diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c --- openssl-1.1.1b/apps/speed.c.fips 2019-05-07 08:56:33.531174336 +0200 +++ openssl-1.1.1b/apps/speed.c 2019-05-07 09:43:06.673989992 +0200 @@ -1592,7 +1592,8 @@ int speed_main(int argc, char **argv) continue; if (strcmp(*argv, "rsa") == 0) { for (loop = 0; loop < OSSL_NELEM(rsa_doit); loop++) - rsa_doit[loop] = 1; + if (!FIPS_mode() || loop != R_RSA_512) + rsa_doit[loop] = 1; continue; } if (found(*argv, rsa_choices, &i)) { @@ -1602,7 +1603,9 @@ int speed_main(int argc, char **argv) #endif #ifndef OPENSSL_NO_DSA if (strcmp(*argv, "dsa") == 0) { - dsa_doit[R_DSA_512] = dsa_doit[R_DSA_1024] = + if (!FIPS_mode()) + dsa_doit[R_DSA_512] = 1; + dsa_doit[R_DSA_1024] = dsa_doit[R_DSA_2048] = 1; continue; } @@ -1640,12 +1643,12 @@ int speed_main(int argc, char **argv) ecdh_doit[i] = 2; continue; } - if (strcmp(*argv, "eddsa") == 0) { + if (!FIPS_mode() && strcmp(*argv, "eddsa") == 0) { for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++) eddsa_doit[loop] = 1; continue; } - if (found(*argv, eddsa_choices, &i)) { + if (!FIPS_mode() && found(*argv, eddsa_choices, &i)) { eddsa_doit[i] = 2; continue; } @@ -1734,23 +1737,30 @@ int speed_main(int argc, char **argv) /* No parameters; turn on everything. */ if ((argc == 0) && !doit[D_EVP]) { for (i = 0; i < ALGOR_NUM; i++) - if (i != D_EVP) + if (i != D_EVP && + (!FIPS_mode() || (i != D_WHIRLPOOL && + i != D_MD2 && i != D_MD4 && + i != D_MD5 && i != D_MDC2 && + i != D_RMD160))) doit[i] = 1; #ifndef OPENSSL_NO_RSA for (i = 0; i < RSA_NUM; i++) - rsa_doit[i] = 1; + if (!FIPS_mode() || i != R_RSA_512) + rsa_doit[i] = 1; #endif #ifndef OPENSSL_NO_DSA for (i = 0; i < DSA_NUM; i++) - dsa_doit[i] = 1; + if (!FIPS_mode() || i != R_DSA_512) + dsa_doit[i] = 1; #endif #ifndef OPENSSL_NO_EC for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++) ecdsa_doit[loop] = 1; for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++) ecdh_doit[loop] = 1; - for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++) - eddsa_doit[loop] = 1; + if (!FIPS_mode()) + for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++) + eddsa_doit[loop] = 1; #endif } for (i = 0; i < ALGOR_NUM; i++) @@ -1798,30 +1808,46 @@ int speed_main(int argc, char **argv) AES_set_encrypt_key(key24, 192, &aes_ks2); AES_set_encrypt_key(key32, 256, &aes_ks3); #ifndef OPENSSL_NO_CAMELLIA - Camellia_set_key(key16, 128, &camellia_ks1); - Camellia_set_key(ckey24, 192, &camellia_ks2); - Camellia_set_key(ckey32, 256, &camellia_ks3); + if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML]) { + Camellia_set_key(key16, 128, &camellia_ks1); + Camellia_set_key(ckey24, 192, &camellia_ks2); + Camellia_set_key(ckey32, 256, &camellia_ks3); + } #endif #ifndef OPENSSL_NO_IDEA - IDEA_set_encrypt_key(key16, &idea_ks); + if (doit[D_CBC_IDEA]) { + IDEA_set_encrypt_key(key16, &idea_ks); + } #endif #ifndef OPENSSL_NO_SEED - SEED_set_key(key16, &seed_ks); + if (doit[D_CBC_SEED]) { + SEED_set_key(key16, &seed_ks); + } #endif #ifndef OPENSSL_NO_RC4 - RC4_set_key(&rc4_ks, 16, key16); + if (doit[D_RC4]) { + RC4_set_key(&rc4_ks, 16, key16); + } #endif #ifndef OPENSSL_NO_RC2 - RC2_set_key(&rc2_ks, 16, key16, 128); + if (doit[D_CBC_RC2]) { + RC2_set_key(&rc2_ks, 16, key16, 128); + } #endif #ifndef OPENSSL_NO_RC5 - RC5_32_set_key(&rc5_ks, 16, key16, 12); + if (doit[D_CBC_RC5]) { + RC5_32_set_key(&rc5_ks, 16, key16, 12); + } #endif #ifndef OPENSSL_NO_BF - BF_set_key(&bf_ks, 16, key16); + if (doit[D_CBC_BF]) { + BF_set_key(&bf_ks, 16, key16); + } #endif #ifndef OPENSSL_NO_CAST - CAST_set_key(&cast_ks, 16, key16); + if (doit[D_CBC_CAST]) { + CAST_set_key(&cast_ks, 16, key16); + } #endif #ifndef SIGALRM # ifndef OPENSSL_NO_DES @@ -2118,6 +2144,7 @@ int speed_main(int argc, char **argv) for (i = 0; i < loopargs_len; i++) { loopargs[i].hctx = HMAC_CTX_new(); + HMAC_CTX_set_flags(loopargs[i].hctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); if (loopargs[i].hctx == NULL) { BIO_printf(bio_err, "HMAC malloc failure, exiting..."); exit(1); diff -up openssl-1.1.1b/Configure.fips openssl-1.1.1b/Configure --- openssl-1.1.1b/Configure.fips 2019-02-28 11:30:06.775746246 +0100 +++ openssl-1.1.1b/Configure 2019-02-28 11:30:06.779746172 +0100 @@ -313,7 +313,7 @@ $config{sdirs} = [ "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "siphash", "sm3", "des", "aes", "rc2", "rc4", "rc5", "idea", "aria", "bf", "cast", "camellia", "seed", "sm4", "chacha", "modes", "bn", "ec", "rsa", "dsa", "dh", "sm2", "dso", "engine", - "buffer", "bio", "stack", "lhash", "rand", "err", + "buffer", "bio", "stack", "lhash", "rand", "err", "fips", "evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui", "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store" ]; diff -up openssl-1.1.1b/crypto/cmac/cm_pmeth.c.fips openssl-1.1.1b/crypto/cmac/cm_pmeth.c --- openssl-1.1.1b/crypto/cmac/cm_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/cmac/cm_pmeth.c 2019-05-06 14:55:32.866749109 +0200 @@ -129,7 +129,7 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_C const EVP_PKEY_METHOD cmac_pkey_meth = { EVP_PKEY_CMAC, - EVP_PKEY_FLAG_SIGCTX_CUSTOM, + EVP_PKEY_FLAG_SIGCTX_CUSTOM | EVP_PKEY_FLAG_FIPS, pkey_cmac_init, pkey_cmac_copy, pkey_cmac_cleanup, diff -up openssl-1.1.1b/crypto/dh/dh_err.c.fips openssl-1.1.1b/crypto/dh/dh_err.c --- openssl-1.1.1b/crypto/dh/dh_err.