diff --git a/openssl-1.1.1-evp-kdf.patch b/openssl-1.1.1-evp-kdf.patch
index 48169fa..cb10eba 100644
--- a/openssl-1.1.1-evp-kdf.patch
+++ b/openssl-1.1.1-evp-kdf.patch
@@ -969,7 +969,7 @@ diff -up openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1b/crypto/evp/
+
+const EVP_PKEY_METHOD tls1_prf_pkey_meth = {
+ EVP_PKEY_TLS1_PRF,
-+ 0,
++ EVP_PKEY_FLAG_FIPS,
+ pkey_kdf_init,
+ 0,
+ pkey_kdf_cleanup,
@@ -999,7 +999,7 @@ diff -up openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1b/crypto/evp/
+
+const EVP_PKEY_METHOD hkdf_pkey_meth = {
+ EVP_PKEY_HKDF,
-+ 0,
++ EVP_PKEY_FLAG_FIPS,
+ pkey_kdf_init,
+ 0,
+ pkey_kdf_cleanup,
diff --git a/openssl-1.1.1-fips-crng-test.patch b/openssl-1.1.1-fips-crng-test.patch
new file mode 100644
index 0000000..91841f1
--- /dev/null
+++ b/openssl-1.1.1-fips-crng-test.patch
@@ -0,0 +1,407 @@
+diff -up openssl-1.1.1b/crypto/include/internal/rand_int.h.crng-test openssl-1.1.1b/crypto/include/internal/rand_int.h
+--- openssl-1.1.1b/crypto/include/internal/rand_int.h.crng-test 2019-05-07 08:56:33.242179136 +0200
++++ openssl-1.1.1b/crypto/include/internal/rand_int.h 2019-05-07 09:54:14.920204875 +0200
+@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN
+
+ void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
+
++/* CRNG test entropy filter callbacks. */
++size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
++ unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len,
++ int prediction_resistance);
++void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
++ unsigned char *out, size_t outlen);
++
+ /*
+ * RAND_POOL functions
+ */
+diff -up openssl-1.1.1b/crypto/rand/build.info.crng-test openssl-1.1.1b/crypto/rand/build.info
+--- openssl-1.1.1b/crypto/rand/build.info.crng-test 2019-05-07 09:54:14.921204857 +0200
++++ openssl-1.1.1b/crypto/rand/build.info 2019-05-07 09:55:22.730014705 +0200
+@@ -1,4 +1,4 @@
+ LIBS=../../libcrypto
+ SOURCE[../../libcrypto]=\
+- randfile.c rand_lib.c rand_err.c rand_egd.c \
++ randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
+ rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
+diff -up openssl-1.1.1b/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1b/crypto/rand/drbg_lib.c
+--- openssl-1.1.1b/crypto/rand/drbg_lib.c.crng-test 2019-02-26 15:15:30.000000000 +0100
++++ openssl-1.1.1b/crypto/rand/drbg_lib.c 2019-05-07 10:04:51.753157224 +0200
+@@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg;
+
+
+ /* NIST SP 800-90A DRBG recommends the use of a personalization string. */
+-static const char ossl_pers_string[] = "OpenSSL NIST SP 800-90A DRBG";
++static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING;
+
+ static CRYPTO_ONCE rand_drbg_init = CRYPTO_ONCE_STATIC_INIT;
+
+@@ -201,8 +201,13 @@ static RAND_DRBG *rand_drbg_new(int secu
+ drbg->parent = parent;
+
+ if (parent == NULL) {
++#ifdef OPENSSL_FIPS
++ drbg->get_entropy = rand_crngt_get_entropy;
++ drbg->cleanup_entropy = rand_crngt_cleanup_entropy;
++#else
+ drbg->get_entropy = rand_drbg_get_entropy;
+ drbg->cleanup_entropy = rand_drbg_cleanup_entropy;
++#endif
+ #ifndef RAND_DRBG_GET_RANDOM_NONCE
+ drbg->get_nonce = rand_drbg_get_nonce;
+ drbg->cleanup_nonce = rand_drbg_cleanup_nonce;
+diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/crypto/rand/rand_crng_test.c
+--- openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test 2019-05-07 09:54:14.925204787 +0200
++++ openssl-1.1.1b/crypto/rand/rand_crng_test.c 2019-05-07 09:54:14.932204664 +0200
+@@ -0,0 +1,118 @@
++/*
++ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License"). You may not use
++ * this file except in compliance with the License. You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++/*
++ * Implementation of the FIPS 140-2 section 4.9.2 Conditional Tests.
++ */
++
++#include <string.h>
++#include <openssl/evp.h>
++#include "internal/rand_int.h"
++#include "internal/thread_once.h"
++#include "rand_lcl.h"
++
++static RAND_POOL *crngt_pool;
++static unsigned char crngt_prev[EVP_MAX_MD_SIZE];
++
++int (*crngt_get_entropy)(unsigned char *, unsigned char *, unsigned int *)
++ = &rand_crngt_get_entropy_cb;
++
++int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,
++ unsigned int *md_size)
++{
++ int r;
++ size_t n;
++ unsigned char *p;
++
++ n = rand_pool_acquire_entropy(crngt_pool);
++ if (n >= CRNGT_BUFSIZ) {
++ p = rand_pool_detach(crngt_pool);
++ r = EVP_Digest(p, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
++ if (r != 0)
++ memcpy(buf, p, CRNGT_BUFSIZ);
++ rand_pool_reattach(crngt_pool, p);
++ return r;
++ }
++ return 0;
++}
++
++void rand_crngt_cleanup(void)
++{
++ rand_pool_free(crngt_pool);
++ crngt_pool = NULL;
++}
++
++int rand_crngt_init(void)
++{
++ unsigned char buf[CRNGT_BUFSIZ];
++
++ if ((crngt_pool = rand_pool_new(0, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL)
++ return 0;
++ if (crngt_get_entropy(buf, crngt_prev, NULL)) {
++ OPENSSL_cleanse(buf, sizeof(buf));
++ return 1;
++ }
++ rand_crngt_cleanup();
++ return 0;
++}
++
++static CRYPTO_ONCE rand_crngt_init_flag = CRYPTO_ONCE_STATIC_INIT;
++DEFINE_RUN_ONCE_STATIC(do_rand_crngt_init)
++{
++ return OPENSSL_init_crypto(0, NULL)
++ && rand_crngt_init()
++ && OPENSSL_atexit(&rand_crngt_cleanup);
++}
++
++int rand_crngt_single_init(void)
++{
++ return RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init);
++}
++
++size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
++ unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len,
++ int prediction_resistance)
++{
++ unsigned char buf[CRNGT_BUFSIZ], md[EVP_MAX_MD_SIZE];
++ unsigned int sz;
++ RAND_POOL *pool;
++ size_t q, r = 0, s, t = 0;
++ int attempts = 3;
++
++ if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init))
++ return 0;
++
++ if ((pool = rand_pool_new(entropy, min_len, max_len)) == NULL)
++ return 0;
++
++ while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) {
++ s = q > sizeof(buf) ? sizeof(buf) : q;
++ if (!crngt_get_entropy(buf, md, &sz)
++ || memcmp(crngt_prev, md, sz) == 0
++ || !rand_pool_add(pool, buf, s, s * 8))
++ goto err;
++ memcpy(crngt_prev, md, sz);
++ t += s;
++ attempts++;
++ }
++ r = t;
++ *pout = rand_pool_detach(pool);
++err:
++ OPENSSL_cleanse(buf, sizeof(buf));
++ rand_pool_free(pool);
++ return r;
++}
++
++void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
++ unsigned char *out, size_t outlen)
++{
++ OPENSSL_secure_clear_free(out, outlen);
++}
+diff -up openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test openssl-1.1.1b/crypto/rand/rand_lcl.h
+--- openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test 2019-05-07 08:56:33.330177674 +0200
++++ openssl-1.1.1b/crypto/rand/rand_lcl.h 2019-05-07 09:54:14.933204647 +0200
+@@ -33,7 +33,15 @@
+ # define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */
+ # define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */
+
+-
++/*
++ * The number of bytes that constitutes an atomic lump of entropy with respect
++ * to the FIPS 140-2 section 4.9.2 Conditional Tests. The size is somewhat
++ * arbitrary, the smaller the value, the less entropy is consumed on first
++ * read but the higher the probability of the test failing by accident.
