 0x99, 0xF1, 0x63, 0x57, 0xAD, 0xC7, 0x55, 0xF4, 0x97, 0x43, 0x1C, 0xED, ++ 0x1B, 0x7A, 0x32, 0xCB, 0x24, 0xA6, 0x3D, 0x93, 0x37, 0x90, 0x74, 0xEE, ++ 0xD2, 0x8D, 0x4B, 0xBC, 0x72, 0xDA, 0x25, 0x2B, 0x64, 0xE9, 0xCA, 0x69, ++ 0x36, 0xB6, 0xEC, 0x6E, 0x8F, 0x33, 0x0E, 0x74, 0x40, 0x48, 0x51, 0xE2, ++ 0x54, 0x6F, 0xAF, 0x6E, 0x36, 0x54, 0x3A, 0xEC, 0x78, 0x37, 0xE6, 0x1F, ++ 0x76, 0xA5, 0x4D, 0xA6, 0xD9, 0xB3, 0x6B, 0x17, 0x6D, 0x61, 0xFC, 0xA3, ++ 0x85, 0x4A, 0xCC, 0xDA, 0x52, 0xAC, 0x5B, 0xDA, 0x51, 0xE5, 0x7F, 0x5B, ++ 0x52, 0x8B, 0x74, 0x75, 0x99, 0x5C, 0x01, 0xFD, 0x25, 0x3E, 0xCD, 0x86, ++ 0x6F, 0x7A, 0xC0, 0xD8, 0x17, 0x6F, 0xD1, 0xD2, 0x6B, 0xAB, 0x14, 0x1F, ++ 0x3B, 0xB8, 0x15, 0x05, 0x86, 0x40, 0x36, 0xCF, 0xDA, 0x59, 0x2B, 0x9A, ++ 0xE9, 0x1E, 0x6E, 0xD3, 0x6B, 0xA1, 0x19, 0xC5, 0xE6, 0x3F, 0xE9, 0x2E, ++ 0x43, 0xA8, 0x34, 0x0A + }; + +-static const unsigned char kat_RSA_X931_SHA1[] = { +- 0x86, 0xB4, 0x18, 0xBA, 0xD1, 0x80, 0xB6, 0x7C, 0x42, 0x45, 0x4D, 0xDF, +- 0xE9, 0x2D, 0xE1, 0x83, 0x5F, 0xB5, 0x2F, 0xC9, 0xCD, 0xC4, 0xB2, 0x75, +- 0x80, 0xA4, 0xF1, 0x4A, 0xE7, 0x83, 0x12, 0x1E, 0x1E, 0x14, 0xB8, 0xAC, +- 0x35, 0xE2, 0xAA, 0x0B, 0x5C, 0xF8, 0x38, 0x4D, 0x04, 0xEE, 0xA9, 0x97, +- 0x70, 0xFB, 0x5E, 0xE7, 0xB7, 0xE3, 0x62, 0x23, 0x4B, 0x38, 0xBE, 0xD6, +- 0x53, 0x15, 0xF7, 0xDF, 0x87, 0xB4, 0x0E, 0xCC, 0xB1, 0x1A, 0x11, 0x19, +- 0xEE, 0x51, 0xCC, 0x92, 0xDD, 0xBC, 0x63, 0x29, 0x63, 0x0C, 0x59, 0xD7, +- 0x6F, 0x4C, 0x3C, 0x37, 0x5B, 0x37, 0x03, 0x61, 0x7D, 0x24, 0x1C, 0x99, +- 0x48, 0xAF, 0x82, 0xFE, 0x32, 0x41, 0x9B, 0xB2, 0xDB, 0xEA, 0xED, 0x76, +- 0x8E, 0x6E, 0xCA, 0x7E, 0x4E, 0x14, 0xBA, 0x30, 0x84, 0x1C, 0xB3, 0x67, +- 0xA3, 0x29, 0x80, 0x70, 0x54, 0x68, 0x7D, 0x49 +-}; ++static int fips_rsa_encrypt_test(RSA *rsa, const unsigned char *plaintext, ++ int ptlen) ++{ ++ unsigned char *ctbuf = NULL, *ptbuf = NULL; ++ int ret = 0; ++ int len; + +-static const unsigned char kat_RSA_X931_SHA256[] = { +- 0x7E, 0xA2, 0x77, 0xFE, 0xB8, 0x54, 0x8A, 0xC7, 0x7F, 0x64, 0x54, 0x89, +- 0xE5, 0x52, 0x15, 0x8E, 0x52, 0x96, 0x4E, 0xA6, 0x58, 0x92, 0x1C, 0xDD, +- 0xEA, 0xA2, 0x2D, 0x5C, 0xD1, 0x62, 0x00, 0x49, 0x05, 0x95, 0x73, 0xCF, +- 0x16, 0x76, 0x68, 0xF6, 0xC6, 0x5E, 0x80, 0xB8, 0xB8, 0x7B, 0xC8, 0x9B, +- 0xC6, 0x53, 0x88, 0x26, 0x20, 0x88, 0x73, 0xB6, 0x13, 0xB8, 0xF0, 0x4B, +- 0x00, 0x85, 0xF3, 0xDD, 0x07, 0x50, 0xEB, 0x20, 0xC4, 0x38, 0x0E, 0x98, +- 0xAD, 0x4E, 0x49, 0x2C, 0xD7, 0x65, 0xA5, 0x19, 0x0E, 0x59, 0x01, 0xEC, +- 0x7E, 0x75, 0x89, 0x69, 0x2E, 0x63, 0x76, 0x85, 0x46, 0x8D, 0xA0, 0x8C, +- 0x33, 0x1D, 0x82, 0x8C, 0x03, 0xEA, 0x69, 0x88, 0x35, 0xA1, 0x42, 0xBD, +- 0x21, 0xED, 0x8D, 0xBC, 0xBC, 0xDB, 0x30, 0xFF, 0x86, 0xF0, 0x5B, 0xDC, +- 0xE3, 0xE2, 0xE8, 0x0A, 0x0A, 0x29, 0x94, 0x80 +-}; ++ ctbuf = OPENSSL_malloc(RSA_size(rsa)); ++ if (!ctbuf) ++ goto err; + +-static const unsigned char kat_RSA_X931_SHA384[] = { +- 0x5C, 0x7D, 0x96, 0x35, 0xEC, 0x7E, 0x11, 0x38, 0xBB, 0x7B, 0xEC, 0x7B, +- 0xF2, 0x82, 0x8E, 0x99, 0xBD, 0xEF, 0xD8, 0xAE, 0xD7, 0x39, 0x37, 0xCB, +- 0xE6, 0x4F, 0x5E, 0x0A, 0x13, 0xE4, 0x2E, 0x40, 0xB9, 0xBE, 0x2E, 0xE3, +- 0xEF, 0x78, 0x83, 0x18, 0x44, 0x35, 0x9C, 0x8E, 0xD7, 0x4A, 0x63, 0xF6, +- 0x57, 0xC2, 0xB0, 0x08, 0x51, 0x73, 0xCF, 0xCA, 0x99, 0x66, 0xEE, 0x31, +- 0xD8, 0x69, 0xE9, 0xAB, 0x13, 0x27, 0x7B, 0x41, 0x1E, 0x6D, 0x8D, 0xF1, +- 0x3E, 0x9C, 0x35, 0x95, 0x58, 0xDD, 0x2B, 0xD5, 0xA0, 0x60, 0x41, 0x79, +- 0x24, 0x22, 0xE4, 0xB7, 0xBF, 0x47, 0x53, 0xF6, 0x34, 0xD5, 0x7C, 0xFF, +- 0x0E, 0x09, 0xEE, 0x2E, 0xE2, 0x37, 0xB9, 0xDE, 0xC5, 0x12, 0x44, 0x35, +- 0xEF, 0x01, 0xE6, 0x5E, 0x39, 0x31, 0x2D, 0x71, 0xA5, 0xDC, 0xC6, 0x6D, +- 0xE2, 0xCD, 0x85, 0xDB, 0x73, 0x82, 0x65, 0x28 +-}; ++ len = RSA_public_encrypt(ptlen, plaintext, ctbuf, rsa, RSA_PKCS1_PADDING); ++ if (len <= 0) ++ goto err; ++ /* Check ciphertext doesn't match plaintext */ ++ if (len >= ptlen && !memcmp(plaintext, ctbuf, ptlen)) ++ goto err; + +-static const unsigned char kat_RSA_X931_SHA512[] = { +- 0xA6, 0x65, 0xA2, 0x77, 0x4F, 0xB3, 0x86, 0xCB, 0x64, 0x3A, 0xC1, 0x63, +- 0xFC, 0xA1, 0xAA, 0xCB, 0x9B, 0x79, 0xDD, 0x4B, 0xE1, 0xD9, 0xDA, 0xAC, +- 0xE7, 0x47, 0x09, 0xB2, 0x11, 0x4B, 0x8A, 0xAA, 0x05, 0x9E, 0x77, 0xD7, +- 0x3A, 0xBD, 0x5E, 0x53, 0x09, 0x4A, 0xE6, 0x0F, 0x5E, 0xF9, 0x14, 0x28, +- 0xA0, 0x99, 0x74, 0x64, 0x70, 0x4E, 0xF2, 0xE3, 0xFA, 0xC7, 0xF8, 0xC5, +- 0x6E, 0x2B, 0x79, 0x96, 0x0D, 0x0C, 0xC8, 0x10, 0x34, 0x53, 0xD2, 0xAF, +- 0x17, 0x0E, 0xE0, 0xBF, 0x79, 0xF6, 0x04, 0x72, 0x10, 0xE0, 0xF6, 0xD0, +- 0xCE, 0x8A, 0x6F, 0xA1, 0x95, 0x89, 0xBF, 0x58, 0x8F, 0x46, 0x5F, 0x09, +- 0x9F, 0x09, 0xCA, 0x84, 0x15, 0x85, 0xE0, 0xED, 0x04, 0x2D, 0xFB, 0x7C, +- 0x36, 0x35, 0x21, 0x31, 0xC3, 0xFD, 0x92, 0x42, 0x11, 0x30, 0x71, 0x1B, +- 0x60, 0x83, 0x18, 0x88, 0xA3, 0xF5, 0x59, 0xC3 +-}; ++ ptbuf = OPENSSL_malloc(RSA_size(rsa)); ++ if (!ptbuf) ++ goto err; ++ ++ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING); ++ if (len != ptlen) ++ goto err; ++ if (memcmp(ptbuf, plaintext, len)) ++ goto err; ++ ++ ret = 1; ++ ++ err: ++ if (ctbuf) ++ OPENSSL_free(ctbuf); ++ if (ptbuf) ++ OPENSSL_free(ptbuf); ++ return ret; ++} + + int FIPS_selftest_rsa() + { +@@ -352,7 +483,7 @@ int FIPS_selftest_rsa() + if ((pk = EVP_PKEY_new()) == NULL) + goto err; + +- EVP_PKEY_assign_RSA(pk, key); ++ EVP_PKEY_set1_RSA(pk, key); + + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_SHA1, sizeof(kat_RSA_SHA1), +@@ -406,29 +537,7 @@ int FIPS_selftest_rsa() + EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA512 PSS")) + goto err; + +- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, +- kat_RSA_X931_SHA1, +- sizeof(kat_RSA_X931_SHA1), EVP_sha1(), +- EVP_MD_CTX_FLAG_PAD_X931, "RSA SHA1 X931")) +- goto err; +- /* NB: SHA224 not supported in X9.31 */ +- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, +- kat_RSA_X931_SHA256, +- sizeof(kat_RSA_X931_SHA256), EVP_sha256(), +- EVP_MD_CTX_FLAG_PAD_X931, +- "RSA SHA256 X931")) +- goto err; +- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, +- kat_RSA_X931_SHA384, +- sizeof(kat_RSA_X931_SHA384), EVP_sha384(), +- EVP_MD_CTX_FLAG_PAD_X931, +- "RSA SHA384 X931")) +- goto err; +- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, +- kat_RSA_X931_SHA512, +- sizeof(kat_RSA_X931_SHA512), EVP_sha512(), +- EVP_MD_CTX_FLAG_PAD_X931, +- "RSA SHA512 X931")) ++ if (!fips_rsa_encrypt_test(key, kat_tbs, sizeof(kat_tbs) - 1)) + goto err; + + ret = 1; +@@ -436,7 +545,7 @@ int FIPS_selftest_rsa() + err: + if (pk) + EVP_PKEY_free(pk); +- else if (key) ++ if (key) + RSA_free(key); + return ret; + } +diff --git a/crypto/rand/rand_lcl.h b/crypto/rand/rand_lcl.h +index f9fda3e..93b9896 100644 +--- a/crypto/rand/rand_lcl.h ++++ b/crypto/rand/rand_lcl.h +@@ -112,7 +112,7 @@ + #ifndef HEADER_RAND_LCL_H + # define HEADER_RAND_LCL_H + +-# define ENTROPY_NEEDED 32 /* require 256 bits = 32 bytes of randomness */ ++# define ENTROPY_NEEDED 48 /* require 384 bits = 48 bytes of randomness */ + + # if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND) + # if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) +diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c +index 88a78d3..adf572f 100644 +--- a/crypto/rand/rand_lib.c ++++ b/crypto/rand/rand_lib.c +@@ -236,12 +236,22 @@ static int drbg_rand_add(DRBG_CTX *ctx, const void *in, int inlen, + double entropy) + { + RAND_SSLeay()->add(in, inlen, entropy); ++ if (FIPS_rand_status()) { ++ CRYPTO_w_lock(CRYPTO_LOCK_RAND); ++ FIPS_drbg_reseed(ctx, NULL, 0); ++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND); ++ } + return 1; + } + + static int drbg_rand_seed(DRBG_CTX *ctx, const void *in, int inlen) + { + RAND_SSLeay()->seed(in, inlen); ++ if (FIPS_rand_status()) { ++ CRYPTO_w_lock(CRYPTO_LOCK_RAND); ++ FIPS_drbg_reseed(ctx, NULL, 0); ++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND); ++ } + return 1; + } + +diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c +index c6c0a75..675f645 100644 +--- a/crypto/rsa/rsa_gen.c ++++ b/crypto/rsa/rsa_gen.c +@@ -1,5 +1,6 @@ + /* crypto/rsa/rsa_gen.c */ + /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) ++ * Copyright (C) 2013 Red Hat, Inc. + * All rights reserved. + * + * This package is an SSL implementation written +@@ -169,6 +170,259 @@ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) + return rsa_builtin_keygen(rsa, bits, e_value, cb); + } + ++#ifdef OPENSSL_FIPS ++static int FIPS_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, ++ BN_GENCB *cb) ++{ ++ BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp; ++ BIGNUM local_r0, local_d, local_p; ++ BIGNUM *pr0, *d, *p; ++ BN_CTX *ctx = NULL; ++ int ok = -1; ++ int i; ++ int n = 0; ++ int test = 0; ++ int pbits = bits / 2; ++ ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED); ++ return 0; ++ } ++ ++ if ((pbits & 0xFF) ++ || (getenv("OPENSSL_ENFORCE_MODULUS_BITS") && bits != 2048 ++ && bits != 3072)) { ++ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_INVALID_KEY_LENGTH); ++ return 0; ++ } ++ ++ ctx = BN_CTX_new(); ++ if (ctx == NULL) ++ goto err; ++ BN_CTX_start(ctx); ++ r0 = BN_CTX_get(ctx); ++ r1 = BN_CTX_get(ctx); ++ r2 = BN_CTX_get(ctx); ++ r3 = BN_CTX_get(ctx); ++ ++ if (r3 == NULL) ++ goto err; ++ ++ /* We need the RSA components non-NULL */ ++ if (!rsa->n && ((rsa->n = BN_new()) == NULL)) ++ goto err; ++ if (!rsa->d && ((rsa->d = BN_new()) == NULL)) ++ goto err; ++ if (!rsa->e && ((rsa->e = BN_new()) == NULL)) ++ goto err; ++ if (!rsa->p && ((rsa->p = BN_new()) == NULL)) ++ goto err; ++ if (!rsa->q && ((rsa->q = BN_new()) == NULL)) ++ goto err; ++ if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL)) ++ goto err; ++ if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL)) ++ goto err; ++ if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL)) ++ goto err; ++ ++ if (!BN_set_word(r0, RSA_F4)) ++ goto err; ++ if (BN_cmp(e_value, r0) < 0 || BN_num_bits(e_value) > 256) { ++ ok = 0; /* we set our own err */ ++ RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_BAD_E_VALUE); ++ goto err; ++ } ++ ++ /* prepare approximate minimum p and q */ ++ if (!BN_set_word(r0, 0xB504F334)) ++ goto err; ++ if (!BN_lshift(r0, r0, pbits - 32)) ++ goto err; ++ ++ /* prepare minimum p and q difference */ ++ if (!BN_one(r3)) ++ goto err; ++ if (!BN_lshift(r3, r3, pbits - 100)) ++ goto err; ++ ++ BN_copy(rsa->e, e_value); ++ ++ if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q)) ++ test = 1; ++ ++ retry: ++ /* generate p and q */ ++ for (i = 0; i < 5 * pbits; i++) { ++ ploop: ++ if (!test) ++ if (!BN_rand(rsa->p, pbits, 0, 1)) ++ goto err; ++ if (BN_cmp(rsa->p, r0) < 0) { ++ if (test) ++ goto err; ++ goto ploop; ++ } ++ ++ if (!BN_sub(r2, rsa->p, BN_value_one())) ++ goto err; ++ if (!BN_gcd(r1, r2, rsa->e, ctx)) ++ goto err; ++ if (BN_is_one(r1)) { ++ int r; ++ r = BN_is_prime_fasttest_ex(rsa->p, pbits > 1024 ? 4 : 5, ctx, 0, ++ cb); ++ if (r == -1 || (test && r <= 0)) ++ goto err; ++ if (r > 0) ++ break; ++ } ++ ++ if (!BN_GENCB_call(cb, 2, n++)) ++ goto err; ++ } ++ ++ if (!BN_GENCB_call(cb, 3, 0)) ++ goto err; ++ ++ if (i >= 5 * pbits) ++ /* prime not found */ ++ goto err; ++ ++ for (i = 0; i < 5 * pbits; i++) { ++ qloop: ++ if (!test) ++ if (!BN_rand(rsa->q, pbits, 0, 1)) ++ goto err; ++ if (BN_cmp(rsa->q, r0) < 0) { ++ if (test) ++ goto err; ++ goto qloop; ++ } ++ if (!BN_sub(r2, rsa->q, rsa->p)) ++ goto err; ++ if (BN_ucmp(r2, r3) <= 0) { ++ if (test) ++ goto err; ++ goto qloop; ++ } ++ ++ if (!BN_sub(r2, rsa->q, BN_value_one())) ++ goto err; ++ if (!BN_gcd(r1, r2, rsa->e, ctx)) ++ goto err; ++ if (BN_is_one(r1)) { ++ int r; ++ r = BN_is_prime_fasttest_ex(rsa->q, pbits > 1024 ? 4 : 5, ctx, 0, ++ cb); ++ if (r == -1 || (test && r <= 0)) ++ goto err; ++ if (r > 0) ++ break; ++ } ++ ++ if (!BN_GENCB_call(cb, 2, n++)) ++ goto err; ++ } ++ ++ if (!BN_GENCB_call(cb, 3, 1)) ++ goto err; ++ ++ if (i >= 5 * pbits) ++ /* prime not found */ ++ goto err; ++ ++ if (test) { ++ /* do not try to calculate the remaining key values */ ++ BN_clear(rsa->n); ++ ok = 1; ++ goto err; ++ } ++ ++ if (BN_cmp(rsa->p, rsa->q) < 0) { ++ tmp = rsa->p; ++ rsa->p = rsa->q; ++ rsa->q = tmp; ++ } ++ ++ /* calculate n */ ++ if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx)) ++ goto err; ++ ++ /* calculate d */ ++ if (!BN_sub(r1, rsa->p, BN_value_one())) ++ goto err; /* p-1 */ ++ if (!BN_sub(r2, rsa->q, BN_value_one())) ++ goto err; /* q-1 */ ++ ++ if (!BN_gcd(r0, r1, r2, ctx)) ++ goto err; ++ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { ++ pr0 = &local_r0; ++ BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); ++ } else ++ pr0 = r0; ++ if (!BN_div(r0, NULL, r1, pr0, ctx)) ++ goto err; ++ if (!BN_mul(r0, r0, r2, ctx)) ++ goto err; /* lcm(p-1, q-1) */ ++ ++ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { ++ pr0 = &local_r0; ++ BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); ++ } else ++ pr0 = r0; ++ if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) ++ goto err; /* d */ ++ ++ if (BN_num_bits(rsa->d) < pbits) ++ goto retry; /* d is too small */ ++ ++ /* set up d for correct BN_FLG_CONSTTIME flag */ ++ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { ++ d = &local_d; ++ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); ++ } else ++ d = rsa->d; ++ ++ /* calculate d mod (p-1) */ ++ if (!BN_mod(rsa->dmp1, d, r1, ctx)) ++ goto err; ++ ++ /* calculate d mod (q-1) */ ++ if (!BN_mod(rsa->dmq1, d, r2, ctx)) ++ goto err; ++ ++ /* calculate inverse of q mod p */ ++ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { ++ p = &local_p; ++ BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); ++ } else ++ p = rsa->p; ++ if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) ++ goto err; ++ ++ if (fips_rsa_pairwise_fail) ++ BN_add_word(rsa->n, 1); ++ ++ if (!fips_check_rsa(rsa)) ++ goto err; ++ ++ ok = 1; ++ err: ++ if (ok == -1) { ++ RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN); ++ ok = 0; ++ } ++ if (ctx != NULL) { ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ } ++ ++ return ok; ++} ++#endif ++ + static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, + BN_GENCB *cb) + { +@@ -180,15 +434,11 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, + + #ifdef OPENSSL_FIPS + if (FIPS_module_mode()) { +- if (FIPS_selftest_failed()) { +- FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED); +- return 0; +- } +- + if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) { + FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_KEY_TOO_SHORT); + return 0; + } ++ return FIPS_rsa_builtin_keygen(rsa, bits, e_value, cb); + } + #endif + +@@ -317,16 +567,6 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, + if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) + goto err; + +-#ifdef OPENSSL_FIPS +- if (FIPS_module_mode()) { +- if (fips_rsa_pairwise_fail) +- BN_add_word(rsa->n, 1); +- +- if (!fips_check_rsa(rsa)) +- goto err; +- } +-#endif +- + ok = 1; + err: + if (ok == -1) { +diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c +index 514fcb3..ec15996 100644 +--- a/ssl/t1_enc.c ++++ b/ssl/t1_enc.c +@@ -292,6 +292,23 @@ static int tls1_PRF(long digest_mask, + return ret; + } + ++int private_tls1_PRF(long digest_mask, ++ const void *seed1, int seed1_len, ++ const void *seed2, int seed2_len, ++ const void *seed3, int seed3_len, ++ const void *seed4, int seed4_len, ++ const void *seed5, int seed5_len, ++ const unsigned char *sec, int slen, ++ unsigned char *out1, unsigned char *out2, int olen) ++{ ++ return tls1_PRF(digest_mask, ++ seed1, seed1_len, ++ seed2, seed2_len, ++ seed3, seed3_len, ++ seed4, seed4_len, ++ seed5, seed5_len, sec, slen, out1, out2, olen); ++} ++ + static int tls1_generate_key_block(SSL *s, unsigned char *km, + unsigned char *tmp, int num) + { diff -Nru openssl-1.0.2g/debian/patches/openssl-1.0.2g-fips-ctor.patch openssl-1.0.2g/debian/patches/openssl-1.0.2g-fips-ctor.patch --- openssl-1.0.2g/debian/patches/openssl-1.0.2g-fips-ctor.patch 2016-04-12 20:32:08.000000000 +0000 +++ openssl-1.0.2g/debian/patches/openssl-1.0.2g-fips-ctor.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,183 +0,0 @@ -From: Joy Latten -Description: [PATCH 4/6] Additional fips 140-2 compliance changes -Bug-Ubuntu: http://bugs.launchpad.net/bugs/1553309 -Forwarded: not needed -Origin: vendor, http://dl.fedoraproject.org/pub/fedora/linux/development - -diff --git a/crypto/fips/fips.c b/crypto/fips/fips.c -index aac1553..c1cdd2b 100644 ---- a/crypto/fips/fips.c -+++ b/crypto/fips/fips.c -@@ -60,6 +60,8 @@ - #include - #include - #include -+#include -+#include - #include "fips_locl.h" - - #ifdef OPENSSL_FIPS -@@ -201,7 +203,9 @@ static char *bin2hex(void *buf, size_t len) - } - - # define HMAC_PREFIX "." --# define HMAC_SUFFIX ".hmac" -+# ifndef HMAC_SUFFIX -+# define HMAC_SUFFIX ".hmac" -+# endif - # define READ_BUFFER_LENGTH 16384 - - static char *make_hmac_path(const char *origpath) -@@ -279,20 +283,14 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen) - return rv; - } - --static int FIPSCHECK_verify(const char *libname, const char *symbolname) -+static int FIPSCHECK_verify(const char *path) - { -- char path[PATH_MAX + 1]; -- int rv; -+ int rv = 0; - FILE *hf; - char *hmacpath, *p; - char *hmac = NULL; - size_t n; - -- rv = get_library_path(libname, symbolname, path, sizeof(path)); -- -- if (rv < 0) -- return 0; -- - hmacpath = make_hmac_path(path); - if (hmacpath == NULL) - return 0; -@@ -343,6 +341,51 @@ static int FIPSCHECK_verify(const char *libname, const char *symbolname) - return 1; - } - -+static int verify_checksums(void) -+{ -+ int rv; -+ char path[PATH_MAX + 1]; -+ char *p; -+ -+ /* we need to avoid dlopening libssl, assume both libcrypto and libssl -+ are in the same directory */ -+ -+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, -+ "FIPS_mode_set", path, sizeof(path)); -+ if (rv < 0) -+ return 0; -+ -+ rv = FIPSCHECK_verify(path); -+ if (!rv) -+ return 0; -+ -+ /* replace libcrypto with libssl */ -+ while ((p = strstr(path, "libcrypto.so")) != NULL) { -+ p = stpcpy(p, "libssl"); -+ memmove(p, p + 3, strlen(p + 2)); -+ } -+ -+ rv = FIPSCHECK_verify(path); -+ if (!rv) -+ return 0; -+ return 1; -+} -+ -+# ifndef FIPS_MODULE_PATH -+# define FIPS_MODULE_PATH "/etc/system-fips" -+# endif -+ -+int FIPS_module_installed(void) -+{ -+ int rv; -+ rv = access(FIPS_MODULE_PATH, F_OK); -+ if (rv < 0 && errno != ENOENT) -+ rv = 0; -+ -+ /* Installed == true */ -+ return !rv; -+} -+ - int FIPS_module_mode_set(int onoff, const char *auth) - { - int ret = 0; -@@ -380,17 +423,7 @@ int FIPS_module_mode_set(int onoff, const char *auth) - } - # endif - -- if (!FIPSCHECK_verify -- ("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set")) { -- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, -- FIPS_R_FINGERPRINT_DOES_NOT_MATCH); -- fips_selftest_fail = 1; -- ret = 0; -- goto end; -- } -- -- if (!FIPSCHECK_verify -- ("libssl.so." SHLIB_VERSION_NUMBER, "SSL_CTX_new")) { -+ if (!verify_checksums()) { - FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, - FIPS_R_FINGERPRINT_DOES_NOT_MATCH); - fips_selftest_fail = 1; -diff --git a/crypto/fips/fips.h b/crypto/fips/fips.h -index 06836bf..fcc3e1c 100644 ---- a/crypto/fips/fips.h -+++ b/crypto/fips/fips.h -@@ -74,6 +74,7 @@ extern "C" { - - int FIPS_module_mode_set(int onoff, const char *auth); - int FIPS_module_mode(void); -+ int FIPS_module_installed(void); - const void *FIPS_rand_check(void); - int FIPS_selftest(void); - int FIPS_selftest_failed(void); -diff --git a/crypto/o_init.c b/crypto/o_init.c -index 2f754ef..a235755 100644 ---- a/crypto/o_init.c -+++ b/crypto/o_init.c -@@ -72,6 +72,9 @@ static void init_fips_mode(void) - char buf[2] = "0"; - int fd; - -+ /* Ensure the selftests always run */ -+ FIPS_mode_set(1); -+ - if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { - buf[0] = '1'; - } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { -@@ -83,8 +86,12 @@ static void init_fips_mode(void) - * otherwise.. - */ - -- if (buf[0] == '1') { -- FIPS_mode_set(1); -+ if (buf[0] != '1') { -+ /* drop down to non-FIPS mode if it is not requested */ -+ FIPS_mode_set(0); -+ } else { -+ /* abort if selftest failed */ -+ FIPS_selftest_check(); - } - } - #endif -@@ -94,13 +101,16 @@ static void init_fips_mode(void) - * sets FIPS callbacks - */ - --void OPENSSL_init_library(void) -+void __attribute__ ((constructor)) OPENSSL_init_library(void) - { - static int done = 0; - if (done) - return; - done = 1; - #ifdef OPENSSL_FIPS -+ if (!FIPS_module_installed()) { -+ return; -+ } - RAND_init_fips(); - init_fips_mode(); - if (!FIPS_mode()) { diff -Nru openssl-1.0.2g/debian/patches/openssl-1.0.2g-fips-ec.patch openssl-1.0.2g/debian/patches/openssl-1.0.2g-fips-ec.patch --- openssl-1.0.2g/debian/patches/openssl-1.0.2g-fips-ec.patch 2016-04-12 20:31:12.000000000 +0000 +++ openssl-1.0.2g/debian/patches/openssl-1.0.2g-fips-ec.