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/dh/dh_err.c 2019-02-28 11:30:06.779746172 +0100 @@ -25,6 +25,9 @@ static const ERR_STRING_DATA DH_str_func {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"}, {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_SHARED_INFO, 0), "dh_cms_set_shared_info"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_COMPUTE_KEY, 0), "DH_compute_key"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_KEY, 0), "DH_generate_key"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_PARAMETERS_EX, 0), "DH_generate_parameters_ex"}, {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_DUP, 0), "DH_meth_dup"}, {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_NEW, 0), "DH_meth_new"}, {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_SET1_NAME, 0), "DH_meth_set1_name"}, @@ -72,12 +75,14 @@ static const ERR_STRING_DATA DH_str_reas {ERR_PACK(ERR_LIB_DH, 0, DH_R_INVALID_PUBKEY), "invalid public key"}, {ERR_PACK(ERR_LIB_DH, 0, DH_R_KDF_PARAMETER_ERROR), "kdf parameter error"}, {ERR_PACK(ERR_LIB_DH, 0, DH_R_KEYS_NOT_SET), "keys not set"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_KEY_SIZE_TOO_SMALL), "key size too small"}, {ERR_PACK(ERR_LIB_DH, 0, DH_R_MISSING_PUBKEY), "missing pubkey"}, {ERR_PACK(ERR_LIB_DH, 0, DH_R_MODULUS_TOO_LARGE), "modulus too large"}, {ERR_PACK(ERR_LIB_DH, 0, DH_R_NOT_SUITABLE_GENERATOR), "not suitable generator"}, {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PARAMETERS_SET), "no parameters set"}, {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PRIVATE_VALUE), "no private value"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_NON_FIPS_METHOD), "non FIPS method"}, {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"}, {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, diff -up openssl-1.1.1b/crypto/dh/dh_gen.c.fips openssl-1.1.1b/crypto/dh/dh_gen.c --- openssl-1.1.1b/crypto/dh/dh_gen.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/dh/dh_gen.c 2019-02-28 11:30:06.780746153 +0100 @@ -16,6 +16,9 @@ #include "internal/cryptlib.h" #include #include "dh_locl.h" +#ifdef OPENSSL_FIPS +# include +#endif static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb); @@ -23,6 +26,13 @@ static int dh_builtin_genparams(DH *ret, int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, BN_GENCB *cb) { +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD) + && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) { + DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD); + return 0; + } +#endif if (ret->meth->generate_params) return ret->meth->generate_params(ret, prime_len, generator, cb); return dh_builtin_genparams(ret, prime_len, generator, cb); @@ -62,6 +72,18 @@ static int dh_builtin_genparams(DH *ret, int g, ok = -1; BN_CTX *ctx = NULL; +#ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { + FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED); + return 0; + } + + if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) { + DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL); + goto err; + } +#endif + ctx = BN_CTX_new(); if (ctx == NULL) goto err; diff -up openssl-1.1.1b/crypto/dh/dh_key.c.fips openssl-1.1.1b/crypto/dh/dh_key.c --- openssl-1.1.1b/crypto/dh/dh_key.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/dh/dh_key.c 2019-02-28 11:30:06.780746153 +0100 @@ -11,6 +11,9 @@ #include "internal/cryptlib.h" #include "dh_locl.h" #include "internal/bn_int.h" +#ifdef OPENSSL_FIPS +# include +#endif static int generate_key(DH *dh); static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); @@ -22,18 +25,32 @@ static int dh_finish(DH *dh); int DH_generate_key(DH *dh) { +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD) + && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) { + DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD); + return 0; + } +#endif return dh->meth->generate_key(dh); } int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) { +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD) + && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) { + DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD); + return 0; + } +#endif return dh->meth->compute_key(key, pub_key, dh); } int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh) { int rv, pad; - rv = dh->meth->compute_key(key, pub_key, dh); + rv = DH_compute_key(key, pub_key, dh); if (rv <= 0) return rv; pad = BN_num_bytes(dh->p) - rv; @@ -82,6 +99,14 @@ static int generate_key(DH *dh) BN_MONT_CTX *mont = NULL; BIGNUM *pub_key = NULL, *priv_key = NULL; +#ifdef OPENSSL_FIPS + if (FIPS_mode() + && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { + DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL); + return 0; + } +#endif + if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); return 0; @@ -170,6 +195,13 @@ static int compute_key(unsigned char *ke DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE); goto err; } +#ifdef OPENSSL_FIPS + if (FIPS_mode() + && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { + DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL); + goto err; + } +#endif ctx = BN_CTX_new(); if (ctx == NULL) @@ -221,6 +253,9 @@ static int dh_bn_mod_exp(const DH *dh, B static int dh_init(DH *dh) { +#ifdef OPENSSL_FIPS + FIPS_selftest_check(); +#endif dh->flags |= DH_FLAG_CACHE_MONT_P; return 1; } diff -up openssl-1.1.1b/crypto/dh/dh_pmeth.c.fips openssl-1.1.1b/crypto/dh/dh_pmeth.c --- openssl-1.1.1b/crypto/dh/dh_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/dh/dh_pmeth.c 2019-05-06 14:57:29.184723430 +0200 @@ -480,7 +480,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX * const EVP_PKEY_METHOD dh_pkey_meth = { EVP_PKEY_DH, - 0, + EVP_PKEY_FLAG_FIPS, pkey_dh_init, pkey_dh_copy, pkey_dh_cleanup, @@ -514,7 +514,7 @@ const EVP_PKEY_METHOD dh_pkey_meth = { const EVP_PKEY_METHOD dhx_pkey_meth = { EVP_PKEY_DHX, - 0, + EVP_PKEY_FLAG_FIPS, pkey_dh_init, pkey_dh_copy, pkey_dh_cleanup, diff -up openssl-1.1.1b/crypto/dsa/dsa_err.c.fips openssl-1.1.1b/crypto/dsa/dsa_err.c --- openssl-1.1.1b/crypto/dsa/dsa_err.