++ *
++ * The value is in bytes.
++ */
++#define CRNGT_BUFSIZ 16
+
+ /*
+ * Maximum input size for the DRBG (entropy, nonce, personalization string)
+@@ -44,7 +52,8 @@
+ */
+ # define DRBG_MAX_LENGTH INT32_MAX
+
+-
++/* The default nonce */
++# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG"
+
+ /*
+ * Maximum allocation size for RANDOM_POOL buffers
+@@ -290,4 +299,22 @@ int rand_drbg_enable_locking(RAND_DRBG *
+ /* initializes the AES-CTR DRBG implementation */
+ int drbg_ctr_init(RAND_DRBG *drbg);
+
++/*
++ * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests.
++ * These need to be exposed for the unit tests.
++ */
++int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,
++ unsigned int *md_size);
++extern int (*crngt_get_entropy)(unsigned char *buf, unsigned char *md,
++ unsigned int *md_size);
++int rand_crngt_init(void);
++void rand_crngt_cleanup(void);
++
++/*
++ * Expose the run once initialisation function for the unit tests because.
++ * they need to restart from scratch to validate the first block is skipped
++ * properly.
++ */
++int rand_crngt_single_init(void);
++
+ #endif
+diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
+--- openssl-1.1.1b/test/drbgtest.c.crng-test 2019-02-26 15:15:30.000000000 +0100
++++ openssl-1.1.1b/test/drbgtest.c 2019-05-07 10:06:24.706551561 +0200
+@@ -143,6 +143,31 @@ static size_t kat_nonce(RAND_DRBG *drbg,
+ return t->noncelen;
+ }
+
++ /*
++ * Disable CRNG testing if it is enabled.
++ * If the DRBG is ready or in an error state, this means an instantiate cycle
++ * for which the default personalisation string is used.
++ */
++static int disable_crngt(RAND_DRBG *drbg)
++{
++ static const char pers[] = DRBG_DEFAULT_PERS_STRING;
++ const int instantiate = drbg->state != DRBG_UNINITIALISED;
++
++ if (drbg->get_entropy != rand_crngt_get_entropy)
++ return 1;
++
++ if ((instantiate && !RAND_DRBG_uninstantiate(drbg))
++ || !TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy,
++ &rand_drbg_cleanup_entropy,
++ &rand_drbg_get_nonce,
++ &rand_drbg_cleanup_nonce))
++ || (instantiate
++ && !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers,
++ sizeof(pers) - 1)))
++ return 0;
++ return 1;
++}
++
+ static int uninstantiate(RAND_DRBG *drbg)
+ {
+ int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg);
+@@ -168,7 +193,8 @@ static int single_kat(DRBG_SELFTEST_DATA
+ if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL)))
+ return 0;
+ if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
+- kat_nonce, NULL))) {
++ kat_nonce, NULL))
++ || !TEST_true(disable_crngt(drbg))) {
+ failures++;
+ goto err;
+ }
+@@ -286,7 +312,8 @@ static int error_check(DRBG_SELFTEST_DAT
+ unsigned int reseed_counter_tmp;
+ int ret = 0;
+
+- if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL)))
++ if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL))
++ || !TEST_true(disable_crngt(drbg)))
+ goto err;
+
+ /*
+@@ -699,6 +726,10 @@ static int test_rand_drbg_reseed(void)
+ || !TEST_ptr_eq(private->parent, master))
+ return 0;
+
++ /* Disable CRNG testing for the master DRBG */
++ if (!TEST_true(disable_crngt(master)))
++ return 0;
++
+ /* uninstantiate the three global DRBGs */
+ RAND_DRBG_uninstantiate(private);
+ RAND_DRBG_uninstantiate(public);
+@@ -919,7 +950,8 @@ static int test_rand_seed(void)
+ size_t rand_buflen;
+ size_t required_seed_buflen = 0;
+
+- if (!TEST_ptr(master = RAND_DRBG_get0_master()))
++ if (!TEST_ptr(master = RAND_DRBG_get0_master())
++ || !TEST_true(disable_crngt(master)))
+ return 0;
+
+ #ifdef OPENSSL_RAND_SEED_NONE
+@@ -968,6 +1000,95 @@ static int test_rand_add(void)
+ return 1;
+ }
+
++/*
++ * A list of the FIPS DRGB types.
++ */
++static const struct s_drgb_types {
++ int nid;
++ int flags;
++} drgb_types[] = {
++ { NID_aes_128_ctr, 0 },
++ { NID_aes_192_ctr, 0 },
++ { NID_aes_256_ctr, 0 },
++};
++
++/* Six cases for each covers seed sizes up to 32 bytes */
++static const size_t crngt_num_cases = 6;
++
++static size_t crngt_case, crngt_idx;
++
++static int crngt_entropy_cb(unsigned char *buf, unsigned char *md,
++ unsigned int *md_size)
++{
++ size_t i, z;
++
++ if (!TEST_int_lt(crngt_idx, crngt_num_cases))
++ return 0;
++ /* Generate a block of unique data unless this is the duplication point */
++ z = crngt_idx++;
++ if (z > 0 && crngt_case == z)
++ z--;
++ for (i = 0; i < CRNGT_BUFSIZ; i++)
++ buf[i] = (unsigned char)(i + 'A' + z);
++ return EVP_Digest(buf, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
++}
++
++static int test_crngt(int n)
++{
++ const struct s_drgb_types *dt = drgb_types + n / crngt_num_cases;
++ RAND_DRBG *drbg = NULL;
++ unsigned char buff[100];
++ size_t ent;
++ int res = 0;
++ int expect;
++
++ if (!TEST_true(rand_crngt_single_init()))
++ return 0;
++ rand_crngt_cleanup();
++
++ if (!TEST_ptr(drbg = RAND_DRBG_new(dt->nid, dt->flags, NULL)))
++ return 0;
++ ent = (drbg->min_entropylen + CRNGT_BUFSIZ - 1) / CRNGT_BUFSIZ;
++ crngt_case = n % crngt_num_cases;
++ crngt_idx = 0;
++ crngt_get_entropy = &crngt_entropy_cb;
++ if (!TEST_true(rand_crngt_init()))
++ goto err;
++#ifndef OPENSSL_FIPS
++ if (!TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_crngt_get_entropy,
++ &rand_crngt_cleanup_entropy,
++ &rand_drbg_get_nonce,
++ &rand_drbg_cleanup_nonce)))
++ goto err;
++#endif
++ expect = crngt_case == 0 || crngt_case > ent;
++ if (!TEST_int_eq(RAND_DRBG_instantiate(drbg, NULL, 0), expect))
++ goto err;
++ if (!expect)
++ goto fin;
++ if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))
++ goto err;
++
++ expect = crngt_case == 0 || crngt_case > 2 * ent;
++ if (!TEST_int_eq(RAND_DRBG_reseed(drbg, NULL, 0, 0), expect))
++ goto err;
++ if (!expect)
++ goto fin;
++ if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))
++ goto err;
++
++fin:
++ res = 1;
++err:
++ if (!res)
++ TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases,
++ crngt_case, crngt_idx);
++ uninstantiate(drbg);
++ RAND_DRBG_free(drbg);
++ crngt_get_entropy = &rand_crngt_get_entropy_cb;
++ return res;
++}
++
+ int setup_tests(void)
+ {
+ app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
+@@ -980,5 +1101,6 @@ int setup_tests(void)
+ #if defined(OPENSSL_THREADS)
+ ADD_TEST(test_multi_thread);
+ #endif
++ ADD_ALL_TESTS(test_crngt, crngt_num_cases * OSSL_NELEM(drgb_types));
+ return 1;
+ }
diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch
index c3ed6e2..adcc584 100644
--- a/openssl-1.1.1-fips.patch
+++ b/openssl-1.1.1-fips.patch
@@ -1,6 +1,6 @@
diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