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,517 +0,0 @@ -From: Joy Latten -Decription: [Patch 2/6] Add fips 140-2 support for EC. -Bug-Ubuntu: http://bugs.launchpad.net/bugs/1553309 -Forwarded: not-needed -Origin: vendor, http://dl.fedoraproject.org/pub/fedora/linux/development - -diff --git a/crypto/ec/ec2_smpl.c b/crypto/ec/ec2_smpl.c -index 5b27b91..3d7c3b8 100644 ---- a/crypto/ec/ec2_smpl.c -+++ b/crypto/ec/ec2_smpl.c -@@ -124,11 +124,6 @@ const EC_METHOD *EC_GF2m_simple_method(void) - 0 /* field_set_to_one */ - }; - --# ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return fips_ec_gf2m_simple_method(); --# endif -- - return &ret; - } - -diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c -index 6dbe9d8..fb4424d 100644 ---- a/crypto/ec/ec_curve.c -+++ b/crypto/ec/ec_curve.c -@@ -3162,10 +3162,6 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int nid) - size_t i; - EC_GROUP *ret = NULL; - --#ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return FIPS_ec_group_new_by_curve_name(nid); --#endif - if (nid <= 0) - return NULL; - -diff --git a/crypto/ec/ec_cvt.c b/crypto/ec/ec_cvt.c -index 5a832ba..010bd5f 100644 ---- a/crypto/ec/ec_cvt.c -+++ b/crypto/ec/ec_cvt.c -@@ -82,10 +82,6 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, - const EC_METHOD *meth; - EC_GROUP *ret; - --#ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return FIPS_ec_group_new_curve_gfp(p, a, b, ctx); --#endif - #if defined(OPENSSL_BN_ASM_MONT) - /* - * This might appear controversial, but the fact is that generic -@@ -160,10 +156,6 @@ EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, - const EC_METHOD *meth; - EC_GROUP *ret; - --# ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return FIPS_ec_group_new_curve_gf2m(p, a, b, ctx); --# endif - meth = EC_GF2m_simple_method(); - - ret = EC_GROUP_new(meth); -diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c -index bc94ab5..d3fd257 100644 ---- a/crypto/ec/ec_key.c -+++ b/crypto/ec/ec_key.c -@@ -64,9 +64,6 @@ - #include - #include "ec_lcl.h" - #include --#ifdef OPENSSL_FIPS --# include --#endif - - EC_KEY *EC_KEY_new(void) - { -@@ -227,6 +224,38 @@ int EC_KEY_up_ref(EC_KEY *r) - return ((i > 1) ? 1 : 0); - } - -+#ifdef OPENSSL_FIPS -+ -+# include -+# include -+# include -+ -+static int fips_check_ec(EC_KEY *key) -+{ -+ EVP_PKEY *pk; -+ unsigned char tbs[] = "ECDSA Pairwise Check Data"; -+ int ret = 0; -+ -+ if ((pk = EVP_PKEY_new()) == NULL) -+ goto err; -+ -+ EVP_PKEY_set1_EC_KEY(pk, key); -+ -+ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL)) -+ ret = 1; -+ -+ err: -+ if (ret == 0) { -+ FIPSerr(FIPS_F_FIPS_CHECK_EC, FIPS_R_PAIRWISE_TEST_FAILED); -+ fips_set_selftest_fail(); -+ } -+ if (pk) -+ EVP_PKEY_free(pk); -+ return ret; -+} -+ -+#endif -+ - int EC_KEY_generate_key(EC_KEY *eckey) - { - int ok = 0; -@@ -235,8 +264,10 @@ int EC_KEY_generate_key(EC_KEY *eckey) - EC_POINT *pub_key = NULL; - - #ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return FIPS_ec_key_generate_key(eckey); -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_EC_KEY_GENERATE_KEY, FIPS_R_FIPS_SELFTEST_FAILED); -+ return 0; -+ } - #endif - - if (!eckey || !eckey->group) { -@@ -277,6 +308,14 @@ int EC_KEY_generate_key(EC_KEY *eckey) - eckey->priv_key = priv_key; - eckey->pub_key = pub_key; - -+#ifdef OPENSSL_FIPS -+ if (!fips_check_ec(eckey)) { -+ eckey->priv_key = NULL; -+ eckey->pub_key = NULL; -+ goto err; -+ } -+#endif -+ - ok = 1; - - err: -@@ -414,10 +453,12 @@ int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, - goto err; - } - /* -- * Check if retrieved coordinates match originals: if not values are out -- * of range. -+ * Check if retrieved coordinates match originals and are less -+ * than field order: if not values are out of range. - */ -- if (BN_cmp(x, tx) || BN_cmp(y, ty)) { -+ if (BN_cmp(x, tx) || BN_cmp(y, ty) -+ || (BN_cmp(x, &key->group->field) >= 0) -+ || (BN_cmp(y, &key->group->field) >= 0)) { - ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES, - EC_R_COORDINATES_OUT_OF_RANGE); - goto err; -diff --git a/crypto/ec/ecp_mont.c b/crypto/ec/ecp_mont.c -index b2de7fa..bc9fd47 100644 ---- a/crypto/ec/ecp_mont.c -+++ b/crypto/ec/ecp_mont.c -@@ -63,10 +63,6 @@ - - #include - --#ifdef OPENSSL_FIPS --# include --#endif -- - #include "ec_lcl.h" - - const EC_METHOD *EC_GFp_mont_method(void) -@@ -111,11 +107,6 @@ const EC_METHOD *EC_GFp_mont_method(void) - ec_GFp_mont_field_set_to_one - }; - --#ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return fips_ec_gfp_mont_method(); --#endif -- - return &ret; - } - -diff --git a/crypto/ec/ecp_nist.c b/crypto/ec/ecp_nist.c -index 3944e24..dbd2558 100644 ---- a/crypto/ec/ecp_nist.c -+++ b/crypto/ec/ecp_nist.c -@@ -67,10 +67,6 @@ - #include - #include "ec_lcl.h" - --#ifdef OPENSSL_FIPS --# include --#endif -- - const EC_METHOD *EC_GFp_nist_method(void) - { - static const EC_METHOD ret = { -@@ -113,11 +109,6 @@ const EC_METHOD *EC_GFp_nist_method(void) - 0 /* field_set_to_one */ - }; - --#ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return fips_ec_gfp_nist_method(); --#endif -- - return &ret; - } - -diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c -index 2b84821..b0e69cb 100644 ---- a/crypto/ec/ecp_smpl.c -+++ b/crypto/ec/ecp_smpl.c -@@ -66,10 +66,6 @@ - #include - #include - --#ifdef OPENSSL_FIPS --# include --#endif -- - #include "ec_lcl.h" - - const EC_METHOD *EC_GFp_simple_method(void) -@@ -114,11 +110,6 @@ const EC_METHOD *EC_GFp_simple_method(void) - 0 /* field_set_to_one */ - }; - --#ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return fips_ec_gfp_simple_method(); --#endif -- - return &ret; - } - -@@ -187,6 +178,11 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group, - return 0; - } - -+ if (BN_num_bits(p) < 256) { -+ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD); -+ return 0; -+ } -+ - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) -diff --git a/crypto/ecdh/ecdhtest.c b/crypto/ecdh/ecdhtest.c -index 2fe2c66..4d6594a 100644 ---- a/crypto/ecdh/ecdhtest.c -+++ b/crypto/ecdh/ecdhtest.c -@@ -501,11 +501,13 @@ int main(int argc, char *argv[]) - goto err; - - /* NIST PRIME CURVES TESTS */ -+# if 0 - if (!test_ecdh_curve - (NID_X9_62_prime192v1, "NIST Prime-Curve P-192", ctx, out)) - goto err; - if (!test_ecdh_curve(NID_secp224r1, "NIST Prime-Curve P-224", ctx, out)) - goto err; -+# endif - if (!test_ecdh_curve - (NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out)) - goto err; -@@ -536,13 +538,14 @@ int main(int argc, char *argv[]) - if (!test_ecdh_curve(NID_sect571r1, "NIST Binary-Curve B-571", ctx, out)) - goto err; - # endif -+# if 0 - if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP256r1", 256)) - goto err; - if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP384r1", 384)) - goto err; - if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP512r1", 512)) - goto err; -- -+# endif - ret = 0; - - err: -diff --git a/crypto/ecdh/ech_lib.c b/crypto/ecdh/ech_lib.c -index cbc21d1..aa7954a 100644 ---- a/crypto/ecdh/ech_lib.c -+++ b/crypto/ecdh/ech_lib.c -@@ -93,14 +93,7 @@ void ECDH_set_default_method(const ECDH_METHOD *meth) - const ECDH_METHOD *ECDH_get_default_method(void) - { - if (!default_ECDH_method) { --#ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return FIPS_ecdh_openssl(); -- else -- return ECDH_OpenSSL(); --#else - default_ECDH_method = ECDH_OpenSSL(); --#endif - } - return default_ECDH_method; - } -diff --git a/crypto/ecdh/ech_ossl.c b/crypto/ecdh/ech_ossl.c -index df115cc..3908dfa 100644 ---- a/crypto/ecdh/ech_ossl.c -+++ b/crypto/ecdh/ech_ossl.c -@@ -78,6 +78,10 @@ - #include - #include - -+#ifdef OPENSSL_FIPS -+# include -+#endif -+ - static int ecdh_compute_key(void *out, size_t len, const EC_POINT *pub_key, - EC_KEY *ecdh, - void *(*KDF) (const void *in, size_t inlen, -@@ -90,7 +94,7 @@ static ECDH_METHOD openssl_ecdh_meth = { - NULL, /* init */ - NULL, /* finish */ - #endif -- 0, /* flags */ -+ ECDH_FLAG_FIPS_METHOD, /* flags */ - NULL /* app_data */ - }; - -@@ -119,6 +123,13 @@ static int ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, - size_t buflen, len; - unsigned char *buf = NULL; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED); -+ return -1; -+ } -+#endif -+ - if (outlen > INT_MAX) { - ECDHerr(ECDH_F_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE); /* sort of, - * anyway */ -diff --git a/crypto/ecdsa/ecdsatest.c b/crypto/ecdsa/ecdsatest.c -index 0f301f8..0d12f71 100644 ---- a/crypto/ecdsa/ecdsatest.c -+++ b/crypto/ecdsa/ecdsatest.c -@@ -138,11 +138,14 @@ int restore_rand(void) - } - - static int fbytes_counter = 0; --static const char *numbers[8] = { -+static const char *numbers[10] = { -+ "651056770906015076056810763456358567190100156695615665659", - "651056770906015076056810763456358567190100156695615665659", - "6140507067065001063065065565667405560006161556565665656654", - "8763001015071075675010661307616710783570106710677817767166" - "71676178726717", -+ "8763001015071075675010661307616710783570106710677817767166" -+ "71676178726717", - "7000000175690566466555057817571571075705015757757057795755" - "55657156756655", - "1275552191113212300012030439187146164646146646466749494799", -@@ -158,7 +161,7 @@ int fbytes(unsigned char *buf, int num) - int ret; - BIGNUM *tmp = NULL; - -- if (fbytes_counter >= 8) -+ if (fbytes_counter >= 10) - return 0; - tmp = BN_new(); - if (!tmp) -@@ -532,8 +535,10 @@ int main(void) - RAND_seed(rnd_seed, sizeof(rnd_seed)); - - /* the tests */ -+# if 0 - if (!x9_62_tests(out)) - goto err; -+# endif - if (!test_builtin(out)) - goto err; - -diff --git a/crypto/ecdsa/ecs_lib.c b/crypto/ecdsa/ecs_lib.c -index 8dc1dda..24ef566 100644 ---- a/crypto/ecdsa/ecs_lib.c -+++ b/crypto/ecdsa/ecs_lib.c -@@ -80,14 +80,7 @@ void ECDSA_set_default_method(const ECDSA_METHOD *meth) - const ECDSA_METHOD *ECDSA_get_default_method(void) - { - if (!default_ECDSA_method) { --#ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return FIPS_ecdsa_openssl(); -- else -- return ECDSA_OpenSSL(); --#else - default_ECDSA_method = ECDSA_OpenSSL(); --#endif - } - return default_ECDSA_method; - } -diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c -index dd76960..d81cf6b 100644 ---- a/crypto/ecdsa/ecs_ossl.c -+++ b/crypto/ecdsa/ecs_ossl.c -@@ -60,6 +60,9 @@ - #include - #include - #include -+#ifdef OPENSSL_FIPS -+# include -+#endif - - static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen, - const BIGNUM *, const BIGNUM *, -@@ -78,7 +81,7 @@ static ECDSA_METHOD openssl_ecdsa_meth = { - NULL, /* init */ - NULL, /* finish */ - #endif -- 0, /* flags */ -+ ECDSA_FLAG_FIPS_METHOD, /* flags */ - NULL /* app_data */ - }; - -@@ -245,6 +248,13 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, - ECDSA_DATA *ecdsa; - const BIGNUM *priv_key; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_ECDSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED); -+ return NULL; -+ } -+#endif -+ - ecdsa = ecdsa_check(eckey); - group = EC_KEY_get0_group(eckey); - priv_key = EC_KEY_get0_private_key(eckey); -@@ -358,6 +368,13 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, - const EC_GROUP *group; - const EC_POINT *pub_key; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_ECDSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED); -+ return -1; -+ } -+#endif -+ - /* check input values */ - if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || - (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) { -diff --git a/crypto/evp/m_ecdsa.c b/crypto/evp/m_ecdsa.c -index 803d314..2830069 100644 ---- a/crypto/evp/m_ecdsa.c -+++ b/crypto/evp/m_ecdsa.c -@@ -136,7 +136,7 @@ static const EVP_MD ecdsa_md = { - NID_ecdsa_with_SHA1, - NID_ecdsa_with_SHA1, - SHA_DIGEST_LENGTH, -- EVP_MD_FLAG_PKEY_DIGEST, -+ EVP_MD_FLAG_PKEY_DIGEST | EVP_MD_FLAG_FIPS, - init, - update, - final, -diff --git a/crypto/fips/Makefile b/crypto/fips/Makefile -index d5f9ec3..f2802e4 100644 ---- a/crypto/fips/Makefile -+++ b/crypto/fips/Makefile -@@ -24,13 +24,13 @@ LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_se - fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \ - fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ - fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ -- fips_cmac_selftest.c fips_enc.c fips_md.c -+ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c - - LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \ - fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \ - fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \ - fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \ -- fips_cmac_selftest.o fips_enc.o fips_md.o -+ fips_cmac_selftest.o fips_ecdh_selftest.o fips_ecdsa_selftest.o fips_enc.o fips_md.o - - LIBCRYPTO=-L.. -lcrypto - -diff --git a/crypto/fips/fips.h b/crypto/fips/fips.h -index deaa0b5..06836bf 100644 ---- a/crypto/fips/fips.h -+++ b/crypto/fips/fips.h -@@ -93,6 +93,8 @@ extern "C" { - void FIPS_corrupt_dsa(void); - void FIPS_corrupt_dsa_keygen(void); - int FIPS_selftest_dsa(void); -+ int FIPS_selftest_ecdsa(void); -+ int FIPS_selftest_ecdh(void); - void FIPS_corrupt_rng(void); - void FIPS_rng_stick(void); - void FIPS_x931_stick(int onoff); -diff --git a/crypto/fips/fips_post.c b/crypto/fips/fips_post.c -index c5fd889..f410c9e 100644 ---- a/crypto/fips/fips_post.c -+++ b/crypto/fips/fips_post.c -@@ -95,8 +95,12 @@ int FIPS_selftest(void) - rv = 0; - if (!FIPS_selftest_rsa()) - rv = 0; -+ if (!FIPS_selftest_ecdsa()) -+ rv = 0; - if (!FIPS_selftest_dsa()) - rv = 0; -+ if (!FIPS_selftest_ecdh()) -+ rv = 0; - return rv; - } - diff -Nru openssl-1.0.2g/debian/patches/openssl-1.0.2g-fips-md5-allow.patch openssl-1.0.2g/debian/patches/openssl-1.0.2g-fips-md5-allow.patch --- openssl-1.0.2g/debian/patches/openssl-1.0.2g-fips-md5-allow.patch 2016-04-12 20:31:39.000000000 +0000 +++ openssl-1.0.2g/debian/patches/openssl-1.0.2g-fips-md5-allow.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,28 +0,0 @@ -From: Joy Latten -Description: [PATCH 3/6] Allow MD5 for fips. -Bug-Ubuntu: http://bugs.launchpad.net/bugs/1553309 -Forwarded: not-needed -Origin: vendor, http://dl.fedoraproject.org/pub/fedora/linux/development/ - -diff --git a/crypto/md5/md5_dgst.c b/crypto/md5/md5_dgst.c -index 0a28b9b..0c86a49 100644 ---- a/crypto/md5/md5_dgst.c -+++ b/crypto/md5/md5_dgst.c -@@ -72,7 +72,16 @@ const char MD5_version[] = "MD5" OPENSSL_VERSION_PTEXT; - #define INIT_DATA_C (unsigned long)0x98badcfeL - #define INIT_DATA_D (unsigned long)0x10325476L - --nonfips_md_init(MD5) -+int MD5_Init(MD5_CTX *c) -+#ifdef OPENSSL_FIPS -+{ -+ if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL) -+ OpenSSLDie(__FILE__, __LINE__, "Digest MD5 forbidden in FIPS mode!"); -+ return private_MD5_Init(c); -+} -+ -+int private_MD5_Init(MD5_CTX *c) -+#endif - { - memset(c, 0, sizeof(*c)); - c->A = INIT_DATA_A; diff -Nru openssl-1.0.2g/debian/patches/openssl-1.0.2g-fips.patch openssl-1.0.2g/debian/patches/openssl-1.0.2g-fips.patch --- openssl-1.0.2g/debian/patches/openssl-1.0.2g-fips.patch 2016-04-12 20:30:34.000000000 +0000 +++ openssl-1.0.2g/debian/patches/openssl-1.0.2g-fips.patch 2016-04-15 04:56:29.000000000 +0000 @@ -1,15 +1,19 @@ -From: Joy Latten -Description: [PATCH 1/6] Add FIPS 140-2 support and define OPENSSL_FIPS -Bug-Ubuntu: http://bugs.launchpad.net/bugs/1553309 -Forwarded: not-needed -Origin: vendor, http://dl.fedoraproject.org/pub/fedora/linux/development/ ---- -Add fips 140-2 selftest and crypto changes for fips mode. - - adds the required selftest; run on initialization - - define OPENSSL_FIPS via Configure - - add FIPS_mode & FIPS_mode_set for apps to query and/or enable fips mode - - various crypto changes when in fips mode for compliance - Note: Does not enable fips mode since hmac integrity check not included. +commit 5ca3772ed217a5e64070b0bc0124554fde145655 +Author: Joy Latten +Date: Wed Apr 13 16:51:04 2016 -0500 + + From: Joy Latten + Description: [PATCH 1/6] Add FIPS 140-2 support and define OPENSSL_FIPS + Bug-Ubuntu: http://bugs.launchpad.net/bugs/1553309 + Forwarded: not-needed + Origin: vendor, http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/ + --- + Add fips 140-2 selftest and crypto changes for fips mode. + - adds the required selftest; run on initialization + - define OPENSSL_FIPS via Configure + - add FIPS_mode & FIPS_mode_set for apps to query and/or enable fips mode + - various crypto changes when in fips mode for compliance + Note: Does not enable fips mode since hmac integrity check not included. diff --git a/Configure b/Configure index 571aefc..1fcc34e 100755 @@ -613,7 +617,7 @@ {ERR_REASON(DSA_R_MODULUS_TOO_LARGE), "modulus too large"}, {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES), "need new setup values"}, diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c -index 15f3bb4..5847247 100644 +index 15f3bb4..96c4c09 100644 --- a/crypto/dsa/dsa_gen.c +++ b/crypto/dsa/dsa_gen.c @@ -91,6 +91,16 @@ @@ -679,7 +683,7 @@ + BIGNUM *g = NULL, *q = NULL, *p = NULL; + size_t qsize = qbits >> 3; + BN_CTX *ctx = NULL; -+ ++ +# ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { + FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN, FIPS_R_FIPS_SELFTEST_FAILED); @@ -703,19 +707,19 @@ + memcpy(seed, seed_in, seed_len); + else + seed_len = 0; -+ ++ + if ((ctx = BN_CTX_new()) == NULL) + goto err; -+ ++ + BN_CTX_start(ctx); -+ ++ + if (!FIPS_dsa_generate_pq(ctx, bits, qbits, evpmd, + seed, seed_len, &p, &q, counter_ret, cb)) + goto err; -+ ++ + if (!FIPS_dsa_generate_g(ctx, p, q, &g, h_ret, cb)) + goto err; -+ ++ + ok = 1; + err: + if (ok) { @@ -2317,10 +2321,10 @@ EVP_PKEY_CTX_free(pkctx); diff --git a/crypto/fips/Makefile b/crypto/fips/Makefile new file mode 100644 -index 0000000..d5f9ec3 +index 0000000..b997426 --- /dev/null +++ b/crypto/fips/Makefile -@@ -0,0 +1,374 @@ +@@ -0,0 +1,341 @@ +# +# OpenSSL/crypto/fips/Makefile +# @@ -2339,7 +2343,7 @@ +TEST=fips_test_suite.c fips_randtest.c +APPS= + -+#PROGRAM= fips_standalone_hmac ++PROGRAM= fips_standalone_hmac +EXE= $(PROGRAM)$(EXE_EXT) + +LIB=$(TOP)/libcrypto.a @@ -2442,21 +2446,6 @@ +fips_aes_selftest.o: ../../include/openssl/safestack.h +fips_aes_selftest.o: ../../include/openssl/stack.h +fips_aes_selftest.o: ../../include/openssl/symhacks.h fips_aes_selftest.c -+fips_cmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -+fips_cmac_selftest.o: ../../include/openssl/cmac.h -+fips_cmac_selftest.o: ../../include/openssl/crypto.h -+fips_cmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -+fips_cmac_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h -+fips_cmac_selftest.o: ../../include/openssl/lhash.h -+fips_cmac_selftest.o: ../../include/openssl/obj_mac.h -+fips_cmac_selftest.o: ../../include/openssl/objects.h -+fips_cmac_selftest.o: ../../include/openssl/opensslconf.h -+fips_cmac_selftest.o: ../../include/openssl/opensslv.h -+fips_cmac_selftest.o: ../../include/openssl/ossl_typ.h -+fips_cmac_selftest.o: ../../include/openssl/safestack.h -+fips_cmac_selftest.o: ../../include/openssl/stack.h -+fips_cmac_selftest.o: ../../include/openssl/symhacks.h fips_cmac_selftest.c -+fips_cmac_selftest.o: fips_locl.h +fips_des_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h +fips_des_selftest.o: ../../include/openssl/crypto.h +fips_des_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h @@ -2570,15 +2559,6 @@ +fips_dsa_selftest.o: ../../include/openssl/stack.h +fips_dsa_selftest.o: ../../include/openssl/symhacks.h fips_dsa_selftest.c +fips_dsa_selftest.o: fips_locl.h -+fips_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -+fips_enc.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h -+fips_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h -+fips_enc.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h -+fips_enc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h -+fips_enc.o: ../../include/openssl/opensslconf.h -+fips_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h -+fips_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -+fips_enc.o: ../../include/openssl/symhacks.h fips_enc.c +fips_hmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h +fips_hmac_selftest.o: ../../include/openssl/crypto.h +fips_hmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h @@ -2593,15 +2573,6 @@ +fips_hmac_selftest.o: ../../include/openssl/safestack.h +fips_hmac_selftest.o: ../../include/openssl/stack.h +fips_hmac_selftest.o: ../../include/openssl/symhacks.h fips_hmac_selftest.c -+fips_md.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -+fips_md.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h -+fips_md.o: ../../include/openssl/err.h ../../include/openssl/evp.h -+fips_md.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h -+fips_md.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h -+fips_md.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h -+fips_md.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h -+fips_md.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -+fips_md.o: fips_md.c +fips_post.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h +fips_post.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h +fips_post.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h @@ -2697,7 +2668,7 @@ +fips_sha_selftest.o: ../../include/openssl/symhacks.h fips_sha_selftest.c diff --git a/crypto/fips/fips.c b/crypto/fips/fips.c new file mode 100644 -index 0000000..aac1553 +index 0000000..29621c9 --- /dev/null +++ b/crypto/fips/fips.c @@ -0,0 +1,483 @@ @@ -2709,7 +2680,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -3186,7 +3157,7 @@ +#endif diff --git a/crypto/fips/fips.h b/crypto/fips/fips.h new file mode 100644 -index 0000000..deaa0b5 +index 0000000..792781e --- /dev/null +++ b/crypto/fips/fips.h @@ -0,0 +1,278 @@ @@ -3198,7 +3169,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -3470,7 +3441,7 @@ +#endif diff --git a/crypto/fips/fips_aes_selftest.c b/crypto/fips/fips_aes_selftest.c new file mode 100644 -index 0000000..ee2a4f1 +index 0000000..612ca5e --- /dev/null +++ b/crypto/fips/fips_aes_selftest.c @@ -0,0 +1,365 @@ @@ -3482,7 +3453,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -3841,7 +3812,7 @@ +#endif diff --git a/crypto/fips/fips_cmac_selftest.c b/crypto/fips/fips_cmac_selftest.c new file mode 100644 -index 0000000..02b75c3 +index 0000000..9e75ec9 --- /dev/null +++ b/crypto/fips/fips_cmac_selftest.c @@ -0,0 +1,156 @@ @@ -3853,7 +3824,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -3896,11 +3867,11 @@ + +#include +#include ++#include +#include ++#include "fips_locl.h" + +#ifdef OPENSSL_FIPS -+#include -+#include "fips_locl.h" +typedef struct { + int nid; + const unsigned char key[EVP_MAX_KEY_LENGTH]; @@ -4003,7 +3974,7 @@ +#endif diff --git a/crypto/fips/fips_des_selftest.c b/crypto/fips/fips_des_selftest.c new file mode 100644 -index 0000000..191d5b8 +index 0000000..0743904 --- /dev/null +++ b/crypto/fips/fips_des_selftest.c @@ -0,0 +1,138 @@ @@ -4015,7 +3986,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -4147,10 +4118,10 @@ +#endif diff --git a/crypto/fips/fips_drbg_ctr.c b/crypto/fips/fips_drbg_ctr.c new file mode 100644 -index 0000000..749655b +index 0000000..a830b2c --- /dev/null +++ b/crypto/fips/fips_drbg_ctr.c -@@ -0,0 +1,419 @@ +@@ -0,0 +1,415 @@ +/* fips/rand/fips_drbg_ctr.