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/dsa/dsa_err.c 2019-02-28 11:30:06.798745819 +0100 @@ -16,12 +16,15 @@ static const ERR_STRING_DATA DSA_str_functs[] = { {ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT, 0), "DSAparams_print"}, {ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT_FP, 0), "DSAparams_print_fp"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_KEYGEN, 0), "dsa_builtin_keygen"}, {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_PARAMGEN, 0), "dsa_builtin_paramgen"}, {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_PARAMGEN2, 0), "dsa_builtin_paramgen2"}, {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_SIGN, 0), "DSA_do_sign"}, {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_VERIFY, 0), "DSA_do_verify"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_KEY, 0), "DSA_generate_key"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_PARAMETERS_EX, 0), "DSA_generate_parameters_ex"}, {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_DUP, 0), "DSA_meth_dup"}, {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_NEW, 0), "DSA_meth_new"}, {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_SET1_NAME, 0), "DSA_meth_set1_name"}, @@ -51,9 +54,12 @@ static const ERR_STRING_DATA DSA_str_rea {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_DIGEST_TYPE), "invalid digest type"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_PARAMETERS), "invalid parameters"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_INVALID), "key size invalid"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_TOO_SMALL), "key size too small"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PARAMETERS), "missing parameters"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MODULUS_TOO_LARGE), "modulus too large"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NO_PARAMETERS_SET), "no parameters set"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NON_FIPS_DSA_METHOD), "non FIPS DSA method"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"}, diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_gen.c --- openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/dsa/dsa_gen.c 2019-02-28 11:30:06.799745800 +0100 @@ -22,12 +22,22 @@ #include #include #include "dsa_locl.h" +#ifdef OPENSSL_FIPS +# include +#endif int DSA_generate_parameters_ex(DSA *ret, int bits, const unsigned char *seed_in, int seed_len, int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) { +# ifdef OPENSSL_FIPS + if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD) + && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW)) { + DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD); + return 0; + } +# endif if (ret->meth->dsa_paramgen) return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len, counter_ret, h_ret, cb); @@ -35,9 +45,15 @@ int DSA_generate_parameters_ex(DSA *ret, const EVP_MD *evpmd = bits >= 2048 ? EVP_sha256() : EVP_sha1(); size_t qbits = EVP_MD_size(evpmd) * 8; +# ifdef OPENSSL_FIPS + return dsa_builtin_paramgen2(ret, bits, qbits, evpmd, + seed_in, seed_len, -1, NULL, counter_ret, + h_ret, cb); +# else return dsa_builtin_paramgen(ret, bits, qbits, evpmd, seed_in, seed_len, NULL, counter_ret, h_ret, cb); +# endif } } @@ -310,7 +326,7 @@ int dsa_builtin_paramgen2(DSA *ret, size int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) { - int ok = -1; + int ok = 0; unsigned char *seed = NULL, *seed_tmp = NULL; unsigned char md[EVP_MAX_MD_SIZE]; int mdsize; @@ -333,6 +349,20 @@ int dsa_builtin_paramgen2(DSA *ret, size goto err; } +# ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { + FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN2, FIPS_R_FIPS_SELFTEST_FAILED); + goto err; + } + + if (FIPS_mode() && (L != 1024 || N != 160) && + (L != 2048 || N != 224) && (L != 2048 || N != 256) && + (L != 3072 || N != 256)) { + DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_KEY_SIZE_INVALID); + goto err; + } +# endif + if (evpmd == NULL) { if (N == 160) evpmd = EVP_sha1(); @@ -433,9 +463,10 @@ int dsa_builtin_paramgen2(DSA *ret, size goto err; /* Provided seed didn't produce a prime: error */ if (seed_in) { - ok = 0; - DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_Q_NOT_PRIME); - goto err; + /* Different seed_out will indicate that seed_in + * did not generate primes. + */ + seed_in = NULL; } /* do a callback call */ @@ -521,11 +552,14 @@ int dsa_builtin_paramgen2(DSA *ret, size if (counter >= (int)(4 * L)) break; } +#if 0 + /* Cannot happen */ if (seed_in) { ok = 0; DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS); goto err; } +#endif } end: if (!BN_GENCB_call(cb, 2, 1)) @@ -596,7 +630,7 @@ int dsa_builtin_paramgen2(DSA *ret, size BN_free(ret->g); ret->g = BN_dup(g); if (ret->p == NULL || ret->q == NULL || ret->g == NULL) { - ok = -1; + ok = 0; goto err; } if (counter_ret != NULL) @@ -614,3 +648,53 @@ int dsa_builtin_paramgen2(DSA *ret, size EVP_MD_CTX_free(mctx); return ok; } + +#ifdef OPENSSL_FIPS + +int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, + const EVP_MD *evpmd, const unsigned char *seed_in, + size_t seed_len, int idx, unsigned char *seed_out, + int *counter_ret, unsigned long *h_ret, + BN_GENCB *cb) +{ + return dsa_builtin_paramgen2(ret, L, N, evpmd, seed_in, seed_len, + idx, seed_out, counter_ret, h_ret, cb); +} + +int FIPS_dsa_paramgen_check_g(DSA *dsa) +{ + BN_CTX *ctx; + BIGNUM *tmp; + BN_MONT_CTX *mont = NULL; + int rv = -1; + + ctx = BN_CTX_new(); + if (ctx == NULL) + return -1; + if (BN_cmp(dsa->g, BN_value_one()) <= 0) + return 0; + if (BN_cmp(dsa->g, dsa->p) >= 0) + return 0; + BN_CTX_start(ctx); + tmp = BN_CTX_get(ctx); + if (tmp == NULL) + goto err; + if ((mont=BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(mont,dsa->p,ctx)) + goto err; + /* Work out g^q mod p */ + if (!BN_mod_exp_mont(tmp,dsa->g,dsa->q, dsa->p, ctx, mont)) + goto err; + if (!BN_cmp(tmp, BN_value_one())) + rv = 1; + else + rv = 0; + err: + BN_CTX_end(ctx); + BN_MONT_CTX_free(mont); + BN_CTX_free(ctx); + return rv; +} + +#endif diff -up openssl-1.1.1b/crypto/dsa/dsa_key.c.fips openssl-1.1.1b/crypto/dsa/dsa_key.c --- openssl-1.1.1b/crypto/dsa/dsa_key.