---- openssl-1.1.1b/apps/speed.c.fips 2019-02-28 11:30:06.768746376 +0100
-+++ openssl-1.1.1b/apps/speed.c 2019-02-28 11:30:06.779746172 +0100
+--- openssl-1.1.1b/apps/speed.c.fips 2019-05-07 08:56:33.531174336 +0200
++++ openssl-1.1.1b/apps/speed.c 2019-05-07 09:43:06.673989992 +0200
@@ -1592,7 +1592,8 @@ int speed_main(int argc, char **argv)
continue;
if (strcmp(*argv, "rsa") == 0) {
@@ -22,7 +22,22 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
dsa_doit[R_DSA_2048] = 1;
continue;
}
-@@ -1734,15 +1737,21 @@ int speed_main(int argc, char **argv)
+@@ -1640,12 +1643,12 @@ int speed_main(int argc, char **argv)
+ ecdh_doit[i] = 2;
+ continue;
+ }
+- if (strcmp(*argv, "eddsa") == 0) {
++ if (!FIPS_mode() && strcmp(*argv, "eddsa") == 0) {
+ for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
+ eddsa_doit[loop] = 1;
+ continue;
+ }
+- if (found(*argv, eddsa_choices, &i)) {
++ if (!FIPS_mode() && found(*argv, eddsa_choices, &i)) {
+ eddsa_doit[i] = 2;
+ continue;
+ }
+@@ -1734,23 +1737,30 @@ int speed_main(int argc, char **argv)
/* No parameters; turn on everything. */
if ((argc == 0) && !doit[D_EVP]) {
for (i = 0; i < ALGOR_NUM; i++)
@@ -47,7 +62,18 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
#endif
#ifndef OPENSSL_NO_EC
for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++)
-@@ -1798,30 +1807,46 @@ int speed_main(int argc, char **argv)
+ ecdsa_doit[loop] = 1;
+ for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++)
+ ecdh_doit[loop] = 1;
+- for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
+- eddsa_doit[loop] = 1;
++ if (!FIPS_mode())
++ for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
++ eddsa_doit[loop] = 1;
+ #endif
+ }
+ for (i = 0; i < ALGOR_NUM; i++)
+@@ -1798,30 +1808,46 @@ int speed_main(int argc, char **argv)
AES_set_encrypt_key(key24, 192, &aes_ks2);
AES_set_encrypt_key(key32, 256, &aes_ks3);
#ifndef OPENSSL_NO_CAMELLIA
@@ -104,7 +130,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c
#endif
#ifndef SIGALRM
# ifndef OPENSSL_NO_DES
-@@ -2118,6 +2143,7 @@ int speed_main(int argc, char **argv)
+@@ -2118,6 +2144,7 @@ int speed_main(int argc, char **argv)
for (i = 0; i < loopargs_len; i++) {
loopargs[i].hctx = HMAC_CTX_new();
@@ -124,6 +150,18 @@ diff -up openssl-1.1.1b/Configure.fips openssl-1.1.1b/Configure
"evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui",
"cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store"
];
+diff -up openssl-1.1.1b/crypto/cmac/cm_pmeth.c.fips openssl-1.1.1b/crypto/cmac/cm_pmeth.c
+--- openssl-1.1.1b/crypto/cmac/cm_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100
++++ openssl-1.1.1b/crypto/cmac/cm_pmeth.c 2019-05-06 14:55:32.866749109 +0200
+@@ -129,7 +129,7 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_C
+
+ const EVP_PKEY_METHOD cmac_pkey_meth = {
+ EVP_PKEY_CMAC,
+- EVP_PKEY_FLAG_SIGCTX_CUSTOM,
++ EVP_PKEY_FLAG_SIGCTX_CUSTOM | EVP_PKEY_FLAG_FIPS,
+ pkey_cmac_init,
+ pkey_cmac_copy,
+ pkey_cmac_cleanup,
diff -up openssl-1.1.1b/crypto/dh/dh_err.c.fips openssl-1.1.1b/crypto/dh/dh_err.c
--- openssl-1.1.1b/crypto/dh/dh_err.c.fips 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/dh/dh_err.c 2019-02-28 11:30:06.779746172 +0100
@@ -284,6 +322,27 @@ diff -up openssl-1.1.1b/crypto/dh/dh_key.c.fips openssl-1.1.1b/crypto/dh/dh_key.
dh->flags |= DH_FLAG_CACHE_MONT_P;
return 1;
}
+diff -up openssl-1.1.1b/crypto/dh/dh_pmeth.c.fips openssl-1.1.1b/crypto/dh/dh_pmeth.c
+--- openssl-1.1.1b/crypto/dh/dh_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100
++++ openssl-1.1.1b/crypto/dh/dh_pmeth.c 2019-05-06 14:57:29.184723430 +0200
+@@ -480,7 +480,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *
+
+ const EVP_PKEY_METHOD dh_pkey_meth = {
+ EVP_PKEY_DH,
+- 0,
++ EVP_PKEY_FLAG_FIPS,
+ pkey_dh_init,
+ pkey_dh_copy,
+ pkey_dh_cleanup,
+@@ -514,7 +514,7 @@ const EVP_PKEY_METHOD dh_pkey_meth = {
+
+ const EVP_PKEY_METHOD dhx_pkey_meth = {
+ EVP_PKEY_DHX,
+- 0,
++ EVP_PKEY_FLAG_FIPS,
+ pkey_dh_init,
+ pkey_dh_copy,
+ pkey_dh_cleanup,
diff -up openssl-1.1.1b/crypto/dsa/dsa_err.c.fips openssl-1.1.1b/crypto/dsa/dsa_err.c
--- openssl-1.1.1b/crypto/dsa/dsa_err.c.fips 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/dsa/dsa_err.c 2019-02-28 11:30:06.798745819 +0100
@@ -638,6 +697,15 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.1b/crypto/dsa/ds
BN_GENCB_free(pcb);
if (ret)
EVP_PKEY_assign_DSA(pkey, dsa);
+@@ -241,7 +241,7 @@ static int pkey_dsa_keygen(EVP_PKEY_CTX
+
+ const EVP_PKEY_METHOD dsa_pkey_meth = {
+ EVP_PKEY_DSA,
+- EVP_PKEY_FLAG_AUTOARGLEN,
++ EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS,
+ pkey_dsa_init,
+ pkey_dsa_copy,
+ pkey_dsa_cleanup,
diff -up openssl-1.1.1b/crypto/ec/ecdh_ossl.c.fips openssl-1.1.1b/crypto/ec/ecdh_ossl.c
--- openssl-1.1.1b/crypto/ec/ecdh_ossl.c.fips 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/ec/ecdh_ossl.c 2019-02-28 11:30:06.801745763 +0100
@@ -772,6 +840,18 @@ diff -up openssl-1.1.1b/crypto/ec/ec_key.c.fips openssl-1.1.1b/crypto/ec/ec_key.
ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED);
return 0;
}
+diff -up openssl-1.1.1b/crypto/ec/ec_pmeth.c.fips openssl-1.1.1b/crypto/ec/ec_pmeth.c
+--- openssl-1.1.1b/crypto/ec/ec_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100
++++ openssl-1.1.1b/crypto/ec/ec_pmeth.c 2019-05-06 14:47:34.651077251 +0200
+@@ -434,7 +434,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX *
+
+ const EVP_PKEY_METHOD ec_pkey_meth = {
+ EVP_PKEY_EC,
+- 0,
++ EVP_PKEY_FLAG_FIPS,
+ pkey_ec_init,
+ pkey_ec_copy,
+ pkey_ec_cleanup,
diff -up openssl-1.1.1b/crypto/evp/c_allc.c.fips openssl-1.1.1b/crypto/evp/c_allc.c
--- openssl-1.1.1b/crypto/evp/c_allc.c.fips 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/evp/c_allc.c 2019-02-28 11:30:06.802745744 +0100
@@ -958,8 +1038,93 @@ diff -up openssl-1.1.1b/crypto/evp/digest.c.fips openssl-1.1.1b/crypto/evp/diges
if (size != NULL)
diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes.c
--- openssl-1.1.1b/crypto/evp/e_aes.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/evp/e_aes.c 2019-02-28 11:30:06.804745707 +0100
-@@ -2794,9 +2794,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX
++++ openssl-1.1.1b/crypto/evp/e_aes.c 2019-05-06 16:32:41.631668333 +0200
+@@ -387,22 +387,33 @@ static int aesni_xts_init_key(EVP_CIPHER
+ return 1;
+
+ if (key) {
++ /* The key is two half length keys in reality */
++ const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
++ const int bits = bytes * 8;
++
++ /*
++ * Verify that the two keys are different.
++ *
++ * This addresses Rogaway's vulnerability.
