diff -Nru openssl-1.0.2g/debian/changelog openssl-1.0.2g/debian/changelog
--- openssl-1.0.2g/debian/changelog 2016-04-15 04:58:01.000000000 +0000
+++ openssl-1.0.2g/debian/changelog 2021-06-28 13:05:36.000000000 +0000
@@ -1,3 +1,327 @@ +openssl (1.0.2g-1ubuntu4.20) xenial-security; urgency=medium + + * Enable X509_V_FLAG_TRUSTED_FIRST by default, such that letsencrypt + connection with the default chain remains trusted even after the + expiry of the redundant CA certificate. LP: #1928989 + + -- Dimitri John Ledkov Mon, 28 Jun 2021 14:05:36 +0100 + +openssl (1.0.2g-1ubuntu4.19) xenial-security; urgency=medium + + * SECURITY UPDATE: Integer overflow in CipherUpdate + - debian/patches/CVE-2021-23840-pre1.patch: add new EVP error codes in + crypto/evp/evp_err.c, crypto/evp/evp.h. + - debian/patches/CVE-2021-23840-pre2.patch: add a new EVP error code in + crypto/evp/evp_err.c, crypto/evp/evp.h. + - debian/patches/CVE-2021-23840.patch: don't overflow the output length + in EVP_CipherUpdate calls in crypto/evp/evp_enc.c, + crypto/evp/evp_err.c, crypto/evp/evp.h. + - CVE-2021-23840 + * SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash() + - debian/patches/CVE-2021-23841.patch: fix Null pointer deref in + crypto/x509/x509_cmp.c. + - CVE-2021-23841 + + -- Marc Deslauriers Wed, 17 Feb 2021 08:14:40 -0500 + +openssl (1.0.2g-1ubuntu4.18) xenial-security; urgency=medium + + * SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref + - debian/patches/CVE-2020-1971-1.patch: use explicit tagging for + DirectoryString in crypto/x509v3/v3_genn.c. + - debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName + in crypto/x509v3/v3_genn.c. + - debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE + types don't use implicit tagging in crypto/asn1/asn1_err.c, + crypto/asn1/tasn_dec.c, crypto/asn1/asn1.h. + - debian/patches/CVE-2020-1971-4.patch: complain if we are attempting + to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c, + crypto/asn1/tasn_enc.c, crypto/asn1/asn1.h. + - debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp + in crypto/x509v3/v3nametest.c. 
+ - CVE-2020-1971 + + -- Marc Deslauriers Wed, 02 Dec 2020 10:43:58 -0500 + +openssl (1.0.2g-1ubuntu4.17) xenial-security; urgency=medium + + * SECURITY UPDATE: Raccoon Attack + - debian/patches/CVE-2020-1968.patch: disable ciphers that reuse the + DH secret across multiple TLS connections in ssl/s3_lib.c. + - CVE-2020-1968 + + -- Marc Deslauriers Tue, 15 Sep 2020 14:13:51 -0400 + +openssl (1.0.2g-1ubuntu4.16) xenial-security; urgency=medium + + * SECURITY UPDATE: ECDSA remote timing attack + - debian/patches/CVE-2019-1547.patch: for ECC parameters with NULL or + zero cofactor, compute it in crypto/ec/ec.h, crypto/ec/ec_err.c, + crypto/ec/ec_lib.c. + - CVE-2019-1547 + * SECURITY UPDATE: rsaz_512_sqr overflow bug on x86_64 + - debian/patches/CVE-2019-1551.patch: fix an overflow bug in + rsaz_512_sqr in crypto/bn/asm/rsaz-x86_64.pl. + - CVE-2019-1551 + * SECURITY UPDATE: Padding Oracle issue + - debian/patches/CVE-2019-1563.patch: fix a padding oracle in + PKCS7_dataDecode and CMS_decrypt_set1_pkey in crypto/cms/cms_env.c, + crypto/cms/cms_lcl.h, crypto/cms/cms_smime.c, + crypto/pkcs7/pk7_doit.c. + - CVE-2019-1563 + + -- Marc Deslauriers Wed, 27 May 2020 15:17:49 -0400 + +openssl (1.0.2g-1ubuntu4.15) xenial-security; urgency=medium + + * SECURITY UPDATE: 0-byte record padding oracle + - debian/patches/CVE-2019-1559.patch: go into the error state if a + fatal alert is sent or received in ssl/d1_pkt.c, ssl/s3_pkt.c. + - CVE-2019-1559 + + -- Marc Deslauriers Tue, 26 Feb 2019 13:16:01 -0500 + +openssl (1.0.2g-1ubuntu4.14) xenial-security; urgency=medium + + * SECURITY UPDATE: PortSmash side channel attack + - debian/patches/CVE-2018-5407.patch: fix timing vulnerability in + crypto/bn/bn_lib.c, crypto/ec/ec_mult.c. + - CVE-2018-5407 + * SECURITY UPDATE: timing side channel attack in DSA + - debian/patches/CVE-2018-0734-pre1.patch: address a timing side + channel in crypto/dsa/dsa_ossl.c. 
+ - debian/patches/CVE-2018-0734-1.patch: fix timing vulnerability in + crypto/dsa/dsa_ossl.c. + - debian/patches/CVE-2018-0734-2.patch: fix mod inverse in + crypto/dsa/dsa_ossl.c. + - debian/patches/CVE-2018-0734-3.patch: add a constant time flag in + crypto/dsa/dsa_ossl.c. + - CVE-2018-0734 + + -- Marc Deslauriers Tue, 04 Dec 2018 08:38:18 -0500 + +openssl (1.0.2g-1ubuntu4.13) xenial-security; urgency=medium + + * SECURITY UPDATE: ECDSA key extraction side channel + - debian/patches/CVE-2018-0495.patch: add blinding to an ECDSA + signature in crypto/ecdsa/ecdsatest.c, crypto/ecdsa/ecs_ossl.c. + - CVE-2018-0495 + * SECURITY UPDATE: denial of service via long prime values + - debian/patches/CVE-2018-0732.patch: reject excessively large primes + in DH key generation in crypto/dh/dh_key.c. + - CVE-2018-0732 + * SECURITY UPDATE: RSA cache timing side channel attack + (previous update was incomplete) + - debian/patches/CVE-2018-0737-1.patch: replaced variable-time GCD in + crypto/rsa/rsa_gen.c. + - debian/patches/CVE-2018-0737-2.patch: used ERR set/pop mark in + crypto/rsa/rsa_gen.c. + - debian/patches/CVE-2018-0737-3.patch: consttime flag changed in + crypto/rsa/rsa_gen.c. + - debian/patches/CVE-2018-0737-4.patch: ensure BN_mod_inverse and + BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set in + crypto/rsa/rsa_gen.c. + - CVE-2018-0737 + + -- Marc Deslauriers Wed, 20 Jun 2018 07:38:22 -0400 + +openssl (1.0.2g-1ubuntu4.12) xenial-security; urgency=medium + + * SECURITY UPDATE: Cache timing side channel + - debian/patches/CVE-2018-0737.patch: ensure BN_mod_inverse + and BN_mod_exp_mont get called with BN_FLG_CONSTTIME flag set + in crypto/rsa/rsa_gen.c. + - CVE-2018-0737 + + -- Leonidas S. 
Barbosa Wed, 18 Apr 2018 15:35:17 -0300 + +openssl (1.0.2g-1ubuntu4.11) xenial-security; urgency=medium + + * SECURITY UPDATE: DoS via ASN.1 types with a recursive definition + - debian/patches/CVE-2018-0739.patch: limit stack depth in + crypto/asn1/asn1.h, crypto/asn1/asn1_err.c, crypto/asn1/tasn_dec.c. + - CVE-2018-0739 + + -- Marc Deslauriers Tue, 27 Mar 2018 14:18:33 -0400 + +openssl (1.0.2g-1ubuntu4.10) xenial-security; urgency=medium + + * SECURITY UPDATE: Read/write after SSL object in error state + - debian/patches/CVE-2017-3737-pre.patch: add test/ssltestlib.*, + add to test/Makefile. + - debian/patches/CVE-2017-3737-1.patch: don't allow read/write after + fatal error in ssl/ssl.h. + - debian/patches/CVE-2017-3737-2.patch: add test to ssl/Makefile, + ssl/fatalerrtest.c, test/Makefile. + - CVE-2017-3737 + * SECURITY UPDATE: rsaz_1024_mul_avx2 overflow bug on x86_64 + - debian/patches/CVE-2017-3738.patch: fix digit correction bug in + crypto/bn/asm/rsaz-avx2.pl. + - CVE-2017-3738 + + -- Marc Deslauriers Thu, 07 Dec 2017 13:17:37 -0500 + +openssl (1.0.2g-1ubuntu4.9) xenial-security; urgency=medium + + * SECURITY UPDATE: Malformed X.509 IPAddressFamily could cause OOB read + - debian/patches/CVE-2017-3735.patch: avoid out-of-bounds read in + crypto/x509v3/v3_addr.c. + - CVE-2017-3735 + * SECURITY UPDATE: bn_sqrx8x_internal carry bug on x86_64 + - debian/patches/CVE-2017-3736.patch: fix carry bug in + bn_sqrx8x_internal in crypto/bn/asm/x86_64-mont5.pl. + - CVE-2017-3736 + + -- Marc Deslauriers Thu, 02 Nov 2017 11:28:46 -0400 + +openssl (1.0.2g-1ubuntu4.8) xenial; urgency=medium + + * aes/asm/aesni-sha*-x86_64.pl: fix IV handling in SHAEXT paths. + (LP: #1674399) + + -- William Grant Fri, 19 May 2017 18:27:58 +1000 + +openssl (1.0.2g-1ubuntu4.7) xenial; urgency=medium + + * crypto/x86*cpuid.pl: move extended feature detection. (LP: #1674399) + This fix moves extended feature detection past basic feature + detection where it belongs. 
32-bit counterpart is harmonized too. + + -- Eric Desrochers Wed, 26 Apr 2017 09:08:02 -0400 + +openssl (1.0.2g-1ubuntu4.6) xenial-security; urgency=medium + + * SECURITY UPDATE: Montgomery multiplication may produce incorrect + results + - debian/patches/CVE-2016-7055.patch: fix logic in + crypto/bn/asm/x86_64-mont.pl. + - CVE-2016-7055 + * SECURITY UPDATE: DoS via warning alerts + - debian/patches/CVE-2016-8610.patch: don't allow too many consecutive + warning alerts in ssl/d1_pkt.c, ssl/s3_pkt.c, ssl/ssl.h, + ssl/ssl_locl.h. + - debian/patches/CVE-2016-8610-2.patch: fail if an unrecognised record + type is received in ssl/s3_pkt.c. + - CVE-2016-8610 + * SECURITY UPDATE: Truncated packet could crash via OOB read + - debian/patches/CVE-2017-3731.patch: harden RC4_MD5 cipher in + crypto/evp/e_rc4_hmac_md5.c. + - CVE-2017-3731 + * SECURITY UPDATE: BN_mod_exp may produce incorrect results on x86_64 + - debian/patches/CVE-2017-3732.patch: fix carry bug in + bn_sqr8x_internal in crypto/bn/asm/x86_64-mont5.pl. + - CVE-2017-3732 + + -- Marc Deslauriers Mon, 30 Jan 2017 10:31:12 -0500 + +openssl (1.0.2g-1ubuntu4.5) xenial-security; urgency=medium + + * SECURITY REGRESSION: incomplete fix for CVE-2016-2182 (LP: #1626883) + - debian/patches/CVE-2016-2182-2.patch: fix off-by-one in overflow + check in crypto/bn/bn_print.c. + + -- Marc Deslauriers Fri, 23 Sep 2016 08:00:13 -0400 + +openssl (1.0.2g-1ubuntu4.4) xenial-security; urgency=medium + + * SECURITY UPDATE: Pointer arithmetic undefined behaviour + - debian/patches/CVE-2016-2177.patch: avoid undefined pointer + arithmetic in ssl/s3_srvr.c, ssl/ssl_sess.c, ssl/t1_lib.c. + - CVE-2016-2177 + * SECURITY UPDATE: Constant time flag not preserved in DSA signing + - debian/patches/CVE-2016-2178-*.patch: preserve BN_FLG_CONSTTIME in + crypto/dsa/dsa_ossl.c. 
+ - CVE-2016-2178 + * SECURITY UPDATE: DTLS buffered message DoS + - debian/patches/CVE-2016-2179.patch: fix queue handling in + ssl/d1_both.c, ssl/d1_clnt.c, ssl/d1_lib.c, ssl/d1_srvr.c, + ssl/ssl_locl.h. + - CVE-2016-2179 + * SECURITY UPDATE: OOB read in TS_OBJ_print_bio() + - debian/patches/CVE-2016-2180.patch: fix text handling in + crypto/ts/ts_lib.c. + - CVE-2016-2180 + * SECURITY UPDATE: DTLS replay protection DoS + - debian/patches/CVE-2016-2181-1.patch: properly handle unprocessed + records in ssl/d1_pkt.c. + - debian/patches/CVE-2016-2181-2.patch: protect against replay attacks + in ssl/d1_pkt.c, ssl/ssl.h, ssl/ssl_err.c. + - debian/patches/CVE-2016-2181-3.patch: update error code in ssl/ssl.h. + - CVE-2016-2181 + * SECURITY UPDATE: OOB write in BN_bn2dec() + - debian/patches/CVE-2016-2182.patch: don't overflow buffer in + crypto/bn/bn_print.c. + - CVE-2016-2182 + * SECURITY UPDATE: SWEET32 Mitigation + - debian/patches/CVE-2016-2183.patch: move DES ciphersuites from HIGH + to MEDIUM in ssl/s3_lib.c. + - CVE-2016-2183 + * SECURITY UPDATE: Malformed SHA512 ticket DoS + - debian/patches/CVE-2016-6302.patch: sanity check ticket length in + ssl/t1_lib.c. + - CVE-2016-6302 + * SECURITY UPDATE: OOB write in MDC2_Update() + - debian/patches/CVE-2016-6303.patch: avoid overflow in + crypto/mdc2/mdc2dgst.c. + - CVE-2016-6303 + * SECURITY UPDATE: OCSP Status Request extension unbounded memory growth + - debian/patches/CVE-2016-6304.patch: remove OCSP_RESPIDs from previous + handshake in ssl/t1_lib.c. + - CVE-2016-6304 + * SECURITY UPDATE: Certificate message OOB reads + - debian/patches/CVE-2016-6306-1.patch: check lengths in ssl/s3_clnt.c, + ssl/s3_srvr.c. + - debian/patches/CVE-2016-6306-2.patch: make message buffer slightly + larger in ssl/d1_both.c, ssl/s3_both.c. + - CVE-2016-6306 + + -- Marc Deslauriers Thu, 22 Sep 2016 08:22:22 -0400 + +openssl (1.0.2g-1ubuntu4.3) xenial; urgency=medium + + * Remove incomplete FIPS patches for now. 
(LP: #1614210) + (related bugs: LP: #1594748, LP: #1593953, LP: #1591797, LP: #1588524) + - debian/patches/*fips*.patch: removed. + - debian/rules: removed fips from CONFARGS. + + -- Marc Deslauriers Fri, 19 Aug 2016 13:03:55 -0400 + +openssl (1.0.2g-1ubuntu4.2) xenial; urgency=medium + + * Cherry-pick s390x assembly pack bugfix to cache capability query + results for improved performance. LP: #1601836. + * Enable asm optimisations on s390x. LP: #1602655. + + -- Dimitri John Ledkov Thu, 28 Jul 2016 15:37:07 +0300 + +openssl (1.0.2g-1ubuntu4.1) xenial-security; urgency=medium + + * SECURITY UPDATE: EVP_EncodeUpdate overflow + - debian/patches/CVE-2016-2105.patch: properly check lengths in + crypto/evp/encode.c, add documentation to + doc/crypto/EVP_EncodeInit.pod, doc/crypto/evp.pod. + - CVE-2016-2105 + * SECURITY UPDATE: EVP_EncryptUpdate overflow + - debian/patches/CVE-2016-2106.patch: fix overflow in + crypto/evp/evp_enc.c. + - CVE-2016-2106 + * SECURITY UPDATE: Padding oracle in AES-NI CBC MAC check + - debian/patches/CVE-2016-2107.patch: check that there are enough + padding characters in crypto/evp/e_aes_cbc_hmac_sha1.c, + crypto/evp/e_aes_cbc_hmac_sha256.c. + - CVE-2016-2107 + * SECURITY UPDATE: Memory corruption in the ASN.1 encoder + - debian/patches/CVE-2016-2108.patch: fix ASN1_INTEGER handling in + crypto/asn1/a_type.c, crypto/asn1/asn1.h, crypto/asn1/tasn_dec.c, + crypto/asn1/tasn_enc.c. + - CVE-2016-2108 + * SECURITY UPDATE: ASN.1 BIO excessive memory allocation + - debian/patches/CVE-2016-2109.patch: properly handle large amounts of + data in crypto/asn1/a_d2i_fp.c. 
+ - CVE-2016-2109 + + -- Marc Deslauriers Thu, 28 Apr 2016 09:15:39 -0400 + openssl (1.0.2g-1ubuntu4) xenial; urgency=medium * Rename Fedora-imported FIPS patches to the names they have in Fedora, add diff -Nru openssl-1.0.2g/debian/patches/0b48a24ce993d1a4409d7bde26295f6df0d173cb.patch openssl-1.0.2g/debian/patches/0b48a24ce993d1a4409d7bde26295f6df0d173cb.patch --- openssl-1.0.2g/debian/patches/0b48a24ce993d1a4409d7bde26295f6df0d173cb.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/0b48a24ce993d1a4409d7bde26295f6df0d173cb.patch 2016-08-01 15:57:49.000000000 +0000 
@@ -0,0 +1,210 @@ +From 0b48a24ce993d1a4409d7bde26295f6df0d173cb Mon Sep 17 00:00:00 2001 +From: Andy Polyakov +Date: Fri, 15 Apr 2016 16:39:22 +0200 +Subject: [PATCH] s390x assembly pack: cache capability query results. + +IBM argues that in certain scenarios capability query is really +expensive. At the same time it's asserted that query results can +be safely cached, because disabling CPACF is incompatible with +reboot-free operation. + +Reviewed-by: Tim Hudson +(cherry picked from commit 670ad0fbf6ebcf113e278d8174081a7e2d2fa44c) +--- + crypto/aes/asm/aes-s390x.pl | 29 ++++++++++----------------- + crypto/modes/asm/ghash-s390x.pl | 4 +--- + crypto/s390xcpuid.S | 44 +++++++++++++++++++++++++++++++++++------ + crypto/sha/asm/sha1-s390x.pl | 7 ++----- + crypto/sha/asm/sha512-s390x.pl | 7 ++----- + 5 files changed, 53 insertions(+), 38 deletions(-) + +diff --git a/crypto/aes/asm/aes-s390x.pl b/crypto/aes/asm/aes-s390x.pl +index e75dcd0..76ca8e5 100644 +--- a/crypto/aes/asm/aes-s390x.pl ++++ b/crypto/aes/asm/aes-s390x.pl +@@ -818,13 +818,9 @@ () + tmhl %r0,0x4000 # check for message-security assist + jz .Lekey_internal + +- lghi %r0,0 # query capability vector +- la %r1,16($sp) +- .long 0xb92f0042 # kmc %r4,%r2 +- +- llihh %r1,0x8000 +- srlg %r1,%r1,0(%r5) +- ng %r1,16($sp) ++ llihh %r0,0x8000 ++ srlg %r0,%r0,0(%r5) ++ ng %r0,48(%r1) # check kmc capability vector + jz .Lekey_internal + + lmg %r0,%r1,0($inp) # just copy 128 bits... 
+@@ -1444,13 +1440,10 @@ () + + llgfr $s0,%r0 + lgr $s1,%r1 +- lghi %r0,0 +- la %r1,16($sp) +- .long 0xb92d2042 # kmctr %r4,%r2,%r2 +- ++ larl %r1,OPENSSL_s390xcap_P + llihh %r0,0x8000 # check if kmctr supports the function code + srlg %r0,%r0,0($s0) +- ng %r0,16($sp) ++ ng %r0,64(%r1) # check kmctr capability vector + lgr %r0,$s0 + lgr %r1,$s1 + jz .Lctr32_km_loop +@@ -1597,12 +1590,10 @@ () + llgfr $s0,%r0 # put aside the function code + lghi $s1,0x7f + nr $s1,%r0 +- lghi %r0,0 # query capability vector +- la %r1,$tweak-16($sp) +- .long 0xb92e0042 # km %r4,%r2 +- llihh %r1,0x8000 +- srlg %r1,%r1,32($s1) # check for 32+function code +- ng %r1,$tweak-16($sp) ++ larl %r1,OPENSSL_s390xcap_P ++ llihh %r0,0x8000 ++ srlg %r0,%r0,32($s1) # check for 32+function code ++ ng %r0,32(%r1) # check km capability vector + lgr %r0,$s0 # restore the function code + la %r1,0($key1) # restore $key1 + jz .Lxts_km_vanilla +@@ -2229,7 +2220,7 @@ () + } + $code.=<<___; + .string "AES for s390x, CRYPTOGAMS by " +-.comm OPENSSL_s390xcap_P,16,8 ++.comm OPENSSL_s390xcap_P,80,8 + ___ + + $code =~ s/\`([^\`]*)\`/eval $1/gem; +diff --git a/crypto/modes/asm/ghash-s390x.pl b/crypto/modes/asm/ghash-s390x.pl +index 39096b4..be7d55f 100644 +--- a/crypto/modes/asm/ghash-s390x.pl ++++ b/crypto/modes/asm/ghash-s390x.pl +@@ -85,9 +85,7 @@ + tmhl %r0,0x4000 # check for message-security-assist + jz .Lsoft_gmult + lghi %r0,0 +- la %r1,16($sp) +- .long 0xb93e0004 # kimd %r0,%r4 +- lg %r1,24($sp) ++ lg %r1,24(%r1) # load second word of kimd capabilities vector + tmhh %r1,0x4000 # check for function 65 + jz .Lsoft_gmult + stg %r0,16($sp) # arrange 16 bytes of zero input +diff --git a/crypto/s390xcpuid.S b/crypto/s390xcpuid.S +index 0681534..d91d5bc 100644 +--- a/crypto/s390xcpuid.S ++++ b/crypto/s390xcpuid.S +@@ -5,14 +5,46 @@ + .align 16 + OPENSSL_s390x_facilities: + lghi %r0,0 +- larl %r2,OPENSSL_s390xcap_P +- stg %r0,8(%r2) +- .long 0xb2b02000 # stfle 0(%r2) ++ larl %r4,OPENSSL_s390xcap_P ++ stg 
%r0,8(%r4) # wipe capability vectors ++ stg %r0,16(%r4) ++ stg %r0,24(%r4) ++ stg %r0,32(%r4) ++ stg %r0,40(%r4) ++ stg %r0,48(%r4) ++ stg %r0,56(%r4) ++ stg %r0,64(%r4) ++ stg %r0,72(%r4) ++ ++ .long 0xb2b04000 # stfle 0(%r4) + brc 8,.Ldone + lghi %r0,1 +- .long 0xb2b02000 # stfle 0(%r2) ++ .long 0xb2b04000 # stfle 0(%r4) + .Ldone: +- lg %r2,0(%r2) ++ lmg %r2,%r3,0(%r4) ++ tmhl %r2,0x4000 # check for message-security-assist ++ jz .Lret ++ ++ lghi %r0,0 # query kimd capabilities ++ la %r1,16(%r4) ++ .long 0xb93e0002 # kimd %r0,%r2 ++ ++ lghi %r0,0 # query km capability vector ++ la %r1,32(%r4) ++ .long 0xb92e0042 # km %r4,%r2 ++ ++ lghi %r0,0 # query kmc capability vector ++ la %r1,48(%r4) ++ .long 0xb92f0042 # kmc %r4,%r2 ++ ++ tmhh %r3,0x0004 # check for message-security-assist-4 ++ jz .Lret ++ ++ lghi %r0,0 # query kmctr capability vector ++ la %r1,64(%r4) ++ .long 0xb92d2042 # kmctr %r4,%r2,%r2 ++ ++.Lret: + br %r14 + .size OPENSSL_s390x_facilities,.-OPENSSL_s390x_facilities + +@@ -96,4 +128,4 @@ OPENSSL_cleanse: + .section .init + brasl %r14,OPENSSL_cpuid_setup + +-.comm OPENSSL_s390xcap_P,16,8 ++.comm OPENSSL_s390xcap_P,80,8 +diff --git a/crypto/sha/asm/sha1-s390x.pl b/crypto/sha/asm/sha1-s390x.pl +index 9193dda..d5cf164 100644 +--- a/crypto/sha/asm/sha1-s390x.pl ++++ b/crypto/sha/asm/sha1-s390x.pl +@@ -167,10 +167,7 @@ sub BODY_40_59 { + lg %r0,0(%r1) + tmhl %r0,0x4000 # check for message-security assist + jz .Lsoftware +- lghi %r0,0 +- la %r1,`2*$SIZE_T`($sp) +- .long 0xb93e0002 # kimd %r0,%r2 +- lg %r0,`2*$SIZE_T`($sp) ++ lg %r0,16(%r1) # check kimd capabilities + tmhh %r0,`0x8000>>$kimdfunc` + jz .Lsoftware + lghi %r0,$kimdfunc +@@ -237,7 +234,7 @@ sub BODY_40_59 { + br %r14 + .size sha1_block_data_order,.-sha1_block_data_order + .string "SHA1 block transform for s390x, CRYPTOGAMS by " +-.comm OPENSSL_s390xcap_P,16,8 ++.comm OPENSSL_s390xcap_P,80,8 + ___ + + $code =~ s/\`([^\`]*)\`/eval $1/gem; +diff --git a/crypto/sha/asm/sha512-s390x.pl 
b/crypto/sha/asm/sha512-s390x.pl +index 079a3fc..9c10e4e 100644 +--- a/crypto/sha/asm/sha512-s390x.pl ++++ b/crypto/sha/asm/sha512-s390x.pl +@@ -240,10 +240,7 @@ sub BODY_16_XX { + lg %r0,0(%r1) + tmhl %r0,0x4000 # check for message-security assist + jz .Lsoftware +- lghi %r0,0 +- la %r1,`2*$SIZE_T`($sp) +- .long 0xb93e0002 # kimd %r0,%r2 +- lg %r0,`2*$SIZE_T`($sp) ++ lg %r0,16(%r1) # check kimd capabilities + tmhh %r0,`0x8000>>$kimdfunc` + jz .Lsoftware + lghi %r0,$kimdfunc +@@ -311,7 +308,7 @@ sub BODY_16_XX { + br %r14 + .size $Func,.-$Func + .string "SHA${label} block transform for s390x, CRYPTOGAMS by " +-.comm OPENSSL_s390xcap_P,16,8 ++.comm OPENSSL_s390xcap_P,80,8 + ___ + + $code =~ s/\`([^\`]*)\`/eval $1/gem; diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-2105.patch openssl-1.0.2g/debian/patches/CVE-2016-2105.patch --- openssl-1.0.2g/debian/patches/CVE-2016-2105.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2016-2105.patch 2016-04-28 13:27:44.000000000 +0000 
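Review bot: The new debian/patches/0b48a24ce993d1a4409d7bde26295f6df0d173cb.patch has no DEP-3 header, unlike CVE-2016-2105.patch in the same upload, which opens with `Description:` and `Origin: backport, <hash>` lines; a git-format `From:`/`Subject:` header is tolerated, but an explicit `Origin: upstream, 0b48a24ce993d1a4409d7bde26295f6df0d173cb` plus a `Bug-Ubuntu:` line naming LP: #1601836 would tie the file to its changelog entry. The patch moves the CPACF capability-query results into the writable 80-byte common symbol `OPENSSL_s390xcap_P`, filled once by `OPENSSL_s390x_facilities` from the `.init` section and read relative to a `larl`-loaded %r1 by the aes, ghash, sha1 and sha512 modules, so every `.comm OPENSSL_s390xcap_P,80,8` declaration must stay in lockstep; the hunk does update all five, which is worth stating in the header so a later partial refresh of one module is caught. The upstream justification that the query results are safe to cache (CPACF cannot be disabled without a reboot) is only in the commit message here and should be summarised in the DEP-3 `Description:` as well.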
@@ -0,0 +1,219 @@ +Description: fix EVP_EncodeUpdate overflow +Origin: backport, 700daeecb890721176bd23effc4166221cdd0271 +Origin: backport, 29188216f818e5b34f3b17ee8ed31e8336f3817e +Origin: backport, f332816ef87556b7e89b98206c14df1f128b6d9f + +Index: openssl-1.0.2g/crypto/evp/encode.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/evp/encode.c 2016-03-01 08:35:05.000000000 -0500 ++++ openssl-1.0.2g/crypto/evp/encode.c 2016-04-28 08:28:05.784347101 -0400 +@@ -151,13 +151,13 @@ + const unsigned char *in, int inl) + { + int i, j; +- unsigned int total = 0; ++ size_t total = 0; + + *outl = 0; + if (inl <= 0) + return; + OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); +- if ((ctx->num + inl) < ctx->length) { ++ if (ctx->length - ctx->num > inl) { + memcpy(&(ctx->enc_data[ctx->num]), in, inl); + ctx->num += inl; + return; +@@ -174,7 +174,7 @@ + *out = '\0'; + total = j + 1; + } +- while (inl >= ctx->length) { ++ while (inl >= ctx->length && total <= INT_MAX) { + j = EVP_EncodeBlock(out, in, ctx->length); + in += ctx->length; + inl -= ctx->length; +@@ -183,6 +183,11 @@ + *out = '\0'; + total += j + 1; + } ++ if (total > INT_MAX) { ++ /* Too much output data! 
*/ ++ *outl = 0; ++ return; ++ } + if (inl != 0) + memcpy(&(ctx->enc_data[0]), in, inl); + ctx->num = inl; +Index: openssl-1.0.2g/doc/crypto/EVP_EncodeInit.pod +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.0.2g/doc/crypto/EVP_EncodeInit.pod 2016-04-28 08:28:05.784347101 -0400 +@@ -0,0 +1,145 @@ ++=pod ++ ++=head1 NAME ++ ++EVP_ENCODE_CTX_new, EVP_ENCODE_CTX_free, EVP_ENCODE_CTX_num, EVP_EncodeInit, ++EVP_EncodeUpdate, EVP_EncodeFinal, EVP_EncodeBlock, EVP_DecodeInit, ++EVP_DecodeUpdate, EVP_DecodeFinal, EVP_DecodeBlock - EVP base 64 encode/decode ++routines ++ ++=head1 SYNOPSIS ++ ++ #include ++ ++ EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void); ++ void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx); ++ int EVP_ENCODE_CTX_num(EVP_ENCODE_CTX *ctx); ++ void EVP_EncodeInit(EVP_ENCODE_CTX *ctx); ++ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, ++ const unsigned char *in, int inl); ++ void EVP_EncodeFinal(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl); ++ int EVP_EncodeBlock(unsigned char *t, const unsigned char *f, int n); ++ ++ void EVP_DecodeInit(EVP_ENCODE_CTX *ctx); ++ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, ++ const unsigned char *in, int inl); ++ int EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, unsigned ++ char *out, int *outl); ++ int EVP_DecodeBlock(unsigned char *t, const unsigned char *f, int n); ++ ++=head1 DESCRIPTION ++ ++The EVP encode routines provide a high level interface to base 64 encoding and ++decoding. Base 64 encoding converts binary data into a printable form that uses ++the characters A-Z, a-z, 0-9, "+" and "/" to represent the data. For every 3 ++bytes of binary data provided approximately 4 bytes of base 64 encoded data will ++be produced (see below). If the input data length is not a multiple of 3 then ++the output data will be padded at the end using the "=" character. 
++ ++EVP_ENCODE_CTX_new() allocates, initializes and returns a context to be used for ++the encode/decode functions. ++ ++EVP_ENCODE_CTX_free() cleans up an encode/decode context B and frees up the ++space allocated to it. ++ ++Encoding of binary base 64 data is performed in blocks of 48 input bytes (or ++less for the final block). For each 48 byte input block encoded 64 bytes of base ++64 data is output plus an additional newline character (i.e. 65 bytes in total). ++The final block (which may be less than 48 bytes) will output 4 bytes for every ++3 bytes of input. If the data length is not divisible by 3 then a full 4 bytes ++is still output for the final 1 or 2 bytes of input. Similarly a newline ++character will also be output. ++ ++EVP_EncodeInit() initialises B for the start of a new encoding operation. ++ ++EVP_EncodeUpdate() encode B bytes of data found in the buffer pointed to by ++B. The output is stored in the buffer B and the number of bytes output ++is stored in B<*outl>. It is the caller's responsibility to ensure that the ++buffer at B is sufficiently large to accommodate the output data. Only full ++blocks of data (48 bytes) will be immediately processed and output by this ++function. Any remainder is held in the B object and will be processed by a ++subsequent call to EVP_EncodeUpdate() or EVP_EncodeFinal(). To calculate the ++required size of the output buffer add together the value of B with the ++amount of unprocessed data held in B and divide the result by 48 (ignore ++any remainder). This gives the number of blocks of data that will be processed. ++Ensure the output buffer contains 65 bytes of storage for each block, plus an ++additional byte for a NUL terminator. EVP_EncodeUpdate() may be called ++repeatedly to process large amounts of input data. In the event of an error ++EVP_EncodeUpdate() will set B<*outl> to 0. ++ ++EVP_EncodeFinal() must be called at the end of an encoding operation. 
It will ++process any partial block of data remaining in the B object. The output ++data will be stored in B and the length of the data written will be stored ++in B<*outl>. It is the caller's responsibility to ensure that B is ++sufficiently large to accommodate the output data which will never be more than ++65 bytes plus an additional NUL terminator (i.e. 66 bytes in total). ++ ++EVP_ENCODE_CTX_num() will return the number of as yet unprocessed bytes still to ++be encoded or decoded that are pending in the B object. ++ ++EVP_EncodeBlock() encodes a full block of input data in B and of length ++B and stores it in B. For every 3 bytes of input provided 4 bytes of ++output data will be produced. If B is not divisible by 3 then the block is ++encoded as a final block of data and the output is padded such that it is always ++divisible by 4. Additionally a NUL terminator character will be added. For ++example if 16 bytes of input data is provided then 24 bytes of encoded data is ++created plus 1 byte for a NUL terminator (i.e. 25 bytes in total). The length of ++the data generated I the NUL terminator is returned from the function. ++ ++EVP_DecodeInit() initialises B for the start of a new decoding operation. ++ ++EVP_DecodeUpdate() decodes B bytes of data found in the buffer pointed to ++by B. The output is stored in the buffer B and the number of bytes ++output is stored in B<*outl>. It is the caller's responsibility to ensure that ++the buffer at B is sufficiently large to accommodate the output data. This ++function will attempt to decode as much data as possible in 4 byte chunks. Any ++whitespace, newline or carriage return characters are ignored. Any partial chunk ++of unprocessed data (1, 2 or 3 bytes) that remains at the end will be held in ++the B object and processed by a subsequent call to EVP_DecodeUpdate(). 
If ++any illegal base 64 characters are encountered or if the base 64 padding ++character "=" is encountered in the middle of the data then the function returns ++-1 to indicate an error. A return value of 0 or 1 indicates successful ++processing of the data. A return value of 0 additionally indicates that the last ++input data characters processed included the base 64 padding character "=" and ++therefore no more non-padding character data is expected to be processed. For ++every 4 valid base 64 bytes processed (ignoring whitespace, carriage returns and ++line feeds), 3 bytes of binary output data will be produced (or less at the end ++of the data where the padding character "=" has been used). ++ ++EVP_DecodeFinal() must be called at the end of a decoding operation. If there ++is any unprocessed data still in B then the input data must not have been ++a multiple of 4 and therefore an error has occurred. The function will return -1 ++in this case. Otherwise the function returns 1 on success. ++ ++EVP_DecodeBlock() will decode the block of B bytes of base 64 data contained ++in B and store the result in B. Any leading whitespace will be trimmed as ++will any trailing whitespace, newlines, carriage returns or EOF characters. ++After such trimming the length of the data in B must be divisbile by 4. For ++every 4 input bytes exactly 3 output bytes will be produced. The output will be ++padded with 0 bits if necessary to ensure that the output is always 3 bytes for ++every 4 input bytes. This function will return the length of the data decoded or ++-1 on error. ++ ++=head1 RETURN VALUES ++ ++EVP_ENCODE_CTX_new() returns a pointer to the newly allocated EVP_ENCODE_CTX ++object or NULL on error. ++ ++EVP_ENCODE_CTX_num() returns the number of bytes pending encoding or decoding in ++B. ++ ++EVP_EncodeBlock() returns the number of bytes encoded excluding the NUL ++terminator. ++ ++EVP_DecodeUpdate() returns -1 on error and 0 or 1 on success. 
If 0 is returned ++then no more non-padding base 64 characters are expected. ++ ++EVP_DecodeFinal() returns -1 on error or 1 on success. ++ ++EVP_DecodeBlock() returns the length of the data decoded or -1 on error. ++ ++=head1 SEE ALSO ++ ++L ++ ++=cut +Index: openssl-1.0.2g/doc/crypto/evp.pod +=================================================================== +--- openssl-1.0.2g.orig/doc/crypto/evp.pod 2016-03-01 08:35:53.000000000 -0500 ++++ openssl-1.0.2g/doc/crypto/evp.pod 2016-04-28 08:29:21.721392234 -0400 +@@ -63,6 +63,10 @@ + + Algorithms are loaded with L. + ++The LI<...>|EVP_EncodeInit(3)> and ++LI<...>|EVP_EncodeInit(3)> functions implement base 64 encoding ++and decoding. ++ + All the symmetric algorithms (ciphers), digests and asymmetric algorithms + (public key algorithms) can be replaced by L modules providing alternative + implementations. If ENGINE implementations of ciphers or digests are registered +@@ -85,6 +89,7 @@ + L, + L, + L, ++L, + L, + L, + L, diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-2106.patch openssl-1.0.2g/debian/patches/CVE-2016-2106.patch --- openssl-1.0.2g/debian/patches/CVE-2016-2106.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2016-2106.patch 2016-04-28 12:30:19.000000000 +0000 
@@ -0,0 +1,57 @@ +From 3e17fe7e40ed2eeb4f0892d376ac40d279780aa9 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Thu, 3 Mar 2016 23:36:23 +0000 +Subject: [PATCH] Fix encrypt overflow + +An overflow can occur in the EVP_EncryptUpdate function. If an attacker is +able to supply very large amounts of input data after a previous call to +EVP_EncryptUpdate with a partial block then a length check can overflow +resulting in a heap corruption. + +Following an analysis of all OpenSSL internal usage of the +EVP_EncryptUpdate function all usage is one of two forms. + +The first form is like this: +EVP_EncryptInit() +EVP_EncryptUpdate() + +i.e. where the EVP_EncryptUpdate() call is known to be the first called +function after an EVP_EncryptInit(), and therefore that specific call +must be safe. + +The second form is where the length passed to EVP_EncryptUpdate() can be +seen from the code to be some small value and therefore there is no +possibility of an overflow. + +Since all instances are one of these two forms, I believe that there can +be no overflows in internal code due to this problem. + +It should be noted that EVP_DecryptUpdate() can call EVP_EncryptUpdate() +in certain code paths. Also EVP_CipherUpdate() is a synonym for +EVP_EncryptUpdate(). Therefore I have checked all instances of these +calls too, and came to the same conclusion, i.e. there are no instances +in internal usage where an overflow could occur. + +This could still represent a security issue for end user code that calls +this function directly. + +CVE-2016-2106 + +Issue reported by Guido Vranken. 
+--- + crypto/evp/evp_enc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: openssl-1.0.2g/crypto/evp/evp_enc.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/evp/evp_enc.c 2016-04-28 08:30:17.350157350 -0400 ++++ openssl-1.0.2g/crypto/evp/evp_enc.c 2016-04-28 08:30:17.346157295 -0400 +@@ -410,7 +410,7 @@ + bl = ctx->cipher->block_size; + OPENSSL_assert(bl <= (int)sizeof(ctx->buf)); + if (i != 0) { +- if (i + inl < bl) { ++ if (bl - i > inl) { + memcpy(&(ctx->buf[i]), in, inl); + ctx->buf_len += inl; + *outl = 0; diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-2107.patch openssl-1.0.2g/debian/patches/CVE-2016-2107.patch --- openssl-1.0.2g/debian/patches/CVE-2016-2107.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2016-2107.patch 2016-04-28 13:47:05.000000000 +0000 
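Review bot: The rewritten guard `if (bl - i > inl)` at evp_enc.c line 413 is only safe because `i` (the count already buffered) is presumably below `bl` — that invariant is what makes the subtraction well-defined where `i + inl` could overflow — and nothing at the site records it. A one-line comment would keep a later cleanup from "simplifying" it back: `/* bl - i cannot underflow (i < bl); written this way so a huge caller-supplied inl cannot overflow i + inl */`. The check also relies on negative `inl` having been rejected earlier in EVP_EncryptUpdate, which lies outside this hunk, so confirm that guard is still present. The enclosing function starts outside the hunk.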
@@ -0,0 +1,55 @@ +Backport of: + +From 9e79d38892dc30c874934e0aef7409d31d4bf37f Mon Sep 17 00:00:00 2001 +From: Kurt Roeckx +Date: Sat, 16 Apr 2016 23:08:56 +0200 +Subject: [PATCH] Check that we have enough padding characters. + +CVE-2016-2107 +--- + crypto/evp/e_aes_cbc_hmac_sha1.c | 3 +++ + crypto/evp/e_aes_cbc_hmac_sha256.c | 3 +++ + 2 files changed, 6 insertions(+), 0 deletions(-) + +Index: openssl-1.0.2g/crypto/evp/e_aes_cbc_hmac_sha1.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/evp/e_aes_cbc_hmac_sha1.c 2016-04-28 08:31:10.142883065 -0400 ++++ openssl-1.0.2g/crypto/evp/e_aes_cbc_hmac_sha1.c 2016-04-28 08:31:48.411408885 -0400 +@@ -60,6 +60,7 @@ + # include + # include + # include "modes_lcl.h" ++# include "constant_time_locl.h" + + # ifndef EVP_CIPH_FLAG_AEAD_CIPHER + # define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000 +@@ -578,6 +579,8 @@ + maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); + maxpad &= 255; + ++ ret &= constant_time_ge(maxpad, pad); ++ + inp_len = len - (SHA_DIGEST_LENGTH + pad + 1); + mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1))); + inp_len &= mask; +Index: openssl-1.0.2g/crypto/evp/e_aes_cbc_hmac_sha256.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/evp/e_aes_cbc_hmac_sha256.c 2016-04-28 08:31:10.142883065 -0400 ++++ openssl-1.0.2g/crypto/evp/e_aes_cbc_hmac_sha256.c 2016-04-28 08:31:59.211557246 -0400 +@@ -60,6 +60,7 @@ + # include + # include + # include "modes_lcl.h" ++# include "constant_time_locl.h" + + # ifndef EVP_CIPH_FLAG_AEAD_CIPHER + # define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000 +@@ -589,6 +590,8 @@ + maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); + maxpad &= 255; + ++ ret &= constant_time_ge(maxpad, pad); ++ + inp_len = len - (SHA256_DIGEST_LENGTH + pad + 1); + mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1))); + inp_len &= mask; diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-2108.patch 
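Review bot: The new `ret &= constant_time_ge(maxpad, pad);` (e_aes_cbc_hmac_sha1.c line 582 and the identical line in e_aes_cbc_hmac_sha256.c line 593) carries no explanation of what it protects, and its value depends on the caller treating `ret == 0` exactly like a MAC failure. Suggest a comment such as `/* pad must not exceed maxpad; fold the result into ret in constant time so a bad padding byte is indistinguishable from a bad MAC */` at both sites. The declarations of `maxpad` and `pad` are outside the hunk; constant_time_ge() takes `unsigned int` arguments in the upstream header, so confirm neither variable is signed or wider than that, which would silently convert. The enclosing cipher functions start and end outside the hunk.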
openssl-1.0.2g/debian/patches/CVE-2016-2108.patch --- openssl-1.0.2g/debian/patches/CVE-2016-2108.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2016-2108.patch 2016-04-28 13:38:26.000000000 +0000 
@@ -0,0 +1,91 @@ +Description: fix Memory corruption in the ASN.1 encoder +Origin: backport, c5e4bc81c5a142cab7f46f69824fa35367999ee8 +Origin: backport, ddf29e9b413a12b778ae39d3682b99da201540b1 + +Index: openssl-1.0.2g/crypto/asn1/a_type.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/asn1/a_type.c 2016-04-28 09:07:48.943260538 -0400 ++++ openssl-1.0.2g/crypto/asn1/a_type.c 2016-04-28 09:07:48.939260479 -0400 +@@ -126,9 +126,7 @@ + result = 0; /* They do not have content. */ + break; + case V_ASN1_INTEGER: +- case V_ASN1_NEG_INTEGER: + case V_ASN1_ENUMERATED: +- case V_ASN1_NEG_ENUMERATED: + case V_ASN1_BIT_STRING: + case V_ASN1_OCTET_STRING: + case V_ASN1_SEQUENCE: +Index: openssl-1.0.2g/crypto/asn1/asn1.h +=================================================================== +--- openssl-1.0.2g.orig/crypto/asn1/asn1.h 2016-04-28 09:07:48.943260538 -0400 ++++ openssl-1.0.2g/crypto/asn1/asn1.h 2016-04-28 09:07:48.939260479 -0400 +@@ -96,13 +96,11 @@ + # define V_ASN1_OTHER -3/* used in ASN1_TYPE */ + # define V_ASN1_ANY -4/* used in ASN1 template code */ + +-# define V_ASN1_NEG 0x100/* negative flag */ +- + # define V_ASN1_UNDEF -1 ++/* ASN.1 tag values */ + # define V_ASN1_EOC 0 + # define V_ASN1_BOOLEAN 1 /**/ + # define V_ASN1_INTEGER 2 +-# define V_ASN1_NEG_INTEGER (2 | V_ASN1_NEG) + # define V_ASN1_BIT_STRING 3 + # define V_ASN1_OCTET_STRING 4 + # define V_ASN1_NULL 5 +@@ -111,7 +109,6 @@ + # define V_ASN1_EXTERNAL 8 + # define V_ASN1_REAL 9 + # define V_ASN1_ENUMERATED 10 +-# define V_ASN1_NEG_ENUMERATED (10 | V_ASN1_NEG) + # define V_ASN1_UTF8STRING 12 + # define V_ASN1_SEQUENCE 16 + # define V_ASN1_SET 17 +@@ -129,6 +126,17 @@ + # define V_ASN1_GENERALSTRING 27 /**/ + # define V_ASN1_UNIVERSALSTRING 28 /**/ + # define V_ASN1_BMPSTRING 30 ++ ++/* ++ * NB the constants below are used internally by ASN1_INTEGER ++ * and ASN1_ENUMERATED to indicate the sign. They are *not* on ++ * the wire tag values. 
++ */ ++ ++# define V_ASN1_NEG 0x100 ++# define V_ASN1_NEG_INTEGER (2 | V_ASN1_NEG) ++# define V_ASN1_NEG_ENUMERATED (10 | V_ASN1_NEG) ++ + /* For use with d2i_ASN1_type_bytes() */ + # define B_ASN1_NUMERICSTRING 0x0001 + # define B_ASN1_PRINTABLESTRING 0x0002 +Index: openssl-1.0.2g/crypto/asn1/tasn_dec.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/asn1/tasn_dec.c 2016-04-28 09:07:48.943260538 -0400 ++++ openssl-1.0.2g/crypto/asn1/tasn_dec.c 2016-04-28 09:07:48.939260479 -0400 +@@ -901,9 +901,7 @@ + break; + + case V_ASN1_INTEGER: +- case V_ASN1_NEG_INTEGER: + case V_ASN1_ENUMERATED: +- case V_ASN1_NEG_ENUMERATED: + tint = (ASN1_INTEGER **)pval; + if (!c2i_ASN1_INTEGER(tint, &cont, len)) + goto err; +Index: openssl-1.0.2g/crypto/asn1/tasn_enc.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/asn1/tasn_enc.c 2016-04-28 09:07:48.943260538 -0400 ++++ openssl-1.0.2g/crypto/asn1/tasn_enc.c 2016-04-28 09:07:48.939260479 -0400 +@@ -611,9 +611,7 @@ + break; + + case V_ASN1_INTEGER: +- case V_ASN1_NEG_INTEGER: + case V_ASN1_ENUMERATED: +- case V_ASN1_NEG_ENUMERATED: + /* + * These are all have the same content format as ASN1_INTEGER + */ diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-2109.patch openssl-1.0.2g/debian/patches/CVE-2016-2109.patch --- openssl-1.0.2g/debian/patches/CVE-2016-2109.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2016-2109.patch 2016-04-28 13:07:55.000000000 +0000 
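Review bot: Removing `case V_ASN1_NEG_INTEGER` and `case V_ASN1_NEG_ENUMERATED` from the three switches (a_type.c line 129, tasn_dec.c line 904, tasn_enc.c line 614) routes any type value carrying the internal V_ASN1_NEG bit to each switch's `default` branch, which is outside the hunk. That is the point of the fix — the sign flag must never be interpreted as a wire tag — but it only holds if each `default` errors out rather than treating the value as a content-bearing type, so confirm that for all three. The asn1.h comment already says these are not tag values; adding `/* never use these as case labels in tag switches */` there would state the invariant where the next maintainer looks first.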
@@ -0,0 +1,87 @@ +Backport of: + +From c62981390d6cf9e3d612c489b8b77c2913b25807 Mon Sep 17 00:00:00 2001 +From: "Dr. Stephen Henson" +Date: Mon, 11 Apr 2016 13:57:20 +0100 +Subject: [PATCH] Harden ASN.1 BIO handling of large amounts of data. + +If the ASN.1 BIO is presented with a large length field read it in +chunks of increasing size checking for EOF on each read. This prevents +small files allocating excessive amounts of data. + +CVE-2016-2109 + +Thanks to Brian Carpenter for reporting this issue. + +Reviewed-by: Viktor Dukhovni +--- + crypto/asn1/a_d2i_fp.c | 36 ++++++++++++++++++++++++++---------- + 1 file changed, 26 insertions(+), 10 deletions(-) + +Index: openssl-1.0.2d/crypto/asn1/a_d2i_fp.c +=================================================================== +--- openssl-1.0.2d.orig/crypto/asn1/a_d2i_fp.c 2016-04-28 08:45:39.255414005 -0400 ++++ openssl-1.0.2d/crypto/asn1/a_d2i_fp.c 2016-04-28 08:45:39.251413945 -0400 +@@ -141,6 +141,7 @@ + #endif + + #define HEADER_SIZE 8 ++#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024) + static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) + { + BUF_MEM *b; +@@ -217,29 +218,44 @@ + /* suck in c.slen bytes of data */ + want = c.slen; + if (want > (len - off)) { ++ size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE; ++ + want -= (len - off); + if (want > INT_MAX /* BIO_read takes an int length */ || + len + want < len) { + ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); + goto err; + } +- if (!BUF_MEM_grow_clean(b, len + want)) { +- ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE); +- goto err; +- } + while (want > 0) { +- i = BIO_read(in, &(b->data[len]), want); +- if (i <= 0) { +- ASN1err(ASN1_F_ASN1_D2I_READ_BIO, +- ASN1_R_NOT_ENOUGH_DATA); ++ /* ++ * Read content in chunks of increasing size ++ * so we can return an error for EOF without ++ * having to allocate the entire content length ++ * in one go. ++ */ ++ size_t chunk = want > chunk_max ? 
chunk_max : want; ++ ++ if (!BUF_MEM_grow_clean(b, len + chunk)) { ++ ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE); + goto err; + } ++ want -= chunk; ++ while (chunk > 0) { ++ i = BIO_read(in, &(b->data[len]), chunk); ++ if (i <= 0) { ++ ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ++ ASN1_R_NOT_ENOUGH_DATA); ++ goto err; ++ } + /* + * This can't overflow because |len+want| didn't + * overflow. + */ +- len += i; +- want -= i; ++ len += i; ++ chunk -= i; ++ } ++ if (chunk_max < INT_MAX/2) ++ chunk_max *= 2; + } + } + if (off + c.slen < off) { diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-2177.patch openssl-1.0.2g/debian/patches/CVE-2016-2177.patch --- openssl-1.0.2g/debian/patches/CVE-2016-2177.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2016-2177.patch 2016-09-22 12:12:47.000000000 +0000 
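Review bot: The retained comment `/* This can't overflow because |len+want| didn't overflow. */` now sits above `len += i; chunk -= i;`, where `want` has already been reduced by `chunk`, so the justification no longer names the variables it guards; reword it to `/* len + chunk <= the original len + want, which was overflow-checked above */`. Separately, the `Index:` paths in this patch reference `openssl-1.0.2d` while every other patch in the series uses `openssl-1.0.2g`; the prefix is presumably stripped on application, but the mismatch is worth correcting for consistency. `chunk` is a size_t passed to BIO_read, which takes an int length, and stays below INT_MAX because `chunk_max` only doubles while under INT_MAX/2, so that narrowing is safe. asn1_d2i_read_bio starts inside the hunk but continues past its end.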
@@ -0,0 +1,276 @@ +From a004e72b95835136d3f1ea90517f706c24c03da7 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Thu, 5 May 2016 11:10:26 +0100 +Subject: [PATCH] Avoid some undefined pointer arithmetic + +A common idiom in the codebase is: + +if (p + len > limit) +{ + return; /* Too long */ +} + +Where "p" points to some malloc'd data of SIZE bytes and +limit == p + SIZE + +"len" here could be from some externally supplied data (e.g. from a TLS +message). + +The rules of C pointer arithmetic are such that "p + len" is only well +defined where len <= SIZE. Therefore the above idiom is actually +undefined behaviour. + +For example this could cause problems if some malloc implementation +provides an address for "p" such that "p + len" actually overflows for +values of len that are too big and therefore p + len < limit! + +Issue reported by Guido Vranken. + +CVE-2016-2177 + +Reviewed-by: Rich Salz +--- + ssl/s3_srvr.c | 14 +++++++------- + ssl/ssl_sess.c | 2 +- + ssl/t1_lib.c | 56 ++++++++++++++++++++++++++++++-------------------------- + 3 files changed, 38 insertions(+), 34 deletions(-) + +Index: openssl-1.0.2g/ssl/s3_srvr.c +=================================================================== +--- openssl-1.0.2g.orig/ssl/s3_srvr.c 2016-09-22 08:12:43.223237581 -0400 ++++ openssl-1.0.2g/ssl/s3_srvr.c 2016-09-22 08:12:43.219237535 -0400 +@@ -980,7 +980,7 @@ + + session_length = *(p + SSL3_RANDOM_SIZE); + +- if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) { ++ if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -998,7 +998,7 @@ + /* get the session-id */ + j = *(p++); + +- if (p + j > d + n) { ++ if ((d + n) - p < j) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -1054,14 +1054,14 @@ + + if (SSL_IS_DTLS(s)) { + /* cookie stuff */ +- if (p + 1 > d + n) { ++ if ((d + n) - p < 1) { + 
al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + cookie_len = *(p++); + +- if (p + cookie_len > d + n) { ++ if ((d + n ) - p < cookie_len) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -1131,7 +1131,7 @@ + } + } + +- if (p + 2 > d + n) { ++ if ((d + n ) - p < 2) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -1145,7 +1145,7 @@ + } + + /* i bytes of cipher data + 1 byte for compression length later */ +- if ((p + i + 1) > (d + n)) { ++ if ((d + n) - p < i + 1) { + /* not enough data */ + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); +@@ -1211,7 +1211,7 @@ + + /* compression */ + i = *(p++); +- if ((p + i) > (d + n)) { ++ if ((d + n) - p < i) { + /* not enough data */ + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); +Index: openssl-1.0.2g/ssl/ssl_sess.c +=================================================================== +--- openssl-1.0.2g.orig/ssl/ssl_sess.c 2016-09-22 08:12:43.223237581 -0400 ++++ openssl-1.0.2g/ssl/ssl_sess.c 2016-09-22 08:12:43.219237535 -0400 +@@ -573,7 +573,7 @@ + int r; + #endif + +- if (session_id + len > limit) { ++ if (limit - session_id < len) { + fatal = 1; + goto err; + } +Index: openssl-1.0.2g/ssl/t1_lib.c +=================================================================== +--- openssl-1.0.2g.orig/ssl/t1_lib.c 2016-09-22 08:12:43.223237581 -0400 ++++ openssl-1.0.2g/ssl/t1_lib.c 2016-09-22 08:12:43.219237535 -0400 +@@ -1866,11 +1866,11 @@ + 0x02, 0x03, /* SHA-1/ECDSA */ + }; + +- if (data >= (limit - 2)) ++ if (limit - data <= 2) + return; + data += 2; + +- if (data > (limit - 4)) ++ if (limit - data < 4) + return; + n2s(data, type); + n2s(data, size); +@@ -1878,7 +1878,7 @@ + if (type != TLSEXT_TYPE_server_name) + return; + +- if (data + size > limit) ++ if (limit - 
data < size) + return; + data += size; + +@@ -1886,7 +1886,7 @@ + const size_t len1 = sizeof(kSafariExtensionsBlock); + const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); + +- if (data + len1 + len2 != limit) ++ if (limit - data != (int)(len1 + len2)) + return; + if (memcmp(data, kSafariExtensionsBlock, len1) != 0) + return; +@@ -1895,7 +1895,7 @@ + } else { + const size_t len = sizeof(kSafariExtensionsBlock); + +- if (data + len != limit) ++ if (limit - data != (int)(len)) + return; + if (memcmp(data, kSafariExtensionsBlock, len) != 0) + return; +@@ -2019,19 +2019,19 @@ + if (data == limit) + goto ri_check; + +- if (data > (limit - 2)) ++ if (limit - data < 2) + goto err; + + n2s(data, len); + +- if (data + len != limit) ++ if (limit - data != len) + goto err; + +- while (data <= (limit - 4)) { ++ while (limit - data >= 4) { + n2s(data, type); + n2s(data, size); + +- if (data + size > (limit)) ++ if (limit - data < size) + goto err; + # if 0 + fprintf(stderr, "Received extension type %d size %d\n", type, size); +@@ -2443,18 +2443,18 @@ + if (s->hit || s->cert->srv_ext.meths_count == 0) + return 1; + +- if (data >= limit - 2) ++ if (limit - data <= 2) + return 1; + n2s(data, len); + +- if (data > limit - len) ++ if (limit - data < len) + return 1; + +- while (data <= limit - 4) { ++ while (limit - data >= 4) { + n2s(data, type); + n2s(data, size); + +- if (data + size > limit) ++ if (limit - data < size) + return 1; + if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0) + return 0; +@@ -2540,20 +2540,20 @@ + SSL_TLSEXT_HB_DONT_SEND_REQUESTS); + # endif + +- if (data >= (d + n - 2)) ++ if ((d + n) - data <= 2) + goto ri_check; + + n2s(data, length); +- if (data + length != d + n) { ++ if ((d + n) - data != length) { + *al = SSL_AD_DECODE_ERROR; + return 0; + } + +- while (data <= (d + n - 4)) { ++ while ((d + n) - data >= 4) { + n2s(data, type); + n2s(data, size); + +- if (data + size > (d + n)) ++ if ((d + n) - data < size) + goto ri_check; + 
+ if (s->tlsext_debug_cb) +@@ -3273,29 +3273,33 @@ + /* Skip past DTLS cookie */ + if (SSL_IS_DTLS(s)) { + i = *(p++); +- p += i; +- if (p >= limit) ++ ++ if (limit - p <= i) + return -1; ++ ++ p += i; + } + /* Skip past cipher list */ + n2s(p, i); +- p += i; +- if (p >= limit) ++ if (limit - p <= i) + return -1; ++ p += i; ++ + /* Skip past compression algorithm list */ + i = *(p++); +- p += i; +- if (p > limit) ++ if (limit - p < i) + return -1; ++ p += i; ++ + /* Now at start of extensions */ +- if ((p + 2) >= limit) ++ if (limit - p <= 2) + return 0; + n2s(p, i); +- while ((p + 4) <= limit) { ++ while (limit - p >= 4) { + unsigned short type, size; + n2s(p, type); + n2s(p, size); +- if (p + size > limit) ++ if (limit - p < size) + return 0; + if (type == TLSEXT_TYPE_session_ticket) { + int r; diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-2178-1.patch openssl-1.0.2g/debian/patches/CVE-2016-2178-1.patch --- openssl-1.0.2g/debian/patches/CVE-2016-2178-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2016-2178-1.patch 2016-09-22 12:12:51.000000000 +0000 
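Review bot: Every rewritten bound check now compares a pointer difference (`limit - data`, `(d + n) - p`) with a length whose declared type is outside the hunk (`size`, `len`, `j`, `cookie_len`, `i`); where that length is an unsigned type at least as wide as ptrdiff_t, the signed difference is converted to unsigned, which is only harmless while the pointer has not advanced past the limit. Stating that invariant once would help, e.g. above the first check in ssl3_get_client_hello: `/* p never advances past d + n, so (d + n) - p is a non-negative count of the bytes left */`. The explicit `(int)` casts on `len1 + len2` and `len` in the Safari check are fine for those small sizeof values. Two of the new lines in s3_srvr.c are written `(d + n ) - p` with a stray space before the parenthesis while the rest use `(d + n) - p`.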
@@ -0,0 +1,49 @@ +From 621eaf49a289bfac26d4cbcdb7396e796784c534 Mon Sep 17 00:00:00 2001 +From: Cesar Pereida +Date: Mon, 23 May 2016 12:45:25 +0300 +Subject: [PATCH] Fix DSA, preserve BN_FLG_CONSTTIME + +Operations in the DSA signing algorithm should run in constant time in +order to avoid side channel attacks. A flaw in the OpenSSL DSA +implementation means that a non-constant time codepath is followed for +certain operations. This has been demonstrated through a cache-timing +attack to be sufficient for an attacker to recover the private DSA key. + +CVE-2016-2178 + +Reviewed-by: Richard Levitte +Reviewed-by: Matt Caswell +--- + crypto/dsa/dsa_ossl.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c +index efc4f1b..b29eb4b 100644 +--- a/crypto/dsa/dsa_ossl.c ++++ b/crypto/dsa/dsa_ossl.c +@@ -248,9 +248,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, + if (!BN_rand_range(&k, dsa->q)) + goto err; + while (BN_is_zero(&k)) ; +- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { +- BN_set_flags(&k, BN_FLG_CONSTTIME); +- } + + if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { + if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, +@@ -279,9 +276,12 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, + } + + K = &kq; ++ ++ BN_set_flags(K, BN_FLG_CONSTTIME); + } else { + K = &k; + } ++ + DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx, + dsa->method_mont_p); + if (!BN_mod(r, r, dsa->q, ctx)) +-- +1.9.1 + diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-2178-2.patch openssl-1.0.2g/debian/patches/CVE-2016-2178-2.patch --- openssl-1.0.2g/debian/patches/CVE-2016-2178-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2016-2178-2.patch 2016-09-22 12:12:55.000000000 +0000 
@@ -0,0 +1,55 @@ +From b7d0f2834e139a20560d64c73e2565e93715ce2b Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 7 Jun 2016 09:12:51 +0100 +Subject: [PATCH] More fix DSA, preserve BN_FLG_CONSTTIME + +The previous "fix" still left "k" exposed to constant time problems in +the later BN_mod_inverse() call. Ensure both k and kq have the +BN_FLG_CONSTTIME flag set at the earliest opportunity after creation. + +CVE-2016-2178 + +Reviewed-by: Rich Salz +--- + crypto/dsa/dsa_ossl.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c +index b29eb4b..58013a4 100644 +--- a/crypto/dsa/dsa_ossl.c ++++ b/crypto/dsa/dsa_ossl.c +@@ -247,7 +247,12 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, + do + if (!BN_rand_range(&k, dsa->q)) + goto err; +- while (BN_is_zero(&k)) ; ++ while (BN_is_zero(&k)); ++ ++ if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { ++ BN_set_flags(&k, BN_FLG_CONSTTIME); ++ } ++ + + if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { + if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, +@@ -261,6 +266,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, + if (!BN_copy(&kq, &k)) + goto err; + ++ BN_set_flags(&kq, BN_FLG_CONSTTIME); ++ + /* + * We do not want timing information to leak the length of k, so we + * compute g^k using an equivalent exponent of fixed length. (This +@@ -276,8 +283,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, + } + + K = &kq; +- +- BN_set_flags(K, BN_FLG_CONSTTIME); + } else { + K = &k; + } +-- +1.9.1 + diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-2179.patch openssl-1.0.2g/debian/patches/CVE-2016-2179.patch --- openssl-1.0.2g/debian/patches/CVE-2016-2179.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2016-2179.patch 2016-09-22 12:13:05.000000000 +0000 
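Review bot: `BN_set_flags(&kq, BN_FLG_CONSTTIME)` is applied unconditionally after `BN_copy(&kq, &k)`, while the flag on `k` a few lines earlier is gated on `DSA_FLAG_NO_EXP_CONSTTIME`; that asymmetry reads as accidental, so either gate both the same way or add a comment saying why kq is always constant-time. A why-comment on the kq line would also record the reason it is needed at all: `/* BN_copy() does not carry BN_FLG_CONSTTIME over, so set it on the copy explicitly */` (presumably the case; BN_copy is outside this hunk). The hunk also leaves two consecutive blank lines after the new `if` block. dsa_sign_setup starts and ends outside the hunk.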
@@ -0,0 +1,250 @@ +From 26f2c5774f117aea588e8f31fad38bcf14e83bec Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Thu, 30 Jun 2016 13:17:08 +0100 +Subject: [PATCH] Fix DTLS buffered message DoS attack + +DTLS can handle out of order record delivery. Additionally since +handshake messages can be bigger than will fit into a single packet, the +messages can be fragmented across multiple records (as with normal TLS). +That means that the messages can arrive mixed up, and we have to +reassemble them. We keep a queue of buffered messages that are "from the +future", i.e. messages we're not ready to deal with yet but have arrived +early. The messages held there may not be full yet - they could be one +or more fragments that are still in the process of being reassembled. + +The code assumes that we will eventually complete the reassembly and +when that occurs the complete message is removed from the queue at the +point that we need to use it. + +However, DTLS is also tolerant of packet loss. To get around that DTLS +messages can be retransmitted. If we receive a full (non-fragmented) +message from the peer after previously having received a fragment of +that message, then we ignore the message in the queue and just use the +non-fragmented version. At that point the queued message will never get +removed. + +Additionally the peer could send "future" messages that we never get to +in order to complete the handshake. Each message has a sequence number +(starting from 0). We will accept a message fragment for the current +message sequence number, or for any sequence up to 10 into the future. +However if the Finished message has a sequence number of 2, anything +greater than that in the queue is just left there. + +So, in those two ways we can end up with "orphaned" data in the queue +that will never get removed - except when the connection is closed. At +that point all the queues are flushed. 
+ +An attacker could seek to exploit this by filling up the queues with +lots of large messages that are never going to be used in order to +attempt a DoS by memory exhaustion. + +I will assume that we are only concerned with servers here. It does not +seem reasonable to be concerned about a memory exhaustion attack on a +client. They are unlikely to process enough connections for this to be +an issue. + +A "long" handshake with many messages might be 5 messages long (in the +incoming direction), e.g. ClientHello, Certificate, ClientKeyExchange, +CertificateVerify, Finished. So this would be message sequence numbers 0 +to 4. Additionally we can buffer up to 10 messages in the future. +Therefore the maximum number of messages that an attacker could send +that could get orphaned would typically be 15. + +The maximum size that a DTLS message is allowed to be is defined by +max_cert_list, which by default is 100k. Therefore the maximum amount of +"orphaned" memory per connection is 1500k. + +Message sequence numbers get reset after the Finished message, so +renegotiation will not extend the maximum number of messages that can be +orphaned per connection. + +As noted above, the queues do get cleared when the connection is closed. +Therefore in order to mount an effective attack, an attacker would have +to open many simultaneous connections. + +Issue reported by Quan Luo. 
+ +CVE-2016-2179 + +Reviewed-by: Richard Levitte +--- + ssl/d1_both.c | 32 ++++++++++++++++---------------- + ssl/d1_clnt.c | 1 + + ssl/d1_lib.c | 37 ++++++++++++++++++++++++++----------- + ssl/d1_srvr.c | 3 ++- + ssl/ssl_locl.h | 3 ++- + 5 files changed, 47 insertions(+), 29 deletions(-) + +Index: openssl-1.0.2g/ssl/d1_both.c +=================================================================== +--- openssl-1.0.2g.orig/ssl/d1_both.c 2016-09-22 08:13:02.963468834 -0400 ++++ openssl-1.0.2g/ssl/d1_both.c 2016-09-22 08:13:02.955468741 -0400 +@@ -618,11 +618,23 @@ + int al; + + *ok = 0; +- item = pqueue_peek(s->d1->buffered_messages); +- if (item == NULL) +- return 0; ++ do { ++ item = pqueue_peek(s->d1->buffered_messages); ++ if (item == NULL) ++ return 0; ++ ++ frag = (hm_fragment *)item->data; ++ ++ if (frag->msg_header.seq < s->d1->handshake_read_seq) { ++ /* This is a stale message that has been buffered so clear it */ ++ pqueue_pop(s->d1->buffered_messages); ++ dtls1_hm_fragment_free(frag); ++ pitem_free(item); ++ item = NULL; ++ frag = NULL; ++ } ++ } while (item == NULL); + +- frag = (hm_fragment *)item->data; + + /* Don't return if reassembly still in progress */ + if (frag->reassembly != NULL) +@@ -1296,18 +1308,6 @@ + return ret; + } + +-/* call this function when the buffered messages are no longer needed */ +-void dtls1_clear_record_buffer(SSL *s) +-{ +- pitem *item; +- +- for (item = pqueue_pop(s->d1->sent_messages); +- item != NULL; item = pqueue_pop(s->d1->sent_messages)) { +- dtls1_hm_fragment_free((hm_fragment *)item->data); +- pitem_free(item); +- } +-} +- + unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p, + unsigned char mt, unsigned long len, + unsigned long frag_off, +Index: openssl-1.0.2g/ssl/d1_clnt.c +=================================================================== +--- openssl-1.0.2g.orig/ssl/d1_clnt.c 2016-09-22 08:13:02.963468834 -0400 ++++ openssl-1.0.2g/ssl/d1_clnt.c 2016-09-22 08:13:02.959468787 -0400 +@@ -769,6 +769,7 
@@ + /* done with handshaking */ + s->d1->handshake_read_seq = 0; + s->d1->next_handshake_write_seq = 0; ++ dtls1_clear_received_buffer(s); + goto end; + /* break; */ + +Index: openssl-1.0.2g/ssl/d1_lib.c +=================================================================== +--- openssl-1.0.2g.orig/ssl/d1_lib.c 2016-09-22 08:13:02.963468834 -0400 ++++ openssl-1.0.2g/ssl/d1_lib.c 2016-09-22 08:13:02.959468787 -0400 +@@ -170,7 +170,6 @@ + static void dtls1_clear_queues(SSL *s) + { + pitem *item = NULL; +- hm_fragment *frag = NULL; + DTLS1_RECORD_DATA *rdata; + + while ((item = pqueue_pop(s->d1->unprocessed_rcds.q)) != NULL) { +@@ -191,28 +190,44 @@ + pitem_free(item); + } + ++ while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) { ++ rdata = (DTLS1_RECORD_DATA *)item->data; ++ if (rdata->rbuf.buf) { ++ OPENSSL_free(rdata->rbuf.buf); ++ } ++ OPENSSL_free(item->data); ++ pitem_free(item); ++ } ++ ++ dtls1_clear_received_buffer(s); ++ dtls1_clear_sent_buffer(s); ++} ++ ++void dtls1_clear_received_buffer(SSL *s) ++{ ++ pitem *item = NULL; ++ hm_fragment *frag = NULL; ++ + while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL) { + frag = (hm_fragment *)item->data; + dtls1_hm_fragment_free(frag); + pitem_free(item); + } ++} ++ ++void dtls1_clear_sent_buffer(SSL *s) ++{ ++ pitem *item = NULL; ++ hm_fragment *frag = NULL; + + while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) { + frag = (hm_fragment *)item->data; + dtls1_hm_fragment_free(frag); + pitem_free(item); + } +- +- while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) { +- rdata = (DTLS1_RECORD_DATA *)item->data; +- if (rdata->rbuf.buf) { +- OPENSSL_free(rdata->rbuf.buf); +- } +- OPENSSL_free(item->data); +- pitem_free(item); +- } + } + ++ + void dtls1_free(SSL *s) + { + ssl3_free(s); +@@ -456,7 +471,7 @@ + BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, + &(s->d1->next_timeout)); + /* Clear retransmission buffer */ +- dtls1_clear_record_buffer(s); ++ 
dtls1_clear_sent_buffer(s); + } + + int dtls1_check_timeout_num(SSL *s) +Index: openssl-1.0.2g/ssl/d1_srvr.c +=================================================================== +--- openssl-1.0.2g.orig/ssl/d1_srvr.c 2016-09-22 08:13:02.963468834 -0400 ++++ openssl-1.0.2g/ssl/d1_srvr.c 2016-09-22 08:13:02.959468787 -0400 +@@ -313,7 +313,7 @@ + case SSL3_ST_SW_HELLO_REQ_B: + + s->shutdown = 0; +- dtls1_clear_record_buffer(s); ++ dtls1_clear_sent_buffer(s); + dtls1_start_timer(s); + ret = ssl3_send_hello_request(s); + if (ret <= 0) +@@ -894,6 +894,7 @@ + /* next message is server hello */ + s->d1->handshake_write_seq = 0; + s->d1->next_handshake_write_seq = 0; ++ dtls1_clear_received_buffer(s); + goto end; + /* break; */ + +Index: openssl-1.0.2g/ssl/ssl_locl.h +=================================================================== +--- openssl-1.0.2g.orig/ssl/ssl_locl.h 2016-09-22 08:13:02.963468834 -0400 ++++ openssl-1.0.2g/ssl/ssl_locl.h 2016-09-22 08:13:02.959468787 -0400 +@@ -1237,7 +1237,8 @@ + unsigned long frag_off, int *found); + int dtls1_get_queue_priority(unsigned short seq, int is_ccs); + int dtls1_retransmit_buffered_messages(SSL *s); +-void dtls1_clear_record_buffer(SSL *s); ++void dtls1_clear_received_buffer(SSL *s); ++void dtls1_clear_sent_buffer(SSL *s); + void dtls1_get_message_header(unsigned char *data, + struct hm_header_st *msg_hdr); + void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr); diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-2180.patch openssl-1.0.2g/debian/patches/CVE-2016-2180.patch --- openssl-1.0.2g/debian/patches/CVE-2016-2180.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2016-2180.patch 2016-09-22 12:13:09.000000000 +0000 
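Review bot: The removed `dtls1_clear_record_buffer` carried the only comment about when its queue should be cleared (`/* call this function when the buffered messages are no longer needed */`), and neither replacement in d1_lib.c inherits it; give each a header, e.g. `/* Free received handshake fragments; called once the handshake completes, when leftover future or duplicate fragments can never be used */` on dtls1_clear_received_buffer and `/* Free the retransmission queue of sent handshake messages */` on dtls1_clear_sent_buffer. The new `do { } while (item == NULL)` loop in d1_both.c terminates because every iteration that continues pops one item, but that is not obvious at a glance; a note like `/* each stale item is popped, so the queue shrinks until we return or find a live fragment */` would help. Fragments buffered beyond the final message are released only through the two new calls in d1_clnt.c and d1_srvr.c on the handshake-complete path, so a handshake that fails before that point appears to hold them until close, as the description's per-connection bound assumes.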
@@ -0,0 +1,39 @@ +From b746aa3fe05b5b5f7126df247ac3eceeb995e2a0 Mon Sep 17 00:00:00 2001 +From: "Dr. Stephen Henson" +Date: Thu, 21 Jul 2016 15:24:16 +0100 +Subject: [PATCH] Fix OOB read in TS_OBJ_print_bio(). + +TS_OBJ_print_bio() misuses OBJ_txt2obj: it should print the result +as a null terminated buffer. The length value returned is the total +length the complete text reprsentation would need not the amount of +data written. + +CVE-2016-2180 + +Thanks to Shi Lei for reporting this bug. + +Reviewed-by: Matt Caswell +(cherry picked from commit 0ed26acce328ec16a3aa635f1ca37365e8c7403a) +--- + crypto/ts/ts_lib.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/crypto/ts/ts_lib.c b/crypto/ts/ts_lib.c +index c51538a..e0f1063 100644 +--- a/crypto/ts/ts_lib.c ++++ b/crypto/ts/ts_lib.c +@@ -90,9 +90,8 @@ int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj) + { + char obj_txt[128]; + +- int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0); +- BIO_write(bio, obj_txt, len); +- BIO_write(bio, "\n", 1); ++ OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0); ++ BIO_printf(bio, "%s\n", obj_txt); + + return 1; + } +-- +1.9.1 + diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-2181-1.patch openssl-1.0.2g/debian/patches/CVE-2016-2181-1.patch --- openssl-1.0.2g/debian/patches/CVE-2016-2181-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2016-2181-1.patch 2016-09-22 12:13:13.000000000 +0000 
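Review bot: The return value of `OBJ_obj2txt` is now discarded, so when the textual form of an OID does not fit the 128-byte `obj_txt` the output is silently truncated; that is acceptable for a print routine but should be visible in the code, e.g. `/* OBJ_obj2txt always NUL-terminates; a representation longer than obj_txt is truncated on output */`, or compare the result with `(int)sizeof(obj_txt)` and append a marker. The function still returns 1 without looking at what `BIO_printf` returns, so a write failure is not reported to the caller; that predates this change but is cheap to fix with `return BIO_printf(bio, "%s\n", obj_txt) > 0;` if callers can tolerate a 0 return.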
@@ -0,0 +1,86 @@ +From 20744f6b40b5ded059a848f66d6ba922f2a62eb3 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 5 Jul 2016 11:46:26 +0100 +Subject: [PATCH] Fix DTLS unprocessed records bug + +During a DTLS handshake we may get records destined for the next epoch +arrive before we have processed the CCS. In that case we can't decrypt or +verify the record yet, so we buffer it for later use. When we do receive +the CCS we work through the queue of unprocessed records and process them. + +Unfortunately the act of processing wipes out any existing packet data +that we were still working through. This includes any records from the new +epoch that were in the same packet as the CCS. We should only process the +buffered records if we've not got any data left. + +Reviewed-by: Richard Levitte +--- + ssl/d1_pkt.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c +index fe30ec7..1fb119d 100644 +--- a/ssl/d1_pkt.c ++++ b/ssl/d1_pkt.c +@@ -319,6 +319,7 @@ static int dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) + static int dtls1_process_buffered_records(SSL *s) + { + pitem *item; ++ SSL3_BUFFER *rb; + + item = pqueue_peek(s->d1->unprocessed_rcds.q); + if (item) { +@@ -326,6 +327,19 @@ static int dtls1_process_buffered_records(SSL *s) + if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch) + return (1); /* Nothing to do. */ + ++ rb = &s->s3->rbuf; ++ ++ if (rb->left > 0) { ++ /* ++ * We've still got data from the current packet to read. There could ++ * be a record from the new epoch in it - so don't overwrite it ++ * with the unprocessed records yet (we'll do it when we've ++ * finished reading the current packet). ++ */ ++ return 1; ++ } ++ ++ + /* Process all the records. 
*/ + while (pqueue_peek(s->d1->unprocessed_rcds.q)) { + dtls1_get_unprocessed_record(s); +@@ -581,6 +595,7 @@ int dtls1_get_record(SSL *s) + + rr = &(s->s3->rrec); + ++ again: + /* + * The epoch may have changed. If so, process all the pending records. + * This is a non-blocking operation. +@@ -593,7 +608,6 @@ int dtls1_get_record(SSL *s) + return 1; + + /* get something from the wire */ +- again: + /* check if we have the header */ + if ((s->rstate != SSL_ST_READ_BODY) || + (s->packet_length < DTLS1_RT_HEADER_LENGTH)) { +@@ -1830,8 +1844,13 @@ static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, + if (rr->epoch == s->d1->r_epoch) + return &s->d1->bitmap; + +- /* Only HM and ALERT messages can be from the next epoch */ ++ /* ++ * Only HM and ALERT messages can be from the next epoch and only if we ++ * have already processed all of the unprocessed records from the last ++ * epoch ++ */ + else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) && ++ s->d1->unprocessed_rcds.epoch != s->d1->r_epoch && + (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) { + *is_next_epoch = 1; + return &s->d1->next_bitmap; +-- +1.9.1 + diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-2181-2.patch openssl-1.0.2g/debian/patches/CVE-2016-2181-2.patch --- openssl-1.0.2g/debian/patches/CVE-2016-2181-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2016-2181-2.patch 2016-09-22 12:13:21.000000000 +0000 
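Review bot: The `again:` label in `dtls1_get_record` now sits before the call to `dtls1_process_buffered_records`, so every `goto again` later in the function (after a dropped record, outside this hunk) re-enters the buffered-record pass, and nothing at the label says so. Suggest `/* again: re-entered whenever a record is dropped; buffered next-epoch records are re-examined each pass once rbuf has been drained */` above the label. The early `return 1` in `dtls1_process_buffered_records` when `rb->left > 0` relies on exactly that re-entry to eventually process the queue, so the dependency between the two functions is worth stating in the comment too. Both functions begin and end outside the hunk.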
@@ -0,0 +1,226 @@ +From 3884b47b7c255c2e94d9b387ee83c7e8bb981258 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 5 Jul 2016 12:04:37 +0100 +Subject: [PATCH] Fix DTLS replay protection + +The DTLS implementation provides some protection against replay attacks +in accordance with RFC6347 section 4.1.2.6. + +A sliding "window" of valid record sequence numbers is maintained with +the "right" hand edge of the window set to the highest sequence number we +have received so far. Records that arrive that are off the "left" hand +edge of the window are rejected. Records within the window are checked +against a list of records received so far. If we already received it then +we also reject the new record. + +If we have not already received the record, or the sequence number is off +the right hand edge of the window then we verify the MAC of the record. +If MAC verification fails then we discard the record. Otherwise we mark +the record as received. If the sequence number was off the right hand edge +of the window, then we slide the window along so that the right hand edge +is in line with the newly received sequence number. + +Records may arrive for future epochs, i.e. a record from after a CCS being +sent, can arrive before the CCS does if the packets get re-ordered. As we +have not yet received the CCS we are not yet in a position to decrypt or +validate the MAC of those records. OpenSSL places those records on an +unprocessed records queue. It additionally updates the window immediately, +even though we have not yet verified the MAC. This will only occur if +currently in a handshake/renegotiation. + +This could be exploited by an attacker by sending a record for the next +epoch (which does not have to decrypt or have a valid MAC), with a very +large sequence number. This means the right hand edge of the window is +moved very far to the right, and all subsequent legitimate packets are +dropped causing a denial of service. 
+ +A similar effect can be achieved during the initial handshake. In this +case there is no MAC key negotiated yet. Therefore an attacker can send a +message for the current epoch with a very large sequence number. The code +will process the record as normal. If the hanshake message sequence number +(as opposed to the record sequence number that we have been talking about +so far) is in the future then the injected message is bufferred to be +handled later, but the window is still updated. Therefore all subsequent +legitimate handshake records are dropped. This aspect is not considered a +security issue because there are many ways for an attacker to disrupt the +initial handshake and prevent it from completing successfully (e.g. +injection of a handshake message will cause the Finished MAC to fail and +the handshake to be aborted). This issue comes about as a result of trying +to do replay protection, but having no integrity mechanism in place yet. +Does it even make sense to have replay protection in epoch 0? That +issue isn't addressed here though. + +This addressed an OCAP Audit issue. 
+ +CVE-2016-2181 + +Reviewed-by: Richard Levitte +--- + ssl/d1_pkt.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++------------ + ssl/ssl.h | 1 + + ssl/ssl_err.c | 4 +++- + 3 files changed, 52 insertions(+), 13 deletions(-) + +Index: openssl-1.0.2g/ssl/d1_pkt.c +=================================================================== +--- openssl-1.0.2g.orig/ssl/d1_pkt.c 2016-09-22 08:13:19.507662507 -0400 ++++ openssl-1.0.2g/ssl/d1_pkt.c 2016-09-22 08:13:19.507662507 -0400 +@@ -194,7 +194,7 @@ + #endif + static int dtls1_buffer_record(SSL *s, record_pqueue *q, + unsigned char *priority); +-static int dtls1_process_record(SSL *s); ++static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap); + + /* copy buffered record into SSL structure */ + static int dtls1_copy_record(SSL *s, pitem *item) +@@ -320,13 +320,18 @@ + { + pitem *item; + SSL3_BUFFER *rb; ++ SSL3_RECORD *rr; ++ DTLS1_BITMAP *bitmap; ++ unsigned int is_next_epoch; ++ int replayok = 1; + + item = pqueue_peek(s->d1->unprocessed_rcds.q); + if (item) { + /* Check if epoch is current. */ + if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch) +- return (1); /* Nothing to do. */ ++ return 1; /* Nothing to do. */ + ++ rr = &s->s3->rrec; + rb = &s->s3->rbuf; + + if (rb->left > 0) { +@@ -343,11 +348,41 @@ + /* Process all the records. */ + while (pqueue_peek(s->d1->unprocessed_rcds.q)) { + dtls1_get_unprocessed_record(s); +- if (!dtls1_process_record(s)) +- return (0); ++ bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); ++ if (bitmap == NULL) { ++ /* ++ * Should not happen. This will only ever be NULL when the ++ * current record is from a different epoch. 
But that cannot ++ * be the case because we already checked the epoch above ++ */ ++ SSLerr(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS, ++ ERR_R_INTERNAL_ERROR); ++ return 0; ++ } ++#ifndef OPENSSL_NO_SCTP ++ /* Only do replay check if no SCTP bio */ ++ if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) ++#endif ++ { ++ /* ++ * Check whether this is a repeat, or aged record. We did this ++ * check once already when we first received the record - but ++ * we might have updated the window since then due to ++ * records we subsequently processed. ++ */ ++ replayok = dtls1_record_replay_check(s, bitmap); ++ } ++ ++ if (!replayok || !dtls1_process_record(s, bitmap)) { ++ /* dump this record */ ++ rr->length = 0; ++ s->packet_length = 0; ++ continue; ++ } ++ + if (dtls1_buffer_record(s, &(s->d1->processed_rcds), + s->s3->rrec.seq_num) < 0) +- return -1; ++ return 0; + } + } + +@@ -358,7 +393,7 @@ + s->d1->processed_rcds.epoch = s->d1->r_epoch; + s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1; + +- return (1); ++ return 1; + } + + #if 0 +@@ -405,7 +440,7 @@ + + #endif + +-static int dtls1_process_record(SSL *s) ++static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) + { + int i, al; + int enc_err; +@@ -565,6 +600,10 @@ + + /* we have pulled in a full packet so zero things */ + s->packet_length = 0; ++ ++ /* Mark receipt of record. */ ++ dtls1_record_bitmap_update(s, bitmap); ++ + return (1); + + f_err: +@@ -600,7 +639,7 @@ + * The epoch may have changed. If so, process all the pending records. + * This is a non-blocking operation. + */ +- if (dtls1_process_buffered_records(s) < 0) ++ if (!dtls1_process_buffered_records(s)) + return -1; + + /* if we're renegotiating, then there may be buffered records */ +@@ -735,20 +774,17 @@ + if (dtls1_buffer_record + (s, &(s->d1->unprocessed_rcds), rr->seq_num) < 0) + return -1; +- /* Mark receipt of record. 
*/ +- dtls1_record_bitmap_update(s, bitmap); + } + rr->length = 0; + s->packet_length = 0; + goto again; + } + +- if (!dtls1_process_record(s)) { ++ if (!dtls1_process_record(s, bitmap)) { + rr->length = 0; + s->packet_length = 0; /* dump this record */ + goto again; /* get another record */ + } +- dtls1_record_bitmap_update(s, bitmap); /* Mark receipt of record. */ + + return (1); + +Index: openssl-1.0.2g/ssl/ssl.h +=================================================================== +--- openssl-1.0.2g.orig/ssl/ssl.h 2016-09-22 08:13:19.507662507 -0400 ++++ openssl-1.0.2g/ssl/ssl.h 2016-09-22 08:13:19.507662507 -0400 +@@ -2623,6 +2623,7 @@ + # define SSL_F_DTLS1_HEARTBEAT 305 + # define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255 + # define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288 ++# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 404 + # define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256 + # define SSL_F_DTLS1_PROCESS_RECORD 257 + # define SSL_F_DTLS1_READ_BYTES 258 +Index: openssl-1.0.2g/ssl/ssl_err.c +=================================================================== +--- openssl-1.0.2g.orig/ssl/ssl_err.c 2016-09-22 08:13:19.507662507 -0400 ++++ openssl-1.0.2g/ssl/ssl_err.c 2016-09-22 08:13:19.507662507 -0400 +@@ -93,6 +93,8 @@ + {ERR_FUNC(SSL_F_DTLS1_HEARTBEAT), "dtls1_heartbeat"}, + {ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN), "dtls1_output_cert_chain"}, + {ERR_FUNC(SSL_F_DTLS1_PREPROCESS_FRAGMENT), "DTLS1_PREPROCESS_FRAGMENT"}, ++ {ERR_FUNC(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS), ++ "DTLS1_PROCESS_BUFFERED_RECORDS"}, + {ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE), + "DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"}, + {ERR_FUNC(SSL_F_DTLS1_PROCESS_RECORD), "DTLS1_PROCESS_RECORD"}, diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-2181-3.patch openssl-1.0.2g/debian/patches/CVE-2016-2181-3.patch --- openssl-1.0.2g/debian/patches/CVE-2016-2181-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2016-2181-3.patch 2016-09-22 12:13:29.000000000 +0000 
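Review bot: In the new loop in `dtls1_process_buffered_records`, `is_next_epoch` is filled by `dtls1_get_bitmap` but never read, and `replayok` is declared outside the loop, so when the SCTP branch is skipped it keeps its initial 1 across iterations while otherwise being overwritten on every pass; that is correct but easy to misread as state carried between records. Suggest moving `int replayok = 1;` to the top of the loop body and adding `/* is_next_epoch unused here: the epoch was already checked above */` next to the `dtls1_get_bitmap` call. The return convention also changed from -1 to 0 on `dtls1_buffer_record` failure; the caller in `dtls1_get_record` is updated in this hunk, but any other caller outside it would need the same treatment. Moving `dtls1_record_bitmap_update` into `dtls1_process_record` so the window only advances after MAC verification matches the commit message.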
@@ -0,0 +1,25 @@
+From 26aebca74e38ae09f673c2045cc8e2ef762d265a Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Wed, 17 Aug 2016 17:55:36 +0100
+Subject: [PATCH] Update function error code
+
+A function error code needed updating due to merge issues.
+
+Reviewed-by: Richard Levitte
+---
+ ssl/ssl.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: openssl-1.0.2g/ssl/ssl.h
+===================================================================
+--- openssl-1.0.2g.orig/ssl/ssl.h 2016-09-22 08:13:27.067750968 -0400
++++ openssl-1.0.2g/ssl/ssl.h 2016-09-22 08:13:27.063750920 -0400
+@@ -2623,7 +2623,7 @@
+ # define SSL_F_DTLS1_HEARTBEAT 305
+ # define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255
+ # define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288
+-# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 404
++# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 424
+ # define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256
+ # define SSL_F_DTLS1_PROCESS_RECORD 257
+ # define SSL_F_DTLS1_READ_BYTES 258
diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-2182-2.patch openssl-1.0.2g/debian/patches/CVE-2016-2182-2.patch
--- openssl-1.0.2g/debian/patches/CVE-2016-2182-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2016-2182-2.patch 2016-09-23 12:00:08.000000000 +0000
@@ -0,0 +1,39 @@
+From 67e11f1d44b85758f01b4905d64c4c49476c1db5 Mon Sep 17 00:00:00 2001
+From: Kazuki Yamaguchi
+Date: Mon, 22 Aug 2016 02:36:36 +0900
+Subject: [PATCH] Fix overflow check in BN_bn2dec()
+
+Fix an off by one error in the overflow check added by 07bed46f332fc
+("Check for errors in BN_bn2dec()").
+
+Reviewed-by: Stephen Henson
+Reviewed-by: Matt Caswell
+(cherry picked from commit 099e2968ed3c7d256cda048995626664082b1b30)
+---
+ crypto/bn/bn_print.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
+index b44403e..a9ff271 100644
+--- a/crypto/bn/bn_print.c
++++ b/crypto/bn/bn_print.c
+@@ -141,14 +141,13 @@ char *BN_bn2dec(const BIGNUM *a)
+ if (BN_is_negative(t))
+ *p++ = '-';
+
+- i = 0;
+ while (!BN_is_zero(t)) {
++ if (lp - bn_data >= bn_data_num)
++ goto err;
+ *lp = BN_div_word(t, BN_DEC_CONV);
+ if (*lp == (BN_ULONG)-1)
+ goto err;
+ lp++;
+- if (lp - bn_data >= bn_data_num)
+- goto err;
+ }
+ lp--;
+ /*
+--
+1.9.1
+
diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-2182.patch openssl-1.0.2g/debian/patches/CVE-2016-2182.patch
--- openssl-1.0.2g/debian/patches/CVE-2016-2182.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2016-2182.patch 2016-09-22 12:13:32.000000000 +0000
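Review bot: The hunk context in `BN_bn2dec` (`bn_data_num` and the `BN_div_word` error check) only exists once CVE-2016-2182.patch has been applied, so this file must come after that one in `debian/patches/series`; the series file is not part of this diff, so the ordering should be confirmed. Moving the `lp - bn_data >= bn_data_num` test ahead of the store is the right shape for the fix, and a one-line comment would keep it from being "optimised" back, e.g. `/* bounds check before the store: bn_data holds bn_data_num words */`.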
@@ -0,0 +1,65 @@ +From e36f27ddb80a48e579783bc29fb3758988342b71 Mon Sep 17 00:00:00 2001 +From: "Dr. Stephen Henson" +Date: Fri, 5 Aug 2016 14:26:03 +0100 +Subject: [PATCH] Check for errors in BN_bn2dec() + +If an oversize BIGNUM is presented to BN_bn2dec() it can cause +BN_div_word() to fail and not reduce the value of 't' resulting +in OOB writes to the bn_data buffer and eventually crashing. + +Fix by checking return value of BN_div_word() and checking writes +don't overflow buffer. + +Thanks to Shi Lei for reporting this bug. + +CVE-2016-2182 + +Reviewed-by: Tim Hudson +(cherry picked from commit 07bed46f332fce8c1d157689a2cdf915a982ae34) + +Conflicts: + crypto/bn/bn_print.c +--- + crypto/bn/bn_print.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c +index bfa31ef..b44403e 100644 +--- a/crypto/bn/bn_print.c ++++ b/crypto/bn/bn_print.c +@@ -111,6 +111,7 @@ char *BN_bn2dec(const BIGNUM *a) + char *p; + BIGNUM *t = NULL; + BN_ULONG *bn_data = NULL, *lp; ++ int bn_data_num; + + /*- + * get an upper bound for the length of the decimal integer +@@ -120,9 +121,9 @@ char *BN_bn2dec(const BIGNUM *a) + */ + i = BN_num_bits(a) * 3; + num = (i / 10 + i / 1000 + 1) + 1; +- bn_data = +- (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG)); +- buf = (char *)OPENSSL_malloc(num + 3); ++ bn_data_num = num / BN_DEC_NUM + 1; ++ bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG)); ++ buf = OPENSSL_malloc(num + 3); + if ((buf == NULL) || (bn_data == NULL)) { + BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE); + goto err; +@@ -143,7 +144,11 @@ char *BN_bn2dec(const BIGNUM *a) + i = 0; + while (!BN_is_zero(t)) { + *lp = BN_div_word(t, BN_DEC_CONV); ++ if (*lp == (BN_ULONG)-1) ++ goto err; + lp++; ++ if (lp - bn_data >= bn_data_num) ++ goto err; + } + lp--; + /* +-- +1.9.1 + diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-2183.patch openssl-1.0.2g/debian/patches/CVE-2016-2183.patch --- 
openssl-1.0.2g/debian/patches/CVE-2016-2183.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2016-2183.patch 2016-09-22 12:16:52.000000000 +0000 
@@ -0,0 +1,174 @@ +Backport of: + +From 0fff5065884d5ac61123a604bbcee30a53c808ff Mon Sep 17 00:00:00 2001 +From: Rich Salz +Date: Thu, 18 Aug 2016 09:26:52 -0400 +Subject: [PATCH] SWEET32 (CVE-2016-2183): Move DES from HIGH to MEDIUM +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Viktor Dukhovni +Reviewed-by: Emilia Käsper +--- + CHANGES | 4 ++++ + ssl/s3_lib.c | 34 +++++++++++++++++----------------- + 2 files changed, 21 insertions(+), 17 deletions(-) + +Index: openssl-1.0.2g/ssl/s3_lib.c +=================================================================== +--- openssl-1.0.2g.orig/ssl/s3_lib.c 2016-09-22 08:13:43.947948389 -0400 ++++ openssl-1.0.2g/ssl/s3_lib.c 2016-09-22 08:16:27.957870534 -0400 +@@ -329,7 +329,7 @@ + SSL_3DES, + SSL_SHA1, + SSL_SSLV3, +- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, ++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 112, + 168, +@@ -382,7 +382,7 @@ + SSL_3DES, + SSL_SHA1, + SSL_SSLV3, +- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, ++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 112, + 168, +@@ -434,7 +434,7 @@ + SSL_3DES, + SSL_SHA1, + SSL_SSLV3, +- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, ++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 112, + 168, +@@ -487,7 +487,7 @@ + SSL_3DES, + SSL_SHA1, + SSL_SSLV3, +- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, ++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 112, + 168, +@@ -539,7 +539,7 @@ + SSL_3DES, + SSL_SHA1, + SSL_SSLV3, +- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, ++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 112, + 168, +@@ -625,7 +625,7 @@ + SSL_3DES, + SSL_SHA1, + SSL_SSLV3, +- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, ++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 112, + 168, +@@ -712,7 +712,7 @@ + SSL_3DES, + SSL_SHA1, + SSL_SSLV3, +- SSL_NOT_EXP | SSL_HIGH | 
SSL_FIPS, ++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 112, + 168, +@@ -778,7 +778,7 @@ + SSL_3DES, + SSL_MD5, + SSL_SSLV3, +- SSL_NOT_EXP | SSL_HIGH, ++ SSL_NOT_EXP | SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 112, + 168, +@@ -1728,7 +1728,7 @@ + SSL_3DES, + SSL_SHA1, + SSL_TLSV1, +- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, ++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 112, + 168, +@@ -2120,7 +2120,7 @@ + SSL_3DES, + SSL_SHA1, + SSL_TLSV1, +- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, ++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 112, + 168, +@@ -2200,7 +2200,7 @@ + SSL_3DES, + SSL_SHA1, + SSL_TLSV1, +- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, ++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 112, + 168, +@@ -2280,7 +2280,7 @@ + SSL_3DES, + SSL_SHA1, + SSL_TLSV1, +- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, ++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 112, + 168, +@@ -2360,7 +2360,7 @@ + SSL_3DES, + SSL_SHA1, + SSL_TLSV1, +- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, ++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 112, + 168, +@@ -2440,7 +2440,7 @@ + SSL_3DES, + SSL_SHA1, + SSL_TLSV1, +- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, ++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 112, + 168, +@@ -2490,7 +2490,7 @@ + SSL_3DES, + SSL_SHA1, + SSL_TLSV1, +- SSL_NOT_EXP | SSL_HIGH, ++ SSL_NOT_EXP | SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 112, + 168, +@@ -2506,7 +2506,7 @@ + SSL_3DES, + SSL_SHA1, + SSL_TLSV1, +- SSL_NOT_EXP | SSL_HIGH, ++ SSL_NOT_EXP | SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 112, + 168, +@@ -2522,7 +2522,7 @@ + SSL_3DES, + SSL_SHA1, + SSL_TLSV1, +- SSL_NOT_EXP | SSL_HIGH, ++ SSL_NOT_EXP | SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, + 112, + 168, diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-6302.patch 
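Review bot: Demoting the 3DES suites from `SSL_HIGH` to `SSL_MEDIUM` in `s3_lib.c` changes only their cipher-string classification; with a default cipher list that still admits MEDIUM these suites remain negotiable, so the operational SWEET32 mitigation for a deployment is still an explicit exclusion such as `!3DES` in the configured cipher string, which this patch header should say. The diffstat retained from upstream lists `CHANGES | 4 ++++`, but the backport carries only the `s3_lib.c` hunks, so either drop that line from the diffstat or note the omission under `Backport of:` so the header matches what the patch applies.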
openssl-1.0.2g/debian/patches/CVE-2016-6302.patch --- openssl-1.0.2g/debian/patches/CVE-2016-6302.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2016-6302.patch 2016-09-22 12:17:11.000000000 +0000 
@@ -0,0 +1,48 @@
+From baaabfd8fdcec04a691695fad9a664bea43202b6 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson"
+Date: Tue, 23 Aug 2016 18:14:54 +0100
+Subject: [PATCH] Sanity check ticket length.
+
+If a ticket callback changes the HMAC digest to SHA512 the existing
+sanity checks are not sufficient and an attacker could perform a DoS
+attack with a malformed ticket. Add additional checks based on
+HMAC size.
+
+Thanks to Shi Lei for reporting this bug.
+
+CVE-2016-6302
+
+Reviewed-by: Rich Salz
+---
+ ssl/t1_lib.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+Index: openssl-1.0.2g/ssl/t1_lib.c
+===================================================================
+--- openssl-1.0.2g.orig/ssl/t1_lib.c 2016-09-22 08:17:08.254345045 -0400
++++ openssl-1.0.2g/ssl/t1_lib.c 2016-09-22 08:17:08.250344999 -0400
+@@ -3367,9 +3367,7 @@
+ HMAC_CTX hctx;
+ EVP_CIPHER_CTX ctx;
+ SSL_CTX *tctx = s->initial_ctx;
+- /* Need at least keyname + iv + some encrypted data */
+- if (eticklen < 48)
+- return 2;
++
+ /* Initialize session ticket encryption and HMAC contexts */
+ HMAC_CTX_init(&hctx);
+ EVP_CIPHER_CTX_init(&ctx);
+@@ -3403,6 +3401,13 @@
+ if (mlen < 0) {
+ goto err;
+ }
++ /* Sanity check ticket length: must exceed keyname + IV + HMAC */
++ if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) {
++ HMAC_CTX_cleanup(&hctx);
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ return 2;
++ }
++
+ eticklen -= mlen;
+ /* Check HMAC of encrypted ticket */
+ if (HMAC_Update(&hctx, etick, eticklen) <= 0
diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-6303.patch openssl-1.0.2g/debian/patches/CVE-2016-6303.patch
--- openssl-1.0.2g/debian/patches/CVE-2016-6303.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2016-6303.patch 2016-09-22 12:17:15.000000000 +0000
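Review bot: Removing the up-front `eticklen < 48` test leaves no minimum-length check before the key name is compared and the IV at `etick + 16` is handed to the cipher init; that code lies between the two hunks and is not visible here, but if it still dereferences those 32 bytes unconditionally, a ticket shorter than that is read out of bounds before the new `16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen` check is reached. Keep a minimal guard ahead of the context initialisation, `/* Need at least keyname + iv */ if (eticklen < 16 + EVP_MAX_IV_LENGTH) return 2;`, and let the new HMAC-aware check cover the rest. The new early-return path does clean up both contexts, which is correct. The enclosing function (`tls_decrypt_ticket`, judging by the variable names) begins and ends outside the hunk.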
@@ -0,0 +1,31 @@
+From 1027ad4f34c30b8585592764b9a670ba36888269 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson"
+Date: Fri, 19 Aug 2016 23:28:29 +0100
+Subject: [PATCH] Avoid overflow in MDC2_Update()
+
+Thanks to Shi Lei for reporting this issue.
+
+CVE-2016-6303
+
+Reviewed-by: Matt Caswell
+(cherry picked from commit 55d83bf7c10c7b205fffa23fa7c3977491e56c07)
+---
+ crypto/mdc2/mdc2dgst.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/mdc2/mdc2dgst.c b/crypto/mdc2/mdc2dgst.c
+index 6615cf8..2dce493 100644
+--- a/crypto/mdc2/mdc2dgst.c
++++ b/crypto/mdc2/mdc2dgst.c
+@@ -91,7 +91,7 @@ int MDC2_Update(MDC2_CTX *c, const unsigned char *in, size_t len)
+
+ i = c->num;
+ if (i != 0) {
+- if (i + len < MDC2_BLOCK) {
++ if (len < MDC2_BLOCK - i) {
+ /* partial block */
+ memcpy(&(c->data[i]), in, len);
+ c->num += (int)len;
+--
+1.9.1
+
diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-6304.patch openssl-1.0.2g/debian/patches/CVE-2016-6304.patch
--- openssl-1.0.2g/debian/patches/CVE-2016-6304.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2016-6304.patch 2016-09-22 12:17:23.000000000 +0000
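Review bot: The rewritten condition `len < MDC2_BLOCK - i` avoids the wrap that the sum `i + len` could suffer for a very large `len`, but nothing at the site says why the comparison was turned around, and `MDC2_BLOCK - i` is only a safe right-hand side because `i` is below `MDC2_BLOCK` in this branch (presumably guaranteed by how `c->num` is maintained; not visible here). Suggest `/* compare against the room left in the block rather than computing i + len, which can wrap for huge len; 0 < i < MDC2_BLOCK here */` on the changed line. `MDC2_Update` continues outside the hunk.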
@@ -0,0 +1,67 @@ +From ea39b16b71e4e72a228a4535bd6d6a02c5edbc1f Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 9 Sep 2016 10:08:45 +0100 +Subject: [PATCH] Fix OCSP Status Request extension unbounded memory growth + +A malicious client can send an excessively large OCSP Status Request +extension. If that client continually requests renegotiation, +sending a large OCSP Status Request extension each time, then there will +be unbounded memory growth on the server. This will eventually lead to a +Denial Of Service attack through memory exhaustion. Servers with a +default configuration are vulnerable even if they do not support OCSP. +Builds using the "no-ocsp" build time option are not affected. + +I have also checked other extensions to see if they suffer from a similar +problem but I could not find any other issues. + +CVE-2016-6304 + +Issue reported by Shi Lei. + +Reviewed-by: Rich Salz +--- + ssl/t1_lib.c | 24 +++++++++++++++++------- + 1 file changed, 17 insertions(+), 7 deletions(-) + +Index: openssl-1.0.2g/ssl/t1_lib.c +=================================================================== +--- openssl-1.0.2g.orig/ssl/t1_lib.c 2016-09-22 08:17:21.226497629 -0400 ++++ openssl-1.0.2g/ssl/t1_lib.c 2016-09-22 08:17:21.222497582 -0400 +@@ -2282,6 +2282,23 @@ + size -= 2; + if (dsize > size) + goto err; ++ ++ /* ++ * We remove any OCSP_RESPIDs from a previous handshake ++ * to prevent unbounded memory growth - CVE-2016-6304 ++ */ ++ sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, ++ OCSP_RESPID_free); ++ if (dsize > 0) { ++ s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); ++ if (s->tlsext_ocsp_ids == NULL) { ++ *al = SSL_AD_INTERNAL_ERROR; ++ return 0; ++ } ++ } else { ++ s->tlsext_ocsp_ids = NULL; ++ } ++ + while (dsize > 0) { + OCSP_RESPID *id; + int idsize; +@@ -2301,13 +2318,6 @@ + OCSP_RESPID_free(id); + goto err; + } +- if (!s->tlsext_ocsp_ids +- && !(s->tlsext_ocsp_ids = +- sk_OCSP_RESPID_new_null())) { +- OCSP_RESPID_free(id); +- *al = SSL_AD_INTERNAL_ERROR; 
+- return 0; +- } + if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { + OCSP_RESPID_free(id); + *al = SSL_AD_INTERNAL_ERROR; diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-6306-1.patch openssl-1.0.2g/debian/patches/CVE-2016-6306-1.patch --- openssl-1.0.2g/debian/patches/CVE-2016-6306-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2016-6306-1.patch 2016-09-22 12:17:31.000000000 +0000 
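Review bot: The new block frees `s->tlsext_ocsp_ids` and reallocates it only when `dsize > 0`, which addresses the per-renegotiation growth, but the `while` loop that follows still leaves via `goto err` on a malformed id, so a fresh, possibly empty, stack stays owned by `s` until the next handshake or `SSL_free`; that is harmless but reads like a leak without a note, e.g. `/* from here the stack is owned by s; err paths leave it for the next handshake or SSL_free to release */` after the `if/else`. The request_extensions list parsed after this loop (`s->tlsext_ocsp_exts`, outside the hunk) should be confirmed to follow the same free-before-reassign discipline, since the commit message says the other extensions were only inspected, not changed. The enclosing function extends beyond the hunk.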
@@ -0,0 +1,66 @@ +From ff553f837172ecb2b5c8eca257ec3c5619a4b299 Mon Sep 17 00:00:00 2001 +From: "Dr. Stephen Henson" +Date: Sat, 17 Sep 2016 12:36:58 +0100 +Subject: [PATCH] Fix small OOB reads. + +In ssl3_get_client_certificate, ssl3_get_server_certificate and +ssl3_get_certificate_request check we have enough room +before reading a length. + +Thanks to Shi Lei (Gear Team, Qihoo 360 Inc.) for reporting these bugs. + +CVE-2016-6306 + +Reviewed-by: Richard Levitte +Reviewed-by: Matt Caswell +--- + ssl/s3_clnt.c | 11 +++++++++++ + ssl/s3_srvr.c | 6 ++++++ + 2 files changed, 17 insertions(+) + +Index: openssl-1.0.2g/ssl/s3_clnt.c +=================================================================== +--- openssl-1.0.2g.orig/ssl/s3_clnt.c 2016-09-22 08:17:29.414593899 -0400 ++++ openssl-1.0.2g/ssl/s3_clnt.c 2016-09-22 08:17:29.410593851 -0400 +@@ -1216,6 +1216,12 @@ + goto f_err; + } + for (nc = 0; nc < llen;) { ++ if (nc + 3 > llen) { ++ al = SSL_AD_DECODE_ERROR; ++ SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ++ SSL_R_CERT_LENGTH_MISMATCH); ++ goto f_err; ++ } + n2l3(p, l); + if ((l + nc + 3) > llen) { + al = SSL_AD_DECODE_ERROR; +@@ -2167,6 +2173,11 @@ + } + + for (nc = 0; nc < llen;) { ++ if (nc + 2 > llen) { ++ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); ++ SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG); ++ goto err; ++ } + n2s(p, l); + if ((l + nc + 2) > llen) { + if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) +Index: openssl-1.0.2g/ssl/s3_srvr.c +=================================================================== +--- openssl-1.0.2g.orig/ssl/s3_srvr.c 2016-09-22 08:17:29.414593899 -0400 ++++ openssl-1.0.2g/ssl/s3_srvr.c 2016-09-22 08:17:29.410593851 -0400 +@@ -3213,6 +3213,12 @@ + goto f_err; + } + for (nc = 0; nc < llen;) { ++ if (nc + 3 > llen) { ++ al = SSL_AD_DECODE_ERROR; ++ SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ++ SSL_R_CERT_LENGTH_MISMATCH); ++ goto f_err; ++ } + n2l3(p, l); + if ((l + nc + 3) > llen) { + al = 
SSL_AD_DECODE_ERROR; diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-6306-2.patch openssl-1.0.2g/debian/patches/CVE-2016-6306-2.patch --- openssl-1.0.2g/debian/patches/CVE-2016-6306-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2016-6306-2.patch 2016-09-22 12:22:09.000000000 +0000 
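Review bot: Each new guard (`nc + 3 > llen` in the two certificate-list loops, `nc + 2 > llen` in the CA-DN loop) is needed because `n2l3`/`n2s` read their bytes unconditionally and the existing check after them only bounds `l`, not the length prefix itself; a one-line comment at each site would make that visible, e.g. `/* n2l3 below reads 3 bytes unconditionally: they must lie within llen */`. The CA-DN guard in `ssl3_get_certificate_request` sends the alert directly and uses `goto err`, while the certificate guards set `al` and `goto f_err`; that follows each function's existing error path, so the inconsistency is inherited rather than introduced. All three loops extend beyond the hunk.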
@@ -0,0 +1,52 @@ +Backport of: + +From 006a788c84e541c8920dd2ad85fb62b52185c519 Mon Sep 17 00:00:00 2001 +From: "Dr. Stephen Henson" +Date: Wed, 21 Sep 2016 13:26:01 +0100 +Subject: [PATCH] Make message buffer slightly larger than message. + +Grow TLS/DTLS 16 bytes more than strictly necessary as a precaution against +OOB reads. In most cases this will have no effect because the message buffer +will be large enough already. + +Reviewed-by: Matt Caswell +--- + ssl/d1_both.c | 5 ++++- + ssl/s3_both.c | 6 +++++- + 2 files changed, 9 insertions(+), 2 deletions(-) + +Index: openssl-1.0.2g/ssl/d1_both.c +=================================================================== +--- openssl-1.0.2g.orig/ssl/d1_both.c 2016-09-22 08:17:38.670702686 -0400 ++++ openssl-1.0.2g/ssl/d1_both.c 2016-09-22 08:17:38.666702640 -0400 +@@ -581,9 +581,12 @@ + /* + * msg_len is limited to 2^24, but is effectively checked against max + * above ++ * ++ * Make buffer slightly larger than message length as a precaution ++ * against small OOB reads e.g. CVE-2016-6306 + */ + if (!BUF_MEM_grow_clean +- (s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) { ++ (s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH + 16)) { + SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB); + return SSL_AD_INTERNAL_ERROR; + } +Index: openssl-1.0.2g/ssl/s3_both.c +=================================================================== +--- openssl-1.0.2g.orig/ssl/s3_both.c 2016-09-22 08:17:38.670702686 -0400 ++++ openssl-1.0.2g/ssl/s3_both.c 2016-09-22 08:21:30.269412365 -0400 +@@ -420,7 +420,11 @@ + SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_EXCESSIVE_MESSAGE_SIZE); + goto f_err; + } +- if (l && !BUF_MEM_grow_clean(s->init_buf, (int)l + 4)) { ++ /* ++ * Make buffer slightly larger than message length as a precaution ++ * against small OOB reads e.g. 
CVE-2016-6306 ++ */ ++ if (l && !BUF_MEM_grow_clean(s->init_buf, (int)l + 4 + 16)) { + SSLerr(SSL_F_SSL3_GET_MESSAGE, ERR_R_BUF_LIB); + goto err; + } diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-7055.patch openssl-1.0.2g/debian/patches/CVE-2016-7055.patch --- openssl-1.0.2g/debian/patches/CVE-2016-7055.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2016-7055.patch 2017-01-30 15:30:38.000000000 +0000 @@ -0,0 +1,36 @@ +From 57c4b9f6a2f800b41ce2836986fe33640f6c3f8a Mon Sep 17 00:00:00 2001 +From: Andy Polyakov +Date: Sun, 6 Nov 2016 18:33:17 +0100 +Subject: [PATCH] bn/asm/x86_64-mont.pl: fix for CVE-2016-7055 (Low severity). + +Reviewed-by: Rich Salz +(cherry picked from commit 2fac86d9abeaa643677d1ffd0a139239fdf9406a) +--- + crypto/bn/asm/x86_64-mont.pl | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +Index: openssl-1.0.2g/crypto/bn/asm/x86_64-mont.pl +=================================================================== +--- openssl-1.0.2g.orig/crypto/bn/asm/x86_64-mont.pl 2017-01-30 08:57:54.325146408 -0500 ++++ openssl-1.0.2g/crypto/bn/asm/x86_64-mont.pl 2017-01-30 08:57:54.321146356 -0500 +@@ -1073,18 +1073,17 @@ + mulx 2*8($aptr),%r15,%r13 # ... + adox -3*8($tptr),%r11 + adcx %r15,%r12 +- adox $zero,%r12 ++ adox -2*8($tptr),%r12 + adcx $zero,%r13 ++ adox $zero,%r13 + + mov $bptr,8(%rsp) # off-load &b[i] +- .byte 0x67 + mov $mi,%r15 + imulq 24(%rsp),$mi # "t[0]"*n0 + xor %ebp,%ebp # xor $zero,$zero # cf=0, of=0 + + mulx 3*8($aptr),%rax,%r14 + mov $mi,%rdx +- adox -2*8($tptr),%r12 + adcx %rax,%r13 + adox -1*8($tptr),%r13 + adcx $zero,%r14 diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-8610-2.patch openssl-1.0.2g/debian/patches/CVE-2016-8610-2.patch --- openssl-1.0.2g/debian/patches/CVE-2016-8610-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2016-8610-2.patch 2017-01-30 15:30:56.000000000 +0000 
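Review bot: The 16-byte slack added to `BUF_MEM_grow_clean` appears as a bare literal in both `dtls1_preprocess_fragment` and `ssl3_get_message` with the same justification comment; a single named constant (a macro in `ssl_locl.h`, name to be chosen by the maintainer) would keep the two sites from drifting and give the CVE reference one home. In `ssl3_get_message` the `(int)l + 4 + 16` arithmetic relies on the `SSL_R_EXCESSIVE_MESSAGE_SIZE` check immediately above it bounding `l`, which the visible context shows, so the addition cannot overflow there. Both functions continue outside the hunk.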
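Review bot: The patch header for `x86_64-mont.pl` says only `fix for CVE-2016-7055 (Low severity)`; for an assembly change that moves an `adox -2*8($tptr),%r12` earlier and adds `adox $zero,%r13`, the `debian/patches` header should state what was wrong and which code path is affected, otherwise nobody can later judge whether a deployment was exposed. From the advisory this appears to be a carry-propagation error in the mulx/adox/adcx Montgomery multiplication path for inputs longer than 256 bits; confirm against the upstream advisory and add a sentence to that effect under `Subject:`. The removed `.byte 0x67` looks like an alignment/padding prefix, and its removal alongside the carry fix deserves one line of explanation as well.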
@@ -0,0 +1,47 @@ +From f1185392189641014dca94f3fe7834bccb5f4c16 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 2 Nov 2016 22:26:17 +0000 +Subject: [PATCH] Fail if an unrecognised record type is received +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +TLS1.0 and TLS1.1 say you SHOULD ignore unrecognised record types, but +TLS 1.2 says you MUST send an unexpected message alert. We swap to the +TLS 1.2 behaviour for all protocol versions to prevent issues where no +progress is being made and the peer continually sends unrecognised record +types, using up resources processing them. + +Issue reported by 郭志攀 + +Reviewed-by: Tim Hudson +--- + ssl/s3_pkt.c | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +Index: openssl-1.0.2g/ssl/s3_pkt.c +=================================================================== +--- openssl-1.0.2g.orig/ssl/s3_pkt.c 2017-01-30 09:06:44.567907227 -0500 ++++ openssl-1.0.2g/ssl/s3_pkt.c 2017-01-30 09:06:44.563907176 -0500 +@@ -1593,16 +1593,13 @@ + + switch (rr->type) { + default: +-#ifndef OPENSSL_NO_TLS + /* +- * TLS up to v1.1 just ignores unknown message types: TLS v1.2 give +- * an unexpected message alert. ++ * TLS 1.0 and 1.1 say you SHOULD ignore unrecognised record types, but ++ * TLS 1.2 says you MUST send an unexpected message alert. We use the ++ * TLS 1.2 behaviour for all protocol versions to prevent issues where ++ * no progress is being made and the peer continually sends unrecognised ++ * record types, using up resources processing them. 
+ */ +- if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION) { +- rr->length = 0; +- goto start; +- } +-#endif + al = SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD); + goto f_err; diff -Nru openssl-1.0.2g/debian/patches/CVE-2016-8610.patch openssl-1.0.2g/debian/patches/CVE-2016-8610.patch --- openssl-1.0.2g/debian/patches/CVE-2016-8610.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2016-8610.patch 2017-01-30 15:30:50.000000000 +0000 
@@ -0,0 +1,121 @@ +Backport of: + +From 22646a075e75991b4e8f5d67171e45a6aead5b48 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 21 Sep 2016 14:48:16 +0100 +Subject: [PATCH] Don't allow too many consecutive warning alerts + +Certain warning alerts are ignored if they are received. This can mean that +no progress will be made if one peer continually sends those warning alerts. +Implement a count so that we abort the connection if we receive too many. + +Issue reported by Shi Lei. + +Reviewed-by: Rich Salz +--- + ssl/d1_pkt.c | 15 +++++++++++++++ + ssl/s3_pkt.c | 15 +++++++++++++++ + ssl/ssl.h | 1 + + ssl/ssl_locl.h | 4 ++++ + 4 files changed, 35 insertions(+) + +Index: openssl-1.0.2g/ssl/d1_pkt.c +=================================================================== +--- openssl-1.0.2g.orig/ssl/d1_pkt.c 2017-01-30 08:58:09.497340570 -0500 ++++ openssl-1.0.2g/ssl/d1_pkt.c 2017-01-30 08:58:09.493340519 -0500 +@@ -928,6 +928,13 @@ + goto start; + } + ++ /* ++ * Reset the count of consecutive warning alerts if we've got a non-empty ++ * record that isn't an alert. 
++ */ ++ if (rr->type != SSL3_RT_ALERT && rr->length != 0) ++ s->cert->alert_count = 0; ++ + /* we now have a packet which can be read and processed */ + + if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, +@@ -1194,6 +1201,14 @@ + + if (alert_level == SSL3_AL_WARNING) { + s->s3->warn_alert = alert_descr; ++ ++ s->cert->alert_count++; ++ if (s->cert->alert_count == MAX_WARN_ALERT_COUNT) { ++ al = SSL_AD_UNEXPECTED_MESSAGE; ++ SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS); ++ goto f_err; ++ } ++ + if (alert_descr == SSL_AD_CLOSE_NOTIFY) { + #ifndef OPENSSL_NO_SCTP + /* +Index: openssl-1.0.2g/ssl/s3_pkt.c +=================================================================== +--- openssl-1.0.2g.orig/ssl/s3_pkt.c 2017-01-30 08:58:09.497340570 -0500 ++++ openssl-1.0.2g/ssl/s3_pkt.c 2017-01-30 08:58:09.493340519 -0500 +@@ -1229,6 +1229,13 @@ + return (ret); + } + ++ /* ++ * Reset the count of consecutive warning alerts if we've got a non-empty ++ * record that isn't an alert. 
++ */ ++ if (rr->type != SSL3_RT_ALERT && rr->length != 0) ++ s->cert->alert_count = 0; ++ + /* we now have a packet which can be read and processed */ + + if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, +@@ -1443,6 +1450,14 @@ + + if (alert_level == SSL3_AL_WARNING) { + s->s3->warn_alert = alert_descr; ++ ++ s->cert->alert_count++; ++ if (s->cert->alert_count == MAX_WARN_ALERT_COUNT) { ++ al = SSL_AD_UNEXPECTED_MESSAGE; ++ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS); ++ goto f_err; ++ } ++ + if (alert_descr == SSL_AD_CLOSE_NOTIFY) { + s->shutdown |= SSL_RECEIVED_SHUTDOWN; + return (0); +Index: openssl-1.0.2g/ssl/ssl.h +=================================================================== +--- openssl-1.0.2g.orig/ssl/ssl.h 2017-01-30 08:58:09.497340570 -0500 ++++ openssl-1.0.2g/ssl/ssl.h 2017-01-30 08:58:09.493340519 -0500 +@@ -3115,6 +3115,7 @@ + # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157 + # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233 + # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234 ++# define SSL_R_TOO_MANY_WARN_ALERTS 409 + # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235 + # define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236 + # define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS 313 +Index: openssl-1.0.2g/ssl/ssl_locl.h +=================================================================== +--- openssl-1.0.2g.orig/ssl/ssl_locl.h 2017-01-30 08:58:09.497340570 -0500 ++++ openssl-1.0.2g/ssl/ssl_locl.h 2017-01-30 08:58:56.101936709 -0500 +@@ -584,6 +584,8 @@ + */ + # define SSL_EXT_FLAG_SENT 0x2 + ++# define MAX_WARN_ALERT_COUNT 5 ++ + typedef struct { + custom_ext_method *meths; + size_t meths_count; +@@ -687,6 +689,8 @@ + custom_ext_methods cli_ext; + custom_ext_methods srv_ext; + int references; /* >1 only if SSL_copy_session_id is used */ ++ /* Count of the number of consecutive warning alerts received */ ++ unsigned int alert_count; + } CERT; + + typedef struct sess_cert_st { diff -Nru 
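Review bot: The abort condition in both read paths (d1_pkt.c and s3_pkt.c) is `s->cert->alert_count == MAX_WARN_ALERT_COUNT`; `>=` would be the more defensive comparison, so that a counter that ever got past the limit through some other path still terminates the connection instead of counting upward indefinitely. The counter is reset only on a non-empty, non-alert record, which means a peer interleaving empty records with warning alerts is still caught; a short comment on the reset, `/* empty records deliberately do not reset the count */`, would make that intent explicit. Keeping a per-connection counter in `CERT` rather than in the SSL state looks like a layout-preservation choice for the 1.0.2 backport (CERT is declared in the internal ssl_locl.h); if so, the field comment should say that, e.g. `/* Count of consecutive warning alerts received; kept in CERT to avoid changing public struct layouts */`. The enclosing read functions start and end outside the hunk.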
openssl-1.0.2g/debian/patches/CVE-2017-3731.patch openssl-1.0.2g/debian/patches/CVE-2017-3731.patch --- openssl-1.0.2g/debian/patches/CVE-2017-3731.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2017-3731.patch 2017-01-30 15:31:03.000000000 +0000 @@ -0,0 +1,37 @@ +From 51d009043670a627d6abe66894126851cf3690e9 Mon Sep 17 00:00:00 2001 +From: Andy Polyakov +Date: Thu, 19 Jan 2017 00:17:30 +0100 +Subject: [PATCH] crypto/evp: harden RC4_MD5 cipher. +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Originally a crash in 32-bit build was reported CHACHA20-POLY1305 +cipher. The crash is triggered by truncated packet and is result +of excessive hashing to the edge of accessible memory (or bogus +MAC value is produced if x86 MD5 assembly module is involved). Since +hash operation is read-only it is not considered to be exploitable +beyond a DoS condition. + +Thanks to Robert Święcki for report. + +CVE-2017-3731 + +Reviewed-by: Rich Salz +--- + crypto/evp/e_rc4_hmac_md5.c | 2 ++ + 1 file changed, 2 insertions(+) + +Index: openssl-1.0.2g/crypto/evp/e_rc4_hmac_md5.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/evp/e_rc4_hmac_md5.c 2017-01-30 09:00:24.447065656 -0500 ++++ openssl-1.0.2g/crypto/evp/e_rc4_hmac_md5.c 2017-01-30 09:00:24.443065605 -0500 +@@ -267,6 +267,8 @@ + len = p[arg - 2] << 8 | p[arg - 1]; + + if (!ctx->encrypt) { ++ if (len < MD5_DIGEST_LENGTH) ++ return -1; + len -= MD5_DIGEST_LENGTH; + p[arg - 2] = len >> 8; + p[arg - 1] = len; diff -Nru openssl-1.0.2g/debian/patches/CVE-2017-3732.patch openssl-1.0.2g/debian/patches/CVE-2017-3732.patch --- openssl-1.0.2g/debian/patches/CVE-2017-3732.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2017-3732.patch 2017-01-30 15:31:07.000000000 +0000 
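Review bot: The added guard `if (len < MD5_DIGEST_LENGTH) return -1;` rejects a record whose declared payload is shorter than the MAC before `len -= MD5_DIGEST_LENGTH` runs; if `len` is unsigned (its declaration is outside the hunk) that subtraction would otherwise wrap to a huge value, and the length is reconstructed from the peer-supplied header bytes `p[arg - 2]` and `p[arg - 1]`. A comment such as `/* len comes from the peer's record header; reject it before the subtraction can underflow */` would record why the check sits exactly here. The other stitched cipher implementations in crypto/evp that parse the same length field (e.g. e_aes_cbc_hmac_sha1.c) should be confirmed to carry an equivalent check. The enclosing ctrl function starts and ends outside the hunk.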
@@ -0,0 +1,67 @@ +From 760d04342a495ee86bf5adc71a91d126af64397f Mon Sep 17 00:00:00 2001 +From: Andy Polyakov +Date: Sat, 21 Jan 2017 21:30:49 +0100 +Subject: [PATCH] bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqr8x_internal. + +CVE-2017-3732 + +Reviewed-by: Rich Salz +--- + crypto/bn/asm/x86_64-mont5.pl | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +Index: openssl-1.0.2g/crypto/bn/asm/x86_64-mont5.pl +=================================================================== +--- openssl-1.0.2g.orig/crypto/bn/asm/x86_64-mont5.pl 2017-01-30 09:00:37.207228597 -0500 ++++ openssl-1.0.2g/crypto/bn/asm/x86_64-mont5.pl 2017-01-30 09:00:37.203228545 -0500 +@@ -1866,6 +1866,7 @@ + + .align 32 + .L8x_tail_done: ++ xor %rax,%rax + add (%rdx),%r8 # can this overflow? + adc \$0,%r9 + adc \$0,%r10 +@@ -1873,10 +1874,8 @@ + adc \$0,%r12 + adc \$0,%r13 + adc \$0,%r14 +- adc \$0,%r15 # can't overflow, because we +- # started with "overhung" part +- # of multiplication +- xor %rax,%rax ++ adc \$0,%r15 ++ adc \$0,%rax + + neg $carry + .L8x_no_tail: +@@ -3262,6 +3261,7 @@ + + .align 32 + .Lsqrx8x_tail_done: ++ xor %rax,%rax + add 24+8(%rsp),%r8 # can this overflow? 
+ adc \$0,%r9 + adc \$0,%r10 +@@ -3269,10 +3269,8 @@ + adc \$0,%r12 + adc \$0,%r13 + adc \$0,%r14 +- adc \$0,%r15 # can't overflow, because we +- # started with "overhung" part +- # of multiplication +- mov $carry,%rax # xor %rax,%rax ++ adc \$0,%r15 ++ adc \$0,%rax + + sub 16+8(%rsp),$carry # mov 16(%rsp),%cf + .Lsqrx8x_no_tail: # %cf is 0 if jumped here +@@ -3287,7 +3285,7 @@ + adc 8*5($tptr),%r13 + adc 8*6($tptr),%r14 + adc 8*7($tptr),%r15 +- adc %rax,%rax # top-most carry ++ adc \$0,%rax # top-most carry + + mov 32+8(%rsp),%rbx # n0 + mov 8*8($tptr,%rcx),%rdx # modulo-scheduled "%r8" diff -Nru openssl-1.0.2g/debian/patches/CVE-2017-3735.patch openssl-1.0.2g/debian/patches/CVE-2017-3735.patch --- openssl-1.0.2g/debian/patches/CVE-2017-3735.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2017-3735.patch 2017-11-02 15:28:38.000000000 +0000 
@@ -0,0 +1,39 @@ +From 31c8b265591a0aaa462a1f3eb5770661aaac67db Mon Sep 17 00:00:00 2001 +From: Rich Salz +Date: Tue, 22 Aug 2017 11:44:41 -0400 +Subject: [PATCH] Avoid out-of-bounds read + +Fixes CVE 2017-3735 + +Reviewed-by: Kurt Roeckx +(Merged from https://github.com/openssl/openssl/pull/4276) + +(cherry picked from commit b23171744b01e473ebbfd6edad70c1c3825ffbcd) +--- + crypto/x509v3/v3_addr.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/crypto/x509v3/v3_addr.c b/crypto/x509v3/v3_addr.c +index 1290dec..af080a0 100644 +--- a/crypto/x509v3/v3_addr.c ++++ b/crypto/x509v3/v3_addr.c +@@ -130,10 +130,12 @@ static int length_from_afi(const unsigned afi) + */ + unsigned int v3_addr_get_afi(const IPAddressFamily *f) + { +- return ((f != NULL && +- f->addressFamily != NULL && f->addressFamily->data != NULL) +- ? ((f->addressFamily->data[0] << 8) | (f->addressFamily->data[1])) +- : 0); ++ if (f == NULL ++ || f->addressFamily == NULL ++ || f->addressFamily->data == NULL ++ || f->addressFamily->length < 2) ++ return 0; ++ return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1]; + } + + /* +-- +2.7.4 + diff -Nru openssl-1.0.2g/debian/patches/CVE-2017-3736.patch openssl-1.0.2g/debian/patches/CVE-2017-3736.patch --- openssl-1.0.2g/debian/patches/CVE-2017-3736.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2017-3736.patch 2017-11-02 15:28:42.000000000 +0000 
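Review bot: `v3_addr_get_afi` now returns 0 for a NULL family, missing data or `length < 2`, but nothing above the definition records that 0 is the "missing or malformed" sentinel, so callers cannot tell the error return from a genuinely zero AFI; add `/* Returns the AFI of f, or 0 if the addressFamily field is absent or shorter than the 2-byte AFI; callers must treat 0 as invalid. */` above the signature. The length check is the whole fix here: the replaced ternary read `data[1]` without ever consulting `length`. The `<< 8` on the `unsigned char` operand is fine after integer promotion, so no extra cast is needed on the data bytes.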
@@ -0,0 +1,40 @@ +From 38d600147331d36e74174ebbd4008b63188b321b Mon Sep 17 00:00:00 2001 +From: Andy Polyakov +Date: Thu, 17 Aug 2017 21:08:57 +0200 +Subject: [PATCH] bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqrx8x_internal. + +Credit to OSS-Fuzz for finding this. + +CVE-2017-3736 + +Reviewed-by: Rich Salz +--- + crypto/bn/asm/x86_64-mont5.pl | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +Index: openssl-1.0.2g/crypto/bn/asm/x86_64-mont5.pl +=================================================================== +--- openssl-1.0.2g.orig/crypto/bn/asm/x86_64-mont5.pl 2017-11-02 11:22:37.839716578 -0400 ++++ openssl-1.0.2g/crypto/bn/asm/x86_64-mont5.pl 2017-11-02 11:22:37.839716578 -0400 +@@ -2977,11 +2977,19 @@ $code.=<<___; + + .align 32 + .Lsqrx8x_break: +- sub 16+8(%rsp),%r8 # consume last carry ++ xor $zero,$zero ++ sub 16+8(%rsp),%rbx # mov 16(%rsp),%cf ++ adcx $zero,%r8 + mov 24+8(%rsp),$carry # initial $tptr, borrow $carry ++ adcx $zero,%r9 + mov 0*8($aptr),%rdx # a[8], modulo-scheduled +- xor %ebp,%ebp # xor $zero,$zero ++ adc \$0,%r10 + mov %r8,0*8($tptr) ++ adc \$0,%r11 ++ adc \$0,%r12 ++ adc \$0,%r13 ++ adc \$0,%r14 ++ adc \$0,%r15 + cmp $carry,$tptr # cf=0, of=0 + je .Lsqrx8x_outer_loop + diff -Nru openssl-1.0.2g/debian/patches/CVE-2017-3737-1.patch openssl-1.0.2g/debian/patches/CVE-2017-3737-1.patch --- openssl-1.0.2g/debian/patches/CVE-2017-3737-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2017-3737-1.patch 2017-12-07 18:17:22.000000000 +0000 
@@ -0,0 +1,47 @@ +From 898fb884b706aaeb283de4812340bb0bde8476dc Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 29 Nov 2017 14:04:01 +0000 +Subject: [PATCH] Don't allow read/write after fatal error + +OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" +mechanism. The intent was that if a fatal error occurred during a handshake +then OpenSSL would move into the error state and would immediately fail if +you attempted to continue the handshake. This works as designed for the +explicit handshake functions (SSL_do_handshake(), SSL_accept() and +SSL_connect()), however due to a bug it does not work correctly if +SSL_read() or SSL_write() is called directly. In that scenario, if the +handshake fails then a fatal error will be returned in the initial function +call. If SSL_read()/SSL_write() is subsequently called by the application +for the same SSL object then it will succeed and the data is passed without +being decrypted/encrypted directly from the SSL/TLS record layer. + +In order to exploit this issue an attacker would have to trick an +application into behaving incorrectly by issuing an SSL_read()/SSL_write() +after having already received a fatal error. + +Thanks to David Benjamin (Google) for reporting this issue and suggesting +this fix. 
+ +CVE-2017-3737 + +Reviewed-by: Rich Salz +--- + ssl/ssl.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ssl/ssl.h b/ssl/ssl.h +index 90aeb0c..3cf96a2 100644 +--- a/ssl/ssl.h ++++ b/ssl/ssl.h +@@ -1727,7 +1727,7 @@ extern "C" { + # define SSL_ST_BEFORE 0x4000 + # define SSL_ST_OK 0x03 + # define SSL_ST_RENEGOTIATE (0x04|SSL_ST_INIT) +-# define SSL_ST_ERR 0x05 ++# define SSL_ST_ERR (0x05|SSL_ST_INIT) + + # define SSL_CB_LOOP 0x01 + # define SSL_CB_EXIT 0x02 +-- +2.7.4 + diff -Nru openssl-1.0.2g/debian/patches/CVE-2017-3737-2.patch openssl-1.0.2g/debian/patches/CVE-2017-3737-2.patch --- openssl-1.0.2g/debian/patches/CVE-2017-3737-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2017-3737-2.patch 2017-12-07 19:15:12.000000000 +0000 
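Review bot: The new definition `SSL_ST_ERR (0x05|SSL_ST_INIT)` carries no comment explaining why the init bit is folded in, and that bit is the entire fix: `SSL_in_init()` tests `SSL_ST_INIT`, so with it set an `SSL_read()`/`SSL_write()` on an object left in the error state re-enters the handshake path and fails there instead of passing application data straight to the record layer. Add `/* SSL_ST_INIT is included so SSL_in_init() is true in the error state and SSL_read()/SSL_write() refuse to proceed (CVE-2017-3737) */` beside the define. Because ssl.h is a public header, the numeric value of `SSL_ST_ERR` changes for any external code that compares against it; that is worth a line in the package changelog if it is not already mentioned.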
@@ -0,0 +1,242 @@ +Backport of: + +From c7383fb5f21aa3451f76bb98bdd5a96b070a2c47 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 29 Nov 2017 13:56:15 +0000 +Subject: [PATCH] Add a test for CVE-2017-3737 + +Test reading/writing to an SSL object after a fatal error has been +detected. + +Reviewed-by: Rich Salz +--- + ssl/Makefile | 3 +- + ssl/fatalerrtest.c | 109 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + test/Makefile | 35 +++++++++++++++-- + 3 files changed, 142 insertions(+), 5 deletions(-) + create mode 100644 ssl/fatalerrtest.c + +Index: openssl-1.0.2g/ssl/Makefile +=================================================================== +--- openssl-1.0.2g.orig/ssl/Makefile 2017-12-07 14:14:46.757872550 -0500 ++++ openssl-1.0.2g/ssl/Makefile 2017-12-07 14:14:46.757872550 -0500 +@@ -15,7 +15,8 @@ KRB5_INCLUDES= + CFLAGS= $(INCLUDES) $(CFLAG) + + GENERAL=Makefile README ssl-lib.com install.com +-TEST=ssltest.c heartbeat_test.c clienthellotest.c sslv2conftest.c ++TEST=ssltest.c heartbeat_test.c clienthellotest.c sslv2conftest.c \ ++ fatalerrtest.c + APPS= + + LIB=$(TOP)/libssl.a +Index: openssl-1.0.2g/ssl/fatalerrtest.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.0.2g/ssl/fatalerrtest.c 2017-12-07 14:14:46.757872550 -0500 +@@ -0,0 +1,109 @@ ++/* ++ * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. 
You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++#include "ssltestlib.h" ++ ++int main(int argc, char *argv[]) ++{ ++ SSL_CTX *sctx, *cctx; ++ SSL *sssl, *cssl; ++ const char *msg = "Dummy"; ++ BIO *err = NULL, *wbio = NULL; ++ int ret = 1, len; ++ char buf[80]; ++ unsigned char dummyrec[] = { ++ 0x17, 0x03, 0x03, 0x00, 0x05, 'D', 'u', 'm', 'm', 'y' ++ }; ++ ++ if (argc != 3) { ++ printf("Incorrect number of parameters\n"); ++ return 1; ++ } ++ ++ SSL_library_init(); ++ SSL_load_error_strings(); ++ err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT); ++ CRYPTO_malloc_debug_init(); ++ CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); ++ CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); ++ ++ if (!create_ssl_ctx_pair(SSLv23_method(), SSLv23_method(), &sctx, &cctx, ++ argv[1], argv[2])) { ++ printf("Failed to create SSL_CTX pair\n"); ++ goto err; ++ } ++ ++ /* ++ * Deliberately set the cipher lists for client and server to be different ++ * to force a handshake failure. 
++ */ ++ if (!SSL_CTX_set_cipher_list(sctx, "AES128-SHA") ++ || !SSL_CTX_set_cipher_list(cctx, "AES256-SHA")) { ++ printf("Failed to set cipher lists\n"); ++ goto err; ++ } ++ ++ if (!create_ssl_objects(sctx, cctx, &sssl, &cssl, NULL, NULL)) { ++ printf("Failed to create SSL objectx\n"); ++ goto err; ++ } ++ ++ wbio = SSL_get_wbio(cssl); ++ if (wbio == NULL) { ++ printf("Unexpected NULL bio received\n"); ++ goto err; ++ } ++ ++ if (create_ssl_connection(sssl, cssl)) { ++ printf("Unexpected success creating a connection\n"); ++ goto err; ++ } ++ ++ ERR_clear_error(); ++ ++ /* Inject a plaintext record from client to server */ ++ if (BIO_write(wbio, dummyrec, sizeof(dummyrec)) <= 0) { ++ printf("Unexpected failure injecting dummy record\n"); ++ goto err; ++ } ++ ++ /* SSL_read()/SSL_write should fail because of a previous fatal error */ ++ if ((len = SSL_read(sssl, buf, sizeof(buf - 1))) > 0) { ++ buf[len] = '\0'; ++ printf("Unexpected success reading data: %s\n", buf); ++ goto err; ++ } ++ if (SSL_write(sssl, msg, strlen(msg)) > 0) { ++ printf("Unexpected success writing data\n"); ++ goto err; ++ } ++ ++ ret = 0; ++ err: ++ SSL_free(sssl); ++ SSL_free(cssl); ++ SSL_CTX_free(sctx); ++ SSL_CTX_free(cctx); ++ ERR_print_errors_fp(stderr); ++ ++ if (ret) { ++ printf("Fatal err test: FAILED\n"); ++ } ++ ++ ERR_free_strings(); ++ ERR_remove_thread_state(NULL); ++ EVP_cleanup(); ++ CRYPTO_cleanup_all_ex_data(); ++ CRYPTO_mem_leaks(err); ++ BIO_free(err); ++ ++ return ret; ++} +Index: openssl-1.0.2g/test/Makefile +=================================================================== +--- openssl-1.0.2g.orig/test/Makefile 2017-12-07 14:14:46.757872550 -0500 ++++ openssl-1.0.2g/test/Makefile 2017-12-07 14:15:01.518055205 -0500 +@@ -71,6 +71,7 @@ CONSTTIMETEST= constant_time_test + VERIFYEXTRATEST= verify_extra_test + CLIENTHELLOTEST= clienthellotest + SSLV2CONFTEST = sslv2conftest ++FATALERRTEST = fatalerrtest + + TESTS= alltests + +@@ -84,7 +85,7 @@ EXE= $(BNTEST)$(EXE_EXT) 
$(ECTEST)$(EXE_ + $(EVPTEST)$(EXE_EXT) $(EVPEXTRATEST)$(EXE_EXT) $(IGETEST)$(EXE_EXT) $(JPAKETEST)$(EXE_EXT) $(SRPTEST)$(EXE_EXT) \ + $(ASN1TEST)$(EXE_EXT) $(V3NAMETEST)$(EXE_EXT) $(HEARTBEATTEST)$(EXE_EXT) \ + $(CONSTTIMETEST)$(EXE_EXT) $(VERIFYEXTRATEST)$(EXE_EXT) \ +- $(CLIENTHELLOTEST)$(EXE_EXT) $(SSLV2CONFTEST)$(EXE_EXT) ++ $(CLIENTHELLOTEST)$(EXE_EXT) $(SSLV2CONFTEST)$(EXE_EXT) $(FATALERRTEST)$(EXE_EXT) + + # $(METHTEST)$(EXE_EXT) + +@@ -98,7 +99,7 @@ OBJ= $(BNTEST).o $(ECTEST).o $(ECDSATES + $(BFTEST).o $(SSLTEST).o $(DSATEST).o $(EXPTEST).o $(RSATEST).o \ + $(EVPTEST).o $(EVPEXTRATEST).o $(IGETEST).o $(JPAKETEST).o $(ASN1TEST).o $(V3NAMETEST).o \ + $(HEARTBEATTEST).o $(CONSTTIMETEST).o $(VERIFYEXTRATEST).o \ +- $(CLIENTHELLOTEST).o $(SSLV2CONFTEST).o ssltestlib.o ++ $(CLIENTHELLOTEST).o $(SSLV2CONFTEST).o ssltestlib.o $(FATALERRTEST).o + + SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \ + $(MD2TEST).c $(MD4TEST).c $(MD5TEST).c \ +@@ -109,7 +110,7 @@ SRC= $(BNTEST).c $(ECTEST).c $(ECDSATES + $(BFTEST).c $(SSLTEST).c $(DSATEST).c $(EXPTEST).c $(RSATEST).c \ + $(EVPTEST).c $(EVPEXTRATEST).c $(IGETEST).c $(JPAKETEST).c $(SRPTEST).c $(ASN1TEST).c \ + $(V3NAMETEST).c $(HEARTBEATTEST).c $(CONSTTIMETEST).c $(VERIFYEXTRATEST).c \ +- $(CLIENTHELLOTEST).c $(SSLV2CONFTEST).c ssltestlib.c ++ $(CLIENTHELLOTEST).c $(SSLV2CONFTEST).c ssltestlib.c $(FATALERRTEST).c + + EXHEADER= + HEADER= testutil.h ssltestlib.h $(EXHEADER) +@@ -153,7 +154,8 @@ alltests: \ + test_gen test_req test_pkcs7 test_verify test_dh test_dsa \ + test_ss test_ca test_engine test_evp test_evp_extra test_ssl test_tsa test_ige \ + test_jpake test_srp test_cms test_ocsp test_v3name test_heartbeat \ +- test_constant_time test_verify_extra test_clienthello test_sslv2conftest ++ test_constant_time test_verify_extra test_clienthello test_sslv2conftest \ ++ test_fatalerr + + test_evp: $(EVPTEST)$(EXE_EXT) evptests.txt + ../util/shlib_wrap.sh ./$(EVPTEST) evptests.txt +@@ -362,6 
+364,10 @@ test_clienthello: $(CLIENTHELLOTEST)$(EX + @echo $(START) $@ + ../util/shlib_wrap.sh ./$(CLIENTHELLOTEST) + ++test_fatalerr: $(FATALERRTEST)$(EXE_EXT) ++ @echo $(START) $@ ++ ../util/shlib_wrap.sh ./$(FATALERRTEST) ../apps/server.pem ../apps/server.pem ++ + test_sslv2conftest: $(SSLV2CONFTEST)$(EXE_EXT) + @echo $(START) $@ + ../util/shlib_wrap.sh ./$(SSLV2CONFTEST) +@@ -543,6 +549,9 @@ $(VERIFYEXTRATEST)$(EXE_EXT): $(VERIFYEX + $(CLIENTHELLOTEST)$(EXE_EXT): $(CLIENTHELLOTEST).o + @target=$(CLIENTHELLOTEST) $(BUILD_CMD) + ++$(FATALERRTEST)$(EXE_EXT): $(FATALERRTEST).o ssltestlib.o $(DLIBSSL) $(DLIBCRYPTO) ++ @target=$(FATALERRTEST); exobj=ssltestlib.o; $(BUILD_CMD) ++ + $(SSLV2CONFTEST)$(EXE_EXT): $(SSLV2CONFTEST).o + @target=$(SSLV2CONFTEST) $(BUILD_CMD) + +@@ -717,6 +726,25 @@ exptest.o: ../include/openssl/opensslcon + exptest.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h + exptest.o: ../include/openssl/safestack.h ../include/openssl/stack.h + exptest.o: ../include/openssl/symhacks.h exptest.c ++fatalerrtest.o: ../include/openssl/asn1.h ../include/openssl/bio.h ++fatalerrtest.o: ../include/openssl/buffer.h ../include/openssl/comp.h ++fatalerrtest.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h ++fatalerrtest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h ++fatalerrtest.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h ++fatalerrtest.o: ../include/openssl/err.h ../include/openssl/evp.h ++fatalerrtest.o: ../include/openssl/hmac.h ../include/openssl/kssl.h ++fatalerrtest.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h ++fatalerrtest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h ++fatalerrtest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h ++fatalerrtest.o: ../include/openssl/pem.h ../include/openssl/pem2.h ++fatalerrtest.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h ++fatalerrtest.o: ../include/openssl/safestack.h ../include/openssl/sha.h ++fatalerrtest.o: 
../include/openssl/srtp.h ../include/openssl/ssl.h ++fatalerrtest.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h ++fatalerrtest.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ++fatalerrtest.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h ++fatalerrtest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ++fatalerrtest.o: fatalerrtest.c ssltestlib.h + heartbeat_test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h + heartbeat_test.o: ../include/openssl/buffer.h ../include/openssl/comp.h + heartbeat_test.o: ../include/openssl/crypto.h ../include/openssl/dsa.h diff -Nru openssl-1.0.2g/debian/patches/CVE-2017-3737-pre.patch openssl-1.0.2g/debian/patches/CVE-2017-3737-pre.patch --- openssl-1.0.2g/debian/patches/CVE-2017-3737-pre.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2017-3737-pre.patch 2017-12-07 19:14:42.000000000 +0000 
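Review bot: In fatalerrtest.c the read is `SSL_read(sssl, buf, sizeof(buf - 1))`, which takes `sizeof` of a pointer expression (8 on a 64-bit build) rather than the 79 bytes intended; it should be `SSL_read(sssl, buf, sizeof(buf) - 1)`. The following `buf[len] = '\0'` stays in bounds either way, so the test is not unsafe, but it only ever asks for a handful of bytes. The message `"Failed to create SSL objectx\n"` has a typo (`objects`). The `#include` lines of the new file appear with their header names stripped in this rendering; presumably the patch on disk carries them.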
@@ -0,0 +1,809 @@ +From 48e8df6e399ec1bef53500457f16b54d798198d3 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 5 Jul 2016 11:36:10 +0100 +Subject: [PATCH] Back port ssltestlib code to 1.0.2 + +Enables the testing of DTLS code in 1.0.2 + +Reviewed-by: Richard Levitte +--- + .gitignore | 1 + + test/ssltestlib.c | 687 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ + test/ssltestlib.h | 36 +++ + 3 files changed, 724 insertions(+) + create mode 100644 test/ssltestlib.c + create mode 100644 test/ssltestlib.h + +Index: openssl-1.0.2g/test/ssltestlib.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.0.2g/test/ssltestlib.c 2017-12-07 14:13:22.916839708 -0500 +@@ -0,0 +1,687 @@ ++/* ++ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++ ++#include "ssltestlib.h" ++ ++#define SSL_IS_DTLS(s) (s->method->version == DTLS_ANY_VERSION \ ++ || s->method->version == DTLS1_2_VERSION \ ++ || s->method->version == DTLS1_VERSION) ++ ++static int tls_dump_new(BIO *bi); ++static int tls_dump_free(BIO *a); ++static int tls_dump_read(BIO *b, char *out, int outl); ++static int tls_dump_write(BIO *b, const char *in, int inl); ++static long tls_dump_ctrl(BIO *b, int cmd, long num, void *ptr); ++static int tls_dump_gets(BIO *bp, char *buf, int size); ++static int tls_dump_puts(BIO *bp, const char *str); ++ ++/* Choose a sufficiently large type likely to be unused for this custom BIO */ ++# define BIO_TYPE_TLS_DUMP_FILTER (0x80 | BIO_TYPE_FILTER) ++ ++# define BIO_TYPE_MEMPACKET_TEST 0x81 ++ ++static BIO_METHOD method_tls_dump = { ++ BIO_TYPE_TLS_DUMP_FILTER, ++ "TLS dump filter", ++ 
tls_dump_write, ++ tls_dump_read, ++ tls_dump_puts, ++ tls_dump_gets, ++ tls_dump_ctrl, ++ tls_dump_new, ++ tls_dump_free ++}; ++ ++BIO_METHOD *bio_f_tls_dump_filter(void) ++{ ++ return &method_tls_dump; ++} ++ ++static int tls_dump_new(BIO *bio) ++{ ++ bio->init = 1; ++ return 1; ++} ++ ++static int tls_dump_free(BIO *bio) ++{ ++ bio->init = 0; ++ ++ return 1; ++} ++ ++static void copy_flags(BIO *bio) ++{ ++ int flags; ++ BIO *next = BIO_next(bio); ++ ++ flags = BIO_test_flags(next, BIO_FLAGS_SHOULD_RETRY | BIO_FLAGS_RWS); ++ BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY | BIO_FLAGS_RWS); ++ BIO_set_flags(bio, flags); ++} ++ ++#define RECORD_CONTENT_TYPE 0 ++#define RECORD_VERSION_HI 1 ++#define RECORD_VERSION_LO 2 ++#define RECORD_EPOCH_HI 3 ++#define RECORD_EPOCH_LO 4 ++#define RECORD_SEQUENCE_START 5 ++#define RECORD_SEQUENCE_END 10 ++#define RECORD_LEN_HI 11 ++#define RECORD_LEN_LO 12 ++ ++#define MSG_TYPE 0 ++#define MSG_LEN_HI 1 ++#define MSG_LEN_MID 2 ++#define MSG_LEN_LO 3 ++#define MSG_SEQ_HI 4 ++#define MSG_SEQ_LO 5 ++#define MSG_FRAG_OFF_HI 6 ++#define MSG_FRAG_OFF_MID 7 ++#define MSG_FRAG_OFF_LO 8 ++#define MSG_FRAG_LEN_HI 9 ++#define MSG_FRAG_LEN_MID 10 ++#define MSG_FRAG_LEN_LO 11 ++ ++ ++static void dump_data(const char *data, int len) ++{ ++ int rem, i, content, reclen, msglen, fragoff, fraglen, epoch; ++ unsigned char *rec; ++ ++ printf("---- START OF PACKET ----\n"); ++ ++ rem = len; ++ rec = (unsigned char *)data; ++ ++ while (rem > 0) { ++ if (rem != len) ++ printf("*\n"); ++ printf("*---- START OF RECORD ----\n"); ++ if (rem < DTLS1_RT_HEADER_LENGTH) { ++ printf("*---- RECORD TRUNCATED ----\n"); ++ break; ++ } ++ content = rec[RECORD_CONTENT_TYPE]; ++ printf("** Record Content-type: %d\n", content); ++ printf("** Record Version: %02x%02x\n", ++ rec[RECORD_VERSION_HI], rec[RECORD_VERSION_LO]); ++ epoch = (rec[RECORD_EPOCH_HI] << 8) | rec[RECORD_EPOCH_LO]; ++ printf("** Record Epoch: %d\n", epoch); ++ printf("** Record Sequence: "); ++ for (i = 
RECORD_SEQUENCE_START; i <= RECORD_SEQUENCE_END; i++) ++ printf("%02x", rec[i]); ++ reclen = (rec[RECORD_LEN_HI] << 8) | rec[RECORD_LEN_LO]; ++ printf("\n** Record Length: %d\n", reclen); ++ ++ /* Now look at message */ ++ rec += DTLS1_RT_HEADER_LENGTH; ++ rem -= DTLS1_RT_HEADER_LENGTH; ++ if (content == SSL3_RT_HANDSHAKE) { ++ printf("**---- START OF HANDSHAKE MESSAGE FRAGMENT ----\n"); ++ if (epoch > 0) { ++ printf("**---- HANDSHAKE MESSAGE FRAGMENT ENCRYPTED ----\n"); ++ } else if (rem < DTLS1_HM_HEADER_LENGTH ++ || reclen < DTLS1_HM_HEADER_LENGTH) { ++ printf("**---- HANDSHAKE MESSAGE FRAGMENT TRUNCATED ----\n"); ++ } else { ++ printf("*** Message Type: %d\n", rec[MSG_TYPE]); ++ msglen = (rec[MSG_LEN_HI] << 16) | (rec[MSG_LEN_MID] << 8) ++ | rec[MSG_LEN_LO]; ++ printf("*** Message Length: %d\n", msglen); ++ printf("*** Message sequence: %d\n", ++ (rec[MSG_SEQ_HI] << 8) | rec[MSG_SEQ_LO]); ++ fragoff = (rec[MSG_FRAG_OFF_HI] << 16) ++ | (rec[MSG_FRAG_OFF_MID] << 8) ++ | rec[MSG_FRAG_OFF_LO]; ++ printf("*** Message Fragment offset: %d\n", fragoff); ++ fraglen = (rec[MSG_FRAG_LEN_HI] << 16) ++ | (rec[MSG_FRAG_LEN_MID] << 8) ++ | rec[MSG_FRAG_LEN_LO]; ++ printf("*** Message Fragment len: %d\n", fraglen); ++ if (fragoff + fraglen > msglen) ++ printf("***---- HANDSHAKE MESSAGE FRAGMENT INVALID ----\n"); ++ else if(reclen < fraglen) ++ printf("**---- HANDSHAKE MESSAGE FRAGMENT TRUNCATED ----\n"); ++ else ++ printf("**---- END OF HANDSHAKE MESSAGE FRAGMENT ----\n"); ++ } ++ } ++ if (rem < reclen) { ++ printf("*---- RECORD TRUNCATED ----\n"); ++ rem = 0; ++ } else { ++ rec += reclen; ++ rem -= reclen; ++ printf("*---- END OF RECORD ----\n"); ++ } ++ } ++ printf("---- END OF PACKET ----\n\n"); ++ fflush(stdout); ++} ++ ++static int tls_dump_read(BIO *bio, char *out, int outl) ++{ ++ int ret; ++ BIO *next = BIO_next(bio); ++ ++ ret = BIO_read(next, out, outl); ++ copy_flags(bio); ++ ++ if (ret > 0) { ++ dump_data(out, ret); ++ } ++ ++ return ret; ++} ++ ++static int 
tls_dump_write(BIO *bio, const char *in, int inl) ++{ ++ int ret; ++ BIO *next = BIO_next(bio); ++ ++ ret = BIO_write(next, in, inl); ++ copy_flags(bio); ++ ++ return ret; ++} ++ ++static long tls_dump_ctrl(BIO *bio, int cmd, long num, void *ptr) ++{ ++ long ret; ++ BIO *next = BIO_next(bio); ++ ++ if (next == NULL) ++ return 0; ++ ++ switch (cmd) { ++ case BIO_CTRL_DUP: ++ ret = 0L; ++ break; ++ default: ++ ret = BIO_ctrl(next, cmd, num, ptr); ++ break; ++ } ++ return ret; ++} ++ ++static int tls_dump_gets(BIO *bio, char *buf, int size) ++{ ++ /* We don't support this - not needed anyway */ ++ return -1; ++} ++ ++static int tls_dump_puts(BIO *bio, const char *str) ++{ ++ return tls_dump_write(bio, str, strlen(str)); ++} ++ ++ ++typedef struct mempacket_st { ++ unsigned char *data; ++ int len; ++ unsigned int num; ++ unsigned int type; ++} MEMPACKET; ++ ++/* ++ * These defines would normally be auto-generated and in safestack.h...but this ++ * is just for tests so its probably not an appropriate place ++ */ ++# define sk_MEMPACKET_new(cmp) SKM_sk_new(MEMPACKET, (cmp)) ++# define sk_MEMPACKET_new_null() SKM_sk_new_null(MEMPACKET) ++# define sk_MEMPACKET_free(st) SKM_sk_free(MEMPACKET, (st)) ++# define sk_MEMPACKET_num(st) SKM_sk_num(MEMPACKET, (st)) ++# define sk_MEMPACKET_value(st, i) SKM_sk_value(MEMPACKET, (st), (i)) ++# define sk_MEMPACKET_set(st, i, val) SKM_sk_set(MEMPACKET, (st), (i), (val)) ++# define sk_MEMPACKET_zero(st) SKM_sk_zero(MEMPACKET, (st)) ++# define sk_MEMPACKET_push(st, val) SKM_sk_push(MEMPACKET, (st), (val)) ++# define sk_MEMPACKET_unshift(st, val) SKM_sk_unshift(MEMPACKET, (st), (val)) ++# define sk_MEMPACKET_find(st, val) SKM_sk_find(MEMPACKET, (st), (val)) ++# define sk_MEMPACKET_find_ex(st, val) SKM_sk_find_ex(MEMPACKET, (st), (val)) ++# define sk_MEMPACKET_delete(st, i) SKM_sk_delete(MEMPACKET, (st), (i)) ++# define sk_MEMPACKET_delete_ptr(st, ptr) SKM_sk_delete_ptr(MEMPACKET, (st), (ptr)) ++# define sk_MEMPACKET_insert(st, val, i) 
SKM_sk_insert(MEMPACKET, (st), (val), (i)) ++# define sk_MEMPACKET_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(MEMPACKET, (st), (cmp)) ++# define sk_MEMPACKET_dup(st) SKM_sk_dup(MEMPACKET, st) ++# define sk_MEMPACKET_pop_free(st, free_func) SKM_sk_pop_free(MEMPACKET, (st), (free_func)) ++# define sk_MEMPACKET_deep_copy(st, copy_func, free_func) SKM_sk_deep_copy(MEMPACKET, (st), (copy_func), (free_func)) ++# define sk_MEMPACKET_shift(st) SKM_sk_shift(MEMPACKET, (st)) ++# define sk_MEMPACKET_pop(st) SKM_sk_pop(MEMPACKET, (st)) ++# define sk_MEMPACKET_sort(st) SKM_sk_sort(MEMPACKET, (st)) ++# define sk_MEMPACKET_is_sorted(st) SKM_sk_is_sorted(MEMPACKET, (st)) ++ ++static void mempacket_free(MEMPACKET *pkt) ++{ ++ if (pkt->data != NULL) ++ OPENSSL_free(pkt->data); ++ OPENSSL_free(pkt); ++} ++ ++typedef struct mempacket_test_ctx_st { ++ STACK_OF(MEMPACKET) *pkts; ++ unsigned int epoch; ++ unsigned int currrec; ++ unsigned int currpkt; ++ unsigned int lastpkt; ++ unsigned int noinject; ++} MEMPACKET_TEST_CTX; ++ ++static int mempacket_test_new(BIO *bi); ++static int mempacket_test_free(BIO *a); ++static int mempacket_test_read(BIO *b, char *out, int outl); ++static int mempacket_test_write(BIO *b, const char *in, int inl); ++static long mempacket_test_ctrl(BIO *b, int cmd, long num, void *ptr); ++static int mempacket_test_gets(BIO *bp, char *buf, int size); ++static int mempacket_test_puts(BIO *bp, const char *str); ++ ++static BIO_METHOD method_mempacket_test = { ++ BIO_TYPE_MEMPACKET_TEST, ++ "Mem Packet Test", ++ mempacket_test_write, ++ mempacket_test_read, ++ mempacket_test_puts, ++ mempacket_test_gets, ++ mempacket_test_ctrl, ++ mempacket_test_new, ++ mempacket_test_free ++}; ++ ++BIO_METHOD *bio_s_mempacket_test(void) ++{ ++ return &method_mempacket_test; ++} ++ ++static int mempacket_test_new(BIO *bio) ++{ ++ MEMPACKET_TEST_CTX *ctx = OPENSSL_malloc(sizeof(*ctx)); ++ if (ctx == NULL) ++ return 0; ++ memset(ctx, 0, sizeof(*ctx)); ++ ++ ctx->pkts = 
sk_MEMPACKET_new_null(); ++ if (ctx->pkts == NULL) { ++ OPENSSL_free(ctx); ++ return 0; ++ } ++ bio->init = 1; ++ bio->ptr = ctx; ++ return 1; ++} ++ ++static int mempacket_test_free(BIO *bio) ++{ ++ MEMPACKET_TEST_CTX *ctx = bio->ptr; ++ ++ sk_MEMPACKET_pop_free(ctx->pkts, mempacket_free); ++ OPENSSL_free(ctx); ++ bio->ptr = NULL; ++ bio->init = 0; ++ ++ return 1; ++} ++ ++/* Record Header values */ ++#define EPOCH_HI 4 ++#define EPOCH_LO 5 ++#define RECORD_SEQUENCE 10 ++#define RECORD_LEN_HI 11 ++#define RECORD_LEN_LO 12 ++ ++#define STANDARD_PACKET 0 ++ ++static int mempacket_test_read(BIO *bio, char *out, int outl) ++{ ++ MEMPACKET_TEST_CTX *ctx = bio->ptr; ++ MEMPACKET *thispkt; ++ unsigned char *rec; ++ int rem; ++ unsigned int seq, offset, len, epoch; ++ ++ BIO_clear_retry_flags(bio); ++ ++ thispkt = sk_MEMPACKET_value(ctx->pkts, 0); ++ if (thispkt == NULL || thispkt->num != ctx->currpkt) { ++ /* Probably run out of data */ ++ BIO_set_retry_read(bio); ++ return -1; ++ } ++ sk_MEMPACKET_shift(ctx->pkts); ++ ctx->currpkt++; ++ ++ if (outl > thispkt->len) ++ outl = thispkt->len; ++ ++ if (thispkt->type != INJECT_PACKET_IGNORE_REC_SEQ) { ++ /* ++ * Overwrite the record sequence number. We strictly number them in ++ * the order received. Since we are actually a reliable transport ++ * we know that there won't be any re-ordering. 
We overwrite to deal ++ * with any packets that have been injected ++ */ ++ rem = thispkt->len; ++ rec = thispkt->data; ++ while (rem > 0) { ++ if (rem < DTLS1_RT_HEADER_LENGTH) { ++ return -1; ++ } ++ epoch = (rec[EPOCH_HI] << 8) | rec[EPOCH_LO]; ++ if (epoch != ctx->epoch) { ++ ctx->epoch = epoch; ++ ctx->currrec = 0; ++ } ++ seq = ctx->currrec; ++ offset = 0; ++ do { ++ rec[RECORD_SEQUENCE - offset] = seq & 0xFF; ++ seq >>= 8; ++ offset++; ++ } while (seq > 0); ++ ctx->currrec++; ++ ++ len = ((rec[RECORD_LEN_HI] << 8) | rec[RECORD_LEN_LO]) ++ + DTLS1_RT_HEADER_LENGTH; ++ ++ rec += len; ++ rem -= len; ++ } ++ } ++ ++ memcpy(out, thispkt->data, outl); ++ ++ mempacket_free(thispkt); ++ ++ return outl; ++} ++ ++int mempacket_test_inject(BIO *bio, const char *in, int inl, int pktnum, ++ int type) ++{ ++ MEMPACKET_TEST_CTX *ctx = bio->ptr; ++ MEMPACKET *thispkt, *looppkt, *nextpkt; ++ int i; ++ ++ if (ctx == NULL) ++ return -1; ++ ++ /* We only allow injection before we've started writing any data */ ++ if (pktnum >= 0) { ++ if (ctx->noinject) ++ return -1; ++ } else { ++ ctx->noinject = 1; ++ } ++ ++ thispkt = OPENSSL_malloc(sizeof(MEMPACKET)); ++ if (thispkt == NULL) ++ return -1; ++ ++ thispkt->data = OPENSSL_malloc(inl); ++ if (thispkt->data == NULL) { ++ mempacket_free(thispkt); ++ return -1; ++ } ++ ++ memcpy(thispkt->data, in, inl); ++ thispkt->len = inl; ++ thispkt->num = (pktnum >= 0) ? (unsigned int)pktnum : ctx->lastpkt; ++ thispkt->type = type; ++ ++ for(i = 0; (looppkt = sk_MEMPACKET_value(ctx->pkts, i)) != NULL; i++) { ++ /* Check if we found the right place to insert this packet */ ++ if (looppkt->num > thispkt->num) { ++ if (sk_MEMPACKET_insert(ctx->pkts, thispkt, i) == 0) { ++ mempacket_free(thispkt); ++ return -1; ++ } ++ /* If we're doing up front injection then we're done */ ++ if (pktnum >= 0) ++ return inl; ++ /* ++ * We need to do some accounting on lastpkt. 
We increment it first, ++ * but it might now equal the value of injected packets, so we need ++ * to skip over those ++ */ ++ ctx->lastpkt++; ++ do { ++ i++; ++ nextpkt = sk_MEMPACKET_value(ctx->pkts, i); ++ if (nextpkt != NULL && nextpkt->num == ctx->lastpkt) ++ ctx->lastpkt++; ++ else ++ return inl; ++ } while(1); ++ } else if(looppkt->num == thispkt->num) { ++ if (!ctx->noinject) { ++ /* We injected two packets with the same packet number! */ ++ return -1; ++ } ++ ctx->lastpkt++; ++ thispkt->num++; ++ } ++ } ++ /* ++ * We didn't find any packets with a packet number equal to or greater than ++ * this one, so we just add it onto the end ++ */ ++ if (!sk_MEMPACKET_push(ctx->pkts, thispkt)) { ++ mempacket_free(thispkt); ++ return -1; ++ } ++ ++ if (pktnum < 0) ++ ctx->lastpkt++; ++ ++ return inl; ++} ++ ++static int mempacket_test_write(BIO *bio, const char *in, int inl) ++{ ++ return mempacket_test_inject(bio, in, inl, -1, STANDARD_PACKET); ++} ++ ++static long mempacket_test_ctrl(BIO *bio, int cmd, long num, void *ptr) ++{ ++ long ret = 1; ++ MEMPACKET_TEST_CTX *ctx = bio->ptr; ++ MEMPACKET *thispkt; ++ ++ switch (cmd) { ++ case BIO_CTRL_EOF: ++ ret = (long)(sk_MEMPACKET_num(ctx->pkts) == 0); ++ break; ++ case BIO_CTRL_GET_CLOSE: ++ ret = bio->shutdown; ++ break; ++ case BIO_CTRL_SET_CLOSE: ++ bio->shutdown = (int)num; ++ break; ++ case BIO_CTRL_WPENDING: ++ ret = 0L; ++ break; ++ case BIO_CTRL_PENDING: ++ thispkt = sk_MEMPACKET_value(ctx->pkts, 0); ++ if (thispkt == NULL) ++ ret = 0; ++ else ++ ret = thispkt->len; ++ break; ++ case BIO_CTRL_FLUSH: ++ ret = 1; ++ break; ++ case BIO_CTRL_RESET: ++ case BIO_CTRL_DUP: ++ case BIO_CTRL_PUSH: ++ case BIO_CTRL_POP: ++ default: ++ ret = 0; ++ break; ++ } ++ return ret; ++} ++ ++static int mempacket_test_gets(BIO *bio, char *buf, int size) ++{ ++ /* We don't support this - not needed anyway */ ++ return -1; ++} ++ ++static int mempacket_test_puts(BIO *bio, const char *str) ++{ ++ return mempacket_test_write(bio, str, 
strlen(str)); ++} ++ ++int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm, ++ SSL_CTX **sctx, SSL_CTX **cctx, char *certfile, ++ char *privkeyfile) ++{ ++ SSL_CTX *serverctx = NULL; ++ SSL_CTX *clientctx = NULL; ++ ++ serverctx = SSL_CTX_new(sm); ++ clientctx = SSL_CTX_new(cm); ++ if (serverctx == NULL || clientctx == NULL) { ++ printf("Failed to create SSL_CTX\n"); ++ goto err; ++ } ++ ++ if (SSL_CTX_use_certificate_file(serverctx, certfile, ++ SSL_FILETYPE_PEM) <= 0) { ++ printf("Failed to load server certificate\n"); ++ goto err; ++ } ++ if (SSL_CTX_use_PrivateKey_file(serverctx, privkeyfile, ++ SSL_FILETYPE_PEM) <= 0) { ++ printf("Failed to load server private key\n"); ++ } ++ if (SSL_CTX_check_private_key(serverctx) <= 0) { ++ printf("Failed to check private key\n"); ++ goto err; ++ } ++ ++ *sctx = serverctx; ++ *cctx = clientctx; ++ ++ return 1; ++ err: ++ SSL_CTX_free(serverctx); ++ SSL_CTX_free(clientctx); ++ return 0; ++} ++ ++#define MAXLOOPS 100000 ++ ++/* ++ * NOTE: Transfers control of the BIOs - this function will free them on error ++ */ ++int create_ssl_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, ++ SSL **cssl, BIO *s_to_c_fbio, BIO *c_to_s_fbio) ++{ ++ SSL *serverssl, *clientssl; ++ BIO *s_to_c_bio = NULL, *c_to_s_bio = NULL; ++ ++ serverssl = SSL_new(serverctx); ++ clientssl = SSL_new(clientctx); ++ ++ if (serverssl == NULL || clientssl == NULL) { ++ printf("Failed to create SSL object\n"); ++ goto error; ++ } ++ ++ if (SSL_IS_DTLS(clientssl)) { ++ s_to_c_bio = BIO_new(bio_s_mempacket_test()); ++ c_to_s_bio = BIO_new(bio_s_mempacket_test());; ++ } else { ++ s_to_c_bio = BIO_new(BIO_s_mem()); ++ c_to_s_bio = BIO_new(BIO_s_mem()); ++ } ++ if (s_to_c_bio == NULL || c_to_s_bio == NULL) { ++ printf("Failed to create mem BIOs\n"); ++ goto error; ++ } ++ ++ if (s_to_c_fbio != NULL) ++ s_to_c_bio = BIO_push(s_to_c_fbio, s_to_c_bio); ++ if (c_to_s_fbio != NULL) ++ c_to_s_bio = BIO_push(c_to_s_fbio, c_to_s_bio); ++ if 
(s_to_c_bio == NULL || c_to_s_bio == NULL) { ++ printf("Failed to create chained BIOs\n"); ++ goto error; ++ } ++ ++ /* Set Non-blocking IO behaviour */ ++ BIO_set_mem_eof_return(s_to_c_bio, -1); ++ BIO_set_mem_eof_return(c_to_s_bio, -1); ++ ++ /* Up ref these as we are passing them to two SSL objects */ ++ CRYPTO_add(&s_to_c_bio->references, 1, CRYPTO_LOCK_BIO); ++ CRYPTO_add(&c_to_s_bio->references, 1, CRYPTO_LOCK_BIO); ++ ++ SSL_set_bio(serverssl, c_to_s_bio, s_to_c_bio); ++ SSL_set_bio(clientssl, s_to_c_bio, c_to_s_bio); ++ ++ /* BIOs will now be freed when SSL objects are freed */ ++ s_to_c_bio = c_to_s_bio = NULL; ++ s_to_c_fbio = c_to_s_fbio = NULL; ++ ++ *sssl = serverssl; ++ *cssl = clientssl; ++ ++ return 1; ++ ++ error: ++ SSL_free(serverssl); ++ SSL_free(clientssl); ++ BIO_free(s_to_c_bio); ++ BIO_free(c_to_s_bio); ++ BIO_free(s_to_c_fbio); ++ BIO_free(c_to_s_fbio); ++ ++ return 0; ++} ++ ++int create_ssl_connection(SSL *serverssl, SSL *clientssl) ++{ ++ int retc = -1, rets = -1, err, abortctr = 0; ++ ++ do { ++ err = SSL_ERROR_WANT_WRITE; ++ while (retc <= 0 && err == SSL_ERROR_WANT_WRITE) { ++ retc = SSL_connect(clientssl); ++ if (retc <= 0) ++ err = SSL_get_error(clientssl, retc); ++ } ++ ++ if (retc <= 0 && err != SSL_ERROR_WANT_READ) { ++ printf("SSL_connect() failed %d, %d\n", retc, err); ++ return 0; ++ } ++ ++ err = SSL_ERROR_WANT_WRITE; ++ while (rets <= 0 && err == SSL_ERROR_WANT_WRITE) { ++ rets = SSL_accept(serverssl); ++ if (rets <= 0) ++ err = SSL_get_error(serverssl, rets); ++ } ++ ++ if (rets <= 0 && err != SSL_ERROR_WANT_READ) { ++ printf("SSL_accept() failed %d, %d\n", retc, err); ++ return 0; ++ } ++ if (++abortctr == MAXLOOPS) { ++ printf("No progress made\n"); ++ return 0; ++ } ++ } while (retc <=0 || rets <= 0); ++ ++ return 1; ++} +Index: openssl-1.0.2g/test/ssltestlib.h +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.0.2g/test/ssltestlib.h 
2017-12-07 14:13:22.916839708 -0500 +@@ -0,0 +1,36 @@ ++/* ++ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#ifndef HEADER_SSLTESTLIB_H ++# define HEADER_SSLTESTLIB_H ++ ++# include ++ ++int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm, ++ SSL_CTX **sctx, SSL_CTX **cctx, char *certfile, ++ char *privkeyfile); ++int create_ssl_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, ++ SSL **cssl, BIO *s_to_c_fbio, BIO *c_to_s_fbio); ++int create_ssl_connection(SSL *serverssl, SSL *clientssl); ++ ++/* Note: Not thread safe! */ ++BIO_METHOD *bio_f_tls_dump_filter(void); ++void bio_f_tls_dump_filter_free(void); ++ ++BIO_METHOD *bio_s_mempacket_test(void); ++void bio_s_mempacket_test_free(void); ++ ++/* Packet types - value 0 is reserved */ ++#define INJECT_PACKET 1 ++#define INJECT_PACKET_IGNORE_REC_SEQ 2 ++ ++int mempacket_test_inject(BIO *bio, const char *in, int inl, int pktnum, ++ int type); ++ ++#endif /* HEADER_SSLTESTLIB_H */ +Index: openssl-1.0.2g/test/Makefile +=================================================================== +--- openssl-1.0.2g.orig/test/Makefile 2017-12-07 14:13:22.920839758 -0500 ++++ openssl-1.0.2g/test/Makefile 2017-12-07 14:14:36.649747970 -0500 +@@ -98,7 +98,7 @@ OBJ= $(BNTEST).o $(ECTEST).o $(ECDSATES + $(BFTEST).o $(SSLTEST).o $(DSATEST).o $(EXPTEST).o $(RSATEST).o \ + $(EVPTEST).o $(EVPEXTRATEST).o $(IGETEST).o $(JPAKETEST).o $(ASN1TEST).o $(V3NAMETEST).o \ + $(HEARTBEATTEST).o $(CONSTTIMETEST).o $(VERIFYEXTRATEST).o \ +- $(CLIENTHELLOTEST).o $(SSLV2CONFTEST).o ++ $(CLIENTHELLOTEST).o $(SSLV2CONFTEST).o ssltestlib.o + + SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \ + $(MD2TEST).c $(MD4TEST).c 
$(MD5TEST).c \ +@@ -109,10 +109,10 @@ SRC= $(BNTEST).c $(ECTEST).c $(ECDSATES + $(BFTEST).c $(SSLTEST).c $(DSATEST).c $(EXPTEST).c $(RSATEST).c \ + $(EVPTEST).c $(EVPEXTRATEST).c $(IGETEST).c $(JPAKETEST).c $(SRPTEST).c $(ASN1TEST).c \ + $(V3NAMETEST).c $(HEARTBEATTEST).c $(CONSTTIMETEST).c $(VERIFYEXTRATEST).c \ +- $(CLIENTHELLOTEST).c $(SSLV2CONFTEST).c ++ $(CLIENTHELLOTEST).c $(SSLV2CONFTEST).c ssltestlib.c + + EXHEADER= +-HEADER= testutil.h $(EXHEADER) ++HEADER= testutil.h ssltestlib.h $(EXHEADER) + + ALL= $(GENERAL) $(SRC) $(HEADER) + +@@ -397,7 +397,7 @@ BUILD_CMD=shlib_target=; if [ -n "$(SHAR + fi; \ + LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \ + $(MAKE) -f $(TOP)/Makefile.shared -e \ +- CC="$${CC}" APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ ++ CC="$${CC}" APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o $$exobj" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + link_app.$${shlib_target} + +@@ -856,6 +856,24 @@ ssltest.o: ../include/openssl/ssl3.h ../ + ssltest.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h + ssltest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h + ssltest.o: ../include/openssl/x509v3.h ssltest.c ++ssltestlib.o: ../include/openssl/asn1.h ../include/openssl/bio.h ++ssltestlib.o: ../include/openssl/buffer.h ../include/openssl/comp.h ++ssltestlib.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h ++ssltestlib.o: ../include/openssl/e_os2.h ../include/openssl/ec.h ++ssltestlib.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h ++ssltestlib.o: ../include/openssl/evp.h ../include/openssl/hmac.h ++ssltestlib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h ++ssltestlib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h ++ssltestlib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h ++ssltestlib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h ++ssltestlib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h ++ssltestlib.o: ../include/openssl/pqueue.h 
../include/openssl/safestack.h ++ssltestlib.o: ../include/openssl/sha.h ../include/openssl/srtp.h ++ssltestlib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h ++ssltestlib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h ++ssltestlib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ++ssltestlib.o: ../include/openssl/tls1.h ../include/openssl/x509.h ++ssltestlib.o: ../include/openssl/x509_vfy.h ssltestlib.c ssltestlib.h + sslv2conftest.o: ../include/openssl/asn1.h ../include/openssl/bio.h + sslv2conftest.o: ../include/openssl/buffer.h ../include/openssl/comp.h + sslv2conftest.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h diff -Nru openssl-1.0.2g/debian/patches/CVE-2017-3738.patch openssl-1.0.2g/debian/patches/CVE-2017-3738.patch --- openssl-1.0.2g/debian/patches/CVE-2017-3738.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2017-3738.patch 2017-12-07 18:17:30.000000000 +0000 
@@ -0,0 +1,80 @@ +From ca51bafc1a88d8b8348f5fd97adc5d6ca93f8e76 Mon Sep 17 00:00:00 2001 +From: Andy Polyakov +Date: Fri, 24 Nov 2017 11:35:50 +0100 +Subject: [PATCH] bn/asm/rsaz-avx2.pl: fix digit correction bug in + rsaz_1024_mul_avx2. + +Credit to OSS-Fuzz for finding this. + +CVE-2017-3738 + +Reviewed-by: Rich Salz +--- + crypto/bn/asm/rsaz-avx2.pl | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/crypto/bn/asm/rsaz-avx2.pl b/crypto/bn/asm/rsaz-avx2.pl +index 712a77f..2b3f8b0 100755 +--- a/crypto/bn/asm/rsaz-avx2.pl ++++ b/crypto/bn/asm/rsaz-avx2.pl +@@ -239,7 +239,7 @@ $code.=<<___; + vmovdqu 32*8-128($ap), $ACC8 + + lea 192(%rsp), $tp0 # 64+128=192 +- vpbroadcastq .Land_mask(%rip), $AND_MASK ++ vmovdqu .Land_mask(%rip), $AND_MASK + jmp .LOOP_GRANDE_SQR_1024 + + .align 32 +@@ -1070,10 +1070,10 @@ $code.=<<___; + vpmuludq 32*6-128($np),$Yi,$TEMP1 + vpaddq $TEMP1,$ACC6,$ACC6 + vpmuludq 32*7-128($np),$Yi,$TEMP2 +- vpblendd \$3, $ZERO, $ACC9, $ACC9 # correct $ACC3 ++ vpblendd \$3, $ZERO, $ACC9, $TEMP1 # correct $ACC3 + vpaddq $TEMP2,$ACC7,$ACC7 + vpmuludq 32*8-128($np),$Yi,$TEMP0 +- vpaddq $ACC9, $ACC3, $ACC3 # correct $ACC3 ++ vpaddq $TEMP1, $ACC3, $ACC3 # correct $ACC3 + vpaddq $TEMP0,$ACC8,$ACC8 + + mov %rbx, %rax +@@ -1086,7 +1086,9 @@ $code.=<<___; + vmovdqu -8+32*2-128($ap),$TEMP2 + + mov $r1, %rax ++ vpblendd \$0xfc, $ZERO, $ACC9, $ACC9 # correct $ACC3 + imull $n0, %eax ++ vpaddq $ACC9,$ACC4,$ACC4 # correct $ACC3 + and \$0x1fffffff, %eax + + imulq 16-128($ap),%rbx +@@ -1322,15 +1324,12 @@ ___ + # But as we underutilize resources, it's possible to correct in + # each iteration with marginal performance loss. But then, as + # we do it in each iteration, we can correct less digits, and +-# avoid performance penalties completely. Also note that we +-# correct only three digits out of four. This works because +-# most significant digit is subjected to less additions. ++# avoid performance penalties completely. 
+ + $TEMP0 = $ACC9; + $TEMP3 = $Bi; + $TEMP4 = $Yi; + $code.=<<___; +- vpermq \$0, $AND_MASK, $AND_MASK + vpaddq (%rsp), $TEMP1, $ACC0 + + vpsrlq \$29, $ACC0, $TEMP1 +@@ -1763,7 +1762,7 @@ $code.=<<___; + + .align 64 + .Land_mask: +- .quad 0x1fffffff,0x1fffffff,0x1fffffff,-1 ++ .quad 0x1fffffff,0x1fffffff,0x1fffffff,0x1fffffff + .Lscatter_permd: + .long 0,2,4,6,7,7,7,7 + .Lgather_permd: +-- +2.7.4 + diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0495.patch openssl-1.0.2g/debian/patches/CVE-2018-0495.patch --- openssl-1.0.2g/debian/patches/CVE-2018-0495.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2018-0495.patch 2018-06-20 11:37:55.000000000 +0000 
@@ -0,0 +1,218 @@ +From 949ff36623eafc3523a9f91784992965018ffb05 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 25 May 2018 12:10:13 +0100 +Subject: [PATCH] Add blinding to an ECDSA signature + +Keegan Ryan (NCC Group) has demonstrated a side channel attack on an +ECDSA signature operation. During signing the signer calculates: + +s:= k^-1 * (m + r * priv_key) mod order + +The addition operation above provides a sufficient signal for a +flush+reload attack to derive the private key given sufficient signature +operations. + +As a mitigation (based on a suggestion from Keegan) we add blinding to +the operation so that: + +s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order + +Since this attack is a localhost side channel only no CVE is assigned. + +Reviewed-by: Rich Salz +--- + CHANGES | 4 +++ + crypto/ecdsa/ecdsatest.c | 9 +++++- + crypto/ecdsa/ecs_ossl.c | 82 +++++++++++++++++++++++++++++++++++++++--------- + 3 files changed, 79 insertions(+), 16 deletions(-) + +#diff --git a/CHANGES b/CHANGES +#index f17fbbf..a3861ab 100644 +#--- a/CHANGES +#+++ b/CHANGES +#@@ -9,6 +9,10 @@ +# +# Changes between 1.0.2o and 1.0.2p [xx XXX xxxx] +# +#+ *) Add blinding to an ECDSA signature to protect against side channel attacks +#+ discovered by Keegan Ryan (NCC Group). +#+ [Matt Caswell] +#+ +# *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we +# now allow empty (zero character) pass phrases. 
+# [Richard Levitte] +Index: openssl-1.0.2g/crypto/ecdsa/ecdsatest.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/ecdsa/ecdsatest.c 2018-06-20 07:30:04.909513406 -0400 ++++ openssl-1.0.2g/crypto/ecdsa/ecdsatest.c 2018-06-20 07:30:04.905513403 -0400 +@@ -137,7 +137,7 @@ int restore_rand(void) + return 1; + } + +-static int fbytes_counter = 0; ++static int fbytes_counter = 0, use_fake = 0; + static const char *numbers[8] = { + "651056770906015076056810763456358567190100156695615665659", + "6140507067065001063065065565667405560006161556565665656654", +@@ -158,6 +158,11 @@ int fbytes(unsigned char *buf, int num) + int ret; + BIGNUM *tmp = NULL; + ++ if (use_fake == 0) ++ return old_rand->bytes(buf, num); ++ ++ use_fake = 0; ++ + if (fbytes_counter >= 8) + return 0; + tmp = BN_new(); +@@ -199,11 +204,13 @@ int x9_62_test_internal(BIO *out, int ni + /* create the key */ + if ((key = EC_KEY_new_by_curve_name(nid)) == NULL) + goto x962_int_err; ++ use_fake = 1; + if (!EC_KEY_generate_key(key)) + goto x962_int_err; + BIO_printf(out, "."); + (void)BIO_flush(out); + /* create the signature */ ++ use_fake = 1; + signature = ECDSA_do_sign(digest, 20, key); + if (signature == NULL) + goto x962_int_err; +Index: openssl-1.0.2g/crypto/ecdsa/ecs_ossl.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/ecdsa/ecs_ossl.c 2018-06-20 07:30:04.909513406 -0400 ++++ openssl-1.0.2g/crypto/ecdsa/ecs_ossl.c 2018-06-20 07:30:04.905513403 -0400 +@@ -238,6 +238,7 @@ static ECDSA_SIG *ecdsa_do_sign(const un + { + int ok = 0, i; + BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *order = NULL; ++ BIGNUM *blind = NULL, *blindm = NULL; + const BIGNUM *ckinv; + BN_CTX *ctx = NULL; + const EC_GROUP *group; +@@ -255,14 +256,25 @@ static ECDSA_SIG *ecdsa_do_sign(const un + } + + ret = ECDSA_SIG_new(); +- if (!ret) { ++ if (ret == NULL) { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE); + 
return NULL; + } + s = ret->s; + +- if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL || +- (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) { ++ ctx = BN_CTX_new(); ++ if (ctx == NULL) { ++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ BN_CTX_start(ctx); ++ order = BN_CTX_get(ctx); ++ tmp = BN_CTX_get(ctx); ++ m = BN_CTX_get(ctx); ++ blind = BN_CTX_get(ctx); ++ blindm = BN_CTX_get(ctx); ++ if (blindm == NULL) { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } +@@ -301,26 +313,70 @@ static ECDSA_SIG *ecdsa_do_sign(const un + } + } + +- if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) { ++ /* ++ * The normal signature calculation is: ++ * ++ * s := k^-1 * (m + r * priv_key) mod order ++ * ++ * We will blind this to protect against side channel attacks ++ * ++ * s := k^-1 * blind^-1 * (blind * m + blind * r * priv_key) mod order ++ */ ++ ++ /* Generate a blinding value */ ++ do { ++ if (!BN_rand(blind, BN_num_bits(order) - 1, -1, 0)) ++ goto err; ++ } while (BN_is_zero(blind)); ++ BN_set_flags(blind, BN_FLG_CONSTTIME); ++ BN_set_flags(blindm, BN_FLG_CONSTTIME); ++ BN_set_flags(tmp, BN_FLG_CONSTTIME); ++ ++ /* tmp := blind * priv_key * r mod order */ ++ if (!BN_mod_mul(tmp, blind, priv_key, order, ctx)) { ++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); ++ goto err; ++ } ++ if (!BN_mod_mul(tmp, tmp, ret->r, order, ctx)) { ++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ /* blindm := blind * m mod order */ ++ if (!BN_mod_mul(blindm, blind, m, order, ctx)) { ++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ /* s : = (blind * priv_key * r) + (blind * m) mod order */ ++ if (!BN_mod_add_quick(s, tmp, blindm, order)) { ++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ /* s:= s * blind^-1 mod order */ ++ if (BN_mod_inverse(blind, blind, order, ctx) == NULL) { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); + goto err; + } +- 
if (!BN_mod_add_quick(s, tmp, m, order)) { ++ if (!BN_mod_mul(s, s, blind, order, ctx)) { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); + goto err; + } ++ ++ /* s := s * k^-1 mod order */ + if (!BN_mod_mul(s, s, ckinv, order, ctx)) { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); + goto err; + } ++ + if (BN_is_zero(s)) { + /* + * if kinv and r have been supplied by the caller don't to + * generate new kinv and r values + */ + if (in_kinv != NULL && in_r != NULL) { +- ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, +- ECDSA_R_NEED_NEW_SETUP_VALUES); ++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ECDSA_R_NEED_NEW_SETUP_VALUES); + goto err; + } + } else +@@ -335,15 +391,11 @@ static ECDSA_SIG *ecdsa_do_sign(const un + ECDSA_SIG_free(ret); + ret = NULL; + } +- if (ctx) ++ if (ctx != NULL) { ++ BN_CTX_end(ctx); + BN_CTX_free(ctx); +- if (m) +- BN_clear_free(m); +- if (tmp) +- BN_clear_free(tmp); +- if (order) +- BN_free(order); +- if (kinv) ++ } ++ if (kinv != NULL) + BN_clear_free(kinv); + return ret; + } diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0732.patch openssl-1.0.2g/debian/patches/CVE-2018-0732.patch --- openssl-1.0.2g/debian/patches/CVE-2018-0732.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2018-0732.patch 2018-06-20 11:38:01.000000000 +0000 
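Review bot: The `BN_rand` failure inside the new `do { ... } while (BN_is_zero(blind));` loop is the one error path in ecdsa_do_sign that reaches `err` without queuing an error, while every neighbouring check calls `ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB)` first, so a caller that gets NULL from that path finds an empty error stack; it should read `if (!BN_rand(blind, BN_num_bits(order) - 1, -1, 0)) { ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); goto err; }`. `BN_FLG_CONSTTIME` is set on `tmp`, `blind` and `blindm`, but the reductions happen inside `BN_mod_mul`, which if I read 1.0.2's bn_mod.c correctly reduces the product from a `BN_CTX` temporary of its own that carries no flag, so whether the flag reaches the division is worth confirming before relying on it. One documentation nit: the file is named CVE-2018-0495.patch while the embedded commit message says no CVE was assigned; a DEP-3 `Bug:` or `Origin:` header at the top of the patch would record which advisory this backport answers. ecdsa_do_sign begins before the first hunk shown here.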
@@ -0,0 +1,42 @@
+From 3984ef0b72831da8b3ece4745cac4f8575b19098 Mon Sep 17 00:00:00 2001
+From: Guido Vranken
+Date: Mon, 11 Jun 2018 19:38:54 +0200
+Subject: [PATCH] Reject excessively large primes in DH key generation.
+
+CVE-2018-0732
+
+Signed-off-by: Guido Vranken
+
+(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
+
+Reviewed-by: Tim Hudson
+Reviewed-by: Matt Caswell
+(Merged from https://github.com/openssl/openssl/pull/6457)
+---
+ crypto/dh/dh_key.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index 387558f..f235e0d 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -130,10 +130,15 @@ static int generate_key(DH *dh)
+ int ok = 0;
+ int generate_new_key = 0;
+ unsigned l;
+- BN_CTX *ctx;
++ BN_CTX *ctx = NULL;
+ BN_MONT_CTX *mont = NULL;
+ BIGNUM *pub_key = NULL, *priv_key = NULL;
+ 
++ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
++ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
++ return 0;
++ }
++
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+--
+2.7.4
+
diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0734-1.patch openssl-1.0.2g/debian/patches/CVE-2018-0734-1.patch
--- openssl-1.0.2g/debian/patches/CVE-2018-0734-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2018-0734-1.patch 2018-12-04 13:37:51.000000000 +0000
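Review bot: The new size check in generate_key carries no comment, so the next reader has only the patch subject to learn why a modulus is refused here; I'd put `/* Reject an excessively large p before any expensive work is done (CVE-2018-0732) */` directly above the `if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS)` line. `BN_num_bits(dh->p)` is now the first expression generate_key evaluates, so a DH object with no parameters dereferences NULL at that point; the rest of the function is outside the hunk, so I could not see whether an earlier `dh->p == NULL` guard exists, and if not the deref merely moves earlier rather than being introduced. The patch only touches generate_key; it is worth confirming that compute_key in the same file enforces the same bound on p, since that is the path fed by a peer's parameters. The `ctx = NULL` initialisation is harmless but unneeded for this change, as the early `return 0` happens before anything is allocated.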
@@ -0,0 +1,24 @@
+From 43e6a58d4991a451daf4891ff05a48735df871ac Mon Sep 17 00:00:00 2001
+From: Pauli
+Date: Mon, 29 Oct 2018 08:24:22 +1000
+Subject: [PATCH] Merge DSA reallocation timing fix CVE-2018-0734.
+
+Reviewed-by: Richard Levitte
+(Merged from https://github.com/openssl/openssl/pull/7513)
+---
+ crypto/dsa/dsa_ossl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: openssl-1.0.2g/crypto/dsa/dsa_ossl.c
+===================================================================
+--- openssl-1.0.2g.orig/crypto/dsa/dsa_ossl.c 2018-12-04 08:37:46.938084461 -0500
++++ openssl-1.0.2g/crypto/dsa/dsa_ossl.c 2018-12-04 08:37:46.930084388 -0500
+@@ -248,7 +248,7 @@ static int dsa_sign_setup(DSA *dsa, BN_C
+ goto err;
+ 
+ /* Preallocate space */
+- q_bits = BN_num_bits(dsa->q);
++ q_bits = BN_num_bits(dsa->q) + sizeof(dsa->q->d[0]) * 16;
+ if (!BN_set_bit(&k, q_bits)
+ || !BN_set_bit(&l, q_bits)
+ || !BN_set_bit(&m, q_bits))
diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0734-2.patch openssl-1.0.2g/debian/patches/CVE-2018-0734-2.patch
--- openssl-1.0.2g/debian/patches/CVE-2018-0734-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2018-0734-2.patch 2018-12-04 13:37:57.000000000 +0000
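Review bot: Padding `q_bits` itself, rather than only the `BN_set_bit` preallocation sizes, also changes the selection `BN_copy(&kq, BN_num_bits(&l) > q_bits ? &l : &m)` that CVE-2018-0734-pre1.patch in this same debdiff introduces a few lines below the hunk, assuming pre1 is applied first as its name and the `&l`/`&m` context lines suggest. `l` is k + q with k < q, so `BN_num_bits(&l)` is at most one more than the bit length of q and can never exceed the padded `q_bits`; the comparison becomes always-false and `&m` (k + 2q) is chosen every time, whose bit length for moduli in the upper part of their range still depends on k — the very variation pre1 was removing. Keeping `q_bits` as the plain bit length and applying the padding only where the space is reserved preserves the reallocation fix without disturbing the selection; the rest of dsa_sign_setup is outside the hunk. Documenting why the padding is needed (avoiding a reallocation inside the later `BN_add` calls, per the subject line) in the "Preallocate space" comment would also help.
```c
    /* Preallocate space so the BN_add calls below never reallocate */
    q_bits = BN_num_bits(dsa->q);
    if (!BN_set_bit(&k, q_bits + sizeof(dsa->q->d[0]) * 16)
        || !BN_set_bit(&l, q_bits + sizeof(dsa->q->d[0]) * 16)
        || !BN_set_bit(&m, q_bits + sizeof(dsa->q->d[0]) * 16))
        goto err;
```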
@@ -0,0 +1,74 @@ +From ebf65dbe1a67682d7e1f58db9c53ef737fb37f32 Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Mon, 29 Oct 2018 07:18:09 +1000 +Subject: [PATCH] Merge to 1.0.2: DSA mod inverse fix. + +There is a side channel attack against the division used to calculate one of +the modulo inverses in the DSA algorithm. This change takes advantage of the +primality of the modulo and Fermat's little theorem to calculate the inverse +without leaking information. + +Thanks to Samuel Weiser for finding and reporting this. + +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/7512) +--- + crypto/dsa/dsa_ossl.c | 34 ++++++++++++++++++++++++++++++++-- + 1 file changed, 32 insertions(+), 2 deletions(-) + +Index: openssl-1.0.2g/crypto/dsa/dsa_ossl.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/dsa/dsa_ossl.c 2018-12-04 08:37:55.130158103 -0500 ++++ openssl-1.0.2g/crypto/dsa/dsa_ossl.c 2018-12-04 08:37:55.126158067 -0500 +@@ -73,6 +73,8 @@ static int dsa_do_verify(const unsigned + DSA_SIG *sig, DSA *dsa); + static int dsa_init(DSA *dsa); + static int dsa_finish(DSA *dsa); ++static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, ++ BN_CTX *ctx); + + static DSA_METHOD openssl_dsa_meth = { + "OpenSSL DSA method", +@@ -302,8 +304,8 @@ static int dsa_sign_setup(DSA *dsa, BN_C + if (!BN_mod(r, r, dsa->q, ctx)) + goto err; + +- /* Compute part of 's = inv(k) (m + xr) mod q' */ +- if ((kinv = BN_mod_inverse(NULL, &k, dsa->q, ctx)) == NULL) ++ /* Compute part of 's = inv(k) (m + xr) mod q' */ ++ if ((kinv = dsa_mod_inverse_fermat(&k, dsa->q, ctx)) == NULL) + goto err; + + if (*kinvp != NULL) +@@ -437,3 +439,31 @@ static int dsa_finish(DSA *dsa) + BN_MONT_CTX_free(dsa->method_mont_p); + return (1); + } ++ ++/* ++ * Compute the inverse of k modulo q. ++ * Since q is prime, Fermat's Little Theorem applies, which reduces this to ++ * mod-exp operation. 
Both the exponent and modulus are public information ++ * so a mod-exp that doesn't leak the base is sufficient. A newly allocated ++ * BIGNUM is returned which the caller must free. ++ */ ++static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, ++ BN_CTX *ctx) ++{ ++ BIGNUM *res = NULL; ++ BIGNUM *r, e; ++ ++ if ((r = BN_new()) == NULL) ++ return NULL; ++ ++ BN_init(&e); ++ ++ if (BN_set_word(r, 2) ++ && BN_sub(&e, q, r) ++ && BN_mod_exp_mont(r, k, &e, q, ctx, NULL)) ++ res = r; ++ else ++ BN_free(r); ++ BN_free(&e); ++ return res; ++} diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0734-3.patch openssl-1.0.2g/debian/patches/CVE-2018-0734-3.patch --- openssl-1.0.2g/debian/patches/CVE-2018-0734-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2018-0734-3.patch 2018-12-04 13:38:03.000000000 +0000 
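Review bot: In dsa_mod_inverse_fermat the exponent `e` is a plain `BN_init`'d local with no `BN_FLG_CONSTTIME`, and `BN_mod_exp_mont` picks its constant-time implementation based on the flags of its operands; the base `k` is flagged only when `DSA_FLAG_NO_EXP_CONSTTIME` is clear (see the `BN_set_flags(&k, BN_FLG_CONSTTIME)` context in CVE-2018-0734-3.patch), and which operands 1.0.2's `BN_mod_exp_mont` inspects is outside this hunk. Since `k` is the secret here and the commit message relies on "a mod-exp that doesn't leak the base", adding `BN_set_flags(&e, BN_FLG_CONSTTIME);` right after `BN_init(&e);` makes the constant-time path unconditional and documents the intent. The header comment could also state that `q` must be prime for the result to be an inverse, since the function silently returns a wrong value otherwise.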
@@ -0,0 +1,29 @@
+From 880d1c76ed9916cddb97fe05fb4c144f0f6f1012 Mon Sep 17 00:00:00 2001
+From: Pauli
+Date: Thu, 1 Nov 2018 08:44:11 +1000
+Subject: [PATCH] Add a constant time flag to one of the bignums to avoid a
+ timing leak.
+
+Reviewed-by: Tim Hudson
+(Merged from https://github.com/openssl/openssl/pull/7549)
+
+(cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239)
+---
+ crypto/dsa/dsa_ossl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: openssl-1.0.2g/crypto/dsa/dsa_ossl.c
+===================================================================
+--- openssl-1.0.2g.orig/crypto/dsa/dsa_ossl.c 2018-12-04 08:38:01.090211298 -0500
++++ openssl-1.0.2g/crypto/dsa/dsa_ossl.c 2018-12-04 08:38:01.086211262 -0500
+@@ -264,9 +264,9 @@ static int dsa_sign_setup(DSA *dsa, BN_C
+ 
+ if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
+ BN_set_flags(&k, BN_FLG_CONSTTIME);
++ BN_set_flags(&l, BN_FLG_CONSTTIME);
+ }
+ 
+-
+ if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
+ if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
+ CRYPTO_LOCK_DSA, dsa->p, ctx))
diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0734-pre1.patch openssl-1.0.2g/debian/patches/CVE-2018-0734-pre1.patch
--- openssl-1.0.2g/debian/patches/CVE-2018-0734-pre1.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2018-0734-pre1.patch 2018-12-04 13:37:41.000000000 +0000
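Review bot: The hunk flags `&l` with `BN_FLG_CONSTTIME` but leaves `&m` unflagged, although both are computed from the secret k and either may be the one copied into `kq` by the `BN_copy(&kq, BN_num_bits(&l) > q_bits ? &l : &m)` selection that CVE-2018-0734-pre1.patch adds further down in the same function; neither the subject line nor a comment says which operation consumes the flag on `l`. If the flag is meant to reach whatever processes the selected sum, `BN_set_flags(&m, BN_FLG_CONSTTIME);` belongs next to the new line; if `l` alone needs it, a one-line comment such as `/* l feeds a flag-sensitive operation; m does not */` would stop the next reader from "fixing" the asymmetry. The enclosing dsa_sign_setup starts and ends outside this hunk.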
@@ -0,0 +1,118 @@ +From b96bebacfe814deb99fb64a3ed2296d95c573600 Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Wed, 1 Nov 2017 06:58:13 +1000 +Subject: [PATCH] Address a timing side channel whereby it is possible to + determine some + +information about the length of a value used in DSA operations from +a large number of signatures. + +This doesn't rate as a CVE because: + +* For the non-constant time code, there are easier ways to extract + more information. + +* For the constant time code, it requires a significant number of signatures + to leak a small amount of information. + +Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for +reporting this issue. + +Original commit by Paul Dale. Backported to 1.0.2 by Matt Caswell + +Reviewed-by: Andy Polyakov +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/4642) +--- + crypto/dsa/dsa_ossl.c | 42 +++++++++++++++++++++++++++--------------- + 1 file changed, 27 insertions(+), 15 deletions(-) + +diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c +index 58013a4..aa10dd1 100644 +--- a/crypto/dsa/dsa_ossl.c ++++ b/crypto/dsa/dsa_ossl.c +@@ -224,7 +224,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, + { + BN_CTX *ctx; + BIGNUM k, kq, *K, *kinv = NULL, *r = NULL; ++ BIGNUM l, m; + int ret = 0; ++ int q_bits; + + if (!dsa->p || !dsa->q || !dsa->g) { + DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS); +@@ -233,6 +235,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, + + BN_init(&k); + BN_init(&kq); ++ BN_init(&l); ++ BN_init(&m); + + if (ctx_in == NULL) { + if ((ctx = BN_CTX_new()) == NULL) +@@ -243,6 +247,13 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, + if ((r = BN_new()) == NULL) + goto err; + ++ /* Preallocate space */ ++ q_bits = BN_num_bits(dsa->q); ++ if (!BN_set_bit(&k, q_bits) ++ || !BN_set_bit(&l, q_bits) ++ || !BN_set_bit(&m, q_bits)) ++ goto err; ++ + /* Get random k */ + do + if 
(!BN_rand_range(&k, dsa->q)) +@@ -263,24 +274,23 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, + /* Compute r = (g^k mod p) mod q */ + + if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { +- if (!BN_copy(&kq, &k)) +- goto err; +- +- BN_set_flags(&kq, BN_FLG_CONSTTIME); +- + /* + * We do not want timing information to leak the length of k, so we +- * compute g^k using an equivalent exponent of fixed length. (This +- * is a kludge that we need because the BN_mod_exp_mont() does not +- * let us specify the desired timing behaviour.) ++ * compute G^k using an equivalent scalar of fixed bit-length. ++ * ++ * We unconditionally perform both of these additions to prevent a ++ * small timing information leakage. We then choose the sum that is ++ * one bit longer than the modulus. ++ * ++ * TODO: revisit the BN_copy aiming for a memory access agnostic ++ * conditional copy. + */ +- +- if (!BN_add(&kq, &kq, dsa->q)) ++ if (!BN_add(&l, &k, dsa->q) ++ || !BN_add(&m, &l, dsa->q) ++ || !BN_copy(&kq, BN_num_bits(&l) > q_bits ? &l : &m)) + goto err; +- if (BN_num_bits(&kq) <= BN_num_bits(dsa->q)) { +- if (!BN_add(&kq, &kq, dsa->q)) +- goto err; +- } ++ ++ BN_set_flags(&kq, BN_FLG_CONSTTIME); + + K = &kq; + } else { +@@ -314,7 +324,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, + BN_CTX_free(ctx); + BN_clear_free(&k); + BN_clear_free(&kq); +- return (ret); ++ BN_clear_free(&l); ++ BN_clear_free(&m); ++ return ret; + } + + static int dsa_do_verify(const unsigned char *dgst, int dgst_len, +-- +2.7.4 + diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0737-1.patch openssl-1.0.2g/debian/patches/CVE-2018-0737-1.patch --- openssl-1.0.2g/debian/patches/CVE-2018-0737-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2018-0737-1.patch 2018-06-20 11:38:07.000000000 +0000 
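Review bot: The selection `BN_num_bits(&l) > q_bits ? &l : &m` in the new code rests on an invariant that is not written down: `k` comes from `BN_rand_range(&k, dsa->q)`, so `k < q`, hence `l = k + q < 2q` has either q_bits or q_bits + 1 bits, and when it has only q_bits then `m = l + q` lies in `[2q, 2^(q_bits+1))` and has exactly q_bits + 1 bits. I would extend the comment above the `BN_add` chain with `Because k < q, exactly one of l = k + q and m = k + 2q is one bit longer than q, so the value copied into kq always has q_bits + 1 bits.` so the "one bit longer than the modulus" claim can be checked without re-deriving it. dsa_sign_setup starts before and ends after the shown hunk fragments.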
@@ -0,0 +1,81 @@ +Backport of: + +From 0b199a883e9170cdfe8e61c150bbaf8d8951f3e7 Mon Sep 17 00:00:00 2001 +From: Samuel Weiser +Date: Tue, 5 Dec 2017 15:55:17 +0100 +Subject: [PATCH] Replaced variable-time GCD with consttime inversion to avoid + side-channel attacks on RSA key generation + +Reviewed-by: Rich Salz +Reviewed-by: Kurt Roeckx +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/5170) + +(cherry picked from commit 9db724cfede4ba7a3668bff533973ee70145ec07) +--- + crypto/rsa/rsa_gen.c | 30 ++++++++++++++++++++++++------ + 1 file changed, 24 insertions(+), 6 deletions(-) + +Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2018-06-20 07:30:18.121523563 -0400 ++++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2018-06-20 07:30:18.117523561 -0400 +@@ -109,6 +109,7 @@ static int rsa_builtin_keygen(RSA *rsa, + BIGNUM *pr0, *d, *p; + int bitsp, bitsq, ok = -1, n = 0; + BN_CTX *ctx = NULL; ++ unsigned long error = 0; + + ctx = BN_CTX_new(); + if (ctx == NULL) +@@ -144,16 +145,25 @@ static int rsa_builtin_keygen(RSA *rsa, + + BN_copy(rsa->e, e_value); + ++ BN_set_flags(rsa->e, BN_FLG_CONSTTIME); + /* generate p and q */ + for (;;) { + if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb)) + goto err; + if (!BN_sub(r2, rsa->p, BN_value_one())) + goto err; +- if (!BN_gcd(r1, r2, rsa->e, ctx)) +- goto err; +- if (BN_is_one(r1)) ++ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) { ++ /* GCD == 1 since inverse exists */ + break; ++ } ++ error = ERR_peek_last_error(); ++ if (ERR_GET_LIB(error) == ERR_LIB_BN ++ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) { ++ /* GCD != 1 */ ++ ERR_clear_error(); ++ } else { ++ goto err; ++ } + if (!BN_GENCB_call(cb, 2, n++)) + goto err; + } +@@ -177,10 +187,18 @@ static int rsa_builtin_keygen(RSA *rsa, + } + if (!BN_sub(r2, rsa->q, BN_value_one())) + goto err; +- if (!BN_gcd(r1, r2, rsa->e, ctx)) +- goto 
err; +- if (BN_is_one(r1)) ++ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) { ++ /* GCD == 1 since inverse exists */ + break; ++ } ++ error = ERR_peek_last_error(); ++ if (ERR_GET_LIB(error) == ERR_LIB_BN ++ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) { ++ /* GCD != 1 */ ++ ERR_clear_error(); ++ } else { ++ goto err; ++ } + if (!BN_GENCB_call(cb, 2, n++)) + goto err; + } diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0737-2.patch openssl-1.0.2g/debian/patches/CVE-2018-0737-2.patch --- openssl-1.0.2g/debian/patches/CVE-2018-0737-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2018-0737-2.patch 2018-06-20 11:38:11.000000000 +0000 
@@ -0,0 +1,55 @@
+Backport of:
+
+From 64eb614ccc7ccf30cc412b736f509f1d82bbf897 Mon Sep 17 00:00:00 2001
+From: Samuel Weiser
+Date: Wed, 31 Jan 2018 13:10:55 +0100
+Subject: [PATCH] used ERR set/pop mark
+
+Reviewed-by: Rich Salz
+Reviewed-by: Kurt Roeckx
+Reviewed-by: Matt Caswell
+(Merged from https://github.com/openssl/openssl/pull/5170)
+
+(cherry picked from commit 011f82e66f4bf131c733fd41a8390039859aafb2)
+---
+ crypto/rsa/rsa_gen.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c
+===================================================================
+--- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2018-06-20 07:31:12.537565425 -0400
++++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2018-06-20 07:31:12.529565420 -0400
+@@ -152,6 +152,7 @@ static int rsa_builtin_keygen(RSA *rsa,
+ goto err;
+ if (!BN_sub(r2, rsa->p, BN_value_one()))
+ goto err;
++ ERR_set_mark();
+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+ /* GCD == 1 since inverse exists */
+ break;
+@@ -160,7 +161,7 @@ static int rsa_builtin_keygen(RSA *rsa,
+ if (ERR_GET_LIB(error) == ERR_LIB_BN
+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+ /* GCD != 1 */
+- ERR_clear_error();
++ ERR_pop_to_mark();
+ } else {
+ goto err;
+ }
+@@ -187,6 +188,7 @@ static int rsa_builtin_keygen(RSA *rsa,
+ }
+ if (!BN_sub(r2, rsa->q, BN_value_one()))
+ goto err;
++ ERR_set_mark();
+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+ /* GCD == 1 since inverse exists */
+ break;
+@@ -195,7 +197,7 @@ static int rsa_builtin_keygen(RSA *rsa,
+ if (ERR_GET_LIB(error) == ERR_LIB_BN
+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+ /* GCD != 1 */
+- ERR_clear_error();
++ ERR_pop_to_mark();
+ } else {
+ goto err;
+ }
diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0737-3.patch openssl-1.0.2g/debian/patches/CVE-2018-0737-3.patch
--- openssl-1.0.2g/debian/patches/CVE-2018-0737-3.patch 1970-01-01 00:00:00.000000000 +0000
+++ 
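Review bot: `ERR_set_mark()` is paired with `ERR_pop_to_mark()` only on the BN_R_NO_INVERSE branch; on the `break` path (inverse found) and on `goto err` the mark is never consumed, in both the p loop and the q loop of this hunk. As far as I can tell, in this release line ERR_set_mark flags the newest entry already on the queue rather than pushing a sentinel, so a mark left behind on a pre-existing, unrelated error can make a later ERR_pop_to_mark somewhere else stop early. If that reading holds, calling `ERR_pop_to_mark();` just before the `break` as well (with no new errors queued it only clears the flag) closes the gap; otherwise a comment such as `/* mark is consumed only on the no-inverse path; nothing outside this loop relies on ERR_pop_to_mark */` should record why that is safe. rsa_builtin_keygen starts and ends outside the hunk.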
openssl-1.0.2g/debian/patches/CVE-2018-0737-3.patch 2018-06-20 11:38:15.000000000 +0000
@@ -0,0 +1,30 @@
+Backport of:
+
+From 0d6710289307d277ebc3354105c965b6e8ba8eb0 Mon Sep 17 00:00:00 2001
+From: Samuel Weiser
+Date: Fri, 9 Feb 2018 14:11:47 +0100
+Subject: [PATCH] consttime flag changed
+
+Reviewed-by: Rich Salz
+Reviewed-by: Kurt Roeckx
+Reviewed-by: Matt Caswell
+(Merged from https://github.com/openssl/openssl/pull/5170)
+
+(cherry picked from commit 7150a4720af7913cae16f2e4eaf768b578c0b298)
+---
+ crypto/rsa/rsa_gen.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c
+===================================================================
+--- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2018-06-20 07:31:18.793570241 -0400
++++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2018-06-20 07:31:18.785570235 -0400
+@@ -145,7 +145,7 @@ static int rsa_builtin_keygen(RSA *rsa,
+
+ BN_copy(rsa->e, e_value);
+
+- BN_set_flags(rsa->e, BN_FLG_CONSTTIME);
++ BN_set_flags(r2, BN_FLG_CONSTTIME);
+ /* generate p and q */
+ for (;;) {
+ if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0737-4.patch openssl-1.0.2g/debian/patches/CVE-2018-0737-4.patch
--- openssl-1.0.2g/debian/patches/CVE-2018-0737-4.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2018-0737-4.patch 2018-06-20 11:38:18.000000000 +0000
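Review bot: The new line moves the constant-time flag from the public exponent `rsa->e` to `r2`, but nothing in the code says why: `r2` holds the secret `p - 1` / `q - 1` that `BN_mod_inverse(r1, r2, rsa->e, ctx)` operates on, and, if I read 1.0.2's BN_mod_inverse correctly, it takes its constant-time path when either operand carries the flag, so the flag belongs on the secret operand. The same applies to the -4 hunk that follows (`BN_set_flags(rsa->p, …)` and `BN_set_flags(rsa->q, …)`), whose rationale lives only in its commit message. I would put one comment above the three flag lines: `/* p, q and r2 (p-1, q-1) are secret: flag them so BN_mod_inverse and BN_mod_exp_mont take their constant-time paths; e is public */`. The flags are also set before BN_generate_prime_ex fills rsa->p and rsa->q, which presumes the generator preserves BN flags on its output — worth confirming in the same comment. rsa_builtin_keygen starts and ends outside the hunk.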
@@ -0,0 +1,30 @@
+Backport of:
+
+From 349a41da1ad88ad87825414752a8ff5fdd6a6c3f Mon Sep 17 00:00:00 2001
+From: Billy Brumley
+Date: Wed, 11 Apr 2018 10:10:58 +0300
+Subject: [PATCH] RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont
+ both get called with BN_FLG_CONSTTIME flag set.
+
+CVE-2018-0737
+
+Reviewed-by: Rich Salz
+Reviewed-by: Matt Caswell
+(cherry picked from commit 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787)
+---
+ crypto/rsa/rsa_gen.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c
+===================================================================
+--- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2018-06-20 07:31:24.941574975 -0400
++++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2018-06-20 07:31:24.933574969 -0400
+@@ -145,6 +145,8 @@ static int rsa_builtin_keygen(RSA *rsa,
+
+ BN_copy(rsa->e, e_value);
+
++ BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
++ BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
+ BN_set_flags(r2, BN_FLG_CONSTTIME);
+ /* generate p and q */
+ for (;;) {
diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-0739.patch openssl-1.0.2g/debian/patches/CVE-2018-0739.patch
--- openssl-1.0.2g/debian/patches/CVE-2018-0739.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2018-0739.patch 2018-03-27 18:18:29.000000000 +0000
@@ -0,0 +1,232 @@ +From 9310d45087ae546e27e61ddf8f6367f29848220d Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Thu, 22 Mar 2018 10:05:40 +0000 +Subject: [PATCH] Limit ASN.1 constructed types recursive definition depth + +Constructed types with a recursive definition (such as can be found in +PKCS7) could eventually exceed the stack given malicious input with +excessive recursion. Therefore we limit the stack depth. + +CVE-2018-0739 + +Credit to OSSFuzz for finding this issue. + +Reviewed-by: Rich Salz +--- + crypto/asn1/asn1.h | 1 + + crypto/asn1/asn1_err.c | 3 ++- + crypto/asn1/tasn_dec.c | 62 +++++++++++++++++++++++++++++++++----------------- + 3 files changed, 44 insertions(+), 22 deletions(-) + +Index: openssl-1.0.2g/crypto/asn1/asn1.h +=================================================================== +--- openssl-1.0.2g.orig/crypto/asn1/asn1.h 2018-03-27 14:17:12.462114719 -0400 ++++ openssl-1.0.2g/crypto/asn1/asn1.h 2018-03-27 14:17:12.458114714 -0400 +@@ -1373,6 +1373,7 @@ void ERR_load_ASN1_strings(void); + # define ASN1_R_MSTRING_NOT_UNIVERSAL 139 + # define ASN1_R_MSTRING_WRONG_TAG 140 + # define ASN1_R_NESTED_ASN1_STRING 197 ++# define ASN1_R_NESTED_TOO_DEEP 219 + # define ASN1_R_NON_HEX_CHARACTERS 141 + # define ASN1_R_NOT_ASCII_FORMAT 190 + # define ASN1_R_NOT_ENOUGH_DATA 142 +Index: openssl-1.0.2g/crypto/asn1/asn1_err.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/asn1/asn1_err.c 2018-03-27 14:17:12.462114719 -0400 ++++ openssl-1.0.2g/crypto/asn1/asn1_err.c 2018-03-27 14:17:12.458114714 -0400 +@@ -1,6 +1,6 @@ + /* crypto/asn1/asn1_err.c */ + /* ==================================================================== +- * Copyright (c) 1999-2014 The OpenSSL Project. All rights reserved. ++ * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved. 
+ * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -279,6 +279,7 @@ static ERR_STRING_DATA ASN1_str_reasons[ + {ERR_REASON(ASN1_R_MSTRING_NOT_UNIVERSAL), "mstring not universal"}, + {ERR_REASON(ASN1_R_MSTRING_WRONG_TAG), "mstring wrong tag"}, + {ERR_REASON(ASN1_R_NESTED_ASN1_STRING), "nested asn1 string"}, ++ {ERR_REASON(ASN1_R_NESTED_TOO_DEEP), "nested too deep"}, + {ERR_REASON(ASN1_R_NON_HEX_CHARACTERS), "non hex characters"}, + {ERR_REASON(ASN1_R_NOT_ASCII_FORMAT), "not ascii format"}, + {ERR_REASON(ASN1_R_NOT_ENOUGH_DATA), "not enough data"}, +Index: openssl-1.0.2g/crypto/asn1/tasn_dec.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/asn1/tasn_dec.c 2018-03-27 14:17:12.462114719 -0400 ++++ openssl-1.0.2g/crypto/asn1/tasn_dec.c 2018-03-27 14:17:12.458114714 -0400 +@@ -65,6 +65,14 @@ + #include + #include + ++/* ++ * Constructed types with a recursive definition (such as can be found in PKCS7) ++ * could eventually exceed the stack given malicious input with excessive ++ * recursion. Therefore we limit the stack depth. This is the maximum number of ++ * recursive invocations of asn1_item_embed_d2i(). 
++ */ ++#define ASN1_MAX_CONSTRUCTED_NEST 30 ++ + static int asn1_check_eoc(const unsigned char **in, long len); + static int asn1_find_end(const unsigned char **in, long len, char inf); + +@@ -81,11 +89,11 @@ static int asn1_check_tlen(long *olen, i + static int asn1_template_ex_d2i(ASN1_VALUE **pval, + const unsigned char **in, long len, + const ASN1_TEMPLATE *tt, char opt, +- ASN1_TLC *ctx); ++ ASN1_TLC *ctx, int depth); + static int asn1_template_noexp_d2i(ASN1_VALUE **val, + const unsigned char **in, long len, + const ASN1_TEMPLATE *tt, char opt, +- ASN1_TLC *ctx); ++ ASN1_TLC *ctx, int depth); + static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, + const unsigned char **in, long len, + const ASN1_ITEM *it, +@@ -154,17 +162,16 @@ int ASN1_template_d2i(ASN1_VALUE **pval, + { + ASN1_TLC c; + asn1_tlc_clear_nc(&c); +- return asn1_template_ex_d2i(pval, in, len, tt, 0, &c); ++ return asn1_template_ex_d2i(pval, in, len, tt, 0, &c, 0); + } + + /* + * Decode an item, taking care of IMPLICIT tagging, if any. 
If 'opt' set and + * tag mismatch return -1 to handle OPTIONAL + */ +- +-int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, +- const ASN1_ITEM *it, +- int tag, int aclass, char opt, ASN1_TLC *ctx) ++static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, ++ long len, const ASN1_ITEM *it, int tag, int aclass, ++ char opt, ASN1_TLC *ctx, int depth) + { + const ASN1_TEMPLATE *tt, *errtt = NULL; + const ASN1_COMPAT_FUNCS *cf; +@@ -189,6 +196,11 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, + else + asn1_cb = 0; + ++ if (++depth > ASN1_MAX_CONSTRUCTED_NEST) { ++ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_NESTED_TOO_DEEP); ++ goto err; ++ } ++ + switch (it->itype) { + case ASN1_ITYPE_PRIMITIVE: + if (it->templates) { +@@ -204,7 +216,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, + goto err; + } + return asn1_template_ex_d2i(pval, in, len, +- it->templates, opt, ctx); ++ it->templates, opt, ctx, depth); + } + return asn1_d2i_ex_primitive(pval, in, len, it, + tag, aclass, opt, ctx); +@@ -326,7 +338,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, + /* + * We mark field as OPTIONAL so its absence can be recognised. 
+ */ +- ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx); ++ ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx, depth); + /* If field not present, try the next one */ + if (ret == -1) + continue; +@@ -442,7 +454,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, + * attempt to read in field, allowing each to be OPTIONAL + */ + +- ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx); ++ ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx, ++ depth); + if (!ret) { + errtt = seqtt; + goto err; +@@ -512,6 +525,13 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, + return 0; + } + ++int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, ++ const ASN1_ITEM *it, ++ int tag, int aclass, char opt, ASN1_TLC *ctx) ++{ ++ return asn1_item_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx, 0); ++} ++ + /* + * Templates are handled with two separate functions. One handles any + * EXPLICIT tag and the other handles the rest. +@@ -520,7 +540,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, + static int asn1_template_ex_d2i(ASN1_VALUE **val, + const unsigned char **in, long inlen, + const ASN1_TEMPLATE *tt, char opt, +- ASN1_TLC *ctx) ++ ASN1_TLC *ctx, int depth) + { + int flags, aclass; + int ret; +@@ -555,7 +575,7 @@ static int asn1_template_ex_d2i(ASN1_VAL + return 0; + } + /* We've found the field so it can't be OPTIONAL now */ +- ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx); ++ ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx, depth); + if (!ret) { + ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR); + return 0; +@@ -579,7 +599,7 @@ static int asn1_template_ex_d2i(ASN1_VAL + } + } + } else +- return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx); ++ return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx, depth); + + *in = p; + return 1; +@@ -592,7 +612,7 @@ static int asn1_template_ex_d2i(ASN1_VAL + static int asn1_template_noexp_d2i(ASN1_VALUE **val, + const unsigned char **in, long len, + const 
ASN1_TEMPLATE *tt, char opt, +- ASN1_TLC *ctx) ++ ASN1_TLC *ctx, int depth) + { + int flags, aclass; + int ret; +@@ -663,8 +683,8 @@ static int asn1_template_noexp_d2i(ASN1_ + break; + } + skfield = NULL; +- if (!ASN1_item_ex_d2i(&skfield, &p, len, +- ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx)) { ++ if (!asn1_item_ex_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item), ++ -1, 0, 0, ctx, depth)) { + ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, + ERR_R_NESTED_ASN1_ERROR); + goto err; +@@ -681,9 +701,8 @@ static int asn1_template_noexp_d2i(ASN1_ + } + } else if (flags & ASN1_TFLG_IMPTAG) { + /* IMPLICIT tagging */ +- ret = ASN1_item_ex_d2i(val, &p, len, +- ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt, +- ctx); ++ ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag, ++ aclass, opt, ctx, depth); + if (!ret) { + ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); + goto err; +@@ -691,8 +710,9 @@ static int asn1_template_noexp_d2i(ASN1_ + return -1; + } else { + /* Nothing special */ +- ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), +- -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx); ++ ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), ++ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx, ++ depth); + if (!ret) { + ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); + goto err; diff -Nru openssl-1.0.2g/debian/patches/CVE-2018-5407.patch openssl-1.0.2g/debian/patches/CVE-2018-5407.patch --- openssl-1.0.2g/debian/patches/CVE-2018-5407.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2018-5407.patch 2018-12-04 14:32:11.000000000 +0000 
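Review bot: The new `ASN1_MAX_CONSTRUCTED_NEST` comment says the limit caps recursive invocations of asn1_item_embed_d2i(), but in this backport the counted function is the new static `asn1_item_ex_d2i` (the `++depth > ASN1_MAX_CONSTRUCTED_NEST` check sits there), and the public `ASN1_item_ex_d2i` wrapper added in the same hunk restarts every caller at depth 0, so any decode path that re-enters through the public entry point rather than through the depth-carrying static one begins a fresh budget. That is presumably fine for the stack-exhaustion goal, but the comment should name the right function and state the scope: `This is the maximum number of nested invocations of the static asn1_item_ex_d2i(); the public ASN1_item_ex_d2i() wrapper resets the count, so the bound is per public entry, not global.` The ASN1_ITYPE_COMPAT and callback paths of asn1_item_ex_d2i are outside the shown hunk fragments, so I cannot tell from here whether any of them re-enters that way.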
@@ -0,0 +1,342 @@ +Backport of: + +From b18162a7c9bbfb57112459a4d6631fa258fd8c0c Mon Sep 17 00:00:00 2001 +From: Billy Brumley +Date: Thu, 8 Nov 2018 13:57:54 +0200 +Subject: [PATCH] CVE-2018-5407 fix: ECC ladder + +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale +Reviewed-by: Nicola Tuveri +(Merged from https://github.com/openssl/openssl/pull/7593) +--- + CHANGES | 13 +++ + crypto/bn/bn_lib.c | 32 +++++++ + crypto/ec/ec_mult.c | 246 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 291 insertions(+) + +#diff --git a/CHANGES b/CHANGES +#index b574074..fde66b5 100644 +#--- a/CHANGES +#+++ b/CHANGES +#@@ -9,6 +9,19 @@ +# +# Changes between 1.0.2p and 1.0.2q [xx XXX xxxx] +# +#+ *) Microarchitecture timing vulnerability in ECC scalar multiplication +#+ +#+ OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been +#+ shown to be vulnerable to a microarchitecture timing side channel attack. +#+ An attacker with sufficient access to mount local timing attacks during +#+ ECDSA signature generation could recover the private key. +#+ +#+ This issue was reported to OpenSSL on 26th October 2018 by Alejandro +#+ Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and +#+ Nicola Tuveri. +#+ (CVE-2018-5407) +#+ [Billy Brumley] +#+ +# *) Resolve a compatibility issue in EC_GROUP handling with the FIPS Object +# Module, accidentally introduced while backporting security fixes from the +# development branch and hindering the use of ECC in FIPS mode. 
+Index: openssl-1.0.2g/crypto/bn/bn_lib.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/bn/bn_lib.c 2018-12-04 09:29:25.320463460 -0500 ++++ openssl-1.0.2g/crypto/bn/bn_lib.c 2018-12-04 09:30:33.432686833 -0500 +@@ -879,6 +879,32 @@ void BN_consttime_swap(BN_ULONG conditio + a->top ^= t; + b->top ^= t; + ++ t = (a->neg ^ b->neg) & condition; ++ a->neg ^= t; ++ b->neg ^= t; ++ ++ /*- ++ * BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention ++ * is actually to treat it as it's read-only data, and some (if not most) ++ * of it does reside in read-only segment. In other words observation of ++ * BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal ++ * condition. It would either cause SEGV or effectively cause data ++ * corruption. ++ * ++ * BN_FLG_MALLOCED: refers to BN structure itself, and hence must be ++ * preserved. ++ * ++ * BN_FLG_SECURE: must be preserved, because it determines how x->d was ++ * allocated and hence how to free it. ++ * ++ * BN_FLG_CONSTTIME: sufficient to mask and swap ++ * ++ */ ++ ++ t = ((a->flags ^ b->flags) & BN_FLG_CONSTTIME) & condition; ++ a->flags ^= t; ++ b->flags ^= t; ++ + #define BN_CONSTTIME_SWAP(ind) \ + do { \ + t = (a->d[ind] ^ b->d[ind]) & condition; \ +Index: openssl-1.0.2g/crypto/ec/ec_mult.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/ec/ec_mult.c 2018-12-04 09:29:25.320463460 -0500 ++++ openssl-1.0.2g/crypto/ec/ec_mult.c 2018-12-04 09:29:25.320463460 -0500 +@@ -306,6 +306,224 @@ static signed char *compute_wNAF(const B + return r; + } + ++#define EC_POINT_BN_set_flags(P, flags) do { \ ++ BN_set_flags(&(P)->X, (flags)); \ ++ BN_set_flags(&(P)->Y, (flags)); \ ++ BN_set_flags(&(P)->Z, (flags)); \ ++} while(0) ++ ++/*- ++ * This functions computes (in constant time) a point multiplication over the ++ * EC group. 
++ * ++ * At a high level, it is Montgomery ladder with conditional swaps. ++ * ++ * It performs either a fixed scalar point multiplication ++ * (scalar * generator) ++ * when point is NULL, or a generic scalar point multiplication ++ * (scalar * point) ++ * when point is not NULL. ++ * ++ * scalar should be in the range [0,n) otherwise all constant time bets are off. ++ * ++ * NB: This says nothing about EC_POINT_add and EC_POINT_dbl, ++ * which of course are not constant time themselves. ++ * ++ * The product is stored in r. ++ * ++ * Returns 1 on success, 0 otherwise. ++ */ ++static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, ++ const BIGNUM *scalar, const EC_POINT *point, ++ BN_CTX *ctx) ++{ ++ int i, cardinality_bits, group_top, kbit, pbit, Z_is_one; ++ EC_POINT *s = NULL; ++ BIGNUM *k = NULL; ++ BIGNUM *lambda = NULL; ++ BIGNUM *cardinality = NULL; ++ BN_CTX *new_ctx = NULL; ++ int ret = 0; ++ ++ if (ctx == NULL && (ctx = new_ctx = BN_CTX_new()) == NULL) ++ return 0; ++ ++ BN_CTX_start(ctx); ++ ++ s = EC_POINT_new(group); ++ if (s == NULL) ++ goto err; ++ ++ if (point == NULL) { ++ if (!EC_POINT_copy(s, group->generator)) ++ goto err; ++ } else { ++ if (!EC_POINT_copy(s, point)) ++ goto err; ++ } ++ ++ EC_POINT_BN_set_flags(s, BN_FLG_CONSTTIME); ++ ++ cardinality = BN_CTX_get(ctx); ++ lambda = BN_CTX_get(ctx); ++ k = BN_CTX_get(ctx); ++ if (k == NULL || !BN_mul(cardinality, &group->order, &group->cofactor, ctx)) ++ goto err; ++ ++ /* ++ * Group cardinalities are often on a word boundary. ++ * So when we pad the scalar, some timing diff might ++ * pop if it needs to be expanded due to carries. ++ * So expand ahead of time. 
++ */ ++ cardinality_bits = BN_num_bits(cardinality); ++ group_top = cardinality->top; ++ if ((bn_wexpand(k, group_top + 2) == NULL) ++ || (bn_wexpand(lambda, group_top + 2) == NULL)) ++ goto err; ++ ++ if (!BN_copy(k, scalar)) ++ goto err; ++ ++ BN_set_flags(k, BN_FLG_CONSTTIME); ++ ++ if ((BN_num_bits(k) > cardinality_bits) || (BN_is_negative(k))) { ++ /*- ++ * this is an unusual input, and we don't guarantee ++ * constant-timeness ++ */ ++ if (!BN_nnmod(k, k, cardinality, ctx)) ++ goto err; ++ } ++ ++ if (!BN_add(lambda, k, cardinality)) ++ goto err; ++ BN_set_flags(lambda, BN_FLG_CONSTTIME); ++ if (!BN_add(k, lambda, cardinality)) ++ goto err; ++ /* ++ * lambda := scalar + cardinality ++ * k := scalar + 2*cardinality ++ */ ++ kbit = BN_is_bit_set(lambda, cardinality_bits); ++ BN_consttime_swap(kbit, k, lambda, group_top + 2); ++ ++ group_top = group->field.top; ++ if ((bn_wexpand(&s->X, group_top) == NULL) ++ || (bn_wexpand(&s->Y, group_top) == NULL) ++ || (bn_wexpand(&s->Z, group_top) == NULL) ++ || (bn_wexpand(&r->X, group_top) == NULL) ++ || (bn_wexpand(&r->Y, group_top) == NULL) ++ || (bn_wexpand(&r->Z, group_top) == NULL)) ++ goto err; ++ ++ /* top bit is a 1, in a fixed pos */ ++ if (!EC_POINT_copy(r, s)) ++ goto err; ++ ++ EC_POINT_BN_set_flags(r, BN_FLG_CONSTTIME); ++ ++ if (!EC_POINT_dbl(group, s, s, ctx)) ++ goto err; ++ ++ pbit = 0; ++ ++#define EC_POINT_CSWAP(c, a, b, w, t) do { \ ++ BN_consttime_swap(c, &(a)->X, &(b)->X, w); \ ++ BN_consttime_swap(c, &(a)->Y, &(b)->Y, w); \ ++ BN_consttime_swap(c, &(a)->Z, &(b)->Z, w); \ ++ t = ((a)->Z_is_one ^ (b)->Z_is_one) & (c); \ ++ (a)->Z_is_one ^= (t); \ ++ (b)->Z_is_one ^= (t); \ ++} while(0) ++ ++ /*- ++ * The ladder step, with branches, is ++ * ++ * k[i] == 0: S = add(R, S), R = dbl(R) ++ * k[i] == 1: R = add(S, R), S = dbl(S) ++ * ++ * Swapping R, S conditionally on k[i] leaves you with state ++ * ++ * k[i] == 0: T, U = R, S ++ * k[i] == 1: T, U = S, R ++ * ++ * Then perform the ECC ops. 
++ * ++ * U = add(T, U) ++ * T = dbl(T) ++ * ++ * Which leaves you with state ++ * ++ * k[i] == 0: U = add(R, S), T = dbl(R) ++ * k[i] == 1: U = add(S, R), T = dbl(S) ++ * ++ * Swapping T, U conditionally on k[i] leaves you with state ++ * ++ * k[i] == 0: R, S = T, U ++ * k[i] == 1: R, S = U, T ++ * ++ * Which leaves you with state ++ * ++ * k[i] == 0: S = add(R, S), R = dbl(R) ++ * k[i] == 1: R = add(S, R), S = dbl(S) ++ * ++ * So we get the same logic, but instead of a branch it's a ++ * conditional swap, followed by ECC ops, then another conditional swap. ++ * ++ * Optimization: The end of iteration i and start of i-1 looks like ++ * ++ * ... ++ * CSWAP(k[i], R, S) ++ * ECC ++ * CSWAP(k[i], R, S) ++ * (next iteration) ++ * CSWAP(k[i-1], R, S) ++ * ECC ++ * CSWAP(k[i-1], R, S) ++ * ... ++ * ++ * So instead of two contiguous swaps, you can merge the condition ++ * bits and do a single swap. ++ * ++ * k[i] k[i-1] Outcome ++ * 0 0 No Swap ++ * 0 1 Swap ++ * 1 0 Swap ++ * 1 1 No Swap ++ * ++ * This is XOR. pbit tracks the previous bit of k. 
++ */ ++ ++ for (i = cardinality_bits - 1; i >= 0; i--) { ++ kbit = BN_is_bit_set(k, i) ^ pbit; ++ EC_POINT_CSWAP(kbit, r, s, group_top, Z_is_one); ++ if (!EC_POINT_add(group, s, r, s, ctx)) ++ goto err; ++ if (!EC_POINT_dbl(group, r, r, ctx)) ++ goto err; ++ /* ++ * pbit logic merges this cswap with that of the ++ * next iteration ++ */ ++ pbit ^= kbit; ++ } ++ /* one final cswap to move the right value into r */ ++ EC_POINT_CSWAP(pbit, r, s, group_top, Z_is_one); ++#undef EC_POINT_CSWAP ++ ++ ret = 1; ++ ++ err: ++ EC_POINT_free(s); ++ BN_CTX_end(ctx); ++ BN_CTX_free(new_ctx); ++ ++ return ret; ++} ++ ++#undef EC_POINT_BN_set_flags ++ + /* + * TODO: table should be optimised for the wNAF-based implementation, + * sometimes smaller windows will give better performance (thus the +@@ -365,6 +583,34 @@ int ec_wNAF_mul(const EC_GROUP *group, E + return EC_POINT_set_to_infinity(group, r); + } + ++ if (!BN_is_zero(&group->order) && !BN_is_zero(&group->cofactor)) { ++ /*- ++ * Handle the common cases where the scalar is secret, enforcing a constant ++ * time scalar multiplication algorithm. ++ */ ++ if ((scalar != NULL) && (num == 0)) { ++ /*- ++ * In this case we want to compute scalar * GeneratorPoint: this ++ * codepath is reached most prominently by (ephemeral) key generation ++ * of EC cryptosystems (i.e. ECDSA keygen and sign setup, ECDH ++ * keygen/first half), where the scalar is always secret. This is why ++ * we ignore if BN_FLG_CONSTTIME is actually set and we always call the ++ * constant time version. ++ */ ++ return ec_mul_consttime(group, r, scalar, NULL, ctx); ++ } ++ if ((scalar == NULL) && (num == 1)) { ++ /*- ++ * In this case we want to compute scalar * GenericPoint: this codepath ++ * is reached most prominently by the second half of ECDH, where the ++ * secret scalar is multiplied by the peer's public point. To protect ++ * the secret scalar, we ignore if BN_FLG_CONSTTIME is actually set and ++ * we always call the constant time version. 
++ */ ++ return ec_mul_consttime(group, r, scalars[0], points[0], ctx); ++ } ++ } ++ + for (i = 0; i < num; i++) { + if (group->meth != points[i]->meth) { + ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS); diff -Nru openssl-1.0.2g/debian/patches/CVE-2019-1547.patch openssl-1.0.2g/debian/patches/CVE-2019-1547.patch --- openssl-1.0.2g/debian/patches/CVE-2019-1547.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2019-1547.patch 2020-05-27 19:17:07.000000000 +0000 
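Review bot: `ec_mul_consttime` depends on `group->order` and `group->cofactor` both being non-zero — `cardinality = order * cofactor` drives `cardinality_bits`, the `BN_nnmod(k, k, cardinality, ctx)` reduction and the ladder's loop bound — yet that precondition is enforced only by the `!BN_is_zero(&group->order) && !BN_is_zero(&group->cofactor)` guard at the ec_wNAF_mul call site and is absent from the function's header comment. I would add to the header: `Requires group->order and group->cofactor to be non-zero; ec_wNAF_mul checks this before calling. A zero cardinality would make the BN_nnmod a division by zero and the ladder run for zero iterations.` A second sentence noting that a group failing the guard is handled by the wNAF code below this branch, which is not constant time, keeps the fallback visible to a reader of the header rather than only to a reader of the call site. ec_wNAF_mul starts and ends outside the shown hunk fragments.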
@@ -0,0 +1,230 @@
+From 21c856b75d81eff61aa63b4f036bb64a85bf6d46 Mon Sep 17 00:00:00 2001
+From: Billy Brumley
+Date: Sat, 7 Sep 2019 10:50:58 +0300
+Subject: [PATCH] [crypto/ec] for ECC parameters with NULL or zero cofactor,
+ compute it
+
+The cofactor argument to EC_GROUP_set_generator is optional, and SCA
+mitigations for ECC currently use it. So the library currently falls
+back to very old SCA-vulnerable code if the cofactor is not present.
+
+This PR allows EC_GROUP_set_generator to compute the cofactor for all
+curves of cryptographic interest. Steering scalar multiplication to more
+SCA-robust code.
+
+This issue affects persisted private keys in explicit parameter form,
+where the (optional) cofactor field is zero or absent.
+
+It also affects curves not built-in to the library, but constructed
+programatically with explicit parameters, then calling
+EC_GROUP_set_generator with a nonsensical value (NULL, zero).
+
+The very old scalar multiplication code is known to be vulnerable to
+local uarch attacks, outside of the OpenSSL threat model. New results
+suggest the code path is also vulnerable to traditional wall clock
+timing attacks.
+
+CVE-2019-1547
+
+Reviewed-by: Nicola Tuveri
+Reviewed-by: Matt Caswell
+(Merged from https://github.com/openssl/openssl/pull/9799)
+---
+ CHANGES | 7 ++++
+ crypto/ec/ec.h | 6 ++-
+ crypto/ec/ec_err.c | 3 +-
+ crypto/ec/ec_lib.c | 102 +++++++++++++++++++++++++++++++++++++++++----
+ 4 files changed, 108 insertions(+), 10 deletions(-)
+
+#diff --git a/CHANGES b/CHANGES
+#index d804f325b4..ee272f2266 100644
+#--- a/CHANGES
+#+++ b/CHANGES
+#@@ -9,6 +9,13 @@
+#
+# Changes between 1.0.2s and 1.0.2t [xx XXX xxxx]
+#
+#+ *) Compute ECC cofactors if not provided during EC_GROUP construction. Before
+#+ this change, EC_GROUP_set_generator would accept order and/or cofactor as
+#+ NULL. After this change, only the cofactor parameter can be NULL. It also
+#+ does some minimal sanity checks on the passed order.
+#+ (CVE-2019-1547)
+#+ [Billy Bob Brumley]
+#+
+# *) Document issue with installation paths in diverse Windows builds
+#
+# '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL
+--- a/crypto/ec/ec.h
++++ b/crypto/ec/ec.h
+@@ -1073,6 +1073,7 @@ int EC_KEY_print_fp(FILE *fp, const EC_K
+ * The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
++
+ void ERR_load_EC_strings(void);
+
+ /* Error codes for the EC functions. */
+@@ -1270,13 +1271,14 @@ void ERR_load_EC_strings(void);
+ # define EC_R_SLOT_FULL 108
+ # define EC_R_UNDEFINED_GENERATOR 113
+ # define EC_R_UNDEFINED_ORDER 128
++# define EC_R_UNKNOWN_COFACTOR 152
+ # define EC_R_UNKNOWN_GROUP 129
+ # define EC_R_UNKNOWN_ORDER 114
+ # define EC_R_UNSUPPORTED_FIELD 131
+ # define EC_R_WRONG_CURVE_PARAMETERS 145
+ # define EC_R_WRONG_ORDER 130
+
+-#ifdef __cplusplus
++# ifdef __cplusplus
+ }
+-#endif
++# endif
+ #endif
+--- a/crypto/ec/ec_err.c
++++ b/crypto/ec/ec_err.c
+@@ -1,6 +1,6 @@
+ /* crypto/ec/ec_err.c */
+ /* ====================================================================
+- * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved.
++ * Copyright (c) 1999-2019 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+@@ -310,6 +310,7 @@ static ERR_STRING_DATA EC_str_reasons[]
+ {ERR_REASON(EC_R_SLOT_FULL), "slot full"},
+ {ERR_REASON(EC_R_UNDEFINED_GENERATOR), "undefined generator"},
+ {ERR_REASON(EC_R_UNDEFINED_ORDER), "undefined order"},
++ {ERR_REASON(EC_R_UNKNOWN_COFACTOR), "unknown cofactor"},
+ {ERR_REASON(EC_R_UNKNOWN_GROUP), "unknown group"},
+ {ERR_REASON(EC_R_UNKNOWN_ORDER), "unknown order"},
+ {ERR_REASON(EC_R_UNSUPPORTED_FIELD), "unsupported field"},
+--- a/crypto/ec/ec_lib.c
++++ b/crypto/ec/ec_lib.c
+@@ -290,6 +290,67 @@ int EC_METHOD_get_field_type(const EC_ME
+ return meth->field_type;
+ }
+
++/*-
++ * Try computing cofactor from the generator order (n) and field cardinality (q).
++ * This works for all curves of cryptographic interest.
++ *
++ * Hasse thm: q + 1 - 2*sqrt(q) <= n*h <= q + 1 + 2*sqrt(q)
++ * h_min = (q + 1 - 2*sqrt(q))/n
++ * h_max = (q + 1 + 2*sqrt(q))/n
++ * h_max - h_min = 4*sqrt(q)/n
++ * So if n > 4*sqrt(q) holds, there is only one possible value for h:
++ * h = \lfloor (h_min + h_max)/2 \rceil = \lfloor (q + 1)/n \rceil
++ *
++ * Otherwise, zero cofactor and return success.
++ */
++static int ec_guess_cofactor(EC_GROUP *group) {
++ int ret = 0;
++ BN_CTX *ctx = NULL;
++ BIGNUM *q = NULL;
++
++ /*-
++ * If the cofactor is too large, we cannot guess it.
++ * The RHS of below is a strict overestimate of lg(4 * sqrt(q))
++ */
++ if (BN_num_bits(&group->order) <= (BN_num_bits(&group->field) + 1) / 2 + 3) {
++ /* default to 0 */
++ BN_zero(&group->cofactor);
++ /* return success */
++ return 1;
++ }
++
++ if ((ctx = BN_CTX_new()) == NULL)
++ return 0;
++
++ BN_CTX_start(ctx);
++ if ((q = BN_CTX_get(ctx)) == NULL)
++ goto err;
++
++ /* set q = 2**m for binary fields; q = p otherwise */
++ if (group->meth->field_type == NID_X9_62_characteristic_two_field) {
++ BN_zero(q);
++ if (!BN_set_bit(q, BN_num_bits(&group->field) - 1))
++ goto err;
++ } else {
++ if (!BN_copy(q, &group->field))
++ goto err;
++ }
++
++ /* compute h = \lfloor (q + 1)/n \rceil = \lfloor (q + 1 + n/2)/n \rfloor */
++ if (!BN_rshift1(&group->cofactor, &group->order) /* n/2 */
++ || !BN_add(&group->cofactor, &group->cofactor, q) /* q + n/2 */
++ /* q + 1 + n/2 */
++ || !BN_add(&group->cofactor, &group->cofactor, BN_value_one())
++ /* (q + 1 + n/2)/n */
++ || !BN_div(&group->cofactor, NULL, &group->cofactor, &group->order, ctx))
++ goto err;
++ ret = 1;
++ err:
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++ return ret;
++}
++
+ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
+ const BIGNUM *order, const BIGNUM *cofactor)
+ {
+@@ -298,6 +359,33 @@ int EC_GROUP_set_generator(EC_GROUP *gro
+ return 0;
+ }
+
++ /* require group->field >= 1 */
++ if (BN_is_zero(&group->field) || BN_is_negative(&group->field)) {
++ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_FIELD);
++ return 0;
++ }
++
++ /*-
++ * - require order >= 1
++ * - enforce upper bound due to Hasse thm: order can be no more than one bit
++ * longer than field cardinality
++ */
++ if (order == NULL || BN_is_zero(order) || BN_is_negative(order)
++ || BN_num_bits(order) > BN_num_bits(&group->field) + 1) {
++ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_GROUP_ORDER);
++ return 0;
++ }
++
++ /*-
++ * Unfortunately the cofactor is an optional field in many standards.
++ * Internally, the lib uses 0 cofactor as a marker for "unknown cofactor".
++ * So accept cofactor == NULL or cofactor >= 0.
++ */
++ if (cofactor != NULL && BN_is_negative(cofactor)) {
++ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_UNKNOWN_COFACTOR);
++ return 0;
++ }
++
+ if (group->generator == NULL) {
+ group->generator = EC_POINT_new(group);
+ if (group->generator == NULL)
+@@ -306,17 +394,17 @@ int EC_GROUP_set_generator(EC_GROUP *gro
+ if (!EC_POINT_copy(group->generator, generator))
+ return 0;
+
+- if (order != NULL) {
+- if (!BN_copy(&group->order, order))
+- return 0;
+- } else
+- BN_zero(&group->order);
++ if (!BN_copy(&group->order, order))
++ return 0;
+
+- if (cofactor != NULL) {
++ /* Either take the provided positive cofactor, or try to compute it */
++ if (cofactor != NULL && !BN_is_zero(cofactor)) {
+ if (!BN_copy(&group->cofactor, cofactor))
+ return 0;
+- } else
++ } else if (!ec_guess_cofactor(group)) {
+ BN_zero(&group->cofactor);
++ return 0;
++ }
+
+ /*
+ * We ignore the return value because some groups have an order with
diff -Nru openssl-1.0.2g/debian/patches/CVE-2019-1551.patch openssl-1.0.2g/debian/patches/CVE-2019-1551.patch
--- openssl-1.0.2g/debian/patches/CVE-2019-1551.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2019-1551.patch 2020-05-27 19:17:36.000000000 +0000
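Review bot: The early return in `ec_guess_cofactor` (`BN_zero(&group->cofactor); return 1;` in the ec_lib.c hunk) leaves the group with the "unknown cofactor" marker, and the `ec_wNAF_mul` gate in the preceding patch on this page (`!BN_is_zero(&group->cofactor)`) then keeps such a group on the non-constant-time path; the `/* default to 0 */` comment does not say so. Suggest `/* 0 means "unknown cofactor": ec_wNAF_mul() will not steer this group to ec_mul_consttime() */` in its place, so the security consequence of the heuristic's limit is visible where it is decided. Style: `static int ec_guess_cofactor(EC_GROUP *group) {` puts the brace on the signature line while the surrounding file (`int EC_GROUP_set_generator(...)` / `{`) keeps it on its own line. The body of `EC_GROUP_set_generator` continues past the hunk.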
@@ -0,0 +1,766 @@ +From f1c5eea8a817075d31e43f5876993c6710238c98 Mon Sep 17 00:00:00 2001 +From: Andy Polyakov +Date: Wed, 4 Dec 2019 12:48:21 +0100 +Subject: [PATCH] Fix an overflow bug in rsaz_512_sqr + +There is an overflow bug in the x64_64 Montgomery squaring procedure used in +exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis +suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a +result of this defect would be very difficult to perform and are not believed +likely. Attacks against DH512 are considered just feasible. However, for an +attack the target would have to re-use the DH512 private key, which is not +recommended anyway. Also applications directly using the low level API +BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. + +CVE-2019-1551 + +Reviewed-by: Paul Dale +Reviewed-by: Bernd Edlinger +(Merged from https://github.com/openssl/openssl/pull/10576) +--- + crypto/bn/asm/rsaz-x86_64.pl | 399 ++++++++++++++++++----------------- + 1 file changed, 206 insertions(+), 193 deletions(-) + +diff --git a/crypto/bn/asm/rsaz-x86_64.pl b/crypto/bn/asm/rsaz-x86_64.pl +index 87ce2c34d9..e0da6d9ae5 100755 +--- a/crypto/bn/asm/rsaz-x86_64.pl ++++ b/crypto/bn/asm/rsaz-x86_64.pl +@@ -140,7 +140,7 @@ rsaz_512_sqr: # 25-29% faster than rsaz_512_mul + + subq \$128+24, %rsp + .Lsqr_body: +- movq $mod, %rbp # common argument ++ movq $mod, %xmm1 # common off-load + movq ($inp), %rdx + movq 8($inp), %rax + movq $n0, 128(%rsp) +@@ -158,7 +158,8 @@ $code.=<<___; + .Loop_sqr: + movl $times,128+8(%rsp) + #first iteration +- movq %rdx, %rbx ++ movq %rdx, %rbx # 0($inp) ++ mov %rax, %rbp # 8($inp) + mulq %rdx + movq %rax, %r8 + movq 16($inp), %rax +@@ -197,31 +198,29 @@ $code.=<<___; + mulq %rbx + addq %rax, %r14 + movq %rbx, %rax +- movq %rdx, %r15 +- adcq \$0, %r15 ++ adcq \$0, %rdx + +- addq %r8, %r8 #shlq \$1, %r8 +- movq %r9, %rcx +- adcq %r9, %r9 #shld \$1, %r8, %r9 ++ xorq %rcx,%rcx # rcx:r8 = r8 << 1 ++ addq %r8, 
%r8 ++ movq %rdx, %r15 ++ adcq \$0, %rcx + + mulq %rax +- movq %rax, (%rsp) +- addq %rdx, %r8 +- adcq \$0, %r9 ++ addq %r8, %rdx ++ adcq \$0, %rcx + +- movq %r8, 8(%rsp) +- shrq \$63, %rcx ++ movq %rax, (%rsp) ++ movq %rdx, 8(%rsp) + + #second iteration +- movq 8($inp), %r8 + movq 16($inp), %rax +- mulq %r8 ++ mulq %rbp + addq %rax, %r10 + movq 24($inp), %rax + movq %rdx, %rbx + adcq \$0, %rbx + +- mulq %r8 ++ mulq %rbp + addq %rax, %r11 + movq 32($inp), %rax + adcq \$0, %rdx +@@ -229,7 +228,7 @@ $code.=<<___; + movq %rdx, %rbx + adcq \$0, %rbx + +- mulq %r8 ++ mulq %rbp + addq %rax, %r12 + movq 40($inp), %rax + adcq \$0, %rdx +@@ -237,7 +236,7 @@ $code.=<<___; + movq %rdx, %rbx + adcq \$0, %rbx + +- mulq %r8 ++ mulq %rbp + addq %rax, %r13 + movq 48($inp), %rax + adcq \$0, %rdx +@@ -245,7 +244,7 @@ $code.=<<___; + movq %rdx, %rbx + adcq \$0, %rbx + +- mulq %r8 ++ mulq %rbp + addq %rax, %r14 + movq 56($inp), %rax + adcq \$0, %rdx +@@ -253,39 +252,39 @@ $code.=<<___; + movq %rdx, %rbx + adcq \$0, %rbx + +- mulq %r8 ++ mulq %rbp + addq %rax, %r15 +- movq %r8, %rax ++ movq %rbp, %rax + adcq \$0, %rdx + addq %rbx, %r15 +- movq %rdx, %r8 +- movq %r10, %rdx +- adcq \$0, %r8 ++ adcq \$0, %rdx + +- add %rdx, %rdx +- lea (%rcx,%r10,2), %r10 #shld \$1, %rcx, %r10 +- movq %r11, %rbx +- adcq %r11, %r11 #shld \$1, %r10, %r11 ++ xorq %rbx, %rbx # rbx:r10:r9 = r10:r9 << 1 ++ addq %r9, %r9 ++ movq %rdx, %r8 ++ adcq %r10, %r10 ++ adcq \$0, %rbx + + mulq %rax ++ addq %rcx, %rax ++ movq 16($inp), %rbp ++ adcq \$0, %rdx + addq %rax, %r9 ++ movq 24($inp), %rax + adcq %rdx, %r10 +- adcq \$0, %r11 ++ adcq \$0, %rbx + + movq %r9, 16(%rsp) + movq %r10, 24(%rsp) +- shrq \$63, %rbx +- ++ + #third iteration +- movq 16($inp), %r9 +- movq 24($inp), %rax +- mulq %r9 ++ mulq %rbp + addq %rax, %r12 + movq 32($inp), %rax + movq %rdx, %rcx + adcq \$0, %rcx + +- mulq %r9 ++ mulq %rbp + addq %rax, %r13 + movq 40($inp), %rax + adcq \$0, %rdx +@@ -293,7 +292,7 @@ $code.=<<___; + movq %rdx, %rcx + adcq 
\$0, %rcx + +- mulq %r9 ++ mulq %rbp + addq %rax, %r14 + movq 48($inp), %rax + adcq \$0, %rdx +@@ -301,9 +300,7 @@ $code.=<<___; + movq %rdx, %rcx + adcq \$0, %rcx + +- mulq %r9 +- movq %r12, %r10 +- lea (%rbx,%r12,2), %r12 #shld \$1, %rbx, %r12 ++ mulq %rbp + addq %rax, %r15 + movq 56($inp), %rax + adcq \$0, %rdx +@@ -311,36 +308,40 @@ $code.=<<___; + movq %rdx, %rcx + adcq \$0, %rcx + +- mulq %r9 +- shrq \$63, %r10 ++ mulq %rbp + addq %rax, %r8 +- movq %r9, %rax ++ movq %rbp, %rax + adcq \$0, %rdx + addq %rcx, %r8 +- movq %rdx, %r9 +- adcq \$0, %r9 ++ adcq \$0, %rdx + +- movq %r13, %rcx +- leaq (%r10,%r13,2), %r13 #shld \$1, %r12, %r13 ++ xorq %rcx, %rcx # rcx:r12:r11 = r12:r11 << 1 ++ addq %r11, %r11 ++ movq %rdx, %r9 ++ adcq %r12, %r12 ++ adcq \$0, %rcx + + mulq %rax ++ addq %rbx, %rax ++ movq 24($inp), %r10 ++ adcq \$0, %rdx + addq %rax, %r11 ++ movq 32($inp), %rax + adcq %rdx, %r12 +- adcq \$0, %r13 ++ adcq \$0, %rcx + + movq %r11, 32(%rsp) + movq %r12, 40(%rsp) +- shrq \$63, %rcx + + #fourth iteration +- movq 24($inp), %r10 +- movq 32($inp), %rax ++ mov %rax, %r11 # 32($inp) + mulq %r10 + addq %rax, %r14 + movq 40($inp), %rax + movq %rdx, %rbx + adcq \$0, %rbx + ++ mov %rax, %r12 # 40($inp) + mulq %r10 + addq %rax, %r15 + movq 48($inp), %rax +@@ -349,9 +350,8 @@ $code.=<<___; + movq %rdx, %rbx + adcq \$0, %rbx + ++ mov %rax, %rbp # 48($inp) + mulq %r10 +- movq %r14, %r12 +- leaq (%rcx,%r14,2), %r14 #shld \$1, %rcx, %r14 + addq %rax, %r8 + movq 56($inp), %rax + adcq \$0, %rdx +@@ -360,32 +360,33 @@ $code.=<<___; + adcq \$0, %rbx + + mulq %r10 +- shrq \$63, %r12 + addq %rax, %r9 + movq %r10, %rax + adcq \$0, %rdx + addq %rbx, %r9 +- movq %rdx, %r10 +- adcq \$0, %r10 ++ adcq \$0, %rdx + +- movq %r15, %rbx +- leaq (%r12,%r15,2),%r15 #shld \$1, %r14, %r15 ++ xorq %rbx, %rbx # rbx:r13:r14 = r13:r14 << 1 ++ addq %r13, %r13 ++ movq %rdx, %r10 ++ adcq %r14, %r14 ++ adcq \$0, %rbx + + mulq %rax ++ addq %rcx, %rax ++ adcq \$0, %rdx + addq %rax, %r13 ++ movq %r12, %rax 
# 40($inp) + adcq %rdx, %r14 +- adcq \$0, %r15 ++ adcq \$0, %rbx + + movq %r13, 48(%rsp) + movq %r14, 56(%rsp) +- shrq \$63, %rbx + + #fifth iteration +- movq 32($inp), %r11 +- movq 40($inp), %rax + mulq %r11 + addq %rax, %r8 +- movq 48($inp), %rax ++ movq %rbp, %rax # 48($inp) + movq %rdx, %rcx + adcq \$0, %rcx + +@@ -393,97 +394,99 @@ $code.=<<___; + addq %rax, %r9 + movq 56($inp), %rax + adcq \$0, %rdx +- movq %r8, %r12 +- leaq (%rbx,%r8,2), %r8 #shld \$1, %rbx, %r8 + addq %rcx, %r9 + movq %rdx, %rcx + adcq \$0, %rcx + ++ mov %rax, %r14 # 56($inp) + mulq %r11 +- shrq \$63, %r12 + addq %rax, %r10 + movq %r11, %rax + adcq \$0, %rdx + addq %rcx, %r10 +- movq %rdx, %r11 +- adcq \$0, %r11 ++ adcq \$0, %rdx + +- movq %r9, %rcx +- leaq (%r12,%r9,2), %r9 #shld \$1, %r8, %r9 ++ xorq %rcx, %rcx # rcx:r8:r15 = r8:r15 << 1 ++ addq %r15, %r15 ++ movq %rdx, %r11 ++ adcq %r8, %r8 ++ adcq \$0, %rcx + + mulq %rax ++ addq %rbx, %rax ++ adcq \$0, %rdx + addq %rax, %r15 ++ movq %rbp, %rax # 48($inp) + adcq %rdx, %r8 +- adcq \$0, %r9 ++ adcq \$0, %rcx + + movq %r15, 64(%rsp) + movq %r8, 72(%rsp) +- shrq \$63, %rcx + + #sixth iteration +- movq 40($inp), %r12 +- movq 48($inp), %rax + mulq %r12 + addq %rax, %r10 +- movq 56($inp), %rax ++ movq %r14, %rax # 56($inp) + movq %rdx, %rbx + adcq \$0, %rbx + + mulq %r12 + addq %rax, %r11 + movq %r12, %rax +- movq %r10, %r15 +- leaq (%rcx,%r10,2), %r10 #shld \$1, %rcx, %r10 + adcq \$0, %rdx +- shrq \$63, %r15 + addq %rbx, %r11 +- movq %rdx, %r12 +- adcq \$0, %r12 ++ adcq \$0, %rdx + +- movq %r11, %rbx +- leaq (%r15,%r11,2), %r11 #shld \$1, %r10, %r11 ++ xorq %rbx, %rbx # rbx:r10:r9 = r10:r9 << 1 ++ addq %r9, %r9 ++ movq %rdx, %r12 ++ adcq %r10, %r10 ++ adcq \$0, %rbx + + mulq %rax ++ addq %rcx, %rax ++ adcq \$0, %rdx + addq %rax, %r9 ++ movq %r14, %rax # 56($inp) + adcq %rdx, %r10 +- adcq \$0, %r11 ++ adcq \$0, %rbx + + movq %r9, 80(%rsp) + movq %r10, 88(%rsp) + + #seventh iteration +- movq 48($inp), %r13 +- movq 56($inp), %rax +- mulq %r13 ++ 
mulq %rbp + addq %rax, %r12 +- movq %r13, %rax +- movq %rdx, %r13 +- adcq \$0, %r13 ++ movq %rbp, %rax ++ adcq \$0, %rdx + +- xorq %r14, %r14 +- shlq \$1, %rbx +- adcq %r12, %r12 #shld \$1, %rbx, %r12 +- adcq %r13, %r13 #shld \$1, %r12, %r13 +- adcq %r14, %r14 #shld \$1, %r13, %r14 ++ xorq %rcx, %rcx # rcx:r12:r11 = r12:r11 << 1 ++ addq %r11, %r11 ++ movq %rdx, %r13 ++ adcq %r12, %r12 ++ adcq \$0, %rcx + + mulq %rax ++ addq %rbx, %rax ++ adcq \$0, %rdx + addq %rax, %r11 ++ movq %r14, %rax # 56($inp) + adcq %rdx, %r12 +- adcq \$0, %r13 ++ adcq \$0, %rcx + + movq %r11, 96(%rsp) + movq %r12, 104(%rsp) + + #eighth iteration +- movq 56($inp), %rax ++ xorq %rbx, %rbx # rbx:r13 = r13 << 1 ++ addq %r13, %r13 ++ adcq \$0, %rbx ++ + mulq %rax +- addq %rax, %r13 ++ addq %rcx, %rax + adcq \$0, %rdx +- +- addq %rdx, %r14 +- +- movq %r13, 112(%rsp) +- movq %r14, 120(%rsp) ++ addq %r13, %rax ++ adcq %rbx, %rdx + + movq (%rsp), %r8 + movq 8(%rsp), %r9 +@@ -493,6 +496,10 @@ $code.=<<___; + movq 40(%rsp), %r13 + movq 48(%rsp), %r14 + movq 56(%rsp), %r15 ++ movq %xmm1, %rbp ++ ++ movq %rax, 112(%rsp) ++ movq %rdx, 120(%rsp) + + call __rsaz_512_reduce + +@@ -524,9 +531,9 @@ $code.=<<___; + .Loop_sqrx: + movl $times,128+8(%rsp) + movq $out, %xmm0 # off-load +- movq %rbp, %xmm1 # off-load +-#first iteration ++#first iteration + mulx %rax, %r8, %r9 ++ mov %rax, %rbx + + mulx 16($inp), %rcx, %r10 + xor %rbp, %rbp # cf=0, of=0 +@@ -534,40 +541,39 @@ $code.=<<___; + mulx 24($inp), %rax, %r11 + adcx %rcx, %r9 + +- mulx 32($inp), %rcx, %r12 ++ .byte 0xc4,0x62,0xf3,0xf6,0xa6,0x20,0x00,0x00,0x00 # mulx 32($inp), %rcx, %r12 + adcx %rax, %r10 + +- mulx 40($inp), %rax, %r13 ++ .byte 0xc4,0x62,0xfb,0xf6,0xae,0x28,0x00,0x00,0x00 # mulx 40($inp), %rax, %r13 + adcx %rcx, %r11 + +- .byte 0xc4,0x62,0xf3,0xf6,0xb6,0x30,0x00,0x00,0x00 # mulx 48($inp), %rcx, %r14 ++ mulx 48($inp), %rcx, %r14 + adcx %rax, %r12 + adcx %rcx, %r13 + +- .byte 0xc4,0x62,0xfb,0xf6,0xbe,0x38,0x00,0x00,0x00 # mulx 56($inp), %rax, 
%r15 ++ mulx 56($inp), %rax, %r15 + adcx %rax, %r14 + adcx %rbp, %r15 # %rbp is 0 + +- mov %r9, %rcx +- shld \$1, %r8, %r9 +- shl \$1, %r8 +- +- xor %ebp, %ebp +- mulx %rdx, %rax, %rdx +- adcx %rdx, %r8 +- mov 8($inp), %rdx +- adcx %rbp, %r9 ++ mulx %rdx, %rax, $out ++ mov %rbx, %rdx # 8($inp) ++ xor %rcx, %rcx ++ adox %r8, %r8 ++ adcx $out, %r8 ++ adox %rbp, %rcx ++ adcx %rbp, %rcx + + mov %rax, (%rsp) + mov %r8, 8(%rsp) + +-#second iteration +- mulx 16($inp), %rax, %rbx ++#second iteration ++ .byte 0xc4,0xe2,0xfb,0xf6,0x9e,0x10,0x00,0x00,0x00 # mulx 16($inp), %rax, %rbx + adox %rax, %r10 + adcx %rbx, %r11 + +- .byte 0xc4,0x62,0xc3,0xf6,0x86,0x18,0x00,0x00,0x00 # mulx 24($inp), $out, %r8 ++ mulx 24($inp), $out, %r8 + adox $out, %r11 ++ .byte 0x66 + adcx %r8, %r12 + + mulx 32($inp), %rax, %rbx +@@ -585,24 +591,25 @@ $code.=<<___; + .byte 0xc4,0x62,0xc3,0xf6,0x86,0x38,0x00,0x00,0x00 # mulx 56($inp), $out, %r8 + adox $out, %r15 + adcx %rbp, %r8 ++ mulx %rdx, %rax, $out + adox %rbp, %r8 ++ .byte 0x48,0x8b,0x96,0x10,0x00,0x00,0x00 # mov 16($inp), %rdx + +- mov %r11, %rbx +- shld \$1, %r10, %r11 +- shld \$1, %rcx, %r10 +- +- xor %ebp,%ebp +- mulx %rdx, %rax, %rcx +- mov 16($inp), %rdx ++ xor %rbx, %rbx ++ adcx %rcx, %rax ++ adox %r9, %r9 ++ adcx %rbp, $out ++ adox %r10, %r10 + adcx %rax, %r9 +- adcx %rcx, %r10 +- adcx %rbp, %r11 ++ adox %rbp, %rbx ++ adcx $out, %r10 ++ adcx %rbp, %rbx + + mov %r9, 16(%rsp) + .byte 0x4c,0x89,0x94,0x24,0x18,0x00,0x00,0x00 # mov %r10, 24(%rsp) +- +-#third iteration +- .byte 0xc4,0x62,0xc3,0xf6,0x8e,0x18,0x00,0x00,0x00 # mulx 24($inp), $out, %r9 ++ ++#third iteration ++ mulx 24($inp), $out, %r9 + adox $out, %r12 + adcx %r9, %r13 + +@@ -610,7 +617,7 @@ $code.=<<___; + adox %rax, %r13 + adcx %rcx, %r14 + +- mulx 40($inp), $out, %r9 ++ .byte 0xc4,0x62,0xc3,0xf6,0x8e,0x28,0x00,0x00,0x00 # mulx 40($inp), $out, %r9 + adox $out, %r14 + adcx %r9, %r15 + +@@ -618,27 +625,28 @@ $code.=<<___; + adox %rax, %r15 + adcx %rcx, %r8 + +- .byte 
0xc4,0x62,0xc3,0xf6,0x8e,0x38,0x00,0x00,0x00 # mulx 56($inp), $out, %r9 ++ mulx 56($inp), $out, %r9 + adox $out, %r8 + adcx %rbp, %r9 ++ mulx %rdx, %rax, $out + adox %rbp, %r9 ++ mov 24($inp), %rdx + +- mov %r13, %rcx +- shld \$1, %r12, %r13 +- shld \$1, %rbx, %r12 +- +- xor %ebp, %ebp +- mulx %rdx, %rax, %rdx ++ xor %rcx, %rcx ++ adcx %rbx, %rax ++ adox %r11, %r11 ++ adcx %rbp, $out ++ adox %r12, %r12 + adcx %rax, %r11 +- adcx %rdx, %r12 +- mov 24($inp), %rdx +- adcx %rbp, %r13 ++ adox %rbp, %rcx ++ adcx $out, %r12 ++ adcx %rbp, %rcx + + mov %r11, 32(%rsp) +- .byte 0x4c,0x89,0xa4,0x24,0x28,0x00,0x00,0x00 # mov %r12, 40(%rsp) +- +-#fourth iteration +- .byte 0xc4,0xe2,0xfb,0xf6,0x9e,0x20,0x00,0x00,0x00 # mulx 32($inp), %rax, %rbx ++ mov %r12, 40(%rsp) ++ ++#fourth iteration ++ mulx 32($inp), %rax, %rbx + adox %rax, %r14 + adcx %rbx, %r15 + +@@ -653,25 +661,25 @@ $code.=<<___; + mulx 56($inp), $out, %r10 + adox $out, %r9 + adcx %rbp, %r10 ++ mulx %rdx, %rax, $out + adox %rbp, %r10 ++ mov 32($inp), %rdx + +- .byte 0x66 +- mov %r15, %rbx +- shld \$1, %r14, %r15 +- shld \$1, %rcx, %r14 +- +- xor %ebp, %ebp +- mulx %rdx, %rax, %rdx ++ xor %rbx, %rbx ++ adcx %rcx, %rax ++ adox %r13, %r13 ++ adcx %rbp, $out ++ adox %r14, %r14 + adcx %rax, %r13 +- adcx %rdx, %r14 +- mov 32($inp), %rdx +- adcx %rbp, %r15 ++ adox %rbp, %rbx ++ adcx $out, %r14 ++ adcx %rbp, %rbx + + mov %r13, 48(%rsp) + mov %r14, 56(%rsp) +- +-#fifth iteration +- .byte 0xc4,0x62,0xc3,0xf6,0x9e,0x28,0x00,0x00,0x00 # mulx 40($inp), $out, %r11 ++ ++#fifth iteration ++ mulx 40($inp), $out, %r11 + adox $out, %r8 + adcx %r11, %r9 + +@@ -682,18 +690,19 @@ $code.=<<___; + mulx 56($inp), $out, %r11 + adox $out, %r10 + adcx %rbp, %r11 ++ mulx %rdx, %rax, $out ++ mov 40($inp), %rdx + adox %rbp, %r11 + +- mov %r9, %rcx +- shld \$1, %r8, %r9 +- shld \$1, %rbx, %r8 +- +- xor %ebp, %ebp +- mulx %rdx, %rax, %rdx ++ xor %rcx, %rcx ++ adcx %rbx, %rax ++ adox %r15, %r15 ++ adcx %rbp, $out ++ adox %r8, %r8 + adcx %rax, %r15 +- 
adcx %rdx, %r8 +- mov 40($inp), %rdx +- adcx %rbp, %r9 ++ adox %rbp, %rcx ++ adcx $out, %r8 ++ adcx %rbp, %rcx + + mov %r15, 64(%rsp) + mov %r8, 72(%rsp) +@@ -706,18 +715,19 @@ $code.=<<___; + .byte 0xc4,0x62,0xc3,0xf6,0xa6,0x38,0x00,0x00,0x00 # mulx 56($inp), $out, %r12 + adox $out, %r11 + adcx %rbp, %r12 ++ mulx %rdx, %rax, $out + adox %rbp, %r12 ++ mov 48($inp), %rdx + +- mov %r11, %rbx +- shld \$1, %r10, %r11 +- shld \$1, %rcx, %r10 +- +- xor %ebp, %ebp +- mulx %rdx, %rax, %rdx ++ xor %rbx, %rbx ++ adcx %rcx, %rax ++ adox %r9, %r9 ++ adcx %rbp, $out ++ adox %r10, %r10 + adcx %rax, %r9 +- adcx %rdx, %r10 +- mov 48($inp), %rdx +- adcx %rbp, %r11 ++ adcx $out, %r10 ++ adox %rbp, %rbx ++ adcx %rbp, %rbx + + mov %r9, 80(%rsp) + mov %r10, 88(%rsp) +@@ -727,31 +737,31 @@ $code.=<<___; + adox %rax, %r12 + adox %rbp, %r13 + +- xor %r14, %r14 +- shld \$1, %r13, %r14 +- shld \$1, %r12, %r13 +- shld \$1, %rbx, %r12 +- +- xor %ebp, %ebp +- mulx %rdx, %rax, %rdx +- adcx %rax, %r11 +- adcx %rdx, %r12 ++ mulx %rdx, %rax, $out ++ xor %rcx, %rcx + mov 56($inp), %rdx +- adcx %rbp, %r13 ++ adcx %rbx, %rax ++ adox %r11, %r11 ++ adcx %rbp, $out ++ adox %r12, %r12 ++ adcx %rax, %r11 ++ adox %rbp, %rcx ++ adcx $out, %r12 ++ adcx %rbp, %rcx + + .byte 0x4c,0x89,0x9c,0x24,0x60,0x00,0x00,0x00 # mov %r11, 96(%rsp) + .byte 0x4c,0x89,0xa4,0x24,0x68,0x00,0x00,0x00 # mov %r12, 104(%rsp) + + #eighth iteration + mulx %rdx, %rax, %rdx +- adox %rax, %r13 +- adox %rbp, %rdx ++ xor %rbx, %rbx ++ adcx %rcx, %rax ++ adox %r13, %r13 ++ adcx %rbp, %rdx ++ adox %rbp, %rbx ++ adcx %r13, %rax ++ adcx %rdx, %rbx + +- .byte 0x66 +- add %rdx, %r14 +- +- movq %r13, 112(%rsp) +- movq %r14, 120(%rsp) + movq %xmm0, $out + movq %xmm1, %rbp + +@@ -765,6 +775,9 @@ $code.=<<___; + movq 48(%rsp), %r14 + movq 56(%rsp), %r15 + ++ movq %rax, 112(%rsp) ++ movq %rbx, 120(%rsp) ++ + call __rsaz_512_reducex + + addq 64(%rsp), %r8 +-- +2.17.1 + diff -Nru openssl-1.0.2g/debian/patches/CVE-2019-1559.patch 
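Review bot: The hand-encoded instructions in the mulx path (`.byte 0xc4,0x62,0xf3,0xf6,0xa6,0x20,0x00,0x00,0x00 # mulx 32($inp), %rcx, %r12` and the others the hunk moves between the `mulx 32/40` and `mulx 48/56` sites, plus the bare `.byte 0x66` prefix) carry only a trailing mnemonic comment, so nothing in the source checks that the bytes still decode to what the comment says now that the register assignments changed. A one-line comment at the first `.byte` line stating why the raw encoding is kept (presumably to pin instruction length for alignment — confirm) would let the next reader verify rather than trust it. Also, the new lines mix `mov` and `movq` (`mov %rax, %rbp # 8($inp)` next to `movq %rdx, %rbx # 0($inp)`); one spelling within the squaring loop would make the register-reuse comments easier to follow. The hunk covers only the `.Loop_sqr`/`.Loop_sqrx` bodies inside the perlasm heredoc; the prologue and the reduction routines it calls are outside it.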
openssl-1.0.2g/debian/patches/CVE-2019-1559.patch
--- openssl-1.0.2g/debian/patches/CVE-2019-1559.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2019-1559.patch 2019-02-26 18:15:37.000000000 +0000
@@ -0,0 +1,59 @@
+Backport of:
+
+From e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Fri, 14 Dec 2018 07:28:30 +0000
+Subject: [PATCH] Go into the error state if a fatal alert is sent or received
+
+If an application calls SSL_shutdown after a fatal alert has occured and
+then behaves different based on error codes from that function then the
+application may be vulnerable to a padding oracle.
+
+CVE-2019-1559
+
+Reviewed-by: Richard Levitte
+---
+ ssl/d1_pkt.c | 1 +
+ ssl/s3_pkt.c | 10 +++++++---
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+Index: openssl-1.0.2g/ssl/d1_pkt.c
+===================================================================
+--- openssl-1.0.2g.orig/ssl/d1_pkt.c 2019-02-26 13:09:11.010950562 -0500
++++ openssl-1.0.2g/ssl/d1_pkt.c 2019-02-26 13:12:42.259997034 -0500
+@@ -1267,6 +1267,7 @@ int dtls1_read_bytes(SSL *s, int type, u
+ ERR_add_error_data(2, "SSL alert number ", tmp);
+ s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+ SSL_CTX_remove_session(s->ctx, s->session);
++ s->state = SSL_ST_ERR;
+ return (0);
+ } else {
+ al = SSL_AD_ILLEGAL_PARAMETER;
+Index: openssl-1.0.2g/ssl/s3_pkt.c
+===================================================================
+--- openssl-1.0.2g.orig/ssl/s3_pkt.c 2019-02-26 13:09:11.010950562 -0500
++++ openssl-1.0.2g/ssl/s3_pkt.c 2019-02-26 13:15:26.492809651 -0500
+@@ -1489,6 +1489,7 @@ int ssl3_read_bytes(SSL *s, int type, un
+ ERR_add_error_data(2, "SSL alert number ", tmp);
+ s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+ SSL_CTX_remove_session(s->ctx, s->session);
++ s->state = SSL_ST_ERR;
+ return (0);
+ } else {
+ al = SSL_AD_ILLEGAL_PARAMETER;
+@@ -1708,9 +1709,12 @@ int ssl3_send_alert(SSL *s, int level, i
+ * protocol_version alerts */
+ if (desc < 0)
+ return -1;
+- /* If a fatal one, remove from cache */
+- if ((level == 2) && (s->session != NULL))
+- SSL_CTX_remove_session(s->ctx, s->session);
++ /* If a fatal one, remove from cache and go into the error state */
++ if (level == SSL3_AL_FATAL) {
++ if (s->session != NULL)
++ SSL_CTX_remove_session(s->ctx, s->session);
++ s->state = SSL_ST_ERR;
++ }
+
+ s->s3->alert_dispatch = 1;
+ s->s3->send_alert[0] = level;
diff -Nru openssl-1.0.2g/debian/patches/CVE-2019-1563.patch openssl-1.0.2g/debian/patches/CVE-2019-1563.patch
--- openssl-1.0.2g/debian/patches/CVE-2019-1563.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2019-1563.patch 2020-05-27 19:17:45.000000000 +0000
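Review bot: The three new `s->state = SSL_ST_ERR;` lines (dtls1_read_bytes, ssl3_read_bytes and ssl3_send_alert) carry no comment tying them to the reason given in the description, so a later reader may see a state change after `SSL_CTX_remove_session` and treat it as removable cleanup. Suggest `/* Enter the error state so a later SSL_shutdown() behaves the same whatever caused the fatal alert */` above the first one, and the same wording in the `ssl3_send_alert` comment, which currently only says "go into the error state" without the why. Replacing the magic `2` with `SSL3_AL_FATAL` is a welcome side effect of the change. In both `*_read_bytes` hunks the enclosing function starts and ends outside the hunk.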
@@ -0,0 +1,162 @@
+From e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f Mon Sep 17 00:00:00 2001
+From: Bernd Edlinger
+Date: Sun, 1 Sep 2019 00:16:28 +0200
+Subject: [PATCH] Fix a padding oracle in PKCS7_dataDecode and
+ CMS_decrypt_set1_pkey
+
+An attack is simple, if the first CMS_recipientInfo is valid but the
+second CMS_recipientInfo is chosen ciphertext. If the second
+recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
+encryption key will be replaced by garbage, and the message cannot be
+decoded, but if the RSA decryption fails, the correct encryption key is
+used and the recipient will not notice the attack.
+
+As a work around for this potential attack the length of the decrypted
+key must be equal to the cipher default key length, in case the
+certifiate is not given and all recipientInfo are tried out.
+
+The old behaviour can be re-enabled in the CMS code by setting the
+CMS_DEBUG_DECRYPT flag.
+
+Reviewed-by: Matt Caswell
+(Merged from https://github.com/openssl/openssl/pull/9777)
+
+(cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37)
+---
+ CHANGES | 14 ++++++++++++++
+ crypto/cms/cms_env.c | 18 +++++++++++++++++-
+ crypto/cms/cms_lcl.h | 2 ++
+ crypto/cms/cms_smime.c | 4 ++++
+ crypto/pkcs7/pk7_doit.c | 12 ++++++++----
+ 5 files changed, 45 insertions(+), 5 deletions(-)
+
+#diff --git a/CHANGES b/CHANGES
+#index eff1121106..dbe5c1d043 100644
+#--- a/CHANGES
+#+++ b/CHANGES
+#@@ -39,6 +39,20 @@
+# (CVE-2019-1547)
+# [Billy Bob Brumley]
+#
+#+ *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
+#+ An attack is simple, if the first CMS_recipientInfo is valid but the
+#+ second CMS_recipientInfo is chosen ciphertext. If the second
+#+ recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
+#+ encryption key will be replaced by garbage, and the message cannot be
+#+ decoded, but if the RSA decryption fails, the correct encryption key is
+#+ used and the recipient will not notice the attack.
+#+ As a work around for this potential attack the length of the decrypted
+#+ key must be equal to the cipher default key length, in case the
+#+ certifiate is not given and all recipientInfo are tried out.
+#+ The old behaviour can be re-enabled in the CMS code by setting the
+#+ CMS_DEBUG_DECRYPT flag.
+#+ [Bernd Edlinger]
+#+
+# *) Document issue with installation paths in diverse Windows builds
+#
+# '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL
+--- a/crypto/cms/cms_env.c
++++ b/crypto/cms/cms_env.c
+@@ -422,6 +422,7 @@ static int cms_RecipientInfo_ktri_decryp
+ unsigned char *ek = NULL;
+ size_t eklen;
+ int ret = 0;
++ size_t fixlen = 0;
+ CMS_EncryptedContentInfo *ec;
+ ec = cms->d.envelopedData->encryptedContentInfo;
+
+@@ -430,6 +431,19 @@ static int cms_RecipientInfo_ktri_decryp
+ return 0;
+ }
+
++ if (cms->d.envelopedData->encryptedContentInfo->havenocert
++ && !cms->d.envelopedData->encryptedContentInfo->debug) {
++ X509_ALGOR *calg = ec->contentEncryptionAlgorithm;
++ const EVP_CIPHER *ciph = EVP_get_cipherbyobj(calg->algorithm);
++
++ if (ciph == NULL) {
++ CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_UNKNOWN_CIPHER);
++ return 0;
++ }
++
++ fixlen = EVP_CIPHER_key_length(ciph);
++ }
++
+ ktri->pctx = EVP_PKEY_CTX_new(pkey, NULL);
+ if (!ktri->pctx)
+ return 0;
+@@ -460,7 +474,9 @@ static int cms_RecipientInfo_ktri_decryp
+
+ if (EVP_PKEY_decrypt(ktri->pctx, ek, &eklen,
+ ktri->encryptedKey->data,
+- ktri->encryptedKey->length) <= 0) {
++ ktri->encryptedKey->length) <= 0
++ || eklen == 0
++ || (fixlen != 0 && eklen != fixlen)) {
+ CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CMS_LIB);
+ goto err;
+ }
+--- a/crypto/cms/cms_lcl.h
++++ b/crypto/cms/cms_lcl.h
+@@ -172,6 +172,8 @@ struct CMS_EncryptedContentInfo_st {
+ size_t keylen;
+ /* Set to 1 if we are debugging decrypt and don't fake keys for MMA */
+ int debug;
++ /* Set to 1 if we have no cert and need extra safety measures for MMA */
++ int havenocert;
+ };
+
+ struct CMS_RecipientInfo_st {
+--- a/crypto/cms/cms_smime.c
++++ b/crypto/cms/cms_smime.c
+@@ -737,6 +737,10 @@ int CMS_decrypt(CMS_ContentInfo *cms, EV
+ cms->d.envelopedData->encryptedContentInfo->debug = 1;
+ else
+ cms->d.envelopedData->encryptedContentInfo->debug = 0;
++ if (!cert)
++ cms->d.envelopedData->encryptedContentInfo->havenocert = 1;
++ else
++ cms->d.envelopedData->encryptedContentInfo->havenocert = 0;
+ if (!pk && !cert && !dcont && !out)
+ return 1;
+ if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert))
+--- a/crypto/pkcs7/pk7_doit.c
++++ b/crypto/pkcs7/pk7_doit.c
+@@ -191,7 +191,8 @@ static int pkcs7_encode_rinfo(PKCS7_RECI
+ }
+
+ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
+- PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey)
++ PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey,
++ size_t fixlen)
+ {
+ EVP_PKEY_CTX *pctx = NULL;
+ unsigned char *ek = NULL;
+@@ -224,7 +225,9 @@ static int pkcs7_decrypt_rinfo(unsigned
+ }
+
+ if (EVP_PKEY_decrypt(pctx, ek, &eklen,
+- ri->enc_key->data, ri->enc_key->length) <= 0) {
++ ri->enc_key->data, ri->enc_key->length) <= 0
++ || eklen == 0
++ || (fixlen != 0 && eklen != fixlen)) {
+ ret = 0;
+ PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB);
+ goto err;
+@@ -569,13 +572,14 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
+ for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) {
+ ri = sk_PKCS7_RECIP_INFO_value(rsk, i);
+
+- if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
++ if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey,
++ EVP_CIPHER_key_length(evp_cipher)) < 0)
+ goto err;
+ ERR_clear_error();
+ }
+ } else {
+ /* Only exit on fatal errors, not decrypt failure */
+- if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
++ if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, 0) < 0)
+ goto err;
+ ERR_clear_error();
+ }
diff -Nru openssl-1.0.2g/debian/patches/CVE-2020-1968.patch openssl-1.0.2g/debian/patches/CVE-2020-1968.patch
--- openssl-1.0.2g/debian/patches/CVE-2020-1968.patch 1970-01-01 00:00:00.000000000 +0000
+++
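Review bot: `havenocert` is set only in `CMS_decrypt` (cms_smime.c hunk), so a caller that uses `CMS_decrypt_set1_pkey` directly with a NULL cert — a function the subject line names as affected — presumably sees whatever value the field had at allocation and gets no key-length check; if the structure is zero-initialised that is the unprotected behaviour, so consider setting the flag in `CMS_decrypt_set1_pkey` as well, or documenting that `CMS_decrypt` is the only entry point that enables the mitigation. The combined condition `|| eklen == 0 || (fixlen != 0 && eklen != fixlen)` in both cms_env.c and pk7_doit.c deliberately reports the same `CMS_R_CMS_LIB`/`ERR_R_EVP_LIB` error as a failed decrypt, but nothing says so; suggest `/* A wrong-length key must fail exactly like a failed decrypt: a distinct error would reintroduce the oracle */` above each. In `PKCS7_dataDecode` the `evp_cipher` now passed to `EVP_CIPHER_key_length` is looked up before the hunk; I assume it is already checked non-NULL there, but it is worth confirming since a NULL would be dereferenced on every recipient.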
openssl-1.0.2g/debian/patches/CVE-2020-1968.patch 2020-09-15 18:13:20.000000000 +0000 
@@ -0,0 +1,279 @@ +Description: disable ciphers vulnerable to CVE-2020-1968 +Author: Marc Deslauriers + +--- a/ssl/s3_lib.c ++++ b/ssl/s3_lib.c +@@ -373,6 +373,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + #endif + + /* Cipher 0D */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_DH_DSS_DES_192_CBC3_SHA, +@@ -387,6 +388,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 112, + 168, + }, ++#endif + + /* Cipher 0E */ + #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS +@@ -425,6 +427,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + #endif + + /* Cipher 10 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + SSL3_TXT_DH_RSA_DES_192_CBC3_SHA, +@@ -439,6 +442,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 112, + 168, + }, ++#endif + + /* The Ephemeral DH ciphers */ + /* Cipher 11 */ +@@ -942,6 +946,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 128, + }, + /* Cipher 30 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_DSS_WITH_AES_128_SHA, +@@ -956,7 +961,9 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 128, + 128, + }, ++#endif + /* Cipher 31 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_RSA_WITH_AES_128_SHA, +@@ -971,6 +978,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 128, + 128, + }, ++#endif + /* Cipher 32 */ + { + 1, +@@ -1033,6 +1041,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 256, + }, + /* Cipher 36 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_DSS_WITH_AES_256_SHA, +@@ -1047,8 +1056,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 256, + 256, + }, ++#endif + + /* Cipher 37 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_RSA_WITH_AES_256_SHA, +@@ -1063,6 +1074,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 256, + 256, + }, ++#endif + + /* Cipher 38 */ + { +@@ -1162,6 +1174,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + }, + + /* Cipher 3E */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_DSS_WITH_AES_128_SHA256, +@@ -1176,8 +1189,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 
128, + 128, + }, ++#endif + + /* Cipher 3F */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_RSA_WITH_AES_128_SHA256, +@@ -1192,6 +1207,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 128, + 128, + }, ++#endif + + /* Cipher 40 */ + { +@@ -1229,6 +1245,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + }, + + /* Cipher 42 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, +@@ -1243,8 +1260,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 128, + 128, + }, ++#endif + + /* Cipher 43 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, +@@ -1259,6 +1278,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 128, + 128, + }, ++#endif + + /* Cipher 44 */ + { +@@ -1452,6 +1472,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + }, + + /* Cipher 68 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_DSS_WITH_AES_256_SHA256, +@@ -1466,8 +1487,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 256, + 256, + }, ++#endif + + /* Cipher 69 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_RSA_WITH_AES_256_SHA256, +@@ -1482,6 +1505,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 256, + 256, + }, ++#endif + + /* Cipher 6A */ + { +@@ -1621,6 +1645,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 256, + }, + /* Cipher 85 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, +@@ -1635,8 +1660,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 256, + 256, + }, ++#endif + + /* Cipher 86 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, +@@ -1651,6 +1678,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 256, + 256, + }, ++#endif + + /* Cipher 87 */ + { +@@ -1787,6 +1815,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + }, + + /* Cipher 97 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_DSS_WITH_SEED_SHA, +@@ -1801,8 +1830,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 128, + 128, + }, 
++#endif + + /* Cipher 98 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_RSA_WITH_SEED_SHA, +@@ -1817,6 +1848,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 128, + 128, + }, ++#endif + + /* Cipher 99 */ + { +@@ -1935,6 +1967,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + }, + + /* Cipher A0 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_RSA_WITH_AES_128_GCM_SHA256, +@@ -1949,8 +1982,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 128, + 128, + }, ++#endif + + /* Cipher A1 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_RSA_WITH_AES_256_GCM_SHA384, +@@ -1965,6 +2000,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 256, + 256, + }, ++#endif + + /* Cipher A2 */ + { +@@ -1999,6 +2035,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + }, + + /* Cipher A4 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256, +@@ -2013,8 +2050,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 128, + 128, + }, ++#endif + + /* Cipher A5 */ ++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS + { + 1, + TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384, +@@ -2029,6 +2068,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] + 256, + 256, + }, ++#endif + + /* Cipher A6 */ + { diff -Nru openssl-1.0.2g/debian/patches/CVE-2020-1971-1.patch openssl-1.0.2g/debian/patches/CVE-2020-1971-1.patch --- openssl-1.0.2g/debian/patches/CVE-2020-1971-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2020-1971-1.patch 2020-12-02 15:15:20.000000000 +0000 
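Review bot: The `#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS` guards added around ciphers 0D, 10, 30, 31, 36, 37, 3E, 3F, 42, 43, 68, 69, 85, 86, 97, 98, A0, A1, A4 and A5 only compile those suites out when the build defines that macro, and nothing in this patch defines it, so the `Description:` line should say what the mechanism depends on, e.g. `Description: compile out the static DH (DH_DSS_*/DH_RSA_*) ciphersuites affected by CVE-2020-1968; effective only when the build defines OPENSSL_NO_WEAK_SSL_CIPHERS`. The guarded entries are exactly the non-ephemeral DH_DSS/DH_RSA suites, while the DHE entries after the `/* The Ephemeral DH ciphers */` comment stay enabled, which is consistent with an attack that needs a reused DH secret. Cipher 0E is already wrapped in the same guard in the surrounding context, so the Ubuntu build presumably defines it, but that is inferred rather than visible here.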
@@ -0,0 +1,34 @@
+From ae1e7c236db52fea0c84cb84ddbfe3d03c55ba4a Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Wed, 11 Nov 2020 15:19:34 +0000
+Subject: [PATCH] DirectoryString is a CHOICE type and therefore uses explicit
+ tagging
+
+EDIPartyName has 2 fields that use a DirectoryString. However they were
+marked as implicit tagging - which is not correct for a CHOICE type.
+
+Additionally the partyName field was marked as Optional when, according to
+RFC5280 it is not.
+
+Many thanks to github user @filipnavara for reporting this issue. Also to
+David Benjamin from Google who independently identified and reported it.
+
+Fixes #6859
+---
+ crypto/x509v3/v3_genn.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/crypto/x509v3/v3_genn.c
++++ b/crypto/x509v3/v3_genn.c
+@@ -72,8 +72,9 @@ ASN1_SEQUENCE(OTHERNAME) = {
+ IMPLEMENT_ASN1_FUNCTIONS(OTHERNAME)
+
+ ASN1_SEQUENCE(EDIPARTYNAME) = {
+- ASN1_IMP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),
+- ASN1_IMP_OPT(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1)
++ /* DirectoryString is a CHOICE type so use explicit tagging */
++ ASN1_EXP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),
++ ASN1_EXP(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1)
+ } ASN1_SEQUENCE_END(EDIPARTYNAME)
+
+ IMPLEMENT_ASN1_FUNCTIONS(EDIPARTYNAME)
diff -Nru openssl-1.0.2g/debian/patches/CVE-2020-1971-2.patch openssl-1.0.2g/debian/patches/CVE-2020-1971-2.patch
--- openssl-1.0.2g/debian/patches/CVE-2020-1971-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2020-1971-2.patch 2020-12-02 15:15:26.000000000 +0000
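Review bot: Changing `partyName` from `ASN1_IMP_OPT` to `ASN1_EXP` is a wire-format change in both directions, not only a decoder hardening: EDIPartyName values that earlier OpenSSL releases encoded with implicit tags no longer decode, and an EDIPartyName without a partyName is now a parse error instead of a NULL field. That is the RFC 5280 shape, but the added comment explains only the tagging; it should record the second change as well, e.g. `/* partyName is not OPTIONAL in RFC 5280; values encoded by older OpenSSL with implicit tags will no longer parse */`. Any code that assumes `partyName` is non-NULL after d2i depends on this line, so both facts belong together here.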
@@ -0,0 +1,94 @@ +From 84743d3e7fae623c0a20bd727ec6e8c4031bf42f Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 11 Nov 2020 16:12:58 +0000 +Subject: [PATCH] Correctly compare EdiPartyName in GENERAL_NAME_cmp() + +If a GENERAL_NAME field contained EdiPartyName data then it was +incorrectly being handled as type "other". This could lead to a +segmentation fault. + +Many thanks to David Benjamin from Google for reporting this issue. + +CVE-2020-1971 +--- + crypto/x509v3/v3_genn.c | 45 ++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 42 insertions(+), 3 deletions(-) + +--- a/crypto/x509v3/v3_genn.c ++++ b/crypto/x509v3/v3_genn.c +@@ -108,6 +108,37 @@ GENERAL_NAME *GENERAL_NAME_dup(GENERAL_N + (char *)a); + } + ++static int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b) ++{ ++ int res; ++ ++ if (a == NULL || b == NULL) { ++ /* ++ * Shouldn't be possible in a valid GENERAL_NAME, but we handle it ++ * anyway. OTHERNAME_cmp treats NULL != NULL so we do the same here ++ */ ++ return -1; ++ } ++ if (a->nameAssigner == NULL && b->nameAssigner != NULL) ++ return -1; ++ if (a->nameAssigner != NULL && b->nameAssigner == NULL) ++ return 1; ++ /* If we get here then both have nameAssigner set, or both unset */ ++ if (a->nameAssigner != NULL) { ++ res = ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner); ++ if (res != 0) ++ return res; ++ } ++ /* ++ * partyName is required, so these should never be NULL. We treat it in ++ * the same way as the a == NULL || b == NULL case above ++ */ ++ if (a->partyName == NULL || b->partyName == NULL) ++ return -1; ++ ++ return ASN1_STRING_cmp(a->partyName, b->partyName); ++} ++ + /* Returns 0 if they are equal, != 0 otherwise. 
*/ + int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) + { +@@ -117,8 +148,11 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GE + return -1; + switch (a->type) { + case GEN_X400: ++ result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); ++ break; ++ + case GEN_EDIPARTY: +- result = ASN1_TYPE_cmp(a->d.other, b->d.other); ++ result = edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName); + break; + + case GEN_OTHERNAME: +@@ -165,8 +199,11 @@ void GENERAL_NAME_set0_value(GENERAL_NAM + { + switch (type) { + case GEN_X400: ++ a->d.x400Address = value; ++ break; ++ + case GEN_EDIPARTY: +- a->d.other = value; ++ a->d.ediPartyName = value; + break; + + case GEN_OTHERNAME: +@@ -200,8 +237,10 @@ void *GENERAL_NAME_get0_value(GENERAL_NA + *ptype = a->type; + switch (a->type) { + case GEN_X400: ++ return a->d.x400Address; ++ + case GEN_EDIPARTY: +- return a->d.other; ++ return a->d.ediPartyName; + + case GEN_OTHERNAME: + return a->d.otherName; diff -Nru openssl-1.0.2g/debian/patches/CVE-2020-1971-3.patch openssl-1.0.2g/debian/patches/CVE-2020-1971-3.patch --- openssl-1.0.2g/debian/patches/CVE-2020-1971-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2020-1971-3.patch 2020-12-02 15:58:53.000000000 +0000 
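Review bot: `edipartyname_cmp` compares `nameAssigner` and `partyName` with `ASN1_STRING_cmp`, which also compares the string type, so two DirectoryStrings carrying the same text in different encodings (UTF8String versus PrintableString, say) compare as unequal. That is presumably intended for an encoding-level equality check, but it is stricter than name matching elsewhere in X.509 and the function has no header comment stating its contract; I would add `/* Returns 0 if equal, non-zero otherwise. Compares encoded type and bytes; DirectoryString variants are not canonicalised. NULL on either side is treated as unequal (-1). */` above it. The dispatch fix itself is right: EDIPARTY was previously passed to `ASN1_TYPE_cmp` through `d.other`, and the new GEN_X400 branch keeps the prior ASN1_TYPE semantics through `d.x400Address`.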
@@ -0,0 +1,82 @@ +Backport of: + +From c521851116486d0cb351c46506d309dce0ae4c56 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Thu, 12 Nov 2020 11:58:12 +0000 +Subject: [PATCH] Check that multi-strings/CHOICE types don't use implicit + tagging + +It never makes sense for multi-string or CHOICE types to use implicit +tagging since the content would be ambiguous. It is an error in the +template if this ever happens. If we detect it we should stop parsing. + +Thanks to David Benjamin from Google for reporting this issue. +--- + crypto/asn1/asn1_err.c | 1 + + crypto/asn1/tasn_dec.c | 19 +++++++++++++++++++ + crypto/err/openssl.txt | 1 + + include/openssl/asn1err.h | 1 + + 4 files changed, 22 insertions(+) + +--- a/crypto/asn1/asn1_err.c ++++ b/crypto/asn1/asn1_err.c +@@ -202,6 +202,7 @@ static ERR_STRING_DATA ASN1_str_reasons[ + {ERR_REASON(ASN1_R_AUX_ERROR), "aux error"}, + {ERR_REASON(ASN1_R_BAD_CLASS), "bad class"}, + {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER), "bad object header"}, ++ {ERR_REASON(ASN1_R_BAD_TEMPLATE), "bad template"}, + {ERR_REASON(ASN1_R_BAD_PASSWORD_READ), "bad password read"}, + {ERR_REASON(ASN1_R_BAD_TAG), "bad tag"}, + {ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH), +--- a/crypto/asn1/tasn_dec.c ++++ b/crypto/asn1/tasn_dec.c +@@ -223,6 +223,15 @@ static int asn1_item_ex_d2i(ASN1_VALUE * + break; + + case ASN1_ITYPE_MSTRING: ++ /* ++ * It never makes sense for multi-strings to have implicit tagging, so ++ * if tag != -1, then this looks like an error in the template. 
++ */ ++ if (tag != -1) { ++ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_BAD_TEMPLATE); ++ goto err; ++ } ++ + p = *in; + /* Just read in tag and class */ + ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, +@@ -240,6 +249,7 @@ static int asn1_item_ex_d2i(ASN1_VALUE * + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MSTRING_NOT_UNIVERSAL); + goto err; + } ++ + /* Check tag matches bit map */ + if (!(ASN1_tag2bit(otag) & it->utype)) { + /* If OPTIONAL, assume this is OK */ +@@ -316,6 +326,15 @@ static int asn1_item_ex_d2i(ASN1_VALUE * + goto err; + + case ASN1_ITYPE_CHOICE: ++ /* ++ * It never makes sense for CHOICE types to have implicit tagging, so ++ * if tag != -1, then this looks like an error in the template. ++ */ ++ if (tag != -1) { ++ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_BAD_TEMPLATE); ++ goto err; ++ } ++ + if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) + goto auxerr; + if (*pval) { +--- a/crypto/asn1/asn1.h ++++ b/crypto/asn1/asn1.h +@@ -1306,6 +1306,7 @@ void ERR_load_ASN1_strings(void); + # define ASN1_R_AUX_ERROR 100 + # define ASN1_R_BAD_CLASS 101 + # define ASN1_R_BAD_OBJECT_HEADER 102 ++# define ASN1_R_BAD_TEMPLATE 230 + # define ASN1_R_BAD_PASSWORD_READ 103 + # define ASN1_R_BAD_TAG 104 + # define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 214 diff -Nru openssl-1.0.2g/debian/patches/CVE-2020-1971-4.patch openssl-1.0.2g/debian/patches/CVE-2020-1971-4.patch --- openssl-1.0.2g/debian/patches/CVE-2020-1971-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2020-1971-4.patch 2020-12-02 15:28:54.000000000 +0000 
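Review bot: The embedded diffstat names `crypto/err/openssl.txt` and `include/openssl/asn1err.h`, neither of which is a 1.0.2 file, while the hunks actually touch `crypto/asn1/asn1.h`; since the header is already marked `Backport of:`, the stat should be dropped or rewritten to the 1.0.2 paths so it does not misdescribe the patch. The new reason code `ASN1_R_BAD_TEMPLATE 230` is taken from the 1.1.1 numbering; please confirm 230 is unassigned in this tree's `asn1.h` (the visible neighbours reach only 214), since a collision would make `ERR_reason_error_string` report the wrong text for one of the two. The two `tag != -1` guards in `asn1_item_ex_d2i` fail before anything is allocated in their branch, so the existing `err:` path should be safe for them; the rest of that function lies outside the hunk.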
@@ -0,0 +1,68 @@ +Backport of: + +From 69f3d3c405991b0d6eea78d554b6aab4daeb4514 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Thu, 12 Nov 2020 14:55:31 +0000 +Subject: [PATCH] Complain if we are attempting to encode with an invalid ASN.1 + template + +It never makes sense for multi-string or CHOICE types to have implicit +tagging. If we have a template that uses the in this way then we +should immediately fail. + +Thanks to David Benjamin from Google for reporting this issue. +--- + crypto/asn1/asn1_err.c | 3 ++- + crypto/asn1/tasn_enc.c | 16 ++++++++++++++++ + crypto/err/openssl.txt | 1 + + include/openssl/asn1err.h | 7 +++---- + 4 files changed, 22 insertions(+), 5 deletions(-) + +--- a/crypto/asn1/asn1_err.c ++++ b/crypto/asn1/asn1_err.c +@@ -103,6 +103,7 @@ static ERR_STRING_DATA ASN1_str_functs[] + {ERR_FUNC(ASN1_F_ASN1_ITEM_DUP), "ASN1_item_dup"}, + {ERR_FUNC(ASN1_F_ASN1_ITEM_EX_COMBINE_NEW), "ASN1_ITEM_EX_COMBINE_NEW"}, + {ERR_FUNC(ASN1_F_ASN1_ITEM_EX_D2I), "ASN1_ITEM_EX_D2I"}, ++ {ERR_FUNC(ASN1_F_ASN1_ITEM_EX_I2D), "ASN1_item_ex_i2d"}, + {ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_BIO), "ASN1_item_i2d_bio"}, + {ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_FP), "ASN1_item_i2d_fp"}, + {ERR_FUNC(ASN1_F_ASN1_ITEM_PACK), "ASN1_item_pack"}, +--- a/crypto/asn1/tasn_enc.c ++++ b/crypto/asn1/tasn_enc.c +@@ -150,9 +150,25 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, + break; + + case ASN1_ITYPE_MSTRING: ++ /* ++ * It never makes sense for multi-strings to have implicit tagging, so ++ * if tag != -1, then this looks like an error in the template. ++ */ ++ if (tag != -1) { ++ ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE); ++ return -1; ++ } + return asn1_i2d_ex_primitive(pval, out, it, -1, aclass); + + case ASN1_ITYPE_CHOICE: ++ /* ++ * It never makes sense for CHOICE types to have implicit tagging, so ++ * if tag != -1, then this looks like an error in the template. 
++ */ ++ if (tag != -1) { ++ ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE); ++ return -1; ++ } + if (asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it, NULL)) + return 0; + i = asn1_get_choice_selector(pval, it); +--- a/crypto/asn1/asn1.h ++++ b/crypto/asn1/asn1.h +@@ -1210,6 +1210,7 @@ void ERR_load_ASN1_strings(void); + # define ASN1_F_ASN1_ITEM_DUP 191 + # define ASN1_F_ASN1_ITEM_EX_COMBINE_NEW 121 + # define ASN1_F_ASN1_ITEM_EX_D2I 120 ++# define ASN1_F_ASN1_ITEM_EX_I2D 144 + # define ASN1_F_ASN1_ITEM_I2D_BIO 192 + # define ASN1_F_ASN1_ITEM_I2D_FP 193 + # define ASN1_F_ASN1_ITEM_PACK 198 diff -Nru openssl-1.0.2g/debian/patches/CVE-2020-1971-5.patch openssl-1.0.2g/debian/patches/CVE-2020-1971-5.patch --- openssl-1.0.2g/debian/patches/CVE-2020-1971-5.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2020-1971-5.patch 2020-12-02 18:11:20.000000000 +0000 
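Review bot: The new guards in `ASN1_item_ex_i2d` fail with `return -1`, while the adjacent `asn1_cb` failure in the CHOICE branch uses `return 0`, so the same switch now has two error conventions and a caller that tests only `< 0` (or only `<= 0`) sees the two failures differently. Matching upstream is reasonable, but the first guard deserves a comment such as `/* Template error: return -1 so callers testing < 0 see a hard failure */`; which convention this tree's callers actually check is not visible here. As with the decoder patch, the diffstat lists `crypto/err/openssl.txt` and `include/openssl/asn1err.h`, which are not 1.0.2 files, and `ASN1_F_ASN1_ITEM_EX_I2D 144` should be checked against the 1.0.2 function-code table before its error string is relied on.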
@@ -0,0 +1,385 @@ +Backport of: + +From c3e7925c31675ad42d9e7d1974e98c10d4fef5df Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Mon, 30 Nov 2020 13:50:52 +0000 +Subject: [PATCH] Add a test for GENERAL_NAME_cmp + +Based on a boringssl test contributed by David Benjamin +--- + test/v3nametest.c | 344 ++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 344 insertions(+) + +--- a/crypto/x509v3/v3nametest.c ++++ b/crypto/x509v3/v3nametest.c +@@ -3,6 +3,8 @@ + #include "../e_os.h" + #include + ++#define OSSL_NELEM(x) (sizeof(x)/sizeof(x[0])) ++ + static const char *const names[] = { + "a", "b", ".", "*", "@", + ".a", "a.", ".b", "b.", ".*", "*.", "*@", "@*", "a@", "@a", "b@", "..", +@@ -321,6 +323,349 @@ static void run_cert(X509 *crt, const ch + } + } + ++struct gennamedata { ++ const unsigned char der[22]; ++ size_t derlen; ++} gennames[] = { ++ { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * SEQUENCE {} ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x13, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x02, 0x30, 0x00 ++ }, ++ 21 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * [APPLICATION 0] {} ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x13, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x02, 0x60, 0x00 ++ }, ++ 21 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x0c, 0x01, 0x61 ++ }, ++ 22 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.2 } ++ * [0] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x02, 0xa0, 0x03, 0x0c, 0x01, 0x61 ++ 
}, ++ 22 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * UTF8String { "b" } ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x0c, 0x01, 0x62 ++ }, ++ 22 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * BOOLEAN { TRUE } ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x01, 0x01, 0xff ++ }, ++ 22 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * BOOLEAN { FALSE } ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x01, 0x01, 0x00 ++ }, ++ 22 ++ }, { ++ /* [1 PRIMITIVE] { "a" } */ ++ { ++ 0x81, 0x01, 0x61 ++ }, ++ 3 ++ }, { ++ /* [1 PRIMITIVE] { "b" } */ ++ { ++ 0x81, 0x01, 0x62 ++ }, ++ 3 ++ }, { ++ /* [2 PRIMITIVE] { "a" } */ ++ { ++ 0x82, 0x01, 0x61 ++ }, ++ 3 ++ }, { ++ /* [2 PRIMITIVE] { "b" } */ ++ { ++ 0x82, 0x01, 0x62 ++ }, ++ 3 ++ }, { ++ /* ++ * [4] { ++ * SEQUENCE { ++ * SET { ++ * SEQUENCE { ++ * # commonName ++ * OBJECT_IDENTIFIER { 2.5.4.3 } ++ * UTF8String { "a" } ++ * } ++ * } ++ * } ++ * } ++ */ ++ { ++ 0xa4, 0x0e, 0x30, 0x0c, 0x31, 0x0a, 0x30, 0x08, 0x06, 0x03, 0x55, ++ 0x04, 0x03, 0x0c, 0x01, 0x61 ++ }, ++ 16 ++ }, { ++ /* ++ * [4] { ++ * SEQUENCE { ++ * SET { ++ * SEQUENCE { ++ * # commonName ++ * OBJECT_IDENTIFIER { 2.5.4.3 } ++ * UTF8String { "b" } ++ * } ++ * } ++ * } ++ * } ++ */ ++ { ++ 0xa4, 0x0e, 0x30, 0x0c, 0x31, 0x0a, 0x30, 0x08, 0x06, 0x03, 0x55, ++ 0x04, 0x03, 0x0c, 0x01, 0x62 ++ }, ++ 16 ++ }, { ++ /* ++ * [5] { ++ * [1] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa5, 0x05, 0xa1, 0x03, 0x0c, 0x01, 0x61 ++ }, ++ 7 ++ }, { ++ /* ++ * [5] { ++ * [1] { ++ * UTF8String { "b" } ++ * } ++ * } ++ */ ++ { ++ 
0xa5, 0x05, 0xa1, 0x03, 0x0c, 0x01, 0x62 ++ }, ++ 7 ++ }, { ++ /* ++ * [5] { ++ * [0] { ++ * UTF8String {} ++ * } ++ * [1] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa5, 0x09, 0xa0, 0x02, 0x0c, 0x00, 0xa1, 0x03, 0x0c, 0x01, 0x61 ++ }, ++ 11 ++ }, { ++ /* ++ * [5] { ++ * [0] { ++ * UTF8String { "a" } ++ * } ++ * [1] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa5, 0x0a, 0xa0, 0x03, 0x0c, 0x01, 0x61, 0xa1, 0x03, 0x0c, 0x01, ++ 0x61 ++ }, ++ 12 ++ }, { ++ /* ++ * [5] { ++ * [0] { ++ * UTF8String { "b" } ++ * } ++ * [1] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa5, 0x0a, 0xa0, 0x03, 0x0c, 0x01, 0x62, 0xa1, 0x03, 0x0c, 0x01, ++ 0x61 ++ }, ++ 12 ++ }, { ++ /* [6 PRIMITIVE] { "a" } */ ++ { ++ 0x86, 0x01, 0x61 ++ }, ++ 3 ++ }, { ++ /* [6 PRIMITIVE] { "b" } */ ++ { ++ 0x86, 0x01, 0x62 ++ }, ++ 3 ++ }, { ++ /* [7 PRIMITIVE] { `11111111` } */ ++ { ++ 0x87, 0x04, 0x11, 0x11, 0x11, 0x11 ++ }, ++ 6 ++ }, { ++ /* [7 PRIMITIVE] { `22222222`} */ ++ { ++ 0x87, 0x04, 0x22, 0x22, 0x22, 0x22 ++ }, ++ 6 ++ }, { ++ /* [7 PRIMITIVE] { `11111111111111111111111111111111` } */ ++ { ++ 0x87, 0x10, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, ++ 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11 ++ }, ++ 18 ++ }, { ++ /* [7 PRIMITIVE] { `22222222222222222222222222222222` } */ ++ { ++ 0x87, 0x10, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, ++ 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 ++ }, ++ 18 ++ }, { ++ /* [8 PRIMITIVE] { 1.2.840.113554.4.1.72585.2.1 } */ ++ { ++ 0x88, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84, ++ 0xb7, 0x09, 0x02, 0x01 ++ }, ++ 15 ++ }, { ++ /* [8 PRIMITIVE] { 1.2.840.113554.4.1.72585.2.2 } */ ++ { ++ 0x88, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84, ++ 0xb7, 0x09, 0x02, 0x02 ++ }, ++ 15 ++ } ++}; ++ ++static int test_GENERAL_NAME_cmp(void) ++{ ++ size_t i, j; ++ GENERAL_NAME **namesa = OPENSSL_malloc(sizeof(*namesa) ++ * OSSL_NELEM(gennames)); ++ GENERAL_NAME **namesb = 
OPENSSL_malloc(sizeof(*namesb) ++ * OSSL_NELEM(gennames)); ++ int testresult = 0; ++ ++ if (namesa == NULL || namesb == NULL) ++ goto end; ++ ++ for (i = 0; i < OSSL_NELEM(gennames); i++) { ++ const unsigned char *derp = gennames[i].der; ++ ++ /* ++ * We create two versions of each GENERAL_NAME so that we ensure when ++ * we compare them they are always different pointers. ++ */ ++ namesa[i] = d2i_GENERAL_NAME(NULL, &derp, gennames[i].derlen); ++ derp = gennames[i].der; ++ namesb[i] = d2i_GENERAL_NAME(NULL, &derp, gennames[i].derlen); ++ if (namesa[i] == NULL || namesb[i] == NULL) ++ goto end; ++ } ++ ++ /* Every name should be equal to itself and not equal to any others. */ ++ for (i = 0; i < OSSL_NELEM(gennames); i++) { ++ for (j = 0; j < OSSL_NELEM(gennames); j++) { ++ if (i == j) { ++ if (GENERAL_NAME_cmp(namesa[i], namesb[j]) != 0) ++ goto end; ++ } else { ++ if (GENERAL_NAME_cmp(namesa[i], namesb[j]) == 0) ++ goto end; ++ } ++ } ++ } ++ testresult = 1; ++ ++ end: ++ for (i = 0; i < OSSL_NELEM(gennames); i++) { ++ if (namesa != NULL) ++ GENERAL_NAME_free(namesa[i]); ++ if (namesb != NULL) ++ GENERAL_NAME_free(namesb[i]); ++ } ++ OPENSSL_free(namesa); ++ OPENSSL_free(namesb); ++ ++ return testresult; ++} ++ + int main(void) + { + const struct set_name_fn *pfn = name_fns; +@@ -342,5 +687,11 @@ int main(void) + } + ++pfn; + } ++ ++ if (!test_GENERAL_NAME_cmp()) { ++ fprintf(stderr, "test_GENERAL_NAME_cmp failed\n"); ++ return 1; ++ } ++ + return errors > 0 ? 1 : 0; + } diff -Nru openssl-1.0.2g/debian/patches/CVE-2021-23840.patch openssl-1.0.2g/debian/patches/CVE-2021-23840.patch --- openssl-1.0.2g/debian/patches/CVE-2021-23840.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2021-23840.patch 2021-02-17 14:16:17.000000000 +0000 
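Review bot: In `test_GENERAL_NAME_cmp` the `end:` loop frees every slot of `namesa` and `namesb`, but both arrays come from `OPENSSL_malloc` and are only filled up to the index at which the `d2i_GENERAL_NAME` loop hits `goto end`, so a decode failure at entry k hands uninitialized pointers from k+1 onward to `GENERAL_NAME_free`. 1.0.2 has no `OPENSSL_zalloc`, so zero the arrays right after the NULL check: `memset(namesa, 0, sizeof(*namesa) * OSSL_NELEM(gennames));` and `memset(namesb, 0, sizeof(*namesb) * OSSL_NELEM(gennames));`. This only matters on the failure path, but that is precisely the path a broken backport of the ASN.1 templates would take, and a crash there hides the real error; `<string.h>` is presumably already included given the include on line 4 of the file, but confirm.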
@@ -0,0 +1,79 @@ +Backport of: + +From 6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 2 Feb 2021 17:17:23 +0000 +Subject: [PATCH] Don't overflow the output length in EVP_CipherUpdate calls + +CVE-2021-23840 + +Reviewed-by: Paul Dale +--- + crypto/err/openssl.txt | 3 ++- + crypto/evp/evp_enc.c | 27 +++++++++++++++++++++++++++ + crypto/evp/evp_err.c | 4 +++- + include/openssl/evperr.h | 7 +++---- + 4 files changed, 35 insertions(+), 6 deletions(-) + +--- a/crypto/evp/evp_enc.c ++++ b/crypto/evp/evp_enc.c +@@ -354,6 +354,19 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ct + return 1; + } else { + j = bl - i; ++ ++ /* ++ * Once we've processed the first j bytes from in, the amount of ++ * data left that is a multiple of the block length is: ++ * (inl - j) & ~(bl - 1) ++ * We must ensure that this amount of data, plus the one block that ++ * we process from ctx->buf does not exceed INT_MAX ++ */ ++ if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) { ++ EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE, ++ EVP_R_OUTPUT_WOULD_OVERFLOW); ++ return 0; ++ } + memcpy(&(ctx->buf[i]), in, j); + if (!M_do_cipher(ctx, out, ctx->buf, bl)) + return 0; +@@ -455,6 +468,19 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct + OPENSSL_assert(b <= sizeof ctx->final); + + if (ctx->final_used) { ++ /* ++ * final_used is only ever set if buf_len is 0. 
Therefore the maximum ++ * length output we will ever see from evp_EncryptDecryptUpdate is ++ * the maximum multiple of the block length that is <= inl, or just: ++ * inl & ~(b - 1) ++ * Since final_used has been set then the final output length is: ++ * (inl & ~(b - 1)) + b ++ * This must never exceed INT_MAX ++ */ ++ if ((inl & ~(b - 1)) > INT_MAX - b) { ++ EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_OUTPUT_WOULD_OVERFLOW); ++ return 0; ++ } + memcpy(out, ctx->final, b); + out += b; + fix_len = 1; +--- a/crypto/evp/evp_err.c ++++ b/crypto/evp/evp_err.c +@@ -215,6 +215,7 @@ static ERR_STRING_DATA EVP_str_reasons[] + {ERR_REASON(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), + "operation not supported for this keytype"}, + {ERR_REASON(EVP_R_OPERATON_NOT_INITIALIZED), "operaton not initialized"}, ++ {ERR_REASON(EVP_R_OUTPUT_WOULD_OVERFLOW), "output would overflow"}, + {ERR_REASON(EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE), + "pkcs8 unknown broken type"}, + {ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR), "private key decode error"}, +--- a/crypto/evp/evp.h ++++ b/crypto/evp/evp.h +@@ -1509,6 +1509,7 @@ void ERR_load_EVP_strings(void); + # define EVP_R_NO_VERIFY_FUNCTION_CONFIGURED 105 + # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150 + # define EVP_R_OPERATON_NOT_INITIALIZED 151 ++# define EVP_R_OUTPUT_WOULD_OVERFLOW 184 + # define EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE 117 + # define EVP_R_PRIVATE_KEY_DECODE_ERROR 145 + # define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146 diff -Nru openssl-1.0.2g/debian/patches/CVE-2021-23840-pre1.patch openssl-1.0.2g/debian/patches/CVE-2021-23840-pre1.patch --- openssl-1.0.2g/debian/patches/CVE-2021-23840-pre1.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2g/debian/patches/CVE-2021-23840-pre1.patch 2021-02-17 14:14:05.000000000 +0000 
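Review bot: The overflow check inserted into `EVP_EncryptUpdate` reports `EVP_F_EVP_ENCRYPTDECRYPTUPDATE`, whose string is "evp_EncryptDecryptUpdate", a helper that exists upstream but not in 1.0.2, where `EVP_EncryptUpdate` and `EVP_DecryptUpdate` are separate functions; the error queue will therefore name a function that does not exist in this tree, so use the code the companion pre1 patch adds, `EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_OUTPUT_WOULD_OVERFLOW);`. In `EVP_DecryptUpdate` the test `(inl & ~(b - 1)) > INT_MAX - b` mixes `inl` (int) with `b`, which is `unsigned int` in the 1.0.2 source as far as I recall; that is harmless only because `inl <= 0` is rejected earlier in the function, and a comment saying so, e.g. `/* inl > 0 here, so the unsigned promotion via b is safe */`, would stop a later reader from "fixing" it. Both enclosing functions start and end outside the hunk.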
@@ -0,0 +1,41 @@
+Partial backport of:
+
+From 83151b73a4736bca1797f8edc2b0ad4cf7ac9146 Mon Sep 17 00:00:00 2001
+From: Andy Polyakov
+Date: Mon, 25 Jul 2016 15:02:26 +0200
+Subject: [PATCH] evp/evp_enc.c: make assert error message more readable and
+ add EVPerr(PARTIALLY_OVERLAPPED)
+
+Reviewed-by: Stephen Henson
+---
+ crypto/evp/evp_enc.c | 28 +++++++++++++++++++---------
+ crypto/evp/evp_err.c | 3 +++
+ include/openssl/evp.h | 3 +++
+ 3 files changed, 25 insertions(+), 9 deletions(-)
+
+--- a/crypto/evp/evp_err.c
++++ b/crypto/evp/evp_err.c
+@@ -92,8 +92,10 @@ static ERR_STRING_DATA EVP_str_functs[]
+ {ERR_FUNC(EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH),
+ "EVP_CIPHER_CTX_set_key_length"},
+ {ERR_FUNC(EVP_F_EVP_DECRYPTFINAL_EX), "EVP_DecryptFinal_ex"},
++ {ERR_FUNC(EVP_F_EVP_DECRYPTUPDATE), "EVP_DecryptUpdate"},
+ {ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"},
+ {ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"},
++ {ERR_FUNC(EVP_F_EVP_ENCRYPTUPDATE), "EVP_EncryptUpdate"},
+ {ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"},
+ {ERR_FUNC(EVP_F_EVP_MD_SIZE), "EVP_MD_size"},
+ {ERR_FUNC(EVP_F_EVP_OPENINIT), "EVP_OpenInit"},
+--- a/crypto/evp/evp.h
++++ b/crypto/evp/evp.h
+@@ -1396,8 +1396,10 @@ void ERR_load_EVP_strings(void);
+ # define EVP_F_EVP_CIPHER_CTX_CTRL 124
+ # define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH 122
+ # define EVP_F_EVP_DECRYPTFINAL_EX 101
++# define EVP_F_EVP_DECRYPTUPDATE 166
+ # define EVP_F_EVP_DIGESTINIT_EX 128
+ # define EVP_F_EVP_ENCRYPTFINAL_EX 127
++# define EVP_F_EVP_ENCRYPTUPDATE 167
+ # define EVP_F_EVP_MD_CTX_COPY_EX 110
+ # define EVP_F_EVP_MD_SIZE 162
+ # define EVP_F_EVP_OPENINIT 102
diff -Nru openssl-1.0.2g/debian/patches/CVE-2021-23840-pre2.patch openssl-1.0.2g/debian/patches/CVE-2021-23840-pre2.patch
--- openssl-1.0.2g/debian/patches/CVE-2021-23840-pre2.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2021-23840-pre2.patch 2021-02-17 14:15:44.000000000 +0000
@@ -0,0 +1,38 @@
+Backport of:
+
+From 4bd0db1feaaf97fbc2bd31f54f1fbdeab80b2b1a Mon Sep 17 00:00:00 2001
+From: Richard Levitte
+Date: Sun, 9 Dec 2018 14:20:30 +0100
+Subject: [PATCH] make update
+
+Reviewed-by: Kurt Roeckx
+Reviewed-by: Paul Dale
+(Merged from https://github.com/openssl/openssl/pull/7852)
+
+(cherry picked from commit f2f734d4f9e34643a1d3e5b79d2447cd643519f8)
+---
+ crypto/err/openssl.txt | 1 +
+ crypto/evp/evp_err.c | 2 ++
+ include/openssl/evperr.h | 1 +
+ 3 files changed, 4 insertions(+)
+
+--- a/crypto/evp/evp_err.c
++++ b/crypto/evp/evp_err.c
+@@ -94,6 +94,7 @@ static ERR_STRING_DATA EVP_str_functs[]
+ {ERR_FUNC(EVP_F_EVP_DECRYPTFINAL_EX), "EVP_DecryptFinal_ex"},
+ {ERR_FUNC(EVP_F_EVP_DECRYPTUPDATE), "EVP_DecryptUpdate"},
+ {ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"},
++ {ERR_FUNC(EVP_F_EVP_ENCRYPTDECRYPTUPDATE), "evp_EncryptDecryptUpdate"},
+ {ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"},
+ {ERR_FUNC(EVP_F_EVP_ENCRYPTUPDATE), "EVP_EncryptUpdate"},
+ {ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"},
+--- a/crypto/evp/evp.h
++++ b/crypto/evp/evp.h
+@@ -1398,6 +1398,7 @@ void ERR_load_EVP_strings(void);
+ # define EVP_F_EVP_DECRYPTFINAL_EX 101
+ # define EVP_F_EVP_DECRYPTUPDATE 166
+ # define EVP_F_EVP_DIGESTINIT_EX 128
++# define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 219
+ # define EVP_F_EVP_ENCRYPTFINAL_EX 127
+ # define EVP_F_EVP_ENCRYPTUPDATE 167
+ # define EVP_F_EVP_MD_CTX_COPY_EX 110
diff -Nru openssl-1.0.2g/debian/patches/CVE-2021-23841.patch openssl-1.0.2g/debian/patches/CVE-2021-23841.patch
--- openssl-1.0.2g/debian/patches/CVE-2021-23841.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/CVE-2021-23841.patch 2021-02-17 13:06:07.000000000 +0000
@@ -0,0 +1,40 @@
+Backport of:
+
+From 122a19ab48091c657f7cb1fb3af9fc07bd557bbf Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Wed, 10 Feb 2021 16:10:36 +0000
+Subject: [PATCH] Fix Null pointer deref in X509_issuer_and_serial_hash()
+
+The OpenSSL public API function X509_issuer_and_serial_hash() attempts
+to create a unique hash value based on the issuer and serial number data
+contained within an X509 certificate. However it fails to correctly
+handle any errors that may occur while parsing the issuer field (which
+might occur if the issuer field is maliciously constructed). This may
+subsequently result in a NULL pointer deref and a crash leading to a
+potential denial of service attack.
+
+The function X509_issuer_and_serial_hash() is never directly called by
+OpenSSL itself so applications are only vulnerable if they use this
+function directly and they use it on certificates that may have been
+obtained from untrusted sources.
+
+CVE-2021-23841
+
+Reviewed-by: Richard Levitte
+Reviewed-by: Paul Dale
+(cherry picked from commit 8130d654d1de922ea224fa18ee3bc7262edc39c0)
+---
+ crypto/x509/x509_cmp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/crypto/x509/x509_cmp.c
++++ b/crypto/x509/x509_cmp.c
+@@ -87,6 +87,8 @@ unsigned long X509_issuer_and_serial_has
+
+ EVP_MD_CTX_init(&ctx);
+ f = X509_NAME_oneline(a->cert_info->issuer, NULL, 0);
++ if (f == NULL)
++ goto err;
+ if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
+ goto err;
+ if (!EVP_DigestUpdate(&ctx, (unsigned char *)f, strlen(f)))
diff -Nru openssl-1.0.2g/debian/patches/debian-targets.patch openssl-1.0.2g/debian/patches/debian-targets.patch
--- openssl-1.0.2g/debian/patches/debian-targets.patch 2016-01-28 18:34:25.000000000 +0000
+++ openssl-1.0.2g/debian/patches/debian-targets.patch 2016-07-28 16:24:04.000000000 +0000
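Review bot: The added `if (f == NULL) goto err;` closes the NULL dereference, but the two pre-existing `goto err` paths immediately below it (on `EVP_DigestInit_ex` and `EVP_DigestUpdate` failure) still leave the `X509_NAME_oneline` buffer in `f` unreleased unless `err:` frees it, and the hunk does not show that label; if it does not, free `f` there (`OPENSSL_free(f);` is harmless for the new NULL case). Separately, the function reports failure by returning 0, which is also a legal hash value, so a caller cannot tell "issuer could not be printed" from a genuine zero hash; that is pre-existing, but the new branch is where a reader will look, so a comment such as `/* unparseable issuer: return 0 like the other error paths; callers cannot distinguish this from a zero hash */` is warranted. The remainder of `X509_issuer_and_serial_hash` lies outside the hunk.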
@@ -1,8 +1,8 @@ -Index: openssl-1.0.2f/Configure +Index: openssl-1.0.2g/Configure =================================================================== ---- openssl-1.0.2f.orig/Configure -+++ openssl-1.0.2f/Configure -@@ -127,6 +127,10 @@ my $clang_devteam_warn = "-Wno-unused-pa +--- openssl-1.0.2g.orig/Configure ++++ openssl-1.0.2g/Configure +@@ -131,6 +131,10 @@ my $clang_devteam_warn = "-Wno-unused-pa # Warn that "make depend" should be run? my $warn_make_depend = 0; @@ -13,7 +13,7 @@ my $strict_warnings = 0; my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL"; -@@ -363,6 +367,55 @@ my %table=( +@@ -367,6 +371,55 @@ my %table=( "osf1-alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so", "tru64-alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared::-msym:.so", 
@@ -53,8 +53,8 @@ +"debian-powerpcspe","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-ppc64","gcc:-m64 -DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-ppc64el","gcc:-m64 -DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"debian-s390","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"debian-s390x","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-s390","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"debian-s390x","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-sh3", "gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-sh4", "gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-sh3eb", "gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", diff -Nru openssl-1.0.2g/debian/patches/fix-sha-ni.patch 
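Review bot: The `debian-s390` entry is removed and re-added with text that looks byte-identical in this view (presumably a whitespace-only difference), while the substantive change is confined to `debian-s390x`, whose asm field moves from `${no_asm}` to `${s390x_asm}:64`. If the s390 line is really unchanged, dropping it keeps the patch focused on the s390x asm enablement; if it is a whitespace fix, say so in the patch header so the next reader does not have to diff the two strings. Switching s390x from the portable C implementations to the perlasm ones changes which cipher and hash code actually runs on that architecture, which deserves a sentence in the patch header rather than being left implicit in a %table edit. The %table hash whose entries these are starts and ends outside the hunk.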
openssl-1.0.2g/debian/patches/fix-sha-ni.patch
--- openssl-1.0.2g/debian/patches/fix-sha-ni.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/fix-sha-ni.patch 2017-05-19 08:27:37.000000000 +0000
@@ -0,0 +1,27 @@
+Description: fix IV handling in SHAEXT paths.
+Author: Andy Polyakov
+Origin: https://github.com/openssl/openssl/commit/08d09628d2c9f3ef599399d8cad021a07ab98347
+Index: openssl-1.0.2g/crypto/aes/asm/aesni-sha1-x86_64.pl
+===================================================================
+--- openssl-1.0.2g.orig/crypto/aes/asm/aesni-sha1-x86_64.pl
++++ openssl-1.0.2g/crypto/aes/asm/aesni-sha1-x86_64.pl
+@@ -1702,6 +1702,7 @@ $code.=<<___;
+ mov 240($key),$rounds
+ sub $in0,$out
+ movups ($key),$rndkey0 # $key[0]
++ movups ($ivp),$iv # load IV
+ movups 16($key),$rndkey[0] # forward reference
+ lea 112($key),$key # size optimization
+
+Index: openssl-1.0.2g/crypto/aes/asm/aesni-sha256-x86_64.pl
+===================================================================
+--- openssl-1.0.2g.orig/crypto/aes/asm/aesni-sha256-x86_64.pl
++++ openssl-1.0.2g/crypto/aes/asm/aesni-sha256-x86_64.pl
+@@ -1299,6 +1299,7 @@ $code.=<<___;
+ mov 240($key),$rounds
+ sub $in0,$out
+ movups ($key),$rndkey0 # $key[0]
++ movups ($ivp),$iv # load IV
+ movups 16($key),$rndkey[0] # forward reference
+ lea 112($key),$key # size optimization
+
diff -Nru openssl-1.0.2g/debian/patches/move-extended-feature-detection.patch openssl-1.0.2g/debian/patches/move-extended-feature-detection.patch
--- openssl-1.0.2g/debian/patches/move-extended-feature-detection.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/move-extended-feature-detection.patch 2017-04-28 01:58:40.000000000 +0000
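Review bot: The DEP-3 header says only "fix IV handling in SHAEXT paths" and never states the effect, and the two `movups ($ivp),$iv # load IV` insertions are identical, so the reason belongs once in the header: something like `The SHAEXT (SHA-NI) stitched AES-CBC+SHA entry points did not load the caller's IV into $iv before the first block, so chaining started from whatever the register held.` That consequence is inferred from the added instruction and its comment rather than shown by the hunk, so check it against the Origin commit before wording it that way. A `Bug`/`Bug-Ubuntu` field and a note that only CPUs on which the SHAEXT path is selected are affected would help anyone triaging whether a given host ran the broken code. Both hunks sit inside `$code.=<<___;` heredocs whose start and end are outside the hunk.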
@@ -0,0 +1,133 @@ +Description: Extended feature flags were not pulled on AMD processors, as result a number of extensions were effectively masked on AMD Ryzen CPU. + This fix moves extended feature detection past basic feature detection where it belongs. 32-bit counterpart is harmonized too. +Author: Andy Polyakov +Origin: https://github.com/openssl/openssl/commit/f8418d87e191e46b81e1b9548326ab2876fa0907 and https://github.com/openssl/openssl/commit/1aed5e1ac28790cc915ad03e86e2d5e896a4ea13 +Bug: https://github.com/openssl/openssl/issues/2848 +Bug-Ubuntu: https://launchpad.net/bugs/1674399 +--- a/crypto/x86_64cpuid.pl ++++ b/crypto/x86_64cpuid.pl +@@ -59,7 +59,7 @@ + mov %rbx,%r8 # save %rbx + + xor %eax,%eax +- mov %eax,8(%rdi) # clear 3rd word ++ mov %eax,8(%rdi) # clear extended feature flags + cpuid + mov %eax,%r11d # max value for standard query level + +@@ -127,14 +127,6 @@ + shr \$14,%r10d + and \$0xfff,%r10d # number of cores -1 per L1D + +- cmp \$7,%r11d +- jb .Lnocacheinfo +- +- mov \$7,%eax +- xor %ecx,%ecx +- cpuid +- mov %ebx,8(%rdi) +- + .Lnocacheinfo: + mov \$1,%eax + cpuid +@@ -164,6 +156,15 @@ + or %ecx,%r9d # merge AMD XOP flag + + mov %edx,%r10d # %r9d:%r10d is copy of %ecx:%edx ++ ++ cmp \$7,%r11d ++ jb .Lno_extended_info ++ mov \$7,%eax ++ xor %ecx,%ecx ++ cpuid ++ mov %ebx,8(%rdi) # save extended feature flags ++.Lno_extended_info: ++ + bt \$27,%r9d # check OSXSAVE bit + jnc .Lclear_avx + xor %ecx,%ecx # XCR0 +--- a/crypto/x86cpuid.pl ++++ b/crypto/x86cpuid.pl +@@ -22,10 +22,10 @@ + &pop ("eax"); + &xor ("ecx","eax"); + &xor ("eax","eax"); ++ &mov ("esi",&wparam(0)); ++ &mov (&DWP(8,"esi"),"eax"); # clear extended feature flags + &bt ("ecx",21); + &jnc (&label("nocpuid")); +- &mov ("esi",&wparam(0)); +- &mov (&DWP(8,"esi"),"eax"); # clear 3rd word + &cpuid (); + &mov ("edi","eax"); # max value for standard query level + +@@ -83,26 +83,16 @@ + &jmp (&label("generic")); + + &set_label("intel"); +- &cmp ("edi",7); +- &jb (&label("cacheinfo")); +- 
+- &mov ("esi",&wparam(0)); +- &mov ("eax",7); +- &xor ("ecx","ecx"); +- &cpuid (); +- &mov (&DWP(8,"esi"),"ebx"); +- +-&set_label("cacheinfo"); + &cmp ("edi",4); +- &mov ("edi",-1); ++ &mov ("esi",-1); + &jb (&label("nocacheinfo")); + + &mov ("eax",4); + &mov ("ecx",0); # query L1D + &cpuid (); +- &mov ("edi","eax"); +- &shr ("edi",14); +- &and ("edi",0xfff); # number of cores -1 per L1D ++ &mov ("esi","eax"); ++ &shr ("esi",14); ++ &and ("esi",0xfff); # number of cores -1 per L1D + + &set_label("nocacheinfo"); + &mov ("eax",1); +@@ -120,7 +110,7 @@ + &bt ("edx",28); # test hyper-threading bit + &jnc (&label("generic")); + &and ("edx",0xefffffff); +- &cmp ("edi",0); ++ &cmp ("esi",0); + &je (&label("generic")); + + &or ("edx",0x10000000); +@@ -132,10 +122,19 @@ + &set_label("generic"); + &and ("ebp",1<<11); # isolate AMD XOP flag + &and ("ecx",0xfffff7ff); # force 11th bit to 0 +- &mov ("esi","edx"); ++ &mov ("esi","edx"); # %ebp:%esi is copy of %ecx:%edx + &or ("ebp","ecx"); # merge AMD XOP flag + +- &bt ("ecx",27); # check OSXSAVE bit ++ &cmp ("edi",7); ++ &mov ("edi",&wparam(0)); ++ &jb (&label("no_extended_info")); ++ &mov ("eax",7); ++ &xor ("ecx","ecx"); ++ &cpuid (); ++ &mov (&DWP(8,"edi"),"ebx"); # save extended feature flag ++&set_label("no_extended_info"); ++ ++ &bt ("ebp",27); # check OSXSAVE bit + &jnc (&label("clear_avx")); + &xor ("ecx","ecx"); + &data_byte(0x0f,0x01,0xd0); # xgetbv +@@ -149,7 +148,6 @@ + &and ("esi",0xfeffffff); # clear FXSR + &set_label("clear_avx"); + &and ("ebp",0xefffe7ff); # clear AVX, FMA and AMD XOP bits +- &mov ("edi",&wparam(0)); + &and (&DWP(8,"edi"),0xffffffdf); # clear AVX2 + &set_label("done"); + &mov ("eax","esi"); diff -Nru openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-ctor.patch openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-ctor.patch --- openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-ctor.patch 2016-04-15 04:56:29.000000000 +0000 +++ openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-ctor.patch 1970-01-01 
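Review bot: In the x86cpuid.pl hunk the OSXSAVE test changes from `&bt("ecx",27)` to `&bt("ebp",27)` with no comment, and the reason is easy to lose: the newly inserted leaf-7 `&cpuid()` overwrites %ecx, so the leaf-1 copy kept in %ebp (per the added `# %ebp:%esi is copy of %ecx:%edx`) is the only valid source, and a later reader may "restore" the ecx form. Suggest `# leaf-7 cpuid above clobbered %ecx; %ebp holds the leaf-1 copy` on that line. The x86_64 side inserts the same leaf-7 query after the leaf-1 copy is taken, and its `bt \$27,%r9d` already reads the saved copy, so no change is needed there; %ebx being overwritten by that cpuid is covered by the earlier `mov %rbx,%r8 # save %rbx`. The two new comments differ ("save extended feature flags" vs "save extended feature flag"); pick one. Both hunks are inside the cpuid routines, whose entry and exit are outside the hunk.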
00:00:00.000000000 +0000 @@ -1,187 +0,0 @@ -commit ebd8bb4303c805a4c8c20d39ac73af8d51dc2818 -Author: Joy Latten -Date: Wed Apr 13 22:38:57 2016 -0500 - - 
From: Joy Latten - Description: [PATCH 4/6] Additional fips 140-2 compliance changes - Bug-Ubuntu: http://bugs.launchpad.net/bugs/1553309 - Forwarded: not needed - Origin: vendor, http://pkgs.fedoraproject.org/cgit/rpms/openssl.git - -diff --git a/crypto/fips/fips.c b/crypto/fips/fips.c -index 29621c9..e5de012 100644 ---- a/crypto/fips/fips.c -+++ b/crypto/fips/fips.c -@@ -60,6 +60,8 @@ - #include - #include - #include -+#include -+#include - #include "fips_locl.h" - - #ifdef OPENSSL_FIPS -@@ -201,7 +203,9 @@ static char *bin2hex(void *buf, size_t len) - } - - # define HMAC_PREFIX "." --# define HMAC_SUFFIX ".hmac" -+# ifndef HMAC_SUFFIX -+# define HMAC_SUFFIX ".hmac" -+# endif - # define READ_BUFFER_LENGTH 16384 - - static char *make_hmac_path(const char *origpath) -@@ -279,20 +283,14 @@ static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen) - return rv; - } - --static int FIPSCHECK_verify(const char *libname, const char *symbolname) -+static int FIPSCHECK_verify(const char *path) - { -- char path[PATH_MAX + 1]; -- int rv; -+ int rv = 0; - FILE *hf; - char *hmacpath, *p; - char *hmac = NULL; - size_t n; - -- rv = get_library_path(libname, symbolname, path, sizeof(path)); -- -- if (rv < 0) -- return 0; -- - hmacpath = make_hmac_path(path); - if (hmacpath == NULL) - return 0; -@@ -343,6 +341,51 @@ static int FIPSCHECK_verify(const char *libname, const char *symbolname) - return 1; - } - -+static int verify_checksums(void) -+{ -+ int rv; -+ char path[PATH_MAX + 1]; -+ char *p; -+ -+ /* we need to avoid dlopening libssl, assume both libcrypto and libssl -+ are in the same directory */ -+ -+ rv = get_library_path("libcrypto.so." 
SHLIB_VERSION_NUMBER, -+ "FIPS_mode_set", path, sizeof(path)); -+ if (rv < 0) -+ return 0; -+ -+ rv = FIPSCHECK_verify(path); -+ if (!rv) -+ return 0; -+ -+ /* replace libcrypto with libssl */ -+ while ((p = strstr(path, "libcrypto.so")) != NULL) { -+ p = stpcpy(p, "libssl"); -+ memmove(p, p + 3, strlen(p + 2)); -+ } -+ -+ rv = FIPSCHECK_verify(path); -+ if (!rv) -+ return 0; -+ return 1; -+} -+ -+# ifndef FIPS_MODULE_PATH -+# define FIPS_MODULE_PATH "/etc/system-fips" -+# endif -+ -+int FIPS_module_installed(void) -+{ -+ int rv; -+ rv = access(FIPS_MODULE_PATH, F_OK); -+ if (rv < 0 && errno != ENOENT) -+ rv = 0; -+ -+ /* Installed == true */ -+ return !rv; -+} -+ - int FIPS_module_mode_set(int onoff, const char *auth) - { - int ret = 0; -@@ -380,17 +423,7 @@ int FIPS_module_mode_set(int onoff, const char *auth) - } - # endif - -- if (!FIPSCHECK_verify -- ("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set")) { -- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, -- FIPS_R_FINGERPRINT_DOES_NOT_MATCH); -- fips_selftest_fail = 1; -- ret = 0; -- goto end; -- } -- -- if (!FIPSCHECK_verify -- ("libssl.so." 
SHLIB_VERSION_NUMBER, "SSL_CTX_new")) { -+ if (!verify_checksums()) { - FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, - FIPS_R_FINGERPRINT_DOES_NOT_MATCH); - fips_selftest_fail = 1; -diff --git a/crypto/fips/fips.h b/crypto/fips/fips.h -index 30668c1..9777a73 100644 ---- a/crypto/fips/fips.h -+++ b/crypto/fips/fips.h -@@ -74,6 +74,7 @@ extern "C" { - - int FIPS_module_mode_set(int onoff, const char *auth); - int FIPS_module_mode(void); -+ int FIPS_module_installed(void); - const void *FIPS_rand_check(void); - int FIPS_selftest(void); - int FIPS_selftest_failed(void); -diff --git a/crypto/o_init.c b/crypto/o_init.c -index 2f754ef..a235755 100644 ---- a/crypto/o_init.c -+++ b/crypto/o_init.c -@@ -72,6 +72,9 @@ static void init_fips_mode(void) - char buf[2] = "0"; - int fd; - -+ /* Ensure the selftests always run */ -+ FIPS_mode_set(1); -+ - if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { - buf[0] = '1'; - } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { -@@ -83,8 +86,12 @@ static void init_fips_mode(void) - * otherwise.. - */ - -- if (buf[0] == '1') { -- FIPS_mode_set(1); -+ if (buf[0] != '1') { -+ /* drop down to non-FIPS mode if it is not requested */ -+ FIPS_mode_set(0); -+ } else { -+ /* abort if selftest failed */ -+ FIPS_selftest_check(); - } - } - #endif -@@ -94,13 +101,16 @@ static void init_fips_mode(void) - * sets FIPS callbacks - */ - --void OPENSSL_init_library(void) -+void __attribute__ ((constructor)) OPENSSL_init_library(void) - { - static int done = 0; - if (done) - return; - done = 1; - #ifdef OPENSSL_FIPS -+ if (!FIPS_module_installed()) { -+ return; -+ } - RAND_init_fips(); - init_fips_mode(); - if (!FIPS_mode()) { diff -Nru openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-ec.patch openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-ec.patch --- openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-ec.patch 2016-04-15 04:56:29.000000000 +0000 +++ openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-ec.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,1948 +0,0 @@ -commit 8571bf5fd200656c222d3f27738c31bace246e4d -Author: Joy Latten -Date: Thu Apr 14 01:11:50 2016 -0500 - - 
From: Joy Latten - Decription: [Patch 2/6] Add fips 140-2 support for EC. - Bug-Ubuntu: http://bugs.launchpad.net/bugs/1553309 - Forwarded: not-needed - Origin: vendor, http://pkgs.fedoraproject.org/cgit/rpms/openssl.git - -diff --git a/crypto/ec/ec_cvt.c b/crypto/ec/ec_cvt.c -index 5a832ba..010bd5f 100644 ---- a/crypto/ec/ec_cvt.c -+++ b/crypto/ec/ec_cvt.c -@@ -82,10 +82,6 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, - const EC_METHOD *meth; - EC_GROUP *ret; - --#ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return FIPS_ec_group_new_curve_gfp(p, a, b, ctx); --#endif - #if defined(OPENSSL_BN_ASM_MONT) - /* - * This might appear controversial, but the fact is that generic -@@ -160,10 +156,6 @@ EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, - const EC_METHOD *meth; - EC_GROUP *ret; - --# ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return FIPS_ec_group_new_curve_gf2m(p, a, b, ctx); --# endif - meth = EC_GF2m_simple_method(); - - ret = EC_GROUP_new(meth); -diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c -index bc94ab5..d3fd257 100644 ---- a/crypto/ec/ec_key.c -+++ b/crypto/ec/ec_key.c -@@ -64,9 +64,6 @@ - #include - #include "ec_lcl.h" - #include --#ifdef OPENSSL_FIPS --# include --#endif - - EC_KEY *EC_KEY_new(void) - { -@@ -227,6 +224,38 @@ int EC_KEY_up_ref(EC_KEY *r) - return ((i > 1) ? 
1 : 0); - } - -+#ifdef OPENSSL_FIPS -+ -+# include -+# include -+# include -+ -+static int fips_check_ec(EC_KEY *key) -+{ -+ EVP_PKEY *pk; -+ unsigned char tbs[] = "ECDSA Pairwise Check Data"; -+ int ret = 0; -+ -+ if ((pk = EVP_PKEY_new()) == NULL) -+ goto err; -+ -+ EVP_PKEY_set1_EC_KEY(pk, key); -+ -+ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL)) -+ ret = 1; -+ -+ err: -+ if (ret == 0) { -+ FIPSerr(FIPS_F_FIPS_CHECK_EC, FIPS_R_PAIRWISE_TEST_FAILED); -+ fips_set_selftest_fail(); -+ } -+ if (pk) -+ EVP_PKEY_free(pk); -+ return ret; -+} -+ -+#endif -+ - int EC_KEY_generate_key(EC_KEY *eckey) - { - int ok = 0; -@@ -235,8 +264,10 @@ int EC_KEY_generate_key(EC_KEY *eckey) - EC_POINT *pub_key = NULL; - - #ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return FIPS_ec_key_generate_key(eckey); -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_EC_KEY_GENERATE_KEY, FIPS_R_FIPS_SELFTEST_FAILED); -+ return 0; -+ } - #endif - - if (!eckey || !eckey->group) { -@@ -277,6 +308,14 @@ int EC_KEY_generate_key(EC_KEY *eckey) - eckey->priv_key = priv_key; - eckey->pub_key = pub_key; - -+#ifdef OPENSSL_FIPS -+ if (!fips_check_ec(eckey)) { -+ eckey->priv_key = NULL; -+ eckey->pub_key = NULL; -+ goto err; -+ } -+#endif -+ - ok = 1; - - err: -@@ -414,10 +453,12 @@ int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, - goto err; - } - /* -- * Check if retrieved coordinates match originals: if not values are out -- * of range. -+ * Check if retrieved coordinates match originals and are less -+ * than field order: if not values are out of range. 
- */ -- if (BN_cmp(x, tx) || BN_cmp(y, ty)) { -+ if (BN_cmp(x, tx) || BN_cmp(y, ty) -+ || (BN_cmp(x, &key->group->field) >= 0) -+ || (BN_cmp(y, &key->group->field) >= 0)) { - ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES, - EC_R_COORDINATES_OUT_OF_RANGE); - goto err; -diff --git a/crypto/ec/ecp_mont.c b/crypto/ec/ecp_mont.c -index b2de7fa..bc9fd47 100644 ---- a/crypto/ec/ecp_mont.c -+++ b/crypto/ec/ecp_mont.c -@@ -63,10 +63,6 @@ - - #include - --#ifdef OPENSSL_FIPS --# include --#endif -- - #include "ec_lcl.h" - - const EC_METHOD *EC_GFp_mont_method(void) -@@ -111,11 +107,6 @@ const EC_METHOD *EC_GFp_mont_method(void) - ec_GFp_mont_field_set_to_one - }; - --#ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return fips_ec_gfp_mont_method(); --#endif -- - return &ret; - } - -diff --git a/crypto/ec/ecp_nist.c b/crypto/ec/ecp_nist.c -index 3944e24..dbd2558 100644 ---- a/crypto/ec/ecp_nist.c -+++ b/crypto/ec/ecp_nist.c -@@ -67,10 +67,6 @@ - #include - #include "ec_lcl.h" - --#ifdef OPENSSL_FIPS --# include --#endif -- - const EC_METHOD *EC_GFp_nist_method(void) - { - static const EC_METHOD ret = { -@@ -113,11 +109,6 @@ const EC_METHOD *EC_GFp_nist_method(void) - 0 /* field_set_to_one */ - }; - --#ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return fips_ec_gfp_nist_method(); --#endif -- - return &ret; - } - -diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c -index 2b84821..b0e69cb 100644 ---- a/crypto/ec/ecp_smpl.c -+++ b/crypto/ec/ecp_smpl.c -@@ -66,10 +66,6 @@ - #include - #include - --#ifdef OPENSSL_FIPS --# include --#endif -- - #include "ec_lcl.h" - - const EC_METHOD *EC_GFp_simple_method(void) -@@ -114,11 +110,6 @@ const EC_METHOD *EC_GFp_simple_method(void) - 0 /* field_set_to_one */ - }; - --#ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return fips_ec_gfp_simple_method(); --#endif -- - return &ret; - } - -@@ -187,6 +178,11 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group, - return 0; - } - -+ if (BN_num_bits(p) < 256) { -+ 
ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD); -+ return 0; -+ } -+ - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) -diff --git a/crypto/ecdh/ecdhtest.c b/crypto/ecdh/ecdhtest.c -index 2fe2c66..4d6594a 100644 ---- a/crypto/ecdh/ecdhtest.c -+++ b/crypto/ecdh/ecdhtest.c -@@ -501,11 +501,13 @@ int main(int argc, char *argv[]) - goto err; - - /* NIST PRIME CURVES TESTS */ -+# if 0 - if (!test_ecdh_curve - (NID_X9_62_prime192v1, "NIST Prime-Curve P-192", ctx, out)) - goto err; - if (!test_ecdh_curve(NID_secp224r1, "NIST Prime-Curve P-224", ctx, out)) - goto err; -+# endif - if (!test_ecdh_curve - (NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out)) - goto err; -@@ -536,13 +538,14 @@ int main(int argc, char *argv[]) - if (!test_ecdh_curve(NID_sect571r1, "NIST Binary-Curve B-571", ctx, out)) - goto err; - # endif -+# if 0 - if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP256r1", 256)) - goto err; - if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP384r1", 384)) - goto err; - if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP512r1", 512)) - goto err; -- -+# endif - ret = 0; - - err: -diff --git a/crypto/ecdh/ech_lib.c b/crypto/ecdh/ech_lib.c -index cbc21d1..aa7954a 100644 ---- a/crypto/ecdh/ech_lib.c -+++ b/crypto/ecdh/ech_lib.c -@@ -93,14 +93,7 @@ void ECDH_set_default_method(const ECDH_METHOD *meth) - const ECDH_METHOD *ECDH_get_default_method(void) - { - if (!default_ECDH_method) { --#ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return FIPS_ecdh_openssl(); -- else -- return ECDH_OpenSSL(); --#else - default_ECDH_method = ECDH_OpenSSL(); --#endif - } - return default_ECDH_method; - } -diff --git a/crypto/ecdh/ech_ossl.c b/crypto/ecdh/ech_ossl.c -index df115cc..3908dfa 100644 ---- a/crypto/ecdh/ech_ossl.c -+++ b/crypto/ecdh/ech_ossl.c -@@ -78,6 +78,10 @@ - #include - #include - -+#ifdef OPENSSL_FIPS -+# include -+#endif -+ - static int ecdh_compute_key(void *out, size_t len, const EC_POINT *pub_key, - 
EC_KEY *ecdh, - void *(*KDF) (const void *in, size_t inlen, -@@ -90,7 +94,7 @@ static ECDH_METHOD openssl_ecdh_meth = { - NULL, /* init */ - NULL, /* finish */ - #endif -- 0, /* flags */ -+ ECDH_FLAG_FIPS_METHOD, /* flags */ - NULL /* app_data */ - }; - -@@ -119,6 +123,13 @@ static int ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, - size_t buflen, len; - unsigned char *buf = NULL; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED); -+ return -1; -+ } -+#endif -+ - if (outlen > INT_MAX) { - ECDHerr(ECDH_F_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE); /* sort of, - * anyway */ -diff --git a/crypto/ecdsa/ecdsatest.c b/crypto/ecdsa/ecdsatest.c -index 0f301f8..0d12f71 100644 ---- a/crypto/ecdsa/ecdsatest.c -+++ b/crypto/ecdsa/ecdsatest.c -@@ -138,11 +138,14 @@ int restore_rand(void) - } - - static int fbytes_counter = 0; --static const char *numbers[8] = { -+static const char *numbers[10] = { -+ "651056770906015076056810763456358567190100156695615665659", - "651056770906015076056810763456358567190100156695615665659", - "6140507067065001063065065565667405560006161556565665656654", - "8763001015071075675010661307616710783570106710677817767166" - "71676178726717", -+ "8763001015071075675010661307616710783570106710677817767166" -+ "71676178726717", - "7000000175690566466555057817571571075705015757757057795755" - "55657156756655", - "1275552191113212300012030439187146164646146646466749494799", -@@ -158,7 +161,7 @@ int fbytes(unsigned char *buf, int num) - int ret; - BIGNUM *tmp = NULL; - -- if (fbytes_counter >= 8) -+ if (fbytes_counter >= 10) - return 0; - tmp = BN_new(); - if (!tmp) -@@ -532,8 +535,10 @@ int main(void) - RAND_seed(rnd_seed, sizeof(rnd_seed)); - - /* the tests */ -+# if 0 - if (!x9_62_tests(out)) - goto err; -+# endif - if (!test_builtin(out)) - goto err; - -diff --git a/crypto/ecdsa/ecs_lib.c b/crypto/ecdsa/ecs_lib.c -index 8dc1dda..24ef566 100644 ---- 
a/crypto/ecdsa/ecs_lib.c -+++ b/crypto/ecdsa/ecs_lib.c -@@ -80,14 +80,7 @@ void ECDSA_set_default_method(const ECDSA_METHOD *meth) - const ECDSA_METHOD *ECDSA_get_default_method(void) - { - if (!default_ECDSA_method) { --#ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return FIPS_ecdsa_openssl(); -- else -- return ECDSA_OpenSSL(); --#else - default_ECDSA_method = ECDSA_OpenSSL(); --#endif - } - return default_ECDSA_method; - } -diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c -index dd76960..d81cf6b 100644 ---- a/crypto/ecdsa/ecs_ossl.c -+++ b/crypto/ecdsa/ecs_ossl.c -@@ -60,6 +60,9 @@ - #include - #include - #include -+#ifdef OPENSSL_FIPS -+# include -+#endif - - static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen, - const BIGNUM *, const BIGNUM *, -@@ -78,7 +81,7 @@ static ECDSA_METHOD openssl_ecdsa_meth = { - NULL, /* init */ - NULL, /* finish */ - #endif -- 0, /* flags */ -+ ECDSA_FLAG_FIPS_METHOD, /* flags */ - NULL /* app_data */ - }; - -@@ -245,6 +248,13 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, - ECDSA_DATA *ecdsa; - const BIGNUM *priv_key; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_ECDSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED); -+ return NULL; -+ } -+#endif -+ - ecdsa = ecdsa_check(eckey); - group = EC_KEY_get0_group(eckey); - priv_key = EC_KEY_get0_private_key(eckey); -@@ -358,6 +368,13 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, - const EC_GROUP *group; - const EC_POINT *pub_key; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_ECDSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED); -+ return -1; -+ } -+#endif -+ - /* check input values */ - if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || - (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) { -diff --git a/crypto/evp/m_ecdsa.c b/crypto/evp/m_ecdsa.c -index 803d314..2830069 100644 ---- a/crypto/evp/m_ecdsa.c -+++ b/crypto/evp/m_ecdsa.c -@@ 
-136,7 +136,7 @@ static const EVP_MD ecdsa_md = { - NID_ecdsa_with_SHA1, - NID_ecdsa_with_SHA1, - SHA_DIGEST_LENGTH, -- EVP_MD_FLAG_PKEY_DIGEST, -+ EVP_MD_FLAG_PKEY_DIGEST | EVP_MD_FLAG_FIPS, - init, - update, - final, -diff --git a/crypto/fips/Makefile b/crypto/fips/Makefile -index b997426..0b54447 100644 ---- a/crypto/fips/Makefile -+++ b/crypto/fips/Makefile -@@ -24,13 +24,13 @@ LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_se - fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \ - fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ - fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ -- fips_cmac_selftest.c fips_enc.c fips_md.c -+ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c - - LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \ - fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \ - fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \ - fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \ -- fips_cmac_selftest.o fips_enc.o fips_md.o -+ fips_cmac_selftest.o fips_ecdh_selftest.o fips_ecdsa_selftest.o fips_enc.o fips_md.o - - LIBCRYPTO=-L.. 
-lcrypto - -@@ -119,6 +119,21 @@ fips_aes_selftest.o: ../../include/openssl/ossl_typ.h - fips_aes_selftest.o: ../../include/openssl/safestack.h - fips_aes_selftest.o: ../../include/openssl/stack.h - fips_aes_selftest.o: ../../include/openssl/symhacks.h fips_aes_selftest.c -+fips_cmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -+fips_cmac_selftest.o: ../../include/openssl/cmac.h -+fips_cmac_selftest.o: ../../include/openssl/crypto.h -+fips_cmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -+fips_cmac_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h -+fips_cmac_selftest.o: ../../include/openssl/lhash.h -+fips_cmac_selftest.o: ../../include/openssl/obj_mac.h -+fips_cmac_selftest.o: ../../include/openssl/objects.h -+fips_cmac_selftest.o: ../../include/openssl/opensslconf.h -+fips_cmac_selftest.o: ../../include/openssl/opensslv.h -+fips_cmac_selftest.o: ../../include/openssl/ossl_typ.h -+fips_cmac_selftest.o: ../../include/openssl/safestack.h -+fips_cmac_selftest.o: ../../include/openssl/stack.h -+fips_cmac_selftest.o: ../../include/openssl/symhacks.h fips_cmac_selftest.c -+fips_cmac_selftest.o: fips_locl.h - fips_des_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h - fips_des_selftest.o: ../../include/openssl/crypto.h - fips_des_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -@@ -232,6 +247,46 @@ fips_dsa_selftest.o: ../../include/openssl/safestack.h - fips_dsa_selftest.o: ../../include/openssl/stack.h - fips_dsa_selftest.o: ../../include/openssl/symhacks.h fips_dsa_selftest.c - fips_dsa_selftest.o: fips_locl.h -+fips_ecdh_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -+fips_ecdh_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h -+fips_ecdh_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h -+fips_ecdh_selftest.o: ../../include/openssl/ecdh.h ../../include/openssl/err.h -+fips_ecdh_selftest.o: 
../../include/openssl/evp.h ../../include/openssl/fips.h -+fips_ecdh_selftest.o: ../../include/openssl/lhash.h -+fips_ecdh_selftest.o: ../../include/openssl/obj_mac.h -+fips_ecdh_selftest.o: ../../include/openssl/objects.h -+fips_ecdh_selftest.o: ../../include/openssl/opensslconf.h -+fips_ecdh_selftest.o: ../../include/openssl/opensslv.h -+fips_ecdh_selftest.o: ../../include/openssl/ossl_typ.h -+fips_ecdh_selftest.o: ../../include/openssl/safestack.h -+fips_ecdh_selftest.o: ../../include/openssl/stack.h -+fips_ecdh_selftest.o: ../../include/openssl/symhacks.h fips_ecdh_selftest.c -+fips_ecdh_selftest.o: fips_locl.h -+fips_ecdsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -+fips_ecdsa_selftest.o: ../../include/openssl/bn.h -+fips_ecdsa_selftest.o: ../../include/openssl/crypto.h -+fips_ecdsa_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h -+fips_ecdsa_selftest.o: ../../include/openssl/ecdsa.h -+fips_ecdsa_selftest.o: ../../include/openssl/err.h ../../include/openssl/evp.h -+fips_ecdsa_selftest.o: ../../include/openssl/fips.h -+fips_ecdsa_selftest.o: ../../include/openssl/lhash.h -+fips_ecdsa_selftest.o: ../../include/openssl/obj_mac.h -+fips_ecdsa_selftest.o: ../../include/openssl/objects.h -+fips_ecdsa_selftest.o: ../../include/openssl/opensslconf.h -+fips_ecdsa_selftest.o: ../../include/openssl/opensslv.h -+fips_ecdsa_selftest.o: ../../include/openssl/ossl_typ.h -+fips_ecdsa_selftest.o: ../../include/openssl/safestack.h -+fips_ecdsa_selftest.o: ../../include/openssl/stack.h -+fips_ecdsa_selftest.o: ../../include/openssl/symhacks.h fips_ecdsa_selftest.c -+fips_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -+fips_enc.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h -+fips_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h -+fips_enc.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h -+fips_enc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h 
-+fips_enc.o: ../../include/openssl/opensslconf.h -+fips_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h -+fips_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -+fips_enc.o: ../../include/openssl/symhacks.h fips_enc.c - fips_hmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h - fips_hmac_selftest.o: ../../include/openssl/crypto.h - fips_hmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -@@ -246,6 +301,15 @@ fips_hmac_selftest.o: ../../include/openssl/ossl_typ.h - fips_hmac_selftest.o: ../../include/openssl/safestack.h - fips_hmac_selftest.o: ../../include/openssl/stack.h - fips_hmac_selftest.o: ../../include/openssl/symhacks.h fips_hmac_selftest.c -+fips_md.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -+fips_md.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h -+fips_md.o: ../../include/openssl/err.h ../../include/openssl/evp.h -+fips_md.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h -+fips_md.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h -+fips_md.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h -+fips_md.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h -+fips_md.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -+fips_md.o: fips_md.c - fips_post.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h - fips_post.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h - fips_post.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h -diff --git a/crypto/fips/cavs/fips_ecdhvs.c b/crypto/fips/cavs/fips_ecdhvs.c -new file mode 100644 -index 0000000..be9d8d8 ---- /dev/null -+++ b/crypto/fips/cavs/fips_ecdhvs.c -@@ -0,0 +1,456 @@ -+/* fips/ecdh/fips_ecdhvs.c */ -+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL -+ * project. 
-+ */ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+#include
-+
-+#ifndef OPENSSL_FIPS
-+# include
-+
-+int main(int argc, char **argv)
-+{
-+ printf("No FIPS ECDH support\n");
-+ return (0);
-+}
-+#else
-+
-+# include
-+# include
-+# include
-+# include
-+# include
-+# include
-+# include
-+# include
-+
-+# include "fips_utl.h"
-+
-+static const EVP_MD *eparse_md(char *line)
-+{
-+ char *p;
-+ if (line[0] != '[' || line[1] != 'E')
-+ return NULL;
-+ p = strchr(line, '-');
-+ if (!p)
-+ return NULL;
-+ line = p + 1;
-+ p = strchr(line, ']');
-+ if (!p)
-+ return NULL;
-+ *p = 0;
-+ p = line;
-+ while (isspace(*p))
-+ p++;
-+ if (!strcmp(p, "SHA1"))
-+ return EVP_sha1();
-+ else if (!strcmp(p, "SHA224"))
-+ return EVP_sha224();
-+ else if (!strcmp(p, "SHA256"))
-+ return EVP_sha256();
-+ else if (!strcmp(p, "SHA384"))
-+ return EVP_sha384();
-+ else if (!strcmp(p, "SHA512"))
-+ return EVP_sha512();
-+ else
-+ return NULL;
-+}
-+
-+static int lookup_curve2(char *cname)
-+{
-+ char *p;
-+ p = strchr(cname, ']');
-+ if (!p) {
-+ fprintf(stderr, "Parse error: missing ]\n");
-+ return NID_undef;
-+ }
-+ *p = 0;
-+
-+ if (!strcmp(cname, "B-163"))
-+ return NID_sect163r2;
-+ if (!strcmp(cname, "B-233"))
-+ return NID_sect233r1;
-+ if (!strcmp(cname, "B-283"))
-+ return NID_sect283r1;
-+ if (!strcmp(cname, "B-409"))
-+ return NID_sect409r1;
-+ if (!strcmp(cname,
"B-571"))
-+ return NID_sect571r1;
-+ if (!strcmp(cname, "K-163"))
-+ return NID_sect163k1;
-+ if (!strcmp(cname, "K-233"))
-+ return NID_sect233k1;
-+ if (!strcmp(cname, "K-283"))
-+ return NID_sect283k1;
-+ if (!strcmp(cname, "K-409"))
-+ return NID_sect409k1;
-+ if (!strcmp(cname, "K-571"))
-+ return NID_sect571k1;
-+ if (!strcmp(cname, "P-192"))
-+ return NID_X9_62_prime192v1;
-+ if (!strcmp(cname, "P-224"))
-+ return NID_secp224r1;
-+ if (!strcmp(cname, "P-256"))
-+ return NID_X9_62_prime256v1;
-+ if (!strcmp(cname, "P-384"))
-+ return NID_secp384r1;
-+ if (!strcmp(cname, "P-521"))
-+ return NID_secp521r1;
-+
-+ fprintf(stderr, "Unknown Curve name %s\n", cname);
-+ return NID_undef;
-+}
-+
-+static int lookup_curve(char *cname)
-+{
-+ char *p;
-+ p = strchr(cname, ':');
-+ if (!p) {
-+ fprintf(stderr, "Parse error: missing :\n");
-+ return NID_undef;
-+ }
-+ cname = p + 1;
-+ while (isspace(*cname))
-+ cname++;
-+ return lookup_curve2(cname);
-+}
-+
-+static EC_POINT *make_peer(EC_GROUP *group, BIGNUM *x, BIGNUM *y)
-+{
-+ EC_POINT *peer;
-+ int rv;
-+ BN_CTX *c;
-+ peer = EC_POINT_new(group);
-+ if (!peer)
-+ return NULL;
-+ c = BN_CTX_new();
-+ if (EC_METHOD_get_field_type(EC_GROUP_method_of(group))
-+ == NID_X9_62_prime_field)
-+ rv = EC_POINT_set_affine_coordinates_GFp(group, peer, x, y, c);
-+ else
-+# ifdef OPENSSL_NO_EC2M
-+ {
-+ fprintf(stderr, "ERROR: GF2m not supported\n");
-+ exit(1);
-+ }
-+# else
-+ rv = EC_POINT_set_affine_coordinates_GF2m(group, peer, x, y, c);
-+# endif
-+
-+ BN_CTX_free(c);
-+ if (rv)
-+ return peer;
-+ EC_POINT_free(peer);
-+ return NULL;
-+}
-+
-+static int ec_print_key(FILE *out, EC_KEY *key, int add_e, int exout)
-+{
-+ const EC_POINT *pt;
-+ const EC_GROUP *grp;
-+ const EC_METHOD *meth;
-+ int rv;
-+ BIGNUM *tx, *ty;
-+ const BIGNUM *d = NULL;
-+ BN_CTX *ctx;
-+ ctx = BN_CTX_new();
-+ if (!ctx)
-+ return 0;
-+ tx = BN_CTX_get(ctx);
-+ ty = BN_CTX_get(ctx);
-+ if (!tx || !ty)
-+ return 0;
-+ grp = EC_KEY_get0_group(key);
-+ pt = EC_KEY_get0_public_key(key);
-+ if (exout)
-+ d = EC_KEY_get0_private_key(key);
-+ meth = EC_GROUP_method_of(grp);
-+ if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
-+ rv = EC_POINT_get_affine_coordinates_GFp(grp, pt, tx, ty, ctx);
-+ else
-+# ifdef OPENSSL_NO_EC2M
-+ {
-+ fprintf(stderr, "ERROR: GF2m not supported\n");
-+ exit(1);
-+ }
-+# else
-+ rv = EC_POINT_get_affine_coordinates_GF2m(grp, pt, tx, ty, ctx);
-+# endif
-+
-+ if (add_e) {
-+ do_bn_print_name(out, "QeIUTx", tx);
-+ do_bn_print_name(out, "QeIUTy", ty);
-+ if (d)
-+ do_bn_print_name(out, "QeIUTd", d);
-+ } else {
-+ do_bn_print_name(out, "QIUTx", tx);
-+ do_bn_print_name(out, "QIUTy", ty);
-+ if (d)
-+ do_bn_print_name(out, "QIUTd", d);
-+ }
-+
-+ BN_CTX_free(ctx);
-+
-+ return rv;
-+
-+}
-+
-+static void ec_output_Zhash(FILE *out, int exout, EC_GROUP *group,
-+ BIGNUM *ix, BIGNUM *iy, BIGNUM *id, BIGNUM *cx,
-+ BIGNUM *cy, const EVP_MD *md,
-+ unsigned char *rhash, size_t rhashlen)
-+{
-+ EC_KEY *ec = NULL;
-+ EC_POINT *peerkey = NULL;
-+ unsigned char *Z;
-+ unsigned char chash[EVP_MAX_MD_SIZE];
-+ int Zlen;
-+ ec = EC_KEY_new();
-+ EC_KEY_set_flags(ec, EC_FLAG_COFACTOR_ECDH);
-+ EC_KEY_set_group(ec, group);
-+ peerkey = make_peer(group, cx, cy);
-+ if (rhash == NULL) {
-+ if (md)
-+ rhashlen = M_EVP_MD_size(md);
-+ EC_KEY_generate_key(ec);
-+ ec_print_key(out, ec, md ? 1 : 0, exout);
-+ } else {
-+ EC_KEY_set_public_key_affine_coordinates(ec, ix, iy);
-+ EC_KEY_set_private_key(ec, id);
-+ }
-+ Zlen = (EC_GROUP_get_degree(group) + 7) / 8;
-+ Z = OPENSSL_malloc(Zlen);
-+ if (!Z)
-+ exit(1);
-+ ECDH_compute_key(Z, Zlen, peerkey, ec, 0);
-+ if (md) {
-+ if (exout)
-+ OutputValue("Z", Z, Zlen, out, 0);
-+ FIPS_digest(Z, Zlen, chash, NULL, md);
-+ OutputValue(rhash ? "IUTHashZZ" : "HashZZ", chash, rhashlen, out, 0);
-+ if (rhash) {
-+ fprintf(out, "Result = %s\n",
-+ memcmp(chash, rhash, rhashlen) ?
"F" : "P");
-+ }
-+ } else
-+ OutputValue("ZIUT", Z, Zlen, out, 0);
-+ OPENSSL_cleanse(Z, Zlen);
-+ OPENSSL_free(Z);
-+ EC_KEY_free(ec);
-+ EC_POINT_free(peerkey);
-+}
-+
-+# ifdef FIPS_ALGVS
-+int fips_ecdhvs_main(int argc, char **argv)
-+# else
-+int main(int argc, char **argv)
-+# endif
-+{
-+ char **args = argv + 1;
-+ int argn = argc - 1;
-+ FILE *in, *out;
-+ char buf[2048], lbuf[2048];
-+ unsigned char *rhash = NULL;
-+ long rhashlen;
-+ BIGNUM *cx = NULL, *cy = NULL;
-+ BIGNUM *id = NULL, *ix = NULL, *iy = NULL;
-+ const EVP_MD *md = NULL;
-+ EC_GROUP *group = NULL;
-+ char *keyword = NULL, *value = NULL;
-+ int do_verify = -1, exout = 0;
-+ int rv = 1;
-+
-+ int curve_nids[5] = { 0, 0, 0, 0, 0 };
-+ int param_set = -1;
-+
-+ fips_algtest_init();
-+
-+ if (argn && !strcmp(*args, "ecdhver")) {
-+ do_verify = 1;
-+ args++;
-+ argn--;
-+ } else if (argn && !strcmp(*args, "ecdhgen")) {
-+ do_verify = 0;
-+ args++;
-+ argn--;
-+ }
-+
-+ if (argn && !strcmp(*args, "-exout")) {
-+ exout = 1;
-+ args++;
-+ argn--;
-+ }
-+
-+ if (do_verify == -1) {
-+ fprintf(stderr, "%s [ecdhver|ecdhgen|] [-exout] (infile outfile)\n",
-+ argv[0]);
-+ exit(1);
-+ }
-+
-+ if (argn == 2) {
-+ in = fopen(*args, "r");
-+ if (!in) {
-+ fprintf(stderr, "Error opening input file\n");
-+ exit(1);
-+ }
-+ out = fopen(args[1], "w");
-+ if (!out) {
-+ fprintf(stderr, "Error opening output file\n");
-+ exit(1);
-+ }
-+ } else if (argn == 0) {
-+ in = stdin;
-+ out = stdout;
-+ } else {
-+ fprintf(stderr, "%s [dhver|dhgen|] [-exout] (infile outfile)\n",
-+ argv[0]);
-+ exit(1);
-+ }
-+
-+ while (fgets(buf, sizeof(buf), in) != NULL) {
-+ fputs(buf, out);
-+ if (buf[0] == '[' && buf[1] == 'E') {
-+ int c = buf[2];
-+ if (c < 'A' || c > 'E')
-+ goto parse_error;
-+ param_set = c - 'A';
-+ /* If just [E?]
then initial paramset */
-+ if (buf[3] == ']')
-+ continue;
-+ if (group)
-+ EC_GROUP_free(group);
-+ group = EC_GROUP_new_by_curve_name(curve_nids[c - 'A']);
-+ }
-+ if (strlen(buf) > 10 && !strncmp(buf, "[Curve", 6)) {
-+ int nid;
-+ if (param_set == -1)
-+ goto parse_error;
-+ nid = lookup_curve(buf);
-+ if (nid == NID_undef)
-+ goto parse_error;
-+ curve_nids[param_set] = nid;
-+ }
-+
-+ if (strlen(buf) > 4 && buf[0] == '[' && buf[2] == '-') {
-+ int nid = lookup_curve2(buf + 1);
-+ if (nid == NID_undef)
-+ goto parse_error;
-+ if (group)
-+ EC_GROUP_free(group);
-+ group = EC_GROUP_new_by_curve_name(nid);
-+ if (!group) {
-+ fprintf(stderr, "ERROR: unsupported curve %s\n", buf + 1);
-+ return 1;
-+ }
-+ }
-+
-+ if (strlen(buf) > 6 && !strncmp(buf, "[E", 2)) {
-+ md = eparse_md(buf);
-+ if (md == NULL)
-+ goto parse_error;
-+ continue;
-+ }
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ if (!strcmp(keyword, "QeCAVSx") || !strcmp(keyword, "QCAVSx")) {
-+ if (!do_hex2bn(&cx, value))
-+ goto parse_error;
-+ } else if (!strcmp(keyword, "QeCAVSy") || !strcmp(keyword, "QCAVSy")) {
-+ if (!do_hex2bn(&cy, value))
-+ goto parse_error;
-+ if (do_verify == 0)
-+ ec_output_Zhash(out, exout, group,
-+ NULL, NULL, NULL,
-+ cx, cy, md, rhash, rhashlen);
-+ } else if (!strcmp(keyword, "deIUT")) {
-+ if (!do_hex2bn(&id, value))
-+ goto parse_error;
-+ } else if (!strcmp(keyword, "QeIUTx")) {
-+ if (!do_hex2bn(&ix, value))
-+ goto parse_error;
-+ } else if (!strcmp(keyword, "QeIUTy")) {
-+ if (!do_hex2bn(&iy, value))
-+ goto parse_error;
-+ } else if (!strcmp(keyword, "CAVSHashZZ")) {
-+ if (!md)
-+ goto parse_error;
-+ rhash = hex2bin_m(value, &rhashlen);
-+ if (!rhash || rhashlen != M_EVP_MD_size(md))
-+ goto parse_error;
-+ ec_output_Zhash(out, exout, group, ix, iy, id, cx, cy,
-+ md, rhash, rhashlen);
-+ }
-+ }
-+ rv = 0;
-+ parse_error:
-+ if (id)
-+ BN_free(id);
-+ if (ix)
-+ BN_free(ix);
-+ if (iy)
-+ BN_free(iy);
-+ if (cx)
-+ BN_free(cx);
-+ if (cy)
-+
BN_free(cy);
-+ if (group)
-+ EC_GROUP_free(group);
-+ if (in && in != stdin)
-+ fclose(in);
-+ if (out && out != stdout)
-+ fclose(out);
-+ if (rv)
-+ fprintf(stderr, "Error Parsing request file\n");
-+ return rv;
-+}
-+
-+#endif
-diff --git a/crypto/fips/cavs/fips_ecdsavs.c b/crypto/fips/cavs/fips_ecdsavs.c
-new file mode 100644
-index 0000000..4d85fce
---- /dev/null
-+++ b/crypto/fips/cavs/fips_ecdsavs.c
-@@ -0,0 +1,486 @@
-+/* fips/ecdsa/fips_ecdsavs.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6.
Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+#include
-+#include
-+
-+#ifndef OPENSSL_FIPS
-+
-+int main(int argc, char **argv)
-+{
-+ printf("No FIPS ECDSA support\n");
-+ return (0);
-+}
-+#else
-+
-+# include
-+# include
-+# include
-+# include
-+# include
-+# include
-+# include "fips_utl.h"
-+
-+# include
-+
-+static int elookup_curve(char *in, char *curve_name, const EVP_MD **pmd)
-+{
-+ char *cname, *p;
-+ /* Copy buffer as we will change it */
-+ strcpy(curve_name, in);
-+ cname = curve_name + 1;
-+ p = strchr(cname, ']');
-+ if (!p) {
-+ fprintf(stderr, "Parse error: missing ]\n");
-+ return NID_undef;
-+ }
-+ *p = 0;
-+ p = strchr(cname, ',');
-+ if (p) {
-+ if (!pmd) {
-+ fprintf(stderr, "Parse error: unexpected digest\n");
-+ return NID_undef;
-+ }
-+ *p = 0;
-+ p++;
-+
-+ if (!strcmp(p, "SHA-1"))
-+ *pmd = EVP_sha1();
-+ else if (!strcmp(p, "SHA-224"))
-+ *pmd = EVP_sha224();
-+ else if (!strcmp(p, "SHA-256"))
-+ *pmd = EVP_sha256();
-+ else if (!strcmp(p, "SHA-384"))
-+ *pmd = EVP_sha384();
-+ else if (!strcmp(p, "SHA-512"))
-+ *pmd = EVP_sha512();
-+ else {
-+ fprintf(stderr, "Unknown digest %s\n", p);
-+ return NID_undef;
-+ }
-+ } else if (pmd)
-+ *pmd = EVP_sha1();
-+
-+ if (!strcmp(cname, "B-163"))
-+ return NID_sect163r2;
-+ if (!strcmp(cname, "B-233"))
-+ return NID_sect233r1;
-+ if (!strcmp(cname, "B-283"))
-+ return NID_sect283r1;
-+ if (!strcmp(cname, "B-409"))
-+ return NID_sect409r1;
-+ if (!strcmp(cname, "B-571"))
-+ return NID_sect571r1;
-+ if (!strcmp(cname, "K-163"))
-+ return NID_sect163k1;
-+ if (!strcmp(cname, "K-233"))
-+ return NID_sect233k1;
-+ if (!strcmp(cname, "K-283"))
-+ return NID_sect283k1;
-+ if (!strcmp(cname, "K-409"))
-+ return NID_sect409k1;
-+ if (!strcmp(cname, "K-571"))
-+ return NID_sect571k1;
-+ if (!strcmp(cname, "P-192"))
-+ return NID_X9_62_prime192v1;
-+ if (!strcmp(cname, "P-224"))
-+ return NID_secp224r1;
-+ if (!strcmp(cname, "P-256"))
-+
return NID_X9_62_prime256v1;
-+ if (!strcmp(cname, "P-384"))
-+ return NID_secp384r1;
-+ if (!strcmp(cname, "P-521"))
-+ return NID_secp521r1;
-+
-+ fprintf(stderr, "Unknown Curve name %s\n", cname);
-+ return NID_undef;
-+}
-+
-+static int ec_get_pubkey(EC_KEY *key, BIGNUM *x, BIGNUM *y)
-+{
-+ const EC_POINT *pt;
-+ const EC_GROUP *grp;
-+ const EC_METHOD *meth;
-+ int rv;
-+ BN_CTX *ctx;
-+ ctx = BN_CTX_new();
-+ if (!ctx)
-+ return 0;
-+ grp = EC_KEY_get0_group(key);
-+ pt = EC_KEY_get0_public_key(key);
-+ meth = EC_GROUP_method_of(grp);
-+ if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
-+ rv = EC_POINT_get_affine_coordinates_GFp(grp, pt, x, y, ctx);
-+ else
-+# ifdef OPENSSL_NO_EC2M
-+ {
-+ fprintf(stderr, "ERROR: GF2m not supported\n");
-+ exit(1);
-+ }
-+# else
-+ rv = EC_POINT_get_affine_coordinates_GF2m(grp, pt, x, y, ctx);
-+# endif
-+
-+ BN_CTX_free(ctx);
-+
-+ return rv;
-+
-+}
-+
-+static int KeyPair(FILE *in, FILE *out)
-+{
-+ char buf[2048], lbuf[2048];
-+ char *keyword, *value;
-+ int curve_nid = NID_undef;
-+ int i, count;
-+ BIGNUM *Qx = NULL, *Qy = NULL;
-+ const BIGNUM *d = NULL;
-+ EC_KEY *key = NULL;
-+ Qx = BN_new();
-+ Qy = BN_new();
-+ while (fgets(buf, sizeof buf, in) != NULL) {
-+ if (*buf == '[' && buf[2] == '-') {
-+ if (buf[2] == '-')
-+ curve_nid = elookup_curve(buf, lbuf, NULL);
-+ fputs(buf, out);
-+ continue;
-+ }
-+ if (!parse_line(&keyword, &value, lbuf, buf)) {
-+ fputs(buf, out);
-+ continue;
-+ }
-+ if (!strcmp(keyword, "N")) {
-+ count = atoi(value);
-+
-+ for (i = 0; i < count; i++) {
-+
-+ key = EC_KEY_new_by_curve_name(curve_nid);
-+ if (!EC_KEY_generate_key(key)) {
-+ fprintf(stderr, "Error generating key\n");
-+ return 0;
-+ }
-+
-+ if (!ec_get_pubkey(key, Qx, Qy)) {
-+ fprintf(stderr, "Error getting public key\n");
-+ return 0;
-+ }
-+
-+ d = EC_KEY_get0_private_key(key);
-+
-+ do_bn_print_name(out, "d", d);
-+ do_bn_print_name(out, "Qx", Qx);
-+ do_bn_print_name(out, "Qy", Qy);
-+ fputs(RESP_EOL, out);
-+
EC_KEY_free(key);
-+
-+ }
-+
-+ }
-+
-+ }
-+ BN_free(Qx);
-+ BN_free(Qy);
-+ return 1;
-+}
-+
-+static int PKV(FILE *in, FILE *out)
-+{
-+
-+ char buf[2048], lbuf[2048];
-+ char *keyword, *value;
-+ int curve_nid = NID_undef;
-+ BIGNUM *Qx = NULL, *Qy = NULL;
-+ EC_KEY *key = NULL;
-+ while (fgets(buf, sizeof buf, in) != NULL) {
-+ fputs(buf, out);
-+ if (*buf == '[' && buf[2] == '-') {
-+ curve_nid = elookup_curve(buf, lbuf, NULL);
-+ if (curve_nid == NID_undef)
-+ return 0;
-+
-+ }
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ if (!strcmp(keyword, "Qx")) {
-+ if (!do_hex2bn(&Qx, value)) {
-+ fprintf(stderr, "Invalid Qx value\n");
-+ return 0;
-+ }
-+ }
-+ if (!strcmp(keyword, "Qy")) {
-+ int rv;
-+ if (!do_hex2bn(&Qy, value)) {
-+ fprintf(stderr, "Invalid Qy value\n");
-+ return 0;
-+ }
-+ key = EC_KEY_new_by_curve_name(curve_nid);
-+ no_err = 1;
-+ rv = EC_KEY_set_public_key_affine_coordinates(key, Qx, Qy);
-+ no_err = 0;
-+ EC_KEY_free(key);
-+ fprintf(out, "Result = %s" RESP_EOL, rv ?
"P" : "F");
-+ }
-+
-+ }
-+ BN_free(Qx);
-+ BN_free(Qy);
-+ return 1;
-+}
-+
-+static int SigGen(FILE *in, FILE *out)
-+{
-+ char buf[2048], lbuf[2048];
-+ char *keyword, *value;
-+ unsigned char *msg;
-+ int curve_nid = NID_undef;
-+ long mlen;
-+ BIGNUM *Qx = NULL, *Qy = NULL;
-+ EC_KEY *key = NULL;
-+ ECDSA_SIG *sig = NULL;
-+ const EVP_MD *digest = NULL;
-+ Qx = BN_new();
-+ Qy = BN_new();
-+ while (fgets(buf, sizeof buf, in) != NULL) {
-+ fputs(buf, out);
-+ if (*buf == '[') {
-+ curve_nid = elookup_curve(buf, lbuf, &digest);
-+ if (curve_nid == NID_undef)
-+ return 0;
-+ }
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ if (!strcmp(keyword, "Msg")) {
-+ msg = hex2bin_m(value, &mlen);
-+ if (!msg) {
-+ fprintf(stderr, "Invalid Message\n");
-+ return 0;
-+ }
-+
-+ key = EC_KEY_new_by_curve_name(curve_nid);
-+ if (!EC_KEY_generate_key(key)) {
-+ fprintf(stderr, "Error generating key\n");
-+ return 0;
-+ }
-+
-+ if (!ec_get_pubkey(key, Qx, Qy)) {
-+ fprintf(stderr, "Error getting public key\n");
-+ return 0;
-+ }
-+
-+ sig = FIPS_ecdsa_sign(key, msg, mlen, digest);
-+
-+ if (!sig) {
-+ fprintf(stderr, "Error signing message\n");
-+ return 0;
-+ }
-+
-+ do_bn_print_name(out, "Qx", Qx);
-+ do_bn_print_name(out, "Qy", Qy);
-+ do_bn_print_name(out, "R", sig->r);
-+ do_bn_print_name(out, "S", sig->s);
-+
-+ EC_KEY_free(key);
-+ OPENSSL_free(msg);
-+ FIPS_ecdsa_sig_free(sig);
-+
-+ }
-+
-+ }
-+ BN_free(Qx);
-+ BN_free(Qy);
-+ return 1;
-+}
-+
-+static int SigVer(FILE *in, FILE *out)
-+{
-+ char buf[2048], lbuf[2048];
-+ char *keyword, *value;
-+ unsigned char *msg = NULL;
-+ int curve_nid = NID_undef;
-+ long mlen;
-+ BIGNUM *Qx = NULL, *Qy = NULL;
-+ EC_KEY *key = NULL;
-+ ECDSA_SIG sg, *sig = &sg;
-+ const EVP_MD *digest = NULL;
-+ sig->r = NULL;
-+ sig->s = NULL;
-+ while (fgets(buf, sizeof buf, in) != NULL) {
-+ fputs(buf, out);
-+ if (*buf == '[') {
-+ curve_nid = elookup_curve(buf, lbuf, &digest);
-+ if (curve_nid == NID_undef)
-+ return 0;
-+ }
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ if (!strcmp(keyword, "Msg")) {
-+ msg = hex2bin_m(value, &mlen);
-+ if (!msg) {
-+ fprintf(stderr, "Invalid Message\n");
-+ return 0;
-+ }
-+ }
-+
-+ if (!strcmp(keyword, "Qx")) {
-+ if (!do_hex2bn(&Qx, value)) {
-+ fprintf(stderr, "Invalid Qx value\n");
-+ return 0;
-+ }
-+ }
-+ if (!strcmp(keyword, "Qy")) {
-+ if (!do_hex2bn(&Qy, value)) {
-+ fprintf(stderr, "Invalid Qy value\n");
-+ return 0;
-+ }
-+ }
-+ if (!strcmp(keyword, "R")) {
-+ if (!do_hex2bn(&sig->r, value)) {
-+ fprintf(stderr, "Invalid R value\n");
-+ return 0;
-+ }
-+ }
-+ if (!strcmp(keyword, "S")) {
-+ int rv;
-+ if (!do_hex2bn(&sig->s, value)) {
-+ fprintf(stderr, "Invalid S value\n");
-+ return 0;
-+ }
-+ key = EC_KEY_new_by_curve_name(curve_nid);
-+ rv = EC_KEY_set_public_key_affine_coordinates(key, Qx, Qy);
-+
-+ if (rv != 1) {
-+ fprintf(stderr, "Error setting public key\n");
-+ return 0;
-+ }
-+
-+ no_err = 1;
-+ rv = FIPS_ecdsa_verify(key, msg, mlen, digest, sig);
-+ EC_KEY_free(key);
-+ if (msg)
-+ OPENSSL_free(msg);
-+ no_err = 0;
-+
-+ fprintf(out, "Result = %s" RESP_EOL, rv ?
"P" : "F");
-+ }
-+
-+ }
-+ if (sig->r)
-+ BN_free(sig->r);
-+ if (sig->s)
-+ BN_free(sig->s);
-+ if (Qx)
-+ BN_free(Qx);
-+ if (Qy)
-+ BN_free(Qy);
-+ return 1;
-+}
-+
-+# ifdef FIPS_ALGVS
-+int fips_ecdsavs_main(int argc, char **argv)
-+# else
-+int main(int argc, char **argv)
-+# endif
-+{
-+ FILE *in = NULL, *out = NULL;
-+ const char *cmd = argv[1];
-+ int rv = 0;
-+ fips_algtest_init();
-+
-+ if (argc == 4) {
-+ in = fopen(argv[2], "r");
-+ if (!in) {
-+ fprintf(stderr, "Error opening input file\n");
-+ exit(1);
-+ }
-+ out = fopen(argv[3], "w");
-+ if (!out) {
-+ fprintf(stderr, "Error opening output file\n");
-+ exit(1);
-+ }
-+ } else if (argc == 2) {
-+ in = stdin;
-+ out = stdout;
-+ }
-+
-+ if (!cmd) {
-+ fprintf(stderr, "fips_ecdsavs [KeyPair|PKV|SigGen|SigVer]\n");
-+ return 1;
-+ }
-+ if (!strcmp(cmd, "KeyPair"))
-+ rv = KeyPair(in, out);
-+ else if (!strcmp(cmd, "PKV"))
-+ rv = PKV(in, out);
-+ else if (!strcmp(cmd, "SigVer"))
-+ rv = SigVer(in, out);
-+ else if (!strcmp(cmd, "SigGen"))
-+ rv = SigGen(in, out);
-+ else {
-+ fprintf(stderr, "Unknown command %s\n", cmd);
-+ return 1;
-+ }
-+
-+ if (argc == 4) {
-+ fclose(in);
-+ fclose(out);
-+ }
-+
-+ if (rv <= 0) {
-+ fprintf(stderr, "Error running %s\n", cmd);
-+ return 1;
-+ }
-+
-+ return 0;
-+}
-+
-+#endif
-diff --git a/crypto/fips/fips.h b/crypto/fips/fips.h
-index 792781e..30668c1 100644
---- a/crypto/fips/fips.h
-+++ b/crypto/fips/fips.h
-@@ -93,6 +93,8 @@ extern "C" {
- void FIPS_corrupt_dsa(void);
- void FIPS_corrupt_dsa_keygen(void);
- int FIPS_selftest_dsa(void);
-+ int FIPS_selftest_ecdsa(void);
-+ int FIPS_selftest_ecdh(void);
- void FIPS_corrupt_rng(void);
- void FIPS_rng_stick(void);
- void FIPS_x931_stick(int onoff);
-diff --git a/crypto/fips/fips_ecdh_selftest.c b/crypto/fips/fips_ecdh_selftest.c
-new file mode 100644
-index 0000000..8cad5ad
---- /dev/null
-+++ b/crypto/fips/fips_ecdh_selftest.c
-@@ -0,0 +1,242 @@
-+/* fips/ecdh/fips_ecdh_selftest.c */
-+/* Written by Dr Stephen N
Henson (steve@openssl.org) for the OpenSSL
-+ * project 2011.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#ifdef OPENSSL_FIPS
-+
-+# include "fips_locl.h"
-+
-+static const unsigned char p256_qcavsx[] = {
-+ 0x52, 0xc6, 0xa5, 0x75, 0xf3, 0x04, 0x98, 0xb3, 0x29, 0x66, 0x0c, 0x62,
-+ 0x18, 0x60, 0x55, 0x41, 0x59, 0xd4, 0x60, 0x85, 0x99, 0xc1, 0x51, 0x13,
-+ 0x6f, 0x97, 0x85, 0x93, 0x33, 0x34, 0x07, 0x50
-+};
-+
-+static const unsigned char p256_qcavsy[] = {
-+ 0x6f, 0x69, 0x24, 0xeb, 0xe9, 0x3b, 0xa7, 0xcc, 0x47, 0x17, 0xaa, 0x3f,
-+ 0x70, 0xfc, 0x10, 0x73, 0x0a, 0xcd, 0x21, 0xee, 0x29, 0x19, 0x1f, 0xaf,
-+ 0xb4, 0x1c, 0x1e, 0xc2, 0x8e, 0x97, 0x81, 0x6e
-+};
-+
-+static const unsigned char p256_qiutx[] = {
-+ 0x71, 0x46, 0x88, 0x08, 0x92, 0x21, 0x1b, 0x10, 0x21, 0x74, 0xff, 0x0c,
-+ 0x94, 0xde, 0x34, 0x7c, 0x86, 0x74, 0xbe, 0x67, 0x41, 0x68, 0xd4, 0xc1,
-+ 0xe5, 0x75, 0x63, 0x9c, 0xa7, 0x46, 0x93, 0x6f
-+};
-+
-+static const unsigned char p256_qiuty[] = {
-+ 0x33, 0x40, 0xa9, 0x6a, 0xf5, 0x20, 0xb5, 0x9e, 0xfc, 0x60, 0x1a, 0xae,
-+ 0x3d, 0xf8, 0x21, 0xd2, 0xa7, 0xca, 0x52, 0x34, 0xb9, 0x5f, 0x27, 0x75,
-+ 0x6c, 0x81, 0xbe, 0x32, 0x4d, 0xba, 0xbb, 0xf8
-+};
-+
-+static const unsigned char p256_qiutd[] = {
-+ 0x1a, 0x48, 0x55, 0x6b, 0x11, 0xbe, 0x92, 0xd4, 0x1c, 0xd7, 0x45, 0xc3,
-+ 0x82, 0x81, 0x51, 0xf1, 0x23, 0x40,
0xb7, 0x83, 0xfd, 0x01, 0x6d, 0xbc,
-+ 0xa1, 0x66, 0xaf, 0x0a, 0x03, 0x23, 0xcd, 0xc8
-+};
-+
-+static const unsigned char p256_ziut[] = {
-+ 0x77, 0x2a, 0x1e, 0x37, 0xee, 0xe6, 0x51, 0x02, 0x71, 0x40, 0xf8, 0x6a,
-+ 0x36, 0xf8, 0x65, 0x61, 0x2b, 0x18, 0x71, 0x82, 0x23, 0xe6, 0xf2, 0x77,
-+ 0xce, 0xec, 0xb8, 0x49, 0xc7, 0xbf, 0x36, 0x4f
-+};
-+
-+typedef struct {
-+ int curve;
-+ const unsigned char *x1;
-+ size_t x1len;
-+ const unsigned char *y1;
-+ size_t y1len;
-+ const unsigned char *d1;
-+ size_t d1len;
-+ const unsigned char *x2;
-+ size_t x2len;
-+ const unsigned char *y2;
-+ size_t y2len;
-+ const unsigned char *z;
-+ size_t zlen;
-+} ECDH_SELFTEST_DATA;
-+
-+# define make_ecdh_test(nid, pr) { nid, \
-+ pr##_qiutx, sizeof(pr##_qiutx), \
-+ pr##_qiuty, sizeof(pr##_qiuty), \
-+ pr##_qiutd, sizeof(pr##_qiutd), \
-+ pr##_qcavsx, sizeof(pr##_qcavsx), \
-+ pr##_qcavsy, sizeof(pr##_qcavsy), \
-+ pr##_ziut, sizeof(pr##_ziut) }
-+
-+static ECDH_SELFTEST_DATA test_ecdh_data[] = {
-+ make_ecdh_test(NID_X9_62_prime256v1, p256),
-+};
-+
-+int FIPS_selftest_ecdh(void)
-+{
-+ EC_KEY *ec1 = NULL, *ec2 = NULL;
-+ const EC_POINT *ecp = NULL;
-+ BIGNUM *x = NULL, *y = NULL, *d = NULL;
-+ unsigned char *ztmp = NULL;
-+ int rv = 1;
-+ size_t i;
-+
-+ for (i = 0; i < sizeof(test_ecdh_data) / sizeof(ECDH_SELFTEST_DATA); i++) {
-+ ECDH_SELFTEST_DATA *ecd = test_ecdh_data + i;
-+ if (!fips_post_started(FIPS_TEST_ECDH, ecd->curve, 0))
-+ continue;
-+ ztmp = OPENSSL_malloc(ecd->zlen);
-+
-+ x = BN_bin2bn(ecd->x1, ecd->x1len, x);
-+ y = BN_bin2bn(ecd->y1, ecd->y1len, y);
-+ d = BN_bin2bn(ecd->d1, ecd->d1len, d);
-+
-+ if (!x || !y || !d || !ztmp) {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ ec1 = EC_KEY_new_by_curve_name(ecd->curve);
-+ if (!ec1) {
-+ rv = -1;
-+ goto err;
-+ }
-+ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
-+
-+ if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ if (!EC_KEY_set_private_key(ec1, d)) {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ x = BN_bin2bn(ecd->x2, ecd->x2len, x);
-+ y = BN_bin2bn(ecd->y2, ecd->y2len, y);
-+
-+ if (!x || !y) {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ ec2 = EC_KEY_new_by_curve_name(ecd->curve);
-+ if (!ec2) {
-+ rv = -1;
-+ goto err;
-+ }
-+ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
-+
-+ if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ ecp = EC_KEY_get0_public_key(ec2);
-+ if (!ecp) {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ if (!fips_post_corrupt(FIPS_TEST_ECDH, ecd->curve, NULL))
-+ ztmp[0] ^= 0x1;
-+
-+ if (memcmp(ztmp, ecd->z, ecd->zlen)) {
-+ fips_post_failed(FIPS_TEST_ECDH, ecd->curve, 0);
-+ rv = 0;
-+ } else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0))
-+ goto err;
-+
-+ EC_KEY_free(ec1);
-+ ec1 = NULL;
-+ EC_KEY_free(ec2);
-+ ec2 = NULL;
-+ OPENSSL_free(ztmp);
-+ ztmp = NULL;
-+ }
-+
-+ err:
-+
-+ if (x)
-+ BN_clear_free(x);
-+ if (y)
-+ BN_clear_free(y);
-+ if (d)
-+ BN_clear_free(d);
-+ if (ec1)
-+ EC_KEY_free(ec1);
-+ if (ec2)
-+ EC_KEY_free(ec2);
-+ if (ztmp)
-+ OPENSSL_free(ztmp);
-+
-+ return rv;
-+
-+}
-+
-+#endif
-diff --git a/crypto/fips/fips_ecdsa_selftest.c b/crypto/fips/fips_ecdsa_selftest.c
-new file mode 100644
-index 0000000..4ce6e81
---- /dev/null
-+++ b/crypto/fips/fips_ecdsa_selftest.c
-@@ -0,0 +1,165 @@
-+/* fips/ecdsa/fips_ecdsa_selftest.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project 2011.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2.
Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#ifdef OPENSSL_FIPS
-+
-+static const char P_256_name[] = "ECDSA P-256";
-+
-+static const unsigned char P_256_d[] = {
-+ 0x51, 0xbd, 0x06, 0xa1, 0x1c, 0xda, 0xe2, 0x12, 0x99, 0xc9, 0x52, 0x3f,
-+ 0xea, 0xa4, 0xd2, 0xd1, 0xf4, 0x7f, 0xd4, 0x3e, 0xbd, 0xf8, 0xfc, 0x87,
-+ 0xdc, 0x82, 0x53, 0x21, 0xee, 0xa0, 0xdc, 0x64
-+};
-+
-+static const unsigned char P_256_qx[] = {
-+ 0x23, 0x89, 0xe0, 0xf4, 0x69, 0xe0, 0x49, 0xe5, 0xc7, 0xe5, 0x40, 0x6e,
-+ 0x8f, 0x25, 0xdd, 0xad, 0x11, 0x16, 0x14, 0x9b, 0xab, 0x44, 0x06, 0x31,
-+ 0xbf, 0x5e, 0xa6, 0x44, 0xac, 0x86, 0x00, 0x07
-+};
-+
-+static const unsigned char P_256_qy[] = {
-+ 0xb3, 0x05, 0x0d, 0xd0, 0xdc, 0xf7, 0x40, 0xe6, 0xf9, 0xd8, 0x6d, 0x7b,
-+ 0x63, 0xca, 0x97, 0xe6, 0x12, 0xf9, 0xd4, 0x18, 0x59, 0xbe, 0xb2, 0x5e,
-+ 0x4a, 0x6a, 0x77, 0x23, 0xf4, 0x11, 0x9d, 0xeb
-+};
-+
-+typedef struct {
-+ int curve;
-+ const char *name;
-+ const unsigned char *x;
-+ size_t xlen;
-+ const unsigned char *y;
-+ size_t ylen;
-+ const unsigned char *d;
-+ size_t dlen;
-+} EC_SELFTEST_DATA;
-+
-+# define make_ecdsa_test(nid, pr) { nid, pr##_name, \
-+ pr##_qx, sizeof(pr##_qx), \
-+ pr##_qy, sizeof(pr##_qy), \
-+ pr##_d, sizeof(pr##_d)}
-+
-+static EC_SELFTEST_DATA test_ec_data[] = {
-+ make_ecdsa_test(NID_X9_62_prime256v1, P_256),
-+};
-+
-+int FIPS_selftest_ecdsa()
-+{
-+ EC_KEY *ec = NULL;
-+ BIGNUM *x = NULL, *y = NULL, *d = NULL;
-+ EVP_PKEY *pk = NULL;
-+ int rv = 0;
-+ size_t i;
-+
-+ for (i = 0; i < sizeof(test_ec_data) / sizeof(EC_SELFTEST_DATA); i++) {
-+ EC_SELFTEST_DATA *ecd = test_ec_data + i;
-+
-+ x = BN_bin2bn(ecd->x, ecd->xlen, x);
-+ y = BN_bin2bn(ecd->y, ecd->ylen, y);
-+ d = BN_bin2bn(ecd->d, ecd->dlen, d);
-+
-+ if (!x || !y || !d)
-+ goto err;
-+
-+ ec = EC_KEY_new_by_curve_name(ecd->curve);
-+ if (!ec)
-+
goto err;
-+
-+ if (!EC_KEY_set_public_key_affine_coordinates(ec, x, y))
-+ goto err;
-+
-+ if (!EC_KEY_set_private_key(ec, d))
-+ goto err;
-+
-+ if ((pk = EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_assign_EC_KEY(pk, ec);
-+
-+ if (!fips_pkey_signature_test(pk, NULL, 0,
-+ NULL, 0, EVP_sha256(), 0, ecd->name))
-+ goto err;
-+ }
-+
-+ rv = 1;
-+
-+ err:
-+
-+ if (x)
-+ BN_clear_free(x);
-+ if (y)
-+ BN_clear_free(y);
-+ if (d)
-+ BN_clear_free(d);
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+ else if (ec)
-+ EC_KEY_free(ec);
-+
-+ return rv;
-+
-+}
-+
-+#endif
-diff --git a/crypto/fips/fips_post.c b/crypto/fips/fips_post.c
-index 629f5c2..b9354db 100644
---- a/crypto/fips/fips_post.c
-+++ b/crypto/fips/fips_post.c
-@@ -95,8 +95,12 @@ int FIPS_selftest(void)
- rv = 0;
- if (!FIPS_selftest_rsa())
- rv = 0;
-+ if (!FIPS_selftest_ecdsa())
-+ rv = 0;
- if (!FIPS_selftest_dsa())
- rv = 0;
-+ if (!FIPS_selftest_ecdh())
-+ rv = 0;
- return rv;
- }
-
diff -Nru openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-md5-allow.patch openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-md5-allow.patch
--- openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-md5-allow.patch 2016-04-15 04:56:29.000000000 +0000
+++ openssl-1.0.2g/debian/patches/openssl-1.0.2a-fips-md5-allow.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,32 +0,0 @@
-commit a1bbf7c63dc208b24fde36521b31160ef8fc6016
-Author: Joy Latten
-Date: Wed Apr 13 18:06:25 2016 -0500
-
-
From: Joy Latten
- Description: [PATCH 3/6] Allow MD5 for fips.
- Bug-Ubuntu: http://bugs.launchpad.net/bugs/1553309
- Forwarded: not-needed
- Origin: vendor, http://pkgs.fedoraproject.org/cgit/rpms/openssl.git
-
-diff --git a/crypto/md5/md5_dgst.c b/crypto/md5/md5_dgst.c
-index 0a28b9b..0c86a49 100644
---- a/crypto/md5/md5_dgst.c
-+++ b/crypto/md5/md5_dgst.c
-@@ -72,7 +72,16 @@ const char MD5_version[] = "MD5" OPENSSL_VERSION_PTEXT;
- #define INIT_DATA_C (unsigned long)0x98badcfeL
- #define INIT_DATA_D (unsigned long)0x10325476L
-
--nonfips_md_init(MD5)
-+int MD5_Init(MD5_CTX *c)
-+#ifdef OPENSSL_FIPS
-+{
-+ if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
-+ OpenSSLDie(__FILE__, __LINE__, "Digest MD5 forbidden in FIPS mode!");
-+ return private_MD5_Init(c);
-+}
-+
-+int private_MD5_Init(MD5_CTX *c)
-+#endif
- {
- memset(c, 0, sizeof(*c));
- c->A = INIT_DATA_A;
diff -Nru openssl-1.0.2g/debian/patches/openssl-1.0.2f-new-fips-reqs.patch openssl-1.0.2g/debian/patches/openssl-1.0.2f-new-fips-reqs.patch
--- openssl-1.0.2g/debian/patches/openssl-1.0.2f-new-fips-reqs.patch 2016-04-15 04:56:29.000000000 +0000
+++ openssl-1.0.2g/debian/patches/openssl-1.0.2f-new-fips-reqs.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,1374 +0,0 @@
-commit be78d827c798d847bf5664f3d30f3f5ecbf214dd
-Author: Joy Latten
-Date: Wed Apr 13 22:58:04 2016 -0500
-
-
From: Joy Latten
- Description: [PATCH 5/6] More fips 140-2 requirements
- Bug-Ubuntu: http://bugs.launchpad.net/bugs/1553309
- Forwarded: not-needed
- Origin: vendor, http://pkgs.fedoraproject.org/cgit/rpms/openssl.git
-
-diff --git a/crypto/dh/dh.h b/crypto/dh/dh.h
-index 7ae5079..cd08b18 100644
---- a/crypto/dh/dh.h
-+++ b/crypto/dh/dh.h
-@@ -78,6 +78,7 @@
- # endif
-
- # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
-+# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048
-
- # define DH_FLAG_CACHE_MONT_P 0x01
-
-diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
-index 4fcb16b..db9f700 100644
---- a/crypto/dh/dh_gen.c
-+++ b/crypto/dh/dh_gen.c
-@@ -128,7 +128,7 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
- return 0;
- }
-
-- if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
-+ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) {
- DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
- goto err;
- }
-diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h
-index 7c78c5a..4abe46c 100644
---- a/crypto/dsa/dsa.h
-+++ b/crypto/dsa/dsa.h
-@@ -89,6 +89,7 @@
- # endif
-
- # define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
-+# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN (getenv("OPENSSL_ENFORCE_MODULUS_BITS")?2048:1024)
-
- # define DSA_FLAG_CACHE_MONT_P 0x01
- /*
-@@ -251,9 +252,9 @@ int DSAparams_print_fp(FILE *fp, const DSA *x);
- int DSA_print_fp(FILE *bp, const DSA *x, int off);
- # endif
-
--# define DSS_prime_checks 50
-+# define DSS_prime_checks 64
- /*
-- * Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of
-+ * Primality test according to FIPS PUB 186-4, Appendix 2.1: 64 rounds of
- * Rabin-Miller
- */
- # define DSA_is_prime(n, callback, cb_arg) \
-diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c
-index 96c4c09..ca86915 100644
---- a/crypto/dsa/dsa_gen.c
-+++ b/crypto/dsa/dsa_gen.c
-@@ -157,9 +157,11 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
}
-
- if (FIPS_module_mode() &&
-- (bits != 1024 || qbits != 160) &&
-- (bits != 2048 || qbits != 224) &&
-- (bits != 2048 || qbits != 256) && (bits != 3072 || qbits != 256)) {
-+ (getenv("OPENSSL_ENFORCE_MODULUS_BITS") || bits != 1024
-+ || qbits != 160) && (bits != 2048 || qbits != 224) && (bits != 2048
-+ || qbits !=
-+ 256)
-+ && (bits != 3072 || qbits != 256)) {
- DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
- goto err;
- }
-diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c
-index e1307b0..f235fce 100644
---- a/crypto/dsa/dsa_key.c
-+++ b/crypto/dsa/dsa_key.c
-@@ -120,7 +120,7 @@ static int dsa_builtin_keygen(DSA *dsa)
-
- # ifdef OPENSSL_FIPS
- if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
-- && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
-+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN)) {
- DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
- goto err;
- }
-diff --git a/crypto/fips/Makefile b/crypto/fips/Makefile
-index 0b54447..8d4bf9a 100644
---- a/crypto/fips/Makefile
-+++ b/crypto/fips/Makefile
-@@ -24,13 +24,15 @@ LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_se
- fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
- fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
- fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
-- fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c
-+ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c \
-+ fips_dh_selftest.c
-
- LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \
- fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \
- fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \
- fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \
--
fips_cmac_selftest.o fips_ecdh_selftest.o fips_ecdsa_selftest.o fips_enc.o fips_md.o
-+ fips_cmac_selftest.o fips_ecdh_selftest.o fips_ecdsa_selftest.o fips_enc.o fips_md.o \
-+ fips_dh_selftest.o
-
- LIBCRYPTO=-L.. -lcrypto
-
-diff --git a/crypto/fips/fips.c b/crypto/fips/fips.c
-index e5de012..c4602e2 100644
---- a/crypto/fips/fips.c
-+++ b/crypto/fips/fips.c
-@@ -418,26 +418,24 @@ int FIPS_module_mode_set(int onoff, const char *auth)
- ret = 0;
- goto end;
- }
-- OPENSSL_ia32cap_P[0] |= (1 << 28); /* set "shared cache" */
-- OPENSSL_ia32cap_P[1] &= ~(1 << (60 - 32)); /* clear AVX */
- }
- # endif
-
-- if (!verify_checksums()) {
-- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
-- FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
-+ if (!FIPS_selftest()) {
- fips_selftest_fail = 1;
- ret = 0;
- goto end;
- }
-
-- if (FIPS_selftest())
-- fips_set_mode(onoff);
-- else {
-+ if (!verify_checksums()) {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
-+ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
- fips_selftest_fail = 1;
- ret = 0;
- goto end;
- }
-+
-+ fips_set_mode(onoff);
- ret = 1;
- goto end;
- }
-diff --git a/crypto/fips/fips.h b/crypto/fips/fips.h
-index 9777a73..8c9be43 100644
---- a/crypto/fips/fips.h
-+++ b/crypto/fips/fips.h
-@@ -96,6 +96,7 @@ extern "C" {
- int FIPS_selftest_dsa(void);
- int FIPS_selftest_ecdsa(void);
- int FIPS_selftest_ecdh(void);
-+ int FIPS_selftest_dh(void);
- void FIPS_corrupt_rng(void);
- void FIPS_rng_stick(void);
- void FIPS_x931_stick(int onoff);
-diff --git a/crypto/fips/fips_dh_selftest.c b/crypto/fips/fips_dh_selftest.c
-new file mode 100644
-index 0000000..2b1eb25
---- /dev/null
-+++ b/crypto/fips/fips_dh_selftest.c
-@@ -0,0 +1,162 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ * Copyright (c) 2013 Red Hat, Inc.
-+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "fips_locl.h" -+ -+#ifdef OPENSSL_FIPS -+ -+static const unsigned char dh_test_2048_p[] = { -+ 0xAE, 0xEC, 0xEE, 0x22, 0xFA, 0x3A, 0xA5, 0x22, 0xC0, 0xDE, 0x0F, 0x09, -+ 0x7E, 0x17, 0xC0, 0x05, 0xF9, 0xF1, 0xE7, 0xC6, 0x87, 0x14, 0x6D, 0x11, -+ 0xE7, 0xAE, 0xED, 0x2F, 0x72, 0x59, 0xC5, 0xA9, 0x9B, 0xB8, 0x02, 0xA5, -+ 0xF3, 0x69, 0x70, 0xD6, 0xDD, 0x90, 0xF9, 0x19, 0x79, 0xBE, 0x60, 0x8F, -+ 0x25, 0x92, 0x30, 0x1C, 0x51, 0x51, 0x38, 0x26, 0x82, 0x25, 0xE6, 0xFC, -+ 0xED, 0x65, 0x96, 0x8F, 0x57, 0xE5, 0x53, 0x8B, 0x38, 0x63, 0xC7, 0xCE, -+ 0xBC, 0x1B, 0x4D, 0x18, 0x2A, 0x5B, 0x04, 0x3F, 0x6A, 0x3C, 0x94, 0x39, -+ 0xAE, 0x36, 0xD6, 0x5E, 0x0F, 0xA2, 0xCC, 0xD0, 0xD4, 0xD5, 0xC6, 0x1E, -+ 0xF6, 0xA0, 0xF5, 0x89, 0x4E, 0xB4, 0x0B, 0xA4, 0xB3, 0x2B, 0x3D, 0xE2, -+ 0x4E, 0xE1, 0x49, 0x25, 0x99, 0x5F, 0x32, 0x16, 0x33, 0x32, 0x1B, 0x7A, -+ 0xA5, 0x5C, 0x6B, 0x34, 0x0D, 0x39, 0x99, 0xDC, 0xF0, 0x76, 0xE5, 0x5A, -+ 0xD4, 0x71, 0x00, 0xED, 0x5A, 0x73, 0xFB, 0xC8, 0x01, 0xAD, 0x99, 0xCF, -+ 0x99, 0x52, 0x7C, 0x9C, 0x64, 0xC6, 0x76, 0x40, 0x57, 0xAF, 0x59, 0xD7, -+ 0x38, 0x0B, 0x40, 0xDE, 0x33, 0x0D, 0xB8, 0x76, 0xEC, 0xA9, 0xD8, 0x73, -+ 0xF8, 0xEF, 0x26, 0x66, 0x06, 0x27, 0xDD, 0x7C, 0xA4, 0x10, 0x9C, 0xA6, -+ 0xAA, 0xF9, 0x53, 0x62, 0x73, 0x1D, 0xBA, 0x1C, 0xF1, 0x67, 0xF4, 0x35, -+ 0xED, 0x6F, 0x37, 0x92, 0xE8, 0x4F, 0x6C, 
0xBA, 0x52, 0x6E, 0xA1, 0xED, -+ 0xDA, 0x9F, 0x85, 0x11, 0x82, 0x52, 0x62, 0x08, 0x44, 0xF1, 0x30, 0x03, -+ 0xC3, 0x38, 0x2C, 0x79, 0xBD, 0xD4, 0x43, 0x45, 0xEE, 0x8E, 0x50, 0xFC, -+ 0x29, 0x46, 0x9A, 0xFE, 0x54, 0x1A, 0x19, 0x8F, 0x4B, 0x84, 0x08, 0xDE, -+ 0x20, 0x62, 0x73, 0xCC, 0xDD, 0x7E, 0xF0, 0xEF, 0xA2, 0xFD, 0x86, 0x58, -+ 0x4B, 0xD8, 0x37, 0xEB -+}; -+ -+static const unsigned char dh_test_2048_g[] = { -+ 0x02 -+}; -+ -+static const unsigned char dh_test_2048_pub_key[] = { -+ 0xA0, 0x39, 0x11, 0x77, 0x9A, 0xC1, 0x30, 0x1F, 0xBE, 0x48, 0xA7, 0xAA, -+ 0xA0, 0x84, 0x54, 0x64, 0xAD, 0x1B, 0x70, 0xFA, 0x13, 0x55, 0x63, 0xD2, -+ 0x1F, 0x62, 0x32, 0x93, 0x8E, 0xC9, 0x3E, 0x09, 0xA7, 0x64, 0xE4, 0x12, -+ 0x6E, 0x1B, 0xF2, 0x92, 0x3B, 0xB9, 0xCB, 0x56, 0xEA, 0x07, 0x88, 0xB5, -+ 0xA6, 0xBC, 0x16, 0x1F, 0x27, 0xFE, 0xD8, 0xAA, 0x40, 0xB2, 0xB0, 0x2D, -+ 0x37, 0x76, 0xA6, 0xA4, 0x82, 0x2C, 0x0E, 0x22, 0x64, 0x9D, 0xCB, 0xD1, -+ 0x00, 0xB7, 0x89, 0x14, 0x72, 0x4E, 0xBE, 0x48, 0x41, 0xF8, 0xB2, 0x51, -+ 0x11, 0x09, 0x4B, 0x22, 0x01, 0x23, 0x39, 0x96, 0xE0, 0x15, 0xD7, 0x9F, -+ 0x60, 0xD1, 0xB7, 0xAE, 0xFE, 0x5F, 0xDB, 0xE7, 0x03, 0x17, 0x97, 0xA6, -+ 0x16, 0x74, 0xBD, 0x53, 0x81, 0x19, 0xC5, 0x47, 0x5E, 0xCE, 0x8D, 0xED, -+ 0x45, 0x5D, 0x3C, 0x00, 0xA0, 0x0A, 0x68, 0x6A, 0xE0, 0x8E, 0x06, 0x46, -+ 0x6F, 0xD7, 0xF9, 0xDF, 0x31, 0x7E, 0x77, 0x44, 0x0D, 0x98, 0xE0, 0xCA, -+ 0x98, 0x09, 0x52, 0x04, 0x90, 0xEA, 0x6D, 0xF4, 0x30, 0x69, 0x8F, 0xB1, -+ 0x9B, 0xC1, 0x43, 0xDB, 0xD5, 0x8D, 0xC8, 0x8E, 0xB6, 0x0B, 0x05, 0xBE, -+ 0x0E, 0xC5, 0x99, 0xC8, 0x6E, 0x4E, 0xF3, 0xCB, 0xC3, 0x5E, 0x9B, 0x53, -+ 0xF7, 0x06, 0x1C, 0x4F, 0xC7, 0xB8, 0x6E, 0x30, 0x18, 0xCA, 0x9B, 0xB9, -+ 0xBC, 0x5F, 0x17, 0x72, 0x29, 0x5A, 0xE5, 0xD9, 0x96, 0xB7, 0x0B, 0xF3, -+ 0x2D, 0x8C, 0xF1, 0xE1, 0x0E, 0x0D, 0x74, 0xD5, 0x9D, 0xF0, 0x06, 0xA9, -+ 0xB4, 0x95, 0x63, 0x76, 0x46, 0x55, 0x48, 0x82, 0x39, 0x90, 0xEF, 0x56, -+ 0x75, 0x34, 0xB8, 0x34, 0xC3, 0x18, 0x6E, 0x1E, 0xAD, 0xE3, 0x48, 0x7E, -+ 0x93, 
0x2C, 0x23, 0xE7, 0xF8, 0x90, 0x73, 0xB1, 0x77, 0x80, 0x67, 0xA9, -+ 0x36, 0x9E, 0xDA, 0xD2 -+}; -+ -+static const unsigned char dh_test_2048_priv_key[] = { -+ 0x0C, 0x4B, 0x30, 0x89, 0xD1, 0xB8, 0x62, 0xCB, 0x3C, 0x43, 0x64, 0x91, -+ 0xF0, 0x91, 0x54, 0x70, 0xC5, 0x27, 0x96, 0xE3, 0xAC, 0xBE, 0xE8, 0x00, -+ 0xEC, 0x55, 0xF6, 0xCC -+}; -+ -+int FIPS_selftest_dh() -+{ -+ DH *dh = NULL; -+ int ret = 0; -+ void *pub_key = NULL; -+ int len; -+ -+ dh = DH_new(); -+ -+ if (dh == NULL) -+ goto err; -+ -+ fips_load_key_component(dh, p, dh_test_2048); -+ fips_load_key_component(dh, g, dh_test_2048); -+ /* note that the private key is much shorter than normally used -+ * but still g ** priv_key > p -+ */ -+ fips_load_key_component(dh, priv_key, dh_test_2048); -+ -+ if (DH_generate_key(dh) <= 0) -+ goto err; -+ -+ len = BN_num_bytes(dh->pub_key); -+ if ((pub_key = OPENSSL_malloc(len)) == NULL) -+ goto err; -+ BN_bn2bin(dh->pub_key, pub_key); -+ -+ if (len != sizeof(dh_test_2048_pub_key) || -+ memcmp(pub_key, dh_test_2048_pub_key, len) != 0) -+ goto err; -+ -+ ret = 1; -+ -+ err: -+ if (dh) -+ DH_free(dh); -+ -+ OPENSSL_free(pub_key); -+ return ret; -+} -+#endif -diff --git a/crypto/fips/fips_post.c b/crypto/fips/fips_post.c -index b9354db..2b19651 100644 ---- a/crypto/fips/fips_post.c -+++ b/crypto/fips/fips_post.c -@@ -99,6 +99,8 @@ int FIPS_selftest(void) - rv = 0; - if (!FIPS_selftest_dsa()) - rv = 0; -+ if (!FIPS_selftest_dh()) -+ rv = 0; - if (!FIPS_selftest_ecdh()) - rv = 0; - return rv; -diff --git a/crypto/fips/fips_rsa_selftest.c b/crypto/fips/fips_rsa_selftest.c -index e87fbda..3f918b7 100644 ---- a/crypto/fips/fips_rsa_selftest.c -+++ b/crypto/fips/fips_rsa_selftest.c -@@ -60,68 +60,107 @@ - #ifdef OPENSSL_FIPS - - static const unsigned char n[] = -- "\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71" -- "\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5" -- "\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD" -- 
"\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80" -- "\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25" -- "\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39" -- "\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68" -- "\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD" "\xCB"; -+ "\x00\xc9\xd5\x6d\x9d\x90\xdb\x43\xd6\x02\xed\x96\x88\x13\x8a" -+ "\xb2\xbf\x6e\xa1\x06\x10\xb2\x78\x37\xa7\x14\xa8\xff\xdd\x00" -+ "\xdd\xb4\x93\xa0\x45\xcc\x96\x90\xed\xad\xa9\xdd\xc4\xd6\xca" -+ "\x0c\xf0\xed\x4f\x72\x5e\x21\x49\x9a\x18\x12\x15\x8f\x90\x5a" -+ "\xdb\xb6\x33\x99\xa3\xe6\xb4\xf0\xc4\x97\x21\x26\xbb\xe3\xba" -+ "\xf2\xff\xa0\x72\xda\x89\x63\x8e\x8b\x3e\x08\x9d\x92\x2a\xbe" -+ "\x16\xe1\x43\x15\xfc\x57\xc7\x1f\x09\x11\x67\x1c\xa9\x96\xd1" -+ "\x8b\x3e\x80\x93\xc1\x59\xd0\x6d\x39\xf2\xac\x95\xcc\x10\x75" -+ "\xe9\x31\x24\xd1\x43\xaf\x68\x52\x4b\xe7\x16\xd7\x49\x65\x6f" -+ "\x26\xc0\x86\xad\xc0\x07\x0a\xc1\xe1\x2f\x87\x85\x86\x3b\xdc" -+ "\x5a\x99\xbe\xe9\xf9\xb9\xe9\x82\x27\x51\x04\x15\xab\x06\x0e" -+ "\x76\x5a\x28\x8d\x92\xbd\xc5\xb5\x7b\xa8\xdf\x4e\x47\xa2\xc1" -+ "\xe7\x52\xbf\x47\xf7\x62\xe0\x3a\x6f\x4d\x6a\x4d\x4e\xd4\xb9" -+ "\x59\x69\xfa\xb2\x14\xc1\xee\xe6\x2f\x95\xcd\x94\x72\xae\xe4" -+ "\xdb\x18\x9a\xc4\xcd\x70\xbd\xee\x31\x16\xb7\x49\x65\xac\x40" -+ "\x19\x0e\xb5\x6d\x83\xf1\x36\xbb\x08\x2f\x2e\x4e\x92\x62\xa4" -+ "\xff\x50\xdb\x20\x45\xa2\xeb\x16\x7a\xf2\xd5\x28\xc1\xfd\x4e" "\x03\x71"; - - static int corrupt_rsa; - - static int setrsakey(RSA *key) - { -- static const unsigned char e[] = "\x11"; -+ static const unsigned char e[] = "\x01\x00\x01"; - - static const unsigned char d[] = -- "\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD" -- "\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41" -- "\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69" -- "\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA" -- 
"\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94" -- "\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A" -- "\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94" -- "\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3" -- "\xC1"; -+ "\x36\x27\x3d\xb1\xf9\x1b\xdb\xa7\xa0\x41\x7f\x12\x23\xac\x23" -+ "\x29\x99\xd5\x3a\x7b\x60\x67\x41\x07\x63\x53\xb4\xd2\xe7\x58" -+ "\x95\x0a\xc7\x05\xf3\x4e\xb2\xb4\x12\xd4\x70\xdc\x4f\x85\x06" -+ "\xd3\xdd\xd8\x63\x27\x3e\x67\x31\x21\x24\x39\x04\xbc\x06\xa4" -+ "\xcc\xce\x2b\x7a\xfe\x7b\xad\xde\x11\x6e\xa3\xa5\xe6\x04\x53" -+ "\x0e\xa3\x4e\x2d\xb4\x8f\x31\xbf\xca\x75\x25\x52\x02\x85\xde" -+ "\x3d\xb2\x72\x43\xb2\x89\x8a\x9a\x34\x41\x26\x3f\x9a\x67\xbe" -+ "\xa4\x96\x7b\x0e\x75\xba\xa6\x93\xd5\xb8\xd8\xb8\x57\xf2\x4b" -+ "\x0f\x14\x81\xd1\x57\x4e\xf6\x45\x4c\xa6\x3b\xd0\x70\xca\xd3" -+ "\x9d\x55\xde\x22\x05\xe7\x8e\x28\x4d\xee\x11\xcf\xb6\x67\x76" -+ "\x09\xd3\xe3\x3c\x13\xf9\x99\x34\x10\x7b\xec\x81\x38\xf0\xb6" -+ "\x34\x9c\x9b\x50\x6f\x0b\x91\x81\x4d\x89\x94\x04\x7b\xf0\x3c" -+ "\xf4\xb1\xb2\x00\x48\x8d\x5a\x8f\x88\x9e\xc5\xab\x3a\x9e\x44" -+ "\x3f\x54\xe7\xd9\x6e\x47\xaa\xa1\xbd\x40\x46\x31\xf9\xf0\x34" -+ "\xb6\x04\xe1\x2b\x5b\x73\x86\xdd\x3a\x92\x1b\x71\xc7\x3f\x32" -+ "\xe5\xc3\xc2\xab\xa1\x7e\xbf\xa4\x52\xa0\xb0\x68\x90\xd1\x20" -+ "\x12\x79\xe9\xd7\xc9\x40\xba\xf2\x19\xc7\xa5\x00\x92\x86\x0d" "\x01"; - - static const unsigned char p[] = -- "\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60" -- "\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6" -- "\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A" -- "\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65" -- "\x99"; -+ "\x00\xfc\x5c\x6e\x16\xce\x1f\x03\x7b\xcd\xf7\xb3\x72\xb2\x8f" -+ "\x16\x72\xb8\x56\xae\xf7\xcd\x67\xd8\x4e\x7d\x07\xaf\xd5\x43" -+ "\x26\xc3\x35\xbe\x43\x8f\x4e\x2f\x1c\x43\x4e\x6b\xd2\xb2\xec" -+ 
"\x52\x6d\x97\x52\x2b\xcc\x5c\x3a\x6b\xf4\x14\xc6\x74\xda\x66" -+ "\x38\x1c\x7a\x3f\x84\x2f\xe3\xf9\x5a\xb8\x65\x69\x46\x06\xa3" -+ "\x37\x79\xb2\xa1\x5b\x58\xed\x5e\xa7\x5f\x8c\x65\x66\xbb\xd1" -+ "\x24\x36\xe6\x37\xa7\x3d\x49\x77\x8a\x8c\x34\xd8\x69\x29\xf3" -+ "\x4d\x58\x22\xb0\x51\x24\xb6\x40\xa8\x86\x59\x0a\xb7\xba\x5c" -+ "\x97\xda\x57\xe8\x36\xda\x7a\x9c\xad"; - - static const unsigned char q[] = -- "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" -- "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D" -- "\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5" -- "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15" -- "\x03"; -+ "\x00\xcc\xbe\x7b\x09\x69\x06\xee\x45\xbf\x88\x47\x38\xa8\xf8" -+ "\x17\xe5\xb6\xba\x67\x55\xe3\xe8\x05\x8b\xb8\xe2\x53\xd6\x8e" -+ "\xef\x2c\xe7\x4f\x4a\xf7\x4e\x26\x8d\x85\x0b\x3f\xec\xc3\x1c" -+ "\xd4\xeb\xec\x6a\xc8\x72\x2a\x25\x7d\xfd\xa6\x77\x96\xf0\x1e" -+ "\xcd\x28\x57\xf8\x37\x30\x75\x6b\xbd\xd4\x7b\x0c\x87\xc5\x6c" -+ "\x87\x40\xa5\xbb\x27\x2c\x78\xc9\x74\x5a\x54\x5b\x0b\x30\x6f" -+ "\x44\x4a\xfa\x71\xe4\x21\x61\x66\xf9\xee\x65\xde\x7c\x04\xd7" -+ "\xfd\xa9\x15\x5b\x7f\xe2\x7a\xba\x69\x86\x72\xa6\x06\x8d\x9b" -+ "\x90\x55\x60\x9e\x4c\x5d\xa9\xb6\x55"; - - static const unsigned char dmp1[] = -- "\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A" -- "\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E" -- "\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E" -- "\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81"; -+ "\x7a\xd6\x12\xd0\x0e\xec\x91\xa9\x85\x8b\xf8\x50\xf0\x11\x2e" -+ "\x00\x11\x32\x40\x60\x66\x1f\x11\xee\xc2\x75\x27\x65\x4b\x16" -+ "\x67\x16\x95\xd2\x14\xc3\x1d\xb3\x48\x1f\xb7\xe4\x0b\x2b\x74" -+ "\xc3\xdb\x50\x27\xf9\x85\x3a\xfa\xa9\x08\x23\xc1\x65\x3d\x34" -+ "\x3a\xc8\x56\x7a\x65\x45\x36\x6e\xae\x2a\xce\x9f\x43\x43\xd7" -+ "\x10\xe9\x9e\x18\xf4\xa4\x35\xda\x8a\x6b\xb0\x3f\xdd\x53\xe3" -+ 
"\xa8\xc5\x4e\x79\x9d\x1f\x51\x8c\xa2\xca\x66\x3c\x6a\x2a\xff" -+ "\x8e\xd2\xf3\xb7\xcb\x82\xda\xde\x2c\xe6\xd2\x8c\xb3\xad\xb6" -+ "\x4c\x95\x55\x76\xbd\xc9\xc8\xd1"; - - static const unsigned char dmq1[] = -- "\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9" -- "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7" -- "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D" -- "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D"; -+ "\x00\x83\x23\x1d\xbb\x11\x42\x17\x2b\x25\x5a\x2c\x03\xe6\x75" -+ "\xc1\x18\xa8\xc9\x0b\x96\xbf\xba\xc4\x92\x91\x80\xa5\x22\x2f" -+ "\xba\x91\x90\x36\x01\x56\x15\x00\x2c\x74\xa2\x97\xf7\x15\xa1" -+ "\x49\xdf\x32\x35\xd2\xdd\x0c\x91\xa6\xf8\xe7\xbe\x81\x36\x9b" -+ "\x03\xdc\x6b\x3b\xd8\x5d\x79\x57\xe0\xe6\x4f\x49\xdf\x4c\x5c" -+ "\x0e\xe5\x21\x41\x95\xfd\xad\xff\x9a\x3e\xa0\xf9\x0f\x59\x9e" -+ "\x6a\xa7\x7b\x71\xa7\x24\x9a\x36\x52\xae\x97\x20\xc1\x5e\x78" -+ "\xd9\x47\x8b\x1e\x67\xf2\xaf\x98\xe6\x2d\xef\x10\xd7\xf1\xab" -+ "\x49\xee\xe5\x4b\x7e\xae\x1f\x1d\x61"; - - static const unsigned char iqmp[] = -- "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23" -- "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11" -- "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E" -- "\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39" -- "\xF7"; -+ "\x23\x96\xc1\x91\x17\x5e\x0a\x83\xd2\xdc\x7b\x69\xb2\x59\x1d" -+ "\x33\x58\x52\x3f\x18\xc7\x09\x50\x1c\xb9\xa1\xbb\x4c\xa2\x38" -+ "\x40\x4c\x9a\x8e\xfe\x9c\x90\x92\xd0\x71\x9f\x89\x99\x50\x91" -+ "\x1f\x34\x8b\x74\x53\x11\x11\x4a\x70\xe2\xf7\x30\xd8\x8c\x80" -+ "\xe1\xcc\x9f\xf1\x63\x17\x1a\x7d\x67\x29\x4c\xcb\x4e\x74\x7b" -+ "\xe0\x3e\x9e\x2f\xf4\x67\x8f\xec\xb9\x5c\x00\x1e\x7e\xa2\x7b" -+ "\x92\xc9\x6f\x4c\xe4\x0e\xf9\x48\x63\xcd\x50\x22\x5d\xbf\xb6" -+ "\x9d\x01\x33\x6a\xf4\x50\xbe\x86\x98\x4f\xca\x3f\x3a\xfa\xcf" -+ "\x07\x40\xc4\xaa\xad\xae\xbe\xbf"; - - key->n = BN_bin2bn(n, sizeof(n) - 1, 
key->n); - if (corrupt_rsa) -- BN_set_bit(key->n, 1024); -+ BN_set_bit(key->n, 2048); - key->e = BN_bin2bn(e, sizeof(e) - 1, key->e); - key->d = BN_bin2bn(d, sizeof(d) - 1, key->d); - key->p = BN_bin2bn(p, sizeof(p) - 1, key->p); -@@ -145,200 +184,292 @@ static const unsigned char kat_tbs[] = - "OpenSSL FIPS 140-2 Public Key RSA KAT"; - - static const unsigned char kat_RSA_PSS_SHA1[] = { -- 0x2D, 0xAF, 0x6E, 0xC2, 0x98, 0xFB, 0x8A, 0xA1, 0xB9, 0x46, 0xDA, 0x0F, -- 0x01, 0x1E, 0x37, 0x93, 0xC2, 0x55, 0x27, 0xE4, 0x1D, 0xD2, 0x90, 0xBB, -- 0xF4, 0xBF, 0x4A, 0x74, 0x39, 0x51, 0xBB, 0xE8, 0x0C, 0xB7, 0xF8, 0xD3, -- 0xD1, 0xDF, 0xE7, 0xBE, 0x80, 0x05, 0xC3, 0xB5, 0xC7, 0x83, 0xD5, 0x4C, -- 0x7F, 0x49, 0xFB, 0x3F, 0x29, 0x9B, 0xE1, 0x12, 0x51, 0x60, 0xD0, 0xA7, -- 0x0D, 0xA9, 0x28, 0x56, 0x73, 0xD9, 0x07, 0xE3, 0x5E, 0x3F, 0x9B, 0xF5, -- 0xB6, 0xF3, 0xF2, 0x5E, 0x74, 0xC9, 0x83, 0x81, 0x47, 0xF0, 0xC5, 0x45, -- 0x0A, 0xE9, 0x8E, 0x38, 0xD7, 0x18, 0xC6, 0x2A, 0x0F, 0xF8, 0xB7, 0x31, -- 0xD6, 0x55, 0xE4, 0x66, 0x78, 0x81, 0xD4, 0xE6, 0xDB, 0x9F, 0xBA, 0xE8, -- 0x23, 0xB5, 0x7F, 0xDC, 0x08, 0xEA, 0xD5, 0x26, 0x1E, 0x20, 0x25, 0x84, -- 0x26, 0xC6, 0x79, 0xC9, 0x9B, 0x3D, 0x7E, 0xA9 -+ 0xC2, 0x80, 0x82, 0x56, 0xD8, 0xA7, 0xB2, 0x9C, 0xF5, 0xD6, 0x3C, 0xE3, -+ 0xBF, 0xE9, 0x3A, 0x53, 0x40, 0xAE, 0xF2, 0xA9, 0x6A, 0x39, 0x49, 0x5B, -+ 0x05, 0x7F, 0x67, 0x38, 0x2E, 0x1D, 0xE1, 0x93, 0x22, 0x65, 0x79, 0x84, -+ 0x68, 0xFA, 0xD8, 0xAF, 0xA1, 0x98, 0x61, 0x6F, 0x44, 0x27, 0xA6, 0x8B, -+ 0xCF, 0x0E, 0x13, 0xA9, 0xCE, 0xD7, 0x6C, 0xD2, 0x38, 0xB5, 0x16, 0xB9, -+ 0x66, 0x94, 0x48, 0xDE, 0x9E, 0x19, 0x3D, 0x6F, 0xB3, 0xA1, 0x9A, 0x19, -+ 0xDF, 0xFB, 0xAB, 0xA5, 0x9F, 0x38, 0xDA, 0xC9, 0x21, 0x8F, 0xCE, 0x98, -+ 0x01, 0x3A, 0xC8, 0xE0, 0xDF, 0xDA, 0xFC, 0xF0, 0xA6, 0x86, 0x29, 0xB5, -+ 0x7F, 0x61, 0xFB, 0xBA, 0xC5, 0x49, 0xB2, 0x7C, 0x6A, 0x26, 0x82, 0xC4, -+ 0x8F, 0xAA, 0x5B, 0x10, 0xD5, 0xEE, 0xA0, 0x55, 0x42, 0xEF, 0x32, 0x5A, -+ 0x3F, 0x55, 0xB3, 0x2C, 0x22, 0xE9, 0x65, 0xDA, 0x8D, 
0x0A, 0xB9, 0x70, -+ 0x43, 0xCC, 0x3F, 0x64, 0x9C, 0xB5, 0x65, 0x49, 0xBD, 0x7F, 0x35, 0xC1, -+ 0x20, 0x85, 0x24, 0xFE, 0xAA, 0x6B, 0x37, 0x04, 0xA1, 0x0E, 0x9D, 0x5C, -+ 0xBA, 0x7F, 0x14, 0x69, 0xC5, 0x93, 0xB2, 0x33, 0xC2, 0xC0, 0xC7, 0xDF, -+ 0x7E, 0x9E, 0xA4, 0xB0, 0xA0, 0x64, 0xD2, 0xAC, 0xFC, 0xFD, 0xFD, 0x99, -+ 0x8F, 0x6A, 0x40, 0x26, 0xC1, 0x2E, 0x4E, 0x8B, 0x33, 0xBE, 0xF1, 0x45, -+ 0x59, 0x8F, 0x33, 0x40, 0x1D, 0x2A, 0xD2, 0xF7, 0x50, 0x83, 0x89, 0xCF, -+ 0x94, 0xC6, 0xF8, 0x36, 0xF0, 0x84, 0x0B, 0x85, 0xA5, 0x02, 0xA9, 0x0F, -+ 0x41, 0x7A, 0x77, 0xA3, 0x2F, 0x47, 0x1E, 0x1D, 0xEC, 0xE6, 0xD3, 0x01, -+ 0x1E, 0x6F, 0x7A, 0x96, 0x50, 0x37, 0x37, 0x4B, 0x27, 0x52, 0x0B, 0xDC, -+ 0xDB, 0xC7, 0xA9, 0x31, 0xB2, 0x40, 0xEE, 0x60, 0x41, 0x26, 0x6A, 0x05, -+ 0xCE, 0x08, 0x1D, 0x89 - }; - - static const unsigned char kat_RSA_PSS_SHA224[] = { -- 0x39, 0x4A, 0x6A, 0x20, 0xBC, 0xE9, 0x33, 0xED, 0xEF, 0xC5, 0x58, 0xA7, -- 0xFE, 0x81, 0xC4, 0x36, 0x50, 0x9A, 0x2C, 0x82, 0x98, 0x08, 0x95, 0xFA, -- 0xB1, 0x9E, 0xD2, 0x55, 0x61, 0x87, 0x21, 0x59, 0x87, 0x7B, 0x1F, 0x57, -- 0x30, 0x9D, 0x0D, 0x4A, 0x06, 0xEB, 0x52, 0x37, 0x55, 0x54, 0x1C, 0x89, -- 0x83, 0x75, 0x59, 0x65, 0x64, 0x90, 0x2E, 0x16, 0xCC, 0x86, 0x05, 0xEE, -- 0xB1, 0xE6, 0x7B, 0xBA, 0x16, 0x75, 0x0D, 0x0C, 0x64, 0x0B, 0xAB, 0x22, -- 0x15, 0x78, 0x6B, 0x6F, 0xA4, 0xFB, 0x77, 0x40, 0x64, 0x62, 0xD1, 0xB5, -- 0x37, 0x1E, 0xE0, 0x3D, 0xA8, 0xF9, 0xD2, 0xBD, 0xAA, 0x38, 0x24, 0x49, -- 0x58, 0xD2, 0x74, 0x85, 0xF4, 0xB5, 0x93, 0x8E, 0xF5, 0x03, 0xEA, 0x2D, -- 0xC8, 0x52, 0xFA, 0xCF, 0x7E, 0x35, 0xB0, 0x6A, 0xAF, 0x95, 0xC0, 0x00, -- 0x54, 0x76, 0x3D, 0x0C, 0x9C, 0xB2, 0xEE, 0xC0 -+ 0xB4, 0x01, 0x93, 0x16, 0x05, 0xF6, 0xEB, 0xE2, 0xA4, 0xEB, 0x48, 0xAA, -+ 0x00, 0xF4, 0xA1, 0x99, 0x0A, 0xB4, 0xB6, 0x63, 0xE9, 0x68, 0xCA, 0xB3, -+ 0x13, 0xD7, 0x66, 0x6A, 0xCD, 0xCB, 0x33, 0x9F, 0xE5, 0x84, 0xE2, 0xC3, -+ 0x0B, 0x53, 0xE5, 0x8B, 0x96, 0x4B, 0xDB, 0x2D, 0x80, 0xA4, 0x1D, 0xE3, -+ 0x81, 0xDC, 0x52, 0x99, 0xBA, 0x9B, 0x6A, 
0x9D, 0x48, 0x1F, 0x73, 0xF7, -+ 0xAC, 0x09, 0x13, 0xA1, 0x16, 0x2C, 0x60, 0xFB, 0xBC, 0x25, 0xF7, 0x53, -+ 0xD1, 0x04, 0x5A, 0x3F, 0x95, 0x09, 0x5E, 0xE5, 0xA2, 0x7D, 0xFC, 0x2A, -+ 0x51, 0x1D, 0x21, 0xCE, 0x2B, 0x4E, 0x1B, 0xB8, 0xCB, 0xDD, 0x24, 0xEE, -+ 0x99, 0x1D, 0x37, 0xDC, 0xED, 0x5F, 0x2F, 0x48, 0x5E, 0x33, 0x94, 0x06, -+ 0x19, 0xCD, 0x5A, 0x26, 0x85, 0x77, 0x9D, 0xAF, 0x86, 0x97, 0xC9, 0x08, -+ 0xD5, 0x81, 0x0E, 0xB8, 0x9F, 0xB6, 0xAF, 0x20, 0x72, 0xDC, 0x13, 0x4D, -+ 0x7A, 0xE4, 0x5C, 0x81, 0xDE, 0xC0, 0x3D, 0x19, 0x9C, 0x33, 0x11, 0x07, -+ 0xD5, 0xA9, 0x51, 0x67, 0xCD, 0xFD, 0x37, 0x61, 0x14, 0x9F, 0xE7, 0x70, -+ 0x18, 0x32, 0xC3, 0x34, 0x54, 0x0D, 0x4F, 0xB4, 0xAE, 0x9F, 0xEC, 0x64, -+ 0xD8, 0xB2, 0x16, 0xA4, 0xB2, 0x99, 0x92, 0xCB, 0x7F, 0x1F, 0x06, 0x17, -+ 0x5F, 0xA1, 0x07, 0x68, 0xAE, 0xA7, 0x2D, 0x03, 0x91, 0x2A, 0x9D, 0x69, -+ 0xC2, 0x9D, 0x90, 0xF7, 0xF9, 0x66, 0x5D, 0x13, 0xB7, 0x7F, 0xD3, 0x97, -+ 0x45, 0x97, 0x43, 0xD8, 0xCE, 0x3C, 0xF2, 0x98, 0x98, 0xDD, 0xE2, 0x2D, -+ 0xCF, 0xA1, 0xC4, 0x25, 0x46, 0x2E, 0xD2, 0xE5, 0x5F, 0xC6, 0x01, 0xC5, -+ 0x4F, 0x42, 0x2B, 0xDE, 0x0F, 0xEA, 0x4A, 0x4F, 0xC3, 0x5B, 0xDF, 0x9B, -+ 0x5D, 0x30, 0x18, 0x93, 0xD0, 0xDE, 0xC5, 0x09, 0xAA, 0x57, 0x57, 0xBD, -+ 0x2D, 0x84, 0x03, 0xB7 - }; - - static const unsigned char kat_RSA_PSS_SHA256[] = { -- 0x6D, 0x3D, 0xBE, 0x8F, 0x60, 0x6D, 0x25, 0x14, 0xF0, 0x31, 0xE3, 0x89, -- 0x00, 0x97, 0xFA, 0x99, 0x71, 0x28, 0xE5, 0x10, 0x25, 0x9A, 0xF3, 0x8F, -- 0x7B, 0xC5, 0xA8, 0x4A, 0x74, 0x51, 0x36, 0xE2, 0x8D, 0x7D, 0x73, 0x28, -- 0xC1, 0x77, 0xC6, 0x27, 0x97, 0x00, 0x8B, 0x00, 0xA3, 0x96, 0x73, 0x4E, -- 0x7D, 0x2E, 0x2C, 0x34, 0x68, 0x8C, 0x8E, 0xDF, 0x9D, 0x49, 0x47, 0x05, -- 0xAB, 0xF5, 0x01, 0xD6, 0x81, 0x47, 0x70, 0xF5, 0x1D, 0x6D, 0x26, 0xBA, -- 0x2F, 0x7A, 0x54, 0x53, 0x4E, 0xED, 0x71, 0xD9, 0x5A, 0xF3, 0xDA, 0xB6, -- 0x0B, 0x47, 0x34, 0xAF, 0x90, 0xDC, 0xC8, 0xD9, 0x6F, 0x56, 0xCD, 0x9F, -- 0x21, 0xB7, 0x7E, 0xAD, 0x7C, 0x2F, 0x75, 0x50, 0x47, 0x12, 0xE4, 0x6D, -- 
0x5F, 0xB7, 0x01, 0xDF, 0xC3, 0x11, 0x6C, 0xA9, 0x9E, 0x49, 0xB9, 0xF6, -- 0x72, 0xF4, 0xF6, 0xEF, 0x88, 0x1E, 0x2D, 0x1C -+ 0x38, 0xDA, 0x99, 0x51, 0x26, 0x38, 0xC6, 0x7F, 0xC4, 0x81, 0x57, 0x19, -+ 0x35, 0xC6, 0xF6, 0x1E, 0x90, 0x47, 0x20, 0x55, 0x47, 0x56, 0x26, 0xE9, -+ 0xF2, 0xA8, 0x39, 0x6C, 0xD5, 0xCD, 0xCB, 0x55, 0xFC, 0x0C, 0xC5, 0xCB, -+ 0xF7, 0x40, 0x17, 0x3B, 0xCF, 0xE4, 0x05, 0x03, 0x3B, 0xA0, 0xB2, 0xC9, -+ 0x0D, 0x5E, 0x48, 0x3A, 0xE9, 0xAD, 0x28, 0x71, 0x7D, 0x8F, 0x89, 0x16, -+ 0x59, 0x93, 0x35, 0xDC, 0x4D, 0x7B, 0xDF, 0x84, 0xE4, 0x68, 0xAA, 0x33, -+ 0xAA, 0xDC, 0x66, 0x50, 0xC8, 0xA9, 0x32, 0x12, 0xDC, 0xC6, 0x90, 0x49, -+ 0x0B, 0x75, 0xFF, 0x9B, 0x95, 0x00, 0x9A, 0x90, 0xE0, 0xD4, 0x0E, 0x67, -+ 0xAB, 0x3C, 0x47, 0x36, 0xC5, 0x2E, 0x1C, 0x46, 0xF0, 0x2D, 0xD3, 0x8B, -+ 0x42, 0x08, 0xDE, 0x0D, 0xB6, 0x2C, 0x86, 0xB0, 0x35, 0x71, 0x18, 0x6B, -+ 0x89, 0x67, 0xC0, 0x05, 0xAD, 0xF4, 0x1D, 0x62, 0x4E, 0x75, 0xEC, 0xD6, -+ 0xC2, 0xDB, 0x07, 0xB0, 0xB6, 0x8D, 0x15, 0xAD, 0xCD, 0xBF, 0xF5, 0x60, -+ 0x76, 0xAE, 0x48, 0xB8, 0x77, 0x7F, 0xC5, 0x01, 0xD9, 0x29, 0xBB, 0xD6, -+ 0x17, 0xA2, 0x20, 0x5A, 0xC0, 0x4A, 0x3B, 0x34, 0xC8, 0xB9, 0x39, 0xCF, -+ 0x06, 0x89, 0x95, 0x6F, 0xC7, 0xCA, 0xC4, 0xE4, 0x43, 0xDF, 0x5A, 0x23, -+ 0xE2, 0x89, 0xA3, 0x38, 0x78, 0x31, 0x38, 0xC6, 0xA4, 0x6F, 0x5F, 0x73, -+ 0x5A, 0xE5, 0x9E, 0x09, 0xE7, 0x6F, 0xD4, 0xF8, 0x3E, 0xB7, 0xB0, 0x56, -+ 0x9A, 0xF3, 0x65, 0xF0, 0xC2, 0xA6, 0x8A, 0x08, 0xBA, 0x44, 0xAC, 0x97, -+ 0xDE, 0xB4, 0x16, 0x83, 0xDF, 0xE3, 0xEE, 0x71, 0xFA, 0xF9, 0x51, 0x50, -+ 0x14, 0xDC, 0xFD, 0x6A, 0x82, 0x20, 0x68, 0x64, 0x7D, 0x4E, 0x82, 0x68, -+ 0xD7, 0x45, 0xFA, 0x6A, 0xE4, 0xE5, 0x29, 0x3A, 0x70, 0xFB, 0xE4, 0x62, -+ 0x2B, 0x31, 0xB9, 0x7D - }; - - static const unsigned char kat_RSA_PSS_SHA384[] = { -- 0x40, 0xFB, 0xA1, 0x21, 0xF4, 0xB2, 0x40, 0x9A, 0xB4, 0x31, 0xA8, 0xF2, -- 0xEC, 0x1C, 0xC4, 0xC8, 0x7C, 0x22, 0x65, 0x9C, 0x57, 0x45, 0xCD, 0x5E, -- 0x86, 0x00, 0xF7, 0x25, 0x78, 0xDE, 0xDC, 0x7A, 0x71, 0x44, 
0x9A, 0xCD, -- 0xAA, 0x25, 0xF4, 0xB2, 0xFC, 0xF0, 0x75, 0xD9, 0x2F, 0x78, 0x23, 0x7F, -- 0x6F, 0x02, 0xEF, 0xC1, 0xAF, 0xA6, 0x28, 0x16, 0x31, 0xDC, 0x42, 0x6C, -- 0xB2, 0x44, 0xE5, 0x4D, 0x66, 0xA2, 0xE6, 0x71, 0xF3, 0xAC, 0x4F, 0xFB, -- 0x91, 0xCA, 0xF5, 0x70, 0xEF, 0x6B, 0x9D, 0xA4, 0xEF, 0xD9, 0x3D, 0x2F, -- 0x3A, 0xBE, 0x89, 0x38, 0x59, 0x01, 0xBA, 0xDA, 0x32, 0xAD, 0x42, 0x89, -- 0x98, 0x8B, 0x39, 0x44, 0xF0, 0xFC, 0x38, 0xAC, 0x87, 0x1F, 0xCA, 0x6F, -- 0x48, 0xF6, 0xAE, 0xD7, 0x45, 0xEE, 0xAE, 0x88, 0x0E, 0x60, 0xF4, 0x55, -- 0x48, 0x44, 0xEE, 0x1F, 0x90, 0x18, 0x4B, 0xF1 -+ 0x99, 0x02, 0xC9, 0x1E, 0x31, 0x82, 0xB4, 0xE6, 0x1B, 0x32, 0xCE, 0x5D, -+ 0x41, 0x1D, 0x00, 0x2F, 0x04, 0x8B, 0xBD, 0x37, 0x79, 0xCF, 0x77, 0x03, -+ 0x05, 0x6A, 0x21, 0xC7, 0x8D, 0x24, 0x60, 0x49, 0x39, 0x58, 0xC5, 0x27, -+ 0x8F, 0xC5, 0x97, 0x4A, 0xB2, 0xE1, 0xD4, 0x36, 0x57, 0xBD, 0x43, 0xCC, -+ 0x7B, 0xCE, 0xF2, 0xA5, 0x30, 0xF8, 0x72, 0x14, 0xBB, 0xD0, 0x9F, 0xC1, -+ 0x49, 0xC8, 0x1C, 0xAF, 0xCD, 0x95, 0x78, 0x72, 0x25, 0xF9, 0x45, 0xC6, -+ 0x5B, 0x62, 0x5E, 0x01, 0xD7, 0x40, 0x5E, 0xC8, 0xCA, 0x0A, 0xF3, 0xBA, -+ 0x08, 0x07, 0x88, 0xCA, 0x49, 0x36, 0x84, 0x7D, 0xF6, 0xFC, 0x5A, 0xDB, -+ 0xFC, 0x50, 0xD3, 0xEB, 0x3D, 0x83, 0xB0, 0xF5, 0x94, 0x5E, 0x88, 0xC3, -+ 0x82, 0xCD, 0x53, 0x40, 0x96, 0x18, 0x6B, 0x4A, 0x6C, 0x9C, 0xFE, 0xE5, -+ 0x3B, 0x75, 0xF9, 0xEB, 0xA5, 0x77, 0x11, 0xEF, 0x88, 0x1C, 0x25, 0x70, -+ 0x7D, 0x88, 0x5D, 0xC3, 0xCA, 0xE1, 0x49, 0x14, 0x90, 0xAD, 0xF2, 0x5E, -+ 0x49, 0xD7, 0x99, 0xA5, 0x7B, 0x77, 0x3B, 0x8E, 0xB8, 0xDB, 0xF1, 0x4C, -+ 0xD6, 0x9A, 0xDC, 0xE5, 0x7A, 0x1C, 0xE1, 0xCE, 0x9D, 0xF1, 0xF3, 0xA0, -+ 0x0A, 0x35, 0x52, 0x9D, 0xB9, 0x46, 0x94, 0x82, 0x0F, 0xF7, 0xB2, 0x62, -+ 0x51, 0x70, 0x75, 0xD2, 0x37, 0x96, 0x67, 0x2F, 0xD0, 0x22, 0xD8, 0x07, -+ 0x8D, 0x69, 0x9E, 0x6D, 0x0B, 0x40, 0x4F, 0x70, 0xEC, 0x0B, 0xCA, 0x88, -+ 0x80, 0x8D, 0x9A, 0xF4, 0xF9, 0x18, 0x50, 0x27, 0x08, 0xFA, 0xCC, 0xC7, -+ 0x3F, 0xE4, 0x84, 0x83, 0xA1, 0xB6, 0x1D, 0x23, 0x34, 0xFE, 
0x48, 0xE5, -+ 0xE3, 0xAE, 0x4D, 0x98, 0xBC, 0xA6, 0x8A, 0x9F, 0xFD, 0x4D, 0xDB, 0x9D, -+ 0xF7, 0xEB, 0x4E, 0xB6, 0x6F, 0x25, 0xEA, 0x7A, 0xE9, 0x85, 0xB2, 0xEF, -+ 0x90, 0xD2, 0xA6, 0x2B - }; - - static const unsigned char kat_RSA_PSS_SHA512[] = { -- 0x07, 0x1E, 0xD8, 0xD5, 0x05, 0xE8, 0xE6, 0xE6, 0x57, 0xAE, 0x63, 0x8C, -- 0xC6, 0x83, 0xB7, 0xA0, 0x59, 0xBB, 0xF2, 0xC6, 0x8F, 0x12, 0x53, 0x9A, -- 0x9B, 0x54, 0x9E, 0xB3, 0xC1, 0x1D, 0x23, 0x4D, 0x51, 0xED, 0x9E, 0xDD, -- 0x4B, 0xF3, 0x46, 0x9B, 0x6B, 0xF6, 0x7C, 0x24, 0x60, 0x79, 0x23, 0x39, -- 0x01, 0x1C, 0x51, 0xCB, 0xD8, 0xE9, 0x9A, 0x01, 0x67, 0x5F, 0xFE, 0xD7, -- 0x7C, 0xE3, 0x7F, 0xED, 0xDB, 0x87, 0xBB, 0xF0, 0x3D, 0x78, 0x55, 0x61, -- 0x57, 0xE3, 0x0F, 0xE3, 0xD2, 0x9D, 0x0C, 0x2A, 0x20, 0xB0, 0x85, 0x13, -- 0xC5, 0x47, 0x34, 0x0D, 0x32, 0x15, 0xC8, 0xAE, 0x9A, 0x6A, 0x39, 0x63, -- 0x2D, 0x60, 0xF5, 0x4C, 0xDF, 0x8A, 0x48, 0x4B, 0xBF, 0xF4, 0xA8, 0xFE, -- 0x76, 0xF2, 0x32, 0x1B, 0x9C, 0x7C, 0xCA, 0xFE, 0x7F, 0x80, 0xC2, 0x88, -- 0x5C, 0x97, 0x70, 0xB4, 0x26, 0xC9, 0x14, 0x8B -+ 0x3F, 0x83, 0x43, 0x78, 0x25, 0xBE, 0x81, 0xB2, 0x6E, 0x78, 0x11, 0x32, -+ 0xD0, 0x88, 0x05, 0x53, 0x95, 0xED, 0x81, 0x12, 0xCE, 0x50, 0xD9, 0x06, -+ 0x42, 0x89, 0xA0, 0x55, 0x7A, 0x05, 0x13, 0x94, 0x35, 0x9B, 0xCA, 0x5D, -+ 0xCB, 0xB2, 0x32, 0xE1, 0x04, 0x99, 0xEC, 0xE7, 0xA6, 0x69, 0x4D, 0x2B, -+ 0xC1, 0x57, 0x13, 0x48, 0x0D, 0x6B, 0x4D, 0x83, 0x28, 0x06, 0x79, 0x9D, -+ 0xB4, 0x70, 0xCE, 0xC0, 0xFC, 0x3B, 0x69, 0xB3, 0x91, 0x54, 0xA9, 0x44, -+ 0x2E, 0xDA, 0x4A, 0xC5, 0xC2, 0x99, 0xF0, 0xDE, 0xCA, 0x77, 0x99, 0x6B, -+ 0x0C, 0x79, 0xE5, 0x29, 0x74, 0x83, 0x69, 0xEA, 0xB8, 0x72, 0x30, 0x3D, -+ 0x7A, 0x30, 0xE1, 0x03, 0x7B, 0x09, 0xE6, 0x11, 0xC0, 0xDC, 0xFF, 0xFD, -+ 0xBD, 0xEC, 0x9C, 0xCC, 0x46, 0x7B, 0x4C, 0x4C, 0x59, 0xBE, 0x82, 0x7C, -+ 0xF5, 0x60, 0x5A, 0xC3, 0xE8, 0xA8, 0x8A, 0x38, 0x9E, 0x01, 0x57, 0xF1, -+ 0x79, 0x3A, 0x7C, 0xA3, 0x9F, 0x12, 0x1A, 0x4F, 0x2E, 0xA2, 0xE5, 0x0A, -+ 0xAB, 0xC0, 0xF4, 0xA5, 0xE3, 0x5F, 0x89, 0x1C, 
0x8F, 0xA4, 0x5E, 0xCE, -+ 0x0D, 0x91, 0x05, 0x1B, 0x17, 0x62, 0x48, 0xFE, 0xA5, 0x4C, 0xEF, 0x2D, -+ 0x28, 0xF1, 0x5E, 0xE6, 0xD1, 0x30, 0x89, 0x0A, 0xAD, 0x18, 0xAF, 0x6F, -+ 0x04, 0x09, 0x36, 0x9A, 0xFF, 0xCA, 0xA1, 0xA7, 0x05, 0x7F, 0xD4, 0xBF, -+ 0x3A, 0xB5, 0x42, 0x6D, 0xE9, 0x07, 0x29, 0x65, 0x8B, 0xAD, 0x4D, 0x0F, -+ 0x22, 0xE1, 0x59, 0x43, 0x68, 0x87, 0xA8, 0x8B, 0xBC, 0x69, 0xA1, 0x94, -+ 0x22, 0x3E, 0x8A, 0x49, 0xE8, 0xA3, 0x6F, 0xC2, 0x93, 0x58, 0xE7, 0xAE, -+ 0xC9, 0x1F, 0xCF, 0x61, 0x93, 0xFC, 0xC1, 0xF6, 0xF3, 0x27, 0x7F, 0x0A, -+ 0x90, 0xE0, 0x65, 0x32, 0x57, 0x47, 0xE2, 0xED, 0x08, 0x59, 0xA6, 0xF0, -+ 0x17, 0x2C, 0x13, 0xE0 - }; - - static const unsigned char kat_RSA_SHA1[] = { -- 0x71, 0xEE, 0x1A, 0xC0, 0xFE, 0x01, 0x93, 0x54, 0x79, 0x5C, 0xF2, 0x4C, -- 0x4A, 0xFD, 0x1A, 0x05, 0x8F, 0x64, 0xB1, 0x6D, 0x61, 0x33, 0x8D, 0x9B, -- 0xE7, 0xFD, 0x60, 0xA3, 0x83, 0xB5, 0xA3, 0x51, 0x55, 0x77, 0x90, 0xCF, -- 0xDC, 0x22, 0x37, 0x8E, 0xD0, 0xE1, 0xAE, 0x09, 0xE3, 0x3D, 0x1E, 0xF8, -- 0x80, 0xD1, 0x8B, 0xC2, 0xEC, 0x0A, 0xD7, 0x6B, 0x88, 0x8B, 0x8B, 0xA1, -- 0x20, 0x22, 0xBE, 0x59, 0x5B, 0xE0, 0x23, 0x24, 0xA1, 0x49, 0x30, 0xBA, -- 0xA9, 0x9E, 0xE8, 0xB1, 0x8A, 0x62, 0x16, 0xBF, 0x4E, 0xCA, 0x2E, 0x4E, -- 0xBC, 0x29, 0xA8, 0x67, 0x13, 0xB7, 0x9F, 0x1D, 0x04, 0x44, 0xE5, 0x5F, -- 0x35, 0x07, 0x11, 0xBC, 0xED, 0x19, 0x37, 0x21, 0xCF, 0x23, 0x48, 0x1F, -- 0x72, 0x05, 0xDE, 0xE6, 0xE8, 0x7F, 0x33, 0x8A, 0x76, 0x4B, 0x2F, 0x95, -- 0xDF, 0xF1, 0x5F, 0x84, 0x80, 0xD9, 0x46, 0xB4 -+ 0x3B, 0x60, 0x4B, 0xFC, 0x54, 0x28, 0x23, 0xE6, 0x2F, 0x05, 0x04, 0xBA, -+ 0x9D, 0xE4, 0x3C, 0xB8, 0x5B, 0x60, 0x5C, 0xCD, 0x9D, 0xEA, 0xC3, 0x4C, -+ 0xC2, 0x33, 0xE6, 0xC6, 0x21, 0x48, 0x76, 0xEC, 0xB2, 0xF5, 0x11, 0xDE, -+ 0x44, 0xB4, 0xAF, 0x16, 0x11, 0xC3, 0x18, 0x16, 0xB3, 0x69, 0xBB, 0x94, -+ 0xED, 0xE8, 0xB3, 0x9E, 0xB1, 0x43, 0x8E, 0xCE, 0xB4, 0x34, 0x9B, 0x08, -+ 0x22, 0xAF, 0x31, 0x73, 0xB5, 0xFA, 0x11, 0x7E, 0x8F, 0x13, 0x52, 0xEC, -+ 0xC9, 0x03, 0xEE, 0x0D, 0x2B, 0x91, 0x32, 
0xF2, 0x8E, 0xDF, 0x02, 0xE0, -+ 0x0A, 0x47, 0xD2, 0x0A, 0x51, 0x00, 0x1A, 0x30, 0x6F, 0x0C, 0xB3, 0x54, -+ 0x64, 0x20, 0x90, 0x0C, 0x01, 0xBE, 0xC0, 0x42, 0x8C, 0x5D, 0x18, 0x6F, -+ 0x32, 0x75, 0x45, 0x7B, 0x1C, 0x04, 0xA2, 0x9F, 0x84, 0xD7, 0xF5, 0x3A, -+ 0x95, 0xD4, 0xE8, 0x8D, 0xEC, 0x99, 0xEF, 0x18, 0x5E, 0x64, 0xD3, 0xAF, -+ 0xF8, 0xD4, 0xFF, 0x3C, 0x87, 0xA0, 0x3F, 0xC7, 0x22, 0x05, 0xFD, 0xFD, -+ 0x29, 0x8A, 0x28, 0xDA, 0xA9, 0x8A, 0x8B, 0x23, 0x62, 0x9D, 0x42, 0xB8, -+ 0x4A, 0x76, 0x0D, 0x9F, 0x9A, 0xE0, 0xE6, 0xDD, 0xAD, 0x5E, 0x5F, 0xD5, -+ 0x32, 0xE9, 0x4B, 0x97, 0x7D, 0x62, 0x0A, 0xB3, 0xBE, 0xF2, 0x8C, 0x1F, -+ 0x2B, 0x22, 0x06, 0x15, 0x33, 0x71, 0xED, 0x9B, 0xA0, 0x82, 0xCE, 0xBF, -+ 0x3B, 0x08, 0x5F, 0xA7, 0x20, 0x94, 0x09, 0xEB, 0x82, 0xA5, 0x41, 0x60, -+ 0xF1, 0x08, 0xEB, 0x8D, 0xCC, 0x8D, 0xC9, 0x52, 0x0A, 0xAF, 0xF4, 0xF9, -+ 0x9F, 0x82, 0xD8, 0x0B, 0x75, 0x5E, 0xE4, 0xAF, 0x65, 0x96, 0xAF, 0xFC, -+ 0x33, 0xBF, 0x9F, 0x3E, 0xA4, 0x7B, 0x86, 0xC7, 0xF7, 0x47, 0xAB, 0x37, -+ 0x05, 0xD6, 0x0D, 0x31, 0x72, 0x8C, 0x80, 0x1E, 0xA9, 0x54, 0xFC, 0xDF, -+ 0x27, 0x90, 0xE2, 0x01 - }; - - static const unsigned char kat_RSA_SHA224[] = { -- 0x62, 0xAA, 0x79, 0xA9, 0x18, 0x0E, 0x5F, 0x8C, 0xBB, 0xB7, 0x15, 0xF9, -- 0x25, 0xBB, 0xFA, 0xD4, 0x3A, 0x34, 0xED, 0x9E, 0xA0, 0xA9, 0x18, 0x8D, -- 0x5B, 0x55, 0x9A, 0x7E, 0x1E, 0x08, 0x08, 0x60, 0xC5, 0x1A, 0xC5, 0x89, -- 0x08, 0xE2, 0x1B, 0xBD, 0x62, 0x50, 0x17, 0x76, 0x30, 0x2C, 0x9E, 0xCD, -- 0xA4, 0x02, 0xAD, 0xB1, 0x6D, 0x44, 0x6D, 0xD5, 0xC6, 0x45, 0x41, 0xE5, -- 0xEE, 0x1F, 0x8D, 0x7E, 0x08, 0x16, 0xA6, 0xE1, 0x5E, 0x0B, 0xA9, 0xCC, -- 0xDB, 0x59, 0x55, 0x87, 0x09, 0x25, 0x70, 0x86, 0x84, 0x02, 0xC6, 0x3B, -- 0x0B, 0x44, 0x4C, 0x46, 0x95, 0xF4, 0xF8, 0x5A, 0x91, 0x28, 0x3E, 0xB2, -- 0x58, 0x2E, 0x06, 0x45, 0x49, 0xE0, 0x92, 0xE2, 0xC0, 0x66, 0xE6, 0x35, -- 0xD9, 0x79, 0x7F, 0x17, 0x5E, 0x02, 0x73, 0x04, 0x77, 0x82, 0xE6, 0xDC, -- 0x40, 0x21, 0x89, 0x8B, 0x37, 0x3E, 0x1E, 0x8D -+ 0xA2, 0xD8, 0x42, 0x53, 0xDD, 
0xBF, 0x1F, 0x6B, 0x07, 0xE0, 0x60, 0x86, -+ 0x5A, 0x60, 0x06, 0x8F, 0x44, 0xD9, 0xB0, 0x4A, 0xAA, 0x90, 0x71, 0xB8, -+ 0xB2, 0xBC, 0x30, 0x41, 0x50, 0xBB, 0xFD, 0x46, 0x98, 0x4D, 0xC0, 0x89, -+ 0x57, 0x85, 0x8A, 0x97, 0x49, 0x25, 0xA8, 0x0C, 0x69, 0x70, 0x19, 0x39, -+ 0x66, 0x24, 0xB4, 0x69, 0x47, 0xD2, 0x7C, 0xDE, 0x2D, 0x37, 0x59, 0xB3, -+ 0xE3, 0xC7, 0x6B, 0xDD, 0xBE, 0xE1, 0xE6, 0x28, 0x9A, 0x8D, 0x42, 0x3E, -+ 0x28, 0x01, 0xD7, 0x03, 0xC9, 0x73, 0xC3, 0x6B, 0x03, 0xEC, 0x1E, 0xF8, -+ 0x53, 0x8B, 0x52, 0x42, 0x89, 0x55, 0xB7, 0x87, 0xA9, 0x94, 0xC2, 0xB4, -+ 0x4B, 0x76, 0xF5, 0x61, 0x47, 0xE1, 0x44, 0x7B, 0xEC, 0xB4, 0x25, 0x66, -+ 0xC0, 0xFF, 0xEB, 0x86, 0x24, 0xAA, 0xA8, 0x72, 0xC7, 0xFB, 0xFB, 0xF6, -+ 0x84, 0xA7, 0x5B, 0xD4, 0x87, 0xE5, 0x84, 0x56, 0x1E, 0x4C, 0xE5, 0xBC, -+ 0x87, 0x94, 0xAC, 0x9C, 0x1B, 0x3D, 0xF7, 0xD4, 0x36, 0x85, 0x9F, 0xC9, -+ 0xF6, 0x43, 0x3F, 0xB6, 0x25, 0x33, 0x48, 0x0F, 0xE5, 0x7C, 0xCD, 0x53, -+ 0x48, 0xEB, 0x02, 0x11, 0xB9, 0x9E, 0xC3, 0xB4, 0xE1, 0x54, 0xD6, 0xAA, -+ 0x1A, 0x9E, 0x10, 0xE1, 0x27, 0x25, 0xF2, 0xE1, 0xAB, 0xAB, 0x6C, 0x45, -+ 0x61, 0xD5, 0xA3, 0x6C, 0xB6, 0x33, 0x52, 0xAE, 0x3D, 0xFD, 0x22, 0xFC, -+ 0x3A, 0xAB, 0x63, 0x94, 0xB5, 0x3A, 0x69, 0x11, 0xAC, 0x99, 0x4F, 0x33, -+ 0x67, 0x0A, 0x1A, 0x70, 0x1E, 0xB9, 0xE2, 0x26, 0x27, 0x68, 0xEA, 0xF5, -+ 0x97, 0x55, 0xAC, 0x83, 0x6A, 0x40, 0x3B, 0x56, 0xAE, 0x13, 0x88, 0xE8, -+ 0x98, 0x72, 0x52, 0x91, 0x7F, 0x78, 0x0A, 0x18, 0xD4, 0x44, 0x78, 0x83, -+ 0x0D, 0x44, 0x77, 0xA6, 0xF3, 0x04, 0xF1, 0x8C, 0xBC, 0x2F, 0xF9, 0x5B, -+ 0xDB, 0x70, 0x00, 0xF6 - }; - - static const unsigned char kat_RSA_SHA256[] = { -- 0x0D, 0x55, 0xE2, 0xAA, 0x81, 0xDB, 0x8E, 0x82, 0x05, 0x17, 0xA5, 0x23, -- 0xE7, 0x3B, 0x1D, 0xAF, 0xFB, 0x8C, 0xD0, 0x81, 0x20, 0x7B, 0xAA, 0x23, -- 0x92, 0x87, 0x8C, 0xD1, 0x53, 0x85, 0x16, 0xDC, 0xBE, 0xAD, 0x6F, 0x35, -- 0x98, 0x2D, 0x69, 0x84, 0xBF, 0xD9, 0x8A, 0x01, 0x17, 0x58, 0xB2, 0x6E, -- 0x2C, 0x44, 0x9B, 0x90, 0xF1, 0xFB, 0x51, 0xE8, 0x6A, 0x90, 0x2D, 0x18, 
-- 0x0E, 0xC0, 0x90, 0x10, 0x24, 0xA9, 0x1D, 0xB3, 0x58, 0x7A, 0x91, 0x30, -- 0xBE, 0x22, 0xC7, 0xD3, 0xEC, 0xC3, 0x09, 0x5D, 0xBF, 0xE2, 0x80, 0x3A, -- 0x7C, 0x85, 0xB4, 0xBC, 0xD1, 0xE9, 0xF0, 0x5C, 0xDE, 0x81, 0xA6, 0x38, -- 0xB8, 0x42, 0xBB, 0x86, 0xC5, 0x9D, 0xCE, 0x7C, 0x2C, 0xEE, 0xD1, 0xDA, -- 0x27, 0x48, 0x2B, 0xF5, 0xAB, 0xB9, 0xF7, 0x80, 0xD1, 0x90, 0x27, 0x90, -- 0xBD, 0x44, 0x97, 0x60, 0xCD, 0x57, 0xC0, 0x7A -+ 0xC2, 0xB1, 0x97, 0x00, 0x9A, 0xE5, 0x80, 0x6A, 0xE2, 0x51, 0x68, 0xB9, -+ 0x7A, 0x0C, 0xF2, 0xB4, 0x77, 0xED, 0x15, 0x0C, 0x4E, 0xE1, 0xDC, 0xFF, -+ 0x8E, 0xBC, 0xDE, 0xC7, 0x9A, 0x96, 0xF1, 0x47, 0x45, 0x24, 0x9D, 0x6F, -+ 0xA6, 0xF3, 0x1D, 0x0D, 0x35, 0x4C, 0x1A, 0xF3, 0x58, 0x2C, 0x6C, 0x06, -+ 0xD6, 0x22, 0x37, 0x77, 0x8C, 0x33, 0xE5, 0x07, 0x53, 0x93, 0x28, 0xCF, -+ 0x67, 0xFA, 0xC4, 0x1F, 0x1B, 0x24, 0xDB, 0x4C, 0xC5, 0x2A, 0x51, 0xA2, -+ 0x60, 0x15, 0x8C, 0x54, 0xB4, 0x30, 0xE2, 0x24, 0x47, 0x86, 0xF2, 0xF8, -+ 0x6C, 0xD6, 0x12, 0x59, 0x2C, 0x74, 0x9A, 0x37, 0xF3, 0xC4, 0xA2, 0xD5, -+ 0x4E, 0x1F, 0x77, 0xF0, 0x27, 0xCE, 0x77, 0xF8, 0x4A, 0x79, 0x03, 0xBE, -+ 0xC8, 0x06, 0x2D, 0xA7, 0xA6, 0x46, 0xF5, 0x55, 0x79, 0xD7, 0x5C, 0xC6, -+ 0x5B, 0xB1, 0x00, 0x4E, 0x7C, 0xD9, 0x11, 0x85, 0xE0, 0xB1, 0x4D, 0x2D, -+ 0x13, 0xD7, 0xAC, 0xEA, 0x64, 0xD1, 0xAC, 0x8F, 0x8D, 0x8F, 0xEA, 0x42, -+ 0x7F, 0xF9, 0xB7, 0x7D, 0x2C, 0x68, 0x49, 0x07, 0x7A, 0x74, 0xEF, 0xB4, -+ 0xC9, 0x97, 0x16, 0x5C, 0x6C, 0x6E, 0x5C, 0x09, 0x2E, 0x8E, 0x13, 0x2E, -+ 0x1A, 0x8D, 0xA6, 0x0C, 0x6E, 0x0C, 0x1C, 0x0F, 0xCC, 0xB2, 0x78, 0x8A, -+ 0x07, 0xFC, 0x5C, 0xC2, 0xF5, 0x65, 0xEC, 0xAB, 0x8B, 0x3C, 0xCA, 0x91, -+ 0x6F, 0x84, 0x7C, 0x21, 0x0E, 0xB8, 0xDA, 0x7B, 0x6C, 0xF7, 0xDF, 0xAB, -+ 0x7E, 0x15, 0xFD, 0x85, 0x0B, 0x33, 0x9B, 0x6A, 0x3A, 0xC3, 0xEF, 0x65, -+ 0x04, 0x6E, 0xB2, 0xAC, 0x98, 0xFD, 0xEB, 0x02, 0xF5, 0xC0, 0x0B, 0x5E, -+ 0xCB, 0xD4, 0x83, 0x82, 0x18, 0x1B, 0xDA, 0xB4, 0xCD, 0xE8, 0x71, 0x6B, -+ 0x1D, 0xB5, 0x4F, 0xE9, 0xD6, 0x43, 0xA0, 0x0A, 0x14, 0xA0, 0xE7, 0x5D, 
-+ 0x47, 0x9D, 0x18, 0xD7 - }; - - static const unsigned char kat_RSA_SHA384[] = { -- 0x1D, 0xE3, 0x6A, 0xDD, 0x27, 0x4C, 0xC0, 0xA5, 0x27, 0xEF, 0xE6, 0x1F, -- 0xD2, 0x91, 0x68, 0x59, 0x04, 0xAE, 0xBD, 0x99, 0x63, 0x56, 0x47, 0xC7, -- 0x6F, 0x22, 0x16, 0x48, 0xD0, 0xF9, 0x18, 0xA9, 0xCA, 0xFA, 0x5D, 0x5C, -- 0xA7, 0x65, 0x52, 0x8A, 0xC8, 0x44, 0x7E, 0x86, 0x5D, 0xA9, 0xA6, 0x55, -- 0x65, 0x3E, 0xD9, 0x2D, 0x02, 0x38, 0xA8, 0x79, 0x28, 0x7F, 0xB6, 0xCF, -- 0x82, 0xDD, 0x7E, 0x55, 0xE1, 0xB1, 0xBC, 0xE2, 0x19, 0x2B, 0x30, 0xC2, -- 0x1B, 0x2B, 0xB0, 0x82, 0x46, 0xAC, 0x4B, 0xD1, 0xE2, 0x7D, 0xEB, 0x8C, -- 0xFF, 0x95, 0xE9, 0x6A, 0x1C, 0x3D, 0x4D, 0xBF, 0x8F, 0x8B, 0x9C, 0xCD, -- 0xEA, 0x85, 0xEE, 0x00, 0xDC, 0x1C, 0xA7, 0xEB, 0xD0, 0x8F, 0x99, 0xF1, -- 0x16, 0x28, 0x24, 0x64, 0x04, 0x39, 0x2D, 0x58, 0x1E, 0x37, 0xDC, 0x04, -- 0xBD, 0x31, 0xA2, 0x2F, 0xB3, 0x35, 0x56, 0xBF -+ 0x11, 0x5E, 0x63, 0xFE, 0x47, 0xAA, 0x6A, 0x84, 0xEB, 0x44, 0x9A, 0x00, -+ 0x96, 0x4A, 0xED, 0xD2, 0xA7, 0x67, 0x3A, 0x64, 0x82, 0x30, 0x61, 0x2D, -+ 0xE3, 0xF5, 0x49, 0x68, 0x5E, 0x60, 0xD2, 0x4D, 0xEF, 0xF2, 0xA4, 0xB2, -+ 0x9A, 0x81, 0x1D, 0x41, 0xA5, 0x73, 0x59, 0xEB, 0xBB, 0xC4, 0x9E, 0x2B, -+ 0xEB, 0xC3, 0xDE, 0x3A, 0xEA, 0xF5, 0xAD, 0xDA, 0x87, 0x08, 0x68, 0xCF, -+ 0x12, 0x9B, 0xC1, 0xE4, 0xA7, 0x71, 0xF8, 0xBD, 0x6B, 0x6F, 0x50, 0xF1, -+ 0xD1, 0xFF, 0xCE, 0x6C, 0xD9, 0xBE, 0xDA, 0x76, 0xF3, 0xEB, 0xAB, 0x9C, -+ 0x41, 0x6E, 0x4F, 0x35, 0x7A, 0x61, 0x27, 0xBC, 0x03, 0x3E, 0xAE, 0x3E, -+ 0x1B, 0xDD, 0xAC, 0xD9, 0x1A, 0xFF, 0xD3, 0xF5, 0x66, 0x43, 0x07, 0x76, -+ 0x8A, 0x69, 0x2D, 0x14, 0xB1, 0xBE, 0x55, 0x49, 0x90, 0x89, 0x4B, 0xC4, -+ 0x11, 0x67, 0xD5, 0x9D, 0xB0, 0xB2, 0xEE, 0x8D, 0x0A, 0x47, 0x4A, 0xD9, -+ 0x0E, 0xD1, 0x24, 0xF0, 0x30, 0x2B, 0xF2, 0x79, 0x47, 0xDB, 0x70, 0xB4, -+ 0x46, 0xF2, 0xF8, 0xB7, 0xB4, 0xF6, 0x34, 0x79, 0xA8, 0x2D, 0x3D, 0x56, -+ 0xD5, 0x9A, 0x60, 0x7A, 0x04, 0xC7, 0x66, 0x1D, 0xCD, 0x3C, 0xD5, 0x39, -+ 0x37, 0x12, 0x51, 0x5E, 0x9F, 0xF8, 0x1A, 0xAF, 0x13, 0xC1, 
0x13, 0x00, -+ 0x35, 0xD5, 0x8D, 0x17, 0xE3, 0x02, 0x28, 0xD9, 0xEC, 0xDE, 0xD1, 0x2F, -+ 0x93, 0x49, 0x03, 0x11, 0x3E, 0x56, 0x9D, 0xC2, 0x31, 0xF8, 0xAF, 0x2D, -+ 0xD9, 0x99, 0xB7, 0x8A, 0xAC, 0x5A, 0x86, 0x20, 0x3A, 0x83, 0x29, 0x26, -+ 0x9D, 0x03, 0x52, 0x2B, 0x34, 0x56, 0x40, 0x16, 0x53, 0x50, 0x82, 0xC9, -+ 0xC7, 0xD5, 0x51, 0x4C, 0xED, 0xB3, 0xE2, 0xE1, 0xCF, 0xA8, 0xCE, 0xBD, -+ 0xB1, 0x48, 0xA6, 0x8A, 0x79, 0x17, 0x55, 0x11, 0xEF, 0xE8, 0x14, 0xF4, -+ 0x7E, 0x37, 0x1D, 0x96 - }; - - static const unsigned char kat_RSA_SHA512[] = { -- 0x69, 0x52, 0x1B, 0x51, 0x5E, 0x06, 0xCA, 0x9B, 0x16, 0x51, 0x5D, 0xCF, -- 0x49, 0x25, 0x4A, 0xA1, 0x6A, 0x77, 0x4C, 0x36, 0x40, 0xF8, 0xB2, 0x9A, -- 0x15, 0xEA, 0x5C, 0xE5, 0xE6, 0x82, 0xE0, 0x86, 0x82, 0x6B, 0x32, 0xF1, -- 0x04, 0xC1, 0x5A, 0x1A, 0xED, 0x1E, 0x9A, 0xB6, 0x4C, 0x54, 0x9F, 0xD8, -- 0x8D, 0xCC, 0xAC, 0x8A, 0xBB, 0x9C, 0x82, 0x3F, 0xA6, 0x53, 0x62, 0xB5, -- 0x80, 0xE2, 0xBC, 0xDD, 0x67, 0x2B, 0xD9, 0x3F, 0xE4, 0x75, 0x92, 0x6B, -- 0xAF, 0x62, 0x7C, 0x52, 0xF0, 0xEE, 0x33, 0xDF, 0x1B, 0x1D, 0x47, 0xE6, -- 0x59, 0x56, 0xA5, 0xB9, 0x5C, 0xE6, 0x77, 0x78, 0x16, 0x63, 0x84, 0x05, -- 0x6F, 0x0E, 0x2B, 0x31, 0x9D, 0xF7, 0x7F, 0xB2, 0x64, 0x71, 0xE0, 0x2D, -- 0x3E, 0x62, 0xCE, 0xB5, 0x3F, 0x88, 0xDF, 0x2D, 0xAB, 0x98, 0x65, 0x91, -- 0xDF, 0x70, 0x14, 0xA5, 0x3F, 0x36, 0xAB, 0x84 -+ 0x35, 0x6D, 0xF1, 0x9E, 0xCF, 0xB1, 0xF6, 0x0C, 0x04, 0x21, 0x17, 0xB3, -+ 0xC4, 0x9D, 0xFE, 0x62, 0x1C, 0x1A, 0x45, 0x00, 0x2E, 0x6B, 0xB6, 0x9F, -+ 0x5C, 0xB1, 0xCB, 0xCF, 0xF9, 0x67, 0xEA, 0x62, 0x8A, 0xEB, 0x77, 0x02, -+ 0x42, 0x30, 0x88, 0xB1, 0x48, 0xDF, 0x12, 0x60, 0x6E, 0x92, 0xBB, 0x4B, -+ 0x09, 0x68, 0xD1, 0x70, 0x2B, 0x59, 0xEE, 0x57, 0x96, 0xF9, 0xEA, 0xA3, -+ 0x4C, 0xE9, 0xC9, 0xBD, 0x25, 0x34, 0x66, 0x15, 0x6C, 0xC9, 0x81, 0xD1, -+ 0x48, 0x0F, 0x33, 0x5F, 0x05, 0x4F, 0xC2, 0xC4, 0xDD, 0x09, 0x54, 0x79, -+ 0xA1, 0x57, 0x07, 0x70, 0xA0, 0x33, 0x02, 0x4D, 0x5D, 0xE9, 0x24, 0xD1, -+ 0xEF, 0xF0, 0x61, 0xD0, 0x1D, 0x41, 0xE2, 0x9B, 
0x2B, 0x7C, 0xD0, 0x4E, -+ 0x55, 0xD9, 0x6D, 0xA1, 0x16, 0x9F, 0xDA, 0xC3, 0x3B, 0xF1, 0x74, 0xD1, -+ 0x99, 0xF1, 0x63, 0x57, 0xAD, 0xC7, 0x55, 0xF4, 0x97, 0x43, 0x1C, 0xED, -+ 0x1B, 0x7A, 0x32, 0xCB, 0x24, 0xA6, 0x3D, 0x93, 0x37, 0x90, 0x74, 0xEE, -+ 0xD2, 0x8D, 0x4B, 0xBC, 0x72, 0xDA, 0x25, 0x2B, 0x64, 0xE9, 0xCA, 0x69, -+ 0x36, 0xB6, 0xEC, 0x6E, 0x8F, 0x33, 0x0E, 0x74, 0x40, 0x48, 0x51, 0xE2, -+ 0x54, 0x6F, 0xAF, 0x6E, 0x36, 0x54, 0x3A, 0xEC, 0x78, 0x37, 0xE6, 0x1F, -+ 0x76, 0xA5, 0x4D, 0xA6, 0xD9, 0xB3, 0x6B, 0x17, 0x6D, 0x61, 0xFC, 0xA3, -+ 0x85, 0x4A, 0xCC, 0xDA, 0x52, 0xAC, 0x5B, 0xDA, 0x51, 0xE5, 0x7F, 0x5B, -+ 0x52, 0x8B, 0x74, 0x75, 0x99, 0x5C, 0x01, 0xFD, 0x25, 0x3E, 0xCD, 0x86, -+ 0x6F, 0x7A, 0xC0, 0xD8, 0x17, 0x6F, 0xD1, 0xD2, 0x6B, 0xAB, 0x14, 0x1F, -+ 0x3B, 0xB8, 0x15, 0x05, 0x86, 0x40, 0x36, 0xCF, 0xDA, 0x59, 0x2B, 0x9A, -+ 0xE9, 0x1E, 0x6E, 0xD3, 0x6B, 0xA1, 0x19, 0xC5, 0xE6, 0x3F, 0xE9, 0x2E, -+ 0x43, 0xA8, 0x34, 0x0A - }; - --static const unsigned char kat_RSA_X931_SHA1[] = { -- 0x86, 0xB4, 0x18, 0xBA, 0xD1, 0x80, 0xB6, 0x7C, 0x42, 0x45, 0x4D, 0xDF, -- 0xE9, 0x2D, 0xE1, 0x83, 0x5F, 0xB5, 0x2F, 0xC9, 0xCD, 0xC4, 0xB2, 0x75, -- 0x80, 0xA4, 0xF1, 0x4A, 0xE7, 0x83, 0x12, 0x1E, 0x1E, 0x14, 0xB8, 0xAC, -- 0x35, 0xE2, 0xAA, 0x0B, 0x5C, 0xF8, 0x38, 0x4D, 0x04, 0xEE, 0xA9, 0x97, -- 0x70, 0xFB, 0x5E, 0xE7, 0xB7, 0xE3, 0x62, 0x23, 0x4B, 0x38, 0xBE, 0xD6, -- 0x53, 0x15, 0xF7, 0xDF, 0x87, 0xB4, 0x0E, 0xCC, 0xB1, 0x1A, 0x11, 0x19, -- 0xEE, 0x51, 0xCC, 0x92, 0xDD, 0xBC, 0x63, 0x29, 0x63, 0x0C, 0x59, 0xD7, -- 0x6F, 0x4C, 0x3C, 0x37, 0x5B, 0x37, 0x03, 0x61, 0x7D, 0x24, 0x1C, 0x99, -- 0x48, 0xAF, 0x82, 0xFE, 0x32, 0x41, 0x9B, 0xB2, 0xDB, 0xEA, 0xED, 0x76, -- 0x8E, 0x6E, 0xCA, 0x7E, 0x4E, 0x14, 0xBA, 0x30, 0x84, 0x1C, 0xB3, 0x67, -- 0xA3, 0x29, 0x80, 0x70, 0x54, 0x68, 0x7D, 0x49 --}; -+static int fips_rsa_encrypt_test(RSA *rsa, const unsigned char *plaintext, -+ int ptlen) -+{ -+ unsigned char *ctbuf = NULL, *ptbuf = NULL; -+ int ret = 0; -+ int len; - --static 
const unsigned char kat_RSA_X931_SHA256[] = { -- 0x7E, 0xA2, 0x77, 0xFE, 0xB8, 0x54, 0x8A, 0xC7, 0x7F, 0x64, 0x54, 0x89, -- 0xE5, 0x52, 0x15, 0x8E, 0x52, 0x96, 0x4E, 0xA6, 0x58, 0x92, 0x1C, 0xDD, -- 0xEA, 0xA2, 0x2D, 0x5C, 0xD1, 0x62, 0x00, 0x49, 0x05, 0x95, 0x73, 0xCF, -- 0x16, 0x76, 0x68, 0xF6, 0xC6, 0x5E, 0x80, 0xB8, 0xB8, 0x7B, 0xC8, 0x9B, -- 0xC6, 0x53, 0x88, 0x26, 0x20, 0x88, 0x73, 0xB6, 0x13, 0xB8, 0xF0, 0x4B, -- 0x00, 0x85, 0xF3, 0xDD, 0x07, 0x50, 0xEB, 0x20, 0xC4, 0x38, 0x0E, 0x98, -- 0xAD, 0x4E, 0x49, 0x2C, 0xD7, 0x65, 0xA5, 0x19, 0x0E, 0x59, 0x01, 0xEC, -- 0x7E, 0x75, 0x89, 0x69, 0x2E, 0x63, 0x76, 0x85, 0x46, 0x8D, 0xA0, 0x8C, -- 0x33, 0x1D, 0x82, 0x8C, 0x03, 0xEA, 0x69, 0x88, 0x35, 0xA1, 0x42, 0xBD, -- 0x21, 0xED, 0x8D, 0xBC, 0xBC, 0xDB, 0x30, 0xFF, 0x86, 0xF0, 0x5B, 0xDC, -- 0xE3, 0xE2, 0xE8, 0x0A, 0x0A, 0x29, 0x94, 0x80 --}; -+ ctbuf = OPENSSL_malloc(RSA_size(rsa)); -+ if (!ctbuf) -+ goto err; - --static const unsigned char kat_RSA_X931_SHA384[] = { -- 0x5C, 0x7D, 0x96, 0x35, 0xEC, 0x7E, 0x11, 0x38, 0xBB, 0x7B, 0xEC, 0x7B, -- 0xF2, 0x82, 0x8E, 0x99, 0xBD, 0xEF, 0xD8, 0xAE, 0xD7, 0x39, 0x37, 0xCB, -- 0xE6, 0x4F, 0x5E, 0x0A, 0x13, 0xE4, 0x2E, 0x40, 0xB9, 0xBE, 0x2E, 0xE3, -- 0xEF, 0x78, 0x83, 0x18, 0x44, 0x35, 0x9C, 0x8E, 0xD7, 0x4A, 0x63, 0xF6, -- 0x57, 0xC2, 0xB0, 0x08, 0x51, 0x73, 0xCF, 0xCA, 0x99, 0x66, 0xEE, 0x31, -- 0xD8, 0x69, 0xE9, 0xAB, 0x13, 0x27, 0x7B, 0x41, 0x1E, 0x6D, 0x8D, 0xF1, -- 0x3E, 0x9C, 0x35, 0x95, 0x58, 0xDD, 0x2B, 0xD5, 0xA0, 0x60, 0x41, 0x79, -- 0x24, 0x22, 0xE4, 0xB7, 0xBF, 0x47, 0x53, 0xF6, 0x34, 0xD5, 0x7C, 0xFF, -- 0x0E, 0x09, 0xEE, 0x2E, 0xE2, 0x37, 0xB9, 0xDE, 0xC5, 0x12, 0x44, 0x35, -- 0xEF, 0x01, 0xE6, 0x5E, 0x39, 0x31, 0x2D, 0x71, 0xA5, 0xDC, 0xC6, 0x6D, -- 0xE2, 0xCD, 0x85, 0xDB, 0x73, 0x82, 0x65, 0x28 --}; -+ len = RSA_public_encrypt(ptlen, plaintext, ctbuf, rsa, RSA_PKCS1_PADDING); -+ if (len <= 0) -+ goto err; -+ /* Check ciphertext doesn't match plaintext */ -+ if (len >= ptlen && !memcmp(plaintext, ctbuf, ptlen)) 
-+ goto err; - --static const unsigned char kat_RSA_X931_SHA512[] = { -- 0xA6, 0x65, 0xA2, 0x77, 0x4F, 0xB3, 0x86, 0xCB, 0x64, 0x3A, 0xC1, 0x63, -- 0xFC, 0xA1, 0xAA, 0xCB, 0x9B, 0x79, 0xDD, 0x4B, 0xE1, 0xD9, 0xDA, 0xAC, -- 0xE7, 0x47, 0x09, 0xB2, 0x11, 0x4B, 0x8A, 0xAA, 0x05, 0x9E, 0x77, 0xD7, -- 0x3A, 0xBD, 0x5E, 0x53, 0x09, 0x4A, 0xE6, 0x0F, 0x5E, 0xF9, 0x14, 0x28, -- 0xA0, 0x99, 0x74, 0x64, 0x70, 0x4E, 0xF2, 0xE3, 0xFA, 0xC7, 0xF8, 0xC5, -- 0x6E, 0x2B, 0x79, 0x96, 0x0D, 0x0C, 0xC8, 0x10, 0x34, 0x53, 0xD2, 0xAF, -- 0x17, 0x0E, 0xE0, 0xBF, 0x79, 0xF6, 0x04, 0x72, 0x10, 0xE0, 0xF6, 0xD0, -- 0xCE, 0x8A, 0x6F, 0xA1, 0x95, 0x89, 0xBF, 0x58, 0x8F, 0x46, 0x5F, 0x09, -- 0x9F, 0x09, 0xCA, 0x84, 0x15, 0x85, 0xE0, 0xED, 0x04, 0x2D, 0xFB, 0x7C, -- 0x36, 0x35, 0x21, 0x31, 0xC3, 0xFD, 0x92, 0x42, 0x11, 0x30, 0x71, 0x1B, -- 0x60, 0x83, 0x18, 0x88, 0xA3, 0xF5, 0x59, 0xC3 --}; -+ ptbuf = OPENSSL_malloc(RSA_size(rsa)); -+ if (!ptbuf) -+ goto err; -+ -+ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING); -+ if (len != ptlen) -+ goto err; -+ if (memcmp(ptbuf, plaintext, len)) -+ goto err; -+ -+ ret = 1; -+ -+ err: -+ if (ctbuf) -+ OPENSSL_free(ctbuf); -+ if (ptbuf) -+ OPENSSL_free(ptbuf); -+ return ret; -+} - - int FIPS_selftest_rsa() - { -@@ -352,7 +483,7 @@ int FIPS_selftest_rsa() - if ((pk = EVP_PKEY_new()) == NULL) - goto err; - -- EVP_PKEY_assign_RSA(pk, key); -+ EVP_PKEY_set1_RSA(pk, key); - - if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, - kat_RSA_SHA1, sizeof(kat_RSA_SHA1), -@@ -406,29 +537,7 @@ int FIPS_selftest_rsa() - EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA512 PSS")) - goto err; - -- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -- kat_RSA_X931_SHA1, -- sizeof(kat_RSA_X931_SHA1), EVP_sha1(), -- EVP_MD_CTX_FLAG_PAD_X931, "RSA SHA1 X931")) -- goto err; -- /* NB: SHA224 not supported in X9.31 */ -- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -- kat_RSA_X931_SHA256, -- sizeof(kat_RSA_X931_SHA256), 
EVP_sha256(), -- EVP_MD_CTX_FLAG_PAD_X931, -- "RSA SHA256 X931")) -- goto err; -- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -- kat_RSA_X931_SHA384, -- sizeof(kat_RSA_X931_SHA384), EVP_sha384(), -- EVP_MD_CTX_FLAG_PAD_X931, -- "RSA SHA384 X931")) -- goto err; -- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -- kat_RSA_X931_SHA512, -- sizeof(kat_RSA_X931_SHA512), EVP_sha512(), -- EVP_MD_CTX_FLAG_PAD_X931, -- "RSA SHA512 X931")) -+ if (!fips_rsa_encrypt_test(key, kat_tbs, sizeof(kat_tbs) - 1)) - goto err; - - ret = 1; -@@ -436,7 +545,7 @@ int FIPS_selftest_rsa() - err: - if (pk) - EVP_PKEY_free(pk); -- else if (key) -+ if (key) - RSA_free(key); - return ret; - } -diff --git a/crypto/rand/rand_lcl.h b/crypto/rand/rand_lcl.h -index f9fda3e..93b9896 100644 ---- a/crypto/rand/rand_lcl.h -+++ b/crypto/rand/rand_lcl.h -@@ -112,7 +112,7 @@ - #ifndef HEADER_RAND_LCL_H - # define HEADER_RAND_LCL_H - --# define ENTROPY_NEEDED 32 /* require 256 bits = 32 bytes of randomness */ -+# define ENTROPY_NEEDED 48 /* require 384 bits = 48 bytes of randomness */ - - # if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND) - # if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) -diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c -index 88a78d3..adf572f 100644 ---- a/crypto/rand/rand_lib.c -+++ b/crypto/rand/rand_lib.c -@@ -236,12 +236,22 @@ static int drbg_rand_add(DRBG_CTX *ctx, const void *in, int inlen, - double entropy) - { - RAND_SSLeay()->add(in, inlen, entropy); -+ if (FIPS_rand_status()) { -+ CRYPTO_w_lock(CRYPTO_LOCK_RAND); -+ FIPS_drbg_reseed(ctx, NULL, 0); -+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND); -+ } - return 1; - } - - static int drbg_rand_seed(DRBG_CTX *ctx, const void *in, int inlen) - { - RAND_SSLeay()->seed(in, inlen); -+ if (FIPS_rand_status()) { -+ CRYPTO_w_lock(CRYPTO_LOCK_RAND); -+ FIPS_drbg_reseed(ctx, NULL, 0); -+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND); -+ } - return 1; 
- } - -diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c -index c6c0a75..675f645 100644 ---- a/crypto/rsa/rsa_gen.c -+++ b/crypto/rsa/rsa_gen.c -@@ -1,5 +1,6 @@ - /* crypto/rsa/rsa_gen.c */ - /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) -+ * Copyright (C) 2013 Red Hat, Inc. - * All rights reserved. - * - * This package is an SSL implementation written -@@ -169,6 +170,259 @@ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) - return rsa_builtin_keygen(rsa, bits, e_value, cb); - } - -+#ifdef OPENSSL_FIPS -+static int FIPS_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, -+ BN_GENCB *cb) -+{ -+ BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp; -+ BIGNUM local_r0, local_d, local_p; -+ BIGNUM *pr0, *d, *p; -+ BN_CTX *ctx = NULL; -+ int ok = -1; -+ int i; -+ int n = 0; -+ int test = 0; -+ int pbits = bits / 2; -+ -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED); -+ return 0; -+ } -+ -+ if ((pbits & 0xFF) -+ || (getenv("OPENSSL_ENFORCE_MODULUS_BITS") && bits != 2048 -+ && bits != 3072)) { -+ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_INVALID_KEY_LENGTH); -+ return 0; -+ } -+ -+ ctx = BN_CTX_new(); -+ if (ctx == NULL) -+ goto err; -+ BN_CTX_start(ctx); -+ r0 = BN_CTX_get(ctx); -+ r1 = BN_CTX_get(ctx); -+ r2 = BN_CTX_get(ctx); -+ r3 = BN_CTX_get(ctx); -+ -+ if (r3 == NULL) -+ goto err; -+ -+ /* We need the RSA components non-NULL */ -+ if (!rsa->n && ((rsa->n = BN_new()) == NULL)) -+ goto err; -+ if (!rsa->d && ((rsa->d = BN_new()) == NULL)) -+ goto err; -+ if (!rsa->e && ((rsa->e = BN_new()) == NULL)) -+ goto err; -+ if (!rsa->p && ((rsa->p = BN_new()) == NULL)) -+ goto err; -+ if (!rsa->q && ((rsa->q = BN_new()) == NULL)) -+ goto err; -+ if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL)) -+ goto err; -+ if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL)) -+ goto err; -+ if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL)) -+ goto err; -+ -+ if (!BN_set_word(r0, 
RSA_F4)) -+ goto err; -+ if (BN_cmp(e_value, r0) < 0 || BN_num_bits(e_value) > 256) { -+ ok = 0; /* we set our own err */ -+ RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_BAD_E_VALUE); -+ goto err; -+ } -+ -+ /* prepare approximate minimum p and q */ -+ if (!BN_set_word(r0, 0xB504F334)) -+ goto err; -+ if (!BN_lshift(r0, r0, pbits - 32)) -+ goto err; -+ -+ /* prepare minimum p and q difference */ -+ if (!BN_one(r3)) -+ goto err; -+ if (!BN_lshift(r3, r3, pbits - 100)) -+ goto err; -+ -+ BN_copy(rsa->e, e_value); -+ -+ if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q)) -+ test = 1; -+ -+ retry: -+ /* generate p and q */ -+ for (i = 0; i < 5 * pbits; i++) { -+ ploop: -+ if (!test) -+ if (!BN_rand(rsa->p, pbits, 0, 1)) -+ goto err; -+ if (BN_cmp(rsa->p, r0) < 0) { -+ if (test) -+ goto err; -+ goto ploop; -+ } -+ -+ if (!BN_sub(r2, rsa->p, BN_value_one())) -+ goto err; -+ if (!BN_gcd(r1, r2, rsa->e, ctx)) -+ goto err; -+ if (BN_is_one(r1)) { -+ int r; -+ r = BN_is_prime_fasttest_ex(rsa->p, pbits > 1024 ? 4 : 5, ctx, 0, -+ cb); -+ if (r == -1 || (test && r <= 0)) -+ goto err; -+ if (r > 0) -+ break; -+ } -+ -+ if (!BN_GENCB_call(cb, 2, n++)) -+ goto err; -+ } -+ -+ if (!BN_GENCB_call(cb, 3, 0)) -+ goto err; -+ -+ if (i >= 5 * pbits) -+ /* prime not found */ -+ goto err; -+ -+ for (i = 0; i < 5 * pbits; i++) { -+ qloop: -+ if (!test) -+ if (!BN_rand(rsa->q, pbits, 0, 1)) -+ goto err; -+ if (BN_cmp(rsa->q, r0) < 0) { -+ if (test) -+ goto err; -+ goto qloop; -+ } -+ if (!BN_sub(r2, rsa->q, rsa->p)) -+ goto err; -+ if (BN_ucmp(r2, r3) <= 0) { -+ if (test) -+ goto err; -+ goto qloop; -+ } -+ -+ if (!BN_sub(r2, rsa->q, BN_value_one())) -+ goto err; -+ if (!BN_gcd(r1, r2, rsa->e, ctx)) -+ goto err; -+ if (BN_is_one(r1)) { -+ int r; -+ r = BN_is_prime_fasttest_ex(rsa->q, pbits > 1024 ? 
4 : 5, ctx, 0, -+ cb); -+ if (r == -1 || (test && r <= 0)) -+ goto err; -+ if (r > 0) -+ break; -+ } -+ -+ if (!BN_GENCB_call(cb, 2, n++)) -+ goto err; -+ } -+ -+ if (!BN_GENCB_call(cb, 3, 1)) -+ goto err; -+ -+ if (i >= 5 * pbits) -+ /* prime not found */ -+ goto err; -+ -+ if (test) { -+ /* do not try to calculate the remaining key values */ -+ BN_clear(rsa->n); -+ ok = 1; -+ goto err; -+ } -+ -+ if (BN_cmp(rsa->p, rsa->q) < 0) { -+ tmp = rsa->p; -+ rsa->p = rsa->q; -+ rsa->q = tmp; -+ } -+ -+ /* calculate n */ -+ if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx)) -+ goto err; -+ -+ /* calculate d */ -+ if (!BN_sub(r1, rsa->p, BN_value_one())) -+ goto err; /* p-1 */ -+ if (!BN_sub(r2, rsa->q, BN_value_one())) -+ goto err; /* q-1 */ -+ -+ if (!BN_gcd(r0, r1, r2, ctx)) -+ goto err; -+ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { -+ pr0 = &local_r0; -+ BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); -+ } else -+ pr0 = r0; -+ if (!BN_div(r0, NULL, r1, pr0, ctx)) -+ goto err; -+ if (!BN_mul(r0, r0, r2, ctx)) -+ goto err; /* lcm(p-1, q-1) */ -+ -+ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { -+ pr0 = &local_r0; -+ BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); -+ } else -+ pr0 = r0; -+ if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) -+ goto err; /* d */ -+ -+ if (BN_num_bits(rsa->d) < pbits) -+ goto retry; /* d is too small */ -+ -+ /* set up d for correct BN_FLG_CONSTTIME flag */ -+ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { -+ d = &local_d; -+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); -+ } else -+ d = rsa->d; -+ -+ /* calculate d mod (p-1) */ -+ if (!BN_mod(rsa->dmp1, d, r1, ctx)) -+ goto err; -+ -+ /* calculate d mod (q-1) */ -+ if (!BN_mod(rsa->dmq1, d, r2, ctx)) -+ goto err; -+ -+ /* calculate inverse of q mod p */ -+ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { -+ p = &local_p; -+ BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); -+ } else -+ p = rsa->p; -+ if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) -+ goto err; -+ -+ if (fips_rsa_pairwise_fail) -+ BN_add_word(rsa->n, 1); -+ -+ if 
(!fips_check_rsa(rsa)) -+ goto err; -+ -+ ok = 1; -+ err: -+ if (ok == -1) { -+ RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN); -+ ok = 0; -+ } -+ if (ctx != NULL) { -+ BN_CTX_end(ctx); -+ BN_CTX_free(ctx); -+ } -+ -+ return ok; -+} -+#endif -+ - static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, - BN_GENCB *cb) - { -@@ -180,15 +434,11 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, - - #ifdef OPENSSL_FIPS - if (FIPS_module_mode()) { -- if (FIPS_selftest_failed()) { -- FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED); -- return 0; -- } -- - if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) { - FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_KEY_TOO_SHORT); - return 0; - } -+ return FIPS_rsa_builtin_keygen(rsa, bits, e_value, cb); - } - #endif - -@@ -317,16 +567,6 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, - if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) - goto err; - --#ifdef OPENSSL_FIPS -- if (FIPS_module_mode()) { -- if (fips_rsa_pairwise_fail) -- BN_add_word(rsa->n, 1); -- -- if (!fips_check_rsa(rsa)) -- goto err; -- } --#endif -- - ok = 1; - err: - if (ok == -1) { -diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c -index 514fcb3..ec15996 100644 ---- a/ssl/t1_enc.c -+++ b/ssl/t1_enc.c -@@ -292,6 +292,23 @@ static int tls1_PRF(long digest_mask, - return ret; - } - -+int private_tls1_PRF(long digest_mask, -+ const void *seed1, int seed1_len, -+ const void *seed2, int seed2_len, -+ const void *seed3, int seed3_len, -+ const void *seed4, int seed4_len, -+ const void *seed5, int seed5_len, -+ const unsigned char *sec, int slen, -+ unsigned char *out1, unsigned char *out2, int olen) -+{ -+ return tls1_PRF(digest_mask, -+ seed1, seed1_len, -+ seed2, seed2_len, -+ seed3, seed3_len, -+ seed4, seed4_len, -+ seed5, seed5_len, sec, slen, out1, out2, olen); -+} -+ - static int tls1_generate_key_block(SSL *s, unsigned char *km, - unsigned char *tmp, int num) - { diff -Nru 
openssl-1.0.2g/debian/patches/openssl-1.0.2g-fips.patch openssl-1.0.2g/debian/patches/openssl-1.0.2g-fips.patch
--- openssl-1.0.2g/debian/patches/openssl-1.0.2g-fips.patch 2016-04-15 04:56:29.000000000 +0000
+++ openssl-1.0.2g/debian/patches/openssl-1.0.2g-fips.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,13852 +0,0 @@
-commit 5ca3772ed217a5e64070b0bc0124554fde145655
-Author: Joy Latten
-Date: Wed Apr 13 16:51:04 2016 -0500
-
- 
From: Joy Latten - Description: [PATCH 1/6] Add FIPS 140-2 support and define OPENSSL_FIPS - Bug-Ubuntu: http://bugs.launchpad.net/bugs/1553309 - Forwarded: not-needed - Origin: vendor, http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/ - --- - Add fips 140-2 selftest and crypto changes for fips mode. - - adds the required selftest; run on initialization - - define OPENSSL_FIPS via Configure - - add FIPS_mode & FIPS_mode_set for apps to query and/or enable fips mode - - various crypto changes when in fips mode for compliance - Note: Does not enable fips mode since hmac integrity check not included. - -diff --git a/Configure b/Configure -index 571aefc..1fcc34e 100755 ---- a/Configure -+++ b/Configure -@@ -1115,11 +1115,6 @@ if (defined($disabled{"md5"}) || defined($disabled{"rsa"})) - $disabled{"ssl2"} = "forced"; - } - --if ($fips && $fipslibdir eq "") -- { -- $fipslibdir = $fipsdir . "/lib/"; -- } -- - # RSAX ENGINE sets default non-FIPS RSA method. - if ($fips) - { -@@ -1608,7 +1603,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($bn_obj =~ /-gf2m/); - if ($fips) - { - $openssl_other_defines.="#define OPENSSL_FIPS\n"; -- $cflags .= " -I\$(FIPSDIR)/include"; - } - - $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/); -@@ -1813,9 +1807,12 @@ while () - - s/^FIPSDIR=.*/FIPSDIR=$fipsdir/; - s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/; -- s/^FIPSCANLIB=.*/FIPSCANLIB=libcrypto/ if $fips; - s/^BASEADDR=.*/BASEADDR=$baseaddr/; - -+ if ($fips) -+ { -+ s/^FIPS=.*/FIPS=yes/; -+ } - s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; - s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/; - s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared); -diff --git a/Makefile.org b/Makefile.org -index 0d98f8e..7567fba 100644 ---- a/Makefile.org -+++ b/Makefile.org -@@ -136,6 +136,9 @@ FIPSCANLIB= - - BASEADDR= - -+# Non-empty if FIPS enabled -+FIPS= -+ - DIRS= crypto ssl engines apps test tools - ENGDIRS= ccgost - SHLIBDIRS= crypto ssl -@@ -148,7 +151,7 @@ SDIRS= \ - bn ec 
rsa dsa ecdsa dh ecdh dso engine \ - buffer bio stack lhash rand err \ - evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \ -- cms pqueue ts jpake srp store cmac -+ cms pqueue ts jpake srp store cmac fips - # keep in mind that the above list is adjusted by ./Configure - # according to no-xxx arguments... - -@@ -239,6 +242,7 @@ BUILDENV= LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\ - FIPSLIBDIR='${FIPSLIBDIR}' \ - FIPSDIR='${FIPSDIR}' \ - FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}" \ -+ FIPS="$${FIPS:-$(FIPS)}" \ - THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES= - # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors, - # which in turn eliminates ambiguities in variable treatment with -e. -diff --git a/apps/speed.c b/apps/speed.c -index 95adcc1..a9c47af 100644 ---- a/apps/speed.c -+++ b/apps/speed.c -@@ -197,7 +197,6 @@ - # ifdef OPENSSL_DOING_MAKEDEPEND - # undef AES_set_encrypt_key - # undef AES_set_decrypt_key --# undef DES_set_key_unchecked - # endif - # define BF_set_key private_BF_set_key - # define CAST_set_key private_CAST_set_key -@@ -205,7 +204,6 @@ - # define SEED_set_key private_SEED_set_key - # define RC2_set_key private_RC2_set_key - # define RC4_set_key private_RC4_set_key --# define DES_set_key_unchecked private_DES_set_key_unchecked - # define AES_set_encrypt_key private_AES_set_encrypt_key - # define AES_set_decrypt_key private_AES_set_decrypt_key - # define Camellia_set_key private_Camellia_set_key -@@ -974,7 +972,12 @@ int MAIN(int argc, char **argv) - # endif - # ifndef OPENSSL_NO_RSA - if (strcmp(*argv, "rsa") == 0) { -- rsa_doit[R_RSA_512] = 1; -+# ifdef OPENSSL_FIPS -+ if (!FIPS_mode()) -+# endif -+ { -+ rsa_doit[R_RSA_512] = 1; -+ } - rsa_doit[R_RSA_1024] = 1; - rsa_doit[R_RSA_2048] = 1; - rsa_doit[R_RSA_4096] = 1; -@@ -982,7 +985,12 @@ int MAIN(int argc, char **argv) - # endif - # ifndef OPENSSL_NO_DSA - if (strcmp(*argv, "dsa") == 0) { -- dsa_doit[R_DSA_512] = 1; -+# ifdef OPENSSL_FIPS 
-+ if (!FIPS_mode()) -+# endif -+ { -+ dsa_doit[R_DSA_512] = 1; -+ } - dsa_doit[R_DSA_1024] = 1; - dsa_doit[R_DSA_2048] = 1; - } else -@@ -1233,13 +1241,19 @@ int MAIN(int argc, char **argv) - - if (j == 0) { - for (i = 0; i < ALGOR_NUM; i++) { -- if (i != D_EVP) -+ if (i != D_EVP && -+ (!FIPS_mode() || (i != D_WHIRLPOOL && -+ i != D_MD2 && i != D_MD4 && -+ i != D_MD5 && i != D_MDC2 && -+ i != D_RMD160))) - doit[i] = 1; - } - for (i = 0; i < RSA_NUM; i++) -- rsa_doit[i] = 1; -+ if (!FIPS_mode() || i != R_RSA_512) -+ rsa_doit[i] = 1; - for (i = 0; i < DSA_NUM; i++) -- dsa_doit[i] = 1; -+ if (!FIPS_mode() || i != R_DSA_512) -+ dsa_doit[i] = 1; - # ifndef OPENSSL_NO_ECDSA - for (i = 0; i < EC_NUM; i++) - ecdsa_doit[i] = 1; -@@ -1299,30 +1313,46 @@ int MAIN(int argc, char **argv) - AES_set_encrypt_key(key32, 256, &aes_ks3); - # endif - # ifndef OPENSSL_NO_CAMELLIA -- Camellia_set_key(key16, 128, &camellia_ks1); -- Camellia_set_key(ckey24, 192, &camellia_ks2); -- Camellia_set_key(ckey32, 256, &camellia_ks3); -+ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML]) { -+ Camellia_set_key(key16, 128, &camellia_ks1); -+ Camellia_set_key(ckey24, 192, &camellia_ks2); -+ Camellia_set_key(ckey32, 256, &camellia_ks3); -+ } - # endif - # ifndef OPENSSL_NO_IDEA -- idea_set_encrypt_key(key16, &idea_ks); -+ if (doit[D_CBC_IDEA]) { -+ idea_set_encrypt_key(key16, &idea_ks); -+ } - # endif - # ifndef OPENSSL_NO_SEED -- SEED_set_key(key16, &seed_ks); -+ if (doit[D_CBC_SEED]) { -+ SEED_set_key(key16, &seed_ks); -+ } - # endif - # ifndef OPENSSL_NO_RC4 -- RC4_set_key(&rc4_ks, 16, key16); -+ if (doit[D_RC4]) { -+ RC4_set_key(&rc4_ks, 16, key16); -+ } - # endif - # ifndef OPENSSL_NO_RC2 -- RC2_set_key(&rc2_ks, 16, key16, 128); -+ if (doit[D_CBC_RC2]) { -+ RC2_set_key(&rc2_ks, 16, key16, 128); -+ } - # endif - # ifndef OPENSSL_NO_RC5 -- RC5_32_set_key(&rc5_ks, 16, key16, 12); -+ if (doit[D_CBC_RC5]) { -+ RC5_32_set_key(&rc5_ks, 16, key16, 12); -+ } - # endif - # ifndef 
OPENSSL_NO_BF -- BF_set_key(&bf_ks, 16, key16); -+ if (doit[D_CBC_BF]) { -+ BF_set_key(&bf_ks, 16, key16); -+ } - # endif - # ifndef OPENSSL_NO_CAST -- CAST_set_key(&cast_ks, 16, key16); -+ if (doit[D_CBC_CAST]) { -+ CAST_set_key(&cast_ks, 16, key16); -+ } - # endif - # ifndef OPENSSL_NO_RSA - memset(rsa_c, 0, sizeof(rsa_c)); -@@ -1605,6 +1635,7 @@ int MAIN(int argc, char **argv) - HMAC_CTX hctx; - - HMAC_CTX_init(&hctx); -+ HMAC_CTX_set_flags(&hctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - HMAC_Init_ex(&hctx, (unsigned char *)"This is a key...", - 16, EVP_md5(), NULL); - -diff --git a/crypto/aes/aes_misc.c b/crypto/aes/aes_misc.c -index fafad4d..4ab7312 100644 ---- a/crypto/aes/aes_misc.c -+++ b/crypto/aes/aes_misc.c -@@ -70,17 +70,11 @@ const char *AES_options(void) - int AES_set_encrypt_key(const unsigned char *userKey, const int bits, - AES_KEY *key) - { --#ifdef OPENSSL_FIPS -- fips_cipher_abort(AES); --#endif - return private_AES_set_encrypt_key(userKey, bits, key); - } - - int AES_set_decrypt_key(const unsigned char *userKey, const int bits, - AES_KEY *key) - { --#ifdef OPENSSL_FIPS -- fips_cipher_abort(AES); --#endif - return private_AES_set_decrypt_key(userKey, bits, key); - } -diff --git a/crypto/cmac/cmac.c b/crypto/cmac/cmac.c -index 2954b6e..784228d 100644 ---- a/crypto/cmac/cmac.c -+++ b/crypto/cmac/cmac.c -@@ -105,12 +105,6 @@ CMAC_CTX *CMAC_CTX_new(void) - - void CMAC_CTX_cleanup(CMAC_CTX *ctx) - { --#ifdef OPENSSL_FIPS -- if (FIPS_mode() && !ctx->cctx.engine) { -- FIPS_cmac_ctx_cleanup(ctx); -- return; -- } --#endif - EVP_CIPHER_CTX_cleanup(&ctx->cctx); - OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH); - OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH); -@@ -160,20 +154,6 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen, - EVPerr(EVP_F_CMAC_INIT, EVP_R_DISABLED_FOR_FIPS); - return 0; - } -- -- /* Switch to FIPS cipher implementation if possible */ -- if (cipher != NULL) { -- const EVP_CIPHER *fcipher; -- fcipher = 
FIPS_get_cipherbynid(EVP_CIPHER_nid(cipher)); -- if (fcipher != NULL) -- cipher = fcipher; -- } -- /* -- * Other algorithm blocking will be done in FIPS_cmac_init, via -- * FIPS_cipherinit(). -- */ -- if (!impl && !ctx->cctx.engine) -- return FIPS_cmac_init(ctx, key, keylen, cipher, NULL); - } - #endif - /* All zeros means restart */ -@@ -219,10 +199,6 @@ int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen) - { - const unsigned char *data = in; - size_t bl; --#ifdef OPENSSL_FIPS -- if (FIPS_mode() && !ctx->cctx.engine) -- return FIPS_cmac_update(ctx, in, dlen); --#endif - if (ctx->nlast_block == -1) - return 0; - if (dlen == 0) -@@ -262,10 +238,6 @@ int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen) - int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen) - { - int i, bl, lb; --#ifdef OPENSSL_FIPS -- if (FIPS_mode() && !ctx->cctx.engine) -- return FIPS_cmac_final(ctx, out, poutlen); --#endif - if (ctx->nlast_block == -1) - return 0; - bl = EVP_CIPHER_CTX_block_size(&ctx->cctx); -diff --git a/crypto/crypto.h b/crypto/crypto.h -index 6c644ce..01efbc2 100644 ---- a/crypto/crypto.h -+++ b/crypto/crypto.h -@@ -600,24 +600,29 @@ int FIPS_mode_set(int r); - void OPENSSL_init(void); - - # define fips_md_init(alg) fips_md_init_ctx(alg, alg) -+# define nonfips_md_init(alg) nonfips_md_init_ctx(alg, alg) -+# define fips_md_init_ctx(alg, cx) \ -+ int alg##_Init(cx##_CTX *c) - - # ifdef OPENSSL_FIPS --# define fips_md_init_ctx(alg, cx) \ -+# define nonfips_md_init_ctx(alg, cx) \ - int alg##_Init(cx##_CTX *c) \ - { \ - if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \ -- "Low level API call to digest " #alg " forbidden in FIPS mode!"); \ -+ "Digest " #alg " forbidden in FIPS mode!"); \ - return private_##alg##_Init(c); \ - } \ - int private_##alg##_Init(cx##_CTX *c) - - # define fips_cipher_abort(alg) \ - if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \ -- "Low level API call to cipher " #alg " forbidden in FIPS mode!") -+ "Cipher " #alg " forbidden 
in FIPS mode!") -+ -+/* die if FIPS selftest failed */ -+void FIPS_selftest_check(void); - - # else --# define fips_md_init_ctx(alg, cx) \ -- int alg##_Init(cx##_CTX *c) -+# define nonfips_md_init_ctx(alg, cx) fips_md_init_ctx(alg, cx) - # define fips_cipher_abort(alg) while(0) - # endif - -@@ -637,6 +642,9 @@ int CRYPTO_memcmp(const volatile void *a, const volatile void *b, size_t len); - */ - void ERR_load_CRYPTO_strings(void); - -+# define OPENSSL_HAVE_INIT 1 -+void OPENSSL_init_library(void); -+ - /* Error codes for the CRYPTO functions. */ - - /* Function codes. */ -diff --git a/crypto/des/des.h b/crypto/des/des.h -index 1b40144..fe02e34 100644 ---- a/crypto/des/des.h -+++ b/crypto/des/des.h -@@ -231,10 +231,6 @@ int DES_set_key(const_DES_cblock *key, DES_key_schedule *schedule); - int DES_key_sched(const_DES_cblock *key, DES_key_schedule *schedule); - int DES_set_key_checked(const_DES_cblock *key, DES_key_schedule *schedule); - void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule); --# ifdef OPENSSL_FIPS --void private_DES_set_key_unchecked(const_DES_cblock *key, -- DES_key_schedule *schedule); --# endif - void DES_string_to_key(const char *str, DES_cblock *key); - void DES_string_to_2keys(const char *str, DES_cblock *key1, DES_cblock *key2); - void DES_cfb64_encrypt(const unsigned char *in, unsigned char *out, -diff --git a/crypto/des/set_key.c b/crypto/des/set_key.c -index 8fd8fe1..5c63164 100644 ---- a/crypto/des/set_key.c -+++ b/crypto/des/set_key.c -@@ -359,15 +359,6 @@ int DES_set_key_checked(const_DES_cblock *key, DES_key_schedule *schedule) - } - - void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule) --#ifdef OPENSSL_FIPS --{ -- fips_cipher_abort(DES); -- private_DES_set_key_unchecked(key, schedule); --} -- --void private_DES_set_key_unchecked(const_DES_cblock *key, -- DES_key_schedule *schedule) --#endif - { - static const int shifts2[16] = - { 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0 }; -diff 
--git a/crypto/dh/dh.h b/crypto/dh/dh.h -index a5bd901..7ae5079 100644 ---- a/crypto/dh/dh.h -+++ b/crypto/dh/dh.h -@@ -77,6 +77,8 @@ - # define OPENSSL_DH_MAX_MODULUS_BITS 10000 - # endif - -+# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 -+ - # define DH_FLAG_CACHE_MONT_P 0x01 - - /* -diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c -index 5bedb66..4fcb16b 100644 ---- a/crypto/dh/dh_gen.c -+++ b/crypto/dh/dh_gen.c -@@ -85,10 +85,6 @@ int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, - #endif - if (ret->meth->generate_params) - return ret->meth->generate_params(ret, prime_len, generator, cb); --#ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return FIPS_dh_generate_parameters_ex(ret, prime_len, generator, cb); --#endif - return dh_builtin_genparams(ret, prime_len, generator, cb); - } - -@@ -126,6 +122,18 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, - int g, ok = -1; - BN_CTX *ctx = NULL; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED); -+ return 0; -+ } -+ -+ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { -+ DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL); -+ goto err; -+ } -+#endif -+ - ctx = BN_CTX_new(); - if (ctx == NULL) - goto err; -diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c -index 1d80fb2..1c24715 100644 ---- a/crypto/dh/dh_key.c -+++ b/crypto/dh/dh_key.c -@@ -61,6 +61,9 @@ - #include - #include - #include -+#ifdef OPENSSL_FIPS -+# include -+#endif - - static int generate_key(DH *dh); - static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); -@@ -97,7 +100,7 @@ int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) - int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh) - { - int rv, pad; -- rv = dh->meth->compute_key(key, pub_key, dh); -+ rv = DH_compute_key(key, pub_key, dh); - if (rv <= 0) - return rv; - pad = BN_num_bytes(dh->p) - 
rv; -@@ -115,7 +118,7 @@ static DH_METHOD dh_ossl = { - dh_bn_mod_exp, - dh_init, - dh_finish, -- 0, -+ DH_FLAG_FIPS_METHOD, - NULL, - NULL - }; -@@ -134,6 +137,14 @@ static int generate_key(DH *dh) - BN_MONT_CTX *mont = NULL; - BIGNUM *pub_key = NULL, *priv_key = NULL; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() -+ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { -+ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL); -+ return 0; -+ } -+#endif -+ - ctx = BN_CTX_new(); - if (ctx == NULL) - goto err; -@@ -217,6 +228,13 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) - DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE); - goto err; - } -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() -+ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { -+ DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL); -+ goto err; -+ } -+#endif - - ctx = BN_CTX_new(); - if (ctx == NULL) -@@ -277,6 +295,9 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, - - static int dh_init(DH *dh) - { -+#ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+#endif - dh->flags |= DH_FLAG_CACHE_MONT_P; - return (1); - } -diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c -index bebc160..b38b4be 100644 ---- a/crypto/dh/dh_lib.c -+++ b/crypto/dh/dh_lib.c -@@ -80,14 +80,7 @@ void DH_set_default_method(const DH_METHOD *meth) - const DH_METHOD *DH_get_default_method(void) - { - if (!default_DH_method) { --#ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return FIPS_dh_openssl(); -- else -- return DH_OpenSSL(); --#else - default_DH_method = DH_OpenSSL(); --#endif - } - return default_DH_method; - } -diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h -index 545358f..7c78c5a 100644 ---- a/crypto/dsa/dsa.h -+++ b/crypto/dsa/dsa.h -@@ -88,6 +88,8 @@ - # define OPENSSL_DSA_MAX_MODULUS_BITS 10000 - # endif - -+# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024 -+ - # define DSA_FLAG_CACHE_MONT_P 0x01 - /* - * new with 0.9.7h; the built-in DSA implementation now uses constant time -@@ -265,6 
+267,20 @@ int DSA_print_fp(FILE *bp, const DSA *x, int off); - DH *DSA_dup_DH(const DSA *r); - # endif - -+# ifdef OPENSSL_FIPS -+int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, -+ const EVP_MD *evpmd, -+ const unsigned char *seed_in, -+ size_t seed_len, int *counter_ret, -+ unsigned long *h_ret, BN_GENCB *cb); -+int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits, -+ const EVP_MD *evpmd, unsigned char *seed, -+ int seed_len, BIGNUM **p_ret, BIGNUM **q_ret, -+ int *counter_ret, BN_GENCB *cb); -+int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q, BIGNUM **g_ret, -+ unsigned long *h_ret, BN_GENCB *cb); -+# endif -+ - # define EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, nbits) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, \ - EVP_PKEY_CTRL_DSA_PARAMGEN_BITS, nbits, NULL) -@@ -287,11 +303,14 @@ void ERR_load_DSA_strings(void); - # define DSA_F_DO_DSA_PRINT 104 - # define DSA_F_DSAPARAMS_PRINT 100 - # define DSA_F_DSAPARAMS_PRINT_FP 101 --# define DSA_F_DSA_BUILTIN_PARAMGEN2 126 -+# define DSA_F_DSA_BUILTIN_KEYGEN 124 -+# define DSA_F_DSA_BUILTIN_PARAMGEN 123 -+# define DSA_F_DSA_BUILTIN_PARAMGEN2 226 - # define DSA_F_DSA_DO_SIGN 112 - # define DSA_F_DSA_DO_VERIFY 113 --# define DSA_F_DSA_GENERATE_KEY 124 --# define DSA_F_DSA_GENERATE_PARAMETERS_EX 123 -+# define DSA_F_DSA_GENERATE_KEY 126 -+# define DSA_F_DSA_GENERATE_PARAMETERS_EX 127 -+# define DSA_F_DSA_GENERATE_PARAMETERS /* unused */ 125 - # define DSA_F_DSA_NEW_METHOD 103 - # define DSA_F_DSA_PARAM_DECODE 119 - # define DSA_F_DSA_PRINT_FP 105 -@@ -317,12 +336,16 @@ void ERR_load_DSA_strings(void); - # define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100 - # define DSA_R_DECODE_ERROR 104 - # define DSA_R_INVALID_DIGEST_TYPE 106 --# define DSA_R_INVALID_PARAMETERS 112 -+# define DSA_R_INVALID_PARAMETERS 212 -+# define DSA_R_KEY_SIZE_INVALID 113 -+# define DSA_R_KEY_SIZE_TOO_SMALL 110 - # define DSA_R_MISSING_PARAMETERS 101 - # define DSA_R_MODULUS_TOO_LARGE 103 --# define 
DSA_R_NEED_NEW_SETUP_VALUES 110 -+# define DSA_R_NEED_NEW_SETUP_VALUES 112 - # define DSA_R_NON_FIPS_DSA_METHOD 111 -+# define DSA_R_NON_FIPS_METHOD 111 - # define DSA_R_NO_PARAMETERS_SET 107 -+# define DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE /* unused */ 112 - # define DSA_R_PARAMETER_ENCODING_ERROR 105 - # define DSA_R_Q_NOT_PRIME 113 - -diff --git a/crypto/dsa/dsa_err.c b/crypto/dsa/dsa_err.c -index f5ddc66..5bae45c 100644 ---- a/crypto/dsa/dsa_err.c -+++ b/crypto/dsa/dsa_err.c -@@ -74,6 +74,8 @@ static ERR_STRING_DATA DSA_str_functs[] = { - {ERR_FUNC(DSA_F_DO_DSA_PRINT), "DO_DSA_PRINT"}, - {ERR_FUNC(DSA_F_DSAPARAMS_PRINT), "DSAparams_print"}, - {ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP), "DSAparams_print_fp"}, -+ {ERR_FUNC(DSA_F_DSA_BUILTIN_KEYGEN), "dsa_builtin_keygen"}, -+ {ERR_FUNC(DSA_F_DSA_BUILTIN_PARAMGEN), "dsa_builtin_paramgen"}, - {ERR_FUNC(DSA_F_DSA_BUILTIN_PARAMGEN2), "DSA_BUILTIN_PARAMGEN2"}, - {ERR_FUNC(DSA_F_DSA_DO_SIGN), "DSA_do_sign"}, - {ERR_FUNC(DSA_F_DSA_DO_VERIFY), "DSA_do_verify"}, -@@ -109,6 +111,8 @@ static ERR_STRING_DATA DSA_str_reasons[] = { - {ERR_REASON(DSA_R_DECODE_ERROR), "decode error"}, - {ERR_REASON(DSA_R_INVALID_DIGEST_TYPE), "invalid digest type"}, - {ERR_REASON(DSA_R_INVALID_PARAMETERS), "invalid parameters"}, -+ {ERR_REASON(DSA_R_KEY_SIZE_INVALID), "key size invalid"}, -+ {ERR_REASON(DSA_R_KEY_SIZE_TOO_SMALL), "key size too small"}, - {ERR_REASON(DSA_R_MISSING_PARAMETERS), "missing parameters"}, - {ERR_REASON(DSA_R_MODULUS_TOO_LARGE), "modulus too large"}, - {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES), "need new setup values"}, -diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c -index 15f3bb4..96c4c09 100644 ---- a/crypto/dsa/dsa_gen.c -+++ b/crypto/dsa/dsa_gen.c -@@ -91,6 +91,16 @@ - # include - # endif - -+# ifndef OPENSSL_FIPS -+static int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits, -+ const EVP_MD *evpmd, unsigned char *seed, -+ int seed_len, BIGNUM **p_ret, BIGNUM **q_ret, -+ int *counter_ret, BN_GENCB 
*cb); -+static int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q, -+ BIGNUM **g_ret, unsigned long *h_ret, -+ BN_GENCB *cb); -+# endif -+ - int DSA_generate_parameters_ex(DSA *ret, int bits, - const unsigned char *seed_in, int seed_len, - int *counter_ret, unsigned long *h_ret, -@@ -106,97 +116,165 @@ int DSA_generate_parameters_ex(DSA *ret, int bits, - if (ret->meth->dsa_paramgen) - return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len, - counter_ret, h_ret, cb); --# ifdef OPENSSL_FIPS -- else if (FIPS_mode()) { -- return FIPS_dsa_generate_parameters_ex(ret, bits, -- seed_in, seed_len, -- counter_ret, h_ret, cb); -- } --# endif - else { - const EVP_MD *evpmd = bits >= 2048 ? EVP_sha256() : EVP_sha1(); - size_t qbits = EVP_MD_size(evpmd) * 8; - - return dsa_builtin_paramgen(ret, bits, qbits, evpmd, -- seed_in, seed_len, NULL, counter_ret, -+ seed_in, seed_len, counter_ret, - h_ret, cb); - } - } - -+# ifdef OPENSSL_FIPS -+int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, -+ const EVP_MD *evpmd, -+ const unsigned char *seed_in, size_t seed_len, -+ int *counter_ret, unsigned long *h_ret, -+ BN_GENCB *cb) -+{ -+ return dsa_builtin_paramgen(ret, bits, qbits, -+ evpmd, seed_in, seed_len, -+ counter_ret, h_ret, cb); -+} -+# endif -+ - int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, - const EVP_MD *evpmd, const unsigned char *seed_in, -- size_t seed_len, unsigned char *seed_out, -+ size_t seed_len, - int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) - { - int ok = 0; - unsigned char seed[SHA256_DIGEST_LENGTH]; -+ BIGNUM *g = NULL, *q = NULL, *p = NULL; -+ size_t qsize = qbits >> 3; -+ BN_CTX *ctx = NULL; -+ -+# ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN, FIPS_R_FIPS_SELFTEST_FAILED); -+ goto err; -+ } -+ -+ if (FIPS_module_mode() && -+ (bits != 1024 || qbits != 160) && -+ (bits != 2048 || qbits != 224) && -+ (bits != 2048 || qbits != 256) && (bits != 3072 || qbits != 256)) { -+ 
DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID); -+ goto err; -+ } -+# endif -+ if (seed_len && (seed_len < (size_t)qsize)) -+ seed_in = NULL; /* seed buffer too small -- ignore */ -+ if (seed_len > sizeof(seed)) -+ seed_len = sizeof(seed); /* App. 2.2 of FIPS PUB 186 allows larger SEED, -+ * but our internal buffers are restricted to 256 bits*/ -+ if (seed_in != NULL) -+ memcpy(seed, seed_in, seed_len); -+ else -+ seed_len = 0; -+ -+ if ((ctx = BN_CTX_new()) == NULL) -+ goto err; -+ -+ BN_CTX_start(ctx); -+ -+ if (!FIPS_dsa_generate_pq(ctx, bits, qbits, evpmd, -+ seed, seed_len, &p, &q, counter_ret, cb)) -+ goto err; -+ -+ if (!FIPS_dsa_generate_g(ctx, p, q, &g, h_ret, cb)) -+ goto err; -+ -+ ok = 1; -+ err: -+ if (ok) { -+ if (ret->p) { -+ BN_free(ret->p); -+ ret->p = NULL; -+ } -+ if (ret->q) { -+ BN_free(ret->q); -+ ret->q = NULL; -+ } -+ if (ret->g) { -+ BN_free(ret->g); -+ ret->g = NULL; -+ } -+ ret->p = BN_dup(p); -+ ret->q = BN_dup(q); -+ ret->g = BN_dup(g); -+ if (ret->p == NULL || ret->q == NULL || ret->g == NULL) -+ ok = 0; -+ } -+ if (ctx) { -+ BN_CTX_end(ctx); -+ BN_CTX_free(ctx); -+ } -+ return ok; -+} -+ -+# ifndef OPENSSL_FIPS -+static -+# endif -+int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits, -+ const EVP_MD *evpmd, unsigned char *seed, -+ int seed_len, BIGNUM **p_ret, BIGNUM **q_ret, -+ int *counter_ret, BN_GENCB *cb) -+{ -+ int ok = 0; - unsigned char md[SHA256_DIGEST_LENGTH]; -- unsigned char buf[SHA256_DIGEST_LENGTH], buf2[SHA256_DIGEST_LENGTH]; -+ unsigned char buf[SHA256_DIGEST_LENGTH]; - BIGNUM *r0, *W, *X, *c, *test; -- BIGNUM *g = NULL, *q = NULL, *p = NULL; -- BN_MONT_CTX *mont = NULL; -- int i, k, n = 0, m = 0, qsize = qbits >> 3; -+ BIGNUM *q = NULL, *p = NULL; -+ int i, k, b, n = 0, m = 0, qsize = qbits >> 3; - int counter = 0; - int r = 0; -- BN_CTX *ctx = NULL; -- unsigned int h = 2; - - if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH && - qsize != SHA256_DIGEST_LENGTH) - /* invalid q size 
*/ - return 0; - -- if (evpmd == NULL) -- /* use SHA1 as default */ -+ if (evpmd == NULL) { -+ if (qbits <= 160) - evpmd = EVP_sha1(); -+ else if (qbits <= 224) -+ evpmd = EVP_sha224(); -+ else -+ evpmd = EVP_sha256(); -+ } - - if (bits < 512) - bits = 512; - - bits = (bits + 63) / 64 * 64; - -- /* -- * NB: seed_len == 0 is special case: copy generated seed to seed_in if -- * it is not NULL. -- */ -- if (seed_len && (seed_len < (size_t)qsize)) -- seed_in = NULL; /* seed buffer too small -- ignore */ -- if (seed_len > (size_t)qsize) -- seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger -- * SEED, but our internal buffers are -- * restricted to 160 bits */ -- if (seed_in != NULL) -- memcpy(seed, seed_in, seed_len); -- -- if ((mont = BN_MONT_CTX_new()) == NULL) -- goto err; -- -- if ((ctx = BN_CTX_new()) == NULL) -- goto err; -- -- BN_CTX_start(ctx); -- - r0 = BN_CTX_get(ctx); -- g = BN_CTX_get(ctx); - W = BN_CTX_get(ctx); -- q = BN_CTX_get(ctx); -+ *q_ret = q = BN_CTX_get(ctx); - X = BN_CTX_get(ctx); - c = BN_CTX_get(ctx); -- p = BN_CTX_get(ctx); -+ *p_ret = p = BN_CTX_get(ctx); - test = BN_CTX_get(ctx); - - if (!BN_lshift(test, BN_value_one(), bits - 1)) - goto err; - -+ /* step 3 n = \lceil bits / qbits \rceil - 1 */ -+ n = (bits + qbits - 1) / qbits - 1; -+ /* step 4 b = bits - 1 - n * qbits */ -+ b = bits - 1 - n * qbits; -+ - for (;;) { - for (;;) { /* find q */ - int seed_is_random; - -- /* step 1 */ -+ /* step 5 generate seed */ - if (!BN_GENCB_call(cb, 0, m++)) - goto err; - -- if (!seed_len || !seed_in) { -+ if (!seed_len) { - if (RAND_pseudo_bytes(seed, qsize) < 0) - goto err; - seed_is_random = 1; -@@ -206,29 +284,18 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, - * be bad */ - } - memcpy(buf, seed, qsize); -- memcpy(buf2, seed, qsize); -- /* precompute "SEED + 1" for step 7: */ -- for (i = qsize - 1; i >= 0; i--) { -- buf[i]++; -- if (buf[i] != 0) -- break; -- } - -- /* step 2 */ -+ /* step 6 U = hash(seed) */ - if 
(!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL)) - goto err; -- if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL)) -- goto err; -- for (i = 0; i < qsize; i++) -- md[i] ^= buf2[i]; - -- /* step 3 */ -+ /* step 7 q = 2^(qbits-1) + U + 1 - (U mod 2) */ - md[0] |= 0x80; - md[qsize - 1] |= 0x01; - if (!BN_bin2bn(md, qsize, q)) - goto err; - -- /* step 4 */ -+ /* step 8 test for prime (64 round of Rabin-Miller) */ - r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, - seed_is_random, cb); - if (r > 0) -@@ -236,8 +303,6 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, - if (r != 0) - goto err; - -- /* do a callback call */ -- /* step 5 */ - } - - if (!BN_GENCB_call(cb, 2, 0)) -@@ -245,19 +310,16 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, - if (!BN_GENCB_call(cb, 3, 0)) - goto err; - -- /* step 6 */ -+ /* step 11 */ - counter = 0; -- /* "offset = 2" */ -- -- n = (bits - 1) / 160; -+ /* "offset = 1" */ - - for (;;) { - if ((counter != 0) && !BN_GENCB_call(cb, 0, counter)) - goto err; - -- /* step 7 */ -+ /* step 11.1, 11.2 obtain W */ - BN_zero(W); -- /* now 'buf' contains "SEED + offset - 1" */ - for (k = 0; k <= n; k++) { - /* - * obtain "SEED + offset + k" by incrementing: -@@ -271,36 +333,37 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, - if (!EVP_Digest(buf, qsize, md, NULL, evpmd, NULL)) - goto err; - -- /* step 8 */ - if (!BN_bin2bn(md, qsize, r0)) - goto err; -- if (!BN_lshift(r0, r0, (qsize << 3) * k)) -+ if (k == n) -+ BN_mask_bits(r0, b); -+ if (!BN_lshift(r0, r0, qbits * k)) - goto err; - if (!BN_add(W, W, r0)) - goto err; - } - -- /* more of step 8 */ -- if (!BN_mask_bits(W, bits - 1)) -- goto err; -+ /* step 11.3 X = W + 2^(L-1) */ - if (!BN_copy(X, W)) - goto err; - if (!BN_add(X, X, test)) - goto err; - -- /* step 9 */ -+ /* step 11.4 c = X mod 2*q */ - if (!BN_lshift1(r0, q)) - goto err; - if (!BN_mod(c, X, r0, ctx)) - goto err; -+ -+ /* step 11.5 p = X - (c - 1) */ - if (!BN_sub(r0, c, 
BN_value_one())) - goto err; - if (!BN_sub(p, X, r0)) - goto err; - -- /* step 10 */ -+ /* step 11.6 */ - if (BN_cmp(p, test) >= 0) { -- /* step 11 */ -+ /* step 11.7 */ - r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, ctx, 1, cb); - if (r > 0) - goto end; /* found it */ -@@ -308,12 +371,12 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, - goto err; - } - -- /* step 13 */ -+ /* step 11.9 */ - counter++; - /* "offset = offset + n + 1" */ - -- /* step 14 */ -- if (counter >= 4096) -+ /* step 12 */ -+ if (counter >= 4 * bits) - break; - } - } -@@ -321,7 +384,33 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, - if (!BN_GENCB_call(cb, 2, 1)) - goto err; - -- /* We now need to generate g */ -+ ok = 1; -+ err: -+ if (ok) { -+ if (counter_ret != NULL) -+ *counter_ret = counter; -+ } -+ return ok; -+} -+ -+# ifndef OPENSSL_FIPS -+static -+# endif -+int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q, -+ BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb) -+{ -+ int ok = 0; -+ BIGNUM *r0, *test, *g = NULL; -+ BN_MONT_CTX *mont; -+ unsigned int h = 2; -+ -+ if ((mont = BN_MONT_CTX_new()) == NULL) -+ goto err; -+ -+ r0 = BN_CTX_get(ctx); -+ *g_ret = g = BN_CTX_get(ctx); -+ test = BN_CTX_get(ctx); -+ - /* Set r0=(p-1)/q */ - if (!BN_sub(test, p, BN_value_one())) - goto err; -@@ -350,46 +439,14 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, - ok = 1; - err: - if (ok) { -- if (ret->p) -- BN_free(ret->p); -- if (ret->q) -- BN_free(ret->q); -- if (ret->g) -- BN_free(ret->g); -- ret->p = BN_dup(p); -- ret->q = BN_dup(q); -- ret->g = BN_dup(g); -- if (ret->p == NULL || ret->q == NULL || ret->g == NULL) { -- ok = 0; -- goto err; -- } -- if (counter_ret != NULL) -- *counter_ret = counter; - if (h_ret != NULL) - *h_ret = h; -- if (seed_out) -- memcpy(seed_out, seed, qsize); -- } -- if (ctx) { -- BN_CTX_end(ctx); -- BN_CTX_free(ctx); - } - if (mont != NULL) - BN_MONT_CTX_free(mont); - return ok; - } - --# ifdef OPENSSL_FIPS --# 
undef fips_dsa_builtin_paramgen2 --extern int fips_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, -- const EVP_MD *evpmd, -- const unsigned char *seed_in, -- size_t seed_len, int idx, -- unsigned char *seed_out, -- int *counter_ret, unsigned long *h_ret, -- BN_GENCB *cb); --# endif -- - /* - * This is a parameter generation algorithm for the DSA2 algorithm as - * described in FIPS 186-3. -@@ -415,14 +472,6 @@ int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, - EVP_MD_CTX mctx; - unsigned int h = 2; - --# ifdef OPENSSL_FIPS -- -- if (FIPS_mode()) -- return fips_dsa_builtin_paramgen2(ret, L, N, evpmd, -- seed_in, seed_len, idx, -- seed_out, counter_ret, h_ret, cb); --# endif -- - EVP_MD_CTX_init(&mctx); - - if (evpmd == NULL) { -diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c -index e8c8d2e..e1307b0 100644 ---- a/crypto/dsa/dsa_key.c -+++ b/crypto/dsa/dsa_key.c -@@ -66,6 +66,34 @@ - - # ifdef OPENSSL_FIPS - # include -+# include -+ -+static int fips_check_dsa(DSA *dsa) -+{ -+ EVP_PKEY *pk; -+ unsigned char tbs[] = "DSA Pairwise Check Data"; -+ int ret = 0; -+ -+ if ((pk = EVP_PKEY_new()) == NULL) -+ goto err; -+ -+ EVP_PKEY_set1_DSA(pk, dsa); -+ -+ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL)) -+ ret = 1; -+ -+ err: -+ if (ret == 0) { -+ FIPSerr(FIPS_F_FIPS_CHECK_DSA, FIPS_R_PAIRWISE_TEST_FAILED); -+ fips_set_selftest_fail(); -+ } -+ -+ if (pk) -+ EVP_PKEY_free(pk); -+ -+ return ret; -+} -+ - # endif - - static int dsa_builtin_keygen(DSA *dsa); -@@ -81,10 +109,6 @@ int DSA_generate_key(DSA *dsa) - # endif - if (dsa->meth->dsa_keygen) - return dsa->meth->dsa_keygen(dsa); --# ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return FIPS_dsa_generate_key(dsa); --# endif - return dsa_builtin_keygen(dsa); - } - -@@ -94,6 +118,14 @@ static int dsa_builtin_keygen(DSA *dsa) - BN_CTX *ctx = NULL; - BIGNUM *pub_key = NULL, *priv_key = NULL; - -+# ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) -+ && 
(BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) { -+ DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL); -+ goto err; -+ } -+# endif -+ - if ((ctx = BN_CTX_new()) == NULL) - goto err; - -@@ -131,6 +163,13 @@ static int dsa_builtin_keygen(DSA *dsa) - - dsa->priv_key = priv_key; - dsa->pub_key = pub_key; -+# ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !fips_check_dsa(dsa)) { -+ dsa->pub_key = NULL; -+ dsa->priv_key = NULL; -+ goto err; -+ } -+# endif - ok = 1; - - err: -diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c -index eb9d21d..13b3491 100644 ---- a/crypto/dsa/dsa_lib.c -+++ b/crypto/dsa/dsa_lib.c -@@ -86,14 +86,7 @@ void DSA_set_default_method(const DSA_METHOD *meth) - const DSA_METHOD *DSA_get_default_method(void) - { - if (!default_DSA_method) { --#ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return FIPS_dsa_openssl(); -- else -- return DSA_OpenSSL(); --#else - default_DSA_method = DSA_OpenSSL(); --#endif - } - return default_DSA_method; - } -diff --git a/crypto/dsa/dsa_locl.h b/crypto/dsa/dsa_locl.h -index 9c23c3e..f4f54fc 100644 ---- a/crypto/dsa/dsa_locl.h -+++ b/crypto/dsa/dsa_locl.h -@@ -56,7 +56,7 @@ - - int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, - const EVP_MD *evpmd, const unsigned char *seed_in, -- size_t seed_len, unsigned char *seed_out, -+ size_t seed_len, - int *counter_ret, unsigned long *h_ret, - BN_GENCB *cb); - -diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c -index efc4f1b..12c4a06 100644 ---- a/crypto/dsa/dsa_ossl.c -+++ b/crypto/dsa/dsa_ossl.c -@@ -65,6 +65,9 @@ - #include - #include - #include -+#ifdef OPENSSL_FIPS -+# include -+#endif - - static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); - static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, -@@ -83,7 +86,7 @@ static DSA_METHOD openssl_dsa_meth = { - NULL, /* dsa_bn_mod_exp, */ - dsa_init, - dsa_finish, -- 0, -+ DSA_FLAG_FIPS_METHOD, - NULL, - NULL, - NULL -@@ -140,6 +143,19 @@ static DSA_SIG 
*dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) - DSA_SIG *ret = NULL; - int noredo = 0; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_DSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED); -+ return NULL; -+ } -+ -+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) -+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) { -+ DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL); -+ return NULL; -+ } -+#endif -+ - BN_init(&m); - BN_init(&xr); - -@@ -330,6 +346,18 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, - DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE); - return -1; - } -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_DSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED); -+ return -1; -+ } -+ -+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) -+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) { -+ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL); -+ return -1; -+ } -+#endif - - if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) { - DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE); -@@ -410,6 +438,9 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, - - static int dsa_init(DSA *dsa) - { -+#ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+#endif - dsa->flags |= DSA_FLAG_CACHE_MONT_P; - return (1); - } -diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c -index 42b8bb0..5c22962 100644 ---- a/crypto/dsa/dsa_pmeth.c -+++ b/crypto/dsa/dsa_pmeth.c -@@ -253,7 +253,7 @@ static int pkey_dsa_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) - if (!dsa) - return 0; - ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd, -- NULL, 0, NULL, NULL, NULL, pcb); -+ NULL, 0, NULL, NULL, pcb); - if (ret) - EVP_PKEY_assign_DSA(pkey, dsa); - else -diff --git a/crypto/dsa/dsatest.c b/crypto/dsa/dsatest.c -index 8a224a8..a71973b 100644 ---- a/crypto/dsa/dsatest.c -+++ b/crypto/dsa/dsatest.c -@@ -100,36 +100,41 @@ static int 
MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *arg); - * PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 - */ - static unsigned char seed[20] = { -- 0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8, 0xb6, 0x21, 0x1b, 0x40, -- 0x62, 0xba, 0x32, 0x24, 0xe0, 0x42, 0x7d, 0xd3, -+ 0x02, 0x47, 0x11, 0x92, 0x11, 0x88, 0xC8, 0xFB, 0xAF, 0x48, 0x4C, 0x62, -+ 0xDF, 0xA5, 0xBE, 0xA0, 0xA4, 0x3C, 0x56, 0xE3, - }; - - static unsigned char out_p[] = { -- 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76, 0xaa, -- 0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69, 0xcb, -- 0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c, 0xf7, -- 0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82, 0xe5, -- 0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e, 0xaf, -- 0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a, 0xac, -- 0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24, 0xc2, -- 0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02, 0x91, -+ 0xAC, 0xCB, 0x1E, 0x63, 0x60, 0x69, 0x0C, 0xFB, 0x06, 0x19, 0x68, 0x3E, -+ 0xA5, 0x01, 0x5A, 0xA2, 0x15, 0x5C, 0xE2, 0x99, 0x2D, 0xD5, 0x30, 0x99, -+ 0x7E, 0x5F, 0x8D, 0xE2, 0xF7, 0xC6, 0x2E, 0x8D, 0xA3, 0x9F, 0x58, 0xAD, -+ 0xD6, 0xA9, 0x7D, 0x0E, 0x0D, 0x95, 0x53, 0xA6, 0x71, 0x3A, 0xDE, 0xAB, -+ 0xAC, 0xE9, 0xF4, 0x36, 0x55, 0x9E, 0xB9, 0xD6, 0x93, 0xBF, 0xF3, 0x18, -+ 0x1C, 0x14, 0x7B, 0xA5, 0x42, 0x2E, 0xCD, 0x00, 0xEB, 0x35, 0x3B, 0x1B, -+ 0xA8, 0x51, 0xBB, 0xE1, 0x58, 0x42, 0x85, 0x84, 0x22, 0xA7, 0x97, 0x5E, -+ 0x99, 0x6F, 0x38, 0x20, 0xBD, 0x9D, 0xB6, 0xD9, 0x33, 0x37, 0x2A, 0xFD, -+ 0xBB, 0xD4, 0xBC, 0x0C, 0x2A, 0x67, 0xCB, 0x9F, 0xBB, 0xDF, 0xF9, 0x93, -+ 0xAA, 0xD6, 0xF0, 0xD6, 0x95, 0x0B, 0x5D, 0x65, 0x14, 0xD0, 0x18, 0x9D, -+ 0xC6, 0xAF, 0xF0, 0xC6, 0x37, 0x7C, 0xF3, 0x5F, - }; - - static unsigned char out_q[] = { -- 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8, 0xee, -- 0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4, 0x8e, -- 0xda, 0xce, 0x91, 0x5f, -+ 0xE3, 0x8E, 0x5E, 0x6D, 0xBF, 0x2B, 0x79, 0xF8, 0xC5, 0x4B, 0x89, 0x8B, -+ 0xBA, 0x2D, 0x91, 0xC3, 0x6C, 0x80, 0xAC, 0x87, - }; - - static unsigned char out_g[] = { -- 
0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, 0x13, -- 0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5, 0x00, -- 0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef, 0xcb, -- 0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c, 0x2e, -- 0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba, 0xbf, -- 0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c, 0x9c, -- 0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08, 0x8c, -- 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88, 0x02, -+ 0x42, 0x4A, 0x04, 0x4E, 0x79, 0xB4, 0x99, 0x7F, 0xFD, 0x58, 0x36, 0x2C, -+ 0x1B, 0x5F, 0x18, 0x7E, 0x0D, 0xCC, 0xAB, 0x81, 0xC9, 0x5D, 0x10, 0xCE, -+ 0x4E, 0x80, 0x7E, 0x58, 0xB4, 0x34, 0x3F, 0xA7, 0x45, 0xC7, 0xAA, 0x36, -+ 0x24, 0x42, 0xA9, 0x3B, 0xE8, 0x0E, 0x04, 0x02, 0x2D, 0xFB, 0xA6, 0x13, -+ 0xB9, 0xB5, 0x15, 0xA5, 0x56, 0x07, 0x35, 0xE4, 0x03, 0xB6, 0x79, 0x7C, -+ 0x62, 0xDD, 0xDF, 0x3F, 0x71, 0x3A, 0x9D, 0x8B, 0xC4, 0xF6, 0xE7, 0x1D, -+ 0x52, 0xA8, 0xA9, 0x43, 0x1D, 0x33, 0x51, 0x88, 0x39, 0xBD, 0x73, 0xE9, -+ 0x5F, 0xBE, 0x82, 0x49, 0x27, 0xE6, 0xB5, 0x53, 0xC1, 0x38, 0xAC, 0x2F, -+ 0x6D, 0x97, 0x6C, 0xEB, 0x67, 0xC1, 0x5F, 0x67, 0xF8, 0x35, 0x05, 0x5E, -+ 0xD5, 0x68, 0x80, 0xAA, 0x96, 0xCA, 0x0B, 0x8A, 0xE6, 0xF1, 0xB1, 0x41, -+ 0xC6, 0x75, 0x94, 0x0A, 0x0A, 0x2A, 0xFA, 0x29, - }; - - static const unsigned char str1[] = "12345678901234567890"; -@@ -162,7 +167,7 @@ int main(int argc, char **argv) - BIO_printf(bio_err, "test generation of DSA parameters\n"); - - BN_GENCB_set(&cb, dsa_cb, bio_err); -- if (((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512, -+ if (((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 1024, - seed, 20, - &counter, - &h, &cb)) -@@ -176,8 +181,8 @@ int main(int argc, char **argv) - BIO_printf(bio_err, "\ncounter=%d h=%ld\n", counter, h); - - DSA_print(bio_err, dsa, 0); -- if (counter != 105) { -- BIO_printf(bio_err, "counter should be 105\n"); -+ if (counter != 239) { -+ BIO_printf(bio_err, "counter should be 239\n"); - goto end; - } - if (h != 2) { -diff --git a/crypto/engine/eng_all.c 
b/crypto/engine/eng_all.c -index 48ad0d2..7dcdd30 100644 ---- a/crypto/engine/eng_all.c -+++ b/crypto/engine/eng_all.c -@@ -59,11 +59,25 @@ - - #include "cryptlib.h" - #include "eng_int.h" -+#ifdef OPENSSL_FIPS -+# include -+#endif - - void ENGINE_load_builtin_engines(void) - { - /* Some ENGINEs need this */ - OPENSSL_cpuid_setup(); -+#ifdef OPENSSL_FIPS -+ OPENSSL_init_library(); -+ if (FIPS_mode()) { -+ /* We allow loading dynamic engine as a third party -+ engine might be FIPS validated. -+ User is disallowed to load non-validated engines -+ by security policy. */ -+ ENGINE_load_dynamic(); -+ return; -+ } -+#endif - #if 0 - /* - * There's no longer any need for an "openssl" ENGINE unless, one day, it -diff --git a/crypto/evp/c_allc.c b/crypto/evp/c_allc.c -index 280e584..9a903d8 100644 ---- a/crypto/evp/c_allc.c -+++ b/crypto/evp/c_allc.c -@@ -65,6 +65,10 @@ - void OpenSSL_add_all_ciphers(void) - { - -+#ifdef OPENSSL_FIPS -+ OPENSSL_init_library(); -+ if (!FIPS_mode()) { -+#endif - #ifndef OPENSSL_NO_DES - EVP_add_cipher(EVP_des_cfb()); - EVP_add_cipher(EVP_des_cfb1()); -@@ -238,4 +242,64 @@ void OpenSSL_add_all_ciphers(void) - EVP_add_cipher_alias(SN_camellia_256_cbc, "CAMELLIA256"); - EVP_add_cipher_alias(SN_camellia_256_cbc, "camellia256"); - #endif -+#ifdef OPENSSL_FIPS -+ } else { -+# ifndef OPENSSL_NO_DES -+ EVP_add_cipher(EVP_des_ede_cfb()); -+ EVP_add_cipher(EVP_des_ede3_cfb()); -+ -+ EVP_add_cipher(EVP_des_ede_ofb()); -+ EVP_add_cipher(EVP_des_ede3_ofb()); -+ -+ EVP_add_cipher(EVP_des_ede_cbc()); -+ EVP_add_cipher(EVP_des_ede3_cbc()); -+ EVP_add_cipher_alias(SN_des_ede3_cbc, "DES3"); -+ EVP_add_cipher_alias(SN_des_ede3_cbc, "des3"); -+ -+ EVP_add_cipher(EVP_des_ede()); -+ EVP_add_cipher(EVP_des_ede3()); -+# endif -+ -+# ifndef OPENSSL_NO_AES -+ EVP_add_cipher(EVP_aes_128_ecb()); -+ EVP_add_cipher(EVP_aes_128_cbc()); -+ EVP_add_cipher(EVP_aes_128_cfb()); -+ EVP_add_cipher(EVP_aes_128_cfb1()); -+ EVP_add_cipher(EVP_aes_128_cfb8()); -+ 
EVP_add_cipher(EVP_aes_128_ofb()); -+ EVP_add_cipher(EVP_aes_128_ctr()); -+ EVP_add_cipher(EVP_aes_128_gcm()); -+ EVP_add_cipher(EVP_aes_128_xts()); -+ EVP_add_cipher(EVP_aes_128_ccm()); -+ EVP_add_cipher(EVP_aes_128_wrap()); -+ EVP_add_cipher_alias(SN_aes_128_cbc, "AES128"); -+ EVP_add_cipher_alias(SN_aes_128_cbc, "aes128"); -+ EVP_add_cipher(EVP_aes_192_ecb()); -+ EVP_add_cipher(EVP_aes_192_cbc()); -+ EVP_add_cipher(EVP_aes_192_cfb()); -+ EVP_add_cipher(EVP_aes_192_cfb1()); -+ EVP_add_cipher(EVP_aes_192_cfb8()); -+ EVP_add_cipher(EVP_aes_192_ofb()); -+ EVP_add_cipher(EVP_aes_192_ctr()); -+ EVP_add_cipher(EVP_aes_192_gcm()); -+ EVP_add_cipher(EVP_aes_192_ccm()); -+ EVP_add_cipher(EVP_aes_192_wrap()); -+ EVP_add_cipher_alias(SN_aes_192_cbc, "AES192"); -+ EVP_add_cipher_alias(SN_aes_192_cbc, "aes192"); -+ EVP_add_cipher(EVP_aes_256_ecb()); -+ EVP_add_cipher(EVP_aes_256_cbc()); -+ EVP_add_cipher(EVP_aes_256_cfb()); -+ EVP_add_cipher(EVP_aes_256_cfb1()); -+ EVP_add_cipher(EVP_aes_256_cfb8()); -+ EVP_add_cipher(EVP_aes_256_ofb()); -+ EVP_add_cipher(EVP_aes_256_ctr()); -+ EVP_add_cipher(EVP_aes_256_gcm()); -+ EVP_add_cipher(EVP_aes_256_xts()); -+ EVP_add_cipher(EVP_aes_256_ccm()); -+ EVP_add_cipher(EVP_aes_256_wrap()); -+ EVP_add_cipher_alias(SN_aes_256_cbc, "AES256"); -+ EVP_add_cipher_alias(SN_aes_256_cbc, "aes256"); -+# endif -+ } -+#endif - } -diff --git a/crypto/evp/c_alld.c b/crypto/evp/c_alld.c -index fdbe3ee..61745a5 100644 ---- a/crypto/evp/c_alld.c -+++ b/crypto/evp/c_alld.c -@@ -64,51 +64,81 @@ - - void OpenSSL_add_all_digests(void) - { -+#ifdef OPENSSL_FIPS -+ OPENSSL_init_library(); -+ if (!FIPS_mode()) { -+#endif - #ifndef OPENSSL_NO_MD4 -- EVP_add_digest(EVP_md4()); -+ EVP_add_digest(EVP_md4()); - #endif - #ifndef OPENSSL_NO_MD5 -- EVP_add_digest(EVP_md5()); -- EVP_add_digest_alias(SN_md5, "ssl2-md5"); -- EVP_add_digest_alias(SN_md5, "ssl3-md5"); -+ EVP_add_digest(EVP_md5()); -+ EVP_add_digest_alias(SN_md5, "ssl2-md5"); -+ EVP_add_digest_alias(SN_md5, 
"ssl3-md5"); - #endif - #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0) -- EVP_add_digest(EVP_sha()); -+ EVP_add_digest(EVP_sha()); - # ifndef OPENSSL_NO_DSA -- EVP_add_digest(EVP_dss()); -+ EVP_add_digest(EVP_dss()); - # endif - #endif - #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) -- EVP_add_digest(EVP_sha1()); -- EVP_add_digest_alias(SN_sha1, "ssl3-sha1"); -- EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA); -+ EVP_add_digest(EVP_sha1()); -+ EVP_add_digest_alias(SN_sha1, "ssl3-sha1"); -+ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA); - # ifndef OPENSSL_NO_DSA -- EVP_add_digest(EVP_dss1()); -- EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2); -- EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1"); -- EVP_add_digest_alias(SN_dsaWithSHA1, "dss1"); -+ EVP_add_digest(EVP_dss1()); -+ EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2); -+ EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1"); -+ EVP_add_digest_alias(SN_dsaWithSHA1, "dss1"); - # endif - # ifndef OPENSSL_NO_ECDSA -- EVP_add_digest(EVP_ecdsa()); -+ EVP_add_digest(EVP_ecdsa()); - # endif - #endif - #if !defined(OPENSSL_NO_MDC2) && !defined(OPENSSL_NO_DES) -- EVP_add_digest(EVP_mdc2()); -+ EVP_add_digest(EVP_mdc2()); - #endif - #ifndef OPENSSL_NO_RIPEMD -- EVP_add_digest(EVP_ripemd160()); -- EVP_add_digest_alias(SN_ripemd160, "ripemd"); -- EVP_add_digest_alias(SN_ripemd160, "rmd160"); -+ EVP_add_digest(EVP_ripemd160()); -+ EVP_add_digest_alias(SN_ripemd160, "ripemd"); -+ EVP_add_digest_alias(SN_ripemd160, "rmd160"); - #endif - #ifndef OPENSSL_NO_SHA256 -- EVP_add_digest(EVP_sha224()); -- EVP_add_digest(EVP_sha256()); -+ EVP_add_digest(EVP_sha224()); -+ EVP_add_digest(EVP_sha256()); - #endif - #ifndef OPENSSL_NO_SHA512 -- EVP_add_digest(EVP_sha384()); -- EVP_add_digest(EVP_sha512()); -+ EVP_add_digest(EVP_sha384()); -+ EVP_add_digest(EVP_sha512()); - #endif - #ifndef OPENSSL_NO_WHIRLPOOL -- EVP_add_digest(EVP_whirlpool()); -+ EVP_add_digest(EVP_whirlpool()); 
-+#endif -+#ifdef OPENSSL_FIPS -+ } else { -+# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) -+ EVP_add_digest(EVP_sha1()); -+ EVP_add_digest_alias(SN_sha1, "ssl3-sha1"); -+ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA); -+# ifndef OPENSSL_NO_DSA -+ EVP_add_digest(EVP_dss1()); -+ EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2); -+ EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1"); -+ EVP_add_digest_alias(SN_dsaWithSHA1, "dss1"); -+# endif -+# ifndef OPENSSL_NO_ECDSA -+ EVP_add_digest(EVP_ecdsa()); -+# endif -+# endif -+# ifndef OPENSSL_NO_SHA256 -+ EVP_add_digest(EVP_sha224()); -+ EVP_add_digest(EVP_sha256()); -+# endif -+# ifndef OPENSSL_NO_SHA512 -+ EVP_add_digest(EVP_sha384()); -+ EVP_add_digest(EVP_sha512()); -+# endif -+ } - #endif - } -diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c -index f2643f3..0073d73 100644 ---- a/crypto/evp/digest.c -+++ b/crypto/evp/digest.c -@@ -143,18 +143,55 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type) - return EVP_DigestInit_ex(ctx, type, NULL); - } - -+#ifdef OPENSSL_FIPS -+ -+/* The purpose of these is to trap programs that attempt to use non FIPS -+ * algorithms in FIPS mode and ignore the errors. 
-+ */ -+ -+static int bad_init(EVP_MD_CTX *ctx) -+{ -+ FIPS_ERROR_IGNORED("Digest init"); -+ return 0; -+} -+ -+static int bad_update(EVP_MD_CTX *ctx, const void *data, size_t count) -+{ -+ FIPS_ERROR_IGNORED("Digest update"); -+ return 0; -+} -+ -+static int bad_final(EVP_MD_CTX *ctx, unsigned char *md) -+{ -+ FIPS_ERROR_IGNORED("Digest Final"); -+ return 0; -+} -+ -+static const EVP_MD bad_md = { -+ 0, -+ 0, -+ 0, -+ 0, -+ bad_init, -+ bad_update, -+ bad_final, -+ NULL, -+ NULL, -+ NULL, -+ 0, -+ {0, 0, 0, 0}, -+}; -+ -+#endif -+ - int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) - { - EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED); - #ifdef OPENSSL_FIPS -- /* If FIPS mode switch to approved implementation if possible */ -- if (FIPS_mode()) { -- const EVP_MD *fipsmd; -- if (type) { -- fipsmd = evp_get_fips_md(type); -- if (fipsmd) -- type = fipsmd; -- } -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_EVP_DIGESTINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED); -+ ctx->digest = &bad_md; -+ return 0; - } - #endif - #ifndef OPENSSL_NO_ENGINE -@@ -212,6 +249,16 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) - } - #endif - if (ctx->digest != type) { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode()) { -+ if (!(type->flags & EVP_MD_FLAG_FIPS) -+ && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) { -+ EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS); -+ ctx->digest = &bad_md; -+ return 0; -+ } -+ } -+#endif - if (ctx->digest && ctx->digest->ctx_size) - OPENSSL_free(ctx->md_data); - ctx->digest = type; -@@ -236,25 +283,15 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) - } - if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) - return 1; --#ifdef OPENSSL_FIPS -- if (FIPS_mode()) { -- if (FIPS_digestinit(ctx, type)) -- return 1; -- OPENSSL_free(ctx->md_data); -- ctx->md_data = NULL; -- return 0; -- } --#endif - return ctx->digest->init(ctx); - } - - int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, 
size_t count) - { - #ifdef OPENSSL_FIPS -- return FIPS_digestupdate(ctx, data, count); --#else -- return ctx->update(ctx, data, count); -+ FIPS_selftest_check(); - #endif -+ return ctx->update(ctx, data, count); - } - - /* The caller can assume that this removes any secret data from the context */ -@@ -269,11 +306,11 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) - /* The caller can assume that this removes any secret data from the context */ - int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) - { --#ifdef OPENSSL_FIPS -- return FIPS_digestfinal(ctx, md, size); --#else - int ret; - -+#ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+#endif - OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); - ret = ctx->digest->final(ctx, md); - if (size != NULL) -@@ -284,7 +321,6 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) - } - memset(ctx->md_data, 0, ctx->digest->ctx_size); - return ret; --#endif - } - - int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in) -@@ -373,7 +409,6 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) - /* This call frees resources associated with the context */ - int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) - { --#ifndef OPENSSL_FIPS - /* - * Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because - * sometimes only copies of the context are ever finalised. 
-@@ -386,7 +421,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) - OPENSSL_cleanse(ctx->md_data, ctx->digest->ctx_size); - OPENSSL_free(ctx->md_data); - } --#endif - if (ctx->pctx) - EVP_PKEY_CTX_free(ctx->pctx); - #ifndef OPENSSL_NO_ENGINE -@@ -397,9 +431,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) - */ - ENGINE_finish(ctx->engine); - #endif --#ifdef OPENSSL_FIPS -- FIPS_md_ctx_cleanup(ctx); --#endif - memset(ctx, '\0', sizeof *ctx); - - return 1; -diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c -index 1734a82..b0ada06 100644 ---- a/crypto/evp/e_aes.c -+++ b/crypto/evp/e_aes.c -@@ -60,9 +60,6 @@ - # include "modes_lcl.h" - # include - --# undef EVP_CIPH_FLAG_FIPS --# define EVP_CIPH_FLAG_FIPS 0 -- - typedef struct { - union { - double align; -@@ -1159,6 +1156,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) - case EVP_CTRL_GCM_SET_IVLEN: - if (arg <= 0) - return 0; -+# ifdef OPENSSL_FIPS -+ if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) -+ && arg < 12) -+ return 0; -+# endif - /* Allocate memory for IV if needed */ - if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { - if (gctx->iv != c->iv) -@@ -1727,6 +1729,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - return 0; - if (!out || !in || len < AES_BLOCK_SIZE) - return 0; -+# ifdef OPENSSL_FIPS -+ /* Requirement of SP800-38E */ -+ if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) && -+ (len > (1UL << 20) * 16)) { -+ EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE); -+ return 0; -+ } -+# endif - if (xctx->stream) - (*xctx->stream) (in, out, len, - xctx->xts.key1, xctx->xts.key2, ctx->iv); -diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c -index 0e910d6..1636fc7 100644 ---- a/crypto/evp/e_des3.c -+++ b/crypto/evp/e_des3.c -@@ -65,10 +65,6 @@ - # include - # include - --/* Block use of implementations in FIPS mode */ --# undef EVP_CIPH_FLAG_FIPS --# define EVP_CIPH_FLAG_FIPS 0 -- - typedef struct { - union { - 
double align; -diff --git a/crypto/evp/e_null.c b/crypto/evp/e_null.c -index 599fcb8..be9ff3d 100644 ---- a/crypto/evp/e_null.c -+++ b/crypto/evp/e_null.c -@@ -68,7 +68,7 @@ static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - static const EVP_CIPHER n_cipher = { - NID_undef, - 1, 0, 0, -- 0, -+ EVP_CIPH_FLAG_FIPS, - null_init_key, - null_cipher, - NULL, -diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h -index 39ab793..2c34f51 100644 ---- a/crypto/evp/evp.h -+++ b/crypto/evp/evp.h -@@ -122,6 +122,10 @@ - extern "C" { - #endif - -+# ifdef OPENSSL_FIPS -+# include -+# endif -+ - /* - * Type needs to be a bit field Sub-type needs to be for variations on the - * method, as in, can it do arbitrary encryption.... -@@ -285,11 +289,6 @@ struct env_md_ctx_st { - * cleaned */ - # define EVP_MD_CTX_FLAG_REUSE 0x0004/* Don't free up ctx->md_data - * in EVP_MD_CTX_cleanup */ --/* -- * FIPS and pad options are ignored in 1.0.0, definitions are here so we -- * don't accidentally reuse the values for other purposes. 
-- */ -- - # define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008/* Allow use of non FIPS - * digest in FIPS mode */ - -@@ -302,6 +301,10 @@ struct env_md_ctx_st { - # define EVP_MD_CTX_FLAG_PAD_PKCS1 0x00/* PKCS#1 v1.5 mode */ - # define EVP_MD_CTX_FLAG_PAD_X931 0x10/* X9.31 mode */ - # define EVP_MD_CTX_FLAG_PAD_PSS 0x20/* PSS mode */ -+# define M_EVP_MD_CTX_FLAG_PSS_SALT(ctx) \ -+ ((ctx->flags>>16) &0xFFFF) /* seed length */ -+# define EVP_MD_CTX_FLAG_PSS_MDLEN 0xFFFF/* salt len same as digest */ -+# define EVP_MD_CTX_FLAG_PSS_MREC 0xFFFE/* salt max or auto recovered */ - - # define EVP_MD_CTX_FLAG_NO_INIT 0x0100/* Don't initialize md_data */ - -@@ -363,15 +366,15 @@ struct evp_cipher_st { - /* cipher handles random key generation */ - # define EVP_CIPH_RAND_KEY 0x200 - /* cipher has its own additional copying logic */ --# define EVP_CIPH_CUSTOM_COPY 0x400 -+# define EVP_CIPH_CUSTOM_COPY 0x4000 - /* Allow use default ASN1 get/set iv */ - # define EVP_CIPH_FLAG_DEFAULT_ASN1 0x1000 - /* Buffer length in bits not bytes: CFB1 mode only */ - # define EVP_CIPH_FLAG_LENGTH_BITS 0x2000 - /* Note if suitable for use in FIPS mode */ --# define EVP_CIPH_FLAG_FIPS 0x4000 -+# define EVP_CIPH_FLAG_FIPS 0x400 - /* Allow non FIPS cipher in FIPS mode */ --# define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x8000 -+# define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x800 - /* - * Cipher handles any and all padding logic as well as finalisation. 
- */ -diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c -index 65f0e02..891a3c7 100644 ---- a/crypto/evp/evp_enc.c -+++ b/crypto/evp/evp_enc.c -@@ -69,16 +69,73 @@ - #endif - #include "evp_locl.h" - --#ifdef OPENSSL_FIPS --# define M_do_cipher(ctx, out, in, inl) FIPS_cipher(ctx, out, in, inl) --#else --# define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl) --#endif -+#define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl) - - const char EVP_version[] = "EVP" OPENSSL_VERSION_PTEXT; - -+#ifdef OPENSSL_FIPS -+ -+/* The purpose of these is to trap programs that attempt to use non FIPS -+ * algorithms in FIPS mode and ignore the errors. -+ */ -+ -+static int bad_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, -+ const unsigned char *iv, int enc) -+{ -+ FIPS_ERROR_IGNORED("Cipher init"); -+ return 0; -+} -+ -+static int bad_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, -+ const unsigned char *in, unsigned int inl) -+{ -+ FIPS_ERROR_IGNORED("Cipher update"); -+ return 0; -+} -+ -+/* NB: no cleanup because it is allowed after failed init */ -+ -+static int bad_set_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ) -+{ -+ FIPS_ERROR_IGNORED("Cipher set_asn1"); -+ return 0; -+} -+ -+static int bad_get_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ) -+{ -+ FIPS_ERROR_IGNORED("Cipher get_asn1"); -+ return 0; -+} -+ -+static int bad_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) -+{ -+ FIPS_ERROR_IGNORED("Cipher ctrl"); -+ return 0; -+} -+ -+static const EVP_CIPHER bad_cipher = { -+ 0, -+ 0, -+ 0, -+ 0, -+ 0, -+ bad_init, -+ bad_do_cipher, -+ NULL, -+ 0, -+ bad_set_asn1, -+ bad_get_asn1, -+ bad_ctrl, -+ NULL -+}; -+ -+#endif -+ - void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx) - { -+#ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+#endif - memset(ctx, 0, sizeof(EVP_CIPHER_CTX)); - /* ctx->cipher=NULL; */ - } -@@ -110,6 +167,13 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, - enc = 1; - 
ctx->encrypt = enc; - } -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_EVP_CIPHERINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED); -+ ctx->cipher = &bad_cipher; -+ return 0; -+ } -+#endif - #ifndef OPENSSL_NO_ENGINE - /* - * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so -@@ -168,16 +232,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, - ctx->engine = NULL; - #endif - --#ifdef OPENSSL_FIPS -- if (FIPS_mode()) { -- const EVP_CIPHER *fcipher; -- if (cipher) -- fcipher = evp_get_fips_cipher(cipher); -- if (fcipher) -- cipher = fcipher; -- return FIPS_cipherinit(ctx, cipher, key, iv, enc); -- } --#endif - ctx->cipher = cipher; - if (ctx->cipher->ctx_size) { - ctx->cipher_data = OPENSSL_malloc(ctx->cipher->ctx_size); -@@ -204,10 +258,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, - #ifndef OPENSSL_NO_ENGINE - skip_to_init: - #endif --#ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return FIPS_cipherinit(ctx, cipher, key, iv, enc); --#endif - /* we assume block size is a power of 2 in *cryptUpdate */ - OPENSSL_assert(ctx->cipher->block_size == 1 - || ctx->cipher->block_size == 8 -@@ -253,6 +303,19 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, - break; - } - } -+#ifdef OPENSSL_FIPS -+ /* After 'key' is set no further parameters changes are permissible. -+ * So only check for non FIPS enabling at this point. 
-+ */ -+ if (key && FIPS_mode()) { -+ if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS) -+ & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) { -+ EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS); -+ ctx->cipher = &bad_cipher; -+ return 0; -+ } -+ } -+#endif - - if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) { - if (!ctx->cipher->init(ctx, key, iv, enc)) -@@ -554,7 +617,6 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) - - int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) - { --#ifndef OPENSSL_FIPS - if (c->cipher != NULL) { - if (c->cipher->cleanup && !c->cipher->cleanup(c)) - return 0; -@@ -564,7 +626,6 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) - } - if (c->cipher_data) - OPENSSL_free(c->cipher_data); --#endif - #ifndef OPENSSL_NO_ENGINE - if (c->engine) - /* -@@ -573,9 +634,6 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) - */ - ENGINE_finish(c->engine); - #endif --#ifdef OPENSSL_FIPS -- FIPS_cipher_ctx_cleanup(c); --#endif - memset(c, 0, sizeof(EVP_CIPHER_CTX)); - return 1; - } -diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c -index 7e0bab9..da41dd3 100644 ---- a/crypto/evp/evp_lib.c -+++ b/crypto/evp/evp_lib.c -@@ -60,10 +60,6 @@ - #include "cryptlib.h" - #include - #include --#ifdef OPENSSL_FIPS --# include --# include "evp_locl.h" --#endif - - int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type) - { -@@ -224,6 +220,9 @@ int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx) - int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, unsigned int inl) - { -+#ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+#endif - return ctx->cipher->do_cipher(ctx, out, in, inl); - } - -@@ -234,22 +233,12 @@ const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx) - - unsigned long EVP_CIPHER_flags(const EVP_CIPHER *cipher) - { --#ifdef OPENSSL_FIPS -- const EVP_CIPHER *fcipher; -- fcipher = evp_get_fips_cipher(cipher); -- if (fcipher && fcipher->flags & EVP_CIPH_FLAG_FIPS) -- return cipher->flags 
| EVP_CIPH_FLAG_FIPS; --#endif - return cipher->flags; - } - - unsigned long EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx) - { --#ifdef OPENSSL_FIPS -- return EVP_CIPHER_flags(ctx->cipher); --#else - return ctx->cipher->flags; --#endif - } - - void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx) -@@ -316,40 +305,8 @@ int EVP_MD_size(const EVP_MD *md) - return md->md_size; - } - --#ifdef OPENSSL_FIPS -- --const EVP_MD *evp_get_fips_md(const EVP_MD *md) --{ -- int nid = EVP_MD_type(md); -- if (nid == NID_dsa) -- return FIPS_evp_dss1(); -- else if (nid == NID_dsaWithSHA) -- return FIPS_evp_dss(); -- else if (nid == NID_ecdsa_with_SHA1) -- return FIPS_evp_ecdsa(); -- else -- return FIPS_get_digestbynid(nid); --} -- --const EVP_CIPHER *evp_get_fips_cipher(const EVP_CIPHER *cipher) --{ -- int nid = cipher->nid; -- if (nid == NID_undef) -- return FIPS_evp_enc_null(); -- else -- return FIPS_get_cipherbynid(nid); --} -- --#endif -- - unsigned long EVP_MD_flags(const EVP_MD *md) - { --#ifdef OPENSSL_FIPS -- const EVP_MD *fmd; -- fmd = evp_get_fips_md(md); -- if (fmd && fmd->flags & EVP_MD_FLAG_FIPS) -- return md->flags | EVP_MD_FLAG_FIPS; --#endif - return md->flags; - } - -diff --git a/crypto/evp/evp_locl.h b/crypto/evp/evp_locl.h -index 2bb709a..b6fecde 100644 ---- a/crypto/evp/evp_locl.h -+++ b/crypto/evp/evp_locl.h -@@ -258,10 +258,8 @@ const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; } - BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \ - BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \ - NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \ -- 0, cipher##_init_key, NULL, \ -- EVP_CIPHER_set_asn1_iv, \ -- EVP_CIPHER_get_asn1_iv, \ -- NULL) -+ EVP_CIPH_FLAG_DEFAULT_ASN1, \ -+ cipher##_init_key, NULL, NULL, NULL, NULL) - - struct evp_pkey_ctx_st { - /* Method associated with this operation */ -@@ -355,11 +353,6 @@ const EVP_CIPHER *evp_get_fips_cipher(const EVP_CIPHER *cipher); - # define MD2_Init private_MD2_Init - # 
define MDC2_Init private_MDC2_Init - # define SHA_Init private_SHA_Init --# define SHA1_Init private_SHA1_Init --# define SHA224_Init private_SHA224_Init --# define SHA256_Init private_SHA256_Init --# define SHA384_Init private_SHA384_Init --# define SHA512_Init private_SHA512_Init - - # define BF_set_key private_BF_set_key - # define CAST_set_key private_CAST_set_key -@@ -367,7 +360,6 @@ const EVP_CIPHER *evp_get_fips_cipher(const EVP_CIPHER *cipher); - # define SEED_set_key private_SEED_set_key - # define RC2_set_key private_RC2_set_key - # define RC4_set_key private_RC4_set_key --# define DES_set_key_unchecked private_DES_set_key_unchecked - # define Camellia_set_key private_Camellia_set_key - - #endif -diff --git a/crypto/evp/m_dss.c b/crypto/evp/m_dss.c -index 1478448..c048831 100644 ---- a/crypto/evp/m_dss.c -+++ b/crypto/evp/m_dss.c -@@ -86,7 +86,7 @@ static const EVP_MD dsa_md = { - NID_dsaWithSHA, - NID_dsaWithSHA, - SHA_DIGEST_LENGTH, -- EVP_MD_FLAG_PKEY_DIGEST, -+ EVP_MD_FLAG_PKEY_DIGEST | EVP_MD_FLAG_FIPS, - init, - update, - final, -diff --git a/crypto/evp/m_dss1.c b/crypto/evp/m_dss1.c -index e36fabf..cfc15f5 100644 ---- a/crypto/evp/m_dss1.c -+++ b/crypto/evp/m_dss1.c -@@ -87,7 +87,7 @@ static const EVP_MD dss1_md = { - NID_dsa, - NID_dsaWithSHA1, - SHA_DIGEST_LENGTH, -- EVP_MD_FLAG_PKEY_DIGEST, -+ EVP_MD_FLAG_PKEY_DIGEST | EVP_MD_FLAG_FIPS, - init, - update, - final, -diff --git a/crypto/evp/m_md2.c b/crypto/evp/m_md2.c -index 3c4cd7b..379aa2f 100644 ---- a/crypto/evp/m_md2.c -+++ b/crypto/evp/m_md2.c -@@ -68,6 +68,7 @@ - # ifndef OPENSSL_NO_RSA - # include - # endif -+# include "evp_locl.h" - - static int init(EVP_MD_CTX *ctx) - { -diff --git a/crypto/evp/m_sha1.c b/crypto/evp/m_sha1.c -index a74e6b7..f1dd284 100644 ---- a/crypto/evp/m_sha1.c -+++ b/crypto/evp/m_sha1.c -@@ -87,7 +87,8 @@ static const EVP_MD sha1_md = { - NID_sha1, - NID_sha1WithRSAEncryption, - SHA_DIGEST_LENGTH, -- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT, 
-+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
-+ EVP_MD_FLAG_FIPS,
- init,
- update,
- final,
-@@ -134,7 +135,8 @@ static const EVP_MD sha224_md = {
- NID_sha224,
- NID_sha224WithRSAEncryption,
- SHA224_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
-+ EVP_MD_FLAG_FIPS,
- init224,
- update256,
- final256,
-@@ -154,7 +156,8 @@ static const EVP_MD sha256_md = {
- NID_sha256,
- NID_sha256WithRSAEncryption,
- SHA256_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
-+ EVP_MD_FLAG_FIPS,
- init256,
- update256,
- final256,
-@@ -197,7 +200,8 @@ static const EVP_MD sha384_md = {
- NID_sha384,
- NID_sha384WithRSAEncryption,
- SHA384_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
-+ EVP_MD_FLAG_FIPS,
- init384,
- update512,
- final512,
-@@ -217,7 +221,8 @@ static const EVP_MD sha512_md = {
- NID_sha512,
- NID_sha512WithRSAEncryption,
- SHA512_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
-+ EVP_MD_FLAG_FIPS,
- init512,
- update512,
- final512,
-diff --git a/crypto/evp/p_sign.c b/crypto/evp/p_sign.c
-index 1b9ba06..0a95123 100644
---- a/crypto/evp/p_sign.c
-+++ b/crypto/evp/p_sign.c
-@@ -61,6 +61,7 @@
- #include
- #include
- #include
-+#include
- 
- #ifdef undef
- void EVP_SignInit(EVP_MD_CTX *ctx, EVP_MD *type)
-@@ -101,6 +102,22 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
- goto err;
- if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
- goto err;
-+ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
-+ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
-+ goto err;
-+ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS) {
-+ int saltlen;
-+ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <=
-+ 0)
-+ goto err;
-+ saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
-+ if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
-+ saltlen = -1;
-+ else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
-+ saltlen = -2;
-+ if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
-+ goto err;
-+ }
- if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0)
- goto err;
- *siglen = sltmp;
-diff --git a/crypto/evp/p_verify.c b/crypto/evp/p_verify.c
-index 65e1e21..477b1b0 100644
---- a/crypto/evp/p_verify.c
-+++ b/crypto/evp/p_verify.c
-@@ -61,6 +61,7 @@
- #include
- #include
- #include
-+#include
- 
- int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
- unsigned int siglen, EVP_PKEY *pkey)
-@@ -87,6 +88,22 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
- goto err;
- if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
- goto err;
-+ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
-+ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
-+ goto err;
-+ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS) {
-+ int saltlen;
-+ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <=
-+ 0)
-+ goto err;
-+ saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
-+ if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
-+ saltlen = -1;
-+ else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
-+ saltlen = -2;
-+ if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
-+ goto err;
-+ }
- i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len);
- err:
- EVP_PKEY_CTX_free(pkctx);
-diff --git a/crypto/fips/Makefile b/crypto/fips/Makefile
-new file mode 100644
-index 0000000..b997426
---- /dev/null
-+++ b/crypto/fips/Makefile
-@@ -0,0 +1,341 @@
-+#
-+# OpenSSL/crypto/fips/Makefile
-+#
-+
-+DIR= fips
-+TOP= ../..
-+CC= cc
-+INCLUDES=
-+CFLAG=-g
-+MAKEFILE= Makefile
-+AR= ar r
-+
-+CFLAGS= $(INCLUDES) $(CFLAG)
-+
-+GENERAL=Makefile
-+TEST=fips_test_suite.c fips_randtest.c
-+APPS=
-+
-+PROGRAM= fips_standalone_hmac
-+EXE= $(PROGRAM)$(EXE_EXT)
-+
-+LIB=$(TOP)/libcrypto.a
-+LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_selftest.c \
-+ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
-+ fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
-+ fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
-+ fips_cmac_selftest.c fips_enc.c fips_md.c
-+
-+LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \
-+ fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \
-+ fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \
-+ fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \
-+ fips_cmac_selftest.o fips_enc.o fips_md.o
-+
-+LIBCRYPTO=-L.. -lcrypto
-+
-+SRC= $(LIBSRC) fips_standalone_hmac.c
-+
-+EXHEADER= fips.h fips_rand.h
-+HEADER= $(EXHEADER)
-+
-+ALL= $(GENERAL) $(SRC) $(HEADER)
-+
-+top:
-+ (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
-+
-+all: lib exe
-+
-+lib: $(LIBOBJ)
-+ $(AR) $(LIB) $(LIBOBJ)
-+ $(RANLIB) $(LIB) || echo Never mind.
-+ @touch lib
-+
-+exe: $(EXE)
-+
-+files:
-+ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-+
-+links:
-+ @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
-+ @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
-+ @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
-+
-+install:
-+ @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-+ @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
-+ do \
-+ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
-+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
-+ done;
-+
-+tags:
-+ ctags $(SRC)
-+
-+tests:
-+
-+lint:
-+ lint -DLINT $(INCLUDES) $(SRC)>fluff
-+
-+depend:
-+ @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
-+ $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
-+
-+dclean:
-+ $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
-+ mv -f Makefile.new $(MAKEFILE)
-+
-+clean:
-+ rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
-+
-+$(EXE): $(PROGRAM).o
-+ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../sha/$$i" ; done; \
-+ for i in $(CPUID_OBJ); do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../$$i" ; done; \
-+ $(CC) -o $@ $(CFLAGS) $(PROGRAM).o $$FIPS_SHA_ASM
-+
-+# DO NOT DELETE THIS LINE -- make depend depends on it.
-+
-+fips.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips.o: ../../include/openssl/fips_rand.h ../../include/openssl/hmac.h
-+fips.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-+fips.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-+fips.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-+fips.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
-+fips.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-+fips.o: ../../include/openssl/symhacks.h fips.c fips_locl.h
-+fips_aes_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_aes_selftest.o: ../../include/openssl/crypto.h
-+fips_aes_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_aes_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_aes_selftest.o: ../../include/openssl/lhash.h
-+fips_aes_selftest.o: ../../include/openssl/obj_mac.h
-+fips_aes_selftest.o: ../../include/openssl/objects.h
-+fips_aes_selftest.o: ../../include/openssl/opensslconf.h
-+fips_aes_selftest.o: ../../include/openssl/opensslv.h
-+fips_aes_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_aes_selftest.o: ../../include/openssl/safestack.h
-+fips_aes_selftest.o: ../../include/openssl/stack.h
-+fips_aes_selftest.o: ../../include/openssl/symhacks.h fips_aes_selftest.c
-+fips_des_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_des_selftest.o: ../../include/openssl/crypto.h
-+fips_des_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_des_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_des_selftest.o: ../../include/openssl/lhash.h
-+fips_des_selftest.o: ../../include/openssl/obj_mac.h
-+fips_des_selftest.o: ../../include/openssl/objects.h
-+fips_des_selftest.o: ../../include/openssl/opensslconf.h
-+fips_des_selftest.o: ../../include/openssl/opensslv.h
-+fips_des_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_des_selftest.o: ../../include/openssl/safestack.h
-+fips_des_selftest.o: ../../include/openssl/stack.h
-+fips_des_selftest.o: ../../include/openssl/symhacks.h fips_des_selftest.c
-+fips_drbg_ctr.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_ctr.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_drbg_ctr.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
-+fips_drbg_ctr.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
-+fips_drbg_ctr.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
-+fips_drbg_ctr.o: ../../include/openssl/objects.h
-+fips_drbg_ctr.o: ../../include/openssl/opensslconf.h
-+fips_drbg_ctr.o: ../../include/openssl/opensslv.h
-+fips_drbg_ctr.o:
../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_drbg_ctr.o: ../../include/openssl/safestack.h
-+fips_drbg_ctr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-+fips_drbg_ctr.o: fips_drbg_ctr.c fips_rand_lcl.h
-+fips_drbg_hash.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_hash.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_drbg_hash.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
-+fips_drbg_hash.o: ../../include/openssl/fips.h
-+fips_drbg_hash.o: ../../include/openssl/fips_rand.h
-+fips_drbg_hash.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
-+fips_drbg_hash.o: ../../include/openssl/objects.h
-+fips_drbg_hash.o: ../../include/openssl/opensslconf.h
-+fips_drbg_hash.o: ../../include/openssl/opensslv.h
-+fips_drbg_hash.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_drbg_hash.o: ../../include/openssl/safestack.h
-+fips_drbg_hash.o: ../../include/openssl/stack.h
-+fips_drbg_hash.o: ../../include/openssl/symhacks.h fips_drbg_hash.c
-+fips_drbg_hash.o: fips_rand_lcl.h
-+fips_drbg_hmac.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_hmac.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_drbg_hmac.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
-+fips_drbg_hmac.o: ../../include/openssl/fips.h
-+fips_drbg_hmac.o: ../../include/openssl/fips_rand.h
-+fips_drbg_hmac.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
-+fips_drbg_hmac.o: ../../include/openssl/objects.h
-+fips_drbg_hmac.o: ../../include/openssl/opensslconf.h
-+fips_drbg_hmac.o: ../../include/openssl/opensslv.h
-+fips_drbg_hmac.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_drbg_hmac.o: ../../include/openssl/safestack.h
-+fips_drbg_hmac.o: ../../include/openssl/stack.h
-+fips_drbg_hmac.o: ../../include/openssl/symhacks.h fips_drbg_hmac.c
-+fips_drbg_hmac.o: fips_rand_lcl.h
-+fips_drbg_lib.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_lib.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_drbg_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_drbg_lib.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_drbg_lib.o: ../../include/openssl/fips_rand.h ../../include/openssl/hmac.h
-+fips_drbg_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-+fips_drbg_lib.o: ../../include/openssl/objects.h
-+fips_drbg_lib.o: ../../include/openssl/opensslconf.h
-+fips_drbg_lib.o: ../../include/openssl/opensslv.h
-+fips_drbg_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_drbg_lib.o: ../../include/openssl/safestack.h
-+fips_drbg_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-+fips_drbg_lib.o: fips_drbg_lib.c fips_locl.h fips_rand_lcl.h
-+fips_drbg_rand.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_rand.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_drbg_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_drbg_rand.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_drbg_rand.o: ../../include/openssl/fips_rand.h
-+fips_drbg_rand.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
-+fips_drbg_rand.o: ../../include/openssl/obj_mac.h
-+fips_drbg_rand.o: ../../include/openssl/objects.h
-+fips_drbg_rand.o: ../../include/openssl/opensslconf.h
-+fips_drbg_rand.o: ../../include/openssl/opensslv.h
-+fips_drbg_rand.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_drbg_rand.o: ../../include/openssl/safestack.h
-+fips_drbg_rand.o: ../../include/openssl/stack.h
-+fips_drbg_rand.o: ../../include/openssl/symhacks.h fips_drbg_rand.c
-+fips_drbg_rand.o: fips_rand_lcl.h
-+fips_drbg_selftest.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_selftest.o: ../../include/openssl/bio.h
-+fips_drbg_selftest.o: ../../include/openssl/crypto.h
-+fips_drbg_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_drbg_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_drbg_selftest.o: ../../include/openssl/fips_rand.h
-+fips_drbg_selftest.o: ../../include/openssl/hmac.h
-+fips_drbg_selftest.o: ../../include/openssl/lhash.h
-+fips_drbg_selftest.o: ../../include/openssl/obj_mac.h
-+fips_drbg_selftest.o: ../../include/openssl/objects.h
-+fips_drbg_selftest.o: ../../include/openssl/opensslconf.h
-+fips_drbg_selftest.o: ../../include/openssl/opensslv.h
-+fips_drbg_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_drbg_selftest.o: ../../include/openssl/rand.h
-+fips_drbg_selftest.o: ../../include/openssl/safestack.h
-+fips_drbg_selftest.o: ../../include/openssl/stack.h
-+fips_drbg_selftest.o: ../../include/openssl/symhacks.h fips_drbg_selftest.c
-+fips_drbg_selftest.o: fips_drbg_selftest.h fips_locl.h fips_rand_lcl.h
-+fips_dsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_dsa_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-+fips_dsa_selftest.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-+fips_dsa_selftest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+fips_dsa_selftest.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
-+fips_dsa_selftest.o: ../../include/openssl/obj_mac.h
-+fips_dsa_selftest.o: ../../include/openssl/objects.h
-+fips_dsa_selftest.o: ../../include/openssl/opensslconf.h
-+fips_dsa_selftest.o: ../../include/openssl/opensslv.h
-+fips_dsa_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_dsa_selftest.o: ../../include/openssl/safestack.h
-+fips_dsa_selftest.o: ../../include/openssl/stack.h
-+fips_dsa_selftest.o: ../../include/openssl/symhacks.h fips_dsa_selftest.c
-+fips_dsa_selftest.o: fips_locl.h
-+fips_hmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_hmac_selftest.o:
../../include/openssl/crypto.h
-+fips_hmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_hmac_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_hmac_selftest.o: ../../include/openssl/hmac.h
-+fips_hmac_selftest.o: ../../include/openssl/lhash.h
-+fips_hmac_selftest.o: ../../include/openssl/obj_mac.h
-+fips_hmac_selftest.o: ../../include/openssl/objects.h
-+fips_hmac_selftest.o: ../../include/openssl/opensslconf.h
-+fips_hmac_selftest.o: ../../include/openssl/opensslv.h
-+fips_hmac_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_hmac_selftest.o: ../../include/openssl/safestack.h
-+fips_hmac_selftest.o: ../../include/openssl/stack.h
-+fips_hmac_selftest.o: ../../include/openssl/symhacks.h fips_hmac_selftest.c
-+fips_post.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_post.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_post.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-+fips_post.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+fips_post.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
-+fips_post.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
-+fips_post.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-+fips_post.o: ../../include/openssl/opensslconf.h
-+fips_post.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-+fips_post.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
-+fips_post.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-+fips_post.o: ../../include/openssl/symhacks.h fips_locl.h fips_post.c
-+fips_rand.o: ../../e_os.h ../../include/openssl/aes.h
-+fips_rand.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_rand.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-+fips_rand.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+fips_rand.o: ../../include/openssl/fips.h
../../include/openssl/fips_rand.h
-+fips_rand.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
-+fips_rand.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-+fips_rand.o: ../../include/openssl/opensslconf.h
-+fips_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-+fips_rand.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
-+fips_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-+fips_rand.o: fips_locl.h fips_rand.c
-+fips_rand_lib.o: ../../e_os.h ../../include/openssl/aes.h
-+fips_rand_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_rand_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-+fips_rand_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+fips_rand_lib.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
-+fips_rand_lib.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
-+fips_rand_lib.o: ../../include/openssl/obj_mac.h
-+fips_rand_lib.o: ../../include/openssl/objects.h
-+fips_rand_lib.o: ../../include/openssl/opensslconf.h
-+fips_rand_lib.o: ../../include/openssl/opensslv.h
-+fips_rand_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_rand_lib.o: ../../include/openssl/safestack.h
-+fips_rand_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-+fips_rand_lib.o: fips_rand_lib.c
-+fips_rand_selftest.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_rand_selftest.o: ../../include/openssl/bio.h
-+fips_rand_selftest.o: ../../include/openssl/crypto.h
-+fips_rand_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_rand_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_rand_selftest.o: ../../include/openssl/fips_rand.h
-+fips_rand_selftest.o: ../../include/openssl/hmac.h
-+fips_rand_selftest.o: ../../include/openssl/lhash.h
-+fips_rand_selftest.o: ../../include/openssl/obj_mac.h
-+fips_rand_selftest.o: ../../include/openssl/objects.h
-+fips_rand_selftest.o: ../../include/openssl/opensslconf.h
-+fips_rand_selftest.o: ../../include/openssl/opensslv.h
-+fips_rand_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_rand_selftest.o: ../../include/openssl/rand.h
-+fips_rand_selftest.o: ../../include/openssl/safestack.h
-+fips_rand_selftest.o: ../../include/openssl/stack.h
-+fips_rand_selftest.o: ../../include/openssl/symhacks.h fips_locl.h
-+fips_rand_selftest.o: fips_rand_selftest.c
-+fips_rsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_rsa_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-+fips_rsa_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_rsa_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_rsa_selftest.o: ../../include/openssl/lhash.h
-+fips_rsa_selftest.o: ../../include/openssl/obj_mac.h
-+fips_rsa_selftest.o: ../../include/openssl/objects.h
-+fips_rsa_selftest.o: ../../include/openssl/opensslconf.h
-+fips_rsa_selftest.o: ../../include/openssl/opensslv.h
-+fips_rsa_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_rsa_selftest.o: ../../include/openssl/rsa.h
-+fips_rsa_selftest.o: ../../include/openssl/safestack.h
-+fips_rsa_selftest.o: ../../include/openssl/stack.h
-+fips_rsa_selftest.o: ../../include/openssl/symhacks.h fips_rsa_selftest.c
-+fips_rsa_x931g.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_rsa_x931g.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-+fips_rsa_x931g.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_rsa_x931g.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
-+fips_rsa_x931g.o: ../../include/openssl/opensslconf.h
-+fips_rsa_x931g.o: ../../include/openssl/opensslv.h
-+fips_rsa_x931g.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rsa.h
-+fips_rsa_x931g.o: ../../include/openssl/safestack.h
-+fips_rsa_x931g.o:
../../include/openssl/stack.h
-+fips_rsa_x931g.o: ../../include/openssl/symhacks.h fips_rsa_x931g.c
-+fips_sha_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_sha_selftest.o: ../../include/openssl/crypto.h
-+fips_sha_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_sha_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_sha_selftest.o: ../../include/openssl/lhash.h
-+fips_sha_selftest.o: ../../include/openssl/obj_mac.h
-+fips_sha_selftest.o: ../../include/openssl/objects.h
-+fips_sha_selftest.o: ../../include/openssl/opensslconf.h
-+fips_sha_selftest.o: ../../include/openssl/opensslv.h
-+fips_sha_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_sha_selftest.o: ../../include/openssl/safestack.h
-+fips_sha_selftest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-+fips_sha_selftest.o: ../../include/openssl/symhacks.h fips_sha_selftest.c
-diff --git a/crypto/fips/fips.c b/crypto/fips/fips.c
-new file mode 100644
-index 0000000..29621c9
---- /dev/null
-+++ b/crypto/fips/fips.c
-@@ -0,0 +1,483 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3.
All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#define _GNU_SOURCE
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+# include
-+
-+# ifndef PATH_MAX
-+# define PATH_MAX 1024
-+# endif
-+
-+static int fips_selftest_fail = 0;
-+static int fips_mode = 0;
-+static int fips_started = 0;
-+
-+static int fips_is_owning_thread(void);
-+static int fips_set_owning_thread(void);
-+static int fips_clear_owning_thread(void);
-+
-+# define fips_w_lock() CRYPTO_w_lock(CRYPTO_LOCK_FIPS)
-+# define fips_w_unlock() CRYPTO_w_unlock(CRYPTO_LOCK_FIPS)
-+# define fips_r_lock() CRYPTO_r_lock(CRYPTO_LOCK_FIPS)
-+# define fips_r_unlock() CRYPTO_r_unlock(CRYPTO_LOCK_FIPS)
-+
-+static void fips_set_mode(int onoff)
-+{
-+ int owning_thread = fips_is_owning_thread();
-+
-+ if (fips_started) {
-+ if (!owning_thread)
-+ fips_w_lock();
-+ fips_mode = onoff;
-+ if (!owning_thread)
-+ fips_w_unlock();
-+ }
-+}
-+
-+int FIPS_module_mode(void)
-+{
-+ int ret = 0;
-+ int owning_thread = fips_is_owning_thread();
-+
-+ if (fips_started) {
-+ if (!owning_thread)
-+ fips_r_lock();
-+ ret = fips_mode;
-+ if (!owning_thread)
-+ fips_r_unlock();
-+ }
-+ return ret;
-+}
-+
-+int FIPS_selftest_failed(void)
-+{
-+ int ret = 0;
-+ if (fips_started) {
-+ int owning_thread = fips_is_owning_thread();
-+
-+ if (!owning_thread)
-+ fips_r_lock();
-+ ret = fips_selftest_fail;
-+ if (!owning_thread)
-+ fips_r_unlock();
-+ }
-+ return ret;
-+}
-+
-+/* Selftest failure fatal exit routine. This will be called
-+ * during *any* cryptographic operation. It has the minimum
-+ * overhead possible to avoid too big a performance hit.
-+ */
-+
-+void FIPS_selftest_check(void)
-+{
-+ if (fips_selftest_fail) {
-+ OpenSSLDie(__FILE__, __LINE__, "FATAL FIPS SELFTEST FAILURE");
-+ }
-+}
-+
-+void fips_set_selftest_fail(void)
-+{
-+ fips_selftest_fail = 1;
-+}
-+
-+/* we implement what libfipscheck does ourselves */
-+
-+static int
-+get_library_path(const char *libname, const char *symbolname, char *path,
-+ size_t pathlen)
-+{
-+ Dl_info info;
-+ void *dl, *sym;
-+ int rv = -1;
-+
-+ dl = dlopen(libname, RTLD_LAZY);
-+ if (dl == NULL) {
-+ return -1;
-+ }
-+
-+ sym = dlsym(dl, symbolname);
-+
-+ if (sym != NULL && dladdr(sym, &info)) {
-+ strncpy(path, info.dli_fname, pathlen - 1);
-+ path[pathlen - 1] = '\0';
-+ rv = 0;
-+ }
-+
-+ dlclose(dl);
-+
-+ return rv;
-+}
-+
-+static const char conv[] = "0123456789abcdef";
-+
-+static char *bin2hex(void *buf, size_t len)
-+{
-+ char *hex, *p;
-+ unsigned char *src = buf;
-+
-+ hex = malloc(len * 2 + 1);
-+ if (hex == NULL)
-+ return NULL;
-+
-+ p = hex;
-+
-+ while (len > 0) {
-+ unsigned c;
-+
-+ c = *src;
-+ src++;
-+
-+ *p = conv[c >> 4];
-+ ++p;
-+ *p = conv[c & 0x0f];
-+ ++p;
-+ --len;
-+ }
-+ *p = '\0';
-+ return hex;
-+}
-+
-+# define HMAC_PREFIX "."
-+# define HMAC_SUFFIX ".hmac"
-+# define READ_BUFFER_LENGTH 16384
-+
-+static char *make_hmac_path(const char *origpath)
-+{
-+ char *path, *p;
-+ const char *fn;
-+
-+ path =
-+ malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
-+ if (path == NULL) {
-+ return NULL;
-+ }
-+
-+ fn = strrchr(origpath, '/');
-+ if (fn == NULL) {
-+ fn = origpath;
-+ } else {
-+ ++fn;
-+ }
-+
-+ strncpy(path, origpath, fn - origpath);
-+ p = path + (fn - origpath);
-+ p = stpcpy(p, HMAC_PREFIX);
-+ p = stpcpy(p, fn);
-+ p = stpcpy(p, HMAC_SUFFIX);
-+
-+ return path;
-+}
-+
-+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
-+
-+static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
-+{
-+ FILE *f = NULL;
-+ int rv = -1;
-+ unsigned char rbuf[READ_BUFFER_LENGTH];
-+ size_t len;
-+ unsigned int hlen;
-+ HMAC_CTX c;
-+
-+ HMAC_CTX_init(&c);
-+
-+ f = fopen(path, "r");
-+
-+ if (f == NULL) {
-+ goto end;
-+ }
-+
-+ HMAC_Init(&c, hmackey, sizeof(hmackey) - 1, EVP_sha256());
-+
-+ while ((len = fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
-+ HMAC_Update(&c, rbuf, len);
-+ }
-+
-+ len = sizeof(rbuf);
-+ /* reuse rbuf for hmac */
-+ HMAC_Final(&c, rbuf, &hlen);
-+
-+ *buf = malloc(hlen);
-+ if (*buf == NULL) {
-+ goto end;
-+ }
-+
-+ *hmaclen = hlen;
-+
-+ memcpy(*buf, rbuf, hlen);
-+
-+ rv = 0;
-+ end:
-+ HMAC_CTX_cleanup(&c);
-+
-+ if (f)
-+ fclose(f);
-+
-+ return rv;
-+}
-+
-+static int FIPSCHECK_verify(const char *libname, const char *symbolname)
-+{
-+ char path[PATH_MAX + 1];
-+ int rv;
-+ FILE *hf;
-+ char *hmacpath, *p;
-+ char *hmac = NULL;
-+ size_t n;
-+
-+ rv = get_library_path(libname, symbolname, path, sizeof(path));
-+
-+ if (rv < 0)
-+ return 0;
-+
-+ hmacpath = make_hmac_path(path);
-+ if (hmacpath == NULL)
-+ return 0;
-+
-+ hf = fopen(hmacpath, "r");
-+ if (hf == NULL) {
-+ free(hmacpath);
-+ return 0;
-+ }
-+
-+ if (getline(&hmac, &n, hf) > 0) {
-+ void *buf;
-+ size_t hmaclen;
-+ char *hex;
-+
-+ if ((p =
strchr(hmac, '\n')) != NULL)
-+ *p = '\0';
-+
-+ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
-+ rv = -4;
-+ goto end;
-+ }
-+
-+ if ((hex = bin2hex(buf, hmaclen)) == NULL) {
-+ free(buf);
-+ rv = -5;
-+ goto end;
-+ }
-+
-+ if (strcmp(hex, hmac) != 0) {
-+ rv = -1;
-+ }
-+ free(buf);
-+ free(hex);
-+ } else {
-+ rv = -1;
-+ }
-+
-+ end:
-+ free(hmac);
-+ free(hmacpath);
-+ fclose(hf);
-+
-+ if (rv < 0)
-+ return 0;
-+
-+ /* check successful */
-+ return 1;
-+}
-+
-+int FIPS_module_mode_set(int onoff, const char *auth)
-+{
-+ int ret = 0;
-+
-+ fips_w_lock();
-+ fips_started = 1;
-+ fips_set_owning_thread();
-+
-+ if (onoff) {
-+
-+ fips_selftest_fail = 0;
-+
-+ /* Don't go into FIPS mode twice, just so we can do automagic
-+ seeding */
-+ if (FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
-+ FIPS_R_FIPS_MODE_ALREADY_SET);
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+# ifdef OPENSSL_IA32_SSE2
-+ {
-+ extern unsigned int OPENSSL_ia32cap_P[2];
-+ if ((OPENSSL_ia32cap_P[0] & (1 << 25 | 1 << 26)) !=
-+ (1 << 25 | 1 << 26)) {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
-+ FIPS_R_UNSUPPORTED_PLATFORM);
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+ OPENSSL_ia32cap_P[0] |= (1 << 28); /* set "shared cache" */
-+ OPENSSL_ia32cap_P[1] &= ~(1 << (60 - 32)); /* clear AVX */
-+ }
-+# endif
-+
-+ if (!FIPSCHECK_verify
-+ ("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set")) {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
-+ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+
-+ if (!FIPSCHECK_verify
-+ ("libssl.so."
SHLIB_VERSION_NUMBER, "SSL_CTX_new")) {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
-+ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+
-+ if (FIPS_selftest())
-+ fips_set_mode(onoff);
-+ else {
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+ ret = 1;
-+ goto end;
-+ }
-+ fips_set_mode(0);
-+ fips_selftest_fail = 0;
-+ ret = 1;
-+ end:
-+ fips_clear_owning_thread();
-+ fips_w_unlock();
-+ return ret;
-+}
-+
-+static CRYPTO_THREADID fips_thread;
-+static int fips_thread_set = 0;
-+
-+static int fips_is_owning_thread(void)
-+{
-+ int ret = 0;
-+
-+ if (fips_started) {
-+ CRYPTO_r_lock(CRYPTO_LOCK_FIPS2);
-+ if (fips_thread_set) {
-+ CRYPTO_THREADID cur;
-+ CRYPTO_THREADID_current(&cur);
-+ if (!CRYPTO_THREADID_cmp(&cur, &fips_thread))
-+ ret = 1;
-+ }
-+ CRYPTO_r_unlock(CRYPTO_LOCK_FIPS2);
-+ }
-+ return ret;
-+}
-+
-+int fips_set_owning_thread(void)
-+{
-+ int ret = 0;
-+
-+ if (fips_started) {
-+ CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
-+ if (!fips_thread_set) {
-+ CRYPTO_THREADID_current(&fips_thread);
-+ ret = 1;
-+ fips_thread_set = 1;
-+ }
-+ CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
-+ }
-+ return ret;
-+}
-+
-+int fips_clear_owning_thread(void)
-+{
-+ int ret = 0;
-+
-+ if (fips_started) {
-+ CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
-+ if (fips_thread_set) {
-+ CRYPTO_THREADID cur;
-+ CRYPTO_THREADID_current(&cur);
-+ if (!CRYPTO_THREADID_cmp(&cur, &fips_thread))
-+ fips_thread_set = 0;
-+ }
-+ CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
-+ }
-+ return ret;
-+}
-+
-+# if 0
-+/* The purpose of this is to ensure the error code exists and the function
-+ * name is to keep the error checking script quiet
-+ */
-+void hash_final(void)
-+{
-+ FIPSerr(FIPS_F_HASH_FINAL, FIPS_R_NON_FIPS_METHOD);
-+}
-+# endif
-+
-+#endif
-diff --git a/crypto/fips/fips.h b/crypto/fips/fips.h
-new file mode 100644
-index 0000000..792781e
---- /dev/null
-+++ b/crypto/fips/fips.h
-@@ -0,0 +1,278 @@
-+/*
==================================================================== -+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#include -+#include -+#include -+ -+#ifndef OPENSSL_FIPS -+# error FIPS is disabled. -+#endif -+ -+#ifdef OPENSSL_FIPS -+ -+# ifdef __cplusplus -+extern "C" { -+# endif -+ -+ struct dsa_st; -+ struct rsa_st; -+ struct evp_pkey_st; -+ struct env_md_st; -+ struct env_md_ctx_st; -+ struct evp_cipher_st; -+ struct evp_cipher_ctx_st; -+ struct dh_method; -+ struct CMAC_CTX_st; -+ struct hmac_ctx_st; -+ -+ int FIPS_module_mode_set(int onoff, const char *auth); -+ int FIPS_module_mode(void); -+ const void *FIPS_rand_check(void); -+ int FIPS_selftest(void); -+ int FIPS_selftest_failed(void); -+ void FIPS_corrupt_sha1(void); -+ int FIPS_selftest_sha1(void); -+ int FIPS_selftest_sha2(void); -+ void FIPS_corrupt_aes(void); -+ int FIPS_selftest_aes_ccm(void); -+ int FIPS_selftest_aes_gcm(void); -+ int FIPS_selftest_aes_xts(void); -+ int FIPS_selftest_aes(void); -+ void FIPS_corrupt_des(void); -+ int FIPS_selftest_des(void); -+ void FIPS_corrupt_rsa(void); -+ void FIPS_corrupt_rsa_keygen(void); -+ int FIPS_selftest_rsa(void); -+ void FIPS_corrupt_dsa(void); -+ void FIPS_corrupt_dsa_keygen(void); -+ int FIPS_selftest_dsa(void); -+ void FIPS_corrupt_rng(void); -+ void FIPS_rng_stick(void); -+ void FIPS_x931_stick(int onoff); -+ void FIPS_drbg_stick(int onoff); -+ int FIPS_selftest_rng(void); -+ int FIPS_selftest_x931(void); -+ int FIPS_selftest_hmac(void); -+ int FIPS_selftest_drbg(void); -+ int 
FIPS_selftest_drbg_all(void); -+ int FIPS_selftest_cmac(void); -+ -+ void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr); -+ -+# define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \ -+ alg " previous FIPS forbidden algorithm error ignored"); -+ -+ int fips_pkey_signature_test(struct evp_pkey_st *pkey, -+ const unsigned char *tbs, int tbslen, -+ const unsigned char *kat, -+ unsigned int katlen, -+ const struct env_md_st *digest, -+ unsigned int md_flags, const char *fail_str); -+ -+ int fips_cipher_test(struct evp_cipher_ctx_st *ctx, -+ const struct evp_cipher_st *cipher, -+ const unsigned char *key, -+ const unsigned char *iv, -+ const unsigned char *plaintext, -+ const unsigned char *ciphertext, int len); -+ -+ void fips_set_selftest_fail(void); -+ -+ const struct env_md_st *FIPS_get_digestbynid(int nid); -+ -+ const struct evp_cipher_st *FIPS_get_cipherbynid(int nid); -+ -+/* BEGIN ERROR CODES */ -+/* The following lines are auto generated by the script mkerr.pl. Any changes -+ * made after this point may be overwritten when the script is next run. -+ */ -+ void ERR_load_FIPS_strings(void); -+ -+/* Error codes for the FIPS functions. */ -+ -+/* Function codes. 
*/ -+# define FIPS_F_DH_BUILTIN_GENPARAMS 100 -+# define FIPS_F_DH_INIT 148 -+# define FIPS_F_DRBG_RESEED 162 -+# define FIPS_F_DSA_BUILTIN_PARAMGEN 101 -+# define FIPS_F_DSA_BUILTIN_PARAMGEN2 107 -+# define FIPS_F_DSA_DO_SIGN 102 -+# define FIPS_F_DSA_DO_VERIFY 103 -+# define FIPS_F_ECDH_COMPUTE_KEY 163 -+# define FIPS_F_ECDSA_DO_SIGN 164 -+# define FIPS_F_ECDSA_DO_VERIFY 165 -+# define FIPS_F_EC_KEY_GENERATE_KEY 166 -+# define FIPS_F_EVP_CIPHERINIT_EX 124 -+# define FIPS_F_EVP_DIGESTINIT_EX 125 -+# define FIPS_F_FIPS_CHECK_DSA 104 -+# define FIPS_F_FIPS_CHECK_DSA_PRNG 151 -+# define FIPS_F_FIPS_CHECK_EC 142 -+# define FIPS_F_FIPS_CHECK_EC_PRNG 152 -+# define FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT 105 -+# define FIPS_F_FIPS_CHECK_RSA 106 -+# define FIPS_F_FIPS_CHECK_RSA_PRNG 150 -+# define FIPS_F_FIPS_CIPHER 160 -+# define FIPS_F_FIPS_CIPHERINIT 143 -+# define FIPS_F_FIPS_CIPHER_CTX_CTRL 161 -+# define FIPS_F_FIPS_DIGESTFINAL 158 -+# define FIPS_F_FIPS_DIGESTINIT 128 -+# define FIPS_F_FIPS_DIGESTUPDATE 159 -+# define FIPS_F_FIPS_DRBG_BYTES 131 -+# define FIPS_F_FIPS_DRBG_CHECK 146 -+# define FIPS_F_FIPS_DRBG_CPRNG_TEST 132 -+# define FIPS_F_FIPS_DRBG_ERROR_CHECK 136 -+# define FIPS_F_FIPS_DRBG_GENERATE 134 -+# define FIPS_F_FIPS_DRBG_INIT 135 -+# define FIPS_F_FIPS_DRBG_INSTANTIATE 138 -+# define FIPS_F_FIPS_DRBG_NEW 139 -+# define FIPS_F_FIPS_DRBG_RESEED 140 -+# define FIPS_F_FIPS_DRBG_SINGLE_KAT 141 -+# define FIPS_F_FIPS_DSA_CHECK /* unused */ 107 -+# define FIPS_F_FIPS_DSA_SIGN_DIGEST 154 -+# define FIPS_F_FIPS_DSA_VERIFY_DIGEST 155 -+# define FIPS_F_FIPS_GET_ENTROPY 147 -+# define FIPS_F_FIPS_MODE_SET /* unused */ 108 -+# define FIPS_F_FIPS_MODULE_MODE_SET 108 -+# define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109 -+# define FIPS_F_FIPS_RAND_ADD 137 -+# define FIPS_F_FIPS_RAND_BYTES 122 -+# define FIPS_F_FIPS_RAND_PSEUDO_BYTES 167 -+# define FIPS_F_FIPS_RAND_SEED 168 -+# define FIPS_F_FIPS_RAND_SET_METHOD 126 -+# define FIPS_F_FIPS_RAND_STATUS 127 -+# define 
FIPS_F_FIPS_RSA_SIGN_DIGEST 156 -+# define FIPS_F_FIPS_RSA_VERIFY_DIGEST 157 -+# define FIPS_F_FIPS_SELFTEST_AES 110 -+# define FIPS_F_FIPS_SELFTEST_AES_CCM 145 -+# define FIPS_F_FIPS_SELFTEST_AES_GCM 129 -+# define FIPS_F_FIPS_SELFTEST_AES_XTS 144 -+# define FIPS_F_FIPS_SELFTEST_CMAC 130 -+# define FIPS_F_FIPS_SELFTEST_DES 111 -+# define FIPS_F_FIPS_SELFTEST_DSA 112 -+# define FIPS_F_FIPS_SELFTEST_ECDSA 133 -+# define FIPS_F_FIPS_SELFTEST_HMAC 113 -+# define FIPS_F_FIPS_SELFTEST_RNG /* unused */ 114 -+# define FIPS_F_FIPS_SELFTEST_SHA1 115 -+# define FIPS_F_FIPS_SELFTEST_X931 114 -+# define FIPS_F_FIPS_SET_PRNG_KEY 153 -+# define FIPS_F_HASH_FINAL 123 -+# define FIPS_F_RSA_BUILTIN_KEYGEN 116 -+# define FIPS_F_RSA_EAY_INIT 149 -+# define FIPS_F_RSA_EAY_PRIVATE_DECRYPT 117 -+# define FIPS_F_RSA_EAY_PRIVATE_ENCRYPT 118 -+# define FIPS_F_RSA_EAY_PUBLIC_DECRYPT 119 -+# define FIPS_F_RSA_EAY_PUBLIC_ENCRYPT 120 -+# define FIPS_F_RSA_X931_GENERATE_KEY_EX 121 -+# define FIPS_F_SSLEAY_RAND_BYTES /* unused */ 122 -+ -+/* Reason codes. 
*/ -+# define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 150 -+# define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 125 -+# define FIPS_R_ALREADY_INSTANTIATED 134 -+# define FIPS_R_AUTHENTICATION_FAILURE 151 -+# define FIPS_R_CANNOT_READ_EXE /* unused */ 103 -+# define FIPS_R_CANNOT_READ_EXE_DIGEST /* unused */ 104 -+# define FIPS_R_CONTRADICTING_EVIDENCE 114 -+# define FIPS_R_DRBG_NOT_INITIALISED 152 -+# define FIPS_R_DRBG_STUCK 103 -+# define FIPS_R_ENTROPY_ERROR_UNDETECTED 104 -+# define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105 -+# define FIPS_R_ENTROPY_SOURCE_STUCK 142 -+# define FIPS_R_ERROR_INITIALISING_DRBG 115 -+# define FIPS_R_ERROR_INSTANTIATING_DRBG 127 -+# define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 124 -+# define FIPS_R_ERROR_RETRIEVING_ENTROPY 122 -+# define FIPS_R_ERROR_RETRIEVING_NONCE 140 -+# define FIPS_R_EXE_DIGEST_DOES_NOT_MATCH /* unused */ 105 -+# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 110 -+# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED 111 -+# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING 112 -+# define FIPS_R_FIPS_MODE_ALREADY_SET 102 -+# define FIPS_R_FIPS_SELFTEST_FAILED 106 -+# define FIPS_R_FUNCTION_ERROR 116 -+# define FIPS_R_GENERATE_ERROR 137 -+# define FIPS_R_GENERATE_ERROR_UNDETECTED 118 -+# define FIPS_R_INSTANTIATE_ERROR 119 -+# define FIPS_R_INSUFFICIENT_SECURITY_STRENGTH 120 -+# define FIPS_R_INTERNAL_ERROR 121 -+# define FIPS_R_INVALID_KEY_LENGTH 109 -+# define FIPS_R_INVALID_PARAMETERS 144 -+# define FIPS_R_IN_ERROR_STATE 123 -+# define FIPS_R_KEY_TOO_SHORT 108 -+# define FIPS_R_NONCE_ERROR_UNDETECTED 149 -+# define FIPS_R_NON_FIPS_METHOD 100 -+# define FIPS_R_NOPR_TEST1_FAILURE 145 -+# define FIPS_R_NOPR_TEST2_FAILURE 146 -+# define FIPS_R_NOT_INSTANTIATED 126 -+# define FIPS_R_PAIRWISE_TEST_FAILED 107 -+# define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128 -+# define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129 -+# define FIPS_R_PRNG_STRENGTH_TOO_LOW 143 -+# define FIPS_R_PR_TEST1_FAILURE 147 -+# define 
FIPS_R_PR_TEST2_FAILURE 148 -+# define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 130 -+# define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 131 -+# define FIPS_R_RESEED_COUNTER_ERROR 132 -+# define FIPS_R_RESEED_ERROR 133 -+# define FIPS_R_RSA_DECRYPT_ERROR /* unused */ 115 -+# define FIPS_R_RSA_ENCRYPT_ERROR /* unused */ 116 -+# define FIPS_R_SELFTEST_FAILED 101 -+# define FIPS_R_SELFTEST_FAILURE 135 -+# define FIPS_R_STRENGTH_ERROR_UNDETECTED 136 -+# define FIPS_R_TEST_FAILURE 117 -+# define FIPS_R_UNINSTANTIATE_ERROR 141 -+# define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 138 -+# define FIPS_R_UNSUPPORTED_DRBG_TYPE 139 -+# define FIPS_R_UNSUPPORTED_PLATFORM 113 -+ -+# ifdef __cplusplus -+} -+# endif -+#endif -diff --git a/crypto/fips/fips_aes_selftest.c b/crypto/fips/fips_aes_selftest.c -new file mode 100644 -index 0000000..612ca5e ---- /dev/null -+++ b/crypto/fips/fips_aes_selftest.c -@@ -0,0 +1,365 @@ -+/* ==================================================================== -+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. 
The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ * -+ */ -+ -+#include -+#include -+#ifdef OPENSSL_FIPS -+# include -+#endif -+#include -+ -+#ifdef OPENSSL_FIPS -+static const struct { -+ const unsigned char key[16]; -+ const unsigned char plaintext[16]; -+ const unsigned char ciphertext[16]; -+} tests[] = { -+ { -+ { -+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, -+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F}, { -+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, -+ 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}, { -+0x69, 0xC4, 0xE0, 0xD8, 0x6A, 0x7B, 0x04, 0x30, -+ 0xD8, 0xCD, 0xB7, 0x80, 0x70, 0xB4, 0xC5, 0x5A},},}; -+ -+static int corrupt_aes; -+ -+void FIPS_corrupt_aes() -+{ -+ corrupt_aes = 1; -+} -+ -+int FIPS_selftest_aes() -+{ -+ int n; -+ int ret = 0; -+ EVP_CIPHER_CTX ctx; -+ EVP_CIPHER_CTX_init(&ctx); -+ -+ for (n = 0; n < 1; ++n) { -+ unsigned char key[16]; -+ -+ memcpy(key, tests[n].key, sizeof(key)); -+ if (corrupt_aes) -+ key[0]++; -+ if (fips_cipher_test(&ctx, EVP_aes_128_ecb(), -+ key, NULL, -+ tests[n].plaintext, -+ tests[n].ciphertext, 16) <= 0) -+ goto err; -+ } -+ ret = 1; -+ err: -+ EVP_CIPHER_CTX_cleanup(&ctx); -+ if (ret == 0) -+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES, FIPS_R_SELFTEST_FAILED); -+ return ret; -+} -+ -+/* AES-CCM test data from NIST public test vectors */ -+ -+static const unsigned char ccm_key[] = { -+ 0xce, 0xb0, 0x09, 0xae, 0xa4, 0x45, 0x44, 0x51, 0xfe, 0xad, 0xf0, 0xe6, -+ 0xb3, 0x6f, 0x45, 0x55, 0x5d, 0xd0, 0x47, 0x23, 0xba, 0xa4, 0x48, 0xe8 -+}; -+ -+static const unsigned char ccm_nonce[] = { -+ 0x76, 0x40, 0x43, 0xc4, 0x94, 0x60, 0xb7 -+}; -+ -+static const unsigned char ccm_adata[] = { -+ 0x6e, 0x80, 0xdd, 0x7f, 0x1b, 0xad, 0xf3, 0xa1, 0xc9, 0xab, 0x25, 0xc7, -+ 0x5f, 0x10, 0xbd, 0xe7, 0x8c, 0x23, 0xfa, 0x0e, 0xb8, 0xf9, 0xaa, 0xa5, -+ 0x3a, 0xde, 0xfb, 0xf4, 0xcb, 0xf7, 0x8f, 0xe4 -+}; -+ -+static const unsigned char ccm_pt[] = { -+ 0xc8, 0xd2, 0x75, 0xf9, 0x19, 0xe1, 0x7d, 0x7f, 0xe6, 0x9c, 0x2a, 0x1f, -+ 0x58, 0x93, 0x9d, 0xfe, 0x4d, 0x40, 0x37, 0x91, 0xb5, 
0xdf, 0x13, 0x10 -+}; -+ -+static const unsigned char ccm_ct[] = { -+ 0x8a, 0x0f, 0x3d, 0x82, 0x29, 0xe4, 0x8e, 0x74, 0x87, 0xfd, 0x95, 0xa2, -+ 0x8a, 0xd3, 0x92, 0xc8, 0x0b, 0x36, 0x81, 0xd4, 0xfb, 0xc7, 0xbb, 0xfd -+}; -+ -+static const unsigned char ccm_tag[] = { -+ 0x2d, 0xd6, 0xef, 0x1c, 0x45, 0xd4, 0xcc, 0xb7, 0x23, 0xdc, 0x07, 0x44, -+ 0x14, 0xdb, 0x50, 0x6d -+}; -+ -+int FIPS_selftest_aes_ccm(void) -+{ -+ int ret = 0; -+ unsigned char out[128], tag[16]; -+ EVP_CIPHER_CTX ctx; -+ EVP_CIPHER_CTX_init(&ctx); -+ memset(out, 0, sizeof(out)); -+ if (!EVP_CipherInit_ex(&ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 1)) -+ goto err; -+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN, -+ sizeof(ccm_nonce), NULL)) -+ goto err; -+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG, -+ sizeof(ccm_tag), NULL)) -+ goto err; -+ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, ccm_key, ccm_nonce, 1)) -+ goto err; -+ if (EVP_Cipher(&ctx, NULL, NULL, sizeof(ccm_pt)) != sizeof(ccm_pt)) -+ goto err; -+ if (EVP_Cipher(&ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0) -+ goto err; -+ if (EVP_Cipher(&ctx, out, ccm_pt, sizeof(ccm_pt)) != sizeof(ccm_ct)) -+ goto err; -+ -+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_GET_TAG, 16, tag)) -+ goto err; -+ if (memcmp(tag, ccm_tag, sizeof(ccm_tag)) -+ || memcmp(out, ccm_ct, sizeof(ccm_ct))) -+ goto err; -+ -+ memset(out, 0, sizeof(out)); -+ -+ if (!EVP_CipherInit_ex(&ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 0)) -+ goto err; -+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN, -+ sizeof(ccm_nonce), NULL)) -+ goto err; -+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG, 16, tag)) -+ goto err; -+ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, ccm_key, ccm_nonce, 0)) -+ goto err; -+ if (EVP_Cipher(&ctx, NULL, NULL, sizeof(ccm_ct)) != sizeof(ccm_ct)) -+ goto err; -+ if (EVP_Cipher(&ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0) -+ goto err; -+ if (EVP_Cipher(&ctx, out, ccm_ct, sizeof(ccm_ct)) != sizeof(ccm_pt)) -+ goto err; -+ -+ if (memcmp(out, 
ccm_pt, sizeof(ccm_pt))) -+ goto err; -+ -+ ret = 1; -+ -+ err: -+ EVP_CIPHER_CTX_cleanup(&ctx); -+ -+ if (ret == 0) { -+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_CCM, FIPS_R_SELFTEST_FAILED); -+ return 0; -+ } else -+ return ret; -+ -+} -+ -+/* AES-GCM test data from NIST public test vectors */ -+ -+static const unsigned char gcm_key[] = { -+ 0xee, 0xbc, 0x1f, 0x57, 0x48, 0x7f, 0x51, 0x92, 0x1c, 0x04, 0x65, 0x66, -+ 0x5f, 0x8a, 0xe6, 0xd1, 0x65, 0x8b, 0xb2, 0x6d, 0xe6, 0xf8, 0xa0, 0x69, -+ 0xa3, 0x52, 0x02, 0x93, 0xa5, 0x72, 0x07, 0x8f -+}; -+ -+static const unsigned char gcm_iv[] = { -+ 0x99, 0xaa, 0x3e, 0x68, 0xed, 0x81, 0x73, 0xa0, 0xee, 0xd0, 0x66, 0x84 -+}; -+ -+static const unsigned char gcm_pt[] = { -+ 0xf5, 0x6e, 0x87, 0x05, 0x5b, 0xc3, 0x2d, 0x0e, 0xeb, 0x31, 0xb2, 0xea, -+ 0xcc, 0x2b, 0xf2, 0xa5 -+}; -+ -+static const unsigned char gcm_aad[] = { -+ 0x4d, 0x23, 0xc3, 0xce, 0xc3, 0x34, 0xb4, 0x9b, 0xdb, 0x37, 0x0c, 0x43, -+ 0x7f, 0xec, 0x78, 0xde -+}; -+ -+static const unsigned char gcm_ct[] = { -+ 0xf7, 0x26, 0x44, 0x13, 0xa8, 0x4c, 0x0e, 0x7c, 0xd5, 0x36, 0x86, 0x7e, -+ 0xb9, 0xf2, 0x17, 0x36 -+}; -+ -+static const unsigned char gcm_tag[] = { -+ 0x67, 0xba, 0x05, 0x10, 0x26, 0x2a, 0xe4, 0x87, 0xd7, 0x37, 0xee, 0x62, -+ 0x98, 0xf7, 0x7e, 0x0c -+}; -+ -+int FIPS_selftest_aes_gcm(void) -+{ -+ int ret = 0; -+ unsigned char out[128], tag[16]; -+ EVP_CIPHER_CTX ctx; -+ EVP_CIPHER_CTX_init(&ctx); -+ memset(out, 0, sizeof(out)); -+ memset(tag, 0, sizeof(tag)); -+ if (!EVP_CipherInit_ex(&ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 1)) -+ goto err; -+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, -+ sizeof(gcm_iv), NULL)) -+ goto err; -+ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, gcm_key, gcm_iv, 1)) -+ goto err; -+ if (EVP_Cipher(&ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0) -+ goto err; -+ if (EVP_Cipher(&ctx, out, gcm_pt, sizeof(gcm_pt)) != sizeof(gcm_ct)) -+ goto err; -+ if (EVP_Cipher(&ctx, NULL, NULL, 0) < 0) -+ goto err; -+ -+ if (!EVP_CIPHER_CTX_ctrl(&ctx, 
EVP_CTRL_GCM_GET_TAG, 16, tag)) -+ goto err; -+ -+ if (memcmp(tag, gcm_tag, 16) || memcmp(out, gcm_ct, 16)) -+ goto err; -+ -+ memset(out, 0, sizeof(out)); -+ -+ if (!EVP_CipherInit_ex(&ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 0)) -+ goto err; -+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, -+ sizeof(gcm_iv), NULL)) -+ goto err; -+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, 16, tag)) -+ goto err; -+ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, gcm_key, gcm_iv, 0)) -+ goto err; -+ if (EVP_Cipher(&ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0) -+ goto err; -+ if (EVP_Cipher(&ctx, out, gcm_ct, sizeof(gcm_ct)) != sizeof(gcm_pt)) -+ goto err; -+ if (EVP_Cipher(&ctx, NULL, NULL, 0) < 0) -+ goto err; -+ -+ if (memcmp(out, gcm_pt, 16)) -+ goto err; -+ -+ ret = 1; -+ -+ err: -+ EVP_CIPHER_CTX_cleanup(&ctx); -+ -+ if (ret == 0) { -+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_GCM, FIPS_R_SELFTEST_FAILED); -+ return 0; -+ } else -+ return ret; -+ -+} -+ -+static const unsigned char XTS_128_key[] = { -+ 0xa1, 0xb9, 0x0c, 0xba, 0x3f, 0x06, 0xac, 0x35, 0x3b, 0x2c, 0x34, 0x38, -+ 0x76, 0x08, 0x17, 0x62, 0x09, 0x09, 0x23, 0x02, 0x6e, 0x91, 0x77, 0x18, -+ 0x15, 0xf2, 0x9d, 0xab, 0x01, 0x93, 0x2f, 0x2f -+}; -+ -+static const unsigned char XTS_128_i[] = { -+ 0x4f, 0xae, 0xf7, 0x11, 0x7c, 0xda, 0x59, 0xc6, 0x6e, 0x4b, 0x92, 0x01, -+ 0x3e, 0x76, 0x8a, 0xd5 -+}; -+ -+static const unsigned char XTS_128_pt[] = { -+ 0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d, 0x6f, 0xb3, 0x50, 0x39, -+ 0x07, 0x90, 0x31, 0x1c -+}; -+ -+static const unsigned char XTS_128_ct[] = { -+ 0x77, 0x8a, 0xe8, 0xb4, 0x3c, 0xb9, 0x8d, 0x5a, 0x82, 0x50, 0x81, 0xd5, -+ 0xbe, 0x47, 0x1c, 0x63 -+}; -+ -+static const unsigned char XTS_256_key[] = { -+ 0x1e, 0xa6, 0x61, 0xc5, 0x8d, 0x94, 0x3a, 0x0e, 0x48, 0x01, 0xe4, 0x2f, -+ 0x4b, 0x09, 0x47, 0x14, 0x9e, 0x7f, 0x9f, 0x8e, 0x3e, 0x68, 0xd0, 0xc7, -+ 0x50, 0x52, 0x10, 0xbd, 0x31, 0x1a, 0x0e, 0x7c, 0xd6, 0xe1, 0x3f, 0xfd, -+ 0xf2, 0x41, 0x8d, 0x8d, 0x19, 0x11, 0xc0, 0x04, 
0xcd, 0xa5, 0x8d, 0xa3, -+ 0xd6, 0x19, 0xb7, 0xe2, 0xb9, 0x14, 0x1e, 0x58, 0x31, 0x8e, 0xea, 0x39, -+ 0x2c, 0xf4, 0x1b, 0x08 -+}; -+ -+static const unsigned char XTS_256_i[] = { -+ 0xad, 0xf8, 0xd9, 0x26, 0x27, 0x46, 0x4a, 0xd2, 0xf0, 0x42, 0x8e, 0x84, -+ 0xa9, 0xf8, 0x75, 0x64 -+}; -+ -+static const unsigned char XTS_256_pt[] = { -+ 0x2e, 0xed, 0xea, 0x52, 0xcd, 0x82, 0x15, 0xe1, 0xac, 0xc6, 0x47, 0xe8, -+ 0x10, 0xbb, 0xc3, 0x64, 0x2e, 0x87, 0x28, 0x7f, 0x8d, 0x2e, 0x57, 0xe3, -+ 0x6c, 0x0a, 0x24, 0xfb, 0xc1, 0x2a, 0x20, 0x2e -+}; -+ -+static const unsigned char XTS_256_ct[] = { -+ 0xcb, 0xaa, 0xd0, 0xe2, 0xf6, 0xce, 0xa3, 0xf5, 0x0b, 0x37, 0xf9, 0x34, -+ 0xd4, 0x6a, 0x9b, 0x13, 0x0b, 0x9d, 0x54, 0xf0, 0x7e, 0x34, 0xf3, 0x6a, -+ 0xf7, 0x93, 0xe8, 0x6f, 0x73, 0xc6, 0xd7, 0xdb -+}; -+ -+int FIPS_selftest_aes_xts() -+{ -+ int ret = 1; -+ EVP_CIPHER_CTX ctx; -+ EVP_CIPHER_CTX_init(&ctx); -+ -+ if (fips_cipher_test(&ctx, EVP_aes_128_xts(), -+ XTS_128_key, XTS_128_i, XTS_128_pt, XTS_128_ct, -+ sizeof(XTS_128_pt)) <= 0) -+ ret = 0; -+ -+ if (fips_cipher_test(&ctx, EVP_aes_256_xts(), -+ XTS_256_key, XTS_256_i, XTS_256_pt, XTS_256_ct, -+ sizeof(XTS_256_pt)) <= 0) -+ ret = 0; -+ -+ EVP_CIPHER_CTX_cleanup(&ctx); -+ if (ret == 0) -+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_XTS, FIPS_R_SELFTEST_FAILED); -+ return ret; -+} -+ -+#endif -diff --git a/crypto/fips/fips_cmac_selftest.c b/crypto/fips/fips_cmac_selftest.c -new file mode 100644 -index 0000000..9e75ec9 ---- /dev/null -+++ b/crypto/fips/fips_cmac_selftest.c -@@ -0,0 +1,156 @@ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. 
Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ * -+ */ -+ -+#include -+#include -+#include -+#include -+#include "fips_locl.h" -+ -+#ifdef OPENSSL_FIPS -+typedef struct { -+ int nid; -+ const unsigned char key[EVP_MAX_KEY_LENGTH]; -+ size_t keysize; -+ const unsigned char msg[64]; -+ size_t msgsize; -+ const unsigned char mac[32]; -+ size_t macsize; -+} CMAC_KAT; -+ -+/* from http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf */ -+static const CMAC_KAT vector[] = { -+ {NID_aes_128_cbc, /* Count = 32 from CMACGenAES128.txt */ -+ {0x77, 0xa7, 0x7f, 0xaf, 0x29, 0x0c, 0x1f, 0xa3, -+ 0x0c, 0x68, 0x3d, 0xf1, 0x6b, 0xa7, 0xa7, 0x7b,}, 128, -+ {0x02, 0x06, 0x83, 0xe1, 0xf0, 0x39, 0x2f, 0x4c, -+ 0xac, 0x54, 0x31, 0x8b, 0x60, 0x29, 0x25, 0x9e, -+ 0x9c, 0x55, 0x3d, 0xbc, 0x4b, 0x6a, 0xd9, 0x98, -+ 0xe6, 0x4d, 0x58, 0xe4, 0xe7, 0xdc, 0x2e, 0x13,}, 256, -+ {0xfb, 0xfe, 0xa4, 0x1b,}, 32}, -+ {NID_aes_192_cbc, /* Count = 23 from CMACGenAES192.txt */ -+ {0x7b, 0x32, 0x39, 0x13, 0x69, 0xaa, 0x4c, 0xa9, -+ 0x75, 0x58, 0x09, 0x5b, 0xe3, 0xc3, 0xec, 0x86, -+ 0x2b, 0xd0, 0x57, 0xce, 0xf1, 0xe3, 0x2d, 0x62,}, 192, -+ {0x0}, 0, -+ {0xe4, 0xd9, 0x34, 0x0b, 0x03, 0xe6, 0x7d, 0xef, -+ 0xd4, 0x96, 0x9c, 0xc1, 0xed, 0x37, 0x35, 0xe6,}, 128, -+ }, -+ {NID_aes_256_cbc, /* Count = 33 from CMACGenAES256.txt */ -+ {0x0b, 0x12, 0x2a, 0xc8, 0xf3, 0x4e, 0xd1, 0xfe, -+ 0x08, 0x2a, 0x36, 0x25, 0xd1, 0x57, 0x56, 0x14, -+ 0x54, 0x16, 0x7a, 0xc1, 0x45, 0xa1, 0x0b, 0xbf, -+ 0x77, 0xc6, 0xa7, 0x05, 0x96, 0xd5, 0x74, 0xf1,}, 256, -+ {0x49, 0x8b, 0x53, 0xfd, 0xec, 0x87, 0xed, 0xcb, -+ 0xf0, 0x70, 0x97, 0xdc, 0xcd, 0xe9, 0x3a, 0x08, -+ 0x4b, 0xad, 0x75, 0x01, 0xa2, 0x24, 0xe3, 0x88, -+ 0xdf, 0x34, 0x9c, 0xe1, 0x89, 0x59, 0xfe, 0x84, -+ 0x85, 0xf8, 0xad, 0x15, 0x37, 0xf0, 0xd8, 0x96, -+ 0xea, 0x73, 0xbe, 0xdc, 0x72, 0x14, 0x71, 0x3f,}, 384, -+ {0xf6, 0x2c, 0x46, 0x32, 0x9b,}, 40, -+ }, -+ {NID_des_ede3_cbc, /* Count = 41 from CMACGenTDES3.req */ -+ {0x89, 0xbc, 0xd9, 0x52, 0xa8, 0xc8, 0xab, 0x37, -+ 0x1a, 0xf4, 0x8a, 0xc7, 0xd0, 0x70, 
0x85, 0xd5, -+ 0xef, 0xf7, 0x02, 0xe6, 0xd6, 0x2c, 0xdc, 0x23,}, 192, -+ {0xfa, 0x62, 0x0c, 0x1b, 0xbe, 0x97, 0x31, 0x9e, -+ 0x9a, 0x0c, 0xf0, 0x49, 0x21, 0x21, 0xf7, 0xa2, -+ 0x0e, 0xb0, 0x8a, 0x6a, 0x70, 0x9d, 0xcb, 0xd0, -+ 0x0a, 0xaf, 0x38, 0xe4, 0xf9, 0x9e, 0x75, 0x4e,}, 256, -+ {0x8f, 0x49, 0xa1, 0xb7, 0xd6, 0xaa, 0x22, 0x58,}, 64, -+ }, -+}; -+ -+int FIPS_selftest_cmac() -+{ -+ size_t n, outlen; -+ unsigned char out[32]; -+ const EVP_CIPHER *cipher; -+ CMAC_CTX *ctx = CMAC_CTX_new(); -+ const CMAC_KAT *t; -+ int rv = 1; -+ -+ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) { -+ cipher = FIPS_get_cipherbynid(t->nid); -+ if (!cipher) { -+ rv = -1; -+ goto err; -+ } -+ if (!CMAC_Init(ctx, t->key, t->keysize / 8, cipher, 0)) { -+ rv = -1; -+ goto err; -+ } -+ if (!CMAC_Update(ctx, t->msg, t->msgsize / 8)) { -+ rv = -1; -+ goto err; -+ } -+ -+ if (!CMAC_Final(ctx, out, &outlen)) { -+ rv = -1; -+ goto err; -+ } -+ CMAC_CTX_cleanup(ctx); -+ -+ if (outlen < t->macsize / 8 || memcmp(out, t->mac, t->macsize / 8)) { -+ rv = 0; -+ } -+ } -+ -+ err: -+ CMAC_CTX_free(ctx); -+ -+ if (rv == -1) { -+ rv = 0; -+ } -+ if (!rv) -+ FIPSerr(FIPS_F_FIPS_SELFTEST_CMAC, FIPS_R_SELFTEST_FAILED); -+ -+ return rv; -+} -+#endif -diff --git a/crypto/fips/fips_des_selftest.c b/crypto/fips/fips_des_selftest.c -new file mode 100644 -index 0000000..0743904 ---- /dev/null -+++ b/crypto/fips/fips_des_selftest.c -@@ -0,0 +1,138 @@ -+/* ==================================================================== -+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. 
Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ * -+ */ -+ -+#include -+#include -+#ifdef OPENSSL_FIPS -+# include -+#endif -+#include -+#include -+ -+#ifdef OPENSSL_FIPS -+ -+static const struct { -+ const unsigned char key[16]; -+ const unsigned char plaintext[8]; -+ const unsigned char ciphertext[8]; -+} tests2[] = { -+ { -+ { -+ 0x7c, 0x4f, 0x6e, 0xf7, 0xa2, 0x04, 0x16, 0xec, -+ 0x0b, 0x6b, 0x7c, 0x9e, 0x5e, 0x19, 0xa7, 0xc4}, { -+ 0x06, 0xa7, 0xd8, 0x79, 0xaa, 0xce, 0x69, 0xef}, { -+ 0x4c, 0x11, 0x17, 0x55, 0xbf, 0xc4, 0x4e, 0xfd} -+ }, { -+ { -+ 0x5d, 0x9e, 0x01, 0xd3, 0x25, 0xc7, 0x3e, 0x34, -+ 0x01, 0x16, 0x7c, 0x85, 0x23, 0xdf, 0xe0, 0x68}, { -+ 0x9c, 0x50, 0x09, 0x0f, 0x5e, 0x7d, 0x69, 0x7e}, { -+ 0xd2, 0x0b, 0x18, 0xdf, 0xd9, 0x0d, 0x9e, 0xff},} -+}; -+ -+static const struct { -+ const unsigned char key[24]; -+ const unsigned char plaintext[8]; -+ const unsigned char ciphertext[8]; -+} tests3[] = { -+ { -+ { -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -+ 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, -+ 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0}, { -+ 0x8f, 0x8f, 0xbf, 0x9b, 0x5d, 0x48, 0xb4, 0x1c}, { -+ 0x59, 0x8c, 0xe5, 0xd3, 0x6c, 0xa2, 0xea, 0x1b},}, { -+ { -+ 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, 0xFE, -+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, -+ 0xED, 0x39, 0xD9, 0x50, 0xFA, 0x74, 0xBC, 0xC4}, { -+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}, { -+0x11, 0x25, 0xb0, 0x35, 0xbe, 0xa0, 0x82, 0x86},},}; -+ -+static int corrupt_des; -+ -+void FIPS_corrupt_des() -+{ -+ corrupt_des = 1; -+} -+ -+int FIPS_selftest_des() -+{ -+ int n, ret = 0; -+ EVP_CIPHER_CTX ctx; -+ EVP_CIPHER_CTX_init(&ctx); -+ /* Encrypt/decrypt with 2-key 3DES and compare to known answers */ -+ for (n = 0; n < 2; ++n) { -+ unsigned char plaintext[8]; -+ -+ memcpy(plaintext, tests2[n].plaintext, sizeof(plaintext)); -+ if (corrupt_des) -+ plaintext[0]++; -+ if (!fips_cipher_test(&ctx, EVP_des_ede_ecb(), -+ tests2[n].key, NULL, -+ plaintext, tests2[n].ciphertext, 8)) -+ goto err; -+ } -+ -+ /* 
Encrypt/decrypt with 3DES and compare to known answers */ -+ for (n = 0; n < 2; ++n) { -+ if (!fips_cipher_test(&ctx, EVP_des_ede3_ecb(), -+ tests3[n].key, NULL, -+ tests3[n].plaintext, tests3[n].ciphertext, 8)) -+ goto err; -+ } -+ ret = 1; -+ err: -+ EVP_CIPHER_CTX_cleanup(&ctx); -+ if (ret == 0) -+ FIPSerr(FIPS_F_FIPS_SELFTEST_DES, FIPS_R_SELFTEST_FAILED); -+ -+ return ret; -+} -+#endif -diff --git a/crypto/fips/fips_drbg_ctr.c b/crypto/fips/fips_drbg_ctr.c -new file mode 100644 -index 0000000..a830b2c ---- /dev/null -+++ b/crypto/fips/fips_drbg_ctr.c -@@ -0,0 +1,415 @@ -+/* fips/rand/fips_drbg_ctr.c */ -+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL -+ * project. -+ */ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. 
Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * ==================================================================== -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include "fips_rand_lcl.h" -+ -+static void inc_128(DRBG_CTR_CTX * cctx) -+{ -+ int i; -+ unsigned char c; -+ unsigned char *p = cctx->V + 15; -+ for (i = 0; i < 16; i++) { -+ c = *p; -+ c++; -+ *p = c; -+ if (c) -+ return; -+ p--; -+ } -+} -+ -+static void ctr_XOR(DRBG_CTR_CTX * cctx, const unsigned char *in, -+ size_t inlen) -+{ -+ size_t i, n; -+ /* Any zero padding will have no effect on the result as we -+ * are XORing. So just process however much input we have. 
-+ */ -+ -+ if (!in || !inlen) -+ return; -+ -+ if (inlen < cctx->keylen) -+ n = inlen; -+ else -+ n = cctx->keylen; -+ -+ for (i = 0; i < n; i++) -+ cctx->K[i] ^= in[i]; -+ if (inlen <= cctx->keylen) -+ return; -+ -+ n = inlen - cctx->keylen; -+ /* Should never happen */ -+ if (n > 16) -+ n = 16; -+ for (i = 0; i < 16; i++) -+ cctx->V[i] ^= in[i + cctx->keylen]; -+} -+ -+/* Process a complete block using BCC algorithm of SPP 800-90 10.4.3 */ -+ -+static void ctr_BCC_block(DRBG_CTR_CTX * cctx, unsigned char *out, -+ const unsigned char *in) -+{ -+ int i; -+ for (i = 0; i < 16; i++) -+ out[i] ^= in[i]; -+ AES_encrypt(out, out, &cctx->df_ks); -+#if 0 -+ fprintf(stderr, "BCC in+out\n"); -+ BIO_dump_fp(stderr, in, 16); -+ BIO_dump_fp(stderr, out, 16); -+#endif -+} -+ -+/* Handle several BCC operations for as much data as we need for K and X */ -+static void ctr_BCC_blocks(DRBG_CTR_CTX * cctx, const unsigned char *in) -+{ -+ ctr_BCC_block(cctx, cctx->KX, in); -+ ctr_BCC_block(cctx, cctx->KX + 16, in); -+ if (cctx->keylen != 16) -+ ctr_BCC_block(cctx, cctx->KX + 32, in); -+} -+ -+/* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions: -+ * see 10.4.2 stage 7. 
-+ */ -+static void ctr_BCC_init(DRBG_CTR_CTX * cctx) -+{ -+ memset(cctx->KX, 0, 48); -+ memset(cctx->bltmp, 0, 16); -+ ctr_BCC_block(cctx, cctx->KX, cctx->bltmp); -+ cctx->bltmp[3] = 1; -+ ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp); -+ if (cctx->keylen != 16) { -+ cctx->bltmp[3] = 2; -+ ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp); -+ } -+} -+ -+/* Process several blocks into BCC algorithm, some possibly partial */ -+static void ctr_BCC_update(DRBG_CTR_CTX * cctx, -+ const unsigned char *in, size_t inlen) -+{ -+ if (!in || !inlen) -+ return; -+ /* If we have partial block handle it first */ -+ if (cctx->bltmp_pos) { -+ size_t left = 16 - cctx->bltmp_pos; -+ /* If we now have a complete block process it */ -+ if (inlen >= left) { -+ memcpy(cctx->bltmp + cctx->bltmp_pos, in, left); -+ ctr_BCC_blocks(cctx, cctx->bltmp); -+ cctx->bltmp_pos = 0; -+ inlen -= left; -+ in += left; -+ } -+ } -+ /* Process zero or more complete blocks */ -+ while (inlen >= 16) { -+ ctr_BCC_blocks(cctx, in); -+ in += 16; -+ inlen -= 16; -+ } -+ /* Copy any remaining partial block to the temporary buffer */ -+ if (inlen > 0) { -+ memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen); -+ cctx->bltmp_pos += inlen; -+ } -+} -+ -+static void ctr_BCC_final(DRBG_CTR_CTX * cctx) -+{ -+ if (cctx->bltmp_pos) { -+ memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos); -+ ctr_BCC_blocks(cctx, cctx->bltmp); -+ } -+} -+ -+static void ctr_df(DRBG_CTR_CTX * cctx, -+ const unsigned char *in1, size_t in1len, -+ const unsigned char *in2, size_t in2len, -+ const unsigned char *in3, size_t in3len) -+{ -+ size_t inlen; -+ unsigned char *p = cctx->bltmp; -+ static unsigned char c80 = 0x80; -+ -+ ctr_BCC_init(cctx); -+ if (!in1) -+ in1len = 0; -+ if (!in2) -+ in2len = 0; -+ if (!in3) -+ in3len = 0; -+ inlen = in1len + in2len + in3len; -+ /* Initialise L||N in temporary block */ -+ *p++ = (inlen >> 24) & 0xff; -+ *p++ = (inlen >> 16) & 0xff; -+ *p++ = (inlen >> 8) & 0xff; -+ *p++ = inlen & 0xff; -+ /* NB 
keylen is at most 32 bytes */ -+ *p++ = 0; -+ *p++ = 0; -+ *p++ = 0; -+ *p = (unsigned char)((cctx->keylen + 16) & 0xff); -+ cctx->bltmp_pos = 8; -+ ctr_BCC_update(cctx, in1, in1len); -+ ctr_BCC_update(cctx, in2, in2len); -+ ctr_BCC_update(cctx, in3, in3len); -+ ctr_BCC_update(cctx, &c80, 1); -+ ctr_BCC_final(cctx); -+ /* Set up key K */ -+ AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks); -+ /* X follows key K */ -+ AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks); -+ AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks); -+ if (cctx->keylen != 16) -+ AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks); -+#if 0 -+ fprintf(stderr, "Output of ctr_df:\n"); -+ BIO_dump_fp(stderr, cctx->KX, cctx->keylen + 16); -+#endif -+} -+ -+/* NB the no-df Update in SP800-90 specifies a constant input length -+ * of seedlen, however other uses of this algorithm pad the input with -+ * zeroes if necessary and have up to two parameters XORed together, -+ * handle both cases in this function instead. 
-+ */ -+ -+static void ctr_Update(DRBG_CTX *dctx, -+ const unsigned char *in1, size_t in1len, -+ const unsigned char *in2, size_t in2len, -+ const unsigned char *nonce, size_t noncelen) -+{ -+ DRBG_CTR_CTX *cctx = &dctx->d.ctr; -+ /* ks is already setup for correct key */ -+ inc_128(cctx); -+ AES_encrypt(cctx->V, cctx->K, &cctx->ks); -+ /* If keylen longer than 128 bits need extra encrypt */ -+ if (cctx->keylen != 16) { -+ inc_128(cctx); -+ AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks); -+ } -+ inc_128(cctx); -+ AES_encrypt(cctx->V, cctx->V, &cctx->ks); -+ /* If 192 bit key part of V is on end of K */ -+ if (cctx->keylen == 24) { -+ memcpy(cctx->V + 8, cctx->V, 8); -+ memcpy(cctx->V, cctx->K + 24, 8); -+ } -+ -+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) { -+ /* If no input reuse existing derived value */ -+ if (in1 || nonce || in2) -+ ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len); -+ /* If this a reuse input in1len != 0 */ -+ if (in1len) -+ ctr_XOR(cctx, cctx->KX, dctx->seedlen); -+ } else { -+ ctr_XOR(cctx, in1, in1len); -+ ctr_XOR(cctx, in2, in2len); -+ } -+ -+ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks); -+#if 0 -+ fprintf(stderr, "K+V after update is:\n"); -+ BIO_dump_fp(stderr, cctx->K, cctx->keylen); -+ BIO_dump_fp(stderr, cctx->V, 16); -+#endif -+} -+ -+static int drbg_ctr_instantiate(DRBG_CTX *dctx, -+ const unsigned char *ent, size_t entlen, -+ const unsigned char *nonce, size_t noncelen, -+ const unsigned char *pers, size_t perslen) -+{ -+ DRBG_CTR_CTX *cctx = &dctx->d.ctr; -+ memset(cctx->K, 0, sizeof(cctx->K)); -+ memset(cctx->V, 0, sizeof(cctx->V)); -+ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks); -+ ctr_Update(dctx, ent, entlen, pers, perslen, nonce, noncelen); -+ return 1; -+} -+ -+static int drbg_ctr_reseed(DRBG_CTX *dctx, -+ const unsigned char *ent, size_t entlen, -+ const unsigned char *adin, size_t adinlen) -+{ -+ ctr_Update(dctx, ent, entlen, adin, adinlen, NULL, 0); -+ return 1; -+} -+ -+static int 
drbg_ctr_generate(DRBG_CTX *dctx, -+ unsigned char *out, size_t outlen, -+ const unsigned char *adin, size_t adinlen) -+{ -+ DRBG_CTR_CTX *cctx = &dctx->d.ctr; -+ if (adin && adinlen) { -+ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0); -+ /* This means we reuse derived value */ -+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) { -+ adin = NULL; -+ adinlen = 1; -+ } -+ } else -+ adinlen = 0; -+ -+ for (;;) { -+ inc_128(cctx); -+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) { -+ AES_encrypt(cctx->V, dctx->lb, &cctx->ks); -+ dctx->lb_valid = 1; -+ continue; -+ } -+ if (outlen < 16) { -+ /* Use K as temp space as it will be updated */ -+ AES_encrypt(cctx->V, cctx->K, &cctx->ks); -+ if (!fips_drbg_cprng_test(dctx, cctx->K)) -+ return 0; -+ memcpy(out, cctx->K, outlen); -+ break; -+ } -+ AES_encrypt(cctx->V, out, &cctx->ks); -+ if (!fips_drbg_cprng_test(dctx, out)) -+ return 0; -+ out += 16; -+ outlen -= 16; -+ if (outlen == 0) -+ break; -+ } -+ -+ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0); -+ -+ return 1; -+ -+} -+ -+static int drbg_ctr_uninstantiate(DRBG_CTX *dctx) -+{ -+ memset(&dctx->d.ctr, 0, sizeof(DRBG_CTR_CTX)); -+ return 1; -+} -+ -+int fips_drbg_ctr_init(DRBG_CTX *dctx) -+{ -+ DRBG_CTR_CTX *cctx = &dctx->d.ctr; -+ -+ size_t keylen; -+ -+ switch (dctx->type) { -+ case NID_aes_128_ctr: -+ keylen = 16; -+ break; -+ -+ case NID_aes_192_ctr: -+ keylen = 24; -+ break; -+ -+ case NID_aes_256_ctr: -+ keylen = 32; -+ break; -+ -+ default: -+ return -2; -+ } -+ -+ dctx->instantiate = drbg_ctr_instantiate; -+ dctx->reseed = drbg_ctr_reseed; -+ dctx->generate = drbg_ctr_generate; -+ dctx->uninstantiate = drbg_ctr_uninstantiate; -+ -+ cctx->keylen = keylen; -+ dctx->strength = keylen * 8; -+ dctx->blocklength = 16; -+ dctx->seedlen = keylen + 16; -+ -+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) { -+ /* df initialisation */ -+ static unsigned char df_key[32] = { -+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, -+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 
0x0f, -+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, -+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f -+ }; -+ /* Set key schedule for df_key */ -+ AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks); -+ -+ dctx->min_entropy = cctx->keylen; -+ dctx->max_entropy = DRBG_MAX_LENGTH; -+ dctx->min_nonce = dctx->min_entropy / 2; -+ dctx->max_nonce = DRBG_MAX_LENGTH; -+ dctx->max_pers = DRBG_MAX_LENGTH; -+ dctx->max_adin = DRBG_MAX_LENGTH; -+ } else { -+ dctx->min_entropy = dctx->seedlen; -+ dctx->max_entropy = dctx->seedlen; -+ /* Nonce not used */ -+ dctx->min_nonce = 0; -+ dctx->max_nonce = 0; -+ dctx->max_pers = dctx->seedlen; -+ dctx->max_adin = dctx->seedlen; -+ } -+ -+ dctx->max_request = 1 << 16; -+ dctx->reseed_interval = 1 << 24; -+ -+ return 1; -+} -diff --git a/crypto/fips/fips_drbg_hash.c b/crypto/fips/fips_drbg_hash.c -new file mode 100644 -index 0000000..b19420a ---- /dev/null -+++ b/crypto/fips/fips_drbg_hash.c -@@ -0,0 +1,358 @@ -+/* fips/rand/fips_drbg_hash.c */ -+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL -+ * project. -+ */ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. 
All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ * ==================================================================== -+ */ -+ -+#define OPENSSL_FIPSAPI -+ -+#include -+#include -+#include -+#include -+#include -+#include "fips_rand_lcl.h" -+ -+/* This is Hash_df from SP 800-90 10.4.1 */ -+ -+static int hash_df(DRBG_CTX *dctx, unsigned char *out, -+ const unsigned char *in1, size_t in1len, -+ const unsigned char *in2, size_t in2len, -+ const unsigned char *in3, size_t in3len, -+ const unsigned char *in4, size_t in4len) -+{ -+ EVP_MD_CTX *mctx = &dctx->d.hash.mctx; -+ unsigned char *vtmp = dctx->d.hash.vtmp; -+ unsigned char tmp[6]; -+ /* Standard only ever needs seedlen bytes which is always less than -+ * maximum permitted so no need to check length. -+ */ -+ size_t outlen = dctx->seedlen; -+ tmp[0] = 1; -+ tmp[1] = ((outlen * 8) >> 24) & 0xff; -+ tmp[2] = ((outlen * 8) >> 16) & 0xff; -+ tmp[3] = ((outlen * 8) >> 8) & 0xff; -+ tmp[4] = (outlen * 8) & 0xff; -+ if (!in1) { -+ tmp[5] = (unsigned char)in1len; -+ in1 = tmp + 5; -+ in1len = 1; -+ } -+ for (;;) { -+ if (!FIPS_digestinit(mctx, dctx->d.hash.md)) -+ return 0; -+ if (!FIPS_digestupdate(mctx, tmp, 5)) -+ return 0; -+ if (in1 && !FIPS_digestupdate(mctx, in1, in1len)) -+ return 0; -+ if (in2 && !FIPS_digestupdate(mctx, in2, in2len)) -+ return 0; -+ if (in3 && !FIPS_digestupdate(mctx, in3, in3len)) -+ return 0; -+ if (in4 && !FIPS_digestupdate(mctx, in4, in4len)) -+ return 0; -+ if (outlen < dctx->blocklength) { -+ if (!FIPS_digestfinal(mctx, vtmp, NULL)) -+ return 0; -+ memcpy(out, vtmp, outlen); -+ OPENSSL_cleanse(vtmp, dctx->blocklength); -+ return 1; -+ } else if (!FIPS_digestfinal(mctx, out, NULL)) -+ return 0; -+ -+ outlen -= dctx->blocklength; -+ if (outlen == 0) -+ return 1; -+ tmp[0]++; -+ out += dctx->blocklength; -+ } -+} -+ -+/* Add an unsigned buffer to the buf value, storing the result in buf. For -+ * this algorithm the length of input never exceeds the seed length. 
-+ */ -+ -+static void ctx_add_buf(DRBG_CTX *dctx, unsigned char *buf, -+ unsigned char *in, size_t inlen) -+{ -+ size_t i = inlen; -+ const unsigned char *q; -+ unsigned char c, *p; -+ p = buf + dctx->seedlen; -+ q = in + inlen; -+ -+ OPENSSL_assert(i <= dctx->seedlen); -+ -+ /* Special case: zero length, just increment buffer */ -+ if (i) -+ c = 0; -+ else -+ c = 1; -+ -+ while (i) { -+ int r; -+ p--; -+ q--; -+ r = *p + *q + c; -+ /* Carry */ -+ if (r > 0xff) -+ c = 1; -+ else -+ c = 0; -+ *p = r & 0xff; -+ i--; -+ } -+ -+ i = dctx->seedlen - inlen; -+ -+ /* If not adding whole buffer handle final carries */ -+ if (c && i) { -+ do { -+ p--; -+ c = *p; -+ c++; -+ *p = c; -+ if (c) -+ return; -+ } while (i--); -+ } -+} -+ -+/* Finalise and add hash to V */ -+ -+static int ctx_add_md(DRBG_CTX *dctx) -+{ -+ if (!FIPS_digestfinal(&dctx->d.hash.mctx, dctx->d.hash.vtmp, NULL)) -+ return 0; -+ ctx_add_buf(dctx, dctx->d.hash.V, dctx->d.hash.vtmp, dctx->blocklength); -+ return 1; -+} -+ -+static int hash_gen(DRBG_CTX *dctx, unsigned char *out, size_t outlen) -+{ -+ DRBG_HASH_CTX *hctx = &dctx->d.hash; -+ if (outlen == 0) -+ return 1; -+ memcpy(hctx->vtmp, hctx->V, dctx->seedlen); -+ for (;;) { -+ FIPS_digestinit(&hctx->mctx, hctx->md); -+ FIPS_digestupdate(&hctx->mctx, hctx->vtmp, dctx->seedlen); -+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) { -+ FIPS_digestfinal(&hctx->mctx, dctx->lb, NULL); -+ dctx->lb_valid = 1; -+ } else if (outlen < dctx->blocklength) { -+ FIPS_digestfinal(&hctx->mctx, hctx->vtmp, NULL); -+ if (!fips_drbg_cprng_test(dctx, hctx->vtmp)) -+ return 0; -+ memcpy(out, hctx->vtmp, outlen); -+ return 1; -+ } else { -+ FIPS_digestfinal(&hctx->mctx, out, NULL); -+ if (!fips_drbg_cprng_test(dctx, out)) -+ return 0; -+ outlen -= dctx->blocklength; -+ if (outlen == 0) -+ return 1; -+ out += dctx->blocklength; -+ } -+ ctx_add_buf(dctx, hctx->vtmp, NULL, 0); -+ } -+} -+ -+static int drbg_hash_instantiate(DRBG_CTX *dctx, -+ const unsigned char *ent, 
size_t ent_len, -+ const unsigned char *nonce, size_t nonce_len, -+ const unsigned char *pstr, size_t pstr_len) -+{ -+ DRBG_HASH_CTX *hctx = &dctx->d.hash; -+ if (!hash_df(dctx, hctx->V, -+ ent, ent_len, nonce, nonce_len, pstr, pstr_len, NULL, 0)) -+ return 0; -+ if (!hash_df(dctx, hctx->C, -+ NULL, 0, hctx->V, dctx->seedlen, NULL, 0, NULL, 0)) -+ return 0; -+ -+#ifdef HASH_DRBG_TRACE -+ fprintf(stderr, "V+C after instantiate:\n"); -+ hexprint(stderr, hctx->V, dctx->seedlen); -+ hexprint(stderr, hctx->C, dctx->seedlen); -+#endif -+ return 1; -+} -+ -+static int drbg_hash_reseed(DRBG_CTX *dctx, -+ const unsigned char *ent, size_t ent_len, -+ const unsigned char *adin, size_t adin_len) -+{ -+ DRBG_HASH_CTX *hctx = &dctx->d.hash; -+ /* V about to be updated so use C as output instead */ -+ if (!hash_df(dctx, hctx->C, -+ NULL, 1, hctx->V, dctx->seedlen, -+ ent, ent_len, adin, adin_len)) -+ return 0; -+ memcpy(hctx->V, hctx->C, dctx->seedlen); -+ if (!hash_df(dctx, hctx->C, NULL, 0, -+ hctx->V, dctx->seedlen, NULL, 0, NULL, 0)) -+ return 0; -+#ifdef HASH_DRBG_TRACE -+ fprintf(stderr, "V+C after reseed:\n"); -+ hexprint(stderr, hctx->V, dctx->seedlen); -+ hexprint(stderr, hctx->C, dctx->seedlen); -+#endif -+ return 1; -+} -+ -+static int drbg_hash_generate(DRBG_CTX *dctx, -+ unsigned char *out, size_t outlen, -+ const unsigned char *adin, size_t adin_len) -+{ -+ DRBG_HASH_CTX *hctx = &dctx->d.hash; -+ EVP_MD_CTX *mctx = &hctx->mctx; -+ unsigned char tmp[4]; -+ if (adin && adin_len) { -+ tmp[0] = 2; -+ if (!FIPS_digestinit(mctx, hctx->md)) -+ return 0; -+ if (!EVP_DigestUpdate(mctx, tmp, 1)) -+ return 0; -+ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen)) -+ return 0; -+ if (!EVP_DigestUpdate(mctx, adin, adin_len)) -+ return 0; -+ if (!ctx_add_md(dctx)) -+ return 0; -+ } -+ if (!hash_gen(dctx, out, outlen)) -+ return 0; -+ -+ tmp[0] = 3; -+ if (!FIPS_digestinit(mctx, hctx->md)) -+ return 0; -+ if (!EVP_DigestUpdate(mctx, tmp, 1)) -+ return 0; -+ if 
(!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen)) -+ return 0; -+ -+ if (!ctx_add_md(dctx)) -+ return 0; -+ -+ ctx_add_buf(dctx, hctx->V, hctx->C, dctx->seedlen); -+ -+ tmp[0] = (dctx->reseed_counter >> 24) & 0xff; -+ tmp[1] = (dctx->reseed_counter >> 16) & 0xff; -+ tmp[2] = (dctx->reseed_counter >> 8) & 0xff; -+ tmp[3] = dctx->reseed_counter & 0xff; -+ ctx_add_buf(dctx, hctx->V, tmp, 4); -+#ifdef HASH_DRBG_TRACE -+ fprintf(stderr, "V+C after generate:\n"); -+ hexprint(stderr, hctx->V, dctx->seedlen); -+ hexprint(stderr, hctx->C, dctx->seedlen); -+#endif -+ return 1; -+} -+ -+static int drbg_hash_uninstantiate(DRBG_CTX *dctx) -+{ -+ EVP_MD_CTX_cleanup(&dctx->d.hash.mctx); -+ OPENSSL_cleanse(&dctx->d.hash, sizeof(DRBG_HASH_CTX)); -+ return 1; -+} -+ -+int fips_drbg_hash_init(DRBG_CTX *dctx) -+{ -+ const EVP_MD *md; -+ DRBG_HASH_CTX *hctx = &dctx->d.hash; -+ md = FIPS_get_digestbynid(dctx->type); -+ if (!md) -+ return -2; -+ switch (dctx->type) { -+ case NID_sha1: -+ dctx->strength = 128; -+ break; -+ -+ case NID_sha224: -+ dctx->strength = 192; -+ break; -+ -+ default: -+ dctx->strength = 256; -+ break; -+ } -+ -+ dctx->instantiate = drbg_hash_instantiate; -+ dctx->reseed = drbg_hash_reseed; -+ dctx->generate = drbg_hash_generate; -+ dctx->uninstantiate = drbg_hash_uninstantiate; -+ -+ dctx->d.hash.md = md; -+ EVP_MD_CTX_init(&hctx->mctx); -+ -+ /* These are taken from SP 800-90 10.1 table 2 */ -+ -+ dctx->blocklength = M_EVP_MD_size(md); -+ if (dctx->blocklength > 32) -+ dctx->seedlen = 111; -+ else -+ dctx->seedlen = 55; -+ -+ dctx->min_entropy = dctx->strength / 8; -+ dctx->max_entropy = DRBG_MAX_LENGTH; -+ -+ dctx->min_nonce = dctx->min_entropy / 2; -+ dctx->max_nonce = DRBG_MAX_LENGTH; -+ -+ dctx->max_pers = DRBG_MAX_LENGTH; -+ dctx->max_adin = DRBG_MAX_LENGTH; -+ -+ dctx->max_request = 1 << 16; -+ dctx->reseed_interval = 1 << 24; -+ -+ return 1; -+} -diff --git a/crypto/fips/fips_drbg_hmac.c b/crypto/fips/fips_drbg_hmac.c -new file mode 100644 -index 
0000000..105db12 ---- /dev/null -+++ b/crypto/fips/fips_drbg_hmac.c -@@ -0,0 +1,270 @@ -+/* fips/rand/fips_drbg_hmac.c */ -+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL -+ * project. -+ */ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. 
Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ * ==================================================================== -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "fips_rand_lcl.h" -+ -+static int drbg_hmac_update(DRBG_CTX *dctx, -+ const unsigned char *in1, size_t in1len, -+ const unsigned char *in2, size_t in2len, -+ const unsigned char *in3, size_t in3len) -+{ -+ static unsigned char c0 = 0, c1 = 1; -+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac; -+ HMAC_CTX *hctx = &hmac->hctx; -+ -+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) -+ return 0; -+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) -+ return 0; -+ if (!HMAC_Update(hctx, &c0, 1)) -+ return 0; -+ if (in1len && !HMAC_Update(hctx, in1, in1len)) -+ return 0; -+ if (in2len && !HMAC_Update(hctx, in2, in2len)) -+ return 0; -+ if (in3len && !HMAC_Update(hctx, in3, in3len)) -+ return 0; -+ -+ if (!HMAC_Final(hctx, hmac->K, NULL)) -+ return 0; -+ -+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) -+ return 0; -+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) -+ return 0; -+ -+ if (!HMAC_Final(hctx, hmac->V, NULL)) -+ return 0; -+ -+ if (!in1len && !in2len && !in3len) -+ return 1; -+ -+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) -+ return 0; -+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) -+ return 0; -+ if (!HMAC_Update(hctx, &c1, 1)) -+ return 0; -+ if (in1len && !HMAC_Update(hctx, in1, in1len)) -+ return 0; -+ if (in2len && !HMAC_Update(hctx, in2, in2len)) -+ return 0; -+ if (in3len && !HMAC_Update(hctx, in3, in3len)) -+ return 0; -+ -+ if (!HMAC_Final(hctx, hmac->K, NULL)) -+ return 0; -+ -+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) -+ return 0; -+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) -+ return 0; -+ -+ if (!HMAC_Final(hctx, hmac->V, NULL)) -+ return 0; -+ -+ return 1; -+ -+} -+ -+static int drbg_hmac_instantiate(DRBG_CTX *dctx, -+ const unsigned char *ent, size_t ent_len, 
-+ const unsigned char *nonce, size_t nonce_len, -+ const unsigned char *pstr, size_t pstr_len) -+{ -+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac; -+ memset(hmac->K, 0, dctx->blocklength); -+ memset(hmac->V, 1, dctx->blocklength); -+ if (!drbg_hmac_update(dctx, -+ ent, ent_len, nonce, nonce_len, pstr, pstr_len)) -+ return 0; -+ -+#ifdef HMAC_DRBG_TRACE -+ fprintf(stderr, "K+V after instantiate:\n"); -+ hexprint(stderr, hmac->K, hmac->blocklength); -+ hexprint(stderr, hmac->V, hmac->blocklength); -+#endif -+ return 1; -+} -+ -+static int drbg_hmac_reseed(DRBG_CTX *dctx, -+ const unsigned char *ent, size_t ent_len, -+ const unsigned char *adin, size_t adin_len) -+{ -+ if (!drbg_hmac_update(dctx, ent, ent_len, adin, adin_len, NULL, 0)) -+ return 0; -+ -+#ifdef HMAC_DRBG_TRACE -+ { -+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac; -+ fprintf(stderr, "K+V after reseed:\n"); -+ hexprint(stderr, hmac->K, hmac->blocklength); -+ hexprint(stderr, hmac->V, hmac->blocklength); -+ } -+#endif -+ return 1; -+} -+ -+static int drbg_hmac_generate(DRBG_CTX *dctx, -+ unsigned char *out, size_t outlen, -+ const unsigned char *adin, size_t adin_len) -+{ -+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac; -+ HMAC_CTX *hctx = &hmac->hctx; -+ const unsigned char *Vtmp = hmac->V; -+ if (adin_len && !drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0)) -+ return 0; -+ for (;;) { -+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) -+ return 0; -+ if (!HMAC_Update(hctx, Vtmp, dctx->blocklength)) -+ return 0; -+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) { -+ if (!HMAC_Final(hctx, dctx->lb, NULL)) -+ return 0; -+ dctx->lb_valid = 1; -+ Vtmp = dctx->lb; -+ continue; -+ } else if (outlen > dctx->blocklength) { -+ if (!HMAC_Final(hctx, out, NULL)) -+ return 0; -+ if (!fips_drbg_cprng_test(dctx, out)) -+ return 0; -+ Vtmp = out; -+ } else { -+ if (!HMAC_Final(hctx, hmac->V, NULL)) -+ return 0; -+ if (!fips_drbg_cprng_test(dctx, hmac->V)) -+ return 0; -+ memcpy(out, hmac->V, outlen); -+ 
break; -+ } -+ out += dctx->blocklength; -+ outlen -= dctx->blocklength; -+ } -+ if (!drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0)) -+ return 0; -+ -+ return 1; -+} -+ -+static int drbg_hmac_uninstantiate(DRBG_CTX *dctx) -+{ -+ HMAC_CTX_cleanup(&dctx->d.hmac.hctx); -+ OPENSSL_cleanse(&dctx->d.hmac, sizeof(DRBG_HMAC_CTX)); -+ return 1; -+} -+ -+int fips_drbg_hmac_init(DRBG_CTX *dctx) -+{ -+ const EVP_MD *md = NULL; -+ DRBG_HMAC_CTX *hctx = &dctx->d.hmac; -+ dctx->strength = 256; -+ switch (dctx->type) { -+ case NID_hmacWithSHA1: -+ md = EVP_sha1(); -+ dctx->strength = 128; -+ break; -+ -+ case NID_hmacWithSHA224: -+ md = EVP_sha224(); -+ dctx->strength = 192; -+ break; -+ -+ case NID_hmacWithSHA256: -+ md = EVP_sha256(); -+ break; -+ -+ case NID_hmacWithSHA384: -+ md = EVP_sha384(); -+ break; -+ -+ case NID_hmacWithSHA512: -+ md = EVP_sha512(); -+ break; -+ -+ default: -+ dctx->strength = 0; -+ return -2; -+ } -+ dctx->instantiate = drbg_hmac_instantiate; -+ dctx->reseed = drbg_hmac_reseed; -+ dctx->generate = drbg_hmac_generate; -+ dctx->uninstantiate = drbg_hmac_uninstantiate; -+ HMAC_CTX_init(&hctx->hctx); -+ hctx->md = md; -+ dctx->blocklength = M_EVP_MD_size(md); -+ dctx->seedlen = M_EVP_MD_size(md); -+ -+ dctx->min_entropy = dctx->strength / 8; -+ dctx->max_entropy = DRBG_MAX_LENGTH; -+ -+ dctx->min_nonce = dctx->min_entropy / 2; -+ dctx->max_nonce = DRBG_MAX_LENGTH; -+ -+ dctx->max_pers = DRBG_MAX_LENGTH; -+ dctx->max_adin = DRBG_MAX_LENGTH; -+ -+ dctx->max_request = 1 << 16; -+ dctx->reseed_interval = 1 << 24; -+ -+ return 1; -+} -diff --git a/crypto/fips/fips_drbg_lib.c b/crypto/fips/fips_drbg_lib.c -new file mode 100644 -index 0000000..1a71322 ---- /dev/null -+++ b/crypto/fips/fips_drbg_lib.c -@@ -0,0 +1,553 @@ -+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL -+ * project. -+ */ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. 
-+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#include
-+#include
-+#include
-+#include
-+#include "fips_locl.h"
-+#include "fips_rand_lcl.h"
-+
-+/* Support framework for SP800-90 DRBGs */
-+
-+int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)
-+{
-+ int rv;
-+ memset(dctx, 0, sizeof(DRBG_CTX));
-+ dctx->status = DRBG_STATUS_UNINITIALISED;
-+ dctx->xflags = flags;
-+ dctx->type = type;
-+
-+ dctx->iflags = 0;
-+ dctx->entropy_blocklen = 0;
-+ dctx->health_check_cnt = 0;
-+ dctx->health_check_interval = DRBG_HEALTH_INTERVAL;
-+
-+ rv = fips_drbg_hash_init(dctx);
-+
-+ if (rv == -2)
-+ rv = fips_drbg_ctr_init(dctx);
-+ if (rv == -2)
-+ rv = fips_drbg_hmac_init(dctx);
-+
-+ if (rv <= 0) {
-+ if (rv == -2)
-+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE);
-+ else
-+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG);
-+ }
-+
-+ /* If not in test mode run selftests on DRBG of the same type */
-+
-+ if (!(dctx->xflags & DRBG_FLAG_TEST)) {
-+ if (!FIPS_drbg_health_check(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);
-+ return 0;
-+ }
-+ }
-+
-+ return rv;
-+}
-+
-+DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags)
-+{
-+ DRBG_CTX *dctx;
-+ dctx = OPENSSL_malloc(sizeof(DRBG_CTX));
-+ if (!dctx) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE);
-+ return NULL;
-+ }
-+
-+ if (type == 0) {
-+ memset(dctx, 0,
sizeof(DRBG_CTX));
-+ dctx->type = 0;
-+ dctx->status = DRBG_STATUS_UNINITIALISED;
-+ return dctx;
-+ }
-+
-+ if (FIPS_drbg_init(dctx, type, flags) <= 0) {
-+ OPENSSL_free(dctx);
-+ return NULL;
-+ }
-+
-+ return dctx;
-+}
-+
-+void FIPS_drbg_free(DRBG_CTX *dctx)
-+{
-+ if (dctx->uninstantiate)
-+ dctx->uninstantiate(dctx);
-+ /* Don't free up default DRBG */
-+ if (dctx == FIPS_get_default_drbg()) {
-+ memset(dctx, 0, sizeof(DRBG_CTX));
-+ dctx->type = 0;
-+ dctx->status = DRBG_STATUS_UNINITIALISED;
-+ } else {
-+ OPENSSL_cleanse(&dctx->d, sizeof(dctx->d));
-+ OPENSSL_free(dctx);
-+ }
-+}
-+
-+static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len)
-+{
-+ unsigned char *tout, *p;
-+ size_t bl = dctx->entropy_blocklen, rv;
-+ if (!dctx->get_entropy)
-+ return 0;
-+ if (dctx->xflags & DRBG_FLAG_TEST || !bl)
-+ return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
-+ rv = dctx->get_entropy(dctx, &tout, entropy + bl,
-+ min_len + bl, max_len + bl);
-+ if (tout == NULL)
-+ return 0;
-+ *pout = tout + bl;
-+ if (rv < (min_len + bl) || (rv % bl))
-+ return 0;
-+ /* Compare consecutive blocks for continuous PRNG test */
-+ for (p = tout; p < tout + rv - bl; p += bl) {
-+ if (!memcmp(p, p + bl, bl)) {
-+ FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK);
-+ return 0;
-+ }
-+ }
-+ rv -= bl;
-+ if (rv > max_len)
-+ return max_len;
-+ return rv;
-+}
-+
-+static void fips_cleanup_entropy(DRBG_CTX *dctx,
-+ unsigned char *out, size_t olen)
-+{
-+ size_t bl;
-+ if (dctx->xflags & DRBG_FLAG_TEST)
-+ bl = 0;
-+ else
-+ bl = dctx->entropy_blocklen;
-+ /* Call cleanup with original arguments */
-+ dctx->cleanup_entropy(dctx, out - bl, olen + bl);
-+}
-+
-+int FIPS_drbg_instantiate(DRBG_CTX *dctx,
-+ const unsigned char *pers, size_t perslen)
-+{
-+ size_t entlen = 0, noncelen = 0;
-+ unsigned char *nonce = NULL, *entropy = NULL;
-+
-+#if 0
-+ /* Put here so error script picks them up */
-+
FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE,
-+ FIPS_R_PERSONALISATION_STRING_TOO_LONG);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED);
-+#endif
-+
-+ int r = 0;
-+
-+ if (perslen > dctx->max_pers) {
-+ r = FIPS_R_PERSONALISATION_STRING_TOO_LONG;
-+ goto end;
-+ }
-+
-+ if (!dctx->instantiate) {
-+ r = FIPS_R_DRBG_NOT_INITIALISED;
-+ goto end;
-+ }
-+
-+ if (dctx->status != DRBG_STATUS_UNINITIALISED) {
-+ if (dctx->status == DRBG_STATUS_ERROR)
-+ r = FIPS_R_IN_ERROR_STATE;
-+ else
-+ r = FIPS_R_ALREADY_INSTANTIATED;
-+ goto end;
-+ }
-+
-+ dctx->status = DRBG_STATUS_ERROR;
-+
-+ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
-+ dctx->min_entropy, dctx->max_entropy);
-+
-+ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
-+ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
-+ goto end;
-+ }
-+
-+ if (dctx->max_nonce > 0 && dctx->get_nonce) {
-+ noncelen = dctx->get_nonce(dctx, &nonce,
-+ dctx->strength / 2,
-+ dctx->min_nonce, dctx->max_nonce);
-+
-+ if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) {
-+ r = FIPS_R_ERROR_RETRIEVING_NONCE;
-+ goto end;
-+ }
-+
-+ }
-+
-+ if (!dctx->instantiate(dctx,
-+ entropy, entlen, nonce, noncelen, pers, perslen)) {
-+ r = FIPS_R_ERROR_INSTANTIATING_DRBG;
-+ goto end;
-+ }
-+
-+ dctx->status = DRBG_STATUS_READY;
-+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
-+ dctx->reseed_counter = 1;
-+
-+ end:
-+
-+ if (entropy && dctx->cleanup_entropy)
-+ fips_cleanup_entropy(dctx, entropy, entlen);
-+
-+ if (nonce && dctx->cleanup_nonce)
-+ dctx->cleanup_nonce(dctx, nonce, noncelen);
-+
-+ if (dctx->status == DRBG_STATUS_READY)
-+ return 1;
-+
-+ if (r &&
!(dctx->iflags & DRBG_FLAG_NOERR))
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r);
-+
-+ return 0;
-+
-+}
-+
-+static int drbg_reseed(DRBG_CTX *dctx,
-+ const unsigned char *adin, size_t adinlen, int hcheck)
-+{
-+ unsigned char *entropy = NULL;
-+ size_t entlen = 0;
-+ int r = 0;
-+
-+#if 0
-+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED);
-+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
-+#endif
-+ if (dctx->status != DRBG_STATUS_READY
-+ && dctx->status != DRBG_STATUS_RESEED) {
-+ if (dctx->status == DRBG_STATUS_ERROR)
-+ r = FIPS_R_IN_ERROR_STATE;
-+ else if (dctx->status == DRBG_STATUS_UNINITIALISED)
-+ r = FIPS_R_NOT_INSTANTIATED;
-+ goto end;
-+ }
-+
-+ if (!adin)
-+ adinlen = 0;
-+ else if (adinlen > dctx->max_adin) {
-+ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
-+ goto end;
-+ }
-+
-+ dctx->status = DRBG_STATUS_ERROR;
-+ /* Peform health check on all reseed operations if not a prediction
-+ * resistance request and not in test mode.
-+ */
-+ if (hcheck && !(dctx->xflags & DRBG_FLAG_TEST)) {
-+ if (!FIPS_drbg_health_check(dctx)) {
-+ r = FIPS_R_SELFTEST_FAILURE;
-+ goto end;
-+ }
-+ }
-+
-+ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
-+ dctx->min_entropy, dctx->max_entropy);
-+
-+ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
-+ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
-+ goto end;
-+ }
-+
-+ if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen))
-+ goto end;
-+
-+ dctx->status = DRBG_STATUS_READY;
-+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
-+ dctx->reseed_counter = 1;
-+ end:
-+
-+ if (entropy && dctx->cleanup_entropy)
-+ fips_cleanup_entropy(dctx, entropy, entlen);
-+
-+ if (dctx->status == DRBG_STATUS_READY)
-+ return 1;
-+
-+ if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
-+ FIPSerr(FIPS_F_DRBG_RESEED, r);
-+
-+ return 0;
-+}
-+
-+int FIPS_drbg_reseed(DRBG_CTX *dctx,
-+ const unsigned char *adin, size_t adinlen)
-+{
-+ return drbg_reseed(dctx, adin, adinlen, 1);
-+}
-+
-+static int fips_drbg_check(DRBG_CTX
*dctx)
-+{
-+ if (dctx->xflags & DRBG_FLAG_TEST)
-+ return 1;
-+ dctx->health_check_cnt++;
-+ if (dctx->health_check_cnt >= dctx->health_check_interval) {
-+ if (!FIPS_drbg_health_check(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE);
-+ return 0;
-+ }
-+ }
-+ return 1;
-+}
-+
-+int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
-+ int prediction_resistance,
-+ const unsigned char *adin, size_t adinlen)
-+{
-+ int r = 0;
-+
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ if (!fips_drbg_check(dctx))
-+ return 0;
-+
-+ if (dctx->status != DRBG_STATUS_READY
-+ && dctx->status != DRBG_STATUS_RESEED) {
-+ if (dctx->status == DRBG_STATUS_ERROR)
-+ r = FIPS_R_IN_ERROR_STATE;
-+ else if (dctx->status == DRBG_STATUS_UNINITIALISED)
-+ r = FIPS_R_NOT_INSTANTIATED;
-+ goto end;
-+ }
-+
-+ if (outlen > dctx->max_request) {
-+ r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
-+ return 0;
-+ }
-+
-+ if (adinlen > dctx->max_adin) {
-+ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
-+ goto end;
-+ }
-+
-+ if (dctx->iflags & DRBG_CUSTOM_RESEED)
-+ dctx->generate(dctx, NULL, outlen, NULL, 0);
-+ else if (dctx->reseed_counter >= dctx->reseed_interval)
-+ dctx->status = DRBG_STATUS_RESEED;
-+
-+ if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) {
-+ /* If prediction resistance request don't do health check */
-+ int hcheck = prediction_resistance ?
0 : 1;
-+
-+ if (!drbg_reseed(dctx, adin, adinlen, hcheck)) {
-+ r = FIPS_R_RESEED_ERROR;
-+ goto end;
-+ }
-+ adin = NULL;
-+ adinlen = 0;
-+ }
-+
-+ if (!dctx->generate(dctx, out, outlen, adin, adinlen)) {
-+ r = FIPS_R_GENERATE_ERROR;
-+ dctx->status = DRBG_STATUS_ERROR;
-+ goto end;
-+ }
-+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) {
-+ if (dctx->reseed_counter >= dctx->reseed_interval)
-+ dctx->status = DRBG_STATUS_RESEED;
-+ else
-+ dctx->reseed_counter++;
-+ }
-+
-+ end:
-+ if (r) {
-+ if (!(dctx->iflags & DRBG_FLAG_NOERR))
-+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);
-+ return 0;
-+ }
-+
-+ return 1;
-+}
-+
-+int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)
-+{
-+ int rv;
-+ if (!dctx->uninstantiate)
-+ rv = 1;
-+ else
-+ rv = dctx->uninstantiate(dctx);
-+ /* Although we'd like to cleanse here we can't because we have to
-+ * test the uninstantiate really zeroes the data.
-+ */
-+ memset(&dctx->d, 0, sizeof(dctx->d));
-+ dctx->status = DRBG_STATUS_UNINITIALISED;
-+ /* If method has problems uninstantiating, return error */
-+ return rv;
-+}
-+
-+int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_entropy) (DRBG_CTX *ctx,
-+ unsigned char **pout,
-+ int entropy,
-+ size_t min_len,
-+ size_t max_len),
-+ void (*cleanup_entropy) (DRBG_CTX *ctx,
-+ unsigned char *out,
-+ size_t olen),
-+ size_t entropy_blocklen,
-+ size_t (*get_nonce) (DRBG_CTX *ctx,
-+ unsigned char **pout,
-+ int entropy, size_t min_len,
-+ size_t max_len),
-+ void (*cleanup_nonce) (DRBG_CTX *ctx,
-+ unsigned char *out,
-+ size_t olen))
-+{
-+ if (dctx->status != DRBG_STATUS_UNINITIALISED)
-+ return 0;
-+ dctx->entropy_blocklen = entropy_blocklen;
-+ dctx->get_entropy = get_entropy;
-+ dctx->cleanup_entropy = cleanup_entropy;
-+ dctx->get_nonce = get_nonce;
-+ dctx->cleanup_nonce = cleanup_nonce;
-+ return 1;
-+}
-+
-+int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_adin) (DRBG_CTX *ctx,
-+ unsigned char **pout),
-+ void (*cleanup_adin) (DRBG_CTX *ctx,
-+ unsigned char *out,
-+ size_t olen),
-+ int (*rand_seed_cb) (DRBG_CTX *ctx,
-+ const void *buf,
-+ int num),
-+ int (*rand_add_cb) (DRBG_CTX *ctx,
-+ const void *buf, int num,
-+ double entropy))
-+{
-+ if (dctx->status != DRBG_STATUS_UNINITIALISED)
-+ return 0;
-+ dctx->get_adin = get_adin;
-+ dctx->cleanup_adin = cleanup_adin;
-+ dctx->rand_seed_cb = rand_seed_cb;
-+ dctx->rand_add_cb = rand_add_cb;
-+ return 1;
-+}
-+
-+void *FIPS_drbg_get_app_data(DRBG_CTX *dctx)
-+{
-+ return dctx->app_data;
-+}
-+
-+void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data)
-+{
-+ dctx->app_data = app_data;
-+}
-+
-+size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)
-+{
-+ return dctx->blocklength;
-+}
-+
-+int FIPS_drbg_get_strength(DRBG_CTX *dctx)
-+{
-+ return dctx->strength;
-+}
-+
-+void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval)
-+{
-+ dctx->health_check_interval = interval;
-+}
-+
-+void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval)
-+{
-+ dctx->reseed_interval = interval;
-+}
-+
-+static int drbg_stick = 0;
-+
-+void FIPS_drbg_stick(int onoff)
-+{
-+ drbg_stick = onoff;
-+}
-+
-+/* Continuous DRBG utility function */
-+int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out)
-+{
-+ /* No CPRNG in test mode */
-+ if (dctx->xflags & DRBG_FLAG_TEST)
-+ return 1;
-+ /* Check block is valid: should never happen */
-+ if (dctx->lb_valid == 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_INTERNAL_ERROR);
-+ fips_set_selftest_fail();
-+ return 0;
-+ }
-+ if (drbg_stick)
-+ memcpy(dctx->lb, out, dctx->blocklength);
-+ /* Check against last block: fail if match */
-+ if (!memcmp(dctx->lb, out, dctx->blocklength)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_DRBG_STUCK);
-+ fips_set_selftest_fail();
-+ return 0;
-+ }
-+ /* Save last block for next comparison */
-+ memcpy(dctx->lb, out, dctx->blocklength);
-+ return 1;
-+}
-diff --git a/crypto/fips/fips_drbg_rand.c b/crypto/fips/fips_drbg_rand.c
-new file mode 100644
-index 0000000..43600dd
----
/dev/null
-+++ b/crypto/fips/fips_drbg_rand.c
-@@ -0,0 +1,166 @@
-+/* fips/rand/fips_drbg_rand.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6.
Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include "fips_rand_lcl.h"
-+
-+/* Mapping of SP800-90 DRBGs to OpenSSL RAND_METHOD */
-+
-+/* Since we only have one global PRNG used at any time in OpenSSL use a global
-+ * variable to store context.
-+ */
-+
-+static DRBG_CTX ossl_dctx;
-+
-+DRBG_CTX *FIPS_get_default_drbg(void)
-+{
-+ return &ossl_dctx;
-+}
-+
-+static int fips_drbg_bytes(unsigned char *out, int count)
-+{
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ int rv = 0;
-+ unsigned char *adin = NULL;
-+ size_t adinlen = 0;
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ do {
-+ size_t rcnt;
-+ if (count > (int)dctx->max_request)
-+ rcnt = dctx->max_request;
-+ else
-+ rcnt = count;
-+ if (dctx->get_adin) {
-+ adinlen = dctx->get_adin(dctx, &adin);
-+ if (adinlen && !adin) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_BYTES,
-+ FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT);
-+ goto err;
-+ }
-+ }
-+ rv = FIPS_drbg_generate(dctx, out, rcnt, 0, adin, adinlen);
-+ if (adin) {
-+ if (dctx->cleanup_adin)
-+ dctx->cleanup_adin(dctx, adin, adinlen);
-+ adin = NULL;
-+ }
-+ if (!rv)
-+ goto err;
-+ out += rcnt;
-+ count -= rcnt;
-+ }
-+ while (count);
-+ rv = 1;
-+ err:
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ return rv;
-+}
-+
-+static int fips_drbg_pseudo(unsigned char *out, int count)
-+{
-+ if (fips_drbg_bytes(out, count) <= 0)
-+ return -1;
-+ return 1;
-+}
-+
-+static int fips_drbg_status(void)
-+{
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ int rv;
-+ CRYPTO_r_lock(CRYPTO_LOCK_RAND);
-+ rv = dctx->status == DRBG_STATUS_READY ?
1 : 0;
-+ CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
-+ return rv;
-+}
-+
-+static void fips_drbg_cleanup(void)
-+{
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ FIPS_drbg_uninstantiate(dctx);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+}
-+
-+static int fips_drbg_seed(const void *seed, int seedlen)
-+{
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ if (dctx->rand_seed_cb)
-+ return dctx->rand_seed_cb(dctx, seed, seedlen);
-+ return 1;
-+}
-+
-+static int fips_drbg_add(const void *seed, int seedlen, double add_entropy)
-+{
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ if (dctx->rand_add_cb)
-+ return dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
-+ return 1;
-+}
-+
-+static const RAND_METHOD rand_drbg_meth = {
-+ fips_drbg_seed,
-+ fips_drbg_bytes,
-+ fips_drbg_cleanup,
-+ fips_drbg_add,
-+ fips_drbg_pseudo,
-+ fips_drbg_status
-+};
-+
-+const RAND_METHOD *FIPS_drbg_method(void)
-+{
-+ return &rand_drbg_meth;
-+}
-diff --git a/crypto/fips/fips_drbg_selftest.c b/crypto/fips/fips_drbg_selftest.c
-new file mode 100644
-index 0000000..1397202
---- /dev/null
-+++ b/crypto/fips/fips_drbg_selftest.c
-@@ -0,0 +1,827 @@
-+/* fips/rand/fips_drbg_selftest.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3.
All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#include
-+#include
-+#include
-+#include
-+#include "fips_rand_lcl.h"
-+#include "fips_locl.h"
-+
-+#include "fips_drbg_selftest.h"
-+
-+typedef struct {
-+ int post;
-+ int nid;
-+ unsigned int flags;
-+
-+ /* KAT data for no PR */
-+ const unsigned char *ent;
-+ size_t entlen;
-+ const unsigned char *nonce;
-+ size_t noncelen;
-+ const unsigned char *pers;
-+ size_t perslen;
-+ const unsigned char *adin;
-+ size_t adinlen;
-+ const unsigned char *entreseed;
-+ size_t entreseedlen;
-+ const unsigned char *adinreseed;
-+ size_t adinreseedlen;
-+ const unsigned char *adin2;
-+ size_t adin2len;
-+ const unsigned char *kat;
-+ size_t katlen;
-+ const unsigned char *kat2;
-+ size_t kat2len;
-+
-+ /* KAT data for PR */
-+ const unsigned char *ent_pr;
-+ size_t entlen_pr;
-+ const unsigned char *nonce_pr;
-+ size_t noncelen_pr;
-+ const unsigned char *pers_pr;
-+ size_t perslen_pr;
-+ const unsigned char *adin_pr;
-+ size_t adinlen_pr;
-+ const unsigned char *entpr_pr;
-+ size_t entprlen_pr;
-+ const unsigned char *ading_pr;
-+ size_t adinglen_pr;
-+ const unsigned char *entg_pr;
-+ size_t entglen_pr;
-+ const unsigned char *kat_pr;
-+ size_t katlen_pr;
-+ const unsigned char *kat2_pr;
-+ size_t kat2len_pr;
-+
-+} DRBG_SELFTEST_DATA;
-+
-+#define make_drbg_test_data(nid, flag, pr, p) {p, nid, flag | DRBG_FLAG_TEST, \
-+ pr##_entropyinput, sizeof(pr##_entropyinput), \
-+ pr##_nonce, sizeof(pr##_nonce), \
-+ pr##_personalizationstring, sizeof(pr##_personalizationstring), \
-+ pr##_additionalinput, sizeof(pr##_additionalinput), \
-+ pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
-+ pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
-+ pr##_additionalinput2, sizeof(pr##_additionalinput2), \
-+ pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
-+ pr##_returnedbits, sizeof(pr##_returnedbits), \
-+ pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
-+
pr##_pr_nonce, sizeof(pr##_pr_nonce), \
-+ pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
-+ pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
-+ pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
-+ pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
-+ pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
-+ pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
-+ pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits), \
-+ }
-+
-+#define make_drbg_test_data_df(nid, pr, p) \
-+ make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr, p)
-+
-+#define make_drbg_test_data_ec(curve, md, pr, p) \
-+ make_drbg_test_data((curve << 16) | md , 0, pr, p)
-+
-+static DRBG_SELFTEST_DATA drbg_test[] = {
-+ make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0),
-+ make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0),
-+ make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1),
-+ make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df, 0),
-+ make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df, 0),
-+ make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df, 1),
-+ make_drbg_test_data(NID_sha1, 0, sha1, 0),
-+ make_drbg_test_data(NID_sha224, 0, sha224, 0),
-+ make_drbg_test_data(NID_sha256, 0, sha256, 1),
-+ make_drbg_test_data(NID_sha384, 0, sha384, 0),
-+ make_drbg_test_data(NID_sha512, 0, sha512, 0),
-+ make_drbg_test_data(NID_hmacWithSHA1, 0, hmac_sha1, 0),
-+ make_drbg_test_data(NID_hmacWithSHA224, 0, hmac_sha224, 0),
-+ make_drbg_test_data(NID_hmacWithSHA256, 0, hmac_sha256, 1),
-+ make_drbg_test_data(NID_hmacWithSHA384, 0, hmac_sha384, 0),
-+ make_drbg_test_data(NID_hmacWithSHA512, 0, hmac_sha512, 0),
-+ {0, 0, 0}
-+};
-+
-+typedef struct {
-+ const unsigned char *ent;
-+ size_t entlen;
-+ int entcnt;
-+ const unsigned char *nonce;
-+ size_t noncelen;
-+ int noncecnt;
-+} TEST_ENT;
-+
-+static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len)
-+{
-+
TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
-+ *pout = (unsigned char *)t->ent;
-+ t->entcnt++;
-+ return t->entlen;
-+}
-+
-+static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len)
-+{
-+ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
-+ *pout = (unsigned char *)t->nonce;
-+ t->noncecnt++;
-+ return t->noncelen;
-+}
-+
-+static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td,
-+ int quick)
-+{
-+ TEST_ENT t;
-+ int rv = 0;
-+ size_t adinlen;
-+ unsigned char randout[1024];
-+
-+ /* Initial test without PR */
-+
-+ /* Instantiate DRBG with test entropy, nonce and personalisation
-+ * string.
-+ */
-+
-+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
-+ return 0;
-+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
-+ return 0;
-+
-+ FIPS_drbg_set_app_data(dctx, &t);
-+
-+ t.ent = td->ent;
-+ t.entlen = td->entlen;
-+ t.nonce = td->nonce;
-+ t.noncelen = td->noncelen;
-+ t.entcnt = 0;
-+ t.noncecnt = 0;
-+
-+ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
-+ goto err;
-+
-+ /* Note for CTR without DF some additional input values
-+ * ignore bytes after the keylength: so reduce adinlen
-+ * to half to ensure invalid data is fed in.
-+ */
-+ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
-+ adinlen = td->adinlen / 2;
-+ else
-+ adinlen = td->adinlen;
-+
-+ /* Generate with no PR and verify output matches expected data */
-+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, td->adin, adinlen))
-+ goto err;
-+
-+ if (memcmp(randout, td->kat, td->katlen)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST1_FAILURE);
-+ goto err2;
-+ }
-+ /* If abbreviated POST end of test */
-+ if (quick) {
-+ rv = 1;
-+ goto err;
-+ }
-+ /* Reseed DRBG with test entropy and additional input */
-+ t.ent = td->entreseed;
-+ t.entlen = td->entreseedlen;
-+
-+ if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen))
-+ goto err;
-+
-+ /* Generate with no PR and verify output matches expected data */
-+ if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0,
-+ td->adin2, td->adin2len))
-+ goto err;
-+
-+ if (memcmp(randout, td->kat2, td->kat2len)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST2_FAILURE);
-+ goto err2;
-+ }
-+
-+ FIPS_drbg_uninstantiate(dctx);
-+
-+ /* Now test with PR */
-+
-+ /* Instantiate DRBG with test entropy, nonce and personalisation
-+ * string.
-+ */
-+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
-+ return 0;
-+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
-+ return 0;
-+
-+ FIPS_drbg_set_app_data(dctx, &t);
-+
-+ t.ent = td->ent_pr;
-+ t.entlen = td->entlen_pr;
-+ t.nonce = td->nonce_pr;
-+ t.noncelen = td->noncelen_pr;
-+ t.entcnt = 0;
-+ t.noncecnt = 0;
-+
-+ if (!FIPS_drbg_instantiate(dctx, td->pers_pr, td->perslen_pr))
-+ goto err;
-+
-+ /* Now generate with PR: we need to supply entropy as this will
-+ * perform a reseed operation. Check output matches expected value.
-+ */
-+
-+ t.ent = td->entpr_pr;
-+ t.entlen = td->entprlen_pr;
-+
-+ /* Note for CTR without DF some additional input values
-+ * ignore bytes after the keylength: so reduce adinlen
-+ * to half to ensure invalid data is fed in.
-+ */
-+ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
-+ adinlen = td->adinlen_pr / 2;
-+ else
-+ adinlen = td->adinlen_pr;
-+ if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 1,
-+ td->adin_pr, adinlen))
-+ goto err;
-+
-+ if (memcmp(randout, td->kat_pr, td->katlen_pr)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST1_FAILURE);
-+ goto err2;
-+ }
-+
-+ /* Now generate again with PR: supply new entropy again.
-+ * Check output matches expected value.
-+ */
-+
-+ t.ent = td->entg_pr;
-+ t.entlen = td->entglen_pr;
-+
-+ if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 1,
-+ td->ading_pr, td->adinglen_pr))
-+ goto err;
-+
-+ if (memcmp(randout, td->kat2_pr, td->kat2len_pr)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST2_FAILURE);
-+ goto err2;
-+ }
-+ /* All OK, test complete */
-+ rv = 1;
-+
-+ err:
-+ if (rv == 0)
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED);
-+ err2:
-+ FIPS_drbg_uninstantiate(dctx);
-+
-+ return rv;
-+
-+}
-+
-+/* Initialise a DRBG based on selftest data */
-+
-+static int do_drbg_init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, TEST_ENT * t)
-+{
-+
-+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
-+ return 0;
-+
-+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
-+ return 0;
-+
-+ FIPS_drbg_set_app_data(dctx, t);
-+
-+ t->ent = td->ent;
-+ t->entlen = td->entlen;
-+ t->nonce = td->nonce;
-+ t->noncelen = td->noncelen;
-+ t->entcnt = 0;
-+ t->noncecnt = 0;
-+ return 1;
-+}
-+
-+/* Initialise and instantiate DRBG based on selftest data */
-+static int do_drbg_instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td,
-+ TEST_ENT * t)
-+{
-+ if (!do_drbg_init(dctx, td, t))
-+ return 0;
-+ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
-+ return 0;
-+
-+ return 1;
-+}
-+
-+/* This function performs extensive error checking as required by SP800-90.
-+ * Induce several failure modes and check an error condition is set.
-+ * This function along with fips_drbg_single_kat peforms the health checking
-+ * operation.
-+ */
-+
-+static int fips_drbg_error_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td)
-+{
-+ unsigned char randout[1024];
-+ TEST_ENT t;
-+ size_t i;
-+ unsigned int reseed_counter_tmp;
-+ unsigned char *p = (unsigned char *)dctx;
-+
-+ /* Initialise DRBG */
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ /* Don't report induced errors */
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ /* Personalisation string tests */
-+
-+ /* Test detection of too large personlisation string */
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_PERSONALISATION_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ /* Entropy source tests */
-+
-+ /* Test entropy source failure detecion: i.e. returns no data */
-+
-+ t.entlen = 0;
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ /* Try to generate output from uninstantiated DRBG */
-+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
-+ td->adin, td->adinlen)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_GENERATE_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ /* Test insufficient entropy */
-+
-+ t.entlen = dctx->min_entropy - 1;
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Test too much entropy */
-+ -+ if (!do_drbg_init(dctx, td, &t)) -+ goto err; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ t.entlen = dctx->max_entropy + 1; -+ -+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ /* Nonce tests */ -+ -+ /* Test too small nonce */ -+ -+ if (dctx->min_nonce) { -+ -+ if (!do_drbg_init(dctx, td, &t)) -+ goto err; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ t.noncelen = dctx->min_nonce - 1; -+ -+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_NONCE_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ } -+ -+ /* Test too large nonce */ -+ -+ if (dctx->max_nonce) { -+ -+ if (!do_drbg_init(dctx, td, &t)) -+ goto err; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ t.noncelen = dctx->max_nonce + 1; -+ -+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_NONCE_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ } -+ -+ /* Instantiate with valid data. 
*/ -+ if (!do_drbg_instantiate(dctx, td, &t)) -+ goto err; -+ -+ /* Check generation is now OK */ -+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, -+ td->adin, td->adinlen)) -+ goto err; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ /* Request too much data for one request */ -+ if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0, -+ td->adin, td->adinlen)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ /* Try too large additional input */ -+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, -+ td->adin, dctx->max_adin + 1)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ /* Check prediction resistance request fails if entropy source -+ * failure. -+ */ -+ -+ t.entlen = 0; -+ -+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1, -+ td->adin, td->adinlen)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ /* Instantiate again with valid data */ -+ -+ if (!do_drbg_instantiate(dctx, td, &t)) -+ goto err; -+ /* Test reseed counter works */ -+ /* Save initial reseed counter */ -+ reseed_counter_tmp = dctx->reseed_counter; -+ /* Set reseed counter to beyond interval */ -+ dctx->reseed_counter = dctx->reseed_interval; -+ -+ /* Generate output and check entropy has been requested for reseed */ -+ t.entcnt = 0; -+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, -+ td->adin, td->adinlen)) -+ goto err; -+ if (t.entcnt != 1) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED); -+ goto err; -+ } -+ /* Check reseed counter has been reset */ -+ if (dctx->reseed_counter != reseed_counter_tmp + 1) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR); -+ 
goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ /* Check prediction resistance request fails if entropy source -+ * failure. -+ */ -+ -+ t.entlen = 0; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1, -+ td->adin, td->adinlen)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ if (!do_drbg_instantiate(dctx, td, &t)) -+ goto err; -+ /* Test reseed counter works */ -+ /* Save initial reseed counter */ -+ reseed_counter_tmp = dctx->reseed_counter; -+ /* Set reseed counter to beyond interval */ -+ dctx->reseed_counter = dctx->reseed_interval; -+ -+ /* Generate output and check entropy has been requested for reseed */ -+ t.entcnt = 0; -+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, -+ td->adin, td->adinlen)) -+ goto err; -+ if (t.entcnt != 1) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED); -+ goto err; -+ } -+ /* Check reseed counter has been reset */ -+ if (dctx->reseed_counter != reseed_counter_tmp + 1) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR); -+ goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ /* Explicit reseed tests */ -+ -+ /* Test explicit reseed with too large additional input */ -+ if (!do_drbg_init(dctx, td, &t)) -+ goto err; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ if (FIPS_drbg_reseed(dctx, td->adin, dctx->max_adin + 1) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED); -+ goto err; -+ } 
-+ -+ /* Test explicit reseed with entropy source failure */ -+ -+ t.entlen = 0; -+ -+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ /* Test explicit reseed with too much entropy */ -+ -+ if (!do_drbg_init(dctx, td, &t)) -+ goto err; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ t.entlen = dctx->max_entropy + 1; -+ -+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ /* Test explicit reseed with too little entropy */ -+ -+ if (!do_drbg_init(dctx, td, &t)) -+ goto err; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ t.entlen = dctx->min_entropy - 1; -+ -+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ p = (unsigned char *)&dctx->d; -+ /* Standard says we have to check uninstantiate really zeroes -+ * the data... -+ */ -+ for (i = 0; i < sizeof(dctx->d); i++) { -+ if (*p != 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_UNINSTANTIATE_ZEROISE_ERROR); -+ goto err; -+ } -+ p++; -+ } -+ -+ return 1; -+ -+ err: -+ /* A real error as opposed to an induced one: underlying function will -+ * indicate the error. 
-+ */ -+ if (!(dctx->iflags & DRBG_FLAG_NOERR)) -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_FUNCTION_ERROR); -+ FIPS_drbg_uninstantiate(dctx); -+ return 0; -+ -+} -+ -+int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags) -+{ -+ DRBG_SELFTEST_DATA *td; -+ flags |= DRBG_FLAG_TEST; -+ for (td = drbg_test; td->nid != 0; td++) { -+ if (td->nid == nid && td->flags == flags) { -+ if (!fips_drbg_single_kat(dctx, td, 0)) -+ return 0; -+ return fips_drbg_error_check(dctx, td); -+ } -+ } -+ return 0; -+} -+ -+int FIPS_drbg_health_check(DRBG_CTX *dctx) -+{ -+ int rv; -+ DRBG_CTX *tctx = NULL; -+ tctx = FIPS_drbg_new(0, 0); -+ fips_post_started(FIPS_TEST_DRBG, dctx->type, &dctx->xflags); -+ if (!tctx) -+ return 0; -+ rv = fips_drbg_kat(tctx, dctx->type, dctx->xflags); -+ if (tctx) -+ FIPS_drbg_free(tctx); -+ if (rv) -+ fips_post_success(FIPS_TEST_DRBG, dctx->type, &dctx->xflags); -+ else -+ fips_post_failed(FIPS_TEST_DRBG, dctx->type, &dctx->xflags); -+ if (!rv) -+ dctx->status = DRBG_STATUS_ERROR; -+ else -+ dctx->health_check_cnt = 0; -+ return rv; -+} -+ -+int FIPS_selftest_drbg(void) -+{ -+ DRBG_CTX *dctx; -+ DRBG_SELFTEST_DATA *td; -+ int rv = 1; -+ dctx = FIPS_drbg_new(0, 0); -+ if (!dctx) -+ return 0; -+ for (td = drbg_test; td->nid != 0; td++) { -+ if (td->post != 1) -+ continue; -+ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags)) -+ return 1; -+ if (!fips_drbg_single_kat(dctx, td, 1)) { -+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags); -+ rv = 0; -+ continue; -+ } -+ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags)) -+ return 0; -+ } -+ FIPS_drbg_free(dctx); -+ return rv; -+} -+ -+int FIPS_selftest_drbg_all(void) -+{ -+ DRBG_CTX *dctx; -+ DRBG_SELFTEST_DATA *td; -+ int rv = 1; -+ dctx = FIPS_drbg_new(0, 0); -+ if (!dctx) -+ return 0; -+ for (td = drbg_test; td->nid != 0; td++) { -+ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags)) -+ return 1; -+ if (!fips_drbg_single_kat(dctx, td, 0)) { -+ 
fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags); -+ rv = 0; -+ continue; -+ } -+ if (!fips_drbg_error_check(dctx, td)) { -+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags); -+ rv = 0; -+ continue; -+ } -+ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags)) -+ return 0; -+ } -+ FIPS_drbg_free(dctx); -+ return rv; -+} -diff --git a/crypto/fips/fips_drbg_selftest.h b/crypto/fips/fips_drbg_selftest.h -new file mode 100644 -index 0000000..ccc1898 ---- /dev/null -+++ b/crypto/fips/fips_drbg_selftest.h -@@ -0,0 +1,1791 @@ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. 
Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ * -+ */ -+ -+/* Selftest and health check data for the SP800-90 DRBG */ -+ -+#define __fips_constseg -+ -+/* AES-128 use df PR */ -+__fips_constseg static const unsigned char aes_128_use_df_pr_entropyinput[] = { -+ 0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33, -+ 0xc8, 0xdb, 0xff, 0x12 -+}; -+ -+__fips_constseg static const unsigned char aes_128_use_df_pr_nonce[] = { -+ 0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_pr_personalizationstring[] = { -+ 0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe, -+ 0xd7, 0xd7, 0x01, 0x67 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_pr_additionalinput[] = { -+ 0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e, -+ 0x9a, 0x47, 0x08, 0x76 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_pr_entropyinputpr[] = { -+ 0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51, -+ 0x09, 0xfb, 0xa3, 0xb6 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_pr_int_returnedbits[] = { -+ 0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52, -+ 0x66, 0x1c, 0xea, 0x5b -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_pr_additionalinput2[] = { -+ 0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11, -+ 0x3f, 0x5e, 0x31, 0x06 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = { -+ 0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae, -+ 0xa7, 0xe3, 0xa8, 0x67 -+}; -+ -+__fips_constseg static const unsigned char aes_128_use_df_pr_returnedbits[] = { -+ 0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24, -+ 0x0f, 0x38, 0x43, 0xc6 -+}; -+ -+/* AES-128 use df No PR */ -+__fips_constseg static const unsigned char aes_128_use_df_entropyinput[] = { -+ 0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 
0x01, 0x3e, 0xd0, 0xa3, -+ 0x9d, 0x7d, 0x1c, 0x9b -+}; -+ -+__fips_constseg static const unsigned char aes_128_use_df_nonce[] = { -+ 0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_personalizationstring[] = { -+ 0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3, -+ 0x38, 0x66, 0xba, 0x1b -+}; -+ -+__fips_constseg static const unsigned char aes_128_use_df_additionalinput[] = { -+ 0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46, -+ 0xb5, 0xe2, 0xb2, 0x41 -+}; -+ -+__fips_constseg static const unsigned char aes_128_use_df_int_returnedbits[] = { -+ 0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67, -+ 0xe7, 0x57, 0x11, 0xb4 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_entropyinputreseed[] = { -+ 0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b, -+ 0xc7, 0xc4, 0x9e, 0x39 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_additionalinputreseed[] = { -+ 0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a, -+ 0xc8, 0x93, 0xfa, 0x84 -+}; -+ -+__fips_constseg static const unsigned char aes_128_use_df_additionalinput2[] = { -+ 0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5, -+ 0x06, 0x0c, 0x15, 0x2c -+}; -+ -+__fips_constseg static const unsigned char aes_128_use_df_returnedbits[] = { -+ 0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88, -+ 0x46, 0x81, 0xc7, 0x19 -+}; -+ -+/* AES-192 use df PR */ -+__fips_constseg static const unsigned char aes_192_use_df_pr_entropyinput[] = { -+ 0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec, -+ 0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d -+}; -+ -+__fips_constseg static const unsigned char aes_192_use_df_pr_nonce[] = { -+ 0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0, -+ 0xd1, 0x80, 0x78, 0xfa -+}; -+ 
-+__fips_constseg -+ static const unsigned char aes_192_use_df_pr_personalizationstring[] = { -+ 0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16, -+ 0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5, -+ 0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_pr_additionalinput[] = { -+ 0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac, -+ 0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb, -+ 0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_pr_entropyinputpr[] = { -+ 0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5, -+ 0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_pr_int_returnedbits[] = { -+ 0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9, -+ 0x19, 0x30, 0x6b, 0x67 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_pr_additionalinput2[] = { -+ 0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32, -+ 0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda, -+ 0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = { -+ 0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0, -+ 0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e -+}; -+ -+__fips_constseg static const unsigned char aes_192_use_df_pr_returnedbits[] = { -+ 0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c, -+ 0x7e, 0x1a, 0x2b, 0x83 -+}; -+ -+/* AES-192 use df No PR */ -+__fips_constseg static const unsigned char aes_192_use_df_entropyinput[] = { -+ 0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82, -+ 0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 
0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b -+}; -+ -+__fips_constseg static const unsigned char aes_192_use_df_nonce[] = { -+ 0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d, -+ 0x77, 0xd7, 0x41, 0x0e -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_personalizationstring[] = { -+ 0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf, -+ 0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65, -+ 0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70 -+}; -+ -+__fips_constseg static const unsigned char aes_192_use_df_additionalinput[] = { -+ 0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69, -+ 0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22, -+ 0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7 -+}; -+ -+__fips_constseg static const unsigned char aes_192_use_df_int_returnedbits[] = { -+ 0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6, -+ 0xb7, 0xed, 0xe9, 0xea -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_entropyinputreseed[] = { -+ 0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02, -+ 0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_additionalinputreseed[] = { -+ 0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76, -+ 0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77, -+ 0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65 -+}; -+ -+__fips_constseg static const unsigned char aes_192_use_df_additionalinput2[] = { -+ 0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e, -+ 0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0, -+ 0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77 -+}; -+ -+__fips_constseg static const unsigned char aes_192_use_df_returnedbits[] = { -+ 0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58, -+ 
0x1a, 0xf9, 0x13, 0x28 -+}; -+ -+/* AES-256 use df PR */ -+__fips_constseg static const unsigned char aes_256_use_df_pr_entropyinput[] = { -+ 0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74, -+ 0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f, -+ 0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a -+}; -+ -+__fips_constseg static const unsigned char aes_256_use_df_pr_nonce[] = { -+ 0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33, -+ 0x2b, 0x36, 0xff, 0xa4 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_pr_personalizationstring[] = { -+ 0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24, -+ 0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83, -+ 0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_pr_additionalinput[] = { -+ 0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0, -+ 0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3, -+ 0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_pr_entropyinputpr[] = { -+ 0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77, -+ 0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54, -+ 0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_pr_int_returnedbits[] = { -+ 0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7, -+ 0x17, 0xab, 0x3c, 0x7a -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_pr_additionalinput2[] = { -+ 0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00, -+ 0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78, -+ 0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3 -+}; -+ -+__fips_constseg -+ static const unsigned char 
aes_256_use_df_pr_entropyinputpr2[] = { -+ 0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73, -+ 0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8, -+ 0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f -+}; -+ -+__fips_constseg static const unsigned char aes_256_use_df_pr_returnedbits[] = { -+ 0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0, -+ 0xd9, 0xe2, 0x97, 0x00 -+}; -+ -+/* AES-256 use df No PR */ -+__fips_constseg static const unsigned char aes_256_use_df_entropyinput[] = { -+ 0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50, -+ 0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68, -+ 0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47 -+}; -+ -+__fips_constseg static const unsigned char aes_256_use_df_nonce[] = { -+ 0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a, -+ 0x4c, 0x44, 0x84, 0x40 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_personalizationstring[] = { -+ 0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05, -+ 0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b, -+ 0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2 -+}; -+ -+__fips_constseg static const unsigned char aes_256_use_df_additionalinput[] = { -+ 0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f, -+ 0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf, -+ 0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46 -+}; -+ -+__fips_constseg static const unsigned char aes_256_use_df_int_returnedbits[] = { -+ 0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1, -+ 0x28, 0x0c, 0x3b, 0xc1 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_entropyinputreseed[] = { -+ 0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76, -+ 0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46, -+ 0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 
0x1e -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_additionalinputreseed[] = { -+ 0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99, -+ 0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75, -+ 0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75 -+}; -+ -+__fips_constseg static const unsigned char aes_256_use_df_additionalinput2[] = { -+ 0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d, -+ 0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a, -+ 0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d -+}; -+ -+__fips_constseg static const unsigned char aes_256_use_df_returnedbits[] = { -+ 0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad, -+ 0xfa, 0xfd, 0x35, 0x5e -+}; -+ -+/* AES-128 no df PR */ -+__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinput[] = { -+ 0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4, -+ 0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf, -+ 0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_pr_nonce[] = { -+ 0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_pr_personalizationstring[] = { -+ 0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c, -+ 0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c, -+ 0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_pr_additionalinput[] = { -+ 0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02, -+ 0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73, -+ 0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12 -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinputpr[] = { -+ 0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a, -+ 0xa9, 
0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7, -+ 0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_pr_int_returnedbits[] = { -+ 0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71, -+ 0xaf, 0x19, 0x32, 0x16 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_pr_additionalinput2[] = { -+ 0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f, -+ 0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83, -+ 0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = { -+ 0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a, -+ 0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07, -+ 0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9 -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_pr_returnedbits[] = { -+ 0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33, -+ 0x57, 0x82, 0x33, 0xaf -+}; -+ -+/* AES-128 no df No PR */ -+__fips_constseg static const unsigned char aes_128_no_df_entropyinput[] = { -+ 0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67, -+ 0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42, -+ 0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60 -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_nonce[] = { -+ 0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_personalizationstring[] = { -+ 0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb, -+ 0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b, -+ 0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_additionalinput[] = { -+ 0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37, 
-+ 0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24, -+ 0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95 -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_int_returnedbits[] = { -+ 0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6, -+ 0xed, 0x3e, 0x65, 0xc2 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_entropyinputreseed[] = { -+ 0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66, -+ 0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1, -+ 0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_additionalinputreseed[] = { -+ 0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2, -+ 0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4, -+ 0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4 -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_additionalinput2[] = { -+ 0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f, -+ 0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac, -+ 0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6 -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_returnedbits[] = { -+ 0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36, -+ 0x81, 0x37, 0x19, 0xd4 -+}; -+ -+/* AES-192 no df PR */ -+__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinput[] = { -+ 0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7, -+ 0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61, -+ 0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a, -+ 0x17, 0x1f, 0x8d, 0x9a -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_pr_nonce[] = { -+ 0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19, -+ 0x61, 0x5c, 0xee, 0x0f -+}; -+ -+__fips_constseg -+ static const unsigned char 
aes_192_no_df_pr_personalizationstring[] = { -+ 0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1, -+ 0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4, -+ 0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10, -+ 0x57, 0x2e, 0xe7, 0x55 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_no_df_pr_additionalinput[] = { -+ 0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad, -+ 0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85, -+ 0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f, -+ 0xe2, 0xd0, 0x0c, 0x2f -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinputpr[] = { -+ 0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94, -+ 0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb, -+ 0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58, -+ 0x1d, 0x30, 0xb3, 0x78 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_no_df_pr_int_returnedbits[] = { -+ 0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40, -+ 0x7e, 0x3e, 0x0c, 0x26 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_no_df_pr_additionalinput2[] = { -+ 0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a, -+ 0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57, -+ 0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee, -+ 0x0c, 0x4b, 0xee, 0x6e -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = { -+ 0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0, -+ 0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f, -+ 0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b, -+ 0x8e, 0x0a, 0x83, 0xdf -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_pr_returnedbits[] = { -+ 0x74, 0x45, 0xfb, 0x53, 0x84, 
0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91, -+ 0xb9, 0xa1, 0x21, 0x68 -+}; -+ -+/* AES-192 no df No PR */ -+__fips_constseg static const unsigned char aes_192_no_df_entropyinput[] = { -+ 0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e, -+ 0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe, -+ 0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28, -+ 0x94, 0xc3, 0x59, 0x63 -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_nonce[] = { -+ 0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb, -+ 0x29, 0xfd, 0x45, 0x71 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_no_df_personalizationstring[] = { -+ 0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08, -+ 0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96, -+ 0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b, -+ 0x3b, 0x88, 0xce, 0x35 -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_additionalinput[] = { -+ 0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b, -+ 0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71, -+ 0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3, -+ 0x3e, 0xbe, 0xd4, 0x8e -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_int_returnedbits[] = { -+ 0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a, -+ 0x45, 0xe7, 0x4a, 0xc5 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_no_df_entropyinputreseed[] = { -+ 0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e, -+ 0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1, -+ 0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33, -+ 0x9b, 0xcb, 0x7e, 0x75 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_no_df_additionalinputreseed[] = { -+ 0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 
0xc1, 0x01, -+ 0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27, -+ 0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40, -+ 0x5d, 0x7a, 0x25, 0x79 -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_additionalinput2[] = { -+ 0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71, -+ 0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5, -+ 0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a, -+ 0x91, 0x6a, 0xe3, 0x5f -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_returnedbits[] = { -+ 0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8, -+ 0x66, 0x67, 0x2c, 0x92 -+}; -+ -+/* AES-256 no df PR */ -+__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinput[] = { -+ 0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8, -+ 0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2, -+ 0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03, -+ 0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_pr_nonce[] = { -+ 0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30, -+ 0xcc, 0x4b, 0xee, 0x2e -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_pr_personalizationstring[] = { -+ 0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7, -+ 0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b, -+ 0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac, -+ 0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_pr_additionalinput[] = { -+ 0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40, -+ 0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c, -+ 0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 
0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69, -+ 0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinputpr[] = { -+ 0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16, -+ 0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc, -+ 0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9, -+ 0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_pr_int_returnedbits[] = { -+ 0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56, -+ 0x79, 0x60, 0x93, 0xcf -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_pr_additionalinput2[] = { -+ 0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a, -+ 0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35, -+ 0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34, -+ 0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = { -+ 0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3, -+ 0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa, -+ 0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83, -+ 0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_pr_returnedbits[] = { -+ 0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7, -+ 0x2d, 0x5f, 0x4a, 0x46 -+}; -+ -+/* AES-256 no df No PR */ -+__fips_constseg static const unsigned char aes_256_no_df_entropyinput[] = { -+ 0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3, -+ 0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb, -+ 0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 
0x63, 0x5e, 0x96, -+ 0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3 -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_nonce[] = { -+ 0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99, -+ 0x43, 0x96, 0xb9, 0xf0 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_personalizationstring[] = { -+ 0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60, -+ 0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc, -+ 0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f, -+ 0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_additionalinput[] = { -+ 0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6, -+ 0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9, -+ 0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed, -+ 0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17 -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_int_returnedbits[] = { -+ 0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6, -+ 0xd2, 0x25, 0x75, 0x0e -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_entropyinputreseed[] = { -+ 0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b, -+ 0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5, -+ 0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed, -+ 0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_additionalinputreseed[] = { -+ 0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e, -+ 0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18, -+ 0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b, -+ 0x62, 0x86, 0x64, 0xea, 0x2c, 
0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29 -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_additionalinput2[] = { -+ 0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe, -+ 0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42, -+ 0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba, -+ 0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6 -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_returnedbits[] = { -+ 0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67, -+ 0xf6, 0x02, 0x32, 0xe2 -+}; -+ -+/* SHA-1 PR */ -+__fips_constseg static const unsigned char sha1_pr_entropyinput[] = { -+ 0xd2, 0x36, 0xa5, 0x27, 0x31, 0x73, 0xdd, 0x11, 0x4f, 0x93, 0xbd, 0xe2, -+ 0x31, 0xa5, 0x91, 0x13 -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_nonce[] = { -+ 0xb5, 0xb3, 0x60, 0xef, 0xf7, 0x63, 0x31, 0xf3 -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_personalizationstring[] = { -+ 0xd4, 0xbb, 0x02, 0x10, 0xb2, 0x71, 0xdb, 0x81, 0xd6, 0xf0, 0x42, 0x60, -+ 0xda, 0xea, 0x77, 0x52 -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_additionalinput[] = { -+ 0x4d, 0xd2, 0x6c, 0x87, 0xfb, 0x2c, 0x4f, 0xa6, 0x8d, 0x16, 0x63, 0x22, -+ 0x6a, 0x51, 0xe3, 0xf8 -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_entropyinputpr[] = { -+ 0xc9, 0x83, 0x9e, 0x16, 0xf6, 0x1c, 0x0f, 0xb2, 0xec, 0x60, 0x31, 0xa9, -+ 0xcb, 0xa9, 0x36, 0x7a -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_int_returnedbits[] = { -+ 0xa8, 0x13, 0x4f, 0xf4, 0x31, 0x02, 0x44, 0xe3, 0xd3, 0x3d, 0x61, 0x9e, -+ 0xe5, 0xc6, 0x3e, 0x89, 0xb5, 0x9b, 0x0f, 0x35 -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_additionalinput2[] = { -+ 0xf9, 0xe8, 0xd2, 0x72, 0x13, 0x34, 0x95, 0x6f, 0x15, 0x49, 0x47, 0x99, -+ 0x16, 0x03, 0x19, 0x47 -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_entropyinputpr2[] = { -+ 0x4e, 0x8c, 0x49, 0x9b, 
0x4a, 0x5c, 0x9b, 0x9c, 0x3a, 0xee, 0xfb, 0xd2, -+ 0xae, 0xcd, 0x8c, 0xc4 -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_returnedbits[] = { -+ 0x50, 0xb4, 0xb4, 0xcd, 0x68, 0x57, 0xfc, 0x2e, 0xc1, 0x52, 0xcc, 0xf6, -+ 0x68, 0xa4, 0x81, 0xed, 0x7e, 0xe4, 0x1d, 0x87 -+}; -+ -+/* SHA-1 No PR */ -+__fips_constseg static const unsigned char sha1_entropyinput[] = { -+ 0xa9, 0x47, 0x1b, 0x29, 0x2d, 0x1c, 0x05, 0xdf, 0x76, 0xd0, 0x62, 0xf9, -+ 0xe2, 0x7f, 0x4c, 0x7b -+}; -+ -+__fips_constseg static const unsigned char sha1_nonce[] = { -+ 0x53, 0x23, 0x24, 0xe3, 0xec, 0x0c, 0x54, 0x14 -+}; -+ -+__fips_constseg static const unsigned char sha1_personalizationstring[] = { -+ 0x7a, 0x87, 0xa1, 0xac, 0x1c, 0xfd, 0xab, 0xae, 0xf7, 0xd6, 0xfb, 0x76, -+ 0x28, 0xec, 0x6d, 0xca -+}; -+ -+__fips_constseg static const unsigned char sha1_additionalinput[] = { -+ 0xfc, 0x92, 0x35, 0xd6, 0x7e, 0xb7, 0x24, 0x65, 0xfd, 0x12, 0x27, 0x35, -+ 0xc0, 0x72, 0xca, 0x28 -+}; -+ -+__fips_constseg static const unsigned char sha1_int_returnedbits[] = { -+ 0x57, 0x88, 0x82, 0xe5, 0x25, 0xa5, 0x2c, 0x4a, 0x06, 0x20, 0x6c, 0x72, -+ 0x55, 0x61, 0xdd, 0x90, 0x71, 0x9f, 0x95, 0xea -+}; -+ -+__fips_constseg static const unsigned char sha1_entropyinputreseed[] = { -+ 0x69, 0xa5, 0x40, 0x62, 0x98, 0x47, 0x56, 0x73, 0x4a, 0x8f, 0x60, 0x96, -+ 0xd6, 0x99, 0x27, 0xed -+}; -+ -+__fips_constseg static const unsigned char sha1_additionalinputreseed[] = { -+ 0xe5, 0x40, 0x4e, 0xbd, 0x50, 0x00, 0xf5, 0x15, 0xa6, 0xee, 0x45, 0xda, -+ 0x84, 0x3d, 0xd4, 0xc0 -+}; -+ -+__fips_constseg static const unsigned char sha1_additionalinput2[] = { -+ 0x11, 0x51, 0x14, 0xf0, 0x09, 0x1b, 0x4e, 0x56, 0x0d, 0xe9, 0xf6, 0x1e, -+ 0x52, 0x65, 0xcd, 0x96 -+}; -+ -+__fips_constseg static const unsigned char sha1_returnedbits[] = { -+ 0xa1, 0x9c, 0x94, 0x6e, 0x29, 0xe1, 0x33, 0x0d, 0x32, 0xd6, 0xaa, 0xce, -+ 0x71, 0x3f, 0x52, 0x72, 0x8b, 0x42, 0xa8, 0xd7 -+}; -+ -+/* SHA-224 PR */ -+__fips_constseg static const unsigned char 
sha224_pr_entropyinput[] = { -+ 0x12, 0x69, 0x32, 0x4f, 0x83, 0xa6, 0xf5, 0x14, 0xe3, 0x49, 0x3e, 0x75, -+ 0x3e, 0xde, 0xad, 0xa1, 0x29, 0xc3, 0xf3, 0x19, 0x20, 0xb5, 0x4c, 0xd9 -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_nonce[] = { -+ 0x6a, 0x78, 0xd0, 0xeb, 0xbb, 0x5a, 0xf0, 0xee, 0xe8, 0xc3, 0xba, 0x71 -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_personalizationstring[] = { -+ 0xd5, 0xb8, 0xb6, 0xbc, 0xc1, 0x5b, 0x60, 0x31, 0x3c, 0xf5, 0xe5, 0xc0, -+ 0x8e, 0x52, 0x7a, 0xbd, 0xea, 0x47, 0xa9, 0x5f, 0x8f, 0xf9, 0x8b, 0xae -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_additionalinput[] = { -+ 0x1f, 0x55, 0xec, 0xae, 0x16, 0x12, 0x84, 0xba, 0x84, 0x16, 0x19, 0x88, -+ 0x8e, 0xb8, 0x33, 0x25, 0x54, 0xff, 0xca, 0x79, 0xaf, 0x07, 0x25, 0x50 -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_entropyinputpr[] = { -+ 0x92, 0xa3, 0x32, 0xa8, 0x9a, 0x0a, 0x58, 0x7c, 0x1d, 0x5a, 0x7e, 0xe1, -+ 0xb2, 0x73, 0xab, 0x0e, 0x16, 0x79, 0x23, 0xd3, 0x29, 0x89, 0x81, 0xe1 -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_int_returnedbits[] = { -+ 0xf3, 0x38, 0x91, 0x40, 0x37, 0x7a, 0x51, 0x72, 0x42, 0x74, 0x78, 0x0a, -+ 0x69, 0xfd, 0xa6, 0x44, 0x43, 0x45, 0x6c, 0x0c, 0x5a, 0x19, 0xff, 0xf1, -+ 0x54, 0x60, 0xee, 0x6a -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_additionalinput2[] = { -+ 0x75, 0xf3, 0x04, 0x25, 0xdd, 0x36, 0xa8, 0x37, 0x46, 0xae, 0x0c, 0x52, -+ 0x05, 0x79, 0x4c, 0x26, 0xdb, 0xe9, 0x71, 0x16, 0x4c, 0x0a, 0xf2, 0x60 -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_entropyinputpr2[] = { -+ 0xea, 0xc5, 0x03, 0x0a, 0x4f, 0xb0, 0x38, 0x8d, 0x23, 0xd4, 0xc8, 0x77, -+ 0xe2, 0x6d, 0x9c, 0x0b, 0x44, 0xf7, 0x2d, 0x5b, 0xbf, 0x5d, 0x2a, 0x11 -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_returnedbits[] = { -+ 0x60, 0x50, 0x2b, 0xe7, 0x86, 0xd8, 0x26, 0x73, 0xe3, 0x1d, 0x95, 0x20, -+ 0xb3, 0x2c, 0x32, 0x1c, 0xf5, 0xce, 0x57, 0xa6, 0x67, 0x2b, 0xdc, 0x4e, -+ 
0xdd, 0x11, 0x4c, 0xc4 -+}; -+ -+/* SHA-224 No PR */ -+__fips_constseg static const unsigned char sha224_entropyinput[] = { -+ 0xb2, 0x1c, 0x77, 0x4d, 0xf6, 0xd3, 0xb6, 0x40, 0xb7, 0x30, 0x3e, 0x29, -+ 0xb0, 0x85, 0x1c, 0xbe, 0x4a, 0xea, 0x6b, 0x5a, 0xb5, 0x8a, 0x97, 0xeb -+}; -+ -+__fips_constseg static const unsigned char sha224_nonce[] = { -+ 0x42, 0x02, 0x0a, 0x1c, 0x98, 0x9a, 0x77, 0x9e, 0x9f, 0x80, 0xba, 0xe0 -+}; -+ -+__fips_constseg static const unsigned char sha224_personalizationstring[] = { -+ 0x98, 0xb8, 0x04, 0x41, 0xfc, 0xc1, 0x5d, 0xc5, 0xe9, 0xb9, 0x08, 0xda, -+ 0xf9, 0xfa, 0x0d, 0x90, 0xce, 0xdf, 0x1d, 0x10, 0xa9, 0x8d, 0x50, 0x0c -+}; -+ -+__fips_constseg static const unsigned char sha224_additionalinput[] = { -+ 0x9a, 0x8d, 0x39, 0x49, 0x42, 0xd5, 0x0b, 0xae, 0xe1, 0xaf, 0xb7, 0x00, -+ 0x02, 0xfa, 0x96, 0xb1, 0xa5, 0x1d, 0x2d, 0x25, 0x78, 0xee, 0x83, 0x3f -+}; -+ -+__fips_constseg static const unsigned char sha224_int_returnedbits[] = { -+ 0xe4, 0xf5, 0x53, 0x79, 0x5a, 0x97, 0x58, 0x06, 0x08, 0xba, 0x7b, 0xfa, -+ 0xf0, 0x83, 0x05, 0x8c, 0x22, 0xc0, 0xc9, 0xdb, 0x15, 0xe7, 0xde, 0x20, -+ 0x55, 0x22, 0x9a, 0xad -+}; -+ -+__fips_constseg static const unsigned char sha224_entropyinputreseed[] = { -+ 0x67, 0x09, 0x48, 0xaa, 0x07, 0x16, 0x99, 0x89, 0x7f, 0x6d, 0xa0, 0xe5, -+ 0x8f, 0xdf, 0xbc, 0xdb, 0xfe, 0xe5, 0x6c, 0x7a, 0x95, 0x4a, 0x66, 0x17 -+}; -+ -+__fips_constseg static const unsigned char sha224_additionalinputreseed[] = { -+ 0x0f, 0x4b, 0x1c, 0x6f, 0xb7, 0xe3, 0x47, 0xe5, 0x5d, 0x7d, 0x38, 0xd6, -+ 0x28, 0x9b, 0xeb, 0x55, 0x63, 0x09, 0x3e, 0x7c, 0x56, 0xea, 0xf8, 0x19 -+}; -+ -+__fips_constseg static const unsigned char sha224_additionalinput2[] = { -+ 0x2d, 0x26, 0x7c, 0x37, 0xe4, 0x7a, 0x28, 0x5e, 0x5a, 0x3c, 0xaf, 0x3d, -+ 0x5a, 0x8e, 0x55, 0xa2, 0x1a, 0x6e, 0xc0, 0xe5, 0xf6, 0x21, 0xd3, 0xf6 -+}; -+ -+__fips_constseg static const unsigned char sha224_returnedbits[] = { -+ 0x4d, 0x83, 0x35, 0xdf, 0x67, 0xa9, 0xfc, 0x17, 0xda, 0x70, 0xcc, 
0x8b, -+ 0x7f, 0x77, 0xae, 0xa2, 0x5f, 0xb9, 0x7e, 0x74, 0x4c, 0x26, 0xc1, 0x7a, -+ 0x3b, 0xa7, 0x5c, 0x93 -+}; -+ -+/* SHA-256 PR */ -+__fips_constseg static const unsigned char sha256_pr_entropyinput[] = { -+ 0xce, 0x49, 0x00, 0x7a, 0x56, 0xe3, 0x67, 0x8f, 0xe1, 0xb6, 0xa7, 0xd4, -+ 0x4f, 0x08, 0x7a, 0x1b, 0x01, 0xf4, 0xfa, 0x6b, 0xef, 0xb7, 0xe5, 0xeb, -+ 0x07, 0x3d, 0x11, 0x0d, 0xc8, 0xea, 0x2b, 0xfe -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_nonce[] = { -+ 0x73, 0x41, 0xc8, 0x92, 0x94, 0xe2, 0xc5, 0x5f, 0x93, 0xfd, 0x39, 0x5d, -+ 0x2b, 0x91, 0x4d, 0x38 -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_personalizationstring[] = { -+ 0x50, 0x6d, 0x01, 0x01, 0x07, 0x5a, 0x80, 0x35, 0x7a, 0x56, 0x1a, 0x56, -+ 0x2f, 0x9a, 0x0b, 0x35, 0xb2, 0xb1, 0xc9, 0xe5, 0xca, 0x69, 0x61, 0x48, -+ 0xff, 0xfb, 0x0f, 0xd9, 0x4b, 0x79, 0x1d, 0xba -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_additionalinput[] = { -+ 0x20, 0xb8, 0xdf, 0x44, 0x77, 0x5a, 0xb8, 0xd3, 0xbf, 0xf6, 0xcf, 0xac, -+ 0x5e, 0xa6, 0x96, 0x62, 0x73, 0x44, 0x40, 0x4a, 0x30, 0xfb, 0x38, 0xa5, -+ 0x7b, 0x0d, 0xe4, 0x0d, 0xc6, 0xe4, 0x9a, 0x1f -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_entropyinputpr[] = { -+ 0x04, 0xc4, 0x65, 0xf4, 0xd3, 0xbf, 0x83, 0x4b, 0xab, 0xc8, 0x41, 0xa8, -+ 0xc2, 0xe0, 0x44, 0x63, 0x77, 0x4c, 0x6f, 0x6c, 0x49, 0x46, 0xff, 0x94, -+ 0x17, 0xea, 0xe6, 0x1a, 0x9d, 0x5e, 0x66, 0x78 -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_int_returnedbits[] = { -+ 0x07, 0x4d, 0xac, 0x9b, 0x86, 0xca, 0x4a, 0xaa, 0x6e, 0x7a, 0x03, 0xa2, -+ 0x5d, 0x10, 0xea, 0x0b, 0xf9, 0x83, 0xcc, 0xd1, 0xfc, 0xe2, 0x07, 0xc7, -+ 0x06, 0x34, 0x60, 0x6f, 0x83, 0x94, 0x99, 0x76 -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_additionalinput2[] = { -+ 0x89, 0x4e, 0x45, 0x8c, 0x11, 0xf9, 0xbc, 0x5b, 0xac, 0x74, 0x8b, 0x4b, -+ 0x5f, 0xf7, 0x19, 0xf3, 0xf5, 0x24, 0x54, 0x14, 0xd1, 0x15, 0xb1, 0x43, -+ 0x12, 0xa4, 0x5f, 0xd4, 0xec, 
0xfc, 0xcd, 0x09 -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_entropyinputpr2[] = { -+ 0x0e, 0xeb, 0x1f, 0xd7, 0xfc, 0xd1, 0x9d, 0xd4, 0x05, 0x36, 0x8b, 0xb2, -+ 0xfb, 0xe4, 0xf4, 0x51, 0x0c, 0x87, 0x9b, 0x02, 0x44, 0xd5, 0x92, 0x4d, -+ 0x44, 0xfe, 0x1a, 0x03, 0x43, 0x56, 0xbd, 0x86 -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_returnedbits[] = { -+ 0x02, 0xaa, 0xb6, 0x1d, 0x7e, 0x2a, 0x40, 0x03, 0x69, 0x2d, 0x49, 0xa3, -+ 0x41, 0xe7, 0x44, 0x0b, 0xaf, 0x7b, 0x85, 0xe4, 0x5f, 0x53, 0x3b, 0x64, -+ 0xbc, 0x89, 0xc8, 0x82, 0xd4, 0x78, 0x37, 0xa2 -+}; -+ -+/* SHA-256 No PR */ -+__fips_constseg static const unsigned char sha256_entropyinput[] = { -+ 0x5b, 0x1b, 0xec, 0x4d, 0xa9, 0x38, 0x74, 0x5a, 0x34, 0x0b, 0x7b, 0xc5, -+ 0xe5, 0xd7, 0x66, 0x7c, 0xbc, 0x82, 0xb9, 0x0e, 0x2d, 0x1f, 0x92, 0xd7, -+ 0xc1, 0xbc, 0x67, 0x69, 0xec, 0x6b, 0x03, 0x3c -+}; -+ -+__fips_constseg static const unsigned char sha256_nonce[] = { -+ 0xa4, 0x0c, 0xd8, 0x9c, 0x61, 0xd8, 0xc3, 0x54, 0xfe, 0x53, 0xc9, 0xe5, -+ 0x5d, 0x6f, 0x6d, 0x35 -+}; -+ -+__fips_constseg static const unsigned char sha256_personalizationstring[] = { -+ 0x22, 0x5e, 0x62, 0x93, 0x42, 0x83, 0x78, 0x24, 0xd8, 0x40, 0x8c, 0xde, -+ 0x6f, 0xf9, 0xa4, 0x7a, 0xc5, 0xa7, 0x3b, 0x88, 0xa3, 0xee, 0x42, 0x20, -+ 0xfd, 0x61, 0x56, 0xc6, 0x4c, 0x13, 0x41, 0x9c -+}; -+ -+__fips_constseg static const unsigned char sha256_additionalinput[] = { -+ 0xbf, 0x74, 0x5b, 0xf6, 0xc5, 0x64, 0x5e, 0x99, 0x34, 0x8f, 0xbc, 0xa4, -+ 0xe2, 0xbd, 0xd8, 0x85, 0x26, 0x37, 0xea, 0xba, 0x4f, 0xf2, 0x9a, 0x9a, -+ 0x66, 0xfc, 0xdf, 0x63, 0x26, 0x26, 0x19, 0x87 -+}; -+ -+__fips_constseg static const unsigned char sha256_int_returnedbits[] = { -+ 0xb3, 0xc6, 0x07, 0x07, 0xd6, 0x75, 0xf6, 0x2b, 0xd6, 0x21, 0x96, 0xf1, -+ 0xae, 0xdb, 0x2b, 0xac, 0x25, 0x2a, 0xae, 0xae, 0x41, 0x72, 0x03, 0x5e, -+ 0xbf, 0xd3, 0x64, 0xbc, 0x59, 0xf9, 0xc0, 0x76 -+}; -+ -+__fips_constseg static const unsigned char sha256_entropyinputreseed[] = { -+ 
0xbf, 0x20, 0x33, 0x56, 0x29, 0xa8, 0x37, 0x04, 0x1f, 0x78, 0x34, 0x3d, -+ 0x81, 0x2a, 0xc9, 0x86, 0xc6, 0x7a, 0x2f, 0x88, 0x5e, 0xd5, 0xbe, 0x34, -+ 0x46, 0x20, 0xa4, 0x35, 0xeb, 0xc7, 0xe2, 0x9d -+}; -+ -+__fips_constseg static const unsigned char sha256_additionalinputreseed[] = { -+ 0x9b, 0xae, 0x2d, 0x2d, 0x61, 0xa4, 0x89, 0xeb, 0x43, 0x46, 0xa7, 0xda, -+ 0xef, 0x40, 0xca, 0x4a, 0x99, 0x11, 0x41, 0xdc, 0x5c, 0x94, 0xe9, 0xac, -+ 0xd4, 0xd0, 0xe6, 0xbd, 0xfb, 0x03, 0x9c, 0xa8 -+}; -+ -+__fips_constseg static const unsigned char sha256_additionalinput2[] = { -+ 0x23, 0xaa, 0x0c, 0xbd, 0x28, 0x33, 0xe2, 0x51, 0xfc, 0x71, 0xd2, 0x15, -+ 0x1f, 0x76, 0xfd, 0x0d, 0xe0, 0xb7, 0xb5, 0x84, 0x75, 0x5b, 0xbe, 0xf3, -+ 0x5c, 0xca, 0xc5, 0x30, 0xf2, 0x75, 0x1f, 0xda -+}; -+ -+__fips_constseg static const unsigned char sha256_returnedbits[] = { -+ 0x90, 0x3c, 0xc1, 0x10, 0x8c, 0x12, 0x01, 0xc6, 0xa6, 0x3a, 0x0f, 0x4d, -+ 0xb6, 0x3a, 0x4f, 0x41, 0x9c, 0x61, 0x75, 0x84, 0xe9, 0x74, 0x75, 0xfd, -+ 0xfe, 0xf2, 0x1f, 0x43, 0xd8, 0x5e, 0x24, 0xa3 -+}; -+ -+/* SHA-384 PR */ -+__fips_constseg static const unsigned char sha384_pr_entropyinput[] = { -+ 0x71, 0x9d, 0xb2, 0x5a, 0x71, 0x6d, 0x04, 0xe9, 0x1e, 0xc7, 0x92, 0x24, -+ 0x6e, 0x12, 0x33, 0xa9, 0x52, 0x64, 0x31, 0xef, 0x71, 0xeb, 0x22, 0x55, -+ 0x28, 0x97, 0x06, 0x6a, 0xc0, 0x0c, 0xa0, 0x7e -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_nonce[] = { -+ 0xf5, 0x0d, 0xfa, 0xb0, 0xec, 0x6a, 0x7c, 0xd6, 0xbd, 0x9b, 0x05, 0xfd, -+ 0x38, 0x3e, 0x2e, 0x56 -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_personalizationstring[] = { -+ 0x74, 0xac, 0x7e, 0x6d, 0xb1, 0xa4, 0xe7, 0x21, 0xd1, 0x1e, 0x6e, 0x96, -+ 0x6d, 0x4d, 0x53, 0x46, 0x82, 0x96, 0x6e, 0xcf, 0xaa, 0x81, 0x8d, 0x7d, -+ 0x9e, 0xe1, 0x0f, 0x15, 0xea, 0x41, 0xbf, 0xe3 -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_additionalinput[] = { -+ 0xda, 0x95, 0xd4, 0xd0, 0xb8, 0x11, 0xd3, 0x49, 0x27, 0x5d, 0xa9, 0x39, -+ 0x68, 0xf3, 0xa8, 
0xe9, 0x5d, 0x19, 0x8a, 0x2b, 0x66, 0xe8, 0x69, 0x06, -+ 0x7c, 0x9e, 0x03, 0xa1, 0x8b, 0x26, 0x2d, 0x6e -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_entropyinputpr[] = { -+ 0x49, 0xdf, 0x44, 0x00, 0xe4, 0x1c, 0x75, 0x0b, 0x26, 0x5a, 0x59, 0x64, -+ 0x1f, 0x4e, 0xb1, 0xb2, 0x13, 0xf1, 0x22, 0x4e, 0xb4, 0x6d, 0x9a, 0xcc, -+ 0xa0, 0x48, 0xe6, 0xcf, 0x1d, 0xd1, 0x92, 0x0d -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_int_returnedbits[] = { -+ 0xc8, 0x52, 0xae, 0xbf, 0x04, 0x3c, 0x27, 0xb7, 0x78, 0x18, 0xaa, 0x8f, -+ 0xff, 0xcf, 0xa4, 0xf1, 0xcc, 0xe7, 0x68, 0xfa, 0x22, 0xa2, 0x13, 0x45, -+ 0xe8, 0xdd, 0x87, 0xe6, 0xf2, 0x6e, 0xdd, 0xc7, 0x52, 0x90, 0x9f, 0x7b, -+ 0xfa, 0x61, 0x2d, 0x9d, 0x9e, 0xcf, 0x98, 0xac, 0x52, 0x40, 0xce, 0xaf -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_additionalinput2[] = { -+ 0x61, 0x7c, 0x03, 0x9a, 0x3e, 0x50, 0x57, 0x60, 0xc5, 0x83, 0xc9, 0xb2, -+ 0xd1, 0x87, 0x85, 0x66, 0x92, 0x5d, 0x84, 0x0e, 0x53, 0xfb, 0x70, 0x03, -+ 0x72, 0xfd, 0xba, 0xae, 0x9c, 0x8f, 0xf8, 0x18 -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_entropyinputpr2[] = { -+ 0xf8, 0xeb, 0x89, 0xb1, 0x8d, 0x78, 0xbe, 0x21, 0xe0, 0xbb, 0x9d, 0xb7, -+ 0x95, 0x0e, 0xd9, 0x46, 0x0c, 0x8c, 0xe2, 0x63, 0xb7, 0x9d, 0x67, 0x90, -+ 0xbd, 0xc7, 0x0b, 0xa5, 0xce, 0xb2, 0x65, 0x81 -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_returnedbits[] = { -+ 0xe6, 0x9f, 0xfe, 0x68, 0xd6, 0xb5, 0x79, 0xf1, 0x06, 0x5f, 0xa3, 0xbb, -+ 0x23, 0x85, 0xd8, 0xf0, 0x29, 0x5a, 0x68, 0x9e, 0xf5, 0xf4, 0xa6, 0x12, -+ 0xe0, 0x9a, 0xe2, 0xac, 0x00, 0x1d, 0x98, 0x26, 0xfc, 0x53, 0x95, 0x53, -+ 0xe4, 0x3e, 0x17, 0xd5, 0x08, 0x0b, 0x70, 0x3d, 0x67, 0x99, 0xac, 0x66 -+}; -+ -+/* SHA-384 No PR */ -+__fips_constseg static const unsigned char sha384_entropyinput[] = { -+ 0x07, 0x15, 0x27, 0x2a, 0xaf, 0x74, 0x24, 0x37, 0xbc, 0xd5, 0x14, 0x69, -+ 0xce, 0x11, 0xff, 0xa2, 0x6b, 0xb8, 0x05, 0x67, 0x34, 0xf8, 0xbd, 0x6d, -+ 0x6a, 0xcc, 0xcd, 
0x60, 0xa3, 0x68, 0xca, 0xf4 -+}; -+ -+__fips_constseg static const unsigned char sha384_nonce[] = { -+ 0x70, 0x17, 0xc2, 0x5b, 0x5d, 0x22, 0x0b, 0x06, 0x15, 0x54, 0x78, 0x77, -+ 0x44, 0xaf, 0x2f, 0x09 -+}; -+ -+__fips_constseg static const unsigned char sha384_personalizationstring[] = { -+ 0x89, 0x39, 0x28, 0xb0, 0x60, 0xeb, 0x3d, 0xdc, 0x55, 0x75, 0x86, 0xeb, -+ 0xae, 0xa2, 0x8f, 0xbc, 0x1b, 0x75, 0xd4, 0xe1, 0x0f, 0xaa, 0x38, 0xca, -+ 0x62, 0x8b, 0xcb, 0x2c, 0x26, 0xf6, 0xbc, 0xb1 -+}; -+ -+__fips_constseg static const unsigned char sha384_additionalinput[] = { -+ 0x30, 0x2b, 0x42, 0x35, 0xef, 0xda, 0x40, 0x55, 0x28, 0xc6, 0x95, 0xfb, -+ 0x54, 0x01, 0x62, 0xd7, 0x87, 0x14, 0x48, 0x6d, 0x90, 0x4c, 0xa9, 0x02, -+ 0x54, 0x40, 0x22, 0xc8, 0x66, 0xa5, 0x48, 0x48 -+}; -+ -+__fips_constseg static const unsigned char sha384_int_returnedbits[] = { -+ 0x82, 0xc4, 0xa1, 0x9c, 0x21, 0xd2, 0xe7, 0xa5, 0xa6, 0xf6, 0x5f, 0x04, -+ 0x5c, 0xc7, 0x31, 0x9d, 0x8d, 0x59, 0x74, 0x50, 0x19, 0x89, 0x2f, 0x63, -+ 0xd5, 0xb7, 0x7e, 0xeb, 0x15, 0xe3, 0x70, 0x83, 0xa1, 0x24, 0x59, 0xfa, -+ 0x2c, 0x56, 0xf6, 0x88, 0x3a, 0x92, 0x93, 0xa1, 0xfb, 0x79, 0xc1, 0x7a -+}; -+ -+__fips_constseg static const unsigned char sha384_entropyinputreseed[] = { -+ 0x39, 0xa6, 0xe8, 0x5c, 0x82, 0x17, 0x71, 0x26, 0x57, 0x4f, 0x9f, 0xc2, -+ 0x55, 0xff, 0x5c, 0x9b, 0x53, 0x1a, 0xd1, 0x5f, 0xbc, 0x62, 0xe4, 0x27, -+ 0x2d, 0x32, 0xf0, 0xe4, 0x52, 0x8c, 0xc5, 0x0c -+}; -+ -+__fips_constseg static const unsigned char sha384_additionalinputreseed[] = { -+ 0x8d, 0xcb, 0x8d, 0xce, 0x08, 0xea, 0x80, 0xe8, 0x9b, 0x61, 0xa8, 0x0f, -+ 0xaf, 0x49, 0x20, 0x9e, 0x74, 0xcb, 0x57, 0x80, 0x42, 0xb0, 0x84, 0x5e, -+ 0x30, 0x2a, 0x67, 0x08, 0xf4, 0xe3, 0x40, 0x22 -+}; -+ -+__fips_constseg static const unsigned char sha384_additionalinput2[] = { -+ 0x7c, 0x8f, 0xc2, 0xae, 0x22, 0x4a, 0xd6, 0xf6, 0x05, 0xa4, 0x7a, 0xea, -+ 0xbb, 0x25, 0xd0, 0xb7, 0x5a, 0xd6, 0xcf, 0x9d, 0xf3, 0x6c, 0xe2, 0xb2, -+ 0x4e, 0xb4, 0xbd, 0xf4, 0xe5, 0x40, 
0x80, 0x94 -+}; -+ -+__fips_constseg static const unsigned char sha384_returnedbits[] = { -+ 0x9e, 0x7e, 0xfb, 0x59, 0xbb, 0xaa, 0x3c, 0xf7, 0xe1, 0xf8, 0x76, 0xdd, -+ 0x63, 0x5f, 0xaf, 0x23, 0xd6, 0x64, 0x61, 0xc0, 0x9a, 0x09, 0x47, 0xc9, -+ 0x33, 0xdf, 0x6d, 0x55, 0x91, 0x34, 0x79, 0x70, 0xc4, 0x99, 0x6e, 0x54, -+ 0x09, 0x64, 0x21, 0x1a, 0xbd, 0x1e, 0x80, 0x40, 0x34, 0xad, 0xfa, 0xd7 -+}; -+ -+/* SHA-512 PR */ -+__fips_constseg static const unsigned char sha512_pr_entropyinput[] = { -+ 0x13, 0xf7, 0x61, 0x75, 0x65, 0x28, 0xa2, 0x59, 0x13, 0x5a, 0x4a, 0x4f, -+ 0x56, 0x60, 0x8c, 0x53, 0x7d, 0xb0, 0xbd, 0x06, 0x4f, 0xed, 0xcc, 0xd2, -+ 0xa2, 0xb5, 0xfd, 0x5b, 0x3a, 0xab, 0xec, 0x28 -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_nonce[] = { -+ 0xbe, 0xa3, 0x91, 0x93, 0x1d, 0xc3, 0x31, 0x3a, 0x23, 0x33, 0x50, 0x67, -+ 0x88, 0xc7, 0xa2, 0xc4 -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_personalizationstring[] = { -+ 0x1f, 0x59, 0x4d, 0x7b, 0xe6, 0x46, 0x91, 0x48, 0xc1, 0x25, 0xfa, 0xff, -+ 0x89, 0x12, 0x77, 0x35, 0xdf, 0x3e, 0xf4, 0x80, 0x5f, 0xd9, 0xb0, 0x07, -+ 0x22, 0x41, 0xdd, 0x48, 0x78, 0x6b, 0x77, 0x2b -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_additionalinput[] = { -+ 0x30, 0xff, 0x63, 0x6f, 0xac, 0xd9, 0x84, 0x39, 0x6f, 0xe4, 0x99, 0xce, -+ 0x91, 0x7d, 0x7e, 0xc8, 0x58, 0xf2, 0x12, 0xc3, 0xb6, 0xad, 0xda, 0x22, -+ 0x04, 0xa0, 0xd2, 0x21, 0xfe, 0xf2, 0x95, 0x1d -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_entropyinputpr[] = { -+ 0x64, 0x54, 0x13, 0xec, 0x4f, 0x77, 0xda, 0xb2, 0x92, 0x2e, 0x52, 0x80, -+ 0x11, 0x10, 0xc2, 0xf8, 0xe6, 0xa7, 0xcd, 0x4b, 0xfc, 0x32, 0x2e, 0x9e, -+ 0xeb, 0xbb, 0xb1, 0xbf, 0x15, 0x5c, 0x73, 0x08 -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_int_returnedbits[] = { -+ 0xef, 0x1e, 0xdc, 0x0a, 0xa4, 0x36, 0x91, 0x9c, 0x3d, 0x27, 0x97, 0x50, -+ 0x8d, 0x36, 0x29, 0x8d, 0xce, 0x6a, 0x0c, 0xf7, 0x21, 0xc0, 0x91, 0xae, -+ 0x0c, 0x96, 0x72, 0xbd, 0x52, 
0x81, 0x58, 0xfc, 0x6d, 0xe5, 0xf7, 0xa5, -+ 0xfd, 0x5d, 0xa7, 0x58, 0x68, 0xc8, 0x99, 0x58, 0x8e, 0xc8, 0xce, 0x95, -+ 0x01, 0x7d, 0xff, 0xa4, 0xc8, 0xf7, 0x63, 0xfe, 0x5f, 0x69, 0x83, 0x53, -+ 0xe2, 0xc6, 0x8b, 0xc3 -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_additionalinput2[] = { -+ 0xe6, 0x9b, 0xc4, 0x88, 0x34, 0xca, 0xea, 0x29, 0x2f, 0x98, 0x05, 0xa4, -+ 0xd3, 0xc0, 0x7b, 0x11, 0xe8, 0xbb, 0x75, 0xf2, 0xbd, 0x29, 0xb7, 0x40, -+ 0x25, 0x7f, 0xc1, 0xb7, 0xb1, 0xf1, 0x25, 0x61 -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_entropyinputpr2[] = { -+ 0x23, 0x6d, 0xff, 0xde, 0xfb, 0xd1, 0xba, 0x33, 0x18, 0xe6, 0xbe, 0xb5, -+ 0x48, 0x77, 0x6d, 0x7f, 0xa7, 0xe1, 0x4d, 0x48, 0x1e, 0x3c, 0xa7, 0x34, -+ 0x1a, 0xc8, 0x60, 0xdb, 0x8f, 0x99, 0x15, 0x99 -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_returnedbits[] = { -+ 0x70, 0x27, 0x31, 0xdb, 0x92, 0x70, 0x21, 0xfe, 0x16, 0xb6, 0xc8, 0x51, -+ 0x34, 0x87, 0x65, 0xd0, 0x4e, 0xfd, 0xfe, 0x68, 0xec, 0xac, 0xdc, 0x93, -+ 0x41, 0x38, 0x92, 0x90, 0xb4, 0x94, 0xf9, 0x0d, 0xa4, 0xf7, 0x4e, 0x80, -+ 0x92, 0x67, 0x48, 0x40, 0xa7, 0x08, 0xc7, 0xbc, 0x66, 0x00, 0xfd, 0xf7, -+ 0x4c, 0x8b, 0x17, 0x6e, 0xd1, 0x8f, 0x9b, 0xf3, 0x6f, 0xf6, 0x34, 0xdd, -+ 0x67, 0xf7, 0x68, 0xdd -+}; -+ -+/* SHA-512 No PR */ -+__fips_constseg static const unsigned char sha512_entropyinput[] = { -+ 0xb6, 0x0b, 0xb7, 0xbc, 0x84, 0x56, 0xf6, 0x12, 0xaf, 0x45, 0x67, 0x17, -+ 0x7c, 0xd1, 0xb2, 0x78, 0x2b, 0xa0, 0xf2, 0xbe, 0xb6, 0x6d, 0x8b, 0x56, -+ 0xc6, 0xbc, 0x4d, 0xe1, 0xf7, 0xbe, 0xce, 0xbd -+}; -+ -+__fips_constseg static const unsigned char sha512_nonce[] = { -+ 0x9d, 0xed, 0xc0, 0xe5, 0x5a, 0x98, 0x6a, 0xcb, 0x51, 0x7d, 0x76, 0x31, -+ 0x5a, 0x64, 0xf0, 0xf7 -+}; -+ -+__fips_constseg static const unsigned char sha512_personalizationstring[] = { -+ 0xc2, 0x6d, 0xa3, 0xc3, 0x06, 0x74, 0xe5, 0x01, 0x5c, 0x10, 0x17, 0xc7, -+ 0xaf, 0x83, 0x9d, 0x59, 0x8d, 0x2d, 0x29, 0x38, 0xc5, 0x59, 0x70, 0x8b, -+ 0x46, 0x48, 
0x2d, 0xcf, 0x36, 0x7d, 0x59, 0xc0 -+}; -+ -+__fips_constseg static const unsigned char sha512_additionalinput[] = { -+ 0xec, 0x8c, 0xd4, 0xf7, 0x61, 0x6e, 0x0d, 0x95, 0x79, 0xb7, 0x28, 0xad, -+ 0x5f, 0x69, 0x74, 0x5f, 0x2d, 0x36, 0x06, 0x8a, 0x6b, 0xac, 0x54, 0x97, -+ 0xc4, 0xa1, 0x12, 0x85, 0x0a, 0xdf, 0x4b, 0x34 -+}; -+ -+__fips_constseg static const unsigned char sha512_int_returnedbits[] = { -+ 0x84, 0x2f, 0x1f, 0x68, 0x6a, 0xa3, 0xad, 0x1e, 0xfb, 0xf4, 0x15, 0xbd, -+ 0xde, 0x38, 0xd4, 0x30, 0x80, 0x51, 0xe9, 0xd3, 0xc7, 0x20, 0x88, 0xe9, -+ 0xf5, 0xcc, 0xdf, 0x57, 0x5c, 0x47, 0x2f, 0x57, 0x3c, 0x5f, 0x13, 0x56, -+ 0xcc, 0xc5, 0x4f, 0x84, 0xf8, 0x10, 0x41, 0xd5, 0x7e, 0x58, 0x6e, 0x19, -+ 0x19, 0x9e, 0xaf, 0xc2, 0x22, 0x58, 0x41, 0x50, 0x79, 0xc2, 0xd8, 0x04, -+ 0x28, 0xd4, 0x39, 0x9a -+}; -+ -+__fips_constseg static const unsigned char sha512_entropyinputreseed[] = { -+ 0xfa, 0x7f, 0x46, 0x51, 0x83, 0x62, 0x98, 0x16, 0x9a, 0x19, 0xa2, 0x49, -+ 0xa9, 0xe6, 0x4a, 0xd8, 0x85, 0xe7, 0xd4, 0x3b, 0x2c, 0x82, 0xc5, 0x82, -+ 0xbf, 0x11, 0xf9, 0x9e, 0xbc, 0xd0, 0x01, 0xee -+}; -+ -+__fips_constseg static const unsigned char sha512_additionalinputreseed[] = { -+ 0xb9, 0x12, 0xe0, 0x4f, 0xf7, 0xa7, 0xc4, 0xd8, 0xd0, 0x8e, 0x99, 0x29, -+ 0x7c, 0x9a, 0xe9, 0xcf, 0xc4, 0x6c, 0xf8, 0xc3, 0xa7, 0x41, 0x83, 0xd6, -+ 0x2e, 0xfa, 0xb8, 0x5e, 0x8e, 0x6b, 0x78, 0x20 -+}; -+ -+__fips_constseg static const unsigned char sha512_additionalinput2[] = { -+ 0xd7, 0x07, 0x52, 0xb9, 0x83, 0x2c, 0x03, 0x71, 0xee, 0xc9, 0xc0, 0x85, -+ 0xe1, 0x57, 0xb2, 0xcd, 0x3a, 0xf0, 0xc9, 0x34, 0x24, 0x41, 0x1c, 0x42, -+ 0x99, 0xb2, 0x84, 0xe9, 0x17, 0xd2, 0x76, 0x92 -+}; -+ -+__fips_constseg static const unsigned char sha512_returnedbits[] = { -+ 0x36, 0x17, 0x5d, 0x98, 0x2b, 0x65, 0x25, 0x8e, 0xc8, 0x29, 0xdf, 0x27, -+ 0x05, 0x36, 0x26, 0x12, 0x8a, 0x68, 0x74, 0x27, 0x37, 0xd4, 0x7f, 0x32, -+ 0xb1, 0x12, 0xd6, 0x85, 0x83, 0xeb, 0x2e, 0xa0, 0xed, 0x4b, 0xb5, 0x7b, -+ 0x6f, 0x39, 0x3c, 0x71, 0x77, 0x02, 
0x12, 0xcc, 0x2c, 0x3a, 0x8e, 0x63, -+ 0xdf, 0x4a, 0xbd, 0x6f, 0x6e, 0x2e, 0xed, 0x0a, 0x85, 0xa5, 0x2f, 0xa2, -+ 0x68, 0xde, 0x42, 0xb5 -+}; -+ -+/* HMAC SHA-1 PR */ -+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinput[] = { -+ 0x26, 0x5f, 0x36, 0x14, 0xff, 0x3d, 0x83, 0xfa, 0x73, 0x5e, 0x75, 0xdc, -+ 0x2c, 0x18, 0x17, 0x1b -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_pr_nonce[] = { -+ 0xc8, 0xe3, 0x57, 0xa5, 0x7b, 0x74, 0x86, 0x6e -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha1_pr_personalizationstring[] = { -+ 0x6e, 0xdb, 0x0d, 0xfe, 0x7d, 0xac, 0x79, 0xd0, 0xa5, 0x3a, 0x48, 0x85, -+ 0x80, 0xe2, 0x7f, 0x2a -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput[] = { -+ 0x31, 0xcd, 0x5e, 0x43, 0xdc, 0xfb, 0x7a, 0x79, 0xca, 0x88, 0xde, 0x1f, -+ 0xd7, 0xbb, 0x42, 0x09 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr[] = { -+ 0x7c, 0x23, 0x95, 0x38, 0x00, 0x95, 0xc1, 0x78, 0x1f, 0x8f, 0xd7, 0x63, -+ 0x23, 0x87, 0x2a, 0xed -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_pr_int_returnedbits[] = { -+ 0xbb, 0x34, 0xe7, 0x93, 0xa3, 0x02, 0x2c, 0x4a, 0xd0, 0x89, 0xda, 0x7f, -+ 0xed, 0xf4, 0x4c, 0xde, 0x17, 0xec, 0xe5, 0x6c -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput2[] = { -+ 0x49, 0xbc, 0x2d, 0x2c, 0xb7, 0x32, 0xcb, 0x20, 0xdf, 0xf5, 0x77, 0x58, -+ 0xa0, 0x4b, 0x93, 0x6e -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr2[] = { -+ 0x3c, 0xaa, 0xb0, 0x21, 0x42, 0xb0, 0xdd, 0x34, 0xf0, 0x16, 0x7f, 0x0c, -+ 0x0f, 0xff, 0x2e, 0xaf -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_pr_returnedbits[] = { -+ 0x8e, 0xcb, 0xa3, 0x64, 0xb2, 0xb8, 0x33, 0x6c, 0x64, 0x3b, 0x78, 0x16, -+ 0x99, 0x35, 0xc8, 0x30, 0xcb, 0x3e, 0xa0, 0xd8 -+}; -+ -+/* HMAC SHA-1 No PR */ -+__fips_constseg static const unsigned char hmac_sha1_entropyinput[] = { -+ 0x32, 0x9a, 0x2a, 0x87, 0x7b, 0x89, 
0x7c, 0xf6, 0xcb, 0x95, 0xd5, 0x40, -+ 0x17, 0xfe, 0x47, 0x70 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_nonce[] = { -+ 0x16, 0xd8, 0xe0, 0xc7, 0x52, 0xcf, 0x4a, 0x25 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_personalizationstring[] = { -+ 0x35, 0x35, 0xa9, 0xa5, 0x40, 0xbe, 0x9b, 0xd1, 0x56, 0xdd, 0x44, 0x00, -+ 0x72, 0xf7, 0xd3, 0x5e -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_additionalinput[] = { -+ 0x1b, 0x2c, 0x84, 0x2d, 0x4a, 0x89, 0x8f, 0x69, 0x19, 0xf1, 0xf3, 0xdb, -+ 0xbb, 0xe3, 0xaa, 0xea -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_int_returnedbits[] = { -+ 0xcf, 0xfa, 0x7d, 0x72, 0x0f, 0xe6, 0xc7, 0x96, 0xa0, 0x69, 0x31, 0x11, -+ 0x9b, 0x0b, 0x1a, 0x20, 0x1f, 0x3f, 0xaa, 0xd1 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_entropyinputreseed[] = { -+ 0x90, 0x75, 0x15, 0x04, 0x95, 0xf1, 0xba, 0x81, 0x0c, 0x37, 0x94, 0x6f, -+ 0x86, 0x52, 0x6d, 0x9c -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_additionalinputreseed[] = { -+ 0x5b, 0x40, 0xba, 0x5f, 0x17, 0x70, 0xf0, 0x4b, 0xdf, 0xc9, 0x97, 0x92, -+ 0x79, 0xc5, 0x82, 0x28 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_additionalinput2[] = { -+ 0x97, 0xc8, 0x80, 0x90, 0xb3, 0xaa, 0x6e, 0x60, 0xea, 0x83, 0x7a, 0xe3, -+ 0x8a, 0xca, 0xa4, 0x7f -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_returnedbits[] = { -+ 0x90, 0xbd, 0x05, 0x56, 0x6d, 0xb5, 0x22, 0xd5, 0xb9, 0x5a, 0x29, 0x2d, -+ 0xe9, 0x0b, 0xe1, 0xac, 0xde, 0x27, 0x0b, 0xb0 -+}; -+ -+/* HMAC SHA-224 PR */ -+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinput[] = { -+ 0x17, 0x32, 0x2b, 0x2e, 0x6f, 0x1b, 0x9c, 0x6d, 0x31, 0xe0, 0x34, 0x07, -+ 0xcf, 0xed, 0xf6, 0xb6, 0x5a, 0x76, 0x4c, 0xbc, 0x62, 0x85, 0x01, 0x90 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_pr_nonce[] = { -+ 0x38, 0xbf, 0x5f, 0x20, 0xb3, 0x68, 0x2f, 0x43, 0x61, 0x05, 0x8f, 0x23 -+}; -+ -+__fips_constseg -+ 
static const unsigned char hmac_sha224_pr_personalizationstring[] = { -+ 0xc0, 0xc9, 0x45, 0xac, 0x8d, 0x27, 0x77, 0x08, 0x0b, 0x17, 0x6d, 0xed, -+ 0xc1, 0x7d, 0xd5, 0x07, 0x9d, 0x6e, 0xf8, 0x23, 0x2a, 0x22, 0x13, 0xbd -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput[] = { -+ 0xa4, 0x3c, 0xe7, 0x3b, 0xea, 0x19, 0x45, 0x32, 0xc2, 0x83, 0x6d, 0x21, -+ 0x8a, 0xc0, 0xee, 0x67, 0x45, 0xde, 0x13, 0x7d, 0x9d, 0x61, 0x00, 0x3b -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr[] = { -+ 0x15, 0x05, 0x74, 0x4a, 0x7f, 0x8d, 0x5c, 0x60, 0x16, 0xe5, 0x7b, 0xad, -+ 0xf5, 0x41, 0x8f, 0x55, 0x60, 0xc4, 0x09, 0xee, 0x1e, 0x11, 0x81, 0xab -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_pr_int_returnedbits[] = { -+ 0x6f, 0xf5, 0x9a, 0xe2, 0x54, 0x53, 0x30, 0x3d, 0x5a, 0x27, 0x29, 0x38, -+ 0x27, 0xf2, 0x0d, 0x05, 0xe9, 0x26, 0xcb, 0x16, 0xc3, 0x51, 0x5f, 0x13, -+ 0x41, 0xfe, 0x99, 0xf2 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput2[] = { -+ 0x73, 0x81, 0x88, 0x84, 0x8f, 0xed, 0x6f, 0x10, 0x9f, 0x93, 0xbf, 0x17, -+ 0x35, 0x7c, 0xef, 0xd5, 0x8d, 0x26, 0xa6, 0x7a, 0xe8, 0x09, 0x36, 0x4f -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr2[] = { -+ 0xe6, 0xcf, 0xcf, 0x7e, 0x12, 0xe5, 0x43, 0xd2, 0x38, 0xd8, 0x24, 0x6f, -+ 0x5a, 0x37, 0x68, 0xbf, 0x4f, 0xa0, 0xff, 0xd5, 0x61, 0x8a, 0x93, 0xe0 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_pr_returnedbits[] = { -+ 0xaf, 0xf9, 0xd8, 0x19, 0x91, 0x30, 0x82, 0x6f, 0xa9, 0x1e, 0x9d, 0xd7, -+ 0xf3, 0x50, 0xe0, 0xc7, 0xd5, 0x64, 0x96, 0x7d, 0x4c, 0x4d, 0x78, 0x03, -+ 0x6d, 0xd8, 0x9e, 0x72 -+}; -+ -+/* HMAC SHA-224 No PR */ -+__fips_constseg static const unsigned char hmac_sha224_entropyinput[] = { -+ 0x11, 0x82, 0xfd, 0xd9, 0x42, 0xf4, 0xfa, 0xc8, 0xf2, 0x41, 0xe6, 0x54, -+ 0x01, 0xae, 0x22, 0x6e, 0xc6, 0xaf, 0xaf, 0xd0, 0xa6, 0xb2, 0xe2, 0x6d -+}; -+ -+__fips_constseg static 
const unsigned char hmac_sha224_nonce[] = { -+ 0xa9, 0x48, 0xd7, 0x92, 0x39, 0x7e, 0x2a, 0xdc, 0x30, 0x1f, 0x0e, 0x2b -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha224_personalizationstring[] = { -+ 0x11, 0xd5, 0xf4, 0xbd, 0x67, 0x8c, 0x31, 0xcf, 0xa3, 0x3f, 0x1e, 0x6b, -+ 0xa8, 0x07, 0x02, 0x0b, 0xc8, 0x2e, 0x6c, 0x64, 0x41, 0x5b, 0xc8, 0x37 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_additionalinput[] = { -+ 0x68, 0x18, 0xc2, 0x06, 0xeb, 0x3e, 0x04, 0x95, 0x44, 0x5e, 0xfb, 0xe6, -+ 0x41, 0xc1, 0x5c, 0xcc, 0x40, 0x2f, 0xb7, 0xd2, 0x0f, 0xf3, 0x6b, 0xe7 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_int_returnedbits[] = { -+ 0x7f, 0x45, 0xc7, 0x5d, 0x32, 0xe6, 0x17, 0x60, 0xba, 0xdc, 0xb8, 0x42, -+ 0x1b, 0x9c, 0xf1, 0xfa, 0x3b, 0x4d, 0x29, 0x54, 0xc6, 0x90, 0xff, 0x5c, -+ 0xcd, 0xd6, 0xa9, 0xcc -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_entropyinputreseed[] = { -+ 0xc4, 0x8e, 0x37, 0x95, 0x69, 0x53, 0x28, 0xd7, 0x37, 0xbb, 0x70, 0x95, -+ 0x1c, 0x07, 0x1d, 0xd9, 0xb7, 0xe6, 0x1b, 0xbb, 0xfe, 0x41, 0xeb, 0xc9 -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha224_additionalinputreseed[] = { -+ 0x53, 0x17, 0xa1, 0x6a, 0xfa, 0x77, 0x47, 0xb0, 0x95, 0x56, 0x9a, 0x20, -+ 0x57, 0xde, 0x5c, 0x89, 0x9f, 0x7f, 0xe2, 0xde, 0x17, 0x3a, 0x50, 0x23 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_additionalinput2[] = { -+ 0x3a, 0x32, 0xf9, 0x85, 0x0c, 0xc1, 0xed, 0x76, 0x2d, 0xdf, 0x40, 0xc3, -+ 0x06, 0x22, 0x66, 0xd4, 0x9a, 0x9a, 0xff, 0x5a, 0x7e, 0x7a, 0xf3, 0x96 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_returnedbits[] = { -+ 0x43, 0xb4, 0x57, 0x5c, 0x38, 0x25, 0x9d, 0xae, 0xec, 0x96, 0xd1, 0x85, -+ 0x3a, 0x84, 0x8d, 0xfe, 0x68, 0xd5, 0x0e, 0x5c, 0x8f, 0x65, 0xa5, 0x4e, -+ 0x45, 0x84, 0xa8, 0x94 -+}; -+ -+/* HMAC SHA-256 PR */ -+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinput[] = { -+ 0x4d, 0xb0, 0x43, 0xd8, 0x34, 0x4b, 0x10, 
0x70, 0xb1, 0x8b, 0xed, 0xea, -+ 0x07, 0x92, 0x9f, 0x6c, 0x79, 0x31, 0xaf, 0x81, 0x29, 0xeb, 0x6e, 0xca, -+ 0x32, 0x48, 0x28, 0xe7, 0x02, 0x5d, 0xa6, 0xa6 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_pr_nonce[] = { -+ 0x3a, 0xae, 0x15, 0xa9, 0x99, 0xdc, 0xe4, 0x67, 0x34, 0x3b, 0x70, 0x15, -+ 0xaa, 0xd3, 0x30, 0x9a -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha256_pr_personalizationstring[] = { -+ 0x13, 0x1d, 0x24, 0x04, 0xb0, 0x18, 0x81, 0x15, 0x21, 0x51, 0x2a, 0x24, -+ 0x52, 0x61, 0xbe, 0x64, 0x82, 0x6b, 0x55, 0x2f, 0xe2, 0xf1, 0x40, 0x7d, -+ 0x71, 0xd8, 0x01, 0x86, 0x15, 0xb7, 0x8b, 0xb5 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput[] = { -+ 0x8f, 0xa6, 0x54, 0x5f, 0xb1, 0xd0, 0xd8, 0xc3, 0xe7, 0x0c, 0x15, 0xa9, -+ 0x23, 0x6e, 0xfe, 0xfb, 0x93, 0xf7, 0x3a, 0xbd, 0x59, 0x01, 0xfa, 0x18, -+ 0x8e, 0xe9, 0x1a, 0xa9, 0x78, 0xfc, 0x79, 0x0b -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr[] = { -+ 0xcf, 0x24, 0xb9, 0xeb, 0xb3, 0xd4, 0xcd, 0x17, 0x37, 0x38, 0x75, 0x79, -+ 0x15, 0xcb, 0x2d, 0x75, 0x51, 0xf1, 0xcc, 0xaa, 0x32, 0xa4, 0xa7, 0x36, -+ 0x7c, 0x5c, 0xe4, 0x47, 0xf1, 0x3e, 0x1d, 0xe5 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_pr_int_returnedbits[] = { -+ 0x52, 0x42, 0xfa, 0xeb, 0x85, 0xe0, 0x30, 0x22, 0x79, 0x00, 0x16, 0xb2, -+ 0x88, 0x2f, 0x14, 0x6a, 0xb7, 0xfc, 0xb7, 0x53, 0xdc, 0x4a, 0x12, 0xef, -+ 0x54, 0xd6, 0x33, 0xe9, 0x20, 0xd6, 0xfd, 0x56 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput2[] = { -+ 0xf4, 0xf6, 0x49, 0xa1, 0x2d, 0x64, 0x2b, 0x30, 0x58, 0xf8, 0xbd, 0xb8, -+ 0x75, 0xeb, 0xbb, 0x5e, 0x1c, 0x9b, 0x81, 0x6a, 0xda, 0x14, 0x86, 0x6e, -+ 0xd0, 0xda, 0x18, 0xb7, 0x88, 0xfb, 0x59, 0xf3 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr2[] = { -+ 0x21, 0xcd, 0x6e, 0x46, 0xad, 0x99, 0x07, 0x17, 0xb4, 0x3d, 0x76, 0x0a, -+ 0xff, 0x5b, 0x52, 0x50, 0x78, 0xdf, 
0x1f, 0x24, 0x06, 0x0d, 0x3f, 0x74, -+ 0xa9, 0xc9, 0x37, 0xcf, 0xd8, 0x26, 0x25, 0x91 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_pr_returnedbits[] = { -+ 0xa7, 0xaf, 0x2f, 0x29, 0xe0, 0x3a, 0x72, 0x95, 0x96, 0x1c, 0xa9, 0xf0, -+ 0x4a, 0x17, 0x4d, 0x66, 0x06, 0x10, 0xbf, 0x39, 0x89, 0x88, 0xb8, 0x91, -+ 0x37, 0x18, 0x99, 0xcf, 0x8c, 0x53, 0x3b, 0x7e -+}; -+ -+/* HMAC SHA-256 No PR */ -+__fips_constseg static const unsigned char hmac_sha256_entropyinput[] = { -+ 0x96, 0xb7, 0x53, 0x22, 0x1e, 0x52, 0x2a, 0x96, 0xb1, 0x15, 0x3c, 0x35, -+ 0x5a, 0x8b, 0xd3, 0x4a, 0xa6, 0x6c, 0x83, 0x0a, 0x7d, 0xa3, 0x23, 0x3d, -+ 0x43, 0xa1, 0x07, 0x2c, 0x2d, 0xe3, 0x81, 0xcc -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_nonce[] = { -+ 0xf1, 0xac, 0x97, 0xcb, 0x5e, 0x06, 0x48, 0xd2, 0x94, 0xbe, 0x15, 0x2e, -+ 0xc7, 0xfc, 0xc2, 0x01 -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha256_personalizationstring[] = { -+ 0x98, 0xc5, 0x1e, 0x35, 0x5e, 0x89, 0x0d, 0xce, 0x64, 0x6d, 0x18, 0xa7, -+ 0x5a, 0xc6, 0xf3, 0xe7, 0xd6, 0x9e, 0xc0, 0xea, 0xb7, 0x3a, 0x8d, 0x65, -+ 0xb8, 0xeb, 0x10, 0xd7, 0x57, 0x18, 0xa0, 0x32 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_additionalinput[] = { -+ 0x1b, 0x10, 0xaf, 0xac, 0xd0, 0x65, 0x95, 0xad, 0x04, 0xad, 0x03, 0x1c, -+ 0xe0, 0x40, 0xd6, 0x3e, 0x1c, 0x46, 0x53, 0x39, 0x7c, 0xe2, 0xbc, 0xda, -+ 0x8c, 0xa2, 0x33, 0xa7, 0x9a, 0x26, 0xd3, 0x27 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_int_returnedbits[] = { -+ 0xba, 0x61, 0x0e, 0x55, 0xfe, 0x11, 0x8a, 0x9e, 0x0f, 0x80, 0xdf, 0x1d, -+ 0x03, 0x0a, 0xfe, 0x15, 0x94, 0x28, 0x4b, 0xba, 0xf4, 0x9f, 0x51, 0x25, -+ 0x88, 0xe5, 0x4e, 0xfb, 0xaf, 0xce, 0x69, 0x90 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_entropyinputreseed[] = { -+ 0x62, 0x7f, 0x1e, 0x6b, 0xe8, 0x8e, 0xe1, 0x35, 0x7d, 0x9b, 0x4f, 0xc7, -+ 0xec, 0xc8, 0xac, 0xef, 0x6b, 0x13, 0x9e, 0x05, 0x56, 0xc1, 0x08, 0xf9, -+ 0x2f, 0x0f, 0x27, 0x9c, 
0xd4, 0x15, 0xed, 0x2d -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha256_additionalinputreseed[] = { -+ 0xc7, 0x76, 0x6e, 0xa9, 0xd2, 0xb2, 0x76, 0x40, 0x82, 0x25, 0x2c, 0xb3, -+ 0x6f, 0xac, 0xe9, 0x74, 0xef, 0x8f, 0x3c, 0x8e, 0xcd, 0xf1, 0xbf, 0xb3, -+ 0x49, 0x77, 0x34, 0x88, 0x52, 0x36, 0xe6, 0x2e -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_additionalinput2[] = { -+ 0x8d, 0xb8, 0x0c, 0xd1, 0xbf, 0x70, 0xf6, 0x19, 0xc3, 0x41, 0x80, 0x9f, -+ 0xe1, 0xa5, 0xa4, 0x1f, 0x2c, 0x26, 0xb1, 0xe5, 0xd8, 0xeb, 0xbe, 0xf8, -+ 0xdf, 0x88, 0x6a, 0x89, 0xd6, 0x05, 0xd8, 0x9d -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_returnedbits[] = { -+ 0x43, 0x12, 0x2a, 0x2c, 0x40, 0x53, 0x2e, 0x7c, 0x66, 0x34, 0xac, 0xc3, -+ 0x43, 0xe3, 0xe0, 0x6a, 0xfc, 0xfa, 0xea, 0x87, 0x21, 0x1f, 0xe2, 0x26, -+ 0xc4, 0xf9, 0x09, 0x9a, 0x0d, 0x6e, 0x7f, 0xe0 -+}; -+ -+/* HMAC SHA-384 PR */ -+__fips_constseg static const unsigned char hmac_sha384_pr_entropyinput[] = { -+ 0x69, 0x81, 0x98, 0x88, 0x44, 0xf5, 0xd6, 0x2e, 0x00, 0x08, 0x3b, 0xc5, -+ 0xfb, 0xd7, 0x8e, 0x6f, 0x23, 0xf8, 0x6d, 0x09, 0xd6, 0x85, 0x49, 0xd1, -+ 0xf8, 0x6d, 0xa4, 0x58, 0x54, 0xfd, 0x88, 0xa9 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_pr_nonce[] = { -+ 0x6e, 0x38, 0x81, 0xca, 0xb7, 0xe8, 0x6e, 0x66, 0x49, 0x8a, 0xb2, 0x59, -+ 0xee, 0x16, 0xc9, 0xde -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha384_pr_personalizationstring[] = { -+ 0xfe, 0x4c, 0xd9, 0xf4, 0x78, 0x3b, 0x08, 0x41, 0x8d, 0x8f, 0x55, 0xc4, -+ 0x43, 0x56, 0xb6, 0x12, 0x36, 0x6b, 0x30, 0xb7, 0x5e, 0xe1, 0xb9, 0x47, -+ 0x04, 0xb1, 0x4e, 0xa9, 0x00, 0xa1, 0x52, 0xa1 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput[] = { -+ 0x89, 0xe9, 0xcc, 0x8f, 0x27, 0x3c, 0x26, 0xd1, 0x95, 0xc8, 0x7d, 0x0f, -+ 0x5b, 0x1a, 0xf0, 0x78, 0x39, 0x56, 0x6f, 0xa4, 0x23, 0xe7, 0xd1, 0xda, -+ 0x7c, 0x66, 0x33, 0xa0, 0x90, 0xc9, 0x92, 0x88 -+}; -+ -+__fips_constseg 
static const unsigned char hmac_sha384_pr_entropyinputpr[] = { -+ 0xbe, 0x3d, 0x7c, 0x0d, 0xca, 0xda, 0x7c, 0x49, 0xb8, 0x12, 0x36, 0xc0, -+ 0xdb, 0xad, 0x35, 0xa8, 0xc7, 0x0b, 0x2a, 0x2c, 0x69, 0x6d, 0x25, 0x56, -+ 0x63, 0x82, 0x11, 0x3e, 0xa7, 0x33, 0x70, 0x72 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_pr_int_returnedbits[] = { -+ 0x82, 0x3d, 0xe6, 0x54, 0x80, 0x42, 0xf8, 0xba, 0x90, 0x4f, 0x06, 0xa6, -+ 0xd2, 0x7f, 0xbf, 0x79, 0x7c, 0x12, 0x7d, 0xa6, 0xa2, 0x66, 0xe8, 0xa6, -+ 0xc0, 0xd6, 0x4a, 0x55, 0xbf, 0xd8, 0x0a, 0xc5, 0xf8, 0x03, 0x88, 0xdd, -+ 0x8e, 0x87, 0xd1, 0x5a, 0x48, 0x26, 0x72, 0x2a, 0x8e, 0xcf, 0xee, 0xba -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput2[] = { -+ 0x8f, 0xff, 0xd9, 0x84, 0xbb, 0x85, 0x3a, 0x66, 0xa1, 0x21, 0xce, 0xb2, -+ 0x3a, 0x3a, 0x17, 0x22, 0x19, 0xae, 0xc7, 0xb6, 0x63, 0x81, 0xd5, 0xff, -+ 0x0d, 0xc8, 0xe1, 0xaf, 0x57, 0xd2, 0xcb, 0x60 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr2[] = { -+ 0xd7, 0xfb, 0xc9, 0xe8, 0xe2, 0xf2, 0xaa, 0x4c, 0xb8, 0x51, 0x2f, 0xe1, -+ 0x22, 0xba, 0xf3, 0xda, 0x0a, 0x19, 0x76, 0x71, 0x57, 0xb2, 0x1d, 0x94, -+ 0x09, 0x69, 0x6c, 0xd3, 0x97, 0x51, 0x81, 0x87 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_pr_returnedbits[] = { -+ 0xe6, 0x19, 0x28, 0xa8, 0x21, 0xce, 0x5e, 0xdb, 0x24, 0x79, 0x8c, 0x76, -+ 0x5d, 0x73, 0xb2, 0xdf, 0xac, 0xef, 0x85, 0xa7, 0x3b, 0x19, 0x09, 0x8b, -+ 0x7f, 0x98, 0x28, 0xa9, 0x93, 0xd8, 0x7a, 0xad, 0x55, 0x8b, 0x24, 0x9d, -+ 0xe6, 0x98, 0xfe, 0x47, 0xd5, 0x48, 0xc1, 0x23, 0xd8, 0x1d, 0x62, 0x75 -+}; -+ -+/* HMAC SHA-384 No PR */ -+__fips_constseg static const unsigned char hmac_sha384_entropyinput[] = { -+ 0xc3, 0x56, 0x2b, 0x1d, 0xc2, 0xbb, 0xa8, 0xf0, 0xae, 0x1b, 0x0d, 0xd3, -+ 0x5a, 0x6c, 0xda, 0x57, 0x8e, 0xa5, 0x8a, 0x0d, 0x6c, 0x4b, 0x18, 0xb1, -+ 0x04, 0x3e, 0xb4, 0x99, 0x35, 0xc4, 0xc0, 0x5f -+}; -+ -+__fips_constseg static const unsigned char 
hmac_sha384_nonce[] = { -+ 0xc5, 0x49, 0x1e, 0x66, 0x27, 0x92, 0xbe, 0xec, 0xb5, 0x1e, 0x4b, 0xb1, -+ 0x38, 0xe3, 0xeb, 0x62 -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha384_personalizationstring[] = { -+ 0xbe, 0xe7, 0x6b, 0x57, 0xde, 0x88, 0x11, 0x96, 0x9b, 0x6e, 0xea, 0xe5, -+ 0x63, 0x83, 0x4c, 0xb6, 0x8d, 0x66, 0xaa, 0x1f, 0x8b, 0x54, 0xe7, 0x62, -+ 0x6d, 0x5a, 0xfc, 0xbf, 0x97, 0xba, 0xcd, 0x77 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_additionalinput[] = { -+ 0xe5, 0x28, 0x5f, 0x43, 0xf5, 0x83, 0x6e, 0x0a, 0x83, 0x5c, 0xe3, 0x81, -+ 0x03, 0xf2, 0xf8, 0x78, 0x00, 0x7c, 0x95, 0x87, 0x16, 0xd6, 0x6c, 0x58, -+ 0x33, 0x6c, 0x53, 0x35, 0x0d, 0x66, 0xe3, 0xce -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_int_returnedbits[] = { -+ 0xe2, 0x1f, 0xf3, 0xda, 0x0d, 0x19, 0x99, 0x87, 0xc4, 0x90, 0xa2, 0x31, -+ 0xca, 0x2a, 0x89, 0x58, 0x43, 0x44, 0xb8, 0xde, 0xcf, 0xa4, 0xbe, 0x3b, -+ 0x53, 0x26, 0x22, 0x31, 0x76, 0x41, 0x22, 0xb5, 0xa8, 0x70, 0x2f, 0x4b, -+ 0x64, 0x95, 0x4d, 0x48, 0x96, 0x35, 0xe6, 0xbd, 0x3c, 0x34, 0xdb, 0x1b -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_entropyinputreseed[] = { -+ 0x77, 0x61, 0xba, 0xbc, 0xf2, 0xc1, 0xf3, 0x4b, 0x86, 0x65, 0xfd, 0x48, -+ 0x0e, 0x3c, 0x02, 0x5e, 0xa2, 0x7a, 0x6b, 0x7c, 0xed, 0x21, 0x5e, 0xf9, -+ 0xcd, 0xcd, 0x77, 0x07, 0x2b, 0xbe, 0xc5, 0x5c -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha384_additionalinputreseed[] = { -+ 0x18, 0x24, 0x5f, 0xc6, 0x84, 0xd1, 0x67, 0xc3, 0x9a, 0x11, 0xa5, 0x8c, -+ 0x07, 0x39, 0x21, 0x83, 0x4d, 0x04, 0xc4, 0x6a, 0x28, 0x19, 0xcf, 0x92, -+ 0x21, 0xd9, 0x9e, 0x41, 0x72, 0x6c, 0x9e, 0x63 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_additionalinput2[] = { -+ 0x96, 0x67, 0x41, 0x28, 0x9b, 0xb7, 0x92, 0x8d, 0x64, 0x3b, 0xe4, 0xcf, -+ 0x7e, 0xaa, 0x1e, 0xb1, 0x4b, 0x1d, 0x09, 0x56, 0x67, 0x9c, 0xc6, 0x6d, -+ 0x3b, 0xe8, 0x91, 0x9d, 0xe1, 0x8a, 0xb7, 0x32 -+}; -+ -+__fips_constseg 
static const unsigned char hmac_sha384_returnedbits[] = { -+ 0xe3, 0x59, 0x61, 0x38, 0x92, 0xec, 0xe2, 0x3c, 0xff, 0xb7, 0xdb, 0x19, -+ 0x0f, 0x5b, 0x93, 0x68, 0x0d, 0xa4, 0x94, 0x40, 0x72, 0x0b, 0xe0, 0xed, -+ 0x4d, 0xcd, 0x68, 0xa0, 0x1e, 0xfe, 0x67, 0xb2, 0xfa, 0x21, 0x56, 0x74, -+ 0xa4, 0xad, 0xcf, 0xb7, 0x60, 0x66, 0x2e, 0x40, 0xde, 0x82, 0xca, 0xfb -+}; -+ -+/* HMAC SHA-512 PR */ -+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinput[] = { -+ 0xaa, 0x9e, 0x45, 0x67, 0x0e, 0x00, 0x2a, 0x67, 0x98, 0xd6, 0xda, 0x0b, -+ 0x0f, 0x17, 0x7e, 0xac, 0xfd, 0x27, 0xc4, 0xca, 0x84, 0xdf, 0xde, 0xba, -+ 0x85, 0xd9, 0xbe, 0x8f, 0xf3, 0xff, 0x91, 0x4d -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_pr_nonce[] = { -+ 0x8c, 0x49, 0x2f, 0x58, 0x1e, 0x7a, 0xda, 0x4b, 0x7e, 0x8a, 0x30, 0x7b, -+ 0x86, 0xea, 0xaf, 0xa2 -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha512_pr_personalizationstring[] = { -+ 0x71, 0xe1, 0xbb, 0xad, 0xa7, 0x4b, 0x2e, 0x31, 0x3b, 0x0b, 0xec, 0x24, -+ 0x99, 0x38, 0xbc, 0xaa, 0x05, 0x4c, 0x46, 0x44, 0xfa, 0xad, 0x8e, 0x02, -+ 0xc1, 0x7e, 0xad, 0xec, 0x54, 0xa6, 0xd0, 0xad -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput[] = { -+ 0x3d, 0x6e, 0xa6, 0xa8, 0x29, 0x2a, 0xb2, 0xf5, 0x98, 0x42, 0xe4, 0x92, -+ 0x78, 0x22, 0x67, 0xfd, 0x1b, 0x15, 0x1e, 0x29, 0xaa, 0x71, 0x3c, 0x3c, -+ 0xe7, 0x05, 0x20, 0xa9, 0x29, 0xc6, 0x75, 0x71 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr[] = { -+ 0xab, 0xb9, 0x16, 0xd8, 0x55, 0x35, 0x54, 0xb7, 0x97, 0x3f, 0x94, 0xbc, -+ 0x2f, 0x7c, 0x70, 0xc7, 0xd0, 0xed, 0xb7, 0x4b, 0xf7, 0xf6, 0x6c, 0x03, -+ 0x0c, 0xb0, 0x03, 0xd8, 0xbb, 0x71, 0xd9, 0x10 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_pr_int_returnedbits[] = { -+ 0x8e, 0xd3, 0xfd, 0x52, 0x9e, 0x83, 0x08, 0x49, 0x18, 0x6e, 0x23, 0x56, -+ 0x5c, 0x45, 0x93, 0x34, 0x05, 0xe2, 0x98, 0x8f, 0x0c, 0xd4, 0x32, 0x0c, -+ 0xfd, 0xda, 0x5f, 0x92, 
0x3a, 0x8c, 0x81, 0xbd, 0xf6, 0x6c, 0x55, 0xfd, -+ 0xb8, 0x20, 0xce, 0x8d, 0x97, 0x27, 0xe8, 0xe8, 0xe0, 0xb3, 0x85, 0x50, -+ 0xa2, 0xc2, 0xb2, 0x95, 0x1d, 0x48, 0xd3, 0x7b, 0x4b, 0x78, 0x13, 0x35, -+ 0x05, 0x17, 0xbe, 0x0d -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput2[] = { -+ 0xc3, 0xfc, 0x95, 0xaa, 0x69, 0x06, 0xae, 0x59, 0x41, 0xce, 0x26, 0x08, -+ 0x29, 0x6d, 0x45, 0xda, 0xe8, 0xb3, 0x6c, 0x95, 0x60, 0x0f, 0x70, 0x2c, -+ 0x10, 0xba, 0x38, 0x8c, 0xcf, 0x29, 0x99, 0xaa -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr2[] = { -+ 0x3b, 0x9a, 0x25, 0xce, 0xd7, 0xf9, 0x5c, 0xd1, 0x3a, 0x3e, 0xaa, 0x71, -+ 0x14, 0x3e, 0x19, 0xe8, 0xce, 0xe6, 0xfe, 0x51, 0x84, 0xe9, 0x1b, 0xfe, -+ 0x3f, 0xa7, 0xf2, 0xfd, 0x76, 0x5f, 0x6a, 0xe7 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_pr_returnedbits[] = { -+ 0xb7, 0x82, 0xa9, 0x57, 0x81, 0x67, 0x53, 0xb5, 0xa1, 0xe9, 0x3d, 0x35, -+ 0xf9, 0xe4, 0x97, 0xbe, 0xa6, 0xca, 0xf1, 0x01, 0x13, 0x09, 0xe7, 0x21, -+ 0xc0, 0xed, 0x93, 0x5d, 0x4b, 0xf4, 0xeb, 0x8d, 0x53, 0x25, 0x8a, 0xc4, -+ 0xb1, 0x6f, 0x6e, 0x37, 0xcd, 0x2e, 0xac, 0x39, 0xb2, 0xb6, 0x99, 0xa3, -+ 0x82, 0x00, 0xb0, 0x21, 0xf0, 0xc7, 0x2f, 0x4c, 0x73, 0x92, 0xfd, 0x00, -+ 0xb6, 0xaf, 0xbc, 0xd3 -+}; -+ -+/* HMAC SHA-512 No PR */ -+__fips_constseg static const unsigned char hmac_sha512_entropyinput[] = { -+ 0x6e, 0x85, 0xe6, 0x25, 0x96, 0x29, 0xa7, 0x52, 0x5b, 0x60, 0xba, 0xaa, -+ 0xde, 0xdb, 0x36, 0x0a, 0x51, 0x9a, 0x15, 0xae, 0x6e, 0x18, 0xd3, 0xfe, -+ 0x39, 0xb9, 0x4a, 0x96, 0xf8, 0x77, 0xcb, 0x95 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_nonce[] = { -+ 0xe0, 0xa6, 0x5d, 0x08, 0xc3, 0x7c, 0xae, 0x25, 0x2e, 0x80, 0xd1, 0x3e, -+ 0xd9, 0xaf, 0x43, 0x3c -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha512_personalizationstring[] = { -+ 0x53, 0x99, 0x52, 0x5f, 0x11, 0xa9, 0x64, 0x66, 0x20, 0x5e, 0x1b, 0x5f, -+ 0x42, 0xb3, 0xf4, 0xda, 0xed, 0xbb, 0x63, 
0xc1, 0x23, 0xaf, 0xd0, 0x01, -+ 0x90, 0x3b, 0xd0, 0x78, 0xe4, 0x0b, 0xa7, 0x20 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_additionalinput[] = { -+ 0x85, 0x90, 0x80, 0xd3, 0x98, 0xf1, 0x53, 0x6d, 0x68, 0x15, 0x8f, 0xe5, -+ 0x60, 0x3f, 0x17, 0x29, 0x55, 0x8d, 0x33, 0xb1, 0x45, 0x64, 0x64, 0x8d, -+ 0x50, 0x21, 0x89, 0xae, 0xf6, 0xfd, 0x32, 0x73 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_int_returnedbits[] = { -+ 0x28, 0x56, 0x30, 0x6f, 0xf4, 0xa1, 0x48, 0xe0, 0xc9, 0xf5, 0x75, 0x90, -+ 0xcc, 0xfb, 0xdf, 0xdf, 0x71, 0x3d, 0x0a, 0x9a, 0x03, 0x65, 0x3b, 0x18, -+ 0x61, 0xe3, 0xd1, 0xda, 0xcc, 0x4a, 0xfe, 0x55, 0x38, 0xf8, 0x21, 0x6b, -+ 0xfa, 0x18, 0x01, 0x42, 0x39, 0x2f, 0x99, 0x53, 0x38, 0x15, 0x82, 0x34, -+ 0xc5, 0x93, 0x92, 0xbc, 0x4d, 0x75, 0x1a, 0x5f, 0x21, 0x27, 0xcc, 0xa1, -+ 0xb1, 0x57, 0x69, 0xe8 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_entropyinputreseed[] = { -+ 0x8c, 0x52, 0x7e, 0x77, 0x72, 0x3f, 0xa3, 0x04, 0x97, 0x10, 0x9b, 0x41, -+ 0xbd, 0xe8, 0xff, 0x89, 0xed, 0x80, 0xe3, 0xbd, 0xaa, 0x12, 0x2d, 0xca, -+ 0x75, 0x82, 0x36, 0x77, 0x88, 0xcd, 0xa6, 0x73 -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha512_additionalinputreseed[] = { -+ 0x7e, 0x32, 0xe3, 0x69, 0x69, 0x07, 0x34, 0xa2, 0x16, 0xa2, 0x5d, 0x1a, -+ 0x10, 0x91, 0xd3, 0xe2, 0x21, 0xa2, 0xa3, 0xdd, 0xcd, 0x0c, 0x09, 0x86, -+ 0x11, 0xe1, 0x50, 0xff, 0x5c, 0xb7, 0xeb, 0x5c -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_additionalinput2[] = { -+ 0x7f, 0x78, 0x66, 0xd8, 0xfb, 0x67, 0xcf, 0x8d, 0x8c, 0x08, 0x30, 0xa5, -+ 0xf8, 0x7d, 0xcf, 0x44, 0x59, 0xce, 0xf8, 0xdf, 0x58, 0xd3, 0x60, 0xcb, -+ 0xa8, 0x60, 0xb9, 0x07, 0xc4, 0xb1, 0x95, 0x48 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_returnedbits[] = { -+ 0xdf, 0xa7, 0x36, 0xd4, 0xdc, 0x5d, 0x4d, 0x31, 0xad, 0x69, 0x46, 0x9f, -+ 0xf1, 0x7c, 0xd7, 0x3b, 0x4f, 0x55, 0xf2, 0xd7, 0xb9, 0x9d, 0xad, 0x7a, -+ 0x79, 0x08, 0x59, 0xa5, 0xdc, 
0x74, 0xf5, 0x9b, 0x73, 0xd2, 0x13, 0x25, -+ 0x0b, 0x81, 0x08, 0x08, 0x25, 0xfb, 0x39, 0xf2, 0xf0, 0xa3, 0xa4, 0x8d, -+ 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79, -+ 0xc2, 0xd6, 0xfd, 0xa5 -+}; -diff --git a/crypto/fips/fips_dsa_selftest.c b/crypto/fips/fips_dsa_selftest.c -new file mode 100644 -index 0000000..4c0da82 ---- /dev/null -+++ b/crypto/fips/fips_dsa_selftest.c -@@ -0,0 +1,192 @@ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. 
Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ * -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "fips_locl.h" -+ -+#ifdef OPENSSL_FIPS -+ -+static const unsigned char dsa_test_2048_p[] = { -+ 0xa8, 0x53, 0x78, 0xd8, 0xfd, 0x3f, 0x8d, 0x72, 0xec, 0x74, 0x18, 0x08, -+ 0x0d, 0xa2, 0x13, 0x17, 0xe4, 0x3e, 0xc4, 0xb6, 0x2b, 0xa8, 0xc8, 0x62, -+ 0x3b, 0x7e, 0x4d, 0x04, 0x44, 0x1d, 0xd1, 0xa0, 0x65, 0x86, 0x62, 0x59, -+ 0x64, 0x93, 0xca, 0x8e, 0x9e, 0x8f, 0xbb, 0x7e, 0x34, 0xaa, 0xdd, 0xb6, -+ 0x2e, 0x5d, 0x67, 0xb6, 0xd0, 0x9a, 0x6e, 0x61, 0xb7, 0x69, 0xe7, 0xc3, -+ 0x52, 0xaa, 0x2b, 0x10, 0xe2, 0x0c, 0xa0, 0x63, 0x69, 0x63, 0xb5, 0x52, -+ 0x3e, 0x86, 0x47, 0x0d, 0xec, 0xbb, 0xed, 0xa0, 0x27, 0xe7, 0x97, 0xe7, -+ 0xb6, 0x76, 0x35, 0xd4, 0xd4, 0x9c, 0x30, 0x70, 0x0e, 0x74, 0xaf, 0x8a, -+ 0x0f, 0xf1, 0x56, 0xa8, 0x01, 0xaf, 0x57, 0xa2, 0x6e, 0x70, 0x78, 0xf1, -+ 0xd8, 0x2f, 0x74, 0x90, 0x8e, 0xcb, 0x6d, 0x07, 0xe7, 0x0b, 0x35, 0x03, -+ 0xee, 0xd9, 0x4f, 0xa3, 0x2c, 0xf1, 0x7a, 0x7f, 0xc3, 0xd6, 0xcf, 0x40, -+ 0xdc, 0x7b, 0x00, 0x83, 0x0e, 0x6a, 0x25, 0x66, 0xdc, 0x07, 0x3e, 0x34, -+ 0x33, 0x12, 0x51, 0x7c, 0x6a, 0xa5, 0x15, 0x2b, 0x4b, 0xfe, 0xcd, 0x2e, -+ 0x55, 0x1f, 0xee, 0x34, 0x63, 0x18, 0xa1, 0x53, 0x42, 0x3c, 0x99, 0x6b, -+ 0x0d, 0x5d, 0xcb, 0x91, 0x02, 0xae, 0xdd, 0x38, 0x79, 0x86, 0x16, 0xf1, -+ 0xf1, 0xe0, 0xd6, 0xc4, 0x03, 0x52, 0x5b, 0x1f, 0x9b, 0x3d, 0x4d, 0xc7, -+ 0x66, 0xde, 0x2d, 0xfc, 0x4a, 0x56, 0xd7, 0xb8, 0xba, 0x59, 0x63, 0xd6, -+ 0x0f, 0x3e, 0x16, 0x31, 0x88, 0x70, 0xad, 0x43, 0x69, 0x52, 0xe5, 0x57, -+ 0x65, 0x37, 0x4e, 0xab, 0x85, 0xe8, 0xec, 0x17, 0xd6, 0xb9, 0xa4, 0x54, -+ 0x7b, 0x9b, 0x5f, 0x27, 0x52, 0xf3, 0x10, 0x5b, 0xe8, 0x09, 0xb2, 0x3a, -+ 0x2c, 0x8d, 0x74, 0x69, 0xdb, 0x02, 0xe2, 0x4d, 0x59, 0x23, 0x94, 0xa7, -+ 0xdb, 0xa0, 0x69, 0xe9 -+}; -+ -+static const unsigned char dsa_test_2048_q[] = { -+ 0xd2, 0x77, 0x04, 0x4e, 0x50, 0xf5, 0xa4, 0xe3, 0xf5, 0x10, 0xa5, 0x0a, -+ 0x0b, 0x84, 0xfd, 0xff, 0xbc, 0xa0, 0x47, 0xed, 0x27, 0x60, 0x20, 
0x56, -+ 0x74, 0x41, 0xa0, 0xa5 -+}; -+ -+static const unsigned char dsa_test_2048_g[] = { -+ 0x13, 0xd7, 0x54, 0xe2, 0x1f, 0xd2, 0x41, 0x65, 0x5d, 0xa8, 0x91, 0xc5, -+ 0x22, 0xa6, 0x5a, 0x72, 0xa8, 0x9b, 0xdc, 0x64, 0xec, 0x9b, 0x54, 0xa8, -+ 0x21, 0xed, 0x4a, 0x89, 0x8b, 0x49, 0x0e, 0x0c, 0x4f, 0xcb, 0x72, 0x19, -+ 0x2a, 0x4a, 0x20, 0xf5, 0x41, 0xf3, 0xf2, 0x92, 0x53, 0x99, 0xf0, 0xba, -+ 0xec, 0xf9, 0x29, 0xaa, 0xfb, 0xf7, 0x9d, 0xfe, 0x43, 0x32, 0x39, 0x3b, -+ 0x32, 0xcd, 0x2e, 0x2f, 0xcf, 0x27, 0x2f, 0x32, 0xa6, 0x27, 0x43, 0x4a, -+ 0x0d, 0xf2, 0x42, 0xb7, 0x5b, 0x41, 0x4d, 0xf3, 0x72, 0x12, 0x1e, 0x53, -+ 0xa5, 0x53, 0xf2, 0x22, 0xf8, 0x36, 0xb0, 0x00, 0xf0, 0x16, 0x48, 0x5b, -+ 0x6b, 0xd0, 0x89, 0x84, 0x51, 0x80, 0x1d, 0xcd, 0x8d, 0xe6, 0x4c, 0xd5, -+ 0x36, 0x56, 0x96, 0xff, 0xc5, 0x32, 0xd5, 0x28, 0xc5, 0x06, 0x62, 0x0a, -+ 0x94, 0x2a, 0x03, 0x05, 0x04, 0x6d, 0x8f, 0x18, 0x76, 0x34, 0x1f, 0x1e, -+ 0x57, 0x0b, 0xc3, 0x97, 0x4b, 0xa6, 0xb9, 0xa4, 0x38, 0xe9, 0x70, 0x23, -+ 0x02, 0xa2, 0xe6, 0xe6, 0x7b, 0xfd, 0x06, 0xd3, 0x2b, 0xc6, 0x79, 0x96, -+ 0x22, 0x71, 0xd7, 0xb4, 0x0c, 0xd7, 0x2f, 0x38, 0x6e, 0x64, 0xe0, 0xd7, -+ 0xef, 0x86, 0xca, 0x8c, 0xa5, 0xd1, 0x42, 0x28, 0xdc, 0x2a, 0x4f, 0x16, -+ 0xe3, 0x18, 0x98, 0x86, 0xb5, 0x99, 0x06, 0x74, 0xf4, 0x20, 0x0f, 0x3a, -+ 0x4c, 0xf6, 0x5a, 0x3f, 0x0d, 0xdb, 0xa1, 0xfa, 0x67, 0x2d, 0xff, 0x2f, -+ 0x5e, 0x14, 0x3d, 0x10, 0xe4, 0xe9, 0x7a, 0xe8, 0x4f, 0x6d, 0xa0, 0x95, -+ 0x35, 0xd5, 0xb9, 0xdf, 0x25, 0x91, 0x81, 0xa7, 0x9b, 0x63, 0xb0, 0x69, -+ 0xe9, 0x49, 0x97, 0x2b, 0x02, 0xba, 0x36, 0xb3, 0x58, 0x6a, 0xab, 0x7e, -+ 0x45, 0xf3, 0x22, 0xf8, 0x2e, 0x4e, 0x85, 0xca, 0x3a, 0xb8, 0x55, 0x91, -+ 0xb3, 0xc2, 0xa9, 0x66 -+}; -+ -+static const unsigned char dsa_test_2048_pub_key[] = { -+ 0x24, 0x52, 0xf3, 0xcc, 0xbe, 0x9e, 0xd5, 0xca, 0x7d, 0xc7, 0x4c, 0x60, -+ 0x2b, 0x99, 0x22, 0x6e, 0x8f, 0x2f, 0xab, 0x38, 0xe7, 0xd7, 0xdd, 0xfb, -+ 0x75, 0x53, 0x9b, 0x17, 0x15, 0x5e, 0x9f, 0xcf, 0xd1, 0xab, 0xa5, 0x64, -+ 0xeb, 0x85, 
0x35, 0xd8, 0x12, 0xc9, 0xc2, 0xdc, 0xf9, 0x72, 0x84, 0x44, -+ 0x1b, 0xc4, 0x82, 0x24, 0x36, 0x24, 0xc7, 0xf4, 0x57, 0x58, 0x0c, 0x1c, -+ 0x38, 0xa5, 0x7c, 0x46, 0xc4, 0x57, 0x39, 0x24, 0x70, 0xed, 0xb5, 0x2c, -+ 0xb5, 0xa6, 0xe0, 0x3f, 0xe6, 0x28, 0x7b, 0xb6, 0xf4, 0x9a, 0x42, 0xa2, -+ 0x06, 0x5a, 0x05, 0x4f, 0x03, 0x08, 0x39, 0xdf, 0x1f, 0xd3, 0x14, 0x9c, -+ 0x4c, 0xa0, 0x53, 0x1d, 0xd8, 0xca, 0x8a, 0xaa, 0x9c, 0xc7, 0x33, 0x71, -+ 0x93, 0x38, 0x73, 0x48, 0x33, 0x61, 0x18, 0x22, 0x45, 0x45, 0xe8, 0x8c, -+ 0x80, 0xff, 0xd8, 0x76, 0x5d, 0x74, 0x36, 0x03, 0x33, 0xcc, 0xab, 0x99, -+ 0x72, 0x77, 0x9b, 0x65, 0x25, 0xa6, 0x5b, 0xdd, 0x0d, 0x10, 0xc6, 0x75, -+ 0xc1, 0x09, 0xbb, 0xd3, 0xe5, 0xbe, 0x4d, 0x72, 0xef, 0x6e, 0xba, 0x6e, -+ 0x43, 0x8d, 0x52, 0x26, 0x23, 0x7d, 0xb8, 0x88, 0x37, 0x9c, 0x5f, 0xcc, -+ 0x47, 0xa3, 0x84, 0x7f, 0xf6, 0x37, 0x11, 0xba, 0xed, 0x6d, 0x03, 0xaf, -+ 0xe8, 0x1e, 0x69, 0x4a, 0x41, 0x3b, 0x68, 0x0b, 0xd3, 0x8a, 0xb4, 0x90, -+ 0x3f, 0x83, 0x70, 0xa7, 0x07, 0xef, 0x55, 0x1d, 0x49, 0x41, 0x02, 0x6d, -+ 0x95, 0x79, 0xd6, 0x91, 0xde, 0x8e, 0xda, 0xa1, 0x61, 0x05, 0xeb, 0x9d, -+ 0xba, 0x3c, 0x2f, 0x4c, 0x1b, 0xec, 0x50, 0x82, 0x75, 0xaa, 0x02, 0x07, -+ 0xe2, 0x51, 0xb5, 0xec, 0xcb, 0x28, 0x6a, 0x4b, 0x01, 0xd4, 0x49, 0xd3, -+ 0x0a, 0xcb, 0x67, 0x37, 0x17, 0xa0, 0xd2, 0xfb, 0x3b, 0x50, 0xc8, 0x93, -+ 0xf7, 0xda, 0xb1, 0x4f -+}; -+ -+static const unsigned char dsa_test_2048_priv_key[] = { -+ 0x0c, 0x4b, 0x30, 0x89, 0xd1, 0xb8, 0x62, 0xcb, 0x3c, 0x43, 0x64, 0x91, -+ 0xf0, 0x91, 0x54, 0x70, 0xc5, 0x27, 0x96, 0xe3, 0xac, 0xbe, 0xe8, 0x00, -+ 0xec, 0x55, 0xf6, 0xcc -+}; -+ -+static int corrupt_dsa; -+ -+void FIPS_corrupt_dsa() -+{ -+ corrupt_dsa = 1; -+} -+ -+int FIPS_selftest_dsa() -+{ -+ DSA *dsa = NULL; -+ EVP_PKEY *pk = NULL; -+ int ret = 0; -+ -+ dsa = DSA_new(); -+ -+ if (dsa == NULL) -+ goto err; -+ -+ fips_load_key_component(dsa, p, dsa_test_2048); -+ fips_load_key_component(dsa, q, dsa_test_2048); -+ fips_load_key_component(dsa, g, 
dsa_test_2048);
-+ fips_load_key_component(dsa, pub_key, dsa_test_2048);
-+ fips_load_key_component(dsa, priv_key, dsa_test_2048);
-+
-+ if (corrupt_dsa)
-+ BN_set_bit(dsa->pub_key, 2047);
-+
-+ if ((pk = EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_assign_DSA(pk, dsa);
-+
-+ if (!fips_pkey_signature_test(pk, NULL, 0,
-+ NULL, 0, EVP_sha256(), 0, "DSA SHA256"))
-+ goto err;
-+ ret = 1;
-+
-+ err:
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+ else if (dsa)
-+ DSA_free(dsa);
-+ return ret;
-+}
-+#endif
-diff --git a/crypto/fips/fips_enc.c b/crypto/fips/fips_enc.c
-new file mode 100644
-index 0000000..a1427b9
---- /dev/null
-+++ b/crypto/fips/fips_enc.c
-@@ -0,0 +1,189 @@
-+/* fipe/evp/fips_enc.c */
-+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay@cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ *
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to. The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
-+ *
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1.
Redistributions of source code must retain the copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. All advertising materials mentioning features or use of this software -+ * must display the following acknowledgement: -+ * "This product includes cryptographic software written by -+ * Eric Young (eay@cryptsoft.com)" -+ * The word 'cryptographic' can be left out if the rouines from the library -+ * being used are not cryptographic related :-). -+ * 4. If you include any Windows specific code (or a derivative thereof) from -+ * the apps directory (application code) you must include an acknowledgement: -+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND -+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -+ * SUCH DAMAGE. -+ * -+ * The licence and distribution terms for any publically available version or -+ * derivative of this code cannot be changed. i.e. this code cannot simply be -+ * copied and put under another distribution licence -+ * [including the GNU Public Licence.] 
-+ */
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+const EVP_CIPHER *FIPS_get_cipherbynid(int nid)
-+{
-+ switch (nid) {
-+ case NID_aes_128_cbc:
-+ return EVP_aes_128_cbc();
-+
-+ case NID_aes_128_ccm:
-+ return EVP_aes_128_ccm();
-+
-+ case NID_aes_128_cfb1:
-+ return EVP_aes_128_cfb1();
-+
-+ case NID_aes_128_cfb128:
-+ return EVP_aes_128_cfb128();
-+
-+ case NID_aes_128_cfb8:
-+ return EVP_aes_128_cfb8();
-+
-+ case NID_aes_128_ctr:
-+ return EVP_aes_128_ctr();
-+
-+ case NID_aes_128_ecb:
-+ return EVP_aes_128_ecb();
-+
-+ case NID_aes_128_gcm:
-+ return EVP_aes_128_gcm();
-+
-+ case NID_aes_128_ofb128:
-+ return EVP_aes_128_ofb();
-+
-+ case NID_aes_128_xts:
-+ return EVP_aes_128_xts();
-+
-+ case NID_aes_192_cbc:
-+ return EVP_aes_192_cbc();
-+
-+ case NID_aes_192_ccm:
-+ return EVP_aes_192_ccm();
-+
-+ case NID_aes_192_cfb1:
-+ return EVP_aes_192_cfb1();
-+
-+ case NID_aes_192_cfb128:
-+ return EVP_aes_192_cfb128();
-+
-+ case NID_aes_192_cfb8:
-+ return EVP_aes_192_cfb8();
-+
-+ case NID_aes_192_ctr:
-+ return EVP_aes_192_ctr();
-+
-+ case NID_aes_192_ecb:
-+ return EVP_aes_192_ecb();
-+
-+ case NID_aes_192_gcm:
-+ return EVP_aes_192_gcm();
-+
-+ case NID_aes_192_ofb128:
-+ return EVP_aes_192_ofb();
-+
-+ case NID_aes_256_cbc:
-+ return EVP_aes_256_cbc();
-+
-+ case NID_aes_256_ccm:
-+ return EVP_aes_256_ccm();
-+
-+ case NID_aes_256_cfb1:
-+ return EVP_aes_256_cfb1();
-+
-+ case NID_aes_256_cfb128:
-+ return EVP_aes_256_cfb128();
-+
-+ case NID_aes_256_cfb8:
-+ return EVP_aes_256_cfb8();
-+
-+ case NID_aes_256_ctr:
-+ return EVP_aes_256_ctr();
-+
-+ case NID_aes_256_ecb:
-+ return EVP_aes_256_ecb();
-+
-+ case NID_aes_256_gcm:
-+ return EVP_aes_256_gcm();
-+
-+ case NID_aes_256_ofb128:
-+ return EVP_aes_256_ofb();
-+
-+ case NID_aes_256_xts:
-+ return EVP_aes_256_xts();
-+
-+ case NID_des_ede_ecb:
-+ return EVP_des_ede();
-+
-+ case NID_des_ede3_ecb:
-+ return EVP_des_ede3();
-+
-+ case NID_des_ede3_cbc:
-+ return EVP_des_ede3_cbc();
-+
-+ case NID_des_ede3_cfb1:
-+ return EVP_des_ede3_cfb1();
-+
-+ case NID_des_ede3_cfb64:
-+ return EVP_des_ede3_cfb64();
-+
-+ case NID_des_ede3_cfb8:
-+ return EVP_des_ede3_cfb8();
-+
-+ case NID_des_ede3_ofb64:
-+ return EVP_des_ede3_ofb();
-+
-+ case NID_des_ede_cbc:
-+ return EVP_des_ede_cbc();
-+
-+ case NID_des_ede_cfb64:
-+ return EVP_des_ede_cfb64();
-+
-+ case NID_des_ede_ofb64:
-+ return EVP_des_ede_ofb();
-+
-+ default:
-+ return NULL;
-+
-+ }
-+}
-diff --git a/crypto/fips/fips_hmac_selftest.c b/crypto/fips/fips_hmac_selftest.c
-new file mode 100644
-index 0000000..ca46450
---- /dev/null
-+++ b/crypto/fips/fips_hmac_selftest.c
-@@ -0,0 +1,134 @@
-+/* ====================================================================
-+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5.
Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include
-+#include
-+#ifdef OPENSSL_FIPS
-+# include
-+#endif
-+#include
-+
-+#ifdef OPENSSL_FIPS
-+typedef struct {
-+ const EVP_MD *(*alg) (void);
-+ const char *key, *iv;
-+ unsigned char kaval[EVP_MAX_MD_SIZE];
-+} HMAC_KAT;
-+
-+static const HMAC_KAT vector[] = {
-+ {EVP_sha1,
-+ /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ {0x09, 0x22, 0xd3, 0x40, 0x5f, 0xaa, 0x3d, 0x19,
-+ 0x4f, 0x82, 0xa4, 0x58, 0x30, 0x73, 0x7d, 0x5c,
-+ 0xc6, 0xc7, 0x5d, 0x24}
-+ },
-+ {EVP_sha224,
-+ /* just keep extending the above...
*/
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ {0xdd, 0xef, 0x0a, 0x40, 0xcb, 0x7d, 0x50, 0xfb,
-+ 0x6e, 0xe6, 0xce, 0xa1, 0x20, 0xba, 0x26, 0xaa,
-+ 0x08, 0xf3, 0x07, 0x75, 0x87, 0xb8, 0xad, 0x1b,
-+ 0x8c, 0x8d, 0x12, 0xc7}
-+ },
-+ {EVP_sha256,
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ {0xb8, 0xf2, 0x0d, 0xb5, 0x41, 0xea, 0x43, 0x09,
-+ 0xca, 0x4e, 0xa9, 0x38, 0x0c, 0xd0, 0xe8, 0x34,
-+ 0xf7, 0x1f, 0xbe, 0x91, 0x74, 0xa2, 0x61, 0x38,
-+ 0x0d, 0xc1, 0x7e, 0xae, 0x6a, 0x34, 0x51, 0xd9}
-+ },
-+ {EVP_sha384,
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ {0x08, 0xbc, 0xb0, 0xda, 0x49, 0x1e, 0x87, 0xad,
-+ 0x9a, 0x1d, 0x6a, 0xce, 0x23, 0xc5, 0x0b, 0xf6,
-+ 0xb7, 0x18, 0x06, 0xa5, 0x77, 0xcd, 0x49, 0x04,
-+ 0x89, 0xf1, 0xe6, 0x23, 0x44, 0x51, 0x51, 0x9f,
-+ 0x85, 0x56, 0x80, 0x79, 0x0c, 0xbd, 0x4d, 0x50,
-+ 0xa4, 0x5f, 0x29, 0xe3, 0x93, 0xf0, 0xe8, 0x7f}
-+ },
-+ {EVP_sha512,
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ {0x80, 0x9d, 0x44, 0x05, 0x7c, 0x5b, 0x95, 0x41,
-+ 0x05, 0xbd, 0x04, 0x13, 0x16, 0xdb, 0x0f, 0xac,
-+ 0x44, 0xd5, 0xa4, 0xd5, 0xd0, 0x89, 0x2b, 0xd0,
-+ 0x4e, 0x86, 0x64, 0x12, 0xc0, 0x90, 0x77, 0x68,
-+ 0xf1, 0x87, 0xb7, 0x7c, 0x4f, 0xae, 0x2c, 0x2f,
-+ 0x21, 0xa5, 0xb5, 0x65, 0x9a, 0x4f, 0x4b, 0xa7,
-+ 0x47, 0x02, 0xa3, 0xde, 0x9b, 0x51, 0xf1, 0x45,
-+ 0xbd, 0x4f, 0x25, 0x27, 0x42, 0x98, 0x99, 0x05}
-+ },
-+};
-+
-+int FIPS_selftest_hmac()
-+{
-+ int n;
-+ unsigned int outlen;
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ const EVP_MD *md;
-+ const HMAC_KAT *t;
-+
-+ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) {
-+ md = (*t->alg) ();
-+ HMAC(md, t->key, strlen(t->key),
-+ (const unsigned char *)t->iv, strlen(t->iv), out, &outlen);
-+
-+ if (memcmp(out, t->kaval, outlen)) {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+ }
-+ return 1;
-+}
-+#endif
-diff --git a/crypto/fips/fips_locl.h b/crypto/fips/fips_locl.h
-new file mode 100644
-index 0000000..40f873b
---- /dev/null
-+++
b/crypto/fips/fips_locl.h
-@@ -0,0 +1,71 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#ifdef OPENSSL_FIPS
-+
-+# ifdef __cplusplus
-+extern "C" {
-+# endif
-+
-+# define FIPS_MAX_CIPHER_TEST_SIZE 32
-+# define fips_load_key_component(key, comp, pre) \
-+ key->comp = BN_bin2bn(pre##_##comp, sizeof(pre##_##comp), key->comp); \
-+ if (!key->comp) \
-+ goto err
-+
-+# define fips_post_started(id, subid, ex) 1
-+# define fips_post_success(id, subid, ex) 1
-+# define fips_post_failed(id, subid, ex) 1
-+# define fips_post_corrupt(id, subid, ex) 1
-+# define fips_post_status() 1
-+
-+# ifdef __cplusplus
-+}
-+# endif
-+#endif
-diff --git a/crypto/fips/fips_md.c b/crypto/fips/fips_md.c
-new file mode 100644
-index 0000000..ef3a439
---- /dev/null
-+++ b/crypto/fips/fips_md.c
-@@ -0,0 +1,144 @@
-+/* fips/evp/fips_md.c */
-+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay@cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ *
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to. The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
-+ *
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * "This product includes cryptographic software written by
-+ * Eric Young (eay@cryptsoft.com)"
-+ * The word 'cryptographic' can be left out if the rouines from the library
-+ * being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from
-+ * the apps directory (application code) you must include an acknowledgement:
-+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed. i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+/* ====================================================================
-+ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission.
For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com). This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+/* Minimal standalone FIPS versions of Digest operations */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+const EVP_MD *FIPS_get_digestbynid(int nid)
-+{
-+ switch (nid) {
-+ case NID_sha1:
-+ return EVP_sha1();
-+
-+ case NID_sha224:
-+ return EVP_sha224();
-+
-+ case NID_sha256:
-+ return EVP_sha256();
-+
-+ case NID_sha384:
-+ return EVP_sha384();
-+
-+ case NID_sha512:
-+ return EVP_sha512();
-+
-+ default:
-+ return NULL;
-+ }
-+}
-diff --git a/crypto/fips/fips_post.c b/crypto/fips/fips_post.c
-new file mode 100644
-index 0000000..629f5c2
---- /dev/null
-+++ b/crypto/fips/fips_post.c
-@@ -0,0 +1,201 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5.
Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#ifdef OPENSSL_FIPS
-+
-+/* Power on self test (POST) support functions */
-+
-+# include
-+# include "fips_locl.h"
-+
-+/* Run all selftests */
-+int FIPS_selftest(void)
-+{
-+ int rv = 1;
-+ if (!FIPS_selftest_drbg())
-+ rv = 0;
-+ if (!FIPS_selftest_x931())
-+ rv = 0;
-+ if (!FIPS_selftest_sha1())
-+ rv = 0;
-+ if (!FIPS_selftest_sha2())
-+ rv = 0;
-+ if (!FIPS_selftest_hmac())
-+ rv = 0;
-+ if (!FIPS_selftest_cmac())
-+ rv = 0;
-+ if (!FIPS_selftest_aes())
-+ rv = 0;
-+ if (!FIPS_selftest_aes_ccm())
-+ rv = 0;
-+ if (!FIPS_selftest_aes_gcm())
-+ rv = 0;
-+ if (!FIPS_selftest_aes_xts())
-+ rv = 0;
-+ if (!FIPS_selftest_des())
-+ rv = 0;
-+ if (!FIPS_selftest_rsa())
-+ rv = 0;
-+ if (!FIPS_selftest_dsa())
-+ rv = 0;
-+ return rv;
-+}
-+
-+/* Generalized public key test routine. Signs and verifies the data
-+ * supplied in tbs using mesage digest md and setting option digest
-+ * flags md_flags. If the 'kat' parameter is not NULL it will
-+ * additionally check the signature matches it: a known answer test
-+ * The string "fail_str" is used for identification purposes in case
-+ * of failure. If "pkey" is NULL just perform a message digest check.
-+ */
-+
-+int fips_pkey_signature_test(EVP_PKEY *pkey,
-+ const unsigned char *tbs, int tbslen,
-+ const unsigned char *kat, unsigned int katlen,
-+ const EVP_MD *digest, unsigned int md_flags,
-+ const char *fail_str)
-+{
-+ int ret = 0;
-+ unsigned char sigtmp[256], *sig = sigtmp;
-+ unsigned int siglen;
-+ EVP_MD_CTX mctx;
-+ EVP_MD_CTX_init(&mctx);
-+
-+ if (digest == NULL)
-+ digest = EVP_sha256();
-+
-+ if ((pkey->type == EVP_PKEY_RSA)
-+ && (RSA_size(pkey->pkey.rsa) > sizeof(sigtmp))) {
-+ sig = OPENSSL_malloc(RSA_size(pkey->pkey.rsa));
-+ if (!sig) {
-+ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, ERR_R_MALLOC_FAILURE);
-+ return 0;
-+ }
-+ }
-+
-+ if (tbslen == -1)
-+ tbslen = strlen((char *)tbs);
-+
-+ if (md_flags)
-+ EVP_MD_CTX_set_flags(&mctx, md_flags);
-+
-+ if (!EVP_SignInit_ex(&mctx, digest, NULL))
-+ goto error;
-+ if (!EVP_SignUpdate(&mctx, tbs, tbslen))
-+ goto error;
-+ if (!EVP_SignFinal(&mctx, sig, &siglen, pkey))
-+ goto error;
-+
-+ if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen)))
-+ goto error;
-+
-+ if (!EVP_VerifyInit_ex(&mctx, digest, NULL))
-+ goto error;
-+ if (!EVP_VerifyUpdate(&mctx, tbs, tbslen))
-+ goto error;
-+ ret = EVP_VerifyFinal(&mctx, sig, siglen, pkey);
-+
-+ error:
-+ if (sig != sigtmp)
-+ OPENSSL_free(sig);
-+ EVP_MD_CTX_cleanup(&mctx);
-+ if (ret != 1) {
-+ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, FIPS_R_TEST_FAILURE);
-+ if (fail_str)
-+ ERR_add_error_data(2, "Type=", fail_str);
-+ return 0;
-+ }
-+ return 1;
-+}
-+
-+/* Generalized symmetric cipher test routine. Encrypt data, verify result
-+ * against known answer, decrypt and compare with original plaintext.
-+ */
-+
-+int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
-+ const unsigned char *key,
-+ const unsigned char *iv,
-+ const unsigned char *plaintext,
-+ const unsigned char *ciphertext, int len)
-+{
-+ unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE];
-+ unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE];
-+
-+ OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE);
-+ memset(pltmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
-+ memset(citmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
-+
-+ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0)
-+ return 0;
-+ if (EVP_Cipher(ctx, citmp, plaintext, len) <= 0)
-+ return 0;
-+ if (memcmp(citmp, ciphertext, len))
-+ return 0;
-+ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0)
-+ return 0;
-+ if (EVP_Cipher(ctx, pltmp, citmp, len) <= 0)
-+ return 0;
-+ if (memcmp(pltmp, plaintext, len))
-+ return 0;
-+ return 1;
-+}
-+#endif
-diff --git a/crypto/fips/fips_rand.c b/crypto/fips/fips_rand.c
-new file mode 100644
-index 0000000..c5060a2
---- /dev/null
-+++ b/crypto/fips/fips_rand.c
-@@ -0,0 +1,428 @@
-+/* ====================================================================
-+ * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit.
(http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+/*
-+ * This is a FIPS approved AES PRNG based on ANSI X9.31 A.2.4.
-+ */
-+#include
-+#include "e_os.h"
-+
-+/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't
-+ be defined and gettimeofday() won't be declared with strict compilers
-+ like DEC C in ANSI C mode.
*/
-+#ifndef _XOPEN_SOURCE_EXTENDED
-+# define _XOPEN_SOURCE_EXTENDED 1
-+#endif
-+
-+#include
-+#include
-+#include
-+#include
-+#if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS))
-+# include
-+#endif
-+#if defined(OPENSSL_SYS_VXWORKS)
-+# include
-+#endif
-+#include
-+#ifndef OPENSSL_SYS_WIN32
-+# ifdef OPENSSL_UNISTD
-+# include OPENSSL_UNISTD
-+# else
-+# include
-+# endif
-+#endif
-+#include
-+#include
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+void *OPENSSL_stderr(void);
-+
-+# define AES_BLOCK_LENGTH 16
-+
-+/* AES FIPS PRNG implementation */
-+
-+typedef struct {
-+ int seeded;
-+ int keyed;
-+ int test_mode;
-+ int second;
-+ int error;
-+ unsigned long counter;
-+ AES_KEY ks;
-+ int vpos;
-+ /* Temporary storage for key if it equals seed length */
-+ unsigned char tmp_key[AES_BLOCK_LENGTH];
-+ unsigned char V[AES_BLOCK_LENGTH];
-+ unsigned char DT[AES_BLOCK_LENGTH];
-+ unsigned char last[AES_BLOCK_LENGTH];
-+} FIPS_PRNG_CTX;
-+
-+static FIPS_PRNG_CTX sctx;
-+
-+static int fips_prng_fail = 0;
-+
-+void FIPS_x931_stick(int onoff)
-+{
-+ fips_prng_fail = onoff;
-+}
-+
-+void FIPS_rng_stick(void)
-+{
-+ FIPS_x931_stick(1);
-+}
-+
-+static void fips_rand_prng_reset(FIPS_PRNG_CTX * ctx)
-+{
-+ ctx->seeded = 0;
-+ ctx->keyed = 0;
-+ ctx->test_mode = 0;
-+ ctx->counter = 0;
-+ ctx->second = 0;
-+ ctx->error = 0;
-+ ctx->vpos = 0;
-+ OPENSSL_cleanse(ctx->V, AES_BLOCK_LENGTH);
-+ OPENSSL_cleanse(&ctx->ks, sizeof(AES_KEY));
-+}
-+
-+static int fips_set_prng_key(FIPS_PRNG_CTX * ctx,
-+ const unsigned char *key, unsigned int keylen)
-+{
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_FIPS_SET_PRNG_KEY, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+ if (keylen != 16 && keylen != 24 && keylen != 32) {
-+ /* error: invalid key size */
-+ return 0;
-+ }
-+ AES_set_encrypt_key(key, keylen << 3, &ctx->ks);
-+ if (keylen == 16) {
-+ memcpy(ctx->tmp_key, key, 16);
-+ ctx->keyed = 2;
-+ } else
-+ ctx->keyed = 1;
-+ ctx->seeded = 0;
-+ ctx->second =
0;
-+ return 1;
-+}
-+
-+static int fips_set_prng_seed(FIPS_PRNG_CTX * ctx,
-+ const unsigned char *seed, unsigned int seedlen)
-+{
-+ unsigned int i;
-+ if (!ctx->keyed)
-+ return 0;
-+ /* In test mode seed is just supplied data */
-+ if (ctx->test_mode) {
-+ if (seedlen != AES_BLOCK_LENGTH)
-+ return 0;
-+ memcpy(ctx->V, seed, AES_BLOCK_LENGTH);
-+ ctx->seeded = 1;
-+ return 1;
-+ }
-+ /* Outside test mode XOR supplied data with existing seed */
-+ for (i = 0; i < seedlen; i++) {
-+ ctx->V[ctx->vpos++] ^= seed[i];
-+ if (ctx->vpos == AES_BLOCK_LENGTH) {
-+ ctx->vpos = 0;
-+ /* Special case if first seed and key length equals
-+ * block size check key and seed do not match.
-+ */
-+ if (ctx->keyed == 2) {
-+ if (!memcmp(ctx->tmp_key, ctx->V, 16)) {
-+ RANDerr(RAND_F_FIPS_SET_PRNG_SEED,
-+ RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY);
-+ return 0;
-+ }
-+ OPENSSL_cleanse(ctx->tmp_key, 16);
-+ ctx->keyed = 1;
-+ }
-+ ctx->seeded = 1;
-+ }
-+ }
-+ return 1;
-+}
-+
-+static int fips_set_test_mode(FIPS_PRNG_CTX * ctx)
-+{
-+ if (ctx->keyed) {
-+ RANDerr(RAND_F_FIPS_SET_TEST_MODE, RAND_R_PRNG_KEYED);
-+ return 0;
-+ }
-+ ctx->test_mode = 1;
-+ return 1;
-+}
-+
-+int FIPS_x931_test_mode(void)
-+{
-+ return fips_set_test_mode(&sctx);
-+}
-+
-+int FIPS_rand_test_mode(void)
-+{
-+ return fips_set_test_mode(&sctx);
-+}
-+
-+int FIPS_x931_set_dt(unsigned char *dt)
-+{
-+ if (!sctx.test_mode) {
-+ RANDerr(RAND_F_FIPS_X931_SET_DT, RAND_R_NOT_IN_TEST_MODE);
-+ return 0;
-+ }
-+ memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
-+ return 1;
-+}
-+
-+int FIPS_rand_set_dt(unsigned char *dt)
-+{
-+ if (!sctx.test_mode) {
-+ RANDerr(RAND_F_FIPS_RAND_SET_DT, RAND_R_NOT_IN_TEST_MODE);
-+ return 0;
-+ }
-+ memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
-+ return 1;
-+}
-+
-+void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr)
-+{
-+# ifdef OPENSSL_SYS_WIN32
-+ FILETIME ft;
-+# elif defined(OPENSSL_SYS_VXWORKS)
-+ struct timespec ts;
-+# else
-+ struct timeval tv;
-+# endif
-+
-+# ifndef
GETPID_IS_MEANINGLESS
-+ unsigned long pid;
-+# endif
-+
-+# ifdef OPENSSL_SYS_WIN32
-+ GetSystemTimeAsFileTime(&ft);
-+ buf[0] = (unsigned char)(ft.dwHighDateTime & 0xff);
-+ buf[1] = (unsigned char)((ft.dwHighDateTime >> 8) & 0xff);
-+ buf[2] = (unsigned char)((ft.dwHighDateTime >> 16) & 0xff);
-+ buf[3] = (unsigned char)((ft.dwHighDateTime >> 24) & 0xff);
-+ buf[4] = (unsigned char)(ft.dwLowDateTime & 0xff);
-+ buf[5] = (unsigned char)((ft.dwLowDateTime >> 8) & 0xff);
-+ buf[6] = (unsigned char)((ft.dwLowDateTime >> 16) & 0xff);
-+ buf[7] = (unsigned char)((ft.dwLowDateTime >> 24) & 0xff);
-+# elif defined(OPENSSL_SYS_VXWORKS)
-+ clock_gettime(CLOCK_REALTIME, &ts);
-+ buf[0] = (unsigned char)(ts.tv_sec & 0xff);
-+ buf[1] = (unsigned char)((ts.tv_sec >> 8) & 0xff);
-+ buf[2] = (unsigned char)((ts.tv_sec >> 16) & 0xff);
-+ buf[3] = (unsigned char)((ts.tv_sec >> 24) & 0xff);
-+ buf[4] = (unsigned char)(ts.tv_nsec & 0xff);
-+ buf[5] = (unsigned char)((ts.tv_nsec >> 8) & 0xff);
-+ buf[6] = (unsigned char)((ts.tv_nsec >> 16) & 0xff);
-+ buf[7] = (unsigned char)((ts.tv_nsec >> 24) & 0xff);
-+# else
-+ gettimeofday(&tv, NULL);
-+ buf[0] = (unsigned char)(tv.tv_sec & 0xff);
-+ buf[1] = (unsigned char)((tv.tv_sec >> 8) & 0xff);
-+ buf[2] = (unsigned char)((tv.tv_sec >> 16) & 0xff);
-+ buf[3] = (unsigned char)((tv.tv_sec >> 24) & 0xff);
-+ buf[4] = (unsigned char)(tv.tv_usec & 0xff);
-+ buf[5] = (unsigned char)((tv.tv_usec >> 8) & 0xff);
-+ buf[6] = (unsigned char)((tv.tv_usec >> 16) & 0xff);
-+ buf[7] = (unsigned char)((tv.tv_usec >> 24) & 0xff);
-+# endif
-+ buf[8] = (unsigned char)(*pctr & 0xff);
-+ buf[9] = (unsigned char)((*pctr >> 8) & 0xff);
-+ buf[10] = (unsigned char)((*pctr >> 16) & 0xff);
-+ buf[11] = (unsigned char)((*pctr >> 24) & 0xff);
-+
-+ (*pctr)++;
-+
-+# ifndef GETPID_IS_MEANINGLESS
-+ pid = (unsigned long)getpid();
-+ buf[12] = (unsigned char)(pid & 0xff);
-+ buf[13] = (unsigned char)((pid >> 8) & 0xff);
-+ buf[14] = (unsigned char)((pid >> 16) &
0xff);
-+ buf[15] = (unsigned char)((pid >> 24) & 0xff);
-+# endif
-+}
-+
-+static int fips_rand(FIPS_PRNG_CTX * ctx,
-+ unsigned char *out, unsigned int outlen)
-+{
-+ unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
-+ unsigned char tmp[AES_BLOCK_LENGTH];
-+ int i;
-+ if (ctx->error) {
-+ RANDerr(RAND_F_FIPS_RAND, RAND_R_PRNG_ERROR);
-+ return 0;
-+ }
-+ if (!ctx->keyed) {
-+ RANDerr(RAND_F_FIPS_RAND, RAND_R_NO_KEY_SET);
-+ return 0;
-+ }
-+ if (!ctx->seeded) {
-+ RANDerr(RAND_F_FIPS_RAND, RAND_R_PRNG_NOT_SEEDED);
-+ return 0;
-+ }
-+ for (;;) {
-+ if (!ctx->test_mode)
-+ FIPS_get_timevec(ctx->DT, &ctx->counter);
-+ AES_encrypt(ctx->DT, I, &ctx->ks);
-+ for (i = 0; i < AES_BLOCK_LENGTH; i++)
-+ tmp[i] = I[i] ^ ctx->V[i];
-+ AES_encrypt(tmp, R, &ctx->ks);
-+ for (i = 0; i < AES_BLOCK_LENGTH; i++)
-+ tmp[i] = R[i] ^ I[i];
-+ AES_encrypt(tmp, ctx->V, &ctx->ks);
-+ /* Continuous PRNG test */
-+ if (ctx->second) {
-+ if (fips_prng_fail)
-+ memcpy(ctx->last, R, AES_BLOCK_LENGTH);
-+ if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH)) {
-+ RANDerr(RAND_F_FIPS_RAND, RAND_R_PRNG_STUCK);
-+ ctx->error = 1;
-+ fips_set_selftest_fail();
-+ return 0;
-+ }
-+ }
-+ memcpy(ctx->last, R, AES_BLOCK_LENGTH);
-+ if (!ctx->second) {
-+ ctx->second = 1;
-+ if (!ctx->test_mode)
-+ continue;
-+ }
-+
-+ if (outlen <= AES_BLOCK_LENGTH) {
-+ memcpy(out, R, outlen);
-+ break;
-+ }
-+
-+ memcpy(out, R, AES_BLOCK_LENGTH);
-+ out += AES_BLOCK_LENGTH;
-+ outlen -= AES_BLOCK_LENGTH;
-+ }
-+ return 1;
-+}
-+
-+int FIPS_x931_set_key(const unsigned char *key, int keylen)
-+{
-+ int ret;
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ ret = fips_set_prng_key(&sctx, key, keylen);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ return ret;
-+}
-+
-+int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen)
-+{
-+ return FIPS_x931_set_key(key, keylen);
-+}
-+
-+int FIPS_x931_seed(const void *seed, int seedlen)
-+{
-+ int ret;
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ ret = fips_set_prng_seed(&sctx, seed,
seedlen);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ return ret;
-+}
-+
-+int FIPS_x931_bytes(unsigned char *out, int count)
-+{
-+ int ret;
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ ret = fips_rand(&sctx, out, count);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ return ret;
-+}
-+
-+int FIPS_x931_status(void)
-+{
-+ int ret;
-+ CRYPTO_r_lock(CRYPTO_LOCK_RAND);
-+ ret = sctx.seeded;
-+ CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
-+ return ret;
-+}
-+
-+void FIPS_x931_reset(void)
-+{
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ fips_rand_prng_reset(&sctx);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+}
-+
-+static int fips_do_rand_seed(const void *seed, int seedlen)
-+{
-+ FIPS_x931_seed(seed, seedlen);
-+ return 1;
-+}
-+
-+static int fips_do_rand_add(const void *seed, int seedlen, double add_entropy)
-+{
-+ FIPS_x931_seed(seed, seedlen);
-+ return 1;
-+}
-+
-+static const RAND_METHOD rand_x931_meth = {
-+ fips_do_rand_seed,
-+ FIPS_x931_bytes,
-+ FIPS_x931_reset,
-+ fips_do_rand_add,
-+ FIPS_x931_bytes,
-+ FIPS_x931_status
-+};
-+
-+const RAND_METHOD *FIPS_x931_method(void)
-+{
-+ return &rand_x931_meth;
-+}
-+
-+#endif
-diff --git a/crypto/fips/fips_rand.h b/crypto/fips/fips_rand.h
-new file mode 100644
-index 0000000..e78eb35
---- /dev/null
-+++ b/crypto/fips/fips_rand.h
-@@ -0,0 +1,163 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3.
All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#ifndef HEADER_FIPS_RAND_H
-+# define HEADER_FIPS_RAND_H
-+
-+# include
-+# include
-+# include
-+# include
-+
-+# ifdef OPENSSL_FIPS
-+
-+# ifdef __cplusplus
-+extern "C" {
-+# endif
-+
-+ int FIPS_x931_set_key(const unsigned char *key, int keylen);
-+ int FIPS_x931_seed(const void *buf, int num);
-+ int FIPS_x931_bytes(unsigned char *out, int outlen);
-+
-+ int FIPS_x931_test_mode(void);
-+ void FIPS_x931_reset(void);
-+ int FIPS_x931_set_dt(unsigned char *dt);
-+
-+ int FIPS_x931_status(void);
-+
-+ const RAND_METHOD *FIPS_x931_method(void);
-+
-+ typedef struct drbg_ctx_st DRBG_CTX;
-+/* DRBG external flags */
-+/* Flag for CTR mode only: use derivation function ctr_df */
-+# define DRBG_FLAG_CTR_USE_DF 0x1
-+/* PRNG is in test state */
-+# define DRBG_FLAG_TEST 0x2
-+
-+ DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags);
-+ int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags);
-+ int FIPS_drbg_instantiate(DRBG_CTX *dctx,
-+ const unsigned char *pers, size_t perslen);
-+ int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin,
-+ size_t adinlen);
-+ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
-+ int prediction_resistance,
-+ const unsigned char *adin, size_t adinlen);
-+
-+ int FIPS_drbg_uninstantiate(DRBG_CTX *dctx);
-+ void FIPS_drbg_free(DRBG_CTX *dctx);
-+
-+ int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_entropy) (DRBG_CTX *ctx,
-+ unsigned char **pout,
-+ int entropy,
-+ size_t min_len,
-+ size_t max_len),
-+ void (*cleanup_entropy) (DRBG_CTX *ctx,
-+ unsigned char *out,
-+ size_t olen),
-+ size_t entropy_blocklen,
-+ size_t (*get_nonce) (DRBG_CTX *ctx,
-+ unsigned char **pout,
-+ int entropy,
-+ size_t min_len,
-+ size_t max_len),
-+ void (*cleanup_nonce) (DRBG_CTX *ctx,
-+ unsigned char *out,
-+ size_t olen));
-+
-+ int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_adin) (DRBG_CTX *ctx,
-+ unsigned char
-+ **pout),
-+ void (*cleanup_adin) (DRBG_CTX *ctx,
-+
unsigned char *out,
-+ size_t olen),
-+ int (*rand_seed_cb) (DRBG_CTX *ctx,
-+ const void *buf,
-+ int num),
-+ int (*rand_add_cb) (DRBG_CTX *ctx,
-+ const void *buf,
-+ int num,
-+ double entropy));
-+
-+ void *FIPS_drbg_get_app_data(DRBG_CTX *ctx);
-+ void FIPS_drbg_set_app_data(DRBG_CTX *ctx, void *app_data);
-+ size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx);
-+ int FIPS_drbg_get_strength(DRBG_CTX *dctx);
-+ void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval);
-+ void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval);
-+
-+ int FIPS_drbg_health_check(DRBG_CTX *dctx);
-+
-+ DRBG_CTX *FIPS_get_default_drbg(void);
-+ const RAND_METHOD *FIPS_drbg_method(void);
-+
-+ int FIPS_rand_set_method(const RAND_METHOD *meth);
-+ const RAND_METHOD *FIPS_rand_get_method(void);
-+
-+ void FIPS_rand_set_bits(int nbits);
-+
-+ int FIPS_rand_strength(void);
-+
-+/* 1.0.0 compat functions */
-+ int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen);
-+ int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num);
-+ int FIPS_rand_bytes(unsigned char *out, FIPS_RAND_SIZE_T outlen);
-+ int FIPS_rand_test_mode(void);
-+ void FIPS_rand_reset(void);
-+ int FIPS_rand_set_dt(unsigned char *dt);
-+ int FIPS_rand_status(void);
-+ const RAND_METHOD *FIPS_rand_method(void);
-+
-+# ifdef __cplusplus
-+}
-+# endif
-+# endif
-+#endif
-diff --git a/crypto/fips/fips_rand_lcl.h b/crypto/fips/fips_rand_lcl.h
-new file mode 100644
-index 0000000..0a1d251
---- /dev/null
-+++ b/crypto/fips/fips_rand_lcl.h
-@@ -0,0 +1,213 @@
-+/* fips/rand/fips_rand_lcl.h */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1.
Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+typedef struct drbg_hash_ctx_st DRBG_HASH_CTX;
-+typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX;
-+typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX;
-+
-+/* 888 bits from 10.1 table 2 */
-+#define HASH_PRNG_MAX_SEEDLEN 111
-+
-+struct drbg_hash_ctx_st {
-+ const EVP_MD *md;
-+ EVP_MD_CTX mctx;
-+ unsigned char V[HASH_PRNG_MAX_SEEDLEN];
-+ unsigned char C[HASH_PRNG_MAX_SEEDLEN];
-+ /* Temporary value storage: should always exceed max digest length */
-+ unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN];
-+};
-+
-+struct drbg_hmac_ctx_st {
-+ const EVP_MD *md;
-+ HMAC_CTX hctx;
-+ unsigned char K[EVP_MAX_MD_SIZE];
-+ unsigned char V[EVP_MAX_MD_SIZE];
-+};
-+
-+struct drbg_ctr_ctx_st {
-+ AES_KEY ks;
-+ size_t keylen;
-+ unsigned char K[32];
-+ unsigned char V[16];
-+ /* Temp variables used by derivation function */
-+ AES_KEY df_ks;
-+ AES_KEY df_kxks;
-+ /* Temporary block storage used by ctr_df */
-+ unsigned char bltmp[16];
-+ size_t bltmp_pos;
-+ unsigned char KX[48];
-+};
-+
-+/* DRBG internal flags */
-+
-+/* Functions shouldn't call err library */
-+#define DRBG_FLAG_NOERR 0x1
-+/* Custom reseed checking */
-+#define DRBG_CUSTOM_RESEED 0x2
-+
-+/* DRBG status values */
-+/* not initialised */
-+#define DRBG_STATUS_UNINITIALISED 0
-+/* ok and ready to generate random bits */
-+#define DRBG_STATUS_READY 1
-+/* reseed required */
-+#define
DRBG_STATUS_RESEED 2
-+/* fatal error condition */
-+#define DRBG_STATUS_ERROR 3
-+
-+/* A default maximum length: larger than any reasonable value used in pratice */
-+
-+#define DRBG_MAX_LENGTH 0x7ffffff0
-+/* Maximum DRBG block length: all md sizes are bigger than cipher blocks sizes
-+ * so use max digest length.
-+ */
-+#define DRBG_MAX_BLOCK EVP_MAX_MD_SIZE
-+
-+#define DRBG_HEALTH_INTERVAL (1 << 24)
-+
-+/* DRBG context structure */
-+
-+struct drbg_ctx_st {
-+ /* First types common to all implementations */
-+ /* DRBG type: a NID for the underlying algorithm */
-+ int type;
-+ /* Various external flags */
-+ unsigned int xflags;
-+ /* Various internal use only flags */
-+ unsigned int iflags;
-+ /* Used for periodic health checks */
-+ int health_check_cnt, health_check_interval;
-+
-+ /* The following parameters are setup by mechanism drbg_init() call */
-+ int strength;
-+ size_t blocklength;
-+ size_t max_request;
-+
-+ size_t min_entropy, max_entropy;
-+ size_t min_nonce, max_nonce;
-+ size_t max_pers, max_adin;
-+ unsigned int reseed_counter;
-+ unsigned int reseed_interval;
-+ size_t seedlen;
-+ int status;
-+ /* Application data: typically used by test get_entropy */
-+ void *app_data;
-+ /* Implementation specific structures */
-+ union {
-+ DRBG_HASH_CTX hash;
-+ DRBG_HMAC_CTX hmac;
-+ DRBG_CTR_CTX ctr;
-+ } d;
-+ /* Initialiase PRNG and setup callbacks below */
-+ int (*init) (DRBG_CTX *ctx, int nid, int security, unsigned int flags);
-+ /* Intantiate PRNG */
-+ int (*instantiate) (DRBG_CTX *ctx,
-+ const unsigned char *ent, size_t entlen,
-+ const unsigned char *nonce, size_t noncelen,
-+ const unsigned char *pers, size_t perslen);
-+ /* reseed */
-+ int (*reseed) (DRBG_CTX *ctx,
-+ const unsigned char *ent, size_t entlen,
-+ const unsigned char *adin, size_t adinlen);
-+ /* generat output */
-+ int (*generate) (DRBG_CTX *ctx,
-+ unsigned char *out, size_t outlen,
-+ const unsigned char *adin, size_t adinlen);
-+ /* uninstantiate */
-+ int
(*uninstantiate) (DRBG_CTX *ctx);
-+
-+ /* Entropy source block length */
-+ size_t entropy_blocklen;
-+
-+ /* entropy gathering function */
-+ size_t (*get_entropy) (DRBG_CTX *ctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len);
-+ /* Indicates we have finished with entropy buffer */
-+ void (*cleanup_entropy) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
-+
-+ /* nonce gathering function */
-+ size_t (*get_nonce) (DRBG_CTX *ctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len);
-+ /* Indicates we have finished with nonce buffer */
-+ void (*cleanup_nonce) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
-+
-+ /* Continuous random number test temporary area */
-+ /* Last block */
-+ unsigned char lb[EVP_MAX_MD_SIZE];
-+ /* set if lb is valid */
-+ int lb_valid;
-+
-+ /* Callbacks used when called through RAND interface */
-+ /* Get any additional input for generate */
-+ size_t (*get_adin) (DRBG_CTX *ctx, unsigned char **pout);
-+ void (*cleanup_adin) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
-+ /* Callback for RAND_seed(), RAND_add() */
-+ int (*rand_seed_cb) (DRBG_CTX *ctx, const void *buf, int num);
-+ int (*rand_add_cb) (DRBG_CTX *ctx,
-+ const void *buf, int num, double entropy);
-+};
-+
-+int fips_drbg_ctr_init(DRBG_CTX *dctx);
-+int fips_drbg_hash_init(DRBG_CTX *dctx);
-+int fips_drbg_hmac_init(DRBG_CTX *dctx);
-+int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags);
-+int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out);
-+
-+const struct env_md_st *FIPS_get_digestbynid(int nid);
-+
-+const struct evp_cipher_st *FIPS_get_cipherbynid(int nid);
-+
-+#define FIPS_digestinit EVP_DigestInit
-+#define FIPS_digestupdate EVP_DigestUpdate
-+#define FIPS_digestfinal EVP_DigestFinal
-+#define M_EVP_MD_size EVP_MD_size
-diff --git a/crypto/fips/fips_rand_lib.c b/crypto/fips/fips_rand_lib.c
-new file mode 100644
-index 0000000..6f2ccc6
---- /dev/null
-+++ b/crypto/fips/fips_rand_lib.c
-@@
-0,0 +1,181 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include "e_os.h"
-+
-+/* FIPS API for PRNG use. Similar to RAND functionality but without
-+ * ENGINE and additional checking for non-FIPS rand methods.
-+ */
-+
-+static const RAND_METHOD *fips_rand_meth = NULL;
-+static int fips_approved_rand_meth = 0;
-+static int fips_rand_bits = 0;
-+
-+/* Allows application to override number of bits and uses non-FIPS methods */
-+void FIPS_rand_set_bits(int nbits)
-+{
-+ fips_rand_bits = nbits;
-+}
-+
-+int FIPS_rand_set_method(const RAND_METHOD *meth)
-+{
-+ if (!fips_rand_bits) {
-+ if (meth == FIPS_drbg_method())
-+ fips_approved_rand_meth = 1;
-+ else if (meth == FIPS_x931_method())
-+ fips_approved_rand_meth = 2;
-+ else {
-+ fips_approved_rand_meth = 0;
-+ if (FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ }
-+ }
-+ fips_rand_meth = meth;
-+ return 1;
-+}
-+
-+const RAND_METHOD *FIPS_rand_get_method(void)
-+{
-+ return fips_rand_meth;
-+}
-+
-+const RAND_METHOD *FIPS_rand_method(void)
-+{
-+ return FIPS_rand_get_method();
-+}
-+
-+void FIPS_rand_reset(void)
-+{
-+ if (fips_rand_meth && fips_rand_meth->cleanup)
-+ fips_rand_meth->cleanup();
-+}
-+
-+int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num)
-+{
-+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->seed)
-+ fips_rand_meth->seed(buf, num);
-+ return 1;
-+}
-+
-+void FIPS_rand_add(const void *buf, int num, double entropy)
-+{
-+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_RAND_ADD, FIPS_R_NON_FIPS_METHOD);
-+ return;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->add)
-+ fips_rand_meth->add(buf, num, entropy);
-+}
-+
-+int FIPS_rand_bytes(unsigned char *buf, FIPS_RAND_SIZE_T num)
-+{
-+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->bytes)
-+ return fips_rand_meth->bytes(buf, num);
-+ return 0;
-+}
-+
-+int FIPS_rand_pseudo_bytes(unsigned char *buf, int num)
-+{
-+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_RAND_PSEUDO_BYTES, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->pseudorand)
-+ return fips_rand_meth->pseudorand(buf, num);
-+ return -1;
-+}
-+
-+int FIPS_rand_status(void)
-+{
-+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->status)
-+ return fips_rand_meth->status();
-+ return 0;
-+}
-+
-+/* Return instantiated strength of PRNG. For DRBG this is an internal
-+ * parameter. For X9.31 PRNG it is 80 bits (from SP800-131). Any other
-+ * type of PRNG is not approved and returns 0 in FIPS mode and maximum
-+ * 256 outside FIPS mode.
-+ */
-+
-+int FIPS_rand_strength(void)
-+{
-+ if (fips_rand_bits)
-+ return fips_rand_bits;
-+ if (fips_approved_rand_meth == 1)
-+ return FIPS_drbg_get_strength(FIPS_get_default_drbg());
-+ else if (fips_approved_rand_meth == 2)
-+ return 80;
-+ else if (fips_approved_rand_meth == 0) {
-+ if (FIPS_module_mode())
-+ return 0;
-+ else
-+ return 256;
-+ }
-+ return 0;
-+}
-diff --git a/crypto/fips/fips_rand_selftest.c b/crypto/fips/fips_rand_selftest.c
-new file mode 100644
-index 0000000..d88fdf7
---- /dev/null
-+++ b/crypto/fips/fips_rand_selftest.c
-@@ -0,0 +1,176 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6.
Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+typedef struct {
-+ unsigned char DT[16];
-+ unsigned char V[16];
-+ unsigned char R[16];
-+} AES_PRNG_TV;
-+
-+/* The following test vectors are taken directly from the RGNVS spec */
-+
-+static unsigned char aes_128_key[16] =
-+ { 0xf3, 0xb1, 0x66, 0x6d, 0x13, 0x60, 0x72, 0x42,
-+ 0xed, 0x06, 0x1c, 0xab, 0xb8, 0xd4, 0x62, 0x02
-+};
-+
-+static AES_PRNG_TV aes_128_tv = {
-+ /* DT */
-+ {0xe6, 0xb3, 0xbe, 0x78, 0x2a, 0x23, 0xfa, 0x62,
-+ 0xd7, 0x1d, 0x4a, 0xfb, 0xb0, 0xe9, 0x22, 0xf9},
-+ /* V */
-+ {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-+ /* R */
-+ {0x59, 0x53, 0x1e, 0xd1, 0x3b, 0xb0, 0xc0, 0x55,
-+ 0x84, 0x79, 0x66, 0x85, 0xc1, 0x2f, 0x76, 0x41}
-+};
-+
-+static unsigned char aes_192_key[24] =
-+ { 0x15, 0xd8, 0x78, 0x0d, 0x62, 0xd3, 0x25, 0x6e,
-+ 0x44, 0x64, 0x10, 0x13, 0x60, 0x2b, 0xa9, 0xbc,
-+ 0x4a, 0xfb, 0xca, 0xeb, 0x4c, 0x8b, 0x99, 0x3b
-+};
-+
-+static AES_PRNG_TV aes_192_tv = {
-+ /* DT */
-+ {0x3f, 0xd8, 0xff, 0xe8, 0x80, 0x69, 0x8b, 0xc1,
-+ 0xbf, 0x99, 0x7d, 0xa4, 0x24, 0x78, 0xf3, 0x4b},
-+ /* V */
-+ {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-+ /* R */
-+ {0x17, 0x07, 0xd5, 0x28, 0x19, 0x79, 0x1e, 0xef,
-+ 0xa5, 0x0c, 0xbf, 0x25, 0xe5, 0x56, 0xb4, 0x93}
-+};
-+
-+static unsigned char aes_256_key[32] =
-+ { 0x6d, 0x14, 0x06, 0x6c, 0xb6, 0xd8, 0x21, 0x2d,
-+ 0x82, 0x8d, 0xfa, 0xf2, 0x7a, 0x03, 0xb7, 0x9f,
-+ 0x0c, 0xc7, 0x3e, 0xcd, 0x76, 0xeb, 0xee, 0xb5,
-+ 0x21, 0x05, 0x8c, 0x4f, 0x31, 0x7a, 0x80, 0xbb
-+};
-+
-+static AES_PRNG_TV aes_256_tv = {
-+ /* DT */
-+ {0xda, 0x3a, 0x41, 0xec, 0x1d, 0xa3, 0xb0, 0xd5,
-+ 0xf2, 0xa9, 0x4e, 0x34, 0x74, 0x8e, 0x9e, 0x88},
-+ /* V */
-+ {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-+ /* R */
-+ {0x35, 0xc7, 0xef,
0xa7, 0x78, 0x4d, 0x29, 0xbc,
-+ 0x82, 0x79, 0x99, 0xfb, 0xd0, 0xb3, 0x3b, 0x72}
-+};
-+
-+void FIPS_corrupt_rng()
-+{
-+ aes_192_tv.V[0]++;
-+}
-+
-+# define fips_x931_test(key, tv) \
-+ do_x931_test(key, sizeof key, &tv)
-+
-+static int do_x931_test(unsigned char *key, int keylen, AES_PRNG_TV * tv)
-+{
-+ unsigned char R[16], V[16];
-+ int rv = 1;
-+ memcpy(V, tv->V, sizeof(V));
-+ if (!FIPS_x931_set_key(key, keylen))
-+ return 0;
-+ if (!fips_post_started(FIPS_TEST_X931, keylen, NULL))
-+ return 1;
-+ if (!fips_post_corrupt(FIPS_TEST_X931, keylen, NULL))
-+ V[0]++;
-+ FIPS_x931_seed(V, 16);
-+ FIPS_x931_set_dt(tv->DT);
-+ FIPS_x931_bytes(R, 16);
-+ if (memcmp(R, tv->R, 16)) {
-+ fips_post_failed(FIPS_TEST_X931, keylen, NULL);
-+ rv = 0;
-+ } else if (!fips_post_success(FIPS_TEST_X931, keylen, NULL))
-+ return 0;
-+ return rv;
-+}
-+
-+int FIPS_selftest_x931()
-+{
-+ int rv = 1;
-+ FIPS_x931_reset();
-+ if (!FIPS_x931_test_mode()) {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_X931, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+ if (!fips_x931_test(aes_128_key, aes_128_tv))
-+ rv = 0;
-+ if (!fips_x931_test(aes_192_key, aes_192_tv))
-+ rv = 0;
-+ if (!fips_x931_test(aes_256_key, aes_256_tv))
-+ rv = 0;
-+ FIPS_x931_reset();
-+ if (!rv)
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_X931, FIPS_R_SELFTEST_FAILED);
-+ return rv;
-+}
-+
-+int FIPS_selftest_rng(void)
-+{
-+ return FIPS_selftest_x931();
-+}
-+
-+#endif
-diff --git a/crypto/fips/fips_randtest.c b/crypto/fips/fips_randtest.c
-new file mode 100644
-index 0000000..283f5bd
---- /dev/null
-+++ b/crypto/fips/fips_randtest.c
-@@ -0,0 +1,247 @@
-+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay@cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ *
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to.
The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
-+ *
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * "This product includes cryptographic software written by
-+ * Eric Young (eay@cryptsoft.com)"
-+ * The word 'cryptographic' can be left out if the rouines from the library
-+ * being used are not cryptographic related :-).
-+ * 4.
If you include any Windows specific code (or a derivative thereof) from
-+ * the apps directory (application code) you must include an acknowledgement:
-+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed. i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3.
All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ * -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "e_os.h" -+ -+#ifndef OPENSSL_FIPS -+int main(int argc, char *argv[]) -+{ -+ printf("No FIPS RAND support\n"); -+ return (0); -+} -+ -+#else -+ -+# include "fips_utl.h" -+# include -+ -+typedef struct { -+ unsigned char DT[16]; -+ unsigned char V[16]; -+ unsigned char R[16]; -+} AES_PRNG_MCT; -+ -+static const unsigned char aes_128_mct_key[16] = -+ { 0x9f, 0x5b, 0x51, 0x20, 0x0b, 0xf3, 0x34, 0xb5, -+ 0xd8, 0x2b, 0xe8, 0xc3, 0x72, 0x55, 0xc8, 0x48 -+}; -+ -+static const AES_PRNG_MCT aes_128_mct_tv = { -+ /* DT */ -+ {0x63, 0x76, 0xbb, 0xe5, 0x29, 0x02, 0xba, 0x3b, -+ 0x67, 0xc9, 0x25, 0xfa, 0x70, 0x1f, 0x11, 0xac}, -+ /* V */ -+ {0x57, 0x2c, 0x8e, 0x76, 0x87, 0x26, 0x47, 0x97, -+ 0x7e, 0x74, 0xfb, 0xdd, 0xc4, 0x95, 0x01, 0xd1}, -+ /* R */ -+ {0x48, 0xe9, 0xbd, 0x0d, 0x06, 0xee, 0x18, 0xfb, -+ 0xe4, 0x57, 0x90, 0xd5, 0xc3, 0xfc, 0x9b, 0x73} -+}; -+ -+static const unsigned char aes_192_mct_key[24] = -+ { 0xb7, 0x6c, 0x34, 0xd1, 0x09, 0x67, 0xab, 0x73, -+ 0x4d, 0x5a, 0xd5, 0x34, 0x98, 0x16, 0x0b, 0x91, -+ 0xbc, 0x35, 0x51, 0x16, 0x6b, 0xae, 0x93, 0x8a -+}; -+ -+static const AES_PRNG_MCT aes_192_mct_tv = { -+ /* DT */ -+ {0x84, 0xce, 0x22, 0x7d, 0x91, 0x5a, 0xa3, 0xc9, -+ 0x84, 0x3c, 0x0a, 0xb3, 0xa9, 0x63, 0x15, 0x52}, -+ /* V */ -+ {0xb6, 0xaf, 0xe6, 0x8f, 0x99, 0x9e, 0x90, 0x64, -+ 0xdd, 0xc7, 0x7a, 0xc1, 0xbb, 0x90, 0x3a, 0x6d}, -+ /* R */ -+ {0xfc, 0x85, 0x60, 0x9a, 0x29, 0x6f, 0xef, 0x21, -+ 0xdd, 0x86, 0x20, 0x32, 0x8a, 0x29, 0x6f, 0x47} -+}; -+ -+static const unsigned char aes_256_mct_key[32] = -+ { 0x9b, 0x05, 0xc8, 0x68, 0xff, 0x47, 0xf8, 0x3a, -+ 0xa6, 0x3a, 0xa8, 0xcb, 0x4e, 0x71, 0xb2, 0xe0, -+ 0xb8, 0x7e, 0xf1, 0x37, 0xb6, 0xb4, 0xf6, 0x6d, -+ 0x86, 0x32, 0xfc, 0x1f, 0x5e, 0x1d, 0x1e, 0x50 -+}; -+ -+static const AES_PRNG_MCT aes_256_mct_tv = { -+ /* DT */ -+ {0x31, 0x6e, 0x35, 0x9a, 0xb1, 0x44, 0xf0, 0xee, -+ 0x62, 0x6d, 0x04, 0x46, 0xe0, 
0xa3, 0x92, 0x4c}, -+ /* V */ -+ {0x4f, 0xcd, 0xc1, 0x87, 0x82, 0x1f, 0x4d, 0xa1, -+ 0x3e, 0x0e, 0x56, 0x44, 0x59, 0xe8, 0x83, 0xca}, -+ /* R */ -+ {0xc8, 0x87, 0xc2, 0x61, 0x5b, 0xd0, 0xb9, 0xe1, -+ 0xe7, 0xf3, 0x8b, 0xd7, 0x5b, 0xd5, 0xf1, 0x8d} -+}; -+ -+static void dump(const unsigned char *b, int n) -+{ -+ while (n-- > 0) { -+ printf(" %02x", *b++); -+ } -+} -+ -+static void compare(const unsigned char *result, -+ const unsigned char *expected, int n) -+{ -+ int i; -+ -+ for (i = 0; i < n; ++i) -+ if (result[i] != expected[i]) { -+ puts("Random test failed, got:"); -+ dump(result, n); -+ puts("\n expected:"); -+ dump(expected, n); -+ putchar('\n'); -+ EXIT(1); -+ } -+} -+ -+static void run_test(const unsigned char *key, int keylen, -+ const AES_PRNG_MCT * tv) -+{ -+ unsigned char buf[16], dt[16]; -+ int i, j; -+ FIPS_x931_reset(); -+ FIPS_x931_test_mode(); -+ FIPS_x931_set_key(key, keylen); -+ FIPS_x931_seed(tv->V, 16); -+ memcpy(dt, tv->DT, 16); -+ for (i = 0; i < 10000; i++) { -+ FIPS_x931_set_dt(dt); -+ FIPS_x931_bytes(buf, 16); -+ /* Increment DT */ -+ for (j = 15; j >= 0; j--) { -+ dt[j]++; -+ if (dt[j]) -+ break; -+ } -+ } -+ -+ compare(buf, tv->R, 16); -+} -+ -+int main() -+{ -+ run_test(aes_128_mct_key, 16, &aes_128_mct_tv); -+ printf("FIPS PRNG test 1 done\n"); -+ run_test(aes_192_mct_key, 24, &aes_192_mct_tv); -+ printf("FIPS PRNG test 2 done\n"); -+ run_test(aes_256_mct_key, 32, &aes_256_mct_tv); -+ printf("FIPS PRNG test 3 done\n"); -+ return 0; -+} -+ -+#endif -diff --git a/crypto/fips/fips_rsa_selftest.c b/crypto/fips/fips_rsa_selftest.c -new file mode 100644 -index 0000000..e87fbda ---- /dev/null -+++ b/crypto/fips/fips_rsa_selftest.c -@@ -0,0 +1,444 @@ -+/* ==================================================================== -+ * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. 
-+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#include -+#include -+#ifdef OPENSSL_FIPS -+# include -+#endif -+#include -+#include -+#include -+#include -+ -+#ifdef OPENSSL_FIPS -+ -+static const unsigned char n[] = -+ "\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71" -+ "\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5" -+ "\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD" -+ "\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80" -+ "\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25" -+ "\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39" -+ "\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68" -+ "\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD" "\xCB"; -+ -+static int corrupt_rsa; -+ -+static int setrsakey(RSA *key) -+{ -+ static const unsigned char e[] = "\x11"; -+ -+ static const unsigned char d[] = -+ "\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD" -+ "\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41" -+ "\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69" -+ "\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA" -+ "\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94" -+ "\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A" -+ "\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94" -+ 
"\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3" -+ "\xC1"; -+ -+ static const unsigned char p[] = -+ "\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60" -+ "\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6" -+ "\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A" -+ "\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65" -+ "\x99"; -+ -+ static const unsigned char q[] = -+ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" -+ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D" -+ "\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5" -+ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15" -+ "\x03"; -+ -+ static const unsigned char dmp1[] = -+ "\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A" -+ "\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E" -+ "\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E" -+ "\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81"; -+ -+ static const unsigned char dmq1[] = -+ "\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9" -+ "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7" -+ "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D" -+ "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D"; -+ -+ static const unsigned char iqmp[] = -+ "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23" -+ "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11" -+ "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E" -+ "\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39" -+ "\xF7"; -+ -+ key->n = BN_bin2bn(n, sizeof(n) - 1, key->n); -+ if (corrupt_rsa) -+ BN_set_bit(key->n, 1024); -+ key->e = BN_bin2bn(e, sizeof(e) - 1, key->e); -+ key->d = BN_bin2bn(d, sizeof(d) - 1, key->d); -+ key->p = BN_bin2bn(p, sizeof(p) - 1, key->p); -+ key->q = BN_bin2bn(q, sizeof(q) 
- 1, key->q); -+ key->dmp1 = BN_bin2bn(dmp1, sizeof(dmp1) - 1, key->dmp1); -+ key->dmq1 = BN_bin2bn(dmq1, sizeof(dmq1) - 1, key->dmq1); -+ key->iqmp = BN_bin2bn(iqmp, sizeof(iqmp) - 1, key->iqmp); -+ return 1; -+} -+ -+void FIPS_corrupt_rsa() -+{ -+ corrupt_rsa = 1; -+} -+ -+/* Known Answer Test (KAT) data for the above RSA private key signing -+ * kat_tbs. -+ */ -+ -+static const unsigned char kat_tbs[] = -+ "OpenSSL FIPS 140-2 Public Key RSA KAT"; -+ -+static const unsigned char kat_RSA_PSS_SHA1[] = { -+ 0x2D, 0xAF, 0x6E, 0xC2, 0x98, 0xFB, 0x8A, 0xA1, 0xB9, 0x46, 0xDA, 0x0F, -+ 0x01, 0x1E, 0x37, 0x93, 0xC2, 0x55, 0x27, 0xE4, 0x1D, 0xD2, 0x90, 0xBB, -+ 0xF4, 0xBF, 0x4A, 0x74, 0x39, 0x51, 0xBB, 0xE8, 0x0C, 0xB7, 0xF8, 0xD3, -+ 0xD1, 0xDF, 0xE7, 0xBE, 0x80, 0x05, 0xC3, 0xB5, 0xC7, 0x83, 0xD5, 0x4C, -+ 0x7F, 0x49, 0xFB, 0x3F, 0x29, 0x9B, 0xE1, 0x12, 0x51, 0x60, 0xD0, 0xA7, -+ 0x0D, 0xA9, 0x28, 0x56, 0x73, 0xD9, 0x07, 0xE3, 0x5E, 0x3F, 0x9B, 0xF5, -+ 0xB6, 0xF3, 0xF2, 0x5E, 0x74, 0xC9, 0x83, 0x81, 0x47, 0xF0, 0xC5, 0x45, -+ 0x0A, 0xE9, 0x8E, 0x38, 0xD7, 0x18, 0xC6, 0x2A, 0x0F, 0xF8, 0xB7, 0x31, -+ 0xD6, 0x55, 0xE4, 0x66, 0x78, 0x81, 0xD4, 0xE6, 0xDB, 0x9F, 0xBA, 0xE8, -+ 0x23, 0xB5, 0x7F, 0xDC, 0x08, 0xEA, 0xD5, 0x26, 0x1E, 0x20, 0x25, 0x84, -+ 0x26, 0xC6, 0x79, 0xC9, 0x9B, 0x3D, 0x7E, 0xA9 -+}; -+ -+static const unsigned char kat_RSA_PSS_SHA224[] = { -+ 0x39, 0x4A, 0x6A, 0x20, 0xBC, 0xE9, 0x33, 0xED, 0xEF, 0xC5, 0x58, 0xA7, -+ 0xFE, 0x81, 0xC4, 0x36, 0x50, 0x9A, 0x2C, 0x82, 0x98, 0x08, 0x95, 0xFA, -+ 0xB1, 0x9E, 0xD2, 0x55, 0x61, 0x87, 0x21, 0x59, 0x87, 0x7B, 0x1F, 0x57, -+ 0x30, 0x9D, 0x0D, 0x4A, 0x06, 0xEB, 0x52, 0x37, 0x55, 0x54, 0x1C, 0x89, -+ 0x83, 0x75, 0x59, 0x65, 0x64, 0x90, 0x2E, 0x16, 0xCC, 0x86, 0x05, 0xEE, -+ 0xB1, 0xE6, 0x7B, 0xBA, 0x16, 0x75, 0x0D, 0x0C, 0x64, 0x0B, 0xAB, 0x22, -+ 0x15, 0x78, 0x6B, 0x6F, 0xA4, 0xFB, 0x77, 0x40, 0x64, 0x62, 0xD1, 0xB5, -+ 0x37, 0x1E, 0xE0, 0x3D, 0xA8, 0xF9, 0xD2, 0xBD, 0xAA, 0x38, 0x24, 0x49, -+ 0x58, 0xD2, 0x74, 0x85, 
0xF4, 0xB5, 0x93, 0x8E, 0xF5, 0x03, 0xEA, 0x2D, -+ 0xC8, 0x52, 0xFA, 0xCF, 0x7E, 0x35, 0xB0, 0x6A, 0xAF, 0x95, 0xC0, 0x00, -+ 0x54, 0x76, 0x3D, 0x0C, 0x9C, 0xB2, 0xEE, 0xC0 -+}; -+ -+static const unsigned char kat_RSA_PSS_SHA256[] = { -+ 0x6D, 0x3D, 0xBE, 0x8F, 0x60, 0x6D, 0x25, 0x14, 0xF0, 0x31, 0xE3, 0x89, -+ 0x00, 0x97, 0xFA, 0x99, 0x71, 0x28, 0xE5, 0x10, 0x25, 0x9A, 0xF3, 0x8F, -+ 0x7B, 0xC5, 0xA8, 0x4A, 0x74, 0x51, 0x36, 0xE2, 0x8D, 0x7D, 0x73, 0x28, -+ 0xC1, 0x77, 0xC6, 0x27, 0x97, 0x00, 0x8B, 0x00, 0xA3, 0x96, 0x73, 0x4E, -+ 0x7D, 0x2E, 0x2C, 0x34, 0x68, 0x8C, 0x8E, 0xDF, 0x9D, 0x49, 0x47, 0x05, -+ 0xAB, 0xF5, 0x01, 0xD6, 0x81, 0x47, 0x70, 0xF5, 0x1D, 0x6D, 0x26, 0xBA, -+ 0x2F, 0x7A, 0x54, 0x53, 0x4E, 0xED, 0x71, 0xD9, 0x5A, 0xF3, 0xDA, 0xB6, -+ 0x0B, 0x47, 0x34, 0xAF, 0x90, 0xDC, 0xC8, 0xD9, 0x6F, 0x56, 0xCD, 0x9F, -+ 0x21, 0xB7, 0x7E, 0xAD, 0x7C, 0x2F, 0x75, 0x50, 0x47, 0x12, 0xE4, 0x6D, -+ 0x5F, 0xB7, 0x01, 0xDF, 0xC3, 0x11, 0x6C, 0xA9, 0x9E, 0x49, 0xB9, 0xF6, -+ 0x72, 0xF4, 0xF6, 0xEF, 0x88, 0x1E, 0x2D, 0x1C -+}; -+ -+static const unsigned char kat_RSA_PSS_SHA384[] = { -+ 0x40, 0xFB, 0xA1, 0x21, 0xF4, 0xB2, 0x40, 0x9A, 0xB4, 0x31, 0xA8, 0xF2, -+ 0xEC, 0x1C, 0xC4, 0xC8, 0x7C, 0x22, 0x65, 0x9C, 0x57, 0x45, 0xCD, 0x5E, -+ 0x86, 0x00, 0xF7, 0x25, 0x78, 0xDE, 0xDC, 0x7A, 0x71, 0x44, 0x9A, 0xCD, -+ 0xAA, 0x25, 0xF4, 0xB2, 0xFC, 0xF0, 0x75, 0xD9, 0x2F, 0x78, 0x23, 0x7F, -+ 0x6F, 0x02, 0xEF, 0xC1, 0xAF, 0xA6, 0x28, 0x16, 0x31, 0xDC, 0x42, 0x6C, -+ 0xB2, 0x44, 0xE5, 0x4D, 0x66, 0xA2, 0xE6, 0x71, 0xF3, 0xAC, 0x4F, 0xFB, -+ 0x91, 0xCA, 0xF5, 0x70, 0xEF, 0x6B, 0x9D, 0xA4, 0xEF, 0xD9, 0x3D, 0x2F, -+ 0x3A, 0xBE, 0x89, 0x38, 0x59, 0x01, 0xBA, 0xDA, 0x32, 0xAD, 0x42, 0x89, -+ 0x98, 0x8B, 0x39, 0x44, 0xF0, 0xFC, 0x38, 0xAC, 0x87, 0x1F, 0xCA, 0x6F, -+ 0x48, 0xF6, 0xAE, 0xD7, 0x45, 0xEE, 0xAE, 0x88, 0x0E, 0x60, 0xF4, 0x55, -+ 0x48, 0x44, 0xEE, 0x1F, 0x90, 0x18, 0x4B, 0xF1 -+}; -+ -+static const unsigned char kat_RSA_PSS_SHA512[] = { -+ 0x07, 0x1E, 0xD8, 0xD5, 0x05, 0xE8, 
0xE6, 0xE6, 0x57, 0xAE, 0x63, 0x8C, -+ 0xC6, 0x83, 0xB7, 0xA0, 0x59, 0xBB, 0xF2, 0xC6, 0x8F, 0x12, 0x53, 0x9A, -+ 0x9B, 0x54, 0x9E, 0xB3, 0xC1, 0x1D, 0x23, 0x4D, 0x51, 0xED, 0x9E, 0xDD, -+ 0x4B, 0xF3, 0x46, 0x9B, 0x6B, 0xF6, 0x7C, 0x24, 0x60, 0x79, 0x23, 0x39, -+ 0x01, 0x1C, 0x51, 0xCB, 0xD8, 0xE9, 0x9A, 0x01, 0x67, 0x5F, 0xFE, 0xD7, -+ 0x7C, 0xE3, 0x7F, 0xED, 0xDB, 0x87, 0xBB, 0xF0, 0x3D, 0x78, 0x55, 0x61, -+ 0x57, 0xE3, 0x0F, 0xE3, 0xD2, 0x9D, 0x0C, 0x2A, 0x20, 0xB0, 0x85, 0x13, -+ 0xC5, 0x47, 0x34, 0x0D, 0x32, 0x15, 0xC8, 0xAE, 0x9A, 0x6A, 0x39, 0x63, -+ 0x2D, 0x60, 0xF5, 0x4C, 0xDF, 0x8A, 0x48, 0x4B, 0xBF, 0xF4, 0xA8, 0xFE, -+ 0x76, 0xF2, 0x32, 0x1B, 0x9C, 0x7C, 0xCA, 0xFE, 0x7F, 0x80, 0xC2, 0x88, -+ 0x5C, 0x97, 0x70, 0xB4, 0x26, 0xC9, 0x14, 0x8B -+}; -+ -+static const unsigned char kat_RSA_SHA1[] = { -+ 0x71, 0xEE, 0x1A, 0xC0, 0xFE, 0x01, 0x93, 0x54, 0x79, 0x5C, 0xF2, 0x4C, -+ 0x4A, 0xFD, 0x1A, 0x05, 0x8F, 0x64, 0xB1, 0x6D, 0x61, 0x33, 0x8D, 0x9B, -+ 0xE7, 0xFD, 0x60, 0xA3, 0x83, 0xB5, 0xA3, 0x51, 0x55, 0x77, 0x90, 0xCF, -+ 0xDC, 0x22, 0x37, 0x8E, 0xD0, 0xE1, 0xAE, 0x09, 0xE3, 0x3D, 0x1E, 0xF8, -+ 0x80, 0xD1, 0x8B, 0xC2, 0xEC, 0x0A, 0xD7, 0x6B, 0x88, 0x8B, 0x8B, 0xA1, -+ 0x20, 0x22, 0xBE, 0x59, 0x5B, 0xE0, 0x23, 0x24, 0xA1, 0x49, 0x30, 0xBA, -+ 0xA9, 0x9E, 0xE8, 0xB1, 0x8A, 0x62, 0x16, 0xBF, 0x4E, 0xCA, 0x2E, 0x4E, -+ 0xBC, 0x29, 0xA8, 0x67, 0x13, 0xB7, 0x9F, 0x1D, 0x04, 0x44, 0xE5, 0x5F, -+ 0x35, 0x07, 0x11, 0xBC, 0xED, 0x19, 0x37, 0x21, 0xCF, 0x23, 0x48, 0x1F, -+ 0x72, 0x05, 0xDE, 0xE6, 0xE8, 0x7F, 0x33, 0x8A, 0x76, 0x4B, 0x2F, 0x95, -+ 0xDF, 0xF1, 0x5F, 0x84, 0x80, 0xD9, 0x46, 0xB4 -+}; -+ -+static const unsigned char kat_RSA_SHA224[] = { -+ 0x62, 0xAA, 0x79, 0xA9, 0x18, 0x0E, 0x5F, 0x8C, 0xBB, 0xB7, 0x15, 0xF9, -+ 0x25, 0xBB, 0xFA, 0xD4, 0x3A, 0x34, 0xED, 0x9E, 0xA0, 0xA9, 0x18, 0x8D, -+ 0x5B, 0x55, 0x9A, 0x7E, 0x1E, 0x08, 0x08, 0x60, 0xC5, 0x1A, 0xC5, 0x89, -+ 0x08, 0xE2, 0x1B, 0xBD, 0x62, 0x50, 0x17, 0x76, 0x30, 0x2C, 0x9E, 0xCD, -+ 0xA4, 0x02, 0xAD, 
0xB1, 0x6D, 0x44, 0x6D, 0xD5, 0xC6, 0x45, 0x41, 0xE5, -+ 0xEE, 0x1F, 0x8D, 0x7E, 0x08, 0x16, 0xA6, 0xE1, 0x5E, 0x0B, 0xA9, 0xCC, -+ 0xDB, 0x59, 0x55, 0x87, 0x09, 0x25, 0x70, 0x86, 0x84, 0x02, 0xC6, 0x3B, -+ 0x0B, 0x44, 0x4C, 0x46, 0x95, 0xF4, 0xF8, 0x5A, 0x91, 0x28, 0x3E, 0xB2, -+ 0x58, 0x2E, 0x06, 0x45, 0x49, 0xE0, 0x92, 0xE2, 0xC0, 0x66, 0xE6, 0x35, -+ 0xD9, 0x79, 0x7F, 0x17, 0x5E, 0x02, 0x73, 0x04, 0x77, 0x82, 0xE6, 0xDC, -+ 0x40, 0x21, 0x89, 0x8B, 0x37, 0x3E, 0x1E, 0x8D -+}; -+ -+static const unsigned char kat_RSA_SHA256[] = { -+ 0x0D, 0x55, 0xE2, 0xAA, 0x81, 0xDB, 0x8E, 0x82, 0x05, 0x17, 0xA5, 0x23, -+ 0xE7, 0x3B, 0x1D, 0xAF, 0xFB, 0x8C, 0xD0, 0x81, 0x20, 0x7B, 0xAA, 0x23, -+ 0x92, 0x87, 0x8C, 0xD1, 0x53, 0x85, 0x16, 0xDC, 0xBE, 0xAD, 0x6F, 0x35, -+ 0x98, 0x2D, 0x69, 0x84, 0xBF, 0xD9, 0x8A, 0x01, 0x17, 0x58, 0xB2, 0x6E, -+ 0x2C, 0x44, 0x9B, 0x90, 0xF1, 0xFB, 0x51, 0xE8, 0x6A, 0x90, 0x2D, 0x18, -+ 0x0E, 0xC0, 0x90, 0x10, 0x24, 0xA9, 0x1D, 0xB3, 0x58, 0x7A, 0x91, 0x30, -+ 0xBE, 0x22, 0xC7, 0xD3, 0xEC, 0xC3, 0x09, 0x5D, 0xBF, 0xE2, 0x80, 0x3A, -+ 0x7C, 0x85, 0xB4, 0xBC, 0xD1, 0xE9, 0xF0, 0x5C, 0xDE, 0x81, 0xA6, 0x38, -+ 0xB8, 0x42, 0xBB, 0x86, 0xC5, 0x9D, 0xCE, 0x7C, 0x2C, 0xEE, 0xD1, 0xDA, -+ 0x27, 0x48, 0x2B, 0xF5, 0xAB, 0xB9, 0xF7, 0x80, 0xD1, 0x90, 0x27, 0x90, -+ 0xBD, 0x44, 0x97, 0x60, 0xCD, 0x57, 0xC0, 0x7A -+}; -+ -+static const unsigned char kat_RSA_SHA384[] = { -+ 0x1D, 0xE3, 0x6A, 0xDD, 0x27, 0x4C, 0xC0, 0xA5, 0x27, 0xEF, 0xE6, 0x1F, -+ 0xD2, 0x91, 0x68, 0x59, 0x04, 0xAE, 0xBD, 0x99, 0x63, 0x56, 0x47, 0xC7, -+ 0x6F, 0x22, 0x16, 0x48, 0xD0, 0xF9, 0x18, 0xA9, 0xCA, 0xFA, 0x5D, 0x5C, -+ 0xA7, 0x65, 0x52, 0x8A, 0xC8, 0x44, 0x7E, 0x86, 0x5D, 0xA9, 0xA6, 0x55, -+ 0x65, 0x3E, 0xD9, 0x2D, 0x02, 0x38, 0xA8, 0x79, 0x28, 0x7F, 0xB6, 0xCF, -+ 0x82, 0xDD, 0x7E, 0x55, 0xE1, 0xB1, 0xBC, 0xE2, 0x19, 0x2B, 0x30, 0xC2, -+ 0x1B, 0x2B, 0xB0, 0x82, 0x46, 0xAC, 0x4B, 0xD1, 0xE2, 0x7D, 0xEB, 0x8C, -+ 0xFF, 0x95, 0xE9, 0x6A, 0x1C, 0x3D, 0x4D, 0xBF, 0x8F, 0x8B, 0x9C, 0xCD, -+ 
0xEA, 0x85, 0xEE, 0x00, 0xDC, 0x1C, 0xA7, 0xEB, 0xD0, 0x8F, 0x99, 0xF1, -+ 0x16, 0x28, 0x24, 0x64, 0x04, 0x39, 0x2D, 0x58, 0x1E, 0x37, 0xDC, 0x04, -+ 0xBD, 0x31, 0xA2, 0x2F, 0xB3, 0x35, 0x56, 0xBF -+}; -+ -+static const unsigned char kat_RSA_SHA512[] = { -+ 0x69, 0x52, 0x1B, 0x51, 0x5E, 0x06, 0xCA, 0x9B, 0x16, 0x51, 0x5D, 0xCF, -+ 0x49, 0x25, 0x4A, 0xA1, 0x6A, 0x77, 0x4C, 0x36, 0x40, 0xF8, 0xB2, 0x9A, -+ 0x15, 0xEA, 0x5C, 0xE5, 0xE6, 0x82, 0xE0, 0x86, 0x82, 0x6B, 0x32, 0xF1, -+ 0x04, 0xC1, 0x5A, 0x1A, 0xED, 0x1E, 0x9A, 0xB6, 0x4C, 0x54, 0x9F, 0xD8, -+ 0x8D, 0xCC, 0xAC, 0x8A, 0xBB, 0x9C, 0x82, 0x3F, 0xA6, 0x53, 0x62, 0xB5, -+ 0x80, 0xE2, 0xBC, 0xDD, 0x67, 0x2B, 0xD9, 0x3F, 0xE4, 0x75, 0x92, 0x6B, -+ 0xAF, 0x62, 0x7C, 0x52, 0xF0, 0xEE, 0x33, 0xDF, 0x1B, 0x1D, 0x47, 0xE6, -+ 0x59, 0x56, 0xA5, 0xB9, 0x5C, 0xE6, 0x77, 0x78, 0x16, 0x63, 0x84, 0x05, -+ 0x6F, 0x0E, 0x2B, 0x31, 0x9D, 0xF7, 0x7F, 0xB2, 0x64, 0x71, 0xE0, 0x2D, -+ 0x3E, 0x62, 0xCE, 0xB5, 0x3F, 0x88, 0xDF, 0x2D, 0xAB, 0x98, 0x65, 0x91, -+ 0xDF, 0x70, 0x14, 0xA5, 0x3F, 0x36, 0xAB, 0x84 -+}; -+ -+static const unsigned char kat_RSA_X931_SHA1[] = { -+ 0x86, 0xB4, 0x18, 0xBA, 0xD1, 0x80, 0xB6, 0x7C, 0x42, 0x45, 0x4D, 0xDF, -+ 0xE9, 0x2D, 0xE1, 0x83, 0x5F, 0xB5, 0x2F, 0xC9, 0xCD, 0xC4, 0xB2, 0x75, -+ 0x80, 0xA4, 0xF1, 0x4A, 0xE7, 0x83, 0x12, 0x1E, 0x1E, 0x14, 0xB8, 0xAC, -+ 0x35, 0xE2, 0xAA, 0x0B, 0x5C, 0xF8, 0x38, 0x4D, 0x04, 0xEE, 0xA9, 0x97, -+ 0x70, 0xFB, 0x5E, 0xE7, 0xB7, 0xE3, 0x62, 0x23, 0x4B, 0x38, 0xBE, 0xD6, -+ 0x53, 0x15, 0xF7, 0xDF, 0x87, 0xB4, 0x0E, 0xCC, 0xB1, 0x1A, 0x11, 0x19, -+ 0xEE, 0x51, 0xCC, 0x92, 0xDD, 0xBC, 0x63, 0x29, 0x63, 0x0C, 0x59, 0xD7, -+ 0x6F, 0x4C, 0x3C, 0x37, 0x5B, 0x37, 0x03, 0x61, 0x7D, 0x24, 0x1C, 0x99, -+ 0x48, 0xAF, 0x82, 0xFE, 0x32, 0x41, 0x9B, 0xB2, 0xDB, 0xEA, 0xED, 0x76, -+ 0x8E, 0x6E, 0xCA, 0x7E, 0x4E, 0x14, 0xBA, 0x30, 0x84, 0x1C, 0xB3, 0x67, -+ 0xA3, 0x29, 0x80, 0x70, 0x54, 0x68, 0x7D, 0x49 -+}; -+ -+static const unsigned char kat_RSA_X931_SHA256[] = { -+ 0x7E, 0xA2, 0x77, 
0xFE, 0xB8, 0x54, 0x8A, 0xC7, 0x7F, 0x64, 0x54, 0x89, -+ 0xE5, 0x52, 0x15, 0x8E, 0x52, 0x96, 0x4E, 0xA6, 0x58, 0x92, 0x1C, 0xDD, -+ 0xEA, 0xA2, 0x2D, 0x5C, 0xD1, 0x62, 0x00, 0x49, 0x05, 0x95, 0x73, 0xCF, -+ 0x16, 0x76, 0x68, 0xF6, 0xC6, 0x5E, 0x80, 0xB8, 0xB8, 0x7B, 0xC8, 0x9B, -+ 0xC6, 0x53, 0x88, 0x26, 0x20, 0x88, 0x73, 0xB6, 0x13, 0xB8, 0xF0, 0x4B, -+ 0x00, 0x85, 0xF3, 0xDD, 0x07, 0x50, 0xEB, 0x20, 0xC4, 0x38, 0x0E, 0x98, -+ 0xAD, 0x4E, 0x49, 0x2C, 0xD7, 0x65, 0xA5, 0x19, 0x0E, 0x59, 0x01, 0xEC, -+ 0x7E, 0x75, 0x89, 0x69, 0x2E, 0x63, 0x76, 0x85, 0x46, 0x8D, 0xA0, 0x8C, -+ 0x33, 0x1D, 0x82, 0x8C, 0x03, 0xEA, 0x69, 0x88, 0x35, 0xA1, 0x42, 0xBD, -+ 0x21, 0xED, 0x8D, 0xBC, 0xBC, 0xDB, 0x30, 0xFF, 0x86, 0xF0, 0x5B, 0xDC, -+ 0xE3, 0xE2, 0xE8, 0x0A, 0x0A, 0x29, 0x94, 0x80 -+}; -+ -+static const unsigned char kat_RSA_X931_SHA384[] = { -+ 0x5C, 0x7D, 0x96, 0x35, 0xEC, 0x7E, 0x11, 0x38, 0xBB, 0x7B, 0xEC, 0x7B, -+ 0xF2, 0x82, 0x8E, 0x99, 0xBD, 0xEF, 0xD8, 0xAE, 0xD7, 0x39, 0x37, 0xCB, -+ 0xE6, 0x4F, 0x5E, 0x0A, 0x13, 0xE4, 0x2E, 0x40, 0xB9, 0xBE, 0x2E, 0xE3, -+ 0xEF, 0x78, 0x83, 0x18, 0x44, 0x35, 0x9C, 0x8E, 0xD7, 0x4A, 0x63, 0xF6, -+ 0x57, 0xC2, 0xB0, 0x08, 0x51, 0x73, 0xCF, 0xCA, 0x99, 0x66, 0xEE, 0x31, -+ 0xD8, 0x69, 0xE9, 0xAB, 0x13, 0x27, 0x7B, 0x41, 0x1E, 0x6D, 0x8D, 0xF1, -+ 0x3E, 0x9C, 0x35, 0x95, 0x58, 0xDD, 0x2B, 0xD5, 0xA0, 0x60, 0x41, 0x79, -+ 0x24, 0x22, 0xE4, 0xB7, 0xBF, 0x47, 0x53, 0xF6, 0x34, 0xD5, 0x7C, 0xFF, -+ 0x0E, 0x09, 0xEE, 0x2E, 0xE2, 0x37, 0xB9, 0xDE, 0xC5, 0x12, 0x44, 0x35, -+ 0xEF, 0x01, 0xE6, 0x5E, 0x39, 0x31, 0x2D, 0x71, 0xA5, 0xDC, 0xC6, 0x6D, -+ 0xE2, 0xCD, 0x85, 0xDB, 0x73, 0x82, 0x65, 0x28 -+}; -+ -+static const unsigned char kat_RSA_X931_SHA512[] = { -+ 0xA6, 0x65, 0xA2, 0x77, 0x4F, 0xB3, 0x86, 0xCB, 0x64, 0x3A, 0xC1, 0x63, -+ 0xFC, 0xA1, 0xAA, 0xCB, 0x9B, 0x79, 0xDD, 0x4B, 0xE1, 0xD9, 0xDA, 0xAC, -+ 0xE7, 0x47, 0x09, 0xB2, 0x11, 0x4B, 0x8A, 0xAA, 0x05, 0x9E, 0x77, 0xD7, -+ 0x3A, 0xBD, 0x5E, 0x53, 0x09, 0x4A, 0xE6, 0x0F, 0x5E, 0xF9, 0x14, 
0x28, -+ 0xA0, 0x99, 0x74, 0x64, 0x70, 0x4E, 0xF2, 0xE3, 0xFA, 0xC7, 0xF8, 0xC5, -+ 0x6E, 0x2B, 0x79, 0x96, 0x0D, 0x0C, 0xC8, 0x10, 0x34, 0x53, 0xD2, 0xAF, -+ 0x17, 0x0E, 0xE0, 0xBF, 0x79, 0xF6, 0x04, 0x72, 0x10, 0xE0, 0xF6, 0xD0, -+ 0xCE, 0x8A, 0x6F, 0xA1, 0x95, 0x89, 0xBF, 0x58, 0x8F, 0x46, 0x5F, 0x09, -+ 0x9F, 0x09, 0xCA, 0x84, 0x15, 0x85, 0xE0, 0xED, 0x04, 0x2D, 0xFB, 0x7C, -+ 0x36, 0x35, 0x21, 0x31, 0xC3, 0xFD, 0x92, 0x42, 0x11, 0x30, 0x71, 0x1B, -+ 0x60, 0x83, 0x18, 0x88, 0xA3, 0xF5, 0x59, 0xC3 -+}; -+ -+int FIPS_selftest_rsa() -+{ -+ int ret = 0; -+ RSA *key; -+ EVP_PKEY *pk = NULL; -+ -+ if ((key = RSA_new()) == NULL) -+ goto err; -+ setrsakey(key); -+ if ((pk = EVP_PKEY_new()) == NULL) -+ goto err; -+ -+ EVP_PKEY_assign_RSA(pk, key); -+ -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_SHA1, sizeof(kat_RSA_SHA1), -+ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1, -+ "RSA SHA1 PKCS#1")) -+ goto err; -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_SHA224, sizeof(kat_RSA_SHA224), -+ EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PKCS1, -+ "RSA SHA224 PKCS#1")) -+ goto err; -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_SHA256, sizeof(kat_RSA_SHA256), -+ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1, -+ "RSA SHA256 PKCS#1")) -+ goto err; -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_SHA384, sizeof(kat_RSA_SHA384), -+ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PKCS1, -+ "RSA SHA384 PKCS#1")) -+ goto err; -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_SHA512, sizeof(kat_RSA_SHA512), -+ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PKCS1, -+ "RSA SHA512 PKCS#1")) -+ goto err; -+ -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_PSS_SHA1, sizeof(kat_RSA_PSS_SHA1), -+ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS, -+ "RSA SHA1 PSS")) -+ goto err; -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_PSS_SHA224, -+ 
sizeof(kat_RSA_PSS_SHA224), EVP_sha224(), -+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA224 PSS")) -+ goto err; -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_PSS_SHA256, -+ sizeof(kat_RSA_PSS_SHA256), EVP_sha256(), -+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA256 PSS")) -+ goto err; -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_PSS_SHA384, -+ sizeof(kat_RSA_PSS_SHA384), EVP_sha384(), -+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA384 PSS")) -+ goto err; -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_PSS_SHA512, -+ sizeof(kat_RSA_PSS_SHA512), EVP_sha512(), -+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA512 PSS")) -+ goto err; -+ -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_X931_SHA1, -+ sizeof(kat_RSA_X931_SHA1), EVP_sha1(), -+ EVP_MD_CTX_FLAG_PAD_X931, "RSA SHA1 X931")) -+ goto err; -+ /* NB: SHA224 not supported in X9.31 */ -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_X931_SHA256, -+ sizeof(kat_RSA_X931_SHA256), EVP_sha256(), -+ EVP_MD_CTX_FLAG_PAD_X931, -+ "RSA SHA256 X931")) -+ goto err; -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_X931_SHA384, -+ sizeof(kat_RSA_X931_SHA384), EVP_sha384(), -+ EVP_MD_CTX_FLAG_PAD_X931, -+ "RSA SHA384 X931")) -+ goto err; -+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, -+ kat_RSA_X931_SHA512, -+ sizeof(kat_RSA_X931_SHA512), EVP_sha512(), -+ EVP_MD_CTX_FLAG_PAD_X931, -+ "RSA SHA512 X931")) -+ goto err; -+ -+ ret = 1; -+ -+ err: -+ if (pk) -+ EVP_PKEY_free(pk); -+ else if (key) -+ RSA_free(key); -+ return ret; -+} -+ -+#endif /* def OPENSSL_FIPS */ -diff --git a/crypto/fips/fips_rsa_x931g.c b/crypto/fips/fips_rsa_x931g.c -new file mode 100644 -index 0000000..c70e272 ---- /dev/null -+++ b/crypto/fips/fips_rsa_x931g.c -@@ -0,0 +1,273 @@ -+/* crypto/rsa/rsa_gen.c */ -+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) -+ * All rights reserved. 
-+ * -+ * This package is an SSL implementation written -+ * by Eric Young (eay@cryptsoft.com). -+ * The implementation was written so as to conform with Netscapes SSL. -+ * -+ * This library is free for commercial and non-commercial use as long as -+ * the following conditions are aheared to. The following conditions -+ * apply to all code found in this distribution, be it the RC4, RSA, -+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation -+ * included with this distribution is covered by the same copyright terms -+ * except that the holder is Tim Hudson (tjh@cryptsoft.com). -+ * -+ * Copyright remains Eric Young's, and as such any Copyright notices in -+ * the code are not to be removed. -+ * If this package is used in a product, Eric Young should be given attribution -+ * as the author of the parts of the library used. -+ * This can be in the form of a textual message at program startup or -+ * in documentation (online or textual) provided with the package. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. All advertising materials mentioning features or use of this software -+ * must display the following acknowledgement: -+ * "This product includes cryptographic software written by -+ * Eric Young (eay@cryptsoft.com)" -+ * The word 'cryptographic' can be left out if the rouines from the library -+ * being used are not cryptographic related :-). -+ * 4. 
If you include any Windows specific code (or a derivative thereof) from -+ * the apps directory (application code) you must include an acknowledgement: -+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND -+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -+ * SUCH DAMAGE. -+ * -+ * The licence and distribution terms for any publically available version or -+ * derivative of this code cannot be changed. i.e. this code cannot simply be -+ * copied and put under another distribution licence -+ * [including the GNU Public Licence.] 
-+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#ifdef OPENSSL_FIPS -+# include -+ -+extern int fips_check_rsa(RSA *rsa); -+#endif -+ -+/* X9.31 RSA key derivation and generation */ -+ -+int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, -+ BIGNUM *q2, const BIGNUM *Xp1, const BIGNUM *Xp2, -+ const BIGNUM *Xp, const BIGNUM *Xq1, const BIGNUM *Xq2, -+ const BIGNUM *Xq, const BIGNUM *e, BN_GENCB *cb) -+{ -+ BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL; -+ BN_CTX *ctx = NULL, *ctx2 = NULL; -+ -+ if (!rsa) -+ goto err; -+ -+ ctx = BN_CTX_new(); -+ if (!ctx) -+ goto err; -+ BN_CTX_start(ctx); -+ -+ r0 = BN_CTX_get(ctx); -+ r1 = BN_CTX_get(ctx); -+ r2 = BN_CTX_get(ctx); -+ r3 = BN_CTX_get(ctx); -+ -+ if (r3 == NULL) -+ goto err; -+ if (!rsa->e) { -+ rsa->e = BN_dup(e); -+ if (!rsa->e) -+ goto err; -+ } else -+ e = rsa->e; -+ -+ /* If not all parameters present only calculate what we can. -+ * This allows test programs to output selective parameters. -+ */ -+ -+ if (Xp && !rsa->p) { -+ rsa->p = BN_new(); -+ if (!rsa->p) -+ goto err; -+ -+ if (!BN_X931_derive_prime_ex(rsa->p, p1, p2, -+ Xp, Xp1, Xp2, e, ctx, cb)) -+ goto err; -+ } -+ -+ if (Xq && !rsa->q) { -+ rsa->q = BN_new(); -+ if (!rsa->q) -+ goto err; -+ if (!BN_X931_derive_prime_ex(rsa->q, q1, q2, -+ Xq, Xq1, Xq2, e, ctx, cb)) -+ goto err; -+ } -+ -+ if (!rsa->p || !rsa->q) { -+ BN_CTX_end(ctx); -+ BN_CTX_free(ctx); -+ return 2; -+ } -+ -+ /* Since both primes are set we can now calculate all remaining -+ * components. 
-+ */ -+ -+ /* calculate n */ -+ rsa->n = BN_new(); -+ if (rsa->n == NULL) -+ goto err; -+ if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx)) -+ goto err; -+ -+ /* calculate d */ -+ if (!BN_sub(r1, rsa->p, BN_value_one())) -+ goto err; /* p-1 */ -+ if (!BN_sub(r2, rsa->q, BN_value_one())) -+ goto err; /* q-1 */ -+ if (!BN_mul(r0, r1, r2, ctx)) -+ goto err; /* (p-1)(q-1) */ -+ -+ if (!BN_gcd(r3, r1, r2, ctx)) -+ goto err; -+ -+ if (!BN_div(r0, NULL, r0, r3, ctx)) -+ goto err; /* LCM((p-1)(q-1)) */ -+ -+ ctx2 = BN_CTX_new(); -+ if (!ctx2) -+ goto err; -+ -+ rsa->d = BN_mod_inverse(NULL, rsa->e, r0, ctx2); /* d */ -+ if (rsa->d == NULL) -+ goto err; -+ -+ /* calculate d mod (p-1) */ -+ rsa->dmp1 = BN_new(); -+ if (rsa->dmp1 == NULL) -+ goto err; -+ if (!BN_mod(rsa->dmp1, rsa->d, r1, ctx)) -+ goto err; -+ -+ /* calculate d mod (q-1) */ -+ rsa->dmq1 = BN_new(); -+ if (rsa->dmq1 == NULL) -+ goto err; -+ if (!BN_mod(rsa->dmq1, rsa->d, r2, ctx)) -+ goto err; -+ -+ /* calculate inverse of q mod p */ -+ rsa->iqmp = BN_mod_inverse(NULL, rsa->q, rsa->p, ctx2); -+ -+ err: -+ if (ctx) { -+ BN_CTX_end(ctx); -+ BN_CTX_free(ctx); -+ } -+ if (ctx2) -+ BN_CTX_free(ctx2); -+ /* If this is set all calls successful */ -+ if (rsa && rsa->iqmp != NULL) -+ return 1; -+ -+ return 0; -+ -+} -+ -+int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, -+ BN_GENCB *cb) -+{ -+ int ok = 0; -+ BIGNUM *Xp = NULL, *Xq = NULL; -+ BN_CTX *ctx = NULL; -+ -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) && -+ (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { -+ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX, FIPS_R_KEY_TOO_SHORT); -+ return 0; -+ } -+ -+ if (bits & 0xff) { -+ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX, FIPS_R_INVALID_KEY_LENGTH); -+ return 0; -+ } -+ -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX, FIPS_R_FIPS_SELFTEST_FAILED); -+ return 0; -+ } -+#endif -+ -+ ctx = BN_CTX_new(); -+ if (!ctx) -+ goto error; -+ -+ BN_CTX_start(ctx); -+ 
Xp = BN_CTX_get(ctx);
-+ Xq = BN_CTX_get(ctx);
-+ if (!BN_X931_generate_Xpq(Xp, Xq, bits, ctx))
-+ goto error;
-+
-+ rsa->p = BN_new();
-+ rsa->q = BN_new();
-+ if (!rsa->p || !rsa->q)
-+ goto error;
-+
-+ /* Generate two primes from Xp, Xq */
-+
-+ if (!BN_X931_generate_prime_ex(rsa->p, NULL, NULL, NULL, NULL, Xp,
-+ e, ctx, cb))
-+ goto error;
-+
-+ if (!BN_X931_generate_prime_ex(rsa->q, NULL, NULL, NULL, NULL, Xq,
-+ e, ctx, cb))
-+ goto error;
-+
-+ /* Since rsa->p and rsa->q are valid this call will just derive
-+ * remaining RSA components.
-+ */
-+
-+ if (!RSA_X931_derive_ex(rsa, NULL, NULL, NULL, NULL,
-+ NULL, NULL, NULL, NULL, NULL, NULL, e, cb))
-+ goto error;
-+
-+#ifdef OPENSSL_FIPS
-+ if (!fips_check_rsa(rsa))
-+ goto error;
-+#endif
-+
-+ ok = 1;
-+
-+ error:
-+ if (ctx) {
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
-+ }
-+
-+ if (ok)
-+ return 1;
-+
-+ return 0;
-+
-+}
-diff --git a/crypto/fips/fips_sha_selftest.c b/crypto/fips/fips_sha_selftest.c
-new file mode 100644
-index 0000000..446ddd9
---- /dev/null
-+++ b/crypto/fips/fips_sha_selftest.c
-@@ -0,0 +1,145 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. 
All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include
-+#include
-+#ifdef OPENSSL_FIPS
-+# include
-+#endif
-+#include
-+#include
-+
-+#ifdef OPENSSL_FIPS
-+static const char test[][60] = {
-+ "",
-+ "abc",
-+ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
-+};
-+
-+static const unsigned char ret[][SHA_DIGEST_LENGTH] = {
-+ {0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55,
-+ 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09},
-+ {0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a, 0xba, 0x3e,
-+ 0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d},
-+ {0x84, 0x98, 0x3e, 0x44, 0x1c, 0x3b, 0xd2, 0x6e, 0xba, 0xae,
-+ 0x4a, 0xa1, 0xf9, 0x51, 0x29, 0xe5, 0xe5, 0x46, 0x70, 0xf1},
-+};
-+
-+static int corrupt_sha;
-+
-+void FIPS_corrupt_sha1()
-+{
-+ corrupt_sha = 1;
-+}
-+
-+int FIPS_selftest_sha1()
-+{
-+ int n;
-+
-+ for (n = 0; n < sizeof(test) / sizeof(test[0]); ++n) {
-+ unsigned char md[SHA_DIGEST_LENGTH];
-+
-+ EVP_Digest(test[n], strlen(test[n]) + corrupt_sha, md, NULL,
-+ EVP_sha1(), NULL);
-+ if (memcmp(md, ret[n], sizeof md)) {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA1, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+ }
-+ return 1;
-+}
-+
-+static const unsigned char msg_sha256[] =
-+ { 0xfa, 0x48, 0x59, 0x2a, 0xe1, 0xae, 0x1f, 0x30,
-+ 0xfc
-+};
-+
-+static const unsigned char dig_sha256[] =
-+ { 0xf7, 0x26, 0xd8, 0x98, 0x47, 0x91, 0x68, 0x5b,
-+ 0x9e, 0x39, 0xb2, 0x58, 0xbb, 0x75, 0xbf, 0x01,
-+ 0x17, 0x0c, 0x84, 0x00, 0x01, 0x7a, 0x94, 0x83,
-+ 0xf3, 0x0b, 0x15, 0x84, 0x4b, 0x69, 0x88, 0x8a
-+};
-+
-+static const unsigned char msg_sha512[] =
-+ { 0x37, 0xd1, 0x35, 0x9d, 0x18, 0x41, 0xe9, 0xb7,
-+ 0x6d, 0x9a, 0x13, 0xda, 0x5f, 0xf3, 0xbd
-+};
-+
-+static const unsigned char dig_sha512[] =
-+ { 0x11, 0x13, 0xc4, 0x19, 0xed, 0x2b, 0x1d, 0x16,
-+ 0x11, 0xeb, 0x9b, 0xbe, 0xf0, 0x7f, 0xcf, 0x44,
-+ 0x8b, 0xd7, 0x57, 0xbd, 0x8d, 0xa9, 0x25, 0xb0,
-+ 0x47, 0x25, 0xd6, 0x6c, 0x9a, 0x54, 0x7f, 0x8f,
-+ 0x0b, 0x53, 0x1a, 0x10, 0x68, 0x32, 0x03, 0x38,
-+ 0x82, 0xc4, 
0x87, 0xc4, 0xea, 0x0e, 0xd1, 0x04,
-+ 0xa9, 0x98, 0xc1, 0x05, 0xa3, 0xf3, 0xf8, 0xb1,
-+ 0xaf, 0xbc, 0xd9, 0x78, 0x7e, 0xee, 0x3d, 0x43
-+};
-+
-+int FIPS_selftest_sha2(void)
-+{
-+ unsigned char md[SHA512_DIGEST_LENGTH];
-+
-+ EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL);
-+ if (memcmp(dig_sha256, md, sizeof(dig_sha256))) {
-+ FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ EVP_Digest(msg_sha512, sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL);
-+ if (memcmp(dig_sha512, md, sizeof(dig_sha512))) {
-+ FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ return 1;
-+}
-+
-+#endif
-diff --git a/crypto/fips/fips_standalone_hmac.c b/crypto/fips/fips_standalone_hmac.c
-new file mode 100644
-index 0000000..ffc3411
---- /dev/null
-+++ b/crypto/fips/fips_standalone_hmac.c
-@@ -0,0 +1,268 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. 
The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#ifndef FIPSCANISTER_O
-+int FIPS_selftest_failed()
-+{
-+ return 0;
-+}
-+
-+void FIPS_selftest_check()
-+{
-+}
-+#endif
-+
-+#ifdef OPENSSL_FIPS
-+int bn_mul_mont_fpu64(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-+ const BN_ULONG *np, const BN_ULONG *n0, int num)
-+{
-+ return 0;
-+};
-+
-+int bn_mul_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-+ const BN_ULONG *np, const BN_ULONG *n0, int num)
-+{
-+ return 0;
-+};
-+
-+# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
-+ defined(__INTEL__) || \
-+ defined(__x86_64) || defined(__x86_64__) || \
-+ defined(_M_AMD64) || defined(_M_X64)
-+
-+unsigned int OPENSSL_ia32cap_P[4];
-+unsigned long *OPENSSL_ia32cap_loc(void)
-+{
-+ if (sizeof(long) == 4)
-+ /*
-+ * If 32-bit application pulls address of OPENSSL_ia32cap_P[0]
-+ * clear second element to maintain the illusion that vector
-+ * is 32-bit.
-+ */
-+ OPENSSL_ia32cap_P[1] = 0;
-+
-+ OPENSSL_ia32cap_P[2] = 0;
-+
-+ return (unsigned long *)OPENSSL_ia32cap_P;
-+}
-+
-+# if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM) && !defined(I386_ONLY)
-+# define OPENSSL_CPUID_SETUP
-+# if defined(_WIN32)
-+typedef unsigned __int64 IA32CAP;
-+# else
-+typedef unsigned long long IA32CAP;
-+# endif
-+void OPENSSL_cpuid_setup(void)
-+{
-+ static int trigger = 0;
-+ IA32CAP OPENSSL_ia32_cpuid(unsigned int *);
-+ IA32CAP vec;
-+ char *env;
-+
-+ if (trigger)
-+ return;
-+
-+ trigger = 1;
-+ if ((env = getenv("OPENSSL_ia32cap"))) {
-+ int off = (env[0] == '~') ? 
1 : 0;
-+# if defined(_WIN32)
-+ if (!sscanf(env + off, "%I64i", &vec))
-+ vec = strtoul(env + off, NULL, 0);
-+# else
-+ if (!sscanf(env + off, "%lli", (long long *)&vec))
-+ vec = strtoul(env + off, NULL, 0);
-+# endif
-+ if (off)
-+ vec = OPENSSL_ia32_cpuid(OPENSSL_ia32cap_P) & ~vec;
-+ else if (env[0] == ':')
-+ vec = OPENSSL_ia32_cpuid(OPENSSL_ia32cap_P);
-+
-+ OPENSSL_ia32cap_P[2] = 0;
-+ if ((env = strchr(env, ':'))) {
-+ unsigned int vecx;
-+ env++;
-+ off = (env[0] == '~') ? 1 : 0;
-+ vecx = strtoul(env + off, NULL, 0);
-+ if (off)
-+ OPENSSL_ia32cap_P[2] &= ~vecx;
-+ else
-+ OPENSSL_ia32cap_P[2] = vecx;
-+ }
-+ } else
-+ vec = OPENSSL_ia32_cpuid(OPENSSL_ia32cap_P);
-+
-+ /*
-+ * |(1<<10) sets a reserved bit to signal that variable
-+ * was initialized already... This is to avoid interference
-+ * with cpuid snippets in ELF .init segment.
-+ */
-+ OPENSSL_ia32cap_P[0] = (unsigned int)vec | (1 << 10);
-+ OPENSSL_ia32cap_P[1] = (unsigned int)(vec >> 32);
-+}
-+# else
-+unsigned int OPENSSL_ia32cap_P[4];
-+# endif
-+
-+# else
-+unsigned long *OPENSSL_ia32cap_loc(void)
-+{
-+ return NULL;
-+}
-+# endif
-+int OPENSSL_NONPIC_relocated = 0;
-+# if !defined(OPENSSL_CPUID_SETUP) && !defined(OPENSSL_CPUID_OBJ)
-+void OPENSSL_cpuid_setup(void)
-+{
-+}
-+# endif
-+
-+static void hmac_init(SHA256_CTX *md_ctx, SHA256_CTX *o_ctx, const char *key)
-+{
-+ size_t len = strlen(key);
-+ int i;
-+ unsigned char keymd[HMAC_MAX_MD_CBLOCK];
-+ unsigned char pad[HMAC_MAX_MD_CBLOCK];
-+
-+ if (len > SHA_CBLOCK) {
-+ SHA256_Init(md_ctx);
-+ SHA256_Update(md_ctx, key, len);
-+ SHA256_Final(keymd, md_ctx);
-+ len = SHA256_DIGEST_LENGTH;
-+ } else
-+ memcpy(keymd, key, len);
-+ memset(&keymd[len], '\0', HMAC_MAX_MD_CBLOCK - len);
-+
-+ for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++)
-+ pad[i] = 0x36 ^ keymd[i];
-+ SHA256_Init(md_ctx);
-+ SHA256_Update(md_ctx, pad, SHA256_CBLOCK);
-+
-+ for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++)
-+ pad[i] = 0x5c ^ keymd[i];
-+ SHA256_Init(o_ctx);
-+ 
SHA256_Update(o_ctx, pad, SHA256_CBLOCK);
-+}
-+
-+static void hmac_final(unsigned char *md, SHA256_CTX *md_ctx,
-+ SHA256_CTX *o_ctx)
-+{
-+ unsigned char buf[SHA256_DIGEST_LENGTH];
-+
-+ SHA256_Final(buf, md_ctx);
-+ SHA256_Update(o_ctx, buf, sizeof buf);
-+ SHA256_Final(md, o_ctx);
-+}
-+
-+#endif
-+
-+int main(int argc, char **argv)
-+{
-+#ifdef OPENSSL_FIPS
-+ static char key[] = "orboDeJITITejsirpADONivirpUkvarP";
-+ int n, binary = 0;
-+
-+ if (argc < 2) {
-+ fprintf(stderr, "%s []+\n", argv[0]);
-+ exit(1);
-+ }
-+
-+ n = 1;
-+ if (!strcmp(argv[n], "-binary")) {
-+ n++;
-+ binary = 1; /* emit binary fingerprint... */
-+ }
-+
-+ for (; n < argc; ++n) {
-+ FILE *f = fopen(argv[n], "rb");
-+ SHA256_CTX md_ctx, o_ctx;
-+ unsigned char md[SHA256_DIGEST_LENGTH];
-+ int i;
-+
-+ if (!f) {
-+ perror(argv[n]);
-+ exit(2);
-+ }
-+
-+ hmac_init(&md_ctx, &o_ctx, key);
-+ for (;;) {
-+ char buf[1024];
-+ size_t l = fread(buf, 1, sizeof buf, f);
-+
-+ if (l == 0) {
-+ if (ferror(f)) {
-+ perror(argv[n]);
-+ exit(3);
-+ } else
-+ break;
-+ }
-+ SHA256_Update(&md_ctx, buf, l);
-+ }
-+ hmac_final(md, &md_ctx, &o_ctx);
-+
-+ if (binary) {
-+ fwrite(md, SHA256_DIGEST_LENGTH, 1, stdout);
-+ break; /* ... for single(!) file */
-+ }
-+
-+/* printf("HMAC-SHA1(%s)= ",argv[n]); */
-+ for (i = 0; i < SHA256_DIGEST_LENGTH; ++i)
-+ printf("%02x", md[i]);
-+ printf("\n");
-+ }
-+#endif
-+ return 0;
-+}
-diff --git a/crypto/fips/fips_test_suite.c b/crypto/fips/fips_test_suite.c
-new file mode 100644
-index 0000000..1e4b69c
---- /dev/null
-+++ b/crypto/fips/fips_test_suite.c
-@@ -0,0 +1,639 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ *
-+ * This command is intended as a test driver for the FIPS-140 testing
-+ * lab performing FIPS-140 validation. It demonstrates the use of the
-+ * OpenSSL library ito perform a variety of common cryptographic
-+ * functions. 
A power-up self test is demonstrated by deliberately
-+ * pointing to an invalid executable hash
-+ *
-+ * Contributed by Steve Marquess.
-+ *
-+ */
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#include
-+#include
-+#include
-+
-+#ifndef OPENSSL_FIPS
-+int main(int argc, char *argv[])
-+{
-+ printf("No FIPS support\n");
-+ return (0);
-+}
-+#else
-+
-+# include
-+# include "fips_utl.h"
-+
-+/* AES: encrypt and decrypt known plaintext, verify result matches original plaintext
-+*/
-+static int FIPS_aes_test(void)
-+{
-+ int ret = 0;
-+ unsigned char pltmp[16];
-+ unsigned char citmp[16];
-+ unsigned char key[16] =
-+ { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
-+ unsigned char plaintext[16] = "etaonrishdlcu";
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+ if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(), NULL, key, NULL, 1) <= 0)
-+ goto err;
-+ EVP_Cipher(&ctx, citmp, plaintext, 16);
-+ if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(), NULL, key, NULL, 0) <= 0)
-+ goto err;
-+ EVP_Cipher(&ctx, pltmp, citmp, 16);
-+ if (memcmp(pltmp, plaintext, 16))
-+ goto err;
-+ ret = 1;
-+ err:
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+ return ret;
-+}
-+
-+static int FIPS_des3_test(void)
-+{
-+ int ret = 0;
-+ unsigned char pltmp[8];
-+ unsigned char citmp[8];
-+ unsigned char key[] =
-+ { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18,
-+ 19, 20, 21, 22, 23, 24
-+ };
-+ unsigned char plaintext[] = { 'e', 't', 'a', 'o', 'n', 'r', 'i', 's' };
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+ if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(), NULL, key, NULL, 1) <= 0)
-+ goto err;
-+ EVP_Cipher(&ctx, citmp, plaintext, 8);
-+ if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(), NULL, key, NULL, 0) <= 0)
-+ goto err;
-+ EVP_Cipher(&ctx, pltmp, citmp, 8);
-+ if (memcmp(pltmp, plaintext, 8))
-+ goto err;
-+ ret = 1;
-+ err:
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+ return 
ret;
-+}
-+
-+/*
-+ * DSA: generate keys and sign, verify input plaintext.
-+ */
-+static int FIPS_dsa_test(int bad)
-+{
-+ DSA *dsa = NULL;
-+ EVP_PKEY pk;
-+ unsigned char dgst[] = "etaonrishdlc";
-+ unsigned char buf[60];
-+ unsigned int slen;
-+ int r = 0;
-+ EVP_MD_CTX mctx;
-+
-+ ERR_clear_error();
-+ EVP_MD_CTX_init(&mctx);
-+ dsa = DSA_new();
-+ if (!dsa)
-+ goto end;
-+ if (!DSA_generate_parameters_ex(dsa, 1024, NULL, 0, NULL, NULL, NULL))
-+ goto end;
-+ if (!DSA_generate_key(dsa))
-+ goto end;
-+ if (bad)
-+ BN_add_word(dsa->pub_key, 1);
-+
-+ pk.type = EVP_PKEY_DSA;
-+ pk.pkey.dsa = dsa;
-+
-+ if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL))
-+ goto end;
-+ if (!EVP_SignUpdate(&mctx, dgst, sizeof(dgst) - 1))
-+ goto end;
-+ if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
-+ goto end;
-+
-+ if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL))
-+ goto end;
-+ if (!EVP_VerifyUpdate(&mctx, dgst, sizeof(dgst) - 1))
-+ goto end;
-+ r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
-+ end:
-+ EVP_MD_CTX_cleanup(&mctx);
-+ if (dsa)
-+ DSA_free(dsa);
-+ if (r != 1)
-+ return 0;
-+ return 1;
-+}
-+
-+/*
-+ * RSA: generate keys and sign, verify input plaintext.
-+ */
-+static int FIPS_rsa_test(int bad)
-+{
-+ RSA *key;
-+ unsigned char input_ptext[] = "etaonrishdlc";
-+ unsigned char buf[256];
-+ unsigned int slen;
-+ BIGNUM *bn;
-+ EVP_MD_CTX mctx;
-+ EVP_PKEY pk;
-+ int r = 0;
-+
-+ ERR_clear_error();
-+ EVP_MD_CTX_init(&mctx);
-+ key = RSA_new();
-+ bn = BN_new();
-+ if (!key || !bn)
-+ return 0;
-+ BN_set_word(bn, 65537);
-+ if (!RSA_generate_key_ex(key, 1024, bn, NULL))
-+ return 0;
-+ BN_free(bn);
-+ if (bad)
-+ BN_add_word(key->n, 1);
-+
-+ pk.type = EVP_PKEY_RSA;
-+ pk.pkey.rsa = key;
-+
-+ if (!EVP_SignInit_ex(&mctx, EVP_sha1(), NULL))
-+ goto end;
-+ if (!EVP_SignUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
-+ goto end;
-+ if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
-+ goto end;
-+
-+ if (!EVP_VerifyInit_ex(&mctx, EVP_sha1(), NULL))
-+ goto end;
-+ if (!EVP_VerifyUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
-+ goto end;
-+ r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
-+ end:
-+ EVP_MD_CTX_cleanup(&mctx);
-+ if (key)
-+ RSA_free(key);
-+ if (r != 1)
-+ return 0;
-+ return 1;
-+}
-+
-+/* SHA1: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_sha1_test()
-+{
-+ unsigned char digest[SHA_DIGEST_LENGTH] =
-+ { 0x11, 0xf1, 0x9a, 0x3a, 0xec, 0x1a, 0x1e, 0x8e, 0x65, 0xd4, 0x9a,
-+0x38, 0x0c, 0x8b, 0x1e, 0x2c, 0xe8, 0xb3, 0xc5, 0x18 };
-+ unsigned char str[] = "etaonrishd";
-+
-+ unsigned char md[SHA_DIGEST_LENGTH];
-+
-+ ERR_clear_error();
-+ if (!EVP_Digest(str, sizeof(str) - 1, md, NULL, EVP_sha1(), NULL))
-+ return 0;
-+ if (memcmp(md, digest, sizeof(md)))
-+ return 0;
-+ return 1;
-+}
-+
-+/* SHA256: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_sha256_test()
-+{
-+ unsigned char digest[SHA256_DIGEST_LENGTH] =
-+ { 0xf5, 0x53, 0xcd, 0xb8, 0xcf, 0x1, 0xee, 0x17, 0x9b, 0x93, 0xc9,
-+0x68, 0xc0, 0xea, 0x40, 0x91,
-+ 0x6, 0xec, 0x8e, 0x11, 0x96, 0xc8, 0x5d, 0x1c, 0xaf, 0x64, 0x22, 0xe6, 
-+ 0x50, 0x4f, 0x47, 0x57
-+ };
-+ unsigned char str[] = "etaonrishd";
-+
-+ unsigned char md[SHA256_DIGEST_LENGTH];
-+
-+ ERR_clear_error();
-+ if (!EVP_Digest(str, sizeof(str) - 1, md, NULL, EVP_sha256(), NULL))
-+ return 0;
-+ if (memcmp(md, digest, sizeof(md)))
-+ return 0;
-+ return 1;
-+}
-+
-+/* SHA512: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_sha512_test()
-+{
-+ unsigned char digest[SHA512_DIGEST_LENGTH] =
-+ { 0x99, 0xc9, 0xe9, 0x5b, 0x88, 0xd4, 0x78, 0x88, 0xdf, 0x88, 0x5f,
-+0x94, 0x71, 0x64, 0x28, 0xca,
-+ 0x16, 0x1f, 0x3d, 0xf4, 0x1f, 0xf3, 0x0f, 0xc5, 0x03, 0x99, 0xb2,
-+ 0xd0, 0xe7, 0x0b, 0x94, 0x4a,
-+ 0x45, 0xd2, 0x6c, 0x4f, 0x20, 0x06, 0xef, 0x71, 0xa9, 0x25, 0x7f,
-+ 0x24, 0xb1, 0xd9, 0x40, 0x22,
-+ 0x49, 0x54, 0x10, 0xc2, 0x22, 0x9d, 0x27, 0xfe, 0xbd, 0xd6, 0xd6,
-+ 0xeb, 0x2d, 0x42, 0x1d, 0xa3
-+ };
-+ unsigned char str[] = "etaonrishd";
-+
-+ unsigned char md[SHA512_DIGEST_LENGTH];
-+
-+ ERR_clear_error();
-+ if (!EVP_Digest(str, sizeof(str) - 1, md, NULL, EVP_sha512(), NULL))
-+ return 0;
-+ if (memcmp(md, digest, sizeof(md)))
-+ return 0;
-+ return 1;
-+}
-+
-+/* HMAC-SHA1: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_hmac_sha1_test()
-+{
-+ unsigned char key[] = "etaonrishd";
-+ unsigned char iv[] = "Sample text";
-+ unsigned char kaval[EVP_MAX_MD_SIZE] =
-+ { 0x73, 0xf7, 0xa0, 0x48, 0xf8, 0x94, 0xed, 0xdd, 0x0a, 0xea, 0xea,
-+0x56, 0x1b, 0x61, 0x2e, 0x70,
-+ 0xb2, 0xfb, 0xec, 0xc6
-+ };
-+
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ unsigned int outlen;
-+
-+ ERR_clear_error();
-+ if (!HMAC
-+ (EVP_sha1(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out, &outlen))
-+ return 0;
-+ if (memcmp(out, kaval, outlen))
-+ return 0;
-+ return 1;
-+}
-+
-+/* HMAC-SHA224: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_hmac_sha224_test()
-+{
-+ unsigned char key[] = 
"etaonrishd";
-+ unsigned char iv[] = "Sample text";
-+ unsigned char kaval[EVP_MAX_MD_SIZE] =
-+ { 0x75, 0x58, 0xd5, 0xbd, 0x55, 0x6d, 0x87, 0x0f, 0x75, 0xff, 0xbe,
-+0x1c, 0xb2, 0xf0, 0x20, 0x35,
-+ 0xe5, 0x62, 0x49, 0xb6, 0x94, 0xb9, 0xfc, 0x65, 0x34, 0x33, 0x3a, 0x19
-+ };
-+
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ unsigned int outlen;
-+
-+ ERR_clear_error();
-+ if (!HMAC
-+ (EVP_sha224(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out,
-+ &outlen))
-+ return 0;
-+ if (memcmp(out, kaval, outlen))
-+ return 0;
-+ return 1;
-+}
-+
-+/* HMAC-SHA256: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_hmac_sha256_test()
-+{
-+ unsigned char key[] = "etaonrishd";
-+ unsigned char iv[] = "Sample text";
-+ unsigned char kaval[EVP_MAX_MD_SIZE] =
-+ { 0xe9, 0x17, 0xc1, 0x7b, 0x4c, 0x6b, 0x77, 0xda, 0xd2, 0x30, 0x36,
-+0x02, 0xf5, 0x72, 0x33, 0x87,
-+ 0x9f, 0xc6, 0x6e, 0x7b, 0x7e, 0xa8, 0xea, 0xaa, 0x9f, 0xba, 0xee,
-+ 0x51, 0xff, 0xda, 0x24, 0xf4
-+ };
-+
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ unsigned int outlen;
-+
-+ ERR_clear_error();
-+ if (!HMAC
-+ (EVP_sha256(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out,
-+ &outlen))
-+ return 0;
-+ if (memcmp(out, kaval, outlen))
-+ return 0;
-+ return 1;
-+}
-+
-+/* HMAC-SHA384: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_hmac_sha384_test()
-+{
-+ unsigned char key[] = "etaonrishd";
-+ unsigned char iv[] = "Sample text";
-+ unsigned char kaval[EVP_MAX_MD_SIZE] =
-+ { 0xb2, 0x9d, 0x40, 0x58, 0x32, 0xc4, 0xe3, 0x31, 0xb6, 0x63, 0x08,
-+0x26, 0x99, 0xef, 0x3b, 0x10,
-+ 0xe2, 0xdf, 0xf8, 0xff, 0xc6, 0xe1, 0x03, 0x29, 0x81, 0x2a, 0x1b,
-+ 0xac, 0xb0, 0x07, 0x39, 0x08,
-+ 0xf3, 0x91, 0x35, 0x11, 0x76, 0xd6, 0x4c, 0x20, 0xfb, 0x4d, 0xc3,
-+ 0xf3, 0xb8, 0x9b, 0x88, 0x1c
-+ };
-+
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ unsigned int outlen;
-+
-+ ERR_clear_error();
-+ if (!HMAC
-+ (EVP_sha384(), key, 
sizeof(key) - 1, iv, sizeof(iv) - 1, out,
-+ &outlen))
-+ return 0;
-+ if (memcmp(out, kaval, outlen))
-+ return 0;
-+ return 1;
-+}
-+
-+/* HMAC-SHA512: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_hmac_sha512_test()
-+{
-+ unsigned char key[] = "etaonrishd";
-+ unsigned char iv[] = "Sample text";
-+ unsigned char kaval[EVP_MAX_MD_SIZE] =
-+ { 0xcd, 0x3e, 0xb9, 0x51, 0xb8, 0xbc, 0x7f, 0x9a, 0x23, 0xaf, 0xf3,
-+0x77, 0x59, 0x85, 0xa9, 0xe6,
-+ 0xf7, 0xd1, 0x51, 0x96, 0x17, 0xe0, 0x92, 0xd8, 0xa6, 0x3b, 0xc1,
-+ 0xad, 0x7e, 0x24, 0xca, 0xb1,
-+ 0xd7, 0x79, 0x0a, 0xa5, 0xea, 0x2c, 0x02, 0x58, 0x0b, 0xa6, 0x52,
-+ 0x6b, 0x61, 0x7f, 0xeb, 0x9c,
-+ 0x47, 0x86, 0x5d, 0x74, 0x2b, 0x88, 0xdf, 0xee, 0x46, 0x69, 0x96,
-+ 0x3d, 0xa6, 0xd9, 0x2a, 0x53
-+ };
-+
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ unsigned int outlen;
-+
-+ ERR_clear_error();
-+ if (!HMAC
-+ (EVP_sha512(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out,
-+ &outlen))
-+ return 0;
-+ if (memcmp(out, kaval, outlen))
-+ return 0;
-+ return 1;
-+}
-+
-+/* DH: generate shared parameters
-+*/
-+static int dh_test()
-+{
-+ DH *dh;
-+ ERR_clear_error();
-+ dh = FIPS_dh_new();
-+ if (!dh)
-+ return 0;
-+ if (!DH_generate_parameters_ex(dh, 1024, 2, NULL))
-+ return 0;
-+ FIPS_dh_free(dh);
-+ return 1;
-+}
-+
-+/* Zeroize
-+*/
-+static int Zeroize()
-+{
-+ RSA *key;
-+ BIGNUM *bn;
-+ unsigned char userkey[16] =
-+ { 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f,
-+0x83, 0x02, 0xb1, 0x09, 0x68 };
-+ int i, n;
-+
-+ key = FIPS_rsa_new();
-+ bn = BN_new();
-+ if (!key || !bn)
-+ return 0;
-+ BN_set_word(bn, 65537);
-+ if (!RSA_generate_key_ex(key, 1024, bn, NULL))
-+ return 0;
-+ BN_free(bn);
-+
-+ n = BN_num_bytes(key->d);
-+ printf(" Generated %d byte RSA private key\n", n);
-+ printf("\tBN key before overwriting:\n");
-+ do_bn_print(stdout, key->d);
-+ BN_rand(key->d, n * 8, -1, 0);
-+ printf("\tBN key after overwriting:\n");
-+ 
do_bn_print(stdout, key->d);
-+
-+ printf("\tchar buffer key before overwriting: \n\t\t");
-+ for (i = 0; i < sizeof(userkey); i++)
-+ printf("%02x", userkey[i]);
-+ printf("\n");
-+ RAND_bytes(userkey, sizeof userkey);
-+ printf("\tchar buffer key after overwriting: \n\t\t");
-+ for (i = 0; i < sizeof(userkey); i++)
-+ printf("%02x", userkey[i]);
-+ printf("\n");
-+
-+ return 1;
-+}
-+
-+static int Error;
-+const char *Fail(const char *msg)
-+{
-+ do_print_errors();
-+ Error++;
-+ return msg;
-+}
-+
-+int main(int argc, char **argv)
-+{
-+
-+ int do_corrupt_rsa_keygen = 0, do_corrupt_dsa_keygen = 0;
-+ int bad_rsa = 0, bad_dsa = 0;
-+ int do_rng_stick = 0;
-+ int no_exit = 0;
-+
-+ printf("\tFIPS-mode test application\n\n");
-+
-+ /* Load entropy from external file, if any */
-+ RAND_load_file(".rnd", 1024);
-+
-+ if (argv[1]) {
-+ /* Corrupted KAT tests */
-+ if (!strcmp(argv[1], "aes")) {
-+ FIPS_corrupt_aes();
-+ printf("AES encryption/decryption with corrupted KAT...\n");
-+ } else if (!strcmp(argv[1], "des")) {
-+ FIPS_corrupt_des();
-+ printf("DES3-ECB encryption/decryption with corrupted KAT...\n");
-+ } else if (!strcmp(argv[1], "dsa")) {
-+ FIPS_corrupt_dsa();
-+ printf
-+ ("DSA key generation and signature validation with corrupted KAT...\n");
-+ } else if (!strcmp(argv[1], "rsa")) {
-+ FIPS_corrupt_rsa();
-+ printf
-+ ("RSA key generation and signature validation with corrupted KAT...\n");
-+ } else if (!strcmp(argv[1], "rsakey")) {
-+ printf
-+ ("RSA key generation and signature validation with corrupted key...\n");
-+ bad_rsa = 1;
-+ no_exit = 1;
-+ } else if (!strcmp(argv[1], "rsakeygen")) {
-+ do_corrupt_rsa_keygen = 1;
-+ no_exit = 1;
-+ printf
-+ ("RSA key generation and signature validation with corrupted keygen...\n");
-+ } else if (!strcmp(argv[1], "dsakey")) {
-+ printf
-+ ("DSA key generation and signature validation with corrupted key...\n");
-+ bad_dsa = 1;
-+ no_exit = 1;
-+ } else if (!strcmp(argv[1], "dsakeygen")) {
-+ 
do_corrupt_dsa_keygen = 1;
-+ no_exit = 1;
-+ printf
-+ ("DSA key generation and signature validation with corrupted keygen...\n");
-+ } else if (!strcmp(argv[1], "sha1")) {
-+ FIPS_corrupt_sha1();
-+ printf("SHA-1 hash with corrupted KAT...\n");
-+ } else if (!strcmp(argv[1], "rng")) {
-+ FIPS_corrupt_rng();
-+ } else if (!strcmp(argv[1], "rngstick")) {
-+ do_rng_stick = 1;
-+ no_exit = 1;
-+ printf("RNG test with stuck continuous test...\n");
-+ } else {
-+ printf("Bad argument \"%s\"\n", argv[1]);
-+ exit(1);
-+ }
-+ if (!no_exit) {
-+ if (!FIPS_mode_set(1)) {
-+ do_print_errors();
-+ printf("Power-up self test failed\n");
-+ exit(1);
-+ }
-+ printf("Power-up self test successful\n");
-+ exit(0);
-+ }
-+ }
-+
-+ /* Non-Approved cryptographic operation
-+ */
-+ printf("1. Non-Approved cryptographic operation test...\n");
-+ printf("\ta. Included algorithm (D-H)...");
-+ printf(dh_test()? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* Power-up self test
-+ */
-+ ERR_clear_error();
-+ printf("2. Automatic power-up self test...");
-+ if (!FIPS_mode_set(1)) {
-+ do_print_errors();
-+ printf(Fail("FAILED!\n"));
-+ exit(1);
-+ }
-+ printf("successful\n");
-+ if (do_corrupt_dsa_keygen)
-+ FIPS_corrupt_dsa_keygen();
-+ if (do_corrupt_rsa_keygen)
-+ FIPS_corrupt_rsa_keygen();
-+ if (do_rng_stick)
-+ FIPS_rng_stick();
-+
-+ /* AES encryption/decryption
-+ */
-+ printf("3. AES encryption/decryption...");
-+ printf(FIPS_aes_test()? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* RSA key generation and encryption/decryption
-+ */
-+ printf("4. RSA key generation and encryption/decryption...");
-+ printf(FIPS_rsa_test(bad_rsa) ? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* DES-CBC encryption/decryption
-+ */
-+ printf("5. DES-ECB encryption/decryption...");
-+ printf(FIPS_des3_test()? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* DSA key generation and signature validation
-+ */
-+ printf("6. DSA key generation and signature validation...");
-+ printf(FIPS_dsa_test(bad_dsa) ? 
"successful\n" : Fail("FAILED!\n"));
-+
-+ /* SHA-1 hash
-+ */
-+ printf("7a. SHA-1 hash...");
-+ printf(FIPS_sha1_test()? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* SHA-256 hash
-+ */
-+ printf("7b. SHA-256 hash...");
-+ printf(FIPS_sha256_test()? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* SHA-512 hash
-+ */
-+ printf("7c. SHA-512 hash...");
-+ printf(FIPS_sha512_test()? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* HMAC-SHA-1 hash
-+ */
-+ printf("7d. HMAC-SHA-1 hash...");
-+ printf(FIPS_hmac_sha1_test()? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* HMAC-SHA-224 hash
-+ */
-+ printf("7e. HMAC-SHA-224 hash...");
-+ printf(FIPS_hmac_sha224_test()? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* HMAC-SHA-256 hash
-+ */
-+ printf("7f. HMAC-SHA-256 hash...");
-+ printf(FIPS_hmac_sha256_test()? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* HMAC-SHA-384 hash
-+ */
-+ printf("7g. HMAC-SHA-384 hash...");
-+ printf(FIPS_hmac_sha384_test()? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* HMAC-SHA-512 hash
-+ */
-+ printf("7h. HMAC-SHA-512 hash...");
-+ printf(FIPS_hmac_sha512_test()? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* Non-Approved cryptographic operation
-+ */
-+ printf("8. Non-Approved cryptographic operation test...\n");
-+ printf("\ta. Included algorithm (D-H)...");
-+ printf(dh_test()? "successful as expected\n"
-+ : Fail("failed INCORRECTLY!\n"));
-+
-+ /* Zeroization
-+ */
-+ printf("9. Zero-ization...\n");
-+ printf(Zeroize()? "\tsuccessful as expected\n"
-+ : Fail("\tfailed INCORRECTLY!\n"));
-+
-+ printf("\nAll tests completed with %d errors\n", Error);
-+ return Error ? 
1 : 0;
-+}
-+
-+#endif
-diff --git a/crypto/hmac/hmac.c b/crypto/hmac/hmac.c
-index 51a0a3e..cca5d78 100644
---- a/crypto/hmac/hmac.c
-+++ b/crypto/hmac/hmac.c
-@@ -89,12 +89,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
- EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS);
- return 0;
- }
-- /*
-- * Other algorithm blocking will be done in FIPS_cmac_init, via
-- * FIPS_hmac_init_ex().
-- */
-- if (!impl && !ctx->i_ctx.engine)
-- return FIPS_hmac_init_ex(ctx, key, len, md, NULL);
- }
- #endif
- /* If we are changing MD then we must have a key */
-@@ -111,6 +105,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
- }
- 
- if (key != NULL) {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(md->flags & EVP_MD_FLAG_FIPS)
-+ && (!(ctx->md_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
-+ || !(ctx->i_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
-+ || !(ctx->o_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))
-+ goto err;
-+#endif
- reset = 1;
- j = EVP_MD_block_size(md);
- OPENSSL_assert(j <= (int)sizeof(ctx->key));
-@@ -164,10 +165,6 @@ int HMAC_Init(HMAC_CTX *ctx, const void *key, int len, const EVP_MD *md)
- 
- int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
- {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !ctx->i_ctx.engine)
-- return FIPS_hmac_update(ctx, data, len);
--#endif
- if (!ctx->md)
- return 0;
- 
-@@ -178,10 +175,6 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
- {
- unsigned int i;
- unsigned char buf[EVP_MAX_MD_SIZE];
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !ctx->i_ctx.engine)
-- return FIPS_hmac_final(ctx, md, len);
--#endif
- 
- if (!ctx->md)
- goto err;
-@@ -225,12 +218,6 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx)
- 
- void HMAC_CTX_cleanup(HMAC_CTX *ctx)
- {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !ctx->i_ctx.engine) {
-- FIPS_hmac_ctx_cleanup(ctx);
-- return;
-- }
--#endif
- EVP_MD_CTX_cleanup(&ctx->i_ctx);
- EVP_MD_CTX_cleanup(&ctx->o_ctx);
- 
EVP_MD_CTX_cleanup(&ctx->md_ctx); -diff --git a/crypto/md2/md2_dgst.c b/crypto/md2/md2_dgst.c -index 9cd79f8..7a49951 100644 ---- a/crypto/md2/md2_dgst.c -+++ b/crypto/md2/md2_dgst.c -@@ -62,6 +62,11 @@ - #include - #include - #include -+#ifdef OPENSSL_FIPS -+# include -+#endif -+ -+#include - - const char MD2_version[] = "MD2" OPENSSL_VERSION_PTEXT; - -@@ -119,7 +124,7 @@ const char *MD2_options(void) - return ("md2(int)"); - } - --fips_md_init(MD2) -+nonfips_md_init(MD2) - { - c->num = 0; - memset(c->state, 0, sizeof c->state); -diff --git a/crypto/md4/md4_dgst.c b/crypto/md4/md4_dgst.c -index 614fca0..d14f01f 100644 ---- a/crypto/md4/md4_dgst.c -+++ b/crypto/md4/md4_dgst.c -@@ -72,7 +72,7 @@ const char MD4_version[] = "MD4" OPENSSL_VERSION_PTEXT; - #define INIT_DATA_C (unsigned long)0x98badcfeL - #define INIT_DATA_D (unsigned long)0x10325476L - --fips_md_init(MD4) -+nonfips_md_init(MD4) - { - memset(c, 0, sizeof(*c)); - c->A = INIT_DATA_A; -diff --git a/crypto/md5/md5_dgst.c b/crypto/md5/md5_dgst.c -index 2b51946..0a28b9b 100644 ---- a/crypto/md5/md5_dgst.c -+++ b/crypto/md5/md5_dgst.c -@@ -72,7 +72,7 @@ const char MD5_version[] = "MD5" OPENSSL_VERSION_PTEXT; - #define INIT_DATA_C (unsigned long)0x98badcfeL - #define INIT_DATA_D (unsigned long)0x10325476L - --fips_md_init(MD5) -+nonfips_md_init(MD5) - { - memset(c, 0, sizeof(*c)); - c->A = INIT_DATA_A; -diff --git a/crypto/mdc2/mdc2dgst.c b/crypto/mdc2/mdc2dgst.c -index 6615cf8..f4dd0ad 100644 ---- a/crypto/mdc2/mdc2dgst.c -+++ b/crypto/mdc2/mdc2dgst.c -@@ -76,7 +76,7 @@ - *((c)++)=(unsigned char)(((l)>>24L)&0xff)) - - static void mdc2_body(MDC2_CTX *c, const unsigned char *in, size_t len); --fips_md_init(MDC2) -+nonfips_md_init(MDC2) - { - c->num = 0; - c->pad_type = 1; -diff --git a/crypto/o_fips.c b/crypto/o_fips.c -index f56d5bb..0abd233 100644 ---- a/crypto/o_fips.c -+++ b/crypto/o_fips.c -@@ -80,6 +80,8 @@ int FIPS_mode_set(int r) - # ifndef FIPS_AUTH_USER_PASS - # define FIPS_AUTH_USER_PASS "Default FIPS 
Crypto User Password" - # endif -+ if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */ -+ return 1; - if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS)) - return 0; - if (r) -diff --git a/crypto/o_init.c b/crypto/o_init.c -index 2088388..2f754ef 100644 ---- a/crypto/o_init.c -+++ b/crypto/o_init.c -@@ -56,8 +56,37 @@ - #include - #include - #ifdef OPENSSL_FIPS -+# include -+# include -+# include -+# include -+# include -+# include - # include - # include -+ -+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" -+ -+static void init_fips_mode(void) -+{ -+ char buf[2] = "0"; -+ int fd; -+ -+ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { -+ buf[0] = '1'; -+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { -+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; -+ close(fd); -+ } -+ /* Failure reading the fips mode switch file means just not -+ * switching into FIPS mode. We would break too many things -+ * otherwise.. -+ */ -+ -+ if (buf[0] == '1') { -+ FIPS_mode_set(1); -+ } -+} - #endif - - /* -@@ -65,19 +94,26 @@ - * sets FIPS callbacks - */ - --void OPENSSL_init(void) -+void OPENSSL_init_library(void) - { - static int done = 0; - if (done) - return; - done = 1; - #ifdef OPENSSL_FIPS -- FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock); -- FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata); -- FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free); - RAND_init_fips(); -+ init_fips_mode(); -+ if (!FIPS_mode()) { -+ /* Clean up prematurely set default rand method */ -+ RAND_set_rand_method(NULL); -+ } - #endif - #if 0 - fprintf(stderr, "Called OPENSSL_init\n"); - #endif - } -+ -+void OPENSSL_init(void) -+{ -+ OPENSSL_init_library(); -+} -diff --git a/crypto/opensslconf.h.in b/crypto/opensslconf.h.in -index 7a1c85d..e86ec45 100644 ---- a/crypto/opensslconf.h.in -+++ b/crypto/opensslconf.h.in -@@ -1,5 +1,20 @@ - /* crypto/opensslconf.h.in */ - -+#ifdef OPENSSL_DOING_MAKEDEPEND -+ -+/* 
Include any symbols here that have to be explicitly set to enable a feature -+ * that should be visible to makedepend. -+ * -+ * [Our "make depend" doesn't actually look at this, we use actual build settings -+ * instead; we want to make it easy to remove subdirectories with disabled algorithms.] -+ */ -+ -+#ifndef OPENSSL_FIPS -+#define OPENSSL_FIPS -+#endif -+ -+#endif -+ - /* Generate 80386 code? */ - #undef I386_ONLY - -diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c -index 9e0064e..9d6b8b0 100644 ---- a/crypto/rand/md_rand.c -+++ b/crypto/rand/md_rand.c -@@ -391,7 +391,10 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock) - CRYPTO_w_unlock(CRYPTO_LOCK_RAND2); - crypto_lock_rand = 1; - -- if (!initialized) { -+ /* always poll for external entropy in FIPS mode, drbg provides the -+ * expansion -+ */ -+ if (!initialized || FIPS_module_mode()) { - RAND_poll(); - initialized = 1; - } -diff --git a/crypto/rand/rand.h b/crypto/rand/rand.h -index 2553afd..09dc4cc 100644 ---- a/crypto/rand/rand.h -+++ b/crypto/rand/rand.h -@@ -133,16 +133,34 @@ void ERR_load_RAND_strings(void); - /* Error codes for the RAND functions. */ - - /* Function codes. */ -+# define RAND_F_ENG_RAND_GET_RAND_METHOD 108 -+# define RAND_F_FIPS_RAND 103 -+# define RAND_F_FIPS_RAND_BYTES 102 -+# define RAND_F_FIPS_RAND_SET_DT 106 -+# define RAND_F_FIPS_X931_SET_DT 106 -+# define RAND_F_FIPS_SET_DT 104 -+# define RAND_F_FIPS_SET_PRNG_SEED 107 -+# define RAND_F_FIPS_SET_TEST_MODE 105 - # define RAND_F_RAND_GET_RAND_METHOD 101 --# define RAND_F_RAND_INIT_FIPS 102 -+# define RAND_F_RAND_INIT_FIPS 109 - # define RAND_F_SSLEAY_RAND_BYTES 100 - - /* Reason codes. 
*/ --# define RAND_R_DUAL_EC_DRBG_DISABLED 104 --# define RAND_R_ERROR_INITIALISING_DRBG 102 --# define RAND_R_ERROR_INSTANTIATING_DRBG 103 --# define RAND_R_NO_FIPS_RANDOM_METHOD_SET 101 -+# define RAND_R_DUAL_EC_DRBG_DISABLED 114 -+# define RAND_R_ERROR_INITIALISING_DRBG 112 -+# define RAND_R_ERROR_INSTANTIATING_DRBG 113 -+# define RAND_R_NON_FIPS_METHOD 105 -+# define RAND_R_NOT_IN_TEST_MODE 106 -+# define RAND_R_NO_FIPS_RANDOM_METHOD_SET 111 -+# define RAND_R_NO_KEY_SET 107 -+# define RAND_R_PRNG_ASKING_FOR_TOO_MUCH 101 -+# define RAND_R_PRNG_ERROR 108 -+# define RAND_R_PRNG_KEYED 109 -+# define RAND_R_PRNG_NOT_REKEYED 102 -+# define RAND_R_PRNG_NOT_RESEEDED 103 - # define RAND_R_PRNG_NOT_SEEDED 100 -+# define RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY 110 -+# define RAND_R_PRNG_STUCK 104 - - #ifdef __cplusplus - } -diff --git a/crypto/ripemd/rmd_dgst.c b/crypto/ripemd/rmd_dgst.c -index 4ddd939..2d21dd7 100644 ---- a/crypto/ripemd/rmd_dgst.c -+++ b/crypto/ripemd/rmd_dgst.c -@@ -70,7 +70,7 @@ void ripemd160_block_x86(RIPEMD160_CTX *c, unsigned long *p, size_t num); - void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p, size_t num); - #endif - --fips_md_init(RIPEMD160) -+nonfips_md_init(RIPEMD160) - { - memset(c, 0, sizeof(*c)); - c->A = RIPEMD160_A; -diff --git a/crypto/rsa/rsa.h b/crypto/rsa/rsa.h -index d2ee374..d2e93dd 100644 ---- a/crypto/rsa/rsa.h -+++ b/crypto/rsa/rsa.h -@@ -168,6 +168,8 @@ struct rsa_st { - # define OPENSSL_RSA_MAX_MODULUS_BITS 16384 - # endif - -+# define OPENSSL_RSA_FIPS_MIN_MODULUS_BITS 1024 -+ - # ifndef OPENSSL_RSA_SMALL_MODULUS_BITS - # define OPENSSL_RSA_SMALL_MODULUS_BITS 3072 - # endif -@@ -329,6 +331,13 @@ RSA *RSA_generate_key(int bits, unsigned long e, void - - /* New version */ - int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb); -+int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, -+ BIGNUM *q2, const BIGNUM *Xp1, const BIGNUM *Xp2, -+ const BIGNUM *Xp, const BIGNUM *Xq1, -+ const BIGNUM 
*Xq2, const BIGNUM *Xq, -+ const BIGNUM *e, BN_GENCB *cb); -+int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, -+ BN_GENCB *cb); - - int RSA_check_key(const RSA *); - /* next 4 return -1 on error */ -@@ -538,7 +547,7 @@ void ERR_load_RSA_strings(void); - # define RSA_F_RSA_ALGOR_TO_MD 157 - # define RSA_F_RSA_BUILTIN_KEYGEN 129 - # define RSA_F_RSA_CHECK_KEY 123 --# define RSA_F_RSA_CMS_DECRYPT 158 -+# define RSA_F_RSA_CMS_DECRYPT 258 - # define RSA_F_RSA_EAY_PRIVATE_DECRYPT 101 - # define RSA_F_RSA_EAY_PRIVATE_ENCRYPT 102 - # define RSA_F_RSA_EAY_PUBLIC_DECRYPT 103 -@@ -559,7 +568,7 @@ void ERR_load_RSA_strings(void); - # define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121 - # define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1 160 - # define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125 --# define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 148 -+# define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 158 - # define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108 - # define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109 - # define RSA_F_RSA_PADDING_ADD_SSLV23 110 -@@ -573,21 +582,23 @@ void ERR_load_RSA_strings(void); - # define RSA_F_RSA_PADDING_CHECK_X931 128 - # define RSA_F_RSA_PRINT 115 - # define RSA_F_RSA_PRINT_FP 116 --# define RSA_F_RSA_PRIVATE_DECRYPT 150 --# define RSA_F_RSA_PRIVATE_ENCRYPT 151 -+# define RSA_F_RSA_PRIVATE_DECRYPT 157 -+# define RSA_F_RSA_PRIVATE_ENCRYPT 148 - # define RSA_F_RSA_PRIV_DECODE 137 - # define RSA_F_RSA_PRIV_ENCODE 138 - # define RSA_F_RSA_PSS_TO_CTX 162 --# define RSA_F_RSA_PUBLIC_DECRYPT 152 -+# define RSA_F_RSA_PUBLIC_DECRYPT 149 - # define RSA_F_RSA_PUBLIC_ENCRYPT 153 - # define RSA_F_RSA_PUB_DECODE 139 - # define RSA_F_RSA_SETUP_BLINDING 136 -+# define RSA_F_RSA_SET_DEFAULT_METHOD 150 -+# define RSA_F_RSA_SET_METHOD 151 - # define RSA_F_RSA_SIGN 117 - # define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118 - # define RSA_F_RSA_VERIFY 119 - # define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120 - # define RSA_F_RSA_VERIFY_PKCS1_PSS 126 --# define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 
149 -+# define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 152 - - /* Reason codes. */ - # define RSA_R_ALGORITHM_MISMATCH 100 -@@ -620,21 +631,22 @@ void ERR_load_RSA_strings(void); - # define RSA_R_INVALID_OAEP_PARAMETERS 162 - # define RSA_R_INVALID_PADDING 138 - # define RSA_R_INVALID_PADDING_MODE 141 --# define RSA_R_INVALID_PSS_PARAMETERS 149 -+# define RSA_R_INVALID_PSS_PARAMETERS 157 - # define RSA_R_INVALID_PSS_SALTLEN 146 --# define RSA_R_INVALID_SALT_LENGTH 150 -+# define RSA_R_INVALID_SALT_LENGTH 158 - # define RSA_R_INVALID_TRAILER 139 - # define RSA_R_INVALID_X931_DIGEST 142 - # define RSA_R_IQMP_NOT_INVERSE_OF_Q 126 - # define RSA_R_KEY_SIZE_TOO_SMALL 120 - # define RSA_R_LAST_OCTET_INVALID 134 - # define RSA_R_MODULUS_TOO_LARGE 105 --# define RSA_R_NON_FIPS_RSA_METHOD 157 -+# define RSA_R_NON_FIPS_RSA_METHOD 149 -+# define RSA_R_NON_FIPS_METHOD 149 - # define RSA_R_NO_PUBLIC_EXPONENT 140 - # define RSA_R_NULL_BEFORE_BLOCK_MISSING 113 - # define RSA_R_N_DOES_NOT_EQUAL_P_Q 127 - # define RSA_R_OAEP_DECODING_ERROR 121 --# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 158 -+# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 150 - # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 - # define RSA_R_PADDING_CHECK_FAILED 114 - # define RSA_R_PKCS_DECODING_ERROR 159 -diff --git a/crypto/rsa/rsa_crpt.c b/crypto/rsa/rsa_crpt.c -index 5c416b5..81e00d9 100644 ---- a/crypto/rsa/rsa_crpt.c -+++ b/crypto/rsa/rsa_crpt.c -@@ -89,9 +89,9 @@ int RSA_private_encrypt(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, int padding) - { - #ifdef OPENSSL_FIPS -- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) -- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { -- RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD); -+ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { -+ RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, -+ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE); - return -1; - } - #endif -@@ -115,9 +115,9 @@ int RSA_public_decrypt(int flen, 
const unsigned char *from, unsigned char *to, - RSA *rsa, int padding) - { - #ifdef OPENSSL_FIPS -- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) -- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { -- RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD); -+ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { -+ RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, -+ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE); - return -1; - } - #endif -diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c -index b147fff..2de7afc 100644 ---- a/crypto/rsa/rsa_eay.c -+++ b/crypto/rsa/rsa_eay.c -@@ -114,6 +114,10 @@ - #include - #include - #include -+#include -+#ifdef OPENSSL_FIPS -+# include -+#endif - - #ifndef RSA_NULL - -@@ -140,7 +144,7 @@ static RSA_METHOD rsa_pkcs1_eay_meth = { - * if e == 3 */ - RSA_eay_init, - RSA_eay_finish, -- 0, /* flags */ -+ RSA_FLAG_FIPS_METHOD, /* flags */ - NULL, - 0, /* rsa_sign */ - 0, /* rsa_verify */ -@@ -160,6 +164,22 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from, - unsigned char *buf = NULL; - BN_CTX *ctx = NULL; - -+# ifdef OPENSSL_FIPS -+ if (FIPS_mode()) { -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_RSA_EAY_PUBLIC_ENCRYPT, -+ FIPS_R_FIPS_SELFTEST_FAILED); -+ goto err; -+ } -+ -+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) -+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { -+ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); -+ return -1; -+ } -+ } -+# endif -+ - if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { - RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); - return -1; -@@ -361,6 +381,22 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, - BIGNUM *unblind = NULL; - BN_BLINDING *blinding = NULL; - -+# ifdef OPENSSL_FIPS -+ if (FIPS_mode()) { -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_RSA_EAY_PRIVATE_ENCRYPT, -+ FIPS_R_FIPS_SELFTEST_FAILED); -+ return -1; -+ } -+ -+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) -+ 
&& (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { -+ RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); -+ return -1; -+ } -+ } -+# endif -+ - if ((ctx = BN_CTX_new()) == NULL) - goto err; - BN_CTX_start(ctx); -@@ -497,6 +533,22 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, - BIGNUM *unblind = NULL; - BN_BLINDING *blinding = NULL; - -+# ifdef OPENSSL_FIPS -+ if (FIPS_mode()) { -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_RSA_EAY_PRIVATE_DECRYPT, -+ FIPS_R_FIPS_SELFTEST_FAILED); -+ return -1; -+ } -+ -+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) -+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { -+ RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); -+ return -1; -+ } -+ } -+# endif -+ - if ((ctx = BN_CTX_new()) == NULL) - goto err; - BN_CTX_start(ctx); -@@ -623,6 +675,22 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from, - unsigned char *buf = NULL; - BN_CTX *ctx = NULL; - -+# ifdef OPENSSL_FIPS -+ if (FIPS_mode()) { -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_RSA_EAY_PUBLIC_DECRYPT, -+ FIPS_R_FIPS_SELFTEST_FAILED); -+ goto err; -+ } -+ -+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) -+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { -+ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); -+ return -1; -+ } -+ } -+# endif -+ - if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { - RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); - return -1; -@@ -886,6 +954,9 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) - - static int RSA_eay_init(RSA *rsa) - { -+# ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+# endif - rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE; - return (1); - } -diff --git a/crypto/rsa/rsa_err.c b/crypto/rsa/rsa_err.c -index 0bab05e..9557e1d 100644 ---- a/crypto/rsa/rsa_err.c -+++ b/crypto/rsa/rsa_err.c -@@ -136,6 +136,8 @@ static 
ERR_STRING_DATA RSA_str_functs[] = { - {ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"}, - {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"}, - {ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"}, -+ {ERR_FUNC(RSA_F_RSA_SET_DEFAULT_METHOD), "RSA_set_default_method"}, -+ {ERR_FUNC(RSA_F_RSA_SET_METHOD), "RSA_set_method"}, - {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"}, - {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), - "RSA_sign_ASN1_OCTET_STRING"}, -diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c -index 7f7dca3..c6c0a75 100644 ---- a/crypto/rsa/rsa_gen.c -+++ b/crypto/rsa/rsa_gen.c -@@ -69,8 +69,80 @@ - #include - #ifdef OPENSSL_FIPS - # include --extern int FIPS_rsa_x931_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, -- BN_GENCB *cb); -+# include -+# include -+ -+static int fips_rsa_pairwise_fail = 0; -+ -+void FIPS_corrupt_rsa_keygen(void) -+{ -+ fips_rsa_pairwise_fail = 1; -+} -+ -+int fips_check_rsa(RSA *rsa) -+{ -+ const unsigned char tbs[] = "RSA Pairwise Check Data"; -+ unsigned char *ctbuf = NULL, *ptbuf = NULL; -+ int len, ret = 0; -+ EVP_PKEY *pk; -+ -+ if ((pk = EVP_PKEY_new()) == NULL) -+ goto err; -+ -+ EVP_PKEY_set1_RSA(pk, rsa); -+ -+ /* Perform pairwise consistency signature test */ -+ if (!fips_pkey_signature_test(pk, tbs, -1, -+ NULL, 0, EVP_sha1(), -+ EVP_MD_CTX_FLAG_PAD_PKCS1, NULL) -+ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(), -+ EVP_MD_CTX_FLAG_PAD_X931, NULL) -+ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(), -+ EVP_MD_CTX_FLAG_PAD_PSS, NULL)) -+ goto err; -+ /* Now perform pairwise consistency encrypt/decrypt test */ -+ ctbuf = OPENSSL_malloc(RSA_size(rsa)); -+ if (!ctbuf) -+ goto err; -+ -+ len = -+ RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa, -+ RSA_PKCS1_PADDING); -+ if (len <= 0) -+ goto err; -+ /* Check ciphertext doesn't match plaintext */ -+ if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len)) -+ goto err; -+ ptbuf = OPENSSL_malloc(RSA_size(rsa)); -+ -+ if (!ptbuf) 
-+ goto err; -+ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING); -+ if (len != (sizeof(tbs) - 1)) -+ goto err; -+ if (memcmp(ptbuf, tbs, len)) -+ goto err; -+ -+ ret = 1; -+ -+ if (!ptbuf) -+ goto err; -+ -+ err: -+ if (ret == 0) { -+ fips_set_selftest_fail(); -+ FIPSerr(FIPS_F_FIPS_CHECK_RSA, FIPS_R_PAIRWISE_TEST_FAILED); -+ } -+ -+ if (ctbuf) -+ OPENSSL_free(ctbuf); -+ if (ptbuf) -+ OPENSSL_free(ptbuf); -+ if (pk) -+ EVP_PKEY_free(pk); -+ -+ return ret; -+} - #endif - - static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, -@@ -86,7 +158,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, - int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) - { - #ifdef OPENSSL_FIPS -- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) -+ if (FIPS_module_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) - && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { - RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD); - return 0; -@@ -94,10 +166,6 @@ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) - #endif - if (rsa->meth->rsa_keygen) - return rsa->meth->rsa_keygen(rsa, bits, e_value, cb); --#ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return FIPS_rsa_x931_generate_key_ex(rsa, bits, e_value, cb); --#endif - return rsa_builtin_keygen(rsa, bits, e_value, cb); - } - -@@ -110,6 +178,20 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, - int bitsp, bitsq, ok = -1, n = 0; - BN_CTX *ctx = NULL; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_module_mode()) { -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED); -+ return 0; -+ } -+ -+ if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) { -+ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_KEY_TOO_SHORT); -+ return 0; -+ } -+ } -+#endif -+ - ctx = BN_CTX_new(); - if (ctx == NULL) - goto err; -@@ -235,6 +317,16 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, - if 
(!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) - goto err; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_module_mode()) { -+ if (fips_rsa_pairwise_fail) -+ BN_add_word(rsa->n, 1); -+ -+ if (!fips_check_rsa(rsa)) -+ goto err; -+ } -+#endif -+ - ok = 1; - err: - if (ok == -1) { -diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c -index a6805de..fe7b520 100644 ---- a/crypto/rsa/rsa_lib.c -+++ b/crypto/rsa/rsa_lib.c -@@ -84,23 +84,22 @@ RSA *RSA_new(void) - - void RSA_set_default_method(const RSA_METHOD *meth) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) { -+ RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_METHOD); -+ return; -+ } -+#endif - default_RSA_meth = meth; - } - - const RSA_METHOD *RSA_get_default_method(void) - { - if (default_RSA_meth == NULL) { --#ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return FIPS_rsa_pkcs1_ssleay(); -- else -- return RSA_PKCS1_SSLeay(); --#else --# ifdef RSA_NULL -+#ifdef RSA_NULL - default_RSA_meth = RSA_null_method(); --# else -+#else - default_RSA_meth = RSA_PKCS1_SSLeay(); --# endif - #endif - } - -@@ -119,6 +118,12 @@ int RSA_set_method(RSA *rsa, const RSA_METHOD *meth) - * to deal with which ENGINE it comes from. 
- */ - const RSA_METHOD *mtmp; -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) { -+ RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_METHOD); -+ return 0; -+ } -+#endif - mtmp = rsa->meth; - if (mtmp->finish) - mtmp->finish(rsa); -@@ -165,6 +170,17 @@ RSA *RSA_new_method(ENGINE *engine) - } - } - #endif -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD)) { -+ RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_METHOD); -+# ifndef OPENSSL_NO_ENGINE -+ if (ret->engine) -+ ENGINE_finish(ret->engine); -+# endif -+ OPENSSL_free(ret); -+ return NULL; -+ } -+#endif - - ret->pad = 0; - ret->version = 0; -@@ -183,7 +199,7 @@ RSA *RSA_new_method(ENGINE *engine) - ret->blinding = NULL; - ret->mt_blinding = NULL; - ret->bignum_data = NULL; -- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; -+ ret->flags = ret->meth->flags; - if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { - #ifndef OPENSSL_NO_ENGINE - if (ret->engine) -diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c -index 2036355..3deba38 100644 ---- a/crypto/rsa/rsa_pmeth.c -+++ b/crypto/rsa/rsa_pmeth.c -@@ -228,20 +228,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, - RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH); - return -1; - } --#ifdef OPENSSL_FIPS -- if (ret > 0) { -- unsigned int slen; -- ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md, -- rctx->pad_mode, -- rctx->saltlen, -- rctx->mgf1md, sig, &slen); -- if (ret > 0) -- *siglen = slen; -- else -- *siglen = 0; -- return ret; -- } --#endif - - if (EVP_MD_type(rctx->md) == NID_mdc2) { - unsigned int sltmp; -@@ -359,17 +345,6 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, - } - #endif - if (rctx->md) { --#ifdef OPENSSL_FIPS -- if (rv > 0) { -- return FIPS_rsa_verify_digest(rsa, -- tbs, tbslen, -- rctx->md, -- rctx->pad_mode, -- rctx->saltlen, -- rctx->mgf1md, sig, siglen); -- -- } --#endif - if (rctx->pad_mode == RSA_PKCS1_PADDING) 
- return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, - sig, siglen, rsa); -diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c -index 82ca832..a77e7d3 100644 ---- a/crypto/rsa/rsa_sign.c -+++ b/crypto/rsa/rsa_sign.c -@@ -132,7 +132,10 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len, - i2d_X509_SIG(&sig, &p); - s = tmps; - } -- i = RSA_private_encrypt(i, s, sigret, rsa, RSA_PKCS1_PADDING); -+ /* NB: call underlying method directly to avoid FIPS blocking */ -+ i = rsa->meth->rsa_priv_enc ? rsa->meth->rsa_priv_enc(i, s, sigret, rsa, -+ RSA_PKCS1_PADDING) : -+ 0; - if (i <= 0) - ret = 0; - else -@@ -188,8 +191,10 @@ int int_rsa_verify(int dtype, const unsigned char *m, - } - - if ((dtype == NID_md5_sha1) && rm) { -- i = RSA_public_decrypt((int)siglen, -- sigbuf, rm, rsa, RSA_PKCS1_PADDING); -+ i = rsa->meth->rsa_pub_dec ? rsa->meth->rsa_pub_dec((int)siglen, -+ sigbuf, rm, rsa, -+ RSA_PKCS1_PADDING) -+ : 0; - if (i <= 0) - return 0; - *prm_len = i; -@@ -205,7 +210,11 @@ int int_rsa_verify(int dtype, const unsigned char *m, - RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_INVALID_MESSAGE_LENGTH); - goto err; - } -- i = RSA_public_decrypt((int)siglen, sigbuf, s, rsa, RSA_PKCS1_PADDING); -+ /* NB: call underlying method directly to avoid FIPS blocking */ -+ i = rsa->meth->rsa_pub_dec ? 
rsa->meth->rsa_pub_dec((int)siglen, sigbuf, -+ s, rsa, -+ RSA_PKCS1_PADDING) : -+ 0; - - if (i <= 0) - goto err; -diff --git a/crypto/sha/sha.h b/crypto/sha/sha.h -index e5169e4..ccec037 100644 ---- a/crypto/sha/sha.h -+++ b/crypto/sha/sha.h -@@ -105,9 +105,6 @@ typedef struct SHAstate_st { - } SHA_CTX; - - # ifndef OPENSSL_NO_SHA0 --# ifdef OPENSSL_FIPS --int private_SHA_Init(SHA_CTX *c); --# endif - int SHA_Init(SHA_CTX *c); - int SHA_Update(SHA_CTX *c, const void *data, size_t len); - int SHA_Final(unsigned char *md, SHA_CTX *c); -@@ -115,9 +112,6 @@ unsigned char *SHA(const unsigned char *d, size_t n, unsigned char *md); - void SHA_Transform(SHA_CTX *c, const unsigned char *data); - # endif - # ifndef OPENSSL_NO_SHA1 --# ifdef OPENSSL_FIPS --int private_SHA1_Init(SHA_CTX *c); --# endif - int SHA1_Init(SHA_CTX *c); - int SHA1_Update(SHA_CTX *c, const void *data, size_t len); - int SHA1_Final(unsigned char *md, SHA_CTX *c); -@@ -139,10 +133,6 @@ typedef struct SHA256state_st { - } SHA256_CTX; - - # ifndef OPENSSL_NO_SHA256 --# ifdef OPENSSL_FIPS --int private_SHA224_Init(SHA256_CTX *c); --int private_SHA256_Init(SHA256_CTX *c); --# endif - int SHA224_Init(SHA256_CTX *c); - int SHA224_Update(SHA256_CTX *c, const void *data, size_t len); - int SHA224_Final(unsigned char *md, SHA256_CTX *c); -@@ -192,10 +182,6 @@ typedef struct SHA512state_st { - # endif - - # ifndef OPENSSL_NO_SHA512 --# ifdef OPENSSL_FIPS --int private_SHA384_Init(SHA512_CTX *c); --int private_SHA512_Init(SHA512_CTX *c); --# endif - int SHA384_Init(SHA512_CTX *c); - int SHA384_Update(SHA512_CTX *c, const void *data, size_t len); - int SHA384_Final(unsigned char *md, SHA512_CTX *c); -diff --git a/crypto/sha/sha256.c b/crypto/sha/sha256.c -index 72a1159..a6cf450 100644 ---- a/crypto/sha/sha256.c -+++ b/crypto/sha/sha256.c -@@ -12,12 +12,19 @@ - - # include - # include -+# ifdef OPENSSL_FIPS -+# include -+# endif -+ - # include - - const char SHA256_version[] = "SHA-256" OPENSSL_VERSION_PTEXT; - - 
fips_md_init_ctx(SHA224, SHA256) - { -+# ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+# endif - memset(c, 0, sizeof(*c)); - c->h[0] = 0xc1059ed8UL; - c->h[1] = 0x367cd507UL; -@@ -33,6 +40,9 @@ fips_md_init_ctx(SHA224, SHA256) - - fips_md_init(SHA256) - { -+# ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+# endif - memset(c, 0, sizeof(*c)); - c->h[0] = 0x6a09e667UL; - c->h[1] = 0xbb67ae85UL; -diff --git a/crypto/sha/sha512.c b/crypto/sha/sha512.c -index 3bf66ae..f6e7c99 100644 ---- a/crypto/sha/sha512.c -+++ b/crypto/sha/sha512.c -@@ -5,6 +5,10 @@ - * ==================================================================== - */ - #include -+#ifdef OPENSSL_FIPS -+# include -+#endif -+ - #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512) - /*- - * IMPLEMENTATION NOTES. -@@ -62,6 +66,9 @@ const char SHA512_version[] = "SHA-512" OPENSSL_VERSION_PTEXT; - - fips_md_init_ctx(SHA384, SHA512) - { -+# ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+# endif - c->h[0] = U64(0xcbbb9d5dc1059ed8); - c->h[1] = U64(0x629a292a367cd507); - c->h[2] = U64(0x9159015a3070dd17); -@@ -80,6 +87,9 @@ fips_md_init_ctx(SHA384, SHA512) - - fips_md_init(SHA512) - { -+# ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+# endif - c->h[0] = U64(0x6a09e667f3bcc908); - c->h[1] = U64(0xbb67ae8584caa73b); - c->h[2] = U64(0x3c6ef372fe94f82b); -diff --git a/crypto/sha/sha_locl.h b/crypto/sha/sha_locl.h -index 03bd411..84ce5ca 100644 ---- a/crypto/sha/sha_locl.h -+++ b/crypto/sha/sha_locl.h -@@ -123,11 +123,14 @@ void sha1_block_data_order(SHA_CTX *c, const void *p, size_t num); - #define INIT_DATA_h4 0xc3d2e1f0UL - - #ifdef SHA_0 --fips_md_init(SHA) -+nonfips_md_init(SHA) - #else - fips_md_init_ctx(SHA1, SHA) - #endif - { -+#if defined(SHA_1) && defined(OPENSSL_FIPS) -+ FIPS_selftest_check(); -+#endif - memset(c, 0, sizeof(*c)); - c->h0 = INIT_DATA_h0; - c->h1 = INIT_DATA_h1; -diff --git a/crypto/whrlpool/wp_dgst.c b/crypto/whrlpool/wp_dgst.c -index e33bb4f..050b281 100644 ---- 
a/crypto/whrlpool/wp_dgst.c -+++ b/crypto/whrlpool/wp_dgst.c -@@ -55,7 +55,7 @@ - #include - #include - --fips_md_init(WHIRLPOOL) -+nonfips_md_init(WHIRLPOOL) - { - memset(c, 0, sizeof(*c)); - return (1); -diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c -index e6f515f..34c0ab9 100644 ---- a/ssl/ssl_algs.c -+++ b/ssl/ssl_algs.c -@@ -64,6 +64,11 @@ - int SSL_library_init(void) - { - -+#ifdef OPENSSL_FIPS -+ OPENSSL_init_library(); -+ if (!FIPS_mode()) { -+#endif -+ - #ifndef OPENSSL_NO_DES - EVP_add_cipher(EVP_des_cbc()); - EVP_add_cipher(EVP_des_ede3_cbc()); -@@ -142,6 +147,48 @@ int SSL_library_init(void) - EVP_add_digest(EVP_sha()); - EVP_add_digest(EVP_dss()); - #endif -+#ifdef OPENSSL_FIPS -+ } else { -+# ifndef OPENSSL_NO_DES -+ EVP_add_cipher(EVP_des_ede3_cbc()); -+# endif -+# ifndef OPENSSL_NO_AES -+ EVP_add_cipher(EVP_aes_128_cbc()); -+ EVP_add_cipher(EVP_aes_192_cbc()); -+ EVP_add_cipher(EVP_aes_256_cbc()); -+ EVP_add_cipher(EVP_aes_128_gcm()); -+ EVP_add_cipher(EVP_aes_256_gcm()); -+# endif -+# ifndef OPENSSL_NO_MD5 -+ /* needed even in the FIPS mode for TLS MAC */ -+ EVP_add_digest(EVP_md5()); -+ EVP_add_digest_alias(SN_md5, "ssl2-md5"); -+ EVP_add_digest_alias(SN_md5, "ssl3-md5"); -+# endif -+# ifndef OPENSSL_NO_SHA -+ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */ -+ EVP_add_digest_alias(SN_sha1, "ssl3-sha1"); -+ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA); -+# endif -+# ifndef OPENSSL_NO_SHA256 -+ EVP_add_digest(EVP_sha224()); -+ EVP_add_digest(EVP_sha256()); -+# endif -+# ifndef OPENSSL_NO_SHA512 -+ EVP_add_digest(EVP_sha384()); -+ EVP_add_digest(EVP_sha512()); -+# endif -+# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA) -+ EVP_add_digest(EVP_dss1()); /* DSA with sha1 */ -+ EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2); -+ EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1"); -+ EVP_add_digest_alias(SN_dsaWithSHA1, "dss1"); -+# endif -+# ifndef OPENSSL_NO_ECDSA -+ EVP_add_digest(EVP_ecdsa()); -+# endif -+ } -+#endif - 
#ifndef OPENSSL_NO_COMP - /* - * This will initialise the built-in compression algorithms. The value diff -Nru openssl-1.0.2g/debian/patches/openssl-1.0.2g-ubuntu-fips-cleanup.patch openssl-1.0.2g/debian/patches/openssl-1.0.2g-ubuntu-fips-cleanup.patch --- openssl-1.0.2g/debian/patches/openssl-1.0.2g-ubuntu-fips-cleanup.patch 2016-04-15 04:56:29.000000000 +0000 +++ openssl-1.0.2g/debian/patches/openssl-1.0.2g-ubuntu-fips-cleanup.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,3193 +0,0 @@ -commit f13fe282dfde82d0b079805beacd0ccf8905af3a -Author: Joy Latten -Date: Thu Apr 14 02:14:18 2016 -0500 - - 
From: Joy Latten - Description: [PATCH 6/6] Use upstream algorithms and cleanup compiler warnings. - Forwarded: not-needed - - Use the DSA, DSA2, error codes, and EC curves from upstream openssl for fips; - use fips_utl.h from upstream; remove fips prngs from Makefile since fips - no longer allows them; cleanup compiler warnings; add additional tests from - upstream to fips-test-suite. - -diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h -index 4abe46c..45e1472 100644 ---- a/crypto/dsa/dsa.h -+++ b/crypto/dsa/dsa.h -@@ -115,6 +115,7 @@ - */ - - # define DSA_FLAG_NON_FIPS_ALLOW 0x0400 -+#define DSA_FLAG_FIPS_CHECKED 0x0800 - - #ifdef __cplusplus - extern "C" { -@@ -268,20 +269,6 @@ int DSA_print_fp(FILE *bp, const DSA *x, int off); - DH *DSA_dup_DH(const DSA *r); - # endif - --# ifdef OPENSSL_FIPS --int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, -- const EVP_MD *evpmd, -- const unsigned char *seed_in, -- size_t seed_len, int *counter_ret, -- unsigned long *h_ret, BN_GENCB *cb); --int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits, -- const EVP_MD *evpmd, unsigned char *seed, -- int seed_len, BIGNUM **p_ret, BIGNUM **q_ret, -- int *counter_ret, BN_GENCB *cb); --int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q, BIGNUM **g_ret, -- unsigned long *h_ret, BN_GENCB *cb); --# endif -- - # define EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, nbits) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, \ - EVP_PKEY_CTRL_DSA_PARAMGEN_BITS, nbits, NULL) -@@ -304,14 +291,11 @@ void ERR_load_DSA_strings(void); - # define DSA_F_DO_DSA_PRINT 104 - # define DSA_F_DSAPARAMS_PRINT 100 - # define DSA_F_DSAPARAMS_PRINT_FP 101 --# define DSA_F_DSA_BUILTIN_KEYGEN 124 --# define DSA_F_DSA_BUILTIN_PARAMGEN 123 --# define DSA_F_DSA_BUILTIN_PARAMGEN2 226 -+# define DSA_F_DSA_BUILTIN_PARAMGEN2 126 - # define DSA_F_DSA_DO_SIGN 112 - # define DSA_F_DSA_DO_VERIFY 113 --# define DSA_F_DSA_GENERATE_KEY 126 --# define DSA_F_DSA_GENERATE_PARAMETERS_EX 127 
--# define DSA_F_DSA_GENERATE_PARAMETERS /* unused */ 125 -+# define DSA_F_DSA_GENERATE_KEY 124 -+# define DSA_F_DSA_GENERATE_PARAMETERS_EX 123 - # define DSA_F_DSA_NEW_METHOD 103 - # define DSA_F_DSA_PARAM_DECODE 119 - # define DSA_F_DSA_PRINT_FP 105 -@@ -329,6 +313,8 @@ void ERR_load_DSA_strings(void); - # define DSA_F_PKEY_DSA_CTRL 120 - # define DSA_F_PKEY_DSA_KEYGEN 121 - # define DSA_F_SIG_CB 114 -+# define DSA_F_DSA_BUILTIN_KEYGEN 200 -+# define DSA_F_DSA_BUILTIN_PARAMGEN 201 - - /* Reason codes. */ - # define DSA_R_BAD_Q_VALUE 102 -@@ -337,18 +323,16 @@ void ERR_load_DSA_strings(void); - # define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100 - # define DSA_R_DECODE_ERROR 104 - # define DSA_R_INVALID_DIGEST_TYPE 106 --# define DSA_R_INVALID_PARAMETERS 212 --# define DSA_R_KEY_SIZE_INVALID 113 --# define DSA_R_KEY_SIZE_TOO_SMALL 110 -+# define DSA_R_INVALID_PARAMETERS 112 - # define DSA_R_MISSING_PARAMETERS 101 - # define DSA_R_MODULUS_TOO_LARGE 103 --# define DSA_R_NEED_NEW_SETUP_VALUES 112 -+# define DSA_R_NEED_NEW_SETUP_VALUES 110 - # define DSA_R_NON_FIPS_DSA_METHOD 111 --# define DSA_R_NON_FIPS_METHOD 111 - # define DSA_R_NO_PARAMETERS_SET 107 --# define DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE /* unused */ 112 - # define DSA_R_PARAMETER_ENCODING_ERROR 105 - # define DSA_R_Q_NOT_PRIME 113 -+# define DSA_R_KEY_SIZE_INVALID 200 -+# define DSA_R_KEY_SIZE_TOO_SMALL 201 - - #ifdef __cplusplus - } -diff --git a/crypto/dsa/dsa_err.c b/crypto/dsa/dsa_err.c -index 5bae45c..1b67170 100644 ---- a/crypto/dsa/dsa_err.c -+++ b/crypto/dsa/dsa_err.c -@@ -111,8 +111,6 @@ static ERR_STRING_DATA DSA_str_reasons[] = { - {ERR_REASON(DSA_R_DECODE_ERROR), "decode error"}, - {ERR_REASON(DSA_R_INVALID_DIGEST_TYPE), "invalid digest type"}, - {ERR_REASON(DSA_R_INVALID_PARAMETERS), "invalid parameters"}, -- {ERR_REASON(DSA_R_KEY_SIZE_INVALID), "key size invalid"}, -- {ERR_REASON(DSA_R_KEY_SIZE_TOO_SMALL), "key size too small"}, - {ERR_REASON(DSA_R_MISSING_PARAMETERS), "missing 
parameters"}, - {ERR_REASON(DSA_R_MODULUS_TOO_LARGE), "modulus too large"}, - {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES), "need new setup values"}, -@@ -120,6 +118,8 @@ static ERR_STRING_DATA DSA_str_reasons[] = { - {ERR_REASON(DSA_R_NO_PARAMETERS_SET), "no parameters set"}, - {ERR_REASON(DSA_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"}, - {ERR_REASON(DSA_R_Q_NOT_PRIME), "q not prime"}, -+ {ERR_REASON(DSA_R_KEY_SIZE_INVALID), "key size invalid"}, -+ {ERR_REASON(DSA_R_KEY_SIZE_TOO_SMALL), "key size too small"}, - {0, NULL} - }; - -diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c -index ca86915..40a73bc 100644 ---- a/crypto/dsa/dsa_gen.c -+++ b/crypto/dsa/dsa_gen.c -@@ -84,21 +84,9 @@ - # include - # include - # include "dsa_locl.h" -- --# ifdef OPENSSL_FIPS --/* Workaround bug in prototype */ --# define fips_dsa_builtin_paramgen2 fips_dsa_paramgen_bad --# include --# endif -- --# ifndef OPENSSL_FIPS --static int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits, -- const EVP_MD *evpmd, unsigned char *seed, -- int seed_len, BIGNUM **p_ret, BIGNUM **q_ret, -- int *counter_ret, BN_GENCB *cb); --static int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q, -- BIGNUM **g_ret, unsigned long *h_ret, -- BN_GENCB *cb); -+#ifdef OPENSSL_FIPS -+#include -+#include - # endif - - int DSA_generate_parameters_ex(DSA *ret, int bits, -@@ -121,162 +109,97 @@ int DSA_generate_parameters_ex(DSA *ret, int bits, - size_t qbits = EVP_MD_size(evpmd) * 8; - - return dsa_builtin_paramgen(ret, bits, qbits, evpmd, -- seed_in, seed_len, counter_ret, -+ seed_in, seed_len, NULL, counter_ret, - h_ret, cb); - } - } - --# ifdef OPENSSL_FIPS --int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, -- const EVP_MD *evpmd, -- const unsigned char *seed_in, size_t seed_len, -- int *counter_ret, unsigned long *h_ret, -- BN_GENCB *cb) --{ -- return dsa_builtin_paramgen(ret, bits, qbits, -- evpmd, seed_in, seed_len, -- counter_ret, h_ret, cb); --} --# endif -- - 
int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, - const EVP_MD *evpmd, const unsigned char *seed_in, -- size_t seed_len, -+ size_t seed_len, unsigned char *seed_out, - int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) - { - int ok = 0; - unsigned char seed[SHA256_DIGEST_LENGTH]; -+ unsigned char md[SHA256_DIGEST_LENGTH]; -+ unsigned char buf[SHA256_DIGEST_LENGTH], buf2[SHA256_DIGEST_LENGTH]; -+ BIGNUM *r0, *W, *X, *c, *test; - BIGNUM *g = NULL, *q = NULL, *p = NULL; -- size_t qsize = qbits >> 3; -+ BN_MONT_CTX *mont = NULL; -+ int i, k, n = 0, m = 0, qsize = qbits >> 3; -+ int counter = 0; -+ int r = 0; - BN_CTX *ctx = NULL; -- --# ifdef OPENSSL_FIPS -+ unsigned int h = 2; -+#ifdef OPENSSL_FIPS - if (FIPS_selftest_failed()) { - FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN, FIPS_R_FIPS_SELFTEST_FAILED); - goto err; - } - -- if (FIPS_module_mode() && -- (getenv("OPENSSL_ENFORCE_MODULUS_BITS") || bits != 1024 -- || qbits != 160) && (bits != 2048 || qbits != 224) && (bits != 2048 -- || qbits != -- 256) -- && (bits != 3072 || qbits != 256)) { -- DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID); -- goto err; -- } --# endif -- if (seed_len && (seed_len < (size_t)qsize)) -- seed_in = NULL; /* seed buffer too small -- ignore */ -- if (seed_len > sizeof(seed)) -- seed_len = sizeof(seed); /* App. 
2.2 of FIPS PUB 186 allows larger SEED, -- * but our internal buffers are restricted to 256 bits*/ -- if (seed_in != NULL) -- memcpy(seed, seed_in, seed_len); -- else -- seed_len = 0; -- -- if ((ctx = BN_CTX_new()) == NULL) -- goto err; -- -- BN_CTX_start(ctx); -- -- if (!FIPS_dsa_generate_pq(ctx, bits, qbits, evpmd, -- seed, seed_len, &p, &q, counter_ret, cb)) -+ if (FIPS_module_mode() && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW) -+ && ((bits != 1024 || qbits != 160) && (bits != 2048 || qbits != 224) -+ && (bits != 2048 || qbits != 256) && (bits != 3072 || qbits != 256))) { -+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_TOO_SMALL); - goto err; -- -- if (!FIPS_dsa_generate_g(ctx, p, q, &g, h_ret, cb)) -- goto err; -- -- ok = 1; -- err: -- if (ok) { -- if (ret->p) { -- BN_free(ret->p); -- ret->p = NULL; -- } -- if (ret->q) { -- BN_free(ret->q); -- ret->q = NULL; -- } -- if (ret->g) { -- BN_free(ret->g); -- ret->g = NULL; -- } -- ret->p = BN_dup(p); -- ret->q = BN_dup(q); -- ret->g = BN_dup(g); -- if (ret->p == NULL || ret->q == NULL || ret->g == NULL) -- ok = 0; -- } -- if (ctx) { -- BN_CTX_end(ctx); -- BN_CTX_free(ctx); - } -- return ok; --} -- --# ifndef OPENSSL_FIPS --static --# endif --int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits, -- const EVP_MD *evpmd, unsigned char *seed, -- int seed_len, BIGNUM **p_ret, BIGNUM **q_ret, -- int *counter_ret, BN_GENCB *cb) --{ -- int ok = 0; -- unsigned char md[SHA256_DIGEST_LENGTH]; -- unsigned char buf[SHA256_DIGEST_LENGTH]; -- BIGNUM *r0, *W, *X, *c, *test; -- BIGNUM *q = NULL, *p = NULL; -- int i, k, b, n = 0, m = 0, qsize = qbits >> 3; -- int counter = 0; -- int r = 0; -- -+#endif - if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH && - qsize != SHA256_DIGEST_LENGTH) - /* invalid q size */ - return 0; - -- if (evpmd == NULL) { -- if (qbits <= 160) -+ if (evpmd == NULL) -+ /* use SHA1 as default */ - evpmd = EVP_sha1(); -- else if (qbits <= 224) -- evpmd = EVP_sha224(); -- else -- evpmd 
= EVP_sha256(); -- } - - if (bits < 512) - bits = 512; - - bits = (bits + 63) / 64 * 64; - -+ /* -+ * NB: seed_len == 0 is special case: copy generated seed to seed_in if -+ * it is not NULL. -+ */ -+ if (seed_len && (seed_len < (size_t)qsize)) -+ seed_in = NULL; /* seed buffer too small -- ignore */ -+ if (seed_len > (size_t)qsize) -+ seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger -+ * SEED, but our internal buffers are -+ * restricted to 160 bits */ -+ if (seed_in != NULL) -+ memcpy(seed, seed_in, seed_len); -+ -+ if ((mont = BN_MONT_CTX_new()) == NULL) -+ goto err; -+ -+ if ((ctx = BN_CTX_new()) == NULL) -+ goto err; -+ -+ BN_CTX_start(ctx); -+ - r0 = BN_CTX_get(ctx); -+ g = BN_CTX_get(ctx); - W = BN_CTX_get(ctx); -- *q_ret = q = BN_CTX_get(ctx); -+ q = BN_CTX_get(ctx); - X = BN_CTX_get(ctx); - c = BN_CTX_get(ctx); -- *p_ret = p = BN_CTX_get(ctx); -+ p = BN_CTX_get(ctx); - test = BN_CTX_get(ctx); - - if (!BN_lshift(test, BN_value_one(), bits - 1)) - goto err; - -- /* step 3 n = \lceil bits / qbits \rceil - 1 */ -- n = (bits + qbits - 1) / qbits - 1; -- /* step 4 b = bits - 1 - n * qbits */ -- b = bits - 1 - n * qbits; -- - for (;;) { - for (;;) { /* find q */ - int seed_is_random; - -- /* step 5 generate seed */ -+ /* step 1 */ - if (!BN_GENCB_call(cb, 0, m++)) - goto err; - -- if (!seed_len) { -+ if (!seed_len || !seed_in) { - if (RAND_pseudo_bytes(seed, qsize) < 0) - goto err; - seed_is_random = 1; -@@ -286,18 +209,29 @@ int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits, - * be bad */ - } - memcpy(buf, seed, qsize); -+ memcpy(buf2, seed, qsize); -+ /* precompute "SEED + 1" for step 7: */ -+ for (i = qsize - 1; i >= 0; i--) { -+ buf[i]++; -+ if (buf[i] != 0) -+ break; -+ } - -- /* step 6 U = hash(seed) */ -+ /* step 2 */ - if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL)) - goto err; -+ if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL)) -+ goto err; -+ for (i = 0; i < qsize; i++) -+ md[i] ^= buf2[i]; - -- /* step 7 q = 
2^(qbits-1) + U + 1 - (U mod 2) */ -+ /* step 3 */ - md[0] |= 0x80; - md[qsize - 1] |= 0x01; - if (!BN_bin2bn(md, qsize, q)) - goto err; - -- /* step 8 test for prime (64 round of Rabin-Miller) */ -+ /* step 4 */ - r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, - seed_is_random, cb); - if (r > 0) -@@ -305,6 +239,8 @@ int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits, - if (r != 0) - goto err; - -+ /* do a callback call */ -+ /* step 5 */ - } - - if (!BN_GENCB_call(cb, 2, 0)) -@@ -312,16 +248,19 @@ int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits, - if (!BN_GENCB_call(cb, 3, 0)) - goto err; - -- /* step 11 */ -+ /* step 6 */ - counter = 0; -- /* "offset = 1" */ -+ /* "offset = 2" */ -+ -+ n = (bits - 1) / 160; - - for (;;) { - if ((counter != 0) && !BN_GENCB_call(cb, 0, counter)) - goto err; - -- /* step 11.1, 11.2 obtain W */ -+ /* step 7 */ - BN_zero(W); -+ /* now 'buf' contains "SEED + offset - 1" */ - for (k = 0; k <= n; k++) { - /* - * obtain "SEED + offset + k" by incrementing: -@@ -335,37 +274,36 @@ int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits, - if (!EVP_Digest(buf, qsize, md, NULL, evpmd, NULL)) - goto err; - -+ /* step 8 */ - if (!BN_bin2bn(md, qsize, r0)) - goto err; -- if (k == n) -- BN_mask_bits(r0, b); -- if (!BN_lshift(r0, r0, qbits * k)) -+ if (!BN_lshift(r0, r0, (qsize << 3) * k)) - goto err; - if (!BN_add(W, W, r0)) - goto err; - } - -- /* step 11.3 X = W + 2^(L-1) */ -+ /* more of step 8 */ -+ if (!BN_mask_bits(W, bits - 1)) -+ goto err; - if (!BN_copy(X, W)) - goto err; - if (!BN_add(X, X, test)) - goto err; - -- /* step 11.4 c = X mod 2*q */ -+ /* step 9 */ - if (!BN_lshift1(r0, q)) - goto err; - if (!BN_mod(c, X, r0, ctx)) - goto err; -- -- /* step 11.5 p = X - (c - 1) */ - if (!BN_sub(r0, c, BN_value_one())) - goto err; - if (!BN_sub(p, X, r0)) - goto err; - -- /* step 11.6 */ -+ /* step 10 */ - if (BN_cmp(p, test) >= 0) { -- /* step 11.7 */ -+ /* step 11 */ - r = 
BN_is_prime_fasttest_ex(p, DSS_prime_checks, ctx, 1, cb); - if (r > 0) - goto end; /* found it */ -@@ -373,12 +311,12 @@ int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits, - goto err; - } - -- /* step 11.9 */ -+ /* step 13 */ - counter++; - /* "offset = offset + n + 1" */ - -- /* step 12 */ -- if (counter >= 4 * bits) -+ /* step 14 */ -+ if (counter >= 4096) - break; - } - } -@@ -386,33 +324,7 @@ int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits, - if (!BN_GENCB_call(cb, 2, 1)) - goto err; - -- ok = 1; -- err: -- if (ok) { -- if (counter_ret != NULL) -- *counter_ret = counter; -- } -- return ok; --} -- --# ifndef OPENSSL_FIPS --static --# endif --int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q, -- BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb) --{ -- int ok = 0; -- BIGNUM *r0, *test, *g = NULL; -- BN_MONT_CTX *mont; -- unsigned int h = 2; -- -- if ((mont = BN_MONT_CTX_new()) == NULL) -- goto err; -- -- r0 = BN_CTX_get(ctx); -- *g_ret = g = BN_CTX_get(ctx); -- test = BN_CTX_get(ctx); -- -+ /* We now need to generate g */ - /* Set r0=(p-1)/q */ - if (!BN_sub(test, p, BN_value_one())) - goto err; -@@ -441,14 +353,106 @@ int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q, - ok = 1; - err: - if (ok) { -+ if (ret->p) -+ BN_free(ret->p); -+ if (ret->q) -+ BN_free(ret->q); -+ if (ret->g) -+ BN_free(ret->g); -+ ret->p = BN_dup(p); -+ ret->q = BN_dup(q); -+ ret->g = BN_dup(g); -+ if (ret->p == NULL || ret->q == NULL || ret->g == NULL) { -+ ok = 0; -+ goto err; -+ } -+ if (counter_ret != NULL) -+ *counter_ret = counter; - if (h_ret != NULL) - *h_ret = h; -+ if (seed_out) -+ memcpy(seed_out, seed, qsize); -+ } -+ if (ctx) { -+ BN_CTX_end(ctx); -+ BN_CTX_free(ctx); - } - if (mont != NULL) - BN_MONT_CTX_free(mont); - return ok; - } - -+#ifdef OPENSSL_FIPS -+ -+/* Security strength of parameter values for (L,N): see FIPS186-3 4.2 -+ * and SP800-131A -+ */ -+ -+static int fips_ffc_strength(size_t L, size_t N) -+{ -+ if (L >= 15360 
&& N >= 512) -+ return 256; -+ if (L >= 7680 && N >= 384) -+ return 192; -+ if (L >= 3072 && N >= 256) -+ return 128; -+ if (L >= 2048 && N >= 224) -+ return 112; -+ if (L >= 1024 && N >= 160) -+ return 80; -+ return 0; -+} -+ -+/* Valid DSA2 parameters from FIPS 186-3 */ -+ -+static int dsa2_valid_parameters(size_t L, size_t N) -+{ -+ if (L == 1024 && N == 160) -+ return 80; -+ if (L == 2048 && N == 224) -+ return 112; -+ if (L == 2048 && N == 256) -+ return 112; -+ if (L == 3072 && N == 256) -+ return 128; -+ return 0; -+} -+ -+int fips_check_dsa_prng(DSA *dsa, size_t L, size_t N) -+{ -+ int strength; -+ -+ if (!FIPS_module_mode()) -+ return 1; -+ -+ if (dsa->flags & (DSA_FLAG_NON_FIPS_ALLOW|DSA_FLAG_FIPS_CHECKED)) -+ return 1; -+ -+ if (!L || !N) { -+ L = BN_num_bits(dsa->p); -+ N = BN_num_bits(dsa->q); -+ } -+ if (!dsa2_valid_parameters(L, N)) { -+ FIPSerr(FIPS_F_FIPS_CHECK_DSA_PRNG, FIPS_R_INVALID_PARAMETERS); -+ return 0; -+ } -+ -+ strength = fips_ffc_strength(L, N); -+ -+ if (!strength) { -+ FIPSerr(FIPS_F_FIPS_CHECK_DSA_PRNG,FIPS_R_KEY_TOO_SHORT); -+ return 0; -+ } -+ -+ if (FIPS_rand_strength() >= strength) -+ return 1; -+ -+ FIPSerr(FIPS_F_FIPS_CHECK_DSA_PRNG,FIPS_R_PRNG_STRENGTH_TOO_LOW); -+ return 0; -+ -+} -+#endif /* OPENSSL_FIPS */ -+ - /* - * This is a parameter generation algorithm for the DSA2 algorithm as - * described in FIPS 186-3. 
-@@ -474,6 +478,17 @@ int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, - EVP_MD_CTX mctx; - unsigned int h = 2; - -+# ifdef OPENSSL_FIPS -+ -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN2, FIPS_R_FIPS_SELFTEST_FAILED); -+ goto err; -+ } -+ -+ if (!fips_check_dsa_prng(ret, L, N)) -+ goto err; -+# endif -+ - EVP_MD_CTX_init(&mctx); - - if (evpmd == NULL) { -diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c -index f235fce..2d96c99 100644 ---- a/crypto/dsa/dsa_key.c -+++ b/crypto/dsa/dsa_key.c -@@ -70,7 +70,7 @@ - - static int fips_check_dsa(DSA *dsa) - { -- EVP_PKEY *pk; -+ EVP_PKEY *pk = NULL; - unsigned char tbs[] = "DSA Pairwise Check Data"; - int ret = 0; - -@@ -101,7 +101,7 @@ static int dsa_builtin_keygen(DSA *dsa); - int DSA_generate_key(DSA *dsa) - { - # ifdef OPENSSL_FIPS -- if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD) -+ if (FIPS_module_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD) - && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) { - DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD); - return 0; -@@ -119,11 +119,14 @@ static int dsa_builtin_keygen(DSA *dsa) - BIGNUM *pub_key = NULL, *priv_key = NULL; - - # ifdef OPENSSL_FIPS -- if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) -+ if (FIPS_module_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) - && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN)) { - DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL); - goto err; - } -+ -+ if (!fips_check_dsa_prng(dsa, 0, 0)) -+ goto err; - # endif - - if ((ctx = BN_CTX_new()) == NULL) -diff --git a/crypto/dsa/dsa_locl.h b/crypto/dsa/dsa_locl.h -index f4f54fc..9c23c3e 100644 ---- a/crypto/dsa/dsa_locl.h -+++ b/crypto/dsa/dsa_locl.h -@@ -56,7 +56,7 @@ - - int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, - const EVP_MD *evpmd, const unsigned char *seed_in, -- size_t seed_len, -+ size_t seed_len, unsigned char *seed_out, - int *counter_ret, unsigned long *h_ret, - 
BN_GENCB *cb); - -diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c -index 12c4a06..816ec91 100644 ---- a/crypto/dsa/dsa_ossl.c -+++ b/crypto/dsa/dsa_ossl.c -@@ -154,6 +154,9 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) - DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL); - return NULL; - } -+ -+ if (!fips_check_dsa_prng(dsa, 0, 0)) -+ goto err; - #endif - - BN_init(&m); -diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c -index 5c22962..42b8bb0 100644 ---- a/crypto/dsa/dsa_pmeth.c -+++ b/crypto/dsa/dsa_pmeth.c -@@ -253,7 +253,7 @@ static int pkey_dsa_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) - if (!dsa) - return 0; - ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd, -- NULL, 0, NULL, NULL, pcb); -+ NULL, 0, NULL, NULL, NULL, pcb); - if (ret) - EVP_PKEY_assign_DSA(pkey, dsa); - else -diff --git a/crypto/dsa/dsatest.c b/crypto/dsa/dsatest.c -index a71973b..8a224a8 100644 ---- a/crypto/dsa/dsatest.c -+++ b/crypto/dsa/dsatest.c -@@ -100,41 +100,36 @@ static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *arg); - * PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 - */ - static unsigned char seed[20] = { -- 0x02, 0x47, 0x11, 0x92, 0x11, 0x88, 0xC8, 0xFB, 0xAF, 0x48, 0x4C, 0x62, -- 0xDF, 0xA5, 0xBE, 0xA0, 0xA4, 0x3C, 0x56, 0xE3, -+ 0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8, 0xb6, 0x21, 0x1b, 0x40, -+ 0x62, 0xba, 0x32, 0x24, 0xe0, 0x42, 0x7d, 0xd3, - }; - - static unsigned char out_p[] = { -- 0xAC, 0xCB, 0x1E, 0x63, 0x60, 0x69, 0x0C, 0xFB, 0x06, 0x19, 0x68, 0x3E, -- 0xA5, 0x01, 0x5A, 0xA2, 0x15, 0x5C, 0xE2, 0x99, 0x2D, 0xD5, 0x30, 0x99, -- 0x7E, 0x5F, 0x8D, 0xE2, 0xF7, 0xC6, 0x2E, 0x8D, 0xA3, 0x9F, 0x58, 0xAD, -- 0xD6, 0xA9, 0x7D, 0x0E, 0x0D, 0x95, 0x53, 0xA6, 0x71, 0x3A, 0xDE, 0xAB, -- 0xAC, 0xE9, 0xF4, 0x36, 0x55, 0x9E, 0xB9, 0xD6, 0x93, 0xBF, 0xF3, 0x18, -- 0x1C, 0x14, 0x7B, 0xA5, 0x42, 0x2E, 0xCD, 0x00, 0xEB, 0x35, 0x3B, 0x1B, -- 0xA8, 0x51, 0xBB, 0xE1, 0x58, 0x42, 0x85, 0x84, 0x22, 
0xA7, 0x97, 0x5E, -- 0x99, 0x6F, 0x38, 0x20, 0xBD, 0x9D, 0xB6, 0xD9, 0x33, 0x37, 0x2A, 0xFD, -- 0xBB, 0xD4, 0xBC, 0x0C, 0x2A, 0x67, 0xCB, 0x9F, 0xBB, 0xDF, 0xF9, 0x93, -- 0xAA, 0xD6, 0xF0, 0xD6, 0x95, 0x0B, 0x5D, 0x65, 0x14, 0xD0, 0x18, 0x9D, -- 0xC6, 0xAF, 0xF0, 0xC6, 0x37, 0x7C, 0xF3, 0x5F, -+ 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76, 0xaa, -+ 0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69, 0xcb, -+ 0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c, 0xf7, -+ 0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82, 0xe5, -+ 0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e, 0xaf, -+ 0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a, 0xac, -+ 0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24, 0xc2, -+ 0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02, 0x91, - }; - - static unsigned char out_q[] = { -- 0xE3, 0x8E, 0x5E, 0x6D, 0xBF, 0x2B, 0x79, 0xF8, 0xC5, 0x4B, 0x89, 0x8B, -- 0xBA, 0x2D, 0x91, 0xC3, 0x6C, 0x80, 0xAC, 0x87, -+ 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8, 0xee, -+ 0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4, 0x8e, -+ 0xda, 0xce, 0x91, 0x5f, - }; - - static unsigned char out_g[] = { -- 0x42, 0x4A, 0x04, 0x4E, 0x79, 0xB4, 0x99, 0x7F, 0xFD, 0x58, 0x36, 0x2C, -- 0x1B, 0x5F, 0x18, 0x7E, 0x0D, 0xCC, 0xAB, 0x81, 0xC9, 0x5D, 0x10, 0xCE, -- 0x4E, 0x80, 0x7E, 0x58, 0xB4, 0x34, 0x3F, 0xA7, 0x45, 0xC7, 0xAA, 0x36, -- 0x24, 0x42, 0xA9, 0x3B, 0xE8, 0x0E, 0x04, 0x02, 0x2D, 0xFB, 0xA6, 0x13, -- 0xB9, 0xB5, 0x15, 0xA5, 0x56, 0x07, 0x35, 0xE4, 0x03, 0xB6, 0x79, 0x7C, -- 0x62, 0xDD, 0xDF, 0x3F, 0x71, 0x3A, 0x9D, 0x8B, 0xC4, 0xF6, 0xE7, 0x1D, -- 0x52, 0xA8, 0xA9, 0x43, 0x1D, 0x33, 0x51, 0x88, 0x39, 0xBD, 0x73, 0xE9, -- 0x5F, 0xBE, 0x82, 0x49, 0x27, 0xE6, 0xB5, 0x53, 0xC1, 0x38, 0xAC, 0x2F, -- 0x6D, 0x97, 0x6C, 0xEB, 0x67, 0xC1, 0x5F, 0x67, 0xF8, 0x35, 0x05, 0x5E, -- 0xD5, 0x68, 0x80, 0xAA, 0x96, 0xCA, 0x0B, 0x8A, 0xE6, 0xF1, 0xB1, 0x41, -- 0xC6, 0x75, 0x94, 0x0A, 0x0A, 0x2A, 0xFA, 0x29, -+ 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, 0x13, -+ 0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5, 0x00, -+ 0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef, 0xcb, -+ 
0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c, 0x2e, -+ 0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba, 0xbf, -+ 0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c, 0x9c, -+ 0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08, 0x8c, -+ 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88, 0x02, - }; - - static const unsigned char str1[] = "12345678901234567890"; -@@ -167,7 +162,7 @@ int main(int argc, char **argv) - BIO_printf(bio_err, "test generation of DSA parameters\n"); - - BN_GENCB_set(&cb, dsa_cb, bio_err); -- if (((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 1024, -+ if (((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512, - seed, 20, - &counter, - &h, &cb)) -@@ -181,8 +176,8 @@ int main(int argc, char **argv) - BIO_printf(bio_err, "\ncounter=%d h=%ld\n", counter, h); - - DSA_print(bio_err, dsa, 0); -- if (counter != 239) { -- BIO_printf(bio_err, "counter should be 239\n"); -+ if (counter != 105) { -+ BIO_printf(bio_err, "counter should be 105\n"); - goto end; - } - if (h != 2) { -diff --git a/crypto/ec/ec2_smpl.c b/crypto/ec/ec2_smpl.c -index 5b27b91..d5cb4a9 100644 ---- a/crypto/ec/ec2_smpl.c -+++ b/crypto/ec/ec2_smpl.c -@@ -73,10 +73,6 @@ - - #ifndef OPENSSL_NO_EC2M - --# ifdef OPENSSL_FIPS --# include --# endif -- - const EC_METHOD *EC_GF2m_simple_method(void) - { - static const EC_METHOD ret = { -@@ -124,11 +120,6 @@ const EC_METHOD *EC_GF2m_simple_method(void) - 0 /* field_set_to_one */ - }; - --# ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return fips_ec_gf2m_simple_method(); --# endif -- - return &ret; - } - -diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c -index 6dbe9d8..81846ec 100644 ---- a/crypto/ec/ec_curve.c -+++ b/crypto/ec/ec_curve.c -@@ -75,10 +75,6 @@ - #include - #include - --#ifdef OPENSSL_FIPS --# include --#endif -- - typedef struct { - int field_type, /* either NID_X9_62_prime_field or - * NID_X9_62_characteristic_two_field */ -@@ -3162,10 +3158,6 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int nid) - size_t i; - EC_GROUP *ret = NULL; - 
--#ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return FIPS_ec_group_new_by_curve_name(nid); --#endif - if (nid <= 0) - return NULL; - -diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c -index b0e69cb..6edb60a 100644 ---- a/crypto/ec/ecp_smpl.c -+++ b/crypto/ec/ecp_smpl.c -@@ -178,11 +178,6 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group, - return 0; - } - -- if (BN_num_bits(p) < 256) { -- ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD); -- return 0; -- } -- - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) -diff --git a/crypto/ecdh/ecdhtest.c b/crypto/ecdh/ecdhtest.c -index 4d6594a..5ddb745 100644 ---- a/crypto/ecdh/ecdhtest.c -+++ b/crypto/ecdh/ecdhtest.c -@@ -382,6 +382,7 @@ static const unsigned char bp512_Z[] = { - - /* Given private value and NID, create EC_KEY structure */ - -+#if 0 - static EC_KEY *mk_eckey(int nid, const unsigned char *p, size_t plen) - { - int ok = 0; -@@ -469,6 +470,7 @@ static int ecdh_kat(BIO *out, const char *cname, int nid, - } - return rv; - } -+#endif - - # define test_ecdh_kat(bio, curve, bits) \ - ecdh_kat(bio, curve, NID_brainpoolP##bits##r1, \ -diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h -index 2c34f51..55d9bd1 100644 ---- a/crypto/evp/evp.h -+++ b/crypto/evp/evp.h -@@ -366,15 +366,15 @@ struct evp_cipher_st { - /* cipher handles random key generation */ - # define EVP_CIPH_RAND_KEY 0x200 - /* cipher has its own additional copying logic */ --# define EVP_CIPH_CUSTOM_COPY 0x4000 -+# define EVP_CIPH_CUSTOM_COPY 0x400 - /* Allow use default ASN1 get/set iv */ - # define EVP_CIPH_FLAG_DEFAULT_ASN1 0x1000 - /* Buffer length in bits not bytes: CFB1 mode only */ - # define EVP_CIPH_FLAG_LENGTH_BITS 0x2000 - /* Note if suitable for use in FIPS mode */ --# define EVP_CIPH_FLAG_FIPS 0x400 -+# define EVP_CIPH_FLAG_FIPS 0x4000 - /* Allow non FIPS cipher in FIPS mode */ --# define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x800 -+# define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x8000 - /* - * Cipher handles 
any and all padding logic as well as finalisation. - */ -diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c -index 891a3c7..cb368a2 100644 ---- a/crypto/evp/evp_enc.c -+++ b/crypto/evp/evp_enc.c -@@ -87,7 +87,7 @@ static int bad_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, - } - - static int bad_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, -- const unsigned char *in, unsigned int inl) -+ const unsigned char *in, size_t inl) - { - FIPS_ERROR_IGNORED("Cipher update"); - return 0; -diff --git a/crypto/fips/Makefile b/crypto/fips/Makefile -index 8d4bf9a..3fef7c9 100644 ---- a/crypto/fips/Makefile -+++ b/crypto/fips/Makefile -@@ -13,21 +13,21 @@ AR= ar r - CFLAGS= $(INCLUDES) $(CFLAG) - - GENERAL=Makefile --TEST=fips_test_suite.c fips_randtest.c -+TEST=fips_test_suite.c - APPS= - --PROGRAM= fips_standalone_hmac -+#PROGRAM= fips_standalone_hmac - EXE= $(PROGRAM)$(EXE_EXT) - - LIB=$(TOP)/libcrypto.a --LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_selftest.c \ -+LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c \ - fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \ - fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ - fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ - fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c \ - fips_dh_selftest.c - --LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \ -+LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o \ - fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \ - fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \ - fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \ -@@ -36,7 +36,8 @@ LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_se - - LIBCRYPTO=-L.. 
-lcrypto - --SRC= $(LIBSRC) fips_standalone_hmac.c -+#SRC= $(LIBSRC) fips_standalone_hmac.c -+SRC= $(LIBSRC) - - EXHEADER= fips.h fips_rand.h - HEADER= $(EXHEADER) -diff --git a/crypto/fips/fips.c b/crypto/fips/fips.c -index c4602e2..2a63bd5 100644 ---- a/crypto/fips/fips.c -+++ b/crypto/fips/fips.c -@@ -371,21 +371,6 @@ static int verify_checksums(void) - return 1; - } - --# ifndef FIPS_MODULE_PATH --# define FIPS_MODULE_PATH "/etc/system-fips" --# endif -- --int FIPS_module_installed(void) --{ -- int rv; -- rv = access(FIPS_MODULE_PATH, F_OK); -- if (rv < 0 && errno != ENOENT) -- rv = 0; -- -- /* Installed == true */ -- return !rv; --} -- - int FIPS_module_mode_set(int onoff, const char *auth) - { - int ret = 0; -@@ -418,6 +403,8 @@ int FIPS_module_mode_set(int onoff, const char *auth) - ret = 0; - goto end; - } -+ OPENSSL_ia32cap_P[0] |= (1<<28); /* set "shared cache" */ -+ OPENSSL_ia32cap_P[1] &= ~(1<<(60-32)); /* clear AVX */ - } - # endif - -@@ -443,6 +430,7 @@ int FIPS_module_mode_set(int onoff, const char *auth) - fips_selftest_fail = 0; - ret = 1; - end: -+ ERR_clear_error(); /* clear above err msg; fips mode disabled for now */ - fips_clear_owning_thread(); - fips_w_unlock(); - return ret; -diff --git a/crypto/fips/fips.h b/crypto/fips/fips.h -index 8c9be43..d39204d 100644 ---- a/crypto/fips/fips.h -+++ b/crypto/fips/fips.h -@@ -92,7 +92,6 @@ extern "C" { - void FIPS_corrupt_rsa_keygen(void); - int FIPS_selftest_rsa(void); - void FIPS_corrupt_dsa(void); -- void FIPS_corrupt_dsa_keygen(void); - int FIPS_selftest_dsa(void); - int FIPS_selftest_ecdsa(void); - int FIPS_selftest_ecdh(void); -@@ -110,6 +109,9 @@ extern "C" { - - void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr); - -+int fips_check_rsa(struct rsa_st *rsa); -+int fips_check_dsa_prng(struct dsa_st *dsa, size_t L, size_t N); -+ - # define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \ - alg " previous FIPS forbidden algorithm error ignored"); - -@@ -146,116 +148,110 @@ extern 
"C" {
- # define FIPS_F_DH_INIT 148
- # define FIPS_F_DRBG_RESEED 162
- # define FIPS_F_DSA_BUILTIN_PARAMGEN 101
--# define FIPS_F_DSA_BUILTIN_PARAMGEN2 107
--# define FIPS_F_DSA_DO_SIGN 102
--# define FIPS_F_DSA_DO_VERIFY 103
-+# define FIPS_F_DSA_BUILTIN_PARAMGEN2 102
-+# define FIPS_F_DSA_DO_SIGN 103
-+# define FIPS_F_DSA_DO_VERIFY 104
- # define FIPS_F_ECDH_COMPUTE_KEY 163
- # define FIPS_F_ECDSA_DO_SIGN 164
- # define FIPS_F_ECDSA_DO_VERIFY 165
- # define FIPS_F_EC_KEY_GENERATE_KEY 166
--# define FIPS_F_EVP_CIPHERINIT_EX 124
--# define FIPS_F_EVP_DIGESTINIT_EX 125
--# define FIPS_F_FIPS_CHECK_DSA 104
-+# define FIPS_F_FIPS_CHECK_DSA 105
- # define FIPS_F_FIPS_CHECK_DSA_PRNG 151
--# define FIPS_F_FIPS_CHECK_EC 142
-+# define FIPS_F_FIPS_CHECK_EC 106
- # define FIPS_F_FIPS_CHECK_EC_PRNG 152
--# define FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT 105
--# define FIPS_F_FIPS_CHECK_RSA 106
-+# define FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT 107
-+# define FIPS_F_FIPS_CHECK_RSA 108
- # define FIPS_F_FIPS_CHECK_RSA_PRNG 150
- # define FIPS_F_FIPS_CIPHER 160
--# define FIPS_F_FIPS_CIPHERINIT 143
-+# define FIPS_F_FIPS_CIPHERINIT 109
- # define FIPS_F_FIPS_CIPHER_CTX_CTRL 161
- # define FIPS_F_FIPS_DIGESTFINAL 158
--# define FIPS_F_FIPS_DIGESTINIT 128
-+# define FIPS_F_FIPS_DIGESTINIT 110
- # define FIPS_F_FIPS_DIGESTUPDATE 159
--# define FIPS_F_FIPS_DRBG_BYTES 131
-+# define FIPS_F_FIPS_DRBG_BYTES 111
- # define FIPS_F_FIPS_DRBG_CHECK 146
--# define FIPS_F_FIPS_DRBG_CPRNG_TEST 132
--# define FIPS_F_FIPS_DRBG_ERROR_CHECK 136
--# define FIPS_F_FIPS_DRBG_GENERATE 134
--# define FIPS_F_FIPS_DRBG_INIT 135
--# define FIPS_F_FIPS_DRBG_INSTANTIATE 138
--# define FIPS_F_FIPS_DRBG_NEW 139
--# define FIPS_F_FIPS_DRBG_RESEED 140
--# define FIPS_F_FIPS_DRBG_SINGLE_KAT 141
--# define FIPS_F_FIPS_DSA_CHECK /* unused */ 107
-+# define FIPS_F_FIPS_DRBG_CPRNG_TEST 112
-+# define FIPS_F_FIPS_DRBG_ERROR_CHECK 114
-+# define FIPS_F_FIPS_DRBG_GENERATE 113
-+# define FIPS_F_FIPS_DRBG_INIT 115
-+# define FIPS_F_FIPS_DRBG_INSTANTIATE 116
-+# define FIPS_F_FIPS_DRBG_NEW 117
-+# define FIPS_F_FIPS_DRBG_RESEED 118
-+# define FIPS_F_FIPS_DRBG_SINGLE_KAT 119
- # define FIPS_F_FIPS_DSA_SIGN_DIGEST 154
- # define FIPS_F_FIPS_DSA_VERIFY_DIGEST 155
- # define FIPS_F_FIPS_GET_ENTROPY 147
--# define FIPS_F_FIPS_MODE_SET /* unused */ 108
--# define FIPS_F_FIPS_MODULE_MODE_SET 108
--# define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109
--# define FIPS_F_FIPS_RAND_ADD 137
--# define FIPS_F_FIPS_RAND_BYTES 122
--# define FIPS_F_FIPS_RAND_PSEUDO_BYTES 167
--# define FIPS_F_FIPS_RAND_SEED 168
-+# define FIPS_F_FIPS_MODULE_MODE_SET 120
-+# define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 121
-+# define FIPS_F_FIPS_RAND_ADD 122
-+# define FIPS_F_FIPS_RAND_BYTES 123
-+# define FIPS_F_FIPS_RAND_PSEUDO_BYTES 124
-+# define FIPS_F_FIPS_RAND_SEED 125
- # define FIPS_F_FIPS_RAND_SET_METHOD 126
- # define FIPS_F_FIPS_RAND_STATUS 127
- # define FIPS_F_FIPS_RSA_SIGN_DIGEST 156
- # define FIPS_F_FIPS_RSA_VERIFY_DIGEST 157
--# define FIPS_F_FIPS_SELFTEST_AES 110
-+# define FIPS_F_FIPS_SELFTEST_AES 128
- # define FIPS_F_FIPS_SELFTEST_AES_CCM 145
- # define FIPS_F_FIPS_SELFTEST_AES_GCM 129
- # define FIPS_F_FIPS_SELFTEST_AES_XTS 144
- # define FIPS_F_FIPS_SELFTEST_CMAC 130
--# define FIPS_F_FIPS_SELFTEST_DES 111
--# define FIPS_F_FIPS_SELFTEST_DSA 112
-+# define FIPS_F_FIPS_SELFTEST_DES 131
-+# define FIPS_F_FIPS_SELFTEST_DSA 132
- # define FIPS_F_FIPS_SELFTEST_ECDSA 133
--# define FIPS_F_FIPS_SELFTEST_HMAC 113
--# define FIPS_F_FIPS_SELFTEST_RNG /* unused */ 114
--# define FIPS_F_FIPS_SELFTEST_SHA1 115
--# define FIPS_F_FIPS_SELFTEST_X931 114
-+# define FIPS_F_FIPS_SELFTEST_HMAC 134
-+# define FIPS_F_FIPS_SELFTEST_SHA1 135
-+# define FIPS_F_FIPS_SELFTEST_X931 136
- # define FIPS_F_FIPS_SET_PRNG_KEY 153
--# define FIPS_F_HASH_FINAL 123
--# define FIPS_F_RSA_BUILTIN_KEYGEN 116
-+# define FIPS_F_HASH_FINAL 137
-+# define FIPS_F_RSA_BUILTIN_KEYGEN 138
- # define FIPS_F_RSA_EAY_INIT 149
--# define FIPS_F_RSA_EAY_PRIVATE_DECRYPT 117
--# define FIPS_F_RSA_EAY_PRIVATE_ENCRYPT 118
--# define FIPS_F_RSA_EAY_PUBLIC_DECRYPT 119
--# define FIPS_F_RSA_EAY_PUBLIC_ENCRYPT 120
--# define FIPS_F_RSA_X931_GENERATE_KEY_EX 121
--# define FIPS_F_SSLEAY_RAND_BYTES /* unused */ 122
-+# define FIPS_F_RSA_EAY_PRIVATE_DECRYPT 139
-+# define FIPS_F_RSA_EAY_PRIVATE_ENCRYPT 140
-+# define FIPS_F_RSA_EAY_PUBLIC_DECRYPT 141
-+# define FIPS_F_RSA_EAY_PUBLIC_ENCRYPT 142
-+# define FIPS_F_RSA_X931_GENERATE_KEY_EX 143
-+# define FIPS_F_EVP_CIPHERINIT_EX 200
-+# define FIPS_F_EVP_DIGESTINIT_EX 201
-+# define FIPS_F_FIPS_SELFTEST_SHA2 202
- 
- /* Reason codes. */
- # define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 150
--# define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 125
--# define FIPS_R_ALREADY_INSTANTIATED 134
-+# define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 100
-+# define FIPS_R_ALREADY_INSTANTIATED 101
- # define FIPS_R_AUTHENTICATION_FAILURE 151
--# define FIPS_R_CANNOT_READ_EXE /* unused */ 103
--# define FIPS_R_CANNOT_READ_EXE_DIGEST /* unused */ 104
--# define FIPS_R_CONTRADICTING_EVIDENCE 114
-+# define FIPS_R_CONTRADICTING_EVIDENCE 102
- # define FIPS_R_DRBG_NOT_INITIALISED 152
- # define FIPS_R_DRBG_STUCK 103
- # define FIPS_R_ENTROPY_ERROR_UNDETECTED 104
- # define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105
- # define FIPS_R_ENTROPY_SOURCE_STUCK 142
--# define FIPS_R_ERROR_INITIALISING_DRBG 115
--# define FIPS_R_ERROR_INSTANTIATING_DRBG 127
--# define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 124
--# define FIPS_R_ERROR_RETRIEVING_ENTROPY 122
--# define FIPS_R_ERROR_RETRIEVING_NONCE 140
--# define FIPS_R_EXE_DIGEST_DOES_NOT_MATCH /* unused */ 105
--# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 110
--# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED 111
--# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING 112
--# define FIPS_R_FIPS_MODE_ALREADY_SET 102
--# define FIPS_R_FIPS_SELFTEST_FAILED 106
-+# define FIPS_R_ERROR_INITIALISING_DRBG 106
-+# define FIPS_R_ERROR_INSTANTIATING_DRBG 107
-+# define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 108
-+# define FIPS_R_ERROR_RETRIEVING_ENTROPY 109
-+# define FIPS_R_ERROR_RETRIEVING_NONCE 110
-+# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 111
-+# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED 112
-+# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING 113
-+# define FIPS_R_FIPS_MODE_ALREADY_SET 114
-+# define FIPS_R_FIPS_SELFTEST_FAILED 115
- # define FIPS_R_FUNCTION_ERROR 116
--# define FIPS_R_GENERATE_ERROR 137
-+# define FIPS_R_GENERATE_ERROR 117
- # define FIPS_R_GENERATE_ERROR_UNDETECTED 118
- # define FIPS_R_INSTANTIATE_ERROR 119
- # define FIPS_R_INSUFFICIENT_SECURITY_STRENGTH 120
- # define FIPS_R_INTERNAL_ERROR 121
--# define FIPS_R_INVALID_KEY_LENGTH 109
-+# define FIPS_R_INVALID_KEY_LENGTH 122
- # define FIPS_R_INVALID_PARAMETERS 144
- # define FIPS_R_IN_ERROR_STATE 123
--# define FIPS_R_KEY_TOO_SHORT 108
-+# define FIPS_R_KEY_TOO_SHORT 124
- # define FIPS_R_NONCE_ERROR_UNDETECTED 149
--# define FIPS_R_NON_FIPS_METHOD 100
-+# define FIPS_R_NON_FIPS_METHOD 125
- # define FIPS_R_NOPR_TEST1_FAILURE 145
- # define FIPS_R_NOPR_TEST2_FAILURE 146
- # define FIPS_R_NOT_INSTANTIATED 126
--# define FIPS_R_PAIRWISE_TEST_FAILED 107
-+# define FIPS_R_PAIRWISE_TEST_FAILED 127
- # define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128
- # define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129
- # define FIPS_R_PRNG_STRENGTH_TOO_LOW 143
-@@ -265,16 +261,14 @@ extern "C" {
- # define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 131
- # define FIPS_R_RESEED_COUNTER_ERROR 132
- # define FIPS_R_RESEED_ERROR 133
--# define FIPS_R_RSA_DECRYPT_ERROR /* unused */ 115
--# define FIPS_R_RSA_ENCRYPT_ERROR /* unused */ 116
--# define FIPS_R_SELFTEST_FAILED 101
-+# define FIPS_R_SELFTEST_FAILED 134
- # define FIPS_R_SELFTEST_FAILURE 135
- # define FIPS_R_STRENGTH_ERROR_UNDETECTED 136
--# define FIPS_R_TEST_FAILURE 117
-+# define FIPS_R_TEST_FAILURE 137
- # define FIPS_R_UNINSTANTIATE_ERROR 141
- # define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 138
- # define FIPS_R_UNSUPPORTED_DRBG_TYPE 139
--# define FIPS_R_UNSUPPORTED_PLATFORM 113
-+# define FIPS_R_UNSUPPORTED_PLATFORM 140
- 
- # ifdef __cplusplus
- }
-diff --git a/crypto/fips/fips_cmac_selftest.c b/crypto/fips/fips_cmac_selftest.c
-index 9e75ec9..3955c35 100644
---- a/crypto/fips/fips_cmac_selftest.c
-+++ b/crypto/fips/fips_cmac_selftest.c
-@@ -49,11 +49,12 @@
- 
- #include
- #include
--#include
- #include
--#include "fips_locl.h"
- 
- #ifdef OPENSSL_FIPS
-+#include
-+#include "fips_locl.h"
-+
- typedef struct {
- int nid;
- const unsigned char key[EVP_MAX_KEY_LENGTH];
-diff --git a/crypto/fips/fips_dh_selftest.c b/crypto/fips/fips_dh_selftest.c
-index 2b1eb25..e205bad 100644
---- a/crypto/fips/fips_dh_selftest.c
-+++ b/crypto/fips/fips_dh_selftest.c
-@@ -51,13 +51,13 @@
- #include
- #include
- #include
--#include
- #include
- #include
- #include
--#include "fips_locl.h"
- 
- #ifdef OPENSSL_FIPS
-+#include
-+#include "fips_locl.h"
- 
- static const unsigned char dh_test_2048_p[] = {
- 0xAE, 0xEC, 0xEE, 0x22, 0xFA, 0x3A, 0xA5, 0x22, 0xC0, 0xDE, 0x0F, 0x09,
-diff --git a/crypto/fips/fips_drbg_ctr.c b/crypto/fips/fips_drbg_ctr.c
-index a830b2c..11b5f92 100644
---- a/crypto/fips/fips_drbg_ctr.c
-+++ b/crypto/fips/fips_drbg_ctr.c
-@@ -54,6 +54,8 @@
- #include
- #include
- #include
-+
-+#ifdef OPENSSL_FIPS
- #include
- #include
- #include "fips_rand_lcl.h"
-@@ -413,3 +415,4 @@ int fips_drbg_ctr_init(DRBG_CTX *dctx)
- 
- return 1;
- }
-+#endif
-diff --git a/crypto/fips/fips_drbg_hash.c b/crypto/fips/fips_drbg_hash.c
-index b19420a..176a9e6 100644
---- a/crypto/fips/fips_drbg_hash.c
-+++ b/crypto/fips/fips_drbg_hash.c
-@@ -56,6 +56,8 @@
- #include
- #include
- #include
-+
-+#ifdef OPENSSL_FIPS
- #include
- #include
- #include "fips_rand_lcl.h"
-@@ -356,3 +358,4 @@ int fips_drbg_hash_init(DRBG_CTX *dctx)
- 
- return 1;
- }
-+#endif
-diff --git a/crypto/fips/fips_drbg_hmac.c b/crypto/fips/fips_drbg_hmac.c
-index 
105db12..7e1bfc3 100644 ---- a/crypto/fips/fips_drbg_hmac.c -+++ b/crypto/fips/fips_drbg_hmac.c -@@ -57,6 +57,8 @@ - #include - #include - #include -+ -+#ifdef OPENSSL_FIPS - #include - #include - #include "fips_rand_lcl.h" -@@ -268,3 +270,4 @@ int fips_drbg_hmac_init(DRBG_CTX *dctx) - - return 1; - } -+#endif -diff --git a/crypto/fips/fips_drbg_lib.c b/crypto/fips/fips_drbg_lib.c -index 1a71322..d8c7407 100644 ---- a/crypto/fips/fips_drbg_lib.c -+++ b/crypto/fips/fips_drbg_lib.c -@@ -53,6 +53,8 @@ - #include - #include - #include -+ -+#ifdef OPENSSL_FIPS - #include - #include "fips_locl.h" - #include "fips_rand_lcl.h" -@@ -551,3 +553,4 @@ int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out) - memcpy(dctx->lb, out, dctx->blocklength); - return 1; - } -+#endif -diff --git a/crypto/fips/fips_drbg_rand.c b/crypto/fips/fips_drbg_rand.c -index 43600dd..bb523c8 100644 ---- a/crypto/fips/fips_drbg_rand.c -+++ b/crypto/fips/fips_drbg_rand.c -@@ -55,6 +55,8 @@ - #include - #include - #include -+ -+#ifdef OPENSSL_FIPS - #include - #include "fips_rand_lcl.h" - -@@ -164,3 +166,4 @@ const RAND_METHOD *FIPS_drbg_method(void) - { - return &rand_drbg_meth; - } -+#endif -diff --git a/crypto/fips/fips_drbg_selftest.c b/crypto/fips/fips_drbg_selftest.c -index 1397202..7a5b1a0 100644 ---- a/crypto/fips/fips_drbg_selftest.c -+++ b/crypto/fips/fips_drbg_selftest.c -@@ -10,7 +10,7 @@ - * are met: - * - * 1. Redistributions of source code must retain the above copyright -- * notice, this list of conditions and the following disclaimer. -+ * notice, this list of conditions and the following disclaimer. - * - * 2. 
Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in -@@ -54,6 +54,8 @@ - #include - #include - #include -+ -+#ifdef OPENSSL_FIPS - #include - #include "fips_rand_lcl.h" - #include "fips_locl.h" -@@ -756,16 +758,11 @@ int FIPS_drbg_health_check(DRBG_CTX *dctx) - int rv; - DRBG_CTX *tctx = NULL; - tctx = FIPS_drbg_new(0, 0); -- fips_post_started(FIPS_TEST_DRBG, dctx->type, &dctx->xflags); - if (!tctx) - return 0; - rv = fips_drbg_kat(tctx, dctx->type, dctx->xflags); - if (tctx) - FIPS_drbg_free(tctx); -- if (rv) -- fips_post_success(FIPS_TEST_DRBG, dctx->type, &dctx->xflags); -- else -- fips_post_failed(FIPS_TEST_DRBG, dctx->type, &dctx->xflags); - if (!rv) - dctx->status = DRBG_STATUS_ERROR; - else -@@ -784,15 +781,10 @@ int FIPS_selftest_drbg(void) - for (td = drbg_test; td->nid != 0; td++) { - if (td->post != 1) - continue; -- if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags)) -- return 1; - if (!fips_drbg_single_kat(dctx, td, 1)) { -- fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags); - rv = 0; - continue; - } -- if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags)) -- return 0; - } - FIPS_drbg_free(dctx); - return rv; -@@ -807,21 +799,16 @@ int FIPS_selftest_drbg_all(void) - if (!dctx) - return 0; - for (td = drbg_test; td->nid != 0; td++) { -- if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags)) -- return 1; - if (!fips_drbg_single_kat(dctx, td, 0)) { -- fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags); - rv = 0; - continue; - } - if (!fips_drbg_error_check(dctx, td)) { -- fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags); - rv = 0; - continue; - } -- if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags)) -- return 0; - } - FIPS_drbg_free(dctx); - return rv; - } -+#endif -diff --git a/crypto/fips/fips_dsa_selftest.c b/crypto/fips/fips_dsa_selftest.c -index 4c0da82..521c346 100644 ---- a/crypto/fips/fips_dsa_selftest.c -+++ 
b/crypto/fips/fips_dsa_selftest.c -@@ -50,13 +50,13 @@ - #include - #include - #include --#include - #include - #include - #include --#include "fips_locl.h" - - #ifdef OPENSSL_FIPS -+#include -+#include "fips_locl.h" - - static const unsigned char dsa_test_2048_p[] = { - 0xa8, 0x53, 0x78, 0xd8, 0xfd, 0x3f, 0x8d, 0x72, 0xec, 0x74, 0x18, 0x08, -diff --git a/crypto/fips/fips_ecdh_selftest.c b/crypto/fips/fips_ecdh_selftest.c -index 8cad5ad..2b7341e 100644 ---- a/crypto/fips/fips_ecdh_selftest.c -+++ b/crypto/fips/fips_ecdh_selftest.c -@@ -58,13 +58,13 @@ - #include - #include - #include --#include - #include - #include - #include - - #ifdef OPENSSL_FIPS - -+#include - # include "fips_locl.h" - - static const unsigned char p256_qcavsx[] = { -@@ -207,7 +207,6 @@ int FIPS_selftest_ecdh(void) - ztmp[0] ^= 0x1; - - if (memcmp(ztmp, ecd->z, ecd->zlen)) { -- fips_post_failed(FIPS_TEST_ECDH, ecd->curve, 0); - rv = 0; - } else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0)) - goto err; -diff --git a/crypto/fips/fips_ecdsa_selftest.c b/crypto/fips/fips_ecdsa_selftest.c -index 4ce6e81..a654582 100644 ---- a/crypto/fips/fips_ecdsa_selftest.c -+++ b/crypto/fips/fips_ecdsa_selftest.c -@@ -58,12 +58,12 @@ - #include - #include - #include --#include - #include - #include - #include - - #ifdef OPENSSL_FIPS -+#include - - static const char P_256_name[] = "ECDSA P-256"; - -diff --git a/crypto/fips/fips_post.c b/crypto/fips/fips_post.c -index 2b19651..9ca4b20 100644 ---- a/crypto/fips/fips_post.c -+++ b/crypto/fips/fips_post.c -@@ -72,9 +72,7 @@ int FIPS_selftest(void) - { - int rv = 1; - if (!FIPS_selftest_drbg()) -- rv = 0; -- if (!FIPS_selftest_x931()) -- rv = 0; -+ rv = 0; - if (!FIPS_selftest_sha1()) - rv = 0; - if (!FIPS_selftest_sha2()) -diff --git a/crypto/fips/fips_rand.c b/crypto/fips/fips_rand.c -index c5060a2..cc2254a 100644 ---- a/crypto/fips/fips_rand.c -+++ b/crypto/fips/fips_rand.c -@@ -60,10 +60,6 @@ - # define _XOPEN_SOURCE_EXTENDED 1 - #endif - --#include 
--#include --#include --#include - #if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS)) - # include - #endif -@@ -83,154 +79,8 @@ - #include "fips_locl.h" - - #ifdef OPENSSL_FIPS -- --void *OPENSSL_stderr(void); -- --# define AES_BLOCK_LENGTH 16 -- --/* AES FIPS PRNG implementation */ -- --typedef struct { -- int seeded; -- int keyed; -- int test_mode; -- int second; -- int error; -- unsigned long counter; -- AES_KEY ks; -- int vpos; -- /* Temporary storage for key if it equals seed length */ -- unsigned char tmp_key[AES_BLOCK_LENGTH]; -- unsigned char V[AES_BLOCK_LENGTH]; -- unsigned char DT[AES_BLOCK_LENGTH]; -- unsigned char last[AES_BLOCK_LENGTH]; --} FIPS_PRNG_CTX; -- --static FIPS_PRNG_CTX sctx; -- --static int fips_prng_fail = 0; -- --void FIPS_x931_stick(int onoff) --{ -- fips_prng_fail = onoff; --} -- --void FIPS_rng_stick(void) --{ -- FIPS_x931_stick(1); --} -- --static void fips_rand_prng_reset(FIPS_PRNG_CTX * ctx) --{ -- ctx->seeded = 0; -- ctx->keyed = 0; -- ctx->test_mode = 0; -- ctx->counter = 0; -- ctx->second = 0; -- ctx->error = 0; -- ctx->vpos = 0; -- OPENSSL_cleanse(ctx->V, AES_BLOCK_LENGTH); -- OPENSSL_cleanse(&ctx->ks, sizeof(AES_KEY)); --} -- --static int fips_set_prng_key(FIPS_PRNG_CTX * ctx, -- const unsigned char *key, unsigned int keylen) --{ -- if (FIPS_selftest_failed()) { -- FIPSerr(FIPS_F_FIPS_SET_PRNG_KEY, FIPS_R_SELFTEST_FAILED); -- return 0; -- } -- if (keylen != 16 && keylen != 24 && keylen != 32) { -- /* error: invalid key size */ -- return 0; -- } -- AES_set_encrypt_key(key, keylen << 3, &ctx->ks); -- if (keylen == 16) { -- memcpy(ctx->tmp_key, key, 16); -- ctx->keyed = 2; -- } else -- ctx->keyed = 1; -- ctx->seeded = 0; -- ctx->second = 0; -- return 1; --} -- --static int fips_set_prng_seed(FIPS_PRNG_CTX * ctx, -- const unsigned char *seed, unsigned int seedlen) --{ -- unsigned int i; -- if (!ctx->keyed) -- return 0; -- /* In test mode seed is just supplied data */ -- if (ctx->test_mode) { -- if (seedlen != 
AES_BLOCK_LENGTH) -- return 0; -- memcpy(ctx->V, seed, AES_BLOCK_LENGTH); -- ctx->seeded = 1; -- return 1; -- } -- /* Outside test mode XOR supplied data with existing seed */ -- for (i = 0; i < seedlen; i++) { -- ctx->V[ctx->vpos++] ^= seed[i]; -- if (ctx->vpos == AES_BLOCK_LENGTH) { -- ctx->vpos = 0; -- /* Special case if first seed and key length equals -- * block size check key and seed do not match. -- */ -- if (ctx->keyed == 2) { -- if (!memcmp(ctx->tmp_key, ctx->V, 16)) { -- RANDerr(RAND_F_FIPS_SET_PRNG_SEED, -- RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY); -- return 0; -- } -- OPENSSL_cleanse(ctx->tmp_key, 16); -- ctx->keyed = 1; -- } -- ctx->seeded = 1; -- } -- } -- return 1; --} -- --static int fips_set_test_mode(FIPS_PRNG_CTX * ctx) --{ -- if (ctx->keyed) { -- RANDerr(RAND_F_FIPS_SET_TEST_MODE, RAND_R_PRNG_KEYED); -- return 0; -- } -- ctx->test_mode = 1; -- return 1; --} -- --int FIPS_x931_test_mode(void) --{ -- return fips_set_test_mode(&sctx); --} -- --int FIPS_rand_test_mode(void) --{ -- return fips_set_test_mode(&sctx); --} -- --int FIPS_x931_set_dt(unsigned char *dt) --{ -- if (!sctx.test_mode) { -- RANDerr(RAND_F_FIPS_X931_SET_DT, RAND_R_NOT_IN_TEST_MODE); -- return 0; -- } -- memcpy(sctx.DT, dt, AES_BLOCK_LENGTH); -- return 1; --} -- --int FIPS_rand_set_dt(unsigned char *dt) --{ -- if (!sctx.test_mode) { -- RANDerr(RAND_F_FIPS_RAND_SET_DT, RAND_R_NOT_IN_TEST_MODE); -- return 0; -- } -- memcpy(sctx.DT, dt, AES_BLOCK_LENGTH); -- return 1; --} -+#include -+#include "fips_locl.h" - - void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr) - { -@@ -292,137 +142,4 @@ void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr) - buf[15] = (unsigned char)((pid >> 24) & 0xff); - # endif - } -- --static int fips_rand(FIPS_PRNG_CTX * ctx, -- unsigned char *out, unsigned int outlen) --{ -- unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH]; -- unsigned char tmp[AES_BLOCK_LENGTH]; -- int i; -- if (ctx->error) { -- RANDerr(RAND_F_FIPS_RAND, 
RAND_R_PRNG_ERROR); -- return 0; -- } -- if (!ctx->keyed) { -- RANDerr(RAND_F_FIPS_RAND, RAND_R_NO_KEY_SET); -- return 0; -- } -- if (!ctx->seeded) { -- RANDerr(RAND_F_FIPS_RAND, RAND_R_PRNG_NOT_SEEDED); -- return 0; -- } -- for (;;) { -- if (!ctx->test_mode) -- FIPS_get_timevec(ctx->DT, &ctx->counter); -- AES_encrypt(ctx->DT, I, &ctx->ks); -- for (i = 0; i < AES_BLOCK_LENGTH; i++) -- tmp[i] = I[i] ^ ctx->V[i]; -- AES_encrypt(tmp, R, &ctx->ks); -- for (i = 0; i < AES_BLOCK_LENGTH; i++) -- tmp[i] = R[i] ^ I[i]; -- AES_encrypt(tmp, ctx->V, &ctx->ks); -- /* Continuous PRNG test */ -- if (ctx->second) { -- if (fips_prng_fail) -- memcpy(ctx->last, R, AES_BLOCK_LENGTH); -- if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH)) { -- RANDerr(RAND_F_FIPS_RAND, RAND_R_PRNG_STUCK); -- ctx->error = 1; -- fips_set_selftest_fail(); -- return 0; -- } -- } -- memcpy(ctx->last, R, AES_BLOCK_LENGTH); -- if (!ctx->second) { -- ctx->second = 1; -- if (!ctx->test_mode) -- continue; -- } -- -- if (outlen <= AES_BLOCK_LENGTH) { -- memcpy(out, R, outlen); -- break; -- } -- -- memcpy(out, R, AES_BLOCK_LENGTH); -- out += AES_BLOCK_LENGTH; -- outlen -= AES_BLOCK_LENGTH; -- } -- return 1; --} -- --int FIPS_x931_set_key(const unsigned char *key, int keylen) --{ -- int ret; -- CRYPTO_w_lock(CRYPTO_LOCK_RAND); -- ret = fips_set_prng_key(&sctx, key, keylen); -- CRYPTO_w_unlock(CRYPTO_LOCK_RAND); -- return ret; --} -- --int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen) --{ -- return FIPS_x931_set_key(key, keylen); --} -- --int FIPS_x931_seed(const void *seed, int seedlen) --{ -- int ret; -- CRYPTO_w_lock(CRYPTO_LOCK_RAND); -- ret = fips_set_prng_seed(&sctx, seed, seedlen); -- CRYPTO_w_unlock(CRYPTO_LOCK_RAND); -- return ret; --} -- --int FIPS_x931_bytes(unsigned char *out, int count) --{ -- int ret; -- CRYPTO_w_lock(CRYPTO_LOCK_RAND); -- ret = fips_rand(&sctx, out, count); -- CRYPTO_w_unlock(CRYPTO_LOCK_RAND); -- return ret; --} -- --int FIPS_x931_status(void) --{ -- int ret; -- 
CRYPTO_r_lock(CRYPTO_LOCK_RAND);
-- ret = sctx.seeded;
-- CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
-- return ret;
--}
--
--void FIPS_x931_reset(void)
--{
-- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-- fips_rand_prng_reset(&sctx);
-- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
--}
--
--static int fips_do_rand_seed(const void *seed, int seedlen)
--{
-- FIPS_x931_seed(seed, seedlen);
-- return 1;
--}
--
--static int fips_do_rand_add(const void *seed, int seedlen, double add_entropy)
--{
-- FIPS_x931_seed(seed, seedlen);
-- return 1;
--}
--
--static const RAND_METHOD rand_x931_meth = {
-- fips_do_rand_seed,
-- FIPS_x931_bytes,
-- FIPS_x931_reset,
-- fips_do_rand_add,
-- FIPS_x931_bytes,
-- FIPS_x931_status
--};
--
--const RAND_METHOD *FIPS_x931_method(void)
--{
-- return &rand_x931_meth;
--}
--
- #endif
-diff --git a/crypto/fips/fips_rand.h b/crypto/fips/fips_rand.h
-index e78eb35..e25e57c 100644
---- a/crypto/fips/fips_rand.h
-+++ b/crypto/fips/fips_rand.h
-@@ -61,19 +61,7 @@
- extern "C" {
- # endif
- 
-- int FIPS_x931_set_key(const unsigned char *key, int keylen);
-- int FIPS_x931_seed(const void *buf, int num);
-- int FIPS_x931_bytes(unsigned char *out, int outlen);
--
-- int FIPS_x931_test_mode(void);
-- void FIPS_x931_reset(void);
-- int FIPS_x931_set_dt(unsigned char *dt);
--
-- int FIPS_x931_status(void);
--
-- const RAND_METHOD *FIPS_x931_method(void);
--
-- typedef struct drbg_ctx_st DRBG_CTX;
-+typedef struct drbg_ctx_st DRBG_CTX;
- /* DRBG external flags */
- /* Flag for CTR mode only: use derivation function ctr_df */
- # define DRBG_FLAG_CTR_USE_DF 0x1
-@@ -147,14 +135,8 @@ extern "C" {
- int FIPS_rand_strength(void);
- 
- /* 1.0.0 compat functions */
-- int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen);
-- int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num);
-- int FIPS_rand_bytes(unsigned char *out, FIPS_RAND_SIZE_T outlen);
-- int FIPS_rand_test_mode(void);
-- void FIPS_rand_reset(void);
-- int FIPS_rand_set_dt(unsigned char *dt);
-- int FIPS_rand_status(void);
- const RAND_METHOD *FIPS_rand_method(void);
-+ int FIPS_rand_status(void);
- 
- # ifdef __cplusplus
- }
-diff --git a/crypto/fips/fips_rand_lcl.h b/crypto/fips/fips_rand_lcl.h
-index 0a1d251..5aff0bb 100644
---- a/crypto/fips/fips_rand_lcl.h
-+++ b/crypto/fips/fips_rand_lcl.h
-@@ -205,8 +205,6 @@ int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out);
- 
- const struct env_md_st *FIPS_get_digestbynid(int nid);
- 
--const struct evp_cipher_st *FIPS_get_cipherbynid(int nid);
--
- #define FIPS_digestinit EVP_DigestInit
- #define FIPS_digestupdate EVP_DigestUpdate
- #define FIPS_digestfinal EVP_DigestFinal
-diff --git a/crypto/fips/fips_rand_lib.c b/crypto/fips/fips_rand_lib.c
-index 6f2ccc6..ab35ee0 100644
---- a/crypto/fips/fips_rand_lib.c
-+++ b/crypto/fips/fips_rand_lib.c
-@@ -50,6 +50,7 @@
- #include
- #include
- #include
-+#ifdef OPENSSL_FIPS
- #include
- #include
- #include "e_os.h"
-@@ -73,8 +74,6 @@ int FIPS_rand_set_method(const RAND_METHOD *meth)
- if (!fips_rand_bits) {
- if (meth == FIPS_drbg_method())
- fips_approved_rand_meth = 1;
-- else if (meth == FIPS_x931_method())
-- fips_approved_rand_meth = 2;
- else {
- fips_approved_rand_meth = 0;
- if (FIPS_module_mode()) {
-@@ -169,8 +168,6 @@ int FIPS_rand_strength(void)
- return fips_rand_bits;
- if (fips_approved_rand_meth == 1)
- return FIPS_drbg_get_strength(FIPS_get_default_drbg());
-- else if (fips_approved_rand_meth == 2)
-- return 80;
- else if (fips_approved_rand_meth == 0) {
- if (FIPS_module_mode())
- return 0;
-@@ -179,3 +176,4 @@ int FIPS_rand_strength(void)
- }
- return 0;
- }
-+#endif
-diff --git a/crypto/fips/fips_sha_selftest.c b/crypto/fips/fips_sha_selftest.c
-index 446ddd9..3f4ca12 100644
---- a/crypto/fips/fips_sha_selftest.c
-+++ b/crypto/fips/fips_sha_selftest.c
-@@ -129,13 +129,13 @@ int FIPS_selftest_sha2(void)
- 
- EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL);
- if (memcmp(dig_sha256, md, sizeof(dig_sha256))) {
-- FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED);
- return 0;
- }
- 
- EVP_Digest(msg_sha512, sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL);
- if (memcmp(dig_sha512, md, sizeof(dig_sha512))) {
-- FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED);
- return 0;
- }
- 
-diff --git a/crypto/fips/fips_test_suite.c b/crypto/fips/fips_test_suite.c
-index 1e4b69c..5ab0458 100644
---- a/crypto/fips/fips_test_suite.c
-+++ b/crypto/fips/fips_test_suite.c
-@@ -27,6 +27,8 @@
- #include
- #include
- #include
-+#include
-+#include
- 
- #ifndef OPENSSL_FIPS
- int main(int argc, char *argv[])
-@@ -65,6 +67,48 @@ static int FIPS_aes_test(void)
- return ret;
- }
- 
-+static int FIPS_aes_gcm_test(void)
-+{
-+ int ret = 0;
-+ unsigned char pltmp[16];
-+ unsigned char citmp[16];
-+ unsigned char tagtmp[16];
-+ unsigned char key[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
-+ unsigned char iv[16] = {21,22,23,24,25,26,27,28,29,30,31,32};
-+ unsigned char aad[] = "Some text AAD";
-+ unsigned char plaintext[16] = "etaonrishdlcu";
-+ EVP_CIPHER_CTX ctx;
-+
-+ EVP_CIPHER_CTX_init(&ctx);
-+ if (EVP_CipherInit_ex(&ctx, EVP_aes_128_gcm(), NULL, key, iv, 1) <= 0)
-+ goto err;
-+ EVP_Cipher(&ctx, NULL, aad, sizeof(aad));
-+ EVP_Cipher(&ctx, citmp, plaintext, 16);
-+ EVP_Cipher(&ctx, NULL, NULL, 0);
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, 16, tagtmp))
-+ goto err;
-+
-+ if (EVP_CipherInit_ex(&ctx, EVP_aes_128_gcm(), NULL, key, iv, 0) <= 0)
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, 16, tagtmp))
-+ goto err;
-+
-+ EVP_Cipher(&ctx, NULL, aad, sizeof(aad));
-+
-+ EVP_Cipher(&ctx, pltmp, citmp, 16);
-+
-+ if (EVP_Cipher(&ctx, NULL, NULL, 0) < 0)
-+ goto err;
-+
-+ if (memcmp(pltmp, plaintext, 16))
-+ goto err;
-+
-+ ret = 1;
-+err:
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+ return ret;
-+}
-+
- static int FIPS_des3_test(void)
- {
- 
int ret = 0; -@@ -97,7 +141,7 @@ static int FIPS_des3_test(void) - static int FIPS_dsa_test(int bad) - { - DSA *dsa = NULL; -- EVP_PKEY pk; -+ EVP_PKEY *pk = NULL; - unsigned char dgst[] = "etaonrishdlc"; - unsigned char buf[60]; - unsigned int slen; -@@ -116,24 +160,27 @@ static int FIPS_dsa_test(int bad) - if (bad) - BN_add_word(dsa->pub_key, 1); - -- pk.type = EVP_PKEY_DSA; -- pk.pkey.dsa = dsa; -+ if ((pk=EVP_PKEY_new()) == NULL) -+ goto end; -+ EVP_PKEY_assign_DSA(pk, dsa); - - if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL)) - goto end; - if (!EVP_SignUpdate(&mctx, dgst, sizeof(dgst) - 1)) - goto end; -- if (!EVP_SignFinal(&mctx, buf, &slen, &pk)) -+ if (!EVP_SignFinal(&mctx, buf, &slen, pk)) - goto end; - - if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL)) - goto end; - if (!EVP_VerifyUpdate(&mctx, dgst, sizeof(dgst) - 1)) - goto end; -- r = EVP_VerifyFinal(&mctx, buf, slen, &pk); -+ r = EVP_VerifyFinal(&mctx, buf, slen, pk); - end: - EVP_MD_CTX_cleanup(&mctx); -- if (dsa) -+ if (pk) -+ EVP_PKEY_free(pk); -+ else if (dsa) - DSA_free(dsa); - if (r != 1) - return 0; -@@ -145,13 +192,13 @@ static int FIPS_dsa_test(int bad) - */ - static int FIPS_rsa_test(int bad) - { -- RSA *key; -+ RSA *key = NULL; - unsigned char input_ptext[] = "etaonrishdlc"; - unsigned char buf[256]; - unsigned int slen; - BIGNUM *bn; - EVP_MD_CTX mctx; -- EVP_PKEY pk; -+ EVP_PKEY *pk = NULL; - int r = 0; - - ERR_clear_error(); -@@ -167,23 +214,26 @@ static int FIPS_rsa_test(int bad) - if (bad) - BN_add_word(key->n, 1); - -- pk.type = EVP_PKEY_RSA; -- pk.pkey.rsa = key; -+ if ((pk = EVP_PKEY_new()) == NULL) -+ goto end; -+ EVP_PKEY_set1_RSA(pk, key); - - if (!EVP_SignInit_ex(&mctx, EVP_sha1(), NULL)) - goto end; - if (!EVP_SignUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1)) - goto end; -- if (!EVP_SignFinal(&mctx, buf, &slen, &pk)) -+ if (!EVP_SignFinal(&mctx, buf, &slen, pk)) - goto end; - - if (!EVP_VerifyInit_ex(&mctx, EVP_sha1(), NULL)) - goto end; - if (!EVP_VerifyUpdate(&mctx, 
input_ptext, sizeof(input_ptext) - 1)) - goto end; -- r = EVP_VerifyFinal(&mctx, buf, slen, &pk); -+ r = EVP_VerifyFinal(&mctx, buf, slen, pk); - end: - EVP_MD_CTX_cleanup(&mctx); -+ if (pk) -+ EVP_PKEY_free(pk); - if (key) - RSA_free(key); - if (r != 1) -@@ -399,18 +449,217 @@ static int FIPS_hmac_sha512_test() - return 1; - } - -+ -+/* CMAC-AES128: generate hash of known digest value and compare to known -+ * precomputed correct hash -+ */ -+static int FIPS_cmac_aes128_test() -+{ -+ unsigned char key[16] = { 0x2b,0x7e,0x15,0x16, 0x28,0xae,0xd2,0xa6, -+ 0xab,0xf7,0x15,0x88, 0x09,0xcf,0x4f,0x3c }; -+ unsigned char data[] = "Sample text"; -+ unsigned char kaval[EVP_MAX_MD_SIZE] = { 0x16,0x83,0xfe,0xac, 0x52,0x9b,0xae,0x23, -+ 0xd7,0xd5,0x66,0xf5, 0xd2,0x8d,0xbd,0x2a }; -+ unsigned char *out = NULL; -+ size_t outlen; -+ CMAC_CTX *ctx = CMAC_CTX_new(); -+ int r = 0; -+ -+ ERR_clear_error(); -+ if (!ctx) -+ goto end; -+ if (!CMAC_Init(ctx,key,sizeof(key),EVP_aes_128_cbc(),NULL)) -+ goto end; -+ if (!CMAC_Update(ctx,data,sizeof(data)-1)) -+ goto end; -+ /* This should return 1. If not, there's a programming error... 
*/ -+ if (!CMAC_Final(ctx, out, &outlen)) -+ -+ goto end; -+ out = OPENSSL_malloc(outlen); -+ if (!CMAC_Final(ctx, out, &outlen)) -+ goto end; -+#if 0 -+ { -+ char *hexout = OPENSSL_malloc(outlen * 2 + 1); -+ bin2hex(out, outlen, hexout); -+ printf("CMAC-AES128: res = %s\n", hexout); -+ OPENSSL_free(hexout); -+ } -+ r = 1; -+#else -+ if (!memcmp(out,kaval,outlen)) -+ r = 1; -+#endif -+ -+end: -+ CMAC_CTX_free(ctx); -+ if (out) -+ OPENSSL_free(out); -+ return r; -+} -+ -+/* CMAC-AES192: generate hash of known digest value and compare to known -+ * precomputed correct hash -+ */ -+static int FIPS_cmac_aes192_test() -+{ -+ unsigned char key[] = { 0x8e,0x73,0xb0,0xf7, 0xda,0x0e,0x64,0x52, -+ 0xc8,0x10,0xf3,0x2b, 0x80,0x90,0x79,0xe5, -+ 0x62,0xf8,0xea,0xd2, 0x52,0x2c,0x6b,0x7b, }; -+ unsigned char data[] = "Sample text"; -+ unsigned char kaval[] = { 0xd6,0x99,0x19,0x25, 0xe5,0x1d,0x95,0x48, -+ 0xb1,0x4a,0x0b,0xf2, 0xc6,0x3c,0x47,0x1f, }; -+ unsigned char *out = NULL; -+ size_t outlen; -+ CMAC_CTX *ctx = CMAC_CTX_new(); -+ int r = 0; -+ -+ ERR_clear_error(); -+ if (!ctx) -+ goto end; -+ if (!CMAC_Init(ctx,key,sizeof(key),EVP_aes_192_cbc(),NULL)) -+ goto end; -+ if (!CMAC_Update(ctx,data,sizeof(data)-1)) -+ goto end; -+ /* This should return 1. If not, there's a programming error... 
*/ -+ if (!CMAC_Final(ctx, out, &outlen)) -+ goto end; -+ out = OPENSSL_malloc(outlen); -+ if (!CMAC_Final(ctx, out, &outlen)) -+ goto end; -+#if 0 -+ { -+ char *hexout = OPENSSL_malloc(outlen * 2 + 1); -+ bin2hex(out, outlen, hexout); -+ printf("CMAC-AES192: res = %s\n", hexout); -+ OPENSSL_free(hexout); -+ } -+ r = 1; -+#else -+ if (!memcmp(out,kaval,outlen)) -+ r = 1; -+#endif -+ -+end: -+ CMAC_CTX_free(ctx); -+ if (out) -+ OPENSSL_free(out); -+ return r; -+} -+ -+/* CMAC-AES256: generate hash of known digest value and compare to known -+ * precomputed correct hash -+ */ -+static int FIPS_cmac_aes256_test() -+{ -+ unsigned char key[] = { 0x60,0x3d,0xeb,0x10, 0x15,0xca,0x71,0xbe, -+ 0x2b,0x73,0xae,0xf0, 0x85,0x7d,0x77,0x81, -+ 0x1f,0x35,0x2c,0x07, 0x3b,0x61,0x08,0xd7, -+ 0x2d,0x98,0x10,0xa3, 0x09,0x14,0xdf,0xf4, }; -+ unsigned char data[] = "Sample text"; -+ unsigned char kaval[] = { 0xec,0xc2,0xcf,0x63,0xc7,0xce,0xfc,0xa4, -+ 0xb0,0x86,0x37,0x5f,0x15,0x60,0xba,0x1f }; -+ unsigned char *out = NULL; -+ size_t outlen; -+ CMAC_CTX *ctx = CMAC_CTX_new(); -+ int r = 0; -+ -+ ERR_clear_error(); -+ -+ if (!ctx) -+ goto end; -+ if (!CMAC_Init(ctx,key,sizeof(key),EVP_aes_256_cbc(),NULL)) -+ goto end; -+ if (!CMAC_Update(ctx,data,sizeof(data)-1)) -+ goto end; -+ /* This should return 1. If not, there's a programming error... 
*/ -+ if (!CMAC_Final(ctx, out, &outlen)) -+ goto end; -+ out = OPENSSL_malloc(outlen); -+ if (!CMAC_Final(ctx, out, &outlen)) -+ goto end; -+#if 0 -+ { -+ char *hexout = OPENSSL_malloc(outlen * 2 + 1); -+ bin2hex(out, outlen, hexout); -+ printf("CMAC-AES256: res = %s\n", hexout); -+ OPENSSL_free(hexout); -+ } -+ r = 1; -+#else -+ if (!memcmp(out,kaval,outlen)) -+ r = 1; -+#endif -+ -+end: -+ CMAC_CTX_free(ctx); -+ if (out) -+ OPENSSL_free(out); -+ return r; -+} -+ -+/* CMAC-TDEA3: generate hash of known digest value and compare to known -+ * precomputed correct hash -+ */ -+static int FIPS_cmac_tdea3_test() -+{ -+ unsigned char key[] = { 0x8a,0xa8,0x3b,0xf8, 0xcb,0xda,0x10,0x62, -+ 0x0b,0xc1,0xbf,0x19, 0xfb,0xb6,0xcd,0x58, -+ 0xbc,0x31,0x3d,0x4a, 0x37,0x1c,0xa8,0xb5, }; -+ unsigned char data[] = "Sample text"; -+ unsigned char kaval[EVP_MAX_MD_SIZE] = -+ { 0xb4,0x06,0x4e,0xbf,0x59,0x89,0xba,0x68, }; -+ unsigned char *out = NULL; -+ size_t outlen; -+ CMAC_CTX *ctx = CMAC_CTX_new(); -+ int r = 0; -+ -+ ERR_clear_error(); -+ if (!ctx) -+ goto end; -+ if (!CMAC_Init(ctx,key,sizeof(key),EVP_des_ede3_cbc(),NULL)) -+ goto end; -+ if (!CMAC_Update(ctx,data,sizeof(data)-1)) -+ goto end; -+ /* This should return 1. If not, there's a programming error... 
*/ -+ if (!CMAC_Final(ctx, out, &outlen)) -+ goto end; -+ out = OPENSSL_malloc(outlen); -+ if (!CMAC_Final(ctx, out, &outlen)) -+ goto end; -+#if 0 -+ { -+ char *hexout = OPENSSL_malloc(outlen * 2 + 1); -+ bin2hex(out, outlen, hexout); -+ printf("CMAC-TDEA3: res = %s\n", hexout); -+ OPENSSL_free(hexout); -+ } -+ r = 1; -+#else -+ if (!memcmp(out,kaval,outlen)) -+ r = 1; -+#endif -+ -+end: -+ CMAC_CTX_free(ctx); -+ if (out) -+ OPENSSL_free(out); -+ return r; -+} -+ - /* DH: generate shared parameters - */ - static int dh_test() - { - DH *dh; - ERR_clear_error(); -- dh = FIPS_dh_new(); -+ dh = DH_new(); - if (!dh) - return 0; -- if (!DH_generate_parameters_ex(dh, 1024, 2, NULL)) -+ if (!DH_generate_parameters_ex(dh, 2048, 2, NULL)) - return 0; -- FIPS_dh_free(dh); -+ DH_free(dh); - return 1; - } - -@@ -425,7 +674,7 @@ static int Zeroize() - 0x83, 0x02, 0xb1, 0x09, 0x68 }; - int i, n; - -- key = FIPS_rsa_new(); -+ key = RSA_new(); - bn = BN_new(); - if (!key || !bn) - return 0; -@@ -452,9 +701,91 @@ static int Zeroize() - printf("%02x", userkey[i]); - printf("\n"); - -+ RSA_free(key); - return 1; - } - -+/* Dummy Entropy for DRBG tests. WARNING: THIS IS TOTALLY BOGUS -+ * HAS ZERO SECURITY AND MUST NOT BE USED IN REAL APPLICATIONS. 
-+ */ -+static unsigned char dummy_drbg_entropy[1024]; -+static size_t drbg_test_cb(DRBG_CTX *ctx, unsigned char **pout, -+ int entropy, size_t min_len, size_t max_len) -+{ -+ *pout = dummy_drbg_entropy; -+ /* Round up to multiple of block size */ -+ return (min_len + 0xf) & ~0xf; -+} -+ -+/* DRBG test: just generate lots of data and trigger health checks */ -+static int do_drbg_test(int type, int flags) -+{ -+ DRBG_CTX *dctx; -+ int rv = 0; -+ size_t i; -+ unsigned char randout[1024]; -+ -+ dctx = FIPS_drbg_new(type, flags); -+ if (!dctx) -+ return 0; -+ FIPS_drbg_set_callbacks(dctx, drbg_test_cb, 0, 0x10, drbg_test_cb, 0); -+ for (i = 0; i < sizeof(dummy_drbg_entropy); i++) { -+ dummy_drbg_entropy[i] = i & 0xff; -+ } -+ if (!FIPS_drbg_instantiate(dctx, dummy_drbg_entropy, 10)) -+ goto err; -+ FIPS_drbg_set_check_interval(dctx, 10); -+ for (i = 0; i < 32; i++) { -+ if (!FIPS_drbg_generate(dctx, randout, sizeof(randout), -+ 0, NULL, 0)) -+ goto err; -+ if (!FIPS_drbg_generate(dctx, randout, sizeof(randout), -+ 0, dummy_drbg_entropy, 1)) -+ goto err; -+ } -+ rv = 1; -+err: -+ FIPS_drbg_free(dctx); -+ return rv; -+} -+ -+typedef struct -+{ -+ int type, flags; -+} DRBG_LIST; -+ -+static int do_drbg_all(void) -+{ -+ static DRBG_LIST drbg_types[] = { -+ {NID_sha1, 0}, -+ {NID_sha224, 0}, -+ {NID_sha256, 0}, -+ {NID_sha384, 0}, -+ {NID_sha512, 0}, -+ {NID_hmacWithSHA1, 0}, -+ {NID_hmacWithSHA224, 0}, -+ {NID_hmacWithSHA256, 0}, -+ {NID_hmacWithSHA384, 0}, -+ {NID_hmacWithSHA512, 0}, -+ {NID_aes_128_ctr, 0}, -+ {NID_aes_192_ctr, 0}, -+ {NID_aes_256_ctr, 0}, -+ {NID_aes_128_ctr, DRBG_FLAG_CTR_USE_DF}, -+ {NID_aes_192_ctr, DRBG_FLAG_CTR_USE_DF}, -+ {NID_aes_256_ctr, DRBG_FLAG_CTR_USE_DF}, -+ {0, 0} -+ }; -+ DRBG_LIST *lst; -+ int rv = 1; -+ for (lst = drbg_types;; lst++) { -+ if (lst->type == 0) -+ break; -+ if (!do_drbg_test(lst->type, lst->flags)) -+ rv = 0; -+ } -+ return rv; -+} -+ - static int Error; - const char *Fail(const char *msg) - { -@@ -463,13 +794,19 @@ const 
char *Fail(const char *msg) - return msg; - } - -+static void test_msg(const char *msg, int result) -+{ -+ printf("%s...%s\n", msg, result ? "successful" : Fail("Failed!")); -+} -+ - int main(int argc, char **argv) - { - -- int do_corrupt_rsa_keygen = 0, do_corrupt_dsa_keygen = 0; -+ int do_corrupt_rsa_keygen = 0; - int bad_rsa = 0, bad_dsa = 0; -- int do_rng_stick = 0; - int no_exit = 0; -+ int do_drbg = 0; -+ int do_drbg_stick = 0; - - printf("\tFIPS-mode test application\n\n"); - -@@ -507,20 +844,16 @@ int main(int argc, char **argv) - ("DSA key generation and signature validation with corrupted key...\n"); - bad_dsa = 1; - no_exit = 1; -- } else if (!strcmp(argv[1], "dsakeygen")) { -- do_corrupt_dsa_keygen = 1; -- no_exit = 1; -- printf -- ("DSA key generation and signature validation with corrupted keygen...\n"); - } else if (!strcmp(argv[1], "sha1")) { - FIPS_corrupt_sha1(); - printf("SHA-1 hash with corrupted KAT...\n"); -- } else if (!strcmp(argv[1], "rng")) { -- FIPS_corrupt_rng(); -- } else if (!strcmp(argv[1], "rngstick")) { -- do_rng_stick = 1; -+ } else if (!strcmp(argv[1], "drbg")) { -+ do_drbg = 1; - no_exit = 1; -- printf("RNG test with stuck continuous test...\n"); -+ } else if (!strcmp(argv[1], "drbgstick")) { -+ do_drbg_stick = 1; -+ no_exit = 1; -+ printf("DRBG test with stuck continuous test...\n"); - } else { - printf("Bad argument \"%s\"\n", argv[1]); - exit(1); -@@ -539,8 +872,7 @@ int main(int argc, char **argv) - /* Non-Approved cryptographic operation - */ - printf("1. Non-Approved cryptographic operation test...\n"); -- printf("\ta. Included algorithm (D-H)..."); -- printf(dh_test()? "successful\n" : Fail("FAILED!\n")); -+ test_msg("\ta. Included algorithm (D-H)...", dh_test()); - - /* Power-up self test - */ -@@ -548,90 +880,109 @@ int main(int argc, char **argv) - printf("2. 
Automatic power-up self test..."); - if (!FIPS_mode_set(1)) { - do_print_errors(); -- printf(Fail("FAILED!\n")); -+ printf("%s\n", Fail("FAILED!")); - exit(1); - } - printf("successful\n"); -- if (do_corrupt_dsa_keygen) -- FIPS_corrupt_dsa_keygen(); - if (do_corrupt_rsa_keygen) - FIPS_corrupt_rsa_keygen(); -- if (do_rng_stick) -- FIPS_rng_stick(); -+ if (do_drbg_stick) -+ FIPS_drbg_stick(1); - - /* AES encryption/decryption - */ -- printf("3. AES encryption/decryption..."); -- printf(FIPS_aes_test()? "successful\n" : Fail("FAILED!\n")); -+ test_msg("3. AES encryption/decryption", FIPS_aes_test()); -+ -+ /* AES GCM encryption/decryption -+ */ -+ test_msg("3b. AES-GCM encryption/decryption", FIPS_aes_gcm_test()); - - /* RSA key generation and encryption/decryption - */ -- printf("4. RSA key generation and encryption/decryption..."); -- printf(FIPS_rsa_test(bad_rsa) ? "successful\n" : Fail("FAILED!\n")); -+ test_msg("4. RSA key generation and encryption/decryption", -+ FIPS_rsa_test(bad_rsa)); - - /* DES-CBC encryption/decryption - */ -- printf("5. DES-ECB encryption/decryption..."); -- printf(FIPS_des3_test()? "successful\n" : Fail("FAILED!\n")); -+ test_msg("5. DES-ECB encryption/decryption", FIPS_des3_test()); - - /* DSA key generation and signature validation - */ -- printf("6. DSA key generation and signature validation..."); -- printf(FIPS_dsa_test(bad_dsa) ? "successful\n" : Fail("FAILED!\n")); -+ test_msg("6. DSA key generation and signature validation", -+ FIPS_dsa_test(bad_dsa)); - - /* SHA-1 hash - */ -- printf("7a. SHA-1 hash..."); -- printf(FIPS_sha1_test()? "successful\n" : Fail("FAILED!\n")); -+ test_msg("7a. SHA-1 hash", FIPS_sha1_test()); - - /* SHA-256 hash - */ -- printf("7b. SHA-256 hash..."); -- printf(FIPS_sha256_test()? "successful\n" : Fail("FAILED!\n")); -+ test_msg("7b. SHA-256 hash", FIPS_sha256_test()); - - /* SHA-512 hash - */ -- printf("7c. SHA-512 hash..."); -- printf(FIPS_sha512_test()? 
"successful\n" : Fail("FAILED!\n")); -+ test_msg("7c. SHA-512 hash", FIPS_sha512_test()); - - /* HMAC-SHA-1 hash - */ -- printf("7d. HMAC-SHA-1 hash..."); -- printf(FIPS_hmac_sha1_test()? "successful\n" : Fail("FAILED!\n")); -+ test_msg("7d. HMAC-SHA-1 hash", FIPS_hmac_sha1_test()); - - /* HMAC-SHA-224 hash - */ -- printf("7e. HMAC-SHA-224 hash..."); -- printf(FIPS_hmac_sha224_test()? "successful\n" : Fail("FAILED!\n")); -+ test_msg("7e. HMAC-SHA-224 hash", FIPS_hmac_sha224_test()); - - /* HMAC-SHA-256 hash - */ -- printf("7f. HMAC-SHA-256 hash..."); -- printf(FIPS_hmac_sha256_test()? "successful\n" : Fail("FAILED!\n")); -+ test_msg("7f. HMAC-SHA-256 hash", FIPS_hmac_sha256_test()); - - /* HMAC-SHA-384 hash - */ -- printf("7g. HMAC-SHA-384 hash..."); -- printf(FIPS_hmac_sha384_test()? "successful\n" : Fail("FAILED!\n")); -+ test_msg("7g. HMAC-SHA-384 hash", FIPS_hmac_sha384_test()); - - /* HMAC-SHA-512 hash - */ -- printf("7h. HMAC-SHA-512 hash..."); -- printf(FIPS_hmac_sha512_test()? "successful\n" : Fail("FAILED!\n")); -+ test_msg("7h. HMAC-SHA-512 hash", FIPS_hmac_sha512_test()); -+ -+ /* CMAC-AES-128 hash -+ */ -+ test_msg("8a. CMAC-AES-128 hash", FIPS_cmac_aes128_test()); -+ -+ /* CMAC-AES-192 hash -+ */ -+ test_msg("8b. CMAC-AES-192 hash", FIPS_cmac_aes192_test()); -+ -+ /* CMAC-AES-256 hash -+ */ -+ test_msg("8c. CMAC-AES-256 hash", FIPS_cmac_aes256_test()); -+ -+ /* CMAC-TDEA-3 hash -+ */ -+ test_msg("8d. CMAC-TDEA-3 hash", FIPS_cmac_tdea3_test()); - - /* Non-Approved cryptographic operation - */ -- printf("8. Non-Approved cryptographic operation test...\n"); -- printf("\ta. Included algorithm (D-H)..."); -- printf(dh_test()? "successful as expected\n" -+ printf("9. Non-Approved cryptographic operation test...\n"); -+ printf("\ta. Included algorithm (D-H)...%s\n", -+ dh_test()? "successful as expected\n" - : Fail("failed INCORRECTLY!\n")); - - /* Zeroization - */ -- printf("9. Zero-ization...\n"); -- printf(Zeroize()? 
"\tsuccessful as expected\n" -+ printf("10. Zero-ization...\n\t%s\n", -+ Zeroize()? "\tsuccessful as expected" - : Fail("\tfailed INCORRECTLY!\n")); - -+ printf("11. Complete DRBG health check...\n"); -+ printf("\t%s\n", FIPS_selftest_drbg_all() ? "successful as expected" -+ : Fail("failed INCORRECTLY!")); -+ -+ printf("12. DRBG generation check...\n"); -+ if (!do_drbg) -+ printf("\tskipped\n"); -+ else -+ printf("\t%s\n", do_drbg_all() ? "successful as expected" -+ : Fail("failed INCORRECTLY!") ); -+ - printf("\nAll tests completed with %d errors\n", Error); - return Error ? 1 : 0; - } -diff --git a/crypto/fips/fips_utl.h b/crypto/fips/fips_utl.h -new file mode 100644 -index 0000000..0b289bf ---- /dev/null -+++ b/crypto/fips/fips_utl.h -@@ -0,0 +1,342 @@ -+/* ==================================================================== -+ * Copyright (c) 2007 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. 
Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+void do_print_errors(void) -+ { -+ const char *file, *data; -+ int line, flags; -+ unsigned long l; -+ while ((l = ERR_get_error_line_data(&file, &line, &data, &flags))) -+ { -+ fprintf(stderr, "ERROR:%lx:lib=%d,func=%d,reason=%d" -+ ":file=%s:line=%d:%s\n", -+ l, ERR_GET_LIB(l), ERR_GET_FUNC(l), ERR_GET_REASON(l), -+ file, line, flags & ERR_TXT_STRING ? 
data : ""); -+ } -+ } -+ -+int hex2bin(const char *in, unsigned char *out) -+ { -+ int n1, n2; -+ unsigned char ch; -+ -+ for (n1=0,n2=0 ; in[n1] && in[n1] != '\n' ; ) -+ { /* first byte */ -+ if ((in[n1] >= '0') && (in[n1] <= '9')) -+ ch = in[n1++] - '0'; -+ else if ((in[n1] >= 'A') && (in[n1] <= 'F')) -+ ch = in[n1++] - 'A' + 10; -+ else if ((in[n1] >= 'a') && (in[n1] <= 'f')) -+ ch = in[n1++] - 'a' + 10; -+ else -+ return -1; -+ if(!in[n1]) -+ { -+ out[n2++]=ch; -+ break; -+ } -+ out[n2] = ch << 4; -+ /* second byte */ -+ if ((in[n1] >= '0') && (in[n1] <= '9')) -+ ch = in[n1++] - '0'; -+ else if ((in[n1] >= 'A') && (in[n1] <= 'F')) -+ ch = in[n1++] - 'A' + 10; -+ else if ((in[n1] >= 'a') && (in[n1] <= 'f')) -+ ch = in[n1++] - 'a' + 10; -+ else -+ return -1; -+ out[n2++] |= ch; -+ } -+ return n2; -+ } -+ -+unsigned char *hex2bin_m(const char *in, long *plen) -+ { -+ unsigned char *p; -+ p = OPENSSL_malloc((strlen(in) + 1)/2); -+ *plen = hex2bin(in, p); -+ return p; -+ } -+ -+int do_hex2bn(BIGNUM **pr, const char *in) -+ { -+ unsigned char *p; -+ long plen; -+ int r = 0; -+ p = hex2bin_m(in, &plen); -+ if (!p) -+ return 0; -+ if (!*pr) -+ *pr = BN_new(); -+ if (!*pr) -+ return 0; -+ if (BN_bin2bn(p, plen, *pr)) -+ r = 1; -+ OPENSSL_free(p); -+ return r; -+ } -+ -+int do_bn_print(FILE *out, BIGNUM *bn) -+ { -+ int len, i; -+ unsigned char *tmp; -+ len = BN_num_bytes(bn); -+ if (len == 0) -+ { -+ fputs("00", out); -+ return 1; -+ } -+ -+ tmp = OPENSSL_malloc(len); -+ if (!tmp) -+ { -+ fprintf(stderr, "Memory allocation error\n"); -+ return 0; -+ } -+ BN_bn2bin(bn, tmp); -+ for (i = 0; i < len; i++) -+ fprintf(out, "%02x", tmp[i]); -+ OPENSSL_free(tmp); -+ return 1; -+ } -+ -+int do_bn_print_name(FILE *out, const char *name, BIGNUM *bn) -+ { -+ int r; -+ fprintf(out, "%s = ", name); -+ r = do_bn_print(out, bn); -+ if (!r) -+ return 0; -+ fputs("\n", out); -+ return 1; -+ } -+ -+int parse_line(char **pkw, char **pval, char *linebuf, char *olinebuf) -+ { -+ char 
*keyword, *value, *p, *q; -+ strcpy(linebuf, olinebuf); -+ keyword = linebuf; -+ /* Skip leading space */ -+ while (isspace((unsigned char)*keyword)) -+ keyword++; -+ -+ /* Look for = sign */ -+ p = strchr(linebuf, '='); -+ -+ /* If no '=' exit */ -+ if (!p) -+ return 0; -+ -+ q = p - 1; -+ -+ /* Remove trailing space */ -+ while (isspace((unsigned char)*q)) -+ *q-- = 0; -+ -+ *p = 0; -+ value = p + 1; -+ -+ /* Remove leading space from value */ -+ while (isspace((unsigned char)*value)) -+ value++; -+ -+ /* Remove trailing space from value */ -+ p = value + strlen(value) - 1; -+ -+ while (*p == '\n' || isspace((unsigned char)*p)) -+ *p-- = 0; -+ -+ *pkw = keyword; -+ *pval = value; -+ return 1; -+ } -+ -+BIGNUM *hex2bn(const char *in) -+ { -+ BIGNUM *p=NULL; -+ -+ if (!do_hex2bn(&p, in)) -+ return NULL; -+ -+ return p; -+ } -+ -+int bin2hex(const unsigned char *in,int len,char *out) -+ { -+ int n1, n2; -+ unsigned char ch; -+ -+ for (n1=0,n2=0 ; n1 < len ; ++n1) -+ { -+ ch=in[n1] >> 4; -+ if (ch <= 0x09) -+ out[n2++]=ch+'0'; -+ else -+ out[n2++]=ch-10+'a'; -+ ch=in[n1] & 0x0f; -+ if(ch <= 0x09) -+ out[n2++]=ch+'0'; -+ else -+ out[n2++]=ch-10+'a'; -+ } -+ out[n2]='\0'; -+ return n2; -+ } -+ -+void pv(const char *tag,const unsigned char *val,int len) -+ { -+ char obuf[2048]; -+ -+ bin2hex(val,len,obuf); -+ printf("%s = %s\n",tag,obuf); -+ } -+ -+/* To avoid extensive changes to test program at this stage just convert -+ * the input line into an acceptable form. Keyword lines converted to form -+ * "keyword = value\n" no matter what white space present, all other lines -+ * just have leading and trailing space removed. 
-+ */ -+ -+int tidy_line(char *linebuf, char *olinebuf) -+ { -+ char *keyword, *value, *p, *q; -+ strcpy(linebuf, olinebuf); -+ keyword = linebuf; -+ /* Skip leading space */ -+ while (isspace((unsigned char)*keyword)) -+ keyword++; -+ /* Look for = sign */ -+ p = strchr(linebuf, '='); -+ -+ /* If no '=' just chop leading, trailing ws */ -+ if (!p) -+ { -+ p = keyword + strlen(keyword) - 1; -+ while (*p == '\n' || isspace((unsigned char)*p)) -+ *p-- = 0; -+ strcpy(olinebuf, keyword); -+ strcat(olinebuf, "\n"); -+ return 1; -+ } -+ -+ q = p - 1; -+ -+ /* Remove trailing space */ -+ while (isspace((unsigned char)*q)) -+ *q-- = 0; -+ -+ *p = 0; -+ value = p + 1; -+ -+ /* Remove leading space from value */ -+ while (isspace((unsigned char)*value)) -+ value++; -+ -+ /* Remove trailing space from value */ -+ p = value + strlen(value) - 1; -+ -+ while (*p == '\n' || isspace((unsigned char)*p)) -+ *p-- = 0; -+ -+ strcpy(olinebuf, keyword); -+ strcat(olinebuf, " = "); -+ strcat(olinebuf, value); -+ strcat(olinebuf, "\n"); -+ -+ return 1; -+ } -+ -+/* NB: this return the number of _bits_ read */ -+int bint2bin(const char *in, int len, unsigned char *out) -+ { -+ int n; -+ -+ memset(out,0,len); -+ for(n=0 ; n < len ; ++n) -+ if(in[n] == '1') -+ out[n/8]|=(0x80 >> (n%8)); -+ return len; -+ } -+ -+int bin2bint(const unsigned char *in,int len,char *out) -+ { -+ int n; -+ -+ for(n=0 ; n < len ; ++n) -+ out[n]=(in[n/8]&(0x80 >> (n%8))) ? 
'1' : '0'; -+ return n; -+ } -+ -+/*-----------------------------------------------*/ -+ -+void PrintValue(char *tag, unsigned char *val, int len) -+{ -+#if VERBOSE -+ char obuf[2048]; -+ int olen; -+ olen = bin2hex(val, len, obuf); -+ printf("%s = %.*s\n", tag, olen, obuf); -+#endif -+} -+ -+void OutputValue(char *tag, unsigned char *val, int len, FILE *rfp,int bitmode) -+ { -+ char obuf[2048]; -+ int olen; -+ -+ if(bitmode) -+ olen=bin2bint(val,len,obuf); -+ else -+ olen=bin2hex(val,len,obuf); -+ -+ fprintf(rfp, "%s = %.*s\n", tag, olen, obuf); -+#if VERBOSE -+ printf("%s = %.*s\n", tag, olen, obuf); -+#endif -+ } -diff --git a/crypto/o_init.c b/crypto/o_init.c -index a235755..ffcf39b 100644 ---- a/crypto/o_init.c -+++ b/crypto/o_init.c -@@ -75,9 +75,12 @@ static void init_fips_mode(void) - /* Ensure the selftests always run */ - FIPS_mode_set(1); - -+ /* For now, do not enforce fips mode via env var - if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { - buf[0] = '1'; - } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { -+ */ -+ if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { - while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; - close(fd); - } -@@ -108,9 +111,11 @@ void __attribute__ ((constructor)) OPENSSL_init_library(void) - return; - done = 1; - #ifdef OPENSSL_FIPS -+ /* For now, do not check for /etc/system-fips to see if fips installed - if (!FIPS_module_installed()) { - return; - } -+ */ - RAND_init_fips(); - init_fips_mode(); - if (!FIPS_mode()) { -diff --git a/crypto/rand/rand.h b/crypto/rand/rand.h -index 09dc4cc..2553afd 100644 ---- a/crypto/rand/rand.h -+++ b/crypto/rand/rand.h -@@ -133,34 +133,16 @@ void ERR_load_RAND_strings(void); - /* Error codes for the RAND functions. */ - - /* Function codes. 
*/ --# define RAND_F_ENG_RAND_GET_RAND_METHOD 108 --# define RAND_F_FIPS_RAND 103 --# define RAND_F_FIPS_RAND_BYTES 102 --# define RAND_F_FIPS_RAND_SET_DT 106 --# define RAND_F_FIPS_X931_SET_DT 106 --# define RAND_F_FIPS_SET_DT 104 --# define RAND_F_FIPS_SET_PRNG_SEED 107 --# define RAND_F_FIPS_SET_TEST_MODE 105 - # define RAND_F_RAND_GET_RAND_METHOD 101 --# define RAND_F_RAND_INIT_FIPS 109 -+# define RAND_F_RAND_INIT_FIPS 102 - # define RAND_F_SSLEAY_RAND_BYTES 100 - - /* Reason codes. */ --# define RAND_R_DUAL_EC_DRBG_DISABLED 114 --# define RAND_R_ERROR_INITIALISING_DRBG 112 --# define RAND_R_ERROR_INSTANTIATING_DRBG 113 --# define RAND_R_NON_FIPS_METHOD 105 --# define RAND_R_NOT_IN_TEST_MODE 106 --# define RAND_R_NO_FIPS_RANDOM_METHOD_SET 111 --# define RAND_R_NO_KEY_SET 107 --# define RAND_R_PRNG_ASKING_FOR_TOO_MUCH 101 --# define RAND_R_PRNG_ERROR 108 --# define RAND_R_PRNG_KEYED 109 --# define RAND_R_PRNG_NOT_REKEYED 102 --# define RAND_R_PRNG_NOT_RESEEDED 103 -+# define RAND_R_DUAL_EC_DRBG_DISABLED 104 -+# define RAND_R_ERROR_INITIALISING_DRBG 102 -+# define RAND_R_ERROR_INSTANTIATING_DRBG 103 -+# define RAND_R_NO_FIPS_RANDOM_METHOD_SET 101 - # define RAND_R_PRNG_NOT_SEEDED 100 --# define RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY 110 --# define RAND_R_PRNG_STUCK 104 - - #ifdef __cplusplus - } -diff --git a/crypto/rsa/rsa.h b/crypto/rsa/rsa.h -index d2e93dd..1317acd 100644 ---- a/crypto/rsa/rsa.h -+++ b/crypto/rsa/rsa.h -@@ -547,7 +547,7 @@ void ERR_load_RSA_strings(void); - # define RSA_F_RSA_ALGOR_TO_MD 157 - # define RSA_F_RSA_BUILTIN_KEYGEN 129 - # define RSA_F_RSA_CHECK_KEY 123 --# define RSA_F_RSA_CMS_DECRYPT 258 -+# define RSA_F_RSA_CMS_DECRYPT 158 - # define RSA_F_RSA_EAY_PRIVATE_DECRYPT 101 - # define RSA_F_RSA_EAY_PRIVATE_ENCRYPT 102 - # define RSA_F_RSA_EAY_PUBLIC_DECRYPT 103 -@@ -568,7 +568,7 @@ void ERR_load_RSA_strings(void); - # define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121 - # define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1 160 - # define 
RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125 --# define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 158 -+# define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 148 - # define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108 - # define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109 - # define RSA_F_RSA_PADDING_ADD_SSLV23 110 -@@ -582,23 +582,23 @@ void ERR_load_RSA_strings(void); - # define RSA_F_RSA_PADDING_CHECK_X931 128 - # define RSA_F_RSA_PRINT 115 - # define RSA_F_RSA_PRINT_FP 116 --# define RSA_F_RSA_PRIVATE_DECRYPT 157 --# define RSA_F_RSA_PRIVATE_ENCRYPT 148 -+# define RSA_F_RSA_PRIVATE_DECRYPT 150 -+# define RSA_F_RSA_PRIVATE_ENCRYPT 151 - # define RSA_F_RSA_PRIV_DECODE 137 - # define RSA_F_RSA_PRIV_ENCODE 138 - # define RSA_F_RSA_PSS_TO_CTX 162 --# define RSA_F_RSA_PUBLIC_DECRYPT 149 -+# define RSA_F_RSA_PUBLIC_DECRYPT 152 - # define RSA_F_RSA_PUBLIC_ENCRYPT 153 - # define RSA_F_RSA_PUB_DECODE 139 - # define RSA_F_RSA_SETUP_BLINDING 136 --# define RSA_F_RSA_SET_DEFAULT_METHOD 150 --# define RSA_F_RSA_SET_METHOD 151 - # define RSA_F_RSA_SIGN 117 - # define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118 - # define RSA_F_RSA_VERIFY 119 - # define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120 - # define RSA_F_RSA_VERIFY_PKCS1_PSS 126 --# define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 152 -+# define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 149 -+# define RSA_F_RSA_SET_DEFAULT_METHOD 200 -+# define RSA_F_RSA_SET_METHOD 201 - - /* Reason codes. 
*/ - # define RSA_R_ALGORITHM_MISMATCH 100 -@@ -631,22 +631,21 @@ void ERR_load_RSA_strings(void); - # define RSA_R_INVALID_OAEP_PARAMETERS 162 - # define RSA_R_INVALID_PADDING 138 - # define RSA_R_INVALID_PADDING_MODE 141 --# define RSA_R_INVALID_PSS_PARAMETERS 157 -+# define RSA_R_INVALID_PSS_PARAMETERS 149 - # define RSA_R_INVALID_PSS_SALTLEN 146 --# define RSA_R_INVALID_SALT_LENGTH 158 -+# define RSA_R_INVALID_SALT_LENGTH 150 - # define RSA_R_INVALID_TRAILER 139 - # define RSA_R_INVALID_X931_DIGEST 142 - # define RSA_R_IQMP_NOT_INVERSE_OF_Q 126 - # define RSA_R_KEY_SIZE_TOO_SMALL 120 - # define RSA_R_LAST_OCTET_INVALID 134 - # define RSA_R_MODULUS_TOO_LARGE 105 --# define RSA_R_NON_FIPS_RSA_METHOD 149 --# define RSA_R_NON_FIPS_METHOD 149 -+# define RSA_R_NON_FIPS_RSA_METHOD 157 - # define RSA_R_NO_PUBLIC_EXPONENT 140 - # define RSA_R_NULL_BEFORE_BLOCK_MISSING 113 - # define RSA_R_N_DOES_NOT_EQUAL_P_Q 127 - # define RSA_R_OAEP_DECODING_ERROR 121 --# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 150 -+# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 158 - # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 - # define RSA_R_PADDING_CHECK_FAILED 114 - # define RSA_R_PKCS_DECODING_ERROR 159 -@@ -669,6 +668,7 @@ void ERR_load_RSA_strings(void); - # define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155 - # define RSA_R_VALUE_MISSING 147 - # define RSA_R_WRONG_SIGNATURE_LENGTH 119 -+# define RSA_R_NON_FIPS_METHOD 200 - - #ifdef __cplusplus - } -diff --git a/crypto/rsa/rsa_err.c b/crypto/rsa/rsa_err.c -index 9557e1d..ea092dd 100644 ---- a/crypto/rsa/rsa_err.c -+++ b/crypto/rsa/rsa_err.c -@@ -1,6 +1,6 @@ - /* crypto/rsa/rsa_err.c */ - /* ==================================================================== -- * Copyright (c) 1999-2014 The OpenSSL Project. All rights reserved. -+ * Copyright (c) 1999-2016 The OpenSSL Project. All rights reserved. 
- * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions -@@ -136,8 +136,6 @@ static ERR_STRING_DATA RSA_str_functs[] = { - {ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"}, - {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"}, - {ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"}, -- {ERR_FUNC(RSA_F_RSA_SET_DEFAULT_METHOD), "RSA_set_default_method"}, -- {ERR_FUNC(RSA_F_RSA_SET_METHOD), "RSA_set_method"}, - {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"}, - {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), - "RSA_sign_ASN1_OCTET_STRING"}, -@@ -146,6 +144,8 @@ static ERR_STRING_DATA RSA_str_functs[] = { - "RSA_verify_ASN1_OCTET_STRING"}, - {ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS), "RSA_verify_PKCS1_PSS"}, - {ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1), "RSA_verify_PKCS1_PSS_mgf1"}, -+ {ERR_FUNC(RSA_F_RSA_SET_DEFAULT_METHOD), "RSA_set_default_method"}, -+ {ERR_FUNC(RSA_F_RSA_SET_METHOD), "RSA_set_method"}, - {0, NULL} - }; - -@@ -232,6 +232,7 @@ static ERR_STRING_DATA RSA_str_reasons[] = { - "unsupported signature type"}, - {ERR_REASON(RSA_R_VALUE_MISSING), "value missing"}, - {ERR_REASON(RSA_R_WRONG_SIGNATURE_LENGTH), "wrong signature length"}, -+ {ERR_REASON(RSA_R_NON_FIPS_METHOD), "non fips method"}, - {0, NULL} - }; - -diff --git a/crypto/sha/sha.h b/crypto/sha/sha.h -index ccec037..cb52fc8 100644 ---- a/crypto/sha/sha.h -+++ b/crypto/sha/sha.h -@@ -105,6 +105,9 @@ typedef struct SHAstate_st { - } SHA_CTX; - - # ifndef OPENSSL_NO_SHA0 -+#ifdef OPENSSL_FIPS -+int private_SHA_Init(SHA_CTX *c); -+#endif - int SHA_Init(SHA_CTX *c); - int SHA_Update(SHA_CTX *c, const void *data, size_t len); - int SHA_Final(unsigned char *md, SHA_CTX *c); -diff --git a/openssl.ld b/openssl.ld -index 8d40f31..dcbfdac 100644 ---- a/openssl.ld -+++ b/openssl.ld -@@ -4617,5 +4617,15 @@ OPENSSL_1.0.2g { - global: - SRP_VBASE_get1_by_user; - SRP_user_pwd_free; -+ OPENSSL_init_library; -+ 
private_BF_set_key; -+ private_CAST_set_key; -+ private_idea_set_encrypt_key; -+ private_SEED_set_key; -+ private_RC2_set_key; -+ private_RC4_set_key; -+ private_AES_set_encrypt_key; -+ private_AES_set_decrypt_key; -+ private_Camellia_set_key; - } OPENSSL_1.0.2; - diff -Nru openssl-1.0.2g/debian/patches/series openssl-1.0.2g/debian/patches/series --- openssl-1.0.2g/debian/patches/series 2016-04-15 04:56:29.000000000 +0000 +++ openssl-1.0.2g/debian/patches/series 2021-06-28 13:05:36.000000000 +0000 
@@ -19,9 +19,65 @@
 perlpath-quilt.patch
 no-sslv3.patch
 arm64-aarch64_asm.patch
-openssl-1.0.2g-fips.patch
-openssl-1.0.2a-fips-ec.patch
-openssl-1.0.2a-fips-md5-allow.patch
-openssl-1.0.2a-fips-ctor.patch
-openssl-1.0.2f-new-fips-reqs.patch
-openssl-1.0.2g-ubuntu-fips-cleanup.patch
+CVE-2016-2105.patch
+CVE-2016-2106.patch
+CVE-2016-2107.patch
+CVE-2016-2108.patch
+CVE-2016-2109.patch
+0b48a24ce993d1a4409d7bde26295f6df0d173cb.patch
+CVE-2016-2177.patch
+CVE-2016-2178-1.patch
+CVE-2016-2178-2.patch
+CVE-2016-2179.patch
+CVE-2016-2180.patch
+CVE-2016-2181-1.patch
+CVE-2016-2181-2.patch
+CVE-2016-2181-3.patch
+CVE-2016-2182.patch
+CVE-2016-2183.patch
+CVE-2016-6302.patch
+CVE-2016-6303.patch
+CVE-2016-6304.patch
+CVE-2016-6306-1.patch
+CVE-2016-6306-2.patch
+CVE-2016-2182-2.patch
+CVE-2016-7055.patch
+CVE-2016-8610.patch
+CVE-2016-8610-2.patch
+CVE-2017-3731.patch
+CVE-2017-3732.patch
+move-extended-feature-detection.patch
+fix-sha-ni.patch
+CVE-2017-3735.patch
+CVE-2017-3736.patch
+CVE-2017-3737-pre.patch
+CVE-2017-3737-1.patch
+CVE-2017-3737-2.patch
+CVE-2017-3738.patch
+CVE-2018-0739.patch
+CVE-2018-0495.patch
+CVE-2018-0732.patch
+CVE-2018-0737-1.patch
+CVE-2018-0737-2.patch
+CVE-2018-0737-3.patch
+CVE-2018-0737-4.patch
+CVE-2018-0734-pre1.patch
+CVE-2018-0734-1.patch
+CVE-2018-0734-2.patch
+CVE-2018-0734-3.patch
+CVE-2018-5407.patch
+CVE-2019-1559.patch
+CVE-2019-1547.patch
+CVE-2019-1551.patch
+CVE-2019-1563.patch
+CVE-2020-1968.patch
+CVE-2020-1971-1.patch
+CVE-2020-1971-2.patch
+CVE-2020-1971-3.patch
+CVE-2020-1971-4.patch
+CVE-2020-1971-5.patch
+CVE-2021-23840-pre1.patch
+CVE-2021-23840-pre2.patch
+CVE-2021-23840.patch
+CVE-2021-23841.patch
+trusted-first-by-default.patch
diff -Nru openssl-1.0.2g/debian/patches/trusted-first-by-default.patch openssl-1.0.2g/debian/patches/trusted-first-by-default.patch
--- openssl-1.0.2g/debian/patches/trusted-first-by-default.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2g/debian/patches/trusted-first-by-default.patch 2021-06-28 13:05:36.000000000 +0000
@@ -0,0 +1,19 @@
+Description: Enable X509_V_FLAG_TRUSTED_FIRST by default
+ This is to ensure that letsencrypt connection with the default chain
+ remains trusted even after the expiry of the redundand CA
+ certificate.
+Author: Dimitri John Ledkov
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1928989
+
+
+--- openssl-1.0.2g.orig/crypto/x509/x509_vpm.c
++++ openssl-1.0.2g/crypto/x509/x509_vpm.c
+@@ -537,7 +537,7 @@ static const X509_VERIFY_PARAM default_t
+ "default", /* X509 default parameters */
+ 0, /* Check time */
+ 0, /* internal flags */
+- 0, /* flags */
++ X509_V_FLAG_TRUSTED_FIRST, /* flags */
+ 0, /* purpose */
+ 0, /* trust */
+ 100, /* depth */
diff -Nru openssl-1.0.2g/debian/rules openssl-1.0.2g/debian/rules
--- openssl-1.0.2g/debian/rules 2016-04-12 20:37:38.000000000 +0000
+++ openssl-1.0.2g/debian/rules 2016-08-19 17:05:06.000000000 +0000
@@ -41,7 +41,7 @@
 ifeq ($(DEB_HOST_ARCH),amd64)
 ARCH_CONFARGS := enable-ec_nistp_64_gcc_128
 endif
-CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib enable-tlsext no-ssl2 no-ssl3 enable-unit-test fips $(ARCH_CONFARGS)
+CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib enable-tlsext no-ssl2 no-ssl3 enable-unit-test $(ARCH_CONFARGS)
 OPT_alpha = ev4 ev5
 ARCHOPTS = OPT_$(DEB_HOST_ARCH)
 OPTS = $($(ARCHOPTS))
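Review bot: The Description should say how a consumer opts back out, because putting X509_V_FLAG_TRUSTED_FIRST into the "default" entry of default_table changes chain building for every application that inherits those parameters, and this ships in a security update; a sentence such as `Applications that need the peer-supplied chain preferred can clear the flag with X509_VERIFY_PARAM_clear_flags(param, X509_V_FLAG_TRUSTED_FIRST).` would cover it. The stated rationale only holds when the system trust store already carries the newer root that a trusted-first lookup is meant to prefer over the expired one sent by the peer, which is worth stating explicitly, together with the spelling fix `redundant`. Whether X509_VERIFY_PARAM objects that are not inherited from the "default" entry pick the flag up is not visible in this patch and should be confirmed against X509_STORE_CTX_init before relying on the changelog claim. A Forwarded: or Origin: line would also record how this relates to upstream's later behaviour.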