1 diff -up openssl-1.0.1e/apps/pkcs12.c.fips openssl-1.0.1e/apps/pkcs12.c
2 --- openssl-1.0.1e/apps/pkcs12.c.fips 2013-02-11 16:26:04.000000000 +0100
3 +++ openssl-1.0.1e/apps/pkcs12.c 2013-02-19 12:47:33.714118364 +0100
5 #include <openssl/err.h>
6 #include <openssl/pem.h>
7 #include <openssl/pkcs12.h>
9 +#include <openssl/fips.h>
12 #define PROG pkcs12_main
14 @@ -130,6 +133,11 @@ int MAIN(int argc, char **argv)
20 + cert_pbe = key_pbe; /* cannot use RC2 in the FIPS mode */
23 enc = EVP_des_ede3_cbc();
24 if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
26 diff -up openssl-1.0.1e/apps/speed.c.fips openssl-1.0.1e/apps/speed.c
27 --- openssl-1.0.1e/apps/speed.c.fips 2013-02-11 16:26:04.000000000 +0100
28 +++ openssl-1.0.1e/apps/speed.c 2013-02-19 12:47:33.715118384 +0100
30 #ifdef OPENSSL_DOING_MAKEDEPEND
31 #undef AES_set_encrypt_key
32 #undef AES_set_decrypt_key
33 -#undef DES_set_key_unchecked
35 #define BF_set_key private_BF_set_key
36 #define CAST_set_key private_CAST_set_key
38 #define SEED_set_key private_SEED_set_key
39 #define RC2_set_key private_RC2_set_key
40 #define RC4_set_key private_RC4_set_key
41 -#define DES_set_key_unchecked private_DES_set_key_unchecked
42 #define AES_set_encrypt_key private_AES_set_encrypt_key
43 #define AES_set_decrypt_key private_AES_set_decrypt_key
44 #define Camellia_set_key private_Camellia_set_key
45 @@ -941,7 +939,12 @@ int MAIN(int argc, char **argv)
46 #ifndef OPENSSL_NO_RSA
47 if (strcmp(*argv,"rsa") == 0)
53 rsa_doit[R_RSA_512]=1;
55 rsa_doit[R_RSA_1024]=1;
56 rsa_doit[R_RSA_2048]=1;
57 rsa_doit[R_RSA_4096]=1;
58 @@ -951,7 +954,12 @@ int MAIN(int argc, char **argv)
59 #ifndef OPENSSL_NO_DSA
60 if (strcmp(*argv,"dsa") == 0)
66 dsa_doit[R_DSA_512]=1;
68 dsa_doit[R_DSA_1024]=1;
69 dsa_doit[R_DSA_2048]=1;
71 @@ -1226,30 +1234,54 @@ int MAIN(int argc, char **argv)
72 AES_set_encrypt_key(key32,256,&aes_ks3);
74 #ifndef OPENSSL_NO_CAMELLIA
75 + if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML])
77 Camellia_set_key(key16,128,&camellia_ks1);
78 Camellia_set_key(ckey24,192,&camellia_ks2);
79 Camellia_set_key(ckey32,256,&camellia_ks3);
82 #ifndef OPENSSL_NO_IDEA
83 + if (doit[D_CBC_IDEA])
85 idea_set_encrypt_key(key16,&idea_ks);
88 #ifndef OPENSSL_NO_SEED
89 + if (doit[D_CBC_SEED])
91 SEED_set_key(key16,&seed_ks);
94 #ifndef OPENSSL_NO_RC4
97 RC4_set_key(&rc4_ks,16,key16);
100 #ifndef OPENSSL_NO_RC2
101 + if (doit[D_CBC_RC2])
103 RC2_set_key(&rc2_ks,16,key16,128);
106 #ifndef OPENSSL_NO_RC5
107 + if (doit[D_CBC_RC5])
109 RC5_32_set_key(&rc5_ks,16,key16,12);
112 #ifndef OPENSSL_NO_BF
113 + if (doit[D_CBC_BF])
115 BF_set_key(&bf_ks,16,key16);
118 #ifndef OPENSSL_NO_CAST
119 + if (doit[D_CBC_CAST])
121 CAST_set_key(&cast_ks,16,key16);
124 #ifndef OPENSSL_NO_RSA
125 memset(rsa_c,0,sizeof(rsa_c));
126 diff -up openssl-1.0.1e/Configure.fips openssl-1.0.1e/Configure
127 --- openssl-1.0.1e/Configure.fips 2013-02-19 12:47:33.670117470 +0100
128 +++ openssl-1.0.1e/Configure 2013-02-19 12:47:33.716118405 +0100
129 @@ -995,11 +995,6 @@ if (defined($disabled{"md5"}) || defined
130 $disabled{"ssl2"} = "forced";
133 -if ($fips && $fipslibdir eq "")
135 - $fipslibdir = $fipsdir . "/lib/";
138 # RSAX ENGINE sets default non-FIPS RSA method.
141 @@ -1474,7 +1469,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($b
144 $openssl_other_defines.="#define OPENSSL_FIPS\n";
145 - $cflags .= " -I\$(FIPSDIR)/include";
148 $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/);
149 @@ -1661,9 +1655,12 @@ while (<IN>)
151 s/^FIPSDIR=.*/FIPSDIR=$fipsdir/;
152 s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
153 - s/^FIPSCANLIB=.*/FIPSCANLIB=libcrypto/ if $fips;
154 s/^BASEADDR=.*/BASEADDR=$baseaddr/;
158 + s/^FIPS=.*/FIPS=yes/;
160 s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
161 s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
162 s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
163 diff -up openssl-1.0.1e/crypto/aes/aes_misc.c.fips openssl-1.0.1e/crypto/aes/aes_misc.c
164 --- openssl-1.0.1e/crypto/aes/aes_misc.c.fips 2013-02-11 16:26:04.000000000 +0100
165 +++ openssl-1.0.1e/crypto/aes/aes_misc.c 2013-02-19 12:47:33.717118426 +0100
166 @@ -69,17 +69,11 @@ const char *AES_options(void) {
167 int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
171 - fips_cipher_abort(AES);
173 return private_AES_set_encrypt_key(userKey, bits, key);
176 int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
180 - fips_cipher_abort(AES);
182 return private_AES_set_decrypt_key(userKey, bits, key);
184 diff -up openssl-1.0.1e/crypto/cmac/cmac.c.fips openssl-1.0.1e/crypto/cmac/cmac.c
185 --- openssl-1.0.1e/crypto/cmac/cmac.c.fips 2013-02-11 16:26:04.000000000 +0100
186 +++ openssl-1.0.1e/crypto/cmac/cmac.c 2013-02-19 12:47:33.717118426 +0100
187 @@ -107,13 +107,6 @@ CMAC_CTX *CMAC_CTX_new(void)
189 void CMAC_CTX_cleanup(CMAC_CTX *ctx)
192 - if (FIPS_mode() && !ctx->cctx.engine)
194 - FIPS_cmac_ctx_cleanup(ctx);
198 EVP_CIPHER_CTX_cleanup(&ctx->cctx);
199 OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH);
200 OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH);
201 @@ -164,11 +157,6 @@ int CMAC_Init(CMAC_CTX *ctx, const void
202 EVPerr(EVP_F_CMAC_INIT, EVP_R_DISABLED_FOR_FIPS);
205 - /* Other algorithm blocking will be done in FIPS_cmac_init,
206 - * via FIPS_cipherinit().
208 - if (!impl && !ctx->cctx.engine)
209 - return FIPS_cmac_init(ctx, key, keylen, cipher, NULL);
212 /* All zeros means restart */
213 @@ -216,10 +204,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi
215 const unsigned char *data = in;
218 - if (FIPS_mode() && !ctx->cctx.engine)
219 - return FIPS_cmac_update(ctx, in, dlen);
221 if (ctx->nlast_block == -1)
224 @@ -261,10 +245,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi
225 int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen)
229 - if (FIPS_mode() && !ctx->cctx.engine)
230 - return FIPS_cmac_final(ctx, out, poutlen);
232 if (ctx->nlast_block == -1)
234 bl = EVP_CIPHER_CTX_block_size(&ctx->cctx);
235 diff -up openssl-1.0.1e/crypto/crypto.h.fips openssl-1.0.1e/crypto/crypto.h
236 --- openssl-1.0.1e/crypto/crypto.h.fips 2013-02-19 12:47:33.444112876 +0100
237 +++ openssl-1.0.1e/crypto/crypto.h 2013-02-19 12:47:33.718118447 +0100
238 @@ -553,24 +553,29 @@ int FIPS_mode_set(int r);
239 void OPENSSL_init(void);
241 #define fips_md_init(alg) fips_md_init_ctx(alg, alg)
242 +#define nonfips_md_init(alg) nonfips_md_init_ctx(alg, alg)
243 +#define fips_md_init_ctx(alg, cx) \
244 + int alg##_Init(cx##_CTX *c)
247 -#define fips_md_init_ctx(alg, cx) \
248 +#define nonfips_md_init_ctx(alg, cx) \
249 int alg##_Init(cx##_CTX *c) \
251 if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
252 - "Low level API call to digest " #alg " forbidden in FIPS mode!"); \
253 + "Digest " #alg " forbidden in FIPS mode!"); \
254 return private_##alg##_Init(c); \
256 int private_##alg##_Init(cx##_CTX *c)
258 #define fips_cipher_abort(alg) \
259 if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
260 - "Low level API call to cipher " #alg " forbidden in FIPS mode!")
261 + "Cipher " #alg " forbidden in FIPS mode!")
263 +/* die if FIPS selftest failed */
264 +void FIPS_selftest_check(void);
267 -#define fips_md_init_ctx(alg, cx) \
268 - int alg##_Init(cx##_CTX *c)
269 +#define nonfips_md_init_ctx(alg, cx) fips_md_init_ctx(alg, cx)
270 #define fips_cipher_abort(alg) while(0)
273 @@ -587,6 +592,9 @@ int CRYPTO_memcmp(const void *a, const v
275 void ERR_load_CRYPTO_strings(void);
277 +#define OPENSSL_HAVE_INIT 1
278 +void OPENSSL_init_library(void);
280 /* Error codes for the CRYPTO functions. */
282 /* Function codes. */
283 diff -up openssl-1.0.1e/crypto/des/des.h.fips openssl-1.0.1e/crypto/des/des.h
284 --- openssl-1.0.1e/crypto/des/des.h.fips 2013-02-19 12:47:33.516114340 +0100
285 +++ openssl-1.0.1e/crypto/des/des.h 2013-02-19 12:47:33.718118447 +0100
286 @@ -224,9 +224,6 @@ int DES_set_key(const_DES_cblock *key,DE
287 int DES_key_sched(const_DES_cblock *key,DES_key_schedule *schedule);
288 int DES_set_key_checked(const_DES_cblock *key,DES_key_schedule *schedule);
289 void DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule);
291 -void private_DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule);
293 void DES_string_to_key(const char *str,DES_cblock *key);
294 void DES_string_to_2keys(const char *str,DES_cblock *key1,DES_cblock *key2);
295 void DES_cfb64_encrypt(const unsigned char *in,unsigned char *out,long length,
296 diff -up openssl-1.0.1e/crypto/des/set_key.c.fips openssl-1.0.1e/crypto/des/set_key.c
297 --- openssl-1.0.1e/crypto/des/set_key.c.fips 2013-02-11 16:26:04.000000000 +0100
298 +++ openssl-1.0.1e/crypto/des/set_key.c 2013-02-19 12:47:33.719118468 +0100
299 @@ -336,13 +336,6 @@ int DES_set_key_checked(const_DES_cblock
302 void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
305 - fips_cipher_abort(DES);
306 - private_DES_set_key_unchecked(key, schedule);
308 -void private_DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
311 static const int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0};
312 register DES_LONG c,d,t,s,t2;
313 diff -up openssl-1.0.1e/crypto/dh/dh_gen.c.fips openssl-1.0.1e/crypto/dh/dh_gen.c
314 --- openssl-1.0.1e/crypto/dh/dh_gen.c.fips 2013-02-11 16:26:04.000000000 +0100
315 +++ openssl-1.0.1e/crypto/dh/dh_gen.c 2013-02-19 12:47:33.719118468 +0100
316 @@ -84,11 +84,6 @@ int DH_generate_parameters_ex(DH *ret, i
318 if(ret->meth->generate_params)
319 return ret->meth->generate_params(ret, prime_len, generator, cb);
322 - return FIPS_dh_generate_parameters_ex(ret, prime_len,
325 return dh_builtin_genparams(ret, prime_len, generator, cb);
328 @@ -123,6 +118,20 @@ static int dh_builtin_genparams(DH *ret,
333 + if(FIPS_selftest_failed())
335 + FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS,FIPS_R_FIPS_SELFTEST_FAILED);
339 + if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
341 + DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
347 if (ctx == NULL) goto err;
349 diff -up openssl-1.0.1e/crypto/dh/dh.h.fips openssl-1.0.1e/crypto/dh/dh.h
350 --- openssl-1.0.1e/crypto/dh/dh.h.fips 2013-02-19 12:47:33.388111739 +0100
351 +++ openssl-1.0.1e/crypto/dh/dh.h 2013-02-19 12:47:33.719118468 +0100
353 # define OPENSSL_DH_MAX_MODULUS_BITS 10000
356 +#define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
358 #define DH_FLAG_CACHE_MONT_P 0x01
359 #define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
360 * implementation now uses constant time
361 diff -up openssl-1.0.1e/crypto/dh/dh_key.c.fips openssl-1.0.1e/crypto/dh/dh_key.c
362 --- openssl-1.0.1e/crypto/dh/dh_key.c.fips 2013-02-11 16:26:04.000000000 +0100
363 +++ openssl-1.0.1e/crypto/dh/dh_key.c 2013-02-19 12:47:33.720118488 +0100
365 #include <openssl/bn.h>
366 #include <openssl/rand.h>
367 #include <openssl/dh.h>
369 +#include <openssl/fips.h>
372 static int generate_key(DH *dh);
373 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
374 @@ -104,7 +107,7 @@ compute_key,
379 +DH_FLAG_FIPS_METHOD,
383 @@ -123,6 +126,14 @@ static int generate_key(DH *dh)
384 BN_MONT_CTX *mont=NULL;
385 BIGNUM *pub_key=NULL,*priv_key=NULL;
388 + if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
390 + DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
396 if (ctx == NULL) goto err;
398 @@ -213,6 +224,13 @@ static int compute_key(unsigned char *ke
399 DHerr(DH_F_COMPUTE_KEY,DH_R_MODULUS_TOO_LARGE);
403 + if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
405 + DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
411 if (ctx == NULL) goto err;
412 @@ -280,6 +298,9 @@ static int dh_bn_mod_exp(const DH *dh, B
414 static int dh_init(DH *dh)
417 + FIPS_selftest_check();
419 dh->flags |= DH_FLAG_CACHE_MONT_P;
422 diff -up openssl-1.0.1e/crypto/dh/dh_lib.c.fips openssl-1.0.1e/crypto/dh/dh_lib.c
423 --- openssl-1.0.1e/crypto/dh/dh_lib.c.fips 2013-02-11 16:26:04.000000000 +0100
424 +++ openssl-1.0.1e/crypto/dh/dh_lib.c 2013-02-19 12:47:33.720118488 +0100
425 @@ -81,14 +81,7 @@ const DH_METHOD *DH_get_default_method(v
427 if(!default_DH_method)
431 - return FIPS_dh_openssl();
433 - return DH_OpenSSL();
435 default_DH_method = DH_OpenSSL();
438 return default_DH_method;
440 diff -up openssl-1.0.1e/crypto/dsa/dsa_err.c.fips openssl-1.0.1e/crypto/dsa/dsa_err.c
441 --- openssl-1.0.1e/crypto/dsa/dsa_err.c.fips 2013-02-11 16:26:04.000000000 +0100
442 +++ openssl-1.0.1e/crypto/dsa/dsa_err.c 2013-02-19 12:47:33.720118488 +0100
443 @@ -74,6 +74,8 @@ static ERR_STRING_DATA DSA_str_functs[]=
444 {ERR_FUNC(DSA_F_DO_DSA_PRINT), "DO_DSA_PRINT"},
445 {ERR_FUNC(DSA_F_DSAPARAMS_PRINT), "DSAparams_print"},
446 {ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP), "DSAparams_print_fp"},
447 +{ERR_FUNC(DSA_F_DSA_BUILTIN_KEYGEN), "dsa_builtin_keygen"},
448 +{ERR_FUNC(DSA_F_DSA_BUILTIN_PARAMGEN), "dsa_builtin_paramgen"},
449 {ERR_FUNC(DSA_F_DSA_DO_SIGN), "DSA_do_sign"},
450 {ERR_FUNC(DSA_F_DSA_DO_VERIFY), "DSA_do_verify"},
451 {ERR_FUNC(DSA_F_DSA_GENERATE_KEY), "DSA_generate_key"},
452 @@ -106,6 +108,8 @@ static ERR_STRING_DATA DSA_str_reasons[]
453 {ERR_REASON(DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
454 {ERR_REASON(DSA_R_DECODE_ERROR) ,"decode error"},
455 {ERR_REASON(DSA_R_INVALID_DIGEST_TYPE) ,"invalid digest type"},
456 +{ERR_REASON(DSA_R_KEY_SIZE_INVALID) ,"key size invalid"},
457 +{ERR_REASON(DSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"},
458 {ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"},
459 {ERR_REASON(DSA_R_MODULUS_TOO_LARGE) ,"modulus too large"},
460 {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES) ,"need new setup values"},
461 diff -up openssl-1.0.1e/crypto/dsa/dsa_gen.c.fips openssl-1.0.1e/crypto/dsa/dsa_gen.c
462 --- openssl-1.0.1e/crypto/dsa/dsa_gen.c.fips 2013-02-11 16:26:04.000000000 +0100
463 +++ openssl-1.0.1e/crypto/dsa/dsa_gen.c 2013-02-19 12:47:33.721118508 +0100
465 #include <openssl/fips.h>
468 +#ifndef OPENSSL_FIPS
469 +static int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
470 + const EVP_MD *evpmd, unsigned char *seed, int seed_len,
471 + BIGNUM **p_ret, BIGNUM **q_ret, int *counter_ret, BN_GENCB *cb);
472 +static int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
473 + BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb);
476 int DSA_generate_parameters_ex(DSA *ret, int bits,
477 const unsigned char *seed_in, int seed_len,
478 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
479 @@ -100,14 +108,6 @@ int DSA_generate_parameters_ex(DSA *ret,
480 if(ret->meth->dsa_paramgen)
481 return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
482 counter_ret, h_ret, cb);
484 - else if (FIPS_mode())
486 - return FIPS_dsa_generate_parameters_ex(ret, bits,
488 - counter_ret, h_ret, cb);
494 @@ -125,27 +125,119 @@ int DSA_generate_parameters_ex(DSA *ret,
497 return dsa_builtin_paramgen(ret, bits, qbits, evpmd,
498 - seed_in, seed_len, NULL, counter_ret, h_ret, cb);
499 + seed_in, seed_len, counter_ret, h_ret, cb);
504 +int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
505 + const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
506 + int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
508 + return dsa_builtin_paramgen(ret, bits, qbits,
509 + evpmd, seed_in, seed_len,
510 + counter_ret, h_ret, cb);
514 int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
515 const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
516 - unsigned char *seed_out,
517 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
520 unsigned char seed[SHA256_DIGEST_LENGTH];
521 + BIGNUM *g=NULL,*q=NULL,*p=NULL;
522 + size_t qsize = qbits >> 3;
526 + if(FIPS_selftest_failed())
528 + FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN,
529 + FIPS_R_FIPS_SELFTEST_FAILED);
533 + if (FIPS_module_mode() &&
534 + (bits != 1024 || qbits != 160) &&
535 + (bits != 2048 || qbits != 224) &&
536 + (bits != 2048 || qbits != 256) &&
537 + (bits != 3072 || qbits != 256))
539 + DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
543 + if (seed_len && (seed_len < (size_t)qsize))
544 + seed_in = NULL; /* seed buffer too small -- ignore */
545 + if (seed_len > sizeof(seed))
546 + seed_len = sizeof(seed); /* App. 2.2 of FIPS PUB 186 allows larger SEED,
547 + * but our internal buffers are restricted to 256 bits*/
548 + if (seed_in != NULL)
549 + memcpy(seed, seed_in, seed_len);
553 + if ((ctx=BN_CTX_new()) == NULL)
558 + if (!FIPS_dsa_generate_pq(ctx, bits, qbits, evpmd,
559 + seed, seed_len, &p, &q, counter_ret, cb))
562 + if (!FIPS_dsa_generate_g(ctx, p, q, &g, h_ret, cb))
587 + if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
598 +#ifndef OPENSSL_FIPS
601 +int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
602 + const EVP_MD *evpmd, unsigned char *seed, int seed_len,
603 + BIGNUM **p_ret, BIGNUM **q_ret, int *counter_ret, BN_GENCB *cb)
606 unsigned char md[SHA256_DIGEST_LENGTH];
607 - unsigned char buf[SHA256_DIGEST_LENGTH],buf2[SHA256_DIGEST_LENGTH];
608 + unsigned char buf[SHA256_DIGEST_LENGTH];
609 BIGNUM *r0,*W,*X,*c,*test;
610 - BIGNUM *g=NULL,*q=NULL,*p=NULL;
611 - BN_MONT_CTX *mont=NULL;
612 - int i, k, n=0, m=0, qsize = qbits >> 3;
613 + BIGNUM *q=NULL,*p=NULL;
614 + int i, k, b, n=0, m=0, qsize = qbits >> 3;
620 if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH &&
621 qsize != SHA256_DIGEST_LENGTH)
622 @@ -153,51 +245,43 @@ int dsa_builtin_paramgen(DSA *ret, size_
626 - /* use SHA1 as default */
627 - evpmd = EVP_sha1();
630 + evpmd = EVP_sha1();
631 + else if (qbits <= 224)
632 + evpmd = EVP_sha224();
634 + evpmd = EVP_sha256();
640 bits = (bits+63)/64*64;
642 - /* NB: seed_len == 0 is special case: copy generated seed to
643 - * seed_in if it is not NULL.
645 - if (seed_len && (seed_len < (size_t)qsize))
646 - seed_in = NULL; /* seed buffer too small -- ignore */
647 - if (seed_len > (size_t)qsize)
648 - seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger SEED,
649 - * but our internal buffers are restricted to 160 bits*/
650 - if (seed_in != NULL)
651 - memcpy(seed, seed_in, seed_len);
653 - if ((ctx=BN_CTX_new()) == NULL)
656 - if ((mont=BN_MONT_CTX_new()) == NULL)
660 r0 = BN_CTX_get(ctx);
661 - g = BN_CTX_get(ctx);
663 - q = BN_CTX_get(ctx);
664 + *q_ret = q = BN_CTX_get(ctx);
667 - p = BN_CTX_get(ctx);
668 + *p_ret = p = BN_CTX_get(ctx);
669 test = BN_CTX_get(ctx);
671 if (!BN_lshift(test,BN_value_one(),bits-1))
674 + /* step 3 n = \lceil bits / qbits \rceil - 1 */
675 + n = (bits+qbits-1)/qbits - 1;
676 + /* step 4 b = bits - 1 - n * qbits */
677 + b = bits - 1 - n*qbits;
681 for (;;) /* find q */
686 + /* step 5 generate seed */
687 if(!BN_GENCB_call(cb, 0, m++))
690 @@ -212,30 +296,18 @@ int dsa_builtin_paramgen(DSA *ret, size_
691 seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/
693 memcpy(buf , seed, qsize);
694 - memcpy(buf2, seed, qsize);
695 - /* precompute "SEED + 1" for step 7: */
696 - for (i = qsize-1; i >= 0; i--)
704 + /* step 6 U = hash(seed) */
705 if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
707 - if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
709 - for (i = 0; i < qsize; i++)
713 + /* step 7 q = 2^(qbits-1) + U + 1 - (U mod 2) */
716 if (!BN_bin2bn(md, qsize, q))
720 + /* step 8 test for prime (64 round of Rabin-Miller) */
721 r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
724 @@ -243,27 +315,22 @@ int dsa_builtin_paramgen(DSA *ret, size_
728 - /* do a callback call */
732 if(!BN_GENCB_call(cb, 2, 0)) goto err;
733 if(!BN_GENCB_call(cb, 3, 0)) goto err;
745 if ((counter != 0) && !BN_GENCB_call(cb, 0, counter))
749 + /* step 11.1, 11.2 obtain W */
751 - /* now 'buf' contains "SEED + offset - 1" */
754 /* obtain "SEED + offset + k" by incrementing: */
755 @@ -278,28 +345,30 @@ int dsa_builtin_paramgen(DSA *ret, size_
760 if (!BN_bin2bn(md, qsize, r0))
762 - if (!BN_lshift(r0,r0,(qsize << 3)*k)) goto err;
764 + BN_mask_bits(r0,b);
765 + if (!BN_lshift(r0,r0,qbits*k)) goto err;
766 if (!BN_add(W,W,r0)) goto err;
769 - /* more of step 8 */
770 - if (!BN_mask_bits(W,bits-1)) goto err;
771 + /* step 11.3 X = W + 2^(L-1) */
772 if (!BN_copy(X,W)) goto err;
773 if (!BN_add(X,X,test)) goto err;
776 + /* step 11.4 c = X mod 2*q */
777 if (!BN_lshift1(r0,q)) goto err;
778 if (!BN_mod(c,X,r0,ctx)) goto err;
780 + /* step 11.5 p = X - (c - 1) */
781 if (!BN_sub(r0,c,BN_value_one())) goto err;
782 if (!BN_sub(p,X,r0)) goto err;
786 if (BN_cmp(p,test) >= 0)
790 r = BN_is_prime_fasttest_ex(p, DSS_prime_checks,
793 @@ -308,19 +377,45 @@ int dsa_builtin_paramgen(DSA *ret, size_
800 /* "offset = offset + n + 1" */
803 - if (counter >= 4096) break;
805 + if (counter >= 4*bits) break;
809 if(!BN_GENCB_call(cb, 2, 1))
812 - /* We now need to generate g */
817 + if (counter_ret != NULL) *counter_ret=counter;
822 +#ifndef OPENSSL_FIPS
825 +int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
826 + BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb)
829 + BIGNUM *r0, *test, *g = NULL;
833 + if ((mont=BN_MONT_CTX_new()) == NULL)
836 + r0 = BN_CTX_get(ctx);
837 + *g_ret = g = BN_CTX_get(ctx);
838 + test = BN_CTX_get(ctx);
841 if (!BN_sub(test,p,BN_value_one())) goto err;
842 if (!BN_div(r0,NULL,test,q,ctx)) goto err;
843 @@ -344,26 +439,7 @@ end:
847 - if(ret->p) BN_free(ret->p);
848 - if(ret->q) BN_free(ret->q);
849 - if(ret->g) BN_free(ret->g);
853 - if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
858 - if (counter_ret != NULL) *counter_ret=counter;
859 if (h_ret != NULL) *h_ret=h;
861 - memcpy(seed_out, seed, qsize);
868 if (mont != NULL) BN_MONT_CTX_free(mont);
870 diff -up openssl-1.0.1e/crypto/dsa/dsa.h.fips openssl-1.0.1e/crypto/dsa/dsa.h
871 --- openssl-1.0.1e/crypto/dsa/dsa.h.fips 2013-02-19 12:47:33.205108020 +0100
872 +++ openssl-1.0.1e/crypto/dsa/dsa.h 2013-02-19 12:47:33.721118508 +0100
874 # define OPENSSL_DSA_MAX_MODULUS_BITS 10000
877 +#define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
879 #define DSA_FLAG_CACHE_MONT_P 0x01
880 #define DSA_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DSA
881 * implementation now uses constant time
882 @@ -264,6 +266,17 @@ int DSA_print_fp(FILE *bp, const DSA *x,
883 DH *DSA_dup_DH(const DSA *r);
887 +int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
888 + const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
889 + int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
890 +int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
891 + const EVP_MD *evpmd, unsigned char *seed, int seed_len,
892 + BIGNUM **p_ret, BIGNUM **q_ret, int *counter_ret, BN_GENCB *cb);
893 +int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
894 + BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb);
897 #define EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, nbits) \
898 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, \
899 EVP_PKEY_CTRL_DSA_PARAMGEN_BITS, nbits, NULL)
900 @@ -285,10 +298,13 @@ void ERR_load_DSA_strings(void);
901 #define DSA_F_DO_DSA_PRINT 104
902 #define DSA_F_DSAPARAMS_PRINT 100
903 #define DSA_F_DSAPARAMS_PRINT_FP 101
904 +#define DSA_F_DSA_BUILTIN_KEYGEN 124
905 +#define DSA_F_DSA_BUILTIN_PARAMGEN 123
906 #define DSA_F_DSA_DO_SIGN 112
907 #define DSA_F_DSA_DO_VERIFY 113
908 -#define DSA_F_DSA_GENERATE_KEY 124
909 -#define DSA_F_DSA_GENERATE_PARAMETERS_EX 123
910 +#define DSA_F_DSA_GENERATE_KEY 126
911 +#define DSA_F_DSA_GENERATE_PARAMETERS_EX 127
912 +#define DSA_F_DSA_GENERATE_PARAMETERS /* unused */ 125
913 #define DSA_F_DSA_NEW_METHOD 103
914 #define DSA_F_DSA_PARAM_DECODE 119
915 #define DSA_F_DSA_PRINT_FP 105
916 @@ -314,11 +330,15 @@ void ERR_load_DSA_strings(void);
917 #define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100
918 #define DSA_R_DECODE_ERROR 104
919 #define DSA_R_INVALID_DIGEST_TYPE 106
920 +#define DSA_R_KEY_SIZE_INVALID 113
921 +#define DSA_R_KEY_SIZE_TOO_SMALL 110
922 #define DSA_R_MISSING_PARAMETERS 101
923 #define DSA_R_MODULUS_TOO_LARGE 103
924 -#define DSA_R_NEED_NEW_SETUP_VALUES 110
925 +#define DSA_R_NEED_NEW_SETUP_VALUES 112
926 #define DSA_R_NON_FIPS_DSA_METHOD 111
927 +#define DSA_R_NON_FIPS_METHOD 111
928 #define DSA_R_NO_PARAMETERS_SET 107
929 +#define DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE /* unused */ 112
930 #define DSA_R_PARAMETER_ENCODING_ERROR 105
933 diff -up openssl-1.0.1e/crypto/dsa/dsa_key.c.fips openssl-1.0.1e/crypto/dsa/dsa_key.c
934 --- openssl-1.0.1e/crypto/dsa/dsa_key.c.fips 2013-02-11 16:26:04.000000000 +0100
935 +++ openssl-1.0.1e/crypto/dsa/dsa_key.c 2013-02-19 12:47:33.722118528 +0100
939 #include <openssl/fips.h>
940 +#include <openssl/evp.h>
942 +static int fips_check_dsa(DSA *dsa)
945 + unsigned char tbs[] = "DSA Pairwise Check Data";
948 + if ((pk=EVP_PKEY_new()) == NULL)
951 + EVP_PKEY_set1_DSA(pk, dsa);
953 + if (fips_pkey_signature_test(pk, tbs, 0, NULL, 0, NULL, 0, NULL))
959 + FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED);
960 + fips_set_selftest_fail();
971 static int dsa_builtin_keygen(DSA *dsa);
972 @@ -82,10 +111,6 @@ int DSA_generate_key(DSA *dsa)
974 if(dsa->meth->dsa_keygen)
975 return dsa->meth->dsa_keygen(dsa);
978 - return FIPS_dsa_generate_key(dsa);
980 return dsa_builtin_keygen(dsa);
983 @@ -95,6 +120,15 @@ static int dsa_builtin_keygen(DSA *dsa)
985 BIGNUM *pub_key=NULL,*priv_key=NULL;
988 + if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
989 + && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
991 + DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
996 if ((ctx=BN_CTX_new()) == NULL) goto err;
998 if (dsa->priv_key == NULL)
999 @@ -133,6 +167,14 @@ static int dsa_builtin_keygen(DSA *dsa)
1001 dsa->priv_key=priv_key;
1002 dsa->pub_key=pub_key;
1003 +#ifdef OPENSSL_FIPS
1004 + if(FIPS_mode() && !fips_check_dsa(dsa))
1006 + dsa->pub_key = NULL;
1007 + dsa->priv_key = NULL;
1014 diff -up openssl-1.0.1e/crypto/dsa/dsa_lib.c.fips openssl-1.0.1e/crypto/dsa/dsa_lib.c
1015 --- openssl-1.0.1e/crypto/dsa/dsa_lib.c.fips 2013-02-11 16:26:04.000000000 +0100
1016 +++ openssl-1.0.1e/crypto/dsa/dsa_lib.c 2013-02-19 12:47:33.722118528 +0100
1017 @@ -87,14 +87,7 @@ const DSA_METHOD *DSA_get_default_method
1019 if(!default_DSA_method)
1021 -#ifdef OPENSSL_FIPS
1023 - return FIPS_dsa_openssl();
1025 - return DSA_OpenSSL();
1027 default_DSA_method = DSA_OpenSSL();
1030 return default_DSA_method;
1032 diff -up openssl-1.0.1e/crypto/dsa/dsa_locl.h.fips openssl-1.0.1e/crypto/dsa/dsa_locl.h
1033 --- openssl-1.0.1e/crypto/dsa/dsa_locl.h.fips 2013-02-19 12:47:33.209108100 +0100
1034 +++ openssl-1.0.1e/crypto/dsa/dsa_locl.h 2013-02-19 12:47:33.722118528 +0100
1037 int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
1038 const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
1039 - unsigned char *seed_out,
1040 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
1041 diff -up openssl-1.0.1e/crypto/dsa/dsa_ossl.c.fips openssl-1.0.1e/crypto/dsa/dsa_ossl.c
1042 --- openssl-1.0.1e/crypto/dsa/dsa_ossl.c.fips 2013-02-11 16:26:04.000000000 +0100
1043 +++ openssl-1.0.1e/crypto/dsa/dsa_ossl.c 2013-02-19 12:47:33.723118548 +0100
1045 #include <openssl/dsa.h>
1046 #include <openssl/rand.h>
1047 #include <openssl/asn1.h>
1048 +#ifdef OPENSSL_FIPS
1049 +#include <openssl/fips.h>
1052 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
1053 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
1054 @@ -82,7 +85,7 @@ NULL, /* dsa_mod_exp, */
1055 NULL, /* dsa_bn_mod_exp, */
1059 +DSA_FLAG_FIPS_METHOD,
1063 @@ -138,6 +141,21 @@ static DSA_SIG *dsa_do_sign(const unsign
1067 +#ifdef OPENSSL_FIPS
1068 + if(FIPS_selftest_failed())
1070 + FIPSerr(FIPS_F_DSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED);
1074 + if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
1075 + && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
1077 + DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
1085 @@ -325,6 +343,21 @@ static int dsa_do_verify(const unsigned
1089 +#ifdef OPENSSL_FIPS
1090 + if(FIPS_selftest_failed())
1092 + FIPSerr(FIPS_F_DSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED);
1096 + if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
1097 + && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
1099 + DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
1104 if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS)
1106 DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
1107 @@ -399,6 +432,9 @@ static int dsa_do_verify(const unsigned
1109 static int dsa_init(DSA *dsa)
1111 +#ifdef OPENSSL_FIPS
1112 + FIPS_selftest_check();
1114 dsa->flags|=DSA_FLAG_CACHE_MONT_P;
1117 diff -up openssl-1.0.1e/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.1e/crypto/dsa/dsa_pmeth.c
1118 --- openssl-1.0.1e/crypto/dsa/dsa_pmeth.c.fips 2013-02-11 16:26:04.000000000 +0100
1119 +++ openssl-1.0.1e/crypto/dsa/dsa_pmeth.c 2013-02-19 12:47:33.723118548 +0100
1120 @@ -255,7 +255,7 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT
1123 ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
1124 - NULL, 0, NULL, NULL, NULL, pcb);
1125 + NULL, 0, NULL, NULL, pcb);
1127 EVP_PKEY_assign_DSA(pkey, dsa);
1129 diff -up openssl-1.0.1e/crypto/dsa/dsatest.c.fips openssl-1.0.1e/crypto/dsa/dsatest.c
1130 --- openssl-1.0.1e/crypto/dsa/dsatest.c.fips 2013-02-11 16:26:04.000000000 +0100
1131 +++ openssl-1.0.1e/crypto/dsa/dsatest.c 2013-02-19 12:47:33.723118548 +0100
1132 @@ -96,36 +96,41 @@ static int MS_CALLBACK dsa_cb(int p, int
1133 /* seed, out_p, out_q, out_g are taken from the updated Appendix 5 to
1134 * FIPS PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 */
1135 static unsigned char seed[20]={
1136 - 0xd5,0x01,0x4e,0x4b,0x60,0xef,0x2b,0xa8,0xb6,0x21,0x1b,0x40,
1137 - 0x62,0xba,0x32,0x24,0xe0,0x42,0x7d,0xd3,
1138 + 0x02,0x47,0x11,0x92,0x11,0x88,0xC8,0xFB,0xAF,0x48,0x4C,0x62,
1139 + 0xDF,0xA5,0xBE,0xA0,0xA4,0x3C,0x56,0xE3,
1142 static unsigned char out_p[]={
1143 - 0x8d,0xf2,0xa4,0x94,0x49,0x22,0x76,0xaa,
1144 - 0x3d,0x25,0x75,0x9b,0xb0,0x68,0x69,0xcb,
1145 - 0xea,0xc0,0xd8,0x3a,0xfb,0x8d,0x0c,0xf7,
1146 - 0xcb,0xb8,0x32,0x4f,0x0d,0x78,0x82,0xe5,
1147 - 0xd0,0x76,0x2f,0xc5,0xb7,0x21,0x0e,0xaf,
1148 - 0xc2,0xe9,0xad,0xac,0x32,0xab,0x7a,0xac,
1149 - 0x49,0x69,0x3d,0xfb,0xf8,0x37,0x24,0xc2,
1150 - 0xec,0x07,0x36,0xee,0x31,0xc8,0x02,0x91,
1151 + 0xAC,0xCB,0x1E,0x63,0x60,0x69,0x0C,0xFB,0x06,0x19,0x68,0x3E,
1152 + 0xA5,0x01,0x5A,0xA2,0x15,0x5C,0xE2,0x99,0x2D,0xD5,0x30,0x99,
1153 + 0x7E,0x5F,0x8D,0xE2,0xF7,0xC6,0x2E,0x8D,0xA3,0x9F,0x58,0xAD,
1154 + 0xD6,0xA9,0x7D,0x0E,0x0D,0x95,0x53,0xA6,0x71,0x3A,0xDE,0xAB,
1155 + 0xAC,0xE9,0xF4,0x36,0x55,0x9E,0xB9,0xD6,0x93,0xBF,0xF3,0x18,
1156 + 0x1C,0x14,0x7B,0xA5,0x42,0x2E,0xCD,0x00,0xEB,0x35,0x3B,0x1B,
1157 + 0xA8,0x51,0xBB,0xE1,0x58,0x42,0x85,0x84,0x22,0xA7,0x97,0x5E,
1158 + 0x99,0x6F,0x38,0x20,0xBD,0x9D,0xB6,0xD9,0x33,0x37,0x2A,0xFD,
1159 + 0xBB,0xD4,0xBC,0x0C,0x2A,0x67,0xCB,0x9F,0xBB,0xDF,0xF9,0x93,
1160 + 0xAA,0xD6,0xF0,0xD6,0x95,0x0B,0x5D,0x65,0x14,0xD0,0x18,0x9D,
1161 + 0xC6,0xAF,0xF0,0xC6,0x37,0x7C,0xF3,0x5F,
1164 static unsigned char out_q[]={
1165 - 0xc7,0x73,0x21,0x8c,0x73,0x7e,0xc8,0xee,
1166 - 0x99,0x3b,0x4f,0x2d,0xed,0x30,0xf4,0x8e,
1167 - 0xda,0xce,0x91,0x5f,
1168 + 0xE3,0x8E,0x5E,0x6D,0xBF,0x2B,0x79,0xF8,0xC5,0x4B,0x89,0x8B,
1169 + 0xBA,0x2D,0x91,0xC3,0x6C,0x80,0xAC,0x87,
1172 static unsigned char out_g[]={
1173 - 0x62,0x6d,0x02,0x78,0x39,0xea,0x0a,0x13,
1174 - 0x41,0x31,0x63,0xa5,0x5b,0x4c,0xb5,0x00,
1175 - 0x29,0x9d,0x55,0x22,0x95,0x6c,0xef,0xcb,
1176 - 0x3b,0xff,0x10,0xf3,0x99,0xce,0x2c,0x2e,
1177 - 0x71,0xcb,0x9d,0xe5,0xfa,0x24,0xba,0xbf,
1178 - 0x58,0xe5,0xb7,0x95,0x21,0x92,0x5c,0x9c,
1179 - 0xc4,0x2e,0x9f,0x6f,0x46,0x4b,0x08,0x8c,
1180 - 0xc5,0x72,0xaf,0x53,0xe6,0xd7,0x88,0x02,
1181 + 0x42,0x4A,0x04,0x4E,0x79,0xB4,0x99,0x7F,0xFD,0x58,0x36,0x2C,
1182 + 0x1B,0x5F,0x18,0x7E,0x0D,0xCC,0xAB,0x81,0xC9,0x5D,0x10,0xCE,
1183 + 0x4E,0x80,0x7E,0x58,0xB4,0x34,0x3F,0xA7,0x45,0xC7,0xAA,0x36,
1184 + 0x24,0x42,0xA9,0x3B,0xE8,0x0E,0x04,0x02,0x2D,0xFB,0xA6,0x13,
1185 + 0xB9,0xB5,0x15,0xA5,0x56,0x07,0x35,0xE4,0x03,0xB6,0x79,0x7C,
1186 + 0x62,0xDD,0xDF,0x3F,0x71,0x3A,0x9D,0x8B,0xC4,0xF6,0xE7,0x1D,
1187 + 0x52,0xA8,0xA9,0x43,0x1D,0x33,0x51,0x88,0x39,0xBD,0x73,0xE9,
1188 + 0x5F,0xBE,0x82,0x49,0x27,0xE6,0xB5,0x53,0xC1,0x38,0xAC,0x2F,
1189 + 0x6D,0x97,0x6C,0xEB,0x67,0xC1,0x5F,0x67,0xF8,0x35,0x05,0x5E,
1190 + 0xD5,0x68,0x80,0xAA,0x96,0xCA,0x0B,0x8A,0xE6,0xF1,0xB1,0x41,
1191 + 0xC6,0x75,0x94,0x0A,0x0A,0x2A,0xFA,0x29,
1194 static const unsigned char str1[]="12345678901234567890";
1195 @@ -157,7 +162,7 @@ int main(int argc, char **argv)
1196 BIO_printf(bio_err,"test generation of DSA parameters\n");
1198 BN_GENCB_set(&cb, dsa_cb, bio_err);
1199 - if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512,
1200 + if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 1024,
1201 seed, 20, &counter, &h, &cb))
1204 @@ -170,9 +175,9 @@ int main(int argc, char **argv)
1205 BIO_printf(bio_err,"\ncounter=%d h=%ld\n",counter,h);
1207 DSA_print(bio_err,dsa,0);
1208 - if (counter != 105)
1209 + if (counter != 239)
1211 - BIO_printf(bio_err,"counter should be 105\n");
1212 + BIO_printf(bio_err,"counter should be 239\n");
1216 diff -up openssl-1.0.1e/crypto/engine/eng_all.c.fips openssl-1.0.1e/crypto/engine/eng_all.c
1217 --- openssl-1.0.1e/crypto/engine/eng_all.c.fips 2013-02-11 16:26:04.000000000 +0100
1218 +++ openssl-1.0.1e/crypto/engine/eng_all.c 2013-02-19 12:47:33.724118569 +0100
1221 #include "cryptlib.h"
1222 #include "eng_int.h"
1223 +#ifdef OPENSSL_FIPS
1224 +#include <openssl/fips.h>
1227 void ENGINE_load_builtin_engines(void)
1229 /* Some ENGINEs need this */
1230 OPENSSL_cpuid_setup();
1231 +#ifdef OPENSSL_FIPS
1232 + OPENSSL_init_library();
1233 + if (FIPS_mode()) {
1234 + /* We allow loading dynamic engine as a third party
1235 + engine might be FIPS validated.
1236 + User is disallowed to load non-validated engines
1237 + by security policy. */
1238 + ENGINE_load_dynamic();
1243 /* There's no longer any need for an "openssl" ENGINE unless, one day,
1244 * it is the *only* way for standard builtin implementations to be be
1245 diff -up openssl-1.0.1e/crypto/evp/c_allc.c.fips openssl-1.0.1e/crypto/evp/c_allc.c
1246 --- openssl-1.0.1e/crypto/evp/c_allc.c.fips 2013-02-11 16:26:04.000000000 +0100
1247 +++ openssl-1.0.1e/crypto/evp/c_allc.c 2013-02-19 12:47:33.725118589 +0100
1249 void OpenSSL_add_all_ciphers(void)
1252 +#ifdef OPENSSL_FIPS
1253 + OPENSSL_init_library();
1257 #ifndef OPENSSL_NO_DES
1258 EVP_add_cipher(EVP_des_cfb());
1259 EVP_add_cipher(EVP_des_cfb1());
1260 @@ -227,4 +232,60 @@ void OpenSSL_add_all_ciphers(void)
1261 EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
1262 EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
1264 +#ifdef OPENSSL_FIPS
1268 +#ifndef OPENSSL_NO_DES
1269 + EVP_add_cipher(EVP_des_ede_cfb());
1270 + EVP_add_cipher(EVP_des_ede3_cfb());
1272 + EVP_add_cipher(EVP_des_ede_ofb());
1273 + EVP_add_cipher(EVP_des_ede3_ofb());
1275 + EVP_add_cipher(EVP_des_ede_cbc());
1276 + EVP_add_cipher(EVP_des_ede3_cbc());
1277 + EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
1278 + EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
1280 + EVP_add_cipher(EVP_des_ede());
1281 + EVP_add_cipher(EVP_des_ede3());
1284 +#ifndef OPENSSL_NO_AES
1285 + EVP_add_cipher(EVP_aes_128_ecb());
1286 + EVP_add_cipher(EVP_aes_128_cbc());
1287 + EVP_add_cipher(EVP_aes_128_cfb());
1288 + EVP_add_cipher(EVP_aes_128_cfb1());
1289 + EVP_add_cipher(EVP_aes_128_cfb8());
1290 + EVP_add_cipher(EVP_aes_128_ofb());
1291 + EVP_add_cipher(EVP_aes_128_ctr());
1292 + EVP_add_cipher(EVP_aes_128_gcm());
1293 + EVP_add_cipher(EVP_aes_128_xts());
1294 + EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
1295 + EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
1296 + EVP_add_cipher(EVP_aes_192_ecb());
1297 + EVP_add_cipher(EVP_aes_192_cbc());
1298 + EVP_add_cipher(EVP_aes_192_cfb());
1299 + EVP_add_cipher(EVP_aes_192_cfb1());
1300 + EVP_add_cipher(EVP_aes_192_cfb8());
1301 + EVP_add_cipher(EVP_aes_192_ofb());
1302 + EVP_add_cipher(EVP_aes_192_ctr());
1303 + EVP_add_cipher(EVP_aes_192_gcm());
1304 + EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
1305 + EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
1306 + EVP_add_cipher(EVP_aes_256_ecb());
1307 + EVP_add_cipher(EVP_aes_256_cbc());
1308 + EVP_add_cipher(EVP_aes_256_cfb());
1309 + EVP_add_cipher(EVP_aes_256_cfb1());
1310 + EVP_add_cipher(EVP_aes_256_cfb8());
1311 + EVP_add_cipher(EVP_aes_256_ofb());
1312 + EVP_add_cipher(EVP_aes_256_ctr());
1313 + EVP_add_cipher(EVP_aes_256_gcm());
1314 + EVP_add_cipher(EVP_aes_256_xts());
1315 + EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
1316 + EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
1321 diff -up openssl-1.0.1e/crypto/evp/c_alld.c.fips openssl-1.0.1e/crypto/evp/c_alld.c
1322 --- openssl-1.0.1e/crypto/evp/c_alld.c.fips 2013-02-11 16:26:04.000000000 +0100
1323 +++ openssl-1.0.1e/crypto/evp/c_alld.c 2013-02-19 12:47:33.725118589 +0100
1326 void OpenSSL_add_all_digests(void)
1328 +#ifdef OPENSSL_FIPS
1329 + OPENSSL_init_library();
1333 #ifndef OPENSSL_NO_MD4
1334 EVP_add_digest(EVP_md4());
1336 @@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
1337 #ifndef OPENSSL_NO_WHIRLPOOL
1338 EVP_add_digest(EVP_whirlpool());
1340 +#ifdef OPENSSL_FIPS
1344 +#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
1345 + EVP_add_digest(EVP_sha1());
1346 + EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
1347 + EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
1348 +#ifndef OPENSSL_NO_DSA
1349 + EVP_add_digest(EVP_dss1());
1350 + EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
1351 + EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
1352 + EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
1354 +#ifndef OPENSSL_NO_ECDSA
1355 + EVP_add_digest(EVP_ecdsa());
1358 +#ifndef OPENSSL_NO_SHA256
1359 + EVP_add_digest(EVP_sha224());
1360 + EVP_add_digest(EVP_sha256());
1362 +#ifndef OPENSSL_NO_SHA512
1363 + EVP_add_digest(EVP_sha384());
1364 + EVP_add_digest(EVP_sha512());
1369 diff -up openssl-1.0.1e/crypto/evp/digest.c.fips openssl-1.0.1e/crypto/evp/digest.c
1370 --- openssl-1.0.1e/crypto/evp/digest.c.fips 2013-02-11 16:26:04.000000000 +0100
1371 +++ openssl-1.0.1e/crypto/evp/digest.c 2013-02-19 12:51:41.276779877 +0100
1372 @@ -142,9 +142,50 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons
1373 return EVP_DigestInit_ex(ctx, type, NULL);
1376 +#ifdef OPENSSL_FIPS
1378 +/* The purpose of these is to trap programs that attempt to use non FIPS
1379 + * algorithms in FIPS mode and ignore the errors.
1382 +static int bad_init(EVP_MD_CTX *ctx)
1383 + { FIPS_ERROR_IGNORED("Digest init"); return 0;}
1385 +static int bad_update(EVP_MD_CTX *ctx,const void *data,size_t count)
1386 + { FIPS_ERROR_IGNORED("Digest update"); return 0;}
1388 +static int bad_final(EVP_MD_CTX *ctx,unsigned char *md)
1389 + { FIPS_ERROR_IGNORED("Digest Final"); return 0;}
1391 +static const EVP_MD bad_md =
1409 int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
1411 EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
1412 +#ifdef OPENSSL_FIPS
1413 + if(FIPS_selftest_failed())
1415 + FIPSerr(FIPS_F_EVP_DIGESTINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED);
1416 + ctx->digest = &bad_md;
1420 #ifndef OPENSSL_NO_ENGINE
1421 /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
1422 * so this context may already have an ENGINE! Try to avoid releasing
1423 @@ -201,6 +242,18 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
1425 if (ctx->digest != type)
1427 +#ifdef OPENSSL_FIPS
1430 + if (!(type->flags & EVP_MD_FLAG_FIPS)
1431 + && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))
1433 + EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
1434 + ctx->digest = &bad_md;
1439 if (ctx->digest && ctx->digest->ctx_size)
1440 OPENSSL_free(ctx->md_data);
1442 @@ -229,26 +282,15 @@ skip_to_init:
1444 if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT)
1446 -#ifdef OPENSSL_FIPS
1449 - if (FIPS_digestinit(ctx, type))
1451 - OPENSSL_free(ctx->md_data);
1452 - ctx->md_data = NULL;
1456 return ctx->digest->init(ctx);
1459 int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
1462 - return FIPS_digestupdate(ctx, data, count);
1464 - return ctx->update(ctx,data,count);
1465 + FIPS_selftest_check();
1467 + return ctx->update(ctx,data,count);
1470 /* The caller can assume that this removes any secret data from the context */
1471 @@ -263,11 +305,11 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, uns
1472 /* The caller can assume that this removes any secret data from the context */
1473 int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
1475 -#ifdef OPENSSL_FIPS
1476 - return FIPS_digestfinal(ctx, md, size);
1480 +#ifdef OPENSSL_FIPS
1481 + FIPS_selftest_check();
1483 OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
1484 ret=ctx->digest->final(ctx,md);
1486 @@ -279,7 +321,6 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx,
1488 memset(ctx->md_data,0,ctx->digest->ctx_size);
1493 int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in)
1494 @@ -373,7 +414,6 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
1495 /* This call frees resources associated with the context */
1496 int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
1498 -#ifndef OPENSSL_FIPS
1499 /* Don't assume ctx->md_data was cleaned in EVP_Digest_Final,
1500 * because sometimes only copies of the context are ever finalised.
1502 @@ -386,7 +426,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
1503 OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size);
1504 OPENSSL_free(ctx->md_data);
1508 EVP_PKEY_CTX_free(ctx->pctx);
1509 #ifndef OPENSSL_NO_ENGINE
1510 @@ -395,9 +434,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
1511 * functional reference we held for this reason. */
1512 ENGINE_finish(ctx->engine);
1514 -#ifdef OPENSSL_FIPS
1515 - FIPS_md_ctx_cleanup(ctx);
1517 memset(ctx,'\0',sizeof *ctx);
1520 diff -up openssl-1.0.1e/crypto/evp/e_aes.c.fips openssl-1.0.1e/crypto/evp/e_aes.c
1521 --- openssl-1.0.1e/crypto/evp/e_aes.c.fips 2013-02-11 16:26:04.000000000 +0100
1522 +++ openssl-1.0.1e/crypto/evp/e_aes.c 2013-02-19 12:47:33.726118609 +0100
1525 #include <openssl/aes.h>
1526 #include "evp_locl.h"
1527 -#ifndef OPENSSL_FIPS
1528 #include "modes_lcl.h"
1529 #include <openssl/rand.h>
1531 @@ -716,7 +715,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *
1535 - if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
1536 + if (FIPS_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
1540 @@ -1128,7 +1127,7 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
1543 /* Requirement of SP800-38E */
1544 - if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
1545 + if (FIPS_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
1546 (len > (1UL<<20)*16))
1548 EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
1549 @@ -1311,4 +1310,3 @@ BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm
1550 BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1554 diff -up openssl-1.0.1e/crypto/evp/e_des3.c.fips openssl-1.0.1e/crypto/evp/e_des3.c
1555 --- openssl-1.0.1e/crypto/evp/e_des3.c.fips 2013-02-11 16:26:04.000000000 +0100
1556 +++ openssl-1.0.1e/crypto/evp/e_des3.c 2013-02-19 12:47:33.727118629 +0100
1558 #include <openssl/des.h>
1559 #include <openssl/rand.h>
1561 -#ifndef OPENSSL_FIPS
1563 static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1564 const unsigned char *iv,int enc);
1566 @@ -208,9 +206,9 @@ static int des_ede3_cfb8_cipher(EVP_CIPH
1569 BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
1570 - EVP_CIPH_RAND_KEY, des_ede_init_key, NULL,
1571 - EVP_CIPHER_set_asn1_iv,
1572 - EVP_CIPHER_get_asn1_iv,
1573 + EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
1578 #define des_ede3_cfb64_cipher des_ede_cfb64_cipher
1579 @@ -219,21 +217,21 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY,
1580 #define des_ede3_ecb_cipher des_ede_ecb_cipher
1582 BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
1583 - EVP_CIPH_RAND_KEY, des_ede3_init_key, NULL,
1584 - EVP_CIPHER_set_asn1_iv,
1585 - EVP_CIPHER_get_asn1_iv,
1586 + EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
1587 + des_ede3_init_key,
1591 BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1,
1592 - EVP_CIPH_RAND_KEY, des_ede3_init_key,NULL,
1593 - EVP_CIPHER_set_asn1_iv,
1594 - EVP_CIPHER_get_asn1_iv,
1595 + EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
1596 + des_ede3_init_key,
1600 BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8,
1601 - EVP_CIPH_RAND_KEY, des_ede3_init_key,NULL,
1602 - EVP_CIPHER_set_asn1_iv,
1603 - EVP_CIPHER_get_asn1_iv,
1604 + EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
1605 + des_ede3_init_key,
1609 static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1610 @@ -313,4 +311,3 @@ const EVP_CIPHER *EVP_des_ede3(void)
1611 return &des_ede3_ecb;
1615 diff -up openssl-1.0.1e/crypto/evp/e_null.c.fips openssl-1.0.1e/crypto/evp/e_null.c
1616 --- openssl-1.0.1e/crypto/evp/e_null.c.fips 2013-02-11 16:26:04.000000000 +0100
1617 +++ openssl-1.0.1e/crypto/evp/e_null.c 2013-02-19 12:47:33.727118629 +0100
1619 #include <openssl/evp.h>
1620 #include <openssl/objects.h>
1622 -#ifndef OPENSSL_FIPS
1624 static int null_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1625 const unsigned char *iv,int enc);
1626 static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1627 @@ -71,7 +69,7 @@ static const EVP_CIPHER n_cipher=
1632 + EVP_CIPH_FLAG_FIPS,
1636 @@ -101,4 +99,3 @@ static int null_cipher(EVP_CIPHER_CTX *c
1637 memcpy((char *)out,(const char *)in,inl);
1641 diff -up openssl-1.0.1e/crypto/evp/evp_enc.c.fips openssl-1.0.1e/crypto/evp/evp_enc.c
1642 --- openssl-1.0.1e/crypto/evp/evp_enc.c.fips 2013-02-11 16:26:04.000000000 +0100
1643 +++ openssl-1.0.1e/crypto/evp/evp_enc.c 2013-02-19 12:47:33.728118649 +0100
1646 #include "evp_locl.h"
1648 -#ifdef OPENSSL_FIPS
1649 -#define M_do_cipher(ctx, out, in, inl) FIPS_cipher(ctx, out, in, inl)
1651 #define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl)
1655 const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT;
1657 +#ifdef OPENSSL_FIPS
1659 +/* The purpose of these is to trap programs that attempt to use non FIPS
1660 + * algorithms in FIPS mode and ignore the errors.
1663 +static int bad_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1664 + const unsigned char *iv, int enc)
1665 + { FIPS_ERROR_IGNORED("Cipher init"); return 0;}
1667 +static int bad_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1668 + const unsigned char *in, unsigned int inl)
1669 + { FIPS_ERROR_IGNORED("Cipher update"); return 0;}
1671 +/* NB: no cleanup because it is allowed after failed init */
1673 +static int bad_set_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
1674 + { FIPS_ERROR_IGNORED("Cipher set_asn1"); return 0;}
1675 +static int bad_get_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
1676 + { FIPS_ERROR_IGNORED("Cipher get_asn1"); return 0;}
1677 +static int bad_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
1678 + { FIPS_ERROR_IGNORED("Cipher ctrl"); return 0;}
1680 +static const EVP_CIPHER bad_cipher =
1699 void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
1701 +#ifdef OPENSSL_FIPS
1702 + FIPS_selftest_check();
1704 memset(ctx,0,sizeof(EVP_CIPHER_CTX));
1705 /* ctx->cipher=NULL; */
1707 @@ -111,6 +152,14 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
1711 +#ifdef OPENSSL_FIPS
1712 + if(FIPS_selftest_failed())
1714 + FIPSerr(FIPS_F_EVP_CIPHERINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED);
1715 + ctx->cipher = &bad_cipher;
1719 #ifndef OPENSSL_NO_ENGINE
1720 /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
1721 * so this context may already have an ENGINE! Try to avoid releasing
1722 @@ -169,10 +218,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
1726 -#ifdef OPENSSL_FIPS
1728 - return FIPS_cipherinit(ctx, cipher, key, iv, enc);
1731 if (ctx->cipher->ctx_size)
1733 @@ -206,10 +251,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
1734 #ifndef OPENSSL_NO_ENGINE
1737 -#ifdef OPENSSL_FIPS
1739 - return FIPS_cipherinit(ctx, cipher, key, iv, enc);
1741 /* we assume block size is a power of 2 in *cryptUpdate */
1742 OPENSSL_assert(ctx->cipher->block_size == 1
1743 || ctx->cipher->block_size == 8
1744 @@ -249,6 +290,22 @@ skip_to_init:
1748 +#ifdef OPENSSL_FIPS
1749 + /* After 'key' is set no further parameters changes are permissible.
1750 + * So only check for non FIPS enabling at this point.
1752 + if (key && FIPS_mode())
1754 + if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS)
1755 + & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
1757 + EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS);
1758 + ctx->cipher = &bad_cipher;
1764 if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
1765 if(!ctx->cipher->init(ctx,key,iv,enc)) return 0;
1767 @@ -568,7 +625,6 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX
1769 int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
1771 -#ifndef OPENSSL_FIPS
1772 if (c->cipher != NULL)
1774 if(c->cipher->cleanup && !c->cipher->cleanup(c))
1775 @@ -579,16 +635,12 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CT
1778 OPENSSL_free(c->cipher_data);
1780 #ifndef OPENSSL_NO_ENGINE
1782 /* The EVP_CIPHER we used belongs to an ENGINE, release the
1783 * functional reference we held for this reason. */
1784 ENGINE_finish(c->engine);
1786 -#ifdef OPENSSL_FIPS
1787 - FIPS_cipher_ctx_cleanup(c);
1789 memset(c,0,sizeof(EVP_CIPHER_CTX));
1792 diff -up openssl-1.0.1e/crypto/evp/evp.h.fips openssl-1.0.1e/crypto/evp/evp.h
1793 --- openssl-1.0.1e/crypto/evp/evp.h.fips 2013-02-19 12:47:33.474113487 +0100
1794 +++ openssl-1.0.1e/crypto/evp/evp.h 2013-02-19 12:47:33.728118649 +0100
1796 #include <openssl/bio.h>
1799 +#ifdef OPENSSL_FIPS
1800 +#include <openssl/fips.h>
1804 #define EVP_RC2_KEY_SIZE 16
1805 #define EVP_RC4_KEY_SIZE 16
1806 @@ -272,10 +276,6 @@ struct env_md_ctx_st
1808 #define EVP_MD_CTX_FLAG_REUSE 0x0004 /* Don't free up ctx->md_data
1809 * in EVP_MD_CTX_cleanup */
1810 -/* FIPS and pad options are ignored in 1.0.0, definitions are here
1811 - * so we don't accidentally reuse the values for other purposes.
1814 #define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008 /* Allow use of non FIPS digest
1817 @@ -287,6 +287,10 @@ struct env_md_ctx_st
1818 #define EVP_MD_CTX_FLAG_PAD_PKCS1 0x00 /* PKCS#1 v1.5 mode */
1819 #define EVP_MD_CTX_FLAG_PAD_X931 0x10 /* X9.31 mode */
1820 #define EVP_MD_CTX_FLAG_PAD_PSS 0x20 /* PSS mode */
1821 +#define M_EVP_MD_CTX_FLAG_PSS_SALT(ctx) \
1822 + ((ctx->flags>>16) &0xFFFF) /* seed length */
1823 +#define EVP_MD_CTX_FLAG_PSS_MDLEN 0xFFFF /* salt len same as digest */
1824 +#define EVP_MD_CTX_FLAG_PSS_MREC 0xFFFE /* salt max or auto recovered */
1826 #define EVP_MD_CTX_FLAG_NO_INIT 0x0100 /* Don't initialize md_data */
1828 @@ -338,15 +342,15 @@ struct evp_cipher_st
1829 /* cipher handles random key generation */
1830 #define EVP_CIPH_RAND_KEY 0x200
1831 /* cipher has its own additional copying logic */
1832 -#define EVP_CIPH_CUSTOM_COPY 0x400
1833 +#define EVP_CIPH_CUSTOM_COPY 0x4000
1834 /* Allow use default ASN1 get/set iv */
1835 #define EVP_CIPH_FLAG_DEFAULT_ASN1 0x1000
1836 /* Buffer length in bits not bytes: CFB1 mode only */
1837 #define EVP_CIPH_FLAG_LENGTH_BITS 0x2000
1838 /* Note if suitable for use in FIPS mode */
1839 -#define EVP_CIPH_FLAG_FIPS 0x4000
1840 +#define EVP_CIPH_FLAG_FIPS 0x400
1841 /* Allow non FIPS cipher in FIPS mode */
1842 -#define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x8000
1843 +#define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x800
1844 /* Cipher handles any and all padding logic as well
1847 diff -up openssl-1.0.1e/crypto/evp/evp_lib.c.fips openssl-1.0.1e/crypto/evp/evp_lib.c
1848 --- openssl-1.0.1e/crypto/evp/evp_lib.c.fips 2013-02-11 16:26:04.000000000 +0100
1849 +++ openssl-1.0.1e/crypto/evp/evp_lib.c 2013-02-19 12:47:33.729118669 +0100
1850 @@ -190,6 +190,9 @@ int EVP_CIPHER_CTX_block_size(const EVP_
1852 int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl)
1854 +#ifdef OPENSSL_FIPS
1855 + FIPS_selftest_check();
1857 return ctx->cipher->do_cipher(ctx,out,in,inl);
1860 diff -up openssl-1.0.1e/crypto/evp/evp_locl.h.fips openssl-1.0.1e/crypto/evp/evp_locl.h
1861 --- openssl-1.0.1e/crypto/evp/evp_locl.h.fips 2013-02-19 12:47:33.465113304 +0100
1862 +++ openssl-1.0.1e/crypto/evp/evp_locl.h 2013-02-19 12:47:33.729118669 +0100
1863 @@ -258,10 +258,9 @@ const EVP_CIPHER *EVP_##cname##_ecb(void
1864 BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \
1865 BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \
1866 NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \
1867 - 0, cipher##_init_key, NULL, \
1868 - EVP_CIPHER_set_asn1_iv, \
1869 - EVP_CIPHER_get_asn1_iv, \
1871 + EVP_CIPH_FLAG_DEFAULT_ASN1, \
1872 + cipher##_init_key, NULL, NULL, NULL, NULL)
1875 struct evp_pkey_ctx_st
1877 @@ -367,11 +366,6 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_
1878 #define MD2_Init private_MD2_Init
1879 #define MDC2_Init private_MDC2_Init
1880 #define SHA_Init private_SHA_Init
1881 -#define SHA1_Init private_SHA1_Init
1882 -#define SHA224_Init private_SHA224_Init
1883 -#define SHA256_Init private_SHA256_Init
1884 -#define SHA384_Init private_SHA384_Init
1885 -#define SHA512_Init private_SHA512_Init
1887 #define BF_set_key private_BF_set_key
1888 #define CAST_set_key private_CAST_set_key
1889 @@ -379,7 +373,6 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_
1890 #define SEED_set_key private_SEED_set_key
1891 #define RC2_set_key private_RC2_set_key
1892 #define RC4_set_key private_RC4_set_key
1893 -#define DES_set_key_unchecked private_DES_set_key_unchecked
1894 #define Camellia_set_key private_Camellia_set_key
1897 diff -up openssl-1.0.1e/crypto/evp/Makefile.fips openssl-1.0.1e/crypto/evp/Makefile
1898 --- openssl-1.0.1e/crypto/evp/Makefile.fips 2013-02-11 16:26:04.000000000 +0100
1899 +++ openssl-1.0.1e/crypto/evp/Makefile 2013-02-19 12:53:25.468917386 +0100
1900 @@ -28,7 +28,7 @@ LIBSRC= encode.c digest.c evp_enc.c evp_
1901 bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
1902 c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
1903 evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \
1904 - e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c evp_fips.c \
1905 + e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \
1906 e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c
1908 LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o evp_cnf.o \
1909 @@ -41,7 +41,7 @@ LIBOBJ= encode.o digest.o evp_enc.o evp_
1910 bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \
1911 c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
1912 evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o \
1913 - e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o evp_fips.o \
1914 + e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o \
1915 e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o
1918 diff -up openssl-1.0.1e/crypto/evp/m_dss1.c.fips openssl-1.0.1e/crypto/evp/m_dss1.c
1919 --- openssl-1.0.1e/crypto/evp/m_dss1.c.fips 2013-02-11 16:26:04.000000000 +0100
1920 +++ openssl-1.0.1e/crypto/evp/m_dss1.c 2013-02-19 12:47:33.730118689 +0100
1922 #include <openssl/dsa.h>
1925 -#ifndef OPENSSL_FIPS
1927 static int init(EVP_MD_CTX *ctx)
1928 { return SHA1_Init(ctx->md_data); }
1930 @@ -84,7 +82,7 @@ static const EVP_MD dss1_md=
1934 - EVP_MD_FLAG_PKEY_DIGEST,
1935 + EVP_MD_FLAG_PKEY_DIGEST|EVP_MD_FLAG_FIPS,
1939 @@ -100,4 +98,3 @@ const EVP_MD *EVP_dss1(void)
1944 diff -up openssl-1.0.1e/crypto/evp/m_dss.c.fips openssl-1.0.1e/crypto/evp/m_dss.c
1945 --- openssl-1.0.1e/crypto/evp/m_dss.c.fips 2013-02-11 16:26:04.000000000 +0100
1946 +++ openssl-1.0.1e/crypto/evp/m_dss.c 2013-02-19 12:47:33.730118689 +0100
1950 #ifndef OPENSSL_NO_SHA
1951 -#ifndef OPENSSL_FIPS
1953 static int init(EVP_MD_CTX *ctx)
1954 { return SHA1_Init(ctx->md_data); }
1955 @@ -82,7 +81,7 @@ static const EVP_MD dsa_md=
1959 - EVP_MD_FLAG_PKEY_DIGEST,
1960 + EVP_MD_FLAG_PKEY_DIGEST|EVP_MD_FLAG_FIPS,
1964 @@ -98,4 +97,3 @@ const EVP_MD *EVP_dss(void)
1969 diff -up openssl-1.0.1e/crypto/evp/m_md2.c.fips openssl-1.0.1e/crypto/evp/m_md2.c
1970 --- openssl-1.0.1e/crypto/evp/m_md2.c.fips 2013-02-11 16:26:04.000000000 +0100
1971 +++ openssl-1.0.1e/crypto/evp/m_md2.c 2013-02-19 12:47:33.731118710 +0100
1973 #ifndef OPENSSL_NO_RSA
1974 #include <openssl/rsa.h>
1976 +#include "evp_locl.h"
1978 static int init(EVP_MD_CTX *ctx)
1979 { return MD2_Init(ctx->md_data); }
1980 diff -up openssl-1.0.1e/crypto/evp/m_sha1.c.fips openssl-1.0.1e/crypto/evp/m_sha1.c
1981 --- openssl-1.0.1e/crypto/evp/m_sha1.c.fips 2013-02-11 16:26:04.000000000 +0100
1982 +++ openssl-1.0.1e/crypto/evp/m_sha1.c 2013-02-19 12:47:33.731118710 +0100
1985 #include "cryptlib.h"
1987 -#ifndef OPENSSL_FIPS
1989 #ifndef OPENSSL_NO_SHA
1991 #include <openssl/evp.h>
1992 @@ -85,7 +83,8 @@ static const EVP_MD sha1_md=
1994 NID_sha1WithRSAEncryption,
1996 - EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
1997 + EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
2002 @@ -122,7 +121,8 @@ static const EVP_MD sha224_md=
2004 NID_sha224WithRSAEncryption,
2005 SHA224_DIGEST_LENGTH,
2006 - EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
2007 + EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
2012 @@ -141,7 +141,8 @@ static const EVP_MD sha256_md=
2014 NID_sha256WithRSAEncryption,
2015 SHA256_DIGEST_LENGTH,
2016 - EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
2017 + EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
2022 @@ -172,7 +173,8 @@ static const EVP_MD sha384_md=
2024 NID_sha384WithRSAEncryption,
2025 SHA384_DIGEST_LENGTH,
2026 - EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
2027 + EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
2032 @@ -191,7 +193,8 @@ static const EVP_MD sha512_md=
2034 NID_sha512WithRSAEncryption,
2035 SHA512_DIGEST_LENGTH,
2036 - EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
2037 + EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
2042 @@ -206,4 +209,3 @@ const EVP_MD *EVP_sha512(void)
2043 { return(&sha512_md); }
2044 #endif /* ifndef OPENSSL_NO_SHA512 */
2047 diff -up openssl-1.0.1e/crypto/evp/p_sign.c.fips openssl-1.0.1e/crypto/evp/p_sign.c
2048 --- openssl-1.0.1e/crypto/evp/p_sign.c.fips 2013-02-11 16:26:04.000000000 +0100
2049 +++ openssl-1.0.1e/crypto/evp/p_sign.c 2013-02-19 12:47:33.731118710 +0100
2051 #include <openssl/evp.h>
2052 #include <openssl/objects.h>
2053 #include <openssl/x509.h>
2054 +#include <openssl/rsa.h>
2057 void EVP_SignInit(EVP_MD_CTX *ctx, EVP_MD *type)
2058 @@ -103,6 +104,22 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig
2060 if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
2062 + if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
2063 + if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
2065 + if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS)
2068 + if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
2070 + saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
2071 + if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
2073 + else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
2075 + if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
2078 if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0)
2081 diff -up openssl-1.0.1e/crypto/evp/p_verify.c.fips openssl-1.0.1e/crypto/evp/p_verify.c
2082 --- openssl-1.0.1e/crypto/evp/p_verify.c.fips 2013-02-11 16:26:04.000000000 +0100
2083 +++ openssl-1.0.1e/crypto/evp/p_verify.c 2013-02-19 12:47:33.732118731 +0100
2085 #include <openssl/evp.h>
2086 #include <openssl/objects.h>
2087 #include <openssl/x509.h>
2088 +#include <openssl/rsa.h>
2090 int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
2091 unsigned int siglen, EVP_PKEY *pkey)
2092 @@ -88,6 +89,22 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, con
2094 if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
2096 + if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
2097 + if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
2099 + if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS)
2102 + if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
2104 + saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
2105 + if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
2107 + else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
2109 + if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
2112 i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len);
2114 EVP_PKEY_CTX_free(pkctx);
2115 diff -up openssl-1.0.1e/crypto/fips/cavs/fips_aesavs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_aesavs.c
2116 --- openssl-1.0.1e/crypto/fips/cavs/fips_aesavs.c.fips 2013-02-19 12:47:33.732118731 +0100
2117 +++ openssl-1.0.1e/crypto/fips/cavs/fips_aesavs.c 2013-02-19 12:47:33.732118731 +0100
2119 +/* ====================================================================
2120 + * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
2122 + * Redistribution and use in source and binary forms, with or without
2123 + * modification, are permitted provided that the following conditions
2126 + * 1. Redistributions of source code must retain the above copyright
2127 + * notice, this list of conditions and the following disclaimer.
2129 + * 2. Redistributions in binary form must reproduce the above copyright
2130 + * notice, this list of conditions and the following disclaimer in
2131 + * the documentation and/or other materials provided with the
2134 + * 3. All advertising materials mentioning features or use of this
2135 + * software must display the following acknowledgment:
2136 + * "This product includes software developed by the OpenSSL Project
2137 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
2139 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
2140 + * endorse or promote products derived from this software without
2141 + * prior written permission. For written permission, please contact
2142 + * openssl-core@openssl.org.
2144 + * 5. Products derived from this software may not be called "OpenSSL"
2145 + * nor may "OpenSSL" appear in their names without prior written
2146 + * permission of the OpenSSL Project.
2148 + * 6. Redistributions of any form whatsoever must retain the following
2150 + * "This product includes software developed by the OpenSSL Project
2151 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
2153 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
2154 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
2155 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
2156 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
2157 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
2158 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
2159 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
2160 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
2161 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
2162 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
2163 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
2164 + * OF THE POSSIBILITY OF SUCH DAMAGE.