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. @@ -4163,7 +4134,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -4207,9 +4178,6 @@ +#include +#include +#include -+ -+#ifdef OPENSSL_FIPS -+ +#include +#include +#include "fips_rand_lcl.h" @@ -4569,13 +4537,12 @@ + + return 1; +} -+#endif diff --git a/crypto/fips/fips_drbg_hash.c b/crypto/fips/fips_drbg_hash.c new file mode 100644 -index 0000000..93c1f3d +index 0000000..b19420a --- /dev/null +++ b/crypto/fips/fips_drbg_hash.c -@@ -0,0 +1,361 @@ +@@ -0,0 +1,358 @@ +/* fips/rand/fips_drbg_hash.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. @@ -4588,7 +4555,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -4634,8 +4601,6 @@ +#include +#include +#include -+ -+#ifdef OPENSSL_FIPS +#include +#include +#include "fips_rand_lcl.h" @@ -4936,13 +4901,12 @@ + + return 1; +} -+#endif diff --git a/crypto/fips/fips_drbg_hmac.c b/crypto/fips/fips_drbg_hmac.c new file mode 100644 -index 0000000..f9eba4c +index 0000000..105db12 --- /dev/null +++ b/crypto/fips/fips_drbg_hmac.c -@@ -0,0 +1,273 @@ +@@ -0,0 +1,270 @@ +/* fips/rand/fips_drbg_hmac.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. @@ -4955,7 +4919,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -5002,8 +4966,6 @@ +#include +#include +#include -+ -+#ifdef OPENSSL_FIPS +#include +#include +#include "fips_rand_lcl.h" @@ -5215,13 +5177,12 @@ + + return 1; +} -+#endif diff --git a/crypto/fips/fips_drbg_lib.c b/crypto/fips/fips_drbg_lib.c new file mode 100644 -index 0000000..a999b21 +index 0000000..1a71322 --- /dev/null +++ b/crypto/fips/fips_drbg_lib.c -@@ -0,0 +1,556 @@ +@@ -0,0 +1,553 @@ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ @@ -5233,7 +5194,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -5277,8 +5238,6 @@ +#include +#include +#include -+ -+#ifdef OPENSSL_FIPS +#include +#include "fips_locl.h" +#include "fips_rand_lcl.h" @@ -5777,13 +5736,12 @@ + memcpy(dctx->lb, out, dctx->blocklength); + return 1; +} -+#endif diff --git a/crypto/fips/fips_drbg_rand.c b/crypto/fips/fips_drbg_rand.c new file mode 100644 -index 0000000..9cd693c +index 0000000..43600dd --- /dev/null +++ b/crypto/fips/fips_drbg_rand.c -@@ -0,0 +1,169 @@ +@@ -0,0 +1,166 @@ +/* fips/rand/fips_drbg_rand.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. @@ -5796,7 +5754,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -5840,8 +5798,6 @@ +#include +#include +#include -+ -+#ifdef OPENSSL_FIPS +#include +#include +#include "fips_rand_lcl.h" @@ -5952,13 +5908,12 @@ +{ + return &rand_drbg_meth; +} -+#endif diff --git a/crypto/fips/fips_drbg_selftest.c b/crypto/fips/fips_drbg_selftest.c new file mode 100644 -index 0000000..cc4e61a +index 0000000..1397202 --- /dev/null +++ b/crypto/fips/fips_drbg_selftest.c -@@ -0,0 +1,830 @@ +@@ -0,0 +1,827 @@ +/* fips/rand/fips_drbg_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. @@ -5971,7 +5926,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -6015,8 +5970,6 @@ +#include +#include +#include -+ -+#ifdef OPENSSL_FIPS +#include +#include "fips_rand_lcl.h" +#include "fips_locl.h" @@ -6788,10 +6741,9 @@ + FIPS_drbg_free(dctx); + return rv; +} -+#endif diff --git a/crypto/fips/fips_drbg_selftest.h b/crypto/fips/fips_drbg_selftest.h new file mode 100644 -index 0000000..bb28152 +index 0000000..ccc1898 --- /dev/null +++ b/crypto/fips/fips_drbg_selftest.h @@ -0,0 +1,1791 @@ @@ -6803,7 +6755,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -8588,7 +8540,7 @@ +}; diff --git a/crypto/fips/fips_dsa_selftest.c b/crypto/fips/fips_dsa_selftest.c new file mode 100644 -index 0000000..819efcd +index 0000000..4c0da82 --- /dev/null +++ b/crypto/fips/fips_dsa_selftest.c @@ -0,0 +1,192 @@ @@ -8600,7 +8552,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -8644,13 +8596,13 @@ +#include +#include +#include ++#include +#include +#include +#include ++#include "fips_locl.h" + +#ifdef OPENSSL_FIPS -+#include -+#include "fips_locl.h" + +static const unsigned char dsa_test_2048_p[] = { + 0xa8, 0x53, 0x78, 0xd8, 0xfd, 0x3f, 0x8d, 0x72, 0xec, 0x74, 0x18, 0x08, @@ -8786,10 +8738,10 @@ +#endif diff --git a/crypto/fips/fips_enc.c b/crypto/fips/fips_enc.c new file mode 100644 -index 0000000..fa3e6fb +index 0000000..a1427b9 --- /dev/null +++ b/crypto/fips/fips_enc.c -@@ -0,0 +1,192 @@ +@@ -0,0 +1,189 @@ +/* fipe/evp/fips_enc.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. @@ -8797,21 +8749,21 @@ + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. -+ * ++ * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). -+ * ++ * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. -+ * ++ * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: @@ -8826,10 +8778,10 @@ + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). -+ * 4. If you include any Windows specific code (or a derivative thereof) from ++ * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" -+ * ++ * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -8841,7 +8793,7 @@ + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. -+ * ++ * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence @@ -8852,8 +8804,6 @@ +#include +#include +#include -+ -+#ifdef OPENSSL_FIPS +#include + +const EVP_CIPHER *FIPS_get_cipherbynid(int nid) @@ -8981,10 +8931,9 @@ + + } +} -+#endif diff --git a/crypto/fips/fips_hmac_selftest.c b/crypto/fips/fips_hmac_selftest.c new file mode 100644 -index 0000000..3089843 +index 0000000..ca46450 --- /dev/null +++ b/crypto/fips/fips_hmac_selftest.c @@ -0,0 +1,134 @@ @@ -8996,7 +8945,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -9124,7 +9073,7 @@ +#endif diff --git a/crypto/fips/fips_locl.h b/crypto/fips/fips_locl.h new file mode 100644 -index 0000000..3c3d1bb +index 0000000..40f873b --- /dev/null +++ b/crypto/fips/fips_locl.h @@ -0,0 +1,71 @@ @@ -9136,7 +9085,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -9201,10 +9150,10 @@ +#endif diff --git a/crypto/fips/fips_md.c b/crypto/fips/fips_md.c new file mode 100644 -index 0000000..4a8f2e4 +index 0000000..ef3a439 --- /dev/null +++ b/crypto/fips/fips_md.c -@@ -0,0 +1,147 @@ +@@ -0,0 +1,144 @@ +/* fips/evp/fips_md.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. @@ -9212,21 +9161,21 @@ + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. -+ * ++ * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). -+ * ++ * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. -+ * ++ * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: @@ -9241,10 +9190,10 @@ + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). -+ * 4. If you include any Windows specific code (or a derivative thereof) from ++ * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" -+ * ++ * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -9256,7 +9205,7 @@ + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. -+ * ++ * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence @@ -9270,7 +9219,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -9325,8 +9274,6 @@ +#include +#include +#include -+ -+#ifdef OPENSSL_FIPS +#include + +const EVP_MD *FIPS_get_digestbynid(int nid) @@ -9351,10 +9298,9 @@ + return NULL; + } +} -+#endif diff --git a/crypto/fips/fips_post.c b/crypto/fips/fips_post.c new file mode 100644 -index 0000000..c5fd889 +index 0000000..629f5c2 --- /dev/null +++ b/crypto/fips/fips_post.c @@ -0,0 +1,201 @@ @@ -9366,7 +9312,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -9561,7 +9507,7 @@ +#endif diff --git a/crypto/fips/fips_rand.c b/crypto/fips/fips_rand.c new file mode 100644 -index 0000000..74d31f0 +index 0000000..c5060a2 --- /dev/null +++ b/crypto/fips/fips_rand.c @@ -0,0 +1,428 @@ @@ -9573,7 +9519,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -9646,11 +9592,11 @@ +# endif +#endif +#include -+ -+#ifdef OPENSSL_FIPS +#include +#include "fips_locl.h" + ++#ifdef OPENSSL_FIPS ++ +void *OPENSSL_stderr(void); + +# define AES_BLOCK_LENGTH 16 @@ -9995,7 +9941,7 @@ +#endif diff --git a/crypto/fips/fips_rand.h b/crypto/fips/fips_rand.h new file mode 100644 -index 0000000..3b44e7d +index 0000000..e78eb35 --- /dev/null +++ b/crypto/fips/fips_rand.h @@ -0,0 +1,163 @@ @@ -10007,7 +9953,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -10164,7 +10110,7 @@ +#endif diff --git a/crypto/fips/fips_rand_lcl.h b/crypto/fips/fips_rand_lcl.h new file mode 100644 -index 0000000..352803f +index 0000000..0a1d251 --- /dev/null +++ b/crypto/fips/fips_rand_lcl.h @@ -0,0 +1,213 @@ @@ -10180,7 +10126,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -10383,10 +10329,10 @@ +#define M_EVP_MD_size EVP_MD_size diff --git a/crypto/fips/fips_rand_lib.c b/crypto/fips/fips_rand_lib.c new file mode 100644 -index 0000000..a2054a0 +index 0000000..6f2ccc6 --- /dev/null +++ b/crypto/fips/fips_rand_lib.c -@@ -0,0 +1,184 @@ +@@ -0,0 +1,181 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * @@ -10395,7 +10341,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -10439,8 +10385,6 @@ +#include +#include +#include -+ -+#ifdef OPENSSL_FIPS +#include +#include +#include "e_os.h" @@ -10570,10 +10514,9 @@ + } + return 0; +} -+#endif diff --git a/crypto/fips/fips_rand_selftest.c b/crypto/fips/fips_rand_selftest.c new file mode 100644 -index 0000000..4087357 +index 0000000..d88fdf7 --- /dev/null +++ b/crypto/fips/fips_rand_selftest.c @@ -0,0 +1,176 @@ @@ -10585,7 +10528,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -10628,13 +10571,13 @@ + +#include +#include -+#include -+ -+#ifdef OPENSSL_FIPS +#include ++#include +#include +#include "fips_locl.h" + ++#ifdef OPENSSL_FIPS ++ +typedef struct { + unsigned char DT[16]; + unsigned char V[16]; @@ -10755,7 +10698,7 @@ +#endif diff --git a/crypto/fips/fips_randtest.c b/crypto/fips/fips_randtest.c new file mode 100644 -index 0000000..8c4a1fc +index 0000000..283f5bd --- /dev/null +++ b/crypto/fips/fips_randtest.c @@ -0,0 +1,247 @@ @@ -10765,21 +10708,21 @@ + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. -+ * ++ * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). -+ * ++ * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. -+ * ++ * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: @@ -10794,7 +10737,7 @@ + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). -+ * 4. If you include any Windows specific code (or a derivative thereof) from ++ * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * @@ -10809,7 +10752,7 @@ + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. -+ * ++ * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence @@ -10823,7 +10766,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -11008,7 +10951,7 @@ +#endif diff --git a/crypto/fips/fips_rsa_selftest.c b/crypto/fips/fips_rsa_selftest.c new file mode 100644 -index 0000000..3b4af76 +index 0000000..e87fbda --- /dev/null +++ b/crypto/fips/fips_rsa_selftest.c @@ -0,0 +1,444 @@ @@ -11020,7 +10963,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -11458,7 +11401,7 @@ +#endif /* def OPENSSL_FIPS */ diff --git a/crypto/fips/fips_rsa_x931g.c b/crypto/fips/fips_rsa_x931g.c new file mode 100644 -index 0000000..2891dae +index 0000000..c70e272 --- /dev/null +++ b/crypto/fips/fips_rsa_x931g.c @@ -0,0 +1,273 @@ @@ -11469,21 +11412,21 @@ + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. -+ * ++ * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). -+ * ++ * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. -+ * ++ * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: @@ -11498,10 +11441,10 @@ + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). -+ * 4. If you include any Windows specific code (or a derivative thereof) from ++ * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" -+ * ++ * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -11513,7 +11456,7 @@ + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. -+ * ++ * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence @@ -11593,7 +11536,7 @@ + return 2; + } + -+ /* Since both primes are set we can now calculate all remaining ++ /* Since both primes are set we can now calculate all remaining + * components. + */ + @@ -11737,7 +11680,7 @@ +} diff --git a/crypto/fips/fips_sha_selftest.c b/crypto/fips/fips_sha_selftest.c new file mode 100644 -index 0000000..52dda4d +index 0000000..446ddd9 --- /dev/null +++ b/crypto/fips/fips_sha_selftest.c @@ -0,0 +1,145 @@ @@ -11749,7 +11692,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -11888,7 +11831,7 @@ +#endif diff --git a/crypto/fips/fips_standalone_hmac.c b/crypto/fips/fips_standalone_hmac.c new file mode 100644 -index 0000000..0864c48 +index 0000000..ffc3411 --- /dev/null +++ b/crypto/fips/fips_standalone_hmac.c @@ -0,0 +1,268 @@ @@ -11900,7 +11843,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in @@ -12162,10 +12105,10 @@ +} diff --git a/crypto/fips/fips_test_suite.c b/crypto/fips/fips_test_suite.c new file mode 100644 -index 0000000..d86351c +index 0000000..1e4b69c --- /dev/null +++ b/crypto/fips/fips_test_suite.c -@@ -0,0 +1,633 @@ +@@ -0,0 +1,639 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. + * @@ -12205,7 +12148,7 @@ +#else + +# include -+/* # include "fips_utl.h" */ ++# include "fips_utl.h" + +/* AES: encrypt and decrypt known plaintext, verify result matches original plaintext +*/ @@ -12631,11 +12574,6 @@ + return msg; +} + -+static void test_msg(const char *msg, int result) -+{ -+ printf("%s...%s\n", msg, result ? "successful" : Fail("Failed!")); -+} -+ +int main(int argc, char **argv) +{ + @@ -12712,7 +12650,8 @@ + /* Non-Approved cryptographic operation + */ + printf("1. Non-Approved cryptographic operation test...\n"); -+ test_msg("\ta. Included algorithm (D-H)...", dh_test()); ++ printf("\ta. Included algorithm (D-H)..."); ++ printf(dh_test()? "successful\n" : Fail("FAILED!\n")); + + /* Power-up self test + */ @@ -12720,7 +12659,7 @@ + printf("2. Automatic power-up self test..."); + if (!FIPS_mode_set(1)) { + do_print_errors(); -+ printf("%s\n", Fail("FAILED!")); ++ printf(Fail("FAILED!\n")); + exit(1); + } + printf("successful\n"); @@ -12733,65 +12672,75 @@ + + /* AES encryption/decryption + */ -+ test_msg("3. AES encryption/decryption", FIPS_aes_test()); ++ printf("3. AES encryption/decryption..."); ++ printf(FIPS_aes_test()? "successful\n" : Fail("FAILED!\n")); + + /* RSA key generation and encryption/decryption + */ -+ test_msg("4. RSA key generation and encryption/decryption", -+ FIPS_rsa_test(bad_rsa)); ++ printf("4. RSA key generation and encryption/decryption..."); ++ printf(FIPS_rsa_test(bad_rsa) ? "successful\n" : Fail("FAILED!\n")); + + /* DES-CBC encryption/decryption + */ -+ test_msg("5. DES-ECB encryption/decryption", FIPS_des3_test()); ++ printf("5. DES-ECB encryption/decryption..."); ++ printf(FIPS_des3_test()? "successful\n" : Fail("FAILED!\n")); + + /* DSA key generation and signature validation + */ -+ test_msg("6. DSA key generation and signature validation", -+ FIPS_dsa_test(bad_dsa)); ++ printf("6. DSA key generation and signature validation..."); ++ printf(FIPS_dsa_test(bad_dsa) ? "successful\n" : Fail("FAILED!\n")); + + /* SHA-1 hash + */ -+ test_msg("7a. SHA-1 hash", FIPS_sha1_test()); ++ printf("7a. SHA-1 hash..."); ++ printf(FIPS_sha1_test()? "successful\n" : Fail("FAILED!\n")); + + /* SHA-256 hash + */ -+ test_msg("7b. SHA-256 hash", FIPS_sha256_test()); ++ printf("7b. SHA-256 hash..."); ++ printf(FIPS_sha256_test()? "successful\n" : Fail("FAILED!\n")); + + /* SHA-512 hash + */ -+ test_msg("7c. SHA-512 hash", FIPS_sha512_test()); ++ printf("7c. SHA-512 hash..."); ++ printf(FIPS_sha512_test()? "successful\n" : Fail("FAILED!\n")); + + /* HMAC-SHA-1 hash + */ -+ test_msg("7d. HMAC-SHA-1 hash", FIPS_hmac_sha1_test()); ++ printf("7d. HMAC-SHA-1 hash..."); ++ printf(FIPS_hmac_sha1_test()? "successful\n" : Fail("FAILED!\n")); + + /* HMAC-SHA-224 hash + */ -+ test_msg("7e. HMAC-SHA-224 hash", FIPS_hmac_sha224_test()); ++ printf("7e. HMAC-SHA-224 hash..."); ++ printf(FIPS_hmac_sha224_test()? "successful\n" : Fail("FAILED!\n")); + + /* HMAC-SHA-256 hash + */ -+ test_msg("7f. HMAC-SHA-256 hash", FIPS_hmac_sha256_test()); ++ printf("7f. HMAC-SHA-256 hash..."); ++ printf(FIPS_hmac_sha256_test()? "successful\n" : Fail("FAILED!\n")); + + /* HMAC-SHA-384 hash + */ -+ test_msg("7g. HMAC-SHA-384 hash", FIPS_hmac_sha384_test()); ++ printf("7g. HMAC-SHA-384 hash..."); ++ printf(FIPS_hmac_sha384_test()? "successful\n" : Fail("FAILED!\n")); + + /* HMAC-SHA-512 hash + */ -+ test_msg("7h. HMAC-SHA-512 hash", FIPS_hmac_sha512_test()); ++ printf("7h. HMAC-SHA-512 hash..."); ++ printf(FIPS_hmac_sha512_test()? "successful\n" : Fail("FAILED!\n")); + + /* Non-Approved cryptographic operation + */ + printf("8. Non-Approved cryptographic operation test...\n"); -+ printf("\ta. Included algorithm (D-H)...%s\n", -+ dh_test()? "successful as expected\n" ++ printf("\ta. Included algorithm (D-H)..."); ++ printf(dh_test()? "successful as expected\n" + : Fail("failed INCORRECTLY!\n")); + + /* Zeroization + */ -+ printf("9. Zero-ization...\n\t%s\n", -+ Zeroize()? "\tsuccessful as expected" ++ printf("9. Zero-ization...\n"); ++ printf(Zeroize()? "\tsuccessful as expected\n" + : Fail("\tfailed INCORRECTLY!\n")); + + printf("\nAll tests completed with %d errors\n", Error); @@ -13016,10 +12965,10 @@ + OPENSSL_init_library(); +} diff --git a/crypto/opensslconf.h.in b/crypto/opensslconf.h.in -index 7a1c85d..814e4ee 100644 +index 7a1c85d..e86ec45 100644 --- a/crypto/opensslconf.h.in +++ b/crypto/opensslconf.h.in -@@ -1,5 +1,21 @@ +@@ -1,5 +1,20 @@ /* crypto/opensslconf.h.in */ +#ifdef OPENSSL_DOING_MAKEDEPEND @@ -13027,9 +12976,8 @@ +/* Include any symbols here that have to be explicitly set to enable a feature + * that should be visible to makedepend. + * -+ * [Our "make depend" doesn't actually look at this, we use actual build -+ * settings. Instead; we want to make it easy to remove subdirectories with -+ * disabled algorithms.] ++ * [Our "make depend" doesn't actually look at this, we use actual build settings ++ * instead; we want to make it easy to remove subdirectories with disabled algorithms.] + */ + +#ifndef OPENSSL_FIPS @@ -13042,22 +12990,18 @@ #undef I386_ONLY diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c -index 9e0064e..f443cf9 100644 +index 9e0064e..9d6b8b0 100644 --- a/crypto/rand/md_rand.c +++ b/crypto/rand/md_rand.c -@@ -391,7 +391,14 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock) +@@ -391,7 +391,10 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND2); crypto_lock_rand = 1; - if (!initialized) { -+ /* always poll for external entropy in FIPS mode, drbg provides the ++ /* always poll for external entropy in FIPS mode, drbg provides the + * expansion + */ -+#ifdef OPENSSL_FIPS + if (!initialized || FIPS_module_mode()) { -+#else -+ if (!initialized) { -+#endif RAND_poll(); initialized = 1; } @@ -13841,26 +13785,6 @@ { memset(c, 0, sizeof(*c)); return (1); -diff --git a/openssl.ld b/openssl.ld -index 8d40f31..dcbfdac 100644 ---- a/openssl.ld -+++ b/openssl.ld -@@ -4617,5 +4617,15 @@ OPENSSL_1.0.2g { - global: - SRP_VBASE_get1_by_user; - SRP_user_pwd_free; -+ OPENSSL_init_library; -+ private_BF_set_key; -+ private_CAST_set_key; -+ private_idea_set_encrypt_key; -+ private_SEED_set_key; -+ private_RC2_set_key; -+ private_RC4_set_key; -+ private_AES_set_encrypt_key; -+ private_AES_set_decrypt_key; -+ private_Camellia_set_key; - } OPENSSL_1.0.2; - diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c index e6f515f..34c0ab9 100644 --- a/ssl/ssl_algs.c diff -Nru openssl-1.0.2g/debian/patches/openssl-1.0.2g-new-fips-reqs.patch openssl-1.0.2g/debian/patches/openssl-1.0.2g-new-fips-reqs.patch --- openssl-1.0.2g/debian/patches/openssl-1.0.2g-new-fips-reqs.patch 2016-04-12 20:32:42.000000000 +0000 +++ openssl-1.0.2g/debian/patches/openssl-1.0.2g-new-fips-reqs.