++ * See comment in aes_xts_init_key() below.
++ */
++ if (memcmp(key, key + bytes, bytes) == 0) {
++ EVPerr(EVP_F_AESNI_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
++ return 0;
++ }
++
+ /* key_len is two AES keys */
+ if (enc) {
+- aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
+- &xctx->ks1.ks);
++ aesni_set_encrypt_key(key, bits, &xctx->ks1.ks);
+ xctx->xts.block1 = (block128_f) aesni_encrypt;
+ xctx->stream = aesni_xts_encrypt;
+ } else {
+- aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
+- &xctx->ks1.ks);
++ aesni_set_decrypt_key(key, bits, &xctx->ks1.ks);
+ xctx->xts.block1 = (block128_f) aesni_decrypt;
+ xctx->stream = aesni_xts_decrypt;
+ }
+
+- aesni_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
+- EVP_CIPHER_CTX_key_length(ctx) * 4,
+- &xctx->ks2.ks);
++ aesni_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
+ xctx->xts.block2 = (block128_f) aesni_encrypt;
+
+ xctx->xts.key1 = &xctx->ks1;
+@@ -791,7 +802,21 @@ static int aes_t4_xts_init_key(EVP_CIPHE
+ return 1;
+
+ if (key) {
+- int bits = EVP_CIPHER_CTX_key_length(ctx) * 4;
++ /* The key is two half length keys in reality */
++ const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
++ const int bits = bytes * 8;
++
++ /*
++ * Verify that the two keys are different.
++ *
++ * This addresses Rogaway's vulnerability.
++ * See comment in aes_xts_init_key() below.
++ */
++ if (memcmp(key, key + bytes, bytes) == 0) {
++ EVPerr(EVP_F_AES_T4_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
++ return 0;
++ }
++
+ xctx->stream = NULL;
+ /* key_len is two AES keys */
+ if (enc) {
+@@ -808,8 +833,7 @@ static int aes_t4_xts_init_key(EVP_CIPHE
+ return 0;
+ }
+ } else {
+- aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
+- &xctx->ks1.ks);
++ aes_t4_set_decrypt_key(key, bits, &xctx->ks1.ks);
+ xctx->xts.block1 = (block128_f) aes_t4_decrypt;
+ switch (bits) {
+ case 128:
+@@ -823,9 +847,7 @@ static int aes_t4_xts_init_key(EVP_CIPHE
+ }
+ }
+
+- aes_t4_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
+- EVP_CIPHER_CTX_key_length(ctx) * 4,
+- &xctx->ks2.ks);
++ aes_t4_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
+ xctx->xts.block2 = (block128_f) aes_t4_encrypt;
+
+ xctx->xts.key1 = &xctx->ks1;
+@@ -2794,9 +2816,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX
return 1;
}
@@ -972,7 +1137,7 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes.
static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
{
-@@ -2826,6 +2826,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *
+@@ -2826,6 +2848,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *
case EVP_CTRL_AEAD_SET_IVLEN:
if (arg <= 0)
return 0;
@@ -984,7 +1149,7 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes.
/* Allocate memory for IV if needed */
if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
if (gctx->iv != c->iv)
-@@ -3275,11 +3280,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX
+@@ -3275,11 +3302,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX
| EVP_CIPH_CUSTOM_COPY)
BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
@@ -1002,7 +1167,123 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes.
static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
{
-@@ -3414,6 +3422,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
+@@ -3313,8 +3343,33 @@ static int aes_xts_init_key(EVP_CIPHER_C
+ if (!iv && !key)
+ return 1;
+
+- if (key)
++ if (key) {
+ do {
++ /* The key is two half length keys in reality */
++ const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
++ const int bits = bytes * 8;
++
++ /*
++ * Verify that the two keys are different.
++ *
++ * This addresses the vulnerability described in Rogaway's
++ * September 2004 paper:
++ *
++ * "Efficient Instantiations of Tweakable Blockciphers and
++ * Refinements to Modes OCB and PMAC".
++ * (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf)
++ *
++ * FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states
++ * that:
++ * "The check for Key_1 != Key_2 shall be done at any place
++ * BEFORE using the keys in the XTS-AES algorithm to process
++ * data with them."
++ */
++ if (memcmp(key, key + bytes, bytes) == 0) {
++ EVPerr(EVP_F_AES_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
++ return 0;
++ }
++
+ #ifdef AES_XTS_ASM
+ xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
+ #else
+@@ -3324,26 +3379,20 @@ static int aes_xts_init_key(EVP_CIPHER_C
+ #ifdef HWAES_CAPABLE
+ if (HWAES_CAPABLE) {
+ if (enc) {
+- HWAES_set_encrypt_key(key,
+- EVP_CIPHER_CTX_key_length(ctx) * 4,
+- &xctx->ks1.ks);
++ HWAES_set_encrypt_key(key, bits, &xctx->ks1.ks);
+ xctx->xts.block1 = (block128_f) HWAES_encrypt;
+ # ifdef HWAES_xts_encrypt
+ xctx->stream = HWAES_xts_encrypt;
+ # endif
+ } else {
+- HWAES_set_decrypt_key(key,
+- EVP_CIPHER_CTX_key_length(ctx) * 4,
+- &xctx->ks1.ks);
++ HWAES_set_decrypt_key(key, bits, &xctx->ks1.ks);
+ xctx->xts.block1 = (block128_f) HWAES_decrypt;
+ # ifdef HWAES_xts_decrypt
+ xctx->stream = HWAES_xts_decrypt;
+ #endif
+ }
+
+- HWAES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
+- EVP_CIPHER_CTX_key_length(ctx) * 4,
+- &xctx->ks2.ks);
++ HWAES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
+ xctx->xts.block2 = (block128_f) HWAES_encrypt;
+
+ xctx->xts.key1 = &xctx->ks1;
+@@ -3358,20 +3407,14 @@ static int aes_xts_init_key(EVP_CIPHER_C
+ #ifdef VPAES_CAPABLE
+ if (VPAES_CAPABLE) {
+ if (enc) {
+- vpaes_set_encrypt_key(key,
+- EVP_CIPHER_CTX_key_length(ctx) * 4,
+- &xctx->ks1.ks);
++ vpaes_set_encrypt_key(key, bits, &xctx->ks1.ks);
+ xctx->xts.block1 = (block128_f) vpaes_encrypt;
+ } else {
+- vpaes_set_decrypt_key(key,
+- EVP_CIPHER_CTX_key_length(ctx) * 4,
+- &xctx->ks1.ks);
++ vpaes_set_decrypt_key(key, bits, &xctx->ks1.ks);
+ xctx->xts.block1 = (block128_f) vpaes_decrypt;
+ }
+
+- vpaes_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
+- EVP_CIPHER_CTX_key_length(ctx) * 4,
+- &xctx->ks2.ks);
++ vpaes_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
+ xctx->xts.block2 = (block128_f) vpaes_encrypt;
+
+ xctx->xts.key1 = &xctx->ks1;
+@@ -3381,22 +3424,19 @@ static int aes_xts_init_key(EVP_CIPHER_C
+ (void)0; /* terminate potentially open 'else' */
+
+ if (enc) {
+- AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
+- &xctx->ks1.ks);
++ AES_set_encrypt_key(key, bits, &xctx->ks1.ks);
+ xctx->xts.block1 = (block128_f) AES_encrypt;
+ } else {
+- AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
+- &xctx->ks1.ks);
++ AES_set_decrypt_key(key, bits, &xctx->ks1.ks);
+ xctx->xts.block1 = (block128_f) AES_decrypt;
+ }
+
+- AES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
+- EVP_CIPHER_CTX_key_length(ctx) * 4,
+- &xctx->ks2.ks);
++ AES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks);
+ xctx->xts.block2 = (block128_f) AES_encrypt;
+
+ xctx->xts.key1 = &xctx->ks1;
+ } while (0);
++ }
+
+ if (iv) {
+ xctx->xts.key2 = &xctx->ks2;
+@@ -3414,6 +3454,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
return 0;
if (!out || !in || len < AES_BLOCK_SIZE)
return 0;
@@ -1017,7 +1298,7 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes.
if (xctx->stream)
(*xctx->stream) (in, out, len,
xctx->xts.key1, xctx->xts.key2,
-@@ -3431,8 +3447,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
+@@ -3431,8 +3479,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
| EVP_CIPH_CUSTOM_COPY)
@@ -1030,7 +1311,7 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes.