2167 +/*---------------------------------------------
2168 + NIST AES Algorithm Validation Suite
2171 + Donated to OpenSSL by:
2173 + 20250 Century Blvd, Suite 300
2174 + Germantown, MD 20874
2176 + ----------------------------------------------*/
2179 +#include <stdlib.h>
2180 +#include <string.h>
2182 +#include <assert.h>
2184 +#include <openssl/aes.h>
2185 +#include <openssl/evp.h>
2186 +#include <openssl/bn.h>
2188 +#include <openssl/err.h>
2191 +#ifndef OPENSSL_FIPS
2193 +int main(int argc, char *argv[])
2195 + printf("No FIPS AES support\n");
2201 +#include <openssl/fips.h>
2202 +#include "fips_utl.h"
2204 +#define AES_BLOCK_SIZE 16
2208 +/*-----------------------------------------------*/
2210 +int AESTest(EVP_CIPHER_CTX *ctx,
2211 + char *amode, int akeysz, unsigned char *aKey,
2212 + unsigned char *iVec,
2213 + int dir, /* 0 = decrypt, 1 = encrypt */
2214 + unsigned char *plaintext, unsigned char *ciphertext, int len)
2216 + const EVP_CIPHER *cipher = NULL;
2218 + if (strcasecmp(amode, "CBC") == 0)
2223 + cipher = EVP_aes_128_cbc();
2227 + cipher = EVP_aes_192_cbc();
2231 + cipher = EVP_aes_256_cbc();
2236 + else if (strcasecmp(amode, "ECB") == 0)
2241 + cipher = EVP_aes_128_ecb();
2245 + cipher = EVP_aes_192_ecb();
2249 + cipher = EVP_aes_256_ecb();
2253 + else if (strcasecmp(amode, "CFB128") == 0)
2258 + cipher = EVP_aes_128_cfb128();
2262 + cipher = EVP_aes_192_cfb128();
2266 + cipher = EVP_aes_256_cfb128();
2271 + else if (strncasecmp(amode, "OFB", 3) == 0)
2276 + cipher = EVP_aes_128_ofb();
2280 + cipher = EVP_aes_192_ofb();
2284 + cipher = EVP_aes_256_ofb();
2288 + else if(!strcasecmp(amode,"CFB1"))
2293 + cipher = EVP_aes_128_cfb1();
2297 + cipher = EVP_aes_192_cfb1();
2301 + cipher = EVP_aes_256_cfb1();
2305 + else if(!strcasecmp(amode,"CFB8"))
2310 + cipher = EVP_aes_128_cfb8();
2314 + cipher = EVP_aes_192_cfb8();
2318 + cipher = EVP_aes_256_cfb8();
2324 + printf("Unknown mode: %s\n", amode);
2329 + printf("Invalid key size: %d\n", akeysz);
2332 + if (EVP_CipherInit_ex(ctx, cipher, NULL, aKey, iVec, dir) <= 0)
2334 + if(!strcasecmp(amode,"CFB1"))
2335 + M_EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS);
2337 + EVP_Cipher(ctx, ciphertext, plaintext, len);
2339 + EVP_Cipher(ctx, plaintext, ciphertext, len);
2343 +/*-----------------------------------------------*/
2344 +char *t_tag[2] = {"PLAINTEXT", "CIPHERTEXT"};
2345 +char *t_mode[6] = {"CBC","ECB","OFB","CFB1","CFB8","CFB128"};
2346 +enum Mode {CBC, ECB, OFB, CFB1, CFB8, CFB128};
2347 +enum XCrypt {XDECRYPT, XENCRYPT};
2349 +/*=============================*/
2350 +/* Monte Carlo Tests */
2351 +/*-----------------------------*/
2353 +/*#define gb(a,b) (((a)[(b)/8] >> ((b)%8))&1)*/
2354 +/*#define sb(a,b,v) ((a)[(b)/8]=((a)[(b)/8]&~(1 << ((b)%8)))|(!!(v) << ((b)%8)))*/
2356 +#define gb(a,b) (((a)[(b)/8] >> (7-(b)%8))&1)
2357 +#define sb(a,b,v) ((a)[(b)/8]=((a)[(b)/8]&~(1 << (7-(b)%8)))|(!!(v) << (7-(b)%8)))
2359 +int do_mct(char *amode,
2360 + int akeysz, unsigned char *aKey,unsigned char *iVec,
2361 + int dir, unsigned char *text, int len,
2365 + unsigned char key[101][32];
2366 + unsigned char iv[101][AES_BLOCK_SIZE];
2367 + unsigned char ptext[1001][32];
2368 + unsigned char ctext[1001][32];
2369 + unsigned char ciphertext[64+4];
2370 + int i, j, n, n1, n2;
2371 + int imode = 0, nkeysz = akeysz/8;
2372 + EVP_CIPHER_CTX ctx;
2373 + EVP_CIPHER_CTX_init(&ctx);
2377 + printf("\n>>>> Length exceeds 32 for %s %d <<<<\n\n",
2381 + for (imode = 0; imode < 6; ++imode)
2382 + if (strcmp(amode, t_mode[imode]) == 0)
2386 + printf("Unrecognized mode: %s\n", amode);
2390 + memcpy(key[0], aKey, nkeysz);
2392 + memcpy(iv[0], iVec, AES_BLOCK_SIZE);
2393 + if (dir == XENCRYPT)
2394 + memcpy(ptext[0], text, len);
2396 + memcpy(ctext[0], text, len);
2397 + for (i = 0; i < 100; ++i)
2399 + /* printf("Iteration %d\n", i); */
2402 + fprintf(rfp,"COUNT = %d\n",i);
2403 + OutputValue("KEY",key[i],nkeysz,rfp,0);
2404 + if (imode != ECB) /* ECB */
2405 + OutputValue("IV",iv[i],AES_BLOCK_SIZE,rfp,0);
2406 + /* Output Ciphertext | Plaintext */
2407 + OutputValue(t_tag[dir^1],dir ? ptext[0] : ctext[0],len,rfp,
2410 + for (j = 0; j < 1000; ++j)
2416 + { /* set up encryption */
2417 + ret = AESTest(&ctx, amode, akeysz, key[i], NULL,
2418 + dir, /* 0 = decrypt, 1 = encrypt */
2419 + ptext[j], ctext[j], len);
2420 + if (dir == XENCRYPT)
2421 + memcpy(ptext[j+1], ctext[j], len);
2423 + memcpy(ctext[j+1], ptext[j], len);
2427 + if (dir == XENCRYPT)
2429 + EVP_Cipher(&ctx, ctext[j], ptext[j], len);
2430 + memcpy(ptext[j+1], ctext[j], len);
2434 + EVP_Cipher(&ctx, ptext[j], ctext[j], len);
2435 + memcpy(ctext[j+1], ptext[j], len);
2445 + ret = AESTest(&ctx, amode, akeysz, key[i], iv[i],
2446 + dir, /* 0 = decrypt, 1 = encrypt */
2447 + ptext[j], ctext[j], len);
2448 + if (dir == XENCRYPT)
2449 + memcpy(ptext[j+1], iv[i], len);
2451 + memcpy(ctext[j+1], iv[i], len);
2455 + if (dir == XENCRYPT)
2457 + EVP_Cipher(&ctx, ctext[j], ptext[j], len);
2458 + memcpy(ptext[j+1], ctext[j-1], len);
2462 + EVP_Cipher(&ctx, ptext[j], ctext[j], len);
2463 + memcpy(ctext[j+1], ptext[j-1], len);
2471 + ret = AESTest(&ctx, amode, akeysz, key[i], iv[i],
2472 + dir, /* 0 = decrypt, 1 = encrypt */
2473 + ptext[j], ctext[j], len);
2477 + if (dir == XENCRYPT)
2478 + EVP_Cipher(&ctx, ctext[j], ptext[j], len);
2480 + EVP_Cipher(&ctx, ptext[j], ctext[j], len);
2482 + if (dir == XENCRYPT)
2485 + memcpy(ptext[j+1], &iv[i][j], len);
2487 + memcpy(ptext[j+1], ctext[j-16], len);
2492 + memcpy(ctext[j+1], &iv[i][j], len);
2494 + memcpy(ctext[j+1], ptext[j-16], len);
2502 + /* compensate for wrong endianness of input file */
2506 + ret = AESTest(&ctx,amode,akeysz,key[i],iv[i],dir,
2507 + ptext[j], ctext[j], len);
2511 + if (dir == XENCRYPT)
2512 + EVP_Cipher(&ctx, ctext[j], ptext[j], len);
2514 + EVP_Cipher(&ctx, ptext[j], ctext[j], len);
2517 + if(dir == XENCRYPT)
2520 + sb(ptext[j+1],0,gb(iv[i],j));
2522 + sb(ptext[j+1],0,gb(ctext[j-128],0));
2527 + sb(ctext[j+1],0,gb(iv[i],j));
2529 + sb(ctext[j+1],0,gb(ptext[j-128],0));
2534 + --j; /* reset to last of range */
2535 + /* Output Ciphertext | Plaintext */
2536 + OutputValue(t_tag[dir],dir ? ctext[j] : ptext[j],len,rfp,
2538 + fprintf(rfp, "\n"); /* add separator */
2540 + /* Compute next KEY */
2541 + if (dir == XENCRYPT)
2543 + if (imode == CFB8)
2544 + { /* ct = CT[j-15] || CT[j-14] || ... || CT[j] */
2545 + for (n1 = 0, n2 = nkeysz-1; n1 < nkeysz; ++n1, --n2)
2546 + ciphertext[n1] = ctext[j-n2][0];
2548 + else if(imode == CFB1)
2550 + for(n1=0,n2=akeysz-1 ; n1 < akeysz ; ++n1,--n2)
2551 + sb(ciphertext,n1,gb(ctext[j-n2],0));
2557 + memcpy(ciphertext, ctext[j], 16);
2560 + memcpy(ciphertext, ctext[j-1]+8, 8);
2561 + memcpy(ciphertext+8, ctext[j], 16);
2564 + memcpy(ciphertext, ctext[j-1], 16);
2565 + memcpy(ciphertext+16, ctext[j], 16);
2571 + if (imode == CFB8)
2572 + { /* ct = CT[j-15] || CT[j-14] || ... || CT[j] */
2573 + for (n1 = 0, n2 = nkeysz-1; n1 < nkeysz; ++n1, --n2)
2574 + ciphertext[n1] = ptext[j-n2][0];
2576 + else if(imode == CFB1)
2578 + for(n1=0,n2=akeysz-1 ; n1 < akeysz ; ++n1,--n2)
2579 + sb(ciphertext,n1,gb(ptext[j-n2],0));
2585 + memcpy(ciphertext, ptext[j], 16);
2588 + memcpy(ciphertext, ptext[j-1]+8, 8);
2589 + memcpy(ciphertext+8, ptext[j], 16);
2592 + memcpy(ciphertext, ptext[j-1], 16);
2593 + memcpy(ciphertext+16, ptext[j], 16);
2597 + /* Compute next key: Key[i+1] = Key[i] xor ct */
2598 + for (n = 0; n < nkeysz; ++n)
2599 + key[i+1][n] = key[i][n] ^ ciphertext[n];
2601 + /* Compute next IV and text */
2602 + if (dir == XENCRYPT)
2607 + memcpy(ptext[0], ctext[j], AES_BLOCK_SIZE);
2612 + memcpy(iv[i+1], ctext[j], AES_BLOCK_SIZE);
2613 + memcpy(ptext[0], ctext[j-1], AES_BLOCK_SIZE);
2616 + /* IV[i+1] = ct */
2617 + for (n1 = 0, n2 = 15; n1 < 16; ++n1, --n2)
2618 + iv[i+1][n1] = ctext[j-n2][0];
2619 + ptext[0][0] = ctext[j-16][0];
2622 + for(n1=0,n2=127 ; n1 < 128 ; ++n1,--n2)
2623 + sb(iv[i+1],n1,gb(ctext[j-n2],0));
2624 + ptext[0][0]=ctext[j-128][0]&0x80;
2633 + memcpy(ctext[0], ptext[j], AES_BLOCK_SIZE);
2638 + memcpy(iv[i+1], ptext[j], AES_BLOCK_SIZE);
2639 + memcpy(ctext[0], ptext[j-1], AES_BLOCK_SIZE);
2642 + for (n1 = 0, n2 = 15; n1 < 16; ++n1, --n2)
2643 + iv[i+1][n1] = ptext[j-n2][0];
2644 + ctext[0][0] = ptext[j-16][0];
2647 + for(n1=0,n2=127 ; n1 < 128 ; ++n1,--n2)
2648 + sb(iv[i+1],n1,gb(ptext[j-n2],0));
2649 + ctext[0][0]=ptext[j-128][0]&0x80;
2658 +/*================================================*/
2659 +/*----------------------------
2660 + # Config info for v-one
2661 + # AESVS MMT test data for ECB
2662 + # State : Encrypt and Decrypt
2663 + # Key Length : 256
2664 + # Fri Aug 30 04:07:22 PM
2665 + ----------------------------*/
2667 +int proc_file(char *rqfile, char *rspfile)
2669 + char afn[256], rfn[256];
2670 + FILE *afp = NULL, *rfp = NULL;
2673 + int ilen, len, ret = 0;
2674 + char algo[8] = "";
2675 + char amode[8] = "";
2676 + char atest[8] = "";
2678 + unsigned char iVec[20], aKey[40];
2679 + int dir = -1, err = 0, step = 0;
2680 + unsigned char plaintext[2048];
2681 + unsigned char ciphertext[2048];
2683 + EVP_CIPHER_CTX ctx;
2684 + EVP_CIPHER_CTX_init(&ctx);
2686 + if (!rqfile || !(*rqfile))
2688 + printf("No req file\n");
2691 + strcpy(afn, rqfile);
2693 + if ((afp = fopen(afn, "r")) == NULL)
2695 + printf("Cannot open file: %s, %s\n",
2696 + afn, strerror(errno));
2702 + rp=strstr(rfn,"req/");
2703 +#ifdef OPENSSL_SYS_WIN32
2705 + rp=strstr(rfn,"req\\");
2708 + memcpy(rp,"rsp",3);
2709 + rp = strstr(rfn, ".req");
2710 + memcpy(rp, ".rsp", 4);
2713 + if ((rfp = fopen(rspfile, "w")) == NULL)
2715 + printf("Cannot open file: %s, %s\n",
2716 + rfn, strerror(errno));
2721 + while (!err && (fgets(ibuf, sizeof(ibuf), afp)) != NULL)
2723 + tidy_line(tbuf, ibuf);
2724 + ilen = strlen(ibuf);
2725 + /* printf("step=%d ibuf=%s",step,ibuf); */
2728 + case 0: /* read preamble */
2729 + if (ibuf[0] == '\n')
2730 + { /* end of preamble */
2731 + if ((*algo == '\0') ||
2732 + (*amode == '\0') ||
2735 + printf("Missing Algorithm, Mode or KeySize (%s/%s/%d)\n",
2736 + algo,amode,akeysz);
2745 + else if (ibuf[0] != '#')
2747 + printf("Invalid preamble item: %s\n", ibuf);
2751 + { /* process preamble */
2752 + char *xp, *pp = ibuf+2;
2755 + { /* insert current time & date */
2756 + time_t rtim = time(0);
2757 + fprintf(rfp, "# %s", ctime(&rtim));
2762 + if (strncmp(pp, "AESVS ", 6) == 0)
2764 + strcpy(algo, "AES");
2765 + /* get test type */
2767 + xp = strchr(pp, ' ');
2769 + strncpy(atest, pp, n);
2772 + xp = strrchr(pp, ' '); /* get mode" */
2773 + n = strlen(xp+1)-1;
2774 + strncpy(amode, xp+1, n);
2776 + /* amode[3] = '\0'; */
2778 + printf("Test = %s, Mode = %s\n", atest, amode);
2780 + else if (strncasecmp(pp, "Key Length : ", 13) == 0)
2782 + akeysz = atoi(pp+13);
2784 + printf("Key size = %d\n", akeysz);
2790 + case 1: /* [ENCRYPT] | [DECRYPT] */
2791 + if (ibuf[0] == '[')
2795 + if (strncasecmp(ibuf, "[ENCRYPT]", 9) == 0)
2797 + else if (strncasecmp(ibuf, "[DECRYPT]", 9) == 0)
2801 + printf("Invalid keyword: %s\n", ibuf);
2806 + else if (dir == -1)
2809 + printf("Missing ENCRYPT/DECRYPT keyword\n");
2815 + case 2: /* KEY = xxxx */
2819 + if(!strncasecmp(ibuf,"COUNT = ",8))
2822 + if (strncasecmp(ibuf, "KEY = ", 6) != 0)
2824 + printf("Missing KEY\n");
2829 + len = hex2bin((char*)ibuf+6, aKey);
2832 + printf("Invalid KEY\n");
2836 + PrintValue("KEY", aKey, len);
2837 + if (strcmp(amode, "ECB") == 0)
2839 + memset(iVec, 0, sizeof(iVec));
2840 + step = (dir)? 4: 5; /* no ivec for ECB */
2847 + case 3: /* IV = xxxx */
2849 + if (strncasecmp(ibuf, "IV = ", 5) != 0)
2851 + printf("Missing IV\n");
2856 + len = hex2bin((char*)ibuf+5, iVec);
2859 + printf("Invalid IV\n");
2863 + PrintValue("IV", iVec, len);
2864 + step = (dir)? 4: 5;
2868 + case 4: /* PLAINTEXT = xxxx */
2870 + if (strncasecmp(ibuf, "PLAINTEXT = ", 12) != 0)
2872 + printf("Missing PLAINTEXT\n");
2877 + int nn = strlen(ibuf+12);
2878 + if(!strcmp(amode,"CFB1"))
2879 + len=bint2bin(ibuf+12,nn-1,plaintext);
2881 + len=hex2bin(ibuf+12, plaintext);
2884 + printf("Invalid PLAINTEXT: %s", ibuf+12);
2888 + if (len >= sizeof(plaintext))
2890 + printf("Buffer overflow\n");
2892 + PrintValue("PLAINTEXT", (unsigned char*)plaintext, len);
2893 + if (strcmp(atest, "MCT") == 0) /* Monte Carlo Test */
2895 + if(do_mct(amode, akeysz, aKey, iVec,
2896 + dir, (unsigned char*)plaintext, len,
2902 + ret = AESTest(&ctx, amode, akeysz, aKey, iVec,
2903 + dir, /* 0 = decrypt, 1 = encrypt */
2904 + plaintext, ciphertext, len);
2905 + OutputValue("CIPHERTEXT",ciphertext,len,rfp,
2906 + !strcmp(amode,"CFB1"));
2912 + case 5: /* CIPHERTEXT = xxxx */
2914 + if (strncasecmp(ibuf, "CIPHERTEXT = ", 13) != 0)
2916 + printf("Missing KEY\n");
2921 + if(!strcmp(amode,"CFB1"))
2922 + len=bint2bin(ibuf+13,strlen(ibuf+13)-1,ciphertext);
2924 + len = hex2bin(ibuf+13,ciphertext);
2927 + printf("Invalid CIPHERTEXT\n");
2932 + PrintValue("CIPHERTEXT", ciphertext, len);
2933 + if (strcmp(atest, "MCT") == 0) /* Monte Carlo Test */
2935 + do_mct(amode, akeysz, aKey, iVec,
2936 + dir, ciphertext, len, rfp);
2940 + ret = AESTest(&ctx, amode, akeysz, aKey, iVec,
2941 + dir, /* 0 = decrypt, 1 = encrypt */
2942 + plaintext, ciphertext, len);
2943 + OutputValue("PLAINTEXT",(unsigned char *)plaintext,len,rfp,
2944 + !strcmp(amode,"CFB1"));
2951 + if (ibuf[0] != '\n')
2954 + printf("Missing terminator\n");
2956 + else if (strcmp(atest, "MCT") != 0)
2957 + { /* MCT already added terminating nl */
2971 +/*--------------------------------------------------
2972 + Processes either a single file or
2973 + a set of files whose names are passed in a file.
2974 + A single file is specified as:
2975 + aes_test -f xxx.req
2976 + A set of files is specified as:
2977 + aes_test -d xxxxx.xxx
2978 + The default is: -d req.txt
2979 +--------------------------------------------------*/
2980 +int main(int argc, char **argv)
2982 + char *rqlist = "req.txt", *rspfile = NULL;
2984 + char fn[250] = "", rfn[256] = "";
2985 + int f_opt = 0, d_opt = 1;
2987 +#ifdef OPENSSL_FIPS
2988 + if(!FIPS_mode_set(1))
2990 + do_print_errors();
2996 + if (strcasecmp(argv[1], "-d") == 0)
3000 + else if (strcasecmp(argv[1], "-f") == 0)
3007 + printf("Invalid parameter: %s\n", argv[1]);
3012 + printf("Missing parameter\n");
3019 + strcpy(fn, argv[2]);
3020 + rspfile = argv[3];
3024 + { /* list of files (directory) */
3025 + if (!(fp = fopen(rqlist, "r")))
3027 + printf("Cannot open req list file\n");
3030 + while (fgets(fn, sizeof(fn), fp))
3032 + strtok(fn, "\r\n");
3035 + printf("Processing: %s\n", rfn);
3036 + if (proc_file(rfn, rspfile))
3038 + printf(">>> Processing failed for: %s <<<\n", rfn);
3044 + else /* single file */
3047 + printf("Processing: %s\n", fn);
3048 + if (proc_file(fn, rspfile))
3050 + printf(">>> Processing failed for: %s <<<\n", fn);
3058 diff -up openssl-1.0.1e/crypto/fips/cavs/fips_cmactest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_cmactest.c
3059 --- openssl-1.0.1e/crypto/fips/cavs/fips_cmactest.c.fips 2013-02-19 12:47:33.732118731 +0100
3060 +++ openssl-1.0.1e/crypto/fips/cavs/fips_cmactest.c 2013-02-19 12:47:33.732118731 +0100
3062 +/* fips_cmactest.c */
3063 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3066 +/* ====================================================================
3067 + * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
3069 + * Redistribution and use in source and binary forms, with or without
3070 + * modification, are permitted provided that the following conditions
3073 + * 1. Redistributions of source code must retain the above copyright
3074 + * notice, this list of conditions and the following disclaimer.
3076 + * 2. Redistributions in binary form must reproduce the above copyright
3077 + * notice, this list of conditions and the following disclaimer in
3078 + * the documentation and/or other materials provided with the
3081 + * 3. All advertising materials mentioning features or use of this
3082 + * software must display the following acknowledgment:
3083 + * "This product includes software developed by the OpenSSL Project
3084 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
3086 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
3087 + * endorse or promote products derived from this software without
3088 + * prior written permission. For written permission, please contact
3089 + * licensing@OpenSSL.org.
3091 + * 5. Products derived from this software may not be called "OpenSSL"
3092 + * nor may "OpenSSL" appear in their names without prior written
3093 + * permission of the OpenSSL Project.
3095 + * 6. Redistributions of any form whatsoever must retain the following
3097 + * "This product includes software developed by the OpenSSL Project
3098 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
3100 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
3101 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
3102 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
3103 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
3104 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
3105 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
3106 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
3107 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
3108 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
3109 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
3110 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
3111 + * OF THE POSSIBILITY OF SUCH DAMAGE.
3112 + * ====================================================================
3114 + * This product includes cryptographic software written by Eric Young
3115 + * (eay@cryptsoft.com). This product includes software written by Tim
3116 + * Hudson (tjh@cryptsoft.com).
3120 +#define OPENSSL_FIPSAPI
3124 +#include <string.h>
3125 +#include <openssl/bio.h>
3126 +#include <openssl/evp.h>
3127 +#include <openssl/cmac.h>
3128 +#include <openssl/err.h>
3129 +#include <openssl/bn.h>
3131 +#ifndef OPENSSL_FIPS
3133 +int main(int argc, char *argv[])
3135 + printf("No FIPS CMAC support\n");
3141 +#include <openssl/fips.h>
3142 +#include "fips_utl.h"
3144 +static int cmac_test(const EVP_CIPHER *cipher, FILE *out, FILE *in,
3145 + int mode, int Klen_counts_keys, int known_keylen);
3146 +static int print_cmac_gen(const EVP_CIPHER *cipher, FILE *out,
3147 + unsigned char *Key, int Klen,
3148 + unsigned char *Msg, int Msglen,
3150 +static int print_cmac_ver(const EVP_CIPHER *cipher, FILE *out,
3151 + unsigned char *Key, int Klen,
3152 + unsigned char *Msg, int Msglen,
3153 + unsigned char *Mac, int Maclen,
3157 +int fips_cmactest_main(int argc, char **argv)
3159 +int main(int argc, char **argv)
3162 + FILE *in = NULL, *out = NULL;
3163 + int mode = 0; /* 0 => Generate, 1 => Verify */
3164 + int Klen_counts_keys = 0; /* 0 => Klen is size of one key
3165 + 1 => Klen is amount of keys
3167 + int known_keylen = 0; /* Only set when Klen_counts_keys = 1 */
3168 + const EVP_CIPHER *cipher = 0;
3170 + fips_algtest_init();
3172 + while (argc > 1 && argv[1][0] == '-')
3174 + switch (argv[1][1])
3178 + char *p = &argv[1][2];
3183 + fprintf(stderr, "Option %s needs a value\n", argv[1]);
3190 + if (!strcmp(p, "aes128"))
3191 + cipher = EVP_aes_128_cbc();
3192 + else if (!strcmp(p, "aes192"))
3193 + cipher = EVP_aes_192_cbc();
3194 + else if (!strcmp(p, "aes256"))
3195 + cipher = EVP_aes_256_cbc();
3196 + else if (!strcmp(p, "tdea3") || !strcmp(p, "tdes3"))
3198 + cipher = EVP_des_ede3_cbc();
3199 + Klen_counts_keys = 1;
3204 + fprintf(stderr, "Unknown algorithm %s\n", p);
3216 + fprintf(stderr, "Unknown option %s\n", argv[1]);
3225 + in = fopen(argv[1], "r");
3230 + out = fopen(argv[2], "w");
3234 + fprintf(stderr, "FATAL input initialization error\n");
3240 + fprintf(stderr, "FATAL output initialization error\n");
3244 + if (!cmac_test(cipher, out, in, mode,
3245 + Klen_counts_keys, known_keylen))
3247 + fprintf(stderr, "FATAL cmac file processing error\n");
3255 + if (in && (in != stdin))
3257 + if (out && (out != stdout))
3264 +#define CMAC_TEST_MAXLINELEN 150000
3266 +int cmac_test(const EVP_CIPHER *cipher, FILE *out, FILE *in,
3267 + int mode, int Klen_counts_keys, int known_keylen)
3269 + char *linebuf, *olinebuf, *p, *q;
3270 + char *keyword, *value;
3271 + unsigned char **Keys = NULL, *Msg = NULL, *Mac = NULL;
3272 + unsigned char *Key = NULL;
3273 + int Count, Klen, Mlen, Tlen;
3274 + long Keylen, Msglen, Maclen;
3278 + olinebuf = OPENSSL_malloc(CMAC_TEST_MAXLINELEN);
3279 + linebuf = OPENSSL_malloc(CMAC_TEST_MAXLINELEN);
3281 + if (!linebuf || !olinebuf)
3289 + while (fgets(olinebuf, CMAC_TEST_MAXLINELEN, in))
3292 + strcpy(linebuf, olinebuf);
3293 + keyword = linebuf;
3294 + /* Skip leading space */
3295 + while (isspace((unsigned char)*keyword))
3298 + /* Skip comments */
3299 + if (keyword[0] == '#')
3301 + if (fputs(olinebuf, out) < 0)
3306 + /* Look for = sign */
3307 + p = strchr(linebuf, '=');
3309 + /* If no = or starts with [ (for [L=20] line) just copy */
3312 + if (fputs(olinebuf, out) < 0)
3319 + /* Remove trailing space */
3320 + while (isspace((unsigned char)*q))
3326 + /* Remove leading space from value */
3327 + while (isspace((unsigned char)*value))
3330 + /* Remove trailing space from value */
3331 + p = value + strlen(value) - 1;
3333 + while (*p == '\n' || isspace((unsigned char)*p))
3336 + if (!strcmp(keyword, "Count"))
3340 + Count = atoi(value);
3344 + else if (!strcmp(keyword, "Klen"))
3348 + Klen = atoi(value);
3351 + if (Klen_counts_keys)
3353 + Keys = OPENSSL_malloc(sizeof(*Keys) * Klen);
3354 + memset(Keys, '\0', sizeof(*Keys) * Klen);
3358 + Keys = OPENSSL_malloc(sizeof(*Keys));
3359 + memset(Keys, '\0', sizeof(*Keys));
3362 + else if (!strcmp(keyword, "Mlen"))
3366 + Mlen = atoi(value);
3370 + else if (!strcmp(keyword, "Tlen"))
3374 + Tlen = atoi(value);
3378 + else if (!strcmp(keyword, "Key") && !Klen_counts_keys)
3382 + Keys[0] = hex2bin_m(value, &Keylen);
3386 + else if (!strncmp(keyword, "Key", 3) && Klen_counts_keys)
3388 + int keynum = atoi(keyword + 3);
3389 + if (!keynum || keynum > Klen || Keys[keynum-1])
3391 + Keys[keynum-1] = hex2bin_m(value, &Keylen);
3392 + if (!Keys[keynum-1])
3395 + else if (!strcmp(keyword, "Msg"))
3399 + Msg = hex2bin_m(value, &Msglen);
3403 + else if (!strcmp(keyword, "Mac"))
3409 + Mac = hex2bin_m(value, &Maclen);
3413 + else if (!strcmp(keyword, "Result"))
3422 + fputs(olinebuf, out);
3424 + if (Keys && Msg && (!mode || Mac) && (Tlen > 0) && (Klen > 0))
3426 + if (Klen_counts_keys)
3429 + Key = OPENSSL_malloc(Klen * known_keylen);
3430 + for (x = 0; x < Klen; x++)
3432 + memcpy(Key + x * known_keylen,
3433 + Keys[x], known_keylen);
3434 + OPENSSL_free(Keys[x]);
3436 + Klen *= known_keylen;
3440 + Key = OPENSSL_malloc(Klen);
3441 + memcpy(Key, Keys[0], Klen);
3442 + OPENSSL_free(Keys[0]);
3444 + OPENSSL_free(Keys);
3449 + if (!print_cmac_gen(cipher, out,
3456 + if (!print_cmac_ver(cipher, out,
3465 + OPENSSL_free(Key);
3467 + OPENSSL_free(Msg);
3469 + OPENSSL_free(Mac);
3485 + OPENSSL_free(olinebuf);
3487 + OPENSSL_free(linebuf);
3489 + OPENSSL_free(Key);
3491 + OPENSSL_free(Msg);
3493 + OPENSSL_free(Mac);
3499 + fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
3505 +static int print_cmac_gen(const EVP_CIPHER *cipher, FILE *out,
3506 + unsigned char *Key, int Klen,
3507 + unsigned char *Msg, int Mlen,
3512 + unsigned char res[128];
3513 + CMAC_CTX *cmac_ctx = CMAC_CTX_new();
3515 + CMAC_Init(cmac_ctx, Key, Klen, cipher, 0);
3516 + CMAC_Update(cmac_ctx, Msg, Mlen);
3517 + if (!CMAC_Final(cmac_ctx, res, &reslen))
3519 + fputs("Error calculating CMAC\n", stderr);
3522 + else if (Tlen > (int)reslen)
3524 + fputs("Parameter error, Tlen > CMAC length\n", stderr);
3529 + fputs("Mac = ", out);
3530 + for (i = 0; i < Tlen; i++)
3531 + fprintf(out, "%02x", res[i]);
3532 + fputs(RESP_EOL, out);
3535 + CMAC_CTX_free(cmac_ctx);
3539 +static int print_cmac_ver(const EVP_CIPHER *cipher, FILE *out,
3540 + unsigned char *Key, int Klen,
3541 + unsigned char *Msg, int Mlen,
3542 + unsigned char *Mac, int Maclen,
3547 + unsigned char res[128];
3548 + CMAC_CTX *cmac_ctx = CMAC_CTX_new();
3550 + CMAC_Init(cmac_ctx, Key, Klen, cipher, 0);
3551 + CMAC_Update(cmac_ctx, Msg, Mlen);
3552 + if (!CMAC_Final(cmac_ctx, res, &reslen))
3554 + fputs("Error calculating CMAC\n", stderr);
3557 + else if (Tlen > (int)reslen)
3559 + fputs("Parameter error, Tlen > CMAC length\n", stderr);
3562 + else if (Tlen != Maclen)
3564 + fputs("Parameter error, Tlen != resulting Mac length\n", stderr);
3569 + if (!memcmp(Mac, res, Maclen))
3570 + fputs("Result = P" RESP_EOL, out);
3572 + fputs("Result = F" RESP_EOL, out);
3574 + CMAC_CTX_free(cmac_ctx);
3579 diff -up openssl-1.0.1e/crypto/fips/cavs/fips_desmovs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_desmovs.c
3580 --- openssl-1.0.1e/crypto/fips/cavs/fips_desmovs.c.fips 2013-02-19 12:47:33.733118752 +0100
3581 +++ openssl-1.0.1e/crypto/fips/cavs/fips_desmovs.c 2013-02-19 12:47:33.733118752 +0100
3583 +/* ====================================================================
3584 + * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
3586 + * Redistribution and use in source and binary forms, with or without
3587 + * modification, are permitted provided that the following conditions
3590 + * 1. Redistributions of source code must retain the above copyright
3591 + * notice, this list of conditions and the following disclaimer.
3593 + * 2. Redistributions in binary form must reproduce the above copyright
3594 + * notice, this list of conditions and the following disclaimer in
3595 + * the documentation and/or other materials provided with the
3598 + * 3. All advertising materials mentioning features or use of this
3599 + * software must display the following acknowledgment:
3600 + * "This product includes software developed by the OpenSSL Project
3601 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
3603 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
3604 + * endorse or promote products derived from this software without
3605 + * prior written permission. For written permission, please contact
3606 + * openssl-core@openssl.org.
3608 + * 5. Products derived from this software may not be called "OpenSSL"
3609 + * nor may "OpenSSL" appear in their names without prior written
3610 + * permission of the OpenSSL Project.
3612 + * 6. Redistributions of any form whatsoever must retain the following
3614 + * "This product includes software developed by the OpenSSL Project
3615 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
3617 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
3618 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
3619 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
3620 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
3621 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
3622 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
3623 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
3624 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
3625 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
3626 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
3627 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
3628 + * OF THE POSSIBILITY OF SUCH DAMAGE.
3631 +/*---------------------------------------------
3632 + NIST DES Modes of Operation Validation System
3635 + Based on the AES Validation Suite, which was:
3636 + Donated to OpenSSL by:
3638 + 20250 Century Blvd, Suite 300
3639 + Germantown, MD 20874
3641 + ----------------------------------------------*/
3644 +#include <stdlib.h>
3645 +#include <string.h>
3647 +#include <assert.h>
3649 +#include <openssl/des.h>
3650 +#include <openssl/evp.h>
3651 +#include <openssl/bn.h>
3653 +#include <openssl/err.h>
3656 +#ifndef OPENSSL_FIPS
3658 +int main(int argc, char *argv[])
3660 + printf("No FIPS DES support\n");
3666 +#include <openssl/fips.h>
3667 +#include "fips_utl.h"
3669 +#define DES_BLOCK_SIZE 8
3673 +int DESTest(EVP_CIPHER_CTX *ctx,
3674 + char *amode, int akeysz, unsigned char *aKey,
3675 + unsigned char *iVec,
3676 + int dir, /* 0 = decrypt, 1 = encrypt */
3677 + unsigned char *out, unsigned char *in, int len)
3679 + const EVP_CIPHER *cipher = NULL;
3681 + if (akeysz != 192)
3683 + printf("Invalid key size: %d\n", akeysz);
3687 + if (strcasecmp(amode, "CBC") == 0)
3688 + cipher = EVP_des_ede3_cbc();
3689 + else if (strcasecmp(amode, "ECB") == 0)
3690 + cipher = EVP_des_ede3_ecb();
3691 + else if (strcasecmp(amode, "CFB64") == 0)
3692 + cipher = EVP_des_ede3_cfb64();
3693 + else if (strncasecmp(amode, "OFB", 3) == 0)
3694 + cipher = EVP_des_ede3_ofb();
3695 + else if(!strcasecmp(amode,"CFB8"))
3696 + cipher = EVP_des_ede3_cfb8();
3697 + else if(!strcasecmp(amode,"CFB1"))
3698 + cipher = EVP_des_ede3_cfb1();
3701 + printf("Unknown mode: %s\n", amode);
3705 + if (EVP_CipherInit_ex(ctx, cipher, NULL, aKey, iVec, dir) <= 0)
3707 + if(!strcasecmp(amode,"CFB1"))
3708 + M_EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS);
3709 + EVP_Cipher(ctx, out, in, len);
3714 +void DebugValue(char *tag, unsigned char *val, int len)
3718 + olen = bin2hex(val, len, obuf);
3719 + printf("%s = %.*s\n", tag, olen, obuf);
3722 +void shiftin(unsigned char *dst,unsigned char *src,int nbits)
3726 + /* move the bytes... */
3727 + memmove(dst,dst+nbits/8,3*8-nbits/8);
3728 + /* append new data */
3729 + memcpy(dst+3*8-nbits/8,src,(nbits+7)/8);
3730 + /* left shift the bits */
3732 + for(n=0 ; n < 3*8 ; ++n)
3733 + dst[n]=(dst[n] << (nbits%8))|(dst[n+1] >> (8-nbits%8));
3736 +/*-----------------------------------------------*/
3737 +char *t_tag[2] = {"PLAINTEXT", "CIPHERTEXT"};
3738 +char *t_mode[6] = {"CBC","ECB","OFB","CFB1","CFB8","CFB64"};
3739 +enum Mode {CBC, ECB, OFB, CFB1, CFB8, CFB64};
3740 +int Sizes[6]={64,64,64,1,8,64};
3742 +void do_mct(char *amode,
3743 + int akeysz, int numkeys, unsigned char *akey,unsigned char *ivec,
3744 + int dir, unsigned char *text, int len,
3748 + unsigned char nk[4*8]; /* longest key+8 */
3749 + unsigned char text0[8];
3751 + for (imode=0 ; imode < 6 ; ++imode)
3752 + if(!strcmp(amode,t_mode[imode]))
3756 + printf("Unrecognized mode: %s\n", amode);
3760 + for(i=0 ; i < 400 ; ++i)
3765 + unsigned char old_iv[8];
3766 + EVP_CIPHER_CTX ctx;
3767 + EVP_CIPHER_CTX_init(&ctx);
3769 + fprintf(rfp,"\nCOUNT = %d\n",i);
3771 + OutputValue("KEY",akey,8,rfp,0);
3773 + for(n=0 ; n < kp ; ++n)
3775 + fprintf(rfp,"KEY%d",n+1);
3776 + OutputValue("",akey+n*8,8,rfp,0);
3780 + OutputValue("IV",ivec,8,rfp,0);
3781 + OutputValue(t_tag[dir^1],text,len,rfp,imode == CFB1);
3783 + /* compensate for endianness */
3787 + memcpy(text0,text,8);
3789 + for(j=0 ; j < 10000 ; ++j)
3791 + unsigned char old_text[8];
3793 + memcpy(old_text,text,8);
3796 + memcpy(old_iv,ivec,8);
3797 + DESTest(&ctx,amode,akeysz,akey,ivec,dir,text,text,len);
3801 + memcpy(old_iv,ctx.iv,8);
3802 + EVP_Cipher(&ctx,text,text,len);
3806 + OutputValue(t_tag[dir],text,len,rfp,imode == CFB1);
3807 + /* memcpy(ivec,text,8); */
3809 + /* DebugValue("iv",ctx.iv,8); */
3810 + /* accumulate material for the next key */
3811 + shiftin(nk,text,Sizes[imode]);
3812 + /* DebugValue("nk",nk,24);*/
3813 + if((dir && (imode == CFB1 || imode == CFB8 || imode == CFB64
3814 + || imode == CBC)) || imode == OFB)
3815 + memcpy(text,old_iv,8);
3817 + if(!dir && (imode == CFB1 || imode == CFB8 || imode == CFB64))
3819 + /* the test specifies using the output of the raw DES operation
3820 + which we don't have, so reconstruct it... */
3821 + for(n=0 ; n < 8 ; ++n)
3822 + text[n]^=old_text[n];
3825 + for(n=0 ; n < 8 ; ++n)
3826 + akey[n]^=nk[16+n];
3827 + for(n=0 ; n < 8 ; ++n)
3828 + akey[8+n]^=nk[8+n];
3829 + for(n=0 ; n < 8 ; ++n)
3830 + akey[16+n]^=nk[n];
3832 + memcpy(&akey[2*8],akey,8);
3834 + memcpy(&akey[8],akey,8);
3835 + DES_set_odd_parity((DES_cblock *)akey);
3836 + DES_set_odd_parity((DES_cblock *)(akey+8));
3837 + DES_set_odd_parity((DES_cblock *)(akey+16));
3838 + memcpy(ivec,ctx.iv,8);
3840 + /* pointless exercise - the final text doesn't depend on the
3841 + initial text in OFB mode, so who cares what it is? (Who
3842 + designed these tests?) */
3844 + for(n=0 ; n < 8 ; ++n)
3845 + text[n]=text0[n]^old_iv[n];
3849 +int proc_file(char *rqfile, char *rspfile)
3851 + char afn[256], rfn[256];
3852 + FILE *afp = NULL, *rfp = NULL;
3853 + char ibuf[2048], tbuf[2048];
3854 + int ilen, len, ret = 0;
3855 + char amode[8] = "";
3856 + char atest[100] = "";
3858 + unsigned char iVec[20], aKey[40];
3859 + int dir = -1, err = 0, step = 0;
3860 + unsigned char plaintext[2048];
3861 + unsigned char ciphertext[2048];
3863 + EVP_CIPHER_CTX ctx;
3865 + EVP_CIPHER_CTX_init(&ctx);
3867 + if (!rqfile || !(*rqfile))
3869 + printf("No req file\n");
3872 + strcpy(afn, rqfile);
3874 + if ((afp = fopen(afn, "r")) == NULL)
3876 + printf("Cannot open file: %s, %s\n",
3877 + afn, strerror(errno));
3883 + rp=strstr(rfn,"req/");
3884 +#ifdef OPENSSL_SYS_WIN32
3886 + rp=strstr(rfn,"req\\");
3889 + memcpy(rp,"rsp",3);
3890 + rp = strstr(rfn, ".req");
3891 + memcpy(rp, ".rsp", 4);
3894 + if ((rfp = fopen(rspfile, "w")) == NULL)
3896 + printf("Cannot open file: %s, %s\n",
3897 + rfn, strerror(errno));
3902 + while (!err && (fgets(ibuf, sizeof(ibuf), afp)) != NULL)
3904 + tidy_line(tbuf, ibuf);
3905 + ilen = strlen(ibuf);
3906 + /* printf("step=%d ibuf=%s",step,ibuf);*/
3907 + if(step == 3 && !strcmp(amode,"ECB"))
3909 + memset(iVec, 0, sizeof(iVec));
3910 + step = (dir)? 4: 5; /* no ivec for ECB */
3914 + case 0: /* read preamble */
3915 + if (ibuf[0] == '\n')
3916 + { /* end of preamble */
3917 + if (*amode == '\0')
3919 + printf("Missing Mode\n");
3928 + else if (ibuf[0] != '#')
3930 + printf("Invalid preamble item: %s\n", ibuf);
3934 + { /* process preamble */
3935 + char *xp, *pp = ibuf+2;
3938 + { /* insert current time & date */
3939 + time_t rtim = time(0);
3940 + fprintf(rfp, "# %s", ctime(&rtim));
3945 + if(!strncmp(pp,"INVERSE ",8) || !strncmp(pp,"DES ",4)
3946 + || !strncmp(pp,"TDES ",5)
3947 + || !strncmp(pp,"PERMUTATION ",12)
3948 + || !strncmp(pp,"SUBSTITUTION ",13)
3949 + || !strncmp(pp,"VARIABLE ",9))
3951 + /* get test type */
3952 + if(!strncmp(pp,"DES ",4))
3954 + else if(!strncmp(pp,"TDES ",5))
3956 + xp = strchr(pp, ' ');
3958 + strncpy(atest, pp, n);
3961 + xp = strrchr(pp, ' '); /* get mode" */
3962 + n = strlen(xp+1)-1;
3963 + strncpy(amode, xp+1, n);
3965 + /* amode[3] = '\0'; */
3967 + printf("Test=%s, Mode=%s\n",atest,amode);
3973 + case 1: /* [ENCRYPT] | [DECRYPT] */
3974 + if(ibuf[0] == '\n')
3976 + if (ibuf[0] == '[')
3980 + if (strncasecmp(ibuf, "[ENCRYPT]", 9) == 0)
3982 + else if (strncasecmp(ibuf, "[DECRYPT]", 9) == 0)
3986 + printf("Invalid keyword: %s\n", ibuf);
3991 + else if (dir == -1)
3994 + printf("Missing ENCRYPT/DECRYPT keyword\n");
4000 + case 2: /* KEY = xxxx */
4006 + if(!strncasecmp(ibuf,"COUNT = ",8))
4011 + if(!strncasecmp(ibuf,"COUNT=",6))
4016 + if(!strncasecmp(ibuf,"NumKeys = ",10))
4018 + numkeys=atoi(ibuf+10);
4023 + if(!strncasecmp(ibuf,"KEY = ",6))
4026 + len = hex2bin((char*)ibuf+6, aKey);
4029 + printf("Invalid KEY\n");
4033 + PrintValue("KEY", aKey, len);
4036 + else if(!strncasecmp(ibuf,"KEYs = ",7))
4039 + len=hex2bin(ibuf+7,aKey);
4042 + printf("Invalid KEY\n");
4046 + memcpy(aKey+8,aKey,8);
4047 + memcpy(aKey+16,aKey,8);
4049 + PrintValue("KEYs",aKey,len);
4052 + else if(!strncasecmp(ibuf,"KEY",3))
4054 + int n=ibuf[3]-'1';
4057 + len=hex2bin(ibuf+7,aKey+n*8);
4060 + printf("Invalid KEY\n");
4065 + PrintValue(ibuf,aKey,len);
4071 + printf("Missing KEY\n");
4076 + case 3: /* IV = xxxx */
4078 + if (strncasecmp(ibuf, "IV = ", 5) != 0)
4080 + printf("Missing IV\n");
4085 + len = hex2bin((char*)ibuf+5, iVec);
4088 + printf("Invalid IV\n");
4092 + PrintValue("IV", iVec, len);
4093 + step = (dir)? 4: 5;
4097 + case 4: /* PLAINTEXT = xxxx */
4099 + if (strncasecmp(ibuf, "PLAINTEXT = ", 12) != 0)
4101 + printf("Missing PLAINTEXT\n");
4106 + int nn = strlen(ibuf+12);
4107 + if(!strcmp(amode,"CFB1"))
4108 + len=bint2bin(ibuf+12,nn-1,plaintext);
4110 + len=hex2bin(ibuf+12, plaintext);
4113 + printf("Invalid PLAINTEXT: %s", ibuf+12);
4117 + if (len >= sizeof(plaintext))
4119 + printf("Buffer overflow\n");
4121 + PrintValue("PLAINTEXT", (unsigned char*)plaintext, len);
4122 + if (strcmp(atest, "Monte") == 0) /* Monte Carlo Test */
4124 + do_mct(amode,akeysz,numkeys,aKey,iVec,dir,plaintext,len,rfp);
4129 + ret = DESTest(&ctx, amode, akeysz, aKey, iVec,
4130 + dir, /* 0 = decrypt, 1 = encrypt */
4131 + ciphertext, plaintext, len);
4132 + OutputValue("CIPHERTEXT",ciphertext,len,rfp,
4133 + !strcmp(amode,"CFB1"));
4139 + case 5: /* CIPHERTEXT = xxxx */
4141 + if (strncasecmp(ibuf, "CIPHERTEXT = ", 13) != 0)
4143 + printf("Missing KEY\n");
4148 + if(!strcmp(amode,"CFB1"))
4149 + len=bint2bin(ibuf+13,strlen(ibuf+13)-1,ciphertext);
4151 + len = hex2bin(ibuf+13,ciphertext);
4154 + printf("Invalid CIPHERTEXT\n");
4159 + PrintValue("CIPHERTEXT", ciphertext, len);
4160 + if (strcmp(atest, "Monte") == 0) /* Monte Carlo Test */
4162 + do_mct(amode, akeysz, numkeys, aKey, iVec,
4163 + dir, ciphertext, len, rfp);
4168 + ret = DESTest(&ctx, amode, akeysz, aKey, iVec,
4169 + dir, /* 0 = decrypt, 1 = encrypt */
4170 + plaintext, ciphertext, len);
4171 + OutputValue("PLAINTEXT",(unsigned char *)plaintext,len,rfp,
4172 + !strcmp(amode,"CFB1"));
4179 + if (ibuf[0] != '\n')
4182 + printf("Missing terminator\n");
4184 + else if (strcmp(atest, "MCT") != 0)
4185 + { /* MCT already added terminating nl */
4199 +/*--------------------------------------------------
4200 + Processes either a single file or
4201 + a set of files whose names are passed in a file.
4202 + A single file is specified as:
4203 + aes_test -f xxx.req
4204 + A set of files is specified as:
4205 + aes_test -d xxxxx.xxx
4206 + The default is: -d req.txt
4207 +--------------------------------------------------*/
4208 +int main(int argc, char **argv)
4210 + char *rqlist = "req.txt", *rspfile = NULL;
4212 + char fn[250] = "", rfn[256] = "";
4213 + int f_opt = 0, d_opt = 1;
4215 +#ifdef OPENSSL_FIPS
4216 + if(!FIPS_mode_set(1))
4218 + do_print_errors();
4224 + if (strcasecmp(argv[1], "-d") == 0)
4228 + else if (strcasecmp(argv[1], "-f") == 0)
4235 + printf("Invalid parameter: %s\n", argv[1]);
4240 + printf("Missing parameter\n");
4247 + strcpy(fn, argv[2]);
4248 + rspfile = argv[3];
4252 + { /* list of files (directory) */
4253 + if (!(fp = fopen(rqlist, "r")))
4255 + printf("Cannot open req list file\n");
4258 + while (fgets(fn, sizeof(fn), fp))
4260 + strtok(fn, "\r\n");
4262 + printf("Processing: %s\n", rfn);
4263 + if (proc_file(rfn, rspfile))
4265 + printf(">>> Processing failed for: %s <<<\n", rfn);
4271 + else /* single file */
4274 + printf("Processing: %s\n", fn);
4275 + if (proc_file(fn, rspfile))
4277 + printf(">>> Processing failed for: %s <<<\n", fn);
4285 diff -up openssl-1.0.1e/crypto/fips/cavs/fips_dhvs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_dhvs.c
4286 --- openssl-1.0.1e/crypto/fips/cavs/fips_dhvs.c.fips 2013-02-19 12:47:33.733118752 +0100
4287 +++ openssl-1.0.1e/crypto/fips/cavs/fips_dhvs.c 2013-02-19 12:47:33.733118752 +0100
4289 +/* fips/dh/fips_dhvs.c */
4290 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
4293 +/* ====================================================================
4294 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
4296 + * Redistribution and use in source and binary forms, with or without
4297 + * modification, are permitted provided that the following conditions
4300 + * 1. Redistributions of source code must retain the above copyright
4301 + * notice, this list of conditions and the following disclaimer.
4303 + * 2. Redistributions in binary form must reproduce the above copyright
4304 + * notice, this list of conditions and the following disclaimer in
4305 + * the documentation and/or other materials provided with the
4308 + * 3. All advertising materials mentioning features or use of this
4309 + * software must display the following acknowledgment:
4310 + * "This product includes software developed by the OpenSSL Project
4311 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
4313 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
4314 + * endorse or promote products derived from this software without
4315 + * prior written permission. For written permission, please contact
4316 + * licensing@OpenSSL.org.
4318 + * 5. Products derived from this software may not be called "OpenSSL"
4319 + * nor may "OpenSSL" appear in their names without prior written
4320 + * permission of the OpenSSL Project.
4322 + * 6. Redistributions of any form whatsoever must retain the following
4324 + * "This product includes software developed by the OpenSSL Project
4325 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
4327 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
4328 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
4329 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
4330 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
4331 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
4332 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
4333 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
4334 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
4335 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
4336 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
4337 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
4338 + * OF THE POSSIBILITY OF SUCH DAMAGE.
4339 + * ====================================================================
4343 +#define OPENSSL_FIPSAPI
4344 +#include <openssl/opensslconf.h>
4346 +#ifndef OPENSSL_FIPS
4349 +int main(int argc, char **argv)
4351 + printf("No FIPS DH support\n");
4356 +#include <openssl/crypto.h>
4357 +#include <openssl/bn.h>
4358 +#include <openssl/dh.h>
4359 +#include <openssl/fips.h>
4360 +#include <openssl/err.h>
4361 +#include <openssl/evp.h>
4362 +#include <string.h>
4365 +#include "fips_utl.h"
4367 +static const EVP_MD *parse_md(char *line)
4370 + if (line[0] != '[' || line[1] != 'F')
4372 + p = strchr(line, '-');
4376 + p = strchr(line, ']');
4381 + while(isspace(*p))
4383 + if (!strcmp(p, "SHA1"))
4384 + return EVP_sha1();
4385 + else if (!strcmp(p, "SHA224"))
4386 + return EVP_sha224();
4387 + else if (!strcmp(p, "SHA256"))
4388 + return EVP_sha256();
4389 + else if (!strcmp(p, "SHA384"))
4390 + return EVP_sha384();
4391 + else if (!strcmp(p, "SHA512"))
4392 + return EVP_sha512();
4397 +static void output_Zhash(FILE *out, int exout,
4398 + DH *dh, BIGNUM *peerkey, const EVP_MD *md,
4399 + unsigned char *rhash, size_t rhashlen)
4402 + unsigned char chash[EVP_MAX_MD_SIZE];
4404 + if (rhash == NULL)
4406 + rhashlen = M_EVP_MD_size(md);
4407 + if (!DH_generate_key(dh))
4409 + do_bn_print_name(out, "YephemIUT", dh->pub_key);
4411 + do_bn_print_name(out, "XephemIUT", dh->priv_key);
4413 + Z = OPENSSL_malloc(BN_num_bytes(dh->p));
4416 + Zlen = DH_compute_key_padded(Z, peerkey, dh);
4418 + OutputValue("Z", Z, Zlen, out, 0);
4419 + FIPS_digest(Z, Zlen, chash, NULL, md);
4420 + OutputValue(rhash ? "IUTHashZZ" : "HashZZ", chash, rhashlen, out, 0);
4423 + fprintf(out, "Result = %s\n",
4424 + memcmp(chash, rhash, rhashlen) ? "F" : "P");
4428 + BN_clear_free(dh->priv_key);
4429 + BN_clear_free(dh->pub_key);
4430 + dh->priv_key = NULL;
4431 + dh->pub_key = NULL;
4433 + OPENSSL_cleanse(Z, Zlen);
4438 +int fips_dhvs_main(int argc, char **argv)
4440 +int main(int argc, char **argv)
4443 + char **args = argv + 1;
4444 + int argn = argc - 1;
4446 + char buf[2048], lbuf[2048];
4447 + unsigned char *rhash;
4450 + const EVP_MD *md = NULL;
4451 + BIGNUM *peerkey = NULL;
4452 + char *keyword = NULL, *value = NULL;
4453 + int do_verify = -1, exout = 0;
4455 + fips_algtest_init();
4457 + if (argn && !strcmp(*args, "dhver"))
4463 + else if (argn && !strcmp(*args, "dhgen"))
4470 + if (argn && !strcmp(*args, "-exout"))
4477 + if (do_verify == -1)
4479 + fprintf(stderr,"%s [dhver|dhgen|] [-exout] (infile outfile)\n",argv[0]);
4485 + in = fopen(*args, "r");
4488 + fprintf(stderr, "Error opening input file\n");
4491 + out = fopen(args[1], "w");
4494 + fprintf(stderr, "Error opening output file\n");
4498 + else if (argn == 0)
4505 + fprintf(stderr,"%s [dhver|dhgen|] [-exout] (infile outfile)\n",argv[0]);
4509 + dh = FIPS_dh_new();
4511 + while (fgets(buf, sizeof(buf), in) != NULL)
4514 + if (strlen(buf) > 6 && !strncmp(buf, "[F", 2))
4516 + md = parse_md(buf);
4521 + dh = FIPS_dh_new();
4524 + if (!parse_line(&keyword, &value, lbuf, buf))
4526 + if (!strcmp(keyword, "P"))
4528 + if (!do_hex2bn(&dh->p, value))
4531 + else if (!strcmp(keyword, "Q"))
4533 + if (!do_hex2bn(&dh->q, value))
4536 + else if (!strcmp(keyword, "G"))
4538 + if (!do_hex2bn(&dh->g, value))
4541 + else if (!strcmp(keyword, "XephemIUT"))
4543 + if (!do_hex2bn(&dh->priv_key, value))
4546 + else if (!strcmp(keyword, "YephemIUT"))
4548 + if (!do_hex2bn(&dh->pub_key, value))
4551 + else if (!strcmp(keyword, "YephemCAVS"))
4553 + if (!do_hex2bn(&peerkey, value))
4555 + if (do_verify == 0)
4556 + output_Zhash(out, exout, dh, peerkey, md,
4559 + else if (!strcmp(keyword, "CAVSHashZZ"))
4563 + rhash = hex2bin_m(value, &rhashlen);
4564 + if (!rhash || rhashlen != M_EVP_MD_size(md))
4566 + output_Zhash(out, exout, dh, peerkey, md,
4570 + if (in && in != stdin)
4572 + if (out && out != stdout)
4576 + fprintf(stderr, "Error Parsing request file\n");
4581 diff -up openssl-1.0.1e/crypto/fips/cavs/fips_drbgvs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_drbgvs.c
4582 --- openssl-1.0.1e/crypto/fips/cavs/fips_drbgvs.c.fips 2013-02-19 12:47:33.733118752 +0100
4583 +++ openssl-1.0.1e/crypto/fips/cavs/fips_drbgvs.c 2013-02-19 12:47:33.733118752 +0100
4585 +/* fips/rand/fips_drbgvs.c */
4586 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
4589 +/* ====================================================================
4590 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
4592 + * Redistribution and use in source and binary forms, with or without
4593 + * modification, are permitted provided that the following conditions
4596 + * 1. Redistributions of source code must retain the above copyright
4597 + * notice, this list of conditions and the following disclaimer.
4599 + * 2. Redistributions in binary form must reproduce the above copyright
4600 + * notice, this list of conditions and the following disclaimer in
4601 + * the documentation and/or other materials provided with the
4604 + * 3. All advertising materials mentioning features or use of this
4605 + * software must display the following acknowledgment:
4606 + * "This product includes software developed by the OpenSSL Project
4607 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
4609 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
4610 + * endorse or promote products derived from this software without
4611 + * prior written permission. For written permission, please contact
4612 + * licensing@OpenSSL.org.
4614 + * 5. Products derived from this software may not be called "OpenSSL"
4615 + * nor may "OpenSSL" appear in their names without prior written
4616 + * permission of the OpenSSL Project.
4618 + * 6. Redistributions of any form whatsoever must retain the following
4620 + * "This product includes software developed by the OpenSSL Project
4621 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
4623 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
4624 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
4625 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
4626 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
4627 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
4628 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
4629 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
4630 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
4631 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
4632 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
4633 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
4634 + * OF THE POSSIBILITY OF SUCH DAMAGE.
4635 + * ====================================================================
4639 +#define OPENSSL_FIPSAPI
4640 +#include <openssl/opensslconf.h>
4642 +#ifndef OPENSSL_FIPS
4645 +int main(int argc, char **argv)
4647 + printf("No FIPS DRBG support\n");
4652 +#include <openssl/bn.h>
4653 +#include <openssl/dsa.h>
4654 +#include <openssl/fips.h>
4655 +#include <openssl/fips_rand.h>
4656 +#include <openssl/err.h>
4657 +#include <openssl/evp.h>
4658 +#include <string.h>
4661 +#include "fips_utl.h"
4663 +static int dparse_md(char *str)
4665 + switch(atoi(str + 5))
4671 + return NID_sha224;
4674 + return NID_sha256;
4677 + return NID_sha384;
4680 + return NID_sha512;
4687 +static int parse_ec(char *str)
4689 + int curve_nid, md_nid;
4691 + md = strchr(str, ' ');
4694 + if (!strncmp(str, "[P-256", 6))
4695 + curve_nid = NID_X9_62_prime256v1;
4696 + else if (!strncmp(str, "[P-384", 6))
4697 + curve_nid = NID_secp384r1;
4698 + else if (!strncmp(str, "[P-521", 6))
4699 + curve_nid = NID_secp521r1;
4702 + md_nid = dparse_md(md);
4703 + if (md_nid == NID_undef)
4705 + return (curve_nid << 16) | md_nid;
4708 +static int parse_aes(char *str, int *pdf)
4711 + if (!strncmp(str + 9, "no", 2))
4714 + *pdf = DRBG_FLAG_CTR_USE_DF;
4716 + switch(atoi(str + 5))
4719 + return NID_aes_128_ctr;
4722 + return NID_aes_192_ctr;
4725 + return NID_aes_256_ctr;
4735 + unsigned char *ent;
4737 + unsigned char *nonce;
4741 +static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
4742 + int entropy, size_t min_len, size_t max_len)
4744 + TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
4745 + *pout = (unsigned char *)t->ent;
4749 +static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
4750 + int entropy, size_t min_len, size_t max_len)
4752 + TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
4753 + *pout = (unsigned char *)t->nonce;
4754 + return t->noncelen;
4758 +int fips_drbgvs_main(int argc,char **argv)
4760 +int main(int argc,char **argv)
4763 + FILE *in = NULL, *out = NULL;
4764 + DRBG_CTX *dctx = NULL;
4768 + char buf[2048], lbuf[2048];
4769 + unsigned char randout[2048];
4770 + char *keyword = NULL, *value = NULL;
4772 + unsigned char *ent = NULL, *nonce = NULL, *pers = NULL, *adin = NULL;
4773 + long entlen, noncelen, perslen, adinlen;
4776 + enum dtype { DRBG_NONE, DRBG_CTR, DRBG_HASH, DRBG_HMAC, DRBG_DUAL_EC }
4777 + drbg_type = DRBG_NONE;
4779 + int randoutlen = 0;
4783 + fips_algtest_init();
4787 + in = fopen(argv[1], "r");
4790 + fprintf(stderr, "Error opening input file\n");
4793 + out = fopen(argv[2], "w");
4796 + fprintf(stderr, "Error opening output file\n");
4800 + else if (argc == 1)
4807 + fprintf(stderr,"%s (infile outfile)\n",argv[0]);
4811 + while (fgets(buf, sizeof(buf), in) != NULL)
4814 + if (drbg_type == DRBG_NONE)
4816 + if (strstr(buf, "CTR_DRBG"))
4817 + drbg_type = DRBG_CTR;
4818 + else if (strstr(buf, "Hash_DRBG"))
4819 + drbg_type = DRBG_HASH;
4820 + else if (strstr(buf, "HMAC_DRBG"))
4821 + drbg_type = DRBG_HMAC;
4822 + else if (strstr(buf, "Dual_EC_DRBG"))
4823 + drbg_type = DRBG_DUAL_EC;
4827 + if (strlen(buf) > 4 && !strncmp(buf, "[SHA-", 5))
4829 + nid = dparse_md(buf);
4830 + if (nid == NID_undef)
4832 + if (drbg_type == DRBG_HMAC)
4837 + nid = NID_hmacWithSHA1;
4841 + nid = NID_hmacWithSHA224;
4845 + nid = NID_hmacWithSHA256;
4849 + nid = NID_hmacWithSHA384;
4853 + nid = NID_hmacWithSHA512;
4861 + if (strlen(buf) > 12 && !strncmp(buf, "[AES-", 5))
4863 + nid = parse_aes(buf, &df);
4864 + if (nid == NID_undef)
4867 + if (strlen(buf) > 12 && !strncmp(buf, "[P-", 3))
4869 + nid = parse_ec(buf);
4870 + if (nid == NID_undef)
4873 + if (!parse_line(&keyword, &value, lbuf, buf))
4876 + if (!strcmp(keyword, "[PredictionResistance"))
4878 + if (!strcmp(value, "True]"))
4880 + else if (!strcmp(value, "False]"))
4886 + if (!strcmp(keyword, "EntropyInput"))
4888 + ent = hex2bin_m(value, &entlen);
4890 + t.entlen = entlen;
4893 + if (!strcmp(keyword, "Nonce"))
4895 + nonce = hex2bin_m(value, &noncelen);
4897 + t.noncelen = noncelen;
4900 + if (!strcmp(keyword, "PersonalizationString"))
4902 + pers = hex2bin_m(value, &perslen);
4905 + fprintf(stderr, "DRBG type not recognised!\n");
4908 + dctx = FIPS_drbg_new(nid, df | DRBG_FLAG_TEST);
4911 + FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0,
4913 + FIPS_drbg_set_app_data(dctx, &t);
4914 + randoutlen = (int)FIPS_drbg_get_blocklength(dctx);
4915 + r = FIPS_drbg_instantiate(dctx, pers, perslen);
4918 + fprintf(stderr, "Error instantiating DRBG\n");
4921 + OPENSSL_free(pers);
4922 + OPENSSL_free(ent);
4923 + OPENSSL_free(nonce);
4924 + ent = nonce = pers = NULL;
4928 + if (!strcmp(keyword, "AdditionalInput"))
4930 + adin = hex2bin_m(value, &adinlen);
4933 + r = FIPS_drbg_generate(dctx, randout, randoutlen, 0,
4937 + fprintf(stderr, "Error generating DRBG bits\n");
4942 + OPENSSL_free(adin);
4949 + if (!strcmp(keyword, "EntropyInputPR"))
4951 + ent = hex2bin_m(value, &entlen);
4953 + t.entlen = entlen;
4954 + r = FIPS_drbg_generate(dctx,
4955 + randout, randoutlen,
4956 + 1, adin, adinlen);
4960 + "Error generating DRBG bits\n");
4963 + OPENSSL_free(adin);
4964 + OPENSSL_free(ent);
4965 + adin = ent = NULL;
4969 + if (!strcmp(keyword, "EntropyInputReseed"))
4971 + ent = hex2bin_m(value, &entlen);
4973 + t.entlen = entlen;
4975 + if (!strcmp(keyword, "AdditionalInputReseed"))
4977 + adin = hex2bin_m(value, &adinlen);
4978 + FIPS_drbg_reseed(dctx, adin, adinlen);
4979 + OPENSSL_free(ent);
4980 + OPENSSL_free(adin);
4981 + ent = adin = NULL;
4985 + OutputValue("ReturnedBits", randout, randoutlen,
4987 + FIPS_drbg_free(dctx);
4993 + if (in && in != stdin)
4995 + if (out && out != stdout)
5001 diff -up openssl-1.0.1e/crypto/fips/cavs/fips_dssvs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_dssvs.c
5002 --- openssl-1.0.1e/crypto/fips/cavs/fips_dssvs.c.fips 2013-02-19 12:47:33.733118752 +0100
5003 +++ openssl-1.0.1e/crypto/fips/cavs/fips_dssvs.c 2013-02-19 12:47:33.733118752 +0100
5005 +#include <openssl/opensslconf.h>
5007 +#ifndef OPENSSL_FIPS
5010 +int main(int argc, char **argv)
5012 + printf("No FIPS DSA support\n");
5017 +#include <openssl/bn.h>
5018 +#include <openssl/dsa.h>
5019 +#include <openssl/fips.h>
5020 +#include <openssl/err.h>
5021 +#include <openssl/evp.h>
5022 +#include <string.h>
5025 +#include "fips_utl.h"
5027 +static void pbn(const char *name, BIGNUM *bn)
5030 + unsigned char *tmp;
5031 + len = BN_num_bytes(bn);
5032 + tmp = OPENSSL_malloc(len);
5035 + fprintf(stderr, "Memory allocation error\n");
5038 + BN_bn2bin(bn, tmp);
5039 + printf("%s = ", name);
5040 + for (i = 0; i < len; i++)
5041 + printf("%02X", tmp[i]);
5042 + fputs("\n", stdout);
5043 + OPENSSL_free(tmp);
5051 + char *keyword, *value;
5053 + while(fgets(buf,sizeof buf,stdin) != NULL)
5055 + fputs(buf,stdout);
5056 + if (!parse_line(&keyword, &value, lbuf, buf))
5058 + if(!strcmp(keyword,"Prime"))
5063 + do_hex2bn(&pp,value);
5064 + printf("result= %c\n",
5065 + BN_is_prime_ex(pp,20,NULL,NULL) ? 'P' : 'F');
5074 + char *keyword, *value;
5077 + while(fgets(buf,sizeof buf,stdin) != NULL)
5079 + if (!parse_line(&keyword, &value, lbuf, buf))
5081 + fputs(buf,stdout);
5084 + if(!strcmp(keyword,"[mod"))
5086 + else if(!strcmp(keyword,"N"))
5088 + int n=atoi(value);
5090 + printf("[mod = %d]\n\n",nmod);
5094 + unsigned char seed[20];
5098 + dsa = FIPS_dsa_new();
5100 + if (!DSA_generate_parameters_ex(dsa, nmod,seed,0,&counter,&h,NULL))
5102 + do_print_errors();
5108 + pv("Seed",seed,20);
5109 + printf("c = %d\n",counter);
5110 + printf("H = %lx\n",h);
5111 + putc('\n',stdout);
5115 + fputs(buf,stdout);
5123 + char *keyword, *value;
5124 + BIGNUM *p = NULL, *q = NULL, *g = NULL;
5125 + int counter, counter2;
5126 + unsigned long h, h2;
5129 + unsigned char seed[1024];
5131 + while(fgets(buf,sizeof buf,stdin) != NULL)
5133 + if (!parse_line(&keyword, &value, lbuf, buf))
5135 + fputs(buf,stdout);
5138 + fputs(buf, stdout);
5139 + if(!strcmp(keyword,"[mod"))
5141 + else if(!strcmp(keyword,"P"))
5143 + else if(!strcmp(keyword,"Q"))
5145 + else if(!strcmp(keyword,"G"))
5147 + else if(!strcmp(keyword,"Seed"))
5149 + int slen = hex2bin(value, seed);
5152 + fprintf(stderr, "Seed parse length error\n");
5156 + else if(!strcmp(keyword,"c"))
5157 + counter =atoi(buf+4);
5158 + else if(!strcmp(keyword,"H"))
5161 + if (!p || !q || !g)
5163 + fprintf(stderr, "Parse Error\n");
5166 + dsa = FIPS_dsa_new();
5167 + if (!DSA_generate_parameters_ex(dsa, nmod,seed,20 ,&counter2,&h2,NULL))
5169 + do_print_errors();
5172 + if (BN_cmp(dsa->p, p) || BN_cmp(dsa->q, q) || BN_cmp(dsa->g, g)
5173 + || (counter != counter2) || (h != h2))
5174 + printf("Result = F\n");
5176 + printf("Result = P\n");
5183 + FIPS_dsa_free(dsa);
5189 +/* Keypair verification routine. NB: this isn't part of the standard FIPS140-2
5190 + * algorithm tests. It is an additional test to perform sanity checks on the
5191 + * output of the KeyPair test.
5194 +static int dss_paramcheck(int nmod, BIGNUM *p, BIGNUM *q, BIGNUM *g,
5197 + BIGNUM *rem = NULL;
5198 + if (BN_num_bits(p) != nmod)
5200 + if (BN_num_bits(q) != 160)
5202 + if (BN_is_prime_ex(p, BN_prime_checks, ctx, NULL) != 1)
5204 + if (BN_is_prime_ex(q, BN_prime_checks, ctx, NULL) != 1)
5207 + if (!BN_mod(rem, p, q, ctx) || !BN_is_one(rem)
5208 + || (BN_cmp(g, BN_value_one()) <= 0)
5209 + || !BN_mod_exp(rem, g, q, p, ctx) || !BN_is_one(rem))
5214 + /* Todo: check g */
5223 + char *keyword, *value;
5224 + BIGNUM *p = NULL, *q = NULL, *g = NULL, *X = NULL, *Y = NULL;
5226 + BN_CTX *ctx = NULL;
5227 + int nmod=0, paramcheck = 0;
5229 + ctx = BN_CTX_new();
5232 + while(fgets(buf,sizeof buf,stdin) != NULL)
5234 + if (!parse_line(&keyword, &value, lbuf, buf))
5236 + fputs(buf,stdout);
5239 + if(!strcmp(keyword,"[mod"))
5253 + else if(!strcmp(keyword,"P"))
5255 + else if(!strcmp(keyword,"Q"))
5257 + else if(!strcmp(keyword,"G"))
5259 + else if(!strcmp(keyword,"X"))
5261 + else if(!strcmp(keyword,"Y"))
5264 + if (!p || !q || !g || !X || !Y)
5266 + fprintf(stderr, "Parse Error\n");
5276 + if (dss_paramcheck(nmod, p, q, g, ctx))
5281 + if (paramcheck != 1)
5282 + printf("Result = F\n");
5285 + if (!BN_mod_exp(Y2, g, X, p, ctx) || BN_cmp(Y2, Y))
5286 + printf("Result = F\n");
5288 + printf("Result = P\n");
5310 + char *keyword, *value;
5313 + while(fgets(buf,sizeof buf,stdin) != NULL)
5315 + if (!parse_line(&keyword, &value, lbuf, buf))
5317 + fputs(buf,stdout);
5320 + if(!strcmp(keyword,"[mod"))
5322 + else if(!strcmp(keyword,"N"))
5325 + int n=atoi(value);
5327 + printf("[mod = %d]\n\n",nmod);
5328 + dsa = FIPS_dsa_new();
5329 + if (!DSA_generate_parameters_ex(dsa, nmod,NULL,0,NULL,NULL,NULL))
5331 + do_print_errors();
5337 + putc('\n',stdout);
5341 + if (!DSA_generate_key(dsa))
5343 + do_print_errors();
5347 + pbn("X",dsa->priv_key);
5348 + pbn("Y",dsa->pub_key);
5349 + putc('\n',stdout);
5359 + char *keyword, *value;
5363 + while(fgets(buf,sizeof buf,stdin) != NULL)
5365 + if (!parse_line(&keyword, &value, lbuf, buf))
5367 + fputs(buf,stdout);
5370 + if(!strcmp(keyword,"[mod"))
5373 + printf("[mod = %d]\n\n",nmod);
5375 + FIPS_dsa_free(dsa);
5376 + dsa = FIPS_dsa_new();
5377 + if (!DSA_generate_parameters_ex(dsa, nmod,NULL,0,NULL,NULL,NULL))
5379 + do_print_errors();
5385 + putc('\n',stdout);
5387 + else if(!strcmp(keyword,"Msg"))
5389 + unsigned char msg[1024];
5390 + unsigned char sbuf[60];
5391 + unsigned int slen;
5396 + EVP_MD_CTX_init(&mctx);
5398 + n=hex2bin(value,msg);
5401 + if (!DSA_generate_key(dsa))
5403 + do_print_errors();
5406 + pk.type = EVP_PKEY_DSA;
5407 + pk.pkey.dsa = dsa;
5408 + pbn("Y",dsa->pub_key);
5410 + EVP_SignInit_ex(&mctx, EVP_dss1(), NULL);
5411 + EVP_SignUpdate(&mctx, msg, n);
5412 + EVP_SignFinal(&mctx, sbuf, &slen, &pk);
5414 + sig = DSA_SIG_new();
5415 + FIPS_dsa_sig_decode(sig, sbuf, slen);
5419 + putc('\n',stdout);
5420 + DSA_SIG_free(sig);
5421 + EVP_MD_CTX_cleanup(&mctx);
5425 + FIPS_dsa_free(dsa);
5433 + unsigned char msg[1024];
5434 + char *keyword, *value;
5436 + DSA_SIG sg, *sig = &sg;
5441 + while(fgets(buf,sizeof buf,stdin) != NULL)
5443 + if (!parse_line(&keyword, &value, lbuf, buf))
5445 + fputs(buf,stdout);
5448 + if(!strcmp(keyword,"[mod"))
5452 + FIPS_dsa_free(dsa);
5453 + dsa=FIPS_dsa_new();
5455 + else if(!strcmp(keyword,"P"))
5456 + dsa->p=hex2bn(value);
5457 + else if(!strcmp(keyword,"Q"))
5458 + dsa->q=hex2bn(value);
5459 + else if(!strcmp(keyword,"G"))
5461 + dsa->g=hex2bn(value);
5463 + printf("[mod = %d]\n\n",nmod);
5467 + putc('\n',stdout);
5469 + else if(!strcmp(keyword,"Msg"))
5471 + n=hex2bin(value,msg);
5474 + else if(!strcmp(keyword,"Y"))
5475 + dsa->pub_key=hex2bn(value);
5476 + else if(!strcmp(keyword,"R"))
5477 + sig->r=hex2bn(value);
5478 + else if(!strcmp(keyword,"S"))
5482 + unsigned char sigbuf[60];
5483 + unsigned int slen;
5485 + EVP_MD_CTX_init(&mctx);
5486 + pk.type = EVP_PKEY_DSA;
5487 + pk.pkey.dsa = dsa;
5488 + sig->s=hex2bn(value);
5490 + pbn("Y",dsa->pub_key);
5494 + slen = FIPS_dsa_sig_encode(sigbuf, sig);
5495 + EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL);
5496 + EVP_VerifyUpdate(&mctx, msg, n);
5497 + r = EVP_VerifyFinal(&mctx, sigbuf, slen, &pk);
5498 + EVP_MD_CTX_cleanup(&mctx);
5500 + printf("Result = %c\n", r == 1 ? 'P' : 'F');
5501 + putc('\n',stdout);
5506 +int main(int argc,char **argv)
5510 + fprintf(stderr,"%s [prime|pqg|pqgver|keypair|siggen|sigver]\n",argv[0]);
5513 + if(!FIPS_mode_set(1))
5515 + do_print_errors();
5518 + if(!strcmp(argv[1],"prime"))
5520 + else if(!strcmp(argv[1],"pqg"))
5522 + else if(!strcmp(argv[1],"pqgver"))
5524 + else if(!strcmp(argv[1],"keypair"))
5526 + else if(!strcmp(argv[1],"keyver"))
5528 + else if(!strcmp(argv[1],"siggen"))
5530 + else if(!strcmp(argv[1],"sigver"))
5534 + fprintf(stderr,"Don't know how to %s.\n",argv[1]);
5542 diff -up openssl-1.0.1e/crypto/fips/cavs/fips_gcmtest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_gcmtest.c
5543 --- openssl-1.0.1e/crypto/fips/cavs/fips_gcmtest.c.fips 2013-02-19 12:47:33.734118772 +0100
5544 +++ openssl-1.0.1e/crypto/fips/cavs/fips_gcmtest.c 2013-02-19 12:47:33.734118772 +0100
5546 +/* fips/aes/fips_gcmtest.c */
5547 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
5550 +/* ====================================================================
5551 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
5553 + * Redistribution and use in source and binary forms, with or without
5554 + * modification, are permitted provided that the following conditions
5557 + * 1. Redistributions of source code must retain the above copyright
5558 + * notice, this list of conditions and the following disclaimer.
5560 + * 2. Redistributions in binary form must reproduce the above copyright
5561 + * notice, this list of conditions and the following disclaimer in
5562 + * the documentation and/or other materials provided with the
5565 + * 3. All advertising materials mentioning features or use of this
5566 + * software must display the following acknowledgment:
5567 + * "This product includes software developed by the OpenSSL Project
5568 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
5570 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
5571 + * endorse or promote products derived from this software without
5572 + * prior written permission. For written permission, please contact
5573 + * licensing@OpenSSL.org.
5575 + * 5. Products derived from this software may not be called "OpenSSL"
5576 + * nor may "OpenSSL" appear in their names without prior written
5577 + * permission of the OpenSSL Project.
5579 + * 6. Redistributions of any form whatsoever must retain the following
5581 + * "This product includes software developed by the OpenSSL Project
5582 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
5584 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
5585 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
5586 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
5587 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
5588 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
5589 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
5590 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
5591 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
5592 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
5593 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
5594 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
5595 + * OF THE POSSIBILITY OF SUCH DAMAGE.
5596 + * ====================================================================
5600 +#define OPENSSL_FIPSAPI
5601 +#include <openssl/opensslconf.h>
5603 +#ifndef OPENSSL_FIPS
5606 +int main(int argc, char **argv)
5608 + printf("No FIPS GCM support\n");
5613 +#include <openssl/bn.h>
5614 +#include <openssl/dsa.h>
5615 +#include <openssl/fips.h>
5616 +#include <openssl/err.h>
5617 +#include <openssl/evp.h>
5618 +#include <string.h>
5621 +#include "fips_utl.h"
5623 +static void gcmtest(FILE *in, FILE *out, int encrypt)
5627 + char *keyword, *value;
5628 + int keylen = -1, ivlen = -1, aadlen = -1, taglen = -1, ptlen = -1;
5631 + unsigned char *key = NULL, *iv = NULL, *aad = NULL, *tag = NULL;
5632 + unsigned char *ct = NULL, *pt = NULL;
5633 + EVP_CIPHER_CTX ctx;
5634 + const EVP_CIPHER *gcm = NULL;
5635 + FIPS_cipher_ctx_init(&ctx);
5637 + while(fgets(buf,sizeof buf,in) != NULL)
5640 + if (!parse_line(&keyword, &value, lbuf, buf))
5642 + if(!strcmp(keyword,"[Keylen"))
5644 + keylen = atoi(value);
5645 + if (keylen == 128)
5646 + gcm = EVP_aes_128_gcm();
5647 + else if (keylen == 192)
5648 + gcm = EVP_aes_192_gcm();
5649 + else if (keylen == 256)
5650 + gcm = EVP_aes_256_gcm();
5653 + fprintf(stderr, "Unsupported keylen %d\n",
5658 + else if (!strcmp(keyword, "[IVlen"))
5659 + ivlen = atoi(value) >> 3;
5660 + else if (!strcmp(keyword, "[AADlen"))
5661 + aadlen = atoi(value) >> 3;
5662 + else if (!strcmp(keyword, "[Taglen"))
5663 + taglen = atoi(value) >> 3;
5664 + else if (!strcmp(keyword, "[PTlen"))
5665 + ptlen = atoi(value) >> 3;
5666 + else if(!strcmp(keyword,"Key"))
5668 + key = hex2bin_m(value, &l);
5671 + fprintf(stderr, "Inconsistent Key length\n");
5675 + else if(!strcmp(keyword,"IV"))
5677 + iv = hex2bin_m(value, &l);
5680 + fprintf(stderr, "Inconsistent IV length\n");
5684 + else if(!strcmp(keyword,"PT"))
5686 + pt = hex2bin_m(value, &l);
5689 + fprintf(stderr, "Inconsistent PT length\n");
5693 + else if(!strcmp(keyword,"CT"))
5695 + ct = hex2bin_m(value, &l);
5698 + fprintf(stderr, "Inconsistent CT length\n");
5702 + else if(!strcmp(keyword,"AAD"))
5704 + aad = hex2bin_m(value, &l);
5707 + fprintf(stderr, "Inconsistent AAD length\n");
5711 + else if(!strcmp(keyword,"Tag"))
5713 + tag = hex2bin_m(value, &l);
5716 + fprintf(stderr, "Inconsistent Tag length\n");
5720 + if (encrypt && pt && aad && (iv || encrypt==1))
5722 + tag = OPENSSL_malloc(taglen);
5723 + FIPS_cipherinit(&ctx, gcm, NULL, NULL, 1);
5724 + /* Relax FIPS constraints for testing */
5725 + M_EVP_CIPHER_CTX_set_flags(&ctx, EVP_CIPH_FLAG_NON_FIPS_ALLOW);
5726 + FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, ivlen, 0);
5729 + static unsigned char iv_fixed[4] = {1,2,3,4};
5731 + iv = OPENSSL_malloc(ivlen);
5732 + FIPS_cipherinit(&ctx, NULL, key, NULL, 1);
5733 + FIPS_cipher_ctx_ctrl(&ctx,
5734 + EVP_CTRL_GCM_SET_IV_FIXED,
5736 + if (!FIPS_cipher_ctx_ctrl(&ctx,
5737 + EVP_CTRL_GCM_IV_GEN, 0, iv))
5739 + fprintf(stderr, "IV gen error\n");
5742 + OutputValue("IV", iv, ivlen, out, 0);
5745 + FIPS_cipherinit(&ctx, NULL, key, iv, 1);
5749 + FIPS_cipher(&ctx, NULL, aad, aadlen);
5752 + ct = OPENSSL_malloc(ptlen);
5753 + rv = FIPS_cipher(&ctx, ct, pt, ptlen);
5755 + FIPS_cipher(&ctx, NULL, NULL, 0);
5756 + FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG,
5758 + OutputValue("CT", ct, ptlen, out, 0);
5759 + OutputValue("Tag", tag, taglen, out, 0);
5763 + OPENSSL_free(aad);
5769 + OPENSSL_free(key);
5771 + OPENSSL_free(tag);
5772 + iv = aad = ct = pt = key = tag = NULL;
5774 + if (!encrypt && tag)
5776 + FIPS_cipherinit(&ctx, gcm, NULL, NULL, 0);
5777 + /* Relax FIPS constraints for testing */
5778 + M_EVP_CIPHER_CTX_set_flags(&ctx, EVP_CIPH_FLAG_NON_FIPS_ALLOW);
5779 + FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, ivlen, 0);
5780 + FIPS_cipherinit(&ctx, NULL, key, iv, 0);
5781 + FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, taglen, tag);
5783 + FIPS_cipher(&ctx, NULL, aad, aadlen);
5786 + pt = OPENSSL_malloc(ptlen);
5787 + rv = FIPS_cipher(&ctx, pt, ct, ptlen);
5789 + rv = FIPS_cipher(&ctx, NULL, NULL, 0);
5791 + fprintf(out, "FAIL" RESP_EOL);
5793 + OutputValue("PT", pt, ptlen, out, 0);
5797 + OPENSSL_free(aad);
5803 + OPENSSL_free(key);
5805 + OPENSSL_free(tag);
5806 + iv = aad = ct = pt = key = tag = NULL;
5809 + FIPS_cipher_ctx_cleanup(&ctx);
5812 +static void xtstest(FILE *in, FILE *out)
5815 + char lbuf[204800];
5816 + char *keyword, *value;
5820 + unsigned char *key = NULL, *iv = NULL;
5821 + unsigned char *inbuf = NULL, *outbuf = NULL;
5822 + EVP_CIPHER_CTX ctx;
5823 + const EVP_CIPHER *xts = NULL;
5824 + FIPS_cipher_ctx_init(&ctx);
5826 + while(fgets(buf,sizeof buf,in) != NULL)
5829 + if (buf[0] == '[' && strlen(buf) >= 9)
5831 + if(!strncmp(buf,"[ENCRYPT]", 9))
5833 + else if(!strncmp(buf,"[DECRYPT]", 9))
5836 + if (!parse_line(&keyword, &value, lbuf, buf))
5838 + else if(!strcmp(keyword,"Key"))
5840 + key = hex2bin_m(value, &l);
5842 + xts = EVP_aes_128_xts();
5844 + xts = EVP_aes_256_xts();
5847 + fprintf(stderr, "Inconsistent Key length\n");
5851 + else if(!strcmp(keyword,"i"))
5853 + iv = hex2bin_m(value, &l);
5856 + fprintf(stderr, "Inconsistent i length\n");
5860 + else if(encrypt && !strcmp(keyword,"PT"))
5862 + inbuf = hex2bin_m(value, &l);
5865 + else if(!encrypt && !strcmp(keyword,"CT"))
5867 + inbuf = hex2bin_m(value, &l);
5872 + FIPS_cipherinit(&ctx, xts, key, iv, encrypt);
5873 + outbuf = OPENSSL_malloc(inlen);
5874 + FIPS_cipher(&ctx, outbuf, inbuf, inlen);
5875 + OutputValue(encrypt ? "CT":"PT", outbuf, inlen, out, 0);
5876 + OPENSSL_free(inbuf);
5877 + OPENSSL_free(outbuf);
5878 + OPENSSL_free(key);
5880 + iv = key = inbuf = outbuf = NULL;
5883 + FIPS_cipher_ctx_cleanup(&ctx);
5886 +static void ccmtest(FILE *in, FILE *out)
5889 + char lbuf[200048];
5890 + char *keyword, *value;
5892 + unsigned char *Key = NULL, *Nonce = NULL;
5893 + unsigned char *Adata = NULL, *Payload = NULL;
5894 + unsigned char *CT = NULL;
5895 + int Plen = -1, Nlen = -1, Tlen = -1, Alen = -1;
5897 + EVP_CIPHER_CTX ctx;
5898 + const EVP_CIPHER *ccm = NULL;
5899 + FIPS_cipher_ctx_init(&ctx);
5901 + while(fgets(buf,sizeof buf,in) != NULL)
5906 + if (!parse_line(&keyword, &value, lbuf, buf))
5909 + /* If surrounded by square brackets zap them */
5910 + if (keyword[0] == '[')
5913 + p = strchr(value, ']');
5917 + /* See if we have a comma separated list of parameters
5918 + * if so copy rest of line back to buffer and redo later.
5920 + p = strchr(value, ',');
5924 + strcpy(buf, p + 1);
5925 + strcat(buf, "\n");
5928 + if (!strcmp(keyword,"Plen"))
5929 + Plen = atoi(value);
5930 + else if (!strcmp(keyword,"Nlen"))
5931 + Nlen = atoi(value);
5932 + else if (!strcmp(keyword,"Tlen"))
5933 + Tlen = atoi(value);
5934 + else if (!strcmp(keyword,"Alen"))
5935 + Alen = atoi(value);
5938 + if (!strcmp(keyword,"Key"))
5941 + OPENSSL_free(Key);
5942 + Key = hex2bin_m(value, &l);
5944 + ccm = EVP_aes_128_ccm();
5946 + ccm = EVP_aes_192_ccm();
5948 + ccm = EVP_aes_256_ccm();
5951 + fprintf(stderr, "Inconsistent Key length\n");
5955 + else if (!strcmp(keyword,"Nonce"))
5958 + OPENSSL_free(Nonce);
5959 + Nonce = hex2bin_m(value, &l);
5962 + fprintf(stderr, "Inconsistent nonce length\n");
5966 + else if (!strcmp(keyword,"Payload") && !decr)
5968 + Payload = hex2bin_m(value, &l);
5969 + if (Plen && l != Plen)
5971 + fprintf(stderr, "Inconsistent Payload length\n");
5975 + else if (!strcmp(keyword,"Adata"))
5978 + OPENSSL_free(Adata);
5979 + Adata = hex2bin_m(value, &l);
5980 + if (Alen && l != Alen)
5982 + fprintf(stderr, "Inconsistent Payload length\n");
5986 + else if (!strcmp(keyword,"CT") && decr)
5988 + CT = hex2bin_m(value, &l);
5989 + if (l != (Plen + Tlen))
5991 + fprintf(stderr, "Inconsistent CT length\n");
5997 + FIPS_cipherinit(&ctx, ccm, NULL, NULL, 1);
5998 + FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN, Nlen, 0);
5999 + FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG, Tlen, 0);
6000 + FIPS_cipherinit(&ctx, NULL, Key, Nonce, 1);
6002 + FIPS_cipher(&ctx, NULL, NULL, Plen);
6003 + FIPS_cipher(&ctx, NULL, Adata, Alen);
6004 + CT = OPENSSL_malloc(Plen + Tlen);
6005 + FIPS_cipher(&ctx, CT, Payload, Plen);
6006 + FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_CCM_GET_TAG, Tlen,
6008 + OutputValue("CT", CT, Plen + Tlen, out, 0);
6010 + OPENSSL_free(Payload);
6011 + CT = Payload = NULL;
6016 + int len = Plen == 0 ? 1: Plen;
6017 + FIPS_cipherinit(&ctx, ccm, NULL, NULL, 0);
6018 + FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN, Nlen, 0);
6019 + FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG,
6021 + FIPS_cipherinit(&ctx, NULL, Key, Nonce, 0);
6022 + FIPS_cipher(&ctx, NULL, NULL, Plen);
6023 + FIPS_cipher(&ctx, NULL, Adata, Alen);
6024 + Payload = OPENSSL_malloc(len);
6025 + rv = FIPS_cipher(&ctx, Payload, CT, Plen);
6030 + fputs("Result = Pass" RESP_EOL, out);
6031 + OutputValue("Payload", Payload, len, out, 0);
6034 + fputs("Result = Fail" RESP_EOL, out);
6036 + OPENSSL_free(Payload);
6037 + CT = Payload = NULL;
6041 + OPENSSL_free(Key);
6043 + OPENSSL_free(Nonce);
6045 + OPENSSL_free(Adata);
6046 + FIPS_cipher_ctx_cleanup(&ctx);
6050 +int fips_gcmtest_main(int argc, char **argv)
6052 +int main(int argc, char **argv)
6056 + int xts = 0, ccm = 0;
6060 + in = fopen(argv[2], "r");
6063 + fprintf(stderr, "Error opening input file\n");
6066 + out = fopen(argv[3], "w");
6069 + fprintf(stderr, "Error opening output file\n");
6073 + else if (argc == 2)
6080 + fprintf(stderr,"%s [-encrypt|-decrypt]\n",argv[0]);
6083 + fips_algtest_init();
6084 + if(!strcmp(argv[1],"-encrypt"))
6086 + else if(!strcmp(argv[1],"-encryptIVext"))
6088 + else if(!strcmp(argv[1],"-decrypt"))
6090 + else if(!strcmp(argv[1],"-ccm"))
6092 + else if(!strcmp(argv[1],"-xts"))
6096 + fprintf(stderr,"Don't know how to %s.\n",argv[1]);
6105 + gcmtest(in, out, encrypt);
6117 diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rngvs.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_rngvs.c
6118 --- openssl-1.0.1e/crypto/fips/cavs/fips_rngvs.c.fips 2013-02-19 12:47:33.734118772 +0100
6119 +++ openssl-1.0.1e/crypto/fips/cavs/fips_rngvs.c 2013-02-19 12:47:33.734118772 +0100
6122 + * Crude test driver for processing the VST and MCT testvector files
6123 + * generated by the CMVP RNGVS product.