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,1787 +0,0 @@ -From: Joy Latten -Description: [PATCH 5/6] More fips 140-2 requirements -Bug-Ubuntu: http://bugs.launchpad.net/bugs/1553309 -Forwarded: not-needed -Origin: vendor, https://dl.fedoraproject.org/pub/fedora/linux/development - -diff --git a/crypto/dh/dh.h b/crypto/dh/dh.h -index 7ae5079..cd08b18 100644 ---- a/crypto/dh/dh.h -+++ b/crypto/dh/dh.h -@@ -78,6 +78,7 @@ - # endif - - # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 -+# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048 - - # define DH_FLAG_CACHE_MONT_P 0x01 - -diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c -index 4fcb16b..db9f700 100644 ---- a/crypto/dh/dh_gen.c -+++ b/crypto/dh/dh_gen.c -@@ -128,7 +128,7 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, - return 0; - } - -- if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { -+ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) { - DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL); - goto err; - } -diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h -index 7c78c5a..4abe46c 100644 ---- a/crypto/dsa/dsa.h -+++ b/crypto/dsa/dsa.h -@@ -89,6 +89,7 @@ - # endif - - # define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024 -+# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN (getenv("OPENSSL_ENFORCE_MODULUS_BITS")?2048:1024) - - # define DSA_FLAG_CACHE_MONT_P 0x01 - /* -@@ -251,9 +252,9 @@ int DSAparams_print_fp(FILE *fp, const DSA *x); - int DSA_print_fp(FILE *bp, const DSA *x, int off); - # endif - --# define DSS_prime_checks 50 -+# define DSS_prime_checks 64 - /* -- * Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of -+ * Primality test according to FIPS PUB 186-4, Appendix 2.1: 64 rounds of - * Rabin-Miller - */ - # define DSA_is_prime(n, callback, cb_arg) \ -diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c -index 5847247..cd6a64c 100644 ---- a/crypto/dsa/dsa_gen.c -+++ b/crypto/dsa/dsa_gen.c -@@ -157,9 +157,11 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, - } - - if (FIPS_module_mode() && -- (bits != 1024 || qbits != 160) && -- (bits != 2048 || qbits != 224) && -- (bits != 2048 || qbits != 256) && (bits != 3072 || qbits != 256)) { -+ (getenv("OPENSSL_ENFORCE_MODULUS_BITS") || bits != 1024 -+ || qbits != 160) && (bits != 2048 || qbits != 224) && (bits != 2048 -+ || qbits != -+ 256) -+ && (bits != 3072 || qbits != 256)) { - DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID); - goto err; - } -diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c -index e1307b0..f235fce 100644 ---- a/crypto/dsa/dsa_key.c -+++ b/crypto/dsa/dsa_key.c -@@ -120,7 +120,7 @@ static int dsa_builtin_keygen(DSA *dsa) - - # ifdef OPENSSL_FIPS - if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) -- && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) { -+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN)) { - DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL); - goto err; - } -diff --git a/crypto/fips/Makefile b/crypto/fips/Makefile -index f2802e4..9c48503 100644 ---- a/crypto/fips/Makefile -+++ b/crypto/fips/Makefile -@@ -24,13 +24,15 @@ LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_se - fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \ - fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ - fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ -- fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c -+ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c \ -+ fips_dh_selftest.c - - LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \ - fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \ - fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \ - fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \ -- fips_cmac_selftest.o fips_ecdh_selftest.o fips_ecdsa_selftest.o fips_enc.o fips_md.o -+ fips_cmac_selftest.o fips_ecdh_selftest.o fips_ecdsa_selftest.o fips_enc.o fips_md.o \ -+ fips_dh_selftest.o - - LIBCRYPTO=-L.. -lcrypto - -diff --git a/crypto/fips/fips.c b/crypto/fips/fips.c -index c1cdd2b..07d6ece 100644 ---- a/crypto/fips/fips.c -+++ b/crypto/fips/fips.c -@@ -418,26 +418,24 @@ int FIPS_module_mode_set(int onoff, const char *auth) - ret = 0; - goto end; - } -- OPENSSL_ia32cap_P[0] |= (1 << 28); /* set "shared cache" */ -- OPENSSL_ia32cap_P[1] &= ~(1 << (60 - 32)); /* clear AVX */ - } - # endif - -- if (!verify_checksums()) { -- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, -- FIPS_R_FINGERPRINT_DOES_NOT_MATCH); -+ if (!FIPS_selftest()) { - fips_selftest_fail = 1; - ret = 0; - goto end; - } - -- if (FIPS_selftest()) -- fips_set_mode(onoff); -- else { -+ if (!verify_checksums()) { -+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, -+ FIPS_R_FINGERPRINT_DOES_NOT_MATCH); - fips_selftest_fail = 1; - ret = 0; - goto end; - } -+ -+ fips_set_mode(onoff); - ret = 1; - goto end; - } -diff --git a/crypto/fips/fips.h b/crypto/fips/fips.h -index fcc3e1c..38f0783 100644 ---- a/crypto/fips/fips.h -+++ b/crypto/fips/fips.h -@@ -96,6 +96,7 @@ extern "C" { - int FIPS_selftest_dsa(void); - int FIPS_selftest_ecdsa(void); - int FIPS_selftest_ecdh(void); -+ int FIPS_selftest_dh(void); - void FIPS_corrupt_rng(void); - void FIPS_rng_stick(void); - void FIPS_x931_stick(int onoff); -diff --git a/crypto/fips/fips_dh_selftest.c b/crypto/fips/fips_dh_selftest.c -new file mode 100644 -index 0000000..91fe48d ---- /dev/null -+++ b/crypto/fips/fips_dh_selftest.c -@@ -0,0 +1,162 @@ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * Copyright (c) 2013 Red Hat, Inc. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#ifdef OPENSSL_FIPS -+#include -+#include "fips_locl.h" -+ -+static const unsigned char dh_test_2048_p[] = { -+ 0xAE, 0xEC, 0xEE, 0x22, 0xFA, 0x3A, 0xA5, 0x22, 0xC0, 0xDE, 0x0F, 0x09, -+ 0x7E, 0x17, 0xC0, 0x05, 0xF9, 0xF1, 0xE7, 0xC6, 0x87, 0x14, 0x6D, 0x11, -+ 0xE7, 0xAE, 0xED, 0x2F, 0x72, 0x59, 0xC5, 0xA9, 0x9B, 0xB8, 0x02, 0xA5, -+ 0xF3, 0x69, 0x70, 0xD6, 0xDD, 0x90, 0xF9, 0x19, 0x79, 0xBE, 0x60, 0x8F, -+ 0x25, 0x92, 0x30, 0x1C, 0x51, 0x51, 0x38, 0x26, 0x82, 0x25, 0xE6, 0xFC, -+ 0xED, 0x65, 0x96, 0x8F, 0x57, 0xE5, 0x53, 0x8B, 0x38, 0x63, 0xC7, 0xCE, -+ 0xBC, 0x1B, 0x4D, 0x18, 0x2A, 0x5B, 0x04, 0x3F, 0x6A, 0x3C, 0x94, 0x39, -+ 0xAE, 0x36, 0xD6, 0x5E, 0x0F, 0xA2, 0xCC, 0xD0, 0xD4, 0xD5, 0xC6, 0x1E, -+ 0xF6, 0xA0, 0xF5, 0x89, 0x4E, 0xB4, 0x0B, 0xA4, 0xB3, 0x2B, 0x3D, 0xE2, -+ 0x4E, 0xE1, 0x49, 0x25, 0x99, 0x5F, 0x32, 0x16, 0x33, 0x32, 0x1B, 0x7A, -+ 0xA5, 0x5C, 0x6B, 0x34, 0x0D, 0x39, 0x99, 0xDC, 0xF0, 0x76, 0xE5, 0x5A, -+ 0xD4, 0x71, 0x00, 0xED, 0x5A, 0x73, 0xFB, 0xC8, 0x01, 0xAD, 0x99, 0xCF, -+ 0x99, 0x52, 0x7C, 0x9C, 0x64, 0xC6, 0x76, 0x40, 0x57, 0xAF, 0x59, 0xD7, -+ 0x38, 0x0B, 0x40, 0xDE, 0x33, 0x0D, 0xB8, 0x76, 0xEC, 0xA9, 0xD8, 0x73, -+ 0xF8, 0xEF, 0x26, 0x66, 0x06, 0x27, 0xDD, 0x7C, 0xA4, 0x10, 0x9C, 0xA6, -+ 0xAA, 0xF9, 0x53, 0x62, 0x73, 0x1D, 0xBA, 0x1C, 0xF1, 0x67, 0xF4, 0x35, -+ 0xED, 0x6F, 0x37, 0x92, 0xE8, 0x4F, 0x6C, 0xBA, 0x52, 0x6E, 0xA1, 0xED, -+ 0xDA, 0x9F, 0x85, 0x11, 0x82, 0x52, 0x62, 0x08, 0x44, 0xF1, 0x30, 0x03, -+ 0xC3, 0x38, 0x2C, 0x79, 0xBD, 0xD4, 0x43, 0x45, 0xEE, 0x8E, 0x50, 0xFC, -+ 0x29, 0x46, 0x9A, 0xFE, 0x54, 0x1A, 0x19, 0x8F, 0x4B, 0x84, 0x08, 0xDE, -+ 0x20, 0x62, 0x73, 0xCC, 0xDD, 0x7E, 0xF0, 0xEF, 0xA2, 0xFD, 0x86, 0x58, -+ 0x4B, 0xD8, 0x37, 0xEB -+}; -+ -+static const unsigned char dh_test_2048_g[] = { -+ 0x02 -+}; -+ -+static const unsigned char dh_test_2048_pub_key[] = { -+ 0xA0, 0x39, 0x11, 0x77, 0x9A, 0xC1, 0x30, 0x1F, 0xBE, 0x48, 0xA7, 0xAA, -+ 0xA0, 0x84, 0x54, 0x64, 0xAD, 0x1B, 0x70, 0xFA, 0x13, 0x55, 0x63, 0xD2, -+ 0x1F, 0x62, 0x32, 0x93, 0x8E, 0xC9, 0x3E, 0x09, 0xA7, 0x64, 0xE4, 0x12, -+ 0x6E, 0x1B, 0xF2, 0x92, 0x3B, 0xB9, 0xCB, 0x56, 0xEA, 0x07, 0x88, 0xB5, -+ 0xA6, 0xBC, 0x16, 0x1F, 0x27, 0xFE, 0xD8, 0xAA, 0x40, 0xB2, 0xB0, 0x2D, -+ 0x37, 0x76, 0xA6, 0xA4, 0x82, 0x2C, 0x0E, 0x22, 0x64, 0x9D, 0xCB, 0xD1, -+ 0x00, 0xB7, 0x89, 0x14, 0x72, 0x4E, 0xBE, 0x48, 0x41, 0xF8, 0xB2, 0x51, -+ 0x11, 0x09, 0x4B, 0x22, 0x01, 0x23, 0x39, 0x96, 0xE0, 0x15, 0xD7, 0x9F, -+ 0x60, 0xD1, 0xB7, 0xAE, 0xFE, 0x5F, 0xDB, 0xE7, 0x03, 0x17, 0x97, 0xA6, -+ 0x16, 0x74, 0xBD, 0x53, 0x81, 0x19, 0xC5, 0x47, 0x5E, 0xCE, 0x8D, 0xED, -+ 0x45, 0x5D, 0x3C, 0x00, 0xA0, 0x0A, 0x68, 0x6A, 0xE0, 0x8E, 0x06, 0x46, -+ 0x6F, 0xD7, 0xF9, 0xDF, 0x31, 0x7E, 0x77, 0x44, 0x0D, 0x98, 0xE0, 0xCA, -+ 0x98, 0x09, 0x52, 0x04, 0x90, 0xEA, 0x6D, 0xF4, 0x30, 0x69, 0x8F, 0xB1, -+ 0x9B, 0xC1, 0x43, 0xDB, 0xD5, 0x8D, 0xC8, 0x8E, 0xB6, 0x0B, 0x05, 0xBE, -+ 0x0E, 0xC5, 0x99, 0xC8, 0x6E, 0x4E, 0xF3, 0xCB, 0xC3, 0x5E, 0x9B, 0x53, -+ 0xF7, 0x06, 0x1C, 0x4F, 0xC7, 0xB8, 0x6E, 0x30, 0x18, 0xCA, 0x9B, 0xB9, -+ 0xBC, 0x5F, 0x17, 0x72, 0x29, 0x5A, 0xE5, 0xD9, 0x96, 0xB7, 0x0B, 0xF3, -+ 0x2D, 0x8C, 0xF1, 0xE1, 0x0E, 0x0D, 0x74, 0xD5, 0x9D, 0xF0, 0x06, 0xA9, -+ 0xB4, 0x95, 0x63, 0x76, 0x46, 0x55, 0x48, 0x82, 0x39, 0x90, 0xEF, 0x56, -+ 0x75, 0x34, 0xB8, 0x34, 0xC3, 0x18, 0x6E, 0x1E, 0xAD, 0xE3, 0x48, 0x7E, -+ 0x93, 0x2C, 0x23, 0xE7, 0xF8, 0x90, 0x73, 0xB1, 0x77, 0x80, 0x67, 0xA9, -+ 0x36, 0x9E, 0xDA, 0xD2 -+}; -+ -+static const unsigned char dh_test_2048_priv_key[] = { -+ 0x0C, 0x4B, 0x30, 0x89, 0xD1, 0xB8, 0x62, 0xCB, 0x3C, 0x43, 0x64, 0x91, -+ 0xF0, 0x91, 0x54, 0x70, 0xC5, 0x27, 0x96, 0xE3, 0xAC, 0xBE, 0xE8, 0x00, -+ 0xEC, 0x55, 0xF6, 0xCC -+}; -+ -+int FIPS_selftest_dh() -+{ -+ DH *dh = NULL; -+ int ret = 0; -+ void *pub_key = NULL; -+ int len; -+ -+ dh = DH_new(); -+ -+ if (dh == NULL) -+ goto err; -+ -+ fips_load_key_component(dh, p, dh_test_2048); -+ fips_load_key_component(dh, g, dh_test_2048); -+ /* note that the private key is much shorter than normally used -+ * but still g ** priv_key > p -+ */ -+ fips_load_key_component(dh, priv_key, dh_test_2048); -+ -+ if (DH_generate_key(dh) <= 0) -+ goto err; -+ -+ len = BN_num_bytes(dh->pub_key); -+ if ((pub_key = OPENSSL_malloc(len)) == NULL) -+ goto err; -+ BN_bn2bin(dh->pub_key, pub_key); -+ -+ if (len != sizeof(dh_test_2048_pub_key) || -+ memcmp(pub_key, dh_test_2048_pub_key, len) != 0) -+ goto err; -+ -+ ret = 1; -+ -+ err: -+ if (dh) -+ DH_free(dh); -+ -+ OPENSSL_free(pub_key); -+ return ret; -+} -+#endif -diff --git a/crypto/fips/fips_ecdh_selftest.c b/crypto/fips/fips_ecdh_selftest.c -new file mode 100644 -index 0000000..775fc9f ---- /dev/null -+++ b/crypto/fips/fips_ecdh_selftest.c -@@ -0,0 +1,240 @@ -+/* fips/ecdh/fips_ecdh_selftest.c */ -+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL -+ * project 2011. -+ */ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * ==================================================================== -+ * -+ */ -+ -+#define OPENSSL_FIPSAPI -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#ifdef OPENSSL_FIPS -+#include -+# include "fips_locl.h" -+ -+static const unsigned char p256_qcavsx[] = { -+ 0x52, 0xc6, 0xa5, 0x75, 0xf3, 0x04, 0x98, 0xb3, 0x29, 0x66, 0x0c, 0x62, -+ 0x18, 0x60, 0x55, 0x41, 0x59, 0xd4, 0x60, 0x85, 0x99, 0xc1, 0x51, 0x13, -+ 0x6f, 0x97, 0x85, 0x93, 0x33, 0x34, 0x07, 0x50 -+}; -+ -+static const unsigned char p256_qcavsy[] = { -+ 0x6f, 0x69, 0x24, 0xeb, 0xe9, 0x3b, 0xa7, 0xcc, 0x47, 0x17, 0xaa, 0x3f, -+ 0x70, 0xfc, 0x10, 0x73, 0x0a, 0xcd, 0x21, 0xee, 0x29, 0x19, 0x1f, 0xaf, -+ 0xb4, 0x1c, 0x1e, 0xc2, 0x8e, 0x97, 0x81, 0x6e -+}; -+ -+static const unsigned char p256_qiutx[] = { -+ 0x71, 0x46, 0x88, 0x08, 0x92, 0x21, 0x1b, 0x10, 0x21, 0x74, 0xff, 0x0c, -+ 0x94, 0xde, 0x34, 0x7c, 0x86, 0x74, 0xbe, 0x67, 0x41, 0x68, 0xd4, 0xc1, -+ 0xe5, 0x75, 0x63, 0x9c, 0xa7, 0x46, 0x93, 0x6f -+}; -+ -+static const unsigned char p256_qiuty[] = { -+ 0x33, 0x40, 0xa9, 0x6a, 0xf5, 0x20, 0xb5, 0x9e, 0xfc, 0x60, 0x1a, 0xae, -+ 0x3d, 0xf8, 0x21, 0xd2, 0xa7, 0xca, 0x52, 0x34, 0xb9, 0x5f, 0x27, 0x75, -+ 0x6c, 0x81, 0xbe, 0x32, 0x4d, 0xba, 0xbb, 0xf8 -+}; -+ -+static const unsigned char p256_qiutd[] = { -+ 0x1a, 0x48, 0x55, 0x6b, 0x11, 0xbe, 0x92, 0xd4, 0x1c, 0xd7, 0x45, 0xc3, -+ 0x82, 0x81, 0x51, 0xf1, 0x23, 0x40, 0xb7, 0x83, 0xfd, 0x01, 0x6d, 0xbc, -+ 0xa1, 0x66, 0xaf, 0x0a, 0x03, 0x23, 0xcd, 0xc8 -+}; -+ -+static const unsigned char p256_ziut[] = { -+ 0x77, 0x2a, 0x1e, 0x37, 0xee, 0xe6, 0x51, 0x02, 0x71, 0x40, 0xf8, 0x6a, -+ 0x36, 0xf8, 0x65, 0x61, 0x2b, 0x18, 0x71, 0x82, 0x23, 0xe6, 0xf2, 0x77, -+ 0xce, 0xec, 0xb8, 0x49, 0xc7, 0xbf, 0x36, 0x4f -+}; -+ -+typedef struct { -+ int curve; -+ const unsigned char *x1; -+ size_t x1len; -+ const unsigned char *y1; -+ size_t y1len; -+ const unsigned char *d1; -+ size_t d1len; -+ const unsigned char *x2; -+ size_t x2len; -+ const unsigned char *y2; -+ size_t y2len; -+ const unsigned char *z; -+ size_t zlen; -+} ECDH_SELFTEST_DATA; -+ -+# define make_ecdh_test(nid, pr) { nid, \ -+ pr##_qiutx, sizeof(pr##_qiutx), \ -+ pr##_qiuty, sizeof(pr##_qiuty), \ -+ pr##_qiutd, sizeof(pr##_qiutd), \ -+ pr##_qcavsx, sizeof(pr##_qcavsx), \ -+ pr##_qcavsy, sizeof(pr##_qcavsy), \ -+ pr##_ziut, sizeof(pr##_ziut) } -+ -+static ECDH_SELFTEST_DATA test_ecdh_data[] = { -+ make_ecdh_test(NID_X9_62_prime256v1, p256), -+}; -+ -+int FIPS_selftest_ecdh(void) -+{ -+ EC_KEY *ec1 = NULL, *ec2 = NULL; -+ const EC_POINT *ecp = NULL; -+ BIGNUM *x = NULL, *y = NULL, *d = NULL; -+ unsigned char *ztmp = NULL; -+ int rv = 1; -+ size_t i; -+ -+ for (i = 0; i < sizeof(test_ecdh_data) / sizeof(ECDH_SELFTEST_DATA); i++) { -+ ECDH_SELFTEST_DATA *ecd = test_ecdh_data + i; -+ if (!fips_post_started(FIPS_TEST_ECDH, ecd->curve, 0)) -+ continue; -+ ztmp = OPENSSL_malloc(ecd->zlen); -+ -+ x = BN_bin2bn(ecd->x1, ecd->x1len, x); -+ y = BN_bin2bn(ecd->y1, ecd->y1len, y); -+ d = BN_bin2bn(ecd->d1, ecd->d1len, d); -+ -+ if (!x || !y || !d || !ztmp) { -+ rv = -1; -+ goto err; -+ } -+ -+ ec1 = EC_KEY_new_by_curve_name(ecd->curve); -+ if (!ec1) { -+ rv = -1; -+ goto err; -+ } -+ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH); -+ -+ if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) { -+ rv = -1; -+ goto err; -+ } -+ -+ if (!EC_KEY_set_private_key(ec1, d)) { -+ rv = -1; -+ goto err; -+ } -+ -+ x = BN_bin2bn(ecd->x2, ecd->x2len, x); -+ y = BN_bin2bn(ecd->y2, ecd->y2len, y); -+ -+ if (!x || !y) { -+ rv = -1; -+ goto err; -+ } -+ -+ ec2 = EC_KEY_new_by_curve_name(ecd->curve); -+ if (!ec2) { -+ rv = -1; -+ goto err; -+ } -+ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH); -+ -+ if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) { -+ rv = -1; -+ goto err; -+ } -+ -+ ecp = EC_KEY_get0_public_key(ec2); -+ if (!ecp) { -+ rv = -1; -+ goto err; -+ } -+ -+ if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) { -+ rv = -1; -+ goto err; -+ } -+ -+ if (!fips_post_corrupt(FIPS_TEST_ECDH, ecd->curve, NULL)) -+ ztmp[0] ^= 0x1; -+ -+ if (memcmp(ztmp, ecd->z, ecd->zlen)) { -+ rv = 0; -+ } else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0)) -+ goto err; -+ -+ EC_KEY_free(ec1); -+ ec1 = NULL; -+ EC_KEY_free(ec2); -+ ec2 = NULL; -+ OPENSSL_free(ztmp); -+ ztmp = NULL; -+ } -+ -+ err: -+ -+ if (x) -+ BN_clear_free(x); -+ if (y) -+ BN_clear_free(y); -+ if (d) -+ BN_clear_free(d); -+ if (ec1) -+ EC_KEY_free(ec1); -+ if (ec2) -+ EC_KEY_free(ec2); -+ if (ztmp) -+ OPENSSL_free(ztmp); -+ -+ return rv; -+ -+} -+ -+#endif -diff --git a/crypto/fips/fips_ecdsa_selftest.c b/crypto/fips/fips_ecdsa_selftest.c -new file mode 100644 -index 0000000..3fd35ae ---- /dev/null -+++ b/crypto/fips/fips_ecdsa_selftest.c -@@ -0,0 +1,165 @@ -+/* fips/ecdsa/fips_ecdsa_selftest.c */ -+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL -+ * project 2011. -+ */ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * ==================================================================== -+ * -+ */ -+ -+#define OPENSSL_FIPSAPI -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#ifdef OPENSSL_FIPS -+#include -+ -+static const char P_256_name[] = "ECDSA P-256"; -+ -+static const unsigned char P_256_d[] = { -+ 0x51, 0xbd, 0x06, 0xa1, 0x1c, 0xda, 0xe2, 0x12, 0x99, 0xc9, 0x52, 0x3f, -+ 0xea, 0xa4, 0xd2, 0xd1, 0xf4, 0x7f, 0xd4, 0x3e, 0xbd, 0xf8, 0xfc, 0x87, -+ 0xdc, 0x82, 0x53, 0x21, 0xee, 0xa0, 0xdc, 0x64 -+}; -+ -+static const unsigned char P_256_qx[] = { -+ 0x23, 0x89, 0xe0, 0xf4, 0x69, 0xe0, 0x49, 0xe5, 0xc7, 0xe5, 0x40, 0x6e, -+ 0x8f, 0x25, 0xdd, 0xad, 0x11, 0x16, 0x14, 0x9b, 0xab, 0x44, 0x06, 0x31, -+ 0xbf, 0x5e, 0xa6, 0x44, 0xac, 0x86, 0x00, 0x07 -+}; -+ -+static const unsigned char P_256_qy[] = { -+ 0xb3, 0x05, 0x0d, 0xd0, 0xdc, 0xf7, 0x40, 0xe6, 0xf9, 0xd8, 0x6d, 0x7b, -+ 0x63, 0xca, 0x97, 0xe6, 0x12, 0xf9, 0xd4, 0x18, 0x59, 0xbe, 0xb2, 0x5e, -+ 0x4a, 0x6a, 0x77, 0x23, 0xf4, 0x11, 0x9d, 0xeb -+}; -+ -+typedef struct { -+ int curve; -+ const char *name; -+ const unsigned char *x; -+ size_t xlen; -+ const unsigned char *y; -+ size_t ylen; -+ const unsigned char *d; -+ size_t dlen; -+} EC_SELFTEST_DATA; -+ -+# define make_ecdsa_test(nid, pr) { nid, pr##_name, \ -+ pr##_qx, sizeof(pr##_qx), \ -+ pr##_qy, sizeof(pr##_qy), \ -+ pr##_d, sizeof(pr##_d)} -+ -+static EC_SELFTEST_DATA test_ec_data[] = { -+ make_ecdsa_test(NID_X9_62_prime256v1, P_256), -+}; -+ -+int FIPS_selftest_ecdsa() -+{ -+ EC_KEY *ec = NULL; -+ BIGNUM *x = NULL, *y = NULL, *d = NULL; -+ EVP_PKEY *pk = NULL; -+ int rv = 0; -+ size_t i; -+ -+ for (i = 0; i < sizeof(test_ec_data) / sizeof(EC_SELFTEST_DATA); i++) { -+ EC_SELFTEST_DATA *ecd = test_ec_data + i; -+ -+ x = BN_bin2bn(ecd->x, ecd->xlen, x); -+ y = BN_bin2bn(ecd->y, ecd->ylen, y); -+ d = BN_bin2bn(ecd->d, ecd->dlen, d); -+ -+ if (!x || !y || !d) -+ goto err; -+ -+ ec = EC_KEY_new_by_curve_name(ecd->curve); -+ if (!ec) -+ goto err; -+ -+ if (!EC_KEY_set_public_key_affine_coordinates(ec, x, y)) -+ goto err; -+ -+ if (!EC_KEY_set_private_key(ec, d)) -+ goto err; -+ -+ if ((pk = EVP_PKEY_new()) == NULL) -+ goto err; -+ -+ EVP_PKEY_assign_EC_KEY(pk, ec); -+ -+ if (!fips_pkey_signature_test(pk, NULL, 0, -+ NULL, 0, EVP_sha256(), 0, ecd->name)) -+ goto err; -+ } -+ -+ rv = 1; -+ -+ err: -+ -+ if (x) -+ BN_clear_free(x); -+ if (y) -+ BN_clear_free(y); -+ if (d) -+ BN_clear_free(d); -+ if (pk) -+ EVP_PKEY_free(pk); -+ else if (ec) -+ EC_KEY_free(ec); -+ -+ return rv; -+ -+} -+ -+#endif -diff --git a/crypto/fips/fips_post.c b/crypto/fips/fips_post.c -index f410c9e..de1dd4d 100644 ---- a/crypto/fips/fips_post.c -+++ b/crypto/fips/fips_post.c -@@ -99,6 +99,8 @@ int FIPS_selftest(void) - rv = 0; - if (!FIPS_selftest_dsa()) - rv = 0; -+ if (!FIPS_selftest_dh()) -+ rv = 0; - if (!FIPS_selftest_ecdh()) - rv = 0; - return rv; -diff --git a/crypto/fips/fips_rsa_selftest.c b/crypto/fips/fips_rsa_selftest.c -index 3b4af76..d625c05 100644 ---- a/crypto/fips/fips_rsa_selftest.c -+++ b/crypto/fips/fips_rsa_selftest.c -@@ -60,68 +60,107 @@ - #ifdef OPENSSL_FIPS - - static const unsigned char n[] = -- "\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71" -- "\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5" -- "\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD" -- "\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80" -- "\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25" -- "\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39" -- "\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68" -- "\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD" "\xCB"; -+ "\x00\xc9\xd5\x6d\x9d\x90\xdb\x43\xd6\x02\xed\x96\x88\x13\x8a" -+ "\xb2\xbf\x6e\xa1\x06\x10\xb2\x78\x37\xa7\x14\xa8\xff\xdd\x00" -+ "\xdd\xb4\x93\xa0\x45\xcc\x96\x90\xed\xad\xa9\xdd\xc4\xd6\xca" -+ "\x0c\xf0\xed\x4f\x72\x5e\x21\x49\x9a\x18\x12\x15\x8f\x90\x5a" -+ "\xdb\xb6\x33\x99\xa3\xe6\xb4\xf0\xc4\x97\x21\x26\xbb\xe3\xba" -+ "\xf2\xff\xa0\x72\xda\x89\x63\x8e\x8b\x3e\x08\x9d\x92\x2a\xbe" -+ "\x16\xe1\x43\x15\xfc\x57\xc7\x1f\x09\x11\x67\x1c\xa9\x96\xd1" -+ "\x8b\x3e\x80\x93\xc1\x59\xd0\x6d\x39\xf2\xac\x95\xcc\x10\x75" -+ "\xe9\x31\x24\xd1\x43\xaf\x68\x52\x4b\xe7\x16\xd7\x49\x65\x6f" -+ "\x26\xc0\x86\xad\xc0\x07\x0a\xc1\xe1\x2f\x87\x85\x86\x3b\xdc" -+ "\x5a\x99\xbe\xe9\xf9\xb9\xe9\x82\x27\x51\x04\x15\xab\x06\x0e" -+ "\x76\x5a\x28\x8d\x92\xbd\xc5\xb5\x7b\xa8\xdf\x4e\x47\xa2\xc1" -+ "\xe7\x52\xbf\x47\xf7\x62\xe0\x3a\x6f\x4d\x6a\x4d\x4e\xd4\xb9" -+ "\x59\x69\xfa\xb2\x14\xc1\xee\xe6\x2f\x95\xcd\x94\x72\xae\xe4" -+ "\xdb\x18\x9a\xc4\xcd\x70\xbd\xee\x31\x16\xb7\x49\x65\xac\x40" -+ "\x19\x0e\xb5\x6d\x83\xf1\x36\xbb\x08\x2f\x2e\x4e\x92\x62\xa4" -+ "\xff\x50\xdb\x20\x45\xa2\xeb\x16\x7a\xf2\xd5\x28\xc1\xfd\x4e" "\x03\x71"; - - static int corrupt_rsa; - - static int setrsakey(RSA *key) - { -- static const unsigned char e[] = "\x11"; -+ static const unsigned char e[] = "\x01\x00\x01"; - - static const unsigned char d[] = -- "\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD" -- "\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41" -- "\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69" -- "\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA" -- "\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94" -- "\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A" -- "\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94" -- "\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3" -- "\xC1"; -+ "\x36\x27\x3d\xb1\xf9\x1b\xdb\xa7\xa0\x41\x7f\x12\x23\xac\x23" -+ "\x29\x99\xd5\x3a\x7b\x60\x67\x41\x07\x63\x53\xb4\xd2\xe7\x58" -+ "\x95\x0a\xc7\x05\xf3\x4e\xb2\xb4\x12\xd4\x70\xdc\x4f\x85\x06" -+ "\xd3\xdd\xd8\x63\x27\x3e\x67\x31\x21\x24\x39\x04\xbc\x06\xa4" -+ "\xcc\xce\x2b\x7a\xfe\x7b\xad\xde\x11\x6e\xa3\xa5\xe6\x04\x53" -+ "\x0e\xa3\x4e\x2d\xb4\x8f\x31\xbf\xca\x75\x25\x52\x02\x85\xde" -+ "\x3d\xb2\x72\x43\xb2\x89\x8a\x9a\x34\x41\x26\x3f\x9a\x67\xbe" -+ "\xa4\x96\x7b\x0e\x75\xba\xa6\x93\xd5\xb8\xd8\xb8\x57\xf2\x4b" -+ "\x0f\x14\x81\xd1\x57\x4e\xf6\x45\x4c\xa6\x3b\xd0\x70\xca\xd3" -+ "\x9d\x55\xde\x22\x05\xe7\x8e\x28\x4d\xee\x11\xcf\xb6\x67\x76" -+ "\x09\xd3\xe3\x3c\x13\xf9\x99\x34\x10\x7b\xec\x81\x38\xf0\xb6" -+ "\x34\x9c\x9b\x50\x6f\x0b\x91\x81\x4d\x89\x94\x04\x7b\xf0\x3c" -+ "\xf4\xb1\xb2\x00\x48\x8d\x5a\x8f\x88\x9e\xc5\xab\x3a\x9e\x44" -+ "\x3f\x54\xe7\xd9\x6e\x47\xaa\xa1\xbd\x40\x46\x31\xf9\xf0\x34" -+ "\xb6\x04\xe1\x2b\x5b\x73\x86\xdd\x3a\x92\x1b\x71\xc7\x3f\x32" -+ "\xe5\xc3\xc2\xab\xa1\x7e\xbf\xa4\x52\xa0\xb0\x68\x90\xd1\x20" -+ "\x12\x79\xe9\xd7\xc9\x40\xba\xf2\x19\xc7\xa5\x00\x92\x86\x0d" "\x01"; - - static const unsigned char p[] = -- "\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60" -- "\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6" -- "\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A" -- "\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65" -- "\x99"; -+ "\x00\xfc\x5c\x6e\x16\xce\x1f\x03\x7b\xcd\xf7\xb3\x72\xb2\x8f" -+ "\x16\x72\xb8\x56\xae\xf7\xcd\x67\xd8\x4e\x7d\x07\xaf\xd5\x43" -+ "\x26\xc3\x35\xbe\x43\x8f\x4e\x2f\x1c\x43\x4e\x6b\xd2\xb2\xec" -+ "\x52\x6d\x97\x52\x2b\xcc\x5c\x3a\x6b\xf4\x14\xc6\x74\xda\x66" -+ "\x38\x1c\x7a\x3f\x84\x2f\xe3\xf9\x5a\xb8\x65\x69\x46\x06\xa3" -+ "\x37\x79\xb2\xa1\x5b\x58\xed\x5e\xa7\x5f\x8c\x65\x66\xbb\xd1" -+ "\x24\x36\xe6\x37\xa7\x3d\x49\x77\x8a\x8c\x34\xd8\x69\x29\xf3" -+ "\x4d\x58\x22\xb0\x51\x24\xb6\x40\xa8\x86\x59\x0a\xb7\xba\x5c" -+ "\x97\xda\x57\xe8\x36\xda\x7a\x9c\xad"; - - static const unsigned char