1 diff -up openssl-1.0.1b/apps/pkcs12.c.fips openssl-1.0.1b/apps/pkcs12.c
2 --- openssl-1.0.1b/apps/pkcs12.c.fips 2011-03-13 19:20:23.000000000 +0100
3 +++ openssl-1.0.1b/apps/pkcs12.c 2012-04-26 18:00:51.379768840 +0200
5 #include <openssl/err.h>
6 #include <openssl/pem.h>
7 #include <openssl/pkcs12.h>
9 +#include <openssl/fips.h>
12 #define PROG pkcs12_main
14 @@ -130,6 +133,11 @@ int MAIN(int argc, char **argv)
20 + cert_pbe = key_pbe; /* cannot use RC2 in the FIPS mode */
23 enc = EVP_des_ede3_cbc();
24 if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
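Review bot: The comment on the new `cert_pbe = key_pbe;` line says only that RC2 cannot be used in FIPS mode, not what default it is overriding or why `key_pbe` is the right substitute; the condition that encloses the assignment is outside the visible lines, so I am inferring it is a FIPS-mode branch. Suggest `/* FIPS mode: the default certificate PBE (RC2-based) is not an approved algorithm, so protect the certificates with the same PBE as the private key */`, after confirming that `key_pbe` at this point is still the 3DES default and has not already been overridden by a command-line option parsed earlier in MAIN(). MAIN() starts and ends outside this hunk.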
26 diff -up openssl-1.0.1b/apps/speed.c.fips openssl-1.0.1b/apps/speed.c
27 --- openssl-1.0.1b/apps/speed.c.fips 2012-01-11 22:49:16.000000000 +0100
28 +++ openssl-1.0.1b/apps/speed.c 2012-04-26 18:00:51.380768861 +0200
30 #ifdef OPENSSL_DOING_MAKEDEPEND
31 #undef AES_set_encrypt_key
32 #undef AES_set_decrypt_key
33 -#undef DES_set_key_unchecked
35 #define BF_set_key private_BF_set_key
36 #define CAST_set_key private_CAST_set_key
38 #define SEED_set_key private_SEED_set_key
39 #define RC2_set_key private_RC2_set_key
40 #define RC4_set_key private_RC4_set_key
41 -#define DES_set_key_unchecked private_DES_set_key_unchecked
42 #define AES_set_encrypt_key private_AES_set_encrypt_key
43 #define AES_set_decrypt_key private_AES_set_decrypt_key
44 #define Camellia_set_key private_Camellia_set_key
45 @@ -941,7 +939,12 @@ int MAIN(int argc, char **argv)
46 #ifndef OPENSSL_NO_RSA
47 if (strcmp(*argv,"rsa") == 0)
53 rsa_doit[R_RSA_512]=1;
55 rsa_doit[R_RSA_1024]=1;
56 rsa_doit[R_RSA_2048]=1;
57 rsa_doit[R_RSA_4096]=1;
58 @@ -951,7 +954,12 @@ int MAIN(int argc, char **argv)
59 #ifndef OPENSSL_NO_DSA
60 if (strcmp(*argv,"dsa") == 0)
66 dsa_doit[R_DSA_512]=1;
68 dsa_doit[R_DSA_1024]=1;
69 dsa_doit[R_DSA_2048]=1;
71 @@ -1226,30 +1234,54 @@ int MAIN(int argc, char **argv)
72 AES_set_encrypt_key(key32,256,&aes_ks3);
74 #ifndef OPENSSL_NO_CAMELLIA
75 + if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML])
77 Camellia_set_key(key16,128,&camellia_ks1);
78 Camellia_set_key(ckey24,192,&camellia_ks2);
79 Camellia_set_key(ckey32,256,&camellia_ks3);
82 #ifndef OPENSSL_NO_IDEA
83 + if (doit[D_CBC_IDEA])
85 idea_set_encrypt_key(key16,&idea_ks);
88 #ifndef OPENSSL_NO_SEED
89 + if (doit[D_CBC_SEED])
91 SEED_set_key(key16,&seed_ks);
94 #ifndef OPENSSL_NO_RC4
97 RC4_set_key(&rc4_ks,16,key16);
100 #ifndef OPENSSL_NO_RC2
101 + if (doit[D_CBC_RC2])
103 RC2_set_key(&rc2_ks,16,key16,128);
106 #ifndef OPENSSL_NO_RC5
107 + if (doit[D_CBC_RC5])
109 RC5_32_set_key(&rc5_ks,16,key16,12);
112 #ifndef OPENSSL_NO_BF
113 + if (doit[D_CBC_BF])
115 BF_set_key(&bf_ks,16,key16);
118 #ifndef OPENSSL_NO_CAST
119 + if (doit[D_CBC_CAST])
121 CAST_set_key(&cast_ks,16,key16);
124 #ifndef OPENSSL_NO_RSA
125 memset(rsa_c,0,sizeof(rsa_c));
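Review bot: The new `if (doit[...])` guards around the Camellia/IDEA/SEED/RC2/RC5/BF/CAST key setups carry no comment saying why key scheduling became conditional, and the reason is not obvious from speed.c alone. In this same patch `fips_cipher_abort()` in crypto.h terminates the process through OpenSSLDie, so an unguarded `*_set_key()` for a non-approved cipher would abort `openssl speed` in FIPS mode even when that cipher was not requested. Suggest one comment above the first guard: `/* Only schedule keys for the requested ciphers: in FIPS mode the low-level set_key of a non-approved cipher is fatal, not an error. */`. `AES_set_encrypt_key` at the top of the hunk stays unguarded, which is consistent with aes_misc.c dropping its abort. MAIN() continues outside the hunk.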
126 diff -up openssl-1.0.1b/Configure.fips openssl-1.0.1b/Configure
127 --- openssl-1.0.1b/Configure.fips 2012-04-26 18:00:51.341768009 +0200
128 +++ openssl-1.0.1b/Configure 2012-04-26 18:00:51.381768883 +0200
129 @@ -993,11 +993,6 @@ if (defined($disabled{"md5"}) || defined
130 $disabled{"ssl2"} = "forced";
133 -if ($fips && $fipslibdir eq "")
135 - $fipslibdir = $fipsdir . "/lib/";
138 # RSAX ENGINE sets default non-FIPS RSA method.
141 @@ -1472,7 +1467,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($b
144 $openssl_other_defines.="#define OPENSSL_FIPS\n";
145 - $cflags .= " -I\$(FIPSDIR)/include";
148 $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/);
149 @@ -1659,9 +1653,12 @@ while (<IN>)
151 s/^FIPSDIR=.*/FIPSDIR=$fipsdir/;
152 s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
153 - s/^FIPSCANLIB=.*/FIPSCANLIB=libcrypto/ if $fips;
154 s/^BASEADDR=.*/BASEADDR=$baseaddr/;
158 + s/^FIPS=.*/FIPS=yes/;
160 s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
161 s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
162 s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
163 diff -up openssl-1.0.1b/crypto/aes/aes_misc.c.fips openssl-1.0.1b/crypto/aes/aes_misc.c
164 --- openssl-1.0.1b/crypto/aes/aes_misc.c.fips 2011-06-05 19:36:33.000000000 +0200
165 +++ openssl-1.0.1b/crypto/aes/aes_misc.c 2012-04-26 18:00:51.382768906 +0200
166 @@ -69,17 +69,11 @@ const char *AES_options(void) {
167 int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
171 - fips_cipher_abort(AES);
173 return private_AES_set_encrypt_key(userKey, bits, key);
176 int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
180 - fips_cipher_abort(AES);
182 return private_AES_set_decrypt_key(userKey, bits, key);
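Review bot: Removing `fips_cipher_abort(AES)` makes the low-level AES key schedule callable in FIPS mode with no self-test gate at all. Elsewhere in this patch dh_init() and dsa_init() gain `FIPS_selftest_check();`, but `AES_set_encrypt_key`/`AES_set_decrypt_key` get nothing, so after a failed power-up self-test raw AES stays usable from these entry points. If direct callers are meant to be covered, add `FIPS_selftest_check();` before each `return private_AES_set_*_key(...)` under the same `#ifdef OPENSSL_FIPS` the neighbouring code uses; if the EVP layer is considered the only supported path in FIPS mode, a comment to that effect would stop the next reader from asking the same question. I cannot see from this hunk whether an EVP-level gate already exists.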
184 diff -up openssl-1.0.1b/crypto/cmac/cmac.c.fips openssl-1.0.1b/crypto/cmac/cmac.c
185 --- openssl-1.0.1b/crypto/cmac/cmac.c.fips 2012-04-11 17:11:16.000000000 +0200
186 +++ openssl-1.0.1b/crypto/cmac/cmac.c 2012-04-26 18:00:51.382768906 +0200
187 @@ -107,13 +107,6 @@ CMAC_CTX *CMAC_CTX_new(void)
189 void CMAC_CTX_cleanup(CMAC_CTX *ctx)
192 - if (FIPS_mode() && !ctx->cctx.engine)
194 - FIPS_cmac_ctx_cleanup(ctx);
198 EVP_CIPHER_CTX_cleanup(&ctx->cctx);
199 OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH);
200 OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH);
201 @@ -164,11 +157,6 @@ int CMAC_Init(CMAC_CTX *ctx, const void
202 EVPerr(EVP_F_CMAC_INIT, EVP_R_DISABLED_FOR_FIPS);
205 - /* Other algorithm blocking will be done in FIPS_cmac_init,
206 - * via FIPS_cipherinit().
208 - if (!impl && !ctx->cctx.engine)
209 - return FIPS_cmac_init(ctx, key, keylen, cipher, NULL);
212 /* All zeros means restart */
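Review bot: The removed comment recorded where non-approved ciphers were blocked in FIPS mode (inside FIPS_cmac_init via FIPS_cipherinit), and the new code leaves no replacement, so it is no longer visible in CMAC_Init where that enforcement happens. The only FIPS check left in view is the `EVPerr(EVP_F_CMAC_INIT, EVP_R_DISABLED_FOR_FIPS)` whose condition is outside the visible lines. If the cipher restriction now relies on the EVP cipher init rejecting non-FIPS ciphers, say so where the delegation used to be: `/* FIPS mode: non-approved ciphers are rejected by the EVP cipher init below; only the ENGINE case is checked here. */`. CMAC_Init continues outside the hunk.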
213 @@ -216,10 +204,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi
215 const unsigned char *data = in;
218 - if (FIPS_mode() && !ctx->cctx.engine)
219 - return FIPS_cmac_update(ctx, in, dlen);
221 if (ctx->nlast_block == -1)
224 @@ -261,10 +245,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi
225 int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen)
229 - if (FIPS_mode() && !ctx->cctx.engine)
230 - return FIPS_cmac_final(ctx, out, poutlen);
232 if (ctx->nlast_block == -1)
234 bl = EVP_CIPHER_CTX_block_size(&ctx->cctx);
235 diff -up openssl-1.0.1b/crypto/crypto.h.fips openssl-1.0.1b/crypto/crypto.h
236 --- openssl-1.0.1b/crypto/crypto.h.fips 2012-04-26 18:00:51.094762613 +0200
237 +++ openssl-1.0.1b/crypto/crypto.h 2012-04-26 18:00:51.382768906 +0200
238 @@ -553,24 +553,29 @@ int FIPS_mode_set(int r);
239 void OPENSSL_init(void);
241 #define fips_md_init(alg) fips_md_init_ctx(alg, alg)
242 +#define nonfips_md_init(alg) nonfips_md_init_ctx(alg, alg)
243 +#define fips_md_init_ctx(alg, cx) \
244 + int alg##_Init(cx##_CTX *c)
247 -#define fips_md_init_ctx(alg, cx) \
248 +#define nonfips_md_init_ctx(alg, cx) \
249 int alg##_Init(cx##_CTX *c) \
251 if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
252 - "Low level API call to digest " #alg " forbidden in FIPS mode!"); \
253 + "Digest " #alg " forbidden in FIPS mode!"); \
254 return private_##alg##_Init(c); \
256 int private_##alg##_Init(cx##_CTX *c)
258 #define fips_cipher_abort(alg) \
259 if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
260 - "Low level API call to cipher " #alg " forbidden in FIPS mode!")
261 + "Cipher " #alg " forbidden in FIPS mode!")
263 +/* die if FIPS selftest failed */
264 +void FIPS_selftest_check(void);
267 -#define fips_md_init_ctx(alg, cx) \
268 - int alg##_Init(cx##_CTX *c)
269 +#define nonfips_md_init_ctx(alg, cx) fips_md_init_ctx(alg, cx)
270 #define fips_cipher_abort(alg) while(0)
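Review bot: `nonfips_md_init_ctx` keeps the OpenSSLDie path, so in FIPS mode a call to the low-level `*_Init` of a non-approved digest terminates the process rather than returning an error, and nothing in the header says so to a caller who only sees the shortened message "Digest X forbidden in FIPS mode!". Suggest a comment above the macro pair: `/* fips_md_init_ctx: digest is FIPS-approved, plain declaration. nonfips_md_init_ctx: in FIPS mode the low-level *_Init is fatal (OpenSSLDie), not a recoverable error; use EVP, which returns an error instead. */`. The same applies to `fips_cipher_abort`. The declaration comment `/* die if FIPS selftest failed */` is fine but could name the intended call sites (method init functions) so it is not sprinkled into hot paths.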
273 @@ -580,6 +585,9 @@ void OPENSSL_init(void);
275 void ERR_load_CRYPTO_strings(void);
277 +#define OPENSSL_HAVE_INIT 1
278 +void OPENSSL_init_library(void);
280 /* Error codes for the CRYPTO functions. */
282 /* Function codes. */
283 diff -up openssl-1.0.1b/crypto/des/des.h.fips openssl-1.0.1b/crypto/des/des.h
284 --- openssl-1.0.1b/crypto/des/des.h.fips 2012-04-26 18:00:51.173764340 +0200
285 +++ openssl-1.0.1b/crypto/des/des.h 2012-04-26 18:00:51.383768928 +0200
286 @@ -224,9 +224,6 @@ int DES_set_key(const_DES_cblock *key,DE
287 int DES_key_sched(const_DES_cblock *key,DES_key_schedule *schedule);
288 int DES_set_key_checked(const_DES_cblock *key,DES_key_schedule *schedule);
289 void DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule);
291 -void private_DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule);
293 void DES_string_to_key(const char *str,DES_cblock *key);
294 void DES_string_to_2keys(const char *str,DES_cblock *key1,DES_cblock *key2);
295 void DES_cfb64_encrypt(const unsigned char *in,unsigned char *out,long length,
296 diff -up openssl-1.0.1b/crypto/des/set_key.c.fips openssl-1.0.1b/crypto/des/set_key.c
297 --- openssl-1.0.1b/crypto/des/set_key.c.fips 2011-06-01 18:54:04.000000000 +0200
298 +++ openssl-1.0.1b/crypto/des/set_key.c 2012-04-26 18:00:51.383768928 +0200
299 @@ -337,13 +337,6 @@ int DES_set_key_checked(const_DES_cblock
302 void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
305 - fips_cipher_abort(DES);
306 - private_DES_set_key_unchecked(key, schedule);
308 -void private_DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
311 static const int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0};
312 register DES_LONG c,d,t,s,t2;
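Review bot: `DES_set_key_unchecked` now runs in FIPS mode with no gate, and the hunk records no reason. Single DES is not an approved algorithm; the abort presumably had to go because the same key schedule serves 3DES, but nothing here says where the single-versus-triple distinction is now enforced. Suggest a comment above the function: `/* No FIPS abort here: this schedule is shared with 3DES. Single-DES use in FIPS mode is restricted at the EVP level. */`, after confirming that is actually where the restriction lives. The function body continues outside the hunk.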
313 diff -up openssl-1.0.1b/crypto/dh/dh_gen.c.fips openssl-1.0.1b/crypto/dh/dh_gen.c
314 --- openssl-1.0.1b/crypto/dh/dh_gen.c.fips 2011-06-09 17:21:46.000000000 +0200
315 +++ openssl-1.0.1b/crypto/dh/dh_gen.c 2012-04-26 18:00:51.383768928 +0200
316 @@ -84,11 +84,6 @@ int DH_generate_parameters_ex(DH *ret, i
318 if(ret->meth->generate_params)
319 return ret->meth->generate_params(ret, prime_len, generator, cb);
322 - return FIPS_dh_generate_parameters_ex(ret, prime_len,
325 return dh_builtin_genparams(ret, prime_len, generator, cb);
328 @@ -123,6 +118,20 @@ static int dh_builtin_genparams(DH *ret,
333 + if(FIPS_selftest_failed())
335 + FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS,FIPS_R_FIPS_SELFTEST_FAILED);
339 + if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
341 + DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
347 if (ctx == NULL) goto err;
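Review bot: The new FIPS floor in dh_builtin_genparams only enforces `prime_len >= OPENSSL_DH_FIPS_MIN_MODULUS_BITS`, whereas the DSA parameter generator in this same patch restricts FIPS-mode generation to specific (L, N) pairs; if DH parameters are intended to follow the same size discipline the check should mirror it, and if a bare 1024-bit floor is deliberate for DH a comment should say so. Note also that both new checks sit after `DH_generate_parameters_ex` has already dispatched to `ret->meth->generate_params`, so an ENGINE-supplied method bypasses the self-test and size checks entirely; that matches the DSA hunks but is worth stating in a comment. Whether the selftest check is wrapped in `#ifdef OPENSSL_FIPS` is not visible in this hunk.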
349 diff -up openssl-1.0.1b/crypto/dh/dh.h.fips openssl-1.0.1b/crypto/dh/dh.h
350 --- openssl-1.0.1b/crypto/dh/dh.h.fips 2012-04-26 18:00:51.033761281 +0200
351 +++ openssl-1.0.1b/crypto/dh/dh.h 2012-04-26 18:00:51.384768950 +0200
353 # define OPENSSL_DH_MAX_MODULUS_BITS 10000
356 +#define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
358 #define DH_FLAG_CACHE_MONT_P 0x01
359 #define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
360 * implementation now uses constant time
361 diff -up openssl-1.0.1b/crypto/dh/dh_key.c.fips openssl-1.0.1b/crypto/dh/dh_key.c
362 --- openssl-1.0.1b/crypto/dh/dh_key.c.fips 2011-11-14 15:16:09.000000000 +0100
363 +++ openssl-1.0.1b/crypto/dh/dh_key.c 2012-04-26 18:00:51.384768950 +0200
365 #include <openssl/bn.h>
366 #include <openssl/rand.h>
367 #include <openssl/dh.h>
369 +#include <openssl/fips.h>
372 static int generate_key(DH *dh);
373 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
374 @@ -104,7 +107,7 @@ compute_key,
379 +DH_FLAG_FIPS_METHOD,
383 @@ -123,6 +126,14 @@ static int generate_key(DH *dh)
384 BN_MONT_CTX *mont=NULL;
385 BIGNUM *pub_key=NULL,*priv_key=NULL;
388 + if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
390 + DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
396 if (ctx == NULL) goto err;
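Review bot: The FIPS size floor added to generate_key (and compute_key in the next hunk) has no opt-out flag, while the equivalent DSA checks in this patch honor `DSA_FLAG_NON_FIPS_ALLOW`. If dh.h defines a matching `DH_FLAG_NON_FIPS_ALLOW`, the DH checks should test it the same way, e.g. `if (FIPS_mode() && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW) && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))`; if no such flag exists, a comment stating that the DH floor is unconditional by design would make the asymmetry deliberate rather than accidental. generate_key continues outside the hunk.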
398 @@ -213,6 +224,13 @@ static int compute_key(unsigned char *ke
399 DHerr(DH_F_COMPUTE_KEY,DH_R_MODULUS_TOO_LARGE);
403 + if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
405 + DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
411 if (ctx == NULL) goto err;
412 @@ -280,6 +298,9 @@ static int dh_bn_mod_exp(const DH *dh, B
414 static int dh_init(DH *dh)
417 + FIPS_selftest_check();
419 dh->flags |= DH_FLAG_CACHE_MONT_P;
422 diff -up openssl-1.0.1b/crypto/dh/dh_lib.c.fips openssl-1.0.1b/crypto/dh/dh_lib.c
423 --- openssl-1.0.1b/crypto/dh/dh_lib.c.fips 2011-06-20 21:41:11.000000000 +0200
424 +++ openssl-1.0.1b/crypto/dh/dh_lib.c 2012-04-26 18:00:51.384768950 +0200
425 @@ -81,14 +81,7 @@ const DH_METHOD *DH_get_default_method(v
427 if(!default_DH_method)
431 - return FIPS_dh_openssl();
433 - return DH_OpenSSL();
435 default_DH_method = DH_OpenSSL();
438 return default_DH_method;
440 diff -up openssl-1.0.1b/crypto/dsa/dsa_err.c.fips openssl-1.0.1b/crypto/dsa/dsa_err.c
441 --- openssl-1.0.1b/crypto/dsa/dsa_err.c.fips 2011-10-10 01:13:49.000000000 +0200
442 +++ openssl-1.0.1b/crypto/dsa/dsa_err.c 2012-04-26 18:00:51.385768972 +0200
443 @@ -74,6 +74,8 @@ static ERR_STRING_DATA DSA_str_functs[]=
444 {ERR_FUNC(DSA_F_DO_DSA_PRINT), "DO_DSA_PRINT"},
445 {ERR_FUNC(DSA_F_DSAPARAMS_PRINT), "DSAparams_print"},
446 {ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP), "DSAparams_print_fp"},
447 +{ERR_FUNC(DSA_F_DSA_BUILTIN_KEYGEN), "dsa_builtin_keygen"},
448 +{ERR_FUNC(DSA_F_DSA_BUILTIN_PARAMGEN), "dsa_builtin_paramgen"},
449 {ERR_FUNC(DSA_F_DSA_DO_SIGN), "DSA_do_sign"},
450 {ERR_FUNC(DSA_F_DSA_DO_VERIFY), "DSA_do_verify"},
451 {ERR_FUNC(DSA_F_DSA_GENERATE_KEY), "DSA_generate_key"},
452 @@ -106,6 +108,8 @@ static ERR_STRING_DATA DSA_str_reasons[]
453 {ERR_REASON(DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
454 {ERR_REASON(DSA_R_DECODE_ERROR) ,"decode error"},
455 {ERR_REASON(DSA_R_INVALID_DIGEST_TYPE) ,"invalid digest type"},
456 +{ERR_REASON(DSA_R_KEY_SIZE_INVALID) ,"key size invalid"},
457 +{ERR_REASON(DSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"},
458 {ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"},
459 {ERR_REASON(DSA_R_MODULUS_TOO_LARGE) ,"modulus too large"},
460 {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES) ,"need new setup values"},
461 diff -up openssl-1.0.1b/crypto/dsa/dsa_gen.c.fips openssl-1.0.1b/crypto/dsa/dsa_gen.c
462 --- openssl-1.0.1b/crypto/dsa/dsa_gen.c.fips 2011-06-09 17:21:46.000000000 +0200
463 +++ openssl-1.0.1b/crypto/dsa/dsa_gen.c 2012-04-26 18:00:51.385768972 +0200
465 #include <openssl/fips.h>
468 +#ifndef OPENSSL_FIPS
469 +static int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
470 + const EVP_MD *evpmd, unsigned char *seed, int seed_len,
471 + BIGNUM **p_ret, BIGNUM **q_ret, int *counter_ret, BN_GENCB *cb);
472 +static int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
473 + BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb);
476 int DSA_generate_parameters_ex(DSA *ret, int bits,
477 const unsigned char *seed_in, int seed_len,
478 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
479 @@ -100,14 +108,6 @@ int DSA_generate_parameters_ex(DSA *ret,
480 if(ret->meth->dsa_paramgen)
481 return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
482 counter_ret, h_ret, cb);
484 - else if (FIPS_mode())
486 - return FIPS_dsa_generate_parameters_ex(ret, bits,
488 - counter_ret, h_ret, cb);
494 @@ -125,27 +125,119 @@ int DSA_generate_parameters_ex(DSA *ret,
497 return dsa_builtin_paramgen(ret, bits, qbits, evpmd,
498 - seed_in, seed_len, NULL, counter_ret, h_ret, cb);
499 + seed_in, seed_len, counter_ret, h_ret, cb);
504 +int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
505 + const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
506 + int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
508 + return dsa_builtin_paramgen(ret, bits, qbits,
509 + evpmd, seed_in, seed_len,
510 + counter_ret, h_ret, cb);
514 int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
515 const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
516 - unsigned char *seed_out,
517 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
520 unsigned char seed[SHA256_DIGEST_LENGTH];
521 + BIGNUM *g=NULL,*q=NULL,*p=NULL;
522 + size_t qsize = qbits >> 3;
526 + if(FIPS_selftest_failed())
528 + FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN,
529 + FIPS_R_FIPS_SELFTEST_FAILED);
533 + if (FIPS_module_mode() &&
534 + (bits != 1024 || qbits != 160) &&
535 + (bits != 2048 || qbits != 224) &&
536 + (bits != 2048 || qbits != 256) &&
537 + (bits != 3072 || qbits != 256))
539 + DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
543 + if (seed_len && (seed_len < (size_t)qsize))
544 + seed_in = NULL; /* seed buffer too small -- ignore */
545 + if (seed_len > sizeof(seed))
546 + seed_len = sizeof(seed); /* App. 2.2 of FIPS PUB 186 allows larger SEED,
547 + * but our internal buffers are restricted to 256 bits*/
548 + if (seed_in != NULL)
549 + memcpy(seed, seed_in, seed_len);
553 + if ((ctx=BN_CTX_new()) == NULL)
558 + if (!FIPS_dsa_generate_pq(ctx, bits, qbits, evpmd,
559 + seed, seed_len, &p, &q, counter_ret, cb))
562 + if (!FIPS_dsa_generate_g(ctx, p, q, &g, h_ret, cb))
587 + if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
598 +#ifndef OPENSSL_FIPS
601 +int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
602 + const EVP_MD *evpmd, unsigned char *seed, int seed_len,
603 + BIGNUM **p_ret, BIGNUM **q_ret, int *counter_ret, BN_GENCB *cb)
606 unsigned char md[SHA256_DIGEST_LENGTH];
607 - unsigned char buf[SHA256_DIGEST_LENGTH],buf2[SHA256_DIGEST_LENGTH];
608 + unsigned char buf[SHA256_DIGEST_LENGTH];
609 BIGNUM *r0,*W,*X,*c,*test;
610 - BIGNUM *g=NULL,*q=NULL,*p=NULL;
611 - BN_MONT_CTX *mont=NULL;
612 - int i, k, n=0, m=0, qsize = qbits >> 3;
613 + BIGNUM *q=NULL,*p=NULL;
614 + int i, k, b, n=0, m=0, qsize = qbits >> 3;
620 if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH &&
621 qsize != SHA256_DIGEST_LENGTH)
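Review bot: When the caller's seed is too short, `seed_in` is set to NULL but `seed_len` keeps its non-zero value, so the uninitialised `seed[]` buffer is passed into FIPS_dsa_generate_pq with a non-zero length and, judging by the `seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/` context in the next hunk, is hashed as if it were a real seed on the first iteration. The removed lines had the same latent problem, but this rewrite is the moment to fix it: `seed_in = NULL; seed_len = 0; /* seed buffer too small -- ignore */`. Separately, this size check uses `FIPS_module_mode()` while every other new check in the patch uses `FIPS_mode()`; if the two predicates are not equivalent in this build the DSA size restriction may not apply when the rest of the FIPS checks do, so please confirm which one is intended. dsa_builtin_paramgen continues outside the hunk.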
622 @@ -153,51 +245,43 @@ int dsa_builtin_paramgen(DSA *ret, size_
626 - /* use SHA1 as default */
627 - evpmd = EVP_sha1();
630 + evpmd = EVP_sha1();
631 + else if (qbits <= 224)
632 + evpmd = EVP_sha224();
634 + evpmd = EVP_sha256();
640 bits = (bits+63)/64*64;
642 - /* NB: seed_len == 0 is special case: copy generated seed to
643 - * seed_in if it is not NULL.
645 - if (seed_len && (seed_len < (size_t)qsize))
646 - seed_in = NULL; /* seed buffer too small -- ignore */
647 - if (seed_len > (size_t)qsize)
648 - seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger SEED,
649 - * but our internal buffers are restricted to 160 bits*/
650 - if (seed_in != NULL)
651 - memcpy(seed, seed_in, seed_len);
653 - if ((ctx=BN_CTX_new()) == NULL)
656 - if ((mont=BN_MONT_CTX_new()) == NULL)
660 r0 = BN_CTX_get(ctx);
661 - g = BN_CTX_get(ctx);
663 - q = BN_CTX_get(ctx);
664 + *q_ret = q = BN_CTX_get(ctx);
667 - p = BN_CTX_get(ctx);
668 + *p_ret = p = BN_CTX_get(ctx);
669 test = BN_CTX_get(ctx);
671 if (!BN_lshift(test,BN_value_one(),bits-1))
674 + /* step 3 n = \lceil bits / qbits \rceil - 1 */
675 + n = (bits+qbits-1)/qbits - 1;
676 + /* step 4 b = bits - 1 - n * qbits */
677 + b = bits - 1 - n*qbits;
681 for (;;) /* find q */
686 + /* step 5 generate seed */
687 if(!BN_GENCB_call(cb, 0, m++))
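Review bot: FIPS_dsa_generate_pq hands back `p` and `q` that are obtained with `BN_CTX_get()` from the caller's `ctx`, so `*p_ret`/`*q_ret` are only valid until the caller's `BN_CTX_end()`/`BN_CTX_free()` and must be duplicated to be kept, and the new signature says nothing about that. Suggest a header comment on the function: `/* p_ret/q_ret are allocated from ctx and remain owned by it: valid until BN_CTX_end()/BN_CTX_free(); BN_dup() to keep. Also note seed[] is updated in place to the seed actually used. */` (the in-place update is inferred from the `memcpy(buf, seed, qsize)` below and should be confirmed). The function's body continues past the end of the hunk.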
690 @@ -212,30 +296,18 @@ int dsa_builtin_paramgen(DSA *ret, size_
691 seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/
693 memcpy(buf , seed, qsize);
694 - memcpy(buf2, seed, qsize);
695 - /* precompute "SEED + 1" for step 7: */
696 - for (i = qsize-1; i >= 0; i--)
704 + /* step 6 U = hash(seed) */
705 if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
707 - if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
709 - for (i = 0; i < qsize; i++)
713 + /* step 7 q = 2^(qbits-1) + U + 1 - (U mod 2) */
716 if (!BN_bin2bn(md, qsize, q))
720 + /* step 8 test for prime (64 round of Rabin-Miller) */
721 r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
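Review bot: The new comment says "64 round of Rabin-Miller" but the call passes `DSS_prime_checks`, whose value is defined outside this hunk; if the macro is not 64 the comment is simply wrong, and even if it is, the two can drift apart. Either make the comment refer to the macro, `/* step 8: primality test with DSS_prime_checks Miller-Rabin rounds */`, or fix the count in one place. The "step 7" comment describes forcing the top and bottom bits of q, but only the `BN_bin2bn` is visible here, so the bit-setting lines are presumably in the omitted part of the hunk.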
724 @@ -243,27 +315,22 @@ int dsa_builtin_paramgen(DSA *ret, size_
728 - /* do a callback call */
732 if(!BN_GENCB_call(cb, 2, 0)) goto err;
733 if(!BN_GENCB_call(cb, 3, 0)) goto err;
745 if ((counter != 0) && !BN_GENCB_call(cb, 0, counter))
749 + /* step 11.1, 11.2 obtain W */
751 - /* now 'buf' contains "SEED + offset - 1" */
754 /* obtain "SEED + offset + k" by incrementing: */
755 @@ -278,28 +345,30 @@ int dsa_builtin_paramgen(DSA *ret, size_
760 if (!BN_bin2bn(md, qsize, r0))
762 - if (!BN_lshift(r0,r0,(qsize << 3)*k)) goto err;
764 + BN_mask_bits(r0,b);
765 + if (!BN_lshift(r0,r0,qbits*k)) goto err;
766 if (!BN_add(W,W,r0)) goto err;
769 - /* more of step 8 */
770 - if (!BN_mask_bits(W,bits-1)) goto err;
771 + /* step 11.3 X = W + 2^(L-1) */
772 if (!BN_copy(X,W)) goto err;
773 if (!BN_add(X,X,test)) goto err;
776 + /* step 11.4 c = X mod 2*q */
777 if (!BN_lshift1(r0,q)) goto err;
778 if (!BN_mod(c,X,r0,ctx)) goto err;
780 + /* step 11.5 p = X - (c - 1) */
781 if (!BN_sub(r0,c,BN_value_one())) goto err;
782 if (!BN_sub(p,X,r0)) goto err;
786 if (BN_cmp(p,test) >= 0)
790 r = BN_is_prime_fasttest_ex(p, DSS_prime_checks,
793 @@ -308,19 +377,45 @@ int dsa_builtin_paramgen(DSA *ret, size_
800 /* "offset = offset + n + 1" */
803 - if (counter >= 4096) break;
805 + if (counter >= 4*bits) break;
809 if(!BN_GENCB_call(cb, 2, 1))
812 - /* We now need to generate g */
817 + if (counter_ret != NULL) *counter_ret=counter;
822 +#ifndef OPENSSL_FIPS
825 +int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
826 + BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb)
829 + BIGNUM *r0, *test, *g = NULL;
833 + if ((mont=BN_MONT_CTX_new()) == NULL)
836 + r0 = BN_CTX_get(ctx);
837 + *g_ret = g = BN_CTX_get(ctx);
838 + test = BN_CTX_get(ctx);
841 if (!BN_sub(test,p,BN_value_one())) goto err;
842 if (!BN_div(r0,NULL,test,q,ctx)) goto err;
843 @@ -344,26 +439,7 @@ end:
847 - if(ret->p) BN_free(ret->p);
848 - if(ret->q) BN_free(ret->q);
849 - if(ret->g) BN_free(ret->g);
853 - if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
858 - if (counter_ret != NULL) *counter_ret=counter;
859 if (h_ret != NULL) *h_ret=h;
861 - memcpy(seed_out, seed, qsize);
868 if (mont != NULL) BN_MONT_CTX_free(mont);
870 diff -up openssl-1.0.1b/crypto/dsa/dsa.h.fips openssl-1.0.1b/crypto/dsa/dsa.h
871 --- openssl-1.0.1b/crypto/dsa/dsa.h.fips 2012-04-26 18:00:50.840757065 +0200
872 +++ openssl-1.0.1b/crypto/dsa/dsa.h 2012-04-26 18:00:51.386768993 +0200
874 # define OPENSSL_DSA_MAX_MODULUS_BITS 10000
877 +#define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
879 #define DSA_FLAG_CACHE_MONT_P 0x01
880 #define DSA_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DSA
881 * implementation now uses constant time
882 @@ -264,6 +266,17 @@ int DSA_print_fp(FILE *bp, const DSA *x,
883 DH *DSA_dup_DH(const DSA *r);
887 +int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
888 + const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
889 + int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
890 +int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
891 + const EVP_MD *evpmd, unsigned char *seed, int seed_len,
892 + BIGNUM **p_ret, BIGNUM **q_ret, int *counter_ret, BN_GENCB *cb);
893 +int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
894 + BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb);
897 #define EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, nbits) \
898 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, \
899 EVP_PKEY_CTRL_DSA_PARAMGEN_BITS, nbits, NULL)
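Review bot: `FIPS_dsa_generate_pq` declares `seed_len` as `int` while `FIPS_dsa_builtin_paramgen` and `dsa_builtin_paramgen` take `size_t`, and dsa_gen.c passes the `size_t` straight through at the call site, so the same quantity changes signedness across one call; declare it `size_t seed_len` in both the prototype and the definition. The `#ifdef` that presumably scopes these three new exports to FIPS builds is not visible in the hunk; in non-FIPS builds dsa_gen.c makes the same two functions `static`, so please make sure the header declaration is not compiled in that configuration or the linkage will conflict.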
900 @@ -285,10 +298,13 @@ void ERR_load_DSA_strings(void);
901 #define DSA_F_DO_DSA_PRINT 104
902 #define DSA_F_DSAPARAMS_PRINT 100
903 #define DSA_F_DSAPARAMS_PRINT_FP 101
904 +#define DSA_F_DSA_BUILTIN_KEYGEN 124
905 +#define DSA_F_DSA_BUILTIN_PARAMGEN 123
906 #define DSA_F_DSA_DO_SIGN 112
907 #define DSA_F_DSA_DO_VERIFY 113
908 -#define DSA_F_DSA_GENERATE_KEY 124
909 -#define DSA_F_DSA_GENERATE_PARAMETERS_EX 123
910 +#define DSA_F_DSA_GENERATE_KEY 126
911 +#define DSA_F_DSA_GENERATE_PARAMETERS_EX 127
912 +#define DSA_F_DSA_GENERATE_PARAMETERS /* unused */ 125
913 #define DSA_F_DSA_NEW_METHOD 103
914 #define DSA_F_DSA_PARAM_DECODE 119
915 #define DSA_F_DSA_PRINT_FP 105
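Review bot: Renumbering existing public function codes (`DSA_F_DSA_GENERATE_KEY` 124 to 126, `DSA_F_DSA_GENERATE_PARAMETERS_EX` 123 to 127) changes the value applications already compiled against these headers compare `ERR_GET_FUNC()` results to, and makes the same packed error code mean different things in old and new binaries. Prefer appending: keep 123/124 for the existing names and give `DSA_F_DSA_BUILTIN_KEYGEN`/`DSA_F_DSA_BUILTIN_PARAMGEN` fresh values such as 126/127. The `/* unused */` annotation on `DSA_F_DSA_GENERATE_PARAMETERS` 125 is fine but should say why it is kept (ABI placeholder).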
916 @@ -314,11 +330,15 @@ void ERR_load_DSA_strings(void);
917 #define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100
918 #define DSA_R_DECODE_ERROR 104
919 #define DSA_R_INVALID_DIGEST_TYPE 106
920 +#define DSA_R_KEY_SIZE_INVALID 113
921 +#define DSA_R_KEY_SIZE_TOO_SMALL 110
922 #define DSA_R_MISSING_PARAMETERS 101
923 #define DSA_R_MODULUS_TOO_LARGE 103
924 -#define DSA_R_NEED_NEW_SETUP_VALUES 110
925 +#define DSA_R_NEED_NEW_SETUP_VALUES 112
926 #define DSA_R_NON_FIPS_DSA_METHOD 111
927 +#define DSA_R_NON_FIPS_METHOD 111
928 #define DSA_R_NO_PARAMETERS_SET 107
929 +#define DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE /* unused */ 112
930 #define DSA_R_PARAMETER_ENCODING_ERROR 105
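Review bot: `DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE` is given 112, the same value `DSA_R_NEED_NEW_SETUP_VALUES` is moved to in this hunk, so code testing `ERR_GET_REASON()` for either constant matches the other; `/* unused */` does not prevent that. Moving `DSA_R_NEED_NEW_SETUP_VALUES` off 110 and handing 110 to `DSA_R_KEY_SIZE_TOO_SMALL` also silently changes the meaning of reason 110 for already-built applications. Keep 110 for `NEED_NEW_SETUP_VALUES` and allocate unused values for the new reasons, e.g. `#define DSA_R_KEY_SIZE_TOO_SMALL 112` and `#define DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 114`, then add the matching dsa_err.c strings. (`DSA_R_NON_FIPS_METHOD` sharing 111 with `DSA_R_NON_FIPS_DSA_METHOD` reads as an intentional alias and is fine.)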
933 diff -up openssl-1.0.1b/crypto/dsa/dsa_key.c.fips openssl-1.0.1b/crypto/dsa/dsa_key.c
934 --- openssl-1.0.1b/crypto/dsa/dsa_key.c.fips 2011-06-09 17:21:46.000000000 +0200
935 +++ openssl-1.0.1b/crypto/dsa/dsa_key.c 2012-04-26 18:00:51.386768993 +0200
939 #include <openssl/fips.h>
940 +#include <openssl/evp.h>
942 +static int fips_check_dsa(DSA *dsa)
945 + unsigned char tbs[] = "DSA Pairwise Check Data";
946 + pk.type = EVP_PKEY_DSA;
949 + if (!fips_pkey_signature_test(&pk, tbs, 0, NULL, 0, NULL, 0, NULL))
951 + FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED);
952 + fips_set_selftest_fail();
960 static int dsa_builtin_keygen(DSA *dsa);
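Review bot: fips_check_dsa has no comment stating its consequence: a pairwise-consistency failure calls `fips_set_selftest_fail()`, which (given the `FIPS_selftest_failed()` guards added elsewhere in this patch) turns one bad key pair into a module-wide error state for the rest of the process. That is the FIPS 140-2 prescribed behaviour, but it is surprising enough to deserve a one-line header: `/* Pairwise consistency test for a freshly generated DSA key pair. Failure is treated as a module self-test failure: all further FIPS operations in this process will fail. */`. The hunk header for this region is not visible, so the surrounding lines are inferred.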
961 @@ -82,10 +100,6 @@ int DSA_generate_key(DSA *dsa)
963 if(dsa->meth->dsa_keygen)
964 return dsa->meth->dsa_keygen(dsa);
967 - return FIPS_dsa_generate_key(dsa);
969 return dsa_builtin_keygen(dsa);
972 @@ -95,6 +109,15 @@ static int dsa_builtin_keygen(DSA *dsa)
974 BIGNUM *pub_key=NULL,*priv_key=NULL;
977 + if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
978 + && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
980 + DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
985 if ((ctx=BN_CTX_new()) == NULL) goto err;
987 if (dsa->priv_key == NULL)
988 @@ -133,6 +156,14 @@ static int dsa_builtin_keygen(DSA *dsa)
990 dsa->priv_key=priv_key;
991 dsa->pub_key=pub_key;
993 + if(FIPS_mode() && !fips_check_dsa(dsa))
995 + dsa->pub_key = NULL;
996 + dsa->priv_key = NULL;
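Review bot: On a pairwise-test failure the new code detaches the freshly generated key pair by NULLing `dsa->pub_key`/`dsa->priv_key`; the lines that follow are outside the visible hunk, but if they simply `goto err` the original cleanup presumably releases the locals with `BN_free`, which does not wipe the rejected private scalar. Since this path exists precisely because the key pair is suspect, prefer `BN_clear_free(priv_key); priv_key = NULL;` before falling through to the common error path so the cleanup does not need to know about this case. The err label and cleanup are outside the hunk, so this is inferred.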
1003 diff -up openssl-1.0.1b/crypto/dsa/dsa_lib.c.fips openssl-1.0.1b/crypto/dsa/dsa_lib.c
1004 --- openssl-1.0.1b/crypto/dsa/dsa_lib.c.fips 2011-11-14 15:16:09.000000000 +0100
1005 +++ openssl-1.0.1b/crypto/dsa/dsa_lib.c 2012-04-26 18:00:51.387769014 +0200
1006 @@ -87,14 +87,7 @@ const DSA_METHOD *DSA_get_default_method
1008 if(!default_DSA_method)
1010 -#ifdef OPENSSL_FIPS
1012 - return FIPS_dsa_openssl();
1014 - return DSA_OpenSSL();
1016 default_DSA_method = DSA_OpenSSL();
1019 return default_DSA_method;
1021 diff -up openssl-1.0.1b/crypto/dsa/dsa_locl.h.fips openssl-1.0.1b/crypto/dsa/dsa_locl.h
1022 --- openssl-1.0.1b/crypto/dsa/dsa_locl.h.fips 2012-04-26 18:00:50.844757152 +0200
1023 +++ openssl-1.0.1b/crypto/dsa/dsa_locl.h 2012-04-26 18:00:51.387769014 +0200
1026 int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
1027 const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
1028 - unsigned char *seed_out,
1029 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
1030 diff -up openssl-1.0.1b/crypto/dsa/dsa_ossl.c.fips openssl-1.0.1b/crypto/dsa/dsa_ossl.c
1031 --- openssl-1.0.1b/crypto/dsa/dsa_ossl.c.fips 2011-02-01 13:53:47.000000000 +0100
1032 +++ openssl-1.0.1b/crypto/dsa/dsa_ossl.c 2012-04-26 18:00:51.388769035 +0200
1034 #include <openssl/dsa.h>
1035 #include <openssl/rand.h>
1036 #include <openssl/asn1.h>
1037 +#ifdef OPENSSL_FIPS
1038 +#include <openssl/fips.h>
1041 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
1042 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
1043 @@ -82,7 +85,7 @@ NULL, /* dsa_mod_exp, */
1044 NULL, /* dsa_bn_mod_exp, */
1048 +DSA_FLAG_FIPS_METHOD,
1052 @@ -138,6 +141,21 @@ static DSA_SIG *dsa_do_sign(const unsign
1056 +#ifdef OPENSSL_FIPS
1057 + if(FIPS_selftest_failed())
1059 + FIPSerr(FIPS_F_DSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED);
1063 + if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
1064 + && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
1066 + DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
1074 @@ -325,6 +343,21 @@ static int dsa_do_verify(const unsigned
1078 +#ifdef OPENSSL_FIPS
1079 + if(FIPS_selftest_failed())
1081 + FIPSerr(FIPS_F_DSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED);
1085 + if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
1086 + && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
1088 + DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
1093 if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS)
1095 DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
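Review bot: The new FIPS floor in dsa_do_verify rejects verification, not just signing, for any `p` below `OPENSSL_DSA_FIPS_MIN_MODULUS_BITS` unless `DSA_FLAG_NON_FIPS_ALLOW` is set, which means existing signatures and certificates made with smaller legacy parameters stop verifying in FIPS mode. If that stricter-than-signing policy is intentional, add a comment saying so next to the check; otherwise consider limiting the size floor to dsa_do_sign and keeping only the `FIPS_selftest_failed()` guard here. dsa_do_verify continues outside the hunk.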
1096 @@ -399,6 +432,9 @@ static int dsa_do_verify(const unsigned
1098 static int dsa_init(DSA *dsa)
1100 +#ifdef OPENSSL_FIPS
1101 + FIPS_selftest_check();
1103 dsa->flags|=DSA_FLAG_CACHE_MONT_P;
1106 diff -up openssl-1.0.1b/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.1b/crypto/dsa/dsa_pmeth.c
1107 --- openssl-1.0.1b/crypto/dsa/dsa_pmeth.c.fips 2011-06-20 22:05:13.000000000 +0200
1108 +++ openssl-1.0.1b/crypto/dsa/dsa_pmeth.c 2012-04-26 18:00:51.388769035 +0200
1109 @@ -255,7 +255,7 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT
1112 ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
1113 - NULL, 0, NULL, NULL, NULL, pcb);
1114 + NULL, 0, NULL, NULL, pcb);
1116 EVP_PKEY_assign_DSA(pkey, dsa);
1118 diff -up openssl-1.0.1b/crypto/dsa/dsatest.c.fips openssl-1.0.1b/crypto/dsa/dsatest.c
1119 --- openssl-1.0.1b/crypto/dsa/dsatest.c.fips 2008-08-06 17:54:11.000000000 +0200
1120 +++ openssl-1.0.1b/crypto/dsa/dsatest.c 2012-04-26 18:00:51.389769058 +0200
1121 @@ -96,36 +96,41 @@ static int MS_CALLBACK dsa_cb(int p, int
1122 /* seed, out_p, out_q, out_g are taken from the updated Appendix 5 to
1123 * FIPS PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 */
1124 static unsigned char seed[20]={
1125 - 0xd5,0x01,0x4e,0x4b,0x60,0xef,0x2b,0xa8,0xb6,0x21,0x1b,0x40,
1126 - 0x62,0xba,0x32,0x24,0xe0,0x42,0x7d,0xd3,
1127 + 0x02,0x47,0x11,0x92,0x11,0x88,0xC8,0xFB,0xAF,0x48,0x4C,0x62,
1128 + 0xDF,0xA5,0xBE,0xA0,0xA4,0x3C,0x56,0xE3,
1131 static unsigned char out_p[]={
1132 - 0x8d,0xf2,0xa4,0x94,0x49,0x22,0x76,0xaa,
1133 - 0x3d,0x25,0x75,0x9b,0xb0,0x68,0x69,0xcb,
1134 - 0xea,0xc0,0xd8,0x3a,0xfb,0x8d,0x0c,0xf7,
1135 - 0xcb,0xb8,0x32,0x4f,0x0d,0x78,0x82,0xe5,
1136 - 0xd0,0x76,0x2f,0xc5,0xb7,0x21,0x0e,0xaf,
1137 - 0xc2,0xe9,0xad,0xac,0x32,0xab,0x7a,0xac,
1138 - 0x49,0x69,0x3d,0xfb,0xf8,0x37,0x24,0xc2,
1139 - 0xec,0x07,0x36,0xee,0x31,0xc8,0x02,0x91,
1140 + 0xAC,0xCB,0x1E,0x63,0x60,0x69,0x0C,0xFB,0x06,0x19,0x68,0x3E,
1141 + 0xA5,0x01,0x5A,0xA2,0x15,0x5C,0xE2,0x99,0x2D,0xD5,0x30,0x99,
1142 + 0x7E,0x5F,0x8D,0xE2,0xF7,0xC6,0x2E,0x8D,0xA3,0x9F,0x58,0xAD,
1143 + 0xD6,0xA9,0x7D,0x0E,0x0D,0x95,0x53,0xA6,0x71,0x3A,0xDE,0xAB,
1144 + 0xAC,0xE9,0xF4,0x36,0x55,0x9E,0xB9,0xD6,0x93,0xBF,0xF3,0x18,
1145 + 0x1C,0x14,0x7B,0xA5,0x42,0x2E,0xCD,0x00,0xEB,0x35,0x3B,0x1B,
1146 + 0xA8,0x51,0xBB,0xE1,0x58,0x42,0x85,0x84,0x22,0xA7,0x97,0x5E,
1147 + 0x99,0x6F,0x38,0x20,0xBD,0x9D,0xB6,0xD9,0x33,0x37,0x2A,0xFD,
1148 + 0xBB,0xD4,0xBC,0x0C,0x2A,0x67,0xCB,0x9F,0xBB,0xDF,0xF9,0x93,
1149 + 0xAA,0xD6,0xF0,0xD6,0x95,0x0B,0x5D,0x65,0x14,0xD0,0x18,0x9D,
1150 + 0xC6,0xAF,0xF0,0xC6,0x37,0x7C,0xF3,0x5F,
1153 static unsigned char out_q[]={
1154 - 0xc7,0x73,0x21,0x8c,0x73,0x7e,0xc8,0xee,
1155 - 0x99,0x3b,0x4f,0x2d,0xed,0x30,0xf4,0x8e,
1156 - 0xda,0xce,0x91,0x5f,
1157 + 0xE3,0x8E,0x5E,0x6D,0xBF,0x2B,0x79,0xF8,0xC5,0x4B,0x89,0x8B,
1158 + 0xBA,0x2D,0x91,0xC3,0x6C,0x80,0xAC,0x87,
1161 static unsigned char out_g[]={
1162 - 0x62,0x6d,0x02,0x78,0x39,0xea,0x0a,0x13,
1163 - 0x41,0x31,0x63,0xa5,0x5b,0x4c,0xb5,0x00,
1164 - 0x29,0x9d,0x55,0x22,0x95,0x6c,0xef,0xcb,
1165 - 0x3b,0xff,0x10,0xf3,0x99,0xce,0x2c,0x2e,
1166 - 0x71,0xcb,0x9d,0xe5,0xfa,0x24,0xba,0xbf,
1167 - 0x58,0xe5,0xb7,0x95,0x21,0x92,0x5c,0x9c,
1168 - 0xc4,0x2e,0x9f,0x6f,0x46,0x4b,0x08,0x8c,
1169 - 0xc5,0x72,0xaf,0x53,0xe6,0xd7,0x88,0x02,
1170 + 0x42,0x4A,0x04,0x4E,0x79,0xB4,0x99,0x7F,0xFD,0x58,0x36,0x2C,
1171 + 0x1B,0x5F,0x18,0x7E,0x0D,0xCC,0xAB,0x81,0xC9,0x5D,0x10,0xCE,
1172 + 0x4E,0x80,0x7E,0x58,0xB4,0x34,0x3F,0xA7,0x45,0xC7,0xAA,0x36,
1173 + 0x24,0x42,0xA9,0x3B,0xE8,0x0E,0x04,0x02,0x2D,0xFB,0xA6,0x13,
1174 + 0xB9,0xB5,0x15,0xA5,0x56,0x07,0x35,0xE4,0x03,0xB6,0x79,0x7C,
1175 + 0x62,0xDD,0xDF,0x3F,0x71,0x3A,0x9D,0x8B,0xC4,0xF6,0xE7,0x1D,
1176 + 0x52,0xA8,0xA9,0x43,0x1D,0x33,0x51,0x88,0x39,0xBD,0x73,0xE9,
1177 + 0x5F,0xBE,0x82,0x49,0x27,0xE6,0xB5,0x53,0xC1,0x38,0xAC,0x2F,
1178 + 0x6D,0x97,0x6C,0xEB,0x67,0xC1,0x5F,0x67,0xF8,0x35,0x05,0x5E,
1179 + 0xD5,0x68,0x80,0xAA,0x96,0xCA,0x0B,0x8A,0xE6,0xF1,0xB1,0x41,
1180 + 0xC6,0x75,0x94,0x0A,0x0A,0x2A,0xFA,0x29,
1183 static const unsigned char str1[]="12345678901234567890";
1184 @@ -157,7 +162,7 @@ int main(int argc, char **argv)
1185 BIO_printf(bio_err,"test generation of DSA parameters\n");
1187 BN_GENCB_set(&cb, dsa_cb, bio_err);
1188 - if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512,
1189 + if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 1024,
1190 seed, 20, &counter, &h, &cb))
1193 @@ -170,9 +175,9 @@ int main(int argc, char **argv)
1194 BIO_printf(bio_err,"\ncounter=%d h=%ld\n",counter,h);
1196 DSA_print(bio_err,dsa,0);
1197 - if (counter != 105)
1198 + if (counter != 239)
1200 - BIO_printf(bio_err,"counter should be 105\n");
1201 + BIO_printf(bio_err,"counter should be 239\n");
1205 diff -up openssl-1.0.1b/crypto/engine/eng_all.c.fips openssl-1.0.1b/crypto/engine/eng_all.c
1206 --- openssl-1.0.1b/crypto/engine/eng_all.c.fips 2011-08-10 20:53:13.000000000 +0200
1207 +++ openssl-1.0.1b/crypto/engine/eng_all.c 2012-04-26 18:00:51.389769058 +0200
1210 #include "cryptlib.h"
1211 #include "eng_int.h"
1212 +#ifdef OPENSSL_FIPS
1213 +#include <openssl/fips.h>
1216 void ENGINE_load_builtin_engines(void)
1218 /* Some ENGINEs need this */
1219 OPENSSL_cpuid_setup();
1220 +#ifdef OPENSSL_FIPS
1221 + OPENSSL_init_library();
1222 + if (FIPS_mode()) {
1223 + /* We allow loading dynamic engine as a third party
1224 + engine might be FIPS validated.
1225 + User is disallowed to load non-validated engines
1226 + by security policy. */
1227 + ENGINE_load_dynamic();
1232 /* There's no longer any need for an "openssl" ENGINE unless, one day,
1233 * it is the *only* way for standard builtin implementations to be be
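Review bot: The FIPS-mode branch at lines 1222–1227 loads only the dynamic engine and defers the "no non-validated engines" rule to security policy, but nothing in the visible code constrains what a caller later loads through that engine, so the restriction is procedural rather than enforced. The comment should state that plainly so nobody mistakes it for a check, e.g. `/* NB: nothing here verifies what the dynamic engine later loads; in FIPS mode only validated engine modules may be loaded (policy, not enforced by code) */`. `OPENSSL_init_library()` is also now called on every ENGINE_load_builtin_engines() invocation; if it is not idempotent (not visible here) repeated engine loads would re-run it. The early return and `#endif` that close this branch fall outside the visible hunk lines.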
1234 diff -up openssl-1.0.1b/crypto/err/err_all.c.fips openssl-1.0.1b/crypto/err/err_all.c
1235 --- openssl-1.0.1b/crypto/err/err_all.c.fips 2011-06-21 18:58:10.000000000 +0200
1236 +++ openssl-1.0.1b/crypto/err/err_all.c 2012-04-26 18:00:51.390769081 +0200
1238 #include <openssl/ocsp.h>
1239 #include <openssl/err.h>
1240 #include <openssl/ts.h>
1241 +#ifdef OPENSSL_FIPS
1242 +#include <openssl/fips.h>
1244 #ifndef OPENSSL_NO_CMS
1245 #include <openssl/cms.h>
1247 @@ -153,6 +156,9 @@ void ERR_load_crypto_strings(void)
1249 ERR_load_OCSP_strings();
1250 ERR_load_UI_strings();
1251 +#ifdef OPENSSL_FIPS
1252 + ERR_load_FIPS_strings();
1254 #ifndef OPENSSL_NO_CMS
1255 ERR_load_CMS_strings();
1257 diff -up openssl-1.0.1b/crypto/evp/c_allc.c.fips openssl-1.0.1b/crypto/evp/c_allc.c
1258 --- openssl-1.0.1b/crypto/evp/c_allc.c.fips 2011-11-14 22:13:35.000000000 +0100
1259 +++ openssl-1.0.1b/crypto/evp/c_allc.c 2012-04-26 18:00:51.390769081 +0200
1261 void OpenSSL_add_all_ciphers(void)
1264 +#ifdef OPENSSL_FIPS
1265 + OPENSSL_init_library();
1269 #ifndef OPENSSL_NO_DES
1270 EVP_add_cipher(EVP_des_cfb());
1271 EVP_add_cipher(EVP_des_cfb1());
1272 @@ -227,4 +232,60 @@ void OpenSSL_add_all_ciphers(void)
1273 EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
1274 EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
1276 +#ifdef OPENSSL_FIPS
1280 +#ifndef OPENSSL_NO_DES
1281 + EVP_add_cipher(EVP_des_ede_cfb());
1282 + EVP_add_cipher(EVP_des_ede3_cfb());
1284 + EVP_add_cipher(EVP_des_ede_ofb());
1285 + EVP_add_cipher(EVP_des_ede3_ofb());
1287 + EVP_add_cipher(EVP_des_ede_cbc());
1288 + EVP_add_cipher(EVP_des_ede3_cbc());
1289 + EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
1290 + EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
1292 + EVP_add_cipher(EVP_des_ede());
1293 + EVP_add_cipher(EVP_des_ede3());
1296 +#ifndef OPENSSL_NO_AES
1297 + EVP_add_cipher(EVP_aes_128_ecb());
1298 + EVP_add_cipher(EVP_aes_128_cbc());
1299 + EVP_add_cipher(EVP_aes_128_cfb());
1300 + EVP_add_cipher(EVP_aes_128_cfb1());
1301 + EVP_add_cipher(EVP_aes_128_cfb8());
1302 + EVP_add_cipher(EVP_aes_128_ofb());
1303 + EVP_add_cipher(EVP_aes_128_ctr());
1304 + EVP_add_cipher(EVP_aes_128_gcm());
1305 + EVP_add_cipher(EVP_aes_128_xts());
1306 + EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
1307 + EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
1308 + EVP_add_cipher(EVP_aes_192_ecb());
1309 + EVP_add_cipher(EVP_aes_192_cbc());
1310 + EVP_add_cipher(EVP_aes_192_cfb());
1311 + EVP_add_cipher(EVP_aes_192_cfb1());
1312 + EVP_add_cipher(EVP_aes_192_cfb8());
1313 + EVP_add_cipher(EVP_aes_192_ofb());
1314 + EVP_add_cipher(EVP_aes_192_ctr());
1315 + EVP_add_cipher(EVP_aes_192_gcm());
1316 + EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
1317 + EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
1318 + EVP_add_cipher(EVP_aes_256_ecb());
1319 + EVP_add_cipher(EVP_aes_256_cbc());
1320 + EVP_add_cipher(EVP_aes_256_cfb());
1321 + EVP_add_cipher(EVP_aes_256_cfb1());
1322 + EVP_add_cipher(EVP_aes_256_cfb8());
1323 + EVP_add_cipher(EVP_aes_256_ofb());
1324 + EVP_add_cipher(EVP_aes_256_ctr());
1325 + EVP_add_cipher(EVP_aes_256_gcm());
1326 + EVP_add_cipher(EVP_aes_256_xts());
1327 + EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
1328 + EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
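Review bot: The FIPS-mode cipher table at lines 1280–1328 does not register `EVP_des_ede3_cfb1()` or `EVP_des_ede3_cfb8()`, even though e_des3.c in this same patch marks both `EVP_CIPH_FLAG_FIPS` (its `BLOCK_CIPHER_def_cfb(des_ede3, ..., 1, ...)` and `..., 8, ...)` definitions), so a name lookup such as `EVP_get_cipherbyname("des-ede3-cfb1")` would fail in FIPS mode while the cipher itself passes the EVP_CipherInit_ex gate; the AES CCM ciphers flagged FIPS in e_aes.c are likewise absent here. If the non-FIPS table above (outside this hunk) registers them, add `EVP_add_cipher(EVP_des_ede3_cfb1()); EVP_add_cipher(EVP_des_ede3_cfb8());` after the `EVP_des_ede3_cfb()` entry and the CCM entries beside GCM. A one-line comment that this list must mirror every cipher carrying EVP_CIPH_FLAG_FIPS would help keep the two places in sync. The lines bracketing this table (1277–1279, 1329–1332) are not visible, so how it is selected against the non-FIPS list cannot be confirmed from here.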
1333 diff -up openssl-1.0.1b/crypto/evp/c_alld.c.fips openssl-1.0.1b/crypto/evp/c_alld.c
1334 --- openssl-1.0.1b/crypto/evp/c_alld.c.fips 2009-07-08 10:50:53.000000000 +0200
1335 +++ openssl-1.0.1b/crypto/evp/c_alld.c 2012-04-26 18:00:51.390769081 +0200
1338 void OpenSSL_add_all_digests(void)
1340 +#ifdef OPENSSL_FIPS
1341 + OPENSSL_init_library();
1345 #ifndef OPENSSL_NO_MD4
1346 EVP_add_digest(EVP_md4());
1348 @@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
1349 #ifndef OPENSSL_NO_WHIRLPOOL
1350 EVP_add_digest(EVP_whirlpool());
1352 +#ifdef OPENSSL_FIPS
1356 +#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
1357 + EVP_add_digest(EVP_sha1());
1358 + EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
1359 + EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
1360 +#ifndef OPENSSL_NO_DSA
1361 + EVP_add_digest(EVP_dss1());
1362 + EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
1363 + EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
1364 + EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
1366 +#ifndef OPENSSL_NO_ECDSA
1367 + EVP_add_digest(EVP_ecdsa());
1370 +#ifndef OPENSSL_NO_SHA256
1371 + EVP_add_digest(EVP_sha224());
1372 + EVP_add_digest(EVP_sha256());
1374 +#ifndef OPENSSL_NO_SHA512
1375 + EVP_add_digest(EVP_sha384());
1376 + EVP_add_digest(EVP_sha512());
1381 diff -up openssl-1.0.1b/crypto/evp/digest.c.fips openssl-1.0.1b/crypto/evp/digest.c
1382 --- openssl-1.0.1b/crypto/evp/digest.c.fips 2011-05-29 17:55:13.000000000 +0200
1383 +++ openssl-1.0.1b/crypto/evp/digest.c 2012-04-26 18:00:51.391769103 +0200
1384 @@ -142,9 +142,50 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons
1385 return EVP_DigestInit_ex(ctx, type, NULL);
1388 +#ifdef OPENSSL_FIPS
1390 +/* The purpose of these is to trap programs that attempt to use non FIPS
1391 + * algorithms in FIPS mode and ignore the errors.
1394 +static int bad_init(EVP_MD_CTX *ctx)
1395 + { FIPS_ERROR_IGNORED("Digest init"); return 0;}
1397 +static int bad_update(EVP_MD_CTX *ctx,const void *data,size_t count)
1398 + { FIPS_ERROR_IGNORED("Digest update"); return 0;}
1400 +static int bad_final(EVP_MD_CTX *ctx,unsigned char *md)
1401 + { FIPS_ERROR_IGNORED("Digest Final"); return 0;}
1403 +static const EVP_MD bad_md =
1421 int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
1423 EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
1424 +#ifdef OPENSSL_FIPS
1425 + if(FIPS_selftest_failed())
1427 + FIPSerr(FIPS_F_EVP_DIGESTINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED);
1428 + ctx->digest = &bad_md;
1432 #ifndef OPENSSL_NO_ENGINE
1433 /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
1434 * so this context may already have an ENGINE! Try to avoid releasing
1435 @@ -201,6 +242,18 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
1437 if (ctx->digest != type)
1439 +#ifdef OPENSSL_FIPS
1442 + if (!(type->flags & EVP_MD_FLAG_FIPS)
1443 + && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))
1445 + EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
1446 + ctx->digest = &bad_md;
1451 if (ctx->digest && ctx->digest->ctx_size)
1452 OPENSSL_free(ctx->md_data);
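Review bot: ctx->digest is overwritten with &bad_md at line 1446 before the context's existing md_data is released: the `if (ctx->digest && ctx->digest->ctx_size) OPENSSL_free(ctx->md_data)` at 1451–1452 is bypassed by the return in the elided lines, and the EVP_MD_CTX_cleanup hunk later in this file sizes its OPENSSL_cleanse/free by ctx->digest->ctx_size, so if bad_md's ctx_size is 0 (its initializer is not in view) the previous digest's state is neither zeroed nor freed. The selftest-failed path in the preceding hunk performs the same swap. Release the old state before swapping: `if (ctx->digest && ctx->digest->ctx_size && ctx->md_data)` / `{ OPENSSL_cleanse(ctx->md_data, ctx->digest->ctx_size); OPENSSL_free(ctx->md_data); ctx->md_data = NULL; }`. EVP_DigestInit_ex continues beyond this hunk.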
1454 @@ -229,26 +282,15 @@ skip_to_init:
1456 if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT)
1458 -#ifdef OPENSSL_FIPS
1461 - if (FIPS_digestinit(ctx, type))
1463 - OPENSSL_free(ctx->md_data);
1464 - ctx->md_data = NULL;
1468 return ctx->digest->init(ctx);
1471 int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
1474 - return FIPS_digestupdate(ctx, data, count);
1476 - return ctx->update(ctx,data,count);
1477 + FIPS_selftest_check();
1479 + return ctx->update(ctx,data,count);
1482 /* The caller can assume that this removes any secret data from the context */
1483 @@ -263,10 +305,11 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, uns
1484 /* The caller can assume that this removes any secret data from the context */
1485 int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
1487 -#ifdef OPENSSL_FIPS
1488 - return FIPS_digestfinal(ctx, md, size);
1491 +#ifdef OPENSSL_FIPS
1492 + FIPS_selftest_check();
1495 OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
1496 ret=ctx->digest->final(ctx,md);
1498 @@ -278,7 +321,6 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx,
1500 memset(ctx->md_data,0,ctx->digest->ctx_size);
1505 int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in)
1506 @@ -372,7 +414,6 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
1507 /* This call frees resources associated with the context */
1508 int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
1510 -#ifndef OPENSSL_FIPS
1511 /* Don't assume ctx->md_data was cleaned in EVP_Digest_Final,
1512 * because sometimes only copies of the context are ever finalised.
1514 @@ -385,7 +426,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
1515 OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size);
1516 OPENSSL_free(ctx->md_data);
1520 EVP_PKEY_CTX_free(ctx->pctx);
1521 #ifndef OPENSSL_NO_ENGINE
1522 @@ -394,9 +434,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
1523 * functional reference we held for this reason. */
1524 ENGINE_finish(ctx->engine);
1526 -#ifdef OPENSSL_FIPS
1527 - FIPS_md_ctx_cleanup(ctx);
1529 memset(ctx,'\0',sizeof *ctx);
1532 diff -up openssl-1.0.1b/crypto/evp/e_aes.c.fips openssl-1.0.1b/crypto/evp/e_aes.c
1533 --- openssl-1.0.1b/crypto/evp/e_aes.c.fips 2011-11-15 13:19:56.000000000 +0100
1534 +++ openssl-1.0.1b/crypto/evp/e_aes.c 2012-04-26 18:00:51.391769103 +0200
1537 #include <openssl/aes.h>
1538 #include "evp_locl.h"
1539 -#ifndef OPENSSL_FIPS
1540 #include "modes_lcl.h"
1541 #include <openssl/rand.h>
1543 @@ -716,7 +715,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *
1547 - if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
1548 + if (FIPS_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
1552 @@ -1128,7 +1127,7 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
1555 /* Requirement of SP800-38E */
1556 - if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
1557 + if (FIPS_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
1558 (len > (1UL<<20)*16))
1560 EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
1561 @@ -1310,4 +1309,3 @@ BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm
1562 BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1566 diff -up openssl-1.0.1b/crypto/evp/e_des3.c.fips openssl-1.0.1b/crypto/evp/e_des3.c
1567 --- openssl-1.0.1b/crypto/evp/e_des3.c.fips 2011-05-29 01:01:26.000000000 +0200
1568 +++ openssl-1.0.1b/crypto/evp/e_des3.c 2012-04-26 18:00:51.392769125 +0200
1570 #include <openssl/des.h>
1571 #include <openssl/rand.h>
1573 -#ifndef OPENSSL_FIPS
1575 static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1576 const unsigned char *iv,int enc);
1578 @@ -208,9 +206,9 @@ static int des_ede3_cfb8_cipher(EVP_CIPH
1581 BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
1582 - EVP_CIPH_RAND_KEY, des_ede_init_key, NULL,
1583 - EVP_CIPHER_set_asn1_iv,
1584 - EVP_CIPHER_get_asn1_iv,
1585 + EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
1590 #define des_ede3_cfb64_cipher des_ede_cfb64_cipher
1591 @@ -219,21 +217,21 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY,
1592 #define des_ede3_ecb_cipher des_ede_ecb_cipher
1594 BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
1595 - EVP_CIPH_RAND_KEY, des_ede3_init_key, NULL,
1596 - EVP_CIPHER_set_asn1_iv,
1597 - EVP_CIPHER_get_asn1_iv,
1598 + EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
1599 + des_ede3_init_key,
1603 BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1,
1604 - EVP_CIPH_RAND_KEY, des_ede3_init_key,NULL,
1605 - EVP_CIPHER_set_asn1_iv,
1606 - EVP_CIPHER_get_asn1_iv,
1607 + EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
1608 + des_ede3_init_key,
1612 BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8,
1613 - EVP_CIPH_RAND_KEY, des_ede3_init_key,NULL,
1614 - EVP_CIPHER_set_asn1_iv,
1615 - EVP_CIPHER_get_asn1_iv,
1616 + EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
1617 + des_ede3_init_key,
1621 static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1622 @@ -313,4 +311,3 @@ const EVP_CIPHER *EVP_des_ede3(void)
1623 return &des_ede3_ecb;
1627 diff -up openssl-1.0.1b/crypto/evp/e_null.c.fips openssl-1.0.1b/crypto/evp/e_null.c
1628 --- openssl-1.0.1b/crypto/evp/e_null.c.fips 2011-06-20 22:00:10.000000000 +0200
1629 +++ openssl-1.0.1b/crypto/evp/e_null.c 2012-04-26 18:00:51.392769125 +0200
1631 #include <openssl/evp.h>
1632 #include <openssl/objects.h>
1634 -#ifndef OPENSSL_FIPS
1636 static int null_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1637 const unsigned char *iv,int enc);
1638 static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1639 @@ -71,7 +69,7 @@ static const EVP_CIPHER n_cipher=
1644 + EVP_CIPH_FLAG_FIPS,
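Review bot: The null cipher acquires `EVP_CIPH_FLAG_FIPS` at line 1644 without explanation, which lets it through the FIPS-mode gate added to EVP_CipherInit_ex in this same patch; that is presumably intended (an identity transform makes no security claim, and NULL-encryption, MAC-only use needs it), but someone auditing the FIPS-flagged set will otherwise read it as an approved algorithm. Add `/* EVP_CIPH_FLAG_FIPS: not an approved algorithm; identity transform with no security claim, allowed so NULL-encryption (MAC-only) use keeps working in FIPS mode */` beside the flag. The surrounding n_cipher initializer fields are elided from the hunk.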
1648 @@ -101,4 +99,3 @@ static int null_cipher(EVP_CIPHER_CTX *c
1649 memcpy((char *)out,(const char *)in,inl);
1653 diff -up openssl-1.0.1b/crypto/evp/evp_enc.c.fips openssl-1.0.1b/crypto/evp/evp_enc.c
1654 --- openssl-1.0.1b/crypto/evp/evp_enc.c.fips 2012-04-20 02:07:48.000000000 +0200
1655 +++ openssl-1.0.1b/crypto/evp/evp_enc.c 2012-04-26 18:02:25.419823276 +0200
1658 #include "evp_locl.h"
1660 -#ifdef OPENSSL_FIPS
1661 -#define M_do_cipher(ctx, out, in, inl) FIPS_cipher(ctx, out, in, inl)
1663 #define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl)
1667 const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT;
1669 +#ifdef OPENSSL_FIPS
1671 +/* The purpose of these is to trap programs that attempt to use non FIPS
1672 + * algorithms in FIPS mode and ignore the errors.
1675 +static int bad_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1676 + const unsigned char *iv, int enc)
1677 + { FIPS_ERROR_IGNORED("Cipher init"); return 0;}
1679 +static int bad_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1680 + const unsigned char *in, unsigned int inl)
1681 + { FIPS_ERROR_IGNORED("Cipher update"); return 0;}
1683 +/* NB: no cleanup because it is allowed after failed init */
1685 +static int bad_set_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
1686 + { FIPS_ERROR_IGNORED("Cipher set_asn1"); return 0;}
1687 +static int bad_get_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
1688 + { FIPS_ERROR_IGNORED("Cipher get_asn1"); return 0;}
1689 +static int bad_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
1690 + { FIPS_ERROR_IGNORED("Cipher ctrl"); return 0;}
1692 +static const EVP_CIPHER bad_cipher =
1711 void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
1713 +#ifdef OPENSSL_FIPS
1714 + FIPS_selftest_check();
1716 memset(ctx,0,sizeof(EVP_CIPHER_CTX));
1717 /* ctx->cipher=NULL; */
1719 @@ -111,6 +152,14 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
1723 +#ifdef OPENSSL_FIPS
1724 + if(FIPS_selftest_failed())
1726 + FIPSerr(FIPS_F_EVP_CIPHERINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED);
1727 + ctx->cipher = &bad_cipher;
1731 #ifndef OPENSSL_NO_ENGINE
1732 /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
1733 * so this context may already have an ENGINE! Try to avoid releasing
1734 @@ -169,10 +218,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
1738 -#ifdef OPENSSL_FIPS
1740 - return FIPS_cipherinit(ctx, cipher, key, iv, enc);
1743 if (ctx->cipher->ctx_size)
1745 @@ -206,10 +251,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
1746 #ifndef OPENSSL_NO_ENGINE
1749 -#ifdef OPENSSL_FIPS
1751 - return FIPS_cipherinit(ctx, cipher, key, iv, enc);
1753 /* we assume block size is a power of 2 in *cryptUpdate */
1754 OPENSSL_assert(ctx->cipher->block_size == 1
1755 || ctx->cipher->block_size == 8
1756 @@ -249,6 +290,22 @@ skip_to_init:
1760 +#ifdef OPENSSL_FIPS
1761 + /* After 'key' is set no further parameters changes are permissible.
1762 + * So only check for non FIPS enabling at this point.
1764 + if (key && FIPS_mode())
1766 + if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS)
1767 + & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
1769 + EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS);
1770 + ctx->cipher = &bad_cipher;
1776 if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
1777 if(!ctx->cipher->init(ctx,key,iv,enc)) return 0;
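Review bot: The FIPS gate at lines 1766–1767 joins its two conditions with bitwise `&` (`!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS) & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)`); it only works because both operands are already 0/1 from `!`, and the matching digest check in digest.c in this patch uses `&&`. Change it to `&& !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))` so the two gates read alike and a later edit dropping a `!` cannot silently turn it into a mask. Separately, swapping ctx->cipher to &bad_cipher at 1770 (and at 1727 in the earlier hunk) happens after cipher_data was allocated for the real cipher, so the later EVP_CIPHER_CTX_cleanup skips the real cipher's cleanup callback and, if bad_cipher's ctx_size is 0 (initializer not in view), frees the rejected cipher's key material with a zero-length cleanse. EVP_CipherInit_ex continues beyond this hunk.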
1779 @@ -568,7 +625,6 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX
1781 int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
1783 -#ifndef OPENSSL_FIPS
1784 if (c->cipher != NULL)
1786 if(c->cipher->cleanup && !c->cipher->cleanup(c))
1787 @@ -579,16 +635,12 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CT
1790 OPENSSL_free(c->cipher_data);
1792 #ifndef OPENSSL_NO_ENGINE
1794 /* The EVP_CIPHER we used belongs to an ENGINE, release the
1795 * functional reference we held for this reason. */
1796 ENGINE_finish(c->engine);
1798 -#ifdef OPENSSL_FIPS
1799 - FIPS_cipher_ctx_cleanup(c);
1801 memset(c,0,sizeof(EVP_CIPHER_CTX));
1804 diff -up openssl-1.0.1b/crypto/evp/evp.h.fips openssl-1.0.1b/crypto/evp/evp.h
1805 --- openssl-1.0.1b/crypto/evp/evp.h.fips 2012-04-26 18:00:51.128763357 +0200
1806 +++ openssl-1.0.1b/crypto/evp/evp.h 2012-04-26 18:00:51.394769168 +0200
1808 #include <openssl/bio.h>
1811 +#ifdef OPENSSL_FIPS
1812 +#include <openssl/fips.h>
1816 #define EVP_RC2_KEY_SIZE 16
1817 #define EVP_RC4_KEY_SIZE 16
1818 @@ -272,10 +276,6 @@ struct env_md_ctx_st
1820 #define EVP_MD_CTX_FLAG_REUSE 0x0004 /* Don't free up ctx->md_data
1821 * in EVP_MD_CTX_cleanup */
1822 -/* FIPS and pad options are ignored in 1.0.0, definitions are here
1823 - * so we don't accidentally reuse the values for other purposes.
1826 #define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008 /* Allow use of non FIPS digest
1829 @@ -287,6 +287,10 @@ struct env_md_ctx_st
1830 #define EVP_MD_CTX_FLAG_PAD_PKCS1 0x00 /* PKCS#1 v1.5 mode */
1831 #define EVP_MD_CTX_FLAG_PAD_X931 0x10 /* X9.31 mode */
1832 #define EVP_MD_CTX_FLAG_PAD_PSS 0x20 /* PSS mode */
1833 +#define M_EVP_MD_CTX_FLAG_PSS_SALT(ctx) \
1834 + ((ctx->flags>>16) &0xFFFF) /* seed length */
1835 +#define EVP_MD_CTX_FLAG_PSS_MDLEN 0xFFFF /* salt len same as digest */
1836 +#define EVP_MD_CTX_FLAG_PSS_MREC 0xFFFE /* salt max or auto recovered */
1838 #define EVP_MD_CTX_FLAG_NO_INIT 0x0100 /* Don't initialize md_data */
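Review bot: `M_EVP_MD_CTX_FLAG_PSS_SALT(ctx)` at lines 1833–1834 uses its argument unparenthesised (`ctx->flags`), so any argument other than a plain identifier (`&mctx`, a conditional expression) expands wrongly; write it as `(((ctx)->flags >> 16) & 0xFFFF)` with the argument and the whole expansion parenthesised. Its comment `/* seed length */` is misleading — the value is the PSS salt length, as the macro name and the two sentinels below say — so `/* PSS salt length (upper 16 bits of flags) */` would be accurate. The two sentinels (0xFFFF digest length, 0xFFFE max-or-auto) are read by both p_sign.c and p_verify.c in this patch; stating here which RSA_PKCS1_PSS saltlen each maps to would keep those callers from drifting.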
1840 @@ -338,15 +342,15 @@ struct evp_cipher_st
1841 /* cipher handles random key generation */
1842 #define EVP_CIPH_RAND_KEY 0x200
1843 /* cipher has its own additional copying logic */
1844 -#define EVP_CIPH_CUSTOM_COPY 0x400
1845 +#define EVP_CIPH_CUSTOM_COPY 0x4000
1846 /* Allow use default ASN1 get/set iv */
1847 #define EVP_CIPH_FLAG_DEFAULT_ASN1 0x1000
1848 /* Buffer length in bits not bytes: CFB1 mode only */
1849 #define EVP_CIPH_FLAG_LENGTH_BITS 0x2000
1850 /* Note if suitable for use in FIPS mode */
1851 -#define EVP_CIPH_FLAG_FIPS 0x4000
1852 +#define EVP_CIPH_FLAG_FIPS 0x400
1853 /* Allow non FIPS cipher in FIPS mode */
1854 -#define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x8000
1855 +#define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x800
1856 /* Cipher handles any and all padding logic as well
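Review bot: Lines 1844–1855 swap the bit values of `EVP_CIPH_CUSTOM_COPY` (0x400 → 0x4000) and `EVP_CIPH_FLAG_FIPS` (0x4000 → 0x400) and move `EVP_CIPH_FLAG_NON_FIPS_ALLOW` to 0x800 without a comment. Any EVP_CIPHER built against the upstream header values — a third-party engine, for instance — that sets the old EVP_CIPH_CUSTOM_COPY bit is now read by the FIPS gate in EVP_CipherInit_ex as EVP_CIPH_FLAG_FIPS, i.e. it passes as approved in FIPS mode, and a cipher compiled with the old 0x4000 FIPS value would be treated as needing custom copy logic; the renumbering therefore has a security consequence beyond ABI drift. If this is deliberate (presumably to preserve the bit layout of an earlier FIPS-enabled build), say so next to the definitions: `/* NB: FIPS/CUSTOM_COPY bit values differ from upstream 1.0.1 on purpose (ABI of the earlier FIPS build); engines must be built against these headers */`.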
1859 diff -up openssl-1.0.1b/crypto/evp/evp_lib.c.fips openssl-1.0.1b/crypto/evp/evp_lib.c
1860 --- openssl-1.0.1b/crypto/evp/evp_lib.c.fips 2011-05-29 04:32:05.000000000 +0200
1861 +++ openssl-1.0.1b/crypto/evp/evp_lib.c 2012-04-26 18:00:51.394769168 +0200
1862 @@ -190,6 +190,9 @@ int EVP_CIPHER_CTX_block_size(const EVP_
1864 int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl)
1866 +#ifdef OPENSSL_FIPS
1867 + FIPS_selftest_check();
1869 return ctx->cipher->do_cipher(ctx,out,in,inl);
1872 diff -up openssl-1.0.1b/crypto/evp/evp_locl.h.fips openssl-1.0.1b/crypto/evp/evp_locl.h
1873 --- openssl-1.0.1b/crypto/evp/evp_locl.h.fips 2012-04-26 18:00:51.118763138 +0200
1874 +++ openssl-1.0.1b/crypto/evp/evp_locl.h 2012-04-26 18:00:51.395769190 +0200
1875 @@ -258,10 +258,9 @@ const EVP_CIPHER *EVP_##cname##_ecb(void
1876 BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \
1877 BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \
1878 NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \
1879 - 0, cipher##_init_key, NULL, \
1880 - EVP_CIPHER_set_asn1_iv, \
1881 - EVP_CIPHER_get_asn1_iv, \
1883 + EVP_CIPH_FLAG_DEFAULT_ASN1, \
1884 + cipher##_init_key, NULL, NULL, NULL, NULL)
1887 struct evp_pkey_ctx_st
1889 @@ -367,11 +366,6 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_
1890 #define MD2_Init private_MD2_Init
1891 #define MDC2_Init private_MDC2_Init
1892 #define SHA_Init private_SHA_Init
1893 -#define SHA1_Init private_SHA1_Init
1894 -#define SHA224_Init private_SHA224_Init
1895 -#define SHA256_Init private_SHA256_Init
1896 -#define SHA384_Init private_SHA384_Init
1897 -#define SHA512_Init private_SHA512_Init
1899 #define BF_set_key private_BF_set_key
1900 #define CAST_set_key private_CAST_set_key
1901 @@ -379,7 +373,6 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_
1902 #define SEED_set_key private_SEED_set_key
1903 #define RC2_set_key private_RC2_set_key
1904 #define RC4_set_key private_RC4_set_key
1905 -#define DES_set_key_unchecked private_DES_set_key_unchecked
1906 #define Camellia_set_key private_Camellia_set_key
1909 diff -up openssl-1.0.1b/crypto/evp/Makefile.fips openssl-1.0.1b/crypto/evp/Makefile
1910 --- openssl-1.0.1b/crypto/evp/Makefile.fips 2012-04-26 12:42:19.000000000 +0200
1911 +++ openssl-1.0.1b/crypto/evp/Makefile 2012-04-26 18:00:51.395769190 +0200
1912 @@ -28,7 +28,7 @@ LIBSRC= encode.c digest.c evp_enc.c evp_
1913 bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
1914 c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
1915 evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \
1916 - e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c evp_fips.c \
1917 + e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \
1918 e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c
1920 LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \
1921 @@ -41,7 +41,7 @@ LIBOBJ= encode.o digest.o evp_enc.o evp_
1922 bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \
1923 c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
1924 evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o \
1925 - e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o evp_fips.o \
1926 + e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o \
1927 e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o
1930 diff -up openssl-1.0.1b/crypto/evp/m_dss1.c.fips openssl-1.0.1b/crypto/evp/m_dss1.c
1931 --- openssl-1.0.1b/crypto/evp/m_dss1.c.fips 2011-06-01 17:11:00.000000000 +0200
1932 +++ openssl-1.0.1b/crypto/evp/m_dss1.c 2012-04-26 18:00:51.396769212 +0200
1934 #include <openssl/dsa.h>
1937 -#ifndef OPENSSL_FIPS
1939 static int init(EVP_MD_CTX *ctx)
1940 { return SHA1_Init(ctx->md_data); }
1942 @@ -84,7 +82,7 @@ static const EVP_MD dss1_md=
1946 - EVP_MD_FLAG_PKEY_DIGEST,
1947 + EVP_MD_FLAG_PKEY_DIGEST|EVP_MD_FLAG_FIPS,
1951 @@ -100,4 +98,3 @@ const EVP_MD *EVP_dss1(void)
1956 diff -up openssl-1.0.1b/crypto/evp/m_dss.c.fips openssl-1.0.1b/crypto/evp/m_dss.c
1957 --- openssl-1.0.1b/crypto/evp/m_dss.c.fips 2011-06-01 17:11:00.000000000 +0200
1958 +++ openssl-1.0.1b/crypto/evp/m_dss.c 2012-04-26 18:00:51.396769212 +0200
1962 #ifndef OPENSSL_NO_SHA
1963 -#ifndef OPENSSL_FIPS
1965 static int init(EVP_MD_CTX *ctx)
1966 { return SHA1_Init(ctx->md_data); }
1967 @@ -82,7 +81,7 @@ static const EVP_MD dsa_md=
1971 - EVP_MD_FLAG_PKEY_DIGEST,
1972 + EVP_MD_FLAG_PKEY_DIGEST|EVP_MD_FLAG_FIPS,
1976 @@ -98,4 +97,3 @@ const EVP_MD *EVP_dss(void)
1981 diff -up openssl-1.0.1b/crypto/evp/m_md2.c.fips openssl-1.0.1b/crypto/evp/m_md2.c
1982 --- openssl-1.0.1b/crypto/evp/m_md2.c.fips 2005-07-16 14:37:32.000000000 +0200
1983 +++ openssl-1.0.1b/crypto/evp/m_md2.c 2012-04-26 18:00:51.396769212 +0200
1985 #ifndef OPENSSL_NO_RSA
1986 #include <openssl/rsa.h>
1988 +#include "evp_locl.h"
1990 static int init(EVP_MD_CTX *ctx)
1991 { return MD2_Init(ctx->md_data); }
1992 diff -up openssl-1.0.1b/crypto/evp/m_sha1.c.fips openssl-1.0.1b/crypto/evp/m_sha1.c
1993 --- openssl-1.0.1b/crypto/evp/m_sha1.c.fips 2011-05-29 01:01:26.000000000 +0200
1994 +++ openssl-1.0.1b/crypto/evp/m_sha1.c 2012-04-26 18:00:51.396769212 +0200
1997 #include "cryptlib.h"
1999 -#ifndef OPENSSL_FIPS
2001 #ifndef OPENSSL_NO_SHA
2003 #include <openssl/evp.h>
2004 @@ -85,7 +83,8 @@ static const EVP_MD sha1_md=
2006 NID_sha1WithRSAEncryption,
2008 - EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
2009 + EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
2014 @@ -122,7 +121,8 @@ static const EVP_MD sha224_md=
2016 NID_sha224WithRSAEncryption,
2017 SHA224_DIGEST_LENGTH,
2018 - EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
2019 + EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
2024 @@ -141,7 +141,8 @@ static const EVP_MD sha256_md=
2026 NID_sha256WithRSAEncryption,
2027 SHA256_DIGEST_LENGTH,
2028 - EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
2029 + EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
2034 @@ -172,7 +173,8 @@ static const EVP_MD sha384_md=
2036 NID_sha384WithRSAEncryption,
2037 SHA384_DIGEST_LENGTH,
2038 - EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
2039 + EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
2044 @@ -191,7 +193,8 @@ static const EVP_MD sha512_md=
2046 NID_sha512WithRSAEncryption,
2047 SHA512_DIGEST_LENGTH,
2048 - EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
2049 + EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
2054 @@ -206,4 +209,3 @@ const EVP_MD *EVP_sha512(void)
2055 { return(&sha512_md); }
2056 #endif /* ifndef OPENSSL_NO_SHA512 */
2059 diff -up openssl-1.0.1b/crypto/evp/p_sign.c.fips openssl-1.0.1b/crypto/evp/p_sign.c
2060 --- openssl-1.0.1b/crypto/evp/p_sign.c.fips 2011-06-09 18:02:39.000000000 +0200
2061 +++ openssl-1.0.1b/crypto/evp/p_sign.c 2012-04-26 18:00:51.396769212 +0200
2063 #include <openssl/evp.h>
2064 #include <openssl/objects.h>
2065 #include <openssl/x509.h>
2066 +#include <openssl/rsa.h>
2069 void EVP_SignInit(EVP_MD_CTX *ctx, EVP_MD *type)
2070 @@ -103,6 +104,22 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig
2072 if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
2074 + if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
2075 + if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
2077 + if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS)
2080 + if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
2082 + saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
2083 + if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
2085 + else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
2087 + if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
2090 if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0)
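Review bot: The X9.31 and PSS branches at lines 2074–2087 are independent `if`s, so an EVP_MD_CTX with both EVP_MD_CTX_FLAG_PAD_X931 (0x10) and EVP_MD_CTX_FLAG_PAD_PSS (0x20) set calls EVP_PKEY_CTX_set_rsa_padding twice and silently ends up with PSS; making the second test `else if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS)` (or rejecting the combination) documents the intended exclusivity. The same block is repeated verbatim in p_verify.c's EVP_VerifyFinal in this patch, so a small helper shared through evp_locl.h, say `int evp_md_ctx_set_rsa_padding(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx)`, would keep the two from drifting. The salt-length assignments (2084, 2086) and the `goto err` paths are elided, so their values cannot be checked here. EVP_SignFinal continues outside the hunk.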
2093 diff -up openssl-1.0.1b/crypto/evp/p_verify.c.fips openssl-1.0.1b/crypto/evp/p_verify.c
2094 --- openssl-1.0.1b/crypto/evp/p_verify.c.fips 2011-06-09 18:02:39.000000000 +0200
2095 +++ openssl-1.0.1b/crypto/evp/p_verify.c 2012-04-26 18:00:51.396769212 +0200
2097 #include <openssl/evp.h>
2098 #include <openssl/objects.h>
2099 #include <openssl/x509.h>
2100 +#include <openssl/rsa.h>
2102 int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
2103 unsigned int siglen, EVP_PKEY *pkey)
2104 @@ -88,6 +89,22 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, con
2106 if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
2108 + if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
2109 + if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
2111 + if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS)
2114 + if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
2116 + saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
2117 + if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
2119 + else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
2121 + if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
2124 i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len);
2126 EVP_PKEY_CTX_free(pkctx);
2127 diff -up openssl-1.0.1b/crypto/fips/cavs/fips_aesavs.c.fips openssl-1.0.1b/crypto/fips/cavs/fips_aesavs.c
2128 --- openssl-1.0.1b/crypto/fips/cavs/fips_aesavs.c.fips 2012-04-26 18:00:51.397769234 +0200
2129 +++ openssl-1.0.1b/crypto/fips/cavs/fips_aesavs.c 2012-04-26 18:00:51.397769234 +0200
2131 +/* ====================================================================
2132 + * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
2134 + * Redistribution and use in source and binary forms, with or without
2135 + * modification, are permitted provided that the following conditions
2138 + * 1. Redistributions of source code must retain the above copyright
2139 + * notice, this list of conditions and the following disclaimer.
2141 + * 2. Redistributions in binary form must reproduce the above copyright
2142 + * notice, this list of conditions and the following disclaimer in
2143 + * the documentation and/or other materials provided with the
2146 + * 3. All advertising materials mentioning features or use of this
2147 + * software must display the following acknowledgment:
2148 + * "This product includes software developed by the OpenSSL Project
2149 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
2151 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
2152 + * endorse or promote products derived from this software without
2153 + * prior written permission. For written permission, please contact
2154 + * openssl-core@openssl.org.
2156 + * 5. Products derived from this software may not be called "OpenSSL"
2157 + * nor may "OpenSSL" appear in their names without prior written
2158 + * permission of the OpenSSL Project.
2160 + * 6. Redistributions of any form whatsoever must retain the following
2162 + * "This product includes software developed by the OpenSSL Project
2163 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
2165 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
2166 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
2167 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
2168 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
2169 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
2170 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
2171 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
2172 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
2173 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
2174 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
2175 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
2176 + * OF THE POSSIBILITY OF SUCH DAMAGE.
2179 +/*---------------------------------------------
2180 + NIST AES Algorithm Validation Suite
2183 + Donated to OpenSSL by:
2185 + 20250 Century Blvd, Suite 300
2186 + Germantown, MD 20874
2188 + ----------------------------------------------*/
2191 +#include <stdlib.h>
2192 +#include <string.h>
2194 +#include <assert.h>
2196 +#include <openssl/aes.h>
2197 +#include <openssl/evp.h>
2198 +#include <openssl/bn.h>
2200 +#include <openssl/err.h>
2203 +#ifndef OPENSSL_FIPS
2205 +int main(int argc, char *argv[])
2207 + printf("No FIPS AES support\n");
2213 +#include <openssl/fips.h>
2214 +#include "fips_utl.h"
2216 +#define AES_BLOCK_SIZE 16
2220 +/*-----------------------------------------------*/
2222 +int AESTest(EVP_CIPHER_CTX *ctx,
2223 + char *amode, int akeysz, unsigned char *aKey,
2224 + unsigned char *iVec,
2225 + int dir, /* 0 = decrypt, 1 = encrypt */
2226 + unsigned char *plaintext, unsigned char *ciphertext, int len)
2228 + const EVP_CIPHER *cipher = NULL;
2230 + if (strcasecmp(amode, "CBC") == 0)
2235 + cipher = EVP_aes_128_cbc();
2239 + cipher = EVP_aes_192_cbc();
2243 + cipher = EVP_aes_256_cbc();
2248 + else if (strcasecmp(amode, "ECB") == 0)
2253 + cipher = EVP_aes_128_ecb();
2257 + cipher = EVP_aes_192_ecb();
2261 + cipher = EVP_aes_256_ecb();
2265 + else if (strcasecmp(amode, "CFB128") == 0)
2270 + cipher = EVP_aes_128_cfb128();
2274 + cipher = EVP_aes_192_cfb128();
2278 + cipher = EVP_aes_256_cfb128();
2283 + else if (strncasecmp(amode, "OFB", 3) == 0)
2288 + cipher = EVP_aes_128_ofb();
2292 + cipher = EVP_aes_192_ofb();
2296 + cipher = EVP_aes_256_ofb();
2300 + else if(!strcasecmp(amode,"CFB1"))
2305 + cipher = EVP_aes_128_cfb1();
2309 + cipher = EVP_aes_192_cfb1();
2313 + cipher = EVP_aes_256_cfb1();
2317 + else if(!strcasecmp(amode,"CFB8"))
2322 + cipher = EVP_aes_128_cfb8();
2326 + cipher = EVP_aes_192_cfb8();
2330 + cipher = EVP_aes_256_cfb8();
2336 + printf("Unknown mode: %s\n", amode);
2341 + printf("Invalid key size: %d\n", akeysz);
2344 + if (EVP_CipherInit_ex(ctx, cipher, NULL, aKey, iVec, dir) <= 0)
2346 + if(!strcasecmp(amode,"CFB1"))
2347 + M_EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS);
2349 + EVP_Cipher(ctx, ciphertext, plaintext, len);
2351 + EVP_Cipher(ctx, plaintext, ciphertext, len);
2355 +/*-----------------------------------------------*/
2356 +char *t_tag[2] = {"PLAINTEXT", "CIPHERTEXT"};
2357 +char *t_mode[6] = {"CBC","ECB","OFB","CFB1","CFB8","CFB128"};
2358 +enum Mode {CBC, ECB, OFB, CFB1, CFB8, CFB128};
2359 +enum XCrypt {XDECRYPT, XENCRYPT};
2361 +/*=============================*/
2362 +/* Monte Carlo Tests */
2363 +/*-----------------------------*/
2365 +/*#define gb(a,b) (((a)[(b)/8] >> ((b)%8))&1)*/
2366 +/*#define sb(a,b,v) ((a)[(b)/8]=((a)[(b)/8]&~(1 << ((b)%8)))|(!!(v) << ((b)%8)))*/
2368 +#define gb(a,b) (((a)[(b)/8] >> (7-(b)%8))&1)
2369 +#define sb(a,b,v) ((a)[(b)/8]=((a)[(b)/8]&~(1 << (7-(b)%8)))|(!!(v) << (7-(b)%8)))
2371 +int do_mct(char *amode,
2372 + int akeysz, unsigned char *aKey,unsigned char *iVec,
2373 + int dir, unsigned char *text, int len,
2377 + unsigned char key[101][32];
2378 + unsigned char iv[101][AES_BLOCK_SIZE];
2379 + unsigned char ptext[1001][32];
2380 + unsigned char ctext[1001][32];
2381 + unsigned char ciphertext[64+4];
2382 + int i, j, n, n1, n2;
2383 + int imode = 0, nkeysz = akeysz/8;
2384 + EVP_CIPHER_CTX ctx;
2385 + EVP_CIPHER_CTX_init(&ctx);
2389 + printf("\n>>>> Length exceeds 32 for %s %d <<<<\n\n",
2393 + for (imode = 0; imode < 6; ++imode)
2394 + if (strcmp(amode, t_mode[imode]) == 0)
2398 + printf("Unrecognized mode: %s\n", amode);
2402 + memcpy(key[0], aKey, nkeysz);
2404 + memcpy(iv[0], iVec, AES_BLOCK_SIZE);
2405 + if (dir == XENCRYPT)
2406 + memcpy(ptext[0], text, len);
2408 + memcpy(ctext[0], text, len);
2409 + for (i = 0; i < 100; ++i)
2411 + /* printf("Iteration %d\n", i); */
2414 + fprintf(rfp,"COUNT = %d\n",i);
2415 + OutputValue("KEY",key[i],nkeysz,rfp,0);
2416 + if (imode != ECB) /* ECB */
2417 + OutputValue("IV",iv[i],AES_BLOCK_SIZE,rfp,0);
2418 + /* Output Ciphertext | Plaintext */
2419 + OutputValue(t_tag[dir^1],dir ? ptext[0] : ctext[0],len,rfp,
2422 + for (j = 0; j < 1000; ++j)
2428 + { /* set up encryption */
2429 + ret = AESTest(&ctx, amode, akeysz, key[i], NULL,
2430 + dir, /* 0 = decrypt, 1 = encrypt */
2431 + ptext[j], ctext[j], len);
2432 + if (dir == XENCRYPT)
2433 + memcpy(ptext[j+1], ctext[j], len);
2435 + memcpy(ctext[j+1], ptext[j], len);
2439 + if (dir == XENCRYPT)
2441 + EVP_Cipher(&ctx, ctext[j], ptext[j], len);
2442 + memcpy(ptext[j+1], ctext[j], len);
2446 + EVP_Cipher(&ctx, ptext[j], ctext[j], len);
2447 + memcpy(ctext[j+1], ptext[j], len);
2457 + ret = AESTest(&ctx, amode, akeysz, key[i], iv[i],
2458 + dir, /* 0 = decrypt, 1 = encrypt */
2459 + ptext[j], ctext[j], len);
2460 + if (dir == XENCRYPT)
2461 + memcpy(ptext[j+1], iv[i], len);
2463 + memcpy(ctext[j+1], iv[i], len);
2467 + if (dir == XENCRYPT)
2469 + EVP_Cipher(&ctx, ctext[j], ptext[j], len);
2470 + memcpy(ptext[j+1], ctext[j-1], len);
2474 + EVP_Cipher(&ctx, ptext[j], ctext[j], len);
2475 + memcpy(ctext[j+1], ptext[j-1], len);
2483 + ret = AESTest(&ctx, amode, akeysz, key[i], iv[i],
2484 + dir, /* 0 = decrypt, 1 = encrypt */
2485 + ptext[j], ctext[j], len);
2489 + if (dir == XENCRYPT)
2490 + EVP_Cipher(&ctx, ctext[j], ptext[j], len);
2492 + EVP_Cipher(&ctx, ptext[j], ctext[j], len);
2494 + if (dir == XENCRYPT)
2497 + memcpy(ptext[j+1], &iv[i][j], len);
2499 + memcpy(ptext[j+1], ctext[j-16], len);
2504 + memcpy(ctext[j+1], &iv[i][j], len);
2506 + memcpy(ctext[j+1], ptext[j-16], len);
2514 + /* compensate for wrong endianness of input file */
2518 + ret = AESTest(&ctx,amode,akeysz,key[i],iv[i],dir,
2519 + ptext[j], ctext[j], len);
2523 + if (dir == XENCRYPT)
2524 + EVP_Cipher(&ctx, ctext[j], ptext[j], len);
2526 + EVP_Cipher(&ctx, ptext[j], ctext[j], len);
2529 + if(dir == XENCRYPT)
2532 + sb(ptext[j+1],0,gb(iv[i],j));
2534 + sb(ptext[j+1],0,gb(ctext[j-128],0));
2539 + sb(ctext[j+1],0,gb(iv[i],j));
2541 + sb(ctext[j+1],0,gb(ptext[j-128],0));
2546 + --j; /* reset to last of range */
2547 + /* Output Ciphertext | Plaintext */
2548 + OutputValue(t_tag[dir],dir ? ctext[j] : ptext[j],len,rfp,
2550 + fprintf(rfp, "\n"); /* add separator */
2552 + /* Compute next KEY */
2553 + if (dir == XENCRYPT)
2555 + if (imode == CFB8)
2556 + { /* ct = CT[j-15] || CT[j-14] || ... || CT[j] */
2557 + for (n1 = 0, n2 = nkeysz-1; n1 < nkeysz; ++n1, --n2)
2558 + ciphertext[n1] = ctext[j-n2][0];
2560 + else if(imode == CFB1)
2562 + for(n1=0,n2=akeysz-1 ; n1 < akeysz ; ++n1,--n2)
2563 + sb(ciphertext,n1,gb(ctext[j-n2],0));
2569 + memcpy(ciphertext, ctext[j], 16);
2572 + memcpy(ciphertext, ctext[j-1]+8, 8);
2573 + memcpy(ciphertext+8, ctext[j], 16);
2576 + memcpy(ciphertext, ctext[j-1], 16);
2577 + memcpy(ciphertext+16, ctext[j], 16);
2583 + if (imode == CFB8)
2584 + { /* ct = CT[j-15] || CT[j-14] || ... || CT[j] */
2585 + for (n1 = 0, n2 = nkeysz-1; n1 < nkeysz; ++n1, --n2)
2586 + ciphertext[n1] = ptext[j-n2][0];
2588 + else if(imode == CFB1)
2590 + for(n1=0,n2=akeysz-1 ; n1 < akeysz ; ++n1,--n2)
2591 + sb(ciphertext,n1,gb(ptext[j-n2],0));
2597 + memcpy(ciphertext, ptext[j], 16);
2600 + memcpy(ciphertext, ptext[j-1]+8, 8);
2601 + memcpy(ciphertext+8, ptext[j], 16);
2604 + memcpy(ciphertext, ptext[j-1], 16);
2605 + memcpy(ciphertext+16, ptext[j], 16);
2609 + /* Compute next key: Key[i+1] = Key[i] xor ct */
2610 + for (n = 0; n < nkeysz; ++n)
2611 + key[i+1][n] = key[i][n] ^ ciphertext[n];
2613 + /* Compute next IV and text */
2614 + if (dir == XENCRYPT)
2619 + memcpy(ptext[0], ctext[j], AES_BLOCK_SIZE);
2624 + memcpy(iv[i+1], ctext[j], AES_BLOCK_SIZE);
2625 + memcpy(ptext[0], ctext[j-1], AES_BLOCK_SIZE);
2628 + /* IV[i+1] = ct */
2629 + for (n1 = 0, n2 = 15; n1 < 16; ++n1, --n2)
2630 + iv[i+1][n1] = ctext[j-n2][0];
2631 + ptext[0][0] = ctext[j-16][0];
2634 + for(n1=0,n2=127 ; n1 < 128 ; ++n1,--n2)
2635 + sb(iv[i+1],n1,gb(ctext[j-n2],0));
2636 + ptext[0][0]=ctext[j-128][0]&0x80;
2645 + memcpy(ctext[0], ptext[j], AES_BLOCK_SIZE);
2650 + memcpy(iv[i+1], ptext[j], AES_BLOCK_SIZE);
2651 + memcpy(ctext[0], ptext[j-1], AES_BLOCK_SIZE);
2654 + for (n1 = 0, n2 = 15; n1 < 16; ++n1, --n2)
2655 + iv[i+1][n1] = ptext[j-n2][0];
2656 + ctext[0][0] = ptext[j-16][0];
2659 + for(n1=0,n2=127 ; n1 < 128 ; ++n1,--n2)
2660 + sb(iv[i+1],n1,gb(ptext[j-n2],0));
2661 + ctext[0][0]=ptext[j-128][0]&0x80;
2670 +/*================================================*/
2671 +/*----------------------------
2672 + # Config info for v-one
2673 + # AESVS MMT test data for ECB
2674 + # State : Encrypt and Decrypt
2675 + # Key Length : 256
2676 + # Fri Aug 30 04:07:22 PM
2677 + ----------------------------*/
2679 +int proc_file(char *rqfile, char *rspfile)
2681 + char afn[256], rfn[256];
2682 + FILE *afp = NULL, *rfp = NULL;
2685 + int ilen, len, ret = 0;
2686 + char algo[8] = "";
2687 + char amode[8] = "";
2688 + char atest[8] = "";
2690 + unsigned char iVec[20], aKey[40];
2691 + int dir = -1, err = 0, step = 0;
2692 + unsigned char plaintext[2048];
2693 + unsigned char ciphertext[2048];
2695 + EVP_CIPHER_CTX ctx;
2696 + EVP_CIPHER_CTX_init(&ctx);
2698 + if (!rqfile || !(*rqfile))
2700 + printf("No req file\n");
2703 + strcpy(afn, rqfile);
2705 + if ((afp = fopen(afn, "r")) == NULL)
2707 + printf("Cannot open file: %s, %s\n",
2708 + afn, strerror(errno));
2714 + rp=strstr(rfn,"req/");
2715 +#ifdef OPENSSL_SYS_WIN32
2717 + rp=strstr(rfn,"req\\");
2720 + memcpy(rp,"rsp",3);
2721 + rp = strstr(rfn, ".req");
2722 + memcpy(rp, ".rsp", 4);
2725 + if ((rfp = fopen(rspfile, "w")) == NULL)
2727 + printf("Cannot open file: %s, %s\n",
2728 + rfn, strerror(errno));
2733 + while (!err && (fgets(ibuf, sizeof(ibuf), afp)) != NULL)
2735 + tidy_line(tbuf, ibuf);
2736 + ilen = strlen(ibuf);
2737 + /* printf("step=%d ibuf=%s",step,ibuf); */
2740 + case 0: /* read preamble */
2741 + if (ibuf[0] == '\n')
2742 + { /* end of preamble */
2743 + if ((*algo == '\0') ||
2744 + (*amode == '\0') ||
2747 + printf("Missing Algorithm, Mode or KeySize (%s/%s/%d)\n",
2748 + algo,amode,akeysz);
2757 + else if (ibuf[0] != '#')
2759 + printf("Invalid preamble item: %s\n", ibuf);
2763 + { /* process preamble */
2764 + char *xp, *pp = ibuf+2;
2767 + { /* insert current time & date */
2768 + time_t rtim = time(0);
2769 + fprintf(rfp, "# %s", ctime(&rtim));
2774 + if (strncmp(pp, "AESVS ", 6) == 0)
2776 + strcpy(algo, "AES");
2777 + /* get test type */
2779 + xp = strchr(pp, ' ');
2781 + strncpy(atest, pp, n);
2784 + xp = strrchr(pp, ' '); /* get mode" */
2785 + n = strlen(xp+1)-1;
2786 + strncpy(amode, xp+1, n);
2788 + /* amode[3] = '\0'; */
2790 + printf("Test = %s, Mode = %s\n", atest, amode);
2792 + else if (strncasecmp(pp, "Key Length : ", 13) == 0)
2794 + akeysz = atoi(pp+13);
2796 + printf("Key size = %d\n", akeysz);
2802 + case 1: /* [ENCRYPT] | [DECRYPT] */
2803 + if (ibuf[0] == '[')
2807 + if (strncasecmp(ibuf, "[ENCRYPT]", 9) == 0)
2809 + else if (strncasecmp(ibuf, "[DECRYPT]", 9) == 0)
2813 + printf("Invalid keyword: %s\n", ibuf);
2818 + else if (dir == -1)
2821 + printf("Missing ENCRYPT/DECRYPT keyword\n");
2827 + case 2: /* KEY = xxxx */
2831 + if(!strncasecmp(ibuf,"COUNT = ",8))
2834 + if (strncasecmp(ibuf, "KEY = ", 6) != 0)
2836 + printf("Missing KEY\n");
2841 + len = hex2bin((char*)ibuf+6, aKey);
2844 + printf("Invalid KEY\n");
2848 + PrintValue("KEY", aKey, len);
2849 + if (strcmp(amode, "ECB") == 0)
2851 + memset(iVec, 0, sizeof(iVec));
2852 + step = (dir)? 4: 5; /* no ivec for ECB */
2859 + case 3: /* IV = xxxx */
2861 + if (strncasecmp(ibuf, "IV = ", 5) != 0)
2863 + printf("Missing IV\n");
2868 + len = hex2bin((char*)ibuf+5, iVec);
2871 + printf("Invalid IV\n");
2875 + PrintValue("IV", iVec, len);
2876 + step = (dir)? 4: 5;
2880 + case 4: /* PLAINTEXT = xxxx */
2882 + if (strncasecmp(ibuf, "PLAINTEXT = ", 12) != 0)
2884 + printf("Missing PLAINTEXT\n");
2889 + int nn = strlen(ibuf+12);
2890 + if(!strcmp(amode,"CFB1"))
2891 + len=bint2bin(ibuf+12,nn-1,plaintext);
2893 + len=hex2bin(ibuf+12, plaintext);
2896 + printf("Invalid PLAINTEXT: %s", ibuf+12);
2900 + if (len >= sizeof(plaintext))
2902 + printf("Buffer overflow\n");
2904 + PrintValue("PLAINTEXT", (unsigned char*)plaintext, len);
2905 + if (strcmp(atest, "MCT") == 0) /* Monte Carlo Test */
2907 + if(do_mct(amode, akeysz, aKey, iVec,
2908 + dir, (unsigned char*)plaintext, len,
2914 + ret = AESTest(&ctx, amode, akeysz, aKey, iVec,
2915 + dir, /* 0 = decrypt, 1 = encrypt */
2916 + plaintext, ciphertext, len);
2917 + OutputValue("CIPHERTEXT",ciphertext,len,rfp,
2918 + !strcmp(amode,"CFB1"));
2924 + case 5: /* CIPHERTEXT = xxxx */
2926 + if (strncasecmp(ibuf, "CIPHERTEXT = ", 13) != 0)
2928 + printf("Missing KEY\n");
2933 + if(!strcmp(amode,"CFB1"))
2934 + len=bint2bin(ibuf+13,strlen(ibuf+13)-1,ciphertext);
2936 + len = hex2bin(ibuf+13,ciphertext);
2939 + printf("Invalid CIPHERTEXT\n");
2944 + PrintValue("CIPHERTEXT", ciphertext, len);
2945 + if (strcmp(atest, "MCT") == 0) /* Monte Carlo Test */
2947 + do_mct(amode, akeysz, aKey, iVec,
2948 + dir, ciphertext, len, rfp);
2952 + ret = AESTest(&ctx, amode, akeysz, aKey, iVec,
2953 + dir, /* 0 = decrypt, 1 = encrypt */
2954 + plaintext, ciphertext, len);
2955 + OutputValue("PLAINTEXT",(unsigned char *)plaintext,len,rfp,
2956 + !strcmp(amode,"CFB1"));
2963 + if (ibuf[0] != '\n')
2966 + printf("Missing terminator\n");
2968 + else if (strcmp(atest, "MCT") != 0)
2969 + { /* MCT already added terminating nl */
2983 +/*--------------------------------------------------
2984 + Processes either a single file or
2985 + a set of files whose names are passed in a file.
2986 + A single file is specified as:
2987 + aes_test -f xxx.req
2988 + A set of files is specified as:
2989 + aes_test -d xxxxx.xxx
2990 + The default is: -d req.txt
2991 +--------------------------------------------------*/
2992 +int main(int argc, char **argv)
2994 + char *rqlist = "req.txt", *rspfile = NULL;
2996 + char fn[250] = "", rfn[256] = "";
2997 + int f_opt = 0, d_opt = 1;
2999 +#ifdef OPENSSL_FIPS
3000 + if(!FIPS_mode_set(1))
3002 + do_print_errors();
3008 + if (strcasecmp(argv[1], "-d") == 0)
3012 + else if (strcasecmp(argv[1], "-f") == 0)
3019 + printf("Invalid parameter: %s\n", argv[1]);
3024 + printf("Missing parameter\n");
3031 + strcpy(fn, argv[2]);
3032 + rspfile = argv[3];
3036 + { /* list of files (directory) */
3037 + if (!(fp = fopen(rqlist, "r")))
3039 + printf("Cannot open req list file\n");
3042 + while (fgets(fn, sizeof(fn), fp))
3044 + strtok(fn, "\r\n");
3047 + printf("Processing: %s\n", rfn);
3048 + if (proc_file(rfn, rspfile))
3050 + printf(">>> Processing failed for: %s <<<\n", rfn);
3056 + else /* single file */
3059 + printf("Processing: %s\n", fn);
3060 + if (proc_file(fn, rspfile))
3062 + printf(">>> Processing failed for: %s <<<\n", fn);
3070 diff -up openssl-1.0.1b/crypto/fips/cavs/fips_cmactest.c.fips openssl-1.0.1b/crypto/fips/cavs/fips_cmactest.c
3071 --- openssl-1.0.1b/crypto/fips/cavs/fips_cmactest.c.fips 2012-04-26 18:00:51.397769234 +0200
3072 +++ openssl-1.0.1b/crypto/fips/cavs/fips_cmactest.c 2012-04-26 18:00:51.397769234 +0200
3074 +/* fips_cmactest.c */
3075 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3078 +/* ====================================================================
3079 + * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
3081 + * Redistribution and use in source and binary forms, with or without
3082 + * modification, are permitted provided that the following conditions
3085 + * 1. Redistributions of source code must retain the above copyright
3086 + * notice, this list of conditions and the following disclaimer.
3088 + * 2. Redistributions in binary form must reproduce the above copyright
3089 + * notice, this list of conditions and the following disclaimer in
3090 + * the documentation and/or other materials provided with the
3093 + * 3. All advertising materials mentioning features or use of this
3094 + * software must display the following acknowledgment:
3095 + * "This product includes software developed by the OpenSSL Project
3096 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
3098 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
3099 + * endorse or promote products derived from this software without
3100 + * prior written permission. For written permission, please contact
3101 + * licensing@OpenSSL.org.
3103 + * 5. Products derived from this software may not be called "OpenSSL"
3104 + * nor may "OpenSSL" appear in their names without prior written
3105 + * permission of the OpenSSL Project.
3107 + * 6. Redistributions of any form whatsoever must retain the following
3109 + * "This product includes software developed by the OpenSSL Project
3110 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
3112 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
3113 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
3114 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
3115 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
3116 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
3117 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
3118 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
3119 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
3120 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
3121 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
3122 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
3123 + * OF THE POSSIBILITY OF SUCH DAMAGE.
3124 + * ====================================================================
3126 + * This product includes cryptographic software written by Eric Young
3127 + * (eay@cryptsoft.com). This product includes software written by Tim
3128 + * Hudson (tjh@cryptsoft.com).
3132 +#define OPENSSL_FIPSAPI
3136 +#include <string.h>
3137 +#include <openssl/bio.h>
3138 +#include <openssl/evp.h>
3139 +#include <openssl/cmac.h>
3140 +#include <openssl/err.h>
3141 +#include <openssl/bn.h>
3143 +#ifndef OPENSSL_FIPS
3145 +int main(int argc, char *argv[])
3147 + printf("No FIPS CMAC support\n");
3153 +#include <openssl/fips.h>
3154 +#include "fips_utl.h"
3156 +static int cmac_test(const EVP_CIPHER *cipher, FILE *out, FILE *in,
3157 + int mode, int Klen_counts_keys, int known_keylen);
3158 +static int print_cmac_gen(const EVP_CIPHER *cipher, FILE *out,
3159 + unsigned char *Key, int Klen,
3160 + unsigned char *Msg, int Msglen,
3162 +static int print_cmac_ver(const EVP_CIPHER *cipher, FILE *out,
3163 + unsigned char *Key, int Klen,
3164 + unsigned char *Msg, int Msglen,
3165 + unsigned char *Mac, int Maclen,
3169 +int fips_cmactest_main(int argc, char **argv)
3171 +int main(int argc, char **argv)
3174 + FILE *in = NULL, *out = NULL;
3175 + int mode = 0; /* 0 => Generate, 1 => Verify */
3176 + int Klen_counts_keys = 0; /* 0 => Klen is size of one key
3177 + 1 => Klen is amount of keys
3179 + int known_keylen = 0; /* Only set when Klen_counts_keys = 1 */
3180 + const EVP_CIPHER *cipher = 0;
3182 + fips_algtest_init();
3184 + while (argc > 1 && argv[1][0] == '-')
3186 + switch (argv[1][1])
3190 + char *p = &argv[1][2];
3195 + fprintf(stderr, "Option %s needs a value\n", argv[1]);
3202 + if (!strcmp(p, "aes128"))
3203 + cipher = EVP_aes_128_cbc();
3204 + else if (!strcmp(p, "aes192"))
3205 + cipher = EVP_aes_192_cbc();
3206 + else if (!strcmp(p, "aes256"))
3207 + cipher = EVP_aes_256_cbc();
3208 + else if (!strcmp(p, "tdea3") || !strcmp(p, "tdes3"))
3210 + cipher = EVP_des_ede3_cbc();
3211 + Klen_counts_keys = 1;
3216 + fprintf(stderr, "Unknown algorithm %s\n", p);
3228 + fprintf(stderr, "Unknown option %s\n", argv[1]);
3237 + in = fopen(argv[1], "r");
3242 + out = fopen(argv[2], "w");
3246 + fprintf(stderr, "FATAL input initialization error\n");
3252 + fprintf(stderr, "FATAL output initialization error\n");
3256 + if (!cmac_test(cipher, out, in, mode,
3257 + Klen_counts_keys, known_keylen))
3259 + fprintf(stderr, "FATAL cmac file processing error\n");
3267 + if (in && (in != stdin))
3269 + if (out && (out != stdout))
3276 +#define CMAC_TEST_MAXLINELEN 150000
3278 +int cmac_test(const EVP_CIPHER *cipher, FILE *out, FILE *in,
3279 + int mode, int Klen_counts_keys, int known_keylen)
3281 + char *linebuf, *olinebuf, *p, *q;
3282 + char *keyword, *value;
3283 + unsigned char **Keys = NULL, *Msg = NULL, *Mac = NULL;
3284 + unsigned char *Key = NULL;
3285 + int Count, Klen, Mlen, Tlen;
3286 + long Keylen, Msglen, Maclen;
3290 + olinebuf = OPENSSL_malloc(CMAC_TEST_MAXLINELEN);
3291 + linebuf = OPENSSL_malloc(CMAC_TEST_MAXLINELEN);
3293 + if (!linebuf || !olinebuf)
3301 + while (fgets(olinebuf, CMAC_TEST_MAXLINELEN, in))
3304 + strcpy(linebuf, olinebuf);
3305 + keyword = linebuf;
3306 + /* Skip leading space */
3307 + while (isspace((unsigned char)*keyword))
3310 + /* Skip comments */
3311 + if (keyword[0] == '#')
3313 + if (fputs(olinebuf, out) < 0)
3318 + /* Look for = sign */
3319 + p = strchr(linebuf, '=');
3321 + /* If no = or starts with [ (for [L=20] line) just copy */
3324 + if (fputs(olinebuf, out) < 0)
3331 + /* Remove trailing space */
3332 + while (isspace((unsigned char)*q))
3338 + /* Remove leading space from value */
3339 + while (isspace((unsigned char)*value))
3342 + /* Remove trailing space from value */
3343 + p = value + strlen(value) - 1;
3345 + while (*p == '\n' || isspace((unsigned char)*p))
3348 + if (!strcmp(keyword, "Count"))
3352 + Count = atoi(value);
3356 + else if (!strcmp(keyword, "Klen"))
3360 + Klen = atoi(value);
3363 + if (Klen_counts_keys)
3365 + Keys = OPENSSL_malloc(sizeof(*Keys) * Klen);
3366 + memset(Keys, '\0', sizeof(*Keys) * Klen);
3370 + Keys = OPENSSL_malloc(sizeof(*Keys));
3371 + memset(Keys, '\0', sizeof(*Keys));
3374 + else if (!strcmp(keyword, "Mlen"))
3378 + Mlen = atoi(value);
3382 + else if (!strcmp(keyword, "Tlen"))
3386 + Tlen = atoi(value);
3390 + else if (!strcmp(keyword, "Key") && !Klen_counts_keys)
3394 + Keys[0] = hex2bin_m(value, &Keylen);
3398 + else if (!strncmp(keyword, "Key", 3) && Klen_counts_keys)
3400 + int keynum = atoi(keyword + 3);
3401 + if (!keynum || keynum > Klen || Keys[keynum-1])
3403 + Keys[keynum-1] = hex2bin_m(value, &Keylen);
3404 + if (!Keys[keynum-1])
3407 + else if (!strcmp(keyword, "Msg"))
3411 + Msg = hex2bin_m(value, &Msglen);
3415 + else if (!strcmp(keyword, "Mac"))
3421 + Mac = hex2bin_m(value, &Maclen);
3425 + else if (!strcmp(keyword, "Result"))
3434 + fputs(olinebuf, out);
3436 + if (Keys && Msg && (!mode || Mac) && (Tlen > 0) && (Klen > 0))
3438 + if (Klen_counts_keys)
3441 + Key = OPENSSL_malloc(Klen * known_keylen);
3442 + for (x = 0; x < Klen; x++)
3444 + memcpy(Key + x * known_keylen,
3445 + Keys[x], known_keylen);
3446 + OPENSSL_free(Keys[x]);
3448 + Klen *= known_keylen;
3452 + Key = OPENSSL_malloc(Klen);
3453 + memcpy(Key, Keys[0], Klen);
3454 + OPENSSL_free(Keys[0]);
3456 + OPENSSL_free(Keys);
3461 + if (!print_cmac_gen(cipher, out,
3468 + if (!print_cmac_ver(cipher, out,
3477 + OPENSSL_free(Key);
3479 + OPENSSL_free(Msg);
3481 + OPENSSL_free(Mac);
3497 + OPENSSL_free(olinebuf);
3499 + OPENSSL_free(linebuf);
3501 + OPENSSL_free(Key);
3503 + OPENSSL_free(Msg);
3505 + OPENSSL_free(Mac);
3511 + fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
3517 +static int print_cmac_gen(const EVP_CIPHER *cipher, FILE *out,
3518 + unsigned char *Key, int Klen,
3519 + unsigned char *Msg, int Mlen,
3524 + unsigned char res[128];
3525 + CMAC_CTX *cmac_ctx = CMAC_CTX_new();
3527 + CMAC_Init(cmac_ctx, Key, Klen, cipher, 0);
3528 + CMAC_Update(cmac_ctx, Msg, Mlen);
3529 + if (!CMAC_Final(cmac_ctx, res, &reslen))
3531 + fputs("Error calculating CMAC\n", stderr);
3534 + else if (Tlen > (int)reslen)
3536 + fputs("Parameter error, Tlen > CMAC length\n", stderr);
3541 + fputs("Mac = ", out);
3542 + for (i = 0; i < Tlen; i++)
3543 + fprintf(out, "%02x", res[i]);
3544 + fputs(RESP_EOL, out);
3547 + CMAC_CTX_free(cmac_ctx);
3551 +static int print_cmac_ver(const EVP_CIPHER *cipher, FILE *out,
3552 + unsigned char *Key, int Klen,
3553 + unsigned char *Msg, int Mlen,
3554 + unsigned char *Mac, int Maclen,
3559 + unsigned char res[128];
3560 + CMAC_CTX *cmac_ctx = CMAC_CTX_new();
3562 + CMAC_Init(cmac_ctx, Key, Klen, cipher, 0);
3563 + CMAC_Update(cmac_ctx, Msg, Mlen);
3564 + if (!CMAC_Final(cmac_ctx, res, &reslen))
3566 + fputs("Error calculating CMAC\n", stderr);
3569 + else if (Tlen > (int)reslen)
3571 + fputs("Parameter error, Tlen > CMAC length\n", stderr);
3574 + else if (Tlen != Maclen)
3576 + fputs("Parameter error, Tlen != resulting Mac length\n", stderr);
3581 + if (!memcmp(Mac, res, Maclen))
3582 + fputs("Result = P" RESP_EOL, out);
3584 + fputs("Result = F" RESP_EOL, out);
3586 + CMAC_CTX_free(cmac_ctx);
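Review bot: In cmac_test the decoded key length `Keylen` that hex2bin_m reports on the `Keys[0] = hex2bin_m(value, &Keylen)` and `Keys[keynum-1] = hex2bin_m(value, &Keylen)` lines is never compared with the `Klen` / `known_keylen` values parsed from the file, so the later `memcpy(Key, Keys[0], Klen)` and `memcpy(Key + x * known_keylen, Keys[x], known_keylen)` copies read past the decoded buffer whenever the file's Klen exceeds the hex string actually supplied. A guard right after each decode, `if (Keylen != (Klen_counts_keys ? known_keylen : Klen)) goto parse_error;` (jumping to the function's existing "FATAL parse error" path), closes that. The per-key bounds check `if (!keynum || keynum > Klen || Keys[keynum-1])` does not reject a negative atoi result, which indexes below the start of Keys, and it dereferences Keys before any Klen line has allocated it; `if (!Keys || keynum <= 0 || keynum > Klen || Keys[keynum-1])` covers both. The key-assembly loop in the Klen_counts_keys branch likewise only tests that Keys itself is non-NULL, not that every `Keys[x]` slot was filled, and the OPENSSL_malloc results for Keys and Key are used by memset/memcpy without a NULL check. In print_cmac_gen and print_cmac_ver the return values of CMAC_CTX_new and CMAC_Init are also left unchecked before CMAC_Update is called.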
3591 diff -up openssl-1.0.1b/crypto/fips/cavs/fips_desmovs.c.fips openssl-1.0.1b/crypto/fips/cavs/fips_desmovs.c
3592 --- openssl-1.0.1b/crypto/fips/cavs/fips_desmovs.c.fips 2012-04-26 18:00:51.398769255 +0200
3593 +++ openssl-1.0.1b/crypto/fips/cavs/fips_desmovs.c 2012-04-26 18:00:51.398769255 +0200
3595 +/* ====================================================================
3596 + * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
3598 + * Redistribution and use in source and binary forms, with or without
3599 + * modification, are permitted provided that the following conditions
3602 + * 1. Redistributions of source code must retain the above copyright
3603 + * notice, this list of conditions and the following disclaimer.
3605 + * 2. Redistributions in binary form must reproduce the above copyright
3606 + * notice, this list of conditions and the following disclaimer in
3607 + * the documentation and/or other materials provided with the
3610 + * 3. All advertising materials mentioning features or use of this
3611 + * software must display the following acknowledgment:
3612 + * "This product includes software developed by the OpenSSL Project
3613 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
3615 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
3616 + * endorse or promote products derived from this software without
3617 + * prior written permission. For written permission, please contact
3618 + * openssl-core@openssl.org.
3620 + * 5. Products derived from this software may not be called "OpenSSL"
3621 + * nor may "OpenSSL" appear in their names without prior written
3622 + * permission of the OpenSSL Project.
3624 + * 6. Redistributions of any form whatsoever must retain the following
3626 + * "This product includes software developed by the OpenSSL Project
3627 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
3629 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
3630 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
3631 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
3632 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
3633 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
3634 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
3635 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
3636 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
3637 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
3638 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
3639 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
3640 + * OF THE POSSIBILITY OF SUCH DAMAGE.
3643 +/*---------------------------------------------
3644 + NIST DES Modes of Operation Validation System
3647 + Based on the AES Validation Suite, which was:
3648 + Donated to OpenSSL by:
3650 + 20250 Century Blvd, Suite 300
3651 + Germantown, MD 20874
3653 + ----------------------------------------------*/
3656 +#include <stdlib.h>
3657 +#include <string.h>
3659 +#include <assert.h>
3661 +#include <openssl/des.h>
3662 +#include <openssl/evp.h>
3663 +#include <openssl/bn.h>
3665 +#include <openssl/err.h>
3668 +#ifndef OPENSSL_FIPS
3670 +int main(int argc, char *argv[])
3672 + printf("No FIPS DES support\n");
3678 +#include <openssl/fips.h>
3679 +#include "fips_utl.h"
3681 +#define DES_BLOCK_SIZE 8
3685 +int DESTest(EVP_CIPHER_CTX *ctx,
3686 + char *amode, int akeysz, unsigned char *aKey,
3687 + unsigned char *iVec,
3688 + int dir, /* 0 = decrypt, 1 = encrypt */
3689 + unsigned char *out, unsigned char *in, int len)
3691 + const EVP_CIPHER *cipher = NULL;
3693 + if (akeysz != 192)
3695 + printf("Invalid key size: %d\n", akeysz);
3699 + if (strcasecmp(amode, "CBC") == 0)
3700 + cipher = EVP_des_ede3_cbc();
3701 + else if (strcasecmp(amode, "ECB") == 0)
3702 + cipher = EVP_des_ede3_ecb();
3703 + else if (strcasecmp(amode, "CFB64") == 0)
3704 + cipher = EVP_des_ede3_cfb64();
3705 + else if (strncasecmp(amode, "OFB", 3) == 0)
3706 + cipher = EVP_des_ede3_ofb();
3707 + else if(!strcasecmp(amode,"CFB8"))
3708 + cipher = EVP_des_ede3_cfb8();
3709 + else if(!strcasecmp(amode,"CFB1"))
3710 + cipher = EVP_des_ede3_cfb1();
3713 + printf("Unknown mode: %s\n", amode);
3717 + if (EVP_CipherInit_ex(ctx, cipher, NULL, aKey, iVec, dir) <= 0)
3719 + if(!strcasecmp(amode,"CFB1"))
3720 + M_EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS);
3721 + EVP_Cipher(ctx, out, in, len);
3726 +void DebugValue(char *tag, unsigned char *val, int len)
3730 + olen = bin2hex(val, len, obuf);
3731 + printf("%s = %.*s\n", tag, olen, obuf);
3734 +void shiftin(unsigned char *dst,unsigned char *src,int nbits)
3738 + /* move the bytes... */
3739 + memmove(dst,dst+nbits/8,3*8-nbits/8);
3740 + /* append new data */
3741 + memcpy(dst+3*8-nbits/8,src,(nbits+7)/8);
3742 + /* left shift the bits */
3744 + for(n=0 ; n < 3*8 ; ++n)
3745 + dst[n]=(dst[n] << (nbits%8))|(dst[n+1] >> (8-nbits%8));
3748 +/*-----------------------------------------------*/
3749 +char *t_tag[2] = {"PLAINTEXT", "CIPHERTEXT"};
3750 +char *t_mode[6] = {"CBC","ECB","OFB","CFB1","CFB8","CFB64"};
3751 +enum Mode {CBC, ECB, OFB, CFB1, CFB8, CFB64};
3752 +int Sizes[6]={64,64,64,1,8,64};
3754 +void do_mct(char *amode,
3755 + int akeysz, int numkeys, unsigned char *akey,unsigned char *ivec,
3756 + int dir, unsigned char *text, int len,
3760 + unsigned char nk[4*8]; /* longest key+8 */
3761 + unsigned char text0[8];
3763 + for (imode=0 ; imode < 6 ; ++imode)
3764 + if(!strcmp(amode,t_mode[imode]))
3768 + printf("Unrecognized mode: %s\n", amode);
3772 + for(i=0 ; i < 400 ; ++i)
3777 + unsigned char old_iv[8];
3778 + EVP_CIPHER_CTX ctx;
3779 + EVP_CIPHER_CTX_init(&ctx);
3781 + fprintf(rfp,"\nCOUNT = %d\n",i);
3783 + OutputValue("KEY",akey,8,rfp,0);
3785 + for(n=0 ; n < kp ; ++n)
3787 + fprintf(rfp,"KEY%d",n+1);
3788 + OutputValue("",akey+n*8,8,rfp,0);
3792 + OutputValue("IV",ivec,8,rfp,0);
3793 + OutputValue(t_tag[dir^1],text,len,rfp,imode == CFB1);
3795 + /* compensate for endianness */
3799 + memcpy(text0,text,8);
3801 + for(j=0 ; j < 10000 ; ++j)
3803 + unsigned char old_text[8];
3805 + memcpy(old_text,text,8);
3808 + memcpy(old_iv,ivec,8);
3809 + DESTest(&ctx,amode,akeysz,akey,ivec,dir,text,text,len);
3813 + memcpy(old_iv,ctx.iv,8);
3814 + EVP_Cipher(&ctx,text,text,len);
3818 + OutputValue(t_tag[dir],text,len,rfp,imode == CFB1);
3819 + /* memcpy(ivec,text,8); */
3821 + /* DebugValue("iv",ctx.iv,8); */
3822 + /* accumulate material for the next key */
3823 + shiftin(nk,text,Sizes[imode]);
3824 + /* DebugValue("nk",nk,24);*/
3825 + if((dir && (imode == CFB1 || imode == CFB8 || imode == CFB64
3826 + || imode == CBC)) || imode == OFB)
3827 + memcpy(text,old_iv,8);
3829 + if(!dir && (imode == CFB1 || imode == CFB8 || imode == CFB64))
3831 + /* the test specifies using the output of the raw DES operation
3832 + which we don't have, so reconstruct it... */
3833 + for(n=0 ; n < 8 ; ++n)
3834 + text[n]^=old_text[n];
3837 + for(n=0 ; n < 8 ; ++n)
3838 + akey[n]^=nk[16+n];
3839 + for(n=0 ; n < 8 ; ++n)
3840 + akey[8+n]^=nk[8+n];
3841 + for(n=0 ; n < 8 ; ++n)
3842 + akey[16+n]^=nk[n];
3844 + memcpy(&akey[2*8],akey,8);
3846 + memcpy(&akey[8],akey,8);
3847 + DES_set_odd_parity((DES_cblock *)akey);
3848 + DES_set_odd_parity((DES_cblock *)(akey+8));
3849 + DES_set_odd_parity((DES_cblock *)(akey+16));
3850 + memcpy(ivec,ctx.iv,8);
3852 + /* pointless exercise - the final text doesn't depend on the
3853 + initial text in OFB mode, so who cares what it is? (Who
3854 + designed these tests?) */
3856 + for(n=0 ; n < 8 ; ++n)
3857 + text[n]=text0[n]^old_iv[n];
3861 +int proc_file(char *rqfile, char *rspfile)
3863 + char afn[256], rfn[256];
3864 + FILE *afp = NULL, *rfp = NULL;
3865 + char ibuf[2048], tbuf[2048];
3866 + int ilen, len, ret = 0;
3867 + char amode[8] = "";
3868 + char atest[100] = "";
3870 + unsigned char iVec[20], aKey[40];
3871 + int dir = -1, err = 0, step = 0;
3872 + unsigned char plaintext[2048];
3873 + unsigned char ciphertext[2048];
3875 + EVP_CIPHER_CTX ctx;
3877 + EVP_CIPHER_CTX_init(&ctx);
3879 + if (!rqfile || !(*rqfile))
3881 + printf("No req file\n");
3884 + strcpy(afn, rqfile);
3886 + if ((afp = fopen(afn, "r")) == NULL)
3888 + printf("Cannot open file: %s, %s\n",
3889 + afn, strerror(errno));
3895 + rp=strstr(rfn,"req/");
3896 +#ifdef OPENSSL_SYS_WIN32
3898 + rp=strstr(rfn,"req\\");
3901 + memcpy(rp,"rsp",3);
3902 + rp = strstr(rfn, ".req");
3903 + memcpy(rp, ".rsp", 4);
3906 + if ((rfp = fopen(rspfile, "w")) == NULL)
3908 + printf("Cannot open file: %s, %s\n",
3909 + rfn, strerror(errno));
3914 + while (!err && (fgets(ibuf, sizeof(ibuf), afp)) != NULL)
3916 + tidy_line(tbuf, ibuf);
3917 + ilen = strlen(ibuf);
3918 + /* printf("step=%d ibuf=%s",step,ibuf);*/
3919 + if(step == 3 && !strcmp(amode,"ECB"))
3921 + memset(iVec, 0, sizeof(iVec));
3922 + step = (dir)? 4: 5; /* no ivec for ECB */
3926 + case 0: /* read preamble */
3927 + if (ibuf[0] == '\n')
3928 + { /* end of preamble */
3929 + if (*amode == '\0')
3931 + printf("Missing Mode\n");
3940 + else if (ibuf[0] != '#')
3942 + printf("Invalid preamble item: %s\n", ibuf);
3946 + { /* process preamble */
3947 + char *xp, *pp = ibuf+2;
3950 + { /* insert current time & date */
3951 + time_t rtim = time(0);
3952 + fprintf(rfp, "# %s", ctime(&rtim));
3957 + if(!strncmp(pp,"INVERSE ",8) || !strncmp(pp,"DES ",4)
3958 + || !strncmp(pp,"TDES ",5)
3959 + || !strncmp(pp,"PERMUTATION ",12)
3960 + || !strncmp(pp,"SUBSTITUTION ",13)
3961 + || !strncmp(pp,"VARIABLE ",9))
3963 + /* get test type */
3964 + if(!strncmp(pp,"DES ",4))
3966 + else if(!strncmp(pp,"TDES ",5))
3968 + xp = strchr(pp, ' ');
3970 + strncpy(atest, pp, n);
3973 + xp = strrchr(pp, ' '); /* get mode" */
3974 + n = strlen(xp+1)-1;
3975 + strncpy(amode, xp+1, n);
3977 + /* amode[3] = '\0'; */
3979 + printf("Test=%s, Mode=%s\n",atest,amode);
3985 + case 1: /* [ENCRYPT] | [DECRYPT] */
3986 + if(ibuf[0] == '\n')
3988 + if (ibuf[0] == '[')
3992 + if (strncasecmp(ibuf, "[ENCRYPT]", 9) == 0)
3994 + else if (strncasecmp(ibuf, "[DECRYPT]", 9) == 0)
3998 + printf("Invalid keyword: %s\n", ibuf);
4003 + else if (dir == -1)
4006 + printf("Missing ENCRYPT/DECRYPT keyword\n");
4012 + case 2: /* KEY = xxxx */
4018 + if(!strncasecmp(ibuf,"COUNT = ",8))
4023 + if(!strncasecmp(ibuf,"COUNT=",6))
4028 + if(!strncasecmp(ibuf,"NumKeys = ",10))
4030 + numkeys=atoi(ibuf+10);
4035 + if(!strncasecmp(ibuf,"KEY = ",6))
4038 + len = hex2bin((char*)ibuf+6, aKey);
4041 + printf("Invalid KEY\n");
4045 + PrintValue("KEY", aKey, len);
4048 + else if(!strncasecmp(ibuf,"KEYs = ",7))
4051 + len=hex2bin(ibuf+7,aKey);
4054 + printf("Invalid KEY\n");
4058 + memcpy(aKey+8,aKey,8);
4059 + memcpy(aKey+16,aKey,8);
4061 + PrintValue("KEYs",aKey,len);
4064 + else if(!strncasecmp(ibuf,"KEY",3))
4066 + int n=ibuf[3]-'1';
4069 + len=hex2bin(ibuf+7,aKey+n*8);
4072 + printf("Invalid KEY\n");
4077 + PrintValue(ibuf,aKey,len);
4083 + printf("Missing KEY\n");
4088 + case 3: /* IV = xxxx */
4090 + if (strncasecmp(ibuf, "IV = ", 5) != 0)
4092 + printf("Missing IV\n");
4097 + len = hex2bin((char*)ibuf+5, iVec);
4100 + printf("Invalid IV\n");
4104 + PrintValue("IV", iVec, len);
4105 + step = (dir)? 4: 5;
4109 + case 4: /* PLAINTEXT = xxxx */
4111 + if (strncasecmp(ibuf, "PLAINTEXT = ", 12) != 0)
4113 + printf("Missing PLAINTEXT\n");
4118 + int nn = strlen(ibuf+12);
4119 + if(!strcmp(amode,"CFB1"))
4120 + len=bint2bin(ibuf+12,nn-1,plaintext);
4122 + len=hex2bin(ibuf+12, plaintext);
4125 + printf("Invalid PLAINTEXT: %s", ibuf+12);
4129 + if (len >= sizeof(plaintext))
4131 + printf("Buffer overflow\n");
4133 + PrintValue("PLAINTEXT", (unsigned char*)plaintext, len);
4134 + if (strcmp(atest, "Monte") == 0) /* Monte Carlo Test */
4136 + do_mct(amode,akeysz,numkeys,aKey,iVec,dir,plaintext,len,rfp);
4141 + ret = DESTest(&ctx, amode, akeysz, aKey, iVec,
4142 + dir, /* 0 = decrypt, 1 = encrypt */
4143 + ciphertext, plaintext, len);
4144 + OutputValue("CIPHERTEXT",ciphertext,len,rfp,
4145 + !strcmp(amode,"CFB1"));
4151 + case 5: /* CIPHERTEXT = xxxx */
4153 + if (strncasecmp(ibuf, "CIPHERTEXT = ", 13) != 0)
4155 + printf("Missing KEY\n");
4160 + if(!strcmp(amode,"CFB1"))
4161 + len=bint2bin(ibuf+13,strlen(ibuf+13)-1,ciphertext);
4163 + len = hex2bin(ibuf+13,ciphertext);
4166 + printf("Invalid CIPHERTEXT\n");
4171 + PrintValue("CIPHERTEXT", ciphertext, len);
4172 + if (strcmp(atest, "Monte") == 0) /* Monte Carlo Test */
4174 + do_mct(amode, akeysz, numkeys, aKey, iVec,
4175 + dir, ciphertext, len, rfp);
4180 + ret = DESTest(&ctx, amode, akeysz, aKey, iVec,
4181 + dir, /* 0 = decrypt, 1 = encrypt */
4182 + plaintext, ciphertext, len);
4183 + OutputValue("PLAINTEXT",(unsigned char *)plaintext,len,rfp,
4184 + !strcmp(amode,"CFB1"));
4191 + if (ibuf[0] != '\n')
4194 + printf("Missing terminator\n");
4196 + else if (strcmp(atest, "MCT") != 0)
4197 + { /* MCT already added terminating nl */
4211 +/*--------------------------------------------------
4212 + Processes either a single file or
4213 + a set of files whose names are passed in a file.
4214 + A single file is specified as:
4215 + aes_test -f xxx.req
4216 + A set of files is specified as:
4217 + aes_test -d xxxxx.xxx
4218 + The default is: -d req.txt
4219 +--------------------------------------------------*/
4220 +int main(int argc, char **argv)
4222 + char *rqlist = "req.txt", *rspfile = NULL;
4224 + char fn[250] = "", rfn[256] = "";
4225 + int f_opt = 0, d_opt = 1;
4227 +#ifdef OPENSSL_FIPS
4228 + if(!FIPS_mode_set(1))
4230 + do_print_errors();
4236 + if (strcasecmp(argv[1], "-d") == 0)
4240 + else if (strcasecmp(argv[1], "-f") == 0)
4247 + printf("Invalid parameter: %s\n", argv[1]);
4252 + printf("Missing parameter\n");
4259 + strcpy(fn, argv[2]);
4260 + rspfile = argv[3];
4264 + { /* list of files (directory) */
4265 + if (!(fp = fopen(rqlist, "r")))
4267 + printf("Cannot open req list file\n");
4270 + while (fgets(fn, sizeof(fn), fp))
4272 + strtok(fn, "\r\n");
4274 + printf("Processing: %s\n", rfn);
4275 + if (proc_file(rfn, rspfile))
4277 + printf(">>> Processing failed for: %s <<<\n", rfn);
4283 + else /* single file */
4286 + printf("Processing: %s\n", fn);
4287 + if (proc_file(fn, rspfile))
4289 + printf(">>> Processing failed for: %s <<<\n", fn);
4297 diff -up openssl-1.0.1b/crypto/fips/cavs/fips_dhvs.c.fips openssl-1.0.1b/crypto/fips/cavs/fips_dhvs.c
4298 --- openssl-1.0.1b/crypto/fips/cavs/fips_dhvs.c.fips 2012-04-26 18:00:51.398769255 +0200
4299 +++ openssl-1.0.1b/crypto/fips/cavs/fips_dhvs.c 2012-04-26 18:00:51.398769255 +0200
4301 +/* fips/dh/fips_dhvs.c */
4302 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
4305 +/* ====================================================================
4306 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
4308 + * Redistribution and use in source and binary forms, with or without
4309 + * modification, are permitted provided that the following conditions
4312 + * 1. Redistributions of source code must retain the above copyright
4313 + * notice, this list of conditions and the following disclaimer.
4315 + * 2. Redistributions in binary form must reproduce the above copyright
4316 + * notice, this list of conditions and the following disclaimer in
4317 + * the documentation and/or other materials provided with the
4320 + * 3. All advertising materials mentioning features or use of this
4321 + * software must display the following acknowledgment:
4322 + * "This product includes software developed by the OpenSSL Project
4323 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
4325 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
4326 + * endorse or promote products derived from this software without
4327 + * prior written permission. For written permission, please contact
4328 + * licensing@OpenSSL.org.
4330 + * 5. Products derived from this software may not be called "OpenSSL"
4331 + * nor may "OpenSSL" appear in their names without prior written
4332 + * permission of the OpenSSL Project.
4334 + * 6. Redistributions of any form whatsoever must retain the following
4336 + * "This product includes software developed by the OpenSSL Project
4337 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
4339 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
4340 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
4341 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
4342 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
4343 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
4344 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
4345 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
4346 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
4347 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
4348 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
4349 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
4350 + * OF THE POSSIBILITY OF SUCH DAMAGE.
4351 + * ====================================================================
4355 +#define OPENSSL_FIPSAPI
4356 +#include <openssl/opensslconf.h>
4358 +#ifndef OPENSSL_FIPS
4361 +int main(int argc, char **argv)
4363 + printf("No FIPS DH support\n");
4368 +#include <openssl/crypto.h>
4369 +#include <openssl/bn.h>
4370 +#include <openssl/dh.h>
4371 +#include <openssl/fips.h>
4372 +#include <openssl/err.h>
4373 +#include <openssl/evp.h>
4374 +#include <string.h>
4377 +#include "fips_utl.h"
4379 +static const EVP_MD *parse_md(char *line)
4382 + if (line[0] != '[' || line[1] != 'F')
4384 + p = strchr(line, '-');
4388 + p = strchr(line, ']');
4393 + while(isspace(*p))
4395 + if (!strcmp(p, "SHA1"))
4396 + return EVP_sha1();
4397 + else if (!strcmp(p, "SHA224"))
4398 + return EVP_sha224();
4399 + else if (!strcmp(p, "SHA256"))
4400 + return EVP_sha256();
4401 + else if (!strcmp(p, "SHA384"))
4402 + return EVP_sha384();
4403 + else if (!strcmp(p, "SHA512"))
4404 + return EVP_sha512();
4409 +static void output_Zhash(FILE *out, int exout,
4410 + DH *dh, BIGNUM *peerkey, const EVP_MD *md,
4411 + unsigned char *rhash, size_t rhashlen)
4414 + unsigned char chash[EVP_MAX_MD_SIZE];
4416 + if (rhash == NULL)
4418 + rhashlen = M_EVP_MD_size(md);
4419 + if (!DH_generate_key(dh))
4421 + do_bn_print_name(out, "YephemIUT", dh->pub_key);
4423 + do_bn_print_name(out, "XephemIUT", dh->priv_key);
4425 + Z = OPENSSL_malloc(BN_num_bytes(dh->p));
4428 + Zlen = DH_compute_key_padded(Z, peerkey, dh);
4430 + OutputValue("Z", Z, Zlen, out, 0);
4431 + FIPS_digest(Z, Zlen, chash, NULL, md);
4432 + OutputValue(rhash ? "IUTHashZZ" : "HashZZ", chash, rhashlen, out, 0);
4435 + fprintf(out, "Result = %s\n",
4436 + memcmp(chash, rhash, rhashlen) ? "F" : "P");
4440 + BN_clear_free(dh->priv_key);
4441 + BN_clear_free(dh->pub_key);
4442 + dh->priv_key = NULL;
4443 + dh->pub_key = NULL;
4445 + OPENSSL_cleanse(Z, Zlen);
4450 +int fips_dhvs_main(int argc, char **argv)
4452 +int main(int argc, char **argv)
4455 + char **args = argv + 1;
4456 + int argn = argc - 1;
4458 + char buf[2048], lbuf[2048];
4459 + unsigned char *rhash;
4462 + const EVP_MD *md = NULL;
4463 + BIGNUM *peerkey = NULL;
4464 + char *keyword = NULL, *value = NULL;
4465 + int do_verify = -1, exout = 0;
4467 + fips_algtest_init();
4469 + if (argn && !strcmp(*args, "dhver"))
4475 + else if (argn && !strcmp(*args, "dhgen"))
4482 + if (argn && !strcmp(*args, "-exout"))
4489 + if (do_verify == -1)
4491 + fprintf(stderr,"%s [dhver|dhgen|] [-exout] (infile outfile)\n",argv[0]);
4497 + in = fopen(*args, "r");
4500 + fprintf(stderr, "Error opening input file\n");
4503 + out = fopen(args[1], "w");
4506 + fprintf(stderr, "Error opening output file\n");
4510 + else if (argn == 0)
4517 + fprintf(stderr,"%s [dhver|dhgen|] [-exout] (infile outfile)\n",argv[0]);
4521 + dh = FIPS_dh_new();
4523 + while (fgets(buf, sizeof(buf), in) != NULL)
4526 + if (strlen(buf) > 6 && !strncmp(buf, "[F", 2))
4528 + md = parse_md(buf);
4533 + dh = FIPS_dh_new();
4536 + if (!parse_line(&keyword, &value, lbuf, buf))
4538 + if (!strcmp(keyword, "P"))
4540 + if (!do_hex2bn(&dh->p, value))
4543 + else if (!strcmp(keyword, "Q"))
4545 + if (!do_hex2bn(&dh->q, value))
4548 + else if (!strcmp(keyword, "G"))
4550 + if (!do_hex2bn(&dh->g, value))
4553 + else if (!strcmp(keyword, "XephemIUT"))
4555 + if (!do_hex2bn(&dh->priv_key, value))
4558 + else if (!strcmp(keyword, "YephemIUT"))
4560 + if (!do_hex2bn(&dh->pub_key, value))
4563 + else if (!strcmp(keyword, "YephemCAVS"))
4565 + if (!do_hex2bn(&peerkey, value))
4567 + if (do_verify == 0)
4568 + output_Zhash(out, exout, dh, peerkey, md,
4571 + else if (!strcmp(keyword, "CAVSHashZZ"))
4575 + rhash = hex2bin_m(value, &rhashlen);
4576 + if (!rhash || rhashlen != M_EVP_MD_size(md))
4578 + output_Zhash(out, exout, dh, peerkey, md,
4582 + if (in && in != stdin)
4584 + if (out && out != stdout)
4588 + fprintf(stderr, "Error Parsing request file\n");
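Review bot: The result of `Zlen = DH_compute_key_padded(Z, peerkey, dh);` in output_Zhash is used without a check, and that function returns -1 on failure (for example a peer key that is rejected by the library); a negative Zlen is then passed as a size to FIPS_digest and OPENSSL_cleanse, which reads and then overwrites far beyond the Z buffer. Add `if (Zlen < 0) { fprintf(stderr, "Error computing Z\n"); exit(1); }` immediately after the call, before the optional OutputValue of Z. The declaration of Zlen is not among the lines shown here, so confirm it is a signed int rather than a size_t, in which case the comparison would have to be against the -1 cast instead. The plain memcmp for the P/F verdict is fine for a test-vector harness and needs no constant-time treatment.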
4593 diff -up openssl-1.0.1b/crypto/fips/cavs/fips_drbgvs.c.fips openssl-1.0.1b/crypto/fips/cavs/fips_drbgvs.c
4594 --- openssl-1.0.1b/crypto/fips/cavs/fips_drbgvs.c.fips 2012-04-26 18:00:51.398769255 +0200
4595 +++ openssl-1.0.1b/crypto/fips/cavs/fips_drbgvs.c 2012-04-26 18:00:51.398769255 +0200
4597 +/* fips/rand/fips_drbgvs.c */
4598 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
4601 +/* ====================================================================
4602 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
4604 + * Redistribution and use in source and binary forms, with or without
4605 + * modification, are permitted provided that the following conditions
4608 + * 1. Redistributions of source code must retain the above copyright
4609 + * notice, this list of conditions and the following disclaimer.
4611 + * 2. Redistributions in binary form must reproduce the above copyright
4612 + * notice, this list of conditions and the following disclaimer in
4613 + * the documentation and/or other materials provided with the
4616 + * 3. All advertising materials mentioning features or use of this
4617 + * software must display the following acknowledgment:
4618 + * "This product includes software developed by the OpenSSL Project
4619 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
4621 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
4622 + * endorse or promote products derived from this software without
4623 + * prior written permission. For written permission, please contact
4624 + * licensing@OpenSSL.org.
4626 + * 5. Products derived from this software may not be called "OpenSSL"
4627 + * nor may "OpenSSL" appear in their names without prior written
4628 + * permission of the OpenSSL Project.
4630 + * 6. Redistributions of any form whatsoever must retain the following
4632 + * "This product includes software developed by the OpenSSL Project
4633 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
4635 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
4636 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
4637 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
4638 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
4639 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
4640 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
4641 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
4642 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
4643 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
4644 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
4645 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
4646 + * OF THE POSSIBILITY OF SUCH DAMAGE.
4647 + * ====================================================================
4651 +#define OPENSSL_FIPSAPI
4652 +#include <openssl/opensslconf.h>
4654 +#ifndef OPENSSL_FIPS
4657 +int main(int argc, char **argv)
4659 + printf("No FIPS DRBG support\n");
4664 +#include <openssl/bn.h>
4665 +#include <openssl/dsa.h>
4666 +#include <openssl/fips.h>
4667 +#include <openssl/fips_rand.h>
4668 +#include <openssl/err.h>
4669 +#include <openssl/evp.h>
4670 +#include <string.h>
4673 +#include "fips_utl.h"
4675 +static int dparse_md(char *str)
4677 + switch(atoi(str + 5))
4683 + return NID_sha224;
4686 + return NID_sha256;
4689 + return NID_sha384;
4692 + return NID_sha512;
4699 +static int parse_ec(char *str)
4701 + int curve_nid, md_nid;
4703 + md = strchr(str, ' ');
4706 + if (!strncmp(str, "[P-256", 6))
4707 + curve_nid = NID_X9_62_prime256v1;
4708 + else if (!strncmp(str, "[P-384", 6))
4709 + curve_nid = NID_secp384r1;
4710 + else if (!strncmp(str, "[P-521", 6))
4711 + curve_nid = NID_secp521r1;
4714 + md_nid = dparse_md(md);
4715 + if (md_nid == NID_undef)
4717 + return (curve_nid << 16) | md_nid;
4720 +static int parse_aes(char *str, int *pdf)
4723 + if (!strncmp(str + 9, "no", 2))
4726 + *pdf = DRBG_FLAG_CTR_USE_DF;
4728 + switch(atoi(str + 5))
4731 + return NID_aes_128_ctr;
4734 + return NID_aes_192_ctr;
4737 + return NID_aes_256_ctr;
4747 + unsigned char *ent;
4749 + unsigned char *nonce;
4753 +static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
4754 + int entropy, size_t min_len, size_t max_len)
4756 + TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
4757 + *pout = (unsigned char *)t->ent;
4761 +static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
4762 + int entropy, size_t min_len, size_t max_len)
4764 + TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
4765 + *pout = (unsigned char *)t->nonce;
4766 + return t->noncelen;
4770 +int fips_drbgvs_main(int argc,char **argv)
4772 +int main(int argc,char **argv)
4775 + FILE *in = NULL, *out = NULL;
4776 + DRBG_CTX *dctx = NULL;
4780 + char buf[2048], lbuf[2048];
4781 + unsigned char randout[2048];
4782 + char *keyword = NULL, *value = NULL;
4784 + unsigned char *ent = NULL, *nonce = NULL, *pers = NULL, *adin = NULL;
4785 + long entlen, noncelen, perslen, adinlen;
4788 + enum dtype { DRBG_NONE, DRBG_CTR, DRBG_HASH, DRBG_HMAC, DRBG_DUAL_EC }
4789 + drbg_type = DRBG_NONE;
4791 + int randoutlen = 0;
4795 + fips_algtest_init();
4799 + in = fopen(argv[1], "r");
4802 + fprintf(stderr, "Error opening input file\n");
4805 + out = fopen(argv[2], "w");
4808 + fprintf(stderr, "Error opening output file\n");
4812 + else if (argc == 1)
4819 + fprintf(stderr,"%s (infile outfile)\n",argv[0]);
4823 + while (fgets(buf, sizeof(buf), in) != NULL)
4826 + if (drbg_type == DRBG_NONE)
4828 + if (strstr(buf, "CTR_DRBG"))
4829 + drbg_type = DRBG_CTR;
4830 + else if (strstr(buf, "Hash_DRBG"))
4831 + drbg_type = DRBG_HASH;
4832 + else if (strstr(buf, "HMAC_DRBG"))
4833 + drbg_type = DRBG_HMAC;
4834 + else if (strstr(buf, "Dual_EC_DRBG"))
4835 + drbg_type = DRBG_DUAL_EC;
4839 + if (strlen(buf) > 4 && !strncmp(buf, "[SHA-", 5))
4841 + nid = dparse_md(buf);
4842 + if (nid == NID_undef)
4844 + if (drbg_type == DRBG_HMAC)
4849 + nid = NID_hmacWithSHA1;
4853 + nid = NID_hmacWithSHA224;
4857 + nid = NID_hmacWithSHA256;
4861 + nid = NID_hmacWithSHA384;
4865 + nid = NID_hmacWithSHA512;
4873 + if (strlen(buf) > 12 && !strncmp(buf, "[AES-", 5))
4875 + nid = parse_aes(buf, &df);
4876 + if (nid == NID_undef)
4879 + if (strlen(buf) > 12 && !strncmp(buf, "[P-", 3))
4881 + nid = parse_ec(buf);
4882 + if (nid == NID_undef)
4885 + if (!parse_line(&keyword, &value, lbuf, buf))
4888 + if (!strcmp(keyword, "[PredictionResistance"))
4890 + if (!strcmp(value, "True]"))
4892 + else if (!strcmp(value, "False]"))
4898 + if (!strcmp(keyword, "EntropyInput"))
4900 + ent = hex2bin_m(value, &entlen);
4902 + t.entlen = entlen;
4905 + if (!strcmp(keyword, "Nonce"))
4907 + nonce = hex2bin_m(value, &noncelen);
4909 + t.noncelen = noncelen;
4912 + if (!strcmp(keyword, "PersonalizationString"))
4914 + pers = hex2bin_m(value, &perslen);
4917 + fprintf(stderr, "DRBG type not recognised!\n");
4920 + dctx = FIPS_drbg_new(nid, df | DRBG_FLAG_TEST);
4923 + FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0,
4925 + FIPS_drbg_set_app_data(dctx, &t);
4926 + randoutlen = (int)FIPS_drbg_get_blocklength(dctx);
4927 + r = FIPS_drbg_instantiate(dctx, pers, perslen);
4930 + fprintf(stderr, "Error instantiating DRBG\n");
4933 + OPENSSL_free(pers);
4934 + OPENSSL_free(ent);
4935 + OPENSSL_free(nonce);
4936 + ent = nonce = pers = NULL;
4940 + if (!strcmp(keyword, "AdditionalInput"))
4942 + adin = hex2bin_m(value, &adinlen);
4945 + r = FIPS_drbg_generate(dctx, randout, randoutlen, 0,
4949 + fprintf(stderr, "Error generating DRBG bits\n");
4954 + OPENSSL_free(adin);
4961 + if (!strcmp(keyword, "EntropyInputPR"))
4963 + ent = hex2bin_m(value, &entlen);
4965 + t.entlen = entlen;
4966 + r = FIPS_drbg_generate(dctx,
4967 + randout, randoutlen,
4968 + 1, adin, adinlen);
4972 + "Error generating DRBG bits\n");
4975 + OPENSSL_free(adin);
4976 + OPENSSL_free(ent);
4977 + adin = ent = NULL;
4981 + if (!strcmp(keyword, "EntropyInputReseed"))
4983 + ent = hex2bin_m(value, &entlen);
4985 + t.entlen = entlen;
4987 + if (!strcmp(keyword, "AdditionalInputReseed"))
4989 + adin = hex2bin_m(value, &adinlen);
4990 + FIPS_drbg_reseed(dctx, adin, adinlen);
4991 + OPENSSL_free(ent);
4992 + OPENSSL_free(adin);
4993 + ent = adin = NULL;
4997 + OutputValue("ReturnedBits", randout, randoutlen,
4999 + FIPS_drbg_free(dctx);
5005 + if (in && in != stdin)
5007 + if (out && out != stdout)
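Review bot: The return value of `FIPS_drbg_reseed(dctx, adin, adinlen);` in the AdditionalInputReseed branch is discarded, whereas the instantiate and generate calls earlier in the same loop each test their result and print an error; a failed reseed would leave the DRBG in its pre-reseed state and the following ReturnedBits would be written out as if the reseed had taken effect, silently producing a wrong response file. Change it to `if (!FIPS_drbg_reseed(dctx, adin, adinlen)) { fprintf(stderr, "Error reseeding DRBG\n"); exit(1); }` so it matches the other calls. Separately, `randoutlen = (int)FIPS_drbg_get_blocklength(dctx);` is fed to FIPS_drbg_generate together with the fixed 2048-byte randout array with no bound check; the block lengths of the supported DRBGs presumably fit, but a guard such as `if (randoutlen > (int)sizeof(randout)) exit(1);` would make that assumption explicit rather than relying on it.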
5013 diff -up openssl-1.0.1b/crypto/fips/cavs/fips_dssvs.c.fips openssl-1.0.1b/crypto/fips/cavs/fips_dssvs.c
5014 --- openssl-1.0.1b/crypto/fips/cavs/fips_dssvs.c.fips 2012-04-26 18:00:51.398769255 +0200
5015 +++ openssl-1.0.1b/crypto/fips/cavs/fips_dssvs.c 2012-04-26 18:00:51.398769255 +0200
5017 +#include <openssl/opensslconf.h>
5019 +#ifndef OPENSSL_FIPS
5022 +int main(int argc, char **argv)
5024 + printf("No FIPS DSA support\n");
5029 +#include <openssl/bn.h>
5030 +#include <openssl/dsa.h>
5031 +#include <openssl/fips.h>
5032 +#include <openssl/err.h>
5033 +#include <openssl/evp.h>
5034 +#include <string.h>
5037 +#include "fips_utl.h"
5039 +static void pbn(const char *name, BIGNUM *bn)
5042 + unsigned char *tmp;
5043 + len = BN_num_bytes(bn);
5044 + tmp = OPENSSL_malloc(len);
5047 + fprintf(stderr, "Memory allocation error\n");
5050 + BN_bn2bin(bn, tmp);
5051 + printf("%s = ", name);
5052 + for (i = 0; i < len; i++)
5053 + printf("%02X", tmp[i]);
5054 + fputs("\n", stdout);
5055 + OPENSSL_free(tmp);
5063 + char *keyword, *value;
5065 + while(fgets(buf,sizeof buf,stdin) != NULL)
5067 + fputs(buf,stdout);
5068 + if (!parse_line(&keyword, &value, lbuf, buf))
5070 + if(!strcmp(keyword,"Prime"))
5075 + do_hex2bn(&pp,value);
5076 + printf("result= %c\n",
5077 + BN_is_prime_ex(pp,20,NULL,NULL) ? 'P' : 'F');
5086 + char *keyword, *value;
5089 + while(fgets(buf,sizeof buf,stdin) != NULL)
5091 + if (!parse_line(&keyword, &value, lbuf, buf))
5093 + fputs(buf,stdout);
5096 + if(!strcmp(keyword,"[mod"))
5098 + else if(!strcmp(keyword,"N"))
5100 + int n=atoi(value);
5102 + printf("[mod = %d]\n\n",nmod);
5106 + unsigned char seed[20];
5110 + dsa = FIPS_dsa_new();
5112 + if (!DSA_generate_parameters_ex(dsa, nmod,seed,0,&counter,&h,NULL))
5114 + do_print_errors();
5120 + pv("Seed",seed,20);
5121 + printf("c = %d\n",counter);
5122 + printf("H = %lx\n",h);
5123 + putc('\n',stdout);
5127 + fputs(buf,stdout);
5135 + char *keyword, *value;
5136 + BIGNUM *p = NULL, *q = NULL, *g = NULL;
5137 + int counter, counter2;
5138 + unsigned long h, h2;
5141 + unsigned char seed[1024];
5143 + while(fgets(buf,sizeof buf,stdin) != NULL)
5145 + if (!parse_line(&keyword, &value, lbuf, buf))
5147 + fputs(buf,stdout);
5150 + fputs(buf, stdout);
5151 + if(!strcmp(keyword,"[mod"))
5153 + else if(!strcmp(keyword,"P"))
5155 + else if(!strcmp(keyword,"Q"))
5157 + else if(!strcmp(keyword,"G"))
5159 + else if(!strcmp(keyword,"Seed"))
5161 + int slen = hex2bin(value, seed);
5164 + fprintf(stderr, "Seed parse length error\n");
5168 + else if(!strcmp(keyword,"c"))
5169 + counter =atoi(buf+4);
5170 + else if(!strcmp(keyword,"H"))
5173 + if (!p || !q || !g)
5175 + fprintf(stderr, "Parse Error\n");
5178 + dsa = FIPS_dsa_new();
5179 + if (!DSA_generate_parameters_ex(dsa, nmod,seed,20 ,&counter2,&h2,NULL))
5181 + do_print_errors();
5184 + if (BN_cmp(dsa->p, p) || BN_cmp(dsa->q, q) || BN_cmp(dsa->g, g)
5185 + || (counter != counter2) || (h != h2))
5186 + printf("Result = F\n");
5188 + printf("Result = P\n");
5195 + FIPS_dsa_free(dsa);
5201 +/* Keypair verification routine. NB: this isn't part of the standard FIPS140-2
5202 + * algorithm tests. It is an additional test to perform sanity checks on the
5203 + * output of the KeyPair test.
5206 +static int dss_paramcheck(int nmod, BIGNUM *p, BIGNUM *q, BIGNUM *g,
5209 + BIGNUM *rem = NULL;
5210 + if (BN_num_bits(p) != nmod)
5212 + if (BN_num_bits(q) != 160)
5214 + if (BN_is_prime_ex(p, BN_prime_checks, ctx, NULL) != 1)
5216 + if (BN_is_prime_ex(q, BN_prime_checks, ctx, NULL) != 1)
5219 + if (!BN_mod(rem, p, q, ctx) || !BN_is_one(rem)
5220 + || (BN_cmp(g, BN_value_one()) <= 0)
5221 + || !BN_mod_exp(rem, g, q, p, ctx) || !BN_is_one(rem))
5226 + /* Todo: check g */
5235 + char *keyword, *value;
5236 + BIGNUM *p = NULL, *q = NULL, *g = NULL, *X = NULL, *Y = NULL;
5238 + BN_CTX *ctx = NULL;
5239 + int nmod=0, paramcheck = 0;
5241 + ctx = BN_CTX_new();
5244 + while(fgets(buf,sizeof buf,stdin) != NULL)
5246 + if (!parse_line(&keyword, &value, lbuf, buf))
5248 + fputs(buf,stdout);
5251 + if(!strcmp(keyword,"[mod"))
5265 + else if(!strcmp(keyword,"P"))
5267 + else if(!strcmp(keyword,"Q"))
5269 + else if(!strcmp(keyword,"G"))
5271 + else if(!strcmp(keyword,"X"))
5273 + else if(!strcmp(keyword,"Y"))
5276 + if (!p || !q || !g || !X || !Y)
5278 + fprintf(stderr, "Parse Error\n");
5288 + if (dss_paramcheck(nmod, p, q, g, ctx))
5293 + if (paramcheck != 1)
5294 + printf("Result = F\n");
5297 + if (!BN_mod_exp(Y2, g, X, p, ctx) || BN_cmp(Y2, Y))
5298 + printf("Result = F\n");
5300 + printf("Result = P\n");
5322 + char *keyword, *value;
5325 + while(fgets(buf,sizeof buf,stdin) != NULL)
5327 + if (!parse_line(&keyword, &value, lbuf, buf))
5329 + fputs(buf,stdout);
5332 + if(!strcmp(keyword,"[mod"))
5334 + else if(!strcmp(keyword,"N"))
5337 + int n=atoi(value);
5339 + printf("[mod = %d]\n\n",nmod);
5340 + dsa = FIPS_dsa_new();
5341 + if (!DSA_generate_parameters_ex(dsa, nmod,NULL,0,NULL,NULL,NULL))
5343 + do_print_errors();
5349 + putc('\n',stdout);
5353 + if (!DSA_generate_key(dsa))
5355 + do_print_errors();
5359 + pbn("X",dsa->priv_key);
5360 + pbn("Y",dsa->pub_key);
5361 + putc('\n',stdout);
5371 + char *keyword, *value;
5375 + while(fgets(buf,sizeof buf,stdin) != NULL)
5377 + if (!parse_line(&keyword, &value, lbuf, buf))
5379 + fputs(buf,stdout);
5382 + if(!strcmp(keyword,"[mod"))
5385 + printf("[mod = %d]\n\n",nmod);
5387 + FIPS_dsa_free(dsa);
5388 + dsa = FIPS_dsa_new();
5389 + if (!DSA_generate_parameters_ex(dsa, nmod,NULL,0,NULL,NULL,NULL))
5391 + do_print_errors();
5397 + putc('\n',stdout);
5399 + else if(!strcmp(keyword,"Msg"))
5401 + unsigned char msg[1024];
5402 + unsigned char sbuf[60];
5403 + unsigned int slen;
5408 + EVP_MD_CTX_init(&mctx);
5410 + n=hex2bin(value,msg);
5413 + if (!DSA_generate_key(dsa))
5415 + do_print_errors();
5418 + pk.type = EVP_PKEY_DSA;
5419 + pk.pkey.dsa = dsa;
5420 + pbn("Y",dsa->pub_key);
5422 + EVP_SignInit_ex(&mctx, EVP_dss1(), NULL);
5423 + EVP_SignUpdate(&mctx, msg, n);
5424 + EVP_SignFinal(&mctx, sbuf, &slen, &pk);
5426 + sig = DSA_SIG_new();
5427 + FIPS_dsa_sig_decode(sig, sbuf, slen);
5431 + putc('\n',stdout);
5432 + DSA_SIG_free(sig);
5433 + EVP_MD_CTX_cleanup(&mctx);
5437 + FIPS_dsa_free(dsa);
5445 + unsigned char msg[1024];
5446 + char *keyword, *value;
5448 + DSA_SIG sg, *sig = &sg;
5453 + while(fgets(buf,sizeof buf,stdin) != NULL)
5455 + if (!parse_line(&keyword, &value, lbuf, buf))
5457 + fputs(buf,stdout);
5460 + if(!strcmp(keyword,"[mod"))
5464 + FIPS_dsa_free(dsa);
5465 + dsa=FIPS_dsa_new();
5467 + else if(!strcmp(keyword,"P"))
5468 + dsa->p=hex2bn(value);
5469 + else if(!strcmp(keyword,"Q"))
5470 + dsa->q=hex2bn(value);
5471 + else if(!strcmp(keyword,"G"))
5473 + dsa->g=hex2bn(value);
5475 + printf("[mod = %d]\n\n",nmod);
5479 + putc('\n',stdout);
5481 + else if(!strcmp(keyword,"Msg"))
5483 + n=hex2bin(value,msg);
5486 + else if(!strcmp(keyword,"Y"))
5487 + dsa->pub_key=hex2bn(value);
5488 + else if(!strcmp(keyword,"R"))
5489 + sig->r=hex2bn(value);
5490 + else if(!strcmp(keyword,"S"))
5494 + unsigned char sigbuf[60];
5495 + unsigned int slen;
5497 + EVP_MD_CTX_init(&mctx);
5498 + pk.type = EVP_PKEY_DSA;
5499 + pk.pkey.dsa = dsa;
5500 + sig->s=hex2bn(value);
5502 + pbn("Y",dsa->pub_key);
5506 + slen = FIPS_dsa_sig_encode(sigbuf, sig);
5507 + EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL);
5508 + EVP_VerifyUpdate(&mctx, msg, n);
5509 + r = EVP_VerifyFinal(&mctx, sigbuf, slen, &pk);
5510 + EVP_MD_CTX_cleanup(&mctx);
5512 + printf("Result = %c\n", r == 1 ? 'P' : 'F');
5513 + putc('\n',stdout);
5518 +int main(int argc,char **argv)
5522 + fprintf(stderr,"%s [prime|pqg|pqgver|keypair|siggen|sigver]\n",argv[0]);
5525 + if(!FIPS_mode_set(1))
5527 + do_print_errors();
5530 + if(!strcmp(argv[1],"prime"))
5532 + else if(!strcmp(argv[1],"pqg"))
5534 + else if(!strcmp(argv[1],"pqgver"))
5536 + else if(!strcmp(argv[1],"keypair"))
5538 + else if(!strcmp(argv[1],"keyver"))
5540 + else if(!strcmp(argv[1],"siggen"))
5542 + else if(!strcmp(argv[1],"sigver"))
5546 + fprintf(stderr,"Don't know how to %s.\n",argv[1]);
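Review bot: In the prime test, `BN_is_prime_ex(pp,20,NULL,NULL) ? 'P' : 'F'` treats the function's -1 error return as a pass, because any nonzero value is truthy, so a primality check that fails internally (allocation failure, bad input) is reported as `P`. dss_paramcheck further down tests the same function with `!= 1`, which is the correct form; make the prime case `BN_is_prime_ex(pp,20,NULL,NULL) == 1 ? 'P' : 'F'` for consistency. In the same spirit, siggen ignores the results of EVP_SignFinal and FIPS_dsa_sig_decode, so a signing failure would print whatever happens to be in sbuf as R and S; checking those returns keeps garbage out of the response file. The fixed `sigbuf[60]` in sigver also assumes R and S from the request file are no larger than the 160-bit q; whether FIPS_dsa_sig_encode bounds its output for longer values cannot be told from this file, so a length check on sig->r and sig->s before encoding would be prudent.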
5554 diff -up openssl-1.0.1b/crypto/fips/cavs/fips_gcmtest.c.fips openssl-1.0.1b/crypto/fips/cavs/fips_gcmtest.c
5555 --- openssl-1.0.1b/crypto/fips/cavs/fips_gcmtest.c.fips 2012-04-26 18:00:51.399769276 +0200
5556 +++ openssl-1.0.1b/crypto/fips/cavs/fips_gcmtest.c 2012-04-26 18:00:51.399769276 +0200
5558 +/* fips/aes/fips_gcmtest.c */
5559 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
5562 +/* ====================================================================
5563 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
5565 + * Redistribution and use in source and binary forms, with or without
5566 + * modification, are permitted provided that the following conditions
5569 + * 1. Redistributions of source code must retain the above copyright
5570 + * notice, this list of conditions and the following disclaimer.
5572 + * 2. Redistributions in binary form must reproduce the above copyright
5573 + * notice, this list of conditions and the following disclaimer in
5574 + * the documentation and/or other materials provided with the
5577 + * 3. All advertising materials mentioning features or use of this
5578 + * software must display the following acknowledgment:
5579 + * "This product includes software developed by the OpenSSL Project
5580 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
5582 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
5583 + * endorse or promote products derived from this software without
5584 + * prior written permission. For written permission, please contact
5585 + * licensing@OpenSSL.org.
5587 + * 5. Products derived from this software may not be called "OpenSSL"
5588 + * nor may "OpenSSL" appear in their names without prior written
5589 + * permission of the OpenSSL Project.
5591 + * 6. Redistributions of any form whatsoever must retain the following
5593 + * "This product includes software developed by the OpenSSL Project
5594 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
5596 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
5597 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
5598 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
5599 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
5600 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
5601 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
5602 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
5603 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
5604 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
5605 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
5606 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
5607 + * OF THE POSSIBILITY OF SUCH DAMAGE.
5608 + * ====================================================================
5612 +#define OPENSSL_FIPSAPI
5613 +#include <openssl/opensslconf.h>
5615 +#ifndef OPENSSL_FIPS
5618 +int main(int argc, char **argv)
5620 + printf("No FIPS GCM support\n");
5625 +#include <openssl/bn.h>
5626 +#include <openssl/dsa.h>
5627 +#include <openssl/fips.h>
5628 +#include <openssl/err.h>
5629 +#include <openssl/evp.h>
5630 +#include <string.h>
5633 +#include "fips_utl.h"
5635 +static void gcmtest(FILE *in, FILE *out, int encrypt)
5639 + char *keyword, *value;
5640 + int keylen = -1, ivlen = -1, aadlen = -1, taglen = -1, ptlen = -1;
5643 + unsigned char *key = NULL, *iv = NULL, *aad = NULL, *tag = NULL;
5644 + unsigned char *ct = NULL, *pt = NULL;
5645 + EVP_CIPHER_CTX ctx;
5646 + const EVP_CIPHER *gcm = NULL;
5647 + FIPS_cipher_ctx_init(&ctx);
5649 + while(fgets(buf,sizeof buf,in) != NULL)
5652 + if (!parse_line(&keyword, &value, lbuf, buf))
5654 + if(!strcmp(keyword,"[Keylen"))
5656 + keylen = atoi(value);
5657 + if (keylen == 128)
5658 + gcm = EVP_aes_128_gcm();
5659 + else if (keylen == 192)
5660 + gcm = EVP_aes_192_gcm();
5661 + else if (keylen == 256)
5662 + gcm = EVP_aes_256_gcm();
5665 + fprintf(stderr, "Unsupported keylen %d\n",
5670 + else if (!strcmp(keyword, "[IVlen"))
5671 + ivlen = atoi(value) >> 3;
5672 + else if (!strcmp(keyword, "[AADlen"))
5673 + aadlen = atoi(value) >> 3;
5674 + else if (!strcmp(keyword, "[Taglen"))
5675 + taglen = atoi(value) >> 3;
5676 + else if (!strcmp(keyword, "[PTlen"))
5677 + ptlen = atoi(value) >> 3;
5678 + else if(!strcmp(keyword,"Key"))
5680 + key = hex2bin_m(value, &l);
5683 + fprintf(stderr, "Inconsistent Key length\n");
5687 + else if(!strcmp(keyword,"IV"))
5689 + iv = hex2bin_m(value, &l);
5692 + fprintf(stderr, "Inconsistent IV length\n");
5696 + else if(!strcmp(keyword,"PT"))
5698 + pt = hex2bin_m(value, &l);
5701 + fprintf(stderr, "Inconsistent PT length\n");
5705 + else if(!strcmp(keyword,"CT"))
5707 + ct = hex2bin_m(value, &l);
5710 + fprintf(stderr, "Inconsistent CT length\n");
5714 + else if(!strcmp(keyword,"AAD"))
5716 + aad = hex2bin_m(value, &l);
5719 + fprintf(stderr, "Inconsistent AAD length\n");
5723 + else if(!strcmp(keyword,"Tag"))
5725 + tag = hex2bin_m(value, &l);
5728 + fprintf(stderr, "Inconsistent Tag length\n");
5732 + if (encrypt && pt && aad && (iv || encrypt==1))
5734 + tag = OPENSSL_malloc(taglen);
5735 + FIPS_cipherinit(&ctx, gcm, NULL, NULL, 1);
5736 + /* Relax FIPS constraints for testing */
5737 + M_EVP_CIPHER_CTX_set_flags(&ctx, EVP_CIPH_FLAG_NON_FIPS_ALLOW);
5738 + FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, ivlen, 0);
5741 + static unsigned char iv_fixed[4] = {1,2,3,4};
5743 + iv = OPENSSL_malloc(ivlen);
5744 + FIPS_cipherinit(&ctx, NULL, key, NULL, 1);
5745 + FIPS_cipher_ctx_ctrl(&ctx,
5746 + EVP_CTRL_GCM_SET_IV_FIXED,
5748 + if (!FIPS_cipher_ctx_ctrl(&ctx,
5749 + EVP_CTRL_GCM_IV_GEN, 0, iv))
5751 + fprintf(stderr, "IV gen error\n");
5754 + OutputValue("IV", iv, ivlen, out, 0);
5757 + FIPS_cipherinit(&ctx, NULL, key, iv, 1);
5761 + FIPS_cipher(&ctx, NULL, aad, aadlen);
5764 + ct = OPENSSL_malloc(ptlen);
5765 + rv = FIPS_cipher(&ctx, ct, pt, ptlen);
5767 + FIPS_cipher(&ctx, NULL, NULL, 0);
5768 + FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG,
5770 + OutputValue("CT", ct, ptlen, out, 0);
5771 + OutputValue("Tag", tag, taglen, out, 0);
5775 + OPENSSL_free(aad);
5781 + OPENSSL_free(key);
5783 + OPENSSL_free(tag);
5784 + iv = aad = ct = pt = key = tag = NULL;
5786 + if (!encrypt && tag)
5788 + FIPS_cipherinit(&ctx, gcm, NULL, NULL, 0);
5789 + /* Relax FIPS constraints for testing */
5790 + M_EVP_CIPHER_CTX_set_flags(&ctx, EVP_CIPH_FLAG_NON_FIPS_ALLOW);
5791 + FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, ivlen, 0);
5792 + FIPS_cipherinit(&ctx, NULL, key, iv, 0);
5793 + FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, taglen, tag);
5795 + FIPS_cipher(&ctx, NULL, aad, aadlen);
5798 + pt = OPENSSL_malloc(ptlen);
5799 + rv = FIPS_cipher(&ctx, pt, ct, ptlen);
5801 + rv = FIPS_cipher(&ctx, NULL, NULL, 0);
5803 + fprintf(out, "FAIL" RESP_EOL);
5805 + OutputValue("PT", pt, ptlen, out, 0);
5809 + OPENSSL_free(aad);
5815 + OPENSSL_free(key);
5817 + OPENSSL_free(tag);
5818 + iv = aad = ct = pt = key = tag = NULL;
5821 + FIPS_cipher_ctx_cleanup(&ctx);
5824 +static void xtstest(FILE *in, FILE *out)
5827 + char lbuf[204800];
5828 + char *keyword, *value;
5832 + unsigned char *key = NULL, *iv = NULL;
5833 + unsigned char *inbuf = NULL, *outbuf = NULL;
5834 + EVP_CIPHER_CTX ctx;
5835 + const EVP_CIPHER *xts = NULL;
5836 + FIPS_cipher_ctx_init(&ctx);
5838 + while(fgets(buf,sizeof buf,in) != NULL)
5841 + if (buf[0] == '[' && strlen(buf) >= 9)
5843 + if(!strncmp(buf,"[ENCRYPT]", 9))
5845 + else if(!strncmp(buf,"[DECRYPT]", 9))
5848 + if (!parse_line(&keyword, &value, lbuf, buf))
5850 + else if(!strcmp(keyword,"Key"))
5852 + key = hex2bin_m(value, &l);
5854 + xts = EVP_aes_128_xts();
5856 + xts = EVP_aes_256_xts();
5859 + fprintf(stderr, "Inconsistent Key length\n");
5863 + else if(!strcmp(keyword,"i"))
5865 + iv = hex2bin_m(value, &l);
5868 + fprintf(stderr, "Inconsistent i length\n");
5872 + else if(encrypt && !strcmp(keyword,"PT"))
5874 + inbuf = hex2bin_m(value, &l);
5877 + else if(!encrypt && !strcmp(keyword,"CT"))
5879 + inbuf = hex2bin_m(value, &l);
5884 + FIPS_cipherinit(&ctx, xts, key, iv, encrypt);
5885 + outbuf = OPENSSL_malloc(inlen);
5886 + FIPS_cipher(&ctx, outbuf, inbuf, inlen);
5887 + OutputValue(encrypt ? "CT":"PT", outbuf, inlen, out, 0);
5888 + OPENSSL_free(inbuf);
5889 + OPENSSL_free(outbuf);
5890 + OPENSSL_free(key);
5892 + iv = key = inbuf = outbuf = NULL;
5895 + FIPS_cipher_ctx_cleanup(&ctx);
5898 +static void ccmtest(FILE *in, FILE *out)
5901 + char lbuf[200048];
5902 + char *keyword, *value;
5904 + unsigned char *Key = NULL, *Nonce = NULL;
5905 + unsigned char *Adata = NULL, *Payload = NULL;
5906 + unsigned char *CT = NULL;
5907 + int Plen = -1, Nlen = -1, Tlen = -1, Alen = -1;
5909 + EVP_CIPHER_CTX ctx;
5910 + const EVP_CIPHER *ccm = NULL;
5911 + FIPS_cipher_ctx_init(&ctx);
5913 + while(fgets(buf,sizeof buf,in) != NULL)
5918 + if (!parse_line(&keyword, &value, lbuf, buf))
5921 + /* If surrounded by square brackets zap them */
5922 + if (keyword[0] == '[')
5925 + p = strchr(value, ']');
5929 + /* See if we have a comma separated list of parameters
5930 + * if so copy rest of line back to buffer and redo later.
5932 + p = strchr(value, ',');
5936 + strcpy(buf, p + 1);
5937 + strcat(buf, "\n");
5940 + if (!strcmp(keyword,"Plen"))
5941 + Plen = atoi(value);
5942 + else if (!strcmp(keyword,"Nlen"))
5943 + Nlen = atoi(value);
5944 + else if (!strcmp(keyword,"Tlen"))
5945 + Tlen = atoi(value);
5946 + else if (!strcmp(keyword,"Alen"))
5947 + Alen = atoi(value);
5950 + if (!strcmp(keyword,"Key"))
5953 + OPENSSL_free(Key);
5954 + Key = hex2bin_m(value, &l);
5956 + ccm = EVP_aes_128_ccm();
5958 + ccm = EVP_aes_192_ccm();
5960 + ccm = EVP_aes_256_ccm();
5963 + fprintf(stderr, "Inconsistent Key length\n");
5967 + else if (!strcmp(keyword,"Nonce"))
5970 + OPENSSL_free(Nonce);
5971 + Nonce = hex2bin_m(value, &l);
5974 + fprintf(stderr, "Inconsistent nonce length\n");
5978 + else if (!strcmp(keyword,"Payload") && !decr)
5980 + Payload = hex2bin_m(value, &l);
5981 + if (Plen && l != Plen)
5983 + fprintf(stderr, "Inconsistent Payload length\n");
5987 + else if (!strcmp(keyword,"Adata"))
5990 + OPENSSL_free(Adata);
5991 + Adata = hex2bin_m(value, &l);
5992 + if (Alen && l != Alen)
5994 + fprintf(stderr, "Inconsistent Payload length\n");
5998 + else if (!strcmp(keyword,"CT") && decr)
6000 + CT = hex2bin_m(value, &l);
6001 + if (l != (Plen + Tlen))
6003 + fprintf(stderr, "Inconsistent CT length\n");
6009 + FIPS_cipherinit(&ctx, ccm, NULL, NULL, 1);
6010 + FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN, Nlen, 0);
6011 + FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG, Tlen, 0);
6012 + FIPS_cipherinit(&ctx, NULL, Key, Nonce, 1);
6014 + FIPS_cipher(&ctx, NULL, NULL, Plen);
6015 + FIPS_cipher(&ctx, NULL, Adata, Alen);
6016 + CT = OPENSSL_malloc(Plen + Tlen);
6017 + FIPS_cipher(&ctx, CT, Payload, Plen);
6018 + FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_CCM_GET_TAG, Tlen,
6020 + OutputValue("CT", CT, Plen + Tlen, out, 0);
6022 + OPENSSL_free(Payload);
6023 + CT = Payload = NULL;
6028 + int len = Plen == 0 ? 1: Plen;
6029 + FIPS_cipherinit(&ctx, ccm, NULL, NULL, 0);
6030 + FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN, Nlen, 0);
6031 + FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG,
6033 + FIPS_cipherinit(&ctx, NULL, Key, Nonce, 0);
6034 + FIPS_cipher(&ctx, NULL, NULL, Plen);
6035 + FIPS_cipher(&ctx, NULL, Adata, Alen);
6036 + Payload = OPENSSL_malloc(len);
6037 + rv = FIPS_cipher(&ctx, Payload, CT, Plen);
6042 + fputs("Result = Pass" RESP_EOL, out);
6043 + OutputValue("Payload", Payload, len, out, 0);
6046 + fputs("Result = Fail" RESP_EOL, out);
6048 + OPENSSL_free(Payload);
6049 + CT = Payload = NULL;
6053 + OPENSSL_free(Key);
6055 + OPENSSL_free(Nonce);
6057 + OPENSSL_free(Adata);
6058 + FIPS_cipher_ctx_cleanup(&ctx);
6062 +int fips_gcmtest_main(int argc, char **argv)
6064 +int main(int argc, char **argv)
6068 + int xts = 0, ccm = 0;
6072 + in = fopen(argv[2], "r");
6075 + fprintf(stderr, "Error opening input file\n");
6078 + out = fopen(argv[3], "w");
6081 + fprintf(stderr, "Error opening output file\n");
6085 + else if (argc == 2)
6092 + fprintf(stderr,"%s [-encrypt|-decrypt]\n",argv[0]);
6095 + fips_algtest_init();
6096 + if(!strcmp(argv[1],"-encrypt"))
6098 + else if(!strcmp(argv[1],"-encryptIVext"))
6100 + else if(!strcmp(argv[1],"-decrypt"))
6102 + else if(!strcmp(argv[1],"-ccm"))
6104 + else if(!strcmp(argv[1],"-xts"))
6108 + fprintf(stderr,"Don't know how to %s.\n",argv[1]);
6117 + gcmtest(in, out, encrypt);
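Review bot: `tag = OPENSSL_malloc(taglen);` in gcmtest's encrypt branch runs as soon as PT, AAD and IV have been parsed, even when no `[Taglen` header was seen, in which case taglen is still the initial -1 and the allocation size wraps to a huge size_t; the same applies to ivlen for the generated IV and to ptlen for the CT/PT buffers, and no OPENSSL_malloc result in this file is checked before use, so a malformed response file ends in a write through NULL inside EVP_CTRL_GCM_GET_TAG. A guard ahead of the encrypt branch, `if (taglen < 0 || ivlen < 0 || ptlen < 0 || aadlen < 0) { fprintf(stderr, "Missing length header\n"); break; }`, plus a NULL test after each OPENSSL_malloc, turns that into a clean error. The `atoi(value) >> 3` conversions for `[IVlen`, `[AADlen`, `[Taglen` and `[PTlen` also accept negative or non-numeric text silently; strtol with an explicit range check is the stricter form. xtstest (`outbuf = OPENSSL_malloc(inlen)`) and ccmtest (`CT = OPENSSL_malloc(Plen + Tlen)`, `Payload = OPENSSL_malloc(len)`) allocate the same unchecked way.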
6129 diff -up openssl-1.0.1b/crypto/fips/cavs/fips_rngvs.c.fips openssl-1.0.1b/crypto/fips/cavs/fips_rngvs.c
6130 --- openssl-1.0.1b/crypto/fips/cavs/fips_rngvs.c.fips 2012-04-26 18:00:51.399769276 +0200
6131 +++ openssl-1.0.1b/crypto/fips/cavs/fips_rngvs.c 2012-04-26 18:00:51.399769276 +0200
6134 + * Crude test driver for processing the VST and MCT testvector files
6135 + * generated by the CMVP RNGVS product.
6137 + * Note the input files are assumed to have a _very_ specific format
6138 + * as described in the NIST document "The Random Number Generator
6139 + * Validation System (RNGVS)", May 25, 2004.
6142 +#include <openssl/opensslconf.h>
6144 +#ifndef OPENSSL_FIPS
6147 +int main(int argc, char **argv)
6149 + printf("No FIPS RNG support\n");
6154 +#include <openssl/bn.h>
6155 +#include <openssl/dsa.h>
6156 +#include <openssl/fips.h>
6157 +#include <openssl/err.h>
6158 +#include <openssl/rand.h>
6159 +#include <openssl/fips_rand.h>
6160 +#include <openssl/x509v3.h>
6161 +#include <string.h>
6164 +#include "fips_utl.h"
6168 + unsigned char *key = NULL;
6169 + unsigned char *v = NULL;
6170 + unsigned char *dt = NULL;
6171 + unsigned char ret[16];
6174 + char *keyword, *value;
6179 + while(fgets(buf,sizeof buf,stdin) != NULL)
6181 + fputs(buf,stdout);
6182 + if(!strncmp(buf,"[AES 128-Key]", 13))
6184 + else if(!strncmp(buf,"[AES 192-Key]", 13))
6186 + else if(!strncmp(buf,"[AES 256-Key]", 13))
6188 + if (!parse_line(&keyword, &value, lbuf, buf))
6190 + if(!strcmp(keyword,"Key"))
6192 + key=hex2bin_m(value,&i);
6195 + fprintf(stderr, "Invalid key length, expecting %ld\n", keylen);
6199 + else if(!strcmp(keyword,"DT"))
6201 + dt=hex2bin_m(value,&i);
6204 + fprintf(stderr, "Invalid DT length\n");
6208 + else if(!strcmp(keyword,"V"))
6210 + v=hex2bin_m(value,&i);
6213 + fprintf(stderr, "Invalid V length\n");
6219 + fprintf(stderr, "Missing key or DT\n");
6223 + FIPS_x931_set_key(key, keylen);
6224 + FIPS_x931_seed(v,16);
6225 + FIPS_x931_set_dt(dt);
6226 + if (FIPS_x931_bytes(ret,16) <= 0)
6228 + fprintf(stderr, "Error getting PRNG value\n");
6233 + OPENSSL_free(key);
6245 + unsigned char *key = NULL;
6246 + unsigned char *v = NULL;
6247 + unsigned char *dt = NULL;
6248 + unsigned char ret[16];
6251 + char *keyword, *value;
6257 + while(fgets(buf,sizeof buf,stdin) != NULL)
6259 + fputs(buf,stdout);
6260 + if(!strncmp(buf,"[AES 128-Key]", 13))
6262 + else if(!strncmp(buf,"[AES 192-Key]", 13))
6264 + else if(!strncmp(buf,"[AES 256-Key]", 13))
6266 + if (!parse_line(&keyword, &value, lbuf, buf))
6268 + if(!strcmp(keyword,"Key"))
6270 + key=hex2bin_m(value,&i);
6273 + fprintf(stderr, "Invalid key length, expecting %ld\n", keylen);
6277 + else if(!strcmp(keyword,"DT"))
6279 + dt=hex2bin_m(value,&i);
6282 + fprintf(stderr, "Invalid DT length\n");
6286 + else if(!strcmp(keyword,"V"))
6288 + v=hex2bin_m(value,&i);
6291 + fprintf(stderr, "Invalid V length\n");
6297 + fprintf(stderr, "Missing key or DT\n");
6301 + FIPS_x931_set_key(key, keylen);
6302 + FIPS_x931_seed(v,16);
6303 + for (i = 0; i < 10000; i++)
6305 + FIPS_x931_set_dt(dt);
6306 + if (FIPS_x931_bytes(ret,16) <= 0)
6308 + fprintf(stderr, "Error getting PRNG value\n");
6311 + /* Increment DT */
6312 + for (j = 15; j >= 0; j--)
6321 + OPENSSL_free(key);
6331 +int main(int argc,char **argv)
6335 + fprintf(stderr,"%s [mct|vst]\n",argv[0]);
6338 + if(!FIPS_mode_set(1))
6340 + do_print_errors();
6343 + FIPS_x931_reset();
6344 + if (!FIPS_x931_test_mode())
6346 + fprintf(stderr, "Error setting PRNG test mode\n");
6347 + do_print_errors();
6350 + if(!strcmp(argv[1],"mct"))
6352 + else if(!strcmp(argv[1],"vst"))
6356 + fprintf(stderr,"Don't know how to %s.\n",argv[1]);
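Review bot: The pre-seeding error path in both vst and mct prints `Missing key or DT`, which suggests the condition does not test `v`, yet `FIPS_x931_seed(v,16)` is called right after it; if the condition (not among the visible lines, like the two function signatures) really omits `v`, a vector file without a `V` line passes a NULL pointer to the seed routine. Extending it to `if (!key || !dt || !v)` with the message `Missing key, DT or V` closes that gap. A short header comment on main would also help, stating that `FIPS_x931_test_mode()` makes the X9.31 generator fully deterministic from the supplied Key, DT and V, so this driver's output is a conformance artefact and never usable as random material.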
6363 diff -up openssl-1.0.1b/crypto/fips/cavs/fips_rsagtest.c.fips openssl-1.0.1b/crypto/fips/cavs/fips_rsagtest.c
6364 --- openssl-1.0.1b/crypto/fips/cavs/fips_rsagtest.c.fips 2012-04-26 18:00:51.399769276 +0200
6365 +++ openssl-1.0.1b/crypto/fips/cavs/fips_rsagtest.c 2012-04-26 18:00:51.399769276 +0200
6367 +/* fips_rsagtest.c */
6368 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
6371 +/* ====================================================================
6372 + * Copyright (c) 2005,2007 The OpenSSL Project. All rights reserved.
6374 + * Redistribution and use in source and binary forms, with or without
6375 + * modification, are permitted provided that the following conditions
6378 + * 1. Redistributions of source code must retain the above copyright
6379 + * notice, this list of conditions and the following disclaimer.
6381 + * 2. Redistributions in binary form must reproduce the above copyright
6382 + * notice, this list of conditions and the following disclaimer in
6383 + * the documentation and/or other materials provided with the
6386 + * 3. All advertising materials mentioning features or use of this
6387 + * software must display the following acknowledgment:
6388 + * "This product includes software developed by the OpenSSL Project
6389 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
6391 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
6392 + * endorse or promote products derived from this software without
6393 + * prior written permission. For written permission, please contact
6394 + * licensing@OpenSSL.org.
6396 + * 5. Products derived from this software may not be called "OpenSSL"
6397 + * nor may "OpenSSL" appear in their names without prior written
6398 + * permission of the OpenSSL Project.
6400 + * 6. Redistributions of any form whatsoever must retain the following
6402 + * "This product includes software developed by the OpenSSL Project
6403 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
6405 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
6406 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
6407 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
6408 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
6409 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
6410 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
6411 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
6412 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
6413 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
6414 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
6415 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
6416 + * OF THE POSSIBILITY OF SUCH DAMAGE.
6417 + * ====================================================================
6419 + * This product includes cryptographic software written by Eric Young
6420 + * (eay@cryptsoft.com). This product includes software written by Tim
6421 + * Hudson (tjh@cryptsoft.com).
6427 +#include <string.h>
6428 +#include <openssl/bio.h>
6429 +#include <openssl/evp.h>
6430 +#include <openssl/hmac.h>
6431 +#include <openssl/err.h>
6432 +#include <openssl/rsa.h>
6433 +#include <openssl/bn.h>
6434 +#include <openssl/x509v3.h>
6436 +#ifndef OPENSSL_FIPS
6438 +int main(int argc, char *argv[])
6440 + printf("No FIPS RSA support\n");
6446 +#include "fips_utl.h"
6448 +int rsa_test(FILE *out, FILE *in);
6449 +static int rsa_printkey1(FILE *out, RSA *rsa,
6450 + BIGNUM *Xp1, BIGNUM *Xp2, BIGNUM *Xp,
6452 +static int rsa_printkey2(FILE *out, RSA *rsa,
6453 + BIGNUM *Xq1, BIGNUM *Xq2, BIGNUM *Xq);
6455 +int main(int argc, char **argv)
6457 + FILE *in = NULL, *out = NULL;
6461 + if(!FIPS_mode_set(1))
6463 + do_print_errors();
6470 + in = fopen(argv[1], "r");
6475 + out = fopen(argv[2], "w");
6479 + fprintf(stderr, "FATAL input initialization error\n");
6485 + fprintf(stderr, "FATAL output initialization error\n");
6489 + if (!rsa_test(out, in))
6491 + fprintf(stderr, "FATAL RSAGTEST file processing error\n");
6500 + do_print_errors();
6502 + if (in && (in != stdin))
6504 + if (out && (out != stdout))
6511 +#define RSA_TEST_MAXLINELEN 10240
6513 +int rsa_test(FILE *out, FILE *in)
6515 + char *linebuf, *olinebuf, *p, *q;
6516 + char *keyword, *value;
6518 + BIGNUM *Xp1 = NULL, *Xp2 = NULL, *Xp = NULL;
6519 + BIGNUM *Xq1 = NULL, *Xq2 = NULL, *Xq = NULL;
6524 + olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
6525 + linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
6527 + if (!linebuf || !olinebuf)
6530 + while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in))
6533 + strcpy(linebuf, olinebuf);
6534 + keyword = linebuf;
6535 + /* Skip leading space */
6536 + while (isspace((unsigned char)*keyword))
6539 + /* Look for = sign */
6540 + p = strchr(linebuf, '=');
6542 + /* If no = or starts with [ (for [foo = bar] line) just copy */
6543 + if (!p || *keyword=='[')
6545 + if (fputs(olinebuf, out) < 0)
6552 + /* Remove trailing space */
6553 + while (isspace((unsigned char)*q))
6559 + /* Remove leading space from value */
6560 + while (isspace((unsigned char)*value))
6563 + /* Remove trailing space from value */
6564 + p = value + strlen(value) - 1;
6566 + while (*p == '\n' || isspace((unsigned char)*p))
6569 + if (!strcmp(keyword, "xp1"))
6571 + if (Xp1 || !do_hex2bn(&Xp1,value))
6574 + else if (!strcmp(keyword, "xp2"))
6576 + if (Xp2 || !do_hex2bn(&Xp2,value))
6579 + else if (!strcmp(keyword, "Xp"))
6581 + if (Xp || !do_hex2bn(&Xp,value))
6584 + else if (!strcmp(keyword, "xq1"))
6586 + if (Xq1 || !do_hex2bn(&Xq1,value))
6589 + else if (!strcmp(keyword, "xq2"))
6591 + if (Xq2 || !do_hex2bn(&Xq2,value))
6594 + else if (!strcmp(keyword, "Xq"))
6596 + if (Xq || !do_hex2bn(&Xq,value))
6599 + else if (!strcmp(keyword, "e"))
6601 + if (e || !do_hex2bn(&e,value))
6604 + else if (!strcmp(keyword, "p1"))
6606 + else if (!strcmp(keyword, "p2"))
6608 + else if (!strcmp(keyword, "p"))
6610 + else if (!strcmp(keyword, "q1"))
6612 + else if (!strcmp(keyword, "q2"))
6614 + else if (!strcmp(keyword, "q"))
6616 + else if (!strcmp(keyword, "n"))
6618 + else if (!strcmp(keyword, "d"))
6623 + fputs(olinebuf, out);
6625 + if (e && Xp1 && Xp2 && Xp)
6627 + rsa = FIPS_rsa_new();
6630 + if (!rsa_printkey1(out, rsa, Xp1, Xp2, Xp, e))
6642 + if (rsa && Xq1 && Xq2 && Xq)
6644 + if (!rsa_printkey2(out, rsa, Xq1, Xq2, Xq))
6652 + FIPS_rsa_free(rsa);
6662 + OPENSSL_free(olinebuf);
6664 + OPENSSL_free(linebuf);
6683 + FIPS_rsa_free(rsa);
6689 + fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
6695 +static int rsa_printkey1(FILE *out, RSA *rsa,
6696 + BIGNUM *Xp1, BIGNUM *Xp2, BIGNUM *Xp,
6700 + BIGNUM *p1 = NULL, *p2 = NULL;
6706 + if (!RSA_X931_derive_ex(rsa, p1, p2, NULL, NULL, Xp1, Xp2, Xp,
6707 + NULL, NULL, NULL, e, NULL))
6710 + do_bn_print_name(out, "p1", p1);
6711 + do_bn_print_name(out, "p2", p2);
6712 + do_bn_print_name(out, "p", rsa->p);
6725 +static int rsa_printkey2(FILE *out, RSA *rsa,
6726 + BIGNUM *Xq1, BIGNUM *Xq2, BIGNUM *Xq)
6729 + BIGNUM *q1 = NULL, *q2 = NULL;
6735 + if (!RSA_X931_derive_ex(rsa, NULL, NULL, q1, q2, NULL, NULL, NULL,
6736 + Xq1, Xq2, Xq, NULL, NULL))
6739 + do_bn_print_name(out, "q1", q1);
6740 + do_bn_print_name(out, "q2", q2);
6741 + do_bn_print_name(out, "q", rsa->q);
6742 + do_bn_print_name(out, "n", rsa->n);
6743 + do_bn_print_name(out, "d", rsa->d);
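Review bot: `p = value + strlen(value) - 1;` in rsa_test's value trimming is computed after the leading-space loop has already skipped whitespace, and since isspace accepts `'\n'` a line such as `xp1 =` followed only by whitespace leaves `value` pointing at its terminator, so `p` lands one byte before the string and the trailing-space loop reads (and, if it stores the terminator as the comment implies, writes) outside `linebuf`. A guard `if (*value == '\0')` that takes the same exit as the other parse failures (the `FATAL parse error processing line %d` path) before computing `p` removes that. The same trimming sequence appears twice in rsa_stest in the fips_rsastest.c hunk (the value trim and the `[mod` handling) and needs the same guard. do_hex2bn and the other helpers the loop calls come from fips_utl.h and are not part of this hunk.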
6757 diff -up openssl-1.0.1b/crypto/fips/cavs/fips_rsastest.c.fips openssl-1.0.1b/crypto/fips/cavs/fips_rsastest.c
6758 --- openssl-1.0.1b/crypto/fips/cavs/fips_rsastest.c.fips 2012-04-26 18:00:51.400769298 +0200
6759 +++ openssl-1.0.1b/crypto/fips/cavs/fips_rsastest.c 2012-04-26 18:00:51.400769298 +0200
6761 +/* fips_rsastest.c */
6762 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
6765 +/* ====================================================================
6766 + * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
6768 + * Redistribution and use in source and binary forms, with or without
6769 + * modification, are permitted provided that the following conditions
6772 + * 1. Redistributions of source code must retain the above copyright
6773 + * notice, this list of conditions and the following disclaimer.
6775 + * 2. Redistributions in binary form must reproduce the above copyright
6776 + * notice, this list of conditions and the following disclaimer in
6777 + * the documentation and/or other materials provided with the
6780 + * 3. All advertising materials mentioning features or use of this
6781 + * software must display the following acknowledgment:
6782 + * "This product includes software developed by the OpenSSL Project
6783 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
6785 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
6786 + * endorse or promote products derived from this software without
6787 + * prior written permission. For written permission, please contact
6788 + * licensing@OpenSSL.org.
6790 + * 5. Products derived from this software may not be called "OpenSSL"
6791 + * nor may "OpenSSL" appear in their names without prior written
6792 + * permission of the OpenSSL Project.
6794 + * 6. Redistributions of any form whatsoever must retain the following
6796 + * "This product includes software developed by the OpenSSL Project
6797 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
6799 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
6800 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
6801 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
6802 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
6803 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
6804 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
6805 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
6806 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
6807 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
6808 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
6809 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
6810 + * OF THE POSSIBILITY OF SUCH DAMAGE.
6811 + * ====================================================================
6813 + * This product includes cryptographic software written by Eric Young
6814 + * (eay@cryptsoft.com). This product includes software written by Tim
6815 + * Hudson (tjh@cryptsoft.com).
6821 +#include <string.h>
6822 +#include <openssl/bio.h>
6823 +#include <openssl/evp.h>
6824 +#include <openssl/hmac.h>
6825 +#include <openssl/err.h>
6826 +#include <openssl/rsa.h>
6827 +#include <openssl/bn.h>
6828 +#include <openssl/x509v3.h>
6830 +#ifndef OPENSSL_FIPS
6832 +int main(int argc, char *argv[])
6834 + printf("No FIPS RSA support\n");
6840 +#include "fips_utl.h"
6842 +static int rsa_stest(FILE *out, FILE *in, int Saltlen);
6843 +static int rsa_printsig(FILE *out, RSA *rsa, const EVP_MD *dgst,
6844 + unsigned char *Msg, long Msglen, int Saltlen);
6846 +int main(int argc, char **argv)
6848 + FILE *in = NULL, *out = NULL;
6850 + int ret = 1, Saltlen = -1;
6852 + if(!FIPS_mode_set(1))
6854 + do_print_errors();
6858 + if ((argc > 2) && !strcmp("-saltlen", argv[1]))
6860 + Saltlen = atoi(argv[2]);
6863 + fprintf(stderr, "FATAL: Invalid salt length\n");
6869 + else if ((argc > 1) && !strcmp("-x931", argv[1]))
6879 + in = fopen(argv[1], "r");
6884 + out = fopen(argv[2], "w");
6888 + fprintf(stderr, "FATAL input initialization error\n");
6894 + fprintf(stderr, "FATAL output initialization error\n");
6898 + if (!rsa_stest(out, in, Saltlen))
6900 + fprintf(stderr, "FATAL RSASTEST file processing error\n");
6909 + do_print_errors();
6911 + if (in && (in != stdin))
6913 + if (out && (out != stdout))
6920 +#define RSA_TEST_MAXLINELEN 10240
6922 +int rsa_stest(FILE *out, FILE *in, int Saltlen)
6924 + char *linebuf, *olinebuf, *p, *q;
6925 + char *keyword, *value;
6927 + const EVP_MD *dgst = NULL;
6928 + unsigned char *Msg = NULL;
6930 + int keylen = -1, current_keylen = -1;
6934 + olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
6935 + linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
6937 + if (!linebuf || !olinebuf)
6940 + while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in))
6943 + strcpy(linebuf, olinebuf);
6944 + keyword = linebuf;
6945 + /* Skip leading space */
6946 + while (isspace((unsigned char)*keyword))
6949 + /* Look for = sign */
6950 + p = strchr(linebuf, '=');
6952 + /* If no = just copy */
6955 + if (fputs(olinebuf, out) < 0)
6962 + /* Remove trailing space */
6963 + while (isspace((unsigned char)*q))
6969 + /* Remove leading space from value */
6970 + while (isspace((unsigned char)*value))
6973 + /* Remove trailing space from value */
6974 + p = value + strlen(value) - 1;
6976 + while (*p == '\n' || isspace((unsigned char)*p))
6979 + /* Look for [mod = XXX] for key length */
6981 + if (!strcmp(keyword, "[mod"))
6983 + p = value + strlen(value) - 1;
6987 + keylen = atoi(value);
6991 + else if (!strcmp(keyword, "SHAAlg"))
6993 + if (!strcmp(value, "SHA1"))
6994 + dgst = EVP_sha1();
6995 + else if (!strcmp(value, "SHA224"))
6996 + dgst = EVP_sha224();
6997 + else if (!strcmp(value, "SHA256"))
6998 + dgst = EVP_sha256();
6999 + else if (!strcmp(value, "SHA384"))
7000 + dgst = EVP_sha384();
7001 + else if (!strcmp(value, "SHA512"))
7002 + dgst = EVP_sha512();
7006 + "FATAL: unsupported algorithm \"%s\"\n",
7011 + else if (!strcmp(keyword, "Msg"))
7015 + if (strlen(value) & 1)
7017 + Msg = hex2bin_m(value, &Msglen);
7022 + fputs(olinebuf, out);
7024 + /* If key length has changed, generate and output public
7025 + * key components of new RSA private key.
7028 + if (keylen != current_keylen)
7032 + FIPS_rsa_free(rsa);
7033 + rsa = FIPS_rsa_new();
7037 + if (!bn_e || !BN_set_word(bn_e, 0x1001))
7039 + if (!RSA_X931_generate_key_ex(rsa, keylen, bn_e, NULL))
7042 + fputs("n = ", out);
7043 + do_bn_print(out, rsa->n);
7044 + fputs("\ne = ", out);
7045 + do_bn_print(out, rsa->e);
7047 + current_keylen = keylen;
7052 + if (!rsa_printsig(out, rsa, dgst, Msg, Msglen,
7055 + OPENSSL_free(Msg);
7066 + OPENSSL_free(olinebuf);
7068 + OPENSSL_free(linebuf);
7070 + FIPS_rsa_free(rsa);
7076 + fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
7082 +static int rsa_printsig(FILE *out, RSA *rsa, const EVP_MD *dgst,
7083 + unsigned char *Msg, long Msglen, int Saltlen)
7086 + unsigned char *sigbuf = NULL;
7088 + /* EVP_PKEY structure */
7091 + pk.type = EVP_PKEY_RSA;
7092 + pk.pkey.rsa = rsa;
7094 + siglen = RSA_size(rsa);
7095 + sigbuf = OPENSSL_malloc(siglen);
7099 + EVP_MD_CTX_init(&ctx);
7103 + M_EVP_MD_CTX_set_flags(&ctx,
7104 + EVP_MD_CTX_FLAG_PAD_PSS | (Saltlen << 16));
7106 + else if (Saltlen == -2)
7107 + M_EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_PAD_X931);
7108 + if (!EVP_SignInit_ex(&ctx, dgst, NULL))
7110 + if (!EVP_SignUpdate(&ctx, Msg, Msglen))
7112 + if (!EVP_SignFinal(&ctx, sigbuf, (unsigned int *)&siglen, &pk))
7115 + EVP_MD_CTX_cleanup(&ctx);
7117 + fputs("S = ", out);
7119 + for (i = 0; i < siglen; i++)
7120 + fprintf(out, "%02X", sigbuf[i]);
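Review bot: In rsa_printsig only `pk.type` and `pk.pkey.rsa` are assigned, while `&pk` is handed to EVP_SignFinal as a complete key object; whether the remaining EVP_PKEY members are initialized depends on the declaration, which the visible lines do not show. Zeroing the struct first, `memset(&pk, 0, sizeof pk);` immediately before `pk.type = EVP_PKEY_RSA;` (string.h is already included), makes the reference count and other members deterministic regardless of how the callee treats them. The `(unsigned int *)&siglen` cast in the EVP_SignFinal call should go through an `unsigned int` temporary instead of aliasing `siglen`, which is later reused as the loop bound when the signature is printed.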
7131 diff -up openssl-1.0.1b/crypto/fips/cavs/fips_rsavtest.c.fips openssl-1.0.1b/crypto/fips/cavs/fips_rsavtest.c
7132 --- openssl-1.0.1b/crypto/fips/cavs/fips_rsavtest.c.fips 2012-04-26 18:00:51.400769298 +0200
7133 +++ openssl-1.0.1b/crypto/fips/cavs/fips_rsavtest.c 2012-04-26 18:00:51.400769298 +0200
7135 +/* fips_rsavtest.c */
7136 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
7139 +/* ====================================================================
7140 + * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
7142 + * Redistribution and use in source and binary forms, with or without
7143 + * modification, are permitted provided that the following conditions
7146 + * 1. Redistributions of source code must retain the above copyright
7147 + * notice, this list of conditions and the following disclaimer.
7149 + * 2. Redistributions in binary form must reproduce the above copyright
7150 + * notice, this list of conditions and the following disclaimer in
7151 + * the documentation and/or other materials provided with the
7154 + * 3. All advertising materials mentioning features or use of this
7155 + * software must display the following acknowledgment:
7156 + * "This product includes software developed by the OpenSSL Project
7157 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
7159 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
7160 + * endorse or promote products derived from this software without
7161 + * prior written permission. For written permission, please contact
7162 + * licensing@OpenSSL.org.
7164 + * 5. Products derived from this software may not be called "OpenSSL"
7165 + * nor may "OpenSSL" appear in their names without prior written
7166 + * permission of the OpenSSL Project.
7168 + * 6. Redistributions of any form whatsoever must retain the following
7170 + * "This product includes software developed by the OpenSSL Project
7171 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
7173 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
7174 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
7175 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
7176 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
7177 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
7178 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
7179 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
7180 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
7181 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
7182 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
7183 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
7184 + * OF THE POSSIBILITY OF SUCH DAMAGE.
7185 + * ====================================================================
7187 + * This product includes cryptographic software written by Eric Young
7188 + * (eay@cryptsoft.com). This product includes software written by Tim
7189 + * Hudson (tjh@cryptsoft.com).
7195 +#include <string.h>
7196 +#include <openssl/bio.h>
7197 +#include <openssl/evp.h>
7198 +#include <openssl/hmac.h>
7199 +#include <openssl/err.h>
7200 +#include <openssl/x509v3.h>
7201 +#include <openssl/bn.h>
7202 +#include <openssl/rsa.h>
7204 +#ifndef OPENSSL_FIPS
7206 +int main(int argc, char *argv[])
7208 + printf("No FIPS RSA support\n");
7214 +#include "fips_utl.h"
7216 +int rsa_test(FILE *out, FILE *in, int saltlen);
7217 +static int rsa_printver(FILE *out,
7218 + BIGNUM *n, BIGNUM *e,
7219 + const EVP_MD *dgst,
7220 + unsigned char *Msg, long Msglen,
7221 + unsigned char *S, long Slen, int Saltlen);
7223 +int main(int argc, char **argv)
7225 + FILE *in = NULL, *out = NULL;
7230 + if(!FIPS_mode_set(1))
7232 + do_print_errors();
7236 + if ((argc > 2) && !strcmp("-saltlen", argv[1]))
7238 + Saltlen = atoi(argv[2]);
7241 + fprintf(stderr, "FATAL: Invalid salt length\n");
7247 + else if ((argc > 1) && !strcmp("-x931", argv[1]))
7257 + in = fopen(argv[1], "r");
7262 + out = fopen(argv[2], "w");
7266 + fprintf(stderr, "FATAL input initialization error\n");
7272 + fprintf(stderr, "FATAL output initialization error\n");
7276 + if (!rsa_test(out, in, Saltlen))
7278 + fprintf(stderr, "FATAL RSAVTEST file processing error\n");
7287 + do_print_errors();
7289 + if (in && (in != stdin))
7291 + if (out && (out != stdout))
7298 +#define RSA_TEST_MAXLINELEN 10240
7300 +int rsa_test(FILE *out, FILE *in, int Saltlen)
7302 + char *linebuf, *olinebuf, *p, *q;
7303 + char *keyword, *value;
7304 + const EVP_MD *dgst = NULL;
7305 + BIGNUM *n = NULL, *e = NULL;
7306 + unsigned char *Msg = NULL, *S = NULL;
7307 + long Msglen, Slen;
7311 + olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
7312 + linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
7314 + if (!linebuf || !olinebuf)
7317 + while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in))
7320 + strcpy(linebuf, olinebuf);
7321 + keyword = linebuf;
7322 + /* Skip leading space */
7323 + while (isspace((unsigned char)*keyword))
7326 + /* Look for = sign */
7327 + p = strchr(linebuf, '=');
7329 + /* If no = or starts with [ (for [foo = bar] line) just copy */
7330 + if (!p || *keyword=='[')
7332 + if (fputs(olinebuf, out) < 0)
7339 + /* Remove trailing space */
7340 + while (isspace((unsigned char)*q))
7346 + /* Remove leading space from value */
7347 + while (isspace((unsigned char)*value))
7350 + /* Remove trailing space from value */
7351 + p = value + strlen(value) - 1;
7353 + while (*p == '\n' || isspace((unsigned char)*p))
7356 + if (!strcmp(keyword, "n"))
7358 + if (!do_hex2bn(&n,value))
7361 + else if (!strcmp(keyword, "e"))
7363 + if (!do_hex2bn(&e,value))
7366 + else if (!strcmp(keyword, "SHAAlg"))
7368 + if (!strcmp(value, "SHA1"))
7369 + dgst = EVP_sha1();
7370 + else if (!strcmp(value, "SHA224"))
7371 + dgst = EVP_sha224();
7372 + else if (!strcmp(value, "SHA256"))
7373 + dgst = EVP_sha256();
7374 + else if (!strcmp(value, "SHA384"))
7375 + dgst = EVP_sha384();
7376 + else if (!strcmp(value, "SHA512"))
7377 + dgst = EVP_sha512();
7381 + "FATAL: unsupported algorithm \"%s\"\n",
7386 + else if (!strcmp(keyword, "Msg"))
7390 + if (strlen(value) & 1)
7392 + Msg = hex2bin_m(value, &Msglen);
7396 + else if (!strcmp(keyword, "S"))
7400 + if (strlen(value) & 1)
7402 + S = hex2bin_m(value, &Slen);
7406 + else if (!strcmp(keyword, "Result"))
7411 + fputs(olinebuf, out);
7413 + if (n && e && Msg && S && dgst)
7415 + if (!rsa_printver(out, n, e, dgst,
7416 + Msg, Msglen, S, Slen, Saltlen))
7418 + OPENSSL_free(Msg);
7433 + OPENSSL_free(olinebuf);
7435 + OPENSSL_free(linebuf);
7445 + fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
7451 +static int rsa_printver(FILE *out,
7452 + BIGNUM *n, BIGNUM *e,
7453 + const EVP_MD *dgst,
7454 + unsigned char *Msg, long Msglen,
7455 + unsigned char *S, long Slen, int Saltlen)
7458 + /* Setup RSA and EVP_PKEY structures */
7459 + RSA *rsa_pubkey = NULL;
7462 + unsigned char *buf = NULL;
7463 + rsa_pubkey = FIPS_rsa_new();
7466 + rsa_pubkey->n = BN_dup(n);
7467 + rsa_pubkey->e = BN_dup(e);
7468 + if (!rsa_pubkey->n || !rsa_pubkey->e)
7470 + pk.type = EVP_PKEY_RSA;
7471 + pk.pkey.rsa = rsa_pubkey;
7473 + EVP_MD_CTX_init(&ctx);
7477 + M_EVP_MD_CTX_set_flags(&ctx,
7478 + EVP_MD_CTX_FLAG_PAD_PSS | (Saltlen << 16));
7480 + else if (Saltlen == -2)
7481 + M_EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_PAD_X931);
7482 + if (!EVP_VerifyInit_ex(&ctx, dgst, NULL))
7484 + if (!EVP_VerifyUpdate(&ctx, Msg, Msglen))
7487 + r = EVP_VerifyFinal(&ctx, S, Slen, &pk);
7490 + EVP_MD_CTX_cleanup(&ctx);
7494 + ERR_clear_error();
7497 + fputs("Result = F\n", out);
7499 + fputs("Result = P\n", out);
7505 + FIPS_rsa_free(rsa_pubkey);
7507 + OPENSSL_free(buf);
7512 diff -up openssl-1.0.1b/crypto/fips/cavs/fips_shatest.c.fips openssl-1.0.1b/crypto/fips/cavs/fips_shatest.c
7513 --- openssl-1.0.1b/crypto/fips/cavs/fips_shatest.c.fips 2012-04-26 18:00:51.400769298 +0200
7514 +++ openssl-1.0.1b/crypto/fips/cavs/fips_shatest.c 2012-04-26 18:00:51.400769298 +0200
7516 +/* fips_shatest.c */
7517 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
7520 +/* ====================================================================
7521 + * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
7523 + * Redistribution and use in source and binary forms, with or without
7524 + * modification, are permitted provided that the following conditions
7527 + * 1. Redistributions of source code must retain the above copyright
7528 + * notice, this list of conditions and the following disclaimer.
7530 + * 2. Redistributions in binary form must reproduce the above copyright
7531 + * notice, this list of conditions and the following disclaimer in
7532 + * the documentation and/or other materials provided with the
7535 + * 3. All advertising materials mentioning features or use of this
7536 + * software must display the following acknowledgment:
7537 + * "This product includes software developed by the OpenSSL Project
7538 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
7540 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
7541 + * endorse or promote products derived from this software without
7542 + * prior written permission. For written permission, please contact
7543 + * licensing@OpenSSL.org.
7545 + * 5. Products derived from this software may not be called "OpenSSL"
7546 + * nor may "OpenSSL" appear in their names without prior written
7547 + * permission of the OpenSSL Project.
7549 + * 6. Redistributions of any form whatsoever must retain the following
7551 + * "This product includes software developed by the OpenSSL Project
7552 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
7554 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
7555 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
7556 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
7557 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
7558 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
7559 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
7560 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
7561 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
7562 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
7563 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
7564 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
7565 + * OF THE POSSIBILITY OF SUCH DAMAGE.
7566 + * ====================================================================
7568 + * This product includes cryptographic software written by Eric Young
7569 + * (eay@cryptsoft.com). This product includes software written by Tim
7570 + * Hudson (tjh@cryptsoft.com).
7576 +#include <string.h>
7577 +#include <openssl/bio.h>
7578 +#include <openssl/evp.h>
7579 +#include <openssl/err.h>
7580 +#include <openssl/bn.h>
7581 +#include <openssl/x509v3.h>
7583 +#ifndef OPENSSL_FIPS
7585 +int main(int argc, char *argv[])
7587 + printf("No FIPS SHAXXX support\n");
7593 +#include "fips_utl.h"
7595 +static int dgst_test(FILE *out, FILE *in);
7596 +static int print_dgst(const EVP_MD *md, FILE *out,
7597 + unsigned char *Msg, int Msglen);
7598 +static int print_monte(const EVP_MD *md, FILE *out,
7599 + unsigned char *Seed, int SeedLen);
7601 +int main(int argc, char **argv)
7603 + FILE *in = NULL, *out = NULL;
7607 + if(!FIPS_mode_set(1))
7609 + do_print_errors();
7616 + in = fopen(argv[1], "r");
7621 + out = fopen(argv[2], "w");
7625 + fprintf(stderr, "FATAL input initialization error\n");
7631 + fprintf(stderr, "FATAL output initialization error\n");
7635 + if (!dgst_test(out, in))
7637 + fprintf(stderr, "FATAL digest file processing error\n");
7646 + do_print_errors();
7648 + if (in && (in != stdin))
7650 + if (out && (out != stdout))
7657 +#define SHA_TEST_MAX_BITS 102400
7658 +#define SHA_TEST_MAXLINELEN (((SHA_TEST_MAX_BITS >> 3) * 2) + 100)
7660 +int dgst_test(FILE *out, FILE *in)
7662 + const EVP_MD *md = NULL;
7663 + char *linebuf, *olinebuf, *p, *q;
7664 + char *keyword, *value;
7665 + unsigned char *Msg = NULL, *Seed = NULL;
7666 + long MsgLen = -1, Len = -1, SeedLen = -1;
7670 + olinebuf = OPENSSL_malloc(SHA_TEST_MAXLINELEN);
7671 + linebuf = OPENSSL_malloc(SHA_TEST_MAXLINELEN);
7673 + if (!linebuf || !olinebuf)
7677 + while (fgets(olinebuf, SHA_TEST_MAXLINELEN, in))
7680 + strcpy(linebuf, olinebuf);
7681 + keyword = linebuf;
7682 + /* Skip leading space */
7683 + while (isspace((unsigned char)*keyword))
7686 + /* Look for = sign */
7687 + p = strchr(linebuf, '=');
7689 + /* If no = or starts with [ (for [L=20] line) just copy */
7692 + fputs(olinebuf, out);
7698 + /* Remove trailing space */
7699 + while (isspace((unsigned char)*q))
7705 + /* Remove leading space from value */
7706 + while (isspace((unsigned char)*value))
7709 + /* Remove trailing space from value */
7710 + p = value + strlen(value) - 1;
7711 + while (*p == '\n' || isspace((unsigned char)*p))
7714 + if (!strcmp(keyword,"[L") && *p==']')
7716 + switch (atoi(value))
7718 + case 20: md=EVP_sha1(); break;
7719 + case 28: md=EVP_sha224(); break;
7720 + case 32: md=EVP_sha256(); break;
7721 + case 48: md=EVP_sha384(); break;
7722 + case 64: md=EVP_sha512(); break;
7723 + default: goto parse_error;
7726 + else if (!strcmp(keyword, "Len"))
7730 + Len = atoi(value);
7733 + /* Only handle multiples of 8 bits */
7736 + if (Len > SHA_TEST_MAX_BITS)
7738 + MsgLen = Len >> 3;
7741 + else if (!strcmp(keyword, "Msg"))
7744 + if (strlen(value) & 1)
7748 + Msg = hex2bin_m(value, &tmplen);
7752 + else if (!strcmp(keyword, "Seed"))
7754 + if (strlen(value) & 1)
7758 + Seed = hex2bin_m(value, &SeedLen);
7762 + else if (!strcmp(keyword, "MD"))
7767 + fputs(olinebuf, out);
7769 + if (md && Msg && (MsgLen >= 0))
7771 + if (!print_dgst(md, out, Msg, MsgLen))
7773 + OPENSSL_free(Msg);
7778 + else if (md && Seed && (SeedLen > 0))
7780 + if (!print_monte(md, out, Seed, SeedLen))
7782 + OPENSSL_free(Seed);
7797 + OPENSSL_free(olinebuf);
7799 + OPENSSL_free(linebuf);
7801 + OPENSSL_free(Msg);
7803 + OPENSSL_free(Seed);
7809 + fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
7815 +static int print_dgst(const EVP_MD *emd, FILE *out,
7816 + unsigned char *Msg, int Msglen)
7819 + unsigned char md[EVP_MAX_MD_SIZE];
7820 + if (!EVP_Digest(Msg, Msglen, md, (unsigned int *)&mdlen, emd, NULL))
7822 + fputs("Error calculating HASH\n", stderr);
7825 + fputs("MD = ", out);
7826 + for (i = 0; i < mdlen; i++)
7827 + fprintf(out, "%02x", md[i]);
7832 +static int print_monte(const EVP_MD *md, FILE *out,
7833 + unsigned char *Seed, int SeedLen)
7835 + unsigned int i, j, k;
7838 + unsigned char *m1, *m2, *m3, *p;
7839 + unsigned int mlen, m1len, m2len, m3len;
7841 + EVP_MD_CTX_init(&ctx);
7843 + if (SeedLen > EVP_MAX_MD_SIZE)
7846 + mlen = EVP_MAX_MD_SIZE;
7848 + m1 = OPENSSL_malloc(mlen);
7849 + m2 = OPENSSL_malloc(mlen);
7850 + m3 = OPENSSL_malloc(mlen);
7852 + if (!m1 || !m2 || !m3)
7855 + m1len = m2len = m3len = SeedLen;
7856 + memcpy(m1, Seed, SeedLen);
7857 + memcpy(m2, Seed, SeedLen);
7858 + memcpy(m3, Seed, SeedLen);
7862 + for (j = 0; j < 100; j++)
7864 + for (i = 0; i < 1000; i++)
7866 + EVP_DigestInit_ex(&ctx, md, NULL);
7867 + EVP_DigestUpdate(&ctx, m1, m1len);
7868 + EVP_DigestUpdate(&ctx, m2, m2len);
7869 + EVP_DigestUpdate(&ctx, m3, m3len);
7876 + EVP_DigestFinal_ex(&ctx, m3, &m3len);
7878 + fprintf(out, "COUNT = %d\n", j);
7879 + fputs("MD = ", out);
7880 + for (k = 0; k < m3len; k++)
7881 + fprintf(out, "%02x", m3[k]);
7882 + fputs("\n\n", out);
7883 + memcpy(m1, m3, m3len);
7884 + memcpy(m2, m3, m3len);
7885 + m1len = m2len = m3len;
7898 + EVP_MD_CTX_cleanup(&ctx);
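Review bot: The Monte Carlo loop in print_monte ignores the return values of EVP_DigestInit_ex, the three EVP_DigestUpdate calls and EVP_DigestFinal_ex, so a digest failure leaves m3 and m3len holding the previous iteration's data and the loop still prints it as a valid "MD =" line with no error indication; the sibling helper print_dgst does test EVP_Digest, so the two are inconsistent. Collapse the five calls into one checked condition, `if (!EVP_DigestInit_ex(&ctx, md, NULL) || !EVP_DigestUpdate(&ctx, m1, m1len) || !EVP_DigestUpdate(&ctx, m2, m2len) || !EVP_DigestUpdate(&ctx, m3, m3len) || !EVP_DigestFinal_ex(&ctx, m3, &m3len))` and jump to the function's error path; print_monte's tail after the EVP_MD_CTX_cleanup is not visible in this hunk, so the label name has to come from there. As a point of style, dgst_test is declared `static` in its prototype but defined as plain `int dgst_test(FILE *out, FILE *in)`; the definition should carry `static` as well so the linkage is visible at both sites.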
7904 diff -up openssl-1.0.1b/crypto/fips/cavs/fips_utl.h.fips openssl-1.0.1b/crypto/fips/cavs/fips_utl.h
7905 --- openssl-1.0.1b/crypto/fips/cavs/fips_utl.h.fips 2012-04-26 18:00:51.400769298 +0200
7906 +++ openssl-1.0.1b/crypto/fips/cavs/fips_utl.h 2012-04-26 18:00:51.400769298 +0200
7908 +/* ====================================================================
7909 + * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
7911 + * Redistribution and use in source and binary forms, with or without
7912 + * modification, are permitted provided that the following conditions
7915 + * 1. Redistributions of source code must retain the above copyright
7916 + * notice, this list of conditions and the following disclaimer.
7918 + * 2. Redistributions in binary form must reproduce the above copyright
7919 + * notice, this list of conditions and the following disclaimer in
7920 + * the documentation and/or other materials provided with the
7923 + * 3. All advertising materials mentioning features or use of this
7924 + * software must display the following acknowledgment:
7925 + * "This product includes software developed by the OpenSSL Project
7926 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
7928 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
7929 + * endorse or promote products derived from this software without
7930 + * prior written permission. For written permission, please contact
7931 + * openssl-core@openssl.org.
7933 + * 5. Products derived from this software may not be called "OpenSSL"
7934 + * nor may "OpenSSL" appear in their names without prior written
7935 + * permission of the OpenSSL Project.
7937 + * 6. Redistributions of any form whatsoever must retain the following
7939 + * "This product includes software developed by the OpenSSL Project
7940 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
7942 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
7943 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
7944 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
7945 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
7946 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
7947 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
7948 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
7949 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
7950 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
7951 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
7952 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
7953 + * OF THE POSSIBILITY OF SUCH DAMAGE.
7957 +void do_print_errors(void)
7959 + const char *file, *data;
7962 + while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)))
7964 + fprintf(stderr, "ERROR:%lx:lib=%d,func=%d,reason=%d"
7965 + ":file=%s:line=%d:%s\n",
7966 + l, ERR_GET_LIB(l), ERR_GET_FUNC(l), ERR_GET_REASON(l),
7967 + file, line, flags & ERR_TXT_STRING ? data : "");
7971 +int hex2bin(const char *in, unsigned char *out)
7976 + for (n1=0,n2=0 ; in[n1] && in[n1] != '\n' ; )
7977 + { /* first byte */
7978 + if ((in[n1] >= '0') && (in[n1] <= '9'))
7979 + ch = in[n1++] - '0';
7980 + else if ((in[n1] >= 'A') && (in[n1] <= 'F'))
7981 + ch = in[n1++] - 'A' + 10;
7982 + else if ((in[n1] >= 'a') && (in[n1] <= 'f'))
7983 + ch = in[n1++] - 'a' + 10;
7991 + out[n2] = ch << 4;
7993 + if ((in[n1] >= '0') && (in[n1] <= '9'))
7994 + ch = in[n1++] - '0';
7995 + else if ((in[n1] >= 'A') && (in[n1] <= 'F'))
7996 + ch = in[n1++] - 'A' + 10;
7997 + else if ((in[n1] >= 'a') && (in[n1] <= 'f'))
7998 + ch = in[n1++] - 'a' + 10;
8006 +unsigned char *hex2bin_m(const char *in, long *plen)
8009 + p = OPENSSL_malloc((strlen(in) + 1)/2);
8010 + *plen = hex2bin(in, p);
8014 +int do_hex2bn(BIGNUM **pr, const char *in)
8019 + p = hex2bin_m(in, &plen);
8026 + if (BN_bin2bn(p, plen, *pr))
8032 +int do_bn_print(FILE *out, BIGNUM *bn)
8035 + unsigned char *tmp;
8036 + len = BN_num_bytes(bn);
8043 + tmp = OPENSSL_malloc(len);
8046 + fprintf(stderr, "Memory allocation error\n");
8049 + BN_bn2bin(bn, tmp);
8050 + for (i = 0; i < len; i++)
8051 + fprintf(out, "%02x", tmp[i]);
8052 + OPENSSL_free(tmp);
8056 +int do_bn_print_name(FILE *out, const char *name, BIGNUM *bn)
8059 + fprintf(out, "%s = ", name);
8060 + r = do_bn_print(out, bn);
8067 +int parse_line(char **pkw, char **pval, char *linebuf, char *olinebuf)
8069 + char *keyword, *value, *p, *q;
8070 + strcpy(linebuf, olinebuf);
8071 + keyword = linebuf;
8072 + /* Skip leading space */
8073 + while (isspace((unsigned char)*keyword))
8076 + /* Look for = sign */
8077 + p = strchr(linebuf, '=');
8079 + /* If no '=' exit */
8085 + /* Remove trailing space */
8086 + while (isspace((unsigned char)*q))
8092 + /* Remove leading space from value */
8093 + while (isspace((unsigned char)*value))
8096 + /* Remove trailing space from value */
8097 + p = value + strlen(value) - 1;
8099 + while (*p == '\n' || isspace((unsigned char)*p))
8107 +BIGNUM *hex2bn(const char *in)
8111 + if (!do_hex2bn(&p, in))
8117 +int bin2hex(const unsigned char *in,int len,char *out)
8122 + for (n1=0,n2=0 ; n1 < len ; ++n1)
8128 + out[n2++]=ch-10+'a';
8133 + out[n2++]=ch-10+'a';
8139 +void pv(const char *tag,const unsigned char *val,int len)
8143 + bin2hex(val,len,obuf);
8144 + printf("%s = %s\n",tag,obuf);
8147 +/* To avoid extensive changes to test program at this stage just convert
8148 + * the input line into an acceptable form. Keyword lines converted to form
8149 + * "keyword = value\n" no matter what white space present, all other lines
8150 + * just have leading and trailing space removed.
8153 +int tidy_line(char *linebuf, char *olinebuf)
8155 + char *keyword, *value, *p, *q;
8156 + strcpy(linebuf, olinebuf);
8157 + keyword = linebuf;
8158 + /* Skip leading space */
8159 + while (isspace((unsigned char)*keyword))
8161 + /* Look for = sign */
8162 + p = strchr(linebuf, '=');
8164 + /* If no '=' just chop leading, trailing ws */
8167 + p = keyword + strlen(keyword) - 1;
8168 + while (*p == '\n' || isspace((unsigned char)*p))
8170 + strcpy(olinebuf, keyword);
8171 + strcat(olinebuf, "\n");
8177 + /* Remove trailing space */
8178 + while (isspace((unsigned char)*q))
8184 + /* Remove leading space from value */
8185 + while (isspace((unsigned char)*value))
8188 + /* Remove trailing space from value */
8189 + p = value + strlen(value) - 1;
8191 + while (*p == '\n' || isspace((unsigned char)*p))
8194 + strcpy(olinebuf, keyword);
8195 + strcat(olinebuf, " = ");
8196 + strcat(olinebuf, value);
8197 + strcat(olinebuf, "\n");
8202 +/* NB: this return the number of _bits_ read */
8203 +int bint2bin(const char *in, int len, unsigned char *out)
8207 + memset(out,0,len);
8208 + for(n=0 ; n < len ; ++n)
8210 + out[n/8]|=(0x80 >> (n%8));
8214 +int bin2bint(const unsigned char *in,int len,char *out)
8218 + for(n=0 ; n < len ; ++n)
8219 + out[n]=(in[n/8]&(0x80 >> (n%8))) ? '1' : '0';
8223 +/*-----------------------------------------------*/
8225 +void PrintValue(char *tag, unsigned char *val, int len)
8230 + olen = bin2hex(val, len, obuf);
8231 + printf("%s = %.*s\n", tag, olen, obuf);
8235 +void OutputValue(char *tag, unsigned char *val, int len, FILE *rfp,int bitmode)
8241 + olen=bin2bint(val,len,obuf);
8243 + olen=bin2hex(val,len,obuf);
8245 + fprintf(rfp, "%s = %.*s\n", tag, olen, obuf);
8247 + printf("%s = %.*s\n", tag, olen, obuf);
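Review bot: In tidy_line the no-'=' branch computes `p = keyword + strlen(keyword) - 1` after keyword has already been advanced past all leading whitespace, so for a blank or whitespace-only line keyword is empty, p starts on the last whitespace byte, and the trailing-space loop walks backwards past the start of linebuf (a heap buffer from the callers' OPENSSL_malloc), reading and possibly writing before it, unless the two lines dropped before that assignment add a check. The same expression on value in parse_line and the two test programs presumably relies on the byte written over '=' in lines not shown here as a stopper; no such stopper precedes keyword in this branch, so guard it with `if (*keyword == '\0') { strcpy(olinebuf, "\n"); return <same value as the '=' branch>; }` before the subtraction. Separately, hex2bin_m passes the OPENSSL_malloc result straight to hex2bin without a NULL check, and hex2bin writes out[n2] with no bound; add `if (!p) return NULL;` and a comment on hex2bin stating that the caller must size out for at least strlen(in)/2 bytes. These are also non-static function definitions in a header, which will fail to link if two translation units of one program include fips_utl.h.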
8251 diff -up openssl-1.0.1b/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.1b/crypto/fips/fips_aes_selftest.c
8252 --- openssl-1.0.1b/crypto/fips/fips_aes_selftest.c.fips 2012-04-26 18:00:51.401769321 +0200
8253 +++ openssl-1.0.1b/crypto/fips/fips_aes_selftest.c 2012-04-26 18:00:51.401769321 +0200
8255 +/* ====================================================================
8256 + * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
8258 + * Redistribution and use in source and binary forms, with or without
8259 + * modification, are permitted provided that the following conditions
8262 + * 1. Redistributions of source code must retain the above copyright
8263 + * notice, this list of conditions and the following disclaimer.
8265 + * 2. Redistributions in binary form must reproduce the above copyright
8266 + * notice, this list of conditions and the following disclaimer in
8267 + * the documentation and/or other materials provided with the
8270 + * 3. All advertising materials mentioning features or use of this
8271 + * software must display the following acknowledgment:
8272 + * "This product includes software developed by the OpenSSL Project
8273 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
8275 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
8276 + * endorse or promote products derived from this software without
8277 + * prior written permission. For written permission, please contact
8278 + * openssl-core@openssl.org.
8280 + * 5. Products derived from this software may not be called "OpenSSL"
8281 + * nor may "OpenSSL" appear in their names without prior written
8282 + * permission of the OpenSSL Project.
8284 + * 6. Redistributions of any form whatsoever must retain the following
8286 + * "This product includes software developed by the OpenSSL Project
8287 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
8289 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
8290 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
8291 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
8292 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
8293 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
8294 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
8295 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
8296 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
8297 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
8298 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
8299 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
8300 + * OF THE POSSIBILITY OF SUCH DAMAGE.
8304 +#include <string.h>
8305 +#include <openssl/err.h>
8306 +#ifdef OPENSSL_FIPS
8307 +#include <openssl/fips.h>
8309 +#include <openssl/evp.h>
8311 +#ifdef OPENSSL_FIPS
8312 +static const struct
8314 + const unsigned char key[16];
8315 + const unsigned char plaintext[16];
8316 + const unsigned char ciphertext[16];
8320 + { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
8321 + 0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F },
8322 + { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
8323 + 0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF },
8324 + { 0x69,0xC4,0xE0,0xD8,0x6A,0x7B,0x04,0x30,
8325 + 0xD8,0xCD,0xB7,0x80,0x70,0xB4,0xC5,0x5A },
8329 +static int corrupt_aes;
8331 +void FIPS_corrupt_aes()
8336 +int FIPS_selftest_aes()
8340 + EVP_CIPHER_CTX ctx;
8341 + EVP_CIPHER_CTX_init(&ctx);
8343 + for(n=0 ; n < 1 ; ++n)
8345 + unsigned char key[16];
8347 + memcpy(key, tests[n].key, sizeof(key));
8350 + if (fips_cipher_test(&ctx, EVP_aes_128_ecb(),
8352 + tests[n].plaintext,
8353 + tests[n].ciphertext,
8359 + EVP_CIPHER_CTX_cleanup(&ctx);
8361 + FIPSerr(FIPS_F_FIPS_SELFTEST_AES,FIPS_R_SELFTEST_FAILED);
8365 +/* AES-CCM test data from NIST public test vectors */
8367 +static const unsigned char ccm_key[] = {
8368 + 0xce,0xb0,0x09,0xae,0xa4,0x45,0x44,0x51,0xfe,0xad,0xf0,0xe6,
8369 + 0xb3,0x6f,0x45,0x55,0x5d,0xd0,0x47,0x23,0xba,0xa4,0x48,0xe8
8371 +static const unsigned char ccm_nonce[] = {
8372 + 0x76,0x40,0x43,0xc4,0x94,0x60,0xb7
8374 +static const unsigned char ccm_adata[] = {
8375 + 0x6e,0x80,0xdd,0x7f,0x1b,0xad,0xf3,0xa1,0xc9,0xab,0x25,0xc7,
8376 + 0x5f,0x10,0xbd,0xe7,0x8c,0x23,0xfa,0x0e,0xb8,0xf9,0xaa,0xa5,
8377 + 0x3a,0xde,0xfb,0xf4,0xcb,0xf7,0x8f,0xe4
8379 +static const unsigned char ccm_pt[] = {
8380 + 0xc8,0xd2,0x75,0xf9,0x19,0xe1,0x7d,0x7f,0xe6,0x9c,0x2a,0x1f,
8381 + 0x58,0x93,0x9d,0xfe,0x4d,0x40,0x37,0x91,0xb5,0xdf,0x13,0x10
8383 +static const unsigned char ccm_ct[] = {
8384 + 0x8a,0x0f,0x3d,0x82,0x29,0xe4,0x8e,0x74,0x87,0xfd,0x95,0xa2,
8385 + 0x8a,0xd3,0x92,0xc8,0x0b,0x36,0x81,0xd4,0xfb,0xc7,0xbb,0xfd
8387 +static const unsigned char ccm_tag[] = {
8388 + 0x2d,0xd6,0xef,0x1c,0x45,0xd4,0xcc,0xb7,0x23,0xdc,0x07,0x44,
8389 + 0x14,0xdb,0x50,0x6d
8392 +int FIPS_selftest_aes_ccm(void)
8395 + unsigned char out[128], tag[16];
8396 + EVP_CIPHER_CTX ctx;
8397 + EVP_CIPHER_CTX_init(&ctx);
8398 + memset(out, 0, sizeof(out));
8399 + if (!EVP_CipherInit(&ctx, EVP_aes_192_ccm(), NULL, NULL, 1))
8401 + if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN,
8402 + sizeof(ccm_nonce), NULL))
8404 + if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG,
8405 + sizeof(ccm_tag), NULL))
8407 + if (!EVP_CipherInit(&ctx, NULL, ccm_key, ccm_nonce, 1))
8409 + if (EVP_Cipher(&ctx, NULL, NULL, sizeof(ccm_pt)) != sizeof(ccm_pt))
8411 + if (EVP_Cipher(&ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
8413 + if (EVP_Cipher(&ctx, out, ccm_pt, sizeof(ccm_pt)) != sizeof(ccm_ct))
8416 + if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_GET_TAG, 16, tag))
8418 + if (memcmp(tag, ccm_tag, sizeof(ccm_tag))
8419 + || memcmp(out, ccm_ct, sizeof(ccm_ct)))
8422 + memset(out, 0, sizeof(out));
8424 + if (!EVP_CipherInit(&ctx, EVP_aes_192_ccm(), NULL, NULL, 0))
8426 + if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN,
8427 + sizeof(ccm_nonce), NULL))
8429 + if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG, 16, tag))
8431 + if (!EVP_CipherInit(&ctx, NULL, ccm_key, ccm_nonce, 0))
8433 + if (EVP_Cipher(&ctx, NULL, NULL, sizeof(ccm_ct)) != sizeof(ccm_ct))
8435 + if (EVP_Cipher(&ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
8437 + if (EVP_Cipher(&ctx, out, ccm_ct, sizeof(ccm_ct)) != sizeof(ccm_pt))
8440 + if (memcmp(out, ccm_pt, sizeof(ccm_pt)))
8446 + EVP_CIPHER_CTX_cleanup(&ctx);
8450 + FIPSerr(FIPS_F_FIPS_SELFTEST_AES_CCM,FIPS_R_SELFTEST_FAILED);
8458 +/* AES-GCM test data from NIST public test vectors */
8460 +static const unsigned char gcm_key[] = {
8461 + 0xee,0xbc,0x1f,0x57,0x48,0x7f,0x51,0x92,0x1c,0x04,0x65,0x66,
8462 + 0x5f,0x8a,0xe6,0xd1,0x65,0x8b,0xb2,0x6d,0xe6,0xf8,0xa0,0x69,
8463 + 0xa3,0x52,0x02,0x93,0xa5,0x72,0x07,0x8f
8465 +static const unsigned char gcm_iv[] = {
8466 + 0x99,0xaa,0x3e,0x68,0xed,0x81,0x73,0xa0,0xee,0xd0,0x66,0x84
8468 +static const unsigned char gcm_pt[] = {
8469 + 0xf5,0x6e,0x87,0x05,0x5b,0xc3,0x2d,0x0e,0xeb,0x31,0xb2,0xea,
8470 + 0xcc,0x2b,0xf2,0xa5
8472 +static const unsigned char gcm_aad[] = {
8473 + 0x4d,0x23,0xc3,0xce,0xc3,0x34,0xb4,0x9b,0xdb,0x37,0x0c,0x43,
8474 + 0x7f,0xec,0x78,0xde
8476 +static const unsigned char gcm_ct[] = {
8477 + 0xf7,0x26,0x44,0x13,0xa8,0x4c,0x0e,0x7c,0xd5,0x36,0x86,0x7e,
8478 + 0xb9,0xf2,0x17,0x36
8480 +static const unsigned char gcm_tag[] = {
8481 + 0x67,0xba,0x05,0x10,0x26,0x2a,0xe4,0x87,0xd7,0x37,0xee,0x62,
8482 + 0x98,0xf7,0x7e,0x0c
8485 +int FIPS_selftest_aes_gcm(void)
8488 + unsigned char out[128], tag[16];
8489 + EVP_CIPHER_CTX ctx;
8490 + EVP_CIPHER_CTX_init(&ctx);
8491 + memset(out, 0, sizeof(out));
8492 + memset(tag, 0, sizeof(tag));
8493 + if (!EVP_CipherInit(&ctx, EVP_aes_256_gcm(), NULL, NULL, 1))
8495 + if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN,
8496 + sizeof(gcm_iv), NULL))
8498 + if (!EVP_CipherInit(&ctx, NULL, gcm_key, gcm_iv, 1))
8500 + if (EVP_Cipher(&ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
8502 + if (EVP_Cipher(&ctx, out, gcm_pt, sizeof(gcm_pt)) != sizeof(gcm_ct))
8504 + if (EVP_Cipher(&ctx, NULL, NULL, 0) < 0)
8507 + if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, 16, tag))
8510 + if (memcmp(tag, gcm_tag, 16) || memcmp(out, gcm_ct, 16))
8513 + memset(out, 0, sizeof(out));
8515 + if (!EVP_CipherInit(&ctx, EVP_aes_256_gcm(), NULL, NULL, 0))
8517 + if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN,
8518 + sizeof(gcm_iv), NULL))
8520 + if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, 16, tag))
8522 + if (!EVP_CipherInit(&ctx, NULL, gcm_key, gcm_iv, 0))
8524 + if (EVP_Cipher(&ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
8526 + if (EVP_Cipher(&ctx, out, gcm_ct, sizeof(gcm_ct)) != sizeof(gcm_pt))
8528 + if (EVP_Cipher(&ctx, NULL, NULL, 0) < 0)
8531 + if (memcmp(out, gcm_pt, 16))
8537 + EVP_CIPHER_CTX_cleanup(&ctx);
8541 + FIPSerr(FIPS_F_FIPS_SELFTEST_AES_GCM,FIPS_R_SELFTEST_FAILED);
8550 +static const unsigned char XTS_128_key[] = {
8551 + 0xa1,0xb9,0x0c,0xba,0x3f,0x06,0xac,0x35,0x3b,0x2c,0x34,0x38,
8552 + 0x76,0x08,0x17,0x62,0x09,0x09,0x23,0x02,0x6e,0x91,0x77,0x18,
8553 + 0x15,0xf2,0x9d,0xab,0x01,0x93,0x2f,0x2f
8555 +static const unsigned char XTS_128_i[] = {
8556 + 0x4f,0xae,0xf7,0x11,0x7c,0xda,0x59,0xc6,0x6e,0x4b,0x92,0x01,
8557 + 0x3e,0x76,0x8a,0xd5
8559 +static const unsigned char XTS_128_pt[] = {
8560 + 0xeb,0xab,0xce,0x95,0xb1,0x4d,0x3c,0x8d,0x6f,0xb3,0x50,0x39,
8561 + 0x07,0x90,0x31,0x1c
8563 +static const unsigned char XTS_128_ct[] = {
8564 + 0x77,0x8a,0xe8,0xb4,0x3c,0xb9,0x8d,0x5a,0x82,0x50,0x81,0xd5,
8565 + 0xbe,0x47,0x1c,0x63
8568 +static const unsigned char XTS_256_key[] = {
8569 + 0x1e,0xa6,0x61,0xc5,0x8d,0x94,0x3a,0x0e,0x48,0x01,0xe4,0x2f,
8570 + 0x4b,0x09,0x47,0x14,0x9e,0x7f,0x9f,0x8e,0x3e,0x68,0xd0,0xc7,
8571 + 0x50,0x52,0x10,0xbd,0x31,0x1a,0x0e,0x7c,0xd6,0xe1,0x3f,0xfd,
8572 + 0xf2,0x41,0x8d,0x8d,0x19,0x11,0xc0,0x04,0xcd,0xa5,0x8d,0xa3,
8573 + 0xd6,0x19,0xb7,0xe2,0xb9,0x14,0x1e,0x58,0x31,0x8e,0xea,0x39,
8574 + 0x2c,0xf4,0x1b,0x08
8576 +static const unsigned char XTS_256_i[] = {
8577 + 0xad,0xf8,0xd9,0x26,0x27,0x46,0x4a,0xd2,0xf0,0x42,0x8e,0x84,
8578 + 0xa9,0xf8,0x75,0x64
8580 +static const unsigned char XTS_256_pt[] = {
8581 + 0x2e,0xed,0xea,0x52,0xcd,0x82,0x15,0xe1,0xac,0xc6,0x47,0xe8,
8582 + 0x10,0xbb,0xc3,0x64,0x2e,0x87,0x28,0x7f,0x8d,0x2e,0x57,0xe3,
8583 + 0x6c,0x0a,0x24,0xfb,0xc1,0x2a,0x20,0x2e
8585 +static const unsigned char XTS_256_ct[] = {
8586 + 0xcb,0xaa,0xd0,0xe2,0xf6,0xce,0xa3,0xf5,0x0b,0x37,0xf9,0x34,
8587 + 0xd4,0x6a,0x9b,0x13,0x0b,0x9d,0x54,0xf0,0x7e,0x34,0xf3,0x6a,
8588 + 0xf7,0x93,0xe8,0x6f,0x73,0xc6,0xd7,0xdb
8591 +int FIPS_selftest_aes_xts()
8594 + EVP_CIPHER_CTX ctx;
8595 + EVP_CIPHER_CTX_init(&ctx);
8597 + if (fips_cipher_test(&ctx, EVP_aes_128_xts(),
8598 + XTS_128_key, XTS_128_i, XTS_128_pt, XTS_128_ct,
8599 + sizeof(XTS_128_pt)) <= 0)
8602 + if (fips_cipher_test(&ctx, EVP_aes_256_xts(),
8603 + XTS_256_key, XTS_256_i, XTS_256_pt, XTS_256_ct,
8604 + sizeof(XTS_256_pt)) <= 0)
8607 + EVP_CIPHER_CTX_cleanup(&ctx);
8609 + FIPSerr(FIPS_F_FIPS_SELFTEST_AES_XTS,FIPS_R_SELFTEST_FAILED);
8614 diff -up openssl-1.0.1b/crypto/fips/fips.c.fips openssl-1.0.1b/crypto/fips/fips.c
8615 --- openssl-1.0.1b/crypto/fips/fips.c.fips 2012-04-26 18:00:51.401769321 +0200
8616 +++ openssl-1.0.1b/crypto/fips/fips.c 2012-04-26 18:00:51.401769321 +0200
8618 +/* ====================================================================
8619 + * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
8621 + * Redistribution and use in source and binary forms, with or without
8622 + * modification, are permitted provided that the following conditions
8625 + * 1. Redistributions of source code must retain the above copyright
8626 + * notice, this list of conditions and the following disclaimer.
8628 + * 2. Redistributions in binary form must reproduce the above copyright
8629 + * notice, this list of conditions and the following disclaimer in
8630 + * the documentation and/or other materials provided with the
8633 + * 3. All advertising materials mentioning features or use of this
8634 + * software must display the following acknowledgment:
8635 + * "This product includes software developed by the OpenSSL Project
8636 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
8638 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
8639 + * endorse or promote products derived from this software without
8640 + * prior written permission. For written permission, please contact
8641 + * openssl-core@openssl.org.
8643 + * 5. Products derived from this software may not be called "OpenSSL"
8644 + * nor may "OpenSSL" appear in their names without prior written
8645 + * permission of the OpenSSL Project.
8647 + * 6. Redistributions of any form whatsoever must retain the following
8649 + * "This product includes software developed by the OpenSSL Project
8650 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
8652 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
8653 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
8654 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
8655 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
8656 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
8657 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
8658 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
8659 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
8660 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
8661 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
8662 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
8663 + * OF THE POSSIBILITY OF SUCH DAMAGE.
8667 +#define _GNU_SOURCE
8669 +#include <openssl/rand.h>
8670 +#include <openssl/fips_rand.h>
8671 +#include <openssl/err.h>
8672 +#include <openssl/bio.h>
8673 +#include <openssl/hmac.h>
8674 +#include <openssl/rsa.h>
8675 +#include <string.h>
8676 +#include <limits.h>
8679 +#include <stdlib.h>
8680 +#include "fips_locl.h"
8682 +#ifdef OPENSSL_FIPS
8684 +#include <openssl/fips.h>
8687 +#define PATH_MAX 1024
8690 +static int fips_selftest_fail = 0;
8691 +static int fips_mode = 0;
8692 +static int fips_started = 0;
8694 +static int fips_is_owning_thread(void);
8695 +static int fips_set_owning_thread(void);
8696 +static int fips_clear_owning_thread(void);
8698 +#define fips_w_lock() CRYPTO_w_lock(CRYPTO_LOCK_FIPS)
8699 +#define fips_w_unlock() CRYPTO_w_unlock(CRYPTO_LOCK_FIPS)
8700 +#define fips_r_lock() CRYPTO_r_lock(CRYPTO_LOCK_FIPS)
8701 +#define fips_r_unlock() CRYPTO_r_unlock(CRYPTO_LOCK_FIPS)
8703 +static void fips_set_mode(int onoff)
8705 + int owning_thread = fips_is_owning_thread();
8709 + if (!owning_thread) fips_w_lock();
8710 + fips_mode = onoff;
8711 + if (!owning_thread) fips_w_unlock();
8715 +int FIPS_module_mode(void)
8718 + int owning_thread = fips_is_owning_thread();
8722 + if (!owning_thread) fips_r_lock();
8724 + if (!owning_thread) fips_r_unlock();
8729 +int FIPS_selftest_failed(void)
8734 + int owning_thread = fips_is_owning_thread();
8736 + if (!owning_thread) fips_r_lock();
8737 + ret = fips_selftest_fail;
8738 + if (!owning_thread) fips_r_unlock();
8743 +/* Selftest failure fatal exit routine. This will be called
8744 + * during *any* cryptographic operation. It has the minimum
8745 + * overhead possible to avoid too big a performance hit.
8748 +void FIPS_selftest_check(void)
8750 + if (fips_selftest_fail)
8752 + OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE");
8756 +void fips_set_selftest_fail(void)
8758 + fips_selftest_fail = 1;
8761 +/* we implement what libfipscheck does ourselves */
8764 +get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
8770 + dl = dlopen(libname, RTLD_LAZY);
8775 + sym = dlsym(dl, symbolname);
8777 + if (sym != NULL && dladdr(sym, &info)) {
8778 + strncpy(path, info.dli_fname, pathlen-1);
8779 + path[pathlen-1] = '\0';
8788 +static const char conv[] = "0123456789abcdef";
8791 +bin2hex(void *buf, size_t len)
8794 + unsigned char *src = buf;
8796 + hex = malloc(len * 2 + 1);
8808 + *p = conv[c >> 4];
8810 + *p = conv[c & 0x0f];
8818 +#define HMAC_PREFIX "."
8819 +#define HMAC_SUFFIX ".hmac"
8820 +#define READ_BUFFER_LENGTH 16384
8823 +make_hmac_path(const char *origpath)
8828 + path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
8829 + if(path == NULL) {
8833 + fn = strrchr(origpath, '/');
8840 + strncpy(path, origpath, fn-origpath);
8841 + p = path + (fn - origpath);
8842 + p = stpcpy(p, HMAC_PREFIX);
8843 + p = stpcpy(p, fn);
8844 + p = stpcpy(p, HMAC_SUFFIX);
8849 +static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
8852 +compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
8856 + unsigned char rbuf[READ_BUFFER_LENGTH];
8858 + unsigned int hlen;
8861 + HMAC_CTX_init(&c);
8863 + f = fopen(path, "r");
8869 + HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
8871 + while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
8872 + HMAC_Update(&c, rbuf, len);
8875 + len = sizeof(rbuf);
8876 + /* reuse rbuf for hmac */
8877 + HMAC_Final(&c, rbuf, &hlen);
8879 + *buf = malloc(hlen);
8880 + if (*buf == NULL) {
8886 + memcpy(*buf, rbuf, hlen);
8890 + HMAC_CTX_cleanup(&c);
8899 +FIPSCHECK_verify(const char *libname, const char *symbolname)
8901 + char path[PATH_MAX+1];
8904 + char *hmacpath, *p;
8905 + char *hmac = NULL;
8908 + rv = get_library_path(libname, symbolname, path, sizeof(path));
8913 + hmacpath = make_hmac_path(path);
8914 + if (hmacpath == NULL)
8917 + hf = fopen(hmacpath, "r");
8923 + if (getline(&hmac, &n, hf) > 0) {
8928 + if ((p=strchr(hmac, '\n')) != NULL)
8931 + if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
8936 + if ((hex=bin2hex(buf, hmaclen)) == NULL) {
8942 + if (strcmp(hex, hmac) != 0) {
8957 + /* check successful */
8961 +int FIPS_module_mode_set(int onoff, const char *auth)
8967 + fips_set_owning_thread();
8972 + fips_selftest_fail = 0;
8974 + /* Don't go into FIPS mode twice, just so we can do automagic
8976 + if(FIPS_module_mode())
8978 + FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FIPS_MODE_ALREADY_SET);
8979 + fips_selftest_fail = 1;
8984 +#ifdef OPENSSL_IA32_SSE2
8986 + extern unsigned int OPENSSL_ia32cap_P[2];
8987 + if ((OPENSSL_ia32cap_P[0] & (1<<25|1<<26)) != (1<<25|1<<26))
8989 + FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_UNSUPPORTED_PLATFORM);
8990 + fips_selftest_fail = 1;
8994 + OPENSSL_ia32cap_P[0] |= (1<<28); /* set "shared cache" */
8995 + OPENSSL_ia32cap_P[1] &= ~(1<<(60-32)); /* clear AVX */
8999 + if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
9001 + FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
9002 + fips_selftest_fail = 1;
9007 + if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
9009 + FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
9010 + fips_selftest_fail = 1;
9015 + if(FIPS_selftest())
9016 + fips_set_mode(onoff);
9019 + fips_selftest_fail = 1;
9027 + fips_selftest_fail = 0;
9030 + fips_clear_owning_thread();
9035 +static CRYPTO_THREADID fips_thread;
9036 +static int fips_thread_set = 0;
9038 +static int fips_is_owning_thread(void)
9044 + CRYPTO_r_lock(CRYPTO_LOCK_FIPS2);
9045 + if (fips_thread_set)
9047 + CRYPTO_THREADID cur;
9048 + CRYPTO_THREADID_current(&cur);
9049 + if (!CRYPTO_THREADID_cmp(&cur, &fips_thread))
9052 + CRYPTO_r_unlock(CRYPTO_LOCK_FIPS2);
9057 +int fips_set_owning_thread(void)
9063 + CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
9064 + if (!fips_thread_set)
9066 + CRYPTO_THREADID_current(&fips_thread);
9068 + fips_thread_set = 1;
9070 + CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
9075 +int fips_clear_owning_thread(void)
9081 + CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
9082 + if (fips_thread_set)
9084 + CRYPTO_THREADID cur;
9085 + CRYPTO_THREADID_current(&cur);
9086 + if (!CRYPTO_THREADID_cmp(&cur, &fips_thread))
9087 + fips_thread_set = 0;
9089 + CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
9096 +/* The purpose of this is to ensure the error code exists and the function
9097 + * name is to keep the error checking script quiet
9099 +void hash_final(void)
9101 + FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD);
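Review bot: get_library_path silently truncates dli_fname when it does not fit in path (the strncpy/NUL pair after the dladdr check), and FIPSCHECK_verify then opens and HMACs whatever the truncated string names instead of the library that was actually mapped; an over-long path should fail the check outright, e.g. `int n = snprintf(path, pathlen, "%s", info.dli_fname);` followed by `if (n < 0 || (size_t)n >= pathlen) { /* treat as lookup failure */ }` returning the same value the dlopen/dlsym error paths use (those paths are omitted from this view). Also, hmackey is a compile-time constant shipped inside the library, so the fingerprint is an integrity check against corruption rather than an authenticity check, and it covers the on-disk file rather than the mapped image; a comment above hmackey such as `/* Embedded, non-secret key: the HMAC detects corruption of the on-disk file, it does not authenticate it */` would stop readers from assuming more. Finally, the fread loop in compute_file_hmac ends identically on EOF and on a read error, so a partially read file produces a mismatch with a misleading error code; checking `if (ferror(f))` after the loop and failing before HMAC_Final would distinguish the two.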
9107 diff -up openssl-1.0.1b/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.1b/crypto/fips/fips_cmac_selftest.c
9108 --- openssl-1.0.1b/crypto/fips/fips_cmac_selftest.c.fips 2012-04-26 18:00:51.401769321 +0200
9109 +++ openssl-1.0.1b/crypto/fips/fips_cmac_selftest.c 2012-04-26 18:00:51.401769321 +0200
9111 +/* ====================================================================
9112 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
9114 + * Redistribution and use in source and binary forms, with or without
9115 + * modification, are permitted provided that the following conditions
9118 + * 1. Redistributions of source code must retain the above copyright
9119 + * notice, this list of conditions and the following disclaimer.
9121 + * 2. Redistributions in binary form must reproduce the above copyright
9122 + * notice, this list of conditions and the following disclaimer in
9123 + * the documentation and/or other materials provided with the
9126 + * 3. All advertising materials mentioning features or use of this
9127 + * software must display the following acknowledgment:
9128 + * "This product includes software developed by the OpenSSL Project
9129 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
9131 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
9132 + * endorse or promote products derived from this software without
9133 + * prior written permission. For written permission, please contact
9134 + * openssl-core@openssl.org.
9136 + * 5. Products derived from this software may not be called "OpenSSL"
9137 + * nor may "OpenSSL" appear in their names without prior written
9138 + * permission of the OpenSSL Project.
9140 + * 6. Redistributions of any form whatsoever must retain the following
9142 + * "This product includes software developed by the OpenSSL Project
9143 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
9145 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
9146 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
9147 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
9148 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
9149 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
9150 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
9151 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
9152 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
9153 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
9154 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
9155 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
9156 + * OF THE POSSIBILITY OF SUCH DAMAGE.
9160 +#include <string.h>
9161 +#include <openssl/err.h>
9162 +#include <openssl/fips.h>
9163 +#include <openssl/cmac.h>
9164 +#include "fips_locl.h"
9166 +#ifdef OPENSSL_FIPS
9169 + const unsigned char key[EVP_MAX_KEY_LENGTH]; size_t keysize;
9170 + const unsigned char msg[64]; size_t msgsize;
9171 + const unsigned char mac[32]; size_t macsize;
9174 +/* from http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf */
9175 +static const CMAC_KAT vector[] = {
9176 + { NID_aes_128_cbc, /* Count = 32 from CMACGenAES128.txt */
9177 + { 0x77,0xa7,0x7f,0xaf, 0x29,0x0c,0x1f,0xa3,
9178 + 0x0c,0x68,0x3d,0xf1, 0x6b,0xa7,0xa7,0x7b, }, 128,
9179 + { 0x02,0x06,0x83,0xe1, 0xf0,0x39,0x2f,0x4c,
9180 + 0xac,0x54,0x31,0x8b, 0x60,0x29,0x25,0x9e,
9181 + 0x9c,0x55,0x3d,0xbc, 0x4b,0x6a,0xd9,0x98,
9182 + 0xe6,0x4d,0x58,0xe4, 0xe7,0xdc,0x2e,0x13, }, 256,
9183 + { 0xfb,0xfe,0xa4,0x1b, }, 32
9185 + { NID_aes_192_cbc, /* Count = 23 from CMACGenAES192.txt */
9186 + { 0x7b,0x32,0x39,0x13, 0x69,0xaa,0x4c,0xa9,
9187 + 0x75,0x58,0x09,0x5b, 0xe3,0xc3,0xec,0x86,
9188 + 0x2b,0xd0,0x57,0xce, 0xf1,0xe3,0x2d,0x62, }, 192,
9190 + { 0xe4,0xd9,0x34,0x0b, 0x03,0xe6,0x7d,0xef,
9191 + 0xd4,0x96,0x9c,0xc1, 0xed,0x37,0x35,0xe6, }, 128,
9193 + { NID_aes_256_cbc, /* Count = 33 from CMACGenAES256.txt */
9194 + { 0x0b,0x12,0x2a,0xc8, 0xf3,0x4e,0xd1,0xfe,
9195 + 0x08,0x2a,0x36,0x25, 0xd1,0x57,0x56,0x14,
9196 + 0x54,0x16,0x7a,0xc1, 0x45,0xa1,0x0b,0xbf,
9197 + 0x77,0xc6,0xa7,0x05, 0x96,0xd5,0x74,0xf1, }, 256,
9198 + { 0x49,0x8b,0x53,0xfd, 0xec,0x87,0xed,0xcb,
9199 + 0xf0,0x70,0x97,0xdc, 0xcd,0xe9,0x3a,0x08,
9200 + 0x4b,0xad,0x75,0x01, 0xa2,0x24,0xe3,0x88,
9201 + 0xdf,0x34,0x9c,0xe1, 0x89,0x59,0xfe,0x84,
9202 + 0x85,0xf8,0xad,0x15, 0x37,0xf0,0xd8,0x96,
9203 + 0xea,0x73,0xbe,0xdc, 0x72,0x14,0x71,0x3f, }, 384,
9204 + { 0xf6,0x2c,0x46,0x32, 0x9b, }, 40,
9206 + { NID_des_ede3_cbc, /* Count = 41 from CMACGenTDES3.req */
9207 + { 0x89,0xbc,0xd9,0x52, 0xa8,0xc8,0xab,0x37,
9208 + 0x1a,0xf4,0x8a,0xc7, 0xd0,0x70,0x85,0xd5,
9209 + 0xef,0xf7,0x02,0xe6, 0xd6,0x2c,0xdc,0x23, }, 192,
9210 + { 0xfa,0x62,0x0c,0x1b, 0xbe,0x97,0x31,0x9e,
9211 + 0x9a,0x0c,0xf0,0x49, 0x21,0x21,0xf7,0xa2,
9212 + 0x0e,0xb0,0x8a,0x6a, 0x70,0x9d,0xcb,0xd0,
9213 + 0x0a,0xaf,0x38,0xe4, 0xf9,0x9e,0x75,0x4e, }, 256,
9214 + { 0x8f,0x49,0xa1,0xb7, 0xd6,0xaa,0x22,0x58, }, 64,
9218 +int FIPS_selftest_cmac()
9221 + unsigned char out[32];
9222 + const EVP_CIPHER *cipher;
9223 + CMAC_CTX *ctx = CMAC_CTX_new();
9224 + const CMAC_KAT *t;
9227 + for(n=0,t=vector; n<sizeof(vector)/sizeof(vector[0]); n++,t++)
9229 + cipher = FIPS_get_cipherbynid(t->nid);
9235 + if (!CMAC_Init(ctx, t->key, t->keysize/8, cipher, 0))
9240 + if (!CMAC_Update(ctx, t->msg, t->msgsize/8))
9246 + if (!CMAC_Final(ctx, out, &outlen))
9251 + CMAC_CTX_cleanup(ctx);
9253 + if(outlen < t->macsize/8 || memcmp(out,t->mac,t->macsize/8))
9260 + CMAC_CTX_free(ctx);
9267 + FIPSerr(FIPS_F_FIPS_SELFTEST_CMAC,FIPS_R_SELFTEST_FAILED);
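Review bot: FIPS_selftest_cmac passes ctx straight into CMAC_Init without checking that CMAC_CTX_new returned non-NULL, so an allocation failure during the power-on self-test would dereference NULL instead of reporting FIPS_R_SELFTEST_FAILED; a guard such as `if (ctx == NULL) goto err;` before the loop, using whatever label the FIPSerr failure path already has, closes that (the lines between the declarations and the loop are omitted from this view, so it may already be present). The CMAC_KAT size fields are divided by 8 on every use, which only reads correctly once one knows they are bit counts; a comment on the struct such as `/* keysize, msgsize and macsize are in bits */` would make that explicit.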
9272 diff -up openssl-1.0.1b/crypto/fips/fips_des_selftest.c.fips openssl-1.0.1b/crypto/fips/fips_des_selftest.c
9273 --- openssl-1.0.1b/crypto/fips/fips_des_selftest.c.fips 2012-04-26 18:00:51.401769321 +0200
9274 +++ openssl-1.0.1b/crypto/fips/fips_des_selftest.c 2012-04-26 18:00:51.401769321 +0200
9276 +/* ====================================================================
9277 + * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
9279 + * Redistribution and use in source and binary forms, with or without
9280 + * modification, are permitted provided that the following conditions
9283 + * 1. Redistributions of source code must retain the above copyright
9284 + * notice, this list of conditions and the following disclaimer.
9286 + * 2. Redistributions in binary form must reproduce the above copyright
9287 + * notice, this list of conditions and the following disclaimer in
9288 + * the documentation and/or other materials provided with the
9291 + * 3. All advertising materials mentioning features or use of this
9292 + * software must display the following acknowledgment:
9293 + * "This product includes software developed by the OpenSSL Project
9294 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
9296 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
9297 + * endorse or promote products derived from this software without
9298 + * prior written permission. For written permission, please contact
9299 + * openssl-core@openssl.org.
9301 + * 5. Products derived from this software may not be called "OpenSSL"
9302 + * nor may "OpenSSL" appear in their names without prior written
9303 + * permission of the OpenSSL Project.
9305 + * 6. Redistributions of any form whatsoever must retain the following
9307 + * "This product includes software developed by the OpenSSL Project
9308 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
9310 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
9311 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
9312 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
9313 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
9314 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
9315 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
9316 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
9317 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
9318 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
9319 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
9320 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
9321 + * OF THE POSSIBILITY OF SUCH DAMAGE.
9325 +#include <string.h>
9326 +#include <openssl/err.h>
9327 +#ifdef OPENSSL_FIPS
9328 +#include <openssl/fips.h>
9330 +#include <openssl/evp.h>
9331 +#include <openssl/opensslconf.h>
9333 +#ifdef OPENSSL_FIPS
9335 +static const struct
9337 + const unsigned char key[16];
9338 + const unsigned char plaintext[8];
9339 + const unsigned char ciphertext[8];
9343 + { 0x7c,0x4f,0x6e,0xf7,0xa2,0x04,0x16,0xec,
9344 + 0x0b,0x6b,0x7c,0x9e,0x5e,0x19,0xa7,0xc4 },
9345 + { 0x06,0xa7,0xd8,0x79,0xaa,0xce,0x69,0xef },
9346 + { 0x4c,0x11,0x17,0x55,0xbf,0xc4,0x4e,0xfd }
9349 + { 0x5d,0x9e,0x01,0xd3,0x25,0xc7,0x3e,0x34,
9350 + 0x01,0x16,0x7c,0x85,0x23,0xdf,0xe0,0x68 },
9351 + { 0x9c,0x50,0x09,0x0f,0x5e,0x7d,0x69,0x7e },
9352 + { 0xd2,0x0b,0x18,0xdf,0xd9,0x0d,0x9e,0xff },
9356 +static const struct
9358 + const unsigned char key[24];
9359 + const unsigned char plaintext[8];
9360 + const unsigned char ciphertext[8];
9364 + { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
9365 + 0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10,
9366 + 0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0 },
9367 + { 0x8f,0x8f,0xbf,0x9b,0x5d,0x48,0xb4,0x1c },
9368 + { 0x59,0x8c,0xe5,0xd3,0x6c,0xa2,0xea,0x1b },
9371 + { 0xDC,0xBA,0x98,0x76,0x54,0x32,0x10,0xFE,
9372 + 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
9373 + 0xED,0x39,0xD9,0x50,0xFA,0x74,0xBC,0xC4 },
9374 + { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF },
9375 + { 0x11,0x25,0xb0,0x35,0xbe,0xa0,0x82,0x86 },
9380 +static int corrupt_des;
9382 +void FIPS_corrupt_des()
9387 +int FIPS_selftest_des()
9390 + EVP_CIPHER_CTX ctx;
9391 + EVP_CIPHER_CTX_init(&ctx);
9392 + /* Encrypt/decrypt with 2-key 3DES and compare to known answers */
9393 + for(n=0 ; n < 2 ; ++n)
9395 + unsigned char plaintext[8];
9397 + memcpy(plaintext, tests2[n].plaintext, sizeof(plaintext));
9400 + if (!fips_cipher_test(&ctx, EVP_des_ede_ecb(),
9401 + tests2[n].key, NULL,
9402 + plaintext, tests2[n].ciphertext, 8))
9406 + /* Encrypt/decrypt with 3DES and compare to known answers */
9407 + for(n=0 ; n < 2 ; ++n)
9409 + if (!fips_cipher_test(&ctx, EVP_des_ede3_ecb(),
9410 + tests3[n].key, NULL,
9411 + tests3[n].plaintext, tests3[n].ciphertext, 8))
9416 + EVP_CIPHER_CTX_cleanup(&ctx);
9418 + FIPSerr(FIPS_F_FIPS_SELFTEST_DES,FIPS_R_SELFTEST_FAILED);
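Review bot: FIPS_selftest_des treats only a zero return from fips_cipher_test as failure (`if (!fips_cipher_test(...))`), whereas the AES-XTS self-test hunk earlier on this page checks `<= 0`; if the helper can report an error as a negative value, `!` turns that error into a pass of a known-answer test. Both call sites should use the same convention, e.g. `if (fips_cipher_test(&ctx, EVP_des_ede_ecb(), tests2[n].key, NULL, plaintext, tests2[n].ciphertext, 8) <= 0)` and likewise for the EVP_des_ede3_ecb call. If fips_cipher_test only ever returns 0 or 1 the two forms are equivalent, but the inconsistency still invites the wrong one to be copied into the next self-test.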
9423 diff -up openssl-1.0.1b/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.1b/crypto/fips/fips_drbg_ctr.c
9424 --- openssl-1.0.1b/crypto/fips/fips_drbg_ctr.c.fips 2012-04-26 18:00:51.401769321 +0200
9425 +++ openssl-1.0.1b/crypto/fips/fips_drbg_ctr.c 2012-04-26 18:00:51.402769343 +0200
9427 +/* fips/rand/fips_drbg_ctr.c */
9428 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
9431 +/* ====================================================================
9432 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
9434 + * Redistribution and use in source and binary forms, with or without
9435 + * modification, are permitted provided that the following conditions
9438 + * 1. Redistributions of source code must retain the above copyright
9439 + * notice, this list of conditions and the following disclaimer.
9441 + * 2. Redistributions in binary form must reproduce the above copyright
9442 + * notice, this list of conditions and the following disclaimer in
9443 + * the documentation and/or other materials provided with the
9446 + * 3. All advertising materials mentioning features or use of this
9447 + * software must display the following acknowledgment:
9448 + * "This product includes software developed by the OpenSSL Project
9449 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
9451 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
9452 + * endorse or promote products derived from this software without
9453 + * prior written permission. For written permission, please contact
9454 + * licensing@OpenSSL.org.
9456 + * 5. Products derived from this software may not be called "OpenSSL"
9457 + * nor may "OpenSSL" appear in their names without prior written
9458 + * permission of the OpenSSL Project.
9460 + * 6. Redistributions of any form whatsoever must retain the following
9462 + * "This product includes software developed by the OpenSSL Project
9463 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
9465 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
9466 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
9467 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
9468 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
9469 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
9470 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
9471 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
9472 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
9473 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
9474 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
9475 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
9476 + * OF THE POSSIBILITY OF SUCH DAMAGE.
9477 + * ====================================================================
9480 +#include <stdlib.h>
9481 +#include <string.h>
9482 +#include <openssl/crypto.h>
9483 +#include <openssl/fips.h>
9484 +#include <openssl/fips_rand.h>
9485 +#include "fips_rand_lcl.h"
9487 +static void inc_128(DRBG_CTR_CTX *cctx)
9491 + unsigned char *p = cctx->V + 15;
9492 + for (i = 0; i < 16; i++)
9503 +static void ctr_XOR(DRBG_CTR_CTX *cctx, const unsigned char *in, size_t inlen)
9506 + /* Any zero padding will have no effect on the result as we
9507 + * are XORing. So just process however much input we have.
9510 + if (!in || !inlen)
9513 + if (inlen < cctx->keylen)
9518 + for (i = 0; i < n; i++)
9519 + cctx->K[i] ^= in[i];
9520 + if (inlen <= cctx->keylen)
9523 + n = inlen - cctx->keylen;
9524 + /* Should never happen */
9527 + for (i = 0; i < 16; i++)
9528 + cctx->V[i] ^= in[i + cctx->keylen];
9531 +/* Process a complete block using BCC algorithm of SPP 800-90 10.4.3 */
9533 +static void ctr_BCC_block(DRBG_CTR_CTX *cctx, unsigned char *out,
9534 + const unsigned char *in)
9537 + for (i = 0; i < 16; i++)
9539 + AES_encrypt(out, out, &cctx->df_ks);
9541 +fprintf(stderr, "BCC in+out\n");
9542 +BIO_dump_fp(stderr, in, 16);
9543 +BIO_dump_fp(stderr, out, 16);
9547 +/* Handle several BCC operations for as much data as we need for K and X */
9548 +static void ctr_BCC_blocks(DRBG_CTR_CTX *cctx, const unsigned char *in)
9550 + ctr_BCC_block(cctx, cctx->KX, in);
9551 + ctr_BCC_block(cctx, cctx->KX + 16, in);
9552 + if (cctx->keylen != 16)
9553 + ctr_BCC_block(cctx, cctx->KX + 32, in);
9555 +/* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
9556 + * see 10.4.2 stage 7.
9558 +static void ctr_BCC_init(DRBG_CTR_CTX *cctx)
9560 + memset(cctx->KX, 0, 48);
9561 + memset(cctx->bltmp, 0, 16);
9562 + ctr_BCC_block(cctx, cctx->KX, cctx->bltmp);
9563 + cctx->bltmp[3] = 1;
9564 + ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp);
9565 + if (cctx->keylen != 16)
9567 + cctx->bltmp[3] = 2;
9568 + ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp);
9572 +/* Process several blocks into BCC algorithm, some possibly partial */
9573 +static void ctr_BCC_update(DRBG_CTR_CTX *cctx,
9574 + const unsigned char *in, size_t inlen)
9576 + if (!in || !inlen)
9578 + /* If we have partial block handle it first */
9579 + if (cctx->bltmp_pos)
9581 + size_t left = 16 - cctx->bltmp_pos;
9582 + /* If we now have a complete block process it */
9583 + if (inlen >= left)
9585 + memcpy(cctx->bltmp + cctx->bltmp_pos, in, left);
9586 + ctr_BCC_blocks(cctx, cctx->bltmp);
9587 + cctx->bltmp_pos = 0;
9592 + /* Process zero or more complete blocks */
9593 + while (inlen >= 16)
9595 + ctr_BCC_blocks(cctx, in);
9599 + /* Copy any remaining partial block to the temporary buffer */
9602 + memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen);
9603 + cctx->bltmp_pos += inlen;
9607 +static void ctr_BCC_final(DRBG_CTR_CTX *cctx)
9609 + if (cctx->bltmp_pos)
9611 + memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos);
9612 + ctr_BCC_blocks(cctx, cctx->bltmp);
9616 +static void ctr_df(DRBG_CTR_CTX *cctx,
9617 + const unsigned char *in1, size_t in1len,
9618 + const unsigned char *in2, size_t in2len,
9619 + const unsigned char *in3, size_t in3len)
9622 + unsigned char *p = cctx->bltmp;
9623 + static unsigned char c80 = 0x80;
9625 + ctr_BCC_init(cctx);
9632 + inlen = in1len + in2len + in3len;
9633 + /* Initialise L||N in temporary block */
9634 + *p++ = (inlen >> 24) & 0xff;
9635 + *p++ = (inlen >> 16) & 0xff;
9636 + *p++ = (inlen >> 8) & 0xff;
9637 + *p++ = inlen & 0xff;
9638 + /* NB keylen is at most 32 bytes */
9642 + *p = (unsigned char)((cctx->keylen + 16) & 0xff);
9643 + cctx->bltmp_pos = 8;
9644 + ctr_BCC_update(cctx, in1, in1len);
9645 + ctr_BCC_update(cctx, in2, in2len);
9646 + ctr_BCC_update(cctx, in3, in3len);
9647 + ctr_BCC_update(cctx, &c80, 1);
9648 + ctr_BCC_final(cctx);
9649 + /* Set up key K */
9650 + AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks);
9651 + /* X follows key K */
9652 + AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks);
9653 + AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks);
9654 + if (cctx->keylen != 16)
9655 + AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks);
9657 +fprintf(stderr, "Output of ctr_df:\n");
9658 +BIO_dump_fp(stderr, cctx->KX, cctx->keylen + 16);
9662 +/* NB the no-df Update in SP800-90 specifies a constant input length
9663 + * of seedlen, however other uses of this algorithm pad the input with
9664 + * zeroes if necessary and have up to two parameters XORed together,
9665 + * handle both cases in this function instead.
9668 +static void ctr_Update(DRBG_CTX *dctx,
9669 + const unsigned char *in1, size_t in1len,
9670 + const unsigned char *in2, size_t in2len,
9671 + const unsigned char *nonce, size_t noncelen)
9673 + DRBG_CTR_CTX *cctx = &dctx->d.ctr;
9674 + /* ks is already setup for correct key */
9676 + AES_encrypt(cctx->V, cctx->K, &cctx->ks);
9677 + /* If keylen longer than 128 bits need extra encrypt */
9678 + if (cctx->keylen != 16)
9681 + AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks);
9684 + AES_encrypt(cctx->V, cctx->V, &cctx->ks);
9685 + /* If 192 bit key part of V is on end of K */
9686 + if (cctx->keylen == 24)
9688 + memcpy(cctx->V + 8, cctx->V, 8);
9689 + memcpy(cctx->V, cctx->K + 24, 8);
9692 + if (dctx->xflags & DRBG_FLAG_CTR_USE_DF)
9694 + /* If no input reuse existing derived value */
9695 + if (in1 || nonce || in2)
9696 + ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len);
9697 + /* If this a reuse input in1len != 0 */
9699 + ctr_XOR(cctx, cctx->KX, dctx->seedlen);
9703 + ctr_XOR(cctx, in1, in1len);
9704 + ctr_XOR(cctx, in2, in2len);
9707 + AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
9709 +fprintf(stderr, "K+V after update is:\n");
9710 +BIO_dump_fp(stderr, cctx->K, cctx->keylen);
9711 +BIO_dump_fp(stderr, cctx->V, 16);
9715 +static int drbg_ctr_instantiate(DRBG_CTX *dctx,
9716 + const unsigned char *ent, size_t entlen,
9717 + const unsigned char *nonce, size_t noncelen,
9718 + const unsigned char *pers, size_t perslen)
9720 + DRBG_CTR_CTX *cctx = &dctx->d.ctr;
9721 + memset(cctx->K, 0, sizeof(cctx->K));
9722 + memset(cctx->V, 0, sizeof(cctx->V));
9723 + AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
9724 + ctr_Update(dctx, ent, entlen, pers, perslen, nonce, noncelen);
9728 +static int drbg_ctr_reseed(DRBG_CTX *dctx,
9729 + const unsigned char *ent, size_t entlen,
9730 + const unsigned char *adin, size_t adinlen)
9732 + ctr_Update(dctx, ent, entlen, adin, adinlen, NULL, 0);
9736 +static int drbg_ctr_generate(DRBG_CTX *dctx,
9737 + unsigned char *out, size_t outlen,
9738 + const unsigned char *adin, size_t adinlen)
9740 + DRBG_CTR_CTX *cctx = &dctx->d.ctr;
9741 + if (adin && adinlen)
9743 + ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
9744 + /* This means we reuse derived value */
9745 + if (dctx->xflags & DRBG_FLAG_CTR_USE_DF)
9757 + if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid)
9759 + AES_encrypt(cctx->V, dctx->lb, &cctx->ks);
9760 + dctx->lb_valid = 1;
9765 + /* Use K as temp space as it will be updated */
9766 + AES_encrypt(cctx->V, cctx->K, &cctx->ks);
9767 + if (!fips_drbg_cprng_test(dctx, cctx->K))
9769 + memcpy(out, cctx->K, outlen);
9772 + AES_encrypt(cctx->V, out, &cctx->ks);
9773 + if (!fips_drbg_cprng_test(dctx, out))
9781 + ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
9787 +static int drbg_ctr_uninstantiate(DRBG_CTX *dctx)
9789 + memset(&dctx->d.ctr, 0, sizeof(DRBG_CTR_CTX));
9793 +int fips_drbg_ctr_init(DRBG_CTX *dctx)
9795 + DRBG_CTR_CTX *cctx = &dctx->d.ctr;
9799 + switch (dctx->type)
9801 + case NID_aes_128_ctr:
9805 + case NID_aes_192_ctr:
9809 + case NID_aes_256_ctr:
9817 + dctx->instantiate = drbg_ctr_instantiate;
9818 + dctx->reseed = drbg_ctr_reseed;
9819 + dctx->generate = drbg_ctr_generate;
9820 + dctx->uninstantiate = drbg_ctr_uninstantiate;
9822 + cctx->keylen = keylen;
9823 + dctx->strength = keylen * 8;
9824 + dctx->blocklength = 16;
9825 + dctx->seedlen = keylen + 16;
9827 + if (dctx->xflags & DRBG_FLAG_CTR_USE_DF)
9829 + /* df initialisation */
9830 + static unsigned char df_key[32] =
9832 + 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
9833 + 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
9834 + 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
9835 + 0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
9837 + /* Set key schedule for df_key */
9838 + AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks);
9840 + dctx->min_entropy = cctx->keylen;
9841 + dctx->max_entropy = DRBG_MAX_LENGTH;
9842 + dctx->min_nonce = dctx->min_entropy / 2;
9843 + dctx->max_nonce = DRBG_MAX_LENGTH;
9844 + dctx->max_pers = DRBG_MAX_LENGTH;
9845 + dctx->max_adin = DRBG_MAX_LENGTH;
9849 + dctx->min_entropy = dctx->seedlen;
9850 + dctx->max_entropy = dctx->seedlen;
9851 + /* Nonce not used */
9852 + dctx->min_nonce = 0;
9853 + dctx->max_nonce = 0;
9854 + dctx->max_pers = dctx->seedlen;
9855 + dctx->max_adin = dctx->seedlen;
9858 + dctx->max_request = 1<<16;
9859 + dctx->reseed_interval = 1<<24;
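Review bot: ctr_XOR computes `n = inlen - cctx->keylen` (and, judging by the "Should never happen" comment, clamps it) but then ignores n and XORs `for (i = 0; i < 16; i++)` into V, so any input whose length lies strictly between keylen and keylen+16 is read past its end; in the no-derivation-function path ctr_Update passes in1 and in2 straight through, and as far as this hunk shows fips_drbg_ctr_init only bounds max_pers and max_adin by seedlen rather than requiring that exact length. The loop bound should be `for (i = 0; i < n; i++)`. Separately, drbg_ctr_uninstantiate wipes the key and counter with plain memset; `OPENSSL_cleanse(&dctx->d.ctr, sizeof(DRBG_CTR_CTX));` from the already-included <openssl/crypto.h> is the idiom libcrypto uses for secret material. The fprintf/BIO_dump_fp blocks that print K and V appear to be bracketed by lines omitted here (presumably #if 0/#endif); if so, consider dropping them entirely so that a stray define can never send DRBG state to stderr.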
9863 diff -up openssl-1.0.1b/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.1b/crypto/fips/fips_drbg_hash.c
9864 --- openssl-1.0.1b/crypto/fips/fips_drbg_hash.c.fips 2012-04-26 18:00:51.402769343 +0200
9865 +++ openssl-1.0.1b/crypto/fips/fips_drbg_hash.c 2012-04-26 18:00:51.402769343 +0200
9867 +/* fips/rand/fips_drbg_hash.c */
9868 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
9871 +/* ====================================================================
9872 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
9874 + * Redistribution and use in source and binary forms, with or without
9875 + * modification, are permitted provided that the following conditions
9878 + * 1. Redistributions of source code must retain the above copyright
9879 + * notice, this list of conditions and the following disclaimer.
9881 + * 2. Redistributions in binary form must reproduce the above copyright
9882 + * notice, this list of conditions and the following disclaimer in
9883 + * the documentation and/or other materials provided with the
9886 + * 3. All advertising materials mentioning features or use of this
9887 + * software must display the following acknowledgment:
9888 + * "This product includes software developed by the OpenSSL Project
9889 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
9891 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
9892 + * endorse or promote products derived from this software without
9893 + * prior written permission. For written permission, please contact
9894 + * licensing@OpenSSL.org.
9896 + * 5. Products derived from this software may not be called "OpenSSL"
9897 + * nor may "OpenSSL" appear in their names without prior written
9898 + * permission of the OpenSSL Project.
9900 + * 6. Redistributions of any form whatsoever must retain the following
9902 + * "This product includes software developed by the OpenSSL Project
9903 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
9905 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
9906 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
9907 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
9908 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
9909 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
9910 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
9911 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
9912 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
9913 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
9914 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
9915 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
9916 + * OF THE POSSIBILITY OF SUCH DAMAGE.
9917 + * ====================================================================
9920 +#define OPENSSL_FIPSAPI
9922 +#include <stdlib.h>
9923 +#include <string.h>
9924 +#include <openssl/crypto.h>
9925 +#include <openssl/fips.h>
9926 +#include <openssl/fips_rand.h>
9927 +#include "fips_rand_lcl.h"
9929 +/* This is Hash_df from SP 800-90 10.4.1 */
9931 +static int hash_df(DRBG_CTX *dctx, unsigned char *out,
9932 + const unsigned char *in1, size_t in1len,
9933 + const unsigned char *in2, size_t in2len,
9934 + const unsigned char *in3, size_t in3len,
9935 + const unsigned char *in4, size_t in4len)
9937 + EVP_MD_CTX *mctx = &dctx->d.hash.mctx;
9938 + unsigned char *vtmp = dctx->d.hash.vtmp;
9939 + unsigned char tmp[6];
9940 + /* Standard only ever needs seedlen bytes which is always less than
9941 + * maximum permitted so no need to check length.
9943 + size_t outlen = dctx->seedlen;
9945 + tmp[1] = ((outlen * 8) >> 24) & 0xff;
9946 + tmp[2] = ((outlen * 8) >> 16) & 0xff;
9947 + tmp[3] = ((outlen * 8) >> 8) & 0xff;
9948 + tmp[4] = (outlen * 8) & 0xff;
9951 + tmp[5] = (unsigned char)in1len;
9957 + if (!FIPS_digestinit(mctx, dctx->d.hash.md))
9959 + if (!FIPS_digestupdate(mctx, tmp, 5))
9961 + if (in1 && !FIPS_digestupdate(mctx, in1, in1len))
9963 + if (in2 && !FIPS_digestupdate(mctx, in2, in2len))
9965 + if (in3 && !FIPS_digestupdate(mctx, in3, in3len))
9967 + if (in4 && !FIPS_digestupdate(mctx, in4, in4len))
9969 + if (outlen < dctx->blocklength)
9971 + if (!FIPS_digestfinal(mctx, vtmp, NULL))
9973 + memcpy(out, vtmp, outlen);
9974 + OPENSSL_cleanse(vtmp, dctx->blocklength);
9977 + else if(!FIPS_digestfinal(mctx, out, NULL))
9980 + outlen -= dctx->blocklength;
9984 + out += dctx->blocklength;
9989 +/* Add an unsigned buffer to the buf value, storing the result in buf. For
9990 + * this algorithm the length of input never exceeds the seed length.
9993 +static void ctx_add_buf(DRBG_CTX *dctx, unsigned char *buf,
9994 + unsigned char *in, size_t inlen)
9997 + const unsigned char *q;
9998 + unsigned char c, *p;
9999 + p = buf + dctx->seedlen;
10002 + OPENSSL_assert(i <= dctx->seedlen);
10004 + /* Special case: zero length, just increment buffer */
10025 + i = dctx->seedlen - inlen;
10027 + /* If not adding whole buffer handle final carries */
10042 +/* Finalise and add hash to V */
10044 +static int ctx_add_md(DRBG_CTX *dctx)
10046 + if (!FIPS_digestfinal(&dctx->d.hash.mctx, dctx->d.hash.vtmp, NULL))
10048 + ctx_add_buf(dctx, dctx->d.hash.V, dctx->d.hash.vtmp, dctx->blocklength);
10052 +static int hash_gen(DRBG_CTX *dctx, unsigned char *out, size_t outlen)
10054 + DRBG_HASH_CTX *hctx = &dctx->d.hash;
10057 + memcpy(hctx->vtmp, hctx->V, dctx->seedlen);
10060 + FIPS_digestinit(&hctx->mctx, hctx->md);
10061 + FIPS_digestupdate(&hctx->mctx, hctx->vtmp, dctx->seedlen);
10062 + if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid)
10064 + FIPS_digestfinal(&hctx->mctx, dctx->lb, NULL);
10065 + dctx->lb_valid = 1;
10067 + else if (outlen < dctx->blocklength)
10069 + FIPS_digestfinal(&hctx->mctx, hctx->vtmp, NULL);
10070 + if (!fips_drbg_cprng_test(dctx, hctx->vtmp))
10072 + memcpy(out, hctx->vtmp, outlen);
10077 + FIPS_digestfinal(&hctx->mctx, out, NULL);
10078 + if (!fips_drbg_cprng_test(dctx, out))
10080 + outlen -= dctx->blocklength;
10083 + out += dctx->blocklength;
10085 + ctx_add_buf(dctx, hctx->vtmp, NULL, 0);
10089 +static int drbg_hash_instantiate(DRBG_CTX *dctx,
10090 + const unsigned char *ent, size_t ent_len,
10091 + const unsigned char *nonce, size_t nonce_len,
10092 + const unsigned char *pstr, size_t pstr_len)
10094 + DRBG_HASH_CTX *hctx = &dctx->d.hash;
10095 + if (!hash_df(dctx, hctx->V,
10096 + ent, ent_len, nonce, nonce_len, pstr, pstr_len,
10099 + if (!hash_df(dctx, hctx->C,
10100 + NULL, 0, hctx->V, dctx->seedlen,
10101 + NULL, 0, NULL, 0))
10104 +#ifdef HASH_DRBG_TRACE
10105 + fprintf(stderr, "V+C after instantiate:\n");
10106 + hexprint(stderr, hctx->V, dctx->seedlen);
10107 + hexprint(stderr, hctx->C, dctx->seedlen);
10113 +static int drbg_hash_reseed(DRBG_CTX *dctx,
10114 + const unsigned char *ent, size_t ent_len,
10115 + const unsigned char *adin, size_t adin_len)
10117 + DRBG_HASH_CTX *hctx = &dctx->d.hash;
10118 + /* V about to be updated so use C as output instead */
10119 + if (!hash_df(dctx, hctx->C,
10120 + NULL, 1, hctx->V, dctx->seedlen,
10121 + ent, ent_len, adin, adin_len))
10123 + memcpy(hctx->V, hctx->C, dctx->seedlen);
10124 + if (!hash_df(dctx, hctx->C, NULL, 0,
10125 + hctx->V, dctx->seedlen, NULL, 0, NULL, 0))
10127 +#ifdef HASH_DRBG_TRACE
10128 + fprintf(stderr, "V+C after reseed:\n");
10129 + hexprint(stderr, hctx->V, dctx->seedlen);
10130 + hexprint(stderr, hctx->C, dctx->seedlen);
10135 +static int drbg_hash_generate(DRBG_CTX *dctx,
10136 + unsigned char *out, size_t outlen,
10137 + const unsigned char *adin, size_t adin_len)
10139 + DRBG_HASH_CTX *hctx = &dctx->d.hash;
10140 + EVP_MD_CTX *mctx = &hctx->mctx;
10141 + unsigned char tmp[4];
10142 + if (adin && adin_len)
10145 + if (!FIPS_digestinit(mctx, hctx->md))
10147 + if (!EVP_DigestUpdate(mctx, tmp, 1))
10149 + if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
10151 + if (!EVP_DigestUpdate(mctx, adin, adin_len))
10153 + if (!ctx_add_md(dctx))
10156 + if (!hash_gen(dctx, out, outlen))
10160 + if (!FIPS_digestinit(mctx, hctx->md))
10162 + if (!EVP_DigestUpdate(mctx, tmp, 1))
10164 + if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
10167 + if (!ctx_add_md(dctx))
10170 + ctx_add_buf(dctx, hctx->V, hctx->C, dctx->seedlen);
10172 + tmp[0] = (dctx->reseed_counter >> 24) & 0xff;
10173 + tmp[1] = (dctx->reseed_counter >> 16) & 0xff;
10174 + tmp[2] = (dctx->reseed_counter >> 8) & 0xff;
10175 + tmp[3] = dctx->reseed_counter & 0xff;
10176 + ctx_add_buf(dctx, hctx->V, tmp, 4);
10177 +#ifdef HASH_DRBG_TRACE
10178 + fprintf(stderr, "V+C after generate:\n");
10179 + hexprint(stderr, hctx->V, dctx->seedlen);
10180 + hexprint(stderr, hctx->C, dctx->seedlen);
10185 +static int drbg_hash_uninstantiate(DRBG_CTX *dctx)
10187 + EVP_MD_CTX_cleanup(&dctx->d.hash.mctx);
10188 + OPENSSL_cleanse(&dctx->d.hash, sizeof(DRBG_HASH_CTX));
10192 +int fips_drbg_hash_init(DRBG_CTX *dctx)
10194 + const EVP_MD *md;
10195 + DRBG_HASH_CTX *hctx = &dctx->d.hash;
10196 + md = FIPS_get_digestbynid(dctx->type);
10199 + switch (dctx->type)
10202 + dctx->strength = 128;
10206 + dctx->strength = 192;
10210 + dctx->strength = 256;
10214 + dctx->instantiate = drbg_hash_instantiate;
10215 + dctx->reseed = drbg_hash_reseed;
10216 + dctx->generate = drbg_hash_generate;
10217 + dctx->uninstantiate = drbg_hash_uninstantiate;
10219 + dctx->d.hash.md = md;
10220 + EVP_MD_CTX_init(&hctx->mctx);
10222 + /* These are taken from SP 800-90 10.1 table 2 */
10224 + dctx->blocklength = M_EVP_MD_size(md);
10225 + if (dctx->blocklength > 32)
10226 + dctx->seedlen = 111;
10228 + dctx->seedlen = 55;
10231 + dctx->min_entropy = dctx->strength / 8;
10232 + dctx->max_entropy = DRBG_MAX_LENGTH;
10234 + dctx->min_nonce = dctx->min_entropy / 2;
10235 + dctx->max_nonce = DRBG_MAX_LENGTH;
10237 + dctx->max_pers = DRBG_MAX_LENGTH;
10238 + dctx->max_adin = DRBG_MAX_LENGTH;
10240 + dctx->max_request = 1<<16;
10241 + dctx->reseed_interval = 1<<24;
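Review bot: In `hash_gen` the digest calls — `FIPS_digestinit(&hctx->mctx, hctx->md)`, the `FIPS_digestupdate` on `hctx->vtmp`, and the three `FIPS_digestfinal` calls into `dctx->lb`, `hctx->vtmp` and `out` — are not checked, whereas `hash_df` and `drbg_hash_generate` in the same file return 0 on every digest failure. A failed final into `out` leaves that output block stale or unset while `drbg_hash_generate` still reports success up to `FIPS_drbg_generate`. Each call should follow the pattern used elsewhere in the file, e.g. `if (!FIPS_digestfinal(&hctx->mctx, out, NULL)) return 0;`; the loop around these lines is only partly visible here, so the `return 0` paths need to be placed inside it. Separately, `drbg_hash_generate` uses `EVP_DigestUpdate` while `hash_df` and `hash_gen` use `FIPS_digestupdate` for the same operation; settling on one reads more consistently.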
10245 diff -up openssl-1.0.1b/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.1b/crypto/fips/fips_drbg_hmac.c
10246 --- openssl-1.0.1b/crypto/fips/fips_drbg_hmac.c.fips 2012-04-26 18:00:51.402769343 +0200
10247 +++ openssl-1.0.1b/crypto/fips/fips_drbg_hmac.c 2012-04-26 18:00:51.402769343 +0200
10249 +/* fips/rand/fips_drbg_hmac.c */
10250 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
10253 +/* ====================================================================
10254 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
10256 + * Redistribution and use in source and binary forms, with or without
10257 + * modification, are permitted provided that the following conditions
10260 + * 1. Redistributions of source code must retain the above copyright
10261 + * notice, this list of conditions and the following disclaimer.
10263 + * 2. Redistributions in binary form must reproduce the above copyright
10264 + * notice, this list of conditions and the following disclaimer in
10265 + * the documentation and/or other materials provided with the
10268 + * 3. All advertising materials mentioning features or use of this
10269 + * software must display the following acknowledgment:
10270 + * "This product includes software developed by the OpenSSL Project
10271 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
10273 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
10274 + * endorse or promote products derived from this software without
10275 + * prior written permission. For written permission, please contact
10276 + * licensing@OpenSSL.org.
10278 + * 5. Products derived from this software may not be called "OpenSSL"
10279 + * nor may "OpenSSL" appear in their names without prior written
10280 + * permission of the OpenSSL Project.
10282 + * 6. Redistributions of any form whatsoever must retain the following
10283 + * acknowledgment:
10284 + * "This product includes software developed by the OpenSSL Project
10285 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
10287 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
10288 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
10289 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
10290 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
10291 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
10292 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
10293 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
10294 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
10295 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
10296 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
10297 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
10298 + * OF THE POSSIBILITY OF SUCH DAMAGE.
10299 + * ====================================================================
10302 +#include <stdlib.h>
10303 +#include <string.h>
10304 +#include <openssl/crypto.h>
10305 +#include <openssl/evp.h>
10306 +#include <openssl/hmac.h>
10307 +#include <openssl/aes.h>
10308 +#include <openssl/fips.h>
10309 +#include <openssl/fips_rand.h>
10310 +#include "fips_rand_lcl.h"
10312 +static int drbg_hmac_update(DRBG_CTX *dctx,
10313 + const unsigned char *in1, size_t in1len,
10314 + const unsigned char *in2, size_t in2len,
10315 + const unsigned char *in3, size_t in3len
10318 + static unsigned char c0 = 0, c1 = 1;
10319 + DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
10320 + HMAC_CTX *hctx = &hmac->hctx;
10322 + if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
10324 + if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
10326 + if (!HMAC_Update(hctx, &c0, 1))
10328 + if (in1len && !HMAC_Update(hctx, in1, in1len))
10330 + if (in2len && !HMAC_Update(hctx, in2, in2len))
10332 + if (in3len && !HMAC_Update(hctx, in3, in3len))
10335 + if (!HMAC_Final(hctx, hmac->K, NULL))
10338 + if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
10340 + if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
10343 + if (!HMAC_Final(hctx, hmac->V, NULL))
10346 + if (!in1len && !in2len && !in3len)
10349 + if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
10351 + if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
10353 + if (!HMAC_Update(hctx, &c1, 1))
10355 + if (in1len && !HMAC_Update(hctx, in1, in1len))
10357 + if (in2len && !HMAC_Update(hctx, in2, in2len))
10359 + if (in3len && !HMAC_Update(hctx, in3, in3len))
10362 + if (!HMAC_Final(hctx, hmac->K, NULL))
10365 + if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
10367 + if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
10370 + if (!HMAC_Final(hctx, hmac->V, NULL))
10377 +static int drbg_hmac_instantiate(DRBG_CTX *dctx,
10378 + const unsigned char *ent, size_t ent_len,
10379 + const unsigned char *nonce, size_t nonce_len,
10380 + const unsigned char *pstr, size_t pstr_len)
10382 + DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
10383 + memset(hmac->K, 0, dctx->blocklength);
10384 + memset(hmac->V, 1, dctx->blocklength);
10385 + if (!drbg_hmac_update(dctx,
10386 + ent, ent_len, nonce, nonce_len, pstr, pstr_len))
10389 +#ifdef HMAC_DRBG_TRACE
10390 + fprintf(stderr, "K+V after instantiate:\n");
10391 + hexprint(stderr, hmac->K, hmac->blocklength);
10392 + hexprint(stderr, hmac->V, hmac->blocklength);
10397 +static int drbg_hmac_reseed(DRBG_CTX *dctx,
10398 + const unsigned char *ent, size_t ent_len,
10399 + const unsigned char *adin, size_t adin_len)
10401 + if (!drbg_hmac_update(dctx,
10402 + ent, ent_len, adin, adin_len, NULL, 0))
10405 +#ifdef HMAC_DRBG_TRACE
10407 + DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
10408 + fprintf(stderr, "K+V after reseed:\n");
10409 + hexprint(stderr, hmac->K, hmac->blocklength);
10410 + hexprint(stderr, hmac->V, hmac->blocklength);
10416 +static int drbg_hmac_generate(DRBG_CTX *dctx,
10417 + unsigned char *out, size_t outlen,
10418 + const unsigned char *adin, size_t adin_len)
10420 + DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
10421 + HMAC_CTX *hctx = &hmac->hctx;
10422 + const unsigned char *Vtmp = hmac->V;
10423 + if (adin_len && !drbg_hmac_update(dctx, adin, adin_len,
10424 + NULL, 0, NULL, 0))
10428 + if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength,
10431 + if (!HMAC_Update(hctx, Vtmp, dctx->blocklength))
10433 + if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid)
10435 + if (!HMAC_Final(hctx, dctx->lb, NULL))
10437 + dctx->lb_valid = 1;
10441 + else if (outlen > dctx->blocklength)
10443 + if (!HMAC_Final(hctx, out, NULL))
10445 + if (!fips_drbg_cprng_test(dctx, out))
10451 + if (!HMAC_Final(hctx, hmac->V, NULL))
10453 + if (!fips_drbg_cprng_test(dctx, hmac->V))
10455 + memcpy(out, hmac->V, outlen);
10458 + out += dctx->blocklength;
10459 + outlen -= dctx->blocklength;
10461 + if (!drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))
10467 +static int drbg_hmac_uninstantiate(DRBG_CTX *dctx)
10469 + HMAC_CTX_cleanup(&dctx->d.hmac.hctx);
10470 + OPENSSL_cleanse(&dctx->d.hmac, sizeof(DRBG_HMAC_CTX));
10474 +int fips_drbg_hmac_init(DRBG_CTX *dctx)
10476 + const EVP_MD *md = NULL;
10477 + DRBG_HMAC_CTX *hctx = &dctx->d.hmac;
10478 + dctx->strength = 256;
10479 + switch (dctx->type)
10481 + case NID_hmacWithSHA1:
10483 + dctx->strength = 128;
10486 + case NID_hmacWithSHA224:
10487 + md = EVP_sha224();
10488 + dctx->strength = 192;
10491 + case NID_hmacWithSHA256:
10492 + md = EVP_sha256();
10495 + case NID_hmacWithSHA384:
10496 + md = EVP_sha384();
10499 + case NID_hmacWithSHA512:
10500 + md = EVP_sha512();
10504 + dctx->strength = 0;
10507 + dctx->instantiate = drbg_hmac_instantiate;
10508 + dctx->reseed = drbg_hmac_reseed;
10509 + dctx->generate = drbg_hmac_generate;
10510 + dctx->uninstantiate = drbg_hmac_uninstantiate;
10511 + HMAC_CTX_init(&hctx->hctx);
10513 + dctx->blocklength = M_EVP_MD_size(md);
10514 + dctx->seedlen = M_EVP_MD_size(md);
10516 + dctx->min_entropy = dctx->strength / 8;
10517 + dctx->max_entropy = DRBG_MAX_LENGTH;
10519 + dctx->min_nonce = dctx->min_entropy / 2;
10520 + dctx->max_nonce = DRBG_MAX_LENGTH;
10522 + dctx->max_pers = DRBG_MAX_LENGTH;
10523 + dctx->max_adin = DRBG_MAX_LENGTH;
10525 + dctx->max_request = 1<<16;
10526 + dctx->reseed_interval = 1<<24;
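Review bot: The trace lines in `drbg_hmac_instantiate` and `drbg_hmac_reseed` read `hmac->blocklength`, but everywhere else in the file the block size comes from `dctx->blocklength` (every `HMAC_Init_ex`/`HMAC_Update` call, `memset` in instantiate) and nothing visible gives `DRBG_HMAC_CTX` such a field, so this presumably only surfaces as a compile error once `HMAC_DRBG_TRACE` is defined. The four calls should read `hexprint(stderr, hmac->K, dctx->blocklength);` and `hexprint(stderr, hmac->V, dctx->blocklength);`. One documentation point in `drbg_hmac_generate`: the update with `adin` at the top runs only when `adin_len` is non-zero, while the closing `drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0)` runs unconditionally; that is intended (with all-empty inputs `drbg_hmac_update` still steps K/V once, per the `!in1len && !in2len && !in3len` early exit), but a comment such as `/* Final K/V update runs even with empty adin: HMAC_DRBG generate step */` would stop a future reader from "fixing" it.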
10530 diff -up openssl-1.0.1b/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.1b/crypto/fips/fips_drbg_lib.c
10531 --- openssl-1.0.1b/crypto/fips/fips_drbg_lib.c.fips 2012-04-26 18:00:51.402769343 +0200
10532 +++ openssl-1.0.1b/crypto/fips/fips_drbg_lib.c 2012-04-26 18:00:51.402769343 +0200
10534 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
10537 +/* ====================================================================
10538 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
10540 + * Redistribution and use in source and binary forms, with or without
10541 + * modification, are permitted provided that the following conditions
10544 + * 1. Redistributions of source code must retain the above copyright
10545 + * notice, this list of conditions and the following disclaimer.
10547 + * 2. Redistributions in binary form must reproduce the above copyright
10548 + * notice, this list of conditions and the following disclaimer in
10549 + * the documentation and/or other materials provided with the
10552 + * 3. All advertising materials mentioning features or use of this
10553 + * software must display the following acknowledgment:
10554 + * "This product includes software developed by the OpenSSL Project
10555 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
10557 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
10558 + * endorse or promote products derived from this software without
10559 + * prior written permission. For written permission, please contact
10560 + * licensing@OpenSSL.org.
10562 + * 5. Products derived from this software may not be called "OpenSSL"
10563 + * nor may "OpenSSL" appear in their names without prior written
10564 + * permission of the OpenSSL Project.
10566 + * 6. Redistributions of any form whatsoever must retain the following
10567 + * acknowledgment:
10568 + * "This product includes software developed by the OpenSSL Project
10569 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
10571 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
10572 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
10573 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
10574 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
10575 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
10576 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
10577 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
10578 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
10579 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
10580 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
10581 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
10582 + * OF THE POSSIBILITY OF SUCH DAMAGE.
10583 + * ====================================================================
10586 +#include <string.h>
10587 +#include <openssl/crypto.h>
10588 +#include <openssl/err.h>
10589 +#include <openssl/fips_rand.h>
10590 +#include "fips_locl.h"
10591 +#include "fips_rand_lcl.h"
10593 +/* Support framework for SP800-90 DRBGs */
10595 +int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)
10598 + memset(dctx, 0, sizeof(DRBG_CTX));
10599 + dctx->status = DRBG_STATUS_UNINITIALISED;
10600 + dctx->xflags = flags;
10601 + dctx->type = type;
10603 + dctx->iflags = 0;
10604 + dctx->entropy_blocklen = 0;
10605 + dctx->health_check_cnt = 0;
10606 + dctx->health_check_interval = DRBG_HEALTH_INTERVAL;
10608 + rv = fips_drbg_hash_init(dctx);
10611 + rv = fips_drbg_ctr_init(dctx);
10613 + rv = fips_drbg_hmac_init(dctx);
10618 + FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE);
10620 + FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG);
10623 + /* If not in test mode run selftests on DRBG of the same type */
10625 + if (!(dctx->xflags & DRBG_FLAG_TEST))
10627 + if (!FIPS_drbg_health_check(dctx))
10629 + FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);
10637 +DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags)
10640 + dctx = OPENSSL_malloc(sizeof(DRBG_CTX));
10643 + FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE);
10649 + memset(dctx, 0, sizeof(DRBG_CTX));
10651 + dctx->status = DRBG_STATUS_UNINITIALISED;
10655 + if (FIPS_drbg_init(dctx, type, flags) <= 0)
10657 + OPENSSL_free(dctx);
10664 +void FIPS_drbg_free(DRBG_CTX *dctx)
10666 + if (dctx->uninstantiate)
10667 + dctx->uninstantiate(dctx);
10668 + /* Don't free up default DRBG */
10669 + if (dctx == FIPS_get_default_drbg())
10671 + memset(dctx, 0, sizeof(DRBG_CTX));
10673 + dctx->status = DRBG_STATUS_UNINITIALISED;
10677 + OPENSSL_cleanse(&dctx->d, sizeof(dctx->d));
10678 + OPENSSL_free(dctx);
10682 +static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout,
10683 + int entropy, size_t min_len, size_t max_len)
10685 + unsigned char *tout, *p;
10686 + size_t bl = dctx->entropy_blocklen, rv;
10687 + if (!dctx->get_entropy)
10689 + if (dctx->xflags & DRBG_FLAG_TEST || !bl)
10690 + return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
10691 + rv = dctx->get_entropy(dctx, &tout, entropy + bl,
10692 + min_len + bl, max_len + bl);
10693 + if (tout == NULL)
10695 + *pout = tout + bl;
10696 + if (rv < (min_len + bl) || (rv % bl))
10698 + /* Compare consecutive blocks for continuous PRNG test */
10699 + for (p = tout; p < tout + rv - bl; p += bl)
10701 + if (!memcmp(p, p + bl, bl))
10703 + FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK);
10708 + if (rv > max_len)
10713 +static void fips_cleanup_entropy(DRBG_CTX *dctx,
10714 + unsigned char *out, size_t olen)
10717 + if (dctx->xflags & DRBG_FLAG_TEST)
10720 + bl = dctx->entropy_blocklen;
10721 + /* Call cleanup with original arguments */
10722 + dctx->cleanup_entropy(dctx, out - bl, olen + bl);
10726 +int FIPS_drbg_instantiate(DRBG_CTX *dctx,
10727 + const unsigned char *pers, size_t perslen)
10729 + size_t entlen = 0, noncelen = 0;
10730 + unsigned char *nonce = NULL, *entropy = NULL;
10733 + /* Put here so error script picks them up */
10734 + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE,
10735 + FIPS_R_PERSONALISATION_STRING_TOO_LONG);
10736 + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE);
10737 + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED);
10738 + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY);
10739 + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE);
10740 + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR);
10741 + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED);
10746 + if (perslen > dctx->max_pers)
10748 + r = FIPS_R_PERSONALISATION_STRING_TOO_LONG;
10752 + if (!dctx->instantiate)
10754 + r = FIPS_R_DRBG_NOT_INITIALISED;
10758 + if (dctx->status != DRBG_STATUS_UNINITIALISED)
10760 + if (dctx->status == DRBG_STATUS_ERROR)
10761 + r = FIPS_R_IN_ERROR_STATE;
10763 + r = FIPS_R_ALREADY_INSTANTIATED;
10767 + dctx->status = DRBG_STATUS_ERROR;
10769 + entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
10770 + dctx->min_entropy, dctx->max_entropy);
10772 + if (entlen < dctx->min_entropy || entlen > dctx->max_entropy)
10774 + r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
10778 + if (dctx->max_nonce > 0 && dctx->get_nonce)
10780 + noncelen = dctx->get_nonce(dctx, &nonce,
10781 + dctx->strength / 2,
10782 + dctx->min_nonce, dctx->max_nonce);
10784 + if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce)
10786 + r = FIPS_R_ERROR_RETRIEVING_NONCE;
10792 + if (!dctx->instantiate(dctx,
10797 + r = FIPS_R_ERROR_INSTANTIATING_DRBG;
10802 + dctx->status = DRBG_STATUS_READY;
10803 + if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
10804 + dctx->reseed_counter = 1;
10808 + if (entropy && dctx->cleanup_entropy)
10809 + fips_cleanup_entropy(dctx, entropy, entlen);
10811 + if (nonce && dctx->cleanup_nonce)
10812 + dctx->cleanup_nonce(dctx, nonce, noncelen);
10814 + if (dctx->status == DRBG_STATUS_READY)
10817 + if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
10818 + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r);
10824 +static int drbg_reseed(DRBG_CTX *dctx,
10825 + const unsigned char *adin, size_t adinlen, int hcheck)
10827 + unsigned char *entropy = NULL;
10828 + size_t entlen = 0;
10832 + FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED);
10833 + FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
10835 + if (dctx->status != DRBG_STATUS_READY
10836 + && dctx->status != DRBG_STATUS_RESEED)
10838 + if (dctx->status == DRBG_STATUS_ERROR)
10839 + r = FIPS_R_IN_ERROR_STATE;
10840 + else if(dctx->status == DRBG_STATUS_UNINITIALISED)
10841 + r = FIPS_R_NOT_INSTANTIATED;
10847 + else if (adinlen > dctx->max_adin)
10849 + r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
10853 + dctx->status = DRBG_STATUS_ERROR;
10854 + /* Peform health check on all reseed operations if not a prediction
10855 + * resistance request and not in test mode.
10857 + if (hcheck && !(dctx->xflags & DRBG_FLAG_TEST))
10859 + if (!FIPS_drbg_health_check(dctx))
10861 + r = FIPS_R_SELFTEST_FAILURE;
10866 + entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
10867 + dctx->min_entropy, dctx->max_entropy);
10869 + if (entlen < dctx->min_entropy || entlen > dctx->max_entropy)
10871 + r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
10875 + if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen))
10878 + dctx->status = DRBG_STATUS_READY;
10879 + if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
10880 + dctx->reseed_counter = 1;
10883 + if (entropy && dctx->cleanup_entropy)
10884 + fips_cleanup_entropy(dctx, entropy, entlen);
10886 + if (dctx->status == DRBG_STATUS_READY)
10889 + if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
10890 + FIPSerr(FIPS_F_DRBG_RESEED, r);
10895 +int FIPS_drbg_reseed(DRBG_CTX *dctx,
10896 + const unsigned char *adin, size_t adinlen)
10898 + return drbg_reseed(dctx, adin, adinlen, 1);
10901 +static int fips_drbg_check(DRBG_CTX *dctx)
10903 + if (dctx->xflags & DRBG_FLAG_TEST)
10905 + dctx->health_check_cnt++;
10906 + if (dctx->health_check_cnt >= dctx->health_check_interval)
10908 + if (!FIPS_drbg_health_check(dctx))
10910 + FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE);
10917 +int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
10918 + int prediction_resistance,
10919 + const unsigned char *adin, size_t adinlen)
10923 + if (FIPS_selftest_failed())
10925 + FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED);
10929 + if (!fips_drbg_check(dctx))
10932 + if (dctx->status != DRBG_STATUS_READY
10933 + && dctx->status != DRBG_STATUS_RESEED)
10935 + if (dctx->status == DRBG_STATUS_ERROR)
10936 + r = FIPS_R_IN_ERROR_STATE;
10937 + else if(dctx->status == DRBG_STATUS_UNINITIALISED)
10938 + r = FIPS_R_NOT_INSTANTIATED;
10942 + if (outlen > dctx->max_request)
10944 + r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
10948 + if (adinlen > dctx->max_adin)
10950 + r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
10954 + if (dctx->iflags & DRBG_CUSTOM_RESEED)
10955 + dctx->generate(dctx, NULL, outlen, NULL, 0);
10956 + else if (dctx->reseed_counter >= dctx->reseed_interval)
10957 + dctx->status = DRBG_STATUS_RESEED;
10959 + if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance)
10961 + /* If prediction resistance request don't do health check */
10962 + int hcheck = prediction_resistance ? 0 : 1;
10964 + if (!drbg_reseed(dctx, adin, adinlen, hcheck))
10966 + r = FIPS_R_RESEED_ERROR;
10973 + if (!dctx->generate(dctx, out, outlen, adin, adinlen))
10975 + r = FIPS_R_GENERATE_ERROR;
10976 + dctx->status = DRBG_STATUS_ERROR;
10979 + if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
10981 + if (dctx->reseed_counter >= dctx->reseed_interval)
10982 + dctx->status = DRBG_STATUS_RESEED;
10984 + dctx->reseed_counter++;
10990 + if (!(dctx->iflags & DRBG_FLAG_NOERR))
10991 + FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);
10998 +int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)
11001 + if (!dctx->uninstantiate)
11004 + rv = dctx->uninstantiate(dctx);
11005 + /* Although we'd like to cleanse here we can't because we have to
11006 + * test the uninstantiate really zeroes the data.
11008 + memset(&dctx->d, 0, sizeof(dctx->d));
11009 + dctx->status = DRBG_STATUS_UNINITIALISED;
11010 + /* If method has problems uninstantiating, return error */
11014 +int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
11015 + size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
11016 + int entropy, size_t min_len, size_t max_len),
11017 + void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
11018 + size_t entropy_blocklen,
11019 + size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
11020 + int entropy, size_t min_len, size_t max_len),
11021 + void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen))
11023 + if (dctx->status != DRBG_STATUS_UNINITIALISED)
11025 + dctx->entropy_blocklen = entropy_blocklen;
11026 + dctx->get_entropy = get_entropy;
11027 + dctx->cleanup_entropy = cleanup_entropy;
11028 + dctx->get_nonce = get_nonce;
11029 + dctx->cleanup_nonce = cleanup_nonce;
11033 +int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
11034 + size_t (*get_adin)(DRBG_CTX *ctx, unsigned char **pout),
11035 + void (*cleanup_adin)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
11036 + int (*rand_seed_cb)(DRBG_CTX *ctx, const void *buf, int num),
11037 + int (*rand_add_cb)(DRBG_CTX *ctx,
11038 + const void *buf, int num, double entropy))
11040 + if (dctx->status != DRBG_STATUS_UNINITIALISED)
11042 + dctx->get_adin = get_adin;
11043 + dctx->cleanup_adin = cleanup_adin;
11044 + dctx->rand_seed_cb = rand_seed_cb;
11045 + dctx->rand_add_cb = rand_add_cb;
11049 +void *FIPS_drbg_get_app_data(DRBG_CTX *dctx)
11051 + return dctx->app_data;
11054 +void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data)
11056 + dctx->app_data = app_data;
11059 +size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)
11061 + return dctx->blocklength;
11064 +int FIPS_drbg_get_strength(DRBG_CTX *dctx)
11066 + return dctx->strength;
11069 +void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval)
11071 + dctx->health_check_interval = interval;
11074 +void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval)
11076 + dctx->reseed_interval = interval;
11079 +static int drbg_stick = 0;
11081 +void FIPS_drbg_stick(int onoff)
11083 + drbg_stick = onoff;
11086 +/* Continuous DRBG utility function */
11087 +int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out)
11089 + /* No CPRNG in test mode */
11090 + if (dctx->xflags & DRBG_FLAG_TEST)
11092 + /* Check block is valid: should never happen */
11093 + if (dctx->lb_valid == 0)
11095 + FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_INTERNAL_ERROR);
11096 + fips_set_selftest_fail();
11100 + memcpy(dctx->lb, out, dctx->blocklength);
11101 + /* Check against last block: fail if match */
11102 + if (!memcmp(dctx->lb, out, dctx->blocklength))
11104 + FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_DRBG_STUCK);
11105 + fips_set_selftest_fail();
11108 + /* Save last block for next comparison */
11109 + memcpy(dctx->lb, out, dctx->blocklength);
11112 diff -up openssl-1.0.1b/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.1b/crypto/fips/fips_drbg_rand.c
11113 --- openssl-1.0.1b/crypto/fips/fips_drbg_rand.c.fips 2012-04-26 18:00:51.403769365 +0200
11114 +++ openssl-1.0.1b/crypto/fips/fips_drbg_rand.c 2012-04-26 18:00:51.403769365 +0200
11116 +/* fips/rand/fips_drbg_rand.c */
11117 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
11120 +/* ====================================================================
11121 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
11123 + * Redistribution and use in source and binary forms, with or without
11124 + * modification, are permitted provided that the following conditions
11127 + * 1. Redistributions of source code must retain the above copyright
11128 + * notice, this list of conditions and the following disclaimer.
11130 + * 2. Redistributions in binary form must reproduce the above copyright
11131 + * notice, this list of conditions and the following disclaimer in
11132 + * the documentation and/or other materials provided with the
11135 + * 3. All advertising materials mentioning features or use of this
11136 + * software must display the following acknowledgment:
11137 + * "This product includes software developed by the OpenSSL Project
11138 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
11140 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
11141 + * endorse or promote products derived from this software without
11142 + * prior written permission. For written permission, please contact
11143 + * licensing@OpenSSL.org.
11145 + * 5. Products derived from this software may not be called "OpenSSL"
11146 + * nor may "OpenSSL" appear in their names without prior written
11147 + * permission of the OpenSSL Project.
11149 + * 6. Redistributions of any form whatsoever must retain the following
11150 + * acknowledgment:
11151 + * "This product includes software developed by the OpenSSL Project
11152 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
11154 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
11155 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
11156 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
11157 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
11158 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
11159 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
11160 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
11161 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
11162 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
11163 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
11164 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
11165 + * OF THE POSSIBILITY OF SUCH DAMAGE.
11166 + * ====================================================================
11169 +#include <string.h>
11170 +#include <openssl/crypto.h>
11171 +#include <openssl/err.h>
11172 +#include <openssl/rand.h>
11173 +#include <openssl/fips_rand.h>
11174 +#include "fips_rand_lcl.h"
11176 +/* Mapping of SP800-90 DRBGs to OpenSSL RAND_METHOD */
11178 +/* Since we only have one global PRNG used at any time in OpenSSL use a global
11179 + * variable to store context.
11182 +static DRBG_CTX ossl_dctx;
11184 +DRBG_CTX *FIPS_get_default_drbg(void)
11186 + return &ossl_dctx;
11189 +static int fips_drbg_bytes(unsigned char *out, int count)
11191 + DRBG_CTX *dctx = &ossl_dctx;
11193 + unsigned char *adin = NULL;
11194 + size_t adinlen = 0;
11195 + CRYPTO_w_lock(CRYPTO_LOCK_RAND);
11199 + if (count > (int)dctx->max_request)
11200 + rcnt = dctx->max_request;
11203 + if (dctx->get_adin)
11205 + adinlen = dctx->get_adin(dctx, &adin);
11206 + if (adinlen && !adin)
11208 + FIPSerr(FIPS_F_FIPS_DRBG_BYTES, FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT);
11212 + rv = FIPS_drbg_generate(dctx, out, rcnt, 0, adin, adinlen);
11215 + if (dctx->cleanup_adin)
11216 + dctx->cleanup_adin(dctx, adin, adinlen);
11227 + CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
11231 +static int fips_drbg_pseudo(unsigned char *out, int count)
11233 + if (fips_drbg_bytes(out, count) <= 0)
11238 +static int fips_drbg_status(void)
11240 + DRBG_CTX *dctx = &ossl_dctx;
11242 + CRYPTO_r_lock(CRYPTO_LOCK_RAND);
11243 + rv = dctx->status == DRBG_STATUS_READY ? 1 : 0;
11244 + CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
11248 +static void fips_drbg_cleanup(void)
11250 + DRBG_CTX *dctx = &ossl_dctx;
11251 + CRYPTO_w_lock(CRYPTO_LOCK_RAND);
11252 + FIPS_drbg_uninstantiate(dctx);
11253 + CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
11256 +static int fips_drbg_seed(const void *seed, int seedlen)
11258 + DRBG_CTX *dctx = &ossl_dctx;
11259 + if (dctx->rand_seed_cb)
11260 + return dctx->rand_seed_cb(dctx, seed, seedlen);
11264 +static int fips_drbg_add(const void *seed, int seedlen,
11265 + double add_entropy)
11267 + DRBG_CTX *dctx = &ossl_dctx;
11268 + if (dctx->rand_add_cb)
11269 + return dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
11273 +static const RAND_METHOD rand_drbg_meth =
11277 + fips_drbg_cleanup,
11279 + fips_drbg_pseudo,
11283 +const RAND_METHOD *FIPS_drbg_method(void)
11285 + return &rand_drbg_meth;
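Review bot: fips_drbg_seed and fips_drbg_add dispatch to dctx->rand_seed_cb / dctx->rand_add_cb on the shared ossl_dctx without taking CRYPTO_LOCK_RAND, whereas fips_drbg_bytes, fips_drbg_status and fips_drbg_cleanup all bracket their access to the same context with the lock, and nothing in the hunk records whether the callback is expected to serialise itself (some lines of this hunk are elided on the page, so the elided ones were checked only by their numbering). If the callbacks are meant to hand off to another RAND_METHOD that locks on its own, that contract belongs above fips_drbg_seed, e.g. `/* CRYPTO_LOCK_RAND is deliberately not held here: the seed/add callbacks run unlocked and must serialise themselves (they may re-enter RAND, which takes the lock). */`; otherwise a seed racing a generate on ossl_dctx is a data race on the context. Separately, fips_drbg_bytes takes `int count` and only clamps it from above against max_request, so a negative count reaches FIPS_drbg_generate as a converted size; an explicit `if (count < 0) return 0;` at the top (assuming 0 is this function's error return, which the elided lines do not show) would be cheaper and clearer than relying on the generate-side length check.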
11288 diff -up openssl-1.0.1b/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.1b/crypto/fips/fips_drbg_selftest.c
11289 --- openssl-1.0.1b/crypto/fips/fips_drbg_selftest.c.fips 2012-04-26 18:00:51.403769365 +0200
11290 +++ openssl-1.0.1b/crypto/fips/fips_drbg_selftest.c 2012-04-26 18:00:51.403769365 +0200
11292 +/* fips/rand/fips_drbg_selftest.c */
11293 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
11296 +/* ====================================================================
11297 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
11299 + * Redistribution and use in source and binary forms, with or without
11300 + * modification, are permitted provided that the following conditions
11303 + * 1. Redistributions of source code must retain the above copyright
11304 + * notice, this list of conditions and the following disclaimer.
11306 + * 2. Redistributions in binary form must reproduce the above copyright
11307 + * notice, this list of conditions and the following disclaimer in
11308 + * the documentation and/or other materials provided with the
11311 + * 3. All advertising materials mentioning features or use of this
11312 + * software must display the following acknowledgment:
11313 + * "This product includes software developed by the OpenSSL Project
11314 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
11316 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
11317 + * endorse or promote products derived from this software without
11318 + * prior written permission. For written permission, please contact
11319 + * licensing@OpenSSL.org.
11321 + * 5. Products derived from this software may not be called "OpenSSL"
11322 + * nor may "OpenSSL" appear in their names without prior written
11323 + * permission of the OpenSSL Project.
11325 + * 6. Redistributions of any form whatsoever must retain the following
11326 + * acknowledgment:
11327 + * "This product includes software developed by the OpenSSL Project
11328 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
11330 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
11331 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
11332 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
11333 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
11334 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
11335 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
11336 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
11337 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
11338 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
11339 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
11340 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
11341 + * OF THE POSSIBILITY OF SUCH DAMAGE.
11342 + * ====================================================================
11345 +#include <string.h>
11346 +#include <openssl/crypto.h>
11347 +#include <openssl/err.h>
11348 +#include <openssl/fips_rand.h>
11349 +#include "fips_rand_lcl.h"
11350 +#include "fips_locl.h"
11352 +#include "fips_drbg_selftest.h"
11357 + unsigned int flags;
11359 + /* KAT data for no PR */
11360 + const unsigned char *ent;
11362 + const unsigned char *nonce;
11364 + const unsigned char *pers;
11366 + const unsigned char *adin;
11368 + const unsigned char *entreseed;
11369 + size_t entreseedlen;
11370 + const unsigned char *adinreseed;
11371 + size_t adinreseedlen;
11372 + const unsigned char *adin2;
11374 + const unsigned char *kat;
11376 + const unsigned char *kat2;
11379 + /* KAT data for PR */
11380 + const unsigned char *ent_pr;
11381 + size_t entlen_pr;
11382 + const unsigned char *nonce_pr;
11383 + size_t noncelen_pr;
11384 + const unsigned char *pers_pr;
11385 + size_t perslen_pr;
11386 + const unsigned char *adin_pr;
11387 + size_t adinlen_pr;
11388 + const unsigned char *entpr_pr;
11389 + size_t entprlen_pr;
11390 + const unsigned char *ading_pr;
11391 + size_t adinglen_pr;
11392 + const unsigned char *entg_pr;
11393 + size_t entglen_pr;
11394 + const unsigned char *kat_pr;
11395 + size_t katlen_pr;
11396 + const unsigned char *kat2_pr;
11397 + size_t kat2len_pr;
11399 + } DRBG_SELFTEST_DATA;
11401 +#define make_drbg_test_data(nid, flag, pr, p) {p, nid, flag | DRBG_FLAG_TEST, \
11402 + pr##_entropyinput, sizeof(pr##_entropyinput), \
11403 + pr##_nonce, sizeof(pr##_nonce), \
11404 + pr##_personalizationstring, sizeof(pr##_personalizationstring), \
11405 + pr##_additionalinput, sizeof(pr##_additionalinput), \
11406 + pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
11407 + pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
11408 + pr##_additionalinput2, sizeof(pr##_additionalinput2), \
11409 + pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
11410 + pr##_returnedbits, sizeof(pr##_returnedbits), \
11411 + pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
11412 + pr##_pr_nonce, sizeof(pr##_pr_nonce), \
11413 + pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
11414 + pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
11415 + pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
11416 + pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
11417 + pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
11418 + pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
11419 + pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits), \
11422 +#define make_drbg_test_data_df(nid, pr, p) \
11423 + make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr, p)
11425 +#define make_drbg_test_data_ec(curve, md, pr, p) \
11426 + make_drbg_test_data((curve << 16) | md , 0, pr, p)
11428 +static DRBG_SELFTEST_DATA drbg_test[] = {
11429 + make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0),
11430 + make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0),
11431 + make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1),
11432 + make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df, 0),
11433 + make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df, 0),
11434 + make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df, 1),
11435 + make_drbg_test_data(NID_sha1, 0, sha1, 0),
11436 + make_drbg_test_data(NID_sha224, 0, sha224, 0),
11437 + make_drbg_test_data(NID_sha256, 0, sha256, 1),
11438 + make_drbg_test_data(NID_sha384, 0, sha384, 0),
11439 + make_drbg_test_data(NID_sha512, 0, sha512, 0),
11440 + make_drbg_test_data(NID_hmacWithSHA1, 0, hmac_sha1, 0),
11441 + make_drbg_test_data(NID_hmacWithSHA224, 0, hmac_sha224, 0),
11442 + make_drbg_test_data(NID_hmacWithSHA256, 0, hmac_sha256, 1),
11443 + make_drbg_test_data(NID_hmacWithSHA384, 0, hmac_sha384, 0),
11444 + make_drbg_test_data(NID_hmacWithSHA512, 0, hmac_sha512, 0),
11450 + const unsigned char *ent;
11453 + const unsigned char *nonce;
11458 +static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
11459 + int entropy, size_t min_len, size_t max_len)
11461 + TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
11462 + *pout = (unsigned char *)t->ent;
11464 + return t->entlen;
11467 +static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
11468 + int entropy, size_t min_len, size_t max_len)
11470 + TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
11471 + *pout = (unsigned char *)t->nonce;
11473 + return t->noncelen;
11476 +static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
11482 + unsigned char randout[1024];
11484 + /* Initial test without PR */
11486 + /* Instantiate DRBG with test entropy, nonce and personalisation
11490 + if (!FIPS_drbg_init(dctx, td->nid, td->flags))
11492 + if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
11495 + FIPS_drbg_set_app_data(dctx, &t);
11498 + t.entlen = td->entlen;
11499 + t.nonce = td->nonce;
11500 + t.noncelen = td->noncelen;
11504 + if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
11507 + /* Note for CTR without DF some additional input values
11508 + * ignore bytes after the keylength: so reduce adinlen
11509 + * to half to ensure invalid data is fed in.
11511 + if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
11512 + adinlen = td->adinlen / 2;
11514 + adinlen = td->adinlen;
11516 + /* Generate with no PR and verify output matches expected data */
11517 + if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
11518 + td->adin, adinlen))
11521 + if (memcmp(randout, td->kat, td->katlen))
11523 + FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST1_FAILURE);
11526 + /* If abbreviated POST end of test */
11532 + /* Reseed DRBG with test entropy and additional input */
11533 + t.ent = td->entreseed;
11534 + t.entlen = td->entreseedlen;
11536 + if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen))
11539 + /* Generate with no PR and verify output matches expected data */
11540 + if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0,
11541 + td->adin2, td->adin2len))
11544 + if (memcmp(randout, td->kat2, td->kat2len))
11546 + FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST2_FAILURE);
11550 + FIPS_drbg_uninstantiate(dctx);
11552 + /* Now test with PR */
11554 + /* Instantiate DRBG with test entropy, nonce and personalisation
11557 + if (!FIPS_drbg_init(dctx, td->nid, td->flags))
11559 + if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
11562 + FIPS_drbg_set_app_data(dctx, &t);
11564 + t.ent = td->ent_pr;
11565 + t.entlen = td->entlen_pr;
11566 + t.nonce = td->nonce_pr;
11567 + t.noncelen = td->noncelen_pr;
11571 + if (!FIPS_drbg_instantiate(dctx, td->pers_pr, td->perslen_pr))
11574 + /* Now generate with PR: we need to supply entropy as this will
11575 + * perform a reseed operation. Check output matches expected value.
11578 + t.ent = td->entpr_pr;
11579 + t.entlen = td->entprlen_pr;
11581 + /* Note for CTR without DF some additional input values
11582 + * ignore bytes after the keylength: so reduce adinlen
11583 + * to half to ensure invalid data is fed in.
11585 + if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
11586 + adinlen = td->adinlen_pr / 2;
11588 + adinlen = td->adinlen_pr;
11589 + if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 1,
11590 + td->adin_pr, adinlen))
11593 + if (memcmp(randout, td->kat_pr, td->katlen_pr))
11595 + FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST1_FAILURE);
11599 + /* Now generate again with PR: supply new entropy again.
11600 + * Check output matches expected value.
11603 + t.ent = td->entg_pr;
11604 + t.entlen = td->entglen_pr;
11606 + if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 1,
11607 + td->ading_pr, td->adinglen_pr))
11610 + if (memcmp(randout, td->kat2_pr, td->kat2len_pr))
11612 + FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST2_FAILURE);
11615 + /* All OK, test complete */
11620 + FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED);
11622 + FIPS_drbg_uninstantiate(dctx);
11628 +/* Initialise a DRBG based on selftest data */
11630 +static int do_drbg_init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td, TEST_ENT *t)
11633 + if (!FIPS_drbg_init(dctx, td->nid, td->flags))
11636 + if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
11639 + FIPS_drbg_set_app_data(dctx, t);
11641 + t->ent = td->ent;
11642 + t->entlen = td->entlen;
11643 + t->nonce = td->nonce;
11644 + t->noncelen = td->noncelen;
11650 +/* Initialise and instantiate DRBG based on selftest data */
11651 +static int do_drbg_instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
11654 + if (!do_drbg_init(dctx, td, t))
11656 + if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
11662 +/* This function performs extensive error checking as required by SP800-90.
11663 + * Induce several failure modes and check an error condition is set.
11664 + * This function along with fips_drbg_single_kat peforms the health checking
11668 +static int fips_drbg_error_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
11670 + unsigned char randout[1024];
11673 + unsigned int reseed_counter_tmp;
11674 + unsigned char *p = (unsigned char *)dctx;
11676 + /* Initialise DRBG */
11678 + if (!do_drbg_init(dctx, td, &t))
11681 + /* Don't report induced errors */
11682 + dctx->iflags |= DRBG_FLAG_NOERR;
11684 + /* Personalisation string tests */
11686 + /* Test detection of too large personlisation string */
11688 + if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0)
11690 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_PERSONALISATION_ERROR_UNDETECTED);
11694 + /* Entropy source tests */
11696 + /* Test entropy source failure detecion: i.e. returns no data */
11700 + if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
11702 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
11706 + /* Try to generate output from uninstantiated DRBG */
11707 + if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
11708 + td->adin, td->adinlen))
11710 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_GENERATE_ERROR_UNDETECTED);
11714 + dctx->iflags &= ~DRBG_FLAG_NOERR;
11715 + if (!FIPS_drbg_uninstantiate(dctx))
11717 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
11721 + if (!do_drbg_init(dctx, td, &t))
11724 + dctx->iflags |= DRBG_FLAG_NOERR;
11726 + /* Test insufficient entropy */
11728 + t.entlen = dctx->min_entropy - 1;
11730 + if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
11732 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
11736 + dctx->iflags &= ~DRBG_FLAG_NOERR;
11737 + if (!FIPS_drbg_uninstantiate(dctx))
11739 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
11743 + /* Test too much entropy */
11745 + if (!do_drbg_init(dctx, td, &t))
11748 + dctx->iflags |= DRBG_FLAG_NOERR;
11750 + t.entlen = dctx->max_entropy + 1;
11752 + if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
11754 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
11758 + dctx->iflags &= ~DRBG_FLAG_NOERR;
11759 + if (!FIPS_drbg_uninstantiate(dctx))
11761 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
11765 + /* Nonce tests */
11767 + /* Test too small nonce */
11769 + if (dctx->min_nonce)
11772 + if (!do_drbg_init(dctx, td, &t))
11775 + dctx->iflags |= DRBG_FLAG_NOERR;
11777 + t.noncelen = dctx->min_nonce - 1;
11779 + if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
11781 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_NONCE_ERROR_UNDETECTED);
11785 + dctx->iflags &= ~DRBG_FLAG_NOERR;
11786 + if (!FIPS_drbg_uninstantiate(dctx))
11788 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
11794 + /* Test too large nonce */
11796 + if (dctx->max_nonce)
11799 + if (!do_drbg_init(dctx, td, &t))
11802 + dctx->iflags |= DRBG_FLAG_NOERR;
11804 + t.noncelen = dctx->max_nonce + 1;
11806 + if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
11808 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_NONCE_ERROR_UNDETECTED);
11812 + dctx->iflags &= ~DRBG_FLAG_NOERR;
11813 + if (!FIPS_drbg_uninstantiate(dctx))
11815 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
11821 + /* Instantiate with valid data. */
11822 + if (!do_drbg_instantiate(dctx, td, &t))
11825 + /* Check generation is now OK */
11826 + if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
11827 + td->adin, td->adinlen))
11830 + dctx->iflags |= DRBG_FLAG_NOERR;
11832 + /* Request too much data for one request */
11833 + if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0,
11834 + td->adin, td->adinlen))
11836 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED);
11840 + /* Try too large additional input */
11841 + if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
11842 + td->adin, dctx->max_adin + 1))
11844 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
11848 + /* Check prediction resistance request fails if entropy source
11854 + if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
11855 + td->adin, td->adinlen))
11857 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
11861 + dctx->iflags &= ~DRBG_FLAG_NOERR;
11862 + if (!FIPS_drbg_uninstantiate(dctx))
11864 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
11869 + /* Instantiate again with valid data */
11871 + if (!do_drbg_instantiate(dctx, td, &t))
11873 + /* Test reseed counter works */
11874 + /* Save initial reseed counter */
11875 + reseed_counter_tmp = dctx->reseed_counter;
11876 + /* Set reseed counter to beyond interval */
11877 + dctx->reseed_counter = dctx->reseed_interval;
11879 + /* Generate output and check entropy has been requested for reseed */
11881 + if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
11882 + td->adin, td->adinlen))
11884 + if (t.entcnt != 1)
11886 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
11889 + /* Check reseed counter has been reset */
11890 + if (dctx->reseed_counter != reseed_counter_tmp + 1)
11892 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
11896 + dctx->iflags &= ~DRBG_FLAG_NOERR;
11897 + if (!FIPS_drbg_uninstantiate(dctx))
11899 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
11903 + /* Check prediction resistance request fails if entropy source
11909 + dctx->iflags |= DRBG_FLAG_NOERR;
11910 + if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
11911 + td->adin, td->adinlen))
11913 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
11917 + dctx->iflags &= ~DRBG_FLAG_NOERR;
11919 + if (!FIPS_drbg_uninstantiate(dctx))
11921 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
11926 + if (!do_drbg_instantiate(dctx, td, &t))
11928 + /* Test reseed counter works */
11929 + /* Save initial reseed counter */
11930 + reseed_counter_tmp = dctx->reseed_counter;
11931 + /* Set reseed counter to beyond interval */
11932 + dctx->reseed_counter = dctx->reseed_interval;
11934 + /* Generate output and check entropy has been requested for reseed */
11936 + if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
11937 + td->adin, td->adinlen))
11939 + if (t.entcnt != 1)
11941 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
11944 + /* Check reseed counter has been reset */
11945 + if (dctx->reseed_counter != reseed_counter_tmp + 1)
11947 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
11951 + dctx->iflags &= ~DRBG_FLAG_NOERR;
11952 + if (!FIPS_drbg_uninstantiate(dctx))
11954 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
11958 + /* Explicit reseed tests */
11960 + /* Test explicit reseed with too large additional input */
11961 + if (!do_drbg_init(dctx, td, &t))
11964 + dctx->iflags |= DRBG_FLAG_NOERR;
11966 + if (FIPS_drbg_reseed(dctx, td->adin, dctx->max_adin + 1) > 0)
11968 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
11972 + /* Test explicit reseed with entropy source failure */
11976 + if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0)
11978 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
11982 + if (!FIPS_drbg_uninstantiate(dctx))
11984 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
11988 + /* Test explicit reseed with too much entropy */
11990 + if (!do_drbg_init(dctx, td, &t))
11993 + dctx->iflags |= DRBG_FLAG_NOERR;
11995 + t.entlen = dctx->max_entropy + 1;
11997 + if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0)
11999 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
12003 + if (!FIPS_drbg_uninstantiate(dctx))
12005 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
12009 + /* Test explicit reseed with too little entropy */
12011 + if (!do_drbg_init(dctx, td, &t))
12014 + dctx->iflags |= DRBG_FLAG_NOERR;
12016 + t.entlen = dctx->min_entropy - 1;
12018 + if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0)
12020 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
12024 + if (!FIPS_drbg_uninstantiate(dctx))
12026 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
12030 + p = (unsigned char *)&dctx->d;
12031 + /* Standard says we have to check uninstantiate really zeroes
12034 + for (i = 0; i < sizeof(dctx->d); i++)
12038 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ZEROISE_ERROR);
12047 + /* A real error as opposed to an induced one: underlying function will
12048 + * indicate the error.
12050 + if (!(dctx->iflags & DRBG_FLAG_NOERR))
12051 + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_FUNCTION_ERROR);
12052 + FIPS_drbg_uninstantiate(dctx);
12057 +int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags)
12059 + DRBG_SELFTEST_DATA *td;
12060 + flags |= DRBG_FLAG_TEST;
12061 + for (td = drbg_test; td->nid != 0; td++)
12063 + if (td->nid == nid && td->flags == flags)
12065 + if (!fips_drbg_single_kat(dctx, td, 0))
12067 + return fips_drbg_error_check(dctx, td);
12073 +int FIPS_drbg_health_check(DRBG_CTX *dctx)
12076 + DRBG_CTX *tctx = NULL;
12077 + tctx = FIPS_drbg_new(0, 0);
12078 + fips_post_started(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
12081 + rv = fips_drbg_kat(tctx, dctx->type, dctx->xflags);
12083 + FIPS_drbg_free(tctx);
12085 + fips_post_success(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
12087 + fips_post_failed(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
12089 + dctx->status = DRBG_STATUS_ERROR;
12091 + dctx->health_check_cnt = 0;
12095 +int FIPS_selftest_drbg(void)
12098 + DRBG_SELFTEST_DATA *td;
12100 + dctx = FIPS_drbg_new(0, 0);
12103 + for (td = drbg_test; td->nid != 0; td++)
12105 + if (td->post != 1)
12107 + if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
12109 + if (!fips_drbg_single_kat(dctx, td, 1))
12111 + fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
12115 + if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
12118 + FIPS_drbg_free(dctx);
12123 +int FIPS_selftest_drbg_all(void)
12126 + DRBG_SELFTEST_DATA *td;
12128 + dctx = FIPS_drbg_new(0, 0);
12131 + for (td = drbg_test; td->nid != 0; td++)
12133 + if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
12135 + if (!fips_drbg_single_kat(dctx, td, 0))
12137 + fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
12141 + if (!fips_drbg_error_check(dctx, td))
12143 + fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
12147 + if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
12150 + FIPS_drbg_free(dctx);
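Review bot: The induced-error tests in fips_drbg_error_check pass lengths larger than the buffers they refer to — `dctx->max_request + 1` against the 1024-byte stack array randout, and `dctx->max_adin + 1` against the static td->adin KAT vector — so the self-test is memory-safe only if FIPS_drbg_generate and FIPS_drbg_reseed reject the length before any output is written or input read, and that dependency is stated nowhere in the hunk. A regression in those length checks would then surface as a stack overrun inside the health check rather than as FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED, which is worth pinning with a comment above the "Request too much data for one request" block, e.g. `/* NOTE: randout is only 1024 bytes and td->adin is the KAT vector; these calls rely on the DRBG rejecting the length before touching either buffer. */`. In the same spirit fips_drbg_single_kat copies td->katlen, td->kat2len, td->katlen_pr and td->kat2len_pr bytes into randout without comparing them against sizeof(randout); the vectors are static so this holds today, but a guard on `td->katlen > sizeof(randout) || td->kat2len > sizeof(randout)` (and the _pr pair) after the declaration, branching to the existing failure path, would make the bound explicit. The initial `unsigned char *p = (unsigned char *)dctx;` in fips_drbg_error_check is dead, since p is reassigned to `&dctx->d` before its only use in the zeroisation loop.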
12154 diff -up openssl-1.0.1b/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.1b/crypto/fips/fips_drbg_selftest.h
12155 --- openssl-1.0.1b/crypto/fips/fips_drbg_selftest.h.fips 2012-04-26 18:00:51.404769387 +0200
12156 +++ openssl-1.0.1b/crypto/fips/fips_drbg_selftest.h 2012-04-26 18:00:51.404769387 +0200
12158 +/* ====================================================================
12159 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
12161 + * Redistribution and use in source and binary forms, with or without
12162 + * modification, are permitted provided that the following conditions
12165 + * 1. Redistributions of source code must retain the above copyright
12166 + * notice, this list of conditions and the following disclaimer.
12168 + * 2. Redistributions in binary form must reproduce the above copyright
12169 + * notice, this list of conditions and the following disclaimer in
12170 + * the documentation and/or other materials provided with the
12173 + * 3. All advertising materials mentioning features or use of this
12174 + * software must display the following acknowledgment:
12175 + * "This product includes software developed by the OpenSSL Project
12176 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
12178 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
12179 + * endorse or promote products derived from this software without
12180 + * prior written permission. For written permission, please contact
12181 + * openssl-core.org.
12183 + * 5. Products derived from this software may not be called "OpenSSL"
12184 + * nor may "OpenSSL" appear in their names without prior written
12185 + * permission of the OpenSSL Project.
12187 + * 6. Redistributions of any form whatsoever must retain the following
12188 + * acknowledgment:
12189 + * "This product includes software developed by the OpenSSL Project
12190 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
12192 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
12193 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
12194 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
12195 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
12196 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
12197 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
12198 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
12199 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
12200 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
12201 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
12202 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
12203 + * OF THE POSSIBILITY OF SUCH DAMAGE.
12207 +/* Selftest and health check data for the SP800-90 DRBG */
12209 +#define __fips_constseg
12211 +/* AES-128 use df PR */
12213 +static const unsigned char aes_128_use_df_pr_entropyinput[] =
12215 + 0x61,0x52,0x7c,0xe3,0x23,0x7d,0x0a,0x07,0x10,0x0c,0x50,0x33,
12216 + 0xc8,0xdb,0xff,0x12
12220 +static const unsigned char aes_128_use_df_pr_nonce[] =
12222 + 0x51,0x0d,0x85,0x77,0xed,0x22,0x97,0x28
12226 +static const unsigned char aes_128_use_df_pr_personalizationstring[] =
12228 + 0x59,0x9f,0xbb,0xcd,0xd5,0x25,0x69,0xb5,0xcb,0xb5,0x03,0xfe,
12229 + 0xd7,0xd7,0x01,0x67
12233 +static const unsigned char aes_128_use_df_pr_additionalinput[] =
12235 + 0xef,0x88,0x76,0x01,0xaf,0x3c,0xfe,0x8b,0xaf,0x26,0x06,0x9e,
12236 + 0x9a,0x47,0x08,0x76
12240 +static const unsigned char aes_128_use_df_pr_entropyinputpr[] =
12242 + 0xe2,0x76,0xf9,0xf6,0x3a,0xba,0x10,0x9f,0xbf,0x47,0x0e,0x51,
12243 + 0x09,0xfb,0xa3,0xb6
12247 +static const unsigned char aes_128_use_df_pr_int_returnedbits[] =
12249 + 0xd4,0x98,0x8a,0x46,0x80,0x4c,0xdb,0xa3,0x59,0x02,0x57,0x52,
12250 + 0x66,0x1c,0xea,0x5b
12254 +static const unsigned char aes_128_use_df_pr_additionalinput2[] =
12256 + 0x88,0x8c,0x91,0xd6,0xbe,0x56,0x6e,0x08,0x9a,0x62,0x2b,0x11,
12257 + 0x3f,0x5e,0x31,0x06
12261 +static const unsigned char aes_128_use_df_pr_entropyinputpr2[] =
12263 + 0xc0,0x5c,0x6b,0x98,0x01,0x0d,0x58,0x18,0x51,0x18,0x96,0xae,
12264 + 0xa7,0xe3,0xa8,0x67
12268 +static const unsigned char aes_128_use_df_pr_returnedbits[] =
12270 + 0xcf,0x01,0xac,0x22,0x31,0x06,0x8e,0xfc,0xce,0x56,0xea,0x24,
12271 + 0x0f,0x38,0x43,0xc6
12275 +/* AES-128 use df No PR */
12277 +static const unsigned char aes_128_use_df_entropyinput[] =
12279 + 0x1f,0x8e,0x34,0x82,0x0c,0xb7,0xbe,0xc5,0x01,0x3e,0xd0,0xa3,
12280 + 0x9d,0x7d,0x1c,0x9b
12284 +static const unsigned char aes_128_use_df_nonce[] =
12286 + 0xd5,0x4d,0xbd,0x4a,0x93,0x7f,0xb8,0x96
12290 +static const unsigned char aes_128_use_df_personalizationstring[] =
12292 + 0xab,0xd6,0x3f,0x04,0xfe,0x27,0x6b,0x2d,0xd7,0xc3,0x1c,0xf3,
12293 + 0x38,0x66,0xba,0x1b
12297 +static const unsigned char aes_128_use_df_additionalinput[] =
12299 + 0xfe,0xf4,0x09,0xa8,0xb7,0x73,0x27,0x9c,0x5f,0xa7,0xea,0x46,
12300 + 0xb5,0xe2,0xb2,0x41
12304 +static const unsigned char aes_128_use_df_int_returnedbits[] =
12306 + 0x42,0xe4,0x4e,0x7b,0x27,0xdd,0xcb,0xbc,0x0a,0xcf,0xa6,0x67,
12307 + 0xe7,0x57,0x11,0xb4
12311 +static const unsigned char aes_128_use_df_entropyinputreseed[] =
12313 + 0x14,0x26,0x69,0xd9,0xf3,0x65,0x03,0xd6,0x6b,0xb9,0x44,0x0b,
12314 + 0xc7,0xc4,0x9e,0x39
12318 +static const unsigned char aes_128_use_df_additionalinputreseed[] =
12320 + 0x55,0x2e,0x60,0x9a,0x05,0x72,0x8a,0xa8,0xef,0x22,0x81,0x5a,
12321 + 0xc8,0x93,0xfa,0x84
12325 +static const unsigned char aes_128_use_df_additionalinput2[] =
12327 + 0x3c,0x40,0xc8,0xc4,0x16,0x0c,0x21,0xa4,0x37,0x2c,0x8f,0xa5,
12328 + 0x06,0x0c,0x15,0x2c
12332 +static const unsigned char aes_128_use_df_returnedbits[] =
12334 + 0xe1,0x3e,0x99,0x98,0x86,0x67,0x0b,0x63,0x7b,0xbe,0x3f,0x88,
12335 + 0x46,0x81,0xc7,0x19
12339 +/* AES-192 use df PR */
12341 +static const unsigned char aes_192_use_df_pr_entropyinput[] =
12343 + 0x2b,0x4e,0x8b,0xe1,0xf1,0x34,0x80,0x56,0x81,0xf9,0x74,0xec,
12344 + 0x17,0x44,0x2a,0xf1,0x14,0xb0,0xbf,0x97,0x39,0xb7,0x04,0x7d
12348 +static const unsigned char aes_192_use_df_pr_nonce[] =
12350 + 0xd6,0x9d,0xeb,0x14,0x4e,0x6c,0x30,0x1e,0x39,0x55,0x73,0xd0,
12351 + 0xd1,0x80,0x78,0xfa
12355 +static const unsigned char aes_192_use_df_pr_personalizationstring[] =
12357 + 0xfc,0x43,0x4a,0xf8,0x9a,0x55,0xb3,0x53,0x83,0xe2,0x18,0x16,
12358 + 0x0c,0xdc,0xcd,0x5e,0x4f,0xa0,0x03,0x01,0x2b,0x9f,0xe4,0xd5,
12359 + 0x7d,0x49,0xf0,0x41,0x9e,0x3d,0x99,0x04
12363 +static const unsigned char aes_192_use_df_pr_additionalinput[] =
12365 + 0x5e,0x9f,0x49,0x6f,0x21,0x8b,0x1d,0x32,0xd5,0x84,0x5c,0xac,
12366 + 0xaf,0xdf,0xe4,0x79,0x9e,0xaf,0xa9,0x82,0xd0,0xf8,0x4f,0xcb,
12367 + 0x69,0x10,0x0a,0x7e,0x81,0x57,0xb5,0x36
12371 +static const unsigned char aes_192_use_df_pr_entropyinputpr[] =
12373 + 0xd4,0x81,0x0c,0xd7,0x66,0x39,0xec,0x42,0x53,0x87,0x41,0xa5,
12374 + 0x1e,0x7d,0x80,0x91,0x8e,0xbb,0xed,0xac,0x14,0x02,0x1a,0xd5
12378 +static const unsigned char aes_192_use_df_pr_int_returnedbits[] =
12380 + 0xdf,0x1d,0x39,0x45,0x7c,0x9b,0xc6,0x2b,0x7d,0x8c,0x93,0xe9,
12381 + 0x19,0x30,0x6b,0x67
12385 +static const unsigned char aes_192_use_df_pr_additionalinput2[] =
12387 + 0x00,0x71,0x27,0x4e,0xd3,0x14,0xf1,0x20,0x7f,0x4a,0x41,0x32,
12388 + 0x2a,0x97,0x11,0x43,0x8f,0x4a,0x15,0x7b,0x9b,0x51,0x79,0xda,
12389 + 0x49,0x3d,0xde,0xe8,0xbc,0x93,0x91,0x99
12393 +static const unsigned char aes_192_use_df_pr_entropyinputpr2[] =
12395 + 0x90,0xee,0x76,0xa1,0x45,0x8d,0xb7,0x40,0xb0,0x11,0xbf,0xd0,
12396 + 0x65,0xd7,0x3c,0x7c,0x4f,0x20,0x3f,0x4e,0x11,0x9d,0xb3,0x5e
12400 +static const unsigned char aes_192_use_df_pr_returnedbits[] =
12402 + 0x24,0x3b,0x20,0xa4,0x37,0x66,0xba,0x72,0x39,0x3f,0xcf,0x3c,
12403 + 0x7e,0x1a,0x2b,0x83
12407 +/* AES-192 use df No PR */
12409 +static const unsigned char aes_192_use_df_entropyinput[] =
12411 + 0x8d,0x74,0xa4,0x50,0x1a,0x02,0x68,0x0c,0x2a,0x69,0xc4,0x82,
12412 + 0x3b,0xbb,0xda,0x0e,0x7f,0x77,0xa3,0x17,0x78,0x57,0xb2,0x7b
12416 +static const unsigned char aes_192_use_df_nonce[] =
12418 + 0x75,0xd5,0x1f,0xac,0xa4,0x8d,0x42,0x78,0xd7,0x69,0x86,0x9d,
12419 + 0x77,0xd7,0x41,0x0e
12423 +static const unsigned char aes_192_use_df_personalizationstring[] =
12425 + 0x4e,0x33,0x41,0x3c,0x9c,0xc2,0xd2,0x53,0xaf,0x90,0xea,0xcf,
12426 + 0x19,0x50,0x1e,0xe6,0x6f,0x63,0xc8,0x32,0x22,0xdc,0x07,0x65,
12427 + 0x9c,0xd3,0xf8,0x30,0x9e,0xed,0x35,0x70
12431 +static const unsigned char aes_192_use_df_additionalinput[] =
12433 + 0x5d,0x8b,0x8c,0xc1,0xdf,0x0e,0x02,0x78,0xfb,0x19,0xb8,0x69,
12434 + 0x78,0x4e,0x9c,0x52,0xbc,0xc7,0x20,0xc9,0xe6,0x5e,0x77,0x22,
12435 + 0x28,0x3d,0x0c,0x9e,0x68,0xa8,0x45,0xd7
12439 +static const unsigned char aes_192_use_df_int_returnedbits[] =
12441 + 0xd5,0xe7,0x08,0xc5,0x19,0x99,0xd5,0x31,0x03,0x0a,0x74,0xb6,
12442 + 0xb7,0xed,0xe9,0xea
12446 +static const unsigned char aes_192_use_df_entropyinputreseed[] =
12448 + 0x9c,0x26,0xda,0xf1,0xac,0xd9,0x5a,0xd6,0xa8,0x65,0xf5,0x02,
12449 + 0x8f,0xdc,0xa2,0x09,0x54,0xa6,0xe2,0xa4,0xde,0x32,0xe0,0x01
12453 +static const unsigned char aes_192_use_df_additionalinputreseed[] =
12455 + 0x9b,0x90,0xb0,0x3a,0x0e,0x3a,0x80,0x07,0x4a,0xf4,0xda,0x76,
12456 + 0x28,0x30,0x3c,0xee,0x54,0x1b,0x94,0x59,0x51,0x43,0x56,0x77,
12457 + 0xaf,0x88,0xdd,0x63,0x89,0x47,0x06,0x65
12461 +static const unsigned char aes_192_use_df_additionalinput2[] =
12463 + 0x3c,0x11,0x64,0x7a,0x96,0xf5,0xd8,0xb8,0xae,0xd6,0x70,0x4e,
12464 + 0x16,0x96,0xde,0xe9,0x62,0xbc,0xee,0x28,0x2f,0x26,0xa6,0xf0,
12465 + 0x56,0xef,0xa3,0xf1,0x6b,0xa1,0xb1,0x77
12469 +static const unsigned char aes_192_use_df_returnedbits[] =
12471 + 0x0b,0xe2,0x56,0x03,0x1e,0xdb,0x2c,0x6d,0x7f,0x1b,0x15,0x58,
12472 + 0x1a,0xf9,0x13,0x28
12476 +/* AES-256 use df PR */
12478 +static const unsigned char aes_256_use_df_pr_entropyinput[] =
12480 + 0x61,0x68,0xfc,0x1a,0xf0,0xb5,0x95,0x6b,0x85,0x09,0x9b,0x74,
12481 + 0x3f,0x13,0x78,0x49,0x3b,0x85,0xec,0x93,0x13,0x3b,0xa9,0x4f,
12482 + 0x96,0xab,0x2c,0xe4,0xc8,0x8f,0xdd,0x6a
12486 +static const unsigned char aes_256_use_df_pr_nonce[] =
12488 + 0xad,0xd2,0xbb,0xba,0xb7,0x65,0x89,0xc3,0x21,0x6c,0x55,0x33,
12489 + 0x2b,0x36,0xff,0xa4
12493 +static const unsigned char aes_256_use_df_pr_personalizationstring[] =
12495 + 0x6e,0xca,0xe7,0x20,0x72,0xd3,0x84,0x5a,0x32,0xd3,0x4b,0x24,
12496 + 0x72,0xc4,0x63,0x2b,0x9d,0x12,0x24,0x0c,0x23,0x26,0x8e,0x83,
12497 + 0x16,0x37,0x0b,0xd1,0x06,0x4f,0x68,0x6d
12501 +static const unsigned char aes_256_use_df_pr_additionalinput[] =
12503 + 0x7e,0x08,0x4a,0xbb,0xe3,0x21,0x7c,0xc9,0x23,0xd2,0xf8,0xb0,
12504 + 0x73,0x98,0xba,0x84,0x74,0x23,0xab,0x06,0x8a,0xe2,0x22,0xd3,
12505 + 0x7b,0xce,0x9b,0xd2,0x4a,0x76,0xb8,0xde
12509 +static const unsigned char aes_256_use_df_pr_entropyinputpr[] =
12511 + 0x0b,0x23,0xaf,0xdf,0xf1,0x62,0xd7,0xd3,0x43,0x97,0xf8,0x77,
12512 + 0x04,0xa8,0x42,0x20,0xbd,0xf6,0x0f,0xc1,0x17,0x2f,0x9f,0x54,
12513 + 0xbb,0x56,0x17,0x86,0x68,0x0e,0xba,0xa9
12517 +static const unsigned char aes_256_use_df_pr_int_returnedbits[] =
12519 + 0x31,0x8e,0xad,0xaf,0x40,0xeb,0x6b,0x74,0x31,0x46,0x80,0xc7,
12520 + 0x17,0xab,0x3c,0x7a
12524 +static const unsigned char aes_256_use_df_pr_additionalinput2[] =
12526 + 0x94,0x6b,0xc9,0x9f,0xab,0x8d,0xc5,0xec,0x71,0x88,0x1d,0x00,
12527 + 0x8c,0x89,0x68,0xe4,0xc8,0x07,0x77,0x36,0x17,0x6d,0x79,0x78,
12528 + 0xc7,0x06,0x4e,0x99,0x04,0x28,0x29,0xc3
12532 +static const unsigned char aes_256_use_df_pr_entropyinputpr2[] =
12534 + 0xbf,0x6c,0x59,0x2a,0x0d,0x44,0x0f,0xae,0x9a,0x5e,0x03,0x73,
12535 + 0xd8,0xa6,0xe1,0xcf,0x25,0x61,0x38,0x24,0x86,0x9e,0x53,0xe8,
12536 + 0xa4,0xdf,0x56,0xf4,0x06,0x07,0x9c,0x0f
12540 +static const unsigned char aes_256_use_df_pr_returnedbits[] =
12542 + 0x22,0x4a,0xb4,0xb8,0xb6,0xee,0x7d,0xb1,0x9e,0xc9,0xf9,0xa0,
12543 + 0xd9,0xe2,0x97,0x00
12547 +/* AES-256 use df No PR */
12549 +static const unsigned char aes_256_use_df_entropyinput[] =
12551 + 0xa5,0x3e,0x37,0x10,0x17,0x43,0x91,0x93,0x59,0x1e,0x47,0x50,
12552 + 0x87,0xaa,0xdd,0xd5,0xc1,0xc3,0x86,0xcd,0xca,0x0d,0xdb,0x68,
12553 + 0xe0,0x02,0xd8,0x0f,0xdc,0x40,0x1a,0x47
12557 +static const unsigned char aes_256_use_df_nonce[] =
12559 + 0xa9,0x4d,0xa5,0x5a,0xfd,0xc5,0x0c,0xe5,0x1c,0x9a,0x3b,0x8a,
12560 + 0x4c,0x44,0x84,0x40
12564 +static const unsigned char aes_256_use_df_personalizationstring[] =
12566 + 0x8b,0x52,0xa2,0x4a,0x93,0xc3,0x4e,0xa7,0x1e,0x1c,0xa7,0x05,
12567 + 0xeb,0x82,0x9b,0xa6,0x5d,0xe4,0xd4,0xe0,0x7f,0xa3,0xd8,0x6b,
12568 + 0x37,0x84,0x5f,0xf1,0xc7,0xd5,0xf6,0xd2
12572 +static const unsigned char aes_256_use_df_additionalinput[] =
12574 + 0x20,0xf4,0x22,0xed,0xf8,0x5c,0xa1,0x6a,0x01,0xcf,0xbe,0x5f,
12575 + 0x8d,0x6c,0x94,0x7f,0xae,0x12,0xa8,0x57,0xdb,0x2a,0xa9,0xbf,
12576 + 0xc7,0xb3,0x65,0x81,0x80,0x8d,0x0d,0x46
12580 +static const unsigned char aes_256_use_df_int_returnedbits[] =
12582 + 0x4e,0x44,0xfd,0xf3,0x9e,0x29,0xa2,0xb8,0x0f,0x5d,0x6c,0xe1,
12583 + 0x28,0x0c,0x3b,0xc1
12587 +static const unsigned char aes_256_use_df_entropyinputreseed[] =
12589 + 0xdd,0x40,0xe5,0x98,0x7b,0x27,0x16,0x73,0x15,0x68,0xd2,0x76,
12590 + 0xbf,0x0c,0x67,0x15,0x75,0x79,0x03,0xd3,0xde,0xde,0x91,0x46,
12591 + 0x42,0xdd,0xd4,0x67,0xc8,0x79,0xc8,0x1e
12595 +static const unsigned char aes_256_use_df_additionalinputreseed[] =
12597 + 0x7f,0xd8,0x1f,0xbd,0x2a,0xb5,0x1c,0x11,0x5d,0x83,0x4e,0x99,
12598 + 0xf6,0x5c,0xa5,0x40,0x20,0xed,0x38,0x8e,0xd5,0x9e,0xe0,0x75,
12599 + 0x93,0xfe,0x12,0x5e,0x5d,0x73,0xfb,0x75
12603 +static const unsigned char aes_256_use_df_additionalinput2[] =
12605 + 0xcd,0x2c,0xff,0x14,0x69,0x3e,0x4c,0x9e,0xfd,0xfe,0x26,0x0d,
12606 + 0xe9,0x86,0x00,0x49,0x30,0xba,0xb1,0xc6,0x50,0x57,0x77,0x2a,
12607 + 0x62,0x39,0x2c,0x3b,0x74,0xeb,0xc9,0x0d
12611 +static const unsigned char aes_256_use_df_returnedbits[] =
12613 + 0x4f,0x78,0xbe,0xb9,0x4d,0x97,0x8c,0xe9,0xd0,0x97,0xfe,0xad,
12614 + 0xfa,0xfd,0x35,0x5e
12618 +/* AES-128 no df PR */
12620 +static const unsigned char aes_128_no_df_pr_entropyinput[] =
12622 + 0x9a,0x25,0x65,0x10,0x67,0xd5,0xb6,0x6b,0x70,0xa1,0xb3,0xa4,
12623 + 0x43,0x95,0x80,0xc0,0x84,0x0a,0x79,0xb0,0x88,0x74,0xf2,0xbf,
12624 + 0x31,0x6c,0x33,0x38,0x0b,0x00,0xb2,0x5a
12628 +static const unsigned char aes_128_no_df_pr_nonce[] =
12630 + 0x78,0x47,0x6b,0xf7,0x90,0x8e,0x87,0xf1
12634 +static const unsigned char aes_128_no_df_pr_personalizationstring[] =
12636 + 0xf7,0x22,0x1d,0x3a,0xbe,0x1d,0xca,0x32,0x1b,0xbd,0x87,0x0c,
12637 + 0x51,0x24,0x19,0xee,0xa3,0x23,0x09,0x63,0x33,0x3d,0xa8,0x0c,
12638 + 0x1c,0xfa,0x42,0x89,0xcc,0x6f,0xa0,0xa8
12642 +static const unsigned char aes_128_no_df_pr_additionalinput[] =
12644 + 0xc9,0xe0,0x80,0xbf,0x8c,0x45,0x58,0x39,0xff,0x00,0xab,0x02,
12645 + 0x4c,0x3e,0x3a,0x95,0x9b,0x80,0xa8,0x21,0x2a,0xee,0xba,0x73,
12646 + 0xb1,0xd9,0xcf,0x28,0xf6,0x8f,0x9b,0x12
12650 +static const unsigned char aes_128_no_df_pr_entropyinputpr[] =
12652 + 0x4c,0xa8,0xc5,0xf0,0x59,0x9e,0xa6,0x8d,0x26,0x53,0xd7,0x8a,
12653 + 0xa9,0xd8,0xf7,0xed,0xb2,0xf9,0x12,0x42,0xe1,0xe5,0xbd,0xe7,
12654 + 0xe7,0x1d,0x74,0x99,0x00,0x9d,0x31,0x3e
12658 +static const unsigned char aes_128_no_df_pr_int_returnedbits[] =
12660 + 0xe2,0xac,0x20,0xf0,0x80,0xe7,0xbc,0x7e,0x9c,0x7b,0x65,0x71,
12661 + 0xaf,0x19,0x32,0x16
12665 +static const unsigned char aes_128_no_df_pr_additionalinput2[] =
12667 + 0x32,0x7f,0x38,0x8b,0x73,0x0a,0x78,0x83,0xdc,0x30,0xbe,0x9f,
12668 + 0x10,0x1f,0xf5,0x1f,0xca,0x00,0xb5,0x0d,0xd6,0x9d,0x60,0x83,
12669 + 0x51,0x54,0x7d,0x38,0x23,0x3a,0x52,0x50
12673 +static const unsigned char aes_128_no_df_pr_entropyinputpr2[] =
12675 + 0x18,0x61,0x53,0x56,0xed,0xed,0xd7,0x20,0xfb,0x71,0x04,0x7a,
12676 + 0xb2,0xac,0xc1,0x28,0xcd,0xf2,0xc2,0xfc,0xaa,0xb1,0x06,0x07,
12677 + 0xe9,0x46,0x95,0x02,0x48,0x01,0x78,0xf9
12681 +static const unsigned char aes_128_no_df_pr_returnedbits[] =
12683 + 0x29,0xc8,0x1b,0x15,0xb1,0xd1,0xc2,0xf6,0x71,0x86,0x68,0x33,
12684 + 0x57,0x82,0x33,0xaf
12688 +/* AES-128 no df No PR */
12690 +static const unsigned char aes_128_no_df_entropyinput[] =
12692 + 0xc9,0xc5,0x79,0xbc,0xe8,0xc5,0x19,0xd8,0xbc,0x66,0x73,0x67,
12693 + 0xf6,0xd3,0x72,0xaa,0xa6,0x16,0xb8,0x50,0xb7,0x47,0x3a,0x42,
12694 + 0xab,0xf4,0x16,0xb2,0x96,0xd2,0xb6,0x60
12698 +static const unsigned char aes_128_no_df_nonce[] =
12700 + 0x5f,0xbf,0x97,0x0c,0x4b,0xa4,0x87,0x13
12704 +static const unsigned char aes_128_no_df_personalizationstring[] =
12706 + 0xce,0xfb,0x7b,0x3f,0xd4,0x6b,0x29,0x0d,0x69,0x06,0xff,0xbb,
12707 + 0xf2,0xe5,0xc6,0x6c,0x0a,0x10,0xa0,0xcf,0x1a,0x48,0xc7,0x8b,
12708 + 0x3c,0x16,0x88,0xed,0x50,0x13,0x81,0xce
12712 +static const unsigned char aes_128_no_df_additionalinput[] =
12714 + 0x4b,0x22,0x46,0x18,0x02,0x7b,0xd2,0x1b,0x22,0x42,0x7c,0x37,
12715 + 0xd9,0xf6,0xe8,0x9b,0x12,0x30,0x5f,0xe9,0x90,0xe8,0x08,0x24,
12716 + 0x4f,0x06,0x66,0xdb,0x19,0x2b,0x13,0x95
12720 +static const unsigned char aes_128_no_df_int_returnedbits[] =
12722 + 0x2e,0x96,0x70,0x64,0xfa,0xdf,0xdf,0x57,0xb5,0x82,0xee,0xd6,
12723 + 0xed,0x3e,0x65,0xc2
12727 +static const unsigned char aes_128_no_df_entropyinputreseed[] =
12729 + 0x26,0xc0,0x72,0x16,0x3a,0x4b,0xb7,0x99,0xd4,0x07,0xaf,0x66,
12730 + 0x62,0x36,0x96,0xa4,0x51,0x17,0xfa,0x07,0x8b,0x17,0x5e,0xa1,
12731 + 0x2f,0x3c,0x10,0xe7,0x90,0xd0,0x46,0x00
12735 +static const unsigned char aes_128_no_df_additionalinputreseed[] =
12737 + 0x83,0x39,0x37,0x7b,0x02,0x06,0xd2,0x12,0x13,0x8d,0x8b,0xf2,
12738 + 0xf0,0xf6,0x26,0xeb,0xa4,0x22,0x7b,0xc2,0xe7,0xba,0x79,0xe4,
12739 + 0x3b,0x77,0x5d,0x4d,0x47,0xb2,0x2d,0xb4
12743 +static const unsigned char aes_128_no_df_additionalinput2[] =
12745 + 0x0b,0xb9,0x67,0x37,0xdb,0x83,0xdf,0xca,0x81,0x8b,0xf9,0x3f,
12746 + 0xf1,0x11,0x1b,0x2f,0xf0,0x61,0xa6,0xdf,0xba,0xa3,0xb1,0xac,
12747 + 0xd3,0xe6,0x09,0xb8,0x2c,0x6a,0x67,0xd6
12751 +static const unsigned char aes_128_no_df_returnedbits[] =
12753 + 0x1e,0xa7,0xa4,0xe4,0xe1,0xa6,0x7c,0x69,0x9a,0x44,0x6c,0x36,
12754 + 0x81,0x37,0x19,0xd4
12758 +/* AES-192 no df PR */
12760 +static const unsigned char aes_192_no_df_pr_entropyinput[] =
12762 + 0x9d,0x2c,0xd2,0x55,0x66,0xea,0xe0,0xbe,0x18,0xb7,0x76,0xe7,
12763 + 0x73,0x35,0xd8,0x1f,0xad,0x3a,0xe3,0x81,0x0e,0x92,0xd0,0x61,
12764 + 0xc9,0x12,0x26,0xf6,0x1c,0xdf,0xfe,0x47,0xaa,0xfe,0x7d,0x5a,
12765 + 0x17,0x1f,0x8d,0x9a
12769 +static const unsigned char aes_192_no_df_pr_nonce[] =
12771 + 0x44,0x82,0xed,0xe8,0x4c,0x28,0x5a,0x14,0xff,0x88,0x8d,0x19,
12772 + 0x61,0x5c,0xee,0x0f
12776 +static const unsigned char aes_192_no_df_pr_personalizationstring[] =
12778 + 0x47,0xd7,0x9b,0x99,0xaa,0xcb,0xe7,0xd2,0x57,0x66,0x2c,0xe1,
12779 + 0x78,0xd6,0x2c,0xea,0xa3,0x23,0x5f,0x2a,0xc1,0x3a,0xf0,0xa4,
12780 + 0x20,0x3b,0xfa,0x07,0xd5,0x05,0x02,0xe4,0x57,0x01,0xb6,0x10,
12781 + 0x57,0x2e,0xe7,0x55
12785 +static const unsigned char aes_192_no_df_pr_additionalinput[] =
12787 + 0x4b,0x74,0x0b,0x40,0xce,0x6b,0xc2,0x6a,0x24,0xb4,0xf3,0xad,
12788 + 0x7a,0xa5,0x7a,0xa2,0x15,0xe2,0xc8,0x61,0x15,0xc6,0xb7,0x85,
12789 + 0x69,0x11,0xad,0x7b,0x14,0xd2,0xf6,0x12,0xa1,0x95,0x5d,0x3f,
12790 + 0xe2,0xd0,0x0c,0x2f
12794 +static const unsigned char aes_192_no_df_pr_entropyinputpr[] =
12796 + 0x0c,0x9c,0xad,0x05,0xee,0xae,0x48,0x23,0x89,0x59,0xa1,0x94,
12797 + 0xd7,0xd8,0x75,0xd5,0x54,0x93,0xc7,0x4a,0xd9,0x26,0xde,0xeb,
12798 + 0xba,0xb0,0x7e,0x30,0x1d,0x5f,0x69,0x40,0x9c,0x3b,0x17,0x58,
12799 + 0x1d,0x30,0xb3,0x78
12803 +static const unsigned char aes_192_no_df_pr_int_returnedbits[] =
12805 + 0xf7,0x93,0xb0,0x6d,0x77,0x83,0xd5,0x38,0x01,0xe1,0x52,0x40,
12806 + 0x7e,0x3e,0x0c,0x26
12810 +static const unsigned char aes_192_no_df_pr_additionalinput2[] =
12812 + 0xbc,0x4b,0x37,0x44,0x1c,0xc5,0x45,0x5f,0x8f,0x51,0x62,0x8a,
12813 + 0x85,0x30,0x1d,0x7c,0xe4,0xcf,0xf7,0x44,0xce,0x32,0x3e,0x57,
12814 + 0x95,0xa4,0x2a,0xdf,0xfd,0x9e,0x38,0x41,0xb3,0xf6,0xc5,0xee,
12815 + 0x0c,0x4b,0xee,0x6e
12819 +static const unsigned char aes_192_no_df_pr_entropyinputpr2[] =
12821 + 0xec,0xaf,0xf6,0x4f,0xb1,0xa0,0x54,0xb5,0x5b,0xe3,0x46,0xb0,
12822 + 0x76,0x5a,0x7c,0x3f,0x7b,0x94,0x69,0x21,0x51,0x02,0xe5,0x9f,
12823 + 0x04,0x59,0x02,0x98,0xc6,0x43,0x2c,0xcc,0x26,0x4c,0x87,0x6b,
12824 + 0x8e,0x0a,0x83,0xdf
12828 +static const unsigned char aes_192_no_df_pr_returnedbits[] =
12830 + 0x74,0x45,0xfb,0x53,0x84,0x96,0xbe,0xff,0x15,0xcc,0x41,0x91,
12831 + 0xb9,0xa1,0x21,0x68
12835 +/* AES-192 no df No PR */
12837 +static const unsigned char aes_192_no_df_entropyinput[] =
12839 + 0x3c,0x7d,0xb5,0xe0,0x54,0xd9,0x6e,0x8c,0xa9,0x86,0xce,0x4e,
12840 + 0x6b,0xaf,0xeb,0x2f,0xe7,0x75,0xe0,0x8b,0xa4,0x3b,0x07,0xfe,
12841 + 0xbe,0x33,0x75,0x93,0x80,0x27,0xb5,0x29,0x47,0x8b,0xc7,0x28,
12842 + 0x94,0xc3,0x59,0x63
12846 +static const unsigned char aes_192_no_df_nonce[] =
12848 + 0x43,0xf1,0x7d,0xb8,0xc3,0xfe,0xd0,0x23,0x6b,0xb4,0x92,0xdb,
12849 + 0x29,0xfd,0x45,0x71
12853 +static const unsigned char aes_192_no_df_personalizationstring[] =
12855 + 0x9f,0x24,0x29,0x99,0x9e,0x01,0xab,0xe9,0x19,0xd8,0x23,0x08,
12856 + 0xb7,0xd6,0x7e,0x8c,0xc0,0x9e,0x7f,0x6e,0x5b,0x33,0x20,0x96,
12857 + 0x0b,0x23,0x2c,0xa5,0x6a,0xf8,0x1b,0x04,0x26,0xdb,0x2e,0x2b,
12858 + 0x3b,0x88,0xce,0x35
12862 +static const unsigned char aes_192_no_df_additionalinput[] =
12864 + 0x94,0xe9,0x7c,0x3d,0xa7,0xdb,0x60,0x83,0x1f,0x98,0x3f,0x0b,
12865 + 0x88,0x59,0x57,0x51,0x88,0x9f,0x76,0x49,0x9f,0xa6,0xda,0x71,
12866 + 0x1d,0x0d,0x47,0x16,0x63,0xc5,0x68,0xe4,0x5d,0x39,0x69,0xb3,
12867 + 0x3e,0xbe,0xd4,0x8e
12871 +static const unsigned char aes_192_no_df_int_returnedbits[] =
12873 + 0xf9,0xd7,0xad,0x69,0xab,0x8f,0x23,0x56,0x70,0x17,0x4f,0x2a,
12874 + 0x45,0xe7,0x4a,0xc5
12878 +static const unsigned char aes_192_no_df_entropyinputreseed[] =
12880 + 0xa6,0x71,0x6a,0x3d,0xba,0xd1,0xe8,0x66,0xa6,0xef,0xb2,0x0e,
12881 + 0xa8,0x9c,0xaa,0x4e,0xaf,0x17,0x89,0x50,0x00,0xda,0xa1,0xb1,
12882 + 0x0b,0xa4,0xd9,0x35,0x89,0xc8,0xe5,0xb0,0xd9,0xb7,0xc4,0x33,
12883 + 0x9b,0xcb,0x7e,0x75
12887 +static const unsigned char aes_192_no_df_additionalinputreseed[] =
12889 + 0x27,0x21,0xfc,0xc2,0xbd,0xf3,0x3c,0xce,0xc3,0xca,0xc1,0x01,
12890 + 0xe0,0xff,0x93,0x12,0x7d,0x54,0x42,0xe3,0x9f,0x03,0xdf,0x27,
12891 + 0x04,0x07,0x3c,0x53,0x7f,0xa8,0x66,0xc8,0x97,0x4b,0x61,0x40,
12892 + 0x5d,0x7a,0x25,0x79
12896 +static const unsigned char aes_192_no_df_additionalinput2[] =
12898 + 0x2d,0x8e,0x16,0x5d,0x0b,0x9f,0xeb,0xaa,0xd6,0xec,0x28,0x71,
12899 + 0x7c,0x0b,0xc1,0x1d,0xd4,0x44,0x19,0x47,0xfd,0x1d,0x7c,0xe5,
12900 + 0xf3,0x27,0xe1,0xb6,0x72,0x0a,0xe0,0xec,0x0e,0xcd,0xef,0x1a,
12901 + 0x91,0x6a,0xe3,0x5f
12905 +static const unsigned char aes_192_no_df_returnedbits[] =
12907 + 0xe5,0xda,0xb8,0xe0,0x63,0x59,0x5a,0xcc,0x3d,0xdc,0x9f,0xe8,
12908 + 0x66,0x67,0x2c,0x92
12912 +/* AES-256 no df PR */
12914 +static const unsigned char aes_256_no_df_pr_entropyinput[] =
12916 + 0x15,0xc7,0x5d,0xcb,0x41,0x4b,0x16,0x01,0x3a,0xd1,0x44,0xe8,
12917 + 0x22,0x32,0xc6,0x9c,0x3f,0xe7,0x43,0xf5,0x9a,0xd3,0xea,0xf2,
12918 + 0xd7,0x4e,0x6e,0x6a,0x55,0x73,0x40,0xef,0x89,0xad,0x0d,0x03,
12919 + 0x96,0x7e,0x78,0x81,0x2f,0x91,0x1b,0x44,0xb0,0x02,0xba,0x1c
12923 +static const unsigned char aes_256_no_df_pr_nonce[] =
12925 + 0xdc,0xe4,0xd4,0x27,0x7a,0x90,0xd7,0x99,0x43,0xa1,0x3c,0x30,
12926 + 0xcc,0x4b,0xee,0x2e
12930 +static const unsigned char aes_256_no_df_pr_personalizationstring[] =
12932 + 0xe3,0xe6,0xb9,0x11,0xe4,0x7a,0xa4,0x40,0x6b,0xf8,0x73,0xf7,
12933 + 0x7e,0xec,0xc7,0xb9,0x97,0xbf,0xf8,0x25,0x7b,0xbe,0x11,0x9b,
12934 + 0x5b,0x6a,0x0c,0x2e,0x2b,0x01,0x51,0xcd,0x41,0x4b,0x6b,0xac,
12935 + 0x31,0xa8,0x0b,0xf7,0xe6,0x59,0x42,0xb8,0x03,0x0c,0xf8,0x06
12939 +static const unsigned char aes_256_no_df_pr_additionalinput[] =
12941 + 0x6a,0x9f,0x00,0x91,0xae,0xfe,0xcf,0x84,0x99,0xce,0xb1,0x40,
12942 + 0x6d,0x5d,0x33,0x28,0x84,0xf4,0x8c,0x63,0x4c,0x7e,0xbd,0x2c,
12943 + 0x80,0x76,0xee,0x5a,0xaa,0x15,0x07,0x31,0xd8,0xbb,0x8c,0x69,
12944 + 0x9d,0x9d,0xbc,0x7e,0x49,0xae,0xec,0x39,0x6b,0xd1,0x1f,0x7e
12948 +static const unsigned char aes_256_no_df_pr_entropyinputpr[] =
12950 + 0xf3,0xb9,0x75,0x9c,0xbd,0x88,0xea,0xa2,0x50,0xad,0xd6,0x16,
12951 + 0x1a,0x12,0x3c,0x86,0x68,0xaf,0x6f,0xbe,0x19,0xf2,0xee,0xcc,
12952 + 0xa5,0x70,0x84,0x53,0x50,0xcb,0x9f,0x14,0xa9,0xe5,0xee,0xb9,
12953 + 0x48,0x45,0x40,0xe2,0xc7,0xc9,0x9a,0x74,0xff,0x8c,0x99,0x1f
12957 +static const unsigned char aes_256_no_df_pr_int_returnedbits[] =
12959 + 0x2e,0xf2,0x45,0x4c,0x62,0x2e,0x0a,0xb9,0x6b,0xa2,0xfd,0x56,
12960 + 0x79,0x60,0x93,0xcf
12964 +static const unsigned char aes_256_no_df_pr_additionalinput2[] =
12966 + 0xaf,0x69,0x20,0xe9,0x3b,0x37,0x9d,0x3f,0xb4,0x80,0x02,0x7a,
12967 + 0x25,0x7d,0xb8,0xde,0x71,0xc5,0x06,0x0c,0xb4,0xe2,0x8f,0x35,
12968 + 0xd8,0x14,0x0d,0x7f,0x76,0x63,0x4e,0xb5,0xee,0xe9,0x6f,0x34,
12969 + 0xc7,0x5f,0x56,0x14,0x4a,0xe8,0x73,0x95,0x5b,0x1c,0xb9,0xcb
12973 +static const unsigned char aes_256_no_df_pr_entropyinputpr2[] =
12975 + 0xe5,0xb0,0x2e,0x7e,0x52,0x30,0xe3,0x63,0x82,0xb6,0x44,0xd3,
12976 + 0x25,0x19,0x05,0x24,0x9a,0x9f,0x5f,0x27,0x6a,0x29,0xab,0xfa,
12977 + 0x07,0xa2,0x42,0x0f,0xc5,0xa8,0x94,0x7c,0x17,0x7b,0x85,0x83,
12978 + 0x0c,0x25,0x0e,0x63,0x0b,0xe9,0x12,0x60,0xcd,0xef,0x80,0x0f
12982 +static const unsigned char aes_256_no_df_pr_returnedbits[] =
12984 + 0x5e,0xf2,0x26,0xef,0x9f,0x58,0x5d,0xd5,0x4a,0x10,0xfe,0xa7,
12985 + 0x2d,0x5f,0x4a,0x46
12989 +/* AES-256 no df No PR */
12991 +static const unsigned char aes_256_no_df_entropyinput[] =
12993 + 0xfb,0xcf,0x1b,0x61,0x16,0x89,0x78,0x23,0xf5,0xd8,0x96,0xe3,
12994 + 0x4e,0x64,0x0b,0x29,0x9a,0x3f,0xf8,0xa5,0xed,0xf2,0xfe,0xdb,
12995 + 0x16,0xca,0x7f,0x10,0xfa,0x5e,0x18,0x76,0x2c,0x63,0x5e,0x96,
12996 + 0xcf,0xb3,0xd6,0xfc,0xaf,0x99,0x39,0x28,0x9c,0x61,0xe8,0xb3
13000 +static const unsigned char aes_256_no_df_nonce[] =
13002 + 0x12,0x96,0xf0,0x52,0xf3,0x8d,0x81,0xcf,0xde,0x86,0xf2,0x99,
13003 + 0x43,0x96,0xb9,0xf0
13007 +static const unsigned char aes_256_no_df_personalizationstring[] =
13009 + 0x63,0x0d,0x78,0xf5,0x90,0x8e,0x32,0x47,0xb0,0x4d,0x37,0x60,
13010 + 0x09,0x96,0xbc,0xbf,0x97,0x7a,0x62,0x14,0x45,0xbd,0x8d,0xcc,
13011 + 0x69,0xfb,0x03,0xe1,0x80,0x1c,0xc7,0xe2,0x2a,0xf9,0x37,0x3f,
13012 + 0x66,0x4d,0x62,0xd9,0x10,0xe0,0xad,0xc8,0x9a,0xf0,0xa8,0x6d
13016 +static const unsigned char aes_256_no_df_additionalinput[] =
13018 + 0x36,0xc6,0x13,0x60,0xbb,0x14,0xad,0x22,0xb0,0x38,0xac,0xa6,
13019 + 0x18,0x16,0x93,0x25,0x86,0xb7,0xdc,0xdc,0x36,0x98,0x2b,0xf9,
13020 + 0x68,0x33,0xd3,0xc6,0xff,0xce,0x8d,0x15,0x59,0x82,0x76,0xed,
13021 + 0x6f,0x8d,0x49,0x74,0x2f,0xda,0xdc,0x1f,0x17,0xd0,0xde,0x17
13025 +static const unsigned char aes_256_no_df_int_returnedbits[] =
13027 + 0x16,0x2f,0x8e,0x3f,0x21,0x7a,0x1c,0x20,0x56,0xd1,0x92,0xf6,
13028 + 0xd2,0x25,0x75,0x0e
13032 +static const unsigned char aes_256_no_df_entropyinputreseed[] =
13034 + 0x91,0x79,0x76,0xee,0xe0,0xcf,0x9e,0xc2,0xd5,0xd4,0x23,0x9b,
13035 + 0x12,0x8c,0x7e,0x0a,0xb7,0xd2,0x8b,0xd6,0x7c,0xa3,0xc6,0xe5,
13036 + 0x0e,0xaa,0xc7,0x6b,0xae,0x0d,0xfa,0x53,0x06,0x79,0xa1,0xed,
13037 + 0x4d,0x6a,0x0e,0xd8,0x9d,0xbe,0x1b,0x31,0x93,0x7b,0xec,0xfb
13041 +static const unsigned char aes_256_no_df_additionalinputreseed[] =
13043 + 0xd2,0x46,0x50,0x22,0x10,0x14,0x63,0xf7,0xea,0x0f,0xb9,0x7e,
13044 + 0x0d,0xe1,0x94,0x07,0xaf,0x09,0x44,0x31,0xea,0x64,0xa4,0x18,
13045 + 0x5b,0xf9,0xd8,0xc2,0xfa,0x03,0x47,0xc5,0x39,0x43,0xd5,0x3b,
13046 + 0x62,0x86,0x64,0xea,0x2c,0x73,0x8c,0xae,0x9d,0x98,0x98,0x29
13050 +static const unsigned char aes_256_no_df_additionalinput2[] =
13052 + 0x8c,0xab,0x18,0xf8,0xc3,0xec,0x18,0x5c,0xb3,0x1e,0x9d,0xbe,
13053 + 0x3f,0x03,0xb4,0x00,0x98,0x9d,0xae,0xeb,0xf4,0x94,0xf8,0x42,
13054 + 0x8f,0xe3,0x39,0x07,0xe1,0xc9,0xad,0x0b,0x1f,0xed,0xc0,0xba,
13055 + 0xf6,0xd1,0xec,0x27,0x86,0x7b,0xd6,0x55,0x9b,0x60,0xa5,0xc6
13059 +static const unsigned char aes_256_no_df_returnedbits[] =
13061 + 0xef,0xd2,0xd8,0x5c,0xdc,0x62,0x25,0x9f,0xaa,0x1e,0x2c,0x67,
13062 + 0xf6,0x02,0x32,0xe2
13068 +static const unsigned char sha1_pr_entropyinput[] =
13070 + 0xd2,0x36,0xa5,0x27,0x31,0x73,0xdd,0x11,0x4f,0x93,0xbd,0xe2,
13071 + 0x31,0xa5,0x91,0x13
13075 +static const unsigned char sha1_pr_nonce[] =
13077 + 0xb5,0xb3,0x60,0xef,0xf7,0x63,0x31,0xf3
13081 +static const unsigned char sha1_pr_personalizationstring[] =
13083 + 0xd4,0xbb,0x02,0x10,0xb2,0x71,0xdb,0x81,0xd6,0xf0,0x42,0x60,
13084 + 0xda,0xea,0x77,0x52
13088 +static const unsigned char sha1_pr_additionalinput[] =
13090 + 0x4d,0xd2,0x6c,0x87,0xfb,0x2c,0x4f,0xa6,0x8d,0x16,0x63,0x22,
13091 + 0x6a,0x51,0xe3,0xf8
13095 +static const unsigned char sha1_pr_entropyinputpr[] =
13097 + 0xc9,0x83,0x9e,0x16,0xf6,0x1c,0x0f,0xb2,0xec,0x60,0x31,0xa9,
13098 + 0xcb,0xa9,0x36,0x7a
13102 +static const unsigned char sha1_pr_int_returnedbits[] =
13104 + 0xa8,0x13,0x4f,0xf4,0x31,0x02,0x44,0xe3,0xd3,0x3d,0x61,0x9e,
13105 + 0xe5,0xc6,0x3e,0x89,0xb5,0x9b,0x0f,0x35
13109 +static const unsigned char sha1_pr_additionalinput2[] =
13111 + 0xf9,0xe8,0xd2,0x72,0x13,0x34,0x95,0x6f,0x15,0x49,0x47,0x99,
13112 + 0x16,0x03,0x19,0x47
13116 +static const unsigned char sha1_pr_entropyinputpr2[] =
13118 + 0x4e,0x8c,0x49,0x9b,0x4a,0x5c,0x9b,0x9c,0x3a,0xee,0xfb,0xd2,
13119 + 0xae,0xcd,0x8c,0xc4
13123 +static const unsigned char sha1_pr_returnedbits[] =
13125 + 0x50,0xb4,0xb4,0xcd,0x68,0x57,0xfc,0x2e,0xc1,0x52,0xcc,0xf6,
13126 + 0x68,0xa4,0x81,0xed,0x7e,0xe4,0x1d,0x87
13132 +static const unsigned char sha1_entropyinput[] =
13134 + 0xa9,0x47,0x1b,0x29,0x2d,0x1c,0x05,0xdf,0x76,0xd0,0x62,0xf9,
13135 + 0xe2,0x7f,0x4c,0x7b
13139 +static const unsigned char sha1_nonce[] =
13141 + 0x53,0x23,0x24,0xe3,0xec,0x0c,0x54,0x14
13145 +static const unsigned char sha1_personalizationstring[] =
13147 + 0x7a,0x87,0xa1,0xac,0x1c,0xfd,0xab,0xae,0xf7,0xd6,0xfb,0x76,
13148 + 0x28,0xec,0x6d,0xca
13152 +static const unsigned char sha1_additionalinput[] =
13154 + 0xfc,0x92,0x35,0xd6,0x7e,0xb7,0x24,0x65,0xfd,0x12,0x27,0x35,
13155 + 0xc0,0x72,0xca,0x28
13159 +static const unsigned char sha1_int_returnedbits[] =
13161 + 0x57,0x88,0x82,0xe5,0x25,0xa5,0x2c,0x4a,0x06,0x20,0x6c,0x72,
13162 + 0x55,0x61,0xdd,0x90,0x71,0x9f,0x95,0xea
13166 +static const unsigned char sha1_entropyinputreseed[] =
13168 + 0x69,0xa5,0x40,0x62,0x98,0x47,0x56,0x73,0x4a,0x8f,0x60,0x96,
13169 + 0xd6,0x99,0x27,0xed
13173 +static const unsigned char sha1_additionalinputreseed[] =
13175 + 0xe5,0x40,0x4e,0xbd,0x50,0x00,0xf5,0x15,0xa6,0xee,0x45,0xda,
13176 + 0x84,0x3d,0xd4,0xc0
13180 +static const unsigned char sha1_additionalinput2[] =
13182 + 0x11,0x51,0x14,0xf0,0x09,0x1b,0x4e,0x56,0x0d,0xe9,0xf6,0x1e,
13183 + 0x52,0x65,0xcd,0x96
13187 +static const unsigned char sha1_returnedbits[] =
13189 + 0xa1,0x9c,0x94,0x6e,0x29,0xe1,0x33,0x0d,0x32,0xd6,0xaa,0xce,
13190 + 0x71,0x3f,0x52,0x72,0x8b,0x42,0xa8,0xd7
13196 +static const unsigned char sha224_pr_entropyinput[] =
13198 + 0x12,0x69,0x32,0x4f,0x83,0xa6,0xf5,0x14,0xe3,0x49,0x3e,0x75,
13199 + 0x3e,0xde,0xad,0xa1,0x29,0xc3,0xf3,0x19,0x20,0xb5,0x4c,0xd9
13203 +static const unsigned char sha224_pr_nonce[] =
13205 + 0x6a,0x78,0xd0,0xeb,0xbb,0x5a,0xf0,0xee,0xe8,0xc3,0xba,0x71
13209 +static const unsigned char sha224_pr_personalizationstring[] =
13211 + 0xd5,0xb8,0xb6,0xbc,0xc1,0x5b,0x60,0x31,0x3c,0xf5,0xe5,0xc0,
13212 + 0x8e,0x52,0x7a,0xbd,0xea,0x47,0xa9,0x5f,0x8f,0xf9,0x8b,0xae
13216 +static const unsigned char sha224_pr_additionalinput[] =
13218 + 0x1f,0x55,0xec,0xae,0x16,0x12,0x84,0xba,0x84,0x16,0x19,0x88,
13219 + 0x8e,0xb8,0x33,0x25,0x54,0xff,0xca,0x79,0xaf,0x07,0x25,0x50
13223 +static const unsigned char sha224_pr_entropyinputpr[] =
13225 + 0x92,0xa3,0x32,0xa8,0x9a,0x0a,0x58,0x7c,0x1d,0x5a,0x7e,0xe1,
13226 + 0xb2,0x73,0xab,0x0e,0x16,0x79,0x23,0xd3,0x29,0x89,0x81,0xe1
13230 +static const unsigned char sha224_pr_int_returnedbits[] =
13232 + 0xf3,0x38,0x91,0x40,0x37,0x7a,0x51,0x72,0x42,0x74,0x78,0x0a,
13233 + 0x69,0xfd,0xa6,0x44,0x43,0x45,0x6c,0x0c,0x5a,0x19,0xff,0xf1,
13234 + 0x54,0x60,0xee,0x6a
13238 +static const unsigned char sha224_pr_additionalinput2[] =
13240 + 0x75,0xf3,0x04,0x25,0xdd,0x36,0xa8,0x37,0x46,0xae,0x0c,0x52,
13241 + 0x05,0x79,0x4c,0x26,0xdb,0xe9,0x71,0x16,0x4c,0x0a,0xf2,0x60
13245 +static const unsigned char sha224_pr_entropyinputpr2[] =
13247 + 0xea,0xc5,0x03,0x0a,0x4f,0xb0,0x38,0x8d,0x23,0xd4,0xc8,0x77,
13248 + 0xe2,0x6d,0x9c,0x0b,0x44,0xf7,0x2d,0x5b,0xbf,0x5d,0x2a,0x11
13252 +static const unsigned char sha224_pr_returnedbits[] =
13254 + 0x60,0x50,0x2b,0xe7,0x86,0xd8,0x26,0x73,0xe3,0x1d,0x95,0x20,
13255 + 0xb3,0x2c,0x32,0x1c,0xf5,0xce,0x57,0xa6,0x67,0x2b,0xdc,0x4e,
13256 + 0xdd,0x11,0x4c,0xc4
13260 +/* SHA-224 No PR */
13262 +static const unsigned char sha224_entropyinput[] =
13264 + 0xb2,0x1c,0x77,0x4d,0xf6,0xd3,0xb6,0x40,0xb7,0x30,0x3e,0x29,
13265 + 0xb0,0x85,0x1c,0xbe,0x4a,0xea,0x6b,0x5a,0xb5,0x8a,0x97,0xeb
13269 +static const unsigned char sha224_nonce[] =
13271 + 0x42,0x02,0x0a,0x1c,0x98,0x9a,0x77,0x9e,0x9f,0x80,0xba,0xe0
13275 +static const unsigned char sha224_personalizationstring[] =
13277 + 0x98,0xb8,0x04,0x41,0xfc,0xc1,0x5d,0xc5,0xe9,0xb9,0x08,0xda,
13278 + 0xf9,0xfa,0x0d,0x90,0xce,0xdf,0x1d,0x10,0xa9,0x8d,0x50,0x0c
13282 +static const unsigned char sha224_additionalinput[] =
13284 + 0x9a,0x8d,0x39,0x49,0x42,0xd5,0x0b,0xae,0xe1,0xaf,0xb7,0x00,
13285 + 0x02,0xfa,0x96,0xb1,0xa5,0x1d,0x2d,0x25,0x78,0xee,0x83,0x3f
13289 +static const unsigned char sha224_int_returnedbits[] =
13291 + 0xe4,0xf5,0x53,0x79,0x5a,0x97,0x58,0x06,0x08,0xba,0x7b,0xfa,
13292 + 0xf0,0x83,0x05,0x8c,0x22,0xc0,0xc9,0xdb,0x15,0xe7,0xde,0x20,
13293 + 0x55,0x22,0x9a,0xad
13297 +static const unsigned char sha224_entropyinputreseed[] =
13299 + 0x67,0x09,0x48,0xaa,0x07,0x16,0x99,0x89,0x7f,0x6d,0xa0,0xe5,
13300 + 0x8f,0xdf,0xbc,0xdb,0xfe,0xe5,0x6c,0x7a,0x95,0x4a,0x66,0x17
13304 +static const unsigned char sha224_additionalinputreseed[] =
13306 + 0x0f,0x4b,0x1c,0x6f,0xb7,0xe3,0x47,0xe5,0x5d,0x7d,0x38,0xd6,
13307 + 0x28,0x9b,0xeb,0x55,0x63,0x09,0x3e,0x7c,0x56,0xea,0xf8,0x19
13311 +static const unsigned char sha224_additionalinput2[] =
13313 + 0x2d,0x26,0x7c,0x37,0xe4,0x7a,0x28,0x5e,0x5a,0x3c,0xaf,0x3d,
13314 + 0x5a,0x8e,0x55,0xa2,0x1a,0x6e,0xc0,0xe5,0xf6,0x21,0xd3,0xf6
13318 +static const unsigned char sha224_returnedbits[] =
13320 + 0x4d,0x83,0x35,0xdf,0x67,0xa9,0xfc,0x17,0xda,0x70,0xcc,0x8b,
13321 + 0x7f,0x77,0xae,0xa2,0x5f,0xb9,0x7e,0x74,0x4c,0x26,0xc1,0x7a,
13322 + 0x3b,0xa7,0x5c,0x93
13328 +static const unsigned char sha256_pr_entropyinput[] =
13330 + 0xce,0x49,0x00,0x7a,0x56,0xe3,0x67,0x8f,0xe1,0xb6,0xa7,0xd4,
13331 + 0x4f,0x08,0x7a,0x1b,0x01,0xf4,0xfa,0x6b,0xef,0xb7,0xe5,0xeb,
13332 + 0x07,0x3d,0x11,0x0d,0xc8,0xea,0x2b,0xfe
13336 +static const unsigned char sha256_pr_nonce[] =
13338 + 0x73,0x41,0xc8,0x92,0x94,0xe2,0xc5,0x5f,0x93,0xfd,0x39,0x5d,
13339 + 0x2b,0x91,0x4d,0x38
13343 +static const unsigned char sha256_pr_personalizationstring[] =
13345 + 0x50,0x6d,0x01,0x01,0x07,0x5a,0x80,0x35,0x7a,0x56,0x1a,0x56,
13346 + 0x2f,0x9a,0x0b,0x35,0xb2,0xb1,0xc9,0xe5,0xca,0x69,0x61,0x48,
13347 + 0xff,0xfb,0x0f,0xd9,0x4b,0x79,0x1d,0xba
13351 +static const unsigned char sha256_pr_additionalinput[] =
13353 + 0x20,0xb8,0xdf,0x44,0x77,0x5a,0xb8,0xd3,0xbf,0xf6,0xcf,0xac,
13354 + 0x5e,0xa6,0x96,0x62,0x73,0x44,0x40,0x4a,0x30,0xfb,0x38,0xa5,
13355 + 0x7b,0x0d,0xe4,0x0d,0xc6,0xe4,0x9a,0x1f
13359 +static const unsigned char sha256_pr_entropyinputpr[] =
13361 + 0x04,0xc4,0x65,0xf4,0xd3,0xbf,0x83,0x4b,0xab,0xc8,0x41,0xa8,
13362 + 0xc2,0xe0,0x44,0x63,0x77,0x4c,0x6f,0x6c,0x49,0x46,0xff,0x94,
13363 + 0x17,0xea,0xe6,0x1a,0x9d,0x5e,0x66,0x78
13367 +static const unsigned char sha256_pr_int_returnedbits[] =
13369 + 0x07,0x4d,0xac,0x9b,0x86,0xca,0x4a,0xaa,0x6e,0x7a,0x03,0xa2,
13370 + 0x5d,0x10,0xea,0x0b,0xf9,0x83,0xcc,0xd1,0xfc,0xe2,0x07,0xc7,
13371 + 0x06,0x34,0x60,0x6f,0x83,0x94,0x99,0x76
13375 +static const unsigned char sha256_pr_additionalinput2[] =
13377 + 0x89,0x4e,0x45,0x8c,0x11,0xf9,0xbc,0x5b,0xac,0x74,0x8b,0x4b,
13378 + 0x5f,0xf7,0x19,0xf3,0xf5,0x24,0x54,0x14,0xd1,0x15,0xb1,0x43,
13379 + 0x12,0xa4,0x5f,0xd4,0xec,0xfc,0xcd,0x09
13383 +static const unsigned char sha256_pr_entropyinputpr2[] =
13385 + 0x0e,0xeb,0x1f,0xd7,0xfc,0xd1,0x9d,0xd4,0x05,0x36,0x8b,0xb2,
13386 + 0xfb,0xe4,0xf4,0x51,0x0c,0x87,0x9b,0x02,0x44,0xd5,0x92,0x4d,
13387 + 0x44,0xfe,0x1a,0x03,0x43,0x56,0xbd,0x86
13391 +static const unsigned char sha256_pr_returnedbits[] =
13393 + 0x02,0xaa,0xb6,0x1d,0x7e,0x2a,0x40,0x03,0x69,0x2d,0x49,0xa3,
13394 + 0x41,0xe7,0x44,0x0b,0xaf,0x7b,0x85,0xe4,0x5f,0x53,0x3b,0x64,
13395 + 0xbc,0x89,0xc8,0x82,0xd4,0x78,0x37,0xa2
13399 +/* SHA-256 No PR */
13401 +static const unsigned char sha256_entropyinput[] =
13403 + 0x5b,0x1b,0xec,0x4d,0xa9,0x38,0x74,0x5a,0x34,0x0b,0x7b,0xc5,
13404 + 0xe5,0xd7,0x66,0x7c,0xbc,0x82,0xb9,0x0e,0x2d,0x1f,0x92,0xd7,
13405 + 0xc1,0xbc,0x67,0x69,0xec,0x6b,0x03,0x3c
13409 +static const unsigned char sha256_nonce[] =
13411 + 0xa4,0x0c,0xd8,0x9c,0x61,0xd8,0xc3,0x54,0xfe,0x53,0xc9,0xe5,
13412 + 0x5d,0x6f,0x6d,0x35
13416 +static const unsigned char sha256_personalizationstring[] =
13418 + 0x22,0x5e,0x62,0x93,0x42,0x83,0x78,0x24,0xd8,0x40,0x8c,0xde,
13419 + 0x6f,0xf9,0xa4,0x7a,0xc5,0xa7,0x3b,0x88,0xa3,0xee,0x42,0x20,
13420 + 0xfd,0x61,0x56,0xc6,0x4c,0x13,0x41,0x9c
13424 +static const unsigned char sha256_additionalinput[] =
13426 + 0xbf,0x74,0x5b,0xf6,0xc5,0x64,0x5e,0x99,0x34,0x8f,0xbc,0xa4,
13427 + 0xe2,0xbd,0xd8,0x85,0x26,0x37,0xea,0xba,0x4f,0xf2,0x9a,0x9a,
13428 + 0x66,0xfc,0xdf,0x63,0x26,0x26,0x19,0x87
13432 +static const unsigned char sha256_int_returnedbits[] =
13434 + 0xb3,0xc6,0x07,0x07,0xd6,0x75,0xf6,0x2b,0xd6,0x21,0x96,0xf1,
13435 + 0xae,0xdb,0x2b,0xac,0x25,0x2a,0xae,0xae,0x41,0x72,0x03,0x5e,
13436 + 0xbf,0xd3,0x64,0xbc,0x59,0xf9,0xc0,0x76
13440 +static const unsigned char sha256_entropyinputreseed[] =
13442 + 0xbf,0x20,0x33,0x56,0x29,0xa8,0x37,0x04,0x1f,0x78,0x34,0x3d,
13443 + 0x81,0x2a,0xc9,0x86,0xc6,0x7a,0x2f,0x88,0x5e,0xd5,0xbe,0x34,
13444 + 0x46,0x20,0xa4,0x35,0xeb,0xc7,0xe2,0x9d
13448 +static const unsigned char sha256_additionalinputreseed[] =
13450 + 0x9b,0xae,0x2d,0x2d,0x61,0xa4,0x89,0xeb,0x43,0x46,0xa7,0xda,
13451 + 0xef,0x40,0xca,0x4a,0x99,0x11,0x41,0xdc,0x5c,0x94,0xe9,0xac,
13452 + 0xd4,0xd0,0xe6,0xbd,0xfb,0x03,0x9c,0xa8
13456 +static const unsigned char sha256_additionalinput2[] =
13458 + 0x23,0xaa,0x0c,0xbd,0x28,0x33,0xe2,0x51,0xfc,0x71,0xd2,0x15,
13459 + 0x1f,0x76,0xfd,0x0d,0xe0,0xb7,0xb5,0x84,0x75,0x5b,0xbe,0xf3,
13460 + 0x5c,0xca,0xc5,0x30,0xf2,0x75,0x1f,0xda
13464 +static const unsigned char sha256_returnedbits[] =
13466 + 0x90,0x3c,0xc1,0x10,0x8c,0x12,0x01,0xc6,0xa6,0x3a,0x0f,0x4d,
13467 + 0xb6,0x3a,0x4f,0x41,0x9c,0x61,0x75,0x84,0xe9,0x74,0x75,0xfd,
13468 + 0xfe,0xf2,0x1f,0x43,0xd8,0x5e,0x24,0xa3
13474 +static const unsigned char sha384_pr_entropyinput[] =
13476 + 0x71,0x9d,0xb2,0x5a,0x71,0x6d,0x04,0xe9,0x1e,0xc7,0x92,0x24,
13477 + 0x6e,0x12,0x33,0xa9,0x52,0x64,0x31,0xef,0x71,0xeb,0x22,0x55,
13478 + 0x28,0x97,0x06,0x6a,0xc0,0x0c,0xa0,0x7e
13482 +static const unsigned char sha384_pr_nonce[] =
13484 + 0xf5,0x0d,0xfa,0xb0,0xec,0x6a,0x7c,0xd6,0xbd,0x9b,0x05,0xfd,
13485 + 0x38,0x3e,0x2e,0x56
13489 +static const unsigned char sha384_pr_personalizationstring[] =
13491 + 0x74,0xac,0x7e,0x6d,0xb1,0xa4,0xe7,0x21,0xd1,0x1e,0x6e,0x96,
13492 + 0x6d,0x4d,0x53,0x46,0x82,0x96,0x6e,0xcf,0xaa,0x81,0x8d,0x7d,
13493 + 0x9e,0xe1,0x0f,0x15,0xea,0x41,0xbf,0xe3
13497 +static const unsigned char sha384_pr_additionalinput[] =
13499 + 0xda,0x95,0xd4,0xd0,0xb8,0x11,0xd3,0x49,0x27,0x5d,0xa9,0x39,
13500 + 0x68,0xf3,0xa8,0xe9,0x5d,0x19,0x8a,0x2b,0x66,0xe8,0x69,0x06,
13501 + 0x7c,0x9e,0x03,0xa1,0x8b,0x26,0x2d,0x6e
13505 +static const unsigned char sha384_pr_entropyinputpr[] =
13507 + 0x49,0xdf,0x44,0x00,0xe4,0x1c,0x75,0x0b,0x26,0x5a,0x59,0x64,
13508 + 0x1f,0x4e,0xb1,0xb2,0x13,0xf1,0x22,0x4e,0xb4,0x6d,0x9a,0xcc,
13509 + 0xa0,0x48,0xe6,0xcf,0x1d,0xd1,0x92,0x0d
13513 +static const unsigned char sha384_pr_int_returnedbits[] =
13515 + 0xc8,0x52,0xae,0xbf,0x04,0x3c,0x27,0xb7,0x78,0x18,0xaa,0x8f,
13516 + 0xff,0xcf,0xa4,0xf1,0xcc,0xe7,0x68,0xfa,0x22,0xa2,0x13,0x45,
13517 + 0xe8,0xdd,0x87,0xe6,0xf2,0x6e,0xdd,0xc7,0x52,0x90,0x9f,0x7b,
13518 + 0xfa,0x61,0x2d,0x9d,0x9e,0xcf,0x98,0xac,0x52,0x40,0xce,0xaf
13522 +static const unsigned char sha384_pr_additionalinput2[] =
13524 + 0x61,0x7c,0x03,0x9a,0x3e,0x50,0x57,0x60,0xc5,0x83,0xc9,0xb2,
13525 + 0xd1,0x87,0x85,0x66,0x92,0x5d,0x84,0x0e,0x53,0xfb,0x70,0x03,
13526 + 0x72,0xfd,0xba,0xae,0x9c,0x8f,0xf8,0x18
13530 +static const unsigned char sha384_pr_entropyinputpr2[] =
13532 + 0xf8,0xeb,0x89,0xb1,0x8d,0x78,0xbe,0x21,0xe0,0xbb,0x9d,0xb7,
13533 + 0x95,0x0e,0xd9,0x46,0x0c,0x8c,0xe2,0x63,0xb7,0x9d,0x67,0x90,
13534 + 0xbd,0xc7,0x0b,0xa5,0xce,0xb2,0x65,0x81
13538 +static const unsigned char sha384_pr_returnedbits[] =
13540 + 0xe6,0x9f,0xfe,0x68,0xd6,0xb5,0x79,0xf1,0x06,0x5f,0xa3,0xbb,
13541 + 0x23,0x85,0xd8,0xf0,0x29,0x5a,0x68,0x9e,0xf5,0xf4,0xa6,0x12,
13542 + 0xe0,0x9a,0xe2,0xac,0x00,0x1d,0x98,0x26,0xfc,0x53,0x95,0x53,
13543 + 0xe4,0x3e,0x17,0xd5,0x08,0x0b,0x70,0x3d,0x67,0x99,0xac,0x66
13547 +/* SHA-384 No PR */
13549 +static const unsigned char sha384_entropyinput[] =
13551 + 0x07,0x15,0x27,0x2a,0xaf,0x74,0x24,0x37,0xbc,0xd5,0x14,0x69,
13552 + 0xce,0x11,0xff,0xa2,0x6b,0xb8,0x05,0x67,0x34,0xf8,0xbd,0x6d,
13553 + 0x6a,0xcc,0xcd,0x60,0xa3,0x68,0xca,0xf4
13557 +static const unsigned char sha384_nonce[] =
13559 + 0x70,0x17,0xc2,0x5b,0x5d,0x22,0x0b,0x06,0x15,0x54,0x78,0x77,
13560 + 0x44,0xaf,0x2f,0x09
13564 +static const unsigned char sha384_personalizationstring[] =
13566 + 0x89,0x39,0x28,0xb0,0x60,0xeb,0x3d,0xdc,0x55,0x75,0x86,0xeb,
13567 + 0xae,0xa2,0x8f,0xbc,0x1b,0x75,0xd4,0xe1,0x0f,0xaa,0x38,0xca,
13568 + 0x62,0x8b,0xcb,0x2c,0x26,0xf6,0xbc,0xb1
13572 +static const unsigned char sha384_additionalinput[] =
13574 + 0x30,0x2b,0x42,0x35,0xef,0xda,0x40,0x55,0x28,0xc6,0x95,0xfb,
13575 + 0x54,0x01,0x62,0xd7,0x87,0x14,0x48,0x6d,0x90,0x4c,0xa9,0x02,
13576 + 0x54,0x40,0x22,0xc8,0x66,0xa5,0x48,0x48
13580 +static const unsigned char sha384_int_returnedbits[] =
13582 + 0x82,0xc4,0xa1,0x9c,0x21,0xd2,0xe7,0xa5,0xa6,0xf6,0x5f,0x04,
13583 + 0x5c,0xc7,0x31,0x9d,0x8d,0x59,0x74,0x50,0x19,0x89,0x2f,0x63,
13584 + 0xd5,0xb7,0x7e,0xeb,0x15,0xe3,0x70,0x83,0xa1,0x24,0x59,0xfa,
13585 + 0x2c,0x56,0xf6,0x88,0x3a,0x92,0x93,0xa1,0xfb,0x79,0xc1,0x7a
13589 +static const unsigned char sha384_entropyinputreseed[] =
13591 + 0x39,0xa6,0xe8,0x5c,0x82,0x17,0x71,0x26,0x57,0x4f,0x9f,0xc2,
13592 + 0x55,0xff,0x5c,0x9b,0x53,0x1a,0xd1,0x5f,0xbc,0x62,0xe4,0x27,
13593 + 0x2d,0x32,0xf0,0xe4,0x52,0x8c,0xc5,0x0c
13597 +static const unsigned char sha384_additionalinputreseed[] =
13599 + 0x8d,0xcb,0x8d,0xce,0x08,0xea,0x80,0xe8,0x9b,0x61,0xa8,0x0f,
13600 + 0xaf,0x49,0x20,0x9e,0x74,0xcb,0x57,0x80,0x42,0xb0,0x84,0x5e,
13601 + 0x30,0x2a,0x67,0x08,0xf4,0xe3,0x40,0x22
13605 +static const unsigned char sha384_additionalinput2[] =
13607 + 0x7c,0x8f,0xc2,0xae,0x22,0x4a,0xd6,0xf6,0x05,0xa4,0x7a,0xea,
13608 + 0xbb,0x25,0xd0,0xb7,0x5a,0xd6,0xcf,0x9d,0xf3,0x6c,0xe2,0xb2,
13609 + 0x4e,0xb4,0xbd,0xf4,0xe5,0x40,0x80,0x94
13613 +static const unsigned char sha384_returnedbits[] =
13615 + 0x9e,0x7e,0xfb,0x59,0xbb,0xaa,0x3c,0xf7,0xe1,0xf8,0x76,0xdd,
13616 + 0x63,0x5f,0xaf,0x23,0xd6,0x64,0x61,0xc0,0x9a,0x09,0x47,0xc9,
13617 + 0x33,0xdf,0x6d,0x55,0x91,0x34,0x79,0x70,0xc4,0x99,0x6e,0x54,
13618 + 0x09,0x64,0x21,0x1a,0xbd,0x1e,0x80,0x40,0x34,0xad,0xfa,0xd7
13624 +static const unsigned char sha512_pr_entropyinput[] =
13626 + 0x13,0xf7,0x61,0x75,0x65,0x28,0xa2,0x59,0x13,0x5a,0x4a,0x4f,
13627 + 0x56,0x60,0x8c,0x53,0x7d,0xb0,0xbd,0x06,0x4f,0xed,0xcc,0xd2,
13628 + 0xa2,0xb5,0xfd,0x5b,0x3a,0xab,0xec,0x28
13632 +static const unsigned char sha512_pr_nonce[] =
13634 + 0xbe,0xa3,0x91,0x93,0x1d,0xc3,0x31,0x3a,0x23,0x33,0x50,0x67,
13635 + 0x88,0xc7,0xa2,0xc4
13639 +static const unsigned char sha512_pr_personalizationstring[] =
13641 + 0x1f,0x59,0x4d,0x7b,0xe6,0x46,0x91,0x48,0xc1,0x25,0xfa,0xff,
13642 + 0x89,0x12,0x77,0x35,0xdf,0x3e,0xf4,0x80,0x5f,0xd9,0xb0,0x07,
13643 + 0x22,0x41,0xdd,0x48,0x78,0x6b,0x77,0x2b
13647 +static const unsigned char sha512_pr_additionalinput[] =
13649 + 0x30,0xff,0x63,0x6f,0xac,0xd9,0x84,0x39,0x6f,0xe4,0x99,0xce,
13650 + 0x91,0x7d,0x7e,0xc8,0x58,0xf2,0x12,0xc3,0xb6,0xad,0xda,0x22,
13651 + 0x04,0xa0,0xd2,0x21,0xfe,0xf2,0x95,0x1d
13655 +static const unsigned char sha512_pr_entropyinputpr[] =
13657 + 0x64,0x54,0x13,0xec,0x4f,0x77,0xda,0xb2,0x92,0x2e,0x52,0x80,
13658 + 0x11,0x10,0xc2,0xf8,0xe6,0xa7,0xcd,0x4b,0xfc,0x32,0x2e,0x9e,
13659 + 0xeb,0xbb,0xb1,0xbf,0x15,0x5c,0x73,0x08
13663 +static const unsigned char sha512_pr_int_returnedbits[] =
13665 + 0xef,0x1e,0xdc,0x0a,0xa4,0x36,0x91,0x9c,0x3d,0x27,0x97,0x50,
13666 + 0x8d,0x36,0x29,0x8d,0xce,0x6a,0x0c,0xf7,0x21,0xc0,0x91,0xae,
13667 + 0x0c,0x96,0x72,0xbd,0x52,0x81,0x58,0xfc,0x6d,0xe5,0xf7,0xa5,
13668 + 0xfd,0x5d,0xa7,0x58,0x68,0xc8,0x99,0x58,0x8e,0xc8,0xce,0x95,
13669 + 0x01,0x7d,0xff,0xa4,0xc8,0xf7,0x63,0xfe,0x5f,0x69,0x83,0x53,
13670 + 0xe2,0xc6,0x8b,0xc3
13674 +static const unsigned char sha512_pr_additionalinput2[] =
13676 + 0xe6,0x9b,0xc4,0x88,0x34,0xca,0xea,0x29,0x2f,0x98,0x05,0xa4,
13677 + 0xd3,0xc0,0x7b,0x11,0xe8,0xbb,0x75,0xf2,0xbd,0x29,0xb7,0x40,
13678 + 0x25,0x7f,0xc1,0xb7,0xb1,0xf1,0x25,0x61
13682 +static const unsigned char sha512_pr_entropyinputpr2[] =
13684 + 0x23,0x6d,0xff,0xde,0xfb,0xd1,0xba,0x33,0x18,0xe6,0xbe,0xb5,
13685 + 0x48,0x77,0x6d,0x7f,0xa7,0xe1,0x4d,0x48,0x1e,0x3c,0xa7,0x34,
13686 + 0x1a,0xc8,0x60,0xdb,0x8f,0x99,0x15,0x99
13690 +static const unsigned char sha512_pr_returnedbits[] =
13692 + 0x70,0x27,0x31,0xdb,0x92,0x70,0x21,0xfe,0x16,0xb6,0xc8,0x51,
13693 + 0x34,0x87,0x65,0xd0,0x4e,0xfd,0xfe,0x68,0xec,0xac,0xdc,0x93,
13694 + 0x41,0x38,0x92,0x90,0xb4,0x94,0xf9,0x0d,0xa4,0xf7,0x4e,0x80,
13695 + 0x92,0x67,0x48,0x40,0xa7,0x08,0xc7,0xbc,0x66,0x00,0xfd,0xf7,
13696 + 0x4c,0x8b,0x17,0x6e,0xd1,0x8f,0x9b,0xf3,0x6f,0xf6,0x34,0xdd,
13697 + 0x67,0xf7,0x68,0xdd
13701 +/* SHA-512 No PR */
13703 +static const unsigned char sha512_entropyinput[] =
13705 + 0xb6,0x0b,0xb7,0xbc,0x84,0x56,0xf6,0x12,0xaf,0x45,0x67,0x17,
13706 + 0x7c,0xd1,0xb2,0x78,0x2b,0xa0,0xf2,0xbe,0xb6,0x6d,0x8b,0x56,
13707 + 0xc6,0xbc,0x4d,0xe1,0xf7,0xbe,0xce,0xbd
13711 +static const unsigned char sha512_nonce[] =
13713 + 0x9d,0xed,0xc0,0xe5,0x5a,0x98,0x6a,0xcb,0x51,0x7d,0x76,0x31,
13714 + 0x5a,0x64,0xf0,0xf7
13718 +static const unsigned char sha512_personalizationstring[] =
13720 + 0xc2,0x6d,0xa3,0xc3,0x06,0x74,0xe5,0x01,0x5c,0x10,0x17,0xc7,
13721 + 0xaf,0x83,0x9d,0x59,0x8d,0x2d,0x29,0x38,0xc5,0x59,0x70,0x8b,
13722 + 0x46,0x48,0x2d,0xcf,0x36,0x7d,0x59,0xc0
13726 +static const unsigned char sha512_additionalinput[] =
13728 + 0xec,0x8c,0xd4,0xf7,0x61,0x6e,0x0d,0x95,0x79,0xb7,0x28,0xad,
13729 + 0x5f,0x69,0x74,0x5f,0x2d,0x36,0x06,0x8a,0x6b,0xac,0x54,0x97,
13730 + 0xc4,0xa1,0x12,0x85,0x0a,0xdf,0x4b,0x34
13734 +static const unsigned char sha512_int_returnedbits[] =
13736 + 0x84,0x2f,0x1f,0x68,0x6a,0xa3,0xad,0x1e,0xfb,0xf4,0x15,0xbd,
13737 + 0xde,0x38,0xd4,0x30,0x80,0x51,0xe9,0xd3,0xc7,0x20,0x88,0xe9,
13738 + 0xf5,0xcc,0xdf,0x57,0x5c,0x47,0x2f,0x57,0x3c,0x5f,0x13,0x56,
13739 + 0xcc,0xc5,0x4f,0x84,0xf8,0x10,0x41,0xd5,0x7e,0x58,0x6e,0x19,
13740 + 0x19,0x9e,0xaf,0xc2,0x22,0x58,0x41,0x50,0x79,0xc2,0xd8,0x04,
13741 + 0x28,0xd4,0x39,0x9a
13745 +static const unsigned char sha512_entropyinputreseed[] =
13747 + 0xfa,0x7f,0x46,0x51,0x83,0x62,0x98,0x16,0x9a,0x19,0xa2,0x49,
13748 + 0xa9,0xe6,0x4a,0xd8,0x85,0xe7,0xd4,0x3b,0x2c,0x82,0xc5,0x82,
13749 + 0xbf,0x11,0xf9,0x9e,0xbc,0xd0,0x01,0xee
13753 +static const unsigned char sha512_additionalinputreseed[] =
13755 + 0xb9,0x12,0xe0,0x4f,0xf7,0xa7,0xc4,0xd8,0xd0,0x8e,0x99,0x29,
13756 + 0x7c,0x9a,0xe9,0xcf,0xc4,0x6c,0xf8,0xc3,0xa7,0x41,0x83,0xd6,
13757 + 0x2e,0xfa,0xb8,0x5e,0x8e,0x6b,0x78,0x20
13761 +static const unsigned char sha512_additionalinput2[] =
13763 + 0xd7,0x07,0x52,0xb9,0x83,0x2c,0x03,0x71,0xee,0xc9,0xc0,0x85,
13764 + 0xe1,0x57,0xb2,0xcd,0x3a,0xf0,0xc9,0x34,0x24,0x41,0x1c,0x42,
13765 + 0x99,0xb2,0x84,0xe9,0x17,0xd2,0x76,0x92
13769 +static const unsigned char sha512_returnedbits[] =
13771 + 0x36,0x17,0x5d,0x98,0x2b,0x65,0x25,0x8e,0xc8,0x29,0xdf,0x27,
13772 + 0x05,0x36,0x26,0x12,0x8a,0x68,0x74,0x27,0x37,0xd4,0x7f,0x32,
13773 + 0xb1,0x12,0xd6,0x85,0x83,0xeb,0x2e,0xa0,0xed,0x4b,0xb5,0x7b,
13774 + 0x6f,0x39,0x3c,0x71,0x77,0x02,0x12,0xcc,0x2c,0x3a,0x8e,0x63,
13775 + 0xdf,0x4a,0xbd,0x6f,0x6e,0x2e,0xed,0x0a,0x85,0xa5,0x2f,0xa2,
13776 + 0x68,0xde,0x42,0xb5
13780 +/* HMAC SHA-1 PR */
13782 +static const unsigned char hmac_sha1_pr_entropyinput[] =
13784 + 0x26,0x5f,0x36,0x14,0xff,0x3d,0x83,0xfa,0x73,0x5e,0x75,0xdc,
13785 + 0x2c,0x18,0x17,0x1b
13789 +static const unsigned char hmac_sha1_pr_nonce[] =
13791 + 0xc8,0xe3,0x57,0xa5,0x7b,0x74,0x86,0x6e
13795 +static const unsigned char hmac_sha1_pr_personalizationstring[] =
13797 + 0x6e,0xdb,0x0d,0xfe,0x7d,0xac,0x79,0xd0,0xa5,0x3a,0x48,0x85,
13798 + 0x80,0xe2,0x7f,0x2a
13802 +static const unsigned char hmac_sha1_pr_additionalinput[] =
13804 + 0x31,0xcd,0x5e,0x43,0xdc,0xfb,0x7a,0x79,0xca,0x88,0xde,0x1f,
13805 + 0xd7,0xbb,0x42,0x09
13809 +static const unsigned char hmac_sha1_pr_entropyinputpr[] =
13811 + 0x7c,0x23,0x95,0x38,0x00,0x95,0xc1,0x78,0x1f,0x8f,0xd7,0x63,
13812 + 0x23,0x87,0x2a,0xed
13816 +static const unsigned char hmac_sha1_pr_int_returnedbits[] =
13818 + 0xbb,0x34,0xe7,0x93,0xa3,0x02,0x2c,0x4a,0xd0,0x89,0xda,0x7f,
13819 + 0xed,0xf4,0x4c,0xde,0x17,0xec,0xe5,0x6c
13823 +static const unsigned char hmac_sha1_pr_additionalinput2[] =
13825 + 0x49,0xbc,0x2d,0x2c,0xb7,0x32,0xcb,0x20,0xdf,0xf5,0x77,0x58,
13826 + 0xa0,0x4b,0x93,0x6e
13830 +static const unsigned char hmac_sha1_pr_entropyinputpr2[] =
13832 + 0x3c,0xaa,0xb0,0x21,0x42,0xb0,0xdd,0x34,0xf0,0x16,0x7f,0x0c,
13833 + 0x0f,0xff,0x2e,0xaf
13837 +static const unsigned char hmac_sha1_pr_returnedbits[] =
13839 + 0x8e,0xcb,0xa3,0x64,0xb2,0xb8,0x33,0x6c,0x64,0x3b,0x78,0x16,
13840 + 0x99,0x35,0xc8,0x30,0xcb,0x3e,0xa0,0xd8
13844 +/* HMAC SHA-1 No PR */
13846 +static const unsigned char hmac_sha1_entropyinput[] =
13848 + 0x32,0x9a,0x2a,0x87,0x7b,0x89,0x7c,0xf6,0xcb,0x95,0xd5,0x40,
13849 + 0x17,0xfe,0x47,0x70
13853 +static const unsigned char hmac_sha1_nonce[] =
13855 + 0x16,0xd8,0xe0,0xc7,0x52,0xcf,0x4a,0x25
13859 +static const unsigned char hmac_sha1_personalizationstring[] =
13861 + 0x35,0x35,0xa9,0xa5,0x40,0xbe,0x9b,0xd1,0x56,0xdd,0x44,0x00,
13862 + 0x72,0xf7,0xd3,0x5e
13866 +static const unsigned char hmac_sha1_additionalinput[] =
13868 + 0x1b,0x2c,0x84,0x2d,0x4a,0x89,0x8f,0x69,0x19,0xf1,0xf3,0xdb,
13869 + 0xbb,0xe3,0xaa,0xea
13873 +static const unsigned char hmac_sha1_int_returnedbits[] =
13875 + 0xcf,0xfa,0x7d,0x72,0x0f,0xe6,0xc7,0x96,0xa0,0x69,0x31,0x11,
13876 + 0x9b,0x0b,0x1a,0x20,0x1f,0x3f,0xaa,0xd1
13880 +static const unsigned char hmac_sha1_entropyinputreseed[] =
13882 + 0x90,0x75,0x15,0x04,0x95,0xf1,0xba,0x81,0x0c,0x37,0x94,0x6f,
13883 + 0x86,0x52,0x6d,0x9c
13887 +static const unsigned char hmac_sha1_additionalinputreseed[] =
13889 + 0x5b,0x40,0xba,0x5f,0x17,0x70,0xf0,0x4b,0xdf,0xc9,0x97,0x92,
13890 + 0x79,0xc5,0x82,0x28
13894 +static const unsigned char hmac_sha1_additionalinput2[] =
13896 + 0x97,0xc8,0x80,0x90,0xb3,0xaa,0x6e,0x60,0xea,0x83,0x7a,0xe3,
13897 + 0x8a,0xca,0xa4,0x7f
13901 +static const unsigned char hmac_sha1_returnedbits[] =
13903 + 0x90,0xbd,0x05,0x56,0x6d,0xb5,0x22,0xd5,0xb9,0x5a,0x29,0x2d,
13904 + 0xe9,0x0b,0xe1,0xac,0xde,0x27,0x0b,0xb0
13908 +/* HMAC SHA-224 PR */
13910 +static const unsigned char hmac_sha224_pr_entropyinput[] =
13912 + 0x17,0x32,0x2b,0x2e,0x6f,0x1b,0x9c,0x6d,0x31,0xe0,0x34,0x07,
13913 + 0xcf,0xed,0xf6,0xb6,0x5a,0x76,0x4c,0xbc,0x62,0x85,0x01,0x90
13917 +static const unsigned char hmac_sha224_pr_nonce[] =
13919 + 0x38,0xbf,0x5f,0x20,0xb3,0x68,0x2f,0x43,0x61,0x05,0x8f,0x23
13923 +static const unsigned char hmac_sha224_pr_personalizationstring[] =
13925 + 0xc0,0xc9,0x45,0xac,0x8d,0x27,0x77,0x08,0x0b,0x17,0x6d,0xed,
13926 + 0xc1,0x7d,0xd5,0x07,0x9d,0x6e,0xf8,0x23,0x2a,0x22,0x13,0xbd
13930 +static const unsigned char hmac_sha224_pr_additionalinput[] =
13932 + 0xa4,0x3c,0xe7,0x3b,0xea,0x19,0x45,0x32,0xc2,0x83,0x6d,0x21,
13933 + 0x8a,0xc0,0xee,0x67,0x45,0xde,0x13,0x7d,0x9d,0x61,0x00,0x3b
13937 +static const unsigned char hmac_sha224_pr_entropyinputpr[] =
13939 + 0x15,0x05,0x74,0x4a,0x7f,0x8d,0x5c,0x60,0x16,0xe5,0x7b,0xad,
13940 + 0xf5,0x41,0x8f,0x55,0x60,0xc4,0x09,0xee,0x1e,0x11,0x81,0xab
13944 +static const unsigned char hmac_sha224_pr_int_returnedbits[] =
13946 + 0x6f,0xf5,0x9a,0xe2,0x54,0x53,0x30,0x3d,0x5a,0x27,0x29,0x38,
13947 + 0x27,0xf2,0x0d,0x05,0xe9,0x26,0xcb,0x16,0xc3,0x51,0x5f,0x13,
13948 + 0x41,0xfe,0x99,0xf2
13952 +static const unsigned char hmac_sha224_pr_additionalinput2[] =
13954 + 0x73,0x81,0x88,0x84,0x8f,0xed,0x6f,0x10,0x9f,0x93,0xbf,0x17,
13955 + 0x35,0x7c,0xef,0xd5,0x8d,0x26,0xa6,0x7a,0xe8,0x09,0x36,0x4f
13959 +static const unsigned char hmac_sha224_pr_entropyinputpr2[] =
13961 + 0xe6,0xcf,0xcf,0x7e,0x12,0xe5,0x43,0xd2,0x38,0xd8,0x24,0x6f,
13962 + 0x5a,0x37,0x68,0xbf,0x4f,0xa0,0xff,0xd5,0x61,0x8a,0x93,0xe0
13966 +static const unsigned char hmac_sha224_pr_returnedbits[] =
13968 + 0xaf,0xf9,0xd8,0x19,0x91,0x30,0x82,0x6f,0xa9,0x1e,0x9d,0xd7,
13969 + 0xf3,0x50,0xe0,0xc7,0xd5,0x64,0x96,0x7d,0x4c,0x4d,0x78,0x03,
13970 + 0x6d,0xd8,0x9e,0x72
13974 +/* HMAC SHA-224 No PR */
13976 +static const unsigned char hmac_sha224_entropyinput[] =
13978 + 0x11,0x82,0xfd,0xd9,0x42,0xf4,0xfa,0xc8,0xf2,0x41,0xe6,0x54,
13979 + 0x01,0xae,0x22,0x6e,0xc6,0xaf,0xaf,0xd0,0xa6,0xb2,0xe2,0x6d
13983 +static const unsigned char hmac_sha224_nonce[] =
13985 + 0xa9,0x48,0xd7,0x92,0x39,0x7e,0x2a,0xdc,0x30,0x1f,0x0e,0x2b
13989 +static const unsigned char hmac_sha224_personalizationstring[] =
13991 + 0x11,0xd5,0xf4,0xbd,0x67,0x8c,0x31,0xcf,0xa3,0x3f,0x1e,0x6b,
13992 + 0xa8,0x07,0x02,0x0b,0xc8,0x2e,0x6c,0x64,0x41,0x5b,0xc8,0x37
13996 +static const unsigned char hmac_sha224_additionalinput[] =
13998 + 0x68,0x18,0xc2,0x06,0xeb,0x3e,0x04,0x95,0x44,0x5e,0xfb,0xe6,
13999 + 0x41,0xc1,0x5c,0xcc,0x40,0x2f,0xb7,0xd2,0x0f,0xf3,0x6b,0xe7
14003 +static const unsigned char hmac_sha224_int_returnedbits[] =
14005 + 0x7f,0x45,0xc7,0x5d,0x32,0xe6,0x17,0x60,0xba,0xdc,0xb8,0x42,
14006 + 0x1b,0x9c,0xf1,0xfa,0x3b,0x4d,0x29,0x54,0xc6,0x90,0xff,0x5c,
14007 + 0xcd,0xd6,0xa9,0xcc
14011 +static const unsigned char hmac_sha224_entropyinputreseed[] =
14013 + 0xc4,0x8e,0x37,0x95,0x69,0x53,0x28,0xd7,0x37,0xbb,0x70,0x95,
14014 + 0x1c,0x07,0x1d,0xd9,0xb7,0xe6,0x1b,0xbb,0xfe,0x41,0xeb,0xc9
14018 +static const unsigned char hmac_sha224_additionalinputreseed[] =
14020 + 0x53,0x17,0xa1,0x6a,0xfa,0x77,0x47,0xb0,0x95,0x56,0x9a,0x20,
14021 + 0x57,0xde,0x5c,0x89,0x9f,0x7f,0xe2,0xde,0x17,0x3a,0x50,0x23
14025 +static const unsigned char hmac_sha224_additionalinput2[] =
14027 + 0x3a,0x32,0xf9,0x85,0x0c,0xc1,0xed,0x76,0x2d,0xdf,0x40,0xc3,
14028 + 0x06,0x22,0x66,0xd4,0x9a,0x9a,0xff,0x5a,0x7e,0x7a,0xf3,0x96
14032 +static const unsigned char hmac_sha224_returnedbits[] =
14034 + 0x43,0xb4,0x57,0x5c,0x38,0x25,0x9d,0xae,0xec,0x96,0xd1,0x85,
14035 + 0x3a,0x84,0x8d,0xfe,0x68,0xd5,0x0e,0x5c,0x8f,0x65,0xa5,0x4e,
14036 + 0x45,0x84,0xa8,0x94
14040 +/* HMAC SHA-256 PR */
14042 +static const unsigned char hmac_sha256_pr_entropyinput[] =
14044 + 0x4d,0xb0,0x43,0xd8,0x34,0x4b,0x10,0x70,0xb1,0x8b,0xed,0xea,
14045 + 0x07,0x92,0x9f,0x6c,0x79,0x31,0xaf,0x81,0x29,0xeb,0x6e,0xca,
14046 + 0x32,0x48,0x28,0xe7,0x02,0x5d,0xa6,0xa6
14050 +static const unsigned char hmac_sha256_pr_nonce[] =
14052 + 0x3a,0xae,0x15,0xa9,0x99,0xdc,0xe4,0x67,0x34,0x3b,0x70,0x15,
14053 + 0xaa,0xd3,0x30,0x9a
14057 +static const unsigned char hmac_sha256_pr_personalizationstring[] =
14059 + 0x13,0x1d,0x24,0x04,0xb0,0x18,0x81,0x15,0x21,0x51,0x2a,0x24,
14060 + 0x52,0x61,0xbe,0x64,0x82,0x6b,0x55,0x2f,0xe2,0xf1,0x40,0x7d,
14061 + 0x71,0xd8,0x01,0x86,0x15,0xb7,0x8b,0xb5
14065 +static const unsigned char hmac_sha256_pr_additionalinput[] =
14067 + 0x8f,0xa6,0x54,0x5f,0xb1,0xd0,0xd8,0xc3,0xe7,0x0c,0x15,0xa9,
14068 + 0x23,0x6e,0xfe,0xfb,0x93,0xf7,0x3a,0xbd,0x59,0x01,0xfa,0x18,
14069 + 0x8e,0xe9,0x1a,0xa9,0x78,0xfc,0x79,0x0b
14073 +static const unsigned char hmac_sha256_pr_entropyinputpr[] =
14075 + 0xcf,0x24,0xb9,0xeb,0xb3,0xd4,0xcd,0x17,0x37,0x38,0x75,0x79,
14076 + 0x15,0xcb,0x2d,0x75,0x51,0xf1,0xcc,0xaa,0x32,0xa4,0xa7,0x36,
14077 + 0x7c,0x5c,0xe4,0x47,0xf1,0x3e,0x1d,0xe5
14081 +static const unsigned char hmac_sha256_pr_int_returnedbits[] =
14083 + 0x52,0x42,0xfa,0xeb,0x85,0xe0,0x30,0x22,0x79,0x00,0x16,0xb2,
14084 + 0x88,0x2f,0x14,0x6a,0xb7,0xfc,0xb7,0x53,0xdc,0x4a,0x12,0xef,
14085 + 0x54,0xd6,0x33,0xe9,0x20,0xd6,0xfd,0x56
14089 +static const unsigned char hmac_sha256_pr_additionalinput2[] =
14091 + 0xf4,0xf6,0x49,0xa1,0x2d,0x64,0x2b,0x30,0x58,0xf8,0xbd,0xb8,
14092 + 0x75,0xeb,0xbb,0x5e,0x1c,0x9b,0x81,0x6a,0xda,0x14,0x86,0x6e,
14093 + 0xd0,0xda,0x18,0xb7,0x88,0xfb,0x59,0xf3
14097 +static const unsigned char hmac_sha256_pr_entropyinputpr2[] =
14099 + 0x21,0xcd,0x6e,0x46,0xad,0x99,0x07,0x17,0xb4,0x3d,0x76,0x0a,
14100 + 0xff,0x5b,0x52,0x50,0x78,0xdf,0x1f,0x24,0x06,0x0d,0x3f,0x74,
14101 + 0xa9,0xc9,0x37,0xcf,0xd8,0x26,0x25,0x91
14105 +static const unsigned char hmac_sha256_pr_returnedbits[] =
14107 + 0xa7,0xaf,0x2f,0x29,0xe0,0x3a,0x72,0x95,0x96,0x1c,0xa9,0xf0,
14108 + 0x4a,0x17,0x4d,0x66,0x06,0x10,0xbf,0x39,0x89,0x88,0xb8,0x91,
14109 + 0x37,0x18,0x99,0xcf,0x8c,0x53,0x3b,0x7e
14113 +/* HMAC SHA-256 No PR */
14115 +static const unsigned char hmac_sha256_entropyinput[] =
14117 + 0x96,0xb7,0x53,0x22,0x1e,0x52,0x2a,0x96,0xb1,0x15,0x3c,0x35,
14118 + 0x5a,0x8b,0xd3,0x4a,0xa6,0x6c,0x83,0x0a,0x7d,0xa3,0x23,0x3d,
14119 + 0x43,0xa1,0x07,0x2c,0x2d,0xe3,0x81,0xcc
14123 +static const unsigned char hmac_sha256_nonce[] =
14125 + 0xf1,0xac,0x97,0xcb,0x5e,0x06,0x48,0xd2,0x94,0xbe,0x15,0x2e,
14126 + 0xc7,0xfc,0xc2,0x01
14130 +static const unsigned char hmac_sha256_personalizationstring[] =
14132 + 0x98,0xc5,0x1e,0x35,0x5e,0x89,0x0d,0xce,0x64,0x6d,0x18,0xa7,
14133 + 0x5a,0xc6,0xf3,0xe7,0xd6,0x9e,0xc0,0xea,0xb7,0x3a,0x8d,0x65,
14134 + 0xb8,0xeb,0x10,0xd7,0x57,0x18,0xa0,0x32
14138 +static const unsigned char hmac_sha256_additionalinput[] =
14140 + 0x1b,0x10,0xaf,0xac,0xd0,0x65,0x95,0xad,0x04,0xad,0x03,0x1c,
14141 + 0xe0,0x40,0xd6,0x3e,0x1c,0x46,0x53,0x39,0x7c,0xe2,0xbc,0xda,
14142 + 0x8c,0xa2,0x33,0xa7,0x9a,0x26,0xd3,0x27
14146 +static const unsigned char hmac_sha256_int_returnedbits[] =
14148 + 0xba,0x61,0x0e,0x55,0xfe,0x11,0x8a,0x9e,0x0f,0x80,0xdf,0x1d,
14149 + 0x03,0x0a,0xfe,0x15,0x94,0x28,0x4b,0xba,0xf4,0x9f,0x51,0x25,
14150 + 0x88,0xe5,0x4e,0xfb,0xaf,0xce,0x69,0x90
14154 +static const unsigned char hmac_sha256_entropyinputreseed[] =
14156 + 0x62,0x7f,0x1e,0x6b,0xe8,0x8e,0xe1,0x35,0x7d,0x9b,0x4f,0xc7,
14157 + 0xec,0xc8,0xac,0xef,0x6b,0x13,0x9e,0x05,0x56,0xc1,0x08,0xf9,
14158 + 0x2f,0x0f,0x27,0x9c,0xd4,0x15,0xed,0x2d
14162 +static const unsigned char hmac_sha256_additionalinputreseed[] =
14164 + 0xc7,0x76,0x6e,0xa9,0xd2,0xb2,0x76,0x40,0x82,0x25,0x2c,0xb3,
14165 + 0x6f,0xac,0xe9,0x74,0xef,0x8f,0x3c,0x8e,0xcd,0xf1,0xbf,0xb3,
14166 + 0x49,0x77,0x34,0x88,0x52,0x36,0xe6,0x2e
14170 +static const unsigned char hmac_sha256_additionalinput2[] =
14172 + 0x8d,0xb8,0x0c,0xd1,0xbf,0x70,0xf6,0x19,0xc3,0x41,0x80,0x9f,
14173 + 0xe1,0xa5,0xa4,0x1f,0x2c,0x26,0xb1,0xe5,0xd8,0xeb,0xbe,0xf8,
14174 + 0xdf,0x88,0x6a,0x89,0xd6,0x05,0xd8,0x9d
14178 +static const unsigned char hmac_sha256_returnedbits[] =
14180 + 0x43,0x12,0x2a,0x2c,0x40,0x53,0x2e,0x7c,0x66,0x34,0xac,0xc3,
14181 + 0x43,0xe3,0xe0,0x6a,0xfc,0xfa,0xea,0x87,0x21,0x1f,0xe2,0x26,
14182 + 0xc4,0xf9,0x09,0x9a,0x0d,0x6e,0x7f,0xe0
14186 +/* HMAC SHA-384 PR */
14188 +static const unsigned char hmac_sha384_pr_entropyinput[] =
14190 + 0x69,0x81,0x98,0x88,0x44,0xf5,0xd6,0x2e,0x00,0x08,0x3b,0xc5,
14191 + 0xfb,0xd7,0x8e,0x6f,0x23,0xf8,0x6d,0x09,0xd6,0x85,0x49,0xd1,
14192 + 0xf8,0x6d,0xa4,0x58,0x54,0xfd,0x88,0xa9
14196 +static const unsigned char hmac_sha384_pr_nonce[] =
14198 + 0x6e,0x38,0x81,0xca,0xb7,0xe8,0x6e,0x66,0x49,0x8a,0xb2,0x59,
14199 + 0xee,0x16,0xc9,0xde
14203 +static const unsigned char hmac_sha384_pr_personalizationstring[] =
14205 + 0xfe,0x4c,0xd9,0xf4,0x78,0x3b,0x08,0x41,0x8d,0x8f,0x55,0xc4,
14206 + 0x43,0x56,0xb6,0x12,0x36,0x6b,0x30,0xb7,0x5e,0xe1,0xb9,0x47,
14207 + 0x04,0xb1,0x4e,0xa9,0x00,0xa1,0x52,0xa1
14211 +static const unsigned char hmac_sha384_pr_additionalinput[] =
14213 + 0x89,0xe9,0xcc,0x8f,0x27,0x3c,0x26,0xd1,0x95,0xc8,0x7d,0x0f,
14214 + 0x5b,0x1a,0xf0,0x78,0x39,0x56,0x6f,0xa4,0x23,0xe7,0xd1,0xda,
14215 + 0x7c,0x66,0x33,0xa0,0x90,0xc9,0x92,0x88
14219 +static const unsigned char hmac_sha384_pr_entropyinputpr[] =
14221 + 0xbe,0x3d,0x7c,0x0d,0xca,0xda,0x7c,0x49,0xb8,0x12,0x36,0xc0,
14222 + 0xdb,0xad,0x35,0xa8,0xc7,0x0b,0x2a,0x2c,0x69,0x6d,0x25,0x56,
14223 + 0x63,0x82,0x11,0x3e,0xa7,0x33,0x70,0x72
14227 +static const unsigned char hmac_sha384_pr_int_returnedbits[] =
14229 + 0x82,0x3d,0xe6,0x54,0x80,0x42,0xf8,0xba,0x90,0x4f,0x06,0xa6,
14230 + 0xd2,0x7f,0xbf,0x79,0x7c,0x12,0x7d,0xa6,0xa2,0x66,0xe8,0xa6,
14231 + 0xc0,0xd6,0x4a,0x55,0xbf,0xd8,0x0a,0xc5,0xf8,0x03,0x88,0xdd,
14232 + 0x8e,0x87,0xd1,0x5a,0x48,0x26,0x72,0x2a,0x8e,0xcf,0xee,0xba
14236 +static const unsigned char hmac_sha384_pr_additionalinput2[] =
14238 + 0x8f,0xff,0xd9,0x84,0xbb,0x85,0x3a,0x66,0xa1,0x21,0xce,0xb2,
14239 + 0x3a,0x3a,0x17,0x22,0x19,0xae,0xc7,0xb6,0x63,0x81,0xd5,0xff,
14240 + 0x0d,0xc8,0xe1,0xaf,0x57,0xd2,0xcb,0x60
14244 +static const unsigned char hmac_sha384_pr_entropyinputpr2[] =
14246 + 0xd7,0xfb,0xc9,0xe8,0xe2,0xf2,0xaa,0x4c,0xb8,0x51,0x2f,0xe1,
14247 + 0x22,0xba,0xf3,0xda,0x0a,0x19,0x76,0x71,0x57,0xb2,0x1d,0x94,
14248 + 0x09,0x69,0x6c,0xd3,0x97,0x51,0x81,0x87
14252 +static const unsigned char hmac_sha384_pr_returnedbits[] =
14254 + 0xe6,0x19,0x28,0xa8,0x21,0xce,0x5e,0xdb,0x24,0x79,0x8c,0x76,
14255 + 0x5d,0x73,0xb2,0xdf,0xac,0xef,0x85,0xa7,0x3b,0x19,0x09,0x8b,
14256 + 0x7f,0x98,0x28,0xa9,0x93,0xd8,0x7a,0xad,0x55,0x8b,0x24,0x9d,
14257 + 0xe6,0x98,0xfe,0x47,0xd5,0x48,0xc1,0x23,0xd8,0x1d,0x62,0x75
14261 +/* HMAC SHA-384 No PR */
14263 +static const unsigned char hmac_sha384_entropyinput[] =
14265 + 0xc3,0x56,0x2b,0x1d,0xc2,0xbb,0xa8,0xf0,0xae,0x1b,0x0d,0xd3,
14266 + 0x5a,0x6c,0xda,0x57,0x8e,0xa5,0x8a,0x0d,0x6c,0x4b,0x18,0xb1,
14267 + 0x04,0x3e,0xb4,0x99,0x35,0xc4,0xc0,0x5f
14271 +static const unsigned char hmac_sha384_nonce[] =
14273 + 0xc5,0x49,0x1e,0x66,0x27,0x92,0xbe,0xec,0xb5,0x1e,0x4b,0xb1,
14274 + 0x38,0xe3,0xeb,0x62
14278 +static const unsigned char hmac_sha384_personalizationstring[] =
14280 + 0xbe,0xe7,0x6b,0x57,0xde,0x88,0x11,0x96,0x9b,0x6e,0xea,0xe5,
14281 + 0x63,0x83,0x4c,0xb6,0x8d,0x66,0xaa,0x1f,0x8b,0x54,0xe7,0x62,
14282 + 0x6d,0x5a,0xfc,0xbf,0x97,0xba,0xcd,0x77
14286 +static const unsigned char hmac_sha384_additionalinput[] =
14288 + 0xe5,0x28,0x5f,0x43,0xf5,0x83,0x6e,0x0a,0x83,0x5c,0xe3,0x81,
14289 + 0x03,0xf2,0xf8,0x78,0x00,0x7c,0x95,0x87,0x16,0xd6,0x6c,0x58,
14290 + 0x33,0x6c,0x53,0x35,0x0d,0x66,0xe3,0xce
14294 +static const unsigned char hmac_sha384_int_returnedbits[] =
14296 + 0xe2,0x1f,0xf3,0xda,0x0d,0x19,0x99,0x87,0xc4,0x90,0xa2,0x31,
14297 + 0xca,0x2a,0x89,0x58,0x43,0x44,0xb8,0xde,0xcf,0xa4,0xbe,0x3b,
14298 + 0x53,0x26,0x22,0x31,0x76,0x41,0x22,0xb5,0xa8,0x70,0x2f,0x4b,
14299 + 0x64,0x95,0x4d,0x48,0x96,0x35,0xe6,0xbd,0x3c,0x34,0xdb,0x1b
14303 +static const unsigned char hmac_sha384_entropyinputreseed[] =
14305 + 0x77,0x61,0xba,0xbc,0xf2,0xc1,0xf3,0x4b,0x86,0x65,0xfd,0x48,
14306 + 0x0e,0x3c,0x02,0x5e,0xa2,0x7a,0x6b,0x7c,0xed,0x21,0x5e,0xf9,
14307 + 0xcd,0xcd,0x77,0x07,0x2b,0xbe,0xc5,0x5c
14311 +static const unsigned char hmac_sha384_additionalinputreseed[] =
14313 + 0x18,0x24,0x5f,0xc6,0x84,0xd1,0x67,0xc3,0x9a,0x11,0xa5,0x8c,
14314 + 0x07,0x39,0x21,0x83,0x4d,0x04,0xc4,0x6a,0x28,0x19,0xcf,0x92,
14315 + 0x21,0xd9,0x9e,0x41,0x72,0x6c,0x9e,0x63
14319 +static const unsigned char hmac_sha384_additionalinput2[] =
14321 + 0x96,0x67,0x41,0x28,0x9b,0xb7,0x92,0x8d,0x64,0x3b,0xe4,0xcf,
14322 + 0x7e,0xaa,0x1e,0xb1,0x4b,0x1d,0x09,0x56,0x67,0x9c,0xc6,0x6d,
14323 + 0x3b,0xe8,0x91,0x9d,0xe1,0x8a,0xb7,0x32
14327 +static const unsigned char hmac_sha384_returnedbits[] =
14329 + 0xe3,0x59,0x61,0x38,0x92,0xec,0xe2,0x3c,0xff,0xb7,0xdb,0x19,
14330 + 0x0f,0x5b,0x93,0x68,0x0d,0xa4,0x94,0x40,0x72,0x0b,0xe0,0xed,
14331 + 0x4d,0xcd,0x68,0xa0,0x1e,0xfe,0x67,0xb2,0xfa,0x21,0x56,0x74,
14332 + 0xa4,0xad,0xcf,0xb7,0x60,0x66,0x2e,0x40,0xde,0x82,0xca,0xfb
14336 +/* HMAC SHA-512 PR */
14338 +static const unsigned char hmac_sha512_pr_entropyinput[] =
14340 + 0xaa,0x9e,0x45,0x67,0x0e,0x00,0x2a,0x67,0x98,0xd6,0xda,0x0b,
14341 + 0x0f,0x17,0x7e,0xac,0xfd,0x27,0xc4,0xca,0x84,0xdf,0xde,0xba,
14342 + 0x85,0xd9,0xbe,0x8f,0xf3,0xff,0x91,0x4d
14346 +static const unsigned char hmac_sha512_pr_nonce[] =
14348 + 0x8c,0x49,0x2f,0x58,0x1e,0x7a,0xda,0x4b,0x7e,0x8a,0x30,0x7b,
14349 + 0x86,0xea,0xaf,0xa2
14353 +static const unsigned char hmac_sha512_pr_personalizationstring[] =
14355 + 0x71,0xe1,0xbb,0xad,0xa7,0x4b,0x2e,0x31,0x3b,0x0b,0xec,0x24,
14356 + 0x99,0x38,0xbc,0xaa,0x05,0x4c,0x46,0x44,0xfa,0xad,0x8e,0x02,
14357 + 0xc1,0x7e,0xad,0xec,0x54,0xa6,0xd0,0xad
14361 +static const unsigned char hmac_sha512_pr_additionalinput[] =
14363 + 0x3d,0x6e,0xa6,0xa8,0x29,0x2a,0xb2,0xf5,0x98,0x42,0xe4,0x92,
14364 + 0x78,0x22,0x67,0xfd,0x1b,0x15,0x1e,0x29,0xaa,0x71,0x3c,0x3c,
14365 + 0xe7,0x05,0x20,0xa9,0x29,0xc6,0x75,0x71
14369 +static const unsigned char hmac_sha512_pr_entropyinputpr[] =
14371 + 0xab,0xb9,0x16,0xd8,0x55,0x35,0x54,0xb7,0x97,0x3f,0x94,0xbc,
14372 + 0x2f,0x7c,0x70,0xc7,0xd0,0xed,0xb7,0x4b,0xf7,0xf6,0x6c,0x03,
14373 + 0x0c,0xb0,0x03,0xd8,0xbb,0x71,0xd9,0x10
14377 +static const unsigned char hmac_sha512_pr_int_returnedbits[] =
14379 + 0x8e,0xd3,0xfd,0x52,0x9e,0x83,0x08,0x49,0x18,0x6e,0x23,0x56,
14380 + 0x5c,0x45,0x93,0x34,0x05,0xe2,0x98,0x8f,0x0c,0xd4,0x32,0x0c,
14381 + 0xfd,0xda,0x5f,0x92,0x3a,0x8c,0x81,0xbd,0xf6,0x6c,0x55,0xfd,
14382 + 0xb8,0x20,0xce,0x8d,0x97,0x27,0xe8,0xe8,0xe0,0xb3,0x85,0x50,
14383 + 0xa2,0xc2,0xb2,0x95,0x1d,0x48,0xd3,0x7b,0x4b,0x78,0x13,0x35,
14384 + 0x05,0x17,0xbe,0x0d
14388 +static const unsigned char hmac_sha512_pr_additionalinput2[] =
14390 + 0xc3,0xfc,0x95,0xaa,0x69,0x06,0xae,0x59,0x41,0xce,0x26,0x08,
14391 + 0x29,0x6d,0x45,0xda,0xe8,0xb3,0x6c,0x95,0x60,0x0f,0x70,0x2c,
14392 + 0x10,0xba,0x38,0x8c,0xcf,0x29,0x99,0xaa
14396 +static const unsigned char hmac_sha512_pr_entropyinputpr2[] =
14398 + 0x3b,0x9a,0x25,0xce,0xd7,0xf9,0x5c,0xd1,0x3a,0x3e,0xaa,0x71,
14399 + 0x14,0x3e,0x19,0xe8,0xce,0xe6,0xfe,0x51,0x84,0xe9,0x1b,0xfe,
14400 + 0x3f,0xa7,0xf2,0xfd,0x76,0x5f,0x6a,0xe7
14404 +static const unsigned char hmac_sha512_pr_returnedbits[] =
14406 + 0xb7,0x82,0xa9,0x57,0x81,0x67,0x53,0xb5,0xa1,0xe9,0x3d,0x35,
14407 + 0xf9,0xe4,0x97,0xbe,0xa6,0xca,0xf1,0x01,0x13,0x09,0xe7,0x21,
14408 + 0xc0,0xed,0x93,0x5d,0x4b,0xf4,0xeb,0x8d,0x53,0x25,0x8a,0xc4,
14409 + 0xb1,0x6f,0x6e,0x37,0xcd,0x2e,0xac,0x39,0xb2,0xb6,0x99,0xa3,
14410 + 0x82,0x00,0xb0,0x21,0xf0,0xc7,0x2f,0x4c,0x73,0x92,0xfd,0x00,
14411 + 0xb6,0xaf,0xbc,0xd3
14415 +/* HMAC SHA-512 No PR */
14417 +static const unsigned char hmac_sha512_entropyinput[] =
14419 + 0x6e,0x85,0xe6,0x25,0x96,0x29,0xa7,0x52,0x5b,0x60,0xba,0xaa,
14420 + 0xde,0xdb,0x36,0x0a,0x51,0x9a,0x15,0xae,0x6e,0x18,0xd3,0xfe,
14421 + 0x39,0xb9,0x4a,0x96,0xf8,0x77,0xcb,0x95
14425 +static const unsigned char hmac_sha512_nonce[] =
14427 + 0xe0,0xa6,0x5d,0x08,0xc3,0x7c,0xae,0x25,0x2e,0x80,0xd1,0x3e,
14428 + 0xd9,0xaf,0x43,0x3c
14432 +static const unsigned char hmac_sha512_personalizationstring[] =
14434 + 0x53,0x99,0x52,0x5f,0x11,0xa9,0x64,0x66,0x20,0x5e,0x1b,0x5f,
14435 + 0x42,0xb3,0xf4,0xda,0xed,0xbb,0x63,0xc1,0x23,0xaf,0xd0,0x01,
14436 + 0x90,0x3b,0xd0,0x78,0xe4,0x0b,0xa7,0x20
14440 +static const unsigned char hmac_sha512_additionalinput[] =
14442 + 0x85,0x90,0x80,0xd3,0x98,0xf1,0x53,0x6d,0x68,0x15,0x8f,0xe5,
14443 + 0x60,0x3f,0x17,0x29,0x55,0x8d,0x33,0xb1,0x45,0x64,0x64,0x8d,
14444 + 0x50,0x21,0x89,0xae,0xf6,0xfd,0x32,0x73
14448 +static const unsigned char hmac_sha512_int_returnedbits[] =
14450 + 0x28,0x56,0x30,0x6f,0xf4,0xa1,0x48,0xe0,0xc9,0xf5,0x75,0x90,
14451 + 0xcc,0xfb,0xdf,0xdf,0x71,0x3d,0x0a,0x9a,0x03,0x65,0x3b,0x18,
14452 + 0x61,0xe3,0xd1,0xda,0xcc,0x4a,0xfe,0x55,0x38,0xf8,0x21,0x6b,
14453 + 0xfa,0x18,0x01,0x42,0x39,0x2f,0x99,0x53,0x38,0x15,0x82,0x34,
14454 + 0xc5,0x93,0x92,0xbc,0x4d,0x75,0x1a,0x5f,0x21,0x27,0xcc,0xa1,
14455 + 0xb1,0x57,0x69,0xe8
14459 +static const unsigned char hmac_sha512_entropyinputreseed[] =
14461 + 0x8c,0x52,0x7e,0x77,0x72,0x3f,0xa3,0x04,0x97,0x10,0x9b,0x41,
14462 + 0xbd,0xe8,0xff,0x89,0xed,0x80,0xe3,0xbd,0xaa,0x12,0x2d,0xca,
14463 + 0x75,0x82,0x36,0x77,0x88,0xcd,0xa6,0x73
14467 +static const unsigned char hmac_sha512_additionalinputreseed[] =
14469 + 0x7e,0x32,0xe3,0x69,0x69,0x07,0x34,0xa2,0x16,0xa2,0x5d,0x1a,
14470 + 0x10,0x91,0xd3,0xe2,0x21,0xa2,0xa3,0xdd,0xcd,0x0c,0x09,0x86,
14471 + 0x11,0xe1,0x50,0xff,0x5c,0xb7,0xeb,0x5c
14475 +static const unsigned char hmac_sha512_additionalinput2[] =
14477 + 0x7f,0x78,0x66,0xd8,0xfb,0x67,0xcf,0x8d,0x8c,0x08,0x30,0xa5,
14478 + 0xf8,0x7d,0xcf,0x44,0x59,0xce,0xf8,0xdf,0x58,0xd3,0x60,0xcb,
14479 + 0xa8,0x60,0xb9,0x07,0xc4,0xb1,0x95,0x48
14483 +static const unsigned char hmac_sha512_returnedbits[] =
14485 + 0xdf,0xa7,0x36,0xd4,0xdc,0x5d,0x4d,0x31,0xad,0x69,0x46,0x9f,
14486 + 0xf1,0x7c,0xd7,0x3b,0x4f,0x55,0xf2,0xd7,0xb9,0x9d,0xad,0x7a,
14487 + 0x79,0x08,0x59,0xa5,0xdc,0x74,0xf5,0x9b,0x73,0xd2,0x13,0x25,
14488 + 0x0b,0x81,0x08,0x08,0x25,0xfb,0x39,0xf2,0xf0,0xa3,0xa4,0x8d,
14489 + 0xef,0x05,0x9e,0xb8,0xc7,0x52,0xe4,0x0e,0x42,0xaa,0x7c,0x79,
14490 + 0xc2,0xd6,0xfd,0xa5
14493 diff -up openssl-1.0.1b/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.1b/crypto/fips/fips_dsa_selftest.c
14494 --- openssl-1.0.1b/crypto/fips/fips_dsa_selftest.c.fips 2012-04-26 18:00:51.404769387 +0200
14495 +++ openssl-1.0.1b/crypto/fips/fips_dsa_selftest.c 2012-04-26 18:00:51.404769387 +0200
14497 +/* ====================================================================
14498 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
14500 + * Redistribution and use in source and binary forms, with or without
14501 + * modification, are permitted provided that the following conditions
14504 + * 1. Redistributions of source code must retain the above copyright
14505 + * notice, this list of conditions and the following disclaimer.
14507 + * 2. Redistributions in binary form must reproduce the above copyright
14508 + * notice, this list of conditions and the following disclaimer in
14509 + * the documentation and/or other materials provided with the
14512 + * 3. All advertising materials mentioning features or use of this
14513 + * software must display the following acknowledgment:
14514 + * "This product includes software developed by the OpenSSL Project
14515 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
14517 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
14518 + * endorse or promote products derived from this software without
14519 + * prior written permission. For written permission, please contact
14520 + * openssl-core@openssl.org.
14522 + * 5. Products derived from this software may not be called "OpenSSL"
14523 + * nor may "OpenSSL" appear in their names without prior written
14524 + * permission of the OpenSSL Project.
14526 + * 6. Redistributions of any form whatsoever must retain the following
14527 + * acknowledgment:
14528 + * "This product includes software developed by the OpenSSL Project
14529 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
14531 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
14532 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
14533 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
14534 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
14535 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
14536 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
14537 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
14538 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
14539 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
14540 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
14541 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
14542 + * OF THE POSSIBILITY OF SUCH DAMAGE.
14546 +#include <string.h>
14547 +#include <openssl/crypto.h>
14548 +#include <openssl/dsa.h>
14549 +#include <openssl/fips.h>
14550 +#include <openssl/err.h>
14551 +#include <openssl/evp.h>
14552 +#include <openssl/bn.h>
14553 +#include "fips_locl.h"
14555 +#ifdef OPENSSL_FIPS
14557 +static const unsigned char dsa_test_2048_p[] = {
14558 + 0xa8,0x53,0x78,0xd8,0xfd,0x3f,0x8d,0x72,0xec,0x74,0x18,0x08,
14559 + 0x0d,0xa2,0x13,0x17,0xe4,0x3e,0xc4,0xb6,0x2b,0xa8,0xc8,0x62,
14560 + 0x3b,0x7e,0x4d,0x04,0x44,0x1d,0xd1,0xa0,0x65,0x86,0x62,0x59,
14561 + 0x64,0x93,0xca,0x8e,0x9e,0x8f,0xbb,0x7e,0x34,0xaa,0xdd,0xb6,
14562 + 0x2e,0x5d,0x67,0xb6,0xd0,0x9a,0x6e,0x61,0xb7,0x69,0xe7,0xc3,
14563 + 0x52,0xaa,0x2b,0x10,0xe2,0x0c,0xa0,0x63,0x69,0x63,0xb5,0x52,
14564 + 0x3e,0x86,0x47,0x0d,0xec,0xbb,0xed,0xa0,0x27,0xe7,0x97,0xe7,
14565 + 0xb6,0x76,0x35,0xd4,0xd4,0x9c,0x30,0x70,0x0e,0x74,0xaf,0x8a,
14566 + 0x0f,0xf1,0x56,0xa8,0x01,0xaf,0x57,0xa2,0x6e,0x70,0x78,0xf1,
14567 + 0xd8,0x2f,0x74,0x90,0x8e,0xcb,0x6d,0x07,0xe7,0x0b,0x35,0x03,
14568 + 0xee,0xd9,0x4f,0xa3,0x2c,0xf1,0x7a,0x7f,0xc3,0xd6,0xcf,0x40,
14569 + 0xdc,0x7b,0x00,0x83,0x0e,0x6a,0x25,0x66,0xdc,0x07,0x3e,0x34,
14570 + 0x33,0x12,0x51,0x7c,0x6a,0xa5,0x15,0x2b,0x4b,0xfe,0xcd,0x2e,
14571 + 0x55,0x1f,0xee,0x34,0x63,0x18,0xa1,0x53,0x42,0x3c,0x99,0x6b,
14572 + 0x0d,0x5d,0xcb,0x91,0x02,0xae,0xdd,0x38,0x79,0x86,0x16,0xf1,
14573 + 0xf1,0xe0,0xd6,0xc4,0x03,0x52,0x5b,0x1f,0x9b,0x3d,0x4d,0xc7,
14574 + 0x66,0xde,0x2d,0xfc,0x4a,0x56,0xd7,0xb8,0xba,0x59,0x63,0xd6,
14575 + 0x0f,0x3e,0x16,0x31,0x88,0x70,0xad,0x43,0x69,0x52,0xe5,0x57,
14576 + 0x65,0x37,0x4e,0xab,0x85,0xe8,0xec,0x17,0xd6,0xb9,0xa4,0x54,
14577 + 0x7b,0x9b,0x5f,0x27,0x52,0xf3,0x10,0x5b,0xe8,0x09,0xb2,0x3a,
14578 + 0x2c,0x8d,0x74,0x69,0xdb,0x02,0xe2,0x4d,0x59,0x23,0x94,0xa7,
14579 + 0xdb,0xa0,0x69,0xe9
14582 +static const unsigned char dsa_test_2048_q[] = {
14583 + 0xd2,0x77,0x04,0x4e,0x50,0xf5,0xa4,0xe3,0xf5,0x10,0xa5,0x0a,
14584 + 0x0b,0x84,0xfd,0xff,0xbc,0xa0,0x47,0xed,0x27,0x60,0x20,0x56,
14585 + 0x74,0x41,0xa0,0xa5
14588 +static const unsigned char dsa_test_2048_g[] = {
14589 + 0x13,0xd7,0x54,0xe2,0x1f,0xd2,0x41,0x65,0x5d,0xa8,0x91,0xc5,
14590 + 0x22,0xa6,0x5a,0x72,0xa8,0x9b,0xdc,0x64,0xec,0x9b,0x54,0xa8,
14591 + 0x21,0xed,0x4a,0x89,0x8b,0x49,0x0e,0x0c,0x4f,0xcb,0x72,0x19,
14592 + 0x2a,0x4a,0x20,0xf5,0x41,0xf3,0xf2,0x92,0x53,0x99,0xf0,0xba,
14593 + 0xec,0xf9,0x29,0xaa,0xfb,0xf7,0x9d,0xfe,0x43,0x32,0x39,0x3b,
14594 + 0x32,0xcd,0x2e,0x2f,0xcf,0x27,0x2f,0x32,0xa6,0x27,0x43,0x4a,
14595 + 0x0d,0xf2,0x42,0xb7,0x5b,0x41,0x4d,0xf3,0x72,0x12,0x1e,0x53,
14596 + 0xa5,0x53,0xf2,0x22,0xf8,0x36,0xb0,0x00,0xf0,0x16,0x48,0x5b,
14597 + 0x6b,0xd0,0x89,0x84,0x51,0x80,0x1d,0xcd,0x8d,0xe6,0x4c,0xd5,
14598 + 0x36,0x56,0x96,0xff,0xc5,0x32,0xd5,0x28,0xc5,0x06,0x62,0x0a,
14599 + 0x94,0x2a,0x03,0x05,0x04,0x6d,0x8f,0x18,0x76,0x34,0x1f,0x1e,
14600 + 0x57,0x0b,0xc3,0x97,0x4b,0xa6,0xb9,0xa4,0x38,0xe9,0x70,0x23,
14601 + 0x02,0xa2,0xe6,0xe6,0x7b,0xfd,0x06,0xd3,0x2b,0xc6,0x79,0x96,
14602 + 0x22,0x71,0xd7,0xb4,0x0c,0xd7,0x2f,0x38,0x6e,0x64,0xe0,0xd7,
14603 + 0xef,0x86,0xca,0x8c,0xa5,0xd1,0x42,0x28,0xdc,0x2a,0x4f,0x16,
14604 + 0xe3,0x18,0x98,0x86,0xb5,0x99,0x06,0x74,0xf4,0x20,0x0f,0x3a,
14605 + 0x4c,0xf6,0x5a,0x3f,0x0d,0xdb,0xa1,0xfa,0x67,0x2d,0xff,0x2f,
14606 + 0x5e,0x14,0x3d,0x10,0xe4,0xe9,0x7a,0xe8,0x4f,0x6d,0xa0,0x95,
14607 + 0x35,0xd5,0xb9,0xdf,0x25,0x91,0x81,0xa7,0x9b,0x63,0xb0,0x69,
14608 + 0xe9,0x49,0x97,0x2b,0x02,0xba,0x36,0xb3,0x58,0x6a,0xab,0x7e,
14609 + 0x45,0xf3,0x22,0xf8,0x2e,0x4e,0x85,0xca,0x3a,0xb8,0x55,0x91,
14610 + 0xb3,0xc2,0xa9,0x66
14613 +static const unsigned char dsa_test_2048_pub_key[] = {
14614 + 0x24,0x52,0xf3,0xcc,0xbe,0x9e,0xd5,0xca,0x7d,0xc7,0x4c,0x60,
14615 + 0x2b,0x99,0x22,0x6e,0x8f,0x2f,0xab,0x38,0xe7,0xd7,0xdd,0xfb,
14616 + 0x75,0x53,0x9b,0x17,0x15,0x5e,0x9f,0xcf,0xd1,0xab,0xa5,0x64,
14617 + 0xeb,0x85,0x35,0xd8,0x12,0xc9,0xc2,0xdc,0xf9,0x72,0x84,0x44,
14618 + 0x1b,0xc4,0x82,0x24,0x36,0x24,0xc7,0xf4,0x57,0x58,0x0c,0x1c,
14619 + 0x38,0xa5,0x7c,0x46,0xc4,0x57,0x39,0x24,0x70,0xed,0xb5,0x2c,
14620 + 0xb5,0xa6,0xe0,0x3f,0xe6,0x28,0x7b,0xb6,0xf4,0x9a,0x42,0xa2,
14621 + 0x06,0x5a,0x05,0x4f,0x03,0x08,0x39,0xdf,0x1f,0xd3,0x14,0x9c,
14622 + 0x4c,0xa0,0x53,0x1d,0xd8,0xca,0x8a,0xaa,0x9c,0xc7,0x33,0x71,
14623 + 0x93,0x38,0x73,0x48,0x33,0x61,0x18,0x22,0x45,0x45,0xe8,0x8c,
14624 + 0x80,0xff,0xd8,0x76,0x5d,0x74,0x36,0x03,0x33,0xcc,0xab,0x99,
14625 + 0x72,0x77,0x9b,0x65,0x25,0xa6,0x5b,0xdd,0x0d,0x10,0xc6,0x75,
14626 + 0xc1,0x09,0xbb,0xd3,0xe5,0xbe,0x4d,0x72,0xef,0x6e,0xba,0x6e,
14627 + 0x43,0x8d,0x52,0x26,0x23,0x7d,0xb8,0x88,0x37,0x9c,0x5f,0xcc,
14628 + 0x47,0xa3,0x84,0x7f,0xf6,0x37,0x11,0xba,0xed,0x6d,0x03,0xaf,
14629 + 0xe8,0x1e,0x69,0x4a,0x41,0x3b,0x68,0x0b,0xd3,0x8a,0xb4,0x90,
14630 + 0x3f,0x83,0x70,0xa7,0x07,0xef,0x55,0x1d,0x49,0x41,0x02,0x6d,
14631 + 0x95,0x79,0xd6,0x91,0xde,0x8e,0xda,0xa1,0x61,0x05,0xeb,0x9d,
14632 + 0xba,0x3c,0x2f,0x4c,0x1b,0xec,0x50,0x82,0x75,0xaa,0x02,0x07,
14633 + 0xe2,0x51,0xb5,0xec,0xcb,0x28,0x6a,0x4b,0x01,0xd4,0x49,0xd3,
14634 + 0x0a,0xcb,0x67,0x37,0x17,0xa0,0xd2,0xfb,0x3b,0x50,0xc8,0x93,
14635 + 0xf7,0xda,0xb1,0x4f
14638 +static const unsigned char dsa_test_2048_priv_key[] = {
14639 + 0x0c,0x4b,0x30,0x89,0xd1,0xb8,0x62,0xcb,0x3c,0x43,0x64,0x91,
14640 + 0xf0,0x91,0x54,0x70,0xc5,0x27,0x96,0xe3,0xac,0xbe,0xe8,0x00,
14641 + 0xec,0x55,0xf6,0xcc
14644 +static int corrupt_dsa;
14646 +void FIPS_corrupt_dsa()
14651 +int FIPS_selftest_dsa()
14654 + EVP_PKEY *pk = NULL;
14662 + fips_load_key_component(dsa, p, dsa_test_2048);
14663 + fips_load_key_component(dsa, q, dsa_test_2048);
14664 + fips_load_key_component(dsa, g, dsa_test_2048);
14665 + fips_load_key_component(dsa, pub_key, dsa_test_2048);
14666 + fips_load_key_component(dsa, priv_key, dsa_test_2048);
14669 + BN_set_bit(dsa->pub_key, 2047);
14671 + if ((pk=EVP_PKEY_new()) == NULL)
14674 + EVP_PKEY_assign_DSA(pk, dsa);
14676 + if (!fips_pkey_signature_test(pk, NULL, 0,
14677 + NULL, 0, EVP_sha256(), 0,
14684 + EVP_PKEY_free(pk);
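Review bot: `FIPS_corrupt_dsa()` and `FIPS_selftest_dsa()` are defined with empty parentheses while fips.h in this same patch prototypes them as `(void)`; an empty list in a definition is an old-style declarator, so write `void FIPS_corrupt_dsa(void)` and `int FIPS_selftest_dsa(void)` to match the header. The return value of `EVP_PKEY_assign_DSA(pk, dsa)` is discarded; if the assignment ever fails, `dsa` is not owned by `pk` and is presumably not released by the `EVP_PKEY_free(pk)` path, so check it and free `dsa` on failure. `corrupt_dsa` is a file-scope flag that is only ever set, and `FIPS_corrupt_dsa` is exported through fips.h, so a one-line comment such as `/* Test hook: once set, the DSA KAT fails for the rest of the process (pub_key is deliberately corrupted). */` would make clear it must not be reachable from production code; the `BN_set_bit(dsa->pub_key, 2047)` looks like that corruption path, though its guard is not among the lines shown. The body of `FIPS_selftest_dsa` continues past the last line shown here, so the cleanup path itself is not visible.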
14690 diff -up openssl-1.0.1b/crypto/fips/fips_enc.c.fips openssl-1.0.1b/crypto/fips/fips_enc.c
14691 --- openssl-1.0.1b/crypto/fips/fips_enc.c.fips 2012-04-26 18:00:51.405769408 +0200
14692 +++ openssl-1.0.1b/crypto/fips/fips_enc.c 2012-04-26 18:00:51.405769408 +0200
14694 +/* fipe/evp/fips_enc.c */
14695 +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
14696 + * All rights reserved.
14698 + * This package is an SSL implementation written
14699 + * by Eric Young (eay@cryptsoft.com).
14700 + * The implementation was written so as to conform with Netscapes SSL.
14702 + * This library is free for commercial and non-commercial use as long as
14703 + * the following conditions are aheared to. The following conditions
14704 + * apply to all code found in this distribution, be it the RC4, RSA,
14705 + * lhash, DES, etc., code; not just the SSL code. The SSL documentation
14706 + * included with this distribution is covered by the same copyright terms
14707 + * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14709 + * Copyright remains Eric Young's, and as such any Copyright notices in
14710 + * the code are not to be removed.
14711 + * If this package is used in a product, Eric Young should be given attribution
14712 + * as the author of the parts of the library used.
14713 + * This can be in the form of a textual message at program startup or
14714 + * in documentation (online or textual) provided with the package.
14716 + * Redistribution and use in source and binary forms, with or without
14717 + * modification, are permitted provided that the following conditions
14719 + * 1. Redistributions of source code must retain the copyright
14720 + * notice, this list of conditions and the following disclaimer.
14721 + * 2. Redistributions in binary form must reproduce the above copyright
14722 + * notice, this list of conditions and the following disclaimer in the
14723 + * documentation and/or other materials provided with the distribution.
14724 + * 3. All advertising materials mentioning features or use of this software
14725 + * must display the following acknowledgement:
14726 + * "This product includes cryptographic software written by
14727 + * Eric Young (eay@cryptsoft.com)"
14728 + * The word 'cryptographic' can be left out if the rouines from the library
14729 + * being used are not cryptographic related :-).
14730 + * 4. If you include any Windows specific code (or a derivative thereof) from
14731 + * the apps directory (application code) you must include an acknowledgement:
14732 + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
14734 + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
14735 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
14736 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
14737 + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
14738 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
14739 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
14740 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
14741 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
14742 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
14743 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
14746 + * The licence and distribution terms for any publically available version or
14747 + * derivative of this code cannot be changed. i.e. this code cannot simply be
14748 + * copied and put under another distribution licence
14749 + * [including the GNU Public Licence.]
14752 +#include <stdio.h>
14753 +#include <string.h>
14754 +#include <openssl/evp.h>
14755 +#include <openssl/err.h>
14756 +#include <openssl/fips.h>
14758 +const EVP_CIPHER *FIPS_get_cipherbynid(int nid)
14762 + case NID_aes_128_cbc:
14763 + return EVP_aes_128_cbc();
14765 + case NID_aes_128_ccm:
14766 + return EVP_aes_128_ccm();
14768 + case NID_aes_128_cfb1:
14769 + return EVP_aes_128_cfb1();
14771 + case NID_aes_128_cfb128:
14772 + return EVP_aes_128_cfb128();
14774 + case NID_aes_128_cfb8:
14775 + return EVP_aes_128_cfb8();
14777 + case NID_aes_128_ctr:
14778 + return EVP_aes_128_ctr();
14780 + case NID_aes_128_ecb:
14781 + return EVP_aes_128_ecb();
14783 + case NID_aes_128_gcm:
14784 + return EVP_aes_128_gcm();
14786 + case NID_aes_128_ofb128:
14787 + return EVP_aes_128_ofb();
14789 + case NID_aes_128_xts:
14790 + return EVP_aes_128_xts();
14792 + case NID_aes_192_cbc:
14793 + return EVP_aes_192_cbc();
14795 + case NID_aes_192_ccm:
14796 + return EVP_aes_192_ccm();
14798 + case NID_aes_192_cfb1:
14799 + return EVP_aes_192_cfb1();
14801 + case NID_aes_192_cfb128:
14802 + return EVP_aes_192_cfb128();
14804 + case NID_aes_192_cfb8:
14805 + return EVP_aes_192_cfb8();
14807 + case NID_aes_192_ctr:
14808 + return EVP_aes_192_ctr();
14810 + case NID_aes_192_ecb:
14811 + return EVP_aes_192_ecb();
14813 + case NID_aes_192_gcm:
14814 + return EVP_aes_192_gcm();
14816 + case NID_aes_192_ofb128:
14817 + return EVP_aes_192_ofb();
14819 + case NID_aes_256_cbc:
14820 + return EVP_aes_256_cbc();
14822 + case NID_aes_256_ccm:
14823 + return EVP_aes_256_ccm();
14825 + case NID_aes_256_cfb1:
14826 + return EVP_aes_256_cfb1();
14828 + case NID_aes_256_cfb128:
14829 + return EVP_aes_256_cfb128();
14831 + case NID_aes_256_cfb8:
14832 + return EVP_aes_256_cfb8();
14834 + case NID_aes_256_ctr:
14835 + return EVP_aes_256_ctr();
14837 + case NID_aes_256_ecb:
14838 + return EVP_aes_256_ecb();
14840 + case NID_aes_256_gcm:
14841 + return EVP_aes_256_gcm();
14843 + case NID_aes_256_ofb128:
14844 + return EVP_aes_256_ofb();
14846 + case NID_aes_256_xts:
14847 + return EVP_aes_256_xts();
14849 + case NID_des_ede_ecb:
14850 + return EVP_des_ede();
14852 + case NID_des_ede3_ecb:
14853 + return EVP_des_ede3();
14855 + case NID_des_ede3_cbc:
14856 + return EVP_des_ede3_cbc();
14858 + case NID_des_ede3_cfb1:
14859 + return EVP_des_ede3_cfb1();
14861 + case NID_des_ede3_cfb64:
14862 + return EVP_des_ede3_cfb64();
14864 + case NID_des_ede3_cfb8:
14865 + return EVP_des_ede3_cfb8();
14867 + case NID_des_ede3_ofb64:
14868 + return EVP_des_ede3_ofb();
14870 + case NID_des_ede_cbc:
14871 + return EVP_des_ede_cbc();
14873 + case NID_des_ede_cfb64:
14874 + return EVP_des_ede_cfb64();
14876 + case NID_des_ede_ofb64:
14877 + return EVP_des_ede_ofb();
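Review bot: `FIPS_get_cipherbynid` has no header comment, and as the table that decides which ciphers the FIPS module hands out by NID it deserves one; something like `/* Closed list of ciphers the FIPS module resolves by NID: AES in the validated modes and Triple-DES. Any other NID must resolve to NULL so callers fail closed. */` above the definition. The `default` case is not among the lines shown here, so I cannot confirm that an unknown NID returns NULL rather than falling off the end of the switch; it should, and the comment should say so. The two-key Triple-DES entries (`NID_des_ede_ecb`, `NID_des_ede_cbc`, `NID_des_ede_cfb64`, `NID_des_ede_ofb64`) are worth a one-line comment noting they are retained for legacy interoperability, since NIST SP 800-131A restricts two-key TDEA for encryption, so a later reviewer knows their presence is deliberate rather than an oversight.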
14885 diff -up openssl-1.0.1b/crypto/fips/fips.h.fips openssl-1.0.1b/crypto/fips/fips.h
14886 --- openssl-1.0.1b/crypto/fips/fips.h.fips 2012-04-26 18:00:51.405769408 +0200
14887 +++ openssl-1.0.1b/crypto/fips/fips.h 2012-04-26 18:00:51.405769408 +0200
14889 +/* ====================================================================
14890 + * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
14892 + * Redistribution and use in source and binary forms, with or without
14893 + * modification, are permitted provided that the following conditions
14896 + * 1. Redistributions of source code must retain the above copyright
14897 + * notice, this list of conditions and the following disclaimer.
14899 + * 2. Redistributions in binary form must reproduce the above copyright
14900 + * notice, this list of conditions and the following disclaimer in
14901 + * the documentation and/or other materials provided with the
14904 + * 3. All advertising materials mentioning features or use of this
14905 + * software must display the following acknowledgment:
14906 + * "This product includes software developed by the OpenSSL Project
14907 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
14909 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
14910 + * endorse or promote products derived from this software without
14911 + * prior written permission. For written permission, please contact
14912 + * openssl-core@openssl.org.
14914 + * 5. Products derived from this software may not be called "OpenSSL"
14915 + * nor may "OpenSSL" appear in their names without prior written
14916 + * permission of the OpenSSL Project.
14918 + * 6. Redistributions of any form whatsoever must retain the following
14919 + * acknowledgment:
14920 + * "This product includes software developed by the OpenSSL Project
14921 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
14923 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
14924 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
14925 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
14926 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
14927 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
14928 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
14929 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
14930 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
14931 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
14932 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
14933 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
14934 + * OF THE POSSIBILITY OF SUCH DAMAGE.
14938 +#include <openssl/opensslconf.h>
14939 +#include <openssl/crypto.h>
14940 +#include <stdarg.h>
14942 +#ifndef OPENSSL_FIPS
14943 +#error FIPS is disabled.
14946 +#ifdef OPENSSL_FIPS
14948 +#ifdef __cplusplus
14954 +struct evp_pkey_st;
14956 +struct env_md_ctx_st;
14957 +struct evp_cipher_st;
14958 +struct evp_cipher_ctx_st;
14960 +struct CMAC_CTX_st;
14961 +struct hmac_ctx_st;
14963 +int FIPS_module_mode_set(int onoff, const char *auth);
14964 +int FIPS_module_mode(void);
14965 +const void *FIPS_rand_check(void);
14966 +int FIPS_selftest(void);
14967 +int FIPS_selftest_failed(void);
14968 +void FIPS_corrupt_sha1(void);
14969 +int FIPS_selftest_sha1(void);
14970 +int FIPS_selftest_sha2(void);
14971 +void FIPS_corrupt_aes(void);
14972 +int FIPS_selftest_aes_ccm(void);
14973 +int FIPS_selftest_aes_gcm(void);
14974 +int FIPS_selftest_aes_xts(void);
14975 +int FIPS_selftest_aes(void);
14976 +void FIPS_corrupt_des(void);
14977 +int FIPS_selftest_des(void);
14978 +void FIPS_corrupt_rsa(void);
14979 +void FIPS_corrupt_rsa_keygen(void);
14980 +int FIPS_selftest_rsa(void);
14981 +void FIPS_corrupt_dsa(void);
14982 +void FIPS_corrupt_dsa_keygen(void);
14983 +int FIPS_selftest_dsa(void);
14984 +void FIPS_corrupt_rng(void);
14985 +void FIPS_rng_stick(void);
14986 +void FIPS_x931_stick(int onoff);
14987 +void FIPS_drbg_stick(int onoff);
14988 +int FIPS_selftest_rng(void);
14989 +int FIPS_selftest_x931(void);
14990 +int FIPS_selftest_hmac(void);
14991 +int FIPS_selftest_drbg(void);
14992 +int FIPS_selftest_drbg_all(void);
14993 +int FIPS_selftest_cmac(void);
14995 +void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
14997 +#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \
14998 + alg " previous FIPS forbidden algorithm error ignored");
15000 +int fips_pkey_signature_test(struct evp_pkey_st *pkey,
15001 + const unsigned char *tbs, int tbslen,
15002 + const unsigned char *kat, unsigned int katlen,
15003 + const struct env_md_st *digest, unsigned int md_flags,
15004 + const char *fail_str);
15006 +int fips_cipher_test(struct evp_cipher_ctx_st *ctx,
15007 + const struct evp_cipher_st *cipher,
15008 + const unsigned char *key,
15009 + const unsigned char *iv,
15010 + const unsigned char *plaintext,
15011 + const unsigned char *ciphertext,
15014 +void fips_set_selftest_fail(void);
15016 +const struct env_md_st *FIPS_get_digestbynid(int nid);
15018 +const struct evp_cipher_st *FIPS_get_cipherbynid(int nid);
15021 +/* BEGIN ERROR CODES */
15022 +/* The following lines are auto generated by the script mkerr.pl. Any changes
15023 + * made after this point may be overwritten when the script is next run.
15025 +void ERR_load_FIPS_strings(void);
15027 +/* Error codes for the FIPS functions. */
15029 +/* Function codes. */
15030 +#define FIPS_F_DH_BUILTIN_GENPARAMS 100
15031 +#define FIPS_F_DH_INIT 148
15032 +#define FIPS_F_DRBG_RESEED 162
15033 +#define FIPS_F_DSA_BUILTIN_PARAMGEN 101
15034 +#define FIPS_F_DSA_BUILTIN_PARAMGEN2 107
15035 +#define FIPS_F_DSA_DO_SIGN 102
15036 +#define FIPS_F_DSA_DO_VERIFY 103
15037 +#define FIPS_F_ECDH_COMPUTE_KEY 163
15038 +#define FIPS_F_ECDSA_DO_SIGN 164
15039 +#define FIPS_F_ECDSA_DO_VERIFY 165
15040 +#define FIPS_F_EC_KEY_GENERATE_KEY 166
15041 +#define FIPS_F_EVP_CIPHERINIT_EX 124
15042 +#define FIPS_F_EVP_DIGESTINIT_EX 125
15043 +#define FIPS_F_FIPS_CHECK_DSA 104
15044 +#define FIPS_F_FIPS_CHECK_DSA_PRNG 151
15045 +#define FIPS_F_FIPS_CHECK_EC 142
15046 +#define FIPS_F_FIPS_CHECK_EC_PRNG 152
15047 +#define FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT 105
15048 +#define FIPS_F_FIPS_CHECK_RSA 106
15049 +#define FIPS_F_FIPS_CHECK_RSA_PRNG 150
15050 +#define FIPS_F_FIPS_CIPHER 160
15051 +#define FIPS_F_FIPS_CIPHERINIT 143
15052 +#define FIPS_F_FIPS_CIPHER_CTX_CTRL 161
15053 +#define FIPS_F_FIPS_DIGESTFINAL 158
15054 +#define FIPS_F_FIPS_DIGESTINIT 128
15055 +#define FIPS_F_FIPS_DIGESTUPDATE 159
15056 +#define FIPS_F_FIPS_DRBG_BYTES 131
15057 +#define FIPS_F_FIPS_DRBG_CHECK 146
15058 +#define FIPS_F_FIPS_DRBG_CPRNG_TEST 132
15059 +#define FIPS_F_FIPS_DRBG_ERROR_CHECK 136
15060 +#define FIPS_F_FIPS_DRBG_GENERATE 134
15061 +#define FIPS_F_FIPS_DRBG_INIT 135
15062 +#define FIPS_F_FIPS_DRBG_INSTANTIATE 138
15063 +#define FIPS_F_FIPS_DRBG_NEW 139
15064 +#define FIPS_F_FIPS_DRBG_RESEED 140
15065 +#define FIPS_F_FIPS_DRBG_SINGLE_KAT 141
15066 +#define FIPS_F_FIPS_DSA_CHECK /* unused */ 107
15067 +#define FIPS_F_FIPS_DSA_SIGN_DIGEST 154
15068 +#define FIPS_F_FIPS_DSA_VERIFY_DIGEST 155
15069 +#define FIPS_F_FIPS_GET_ENTROPY 147
15070 +#define FIPS_F_FIPS_MODE_SET /* unused */ 108
15071 +#define FIPS_F_FIPS_MODULE_MODE_SET 108
15072 +#define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109
15073 +#define FIPS_F_FIPS_RAND_ADD 137
15074 +#define FIPS_F_FIPS_RAND_BYTES 122
15075 +#define FIPS_F_FIPS_RAND_PSEUDO_BYTES 167
15076 +#define FIPS_F_FIPS_RAND_SEED 168
15077 +#define FIPS_F_FIPS_RAND_SET_METHOD 126
15078 +#define FIPS_F_FIPS_RAND_STATUS 127
15079 +#define FIPS_F_FIPS_RSA_SIGN_DIGEST 156
15080 +#define FIPS_F_FIPS_RSA_VERIFY_DIGEST 157
15081 +#define FIPS_F_FIPS_SELFTEST_AES 110
15082 +#define FIPS_F_FIPS_SELFTEST_AES_CCM 145
15083 +#define FIPS_F_FIPS_SELFTEST_AES_GCM 129
15084 +#define FIPS_F_FIPS_SELFTEST_AES_XTS 144
15085 +#define FIPS_F_FIPS_SELFTEST_CMAC 130
15086 +#define FIPS_F_FIPS_SELFTEST_DES 111
15087 +#define FIPS_F_FIPS_SELFTEST_DSA 112
15088 +#define FIPS_F_FIPS_SELFTEST_ECDSA 133
15089 +#define FIPS_F_FIPS_SELFTEST_HMAC 113
15090 +#define FIPS_F_FIPS_SELFTEST_RNG /* unused */ 114
15091 +#define FIPS_F_FIPS_SELFTEST_SHA1 115
15092 +#define FIPS_F_FIPS_SELFTEST_X931 114
15093 +#define FIPS_F_FIPS_SET_PRNG_KEY 153
15094 +#define FIPS_F_HASH_FINAL 123
15095 +#define FIPS_F_RSA_BUILTIN_KEYGEN 116
15096 +#define FIPS_F_RSA_EAY_INIT 149
15097 +#define FIPS_F_RSA_EAY_PRIVATE_DECRYPT 117
15098 +#define FIPS_F_RSA_EAY_PRIVATE_ENCRYPT 118
15099 +#define FIPS_F_RSA_EAY_PUBLIC_DECRYPT 119
15100 +#define FIPS_F_RSA_EAY_PUBLIC_ENCRYPT 120
15101 +#define FIPS_F_RSA_X931_GENERATE_KEY_EX 121
15102 +#define FIPS_F_SSLEAY_RAND_BYTES /* unused */ 122
15104 +/* Reason codes. */
15105 +#define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 150
15106 +#define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 125
15107 +#define FIPS_R_ALREADY_INSTANTIATED 134
15108 +#define FIPS_R_AUTHENTICATION_FAILURE 151
15109 +#define FIPS_R_CANNOT_READ_EXE /* unused */ 103
15110 +#define FIPS_R_CANNOT_READ_EXE_DIGEST /* unused */ 104
15111 +#define FIPS_R_CONTRADICTING_EVIDENCE 114
15112 +#define FIPS_R_DRBG_NOT_INITIALISED 152
15113 +#define FIPS_R_DRBG_STUCK 103
15114 +#define FIPS_R_ENTROPY_ERROR_UNDETECTED 104
15115 +#define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105
15116 +#define FIPS_R_ENTROPY_SOURCE_STUCK 142
15117 +#define FIPS_R_ERROR_INITIALISING_DRBG 115
15118 +#define FIPS_R_ERROR_INSTANTIATING_DRBG 127
15119 +#define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 124
15120 +#define FIPS_R_ERROR_RETRIEVING_ENTROPY 122
15121 +#define FIPS_R_ERROR_RETRIEVING_NONCE 140
15122 +#define FIPS_R_EXE_DIGEST_DOES_NOT_MATCH /* unused */ 105
15123 +#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 110
15124 +#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED 111
15125 +#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING 112
15126 +#define FIPS_R_FIPS_MODE_ALREADY_SET 102
15127 +#define FIPS_R_FIPS_SELFTEST_FAILED 106
15128 +#define FIPS_R_FUNCTION_ERROR 116
15129 +#define FIPS_R_GENERATE_ERROR 137
15130 +#define FIPS_R_GENERATE_ERROR_UNDETECTED 118
15131 +#define FIPS_R_INSTANTIATE_ERROR 119
15132 +#define FIPS_R_INSUFFICIENT_SECURITY_STRENGTH 120
15133 +#define FIPS_R_INTERNAL_ERROR 121
15134 +#define FIPS_R_INVALID_KEY_LENGTH 109
15135 +#define FIPS_R_INVALID_PARAMETERS 144
15136 +#define FIPS_R_IN_ERROR_STATE 123
15137 +#define FIPS_R_KEY_TOO_SHORT 108
15138 +#define FIPS_R_NONCE_ERROR_UNDETECTED 149
15139 +#define FIPS_R_NON_FIPS_METHOD 100
15140 +#define FIPS_R_NOPR_TEST1_FAILURE 145
15141 +#define FIPS_R_NOPR_TEST2_FAILURE 146
15142 +#define FIPS_R_NOT_INSTANTIATED 126
15143 +#define FIPS_R_PAIRWISE_TEST_FAILED 107
15144 +#define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128
15145 +#define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129
15146 +#define FIPS_R_PRNG_STRENGTH_TOO_LOW 143
15147 +#define FIPS_R_PR_TEST1_FAILURE 147
15148 +#define FIPS_R_PR_TEST2_FAILURE 148
15149 +#define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 130
15150 +#define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 131
15151 +#define FIPS_R_RESEED_COUNTER_ERROR 132
15152 +#define FIPS_R_RESEED_ERROR 133
15153 +#define FIPS_R_RSA_DECRYPT_ERROR /* unused */ 115
15154 +#define FIPS_R_RSA_ENCRYPT_ERROR /* unused */ 116
15155 +#define FIPS_R_SELFTEST_FAILED 101
15156 +#define FIPS_R_SELFTEST_FAILURE 135
15157 +#define FIPS_R_STRENGTH_ERROR_UNDETECTED 136
15158 +#define FIPS_R_TEST_FAILURE 117
15159 +#define FIPS_R_UNINSTANTIATE_ERROR 141
15160 +#define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 138
15161 +#define FIPS_R_UNSUPPORTED_DRBG_TYPE 139
15162 +#define FIPS_R_UNSUPPORTED_PLATFORM 113
15164 +#ifdef __cplusplus
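Review bot: The `FIPS_ERROR_IGNORED(alg)` macro ends its expansion with a semicolon, so `FIPS_ERROR_IGNORED("x");` expands to `OpenSSLDie(...);;` and an unbraced `if (...) FIPS_ERROR_IGNORED("x"); else ...` will not compile; drop the trailing `;` from the macro body and let the call site supply it: `#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, alg " previous FIPS forbidden algorithm error ignored")`. Several function and reason codes marked `/* unused */` reuse numbers that live codes also carry — `FIPS_F_FIPS_DSA_CHECK` and `FIPS_F_DSA_BUILTIN_PARAMGEN2` are both 107, `FIPS_F_FIPS_MODE_SET` and `FIPS_F_FIPS_MODULE_MODE_SET` both 108, `FIPS_F_FIPS_SELFTEST_RNG` and `FIPS_F_FIPS_SELFTEST_X931` both 114, `FIPS_F_SSLEAY_RAND_BYTES` and `FIPS_F_FIPS_RAND_BYTES` both 122, and the reason codes 103, 104, 105, 115 and 116 are each shared the same way — and the string table loaded by `ERR_load_FIPS_strings` can map each number to only one name, so any caller that still raises an "unused" code is reported under the other name. Since this block is mkerr.pl output, the right fix is to remove the stale entries from the error source so the generated header no longer carries them, rather than editing the header by hand. The `#error FIPS is disabled.` under `#ifndef OPENSSL_FIPS` makes the following `#ifdef OPENSSL_FIPS` guard redundant; harmless, but worth a one-line comment if it is kept to ease merges with upstream.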
15168 diff -up openssl-1.0.1b/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.1b/crypto/fips/fips_hmac_selftest.c
15169 --- openssl-1.0.1b/crypto/fips/fips_hmac_selftest.c.fips 2012-04-26 18:00:51.405769408 +0200
15170 +++ openssl-1.0.1b/crypto/fips/fips_hmac_selftest.c 2012-04-26 18:00:51.405769408 +0200
15172 +/* ====================================================================
15173 + * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
15175 + * Redistribution and use in source and binary forms, with or without
15176 + * modification, are permitted provided that the following conditions
15179 + * 1. Redistributions of source code must retain the above copyright
15180 + * notice, this list of conditions and the following disclaimer.
15182 + * 2. Redistributions in binary form must reproduce the above copyright
15183 + * notice, this list of conditions and the following disclaimer in
15184 + * the documentation and/or other materials provided with the
15187 + * 3. All advertising materials mentioning features or use of this
15188 + * software must display the following acknowledgment:
15189 + * "This product includes software developed by the OpenSSL Project
15190 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
15192 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
15193 + * endorse or promote products derived from this software without
15194 + * prior written permission. For written permission, please contact
15195 + * openssl-core@openssl.org.
15197 + * 5. Products derived from this software may not be called "OpenSSL"
15198 + * nor may "OpenSSL" appear in their names without prior written
15199 + * permission of the OpenSSL Project.
15201 + * 6. Redistributions of any form whatsoever must retain the following
15202 + * acknowledgment:
15203 + * "This product includes software developed by the OpenSSL Project
15204 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
15206 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
15207 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15208 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
15209 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
15210 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
15211 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
15212 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
15213 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
15214 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
15215 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
15216 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
15217 + * OF THE POSSIBILITY OF SUCH DAMAGE.
15221 +#include <string.h>
15222 +#include <openssl/err.h>
15223 +#ifdef OPENSSL_FIPS
15224 +#include <openssl/fips.h>
15226 +#include <openssl/hmac.h>
15228 +#ifdef OPENSSL_FIPS
15230 + const EVP_MD *(*alg)(void);
15231 + const char *key, *iv;
15232 + unsigned char kaval[EVP_MAX_MD_SIZE];
15235 +static const HMAC_KAT vector[] = {
15237 + /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */
15238 + "0123456789:;<=>?@ABC",
15240 + { 0x09,0x22,0xd3,0x40,0x5f,0xaa,0x3d,0x19,
15241 + 0x4f,0x82,0xa4,0x58,0x30,0x73,0x7d,0x5c,
15242 + 0xc6,0xc7,0x5d,0x24 }
15245 + /* just keep extending the above... */
15246 + "0123456789:;<=>?@ABC",
15248 + { 0xdd,0xef,0x0a,0x40,0xcb,0x7d,0x50,0xfb,
15249 + 0x6e,0xe6,0xce,0xa1,0x20,0xba,0x26,0xaa,
15250 + 0x08,0xf3,0x07,0x75,0x87,0xb8,0xad,0x1b,
15251 + 0x8c,0x8d,0x12,0xc7 }
15254 + "0123456789:;<=>?@ABC",
15256 + { 0xb8,0xf2,0x0d,0xb5,0x41,0xea,0x43,0x09,
15257 + 0xca,0x4e,0xa9,0x38,0x0c,0xd0,0xe8,0x34,
15258 + 0xf7,0x1f,0xbe,0x91,0x74,0xa2,0x61,0x38,
15259 + 0x0d,0xc1,0x7e,0xae,0x6a,0x34,0x51,0xd9 }
15262 + "0123456789:;<=>?@ABC",
15264 + { 0x08,0xbc,0xb0,0xda,0x49,0x1e,0x87,0xad,
15265 + 0x9a,0x1d,0x6a,0xce,0x23,0xc5,0x0b,0xf6,
15266 + 0xb7,0x18,0x06,0xa5,0x77,0xcd,0x49,0x04,
15267 + 0x89,0xf1,0xe6,0x23,0x44,0x51,0x51,0x9f,
15268 + 0x85,0x56,0x80,0x79,0x0c,0xbd,0x4d,0x50,
15269 + 0xa4,0x5f,0x29,0xe3,0x93,0xf0,0xe8,0x7f }
15272 + "0123456789:;<=>?@ABC",
15274 + { 0x80,0x9d,0x44,0x05,0x7c,0x5b,0x95,0x41,
15275 + 0x05,0xbd,0x04,0x13,0x16,0xdb,0x0f,0xac,
15276 + 0x44,0xd5,0xa4,0xd5,0xd0,0x89,0x2b,0xd0,
15277 + 0x4e,0x86,0x64,0x12,0xc0,0x90,0x77,0x68,
15278 + 0xf1,0x87,0xb7,0x7c,0x4f,0xae,0x2c,0x2f,
15279 + 0x21,0xa5,0xb5,0x65,0x9a,0x4f,0x4b,0xa7,
15280 + 0x47,0x02,0xa3,0xde,0x9b,0x51,0xf1,0x45,
15281 + 0xbd,0x4f,0x25,0x27,0x42,0x98,0x99,0x05 }
15285 +int FIPS_selftest_hmac()
15288 + unsigned int outlen;
15289 + unsigned char out[EVP_MAX_MD_SIZE];
15290 + const EVP_MD *md;
15291 + const HMAC_KAT *t;
15293 + for(n=0,t=vector; n<sizeof(vector)/sizeof(vector[0]); n++,t++)
15295 + md = (*t->alg)();
15296 + HMAC(md,t->key,strlen(t->key),
15297 + (const unsigned char *)t->iv,strlen(t->iv),
15300 + if(memcmp(out,t->kaval,outlen))
15302 + FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC,FIPS_R_SELFTEST_FAILED);
15309 diff -up openssl-1.0.1b/crypto/fips/fips_locl.h.fips openssl-1.0.1b/crypto/fips/fips_locl.h
15310 --- openssl-1.0.1b/crypto/fips/fips_locl.h.fips 2012-04-26 18:00:51.405769408 +0200
15311 +++ openssl-1.0.1b/crypto/fips/fips_locl.h 2012-04-26 18:00:51.405769408 +0200
15313 +/* ====================================================================
15314 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
15316 + * Redistribution and use in source and binary forms, with or without
15317 + * modification, are permitted provided that the following conditions
15320 + * 1. Redistributions of source code must retain the above copyright
15321 + * notice, this list of conditions and the following disclaimer.
15323 + * 2. Redistributions in binary form must reproduce the above copyright
15324 + * notice, this list of conditions and the following disclaimer in
15325 + * the documentation and/or other materials provided with the
15328 + * 3. All advertising materials mentioning features or use of this
15329 + * software must display the following acknowledgment:
15330 + * "This product includes software developed by the OpenSSL Project
15331 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
15333 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
15334 + * endorse or promote products derived from this software without
15335 + * prior written permission. For written permission, please contact
15336 + * openssl-core@openssl.org.
15338 + * 5. Products derived from this software may not be called "OpenSSL"
15339 + * nor may "OpenSSL" appear in their names without prior written
15340 + * permission of the OpenSSL Project.
15342 + * 6. Redistributions of any form whatsoever must retain the following
15343 + * acknowledgment:
15344 + * "This product includes software developed by the OpenSSL Project
15345 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
15347 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
15348 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15349 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
15350 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
15351 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
15352 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
15353 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
15354 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
15355 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
15356 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
15357 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
15358 + * OF THE POSSIBILITY OF SUCH DAMAGE.
15362 +#ifdef OPENSSL_FIPS
15364 +#ifdef __cplusplus
15368 +#define FIPS_MAX_CIPHER_TEST_SIZE 32
15369 +#define fips_load_key_component(key, comp, pre) \
15370 + key->comp = BN_bin2bn(pre##_##comp, sizeof(pre##_##comp), key->comp); \
15371 + if (!key->comp) \
15374 +#define fips_post_started(id, subid, ex) 1
15375 +#define fips_post_success(id, subid, ex) 1
15376 +#define fips_post_failed(id, subid, ex) 1
15377 +#define fips_post_corrupt(id, subid, ex) 1
15378 +#define fips_post_status() 1
15380 +#ifdef __cplusplus
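Review bot: `fips_load_key_component` expands to two statements (the `BN_bin2bn` assignment followed by an `if (!key->comp)` check) with no `do { ... } while (0)` wrapper, so a caller that writes `if (cond) fips_load_key_component(k, n, pre);` would run the failure check unconditionally; the tail of the macro is collapsed in this view, so I am assuming it ends in a `return`/`goto`. Wrapping the whole expansion in `do { ... } while (0)` makes it safe in every statement position. The `fips_post_started`/`fips_post_success`/`fips_post_failed`/`fips_post_corrupt`/`fips_post_status` macros are all hard-wired to `1`, which compiles the POST status callbacks out entirely; a one-line comment above them such as `/* POST callback hooks are stubbed out in this build: every hook reports success */` would stop a reader from looking for the real implementations.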
15384 diff -up openssl-1.0.1b/crypto/fips/fips_md.c.fips openssl-1.0.1b/crypto/fips/fips_md.c
15385 --- openssl-1.0.1b/crypto/fips/fips_md.c.fips 2012-04-26 18:00:51.405769408 +0200
15386 +++ openssl-1.0.1b/crypto/fips/fips_md.c 2012-04-26 18:00:51.405769408 +0200
15388 +/* fips/evp/fips_md.c */
15389 +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
15390 + * All rights reserved.
15392 + * This package is an SSL implementation written
15393 + * by Eric Young (eay@cryptsoft.com).
15394 + * The implementation was written so as to conform with Netscapes SSL.
15396 + * This library is free for commercial and non-commercial use as long as
15397 + * the following conditions are aheared to. The following conditions
15398 + * apply to all code found in this distribution, be it the RC4, RSA,
15399 + * lhash, DES, etc., code; not just the SSL code. The SSL documentation
15400 + * included with this distribution is covered by the same copyright terms
15401 + * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15403 + * Copyright remains Eric Young's, and as such any Copyright notices in
15404 + * the code are not to be removed.
15405 + * If this package is used in a product, Eric Young should be given attribution
15406 + * as the author of the parts of the library used.
15407 + * This can be in the form of a textual message at program startup or
15408 + * in documentation (online or textual) provided with the package.
15410 + * Redistribution and use in source and binary forms, with or without
15411 + * modification, are permitted provided that the following conditions
15413 + * 1. Redistributions of source code must retain the copyright
15414 + * notice, this list of conditions and the following disclaimer.
15415 + * 2. Redistributions in binary form must reproduce the above copyright
15416 + * notice, this list of conditions and the following disclaimer in the
15417 + * documentation and/or other materials provided with the distribution.
15418 + * 3. All advertising materials mentioning features or use of this software
15419 + * must display the following acknowledgement:
15420 + * "This product includes cryptographic software written by
15421 + * Eric Young (eay@cryptsoft.com)"
15422 + * The word 'cryptographic' can be left out if the rouines from the library
15423 + * being used are not cryptographic related :-).
15424 + * 4. If you include any Windows specific code (or a derivative thereof) from
15425 + * the apps directory (application code) you must include an acknowledgement:
15426 + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
15428 + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
15429 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15430 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
15431 + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
15432 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
15433 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
15434 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
15435 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
15436 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
15437 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
15440 + * The licence and distribution terms for any publically available version or
15441 + * derivative of this code cannot be changed. i.e. this code cannot simply be
15442 + * copied and put under another distribution licence
15443 + * [including the GNU Public Licence.]
15445 +/* ====================================================================
15446 + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
15448 + * Redistribution and use in source and binary forms, with or without
15449 + * modification, are permitted provided that the following conditions
15452 + * 1. Redistributions of source code must retain the above copyright
15453 + * notice, this list of conditions and the following disclaimer.
15455 + * 2. Redistributions in binary form must reproduce the above copyright
15456 + * notice, this list of conditions and the following disclaimer in
15457 + * the documentation and/or other materials provided with the
15460 + * 3. All advertising materials mentioning features or use of this
15461 + * software must display the following acknowledgment:
15462 + * "This product includes software developed by the OpenSSL Project
15463 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
15465 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
15466 + * endorse or promote products derived from this software without
15467 + * prior written permission. For written permission, please contact
15468 + * openssl-core@openssl.org.
15470 + * 5. Products derived from this software may not be called "OpenSSL"
15471 + * nor may "OpenSSL" appear in their names without prior written
15472 + * permission of the OpenSSL Project.
15474 + * 6. Redistributions of any form whatsoever must retain the following
15475 + * acknowledgment:
15476 + * "This product includes software developed by the OpenSSL Project
15477 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
15479 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
15480 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15481 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
15482 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
15483 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
15484 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
15485 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
15486 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
15487 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
15488 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
15489 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
15490 + * OF THE POSSIBILITY OF SUCH DAMAGE.
15491 + * ====================================================================
15493 + * This product includes cryptographic software written by Eric Young
15494 + * (eay@cryptsoft.com). This product includes software written by Tim
15495 + * Hudson (tjh@cryptsoft.com).
15499 +/* Minimal standalone FIPS versions of Digest operations */
15501 +#define OPENSSL_FIPSAPI
15503 +#include <stdio.h>
15504 +#include <string.h>
15505 +#include <openssl/objects.h>
15506 +#include <openssl/evp.h>
15507 +#include <openssl/err.h>
15508 +#include <openssl/fips.h>
15510 +const EVP_MD *FIPS_get_digestbynid(int nid)
15515 + return EVP_sha1();
15518 + return EVP_sha224();
15521 + return EVP_sha256();
15524 + return EVP_sha384();
15527 + return EVP_sha512();
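Review bot: `FIPS_get_digestbynid` has no comment stating what it returns for a NID outside the SHA-1/SHA-2 cases shown, and the `default` branch is collapsed in this view so the contract cannot be confirmed from here. A header comment such as `/* Map a digest NID to its FIPS-approved EVP_MD; returns NULL for any digest not in the SHA family, so callers must check the result */` would make the allowed set explicit (hedge the NULL claim if the default does something else). The file-path comment at the top reads `fips/evp/fips_md.c` while the file is added as `crypto/fips/fips_md.c`; it should be corrected to match.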
15533 diff -up openssl-1.0.1b/crypto/fips/fips_post.c.fips openssl-1.0.1b/crypto/fips/fips_post.c
15534 --- openssl-1.0.1b/crypto/fips/fips_post.c.fips 2012-04-26 18:00:51.406769429 +0200
15535 +++ openssl-1.0.1b/crypto/fips/fips_post.c 2012-04-26 18:00:51.406769429 +0200
15537 +/* ====================================================================
15538 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
15540 + * Redistribution and use in source and binary forms, with or without
15541 + * modification, are permitted provided that the following conditions
15544 + * 1. Redistributions of source code must retain the above copyright
15545 + * notice, this list of conditions and the following disclaimer.
15547 + * 2. Redistributions in binary form must reproduce the above copyright
15548 + * notice, this list of conditions and the following disclaimer in
15549 + * the documentation and/or other materials provided with the
15552 + * 3. All advertising materials mentioning features or use of this
15553 + * software must display the following acknowledgment:
15554 + * "This product includes software developed by the OpenSSL Project
15555 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
15557 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
15558 + * endorse or promote products derived from this software without
15559 + * prior written permission. For written permission, please contact
15560 + * openssl-core@openssl.org.
15562 + * 5. Products derived from this software may not be called "OpenSSL"
15563 + * nor may "OpenSSL" appear in their names without prior written
15564 + * permission of the OpenSSL Project.
15566 + * 6. Redistributions of any form whatsoever must retain the following
15567 + * acknowledgment:
15568 + * "This product includes software developed by the OpenSSL Project
15569 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
15571 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
15572 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15573 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
15574 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
15575 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
15576 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
15577 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
15578 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
15579 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
15580 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
15581 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
15582 + * OF THE POSSIBILITY OF SUCH DAMAGE.
15586 +#define OPENSSL_FIPSAPI
15588 +#include <openssl/crypto.h>
15589 +#include <openssl/rand.h>
15590 +#include <openssl/fips_rand.h>
15591 +#include <openssl/err.h>
15592 +#include <openssl/bio.h>
15593 +#include <openssl/hmac.h>
15594 +#include <openssl/rsa.h>
15595 +#include <openssl/dsa.h>
15596 +#include <string.h>
15597 +#include <limits.h>
15599 +#ifdef OPENSSL_FIPS
15601 +/* Power on self test (POST) support functions */
15603 +#include <openssl/fips.h>
15604 +#include "fips_locl.h"
15606 +/* Run all selftests */
15607 +int FIPS_selftest(void)
15610 + if (!FIPS_selftest_drbg())
15612 + if (!FIPS_selftest_x931())
15614 + if (!FIPS_selftest_sha1())
15616 + if (!FIPS_selftest_sha2())
15618 + if (!FIPS_selftest_hmac())
15620 + if (!FIPS_selftest_cmac())
15622 + if (!FIPS_selftest_aes())
15624 + if (!FIPS_selftest_aes_ccm())
15626 + if (!FIPS_selftest_aes_gcm())
15628 + if (!FIPS_selftest_aes_xts())
15630 + if (!FIPS_selftest_des())
15632 + if (!FIPS_selftest_rsa())
15634 + if (!FIPS_selftest_dsa())
15639 +/* Generalized public key test routine. Signs and verifies the data
15640 + * supplied in tbs using mesage digest md and setting option digest
15641 + * flags md_flags. If the 'kat' parameter is not NULL it will
15642 + * additionally check the signature matches it: a known answer test
15643 + * The string "fail_str" is used for identification purposes in case
15644 + * of failure. If "pkey" is NULL just perform a message digest check.
15647 +int fips_pkey_signature_test(EVP_PKEY *pkey,
15648 + const unsigned char *tbs, int tbslen,
15649 + const unsigned char *kat, unsigned int katlen,
15650 + const EVP_MD *digest, unsigned int md_flags,
15651 + const char *fail_str)
15654 + unsigned char sigtmp[256], *sig = sigtmp;
15655 + unsigned int siglen;
15657 + EVP_MD_CTX_init(&mctx);
15659 + if (digest == NULL)
15660 + digest = EVP_sha256();
15662 + if ((pkey->type == EVP_PKEY_RSA)
15663 + && (RSA_size(pkey->pkey.rsa) > sizeof(sigtmp)))
15665 + sig = OPENSSL_malloc(RSA_size(pkey->pkey.rsa));
15668 + FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST,ERR_R_MALLOC_FAILURE);
15673 + if (tbslen == -1)
15674 + tbslen = strlen((char *)tbs);
15677 + EVP_MD_CTX_set_flags(&mctx, md_flags);
15679 + if (!EVP_SignInit_ex(&mctx, digest, NULL))
15681 + if (!EVP_SignUpdate(&mctx, tbs, tbslen))
15683 + if (!EVP_SignFinal(&mctx, sig, &siglen, pkey))
15686 + if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen)))
15689 + if (!EVP_VerifyInit_ex(&mctx, digest, NULL))
15691 + if (!EVP_VerifyUpdate(&mctx, tbs, tbslen))
15693 + ret = EVP_VerifyFinal(&mctx, sig, siglen, pkey);
15696 + if (sig != sigtmp)
15697 + OPENSSL_free(sig);
15698 + EVP_MD_CTX_cleanup(&mctx);
15701 + FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST,FIPS_R_TEST_FAILURE);
15703 + ERR_add_error_data(2, "Type=", fail_str);
15709 +/* Generalized symmetric cipher test routine. Encrypt data, verify result
15710 + * against known answer, decrypt and compare with original plaintext.
15713 +int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
15714 + const unsigned char *key,
15715 + const unsigned char *iv,
15716 + const unsigned char *plaintext,
15717 + const unsigned char *ciphertext,
15720 + unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE];
15721 + unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE];
15723 + OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE);
15724 + memset(pltmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
15725 + memset(citmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
15727 + if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0)
15729 + if (EVP_Cipher(ctx, citmp, plaintext, len) <= 0)
15731 + if (memcmp(citmp, ciphertext, len))
15733 + if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0)
15735 + if (EVP_Cipher(ctx, pltmp, citmp, len) <= 0)
15737 + if (memcmp(pltmp, plaintext, len))
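Review bot: The header comment on `fips_pkey_signature_test` promises that a NULL `pkey` "just performs a message digest check", but `pkey->type` is dereferenced unconditionally in the RSA-size check a few lines into the body, so a NULL `pkey` crashes before any digest work; `EVP_SignFinal` with the same NULL would fail too, so the digest-only path does not exist. Either guard the check as `if (pkey && (pkey->type == EVP_PKEY_RSA) && (RSA_size(pkey->pkey.rsa) > sizeof(sigtmp)))` and add a real digest-only path, or drop that sentence from the comment so no self-test relies on it. The body of the `OPENSSL_malloc` failure branch and the `len` parameter line of `fips_cipher_test` are collapsed in this view, so I am assuming the malloc failure exits through the cleanup path.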
15742 diff -up openssl-1.0.1b/crypto/fips/fips_rand.c.fips openssl-1.0.1b/crypto/fips/fips_rand.c
15743 --- openssl-1.0.1b/crypto/fips/fips_rand.c.fips 2012-04-26 18:00:51.406769429 +0200
15744 +++ openssl-1.0.1b/crypto/fips/fips_rand.c 2012-04-26 18:00:51.406769429 +0200
15746 +/* ====================================================================
15747 + * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
15749 + * Redistribution and use in source and binary forms, with or without
15750 + * modification, are permitted provided that the following conditions
15753 + * 1. Redistributions of source code must retain the above copyright
15754 + * notice, this list of conditions and the following disclaimer.
15756 + * 2. Redistributions in binary form must reproduce the above copyright
15757 + * notice, this list of conditions and the following disclaimer in
15758 + * the documentation and/or other materials provided with the
15761 + * 3. All advertising materials mentioning features or use of this
15762 + * software must display the following acknowledgment:
15763 + * "This product includes software developed by the OpenSSL Project
15764 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
15766 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
15767 + * endorse or promote products derived from this software without
15768 + * prior written permission. For written permission, please contact
15769 + * openssl-core@openssl.org.
15771 + * 5. Products derived from this software may not be called "OpenSSL"
15772 + * nor may "OpenSSL" appear in their names without prior written
15773 + * permission of the OpenSSL Project.
15775 + * 6. Redistributions of any form whatsoever must retain the following
15776 + * acknowledgment:
15777 + * "This product includes software developed by the OpenSSL Project
15778 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
15780 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
15781 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15782 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
15783 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
15784 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
15785 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
15786 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
15787 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
15788 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
15789 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
15790 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
15791 + * OF THE POSSIBILITY OF SUCH DAMAGE.
15796 + * This is a FIPS approved AES PRNG based on ANSI X9.31 A.2.4.
15798 +#include <openssl/crypto.h>
15801 +/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't
15802 + be defined and gettimeofday() won't be declared with strict compilers
15803 + like DEC C in ANSI C mode. */
15804 +#ifndef _XOPEN_SOURCE_EXTENDED
15805 +#define _XOPEN_SOURCE_EXTENDED 1
15808 +#include <openssl/rand.h>
15809 +#include <openssl/aes.h>
15810 +#include <openssl/err.h>
15811 +#include <openssl/fips_rand.h>
15812 +#if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS))
15813 +# include <sys/time.h>
15815 +#if defined(OPENSSL_SYS_VXWORKS)
15816 +# include <time.h>
15818 +#include <assert.h>
15819 +#ifndef OPENSSL_SYS_WIN32
15820 +# ifdef OPENSSL_UNISTD
15821 +# include OPENSSL_UNISTD
15823 +# include <unistd.h>
15826 +#include <string.h>
15827 +#include <openssl/fips.h>
15828 +#include "fips_locl.h"
15830 +#ifdef OPENSSL_FIPS
15832 +void *OPENSSL_stderr(void);
15834 +#define AES_BLOCK_LENGTH 16
15837 +/* AES FIPS PRNG implementation */
15846 + unsigned long counter;
15849 + /* Temporary storage for key if it equals seed length */
15850 + unsigned char tmp_key[AES_BLOCK_LENGTH];
15851 + unsigned char V[AES_BLOCK_LENGTH];
15852 + unsigned char DT[AES_BLOCK_LENGTH];
15853 + unsigned char last[AES_BLOCK_LENGTH];
15856 +static FIPS_PRNG_CTX sctx;
15858 +static int fips_prng_fail = 0;
15860 +void FIPS_x931_stick(int onoff)
15862 + fips_prng_fail = onoff;
15865 +void FIPS_rng_stick(void)
15867 + FIPS_x931_stick(1);
15870 +static void fips_rand_prng_reset(FIPS_PRNG_CTX *ctx)
15874 + ctx->test_mode = 0;
15875 + ctx->counter = 0;
15879 + OPENSSL_cleanse(ctx->V, AES_BLOCK_LENGTH);
15880 + OPENSSL_cleanse(&ctx->ks, sizeof(AES_KEY));
15884 +static int fips_set_prng_key(FIPS_PRNG_CTX *ctx,
15885 + const unsigned char *key, unsigned int keylen)
15887 + if (FIPS_selftest_failed())
15889 + FIPSerr(FIPS_F_FIPS_SET_PRNG_KEY, FIPS_R_SELFTEST_FAILED);
15892 + if (keylen != 16 && keylen != 24 && keylen != 32)
15894 + /* error: invalid key size */
15897 + AES_set_encrypt_key(key, keylen << 3, &ctx->ks);
15898 + if (keylen == 16)
15900 + memcpy(ctx->tmp_key, key, 16);
15910 +static int fips_set_prng_seed(FIPS_PRNG_CTX *ctx,
15911 + const unsigned char *seed, unsigned int seedlen)
15916 + /* In test mode seed is just supplied data */
15917 + if (ctx->test_mode)
15919 + if (seedlen != AES_BLOCK_LENGTH)
15921 + memcpy(ctx->V, seed, AES_BLOCK_LENGTH);
15925 + /* Outside test mode XOR supplied data with existing seed */
15926 + for (i = 0; i < seedlen; i++)
15928 + ctx->V[ctx->vpos++] ^= seed[i];
15929 + if (ctx->vpos == AES_BLOCK_LENGTH)
15932 + /* Special case if first seed and key length equals
15933 + * block size check key and seed do not match.
15935 + if (ctx->keyed == 2)
15937 + if (!memcmp(ctx->tmp_key, ctx->V, 16))
15939 + RANDerr(RAND_F_FIPS_SET_PRNG_SEED,
15940 + RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY);
15943 + OPENSSL_cleanse(ctx->tmp_key, 16);
15952 +static int fips_set_test_mode(FIPS_PRNG_CTX *ctx)
15956 + RANDerr(RAND_F_FIPS_SET_TEST_MODE,RAND_R_PRNG_KEYED);
15959 + ctx->test_mode = 1;
15963 +int FIPS_x931_test_mode(void)
15965 + return fips_set_test_mode(&sctx);
15968 +int FIPS_rand_test_mode(void)
15970 + return fips_set_test_mode(&sctx);
15974 +int FIPS_x931_set_dt(unsigned char *dt)
15976 + if (!sctx.test_mode)
15978 + RANDerr(RAND_F_FIPS_X931_SET_DT,RAND_R_NOT_IN_TEST_MODE);
15981 + memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
15985 +int FIPS_rand_set_dt(unsigned char *dt)
15987 + if (!sctx.test_mode)
15989 + RANDerr(RAND_F_FIPS_RAND_SET_DT,RAND_R_NOT_IN_TEST_MODE);
15992 + memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
15996 +void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr)
15998 +#ifdef OPENSSL_SYS_WIN32
16000 +#elif defined(OPENSSL_SYS_VXWORKS)
16001 + struct timespec ts;
16003 + struct timeval tv;
16006 +#ifndef GETPID_IS_MEANINGLESS
16007 + unsigned long pid;
16010 +#ifdef OPENSSL_SYS_WIN32
16011 + GetSystemTimeAsFileTime(&ft);
16012 + buf[0] = (unsigned char) (ft.dwHighDateTime & 0xff);
16013 + buf[1] = (unsigned char) ((ft.dwHighDateTime >> 8) & 0xff);
16014 + buf[2] = (unsigned char) ((ft.dwHighDateTime >> 16) & 0xff);
16015 + buf[3] = (unsigned char) ((ft.dwHighDateTime >> 24) & 0xff);
16016 + buf[4] = (unsigned char) (ft.dwLowDateTime & 0xff);
16017 + buf[5] = (unsigned char) ((ft.dwLowDateTime >> 8) & 0xff);
16018 + buf[6] = (unsigned char) ((ft.dwLowDateTime >> 16) & 0xff);
16019 + buf[7] = (unsigned char) ((ft.dwLowDateTime >> 24) & 0xff);
16020 +#elif defined(OPENSSL_SYS_VXWORKS)
16021 + clock_gettime(CLOCK_REALTIME, &ts);
16022 + buf[0] = (unsigned char) (ts.tv_sec & 0xff);
16023 + buf[1] = (unsigned char) ((ts.tv_sec >> 8) & 0xff);
16024 + buf[2] = (unsigned char) ((ts.tv_sec >> 16) & 0xff);
16025 + buf[3] = (unsigned char) ((ts.tv_sec >> 24) & 0xff);
16026 + buf[4] = (unsigned char) (ts.tv_nsec & 0xff);
16027 + buf[5] = (unsigned char) ((ts.tv_nsec >> 8) & 0xff);
16028 + buf[6] = (unsigned char) ((ts.tv_nsec >> 16) & 0xff);
16029 + buf[7] = (unsigned char) ((ts.tv_nsec >> 24) & 0xff);
16031 + gettimeofday(&tv,NULL);
16032 + buf[0] = (unsigned char) (tv.tv_sec & 0xff);
16033 + buf[1] = (unsigned char) ((tv.tv_sec >> 8) & 0xff);
16034 + buf[2] = (unsigned char) ((tv.tv_sec >> 16) & 0xff);
16035 + buf[3] = (unsigned char) ((tv.tv_sec >> 24) & 0xff);
16036 + buf[4] = (unsigned char) (tv.tv_usec & 0xff);
16037 + buf[5] = (unsigned char) ((tv.tv_usec >> 8) & 0xff);
16038 + buf[6] = (unsigned char) ((tv.tv_usec >> 16) & 0xff);
16039 + buf[7] = (unsigned char) ((tv.tv_usec >> 24) & 0xff);
16041 + buf[8] = (unsigned char) (*pctr & 0xff);
16042 + buf[9] = (unsigned char) ((*pctr >> 8) & 0xff);
16043 + buf[10] = (unsigned char) ((*pctr >> 16) & 0xff);
16044 + buf[11] = (unsigned char) ((*pctr >> 24) & 0xff);
16049 +#ifndef GETPID_IS_MEANINGLESS
16050 + pid=(unsigned long)getpid();
16051 + buf[12] = (unsigned char) (pid & 0xff);
16052 + buf[13] = (unsigned char) ((pid >> 8) & 0xff);
16053 + buf[14] = (unsigned char) ((pid >> 16) & 0xff);
16054 + buf[15] = (unsigned char) ((pid >> 24) & 0xff);
16058 +static int fips_rand(FIPS_PRNG_CTX *ctx,
16059 + unsigned char *out, unsigned int outlen)
16061 + unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
16062 + unsigned char tmp[AES_BLOCK_LENGTH];
16066 + RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR);
16071 + RANDerr(RAND_F_FIPS_RAND,RAND_R_NO_KEY_SET);
16074 + if (!ctx->seeded)
16076 + RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_NOT_SEEDED);
16081 + if (!ctx->test_mode)
16082 + FIPS_get_timevec(ctx->DT, &ctx->counter);
16083 + AES_encrypt(ctx->DT, I, &ctx->ks);
16084 + for (i = 0; i < AES_BLOCK_LENGTH; i++)
16085 + tmp[i] = I[i] ^ ctx->V[i];
16086 + AES_encrypt(tmp, R, &ctx->ks);
16087 + for (i = 0; i < AES_BLOCK_LENGTH; i++)
16088 + tmp[i] = R[i] ^ I[i];
16089 + AES_encrypt(tmp, ctx->V, &ctx->ks);
16090 + /* Continuous PRNG test */
16093 + if (fips_prng_fail)
16094 + memcpy(ctx->last, R, AES_BLOCK_LENGTH);
16095 + if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH))
16097 + RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
16099 + fips_set_selftest_fail();
16103 + memcpy(ctx->last, R, AES_BLOCK_LENGTH);
16104 + if (!ctx->second)
16107 + if (!ctx->test_mode)
16111 + if (outlen <= AES_BLOCK_LENGTH)
16113 + memcpy(out, R, outlen);
16117 + memcpy(out, R, AES_BLOCK_LENGTH);
16118 + out += AES_BLOCK_LENGTH;
16119 + outlen -= AES_BLOCK_LENGTH;
16125 +int FIPS_x931_set_key(const unsigned char *key, int keylen)
16128 + CRYPTO_w_lock(CRYPTO_LOCK_RAND);
16129 + ret = fips_set_prng_key(&sctx, key, keylen);
16130 + CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
16134 +int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen)
16136 + return FIPS_x931_set_key(key, keylen);
16139 +int FIPS_x931_seed(const void *seed, int seedlen)
16142 + CRYPTO_w_lock(CRYPTO_LOCK_RAND);
16143 + ret = fips_set_prng_seed(&sctx, seed, seedlen);
16144 + CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
16149 +int FIPS_x931_bytes(unsigned char *out, int count)
16152 + CRYPTO_w_lock(CRYPTO_LOCK_RAND);
16153 + ret = fips_rand(&sctx, out, count);
16154 + CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
16158 +int FIPS_x931_status(void)
16161 + CRYPTO_r_lock(CRYPTO_LOCK_RAND);
16162 + ret = sctx.seeded;
16163 + CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
16167 +void FIPS_x931_reset(void)
16169 + CRYPTO_w_lock(CRYPTO_LOCK_RAND);
16170 + fips_rand_prng_reset(&sctx);
16171 + CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
16174 +static int fips_do_rand_seed(const void *seed, int seedlen)
16176 + FIPS_x931_seed(seed, seedlen);
16180 +static int fips_do_rand_add(const void *seed, int seedlen,
16181 + double add_entropy)
16183 + FIPS_x931_seed(seed, seedlen);
16187 +static const RAND_METHOD rand_x931_meth=
16189 + fips_do_rand_seed,
16192 + fips_do_rand_add,
16197 +const RAND_METHOD *FIPS_x931_method(void)
16199 + return &rand_x931_meth;
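Review bot: `FIPS_x931_seed` and `FIPS_x931_bytes` take `int` lengths but hand them to `fips_set_prng_seed(..., unsigned int seedlen)` and `fips_rand(..., unsigned int outlen)`, so a negative `seedlen` or `count` becomes a huge unsigned value and the `for (i = 0; i < seedlen; i++)` loop and the `outlen -= AES_BLOCK_LENGTH` output loop would read past `seed` or write past `out`. Rejecting negatives at the public boundary, `if (seedlen < 0) return 0;` in `FIPS_x931_seed` and `if (count < 0) return 0;` in `FIPS_x931_bytes`, closes this before the conversion happens. `fips_do_rand_seed` and `fips_do_rand_add` also discard the return value of `FIPS_x931_seed`, so a rejected seed (for example seed matching key, or the PRNG not keyed) is silently swallowed; their return lines are collapsed here, so if they unconditionally return 1 they should return the `FIPS_x931_seed` result instead.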
16203 diff -up openssl-1.0.1b/crypto/fips/fips_rand.h.fips openssl-1.0.1b/crypto/fips/fips_rand.h
16204 --- openssl-1.0.1b/crypto/fips/fips_rand.h.fips 2012-04-26 18:00:51.406769429 +0200
16205 +++ openssl-1.0.1b/crypto/fips/fips_rand.h 2012-04-26 18:00:51.406769429 +0200
16207 +/* ====================================================================
16208 + * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
16210 + * Redistribution and use in source and binary forms, with or without
16211 + * modification, are permitted provided that the following conditions
16214 + * 1. Redistributions of source code must retain the above copyright
16215 + * notice, this list of conditions and the following disclaimer.
16217 + * 2. Redistributions in binary form must reproduce the above copyright
16218 + * notice, this list of conditions and the following disclaimer in
16219 + * the documentation and/or other materials provided with the
16222 + * 3. All advertising materials mentioning features or use of this
16223 + * software must display the following acknowledgment:
16224 + * "This product includes software developed by the OpenSSL Project
16225 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
16227 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
16228 + * endorse or promote products derived from this software without
16229 + * prior written permission. For written permission, please contact
16230 + * openssl-core@openssl.org.
16232 + * 5. Products derived from this software may not be called "OpenSSL"
16233 + * nor may "OpenSSL" appear in their names without prior written
16234 + * permission of the OpenSSL Project.
16236 + * 6. Redistributions of any form whatsoever must retain the following
16237 + * acknowledgment:
16238 + * "This product includes software developed by the OpenSSL Project
16239 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
16241 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
16242 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16243 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16244 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
16245 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
16246 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
16247 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
16248 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
16249 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
16250 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
16251 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
16252 + * OF THE POSSIBILITY OF SUCH DAMAGE.
16256 +#ifndef HEADER_FIPS_RAND_H
16257 +#define HEADER_FIPS_RAND_H
16259 +#include <openssl/aes.h>
16260 +#include <openssl/evp.h>
16261 +#include <openssl/hmac.h>
16262 +#include <openssl/rand.h>
16264 +#ifdef OPENSSL_FIPS
16266 +#ifdef __cplusplus
16270 +int FIPS_x931_set_key(const unsigned char *key, int keylen);
16271 +int FIPS_x931_seed(const void *buf, int num);
16272 +int FIPS_x931_bytes(unsigned char *out, int outlen);
16274 +int FIPS_x931_test_mode(void);
16275 +void FIPS_x931_reset(void);
16276 +int FIPS_x931_set_dt(unsigned char *dt);
16278 +int FIPS_x931_status(void);
16280 +const RAND_METHOD *FIPS_x931_method(void);
16282 +typedef struct drbg_ctx_st DRBG_CTX;
16283 +/* DRBG external flags */
16284 +/* Flag for CTR mode only: use derivation function ctr_df */
16285 +#define DRBG_FLAG_CTR_USE_DF 0x1
16286 +/* PRNG is in test state */
16287 +#define DRBG_FLAG_TEST 0x2
16289 +DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags);
16290 +int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags);
16291 +int FIPS_drbg_instantiate(DRBG_CTX *dctx,
16292 + const unsigned char *pers, size_t perslen);
16293 +int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin, size_t adinlen);
16294 +int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
16295 + int prediction_resistance,
16296 + const unsigned char *adin, size_t adinlen);
16298 +int FIPS_drbg_uninstantiate(DRBG_CTX *dctx);
16299 +void FIPS_drbg_free(DRBG_CTX *dctx);
16301 +int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
16302 + size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
16303 + int entropy, size_t min_len, size_t max_len),
16304 + void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
16305 + size_t entropy_blocklen,
16306 + size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
16307 + int entropy, size_t min_len, size_t max_len),
16308 + void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen));
16310 +int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
16311 + size_t (*get_adin)(DRBG_CTX *ctx, unsigned char **pout),
16312 + void (*cleanup_adin)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
16313 + int (*rand_seed_cb)(DRBG_CTX *ctx, const void *buf, int num),
16314 + int (*rand_add_cb)(DRBG_CTX *ctx,
16315 + const void *buf, int num, double entropy));
16317 +void *FIPS_drbg_get_app_data(DRBG_CTX *ctx);
16318 +void FIPS_drbg_set_app_data(DRBG_CTX *ctx, void *app_data);
16319 +size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx);
16320 +int FIPS_drbg_get_strength(DRBG_CTX *dctx);
16321 +void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval);
16322 +void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval);
16324 +int FIPS_drbg_health_check(DRBG_CTX *dctx);
16326 +DRBG_CTX *FIPS_get_default_drbg(void);
16327 +const RAND_METHOD *FIPS_drbg_method(void);
16330 +int FIPS_rand_set_method(const RAND_METHOD *meth);
16331 +const RAND_METHOD *FIPS_rand_get_method(void);
16333 +void FIPS_rand_set_bits(int nbits);
16335 +int FIPS_rand_strength(void);
16337 +/* 1.0.0 compat functions */
16338 +int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen);
16339 +int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num);
16340 +int FIPS_rand_bytes(unsigned char *out, FIPS_RAND_SIZE_T outlen);
16341 +int FIPS_rand_test_mode(void);
16342 +void FIPS_rand_reset(void);
16343 +int FIPS_rand_set_dt(unsigned char *dt);
16344 +int FIPS_rand_status(void);
16345 +const RAND_METHOD *FIPS_rand_method(void);
16347 +#ifdef __cplusplus
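Review bot: `FIPS_x931_set_dt(unsigned char *dt)` (line 16276) and `FIPS_rand_set_dt(unsigned char *dt)` (line 16343) declare an input-only pointer without `const`, unlike every other input pointer in this header (`const unsigned char *key`, `const void *buf`), so a caller holding a `const` test vector cannot pass it without a cast. Suggest `int FIPS_x931_set_dt(const unsigned char *dt);` and `int FIPS_rand_set_dt(const unsigned char *dt);` with the matching definitions updated. `FIPS_RAND_SIZE_T`, used by the 1.0.0 compat prototypes at lines 16338–16340, is not defined in the lines shown here; if no included header provides it, it needs a definition above its first use. The hunk also does not declare `FIPS_rand_add` or `FIPS_rand_pseudo_bytes`, which fips_rand_lib.c later in this patch defines with external linkage; if they are not declared in another public header they belong here next to `FIPS_rand_seed`/`FIPS_rand_bytes`.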
16352 diff -up openssl-1.0.1b/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.1b/crypto/fips/fips_rand_lcl.h
16353 --- openssl-1.0.1b/crypto/fips/fips_rand_lcl.h.fips 2012-04-26 18:00:51.406769429 +0200
16354 +++ openssl-1.0.1b/crypto/fips/fips_rand_lcl.h 2012-04-26 18:00:51.406769429 +0200
16356 +/* fips/rand/fips_rand_lcl.h */
16357 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
16360 +/* ====================================================================
16361 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
16363 + * Redistribution and use in source and binary forms, with or without
16364 + * modification, are permitted provided that the following conditions
16367 + * 1. Redistributions of source code must retain the above copyright
16368 + * notice, this list of conditions and the following disclaimer.
16370 + * 2. Redistributions in binary form must reproduce the above copyright
16371 + * notice, this list of conditions and the following disclaimer in
16372 + * the documentation and/or other materials provided with the
16375 + * 3. All advertising materials mentioning features or use of this
16376 + * software must display the following acknowledgment:
16377 + * "This product includes software developed by the OpenSSL Project
16378 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
16380 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
16381 + * endorse or promote products derived from this software without
16382 + * prior written permission. For written permission, please contact
16383 + * licensing@OpenSSL.org.
16385 + * 5. Products derived from this software may not be called "OpenSSL"
16386 + * nor may "OpenSSL" appear in their names without prior written
16387 + * permission of the OpenSSL Project.
16389 + * 6. Redistributions of any form whatsoever must retain the following
16390 + * acknowledgment:
16391 + * "This product includes software developed by the OpenSSL Project
16392 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
16394 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
16395 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16396 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16397 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
16398 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
16399 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
16400 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
16401 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
16402 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
16403 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
16404 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
16405 + * OF THE POSSIBILITY OF SUCH DAMAGE.
16406 + * ====================================================================
16409 +typedef struct drbg_hash_ctx_st DRBG_HASH_CTX;
16410 +typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX;
16411 +typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX;
16413 +/* 888 bits from 10.1 table 2 */
16414 +#define HASH_PRNG_MAX_SEEDLEN 111
16416 +struct drbg_hash_ctx_st
16418 + const EVP_MD *md;
16420 + unsigned char V[HASH_PRNG_MAX_SEEDLEN];
16421 + unsigned char C[HASH_PRNG_MAX_SEEDLEN];
16422 + /* Temporary value storage: should always exceed max digest length */
16423 + unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN];
16426 +struct drbg_hmac_ctx_st
16428 + const EVP_MD *md;
16430 + unsigned char K[EVP_MAX_MD_SIZE];
16431 + unsigned char V[EVP_MAX_MD_SIZE];
16434 +struct drbg_ctr_ctx_st
16438 + unsigned char K[32];
16439 + unsigned char V[16];
16440 + /* Temp variables used by derivation function */
16443 + /* Temporary block storage used by ctr_df */
16444 + unsigned char bltmp[16];
16445 + size_t bltmp_pos;
16446 + unsigned char KX[48];
16449 +/* DRBG internal flags */
16451 +/* Functions shouldn't call err library */
16452 +#define DRBG_FLAG_NOERR 0x1
16453 +/* Custom reseed checking */
16454 +#define DRBG_CUSTOM_RESEED 0x2
16456 +/* DRBG status values */
16457 +/* not initialised */
16458 +#define DRBG_STATUS_UNINITIALISED 0
16459 +/* ok and ready to generate random bits */
16460 +#define DRBG_STATUS_READY 1
16461 +/* reseed required */
16462 +#define DRBG_STATUS_RESEED 2
16463 +/* fatal error condition */
16464 +#define DRBG_STATUS_ERROR 3
16466 +/* A default maximum length: larger than any reasonable value used in pratice */
16468 +#define DRBG_MAX_LENGTH 0x7ffffff0
16469 +/* Maximum DRBG block length: all md sizes are bigger than cipher blocks sizes
16470 + * so use max digest length.
16472 +#define DRBG_MAX_BLOCK EVP_MAX_MD_SIZE
16474 +#define DRBG_HEALTH_INTERVAL (1 << 24)
16476 +/* DRBG context structure */
16478 +struct drbg_ctx_st
16480 + /* First types common to all implementations */
16481 + /* DRBG type: a NID for the underlying algorithm */
16483 + /* Various external flags */
16484 + unsigned int xflags;
16485 + /* Various internal use only flags */
16486 + unsigned int iflags;
16487 + /* Used for periodic health checks */
16488 + int health_check_cnt, health_check_interval;
16490 + /* The following parameters are setup by mechanism drbg_init() call */
16492 + size_t blocklength;
16493 + size_t max_request;
16495 + size_t min_entropy, max_entropy;
16496 + size_t min_nonce, max_nonce;
16497 + size_t max_pers, max_adin;
16498 + unsigned int reseed_counter;
16499 + unsigned int reseed_interval;
16502 + /* Application data: typically used by test get_entropy */
16504 + /* Implementation specific structures */
16507 + DRBG_HASH_CTX hash;
16508 + DRBG_HMAC_CTX hmac;
16509 + DRBG_CTR_CTX ctr;
16511 + /* Initialiase PRNG and setup callbacks below */
16512 + int (*init)(DRBG_CTX *ctx, int nid, int security, unsigned int flags);
16513 + /* Intantiate PRNG */
16514 + int (*instantiate)(DRBG_CTX *ctx,
16515 + const unsigned char *ent, size_t entlen,
16516 + const unsigned char *nonce, size_t noncelen,
16517 + const unsigned char *pers, size_t perslen);
16519 + int (*reseed)(DRBG_CTX *ctx,
16520 + const unsigned char *ent, size_t entlen,
16521 + const unsigned char *adin, size_t adinlen);
16522 + /* generat output */
16523 + int (*generate)(DRBG_CTX *ctx,
16524 + unsigned char *out, size_t outlen,
16525 + const unsigned char *adin, size_t adinlen);
16526 + /* uninstantiate */
16527 + int (*uninstantiate)(DRBG_CTX *ctx);
16529 + /* Entropy source block length */
16530 + size_t entropy_blocklen;
16532 + /* entropy gathering function */
16533 + size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
16534 + int entropy, size_t min_len, size_t max_len);
16535 + /* Indicates we have finished with entropy buffer */
16536 + void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen);
16538 + /* nonce gathering function */
16539 + size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
16540 + int entropy, size_t min_len, size_t max_len);
16541 + /* Indicates we have finished with nonce buffer */
16542 + void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen);
16544 + /* Continuous random number test temporary area */
16546 + unsigned char lb[EVP_MAX_MD_SIZE];
16547 + /* set if lb is valid */
16550 + /* Callbacks used when called through RAND interface */
16551 + /* Get any additional input for generate */
16552 + size_t (*get_adin)(DRBG_CTX *ctx, unsigned char **pout);
16553 + void (*cleanup_adin)(DRBG_CTX *ctx, unsigned char *out, size_t olen);
16554 + /* Callback for RAND_seed(), RAND_add() */
16555 + int (*rand_seed_cb)(DRBG_CTX *ctx, const void *buf, int num);
16556 + int (*rand_add_cb)(DRBG_CTX *ctx,
16557 + const void *buf, int num, double entropy);
16561 +int fips_drbg_ctr_init(DRBG_CTX *dctx);
16562 +int fips_drbg_hash_init(DRBG_CTX *dctx);
16563 +int fips_drbg_hmac_init(DRBG_CTX *dctx);
16564 +int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags);
16565 +int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out);
16567 +const struct env_md_st *FIPS_get_digestbynid(int nid);
16569 +const struct evp_cipher_st *FIPS_get_cipherbynid(int nid);
16571 +#define FIPS_digestinit EVP_DigestInit
16572 +#define FIPS_digestupdate EVP_DigestUpdate
16573 +#define FIPS_digestfinal EVP_DigestFinal
16574 +#define M_EVP_MD_size EVP_MD_size
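Review bot: `DRBG_CUSTOM_RESEED` at line 16454 breaks the `DRBG_FLAG_` naming used by its sibling `DRBG_FLAG_NOERR` and by the external flags in fips_rand.h, and both internal flags reuse the numeric values 0x1/0x2 of the external `DRBG_FLAG_CTR_USE_DF`/`DRBG_FLAG_TEST`. The two sets live in different fields (`xflags` vs `iflags` at lines 16484–16486), so this is not a defect, but a one-line comment next to `/* DRBG internal flags */` would stop someone OR-ing an internal flag into `xflags`, e.g. `/* Internal flags live in iflags only; values overlap the DRBG_FLAG_* external flags kept in xflags */`. Renaming to `DRBG_FLAG_CUSTOM_RESEED` would make the distinction visible at every use. The new comments also carry several typos worth fixing while the file is fresh: `pratice` (line 16466), `Initialiase` (16511), `Intantiate` (16513), `generat` (16522).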
16575 diff -up openssl-1.0.1b/crypto/fips/fips_rand_lib.c.fips openssl-1.0.1b/crypto/fips/fips_rand_lib.c
16576 --- openssl-1.0.1b/crypto/fips/fips_rand_lib.c.fips 2012-04-26 18:00:51.407769451 +0200
16577 +++ openssl-1.0.1b/crypto/fips/fips_rand_lib.c 2012-04-26 18:00:51.407769451 +0200
16579 +/* ====================================================================
16580 + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
16582 + * Redistribution and use in source and binary forms, with or without
16583 + * modification, are permitted provided that the following conditions
16586 + * 1. Redistributions of source code must retain the above copyright
16587 + * notice, this list of conditions and the following disclaimer.
16589 + * 2. Redistributions in binary form must reproduce the above copyright
16590 + * notice, this list of conditions and the following disclaimer in
16591 + * the documentation and/or other materials provided with the
16594 + * 3. All advertising materials mentioning features or use of this
16595 + * software must display the following acknowledgment:
16596 + * "This product includes software developed by the OpenSSL Project
16597 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
16599 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
16600 + * endorse or promote products derived from this software without
16601 + * prior written permission. For written permission, please contact
16602 + * openssl-core@openssl.org.
16604 + * 5. Products derived from this software may not be called "OpenSSL"
16605 + * nor may "OpenSSL" appear in their names without prior written
16606 + * permission of the OpenSSL Project.
16608 + * 6. Redistributions of any form whatsoever must retain the following
16609 + * acknowledgment:
16610 + * "This product includes software developed by the OpenSSL Project
16611 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
16613 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
16614 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16615 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16616 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
16617 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
16618 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
16619 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
16620 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
16621 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
16622 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
16623 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
16624 + * OF THE POSSIBILITY OF SUCH DAMAGE.
16628 +#include <openssl/crypto.h>
16629 +#include <openssl/rand.h>
16630 +#include <openssl/err.h>
16631 +#include <openssl/fips.h>
16632 +#include <openssl/fips_rand.h>
16635 +/* FIPS API for PRNG use. Similar to RAND functionality but without
16636 + * ENGINE and additional checking for non-FIPS rand methods.
16639 +static const RAND_METHOD *fips_rand_meth = NULL;
16640 +static int fips_approved_rand_meth = 0;
16641 +static int fips_rand_bits = 0;
16643 +/* Allows application to override number of bits and uses non-FIPS methods */
16644 +void FIPS_rand_set_bits(int nbits)
16646 + fips_rand_bits = nbits;
16649 +int FIPS_rand_set_method(const RAND_METHOD *meth)
16651 + if (!fips_rand_bits)
16653 + if (meth == FIPS_drbg_method())
16654 + fips_approved_rand_meth = 1;
16655 + else if (meth == FIPS_x931_method())
16656 + fips_approved_rand_meth = 2;
16659 + fips_approved_rand_meth = 0;
16660 + if (FIPS_module_mode())
16662 + FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD,
16663 + FIPS_R_NON_FIPS_METHOD);
16668 + fips_rand_meth = meth;
16672 +const RAND_METHOD *FIPS_rand_get_method(void)
16674 + return fips_rand_meth;
16677 +const RAND_METHOD *FIPS_rand_method(void)
16679 + return FIPS_rand_get_method();
16682 +void FIPS_rand_reset(void)
16684 + if (fips_rand_meth && fips_rand_meth->cleanup)
16685 + fips_rand_meth->cleanup();
16688 +int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num)
16690 + if (!fips_approved_rand_meth && FIPS_module_mode())
16692 + FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
16695 + if (fips_rand_meth && fips_rand_meth->seed)
16696 + fips_rand_meth->seed(buf,num);
16700 +void FIPS_rand_add(const void *buf, int num, double entropy)
16702 + if (!fips_approved_rand_meth && FIPS_module_mode())
16704 + FIPSerr(FIPS_F_FIPS_RAND_ADD, FIPS_R_NON_FIPS_METHOD);
16707 + if (fips_rand_meth && fips_rand_meth->add)
16708 + fips_rand_meth->add(buf,num,entropy);
16711 +int FIPS_rand_bytes(unsigned char *buf, FIPS_RAND_SIZE_T num)
16713 + if (!fips_approved_rand_meth && FIPS_module_mode())
16715 + FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
16718 + if (fips_rand_meth && fips_rand_meth->bytes)
16719 + return fips_rand_meth->bytes(buf,num);
16723 +int FIPS_rand_pseudo_bytes(unsigned char *buf, int num)
16725 + if (!fips_approved_rand_meth && FIPS_module_mode())
16727 + FIPSerr(FIPS_F_FIPS_RAND_PSEUDO_BYTES, FIPS_R_NON_FIPS_METHOD);
16730 + if (fips_rand_meth && fips_rand_meth->pseudorand)
16731 + return fips_rand_meth->pseudorand(buf,num);
16735 +int FIPS_rand_status(void)
16737 + if (!fips_approved_rand_meth && FIPS_module_mode())
16739 + FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
16742 + if (fips_rand_meth && fips_rand_meth->status)
16743 + return fips_rand_meth->status();
16747 +/* Return instantiated strength of PRNG. For DRBG this is an internal
16748 + * parameter. For X9.31 PRNG it is 80 bits (from SP800-131). Any other
16749 + * type of PRNG is not approved and returns 0 in FIPS mode and maximum
16750 + * 256 outside FIPS mode.
16753 +int FIPS_rand_strength(void)
16755 + if (fips_rand_bits)
16756 + return fips_rand_bits;
16757 + if (fips_approved_rand_meth == 1)
16758 + return FIPS_drbg_get_strength(FIPS_get_default_drbg());
16759 + else if (fips_approved_rand_meth == 2)
16761 + else if (fips_approved_rand_meth == 0)
16763 + if (FIPS_module_mode())
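Review bot: In `FIPS_rand_set_method` the classification of `meth` into `fips_approved_rand_meth` is skipped entirely when `fips_rand_bits` is non-zero (line 16651), so the flag keeps whatever value the previously installed method left behind, while `fips_rand_meth` is still replaced at line 16668; the `!fips_approved_rand_meth && FIPS_module_mode()` gates in `FIPS_rand_seed`, `FIPS_rand_add`, `FIPS_rand_bytes`, `FIPS_rand_pseudo_bytes` and `FIPS_rand_status` then describe the old method rather than the current one. If `FIPS_rand_set_bits` is only meant to suppress the non-FIPS-method rejection, as the comment at line 16643 suggests, classify unconditionally and gate just the error: `fips_approved_rand_meth = (meth == FIPS_drbg_method()) ? 1 : (meth == FIPS_x931_method()) ? 2 : 0;` followed by `if (!fips_approved_rand_meth && !fips_rand_bits && FIPS_module_mode()) { FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD, FIPS_R_NON_FIPS_METHOD); return 0; }`; if instead the override is meant to allow a non-FIPS method in FIPS mode, the other five gates need the same `!fips_rand_bits` condition. The early return inside the non-approved branch and the tail of `FIPS_rand_strength` are inferred from lines not shown here. Either way, the comment on `FIPS_rand_set_bits` should state that a non-zero override bypasses the approved-method check and is reported verbatim by `FIPS_rand_strength` (line 16755).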
16770 diff -up openssl-1.0.1b/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.1b/crypto/fips/fips_rand_selftest.c
16771 --- openssl-1.0.1b/crypto/fips/fips_rand_selftest.c.fips 2012-04-26 18:00:51.407769451 +0200
16772 +++ openssl-1.0.1b/crypto/fips/fips_rand_selftest.c 2012-04-26 18:00:51.407769451 +0200
16774 +/* ====================================================================
16775 + * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
16777 + * Redistribution and use in source and binary forms, with or without
16778 + * modification, are permitted provided that the following conditions
16781 + * 1. Redistributions of source code must retain the above copyright
16782 + * notice, this list of conditions and the following disclaimer.
16784 + * 2. Redistributions in binary form must reproduce the above copyright
16785 + * notice, this list of conditions and the following disclaimer in
16786 + * the documentation and/or other materials provided with the
16789 + * 3. All advertising materials mentioning features or use of this
16790 + * software must display the following acknowledgment:
16791 + * "This product includes software developed by the OpenSSL Project
16792 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
16794 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
16795 + * endorse or promote products derived from this software without
16796 + * prior written permission. For written permission, please contact
16797 + * openssl-core@openssl.org.
16799 + * 5. Products derived from this software may not be called "OpenSSL"
16800 + * nor may "OpenSSL" appear in their names without prior written
16801 + * permission of the OpenSSL Project.
16803 + * 6. Redistributions of any form whatsoever must retain the following
16804 + * acknowledgment:
16805 + * "This product includes software developed by the OpenSSL Project
16806 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
16808 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
16809 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16810 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16811 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
16812 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
16813 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
16814 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
16815 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
16816 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
16817 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
16818 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
16819 + * OF THE POSSIBILITY OF SUCH DAMAGE.
16823 +#include <string.h>
16824 +#include <openssl/err.h>
16825 +#include <openssl/fips.h>
16826 +#include <openssl/rand.h>
16827 +#include <openssl/fips_rand.h>
16828 +#include "fips_locl.h"
16830 +#ifdef OPENSSL_FIPS
16836 + unsigned char DT[16];
16837 + unsigned char V[16];
16838 + unsigned char R[16];
16841 +/* The following test vectors are taken directly from the RGNVS spec */
16843 +static unsigned char aes_128_key[16] =
16844 + {0xf3,0xb1,0x66,0x6d,0x13,0x60,0x72,0x42,
16845 + 0xed,0x06,0x1c,0xab,0xb8,0xd4,0x62,0x02};
16847 +static AES_PRNG_TV aes_128_tv =
16850 + {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
16851 + 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xf9},
16853 + {0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
16854 + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
16856 + {0x59,0x53,0x1e,0xd1,0x3b,0xb0,0xc0,0x55,
16857 + 0x84,0x79,0x66,0x85,0xc1,0x2f,0x76,0x41}
16860 +static unsigned char aes_192_key[24] =
16861 + {0x15,0xd8,0x78,0x0d,0x62,0xd3,0x25,0x6e,
16862 + 0x44,0x64,0x10,0x13,0x60,0x2b,0xa9,0xbc,
16863 + 0x4a,0xfb,0xca,0xeb,0x4c,0x8b,0x99,0x3b};
16865 +static AES_PRNG_TV aes_192_tv =
16868 + {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
16869 + 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4b},
16871 + {0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
16872 + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
16874 + {0x17,0x07,0xd5,0x28,0x19,0x79,0x1e,0xef,
16875 + 0xa5,0x0c,0xbf,0x25,0xe5,0x56,0xb4,0x93}
16878 +static unsigned char aes_256_key[32] =
16879 + {0x6d,0x14,0x06,0x6c,0xb6,0xd8,0x21,0x2d,
16880 + 0x82,0x8d,0xfa,0xf2,0x7a,0x03,0xb7,0x9f,
16881 + 0x0c,0xc7,0x3e,0xcd,0x76,0xeb,0xee,0xb5,
16882 + 0x21,0x05,0x8c,0x4f,0x31,0x7a,0x80,0xbb};
16884 +static AES_PRNG_TV aes_256_tv =
16887 + {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
16888 + 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x88},
16890 + {0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
16891 + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
16893 + {0x35,0xc7,0xef,0xa7,0x78,0x4d,0x29,0xbc,
16894 + 0x82,0x79,0x99,0xfb,0xd0,0xb3,0x3b,0x72}
16897 +void FIPS_corrupt_rng()
16899 + aes_192_tv.V[0]++;
16902 +#define fips_x931_test(key, tv) \
16903 + do_x931_test(key, sizeof key, &tv)
16905 +static int do_x931_test(unsigned char *key, int keylen,
16908 + unsigned char R[16], V[16];
16910 + memcpy(V, tv->V, sizeof(V));
16911 + if (!FIPS_x931_set_key(key, keylen))
16913 + if (!fips_post_started(FIPS_TEST_X931, keylen, NULL))
16915 + if (!fips_post_corrupt(FIPS_TEST_X931, keylen, NULL))
16917 + FIPS_x931_seed(V, 16);
16918 + FIPS_x931_set_dt(tv->DT);
16919 + FIPS_x931_bytes(R, 16);
16920 + if (memcmp(R, tv->R, 16))
16922 + fips_post_failed(FIPS_TEST_X931, keylen, NULL);
16925 + else if (!fips_post_success(FIPS_TEST_X931, keylen, NULL))
16930 +int FIPS_selftest_x931()
16933 + FIPS_x931_reset();
16934 + if (!FIPS_x931_test_mode())
16936 + FIPSerr(FIPS_F_FIPS_SELFTEST_X931,FIPS_R_SELFTEST_FAILED);
16939 + if (!fips_x931_test(aes_128_key,aes_128_tv))
16941 + if (!fips_x931_test(aes_192_key, aes_192_tv))
16943 + if (!fips_x931_test(aes_256_key, aes_256_tv))
16945 + FIPS_x931_reset();
16947 + FIPSerr(FIPS_F_FIPS_SELFTEST_X931,FIPS_R_SELFTEST_FAILED);
16951 +int FIPS_selftest_rng(void)
16953 + return FIPS_selftest_x931();
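Review bot: In `do_x931_test` the return values of `FIPS_x931_seed`, `FIPS_x931_set_dt` and `FIPS_x931_bytes` (lines 16917–16919) are discarded, so if any of them fails `R` is left uninitialised and the `memcmp` at line 16920 compares indeterminate stack bytes against the expected output; the known-answer test then passes or fails for a reason unrelated to the generator. Treat a failing call as a self-test failure before the comparison, as below; the lines after the `memcmp` branch that set the final return value are not shown here. `FIPS_corrupt_rng()` (line 16897) and `FIPS_selftest_x931()` (line 16930) are defined with empty parentheses; `(void)` makes them prototypes and matches `FIPS_selftest_rng(void)` at line 16951. `do_x931_test` could also take `const unsigned char *key`, since the key arrays are never written.
```c
	/* … unchanged: V setup, FIPS_x931_set_key, fips_post_started/corrupt … */
	if (!FIPS_x931_seed(V, 16) || !FIPS_x931_set_dt(tv->DT)
	    || !FIPS_x931_bytes(R, 16))
		{
		fips_post_failed(FIPS_TEST_X931, keylen, NULL);
		return 0;
		}
	if (memcmp(R, tv->R, 16))
	/* … unchanged: comparison result handling … */
```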
16957 diff -up openssl-1.0.1b/crypto/fips/fips_randtest.c.fips openssl-1.0.1b/crypto/fips/fips_randtest.c
16958 --- openssl-1.0.1b/crypto/fips/fips_randtest.c.fips 2012-04-26 18:00:51.407769451 +0200
16959 +++ openssl-1.0.1b/crypto/fips/fips_randtest.c 2012-04-26 18:00:51.407769451 +0200
16961 +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
16962 + * All rights reserved.
16964 + * This package is an SSL implementation written
16965 + * by Eric Young (eay@cryptsoft.com).
16966 + * The implementation was written so as to conform with Netscapes SSL.
16968 + * This library is free for commercial and non-commercial use as long as
16969 + * the following conditions are aheared to. The following conditions
16970 + * apply to all code found in this distribution, be it the RC4, RSA,
16971 + * lhash, DES, etc., code; not just the SSL code. The SSL documentation
16972 + * included with this distribution is covered by the same copyright terms
16973 + * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16975 + * Copyright remains Eric Young's, and as such any Copyright notices in
16976 + * the code are not to be removed.
16977 + * If this package is used in a product, Eric Young should be given attribution
16978 + * as the author of the parts of the library used.
16979 + * This can be in the form of a textual message at program startup or
16980 + * in documentation (online or textual) provided with the package.
16982 + * Redistribution and use in source and binary forms, with or without
16983 + * modification, are permitted provided that the following conditions
16985 + * 1. Redistributions of source code must retain the copyright
16986 + * notice, this list of conditions and the following disclaimer.
16987 + * 2. Redistributions in binary form must reproduce the above copyright
16988 + * notice, this list of conditions and the following disclaimer in the
16989 + * documentation and/or other materials provided with the distribution.
16990 + * 3. All advertising materials mentioning features or use of this software
16991 + * must display the following acknowledgement:
16992 + * "This product includes cryptographic software written by
16993 + * Eric Young (eay@cryptsoft.com)"
16994 + * The word 'cryptographic' can be left out if the rouines from the library
16995 + * being used are not cryptographic related :-).
16996 + * 4. If you include any Windows specific code (or a derivative thereof) from
16997 + * the apps directory (application code) you must include an acknowledgement:
16998 + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
17000 + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
17001 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17002 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17003 + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17004 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
17005 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
17006 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
17007 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
17008 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
17009 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
17012 + * The licence and distribution terms for any publically available version or
17013 + * derivative of this code cannot be changed. i.e. this code cannot simply be
17014 + * copied and put under another distribution licence
17015 + * [including the GNU Public Licence.]
17017 +/* ====================================================================
17018 + * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
17020 + * Redistribution and use in source and binary forms, with or without
17021 + * modification, are permitted provided that the following conditions
17024 + * 1. Redistributions of source code must retain the above copyright
17025 + * notice, this list of conditions and the following disclaimer.
17027 + * 2. Redistributions in binary form must reproduce the above copyright
17028 + * notice, this list of conditions and the following disclaimer in
17029 + * the documentation and/or other materials provided with the
17032 + * 3. All advertising materials mentioning features or use of this
17033 + * software must display the following acknowledgment:
17034 + * "This product includes software developed by the OpenSSL Project
17035 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
17037 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
17038 + * endorse or promote products derived from this software without
17039 + * prior written permission. For written permission, please contact
17040 + * openssl-core@openssl.org.
17042 + * 5. Products derived from this software may not be called "OpenSSL"
17043 + * nor may "OpenSSL" appear in their names without prior written
17044 + * permission of the OpenSSL Project.
17046 + * 6. Redistributions of any form whatsoever must retain the following
17047 + * acknowledgment:
17048 + * "This product includes software developed by the OpenSSL Project
17049 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
17051 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
17052 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17053 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
17054 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
17055 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
17056 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
17057 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
17058 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
17059 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
17060 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
17061 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
17062 + * OF THE POSSIBILITY OF SUCH DAMAGE.
17066 +#include <stdio.h>
17067 +#include <stdlib.h>
17068 +#include <string.h>
17069 +#include <ctype.h>
17070 +#include <openssl/rand.h>
17071 +#include <openssl/fips_rand.h>
17072 +#include <openssl/err.h>
17073 +#include <openssl/bn.h>
17077 +#ifndef OPENSSL_FIPS
17078 +int main(int argc, char *argv[])
17080 + printf("No FIPS RAND support\n");
17086 +#include "fips_utl.h"
17087 +#include <openssl/fips.h>
17091 + unsigned char DT[16];
17092 + unsigned char V[16];
17093 + unsigned char R[16];
17096 +static const unsigned char aes_128_mct_key[16] =
17097 + {0x9f,0x5b,0x51,0x20,0x0b,0xf3,0x34,0xb5,
17098 + 0xd8,0x2b,0xe8,0xc3,0x72,0x55,0xc8,0x48};
17100 +static const AES_PRNG_MCT aes_128_mct_tv = {
17102 + {0x63,0x76,0xbb,0xe5,0x29,0x02,0xba,0x3b,
17103 + 0x67,0xc9,0x25,0xfa,0x70,0x1f,0x11,0xac},
17105 + {0x57,0x2c,0x8e,0x76,0x87,0x26,0x47,0x97,
17106 + 0x7e,0x74,0xfb,0xdd,0xc4,0x95,0x01,0xd1},
17108 + {0x48,0xe9,0xbd,0x0d,0x06,0xee,0x18,0xfb,
17109 + 0xe4,0x57,0x90,0xd5,0xc3,0xfc,0x9b,0x73}
17112 +static const unsigned char aes_192_mct_key[24] =
17113 + {0xb7,0x6c,0x34,0xd1,0x09,0x67,0xab,0x73,
17114 + 0x4d,0x5a,0xd5,0x34,0x98,0x16,0x0b,0x91,
17115 + 0xbc,0x35,0x51,0x16,0x6b,0xae,0x93,0x8a};
17117 +static const AES_PRNG_MCT aes_192_mct_tv = {
17119 + {0x84,0xce,0x22,0x7d,0x91,0x5a,0xa3,0xc9,
17120 + 0x84,0x3c,0x0a,0xb3,0xa9,0x63,0x15,0x52},
17122 + {0xb6,0xaf,0xe6,0x8f,0x99,0x9e,0x90,0x64,
17123 + 0xdd,0xc7,0x7a,0xc1,0xbb,0x90,0x3a,0x6d},
17125 + {0xfc,0x85,0x60,0x9a,0x29,0x6f,0xef,0x21,
17126 + 0xdd,0x86,0x20,0x32,0x8a,0x29,0x6f,0x47}
17129 +static const unsigned char aes_256_mct_key[32] =
17130 + {0x9b,0x05,0xc8,0x68,0xff,0x47,0xf8,0x3a,
17131 + 0xa6,0x3a,0xa8,0xcb,0x4e,0x71,0xb2,0xe0,
17132 + 0xb8,0x7e,0xf1,0x37,0xb6,0xb4,0xf6,0x6d,
17133 + 0x86,0x32,0xfc,0x1f,0x5e,0x1d,0x1e,0x50};
17135 +static const AES_PRNG_MCT aes_256_mct_tv = {
17137 + {0x31,0x6e,0x35,0x9a,0xb1,0x44,0xf0,0xee,
17138 + 0x62,0x6d,0x04,0x46,0xe0,0xa3,0x92,0x4c},
17140 + {0x4f,0xcd,0xc1,0x87,0x82,0x1f,0x4d,0xa1,
17141 + 0x3e,0x0e,0x56,0x44,0x59,0xe8,0x83,0xca},
17143 + {0xc8,0x87,0xc2,0x61,0x5b,0xd0,0xb9,0xe1,
17144 + 0xe7,0xf3,0x8b,0xd7,0x5b,0xd5,0xf1,0x8d}
17147 +static void dump(const unsigned char *b,int n)
17151 + printf(" %02x",*b++);
17155 +static void compare(const unsigned char *result,const unsigned char *expected,
17160 + for(i=0 ; i < n ; ++i)
17161 + if(result[i] != expected[i])
17163 + puts("Random test failed, got:");
17165 + puts("\n expected:");
17166 + dump(expected,n);
17173 +static void run_test(const unsigned char *key, int keylen,
17174 + const AES_PRNG_MCT *tv)
17176 + unsigned char buf[16], dt[16];
17178 + FIPS_x931_reset();
17179 + FIPS_x931_test_mode();
17180 + FIPS_x931_set_key(key, keylen);
17181 + FIPS_x931_seed(tv->V, 16);
17182 + memcpy(dt, tv->DT, 16);
17183 + for (i = 0; i < 10000; i++)
17185 + FIPS_x931_set_dt(dt);
17186 + FIPS_x931_bytes(buf, 16);
17187 + /* Increment DT */
17188 + for (j = 15; j >= 0; j--)
17196 + compare(buf,tv->R, 16);
17201 + run_test(aes_128_mct_key, 16, &aes_128_mct_tv);
17202 + printf("FIPS PRNG test 1 done\n");
17203 + run_test(aes_192_mct_key, 24, &aes_192_mct_tv);
17204 + printf("FIPS PRNG test 2 done\n");
17205 + run_test(aes_256_mct_key, 32, &aes_256_mct_tv);
17206 + printf("FIPS PRNG test 3 done\n");
17211 diff -up openssl-1.0.1b/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.1b/crypto/fips/fips_rsa_selftest.c
17212 --- openssl-1.0.1b/crypto/fips/fips_rsa_selftest.c.fips 2012-04-26 18:00:51.407769451 +0200
17213 +++ openssl-1.0.1b/crypto/fips/fips_rsa_selftest.c 2012-04-26 18:00:51.407769451 +0200
17215 +/* ====================================================================
17216 + * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved.
17218 + * Redistribution and use in source and binary forms, with or without
17219 + * modification, are permitted provided that the following conditions
17222 + * 1. Redistributions of source code must retain the above copyright
17223 + * notice, this list of conditions and the following disclaimer.
17225 + * 2. Redistributions in binary form must reproduce the above copyright
17226 + * notice, this list of conditions and the following disclaimer in
17227 + * the documentation and/or other materials provided with the
17230 + * 3. All advertising materials mentioning features or use of this
17231 + * software must display the following acknowledgment:
17232 + * "This product includes software developed by the OpenSSL Project
17233 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
17235 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
17236 + * endorse or promote products derived from this software without
17237 + * prior written permission. For written permission, please contact
17238 + * openssl-core@openssl.org.
17240 + * 5. Products derived from this software may not be called "OpenSSL"
17241 + * nor may "OpenSSL" appear in their names without prior written
17242 + * permission of the OpenSSL Project.
17244 + * 6. Redistributions of any form whatsoever must retain the following
17245 + * acknowledgment:
17246 + * "This product includes software developed by the OpenSSL Project
17247 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
17249 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
17250 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17251 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
17252 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
17253 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
17254 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
17255 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
17256 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
17257 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
17258 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
17259 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
17260 + * OF THE POSSIBILITY OF SUCH DAMAGE.
17264 +#include <string.h>
17265 +#include <openssl/err.h>
17266 +#ifdef OPENSSL_FIPS
17267 +#include <openssl/fips.h>
17269 +#include <openssl/rsa.h>
17270 +#include <openssl/evp.h>
17271 +#include <openssl/bn.h>
17272 +#include <openssl/opensslconf.h>
17274 +#ifdef OPENSSL_FIPS
17276 +static const unsigned char n[] =
17277 +"\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
17278 +"\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
17279 +"\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD"
17280 +"\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80"
17281 +"\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25"
17282 +"\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39"
17283 +"\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68"
17284 +"\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD"
17287 +static int corrupt_rsa;
17289 +static int setrsakey(RSA *key)
17291 + static const unsigned char e[] = "\x11";
17293 + static const unsigned char d[] =
17294 +"\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD"
17295 +"\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41"
17296 +"\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69"
17297 +"\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA"
17298 +"\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94"
17299 +"\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A"
17300 +"\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
17301 +"\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
17304 + static const unsigned char p[] =
17305 +"\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
17306 +"\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
17307 +"\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
17308 +"\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
17311 + static const unsigned char q[] =
17312 +"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
17313 +"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
17314 +"\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
17315 +"\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
17318 + static const unsigned char dmp1[] =
17319 +"\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
17320 +"\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
17321 +"\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
17322 +"\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81";
17324 + static const unsigned char dmq1[] =
17325 +"\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
17326 +"\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
17327 +"\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
17328 +"\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D";
17330 + static const unsigned char iqmp[] =
17331 +"\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
17332 +"\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
17333 +"\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
17334 +"\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
17337 + key->n = BN_bin2bn(n, sizeof(n)-1, key->n);
17339 + BN_set_bit(key->n, 1024);
17340 + key->e = BN_bin2bn(e, sizeof(e)-1, key->e);
17341 + key->d = BN_bin2bn(d, sizeof(d)-1, key->d);
17342 + key->p = BN_bin2bn(p, sizeof(p)-1, key->p);
17343 + key->q = BN_bin2bn(q, sizeof(q)-1, key->q);
17344 + key->dmp1 = BN_bin2bn(dmp1, sizeof(dmp1)-1, key->dmp1);
17345 + key->dmq1 = BN_bin2bn(dmq1, sizeof(dmq1)-1, key->dmq1);
17346 + key->iqmp = BN_bin2bn(iqmp, sizeof(iqmp)-1, key->iqmp);
17350 +void FIPS_corrupt_rsa()
17355 +/* Known Answer Test (KAT) data for the above RSA private key signing
17359 +static const unsigned char kat_tbs[] = "OpenSSL FIPS 140-2 Public Key RSA KAT";
17361 +static const unsigned char kat_RSA_PSS_SHA1[] = {
17362 + 0x2D, 0xAF, 0x6E, 0xC2, 0x98, 0xFB, 0x8A, 0xA1, 0xB9, 0x46, 0xDA, 0x0F,
17363 + 0x01, 0x1E, 0x37, 0x93, 0xC2, 0x55, 0x27, 0xE4, 0x1D, 0xD2, 0x90, 0xBB,
17364 + 0xF4, 0xBF, 0x4A, 0x74, 0x39, 0x51, 0xBB, 0xE8, 0x0C, 0xB7, 0xF8, 0xD3,
17365 + 0xD1, 0xDF, 0xE7, 0xBE, 0x80, 0x05, 0xC3, 0xB5, 0xC7, 0x83, 0xD5, 0x4C,
17366 + 0x7F, 0x49, 0xFB, 0x3F, 0x29, 0x9B, 0xE1, 0x12, 0x51, 0x60, 0xD0, 0xA7,
17367 + 0x0D, 0xA9, 0x28, 0x56, 0x73, 0xD9, 0x07, 0xE3, 0x5E, 0x3F, 0x9B, 0xF5,
17368 + 0xB6, 0xF3, 0xF2, 0x5E, 0x74, 0xC9, 0x83, 0x81, 0x47, 0xF0, 0xC5, 0x45,
17369 + 0x0A, 0xE9, 0x8E, 0x38, 0xD7, 0x18, 0xC6, 0x2A, 0x0F, 0xF8, 0xB7, 0x31,
17370 + 0xD6, 0x55, 0xE4, 0x66, 0x78, 0x81, 0xD4, 0xE6, 0xDB, 0x9F, 0xBA, 0xE8,
17371 + 0x23, 0xB5, 0x7F, 0xDC, 0x08, 0xEA, 0xD5, 0x26, 0x1E, 0x20, 0x25, 0x84,
17372 + 0x26, 0xC6, 0x79, 0xC9, 0x9B, 0x3D, 0x7E, 0xA9
17375 +static const unsigned char kat_RSA_PSS_SHA224[] = {
17376 + 0x39, 0x4A, 0x6A, 0x20, 0xBC, 0xE9, 0x33, 0xED, 0xEF, 0xC5, 0x58, 0xA7,
17377 + 0xFE, 0x81, 0xC4, 0x36, 0x50, 0x9A, 0x2C, 0x82, 0x98, 0x08, 0x95, 0xFA,
17378 + 0xB1, 0x9E, 0xD2, 0x55, 0x61, 0x87, 0x21, 0x59, 0x87, 0x7B, 0x1F, 0x57,
17379 + 0x30, 0x9D, 0x0D, 0x4A, 0x06, 0xEB, 0x52, 0x37, 0x55, 0x54, 0x1C, 0x89,
17380 + 0x83, 0x75, 0x59, 0x65, 0x64, 0x90, 0x2E, 0x16, 0xCC, 0x86, 0x05, 0xEE,
17381 + 0xB1, 0xE6, 0x7B, 0xBA, 0x16, 0x75, 0x0D, 0x0C, 0x64, 0x0B, 0xAB, 0x22,
17382 + 0x15, 0x78, 0x6B, 0x6F, 0xA4, 0xFB, 0x77, 0x40, 0x64, 0x62, 0xD1, 0xB5,
17383 + 0x37, 0x1E, 0xE0, 0x3D, 0xA8, 0xF9, 0xD2, 0xBD, 0xAA, 0x38, 0x24, 0x49,
17384 + 0x58, 0xD2, 0x74, 0x85, 0xF4, 0xB5, 0x93, 0x8E, 0xF5, 0x03, 0xEA, 0x2D,
17385 + 0xC8, 0x52, 0xFA, 0xCF, 0x7E, 0x35, 0xB0, 0x6A, 0xAF, 0x95, 0xC0, 0x00,
17386 + 0x54, 0x76, 0x3D, 0x0C, 0x9C, 0xB2, 0xEE, 0xC0
17389 +static const unsigned char kat_RSA_PSS_SHA256[] = {
17390 + 0x6D, 0x3D, 0xBE, 0x8F, 0x60, 0x6D, 0x25, 0x14, 0xF0, 0x31, 0xE3, 0x89,
17391 + 0x00, 0x97, 0xFA, 0x99, 0x71, 0x28, 0xE5, 0x10, 0x25, 0x9A, 0xF3, 0x8F,
17392 + 0x7B, 0xC5, 0xA8, 0x4A, 0x74, 0x51, 0x36, 0xE2, 0x8D, 0x7D, 0x73, 0x28,
17393 + 0xC1, 0x77, 0xC6, 0x27, 0x97, 0x00, 0x8B, 0x00, 0xA3, 0x96, 0x73, 0x4E,
17394 + 0x7D, 0x2E, 0x2C, 0x34, 0x68, 0x8C, 0x8E, 0xDF, 0x9D, 0x49, 0x47, 0x05,
17395 + 0xAB, 0xF5, 0x01, 0xD6, 0x81, 0x47, 0x70, 0xF5, 0x1D, 0x6D, 0x26, 0xBA,
17396 + 0x2F, 0x7A, 0x54, 0x53, 0x4E, 0xED, 0x71, 0xD9, 0x5A, 0xF3, 0xDA, 0xB6,
17397 + 0x0B, 0x47, 0x34, 0xAF, 0x90, 0xDC, 0xC8, 0xD9, 0x6F, 0x56, 0xCD, 0x9F,
17398 + 0x21, 0xB7, 0x7E, 0xAD, 0x7C, 0x2F, 0x75, 0x50, 0x47, 0x12, 0xE4, 0x6D,
17399 + 0x5F, 0xB7, 0x01, 0xDF, 0xC3, 0x11, 0x6C, 0xA9, 0x9E, 0x49, 0xB9, 0xF6,
17400 + 0x72, 0xF4, 0xF6, 0xEF, 0x88, 0x1E, 0x2D, 0x1C
17403 +static const unsigned char kat_RSA_PSS_SHA384[] = {
17404 + 0x40, 0xFB, 0xA1, 0x21, 0xF4, 0xB2, 0x40, 0x9A, 0xB4, 0x31, 0xA8, 0xF2,
17405 + 0xEC, 0x1C, 0xC4, 0xC8, 0x7C, 0x22, 0x65, 0x9C, 0x57, 0x45, 0xCD, 0x5E,
17406 + 0x86, 0x00, 0xF7, 0x25, 0x78, 0xDE, 0xDC, 0x7A, 0x71, 0x44, 0x9A, 0xCD,
17407 + 0xAA, 0x25, 0xF4, 0xB2, 0xFC, 0xF0, 0x75, 0xD9, 0x2F, 0x78, 0x23, 0x7F,
17408 + 0x6F, 0x02, 0xEF, 0xC1, 0xAF, 0xA6, 0x28, 0x16, 0x31, 0xDC, 0x42, 0x6C,
17409 + 0xB2, 0x44, 0xE5, 0x4D, 0x66, 0xA2, 0xE6, 0x71, 0xF3, 0xAC, 0x4F, 0xFB,
17410 + 0x91, 0xCA, 0xF5, 0x70, 0xEF, 0x6B, 0x9D, 0xA4, 0xEF, 0xD9, 0x3D, 0x2F,
17411 + 0x3A, 0xBE, 0x89, 0x38, 0x59, 0x01, 0xBA, 0xDA, 0x32, 0xAD, 0x42, 0x89,
17412 + 0x98, 0x8B, 0x39, 0x44, 0xF0, 0xFC, 0x38, 0xAC, 0x87, 0x1F, 0xCA, 0x6F,
17413 + 0x48, 0xF6, 0xAE, 0xD7, 0x45, 0xEE, 0xAE, 0x88, 0x0E, 0x60, 0xF4, 0x55,
17414 + 0x48, 0x44, 0xEE, 0x1F, 0x90, 0x18, 0x4B, 0xF1
17417 +static const unsigned char kat_RSA_PSS_SHA512[] = {
17418 + 0x07, 0x1E, 0xD8, 0xD5, 0x05, 0xE8, 0xE6, 0xE6, 0x57, 0xAE, 0x63, 0x8C,
17419 + 0xC6, 0x83, 0xB7, 0xA0, 0x59, 0xBB, 0xF2, 0xC6, 0x8F, 0x12, 0x53, 0x9A,
17420 + 0x9B, 0x54, 0x9E, 0xB3, 0xC1, 0x1D, 0x23, 0x4D, 0x51, 0xED, 0x9E, 0xDD,
17421 + 0x4B, 0xF3, 0x46, 0x9B, 0x6B, 0xF6, 0x7C, 0x24, 0x60, 0x79, 0x23, 0x39,
17422 + 0x01, 0x1C, 0x51, 0xCB, 0xD8, 0xE9, 0x9A, 0x01, 0x67, 0x5F, 0xFE, 0xD7,
17423 + 0x7C, 0xE3, 0x7F, 0xED, 0xDB, 0x87, 0xBB, 0xF0, 0x3D, 0x78, 0x55, 0x61,
17424 + 0x57, 0xE3, 0x0F, 0xE3, 0xD2, 0x9D, 0x0C, 0x2A, 0x20, 0xB0, 0x85, 0x13,
17425 + 0xC5, 0x47, 0x34, 0x0D, 0x32, 0x15, 0xC8, 0xAE, 0x9A, 0x6A, 0x39, 0x63,
17426 + 0x2D, 0x60, 0xF5, 0x4C, 0xDF, 0x8A, 0x48, 0x4B, 0xBF, 0xF4, 0xA8, 0xFE,
17427 + 0x76, 0xF2, 0x32, 0x1B, 0x9C, 0x7C, 0xCA, 0xFE, 0x7F, 0x80, 0xC2, 0x88,
17428 + 0x5C, 0x97, 0x70, 0xB4, 0x26, 0xC9, 0x14, 0x8B
17431 +static const unsigned char kat_RSA_SHA1[] = {
17432 + 0x71, 0xEE, 0x1A, 0xC0, 0xFE, 0x01, 0x93, 0x54, 0x79, 0x5C, 0xF2, 0x4C,
17433 + 0x4A, 0xFD, 0x1A, 0x05, 0x8F, 0x64, 0xB1, 0x6D, 0x61, 0x33, 0x8D, 0x9B,
17434 + 0xE7, 0xFD, 0x60, 0xA3, 0x83, 0xB5, 0xA3, 0x51, 0x55, 0x77, 0x90, 0xCF,
17435 + 0xDC, 0x22, 0x37, 0x8E, 0xD0, 0xE1, 0xAE, 0x09, 0xE3, 0x3D, 0x1E, 0xF8,
17436 + 0x80, 0xD1, 0x8B, 0xC2, 0xEC, 0x0A, 0xD7, 0x6B, 0x88, 0x8B, 0x8B, 0xA1,
17437 + 0x20, 0x22, 0xBE, 0x59, 0x5B, 0xE0, 0x23, 0x24, 0xA1, 0x49, 0x30, 0xBA,
17438 + 0xA9, 0x9E, 0xE8, 0xB1, 0x8A, 0x62, 0x16, 0xBF, 0x4E, 0xCA, 0x2E, 0x4E,
17439 + 0xBC, 0x29, 0xA8, 0x67, 0x13, 0xB7, 0x9F, 0x1D, 0x04, 0x44, 0xE5, 0x5F,
17440 + 0x35, 0x07, 0x11, 0xBC, 0xED, 0x19, 0x37, 0x21, 0xCF, 0x23, 0x48, 0x1F,
17441 + 0x72, 0x05, 0xDE, 0xE6, 0xE8, 0x7F, 0x33, 0x8A, 0x76, 0x4B, 0x2F, 0x95,
17442 + 0xDF, 0xF1, 0x5F, 0x84, 0x80, 0xD9, 0x46, 0xB4
17445 +static const unsigned char kat_RSA_SHA224[] = {
17446 + 0x62, 0xAA, 0x79, 0xA9, 0x18, 0x0E, 0x5F, 0x8C, 0xBB, 0xB7, 0x15, 0xF9,
17447 + 0x25, 0xBB, 0xFA, 0xD4, 0x3A, 0x34, 0xED, 0x9E, 0xA0, 0xA9, 0x18, 0x8D,
17448 + 0x5B, 0x55, 0x9A, 0x7E, 0x1E, 0x08, 0x08, 0x60, 0xC5, 0x1A, 0xC5, 0x89,
17449 + 0x08, 0xE2, 0x1B, 0xBD, 0x62, 0x50, 0x17, 0x76, 0x30, 0x2C, 0x9E, 0xCD,
17450 + 0xA4, 0x02, 0xAD, 0xB1, 0x6D, 0x44, 0x6D, 0xD5, 0xC6, 0x45, 0x41, 0xE5,
17451 + 0xEE, 0x1F, 0x8D, 0x7E, 0x08, 0x16, 0xA6, 0xE1, 0x5E, 0x0B, 0xA9, 0xCC,
17452 + 0xDB, 0x59, 0x55, 0x87, 0x09, 0x25, 0x70, 0x86, 0x84, 0x02, 0xC6, 0x3B,
17453 + 0x0B, 0x44, 0x4C, 0x46, 0x95, 0xF4, 0xF8, 0x5A, 0x91, 0x28, 0x3E, 0xB2,
17454 + 0x58, 0x2E, 0x06, 0x45, 0x49, 0xE0, 0x92, 0xE2, 0xC0, 0x66, 0xE6, 0x35,
17455 + 0xD9, 0x79, 0x7F, 0x17, 0x5E, 0x02, 0x73, 0x04, 0x77, 0x82, 0xE6, 0xDC,
17456 + 0x40, 0x21, 0x89, 0x8B, 0x37, 0x3E, 0x1E, 0x8D
17459 +static const unsigned char kat_RSA_SHA256[] = {
17460 + 0x0D, 0x55, 0xE2, 0xAA, 0x81, 0xDB, 0x8E, 0x82, 0x05, 0x17, 0xA5, 0x23,
17461 + 0xE7, 0x3B, 0x1D, 0xAF, 0xFB, 0x8C, 0xD0, 0x81, 0x20, 0x7B, 0xAA, 0x23,
17462 + 0x92, 0x87, 0x8C, 0xD1, 0x53, 0x85, 0x16, 0xDC, 0xBE, 0xAD, 0x6F, 0x35,
17463 + 0x98, 0x2D, 0x69, 0x84, 0xBF, 0xD9, 0x8A, 0x01, 0x17, 0x58, 0xB2, 0x6E,
17464 + 0x2C, 0x44, 0x9B, 0x90, 0xF1, 0xFB, 0x51, 0xE8, 0x6A, 0x90, 0x2D, 0x18,
17465 + 0x0E, 0xC0, 0x90, 0x10, 0x24, 0xA9, 0x1D, 0xB3, 0x58, 0x7A, 0x91, 0x30,
17466 + 0xBE, 0x22, 0xC7, 0xD3, 0xEC, 0xC3, 0x09, 0x5D, 0xBF, 0xE2, 0x80, 0x3A,
17467 + 0x7C, 0x85, 0xB4, 0xBC, 0xD1, 0xE9, 0xF0, 0x5C, 0xDE, 0x81, 0xA6, 0x38,
17468 + 0xB8, 0x42, 0xBB, 0x86, 0xC5, 0x9D, 0xCE, 0x7C, 0x2C, 0xEE, 0xD1, 0xDA,
17469 + 0x27, 0x48, 0x2B, 0xF5, 0xAB, 0xB9, 0xF7, 0x80, 0xD1, 0x90, 0x27, 0x90,
17470 + 0xBD, 0x44, 0x97, 0x60, 0xCD, 0x57, 0xC0, 0x7A
17473 +static const unsigned char kat_RSA_SHA384[] = {
17474 + 0x1D, 0xE3, 0x6A, 0xDD, 0x27, 0x4C, 0xC0, 0xA5, 0x27, 0xEF, 0xE6, 0x1F,
17475 + 0xD2, 0x91, 0x68, 0x59, 0x04, 0xAE, 0xBD, 0x99, 0x63, 0x56, 0x47, 0xC7,
17476 + 0x6F, 0x22, 0x16, 0x48, 0xD0, 0xF9, 0x18, 0xA9, 0xCA, 0xFA, 0x5D, 0x5C,
17477 + 0xA7, 0x65, 0x52, 0x8A, 0xC8, 0x44, 0x7E, 0x86, 0x5D, 0xA9, 0xA6, 0x55,
17478 + 0x65, 0x3E, 0xD9, 0x2D, 0x02, 0x38, 0xA8, 0x79, 0x28, 0x7F, 0xB6, 0xCF,
17479 + 0x82, 0xDD, 0x7E, 0x55, 0xE1, 0xB1, 0xBC, 0xE2, 0x19, 0x2B, 0x30, 0xC2,
17480 + 0x1B, 0x2B, 0xB0, 0x82, 0x46, 0xAC, 0x4B, 0xD1, 0xE2, 0x7D, 0xEB, 0x8C,
17481 + 0xFF, 0x95, 0xE9, 0x6A, 0x1C, 0x3D, 0x4D, 0xBF, 0x8F, 0x8B, 0x9C, 0xCD,
17482 + 0xEA, 0x85, 0xEE, 0x00, 0xDC, 0x1C, 0xA7, 0xEB, 0xD0, 0x8F, 0x99, 0xF1,
17483 + 0x16, 0x28, 0x24, 0x64, 0x04, 0x39, 0x2D, 0x58, 0x1E, 0x37, 0xDC, 0x04,
17484 + 0xBD, 0x31, 0xA2, 0x2F, 0xB3, 0x35, 0x56, 0xBF
17487 +static const unsigned char kat_RSA_SHA512[] = {
17488 + 0x69, 0x52, 0x1B, 0x51, 0x5E, 0x06, 0xCA, 0x9B, 0x16, 0x51, 0x5D, 0xCF,
17489 + 0x49, 0x25, 0x4A, 0xA1, 0x6A, 0x77, 0x4C, 0x36, 0x40, 0xF8, 0xB2, 0x9A,
17490 + 0x15, 0xEA, 0x5C, 0xE5, 0xE6, 0x82, 0xE0, 0x86, 0x82, 0x6B, 0x32, 0xF1,
17491 + 0x04, 0xC1, 0x5A, 0x1A, 0xED, 0x1E, 0x9A, 0xB6, 0x4C, 0x54, 0x9F, 0xD8,
17492 + 0x8D, 0xCC, 0xAC, 0x8A, 0xBB, 0x9C, 0x82, 0x3F, 0xA6, 0x53, 0x62, 0xB5,
17493 + 0x80, 0xE2, 0xBC, 0xDD, 0x67, 0x2B, 0xD9, 0x3F, 0xE4, 0x75, 0x92, 0x6B,
17494 + 0xAF, 0x62, 0x7C, 0x52, 0xF0, 0xEE, 0x33, 0xDF, 0x1B, 0x1D, 0x47, 0xE6,
17495 + 0x59, 0x56, 0xA5, 0xB9, 0x5C, 0xE6, 0x77, 0x78, 0x16, 0x63, 0x84, 0x05,
17496 + 0x6F, 0x0E, 0x2B, 0x31, 0x9D, 0xF7, 0x7F, 0xB2, 0x64, 0x71, 0xE0, 0x2D,
17497 + 0x3E, 0x62, 0xCE, 0xB5, 0x3F, 0x88, 0xDF, 0x2D, 0xAB, 0x98, 0x65, 0x91,
17498 + 0xDF, 0x70, 0x14, 0xA5, 0x3F, 0x36, 0xAB, 0x84
17501 +static const unsigned char kat_RSA_X931_SHA1[] = {
17502 + 0x86, 0xB4, 0x18, 0xBA, 0xD1, 0x80, 0xB6, 0x7C, 0x42, 0x45, 0x4D, 0xDF,
17503 + 0xE9, 0x2D, 0xE1, 0x83, 0x5F, 0xB5, 0x2F, 0xC9, 0xCD, 0xC4, 0xB2, 0x75,
17504 + 0x80, 0xA4, 0xF1, 0x4A, 0xE7, 0x83, 0x12, 0x1E, 0x1E, 0x14, 0xB8, 0xAC,
17505 + 0x35, 0xE2, 0xAA, 0x0B, 0x5C, 0xF8, 0x38, 0x4D, 0x04, 0xEE, 0xA9, 0x97,
17506 + 0x70, 0xFB, 0x5E, 0xE7, 0xB7, 0xE3, 0x62, 0x23, 0x4B, 0x38, 0xBE, 0xD6,
17507 + 0x53, 0x15, 0xF7, 0xDF, 0x87, 0xB4, 0x0E, 0xCC, 0xB1, 0x1A, 0x11, 0x19,
17508 + 0xEE, 0x51, 0xCC, 0x92, 0xDD, 0xBC, 0x63, 0x29, 0x63, 0x0C, 0x59, 0xD7,
17509 + 0x6F, 0x4C, 0x3C, 0x37, 0x5B, 0x37, 0x03, 0x61, 0x7D, 0x24, 0x1C, 0x99,
17510 + 0x48, 0xAF, 0x82, 0xFE, 0x32, 0x41, 0x9B, 0xB2, 0xDB, 0xEA, 0xED, 0x76,
17511 + 0x8E, 0x6E, 0xCA, 0x7E, 0x4E, 0x14, 0xBA, 0x30, 0x84, 0x1C, 0xB3, 0x67,
17512 + 0xA3, 0x29, 0x80, 0x70, 0x54, 0x68, 0x7D, 0x49
17515 +static const unsigned char kat_RSA_X931_SHA256[] = {
17516 + 0x7E, 0xA2, 0x77, 0xFE, 0xB8, 0x54, 0x8A, 0xC7, 0x7F, 0x64, 0x54, 0x89,
17517 + 0xE5, 0x52, 0x15, 0x8E, 0x52, 0x96, 0x4E, 0xA6, 0x58, 0x92, 0x1C, 0xDD,
17518 + 0xEA, 0xA2, 0x2D, 0x5C, 0xD1, 0x62, 0x00, 0x49, 0x05, 0x95, 0x73, 0xCF,
17519 + 0x16, 0x76, 0x68, 0xF6, 0xC6, 0x5E, 0x80, 0xB8, 0xB8, 0x7B, 0xC8, 0x9B,
17520 + 0xC6, 0x53, 0x88, 0x26, 0x20, 0x88, 0x73, 0xB6, 0x13, 0xB8, 0xF0, 0x4B,
17521 + 0x00, 0x85, 0xF3, 0xDD, 0x07, 0x50, 0xEB, 0x20, 0xC4, 0x38, 0x0E, 0x98,
17522 + 0xAD, 0x4E, 0x49, 0x2C, 0xD7, 0x65, 0xA5, 0x19, 0x0E, 0x59, 0x01, 0xEC,
17523 + 0x7E, 0x75, 0x89, 0x69, 0x2E, 0x63, 0x76, 0x85, 0x46, 0x8D, 0xA0, 0x8C,
17524 + 0x33, 0x1D, 0x82, 0x8C, 0x03, 0xEA, 0x69, 0x88, 0x35, 0xA1, 0x42, 0xBD,
17525 + 0x21, 0xED, 0x8D, 0xBC, 0xBC, 0xDB, 0x30, 0xFF, 0x86, 0xF0, 0x5B, 0xDC,
17526 + 0xE3, 0xE2, 0xE8, 0x0A, 0x0A, 0x29, 0x94, 0x80
17529 +static const unsigned char kat_RSA_X931_SHA384[] = {
17530 + 0x5C, 0x7D, 0x96, 0x35, 0xEC, 0x7E, 0x11, 0x38, 0xBB, 0x7B, 0xEC, 0x7B,
17531 + 0xF2, 0x82, 0x8E, 0x99, 0xBD, 0xEF, 0xD8, 0xAE, 0xD7, 0x39, 0x37, 0xCB,
17532 + 0xE6, 0x4F, 0x5E, 0x0A, 0x13, 0xE4, 0x2E, 0x40, 0xB9, 0xBE, 0x2E, 0xE3,
17533 + 0xEF, 0x78, 0x83, 0x18, 0x44, 0x35, 0x9C, 0x8E, 0xD7, 0x4A, 0x63, 0xF6,
17534 + 0x57, 0xC2, 0xB0, 0x08, 0x51, 0x73, 0xCF, 0xCA, 0x99, 0x66, 0xEE, 0x31,
17535 + 0xD8, 0x69, 0xE9, 0xAB, 0x13, 0x27, 0x7B, 0x41, 0x1E, 0x6D, 0x8D, 0xF1,
17536 + 0x3E, 0x9C, 0x35, 0x95, 0x58, 0xDD, 0x2B, 0xD5, 0xA0, 0x60, 0x41, 0x79,
17537 + 0x24, 0x22, 0xE4, 0xB7, 0xBF, 0x47, 0x53, 0xF6, 0x34, 0xD5, 0x7C, 0xFF,
17538 + 0x0E, 0x09, 0xEE, 0x2E, 0xE2, 0x37, 0xB9, 0xDE, 0xC5, 0x12, 0x44, 0x35,
17539 + 0xEF, 0x01, 0xE6, 0x5E, 0x39, 0x31, 0x2D, 0x71, 0xA5, 0xDC, 0xC6, 0x6D,
17540 + 0xE2, 0xCD, 0x85, 0xDB, 0x73, 0x82, 0x65, 0x28
17543 +static const unsigned char kat_RSA_X931_SHA512[] = {
17544 + 0xA6, 0x65, 0xA2, 0x77, 0x4F, 0xB3, 0x86, 0xCB, 0x64, 0x3A, 0xC1, 0x63,
17545 + 0xFC, 0xA1, 0xAA, 0xCB, 0x9B, 0x79, 0xDD, 0x4B, 0xE1, 0xD9, 0xDA, 0xAC,
17546 + 0xE7, 0x47, 0x09, 0xB2, 0x11, 0x4B, 0x8A, 0xAA, 0x05, 0x9E, 0x77, 0xD7,
17547 + 0x3A, 0xBD, 0x5E, 0x53, 0x09, 0x4A, 0xE6, 0x0F, 0x5E, 0xF9, 0x14, 0x28,
17548 + 0xA0, 0x99, 0x74, 0x64, 0x70, 0x4E, 0xF2, 0xE3, 0xFA, 0xC7, 0xF8, 0xC5,
17549 + 0x6E, 0x2B, 0x79, 0x96, 0x0D, 0x0C, 0xC8, 0x10, 0x34, 0x53, 0xD2, 0xAF,
17550 + 0x17, 0x0E, 0xE0, 0xBF, 0x79, 0xF6, 0x04, 0x72, 0x10, 0xE0, 0xF6, 0xD0,
17551 + 0xCE, 0x8A, 0x6F, 0xA1, 0x95, 0x89, 0xBF, 0x58, 0x8F, 0x46, 0x5F, 0x09,
17552 + 0x9F, 0x09, 0xCA, 0x84, 0x15, 0x85, 0xE0, 0xED, 0x04, 0x2D, 0xFB, 0x7C,
17553 + 0x36, 0x35, 0x21, 0x31, 0xC3, 0xFD, 0x92, 0x42, 0x11, 0x30, 0x71, 0x1B,
17554 + 0x60, 0x83, 0x18, 0x88, 0xA3, 0xF5, 0x59, 0xC3
17558 +int FIPS_selftest_rsa()
17562 + EVP_PKEY *pk = NULL;
17564 + if ((key=RSA_new()) == NULL)
17567 + if ((pk=EVP_PKEY_new()) == NULL)
17570 + EVP_PKEY_assign_RSA(pk, key);
17572 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17573 + kat_RSA_SHA1, sizeof(kat_RSA_SHA1),
17574 + EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1,
17575 + "RSA SHA1 PKCS#1"))
17577 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17578 + kat_RSA_SHA224, sizeof(kat_RSA_SHA224),
17579 + EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PKCS1,
17580 + "RSA SHA224 PKCS#1"))
17582 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17583 + kat_RSA_SHA256, sizeof(kat_RSA_SHA256),
17584 + EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1,
17585 + "RSA SHA256 PKCS#1"))
17587 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17588 + kat_RSA_SHA384, sizeof(kat_RSA_SHA384),
17589 + EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PKCS1,
17590 + "RSA SHA384 PKCS#1"))
17592 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17593 + kat_RSA_SHA512, sizeof(kat_RSA_SHA512),
17594 + EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PKCS1,
17595 + "RSA SHA512 PKCS#1"))
17598 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17599 + kat_RSA_PSS_SHA1, sizeof(kat_RSA_PSS_SHA1),
17600 + EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS,
17603 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17604 + kat_RSA_PSS_SHA224, sizeof(kat_RSA_PSS_SHA224),
17605 + EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PSS,
17606 + "RSA SHA224 PSS"))
17608 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17609 + kat_RSA_PSS_SHA256, sizeof(kat_RSA_PSS_SHA256),
17610 + EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PSS,
17611 + "RSA SHA256 PSS"))
17613 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17614 + kat_RSA_PSS_SHA384, sizeof(kat_RSA_PSS_SHA384),
17615 + EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PSS,
17616 + "RSA SHA384 PSS"))
17618 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17619 + kat_RSA_PSS_SHA512, sizeof(kat_RSA_PSS_SHA512),
17620 + EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PSS,
17621 + "RSA SHA512 PSS"))
17625 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17626 + kat_RSA_X931_SHA1, sizeof(kat_RSA_X931_SHA1),
17627 + EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931,
17628 + "RSA SHA1 X931"))
17630 + /* NB: SHA224 not supported in X9.31 */
17631 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17632 + kat_RSA_X931_SHA256, sizeof(kat_RSA_X931_SHA256),
17633 + EVP_sha256(), EVP_MD_CTX_FLAG_PAD_X931,
17634 + "RSA SHA256 X931"))
17636 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17637 + kat_RSA_X931_SHA384, sizeof(kat_RSA_X931_SHA384),
17638 + EVP_sha384(), EVP_MD_CTX_FLAG_PAD_X931,
17639 + "RSA SHA384 X931"))
17641 + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
17642 + kat_RSA_X931_SHA512, sizeof(kat_RSA_X931_SHA512),
17643 + EVP_sha512(), EVP_MD_CTX_FLAG_PAD_X931,
17644 + "RSA SHA512 X931"))
17652 + EVP_PKEY_free(pk);
17658 +#endif /* def OPENSSL_FIPS */
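Review bot: In FIPS_selftest_rsa the RSA key allocated at 17564 leaks when EVP_PKEY_new() at 17567 fails, because the only cleanup visible at the err label (17652) is EVP_PKEY_free(pk); EVP_PKEY_assign_RSA at 17570 is also called without checking its return, so a failed assign would likewise drop the key and later free an EVP_PKEY with nothing inside. A failing self-test is exactly the path that should release resources cleanly, so I'd make the ownership transfer explicit: `if (!EVP_PKEY_assign_RSA(pk, key)) goto err;` followed by `key = NULL;`, and `RSA_free(key);` (a no-op on NULL) beside the EVP_PKEY_free at the err label, with key initialised to NULL at its declaration. The lines between 17564 and 17570 and just before 17652 are not shown here, so adjust if that cleanup already exists.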
17659 diff -up openssl-1.0.1b/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.1b/crypto/fips/fips_rsa_x931g.c
17660 --- openssl-1.0.1b/crypto/fips/fips_rsa_x931g.c.fips 2012-04-26 18:00:51.408769474 +0200
17661 +++ openssl-1.0.1b/crypto/fips/fips_rsa_x931g.c 2012-04-26 18:00:51.408769474 +0200
17663 +/* crypto/rsa/rsa_gen.c */
17664 +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
17665 + * All rights reserved.
17667 + * This package is an SSL implementation written
17668 + * by Eric Young (eay@cryptsoft.com).
17669 + * The implementation was written so as to conform with Netscapes SSL.
17671 + * This library is free for commercial and non-commercial use as long as
17672 + * the following conditions are aheared to. The following conditions
17673 + * apply to all code found in this distribution, be it the RC4, RSA,
17674 + * lhash, DES, etc., code; not just the SSL code. The SSL documentation
17675 + * included with this distribution is covered by the same copyright terms
17676 + * except that the holder is Tim Hudson (tjh@cryptsoft.com).
17678 + * Copyright remains Eric Young's, and as such any Copyright notices in
17679 + * the code are not to be removed.
17680 + * If this package is used in a product, Eric Young should be given attribution
17681 + * as the author of the parts of the library used.
17682 + * This can be in the form of a textual message at program startup or
17683 + * in documentation (online or textual) provided with the package.
17685 + * Redistribution and use in source and binary forms, with or without
17686 + * modification, are permitted provided that the following conditions
17688 + * 1. Redistributions of source code must retain the copyright
17689 + * notice, this list of conditions and the following disclaimer.
17690 + * 2. Redistributions in binary form must reproduce the above copyright
17691 + * notice, this list of conditions and the following disclaimer in the
17692 + * documentation and/or other materials provided with the distribution.
17693 + * 3. All advertising materials mentioning features or use of this software
17694 + * must display the following acknowledgement:
17695 + * "This product includes cryptographic software written by
17696 + * Eric Young (eay@cryptsoft.com)"
17697 + * The word 'cryptographic' can be left out if the rouines from the library
17698 + * being used are not cryptographic related :-).
17699 + * 4. If you include any Windows specific code (or a derivative thereof) from
17700 + * the apps directory (application code) you must include an acknowledgement:
17701 + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
17703 + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
17704 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17705 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17706 + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17707 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
17708 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
17709 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
17710 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
17711 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
17712 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
17715 + * The licence and distribution terms for any publically available version or
17716 + * derivative of this code cannot be changed. i.e. this code cannot simply be
17717 + * copied and put under another distribution licence
17718 + * [including the GNU Public Licence.]
17721 +#include <stdio.h>
17722 +#include <string.h>
17724 +#include <openssl/err.h>
17725 +#include <openssl/bn.h>
17726 +#include <openssl/rsa.h>
17727 +#ifdef OPENSSL_FIPS
17728 +#include <openssl/fips.h>
17730 +extern int fips_check_rsa(RSA *rsa);
17733 +/* X9.31 RSA key derivation and generation */
17735 +int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
17736 + const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp,
17737 + const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq,
17738 + const BIGNUM *e, BN_GENCB *cb)
17740 + BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL;
17741 + BN_CTX *ctx=NULL,*ctx2=NULL;
17746 + ctx = BN_CTX_new();
17749 + BN_CTX_start(ctx);
17751 + r0 = BN_CTX_get(ctx);
17752 + r1 = BN_CTX_get(ctx);
17753 + r2 = BN_CTX_get(ctx);
17754 + r3 = BN_CTX_get(ctx);
17760 + rsa->e = BN_dup(e);
17767 + /* If not all parameters present only calculate what we can.
17768 + * This allows test programs to output selective parameters.
17771 + if (Xp && !rsa->p)
17773 + rsa->p = BN_new();
17777 + if (!BN_X931_derive_prime_ex(rsa->p, p1, p2,
17778 + Xp, Xp1, Xp2, e, ctx, cb))
17782 + if (Xq && !rsa->q)
17784 + rsa->q = BN_new();
17787 + if (!BN_X931_derive_prime_ex(rsa->q, q1, q2,
17788 + Xq, Xq1, Xq2, e, ctx, cb))
17792 + if (!rsa->p || !rsa->q)
17795 + BN_CTX_free(ctx);
17799 + /* Since both primes are set we can now calculate all remaining
17803 + /* calculate n */
17805 + if (rsa->n == NULL)
17807 + if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx))
17810 + /* calculate d */
17811 + if (!BN_sub(r1,rsa->p,BN_value_one()))
17812 + goto err; /* p-1 */
17813 + if (!BN_sub(r2,rsa->q,BN_value_one()))
17814 + goto err; /* q-1 */
17815 + if (!BN_mul(r0,r1,r2,ctx))
17816 + goto err; /* (p-1)(q-1) */
17818 + if (!BN_gcd(r3, r1, r2, ctx))
17821 + if (!BN_div(r0, NULL, r0, r3, ctx))
17822 + goto err; /* LCM((p-1)(q-1)) */
17824 + ctx2 = BN_CTX_new();
17828 + rsa->d=BN_mod_inverse(NULL,rsa->e,r0,ctx2); /* d */
17829 + if (rsa->d == NULL)
17832 + /* calculate d mod (p-1) */
17833 + rsa->dmp1=BN_new();
17834 + if (rsa->dmp1 == NULL)
17836 + if (!BN_mod(rsa->dmp1,rsa->d,r1,ctx))
17839 + /* calculate d mod (q-1) */
17840 + rsa->dmq1=BN_new();
17841 + if (rsa->dmq1 == NULL)
17843 + if (!BN_mod(rsa->dmq1,rsa->d,r2,ctx))
17846 + /* calculate inverse of q mod p */
17847 + rsa->iqmp=BN_mod_inverse(NULL,rsa->q,rsa->p,ctx2);
17853 + BN_CTX_free(ctx);
17856 + BN_CTX_free(ctx2);
17857 + /* If this is set all calls successful */
17858 + if (rsa && rsa->iqmp != NULL)
17865 +int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, BN_GENCB *cb)
17868 + BIGNUM *Xp = NULL, *Xq = NULL;
17869 + BN_CTX *ctx = NULL;
17871 +#ifdef OPENSSL_FIPS
17872 + if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) &&
17873 + (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
17875 + FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_KEY_TOO_SHORT);
17881 + FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_INVALID_KEY_LENGTH);
17885 + if(FIPS_selftest_failed())
17887 + FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_FIPS_SELFTEST_FAILED);
17892 + ctx = BN_CTX_new();
17896 + BN_CTX_start(ctx);
17897 + Xp = BN_CTX_get(ctx);
17898 + Xq = BN_CTX_get(ctx);
17899 + if (!BN_X931_generate_Xpq(Xp, Xq, bits, ctx))
17902 + rsa->p = BN_new();
17903 + rsa->q = BN_new();
17904 + if (!rsa->p || !rsa->q)
17907 + /* Generate two primes from Xp, Xq */
17909 + if (!BN_X931_generate_prime_ex(rsa->p, NULL, NULL, NULL, NULL, Xp,
17913 + if (!BN_X931_generate_prime_ex(rsa->q, NULL, NULL, NULL, NULL, Xq,
17917 + /* Since rsa->p and rsa->q are valid this call will just derive
17918 + * remaining RSA components.
17921 + if (!RSA_X931_derive_ex(rsa, NULL, NULL, NULL, NULL,
17922 + NULL, NULL, NULL, NULL, NULL, NULL, e, cb))
17925 +#ifdef OPENSSL_FIPS
17926 + if(!fips_check_rsa(rsa))
17936 + BN_CTX_free(ctx);
17945 diff -up openssl-1.0.1b/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.1b/crypto/fips/fips_sha_selftest.c
17946 --- openssl-1.0.1b/crypto/fips/fips_sha_selftest.c.fips 2012-04-26 18:00:51.408769474 +0200
17947 +++ openssl-1.0.1b/crypto/fips/fips_sha_selftest.c 2012-04-26 18:00:51.408769474 +0200
17949 +/* ====================================================================
17950 + * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
17952 + * Redistribution and use in source and binary forms, with or without
17953 + * modification, are permitted provided that the following conditions
17956 + * 1. Redistributions of source code must retain the above copyright
17957 + * notice, this list of conditions and the following disclaimer.
17959 + * 2. Redistributions in binary form must reproduce the above copyright
17960 + * notice, this list of conditions and the following disclaimer in
17961 + * the documentation and/or other materials provided with the
17964 + * 3. All advertising materials mentioning features or use of this
17965 + * software must display the following acknowledgment:
17966 + * "This product includes software developed by the OpenSSL Project
17967 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
17969 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
17970 + * endorse or promote products derived from this software without
17971 + * prior written permission. For written permission, please contact
17972 + * openssl-core@openssl.org.
17974 + * 5. Products derived from this software may not be called "OpenSSL"
17975 + * nor may "OpenSSL" appear in their names without prior written
17976 + * permission of the OpenSSL Project.
17978 + * 6. Redistributions of any form whatsoever must retain the following
17979 + * acknowledgment:
17980 + * "This product includes software developed by the OpenSSL Project
17981 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
17983 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
17984 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17985 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
17986 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
17987 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
17988 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
17989 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
17990 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
17991 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
17992 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
17993 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
17994 + * OF THE POSSIBILITY OF SUCH DAMAGE.
17998 +#include <string.h>
17999 +#include <openssl/err.h>
18000 +#ifdef OPENSSL_FIPS
18001 +#include <openssl/fips.h>
18003 +#include <openssl/evp.h>
18004 +#include <openssl/sha.h>
18006 +#ifdef OPENSSL_FIPS
18007 +static const char test[][60]=
18011 + "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
18014 +static const unsigned char ret[][SHA_DIGEST_LENGTH]=
18016 + { 0xda,0x39,0xa3,0xee,0x5e,0x6b,0x4b,0x0d,0x32,0x55,
18017 + 0xbf,0xef,0x95,0x60,0x18,0x90,0xaf,0xd8,0x07,0x09 },
18018 + { 0xa9,0x99,0x3e,0x36,0x47,0x06,0x81,0x6a,0xba,0x3e,
18019 + 0x25,0x71,0x78,0x50,0xc2,0x6c,0x9c,0xd0,0xd8,0x9d },
18020 + { 0x84,0x98,0x3e,0x44,0x1c,0x3b,0xd2,0x6e,0xba,0xae,
18021 + 0x4a,0xa1,0xf9,0x51,0x29,0xe5,0xe5,0x46,0x70,0xf1 },
18024 +static int corrupt_sha;
18026 +void FIPS_corrupt_sha1()
18031 +int FIPS_selftest_sha1()
18035 + for(n=0 ; n<sizeof(test)/sizeof(test[0]) ; ++n)
18037 + unsigned char md[SHA_DIGEST_LENGTH];
18039 + EVP_Digest(test[n],strlen(test[n])+corrupt_sha,md, NULL, EVP_sha1(), NULL);
18040 + if(memcmp(md,ret[n],sizeof md))
18042 + FIPSerr(FIPS_F_FIPS_SELFTEST_SHA1,FIPS_R_SELFTEST_FAILED);
18049 +static const unsigned char msg_sha256[] = { 0xfa, 0x48, 0x59, 0x2a, 0xe1, 0xae, 0x1f, 0x30,
18051 +static const unsigned char dig_sha256[] = { 0xf7, 0x26, 0xd8, 0x98, 0x47, 0x91, 0x68, 0x5b,
18052 + 0x9e, 0x39, 0xb2, 0x58, 0xbb, 0x75, 0xbf, 0x01,
18053 + 0x17, 0x0c, 0x84, 0x00, 0x01, 0x7a, 0x94, 0x83,
18054 + 0xf3, 0x0b, 0x15, 0x84, 0x4b, 0x69, 0x88, 0x8a };
18056 +static const unsigned char msg_sha512[] = { 0x37, 0xd1, 0x35, 0x9d, 0x18, 0x41, 0xe9, 0xb7,
18057 + 0x6d, 0x9a, 0x13, 0xda, 0x5f, 0xf3, 0xbd };
18058 +static const unsigned char dig_sha512[] = { 0x11, 0x13, 0xc4, 0x19, 0xed, 0x2b, 0x1d, 0x16,
18059 + 0x11, 0xeb, 0x9b, 0xbe, 0xf0, 0x7f, 0xcf, 0x44,
18060 + 0x8b, 0xd7, 0x57, 0xbd, 0x8d, 0xa9, 0x25, 0xb0,
18061 + 0x47, 0x25, 0xd6, 0x6c, 0x9a, 0x54, 0x7f, 0x8f,
18062 + 0x0b, 0x53, 0x1a, 0x10, 0x68, 0x32, 0x03, 0x38,
18063 + 0x82, 0xc4, 0x87, 0xc4, 0xea, 0x0e, 0xd1, 0x04,
18064 + 0xa9, 0x98, 0xc1, 0x05, 0xa3, 0xf3, 0xf8, 0xb1,
18065 + 0xaf, 0xbc, 0xd9, 0x78, 0x7e, 0xee, 0x3d, 0x43 };
18067 +int FIPS_selftest_sha2(void)
18069 + unsigned char md[SHA512_DIGEST_LENGTH];
18071 + EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL);
18072 + if(memcmp(dig_sha256, md, sizeof(dig_sha256)))
18074 + FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
18078 + EVP_Digest(msg_sha512, sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL);
18079 + if(memcmp(dig_sha512, md, sizeof(dig_sha512)))
18081 + FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
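Review bot: The return value of EVP_Digest() is discarded in both FIPS_selftest_sha1() and FIPS_selftest_sha2(), so if the digest call itself fails the memcmp runs against an uninitialized `md` and the self-test verdict depends on stack contents rather than on the known-answer vector; fold the call into the check, e.g. `if (!EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL) || memcmp(dig_sha256, md, sizeof(dig_sha256)))`. The SHA-256 and SHA-512 failures are also raised under FIPS_F_FIPS_MODE_SET rather than a function code of their own, so a failed SHA-2 KAT is indistinguishable in the error queue from a generic mode-set failure, while the SHA-1 path correctly uses FIPS_F_FIPS_SELFTEST_SHA1. The `strlen(test[n])+corrupt_sha` length argument is a deliberate fault-injection hook and deserves a comment so it is not "fixed" later, e.g. `/* corrupt_sha != 0 hashes one extra byte so the KAT deliberately fails (test hook) */`.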
18089 diff -up openssl-1.0.1b/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.1b/crypto/fips/fips_standalone_hmac.c
18090 --- openssl-1.0.1b/crypto/fips/fips_standalone_hmac.c.fips 2012-04-26 18:00:51.408769474 +0200
18091 +++ openssl-1.0.1b/crypto/fips/fips_standalone_hmac.c 2012-04-26 18:00:51.408769474 +0200
18093 +/* ====================================================================
18094 + * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
18096 + * Redistribution and use in source and binary forms, with or without
18097 + * modification, are permitted provided that the following conditions
18100 + * 1. Redistributions of source code must retain the above copyright
18101 + * notice, this list of conditions and the following disclaimer.
18103 + * 2. Redistributions in binary form must reproduce the above copyright
18104 + * notice, this list of conditions and the following disclaimer in
18105 + * the documentation and/or other materials provided with the
18108 + * 3. All advertising materials mentioning features or use of this
18109 + * software must display the following acknowledgment:
18110 + * "This product includes software developed by the OpenSSL Project
18111 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
18113 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
18114 + * endorse or promote products derived from this software without
18115 + * prior written permission. For written permission, please contact
18116 + * openssl-core@openssl.org.
18118 + * 5. Products derived from this software may not be called "OpenSSL"
18119 + * nor may "OpenSSL" appear in their names without prior written
18120 + * permission of the OpenSSL Project.
18122 + * 6. Redistributions of any form whatsoever must retain the following
18123 + * acknowledgment:
18124 + * "This product includes software developed by the OpenSSL Project
18125 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
18127 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
18128 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18129 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
18130 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
18131 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
18132 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18133 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
18134 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
18135 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
18136 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
18137 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
18138 + * OF THE POSSIBILITY OF SUCH DAMAGE.
18142 +#include <stdio.h>
18143 +#include <stdlib.h>
18144 +#include <string.h>
18145 +#include <openssl/opensslconf.h>
18146 +#include <openssl/sha.h>
18147 +#include <openssl/hmac.h>
18149 +#ifndef FIPSCANISTER_O
18150 +int FIPS_selftest_failed() { return 0; }
18151 +void FIPS_selftest_check() {}
18152 +void OPENSSL_cleanse(void *p,size_t len) {}
18155 +#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
18156 + defined(__INTEL__) || \
18157 + defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
18159 +unsigned int OPENSSL_ia32cap_P[2];
18162 +#ifdef OPENSSL_FIPS
18164 +static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx,
18167 + size_t len=strlen(key);
18169 + unsigned char keymd[HMAC_MAX_MD_CBLOCK];
18170 + unsigned char pad[HMAC_MAX_MD_CBLOCK];
18172 + if (len > SHA_CBLOCK)
18174 + SHA256_Init(md_ctx);
18175 + SHA256_Update(md_ctx,key,len);
18176 + SHA256_Final(keymd,md_ctx);
18177 + len=SHA256_DIGEST_LENGTH;
18180 + memcpy(keymd,key,len);
18181 + memset(&keymd[len],'\0',HMAC_MAX_MD_CBLOCK-len);
18183 + for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
18184 + pad[i]=0x36^keymd[i];
18185 + SHA256_Init(md_ctx);
18186 + SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
18188 + for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
18189 + pad[i]=0x5c^keymd[i];
18190 + SHA256_Init(o_ctx);
18191 + SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
18194 +static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx)
18196 + unsigned char buf[SHA256_DIGEST_LENGTH];
18198 + SHA256_Final(buf,md_ctx);
18199 + SHA256_Update(o_ctx,buf,sizeof buf);
18200 + SHA256_Final(md,o_ctx);
18205 +int main(int argc,char **argv)
18207 +#ifdef OPENSSL_FIPS
18208 + static char key[]="orboDeJITITejsirpADONivirpUkvarP";
18213 + fprintf(stderr,"%s [<file>]+\n",argv[0]);
18218 + if (!strcmp(argv[n],"-binary"))
18221 + binary=1; /* emit binary fingerprint... */
18224 + for(; n < argc ; ++n)
18226 + FILE *f=fopen(argv[n],"rb");
18227 + SHA256_CTX md_ctx,o_ctx;
18228 + unsigned char md[SHA256_DIGEST_LENGTH];
18237 + hmac_init(&md_ctx,&o_ctx,key);
18241 + size_t l=fread(buf,1,sizeof buf,f);
18253 + SHA256_Update(&md_ctx,buf,l);
18255 + hmac_final(md,&md_ctx,&o_ctx);
18259 + fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
18260 + break; /* ... for single(!) file */
18263 +/* printf("HMAC-SHA1(%s)= ",argv[n]); */
18264 + for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
18265 + printf("%02x",md[i]);
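Review bot: hmac_init() decides whether to pre-hash the key with `if (len > SHA_CBLOCK)`, a SHA-1 constant, while every other line of the routine is SHA-256; both happen to be 64 bytes so the output is correct today, but the threshold should read `if (len > SHA256_CBLOCK)` so it cannot drift from the block size actually passed to SHA256_Update(). Similarly the pads are built over HMAC_MAX_MD_CBLOCK bytes but only SHA256_CBLOCK of them are hashed, which is harmless but worth a one-line comment. The key on the `static char key[]` line is a fixed published constant, so the fingerprint this tool emits is an integrity check that detects modification of the canister, not a secret-keyed authenticator; a comment such as `/* Fixed, public HMAC key: the fingerprint detects modification, it is not a secret */` would stop readers treating it as a credential. The fread() loop in main() is only partly visible here, so I cannot tell whether a short read caused by an I/O error is distinguished from EOF before the partial data is fed into the HMAC.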
18273 diff -up openssl-1.0.1b/crypto/fips/fips_test_suite.c.fips openssl-1.0.1b/crypto/fips/fips_test_suite.c
18274 --- openssl-1.0.1b/crypto/fips/fips_test_suite.c.fips 2012-04-26 18:00:51.408769474 +0200
18275 +++ openssl-1.0.1b/crypto/fips/fips_test_suite.c 2012-04-26 18:00:51.408769474 +0200
18277 +/* ====================================================================
18278 + * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
18281 + * This command is intended as a test driver for the FIPS-140 testing
18282 + * lab performing FIPS-140 validation. It demonstrates the use of the
18283 + * OpenSSL library ito perform a variety of common cryptographic
18284 + * functions. A power-up self test is demonstrated by deliberately
18285 + * pointing to an invalid executable hash
18287 + * Contributed by Steve Marquess.
18290 +#include <stdio.h>
18291 +#include <assert.h>
18292 +#include <ctype.h>
18293 +#include <string.h>
18294 +#include <stdlib.h>
18295 +#include <openssl/aes.h>
18296 +#include <openssl/des.h>
18297 +#include <openssl/rsa.h>
18298 +#include <openssl/dsa.h>
18299 +#include <openssl/dh.h>
18300 +#include <openssl/hmac.h>
18301 +#include <openssl/err.h>
18303 +#include <openssl/bn.h>
18304 +#include <openssl/rand.h>
18305 +#include <openssl/sha.h>
18308 +#ifndef OPENSSL_FIPS
18309 +int main(int argc, char *argv[])
18311 + printf("No FIPS support\n");
18316 +#include <openssl/fips.h>
18317 +#include "fips_utl.h"
18319 +/* AES: encrypt and decrypt known plaintext, verify result matches original plaintext
18321 +static int FIPS_aes_test(void)
18324 + unsigned char pltmp[16];
18325 + unsigned char citmp[16];
18326 + unsigned char key[16] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
18327 + unsigned char plaintext[16] = "etaonrishdlcu";
18328 + EVP_CIPHER_CTX ctx;
18329 + EVP_CIPHER_CTX_init(&ctx);
18330 + if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 1) <= 0)
18332 + EVP_Cipher(&ctx, citmp, plaintext, 16);
18333 + if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 0) <= 0)
18335 + EVP_Cipher(&ctx, pltmp, citmp, 16);
18336 + if (memcmp(pltmp, plaintext, 16))
18340 + EVP_CIPHER_CTX_cleanup(&ctx);
18344 +static int FIPS_des3_test(void)
18347 + unsigned char pltmp[8];
18348 + unsigned char citmp[8];
18349 + unsigned char key[] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,
18350 + 19,20,21,22,23,24};
18351 + unsigned char plaintext[] = { 'e', 't', 'a', 'o', 'n', 'r', 'i', 's' };
18352 + EVP_CIPHER_CTX ctx;
18353 + EVP_CIPHER_CTX_init(&ctx);
18354 + if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(),NULL, key, NULL, 1) <= 0)
18356 + EVP_Cipher(&ctx, citmp, plaintext, 8);
18357 + if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(),NULL, key, NULL, 0) <= 0)
18359 + EVP_Cipher(&ctx, pltmp, citmp, 8);
18360 + if (memcmp(pltmp, plaintext, 8))
18364 + EVP_CIPHER_CTX_cleanup(&ctx);
18369 + * DSA: generate keys and sign, verify input plaintext.
18371 +static int FIPS_dsa_test(int bad)
18375 + unsigned char dgst[] = "etaonrishdlc";
18376 + unsigned char buf[60];
18377 + unsigned int slen;
18381 + ERR_clear_error();
18382 + EVP_MD_CTX_init(&mctx);
18386 + if (!DSA_generate_parameters_ex(dsa, 1024,NULL,0,NULL,NULL,NULL))
18388 + if (!DSA_generate_key(dsa))
18391 + BN_add_word(dsa->pub_key, 1);
18393 + pk.type = EVP_PKEY_DSA;
18394 + pk.pkey.dsa = dsa;
18396 + if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL))
18398 + if (!EVP_SignUpdate(&mctx, dgst, sizeof(dgst) - 1))
18400 + if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
18403 + if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL))
18405 + if (!EVP_VerifyUpdate(&mctx, dgst, sizeof(dgst) - 1))
18407 + r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
18409 + EVP_MD_CTX_cleanup(&mctx);
18418 + * RSA: generate keys and sign, verify input plaintext.
18420 +static int FIPS_rsa_test(int bad)
18423 + unsigned char input_ptext[] = "etaonrishdlc";
18424 + unsigned char buf[256];
18425 + unsigned int slen;
18431 + ERR_clear_error();
18432 + EVP_MD_CTX_init(&mctx);
18437 + BN_set_word(bn, 65537);
18438 + if (!RSA_generate_key_ex(key, 1024,bn,NULL))
18442 + BN_add_word(key->n, 1);
18444 + pk.type = EVP_PKEY_RSA;
18445 + pk.pkey.rsa = key;
18447 + if (!EVP_SignInit_ex(&mctx, EVP_sha1(), NULL))
18449 + if (!EVP_SignUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
18451 + if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
18454 + if (!EVP_VerifyInit_ex(&mctx, EVP_sha1(), NULL))
18456 + if (!EVP_VerifyUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
18458 + r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
18460 + EVP_MD_CTX_cleanup(&mctx);
18468 +/* SHA1: generate hash of known digest value and compare to known
18469 + precomputed correct hash
18471 +static int FIPS_sha1_test()
18473 + unsigned char digest[SHA_DIGEST_LENGTH] =
18474 + { 0x11, 0xf1, 0x9a, 0x3a, 0xec, 0x1a, 0x1e, 0x8e, 0x65, 0xd4, 0x9a, 0x38, 0x0c, 0x8b, 0x1e, 0x2c, 0xe8, 0xb3, 0xc5, 0x18 };
18475 + unsigned char str[] = "etaonrishd";
18477 + unsigned char md[SHA_DIGEST_LENGTH];
18479 + ERR_clear_error();
18480 + if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha1(), NULL)) return 0;
18481 + if (memcmp(md,digest,sizeof(md)))
18486 +/* SHA256: generate hash of known digest value and compare to known
18487 + precomputed correct hash
18489 +static int FIPS_sha256_test()
18491 + unsigned char digest[SHA256_DIGEST_LENGTH] =
18492 + {0xf5, 0x53, 0xcd, 0xb8, 0xcf, 0x1, 0xee, 0x17, 0x9b, 0x93, 0xc9, 0x68, 0xc0, 0xea, 0x40, 0x91,
18493 + 0x6, 0xec, 0x8e, 0x11, 0x96, 0xc8, 0x5d, 0x1c, 0xaf, 0x64, 0x22, 0xe6, 0x50, 0x4f, 0x47, 0x57};
18494 + unsigned char str[] = "etaonrishd";
18496 + unsigned char md[SHA256_DIGEST_LENGTH];
18498 + ERR_clear_error();
18499 + if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha256(), NULL)) return 0;
18500 + if (memcmp(md,digest,sizeof(md)))
18505 +/* SHA512: generate hash of known digest value and compare to known
18506 + precomputed correct hash
18508 +static int FIPS_sha512_test()
18510 + unsigned char digest[SHA512_DIGEST_LENGTH] =
18511 + {0x99, 0xc9, 0xe9, 0x5b, 0x88, 0xd4, 0x78, 0x88, 0xdf, 0x88, 0x5f, 0x94, 0x71, 0x64, 0x28, 0xca,
18512 + 0x16, 0x1f, 0x3d, 0xf4, 0x1f, 0xf3, 0x0f, 0xc5, 0x03, 0x99, 0xb2, 0xd0, 0xe7, 0x0b, 0x94, 0x4a,
18513 + 0x45, 0xd2, 0x6c, 0x4f, 0x20, 0x06, 0xef, 0x71, 0xa9, 0x25, 0x7f, 0x24, 0xb1, 0xd9, 0x40, 0x22,
18514 + 0x49, 0x54, 0x10, 0xc2, 0x22, 0x9d, 0x27, 0xfe, 0xbd, 0xd6, 0xd6, 0xeb, 0x2d, 0x42, 0x1d, 0xa3};
18515 + unsigned char str[] = "etaonrishd";
18517 + unsigned char md[SHA512_DIGEST_LENGTH];
18519 + ERR_clear_error();
18520 + if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha512(), NULL)) return 0;
18521 + if (memcmp(md,digest,sizeof(md)))
18526 +/* HMAC-SHA1: generate hash of known digest value and compare to known
18527 + precomputed correct hash
18529 +static int FIPS_hmac_sha1_test()
18531 + unsigned char key[] = "etaonrishd";
18532 + unsigned char iv[] = "Sample text";
18533 + unsigned char kaval[EVP_MAX_MD_SIZE] =
18534 + {0x73, 0xf7, 0xa0, 0x48, 0xf8, 0x94, 0xed, 0xdd, 0x0a, 0xea, 0xea, 0x56, 0x1b, 0x61, 0x2e, 0x70,
18535 + 0xb2, 0xfb, 0xec, 0xc6};
18537 + unsigned char out[EVP_MAX_MD_SIZE];
18538 + unsigned int outlen;
18540 + ERR_clear_error();
18541 + if (!HMAC(EVP_sha1(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
18542 + if (memcmp(out,kaval,outlen))
18547 +/* HMAC-SHA224: generate hash of known digest value and compare to known
18548 + precomputed correct hash
18550 +static int FIPS_hmac_sha224_test()
18552 + unsigned char key[] = "etaonrishd";
18553 + unsigned char iv[] = "Sample text";
18554 + unsigned char kaval[EVP_MAX_MD_SIZE] =
18555 + {0x75, 0x58, 0xd5, 0xbd, 0x55, 0x6d, 0x87, 0x0f, 0x75, 0xff, 0xbe, 0x1c, 0xb2, 0xf0, 0x20, 0x35,
18556 + 0xe5, 0x62, 0x49, 0xb6, 0x94, 0xb9, 0xfc, 0x65, 0x34, 0x33, 0x3a, 0x19};
18558 + unsigned char out[EVP_MAX_MD_SIZE];
18559 + unsigned int outlen;
18561 + ERR_clear_error();
18562 + if (!HMAC(EVP_sha224(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
18563 + if (memcmp(out,kaval,outlen))
18568 +/* HMAC-SHA256: generate hash of known digest value and compare to known
18569 + precomputed correct hash
18571 +static int FIPS_hmac_sha256_test()
18573 + unsigned char key[] = "etaonrishd";
18574 + unsigned char iv[] = "Sample text";
18575 + unsigned char kaval[EVP_MAX_MD_SIZE] =
18576 + {0xe9, 0x17, 0xc1, 0x7b, 0x4c, 0x6b, 0x77, 0xda, 0xd2, 0x30, 0x36, 0x02, 0xf5, 0x72, 0x33, 0x87,
18577 + 0x9f, 0xc6, 0x6e, 0x7b, 0x7e, 0xa8, 0xea, 0xaa, 0x9f, 0xba, 0xee, 0x51, 0xff, 0xda, 0x24, 0xf4};
18579 + unsigned char out[EVP_MAX_MD_SIZE];
18580 + unsigned int outlen;
18582 + ERR_clear_error();
18583 + if (!HMAC(EVP_sha256(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
18584 + if (memcmp(out,kaval,outlen))
18589 +/* HMAC-SHA384: generate hash of known digest value and compare to known
18590 + precomputed correct hash
18592 +static int FIPS_hmac_sha384_test()
18594 + unsigned char key[] = "etaonrishd";
18595 + unsigned char iv[] = "Sample text";
18596 + unsigned char kaval[EVP_MAX_MD_SIZE] =
18597 + {0xb2, 0x9d, 0x40, 0x58, 0x32, 0xc4, 0xe3, 0x31, 0xb6, 0x63, 0x08, 0x26, 0x99, 0xef, 0x3b, 0x10,
18598 + 0xe2, 0xdf, 0xf8, 0xff, 0xc6, 0xe1, 0x03, 0x29, 0x81, 0x2a, 0x1b, 0xac, 0xb0, 0x07, 0x39, 0x08,
18599 + 0xf3, 0x91, 0x35, 0x11, 0x76, 0xd6, 0x4c, 0x20, 0xfb, 0x4d, 0xc3, 0xf3, 0xb8, 0x9b, 0x88, 0x1c};
18601 + unsigned char out[EVP_MAX_MD_SIZE];
18602 + unsigned int outlen;
18604 + ERR_clear_error();
18605 + if (!HMAC(EVP_sha384(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
18606 + if (memcmp(out,kaval,outlen))
18611 +/* HMAC-SHA512: generate hash of known digest value and compare to known
18612 + precomputed correct hash
18614 +static int FIPS_hmac_sha512_test()
18616 + unsigned char key[] = "etaonrishd";
18617 + unsigned char iv[] = "Sample text";
18618 + unsigned char kaval[EVP_MAX_MD_SIZE] =
18619 + {0xcd, 0x3e, 0xb9, 0x51, 0xb8, 0xbc, 0x7f, 0x9a, 0x23, 0xaf, 0xf3, 0x77, 0x59, 0x85, 0xa9, 0xe6,
18620 + 0xf7, 0xd1, 0x51, 0x96, 0x17, 0xe0, 0x92, 0xd8, 0xa6, 0x3b, 0xc1, 0xad, 0x7e, 0x24, 0xca, 0xb1,
18621 + 0xd7, 0x79, 0x0a, 0xa5, 0xea, 0x2c, 0x02, 0x58, 0x0b, 0xa6, 0x52, 0x6b, 0x61, 0x7f, 0xeb, 0x9c,
18622 + 0x47, 0x86, 0x5d, 0x74, 0x2b, 0x88, 0xdf, 0xee, 0x46, 0x69, 0x96, 0x3d, 0xa6, 0xd9, 0x2a, 0x53};
18624 + unsigned char out[EVP_MAX_MD_SIZE];
18625 + unsigned int outlen;
18627 + ERR_clear_error();
18628 + if (!HMAC(EVP_sha512(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
18629 + if (memcmp(out,kaval,outlen))
18635 +/* DH: generate shared parameters
18637 +static int dh_test()
18640 + ERR_clear_error();
18641 + dh = FIPS_dh_new();
18644 + if (!DH_generate_parameters_ex(dh, 1024, 2, NULL))
18646 + FIPS_dh_free(dh);
18652 +static int Zeroize()
18656 + unsigned char userkey[16] =
18657 + { 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f, 0x83, 0x02, 0xb1, 0x09, 0x68 };
18660 + key = FIPS_rsa_new();
18664 + BN_set_word(bn, 65537);
18665 + if (!RSA_generate_key_ex(key, 1024,bn,NULL))
18669 + n = BN_num_bytes(key->d);
18670 + printf(" Generated %d byte RSA private key\n", n);
18671 + printf("\tBN key before overwriting:\n");
18672 + do_bn_print(stdout, key->d);
18673 + BN_rand(key->d,n*8,-1,0);
18674 + printf("\tBN key after overwriting:\n");
18675 + do_bn_print(stdout, key->d);
18677 + printf("\tchar buffer key before overwriting: \n\t\t");
18678 + for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
18680 + RAND_bytes(userkey, sizeof userkey);
18681 + printf("\tchar buffer key after overwriting: \n\t\t");
18682 + for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
18689 +const char * Fail(const char *msg)
18691 + do_print_errors();
18696 +int main(int argc,char **argv)
18699 + int do_corrupt_rsa_keygen = 0, do_corrupt_dsa_keygen = 0;
18700 + int bad_rsa = 0, bad_dsa = 0;
18701 + int do_rng_stick = 0;
18704 + printf("\tFIPS-mode test application\n\n");
18706 + /* Load entropy from external file, if any */
18707 + RAND_load_file(".rnd", 1024);
18710 + /* Corrupted KAT tests */
18711 + if (!strcmp(argv[1], "aes")) {
18712 + FIPS_corrupt_aes();
18713 + printf("AES encryption/decryption with corrupted KAT...\n");
18714 + } else if (!strcmp(argv[1], "des")) {
18715 + FIPS_corrupt_des();
18716 + printf("DES3-ECB encryption/decryption with corrupted KAT...\n");
18717 + } else if (!strcmp(argv[1], "dsa")) {
18718 + FIPS_corrupt_dsa();
18719 + printf("DSA key generation and signature validation with corrupted KAT...\n");
18720 + } else if (!strcmp(argv[1], "rsa")) {
18721 + FIPS_corrupt_rsa();
18722 + printf("RSA key generation and signature validation with corrupted KAT...\n");
18723 + } else if (!strcmp(argv[1], "rsakey")) {
18724 + printf("RSA key generation and signature validation with corrupted key...\n");
18727 + } else if (!strcmp(argv[1], "rsakeygen")) {
18728 + do_corrupt_rsa_keygen = 1;
18730 + printf("RSA key generation and signature validation with corrupted keygen...\n");
18731 + } else if (!strcmp(argv[1], "dsakey")) {
18732 + printf("DSA key generation and signature validation with corrupted key...\n");
18735 + } else if (!strcmp(argv[1], "dsakeygen")) {
18736 + do_corrupt_dsa_keygen = 1;
18738 + printf("DSA key generation and signature validation with corrupted keygen...\n");
18739 + } else if (!strcmp(argv[1], "sha1")) {
18740 + FIPS_corrupt_sha1();
18741 + printf("SHA-1 hash with corrupted KAT...\n");
18742 + } else if (!strcmp(argv[1], "rng")) {
18743 + FIPS_corrupt_rng();
18744 + } else if (!strcmp(argv[1], "rngstick")) {
18745 + do_rng_stick = 1;
18747 + printf("RNG test with stuck continuous test...\n");
18749 + printf("Bad argument \"%s\"\n", argv[1]);
18753 + if (!FIPS_mode_set(1)) {
18754 + do_print_errors();
18755 + printf("Power-up self test failed\n");
18758 + printf("Power-up self test successful\n");
18763 + /* Non-Approved cryptographic operation
18765 + printf("1. Non-Approved cryptographic operation test...\n");
18766 + printf("\ta. Included algorithm (D-H)...");
18767 + printf( dh_test() ? "successful\n" : Fail("FAILED!\n") );
18769 + /* Power-up self test
18771 + ERR_clear_error();
18772 + printf("2. Automatic power-up self test...");
18773 + if (!FIPS_mode_set(1))
18775 + do_print_errors();
18776 + printf(Fail("FAILED!\n"));
18779 + printf("successful\n");
18780 + if (do_corrupt_dsa_keygen)
18781 + FIPS_corrupt_dsa_keygen();
18782 + if (do_corrupt_rsa_keygen)
18783 + FIPS_corrupt_rsa_keygen();
18784 + if (do_rng_stick)
18785 + FIPS_rng_stick();
18787 + /* AES encryption/decryption
18789 + printf("3. AES encryption/decryption...");
18790 + printf( FIPS_aes_test() ? "successful\n" : Fail("FAILED!\n") );
18792 + /* RSA key generation and encryption/decryption
18794 + printf("4. RSA key generation and encryption/decryption...");
18795 + printf( FIPS_rsa_test(bad_rsa) ? "successful\n" : Fail("FAILED!\n") );
18797 + /* DES-CBC encryption/decryption
18799 + printf("5. DES-ECB encryption/decryption...");
18800 + printf( FIPS_des3_test() ? "successful\n" : Fail("FAILED!\n") );
18802 + /* DSA key generation and signature validation
18804 + printf("6. DSA key generation and signature validation...");
18805 + printf( FIPS_dsa_test(bad_dsa) ? "successful\n" : Fail("FAILED!\n") );
18809 + printf("7a. SHA-1 hash...");
18810 + printf( FIPS_sha1_test() ? "successful\n" : Fail("FAILED!\n") );
18814 + printf("7b. SHA-256 hash...");
18815 + printf( FIPS_sha256_test() ? "successful\n" : Fail("FAILED!\n") );
18819 + printf("7c. SHA-512 hash...");
18820 + printf( FIPS_sha512_test() ? "successful\n" : Fail("FAILED!\n") );
18822 + /* HMAC-SHA-1 hash
18824 + printf("7d. HMAC-SHA-1 hash...");
18825 + printf( FIPS_hmac_sha1_test() ? "successful\n" : Fail("FAILED!\n") );
18827 + /* HMAC-SHA-224 hash
18829 + printf("7e. HMAC-SHA-224 hash...");
18830 + printf( FIPS_hmac_sha224_test() ? "successful\n" : Fail("FAILED!\n") );
18832 + /* HMAC-SHA-256 hash
18834 + printf("7f. HMAC-SHA-256 hash...");
18835 + printf( FIPS_hmac_sha256_test() ? "successful\n" : Fail("FAILED!\n") );
18837 + /* HMAC-SHA-384 hash
18839 + printf("7g. HMAC-SHA-384 hash...");
18840 + printf( FIPS_hmac_sha384_test() ? "successful\n" : Fail("FAILED!\n") );
18842 + /* HMAC-SHA-512 hash
18844 + printf("7h. HMAC-SHA-512 hash...");
18845 + printf( FIPS_hmac_sha512_test() ? "successful\n" : Fail("FAILED!\n") );
18847 + /* Non-Approved cryptographic operation
18849 + printf("8. Non-Approved cryptographic operation test...\n");
18850 + printf("\ta. Included algorithm (D-H)...");
18851 + printf( dh_test() ? "successful as expected\n"
18852 + : Fail("failed INCORRECTLY!\n") );
18856 + printf("9. Zero-ization...\n");
18857 + printf( Zeroize() ? "\tsuccessful as expected\n"
18858 + : Fail("\tfailed INCORRECTLY!\n") );
18860 + printf("\nAll tests completed with %d errors\n", Error);
18861 + return Error ? 1 : 0;
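Review bot: main() passes the outcome string as printf's format argument throughout the test sequence (`printf( FIPS_aes_test() ? "successful\n" : Fail("FAILED!\n") );`, `printf(Fail("FAILED!\n"));`), and Fail() returns its `msg` argument, so the format string is non-literal. Every string is a compile-time constant without `%` today, so there is no format-string bug, but it trips -Wformat-security on hardened builds and would become one the moment Fail() or a message ever carried external text; `fputs(..., stdout)` gives the same output without the hazard. The EVP_Cipher() calls in FIPS_aes_test()/FIPS_des3_test() and the BN_rand()/RAND_bytes() overwrites in Zeroize() are also unchecked, so a failed operation is only noticed if a later memcmp happens to differ, and Zeroize() appears to report success regardless of whether the overwrite happened (its return is outside the visible lines). For a zeroization demonstration a reviewer would expect the library's clearing primitives (BN_clear_free()/OPENSSL_cleanse()) to be exercised rather than a random overwrite, or at least a comment explaining why random data is used here.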
18865 diff -up openssl-1.0.1b/crypto/fips/Makefile.fips openssl-1.0.1b/crypto/fips/Makefile
18866 --- openssl-1.0.1b/crypto/fips/Makefile.fips 2012-04-26 18:00:51.409769496 +0200
18867 +++ openssl-1.0.1b/crypto/fips/Makefile 2012-04-26 18:00:51.409769496 +0200
18870 +# OpenSSL/crypto/fips/Makefile
18878 +MAKEFILE= Makefile
18881 +CFLAGS= $(INCLUDES) $(CFLAG)
18884 +TEST=fips_test_suite.c fips_randtest.c
18887 +PROGRAM= fips_standalone_hmac
18888 +EXE= $(PROGRAM)$(EXE_EXT)
18890 +LIB=$(TOP)/libcrypto.a
18891 +LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_selftest.c \
18892 + fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
18893 + fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
18894 + fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
18895 + fips_cmac_selftest.c fips_enc.c fips_md.c
18897 +LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \
18898 + fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \
18899 + fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \
18900 + fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \
18901 + fips_cmac_selftest.o fips_enc.o fips_md.o
18903 +LIBCRYPTO=-L.. -lcrypto
18905 +SRC= $(LIBSRC) fips_standalone_hmac.c
18907 +EXHEADER= fips.h fips_rand.h
18908 +HEADER= $(EXHEADER)
18910 +ALL= $(GENERAL) $(SRC) $(HEADER)
18913 + (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
18918 + $(AR) $(LIB) $(LIBOBJ)
18919 + $(RANLIB) $(LIB) || echo Never mind.
18925 + $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
18928 + @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
18929 + @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
18930 + @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
18933 + @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
18934 + @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
18936 + (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
18937 + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
18946 + lint -DLINT $(INCLUDES) $(SRC)>fluff
18949 + @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
18950 + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
18953 + $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
18954 + mv -f Makefile.new $(MAKEFILE)
18957 + rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
18959 +$(EXE): $(PROGRAM).o
18960 + FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../sha/$$i" ; done; \
18961 + $(CC) -o $@ $(CFLAGS) $(PROGRAM).o $$FIPS_SHA_ASM
18963 +# DO NOT DELETE THIS LINE -- make depend depends on it.
18965 +fips.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
18966 +fips.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
18967 +fips.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
18968 +fips.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
18969 +fips.o: ../../include/openssl/fips_rand.h ../../include/openssl/hmac.h
18970 +fips.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
18971 +fips.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
18972 +fips.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
18973 +fips.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
18974 +fips.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
18975 +fips.o: ../../include/openssl/symhacks.h fips.c fips_locl.h
18976 +fips_aes_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
18977 +fips_aes_selftest.o: ../../include/openssl/crypto.h
18978 +fips_aes_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
18979 +fips_aes_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
18980 +fips_aes_selftest.o: ../../include/openssl/lhash.h
18981 +fips_aes_selftest.o: ../../include/openssl/obj_mac.h
18982 +fips_aes_selftest.o: ../../include/openssl/objects.h
18983 +fips_aes_selftest.o: ../../include/openssl/opensslconf.h
18984 +fips_aes_selftest.o: ../../include/openssl/opensslv.h
18985 +fips_aes_selftest.o: ../../include/openssl/ossl_typ.h
18986 +fips_aes_selftest.o: ../../include/openssl/safestack.h
18987 +fips_aes_selftest.o: ../../include/openssl/stack.h
18988 +fips_aes_selftest.o: ../../include/openssl/symhacks.h fips_aes_selftest.c
18989 +fips_des_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
18990 +fips_des_selftest.o: ../../include/openssl/crypto.h
18991 +fips_des_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
18992 +fips_des_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
18993 +fips_des_selftest.o: ../../include/openssl/lhash.h
18994 +fips_des_selftest.o: ../../include/openssl/obj_mac.h
18995 +fips_des_selftest.o: ../../include/openssl/objects.h
18996 +fips_des_selftest.o: ../../include/openssl/opensslconf.h
18997 +fips_des_selftest.o: ../../include/openssl/opensslv.h
18998 +fips_des_selftest.o: ../../include/openssl/ossl_typ.h
18999 +fips_des_selftest.o: ../../include/openssl/safestack.h
19000 +fips_des_selftest.o: ../../include/openssl/stack.h
19001 +fips_des_selftest.o: ../../include/openssl/symhacks.h fips_des_selftest.c
19002 +fips_drbg_ctr.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
19003 +fips_drbg_ctr.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
19004 +fips_drbg_ctr.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
19005 +fips_drbg_ctr.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
19006 +fips_drbg_ctr.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
19007 +fips_drbg_ctr.o: ../../include/openssl/objects.h
19008 +fips_drbg_ctr.o: ../../include/openssl/opensslconf.h
19009 +fips_drbg_ctr.o: ../../include/openssl/opensslv.h
19010 +fips_drbg_ctr.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
19011 +fips_drbg_ctr.o: ../../include/openssl/safestack.h
19012 +fips_drbg_ctr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
19013 +fips_drbg_ctr.o: fips_drbg_ctr.c fips_rand_lcl.h
19014 +fips_drbg_hash.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
19015 +fips_drbg_hash.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
19016 +fips_drbg_hash.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
19017 +fips_drbg_hash.o: ../../include/openssl/fips.h
19018 +fips_drbg_hash.o: ../../include/openssl/fips_rand.h
19019 +fips_drbg_hash.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
19020 +fips_drbg_hash.o: ../../include/openssl/objects.h
19021 +fips_drbg_hash.o: ../../include/openssl/opensslconf.h
19022 +fips_drbg_hash.o: ../../include/openssl/opensslv.h
19023 +fips_drbg_hash.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
19024 +fips_drbg_hash.o: ../../include/openssl/safestack.h
19025 +fips_drbg_hash.o: ../../include/openssl/stack.h
19026 +fips_drbg_hash.o: ../../include/openssl/symhacks.h fips_drbg_hash.c
19027 +fips_drbg_hash.o: fips_rand_lcl.h
19028 +fips_drbg_hmac.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
19029 +fips_drbg_hmac.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
19030 +fips_drbg_hmac.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
19031 +fips_drbg_hmac.o: ../../include/openssl/fips.h
19032 +fips_drbg_hmac.o: ../../include/openssl/fips_rand.h
19033 +fips_drbg_hmac.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
19034 +fips_drbg_hmac.o: ../../include/openssl/objects.h
19035 +fips_drbg_hmac.o: ../../include/openssl/opensslconf.h
19036 +fips_drbg_hmac.o: ../../include/openssl/opensslv.h
19037 +fips_drbg_hmac.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
19038 +fips_drbg_hmac.o: ../../include/openssl/safestack.h
19039 +fips_drbg_hmac.o: ../../include/openssl/stack.h
19040 +fips_drbg_hmac.o: ../../include/openssl/symhacks.h fips_drbg_hmac.c
19041 +fips_drbg_hmac.o: fips_rand_lcl.h
19042 +fips_drbg_lib.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
19043 +fips_drbg_lib.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
19044 +fips_drbg_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
19045 +fips_drbg_lib.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
19046 +fips_drbg_lib.o: ../../include/openssl/fips_rand.h ../../include/openssl/hmac.h
19047 +fips_drbg_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
19048 +fips_drbg_lib.o: ../../include/openssl/objects.h
19049 +fips_drbg_lib.o: ../../include/openssl/opensslconf.h
19050 +fips_drbg_lib.o: ../../include/openssl/opensslv.h
19051 +fips_drbg_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
19052 +fips_drbg_lib.o: ../../include/openssl/safestack.h
19053 +fips_drbg_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
19054 +fips_drbg_lib.o: fips_drbg_lib.c fips_locl.h fips_rand_lcl.h
19055 +fips_drbg_rand.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
19056 +fips_drbg_rand.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
19057 +fips_drbg_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
19058 +fips_drbg_rand.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
19059 +fips_drbg_rand.o: ../../include/openssl/fips_rand.h
19060 +fips_drbg_rand.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
19061 +fips_drbg_rand.o: ../../include/openssl/obj_mac.h
19062 +fips_drbg_rand.o: ../../include/openssl/objects.h
19063 +fips_drbg_rand.o: ../../include/openssl/opensslconf.h
19064 +fips_drbg_rand.o: ../../include/openssl/opensslv.h
19065 +fips_drbg_rand.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
19066 +fips_drbg_rand.o: ../../include/openssl/safestack.h
19067 +fips_drbg_rand.o: ../../include/openssl/stack.h
19068 +fips_drbg_rand.o: ../../include/openssl/symhacks.h fips_drbg_rand.c
19069 +fips_drbg_rand.o: fips_rand_lcl.h
19070 +fips_drbg_selftest.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
19071 +fips_drbg_selftest.o: ../../include/openssl/bio.h
19072 +fips_drbg_selftest.o: ../../include/openssl/crypto.h
19073 +fips_drbg_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
19074 +fips_drbg_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
19075 +fips_drbg_selftest.o: ../../include/openssl/fips_rand.h
19076 +fips_drbg_selftest.o: ../../include/openssl/hmac.h
19077 +fips_drbg_selftest.o: ../../include/openssl/lhash.h
19078 +fips_drbg_selftest.o: ../../include/openssl/obj_mac.h
19079 +fips_drbg_selftest.o: ../../include/openssl/objects.h
19080 +fips_drbg_selftest.o: ../../include/openssl/opensslconf.h
19081 +fips_drbg_selftest.o: ../../include/openssl/opensslv.h
19082 +fips_drbg_selftest.o: ../../include/openssl/ossl_typ.h
19083 +fips_drbg_selftest.o: ../../include/openssl/rand.h
19084 +fips_drbg_selftest.o: ../../include/openssl/safestack.h
19085 +fips_drbg_selftest.o: ../../include/openssl/stack.h
19086 +fips_drbg_selftest.o: ../../include/openssl/symhacks.h fips_drbg_selftest.c
19087 +fips_drbg_selftest.o: fips_drbg_selftest.h fips_locl.h fips_rand_lcl.h
19088 +fips_dsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
19089 +fips_dsa_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
19090 +fips_dsa_selftest.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
19091 +fips_dsa_selftest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
19092 +fips_dsa_selftest.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
19093 +fips_dsa_selftest.o: ../../include/openssl/obj_mac.h
19094 +fips_dsa_selftest.o: ../../include/openssl/objects.h
19095 +fips_dsa_selftest.o: ../../include/openssl/opensslconf.h
19096 +fips_dsa_selftest.o: ../../include/openssl/opensslv.h
19097 +fips_dsa_selftest.o: ../../include/openssl/ossl_typ.h
19098 +fips_dsa_selftest.o: ../../include/openssl/safestack.h
19099 +fips_dsa_selftest.o: ../../include/openssl/stack.h
19100 +fips_dsa_selftest.o: ../../include/openssl/symhacks.h fips_dsa_selftest.c
19101 +fips_dsa_selftest.o: fips_locl.h
19102 +fips_hmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
19103 +fips_hmac_selftest.o: ../../include/openssl/crypto.h
19104 +fips_hmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
19105 +fips_hmac_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
19106 +fips_hmac_selftest.o: ../../include/openssl/hmac.h
19107 +fips_hmac_selftest.o: ../../include/openssl/lhash.h
19108 +fips_hmac_selftest.o: ../../include/openssl/obj_mac.h
19109 +fips_hmac_selftest.o: ../../include/openssl/objects.h
19110 +fips_hmac_selftest.o: ../../include/openssl/opensslconf.h
19111 +fips_hmac_selftest.o: ../../include/openssl/opensslv.h
19112 +fips_hmac_selftest.o: ../../include/openssl/ossl_typ.h
19113 +fips_hmac_selftest.o: ../../include/openssl/safestack.h
19114 +fips_hmac_selftest.o: ../../include/openssl/stack.h
19115 +fips_hmac_selftest.o: ../../include/openssl/symhacks.h fips_hmac_selftest.c
19116 +fips_post.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
19117 +fips_post.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
19118 +fips_post.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
19119 +fips_post.o: ../../include/openssl/err.h ../../include/openssl/evp.h
19120 +fips_post.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
19121 +fips_post.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
19122 +fips_post.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
19123 +fips_post.o: ../../include/openssl/opensslconf.h
19124 +fips_post.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
19125 +fips_post.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
19126 +fips_post.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
19127 +fips_post.o: ../../include/openssl/symhacks.h fips_locl.h fips_post.c
19128 +fips_rand.o: ../../e_os.h ../../include/openssl/aes.h
19129 +fips_rand.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
19130 +fips_rand.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
19131 +fips_rand.o: ../../include/openssl/err.h ../../include/openssl/evp.h
19132 +fips_rand.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
19133 +fips_rand.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
19134 +fips_rand.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
19135 +fips_rand.o: ../../include/openssl/opensslconf.h
19136 +fips_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
19137 +fips_rand.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
19138 +fips_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
19139 +fips_rand.o: fips_locl.h fips_rand.c
19140 +fips_rand_lib.o: ../../e_os.h ../../include/openssl/aes.h
19141 +fips_rand_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
19142 +fips_rand_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
19143 +fips_rand_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
19144 +fips_rand_lib.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
19145 +fips_rand_lib.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
19146 +fips_rand_lib.o: ../../include/openssl/obj_mac.h
19147 +fips_rand_lib.o: ../../include/openssl/objects.h
19148 +fips_rand_lib.o: ../../include/openssl/opensslconf.h
19149 +fips_rand_lib.o: ../../include/openssl/opensslv.h
19150 +fips_rand_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
19151 +fips_rand_lib.o: ../../include/openssl/safestack.h
19152 +fips_rand_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
19153 +fips_rand_lib.o: fips_rand_lib.c
19154 +fips_rand_selftest.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
19155 +fips_rand_selftest.o: ../../include/openssl/bio.h
19156 +fips_rand_selftest.o: ../../include/openssl/crypto.h
19157 +fips_rand_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
19158 +fips_rand_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
19159 +fips_rand_selftest.o: ../../include/openssl/fips_rand.h
19160 +fips_rand_selftest.o: ../../include/openssl/hmac.h
19161 +fips_rand_selftest.o: ../../include/openssl/lhash.h
19162 +fips_rand_selftest.o: ../../include/openssl/obj_mac.h
19163 +fips_rand_selftest.o: ../../include/openssl/objects.h
19164 +fips_rand_selftest.o: ../../include/openssl/opensslconf.h
19165 +fips_rand_selftest.o: ../../include/openssl/opensslv.h
19166 +fips_rand_selftest.o: ../../include/openssl/ossl_typ.h
19167 +fips_rand_selftest.o: ../../include/openssl/rand.h
19168 +fips_rand_selftest.o: ../../include/openssl/safestack.h
19169 +fips_rand_selftest.o: ../../include/openssl/stack.h
19170 +fips_rand_selftest.o: ../../include/openssl/symhacks.h fips_locl.h
19171 +fips_rand_selftest.o: fips_rand_selftest.c
19172 +fips_rsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
19173 +fips_rsa_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
19174 +fips_rsa_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
19175 +fips_rsa_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
19176 +fips_rsa_selftest.o: ../../include/openssl/lhash.h
19177 +fips_rsa_selftest.o: ../../include/openssl/obj_mac.h
19178 +fips_rsa_selftest.o: ../../include/openssl/objects.h
19179 +fips_rsa_selftest.o: ../../include/openssl/opensslconf.h
19180 +fips_rsa_selftest.o: ../../include/openssl/opensslv.h
19181 +fips_rsa_selftest.o: ../../include/openssl/ossl_typ.h
19182 +fips_rsa_selftest.o: ../../include/openssl/rsa.h
19183 +fips_rsa_selftest.o: ../../include/openssl/safestack.h
19184 +fips_rsa_selftest.o: ../../include/openssl/stack.h
19185 +fips_rsa_selftest.o: ../../include/openssl/symhacks.h fips_rsa_selftest.c
19186 +fips_rsa_x931g.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
19187 +fips_rsa_x931g.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
19188 +fips_rsa_x931g.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
19189 +fips_rsa_x931g.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
19190 +fips_rsa_x931g.o: ../../include/openssl/opensslconf.h
19191 +fips_rsa_x931g.o: ../../include/openssl/opensslv.h
19192 +fips_rsa_x931g.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rsa.h
19193 +fips_rsa_x931g.o: ../../include/openssl/safestack.h
19194 +fips_rsa_x931g.o: ../../include/openssl/stack.h
19195 +fips_rsa_x931g.o: ../../include/openssl/symhacks.h fips_rsa_x931g.c
19196 +fips_sha_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
19197 +fips_sha_selftest.o: ../../include/openssl/crypto.h
19198 +fips_sha_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
19199 +fips_sha_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
19200 +fips_sha_selftest.o: ../../include/openssl/lhash.h
19201 +fips_sha_selftest.o: ../../include/openssl/obj_mac.h
19202 +fips_sha_selftest.o: ../../include/openssl/objects.h
19203 +fips_sha_selftest.o: ../../include/openssl/opensslconf.h
19204 +fips_sha_selftest.o: ../../include/openssl/opensslv.h
19205 +fips_sha_selftest.o: ../../include/openssl/ossl_typ.h
19206 +fips_sha_selftest.o: ../../include/openssl/safestack.h
19207 +fips_sha_selftest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
19208 +fips_sha_selftest.o: ../../include/openssl/symhacks.h fips_sha_selftest.c
19209 diff -up openssl-1.0.1b/crypto/hmac/hmac.c.fips openssl-1.0.1b/crypto/hmac/hmac.c
19210 --- openssl-1.0.1b/crypto/hmac/hmac.c.fips 2011-06-12 17:07:26.000000000 +0200
19211 +++ openssl-1.0.1b/crypto/hmac/hmac.c 2012-04-26 18:00:51.409769496 +0200
19212 @@ -81,11 +81,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
19213 EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS);
19216 - /* Other algorithm blocking will be done in FIPS_cmac_init,
19217 - * via FIPS_hmac_init_ex().
19219 - if (!impl && !ctx->i_ctx.engine)
19220 - return FIPS_hmac_init_ex(ctx, key, len, md, NULL);
19224 @@ -99,6 +94,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
19228 +#ifdef OPENSSL_FIPS
19229 + if (FIPS_mode() && !(md->flags & EVP_MD_FLAG_FIPS)
19230 + && (!(ctx->md_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
19231 + || !(ctx->i_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
19232 + || !(ctx->o_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))
19236 j=EVP_MD_block_size(md);
19237 OPENSSL_assert(j <= (int)sizeof(ctx->key));
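Review bot: The FIPS rejection added at `FIPS_mode() && !(md->flags & EVP_MD_FLAG_FIPS)` should say why HMAC_Init_ex refused the digest; the statement executed when the condition holds is on a line not shown here, and if it is a bare `return 0;` a caller cannot tell a FIPS refusal from a missing key or digest. Queue `EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS);` before returning, matching the branch that this file's first hunk keeps near the top of the function. Note also that the test demands EVP_MD_CTX_FLAG_NON_FIPS_ALLOW on all three of md_ctx, i_ctx and o_ctx, so a caller that sets the flag through only one of them is still refused; a one-line comment stating that intent would stop the next reader from treating the OR chain as a typo. HMAC_Init_ex starts outside this hunk.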
19238 @@ -155,10 +157,6 @@ int HMAC_Init(HMAC_CTX *ctx, const void
19240 int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
19242 -#ifdef OPENSSL_FIPS
19243 - if (FIPS_mode() && !ctx->i_ctx.engine)
19244 - return FIPS_hmac_update(ctx, data, len);
19246 return EVP_DigestUpdate(&ctx->md_ctx,data,len);
19249 @@ -166,10 +164,6 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned c
19252 unsigned char buf[EVP_MAX_MD_SIZE];
19253 -#ifdef OPENSSL_FIPS
19254 - if (FIPS_mode() && !ctx->i_ctx.engine)
19255 - return FIPS_hmac_final(ctx, md, len);
19258 if (!EVP_DigestFinal_ex(&ctx->md_ctx,buf,&i))
19260 @@ -209,13 +203,6 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_C
19262 void HMAC_CTX_cleanup(HMAC_CTX *ctx)
19264 -#ifdef OPENSSL_FIPS
19265 - if (FIPS_mode() && !ctx->i_ctx.engine)
19267 - FIPS_hmac_ctx_cleanup(ctx);
19271 EVP_MD_CTX_cleanup(&ctx->i_ctx);
19272 EVP_MD_CTX_cleanup(&ctx->o_ctx);
19273 EVP_MD_CTX_cleanup(&ctx->md_ctx);
19274 diff -up openssl-1.0.1b/crypto/md2/md2_dgst.c.fips openssl-1.0.1b/crypto/md2/md2_dgst.c
19275 --- openssl-1.0.1b/crypto/md2/md2_dgst.c.fips 2011-06-01 15:39:43.000000000 +0200
19276 +++ openssl-1.0.1b/crypto/md2/md2_dgst.c 2012-04-26 18:00:51.409769496 +0200
19278 #include <openssl/md2.h>
19279 #include <openssl/opensslv.h>
19280 #include <openssl/crypto.h>
19281 +#ifdef OPENSSL_FIPS
19282 +#include <openssl/fips.h>
19285 +#include <openssl/err.h>
19287 const char MD2_version[]="MD2" OPENSSL_VERSION_PTEXT;
19289 @@ -116,7 +121,7 @@ const char *MD2_options(void)
19290 return("md2(int)");
19294 +nonfips_md_init(MD2)
19297 memset(c->state,0,sizeof c->state);
19298 diff -up openssl-1.0.1b/crypto/md4/md4_dgst.c.fips openssl-1.0.1b/crypto/md4/md4_dgst.c
19299 --- openssl-1.0.1b/crypto/md4/md4_dgst.c.fips 2011-06-01 15:39:43.000000000 +0200
19300 +++ openssl-1.0.1b/crypto/md4/md4_dgst.c 2012-04-26 18:00:51.409769496 +0200
19301 @@ -71,7 +71,7 @@ const char MD4_version[]="MD4" OPENSSL_V
19302 #define INIT_DATA_C (unsigned long)0x98badcfeL
19303 #define INIT_DATA_D (unsigned long)0x10325476L
19306 +nonfips_md_init(MD4)
19308 memset (c,0,sizeof(*c));
19310 diff -up openssl-1.0.1b/crypto/md5/md5_dgst.c.fips openssl-1.0.1b/crypto/md5/md5_dgst.c
19311 --- openssl-1.0.1b/crypto/md5/md5_dgst.c.fips 2011-06-01 15:39:43.000000000 +0200
19312 +++ openssl-1.0.1b/crypto/md5/md5_dgst.c 2012-04-26 18:00:51.409769496 +0200
19313 @@ -71,7 +71,7 @@ const char MD5_version[]="MD5" OPENSSL_V
19314 #define INIT_DATA_C (unsigned long)0x98badcfeL
19315 #define INIT_DATA_D (unsigned long)0x10325476L
19318 +nonfips_md_init(MD5)
19320 memset (c,0,sizeof(*c));
19322 diff -up openssl-1.0.1b/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.1b/crypto/mdc2/mdc2dgst.c
19323 --- openssl-1.0.1b/crypto/mdc2/mdc2dgst.c.fips 2011-06-01 15:39:44.000000000 +0200
19324 +++ openssl-1.0.1b/crypto/mdc2/mdc2dgst.c 2012-04-26 18:00:51.691775656 +0200
19326 *((c)++)=(unsigned char)(((l)>>24L)&0xff))
19328 static void mdc2_body(MDC2_CTX *c, const unsigned char *in, size_t len);
19329 -fips_md_init(MDC2)
19330 +nonfips_md_init(MDC2)
19334 diff -up openssl-1.0.1b/crypto/o_init.c.fips openssl-1.0.1b/crypto/o_init.c
19335 --- openssl-1.0.1b/crypto/o_init.c.fips 2011-05-26 16:19:19.000000000 +0200
19336 +++ openssl-1.0.1b/crypto/o_init.c 2012-04-26 18:00:51.696775766 +0200
19337 @@ -55,28 +55,63 @@
19339 #include <openssl/err.h>
19340 #ifdef OPENSSL_FIPS
19341 +#include <sys/types.h>
19342 +#include <sys/stat.h>
19343 +#include <fcntl.h>
19344 +#include <unistd.h>
19345 +#include <errno.h>
19346 +#include <stdlib.h>
19347 #include <openssl/fips.h>
19348 #include <openssl/rand.h>
19350 +#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
19352 +static void init_fips_mode(void)
19354 + char buf[2] = "0";
19357 + if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
19361 + else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
19363 + while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
19366 + /* Failure reading the fips mode switch file means just not
19367 + * switching into FIPS mode. We would break too many things
19371 + if (buf[0] == '1')
19373 + FIPS_mode_set(1);
19378 /* Perform any essential OpenSSL initialization operations.
19379 * Currently only sets FIPS callbacks
19382 -void OPENSSL_init(void)
19383 +void OPENSSL_init_library(void)
19385 static int done = 0;
19389 #ifdef OPENSSL_FIPS
19390 - FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock);
19391 - FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);
19392 - FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);
19394 + init_fips_mode();
19397 fprintf(stderr, "Called OPENSSL_init\n");
19401 +void OPENSSL_init(void)
19403 + OPENSSL_init_library();
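Review bot: The result of `FIPS_mode_set(1)` in init_fips_mode is discarded, so when the kernel switch file reads `1` but the self-tests fail, the process silently carries on in non-FIPS mode — the opposite of what the system policy asked for. At minimum capture the result, e.g. `if (!FIPS_mode_set(1))` followed by a diagnostic on stderr or the error queue, and decide explicitly whether the library should refuse to operate in that case. The `getenv("OPENSSL_FORCE_FIPS_MODE")` lookup is also honoured in set-user-ID processes, where the environment comes from an unprivileged caller; a secure_getenv()-style lookup that ignores the variable when AT_SECURE is set would keep such a caller from altering the library's algorithm policy. The close of the descriptor opened from FIPS_MODE_SWITCH_FILE is not visible in this chunk; confirm it is among the lines not shown.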
19405 diff -up openssl-1.0.1b/crypto/opensslconf.h.in.fips openssl-1.0.1b/crypto/opensslconf.h.in
19406 --- openssl-1.0.1b/crypto/opensslconf.h.in.fips 2005-12-16 11:37:23.000000000 +0100
19407 +++ openssl-1.0.1b/crypto/opensslconf.h.in 2012-04-26 18:00:51.702775897 +0200
19409 /* crypto/opensslconf.h.in */
19411 +#ifdef OPENSSL_DOING_MAKEDEPEND
19413 +/* Include any symbols here that have to be explicitly set to enable a feature
19414 + * that should be visible to makedepend.
19416 + * [Our "make depend" doesn't actually look at this, we use actual build settings
19417 + * instead; we want to make it easy to remove subdirectories with disabled algorithms.]
19420 +#ifndef OPENSSL_FIPS
19421 +#define OPENSSL_FIPS
19426 /* Generate 80386 code? */
19429 diff -up openssl-1.0.1b/crypto/pkcs12/p12_crt.c.fips openssl-1.0.1b/crypto/pkcs12/p12_crt.c
19430 --- openssl-1.0.1b/crypto/pkcs12/p12_crt.c.fips 2009-03-09 14:08:04.000000000 +0100
19431 +++ openssl-1.0.1b/crypto/pkcs12/p12_crt.c 2012-04-26 18:00:51.708776028 +0200
19434 #include "cryptlib.h"
19435 #include <openssl/pkcs12.h>
19436 +#ifdef OPENSSL_FIPS
19437 +#include <openssl/fips.h>
19442 static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag);
19443 @@ -90,7 +94,14 @@ PKCS12 *PKCS12_create(char *pass, char *
19448 +#ifdef OPENSSL_FIPS
19450 + nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
19453 nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
19456 nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
19458 diff -up openssl-1.0.1b/crypto/rand/md_rand.c.fips openssl-1.0.1b/crypto/rand/md_rand.c
19459 --- openssl-1.0.1b/crypto/rand/md_rand.c.fips 2011-01-26 15:55:23.000000000 +0100
19460 +++ openssl-1.0.1b/crypto/rand/md_rand.c 2012-04-26 18:00:51.713776137 +0200
19461 @@ -389,7 +389,10 @@ static int ssleay_rand_bytes(unsigned ch
19462 CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
19463 crypto_lock_rand = 1;
19465 - if (!initialized)
19466 + /* always poll for external entropy in FIPS mode, drbg provides the
19469 + if (!initialized || FIPS_module_mode())
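Review bot: `FIPS_module_mode()` in the new condition is called without a visible `#ifdef OPENSSL_FIPS` guard, while the rest of this patch wraps every FIPS-only symbol in one (see the o_init.c and p12_crt.c sections); unless a guard sits on a line not shown here, a build without OPENSSL_FIPS gets an implicit declaration and an unresolved symbol in ssleay_rand_bytes. Either guard the call or provide a fallback such as `#define FIPS_module_mode() 0` under `#ifndef OPENSSL_FIPS` next to the file's includes. ssleay_rand_bytes starts and ends outside the hunk.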
19473 diff -up openssl-1.0.1b/crypto/rand/rand.h.fips openssl-1.0.1b/crypto/rand/rand.h
19474 --- openssl-1.0.1b/crypto/rand/rand.h.fips 2012-04-26 18:00:50.809756388 +0200
19475 +++ openssl-1.0.1b/crypto/rand/rand.h 2012-04-26 18:00:51.714776159 +0200
19476 @@ -133,15 +133,33 @@ void ERR_load_RAND_strings(void);
19477 /* Error codes for the RAND functions. */
19479 /* Function codes. */
19480 +#define RAND_F_ENG_RAND_GET_RAND_METHOD 108
19481 +#define RAND_F_FIPS_RAND 103
19482 +#define RAND_F_FIPS_RAND_BYTES 102
19483 +#define RAND_F_FIPS_RAND_SET_DT 106
19484 +#define RAND_F_FIPS_X931_SET_DT 106
19485 +#define RAND_F_FIPS_SET_DT 104
19486 +#define RAND_F_FIPS_SET_PRNG_SEED 107
19487 +#define RAND_F_FIPS_SET_TEST_MODE 105
19488 #define RAND_F_RAND_GET_RAND_METHOD 101
19489 -#define RAND_F_RAND_INIT_FIPS 102
19490 +#define RAND_F_RAND_INIT_FIPS 109
19491 #define RAND_F_SSLEAY_RAND_BYTES 100
19493 /* Reason codes. */
19494 -#define RAND_R_ERROR_INITIALISING_DRBG 102
19495 -#define RAND_R_ERROR_INSTANTIATING_DRBG 103
19496 -#define RAND_R_NO_FIPS_RANDOM_METHOD_SET 101
19497 +#define RAND_R_ERROR_INITIALISING_DRBG 112
19498 +#define RAND_R_ERROR_INSTANTIATING_DRBG 113
19499 +#define RAND_R_NON_FIPS_METHOD 105
19500 +#define RAND_R_NOT_IN_TEST_MODE 106
19501 +#define RAND_R_NO_FIPS_RANDOM_METHOD_SET 111
19502 +#define RAND_R_NO_KEY_SET 107
19503 +#define RAND_R_PRNG_ASKING_FOR_TOO_MUCH 101
19504 +#define RAND_R_PRNG_ERROR 108
19505 +#define RAND_R_PRNG_KEYED 109
19506 +#define RAND_R_PRNG_NOT_REKEYED 102
19507 +#define RAND_R_PRNG_NOT_RESEEDED 103
19508 #define RAND_R_PRNG_NOT_SEEDED 100
19509 +#define RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY 110
19510 +#define RAND_R_PRNG_STUCK 104
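Review bot: `RAND_F_FIPS_RAND_SET_DT` and `RAND_F_FIPS_X931_SET_DT` are both defined as 106, so the two function codes collide and the function-name string for one of them can never be reported, whichever entry the error-string table carries for 106. Give one of them an unused value (109 is the highest function code now in use, so e.g. `#define RAND_F_FIPS_X931_SET_DT 110`) and update the matching ERR_STRING_DATA entry. Renumbering `RAND_F_RAND_INIT_FIPS` from 102 to 109 and the reason codes (e.g. RAND_R_NO_FIPS_RANDOM_METHOD_SET from 101 to 111) also changes numeric errors that existing callers or log parsers may match on; a comment noting that these codes are regenerated from the FIPS module's tables would explain the churn.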
19514 diff -up openssl-1.0.1b/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.1b/crypto/ripemd/rmd_dgst.c
19515 --- openssl-1.0.1b/crypto/ripemd/rmd_dgst.c.fips 2011-06-01 15:39:44.000000000 +0200
19516 +++ openssl-1.0.1b/crypto/ripemd/rmd_dgst.c 2012-04-26 18:00:51.715776181 +0200
19517 @@ -70,7 +70,7 @@ const char RMD160_version[]="RIPE-MD160"
19518 void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,size_t num);
19521 -fips_md_init(RIPEMD160)
19522 +nonfips_md_init(RIPEMD160)
19524 memset (c,0,sizeof(*c));
19526 diff -up openssl-1.0.1b/crypto/rsa/rsa_crpt.c.fips openssl-1.0.1b/crypto/rsa/rsa_crpt.c
19527 --- openssl-1.0.1b/crypto/rsa/rsa_crpt.c.fips 2011-06-02 20:22:42.000000000 +0200
19528 +++ openssl-1.0.1b/crypto/rsa/rsa_crpt.c 2012-04-26 18:00:51.715776181 +0200
19529 @@ -90,10 +90,9 @@ int RSA_private_encrypt(int flen, const
19530 RSA *rsa, int padding)
19532 #ifdef OPENSSL_FIPS
19533 - if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
19534 - && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
19535 + if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
19537 - RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
19538 + RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
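Review bot: The rewritten check refuses every RSA_private_encrypt call in FIPS mode unless the key carries RSA_FLAG_NON_FIPS_ALLOW, where the old test only refused non-FIPS RSA_METHODs; the second hunk of this file makes the same change to RSA_public_decrypt. Any caller that builds PKCS#1 signing on top of RSA_private_encrypt (RSA_sign() and RSA_verify() in this tree, if they still reach it that way rather than through a change in a file outside this chunk) will now fail with RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE in FIPS mode, so the patch needs either the corresponding rsa_sign.c change or a comment stating that raw private-key operations are intentionally blocked. As a point of style, `if(FIPS_mode()` drops the space the surrounding file uses after `if`.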
19542 @@ -118,10 +117,9 @@ int RSA_public_decrypt(int flen, const u
19543 RSA *rsa, int padding)
19545 #ifdef OPENSSL_FIPS
19546 - if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
19547 - && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
19548 + if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
19550 - RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
19551 + RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
19555 diff -up openssl-1.0.1b/crypto/rsa/rsa_eay.c.fips openssl-1.0.1b/crypto/rsa/rsa_eay.c
19556 --- openssl-1.0.1b/crypto/rsa/rsa_eay.c.fips 2011-10-19 16:58:59.000000000 +0200
19557 +++ openssl-1.0.1b/crypto/rsa/rsa_eay.c 2012-04-26 18:00:51.716776203 +0200
19558 @@ -114,6 +114,10 @@
19559 #include <openssl/bn.h>
19560 #include <openssl/rsa.h>
19561 #include <openssl/rand.h>
19562 +#include <openssl/err.h>
19563 +#ifdef OPENSSL_FIPS
19564 +#include <openssl/fips.h>
19569 @@ -138,7 +142,7 @@ static RSA_METHOD rsa_pkcs1_eay_meth={
19570 BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */
19574 + RSA_FLAG_FIPS_METHOD, /* flags */
19577 0, /* rsa_verify */
19578 @@ -158,6 +162,24 @@ static int RSA_eay_public_encrypt(int fl
19579 unsigned char *buf=NULL;
19582 +#ifdef OPENSSL_FIPS
19585 + if (FIPS_selftest_failed())
19587 + FIPSerr(FIPS_F_RSA_EAY_PUBLIC_ENCRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
19591 + if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
19592 + && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
19594 + RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
19600 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
19602 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
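Review bot: The minimum-modulus rejection `if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))` is gated only on the per-key flag, not on whether FIPS mode is active at run time, so in a library built with OPENSSL_FIPS every RSA operation on a shorter key fails with RSA_R_KEY_SIZE_TOO_SMALL even when FIPS mode is off — unless an enclosing `if (FIPS_mode())` sits on one of the lines not shown. The same pattern is repeated in the RSA_eay_private_encrypt, RSA_eay_private_decrypt and RSA_eay_public_decrypt hunks of this file, whereas the rsa_crpt.c hunks in this patch do condition their checks on `FIPS_mode()`. Suggested form for each: `if (FIPS_module_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)`, mirroring md_rand.c's use of FIPS_module_mode(). Each of these functions starts before and ends after its hunk.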
19603 @@ -361,6 +383,24 @@ static int RSA_eay_private_encrypt(int f
19604 BIGNUM *unblind = NULL;
19605 BN_BLINDING *blinding = NULL;
19607 +#ifdef OPENSSL_FIPS
19610 + if(FIPS_selftest_failed())
19612 + FIPSerr(FIPS_F_RSA_EAY_PRIVATE_ENCRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
19616 + if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
19617 + && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
19619 + RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
19625 if ((ctx=BN_CTX_new()) == NULL) goto err;
19627 f = BN_CTX_get(ctx);
19628 @@ -504,6 +544,24 @@ static int RSA_eay_private_decrypt(int f
19629 BIGNUM *unblind = NULL;
19630 BN_BLINDING *blinding = NULL;
19632 +#ifdef OPENSSL_FIPS
19635 + if(FIPS_selftest_failed())
19637 + FIPSerr(FIPS_F_RSA_EAY_PRIVATE_DECRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
19641 + if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
19642 + && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
19644 + RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
19650 if((ctx = BN_CTX_new()) == NULL) goto err;
19652 f = BN_CTX_get(ctx);
19653 @@ -639,6 +697,24 @@ static int RSA_eay_public_decrypt(int fl
19654 unsigned char *buf=NULL;
19657 +#ifdef OPENSSL_FIPS
19660 + if(FIPS_selftest_failed())
19662 + FIPSerr(FIPS_F_RSA_EAY_PUBLIC_DECRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
19666 + if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
19667 + && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
19669 + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
19675 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
19677 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
19678 @@ -847,12 +923,12 @@ static int RSA_eay_mod_exp(BIGNUM *r0, c
19679 if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;
19681 /* If p < q it is occasionally possible for the correction of
19682 - * adding 'p' if r0 is negative above to leave the result still
19683 + * adding 'p' if r0 is negative above to leave the result still
19684 * negative. This can break the private key operations: the following
19685 * second correction should *always* correct this rare occurrence.
19686 * This will *never* happen with OpenSSL generated keys because
19687 - * they ensure p > q [steve]
19689 + * they ensure p > q [steve]
19691 if (BN_is_negative(r0))
19692 if (!BN_add(r0,r0,rsa->p)) goto err;
19693 if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;
19694 @@ -897,6 +973,9 @@ err:
19696 static int RSA_eay_init(RSA *rsa)
19698 +#ifdef OPENSSL_FIPS
19699 + FIPS_selftest_check();
19701 rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
19704 diff -up openssl-1.0.1b/crypto/rsa/rsa_err.c.fips openssl-1.0.1b/crypto/rsa/rsa_err.c
19705 --- openssl-1.0.1b/crypto/rsa/rsa_err.c.fips 2011-10-10 01:13:50.000000000 +0200
19706 +++ openssl-1.0.1b/crypto/rsa/rsa_err.c 2012-04-26 18:00:51.717776225 +0200
19707 @@ -121,6 +121,8 @@ static ERR_STRING_DATA RSA_str_functs[]=
19708 {ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"},
19709 {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"},
19710 {ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"},
19711 +{ERR_FUNC(RSA_F_RSA_SET_DEFAULT_METHOD), "RSA_set_default_method"},
19712 +{ERR_FUNC(RSA_F_RSA_SET_METHOD), "RSA_set_method"},
19713 {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"},
19714 {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"},
19715 {ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"},
19716 diff -up openssl-1.0.1b/crypto/rsa/rsa_gen.c.fips openssl-1.0.1b/crypto/rsa/rsa_gen.c
19717 --- openssl-1.0.1b/crypto/rsa/rsa_gen.c.fips 2011-06-09 15:18:07.000000000 +0200
19718 +++ openssl-1.0.1b/crypto/rsa/rsa_gen.c 2012-04-26 18:00:51.718776246 +0200
19720 #include <openssl/rsa.h>
19721 #ifdef OPENSSL_FIPS
19722 #include <openssl/fips.h>
19723 +#include <openssl/err.h>
19724 +#include <openssl/evp.h>
19726 +static int fips_rsa_pairwise_fail = 0;
19728 +void FIPS_corrupt_rsa_keygen(void)
19730 + fips_rsa_pairwise_fail = 1;
19733 +int fips_check_rsa(RSA *rsa)
19735 + const unsigned char tbs[] = "RSA Pairwise Check Data";
19736 + unsigned char *ctbuf = NULL, *ptbuf = NULL;
19737 + int len, ret = 0;
19740 + if ((pk=EVP_PKEY_new()) == NULL)
19743 + EVP_PKEY_set1_RSA(pk, rsa);
19745 + /* Perform pairwise consistency signature test */
19746 + if (!fips_pkey_signature_test(pk, tbs, -1,
19747 + NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1, NULL)
19748 + || !fips_pkey_signature_test(pk, tbs, -1,
19749 + NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931, NULL)
19750 + || !fips_pkey_signature_test(pk, tbs, -1,
19751 + NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS, NULL))
19753 + /* Now perform pairwise consistency encrypt/decrypt test */
19754 + ctbuf = OPENSSL_malloc(RSA_size(rsa));
19758 + len = RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa, RSA_PKCS1_PADDING);
19761 + /* Check ciphertext doesn't match plaintext */
19762 + if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len))
19764 + ptbuf = OPENSSL_malloc(RSA_size(rsa));
19768 + len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
19769 + if (len != (sizeof(tbs) - 1))
19771 + if (memcmp(ptbuf, tbs, len))
19782 + fips_set_selftest_fail();
19783 + FIPSerr(FIPS_F_FIPS_CHECK_RSA,FIPS_R_PAIRWISE_TEST_FAILED);
19787 + OPENSSL_free(ctbuf);
19789 + OPENSSL_free(ptbuf);
19791 + EVP_PKEY_free(pk);
19797 static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
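Review bot: The "ciphertext doesn't match plaintext" guard in fips_check_rsa is effectively dead code: `len` is the RSA_public_encrypt output length, i.e. RSA_size(rsa), which for any key passing the 1024-bit floor is far larger than `sizeof(tbs) - 1`, so the `len == (sizeof(tbs) - 1)` pre-condition is never true and the `memcmp` is never evaluated; only the decrypt round-trip that follows actually verifies anything. Either compare the first `sizeof(tbs) - 1` bytes without the length pre-condition or mark the check as vestigial with a comment. The `EVP_PKEY_set1_RSA(pk, rsa)` return value is also unchecked, and the lines the rendered view omits after each `OPENSSL_malloc` presumably hold the NULL checks — please confirm. Minor: `len == (sizeof(tbs) - 1)` compares a signed `int` with a `size_t`.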
19798 @@ -81,7 +153,7 @@ static int rsa_builtin_keygen(RSA *rsa,
19799 int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
19801 #ifdef OPENSSL_FIPS
19802 - if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
19803 + if (FIPS_module_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
19804 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
19806 RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
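Review bot: This hunk switches the gate in RSA_generate_key_ex to `FIPS_module_mode()` while the rsa_lib.c hunks in the same patch (RSA_set_default_method, RSA_set_method, RSA_new_method) keep testing `FIPS_mode()`; if the two predicates can differ (their definitions are not in view), key generation and method selection are governed by different states. That deserves a one-line comment at this site such as `/* FIPS_module_mode(): module-level FIPS state, distinct from FIPS_mode() */` with the actual distinction filled in. If they are aliases, using one name throughout would remove the question.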
19807 @@ -90,10 +162,6 @@ int RSA_generate_key_ex(RSA *rsa, int bi
19809 if(rsa->meth->rsa_keygen)
19810 return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
19811 -#ifdef OPENSSL_FIPS
19813 - return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb);
19815 return rsa_builtin_keygen(rsa, bits, e_value, cb);
19818 @@ -105,6 +173,23 @@ static int rsa_builtin_keygen(RSA *rsa,
19819 int bitsp,bitsq,ok= -1,n=0;
19822 +#ifdef OPENSSL_FIPS
19823 + if (FIPS_module_mode())
19825 + if(FIPS_selftest_failed())
19827 + FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_FIPS_SELFTEST_FAILED);
19831 + if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)
19833 + FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_KEY_TOO_SHORT);
19840 if (ctx == NULL) goto err;
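Review bot: The `bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS` rejection in rsa_builtin_keygen has no `RSA_FLAG_NON_FIPS_ALLOW` escape, unlike the method check in RSA_generate_key_ex just above and the modulus checks added to rsa_eay.c, so in FIPS mode a key flagged NON_FIPS_ALLOW can be used below 1024 bits but never generated there. If that asymmetry is intended, say so: `/* no NON_FIPS_ALLOW exemption: FIPS-mode keygen never produces keys below the FIPS floor */`. The view omits the lines after each `FIPSerr(...)`, which I assume carry the `return 0;`; the function continues outside the hunk.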
19842 @@ -216,6 +301,17 @@ static int rsa_builtin_keygen(RSA *rsa,
19844 if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err;
19846 +#ifdef OPENSSL_FIPS
19847 + if (FIPS_module_mode())
19849 + if (fips_rsa_pairwise_fail)
19850 + BN_add_word(rsa->n, 1);
19852 + if(!fips_check_rsa(rsa))
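Review bot: `fips_rsa_pairwise_fail` is a file-scope flag that the exported `FIPS_corrupt_rsa_keygen()` sets and nothing visible ever clears, so once set every subsequent FIPS-mode key generation corrupts `n` here and, through fips_check_rsa, calls `fips_set_selftest_fail()`; that looks like the intended operational-test hook, but it should be documented at the declaration in the first hunk, e.g. `/* test hook: set by FIPS_corrupt_rsa_keygen(), never reset; forces the pairwise test to fail */`. `BN_add_word(rsa->n, 1)` also discards its return value. The `goto err` after the `fips_check_rsa` call is outside the visible lines, so I am assuming a failed pairwise check aborts key generation.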
19860 diff -up openssl-1.0.1b/crypto/rsa/rsa.h.fips openssl-1.0.1b/crypto/rsa/rsa.h
19861 --- openssl-1.0.1b/crypto/rsa/rsa.h.fips 2012-04-26 18:00:51.140763619 +0200
19862 +++ openssl-1.0.1b/crypto/rsa/rsa.h 2012-04-26 18:00:51.718776246 +0200
19863 @@ -164,6 +164,8 @@ struct rsa_st
19864 # define OPENSSL_RSA_MAX_MODULUS_BITS 16384
19867 +#define OPENSSL_RSA_FIPS_MIN_MODULUS_BITS 1024
19869 #ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
19870 # define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
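Review bot: `OPENSSL_RSA_FIPS_MIN_MODULUS_BITS` is added without the `#ifndef` override guard its neighbours use and without a comment on what the 1024 floor means. Since both the rsa_eay.c operation checks and rsa_builtin_keygen consult it, a line such as `/* smallest modulus accepted for FIPS-mode operations and key generation */` would help readers of the header.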
19872 @@ -290,6 +292,11 @@ RSA * RSA_generate_key(int bits, unsigne
19875 int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
19876 +int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
19877 + const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp,
19878 + const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq,
19879 + const BIGNUM *e, BN_GENCB *cb);
19880 +int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, BN_GENCB *cb);
19882 int RSA_check_key(const RSA *);
19883 /* next 4 return -1 on error */
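Review bot: The new public prototypes `RSA_X931_derive_ex` and `RSA_X931_generate_key_ex` are added without any comment, so a header reader cannot tell their return convention (the "next 4 return -1 on error" comment below applies only to the functions that follow it), which of `p1, p2, q1, q2` are outputs, or who owns them. A short block comment above `RSA_X931_derive_ex` stating the return values and which parameters are written would match the rest of this header.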
19884 @@ -487,7 +494,7 @@ void ERR_load_RSA_strings(void);
19885 #define RSA_F_RSA_PADDING_ADD_NONE 107
19886 #define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121
19887 #define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125
19888 -#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 148
19889 +#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 158
19890 #define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108
19891 #define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109
19892 #define RSA_F_RSA_PADDING_ADD_SSLV23 110
19893 @@ -500,20 +507,22 @@ void ERR_load_RSA_strings(void);
19894 #define RSA_F_RSA_PADDING_CHECK_X931 128
19895 #define RSA_F_RSA_PRINT 115
19896 #define RSA_F_RSA_PRINT_FP 116
19897 -#define RSA_F_RSA_PRIVATE_DECRYPT 150
19898 -#define RSA_F_RSA_PRIVATE_ENCRYPT 151
19899 +#define RSA_F_RSA_PRIVATE_DECRYPT 157
19900 +#define RSA_F_RSA_PRIVATE_ENCRYPT 148
19901 #define RSA_F_RSA_PRIV_DECODE 137
19902 #define RSA_F_RSA_PRIV_ENCODE 138
19903 -#define RSA_F_RSA_PUBLIC_DECRYPT 152
19904 +#define RSA_F_RSA_PUBLIC_DECRYPT 149
19905 #define RSA_F_RSA_PUBLIC_ENCRYPT 153
19906 #define RSA_F_RSA_PUB_DECODE 139
19907 #define RSA_F_RSA_SETUP_BLINDING 136
19908 +#define RSA_F_RSA_SET_DEFAULT_METHOD 150
19909 +#define RSA_F_RSA_SET_METHOD 151
19910 #define RSA_F_RSA_SIGN 117
19911 #define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
19912 #define RSA_F_RSA_VERIFY 119
19913 #define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120
19914 #define RSA_F_RSA_VERIFY_PKCS1_PSS 126
19915 -#define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 149
19916 +#define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 152
19918 /* Reason codes. */
19919 #define RSA_R_ALGORITHM_MISMATCH 100
19920 @@ -542,21 +551,22 @@ void ERR_load_RSA_strings(void);
19921 #define RSA_R_INVALID_MGF1_MD 156
19922 #define RSA_R_INVALID_PADDING 138
19923 #define RSA_R_INVALID_PADDING_MODE 141
19924 -#define RSA_R_INVALID_PSS_PARAMETERS 149
19925 +#define RSA_R_INVALID_PSS_PARAMETERS 157
19926 #define RSA_R_INVALID_PSS_SALTLEN 146
19927 -#define RSA_R_INVALID_SALT_LENGTH 150
19928 +#define RSA_R_INVALID_SALT_LENGTH 158
19929 #define RSA_R_INVALID_TRAILER 139
19930 #define RSA_R_INVALID_X931_DIGEST 142
19931 #define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
19932 #define RSA_R_KEY_SIZE_TOO_SMALL 120
19933 #define RSA_R_LAST_OCTET_INVALID 134
19934 #define RSA_R_MODULUS_TOO_LARGE 105
19935 -#define RSA_R_NON_FIPS_RSA_METHOD 157
19936 +#define RSA_R_NON_FIPS_RSA_METHOD 149
19937 +#define RSA_R_NON_FIPS_METHOD 149
19938 #define RSA_R_NO_PUBLIC_EXPONENT 140
19939 #define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
19940 #define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
19941 #define RSA_R_OAEP_DECODING_ERROR 121
19942 -#define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 158
19943 +#define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 150
19944 #define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
19945 #define RSA_R_PADDING_CHECK_FAILED 114
19946 #define RSA_R_P_NOT_PRIME 128
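Review bot: `RSA_R_NON_FIPS_RSA_METHOD` and `RSA_R_NON_FIPS_METHOD` are both defined as 149, so the error-string table can hold only one text for that number and `ERR_GET_REASON` cannot distinguish the cases raised in rsa_lib.c from those in rsa_gen.c; either give the new name its own number or make the alias explicit, `#define RSA_R_NON_FIPS_METHOD RSA_R_NON_FIPS_RSA_METHOD`. This hunk and the two function-code hunks above also renumber codes that already exist in a public header (e.g. `RSA_F_RSA_PRIVATE_DECRYPT` 150→157, `RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE` 158→150), which changes the values seen by anything compiled against the old header that matches on `ERR_GET_FUNC`/`ERR_GET_REASON`. If that is accepted, a comment noting the renumbering would help packagers.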
19947 diff -up openssl-1.0.1b/crypto/rsa/rsa_lib.c.fips openssl-1.0.1b/crypto/rsa/rsa_lib.c
19948 --- openssl-1.0.1b/crypto/rsa/rsa_lib.c.fips 2011-06-20 21:41:13.000000000 +0200
19949 +++ openssl-1.0.1b/crypto/rsa/rsa_lib.c 2012-04-26 18:00:51.719776267 +0200
19950 @@ -84,6 +84,13 @@ RSA *RSA_new(void)
19952 void RSA_set_default_method(const RSA_METHOD *meth)
19954 +#ifdef OPENSSL_FIPS
19955 + if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD))
19957 + RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_METHOD);
19961 default_RSA_meth = meth;
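Review bot: `RSA_set_default_method` is `void`, so when the new FIPS-mode check rejects a non-FIPS method the caller receives no status; the default silently stays as it was and only an error-queue entry records the refusal, which callers of a `void` setter rarely inspect. A comment at the site, `/* rejected: default method left unchanged, failure recorded on the error queue only */`, would at least make that explicit, while the equivalent check in RSA_set_method below can and presumably does return 0. The lines the view omits after `RSAerr` presumably carry the `return`; please confirm. RSA_new_method's rejection in the later hunk frees the partially built object, which reads consistently with the existing engine-failure path.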
19964 @@ -91,18 +98,11 @@ const RSA_METHOD *RSA_get_default_method
19966 if (default_RSA_meth == NULL)
19968 -#ifdef OPENSSL_FIPS
19970 - return FIPS_rsa_pkcs1_ssleay();
19972 - return RSA_PKCS1_SSLeay();
19975 default_RSA_meth=RSA_null_method();
19977 default_RSA_meth=RSA_PKCS1_SSLeay();
19982 return default_RSA_meth;
19983 @@ -118,6 +118,13 @@ int RSA_set_method(RSA *rsa, const RSA_M
19984 /* NB: The caller is specifically setting a method, so it's not up to us
19985 * to deal with which ENGINE it comes from. */
19986 const RSA_METHOD *mtmp;
19987 +#ifdef OPENSSL_FIPS
19988 + if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD))
19990 + RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_METHOD);
19995 if (mtmp->finish) mtmp->finish(rsa);
19996 #ifndef OPENSSL_NO_ENGINE
19997 @@ -170,6 +177,18 @@ RSA *RSA_new_method(ENGINE *engine)
20001 +#ifdef OPENSSL_FIPS
20002 + if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD))
20004 + RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_METHOD);
20005 +#ifndef OPENSSL_NO_ENGINE
20007 + ENGINE_finish(ret->engine);
20009 + OPENSSL_free(ret);
20016 @@ -188,7 +207,7 @@ RSA *RSA_new_method(ENGINE *engine)
20017 ret->blinding=NULL;
20018 ret->mt_blinding=NULL;
20019 ret->bignum_data=NULL;
20020 - ret->flags=ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
20021 + ret->flags=ret->meth->flags;
20022 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data))
20024 #ifndef OPENSSL_NO_ENGINE
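Review bot: Dropping `& ~RSA_FLAG_NON_FIPS_ALLOW` means any `RSA_METHOD` carrying that flag now stamps it onto every key it creates, and that flag is exactly what the rsa_eay.c hunks earlier in this patch use to waive the 1024-bit floor; the exemption therefore moves from a per-key, caller-set decision to a per-method one. If the built-in method is meant to carry it outside FIPS mode, state that here, `/* method flags, including RSA_FLAG_NON_FIPS_ALLOW, propagate to the key */`. Engine-supplied methods that set the flag inherit the waiver too and are worth an explicit look.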
20025 diff -up openssl-1.0.1b/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.1b/crypto/rsa/rsa_pmeth.c
20026 --- openssl-1.0.1b/crypto/rsa/rsa_pmeth.c.fips 2012-02-15 15:14:01.000000000 +0100
20027 +++ openssl-1.0.1b/crypto/rsa/rsa_pmeth.c 2012-04-26 18:00:51.720776289 +0200
20028 @@ -206,22 +206,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c
20029 RSA_R_INVALID_DIGEST_LENGTH);
20032 -#ifdef OPENSSL_FIPS
20035 - unsigned int slen;
20036 - ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
20049 if (EVP_MD_type(rctx->md) == NID_mdc2)
20051 @@ -354,19 +338,6 @@ static int pkey_rsa_verify(EVP_PKEY_CTX
20055 -#ifdef OPENSSL_FIPS
20058 - return FIPS_rsa_verify_digest(rsa,
20068 if (rctx->pad_mode == RSA_PKCS1_PADDING)
20069 return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
20071 diff -up openssl-1.0.1b/crypto/rsa/rsa_sign.c.fips openssl-1.0.1b/crypto/rsa/rsa_sign.c
20072 --- openssl-1.0.1b/crypto/rsa/rsa_sign.c.fips 2012-02-15 15:00:09.000000000 +0100
20073 +++ openssl-1.0.1b/crypto/rsa/rsa_sign.c 2012-04-26 18:00:51.720776289 +0200
20074 @@ -138,7 +138,8 @@ int RSA_sign(int type, const unsigned ch
20075 i2d_X509_SIG(&sig,&p);
20078 - i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING);
20079 + /* NB: call underlying method directly to avoid FIPS blocking */
20080 + i = rsa->meth->rsa_priv_enc ? rsa->meth->rsa_priv_enc(i,s,sigret,rsa,RSA_PKCS1_PADDING) : 0;
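Review bot: Calling `rsa->meth->rsa_priv_enc` directly in RSA_sign skips everything `RSA_private_encrypt` does, not only the FIPS blocking the comment mentions, so the patch now relies on the rsa_lib.c hunks refusing non-FIPS methods at RSA_new_method/RSA_set_method time; a key whose method was set before FIPS mode was switched on would not have gone through that check, so please confirm that path. The comment should spell out what is bypassed and why it is acceptable, e.g. `/* bypass RSA_private_encrypt: its FIPS-mode restrictions do not apply to the signature path; the method's FIPS status is enforced where the method is set */`. The same direct-call pattern appears twice in int_rsa_verify below. Returning 0 when the method slot is NULL is fine because both callers treat `i <= 0` as failure, as the `if (i <= 0) goto err;` in the last hunk shows.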
20084 @@ -178,8 +179,8 @@ int int_rsa_verify(int dtype, const unsi
20086 if((dtype == NID_md5_sha1) && rm)
20088 - i = RSA_public_decrypt((int)siglen,
20089 - sigbuf,rm,rsa,RSA_PKCS1_PADDING);
20090 + i = rsa->meth->rsa_pub_dec ? rsa->meth->rsa_pub_dec((int)siglen,
20091 + sigbuf,rm,rsa,RSA_PKCS1_PADDING) : 0;
20095 @@ -196,7 +197,8 @@ int int_rsa_verify(int dtype, const unsi
20096 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH);
20099 - i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
20100 + /* NB: call underlying method directly to avoid FIPS blocking */
20101 + i = rsa->meth->rsa_pub_dec ? rsa->meth->rsa_pub_dec((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING) : 0;
20103 if (i <= 0) goto err;
20104 /* Oddball MDC2 case: signature can be OCTET STRING.
20105 diff -up openssl-1.0.1b/crypto/sha/sha256.c.fips openssl-1.0.1b/crypto/sha/sha256.c
20106 --- openssl-1.0.1b/crypto/sha/sha256.c.fips 2011-06-01 15:39:44.000000000 +0200
20107 +++ openssl-1.0.1b/crypto/sha/sha256.c 2012-04-26 18:00:51.721776312 +0200
20108 @@ -12,12 +12,19 @@
20110 #include <openssl/crypto.h>
20111 #include <openssl/sha.h>
20112 +#ifdef OPENSSL_FIPS
20113 +#include <openssl/fips.h>
20116 #include <openssl/opensslv.h>
20118 const char SHA256_version[]="SHA-256" OPENSSL_VERSION_PTEXT;
20120 fips_md_init_ctx(SHA224, SHA256)
20122 +#ifdef OPENSSL_FIPS
20123 + FIPS_selftest_check();
20125 memset (c,0,sizeof(*c));
20126 c->h[0]=0xc1059ed8UL; c->h[1]=0x367cd507UL;
20127 c->h[2]=0x3070dd17UL; c->h[3]=0xf70e5939UL;
20128 @@ -29,6 +36,9 @@ fips_md_init_ctx(SHA224, SHA256)
20130 fips_md_init(SHA256)
20132 +#ifdef OPENSSL_FIPS
20133 + FIPS_selftest_check();
20135 memset (c,0,sizeof(*c));
20136 c->h[0]=0x6a09e667UL; c->h[1]=0xbb67ae85UL;
20137 c->h[2]=0x3c6ef372UL; c->h[3]=0xa54ff53aUL;
20138 diff -up openssl-1.0.1b/crypto/sha/sha512.c.fips openssl-1.0.1b/crypto/sha/sha512.c
20139 --- openssl-1.0.1b/crypto/sha/sha512.c.fips 2011-11-14 21:58:01.000000000 +0100
20140 +++ openssl-1.0.1b/crypto/sha/sha512.c 2012-04-26 18:00:51.722776334 +0200
20142 * ====================================================================
20144 #include <openssl/opensslconf.h>
20145 +#ifdef OPENSSL_FIPS
20146 +#include <openssl/fips.h>
20149 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
20151 * IMPLEMENTATION NOTES.
20152 @@ -61,6 +65,9 @@ const char SHA512_version[]="SHA-512" OP
20154 fips_md_init_ctx(SHA384, SHA512)
20156 +#ifdef OPENSSL_FIPS
20157 + FIPS_selftest_check();
20159 c->h[0]=U64(0xcbbb9d5dc1059ed8);
20160 c->h[1]=U64(0x629a292a367cd507);
20161 c->h[2]=U64(0x9159015a3070dd17);
20162 @@ -77,6 +84,9 @@ fips_md_init_ctx(SHA384, SHA512)
20164 fips_md_init(SHA512)
20166 +#ifdef OPENSSL_FIPS
20167 + FIPS_selftest_check();
20169 c->h[0]=U64(0x6a09e667f3bcc908);
20170 c->h[1]=U64(0xbb67ae8584caa73b);
20171 c->h[2]=U64(0x3c6ef372fe94f82b);
20172 diff -up openssl-1.0.1b/crypto/sha/sha.h.fips openssl-1.0.1b/crypto/sha/sha.h
20173 --- openssl-1.0.1b/crypto/sha/sha.h.fips 2012-04-26 18:00:50.616752170 +0200
20174 +++ openssl-1.0.1b/crypto/sha/sha.h 2012-04-26 18:00:51.722776334 +0200
20175 @@ -116,9 +116,6 @@ unsigned char *SHA(const unsigned char *
20176 void SHA_Transform(SHA_CTX *c, const unsigned char *data);
20178 #ifndef OPENSSL_NO_SHA1
20179 -#ifdef OPENSSL_FIPS
20180 -int private_SHA1_Init(SHA_CTX *c);
20182 int SHA1_Init(SHA_CTX *c);
20183 int SHA1_Update(SHA_CTX *c, const void *data, size_t len);
20184 int SHA1_Final(unsigned char *md, SHA_CTX *c);
20185 @@ -141,10 +138,6 @@ typedef struct SHA256state_st
20188 #ifndef OPENSSL_NO_SHA256
20189 -#ifdef OPENSSL_FIPS
20190 -int private_SHA224_Init(SHA256_CTX *c);
20191 -int private_SHA256_Init(SHA256_CTX *c);
20193 int SHA224_Init(SHA256_CTX *c);
20194 int SHA224_Update(SHA256_CTX *c, const void *data, size_t len);
20195 int SHA224_Final(unsigned char *md, SHA256_CTX *c);
20196 @@ -192,10 +185,6 @@ typedef struct SHA512state_st
20199 #ifndef OPENSSL_NO_SHA512
20200 -#ifdef OPENSSL_FIPS
20201 -int private_SHA384_Init(SHA512_CTX *c);
20202 -int private_SHA512_Init(SHA512_CTX *c);
20204 int SHA384_Init(SHA512_CTX *c);
20205 int SHA384_Update(SHA512_CTX *c, const void *data, size_t len);
20206 int SHA384_Final(unsigned char *md, SHA512_CTX *c);
20207 diff -up openssl-1.0.1b/crypto/sha/sha_locl.h.fips openssl-1.0.1b/crypto/sha/sha_locl.h
20208 --- openssl-1.0.1b/crypto/sha/sha_locl.h.fips 2012-04-26 18:00:50.622752302 +0200
20209 +++ openssl-1.0.1b/crypto/sha/sha_locl.h 2012-04-26 18:00:51.723776356 +0200
20210 @@ -123,11 +123,14 @@ void sha1_block_data_order (SHA_CTX *c,
20211 #define INIT_DATA_h4 0xc3d2e1f0UL
20215 +nonfips_md_init(SHA)
20217 fips_md_init_ctx(SHA1, SHA)
20220 +#if defined(SHA_1) && defined(OPENSSL_FIPS)
20221 + FIPS_selftest_check();
20223 memset (c,0,sizeof(*c));
20224 c->h0=INIT_DATA_h0;
20225 c->h1=INIT_DATA_h1;
20226 diff -up openssl-1.0.1b/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.1b/crypto/whrlpool/wp_dgst.c
20227 --- openssl-1.0.1b/crypto/whrlpool/wp_dgst.c.fips 2011-06-01 15:39:45.000000000 +0200
20228 +++ openssl-1.0.1b/crypto/whrlpool/wp_dgst.c 2012-04-26 18:00:51.724776378 +0200
20230 #include <openssl/crypto.h>
20231 #include <string.h>
20233 -fips_md_init(WHIRLPOOL)
20234 +nonfips_md_init(WHIRLPOOL)
20236 memset (c,0,sizeof(*c));
20238 diff -up openssl-1.0.1b/Makefile.org.fips openssl-1.0.1b/Makefile.org
20239 --- openssl-1.0.1b/Makefile.org.fips 2012-04-26 18:00:51.350768207 +0200
20240 +++ openssl-1.0.1b/Makefile.org 2012-04-26 18:00:51.724776378 +0200
20241 @@ -136,6 +136,9 @@ FIPSCANLIB=
20245 +# Non-empty if FIPS enabled
20248 DIRS= crypto ssl engines apps test tools
20250 SHLIBDIRS= crypto ssl
20251 @@ -148,7 +151,7 @@ SDIRS= \
20252 bn ec rsa dsa ecdsa dh ecdh dso engine \
20253 buffer bio stack lhash rand err \
20254 evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
20255 - cms pqueue ts jpake srp store cmac
20256 + cms pqueue ts jpake srp store cmac fips
20257 # keep in mind that the above list is adjusted by ./Configure
20258 # according to no-xxx arguments...
20260 @@ -237,6 +240,7 @@ BUILDENV= PLATFORM='$(PLATFORM)' PROCESS
20261 FIPSLIBDIR='${FIPSLIBDIR}' \
20262 FIPSDIR='${FIPSDIR}' \
20263 FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}" \
20264 + FIPS="$${FIPS:-$(FIPS)}" \
20265 THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
20266 # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
20267 # which in turn eliminates ambiguities in variable treatment with -e.
20268 diff -up openssl-1.0.1b/ssl/ssl_algs.c.fips openssl-1.0.1b/ssl/ssl_algs.c
20269 --- openssl-1.0.1b/ssl/ssl_algs.c.fips 2012-01-15 14:42:50.000000000 +0100
20270 +++ openssl-1.0.1b/ssl/ssl_algs.c 2012-04-26 18:00:51.725776399 +0200
20272 int SSL_library_init(void)
20275 +#ifdef OPENSSL_FIPS
20276 + OPENSSL_init_library();
20277 + if (!FIPS_mode())
20281 #ifndef OPENSSL_NO_DES
20282 EVP_add_cipher(EVP_des_cbc());
20283 EVP_add_cipher(EVP_des_ede3_cbc());
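Review bot: The algorithm set SSL_library_init registers is now chosen by the value of `FIPS_mode()` at call time and the EVP tables are not revisited afterwards, so an application that enables FIPS mode after calling SSL_library_init keeps the non-FIPS ciphers and digests registered, while one that enables it first gets only the FIPS branch. That ordering requirement is not visible from the call site and deserves a comment, `/* must run after FIPS_mode_set(): the registered algorithm set is fixed here */`. The lines the view omits after `if (!FIPS_mode())` presumably open the block the existing registrations sit in; the FIPS-mode `else` branch is in the next hunk, which runs past this view.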
20284 @@ -136,6 +142,50 @@ int SSL_library_init(void)
20285 EVP_add_digest(EVP_sha());
20286 EVP_add_digest(EVP_dss());
20288 +#ifdef OPENSSL_FIPS
20292 +#ifndef OPENSSL_NO_DES
20293 + EVP_add_cipher(EVP_des_ede3_cbc());
20295 +#ifndef OPENSSL_NO_AES
20296 + EVP_add_cipher(EVP_aes_128_cbc());
20297 + EVP_add_cipher(EVP_aes_192_cbc());
20298 + EVP_add_cipher(EVP_aes_256_cbc());
20299 + EVP_add_cipher(EVP_aes_128_gcm());
20300 + EVP_add_cipher(EVP_aes_256_gcm());
20302 +#ifndef OPENSSL_NO_MD5
20303 + /* needed even in the FIPS mode for TLS MAC */
20304 + EVP_add_digest(EVP_md5());
20305 + EVP_add_digest_alias(SN_md5,"ssl2-md5");
20306 + EVP_add_digest_alias(SN_md5,"ssl3-md5");
20308 +#ifndef OPENSSL_NO_SHA
20309 + EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
20310 + EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
20311 + EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
20313 +#ifndef OPENSSL_NO_SHA256
20314 + EVP_add_digest(EVP_sha224());
20315 + EVP_add_digest(EVP_sha256());
20317 +#ifndef OPENSSL_NO_SHA512
20318 + EVP_add_digest(EVP_sha384());
20319 + EVP_add_digest(EVP_sha512());
20321 +#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
20322 + EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
20323 + EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
20324 + EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
20325 + EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
20327 +#ifndef OPENSSL_NO_ECDSA
20328 + EVP_add_digest(EVP_ecdsa());
20332 #ifndef OPENSSL_NO_COMP
20333 /* This will initialise the built-in compression algorithms.
20334 The value returned is a STACK_OF(SSL_COMP), but that can