6125 + * Note the input files are assumed to have a _very_ specific format
6126 + * as described in the NIST document "The Random Number Generator
6127 + * Validation System (RNGVS)", May 25, 2004.
6130 +#include <openssl/opensslconf.h>
6132 +#ifndef OPENSSL_FIPS
6135 +int main(int argc, char **argv)
6137 + printf("No FIPS RNG support\n");
6142 +#include <openssl/bn.h>
6143 +#include <openssl/dsa.h>
6144 +#include <openssl/fips.h>
6145 +#include <openssl/err.h>
6146 +#include <openssl/rand.h>
6147 +#include <openssl/fips_rand.h>
6148 +#include <openssl/x509v3.h>
6149 +#include <string.h>
6152 +#include "fips_utl.h"
6156 + unsigned char *key = NULL;
6157 + unsigned char *v = NULL;
6158 + unsigned char *dt = NULL;
6159 + unsigned char ret[16];
6162 + char *keyword, *value;
6167 + while(fgets(buf,sizeof buf,stdin) != NULL)
6169 + fputs(buf,stdout);
6170 + if(!strncmp(buf,"[AES 128-Key]", 13))
6172 + else if(!strncmp(buf,"[AES 192-Key]", 13))
6174 + else if(!strncmp(buf,"[AES 256-Key]", 13))
6176 + if (!parse_line(&keyword, &value, lbuf, buf))
6178 + if(!strcmp(keyword,"Key"))
6180 + key=hex2bin_m(value,&i);
6183 + fprintf(stderr, "Invalid key length, expecting %ld\n", keylen);
6187 + else if(!strcmp(keyword,"DT"))
6189 + dt=hex2bin_m(value,&i);
6192 + fprintf(stderr, "Invalid DT length\n");
6196 + else if(!strcmp(keyword,"V"))
6198 + v=hex2bin_m(value,&i);
6201 + fprintf(stderr, "Invalid V length\n");
6207 + fprintf(stderr, "Missing key or DT\n");
6211 + FIPS_x931_set_key(key, keylen);
6212 + FIPS_x931_seed(v,16);
6213 + FIPS_x931_set_dt(dt);
6214 + if (FIPS_x931_bytes(ret,16) <= 0)
6216 + fprintf(stderr, "Error getting PRNG value\n");
6221 + OPENSSL_free(key);
6233 + unsigned char *key = NULL;
6234 + unsigned char *v = NULL;
6235 + unsigned char *dt = NULL;
6236 + unsigned char ret[16];
6239 + char *keyword, *value;
6245 + while(fgets(buf,sizeof buf,stdin) != NULL)
6247 + fputs(buf,stdout);
6248 + if(!strncmp(buf,"[AES 128-Key]", 13))
6250 + else if(!strncmp(buf,"[AES 192-Key]", 13))
6252 + else if(!strncmp(buf,"[AES 256-Key]", 13))
6254 + if (!parse_line(&keyword, &value, lbuf, buf))
6256 + if(!strcmp(keyword,"Key"))
6258 + key=hex2bin_m(value,&i);
6261 + fprintf(stderr, "Invalid key length, expecting %ld\n", keylen);
6265 + else if(!strcmp(keyword,"DT"))
6267 + dt=hex2bin_m(value,&i);
6270 + fprintf(stderr, "Invalid DT length\n");
6274 + else if(!strcmp(keyword,"V"))
6276 + v=hex2bin_m(value,&i);
6279 + fprintf(stderr, "Invalid V length\n");
6285 + fprintf(stderr, "Missing key or DT\n");
6289 + FIPS_x931_set_key(key, keylen);
6290 + FIPS_x931_seed(v,16);
6291 + for (i = 0; i < 10000; i++)
6293 + FIPS_x931_set_dt(dt);
6294 + if (FIPS_x931_bytes(ret,16) <= 0)
6296 + fprintf(stderr, "Error getting PRNG value\n");
6299 + /* Increment DT */
6300 + for (j = 15; j >= 0; j--)
6309 + OPENSSL_free(key);
6319 +int main(int argc,char **argv)
6323 + fprintf(stderr,"%s [mct|vst]\n",argv[0]);
6326 + if(!FIPS_mode_set(1))
6328 + do_print_errors();
6331 + FIPS_x931_reset();
6332 + if (!FIPS_x931_test_mode())
6334 + fprintf(stderr, "Error setting PRNG test mode\n");
6335 + do_print_errors();
6338 + if(!strcmp(argv[1],"mct"))
6340 + else if(!strcmp(argv[1],"vst"))
6344 + fprintf(stderr,"Don't know how to %s.\n",argv[1]);
6351 diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rsagtest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_rsagtest.c
6352 --- openssl-1.0.1e/crypto/fips/cavs/fips_rsagtest.c.fips 2013-02-19 12:47:33.734118772 +0100
6353 +++ openssl-1.0.1e/crypto/fips/cavs/fips_rsagtest.c 2013-02-19 12:47:33.734118772 +0100
6355 +/* fips_rsagtest.c */
6356 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
6359 +/* ====================================================================
6360 + * Copyright (c) 2005,2007 The OpenSSL Project. All rights reserved.
6362 + * Redistribution and use in source and binary forms, with or without
6363 + * modification, are permitted provided that the following conditions
6366 + * 1. Redistributions of source code must retain the above copyright
6367 + * notice, this list of conditions and the following disclaimer.
6369 + * 2. Redistributions in binary form must reproduce the above copyright
6370 + * notice, this list of conditions and the following disclaimer in
6371 + * the documentation and/or other materials provided with the
6374 + * 3. All advertising materials mentioning features or use of this
6375 + * software must display the following acknowledgment:
6376 + * "This product includes software developed by the OpenSSL Project
6377 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
6379 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
6380 + * endorse or promote products derived from this software without
6381 + * prior written permission. For written permission, please contact
6382 + * licensing@OpenSSL.org.
6384 + * 5. Products derived from this software may not be called "OpenSSL"
6385 + * nor may "OpenSSL" appear in their names without prior written
6386 + * permission of the OpenSSL Project.
6388 + * 6. Redistributions of any form whatsoever must retain the following
6390 + * "This product includes software developed by the OpenSSL Project
6391 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
6393 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
6394 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
6395 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
6396 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
6397 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
6398 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
6399 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
6400 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
6401 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
6402 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
6403 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
6404 + * OF THE POSSIBILITY OF SUCH DAMAGE.
6405 + * ====================================================================
6407 + * This product includes cryptographic software written by Eric Young
6408 + * (eay@cryptsoft.com). This product includes software written by Tim
6409 + * Hudson (tjh@cryptsoft.com).
6415 +#include <string.h>
6416 +#include <openssl/bio.h>
6417 +#include <openssl/evp.h>
6418 +#include <openssl/hmac.h>
6419 +#include <openssl/err.h>
6420 +#include <openssl/rsa.h>
6421 +#include <openssl/bn.h>
6422 +#include <openssl/x509v3.h>
6424 +#ifndef OPENSSL_FIPS
6426 +int main(int argc, char *argv[])
6428 + printf("No FIPS RSA support\n");
6434 +#include "fips_utl.h"
6436 +int rsa_test(FILE *out, FILE *in);
6437 +static int rsa_printkey1(FILE *out, RSA *rsa,
6438 + BIGNUM *Xp1, BIGNUM *Xp2, BIGNUM *Xp,
6440 +static int rsa_printkey2(FILE *out, RSA *rsa,
6441 + BIGNUM *Xq1, BIGNUM *Xq2, BIGNUM *Xq);
6443 +int main(int argc, char **argv)
6445 + FILE *in = NULL, *out = NULL;
6449 + if(!FIPS_mode_set(1))
6451 + do_print_errors();
6458 + in = fopen(argv[1], "r");
6463 + out = fopen(argv[2], "w");
6467 + fprintf(stderr, "FATAL input initialization error\n");
6473 + fprintf(stderr, "FATAL output initialization error\n");
6477 + if (!rsa_test(out, in))
6479 + fprintf(stderr, "FATAL RSAGTEST file processing error\n");
6488 + do_print_errors();
6490 + if (in && (in != stdin))
6492 + if (out && (out != stdout))
6499 +#define RSA_TEST_MAXLINELEN 10240
6501 +int rsa_test(FILE *out, FILE *in)
6503 + char *linebuf, *olinebuf, *p, *q;
6504 + char *keyword, *value;
6506 + BIGNUM *Xp1 = NULL, *Xp2 = NULL, *Xp = NULL;
6507 + BIGNUM *Xq1 = NULL, *Xq2 = NULL, *Xq = NULL;
6512 + olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
6513 + linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
6515 + if (!linebuf || !olinebuf)
6518 + while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in))
6521 + strcpy(linebuf, olinebuf);
6522 + keyword = linebuf;
6523 + /* Skip leading space */
6524 + while (isspace((unsigned char)*keyword))
6527 + /* Look for = sign */
6528 + p = strchr(linebuf, '=');
6530 + /* If no = or starts with [ (for [foo = bar] line) just copy */
6531 + if (!p || *keyword=='[')
6533 + if (fputs(olinebuf, out) < 0)
6540 + /* Remove trailing space */
6541 + while (isspace((unsigned char)*q))
6547 + /* Remove leading space from value */
6548 + while (isspace((unsigned char)*value))
6551 + /* Remove trailing space from value */
6552 + p = value + strlen(value) - 1;
6554 + while (*p == '\n' || isspace((unsigned char)*p))
6557 + if (!strcmp(keyword, "xp1"))
6559 + if (Xp1 || !do_hex2bn(&Xp1,value))
6562 + else if (!strcmp(keyword, "xp2"))
6564 + if (Xp2 || !do_hex2bn(&Xp2,value))
6567 + else if (!strcmp(keyword, "Xp"))
6569 + if (Xp || !do_hex2bn(&Xp,value))
6572 + else if (!strcmp(keyword, "xq1"))
6574 + if (Xq1 || !do_hex2bn(&Xq1,value))
6577 + else if (!strcmp(keyword, "xq2"))
6579 + if (Xq2 || !do_hex2bn(&Xq2,value))
6582 + else if (!strcmp(keyword, "Xq"))
6584 + if (Xq || !do_hex2bn(&Xq,value))
6587 + else if (!strcmp(keyword, "e"))
6589 + if (e || !do_hex2bn(&e,value))
6592 + else if (!strcmp(keyword, "p1"))
6594 + else if (!strcmp(keyword, "p2"))
6596 + else if (!strcmp(keyword, "p"))
6598 + else if (!strcmp(keyword, "q1"))
6600 + else if (!strcmp(keyword, "q2"))
6602 + else if (!strcmp(keyword, "q"))
6604 + else if (!strcmp(keyword, "n"))
6606 + else if (!strcmp(keyword, "d"))
6611 + fputs(olinebuf, out);
6613 + if (e && Xp1 && Xp2 && Xp)
6615 + rsa = FIPS_rsa_new();
6618 + if (!rsa_printkey1(out, rsa, Xp1, Xp2, Xp, e))
6630 + if (rsa && Xq1 && Xq2 && Xq)
6632 + if (!rsa_printkey2(out, rsa, Xq1, Xq2, Xq))
6640 + FIPS_rsa_free(rsa);
6650 + OPENSSL_free(olinebuf);
6652 + OPENSSL_free(linebuf);
6671 + FIPS_rsa_free(rsa);
6677 + fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
6683 +static int rsa_printkey1(FILE *out, RSA *rsa,
6684 + BIGNUM *Xp1, BIGNUM *Xp2, BIGNUM *Xp,
6688 + BIGNUM *p1 = NULL, *p2 = NULL;
6694 + if (!RSA_X931_derive_ex(rsa, p1, p2, NULL, NULL, Xp1, Xp2, Xp,
6695 + NULL, NULL, NULL, e, NULL))
6698 + do_bn_print_name(out, "p1", p1);
6699 + do_bn_print_name(out, "p2", p2);
6700 + do_bn_print_name(out, "p", rsa->p);
6713 +static int rsa_printkey2(FILE *out, RSA *rsa,
6714 + BIGNUM *Xq1, BIGNUM *Xq2, BIGNUM *Xq)
6717 + BIGNUM *q1 = NULL, *q2 = NULL;
6723 + if (!RSA_X931_derive_ex(rsa, NULL, NULL, q1, q2, NULL, NULL, NULL,
6724 + Xq1, Xq2, Xq, NULL, NULL))
6727 + do_bn_print_name(out, "q1", q1);
6728 + do_bn_print_name(out, "q2", q2);
6729 + do_bn_print_name(out, "q", rsa->q);
6730 + do_bn_print_name(out, "n", rsa->n);
6731 + do_bn_print_name(out, "d", rsa->d);
6745 diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rsastest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_rsastest.c
6746 --- openssl-1.0.1e/crypto/fips/cavs/fips_rsastest.c.fips 2013-02-19 12:47:33.734118772 +0100
6747 +++ openssl-1.0.1e/crypto/fips/cavs/fips_rsastest.c 2013-02-19 12:47:33.734118772 +0100
6749 +/* fips_rsastest.c */
6750 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
6753 +/* ====================================================================
6754 + * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
6756 + * Redistribution and use in source and binary forms, with or without
6757 + * modification, are permitted provided that the following conditions
6760 + * 1. Redistributions of source code must retain the above copyright
6761 + * notice, this list of conditions and the following disclaimer.
6763 + * 2. Redistributions in binary form must reproduce the above copyright
6764 + * notice, this list of conditions and the following disclaimer in
6765 + * the documentation and/or other materials provided with the
6768 + * 3. All advertising materials mentioning features or use of this
6769 + * software must display the following acknowledgment:
6770 + * "This product includes software developed by the OpenSSL Project
6771 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
6773 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
6774 + * endorse or promote products derived from this software without
6775 + * prior written permission. For written permission, please contact
6776 + * licensing@OpenSSL.org.
6778 + * 5. Products derived from this software may not be called "OpenSSL"
6779 + * nor may "OpenSSL" appear in their names without prior written
6780 + * permission of the OpenSSL Project.
6782 + * 6. Redistributions of any form whatsoever must retain the following
6784 + * "This product includes software developed by the OpenSSL Project
6785 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
6787 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
6788 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
6789 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
6790 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
6791 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
6792 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
6793 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
6794 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
6795 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
6796 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
6797 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
6798 + * OF THE POSSIBILITY OF SUCH DAMAGE.
6799 + * ====================================================================
6801 + * This product includes cryptographic software written by Eric Young
6802 + * (eay@cryptsoft.com). This product includes software written by Tim
6803 + * Hudson (tjh@cryptsoft.com).
6809 +#include <string.h>
6810 +#include <openssl/bio.h>
6811 +#include <openssl/evp.h>
6812 +#include <openssl/hmac.h>
6813 +#include <openssl/err.h>
6814 +#include <openssl/rsa.h>
6815 +#include <openssl/bn.h>
6816 +#include <openssl/x509v3.h>
6818 +#ifndef OPENSSL_FIPS
6820 +int main(int argc, char *argv[])
6822 + printf("No FIPS RSA support\n");
6828 +#include "fips_utl.h"
6830 +static int rsa_stest(FILE *out, FILE *in, int Saltlen);
6831 +static int rsa_printsig(FILE *out, RSA *rsa, const EVP_MD *dgst,
6832 + unsigned char *Msg, long Msglen, int Saltlen);
6834 +int main(int argc, char **argv)
6836 + FILE *in = NULL, *out = NULL;
6838 + int ret = 1, Saltlen = -1;
6840 + if(!FIPS_mode_set(1))
6842 + do_print_errors();
6846 + if ((argc > 2) && !strcmp("-saltlen", argv[1]))
6848 + Saltlen = atoi(argv[2]);
6851 + fprintf(stderr, "FATAL: Invalid salt length\n");
6857 + else if ((argc > 1) && !strcmp("-x931", argv[1]))
6867 + in = fopen(argv[1], "r");
6872 + out = fopen(argv[2], "w");
6876 + fprintf(stderr, "FATAL input initialization error\n");
6882 + fprintf(stderr, "FATAL output initialization error\n");
6886 + if (!rsa_stest(out, in, Saltlen))
6888 + fprintf(stderr, "FATAL RSASTEST file processing error\n");
6897 + do_print_errors();
6899 + if (in && (in != stdin))
6901 + if (out && (out != stdout))
6908 +#define RSA_TEST_MAXLINELEN 10240
6910 +int rsa_stest(FILE *out, FILE *in, int Saltlen)
6912 + char *linebuf, *olinebuf, *p, *q;
6913 + char *keyword, *value;
6915 + const EVP_MD *dgst = NULL;
6916 + unsigned char *Msg = NULL;
6918 + int keylen = -1, current_keylen = -1;
6922 + olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
6923 + linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
6925 + if (!linebuf || !olinebuf)
6928 + while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in))
6931 + strcpy(linebuf, olinebuf);
6932 + keyword = linebuf;
6933 + /* Skip leading space */
6934 + while (isspace((unsigned char)*keyword))
6937 + /* Look for = sign */
6938 + p = strchr(linebuf, '=');
6940 + /* If no = just copy */
6943 + if (fputs(olinebuf, out) < 0)
6950 + /* Remove trailing space */
6951 + while (isspace((unsigned char)*q))
6957 + /* Remove leading space from value */
6958 + while (isspace((unsigned char)*value))
6961 + /* Remove trailing space from value */
6962 + p = value + strlen(value) - 1;
6964 + while (*p == '\n' || isspace((unsigned char)*p))
6967 + /* Look for [mod = XXX] for key length */
6969 + if (!strcmp(keyword, "[mod"))
6971 + p = value + strlen(value) - 1;
6975 + keylen = atoi(value);
6979 + else if (!strcmp(keyword, "SHAAlg"))
6981 + if (!strcmp(value, "SHA1"))
6982 + dgst = EVP_sha1();
6983 + else if (!strcmp(value, "SHA224"))
6984 + dgst = EVP_sha224();
6985 + else if (!strcmp(value, "SHA256"))
6986 + dgst = EVP_sha256();
6987 + else if (!strcmp(value, "SHA384"))
6988 + dgst = EVP_sha384();
6989 + else if (!strcmp(value, "SHA512"))
6990 + dgst = EVP_sha512();
6994 + "FATAL: unsupported algorithm \"%s\"\n",
6999 + else if (!strcmp(keyword, "Msg"))
7003 + if (strlen(value) & 1)
7005 + Msg = hex2bin_m(value, &Msglen);
7010 + fputs(olinebuf, out);
7012 + /* If key length has changed, generate and output public
7013 + * key components of new RSA private key.
7016 + if (keylen != current_keylen)
7020 + FIPS_rsa_free(rsa);
7021 + rsa = FIPS_rsa_new();
7025 + if (!bn_e || !BN_set_word(bn_e, 0x1001))
7027 + if (!RSA_X931_generate_key_ex(rsa, keylen, bn_e, NULL))
7030 + fputs("n = ", out);
7031 + do_bn_print(out, rsa->n);
7032 + fputs("\ne = ", out);
7033 + do_bn_print(out, rsa->e);
7035 + current_keylen = keylen;
7040 + if (!rsa_printsig(out, rsa, dgst, Msg, Msglen,
7043 + OPENSSL_free(Msg);
7054 + OPENSSL_free(olinebuf);
7056 + OPENSSL_free(linebuf);
7058 + FIPS_rsa_free(rsa);
7064 + fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
7070 +static int rsa_printsig(FILE *out, RSA *rsa, const EVP_MD *dgst,
7071 + unsigned char *Msg, long Msglen, int Saltlen)
7074 + unsigned char *sigbuf = NULL;
7076 + /* EVP_PKEY structure */
7079 + pk.type = EVP_PKEY_RSA;
7080 + pk.pkey.rsa = rsa;
7082 + siglen = RSA_size(rsa);
7083 + sigbuf = OPENSSL_malloc(siglen);
7087 + EVP_MD_CTX_init(&ctx);
7091 + M_EVP_MD_CTX_set_flags(&ctx,
7092 + EVP_MD_CTX_FLAG_PAD_PSS | (Saltlen << 16));
7094 + else if (Saltlen == -2)
7095 + M_EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_PAD_X931);
7096 + if (!EVP_SignInit_ex(&ctx, dgst, NULL))
7098 + if (!EVP_SignUpdate(&ctx, Msg, Msglen))
7100 + if (!EVP_SignFinal(&ctx, sigbuf, (unsigned int *)&siglen, &pk))
7103 + EVP_MD_CTX_cleanup(&ctx);
7105 + fputs("S = ", out);
7107 + for (i = 0; i < siglen; i++)
7108 + fprintf(out, "%02X", sigbuf[i]);
7119 diff -up openssl-1.0.1e/crypto/fips/cavs/fips_rsavtest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_rsavtest.c
7120 --- openssl-1.0.1e/crypto/fips/cavs/fips_rsavtest.c.fips 2013-02-19 12:47:33.735118792 +0100
7121 +++ openssl-1.0.1e/crypto/fips/cavs/fips_rsavtest.c 2013-02-19 12:47:33.735118792 +0100
7123 +/* fips_rsavtest.c */
7124 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
7127 +/* ====================================================================
7128 + * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
7130 + * Redistribution and use in source and binary forms, with or without
7131 + * modification, are permitted provided that the following conditions
7134 + * 1. Redistributions of source code must retain the above copyright
7135 + * notice, this list of conditions and the following disclaimer.
7137 + * 2. Redistributions in binary form must reproduce the above copyright
7138 + * notice, this list of conditions and the following disclaimer in
7139 + * the documentation and/or other materials provided with the
7142 + * 3. All advertising materials mentioning features or use of this
7143 + * software must display the following acknowledgment:
7144 + * "This product includes software developed by the OpenSSL Project
7145 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
7147 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
7148 + * endorse or promote products derived from this software without
7149 + * prior written permission. For written permission, please contact
7150 + * licensing@OpenSSL.org.
7152 + * 5. Products derived from this software may not be called "OpenSSL"
7153 + * nor may "OpenSSL" appear in their names without prior written
7154 + * permission of the OpenSSL Project.
7156 + * 6. Redistributions of any form whatsoever must retain the following
7158 + * "This product includes software developed by the OpenSSL Project
7159 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
7161 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
7162 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
7163 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
7164 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
7165 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
7166 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
7167 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
7168 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
7169 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
7170 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
7171 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
7172 + * OF THE POSSIBILITY OF SUCH DAMAGE.
7173 + * ====================================================================
7175 + * This product includes cryptographic software written by Eric Young
7176 + * (eay@cryptsoft.com). This product includes software written by Tim
7177 + * Hudson (tjh@cryptsoft.com).
7183 +#include <string.h>
7184 +#include <openssl/bio.h>
7185 +#include <openssl/evp.h>
7186 +#include <openssl/hmac.h>
7187 +#include <openssl/err.h>
7188 +#include <openssl/x509v3.h>
7189 +#include <openssl/bn.h>
7190 +#include <openssl/rsa.h>
7192 +#ifndef OPENSSL_FIPS
7194 +int main(int argc, char *argv[])
7196 + printf("No FIPS RSA support\n");
7202 +#include "fips_utl.h"
7204 +int rsa_test(FILE *out, FILE *in, int saltlen);
7205 +static int rsa_printver(FILE *out,
7206 + BIGNUM *n, BIGNUM *e,
7207 + const EVP_MD *dgst,
7208 + unsigned char *Msg, long Msglen,
7209 + unsigned char *S, long Slen, int Saltlen);
7211 +int main(int argc, char **argv)
7213 + FILE *in = NULL, *out = NULL;
7218 + if(!FIPS_mode_set(1))
7220 + do_print_errors();
7224 + if ((argc > 2) && !strcmp("-saltlen", argv[1]))
7226 + Saltlen = atoi(argv[2]);
7229 + fprintf(stderr, "FATAL: Invalid salt length\n");
7235 + else if ((argc > 1) && !strcmp("-x931", argv[1]))
7245 + in = fopen(argv[1], "r");
7250 + out = fopen(argv[2], "w");
7254 + fprintf(stderr, "FATAL input initialization error\n");
7260 + fprintf(stderr, "FATAL output initialization error\n");
7264 + if (!rsa_test(out, in, Saltlen))
7266 + fprintf(stderr, "FATAL RSAVTEST file processing error\n");
7275 + do_print_errors();
7277 + if (in && (in != stdin))
7279 + if (out && (out != stdout))
7286 +#define RSA_TEST_MAXLINELEN 10240
7288 +int rsa_test(FILE *out, FILE *in, int Saltlen)
7290 + char *linebuf, *olinebuf, *p, *q;
7291 + char *keyword, *value;
7292 + const EVP_MD *dgst = NULL;
7293 + BIGNUM *n = NULL, *e = NULL;
7294 + unsigned char *Msg = NULL, *S = NULL;
7295 + long Msglen, Slen;
7299 + olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
7300 + linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
7302 + if (!linebuf || !olinebuf)
7305 + while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in))
7308 + strcpy(linebuf, olinebuf);
7309 + keyword = linebuf;
7310 + /* Skip leading space */
7311 + while (isspace((unsigned char)*keyword))
7314 + /* Look for = sign */
7315 + p = strchr(linebuf, '=');
7317 + /* If no = or starts with [ (for [foo = bar] line) just copy */
7318 + if (!p || *keyword=='[')
7320 + if (fputs(olinebuf, out) < 0)
7327 + /* Remove trailing space */
7328 + while (isspace((unsigned char)*q))
7334 + /* Remove leading space from value */
7335 + while (isspace((unsigned char)*value))
7338 + /* Remove trailing space from value */
7339 + p = value + strlen(value) - 1;
7341 + while (*p == '\n' || isspace((unsigned char)*p))
7344 + if (!strcmp(keyword, "n"))
7346 + if (!do_hex2bn(&n,value))
7349 + else if (!strcmp(keyword, "e"))
7351 + if (!do_hex2bn(&e,value))
7354 + else if (!strcmp(keyword, "SHAAlg"))
7356 + if (!strcmp(value, "SHA1"))
7357 + dgst = EVP_sha1();
7358 + else if (!strcmp(value, "SHA224"))
7359 + dgst = EVP_sha224();
7360 + else if (!strcmp(value, "SHA256"))
7361 + dgst = EVP_sha256();
7362 + else if (!strcmp(value, "SHA384"))
7363 + dgst = EVP_sha384();
7364 + else if (!strcmp(value, "SHA512"))
7365 + dgst = EVP_sha512();
7369 + "FATAL: unsupported algorithm \"%s\"\n",
7374 + else if (!strcmp(keyword, "Msg"))
7378 + if (strlen(value) & 1)
7380 + Msg = hex2bin_m(value, &Msglen);
7384 + else if (!strcmp(keyword, "S"))
7388 + if (strlen(value) & 1)
7390 + S = hex2bin_m(value, &Slen);
7394 + else if (!strcmp(keyword, "Result"))
7399 + fputs(olinebuf, out);
7401 + if (n && e && Msg && S && dgst)
7403 + if (!rsa_printver(out, n, e, dgst,
7404 + Msg, Msglen, S, Slen, Saltlen))
7406 + OPENSSL_free(Msg);
7421 + OPENSSL_free(olinebuf);
7423 + OPENSSL_free(linebuf);
7433 + fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
7439 +static int rsa_printver(FILE *out,
7440 + BIGNUM *n, BIGNUM *e,
7441 + const EVP_MD *dgst,
7442 + unsigned char *Msg, long Msglen,
7443 + unsigned char *S, long Slen, int Saltlen)
7446 + /* Setup RSA and EVP_PKEY structures */
7447 + RSA *rsa_pubkey = NULL;
7450 + unsigned char *buf = NULL;
7451 + rsa_pubkey = FIPS_rsa_new();
7454 + rsa_pubkey->n = BN_dup(n);
7455 + rsa_pubkey->e = BN_dup(e);
7456 + if (!rsa_pubkey->n || !rsa_pubkey->e)
7458 + pk.type = EVP_PKEY_RSA;
7459 + pk.pkey.rsa = rsa_pubkey;
7461 + EVP_MD_CTX_init(&ctx);
7465 + M_EVP_MD_CTX_set_flags(&ctx,
7466 + EVP_MD_CTX_FLAG_PAD_PSS | (Saltlen << 16));
7468 + else if (Saltlen == -2)
7469 + M_EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_PAD_X931);
7470 + if (!EVP_VerifyInit_ex(&ctx, dgst, NULL))
7472 + if (!EVP_VerifyUpdate(&ctx, Msg, Msglen))
7475 + r = EVP_VerifyFinal(&ctx, S, Slen, &pk);
7478 + EVP_MD_CTX_cleanup(&ctx);
7482 + ERR_clear_error();
7485 + fputs("Result = F\n", out);
7487 + fputs("Result = P\n", out);
7493 + FIPS_rsa_free(rsa_pubkey);
7495 + OPENSSL_free(buf);
7500 diff -up openssl-1.0.1e/crypto/fips/cavs/fips_shatest.c.fips openssl-1.0.1e/crypto/fips/cavs/fips_shatest.c
7501 --- openssl-1.0.1e/crypto/fips/cavs/fips_shatest.c.fips 2013-02-19 12:47:33.735118792 +0100
7502 +++ openssl-1.0.1e/crypto/fips/cavs/fips_shatest.c 2013-02-19 12:47:33.735118792 +0100
7504 +/* fips_shatest.c */
7505 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
7508 +/* ====================================================================
7509 + * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
7511 + * Redistribution and use in source and binary forms, with or without
7512 + * modification, are permitted provided that the following conditions
7515 + * 1. Redistributions of source code must retain the above copyright
7516 + * notice, this list of conditions and the following disclaimer.
7518 + * 2. Redistributions in binary form must reproduce the above copyright
7519 + * notice, this list of conditions and the following disclaimer in
7520 + * the documentation and/or other materials provided with the
7523 + * 3. All advertising materials mentioning features or use of this
7524 + * software must display the following acknowledgment:
7525 + * "This product includes software developed by the OpenSSL Project
7526 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
7528 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
7529 + * endorse or promote products derived from this software without
7530 + * prior written permission. For written permission, please contact
7531 + * licensing@OpenSSL.org.
7533 + * 5. Products derived from this software may not be called "OpenSSL"
7534 + * nor may "OpenSSL" appear in their names without prior written
7535 + * permission of the OpenSSL Project.
7537 + * 6. Redistributions of any form whatsoever must retain the following
7539 + * "This product includes software developed by the OpenSSL Project
7540 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
7542 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
7543 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
7544 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
7545 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
7546 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
7547 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
7548 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
7549 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
7550 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
7551 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
7552 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
7553 + * OF THE POSSIBILITY OF SUCH DAMAGE.
7554 + * ====================================================================
7556 + * This product includes cryptographic software written by Eric Young
7557 + * (eay@cryptsoft.com). This product includes software written by Tim
7558 + * Hudson (tjh@cryptsoft.com).
7564 +#include <string.h>
7565 +#include <openssl/bio.h>
7566 +#include <openssl/evp.h>
7567 +#include <openssl/err.h>
7568 +#include <openssl/bn.h>
7569 +#include <openssl/x509v3.h>
7571 +#ifndef OPENSSL_FIPS
7573 +int main(int argc, char *argv[])
7575 + printf("No FIPS SHAXXX support\n");
7581 +#include "fips_utl.h"
7583 +static int dgst_test(FILE *out, FILE *in);
7584 +static int print_dgst(const EVP_MD *md, FILE *out,
7585 + unsigned char *Msg, int Msglen);
7586 +static int print_monte(const EVP_MD *md, FILE *out,
7587 + unsigned char *Seed, int SeedLen);
7589 +int main(int argc, char **argv)
7591 + FILE *in = NULL, *out = NULL;
7595 + if(!FIPS_mode_set(1))
7597 + do_print_errors();
7604 + in = fopen(argv[1], "r");
7609 + out = fopen(argv[2], "w");
7613 + fprintf(stderr, "FATAL input initialization error\n");
7619 + fprintf(stderr, "FATAL output initialization error\n");
7623 + if (!dgst_test(out, in))
7625 + fprintf(stderr, "FATAL digest file processing error\n");
7634 + do_print_errors();
7636 + if (in && (in != stdin))
7638 + if (out && (out != stdout))
7645 +#define SHA_TEST_MAX_BITS 102400
7646 +#define SHA_TEST_MAXLINELEN (((SHA_TEST_MAX_BITS >> 3) * 2) + 100)
7648 +int dgst_test(FILE *out, FILE *in)
7650 + const EVP_MD *md = NULL;
7651 + char *linebuf, *olinebuf, *p, *q;
7652 + char *keyword, *value;
7653 + unsigned char *Msg = NULL, *Seed = NULL;
7654 + long MsgLen = -1, Len = -1, SeedLen = -1;
7658 + olinebuf = OPENSSL_malloc(SHA_TEST_MAXLINELEN);
7659 + linebuf = OPENSSL_malloc(SHA_TEST_MAXLINELEN);
7661 + if (!linebuf || !olinebuf)
7665 + while (fgets(olinebuf, SHA_TEST_MAXLINELEN, in))
7668 + strcpy(linebuf, olinebuf);
7669 + keyword = linebuf;
7670 + /* Skip leading space */
7671 + while (isspace((unsigned char)*keyword))
7674 + /* Look for = sign */
7675 + p = strchr(linebuf, '=');
7677 + /* If no = or starts with [ (for [L=20] line) just copy */
7680 + fputs(olinebuf, out);
7686 + /* Remove trailing space */
7687 + while (isspace((unsigned char)*q))
7693 + /* Remove leading space from value */
7694 + while (isspace((unsigned char)*value))
7697 + /* Remove trailing space from value */
7698 + p = value + strlen(value) - 1;
7699 + while (*p == '\n' || isspace((unsigned char)*p))
7702 + if (!strcmp(keyword,"[L") && *p==']')
7704 + switch (atoi(value))
7706 + case 20: md=EVP_sha1(); break;
7707 + case 28: md=EVP_sha224(); break;
7708 + case 32: md=EVP_sha256(); break;
7709 + case 48: md=EVP_sha384(); break;
7710 + case 64: md=EVP_sha512(); break;
7711 + default: goto parse_error;
7714 + else if (!strcmp(keyword, "Len"))
7718 + Len = atoi(value);
7721 + /* Only handle multiples of 8 bits */
7724 + if (Len > SHA_TEST_MAX_BITS)
7726 + MsgLen = Len >> 3;
7729 + else if (!strcmp(keyword, "Msg"))
7732 + if (strlen(value) & 1)
7736 + Msg = hex2bin_m(value, &tmplen);
7740 + else if (!strcmp(keyword, "Seed"))
7742 + if (strlen(value) & 1)
7746 + Seed = hex2bin_m(value, &SeedLen);
7750 + else if (!strcmp(keyword, "MD"))
7755 + fputs(olinebuf, out);
7757 + if (md && Msg && (MsgLen >= 0))
7759 + if (!print_dgst(md, out, Msg, MsgLen))
7761 + OPENSSL_free(Msg);
7766 + else if (md && Seed && (SeedLen > 0))
7768 + if (!print_monte(md, out, Seed, SeedLen))
7770 + OPENSSL_free(Seed);
7785 + OPENSSL_free(olinebuf);
7787 + OPENSSL_free(linebuf);
7789 + OPENSSL_free(Msg);
7791 + OPENSSL_free(Seed);
7797 + fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
7803 +static int print_dgst(const EVP_MD *emd, FILE *out,
7804 + unsigned char *Msg, int Msglen)
7807 + unsigned char md[EVP_MAX_MD_SIZE];
7808 + if (!EVP_Digest(Msg, Msglen, md, (unsigned int *)&mdlen, emd, NULL))
7810 + fputs("Error calculating HASH\n", stderr);
7813 + fputs("MD = ", out);
7814 + for (i = 0; i < mdlen; i++)
7815 + fprintf(out, "%02x", md[i]);
7820 +static int print_monte(const EVP_MD *md, FILE *out,
7821 + unsigned char *Seed, int SeedLen)
7823 + unsigned int i, j, k;
7826 + unsigned char *m1, *m2, *m3, *p;
7827 + unsigned int mlen, m1len, m2len, m3len;
7829 + EVP_MD_CTX_init(&ctx);
7831 + if (SeedLen > EVP_MAX_MD_SIZE)
7834 + mlen = EVP_MAX_MD_SIZE;
7836 + m1 = OPENSSL_malloc(mlen);
7837 + m2 = OPENSSL_malloc(mlen);
7838 + m3 = OPENSSL_malloc(mlen);
7840 + if (!m1 || !m2 || !m3)
7843 + m1len = m2len = m3len = SeedLen;
7844 + memcpy(m1, Seed, SeedLen);
7845 + memcpy(m2, Seed, SeedLen);
7846 + memcpy(m3, Seed, SeedLen);
7850 + for (j = 0; j < 100; j++)
7852 + for (i = 0; i < 1000; i++)
7854 + EVP_DigestInit_ex(&ctx, md, NULL);
7855 + EVP_DigestUpdate(&ctx, m1, m1len);
7856 + EVP_DigestUpdate(&ctx, m2, m2len);
7857 + EVP_DigestUpdate(&ctx, m3, m3len);
7864 + EVP_DigestFinal_ex(&ctx, m3, &m3len);
7866 + fprintf(out, "COUNT = %d\n", j);
7867 + fputs("MD = ", out);
7868 + for (k = 0; k < m3len; k++)
7869 + fprintf(out, "%02x", m3[k]);
7870 + fputs("\n\n", out);
7871 + memcpy(m1, m3, m3len);
7872 + memcpy(m2, m3, m3len);
7873 + m1len = m2len = m3len;
7886 + EVP_MD_CTX_cleanup(&ctx);
7892 diff -up openssl-1.0.1e/crypto/fips/cavs/fips_utl.h.fips openssl-1.0.1e/crypto/fips/cavs/fips_utl.h
7893 --- openssl-1.0.1e/crypto/fips/cavs/fips_utl.h.fips 2013-02-19 12:47:33.735118792 +0100
7894 +++ openssl-1.0.1e/crypto/fips/cavs/fips_utl.h 2013-02-19 12:47:33.735118792 +0100
7896 +/* ====================================================================
7897 + * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
7899 + * Redistribution and use in source and binary forms, with or without
7900 + * modification, are permitted provided that the following conditions
7903 + * 1. Redistributions of source code must retain the above copyright
7904 + * notice, this list of conditions and the following disclaimer.
7906 + * 2. Redistributions in binary form must reproduce the above copyright
7907 + * notice, this list of conditions and the following disclaimer in
7908 + * the documentation and/or other materials provided with the
7911 + * 3. All advertising materials mentioning features or use of this
7912 + * software must display the following acknowledgment:
7913 + * "This product includes software developed by the OpenSSL Project
7914 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
7916 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
7917 + * endorse or promote products derived from this software without
7918 + * prior written permission. For written permission, please contact
7919 + * openssl-core@openssl.org.
7921 + * 5. Products derived from this software may not be called "OpenSSL"
7922 + * nor may "OpenSSL" appear in their names without prior written
7923 + * permission of the OpenSSL Project.
7925 + * 6. Redistributions of any form whatsoever must retain the following
7927 + * "This product includes software developed by the OpenSSL Project
7928 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
7930 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
7931 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
7932 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
7933 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
7934 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
7935 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
7936 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
7937 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
7938 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
7939 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
7940 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
7941 + * OF THE POSSIBILITY OF SUCH DAMAGE.
7945 +void do_print_errors(void)
7947 + const char *file, *data;
7950 + while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)))
7952 + fprintf(stderr, "ERROR:%lx:lib=%d,func=%d,reason=%d"
7953 + ":file=%s:line=%d:%s\n",
7954 + l, ERR_GET_LIB(l), ERR_GET_FUNC(l), ERR_GET_REASON(l),
7955 + file, line, flags & ERR_TXT_STRING ? data : "");
7959 +int hex2bin(const char *in, unsigned char *out)
7964 + for (n1=0,n2=0 ; in[n1] && in[n1] != '\n' ; )
7965 + { /* first byte */
7966 + if ((in[n1] >= '0') && (in[n1] <= '9'))
7967 + ch = in[n1++] - '0';
7968 + else if ((in[n1] >= 'A') && (in[n1] <= 'F'))
7969 + ch = in[n1++] - 'A' + 10;
7970 + else if ((in[n1] >= 'a') && (in[n1] <= 'f'))
7971 + ch = in[n1++] - 'a' + 10;
7979 + out[n2] = ch << 4;
7981 + if ((in[n1] >= '0') && (in[n1] <= '9'))
7982 + ch = in[n1++] - '0';
7983 + else if ((in[n1] >= 'A') && (in[n1] <= 'F'))
7984 + ch = in[n1++] - 'A' + 10;
7985 + else if ((in[n1] >= 'a') && (in[n1] <= 'f'))
7986 + ch = in[n1++] - 'a' + 10;
7994 +unsigned char *hex2bin_m(const char *in, long *plen)
7997 + p = OPENSSL_malloc((strlen(in) + 1)/2);
7998 + *plen = hex2bin(in, p);
8002 +int do_hex2bn(BIGNUM **pr, const char *in)
8007 + p = hex2bin_m(in, &plen);
8014 + if (BN_bin2bn(p, plen, *pr))
8020 +int do_bn_print(FILE *out, BIGNUM *bn)
8023 + unsigned char *tmp;
8024 + len = BN_num_bytes(bn);
8031 + tmp = OPENSSL_malloc(len);
8034 + fprintf(stderr, "Memory allocation error\n");
8037 + BN_bn2bin(bn, tmp);
8038 + for (i = 0; i < len; i++)
8039 + fprintf(out, "%02x", tmp[i]);
8040 + OPENSSL_free(tmp);
8044 +int do_bn_print_name(FILE *out, const char *name, BIGNUM *bn)
8047 + fprintf(out, "%s = ", name);
8048 + r = do_bn_print(out, bn);
8055 +int parse_line(char **pkw, char **pval, char *linebuf, char *olinebuf)
8057 + char *keyword, *value, *p, *q;
8058 + strcpy(linebuf, olinebuf);
8059 + keyword = linebuf;
8060 + /* Skip leading space */
8061 + while (isspace((unsigned char)*keyword))
8064 + /* Look for = sign */
8065 + p = strchr(linebuf, '=');
8067 + /* If no '=' exit */
8073 + /* Remove trailing space */
8074 + while (isspace((unsigned char)*q))
8080 + /* Remove leading space from value */
8081 + while (isspace((unsigned char)*value))
8084 + /* Remove trailing space from value */
8085 + p = value + strlen(value) - 1;
8087 + while (*p == '\n' || isspace((unsigned char)*p))
8095 +BIGNUM *hex2bn(const char *in)
8099 + if (!do_hex2bn(&p, in))
8105 +int bin2hex(const unsigned char *in,int len,char *out)
8110 + for (n1=0,n2=0 ; n1 < len ; ++n1)
8116 + out[n2++]=ch-10+'a';
8121 + out[n2++]=ch-10+'a';
8127 +void pv(const char *tag,const unsigned char *val,int len)
8131 + bin2hex(val,len,obuf);
8132 + printf("%s = %s\n",tag,obuf);
8135 +/* To avoid extensive changes to test program at this stage just convert
8136 + * the input line into an acceptable form. Keyword lines converted to form
8137 + * "keyword = value\n" no matter what white space present, all other lines
8138 + * just have leading and trailing space removed.
8141 +int tidy_line(char *linebuf, char *olinebuf)
8143 + char *keyword, *value, *p, *q;
8144 + strcpy(linebuf, olinebuf);
8145 + keyword = linebuf;
8146 + /* Skip leading space */
8147 + while (isspace((unsigned char)*keyword))
8149 + /* Look for = sign */
8150 + p = strchr(linebuf, '=');
8152 + /* If no '=' just chop leading, trailing ws */
8155 + p = keyword + strlen(keyword) - 1;
8156 + while (*p == '\n' || isspace((unsigned char)*p))
8158 + strcpy(olinebuf, keyword);
8159 + strcat(olinebuf, "\n");
8165 + /* Remove trailing space */
8166 + while (isspace((unsigned char)*q))
8172 + /* Remove leading space from value */
8173 + while (isspace((unsigned char)*value))
8176 + /* Remove trailing space from value */
8177 + p = value + strlen(value) - 1;
8179 + while (*p == '\n' || isspace((unsigned char)*p))
8182 + strcpy(olinebuf, keyword);
8183 + strcat(olinebuf, " = ");
8184 + strcat(olinebuf, value);
8185 + strcat(olinebuf, "\n");
8190 +/* NB: this return the number of _bits_ read */
8191 +int bint2bin(const char *in, int len, unsigned char *out)
8195 + memset(out,0,len);
8196 + for(n=0 ; n < len ; ++n)
8198 + out[n/8]|=(0x80 >> (n%8));
8202 +int bin2bint(const unsigned char *in,int len,char *out)
8206 + for(n=0 ; n < len ; ++n)
8207 + out[n]=(in[n/8]&(0x80 >> (n%8))) ? '1' : '0';
8211 +/*-----------------------------------------------*/
8213 +void PrintValue(char *tag, unsigned char *val, int len)
8218 + olen = bin2hex(val, len, obuf);
8219 + printf("%s = %.*s\n", tag, olen, obuf);
8223 +void OutputValue(char *tag, unsigned char *val, int len, FILE *rfp,int bitmode)
8229 + olen=bin2bint(val,len,obuf);
8231 + olen=bin2hex(val,len,obuf);
8233 + fprintf(rfp, "%s = %.*s\n", tag, olen, obuf);
8235 + printf("%s = %.*s\n", tag, olen, obuf);
8239 diff -up openssl-1.0.1e/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_aes_selftest.c
8240 --- openssl-1.0.1e/crypto/fips/fips_aes_selftest.c.fips 2013-02-19 12:47:33.735118792 +0100
8241 +++ openssl-1.0.1e/crypto/fips/fips_aes_selftest.c 2013-02-19 12:47:33.735118792 +0100
8243 +/* ====================================================================
8244 + * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
8246 + * Redistribution and use in source and binary forms, with or without
8247 + * modification, are permitted provided that the following conditions
8250 + * 1. Redistributions of source code must retain the above copyright
8251 + * notice, this list of conditions and the following disclaimer.
8253 + * 2. Redistributions in binary form must reproduce the above copyright
8254 + * notice, this list of conditions and the following disclaimer in
8255 + * the documentation and/or other materials provided with the
8258 + * 3. All advertising materials mentioning features or use of this
8259 + * software must display the following acknowledgment:
8260 + * "This product includes software developed by the OpenSSL Project
8261 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
8263 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
8264 + * endorse or promote products derived from this software without
8265 + * prior written permission. For written permission, please contact
8266 + * openssl-core@openssl.org.
8268 + * 5. Products derived from this software may not be called "OpenSSL"
8269 + * nor may "OpenSSL" appear in their names without prior written
8270 + * permission of the OpenSSL Project.
8272 + * 6. Redistributions of any form whatsoever must retain the following
8274 + * "This product includes software developed by the OpenSSL Project
8275 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
8277 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
8278 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
8279 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
8280 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
8281 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
8282 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
8283 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
8284 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
8285 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
8286 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
8287 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
8288 + * OF THE POSSIBILITY OF SUCH DAMAGE.
8292 +#include <string.h>
8293 +#include <openssl/err.h>
8294 +#ifdef OPENSSL_FIPS
8295 +#include <openssl/fips.h>
8297 +#include <openssl/evp.h>
8299 +#ifdef OPENSSL_FIPS
8300 +static const struct
8302 + const unsigned char key[16];
8303 + const unsigned char plaintext[16];
8304 + const unsigned char ciphertext[16];
8308 + { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
8309 + 0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F },
8310 + { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
8311 + 0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF },
8312 + { 0x69,0xC4,0xE0,0xD8,0x6A,0x7B,0x04,0x30,
8313 + 0xD8,0xCD,0xB7,0x80,0x70,0xB4,0xC5,0x5A },
8317 +static int corrupt_aes;
8319 +void FIPS_corrupt_aes()
8324 +int FIPS_selftest_aes()
8328 + EVP_CIPHER_CTX ctx;
8329 + EVP_CIPHER_CTX_init(&ctx);
8331 + for(n=0 ; n < 1 ; ++n)
8333 + unsigned char key[16];
8335 + memcpy(key, tests[n].key, sizeof(key));
8338 + if (fips_cipher_test(&ctx, EVP_aes_128_ecb(),
8340 + tests[n].plaintext,
8341 + tests[n].ciphertext,
8347 + EVP_CIPHER_CTX_cleanup(&ctx);
8349 + FIPSerr(FIPS_F_FIPS_SELFTEST_AES,FIPS_R_SELFTEST_FAILED);
8353 +/* AES-CCM test data from NIST public test vectors */
8355 +static const unsigned char ccm_key[] = {
8356 + 0xce,0xb0,0x09,0xae,0xa4,0x45,0x44,0x51,0xfe,0xad,0xf0,0xe6,
8357 + 0xb3,0x6f,0x45,0x55,0x5d,0xd0,0x47,0x23,0xba,0xa4,0x48,0xe8
8359 +static const unsigned char ccm_nonce[] = {
8360 + 0x76,0x40,0x43,0xc4,0x94,0x60,0xb7
8362 +static const unsigned char ccm_adata[] = {
8363 + 0x6e,0x80,0xdd,0x7f,0x1b,0xad,0xf3,0xa1,0xc9,0xab,0x25,0xc7,
8364 + 0x5f,0x10,0xbd,0xe7,0x8c,0x23,0xfa,0x0e,0xb8,0xf9,0xaa,0xa5,
8365 + 0x3a,0xde,0xfb,0xf4,0xcb,0xf7,0x8f,0xe4
8367 +static const unsigned char ccm_pt[] = {
8368 + 0xc8,0xd2,0x75,0xf9,0x19,0xe1,0x7d,0x7f,0xe6,0x9c,0x2a,0x1f,
8369 + 0x58,0x93,0x9d,0xfe,0x4d,0x40,0x37,0x91,0xb5,0xdf,0x13,0x10
8371 +static const unsigned char ccm_ct[] = {
8372 + 0x8a,0x0f,0x3d,0x82,0x29,0xe4,0x8e,0x74,0x87,0xfd,0x95,0xa2,
8373 + 0x8a,0xd3,0x92,0xc8,0x0b,0x36,0x81,0xd4,0xfb,0xc7,0xbb,0xfd
8375 +static const unsigned char ccm_tag[] = {
8376 + 0x2d,0xd6,0xef,0x1c,0x45,0xd4,0xcc,0xb7,0x23,0xdc,0x07,0x44,
8377 + 0x14,0xdb,0x50,0x6d
8380 +int FIPS_selftest_aes_ccm(void)
8383 + unsigned char out[128], tag[16];
8384 + EVP_CIPHER_CTX ctx;
8385 + EVP_CIPHER_CTX_init(&ctx);
8386 + memset(out, 0, sizeof(out));
8387 + if (!EVP_CipherInit(&ctx, EVP_aes_192_ccm(), NULL, NULL, 1))
8389 + if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN,
8390 + sizeof(ccm_nonce), NULL))
8392 + if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG,
8393 + sizeof(ccm_tag), NULL))
8395 + if (!EVP_CipherInit(&ctx, NULL, ccm_key, ccm_nonce, 1))
8397 + if (EVP_Cipher(&ctx, NULL, NULL, sizeof(ccm_pt)) != sizeof(ccm_pt))
8399 + if (EVP_Cipher(&ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
8401 + if (EVP_Cipher(&ctx, out, ccm_pt, sizeof(ccm_pt)) != sizeof(ccm_ct))
8404 + if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_GET_TAG, 16, tag))
8406 + if (memcmp(tag, ccm_tag, sizeof(ccm_tag))
8407 + || memcmp(out, ccm_ct, sizeof(ccm_ct)))
8410 + memset(out, 0, sizeof(out));
8412 + if (!EVP_CipherInit(&ctx, EVP_aes_192_ccm(), NULL, NULL, 0))
8414 + if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN,
8415 + sizeof(ccm_nonce), NULL))
8417 + if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG, 16, tag))
8419 + if (!EVP_CipherInit(&ctx, NULL, ccm_key, ccm_nonce, 0))
8421 + if (EVP_Cipher(&ctx, NULL, NULL, sizeof(ccm_ct)) != sizeof(ccm_ct))
8423 + if (EVP_Cipher(&ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
8425 + if (EVP_Cipher(&ctx, out, ccm_ct, sizeof(ccm_ct)) != sizeof(ccm_pt))
8428 + if (memcmp(out, ccm_pt, sizeof(ccm_pt)))
8434 + EVP_CIPHER_CTX_cleanup(&ctx);
8438 + FIPSerr(FIPS_F_FIPS_SELFTEST_AES_CCM,FIPS_R_SELFTEST_FAILED);
8446 +/* AES-GCM test data from NIST public test vectors */
8448 +static const unsigned char gcm_key[] = {
8449 + 0xee,0xbc,0x1f,0x57,0x48,0x7f,0x51,0x92,0x1c,0x04,0x65,0x66,
8450 + 0x5f,0x8a,0xe6,0xd1,0x65,0x8b,0xb2,0x6d,0xe6,0xf8,0xa0,0x69,
8451 + 0xa3,0x52,0x02,0x93,0xa5,0x72,0x07,0x8f
8453 +static const unsigned char gcm_iv[] = {
8454 + 0x99,0xaa,0x3e,0x68,0xed,0x81,0x73,0xa0,0xee,0xd0,0x66,0x84
8456 +static const unsigned char gcm_pt[] = {
8457 + 0xf5,0x6e,0x87,0x05,0x5b,0xc3,0x2d,0x0e,0xeb,0x31,0xb2,0xea,
8458 + 0xcc,0x2b,0xf2,0xa5
8460 +static const unsigned char gcm_aad[] = {
8461 + 0x4d,0x23,0xc3,0xce,0xc3,0x34,0xb4,0x9b,0xdb,0x37,0x0c,0x43,
8462 + 0x7f,0xec,0x78,0xde
8464 +static const unsigned char gcm_ct[] = {
8465 + 0xf7,0x26,0x44,0x13,0xa8,0x4c,0x0e,0x7c,0xd5,0x36,0x86,0x7e,
8466 + 0xb9,0xf2,0x17,0x36
8468 +static const unsigned char gcm_tag[] = {
8469 + 0x67,0xba,0x05,0x10,0x26,0x2a,0xe4,0x87,0xd7,0x37,0xee,0x62,
8470 + 0x98,0xf7,0x7e,0x0c
8473 +int FIPS_selftest_aes_gcm(void)
8476 + unsigned char out[128], tag[16];
8477 + EVP_CIPHER_CTX ctx;
8478 + EVP_CIPHER_CTX_init(&ctx);
8479 + memset(out, 0, sizeof(out));
8480 + memset(tag, 0, sizeof(tag));
8481 + if (!EVP_CipherInit(&ctx, EVP_aes_256_gcm(), NULL, NULL, 1))
8483 + if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN,
8484 + sizeof(gcm_iv), NULL))
8486 + if (!EVP_CipherInit(&ctx, NULL, gcm_key, gcm_iv, 1))
8488 + if (EVP_Cipher(&ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
8490 + if (EVP_Cipher(&ctx, out, gcm_pt, sizeof(gcm_pt)) != sizeof(gcm_ct))
8492 + if (EVP_Cipher(&ctx, NULL, NULL, 0) < 0)
8495 + if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, 16, tag))
8498 + if (memcmp(tag, gcm_tag, 16) || memcmp(out, gcm_ct, 16))
8501 + memset(out, 0, sizeof(out));
8503 + if (!EVP_CipherInit(&ctx, EVP_aes_256_gcm(), NULL, NULL, 0))
8505 + if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN,
8506 + sizeof(gcm_iv), NULL))
8508 + if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, 16, tag))
8510 + if (!EVP_CipherInit(&ctx, NULL, gcm_key, gcm_iv, 0))
8512 + if (EVP_Cipher(&ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
8514 + if (EVP_Cipher(&ctx, out, gcm_ct, sizeof(gcm_ct)) != sizeof(gcm_pt))
8516 + if (EVP_Cipher(&ctx, NULL, NULL, 0) < 0)
8519 + if (memcmp(out, gcm_pt, 16))
8525 + EVP_CIPHER_CTX_cleanup(&ctx);
8529 + FIPSerr(FIPS_F_FIPS_SELFTEST_AES_GCM,FIPS_R_SELFTEST_FAILED);
8538 +static const unsigned char XTS_128_key[] = {
8539 + 0xa1,0xb9,0x0c,0xba,0x3f,0x06,0xac,0x35,0x3b,0x2c,0x34,0x38,
8540 + 0x76,0x08,0x17,0x62,0x09,0x09,0x23,0x02,0x6e,0x91,0x77,0x18,
8541 + 0x15,0xf2,0x9d,0xab,0x01,0x93,0x2f,0x2f
8543 +static const unsigned char XTS_128_i[] = {
8544 + 0x4f,0xae,0xf7,0x11,0x7c,0xda,0x59,0xc6,0x6e,0x4b,0x92,0x01,
8545 + 0x3e,0x76,0x8a,0xd5
8547 +static const unsigned char XTS_128_pt[] = {
8548 + 0xeb,0xab,0xce,0x95,0xb1,0x4d,0x3c,0x8d,0x6f,0xb3,0x50,0x39,
8549 + 0x07,0x90,0x31,0x1c
8551 +static const unsigned char XTS_128_ct[] = {
8552 + 0x77,0x8a,0xe8,0xb4,0x3c,0xb9,0x8d,0x5a,0x82,0x50,0x81,0xd5,
8553 + 0xbe,0x47,0x1c,0x63
8556 +static const unsigned char XTS_256_key[] = {
8557 + 0x1e,0xa6,0x61,0xc5,0x8d,0x94,0x3a,0x0e,0x48,0x01,0xe4,0x2f,
8558 + 0x4b,0x09,0x47,0x14,0x9e,0x7f,0x9f,0x8e,0x3e,0x68,0xd0,0xc7,
8559 + 0x50,0x52,0x10,0xbd,0x31,0x1a,0x0e,0x7c,0xd6,0xe1,0x3f,0xfd,
8560 + 0xf2,0x41,0x8d,0x8d,0x19,0x11,0xc0,0x04,0xcd,0xa5,0x8d,0xa3,
8561 + 0xd6,0x19,0xb7,0xe2,0xb9,0x14,0x1e,0x58,0x31,0x8e,0xea,0x39,
8562 + 0x2c,0xf4,0x1b,0x08
8564 +static const unsigned char XTS_256_i[] = {
8565 + 0xad,0xf8,0xd9,0x26,0x27,0x46,0x4a,0xd2,0xf0,0x42,0x8e,0x84,
8566 + 0xa9,0xf8,0x75,0x64
8568 +static const unsigned char XTS_256_pt[] = {
8569 + 0x2e,0xed,0xea,0x52,0xcd,0x82,0x15,0xe1,0xac,0xc6,0x47,0xe8,
8570 + 0x10,0xbb,0xc3,0x64,0x2e,0x87,0x28,0x7f,0x8d,0x2e,0x57,0xe3,
8571 + 0x6c,0x0a,0x24,0xfb,0xc1,0x2a,0x20,0x2e
8573 +static const unsigned char XTS_256_ct[] = {
8574 + 0xcb,0xaa,0xd0,0xe2,0xf6,0xce,0xa3,0xf5,0x0b,0x37,0xf9,0x34,
8575 + 0xd4,0x6a,0x9b,0x13,0x0b,0x9d,0x54,0xf0,0x7e,0x34,0xf3,0x6a,
8576 + 0xf7,0x93,0xe8,0x6f,0x73,0xc6,0xd7,0xdb
8579 +int FIPS_selftest_aes_xts()
8582 + EVP_CIPHER_CTX ctx;
8583 + EVP_CIPHER_CTX_init(&ctx);
8585 + if (fips_cipher_test(&ctx, EVP_aes_128_xts(),
8586 + XTS_128_key, XTS_128_i, XTS_128_pt, XTS_128_ct,
8587 + sizeof(XTS_128_pt)) <= 0)
8590 + if (fips_cipher_test(&ctx, EVP_aes_256_xts(),
8591 + XTS_256_key, XTS_256_i, XTS_256_pt, XTS_256_ct,
8592 + sizeof(XTS_256_pt)) <= 0)
8595 + EVP_CIPHER_CTX_cleanup(&ctx);
8597 + FIPSerr(FIPS_F_FIPS_SELFTEST_AES_XTS,FIPS_R_SELFTEST_FAILED);
8602 diff -up openssl-1.0.1e/crypto/fips/fips.c.fips openssl-1.0.1e/crypto/fips/fips.c
8603 --- openssl-1.0.1e/crypto/fips/fips.c.fips 2013-02-19 12:47:33.735118792 +0100
8604 +++ openssl-1.0.1e/crypto/fips/fips.c 2013-02-19 12:47:33.736118812 +0100
8606 +/* ====================================================================
8607 + * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
8609 + * Redistribution and use in source and binary forms, with or without
8610 + * modification, are permitted provided that the following conditions
8613 + * 1. Redistributions of source code must retain the above copyright
8614 + * notice, this list of conditions and the following disclaimer.
8616 + * 2. Redistributions in binary form must reproduce the above copyright
8617 + * notice, this list of conditions and the following disclaimer in
8618 + * the documentation and/or other materials provided with the
8621 + * 3. All advertising materials mentioning features or use of this
8622 + * software must display the following acknowledgment:
8623 + * "This product includes software developed by the OpenSSL Project
8624 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
8626 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
8627 + * endorse or promote products derived from this software without
8628 + * prior written permission. For written permission, please contact
8629 + * openssl-core@openssl.org.
8631 + * 5. Products derived from this software may not be called "OpenSSL"
8632 + * nor may "OpenSSL" appear in their names without prior written
8633 + * permission of the OpenSSL Project.
8635 + * 6. Redistributions of any form whatsoever must retain the following
8637 + * "This product includes software developed by the OpenSSL Project
8638 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
8640 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
8641 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
8642 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
8643 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
8644 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
8645 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
8646 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
8647 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
8648 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
8649 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
8650 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
8651 + * OF THE POSSIBILITY OF SUCH DAMAGE.
8655 +#define _GNU_SOURCE
8657 +#include <openssl/rand.h>
8658 +#include <openssl/fips_rand.h>
8659 +#include <openssl/err.h>
8660 +#include <openssl/bio.h>
8661 +#include <openssl/hmac.h>
8662 +#include <openssl/rsa.h>
8663 +#include <string.h>
8664 +#include <limits.h>
8667 +#include <stdlib.h>
8668 +#include "fips_locl.h"
8670 +#ifdef OPENSSL_FIPS
8672 +#include <openssl/fips.h>
8675 +#define PATH_MAX 1024
8678 +static int fips_selftest_fail = 0;
8679 +static int fips_mode = 0;
8680 +static int fips_started = 0;
8682 +static int fips_is_owning_thread(void);
8683 +static int fips_set_owning_thread(void);
8684 +static int fips_clear_owning_thread(void);
8686 +#define fips_w_lock() CRYPTO_w_lock(CRYPTO_LOCK_FIPS)
8687 +#define fips_w_unlock() CRYPTO_w_unlock(CRYPTO_LOCK_FIPS)
8688 +#define fips_r_lock() CRYPTO_r_lock(CRYPTO_LOCK_FIPS)
8689 +#define fips_r_unlock() CRYPTO_r_unlock(CRYPTO_LOCK_FIPS)
8691 +static void fips_set_mode(int onoff)
8693 + int owning_thread = fips_is_owning_thread();
8697 + if (!owning_thread) fips_w_lock();
8698 + fips_mode = onoff;
8699 + if (!owning_thread) fips_w_unlock();
8703 +int FIPS_module_mode(void)
8706 + int owning_thread = fips_is_owning_thread();
8710 + if (!owning_thread) fips_r_lock();
8712 + if (!owning_thread) fips_r_unlock();
8717 +int FIPS_selftest_failed(void)
8722 + int owning_thread = fips_is_owning_thread();
8724 + if (!owning_thread) fips_r_lock();
8725 + ret = fips_selftest_fail;
8726 + if (!owning_thread) fips_r_unlock();
8731 +/* Selftest failure fatal exit routine. This will be called
8732 + * during *any* cryptographic operation. It has the minimum
8733 + * overhead possible to avoid too big a performance hit.
8736 +void FIPS_selftest_check(void)
8738 + if (fips_selftest_fail)
8740 + OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE");
8744 +void fips_set_selftest_fail(void)
8746 + fips_selftest_fail = 1;
8749 +/* we implement what libfipscheck does ourselves */
8752 +get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
8758 + dl = dlopen(libname, RTLD_LAZY);
8763 + sym = dlsym(dl, symbolname);
8765 + if (sym != NULL && dladdr(sym, &info)) {
8766 + strncpy(path, info.dli_fname, pathlen-1);
8767 + path[pathlen-1] = '\0';
8776 +static const char conv[] = "0123456789abcdef";
8779 +bin2hex(void *buf, size_t len)
8782 + unsigned char *src = buf;
8784 + hex = malloc(len * 2 + 1);
8796 + *p = conv[c >> 4];
8798 + *p = conv[c & 0x0f];
8806 +#define HMAC_PREFIX "."
8807 +#define HMAC_SUFFIX ".hmac"
8808 +#define READ_BUFFER_LENGTH 16384
8811 +make_hmac_path(const char *origpath)
8816 + path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
8817 + if(path == NULL) {
8821 + fn = strrchr(origpath, '/');
8828 + strncpy(path, origpath, fn-origpath);
8829 + p = path + (fn - origpath);
8830 + p = stpcpy(p, HMAC_PREFIX);
8831 + p = stpcpy(p, fn);
8832 + p = stpcpy(p, HMAC_SUFFIX);
8837 +static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
8840 +compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
8844 + unsigned char rbuf[READ_BUFFER_LENGTH];
8846 + unsigned int hlen;
8849 + HMAC_CTX_init(&c);
8851 + f = fopen(path, "r");
8857 + HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
8859 + while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
8860 + HMAC_Update(&c, rbuf, len);
8863 + len = sizeof(rbuf);
8864 + /* reuse rbuf for hmac */
8865 + HMAC_Final(&c, rbuf, &hlen);
8867 + *buf = malloc(hlen);
8868 + if (*buf == NULL) {
8874 + memcpy(*buf, rbuf, hlen);
8878 + HMAC_CTX_cleanup(&c);
8887 +FIPSCHECK_verify(const char *libname, const char *symbolname)
8889 + char path[PATH_MAX+1];
8892 + char *hmacpath, *p;
8893 + char *hmac = NULL;
8896 + rv = get_library_path(libname, symbolname, path, sizeof(path));
8901 + hmacpath = make_hmac_path(path);
8902 + if (hmacpath == NULL)
8905 + hf = fopen(hmacpath, "r");
8911 + if (getline(&hmac, &n, hf) > 0) {
8916 + if ((p=strchr(hmac, '\n')) != NULL)
8919 + if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
8924 + if ((hex=bin2hex(buf, hmaclen)) == NULL) {
8930 + if (strcmp(hex, hmac) != 0) {
8945 + /* check successful */
8949 +int FIPS_module_mode_set(int onoff, const char *auth)
8955 + fips_set_owning_thread();
8960 + fips_selftest_fail = 0;
8962 + /* Don't go into FIPS mode twice, just so we can do automagic
8964 + if(FIPS_module_mode())
8966 + FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FIPS_MODE_ALREADY_SET);
8967 + fips_selftest_fail = 1;
8972 +#ifdef OPENSSL_IA32_SSE2
8974 + extern unsigned int OPENSSL_ia32cap_P[2];
8975 + if ((OPENSSL_ia32cap_P[0] & (1<<25|1<<26)) != (1<<25|1<<26))
8977 + FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_UNSUPPORTED_PLATFORM);
8978 + fips_selftest_fail = 1;
8982 + OPENSSL_ia32cap_P[0] |= (1<<28); /* set "shared cache" */
8983 + OPENSSL_ia32cap_P[1] &= ~(1<<(60-32)); /* clear AVX */
8987 + if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
8989 + FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
8990 + fips_selftest_fail = 1;
8995 + if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
8997 + FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
8998 + fips_selftest_fail = 1;
9003 + if(FIPS_selftest())
9004 + fips_set_mode(onoff);
9007 + fips_selftest_fail = 1;
9015 + fips_selftest_fail = 0;
9018 + fips_clear_owning_thread();
9023 +static CRYPTO_THREADID fips_thread;
9024 +static int fips_thread_set = 0;
9026 +static int fips_is_owning_thread(void)
9032 + CRYPTO_r_lock(CRYPTO_LOCK_FIPS2);
9033 + if (fips_thread_set)
9035 + CRYPTO_THREADID cur;
9036 + CRYPTO_THREADID_current(&cur);
9037 + if (!CRYPTO_THREADID_cmp(&cur, &fips_thread))
9040 + CRYPTO_r_unlock(CRYPTO_LOCK_FIPS2);
9045 +int fips_set_owning_thread(void)
9051 + CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
9052 + if (!fips_thread_set)
9054 + CRYPTO_THREADID_current(&fips_thread);
9056 + fips_thread_set = 1;
9058 + CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
9063 +int fips_clear_owning_thread(void)
9069 + CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
9070 + if (fips_thread_set)
9072 + CRYPTO_THREADID cur;
9073 + CRYPTO_THREADID_current(&cur);
9074 + if (!CRYPTO_THREADID_cmp(&cur, &fips_thread))
9075 + fips_thread_set = 0;
9077 + CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
9084 +/* The purpose of this is to ensure the error code exists and the function
9085 + * name is to keep the error checking script quiet
9087 +void hash_final(void)
9089 + FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD);
9095 diff -up openssl-1.0.1e/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_cmac_selftest.c
9096 --- openssl-1.0.1e/crypto/fips/fips_cmac_selftest.c.fips 2013-02-19 12:47:33.736118812 +0100
9097 +++ openssl-1.0.1e/crypto/fips/fips_cmac_selftest.c 2013-02-19 12:47:33.736118812 +0100
9099 +/* ====================================================================
9100 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
9102 + * Redistribution and use in source and binary forms, with or without
9103 + * modification, are permitted provided that the following conditions
9106 + * 1. Redistributions of source code must retain the above copyright
9107 + * notice, this list of conditions and the following disclaimer.
9109 + * 2. Redistributions in binary form must reproduce the above copyright
9110 + * notice, this list of conditions and the following disclaimer in
9111 + * the documentation and/or other materials provided with the
9114 + * 3. All advertising materials mentioning features or use of this
9115 + * software must display the following acknowledgment:
9116 + * "This product includes software developed by the OpenSSL Project
9117 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
9119 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
9120 + * endorse or promote products derived from this software without
9121 + * prior written permission. For written permission, please contact
9122 + * openssl-core@openssl.org.
9124 + * 5. Products derived from this software may not be called "OpenSSL"
9125 + * nor may "OpenSSL" appear in their names without prior written
9126 + * permission of the OpenSSL Project.
9128 + * 6. Redistributions of any form whatsoever must retain the following
9130 + * "This product includes software developed by the OpenSSL Project
9131 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
9133 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
9134 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
9135 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
9136 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
9137 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
9138 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
9139 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
9140 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
9141 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
9142 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
9143 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
9144 + * OF THE POSSIBILITY OF SUCH DAMAGE.
9148 +#include <string.h>
9149 +#include <openssl/err.h>
9150 +#include <openssl/fips.h>
9151 +#include <openssl/cmac.h>
9152 +#include "fips_locl.h"
9154 +#ifdef OPENSSL_FIPS
9157 + const unsigned char key[EVP_MAX_KEY_LENGTH]; size_t keysize;
9158 + const unsigned char msg[64]; size_t msgsize;
9159 + const unsigned char mac[32]; size_t macsize;
9162 +/* from http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf */
9163 +static const CMAC_KAT vector[] = {
9164 + { NID_aes_128_cbc, /* Count = 32 from CMACGenAES128.txt */
9165 + { 0x77,0xa7,0x7f,0xaf, 0x29,0x0c,0x1f,0xa3,
9166 + 0x0c,0x68,0x3d,0xf1, 0x6b,0xa7,0xa7,0x7b, }, 128,
9167 + { 0x02,0x06,0x83,0xe1, 0xf0,0x39,0x2f,0x4c,
9168 + 0xac,0x54,0x31,0x8b, 0x60,0x29,0x25,0x9e,
9169 + 0x9c,0x55,0x3d,0xbc, 0x4b,0x6a,0xd9,0x98,
9170 + 0xe6,0x4d,0x58,0xe4, 0xe7,0xdc,0x2e,0x13, }, 256,
9171 + { 0xfb,0xfe,0xa4,0x1b, }, 32
9173 + { NID_aes_192_cbc, /* Count = 23 from CMACGenAES192.txt */
9174 + { 0x7b,0x32,0x39,0x13, 0x69,0xaa,0x4c,0xa9,
9175 + 0x75,0x58,0x09,0x5b, 0xe3,0xc3,0xec,0x86,
9176 + 0x2b,0xd0,0x57,0xce, 0xf1,0xe3,0x2d,0x62, }, 192,
9178 + { 0xe4,0xd9,0x34,0x0b, 0x03,0xe6,0x7d,0xef,
9179 + 0xd4,0x96,0x9c,0xc1, 0xed,0x37,0x35,0xe6, }, 128,
9181 + { NID_aes_256_cbc, /* Count = 33 from CMACGenAES256.txt */
9182 + { 0x0b,0x12,0x2a,0xc8, 0xf3,0x4e,0xd1,0xfe,
9183 + 0x08,0x2a,0x36,0x25, 0xd1,0x57,0x56,0x14,
9184 + 0x54,0x16,0x7a,0xc1, 0x45,0xa1,0x0b,0xbf,
9185 + 0x77,0xc6,0xa7,0x05, 0x96,0xd5,0x74,0xf1, }, 256,
9186 + { 0x49,0x8b,0x53,0xfd, 0xec,0x87,0xed,0xcb,
9187 + 0xf0,0x70,0x97,0xdc, 0xcd,0xe9,0x3a,0x08,
9188 + 0x4b,0xad,0x75,0x01, 0xa2,0x24,0xe3,0x88,
9189 + 0xdf,0x34,0x9c,0xe1, 0x89,0x59,0xfe,0x84,
9190 + 0x85,0xf8,0xad,0x15, 0x37,0xf0,0xd8,0x96,
9191 + 0xea,0x73,0xbe,0xdc, 0x72,0x14,0x71,0x3f, }, 384,
9192 + { 0xf6,0x2c,0x46,0x32, 0x9b, }, 40,
9194 + { NID_des_ede3_cbc, /* Count = 41 from CMACGenTDES3.req */
9195 + { 0x89,0xbc,0xd9,0x52, 0xa8,0xc8,0xab,0x37,
9196 + 0x1a,0xf4,0x8a,0xc7, 0xd0,0x70,0x85,0xd5,
9197 + 0xef,0xf7,0x02,0xe6, 0xd6,0x2c,0xdc,0x23, }, 192,
9198 + { 0xfa,0x62,0x0c,0x1b, 0xbe,0x97,0x31,0x9e,
9199 + 0x9a,0x0c,0xf0,0x49, 0x21,0x21,0xf7,0xa2,
9200 + 0x0e,0xb0,0x8a,0x6a, 0x70,0x9d,0xcb,0xd0,
9201 + 0x0a,0xaf,0x38,0xe4, 0xf9,0x9e,0x75,0x4e, }, 256,
9202 + { 0x8f,0x49,0xa1,0xb7, 0xd6,0xaa,0x22,0x58, }, 64,
9206 +int FIPS_selftest_cmac()
9209 + unsigned char out[32];
9210 + const EVP_CIPHER *cipher;
9211 + CMAC_CTX *ctx = CMAC_CTX_new();
9212 + const CMAC_KAT *t;
9215 + for(n=0,t=vector; n<sizeof(vector)/sizeof(vector[0]); n++,t++)
9217 + cipher = FIPS_get_cipherbynid(t->nid);
9223 + if (!CMAC_Init(ctx, t->key, t->keysize/8, cipher, 0))
9228 + if (!CMAC_Update(ctx, t->msg, t->msgsize/8))
9234 + if (!CMAC_Final(ctx, out, &outlen))
9239 + CMAC_CTX_cleanup(ctx);
9241 + if(outlen < t->macsize/8 || memcmp(out,t->mac,t->macsize/8))
9248 + CMAC_CTX_free(ctx);
9255 + FIPSerr(FIPS_F_FIPS_SELFTEST_CMAC,FIPS_R_SELFTEST_FAILED);
9260 diff -up openssl-1.0.1e/crypto/fips/fips_des_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_des_selftest.c
9261 --- openssl-1.0.1e/crypto/fips/fips_des_selftest.c.fips 2013-02-19 12:47:33.736118812 +0100
9262 +++ openssl-1.0.1e/crypto/fips/fips_des_selftest.c 2013-02-19 12:47:33.736118812 +0100
9264 +/* ====================================================================
9265 + * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
9267 + * Redistribution and use in source and binary forms, with or without
9268 + * modification, are permitted provided that the following conditions
9271 + * 1. Redistributions of source code must retain the above copyright
9272 + * notice, this list of conditions and the following disclaimer.
9274 + * 2. Redistributions in binary form must reproduce the above copyright
9275 + * notice, this list of conditions and the following disclaimer in
9276 + * the documentation and/or other materials provided with the
9279 + * 3. All advertising materials mentioning features or use of this
9280 + * software must display the following acknowledgment:
9281 + * "This product includes software developed by the OpenSSL Project
9282 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
9284 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
9285 + * endorse or promote products derived from this software without
9286 + * prior written permission. For written permission, please contact
9287 + * openssl-core@openssl.org.
9289 + * 5. Products derived from this software may not be called "OpenSSL"
9290 + * nor may "OpenSSL" appear in their names without prior written
9291 + * permission of the OpenSSL Project.
9293 + * 6. Redistributions of any form whatsoever must retain the following
9295 + * "This product includes software developed by the OpenSSL Project
9296 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
9298 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
9299 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
9300 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
9301 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
9302 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
9303 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
9304 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
9305 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
9306 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
9307 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
9308 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
9309 + * OF THE POSSIBILITY OF SUCH DAMAGE.
9313 +#include <string.h>
9314 +#include <openssl/err.h>
9315 +#ifdef OPENSSL_FIPS
9316 +#include <openssl/fips.h>
9318 +#include <openssl/evp.h>
9319 +#include <openssl/opensslconf.h>
9321 +#ifdef OPENSSL_FIPS
9323 +static const struct
9325 + const unsigned char key[16];
9326 + const unsigned char plaintext[8];
9327 + const unsigned char ciphertext[8];
9331 + { 0x7c,0x4f,0x6e,0xf7,0xa2,0x04,0x16,0xec,
9332 + 0x0b,0x6b,0x7c,0x9e,0x5e,0x19,0xa7,0xc4 },
9333 + { 0x06,0xa7,0xd8,0x79,0xaa,0xce,0x69,0xef },
9334 + { 0x4c,0x11,0x17,0x55,0xbf,0xc4,0x4e,0xfd }
9337 + { 0x5d,0x9e,0x01,0xd3,0x25,0xc7,0x3e,0x34,
9338 + 0x01,0x16,0x7c,0x85,0x23,0xdf,0xe0,0x68 },
9339 + { 0x9c,0x50,0x09,0x0f,0x5e,0x7d,0x69,0x7e },
9340 + { 0xd2,0x0b,0x18,0xdf,0xd9,0x0d,0x9e,0xff },
9344 +static const struct
9346 + const unsigned char key[24];
9347 + const unsigned char plaintext[8];
9348 + const unsigned char ciphertext[8];
9352 + { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
9353 + 0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10,
9354 + 0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0 },
9355 + { 0x8f,0x8f,0xbf,0x9b,0x5d,0x48,0xb4,0x1c },
9356 + { 0x59,0x8c,0xe5,0xd3,0x6c,0xa2,0xea,0x1b },
9359 + { 0xDC,0xBA,0x98,0x76,0x54,0x32,0x10,0xFE,
9360 + 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
9361 + 0xED,0x39,0xD9,0x50,0xFA,0x74,0xBC,0xC4 },
9362 + { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF },
9363 + { 0x11,0x25,0xb0,0x35,0xbe,0xa0,0x82,0x86 },
9368 +static int corrupt_des;
9370 +void FIPS_corrupt_des()
9375 +int FIPS_selftest_des()
9378 + EVP_CIPHER_CTX ctx;
9379 + EVP_CIPHER_CTX_init(&ctx);
9380 + /* Encrypt/decrypt with 2-key 3DES and compare to known answers */
9381 + for(n=0 ; n < 2 ; ++n)
9383 + unsigned char plaintext[8];
9385 + memcpy(plaintext, tests2[n].plaintext, sizeof(plaintext));
9388 + if (!fips_cipher_test(&ctx, EVP_des_ede_ecb(),
9389 + tests2[n].key, NULL,
9390 + plaintext, tests2[n].ciphertext, 8))
9394 + /* Encrypt/decrypt with 3DES and compare to known answers */
9395 + for(n=0 ; n < 2 ; ++n)
9397 + if (!fips_cipher_test(&ctx, EVP_des_ede3_ecb(),
9398 + tests3[n].key, NULL,
9399 + tests3[n].plaintext, tests3[n].ciphertext, 8))
9404 + EVP_CIPHER_CTX_cleanup(&ctx);
9406 + FIPSerr(FIPS_F_FIPS_SELFTEST_DES,FIPS_R_SELFTEST_FAILED);
9411 diff -up openssl-1.0.1e/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_ctr.c
9412 --- openssl-1.0.1e/crypto/fips/fips_drbg_ctr.c.fips 2013-02-19 12:47:33.736118812 +0100
9413 +++ openssl-1.0.1e/crypto/fips/fips_drbg_ctr.c 2013-02-19 12:47:33.736118812 +0100
9415 +/* fips/rand/fips_drbg_ctr.c */
9416 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
9419 +/* ====================================================================
9420 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
9422 + * Redistribution and use in source and binary forms, with or without
9423 + * modification, are permitted provided that the following conditions
9426 + * 1. Redistributions of source code must retain the above copyright
9427 + * notice, this list of conditions and the following disclaimer.
9429 + * 2. Redistributions in binary form must reproduce the above copyright
9430 + * notice, this list of conditions and the following disclaimer in
9431 + * the documentation and/or other materials provided with the
9434 + * 3. All advertising materials mentioning features or use of this
9435 + * software must display the following acknowledgment:
9436 + * "This product includes software developed by the OpenSSL Project
9437 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
9439 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
9440 + * endorse or promote products derived from this software without
9441 + * prior written permission. For written permission, please contact
9442 + * licensing@OpenSSL.org.
9444 + * 5. Products derived from this software may not be called "OpenSSL"
9445 + * nor may "OpenSSL" appear in their names without prior written
9446 + * permission of the OpenSSL Project.
9448 + * 6. Redistributions of any form whatsoever must retain the following
9450 + * "This product includes software developed by the OpenSSL Project
9451 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
9453 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
9454 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
9455 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
9456 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
9457 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
9458 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
9459 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
9460 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
9461 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
9462 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
9463 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
9464 + * OF THE POSSIBILITY OF SUCH DAMAGE.
9465 + * ====================================================================
9468 +#include <stdlib.h>
9469 +#include <string.h>
9470 +#include <openssl/crypto.h>
9471 +#include <openssl/fips.h>
9472 +#include <openssl/fips_rand.h>
9473 +#include "fips_rand_lcl.h"
9475 +static void inc_128(DRBG_CTR_CTX *cctx)
9479 + unsigned char *p = cctx->V + 15;
9480 + for (i = 0; i < 16; i++)
9491 +static void ctr_XOR(DRBG_CTR_CTX *cctx, const unsigned char *in, size_t inlen)
9494 + /* Any zero padding will have no effect on the result as we
9495 + * are XORing. So just process however much input we have.