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/dsa/dsa_key.c 2019-02-28 11:30:06.799745800 +0100 @@ -13,10 +13,49 @@ #include #include "dsa_locl.h" +#ifdef OPENSSL_FIPS +# include +# include "internal/fips_int.h" + +static int fips_check_dsa(DSA *dsa) +{ + EVP_PKEY *pk; + unsigned char tbs[] = "DSA Pairwise Check Data"; + int ret = 0; + + if ((pk = EVP_PKEY_new()) == NULL) + goto err; + + EVP_PKEY_set1_DSA(pk, dsa); + + if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL)) + ret = 1; + + err: + if (ret == 0) { + FIPSerr(FIPS_F_FIPS_CHECK_DSA, FIPS_R_PAIRWISE_TEST_FAILED); + fips_set_selftest_fail(); + } + + if (pk) + EVP_PKEY_free(pk); + + return ret; +} + +#endif + static int dsa_builtin_keygen(DSA *dsa); int DSA_generate_key(DSA *dsa) { +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD) + && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) { + DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD); + return 0; + } +#endif if (dsa->meth->dsa_keygen) return dsa->meth->dsa_keygen(dsa); return dsa_builtin_keygen(dsa); @@ -28,6 +67,14 @@ static int dsa_builtin_keygen(DSA *dsa) BN_CTX *ctx = NULL; BIGNUM *pub_key = NULL, *priv_key = NULL; +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) + && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN)) { + DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL); + goto err; + } +#endif + if ((ctx = BN_CTX_new()) == NULL) goto err; @@ -65,6 +112,13 @@ static int dsa_builtin_keygen(DSA *dsa) dsa->priv_key = priv_key; dsa->pub_key = pub_key; +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !fips_check_dsa(dsa)) { + dsa->pub_key = NULL; + dsa->priv_key = NULL; + goto err; + } +#endif ok = 1; err: diff -up openssl-1.1.1b/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1b/crypto/dsa/dsa_ossl.c --- openssl-1.1.1b/crypto/dsa/dsa_ossl.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/dsa/dsa_ossl.c 2019-02-28 11:30:06.800745781 +0100 @@ -14,6 +14,9 @@ #include #include "dsa_locl.h" #include +#ifdef OPENSSL_FIPS +# include +#endif static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, @@ -73,6 +76,19 @@ static DSA_SIG *dsa_do_sign(const unsign goto err; } +#ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { + FIPSerr(FIPS_F_DSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED); + return NULL; + } + + if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) + && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) { + DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL); + return NULL; + } +#endif + ret = DSA_SIG_new(); if (ret == NULL) goto err; @@ -301,6 +317,18 @@ static int dsa_do_verify(const unsigned DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE); return -1; } +#ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { + FIPSerr(FIPS_F_DSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED); + return -1; + } + + if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) + && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) { + DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL); + return -1; + } +#endif if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) { DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE); @@ -389,6 +417,9 @@ static int dsa_do_verify(const unsigned static int dsa_init(DSA *dsa) { +#ifdef OPENSSL_FIPS + FIPS_selftest_check(); +#endif dsa->flags |= DSA_FLAG_CACHE_MONT_P; return 1; } diff -up openssl-1.1.1b/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.1b/crypto/dsa/dsa_pmeth.c --- openssl-1.1.1b/crypto/dsa/dsa_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/dsa/dsa_pmeth.c 2019-02-28 11:30:06.800745781 +0100 @@ -211,8 +211,8 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT BN_GENCB_free(pcb); return 0; } - ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd, - NULL, 0, NULL, NULL, NULL, pcb); + ret = dsa_builtin_paramgen2(dsa, dctx->nbits, dctx->qbits, dctx->pmd, + NULL, 0, -1, NULL, NULL, NULL, pcb); BN_GENCB_free(pcb); if (ret) EVP_PKEY_assign_DSA(pkey, dsa); @@ -241,7 +241,7 @@ static int pkey_dsa_keygen(EVP_PKEY_CTX const EVP_PKEY_METHOD dsa_pkey_meth = { EVP_PKEY_DSA, - EVP_PKEY_FLAG_AUTOARGLEN, + EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS, pkey_dsa_init, pkey_dsa_copy, pkey_dsa_cleanup, diff -up openssl-1.1.1b/crypto/ec/ecdh_ossl.c.fips openssl-1.1.1b/crypto/ec/ecdh_ossl.c --- openssl-1.1.1b/crypto/ec/ecdh_ossl.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/ec/ecdh_ossl.c 2019-02-28 11:30:06.801745763 +0100 @@ -19,9 +19,20 @@ #include #include "ec_lcl.h" +#ifdef OPENSSL_FIPS +# include +#endif + int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen, const EC_POINT *pub_key, const EC_KEY *ecdh) { +#ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { + FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED); + return -1; + } +#endif + if (ecdh->group->meth->ecdh_compute_key == NULL) { ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH); return 0; diff -up openssl-1.1.1b/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1b/crypto/ec/ecdsa_ossl.c --- openssl-1.1.1b/crypto/ec/ecdsa_ossl.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/ec/ecdsa_ossl.c 2019-02-28 11:30:06.801745763 +0100 @@ -14,6 +14,10 @@ #include "internal/bn_int.h" #include "ec_lcl.h" +#ifdef OPENSSL_FIPS +# include +#endif + int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig, unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey) @@ -159,6 +163,13 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns ECDSA_SIG *ret; const BIGNUM *priv_key; +#ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { + FIPSerr(FIPS_F_OSSL_ECDSA_SIGN_SIG, FIPS_R_FIPS_SELFTEST_FAILED); + return NULL; + } +#endif + group = EC_KEY_get0_group(eckey); priv_key = EC_KEY_get0_private_key(eckey); @@ -317,6 +328,13 @@ int ossl_ecdsa_verify_sig(const unsigned const EC_GROUP *group; const EC_POINT *pub_key; +#ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { + FIPSerr(FIPS_F_OSSL_ECDSA_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED); + return -1; + } +#endif + /* check input values */ if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) { diff -up openssl-1.1.1b/crypto/ec/ec_key.c.fips openssl-1.1.1b/crypto/ec/ec_key.c --- openssl-1.1.1b/crypto/ec/ec_key.