q[] = -- "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" -- "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D" -- "\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5" -- "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15" -- "\x03"; -+ "\x00\xcc\xbe\x7b\x09\x69\x06\xee\x45\xbf\x88\x47\x38\xa8\xf8" -+ "\x17\xe5\xb6\xba\x67\x55\xe3\xe8\x05\x8b\xb8\xe2\x53\xd6\x8e" -+ "\xef\x2c\xe7\x4f\x4a\xf7\x4e\x26\x8d\x85\x0b\x3f\xec\xc3\x1c" -+ "\xd4\xeb\xec\x6a\xc8\x72\x2a\x25\x7d\xfd\xa6\x77\x96\xf0\x1e" -+ "\xcd\x28\x57\xf8\x37\x30\x75\x6b\xbd\xd4\x7b\x0c\x87\xc5\x6c" -+ "\x87\x40\xa5\xbb\x27\x2c\x78\xc9\x74\x5a\x54\x5b\x0b\x30\x6f" -+ "\x44\x4a\xfa\x71\xe4\x21\x61\x66\xf9\xee\x65\xde\x7c\x04\xd7" -+ "\xfd\xa9\x15\x5b\x7f\xe2\x7a\xba\x69\x86\x72\xa6\x06\x8d\x9b" -+ "\x90\x55\x60\x9e\x4c\x5d\xa9\xb6\x55"; - - static const unsigned char dmp1[] = -- "\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A" -- "\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E" -- "\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E" -- "\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81"; -+ "\x7a\xd6\x12\xd0\x0e\xec\x91\xa9\x85\x8b\xf8\x50\xf0\x11\x2e" -+ "\x00\x11\x32\x40\x60\x66\x1f\x11\xee\xc2\x75\x27\x65\x4b\x16" -+ "\x67\x16\x95\xd2\x14\xc3\x1d\xb3\x48\x1f\xb7\xe4\x0b\x2b\x74" -+ "\xc3\xdb\x50\x27\xf9\x85\x3a\xfa\xa9\x08\x23\xc1\x65\x3d\x34" -+ "\x3a\xc8\x56\x7a\x65\x45\x36\x6e\xae\x2a\xce\x9f\x43\x43\xd7" -+ "\x10\xe9\x9e\x18\xf4\xa4\x35\xda\x8a\x6b\xb0\x3f\xdd\x53\xe3" -+ "\xa8\xc5\x4e\x79\x9d\x1f\x51\x8c\xa2\xca\x66\x3c\x6a\x2a\xff" -+ "\x8e\xd2\xf3\xb7\xcb\x82\xda\xde\x2c\xe6\xd2\x8c\xb3\xad\xb6" -+ "\x4c\x95\x55\x76\xbd\xc9\xc8\xd1"; - - static const unsigned char dmq1[] = -- "\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9" -- "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7" -- "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D" -- "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D"; -+ "\x00\x83\x23\x1d\xbb\x11\x42\x17\x2b\x25\x5a\x2c\x03\xe6\x75" -+ "\xc1\x18\xa8\xc9\x0b\x96\xbf\xba\xc4\x92\x91\x80\xa5\x22\x2f" -+ "\xba\x91\x90\x36\x01\x56\x15\x00\x2c\x74\xa2\x97\xf7\x15\xa1" -+ "\x49\xdf\x32\x35\xd2\xdd\x0c\x91\xa6\xf8\xe7\xbe\x81\x36\x9b" -+ "\x03\xdc\x6b\x3b\xd8\x5d\x79\x57\xe0\xe6\x4f\x49\xdf\x4c\x5c" -+ "\x0e\xe5\x21\x41\x95\xfd\xad\xff\x9a\x3e\xa0\xf9\x0f\x59\x9e" -+ "\x6a\xa7\x7b\x71\xa7\x24\x9a\x36\x52\xae\x97\x20\xc1\x5e\x78" -+ "\xd9\x47\x8b\x1e\x67\xf2\xaf\x98\xe6\x2d\xef\x10\xd7\xf1\xab" -+ "\x49\xee\xe5\x4b\x7e\xae\x1f\x1d\x61"; - - static const unsigned char iqmp[] = -- "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23" -- "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11" -- "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E" -- "\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39" -- "\xF7"; -+ "\x23\x96\xc1\x91\x17\x5e\x0a\x83\xd2\xdc\x7b\x69\xb2\x59\x1d" -+ "\x33\x58\x52\x3f\x18\xc7\x09\x50\x1c\xb9\xa1\xbb\x4c\xa2\x38" -+ "\x40\x4c\x9a\x8e\xfe\x9c\x90\x92\xd0\x71\x9f\x89\x99\x50\x91" -+ "\x1f\x34\x8b\x74\x53\x11\x11\x4a\x70\xe2\xf7\x30\xd8\x8c\x80" -+ "\xe1\xcc\x9f\xf1\x63\x17\x1a\x7d\x67\x29\x4c\xcb\x4e\x74\x7b" -+ "\xe0\x3e\x9e\x2f\xf4\x67\x8f\xec\xb9\x5c\x00\x1e\x7e\xa2\x7b" -+ "\x92\xc9\x6f\x4c\xe4\x0e\xf9\x48\x63\xcd\x50\x22\x5d\xbf\xb6" -+ "\x9d\x01\x33\x6a\xf4\x50\xbe\x86\x98\x4f\xca\x3f\x3a\xfa\xcf" -+ "\x07\x40\xc4\xaa\xad\xae\xbe\xbf"; - - key->n = BN_bin2bn(n, sizeof(n) - 1, key->n); - if (corrupt_rsa) -- BN_set_bit(key->n, 1024); -+ BN_set_bit(key->n, 2048); - key->e = BN_bin2bn(e, sizeof(e) - 1, key->e); - key->d = BN_bin2bn(d, sizeof(d) - 1, key->d); - key->p = BN_bin2bn(p, sizeof(p) - 1, key->p); -@@ -145,200 +184,292 @@ static const unsigned char kat_tbs[] = - "OpenSSL FIPS 140-2 Public Key RSA KAT"; - - static const unsigned char kat_RSA_PSS_SHA1[] = { -- 0x2D, 0xAF, 0x6E, 0xC2, 0x98, 0xFB, 0x8A, 0xA1, 0xB9, 0x46, 0xDA, 0x0F, -- 0x01, 0x1E, 0x37, 0x93, 0xC2, 0x55, 0x27, 0xE4, 0x1D, 0xD2, 0x90, 0xBB, -- 0xF4, 0xBF, 0x4A, 0x74, 0x39, 0x51, 0xBB, 0xE8, 0x0C, 0xB7, 0xF8, 0xD3, -- 0xD1, 0xDF, 0xE7, 0xBE, 0x80, 0x05, 0xC3, 0xB5, 0xC7, 0x83, 0xD5, 0x4C, -- 0x7F, 0x49, 0xFB, 0x3F, 0x29, 0x9B, 0xE1, 0x12, 0x51, 0x60, 0xD0, 0xA7, -- 0x0D, 0xA9, 0x28, 0x56, 0x73, 0xD9, 0x07, 0xE3, 0x5E, 0x3F, 0x9B, 0xF5, -- 0xB6, 0xF3, 0xF2, 0x5E, 0x74, 0xC9, 0x83, 0x81, 0x47, 0xF0, 0xC5, 0x45, -- 0x0A, 0xE9, 0x8E, 0x38, 0xD7, 0x18, 0xC6, 0x2A, 0x0F, 0xF8, 0xB7, 0x31, -- 0xD6, 0x55, 0xE4, 0x66, 0x78, 0x81, 0xD4, 0xE6, 0xDB, 0x9F, 0xBA, 0xE8, -- 0x23, 0xB5, 0x7F, 0xDC, 0x08, 0xEA, 0xD5, 0x26, 0x1E, 0x20, 0x25, 0x84, -- 0x26, 0xC6, 0x79, 0xC9, 0x9B, 0x3D, 0x7E, 0xA9 -+ 0xC2, 0x80, 0x82, 0x56, 0xD8, 0xA7, 0xB2, 0x9C, 0xF5, 0xD6, 0x3C, 0xE3, -+ 0xBF, 0xE9, 0x3A, 0x53, 0x40, 0xAE, 0xF2, 0xA9, 0x6A, 0x39, 0x49, 0x5B, -+ 0x05, 0x7F, 0x67, 0x38, 0x2E, 0x1D, 0xE1, 0x93, 0x22, 0x65, 0x79, 0x84, -+ 0x68, 0xFA, 0xD8, 0xAF, 0xA1, 0x98, 0x61, 0x6F, 0x44, 0x27, 0xA6, 0x8B, -+ 0xCF, 0x0E, 0x13, 0xA9, 0xCE, 0xD7, 0x6C, 0xD2, 0x38, 0xB5, 0x16, 0xB9, -+ 0x66, 0x94, 0x48, 0xDE, 0x9E, 0x19, 0x3D, 0x6F, 0xB3, 0xA1, 0x9A, 0x19, -+ 0xDF, 0xFB, 0xAB, 0xA5, 0x9F, 0x38, 0xDA, 0xC9, 0x21, 0x8F, 0xCE, 0x98, -+ 0x01, 0x3A, 0xC8, 0xE0, 0xDF, 0xDA, 0xFC, 0xF0, 0xA6, 0x86, 0x29, 0xB5, -+ 0x7F, 0x61, 0xFB, 0xBA, 0xC5, 0x49, 0xB2, 0x7C, 0x6A, 0x26, 0x82, 0xC4, -+ 0x8F, 0xAA, 0x5B, 0x10, 0xD5, 0xEE, 0xA0, 0x55, 0x42, 0xEF, 0x32, 0x5A, -+ 0x3F, 0x55, 0xB3, 0x2C, 0x22, 0xE9, 0x65, 0xDA, 0x8D, 0x0A, 0xB9, 0x70, -+ 0x43, 0xCC, 0x3F, 0x64, 0x9C, 0xB5, 0x65, 0x49, 0xBD, 0x7F, 0x35, 0xC1, -+ 0x20, 0x85, 0x24, 0xFE, 0xAA, 0x6B, 0x37, 0x04, 0xA1, 0x0E, 0x9D, 0x5C, -+ 0xBA, 0x7F, 0x14, 0x69, 0xC5, 0x93, 0xB2, 0x33, 0xC2, 0xC0, 0xC7, 0xDF, -+ 0x7E, 0x9E, 0xA4, 0xB0, 0xA0, 0x64, 0xD2, 0xAC, 0xFC, 0xFD, 0xFD, 0x99, -+ 0x8F, 0x6A, 0x40, 0x26, 0xC1, 0x2E, 0x4E, 0x8B, 0x33, 0xBE, 0xF1, 0x45, -+ 0x59, 0x8F, 0x33, 0x40, 0x1D, 0x2A, 0xD2, 0xF7, 0x50, 0x83, 0x89, 0xCF, -+ 0x94, 0xC6, 0xF8, 0x36, 0xF0, 0x84, 0x0B, 0x85, 0xA5, 0x02, 0xA9, 0x0F, -+ 0x41, 0x7A, 0x77, 0xA3, 0x2F, 0x47, 0x1E, 0x1D, 0xEC, 0xE6, 0xD3, 0x01, -+ 0x1E, 0x6F, 0x7A, 0x96, 0x50, 0x37, 0x37, 0x4B, 0x27, 0x52, 0x0B, 0xDC, -+ 0xDB, 0xC7, 0xA9, 0x31, 0xB2, 0x40, 0xEE, 0x60, 0x41, 0x26, 0x6A, 0x05, -+ 0xCE, 0x08, 0x1D, 0x89 - }; - - static const unsigned char kat_RSA_PSS_SHA224[] = { -- 0x39, 0x4A, 0x6A, 0x20, 0xBC, 0xE9, 0x33, 0xED, 0xEF, 0xC5, 0x58, 0xA7, -- 0xFE, 0x81, 0xC4, 0x36, 0x50, 0x9A, 0x2C, 0x82, 0x98, 0x08, 0x95, 0xFA, -- 0xB1, 0x9E, 0xD2, 0x55, 0x61, 0x87, 0x21, 0x59, 0x87, 0x7B, 0x1F, 0x57, -- 0x30, 0x9D, 0x0D, 0x4A, 0x06, 0xEB, 0x52, 0x37, 0x55, 0x54, 0x1C, 0x89, -- 0x83, 0x75, 0x59, 0x65, 0x64, 0x90, 0x2E, 0x16, 0xCC, 0x86, 0x05, 0xEE, -- 0xB1, 0xE6, 0x7B, 0xBA, 0x16, 0x75, 0x0D, 0x0C, 0x64, 0x0B, 0xAB, 0x22, -- 0x15, 0x78, 0x6B, 0x6F, 0xA4, 0xFB, 0x77, 0x40, 0x64, 0x62, 0xD1, 0xB5, -- 0x37, 0x1E, 0xE0, 0x3D, 0xA8, 0xF9, 0xD2, 0xBD, 0xAA, 0x38, 0x24, 0x49, -- 0x58, 0xD2, 0x74, 0x85, 0xF4, 0xB5, 0x93, 0x8E, 0xF5, 0x03, 0xEA, 0x2D, -- 0xC8, 0x52, 0xFA, 0xCF, 0x7E, 0x35, 0xB0, 0x6A, 0xAF, 0x95, 0xC0, 0x00, -- 0x54, 0x76, 0x3D, 0x0C, 0x9C, 0xB2, 0xEE, 0xC0 -+ 0xB4, 0x01, 0x93, 0x16, 0x05, 0xF6, 0xEB, 0xE2, 0xA4, 0xEB, 0x48, 0xAA, -+ 0x00, 0xF4, 0xA1, 0x99, 0x0A, 0xB4, 0xB6, 0x63, 0xE9, 0x68, 0xCA, 0xB3, -+ 0x13, 0xD7, 0x66, 0x6A, 0xCD, 0xCB, 0x33, 0x9F, 0xE5, 0x84, 0xE2, 0xC3, -+ 0x0B, 0x53, 0xE5, 0x8B, 0x96, 0x4B, 0xDB, 0x2D, 0x80, 0xA4, 0x1D, 0xE3, -+ 0x81, 0xDC, 0x52, 0x99, 0xBA, 0x9B, 0x6A, 0x9D, 0x48, 0x1F, 0x73, 0xF7, -+ 0xAC, 0x09, 0x13, 0xA1, 0x16, 0x2C, 0x60, 0xFB, 0xBC, 0x25, 0xF7, 0x53, -+ 0xD1, 0x04, 0x5A, 0x3F, 0x95, 0x09, 0x5E, 0xE5, 0xA2, 0x7D, 0xFC, 0x2A, -+ 0x51, 0x1D, 0x21, 0xCE, 0x2B, 0x4E, 0x1B, 0xB8, 0xCB, 0xDD, 0x24, 0xEE, -+ 0x99, 0x1D, 0x37, 0xDC, 0xED, 0x5F, 0x2F, 0x48, 0x5E, 0x33, 0x94, 0x06, -+ 0x19, 0xCD, 0x5A, 0x26, 0x85, 0x77, 0x9D, 0xAF, 0x86, 0x97, 0xC9, 0x08, -+ 0xD5, 0x81, 0x0E, 0xB8, 0x9F, 0xB6, 0xAF, 0x20, 0x72, 0xDC, 0x13, 0x4D, -+ 0x7A, 0xE4, 0x5C, 0x81, 0xDE, 0xC0, 0x3D, 0x19, 0x9C, 0x33, 0x11, 0x07, -+ 0xD5, 0xA9, 0x51, 0x67, 0xCD, 0xFD, 0x37, 0x61, 0x14, 0x9F, 0xE7, 0x70, -+ 0x18, 0x32, 0xC3, 0x34, 0x54, 0x0D, 0x4F, 0xB4, 0xAE, 0x9F, 0xEC, 0x64, -+ 0xD8, 0xB2, 0x16, 0xA4, 0xB2, 0x99, 0x92, 0xCB, 0x7F, 0x1F, 0x06, 0x17, -+ 0x5F, 0xA1, 0x07, 0x68, 0xAE, 0xA7, 0x2D, 0x03, 0x91, 0x2A, 0x9D, 0x69, -+ 0xC2, 0x9D, 0x90, 0xF7, 0xF9, 0x66, 0x5D, 0x13, 0xB7, 0x7F, 0xD3, 0x97, -+ 0x45, 0x97, 0x43, 0xD8, 0xCE, 0x3C, 0xF2, 0x98, 0x98, 0xDD, 0xE2, 0x2D, -+ 0xCF, 0xA1, 0xC4, 0x25, 0x46, 0x2E, 0xD2, 0xE5, 0x5F, 0xC6, 0x01, 0xC5, -+ 0x4F, 0x42, 0x2B, 0xDE, 0x0F, 0xEA, 0x4A, 0x4F, 0xC3, 0x5B, 0xDF, 0x9B, -+ 0x5D, 0x30, 0x18, 0x93, 0xD0, 0xDE, 0xC5, 0x09, 0xAA, 0x57, 0x57, 0xBD, -+ 0x2D, 0x84, 0x03, 0xB7 - }; - - static const unsigned char kat_RSA_PSS_SHA256[] = { -- 0x6D, 0x3D, 0xBE, 0x8F, 0x60, 0x6D, 0x25, 0x14, 0xF0, 0x31, 0xE3, 0x89, -- 0x00, 0x97, 0xFA, 0x99, 0x71, 0x28, 0xE5, 0x10, 0x25, 0x9A, 0xF3, 0x8F, -- 0x7B, 0xC5, 0xA8, 0x4A, 0x74, 0x51, 0x36, 0xE2, 0x8D, 0x7D, 0x73, 0x28, -- 0xC1, 0x77, 0xC6, 0x27, 0x97, 0x00, 0x8B, 0x00, 0xA3, 0x96, 0x73, 0x4E, -- 0x7D, 0x2E, 0x2C, 0x34, 0x68, 0x8C, 0x8E, 0xDF, 0x9D, 0x49, 0x47, 0x05, -- 0xAB, 0xF5, 0x01, 0xD6, 0x81, 0x47, 0x70, 0xF5, 0x1D, 0x6D, 0x26, 0xBA, -- 0x2F, 0x7A, 0x54, 0x53, 0x4E, 0xED, 0x71, 0xD9, 0x5A, 0xF3, 0xDA, 0xB6, -- 0x0B, 0x47, 0x34, 0xAF, 0x90, 0xDC, 0xC8, 0xD9, 0x6F, 0x56, 0xCD, 0x9F, -- 0x21, 0xB7, 0x7E, 0xAD, 0x7C, 0x2F, 0x75, 0x50, 0x47, 0x12, 0xE4, 0x6D, -- 0x5F, 0xB7, 0x01, 0xDF, 0xC3, 0x11, 0x6C, 0xA9, 0x9E, 0x49, 0xB9, 0xF6, -- 0x72, 0xF4, 0xF6, 0xEF, 0x88, 0x1E, 0x2D, 0x1C -+ 0x38, 0xDA, 0x99, 0x51, 0x26, 0x38, 0xC6, 0x7F, 0xC4, 0x81, 0x57, 0x19, -+ 0x35, 0xC6, 0xF6, 0x1E, 0x90, 0x47, 0x20, 0x55, 0x47, 0x56, 0x26, 0xE9, -+ 0xF2, 0xA8, 0x39, 0x6C, 0xD5, 0xCD, 0xCB, 0x55, 0xFC, 0x0C, 0xC5, 0xCB, -+ 0xF7, 0x40, 0x17, 0x3B, 0xCF, 0xE4, 0x05, 0x03, 0x3B, 0xA0, 0xB2, 0xC9, -+ 0x0D, 0x5E, 0x48, 0x3A, 0xE9, 0xAD, 0x28, 0x71, 0x7D, 0x8F, 0x89, 0x16, -+ 0x59, 0x93, 0x35, 0xDC, 0x4D, 0x7B, 0xDF, 0x84, 0xE4, 0x68, 0xAA, 0x33, -+ 0xAA, 0xDC, 0x66, 0x50, 0xC8, 0xA9, 0x32, 0x12, 0xDC, 0xC6, 0x90, 0x49, -+ 0x0B, 0x75, 0xFF, 0x9B, 0x95, 0x00, 0x9A, 0x90, 0xE0, 0xD4, 0x0E, 0x67, -+ 0xAB, 0x3C, 0x47, 0x36, 0xC5, 0x2E, 0x1C, 0x46, 0xF0, 0x2D, 0xD3, 0x8B, -+ 0x42, 0x08, 0xDE, 0x0D, 0xB6, 0x2C, 0x86, 0xB0, 0x35, 0x71, 0x18, 0x6B, -+ 0x89, 0x67, 0xC0, 0x05, 0xAD, 0xF4, 0x1D, 0x62, 0x4E, 0x75, 0xEC, 0xD6, -+ 0xC2, 0xDB, 0x07, 0xB0, 0xB6, 0x8D, 0x15, 0xAD, 0xCD, 0xBF, 0xF5, 0x60, -+ 0x76, 0xAE, 0x48, 0xB8, 0x77, 0x7F, 0xC5, 0x01, 0xD9, 0x29, 0xBB, 0xD6, -+ 0x17, 0xA2, 0x20, 0x5A, 0xC0, 0x4A, 0x3B, 0x34, 0xC8, 0xB9, 0x39, 0xCF, -+ 0x06, 0x89, 0x95, 0x6F, 0xC7, 0xCA, 0xC4, 0xE4, 0x43, 0xDF, 0x5A, 0x23, -+ 0xE2, 0x89, 0xA3, 0x38, 0x78, 0x31, 0x38, 0xC6, 0xA4, 0x6F, 0x5F, 0x73, -+ 0x5A, 0xE5, 0x9E, 0x09, 0xE7, 0x6F, 0xD4, 0xF8, 0x3E, 0xB7, 0xB0, 0x56, -+ 0x9A, 0xF3, 0x65, 0xF0, 0xC2, 0xA6, 0x8A, 0x08, 0xBA, 0x44, 0xAC, 0x97, -+ 0xDE, 0xB4, 0x16, 0x83, 0xDF, 0xE3, 0xEE, 0x71, 0xFA, 0xF9, 0x51, 0x50, -+ 0x14, 0xDC, 0xFD, 0x6A, 0x82, 0x20, 0x68, 0x64, 0x7D, 0x4E, 0x82, 0x68, -+ 0xD7, 0x45, 0xFA, 0x6A, 0xE4, 0xE5, 0x29, 0x3A, 0x70, 0xFB, 0xE4, 0x62, -+ 0x2B, 0x31, 0xB9, 0x7D - }; - - static const unsigned char kat_RSA_PSS_SHA384[] = { -- 0x40, 0xFB, 0xA1, 0x21, 0xF4, 0xB2, 0x40, 0x9A, 0xB4, 0x31, 0xA8, 0xF2, -- 0xEC, 0x1C, 0xC4, 0xC8, 0x7C, 0x22, 0x65, 0x9C, 0x57, 0x45, 0xCD, 0x5E, -- 0x86, 0x00, 0xF7, 0x25, 0x78, 0xDE, 0xDC, 0x7A, 0x71, 0x44, 0x9A, 0xCD, -- 0xAA, 0x25, 0xF4, 0xB2, 0xFC, 0xF0, 0x75, 0xD9, 0x2F, 0x78, 0x23, 0x7F, -- 0x6F, 0x02, 0xEF, 0xC1, 0xAF, 0xA6, 0x28, 0x16, 0x31, 0xDC, 0x42, 0x6C, -- 0xB2, 0x44, 0xE5, 0x4D, 0x66, 0xA2, 0xE6, 0x71, 0xF3, 0xAC, 0x4F, 0xFB, -- 0x91, 0xCA, 0xF5, 0x70, 0xEF, 0x6B, 0x9D, 0xA4, 0xEF, 0xD9, 0x3D, 0x2F, -- 0x3A, 0xBE, 0x89, 0x38, 0x59, 0x01, 0xBA, 0xDA, 0x32, 0xAD, 0x42, 0x89, -- 0x98, 0x8B, 0x39, 0x44, 0xF0, 0xFC, 0x38, 0xAC, 0x87, 0x1F, 0xCA, 0x6F, -- 0x48, 0xF6, 0xAE, 0xD7, 0x45, 0xEE, 0xAE, 0x88, 0x0E, 0x60, 0xF4, 0x55, -- 0x48, 0x44, 0xEE, 0x1F, 0x90, 0x18, 0x4B, 0xF1 -+ 0x99, 0x02, 0xC9, 0x1E, 0x31, 0x82, 0xB4, 0xE6, 0x1B, 0x32, 0xCE, 0x5D, -+ 0x41, 0x1D, 0x00, 0x2F, 0x04, 0x8B, 0xBD, 0x37, 0x79, 0xCF, 0x77, 0x03, -+ 0x05, 0x6A, 0x21, 0xC7, 0x8D, 0x24, 0x60, 0x49, 0x39, 0x58, 0xC5, 0x27, -+ 0x8F, 0xC5, 0x97, 0x4A, 0xB2, 0xE1, 0xD4, 0x36, 0x57, 0xBD, 0x43, 0xCC, -+ 0x7B, 0xCE, 0xF2, 0xA5, 0x30, 0xF8, 0x72, 0x14, 0xBB, 0xD0, 0x9F, 0xC1, -+ 0x49, 0xC8, 0x1C, 0xAF, 0xCD, 0x95, 0x78, 0x72, 0x25, 0xF9, 0x45, 0xC6, -+ 0x5B, 0x62, 0x5E, 0x01, 0xD7, 0x40, 0x5E, 0xC8, 0xCA, 0x0A, 0xF3, 0xBA, -+ 0x08, 0x07, 0x88, 0xCA, 0x49, 0x36, 0x84, 0x7D, 0xF6, 0xFC, 0x5A, 0xDB, -+ 0xFC, 0x50, 0xD3, 0xEB, 0x3D, 0x83, 0xB0, 0xF5, 0x94, 0x5E, 0x88, 0xC3, -+ 0x82, 0xCD, 0x53, 0x40, 0x96, 0x18, 0x6B, 0x4A, 0x6C, 0x9C, 0xFE, 0xE5, -+ 0x3B, 0x75, 0xF9, 0xEB, 0xA5, 0x77, 0x11, 0xEF, 0x88, 0x1C, 0x25, 0x70, -+ 0x7D, 0x88, 0x5D, 0xC3, 0xCA, 0xE1, 0x49, 0x14, 0x90, 0xAD, 0xF2, 0x5E, -+ 0x49, 0xD7, 0x99, 0xA5, 0x7B, 0x77, 0x3B, 0x8E, 0xB8, 0xDB, 0xF1, 0x4C, -+ 0xD6, 0x9A, 0xDC, 0xE5, 0x7A, 0x1C, 0xE1, 0xCE, 0x9D, 0xF1, 0xF3, 0xA0, -+ 0x0A, 0x35, 0x52, 0x9D, 0xB9, 0x46, 0x94, 0x82, 0x0F, 0xF7, 0xB2, 0x62, -+ 0x51, 0x70, 0x75, 0xD2, 0x37, 0x96, 0x67, 0x2F, 0xD0, 0x22, 0xD8, 0x07, -+ 0x8D, 0x69, 0x9E, 0x6D, 0x0B, 0x40, 0x4F, 0x70, 0xEC, 0x0B, 0xCA, 0x88, -+ 0x80, 0x8D, 0x9A, 0xF4, 0xF9, 0x18, 0x50, 0x27, 0x08, 0xFA, 0xCC, 0xC7, -+ 0x3F, 0xE4, 0x84, 0x83, 0xA1, 0xB6, 0x1D, 0x23, 0x34, 0xFE, 0x48, 0xE5, -+ 0xE3, 0xAE, 0x4D, 0x98, 0xBC, 0xA6, 0x8A, 0x9F, 0xFD, 0x4D, 0xDB, 0x9D, -+ 0xF7, 0xEB, 0x4E, 0xB6, 0x6F, 0x25, 0xEA, 0x7A, 0xE9, 0x85, 0xB2, 0xEF, -+ 0x90, 0xD2, 0xA6, 0x2B - }; - - static const unsigned char kat_RSA_PSS_SHA512[] = { -- 0x07, 0x1E, 0xD8, 0xD5, 0x05, 0xE8, 0xE6, 0xE6, 0x57, 0xAE, 0x63, 0x8C, -- 0xC6, 0x83, 0xB7, 0xA0, 0x59, 0xBB, 0xF2, 0xC6, 0x8F, 0x12, 0x53, 0x9A, -- 0x9B, 0x54, 0x9E, 0xB3, 0xC1, 0x1D, 0x23, 0x4D, 0x51, 0xED, 0x9E, 0xDD, -- 0x4B, 0xF3, 0x46, 0x9B, 0x6B, 0xF6, 0x7C, 0x24, 0x60, 0x79, 0x23, 0x39, -- 0x01, 0x1C, 0x51, 0xCB, 0xD8, 0xE9, 0x9A, 0x01, 0x67, 0x5F, 0xFE, 0xD7, -- 0x7C, 0xE3, 0x7F, 0xED, 0xDB, 0x87, 0xBB, 0xF0, 0x3D, 0x78, 0x55, 0x61, -- 0x57, 0xE3, 0x0F, 0xE3, 0xD2, 0x9D, 0x0C, 0x2A, 0x20, 0xB0, 0x85, 0x13, -- 0xC5, 0x47, 0x34, 0x0D, 0x32, 0x15, 0xC8, 0xAE, 0x9A, 0x6A, 0x39, 0x63, -- 0x2D, 0x60, 0xF5, 0x4C, 0xDF, 0x8A, 0x48, 0x4B, 0xBF, 0xF4, 0xA8, 0xFE, -- 0x76, 0xF2, 0x32, 0x1B, 0x9C, 0x7C, 0xCA, 0xFE, 0x7F, 0x80, 0xC2, 0x88, -- 0x5C, 0x97, 0x70, 0xB4, 0x26, 0xC9, 0x14, 0x8B -+ 0x3F, 0x83, 0x43, 0x78, 0x25, 0xBE, 0x81, 0xB2, 0x6E, 0x78, 0x11, 0x32, -+ 0xD0, 0x88, 0x05, 0x53, 0x95, 0xED, 0x81, 0x12, 0xCE, 0x50, 0xD9, 0x06, -+ 0x42, 0x89, 0xA0, 0x55, 0x7A, 0x05, 0x13, 0x94, 0x35, 0x9B, 0xCA, 0x5D, -+ 0xCB, 0xB2, 0x32, 0xE1, 0x04, 0x99, 0xEC, 0xE7, 0xA6, 0x69, 0x4D, 0x2B, -+ 0xC1, 0x57, 0x13, 0x48, 0x0D, 0x6B, 0x4D, 0x83, 0x28, 0x06, 0x79, 0x9D, -+ 0xB4, 0x70, 0xCE, 0xC0, 0xFC, 0x3B, 0x69, 0xB3, 0x91, 0x54, 0xA9, 0x44, -+ 0x2E, 0xDA, 0x4A, 0xC5, 0xC2, 0x99, 0xF0, 0xDE, 0xCA, 0x77, 0x99, 0x6B, -+ 0x0C, 0x79, 0xE5, 0x29, 0x74, 0x83, 0x69, 0xEA, 0xB8, 0x72, 0x30, 0x3D, -+ 0x7A, 0x30, 0xE1, 0x03, 0x7B, 0x09, 0xE6, 0x11, 0xC0, 0xDC, 0xFF, 0xFD, -+ 0xBD, 0xEC, 0x9C, 0xCC, 0x46, 0x7B, 0x4C, 0x4C, 0x59, 0xBE, 0x82, 0x7C, -+ 0xF5, 0x60, 0x5A, 0xC3, 0xE8, 0xA8, 0x8A, 0x38, 0x9E, 0x01, 0x57, 0xF1, -+ 0x79, 0x3A, 0x7C, 0xA3, 0x9F, 0x12, 0x1A, 0x4F, 0x2E, 0xA2, 0xE5, 0x0A, -+ 0xAB, 0xC0, 0xF4, 0xA5, 0xE3, 0x5F, 0x89, 0x1C, 0x8F, 0xA4, 0x5E, 0xCE, -+ 0x0D, 0x91, 0x05, 0x1B, 0x17, 0x62, 0x48, 0xFE, 0xA5, 0x4C, 0xEF, 0x2D, -+ 0x28, 0xF1, 0x5E, 0xE6, 0xD1, 0x30, 0x89, 0x0A, 0xAD, 0x18, 0xAF, 0x6F, -+ 0x04, 0x09, 0x36, 0x9A, 0xFF, 0xCA, 0xA1, 0xA7, 0x05, 0x7F, 0xD4, 0xBF, -+ 0x3A, 0xB5, 0x42, 0x6D, 0xE9, 0x07, 0x29, 0x65, 0x8B, 0xAD, 0x4D, 0x0F, -+ 0x22, 0xE1, 0x59, 0x43, 0x68, 0x87, 0xA8, 0x8B, 0xBC, 0x69, 0xA1, 0x94, -+ 0x22, 0x3E, 0x8A, 0x49, 0xE8, 0xA3, 0x6F, 0xC2, 0x93, 0x58, 0xE7, 0xAE, -+ 0xC9, 0x1F, 0xCF, 0x61, 0x93, 0xFC, 0xC1, 0xF6, 0xF3, 0x27, 0x7F, 0x0A, -+ 0x90, 0xE0, 0x65, 0x32, 0x57, 0x47, 0xE2, 0xED, 0x08, 0x59, 0xA6, 0xF0, -+ 0x17, 0x2C, 0x13, 0xE0 - }; - - static const unsigned char kat_RSA_SHA1[] = { -- 0x71, 0xEE, 0x1A, 0xC0, 0xFE, 0x01, 0x93, 0x54, 0x79, 0x5C, 0xF2, 0x4C, -- 0x4A, 0xFD, 0x1A, 0x05, 0x8F, 0x64, 0xB1, 0x6D, 0x61, 0x33, 0x8D, 0x9B, -- 0xE7, 0xFD, 0x60, 0xA3, 0x83, 0xB5, 0xA3, 0x51, 0x55, 0x77, 0x90, 0xCF, -- 0xDC, 0x22, 0x37, 0x8E, 0xD0, 0xE1, 0xAE, 0x09, 0xE3, 0x3D, 0x1E, 0xF8, -- 0x80, 0xD1, 0x8B, 0xC2, 0xEC, 0x0A, 0xD7, 0x6B, 0x88, 0x8B, 0x8B, 0xA1, -- 0x20, 0x22, 0xBE, 0x59, 0x5B, 0xE0, 0x23, 0x24, 0xA1, 0x49, 0x30, 0xBA, -- 0xA9, 0x9E, 0xE8, 0xB1, 0x8A, 0x62, 0x16, 0xBF, 0x4E, 0xCA, 0x2E, 0x4E, -- 0xBC, 0x29, 0xA8, 0x67, 0x13, 0xB7, 0x9F, 0x1D, 0x04, 0x44, 0xE5, 0x5F, -- 0x35, 0x07, 0x11, 0xBC, 0xED, 0x19, 0x37, 0x21, 0xCF, 0x23, 0x48, 0x1F, -- 0x72, 0x05, 0xDE, 0xE6, 0xE8, 0x7F, 0x33, 0x8A, 0x76, 0x4B, 0x2F, 0x95, -- 0xDF, 0xF1, 0x5F, 0x84, 0x80, 0xD9, 0x46, 0xB4 -+ 0x3B, 0x60, 0x4B, 0xFC, 0x54, 0x28, 0x23, 0xE6, 0x2F, 0x05, 0x04, 0xBA, -+ 0x9D, 0xE4, 0x3C, 0xB8, 0x5B, 0x60, 0x5C, 0xCD, 0x9D, 0xEA, 0xC3, 0x4C, -+ 0xC2, 0x33, 0xE6, 0xC6, 0x21, 0x48, 0x76, 0xEC, 0xB2, 0xF5, 0x11, 0xDE, -+ 0x44, 0xB4, 0xAF, 0x16, 0x11, 0xC3, 0x18, 0x16, 0xB3, 0x69, 0xBB, 0x94, -+ 0xED, 0xE8, 0xB3, 0x9E, 0xB1, 0x43, 0x8E, 0xCE, 0xB4, 0x34, 0x9B, 0x08, -+ 0x22, 0xAF, 0x31, 0x73, 0xB5, 0xFA, 0x11, 0x7E, 0x8F, 0x13, 0x52, 0xEC, -+ 0xC9, 0x03, 0xEE, 0x0D, 0x2B, 0x91, 0x32, 0xF2, 0x8E, 0xDF, 0x02, 0xE0, -+ 0x0A, 0x47, 0xD2, 0x0A, 0x51, 0x00, 0x1A, 0x30, 0x6F, 0x0C, 0xB3, 0x54, -+ 0x64, 0x20, 0x90, 0x0C, 0x01, 0xBE, 0xC0, 0x42, 0x8C, 0x5D, 0x18, 0x6F, -+ 0x32, 0x75, 0x45, 0x7B, 0x1C, 0x04, 0xA2, 0x9F, 0x84, 0xD7, 0xF5, 0x3A, -+ 0x95, 0xD4, 0xE8, 0x8D, 0xEC, 0x99, 0xEF, 0x18, 0x5E, 0x64, 0xD3, 0xAF, -+ 0xF8, 0xD4, 0xFF, 0x3C, 0x87, 0xA0, 0x3F, 0xC7, 0x22, 0x05, 0xFD, 0xFD, -+ 0x29, 0x8A, 0x28, 0xDA, 0xA9, 0x8A, 0x8B, 0x23, 0x62, 0x9D, 0x42, 0xB8, -+ 0x4A, 0x76, 0x0D, 0x9F, 0x9A, 0xE0, 0xE6, 0xDD, 0xAD, 0x5E, 0x5F, 0xD5, -+ 0x32, 0xE9, 0x4B, 0x97, 0x7D, 0x62, 0x0A, 0xB3, 0xBE, 0xF2, 0x8C, 0x1F, -+ 0x2B, 0x22, 0x06, 0x15, 0x33, 0x71, 0xED, 0x9B, 0xA0, 0x82, 0xCE, 0xBF, -+ 0x3B, 0x08, 0x5F, 0xA7, 0x20, 0x94, 0x09, 0xEB, 0x82, 0xA5, 0x41, 0x60, -+ 0xF1, 0x08, 0xEB, 0x8D, 0xCC, 0x8D, 0xC9, 0x52, 0x0A, 0xAF, 0xF4, 0xF9, -+ 0x9F, 0x82, 0xD8, 0x0B, 0x75, 0x5E, 0xE4, 0xAF, 0x65, 0x96, 0xAF, 0xFC, -+ 0x33, 0xBF, 0x9F, 0x3E, 0xA4, 0x7B, 0x86, 0xC7, 0xF7, 0x47, 0xAB, 0x37, -+ 0x05, 0xD6, 0x0D, 0x31, 0x72, 0x8C, 0x80, 0x1E, 0xA9, 0x54, 0xFC, 0xDF, -+ 0x27, 0x90, 0xE2, 0x01 - }; - - static const unsigned char kat_RSA_SHA224[] = { -- 0x62, 0xAA, 0x79, 0xA9, 0x18, 0x0E, 0x5F, 0x8C, 0xBB, 0xB7, 0x15, 0xF9, -- 0x25, 0xBB, 0xFA, 0xD4, 0x3A, 0x34, 0xED, 0x9E, 0xA0, 0xA9, 0x18, 0x8D, -- 0x5B, 0x55, 0x9A, 0x7E, 0x1E, 0x08, 0x08, 0x60, 0xC5, 0x1A, 0xC5, 0x89, -- 0x08, 0xE2, 0x1B, 0xBD, 0x62, 0x50, 0x17, 0x76, 0x30, 0x2C, 0x9E, 0xCD, -- 0xA4, 0x02, 0xAD, 0xB1, 0x6D, 0x44, 0x6D, 0xD5, 0xC6, 0x45, 0x41, 0xE5, -- 0xEE, 0x1F, 0x8D, 0x7E, 0x08, 0x16, 0xA6, 0xE1, 0x5E, 0x0B, 0xA9, 0xCC, -- 0xDB, 0x59, 0x55, 0x87, 0x09, 0x25, 0x70, 0x86, 0x84, 0x02, 0xC6, 0x3B, -- 0x0B, 0x44, 0x4C, 0x46, 0x95, 0xF4, 0xF8, 0x5A, 0x91, 0x28, 0x3E, 0xB2, -- 0x58, 0x2E, 0x06, 0x45, 0x49, 0xE0, 0x92, 0xE2, 0xC0, 0x66, 0xE6, 0x35, -- 0xD9, 0x79, 0x7F, 0x17, 0x5E, 0x02, 0x73, 0x04, 0x77, 0x82, 0xE6, 0xDC, -- 0x40, 0x21, 0x89, 0x8B, 0x37, 0x3E, 0x1E, 0x8D -+ 0xA2, 0xD8, 0x42, 0x53, 0xDD, 0xBF, 0x1F, 0x6B, 0x07, 0xE0, 0x60, 0x86, -+ 0x5A, 0x60, 0x06, 0x8F, 0x44, 0xD9, 0xB0, 0x4A, 0xAA, 0x90, 0x71, 0xB8, -+ 0xB2, 0xBC, 0x30, 0x41, 0x50, 0xBB, 0xFD, 0x46, 0x98, 0x4D, 0xC0, 0x89, -+ 0x57, 0x85, 0x8A, 0x97, 0x49, 0x25, 0xA8, 0x0C, 0x69, 0x70, 0x19, 0x39, -+ 0x66, 0x24, 0xB4, 0x69, 0x47, 0xD2, 0x7C, 0xDE, 0x2D, 0x37, 0x59, 0xB3, -+ 0xE3, 0xC7, 0x6B, 0xDD, 0xBE, 0xE1, 0xE6, 0x28, 0x9A, 0x8D, 0x42, 0x3E, -+ 0x28, 0x01, 0xD7, 0x03, 0xC9, 0x73, 0xC3, 0x6B, 0x03, 0xEC, 0x1E, 0xF8, -+ 0x53, 0x8B, 0x52, 0x42, 0x89, 0x55, 0xB7, 0x87, 0xA9, 0x94, 0xC2, 0xB4, -+ 0x4B, 0x76, 0xF5, 0x61, 0x47, 0xE1, 0x44, 0x7B, 0xEC, 0xB4, 0x25, 0x66, -+ 0xC0, 0xFF, 0xEB, 0x86, 0x24, 0xAA, 0xA8, 0x72, 0xC7, 0xFB, 0xFB, 0xF6, -+ 0x84, 0xA7, 0x5B, 0xD4, 0x87, 0xE5, 0x84, 0x56, 0x1E, 0x4C, 0xE5, 0xBC, -+ 0x87, 0x94, 0xAC, 0x9C, 0x1B, 0x3D, 0xF7, 0xD4, 0x36, 0x85, 0x9F, 0xC9, -+ 0xF6, 0x43, 0x3F, 0xB6, 0x25, 0x33, 0x48, 0x0F, 0xE5, 0x7C, 0xCD, 0x53, -+ 0x48, 0xEB, 0x02, 0x11, 0xB9, 0x9E, 0xC3, 0xB4, 0xE1, 0x54, 0xD6, 0xAA, -+ 0x1A, 0x9E, 0x10, 0xE1, 0x27, 0x25, 0xF2, 0xE1, 0xAB, 0xAB, 0x6C, 0x45, -+ 0x61, 0xD5, 0xA3, 0x6C, 0xB6, 0x33, 0x52, 0xAE, 0x3D, 0xFD, 0x22, 0xFC, -+ 0x3A, 0xAB, 0x63, 0x94, 0xB5, 0x3A, 0x69, 0x11, 0xAC, 0x99, 0x4F, 0x33, -+ 0x67, 0x0A, 0x1A, 0x70, 0x1E, 0xB9, 0xE2, 0x26, 0x27, 0x68, 0xEA, 0xF5, -+ 0x97, 0x55, 0xAC, 0x83, 0x6A, 0x40, 0x3B, 0x56, 0xAE, 0x13, 0x88, 0xE8, -+ 0x98, 0x72, 0x52, 0x91, 0x7F, 0x78, 0x0A, 0x18, 0xD4, 0x44, 0x78, 0x83, -+ 0x0D, 0x44, 0x77, 0xA6, 0xF3, 0x04, 0xF1, 0x8C, 0xBC, 0x2F, 0xF9, 0x5B, -+ 0xDB, 0x70, 0x00, 0xF6 - }; - - static const unsigned char kat_RSA_SHA256[] = { -- 0x0D, 0x55, 0xE2, 0xAA, 0x81, 0xDB, 0x8E, 0x82, 0x05, 0x17, 0xA5, 0x23, -- 0xE7, 0x3B, 0x1D, 0xAF, 0xFB, 0x8C, 0xD0, 0x81, 0x20, 0x7B, 0xAA, 0x23, -- 0x92, 0x87, 0x8C, 0xD1, 0x53, 0x85, 0x16, 0xDC, 0xBE, 0xAD, 0x6F, 0x35, -- 0x98, 0x2D, 0x69, 0x84, 0xBF, 0xD9, 0x8A, 0x01, 0x17, 0x58, 0xB2, 0x6E, -- 0x2C, 0x44, 0x9B, 0x90, 0xF1, 0xFB, 0x51, 0xE8, 0x6A, 0x90, 0x2D, 0x18, -- 0x0E, 0xC0, 0x90, 0x10, 0x24, 0xA9, 0x1D, 0xB3, 0x58, 0x7A, 0x91, 0x30, -- 0xBE, 0x22, 0xC7, 0xD3, 0xEC, 0xC3, 0x09, 0x5D, 0xBF, 0xE2, 0x80, 0x3A, -- 0x7C, 0x85, 0xB4, 0xBC, 0xD1, 0xE9, 0xF0, 0x5C, 0xDE, 0x81, 0xA6, 0x38, -- 0xB8, 0x42, 0xBB, 0x86, 