9498 + if (!in || !inlen)
9501 + if (inlen < cctx->keylen)
9506 + for (i = 0; i < n; i++)
9507 + cctx->K[i] ^= in[i];
9508 + if (inlen <= cctx->keylen)
9511 + n = inlen - cctx->keylen;
9512 + /* Should never happen */
9515 + for (i = 0; i < 16; i++)
9516 + cctx->V[i] ^= in[i + cctx->keylen];
9519 +/* Process a complete block using BCC algorithm of SPP 800-90 10.4.3 */
9521 +static void ctr_BCC_block(DRBG_CTR_CTX *cctx, unsigned char *out,
9522 + const unsigned char *in)
9525 + for (i = 0; i < 16; i++)
9527 + AES_encrypt(out, out, &cctx->df_ks);
9529 +fprintf(stderr, "BCC in+out\n");
9530 +BIO_dump_fp(stderr, in, 16);
9531 +BIO_dump_fp(stderr, out, 16);
9535 +/* Handle several BCC operations for as much data as we need for K and X */
9536 +static void ctr_BCC_blocks(DRBG_CTR_CTX *cctx, const unsigned char *in)
9538 + ctr_BCC_block(cctx, cctx->KX, in);
9539 + ctr_BCC_block(cctx, cctx->KX + 16, in);
9540 + if (cctx->keylen != 16)
9541 + ctr_BCC_block(cctx, cctx->KX + 32, in);
9543 +/* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
9544 + * see 10.4.2 stage 7.
9546 +static void ctr_BCC_init(DRBG_CTR_CTX *cctx)
9548 + memset(cctx->KX, 0, 48);
9549 + memset(cctx->bltmp, 0, 16);
9550 + ctr_BCC_block(cctx, cctx->KX, cctx->bltmp);
9551 + cctx->bltmp[3] = 1;
9552 + ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp);
9553 + if (cctx->keylen != 16)
9555 + cctx->bltmp[3] = 2;
9556 + ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp);
9560 +/* Process several blocks into BCC algorithm, some possibly partial */
9561 +static void ctr_BCC_update(DRBG_CTR_CTX *cctx,
9562 + const unsigned char *in, size_t inlen)
9564 + if (!in || !inlen)
9566 + /* If we have partial block handle it first */
9567 + if (cctx->bltmp_pos)
9569 + size_t left = 16 - cctx->bltmp_pos;
9570 + /* If we now have a complete block process it */
9571 + if (inlen >= left)
9573 + memcpy(cctx->bltmp + cctx->bltmp_pos, in, left);
9574 + ctr_BCC_blocks(cctx, cctx->bltmp);
9575 + cctx->bltmp_pos = 0;
9580 + /* Process zero or more complete blocks */
9581 + while (inlen >= 16)
9583 + ctr_BCC_blocks(cctx, in);
9587 + /* Copy any remaining partial block to the temporary buffer */
9590 + memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen);
9591 + cctx->bltmp_pos += inlen;
9595 +static void ctr_BCC_final(DRBG_CTR_CTX *cctx)
9597 + if (cctx->bltmp_pos)
9599 + memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos);
9600 + ctr_BCC_blocks(cctx, cctx->bltmp);
9604 +static void ctr_df(DRBG_CTR_CTX *cctx,
9605 + const unsigned char *in1, size_t in1len,
9606 + const unsigned char *in2, size_t in2len,
9607 + const unsigned char *in3, size_t in3len)
9610 + unsigned char *p = cctx->bltmp;
9611 + static unsigned char c80 = 0x80;
9613 + ctr_BCC_init(cctx);
9620 + inlen = in1len + in2len + in3len;
9621 + /* Initialise L||N in temporary block */
9622 + *p++ = (inlen >> 24) & 0xff;
9623 + *p++ = (inlen >> 16) & 0xff;
9624 + *p++ = (inlen >> 8) & 0xff;
9625 + *p++ = inlen & 0xff;
9626 + /* NB keylen is at most 32 bytes */
9630 + *p = (unsigned char)((cctx->keylen + 16) & 0xff);
9631 + cctx->bltmp_pos = 8;
9632 + ctr_BCC_update(cctx, in1, in1len);
9633 + ctr_BCC_update(cctx, in2, in2len);
9634 + ctr_BCC_update(cctx, in3, in3len);
9635 + ctr_BCC_update(cctx, &c80, 1);
9636 + ctr_BCC_final(cctx);
9637 + /* Set up key K */
9638 + AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks);
9639 + /* X follows key K */
9640 + AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks);
9641 + AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks);
9642 + if (cctx->keylen != 16)
9643 + AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks);
9645 +fprintf(stderr, "Output of ctr_df:\n");
9646 +BIO_dump_fp(stderr, cctx->KX, cctx->keylen + 16);
9650 +/* NB the no-df Update in SP800-90 specifies a constant input length
9651 + * of seedlen, however other uses of this algorithm pad the input with
9652 + * zeroes if necessary and have up to two parameters XORed together,
9653 + * handle both cases in this function instead.
9656 +static void ctr_Update(DRBG_CTX *dctx,
9657 + const unsigned char *in1, size_t in1len,
9658 + const unsigned char *in2, size_t in2len,
9659 + const unsigned char *nonce, size_t noncelen)
9661 + DRBG_CTR_CTX *cctx = &dctx->d.ctr;
9662 + /* ks is already setup for correct key */
9664 + AES_encrypt(cctx->V, cctx->K, &cctx->ks);
9665 + /* If keylen longer than 128 bits need extra encrypt */
9666 + if (cctx->keylen != 16)
9669 + AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks);
9672 + AES_encrypt(cctx->V, cctx->V, &cctx->ks);
9673 + /* If 192 bit key part of V is on end of K */
9674 + if (cctx->keylen == 24)
9676 + memcpy(cctx->V + 8, cctx->V, 8);
9677 + memcpy(cctx->V, cctx->K + 24, 8);
9680 + if (dctx->xflags & DRBG_FLAG_CTR_USE_DF)
9682 + /* If no input reuse existing derived value */
9683 + if (in1 || nonce || in2)
9684 + ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len);
9685 + /* If this a reuse input in1len != 0 */
9687 + ctr_XOR(cctx, cctx->KX, dctx->seedlen);
9691 + ctr_XOR(cctx, in1, in1len);
9692 + ctr_XOR(cctx, in2, in2len);
9695 + AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
9697 +fprintf(stderr, "K+V after update is:\n");
9698 +BIO_dump_fp(stderr, cctx->K, cctx->keylen);
9699 +BIO_dump_fp(stderr, cctx->V, 16);
9703 +static int drbg_ctr_instantiate(DRBG_CTX *dctx,
9704 + const unsigned char *ent, size_t entlen,
9705 + const unsigned char *nonce, size_t noncelen,
9706 + const unsigned char *pers, size_t perslen)
9708 + DRBG_CTR_CTX *cctx = &dctx->d.ctr;
9709 + memset(cctx->K, 0, sizeof(cctx->K));
9710 + memset(cctx->V, 0, sizeof(cctx->V));
9711 + AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
9712 + ctr_Update(dctx, ent, entlen, pers, perslen, nonce, noncelen);
9716 +static int drbg_ctr_reseed(DRBG_CTX *dctx,
9717 + const unsigned char *ent, size_t entlen,
9718 + const unsigned char *adin, size_t adinlen)
9720 + ctr_Update(dctx, ent, entlen, adin, adinlen, NULL, 0);
9724 +static int drbg_ctr_generate(DRBG_CTX *dctx,
9725 + unsigned char *out, size_t outlen,
9726 + const unsigned char *adin, size_t adinlen)
9728 + DRBG_CTR_CTX *cctx = &dctx->d.ctr;
9729 + if (adin && adinlen)
9731 + ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
9732 + /* This means we reuse derived value */
9733 + if (dctx->xflags & DRBG_FLAG_CTR_USE_DF)
9745 + if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid)
9747 + AES_encrypt(cctx->V, dctx->lb, &cctx->ks);
9748 + dctx->lb_valid = 1;
9753 + /* Use K as temp space as it will be updated */
9754 + AES_encrypt(cctx->V, cctx->K, &cctx->ks);
9755 + if (!fips_drbg_cprng_test(dctx, cctx->K))
9757 + memcpy(out, cctx->K, outlen);
9760 + AES_encrypt(cctx->V, out, &cctx->ks);
9761 + if (!fips_drbg_cprng_test(dctx, out))
9769 + ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
9775 +static int drbg_ctr_uninstantiate(DRBG_CTX *dctx)
9777 + memset(&dctx->d.ctr, 0, sizeof(DRBG_CTR_CTX));
9781 +int fips_drbg_ctr_init(DRBG_CTX *dctx)
9783 + DRBG_CTR_CTX *cctx = &dctx->d.ctr;
9787 + switch (dctx->type)
9789 + case NID_aes_128_ctr:
9793 + case NID_aes_192_ctr:
9797 + case NID_aes_256_ctr:
9805 + dctx->instantiate = drbg_ctr_instantiate;
9806 + dctx->reseed = drbg_ctr_reseed;
9807 + dctx->generate = drbg_ctr_generate;
9808 + dctx->uninstantiate = drbg_ctr_uninstantiate;
9810 + cctx->keylen = keylen;
9811 + dctx->strength = keylen * 8;
9812 + dctx->blocklength = 16;
9813 + dctx->seedlen = keylen + 16;
9815 + if (dctx->xflags & DRBG_FLAG_CTR_USE_DF)
9817 + /* df initialisation */
9818 + static unsigned char df_key[32] =
9820 + 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
9821 + 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
9822 + 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
9823 + 0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
9825 + /* Set key schedule for df_key */
9826 + AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks);
9828 + dctx->min_entropy = cctx->keylen;
9829 + dctx->max_entropy = DRBG_MAX_LENGTH;
9830 + dctx->min_nonce = dctx->min_entropy / 2;
9831 + dctx->max_nonce = DRBG_MAX_LENGTH;
9832 + dctx->max_pers = DRBG_MAX_LENGTH;
9833 + dctx->max_adin = DRBG_MAX_LENGTH;
9837 + dctx->min_entropy = dctx->seedlen;
9838 + dctx->max_entropy = dctx->seedlen;
9839 + /* Nonce not used */
9840 + dctx->min_nonce = 0;
9841 + dctx->max_nonce = 0;
9842 + dctx->max_pers = dctx->seedlen;
9843 + dctx->max_adin = dctx->seedlen;
9846 + dctx->max_request = 1<<16;
9847 + dctx->reseed_interval = 1<<24;
9851 diff -up openssl-1.0.1e/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_hash.c
9852 --- openssl-1.0.1e/crypto/fips/fips_drbg_hash.c.fips 2013-02-19 12:47:33.736118812 +0100
9853 +++ openssl-1.0.1e/crypto/fips/fips_drbg_hash.c 2013-02-19 12:47:33.736118812 +0100
9855 +/* fips/rand/fips_drbg_hash.c */
9856 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
9859 +/* ====================================================================
9860 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
9862 + * Redistribution and use in source and binary forms, with or without
9863 + * modification, are permitted provided that the following conditions
9866 + * 1. Redistributions of source code must retain the above copyright
9867 + * notice, this list of conditions and the following disclaimer.
9869 + * 2. Redistributions in binary form must reproduce the above copyright
9870 + * notice, this list of conditions and the following disclaimer in
9871 + * the documentation and/or other materials provided with the
9874 + * 3. All advertising materials mentioning features or use of this
9875 + * software must display the following acknowledgment:
9876 + * "This product includes software developed by the OpenSSL Project
9877 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
9879 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
9880 + * endorse or promote products derived from this software without
9881 + * prior written permission. For written permission, please contact
9882 + * licensing@OpenSSL.org.
9884 + * 5. Products derived from this software may not be called "OpenSSL"
9885 + * nor may "OpenSSL" appear in their names without prior written
9886 + * permission of the OpenSSL Project.
9888 + * 6. Redistributions of any form whatsoever must retain the following
9890 + * "This product includes software developed by the OpenSSL Project
9891 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
9893 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
9894 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
9895 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
9896 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
9897 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
9898 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
9899 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
9900 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
9901 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
9902 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
9903 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
9904 + * OF THE POSSIBILITY OF SUCH DAMAGE.
9905 + * ====================================================================
9908 +#define OPENSSL_FIPSAPI
9910 +#include <stdlib.h>
9911 +#include <string.h>
9912 +#include <openssl/crypto.h>
9913 +#include <openssl/fips.h>
9914 +#include <openssl/fips_rand.h>
9915 +#include "fips_rand_lcl.h"
9917 +/* This is Hash_df from SP 800-90 10.4.1 */
9919 +static int hash_df(DRBG_CTX *dctx, unsigned char *out,
9920 + const unsigned char *in1, size_t in1len,
9921 + const unsigned char *in2, size_t in2len,
9922 + const unsigned char *in3, size_t in3len,
9923 + const unsigned char *in4, size_t in4len)
9925 + EVP_MD_CTX *mctx = &dctx->d.hash.mctx;
9926 + unsigned char *vtmp = dctx->d.hash.vtmp;
9927 + unsigned char tmp[6];
9928 + /* Standard only ever needs seedlen bytes which is always less than
9929 + * maximum permitted so no need to check length.
9931 + size_t outlen = dctx->seedlen;
9933 + tmp[1] = ((outlen * 8) >> 24) & 0xff;
9934 + tmp[2] = ((outlen * 8) >> 16) & 0xff;
9935 + tmp[3] = ((outlen * 8) >> 8) & 0xff;
9936 + tmp[4] = (outlen * 8) & 0xff;
9939 + tmp[5] = (unsigned char)in1len;
9945 + if (!FIPS_digestinit(mctx, dctx->d.hash.md))
9947 + if (!FIPS_digestupdate(mctx, tmp, 5))
9949 + if (in1 && !FIPS_digestupdate(mctx, in1, in1len))
9951 + if (in2 && !FIPS_digestupdate(mctx, in2, in2len))
9953 + if (in3 && !FIPS_digestupdate(mctx, in3, in3len))
9955 + if (in4 && !FIPS_digestupdate(mctx, in4, in4len))
9957 + if (outlen < dctx->blocklength)
9959 + if (!FIPS_digestfinal(mctx, vtmp, NULL))
9961 + memcpy(out, vtmp, outlen);
9962 + OPENSSL_cleanse(vtmp, dctx->blocklength);
9965 + else if(!FIPS_digestfinal(mctx, out, NULL))
9968 + outlen -= dctx->blocklength;
9972 + out += dctx->blocklength;
9977 +/* Add an unsigned buffer to the buf value, storing the result in buf. For
9978 + * this algorithm the length of input never exceeds the seed length.
9981 +static void ctx_add_buf(DRBG_CTX *dctx, unsigned char *buf,
9982 + unsigned char *in, size_t inlen)
9985 + const unsigned char *q;
9986 + unsigned char c, *p;
9987 + p = buf + dctx->seedlen;
9990 + OPENSSL_assert(i <= dctx->seedlen);
9992 + /* Special case: zero length, just increment buffer */
10013 + i = dctx->seedlen - inlen;
10015 + /* If not adding whole buffer handle final carries */
10030 +/* Finalise and add hash to V */
10032 +static int ctx_add_md(DRBG_CTX *dctx)
10034 + if (!FIPS_digestfinal(&dctx->d.hash.mctx, dctx->d.hash.vtmp, NULL))
10036 + ctx_add_buf(dctx, dctx->d.hash.V, dctx->d.hash.vtmp, dctx->blocklength);
10040 +static int hash_gen(DRBG_CTX *dctx, unsigned char *out, size_t outlen)
10042 + DRBG_HASH_CTX *hctx = &dctx->d.hash;
10045 + memcpy(hctx->vtmp, hctx->V, dctx->seedlen);
10048 + FIPS_digestinit(&hctx->mctx, hctx->md);
10049 + FIPS_digestupdate(&hctx->mctx, hctx->vtmp, dctx->seedlen);
10050 + if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid)
10052 + FIPS_digestfinal(&hctx->mctx, dctx->lb, NULL);
10053 + dctx->lb_valid = 1;
10055 + else if (outlen < dctx->blocklength)
10057 + FIPS_digestfinal(&hctx->mctx, hctx->vtmp, NULL);
10058 + if (!fips_drbg_cprng_test(dctx, hctx->vtmp))
10060 + memcpy(out, hctx->vtmp, outlen);
10065 + FIPS_digestfinal(&hctx->mctx, out, NULL);
10066 + if (!fips_drbg_cprng_test(dctx, out))
10068 + outlen -= dctx->blocklength;
10071 + out += dctx->blocklength;
10073 + ctx_add_buf(dctx, hctx->vtmp, NULL, 0);
10077 +static int drbg_hash_instantiate(DRBG_CTX *dctx,
10078 + const unsigned char *ent, size_t ent_len,
10079 + const unsigned char *nonce, size_t nonce_len,
10080 + const unsigned char *pstr, size_t pstr_len)
10082 + DRBG_HASH_CTX *hctx = &dctx->d.hash;
10083 + if (!hash_df(dctx, hctx->V,
10084 + ent, ent_len, nonce, nonce_len, pstr, pstr_len,
10087 + if (!hash_df(dctx, hctx->C,
10088 + NULL, 0, hctx->V, dctx->seedlen,
10089 + NULL, 0, NULL, 0))
10092 +#ifdef HASH_DRBG_TRACE
10093 + fprintf(stderr, "V+C after instantiate:\n");
10094 + hexprint(stderr, hctx->V, dctx->seedlen);
10095 + hexprint(stderr, hctx->C, dctx->seedlen);
10101 +static int drbg_hash_reseed(DRBG_CTX *dctx,
10102 + const unsigned char *ent, size_t ent_len,
10103 + const unsigned char *adin, size_t adin_len)
10105 + DRBG_HASH_CTX *hctx = &dctx->d.hash;
10106 + /* V about to be updated so use C as output instead */
10107 + if (!hash_df(dctx, hctx->C,
10108 + NULL, 1, hctx->V, dctx->seedlen,
10109 + ent, ent_len, adin, adin_len))
10111 + memcpy(hctx->V, hctx->C, dctx->seedlen);
10112 + if (!hash_df(dctx, hctx->C, NULL, 0,
10113 + hctx->V, dctx->seedlen, NULL, 0, NULL, 0))
10115 +#ifdef HASH_DRBG_TRACE
10116 + fprintf(stderr, "V+C after reseed:\n");
10117 + hexprint(stderr, hctx->V, dctx->seedlen);
10118 + hexprint(stderr, hctx->C, dctx->seedlen);
10123 +static int drbg_hash_generate(DRBG_CTX *dctx,
10124 + unsigned char *out, size_t outlen,
10125 + const unsigned char *adin, size_t adin_len)
10127 + DRBG_HASH_CTX *hctx = &dctx->d.hash;
10128 + EVP_MD_CTX *mctx = &hctx->mctx;
10129 + unsigned char tmp[4];
10130 + if (adin && adin_len)
10133 + if (!FIPS_digestinit(mctx, hctx->md))
10135 + if (!EVP_DigestUpdate(mctx, tmp, 1))
10137 + if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
10139 + if (!EVP_DigestUpdate(mctx, adin, adin_len))
10141 + if (!ctx_add_md(dctx))
10144 + if (!hash_gen(dctx, out, outlen))
10148 + if (!FIPS_digestinit(mctx, hctx->md))
10150 + if (!EVP_DigestUpdate(mctx, tmp, 1))
10152 + if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
10155 + if (!ctx_add_md(dctx))
10158 + ctx_add_buf(dctx, hctx->V, hctx->C, dctx->seedlen);
10160 + tmp[0] = (dctx->reseed_counter >> 24) & 0xff;
10161 + tmp[1] = (dctx->reseed_counter >> 16) & 0xff;
10162 + tmp[2] = (dctx->reseed_counter >> 8) & 0xff;
10163 + tmp[3] = dctx->reseed_counter & 0xff;
10164 + ctx_add_buf(dctx, hctx->V, tmp, 4);
10165 +#ifdef HASH_DRBG_TRACE
10166 + fprintf(stderr, "V+C after generate:\n");
10167 + hexprint(stderr, hctx->V, dctx->seedlen);
10168 + hexprint(stderr, hctx->C, dctx->seedlen);
10173 +static int drbg_hash_uninstantiate(DRBG_CTX *dctx)
10175 + EVP_MD_CTX_cleanup(&dctx->d.hash.mctx);
10176 + OPENSSL_cleanse(&dctx->d.hash, sizeof(DRBG_HASH_CTX));
10180 +int fips_drbg_hash_init(DRBG_CTX *dctx)
10182 + const EVP_MD *md;
10183 + DRBG_HASH_CTX *hctx = &dctx->d.hash;
10184 + md = FIPS_get_digestbynid(dctx->type);
10187 + switch (dctx->type)
10190 + dctx->strength = 128;
10194 + dctx->strength = 192;
10198 + dctx->strength = 256;
10202 + dctx->instantiate = drbg_hash_instantiate;
10203 + dctx->reseed = drbg_hash_reseed;
10204 + dctx->generate = drbg_hash_generate;
10205 + dctx->uninstantiate = drbg_hash_uninstantiate;
10207 + dctx->d.hash.md = md;
10208 + EVP_MD_CTX_init(&hctx->mctx);
10210 + /* These are taken from SP 800-90 10.1 table 2 */
10212 + dctx->blocklength = M_EVP_MD_size(md);
10213 + if (dctx->blocklength > 32)
10214 + dctx->seedlen = 111;
10216 + dctx->seedlen = 55;
10219 + dctx->min_entropy = dctx->strength / 8;
10220 + dctx->max_entropy = DRBG_MAX_LENGTH;
10222 + dctx->min_nonce = dctx->min_entropy / 2;
10223 + dctx->max_nonce = DRBG_MAX_LENGTH;
10225 + dctx->max_pers = DRBG_MAX_LENGTH;
10226 + dctx->max_adin = DRBG_MAX_LENGTH;
10228 + dctx->max_request = 1<<16;
10229 + dctx->reseed_interval = 1<<24;
10233 diff -up openssl-1.0.1e/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_hmac.c
10234 --- openssl-1.0.1e/crypto/fips/fips_drbg_hmac.c.fips 2013-02-19 12:47:33.737118832 +0100
10235 +++ openssl-1.0.1e/crypto/fips/fips_drbg_hmac.c 2013-02-19 12:47:33.737118832 +0100
10237 +/* fips/rand/fips_drbg_hmac.c */
10238 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
10241 +/* ====================================================================
10242 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
10244 + * Redistribution and use in source and binary forms, with or without
10245 + * modification, are permitted provided that the following conditions
10248 + * 1. Redistributions of source code must retain the above copyright
10249 + * notice, this list of conditions and the following disclaimer.
10251 + * 2. Redistributions in binary form must reproduce the above copyright
10252 + * notice, this list of conditions and the following disclaimer in
10253 + * the documentation and/or other materials provided with the
10256 + * 3. All advertising materials mentioning features or use of this
10257 + * software must display the following acknowledgment:
10258 + * "This product includes software developed by the OpenSSL Project
10259 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
10261 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
10262 + * endorse or promote products derived from this software without
10263 + * prior written permission. For written permission, please contact
10264 + * licensing@OpenSSL.org.
10266 + * 5. Products derived from this software may not be called "OpenSSL"
10267 + * nor may "OpenSSL" appear in their names without prior written
10268 + * permission of the OpenSSL Project.
10270 + * 6. Redistributions of any form whatsoever must retain the following
10271 + * acknowledgment:
10272 + * "This product includes software developed by the OpenSSL Project
10273 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
10275 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
10276 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
10277 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
10278 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
10279 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
10280 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
10281 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
10282 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
10283 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
10284 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
10285 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
10286 + * OF THE POSSIBILITY OF SUCH DAMAGE.
10287 + * ====================================================================
10290 +#include <stdlib.h>
10291 +#include <string.h>
10292 +#include <openssl/crypto.h>
10293 +#include <openssl/evp.h>
10294 +#include <openssl/hmac.h>
10295 +#include <openssl/aes.h>
10296 +#include <openssl/fips.h>
10297 +#include <openssl/fips_rand.h>
10298 +#include "fips_rand_lcl.h"
10300 +static int drbg_hmac_update(DRBG_CTX *dctx,
10301 + const unsigned char *in1, size_t in1len,
10302 + const unsigned char *in2, size_t in2len,
10303 + const unsigned char *in3, size_t in3len
10306 + static unsigned char c0 = 0, c1 = 1;
10307 + DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
10308 + HMAC_CTX *hctx = &hmac->hctx;
10310 + if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
10312 + if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
10314 + if (!HMAC_Update(hctx, &c0, 1))
10316 + if (in1len && !HMAC_Update(hctx, in1, in1len))
10318 + if (in2len && !HMAC_Update(hctx, in2, in2len))
10320 + if (in3len && !HMAC_Update(hctx, in3, in3len))
10323 + if (!HMAC_Final(hctx, hmac->K, NULL))
10326 + if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
10328 + if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
10331 + if (!HMAC_Final(hctx, hmac->V, NULL))
10334 + if (!in1len && !in2len && !in3len)
10337 + if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
10339 + if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
10341 + if (!HMAC_Update(hctx, &c1, 1))
10343 + if (in1len && !HMAC_Update(hctx, in1, in1len))
10345 + if (in2len && !HMAC_Update(hctx, in2, in2len))
10347 + if (in3len && !HMAC_Update(hctx, in3, in3len))
10350 + if (!HMAC_Final(hctx, hmac->K, NULL))
10353 + if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
10355 + if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
10358 + if (!HMAC_Final(hctx, hmac->V, NULL))
10365 +static int drbg_hmac_instantiate(DRBG_CTX *dctx,
10366 + const unsigned char *ent, size_t ent_len,
10367 + const unsigned char *nonce, size_t nonce_len,
10368 + const unsigned char *pstr, size_t pstr_len)
10370 + DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
10371 + memset(hmac->K, 0, dctx->blocklength);
10372 + memset(hmac->V, 1, dctx->blocklength);
10373 + if (!drbg_hmac_update(dctx,
10374 + ent, ent_len, nonce, nonce_len, pstr, pstr_len))
10377 +#ifdef HMAC_DRBG_TRACE
10378 + fprintf(stderr, "K+V after instantiate:\n");
10379 + hexprint(stderr, hmac->K, hmac->blocklength);
10380 + hexprint(stderr, hmac->V, hmac->blocklength);
10385 +static int drbg_hmac_reseed(DRBG_CTX *dctx,
10386 + const unsigned char *ent, size_t ent_len,
10387 + const unsigned char *adin, size_t adin_len)
10389 + if (!drbg_hmac_update(dctx,
10390 + ent, ent_len, adin, adin_len, NULL, 0))
10393 +#ifdef HMAC_DRBG_TRACE
10395 + DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
10396 + fprintf(stderr, "K+V after reseed:\n");
10397 + hexprint(stderr, hmac->K, hmac->blocklength);
10398 + hexprint(stderr, hmac->V, hmac->blocklength);
10404 +static int drbg_hmac_generate(DRBG_CTX *dctx,
10405 + unsigned char *out, size_t outlen,
10406 + const unsigned char *adin, size_t adin_len)
10408 + DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
10409 + HMAC_CTX *hctx = &hmac->hctx;
10410 + const unsigned char *Vtmp = hmac->V;
10411 + if (adin_len && !drbg_hmac_update(dctx, adin, adin_len,
10412 + NULL, 0, NULL, 0))
10416 + if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength,
10419 + if (!HMAC_Update(hctx, Vtmp, dctx->blocklength))
10421 + if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid)
10423 + if (!HMAC_Final(hctx, dctx->lb, NULL))
10425 + dctx->lb_valid = 1;
10429 + else if (outlen > dctx->blocklength)
10431 + if (!HMAC_Final(hctx, out, NULL))
10433 + if (!fips_drbg_cprng_test(dctx, out))
10439 + if (!HMAC_Final(hctx, hmac->V, NULL))
10441 + if (!fips_drbg_cprng_test(dctx, hmac->V))
10443 + memcpy(out, hmac->V, outlen);
10446 + out += dctx->blocklength;
10447 + outlen -= dctx->blocklength;
10449 + if (!drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))
10455 +static int drbg_hmac_uninstantiate(DRBG_CTX *dctx)
10457 + HMAC_CTX_cleanup(&dctx->d.hmac.hctx);
10458 + OPENSSL_cleanse(&dctx->d.hmac, sizeof(DRBG_HMAC_CTX));
10462 +int fips_drbg_hmac_init(DRBG_CTX *dctx)
10464 + const EVP_MD *md = NULL;
10465 + DRBG_HMAC_CTX *hctx = &dctx->d.hmac;
10466 + dctx->strength = 256;
10467 + switch (dctx->type)
10469 + case NID_hmacWithSHA1:
10471 + dctx->strength = 128;
10474 + case NID_hmacWithSHA224:
10475 + md = EVP_sha224();
10476 + dctx->strength = 192;
10479 + case NID_hmacWithSHA256:
10480 + md = EVP_sha256();
10483 + case NID_hmacWithSHA384:
10484 + md = EVP_sha384();
10487 + case NID_hmacWithSHA512:
10488 + md = EVP_sha512();
10492 + dctx->strength = 0;
10495 + dctx->instantiate = drbg_hmac_instantiate;
10496 + dctx->reseed = drbg_hmac_reseed;
10497 + dctx->generate = drbg_hmac_generate;
10498 + dctx->uninstantiate = drbg_hmac_uninstantiate;
10499 + HMAC_CTX_init(&hctx->hctx);
10501 + dctx->blocklength = M_EVP_MD_size(md);
10502 + dctx->seedlen = M_EVP_MD_size(md);
10504 + dctx->min_entropy = dctx->strength / 8;
10505 + dctx->max_entropy = DRBG_MAX_LENGTH;
10507 + dctx->min_nonce = dctx->min_entropy / 2;
10508 + dctx->max_nonce = DRBG_MAX_LENGTH;
10510 + dctx->max_pers = DRBG_MAX_LENGTH;
10511 + dctx->max_adin = DRBG_MAX_LENGTH;
10513 + dctx->max_request = 1<<16;
10514 + dctx->reseed_interval = 1<<24;
10518 diff -up openssl-1.0.1e/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_lib.c
10519 --- openssl-1.0.1e/crypto/fips/fips_drbg_lib.c.fips 2013-02-19 12:47:33.737118832 +0100
10520 +++ openssl-1.0.1e/crypto/fips/fips_drbg_lib.c 2013-02-19 12:47:33.737118832 +0100
10522 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
10525 +/* ====================================================================
10526 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
10528 + * Redistribution and use in source and binary forms, with or without
10529 + * modification, are permitted provided that the following conditions
10532 + * 1. Redistributions of source code must retain the above copyright
10533 + * notice, this list of conditions and the following disclaimer.
10535 + * 2. Redistributions in binary form must reproduce the above copyright
10536 + * notice, this list of conditions and the following disclaimer in
10537 + * the documentation and/or other materials provided with the
10540 + * 3. All advertising materials mentioning features or use of this
10541 + * software must display the following acknowledgment:
10542 + * "This product includes software developed by the OpenSSL Project
10543 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
10545 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
10546 + * endorse or promote products derived from this software without
10547 + * prior written permission. For written permission, please contact
10548 + * licensing@OpenSSL.org.
10550 + * 5. Products derived from this software may not be called "OpenSSL"
10551 + * nor may "OpenSSL" appear in their names without prior written
10552 + * permission of the OpenSSL Project.
10554 + * 6. Redistributions of any form whatsoever must retain the following
10555 + * acknowledgment:
10556 + * "This product includes software developed by the OpenSSL Project
10557 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
10559 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
10560 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
10561 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
10562 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
10563 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
10564 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
10565 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
10566 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
10567 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
10568 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
10569 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
10570 + * OF THE POSSIBILITY OF SUCH DAMAGE.
10571 + * ====================================================================
10574 +#include <string.h>
10575 +#include <openssl/crypto.h>
10576 +#include <openssl/err.h>
10577 +#include <openssl/fips_rand.h>
10578 +#include "fips_locl.h"
10579 +#include "fips_rand_lcl.h"
10581 +/* Support framework for SP800-90 DRBGs */
10583 +int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)
10586 + memset(dctx, 0, sizeof(DRBG_CTX));
10587 + dctx->status = DRBG_STATUS_UNINITIALISED;
10588 + dctx->xflags = flags;
10589 + dctx->type = type;
10591 + dctx->iflags = 0;
10592 + dctx->entropy_blocklen = 0;
10593 + dctx->health_check_cnt = 0;
10594 + dctx->health_check_interval = DRBG_HEALTH_INTERVAL;
10596 + rv = fips_drbg_hash_init(dctx);
10599 + rv = fips_drbg_ctr_init(dctx);
10601 + rv = fips_drbg_hmac_init(dctx);
10606 + FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE);
10608 + FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG);
10611 + /* If not in test mode run selftests on DRBG of the same type */
10613 + if (!(dctx->xflags & DRBG_FLAG_TEST))
10615 + if (!FIPS_drbg_health_check(dctx))
10617 + FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);
10625 +DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags)
10628 + dctx = OPENSSL_malloc(sizeof(DRBG_CTX));
10631 + FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE);
10637 + memset(dctx, 0, sizeof(DRBG_CTX));
10639 + dctx->status = DRBG_STATUS_UNINITIALISED;
10643 + if (FIPS_drbg_init(dctx, type, flags) <= 0)
10645 + OPENSSL_free(dctx);
10652 +void FIPS_drbg_free(DRBG_CTX *dctx)
10654 + if (dctx->uninstantiate)
10655 + dctx->uninstantiate(dctx);
10656 + /* Don't free up default DRBG */
10657 + if (dctx == FIPS_get_default_drbg())
10659 + memset(dctx, 0, sizeof(DRBG_CTX));
10661 + dctx->status = DRBG_STATUS_UNINITIALISED;
10665 + OPENSSL_cleanse(&dctx->d, sizeof(dctx->d));
10666 + OPENSSL_free(dctx);
10670 +static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout,
10671 + int entropy, size_t min_len, size_t max_len)
10673 + unsigned char *tout, *p;
10674 + size_t bl = dctx->entropy_blocklen, rv;
10675 + if (!dctx->get_entropy)
10677 + if (dctx->xflags & DRBG_FLAG_TEST || !bl)
10678 + return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
10679 + rv = dctx->get_entropy(dctx, &tout, entropy + bl,
10680 + min_len + bl, max_len + bl);
10681 + if (tout == NULL)
10683 + *pout = tout + bl;
10684 + if (rv < (min_len + bl) || (rv % bl))
10686 + /* Compare consecutive blocks for continuous PRNG test */
10687 + for (p = tout; p < tout + rv - bl; p += bl)
10689 + if (!memcmp(p, p + bl, bl))
10691 + FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK);
10696 + if (rv > max_len)
10701 +static void fips_cleanup_entropy(DRBG_CTX *dctx,
10702 + unsigned char *out, size_t olen)
10705 + if (dctx->xflags & DRBG_FLAG_TEST)
10708 + bl = dctx->entropy_blocklen;
10709 + /* Call cleanup with original arguments */
10710 + dctx->cleanup_entropy(dctx, out - bl, olen + bl);
10714 +int FIPS_drbg_instantiate(DRBG_CTX *dctx,
10715 + const unsigned char *pers, size_t perslen)
10717 + size_t entlen = 0, noncelen = 0;
10718 + unsigned char *nonce = NULL, *entropy = NULL;
10721 + /* Put here so error script picks them up */
10722 + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE,
10723 + FIPS_R_PERSONALISATION_STRING_TOO_LONG);
10724 + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE);
10725 + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED);
10726 + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY);
10727 + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE);
10728 + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR);
10729 + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED);
10734 + if (perslen > dctx->max_pers)
10736 + r = FIPS_R_PERSONALISATION_STRING_TOO_LONG;
10740 + if (!dctx->instantiate)
10742 + r = FIPS_R_DRBG_NOT_INITIALISED;
10746 + if (dctx->status != DRBG_STATUS_UNINITIALISED)
10748 + if (dctx->status == DRBG_STATUS_ERROR)
10749 + r = FIPS_R_IN_ERROR_STATE;
10751 + r = FIPS_R_ALREADY_INSTANTIATED;
10755 + dctx->status = DRBG_STATUS_ERROR;
10757 + entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
10758 + dctx->min_entropy, dctx->max_entropy);
10760 + if (entlen < dctx->min_entropy || entlen > dctx->max_entropy)
10762 + r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
10766 + if (dctx->max_nonce > 0 && dctx->get_nonce)
10768 + noncelen = dctx->get_nonce(dctx, &nonce,
10769 + dctx->strength / 2,
10770 + dctx->min_nonce, dctx->max_nonce);
10772 + if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce)
10774 + r = FIPS_R_ERROR_RETRIEVING_NONCE;
10780 + if (!dctx->instantiate(dctx,
10785 + r = FIPS_R_ERROR_INSTANTIATING_DRBG;
10790 + dctx->status = DRBG_STATUS_READY;
10791 + if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
10792 + dctx->reseed_counter = 1;
10796 + if (entropy && dctx->cleanup_entropy)
10797 + fips_cleanup_entropy(dctx, entropy, entlen);
10799 + if (nonce && dctx->cleanup_nonce)
10800 + dctx->cleanup_nonce(dctx, nonce, noncelen);
10802 + if (dctx->status == DRBG_STATUS_READY)
10805 + if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
10806 + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r);
10812 +static int drbg_reseed(DRBG_CTX *dctx,
10813 + const unsigned char *adin, size_t adinlen, int hcheck)
10815 + unsigned char *entropy = NULL;
10816 + size_t entlen = 0;
10820 + FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED);
10821 + FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
10823 + if (dctx->status != DRBG_STATUS_READY
10824 + && dctx->status != DRBG_STATUS_RESEED)
10826 + if (dctx->status == DRBG_STATUS_ERROR)
10827 + r = FIPS_R_IN_ERROR_STATE;
10828 + else if(dctx->status == DRBG_STATUS_UNINITIALISED)
10829 + r = FIPS_R_NOT_INSTANTIATED;
10835 + else if (adinlen > dctx->max_adin)
10837 + r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
10841 + dctx->status = DRBG_STATUS_ERROR;
10842 + /* Peform health check on all reseed operations if not a prediction
10843 + * resistance request and not in test mode.
10845 + if (hcheck && !(dctx->xflags & DRBG_FLAG_TEST))
10847 + if (!FIPS_drbg_health_check(dctx))
10849 + r = FIPS_R_SELFTEST_FAILURE;
10854 + entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
10855 + dctx->min_entropy, dctx->max_entropy);
10857 + if (entlen < dctx->min_entropy || entlen > dctx->max_entropy)
10859 + r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
10863 + if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen))
10866 + dctx->status = DRBG_STATUS_READY;
10867 + if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
10868 + dctx->reseed_counter = 1;
10871 + if (entropy && dctx->cleanup_entropy)
10872 + fips_cleanup_entropy(dctx, entropy, entlen);
10874 + if (dctx->status == DRBG_STATUS_READY)
10877 + if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
10878 + FIPSerr(FIPS_F_DRBG_RESEED, r);
10883 +int FIPS_drbg_reseed(DRBG_CTX *dctx,
10884 + const unsigned char *adin, size_t adinlen)
10886 + return drbg_reseed(dctx, adin, adinlen, 1);
10889 +static int fips_drbg_check(DRBG_CTX *dctx)
10891 + if (dctx->xflags & DRBG_FLAG_TEST)
10893 + dctx->health_check_cnt++;
10894 + if (dctx->health_check_cnt >= dctx->health_check_interval)
10896 + if (!FIPS_drbg_health_check(dctx))
10898 + FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE);
10905 +int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
10906 + int prediction_resistance,
10907 + const unsigned char *adin, size_t adinlen)
10911 + if (FIPS_selftest_failed())
10913 + FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED);
10917 + if (!fips_drbg_check(dctx))
10920 + if (dctx->status != DRBG_STATUS_READY
10921 + && dctx->status != DRBG_STATUS_RESEED)
10923 + if (dctx->status == DRBG_STATUS_ERROR)
10924 + r = FIPS_R_IN_ERROR_STATE;
10925 + else if(dctx->status == DRBG_STATUS_UNINITIALISED)
10926 + r = FIPS_R_NOT_INSTANTIATED;
10930 + if (outlen > dctx->max_request)
10932 + r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
10936 + if (adinlen > dctx->max_adin)
10938 + r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
10942 + if (dctx->iflags & DRBG_CUSTOM_RESEED)
10943 + dctx->generate(dctx, NULL, outlen, NULL, 0);
10944 + else if (dctx->reseed_counter >= dctx->reseed_interval)
10945 + dctx->status = DRBG_STATUS_RESEED;
10947 + if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance)
10949 + /* If prediction resistance request don't do health check */
10950 + int hcheck = prediction_resistance ? 0 : 1;
10952 + if (!drbg_reseed(dctx, adin, adinlen, hcheck))
10954 + r = FIPS_R_RESEED_ERROR;
10961 + if (!dctx->generate(dctx, out, outlen, adin, adinlen))
10963 + r = FIPS_R_GENERATE_ERROR;
10964 + dctx->status = DRBG_STATUS_ERROR;
10967 + if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
10969 + if (dctx->reseed_counter >= dctx->reseed_interval)
10970 + dctx->status = DRBG_STATUS_RESEED;
10972 + dctx->reseed_counter++;
10978 + if (!(dctx->iflags & DRBG_FLAG_NOERR))
10979 + FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);
10986 +int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)
10989 + if (!dctx->uninstantiate)
10992 + rv = dctx->uninstantiate(dctx);
10993 + /* Although we'd like to cleanse here we can't because we have to
10994 + * test the uninstantiate really zeroes the data.
10996 + memset(&dctx->d, 0, sizeof(dctx->d));
10997 + dctx->status = DRBG_STATUS_UNINITIALISED;
10998 + /* If method has problems uninstantiating, return error */
11002 +int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
11003 + size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
11004 + int entropy, size_t min_len, size_t max_len),
11005 + void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
11006 + size_t entropy_blocklen,
11007 + size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
11008 + int entropy, size_t min_len, size_t max_len),
11009 + void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen))
11011 + if (dctx->status != DRBG_STATUS_UNINITIALISED)
11013 + dctx->entropy_blocklen = entropy_blocklen;
11014 + dctx->get_entropy = get_entropy;
11015 + dctx->cleanup_entropy = cleanup_entropy;
11016 + dctx->get_nonce = get_nonce;
11017 + dctx->cleanup_nonce = cleanup_nonce;
11021 +int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
11022 + size_t (*get_adin)(DRBG_CTX *ctx, unsigned char **pout),
11023 + void (*cleanup_adin)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
11024 + int (*rand_seed_cb)(DRBG_CTX *ctx, const void *buf, int num),
11025 + int (*rand_add_cb)(DRBG_CTX *ctx,
11026 + const void *buf, int num, double entropy))
11028 + if (dctx->status != DRBG_STATUS_UNINITIALISED)
11030 + dctx->get_adin = get_adin;
11031 + dctx->cleanup_adin = cleanup_adin;
11032 + dctx->rand_seed_cb = rand_seed_cb;
11033 + dctx->rand_add_cb = rand_add_cb;
11037 +void *FIPS_drbg_get_app_data(DRBG_CTX *dctx)
11039 + return dctx->app_data;
11042 +void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data)
11044 + dctx->app_data = app_data;
11047 +size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)
11049 + return dctx->blocklength;
11052 +int FIPS_drbg_get_strength(DRBG_CTX *dctx)
11054 + return dctx->strength;
11057 +void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval)
11059 + dctx->health_check_interval = interval;
11062 +void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval)
11064 + dctx->reseed_interval = interval;
11067 +static int drbg_stick = 0;
11069 +void FIPS_drbg_stick(int onoff)
11071 + drbg_stick = onoff;
11074 +/* Continuous DRBG utility function */
11075 +int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out)
11077 + /* No CPRNG in test mode */
11078 + if (dctx->xflags & DRBG_FLAG_TEST)
11080 + /* Check block is valid: should never happen */
11081 + if (dctx->lb_valid == 0)
11083 + FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_INTERNAL_ERROR);
11084 + fips_set_selftest_fail();
11088 + memcpy(dctx->lb, out, dctx->blocklength);
11089 + /* Check against last block: fail if match */
11090 + if (!memcmp(dctx->lb, out, dctx->blocklength))
11092 + FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_DRBG_STUCK);
11093 + fips_set_selftest_fail();
11096 + /* Save last block for next comparison */
11097 + memcpy(dctx->lb, out, dctx->blocklength);
11100 diff -up openssl-1.0.1e/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_rand.c
11101 --- openssl-1.0.1e/crypto/fips/fips_drbg_rand.c.fips 2013-02-19 12:47:33.737118832 +0100
11102 +++ openssl-1.0.1e/crypto/fips/fips_drbg_rand.c 2013-02-19 12:47:33.737118832 +0100
11104 +/* fips/rand/fips_drbg_rand.c */
11105 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
11108 +/* ====================================================================
11109 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
11111 + * Redistribution and use in source and binary forms, with or without
11112 + * modification, are permitted provided that the following conditions
11115 + * 1. Redistributions of source code must retain the above copyright
11116 + * notice, this list of conditions and the following disclaimer.
11118 + * 2. Redistributions in binary form must reproduce the above copyright
11119 + * notice, this list of conditions and the following disclaimer in
11120 + * the documentation and/or other materials provided with the
11123 + * 3. All advertising materials mentioning features or use of this
11124 + * software must display the following acknowledgment:
11125 + * "This product includes software developed by the OpenSSL Project
11126 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
11128 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
11129 + * endorse or promote products derived from this software without
11130 + * prior written permission. For written permission, please contact
11131 + * licensing@OpenSSL.org.
11133 + * 5. Products derived from this software may not be called "OpenSSL"
11134 + * nor may "OpenSSL" appear in their names without prior written
11135 + * permission of the OpenSSL Project.
11137 + * 6. Redistributions of any form whatsoever must retain the following
11138 + * acknowledgment:
11139 + * "This product includes software developed by the OpenSSL Project
11140 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
11142 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
11143 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
11144 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
11145 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
11146 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
11147 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
11148 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
11149 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
11150 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
11151 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
11152 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
11153 + * OF THE POSSIBILITY OF SUCH DAMAGE.
11154 + * ====================================================================
11157 +#include <string.h>
11158 +#include <openssl/crypto.h>
11159 +#include <openssl/err.h>
11160 +#include <openssl/rand.h>
11161 +#include <openssl/fips_rand.h>
11162 +#include "fips_rand_lcl.h"
11164 +/* Mapping of SP800-90 DRBGs to OpenSSL RAND_METHOD */
11166 +/* Since we only have one global PRNG used at any time in OpenSSL use a global
11167 + * variable to store context.
11170 +static DRBG_CTX ossl_dctx;
11172 +DRBG_CTX *FIPS_get_default_drbg(void)
11174 + return &ossl_dctx;
11177 +static int fips_drbg_bytes(unsigned char *out, int count)
11179 + DRBG_CTX *dctx = &ossl_dctx;
11181 + unsigned char *adin = NULL;
11182 + size_t adinlen = 0;
11183 + CRYPTO_w_lock(CRYPTO_LOCK_RAND);
11187 + if (count > (int)dctx->max_request)
11188 + rcnt = dctx->max_request;
11191 + if (dctx->get_adin)
11193 + adinlen = dctx->get_adin(dctx, &adin);
11194 + if (adinlen && !adin)
11196 + FIPSerr(FIPS_F_FIPS_DRBG_BYTES, FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT);
11200 + rv = FIPS_drbg_generate(dctx, out, rcnt, 0, adin, adinlen);
11203 + if (dctx->cleanup_adin)
11204 + dctx->cleanup_adin(dctx, adin, adinlen);
11215 + CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
11219 +static int fips_drbg_pseudo(unsigned char *out, int count)
11221 + if (fips_drbg_bytes(out, count) <= 0)
11226 +static int fips_drbg_status(void)
11228 + DRBG_CTX *dctx = &ossl_dctx;
11230 + CRYPTO_r_lock(CRYPTO_LOCK_RAND);
11231 + rv = dctx->status == DRBG_STATUS_READY ? 1 : 0;
11232 + CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
11236 +static void fips_drbg_cleanup(void)
11238 + DRBG_CTX *dctx = &ossl_dctx;
11239 + CRYPTO_w_lock(CRYPTO_LOCK_RAND);
11240 + FIPS_drbg_uninstantiate(dctx);
11241 + CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
11244 +static int fips_drbg_seed(const void *seed, int seedlen)
11246 + DRBG_CTX *dctx = &ossl_dctx;
11247 + if (dctx->rand_seed_cb)
11248 + return dctx->rand_seed_cb(dctx, seed, seedlen);
11252 +static int fips_drbg_add(const void *seed, int seedlen,
11253 + double add_entropy)
11255 + DRBG_CTX *dctx = &ossl_dctx;
11256 + if (dctx->rand_add_cb)
11257 + return dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
11261 +static const RAND_METHOD rand_drbg_meth =
11265 + fips_drbg_cleanup,
11267 + fips_drbg_pseudo,
11271 +const RAND_METHOD *FIPS_drbg_method(void)
11273 + return &rand_drbg_meth;
11276 diff -up openssl-1.0.1e/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_drbg_selftest.c
11277 --- openssl-1.0.1e/crypto/fips/fips_drbg_selftest.c.fips 2013-02-19 12:47:33.737118832 +0100
11278 +++ openssl-1.0.1e/crypto/fips/fips_drbg_selftest.c 2013-02-19 12:47:33.737118832 +0100
11280 +/* fips/rand/fips_drbg_selftest.c */
11281 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
11284 +/* ====================================================================
11285 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
11287 + * Redistribution and use in source and binary forms, with or without
11288 + * modification, are permitted provided that the following conditions
11291 + * 1. Redistributions of source code must retain the above copyright
11292 + * notice, this list of conditions and the following disclaimer.
11294 + * 2. Redistributions in binary form must reproduce the above copyright
11295 + * notice, this list of conditions and the following disclaimer in
11296 + * the documentation and/or other materials provided with the
11299 + * 3. All advertising materials mentioning features or use of this
11300 + * software must display the following acknowledgment:
11301 + * "This product includes software developed by the OpenSSL Project
11302 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
11304 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
11305 + * endorse or promote products derived from this software without
11306 + * prior written permission. For written permission, please contact
11307 + * licensing@OpenSSL.org.
11309 + * 5. Products derived from this software may not be called "OpenSSL"
11310 + * nor may "OpenSSL" appear in their names without prior written
11311 + * permission of the OpenSSL Project.
11313 + * 6. Redistributions of any form whatsoever must retain the following
11314 + * acknowledgment:
11315 + * "This product includes software developed by the OpenSSL Project
11316 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
11318 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
11319 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
11320 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
11321 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
11322 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
11323 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
11324 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
11325 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
11326 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
11327 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
11328 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
11329 + * OF THE POSSIBILITY OF SUCH DAMAGE.
11330 + * ====================================================================
11333 +#include <string.h>
11334 +#include <openssl/crypto.h>
11335 +#include <openssl/err.h>
11336 +#include <openssl/fips_rand.h>
11337 +#include "fips_rand_lcl.h"
11338 +#include "fips_locl.h"
11340 +#include "fips_drbg_selftest.h"
11345 + unsigned int flags;
11347 + /* KAT data for no PR */
11348 + const unsigned char *ent;
11350 + const unsigned char *nonce;
11352 + const unsigned char *pers;
11354 + const unsigned char *adin;
11356 + const unsigned char *entreseed;
11357 + size_t entreseedlen;
11358 + const unsigned char *adinreseed;
11359 + size_t adinreseedlen;
11360 + const unsigned char *adin2;
11362 + const unsigned char *kat;
11364 + const unsigned char *kat2;
11367 + /* KAT data for PR */
11368 + const unsigned char *ent_pr;
11369 + size_t entlen_pr;
11370 + const unsigned char *nonce_pr;
11371 + size_t noncelen_pr;
11372 + const unsigned char *pers_pr;
11373 + size_t perslen_pr;
11374 + const unsigned char *adin_pr;
11375 + size_t adinlen_pr;
11376 + const unsigned char *entpr_pr;
11377 + size_t entprlen_pr;
11378 + const unsigned char *ading_pr;
11379 + size_t adinglen_pr;
11380 + const unsigned char *entg_pr;
11381 + size_t entglen_pr;
11382 + const unsigned char *kat_pr;
11383 + size_t katlen_pr;
11384 + const unsigned char *kat2_pr;
11385 + size_t kat2len_pr;
11387 + } DRBG_SELFTEST_DATA;
11389 +#define make_drbg_test_data(nid, flag, pr, p) {p, nid, flag | DRBG_FLAG_TEST, \
11390 + pr##_entropyinput, sizeof(pr##_entropyinput), \
11391 + pr##_nonce, sizeof(pr##_nonce), \
11392 + pr##_personalizationstring, sizeof(pr##_personalizationstring), \
11393 + pr##_additionalinput, sizeof(pr##_additionalinput), \
11394 + pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
11395 + pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
11396 + pr##_additionalinput2, sizeof(pr##_additionalinput2), \
11397 + pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
11398 + pr##_returnedbits, sizeof(pr##_returnedbits), \
11399 + pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
11400 + pr##_pr_nonce, sizeof(pr##_pr_nonce), \
11401 + pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
11402 + pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
11403 + pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
11404 + pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
11405 + pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
11406 + pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
11407 + pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits), \
11410 +#define make_drbg_test_data_df(nid, pr, p) \
11411 + make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr, p)
11413 +#define make_drbg_test_data_ec(curve, md, pr, p) \
11414 + make_drbg_test_data((curve << 16) | md , 0, pr, p)
11416 +static DRBG_SELFTEST_DATA drbg_test[] = {
11417 + make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0),
11418 + make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0),
11419 + make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1),
11420 + make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df, 0),
11421 + make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df, 0),
11422 + make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df, 1),
11423 + make_drbg_test_data(NID_sha1, 0, sha1, 0),
11424 + make_drbg_test_data(NID_sha224, 0, sha224, 0),
11425 + make_drbg_test_data(NID_sha256, 0, sha256, 1),
11426 + make_drbg_test_data(NID_sha384, 0, sha384, 0),
11427 + make_drbg_test_data(NID_sha512, 0, sha512, 0),
11428 + make_drbg_test_data(NID_hmacWithSHA1, 0, hmac_sha1, 0),
11429 + make_drbg_test_data(NID_hmacWithSHA224, 0, hmac_sha224, 0),
11430 + make_drbg_test_data(NID_hmacWithSHA256, 0, hmac_sha256, 1),
11431 + make_drbg_test_data(NID_hmacWithSHA384, 0, hmac_sha384, 0),
11432 + make_drbg_test_data(NID_hmacWithSHA512, 0, hmac_sha512, 0),
11438 + const unsigned char *ent;
11441 + const unsigned char *nonce;
11446 +static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
11447 + int entropy, size_t min_len, size_t max_len)
11449 + TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
11450 + *pout = (unsigned char *)t->ent;
11452 + return t->entlen;
11455 +static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
11456 + int entropy, size_t min_len, size_t max_len)
11458 + TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
11459 + *pout = (unsigned char *)t->nonce;
11461 + return t->noncelen;
11464 +static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
11470 + unsigned char randout[1024];
11472 + /* Initial test without PR */
11474 + /* Instantiate DRBG with test entropy, nonce and personalisation
11478 + if (!FIPS_drbg_init(dctx, td->nid, td->flags))
11480 + if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
11483 + FIPS_drbg_set_app_data(dctx, &t);
11486 + t.entlen = td->entlen;
11487 + t.nonce = td->nonce;
11488 + t.noncelen = td->noncelen;
11492 + if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
11495 + /* Note for CTR without DF some additional input values
11496 + * ignore bytes after the keylength: so reduce adinlen
11497 + * to half to ensure invalid data is fed in.
11499 + if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
11500 + adinlen = td->adinlen / 2;
11502 + adinlen = td->adinlen;
11504 + /* Generate with no PR and verify output matches expected data */
11505 + if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
11506 + td->adin, adinlen))
11509 + if (memcmp(randout, td->kat, td->katlen))
11511 + FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST1_FAILURE);
11514 + /* If abbreviated POST end of test */
11520 + /* Reseed DRBG with test entropy and additional input */
11521 + t.ent = td->entreseed;
11522 + t.entlen = td->entreseedlen;
11524 + if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen))
11527 + /* Generate with no PR and verify output matches expected data */
11528 + if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0,
11529 + td->adin2, td->adin2len))
11532 + if (memcmp(randout, td->kat2, td->kat2len))
11534 + FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST2_FAILURE);
11538 + FIPS_drbg_uninstantiate(dctx);
11540 + /* Now test with PR */
11542 + /* Instantiate DRBG with test entropy, nonce and personalisation
11545 + if (!FIPS_drbg_init(dctx, td->nid, td->flags))
11547 + if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
11550 + FIPS_drbg_set_app_data(dctx, &t);
11552 + t.ent = td->ent_pr;
11553 + t.entlen = td->entlen_pr;
11554 + t.nonce = td->nonce_pr;
11555 + t.noncelen = td->noncelen_pr;
11559 + if (!FIPS_drbg_instantiate(dctx, td->pers_pr, td->perslen_pr))
11562 + /* Now generate with PR: we need to supply entropy as this will
11563 + * perform a reseed operation. Check output matches expected value.
11566 + t.ent = td->entpr_pr;
11567 + t.entlen = td->entprlen_pr;
11569 + /* Note for CTR without DF some additional input values
11570 + * ignore bytes after the keylength: so reduce adinlen
11571 + * to half to ensure invalid data is fed in.
11573 + if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
11574 + adinlen = td->adinlen_pr / 2;
11576 + adinlen = td->adinlen_pr;
11577 + if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 1,
11578 + td->adin_pr, adinlen))
11581 + if (memcmp(randout, td->kat_pr, td->katlen_pr))
11583 + FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST1_FAILURE);
11587 + /* Now generate again with PR: supply new entropy again.
11588 + * Check output matches expected value.
11591 + t.ent = td->entg_pr;
11592 + t.entlen = td->entglen_pr;
11594 + if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 1,
11595 + td->ading_pr, td->adinglen_pr))
11598 + if (memcmp(randout, td->kat2_pr, td->kat2len_pr))
11600 + FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST2_FAILURE);
11603 + /* All OK, test complete */
11608 + FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED);
11610 + FIPS_drbg_uninstantiate(dctx);
11616 +/* Initialise a DRBG based on selftest data */
11618 +static int do_drbg_init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td, TEST_ENT *t)
11621 + if (!FIPS_drbg_init(dctx, td->nid, td->flags))
11624 + if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
11627 + FIPS_drbg_set_app_data(dctx, t);
11629 + t->ent = td->ent;
11630 + t->entlen = td->entlen;
11631 + t->nonce = td->nonce;
11632 + t->noncelen = td->noncelen;
11638 +/* Initialise and instantiate DRBG based on selftest data */
11639 +static int do_drbg_instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
11642 + if (!do_drbg_init(dctx, td, t))
11644 + if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
11650 +/* This function performs extensive error checking as required by SP800-90.
11651 + * Induce several failure modes and check an error condition is set.
11652 + * This function along with fips_drbg_single_kat peforms the health checking
11656 +static int fips_drbg_error_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
11658 + unsigned char randout[1024];
11661 + unsigned int reseed_counter_tmp;
11662 + unsigned char *p = (unsigned char *)dctx;
11664 + /* Initialise DRBG */
11666 + if (!do_drbg_init(dctx, td, &t))
11669 + /* Don't report induced errors */
11670 + dctx->iflags |= DRBG_FLAG_NOERR;
11672 + /* Personalisation string tests */
11674 + /* Test detection of too large personlisation string */
11676 + if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0)
11678 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_PERSONALISATION_ERROR_UNDETECTED);
11682 + /* Entropy source tests */
11684 + /* Test entropy source failure detecion: i.e. returns no data */
11688 + if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
11690 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
11694 + /* Try to generate output from uninstantiated DRBG */
11695 + if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
11696 + td->adin, td->adinlen))
11698 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_GENERATE_ERROR_UNDETECTED);
11702 + dctx->iflags &= ~DRBG_FLAG_NOERR;
11703 + if (!FIPS_drbg_uninstantiate(dctx))
11705 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
11709 + if (!do_drbg_init(dctx, td, &t))
11712 + dctx->iflags |= DRBG_FLAG_NOERR;
11714 + /* Test insufficient entropy */
11716 + t.entlen = dctx->min_entropy - 1;
11718 + if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
11720 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
11724 + dctx->iflags &= ~DRBG_FLAG_NOERR;
11725 + if (!FIPS_drbg_uninstantiate(dctx))
11727 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
11731 + /* Test too much entropy */
11733 + if (!do_drbg_init(dctx, td, &t))
11736 + dctx->iflags |= DRBG_FLAG_NOERR;
11738 + t.entlen = dctx->max_entropy + 1;
11740 + if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
11742 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
11746 + dctx->iflags &= ~DRBG_FLAG_NOERR;
11747 + if (!FIPS_drbg_uninstantiate(dctx))
11749 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
11753 + /* Nonce tests */
11755 + /* Test too small nonce */
11757 + if (dctx->min_nonce)
11760 + if (!do_drbg_init(dctx, td, &t))
11763 + dctx->iflags |= DRBG_FLAG_NOERR;
11765 + t.noncelen = dctx->min_nonce - 1;
11767 + if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
11769 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_NONCE_ERROR_UNDETECTED);
11773 + dctx->iflags &= ~DRBG_FLAG_NOERR;
11774 + if (!FIPS_drbg_uninstantiate(dctx))
11776 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
11782 + /* Test too large nonce */
11784 + if (dctx->max_nonce)
11787 + if (!do_drbg_init(dctx, td, &t))
11790 + dctx->iflags |= DRBG_FLAG_NOERR;
11792 + t.noncelen = dctx->max_nonce + 1;
11794 + if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
11796 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_NONCE_ERROR_UNDETECTED);
11800 + dctx->iflags &= ~DRBG_FLAG_NOERR;
11801 + if (!FIPS_drbg_uninstantiate(dctx))
11803 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
11809 + /* Instantiate with valid data. */
11810 + if (!do_drbg_instantiate(dctx, td, &t))
11813 + /* Check generation is now OK */
11814 + if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
11815 + td->adin, td->adinlen))
11818 + dctx->iflags |= DRBG_FLAG_NOERR;
11820 + /* Request too much data for one request */
11821 + if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0,
11822 + td->adin, td->adinlen))
11824 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED);
11828 + /* Try too large additional input */
11829 + if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
11830 + td->adin, dctx->max_adin + 1))
11832 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
11836 + /* Check prediction resistance request fails if entropy source
11842 + if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
11843 + td->adin, td->adinlen))
11845 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
11849 + dctx->iflags &= ~DRBG_FLAG_NOERR;
11850 + if (!FIPS_drbg_uninstantiate(dctx))
11852 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
11857 + /* Instantiate again with valid data */
11859 + if (!do_drbg_instantiate(dctx, td, &t))
11861 + /* Test reseed counter works */
11862 + /* Save initial reseed counter */
11863 + reseed_counter_tmp = dctx->reseed_counter;
11864 + /* Set reseed counter to beyond interval */
11865 + dctx->reseed_counter = dctx->reseed_interval;
11867 + /* Generate output and check entropy has been requested for reseed */
11869 + if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
11870 + td->adin, td->adinlen))
11872 + if (t.entcnt != 1)
11874 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
11877 + /* Check reseed counter has been reset */
11878 + if (dctx->reseed_counter != reseed_counter_tmp + 1)
11880 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
11884 + dctx->iflags &= ~DRBG_FLAG_NOERR;
11885 + if (!FIPS_drbg_uninstantiate(dctx))
11887 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
11891 + /* Check prediction resistance request fails if entropy source
11897 + dctx->iflags |= DRBG_FLAG_NOERR;
11898 + if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
11899 + td->adin, td->adinlen))
11901 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
11905 + dctx->iflags &= ~DRBG_FLAG_NOERR;
11907 + if (!FIPS_drbg_uninstantiate(dctx))
11909 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
11914 + if (!do_drbg_instantiate(dctx, td, &t))
11916 + /* Test reseed counter works */
11917 + /* Save initial reseed counter */
11918 + reseed_counter_tmp = dctx->reseed_counter;
11919 + /* Set reseed counter to beyond interval */
11920 + dctx->reseed_counter = dctx->reseed_interval;
11922 + /* Generate output and check entropy has been requested for reseed */
11924 + if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
11925 + td->adin, td->adinlen))
11927 + if (t.entcnt != 1)
11929 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
11932 + /* Check reseed counter has been reset */
11933 + if (dctx->reseed_counter != reseed_counter_tmp + 1)
11935 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
11939 + dctx->iflags &= ~DRBG_FLAG_NOERR;
11940 + if (!FIPS_drbg_uninstantiate(dctx))
11942 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
11946 + /* Explicit reseed tests */
11948 + /* Test explicit reseed with too large additional input */
11949 + if (!do_drbg_init(dctx, td, &t))
11952 + dctx->iflags |= DRBG_FLAG_NOERR;
11954 + if (FIPS_drbg_reseed(dctx, td->adin, dctx->max_adin + 1) > 0)
11956 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
11960 + /* Test explicit reseed with entropy source failure */
11964 + if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0)
11966 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
11970 + if (!FIPS_drbg_uninstantiate(dctx))
11972 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
11976 + /* Test explicit reseed with too much entropy */
11978 + if (!do_drbg_init(dctx, td, &t))
11981 + dctx->iflags |= DRBG_FLAG_NOERR;
11983 + t.entlen = dctx->max_entropy + 1;
11985 + if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0)
11987 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
11991 + if (!FIPS_drbg_uninstantiate(dctx))
11993 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
11997 + /* Test explicit reseed with too little entropy */
11999 + if (!do_drbg_init(dctx, td, &t))
12002 + dctx->iflags |= DRBG_FLAG_NOERR;
12004 + t.entlen = dctx->min_entropy - 1;
12006 + if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0)
12008 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
12012 + if (!FIPS_drbg_uninstantiate(dctx))
12014 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
12018 + p = (unsigned char *)&dctx->d;
12019 + /* Standard says we have to check uninstantiate really zeroes
12022 + for (i = 0; i < sizeof(dctx->d); i++)
12026 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ZEROISE_ERROR);
12035 + /* A real error as opposed to an induced one: underlying function will
12036 + * indicate the error.
12038 + if (!(dctx->iflags & DRBG_FLAG_NOERR))
12039 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_FUNCTION_ERROR);
12040 + FIPS_drbg_uninstantiate(dctx);
12045 +int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags)
12047 + DRBG_SELFTEST_DATA *td;
12048 + flags |= DRBG_FLAG_TEST;
12049 + for (td = drbg_test; td->nid != 0; td++)
12051 + if (td->nid == nid && td->flags == flags)
12053 + if (!fips_drbg_single_kat(dctx, td, 0))
12055 + return fips_drbg_error_check(dctx, td);
12061 +int FIPS_drbg_health_check(DRBG_CTX *dctx)
12064 + DRBG_CTX *tctx = NULL;
12065 + tctx = FIPS_drbg_new(0, 0);
12066 + fips_post_started(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
12069 + rv = fips_drbg_kat(tctx, dctx->type, dctx->xflags);
12071 + FIPS_drbg_free(tctx);
12073 + fips_post_success(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
12075 + fips_post_failed(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
12077 + dctx->status = DRBG_STATUS_ERROR;
12079 + dctx->health_check_cnt = 0;
12083 +int FIPS_selftest_drbg(void)
12086 + DRBG_SELFTEST_DATA *td;
12088 + dctx = FIPS_drbg_new(0, 0);
12091 + for (td = drbg_test; td->nid != 0; td++)
12093 + if (td->post != 1)
12095 + if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
12097 + if (!fips_drbg_single_kat(dctx, td, 1))
12099 + fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
12103 + if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
12106 + FIPS_drbg_free(dctx);
12111 +int FIPS_selftest_drbg_all(void)
12114 + DRBG_SELFTEST_DATA *td;
12116 + dctx = FIPS_drbg_new(0, 0);
12119 + for (td = drbg_test; td->nid != 0; td++)
12121 + if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
12123 + if (!fips_drbg_single_kat(dctx, td, 0))
12125 + fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
12129 + if (!fips_drbg_error_check(dctx, td))
12131 + fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
12135 + if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
12138 + FIPS_drbg_free(dctx);
12142 diff -up openssl-1.0.1e/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.1e/crypto/fips/fips_drbg_selftest.h
12143 --- openssl-1.0.1e/crypto/fips/fips_drbg_selftest.h.fips 2013-02-19 12:47:33.738118852 +0100
12144 +++ openssl-1.0.1e/crypto/fips/fips_drbg_selftest.h 2013-02-19 12:47:33.738118852 +0100
12146 +/* ====================================================================
12147 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
12149 + * Redistribution and use in source and binary forms, with or without
12150 + * modification, are permitted provided that the following conditions
12153 + * 1. Redistributions of source code must retain the above copyright
12154 + * notice, this list of conditions and the following disclaimer.
12156 + * 2. Redistributions in binary form must reproduce the above copyright
12157 + * notice, this list of conditions and the following disclaimer in
12158 + * the documentation and/or other materials provided with the
12161 + * 3. All advertising materials mentioning features or use of this
12162 + * software must display the following acknowledgment:
12163 + * "This product includes software developed by the OpenSSL Project
12164 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
12166 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
12167 + * endorse or promote products derived from this software without
12168 + * prior written permission. For written permission, please contact
12169 + * openssl-core.org.
12171 + * 5. Products derived from this software may not be called "OpenSSL"
12172 + * nor may "OpenSSL" appear in their names without prior written
12173 + * permission of the OpenSSL Project.
12175 + * 6. Redistributions of any form whatsoever must retain the following
12176 + * acknowledgment:
12177 + * "This product includes software developed by the OpenSSL Project
12178 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
12180 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
12181 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
12182 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
12183 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
12184 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
12185 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
12186 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
12187 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
12188 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
12189 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
12190 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
12191 + * OF THE POSSIBILITY OF SUCH DAMAGE.