static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
{
-@@ -3697,11 +3715,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX
+@@ -3697,11 +3747,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX
#define aes_ccm_cleanup NULL
BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
@@ -1045,7 +1326,7 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes.
typedef struct {
union {
-@@ -3794,7 +3812,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT
+@@ -3794,7 +3844,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT
return rv ? (int)rv : -1;
}
@@ -1176,12 +1457,21 @@ diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.fips openssl-1.1.1b/crypto/evp/evp_
if (!ctx->cipher->init(ctx, key, iv, enc))
diff -up openssl-1.1.1b/crypto/evp/evp_err.c.fips openssl-1.1.1b/crypto/evp/evp_err.c
--- openssl-1.1.1b/crypto/evp/evp_err.c.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/evp/evp_err.c 2019-02-28 11:30:06.805745688 +0100
-@@ -20,6 +20,7 @@ static const ERR_STRING_DATA EVP_str_fun
++++ openssl-1.1.1b/crypto/evp/evp_err.c 2019-05-06 16:41:08.565739361 +0200
+@@ -15,11 +15,16 @@
+
+ static const ERR_STRING_DATA EVP_str_functs[] = {
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AESNI_INIT_KEY, 0), "aesni_init_key"},
++ {ERR_PACK(ERR_LIB_EVP, EVP_F_AESNI_XTS_INIT_KEY, 0), "aesni_xts_init_key"},
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_GCM_CTRL, 0), "aes_gcm_ctrl"},
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_INIT_KEY, 0), "aes_init_key"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_OCB_CIPHER, 0), "aes_ocb_cipher"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_INIT_KEY, 0), "aes_t4_init_key"},
++ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_XTS_INIT_KEY, 0),
++ "aes_t4_xts_init_key"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_WRAP_CIPHER, 0), "aes_wrap_cipher"},
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_CIPHER, 0), "aes_xts_cipher"},
++ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_INIT_KEY, 0), "aes_xts_init_key"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_ALG_MODULE_INIT, 0), "alg_module_init"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_CCM_INIT_KEY, 0), "aria_ccm_init_key"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_GCM_CTRL, 0), "aria_gcm_ctrl"},
@@ -1201,6 +1491,17 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.fips openssl-1.1.1b/crypto/evp/evp_
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_CIPHER), "unknown cipher"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_DIGEST), "unknown digest"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_OPTION), "unknown option"},
+@@ -266,6 +269,10 @@ static const ERR_STRING_DATA EVP_str_rea
+ "wrap mode not allowed"},
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_FINAL_BLOCK_LENGTH),
+ "wrong final block length"},
++ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE),
++ "xts data unit is too large"},
++ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS),
++ "xts duplicated keys"},
+ {0, NULL}
+ };
+
diff -up openssl-1.1.1b/crypto/evp/evp_lib.c.fips openssl-1.1.1b/crypto/evp/evp_lib.c
--- openssl-1.1.1b/crypto/evp/evp_lib.c.fips 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/evp/evp_lib.c 2019-02-28 11:30:06.806745670 +0100
@@ -1280,6 +1581,82 @@ diff -up openssl-1.1.1b/crypto/evp/m_sha1.c.fips openssl-1.1.1b/crypto/evp/m_sha
init512,
update512,
final512,
+diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha3.c
+--- openssl-1.1.1b/crypto/evp/m_sha3.c.fips 2019-02-26 15:15:30.000000000 +0100
++++ openssl-1.1.1b/crypto/evp/m_sha3.c 2019-05-06 16:12:23.012851747 +0200
+@@ -292,7 +292,7 @@ const EVP_MD *EVP_sha3_##bitlen(void)
+ NID_sha3_##bitlen, \
+ NID_RSA_SHA3_##bitlen, \
+ bitlen / 8, \
+- EVP_MD_FLAG_DIGALGID_ABSENT, \
++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \
+ s390x_sha3_init, \
+ s390x_sha3_update, \
+ s390x_sha3_final, \
+@@ -305,7 +305,7 @@ const EVP_MD *EVP_sha3_##bitlen(void)
+ NID_sha3_##bitlen, \
+ NID_RSA_SHA3_##bitlen, \
+ bitlen / 8, \
+- EVP_MD_FLAG_DIGALGID_ABSENT, \
++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \
+ sha3_init, \
+ sha3_update, \
+ sha3_final, \
+@@ -326,7 +326,7 @@ const EVP_MD *EVP_shake##bitlen(void)
+ NID_shake##bitlen, \
+ 0, \
+ bitlen / 8, \
+- EVP_MD_FLAG_XOF, \
++ EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS, \
+ s390x_shake_init, \
+ s390x_sha3_update, \
+ s390x_shake_final, \
+@@ -340,7 +340,7 @@ const EVP_MD *EVP_shake##bitlen(void)
+ NID_shake##bitlen, \
+ 0, \
+ bitlen / 8, \
+- EVP_MD_FLAG_XOF, \
++ EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS, \
+ shake_init, \
+ sha3_update, \
+ sha3_final, \
+@@ -364,7 +364,7 @@ const EVP_MD *EVP_sha3_##bitlen(void)
+ NID_sha3_##bitlen, \
+ NID_RSA_SHA3_##bitlen, \
+ bitlen / 8, \
+- EVP_MD_FLAG_DIGALGID_ABSENT, \
++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \
+ sha3_init, \
+ sha3_update, \
+ sha3_final, \
+@@ -383,7 +383,7 @@ const EVP_MD *EVP_shake##bitlen(void)
+ NID_shake##bitlen, \
+ 0, \
+ bitlen / 8, \
+- EVP_MD_FLAG_XOF, \
++ EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS, \
+ shake_init, \
+ sha3_update, \
+ sha3_final, \
+diff -up openssl-1.1.1b/crypto/evp/pmeth_lib.c.fips openssl-1.1.1b/crypto/evp/pmeth_lib.c
+--- openssl-1.1.1b/crypto/evp/pmeth_lib.c.fips 2019-02-26 15:15:30.000000000 +0100
++++ openssl-1.1.1b/crypto/evp/pmeth_lib.c 2019-05-06 15:11:33.207095983 +0200
+@@ -131,7 +131,15 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKE
+ pmeth = ENGINE_get_pkey_meth(e, id);
+ else
+ #endif
++ {
+ pmeth = EVP_PKEY_meth_find(id);
++#ifdef OPENSSL_FIPS
++ if (!(pmeth->flags & EVP_PKEY_FLAG_FIPS) && FIPS_mode()) {
++ EVPerr(EVP_F_INT_CTX_NEW, EVP_R_DISABLED_FOR_FIPS);
++ return NULL;
++ }
++#endif
++ }
+
+ if (pmeth == NULL) {
+ #ifndef OPENSSL_NO_ENGINE
diff -up openssl-1.1.1b/crypto/fips/build.info.fips openssl-1.1.1b/crypto/fips/build.info
--- openssl-1.1.1b/crypto/fips/build.info.fips 2019-02-28 11:30:06.806745670 +0100
+++ openssl-1.1.1b/crypto/fips/build.info 2019-02-28 11:30:06.806745670 +0100
@@ -1291,7 +1668,7 @@ diff -up openssl-1.1.1b/crypto/fips/build.info.fips openssl-1.1.1b/crypto/fips/b
+ fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
+ fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
+ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
-+ fips_enc.c fips_md.c fips_dh_selftest.c fips_ers.c
++ fips_dh_selftest.c fips_ers.c
+
+PROGRAMS_NO_INST=\
+ fips_standalone_hmac
@@ -2329,7 +2706,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.1b/cry
+ int rv = 1;
+
+ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) {
-+ cipher = FIPS_get_cipherbynid(t->nid);
++ cipher = EVP_get_cipherbynid(t->nid);
+ if (!cipher) {
+ rv = -1;
+ goto err;
@@ -3405,7 +3782,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.1b/crypto/
+{
+ const EVP_MD *md;
+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
-+ md = FIPS_get_digestbynid(dctx->type);
++ md = EVP_get_digestbynid(dctx->type);
+ if (!md)
+ return -2;
+ switch (dctx->type) {
@@ -7683,203 +8060,10 @@ diff -up openssl-1.1.1b/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.1b/cr
+}
+
+#endif
-diff -up openssl-1.1.1b/crypto/fips/fips_enc.c.fips openssl-1.1.1b/crypto/fips/fips_enc.c
---- openssl-1.1.1b/crypto/fips/fips_enc.c.fips 2019-02-28 11:30:06.815745503 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_enc.c 2019-02-28 11:30:06.814745521 +0100
-@@ -0,0 +1,189 @@
-+/* fipe/evp/fips_enc.c */
-+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay@cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ *
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to. The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
-+ *
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * "This product includes cryptographic software written by
-+ * Eric Young (eay@cryptsoft.com)"
-+ * The word 'cryptographic' can be left out if the rouines from the library
-+ * being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from
-+ * the apps directory (application code) you must include an acknowledgement:
-+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed. i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+
-+#include <stdio.h>
-+#include <string.h>
-+#include <openssl/evp.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+
-+const EVP_CIPHER *FIPS_get_cipherbynid(int nid)
-+{
-+ switch (nid) {
-+ case NID_aes_128_cbc:
-+ return EVP_aes_128_cbc();
-+
-+ case NID_aes_128_ccm:
-+ return EVP_aes_128_ccm();
-+
-+ case NID_aes_128_cfb1:
-+ return EVP_aes_128_cfb1();
-+
-+ case NID_aes_128_cfb128:
-+ return EVP_aes_128_cfb128();
-+
-+ case NID_aes_128_cfb8:
-+ return EVP_aes_128_cfb8();
-+
-+ case NID_aes_128_ctr:
-+ return EVP_aes_128_ctr();
-+
-+ case NID_aes_128_ecb:
-+ return EVP_aes_128_ecb();
-+
-+ case NID_aes_128_gcm:
-+ return EVP_aes_128_gcm();
-+
-+ case NID_aes_128_ofb128:
-+ return EVP_aes_128_ofb();
-+
-+ case NID_aes_128_xts:
-+ return EVP_aes_128_xts();
-+
-+ case NID_aes_192_cbc:
-+ return EVP_aes_192_cbc();
-+
-+ case NID_aes_192_ccm:
-+ return EVP_aes_192_ccm();
-+
-+ case NID_aes_192_cfb1:
-+ return EVP_aes_192_cfb1();
-+
-+ case NID_aes_192_cfb128:
-+ return EVP_aes_192_cfb128();
-+
-+ case NID_aes_192_cfb8:
-+ return EVP_aes_192_cfb8();
-+
-+ case NID_aes_192_ctr:
-+ return EVP_aes_192_ctr();
-+
-+ case NID_aes_192_ecb:
-+ return EVP_aes_192_ecb();
-+
-+ case NID_aes_192_gcm:
-+ return EVP_aes_192_gcm();
-+
-+ case NID_aes_192_ofb128:
-+ return EVP_aes_192_ofb();
-+
-+ case NID_aes_256_cbc:
-+ return EVP_aes_256_cbc();
-+
-+ case NID_aes_256_ccm:
-+ return EVP_aes_256_ccm();
-+
-+ case NID_aes_256_cfb1:
-+ return EVP_aes_256_cfb1();
-+
-+ case NID_aes_256_cfb128:
-+ return EVP_aes_256_cfb128();
-+
-+ case NID_aes_256_cfb8:
-+ return EVP_aes_256_cfb8();
-+
-+ case NID_aes_256_ctr:
-+ return EVP_aes_256_ctr();
-+
-+ case NID_aes_256_ecb:
-+ return EVP_aes_256_ecb();
-+
-+ case NID_aes_256_gcm:
-+ return EVP_aes_256_gcm();
-+
-+ case NID_aes_256_ofb128:
-+ return EVP_aes_256_ofb();
-+
-+ case NID_aes_256_xts:
-+ return EVP_aes_256_xts();
-+
-+ case NID_des_ede_ecb:
-+ return EVP_des_ede();
-+
-+ case NID_des_ede3_ecb:
-+ return EVP_des_ede3();
-+
-+ case NID_des_ede3_cbc:
-+ return EVP_des_ede3_cbc();
-+
-+ case NID_des_ede3_cfb1:
-+ return EVP_des_ede3_cfb1();
-+
-+ case NID_des_ede3_cfb64:
-+ return EVP_des_ede3_cfb64();
-+
-+ case NID_des_ede3_cfb8:
-+ return EVP_des_ede3_cfb8();
-+
-+ case NID_des_ede3_ofb64:
-+ return EVP_des_ede3_ofb();
-+
-+ case NID_des_ede_cbc:
-+ return EVP_des_ede_cbc();
-+
-+ case NID_des_ede_cfb64:
-+ return EVP_des_ede_cfb64();
-+
-+ case NID_des_ede_ofb64:
-+ return EVP_des_ede_ofb();
-+
-+ default:
-+ return NULL;
-+
-+ }
-+}
diff -up openssl-1.1.1b/crypto/fips/fips_err.h.fips openssl-1.1.1b/crypto/fips/fips_err.h
---- openssl-1.1.1b/crypto/fips/fips_err.h.fips 2019-02-28 11:30:06.815745503 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_err.h 2019-02-28 11:30:06.815745503 +0100
-@@ -0,0 +1,196 @@
+--- openssl-1.1.1b/crypto/fips/fips_err.h.fips 2019-05-06 16:08:46.792598211 +0200
++++ openssl-1.1.1b/crypto/fips/fips_err.h 2019-05-06 16:19:56.403993551 +0200
+@@ -0,0 +1,197 @@
+/* crypto/fips_err.h */
+/* ====================================================================
+ * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
@@ -7981,6 +8165,7 @@ diff -up openssl-1.1.1b/crypto/fips/fips_err.h.fips openssl-1.1.1b/crypto/fips/f
+ {ERR_FUNC(FIPS_F_FIPS_RAND_SET_METHOD), "FIPS_rand_set_method"},
+ {ERR_FUNC(FIPS_F_FIPS_RAND_STATUS), "FIPS_rand_status"},
+ {ERR_FUNC(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN), "fips_rsa_builtin_keygen"},
++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST), "FIPS_selftest"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES), "FIPS_selftest_aes"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_CCM), "FIPS_selftest_aes_ccm"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_GCM), "FIPS_selftest_aes_gcm"},
@@ -8300,158 +8485,10 @@ diff -up openssl-1.1.1b/crypto/fips/fips_locl.h.fips openssl-1.1.1b/crypto/fips/
+}
+# endif
+#endif
-diff -up openssl-1.1.1b/crypto/fips/fips_md.c.fips openssl-1.1.1b/crypto/fips/fips_md.c
---- openssl-1.1.1b/crypto/fips/fips_md.c.fips 2019-02-28 11:30:06.815745503 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_md.c 2019-02-28 11:30:06.815745503 +0100