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/ec/ec_key.c 2019-02-28 11:30:06.802745744 +0100 @@ -178,14 +178,62 @@ ENGINE *EC_KEY_get0_engine(const EC_KEY return eckey->engine; } +#ifdef OPENSSL_FIPS + +# include +# include "internal/fips_int.h" + +static int fips_check_ec(EC_KEY *key) +{ + EVP_PKEY *pk; + unsigned char tbs[] = "ECDSA Pairwise Check Data"; + int ret = 0; + + if (!EC_KEY_can_sign(key)) /* no test for non-signing keys */ + return 1; + + if ((pk = EVP_PKEY_new()) == NULL) + goto err; + + EVP_PKEY_set1_EC_KEY(pk, key); + + if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL)) + ret = 1; + + err: + if (ret == 0) { + FIPSerr(FIPS_F_FIPS_CHECK_EC, FIPS_R_PAIRWISE_TEST_FAILED); + fips_set_selftest_fail(); + } + if (pk) + EVP_PKEY_free(pk); + return ret; +} + +#endif + int EC_KEY_generate_key(EC_KEY *eckey) { +#ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { + ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_NOT_INITIALIZED); + return 0; + } +#endif if (eckey == NULL || eckey->group == NULL) { ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER); return 0; } - if (eckey->meth->keygen != NULL) - return eckey->meth->keygen(eckey); + if (eckey->meth->keygen != NULL) { + int rv = eckey->meth->keygen(eckey); + +#ifdef OPENSSL_FIPS + if (rv > 0 && FIPS_mode()) { + rv = fips_check_ec(eckey); + } +#endif + return rv; + } ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED); return 0; } diff -up openssl-1.1.1b/crypto/ec/ec_pmeth.c.fips openssl-1.1.1b/crypto/ec/ec_pmeth.c --- openssl-1.1.1b/crypto/ec/ec_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/ec/ec_pmeth.c 2019-05-06 14:47:34.651077251 +0200 @@ -434,7 +434,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX * const EVP_PKEY_METHOD ec_pkey_meth = { EVP_PKEY_EC, - 0, + EVP_PKEY_FLAG_FIPS, pkey_ec_init, pkey_ec_copy, pkey_ec_cleanup, diff -up openssl-1.1.1b/crypto/evp/c_allc.c.fips openssl-1.1.1b/crypto/evp/c_allc.c --- openssl-1.1.1b/crypto/evp/c_allc.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/evp/c_allc.c 2019-02-28 11:30:06.802745744 +0100 @@ -17,6 +17,9 @@ void openssl_add_all_ciphers_int(void) { +#ifdef OPENSSL_FIPS + if (!FIPS_mode()) { +#endif #ifndef OPENSSL_NO_DES EVP_add_cipher(EVP_des_cfb()); EVP_add_cipher(EVP_des_cfb1()); @@ -263,4 +266,70 @@ void openssl_add_all_ciphers_int(void) EVP_add_cipher(EVP_chacha20_poly1305()); # endif #endif +#ifdef OPENSSL_FIPS + } else { +# ifndef OPENSSL_NO_DES + EVP_add_cipher(EVP_des_ede3_cfb()); + + EVP_add_cipher(EVP_des_ede3_ofb()); + + EVP_add_cipher(EVP_des_ede3_cbc()); + EVP_add_cipher_alias(SN_des_ede3_cbc, "DES3"); + EVP_add_cipher_alias(SN_des_ede3_cbc, "des3"); + + EVP_add_cipher(EVP_des_ede3()); + EVP_add_cipher_alias(SN_des_ede3_ecb, "DES-EDE3-ECB"); + EVP_add_cipher_alias(SN_des_ede3_ecb, "des-ede3-ecb"); + EVP_add_cipher(EVP_des_ede3_wrap()); + EVP_add_cipher_alias(SN_id_smime_alg_CMS3DESwrap, "des3-wrap"); +# endif + +# ifndef OPENSSL_NO_AES + EVP_add_cipher(EVP_aes_128_ecb()); + EVP_add_cipher(EVP_aes_128_cbc()); + EVP_add_cipher(EVP_aes_128_cfb()); + EVP_add_cipher(EVP_aes_128_cfb1()); + EVP_add_cipher(EVP_aes_128_cfb8()); + EVP_add_cipher(EVP_aes_128_ofb()); + EVP_add_cipher(EVP_aes_128_ctr()); + EVP_add_cipher(EVP_aes_128_gcm()); + EVP_add_cipher(EVP_aes_128_xts()); + EVP_add_cipher(EVP_aes_128_ccm()); + EVP_add_cipher(EVP_aes_128_wrap()); + EVP_add_cipher_alias(SN_id_aes128_wrap, "aes128-wrap"); + EVP_add_cipher(EVP_aes_128_wrap_pad()); + EVP_add_cipher_alias(SN_aes_128_cbc, "AES128"); + EVP_add_cipher_alias(SN_aes_128_cbc, "aes128"); + EVP_add_cipher(EVP_aes_192_ecb()); + EVP_add_cipher(EVP_aes_192_cbc()); + EVP_add_cipher(EVP_aes_192_cfb()); + EVP_add_cipher(EVP_aes_192_cfb1()); + EVP_add_cipher(EVP_aes_192_cfb8()); + EVP_add_cipher(EVP_aes_192_ofb()); + EVP_add_cipher(EVP_aes_192_ctr()); + EVP_add_cipher(EVP_aes_192_gcm()); + EVP_add_cipher(EVP_aes_192_ccm()); + EVP_add_cipher(EVP_aes_192_wrap()); + EVP_add_cipher_alias(SN_id_aes192_wrap, "aes192-wrap"); + EVP_add_cipher(EVP_aes_192_wrap_pad()); + EVP_add_cipher_alias(SN_aes_192_cbc, "AES192"); + EVP_add_cipher_alias(SN_aes_192_cbc, "aes192"); + EVP_add_cipher(EVP_aes_256_ecb()); + EVP_add_cipher(EVP_aes_256_cbc()); + EVP_add_cipher(EVP_aes_256_cfb()); + EVP_add_cipher(EVP_aes_256_cfb1()); + EVP_add_cipher(EVP_aes_256_cfb8()); + EVP_add_cipher(EVP_aes_256_ofb()); + EVP_add_cipher(EVP_aes_256_ctr()); + EVP_add_cipher(EVP_aes_256_gcm()); + EVP_add_cipher(EVP_aes_256_xts()); + EVP_add_cipher(EVP_aes_256_ccm()); + EVP_add_cipher(EVP_aes_256_wrap()); + EVP_add_cipher_alias(SN_id_aes256_wrap, "aes256-wrap"); + EVP_add_cipher(EVP_aes_256_wrap_pad()); + EVP_add_cipher_alias(SN_aes_256_cbc, "AES256"); + EVP_add_cipher_alias(SN_aes_256_cbc, "aes256"); +# endif + } +#endif } diff -up openssl-1.1.1b/crypto/evp/c_alld.c.fips openssl-1.1.1b/crypto/evp/c_alld.c --- openssl-1.1.1b/crypto/evp/c_alld.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/evp/c_alld.c 2019-02-28 11:30:06.803745726 +0100 @@ -16,6 +16,9 @@ void openssl_add_all_digests_int(void) { +#ifdef OPENSSL_FIPS + if (!FIPS_mode()) { +#endif #ifndef OPENSSL_NO_MD4 EVP_add_digest(EVP_md4()); #endif @@ -57,4 +60,24 @@ void openssl_add_all_digests_int(void) EVP_add_digest(EVP_sha3_512()); EVP_add_digest(EVP_shake128()); EVP_add_digest(EVP_shake256()); +#ifdef OPENSSL_FIPS + } else { + EVP_add_digest(EVP_md5_sha1()); + EVP_add_digest(EVP_sha1()); + EVP_add_digest_alias(SN_sha1, "ssl3-sha1"); + EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA); + EVP_add_digest(EVP_sha224()); + EVP_add_digest(EVP_sha256()); + EVP_add_digest(EVP_sha384()); + EVP_add_digest(EVP_sha512()); + EVP_add_digest(EVP_sha512_224()); + EVP_add_digest(EVP_sha512_256()); + EVP_add_digest(EVP_sha3_224()); + EVP_add_digest(EVP_sha3_256()); + EVP_add_digest(EVP_sha3_384()); + EVP_add_digest(EVP_sha3_512()); + EVP_add_digest(EVP_shake128()); + EVP_add_digest(EVP_shake256()); + } +#endif } diff -up openssl-1.1.1b/crypto/evp/digest.c.fips openssl-1.1.1b/crypto/evp/digest.c --- openssl-1.1.1b/crypto/evp/digest.