12195 +/* Selftest and health check data for the SP800-90 DRBG */
12197 +#define __fips_constseg
12199 +/* AES-128 use df PR */
12201 +static const unsigned char aes_128_use_df_pr_entropyinput[] =
12203 + 0x61,0x52,0x7c,0xe3,0x23,0x7d,0x0a,0x07,0x10,0x0c,0x50,0x33,
12204 + 0xc8,0xdb,0xff,0x12
12208 +static const unsigned char aes_128_use_df_pr_nonce[] =
12210 + 0x51,0x0d,0x85,0x77,0xed,0x22,0x97,0x28
12214 +static const unsigned char aes_128_use_df_pr_personalizationstring[] =
12216 + 0x59,0x9f,0xbb,0xcd,0xd5,0x25,0x69,0xb5,0xcb,0xb5,0x03,0xfe,
12217 + 0xd7,0xd7,0x01,0x67
12221 +static const unsigned char aes_128_use_df_pr_additionalinput[] =
12223 + 0xef,0x88,0x76,0x01,0xaf,0x3c,0xfe,0x8b,0xaf,0x26,0x06,0x9e,
12224 + 0x9a,0x47,0x08,0x76
12228 +static const unsigned char aes_128_use_df_pr_entropyinputpr[] =
12230 + 0xe2,0x76,0xf9,0xf6,0x3a,0xba,0x10,0x9f,0xbf,0x47,0x0e,0x51,
12231 + 0x09,0xfb,0xa3,0xb6
12235 +static const unsigned char aes_128_use_df_pr_int_returnedbits[] =
12237 + 0xd4,0x98,0x8a,0x46,0x80,0x4c,0xdb,0xa3,0x59,0x02,0x57,0x52,
12238 + 0x66,0x1c,0xea,0x5b
12242 +static const unsigned char aes_128_use_df_pr_additionalinput2[] =
12244 + 0x88,0x8c,0x91,0xd6,0xbe,0x56,0x6e,0x08,0x9a,0x62,0x2b,0x11,
12245 + 0x3f,0x5e,0x31,0x06
12249 +static const unsigned char aes_128_use_df_pr_entropyinputpr2[] =
12251 + 0xc0,0x5c,0x6b,0x98,0x01,0x0d,0x58,0x18,0x51,0x18,0x96,0xae,
12252 + 0xa7,0xe3,0xa8,0x67
12256 +static const unsigned char aes_128_use_df_pr_returnedbits[] =
12258 + 0xcf,0x01,0xac,0x22,0x31,0x06,0x8e,0xfc,0xce,0x56,0xea,0x24,
12259 + 0x0f,0x38,0x43,0xc6
12263 +/* AES-128 use df No PR */
12265 +static const unsigned char aes_128_use_df_entropyinput[] =
12267 + 0x1f,0x8e,0x34,0x82,0x0c,0xb7,0xbe,0xc5,0x01,0x3e,0xd0,0xa3,
12268 + 0x9d,0x7d,0x1c,0x9b
12272 +static const unsigned char aes_128_use_df_nonce[] =
12274 + 0xd5,0x4d,0xbd,0x4a,0x93,0x7f,0xb8,0x96
12278 +static const unsigned char aes_128_use_df_personalizationstring[] =
12280 + 0xab,0xd6,0x3f,0x04,0xfe,0x27,0x6b,0x2d,0xd7,0xc3,0x1c,0xf3,
12281 + 0x38,0x66,0xba,0x1b
12285 +static const unsigned char aes_128_use_df_additionalinput[] =
12287 + 0xfe,0xf4,0x09,0xa8,0xb7,0x73,0x27,0x9c,0x5f,0xa7,0xea,0x46,
12288 + 0xb5,0xe2,0xb2,0x41
12292 +static const unsigned char aes_128_use_df_int_returnedbits[] =
12294 + 0x42,0xe4,0x4e,0x7b,0x27,0xdd,0xcb,0xbc,0x0a,0xcf,0xa6,0x67,
12295 + 0xe7,0x57,0x11,0xb4
12299 +static const unsigned char aes_128_use_df_entropyinputreseed[] =
12301 + 0x14,0x26,0x69,0xd9,0xf3,0x65,0x03,0xd6,0x6b,0xb9,0x44,0x0b,
12302 + 0xc7,0xc4,0x9e,0x39
12306 +static const unsigned char aes_128_use_df_additionalinputreseed[] =
12308 + 0x55,0x2e,0x60,0x9a,0x05,0x72,0x8a,0xa8,0xef,0x22,0x81,0x5a,
12309 + 0xc8,0x93,0xfa,0x84
12313 +static const unsigned char aes_128_use_df_additionalinput2[] =
12315 + 0x3c,0x40,0xc8,0xc4,0x16,0x0c,0x21,0xa4,0x37,0x2c,0x8f,0xa5,
12316 + 0x06,0x0c,0x15,0x2c
12320 +static const unsigned char aes_128_use_df_returnedbits[] =
12322 + 0xe1,0x3e,0x99,0x98,0x86,0x67,0x0b,0x63,0x7b,0xbe,0x3f,0x88,
12323 + 0x46,0x81,0xc7,0x19
12327 +/* AES-192 use df PR */
12329 +static const unsigned char aes_192_use_df_pr_entropyinput[] =
12331 + 0x2b,0x4e,0x8b,0xe1,0xf1,0x34,0x80,0x56,0x81,0xf9,0x74,0xec,
12332 + 0x17,0x44,0x2a,0xf1,0x14,0xb0,0xbf,0x97,0x39,0xb7,0x04,0x7d
12336 +static const unsigned char aes_192_use_df_pr_nonce[] =
12338 + 0xd6,0x9d,0xeb,0x14,0x4e,0x6c,0x30,0x1e,0x39,0x55,0x73,0xd0,
12339 + 0xd1,0x80,0x78,0xfa
12343 +static const unsigned char aes_192_use_df_pr_personalizationstring[] =
12345 + 0xfc,0x43,0x4a,0xf8,0x9a,0x55,0xb3,0x53,0x83,0xe2,0x18,0x16,
12346 + 0x0c,0xdc,0xcd,0x5e,0x4f,0xa0,0x03,0x01,0x2b,0x9f,0xe4,0xd5,
12347 + 0x7d,0x49,0xf0,0x41,0x9e,0x3d,0x99,0x04
12351 +static const unsigned char aes_192_use_df_pr_additionalinput[] =
12353 + 0x5e,0x9f,0x49,0x6f,0x21,0x8b,0x1d,0x32,0xd5,0x84,0x5c,0xac,
12354 + 0xaf,0xdf,0xe4,0x79,0x9e,0xaf,0xa9,0x82,0xd0,0xf8,0x4f,0xcb,
12355 + 0x69,0x10,0x0a,0x7e,0x81,0x57,0xb5,0x36
12359 +static const unsigned char aes_192_use_df_pr_entropyinputpr[] =
12361 + 0xd4,0x81,0x0c,0xd7,0x66,0x39,0xec,0x42,0x53,0x87,0x41,0xa5,
12362 + 0x1e,0x7d,0x80,0x91,0x8e,0xbb,0xed,0xac,0x14,0x02,0x1a,0xd5
12366 +static const unsigned char aes_192_use_df_pr_int_returnedbits[] =
12368 + 0xdf,0x1d,0x39,0x45,0x7c,0x9b,0xc6,0x2b,0x7d,0x8c,0x93,0xe9,
12369 + 0x19,0x30,0x6b,0x67
12373 +static const unsigned char aes_192_use_df_pr_additionalinput2[] =
12375 + 0x00,0x71,0x27,0x4e,0xd3,0x14,0xf1,0x20,0x7f,0x4a,0x41,0x32,
12376 + 0x2a,0x97,0x11,0x43,0x8f,0x4a,0x15,0x7b,0x9b,0x51,0x79,0xda,
12377 + 0x49,0x3d,0xde,0xe8,0xbc,0x93,0x91,0x99
12381 +static const unsigned char aes_192_use_df_pr_entropyinputpr2[] =
12383 + 0x90,0xee,0x76,0xa1,0x45,0x8d,0xb7,0x40,0xb0,0x11,0xbf,0xd0,
12384 + 0x65,0xd7,0x3c,0x7c,0x4f,0x20,0x3f,0x4e,0x11,0x9d,0xb3,0x5e
12388 +static const unsigned char aes_192_use_df_pr_returnedbits[] =
12390 + 0x24,0x3b,0x20,0xa4,0x37,0x66,0xba,0x72,0x39,0x3f,0xcf,0x3c,
12391 + 0x7e,0x1a,0x2b,0x83
12395 +/* AES-192 use df No PR */
12397 +static const unsigned char aes_192_use_df_entropyinput[] =
12399 + 0x8d,0x74,0xa4,0x50,0x1a,0x02,0x68,0x0c,0x2a,0x69,0xc4,0x82,
12400 + 0x3b,0xbb,0xda,0x0e,0x7f,0x77,0xa3,0x17,0x78,0x57,0xb2,0x7b
12404 +static const unsigned char aes_192_use_df_nonce[] =
12406 + 0x75,0xd5,0x1f,0xac,0xa4,0x8d,0x42,0x78,0xd7,0x69,0x86,0x9d,
12407 + 0x77,0xd7,0x41,0x0e
12411 +static const unsigned char aes_192_use_df_personalizationstring[] =
12413 + 0x4e,0x33,0x41,0x3c,0x9c,0xc2,0xd2,0x53,0xaf,0x90,0xea,0xcf,
12414 + 0x19,0x50,0x1e,0xe6,0x6f,0x63,0xc8,0x32,0x22,0xdc,0x07,0x65,
12415 + 0x9c,0xd3,0xf8,0x30,0x9e,0xed,0x35,0x70
12419 +static const unsigned char aes_192_use_df_additionalinput[] =
12421 + 0x5d,0x8b,0x8c,0xc1,0xdf,0x0e,0x02,0x78,0xfb,0x19,0xb8,0x69,
12422 + 0x78,0x4e,0x9c,0x52,0xbc,0xc7,0x20,0xc9,0xe6,0x5e,0x77,0x22,
12423 + 0x28,0x3d,0x0c,0x9e,0x68,0xa8,0x45,0xd7
12427 +static const unsigned char aes_192_use_df_int_returnedbits[] =
12429 + 0xd5,0xe7,0x08,0xc5,0x19,0x99,0xd5,0x31,0x03,0x0a,0x74,0xb6,
12430 + 0xb7,0xed,0xe9,0xea
12434 +static const unsigned char aes_192_use_df_entropyinputreseed[] =
12436 + 0x9c,0x26,0xda,0xf1,0xac,0xd9,0x5a,0xd6,0xa8,0x65,0xf5,0x02,
12437 + 0x8f,0xdc,0xa2,0x09,0x54,0xa6,0xe2,0xa4,0xde,0x32,0xe0,0x01
12441 +static const unsigned char aes_192_use_df_additionalinputreseed[] =
12443 + 0x9b,0x90,0xb0,0x3a,0x0e,0x3a,0x80,0x07,0x4a,0xf4,0xda,0x76,
12444 + 0x28,0x30,0x3c,0xee,0x54,0x1b,0x94,0x59,0x51,0x43,0x56,0x77,
12445 + 0xaf,0x88,0xdd,0x63,0x89,0x47,0x06,0x65
12449 +static const unsigned char aes_192_use_df_additionalinput2[] =
12451 + 0x3c,0x11,0x64,0x7a,0x96,0xf5,0xd8,0xb8,0xae,0xd6,0x70,0x4e,
12452 + 0x16,0x96,0xde,0xe9,0x62,0xbc,0xee,0x28,0x2f,0x26,0xa6,0xf0,
12453 + 0x56,0xef,0xa3,0xf1,0x6b,0xa1,0xb1,0x77
12457 +static const unsigned char aes_192_use_df_returnedbits[] =
12459 + 0x0b,0xe2,0x56,0x03,0x1e,0xdb,0x2c,0x6d,0x7f,0x1b,0x15,0x58,
12460 + 0x1a,0xf9,0x13,0x28
12464 +/* AES-256 use df PR */
12466 +static const unsigned char aes_256_use_df_pr_entropyinput[] =
12468 + 0x61,0x68,0xfc,0x1a,0xf0,0xb5,0x95,0x6b,0x85,0x09,0x9b,0x74,
12469 + 0x3f,0x13,0x78,0x49,0x3b,0x85,0xec,0x93,0x13,0x3b,0xa9,0x4f,
12470 + 0x96,0xab,0x2c,0xe4,0xc8,0x8f,0xdd,0x6a
12474 +static const unsigned char aes_256_use_df_pr_nonce[] =
12476 + 0xad,0xd2,0xbb,0xba,0xb7,0x65,0x89,0xc3,0x21,0x6c,0x55,0x33,
12477 + 0x2b,0x36,0xff,0xa4
12481 +static const unsigned char aes_256_use_df_pr_personalizationstring[] =
12483 + 0x6e,0xca,0xe7,0x20,0x72,0xd3,0x84,0x5a,0x32,0xd3,0x4b,0x24,
12484 + 0x72,0xc4,0x63,0x2b,0x9d,0x12,0x24,0x0c,0x23,0x26,0x8e,0x83,
12485 + 0x16,0x37,0x0b,0xd1,0x06,0x4f,0x68,0x6d
12489 +static const unsigned char aes_256_use_df_pr_additionalinput[] =
12491 + 0x7e,0x08,0x4a,0xbb,0xe3,0x21,0x7c,0xc9,0x23,0xd2,0xf8,0xb0,
12492 + 0x73,0x98,0xba,0x84,0x74,0x23,0xab,0x06,0x8a,0xe2,0x22,0xd3,
12493 + 0x7b,0xce,0x9b,0xd2,0x4a,0x76,0xb8,0xde
12497 +static const unsigned char aes_256_use_df_pr_entropyinputpr[] =
12499 + 0x0b,0x23,0xaf,0xdf,0xf1,0x62,0xd7,0xd3,0x43,0x97,0xf8,0x77,
12500 + 0x04,0xa8,0x42,0x20,0xbd,0xf6,0x0f,0xc1,0x17,0x2f,0x9f,0x54,
12501 + 0xbb,0x56,0x17,0x86,0x68,0x0e,0xba,0xa9
12505 +static const unsigned char aes_256_use_df_pr_int_returnedbits[] =
12507 + 0x31,0x8e,0xad,0xaf,0x40,0xeb,0x6b,0x74,0x31,0x46,0x80,0xc7,
12508 + 0x17,0xab,0x3c,0x7a
12512 +static const unsigned char aes_256_use_df_pr_additionalinput2[] =
12514 + 0x94,0x6b,0xc9,0x9f,0xab,0x8d,0xc5,0xec,0x71,0x88,0x1d,0x00,
12515 + 0x8c,0x89,0x68,0xe4,0xc8,0x07,0x77,0x36,0x17,0x6d,0x79,0x78,
12516 + 0xc7,0x06,0x4e,0x99,0x04,0x28,0x29,0xc3
12520 +static const unsigned char aes_256_use_df_pr_entropyinputpr2[] =
12522 + 0xbf,0x6c,0x59,0x2a,0x0d,0x44,0x0f,0xae,0x9a,0x5e,0x03,0x73,
12523 + 0xd8,0xa6,0xe1,0xcf,0x25,0x61,0x38,0x24,0x86,0x9e,0x53,0xe8,
12524 + 0xa4,0xdf,0x56,0xf4,0x06,0x07,0x9c,0x0f
12528 +static const unsigned char aes_256_use_df_pr_returnedbits[] =
12530 + 0x22,0x4a,0xb4,0xb8,0xb6,0xee,0x7d,0xb1,0x9e,0xc9,0xf9,0xa0,
12531 + 0xd9,0xe2,0x97,0x00
12535 +/* AES-256 use df No PR */
12537 +static const unsigned char aes_256_use_df_entropyinput[] =
12539 + 0xa5,0x3e,0x37,0x10,0x17,0x43,0x91,0x93,0x59,0x1e,0x47,0x50,
12540 + 0x87,0xaa,0xdd,0xd5,0xc1,0xc3,0x86,0xcd,0xca,0x0d,0xdb,0x68,
12541 + 0xe0,0x02,0xd8,0x0f,0xdc,0x40,0x1a,0x47
12545 +static const unsigned char aes_256_use_df_nonce[] =
12547 + 0xa9,0x4d,0xa5,0x5a,0xfd,0xc5,0x0c,0xe5,0x1c,0x9a,0x3b,0x8a,
12548 + 0x4c,0x44,0x84,0x40
12552 +static const unsigned char aes_256_use_df_personalizationstring[] =
12554 + 0x8b,0x52,0xa2,0x4a,0x93,0xc3,0x4e,0xa7,0x1e,0x1c,0xa7,0x05,
12555 + 0xeb,0x82,0x9b,0xa6,0x5d,0xe4,0xd4,0xe0,0x7f,0xa3,0xd8,0x6b,
12556 + 0x37,0x84,0x5f,0xf1,0xc7,0xd5,0xf6,0xd2
12560 +static const unsigned char aes_256_use_df_additionalinput[] =
12562 + 0x20,0xf4,0x22,0xed,0xf8,0x5c,0xa1,0x6a,0x01,0xcf,0xbe,0x5f,
12563 + 0x8d,0x6c,0x94,0x7f,0xae,0x12,0xa8,0x57,0xdb,0x2a,0xa9,0xbf,
12564 + 0xc7,0xb3,0x65,0x81,0x80,0x8d,0x0d,0x46
12568 +static const unsigned char aes_256_use_df_int_returnedbits[] =
12570 + 0x4e,0x44,0xfd,0xf3,0x9e,0x29,0xa2,0xb8,0x0f,0x5d,0x6c,0xe1,
12571 + 0x28,0x0c,0x3b,0xc1
12575 +static const unsigned char aes_256_use_df_entropyinputreseed[] =
12577 + 0xdd,0x40,0xe5,0x98,0x7b,0x27,0x16,0x73,0x15,0x68,0xd2,0x76,
12578 + 0xbf,0x0c,0x67,0x15,0x75,0x79,0x03,0xd3,0xde,0xde,0x91,0x46,
12579 + 0x42,0xdd,0xd4,0x67,0xc8,0x79,0xc8,0x1e
12583 +static const unsigned char aes_256_use_df_additionalinputreseed[] =
12585 + 0x7f,0xd8,0x1f,0xbd,0x2a,0xb5,0x1c,0x11,0x5d,0x83,0x4e,0x99,
12586 + 0xf6,0x5c,0xa5,0x40,0x20,0xed,0x38,0x8e,0xd5,0x9e,0xe0,0x75,
12587 + 0x93,0xfe,0x12,0x5e,0x5d,0x73,0xfb,0x75
12591 +static const unsigned char aes_256_use_df_additionalinput2[] =
12593 + 0xcd,0x2c,0xff,0x14,0x69,0x3e,0x4c,0x9e,0xfd,0xfe,0x26,0x0d,
12594 + 0xe9,0x86,0x00,0x49,0x30,0xba,0xb1,0xc6,0x50,0x57,0x77,0x2a,
12595 + 0x62,0x39,0x2c,0x3b,0x74,0xeb,0xc9,0x0d
12599 +static const unsigned char aes_256_use_df_returnedbits[] =
12601 + 0x4f,0x78,0xbe,0xb9,0x4d,0x97,0x8c,0xe9,0xd0,0x97,0xfe,0xad,
12602 + 0xfa,0xfd,0x35,0x5e
12606 +/* AES-128 no df PR */
12608 +static const unsigned char aes_128_no_df_pr_entropyinput[] =
12610 + 0x9a,0x25,0x65,0x10,0x67,0xd5,0xb6,0x6b,0x70,0xa1,0xb3,0xa4,
12611 + 0x43,0x95,0x80,0xc0,0x84,0x0a,0x79,0xb0,0x88,0x74,0xf2,0xbf,
12612 + 0x31,0x6c,0x33,0x38,0x0b,0x00,0xb2,0x5a
12616 +static const unsigned char aes_128_no_df_pr_nonce[] =
12618 + 0x78,0x47,0x6b,0xf7,0x90,0x8e,0x87,0xf1
12622 +static const unsigned char aes_128_no_df_pr_personalizationstring[] =
12624 + 0xf7,0x22,0x1d,0x3a,0xbe,0x1d,0xca,0x32,0x1b,0xbd,0x87,0x0c,
12625 + 0x51,0x24,0x19,0xee,0xa3,0x23,0x09,0x63,0x33,0x3d,0xa8,0x0c,
12626 + 0x1c,0xfa,0x42,0x89,0xcc,0x6f,0xa0,0xa8
12630 +static const unsigned char aes_128_no_df_pr_additionalinput[] =
12632 + 0xc9,0xe0,0x80,0xbf,0x8c,0x45,0x58,0x39,0xff,0x00,0xab,0x02,
12633 + 0x4c,0x3e,0x3a,0x95,0x9b,0x80,0xa8,0x21,0x2a,0xee,0xba,0x73,
12634 + 0xb1,0xd9,0xcf,0x28,0xf6,0x8f,0x9b,0x12
12638 +static const unsigned char aes_128_no_df_pr_entropyinputpr[] =
12640 + 0x4c,0xa8,0xc5,0xf0,0x59,0x9e,0xa6,0x8d,0x26,0x53,0xd7,0x8a,
12641 + 0xa9,0xd8,0xf7,0xed,0xb2,0xf9,0x12,0x42,0xe1,0xe5,0xbd,0xe7,
12642 + 0xe7,0x1d,0x74,0x99,0x00,0x9d,0x31,0x3e
12646 +static const unsigned char aes_128_no_df_pr_int_returnedbits[] =
12648 + 0xe2,0xac,0x20,0xf0,0x80,0xe7,0xbc,0x7e,0x9c,0x7b,0x65,0x71,
12649 + 0xaf,0x19,0x32,0x16
12653 +static const unsigned char aes_128_no_df_pr_additionalinput2[] =
12655 + 0x32,0x7f,0x38,0x8b,0x73,0x0a,0x78,0x83,0xdc,0x30,0xbe,0x9f,
12656 + 0x10,0x1f,0xf5,0x1f,0xca,0x00,0xb5,0x0d,0xd6,0x9d,0x60,0x83,
12657 + 0x51,0x54,0x7d,0x38,0x23,0x3a,0x52,0x50
12661 +static const unsigned char aes_128_no_df_pr_entropyinputpr2[] =
12663 + 0x18,0x61,0x53,0x56,0xed,0xed,0xd7,0x20,0xfb,0x71,0x04,0x7a,
12664 + 0xb2,0xac,0xc1,0x28,0xcd,0xf2,0xc2,0xfc,0xaa,0xb1,0x06,0x07,
12665 + 0xe9,0x46,0x95,0x02,0x48,0x01,0x78,0xf9
12669 +static const unsigned char aes_128_no_df_pr_returnedbits[] =
12671 + 0x29,0xc8,0x1b,0x15,0xb1,0xd1,0xc2,0xf6,0x71,0x86,0x68,0x33,
12672 + 0x57,0x82,0x33,0xaf
12676 +/* AES-128 no df No PR */
12678 +static const unsigned char aes_128_no_df_entropyinput[] =
12680 + 0xc9,0xc5,0x79,0xbc,0xe8,0xc5,0x19,0xd8,0xbc,0x66,0x73,0x67,
12681 + 0xf6,0xd3,0x72,0xaa,0xa6,0x16,0xb8,0x50,0xb7,0x47,0x3a,0x42,
12682 + 0xab,0xf4,0x16,0xb2,0x96,0xd2,0xb6,0x60
12686 +static const unsigned char aes_128_no_df_nonce[] =
12688 + 0x5f,0xbf,0x97,0x0c,0x4b,0xa4,0x87,0x13
12692 +static const unsigned char aes_128_no_df_personalizationstring[] =
12694 + 0xce,0xfb,0x7b,0x3f,0xd4,0x6b,0x29,0x0d,0x69,0x06,0xff,0xbb,
12695 + 0xf2,0xe5,0xc6,0x6c,0x0a,0x10,0xa0,0xcf,0x1a,0x48,0xc7,0x8b,
12696 + 0x3c,0x16,0x88,0xed,0x50,0x13,0x81,0xce
12700 +static const unsigned char aes_128_no_df_additionalinput[] =
12702 + 0x4b,0x22,0x46,0x18,0x02,0x7b,0xd2,0x1b,0x22,0x42,0x7c,0x37,
12703 + 0xd9,0xf6,0xe8,0x9b,0x12,0x30,0x5f,0xe9,0x90,0xe8,0x08,0x24,
12704 + 0x4f,0x06,0x66,0xdb,0x19,0x2b,0x13,0x95
12708 +static const unsigned char aes_128_no_df_int_returnedbits[] =
12710 + 0x2e,0x96,0x70,0x64,0xfa,0xdf,0xdf,0x57,0xb5,0x82,0xee,0xd6,
12711 + 0xed,0x3e,0x65,0xc2
12715 +static const unsigned char aes_128_no_df_entropyinputreseed[] =
12717 + 0x26,0xc0,0x72,0x16,0x3a,0x4b,0xb7,0x99,0xd4,0x07,0xaf,0x66,
12718 + 0x62,0x36,0x96,0xa4,0x51,0x17,0xfa,0x07,0x8b,0x17,0x5e,0xa1,
12719 + 0x2f,0x3c,0x10,0xe7,0x90,0xd0,0x46,0x00
12723 +static const unsigned char aes_128_no_df_additionalinputreseed[] =
12725 + 0x83,0x39,0x37,0x7b,0x02,0x06,0xd2,0x12,0x13,0x8d,0x8b,0xf2,
12726 + 0xf0,0xf6,0x26,0xeb,0xa4,0x22,0x7b,0xc2,0xe7,0xba,0x79,0xe4,
12727 + 0x3b,0x77,0x5d,0x4d,0x47,0xb2,0x2d,0xb4
12731 +static const unsigned char aes_128_no_df_additionalinput2[] =
12733 + 0x0b,0xb9,0x67,0x37,0xdb,0x83,0xdf,0xca,0x81,0x8b,0xf9,0x3f,
12734 + 0xf1,0x11,0x1b,0x2f,0xf0,0x61,0xa6,0xdf,0xba,0xa3,0xb1,0xac,
12735 + 0xd3,0xe6,0x09,0xb8,0x2c,0x6a,0x67,0xd6
12739 +static const unsigned char aes_128_no_df_returnedbits[] =
12741 + 0x1e,0xa7,0xa4,0xe4,0xe1,0xa6,0x7c,0x69,0x9a,0x44,0x6c,0x36,
12742 + 0x81,0x37,0x19,0xd4
12746 +/* AES-192 no df PR */
12748 +static const unsigned char aes_192_no_df_pr_entropyinput[] =
12750 + 0x9d,0x2c,0xd2,0x55,0x66,0xea,0xe0,0xbe,0x18,0xb7,0x76,0xe7,
12751 + 0x73,0x35,0xd8,0x1f,0xad,0x3a,0xe3,0x81,0x0e,0x92,0xd0,0x61,
12752 + 0xc9,0x12,0x26,0xf6,0x1c,0xdf,0xfe,0x47,0xaa,0xfe,0x7d,0x5a,
12753 + 0x17,0x1f,0x8d,0x9a
12757 +static const unsigned char aes_192_no_df_pr_nonce[] =
12759 + 0x44,0x82,0xed,0xe8,0x4c,0x28,0x5a,0x14,0xff,0x88,0x8d,0x19,
12760 + 0x61,0x5c,0xee,0x0f
12764 +static const unsigned char aes_192_no_df_pr_personalizationstring[] =
12766 + 0x47,0xd7,0x9b,0x99,0xaa,0xcb,0xe7,0xd2,0x57,0x66,0x2c,0xe1,
12767 + 0x78,0xd6,0x2c,0xea,0xa3,0x23,0x5f,0x2a,0xc1,0x3a,0xf0,0xa4,
12768 + 0x20,0x3b,0xfa,0x07,0xd5,0x05,0x02,0xe4,0x57,0x01,0xb6,0x10,
12769 + 0x57,0x2e,0xe7,0x55
12773 +static const unsigned char aes_192_no_df_pr_additionalinput[] =
12775 + 0x4b,0x74,0x0b,0x40,0xce,0x6b,0xc2,0x6a,0x24,0xb4,0xf3,0xad,
12776 + 0x7a,0xa5,0x7a,0xa2,0x15,0xe2,0xc8,0x61,0x15,0xc6,0xb7,0x85,
12777 + 0x69,0x11,0xad,0x7b,0x14,0xd2,0xf6,0x12,0xa1,0x95,0x5d,0x3f,
12778 + 0xe2,0xd0,0x0c,0x2f
12782 +static const unsigned char aes_192_no_df_pr_entropyinputpr[] =
12784 + 0x0c,0x9c,0xad,0x05,0xee,0xae,0x48,0x23,0x89,0x59,0xa1,0x94,
12785 + 0xd7,0xd8,0x75,0xd5,0x54,0x93,0xc7,0x4a,0xd9,0x26,0xde,0xeb,
12786 + 0xba,0xb0,0x7e,0x30,0x1d,0x5f,0x69,0x40,0x9c,0x3b,0x17,0x58,
12787 + 0x1d,0x30,0xb3,0x78
12791 +static const unsigned char aes_192_no_df_pr_int_returnedbits[] =
12793 + 0xf7,0x93,0xb0,0x6d,0x77,0x83,0xd5,0x38,0x01,0xe1,0x52,0x40,
12794 + 0x7e,0x3e,0x0c,0x26
12798 +static const unsigned char aes_192_no_df_pr_additionalinput2[] =
12800 + 0xbc,0x4b,0x37,0x44,0x1c,0xc5,0x45,0x5f,0x8f,0x51,0x62,0x8a,
12801 + 0x85,0x30,0x1d,0x7c,0xe4,0xcf,0xf7,0x44,0xce,0x32,0x3e,0x57,
12802 + 0x95,0xa4,0x2a,0xdf,0xfd,0x9e,0x38,0x41,0xb3,0xf6,0xc5,0xee,
12803 + 0x0c,0x4b,0xee,0x6e
12807 +static const unsigned char aes_192_no_df_pr_entropyinputpr2[] =
12809 + 0xec,0xaf,0xf6,0x4f,0xb1,0xa0,0x54,0xb5,0x5b,0xe3,0x46,0xb0,
12810 + 0x76,0x5a,0x7c,0x3f,0x7b,0x94,0x69,0x21,0x51,0x02,0xe5,0x9f,
12811 + 0x04,0x59,0x02,0x98,0xc6,0x43,0x2c,0xcc,0x26,0x4c,0x87,0x6b,
12812 + 0x8e,0x0a,0x83,0xdf
12816 +static const unsigned char aes_192_no_df_pr_returnedbits[] =
12818 + 0x74,0x45,0xfb,0x53,0x84,0x96,0xbe,0xff,0x15,0xcc,0x41,0x91,
12819 + 0xb9,0xa1,0x21,0x68
12823 +/* AES-192 no df No PR */
12825 +static const unsigned char aes_192_no_df_entropyinput[] =
12827 + 0x3c,0x7d,0xb5,0xe0,0x54,0xd9,0x6e,0x8c,0xa9,0x86,0xce,0x4e,
12828 + 0x6b,0xaf,0xeb,0x2f,0xe7,0x75,0xe0,0x8b,0xa4,0x3b,0x07,0xfe,
12829 + 0xbe,0x33,0x75,0x93,0x80,0x27,0xb5,0x29,0x47,0x8b,0xc7,0x28,
12830 + 0x94,0xc3,0x59,0x63
12834 +static const unsigned char aes_192_no_df_nonce[] =
12836 + 0x43,0xf1,0x7d,0xb8,0xc3,0xfe,0xd0,0x23,0x6b,0xb4,0x92,0xdb,
12837 + 0x29,0xfd,0x45,0x71
12841 +static const unsigned char aes_192_no_df_personalizationstring[] =
12843 + 0x9f,0x24,0x29,0x99,0x9e,0x01,0xab,0xe9,0x19,0xd8,0x23,0x08,
12844 + 0xb7,0xd6,0x7e,0x8c,0xc0,0x9e,0x7f,0x6e,0x5b,0x33,0x20,0x96,
12845 + 0x0b,0x23,0x2c,0xa5,0x6a,0xf8,0x1b,0x04,0x26,0xdb,0x2e,0x2b,
12846 + 0x3b,0x88,0xce,0x35
12850 +static const unsigned char aes_192_no_df_additionalinput[] =
12852 + 0x94,0xe9,0x7c,0x3d,0xa7,0xdb,0x60,0x83,0x1f,0x98,0x3f,0x0b,
12853 + 0x88,0x59,0x57,0x51,0x88,0x9f,0x76,0x49,0x9f,0xa6,0xda,0x71,
12854 + 0x1d,0x0d,0x47,0x16,0x63,0xc5,0x68,0xe4,0x5d,0x39,0x69,0xb3,
12855 + 0x3e,0xbe,0xd4,0x8e
12859 +static const unsigned char aes_192_no_df_int_returnedbits[] =
12861 + 0xf9,0xd7,0xad,0x69,0xab,0x8f,0x23,0x56,0x70,0x17,0x4f,0x2a,
12862 + 0x45,0xe7,0x4a,0xc5
12866 +static const unsigned char aes_192_no_df_entropyinputreseed[] =
12868 + 0xa6,0x71,0x6a,0x3d,0xba,0xd1,0xe8,0x66,0xa6,0xef,0xb2,0x0e,
12869 + 0xa8,0x9c,0xaa,0x4e,0xaf,0x17,0x89,0x50,0x00,0xda,0xa1,0xb1,
12870 + 0x0b,0xa4,0xd9,0x35,0x89,0xc8,0xe5,0xb0,0xd9,0xb7,0xc4,0x33,
12871 + 0x9b,0xcb,0x7e,0x75
12875 +static const unsigned char aes_192_no_df_additionalinputreseed[] =
12877 + 0x27,0x21,0xfc,0xc2,0xbd,0xf3,0x3c,0xce,0xc3,0xca,0xc1,0x01,
12878 + 0xe0,0xff,0x93,0x12,0x7d,0x54,0x42,0xe3,0x9f,0x03,0xdf,0x27,
12879 + 0x04,0x07,0x3c,0x53,0x7f,0xa8,0x66,0xc8,0x97,0x4b,0x61,0x40,
12880 + 0x5d,0x7a,0x25,0x79
12884 +static const unsigned char aes_192_no_df_additionalinput2[] =
12886 + 0x2d,0x8e,0x16,0x5d,0x0b,0x9f,0xeb,0xaa,0xd6,0xec,0x28,0x71,
12887 + 0x7c,0x0b,0xc1,0x1d,0xd4,0x44,0x19,0x47,0xfd,0x1d,0x7c,0xe5,
12888 + 0xf3,0x27,0xe1,0xb6,0x72,0x0a,0xe0,0xec,0x0e,0xcd,0xef,0x1a,
12889 + 0x91,0x6a,0xe3,0x5f
12893 +static const unsigned char aes_192_no_df_returnedbits[] =
12895 + 0xe5,0xda,0xb8,0xe0,0x63,0x59,0x5a,0xcc,0x3d,0xdc,0x9f,0xe8,
12896 + 0x66,0x67,0x2c,0x92
12900 +/* AES-256 no df PR */
12902 +static const unsigned char aes_256_no_df_pr_entropyinput[] =
12904 + 0x15,0xc7,0x5d,0xcb,0x41,0x4b,0x16,0x01,0x3a,0xd1,0x44,0xe8,
12905 + 0x22,0x32,0xc6,0x9c,0x3f,0xe7,0x43,0xf5,0x9a,0xd3,0xea,0xf2,
12906 + 0xd7,0x4e,0x6e,0x6a,0x55,0x73,0x40,0xef,0x89,0xad,0x0d,0x03,
12907 + 0x96,0x7e,0x78,0x81,0x2f,0x91,0x1b,0x44,0xb0,0x02,0xba,0x1c
12911 +static const unsigned char aes_256_no_df_pr_nonce[] =
12913 + 0xdc,0xe4,0xd4,0x27,0x7a,0x90,0xd7,0x99,0x43,0xa1,0x3c,0x30,
12914 + 0xcc,0x4b,0xee,0x2e
12918 +static const unsigned char aes_256_no_df_pr_personalizationstring[] =
12920 + 0xe3,0xe6,0xb9,0x11,0xe4,0x7a,0xa4,0x40,0x6b,0xf8,0x73,0xf7,
12921 + 0x7e,0xec,0xc7,0xb9,0x97,0xbf,0xf8,0x25,0x7b,0xbe,0x11,0x9b,
12922 + 0x5b,0x6a,0x0c,0x2e,0x2b,0x01,0x51,0xcd,0x41,0x4b,0x6b,0xac,
12923 + 0x31,0xa8,0x0b,0xf7,0xe6,0x59,0x42,0xb8,0x03,0x0c,0xf8,0x06
12927 +static const unsigned char aes_256_no_df_pr_additionalinput[] =
12929 + 0x6a,0x9f,0x00,0x91,0xae,0xfe,0xcf,0x84,0x99,0xce,0xb1,0x40,
12930 + 0x6d,0x5d,0x33,0x28,0x84,0xf4,0x8c,0x63,0x4c,0x7e,0xbd,0x2c,
12931 + 0x80,0x76,0xee,0x5a,0xaa,0x15,0x07,0x31,0xd8,0xbb,0x8c,0x69,
12932 + 0x9d,0x9d,0xbc,0x7e,0x49,0xae,0xec,0x39,0x6b,0xd1,0x1f,0x7e
12936 +static const unsigned char aes_256_no_df_pr_entropyinputpr[] =
12938 + 0xf3,0xb9,0x75,0x9c,0xbd,0x88,0xea,0xa2,0x50,0xad,0xd6,0x16,
12939 + 0x1a,0x12,0x3c,0x86,0x68,0xaf,0x6f,0xbe,0x19,0xf2,0xee,0xcc,
12940 + 0xa5,0x70,0x84,0x53,0x50,0xcb,0x9f,0x14,0xa9,0xe5,0xee,0xb9,
12941 + 0x48,0x45,0x40,0xe2,0xc7,0xc9,0x9a,0x74,0xff,0x8c,0x99,0x1f
12945 +static const unsigned char aes_256_no_df_pr_int_returnedbits[] =
12947 + 0x2e,0xf2,0x45,0x4c,0x62,0x2e,0x0a,0xb9,0x6b,0xa2,0xfd,0x56,
12948 + 0x79,0x60,0x93,0xcf
12952 +static const unsigned char aes_256_no_df_pr_additionalinput2[] =
12954 + 0xaf,0x69,0x20,0xe9,0x3b,0x37,0x9d,0x3f,0xb4,0x80,0x02,0x7a,
12955 + 0x25,0x7d,0xb8,0xde,0x71,0xc5,0x06,0x0c,0xb4,0xe2,0x8f,0x35,
12956 + 0xd8,0x14,0x0d,0x7f,0x76,0x63,0x4e,0xb5,0xee,0xe9,0x6f,0x34,
12957 + 0xc7,0x5f,0x56,0x14,0x4a,0xe8,0x73,0x95,0x5b,0x1c,0xb9,0xcb
12961 +static const unsigned char aes_256_no_df_pr_entropyinputpr2[] =
12963 + 0xe5,0xb0,0x2e,0x7e,0x52,0x30,0xe3,0x63,0x82,0xb6,0x44,0xd3,
12964 + 0x25,0x19,0x05,0x24,0x9a,0x9f,0x5f,0x27,0x6a,0x29,0xab,0xfa,
12965 + 0x07,0xa2,0x42,0x0f,0xc5,0xa8,0x94,0x7c,0x17,0x7b,0x85,0x83,
12966 + 0x0c,0x25,0x0e,0x63,0x0b,0xe9,0x12,0x60,0xcd,0xef,0x80,0x0f
12970 +static const unsigned char aes_256_no_df_pr_returnedbits[] =
12972 + 0x5e,0xf2,0x26,0xef,0x9f,0x58,0x5d,0xd5,0x4a,0x10,0xfe,0xa7,
12973 + 0x2d,0x5f,0x4a,0x46
12977 +/* AES-256 no df No PR */
12979 +static const unsigned char aes_256_no_df_entropyinput[] =
12981 + 0xfb,0xcf,0x1b,0x61,0x16,0x89,0x78,0x23,0xf5,0xd8,0x96,0xe3,
12982 + 0x4e,0x64,0x0b,0x29,0x9a,0x3f,0xf8,0xa5,0xed,0xf2,0xfe,0xdb,
12983 + 0x16,0xca,0x7f,0x10,0xfa,0x5e,0x18,0x76,0x2c,0x63,0x5e,0x96,
12984 + 0xcf,0xb3,0xd6,0xfc,0xaf,0x99,0x39,0x28,0x9c,0x61,0xe8,0xb3
12988 +static const unsigned char aes_256_no_df_nonce[] =
12990 + 0x12,0x96,0xf0,0x52,0xf3,0x8d,0x81,0xcf,0xde,0x86,0xf2,0x99,
12991 + 0x43,0x96,0xb9,0xf0
12995 +static const unsigned char aes_256_no_df_personalizationstring[] =
12997 + 0x63,0x0d,0x78,0xf5,0x90,0x8e,0x32,0x47,0xb0,0x4d,0x37,0x60,
12998 + 0x09,0x96,0xbc,0xbf,0x97,0x7a,0x62,0x14,0x45,0xbd,0x8d,0xcc,
12999 + 0x69,0xfb,0x03,0xe1,0x80,0x1c,0xc7,0xe2,0x2a,0xf9,0x37,0x3f,
13000 + 0x66,0x4d,0x62,0xd9,0x10,0xe0,0xad,0xc8,0x9a,0xf0,0xa8,0x6d
13004 +static const unsigned char aes_256_no_df_additionalinput[] =
13006 + 0x36,0xc6,0x13,0x60,0xbb,0x14,0xad,0x22,0xb0,0x38,0xac,0xa6,
13007 + 0x18,0x16,0x93,0x25,0x86,0xb7,0xdc,0xdc,0x36,0x98,0x2b,0xf9,
13008 + 0x68,0x33,0xd3,0xc6,0xff,0xce,0x8d,0x15,0x59,0x82,0x76,0xed,
13009 + 0x6f,0x8d,0x49,0x74,0x2f,0xda,0xdc,0x1f,0x17,0xd0,0xde,0x17
13013 +static const unsigned char aes_256_no_df_int_returnedbits[] =
13015 + 0x16,0x2f,0x8e,0x3f,0x21,0x7a,0x1c,0x20,0x56,0xd1,0x92,0xf6,
13016 + 0xd2,0x25,0x75,0x0e
13020 +static const unsigned char aes_256_no_df_entropyinputreseed[] =
13022 + 0x91,0x79,0x76,0xee,0xe0,0xcf,0x9e,0xc2,0xd5,0xd4,0x23,0x9b,
13023 + 0x12,0x8c,0x7e,0x0a,0xb7,0xd2,0x8b,0xd6,0x7c,0xa3,0xc6,0xe5,
13024 + 0x0e,0xaa,0xc7,0x6b,0xae,0x0d,0xfa,0x53,0x06,0x79,0xa1,0xed,
13025 + 0x4d,0x6a,0x0e,0xd8,0x9d,0xbe,0x1b,0x31,0x93,0x7b,0xec,0xfb
13029 +static const unsigned char aes_256_no_df_additionalinputreseed[] =
13031 + 0xd2,0x46,0x50,0x22,0x10,0x14,0x63,0xf7,0xea,0x0f,0xb9,0x7e,
13032 + 0x0d,0xe1,0x94,0x07,0xaf,0x09,0x44,0x31,0xea,0x64,0xa4,0x18,
13033 + 0x5b,0xf9,0xd8,0xc2,0xfa,0x03,0x47,0xc5,0x39,0x43,0xd5,0x3b,
13034 + 0x62,0x86,0x64,0xea,0x2c,0x73,0x8c,0xae,0x9d,0x98,0x98,0x29
13038 +static const unsigned char aes_256_no_df_additionalinput2[] =
13040 + 0x8c,0xab,0x18,0xf8,0xc3,0xec,0x18,0x5c,0xb3,0x1e,0x9d,0xbe,
13041 + 0x3f,0x03,0xb4,0x00,0x98,0x9d,0xae,0xeb,0xf4,0x94,0xf8,0x42,
13042 + 0x8f,0xe3,0x39,0x07,0xe1,0xc9,0xad,0x0b,0x1f,0xed,0xc0,0xba,
13043 + 0xf6,0xd1,0xec,0x27,0x86,0x7b,0xd6,0x55,0x9b,0x60,0xa5,0xc6
13047 +static const unsigned char aes_256_no_df_returnedbits[] =
13049 + 0xef,0xd2,0xd8,0x5c,0xdc,0x62,0x25,0x9f,0xaa,0x1e,0x2c,0x67,
13050 + 0xf6,0x02,0x32,0xe2
13056 +static const unsigned char sha1_pr_entropyinput[] =
13058 + 0xd2,0x36,0xa5,0x27,0x31,0x73,0xdd,0x11,0x4f,0x93,0xbd,0xe2,
13059 + 0x31,0xa5,0x91,0x13
13063 +static const unsigned char sha1_pr_nonce[] =
13065 + 0xb5,0xb3,0x60,0xef,0xf7,0x63,0x31,0xf3
13069 +static const unsigned char sha1_pr_personalizationstring[] =
13071 + 0xd4,0xbb,0x02,0x10,0xb2,0x71,0xdb,0x81,0xd6,0xf0,0x42,0x60,
13072 + 0xda,0xea,0x77,0x52
13076 +static const unsigned char sha1_pr_additionalinput[] =
13078 + 0x4d,0xd2,0x6c,0x87,0xfb,0x2c,0x4f,0xa6,0x8d,0x16,0x63,0x22,
13079 + 0x6a,0x51,0xe3,0xf8
13083 +static const unsigned char sha1_pr_entropyinputpr[] =
13085 + 0xc9,0x83,0x9e,0x16,0xf6,0x1c,0x0f,0xb2,0xec,0x60,0x31,0xa9,
13086 + 0xcb,0xa9,0x36,0x7a
13090 +static const unsigned char sha1_pr_int_returnedbits[] =
13092 + 0xa8,0x13,0x4f,0xf4,0x31,0x02,0x44,0xe3,0xd3,0x3d,0x61,0x9e,
13093 + 0xe5,0xc6,0x3e,0x89,0xb5,0x9b,0x0f,0x35
13097 +static const unsigned char sha1_pr_additionalinput2[] =
13099 + 0xf9,0xe8,0xd2,0x72,0x13,0x34,0x95,0x6f,0x15,0x49,0x47,0x99,
13100 + 0x16,0x03,0x19,0x47
13104 +static const unsigned char sha1_pr_entropyinputpr2[] =
13106 + 0x4e,0x8c,0x49,0x9b,0x4a,0x5c,0x9b,0x9c,0x3a,0xee,0xfb,0xd2,
13107 + 0xae,0xcd,0x8c,0xc4
13111 +static const unsigned char sha1_pr_returnedbits[] =
13113 + 0x50,0xb4,0xb4,0xcd,0x68,0x57,0xfc,0x2e,0xc1,0x52,0xcc,0xf6,
13114 + 0x68,0xa4,0x81,0xed,0x7e,0xe4,0x1d,0x87
13120 +static const unsigned char sha1_entropyinput[] =
13122 + 0xa9,0x47,0x1b,0x29,0x2d,0x1c,0x05,0xdf,0x76,0xd0,0x62,0xf9,
13123 + 0xe2,0x7f,0x4c,0x7b
13127 +static const unsigned char sha1_nonce[] =
13129 + 0x53,0x23,0x24,0xe3,0xec,0x0c,0x54,0x14
13133 +static const unsigned char sha1_personalizationstring[] =
13135 + 0x7a,0x87,0xa1,0xac,0x1c,0xfd,0xab,0xae,0xf7,0xd6,0xfb,0x76,
13136 + 0x28,0xec,0x6d,0xca
13140 +static const unsigned char sha1_additionalinput[] =
13142 + 0xfc,0x92,0x35,0xd6,0x7e,0xb7,0x24,0x65,0xfd,0x12,0x27,0x35,
13143 + 0xc0,0x72,0xca,0x28
13147 +static const unsigned char sha1_int_returnedbits[] =
13149 + 0x57,0x88,0x82,0xe5,0x25,0xa5,0x2c,0x4a,0x06,0x20,0x6c,0x72,
13150 + 0x55,0x61,0xdd,0x90,0x71,0x9f,0x95,0xea
13154 +static const unsigned char sha1_entropyinputreseed[] =
13156 + 0x69,0xa5,0x40,0x62,0x98,0x47,0x56,0x73,0x4a,0x8f,0x60,0x96,
13157 + 0xd6,0x99,0x27,0xed
13161 +static const unsigned char sha1_additionalinputreseed[] =
13163 + 0xe5,0x40,0x4e,0xbd,0x50,0x00,0xf5,0x15,0xa6,0xee,0x45,0xda,
13164 + 0x84,0x3d,0xd4,0xc0
13168 +static const unsigned char sha1_additionalinput2[] =
13170 + 0x11,0x51,0x14,0xf0,0x09,0x1b,0x4e,0x56,0x0d,0xe9,0xf6,0x1e,
13171 + 0x52,0x65,0xcd,0x96
13175 +static const unsigned char sha1_returnedbits[] =
13177 + 0xa1,0x9c,0x94,0x6e,0x29,0xe1,0x33,0x0d,0x32,0xd6,0xaa,0xce,
13178 + 0x71,0x3f,0x52,0x72,0x8b,0x42,0xa8,0xd7
13184 +static const unsigned char sha224_pr_entropyinput[] =
13186 + 0x12,0x69,0x32,0x4f,0x83,0xa6,0xf5,0x14,0xe3,0x49,0x3e,0x75,
13187 + 0x3e,0xde,0xad,0xa1,0x29,0xc3,0xf3,0x19,0x20,0xb5,0x4c,0xd9
13191 +static const unsigned char sha224_pr_nonce[] =
13193 + 0x6a,0x78,0xd0,0xeb,0xbb,0x5a,0xf0,0xee,0xe8,0xc3,0xba,0x71
13197 +static const unsigned char sha224_pr_personalizationstring[] =
13199 + 0xd5,0xb8,0xb6,0xbc,0xc1,0x5b,0x60,0x31,0x3c,0xf5,0xe5,0xc0,
13200 + 0x8e,0x52,0x7a,0xbd,0xea,0x47,0xa9,0x5f,0x8f,0xf9,0x8b,0xae
13204 +static const unsigned char sha224_pr_additionalinput[] =
13206 + 0x1f,0x55,0xec,0xae,0x16,0x12,0x84,0xba,0x84,0x16,0x19,0x88,
13207 + 0x8e,0xb8,0x33,0x25,0x54,0xff,0xca,0x79,0xaf,0x07,0x25,0x50
13211 +static const unsigned char sha224_pr_entropyinputpr[] =
13213 + 0x92,0xa3,0x32,0xa8,0x9a,0x0a,0x58,0x7c,0x1d,0x5a,0x7e,0xe1,
13214 + 0xb2,0x73,0xab,0x0e,0x16,0x79,0x23,0xd3,0x29,0x89,0x81,0xe1
13218 +static const unsigned char sha224_pr_int_returnedbits[] =
13220 + 0xf3,0x38,0x91,0x40,0x37,0x7a,0x51,0x72,0x42,0x74,0x78,0x0a,
13221 + 0x69,0xfd,0xa6,0x44,0x43,0x45,0x6c,0x0c,0x5a,0x19,0xff,0xf1,
13222 + 0x54,0x60,0xee,0x6a
13226 +static const unsigned char sha224_pr_additionalinput2[] =
13228 + 0x75,0xf3,0x04,0x25,0xdd,0x36,0xa8,0x37,0x46,0xae,0x0c,0x52,
13229 + 0x05,0x79,0x4c,0x26,0xdb,0xe9,0x71,0x16,0x4c,0x0a,0xf2,0x60
13233 +static const unsigned char sha224_pr_entropyinputpr2[] =
13235 + 0xea,0xc5,0x03,0x0a,0x4f,0xb0,0x38,0x8d,0x23,0xd4,0xc8,0x77,
13236 + 0xe2,0x6d,0x9c,0x0b,0x44,0xf7,0x2d,0x5b,0xbf,0x5d,0x2a,0x11
13240 +static const unsigned char sha224_pr_returnedbits[] =
13242 + 0x60,0x50,0x2b,0xe7,0x86,0xd8,0x26,0x73,0xe3,0x1d,0x95,0x20,
13243 + 0xb3,0x2c,0x32,0x1c,0xf5,0xce,0x57,0xa6,0x67,0x2b,0xdc,0x4e,
13244 + 0xdd,0x11,0x4c,0xc4
13248 +/* SHA-224 No PR */
13250 +static const unsigned char sha224_entropyinput[] =
13252 + 0xb2,0x1c,0x77,0x4d,0xf6,0xd3,0xb6,0x40,0xb7,0x30,0x3e,0x29,
13253 + 0xb0,0x85,0x1c,0xbe,0x4a,0xea,0x6b,0x5a,0xb5,0x8a,0x97,0xeb
13257 +static const unsigned char sha224_nonce[] =
13259 + 0x42,0x02,0x0a,0x1c,0x98,0x9a,0x77,0x9e,0x9f,0x80,0xba,0xe0
13263 +static const unsigned char sha224_personalizationstring[] =
13265 + 0x98,0xb8,0x04,0x41,0xfc,0xc1,0x5d,0xc5,0xe9,0xb9,0x08,0xda,
13266 + 0xf9,0xfa,0x0d,0x90,0xce,0xdf,0x1d,0x10,0xa9,0x8d,0x50,0x0c
13270 +static const unsigned char sha224_additionalinput[] =
13272 + 0x9a,0x8d,0x39,0x49,0x42,0xd5,0x0b,0xae,0xe1,0xaf,0xb7,0x00,
13273 + 0x02,0xfa,0x96,0xb1,0xa5,0x1d,0x2d,0x25,0x78,0xee,0x83,0x3f
13277 +static const unsigned char sha224_int_returnedbits[] =
13279 + 0xe4,0xf5,0x53,0x79,0x5a,0x97,0x58,0x06,0x08,0xba,0x7b,0xfa,
13280 + 0xf0,0x83,0x05,0x8c,0x22,0xc0,0xc9,0xdb,0x15,0xe7,0xde,0x20,
13281 + 0x55,0x22,0x9a,0xad
13285 +static const unsigned char sha224_entropyinputreseed[] =
13287 + 0x67,0x09,0x48,0xaa,0x07,0x16,0x99,0x89,0x7f,0x6d,0xa0,0xe5,
13288 + 0x8f,0xdf,0xbc,0xdb,0xfe,0xe5,0x6c,0x7a,0x95,0x4a,0x66,0x17
13292 +static const unsigned char sha224_additionalinputreseed[] =
13294 + 0x0f,0x4b,0x1c,0x6f,0xb7,0xe3,0x47,0xe5,0x5d,0x7d,0x38,0xd6,
13295 + 0x28,0x9b,0xeb,0x55,0x63,0x09,0x3e,0x7c,0x56,0xea,0xf8,0x19
13299 +static const unsigned char sha224_additionalinput2[] =
13301 + 0x2d,0x26,0x7c,0x37,0xe4,0x7a,0x28,0x5e,0x5a,0x3c,0xaf,0x3d,
13302 + 0x5a,0x8e,0x55,0xa2,0x1a,0x6e,0xc0,0xe5,0xf6,0x21,0xd3,0xf6
13306 +static const unsigned char sha224_returnedbits[] =
13308 + 0x4d,0x83,0x35,0xdf,0x67,0xa9,0xfc,0x17,0xda,0x70,0xcc,0x8b,
13309 + 0x7f,0x77,0xae,0xa2,0x5f,0xb9,0x7e,0x74,0x4c,0x26,0xc1,0x7a,
13310 + 0x3b,0xa7,0x5c,0x93
13316 +static const unsigned char sha256_pr_entropyinput[] =
13318 + 0xce,0x49,0x00,0x7a,0x56,0xe3,0x67,0x8f,0xe1,0xb6,0xa7,0xd4,
13319 + 0x4f,0x08,0x7a,0x1b,0x01,0xf4,0xfa,0x6b,0xef,0xb7,0xe5,0xeb,
13320 + 0x07,0x3d,0x11,0x0d,0xc8,0xea,0x2b,0xfe
13324 +static const unsigned char sha256_pr_nonce[] =
13326 + 0x73,0x41,0xc8,0x92,0x94,0xe2,0xc5,0x5f,0x93,0xfd,0x39,0x5d,
13327 + 0x2b,0x91,0x4d,0x38
13331 +static const unsigned char sha256_pr_personalizationstring[] =
13333 + 0x50,0x6d,0x01,0x01,0x07,0x5a,0x80,0x35,0x7a,0x56,0x1a,0x56,
13334 + 0x2f,0x9a,0x0b,0x35,0xb2,0xb1,0xc9,0xe5,0xca,0x69,0x61,0x48,
13335 + 0xff,0xfb,0x0f,0xd9,0x4b,0x79,0x1d,0xba
13339 +static const unsigned char sha256_pr_additionalinput[] =
13341 + 0x20,0xb8,0xdf,0x44,0x77,0x5a,0xb8,0xd3,0xbf,0xf6,0xcf,0xac,
13342 + 0x5e,0xa6,0x96,0x62,0x73,0x44,0x40,0x4a,0x30,0xfb,0x38,0xa5,
13343 + 0x7b,0x0d,0xe4,0x0d,0xc6,0xe4,0x9a,0x1f
13347 +static const unsigned char sha256_pr_entropyinputpr[] =
13349 + 0x04,0xc4,0x65,0xf4,0xd3,0xbf,0x83,0x4b,0xab,0xc8,0x41,0xa8,
13350 + 0xc2,0xe0,0x44,0x63,0x77,0x4c,0x6f,0x6c,0x49,0x46,0xff,0x94,
13351 + 0x17,0xea,0xe6,0x1a,0x9d,0x5e,0x66,0x78
13355 +static const unsigned char sha256_pr_int_returnedbits[] =
13357 + 0x07,0x4d,0xac,0x9b,0x86,0xca,0x4a,0xaa,0x6e,0x7a,0x03,0xa2,
13358 + 0x5d,0x10,0xea,0x0b,0xf9,0x83,0xcc,0xd1,0xfc,0xe2,0x07,0xc7,
13359 + 0x06,0x34,0x60,0x6f,0x83,0x94,0x99,0x76
13363 +static const unsigned char sha256_pr_additionalinput2[] =
13365 + 0x89,0x4e,0x45,0x8c,0x11,0xf9,0xbc,0x5b,0xac,0x74,0x8b,0x4b,
13366 + 0x5f,0xf7,0x19,0xf3,0xf5,0x24,0x54,0x14,0xd1,0x15,0xb1,0x43,
13367 + 0x12,0xa4,0x5f,0xd4,0xec,0xfc,0xcd,0x09
13371 +static const unsigned char sha256_pr_entropyinputpr2[] =
13373 + 0x0e,0xeb,0x1f,0xd7,0xfc,0xd1,0x9d,0xd4,0x05,0x36,0x8b,0xb2,
13374 + 0xfb,0xe4,0xf4,0x51,0x0c,0x87,0x9b,0x02,0x44,0xd5,0x92,0x4d,
13375 + 0x44,0xfe,0x1a,0x03,0x43,0x56,0xbd,0x86
13379 +static const unsigned char sha256_pr_returnedbits[] =
13381 + 0x02,0xaa,0xb6,0x1d,0x7e,0x2a,0x40,0x03,0x69,0x2d,0x49,0xa3,
13382 + 0x41,0xe7,0x44,0x0b,0xaf,0x7b,0x85,0xe4,0x5f,0x53,0x3b,0x64,
13383 + 0xbc,0x89,0xc8,0x82,0xd4,0x78,0x37,0xa2
13387 +/* SHA-256 No PR */
13389 +static const unsigned char sha256_entropyinput[] =
13391 + 0x5b,0x1b,0xec,0x4d,0xa9,0x38,0x74,0x5a,0x34,0x0b,0x7b,0xc5,
13392 + 0xe5,0xd7,0x66,0x7c,0xbc,0x82,0xb9,0x0e,0x2d,0x1f,0x92,0xd7,
13393 + 0xc1,0xbc,0x67,0x69,0xec,0x6b,0x03,0x3c
13397 +static const unsigned char sha256_nonce[] =
13399 + 0xa4,0x0c,0xd8,0x9c,0x61,0xd8,0xc3,0x54,0xfe,0x53,0xc9,0xe5,
13400 + 0x5d,0x6f,0x6d,0x35
13404 +static const unsigned char sha256_personalizationstring[] =
13406 + 0x22,0x5e,0x62,0x93,0x42,0x83,0x78,0x24,0xd8,0x40,0x8c,0xde,
13407 + 0x6f,0xf9,0xa4,0x7a,0xc5,0xa7,0x3b,0x88,0xa3,0xee,0x42,0x20,
13408 + 0xfd,0x61,0x56,0xc6,0x4c,0x13,0x41,0x9c
13412 +static const unsigned char sha256_additionalinput[] =
13414 + 0xbf,0x74,0x5b,0xf6,0xc5,0x64,0x5e,0x99,0x34,0x8f,0xbc,0xa4,
13415 + 0xe2,0xbd,0xd8,0x85,0x26,0x37,0xea,0xba,0x4f,0xf2,0x9a,0x9a,
13416 + 0x66,0xfc,0xdf,0x63,0x26,0x26,0x19,0x87
13420 +static const unsigned char sha256_int_returnedbits[] =
13422 + 0xb3,0xc6,0x07,0x07,0xd6,0x75,0xf6,0x2b,0xd6,0x21,0x96,0xf1,
13423 + 0xae,0xdb,0x2b,0xac,0x25,0x2a,0xae,0xae,0x41,0x72,0x03,0x5e,
13424 + 0xbf,0xd3,0x64,0xbc,0x59,0xf9,0xc0,0x76
13428 +static const unsigned char sha256_entropyinputreseed[] =
13430 + 0xbf,0x20,0x33,0x56,0x29,0xa8,0x37,0x04,0x1f,0x78,0x34,0x3d,
13431 + 0x81,0x2a,0xc9,0x86,0xc6,0x7a,0x2f,0x88,0x5e,0xd5,0xbe,0x34,
13432 + 0x46,0x20,0xa4,0x35,0xeb,0xc7,0xe2,0x9d
13436 +static const unsigned char sha256_additionalinputreseed[] =
13438 + 0x9b,0xae,0x2d,0x2d,0x61,0xa4,0x89,0xeb,0x43,0x46,0xa7,0xda,
13439 + 0xef,0x40,0xca,0x4a,0x99,0x11,0x41,0xdc,0x5c,0x94,0xe9,0xac,
13440 + 0xd4,0xd0,0xe6,0xbd,0xfb,0x03,0x9c,0xa8
13444 +static const unsigned char sha256_additionalinput2[] =
13446 + 0x23,0xaa,0x0c,0xbd,0x28,0x33,0xe2,0x51,0xfc,0x71,0xd2,0x15,
13447 + 0x1f,0x76,0xfd,0x0d,0xe0,0xb7,0xb5,0x84,0x75,0x5b,0xbe,0xf3,
13448 + 0x5c,0xca,0xc5,0x30,0xf2,0x75,0x1f,0xda
13452 +static const unsigned char sha256_returnedbits[] =
13454 + 0x90,0x3c,0xc1,0x10,0x8c,0x12,0x01,0xc6,0xa6,0x3a,0x0f,0x4d,
13455 + 0xb6,0x3a,0x4f,0x41,0x9c,0x61,0x75,0x84,0xe9,0x74,0x75,0xfd,
13456 + 0xfe,0xf2,0x1f,0x43,0xd8,0x5e,0x24,0xa3
13462 +static const unsigned char sha384_pr_entropyinput[] =
13464 + 0x71,0x9d,0xb2,0x5a,0x71,0x6d,0x04,0xe9,0x1e,0xc7,0x92,0x24,
13465 + 0x6e,0x12,0x33,0xa9,0x52,0x64,0x31,0xef,0x71,0xeb,0x22,0x55,
13466 + 0x28,0x97,0x06,0x6a,0xc0,0x0c,0xa0,0x7e
13470 +static const unsigned char sha384_pr_nonce[] =
13472 + 0xf5,0x0d,0xfa,0xb0,0xec,0x6a,0x7c,0xd6,0xbd,0x9b,0x05,0xfd,
13473 + 0x38,0x3e,0x2e,0x56
13477 +static const unsigned char sha384_pr_personalizationstring[] =
13479 + 0x74,0xac,0x7e,0x6d,0xb1,0xa4,0xe7,0x21,0xd1,0x1e,0x6e,0x96,
13480 + 0x6d,0x4d,0x53,0x46,0x82,0x96,0x6e,0xcf,0xaa,0x81,0x8d,0x7d,
13481 + 0x9e,0xe1,0x0f,0x15,0xea,0x41,0xbf,0xe3
13485 +static const unsigned char sha384_pr_additionalinput[] =
13487 + 0xda,0x95,0xd4,0xd0,0xb8,0x11,0xd3,0x49,0x27,0x5d,0xa9,0x39,
13488 + 0x68,0xf3,0xa8,0xe9,0x5d,0x19,0x8a,0x2b,0x66,0xe8,0x69,0x06,
13489 + 0x7c,0x9e,0x03,0xa1,0x8b,0x26,0x2d,0x6e
13493 +static const unsigned char sha384_pr_entropyinputpr[] =
13495 + 0x49,0xdf,0x44,0x00,0xe4,0x1c,0x75,0x0b,0x26,0x5a,0x59,0x64,
13496 + 0x1f,0x4e,0xb1,0xb2,0x13,0xf1,0x22,0x4e,0xb4,0x6d,0x9a,0xcc,
13497 + 0xa0,0x48,0xe6,0xcf,0x1d,0xd1,0x92,0x0d
13501 +static const unsigned char sha384_pr_int_returnedbits[] =
13503 + 0xc8,0x52,0xae,0xbf,0x04,0x3c,0x27,0xb7,0x78,0x18,0xaa,0x8f,
13504 + 0xff,0xcf,0xa4,0xf1,0xcc,0xe7,0x68,0xfa,0x22,0xa2,0x13,0x45,
13505 + 0xe8,0xdd,0x87,0xe6,0xf2,0x6e,0xdd,0xc7,0x52,0x90,0x9f,0x7b,
13506 + 0xfa,0x61,0x2d,0x9d,0x9e,0xcf,0x98,0xac,0x52,0x40,0xce,0xaf
13510 +static const unsigned char sha384_pr_additionalinput2[] =
13512 + 0x61,0x7c,0x03,0x9a,0x3e,0x50,0x57,0x60,0xc5,0x83,0xc9,0xb2,
13513 + 0xd1,0x87,0x85,0x66,0x92,0x5d,0x84,0x0e,0x53,0xfb,0x70,0x03,
13514 + 0x72,0xfd,0xba,0xae,0x9c,0x8f,0xf8,0x18
13518 +static const unsigned char sha384_pr_entropyinputpr2[] =
13520 + 0xf8,0xeb,0x89,0xb1,0x8d,0x78,0xbe,0x21,0xe0,0xbb,0x9d,0xb7,
13521 + 0x95,0x0e,0xd9,0x46,0x0c,0x8c,0xe2,0x63,0xb7,0x9d,0x67,0x90,
13522 + 0xbd,0xc7,0x0b,0xa5,0xce,0xb2,0x65,0x81
13526 +static const unsigned char sha384_pr_returnedbits[] =
13528 + 0xe6,0x9f,0xfe,0x68,0xd6,0xb5,0x79,0xf1,0x06,0x5f,0xa3,0xbb,
13529 + 0x23,0x85,0xd8,0xf0,0x29,0x5a,0x68,0x9e,0xf5,0xf4,0xa6,0x12,
13530 + 0xe0,0x9a,0xe2,0xac,0x00,0x1d,0x98,0x26,0xfc,0x53,0x95,0x53,
13531 + 0xe4,0x3e,0x17,0xd5,0x08,0x0b,0x70,0x3d,0x67,0x99,0xac,0x66
13535 +/* SHA-384 No PR */
13537 +static const unsigned char sha384_entropyinput[] =
13539 + 0x07,0x15,0x27,0x2a,0xaf,0x74,0x24,0x37,0xbc,0xd5,0x14,0x69,
13540 + 0xce,0x11,0xff,0xa2,0x6b,0xb8,0x05,0x67,0x34,0xf8,0xbd,0x6d,
13541 + 0x6a,0xcc,0xcd,0x60,0xa3,0x68,0xca,0xf4
13545 +static const unsigned char sha384_nonce[] =
13547 + 0x70,0x17,0xc2,0x5b,0x5d,0x22,0x0b,0x06,0x15,0x54,0x78,0x77,
13548 + 0x44,0xaf,0x2f,0x09
13552 +static const unsigned char sha384_personalizationstring[] =
13554 + 0x89,0x39,0x28,0xb0,0x60,0xeb,0x3d,0xdc,0x55,0x75,0x86,0xeb,
13555 + 0xae,0xa2,0x8f,0xbc,0x1b,0x75,0xd4,0xe1,0x0f,0xaa,0x38,0xca,
13556 + 0x62,0x8b,0xcb,0x2c,0x26,0xf6,0xbc,0xb1
13560 +static const unsigned char sha384_additionalinput[] =
13562 + 0x30,0x2b,0x42,0x35,0xef,0xda,0x40,0x55,0x28,0xc6,0x95,0xfb,
13563 + 0x54,0x01,0x62,0xd7,0x87,0x14,0x48,0x6d,0x90,0x4c,0xa9,0x02,
13564 + 0x54,0x40,0x22,0xc8,0x66,0xa5,0x48,0x48
13568 +static const unsigned char sha384_int_returnedbits[] =
13570 + 0x82,0xc4,0xa1,0x9c,0x21,0xd2,0xe7,0xa5,0xa6,0xf6,0x5f,0x04,
13571 + 0x5c,0xc7,0x31,0x9d,0x8d,0x59,0x74,0x50,0x19,0x89,0x2f,0x63,
13572 + 0xd5,0xb7,0x7e,0xeb,0x15,0xe3,0x70,0x83,0xa1,0x24,0x59,0xfa,
13573 + 0x2c,0x56,0xf6,0x88,0x3a,0x92,0x93,0xa1,0xfb,0x79,0xc1,0x7a
13577 +static const unsigned char sha384_entropyinputreseed[] =
13579 + 0x39,0xa6,0xe8,0x5c,0x82,0x17,0x71,0x26,0x57,0x4f,0x9f,0xc2,
13580 + 0x55,0xff,0x5c,0x9b,0x53,0x1a,0xd1,0x5f,0xbc,0x62,0xe4,0x27,
13581 + 0x2d,0x32,0xf0,0xe4,0x52,0x8c,0xc5,0x0c
13585 +static const unsigned char sha384_additionalinputreseed[] =
13587 + 0x8d,0xcb,0x8d,0xce,0x08,0xea,0x80,0xe8,0x9b,0x61,0xa8,0x0f,
13588 + 0xaf,0x49,0x20,0x9e,0x74,0xcb,0x57,0x80,0x42,0xb0,0x84,0x5e,
13589 + 0x30,0x2a,0x67,0x08,0xf4,0xe3,0x40,0x22
13593 +static const unsigned char sha384_additionalinput2[] =
13595 + 0x7c,0x8f,0xc2,0xae,0x22,0x4a,0xd6,0xf6,0x05,0xa4,0x7a,0xea,
13596 + 0xbb,0x25,0xd0,0xb7,0x5a,0xd6,0xcf,0x9d,0xf3,0x6c,0xe2,0xb2,
13597 + 0x4e,0xb4,0xbd,0xf4,0xe5,0x40,0x80,0x94
13601 +static const unsigned char sha384_returnedbits[] =
13603 + 0x9e,0x7e,0xfb,0x59,0xbb,0xaa,0x3c,0xf7,0xe1,0xf8,0x76,0xdd,
13604 + 0x63,0x5f,0xaf,0x23,0xd6,0x64,0x61,0xc0,0x9a,0x09,0x47,0xc9,
13605 + 0x33,0xdf,0x6d,0x55,0x91,0x34,0x79,0x70,0xc4,0x99,0x6e,0x54,
13606 + 0x09,0x64,0x21,0x1a,0xbd,0x1e,0x80,0x40,0x34,0xad,0xfa,0xd7
13612 +static const unsigned char sha512_pr_entropyinput[] =
13614 + 0x13,0xf7,0x61,0x75,0x65,0x28,0xa2,0x59,0x13,0x5a,0x4a,0x4f,
13615 + 0x56,0x60,0x8c,0x53,0x7d,0xb0,0xbd,0x06,0x4f,0xed,0xcc,0xd2,
13616 + 0xa2,0xb5,0xfd,0x5b,0x3a,0xab,0xec,0x28
13620 +static const unsigned char sha512_pr_nonce[] =
13622 + 0xbe,0xa3,0x91,0x93,0x1d,0xc3,0x31,0x3a,0x23,0x33,0x50,0x67,
13623 + 0x88,0xc7,0xa2,0xc4
13627 +static const unsigned char sha512_pr_personalizationstring[] =
13629 + 0x1f,0x59,0x4d,0x7b,0xe6,0x46,0x91,0x48,0xc1,0x25,0xfa,0xff,
13630 + 0x89,0x12,0x77,0x35,0xdf,0x3e,0xf4,0x80,0x5f,0xd9,0xb0,0x07,
13631 + 0x22,0x41,0xdd,0x48,0x78,0x6b,0x77,0x2b
13635 +static const unsigned char sha512_pr_additionalinput[] =
13637 + 0x30,0xff,0x63,0x6f,0xac,0xd9,0x84,0x39,0x6f,0xe4,0x99,0xce,
13638 + 0x91,0x7d,0x7e,0xc8,0x58,0xf2,0x12,0xc3,0xb6,0xad,0xda,0x22,
13639 + 0x04,0xa0,0xd2,0x21,0xfe,0xf2,0x95,0x1d
13643 +static const unsigned char sha512_pr_entropyinputpr[] =
13645 + 0x64,0x54,0x13,0xec,0x4f,0x77,0xda,0xb2,0x92,0x2e,0x52,0x80,
13646 + 0x11,0x10,0xc2,0xf8,0xe6,0xa7,0xcd,0x4b,0xfc,0x32,0x2e,0x9e,
13647 + 0xeb,0xbb,0xb1,0xbf,0x15,0x5c,0x73,0x08
13651 +static const unsigned char sha512_pr_int_returnedbits[] =
13653 + 0xef,0x1e,0xdc,0x0a,0xa4,0x36,0x91,0x9c,0x3d,0x27,0x97,0x50,
13654 + 0x8d,0x36,0x29,0x8d,0xce,0x6a,0x0c,0xf7,0x21,0xc0,0x91,0xae,
13655 + 0x0c,0x96,0x72,0xbd,0x52,0x81,0x58,0xfc,0x6d,0xe5,0xf7,0xa5,
13656 + 0xfd,0x5d,0xa7,0x58,0x68,0xc8,0x99,0x58,0x8e,0xc8,0xce,0x95,
13657 + 0x01,0x7d,0xff,0xa4,0xc8,0xf7,0x63,0xfe,0x5f,0x69,0x83,0x53,
13658 + 0xe2,0xc6,0x8b,0xc3
13662 +static const unsigned char sha512_pr_additionalinput2[] =
13664 + 0xe6,0x9b,0xc4,0x88,0x34,0xca,0xea,0x29,0x2f,0x98,0x05,0xa4,
13665 + 0xd3,0xc0,0x7b,0x11,0xe8,0xbb,0x75,0xf2,0xbd,0x29,0xb7,0x40,
13666 + 0x25,0x7f,0xc1,0xb7,0xb1,0xf1,0x25,0x61
13670 +static const unsigned char sha512_pr_entropyinputpr2[] =
13672 + 0x23,0x6d,0xff,0xde,0xfb,0xd1,0xba,0x33,0x18,0xe6,0xbe,0xb5,
13673 + 0x48,0x77,0x6d,0x7f,0xa7,0xe1,0x4d,0x48,0x1e,0x3c,0xa7,0x34,
13674 + 0x1a,0xc8,0x60,0xdb,0x8f,0x99,0x15,0x99
13678 +static const unsigned char sha512_pr_returnedbits[] =
13680 + 0x70,0x27,0x31,0xdb,0x92,0x70,0x21,0xfe,0x16,0xb6,0xc8,0x51,
13681 + 0x34,0x87,0x65,0xd0,0x4e,0xfd,0xfe,0x68,0xec,0xac,0xdc,0x93,
13682 + 0x41,0x38,0x92,0x90,0xb4,0x94,0xf9,0x0d,0xa4,0xf7,0x4e,0x80,
13683 + 0x92,0x67,0x48,0x40,0xa7,0x08,0xc7,0xbc,0x66,0x00,0xfd,0xf7,
13684 + 0x4c,0x8b,0x17,0x6e,0xd1,0x8f,0x9b,0xf3,0x6f,0xf6,0x34,0xdd,
13685 + 0x67,0xf7,0x68,0xdd
13689 +/* SHA-512 No PR */
13691 +static const unsigned char sha512_entropyinput[] =
13693 + 0xb6,0x0b,0xb7,0xbc,0x84,0x56,0xf6,0x12,0xaf,0x45,0x67,0x17,
13694 + 0x7c,0xd1,0xb2,0x78,0x2b,0xa0,0xf2,0xbe,0xb6,0x6d,0x8b,0x56,
13695 + 0xc6,0xbc,0x4d,0xe1,0xf7,0xbe,0xce,0xbd
13699 +static const unsigned char sha512_nonce[] =
13701 + 0x9d,0xed,0xc0,0xe5,0x5a,0x98,0x6a,0xcb,0x51,0x7d,0x76,0x31,
13702 + 0x5a,0x64,0xf0,0xf7
13706 +static const unsigned char sha512_personalizationstring[] =
13708 + 0xc2,0x6d,0xa3,0xc3,0x06,0x74,0xe5,0x01,0x5c,0x10,0x17,0xc7,
13709 + 0xaf,0x83,0x9d,0x59,0x8d,0x2d,0x29,0x38,0xc5,0x59,0x70,0x8b,
13710 + 0x46,0x48,0x2d,0xcf,0x36,0x7d,0x59,0xc0
13714 +static const unsigned char sha512_additionalinput[] =
13716 + 0xec,0x8c,0xd4,0xf7,0x61,0x6e,0x0d,0x95,0x79,0xb7,0x28,0xad,
13717 + 0x5f,0x69,0x74,0x5f,0x2d,0x36,0x06,0x8a,0x6b,0xac,0x54,0x97,
13718 + 0xc4,0xa1,0x12,0x85,0x0a,0xdf,0x4b,0x34
13722 +static const unsigned char sha512_int_returnedbits[] =
13724 + 0x84,0x2f,0x1f,0x68,0x6a,0xa3,0xad,0x1e,0xfb,0xf4,0x15,0xbd,
13725 + 0xde,0x38,0xd4,0x30,0x80,0x51,0xe9,0xd3,0xc7,0x20,0x88,0xe9,
13726 + 0xf5,0xcc,0xdf,0x57,0x5c,0x47,0x2f,0x57,0x3c,0x5f,0x13,0x56,
13727 + 0xcc,0xc5,0x4f,0x84,0xf8,0x10,0x41,0xd5,0x7e,0x58,0x6e,0x19,
13728 + 0x19,0x9e,0xaf,0xc2,0x22,0x58,0x41,0x50,0x79,0xc2,0xd8,0x04,
13729 + 0x28,0xd4,0x39,0x9a
13733 +static const unsigned char sha512_entropyinputreseed[] =
13735 + 0xfa,0x7f,0x46,0x51,0x83,0x62,0x98,0x16,0x9a,0x19,0xa2,0x49,
13736 + 0xa9,0xe6,0x4a,0xd8,0x85,0xe7,0xd4,0x3b,0x2c,0x82,0xc5,0x82,
13737 + 0xbf,0x11,0xf9,0x9e,0xbc,0xd0,0x01,0xee
13741 +static const unsigned char sha512_additionalinputreseed[] =
13743 + 0xb9,0x12,0xe0,0x4f,0xf7,0xa7,0xc4,0xd8,0xd0,0x8e,0x99,0x29,
13744 + 0x7c,0x9a,0xe9,0xcf,0xc4,0x6c,0xf8,0xc3,0xa7,0x41,0x83,0xd6,
13745 + 0x2e,0xfa,0xb8,0x5e,0x8e,0x6b,0x78,0x20
13749 +static const unsigned char sha512_additionalinput2[] =
13751 + 0xd7,0x07,0x52,0xb9,0x83,0x2c,0x03,0x71,0xee,0xc9,0xc0,0x85,
13752 + 0xe1,0x57,0xb2,0xcd,0x3a,0xf0,0xc9,0x34,0x24,0x41,0x1c,0x42,
13753 + 0x99,0xb2,0x84,0xe9,0x17,0xd2,0x76,0x92
13757 +static const unsigned char sha512_returnedbits[] =
13759 + 0x36,0x17,0x5d,0x98,0x2b,0x65,0x25,0x8e,0xc8,0x29,0xdf,0x27,
13760 + 0x05,0x36,0x26,0x12,0x8a,0x68,0x74,0x27,0x37,0xd4,0x7f,0x32,
13761 + 0xb1,0x12,0xd6,0x85,0x83,0xeb,0x2e,0xa0,0xed,0x4b,0xb5,0x7b,
13762 + 0x6f,0x39,0x3c,0x71,0x77,0x02,0x12,0xcc,0x2c,0x3a,0x8e,0x63,
13763 + 0xdf,0x4a,0xbd,0x6f,0x6e,0x2e,0xed,0x0a,0x85,0xa5,0x2f,0xa2,
13764 + 0x68,0xde,0x42,0xb5
13768 +/* HMAC SHA-1 PR */
13770 +static const unsigned char hmac_sha1_pr_entropyinput[] =
13772 + 0x26,0x5f,0x36,0x14,0xff,0x3d,0x83,0xfa,0x73,0x5e,0x75,0xdc,
13773 + 0x2c,0x18,0x17,0x1b
13777 +static const unsigned char hmac_sha1_pr_nonce[] =
13779 + 0xc8,0xe3,0x57,0xa5,0x7b,0x74,0x86,0x6e
13783 +static const unsigned char hmac_sha1_pr_personalizationstring[] =
13785 + 0x6e,0xdb,0x0d,0xfe,0x7d,0xac,0x79,0xd0,0xa5,0x3a,0x48,0x85,
13786 + 0x80,0xe2,0x7f,0x2a
13790 +static const unsigned char hmac_sha1_pr_additionalinput[] =
13792 + 0x31,0xcd,0x5e,0x43,0xdc,0xfb,0x7a,0x79,0xca,0x88,0xde,0x1f,
13793 + 0xd7,0xbb,0x42,0x09
13797 +static const unsigned char hmac_sha1_pr_entropyinputpr[] =
13799 + 0x7c,0x23,0x95,0x38,0x00,0x95,0xc1,0x78,0x1f,0x8f,0xd7,0x63,
13800 + 0x23,0x87,0x2a,0xed
13804 +static const unsigned char hmac_sha1_pr_int_returnedbits[] =
13806 + 0xbb,0x34,0xe7,0x93,0xa3,0x02,0x2c,0x4a,0xd0,0x89,0xda,0x7f,
13807 + 0xed,0xf4,0x4c,0xde,0x17,0xec,0xe5,0x6c
13811 +static const unsigned char hmac_sha1_pr_additionalinput2[] =
13813 + 0x49,0xbc,0x2d,0x2c,0xb7,0x32,0xcb,0x20,0xdf,0xf5,0x77,0x58,
13814 + 0xa0,0x4b,0x93,0x6e
13818 +static const unsigned char hmac_sha1_pr_entropyinputpr2[] =
13820 + 0x3c,0xaa,0xb0,0x21,0x42,0xb0,0xdd,0x34,0xf0,0x16,0x7f,0x0c,
13821 + 0x0f,0xff,0x2e,0xaf
13825 +static const unsigned char hmac_sha1_pr_returnedbits[] =
13827 + 0x8e,0xcb,0xa3,0x64,0xb2,0xb8,0x33,0x6c,0x64,0x3b,0x78,0x16,
13828 + 0x99,0x35,0xc8,0x30,0xcb,0x3e,0xa0,0xd8
13832 +/* HMAC SHA-1 No PR */
13834 +static const unsigned char hmac_sha1_entropyinput[] =
13836 + 0x32,0x9a,0x2a,0x87,0x7b,0x89,0x7c,0xf6,0xcb,0x95,0xd5,0x40,
13837 + 0x17,0xfe,0x47,0x70
13841 +static const unsigned char hmac_sha1_nonce[] =
13843 + 0x16,0xd8,0xe0,0xc7,0x52,0xcf,0x4a,0x25
13847 +static const unsigned char hmac_sha1_personalizationstring[] =
13849 + 0x35,0x35,0xa9,0xa5,0x40,0xbe,0x9b,0xd1,0x56,0xdd,0x44,0x00,
13850 + 0x72,0xf7,0xd3,0x5e
13854 +static const unsigned char hmac_sha1_additionalinput[] =
13856 + 0x1b,0x2c,0x84,0x2d,0x4a,0x89,0x8f,0x69,0x19,0xf1,0xf3,0xdb,
13857 + 0xbb,0xe3,0xaa,0xea
13861 +static const unsigned char hmac_sha1_int_returnedbits[] =
13863 + 0xcf,0xfa,0x7d,0x72,0x0f,0xe6,0xc7,0x96,0xa0,0x69,0x31,0x11,
13864 + 0x9b,0x0b,0x1a,0x20,0x1f,0x3f,0xaa,0xd1
13868 +static const unsigned char hmac_sha1_entropyinputreseed[] =
13870 + 0x90,0x75,0x15,0x04,0x95,0xf1,0xba,0x81,0x0c,0x37,0x94,0x6f,
13871 + 0x86,0x52,0x6d,0x9c
13875 +static const unsigned char hmac_sha1_additionalinputreseed[] =
13877 + 0x5b,0x40,0xba,0x5f,0x17,0x70,0xf0,0x4b,0xdf,0xc9,0x97,0x92,
13878 + 0x79,0xc5,0x82,0x28
13882 +static const unsigned char hmac_sha1_additionalinput2[] =
13884 + 0x97,0xc8,0x80,0x90,0xb3,0xaa,0x6e,0x60,0xea,0x83,0x7a,0xe3,
13885 + 0x8a,0xca,0xa4,0x7f
13889 +static const unsigned char hmac_sha1_returnedbits[] =
13891 + 0x90,0xbd,0x05,0x56,0x6d,0xb5,0x22,0xd5,0xb9,0x5a,0x29,0x2d,
13892 + 0xe9,0x0b,0xe1,0xac,0xde,0x27,0x0b,0xb0
13896 +/* HMAC SHA-224 PR */
13898 +static const unsigned char hmac_sha224_pr_entropyinput[] =
13900 + 0x17,0x32,0x2b,0x2e,0x6f,0x1b,0x9c,0x6d,0x31,0xe0,0x34,0x07,
13901 + 0xcf,0xed,0xf6,0xb6,0x5a,0x76,0x4c,0xbc,0x62,0x85,0x01,0x90
13905 +static const unsigned char hmac_sha224_pr_nonce[] =
13907 + 0x38,0xbf,0x5f,0x20,0xb3,0x68,0x2f,0x43,0x61,0x05,0x8f,0x23
13911 +static const unsigned char hmac_sha224_pr_personalizationstring[] =
13913 + 0xc0,0xc9,0x45,0xac,0x8d,0x27,0x77,0x08,0x0b,0x17,0x6d,0xed,
13914 + 0xc1,0x7d,0xd5,0x07,0x9d,0x6e,0xf8,0x23,0x2a,0x22,0x13,0xbd
13918 +static const unsigned char hmac_sha224_pr_additionalinput[] =
13920 + 0xa4,0x3c,0xe7,0x3b,0xea,0x19,0x45,0x32,0xc2,0x83,0x6d,0x21,
13921 + 0x8a,0xc0,0xee,0x67,0x45,0xde,0x13,0x7d,0x9d,0x61,0x00,0x3b
13925 +static const unsigned char hmac_sha224_pr_entropyinputpr[] =
13927 + 0x15,0x05,0x74,0x4a,0x7f,0x8d,0x5c,0x60,0x16,0xe5,0x7b,0xad,
13928 + 0xf5,0x41,0x8f,0x55,0x60,0xc4,0x09,0xee,0x1e,0x11,0x81,0xab
13932 +static const unsigned char hmac_sha224_pr_int_returnedbits[] =
13934 + 0x6f,0xf5,0x9a,0xe2,0x54,0x53,0x30,0x3d,0x5a,0x27,0x29,0x38,
13935 + 0x27,0xf2,0x0d,0x05,0xe9,0x26,0xcb,0x16,0xc3,0x51,0x5f,0x13,
13936 + 0x41,0xfe,0x99,0xf2
13940 +static const unsigned char hmac_sha224_pr_additionalinput2[] =
13942 + 0x73,0x81,0x88,0x84,0x8f,0xed,0x6f,0x10,0x9f,0x93,0xbf,0x17,
13943 + 0x35,0x7c,0xef,0xd5,0x8d,0x26,0xa6,0x7a,0xe8,0x09,0x36,0x4f
13947 +static const unsigned char hmac_sha224_pr_entropyinputpr2[] =
13949 + 0xe6,0xcf,0xcf,0x7e,0x12,0xe5,0x43,0xd2,0x38,0xd8,0x24,0x6f,
13950 + 0x5a,0x37,0x68,0xbf,0x4f,0xa0,0xff,0xd5,0x61,0x8a,0x93,0xe0
13954 +static const unsigned char hmac_sha224_pr_returnedbits[] =
13956 + 0xaf,0xf9,0xd8,0x19,0x91,0x30,0x82,0x6f,0xa9,0x1e,0x9d,0xd7,
13957 + 0xf3,0x50,0xe0,0xc7,0xd5,0x64,0x96,0x7d,0x4c,0x4d,0x78,0x03,
13958 + 0x6d,0xd8,0x9e,0x72
13962 +/* HMAC SHA-224 No PR */
13964 +static const unsigned char hmac_sha224_entropyinput[] =
13966 + 0x11,0x82,0xfd,0xd9,0x42,0xf4,0xfa,0xc8,0xf2,0x41,0xe6,0x54,
13967 + 0x01,0xae,0x22,0x6e,0xc6,0xaf,0xaf,0xd0,0xa6,0xb2,0xe2,0x6d
13971 +static const unsigned char hmac_sha224_nonce[] =
13973 + 0xa9,0x48,0xd7,0x92,0x39,0x7e,0x2a,0xdc,0x30,0x1f,0x0e,0x2b
13977 +static const unsigned char hmac_sha224_personalizationstring[] =
13979 + 0x11,0xd5,0xf4,0xbd,0x67,0x8c,0x31,0xcf,0xa3,0x3f,0x1e,0x6b,
13980 + 0xa8,0x07,0x02,0x0b,0xc8,0x2e,0x6c,0x64,0x41,0x5b,0xc8,0x37
13984 +static const unsigned char hmac_sha224_additionalinput[] =
13986 + 0x68,0x18,0xc2,0x06,0xeb,0x3e,0x04,0x95,0x44,0x5e,0xfb,0xe6,
13987 + 0x41,0xc1,0x5c,0xcc,0x40,0x2f,0xb7,0xd2,0x0f,0xf3,0x6b,0xe7
13991 +static const unsigned char hmac_sha224_int_returnedbits[] =
13993 + 0x7f,0x45,0xc7,0x5d,0x32,0xe6,0x17,0x60,0xba,0xdc,0xb8,0x42,
13994 + 0x1b,0x9c,0xf1,0xfa,0x3b,0x4d,0x29,0x54,0xc6,0x90,0xff,0x5c,
13995 + 0xcd,0xd6,0xa9,0xcc
13999 +static const unsigned char hmac_sha224_entropyinputreseed[] =
14001 + 0xc4,0x8e,0x37,0x95,0x69,0x53,0x28,0xd7,0x37,0xbb,0x70,0x95,
14002 + 0x1c,0x07,0x1d,0xd9,0xb7,0xe6,0x1b,0xbb,0xfe,0x41,0xeb,0xc9
14006 +static const unsigned char hmac_sha224_additionalinputreseed[] =
14008 + 0x53,0x17,0xa1,0x6a,0xfa,0x77,0x47,0xb0,0x95,0x56,0x9a,0x20,
14009 + 0x57,0xde,0x5c,0x89,0x9f,0x7f,0xe2,0xde,0x17,0x3a,0x50,0x23
14013 +static const unsigned char hmac_sha224_additionalinput2[] =
14015 + 0x3a,0x32,0xf9,0x85,0x0c,0xc1,0xed,0x76,0x2d,0xdf,0x40,0xc3,
14016 + 0x06,0x22,0x66,0xd4,0x9a,0x9a,0xff,0x5a,0x7e,0x7a,0xf3,0x96
14020 +static const unsigned char hmac_sha224_returnedbits[] =
14022 + 0x43,0xb4,0x57,0x5c,0x38,0x25,0x9d,0xae,0xec,0x96,0xd1,0x85,
14023 + 0x3a,0x84,0x8d,0xfe,0x68,0xd5,0x0e,0x5c,0x8f,0x65,0xa5,0x4e,
14024 + 0x45,0x84,0xa8,0x94
14028 +/* HMAC SHA-256 PR */
14030 +static const unsigned char hmac_sha256_pr_entropyinput[] =
14032 + 0x4d,0xb0,0x43,0xd8,0x34,0x4b,0x10,0x70,0xb1,0x8b,0xed,0xea,
14033 + 0x07,0x92,0x9f,0x6c,0x79,0x31,0xaf,0x81,0x29,0xeb,0x6e,0xca,
14034 + 0x32,0x48,0x28,0xe7,0x02,0x5d,0xa6,0xa6
14038 +static const unsigned char hmac_sha256_pr_nonce[] =
14040 + 0x3a,0xae,0x15,0xa9,0x99,0xdc,0xe4,0x67,0x34,0x3b,0x70,0x15,
14041 + 0xaa,0xd3,0x30,0x9a
14045 +static const unsigned char hmac_sha256_pr_personalizationstring[] =
14047 + 0x13,0x1d,0x24,0x04,0xb0,0x18,0x81,0x15,0x21,0x51,0x2a,0x24,
14048 + 0x52,0x61,0xbe,0x64,0x82,0x6b,0x55,0x2f,0xe2,0xf1,0x40,0x7d,
14049 + 0x71,0xd8,0x01,0x86,0x15,0xb7,0x8b,0xb5
14053 +static const unsigned char hmac_sha256_pr_additionalinput[] =
14055 + 0x8f,0xa6,0x54,0x5f,0xb1,0xd0,0xd8,0xc3,0xe7,0x0c,0x15,0xa9,
14056 + 0x23,0x6e,0xfe,0xfb,0x93,0xf7,0x3a,0xbd,0x59,0x01,0xfa,0x18,
14057 + 0x8e,0xe9,0x1a,0xa9,0x78,0xfc,0x79,0x0b
14061 +static const unsigned char hmac_sha256_pr_entropyinputpr[] =
14063 + 0xcf,0x24,0xb9,0xeb,0xb3,0xd4,0xcd,0x17,0x37,0x38,0x75,0x79,
14064 + 0x15,0xcb,0x2d,0x75,0x51,0xf1,0xcc,0xaa,0x32,0xa4,0xa7,0x36,
14065 + 0x7c,0x5c,0xe4,0x47,0xf1,0x3e,0x1d,0xe5
14069 +static const unsigned char hmac_sha256_pr_int_returnedbits[] =
14071 + 0x52,0x42,0xfa,0xeb,0x85,0xe0,0x30,0x22,0x79,0x00,0x16,0xb2,
14072 + 0x88,0x2f,0x14,0x6a,0xb7,0xfc,0xb7,0x53,0xdc,0x4a,0x12,0xef,
14073 + 0x54,0xd6,0x33,0xe9,0x20,0xd6,0xfd,0x56
14077 +static const unsigned char hmac_sha256_pr_additionalinput2[] =
14079 + 0xf4,0xf6,0x49,0xa1,0x2d,0x64,0x2b,0x30,0x58,0xf8,0xbd,0xb8,
14080 + 0x75,0xeb,0xbb,0x5e,0x1c,0x9b,0x81,0x6a,0xda,0x14,0x86,0x6e,
14081 + 0xd0,0xda,0x18,0xb7,0x88,0xfb,0x59,0xf3
14085 +static const unsigned char hmac_sha256_pr_entropyinputpr2[] =
14087 + 0x21,0xcd,0x6e,0x46,0xad,0x99,0x07,0x17,0xb4,0x3d,0x76,0x0a,
14088 + 0xff,0x5b,0x52,0x50,0x78,0xdf,0x1f,0x24,0x06,0x0d,0x3f,0x74,
14089 + 0xa9,0xc9,0x37,0xcf,0xd8,0x26,0x25,0x91
14093 +static const unsigned char hmac_sha256_pr_returnedbits[] =
14095 + 0xa7,0xaf,0x2f,0x29,0xe0,0x3a,0x72,0x95,0x96,0x1c,0xa9,0xf0,
14096 + 0x4a,0x17,0x4d,0x66,0x06,0x10,0xbf,0x39,0x89,0x88,0xb8,0x91,
14097 + 0x37,0x18,0x99,0xcf,0x8c,0x53,0x3b,0x7e
14101 +/* HMAC SHA-256 No PR */
14103 +static const unsigned char hmac_sha256_entropyinput[] =
14105 + 0x96,0xb7,0x53,0x22,0x1e,0x52,0x2a,0x96,0xb1,0x15,0x3c,0x35,
14106 + 0x5a,0x8b,0xd3,0x4a,0xa6,0x6c,0x83,0x0a,0x7d,0xa3,0x23,0x3d,
14107 + 0x43,0xa1,0x07,0x2c,0x2d,0xe3,0x81,0xcc
14111 +static const unsigned char hmac_sha256_nonce[] =
14113 + 0xf1,0xac,0x97,0xcb,0x5e,0x06,0x48,0xd2,0x94,0xbe,0x15,0x2e,
14114 + 0xc7,0xfc,0xc2,0x01
14118 +static const unsigned char hmac_sha256_personalizationstring[] =
14120 + 0x98,0xc5,0x1e,0x35,0x5e,0x89,0x0d,0xce,0x64,0x6d,0x18,0xa7,
14121 + 0x5a,0xc6,0xf3,0xe7,0xd6,0x9e,0xc0,0xea,0xb7,0x3a,0x8d,0x65,
14122 + 0xb8,0xeb,0x10,0xd7,0x57,0x18,0xa0,0x32
14126 +static const unsigned char hmac_sha256_additionalinput[] =
14128 + 0x1b,0x10,0xaf,0xac,0xd0,0x65,0x95,0xad,0x04,0xad,0x03,0x1c,
14129 + 0xe0,0x40,0xd6,0x3e,0x1c,0x46,0x53,0x39,0x7c,0xe2,0xbc,0xda,
14130 + 0x8c,0xa2,0x33,0xa7,0x9a,0x26,0xd3,0x27
14134 +static const unsigned char hmac_sha256_int_returnedbits[] =
14136 + 0xba,0x61,0x0e,0x55,0xfe,0x11,0x8a,0x9e,0x0f,0x80,0xdf,0x1d,
14137 + 0x03,0x0a,0xfe,0x15,0x94,0x28,0x4b,0xba,0xf4,0x9f,0x51,0x25,
14138 + 0x88,0xe5,0x4e,0xfb,0xaf,0xce,0x69,0x90
14142 +static const unsigned char hmac_sha256_entropyinputreseed[] =
14144 + 0x62,0x7f,0x1e,0x6b,0xe8,0x8e,0xe1,0x35,0x7d,0x9b,0x4f,0xc7,
14145 + 0xec,0xc8,0xac,0xef,0x6b,0x13,0x9e,0x05,0x56,0xc1,0x08,0xf9,
14146 + 0x2f,0x0f,0x27,0x9c,0xd4,0x15,0xed,0x2d
14150 +static const unsigned char hmac_sha256_additionalinputreseed[] =
14152 + 0xc7,0x76,0x6e,0xa9,0xd2,0xb2,0x76,0x40,0x82,0x25,0x2c,0xb3,
14153 + 0x6f,0xac,0xe9,0x74,0xef,0x8f,0x3c,0x8e,0xcd,0xf1,0xbf,0xb3,
14154 + 0x49,0x77,0x34,0x88,0x52,0x36,0xe6,0x2e
14158 +static const unsigned char hmac_sha256_additionalinput2[] =
14160 + 0x8d,0xb8,0x0c,0xd1,0xbf,0x70,0xf6,0x19,0xc3,0x41,0x80,0x9f,
14161 + 0xe1,0xa5,0xa4,0x1f,0x2c,0x26,0xb1,0xe5,0xd8,0xeb,0xbe,0xf8,
14162 + 0xdf,0x88,0x6a,0x89,0xd6,0x05,0xd8,0x9d
14166 +static const unsigned char hmac_sha256_returnedbits[] =
14168 + 0x43,0x12,0x2a,0x2c,0x40,0x53,0x2e,0x7c,0x66,0x34,0xac,0xc3,
14169 + 0x43,0xe3,0xe0,0x6a,0xfc,0xfa,0xea,0x87,0x21,0x1f,0xe2,0x26,
14170 + 0xc4,0xf9,0x09,0x9a,0x0d,0x6e,0x7f,0xe0
14174 +/* HMAC SHA-384 PR */
14176 +static const unsigned char hmac_sha384_pr_entropyinput[] =
14178 + 0x69,0x81,0x98,0x88,0x44,0xf5,0xd6,0x2e,0x00,0x08,0x3b,0xc5,
14179 + 0xfb,0xd7,0x8e,0x6f,0x23,0xf8,0x6d,0x09,0xd6,0x85,0x49,0xd1,
14180 + 0xf8,0x6d,0xa4,0x58,0x54,0xfd,0x88,0xa9
14184 +static const unsigned char hmac_sha384_pr_nonce[] =
14186 + 0x6e,0x38,0x81,0xca,0xb7,0xe8,0x6e,0x66,0x49,0x8a,0xb2,0x59,
14187 + 0xee,0x16,0xc9,0xde
14191 +static const unsigned char hmac_sha384_pr_personalizationstring[] =
14193 + 0xfe,0x4c,0xd9,0xf4,0x78,0x3b,0x08,0x41,0x8d,0x8f,0x55,0xc4,
14194 + 0x43,0x56,0xb6,0x12,0x36,0x6b,0x30,0xb7,0x5e,0xe1,0xb9,0x47,
14195 + 0x04,0xb1,0x4e,0xa9,0x00,0xa1,0x52,0xa1
14199 +static const unsigned char hmac_sha384_pr_additionalinput[] =
14201 + 0x89,0xe9,0xcc,0x8f,0x27,0x3c,0x26,0xd1,0x95,0xc8,0x7d,0x0f,
14202 + 0x5b,0x1a,0xf0,0x78,0x39,0x56,0x6f,0xa4,0x23,0xe7,0xd1,0xda,
14203 + 0x7c,0x66,0x33,0xa0,0x90,0xc9,0x92,0x88
14207 +static const unsigned char hmac_sha384_pr_entropyinputpr[] =
14209 + 0xbe,0x3d,0x7c,0x0d,0xca,0xda,0x7c,0x49,0xb8,0x12,0x36,0xc0,
14210 + 0xdb,0xad,0x35,0xa8,0xc7,0x0b,0x2a,0x2c,0x69,0x6d,0x25,0x56,
14211 + 0x63,0x82,0x11,0x3e,0xa7,0x33,0x70,0x72
14215 +static const unsigned char hmac_sha384_pr_int_returnedbits[] =
14217 + 0x82,0x3d,0xe6,0x54,0x80,0x42,0xf8,0xba,0x90,0x4f,0x06,0xa6,
14218 + 0xd2,0x7f,0xbf,0x79,0x7c,0x12,0x7d,0xa6,0xa2,0x66,0xe8,0xa6,
14219 + 0xc0,0xd6,0x4a,0x55,0xbf,0xd8,0x0a,0xc5,0xf8,0x03,0x88,0xdd,
14220 + 0x8e,0x87,0xd1,0x5a,0x48,0x26,0x72,0x2a,0x8e,0xcf,0xee,0xba
14224 +static const unsigned char hmac_sha384_pr_additionalinput2[] =
14226 + 0x8f,0xff,0xd9,0x84,0xbb,0x85,0x3a,0x66,0xa1,0x21,0xce,0xb2,
14227 + 0x3a,0x3a,0x17,0x22,0x19,0xae,0xc7,0xb6,0x63,0x81,0xd5,0xff,
14228 + 0x0d,0xc8,0xe1,0xaf,0x57,0xd2,0xcb,0x60
14232 +static const unsigned char hmac_sha384_pr_entropyinputpr2[] =
14234 + 0xd7,0xfb,0xc9,0xe8,0xe2,0xf2,0xaa,0x4c,0xb8,0x51,0x2f,0xe1,
14235 + 0x22,0xba,0xf3,0xda,0x0a,0x19,0x76,0x71,0x57,0xb2,0x1d,0x94,
14236 + 0x09,0x69,0x6c,0xd3,0x97,0x51,0x81,0x87
14240 +static const unsigned char hmac_sha384_pr_returnedbits[] =
14242 + 0xe6,0x19,0x28,0xa8,0x21,0xce,0x5e,0xdb,0x24,0x79,0x8c,0x76,
14243 + 0x5d,0x73,0xb2,0xdf,0xac,0xef,0x85,0xa7,0x3b,0x19,0x09,0x8b,
14244 + 0x7f,0x98,0x28,0xa9,0x93,0xd8,0x7a,0xad,0x55,0x8b,0x24,0x9d,
14245 + 0xe6,0x98,0xfe,0x47,0xd5,0x48,0xc1,0x23,0xd8,0x1d,0x62,0x75
14249 +/* HMAC SHA-384 No PR */
14251 +static const unsigned char hmac_sha384_entropyinput[] =
14253 + 0xc3,0x56,0x2b,0x1d,0xc2,0xbb,0xa8,0xf0,0xae,0x1b,0x0d,0xd3,
14254 + 0x5a,0x6c,0xda,0x57,0x8e,0xa5,0x8a,0x0d,0x6c,0x4b,0x18,0xb1,
14255 + 0x04,0x3e,0xb4,0x99,0x35,0xc4,0xc0,0x5f
14259 +static const unsigned char hmac_sha384_nonce[] =
14261 + 0xc5,0x49,0x1e,0x66,0x27,0x92,0xbe,0xec,0xb5,0x1e,0x4b,0xb1,
14262 + 0x38,0xe3,0xeb,0x62
14266 +static const unsigned char hmac_sha384_personalizationstring[] =
14268 + 0xbe,0xe7,0x6b,0x57,0xde,0x88,0x11,0x96,0x9b,0x6e,0xea,0xe5,
14269 + 0x63,0x83,0x4c,0xb6,0x8d,0x66,0xaa,0x1f,0x8b,0x54,0xe7,0x62,
14270 + 0x6d,0x5a,0xfc,0xbf,0x97,0xba,0xcd,0x77
14274 +static const unsigned char hmac_sha384_additionalinput[] =
14276 + 0xe5,0x28,0x5f,0x43,0xf5,0x83,0x6e,0x0a,0x83,0x5c,0xe3,0x81,
14277 + 0x03,0xf2,0xf8,0x78,0x00,0x7c,0x95,0x87,0x16,0xd6,0x6c,0x58,
14278 + 0x33,0x6c,0x53,0x35,0x0d,0x66,0xe3,0xce
14282 +static const unsigned char hmac_sha384_int_returnedbits[] =
14284 + 0xe2,0x1f,0xf3,0xda,0x0d,0x19,0x99,0x87,0xc4,0x90,0xa2,0x31,
14285 + 0xca,0x2a,0x89,0x58,0x43,0x44,0xb8,0xde,0xcf,0xa4,0xbe,0x3b,
14286 + 0x53,0x26,0x22,0x31,0x76,0x41,0x22,0xb5,0xa8,0x70,0x2f,0x4b,
14287 + 0x64,0x95,0x4d,0x48,0x96,0x35,0xe6,0xbd,0x3c,0x34,0xdb,0x1b
14291 +static const unsigned char hmac_sha384_entropyinputreseed[] =
14293 + 0x77,0x61,0xba,0xbc,0xf2,0xc1,0xf3,0x4b,0x86,0x65,0xfd,0x48,
14294 + 0x0e,0x3c,0x02,0x5e,0xa2,0x7a,0x6b,0x7c,0xed,0x21,0x5e,0xf9,
14295 + 0xcd,0xcd,0x77,0x07,0x2b,0xbe,0xc5,0x5c
14299 +static const unsigned char hmac_sha384_additionalinputreseed[] =
14301 + 0x18,0x24,0x5f,0xc6,0x84,0xd1,0x67,0xc3,0x9a,0x11,0xa5,0x8c,
14302 + 0x07,0x39,0x21,0x83,0x4d,0x04,0xc4,0x6a,0x28,0x19,0xcf,0x92,
14303 + 0x21,0xd9,0x9e,0x41,0x72,0x6c,0x9e,0x63
14307 +static const unsigned char hmac_sha384_additionalinput2[] =
14309 + 0x96,0x67,0x41,0x28,0x9b,0xb7,0x92,0x8d,0x64,0x3b,0xe4,0xcf,
14310 + 0x7e,0xaa,0x1e,0xb1,0x4b,0x1d,0x09,0x56,0x67,0x9c,0xc6,0x6d,
14311 + 0x3b,0xe8,0x91,0x9d,0xe1,0x8a,0xb7,0x32
14315 +static const unsigned char hmac_sha384_returnedbits[] =
14317 + 0xe3,0x59,0x61,0x38,0x92,0xec,0xe2,0x3c,0xff,0xb7,0xdb,0x19,
14318 + 0x0f,0x5b,0x93,0x68,0x0d,0xa4,0x94,0x40,0x72,0x0b,0xe0,0xed,
14319 + 0x4d,0xcd,0x68,0xa0,0x1e,0xfe,0x67,0xb2,0xfa,0x21,0x56,0x74,
14320 + 0xa4,0xad,0xcf,0xb7,0x60,0x66,0x2e,0x40,0xde,0x82,0xca,0xfb
14324 +/* HMAC SHA-512 PR */
14326 +static const unsigned char hmac_sha512_pr_entropyinput[] =
14328 + 0xaa,0x9e,0x45,0x67,0x0e,0x00,0x2a,0x67,0x98,0xd6,0xda,0x0b,
14329 + 0x0f,0x17,0x7e,0xac,0xfd,0x27,0xc4,0xca,0x84,0xdf,0xde,0xba,
14330 + 0x85,0xd9,0xbe,0x8f,0xf3,0xff,0x91,0x4d
14334 +static const unsigned char hmac_sha512_pr_nonce[] =
14336 + 0x8c,0x49,0x2f,0x58,0x1e,0x7a,0xda,0x4b,0x7e,0x8a,0x30,0x7b,
14337 + 0x86,0xea,0xaf,0xa2
14341 +static const unsigned char hmac_sha512_pr_personalizationstring[] =
14343 + 0x71,0xe1,0xbb,0xad,0xa7,0x4b,0x2e,0x31,0x3b,0x0b,0xec,0x24,
14344 + 0x99,0x38,0xbc,0xaa,0x05,0x4c,0x46,0x44,0xfa,0xad,0x8e,0x02,
14345 + 0xc1,0x7e,0xad,0xec,0x54,0xa6,0xd0,0xad
14349 +static const unsigned char hmac_sha512_pr_additionalinput[] =
14351 + 0x3d,0x6e,0xa6,0xa8,0x29,0x2a,0xb2,0xf5,0x98,0x42,0xe4,0x92,
14352 + 0x78,0x22,0x67,0xfd,0x1b,0x15,0x1e,0x29,0xaa,0x71,0x3c,0x3c,
14353 + 0xe7,0x05,0x20,0xa9,0x29,0xc6,0x75,0x71
14357 +static const unsigned char hmac_sha512_pr_entropyinputpr[] =
14359 + 0xab,0xb9,0x16,0xd8,0x55,0x35,0x54,0xb7,0x97,0x3f,0x94,0xbc,
14360 + 0x2f,0x7c,0x70,0xc7,0xd0,0xed,0xb7,0x4b,0xf7,0xf6,0x6c,0x03,
14361 + 0x0c,0xb0,0x03,0xd8,0xbb,0x71,0xd9,0x10
14365 +static const unsigned char hmac_sha512_pr_int_returnedbits[] =
14367 + 0x8e,0xd3,0xfd,0x52,0x9e,0x83,0x08,0x49,0x18,0x6e,0x23,0x56,
14368 + 0x5c,0x45,0x93,0x34,0x05,0xe2,0x98,0x8f,0x0c,0xd4,0x32,0x0c,
14369 + 0xfd,0xda,0x5f,0x92,0x3a,0x8c,0x81,0xbd,0xf6,0x6c,0x55,0xfd,
14370 + 0xb8,0x20,0xce,0x8d,0x97,0x27,0xe8,0xe8,0xe0,0xb3,0x85,0x50,
14371 + 0xa2,0xc2,0xb2,0x95,0x1d,0x48,0xd3,0x7b,0x4b,0x78,0x13,0x35,
14372 + 0x05,0x17,0xbe,0x0d
14376 +static const unsigned char hmac_sha512_pr_additionalinput2[] =
14378 + 0xc3,0xfc,0x95,0xaa,0x69,0x06,0xae,0x59,0x41,0xce,0x26,0x08,
14379 + 0x29,0x6d,0x45,0xda,0xe8,0xb3,0x6c,0x95,0x60,0x0f,0x70,0x2c,
14380 + 0x10,0xba,0x38,0x8c,0xcf,0x29,0x99,0xaa
14384 +static const unsigned char hmac_sha512_pr_entropyinputpr2[] =
14386 + 0x3b,0x9a,0x25,0xce,0xd7,0xf9,0x5c,0xd1,0x3a,0x3e,0xaa,0x71,
14387 + 0x14,0x3e,0x19,0xe8,0xce,0xe6,0xfe,0x51,0x84,0xe9,0x1b,0xfe,
14388 + 0x3f,0xa7,0xf2,0xfd,0x76,0x5f,0x6a,0xe7
14392 +static const unsigned char hmac_sha512_pr_returnedbits[] =
14394 + 0xb7,0x82,0xa9,0x57,0x81,0x67,0x53,0xb5,0xa1,0xe9,0x3d,0x35,
14395 + 0xf9,0xe4,0x97,0xbe,0xa6,0xca,0xf1,0x01,0x13,0x09,0xe7,0x21,
14396 + 0xc0,0xed,0x93,0x5d,0x4b,0xf4,0xeb,0x8d,0x53,0x25,0x8a,0xc4,
14397 + 0xb1,0x6f,0x6e,0x37,0xcd,0x2e,0xac,0x39,0xb2,0xb6,0x99,0xa3,
14398 + 0x82,0x00,0xb0,0x21,0xf0,0xc7,0x2f,0x4c,0x73,0x92,0xfd,0x00,
14399 + 0xb6,0xaf,0xbc,0xd3
14403 +/* HMAC SHA-512 No PR */
14405 +static const unsigned char hmac_sha512_entropyinput[] =
14407 + 0x6e,0x85,0xe6,0x25,0x96,0x29,0xa7,0x52,0x5b,0x60,0xba,0xaa,
14408 + 0xde,0xdb,0x36,0x0a,0x51,0x9a,0x15,0xae,0x6e,0x18,0xd3,0xfe,
14409 + 0x39,0xb9,0x4a,0x96,0xf8,0x77,0xcb,0x95
14413 +static const unsigned char hmac_sha512_nonce[] =
14415 + 0xe0,0xa6,0x5d,0x08,0xc3,0x7c,0xae,0x25,0x2e,0x80,0xd1,0x3e,
14416 + 0xd9,0xaf,0x43,0x3c
14420 +static const unsigned char hmac_sha512_personalizationstring[] =
14422 + 0x53,0x99,0x52,0x5f,0x11,0xa9,0x64,0x66,0x20,0x5e,0x1b,0x5f,
14423 + 0x42,0xb3,0xf4,0xda,0xed,0xbb,0x63,0xc1,0x23,0xaf,0xd0,0x01,
14424 + 0x90,0x3b,0xd0,0x78,0xe4,0x0b,0xa7,0x20
14428 +static const unsigned char hmac_sha512_additionalinput[] =
14430 + 0x85,0x90,0x80,0xd3,0x98,0xf1,0x53,0x6d,0x68,0x15,0x8f,0xe5,
14431 + 0x60,0x3f,0x17,0x29,0x55,0x8d,0x33,0xb1,0x45,0x64,0x64,0x8d,
14432 + 0x50,0x21,0x89,0xae,0xf6,0xfd,0x32,0x73
14436 +static const unsigned char hmac_sha512_int_returnedbits[] =
14438 + 0x28,0x56,0x30,0x6f,0xf4,0xa1,0x48,0xe0,0xc9,0xf5,0x75,0x90,
14439 + 0xcc,0xfb,0xdf,0xdf,0x71,0x3d,0x0a,0x9a,0x03,0x65,0x3b,0x18,
14440 + 0x61,0xe3,0xd1,0xda,0xcc,0x4a,0xfe,0x55,0x38,0xf8,0x21,0x6b,
14441 + 0xfa,0x18,0x01,0x42,0x39,0x2f,0x99,0x53,0x38,0x15,0x82,0x34,
14442 + 0xc5,0x93,0x92,0xbc,0x4d,0x75,0x1a,0x5f,0x21,0x27,0xcc,0xa1,
14443 + 0xb1,0x57,0x69,0xe8
14447 +static const unsigned char hmac_sha512_entropyinputreseed[] =
14449 + 0x8c,0x52,0x7e,0x77,0x72,0x3f,0xa3,0x04,0x97,0x10,0x9b,0x41,
14450 + 0xbd,0xe8,0xff,0x89,0xed,0x80,0xe3,0xbd,0xaa,0x12,0x2d,0xca,
14451 + 0x75,0x82,0x36,0x77,0x88,0xcd,0xa6,0x73
14455 +static const unsigned char hmac_sha512_additionalinputreseed[] =
14457 + 0x7e,0x32,0xe3,0x69,0x69,0x07,0x34,0xa2,0x16,0xa2,0x5d,0x1a,
14458 + 0x10,0x91,0xd3,0xe2,0x21,0xa2,0xa3,0xdd,0xcd,0x0c,0x09,0x86,
14459 + 0x11,0xe1,0x50,0xff,0x5c,0xb7,0xeb,0x5c
14463 +static const unsigned char hmac_sha512_additionalinput2[] =
14465 + 0x7f,0x78,0x66,0xd8,0xfb,0x67,0xcf,0x8d,0x8c,0x08,0x30,0xa5,
14466 + 0xf8,0x7d,0xcf,0x44,0x59,0xce,0xf8,0xdf,0x58,0xd3,0x60,0xcb,
14467 + 0xa8,0x60,0xb9,0x07,0xc4,0xb1,0x95,0x48
14471 +static const unsigned char hmac_sha512_returnedbits[] =
14473 + 0xdf,0xa7,0x36,0xd4,0xdc,0x5d,0x4d,0x31,0xad,0x69,0x46,0x9f,
14474 + 0xf1,0x7c,0xd7,0x3b,0x4f,0x55,0xf2,0xd7,0xb9,0x9d,0xad,0x7a,
14475 + 0x79,0x08,0x59,0xa5,0xdc,0x74,0xf5,0x9b,0x73,0xd2,0x13,0x25,
14476 + 0x0b,0x81,0x08,0x08,0x25,0xfb,0x39,0xf2,0xf0,0xa3,0xa4,0x8d,
14477 + 0xef,0x05,0x9e,0xb8,0xc7,0x52,0xe4,0x0e,0x42,0xaa,0x7c,0x79,
14478 + 0xc2,0xd6,0xfd,0xa5
14481 diff -up openssl-1.0.1e/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_dsa_selftest.c
14482 --- openssl-1.0.1e/crypto/fips/fips_dsa_selftest.c.fips 2013-02-19 12:47:33.739118872 +0100
14483 +++ openssl-1.0.1e/crypto/fips/fips_dsa_selftest.c 2013-02-19 12:47:33.739118872 +0100
14485 +/* ====================================================================
14486 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
14488 + * Redistribution and use in source and binary forms, with or without
14489 + * modification, are permitted provided that the following conditions
14492 + * 1. Redistributions of source code must retain the above copyright
14493 + * notice, this list of conditions and the following disclaimer.