-@@ -0,0 +1,144 @@
-+/* fips/evp/fips_md.c */
-+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay@cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ *
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to. The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
-+ *
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * "This product includes cryptographic software written by
-+ * Eric Young (eay@cryptsoft.com)"
-+ * The word 'cryptographic' can be left out if the rouines from the library
-+ * being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from
-+ * the apps directory (application code) you must include an acknowledgement:
-+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed. i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+/* ====================================================================
-+ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com). This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+/* Minimal standalone FIPS versions of Digest operations */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include <stdio.h>
-+#include <string.h>
-+#include <openssl/objects.h>
-+#include <openssl/evp.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+
-+const EVP_MD *FIPS_get_digestbynid(int nid)
-+{
-+ switch (nid) {
-+ case NID_sha1:
-+ return EVP_sha1();
-+
-+ case NID_sha224:
-+ return EVP_sha224();
-+
-+ case NID_sha256:
-+ return EVP_sha256();
-+
-+ case NID_sha384:
-+ return EVP_sha384();
-+
-+ case NID_sha512:
-+ return EVP_sha512();
-+
-+ default:
-+ return NULL;
-+ }
-+}
diff -up openssl-1.1.1b/crypto/fips/fips_post.c.fips openssl-1.1.1b/crypto/fips/fips_post.c
---- openssl-1.1.1b/crypto/fips/fips_post.c.fips 2019-02-28 11:30:06.816745484 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_post.c 2019-02-28 11:30:06.816745484 +0100
-@@ -0,0 +1,222 @@
+--- openssl-1.1.1b/crypto/fips/fips_post.c.fips 2019-05-06 16:08:46.794598177 +0200
++++ openssl-1.1.1b/crypto/fips/fips_post.c 2019-05-06 16:08:46.794598177 +0200
+@@ -0,0 +1,224 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
@@ -8533,6 +8570,8 @@ diff -up openssl-1.1.1b/crypto/fips/fips_post.c.fips openssl-1.1.1b/crypto/fips/
+ rv = 0;
+ if (!FIPS_selftest_sha2())
+ rv = 0;
++ if (!FIPS_selftest_sha3())
++ rv = 0;
+ if (!FIPS_selftest_hmac())
+ rv = 0;
+ if (!FIPS_selftest_cmac())
@@ -9462,9 +9501,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1b/cryp
+
+#endif /* def OPENSSL_FIPS */
diff -up openssl-1.1.1b/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_sha_selftest.c
---- openssl-1.1.1b/crypto/fips/fips_sha_selftest.c.fips 2019-02-28 11:30:06.817745466 +0100
-+++ openssl-1.1.1b/crypto/fips/fips_sha_selftest.c 2019-02-28 11:30:06.816745484 +0100
-@@ -0,0 +1,138 @@
+--- openssl-1.1.1b/crypto/fips/fips_sha_selftest.c.fips 2019-05-06 16:08:46.795598159 +0200
++++ openssl-1.1.1b/crypto/fips/fips_sha_selftest.c 2019-05-06 17:35:40.211316880 +0200
+@@ -0,0 +1,223 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
@@ -9602,6 +9641,91 @@ diff -up openssl-1.1.1b/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.1b/cryp
+ return 1;
+}
+
++static const unsigned char msg_sha3_256[] = {
++ 0xa1, 0xd7, 0xce, 0x51, 0x04, 0xeb, 0x25, 0xd6,
++ 0x13, 0x1b, 0xb8, 0xf6, 0x6e, 0x1f, 0xb1, 0x3f,
++ 0x35, 0x23
++};
++
++static const unsigned char dig_sha3_256[] = {
++ 0xee, 0x90, 0x62, 0xf3, 0x97, 0x20, 0xb8, 0x21,
++ 0xb8, 0x8b, 0xe5, 0xe6, 0x46, 0x21, 0xd7, 0xe0,
++ 0xca, 0x02, 0x6a, 0x9f, 0xe7, 0x24, 0x8d, 0x78,
++ 0x15, 0x0b, 0x14, 0xbd, 0xba, 0xa4, 0x0b, 0xed
++};
++
++static const unsigned char msg_sha3_512[] = {
++ 0x13, 0x3b, 0x49, 0x7b, 0x00, 0x93, 0x27, 0x73,
++ 0xa5, 0x3b, 0xa9, 0xbf, 0x8e, 0x61, 0xd5, 0x9f,
++ 0x05, 0xf4
++};
++
++static const unsigned char dig_sha3_512[] = {
++ 0x78, 0x39, 0x64, 0xa1, 0xcf, 0x41, 0xd6, 0xd2,
++ 0x10, 0xa8, 0xd7, 0xc8, 0x1c, 0xe6, 0x97, 0x0a,
++ 0xa6, 0x2c, 0x90, 0x53, 0xcb, 0x89, 0xe1, 0x5f,
++ 0x88, 0x05, 0x39, 0x57, 0xec, 0xf6, 0x07, 0xf4,
++ 0x2a, 0xf0, 0x88, 0x04, 0xe7, 0x6f, 0x2f, 0xbd,
++ 0xbb, 0x31, 0x80, 0x9c, 0x9e, 0xef, 0xc6, 0x0e,
++ 0x23, 0x3d, 0x66, 0x24, 0x36, 0x7a, 0x3b, 0x9c,
++ 0x30, 0xf8, 0xee, 0x5f, 0x65, 0xbe, 0x56, 0xac
++};
++
++static const unsigned char msg_shake_128[] = {
++ 0x43, 0xbd, 0xb1, 0x1e, 0xac, 0x71, 0x03, 0x1f,
++ 0x02, 0xa1, 0x1c, 0x15, 0xa1, 0x88, 0x5f, 0xa4,
++ 0x28, 0x98
++};
++
++static const unsigned char dig_shake_128[] = {
++ 0xde, 0x68, 0x02, 0x7d, 0xa1, 0x30, 0x66, 0x3a,
++ 0x73, 0x98, 0x0e, 0x35, 0x25, 0xb8, 0x8c, 0x75
++};
++
++static const unsigned char msg_shake_256[] = {
++ 0x8f, 0x84, 0xa3, 0x7d, 0xbd, 0x44, 0xd0, 0xf6,
++ 0x95, 0x36, 0xc5, 0xf4, 0x44, 0x6b, 0xa3, 0x23,
++ 0x9b, 0xfc
++};
++
++static const unsigned char dig_shake_256[] = {
++ 0x05, 0xca, 0x83, 0x5e, 0x0c, 0xdb, 0xfa, 0xf5,
++ 0x95, 0xc6, 0x86, 0x7e, 0x2d, 0x9d, 0xb9, 0x3f,
++ 0xca, 0x9c, 0x8b, 0xc6, 0x65, 0x02, 0x2e, 0xdd,
++ 0x6f, 0xe7, 0xb3, 0xda, 0x5e, 0x07, 0xc4, 0xcf
++};
++
++int FIPS_selftest_sha3(void)
++{
++ unsigned char md[SHA512_DIGEST_LENGTH];
++
++ EVP_Digest(msg_sha3_256, sizeof(msg_sha3_256), md, NULL, EVP_sha3_256(), NULL);
++ if (memcmp(dig_sha3_256, md, sizeof(dig_sha3_256))) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++
++ EVP_Digest(msg_sha3_512, sizeof(msg_sha3_512), md, NULL, EVP_sha3_512(), NULL);
++ if (memcmp(dig_sha3_512, md, sizeof(dig_sha3_512))) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++
++ EVP_Digest(msg_shake_128, sizeof(msg_shake_128), md, NULL, EVP_shake128(), NULL);
++ if (memcmp(dig_shake_128, md, sizeof(dig_shake_128))) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++
++ EVP_Digest(msg_shake_256, sizeof(msg_shake_256), md, NULL, EVP_shake256(), NULL);
++ if (memcmp(dig_shake_256, md, sizeof(dig_shake_256))) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++
++ return 1;
++}
++
+#endif
diff -up openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c
--- openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c.fips 2019-02-28 11:30:06.817745466 +0100
@@ -9751,10 +9875,22 @@ diff -up openssl-1.1.1b/crypto/hmac/hmac.c.fips openssl-1.1.1b/crypto/hmac/hmac.