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/evp/digest.c 2019-02-28 11:30:06.803745726 +0100 @@ -14,6 +14,9 @@ #include #include "internal/evp_int.h" #include "evp_locl.h" +#ifdef OPENSSL_FIPS +# include +#endif /* This call frees resources associated with the context */ int EVP_MD_CTX_reset(EVP_MD_CTX *ctx) @@ -66,6 +69,12 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) { EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED); +#ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { + FIPSerr(FIPS_F_EVP_DIGESTINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED); + return 0; + } +#endif #ifndef OPENSSL_NO_ENGINE /* * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so @@ -119,6 +128,15 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c } #endif if (ctx->digest != type) { +#ifdef OPENSSL_FIPS + if (FIPS_mode()) { + if (!(type->flags & EVP_MD_FLAG_FIPS) + && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) { + EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS); + return 0; + } + } +#endif if (ctx->digest && ctx->digest->ctx_size) { OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size); ctx->md_data = NULL; @@ -150,6 +168,9 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) { +#ifdef OPENSSL_FIPS + FIPS_selftest_check(); +#endif return ctx->update(ctx, data, count); } @@ -167,6 +188,9 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, { int ret; +#ifdef OPENSSL_FIPS + FIPS_selftest_check(); +#endif OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); ret = ctx->digest->final(ctx, md); if (size != NULL) diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes.c --- openssl-1.1.1b/crypto/evp/e_aes.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/evp/e_aes.c 2019-05-06 16:32:41.631668333 +0200 @@ -387,22 +387,33 @@ static int aesni_xts_init_key(EVP_CIPHER return 1; if (key) { + /* The key is two half length keys in reality */ + const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2; + const int bits = bytes * 8; + + /* + * Verify that the two keys are different. + * + * This addresses Rogaway's vulnerability. + * See comment in aes_xts_init_key() below. + */ + if (memcmp(key, key + bytes, bytes) == 0) { + EVPerr(EVP_F_AESNI_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); + return 0; + } + /* key_len is two AES keys */ if (enc) { - aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, - &xctx->ks1.ks); + aesni_set_encrypt_key(key, bits, &xctx->ks1.ks); xctx->xts.block1 = (block128_f) aesni_encrypt; xctx->stream = aesni_xts_encrypt; } else { - aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, - &xctx->ks1.ks); + aesni_set_decrypt_key(key, bits, &xctx->ks1.ks); xctx->xts.block1 = (block128_f) aesni_decrypt; xctx->stream = aesni_xts_decrypt; } - aesni_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, - EVP_CIPHER_CTX_key_length(ctx) * 4, - &xctx->ks2.ks); + aesni_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks); xctx->xts.block2 = (block128_f) aesni_encrypt; xctx->xts.key1 = &xctx->ks1; @@ -791,7 +802,21 @@ static int aes_t4_xts_init_key(EVP_CIPHE return 1; if (key) { - int bits = EVP_CIPHER_CTX_key_length(ctx) * 4; + /* The key is two half length keys in reality */ + const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2; + const int bits = bytes * 8; + + /* + * Verify that the two keys are different. + * + * This addresses Rogaway's vulnerability. + * See comment in aes_xts_init_key() below. + */ + if (memcmp(key, key + bytes, bytes) == 0) { + EVPerr(EVP_F_AES_T4_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); + return 0; + } + xctx->stream = NULL; /* key_len is two AES keys */ if (enc) { @@ -808,8 +833,7 @@ static int aes_t4_xts_init_key(EVP_CIPHE return 0; } } else { - aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, - &xctx->ks1.ks); + aes_t4_set_decrypt_key(key, bits, &xctx->ks1.ks); xctx->xts.block1 = (block128_f) aes_t4_decrypt; switch (bits) { case 128: @@ -823,9 +847,7 @@ static int aes_t4_xts_init_key(EVP_CIPHE } } - aes_t4_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, - EVP_CIPHER_CTX_key_length(ctx) * 4, - &xctx->ks2.ks); + aes_t4_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks); xctx->xts.block2 = (block128_f) aes_t4_encrypt; xctx->xts.key1 = &xctx->ks1; @@ -2794,9 +2816,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX return 1; } -BLOCK_CIPHER_generic_pack(NID_aes, 128, 0) - BLOCK_CIPHER_generic_pack(NID_aes, 192, 0) - BLOCK_CIPHER_generic_pack(NID_aes, 256, 0) +BLOCK_CIPHER_generic_pack(NID_aes, 128, EVP_CIPH_FLAG_FIPS) + BLOCK_CIPHER_generic_pack(NID_aes, 192, EVP_CIPH_FLAG_FIPS) + BLOCK_CIPHER_generic_pack(NID_aes, 256, EVP_CIPH_FLAG_FIPS) static int aes_gcm_cleanup(EVP_CIPHER_CTX *c) { @@ -2826,6 +2848,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX * case EVP_CTRL_AEAD_SET_IVLEN: if (arg <= 0) return 0; +# ifdef OPENSSL_FIPS + if (FIPS_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) + && arg < 12) + return 0; +# endif /* Allocate memory for IV if needed */ if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { if (gctx->iv != c->iv) @@ -3275,11 +3302,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX | EVP_CIPH_CUSTOM_COPY) BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM, - EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) + EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | + CUSTOM_FLAGS) BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM, - EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) + EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | + CUSTOM_FLAGS) BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM, - EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) + EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | + CUSTOM_FLAGS) static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { @@ -3313,8 +3343,33 @@ static int aes_xts_init_key(EVP_CIPHER_C if (!iv && !key) return 1; - if (key) + if (key) { do { + /* The key is two half length keys in reality */ + const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2; + const int bits = bytes * 8; + + /* + * Verify that the two keys are different. + * + * This addresses the vulnerability described in