14495 + * 2. Redistributions in binary form must reproduce the above copyright
14496 + * notice, this list of conditions and the following disclaimer in
14497 + * the documentation and/or other materials provided with the
14500 + * 3. All advertising materials mentioning features or use of this
14501 + * software must display the following acknowledgment:
14502 + * "This product includes software developed by the OpenSSL Project
14503 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
14505 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
14506 + * endorse or promote products derived from this software without
14507 + * prior written permission. For written permission, please contact
14508 + * openssl-core@openssl.org.
14510 + * 5. Products derived from this software may not be called "OpenSSL"
14511 + * nor may "OpenSSL" appear in their names without prior written
14512 + * permission of the OpenSSL Project.
14514 + * 6. Redistributions of any form whatsoever must retain the following
14515 + * acknowledgment:
14516 + * "This product includes software developed by the OpenSSL Project
14517 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
14519 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
14520 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
14521 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
14522 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
14523 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
14524 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
14525 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
14526 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
14527 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
14528 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
14529 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
14530 + * OF THE POSSIBILITY OF SUCH DAMAGE.
14534 +#include <string.h>
14535 +#include <openssl/crypto.h>
14536 +#include <openssl/dsa.h>
14537 +#include <openssl/fips.h>
14538 +#include <openssl/err.h>
14539 +#include <openssl/evp.h>
14540 +#include <openssl/bn.h>
14541 +#include "fips_locl.h"
14543 +#ifdef OPENSSL_FIPS
14545 +static const unsigned char dsa_test_2048_p[] = {
14546 + 0xa8,0x53,0x78,0xd8,0xfd,0x3f,0x8d,0x72,0xec,0x74,0x18,0x08,
14547 + 0x0d,0xa2,0x13,0x17,0xe4,0x3e,0xc4,0xb6,0x2b,0xa8,0xc8,0x62,
14548 + 0x3b,0x7e,0x4d,0x04,0x44,0x1d,0xd1,0xa0,0x65,0x86,0x62,0x59,
14549 + 0x64,0x93,0xca,0x8e,0x9e,0x8f,0xbb,0x7e,0x34,0xaa,0xdd,0xb6,
14550 + 0x2e,0x5d,0x67,0xb6,0xd0,0x9a,0x6e,0x61,0xb7,0x69,0xe7,0xc3,
14551 + 0x52,0xaa,0x2b,0x10,0xe2,0x0c,0xa0,0x63,0x69,0x63,0xb5,0x52,
14552 + 0x3e,0x86,0x47,0x0d,0xec,0xbb,0xed,0xa0,0x27,0xe7,0x97,0xe7,
14553 + 0xb6,0x76,0x35,0xd4,0xd4,0x9c,0x30,0x70,0x0e,0x74,0xaf,0x8a,
14554 + 0x0f,0xf1,0x56,0xa8,0x01,0xaf,0x57,0xa2,0x6e,0x70,0x78,0xf1,
14555 + 0xd8,0x2f,0x74,0x90,0x8e,0xcb,0x6d,0x07,0xe7,0x0b,0x35,0x03,
14556 + 0xee,0xd9,0x4f,0xa3,0x2c,0xf1,0x7a,0x7f,0xc3,0xd6,0xcf,0x40,
14557 + 0xdc,0x7b,0x00,0x83,0x0e,0x6a,0x25,0x66,0xdc,0x07,0x3e,0x34,
14558 + 0x33,0x12,0x51,0x7c,0x6a,0xa5,0x15,0x2b,0x4b,0xfe,0xcd,0x2e,
14559 + 0x55,0x1f,0xee,0x34,0x63,0x18,0xa1,0x53,0x42,0x3c,0x99,0x6b,
14560 + 0x0d,0x5d,0xcb,0x91,0x02,0xae,0xdd,0x38,0x79,0x86,0x16,0xf1,
14561 + 0xf1,0xe0,0xd6,0xc4,0x03,0x52,0x5b,0x1f,0x9b,0x3d,0x4d,0xc7,
14562 + 0x66,0xde,0x2d,0xfc,0x4a,0x56,0xd7,0xb8,0xba,0x59,0x63,0xd6,
14563 + 0x0f,0x3e,0x16,0x31,0x88,0x70,0xad,0x43,0x69,0x52,0xe5,0x57,
14564 + 0x65,0x37,0x4e,0xab,0x85,0xe8,0xec,0x17,0xd6,0xb9,0xa4,0x54,
14565 + 0x7b,0x9b,0x5f,0x27,0x52,0xf3,0x10,0x5b,0xe8,0x09,0xb2,0x3a,
14566 + 0x2c,0x8d,0x74,0x69,0xdb,0x02,0xe2,0x4d,0x59,0x23,0x94,0xa7,
14567 + 0xdb,0xa0,0x69,0xe9
14570 +static const unsigned char dsa_test_2048_q[] = {
14571 + 0xd2,0x77,0x04,0x4e,0x50,0xf5,0xa4,0xe3,0xf5,0x10,0xa5,0x0a,
14572 + 0x0b,0x84,0xfd,0xff,0xbc,0xa0,0x47,0xed,0x27,0x60,0x20,0x56,
14573 + 0x74,0x41,0xa0,0xa5
14576 +static const unsigned char dsa_test_2048_g[] = {
14577 + 0x13,0xd7,0x54,0xe2,0x1f,0xd2,0x41,0x65,0x5d,0xa8,0x91,0xc5,
14578 + 0x22,0xa6,0x5a,0x72,0xa8,0x9b,0xdc,0x64,0xec,0x9b,0x54,0xa8,
14579 + 0x21,0xed,0x4a,0x89,0x8b,0x49,0x0e,0x0c,0x4f,0xcb,0x72,0x19,
14580 + 0x2a,0x4a,0x20,0xf5,0x41,0xf3,0xf2,0x92,0x53,0x99,0xf0,0xba,
14581 + 0xec,0xf9,0x29,0xaa,0xfb,0xf7,0x9d,0xfe,0x43,0x32,0x39,0x3b,
14582 + 0x32,0xcd,0x2e,0x2f,0xcf,0x27,0x2f,0x32,0xa6,0x27,0x43,0x4a,
14583 + 0x0d,0xf2,0x42,0xb7,0x5b,0x41,0x4d,0xf3,0x72,0x12,0x1e,0x53,
14584 + 0xa5,0x53,0xf2,0x22,0xf8,0x36,0xb0,0x00,0xf0,0x16,0x48,0x5b,
14585 + 0x6b,0xd0,0x89,0x84,0x51,0x80,0x1d,0xcd,0x8d,0xe6,0x4c,0xd5,
14586 + 0x36,0x56,0x96,0xff,0xc5,0x32,0xd5,0x28,0xc5,0x06,0x62,0x0a,
14587 + 0x94,0x2a,0x03,0x05,0x04,0x6d,0x8f,0x18,0x76,0x34,0x1f,0x1e,
14588 + 0x57,0x0b,0xc3,0x97,0x4b,0xa6,0xb9,0xa4,0x38,0xe9,0x70,0x23,
14589 + 0x02,0xa2,0xe6,0xe6,0x7b,0xfd,0x06,0xd3,0x2b,0xc6,0x79,0x96,
14590 + 0x22,0x71,0xd7,0xb4,0x0c,0xd7,0x2f,0x38,0x6e,0x64,0xe0,0xd7,
14591 + 0xef,0x86,0xca,0x8c,0xa5,0xd1,0x42,0x28,0xdc,0x2a,0x4f,0x16,
14592 + 0xe3,0x18,0x98,0x86,0xb5,0x99,0x06,0x74,0xf4,0x20,0x0f,0x3a,
14593 + 0x4c,0xf6,0x5a,0x3f,0x0d,0xdb,0xa1,0xfa,0x67,0x2d,0xff,0x2f,
14594 + 0x5e,0x14,0x3d,0x10,0xe4,0xe9,0x7a,0xe8,0x4f,0x6d,0xa0,0x95,
14595 + 0x35,0xd5,0xb9,0xdf,0x25,0x91,0x81,0xa7,0x9b,0x63,0xb0,0x69,
14596 + 0xe9,0x49,0x97,0x2b,0x02,0xba,0x36,0xb3,0x58,0x6a,0xab,0x7e,
14597 + 0x45,0xf3,0x22,0xf8,0x2e,0x4e,0x85,0xca,0x3a,0xb8,0x55,0x91,
14598 + 0xb3,0xc2,0xa9,0x66
14601 +static const unsigned char dsa_test_2048_pub_key[] = {
14602 + 0x24,0x52,0xf3,0xcc,0xbe,0x9e,0xd5,0xca,0x7d,0xc7,0x4c,0x60,
14603 + 0x2b,0x99,0x22,0x6e,0x8f,0x2f,0xab,0x38,0xe7,0xd7,0xdd,0xfb,
14604 + 0x75,0x53,0x9b,0x17,0x15,0x5e,0x9f,0xcf,0xd1,0xab,0xa5,0x64,
14605 + 0xeb,0x85,0x35,0xd8,0x12,0xc9,0xc2,0xdc,0xf9,0x72,0x84,0x44,
14606 + 0x1b,0xc4,0x82,0x24,0x36,0x24,0xc7,0xf4,0x57,0x58,0x0c,0x1c,
14607 + 0x38,0xa5,0x7c,0x46,0xc4,0x57,0x39,0x24,0x70,0xed,0xb5,0x2c,
14608 + 0xb5,0xa6,0xe0,0x3f,0xe6,0x28,0x7b,0xb6,0xf4,0x9a,0x42,0xa2,
14609 + 0x06,0x5a,0x05,0x4f,0x03,0x08,0x39,0xdf,0x1f,0xd3,0x14,0x9c,
14610 + 0x4c,0xa0,0x53,0x1d,0xd8,0xca,0x8a,0xaa,0x9c,0xc7,0x33,0x71,
14611 + 0x93,0x38,0x73,0x48,0x33,0x61,0x18,0x22,0x45,0x45,0xe8,0x8c,
14612 + 0x80,0xff,0xd8,0x76,0x5d,0x74,0x36,0x03,0x33,0xcc,0xab,0x99,
14613 + 0x72,0x77,0x9b,0x65,0x25,0xa6,0x5b,0xdd,0x0d,0x10,0xc6,0x75,
14614 + 0xc1,0x09,0xbb,0xd3,0xe5,0xbe,0x4d,0x72,0xef,0x6e,0xba,0x6e,
14615 + 0x43,0x8d,0x52,0x26,0x23,0x7d,0xb8,0x88,0x37,0x9c,0x5f,0xcc,
14616 + 0x47,0xa3,0x84,0x7f,0xf6,0x37,0x11,0xba,0xed,0x6d,0x03,0xaf,
14617 + 0xe8,0x1e,0x69,0x4a,0x41,0x3b,0x68,0x0b,0xd3,0x8a,0xb4,0x90,
14618 + 0x3f,0x83,0x70,0xa7,0x07,0xef,0x55,0x1d,0x49,0x41,0x02,0x6d,
14619 + 0x95,0x79,0xd6,0x91,0xde,0x8e,0xda,0xa1,0x61,0x05,0xeb,0x9d,
14620 + 0xba,0x3c,0x2f,0x4c,0x1b,0xec,0x50,0x82,0x75,0xaa,0x02,0x07,
14621 + 0xe2,0x51,0xb5,0xec,0xcb,0x28,0x6a,0x4b,0x01,0xd4,0x49,0xd3,
14622 + 0x0a,0xcb,0x67,0x37,0x17,0xa0,0xd2,0xfb,0x3b,0x50,0xc8,0x93,
14623 + 0xf7,0xda,0xb1,0x4f
14626 +static const unsigned char dsa_test_2048_priv_key[] = {
14627 + 0x0c,0x4b,0x30,0x89,0xd1,0xb8,0x62,0xcb,0x3c,0x43,0x64,0x91,
14628 + 0xf0,0x91,0x54,0x70,0xc5,0x27,0x96,0xe3,0xac,0xbe,0xe8,0x00,
14629 + 0xec,0x55,0xf6,0xcc
14632 +static int corrupt_dsa;
14634 +void FIPS_corrupt_dsa()
14639 +int FIPS_selftest_dsa()
14642 + EVP_PKEY *pk = NULL;
14650 + fips_load_key_component(dsa, p, dsa_test_2048);
14651 + fips_load_key_component(dsa, q, dsa_test_2048);
14652 + fips_load_key_component(dsa, g, dsa_test_2048);
14653 + fips_load_key_component(dsa, pub_key, dsa_test_2048);
14654 + fips_load_key_component(dsa, priv_key, dsa_test_2048);
14657 + BN_set_bit(dsa->pub_key, 2047);
14659 + if ((pk=EVP_PKEY_new()) == NULL)
14662 + EVP_PKEY_assign_DSA(pk, dsa);
14664 + if (!fips_pkey_signature_test(pk, NULL, 0,
14665 + NULL, 0, EVP_sha256(), 0,
14672 + EVP_PKEY_free(pk);
14678 diff -up openssl-1.0.1e/crypto/fips/fips_enc.c.fips openssl-1.0.1e/crypto/fips/fips_enc.c
14679 --- openssl-1.0.1e/crypto/fips/fips_enc.c.fips 2013-02-19 12:47:33.739118872 +0100
14680 +++ openssl-1.0.1e/crypto/fips/fips_enc.c 2013-02-19 12:47:33.739118872 +0100
14682 +/* fipe/evp/fips_enc.c */
14683 +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
14684 + * All rights reserved.
14686 + * This package is an SSL implementation written
14687 + * by Eric Young (eay@cryptsoft.com).
14688 + * The implementation was written so as to conform with Netscapes SSL.
14690 + * This library is free for commercial and non-commercial use as long as
14691 + * the following conditions are aheared to. The following conditions
14692 + * apply to all code found in this distribution, be it the RC4, RSA,
14693 + * lhash, DES, etc., code; not just the SSL code. The SSL documentation
14694 + * included with this distribution is covered by the same copyright terms
14695 + * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14697 + * Copyright remains Eric Young's, and as such any Copyright notices in
14698 + * the code are not to be removed.
14699 + * If this package is used in a product, Eric Young should be given attribution
14700 + * as the author of the parts of the library used.
14701 + * This can be in the form of a textual message at program startup or
14702 + * in documentation (online or textual) provided with the package.
14704 + * Redistribution and use in source and binary forms, with or without
14705 + * modification, are permitted provided that the following conditions
14707 + * 1. Redistributions of source code must retain the copyright
14708 + * notice, this list of conditions and the following disclaimer.
14709 + * 2. Redistributions in binary form must reproduce the above copyright
14710 + * notice, this list of conditions and the following disclaimer in the
14711 + * documentation and/or other materials provided with the distribution.
14712 + * 3. All advertising materials mentioning features or use of this software
14713 + * must display the following acknowledgement:
14714 + * "This product includes cryptographic software written by
14715 + * Eric Young (eay@cryptsoft.com)"
14716 + * The word 'cryptographic' can be left out if the rouines from the library
14717 + * being used are not cryptographic related :-).
14718 + * 4. If you include any Windows specific code (or a derivative thereof) from
14719 + * the apps directory (application code) you must include an acknowledgement:
14720 + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
14722 + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
14723 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
14724 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
14725 + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
14726 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
14727 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
14728 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
14729 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
14730 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
14731 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
14734 + * The licence and distribution terms for any publically available version or
14735 + * derivative of this code cannot be changed. i.e. this code cannot simply be
14736 + * copied and put under another distribution licence
14737 + * [including the GNU Public Licence.]
14740 +#include <stdio.h>
14741 +#include <string.h>
14742 +#include <openssl/evp.h>
14743 +#include <openssl/err.h>
14744 +#include <openssl/fips.h>
14746 +const EVP_CIPHER *FIPS_get_cipherbynid(int nid)
14750 + case NID_aes_128_cbc:
14751 + return EVP_aes_128_cbc();
14753 + case NID_aes_128_ccm:
14754 + return EVP_aes_128_ccm();
14756 + case NID_aes_128_cfb1:
14757 + return EVP_aes_128_cfb1();
14759 + case NID_aes_128_cfb128:
14760 + return EVP_aes_128_cfb128();
14762 + case NID_aes_128_cfb8:
14763 + return EVP_aes_128_cfb8();
14765 + case NID_aes_128_ctr:
14766 + return EVP_aes_128_ctr();
14768 + case NID_aes_128_ecb:
14769 + return EVP_aes_128_ecb();
14771 + case NID_aes_128_gcm:
14772 + return EVP_aes_128_gcm();
14774 + case NID_aes_128_ofb128:
14775 + return EVP_aes_128_ofb();
14777 + case NID_aes_128_xts:
14778 + return EVP_aes_128_xts();
14780 + case NID_aes_192_cbc:
14781 + return EVP_aes_192_cbc();
14783 + case NID_aes_192_ccm:
14784 + return EVP_aes_192_ccm();
14786 + case NID_aes_192_cfb1:
14787 + return EVP_aes_192_cfb1();
14789 + case NID_aes_192_cfb128:
14790 + return EVP_aes_192_cfb128();
14792 + case NID_aes_192_cfb8:
14793 + return EVP_aes_192_cfb8();
14795 + case NID_aes_192_ctr:
14796 + return EVP_aes_192_ctr();
14798 + case NID_aes_192_ecb:
14799 + return EVP_aes_192_ecb();
14801 + case NID_aes_192_gcm:
14802 + return EVP_aes_192_gcm();
14804 + case NID_aes_192_ofb128:
14805 + return EVP_aes_192_ofb();
14807 + case NID_aes_256_cbc:
14808 + return EVP_aes_256_cbc();
14810 + case NID_aes_256_ccm:
14811 + return EVP_aes_256_ccm();
14813 + case NID_aes_256_cfb1:
14814 + return EVP_aes_256_cfb1();
14816 + case NID_aes_256_cfb128:
14817 + return EVP_aes_256_cfb128();
14819 + case NID_aes_256_cfb8:
14820 + return EVP_aes_256_cfb8();
14822 + case NID_aes_256_ctr:
14823 + return EVP_aes_256_ctr();
14825 + case NID_aes_256_ecb:
14826 + return EVP_aes_256_ecb();
14828 + case NID_aes_256_gcm:
14829 + return EVP_aes_256_gcm();
14831 + case NID_aes_256_ofb128:
14832 + return EVP_aes_256_ofb();
14834 + case NID_aes_256_xts:
14835 + return EVP_aes_256_xts();
14837 + case NID_des_ede_ecb:
14838 + return EVP_des_ede();
14840 + case NID_des_ede3_ecb:
14841 + return EVP_des_ede3();
14843 + case NID_des_ede3_cbc:
14844 + return EVP_des_ede3_cbc();
14846 + case NID_des_ede3_cfb1:
14847 + return EVP_des_ede3_cfb1();
14849 + case NID_des_ede3_cfb64:
14850 + return EVP_des_ede3_cfb64();
14852 + case NID_des_ede3_cfb8:
14853 + return EVP_des_ede3_cfb8();
14855 + case NID_des_ede3_ofb64:
14856 + return EVP_des_ede3_ofb();
14858 + case NID_des_ede_cbc:
14859 + return EVP_des_ede_cbc();
14861 + case NID_des_ede_cfb64:
14862 + return EVP_des_ede_cfb64();
14864 + case NID_des_ede_ofb64:
14865 + return EVP_des_ede_ofb();
14873 diff -up openssl-1.0.1e/crypto/fips/fips.h.fips openssl-1.0.1e/crypto/fips/fips.h
14874 --- openssl-1.0.1e/crypto/fips/fips.h.fips 2013-02-19 12:47:33.739118872 +0100
14875 +++ openssl-1.0.1e/crypto/fips/fips.h 2013-02-19 12:47:33.739118872 +0100
14877 +/* ====================================================================
14878 + * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
14880 + * Redistribution and use in source and binary forms, with or without
14881 + * modification, are permitted provided that the following conditions
14884 + * 1. Redistributions of source code must retain the above copyright
14885 + * notice, this list of conditions and the following disclaimer.
14887 + * 2. Redistributions in binary form must reproduce the above copyright
14888 + * notice, this list of conditions and the following disclaimer in
14889 + * the documentation and/or other materials provided with the
14892 + * 3. All advertising materials mentioning features or use of this
14893 + * software must display the following acknowledgment:
14894 + * "This product includes software developed by the OpenSSL Project
14895 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
14897 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
14898 + * endorse or promote products derived from this software without
14899 + * prior written permission. For written permission, please contact
14900 + * openssl-core@openssl.org.
14902 + * 5. Products derived from this software may not be called "OpenSSL"
14903 + * nor may "OpenSSL" appear in their names without prior written
14904 + * permission of the OpenSSL Project.
14906 + * 6. Redistributions of any form whatsoever must retain the following
14907 + * acknowledgment:
14908 + * "This product includes software developed by the OpenSSL Project
14909 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
14911 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
14912 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
14913 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
14914 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
14915 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
14916 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
14917 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
14918 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
14919 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
14920 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
14921 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
14922 + * OF THE POSSIBILITY OF SUCH DAMAGE.
14926 +#include <openssl/opensslconf.h>
14927 +#include <openssl/crypto.h>
14928 +#include <stdarg.h>
14930 +#ifndef OPENSSL_FIPS
14931 +#error FIPS is disabled.
14934 +#ifdef OPENSSL_FIPS
14936 +#ifdef __cplusplus
14942 +struct evp_pkey_st;
14944 +struct env_md_ctx_st;
14945 +struct evp_cipher_st;
14946 +struct evp_cipher_ctx_st;
14948 +struct CMAC_CTX_st;
14949 +struct hmac_ctx_st;
14951 +int FIPS_module_mode_set(int onoff, const char *auth);
14952 +int FIPS_module_mode(void);
14953 +const void *FIPS_rand_check(void);
14954 +int FIPS_selftest(void);
14955 +int FIPS_selftest_failed(void);
14956 +void FIPS_corrupt_sha1(void);
14957 +int FIPS_selftest_sha1(void);
14958 +int FIPS_selftest_sha2(void);
14959 +void FIPS_corrupt_aes(void);
14960 +int FIPS_selftest_aes_ccm(void);
14961 +int FIPS_selftest_aes_gcm(void);
14962 +int FIPS_selftest_aes_xts(void);
14963 +int FIPS_selftest_aes(void);
14964 +void FIPS_corrupt_des(void);
14965 +int FIPS_selftest_des(void);
14966 +void FIPS_corrupt_rsa(void);
14967 +void FIPS_corrupt_rsa_keygen(void);
14968 +int FIPS_selftest_rsa(void);
14969 +void FIPS_corrupt_dsa(void);
14970 +void FIPS_corrupt_dsa_keygen(void);
14971 +int FIPS_selftest_dsa(void);
14972 +void FIPS_corrupt_rng(void);
14973 +void FIPS_rng_stick(void);
14974 +void FIPS_x931_stick(int onoff);
14975 +void FIPS_drbg_stick(int onoff);
14976 +int FIPS_selftest_rng(void);
14977 +int FIPS_selftest_x931(void);
14978 +int FIPS_selftest_hmac(void);
14979 +int FIPS_selftest_drbg(void);
14980 +int FIPS_selftest_drbg_all(void);
14981 +int FIPS_selftest_cmac(void);
14983 +void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
14985 +#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \
14986 + alg " previous FIPS forbidden algorithm error ignored");
14988 +int fips_pkey_signature_test(struct evp_pkey_st *pkey,
14989 + const unsigned char *tbs, int tbslen,
14990 + const unsigned char *kat, unsigned int katlen,
14991 + const struct env_md_st *digest, unsigned int md_flags,
14992 + const char *fail_str);
14994 +int fips_cipher_test(struct evp_cipher_ctx_st *ctx,
14995 + const struct evp_cipher_st *cipher,
14996 + const unsigned char *key,
14997 + const unsigned char *iv,
14998 + const unsigned char *plaintext,
14999 + const unsigned char *ciphertext,
15002 +void fips_set_selftest_fail(void);
15004 +const struct env_md_st *FIPS_get_digestbynid(int nid);
15006 +const struct evp_cipher_st *FIPS_get_cipherbynid(int nid);
15009 +/* BEGIN ERROR CODES */
15010 +/* The following lines are auto generated by the script mkerr.pl. Any changes
15011 + * made after this point may be overwritten when the script is next run.
15013 +void ERR_load_FIPS_strings(void);
15015 +/* Error codes for the FIPS functions. */
15017 +/* Function codes. */
15018 +#define FIPS_F_DH_BUILTIN_GENPARAMS 100
15019 +#define FIPS_F_DH_INIT 148
15020 +#define FIPS_F_DRBG_RESEED 162
15021 +#define FIPS_F_DSA_BUILTIN_PARAMGEN 101
15022 +#define FIPS_F_DSA_BUILTIN_PARAMGEN2 107
15023 +#define FIPS_F_DSA_DO_SIGN 102
15024 +#define FIPS_F_DSA_DO_VERIFY 103
15025 +#define FIPS_F_ECDH_COMPUTE_KEY 163
15026 +#define FIPS_F_ECDSA_DO_SIGN 164
15027 +#define FIPS_F_ECDSA_DO_VERIFY 165
15028 +#define FIPS_F_EC_KEY_GENERATE_KEY 166
15029 +#define FIPS_F_EVP_CIPHERINIT_EX 124
15030 +#define FIPS_F_EVP_DIGESTINIT_EX 125
15031 +#define FIPS_F_FIPS_CHECK_DSA 104
15032 +#define FIPS_F_FIPS_CHECK_DSA_PRNG 151
15033 +#define FIPS_F_FIPS_CHECK_EC 142
15034 +#define FIPS_F_FIPS_CHECK_EC_PRNG 152
15035 +#define FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT 105
15036 +#define FIPS_F_FIPS_CHECK_RSA 106
15037 +#define FIPS_F_FIPS_CHECK_RSA_PRNG 150
15038 +#define FIPS_F_FIPS_CIPHER 160
15039 +#define FIPS_F_FIPS_CIPHERINIT 143
15040 +#define FIPS_F_FIPS_CIPHER_CTX_CTRL 161
15041 +#define FIPS_F_FIPS_DIGESTFINAL 158
15042 +#define FIPS_F_FIPS_DIGESTINIT 128
15043 +#define FIPS_F_FIPS_DIGESTUPDATE 159
15044 +#define FIPS_F_FIPS_DRBG_BYTES 131
15045 +#define FIPS_F_FIPS_DRBG_CHECK 146
15046 +#define FIPS_F_FIPS_DRBG_CPRNG_TEST 132
15047 +#define FIPS_F_FIPS_DRBG_ERROR_CHECK 136
15048 +#define FIPS_F_FIPS_DRBG_GENERATE 134
15049 +#define FIPS_F_FIPS_DRBG_INIT 135
15050 +#define FIPS_F_FIPS_DRBG_INSTANTIATE 138
15051 +#define FIPS_F_FIPS_DRBG_NEW 139
15052 +#define FIPS_F_FIPS_DRBG_RESEED 140
15053 +#define FIPS_F_FIPS_DRBG_SINGLE_KAT 141
15054 +#define FIPS_F_FIPS_DSA_CHECK /* unused */ 107
15055 +#define FIPS_F_FIPS_DSA_SIGN_DIGEST 154
15056 +#define FIPS_F_FIPS_DSA_VERIFY_DIGEST 155
15057 +#define FIPS_F_FIPS_GET_ENTROPY 147
15058 +#define FIPS_F_FIPS_MODE_SET /* unused */ 108
15059 +#define FIPS_F_FIPS_MODULE_MODE_SET 108
15060 +#define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109
15061 +#define FIPS_F_FIPS_RAND_ADD 137
15062 +#define FIPS_F_FIPS_RAND_BYTES 122
15063 +#define FIPS_F_FIPS_RAND_PSEUDO_BYTES 167
15064 +#define FIPS_F_FIPS_RAND_SEED 168
15065 +#define FIPS_F_FIPS_RAND_SET_METHOD 126
15066 +#define FIPS_F_FIPS_RAND_STATUS 127
15067 +#define FIPS_F_FIPS_RSA_SIGN_DIGEST 156
15068 +#define FIPS_F_FIPS_RSA_VERIFY_DIGEST 157
15069 +#define FIPS_F_FIPS_SELFTEST_AES 110
15070 +#define FIPS_F_FIPS_SELFTEST_AES_CCM 145
15071 +#define FIPS_F_FIPS_SELFTEST_AES_GCM 129
15072 +#define FIPS_F_FIPS_SELFTEST_AES_XTS 144
15073 +#define FIPS_F_FIPS_SELFTEST_CMAC 130
15074 +#define FIPS_F_FIPS_SELFTEST_DES 111
15075 +#define FIPS_F_FIPS_SELFTEST_DSA 112
15076 +#define FIPS_F_FIPS_SELFTEST_ECDSA 133
15077 +#define FIPS_F_FIPS_SELFTEST_HMAC 113
15078 +#define FIPS_F_FIPS_SELFTEST_RNG /* unused */ 114
15079 +#define FIPS_F_FIPS_SELFTEST_SHA1 115
15080 +#define FIPS_F_FIPS_SELFTEST_X931 114
15081 +#define FIPS_F_FIPS_SET_PRNG_KEY 153
15082 +#define FIPS_F_HASH_FINAL 123
15083 +#define FIPS_F_RSA_BUILTIN_KEYGEN 116
15084 +#define FIPS_F_RSA_EAY_INIT 149
15085 +#define FIPS_F_RSA_EAY_PRIVATE_DECRYPT 117
15086 +#define FIPS_F_RSA_EAY_PRIVATE_ENCRYPT 118
15087 +#define FIPS_F_RSA_EAY_PUBLIC_DECRYPT 119
15088 +#define FIPS_F_RSA_EAY_PUBLIC_ENCRYPT 120
15089 +#define FIPS_F_RSA_X931_GENERATE_KEY_EX 121
15090 +#define FIPS_F_SSLEAY_RAND_BYTES /* unused */ 122
15092 +/* Reason codes. */
15093 +#define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 150
15094 +#define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 125
15095 +#define FIPS_R_ALREADY_INSTANTIATED 134
15096 +#define FIPS_R_AUTHENTICATION_FAILURE 151
15097 +#define FIPS_R_CANNOT_READ_EXE /* unused */ 103
15098 +#define FIPS_R_CANNOT_READ_EXE_DIGEST /* unused */ 104
15099 +#define FIPS_R_CONTRADICTING_EVIDENCE 114
15100 +#define FIPS_R_DRBG_NOT_INITIALISED 152
15101 +#define FIPS_R_DRBG_STUCK 103
15102 +#define FIPS_R_ENTROPY_ERROR_UNDETECTED 104
15103 +#define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105
15104 +#define FIPS_R_ENTROPY_SOURCE_STUCK 142
15105 +#define FIPS_R_ERROR_INITIALISING_DRBG 115
15106 +#define FIPS_R_ERROR_INSTANTIATING_DRBG 127
15107 +#define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 124
15108 +#define FIPS_R_ERROR_RETRIEVING_ENTROPY 122
15109 +#define FIPS_R_ERROR_RETRIEVING_NONCE 140
15110 +#define FIPS_R_EXE_DIGEST_DOES_NOT_MATCH /* unused */ 105
15111 +#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 110
15112 +#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED 111
15113 +#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING 112
15114 +#define FIPS_R_FIPS_MODE_ALREADY_SET 102
15115 +#define FIPS_R_FIPS_SELFTEST_FAILED 106
15116 +#define FIPS_R_FUNCTION_ERROR 116
15117 +#define FIPS_R_GENERATE_ERROR 137
15118 +#define FIPS_R_GENERATE_ERROR_UNDETECTED 118
15119 +#define FIPS_R_INSTANTIATE_ERROR 119
15120 +#define FIPS_R_INSUFFICIENT_SECURITY_STRENGTH 120
15121 +#define FIPS_R_INTERNAL_ERROR 121
15122 +#define FIPS_R_INVALID_KEY_LENGTH 109
15123 +#define FIPS_R_INVALID_PARAMETERS 144
15124 +#define FIPS_R_IN_ERROR_STATE 123
15125 +#define FIPS_R_KEY_TOO_SHORT 108
15126 +#define FIPS_R_NONCE_ERROR_UNDETECTED 149
15127 +#define FIPS_R_NON_FIPS_METHOD 100
15128 +#define FIPS_R_NOPR_TEST1_FAILURE 145
15129 +#define FIPS_R_NOPR_TEST2_FAILURE 146
15130 +#define FIPS_R_NOT_INSTANTIATED 126
15131 +#define FIPS_R_PAIRWISE_TEST_FAILED 107
15132 +#define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128
15133 +#define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129
15134 +#define FIPS_R_PRNG_STRENGTH_TOO_LOW 143
15135 +#define FIPS_R_PR_TEST1_FAILURE 147
15136 +#define FIPS_R_PR_TEST2_FAILURE 148
15137 +#define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 130
15138 +#define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 131
15139 +#define FIPS_R_RESEED_COUNTER_ERROR 132
15140 +#define FIPS_R_RESEED_ERROR 133
15141 +#define FIPS_R_RSA_DECRYPT_ERROR /* unused */ 115
15142 +#define FIPS_R_RSA_ENCRYPT_ERROR /* unused */ 116
15143 +#define FIPS_R_SELFTEST_FAILED 101
15144 +#define FIPS_R_SELFTEST_FAILURE 135
15145 +#define FIPS_R_STRENGTH_ERROR_UNDETECTED 136
15146 +#define FIPS_R_TEST_FAILURE 117
15147 +#define FIPS_R_UNINSTANTIATE_ERROR 141
15148 +#define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 138
15149 +#define FIPS_R_UNSUPPORTED_DRBG_TYPE 139
15150 +#define FIPS_R_UNSUPPORTED_PLATFORM 113
15152 +#ifdef __cplusplus
15156 diff -up openssl-1.0.1e/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_hmac_selftest.c
15157 --- openssl-1.0.1e/crypto/fips/fips_hmac_selftest.c.fips 2013-02-19 12:47:33.739118872 +0100
15158 +++ openssl-1.0.1e/crypto/fips/fips_hmac_selftest.c 2013-02-19 12:47:33.740118893 +0100
15160 +/* ====================================================================
15161 + * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
15163 + * Redistribution and use in source and binary forms, with or without
15164 + * modification, are permitted provided that the following conditions
15167 + * 1. Redistributions of source code must retain the above copyright
15168 + * notice, this list of conditions and the following disclaimer.
15170 + * 2. Redistributions in binary form must reproduce the above copyright
15171 + * notice, this list of conditions and the following disclaimer in
15172 + * the documentation and/or other materials provided with the
15175 + * 3. All advertising materials mentioning features or use of this
15176 + * software must display the following acknowledgment:
15177 + * "This product includes software developed by the OpenSSL Project
15178 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
15180 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
15181 + * endorse or promote products derived from this software without
15182 + * prior written permission. For written permission, please contact
15183 + * openssl-core@openssl.org.
15185 + * 5. Products derived from this software may not be called "OpenSSL"
15186 + * nor may "OpenSSL" appear in their names without prior written
15187 + * permission of the OpenSSL Project.
15189 + * 6. Redistributions of any form whatsoever must retain the following
15190 + * acknowledgment:
15191 + * "This product includes software developed by the OpenSSL Project
15192 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
15194 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
15195 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15196 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
15197 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
15198 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
15199 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
15200 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
15201 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
15202 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
15203 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
15204 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
15205 + * OF THE POSSIBILITY OF SUCH DAMAGE.
15209 +#include <string.h>
15210 +#include <openssl/err.h>
15211 +#ifdef OPENSSL_FIPS
15212 +#include <openssl/fips.h>
15214 +#include <openssl/hmac.h>
15216 +#ifdef OPENSSL_FIPS
15218 + const EVP_MD *(*alg)(void);
15219 + const char *key, *iv;
15220 + unsigned char kaval[EVP_MAX_MD_SIZE];
15223 +static const HMAC_KAT vector[] = {
15225 + /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */
15226 + "0123456789:;<=>?@ABC",
15228 + { 0x09,0x22,0xd3,0x40,0x5f,0xaa,0x3d,0x19,
15229 + 0x4f,0x82,0xa4,0x58,0x30,0x73,0x7d,0x5c,
15230 + 0xc6,0xc7,0x5d,0x24 }
15233 + /* just keep extending the above... */
15234 + "0123456789:;<=>?@ABC",
15236 + { 0xdd,0xef,0x0a,0x40,0xcb,0x7d,0x50,0xfb,
15237 + 0x6e,0xe6,0xce,0xa1,0x20,0xba,0x26,0xaa,
15238 + 0x08,0xf3,0x07,0x75,0x87,0xb8,0xad,0x1b,
15239 + 0x8c,0x8d,0x12,0xc7 }
15242 + "0123456789:;<=>?@ABC",
15244 + { 0xb8,0xf2,0x0d,0xb5,0x41,0xea,0x43,0x09,
15245 + 0xca,0x4e,0xa9,0x38,0x0c,0xd0,0xe8,0x34,
15246 + 0xf7,0x1f,0xbe,0x91,0x74,0xa2,0x61,0x38,
15247 + 0x0d,0xc1,0x7e,0xae,0x6a,0x34,0x51,0xd9 }
15250 + "0123456789:;<=>?@ABC",
15252 + { 0x08,0xbc,0xb0,0xda,0x49,0x1e,0x87,0xad,
15253 + 0x9a,0x1d,0x6a,0xce,0x23,0xc5,0x0b,0xf6,
15254 + 0xb7,0x18,0x06,0xa5,0x77,0xcd,0x49,0x04,
15255 + 0x89,0xf1,0xe6,0x23,0x44,0x51,0x51,0x9f,
15256 + 0x85,0x56,0x80,0x79,0x0c,0xbd,0x4d,0x50,
15257 + 0xa4,0x5f,0x29,0xe3,0x93,0xf0,0xe8,0x7f }
15260 + "0123456789:;<=>?@ABC",
15262 + { 0x80,0x9d,0x44,0x05,0x7c,0x5b,0x95,0x41,
15263 + 0x05,0xbd,0x04,0x13,0x16,0xdb,0x0f,0xac,
15264 + 0x44,0xd5,0xa4,0xd5,0xd0,0x89,0x2b,0xd0,
15265 + 0x4e,0x86,0x64,0x12,0xc0,0x90,0x77,0x68,
15266 + 0xf1,0x87,0xb7,0x7c,0x4f,0xae,0x2c,0x2f,
15267 + 0x21,0xa5,0xb5,0x65,0x9a,0x4f,0x4b,0xa7,
15268 + 0x47,0x02,0xa3,0xde,0x9b,0x51,0xf1,0x45,
15269 + 0xbd,0x4f,0x25,0x27,0x42,0x98,0x99,0x05 }
15273 +int FIPS_selftest_hmac()
15276 + unsigned int outlen;
15277 + unsigned char out[EVP_MAX_MD_SIZE];
15278 + const EVP_MD *md;
15279 + const HMAC_KAT *t;
15281 + for(n=0,t=vector; n<sizeof(vector)/sizeof(vector[0]); n++,t++)
15283 + md = (*t->alg)();
15284 + HMAC(md,t->key,strlen(t->key),
15285 + (const unsigned char *)t->iv,strlen(t->iv),
15288 + if(memcmp(out,t->kaval,outlen))
15290 + FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC,FIPS_R_SELFTEST_FAILED);
15297 diff -up openssl-1.0.1e/crypto/fips/fips_locl.h.fips openssl-1.0.1e/crypto/fips/fips_locl.h
15298 --- openssl-1.0.1e/crypto/fips/fips_locl.h.fips 2013-02-19 12:47:33.740118893 +0100
15299 +++ openssl-1.0.1e/crypto/fips/fips_locl.h 2013-02-19 12:47:33.740118893 +0100
15301 +/* ====================================================================
15302 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
15304 + * Redistribution and use in source and binary forms, with or without
15305 + * modification, are permitted provided that the following conditions
15308 + * 1. Redistributions of source code must retain the above copyright
15309 + * notice, this list of conditions and the following disclaimer.
15311 + * 2. Redistributions in binary form must reproduce the above copyright
15312 + * notice, this list of conditions and the following disclaimer in
15313 + * the documentation and/or other materials provided with the
15316 + * 3. All advertising materials mentioning features or use of this
15317 + * software must display the following acknowledgment:
15318 + * "This product includes software developed by the OpenSSL Project
15319 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
15321 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
15322 + * endorse or promote products derived from this software without
15323 + * prior written permission. For written permission, please contact
15324 + * openssl-core@openssl.org.
15326 + * 5. Products derived from this software may not be called "OpenSSL"
15327 + * nor may "OpenSSL" appear in their names without prior written
15328 + * permission of the OpenSSL Project.
15330 + * 6. Redistributions of any form whatsoever must retain the following
15331 + * acknowledgment:
15332 + * "This product includes software developed by the OpenSSL Project
15333 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
15335 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
15336 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15337 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
15338 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
15339 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
15340 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
15341 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
15342 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
15343 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
15344 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
15345 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
15346 + * OF THE POSSIBILITY OF SUCH DAMAGE.
15350 +#ifdef OPENSSL_FIPS
15352 +#ifdef __cplusplus
15356 +#define FIPS_MAX_CIPHER_TEST_SIZE 32
15357 +#define fips_load_key_component(key, comp, pre) \
15358 + key->comp = BN_bin2bn(pre##_##comp, sizeof(pre##_##comp), key->comp); \
15359 + if (!key->comp) \
15362 +#define fips_post_started(id, subid, ex) 1
15363 +#define fips_post_success(id, subid, ex) 1
15364 +#define fips_post_failed(id, subid, ex) 1
15365 +#define fips_post_corrupt(id, subid, ex) 1
15366 +#define fips_post_status() 1
15368 +#ifdef __cplusplus
15372 diff -up openssl-1.0.1e/crypto/fips/fips_md.c.fips openssl-1.0.1e/crypto/fips/fips_md.c
15373 --- openssl-1.0.1e/crypto/fips/fips_md.c.fips 2013-02-19 12:47:33.740118893 +0100
15374 +++ openssl-1.0.1e/crypto/fips/fips_md.c 2013-02-19 12:47:33.740118893 +0100
15376 +/* fips/evp/fips_md.c */
15377 +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
15378 + * All rights reserved.
15380 + * This package is an SSL implementation written
15381 + * by Eric Young (eay@cryptsoft.com).
15382 + * The implementation was written so as to conform with Netscapes SSL.
15384 + * This library is free for commercial and non-commercial use as long as
15385 + * the following conditions are aheared to. The following conditions
15386 + * apply to all code found in this distribution, be it the RC4, RSA,
15387 + * lhash, DES, etc., code; not just the SSL code. The SSL documentation
15388 + * included with this distribution is covered by the same copyright terms
15389 + * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15391 + * Copyright remains Eric Young's, and as such any Copyright notices in
15392 + * the code are not to be removed.
15393 + * If this package is used in a product, Eric Young should be given attribution
15394 + * as the author of the parts of the library used.
15395 + * This can be in the form of a textual message at program startup or
15396 + * in documentation (online or textual) provided with the package.
15398 + * Redistribution and use in source and binary forms, with or without
15399 + * modification, are permitted provided that the following conditions
15401 + * 1. Redistributions of source code must retain the copyright
15402 + * notice, this list of conditions and the following disclaimer.
15403 + * 2. Redistributions in binary form must reproduce the above copyright
15404 + * notice, this list of conditions and the following disclaimer in the
15405 + * documentation and/or other materials provided with the distribution.
15406 + * 3. All advertising materials mentioning features or use of this software
15407 + * must display the following acknowledgement:
15408 + * "This product includes cryptographic software written by
15409 + * Eric Young (eay@cryptsoft.com)"
15410 + * The word 'cryptographic' can be left out if the rouines from the library
15411 + * being used are not cryptographic related :-).
15412 + * 4. If you include any Windows specific code (or a derivative thereof) from
15413 + * the apps directory (application code) you must include an acknowledgement:
15414 + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
15416 + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
15417 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15418 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
15419 + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
15420 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
15421 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
15422 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
15423 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
15424 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
15425 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
15428 + * The licence and distribution terms for any publically available version or
15429 + * derivative of this code cannot be changed. i.e. this code cannot simply be
15430 + * copied and put under another distribution licence
15431 + * [including the GNU Public Licence.]
15433 +/* ====================================================================
15434 + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
15436 + * Redistribution and use in source and binary forms, with or without
15437 + * modification, are permitted provided that the following conditions
15440 + * 1. Redistributions of source code must retain the above copyright
15441 + * notice, this list of conditions and the following disclaimer.
15443 + * 2. Redistributions in binary form must reproduce the above copyright
15444 + * notice, this list of conditions and the following disclaimer in
15445 + * the documentation and/or other materials provided with the
15448 + * 3. All advertising materials mentioning features or use of this
15449 + * software must display the following acknowledgment:
15450 + * "This product includes software developed by the OpenSSL Project
15451 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
15453 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
15454 + * endorse or promote products derived from this software without
15455 + * prior written permission. For written permission, please contact
15456 + * openssl-core@openssl.org.
15458 + * 5. Products derived from this software may not be called "OpenSSL"
15459 + * nor may "OpenSSL" appear in their names without prior written
15460 + * permission of the OpenSSL Project.
15462 + * 6. Redistributions of any form whatsoever must retain the following
15463 + * acknowledgment:
15464 + * "This product includes software developed by the OpenSSL Project
15465 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
15467 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
15468 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15469 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
15470 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
15471 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
15472 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
15473 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
15474 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
15475 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
15476 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
15477 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
15478 + * OF THE POSSIBILITY OF SUCH DAMAGE.
15479 + * ====================================================================
15481 + * This product includes cryptographic software written by Eric Young
15482 + * (eay@cryptsoft.com). This product includes software written by Tim
15483 + * Hudson (tjh@cryptsoft.com).
15487 +/* Minimal standalone FIPS versions of Digest operations */
15489 +#define OPENSSL_FIPSAPI
15491 +#include <stdio.h>
15492 +#include <string.h>
15493 +#include <openssl/objects.h>
15494 +#include <openssl/evp.h>
15495 +#include <openssl/err.h>
15496 +#include <openssl/fips.h>
15498 +const EVP_MD *FIPS_get_digestbynid(int nid)
15503 + return EVP_sha1();
15506 + return EVP_sha224();
15509 + return EVP_sha256();
15512 + return EVP_sha384();
15515 + return EVP_sha512();
15521 diff -up openssl-1.0.1e/crypto/fips/fips_post.c.fips openssl-1.0.1e/crypto/fips/fips_post.c
15522 --- openssl-1.0.1e/crypto/fips/fips_post.c.fips 2013-02-19 12:47:33.740118893 +0100
15523 +++ openssl-1.0.1e/crypto/fips/fips_post.c 2013-02-19 12:47:33.740118893 +0100
15525 +/* ====================================================================
15526 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
15528 + * Redistribution and use in source and binary forms, with or without
15529 + * modification, are permitted provided that the following conditions
15532 + * 1. Redistributions of source code must retain the above copyright
15533 + * notice, this list of conditions and the following disclaimer.
15535 + * 2. Redistributions in binary form must reproduce the above copyright
15536 + * notice, this list of conditions and the following disclaimer in
15537 + * the documentation and/or other materials provided with the
15540 + * 3. All advertising materials mentioning features or use of this
15541 + * software must display the following acknowledgment:
15542 + * "This product includes software developed by the OpenSSL Project
15543 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
15545 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
15546 + * endorse or promote products derived from this software without
15547 + * prior written permission. For written permission, please contact
15548 + * openssl-core@openssl.org.
15550 + * 5. Products derived from this software may not be called "OpenSSL"
15551 + * nor may "OpenSSL" appear in their names without prior written
15552 + * permission of the OpenSSL Project.
15554 + * 6. Redistributions of any form whatsoever must retain the following
15555 + * acknowledgment:
15556 + * "This product includes software developed by the OpenSSL Project
15557 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
15559 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
15560 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15561 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
15562 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
15563 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
15564 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
15565 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
15566 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
15567 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
15568 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
15569 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
15570 + * OF THE POSSIBILITY OF SUCH DAMAGE.
15574 +#define OPENSSL_FIPSAPI
15576 +#include <openssl/crypto.h>
15577 +#include <openssl/rand.h>
15578 +#include <openssl/fips_rand.h>
15579 +#include <openssl/err.h>
15580 +#include <openssl/bio.h>
15581 +#include <openssl/hmac.h>
15582 +#include <openssl/rsa.h>
15583 +#include <openssl/dsa.h>
15584 +#include <string.h>
15585 +#include <limits.h>
15587 +#ifdef OPENSSL_FIPS
15589 +/* Power on self test (POST) support functions */
15591 +#include <openssl/fips.h>
15592 +#include "fips_locl.h"
15594 +/* Run all selftests */
15595 +int FIPS_selftest(void)
15598 + if (!FIPS_selftest_drbg())
15600 + if (!FIPS_selftest_x931())
15602 + if (!FIPS_selftest_sha1())
15604 + if (!FIPS_selftest_sha2())
15606 + if (!FIPS_selftest_hmac())
15608 + if (!FIPS_selftest_cmac())
15610 + if (!FIPS_selftest_aes())
15612 + if (!FIPS_selftest_aes_ccm())
15614 + if (!FIPS_selftest_aes_gcm())
15616 + if (!FIPS_selftest_aes_xts())
15618 + if (!FIPS_selftest_des())
15620 + if (!FIPS_selftest_rsa())
15622 + if (!FIPS_selftest_dsa())
15627 +/* Generalized public key test routine. Signs and verifies the data
15628 + * supplied in tbs using mesage digest md and setting option digest
15629 + * flags md_flags. If the 'kat' parameter is not NULL it will
15630 + * additionally check the signature matches it: a known answer test
15631 + * The string "fail_str" is used for identification purposes in case
15632 + * of failure. If "pkey" is NULL just perform a message digest check.
15635 +int fips_pkey_signature_test(EVP_PKEY *pkey,
15636 + const unsigned char *tbs, int tbslen,
15637 + const unsigned char *kat, unsigned int katlen,
15638 + const EVP_MD *digest, unsigned int md_flags,
15639 + const char *fail_str)
15642 + unsigned char sigtmp[256], *sig = sigtmp;
15643 + unsigned int siglen;
15645 + EVP_MD_CTX_init(&mctx);
15647 + if (digest == NULL)
15648 + digest = EVP_sha256();
15650 + if ((pkey->type == EVP_PKEY_RSA)
15651 + && (RSA_size(pkey->pkey.rsa) > sizeof(sigtmp)))
15653 + sig = OPENSSL_malloc(RSA_size(pkey->pkey.rsa));
15656 + FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST,ERR_R_MALLOC_FAILURE);
15661 + if (tbslen == -1)
15662 + tbslen = strlen((char *)tbs);
15665 + EVP_MD_CTX_set_flags(&mctx, md_flags);
15667 + if (!EVP_SignInit_ex(&mctx, digest, NULL))
15669 + if (!EVP_SignUpdate(&mctx, tbs, tbslen))
15671 + if (!EVP_SignFinal(&mctx, sig, &siglen, pkey))
15674 + if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen)))
15677 + if (!EVP_VerifyInit_ex(&mctx, digest, NULL))
15679 + if (!EVP_VerifyUpdate(&mctx, tbs, tbslen))
15681 + ret = EVP_VerifyFinal(&mctx, sig, siglen, pkey);
15684 + if (sig != sigtmp)
15685 + OPENSSL_free(sig);
15686 + EVP_MD_CTX_cleanup(&mctx);
15689 + FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST,FIPS_R_TEST_FAILURE);
15691 + ERR_add_error_data(2, "Type=", fail_str);
15697 +/* Generalized symmetric cipher test routine. Encrypt data, verify result
15698 + * against known answer, decrypt and compare with original plaintext.
15701 +int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
15702 + const unsigned char *key,
15703 + const unsigned char *iv,
15704 + const unsigned char *plaintext,
15705 + const unsigned char *ciphertext,
15708 + unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE];
15709 + unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE];
15711 + OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE);
15712 + memset(pltmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
15713 + memset(citmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
15715 + if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0)
15717 + if (EVP_Cipher(ctx, citmp, plaintext, len) <= 0)
15719 + if (memcmp(citmp, ciphertext, len))
15721 + if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0)
15723 + if (EVP_Cipher(ctx, pltmp, citmp, len) <= 0)
15725 + if (memcmp(pltmp, plaintext, len))
15730 diff -up openssl-1.0.1e/crypto/fips/fips_rand.c.fips openssl-1.0.1e/crypto/fips/fips_rand.c
15731 --- openssl-1.0.1e/crypto/fips/fips_rand.c.fips 2013-02-19 12:47:33.740118893 +0100
15732 +++ openssl-1.0.1e/crypto/fips/fips_rand.c 2013-02-19 12:47:33.740118893 +0100
15734 +/* ====================================================================
15735 + * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
15737 + * Redistribution and use in source and binary forms, with or without
15738 + * modification, are permitted provided that the following conditions
15741 + * 1. Redistributions of source code must retain the above copyright
15742 + * notice, this list of conditions and the following disclaimer.
15744 + * 2. Redistributions in binary form must reproduce the above copyright
15745 + * notice, this list of conditions and the following disclaimer in
15746 + * the documentation and/or other materials provided with the
15749 + * 3. All advertising materials mentioning features or use of this
15750 + * software must display the following acknowledgment:
15751 + * "This product includes software developed by the OpenSSL Project
15752 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
15754 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
15755 + * endorse or promote products derived from this software without
15756 + * prior written permission. For written permission, please contact
15757 + * openssl-core@openssl.org.
15759 + * 5. Products derived from this software may not be called "OpenSSL"
15760 + * nor may "OpenSSL" appear in their names without prior written
15761 + * permission of the OpenSSL Project.
15763 + * 6. Redistributions of any form whatsoever must retain the following
15764 + * acknowledgment:
15765 + * "This product includes software developed by the OpenSSL Project
15766 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
15768 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
15769 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15770 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
15771 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
15772 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
15773 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
15774 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
15775 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
15776 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
15777 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
15778 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
15779 + * OF THE POSSIBILITY OF SUCH DAMAGE.
15784 + * This is a FIPS approved AES PRNG based on ANSI X9.31 A.2.4.
15786 +#include <openssl/crypto.h>
15789 +/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't
15790 + be defined and gettimeofday() won't be declared with strict compilers
15791 + like DEC C in ANSI C mode. */
15792 +#ifndef _XOPEN_SOURCE_EXTENDED
15793 +#define _XOPEN_SOURCE_EXTENDED 1
15796 +#include <openssl/rand.h>
15797 +#include <openssl/aes.h>
15798 +#include <openssl/err.h>
15799 +#include <openssl/fips_rand.h>
15800 +#if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS))
15801 +# include <sys/time.h>
15803 +#if defined(OPENSSL_SYS_VXWORKS)
15804 +# include <time.h>
15806 +#include <assert.h>
15807 +#ifndef OPENSSL_SYS_WIN32
15808 +# ifdef OPENSSL_UNISTD
15809 +# include OPENSSL_UNISTD
15811 +# include <unistd.h>
15814 +#include <string.h>
15815 +#include <openssl/fips.h>
15816 +#include "fips_locl.h"
15818 +#ifdef OPENSSL_FIPS
15820 +void *OPENSSL_stderr(void);
15822 +#define AES_BLOCK_LENGTH 16
15825 +/* AES FIPS PRNG implementation */
15834 + unsigned long counter;
15837 + /* Temporary storage for key if it equals seed length */
15838 + unsigned char tmp_key[AES_BLOCK_LENGTH];
15839 + unsigned char V[AES_BLOCK_LENGTH];
15840 + unsigned char DT[AES_BLOCK_LENGTH];
15841 + unsigned char last[AES_BLOCK_LENGTH];
15844 +static FIPS_PRNG_CTX sctx;
15846 +static int fips_prng_fail = 0;
15848 +void FIPS_x931_stick(int onoff)
15850 + fips_prng_fail = onoff;
15853 +void FIPS_rng_stick(void)
15855 + FIPS_x931_stick(1);
15858 +static void fips_rand_prng_reset(FIPS_PRNG_CTX *ctx)
15862 + ctx->test_mode = 0;
15863 + ctx->counter = 0;
15867 + OPENSSL_cleanse(ctx->V, AES_BLOCK_LENGTH);
15868 + OPENSSL_cleanse(&ctx->ks, sizeof(AES_KEY));
15872 +static int fips_set_prng_key(FIPS_PRNG_CTX *ctx,
15873 + const unsigned char *key, unsigned int keylen)
15875 + if (FIPS_selftest_failed())
15877 + FIPSerr(FIPS_F_FIPS_SET_PRNG_KEY, FIPS_R_SELFTEST_FAILED);
15880 + if (keylen != 16 && keylen != 24 && keylen != 32)
15882 + /* error: invalid key size */
15885 + AES_set_encrypt_key(key, keylen << 3, &ctx->ks);
15886 + if (keylen == 16)
15888 + memcpy(ctx->tmp_key, key, 16);
15898 +static int fips_set_prng_seed(FIPS_PRNG_CTX *ctx,
15899 + const unsigned char *seed, unsigned int seedlen)
15904 + /* In test mode seed is just supplied data */
15905 + if (ctx->test_mode)
15907 + if (seedlen != AES_BLOCK_LENGTH)
15909 + memcpy(ctx->V, seed, AES_BLOCK_LENGTH);
15913 + /* Outside test mode XOR supplied data with existing seed */
15914 + for (i = 0; i < seedlen; i++)
15916 + ctx->V[ctx->vpos++] ^= seed[i];
15917 + if (ctx->vpos == AES_BLOCK_LENGTH)
15920 + /* Special case if first seed and key length equals
15921 + * block size check key and seed do not match.
15923 + if (ctx->keyed == 2)
15925 + if (!memcmp(ctx->tmp_key, ctx->V, 16))
15927 + RANDerr(RAND_F_FIPS_SET_PRNG_SEED,
15928 + RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY);
15931 + OPENSSL_cleanse(ctx->tmp_key, 16);
15940 +static int fips_set_test_mode(FIPS_PRNG_CTX *ctx)
15944 + RANDerr(RAND_F_FIPS_SET_TEST_MODE,RAND_R_PRNG_KEYED);
15947 + ctx->test_mode = 1;
15951 +int FIPS_x931_test_mode(void)
15953 + return fips_set_test_mode(&sctx);
15956 +int FIPS_rand_test_mode(void)
15958 + return fips_set_test_mode(&sctx);
15962 +int FIPS_x931_set_dt(unsigned char *dt)
15964 + if (!sctx.test_mode)
15966 + RANDerr(RAND_F_FIPS_X931_SET_DT,RAND_R_NOT_IN_TEST_MODE);
15969 + memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
15973 +int FIPS_rand_set_dt(unsigned char *dt)
15975 + if (!sctx.test_mode)
15977 + RANDerr(RAND_F_FIPS_RAND_SET_DT,RAND_R_NOT_IN_TEST_MODE);
15980 + memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
15984 +void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr)
15986 +#ifdef OPENSSL_SYS_WIN32
15988 +#elif defined(OPENSSL_SYS_VXWORKS)
15989 + struct timespec ts;
15991 + struct timeval tv;
15994 +#ifndef GETPID_IS_MEANINGLESS
15995 + unsigned long pid;
15998 +#ifdef OPENSSL_SYS_WIN32
15999 + GetSystemTimeAsFileTime(&ft);
16000 + buf[0] = (unsigned char) (ft.dwHighDateTime & 0xff);
16001 + buf[1] = (unsigned char) ((ft.dwHighDateTime >> 8) & 0xff);
16002 + buf[2] = (unsigned char) ((ft.dwHighDateTime >> 16) & 0xff);
16003 + buf[3] = (unsigned char) ((ft.dwHighDateTime >> 24) & 0xff);
16004 + buf[4] = (unsigned char) (ft.dwLowDateTime & 0xff);
16005 + buf[5] = (unsigned char) ((ft.dwLowDateTime >> 8) & 0xff);
16006 + buf[6] = (unsigned char) ((ft.dwLowDateTime >> 16) & 0xff);
16007 + buf[7] = (unsigned char) ((ft.dwLowDateTime >> 24) & 0xff);
16008 +#elif defined(OPENSSL_SYS_VXWORKS)
16009 + clock_gettime(CLOCK_REALTIME, &ts);
16010 + buf[0] = (unsigned char) (ts.tv_sec & 0xff);
16011 + buf[1] = (unsigned char) ((ts.tv_sec >> 8) & 0xff);
16012 + buf[2] = (unsigned char) ((ts.tv_sec >> 16) & 0xff);
16013 + buf[3] = (unsigned char) ((ts.tv_sec >> 24) & 0xff);
16014 + buf[4] = (unsigned char) (ts.tv_nsec & 0xff);
16015 + buf[5] = (unsigned char) ((ts.tv_nsec >> 8) & 0xff);
16016 + buf[6] = (unsigned char) ((ts.tv_nsec >> 16) & 0xff);
16017 + buf[7] = (unsigned char) ((ts.tv_nsec >> 24) & 0xff);
16019 + gettimeofday(&tv,NULL);
16020 + buf[0] = (unsigned char) (tv.tv_sec & 0xff);
16021 + buf[1] = (unsigned char) ((tv.tv_sec >> 8) & 0xff);
16022 + buf[2] = (unsigned char) ((tv.tv_sec >> 16) & 0xff);
16023 + buf[3] = (unsigned char) ((tv.tv_sec >> 24) & 0xff);
16024 + buf[4] = (unsigned char) (tv.tv_usec & 0xff);
16025 + buf[5] = (unsigned char) ((tv.tv_usec >> 8) & 0xff);
16026 + buf[6] = (unsigned char) ((tv.tv_usec >> 16) & 0xff);
16027 + buf[7] = (unsigned char) ((tv.tv_usec >> 24) & 0xff);
16029 + buf[8] = (unsigned char) (*pctr & 0xff);
16030 + buf[9] = (unsigned char) ((*pctr >> 8) & 0xff);
16031 + buf[10] = (unsigned char) ((*pctr >> 16) & 0xff);
16032 + buf[11] = (unsigned char) ((*pctr >> 24) & 0xff);
16037 +#ifndef GETPID_IS_MEANINGLESS
16038 + pid=(unsigned long)getpid();
16039 + buf[12] = (unsigned char) (pid & 0xff);
16040 + buf[13] = (unsigned char) ((pid >> 8) & 0xff);
16041 + buf[14] = (unsigned char) ((pid >> 16) & 0xff);
16042 + buf[15] = (unsigned char) ((pid >> 24) & 0xff);
16046 +static int fips_rand(FIPS_PRNG_CTX *ctx,
16047 + unsigned char *out, unsigned int outlen)
16049 + unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
16050 + unsigned char tmp[AES_BLOCK_LENGTH];
16054 + RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR);
16059 + RANDerr(RAND_F_FIPS_RAND,RAND_R_NO_KEY_SET);
16062 + if (!ctx->seeded)
16064 + RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_NOT_SEEDED);
16069 + if (!ctx->test_mode)
16070 + FIPS_get_timevec(ctx->DT, &ctx->counter);
16071 + AES_encrypt(ctx->DT, I, &ctx->ks);
16072 + for (i = 0; i < AES_BLOCK_LENGTH; i++)
16073 + tmp[i] = I[i] ^ ctx->V[i];
16074 + AES_encrypt(tmp, R, &ctx->ks);
16075 + for (i = 0; i < AES_BLOCK_LENGTH; i++)
16076 + tmp[i] = R[i] ^ I[i];
16077 + AES_encrypt(tmp, ctx->V, &ctx->ks);
16078 + /* Continuous PRNG test */
16081 + if (fips_prng_fail)
16082 + memcpy(ctx->last, R, AES_BLOCK_LENGTH);
16083 + if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH))
16085 + RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
16087 + fips_set_selftest_fail();
16091 + memcpy(ctx->last, R, AES_BLOCK_LENGTH);
16092 + if (!ctx->second)
16095 + if (!ctx->test_mode)
16099 + if (outlen <= AES_BLOCK_LENGTH)
16101 + memcpy(out, R, outlen);
16105 + memcpy(out, R, AES_BLOCK_LENGTH);
16106 + out += AES_BLOCK_LENGTH;
16107 + outlen -= AES_BLOCK_LENGTH;
16113 +int FIPS_x931_set_key(const unsigned char *key, int keylen)
16116 + CRYPTO_w_lock(CRYPTO_LOCK_RAND);
16117 + ret = fips_set_prng_key(&sctx, key, keylen);
16118 + CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
16122 +int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen)
16124 + return FIPS_x931_set_key(key, keylen);
16127 +int FIPS_x931_seed(const void *seed, int seedlen)
16130 + CRYPTO_w_lock(CRYPTO_LOCK_RAND);
16131 + ret = fips_set_prng_seed(&sctx, seed, seedlen);
16132 + CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
16137 +int FIPS_x931_bytes(unsigned char *out, int count)
16140 + CRYPTO_w_lock(CRYPTO_LOCK_RAND);
16141 + ret = fips_rand(&sctx, out, count);
16142 + CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
16146 +int FIPS_x931_status(void)
16149 + CRYPTO_r_lock(CRYPTO_LOCK_RAND);
16150 + ret = sctx.seeded;
16151 + CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
16155 +void FIPS_x931_reset(void)
16157 + CRYPTO_w_lock(CRYPTO_LOCK_RAND);
16158 + fips_rand_prng_reset(&sctx);
16159 + CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
16162 +static int fips_do_rand_seed(const void *seed, int seedlen)
16164 + FIPS_x931_seed(seed, seedlen);
16168 +static int fips_do_rand_add(const void *seed, int seedlen,
16169 + double add_entropy)
16171 + FIPS_x931_seed(seed, seedlen);
16175 +static const RAND_METHOD rand_x931_meth=
16177 + fips_do_rand_seed,
16180 + fips_do_rand_add,
16185 +const RAND_METHOD *FIPS_x931_method(void)
16187 + return &rand_x931_meth;
16191 diff -up openssl-1.0.1e/crypto/fips/fips_rand.h.fips openssl-1.0.1e/crypto/fips/fips_rand.h
16192 --- openssl-1.0.1e/crypto/fips/fips_rand.h.fips 2013-02-19 12:47:33.740118893 +0100
16193 +++ openssl-1.0.1e/crypto/fips/fips_rand.h 2013-02-19 12:47:33.741118914 +0100
16195 +/* ====================================================================
16196 + * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
16198 + * Redistribution and use in source and binary forms, with or without
16199 + * modification, are permitted provided that the following conditions
16202 + * 1. Redistributions of source code must retain the above copyright
16203 + * notice, this list of conditions and the following disclaimer.