reset = 1;
j = EVP_MD_block_size(md);
if (!ossl_assert(j <= (int)sizeof(ctx->key)))
+diff -up openssl-1.1.1b/crypto/hmac/hm_pmeth.c.fips openssl-1.1.1b/crypto/hmac/hm_pmeth.c
+--- openssl-1.1.1b/crypto/hmac/hm_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100
++++ openssl-1.1.1b/crypto/hmac/hm_pmeth.c 2019-05-06 14:56:01.123257022 +0200
+@@ -180,7 +180,7 @@ static int pkey_hmac_ctrl_str(EVP_PKEY_C
+
+ const EVP_PKEY_METHOD hmac_pkey_meth = {
+ EVP_PKEY_HMAC,
+- 0,
++ EVP_PKEY_FLAG_FIPS,
+ pkey_hmac_init,
+ pkey_hmac_copy,
+ pkey_hmac_cleanup,
diff -up openssl-1.1.1b/crypto/include/internal/fips_int.h.fips openssl-1.1.1b/crypto/include/internal/fips_int.h
--- openssl-1.1.1b/crypto/include/internal/fips_int.h.fips 2019-02-28 11:30:06.817745466 +0100
+++ openssl-1.1.1b/crypto/include/internal/fips_int.h 2019-02-28 11:30:06.817745466 +0100
-@@ -0,0 +1,101 @@
+@@ -0,0 +1,97 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
@@ -9849,10 +9985,6 @@ diff -up openssl-1.1.1b/crypto/include/internal/fips_int.h.fips openssl-1.1.1b/c
+
+void fips_set_selftest_fail(void);
+
-+const EVP_MD *FIPS_get_digestbynid(int nid);
-+
-+const EVP_CIPHER *FIPS_get_cipherbynid(int nid);
-+
+void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
+
+#endif
@@ -10676,6 +10808,27 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1b/crypto/rsa/rsa
if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
return -1;
+diff -up openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.fips openssl-1.1.1b/crypto/rsa/rsa_pmeth.c
+--- openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.fips 2019-05-06 14:48:26.514174053 +0200
++++ openssl-1.1.1b/crypto/rsa/rsa_pmeth.c 2019-05-06 14:45:46.732956649 +0200
+@@ -756,7 +756,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX
+
+ const EVP_PKEY_METHOD rsa_pkey_meth = {
+ EVP_PKEY_RSA,
+- EVP_PKEY_FLAG_AUTOARGLEN,
++ EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS,
+ pkey_rsa_init,
+ pkey_rsa_copy,
+ pkey_rsa_cleanup,
+@@ -838,7 +838,7 @@ static int pkey_pss_init(EVP_PKEY_CTX *c
+
+ const EVP_PKEY_METHOD rsa_pss_pkey_meth = {
+ EVP_PKEY_RSA_PSS,
+- EVP_PKEY_FLAG_AUTOARGLEN,
++ EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS,
+ pkey_rsa_init,
+ pkey_rsa_copy,
+ pkey_rsa_cleanup,
diff -up openssl-1.1.1b/crypto/rsa/rsa_sign.c.fips openssl-1.1.1b/crypto/rsa/rsa_sign.c
--- openssl-1.1.1b/crypto/rsa/rsa_sign.c.fips 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/rsa/rsa_sign.c 2019-02-28 11:30:06.819745428 +0100
@@ -10875,12 +11028,20 @@ diff -up openssl-1.1.1b/include/openssl/dsa.h.fips openssl-1.1.1b/include/openss
# if OPENSSL_API_COMPAT < 0x10100000L
diff -up openssl-1.1.1b/include/openssl/evperr.h.fips openssl-1.1.1b/include/openssl/evperr.h
--- openssl-1.1.1b/include/openssl/evperr.h.fips 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/include/openssl/evperr.h 2019-02-28 11:30:06.821745391 +0100
-@@ -25,6 +25,7 @@ int ERR_load_EVP_strings(void);
++++ openssl-1.1.1b/include/openssl/evperr.h 2019-05-06 16:40:21.324571446 +0200
+@@ -20,11 +20,15 @@ int ERR_load_EVP_strings(void);
+ * EVP function codes.
+ */
+ # define EVP_F_AESNI_INIT_KEY 165
++# define EVP_F_AESNI_XTS_INIT_KEY 233
+ # define EVP_F_AES_GCM_CTRL 196
+ # define EVP_F_AES_INIT_KEY 133
# define EVP_F_AES_OCB_CIPHER 169
# define EVP_F_AES_T4_INIT_KEY 178
++# define EVP_F_AES_T4_XTS_INIT_KEY 234
# define EVP_F_AES_WRAP_CIPHER 170
-+# define EVP_F_AES_XTS_CIPHER 300
++# define EVP_F_AES_XTS_CIPHER 229
++# define EVP_F_AES_XTS_INIT_KEY 235
# define EVP_F_ALG_MODULE_INIT 177
# define EVP_F_ARIA_CCM_INIT_KEY 175
# define EVP_F_ARIA_GCM_CTRL 197
@@ -10900,10 +11061,31 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.fips openssl-1.1.1b/include/ope
# define EVP_R_UNKNOWN_CIPHER 160
# define EVP_R_UNKNOWN_DIGEST 161
# define EVP_R_UNKNOWN_OPTION 169
+@@ -190,5 +193,7 @@ int ERR_load_EVP_strings(void);
+ # define EVP_R_UNSUPPORTED_SALT_TYPE 126
+ # define EVP_R_WRAP_MODE_NOT_ALLOWED 170
+ # define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109
++# define EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE 191
++# define EVP_R_XTS_DUPLICATED_KEYS 192
+
+ #endif
+diff -up openssl-1.1.1b/include/openssl/evp.h.fips openssl-1.1.1b/include/openssl/evp.h
+--- openssl-1.1.1b/include/openssl/evp.h.fips 2019-02-26 15:15:30.000000000 +0100
++++ openssl-1.1.1b/include/openssl/evp.h 2019-05-06 14:54:13.213136281 +0200
+@@ -1319,6 +1319,9 @@ void EVP_PKEY_asn1_set_security_bits(EVP
+ */
+ # define EVP_PKEY_FLAG_SIGCTX_CUSTOM 4
+
++/* Downstream modification, large value to avoid conflict */
++# define EVP_PKEY_FLAG_FIPS 0x4000
++
+ const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type);
+ EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags);
+ void EVP_PKEY_meth_get0_info(int *ppkey_id, int *pflags,
diff -up openssl-1.1.1b/include/openssl/fips.h.fips openssl-1.1.1b/include/openssl/fips.h
---- openssl-1.1.1b/include/openssl/fips.h.fips 2019-02-28 11:30:06.821745391 +0100
-+++ openssl-1.1.1b/include/openssl/fips.h 2019-02-28 11:30:06.821745391 +0100
-@@ -0,0 +1,186 @@
+--- openssl-1.1.1b/include/openssl/fips.h.fips 2019-05-06 16:08:46.800598073 +0200
++++ openssl-1.1.1b/include/openssl/fips.h 2019-05-06 16:43:12.874549821 +0200
+@@ -0,0 +1,187 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
@@ -11019,6 +11201,7 @@ diff -up openssl-1.1.1b/include/openssl/fips.h.fips openssl-1.1.1b/include/opens
+# define FIPS_F_FIPS_RAND_SET_METHOD 126
+# define FIPS_F_FIPS_RAND_STATUS 127
+# define FIPS_F_FIPS_RSA_BUILTIN_KEYGEN 101
++# define FIPS_F_FIPS_SELFTEST 150
+# define FIPS_F_FIPS_SELFTEST_AES 110
+# define FIPS_F_FIPS_SELFTEST_AES_CCM 145
+# define FIPS_F_FIPS_SELFTEST_AES_GCM 129
@@ -11550,6 +11733,17 @@ diff -up openssl-1.1.1b/test/dsatest.c.fips openssl-1.1.1b/test/dsatest.c
goto end;
if (!TEST_int_eq(h, 2))
goto end;
+diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt
+--- openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.fips 2019-05-06 16:08:46.857597085 +0200
++++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt 2019-05-06 16:35:37.917563292 +0200
+@@ -1184,6 +1184,7 @@ Key = 0000000000000000000000000000000000
+ IV = 00000000000000000000000000000000
+ Plaintext = 0000000000000000000000000000000000000000000000000000000000000000
+ Ciphertext = 917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e
++Result = KEY_SET_ERROR
+
+ Cipher = aes-128-xts
+ Key = 1111111111111111111111111111111122222222222222222222222222222222
diff -up openssl-1.1.1b/util/libcrypto.num.fips openssl-1.1.1b/util/libcrypto.num
--- openssl-1.1.1b/util/libcrypto.num.fips 2019-02-28 11:30:06.824745335 +0100
+++ openssl-1.1.1b/util/libcrypto.num 2019-02-28 11:33:54.284516991 +0100
diff --git a/openssl.spec b/openssl.spec
index 2e3cbdb..1814eed 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.1b
-Release: 7%{?dist}
+Release: 8%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -64,6 +64,7 @@ Patch50: openssl-1.1.1-ssh-kdf.patch
# Backported fixes including security fixes
Patch51: openssl-1.1.1-upstream-sync.patch
Patch52: openssl-1.1.1-s390x-update.patch
+Patch53: openssl-1.1.1-fips-crng-test.patch
License: OpenSSL
URL: http://www.openssl.org/
@@ -162,6 +163,7 @@ cp %{SOURCE13} test/
%patch50 -p1 -b .ssh-kdf
%patch51 -p1 -b .upstream-sync
%patch52 -p1 -b .s390x-update
+%patch53 -p1 -b .crng-test
%build
@@ -448,6 +450,9 @@ export LD_LIBRARY_PATH
%ldconfig_scriptlets libs
%changelog
+* Tue May 7 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-8
+- FIPS compliance fixes
+
* Mon May 6 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-7
- add S390x chacha20-poly1305 assembler support from master branch