Rogaway's + * September 2004 paper: + * + * "Efficient Instantiations of Tweakable Blockciphers and + * Refinements to Modes OCB and PMAC". + * (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf) + * + * FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states + * that: + * "The check for Key_1 != Key_2 shall be done at any place + * BEFORE using the keys in the XTS-AES algorithm to process + * data with them." + */ + if (memcmp(key, key + bytes, bytes) == 0) { + EVPerr(EVP_F_AES_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); + return 0; + } + #ifdef AES_XTS_ASM xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt; #else @@ -3324,26 +3379,20 @@ static int aes_xts_init_key(EVP_CIPHER_C #ifdef HWAES_CAPABLE if (HWAES_CAPABLE) { if (enc) { - HWAES_set_encrypt_key(key, - EVP_CIPHER_CTX_key_length(ctx) * 4, - &xctx->ks1.ks); + HWAES_set_encrypt_key(key, bits, &xctx->ks1.ks); xctx->xts.block1 = (block128_f) HWAES_encrypt; # ifdef HWAES_xts_encrypt xctx->stream = HWAES_xts_encrypt; # endif } else { - HWAES_set_decrypt_key(key, - EVP_CIPHER_CTX_key_length(ctx) * 4, - &xctx->ks1.ks); + HWAES_set_decrypt_key(key, bits, &xctx->ks1.ks); xctx->xts.block1 = (block128_f) HWAES_decrypt; # ifdef HWAES_xts_decrypt xctx->stream = HWAES_xts_decrypt; #endif } - HWAES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, - EVP_CIPHER_CTX_key_length(ctx) * 4, - &xctx->ks2.ks); + HWAES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks); xctx->xts.block2 = (block128_f) HWAES_encrypt; xctx->xts.key1 = &xctx->ks1; @@ -3358,20 +3407,14 @@ static int aes_xts_init_key(EVP_CIPHER_C #ifdef VPAES_CAPABLE if (VPAES_CAPABLE) { if (enc) { - vpaes_set_encrypt_key(key, - EVP_CIPHER_CTX_key_length(ctx) * 4, - &xctx->ks1.ks); + vpaes_set_encrypt_key(key, bits, &xctx->ks1.ks); xctx->xts.block1 = (block128_f) vpaes_encrypt; } else { - vpaes_set_decrypt_key(key, - EVP_CIPHER_CTX_key_length(ctx) * 4, - &xctx->ks1.ks); + vpaes_set_decrypt_key(key, bits, &xctx->ks1.ks); xctx->xts.block1 = (block128_f) vpaes_decrypt; } - vpaes_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, - EVP_CIPHER_CTX_key_length(ctx) * 4, - &xctx->ks2.ks); + vpaes_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks); xctx->xts.block2 = (block128_f) vpaes_encrypt; xctx->xts.key1 = &xctx->ks1; @@ -3381,22 +3424,19 @@ static int aes_xts_init_key(EVP_CIPHER_C (void)0; /* terminate potentially open 'else' */ if (enc) { - AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, - &xctx->ks1.ks); + AES_set_encrypt_key(key, bits, &xctx->ks1.ks); xctx->xts.block1 = (block128_f) AES_encrypt; } else { - AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, - &xctx->ks1.ks); + AES_set_decrypt_key(key, bits, &xctx->ks1.ks); xctx->xts.block1 = (block128_f) AES_decrypt; } - AES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, - EVP_CIPHER_CTX_key_length(ctx) * 4, - &xctx->ks2.ks); + AES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks); xctx->xts.block2 = (block128_f) AES_encrypt; xctx->xts.key1 = &xctx->ks1; } while (0); + } if (iv) { xctx->xts.key2 = &xctx->ks2; @@ -3414,6 +3454,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX return 0; if (!out || !in || len < AES_BLOCK_SIZE) return 0; +# ifdef OPENSSL_FIPS + /* Requirement of SP800-38E */ + if (FIPS_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) && + (len > (1UL << 20) * 16)) { + EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE); + return 0; + } +# endif if (xctx->stream) (*xctx->stream) (in, out, len, xctx->xts.key1, xctx->xts.key2, @@ -3431,8 +3479,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ | EVP_CIPH_CUSTOM_COPY) -BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS) - BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS) +BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, + EVP_CIPH_FLAG_FIPS | XTS_FLAGS) + BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, + EVP_CIPH_FLAG_FIPS | XTS_FLAGS) static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { @@ -3697,11 +3747,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX #define aes_ccm_cleanup NULL BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM, - EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) + EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM, - EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) + EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM, - EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) + EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) typedef struct { union { @@ -3794,7 +3844,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT return rv ? (int)rv : -1; } -#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \ +#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_FLAG_FIPS \ | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1) diff -up openssl-1.1.1b/crypto/evp/e_des3.c.fips openssl-1.1.1b/crypto/evp/e_des3.c --- openssl-1.1.1b/crypto/evp/e_des3.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/evp/e_des3.c 2019-02-28 11:30:06.804745707 +0100 @@ -211,16 +211,19 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, # define des_ede3_cbc_cipher des_ede_cbc_cipher # define des_ede3_ecb_cipher des_ede_ecb_cipher BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64, - EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1, - des_ede3_init_key, NULL, NULL, NULL, des3_ctrl) + EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS | + EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, NULL, + des3_ctrl) BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 1, - EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1, - des_ede3_init_key, NULL, NULL, NULL, des3_ctrl) + EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS | + EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, + NULL, des3_ctrl) BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 8, - EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1, - des_ede3_init_key, NULL, NULL, NULL, des3_ctrl) + EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS | + EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, + NULL, des3_ctrl) static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) diff -up openssl-1.1.1b/crypto/evp/e_null.c.fips openssl-1.1.1b/crypto/evp/e_null.c --- openssl-1.1.1b/crypto/evp/e_null.