16205 + * 2. Redistributions in binary form must reproduce the above copyright
16206 + * notice, this list of conditions and the following disclaimer in
16207 + * the documentation and/or other materials provided with the
16210 + * 3. All advertising materials mentioning features or use of this
16211 + * software must display the following acknowledgment:
16212 + * "This product includes software developed by the OpenSSL Project
16213 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
16215 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
16216 + * endorse or promote products derived from this software without
16217 + * prior written permission. For written permission, please contact
16218 + * openssl-core@openssl.org.
16220 + * 5. Products derived from this software may not be called "OpenSSL"
16221 + * nor may "OpenSSL" appear in their names without prior written
16222 + * permission of the OpenSSL Project.
16224 + * 6. Redistributions of any form whatsoever must retain the following
16225 + * acknowledgment:
16226 + * "This product includes software developed by the OpenSSL Project
16227 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
16229 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
16230 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16231 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16232 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
16233 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
16234 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
16235 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
16236 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
16237 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
16238 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
16239 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
16240 + * OF THE POSSIBILITY OF SUCH DAMAGE.
16244 +#ifndef HEADER_FIPS_RAND_H
16245 +#define HEADER_FIPS_RAND_H
16247 +#include <openssl/aes.h>
16248 +#include <openssl/evp.h>
16249 +#include <openssl/hmac.h>
16250 +#include <openssl/rand.h>
16252 +#ifdef OPENSSL_FIPS
16254 +#ifdef __cplusplus
16258 +int FIPS_x931_set_key(const unsigned char *key, int keylen);
16259 +int FIPS_x931_seed(const void *buf, int num);
16260 +int FIPS_x931_bytes(unsigned char *out, int outlen);
16262 +int FIPS_x931_test_mode(void);
16263 +void FIPS_x931_reset(void);
16264 +int FIPS_x931_set_dt(unsigned char *dt);
16266 +int FIPS_x931_status(void);
16268 +const RAND_METHOD *FIPS_x931_method(void);
16270 +typedef struct drbg_ctx_st DRBG_CTX;
16271 +/* DRBG external flags */
16272 +/* Flag for CTR mode only: use derivation function ctr_df */
16273 +#define DRBG_FLAG_CTR_USE_DF 0x1
16274 +/* PRNG is in test state */
16275 +#define DRBG_FLAG_TEST 0x2
16277 +DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags);
16278 +int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags);
16279 +int FIPS_drbg_instantiate(DRBG_CTX *dctx,
16280 + const unsigned char *pers, size_t perslen);
16281 +int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin, size_t adinlen);
16282 +int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
16283 + int prediction_resistance,
16284 + const unsigned char *adin, size_t adinlen);
16286 +int FIPS_drbg_uninstantiate(DRBG_CTX *dctx);
16287 +void FIPS_drbg_free(DRBG_CTX *dctx);
16289 +int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
16290 + size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
16291 + int entropy, size_t min_len, size_t max_len),
16292 + void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
16293 + size_t entropy_blocklen,
16294 + size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
16295 + int entropy, size_t min_len, size_t max_len),
16296 + void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen));
16298 +int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
16299 + size_t (*get_adin)(DRBG_CTX *ctx, unsigned char **pout),
16300 + void (*cleanup_adin)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
16301 + int (*rand_seed_cb)(DRBG_CTX *ctx, const void *buf, int num),
16302 + int (*rand_add_cb)(DRBG_CTX *ctx,
16303 + const void *buf, int num, double entropy));
16305 +void *FIPS_drbg_get_app_data(DRBG_CTX *ctx);
16306 +void FIPS_drbg_set_app_data(DRBG_CTX *ctx, void *app_data);
16307 +size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx);
16308 +int FIPS_drbg_get_strength(DRBG_CTX *dctx);
16309 +void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval);
16310 +void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval);
16312 +int FIPS_drbg_health_check(DRBG_CTX *dctx);
16314 +DRBG_CTX *FIPS_get_default_drbg(void);
16315 +const RAND_METHOD *FIPS_drbg_method(void);
16318 +int FIPS_rand_set_method(const RAND_METHOD *meth);
16319 +const RAND_METHOD *FIPS_rand_get_method(void);
16321 +void FIPS_rand_set_bits(int nbits);
16323 +int FIPS_rand_strength(void);
16325 +/* 1.0.0 compat functions */
16326 +int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen);
16327 +int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num);
16328 +int FIPS_rand_bytes(unsigned char *out, FIPS_RAND_SIZE_T outlen);
16329 +int FIPS_rand_test_mode(void);
16330 +void FIPS_rand_reset(void);
16331 +int FIPS_rand_set_dt(unsigned char *dt);
16332 +int FIPS_rand_status(void);
16333 +const RAND_METHOD *FIPS_rand_method(void);
16335 +#ifdef __cplusplus
16340 diff -up openssl-1.0.1e/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.1e/crypto/fips/fips_rand_lcl.h
16341 --- openssl-1.0.1e/crypto/fips/fips_rand_lcl.h.fips 2013-02-19 12:47:33.741118914 +0100
16342 +++ openssl-1.0.1e/crypto/fips/fips_rand_lcl.h 2013-02-19 12:47:33.741118914 +0100
16344 +/* fips/rand/fips_rand_lcl.h */
16345 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
16348 +/* ====================================================================
16349 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
16351 + * Redistribution and use in source and binary forms, with or without
16352 + * modification, are permitted provided that the following conditions
16355 + * 1. Redistributions of source code must retain the above copyright
16356 + * notice, this list of conditions and the following disclaimer.
16358 + * 2. Redistributions in binary form must reproduce the above copyright
16359 + * notice, this list of conditions and the following disclaimer in
16360 + * the documentation and/or other materials provided with the
16363 + * 3. All advertising materials mentioning features or use of this
16364 + * software must display the following acknowledgment:
16365 + * "This product includes software developed by the OpenSSL Project
16366 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
16368 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
16369 + * endorse or promote products derived from this software without
16370 + * prior written permission. For written permission, please contact
16371 + * licensing@OpenSSL.org.
16373 + * 5. Products derived from this software may not be called "OpenSSL"
16374 + * nor may "OpenSSL" appear in their names without prior written
16375 + * permission of the OpenSSL Project.
16377 + * 6. Redistributions of any form whatsoever must retain the following
16378 + * acknowledgment:
16379 + * "This product includes software developed by the OpenSSL Project
16380 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
16382 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
16383 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16384 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16385 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
16386 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
16387 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
16388 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
16389 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
16390 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
16391 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
16392 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
16393 + * OF THE POSSIBILITY OF SUCH DAMAGE.
16394 + * ====================================================================
16397 +typedef struct drbg_hash_ctx_st DRBG_HASH_CTX;
16398 +typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX;
16399 +typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX;
16401 +/* 888 bits from 10.1 table 2 */
16402 +#define HASH_PRNG_MAX_SEEDLEN 111
16404 +struct drbg_hash_ctx_st
16406 + const EVP_MD *md;
16408 + unsigned char V[HASH_PRNG_MAX_SEEDLEN];
16409 + unsigned char C[HASH_PRNG_MAX_SEEDLEN];
16410 + /* Temporary value storage: should always exceed max digest length */
16411 + unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN];
16414 +struct drbg_hmac_ctx_st
16416 + const EVP_MD *md;
16418 + unsigned char K[EVP_MAX_MD_SIZE];
16419 + unsigned char V[EVP_MAX_MD_SIZE];
16422 +struct drbg_ctr_ctx_st
16426 + unsigned char K[32];
16427 + unsigned char V[16];
16428 + /* Temp variables used by derivation function */
16431 + /* Temporary block storage used by ctr_df */
16432 + unsigned char bltmp[16];
16433 + size_t bltmp_pos;
16434 + unsigned char KX[48];
16437 +/* DRBG internal flags */
16439 +/* Functions shouldn't call err library */
16440 +#define DRBG_FLAG_NOERR 0x1
16441 +/* Custom reseed checking */
16442 +#define DRBG_CUSTOM_RESEED 0x2
16444 +/* DRBG status values */
16445 +/* not initialised */
16446 +#define DRBG_STATUS_UNINITIALISED 0
16447 +/* ok and ready to generate random bits */
16448 +#define DRBG_STATUS_READY 1
16449 +/* reseed required */
16450 +#define DRBG_STATUS_RESEED 2
16451 +/* fatal error condition */
16452 +#define DRBG_STATUS_ERROR 3
16454 +/* A default maximum length: larger than any reasonable value used in pratice */
16456 +#define DRBG_MAX_LENGTH 0x7ffffff0
16457 +/* Maximum DRBG block length: all md sizes are bigger than cipher blocks sizes
16458 + * so use max digest length.
16460 +#define DRBG_MAX_BLOCK EVP_MAX_MD_SIZE
16462 +#define DRBG_HEALTH_INTERVAL (1 << 24)
16464 +/* DRBG context structure */
16466 +struct drbg_ctx_st
16468 + /* First types common to all implementations */
16469 + /* DRBG type: a NID for the underlying algorithm */
16471 + /* Various external flags */
16472 + unsigned int xflags;
16473 + /* Various internal use only flags */
16474 + unsigned int iflags;
16475 + /* Used for periodic health checks */
16476 + int health_check_cnt, health_check_interval;
16478 + /* The following parameters are setup by mechanism drbg_init() call */
16480 + size_t blocklength;
16481 + size_t max_request;
16483 + size_t min_entropy, max_entropy;
16484 + size_t min_nonce, max_nonce;
16485 + size_t max_pers, max_adin;
16486 + unsigned int reseed_counter;
16487 + unsigned int reseed_interval;
16490 + /* Application data: typically used by test get_entropy */
16492 + /* Implementation specific structures */
16495 + DRBG_HASH_CTX hash;
16496 + DRBG_HMAC_CTX hmac;
16497 + DRBG_CTR_CTX ctr;
16499 + /* Initialiase PRNG and setup callbacks below */
16500 + int (*init)(DRBG_CTX *ctx, int nid, int security, unsigned int flags);
16501 + /* Intantiate PRNG */
16502 + int (*instantiate)(DRBG_CTX *ctx,
16503 + const unsigned char *ent, size_t entlen,
16504 + const unsigned char *nonce, size_t noncelen,
16505 + const unsigned char *pers, size_t perslen);
16507 + int (*reseed)(DRBG_CTX *ctx,
16508 + const unsigned char *ent, size_t entlen,
16509 + const unsigned char *adin, size_t adinlen);
16510 + /* generat output */
16511 + int (*generate)(DRBG_CTX *ctx,
16512 + unsigned char *out, size_t outlen,
16513 + const unsigned char *adin, size_t adinlen);
16514 + /* uninstantiate */
16515 + int (*uninstantiate)(DRBG_CTX *ctx);
16517 + /* Entropy source block length */
16518 + size_t entropy_blocklen;
16520 + /* entropy gathering function */
16521 + size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
16522 + int entropy, size_t min_len, size_t max_len);
16523 + /* Indicates we have finished with entropy buffer */
16524 + void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen);
16526 + /* nonce gathering function */
16527 + size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
16528 + int entropy, size_t min_len, size_t max_len);
16529 + /* Indicates we have finished with nonce buffer */
16530 + void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen);
16532 + /* Continuous random number test temporary area */
16534 + unsigned char lb[EVP_MAX_MD_SIZE];
16535 + /* set if lb is valid */
16538 + /* Callbacks used when called through RAND interface */
16539 + /* Get any additional input for generate */
16540 + size_t (*get_adin)(DRBG_CTX *ctx, unsigned char **pout);
16541 + void (*cleanup_adin)(DRBG_CTX *ctx, unsigned char *out, size_t olen);
16542 + /* Callback for RAND_seed(), RAND_add() */
16543 + int (*rand_seed_cb)(DRBG_CTX *ctx, const void *buf, int num);
16544 + int (*rand_add_cb)(DRBG_CTX *ctx,
16545 + const void *buf, int num, double entropy);
16549 +int fips_drbg_ctr_init(DRBG_CTX *dctx);
16550 +int fips_drbg_hash_init(DRBG_CTX *dctx);
16551 +int fips_drbg_hmac_init(DRBG_CTX *dctx);
16552 +int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags);
16553 +int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out);
16555 +const struct env_md_st *FIPS_get_digestbynid(int nid);
16557 +const struct evp_cipher_st *FIPS_get_cipherbynid(int nid);
16559 +#define FIPS_digestinit EVP_DigestInit
16560 +#define FIPS_digestupdate EVP_DigestUpdate
16561 +#define FIPS_digestfinal EVP_DigestFinal
16562 +#define M_EVP_MD_size EVP_MD_size
16563 diff -up openssl-1.0.1e/crypto/fips/fips_rand_lib.c.fips openssl-1.0.1e/crypto/fips/fips_rand_lib.c
16564 --- openssl-1.0.1e/crypto/fips/fips_rand_lib.c.fips 2013-02-19 12:47:33.741118914 +0100
16565 +++ openssl-1.0.1e/crypto/fips/fips_rand_lib.c 2013-02-19 12:47:33.741118914 +0100
16567 +/* ====================================================================
16568 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
16570 + * Redistribution and use in source and binary forms, with or without
16571 + * modification, are permitted provided that the following conditions
16574 + * 1. Redistributions of source code must retain the above copyright
16575 + * notice, this list of conditions and the following disclaimer.
16577 + * 2. Redistributions in binary form must reproduce the above copyright
16578 + * notice, this list of conditions and the following disclaimer in
16579 + * the documentation and/or other materials provided with the
16582 + * 3. All advertising materials mentioning features or use of this
16583 + * software must display the following acknowledgment:
16584 + * "This product includes software developed by the OpenSSL Project
16585 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
16587 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
16588 + * endorse or promote products derived from this software without
16589 + * prior written permission. For written permission, please contact
16590 + * openssl-core@openssl.org.
16592 + * 5. Products derived from this software may not be called "OpenSSL"
16593 + * nor may "OpenSSL" appear in their names without prior written
16594 + * permission of the OpenSSL Project.
16596 + * 6. Redistributions of any form whatsoever must retain the following
16597 + * acknowledgment:
16598 + * "This product includes software developed by the OpenSSL Project
16599 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
16601 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
16602 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16603 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16604 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
16605 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
16606 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
16607 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
16608 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
16609 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
16610 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
16611 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
16612 + * OF THE POSSIBILITY OF SUCH DAMAGE.
16616 +#include <openssl/crypto.h>
16617 +#include <openssl/rand.h>
16618 +#include <openssl/err.h>
16619 +#include <openssl/fips.h>
16620 +#include <openssl/fips_rand.h>
16623 +/* FIPS API for PRNG use. Similar to RAND functionality but without
16624 + * ENGINE and additional checking for non-FIPS rand methods.
16627 +static const RAND_METHOD *fips_rand_meth = NULL;
16628 +static int fips_approved_rand_meth = 0;
16629 +static int fips_rand_bits = 0;
16631 +/* Allows application to override number of bits and uses non-FIPS methods */
16632 +void FIPS_rand_set_bits(int nbits)
16634 + fips_rand_bits = nbits;
16637 +int FIPS_rand_set_method(const RAND_METHOD *meth)
16639 + if (!fips_rand_bits)
16641 + if (meth == FIPS_drbg_method())
16642 + fips_approved_rand_meth = 1;
16643 + else if (meth == FIPS_x931_method())
16644 + fips_approved_rand_meth = 2;
16647 + fips_approved_rand_meth = 0;
16648 + if (FIPS_module_mode())
16650 + FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD,
16651 + FIPS_R_NON_FIPS_METHOD);
16656 + fips_rand_meth = meth;
16660 +const RAND_METHOD *FIPS_rand_get_method(void)
16662 + return fips_rand_meth;
16665 +const RAND_METHOD *FIPS_rand_method(void)
16667 + return FIPS_rand_get_method();
16670 +void FIPS_rand_reset(void)
16672 + if (fips_rand_meth && fips_rand_meth->cleanup)
16673 + fips_rand_meth->cleanup();
16676 +int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num)
16678 + if (!fips_approved_rand_meth && FIPS_module_mode())
16680 + FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
16683 + if (fips_rand_meth && fips_rand_meth->seed)
16684 + fips_rand_meth->seed(buf,num);
16688 +void FIPS_rand_add(const void *buf, int num, double entropy)
16690 + if (!fips_approved_rand_meth && FIPS_module_mode())
16692 + FIPSerr(FIPS_F_FIPS_RAND_ADD, FIPS_R_NON_FIPS_METHOD);
16695 + if (fips_rand_meth && fips_rand_meth->add)
16696 + fips_rand_meth->add(buf,num,entropy);
16699 +int FIPS_rand_bytes(unsigned char *buf, FIPS_RAND_SIZE_T num)
16701 + if (!fips_approved_rand_meth && FIPS_module_mode())
16703 + FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
16706 + if (fips_rand_meth && fips_rand_meth->bytes)
16707 + return fips_rand_meth->bytes(buf,num);
16711 +int FIPS_rand_pseudo_bytes(unsigned char *buf, int num)
16713 + if (!fips_approved_rand_meth && FIPS_module_mode())
16715 + FIPSerr(FIPS_F_FIPS_RAND_PSEUDO_BYTES, FIPS_R_NON_FIPS_METHOD);
16718 + if (fips_rand_meth && fips_rand_meth->pseudorand)
16719 + return fips_rand_meth->pseudorand(buf,num);
16723 +int FIPS_rand_status(void)
16725 + if (!fips_approved_rand_meth && FIPS_module_mode())
16727 + FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
16730 + if (fips_rand_meth && fips_rand_meth->status)
16731 + return fips_rand_meth->status();
16735 +/* Return instantiated strength of PRNG. For DRBG this is an internal
16736 + * parameter. For X9.31 PRNG it is 80 bits (from SP800-131). Any other
16737 + * type of PRNG is not approved and returns 0 in FIPS mode and maximum
16738 + * 256 outside FIPS mode.
16741 +int FIPS_rand_strength(void)
16743 + if (fips_rand_bits)
16744 + return fips_rand_bits;
16745 + if (fips_approved_rand_meth == 1)
16746 + return FIPS_drbg_get_strength(FIPS_get_default_drbg());
16747 + else if (fips_approved_rand_meth == 2)
16749 + else if (fips_approved_rand_meth == 0)
16751 + if (FIPS_module_mode())
16758 diff -up openssl-1.0.1e/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_rand_selftest.c
16759 --- openssl-1.0.1e/crypto/fips/fips_rand_selftest.c.fips 2013-02-19 12:47:33.741118914 +0100
16760 +++ openssl-1.0.1e/crypto/fips/fips_rand_selftest.c 2013-02-19 12:47:33.741118914 +0100
16762 +/* ====================================================================
16763 + * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
16765 + * Redistribution and use in source and binary forms, with or without
16766 + * modification, are permitted provided that the following conditions
16769 + * 1. Redistributions of source code must retain the above copyright
16770 + * notice, this list of conditions and the following disclaimer.
16772 + * 2. Redistributions in binary form must reproduce the above copyright
16773 + * notice, this list of conditions and the following disclaimer in
16774 + * the documentation and/or other materials provided with the
16777 + * 3. All advertising materials mentioning features or use of this
16778 + * software must display the following acknowledgment:
16779 + * "This product includes software developed by the OpenSSL Project
16780 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
16782 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
16783 + * endorse or promote products derived from this software without
16784 + * prior written permission. For written permission, please contact
16785 + * openssl-core@openssl.org.
16787 + * 5. Products derived from this software may not be called "OpenSSL"
16788 + * nor may "OpenSSL" appear in their names without prior written
16789 + * permission of the OpenSSL Project.
16791 + * 6. Redistributions of any form whatsoever must retain the following
16792 + * acknowledgment:
16793 + * "This product includes software developed by the OpenSSL Project
16794 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
16796 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
16797 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16798 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16799 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
16800 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
16801 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
16802 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
16803 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
16804 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
16805 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
16806 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
16807 + * OF THE POSSIBILITY OF SUCH DAMAGE.
16811 +#include <string.h>
16812 +#include <openssl/err.h>
16813 +#include <openssl/fips.h>
16814 +#include <openssl/rand.h>
16815 +#include <openssl/fips_rand.h>
16816 +#include "fips_locl.h"
16818 +#ifdef OPENSSL_FIPS
16824 + unsigned char DT[16];
16825 + unsigned char V[16];
16826 + unsigned char R[16];
16829 +/* The following test vectors are taken directly from the RGNVS spec */
16831 +static unsigned char aes_128_key[16] =
16832 + {0xf3,0xb1,0x66,0x6d,0x13,0x60,0x72,0x42,
16833 + 0xed,0x06,0x1c,0xab,0xb8,0xd4,0x62,0x02};
16835 +static AES_PRNG_TV aes_128_tv =
16838 + {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
16839 + 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xf9},
16841 + {0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
16842 + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
16844 + {0x59,0x53,0x1e,0xd1,0x3b,0xb0,0xc0,0x55,
16845 + 0x84,0x79,0x66,0x85,0xc1,0x2f,0x76,0x41}
16848 +static unsigned char aes_192_key[24] =
16849 + {0x15,0xd8,0x78,0x0d,0x62,0xd3,0x25,0x6e,
16850 + 0x44,0x64,0x10,0x13,0x60,0x2b,0xa9,0xbc,
16851 + 0x4a,0xfb,0xca,0xeb,0x4c,0x8b,0x99,0x3b};
16853 +static AES_PRNG_TV aes_192_tv =
16856 + {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
16857 + 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4b},
16859 + {0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
16860 + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
16862 + {0x17,0x07,0xd5,0x28,0x19,0x79,0x1e,0xef,
16863 + 0xa5,0x0c,0xbf,0x25,0xe5,0x56,0xb4,0x93}
16866 +static unsigned char aes_256_key[32] =
16867 + {0x6d,0x14,0x06,0x6c,0xb6,0xd8,0x21,0x2d,
16868 + 0x82,0x8d,0xfa,0xf2,0x7a,0x03,0xb7,0x9f,
16869 + 0x0c,0xc7,0x3e,0xcd,0x76,0xeb,0xee,0xb5,
16870 + 0x21,0x05,0x8c,0x4f,0x31,0x7a,0x80,0xbb};
16872 +static AES_PRNG_TV aes_256_tv =
16875 + {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
16876 + 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x88},
16878 + {0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
16879 + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
16881 + {0x35,0xc7,0xef,0xa7,0x78,0x4d,0x29,0xbc,
16882 + 0x82,0x79,0x99,0xfb,0xd0,0xb3,0x3b,0x72}
16885 +void FIPS_corrupt_rng()
16887 + aes_192_tv.V[0]++;
16890 +#define fips_x931_test(key, tv) \
16891 + do_x931_test(key, sizeof key, &tv)
16893 +static int do_x931_test(unsigned char *key, int keylen,
16896 + unsigned char R[16], V[16];
16898 + memcpy(V, tv->V, sizeof(V));
16899 + if (!FIPS_x931_set_key(key, keylen))
16901 + if (!fips_post_started(FIPS_TEST_X931, keylen, NULL))
16903 + if (!fips_post_corrupt(FIPS_TEST_X931, keylen, NULL))
16905 + FIPS_x931_seed(V, 16);
16906 + FIPS_x931_set_dt(tv->DT);
16907 + FIPS_x931_bytes(R, 16);
16908 + if (memcmp(R, tv->R, 16))
16910 + fips_post_failed(FIPS_TEST_X931, keylen, NULL);
16913 + else if (!fips_post_success(FIPS_TEST_X931, keylen, NULL))
16918 +int FIPS_selftest_x931()
16921 + FIPS_x931_reset();
16922 + if (!FIPS_x931_test_mode())
16924 + FIPSerr(FIPS_F_FIPS_SELFTEST_X931,FIPS_R_SELFTEST_FAILED);
16927 + if (!fips_x931_test(aes_128_key,aes_128_tv))
16929 + if (!fips_x931_test(aes_192_key, aes_192_tv))
16931 + if (!fips_x931_test(aes_256_key, aes_256_tv))
16933 + FIPS_x931_reset();
16935 + FIPSerr(FIPS_F_FIPS_SELFTEST_X931,FIPS_R_SELFTEST_FAILED);
16939 +int FIPS_selftest_rng(void)
16941 + return FIPS_selftest_x931();
16945 diff -up openssl-1.0.1e/crypto/fips/fips_randtest.c.fips openssl-1.0.1e/crypto/fips/fips_randtest.c
16946 --- openssl-1.0.1e/crypto/fips/fips_randtest.c.fips 2013-02-19 12:47:33.741118914 +0100
16947 +++ openssl-1.0.1e/crypto/fips/fips_randtest.c 2013-02-19 12:47:33.741118914 +0100
16949 +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
16950 + * All rights reserved.
16952 + * This package is an SSL implementation written
16953 + * by Eric Young (eay@cryptsoft.com).
16954 + * The implementation was written so as to conform with Netscapes SSL.
16956 + * This library is free for commercial and non-commercial use as long as
16957 + * the following conditions are aheared to. The following conditions
16958 + * apply to all code found in this distribution, be it the RC4, RSA,
16959 + * lhash, DES, etc., code; not just the SSL code. The SSL documentation
16960 + * included with this distribution is covered by the same copyright terms
16961 + * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16963 + * Copyright remains Eric Young's, and as such any Copyright notices in
16964 + * the code are not to be removed.
16965 + * If this package is used in a product, Eric Young should be given attribution
16966 + * as the author of the parts of the library used.
16967 + * This can be in the form of a textual message at program startup or
16968 + * in documentation (online or textual) provided with the package.
16970 + * Redistribution and use in source and binary forms, with or without
16971 + * modification, are permitted provided that the following conditions
16973 + * 1. Redistributions of source code must retain the copyright
16974 + * notice, this list of conditions and the following disclaimer.
16975 + * 2. Redistributions in binary form must reproduce the above copyright
16976 + * notice, this list of conditions and the following disclaimer in the
16977 + * documentation and/or other materials provided with the distribution.
16978 + * 3. All advertising materials mentioning features or use of this software
16979 + * must display the following acknowledgement:
16980 + * "This product includes cryptographic software written by
16981 + * Eric Young (eay@cryptsoft.com)"
16982 + * The word 'cryptographic' can be left out if the rouines from the library
16983 + * being used are not cryptographic related :-).
16984 + * 4. If you include any Windows specific code (or a derivative thereof) from
16985 + * the apps directory (application code) you must include an acknowledgement:
16986 + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
16988 + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
16989 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16990 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16991 + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
16992 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
16993 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
16994 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
16995 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
16996 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
16997 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
17000 + * The licence and distribution terms for any publically available version or
17001 + * derivative of this code cannot be changed. i.e. this code cannot simply be
17002 + * copied and put under another distribution licence
17003 + * [including the GNU Public Licence.]
17005 +/* ====================================================================
17006 + * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
17008 + * Redistribution and use in source and binary forms, with or without
17009 + * modification, are permitted provided that the following conditions
17012 + * 1. Redistributions of source code must retain the above copyright
17013 + * notice, this list of conditions and the following disclaimer.
17015 + * 2. Redistributions in binary form must reproduce the above copyright
17016 + * notice, this list of conditions and the following disclaimer in
17017 + * the documentation and/or other materials provided with the
17020 + * 3. All advertising materials mentioning features or use of this
17021 + * software must display the following acknowledgment:
17022 + * "This product includes software developed by the OpenSSL Project
17023 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
17025 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
17026 + * endorse or promote products derived from this software without
17027 + * prior written permission. For written permission, please contact
17028 + * openssl-core@openssl.org.
17030 + * 5. Products derived from this software may not be called "OpenSSL"
17031 + * nor may "OpenSSL" appear in their names without prior written
17032 + * permission of the OpenSSL Project.
17034 + * 6. Redistributions of any form whatsoever must retain the following
17035 + * acknowledgment:
17036 + * "This product includes software developed by the OpenSSL Project
17037 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
17039 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
17040 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17041 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
17042 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
17043 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
17044 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
17045 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
17046 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
17047 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
17048 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
17049 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
17050 + * OF THE POSSIBILITY OF SUCH DAMAGE.
17054 +#include <stdio.h>
17055 +#include <stdlib.h>
17056 +#include <string.h>
17057 +#include <ctype.h>
17058 +#include <openssl/rand.h>
17059 +#include <openssl/fips_rand.h>
17060 +#include <openssl/err.h>
17061 +#include <openssl/bn.h>
17065 +#ifndef OPENSSL_FIPS
17066 +int main(int argc, char *argv[])
17068 + printf("No FIPS RAND support\n");
17074 +#include "fips_utl.h"
17075 +#include <openssl/fips.h>
17079 + unsigned char DT[16];
17080 + unsigned char V[16];
17081 + unsigned char R[16];
17084 +static const unsigned char aes_128_mct_key[16] =
17085 + {0x9f,0x5b,0x51,0x20,0x0b,0xf3,0x34,0xb5,
17086 + 0xd8,0x2b,0xe8,0xc3,0x72,0x55,0xc8,0x48};
17088 +static const AES_PRNG_MCT aes_128_mct_tv = {
17090 + {0x63,0x76,0xbb,0xe5,0x29,0x02,0xba,0x3b,
17091 + 0x67,0xc9,0x25,0xfa,0x70,0x1f,0x11,0xac},
17093 + {0x57,0x2c,0x8e,0x76,0x87,0x26,0x47,0x97,
17094 + 0x7e,0x74,0xfb,0xdd,0xc4,0x95,0x01,0xd1},
17096 + {0x48,0xe9,0xbd,0x0d,0x06,0xee,0x18,0xfb,
17097 + 0xe4,0x57,0x90,0xd5,0xc3,0xfc,0x9b,0x73}
17100 +static const unsigned char aes_192_mct_key[24] =
17101 + {0xb7,0x6c,0x34,0xd1,0x09,0x67,0xab,0x73,
17102 + 0x4d,0x5a,0xd5,0x34,0x98,0x16,0x0b,0x91,
17103 + 0xbc,0x35,0x51,0x16,0x6b,0xae,0x93,0x8a};
17105 +static const AES_PRNG_MCT aes_192_mct_tv = {
17107 + {0x84,0xce,0x22,0x7d,0x91,0x5a,0xa3,0xc9,
17108 + 0x84,0x3c,0x0a,0xb3,0xa9,0x63,0x15,0x52},
17110 + {0xb6,0xaf,0xe6,0x8f,0x99,0x9e,0x90,0x64,
17111 + 0xdd,0xc7,0x7a,0xc1,0xbb,0x90,0x3a,0x6d},
17113 + {0xfc,0x85,0x60,0x9a,0x29,0x6f,0xef,0x21,
17114 + 0xdd,0x86,0x20,0x32,0x8a,0x29,0x6f,0x47}
17117 +static const unsigned char aes_256_mct_key[32] =
17118 + {0x9b,0x05,0xc8,0x68,0xff,0x47,0xf8,0x3a,
17119 + 0xa6,0x3a,0xa8,0xcb,0x4e,0x71,0xb2,0xe0,
17120 + 0xb8,0x7e,0xf1,0x37,0xb6,0xb4,0xf6,0x6d,
17121 + 0x86,0x32,0xfc,0x1f,0x5e,0x1d,0x1e,0x50};
17123 +static const AES_PRNG_MCT aes_256_mct_tv = {
17125 + {0x31,0x6e,0x35,0x9a,0xb1,0x44,0xf0,0xee,
17126 + 0x62,0x6d,0x04,0x46,0xe0,0xa3,0x92,0x4c},
17128 + {0x4f,0xcd,0xc1,0x87,0x82,0x1f,0x4d,0xa1,
17129 + 0x3e,0x0e,0x56,0x44,0x59,0xe8,0x83,0xca},
17131 + {0xc8,0x87,0xc2,0x61,0x5b,0xd0,0xb9,0xe1,
17132 + 0xe7,0xf3,0x8b,0xd7,0x5b,0xd5,0xf1,0x8d}
17135 +static void dump(const unsigned char *b,int n)
17139 + printf(" %02x",*b++);
17143 +static void compare(const unsigned char *result,const unsigned char *expected,
17148 + for(i=0 ; i < n ; ++i)
17149 + if(result[i] != expected[i])
17151 + puts("Random test failed, got:");
17153 + puts("\n expected:");
17154 + dump(expected,n);
17161 +static void run_test(const unsigned char *key, int keylen,
17162 + const AES_PRNG_MCT *tv)
17164 + unsigned char buf[16], dt[16];
17166 + FIPS_x931_reset();
17167 + FIPS_x931_test_mode();
17168 + FIPS_x931_set_key(key, keylen);
17169 + FIPS_x931_seed(tv->V, 16);
17170 + memcpy(dt, tv->DT, 16);
17171 + for (i = 0; i < 10000; i++)
17173 + FIPS_x931_set_dt(dt);
17174 + FIPS_x931_bytes(buf, 16);
17175 + /* Increment DT */
17176 + for (j = 15; j >= 0; j--)
17184 + compare(buf,tv->R, 16);
17189 + run_test(aes_128_mct_key, 16, &aes_128_mct_tv);
17190 + printf("FIPS PRNG test 1 done\n");
17191 + run_test(aes_192_mct_key, 24, &aes_192_mct_tv);
17192 + printf("FIPS PRNG test 2 done\n");
17193 + run_test(aes_256_mct_key, 32, &aes_256_mct_tv);
17194 + printf("FIPS PRNG test 3 done\n");
17199 diff -up openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c
17200 --- openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c.fips 2013-02-19 12:47:33.742118935 +0100
17201 +++ openssl-1.0.1e/crypto/fips/fips_rsa_selftest.c 2013-02-19 12:47:33.742118935 +0100
17203 +/* ====================================================================
17204 + * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved.
17206 + * Redistribution and use in source and binary forms, with or without
17207 + * modification, are permitted provided that the following conditions
17210 + * 1. Redistributions of source code must retain the above copyright
17211 + * notice, this list of conditions and the following disclaimer.
17213 + * 2. Redistributions in binary form must reproduce the above copyright
17214 + * notice, this list of conditions and the following disclaimer in
17215 + * the documentation and/or other materials provided with the
17218 + * 3. All advertising materials mentioning features or use of this
17219 + * software must display the following acknowledgment:
17220 + * "This product includes software developed by the OpenSSL Project
17221 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
17223 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
17224 + * endorse or promote products derived from this software without
17225 + * prior written permission. For written permission, please contact
17226 + * openssl-core@openssl.org.
17228 + * 5. Products derived from this software may not be called "OpenSSL"
17229 + * nor may "OpenSSL" appear in their names without prior written
17230 + * permission of the OpenSSL Project.
17232 + * 6. Redistributions of any form whatsoever must retain the following
17233 + * acknowledgment:
17234 + * "This product includes software developed by the OpenSSL Project
17235 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
17237 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
17238 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17239 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
17240 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
17241 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
17242 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
17243 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
17244 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
17245 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
17246 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
17247 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
17248 + * OF THE POSSIBILITY OF SUCH DAMAGE.
17252 +#include <string.h>
17253 +#include <openssl/err.h>
17254 +#ifdef OPENSSL_FIPS
17255 +#include <openssl/fips.h>
17257 +#include <openssl/rsa.h>
17258 +#include <openssl/evp.h>
17259 +#include <openssl/bn.h>
17260 +#include <openssl/opensslconf.h>
17262 +#ifdef OPENSSL_FIPS
17264 +static const unsigned char n[] =
17265 +"\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
17266 +"\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
17267 +"\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD"
17268 +"\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80"
17269 +"\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25"
17270 +"\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39"
17271 +"\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68"
17272 +"\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD"
17275 +static int corrupt_rsa;
17277 +static int setrsakey(RSA *key)
17279 + static const unsigned char e[] = "\x11";
17281 + static const unsigned char d[] =
17282 +"\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD"
17283 +"\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41"
17284 +"\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69"
17285 +"\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA"
17286 +"\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94"
17287 +"\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A"
17288 +"\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
17289 +"\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
17292 + static const unsigned char p[] =
17293 +"\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
17294 +"\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
17295 +"\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
17296 +"\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
17299 + static const unsigned char q[] =
17300 +"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
17301 +"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
17302 +"\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
17303 +"\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
17306 + static const unsigned char dmp1[] =
17307 +"\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
17308 +"\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
17309 +"\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
17310 +"\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81";
17312 + static const unsigned char dmq1[] =
17313 +"\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
17314 +"\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
17315 +"\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
17316 +"\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D";
17318 + static const unsigned char iqmp[] =
17319 +"\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
17320 +"\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
17321 +"\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
17322 +"\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
17325 + key->n = BN_bin2bn(n, sizeof(n)-1, key->n);
17327 + BN_set_bit(key->n, 1024);
17328 + key->e = BN_bin2bn(e, sizeof(e)-1, key->e);
17329 + key->d = BN_bin2bn(d, sizeof(d)-1, key->d);
17330 + key->p = BN_bin2bn(p, sizeof(p)-1, key->p);
17331 + key->q = BN_bin2bn(q, sizeof(q)-1, key->q);
17332 + key->dmp1 = BN_bin2bn(dmp1, sizeof(dmp1)-1, key->dmp1);
17333 + key->dmq1 = BN_bin2bn(dmq1, sizeof(dmq1)-1, key->dmq1);
17334 + key->iqmp = BN_bin2bn(iqmp, sizeof(iqmp)-1, key->iqmp);
17338 +void FIPS_corrupt_rsa()
17343 +/* Known Answer Test (KAT) data for the above RSA private key signing
17347 +static const unsigned char kat_tbs[] = "OpenSSL FIPS 140-2 Public Key RSA KAT";
17349 +static const unsigned char kat_RSA_PSS_SHA1[] = {
17350 + 0x2D, 0xAF, 0x6E, 0xC2, 0x98, 0xFB, 0x8A, 0xA1, 0xB9, 0x46, 0xDA, 0x0F,
17351 + 0x01, 0x1E, 0x37, 0x93, 0xC2, 0x55, 0x27, 0xE4, 0x1D, 0xD2, 0x90, 0xBB,
17352 + 0xF4, 0xBF, 0x4A, 0x74, 0x39, 0x51, 0xBB, 0xE8, 0x0C, 0xB7, 0xF8, 0xD3,
17353 + 0xD1, 0xDF, 0xE7, 0xBE, 0x80, 0x05, 0xC3, 0xB5, 0xC7, 0x83, 0xD5, 0x4C,
17354 + 0x7F, 0x49, 0xFB, 0x3F, 0x29, 0x9B, 0xE1, 0x12, 0x51, 0x60, 0xD0, 0xA7,
17355 + 0x0D, 0xA9, 0x28, 0x56, 0x73, 0xD9, 0x07, 0xE3, 0x5E, 0x3F, 0x9B, 0xF5,
17356 + 0xB6, 0xF3, 0xF2, 0x5E, 0x74, 0xC9, 0x83, 0x81, 0x47, 0xF0, 0xC5, 0x45,
17357 + 0x0A, 0xE9, 0x8E, 0x38, 0xD7, 0x18, 0xC6, 0x2A, 0x0F, 0xF8, 0xB7, 0x31,
17358 + 0xD6, 0x55, 0xE4, 0x66, 0x78, 0x81, 0xD4, 0xE6, 0xDB, 0x9F, 0xBA, 0xE8,
17359 + 0x23, 0xB5, 0x7F, 0xDC, 0x08, 0xEA, 0xD5, 0x26, 0x1E, 0x20, 0x25, 0x84,
17360 + 0x26, 0xC6, 0x79, 0xC9, 0x9B, 0x3D, 0x7E, 0xA9
17363 +static const unsigned char kat_RSA_PSS_SHA224[] = {
17364 + 0x39, 0x4A, 0x6A, 0x20, 0xBC, 0xE9, 0x33, 0xED, 0xEF, 0xC5, 0x58, 0xA7,
17365 + 0xFE, 0x81, 0xC4, 0x36, 0x50, 0x9A, 0x2C, 0x82, 0x98, 0x08, 0x95, 0xFA,
17366 + 0xB1, 0x9E, 0xD2, 0x55, 0x61, 0x87, 0x21, 0x59, 0x87, 0x7B, 0x1F, 0x57,
17367 + 0x30, 0x9D, 0x0D, 0x4A, 0x06, 0xEB, 0x52, 0x37, 0x55, 0x54, 0x1C, 0x89,
17368 + 0x83, 0x75, 0x59, 0x65, 0x64, 0x90, 0x2E, 0x16, 0xCC, 0x86, 0x05, 0xEE,
17369 + 0xB1, 0xE6, 0x7B, 0xBA, 0x16, 0x75, 0x0D, 0x0C, 0x64, 0x0B, 0xAB, 0x22,
17370 + 0x15, 0x78, 0x6B, 0x6F, 0xA4, 0xFB, 0x77, 0x40, 0x64, 0x62, 0xD1, 0xB5,
17371 + 0x37, 0x1E, 0xE0, 0x3D, 0xA8, 0xF9, 0xD2, 0xBD, 0xAA, 0x38, 0x24, 0x49,
17372 + 0x58, 0xD2, 0x74, 0x85, 0xF4, 0xB5, 0x93, 0x8E, 0xF5, 0x03, 0xEA, 0x2D,
17373 + 0xC8, 0x52, 0xFA, 0xCF, 0x7E, 0x35, 0xB0, 0x6A, 0xAF, 0x95, 0xC0, 0x00,
17374 + 0x54, 0x76, 0x3D, 0x0C, 0x9C, 0xB2, 0xEE, 0xC0
17377 +static const unsigned char kat_RSA_PSS_SHA256[] = {
17378 + 0x6D, 0x3D, 0xBE, 0x8F, 0x60, 0x6D, 0x25, 0x14, 0xF0, 0x31, 0xE3, 0x89,
17379 + 0x00, 0x97, 0xFA, 0x99, 0x71, 0x28, 0xE5, 0x10, 0x25, 0x9A, 0xF3, 0x8F,
17380 + 0x7B, 0xC5, 0xA8, 0x4A, 0x74, 0x51, 0x36, 0xE2, 0x8D, 0x7D, 0x73, 0x28,
17381 + 0xC1, 0x77, 0xC6, 0x27, 0x97, 0x00, 0x8B, 0x00, 0xA3, 0x96, 0x73, 0x4E,
17382 + 0x7D, 0x2E, 0x2C, 0x34, 0x68, 0x8C, 0x8E, 0xDF, 0x9D, 0x49, 0x47, 0x05,
17383 + 0xAB, 0xF5, 0x01, 0xD6, 0x81, 0x47, 0x70, 0xF5, 0x1D, 0x6D, 0x26, 0xBA,
17384 + 0x2F, 0x7A, 0x54, 0x53, 0x4E, 0xED, 0x71, 0xD9, 0x5A, 0xF3, 0xDA, 0xB6,
17385 + 0x0B, 0x47, 0x34, 0xAF, 0x90, 0xDC, 0xC8, 0xD9, 0x6F, 0x56, 0xCD, 0x9F,
17386 + 0x21, 0xB7, 0x7E, 0xAD, 0x7C, 0x2F, 0x75, 0x50, 0x47, 0x12, 0xE4, 0x6D,
17387 + 0x5F, 0xB7, 0x01, 0xDF, 0xC3, 0x11, 0x6C, 0xA9, 0x9E, 0x49, 0xB9, 0xF6,
17388 + 0x72, 0xF4, 0xF6, 0xEF, 0x88, 0x1E, 0x2D, 0x1C
17391 +static const unsigned char kat_RSA_PSS_SHA384[] = {
17392 + 0x40, 0xFB, 0xA1, 0x21, 0xF4, 0xB2, 0x40, 0x9A, 0xB4, 0x31, 0xA8, 0xF2,
17393 + 0xEC, 0x1C, 0xC4, 0xC8, 0x7C, 0x22, 0x65, 0x9C, 0x57, 0x45, 0xCD, 0x5E,
17394 + 0x86, 0x00, 0xF7, 0x25, 0x78, 0xDE, 0xDC, 0x7A, 0x71, 0x44, 0x9A, 0xCD,
17395 + 0xAA, 0x25, 0xF4, 0xB2, 0xFC, 0xF0, 0x75, 0xD9, 0x2F, 0x78, 0x23, 0x7F,
17396 + 0x6F, 0x02, 0xEF, 0xC1, 0xAF, 0xA6, 0x28, 0x16, 0x31, 0xDC, 0x42, 0x6C,
17397 + 0xB2, 0x44, 0xE5, 0x4D, 0x66, 0xA2, 0xE6, 0x71, 0xF3, 0xAC, 0x4F, 0xFB,
17398 + 0x91, 0xCA, 0xF5, 0x70, 0xEF, 0x6B, 0x9D, 0xA4, 0xEF, 0xD9, 0x3D, 0x2F,
17399 + 0x3A, 0xBE, 0x89, 0x38, 0x59, 0x01, 0xBA, 0xDA, 0x32, 0xAD, 0x42, 0x89,
17400 + 0x98, 0x8B, 0x39, 0x44, 0xF0, 0xFC, 0x38, 0xAC, 0x87, 0x1F, 0xCA, 0x6F,
17401 + 0x48, 0xF6, 0xAE, 0xD7, 0x45, 0xEE, 0xAE, 0x88, 0x0E, 0x60, 0xF4, 0x55,
17402 + 0x48, 0x44, 0xEE, 0x1F, 0x90, 0x18, 0x4B, 0xF1
17405 +static const unsigned char kat_RSA_PSS_SHA512[] = {
17406 + 0x07, 0x1E, 0xD8, 0xD5, 0x05, 0xE8, 0xE6, 0xE6, 0x57, 0xAE, 0x63, 0x8C,
17407 + 0xC6, 0x83, 0xB7, 0xA0, 0x59, 0xBB, 0xF2, 0xC6, 0x8F, 0x12, 0x53, 0x9A,
17408 + 0x9B, 0x54, 0x9E, 0xB3, 0xC1, 0x1D, 0x23, 0x4D, 0x51, 0xED, 0x9E, 0xDD,
17409 + 0x4B, 0xF3, 0x46, 0x9B, 0x6B, 0xF6, 0x7C, 0x24, 0x60, 0x79, 0x23, 0x39,
17410 + 0x01, 0x1C, 0x51, 0xCB, 0xD8, 0xE9, 0x9A, 0x01, 0x67, 0x5F, 0xFE, 0xD7,
17411 + 0x7C, 0xE3, 0x7F, 0xED, 0xDB, 0x87, 0xBB, 0xF0, 0x3D, 0x78, 0x55, 0x61,
17412 + 0x57, 0xE3, 0x0F, 0xE3, 0xD2, 0x9D, 0x0C, 0x2A, 0x20, 0xB0, 0x85, 0x13,
17413 + 0xC5, 0x47, 0x34, 0x0D, 0x32, 0x15, 0xC8, 0xAE, 0x9A, 0x6A, 0x39, 0x63,
17414 + 0x2D, 0x60, 0xF5, 0x4C, 0xDF, 0x8A, 0x48, 0x4B, 0xBF, 0xF4, 0xA8, 0xFE,
17415 + 0x76, 0xF2, 0x32, 0x1B, 0x9C, 0x7C, 0xCA, 0xFE, 0x7F, 0x80, 0xC2, 0x88,
17416 + 0x5C, 0x97, 0x70, 0xB4, 0x26, 0xC9, 0x14, 0x8B
17419 +static const unsigned char kat_RSA_SHA1[] = {
17420 + 0x71, 0xEE, 0x1A, 0xC0, 0xFE, 0x01, 0x93, 0x54, 0x79, 0x5C, 0xF2, 0x4C,
17421 + 0x4A, 0xFD, 0x1A, 0x05, 0x8F, 0x64, 0xB1, 0x6D, 0x61, 0x33, 0x8D, 0x9B,
17422 + 0xE7, 0xFD, 0x60, 0xA3, 0x83, 0xB5, 0xA3, 0x51, 0x55, 0x77, 0x90, 0xCF,
17423 + 0xDC, 0x22, 0x37, 0x8E, 0xD0, 0xE1, 0xAE, 0x09, 0xE3, 0x3D, 0x1E, 0xF8,
17424 + 0x80, 0xD1, 0x8B, 0xC2, 0xEC, 0x0A, 0xD7, 0x6B, 0x88, 0x8B, 0x8B, 0xA1,
17425 + 0x20, 0x22, 0xBE, 0x59, 0x5B, 0xE0, 0x23, 0x24, 0xA1, 0x49, 0x30, 0xBA,
17426 + 0xA9, 0x9E, 0xE8, 0xB1, 0x8A, 0x62, 0x16, 0xBF, 0x4E, 0xCA, 0x2E, 0x4E,
17427 + 0xBC, 0x29, 0xA8, 0x67, 0x13, 0xB7, 0x9F, 0x1D, 0x04, 0x44, 0xE5, 0x5F,
17428 + 0x35, 0x07, 0x11, 0xBC, 0xED, 0x19, 0x37, 0x21, 0xCF, 0x23, 0x48, 0x1F,
17429 + 0x72, 0x05, 0xDE, 0xE6, 0xE8, 0x7F, 0x33, 0x8A, 0x76, 0x4B, 0x2F, 0x95,
17430 + 0xDF, 0xF1, 0x5F, 0x84, 0x80, 0xD9, 0x46, 0xB4
17433 +static const unsigned char kat_RSA_SHA224[] = {
17434 + 0x62, 0xAA, 0x79, 0xA9, 0x18, 0x0E, 0x5F, 0x8C, 0xBB, 0xB7, 0x15, 0xF9,
17435 + 0x25, 0xBB, 0xFA, 0xD4, 0x3A, 0x34, 0xED, 0x9E, 0xA0, 0xA9, 0x18, 0x8D,
17436 + 0x5B, 0x55, 0x9A, 0x7E, 0x1E, 0x08, 0x08, 0x60, 0xC5, 0x1A, 0xC5, 0x89,
17437 + 0x08, 0xE2, 0x1B, 0xBD, 0x62, 0x50, 0x17, 0x76, 0x30, 0x2C, 0x9E, 0xCD,
17438 + 0xA4, 0x02, 0xAD, 0xB1, 0x6D, 0x44, 0x6D, 0xD5, 0xC6, 0x45, 0x41, 0xE5,
17439 + 0xEE, 0x1F, 0x8D, 0x7E, 0x08, 0x16, 0xA6, 0xE1, 0x5E, 0x0B, 0xA9, 0xCC,
17440 + 0xDB, 0x59, 0x55, 0x87, 0x09, 0x25, 0x70, 0x86, 0x84, 0x02, 0xC6, 0x3B,
17441 + 0x0B, 0x44, 0x4C, 0x46, 0x95, 0xF4, 0xF8, 0x5A, 0x91, 0x28, 0x3E, 0xB2,
17442 + 0x58, 0x2E, 0x06, 0x45, 0x49, 0xE0, 0x92, 0xE2, 0xC0, 0x66, 0xE6, 0x35,
17443 + 0xD9, 0x79, 0x7F, 0x17, 0x5E, 0x02, 0x73, 0x04, 0x77, 0x82, 0xE6, 0xDC,
17444 + 0x40, 0x21, 0x89, 0x8B, 0x37, 0x3E, 0x1E, 0x8D
17447 +static const unsigned char kat_RSA_SHA256[] = {
17448 + 0x0D, 0x55, 0xE2, 0xAA, 0x81, 0xDB, 0x8E, 0x82, 0x05, 0x17, 0xA5, 0x23,
17449 + 0xE7, 0x3B, 0x1D, 0xAF, 0xFB, 0x8C, 0xD0, 0x81, 0x20, 0x7B, 0xAA, 0x23,
17450 + 0x92, 0x87, 0x8C, 0xD1, 0x53, 0x85, 0x16, 0xDC, 0xBE, 0xAD, 0x6F, 0x35,
17451 + 0x98, 0x2D, 0x69, 0x84, 0xBF, 0xD9, 0x8A, 0x01, 0x17, 0x58, 0xB2, 0x6E,
17452 + 0x2C, 0x44, 0x9B, 0x90, 0xF1, 0xFB, 0x51, 0xE8, 0x6A, 0x90, 0x2D, 0x18,
17453 + 0x0E, 0xC0, 0x90, 0x10, 0x24, 0xA9, 0x1D, 0xB3, 0x58, 0x7A, 0x91, 0x30,
17454 + 0xBE, 0x22, 0xC7, 0xD3, 0xEC, 0xC3, 0x09, 0x5D, 0xBF, 0xE2, 0x80, 0x3A,
17455 + 0x7C, 0x85, 0xB4, 0xBC, 0xD1, 0xE9, 0xF0, 0x5C, 0xDE, 0x81, 0xA6, 0x38,
17456 + 0xB8, 0x42, 0xBB, 0x86, 0xC5, 0x9D, 0xCE, 0x7C, 0x2C, 0xEE, 0xD1, 0xDA,
17457 + 0x27, 0x48, 0x2B, 0xF5, 0xAB, 0xB9, 0xF7, 0x80, 0xD1, 0x90, 0x27, 0x90,
17458 + 0xBD, 0x44, 0x97, 0x60, 0xCD, 0x57, 0xC0, 0x7A
17461 +static const unsigned char kat_RSA_SHA384[] = {
17462 + 0x1D, 0xE3, 0x6A, 0xDD, 0x27, 0x4C, 0xC0, 0xA5, 0x27, 0xEF, 0xE6, 0x1F,
17463 + 0xD2, 0x91, 0x68, 0x59, 0x04, 0xAE, 0xBD, 0x99, 0x63, 0x56, 0x47, 0xC7,
17464 + 0x6F, 0x22, 0x16, 0x48, 0xD0, 0xF9, 0x18, 0xA9, 0xCA, 0xFA, 0x5D, 0x5C,
17465 + 0xA7, 0x65, 0x52, 0x8A, 0xC8, 0x44, 0x7E, 0x86, 0x5D, 0xA9, 0xA6, 0x55,
17466 + 0x65, 0x3E, 0xD9, 0x2D, 0x02, 0x38, 0xA8, 0x79, 0x28, 0x7F, 0xB6, 0xCF,
17467 + 0x82, 0xDD, 0x7E, 0x55, 0xE1, 0xB1, 0xBC, 0xE2, 0x19, 0x2B, 0x30, 0xC2,
17468 + 0x1B, 0x2B, 0xB0, 0x82, 0x46, 0xAC, 0x4B, 0xD1, 0xE2, 0x7D, 0xEB, 0x8C,
17469 + 0xFF, 0x95, 0xE9, 0x6A, 0x1C, 0x3D, 0x4D, 0xBF, 0x8F, 0x8B, 0x9C, 0xCD,
17470 + 0xEA, 0x85, 0xEE, 0x00, 0xDC, 0x1C, 0xA7, 0xEB, 0xD0, 0x8F, 0x99, 0xF1,
17471 + 0x16, 0x28, 0x24, 0x64, 0x04, 0x39, 0x2D, 0x58, 0x1E, 0x37, 0xDC, 0x04,
17472 + 0xBD, 0x31, 0xA2, 0x2F, 0xB3, 0x35, 0x56, 0xBF
17475 +static const unsigned char kat_RSA_SHA512[] = {
17476 + 0x69, 0x52, 0x1B, 0x51, 0x5E, 0x06, 0xCA, 0x9B, 0x16, 0x51, 0x5D, 0xCF,
17477 + 0x49, 0x25, 0x4A, 0xA1, 0x6A, 0x77, 0x4C, 0x36, 0x40, 0xF8, 0xB2, 0x9A,
17478 + 0x15, 0xEA, 0x5C, 0xE5, 0xE6, 0x82, 0xE0, 0x86, 0x82, 0x6B, 0x32, 0xF1,
17479 + 0x04, 0xC1, 0x5A, 0x1A, 0xED, 0x1E, 0x9A, 0xB6, 0x4C, 0x54, 0x9F, 0xD8,
17480 + 0x8D, 0xCC, 0xAC, 0x8A, 0xBB, 0x9C, 0x82, 0x3F, 0xA6, 0x53, 0x62, 0xB5,
17481 + 0x80, 0xE2, 0xBC, 0xDD, 0x67, 0x2B, 0xD9, 0x3F, 0xE4, 0x75, 0x92, 0x6B,
17482 + 0xAF, 0x62, 0x7C, 0x52, 0xF0, 0xEE, 0x33, 0xDF, 0x1B, 0x1D, 0x47, 0xE6,
17483 + 0x59, 0x56, 0xA5, 0xB9, 0x5C, 0xE6, 0x77, 0x78, 0x16, 0x63, 0x84, 0x05,
17484 + 0x6F, 0x0E, 0x2B, 0x31, 0x9D, 0xF7, 0x7F, 0xB2, 0x64, 0x71, 0xE0, 0x2D,
17485 + 0x3E, 0x62, 0xCE, 0xB5, 0x3F, 0x88, 0xDF, 0x2D, 0xAB, 0x98, 0x65, 0x91,
17486 + 0xDF, 0x70, 0x14, 0xA5, 0x3F, 0x36, 0xAB, 0x84
17489 +static const unsigned char kat_RSA_X931_SHA1[] = {
17490 + 0x86, 0xB4, 0x18, 0xBA, 0xD1, 0x80, 0xB6, 0x7C, 0x42, 0x45, 0x4D, 0xDF,
17491 + 0xE9, 0x2D, 0xE1, 0x83, 0x5F, 0xB5, 0x2F, 0xC9, 0xCD, 0xC4, 0xB2, 0x75,
17492 + 0x80, 0xA4, 0xF1, 0x4A, 0xE7, 0x83, 0x12, 0x1E, 0x1E, 0x14, 0xB8, 0xAC,
17493 + 0x35, 0xE2, 0xAA, 0x0B, 0x5C, 0xF8, 0x38, 0x4D, 0x04, 0xEE, 0xA9, 0x97,
17494 + 0x70, 0xFB, 0x5E, 0xE7, 0xB7, 0xE3, 0x62, 0x23, 0x4B, 0x38, 0xBE, 0xD6,
17495 + 0x53, 0x15, 0xF7, 0xDF, 0x87, 0xB4, 0x0E, 0xCC, 0xB1, 0x1A, 0x11, 0x19,
17496 + 0xEE, 0x51, 0xCC, 0x92, 0xDD, 0xBC, 0x63, 0x29, 0x63, 0x0C, 0x59, 0xD7,
17497 + 0x6F, 0x4C, 0x3C, 0x37, 0x5B, 0x37, 0x03, 0x61, 0x7D, 0x24, 0x1C, 0x99,
17498 + 0x48, 0xAF, 0x82, 0xFE, 0x32, 0x41, 0x9B, 0xB2, 0xDB, 0xEA, 0xED, 0x76,
17499 + 0x8E, 0x6E, 0xCA, 0x7E, 0x4E, 0x14, 0xBA, 0x30, 0x84, 0x1C, 0xB3, 0x67,
17500 + 0xA3, 0x29, 0x80, 0x70, 0x54, 0x68, 0x7D, 0x49
17503 +static const unsigned char kat_RSA_X931_SHA256[] = {
17504 + 0x7E, 0xA2, 0x77, 0xFE, 0xB8, 0x54, 0x8A, 0xC7, 0x7F, 0x64, 0x54, 0x89,
17505 + 0xE5, 0x52, 0x15, 0x8E, 0x52, 0x96, 0x4E, 0xA6, 0x58, 0x92, 0x1C, 0xDD,
17506 + 0xEA, 0xA2, 0x2D, 0x5C, 0xD1, 0x62, 0x00, 0x49, 0x05, 0x95, 0x73, 0xCF,
17507 + 0x16, 0x76, 0x68, 0xF6, 0xC6, 0x5E, 0x80, 0xB8, 0xB8, 0x7B, 0xC8, 0x9B,
17508 + 0xC6, 0x53, 0x88, 0x26, 0x20, 0x88, 0x73, 0xB6, 0x13, 0xB8, 0xF0, 0x4B,
17509 + 0x00, 0x85, 0xF3, 0xDD, 0x07, 0x50, 0xEB, 0x20, 0xC4, 0x38, 0x0E, 0x98,
17510 + 0xAD, 0x4E, 0x49, 0x2C, 0xD7, 0x65, 0xA5, 0x19, 0x0E, 0x59, 0x01, 0xEC,
17511 + 0x7E, 0x75, 0x89, 0x69, 0x2E, 0x63, 0x76, 0x85, 0x46, 0x8D, 0xA0, 0x8C,
17512 + 0x33, 0x1D, 0x82, 0x8C, 0x03, 0xEA, 0x69, 0x88, 0x35, 0xA1, 0x42, 0xBD,
17513 + 0x21, 0xED, 0x8D, 0xBC, 0xBC, 0xDB, 0x30, 0xFF, 0x86, 0xF0, 0x5B, 0xDC,
17514 + 0xE3, 0xE2, 0xE8, 0x0A, 0x0A, 0x29, 0x94, 0x80
17517 +static const unsigned char kat_RSA_X931_SHA384[] = {
17518 + 0x5C, 0x7D, 0x96, 0x35, 0xEC, 0x7E, 0x11, 0x38, 0xBB, 0x7B, 0xEC, 0x7B,
17519 + 0xF2, 0x82, 0x8E, 0x99, 0xBD, 0xEF, 0xD8, 0xAE, 0xD7, 0x39, 0x37, 0xCB,
17520 + 0xE6, 0x4F, 0x5E, 0x0A, 0x13, 0xE4, 0x2E, 0x40, 0xB9, 0xBE, 0x2E, 0xE3,
17521 + 0xEF, 0x78, 0x83, 0x18, 0x44, 0x35, 0x9C, 0x8E, 0xD7, 0x4A, 0x63, 0xF6,
17522 + 0x57, 0xC2, 0xB0, 0x08, 0x51, 0x73, 0xCF, 0xCA, 0x99, 0x66, 0xEE, 0x31,
17523 + 0xD8, 0x69, 0xE9, 0xAB, 0x13, 0x27, 0x7B, 0x41, 0x1E, 0x6D, 0x8D, 0xF1,
17524 + 0x3E, 0x9C, 0x35, 0x95, 0x58, 0xDD, 0x2B, 0xD5, 0xA0, 0x60, 0x41, 0x79,
17525 + 0x24, 0x22, 0xE4, 0xB7, 0xBF, 0x47, 0x53, 0xF6, 0x34, 0xD5, 0x7C, 0xFF,
17526 + 0x0E, 0x09, 0xEE, 0x2E, 0xE2, 0x37, 0xB9, 0xDE, 0xC5, 0x12, 0x44, 0x35,
17527 + 0xEF, 0x01, 0xE6, 0x5E, 0x39, 0x31, 0x2D, 0x71, 0xA5, 0xDC, 0xC6, 0x6D,
17528 + 0xE2, 0xCD, 0x85, 0xDB, 0x73, 0x82, 0x65, 0x28
17531 +static const unsigned char kat_RSA_X931_SHA512[] = {
17532 + 0xA6, 0x65, 0xA2, 0x77, 0x4F, 0xB3, 0x86, 0xCB, 0x64, 0x3A, 0xC1, 0x63,
17533 + 0xFC, 0xA1, 0xAA, 0xCB, 0x9B, 0x79, 0xDD, 0x4B, 0xE1, 0xD9, 0xDA, 0xAC,
17534 + 0xE7, 0x47, 0x09, 0xB2, 0x11, 0x4B, 0x8A, 0xAA, 0x05, 0x9E, 0x77, 0xD7,
17535 + 0x3A, 0xBD, 0x5E, 0x53, 0x09, 0x4A, 0xE6, 0x0F, 0x5E, 0xF9, 0x14, 0x28,
17536 + 0xA0, 0x99, 0x74, 0x64, 0x70, 0x4E, 0xF2, 0xE3, 0xFA, 0xC7, 0xF8, 0xC5,
17537 + 0x6E, 0x2B, 0x79, 0x96, 0x0D, 0x0C, 0xC8, 0x10, 0x34, 0x53, 0xD2, 0xAF,
17538 + 0x17, 0x0E, 0xE0, 0xBF, 0x79, 0xF6, 0x04, 0x72, 0x10, 0xE0, 0xF6, 0xD0,
17539 + 0xCE, 0x8A, 0x6F, 0xA1, 0x95, 0x89, 0xBF, 0x58, 0x8F, 0x46, 0x5F, 0x09,
17540 + 0x9F, 0x09, 0xCA, 0x84, 0x15, 0x85, 0xE0, 0xED, 0x04, 0x2D, 0xFB, 0x7C,
17541 + 0x36, 0x35, 0x21, 0x31, 0xC3, 0xFD, 0x92, 0x42, 0x11, 0x30, 0x71, 0x1B,
17542 + 0x60, 0x83, 0x18, 0x88, 0xA3, 0xF5, 0x59, 0xC3
17546 +int FIPS_selftest_rsa()
17550 + EVP_PKEY *pk = NULL;
17552 + if ((key=RSA_new()) == NULL)
17555 + if ((pk=EVP_PKEY_new()) == NULL)
17558 + EVP_PKEY_assign_RSA(pk, key);
17560 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17561 + kat_RSA_SHA1, sizeof(kat_RSA_SHA1),
17562 + EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1,
17563 + "RSA SHA1 PKCS#1"))
17565 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17566 + kat_RSA_SHA224, sizeof(kat_RSA_SHA224),
17567 + EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PKCS1,
17568 + "RSA SHA224 PKCS#1"))
17570 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17571 + kat_RSA_SHA256, sizeof(kat_RSA_SHA256),
17572 + EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1,
17573 + "RSA SHA256 PKCS#1"))
17575 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17576 + kat_RSA_SHA384, sizeof(kat_RSA_SHA384),
17577 + EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PKCS1,
17578 + "RSA SHA384 PKCS#1"))
17580 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17581 + kat_RSA_SHA512, sizeof(kat_RSA_SHA512),
17582 + EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PKCS1,
17583 + "RSA SHA512 PKCS#1"))
17586 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17587 + kat_RSA_PSS_SHA1, sizeof(kat_RSA_PSS_SHA1),
17588 + EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS,
17591 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17592 + kat_RSA_PSS_SHA224, sizeof(kat_RSA_PSS_SHA224),
17593 + EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PSS,
17594 + "RSA SHA224 PSS"))
17596 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17597 + kat_RSA_PSS_SHA256, sizeof(kat_RSA_PSS_SHA256),
17598 + EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PSS,
17599 + "RSA SHA256 PSS"))
17601 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17602 + kat_RSA_PSS_SHA384, sizeof(kat_RSA_PSS_SHA384),
17603 + EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PSS,
17604 + "RSA SHA384 PSS"))
17606 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17607 + kat_RSA_PSS_SHA512, sizeof(kat_RSA_PSS_SHA512),
17608 + EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PSS,
17609 + "RSA SHA512 PSS"))
17613 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17614 + kat_RSA_X931_SHA1, sizeof(kat_RSA_X931_SHA1),
17615 + EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931,
17616 + "RSA SHA1 X931"))
17618 + /* NB: SHA224 not supported in X9.31 */
17619 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17620 + kat_RSA_X931_SHA256, sizeof(kat_RSA_X931_SHA256),
17621 + EVP_sha256(), EVP_MD_CTX_FLAG_PAD_X931,
17622 + "RSA SHA256 X931"))
17624 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17625 + kat_RSA_X931_SHA384, sizeof(kat_RSA_X931_SHA384),
17626 + EVP_sha384(), EVP_MD_CTX_FLAG_PAD_X931,
17627 + "RSA SHA384 X931"))
17629 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17630 + kat_RSA_X931_SHA512, sizeof(kat_RSA_X931_SHA512),
17631 + EVP_sha512(), EVP_MD_CTX_FLAG_PAD_X931,
17632 + "RSA SHA512 X931"))
17640 + EVP_PKEY_free(pk);
17646 +#endif /* def OPENSSL_FIPS */
17647 diff -up openssl-1.0.1e/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.1e/crypto/fips/fips_rsa_x931g.c
17648 --- openssl-1.0.1e/crypto/fips/fips_rsa_x931g.c.fips 2013-02-19 12:47:33.742118935 +0100
17649 +++ openssl-1.0.1e/crypto/fips/fips_rsa_x931g.c 2013-02-19 12:47:33.742118935 +0100
17651 +/* crypto/rsa/rsa_gen.c */
17652 +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
17653 + * All rights reserved.
17655 + * This package is an SSL implementation written
17656 + * by Eric Young (eay@cryptsoft.com).
17657 + * The implementation was written so as to conform with Netscapes SSL.
17659 + * This library is free for commercial and non-commercial use as long as
17660 + * the following conditions are aheared to. The following conditions
17661 + * apply to all code found in this distribution, be it the RC4, RSA,
17662 + * lhash, DES, etc., code; not just the SSL code. The SSL documentation
17663 + * included with this distribution is covered by the same copyright terms
17664 + * except that the holder is Tim Hudson (tjh@cryptsoft.com).
17666 + * Copyright remains Eric Young's, and as such any Copyright notices in
17667 + * the code are not to be removed.
17668 + * If this package is used in a product, Eric Young should be given attribution
17669 + * as the author of the parts of the library used.
17670 + * This can be in the form of a textual message at program startup or
17671 + * in documentation (online or textual) provided with the package.
17673 + * Redistribution and use in source and binary forms, with or without
17674 + * modification, are permitted provided that the following conditions
17676 + * 1. Redistributions of source code must retain the copyright
17677 + * notice, this list of conditions and the following disclaimer.
17678 + * 2. Redistributions in binary form must reproduce the above copyright
17679 + * notice, this list of conditions and the following disclaimer in the
17680 + * documentation and/or other materials provided with the distribution.
17681 + * 3. All advertising materials mentioning features or use of this software
17682 + * must display the following acknowledgement:
17683 + * "This product includes cryptographic software written by
17684 + * Eric Young (eay@cryptsoft.com)"
17685 + * The word 'cryptographic' can be left out if the rouines from the library
17686 + * being used are not cryptographic related :-).
17687 + * 4. If you include any Windows specific code (or a derivative thereof) from
17688 + * the apps directory (application code) you must include an acknowledgement:
17689 + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
17691 + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
17692 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17693 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17694 + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17695 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
17696 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
17697 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
17698 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
17699 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
17700 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
17703 + * The licence and distribution terms for any publically available version or
17704 + * derivative of this code cannot be changed. i.e. this code cannot simply be
17705 + * copied and put under another distribution licence
17706 + * [including the GNU Public Licence.]
17709 +#include <stdio.h>
17710 +#include <string.h>
17712 +#include <openssl/err.h>
17713 +#include <openssl/bn.h>
17714 +#include <openssl/rsa.h>
17715 +#ifdef OPENSSL_FIPS
17716 +#include <openssl/fips.h>
17718 +extern int fips_check_rsa(RSA *rsa);
17721 +/* X9.31 RSA key derivation and generation */
17723 +int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
17724 + const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp,
17725 + const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq,
17726 + const BIGNUM *e, BN_GENCB *cb)
17728 + BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL;
17729 + BN_CTX *ctx=NULL,*ctx2=NULL;
17734 + ctx = BN_CTX_new();
17737 + BN_CTX_start(ctx);
17739 + r0 = BN_CTX_get(ctx);
17740 + r1 = BN_CTX_get(ctx);
17741 + r2 = BN_CTX_get(ctx);
17742 + r3 = BN_CTX_get(ctx);
17748 + rsa->e = BN_dup(e);
17755 + /* If not all parameters present only calculate what we can.
17756 + * This allows test programs to output selective parameters.
17759 + if (Xp && !rsa->p)
17761 + rsa->p = BN_new();
17765 + if (!BN_X931_derive_prime_ex(rsa->p, p1, p2,
17766 + Xp, Xp1, Xp2, e, ctx, cb))
17770 + if (Xq && !rsa->q)
17772 + rsa->q = BN_new();
17775 + if (!BN_X931_derive_prime_ex(rsa->q, q1, q2,
17776 + Xq, Xq1, Xq2, e, ctx, cb))
17780 + if (!rsa->p || !rsa->q)
17783 + BN_CTX_free(ctx);
17787 + /* Since both primes are set we can now calculate all remaining
17791 + /* calculate n */
17793 + if (rsa->n == NULL)
17795 + if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx))
17798 + /* calculate d */
17799 + if (!BN_sub(r1,rsa->p,BN_value_one()))
17800 + goto err; /* p-1 */
17801 + if (!BN_sub(r2,rsa->q,BN_value_one()))
17802 + goto err; /* q-1 */
17803 + if (!BN_mul(r0,r1,r2,ctx))
17804 + goto err; /* (p-1)(q-1) */
17806 + if (!BN_gcd(r3, r1, r2, ctx))
17809 + if (!BN_div(r0, NULL, r0, r3, ctx))
17810 + goto err; /* LCM((p-1)(q-1)) */
17812 + ctx2 = BN_CTX_new();
17816 + rsa->d=BN_mod_inverse(NULL,rsa->e,r0,ctx2); /* d */
17817 + if (rsa->d == NULL)
17820 + /* calculate d mod (p-1) */
17821 + rsa->dmp1=BN_new();
17822 + if (rsa->dmp1 == NULL)
17824 + if (!BN_mod(rsa->dmp1,rsa->d,r1,ctx))
17827 + /* calculate d mod (q-1) */
17828 + rsa->dmq1=BN_new();
17829 + if (rsa->dmq1 == NULL)
17831 + if (!BN_mod(rsa->dmq1,rsa->d,r2,ctx))
17834 + /* calculate inverse of q mod p */
17835 + rsa->iqmp=BN_mod_inverse(NULL,rsa->q,rsa->p,ctx2);
17841 + BN_CTX_free(ctx);
17844 + BN_CTX_free(ctx2);
17845 + /* If this is set all calls successful */
17846 + if (rsa && rsa->iqmp != NULL)
17853 +int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, BN_GENCB *cb)
17856 + BIGNUM *Xp = NULL, *Xq = NULL;
17857 + BN_CTX *ctx = NULL;
17859 +#ifdef OPENSSL_FIPS
17860 + if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) &&
17861 + (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
17863 + FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_KEY_TOO_SHORT);
17869 + FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_INVALID_KEY_LENGTH);
17873 + if(FIPS_selftest_failed())
17875 + FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_FIPS_SELFTEST_FAILED);
17880 + ctx = BN_CTX_new();
17884 + BN_CTX_start(ctx);
17885 + Xp = BN_CTX_get(ctx);
17886 + Xq = BN_CTX_get(ctx);
17887 + if (!BN_X931_generate_Xpq(Xp, Xq, bits, ctx))
17890 + rsa->p = BN_new();
17891 + rsa->q = BN_new();
17892 + if (!rsa->p || !rsa->q)
17895 + /* Generate two primes from Xp, Xq */
17897 + if (!BN_X931_generate_prime_ex(rsa->p, NULL, NULL, NULL, NULL, Xp,
17901 + if (!BN_X931_generate_prime_ex(rsa->q, NULL, NULL, NULL, NULL, Xq,
17905 + /* Since rsa->p and rsa->q are valid this call will just derive
17906 + * remaining RSA components.
17909 + if (!RSA_X931_derive_ex(rsa, NULL, NULL, NULL, NULL,
17910 + NULL, NULL, NULL, NULL, NULL, NULL, e, cb))
17913 +#ifdef OPENSSL_FIPS
17914 + if(!fips_check_rsa(rsa))
17924 + BN_CTX_free(ctx);
17933 diff -up openssl-1.0.1e/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.1e/crypto/fips/fips_sha_selftest.c
17934 --- openssl-1.0.1e/crypto/fips/fips_sha_selftest.c.fips 2013-02-19 12:47:33.742118935 +0100
17935 +++ openssl-1.0.1e/crypto/fips/fips_sha_selftest.c 2013-02-19 12:47:33.742118935 +0100
17937 +/* ====================================================================
17938 + * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
17940 + * Redistribution and use in source and binary forms, with or without
17941 + * modification, are permitted provided that the following conditions
17944 + * 1. Redistributions of source code must retain the above copyright
17945 + * notice, this list of conditions and the following disclaimer.
17947 + * 2. Redistributions in binary form must reproduce the above copyright
17948 + * notice, this list of conditions and the following disclaimer in
17949 + * the documentation and/or other materials provided with the
17952 + * 3. All advertising materials mentioning features or use of this
17953 + * software must display the following acknowledgment:
17954 + * "This product includes software developed by the OpenSSL Project
17955 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
17957 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
17958 + * endorse or promote products derived from this software without
17959 + * prior written permission. For written permission, please contact
17960 + * openssl-core@openssl.org.
17962 + * 5. Products derived from this software may not be called "OpenSSL"
17963 + * nor may "OpenSSL" appear in their names without prior written
17964 + * permission of the OpenSSL Project.
17966 + * 6. Redistributions of any form whatsoever must retain the following
17967 + * acknowledgment:
17968 + * "This product includes software developed by the OpenSSL Project
17969 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
17971 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
17972 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17973 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
17974 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
17975 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
17976 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
17977 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
17978 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
17979 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
17980 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
17981 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
17982 + * OF THE POSSIBILITY OF SUCH DAMAGE.
17986 +#include <string.h>
17987 +#include <openssl/err.h>
17988 +#ifdef OPENSSL_FIPS
17989 +#include <openssl/fips.h>
17991 +#include <openssl/evp.h>
17992 +#include <openssl/sha.h>
17994 +#ifdef OPENSSL_FIPS
17995 +static const char test[][60]=
17999 + "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
18002 +static const unsigned char ret[][SHA_DIGEST_LENGTH]=
18004 + { 0xda,0x39,0xa3,0xee,0x5e,0x6b,0x4b,0x0d,0x32,0x55,
18005 + 0xbf,0xef,0x95,0x60,0x18,0x90,0xaf,0xd8,0x07,0x09 },
18006 + { 0xa9,0x99,0x3e,0x36,0x47,0x06,0x81,0x6a,0xba,0x3e,
18007 + 0x25,0x71,0x78,0x50,0xc2,0x6c,0x9c,0xd0,0xd8,0x9d },
18008 + { 0x84,0x98,0x3e,0x44,0x1c,0x3b,0xd2,0x6e,0xba,0xae,
18009 + 0x4a,0xa1,0xf9,0x51,0x29,0xe5,0xe5,0x46,0x70,0xf1 },
18012 +static int corrupt_sha;
18014 +void FIPS_corrupt_sha1()
18019 +int FIPS_selftest_sha1()
18023 + for(n=0 ; n<sizeof(test)/sizeof(test[0]) ; ++n)
18025 + unsigned char md[SHA_DIGEST_LENGTH];
18027 + EVP_Digest(test[n],strlen(test[n])+corrupt_sha,md, NULL, EVP_sha1(), NULL);
18028 + if(memcmp(md,ret[n],sizeof md))
18030 + FIPSerr(FIPS_F_FIPS_SELFTEST_SHA1,FIPS_R_SELFTEST_FAILED);
18037 +static const unsigned char msg_sha256[] = { 0xfa, 0x48, 0x59, 0x2a, 0xe1, 0xae, 0x1f, 0x30,
18039 +static const unsigned char dig_sha256[] = { 0xf7, 0x26, 0xd8, 0x98, 0x47, 0x91, 0x68, 0x5b,
18040 + 0x9e, 0x39, 0xb2, 0x58, 0xbb, 0x75, 0xbf, 0x01,
18041 + 0x17, 0x0c, 0x84, 0x00, 0x01, 0x7a, 0x94, 0x83,
18042 + 0xf3, 0x0b, 0x15, 0x84, 0x4b, 0x69, 0x88, 0x8a };
18044 +static const unsigned char msg_sha512[] = { 0x37, 0xd1, 0x35, 0x9d, 0x18, 0x41, 0xe9, 0xb7,
18045 + 0x6d, 0x9a, 0x13, 0xda, 0x5f, 0xf3, 0xbd };
18046 +static const unsigned char dig_sha512[] = { 0x11, 0x13, 0xc4, 0x19, 0xed, 0x2b, 0x1d, 0x16,
18047 + 0x11, 0xeb, 0x9b, 0xbe, 0xf0, 0x7f, 0xcf, 0x44,
18048 + 0x8b, 0xd7, 0x57, 0xbd, 0x8d, 0xa9, 0x25, 0xb0,
18049 + 0x47, 0x25, 0xd6, 0x6c, 0x9a, 0x54, 0x7f, 0x8f,
18050 + 0x0b, 0x53, 0x1a, 0x10, 0x68, 0x32, 0x03, 0x38,
18051 + 0x82, 0xc4, 0x87, 0xc4, 0xea, 0x0e, 0xd1, 0x04,
18052 + 0xa9, 0x98, 0xc1, 0x05, 0xa3, 0xf3, 0xf8, 0xb1,
18053 + 0xaf, 0xbc, 0xd9, 0x78, 0x7e, 0xee, 0x3d, 0x43 };
18055 +int FIPS_selftest_sha2(void)
18057 + unsigned char md[SHA512_DIGEST_LENGTH];
18059 + EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL);
18060 + if(memcmp(dig_sha256, md, sizeof(dig_sha256)))
18062 + FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
18066 + EVP_Digest(msg_sha512, sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL);
18067 + if(memcmp(dig_sha512, md, sizeof(dig_sha512)))
18069 + FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
18077 diff -up openssl-1.0.1e/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.1e/crypto/fips/fips_standalone_hmac.c
18078 --- openssl-1.0.1e/crypto/fips/fips_standalone_hmac.c.fips 2013-02-19 12:47:33.742118935 +0100
18079 +++ openssl-1.0.1e/crypto/fips/fips_standalone_hmac.c 2013-02-19 12:47:33.742118935 +0100
18081 +/* ====================================================================
18082 + * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
18084 + * Redistribution and use in source and binary forms, with or without
18085 + * modification, are permitted provided that the following conditions
18088 + * 1. Redistributions of source code must retain the above copyright
18089 + * notice, this list of conditions and the following disclaimer.