0xC5, 0x9D, 0xCE, 0x7C, 0x2C, 0xEE, 0xD1, 0xDA, -- 0x27, 0x48, 0x2B, 0xF5, 0xAB, 0xB9, 0xF7, 0x80, 0xD1, 0x90, 0x27, 0x90, -- 0xBD, 0x44, 0x97, 0x60, 0xCD, 0x57, 0xC0, 0x7A -+ 0xC2, 0xB1, 0x97, 0x00, 0x9A, 0xE5, 0x80, 0x6A, 0xE2, 0x51, 0x68, 0xB9, -+ 0x7A, 0x0C, 0xF2, 0xB4, 0x77, 0xED, 0x15, 0x0C, 0x4E, 0xE1, 0xDC, 0xFF, -+ 0x8E, 0xBC, 0xDE, 0xC7, 0x9A, 0x96, 0xF1, 0x47, 0x45, 0x24, 0x9D, 0x6F, -+ 0xA6, 0xF3, 0x1D, 0x0D, 0x35, 0x4C, 0x1A, 0xF3, 0x58, 0x2C, 0x6C, 0x06, -+ 0xD6, 0x22, 0x37, 0x77, 0x8C, 0x33, 0xE5, 0x07, 0x53, 0x93, 0x28, 0xCF, -+ 0x67, 0xFA, 0xC4, 0x1F, 0x1B, 0x24, 0xDB, 0x4C, 0xC5, 0x2A, 0x51, 0xA2, -+ 0x60, 0x15, 0x8C, 0x54, 0xB4, 0x30, 0xE2, 0x24, 0x47, 0x86, 0xF2, 0xF8, -+ 0x6C, 0xD6, 0x12, 0x59, 0x2C, 0x74, 0x9A, 0x37, 0xF3, 0xC4, 0xA2, 0xD5, -+ 0x4E, 0x1F, 0x77, 0xF0, 0x27, 0xCE, 0x77, 0xF8, 0x4A, 0x79, 0x03, 0xBE, -+ 0xC8, 0x06, 0x2D, 0xA7, 0xA6, 0x46, 0xF5, 0x55, 0x79, 0xD7, 0x5C, 0xC6, -+ 0x5B, 0xB1, 0x00, 0x4E, 0x7C, 0xD9, 0x11, 0x85, 0xE0, 0xB1, 0x4D, 0x2D, -+ 0x13, 0xD7, 0xAC, 0xEA, 0x64, 0xD1, 0xAC, 0x8F, 0x8D, 0x8F, 0xEA, 0x42, -+ 0x7F, 0xF9, 0xB7, 0x7D, 0x2C, 0x68, 0x49, 0x07, 0x7A, 0x74, 0xEF, 0xB4, -+ 0xC9, 0x97, 0x16, 0x5C, 0x6C, 0x6E, 0x5C, 0x09, 0x2E, 0x8E, 0x13, 0x2E, -+ 0x1A, 0x8D, 0xA6, 0x0C, 0x6E, 0x0C, 0x1C, 0x0F, 0xCC, 0xB2, 0x78, 0x8A, -+ 0x07, 0xFC, 0x5C, 0xC2, 0xF5, 0x65, 0xEC, 0xAB, 0x8B, 0x3C, 0xCA, 0x91, -+ 0x6F, 0x84, 0x7C, 0x21, 0x0E, 0xB8, 0xDA, 0x7B, 0x6C, 0xF7, 0xDF, 0xAB, -+ 0x7E, 0x15, 0xFD, 0x85, 0x0B, 0x33, 0x9B, 0x6A, 0x3A, 0xC3, 0xEF, 0x65, -+ 0x04, 0x6E, 0xB2, 0xAC, 0x98, 0xFD, 0xEB, 0x02, 0xF5, 0xC0, 0x0B, 0x5E, -+ 0xCB, 0xD4, 0x83, 0x82, 0x18, 0x1B, 0xDA, 0xB4, 0xCD, 0xE8, 0x71, 0x6B, -+ 0x1D, 0xB5, 0x4F, 0xE9, 0xD6, 0x43, 0xA0, 0x0A, 0x14, 0xA0, 0xE7, 0x5D, -+ 0x47, 0x9D, 0x18, 0xD7 - }; - - static const unsigned char kat_RSA_SHA384[] = { -- 0x1D, 0xE3, 0x6A, 0xDD, 0x27, 0x4C, 0xC0, 0xA5, 0x27, 0xEF, 0xE6, 0x1F, -- 0xD2, 0x91, 0x68, 0x59, 0x04, 0xAE, 0xBD, 0x99, 0x63, 0x56, 0x47, 0xC7, -- 0x6F, 0x22, 0x16, 0x48, 0xD0, 0xF9, 0x18, 0xA9, 0xCA, 0xFA, 0x5D, 0x5C, -- 0xA7, 0x65, 0x52, 0x8A, 0xC8, 0x44, 0x7E, 0x86, 0x5D, 0xA9, 0xA6, 0x55, -- 0x65, 0x3E, 0xD9, 0x2D, 0x02, 0x38, 0xA8, 0x79, 0x28, 0x7F, 0xB6, 0xCF, -- 0x82, 0xDD, 0x7E, 0x55, 0xE1, 0xB1, 0xBC, 0xE2, 0x19, 0x2B, 0x30, 0xC2, -- 0x1B, 0x2B, 0xB0, 0x82, 0x46, 0xAC, 0x4B, 0xD1, 0xE2, 0x7D, 0xEB, 0x8C, -- 0xFF, 0x95, 0xE9, 0x6A, 0x1C, 0x3D, 0x4D, 0xBF, 0x8F, 0x8B, 0x9C, 0xCD, -- 0xEA, 0x85, 0xEE, 0x00, 0xDC, 0x1C, 0xA7, 0xEB, 0xD0, 0x8F, 0x99, 0xF1, -- 0x16, 0x28, 0x24, 0x64, 0x04, 0x39, 0x2D, 0x58, 0x1E, 0x37, 0xDC, 0x04, -- 0xBD, 0x31, 0xA2, 0x2F, 0xB3, 0x35, 0x56, 0xBF -+ 0x11, 0x5E, 0x63, 0xFE, 0x47, 0xAA, 0x6A, 0x84, 0xEB, 0x44, 0x9A, 0x00, -+ 0x96, 0x4A, 0xED, 0xD2, 0xA7, 0x67, 0x3A, 0x64, 0x82, 0x30, 0x61, 0x2D, -+ 0xE3, 0xF5, 0x49, 0x68, 0x5E, 0x60, 0xD2, 0x4D, 0xEF, 0xF2, 0xA4, 0xB2, -+ 0x9A, 0x81, 0x1D, 0x41, 0xA5, 0x73, 0x59, 0xEB, 0xBB, 0xC4, 0x9E, 0x2B, -+ 0xEB, 0xC3, 0xDE, 0x3A, 0xEA, 0xF5, 0xAD, 0xDA, 0x87, 0x08, 0x68, 0xCF, -+ 0x12, 0x9B, 0xC1, 0xE4, 0xA7, 0x71, 0xF8, 0xBD, 0x6B, 0x6F, 0x50, 0xF1, -+ 0xD1, 0xFF, 0xCE, 0x6C, 0xD9, 0xBE, 0xDA, 0x76, 0xF3, 0xEB, 0xAB, 0x9C, -+ 0x41, 0x6E, 0x4F, 0x35, 0x7A, 0x61, 0x27, 0xBC, 0x03, 0x3E, 0xAE, 0x3E, -+ 0x1B, 0xDD, 0xAC, 0xD9, 0x1A, 0xFF, 0xD3, 0xF5, 0x66, 0x43, 0x07, 0x76, -+ 0x8A, 0x69, 0x2D, 0x14, 0xB1, 0xBE, 0x55, 0x49, 0x90, 0x89, 0x4B, 0xC4, -+ 0x11, 0x67, 0xD5, 0x9D, 0xB0, 0xB2, 0xEE, 0x8D, 0x0A, 0x47, 0x4A, 0xD9, -+ 0x0E, 0xD1, 0x24, 0xF0, 0x30, 0x2B, 0xF2, 0x79, 0x47, 0xDB, 0x70, 0xB4, -+ 0x46, 0xF2, 0xF8, 0xB7, 0xB4, 0xF6, 0x34, 0x79, 0xA8, 0x2D, 0x3D, 0x56, -+ 0xD5, 0x9A, 0x60, 0x7A, 0x04, 0xC7, 0x66, 0x1D, 0xCD, 0x3C, 0xD5, 0x39, -+ 0x37, 0x12, 0x51, 0x5E, 0x9F, 0xF8, 0x1A, 0xAF, 0x13, 0xC1, 0x13, 0x00, -+ 0x35, 0xD5, 0x8D, 0x17, 0xE3, 0x02, 0x28, 0xD9, 0xEC, 0xDE, 0xD1, 0x2F, -+ 0x93, 0x49, 0x03, 0x11, 0x3E, 0x56, 0x9D, 0xC2, 0x31, 0xF8, 0xAF, 0x2D, -+ 0xD9, 0x99, 0xB7, 0x8A, 0xAC, 0x5A, 0x86, 0x20, 0x3A, 0x83, 0x29, 0x26, -+ 0x9D, 0x03, 0x52, 0x2B, 0x34, 0x56, 0x40, 0x16, 0x53, 0x50, 0x82, 0xC9, -+ 0xC7, 0xD5, 0x51, 0x4C, 0xED, 0xB3, 0xE2, 0xE1, 0xCF, 0xA8, 0xCE, 0xBD, -+ 0xB1, 0x48, 0xA6, 0x8A, 0x79, 0x17, 0x55, 0x11, 0xEF, 0xE8, 0x14, 0xF4, -+ 0x7E, 0x37, 0x1D, 0x96 - }; - - static const unsigned char kat_RSA_SHA512[] = { -- 0x69, 0x52, 0x1B, 0x51, 0x5E, 0x06, 0xCA, 0x9B, 0x16, 0x51, 0x5D, 0xCF, -- 0x49, 0x25, 0x4A, 0xA1, 0x6A, 0x77, 0x4C, 0x36, 0x40, 0xF8, 0xB2, 0x9A, -- 0x15, 0xEA, 0x5C, 0xE5, 0xE6, 0x82, 0xE0, 0x86, 0x82, 0x6B, 0x32, 0xF1, -- 0x04, 0xC1, 0x5A, 0x1A, 0xED, 0x1E, 0x9A, 0xB6, 0x4C, 0x54, 0x9F, 0xD8, -- 0x8D, 0xCC, 0xAC, 0x8A, 0xBB, 0x9C, 0x82, 0x3F, 0xA6, 0x53, 0x62, 0xB5, -- 0x80, 0xE2, 0xBC, 0xDD, 0x67, 0x2B, 0xD9, 0x3F, 0xE4, 0x75, 0x92, 0x6B, -- 0xAF, 0x62, 0x7C, 0x52, 0xF0, 0xEE, 0x33, 0xDF, 0x1B, 0x1D, 0x47, 0xE6, -- 0x59, 0x56, 0xA5, 0xB9, 0x5C, 0xE6, 0x77, 0x78, 0x16, 0x63, 0x84, 0x05, -- 0x6F, 0x0E, 0x2B, 0x31, 0x9D, 0xF7, 0x7F, 0xB2, 0x64, 0x71, 0xE0, 0x2D, -- 0x3E, 0x62, 0xCE, 0xB5, 0x3F, 0x88, 0xDF, 0x2D, 0xAB, 0x98, 0x65, 0x91, -- 0xDF, 0x70, 0x14, 0xA5, 0x3F, 0x36, 0xAB, 0x84 -+ 0x35, 0x6D, 0xF1, 0x9E, 0xCF, 0xB1, 0xF6, 0x0C, 0x04, 0x21, 0x17, 0xB3, -+ 0xC4, 0x9D, 0xFE, 0x62, 0x1C, 0x1A, 0x45, 0x00, 0x2E, 0x6B, 0xB6, 0x9F, -+ 0x5C, 0xB1, 0xCB, 0xCF, 0xF9, 0x67, 0xEA, 0x62, 0x8A, 0xEB, 0x77, 0x02, -+ 0x42, 0x30, 0x88, 0xB1, 0x48, 0xDF, 0x12, 0x60, 0x6E, 0x92, 0xBB, 0x4B, -+ 0x09, 0x68, 0xD1, 0x70, 0x2B, 0x59, 0xEE, 0x57, 0x96, 0xF9, 0xEA, 0xA3, -+ 0x4C, 0xE9, 0xC9, 0xBD, 0x25, 0x34, 0x66, 0x15, 0x6C, 0xC9, 0x81, 0xD1, -+ 0x48, 0x0F, 0x33, 0x5F, 0x05, 0x4F, 0xC2, 0xC4, 0xDD, 0x09, 0x54, 0x79, -+ 0xA1, 0x57, 0x07, 0x70, 0xA0, 0x33, 0x02, 0x4D, 0x5D, 0xE9, 0x24, 0xD1, -+ 0xEF, 0xF0, 0x61, 0xD0, 0x1D, 0x41, 0xE2, 0x9B, 0x2B, 0x7C, 0xD0, 0x4E, -+ 0x55, 0xD9, 0x6D, 0xA1, 0x16, 0x9F, 0xDA, 0xC3, 0x3B, 0xF1, 0x74, 0xD1, -+ 0x99, 0xF1, 0x63, 0x57, 0xAD, 0xC7, 0x55, 0xF4, 0x97, 0x43, 0x1C, 0xED, -+ 0x1B, 0x7A, 0x32, 0xCB, 0x24, 0xA6, 0x3D, 0x93, 0x37, 0x90, 0x74, 0xEE, -+ 0xD2, 0x8D, 0x4B, 0xBC, 0x72, 0xDA, 0x25, 0x2B, 0x64, 0xE9, 0xCA, 0x69, -+ 0x36, 0xB6, 0xEC, 0x6E, 0x8F, 0x33, 0x0E, 0x74, 0x40, 0x48, 0x51, 0xE2, -+ 0x54, 0x6F, 0xAF, 0x6E, 0x36, 0x54, 0x3A, 0xEC, 0x78, 0x37, 0xE6, 0x1F, -+ 0x76, 0xA5, 0x4D, 0xA6, 0xD9, 0xB3, 0x6B, 0x17, 0x6D, 0x61, 0xFC, 0xA3, -+ 0x85, 0x4A, 0xCC, 0xDA, 0x52, 0xAC, 0x5B, 0xDA, 0x51, 0xE5, 0x7F, 0x5B, -+ 0x52, 0x8B, 0x74, 0x75, 0x99, 0x5C, 0x01, 0xFD, 0x25, 0x3E, 0xCD, 0x86, -+ 0x6F, 0x7A, 0xC0, 0xD8, 0x17, 0x6F, 0xD1, 0xD2, 0x6B, 0xAB, 0x14, 0x1F, -+ 0x3B, 0xB8, 0x15, 0x05, 0x86, 0x40, 0x36, 0xCF, 0xDA, 0x59, 0x2B, 0x9A, -+ 0xE9, 0x1E, 0x6E, 0xD3, 0x6B, 0xA1, 0x19, 0xC5, 0xE6, 0x3F, 0xE9, 0x2E, -+ 0x43, 0xA8, 0x34, 0x0A - }; - --static const unsigned char kat_RSA_X931_SHA1[] = { -- 0x86, 0xB4, 0x18, 0xBA, 0xD1, 0x80, 0xB6, 0x7C, 0x42, 0x45, 0x4D, 0xDF, -- 0xE9, 0x2D, 0xE1, 0x83, 0x5F, 0xB5, 0x2F, 0xC9, 0xCD, 0xC4, 0xB2, 0x75, -- 0x80, 0xA4, 0xF1, 0x4A, 0xE7, 0x83, 0x12, 0x1E, 0x1E, 0x14, 0xB8, 0xAC, -- 0x35, 0xE2, 0xAA, 0x0B, 0x5C, 0xF8, 0x38, 0x4D, 0x04, 0xEE, 0xA9, 0x97, -- 0x70, 0xFB, 0x5E, 0xE7, 0xB7, 0xE3, 0x62, 0x23, 0x4B, 0x38, 0xBE, 0xD6, -- 0x53, 0x15, 0xF7, 0xDF, 0x87, 0xB4, 0x0E, 0xCC, 0xB1, 0x1A, 0x11, 0x19, -- 0xEE, 0x51, 0xCC, 0x92, 0xDD, 0xBC, 0x63, 0x29, 0x63, 0x0C, 0x59, 0xD7, -- 0x6F, 0x4C, 0x3C, 0x37, 0x5B, 0x37, 0x03, 0x61, 0x7D, 0x24, 0x1C, 0x99, -- 0x48, 0xAF, 0x82, 0xFE, 0x32, 0x41, 0x9B, 0xB2, 0xDB, 0xEA, 0xED, 0x76, -- 0x8E, 0x6E, 0xCA, 0x7E, 0x4E, 0x14, 0xBA, 0x30, 0x84, 0x1C, 0xB3, 0x67, -- 0xA3, 0x29, 0x80, 0x70, 0x54, 0x68, 0x7D, 0x49 --}; -+static int fips_rsa_encrypt_test(RSA *rsa, const unsigned char *plaintext, -+ int ptlen) -+{ -+ unsigned char *ctbuf = NULL, *ptbuf = NULL; -+ int ret = 0; -+ int len; - --static const unsigned char kat_RSA_X931_SHA256[] = { -- 0x7E, 0xA2, 0x77, 0xFE, 0xB8, 0x54, 0x8A, 0xC7, 0x7F, 0x64, 0x54, 0x89, -- 0xE5, 0x52, 0x15, 0x8E, 0x52, 0x96, 0x4E, 0xA6, 0x58, 0x92, 0x1C, 0xDD, -- 0xEA, 0xA2, 0x2D, 0x5C, 0xD1, 0x62, 0x00, 0x49, 0x05, 0x95, 0x73, 0xCF, -- 0x16, 0x76, 0x68, 0xF6, 0xC6, 0x5E, 0x80, 0xB8, 0xB8, 0x7B, 0xC8, 0x9B, -- 0xC6, 0x53, 0x88, 0x26, 0x20, 0x88, 0x73, 0xB6, 0x13, 0xB8, 0xF0, 0x4B, -- 0x00, 0x85, 0xF3, 0xDD, 0x07, 0x50, 0xEB, 0x20, 0xC4, 0x38, 0x0E, 0x98, -- 0xAD, 0x4E, 0x49, 0x2C, 0xD7, 0x65, 0xA5, 0x19, 0x0E, 0x59, 0x01, 0xEC, -- 0x7E, 0x75, 0x89, 0x69, 0x2E, 0x63, 0x76, 0x85, 0x46, 0x8D, 0xA0, 0x8C, -- 0x33, 0x1D, 0x82, 0x8C, 0x03, 0xEA, 0x69, 0x88, 0x35, 0xA1, 0x42, 0xBD, -- 0x21, 0xED, 0x8D, 0xBC, 0xBC, 0xDB, 0x30, 0xFF, 0x86, 0xF0, 0x5B, 0xDC, -- 0xE3, 0xE2, 0xE8, 0x0A, 0x0A, 0x29, 0x94, 0x80 --}; -+ ctbuf = OPENSSL_malloc(RSA_size(rsa)); -+ if (!ctbuf) -+ goto err; - --static const unsigned char kat_RSA_X931_SHA384[] = { -- 0x5C, 0x7D, 0x96, 0x35, 0xEC, 0x7E, 0x11, 0x38, 0xBB, 0x7B, 0xEC, 0x7B, -- 0xF2, 0x82, 0x8E, 0x99, 0xBD, 0xEF, 0xD8, 0xAE, 0xD7, 0x39, 0x37, 0xCB, -- 0xE6, 0x4F, 0x5E, 0x0A, 0x13, 0xE4, 0x2E, 0x40, 0xB9, 0xBE, 0x2E, 0xE3, -- 0xEF, 0x78, 0x83, 0x18, 0x44, 0x35, 0x9C, 0x8E, 0xD7, 0x4A, 0x63, 0xF6, -- 0x57, 0xC2, 0xB0, 0x08, 0x51, 0x73, 0xCF, 0xCA, 0x99, 0x66, 0xEE, 0x31, -- 0xD8, 0x69, 0xE9, 0xAB, 0x13, 0x27, 0x7B, 0x41, 0x1E, 0x6D, 0x8D, 0xF1, -- 0x3E, 0x9C, 0x35, 0x95, 0x58, 0xDD, 0x2B, 0xD5, 0xA0, 0x60, 0x41, 0x79, -- 0x24, 0x22, 0xE4, 0xB7, 0xBF, 0x47, 0x53, 0xF6, 0x34, 0xD5, 0x7C, 0xFF, -- 0x0E, 0x09, 0xEE, 0x2E, 0xE2, 0x37, 0xB9, 0xDE, 0xC5, 0x12, 0x44, 0x35, -- 0xEF, 0x01, 0xE6, 0x5E, 0x39, 0x31, 0x2D, 0x71, 0xA5, 0xDC, 0xC6, 0x6D, -- 0xE2, 0xCD, 0x85, 0xDB, 0x73, 0x82, 0x65, 0x28 --}; -+ len = RSA_public_encrypt(ptlen, plaintext, ctbuf, rsa, RSA_PKCS1_PADDING); -+ if (len <= 0) -+ goto err; -+ /* Check ciphertext doesn't match plaintext */ -+ if (len >= ptlen && !memcmp(plaintext, ctbuf, ptlen)) -+ goto err; - --static const unsigned char kat_RSA_X931_SHA512[] = { -- 0xA6, 0x65, 0xA2, 0x77, 0x4F, 0xB3, 0x86, 0xCB, 0x64, 0x3A, 0xC1, 0x63, -- 0xFC, 0xA1, 0xAA, 0xCB, 0x9B, 0x79, 0xDD, 0x4B, 0xE1, 0xD9, 0xDA, 0xAC, -- 0xE7, 0x47, 0x09, 0xB2, 0x11, 0x4B, 0x8A, 0xAA, 0x05, 0x9E, 0x77, 0xD7, -- 0x3A, 0xBD, 0x5E, 0x53, 0x09, 0x4A, 0xE6, 0x0F, 0x5E, 0xF9, 0x14, 0x28, -- 0xA0, 0x99, 0x74, 0x64, 0x70, 0x4E, 0xF2, 0xE3, 0xFA, 0xC7, 0xF8, 0xC5, -- 0x6E, 0x2B, 0x79, 0x96, 0x0D, 0x0C, 0xC8, 0x10, 0x34, 0x53, 0xD2, 0xAF, -- 0x17, 0x0E, 0xE0, 0xBF, 0x79, 0xF6, 0x04, 0x72, 0x10, 0xE0, 0xF6, 0xD0, -- 0xCE, 0x8A, 0x6F, 0xA1, 0x95, 0x89, 0xBF, 0x58, 0x8F, 0x46, 0x5F, 0x09, -- 0x9F, 0x09, 0xCA, 0x84, 0x15, 0x85, 0xE0, 0xED, 0x04, 0x2D, 0xFB, 0x7C, -- 0x36, 0x35, 0x21, 0x31, 0xC3, 0xFD, 0x92, 0x42, 0x11, 0x30, 0x71, 0x1B, -- 0x60, 0x83, 0x18, 0x88, 0xA3, 0xF5, 0x59, 0xC3 --}; -+ ptbuf = OPENSSL_malloc(RSA_size(rsa)); -+ if (!ptbuf) -+ goto err; -+ -+ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING); -+ if (len != ptlen) -+ goto err; -+ if (memcmp(ptbuf, plaintext, len)) -+ goto err; -+ -+ ret = 1; -+ -+ err: -+ if (ctbuf) -+ OPENSSL_free(ctbuf); -+ if (ptbuf) -+ OPENSSL_free(ptbuf); -+ return ret; -+} - - int FIPS_selftest_rsa() - { -@@ -352,7 +483,7 @@ int FIPS_selftest_rsa() - if ((pk = EVP_PKEY_new()) == NULL) - goto err; - -- EVP_PKEY_assign_RSA(pk, key); -+ EVP_PKEY_set1_RSA(pk, key); - - if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, - kat_RSA_SHA1, sizeof(kat_RSA_SHA1), -@@ -406,29 +537,7 @@ int FIPS_selftest_rsa() - EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA512 PSS")) - goto err; - -- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -- kat_RSA_X931_SHA1, -- sizeof(kat_RSA_X931_SHA1), EVP_sha1(), -- EVP_MD_CTX_FLAG_PAD_X931, "RSA SHA1 X931")) -- goto err; -- /* NB: SHA224 not supported in X9.31 */ -- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -- kat_RSA_X931_SHA256, -- sizeof(kat_RSA_X931_SHA256), EVP_sha256(), -- EVP_MD_CTX_FLAG_PAD_X931, -- "RSA SHA256 X931")) -- goto err; -- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -- kat_RSA_X931_SHA384, -- sizeof(kat_RSA_X931_SHA384), EVP_sha384(), -- EVP_MD_CTX_FLAG_PAD_X931, -- "RSA SHA384 X931")) -- goto err; -- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -- kat_RSA_X931_SHA512, -- sizeof(kat_RSA_X931_SHA512), EVP_sha512(), -- EVP_MD_CTX_FLAG_PAD_X931, -- "RSA SHA512 X931")) -+ if (!fips_rsa_encrypt_test(key, kat_tbs, sizeof(kat_tbs) - 1)) - goto err; - - ret = 1; -@@ -436,7 +545,7 @@ int FIPS_selftest_rsa() - err: - if (pk) - EVP_PKEY_free(pk); -- else if (key) -+ if (key) - RSA_free(key); - return ret; - } -diff --git a/crypto/rand/rand_lcl.h b/crypto/rand/rand_lcl.h -index f9fda3e..93b9896 100644 ---- a/crypto/rand/rand_lcl.h -+++ b/crypto/rand/rand_lcl.h -@@ -112,7 +112,7 @@ - #ifndef HEADER_RAND_LCL_H - # define HEADER_RAND_LCL_H - --# define ENTROPY_NEEDED 32 /* require 256 bits = 32 bytes of randomness */ -+# define ENTROPY_NEEDED 48 /* require 384 bits = 48 bytes of randomness */ - - # if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND) - # if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) -diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c -index 88a78d3..adf572f 100644 ---- a/crypto/rand/rand_lib.c -+++ b/crypto/rand/rand_lib.c -@@ -236,12 +236,22 @@ static int drbg_rand_add(DRBG_CTX *ctx, const void *in, int inlen, - double entropy) - { - RAND_SSLeay()->add(in, inlen, entropy); -+ if (FIPS_rand_status()) { -+ CRYPTO_w_lock(CRYPTO_LOCK_RAND); -+ FIPS_drbg_reseed(ctx, NULL, 0); -+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND); -+ } - return 1; - } - - static int drbg_rand_seed(DRBG_CTX *ctx, const void *in, int inlen) - { - RAND_SSLeay()->seed(in, inlen); -+ if (FIPS_rand_status()) { -+ CRYPTO_w_lock(CRYPTO_LOCK_RAND); -+ FIPS_drbg_reseed(ctx, NULL, 0); -+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND); -+ } - return 1; - } - -diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c -index c6c0a75..675f645 100644 ---- a/crypto/rsa/rsa_gen.c -+++ b/crypto/rsa/rsa_gen.c -@@ -1,5 +1,6 @@ - /* crypto/rsa/rsa_gen.c */ - /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) -+ * Copyright (C) 2013 Red Hat, Inc. - * All rights reserved. - * - * This package is an SSL implementation written -@@ -169,6 +170,259 @@ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) - return rsa_builtin_keygen(rsa, bits, e_value, cb); - } - -+#ifdef OPENSSL_FIPS -+static int FIPS_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, -+ BN_GENCB *cb) -+{ -+ BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp; -+ BIGNUM local_r0, local_d, local_p; -+ BIGNUM *pr0, *d, *p; -+ BN_CTX *ctx = NULL; -+ int ok = -1; -+ int i; -+ int n = 0; -+ int test = 0; -+ int pbits = bits / 2; -+ -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED); -+ return 0; -+ } -+ -+ if ((pbits & 0xFF) -+ || (getenv("OPENSSL_ENFORCE_MODULUS_BITS") && bits != 2048 -+ && bits != 3072)) { -+ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_INVALID_KEY_LENGTH); -+ return 0; -+ } -+ -+ ctx = BN_CTX_new(); -+ if (ctx == NULL) -+ goto err; -+ BN_CTX_start(ctx); -+ r0 = BN_CTX_get(ctx); -+ r1 = BN_CTX_get(ctx); -+ r2 = BN_CTX_get(ctx); -+ r3 = BN_CTX_get(ctx); -+ -+ if (r3 == NULL) -+ goto err; -+ -+ /* We need the RSA components non-NULL */ -+ if (!rsa->n && ((rsa->n = BN_new()) == NULL)) -+ goto err; -+ if (!rsa->d && ((rsa->d = BN_new()) == NULL)) -+ goto err; -+ if (!rsa->e && ((rsa->e = BN_new()) == NULL)) -+ goto err; -+ if (!rsa->p && ((rsa->p = BN_new()) == NULL)) -+ goto err; -+ if (!rsa->q && ((rsa->q = BN_new()) == NULL)) -+ goto err; -+ if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL)) -+ goto err; -+ if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL)) -+ goto err; -+ if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL)) -+ goto err; -+ -+ if (!BN_set_word(r0, RSA_F4)) -+ goto err; -+ if (BN_cmp(e_value, r0) < 0 || BN_num_bits(e_value) > 256) { -+ ok = 0; /* we set our own err */ -+ RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_BAD_E_VALUE); -+ goto err; -+ } -+ -+ /* prepare approximate minimum p and q */ -+ if (!BN_set_word(r0, 0xB504F334)) -+ goto err; -+ if (!BN_lshift(r0, r0, pbits - 32)) -+ goto err; -+ -+ /* prepare minimum p and q difference */ -+ if (!BN_one(r3)) -+ goto err; -+ if (!BN_lshift(r3, r3, pbits - 100)) -+ goto err; -+ -+ BN_copy(rsa->e, e_value); -+ -+ if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q)) -+ test = 1; -+ -+ retry: -+ /* generate p and q */ -+ for (i = 0; i < 5 * pbits; i++) { -+ ploop: -+ if (!test) -+ if (!BN_rand(rsa->p, pbits, 0, 1)) -+ goto err; -+ if (BN_cmp(rsa->p, r0) < 0) { -+ if (test) -+ goto err; -+ goto ploop; -+ } -+ -+ if (!BN_sub(r2, rsa->p, BN_value_one())) -+ goto err; -+ if (!BN_gcd(r1, r2, rsa->e, ctx)) -+ goto err; -+ if (BN_is_one(r1)) { -+ int r; -+ r = BN_is_prime_fasttest_ex(rsa->p, pbits > 1024 ? 4 : 5, ctx, 0, -+ cb); -+ if (r == -1 || (test && r <= 0)) -+ goto err; -+ if (r > 0) -+ break; -+ } -+ -+ if (!BN_GENCB_call(cb, 2, n++)) -+ goto err; -+ } -+ -+ if (!BN_GENCB_call(cb, 3, 0)) -+ goto err; -+ -+ if (i >= 5 * pbits) -+ /* prime not found */ -+ goto err; -+ -+ for (i = 0; i < 5 * pbits; i++) { -+ qloop: -+ if (!test) -+ if (!BN_rand(rsa->q, pbits, 0, 1)) -+ goto err; -+ if (BN_cmp(rsa->q, r0) < 0) { -+ if (test) -+ goto err; -+ goto qloop; -+ } -+ if (!BN_sub(r2, rsa->q, rsa->p)) -+ goto err; -+ if (BN_ucmp(r2, r3) <= 0) { -+ if (test) -+ goto err; -+ goto qloop; -+ } -+ -+ if (!BN_sub(r2, rsa->q, BN_value_one())) -+ goto err; -+ if (!BN_gcd(r1, r2, rsa->e, ctx)) -+ goto err; -+ if (BN_is_one(r1)) { -+ int r; -+ r = BN_is_prime_fasttest_ex(rsa->q, pbits > 1024 ? 4 : 5, ctx, 0, -+ cb); -+ if (r == -1 || (test && r <= 0)) -+ goto err; -+ if (r > 0) -+ break; -+ } -+ -+ if (!BN_GENCB_call(cb, 2, n++)) -+ goto err; -+ } -+ -+ if (!BN_GENCB_call(cb, 3, 1)) -+ goto err; -+ -+ if (i >= 5 * pbits) -+ /* prime not found */ -+ goto err; -+ -+ if (test) { -+ /* do not try to calculate the remaining key values */ -+ BN_clear(rsa->n); -+ ok = 1; -+ goto err; -+ } -+ -+ if (BN_cmp(rsa->p, rsa->q) < 0) { -+ tmp = rsa->p; -+ rsa->p = rsa->q; -+ rsa->q = tmp; -+ } -+ -+ /* calculate n */ -+ if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx)) -+ goto err; -+ -+ /* calculate d */ -+ if (!BN_sub(r1, rsa->p, BN_value_one())) -+ goto err; /* p-1 */ -+ if (!BN_sub(r2, rsa->q, BN_value_one())) -+ goto err; /* q-1 */ -+ -+ if (!BN_gcd(r0, r1, r2, ctx)) -+ goto err; -+ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { -+ pr0 = &local_r0; -+ BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); -+ } else -+ pr0 = r0; -+ if (!BN_div(r0, NULL, r1, pr0, ctx)) -+ goto err; -+ if (!BN_mul(r0, r0, r2, ctx)) -+ goto err; /* lcm(p-1, q-1) */ -+ -+ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { -+ pr0 = &local_r0; -+ BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); -+ } else -+ pr0 = r0; -+ if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) -+ goto err; /* d */ -+ -+ if (BN_num_bits(rsa->d) < pbits) -+ goto retry; /* d is too small */ -+ -+ /* set up d for correct BN_FLG_CONSTTIME flag */ -+ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { -+ d = &local_d; -+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); -+ } else -+ d = rsa->d; -+ -+ /* calculate d mod (p-1) */ -+ if (!BN_mod(rsa->dmp1, d, r1, ctx)) -+ goto err; -+ -+ /* calculate d mod (q-1) */ -+ if (!BN_mod(rsa->dmq1, d, r2, ctx)) -+ goto err; -+ -+ /* calculate inverse of q mod p */ -+ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { -+ p = &local_p; -+ BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); -+ } else -+ p = rsa->p; -+ if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) -+ goto err; -+ -+ if (fips_rsa_pairwise_fail) -+ BN_add_word(rsa->n, 1); -+ -+ if (!fips_check_rsa(rsa)) -+ goto err; -+ -+ ok = 1; -+ err: -+ if (ok == -1) { -+ RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN); -+ ok = 0; -+ } -+ if (ctx != NULL) { -+ BN_CTX_end(ctx); -+ BN_CTX_free(ctx); -+ } -+ -+ return ok; -+} -+#endif -+ - static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, - BN_GENCB *cb) - { -@@ -180,15 +434,11 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, - - #ifdef OPENSSL_FIPS - if (FIPS_module_mode()) { -- if (FIPS_selftest_failed()) { -- FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED); -- return 0; -- } -- - if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) { - FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_KEY_TOO_SHORT); - return 0; - } -+ return FIPS_rsa_builtin_keygen(rsa, bits, e_value, cb); - } - #endif - -@@ -317,16 +567,6 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, - if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) - goto err; - --#ifdef OPENSSL_FIPS -- if (FIPS_module_mode()) { -- if (fips_rsa_pairwise_fail) -- BN_add_word(rsa->n, 1); -- -- if (!fips_check_rsa(rsa)) -- goto err; -- } --#endif -- - ok = 1; - err: - if (ok == -1) { -diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c -index 514fcb3..ec15996 100644 ---- a/ssl/t1_enc.c -+++ b/ssl/t1_enc.c -@@ -292,6 +292,23 @@ static int tls1_PRF(long digest_mask, - return ret; - } - -+int private_tls1_PRF(long digest_mask, -+ const void *seed1, int seed1_len, -+ const void *seed2, int seed2_len, -+ const void *seed3, int seed3_len, -+ const void *seed4, int seed4_len, -+ const void *seed5, int seed5_len, -+ const unsigned char *sec, int slen, -+ unsigned char *out1, unsigned char *out2, int olen) -+{ -+ return tls1_PRF(digest_mask, -+ seed1, seed1_len, -+ seed2, seed2_len, -+ seed3, seed3_len, -+ seed4, seed4_len, -+ seed5, seed5_len, sec, slen, out1, out2, olen); -+} -+ - static int tls1_generate_key_block(SSL *s, unsigned char *km, - unsigned char *tmp, int num) - { diff -Nru openssl-1.0.2g/debian/patches/openssl-1.0.2g-ubuntu-fips-cleanup.patch openssl-1.0.2g/debian/patches/openssl-1.0.2g-ubuntu-fips-cleanup.patch --- openssl-1.0.2g/debian/patches/openssl-1.0.2g-ubuntu-fips-cleanup.patch 2016-04-12 20:33:22.000000000 +0000 +++ openssl-1.0.2g/debian/patches/openssl-1.0.2g-ubuntu-fips-cleanup.patch 2016-04-15 04:56:29.000000000 +0000 @@ -1,12 +1,15 @@ -From: Joy Latten -Description: [PATCH 6/6] Use upstream algorithms and cleanup compiler warnings. -Bug-Ubuntu: http://bugs.launchpad.net/bugs/1553309 -Forwarded: not-needed +commit f13fe282dfde82d0b079805beacd0ccf8905af3a +Author: Joy Latten +Date: Thu Apr 14 02:14:18 2016 -0500 + + From: Joy Latten + Description: [PATCH 6/6] Use upstream algorithms and cleanup compiler warnings. + Forwarded: not-needed -Use the DSA, DSA2 and error codes from upstream openssl for fips; allow all the -EC curves from upstream; use fips_utl.h from upstream; remove fips prngs that -are no longer allowed; cleanup compiler warnings; add additional tests from -upstream to fips_test-suite. + Use the DSA, DSA2, error codes, and EC curves from upstream openssl for fips; + use fips_utl.h from upstream; remove fips prngs from Makefile since fips + no longer allows them; cleanup compiler warnings; add additional tests from + upstream to fips-test-suite. diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h index 4abe46c..45e1472 100644 @@ -114,7 +117,7 @@ }; diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c -index cd6a64c..40a73bc 100644 +index ca86915..40a73bc 100644 --- a/crypto/dsa/dsa_gen.c +++ b/crypto/dsa/dsa_gen.c @@ -84,21 +84,9 @@ @@ -183,7 +186,7 @@ + int counter = 0; + int r = 0; BN_CTX *ctx = NULL; -- +- -# ifdef OPENSSL_FIPS + unsigned int h = 2; +#ifdef OPENSSL_FIPS @@ -199,12 +202,8 @@ - 256) - && (bits != 3072 || qbits != 256)) { - DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID); -+ if (FIPS_module_mode() && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW) -+ && ((bits != 1024 || qbits != 160) && (bits != 2048 || qbits != 224) -+ && (bits != 2048 || qbits != 256) && (bits != 3072 || qbits != 256))) { -+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_TOO_SMALL); - goto err; - } +- goto err; +- } -# endif - if (seed_len && (seed_len < (size_t)qsize)) - seed_in = NULL; /* seed buffer too small -- ignore */ @@ -215,19 +214,23 @@ - memcpy(seed, seed_in, seed_len); - else - seed_len = 0; -- +- - if ((ctx = BN_CTX_new()) == NULL) - goto err; -- +- - BN_CTX_start(ctx); -- +- - if (!FIPS_dsa_generate_pq(ctx, bits, qbits, evpmd, - seed, seed_len, &p, &q, counter_ret, cb)) -- goto err; -- ++ if (FIPS_module_mode() && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW) ++ && ((bits != 1024 || qbits != 160) && (bits != 2048 || qbits != 224) ++ && (bits != 2048 || qbits != 256) && (bits != 3072 || qbits != 256))) { ++ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_TOO_SMALL); + goto err; +- - if (!FIPS_dsa_generate_g(ctx, p, q, &g, h_ret, cb)) - goto err; -- +- - ok = 1; - err: - if (ok) { @@ -252,7 +255,7 @@ - if (ctx) { - BN_CTX_end(ctx); - BN_CTX_free(ctx); -- } + } - return ok; -} - @@ -802,7 +805,7 @@ } if (h != 2) { diff --git a/crypto/ec/ec2_smpl.c b/crypto/ec/ec2_smpl.c -index 3d7c3b8..d5cb4a9 100644 +index 5b27b91..d5cb4a9 100644 --- a/crypto/ec/ec2_smpl.c +++ b/crypto/ec/ec2_smpl.c @@ -73,10 +73,6 @@ @@ -816,8 +819,20 @@ const EC_METHOD *EC_GF2m_simple_method(void) { static const EC_METHOD ret = { +@@ -124,11 +120,6 @@ const EC_METHOD *EC_GF2m_simple_method(void) + 0 /* field_set_to_one */ + }; + +-# ifdef OPENSSL_FIPS +- if (FIPS_mode()) +- return fips_ec_gf2m_simple_method(); +-# endif +- + return &ret; + } + diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c -index fb4424d..81846ec 100644 +index 6dbe9d8..81846ec 100644 --- a/crypto/ec/ec_curve.c +++ b/crypto/ec/ec_curve.c @@ -75,10 +75,6 @@ @@ -831,6 +846,17 @@ typedef struct { int field_type, /* either NID_X9_62_prime_field or * NID_X9_62_characteristic_two_field */ +@@ -3162,10 +3158,6 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int nid) + size_t i; + EC_GROUP *ret = NULL; + +-#ifdef OPENSSL_FIPS +- if (FIPS_mode()) +- return FIPS_ec_group_new_by_curve_name(nid); +-#endif + if (nid <= 0) + return NULL; + diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c index b0e69cb..6edb60a 100644 --- a/crypto/ec/ecp_smpl.c @@ -904,10 +930,10 @@ FIPS_ERROR_IGNORED("Cipher update"); return 0; diff --git a/crypto/fips/Makefile b/crypto/fips/Makefile -index 9c48503..7d5e0e3 100644 +index 8d4bf9a..3fef7c9 100644 --- a/crypto/fips/Makefile +++ b/crypto/fips/Makefile -@@ -13,30 +13,33 @@ AR= ar r +@@ -13,21 +13,21 @@ AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile @@ -915,37 +941,25 @@ +TEST=fips_test_suite.c APPS= - #PROGRAM= fips_standalone_hmac +-PROGRAM= fips_standalone_hmac ++#PROGRAM= fips_standalone_hmac EXE= $(PROGRAM)$(EXE_EXT) LIB=$(TOP)/libcrypto.a -LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_selftest.c \ -- fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \ -- fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ -- fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ -- fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c \ -- fips_dh_selftest.c +LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c \ -+ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c \ -+ fips_rand.c fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c \ -+ fips_drbg_hash.c fips_drbg_hmac.c fips_drbg_lib.c fips_drbg_rand.c \ -+ fips_drbg_selftest.c fips_rand_lib.c fips_cmac_selftest.c \ -+ fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c \ -+ fips_dh_selftest.c + fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \ + fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ + fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ + fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c \ + fips_dh_selftest.c -LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \ -- fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \ -- fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \ -- fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \ -- fips_cmac_selftest.o fips_ecdh_selftest.o fips_ecdsa_selftest.o fips_enc.o fips_md.o \ -- fips_dh_selftest.o +LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o \ -+ fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o \ -+ fips_rand.o fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o \ -+ fips_drbg_hash.o fips_drbg_hmac.o fips_drbg_lib.o fips_drbg_rand.o \ -+ fips_drbg_selftest.o fips_rand_lib.o fips_cmac_selftest.o \ -+ fips_ecdh_selftest.o fips_ecdsa_selftest.o fips_enc.o fips_md.o \ -+ fips_dh_selftest.o + fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \ + fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \ + fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \ +@@ -36,7 +36,8 @@ LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_se LIBCRYPTO=-L.. -lcrypto @@ -956,7 +970,7 @@ EXHEADER= fips.h fips_rand.h HEADER= $(EXHEADER) diff --git a/crypto/fips/fips.c b/crypto/fips/fips.c -index 07d6ece..689e8e5 100644 +index c4602e2..2a63bd5 100644 --- a/crypto/fips/fips.c +++ b/crypto/fips/fips.c @@ -371,21 +371,6 @@ static int verify_checksums(void) @@ -999,7 +1013,7 @@ fips_w_unlock(); return ret; diff --git a/crypto/fips/fips.h b/crypto/fips/fips.h -index 38f0783..d572806 100644 +index 8c9be43..d39204d 100644 --- a/crypto/fips/fips.h +++ b/crypto/fips/fips.h @@ -92,7 +92,6 @@ extern "C" { @@ -1215,11 +1229,158 @@ # ifdef __cplusplus } +diff --git a/crypto/fips/fips_cmac_selftest.c b/crypto/fips/fips_cmac_selftest.c +index 9e75ec9..3955c35 100644 +--- a/crypto/fips/fips_cmac_selftest.c ++++ b/crypto/fips/fips_cmac_selftest.c +@@ -49,11 +49,12 @@ + + #include + #include +-#include + #include +-#include "fips_locl.h" + + #ifdef OPENSSL_FIPS ++#include ++#include "fips_locl.h" ++ + typedef struct { + int nid; + const unsigned char key[EVP_MAX_KEY_LENGTH]; +diff --git a/crypto/fips/fips_dh_selftest.c b/crypto/fips/fips_dh_selftest.c +index 2b1eb25..e205bad 100644 +--- a/crypto/fips/fips_dh_selftest.c ++++ b/crypto/fips/fips_dh_selftest.c +@@ -51,13 +51,13 @@ + #include + #include + #include +-#include + #include + #include + #include +-#include "fips_locl.h" + + #ifdef OPENSSL_FIPS ++#include ++#include "fips_locl.h" + + static const unsigned char dh_test_2048_p[] = { + 0xAE, 0xEC, 0xEE, 0x22, 0xFA, 0x3A, 0xA5, 0x22, 0xC0, 0xDE, 0x0F, 0x09, +diff --git a/crypto/fips/fips_drbg_ctr.c b/crypto/fips/fips_drbg_ctr.c +index a830b2c..11b5f92 100644 +--- a/crypto/fips/fips_drbg_ctr.c ++++ b/crypto/fips/fips_drbg_ctr.c +@@ -54,6 +54,8 @@ + #include + #include + #include ++ ++#ifdef OPENSSL_FIPS + #include + #include + #include "fips_rand_lcl.h" +@@ -413,3 +415,4 @@ int fips_drbg_ctr_init(DRBG_CTX *dctx) + + return 1; + } ++#endif +diff --git a/crypto/fips/fips_drbg_hash.c b/crypto/fips/fips_drbg_hash.c +index b19420a..176a9e6 100644 +--- a/crypto/fips/fips_drbg_hash.c ++++ b/crypto/fips/fips_drbg_hash.c +@@ -56,6 +56,8 @@ + #include + #include + #include ++ ++#ifdef OPENSSL_FIPS + #include + #include + #include "fips_rand_lcl.h" +@@ -356,3 +358,4 @@ int fips_drbg_hash_init(DRBG_CTX *dctx) + + return 1; + } ++#endif +diff --git a/crypto/fips/fips_drbg_hmac.c b/crypto/fips/fips_drbg_hmac.c +index 105db12..7e1bfc3 100644 +--- a/crypto/fips/fips_drbg_hmac.c ++++ b/crypto/fips/fips_drbg_hmac.c +@@ -57,6 +57,8 @@ + #include + #include + #include ++ ++#ifdef OPENSSL_FIPS + #include + #include + #include "fips_rand_lcl.h" +@@ -268,3 +270,4 @@ int fips_drbg_hmac_init(DRBG_CTX *dctx) + + return 1; + } ++#endif +diff --git a/crypto/fips/fips_drbg_lib.c b/crypto/fips/fips_drbg_lib.c +index 1a71322..d8c7407 100644 +--- a/crypto/fips/fips_drbg_lib.c ++++ b/crypto/fips/fips_drbg_lib.c +@@ -53,6 +53,8 @@ + #include + #include + #include ++ ++#ifdef OPENSSL_FIPS + #include + #include "fips_locl.h" + #include "fips_rand_lcl.h" +@@ -551,3 +553,4 @@ int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out) + memcpy(dctx->lb, out, dctx->blocklength); + return 1; + } ++#endif +diff --git a/crypto/fips/fips_drbg_rand.c b/crypto/fips/fips_drbg_rand.c +index 43600dd..bb523c8 100644 +--- a/crypto/fips/fips_drbg_rand.c ++++ b/crypto/fips/fips_drbg_rand.c +@@ -55,6 +55,8 @@ + #include + #include + #include ++ ++#ifdef OPENSSL_FIPS + #include + #include "fips_rand_lcl.h" + +@@ -164,3 +166,4 @@ const RAND_METHOD *FIPS_drbg_method(void) + { + return &rand_drbg_meth; + } ++#endif diff --git a/crypto/fips/fips_drbg_selftest.c b/crypto/fips/fips_drbg_selftest.c -index cc4e61a..7a5b1a0 100644 +index 1397202..7a5b1a0 100644 --- a/crypto/fips/fips_drbg_selftest.c +++ b/crypto/fips/fips_drbg_selftest.c -@@ -758,16 +758,11 @@ int FIPS_drbg_health_check(DRBG_CTX *dctx) +@@ -10,7 +10,7 @@ + * are met: + * + * 1. Redistributions of source code must retain the above copyright +- * notice, this list of conditions and the following disclaimer. ++ * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in +@@ -54,6 +54,8 @@ + #include + #include + #include ++ ++#ifdef OPENSSL_FIPS + #include + #include "fips_rand_lcl.h" + #include "fips_locl.h" +@@ -756,16 +758,11 @@ int FIPS_drbg_health_check(DRBG_CTX *dctx) int rv; DRBG_CTX *tctx = NULL; tctx = FIPS_drbg_new(0, 0); @@ -1236,7 +1397,7 @@ if (!rv) dctx->status = DRBG_STATUS_ERROR; else -@@ -786,15 +781,10 @@ int FIPS_selftest_drbg(void) +@@ -784,15 +781,10 @@ int FIPS_selftest_drbg(void) for (td = drbg_test; td->nid != 0; td++) { if (td->post != 1) continue; @@ -1252,7 +1413,7 @@ } FIPS_drbg_free(dctx); return rv; -@@ -809,20 +799,14 @@ int FIPS_selftest_drbg_all(void) +@@ -807,21 +799,16 @@ int FIPS_selftest_drbg_all(void) if (!dctx) return 0; for (td = drbg_test; td->nid != 0; td++) { @@ -1273,8 +1434,75 @@ } FIPS_drbg_free(dctx); return rv; + } ++#endif +diff --git a/crypto/fips/fips_dsa_selftest.c b/crypto/fips/fips_dsa_selftest.c +index 4c0da82..521c346 100644 +--- a/crypto/fips/fips_dsa_selftest.c ++++ b/crypto/fips/fips_dsa_selftest.c +@@ -50,13 +50,13 @@ + #include + #include + #include +-#include + #include + #include + #include +-#include "fips_locl.h" + + #ifdef OPENSSL_FIPS ++#include ++#include "fips_locl.h" + + static const unsigned char dsa_test_2048_p[] = { + 0xa8, 0x53, 0x78, 0xd8, 0xfd, 0x3f, 0x8d, 0x72, 0xec, 0x74, 0x18, 0x08, +diff --git a/crypto/fips/fips_ecdh_selftest.c b/crypto/fips/fips_ecdh_selftest.c +index 8cad5ad..2b7341e 100644 +--- a/crypto/fips/fips_ecdh_selftest.c ++++ b/crypto/fips/fips_ecdh_selftest.c +@@ -58,13 +58,13 @@ + #include + #include + #include +-#include + #include + #include + #include + + #ifdef OPENSSL_FIPS + ++#include + # include "fips_locl.h" + + static const unsigned char p256_qcavsx[] = { +@@ -207,7 +207,6 @@ int FIPS_selftest_ecdh(void) + ztmp[0] ^= 0x1; + + if (memcmp(ztmp, ecd->z, ecd->zlen)) { +- fips_post_failed(FIPS_TEST_ECDH, ecd->curve, 0); + rv = 0; + } else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0)) + goto err; +diff --git a/crypto/fips/fips_ecdsa_selftest.c b/crypto/fips/fips_ecdsa_selftest.c +index 4ce6e81..a654582 100644 +--- a/crypto/fips/fips_ecdsa_selftest.c ++++ b/crypto/fips/fips_ecdsa_selftest.c +@@ -58,12 +58,12 @@ + #include + #include + #include +-#include + #include + #include + #include + + #ifdef OPENSSL_FIPS ++#include + + static const char P_256_name[] = "ECDSA P-256"; + diff --git a/crypto/fips/fips_post.c b/crypto/fips/fips_post.c -index de1dd4d..210ffff 100644 +index 2b19651..9ca4b20 100644 --- a/crypto/fips/fips_post.c +++ b/crypto/fips/fips_post.c @@ -72,9 +72,7 @@ int FIPS_selftest(void) @@ -1289,7 +1517,7 @@ rv = 0; if (!FIPS_selftest_sha2()) diff --git a/crypto/fips/fips_rand.c b/crypto/fips/fips_rand.c -index 74d31f0..ac6e0db 100644 +index c5060a2..cc2254a 100644 --- a/crypto/fips/fips_rand.c +++ b/crypto/fips/fips_rand.c @@ -60,10 +60,6 @@ @@ -1303,10 +1531,11 @@ #if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS)) # include #endif -@@ -84,154 +80,6 @@ - #include +@@ -83,154 +79,8 @@ #include "fips_locl.h" + #ifdef OPENSSL_FIPS +- -void *OPENSSL_stderr(void); - -# define AES_BLOCK_LENGTH 16 @@ -1454,11 +1683,12 @@ - memcpy(sctx.DT, dt, AES_BLOCK_LENGTH); - return 1; -} -- ++#include ++#include "fips_locl.h" + void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr) { - # ifdef OPENSSL_SYS_WIN32 -@@ -292,137 +140,4 @@ void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr) +@@ -292,137 +142,4 @@ void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr) buf[15] = (unsigned char)((pid >> 24) & 0xff); # endif } @@ -1597,7 +1827,7 @@ - #endif diff --git a/crypto/fips/fips_rand.h b/crypto/fips/fips_rand.h -index 3b44e7d..41d4889 100644 +index e78eb35..e25e57c 100644 --- a/crypto/fips/fips_rand.h +++ b/crypto/fips/fips_rand.h @@ -61,19 +61,7 @@ @@ -1638,7 +1868,7 @@ # ifdef __cplusplus } diff --git a/crypto/fips/fips_rand_lcl.h b/crypto/fips/fips_rand_lcl.h -index 352803f..d5b016c 100644 +index 0a1d251..5aff0bb 100644 --- a/crypto/fips/fips_rand_lcl.h +++ b/crypto/fips/fips_rand_lcl.h @@ -205,8 +205,6 @@ int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out); @@ -1651,10 +1881,18 @@ #define FIPS_digestupdate EVP_DigestUpdate #define FIPS_digestfinal EVP_DigestFinal diff --git a/crypto/fips/fips_rand_lib.c b/crypto/fips/fips_rand_lib.c -index a2054a0..aa93547 100644 +index 6f2ccc6..ab35ee0 100644 --- a/crypto/fips/fips_rand_lib.c +++ b/crypto/fips/fips_rand_lib.c -@@ -75,8 +75,6 @@ int FIPS_rand_set_method(const RAND_METHOD *meth) +@@ -50,6 +50,7 @@ + #include + #include + #include ++#ifdef OPENSSL_FIPS + #include + #include + #include "e_os.h" +@@ -73,8 +74,6 @@ int FIPS_rand_set_method(const RAND_METHOD *meth) if (!fips_rand_bits) { if (meth == FIPS_drbg_method()) fips_approved_rand_meth = 1; @@ -1663,7 +1901,7 @@ else { fips_approved_rand_meth = 0; if (FIPS_module_mode()) { -@@ -171,8 +169,6 @@ int FIPS_rand_strength(void) +@@ -169,8 +168,6 @@ int FIPS_rand_strength(void) return fips_rand_bits; if (fips_approved_rand_meth == 1) return FIPS_drbg_get_strength(FIPS_get_default_drbg()); @@ -1672,443 +1910,13 @@ else if (fips_approved_rand_meth == 0) { if (FIPS_module_mode()) return 0; -diff --git a/crypto/fips/fips_rand_selftest.c b/crypto/fips/fips_rand_selftest.c -deleted file mode 100644 -index 4087357..0000000 ---- a/crypto/fips/fips_rand_selftest.c -+++ /dev/null -@@ -1,176 +0,0 @@ --/* ==================================================================== -- * Copyright (c) 2003 The OpenSSL Project. All rights reserved. -- * -- * Redistribution and use in source and binary forms, with or without -- * modification, are permitted provided that the following conditions -- * are met: -- * -- * 1. Redistributions of source code must retain the above copyright -- * notice, this list of conditions and the following disclaimer. -- * -- * 2. Redistributions in binary form must reproduce the above copyright -- * notice, this list of conditions and the following disclaimer in -- * the documentation and/or other materials provided with the -- * distribution. -- * -- * 3. All advertising materials mentioning features or use of this -- * software must display the following acknowledgment: -- * "This product includes software developed by the OpenSSL Project -- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -- * -- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -- * endorse or promote products derived from this software without -- * prior written permission. For written permission, please contact -- * openssl-core@openssl.org. -- * -- * 5. Products derived from this software may not be called "OpenSSL" -- * nor may "OpenSSL" appear in their names without prior written -- * permission of the OpenSSL Project. -- * -- * 6. Redistributions of any form whatsoever must retain the following -- * acknowledgment: -- * "This product includes software developed by the OpenSSL Project -- * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -- * -- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -- * OF THE POSSIBILITY OF SUCH DAMAGE. -- * -- */ -- --#include --#include --#include -- --#ifdef OPENSSL_FIPS --#include --#include --#include "fips_locl.h" -- --typedef struct { -- unsigned char DT[16]; -- unsigned char V[16]; -- unsigned char R[16]; --} AES_PRNG_TV; -- --/* The following test vectors are taken directly from the RGNVS spec */ -- --static unsigned char aes_128_key[16] = -- { 0xf3, 0xb1, 0x66, 0x6d, 0x13, 0x60, 0x72, 0x42, -- 0xed, 0x06, 0x1c, 0xab, 0xb8, 0xd4, 0x62, 0x02 --}; -- --static AES_PRNG_TV aes_128_tv = { -- /* DT */ -- {0xe6, 0xb3, 0xbe, 0x78, 0x2a, 0x23, 0xfa, 0x62, -- 0xd7, 0x1d, 0x4a, 0xfb, 0xb0, 0xe9, 0x22, 0xf9}, -- /* V */ -- {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, -- /* R */ -- {0x59, 0x53, 0x1e, 0xd1, 0x3b, 0xb0, 0xc0, 0x55, -- 0x84, 0x79, 0x66, 0x85, 0xc1, 0x2f, 0x76, 0x41} --}; -- --static unsigned char aes_192_key[24] = -- { 0x15, 0xd8, 0x78, 0x0d, 0x62, 0xd3, 0x25, 0x6e, -- 0x44, 0x64, 0x10, 0x13, 0x60, 0x2b, 0xa9, 0xbc, -- 0x4a, 0xfb, 0xca, 0xeb, 0x4c, 0x8b, 0x99, 0x3b --}; -- --static AES_PRNG_TV aes_192_tv = { -- /* DT */ -- {0x3f, 0xd8, 0xff, 0xe8, 0x80, 0x69, 0x8b, 0xc1, -- 0xbf, 0x99, 0x7d, 0xa4, 0x24, 0x78, 0xf3, 0x4b}, -- /* V */ -- {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, -- /* R */ -- {0x17, 0x07, 0xd5, 0x28, 0x19, 0x79, 0x1e, 0xef, -- 0xa5, 0x0c, 0xbf, 0x25, 0xe5, 0x56, 0xb4, 0x93} --}; -- --static unsigned char aes_256_key[32] = -- { 0x6d, 0x14, 0x06, 0x6c, 0xb6, 0xd8, 0x21, 0x2d, -- 0x82, 0x8d, 0xfa, 0xf2, 0x7a, 0x03, 0xb7, 0x9f, -- 0x0c, 0xc7, 0x3e, 0xcd, 0x76, 0xeb, 0xee, 0xb5, -- 0x21, 0x05, 0x8c, 0x4f, 0x31, 0x7a, 0x80, 0xbb --}; -- --static AES_PRNG_TV aes_256_tv = { -- /* DT */ -- {0xda, 0x3a, 0x41, 0xec, 0x1d, 0xa3, 0xb0, 0xd5, -- 0xf2, 0xa9, 0x4e, 0x34, 0x74, 0x8e, 0x9e, 0x88}, -- /* V */ -- {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, -- /* R */ -- {0x35, 0xc7, 0xef, 0xa7, 0x78, 0x4d, 0x29, 0xbc, -- 0x82, 0x79, 0x99, 0xfb, 0xd0, 0xb3, 0x3b, 0x72} --}; -- --void FIPS_corrupt_rng() --{ -- aes_192_tv.V[0]++; --} -- --# define fips_x931_test(key, tv) \ -- do_x931_test(key, sizeof key, &tv) -- --static int do_x931_test(unsigned char *key, int keylen, AES_PRNG_TV * tv) --{ -- unsigned char R[16], V[16]; -- int rv = 1; -- memcpy(V, tv->V, sizeof(V)); -- if (!FIPS_x931_set_key(key, keylen)) -- return 0; -- if (!fips_post_started(FIPS_TEST_X931, keylen, NULL)) -- return 1; -- if (!fips_post_corrupt(FIPS_TEST_X931, keylen, NULL)) -- V[0]++; -- FIPS_x931_seed(V, 16); -- FIPS_x931_set_dt(tv->DT); -- FIPS_x931_bytes(R, 16); -- if (memcmp(R, tv->R, 16)) { -- fips_post_failed(FIPS_TEST_X931, keylen, NULL); -- rv = 0; -- } else if (!fips_post_success(FIPS_TEST_X931, keylen, NULL)) -- return 0; -- return rv; --} -- --int FIPS_selftest_x931() --{ -- int rv = 1; -- FIPS_x931_reset(); -- if (!FIPS_x931_test_mode()) { -- FIPSerr(FIPS_F_FIPS_SELFTEST_X931, FIPS_R_SELFTEST_FAILED); -- return 0; -- } -- if (!fips_x931_test(aes_128_key, aes_128_tv)) -- rv = 0; -- if (!fips_x931_test(aes_192_key, aes_192_tv)) -- rv = 0; -- if (!fips_x931_test(aes_256_key, aes_256_tv)) -- rv = 0; -- FIPS_x931_reset(); -- if (!rv) -- FIPSerr(FIPS_F_FIPS_SELFTEST_X931, FIPS_R_SELFTEST_FAILED); -- return rv; --} -- --int FIPS_selftest_rng(void) --{ -- return FIPS_selftest_x931(); --} -- --#endif -diff --git a/crypto/fips/fips_randtest.c b/crypto/fips/fips_randtest.c -deleted file mode 100644 -index 8c4a1fc..0000000 ---- a/crypto/fips/fips_randtest.c -+++ /dev/null -@@ -1,247 +0,0 @@ --/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) -- * All rights reserved. -- * -- * This package is an SSL implementation written -- * by Eric Young (eay@cryptsoft.com). -- * The implementation was written so as to conform with Netscapes SSL. -- * -- * This library is