18091 + * 2. Redistributions in binary form must reproduce the above copyright
18092 + * notice, this list of conditions and the following disclaimer in
18093 + * the documentation and/or other materials provided with the
18096 + * 3. All advertising materials mentioning features or use of this
18097 + * software must display the following acknowledgment:
18098 + * "This product includes software developed by the OpenSSL Project
18099 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
18101 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
18102 + * endorse or promote products derived from this software without
18103 + * prior written permission. For written permission, please contact
18104 + * openssl-core@openssl.org.
18106 + * 5. Products derived from this software may not be called "OpenSSL"
18107 + * nor may "OpenSSL" appear in their names without prior written
18108 + * permission of the OpenSSL Project.
18110 + * 6. Redistributions of any form whatsoever must retain the following
18111 + * acknowledgment:
18112 + * "This product includes software developed by the OpenSSL Project
18113 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
18115 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
18116 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18117 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
18118 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
18119 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
18120 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18121 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
18122 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
18123 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
18124 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
18125 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
18126 + * OF THE POSSIBILITY OF SUCH DAMAGE.
18130 +#include <stdio.h>
18131 +#include <stdlib.h>
18132 +#include <string.h>
18133 +#include <openssl/opensslconf.h>
18134 +#include <openssl/sha.h>
18135 +#include <openssl/hmac.h>
18137 +#ifndef FIPSCANISTER_O
18138 +int FIPS_selftest_failed() { return 0; }
18139 +void FIPS_selftest_check() {}
18140 +void OPENSSL_cleanse(void *p,size_t len) {}
18143 +#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
18144 + defined(__INTEL__) || \
18145 + defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
18147 +unsigned int OPENSSL_ia32cap_P[2];
18150 +#ifdef OPENSSL_FIPS
18152 +static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx,
18155 + size_t len=strlen(key);
18157 + unsigned char keymd[HMAC_MAX_MD_CBLOCK];
18158 + unsigned char pad[HMAC_MAX_MD_CBLOCK];
18160 + if (len > SHA_CBLOCK)
18162 + SHA256_Init(md_ctx);
18163 + SHA256_Update(md_ctx,key,len);
18164 + SHA256_Final(keymd,md_ctx);
18165 + len=SHA256_DIGEST_LENGTH;
18168 + memcpy(keymd,key,len);
18169 + memset(&keymd[len],'\0',HMAC_MAX_MD_CBLOCK-len);
18171 + for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
18172 + pad[i]=0x36^keymd[i];
18173 + SHA256_Init(md_ctx);
18174 + SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
18176 + for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
18177 + pad[i]=0x5c^keymd[i];
18178 + SHA256_Init(o_ctx);
18179 + SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
18182 +static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx)
18184 + unsigned char buf[SHA256_DIGEST_LENGTH];
18186 + SHA256_Final(buf,md_ctx);
18187 + SHA256_Update(o_ctx,buf,sizeof buf);
18188 + SHA256_Final(md,o_ctx);
18193 +int main(int argc,char **argv)
18195 +#ifdef OPENSSL_FIPS
18196 + static char key[]="orboDeJITITejsirpADONivirpUkvarP";
18201 + fprintf(stderr,"%s [<file>]+\n",argv[0]);
18206 + if (!strcmp(argv[n],"-binary"))
18209 + binary=1; /* emit binary fingerprint... */
18212 + for(; n < argc ; ++n)
18214 + FILE *f=fopen(argv[n],"rb");
18215 + SHA256_CTX md_ctx,o_ctx;
18216 + unsigned char md[SHA256_DIGEST_LENGTH];
18225 + hmac_init(&md_ctx,&o_ctx,key);
18229 + size_t l=fread(buf,1,sizeof buf,f);
18241 + SHA256_Update(&md_ctx,buf,l);
18243 + hmac_final(md,&md_ctx,&o_ctx);
18247 + fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
18248 + break; /* ... for single(!) file */
18251 +/* printf("HMAC-SHA1(%s)= ",argv[n]); */
18252 + for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
18253 + printf("%02x",md[i]);
18261 diff -up openssl-1.0.1e/crypto/fips/fips_test_suite.c.fips openssl-1.0.1e/crypto/fips/fips_test_suite.c
18262 --- openssl-1.0.1e/crypto/fips/fips_test_suite.c.fips 2013-02-19 12:47:33.743118955 +0100
18263 +++ openssl-1.0.1e/crypto/fips/fips_test_suite.c 2013-02-19 12:47:33.743118955 +0100
18265 +/* ====================================================================
18266 + * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
18269 + * This command is intended as a test driver for the FIPS-140 testing
18270 + * lab performing FIPS-140 validation. It demonstrates the use of the
18271 + * OpenSSL library ito perform a variety of common cryptographic
18272 + * functions. A power-up self test is demonstrated by deliberately
18273 + * pointing to an invalid executable hash
18275 + * Contributed by Steve Marquess.
18278 +#include <stdio.h>
18279 +#include <assert.h>
18280 +#include <ctype.h>
18281 +#include <string.h>
18282 +#include <stdlib.h>
18283 +#include <openssl/aes.h>
18284 +#include <openssl/des.h>
18285 +#include <openssl/rsa.h>
18286 +#include <openssl/dsa.h>
18287 +#include <openssl/dh.h>
18288 +#include <openssl/hmac.h>
18289 +#include <openssl/err.h>
18291 +#include <openssl/bn.h>
18292 +#include <openssl/rand.h>
18293 +#include <openssl/sha.h>
18296 +#ifndef OPENSSL_FIPS
18297 +int main(int argc, char *argv[])
18299 + printf("No FIPS support\n");
18304 +#include <openssl/fips.h>
18305 +#include "fips_utl.h"
18307 +/* AES: encrypt and decrypt known plaintext, verify result matches original plaintext
18309 +static int FIPS_aes_test(void)
18312 + unsigned char pltmp[16];
18313 + unsigned char citmp[16];
18314 + unsigned char key[16] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
18315 + unsigned char plaintext[16] = "etaonrishdlcu";
18316 + EVP_CIPHER_CTX ctx;
18317 + EVP_CIPHER_CTX_init(&ctx);
18318 + if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 1) <= 0)
18320 + EVP_Cipher(&ctx, citmp, plaintext, 16);
18321 + if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 0) <= 0)
18323 + EVP_Cipher(&ctx, pltmp, citmp, 16);
18324 + if (memcmp(pltmp, plaintext, 16))
18328 + EVP_CIPHER_CTX_cleanup(&ctx);
18332 +static int FIPS_des3_test(void)
18335 + unsigned char pltmp[8];
18336 + unsigned char citmp[8];
18337 + unsigned char key[] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,
18338 + 19,20,21,22,23,24};
18339 + unsigned char plaintext[] = { 'e', 't', 'a', 'o', 'n', 'r', 'i', 's' };
18340 + EVP_CIPHER_CTX ctx;
18341 + EVP_CIPHER_CTX_init(&ctx);
18342 + if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(),NULL, key, NULL, 1) <= 0)
18344 + EVP_Cipher(&ctx, citmp, plaintext, 8);
18345 + if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(),NULL, key, NULL, 0) <= 0)
18347 + EVP_Cipher(&ctx, pltmp, citmp, 8);
18348 + if (memcmp(pltmp, plaintext, 8))
18352 + EVP_CIPHER_CTX_cleanup(&ctx);
18357 + * DSA: generate keys and sign, verify input plaintext.
18359 +static int FIPS_dsa_test(int bad)
18363 + unsigned char dgst[] = "etaonrishdlc";
18364 + unsigned char buf[60];
18365 + unsigned int slen;
18369 + ERR_clear_error();
18370 + EVP_MD_CTX_init(&mctx);
18374 + if (!DSA_generate_parameters_ex(dsa, 1024,NULL,0,NULL,NULL,NULL))
18376 + if (!DSA_generate_key(dsa))
18379 + BN_add_word(dsa->pub_key, 1);
18381 + pk.type = EVP_PKEY_DSA;
18382 + pk.pkey.dsa = dsa;
18384 + if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL))
18386 + if (!EVP_SignUpdate(&mctx, dgst, sizeof(dgst) - 1))
18388 + if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
18391 + if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL))
18393 + if (!EVP_VerifyUpdate(&mctx, dgst, sizeof(dgst) - 1))
18395 + r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
18397 + EVP_MD_CTX_cleanup(&mctx);
18406 + * RSA: generate keys and sign, verify input plaintext.
18408 +static int FIPS_rsa_test(int bad)
18411 + unsigned char input_ptext[] = "etaonrishdlc";
18412 + unsigned char buf[256];
18413 + unsigned int slen;
18419 + ERR_clear_error();
18420 + EVP_MD_CTX_init(&mctx);
18425 + BN_set_word(bn, 65537);
18426 + if (!RSA_generate_key_ex(key, 1024,bn,NULL))
18430 + BN_add_word(key->n, 1);
18432 + pk.type = EVP_PKEY_RSA;
18433 + pk.pkey.rsa = key;
18435 + if (!EVP_SignInit_ex(&mctx, EVP_sha1(), NULL))
18437 + if (!EVP_SignUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
18439 + if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
18442 + if (!EVP_VerifyInit_ex(&mctx, EVP_sha1(), NULL))
18444 + if (!EVP_VerifyUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
18446 + r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
18448 + EVP_MD_CTX_cleanup(&mctx);
18456 +/* SHA1: generate hash of known digest value and compare to known
18457 + precomputed correct hash
18459 +static int FIPS_sha1_test()
18461 + unsigned char digest[SHA_DIGEST_LENGTH] =
18462 + { 0x11, 0xf1, 0x9a, 0x3a, 0xec, 0x1a, 0x1e, 0x8e, 0x65, 0xd4, 0x9a, 0x38, 0x0c, 0x8b, 0x1e, 0x2c, 0xe8, 0xb3, 0xc5, 0x18 };
18463 + unsigned char str[] = "etaonrishd";
18465 + unsigned char md[SHA_DIGEST_LENGTH];
18467 + ERR_clear_error();
18468 + if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha1(), NULL)) return 0;
18469 + if (memcmp(md,digest,sizeof(md)))
18474 +/* SHA256: generate hash of known digest value and compare to known
18475 + precomputed correct hash
18477 +static int FIPS_sha256_test()
18479 + unsigned char digest[SHA256_DIGEST_LENGTH] =
18480 + {0xf5, 0x53, 0xcd, 0xb8, 0xcf, 0x1, 0xee, 0x17, 0x9b, 0x93, 0xc9, 0x68, 0xc0, 0xea, 0x40, 0x91,
18481 + 0x6, 0xec, 0x8e, 0x11, 0x96, 0xc8, 0x5d, 0x1c, 0xaf, 0x64, 0x22, 0xe6, 0x50, 0x4f, 0x47, 0x57};
18482 + unsigned char str[] = "etaonrishd";
18484 + unsigned char md[SHA256_DIGEST_LENGTH];
18486 + ERR_clear_error();
18487 + if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha256(), NULL)) return 0;
18488 + if (memcmp(md,digest,sizeof(md)))
18493 +/* SHA512: generate hash of known digest value and compare to known
18494 + precomputed correct hash
18496 +static int FIPS_sha512_test()
18498 + unsigned char digest[SHA512_DIGEST_LENGTH] =
18499 + {0x99, 0xc9, 0xe9, 0x5b, 0x88, 0xd4, 0x78, 0x88, 0xdf, 0x88, 0x5f, 0x94, 0x71, 0x64, 0x28, 0xca,
18500 + 0x16, 0x1f, 0x3d, 0xf4, 0x1f, 0xf3, 0x0f, 0xc5, 0x03, 0x99, 0xb2, 0xd0, 0xe7, 0x0b, 0x94, 0x4a,
18501 + 0x45, 0xd2, 0x6c, 0x4f, 0x20, 0x06, 0xef, 0x71, 0xa9, 0x25, 0x7f, 0x24, 0xb1, 0xd9, 0x40, 0x22,
18502 + 0x49, 0x54, 0x10, 0xc2, 0x22, 0x9d, 0x27, 0xfe, 0xbd, 0xd6, 0xd6, 0xeb, 0x2d, 0x42, 0x1d, 0xa3};
18503 + unsigned char str[] = "etaonrishd";
18505 + unsigned char md[SHA512_DIGEST_LENGTH];
18507 + ERR_clear_error();
18508 + if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha512(), NULL)) return 0;
18509 + if (memcmp(md,digest,sizeof(md)))
18514 +/* HMAC-SHA1: generate hash of known digest value and compare to known
18515 + precomputed correct hash
18517 +static int FIPS_hmac_sha1_test()
18519 + unsigned char key[] = "etaonrishd";
18520 + unsigned char iv[] = "Sample text";
18521 + unsigned char kaval[EVP_MAX_MD_SIZE] =
18522 + {0x73, 0xf7, 0xa0, 0x48, 0xf8, 0x94, 0xed, 0xdd, 0x0a, 0xea, 0xea, 0x56, 0x1b, 0x61, 0x2e, 0x70,
18523 + 0xb2, 0xfb, 0xec, 0xc6};
18525 + unsigned char out[EVP_MAX_MD_SIZE];
18526 + unsigned int outlen;
18528 + ERR_clear_error();
18529 + if (!HMAC(EVP_sha1(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
18530 + if (memcmp(out,kaval,outlen))
18535 +/* HMAC-SHA224: generate hash of known digest value and compare to known
18536 + precomputed correct hash
18538 +static int FIPS_hmac_sha224_test()
18540 + unsigned char key[] = "etaonrishd";
18541 + unsigned char iv[] = "Sample text";
18542 + unsigned char kaval[EVP_MAX_MD_SIZE] =
18543 + {0x75, 0x58, 0xd5, 0xbd, 0x55, 0x6d, 0x87, 0x0f, 0x75, 0xff, 0xbe, 0x1c, 0xb2, 0xf0, 0x20, 0x35,
18544 + 0xe5, 0x62, 0x49, 0xb6, 0x94, 0xb9, 0xfc, 0x65, 0x34, 0x33, 0x3a, 0x19};
18546 + unsigned char out[EVP_MAX_MD_SIZE];
18547 + unsigned int outlen;
18549 + ERR_clear_error();
18550 + if (!HMAC(EVP_sha224(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
18551 + if (memcmp(out,kaval,outlen))
18556 +/* HMAC-SHA256: generate hash of known digest value and compare to known
18557 + precomputed correct hash
18559 +static int FIPS_hmac_sha256_test()
18561 + unsigned char key[] = "etaonrishd";
18562 + unsigned char iv[] = "Sample text";
18563 + unsigned char kaval[EVP_MAX_MD_SIZE] =
18564 + {0xe9, 0x17, 0xc1, 0x7b, 0x4c, 0x6b, 0x77, 0xda, 0xd2, 0x30, 0x36, 0x02, 0xf5, 0x72, 0x33, 0x87,
18565 + 0x9f, 0xc6, 0x6e, 0x7b, 0x7e, 0xa8, 0xea, 0xaa, 0x9f, 0xba, 0xee, 0x51, 0xff, 0xda, 0x24, 0xf4};
18567 + unsigned char out[EVP_MAX_MD_SIZE];
18568 + unsigned int outlen;
18570 + ERR_clear_error();
18571 + if (!HMAC(EVP_sha256(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
18572 + if (memcmp(out,kaval,outlen))
18577 +/* HMAC-SHA384: generate hash of known digest value and compare to known
18578 + precomputed correct hash
18580 +static int FIPS_hmac_sha384_test()
18582 + unsigned char key[] = "etaonrishd";
18583 + unsigned char iv[] = "Sample text";
18584 + unsigned char kaval[EVP_MAX_MD_SIZE] =
18585 + {0xb2, 0x9d, 0x40, 0x58, 0x32, 0xc4, 0xe3, 0x31, 0xb6, 0x63, 0x08, 0x26, 0x99, 0xef, 0x3b, 0x10,
18586 + 0xe2, 0xdf, 0xf8, 0xff, 0xc6, 0xe1, 0x03, 0x29, 0x81, 0x2a, 0x1b, 0xac, 0xb0, 0x07, 0x39, 0x08,
18587 + 0xf3, 0x91, 0x35, 0x11, 0x76, 0xd6, 0x4c, 0x20, 0xfb, 0x4d, 0xc3, 0xf3, 0xb8, 0x9b, 0x88, 0x1c};
18589 + unsigned char out[EVP_MAX_MD_SIZE];
18590 + unsigned int outlen;
18592 + ERR_clear_error();
18593 + if (!HMAC(EVP_sha384(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
18594 + if (memcmp(out,kaval,outlen))
18599 +/* HMAC-SHA512: generate hash of known digest value and compare to known
18600 + precomputed correct hash
18602 +static int FIPS_hmac_sha512_test()
18604 + unsigned char key[] = "etaonrishd";
18605 + unsigned char iv[] = "Sample text";
18606 + unsigned char kaval[EVP_MAX_MD_SIZE] =
18607 + {0xcd, 0x3e, 0xb9, 0x51, 0xb8, 0xbc, 0x7f, 0x9a, 0x23, 0xaf, 0xf3, 0x77, 0x59, 0x85, 0xa9, 0xe6,
18608 + 0xf7, 0xd1, 0x51, 0x96, 0x17, 0xe0, 0x92, 0xd8, 0xa6, 0x3b, 0xc1, 0xad, 0x7e, 0x24, 0xca, 0xb1,
18609 + 0xd7, 0x79, 0x0a, 0xa5, 0xea, 0x2c, 0x02, 0x58, 0x0b, 0xa6, 0x52, 0x6b, 0x61, 0x7f, 0xeb, 0x9c,
18610 + 0x47, 0x86, 0x5d, 0x74, 0x2b, 0x88, 0xdf, 0xee, 0x46, 0x69, 0x96, 0x3d, 0xa6, 0xd9, 0x2a, 0x53};
18612 + unsigned char out[EVP_MAX_MD_SIZE];
18613 + unsigned int outlen;
18615 + ERR_clear_error();
18616 + if (!HMAC(EVP_sha512(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
18617 + if (memcmp(out,kaval,outlen))
18623 +/* DH: generate shared parameters
18625 +static int dh_test()
18628 + ERR_clear_error();
18629 + dh = FIPS_dh_new();
18632 + if (!DH_generate_parameters_ex(dh, 1024, 2, NULL))
18634 + FIPS_dh_free(dh);
18640 +static int Zeroize()
18644 + unsigned char userkey[16] =
18645 + { 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f, 0x83, 0x02, 0xb1, 0x09, 0x68 };
18648 + key = FIPS_rsa_new();
18652 + BN_set_word(bn, 65537);
18653 + if (!RSA_generate_key_ex(key, 1024,bn,NULL))
18657 + n = BN_num_bytes(key->d);
18658 + printf(" Generated %d byte RSA private key\n", n);
18659 + printf("\tBN key before overwriting:\n");
18660 + do_bn_print(stdout, key->d);
18661 + BN_rand(key->d,n*8,-1,0);
18662 + printf("\tBN key after overwriting:\n");
18663 + do_bn_print(stdout, key->d);
18665 + printf("\tchar buffer key before overwriting: \n\t\t");
18666 + for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
18668 + RAND_bytes(userkey, sizeof userkey);
18669 + printf("\tchar buffer key after overwriting: \n\t\t");
18670 + for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
18677 +const char * Fail(const char *msg)
18679 + do_print_errors();
18684 +int main(int argc,char **argv)
18687 + int do_corrupt_rsa_keygen = 0, do_corrupt_dsa_keygen = 0;
18688 + int bad_rsa = 0, bad_dsa = 0;
18689 + int do_rng_stick = 0;
18692 + printf("\tFIPS-mode test application\n\n");
18694 + /* Load entropy from external file, if any */
18695 + RAND_load_file(".rnd", 1024);
18698 + /* Corrupted KAT tests */
18699 + if (!strcmp(argv[1], "aes")) {
18700 + FIPS_corrupt_aes();
18701 + printf("AES encryption/decryption with corrupted KAT...\n");
18702 + } else if (!strcmp(argv[1], "des")) {
18703 + FIPS_corrupt_des();
18704 + printf("DES3-ECB encryption/decryption with corrupted KAT...\n");
18705 + } else if (!strcmp(argv[1], "dsa")) {
18706 + FIPS_corrupt_dsa();
18707 + printf("DSA key generation and signature validation with corrupted KAT...\n");
18708 + } else if (!strcmp(argv[1], "rsa")) {
18709 + FIPS_corrupt_rsa();
18710 + printf("RSA key generation and signature validation with corrupted KAT...\n");
18711 + } else if (!strcmp(argv[1], "rsakey")) {
18712 + printf("RSA key generation and signature validation with corrupted key...\n");
18715 + } else if (!strcmp(argv[1], "rsakeygen")) {
18716 + do_corrupt_rsa_keygen = 1;
18718 + printf("RSA key generation and signature validation with corrupted keygen...\n");
18719 + } else if (!strcmp(argv[1], "dsakey")) {
18720 + printf("DSA key generation and signature validation with corrupted key...\n");
18723 + } else if (!strcmp(argv[1], "dsakeygen")) {
18724 + do_corrupt_dsa_keygen = 1;
18726 + printf("DSA key generation and signature validation with corrupted keygen...\n");
18727 + } else if (!strcmp(argv[1], "sha1")) {
18728 + FIPS_corrupt_sha1();
18729 + printf("SHA-1 hash with corrupted KAT...\n");
18730 + } else if (!strcmp(argv[1], "rng")) {
18731 + FIPS_corrupt_rng();
18732 + } else if (!strcmp(argv[1], "rngstick")) {
18733 + do_rng_stick = 1;
18735 + printf("RNG test with stuck continuous test...\n");
18737 + printf("Bad argument \"%s\"\n", argv[1]);
18741 + if (!FIPS_mode_set(1)) {
18742 + do_print_errors();
18743 + printf("Power-up self test failed\n");
18746 + printf("Power-up self test successful\n");
18751 + /* Non-Approved cryptographic operation
18753 + printf("1. Non-Approved cryptographic operation test...\n");
18754 + printf("\ta. Included algorithm (D-H)...");
18755 + printf( dh_test() ? "successful\n" : Fail("FAILED!\n") );
18757 + /* Power-up self test
18759 + ERR_clear_error();
18760 + printf("2. Automatic power-up self test...");
18761 + if (!FIPS_mode_set(1))
18763 + do_print_errors();
18764 + printf(Fail("FAILED!\n"));
18767 + printf("successful\n");
18768 + if (do_corrupt_dsa_keygen)
18769 + FIPS_corrupt_dsa_keygen();
18770 + if (do_corrupt_rsa_keygen)
18771 + FIPS_corrupt_rsa_keygen();
18772 + if (do_rng_stick)
18773 + FIPS_rng_stick();
18775 + /* AES encryption/decryption
18777 + printf("3. AES encryption/decryption...");
18778 + printf( FIPS_aes_test() ? "successful\n" : Fail("FAILED!\n") );
18780 + /* RSA key generation and encryption/decryption
18782 + printf("4. RSA key generation and encryption/decryption...");
18783 + printf( FIPS_rsa_test(bad_rsa) ? "successful\n" : Fail("FAILED!\n") );
18785 + /* DES-CBC encryption/decryption
18787 + printf("5. DES-ECB encryption/decryption...");
18788 + printf( FIPS_des3_test() ? "successful\n" : Fail("FAILED!\n") );
18790 + /* DSA key generation and signature validation
18792 + printf("6. DSA key generation and signature validation...");
18793 + printf( FIPS_dsa_test(bad_dsa) ? "successful\n" : Fail("FAILED!\n") );
18797 + printf("7a. SHA-1 hash...");
18798 + printf( FIPS_sha1_test() ? "successful\n" : Fail("FAILED!\n") );
18802 + printf("7b. SHA-256 hash...");
18803 + printf( FIPS_sha256_test() ? "successful\n" : Fail("FAILED!\n") );
18807 + printf("7c. SHA-512 hash...");
18808 + printf( FIPS_sha512_test() ? "successful\n" : Fail("FAILED!\n") );
18810 + /* HMAC-SHA-1 hash
18812 + printf("7d. HMAC-SHA-1 hash...");
18813 + printf( FIPS_hmac_sha1_test() ? "successful\n" : Fail("FAILED!\n") );
18815 + /* HMAC-SHA-224 hash
18817 + printf("7e. HMAC-SHA-224 hash...");
18818 + printf( FIPS_hmac_sha224_test() ? "successful\n" : Fail("FAILED!\n") );
18820 + /* HMAC-SHA-256 hash
18822 + printf("7f. HMAC-SHA-256 hash...");
18823 + printf( FIPS_hmac_sha256_test() ? "successful\n" : Fail("FAILED!\n") );
18825 + /* HMAC-SHA-384 hash
18827 + printf("7g. HMAC-SHA-384 hash...");
18828 + printf( FIPS_hmac_sha384_test() ? "successful\n" : Fail("FAILED!\n") );
18830 + /* HMAC-SHA-512 hash
18832 + printf("7h. HMAC-SHA-512 hash...");
18833 + printf( FIPS_hmac_sha512_test() ? "successful\n" : Fail("FAILED!\n") );
18835 + /* Non-Approved cryptographic operation
18837 + printf("8. Non-Approved cryptographic operation test...\n");
18838 + printf("\ta. Included algorithm (D-H)...");
18839 + printf( dh_test() ? "successful as expected\n"
18840 + : Fail("failed INCORRECTLY!\n") );
18844 + printf("9. Zero-ization...\n");
18845 + printf( Zeroize() ? "\tsuccessful as expected\n"
18846 + : Fail("\tfailed INCORRECTLY!\n") );
18848 + printf("\nAll tests completed with %d errors\n", Error);
18849 + return Error ? 1 : 0;
18853 diff -up openssl-1.0.1e/crypto/fips/Makefile.fips openssl-1.0.1e/crypto/fips/Makefile
18854 --- openssl-1.0.1e/crypto/fips/Makefile.fips 2013-02-19 12:47:33.743118955 +0100
18855 +++ openssl-1.0.1e/crypto/fips/Makefile 2013-02-19 12:47:33.743118955 +0100
18858 +# OpenSSL/crypto/fips/Makefile
18866 +MAKEFILE= Makefile
18869 +CFLAGS= $(INCLUDES) $(CFLAG)
18872 +TEST=fips_test_suite.c fips_randtest.c
18875 +PROGRAM= fips_standalone_hmac
18876 +EXE= $(PROGRAM)$(EXE_EXT)
18878 +LIB=$(TOP)/libcrypto.a
18879 +LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_selftest.c \
18880 + fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
18881 + fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
18882 + fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
18883 + fips_cmac_selftest.c fips_enc.c fips_md.c
18885 +LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \
18886 + fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \
18887 + fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \
18888 + fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \
18889 + fips_cmac_selftest.o fips_enc.o fips_md.o
18891 +LIBCRYPTO=-L.. -lcrypto
18893 +SRC= $(LIBSRC) fips_standalone_hmac.c
18895 +EXHEADER= fips.h fips_rand.h
18896 +HEADER= $(EXHEADER)
18898 +ALL= $(GENERAL) $(SRC) $(HEADER)
18901 + (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
18906 + $(AR) $(LIB) $(LIBOBJ)
18907 + $(RANLIB) $(LIB) || echo Never mind.
18913 + $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
18916 + @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
18917 + @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
18918 + @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
18921 + @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
18922 + @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
18924 + (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
18925 + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
18934 + lint -DLINT $(INCLUDES) $(SRC)>fluff
18937 + @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
18938 + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
18941 + $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
18942 + mv -f Makefile.new $(MAKEFILE)
18945 + rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
18947 +$(EXE): $(PROGRAM).o
18948 + FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../sha/$$i" ; done; \
18949 + $(CC) -o $@ $(CFLAGS) $(PROGRAM).o $$FIPS_SHA_ASM
18951 +# DO NOT DELETE THIS LINE -- make depend depends on it.
18953 +fips.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
18954 +fips.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
18955 +fips.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
18956 +fips.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
18957 +fips.o: ../../include/openssl/fips_rand.h ../../include/openssl/hmac.h
18958 +fips.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
18959 +fips.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
18960 +fips.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
18961 +fips.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
18962 +fips.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
18963 +fips.o: ../../include/openssl/symhacks.h fips.c fips_locl.h
18964 +fips_aes_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
18965 +fips_aes_selftest.o: ../../include/openssl/crypto.h
18966 +fips_aes_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
18967 +fips_aes_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
18968 +fips_aes_selftest.o: ../../include/openssl/lhash.h
18969 +fips_aes_selftest.o: ../../include/openssl/obj_mac.h
18970 +fips_aes_selftest.o: ../../include/openssl/objects.h
18971 +fips_aes_selftest.o: ../../include/openssl/opensslconf.h
18972 +fips_aes_selftest.o: ../../include/openssl/opensslv.h
18973 +fips_aes_selftest.o: ../../include/openssl/ossl_typ.h
18974 +fips_aes_selftest.o: ../../include/openssl/safestack.h
18975 +fips_aes_selftest.o: ../../include/openssl/stack.h
18976 +fips_aes_selftest.o: ../../include/openssl/symhacks.h fips_aes_selftest.c
18977 +fips_des_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
18978 +fips_des_selftest.o: ../../include/openssl/crypto.h
18979 +fips_des_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
18980 +fips_des_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
18981 +fips_des_selftest.o: ../../include/openssl/lhash.h
18982 +fips_des_selftest.o: ../../include/openssl/obj_mac.h
18983 +fips_des_selftest.o: ../../include/openssl/objects.h
18984 +fips_des_selftest.o: ../../include/openssl/opensslconf.h
18985 +fips_des_selftest.o: ../../include/openssl/opensslv.h
18986 +fips_des_selftest.o: ../../include/openssl/ossl_typ.h
18987 +fips_des_selftest.o: ../../include/openssl/safestack.h
18988 +fips_des_selftest.o: ../../include/openssl/stack.h
18989 +fips_des_selftest.o: ../../include/openssl/symhacks.h fips_des_selftest.c
18990 +fips_drbg_ctr.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
18991 +fips_drbg_ctr.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
18992 +fips_drbg_ctr.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
18993 +fips_drbg_ctr.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
18994 +fips_drbg_ctr.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
18995 +fips_drbg_ctr.o: ../../include/openssl/objects.h
18996 +fips_drbg_ctr.o: ../../include/openssl/opensslconf.h
18997 +fips_drbg_ctr.o: ../../include/openssl/opensslv.h
18998 +fips_drbg_ctr.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
18999 +fips_drbg_ctr.o: ../../include/openssl/safestack.h
19000 +fips_drbg_ctr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
19001 +fips_drbg_ctr.o: fips_drbg_ctr.c fips_rand_lcl.h
19002 +fips_drbg_hash.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
19003 +fips_drbg_hash.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
19004 +fips_drbg_hash.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
19005 +fips_drbg_hash.o: ../../include/openssl/fips.h
19006 +fips_drbg_hash.o: ../../include/openssl/fips_rand.h
19007 +fips_drbg_hash.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
19008 +fips_drbg_hash.o: ../../include/openssl/objects.h
19009 +fips_drbg_hash.o: ../../include/openssl/opensslconf.h
19010 +fips_drbg_hash.o: ../../include/openssl/opensslv.h
19011 +fips_drbg_hash.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
19012 +fips_drbg_hash.o: ../../include/openssl/safestack.h
19013 +fips_drbg_hash.o: ../../include/openssl/stack.h
19014 +fips_drbg_hash.o: ../../include/openssl/symhacks.h fips_drbg_hash.c
19015 +fips_drbg_hash.o: fips_rand_lcl.h
19016 +fips_drbg_hmac.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
19017 +fips_drbg_hmac.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
19018 +fips_drbg_hmac.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
19019 +fips_drbg_hmac.o: ../../include/openssl/fips.h
19020 +fips_drbg_hmac.o: ../../include/openssl/fips_rand.h
19021 +fips_drbg_hmac.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
19022 +fips_drbg_hmac.o: ../../include/openssl/objects.h
19023 +fips_drbg_hmac.o: ../../include/openssl/opensslconf.h
19024 +fips_drbg_hmac.o: ../../include/openssl/opensslv.h
19025 +fips_drbg_hmac.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
19026 +fips_drbg_hmac.o: ../../include/openssl/safestack.h
19027 +fips_drbg_hmac.o: ../../include/openssl/stack.h
19028 +fips_drbg_hmac.o: ../../include/openssl/symhacks.h fips_drbg_hmac.c
19029 +fips_drbg_hmac.o: fips_rand_lcl.h
19030 +fips_drbg_lib.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
19031 +fips_drbg_lib.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
19032 +fips_drbg_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
19033 +fips_drbg_lib.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
19034 +fips_drbg_lib.o: ../../include/openssl/fips_rand.h ../../include/openssl/hmac.h
19035 +fips_drbg_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
19036 +fips_drbg_lib.o: ../../include/openssl/objects.h
19037 +fips_drbg_lib.o: ../../include/openssl/opensslconf.h
19038 +fips_drbg_lib.o: ../../include/openssl/opensslv.h
19039 +fips_drbg_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
19040 +fips_drbg_lib.o: ../../include/openssl/safestack.h
19041 +fips_drbg_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
19042 +fips_drbg_lib.o: fips_drbg_lib.c fips_locl.h fips_rand_lcl.h
19043 +fips_drbg_rand.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
19044 +fips_drbg_rand.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
19045 +fips_drbg_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
19046 +fips_drbg_rand.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
19047 +fips_drbg_rand.o: ../../include/openssl/fips_rand.h
19048 +fips_drbg_rand.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
19049 +fips_drbg_rand.o: ../../include/openssl/obj_mac.h
19050 +fips_drbg_rand.o: ../../include/openssl/objects.h
19051 +fips_drbg_rand.o: ../../include/openssl/opensslconf.h
19052 +fips_drbg_rand.o: ../../include/openssl/opensslv.h
19053 +fips_drbg_rand.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
19054 +fips_drbg_rand.o: ../../include/openssl/safestack.h
19055 +fips_drbg_rand.o: ../../include/openssl/stack.h
19056 +fips_drbg_rand.o: ../../include/openssl/symhacks.h fips_drbg_rand.c
19057 +fips_drbg_rand.o: fips_rand_lcl.h
19058 +fips_drbg_selftest.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
19059 +fips_drbg_selftest.o: ../../include/openssl/bio.h
19060 +fips_drbg_selftest.o: ../../include/openssl/crypto.h
19061 +fips_drbg_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
19062 +fips_drbg_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
19063 +fips_drbg_selftest.o: ../../include/openssl/fips_rand.h
19064 +fips_drbg_selftest.o: ../../include/openssl/hmac.h
19065 +fips_drbg_selftest.o: ../../include/openssl/lhash.h
19066 +fips_drbg_selftest.o: ../../include/openssl/obj_mac.h
19067 +fips_drbg_selftest.o: ../../include/openssl/objects.h
19068 +fips_drbg_selftest.o: ../../include/openssl/opensslconf.h
19069 +fips_drbg_selftest.o: ../../include/openssl/opensslv.h
19070 +fips_drbg_selftest.o: ../../include/openssl/ossl_typ.h
19071 +fips_drbg_selftest.o: ../../include/openssl/rand.h
19072 +fips_drbg_selftest.o: ../../include/openssl/safestack.h
19073 +fips_drbg_selftest.o: ../../include/openssl/stack.h
19074 +fips_drbg_selftest.o: ../../include/openssl/symhacks.h fips_drbg_selftest.c
19075 +fips_drbg_selftest.o: fips_drbg_selftest.h fips_locl.h fips_rand_lcl.h
19076 +fips_dsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
19077 +fips_dsa_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
19078 +fips_dsa_selftest.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
19079 +fips_dsa_selftest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
19080 +fips_dsa_selftest.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
19081 +fips_dsa_selftest.o: ../../include/openssl/obj_mac.h
19082 +fips_dsa_selftest.o: ../../include/openssl/objects.h
19083 +fips_dsa_selftest.o: ../../include/openssl/opensslconf.h
19084 +fips_dsa_selftest.o: ../../include/openssl/opensslv.h
19085 +fips_dsa_selftest.o: ../../include/openssl/ossl_typ.h
19086 +fips_dsa_selftest.o: ../../include/openssl/safestack.h
19087 +fips_dsa_selftest.o: ../../include/openssl/stack.h
19088 +fips_dsa_selftest.o: ../../include/openssl/symhacks.h fips_dsa_selftest.c
19089 +fips_dsa_selftest.o: fips_locl.h
19090 +fips_hmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
19091 +fips_hmac_selftest.o: ../../include/openssl/crypto.h
19092 +fips_hmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
19093 +fips_hmac_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
19094 +fips_hmac_selftest.o: ../../include/openssl/hmac.h
19095 +fips_hmac_selftest.o: ../../include/openssl/lhash.h
19096 +fips_hmac_selftest.o: ../../include/openssl/obj_mac.h
19097 +fips_hmac_selftest.o: ../../include/openssl/objects.h
19098 +fips_hmac_selftest.o: ../../include/openssl/opensslconf.h
19099 +fips_hmac_selftest.o: ../../include/openssl/opensslv.h
19100 +fips_hmac_selftest.o: ../../include/openssl/ossl_typ.h
19101 +fips_hmac_selftest.o: ../../include/openssl/safestack.h
19102 +fips_hmac_selftest.o: ../../include/openssl/stack.h
19103 +fips_hmac_selftest.o: ../../include/openssl/symhacks.h fips_hmac_selftest.c
19104 +fips_post.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
19105 +fips_post.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
19106 +fips_post.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
19107 +fips_post.o: ../../include/openssl/err.h ../../include/openssl/evp.h
19108 +fips_post.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
19109 +fips_post.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
19110 +fips_post.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
19111 +fips_post.o: ../../include/openssl/opensslconf.h
19112 +fips_post.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
19113 +fips_post.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
19114 +fips_post.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
19115 +fips_post.o: ../../include/openssl/symhacks.h fips_locl.h fips_post.c
19116 +fips_rand.o: ../../e_os.h ../../include/openssl/aes.h
19117 +fips_rand.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
19118 +fips_rand.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
19119 +fips_rand.o: ../../include/openssl/err.h ../../include/openssl/evp.h
19120 +fips_rand.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
19121 +fips_rand.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
19122 +fips_rand.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
19123 +fips_rand.o: ../../include/openssl/opensslconf.h
19124 +fips_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
19125 +fips_rand.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
19126 +fips_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
19127 +fips_rand.o: fips_locl.h fips_rand.c
19128 +fips_rand_lib.o: ../../e_os.h ../../include/openssl/aes.h
19129 +fips_rand_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
19130 +fips_rand_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
19131 +fips_rand_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
19132 +fips_rand_lib.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
19133 +fips_rand_lib.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
19134 +fips_rand_lib.o: ../../include/openssl/obj_mac.h
19135 +fips_rand_lib.o: ../../include/openssl/objects.h
19136 +fips_rand_lib.o: ../../include/openssl/opensslconf.h
19137 +fips_rand_lib.o: ../../include/openssl/opensslv.h
19138 +fips_rand_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
19139 +fips_rand_lib.o: ../../include/openssl/safestack.h
19140 +fips_rand_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
19141 +fips_rand_lib.o: fips_rand_lib.c
19142 +fips_rand_selftest.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
19143 +fips_rand_selftest.o: ../../include/openssl/bio.h
19144 +fips_rand_selftest.o: ../../include/openssl/crypto.h
19145 +fips_rand_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
19146 +fips_rand_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
19147 +fips_rand_selftest.o: ../../include/openssl/fips_rand.h
19148 +fips_rand_selftest.o: ../../include/openssl/hmac.h
19149 +fips_rand_selftest.o: ../../include/openssl/lhash.h
19150 +fips_rand_selftest.o: ../../include/openssl/obj_mac.h
19151 +fips_rand_selftest.o: ../../include/openssl/objects.h
19152 +fips_rand_selftest.o: ../../include/openssl/opensslconf.h
19153 +fips_rand_selftest.o: ../../include/openssl/opensslv.h
19154 +fips_rand_selftest.o: ../../include/openssl/ossl_typ.h
19155 +fips_rand_selftest.o: ../../include/openssl/rand.h
19156 +fips_rand_selftest.o: ../../include/openssl/safestack.h
19157 +fips_rand_selftest.o: ../../include/openssl/stack.h
19158 +fips_rand_selftest.o: ../../include/openssl/symhacks.h fips_locl.h
19159 +fips_rand_selftest.o: fips_rand_selftest.c
19160 +fips_rsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
19161 +fips_rsa_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
19162 +fips_rsa_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
19163 +fips_rsa_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
19164 +fips_rsa_selftest.o: ../../include/openssl/lhash.h
19165 +fips_rsa_selftest.o: ../../include/openssl/obj_mac.h
19166 +fips_rsa_selftest.o: ../../include/openssl/objects.h
19167 +fips_rsa_selftest.o: ../../include/openssl/opensslconf.h
19168 +fips_rsa_selftest.o: ../../include/openssl/opensslv.h
19169 +fips_rsa_selftest.o: ../../include/openssl/ossl_typ.h
19170 +fips_rsa_selftest.o: ../../include/openssl/rsa.h
19171 +fips_rsa_selftest.o: ../../include/openssl/safestack.h
19172 +fips_rsa_selftest.o: ../../include/openssl/stack.h
19173 +fips_rsa_selftest.o: ../../include/openssl/symhacks.h fips_rsa_selftest.c
19174 +fips_rsa_x931g.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
19175 +fips_rsa_x931g.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
19176 +fips_rsa_x931g.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
19177 +fips_rsa_x931g.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
19178 +fips_rsa_x931g.o: ../../include/openssl/opensslconf.h
19179 +fips_rsa_x931g.o: ../../include/openssl/opensslv.h
19180 +fips_rsa_x931g.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rsa.h
19181 +fips_rsa_x931g.o: ../../include/openssl/safestack.h
19182 +fips_rsa_x931g.o: ../../include/openssl/stack.h
19183 +fips_rsa_x931g.o: ../../include/openssl/symhacks.h fips_rsa_x931g.c
19184 +fips_sha_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
19185 +fips_sha_selftest.o: ../../include/openssl/crypto.h
19186 +fips_sha_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
19187 +fips_sha_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
19188 +fips_sha_selftest.o: ../../include/openssl/lhash.h
19189 +fips_sha_selftest.o: ../../include/openssl/obj_mac.h
19190 +fips_sha_selftest.o: ../../include/openssl/objects.h
19191 +fips_sha_selftest.o: ../../include/openssl/opensslconf.h
19192 +fips_sha_selftest.o: ../../include/openssl/opensslv.h
19193 +fips_sha_selftest.o: ../../include/openssl/ossl_typ.h
19194 +fips_sha_selftest.o: ../../include/openssl/safestack.h
19195 +fips_sha_selftest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
19196 +fips_sha_selftest.o: ../../include/openssl/symhacks.h fips_sha_selftest.c
19197 diff -up openssl-1.0.1e/crypto/hmac/hmac.c.fips openssl-1.0.1e/crypto/hmac/hmac.c
19198 --- openssl-1.0.1e/crypto/hmac/hmac.c.fips 2013-02-11 16:26:04.000000000 +0100
19199 +++ openssl-1.0.1e/crypto/hmac/hmac.c 2013-02-19 12:47:33.743118955 +0100
19200 @@ -81,11 +81,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
19201 EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS);
19204 - /* Other algorithm blocking will be done in FIPS_cmac_init,
19205 - * via FIPS_hmac_init_ex().
19207 - if (!impl && !ctx->i_ctx.engine)
19208 - return FIPS_hmac_init_ex(ctx, key, len, md, NULL);
19212 @@ -99,6 +94,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
19216 +#ifdef OPENSSL_FIPS
19217 + if (FIPS_mode() && !(md->flags & EVP_MD_FLAG_FIPS)
19218 + && (!(ctx->md_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
19219 + || !(ctx->i_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
19220 + || !(ctx->o_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))
19224 j=EVP_MD_block_size(md);
19225 OPENSSL_assert(j <= (int)sizeof(ctx->key));
19226 @@ -155,10 +157,6 @@ int HMAC_Init(HMAC_CTX *ctx, const void
19228 int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
19230 -#ifdef OPENSSL_FIPS
19231 - if (FIPS_mode() && !ctx->i_ctx.engine)
19232 - return FIPS_hmac_update(ctx, data, len);
19234 return EVP_DigestUpdate(&ctx->md_ctx,data,len);
19237 @@ -166,10 +164,6 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned c
19240 unsigned char buf[EVP_MAX_MD_SIZE];
19241 -#ifdef OPENSSL_FIPS
19242 - if (FIPS_mode() && !ctx->i_ctx.engine)
19243 - return FIPS_hmac_final(ctx, md, len);
19246 if (!EVP_DigestFinal_ex(&ctx->md_ctx,buf,&i))
19248 @@ -209,13 +203,6 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_C
19250 void HMAC_CTX_cleanup(HMAC_CTX *ctx)
19252 -#ifdef OPENSSL_FIPS
19253 - if (FIPS_mode() && !ctx->i_ctx.engine)
19255 - FIPS_hmac_ctx_cleanup(ctx);
19259 EVP_MD_CTX_cleanup(&ctx->i_ctx);
19260 EVP_MD_CTX_cleanup(&ctx->o_ctx);
19261 EVP_MD_CTX_cleanup(&ctx->md_ctx);
19262 diff -up openssl-1.0.1e/crypto/md2/md2_dgst.c.fips openssl-1.0.1e/crypto/md2/md2_dgst.c
19263 --- openssl-1.0.1e/crypto/md2/md2_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100
19264 +++ openssl-1.0.1e/crypto/md2/md2_dgst.c 2013-02-19 12:47:33.743118955 +0100
19266 #include <openssl/md2.h>
19267 #include <openssl/opensslv.h>
19268 #include <openssl/crypto.h>
19269 +#ifdef OPENSSL_FIPS
19270 +#include <openssl/fips.h>
19273 +#include <openssl/err.h>
19275 const char MD2_version[]="MD2" OPENSSL_VERSION_PTEXT;
19277 @@ -116,7 +121,7 @@ const char *MD2_options(void)
19278 return("md2(int)");
19282 +nonfips_md_init(MD2)
19285 memset(c->state,0,sizeof c->state);
19286 diff -up openssl-1.0.1e/crypto/md4/md4_dgst.c.fips openssl-1.0.1e/crypto/md4/md4_dgst.c
19287 --- openssl-1.0.1e/crypto/md4/md4_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100
19288 +++ openssl-1.0.1e/crypto/md4/md4_dgst.c 2013-02-19 12:47:33.744118975 +0100
19289 @@ -71,7 +71,7 @@ const char MD4_version[]="MD4" OPENSSL_V
19290 #define INIT_DATA_C (unsigned long)0x98badcfeL
19291 #define INIT_DATA_D (unsigned long)0x10325476L
19294 +nonfips_md_init(MD4)
19296 memset (c,0,sizeof(*c));
19298 diff -up openssl-1.0.1e/crypto/md5/md5_dgst.c.fips openssl-1.0.1e/crypto/md5/md5_dgst.c
19299 --- openssl-1.0.1e/crypto/md5/md5_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100
19300 +++ openssl-1.0.1e/crypto/md5/md5_dgst.c 2013-02-19 12:47:33.744118975 +0100
19301 @@ -71,7 +71,7 @@ const char MD5_version[]="MD5" OPENSSL_V
19302 #define INIT_DATA_C (unsigned long)0x98badcfeL
19303 #define INIT_DATA_D (unsigned long)0x10325476L
19306 +nonfips_md_init(MD5)
19308 memset (c,0,sizeof(*c));
19310 diff -up openssl-1.0.1e/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.1e/crypto/mdc2/mdc2dgst.c
19311 --- openssl-1.0.1e/crypto/mdc2/mdc2dgst.c.fips 2013-02-11 16:26:04.000000000 +0100
19312 +++ openssl-1.0.1e/crypto/mdc2/mdc2dgst.c 2013-02-19 12:47:33.744118975 +0100
19314 *((c)++)=(unsigned char)(((l)>>24L)&0xff))
19316 static void mdc2_body(MDC2_CTX *c, const unsigned char *in, size_t len);
19317 -fips_md_init(MDC2)
19318 +nonfips_md_init(MDC2)
19322 diff -up openssl-1.0.1e/crypto/o_fips.c.fips openssl-1.0.1e/crypto/o_fips.c
19323 --- openssl-1.0.1e/crypto/o_fips.c.fips 2013-02-11 16:26:04.000000000 +0100
19324 +++ openssl-1.0.1e/crypto/o_fips.c 2013-02-19 12:47:33.744118975 +0100
19325 @@ -79,6 +79,8 @@ int FIPS_mode_set(int r)
19326 #ifndef FIPS_AUTH_USER_PASS
19327 #define FIPS_AUTH_USER_PASS "Default FIPS Crypto User Password"
19329 + if (FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */
19331 if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS))
19334 diff -up openssl-1.0.1e/crypto/o_init.c.fips openssl-1.0.1e/crypto/o_init.c
19335 --- openssl-1.0.1e/crypto/o_init.c.fips 2013-02-11 16:26:04.000000000 +0100
19336 +++ openssl-1.0.1e/crypto/o_init.c 2013-02-19 12:47:33.744118975 +0100
19337 @@ -55,28 +55,63 @@
19339 #include <openssl/err.h>
19340 #ifdef OPENSSL_FIPS
19341 +#include <sys/types.h>
19342 +#include <sys/stat.h>
19343 +#include <fcntl.h>
19344 +#include <unistd.h>
19345 +#include <errno.h>
19346 +#include <stdlib.h>
19347 #include <openssl/fips.h>
19348 #include <openssl/rand.h>
19350 +#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
19352 +static void init_fips_mode(void)
19354 + char buf[2] = "0";
19357 + if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
19361 + else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
19363 + while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
19366 + /* Failure reading the fips mode switch file means just not
19367 + * switching into FIPS mode. We would break too many things
19371 + if (buf[0] == '1')
19373 + FIPS_mode_set(1);
19378 /* Perform any essential OpenSSL initialization operations.
19379 * Currently only sets FIPS callbacks
19382 -void OPENSSL_init(void)
19383 +void OPENSSL_init_library(void)
19385 static int done = 0;
19389 #ifdef OPENSSL_FIPS
19390 - FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock);
19391 - FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);
19392 - FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);
19394 + init_fips_mode();
19397 fprintf(stderr, "Called OPENSSL_init\n");
19401 +void OPENSSL_init(void)
19403 + OPENSSL_init_library();
19405 diff -up openssl-1.0.1e/crypto/opensslconf.h.in.fips openssl-1.0.1e/crypto/opensslconf.h.in
19406 --- openssl-1.0.1e/crypto/opensslconf.h.in.fips 2013-02-11 16:26:04.000000000 +0100
19407 +++ openssl-1.0.1e/crypto/opensslconf.h.in 2013-02-19 12:47:33.744118975 +0100
19409 /* crypto/opensslconf.h.in */
19411 +#ifdef OPENSSL_DOING_MAKEDEPEND
19413 +/* Include any symbols here that have to be explicitly set to enable a feature
19414 + * that should be visible to makedepend.
19416 + * [Our "make depend" doesn't actually look at this, we use actual build settings
19417 + * instead; we want to make it easy to remove subdirectories with disabled algorithms.]
19420 +#ifndef OPENSSL_FIPS
19421 +#define OPENSSL_FIPS
19426 /* Generate 80386 code? */
19429 diff -up openssl-1.0.1e/crypto/pkcs12/p12_crt.c.fips openssl-1.0.1e/crypto/pkcs12/p12_crt.c
19430 --- openssl-1.0.1e/crypto/pkcs12/p12_crt.c.fips 2013-02-11 16:26:04.000000000 +0100
19431 +++ openssl-1.0.1e/crypto/pkcs12/p12_crt.c 2013-02-19 12:47:33.744118975 +0100
19434 #include "cryptlib.h"
19435 #include <openssl/pkcs12.h>
19436 +#ifdef OPENSSL_FIPS
19437 +#include <openssl/fips.h>
19442 static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag);
19443 @@ -90,7 +94,14 @@ PKCS12 *PKCS12_create(char *pass, char *
19448 +#ifdef OPENSSL_FIPS
19450 + nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
19453 nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
19456 nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
19458 diff -up openssl-1.0.1e/crypto/rand/md_rand.c.fips openssl-1.0.1e/crypto/rand/md_rand.c
19459 --- openssl-1.0.1e/crypto/rand/md_rand.c.fips 2013-02-11 16:26:04.000000000 +0100
19460 +++ openssl-1.0.1e/crypto/rand/md_rand.c 2013-02-19 12:47:33.745118995 +0100
19461 @@ -389,7 +389,10 @@ static int ssleay_rand_bytes(unsigned ch
19462 CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
19463 crypto_lock_rand = 1;
19465 - if (!initialized)
19466 + /* always poll for external entropy in FIPS mode, drbg provides the
19469 + if (!initialized || FIPS_module_mode())
19473 diff -up openssl-1.0.1e/crypto/rand/rand.h.fips openssl-1.0.1e/crypto/rand/rand.h
19474 --- openssl-1.0.1e/crypto/rand/rand.h.fips 2013-02-19 12:47:33.176107430 +0100
19475 +++ openssl-1.0.1e/crypto/rand/rand.h 2013-02-19 12:47:33.745118995 +0100
19476 @@ -133,15 +133,33 @@ void ERR_load_RAND_strings(void);
19477 /* Error codes for the RAND functions. */
19479 /* Function codes. */
19480 +#define RAND_F_ENG_RAND_GET_RAND_METHOD 108
19481 +#define RAND_F_FIPS_RAND 103
19482 +#define RAND_F_FIPS_RAND_BYTES 102
19483 +#define RAND_F_FIPS_RAND_SET_DT 106
19484 +#define RAND_F_FIPS_X931_SET_DT 106
19485 +#define RAND_F_FIPS_SET_DT 104
19486 +#define RAND_F_FIPS_SET_PRNG_SEED 107
19487 +#define RAND_F_FIPS_SET_TEST_MODE 105
19488 #define RAND_F_RAND_GET_RAND_METHOD 101
19489 -#define RAND_F_RAND_INIT_FIPS 102
19490 +#define RAND_F_RAND_INIT_FIPS 109
19491 #define RAND_F_SSLEAY_RAND_BYTES 100
19493 /* Reason codes. */
19494 -#define RAND_R_ERROR_INITIALISING_DRBG 102
19495 -#define RAND_R_ERROR_INSTANTIATING_DRBG 103
19496 -#define RAND_R_NO_FIPS_RANDOM_METHOD_SET 101
19497 +#define RAND_R_ERROR_INITIALISING_DRBG 112
19498 +#define RAND_R_ERROR_INSTANTIATING_DRBG 113
19499 +#define RAND_R_NON_FIPS_METHOD 105
19500 +#define RAND_R_NOT_IN_TEST_MODE 106
19501 +#define RAND_R_NO_FIPS_RANDOM_METHOD_SET 111
19502 +#define RAND_R_NO_KEY_SET 107
19503 +#define RAND_R_PRNG_ASKING_FOR_TOO_MUCH 101
19504 +#define RAND_R_PRNG_ERROR 108
19505 +#define RAND_R_PRNG_KEYED 109
19506 +#define RAND_R_PRNG_NOT_REKEYED 102
19507 +#define RAND_R_PRNG_NOT_RESEEDED 103
19508 #define RAND_R_PRNG_NOT_SEEDED 100
19509 +#define RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY 110
19510 +#define RAND_R_PRNG_STUCK 104
19514 diff -up openssl-1.0.1e/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.1e/crypto/ripemd/rmd_dgst.c
19515 --- openssl-1.0.1e/crypto/ripemd/rmd_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100
19516 +++ openssl-1.0.1e/crypto/ripemd/rmd_dgst.c 2013-02-19 12:47:33.745118995 +0100
19517 @@ -70,7 +70,7 @@ const char RMD160_version[]="RIPE-MD160"
19518 void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,size_t num);
19521 -fips_md_init(RIPEMD160)
19522 +nonfips_md_init(RIPEMD160)
19524 memset (c,0,sizeof(*c));
19526 diff -up openssl-1.0.1e/crypto/rsa/rsa_crpt.c.fips openssl-1.0.1e/crypto/rsa/rsa_crpt.c
19527 --- openssl-1.0.1e/crypto/rsa/rsa_crpt.c.fips 2013-02-11 16:26:04.000000000 +0100
19528 +++ openssl-1.0.1e/crypto/rsa/rsa_crpt.c 2013-02-19 12:47:33.745118995 +0100
19529 @@ -90,10 +90,9 @@ int RSA_private_encrypt(int flen, const
19530 RSA *rsa, int padding)
19532 #ifdef OPENSSL_FIPS
19533 - if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
19534 - && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
19535 + if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
19537 - RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
19538 + RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
19542 @@ -118,10 +117,9 @@ int RSA_public_decrypt(int flen, const u
19543 RSA *rsa, int padding)
19545 #ifdef OPENSSL_FIPS
19546 - if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
19547 - && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
19548 + if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
19550 - RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
19551 + RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
19555 diff -up openssl-1.0.1e/crypto/rsa/rsa_eay.c.fips openssl-1.0.1e/crypto/rsa/rsa_eay.c
19556 --- openssl-1.0.1e/crypto/rsa/rsa_eay.c.fips 2013-02-11 16:26:04.000000000 +0100
19557 +++ openssl-1.0.1e/crypto/rsa/rsa_eay.c 2013-02-19 12:47:33.745118995 +0100
19558 @@ -114,6 +114,10 @@
19559 #include <openssl/bn.h>
19560 #include <openssl/rsa.h>
19561 #include <openssl/rand.h>
19562 +#include <openssl/err.h>
19563 +#ifdef OPENSSL_FIPS
19564 +#include <openssl/fips.h>
19569 @@ -138,7 +142,7 @@ static RSA_METHOD rsa_pkcs1_eay_meth={
19570 BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */
19574 + RSA_FLAG_FIPS_METHOD, /* flags */
19577 0, /* rsa_verify */
19578 @@ -158,6 +162,24 @@ static int RSA_eay_public_encrypt(int fl
19579 unsigned char *buf=NULL;
19582 +#ifdef OPENSSL_FIPS
19585 + if (FIPS_selftest_failed())
19587 + FIPSerr(FIPS_F_RSA_EAY_PUBLIC_ENCRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
19591 + if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
19592 + && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
19594 + RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
19600 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
19602 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
19603 @@ -361,6 +383,24 @@ static int RSA_eay_private_encrypt(int f
19604 BIGNUM *unblind = NULL;
19605 BN_BLINDING *blinding = NULL;
19607 +#ifdef OPENSSL_FIPS
19610 + if(FIPS_selftest_failed())
19612 + FIPSerr(FIPS_F_RSA_EAY_PRIVATE_ENCRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
19616 + if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
19617 + && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
19619 + RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
19625 if ((ctx=BN_CTX_new()) == NULL) goto err;
19627 f = BN_CTX_get(ctx);
19628 @@ -504,6 +544,24 @@ static int RSA_eay_private_decrypt(int f
19629 BIGNUM *unblind = NULL;
19630 BN_BLINDING *blinding = NULL;
19632 +#ifdef OPENSSL_FIPS
19635 + if(FIPS_selftest_failed())
19637 + FIPSerr(FIPS_F_RSA_EAY_PRIVATE_DECRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
19641 + if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
19642 + && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
19644 + RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
19650 if((ctx = BN_CTX_new()) == NULL) goto err;
19652 f = BN_CTX_get(ctx);
19653 @@ -639,6 +697,24 @@ static int RSA_eay_public_decrypt(int fl
19654 unsigned char *buf=NULL;
19657 +#ifdef OPENSSL_FIPS
19660 + if(FIPS_selftest_failed())
19662 + FIPSerr(FIPS_F_RSA_EAY_PUBLIC_DECRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
19666 + if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
19667 + && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
19669 + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
19675 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
19677 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
19678 @@ -897,6 +973,9 @@ err:
19680 static int RSA_eay_init(RSA *rsa)
19682 +#ifdef OPENSSL_FIPS
19683 + FIPS_selftest_check();
19685 rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
19688 diff -up openssl-1.0.1e/crypto/rsa/rsa_err.c.fips openssl-1.0.1e/crypto/rsa/rsa_err.c
19689 --- openssl-1.0.1e/crypto/rsa/rsa_err.c.fips 2013-02-11 16:26:04.000000000 +0100
19690 +++ openssl-1.0.1e/crypto/rsa/rsa_err.c 2013-02-19 12:47:33.746119015 +0100
19691 @@ -121,6 +121,8 @@ static ERR_STRING_DATA RSA_str_functs[]=
19692 {ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"},
19693 {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"},
19694 {ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"},
19695 +{ERR_FUNC(RSA_F_RSA_SET_DEFAULT_METHOD), "RSA_set_default_method"},
19696 +{ERR_FUNC(RSA_F_RSA_SET_METHOD), "RSA_set_method"},
19697 {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"},
19698 {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"},
19699 {ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"},
19700 diff -up openssl-1.0.1e/crypto/rsa/rsa_gen.c.fips openssl-1.0.1e/crypto/rsa/rsa_gen.c
19701 --- openssl-1.0.1e/crypto/rsa/rsa_gen.c.fips 2013-02-11 16:26:04.000000000 +0100
19702 +++ openssl-1.0.1e/crypto/rsa/rsa_gen.c 2013-02-19 12:47:33.746119015 +0100
19704 #include <openssl/rsa.h>
19705 #ifdef OPENSSL_FIPS
19706 #include <openssl/fips.h>
19707 +#include <openssl/err.h>
19708 +#include <openssl/evp.h>
19710 +static int fips_rsa_pairwise_fail = 0;
19712 +void FIPS_corrupt_rsa_keygen(void)
19714 + fips_rsa_pairwise_fail = 1;
19717 +int fips_check_rsa(RSA *rsa)
19719 + const unsigned char tbs[] = "RSA Pairwise Check Data";
19720 + unsigned char *ctbuf = NULL, *ptbuf = NULL;
19721 + int len, ret = 0;
19724 + if ((pk=EVP_PKEY_new()) == NULL)
19727 + EVP_PKEY_set1_RSA(pk, rsa);
19729 + /* Perform pairwise consistency signature test */
19730 + if (!fips_pkey_signature_test(pk, tbs, -1,
19731 + NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1, NULL)
19732 + || !fips_pkey_signature_test(pk, tbs, -1,
19733 + NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931, NULL)
19734 + || !fips_pkey_signature_test(pk, tbs, -1,
19735 + NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS, NULL))
19737 + /* Now perform pairwise consistency encrypt/decrypt test */
19738 + ctbuf = OPENSSL_malloc(RSA_size(rsa));
19742 + len = RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa, RSA_PKCS1_PADDING);
19745 + /* Check ciphertext doesn't match plaintext */
19746 + if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len))
19748 + ptbuf = OPENSSL_malloc(RSA_size(rsa));
19752 + len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
19753 + if (len != (sizeof(tbs) - 1))
19755 + if (memcmp(ptbuf, tbs, len))
19766 + fips_set_selftest_fail();
19767 + FIPSerr(FIPS_F_FIPS_CHECK_RSA,FIPS_R_PAIRWISE_TEST_FAILED);
19771 + OPENSSL_free(ctbuf);
19773 + OPENSSL_free(ptbuf);
19775 + EVP_PKEY_free(pk);
19781 static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
19782 @@ -81,7 +153,7 @@ static int rsa_builtin_keygen(RSA *rsa,
19783 int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
19785 #ifdef OPENSSL_FIPS
19786 - if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
19787 + if (FIPS_module_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
19788 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
19790 RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
19791 @@ -90,10 +162,6 @@ int RSA_generate_key_ex(RSA *rsa, int bi
19793 if(rsa->meth->rsa_keygen)
19794 return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
19795 -#ifdef OPENSSL_FIPS
19797 - return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb);
19799 return rsa_builtin_keygen(rsa, bits, e_value, cb);
19802 @@ -105,6 +173,23 @@ static int rsa_builtin_keygen(RSA *rsa,
19803 int bitsp,bitsq,ok= -1,n=0;
19806 +#ifdef OPENSSL_FIPS
19807 + if (FIPS_module_mode())
19809 + if(FIPS_selftest_failed())
19811 + FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_FIPS_SELFTEST_FAILED);
19815 + if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)
19817 + FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_KEY_TOO_SHORT);
19824 if (ctx == NULL) goto err;
19826 @@ -216,6 +301,17 @@ static int rsa_builtin_keygen(RSA *rsa,
19828 if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err;
19830 +#ifdef OPENSSL_FIPS
19831 + if (FIPS_module_mode())
19833 + if (fips_rsa_pairwise_fail)
19834 + BN_add_word(rsa->n, 1);
19836 + if(!fips_check_rsa(rsa))
19844 diff -up openssl-1.0.1e/crypto/rsa/rsa.h.fips openssl-1.0.1e/crypto/rsa/rsa.h
19845 --- openssl-1.0.1e/crypto/rsa/rsa.h.fips 2013-02-19 12:47:33.485113710 +0100
19846 +++ openssl-1.0.1e/crypto/rsa/rsa.h 2013-02-19 12:47:33.746119015 +0100
19847 @@ -164,6 +164,8 @@ struct rsa_st
19848 # define OPENSSL_RSA_MAX_MODULUS_BITS 16384
19851 +#define OPENSSL_RSA_FIPS_MIN_MODULUS_BITS 1024
19853 #ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
19854 # define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
19856 @@ -290,6 +292,11 @@ RSA * RSA_generate_key(int bits, unsigne
19859 int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
19860 +int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
19861 + const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp,
19862 + const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq,
19863 + const BIGNUM *e, BN_GENCB *cb);
19864 +int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, BN_GENCB *cb);
19866 int RSA_check_key(const RSA *);
19867 /* next 4 return -1 on error */
19868 @@ -487,7 +494,7 @@ void ERR_load_RSA_strings(void);
19869 #define RSA_F_RSA_PADDING_ADD_NONE 107
19870 #define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121
19871 #define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125
19872 -#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 148
19873 +#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 158
19874 #define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108
19875 #define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109
19876 #define RSA_F_RSA_PADDING_ADD_SSLV23 110
19877 @@ -500,20 +507,22 @@ void ERR_load_RSA_strings(void);
19878 #define RSA_F_RSA_PADDING_CHECK_X931 128
19879 #define RSA_F_RSA_PRINT 115
19880 #define RSA_F_RSA_PRINT_FP 116
19881 -#define RSA_F_RSA_PRIVATE_DECRYPT 150
19882 -#define RSA_F_RSA_PRIVATE_ENCRYPT 151
19883 +#define RSA_F_RSA_PRIVATE_DECRYPT 157
19884 +#define RSA_F_RSA_PRIVATE_ENCRYPT 148
19885 #define RSA_F_RSA_PRIV_DECODE 137
19886 #define RSA_F_RSA_PRIV_ENCODE 138
19887 -#define RSA_F_RSA_PUBLIC_DECRYPT 152
19888 +#define RSA_F_RSA_PUBLIC_DECRYPT 149
19889 #define RSA_F_RSA_PUBLIC_ENCRYPT 153
19890 #define RSA_F_RSA_PUB_DECODE 139
19891 #define RSA_F_RSA_SETUP_BLINDING 136
19892 +#define RSA_F_RSA_SET_DEFAULT_METHOD 150
19893 +#define RSA_F_RSA_SET_METHOD 151
19894 #define RSA_F_RSA_SIGN 117
19895 #define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
19896 #define RSA_F_RSA_VERIFY 119
19897 #define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120
19898 #define RSA_F_RSA_VERIFY_PKCS1_PSS 126
19899 -#define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 149
19900 +#define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 152
19902 /* Reason codes. */
19903 #define RSA_R_ALGORITHM_MISMATCH 100
19904 @@ -542,21 +551,22 @@ void ERR_load_RSA_strings(void);
19905 #define RSA_R_INVALID_MGF1_MD 156
19906 #define RSA_R_INVALID_PADDING 138
19907 #define RSA_R_INVALID_PADDING_MODE 141
19908 -#define RSA_R_INVALID_PSS_PARAMETERS 149
19909 +#define RSA_R_INVALID_PSS_PARAMETERS 157
19910 #define RSA_R_INVALID_PSS_SALTLEN 146
19911 -#define RSA_R_INVALID_SALT_LENGTH 150
19912 +#define RSA_R_INVALID_SALT_LENGTH 158
19913 #define RSA_R_INVALID_TRAILER 139
19914 #define RSA_R_INVALID_X931_DIGEST 142
19915 #define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
19916 #define RSA_R_KEY_SIZE_TOO_SMALL 120
19917 #define RSA_R_LAST_OCTET_INVALID 134
19918 #define RSA_R_MODULUS_TOO_LARGE 105
19919 -#define RSA_R_NON_FIPS_RSA_METHOD 157
19920 +#define RSA_R_NON_FIPS_RSA_METHOD 149
19921 +#define RSA_R_NON_FIPS_METHOD 149
19922 #define RSA_R_NO_PUBLIC_EXPONENT 140
19923 #define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
19924 #define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
19925 #define RSA_R_OAEP_DECODING_ERROR 121
19926 -#define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 158
19927 +#define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 150
19928 #define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
19929 #define RSA_R_PADDING_CHECK_FAILED 114
19930 #define RSA_R_P_NOT_PRIME 128
19931 diff -up openssl-1.0.1e/crypto/rsa/rsa_lib.c.fips openssl-1.0.1e/crypto/rsa/rsa_lib.c
19932 --- openssl-1.0.1e/crypto/rsa/rsa_lib.c.fips 2013-02-11 16:26:04.000000000 +0100
19933 +++ openssl-1.0.1e/crypto/rsa/rsa_lib.c 2013-02-19 12:47:33.746119015 +0100
19934 @@ -84,6 +84,13 @@ RSA *RSA_new(void)
19936 void RSA_set_default_method(const RSA_METHOD *meth)
19938 +#ifdef OPENSSL_FIPS
19939 + if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD))
19941 + RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_METHOD);
19945 default_RSA_meth = meth;
19948 @@ -91,18 +98,11 @@ const RSA_METHOD *RSA_get_default_method
19950 if (default_RSA_meth == NULL)
19952 -#ifdef OPENSSL_FIPS
19954 - return FIPS_rsa_pkcs1_ssleay();
19956 - return RSA_PKCS1_SSLeay();
19959 default_RSA_meth=RSA_null_method();
19961 default_RSA_meth=RSA_PKCS1_SSLeay();
19966 return default_RSA_meth;
19967 @@ -118,6 +118,13 @@ int RSA_set_method(RSA *rsa, const RSA_M
19968 /* NB: The caller is specifically setting a method, so it's not up to us
19969 * to deal with which ENGINE it comes from. */
19970 const RSA_METHOD *mtmp;
19971 +#ifdef OPENSSL_FIPS
19972 + if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD))
19974 + RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_METHOD);
19979 if (mtmp->finish) mtmp->finish(rsa);
19980 #ifndef OPENSSL_NO_ENGINE
19981 @@ -170,6 +177,18 @@ RSA *RSA_new_method(ENGINE *engine)
19985 +#ifdef OPENSSL_FIPS
19986 + if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD))
19988 + RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_METHOD);
19989 +#ifndef OPENSSL_NO_ENGINE
19991 + ENGINE_finish(ret->engine);
19993 + OPENSSL_free(ret);
20000 @@ -188,7 +207,7 @@ RSA *RSA_new_method(ENGINE *engine)
20001 ret->blinding=NULL;
20002 ret->mt_blinding=NULL;
20003 ret->bignum_data=NULL;
20004 - ret->flags=ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
20005 + ret->flags=ret->meth->flags;
20006 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data))
20008 #ifndef OPENSSL_NO_ENGINE
20009 diff -up openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.1e/crypto/rsa/rsa_pmeth.c
20010 --- openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.fips 2013-02-11 16:26:04.000000000 +0100
20011 +++ openssl-1.0.1e/crypto/rsa/rsa_pmeth.c 2013-02-19 12:47:33.746119015 +0100
20012 @@ -206,22 +206,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c
20013 RSA_R_INVALID_DIGEST_LENGTH);
20016 -#ifdef OPENSSL_FIPS
20019 - unsigned int slen;
20020 - ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
20033 if (EVP_MD_type(rctx->md) == NID_mdc2)
20035 @@ -354,19 +338,6 @@ static int pkey_rsa_verify(EVP_PKEY_CTX
20039 -#ifdef OPENSSL_FIPS
20042 - return FIPS_rsa_verify_digest(rsa,
20052 if (rctx->pad_mode == RSA_PKCS1_PADDING)
20053 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
20055 diff -up openssl-1.0.1e/crypto/rsa/rsa_sign.c.fips openssl-1.0.1e/crypto/rsa/rsa_sign.c
20056 --- openssl-1.0.1e/crypto/rsa/rsa_sign.c.fips 2013-02-11 16:26:04.000000000 +0100
20057 +++ openssl-1.0.1e/crypto/rsa/rsa_sign.c 2013-02-19 12:47:33.747119035 +0100
20058 @@ -138,7 +138,8 @@ int RSA_sign(int type, const unsigned ch
20059 i2d_X509_SIG(&sig,&p);
20062 - i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING);
20063 + /* NB: call underlying method directly to avoid FIPS blocking */
20064 + i = rsa->meth->rsa_priv_enc ? rsa->meth->rsa_priv_enc(i,s,sigret,rsa,RSA_PKCS1_PADDING) : 0;
20068 @@ -178,8 +179,8 @@ int int_rsa_verify(int dtype, const unsi
20070 if((dtype == NID_md5_sha1) && rm)
20072 - i = RSA_public_decrypt((int)siglen,
20073 - sigbuf,rm,rsa,RSA_PKCS1_PADDING);
20074 + i = rsa->meth->rsa_pub_dec ? rsa->meth->rsa_pub_dec((int)siglen,
20075 + sigbuf,rm,rsa,RSA_PKCS1_PADDING) : 0;
20079 @@ -196,7 +197,8 @@ int int_rsa_verify(int dtype, const unsi
20080 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH);
20083 - i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
20084 + /* NB: call underlying method directly to avoid FIPS blocking */
20085 + i = rsa->meth->rsa_pub_dec ? rsa->meth->rsa_pub_dec((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING) : 0;
20087 if (i <= 0) goto err;
20088 /* Oddball MDC2 case: signature can be OCTET STRING.
20089 diff -up openssl-1.0.1e/crypto/sha/sha256.c.fips openssl-1.0.1e/crypto/sha/sha256.c
20090 --- openssl-1.0.1e/crypto/sha/sha256.c.fips 2013-02-11 16:26:04.000000000 +0100
20091 +++ openssl-1.0.1e/crypto/sha/sha256.c 2013-02-19 12:47:33.747119035 +0100
20092 @@ -12,12 +12,19 @@
20094 #include <openssl/crypto.h>
20095 #include <openssl/sha.h>
20096 +#ifdef OPENSSL_FIPS
20097 +#include <openssl/fips.h>
20100 #include <openssl/opensslv.h>
20102 const char SHA256_version[]="SHA-256" OPENSSL_VERSION_PTEXT;
20104 fips_md_init_ctx(SHA224, SHA256)
20106 +#ifdef OPENSSL_FIPS
20107 + FIPS_selftest_check();
20109 memset (c,0,sizeof(*c));
20110 c->h[0]=0xc1059ed8UL; c->h[1]=0x367cd507UL;
20111 c->h[2]=0x3070dd17UL; c->h[3]=0xf70e5939UL;
20112 @@ -29,6 +36,9 @@ fips_md_init_ctx(SHA224, SHA256)
20114 fips_md_init(SHA256)
20116 +#ifdef OPENSSL_FIPS
20117 + FIPS_selftest_check();
20119 memset (c,0,sizeof(*c));
20120 c->h[0]=0x6a09e667UL; c->h[1]=0xbb67ae85UL;
20121 c->h[2]=0x3c6ef372UL; c->h[3]=0xa54ff53aUL;
20122 diff -up openssl-1.0.1e/crypto/sha/sha512.c.fips openssl-1.0.1e/crypto/sha/sha512.c
20123 --- openssl-1.0.1e/crypto/sha/sha512.c.fips 2013-02-11 16:26:04.000000000 +0100
20124 +++ openssl-1.0.1e/crypto/sha/sha512.c 2013-02-19 12:47:33.747119035 +0100
20126 * ====================================================================
20128 #include <openssl/opensslconf.h>
20129 +#ifdef OPENSSL_FIPS
20130 +#include <openssl/fips.h>
20133 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
20135 * IMPLEMENTATION NOTES.
20136 @@ -61,6 +65,9 @@ const char SHA512_version[]="SHA-512" OP
20138 fips_md_init_ctx(SHA384, SHA512)
20140 +#ifdef OPENSSL_FIPS
20141 + FIPS_selftest_check();
20143 c->h[0]=U64(0xcbbb9d5dc1059ed8);
20144 c->h[1]=U64(0x629a292a367cd507);
20145 c->h[2]=U64(0x9159015a3070dd17);
20146 @@ -77,6 +84,9 @@ fips_md_init_ctx(SHA384, SHA512)
20148 fips_md_init(SHA512)
20150 +#ifdef OPENSSL_FIPS
20151 + FIPS_selftest_check();
20153 c->h[0]=U64(0x6a09e667f3bcc908);
20154 c->h[1]=U64(0xbb67ae8584caa73b);
20155 c->h[2]=U64(0x3c6ef372fe94f82b);
20156 diff -up openssl-1.0.1e/crypto/sha/sha.h.fips openssl-1.0.1e/crypto/sha/sha.h
20157 --- openssl-1.0.1e/crypto/sha/sha.h.fips 2013-02-19 12:47:32.986103568 +0100
20158 +++ openssl-1.0.1e/crypto/sha/sha.h 2013-02-19 12:47:33.747119035 +0100
20159 @@ -116,9 +116,6 @@ unsigned char *SHA(const unsigned char *
20160 void SHA_Transform(SHA_CTX *c, const unsigned char *data);
20162 #ifndef OPENSSL_NO_SHA1
20163 -#ifdef OPENSSL_FIPS
20164 -int private_SHA1_Init(SHA_CTX *c);
20166 int SHA1_Init(SHA_CTX *c);
20167 int SHA1_Update(SHA_CTX *c, const void *data, size_t len);
20168 int SHA1_Final(unsigned char *md, SHA_CTX *c);
20169 @@ -141,10 +138,6 @@ typedef struct SHA256state_st
20172 #ifndef OPENSSL_NO_SHA256
20173 -#ifdef OPENSSL_FIPS
20174 -int private_SHA224_Init(SHA256_CTX *c);
20175 -int private_SHA256_Init(SHA256_CTX *c);
20177 int SHA224_Init(SHA256_CTX *c);
20178 int SHA224_Update(SHA256_CTX *c, const void *data, size_t len);
20179 int SHA224_Final(unsigned char *md, SHA256_CTX *c);
20180 @@ -192,10 +185,6 @@ typedef struct SHA512state_st
20183 #ifndef OPENSSL_NO_SHA512
20184 -#ifdef OPENSSL_FIPS
20185 -int private_SHA384_Init(SHA512_CTX *c);
20186 -int private_SHA512_Init(SHA512_CTX *c);
20188 int SHA384_Init(SHA512_CTX *c);
20189 int SHA384_Update(SHA512_CTX *c, const void *data, size_t len);
20190 int SHA384_Final(unsigned char *md, SHA512_CTX *c);
20191 diff -up openssl-1.0.1e/crypto/sha/sha_locl.h.fips openssl-1.0.1e/crypto/sha/sha_locl.h
20192 --- openssl-1.0.1e/crypto/sha/sha_locl.h.fips 2013-02-19 12:47:32.991103670 +0100
20193 +++ openssl-1.0.1e/crypto/sha/sha_locl.h 2013-02-19 12:47:33.747119035 +0100
20194 @@ -123,11 +123,14 @@ void sha1_block_data_order (SHA_CTX *c,
20195 #define INIT_DATA_h4 0xc3d2e1f0UL
20199 +nonfips_md_init(SHA)
20201 fips_md_init_ctx(SHA1, SHA)
20204 +#if defined(SHA_1) && defined(OPENSSL_FIPS)
20205 + FIPS_selftest_check();
20207 memset (c,0,sizeof(*c));
20208 c->h0=INIT_DATA_h0;
20209 c->h1=INIT_DATA_h1;
20210 diff -up openssl-1.0.1e/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.1e/crypto/whrlpool/wp_dgst.c
20211 --- openssl-1.0.1e/crypto/whrlpool/wp_dgst.c.fips 2013-02-11 16:26:04.000000000 +0100
20212 +++ openssl-1.0.1e/crypto/whrlpool/wp_dgst.c 2013-02-19 12:47:33.748119055 +0100
20214 #include <openssl/crypto.h>
20215 #include <string.h>
20217 -fips_md_init(WHIRLPOOL)
20218 +nonfips_md_init(WHIRLPOOL)
20220 memset (c,0,sizeof(*c));
20222 diff -up openssl-1.0.1e/Makefile.org.fips openssl-1.0.1e/Makefile.org
20223 --- openssl-1.0.1e/Makefile.org.fips 2013-02-19 12:47:33.678117634 +0100
20224 +++ openssl-1.0.1e/Makefile.org 2013-02-19 12:47:33.748119055 +0100
20225 @@ -136,6 +136,9 @@ FIPSCANLIB=
20229 +# Non-empty if FIPS enabled
20232 DIRS= crypto ssl engines apps test tools
20234 SHLIBDIRS= crypto ssl
20235 @@ -148,7 +151,7 @@ SDIRS= \
20236 bn ec rsa dsa ecdsa dh ecdh dso engine \
20237 buffer bio stack lhash rand err \
20238 evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
20239 - cms pqueue ts jpake srp store cmac
20240 + cms pqueue ts jpake srp store cmac fips
20241 # keep in mind that the above list is adjusted by ./Configure
20242 # according to no-xxx arguments...
20244 @@ -237,6 +240,7 @@ BUILDENV= PLATFORM='$(PLATFORM)' PROCESS
20245 FIPSLIBDIR='${FIPSLIBDIR}' \
20246 FIPSDIR='${FIPSDIR}' \
20247 FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}" \
20248 + FIPS="$${FIPS:-$(FIPS)}" \
20249 THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
20250 # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
20251 # which in turn eliminates ambiguities in variable treatment with -e.
20252 diff -up openssl-1.0.1e/ssl/ssl_algs.c.fips openssl-1.0.1e/ssl/ssl_algs.c
20253 --- openssl-1.0.1e/ssl/ssl_algs.c.fips 2013-02-11 16:26:04.000000000 +0100
20254 +++ openssl-1.0.1e/ssl/ssl_algs.c 2013-02-19 12:47:33.748119055 +0100
20256 int SSL_library_init(void)
20259 +#ifdef OPENSSL_FIPS
20260 + OPENSSL_init_library();
20261 + if (!FIPS_mode())
20265 #ifndef OPENSSL_NO_DES
20266 EVP_add_cipher(EVP_des_cbc());
20267 EVP_add_cipher(EVP_des_ede3_cbc());
20268 @@ -137,6 +143,50 @@ int SSL_library_init(void)
20269 EVP_add_digest(EVP_sha());
20270 EVP_add_digest(EVP_dss());
20272 +#ifdef OPENSSL_FIPS
20276 +#ifndef OPENSSL_NO_DES
20277 + EVP_add_cipher(EVP_des_ede3_cbc());
20279 +#ifndef OPENSSL_NO_AES
20280 + EVP_add_cipher(EVP_aes_128_cbc());
20281 + EVP_add_cipher(EVP_aes_192_cbc());
20282 + EVP_add_cipher(EVP_aes_256_cbc());
20283 + EVP_add_cipher(EVP_aes_128_gcm());
20284 + EVP_add_cipher(EVP_aes_256_gcm());
20286 +#ifndef OPENSSL_NO_MD5
20287 + /* needed even in the FIPS mode for TLS MAC */
20288 + EVP_add_digest(EVP_md5());
20289 + EVP_add_digest_alias(SN_md5,"ssl2-md5");
20290 + EVP_add_digest_alias(SN_md5,"ssl3-md5");
20292 +#ifndef OPENSSL_NO_SHA
20293 + EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
20294 + EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
20295 + EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
20297 +#ifndef OPENSSL_NO_SHA256
20298 + EVP_add_digest(EVP_sha224());
20299 + EVP_add_digest(EVP_sha256());
20301 +#ifndef OPENSSL_NO_SHA512
20302 + EVP_add_digest(EVP_sha384());
20303 + EVP_add_digest(EVP_sha512());
20305 +#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
20306 + EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
20307 + EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
20308 + EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
20309 + EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
20311 +#ifndef OPENSSL_NO_ECDSA
20312 + EVP_add_digest(EVP_ecdsa());
20316 #ifndef OPENSSL_NO_COMP
20317 /* This will initialise the built-in compression algorithms.
20318 The value returned is a STACK_OF(SSL_COMP), but that can
projects / ipfire-3.x.git / blob