free for commercial and non-commercial use as long as -- * the following conditions are aheared to. The following conditions -- * apply to all code found in this distribution, be it the RC4, RSA, -- * lhash, DES, etc., code; not just the SSL code. The SSL documentation -- * included with this distribution is covered by the same copyright terms -- * except that the holder is Tim Hudson (tjh@cryptsoft.com). -- * -- * Copyright remains Eric Young's, and as such any Copyright notices in -- * the code are not to be removed. -- * If this package is used in a product, Eric Young should be given attribution -- * as the author of the parts of the library used. -- * This can be in the form of a textual message at program startup or -- * in documentation (online or textual) provided with the package. -- * -- * Redistribution and use in source and binary forms, with or without -- * modification, are permitted provided that the following conditions -- * are met: -- * 1. Redistributions of source code must retain the copyright -- * notice, this list of conditions and the following disclaimer. -- * 2. Redistributions in binary form must reproduce the above copyright -- * notice, this list of conditions and the following disclaimer in the -- * documentation and/or other materials provided with the distribution. -- * 3. All advertising materials mentioning features or use of this software -- * must display the following acknowledgement: -- * "This product includes cryptographic software written by -- * Eric Young (eay@cryptsoft.com)" -- * The word 'cryptographic' can be left out if the rouines from the library -- * being used are not cryptographic related :-). -- * 4. If you include any Windows specific code (or a derivative thereof) from -- * the apps directory (application code) you must include an acknowledgement: -- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" -- * -- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND -- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -- * SUCH DAMAGE. -- * -- * The licence and distribution terms for any publically available version or -- * derivative of this code cannot be changed. i.e. this code cannot simply be -- * copied and put under another distribution licence -- * [including the GNU Public Licence.] -- */ --/* ==================================================================== -- * Copyright (c) 2003 The OpenSSL Project. All rights reserved. -- * -- * Redistribution and use in source and binary forms, with or without -- * modification, are permitted provided that the following conditions -- * are met: -- * -- * 1. Redistributions of source code must retain the above copyright -- * notice, this list of conditions and the following disclaimer. -- * -- * 2. Redistributions in binary form must reproduce the above copyright -- * notice, this list of conditions and the following disclaimer in -- * the documentation and/or other materials provided with the -- * distribution. -- * -- * 3. All advertising materials mentioning features or use of this -- * software must display the following acknowledgment: -- * "This product includes software developed by the OpenSSL Project -- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -- * -- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -- * endorse or promote products derived from this software without -- * prior written permission. For written permission, please contact -- * openssl-core@openssl.org. -- * -- * 5. Products derived from this software may not be called "OpenSSL" -- * nor may "OpenSSL" appear in their names without prior written -- * permission of the OpenSSL Project. -- * -- * 6. Redistributions of any form whatsoever must retain the following -- * acknowledgment: -- * "This product includes software developed by the OpenSSL Project -- * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -- * -- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -- * OF THE POSSIBILITY OF SUCH DAMAGE. -- * -- */ -- --#include --#include --#include --#include --#include --#include --#include --#include -- --#include "e_os.h" -- --#ifndef OPENSSL_FIPS --int main(int argc, char *argv[]) --{ -- printf("No FIPS RAND support\n"); -- return (0); --} -- --#else -- --# include "fips_utl.h" --# include -- --typedef struct { -- unsigned char DT[16]; -- unsigned char V[16]; -- unsigned char R[16]; --} AES_PRNG_MCT; -- --static const unsigned char aes_128_mct_key[16] = -- { 0x9f, 0x5b, 0x51, 0x20, 0x0b, 0xf3, 0x34, 0xb5, -- 0xd8, 0x2b, 0xe8, 0xc3, 0x72, 0x55, 0xc8, 0x48 --}; -- --static const AES_PRNG_MCT aes_128_mct_tv = { -- /* DT */ -- {0x63, 0x76, 0xbb, 0xe5, 0x29, 0x02, 0xba, 0x3b, -- 0x67, 0xc9, 0x25, 0xfa, 0x70, 0x1f, 0x11, 0xac}, -- /* V */ -- {0x57, 0x2c, 0x8e, 0x76, 0x87, 0x26, 0x47, 0x97, -- 0x7e, 0x74, 0xfb, 0xdd, 0xc4, 0x95, 0x01, 0xd1}, -- /* R */ -- {0x48, 0xe9, 0xbd, 0x0d, 0x06, 0xee, 0x18, 0xfb, -- 0xe4, 0x57, 0x90, 0xd5, 0xc3, 0xfc, 0x9b, 0x73} --}; -- --static const unsigned char aes_192_mct_key[24] = -- { 0xb7, 0x6c, 0x34, 0xd1, 0x09, 0x67, 0xab, 0x73, -- 0x4d, 0x5a, 0xd5, 0x34, 0x98, 0x16, 0x0b, 0x91, -- 0xbc, 0x35, 0x51, 0x16, 0x6b, 0xae, 0x93, 0x8a --}; -- --static const AES_PRNG_MCT aes_192_mct_tv = { -- /* DT */ -- {0x84, 0xce, 0x22, 0x7d, 0x91, 0x5a, 0xa3, 0xc9, -- 0x84, 0x3c, 0x0a, 0xb3, 0xa9, 0x63, 0x15, 0x52}, -- /* V */ -- {0xb6, 0xaf, 0xe6, 0x8f, 0x99, 0x9e, 0x90, 0x64, -- 0xdd, 0xc7, 0x7a, 0xc1, 0xbb, 0x90, 0x3a, 0x6d}, -- /* R */ -- {0xfc, 0x85, 0x60, 0x9a, 0x29, 0x6f, 0xef, 0x21, -- 0xdd, 0x86, 0x20, 0x32, 0x8a, 0x29, 0x6f, 0x47} --}; -- --static const unsigned char aes_256_mct_key[32] = -- { 0x9b, 0x05, 0xc8, 0x68, 0xff, 0x47, 0xf8, 0x3a, -- 0xa6, 0x3a, 0xa8, 0xcb, 0x4e, 0x71, 0xb2, 0xe0, -- 0xb8, 0x7e, 0xf1, 0x37, 0xb6, 0xb4, 0xf6, 0x6d, -- 0x86, 0x32, 0xfc, 0x1f, 0x5e, 0x1d, 0x1e, 0x50 --}; -- --static const AES_PRNG_MCT aes_256_mct_tv = { -- /* DT */ -- {0x31, 0x6e, 0x35, 0x9a, 0xb1, 0x44, 0xf0, 0xee, -- 0x62, 0x6d, 0x04, 0x46, 0xe0, 0xa3, 0x92, 0x4c}, -- /* V */ -- {0x4f, 0xcd, 0xc1, 0x87, 0x82, 0x1f, 0x4d, 0xa1, -- 0x3e, 0x0e, 0x56, 0x44, 0x59, 0xe8, 0x83, 0xca}, -- /* R */ -- {0xc8, 0x87, 0xc2, 0x61, 0x5b, 0xd0, 0xb9, 0xe1, -- 0xe7, 0xf3, 0x8b, 0xd7, 0x5b, 0xd5, 0xf1, 0x8d} --}; -- --static void dump(const unsigned char *b, int n) --{ -- while (n-- > 0) { -- printf(" %02x", *b++); -- } --} -- --static void compare(const unsigned char *result, -- const unsigned char *expected, int n) --{ -- int i; -- -- for (i = 0; i < n; ++i) -- if (result[i] != expected[i]) { -- puts("Random test failed, got:"); -- dump(result, n); -- puts("\n expected:"); -- dump(expected, n); -- putchar('\n'); -- EXIT(1); -- } --} -- --static void run_test(const unsigned char *key, int keylen, -- const AES_PRNG_MCT * tv) --{ -- unsigned char buf[16], dt[16]; -- int i, j; -- FIPS_x931_reset(); -- FIPS_x931_test_mode(); -- FIPS_x931_set_key(key, keylen); -- FIPS_x931_seed(tv->V, 16); -- memcpy(dt, tv->DT, 16); -- for (i = 0; i < 10000; i++) { -- FIPS_x931_set_dt(dt); -- FIPS_x931_bytes(buf, 16); -- /* Increment DT */ -- for (j = 15; j >= 0; j--) { -- dt[j]++; -- if (dt[j]) -- break; -- } -- } -- -- compare(buf, tv->R, 16); --} -- --int main() --{ -- run_test(aes_128_mct_key, 16, &aes_128_mct_tv); -- printf("FIPS PRNG test 1 done\n"); -- run_test(aes_192_mct_key, 24, &aes_192_mct_tv); -- printf("FIPS PRNG test 2 done\n"); -- run_test(aes_256_mct_key, 32, &aes_256_mct_tv); -- printf("FIPS PRNG test 3 done\n"); -- return 0; --} -- --#endif +@@ -179,3 +176,4 @@ int FIPS_rand_strength(void) + } + return 0; + } ++#endif diff --git a/crypto/fips/fips_sha_selftest.c b/crypto/fips/fips_sha_selftest.c -index 52dda4d..b567b8e 100644 +index 446ddd9..3f4ca12 100644 --- a/crypto/fips/fips_sha_selftest.c +++ b/crypto/fips/fips_sha_selftest.c @@ -129,13 +129,13 @@ int FIPS_selftest_sha2(void) @@ -2128,7 +1936,7 @@ } diff --git a/crypto/fips/fips_test_suite.c b/crypto/fips/fips_test_suite.c -index d86351c..5ab0458 100644 +index 1e4b69c..5ab0458 100644 --- a/crypto/fips/fips_test_suite.c +++ b/crypto/fips/fips_test_suite.c @@ -27,6 +27,8 @@ @@ -2140,15 +1948,6 @@ #ifndef OPENSSL_FIPS int main(int argc, char *argv[]) -@@ -37,7 +39,7 @@ int main(int argc, char *argv[]) - #else - - # include --/* # include "fips_utl.h" */ -+# include "fips_utl.h" - - /* AES: encrypt and decrypt known plaintext, verify result matches original plaintext - */ @@ -65,6 +67,48 @@ static int FIPS_aes_test(void) return ret; } @@ -2609,7 +2408,15 @@ static int Error; const char *Fail(const char *msg) { -@@ -471,10 +802,11 @@ static void test_msg(const char *msg, int result) +@@ -463,13 +794,19 @@ const char *Fail(const char *msg) + return msg; + } + ++static void test_msg(const char *msg, int result) ++{ ++ printf("%s...%s\n", msg, result ? "successful" : Fail("Failed!")); ++} ++ int main(int argc, char **argv) { @@ -2623,7 +2430,7 @@ printf("\tFIPS-mode test application\n\n"); -@@ -512,20 +844,16 @@ int main(int argc, char **argv) +@@ -507,20 +844,16 @@ int main(int argc, char **argv) ("DSA key generation and signature validation with corrupted key...\n"); bad_dsa = 1; no_exit = 1; @@ -2650,7 +2457,22 @@ } else { printf("Bad argument \"%s\"\n", argv[1]); exit(1); -@@ -556,17 +884,19 @@ int main(int argc, char **argv) +@@ -539,8 +872,7 @@ int main(int argc, char **argv) + /* Non-Approved cryptographic operation + */ + printf("1. Non-Approved cryptographic operation test...\n"); +- printf("\ta. Included algorithm (D-H)..."); +- printf(dh_test()? "successful\n" : Fail("FAILED!\n")); ++ test_msg("\ta. Included algorithm (D-H)...", dh_test()); + + /* Power-up self test + */ +@@ -548,90 +880,109 @@ int main(int argc, char **argv) + printf("2. Automatic power-up self test..."); + if (!FIPS_mode_set(1)) { + do_print_errors(); +- printf(Fail("FAILED!\n")); ++ printf("%s\n", Fail("FAILED!")); exit(1); } printf("successful\n"); @@ -2665,19 +2487,82 @@ /* AES encryption/decryption */ - test_msg("3. AES encryption/decryption", FIPS_aes_test()); - +- printf("3. AES encryption/decryption..."); +- printf(FIPS_aes_test()? "successful\n" : Fail("FAILED!\n")); ++ test_msg("3. AES encryption/decryption", FIPS_aes_test()); ++ + /* AES GCM encryption/decryption + */ + test_msg("3b. AES-GCM encryption/decryption", FIPS_aes_gcm_test()); -+ + /* RSA key generation and encryption/decryption */ - test_msg("4. RSA key generation and encryption/decryption", -@@ -613,19 +943,46 @@ int main(int argc, char **argv) +- printf("4. RSA key generation and encryption/decryption..."); +- printf(FIPS_rsa_test(bad_rsa) ? "successful\n" : Fail("FAILED!\n")); ++ test_msg("4. RSA key generation and encryption/decryption", ++ FIPS_rsa_test(bad_rsa)); + + /* DES-CBC encryption/decryption + */ +- printf("5. DES-ECB encryption/decryption..."); +- printf(FIPS_des3_test()? "successful\n" : Fail("FAILED!\n")); ++ test_msg("5. DES-ECB encryption/decryption", FIPS_des3_test()); + + /* DSA key generation and signature validation + */ +- printf("6. DSA key generation and signature validation..."); +- printf(FIPS_dsa_test(bad_dsa) ? "successful\n" : Fail("FAILED!\n")); ++ test_msg("6. DSA key generation and signature validation", ++ FIPS_dsa_test(bad_dsa)); + + /* SHA-1 hash */ - test_msg("7h. HMAC-SHA-512 hash", FIPS_hmac_sha512_test()); +- printf("7a. SHA-1 hash..."); +- printf(FIPS_sha1_test()? "successful\n" : Fail("FAILED!\n")); ++ test_msg("7a. SHA-1 hash", FIPS_sha1_test()); + /* SHA-256 hash + */ +- printf("7b. SHA-256 hash..."); +- printf(FIPS_sha256_test()? "successful\n" : Fail("FAILED!\n")); ++ test_msg("7b. SHA-256 hash", FIPS_sha256_test()); + + /* SHA-512 hash + */ +- printf("7c. SHA-512 hash..."); +- printf(FIPS_sha512_test()? "successful\n" : Fail("FAILED!\n")); ++ test_msg("7c. SHA-512 hash", FIPS_sha512_test()); + + /* HMAC-SHA-1 hash + */ +- printf("7d. HMAC-SHA-1 hash..."); +- printf(FIPS_hmac_sha1_test()? "successful\n" : Fail("FAILED!\n")); ++ test_msg("7d. HMAC-SHA-1 hash", FIPS_hmac_sha1_test()); + + /* HMAC-SHA-224 hash + */ +- printf("7e. HMAC-SHA-224 hash..."); +- printf(FIPS_hmac_sha224_test()? "successful\n" : Fail("FAILED!\n")); ++ test_msg("7e. HMAC-SHA-224 hash", FIPS_hmac_sha224_test()); + + /* HMAC-SHA-256 hash + */ +- printf("7f. HMAC-SHA-256 hash..."); +- printf(FIPS_hmac_sha256_test()? "successful\n" : Fail("FAILED!\n")); ++ test_msg("7f. HMAC-SHA-256 hash", FIPS_hmac_sha256_test()); + + /* HMAC-SHA-384 hash + */ +- printf("7g. HMAC-SHA-384 hash..."); +- printf(FIPS_hmac_sha384_test()? "successful\n" : Fail("FAILED!\n")); ++ test_msg("7g. HMAC-SHA-384 hash", FIPS_hmac_sha384_test()); + + /* HMAC-SHA-512 hash + */ +- printf("7h. HMAC-SHA-512 hash..."); +- printf(FIPS_hmac_sha512_test()? "successful\n" : Fail("FAILED!\n")); ++ test_msg("7h. HMAC-SHA-512 hash", FIPS_hmac_sha512_test()); ++ + /* CMAC-AES-128 hash + */ + test_msg("8a. CMAC-AES-128 hash", FIPS_cmac_aes128_test()); @@ -2693,20 +2578,23 @@ + /* CMAC-TDEA-3 hash + */ + test_msg("8d. CMAC-TDEA-3 hash", FIPS_cmac_tdea3_test()); -+ + /* Non-Approved cryptographic operation */ - printf("8. Non-Approved cryptographic operation test...\n"); +- printf("\ta. Included algorithm (D-H)..."); +- printf(dh_test()? "successful as expected\n" + printf("9. Non-Approved cryptographic operation test...\n"); - printf("\ta. Included algorithm (D-H)...%s\n", - dh_test()? "successful as expected\n" ++ printf("\ta. Included algorithm (D-H)...%s\n", ++ dh_test()? "successful as expected\n" : Fail("failed INCORRECTLY!\n")); /* Zeroization */ -- printf("9. Zero-ization...\n\t%s\n", +- printf("9. Zero-ization...\n"); +- printf(Zeroize()? "\tsuccessful as expected\n" + printf("10. Zero-ization...\n\t%s\n", - Zeroize()? "\tsuccessful as expected" ++ Zeroize()? "\tsuccessful as expected" : Fail("\tfailed INCORRECTLY!\n")); + printf("11. Complete DRBG health check...\n"); @@ -2723,6 +2611,354 @@ printf("\nAll tests completed with %d errors\n", Error); return Error ? 1 : 0; } +diff --git a/crypto/fips/fips_utl.h b/crypto/fips/fips_utl.h +new file mode 100644 +index 0000000..0b289bf +--- /dev/null ++++ b/crypto/fips/fips_utl.h +@@ -0,0 +1,342 @@ ++/* ==================================================================== ++ * Copyright (c) 2007 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++void do_print_errors(void) ++ { ++ const char *file, *data; ++ int line, flags; ++ unsigned long l; ++ while ((l = ERR_get_error_line_data(&file, &line, &data, &flags))) ++ { ++ fprintf(stderr, "ERROR:%lx:lib=%d,func=%d,reason=%d" ++ ":file=%s:line=%d:%s\n", ++ l, ERR_GET_LIB(l), ERR_GET_FUNC(l), ERR_GET_REASON(l), ++ file, line, flags & ERR_TXT_STRING ? data : ""); ++ } ++ } ++ ++int hex2bin(const char *in, unsigned char *out) ++ { ++ int n1, n2; ++ unsigned char ch; ++ ++ for (n1=0,n2=0 ; in[n1] && in[n1] != '\n' ; ) ++ { /* first byte */ ++ if ((in[n1] >= '0') && (in[n1] <= '9')) ++ ch = in[n1++] - '0'; ++ else if ((in[n1] >= 'A') && (in[n1] <= 'F')) ++ ch = in[n1++] - 'A' + 10; ++ else if ((in[n1] >= 'a') && (in[n1] <= 'f')) ++ ch = in[n1++] - 'a' + 10; ++ else ++ return -1; ++ if(!in[n1]) ++ { ++ out[n2++]=ch; ++ break; ++ } ++ out[n2] = ch << 4; ++ /* second byte */ ++ if ((in[n1] >= '0') && (in[n1] <= '9')) ++ ch = in[n1++] - '0'; ++ else if ((in[n1] >= 'A') && (in[n1] <= 'F')) ++ ch = in[n1++] - 'A' + 10; ++ else if ((in[n1] >= 'a') && (in[n1] <= 'f')) ++ ch = in[n1++] - 'a' + 10; ++ else ++ return -1; ++ out[n2++] |= ch; ++ } ++ return n2; ++ } ++ ++unsigned char *hex2bin_m(const char *in, long *plen) ++ { ++ unsigned char *p; ++ p = OPENSSL_malloc((strlen(in) + 1)/2); ++ *plen = hex2bin(in, p); ++ return p; ++ } ++ ++int do_hex2bn(BIGNUM **pr, const char *in) ++ { ++ unsigned char *p; ++ long plen; ++ int r = 0; ++ p = hex2bin_m(in, &plen); ++ if (!p) ++ return 0; ++ if (!*pr) ++ *pr = BN_new(); ++ if (!*pr) ++ return 0; ++ if (BN_bin2bn(p, plen, *pr)) ++ r = 1; ++ OPENSSL_free(p); ++ return r; ++ } ++ ++int do_bn_print(FILE *out, BIGNUM *bn) ++ { ++ int len, i; ++ unsigned char *tmp; ++ len = BN_num_bytes(bn); ++ if (len == 0) ++ { ++ fputs("00", out); ++ return 1; ++ } ++ ++ tmp = OPENSSL_malloc(len); ++ if (!tmp) ++ { ++ fprintf(stderr, "Memory allocation error\n"); ++ return 0; ++ } ++ BN_bn2bin(bn, tmp); ++ for (i = 0; i < len; i++) ++ fprintf(out, "%02x", tmp[i]); ++ OPENSSL_free(tmp); ++ return 1; ++ } ++ ++int do_bn_print_name(FILE *out, const char *name, BIGNUM *bn) ++ { ++ int r; ++ fprintf(out, "%s = ", name); ++ r = do_bn_print(out, bn); ++ if (!r) ++ return 0; ++ fputs("\n", out); ++ return 1; ++ } ++ ++int parse_line(char **pkw, char **pval, char *linebuf, char *olinebuf) ++ { ++ char *keyword, *value, *p, *q; ++ strcpy(linebuf, olinebuf); ++ keyword = linebuf; ++ /* Skip leading space */ ++ while (isspace((unsigned char)*keyword)) ++ keyword++; ++ ++ /* Look for = sign */ ++ p = strchr(linebuf, '='); ++ ++ /* If no '=' exit */ ++ if (!p) ++ return 0; ++ ++ q = p - 1; ++ ++ /* Remove trailing space */ ++ while (isspace((unsigned char)*q)) ++ *q-- = 0; ++ ++ *p = 0; ++ value = p + 1; ++ ++ /* Remove leading space from value */ ++ while (isspace((unsigned char)*value)) ++ value++; ++ ++ /* Remove trailing space from value */ ++ p = value + strlen(value) - 1; ++ ++ while (*p == '\n' || isspace((unsigned char)*p)) ++ *p-- = 0; ++ ++ *pkw = keyword; ++ *pval = value; ++ return 1; ++ } ++ ++BIGNUM *hex2bn(const char *in) ++ { ++ BIGNUM *p=NULL; ++ ++ if (!do_hex2bn(&p, in)) ++ return NULL; ++ ++ return p; ++ } ++ ++int bin2hex(const unsigned char *in,int len,char *out) ++ { ++ int n1, n2; ++ unsigned char ch; ++ ++ for (n1=0,n2=0 ; n1 < len ; ++n1) ++ { ++ ch=in[n1] >> 4; ++ if (ch <= 0x09) ++ out[n2++]=ch+'0'; ++ else ++ out[n2++]=ch-10+'a'; ++ ch=in[n1] & 0x0f; ++ if(ch <= 0x09) ++ out[n2++]=ch+'0'; ++ else ++ out[n2++]=ch-10+'a'; ++ } ++ out[n2]='\0'; ++ return n2; ++ } ++ ++void pv(const char *tag,const unsigned char *val,int len) ++ { ++ char obuf[2048]; ++ ++ bin2hex(val,len,obuf); ++ printf("%s = %s\n",tag,obuf); ++ } ++ ++/* To avoid extensive changes to test program at this stage just convert ++ * the input line into an acceptable form. Keyword lines converted to form ++ * "keyword = value\n" no matter what white space present, all other lines ++ * just have leading and trailing space removed. ++ */ ++ ++int tidy_line(char *linebuf, char *olinebuf) ++ { ++ char *keyword, *value, *p, *q; ++ strcpy(linebuf, olinebuf); ++ keyword = linebuf; ++ /* Skip leading space */ ++ while (isspace((unsigned char)*keyword)) ++ keyword++; ++ /* Look for = sign */ ++ p = strchr(linebuf, '='); ++ ++ /* If no '=' just chop leading, trailing ws */ ++ if (!p) ++ { ++ p = keyword + strlen(keyword) - 1; ++ while (*p == '\n' || isspace((unsigned char)*p)) ++ *p-- = 0; ++ strcpy(olinebuf, keyword); ++ strcat(olinebuf, "\n"); ++ return 1; ++ } ++ ++ q = p - 1; ++ ++ /* Remove trailing space */ ++ while (isspace((unsigned char)*q)) ++ *q-- = 0; ++ ++ *p = 0; ++ value = p + 1; ++ ++ /* Remove leading space from value */ ++ while (isspace((unsigned char)*value)) ++ value++; ++ ++ /* Remove trailing space from value */ ++ p = value + strlen(value) - 1; ++ ++ while (*p == '\n' || isspace((unsigned char)*p)) ++ *p-- = 0; ++ ++ strcpy(olinebuf, keyword); ++ strcat(olinebuf, " = "); ++ strcat(olinebuf, value); ++ strcat(olinebuf, "\n"); ++ ++ return 1; ++ } ++ ++/* NB: this return the number of _bits_ read */ ++int bint2bin(const char *in, int len, unsigned char *out) ++ { ++ int n; ++ ++ memset(out,0,len); ++ for(n=0 ; n < len ; ++n) ++ if(in[n] == '1') ++ out[n/8]|=(0x80 >> (n%8)); ++ return len; ++ } ++ ++int bin2bint(const unsigned char *in,int len,char *out) ++ { ++ int n; ++ ++ for(n=0 ; n < len ; ++n) ++ out[n]=(in[n/8]&(0x80 >> (n%8))) ? '1' : '0'; ++ return n; ++ } ++ ++/*-----------------------------------------------*/ ++ ++void PrintValue(char *tag, unsigned char *val, int len) ++{ ++#if VERBOSE ++ char obuf[2048]; ++ int olen; ++ olen = bin2hex(val, len, obuf); ++ printf("%s = %.*s\n", tag, olen, obuf); ++#endif ++} ++ ++void OutputValue(char *tag, unsigned char *val, int len, FILE *rfp,int bitmode) ++ { ++ char obuf[2048]; ++ int olen; ++ ++ if(bitmode) ++ olen=bin2bint(val,len,obuf); ++ else ++ olen=bin2hex(val,len,obuf); ++ ++ fprintf(rfp, "%s = %.*s\n", tag, olen, obuf); ++#if VERBOSE ++ printf("%s = %.*s\n", tag, olen, obuf); ++#endif ++ } diff --git a/crypto/o_init.c b/crypto/o_init.c index a235755..ffcf39b 100644 --- a/crypto/o_init.c @@ -2935,3 +3171,23 @@ int SHA_Init(SHA_CTX *c); int SHA_Update(SHA_CTX *c, const void *data, size_t len); int SHA_Final(unsigned char *md, SHA_CTX *c); +diff --git a/openssl.ld b/openssl.ld +index 8d40f31..dcbfdac 100644 +--- a/openssl.ld ++++ b/openssl.ld +@@ -4617,5 +4617,15 @@ OPENSSL_1.0.2g { + global: + SRP_VBASE_get1_by_user; + SRP_user_pwd_free; ++ OPENSSL_init_library; ++ private_BF_set_key; ++ private_CAST_set_key; ++ private_idea_set_encrypt_key; ++ private_SEED_set_key; ++ private_RC2_set_key; ++ private_RC4_set_key; ++ private_AES_set_encrypt_key; ++ private_AES_set_decrypt_key; ++ private_Camellia_set_key; + } OPENSSL_1.0.2; + diff -Nru openssl-1.0.2g/debian/patches/series openssl-1.0.2g/debian/patches/series --- openssl-1.0.2g/debian/patches/series 2016-04-12 20:33:22.000000000 +0000 +++ openssl-1.0.2g/debian/patches/series 2016-04-15 04:56:29.000000000 +0000 @@ -20,8 +20,8 @@ no-sslv3.patch arm64-aarch64_asm.patch openssl-1.0.2g-fips.patch -openssl-1.0.2g-fips-ec.patch -openssl-1.0.2g-fips-md5-allow.patch -openssl-1.0.2g-fips-ctor.patch -openssl-1.0.2g-new-fips-reqs.patch +openssl-1.0.2a-fips-ec.patch +openssl-1.0.2a-fips-md5-allow.patch +openssl-1.0.2a-fips-ctor.patch +openssl-1.0.2f-new-fips-reqs.patch openssl-1.0.2g-ubuntu-fips-cleanup.patch