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/evp/e_null.c 2019-02-28 11:30:06.805745688 +0100 @@ -19,7 +19,8 @@ static int null_cipher(EVP_CIPHER_CTX *c const unsigned char *in, size_t inl); static const EVP_CIPHER n_cipher = { NID_undef, - 1, 0, 0, 0, + 1, 0, 0, + EVP_CIPH_FLAG_FIPS, null_init_key, null_cipher, NULL, diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.fips openssl-1.1.1b/crypto/evp/evp_enc.c --- openssl-1.1.1b/crypto/evp/evp_enc.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/evp/evp_enc.c 2019-02-28 11:30:06.805745688 +0100 @@ -17,10 +17,19 @@ #include #include "internal/evp_int.h" #include "evp_locl.h" +#ifdef OPENSSL_FIPS +# include +#endif int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c) { - if (c == NULL) +#ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { + FIPSerr(FIPS_F_EVP_CIPHER_CTX_RESET, FIPS_R_FIPS_SELFTEST_FAILED); + return 0; + } +#endif + if (c == NULL) return 1; if (c->cipher != NULL) { if (c->cipher->cleanup && !c->cipher->cleanup(c)) @@ -39,6 +48,12 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void) { +#ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { + FIPSerr(FIPS_F_EVP_CIPHER_CTX_NEW, FIPS_R_FIPS_SELFTEST_FAILED); + return NULL; + } +#endif return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX)); } @@ -67,6 +82,12 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct enc = 1; ctx->encrypt = enc; } +#ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { + FIPSerr(FIPS_F_EVP_CIPHERINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED); + return 0; + } +#endif #ifndef OPENSSL_NO_ENGINE /* * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so @@ -136,7 +157,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct } ctx->key_len = cipher->key_len; /* Preserve wrap enable flag, zero everything else */ - ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW; + ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW | EVP_CIPH_FLAG_NON_FIPS_ALLOW; if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) { if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) { ctx->cipher = NULL; @@ -195,6 +216,18 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct return 0; } } +#ifdef OPENSSL_FIPS + /* After 'key' is set no further parameters changes are permissible. + * So only check for non FIPS enabling at this point. + */ + if (key && FIPS_mode()) { + if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS) + & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) { + EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS); + return 0; + } + } +#endif if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) { if (!ctx->cipher->init(ctx, key, iv, enc)) diff -up openssl-1.1.1b/crypto/evp/evp_err.c.fips openssl-1.1.1b/crypto/evp/evp_err.c --- openssl-1.1.1b/crypto/evp/evp_err.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/evp/evp_err.c 2019-05-06 16:41:08.565739361 +0200 @@ -15,11 +15,16 @@ static const ERR_STRING_DATA EVP_str_functs[] = { {ERR_PACK(ERR_LIB_EVP, EVP_F_AESNI_INIT_KEY, 0), "aesni_init_key"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_AESNI_XTS_INIT_KEY, 0), "aesni_xts_init_key"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_GCM_CTRL, 0), "aes_gcm_ctrl"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_INIT_KEY, 0), "aes_init_key"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_OCB_CIPHER, 0), "aes_ocb_cipher"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_INIT_KEY, 0), "aes_t4_init_key"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_XTS_INIT_KEY, 0), + "aes_t4_xts_init_key"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_WRAP_CIPHER, 0), "aes_wrap_cipher"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_CIPHER, 0), "aes_xts_cipher"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_INIT_KEY, 0), "aes_xts_init_key"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_ALG_MODULE_INIT, 0), "alg_module_init"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_CCM_INIT_KEY, 0), "aria_ccm_init_key"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_GCM_CTRL, 0), "aria_gcm_ctrl"}, @@ -179,6 +180,7 @@ static const ERR_STRING_DATA EVP_str_rea "different key types"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIFFERENT_PARAMETERS), "different parameters"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DISABLED_FOR_FIPS), "disabled for FIPS"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_LOADING_SECTION), "error loading section"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_SETTING_FIPS_MODE), @@ -241,6 +243,7 @@ static const ERR_STRING_DATA EVP_str_rea {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PRIVATE_KEY_ENCODE_ERROR), "private key encode error"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PUBLIC_KEY_NOT_RSA), "public key not rsa"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_TOO_LARGE), "too large"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_CIPHER), "unknown cipher"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_DIGEST), "unknown digest"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_OPTION), "unknown option"}, @@ -266,6 +269,10 @@ static const ERR_STRING_DATA EVP_str_rea "wrap mode not allowed"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_FINAL_BLOCK_LENGTH), "wrong final block length"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE), + "xts data unit is too large"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS), + "xts duplicated keys"}, {0, NULL} }; diff -up openssl-1.1.1b/crypto/evp/evp_lib.c.fips openssl-1.1.1b/crypto/evp/evp_lib.c --- openssl-1.1.1b/crypto/evp/evp_lib.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/evp/evp_lib.c 2019-02-28 11:30:06.806745670 +0100 @@ -192,6 +192,9 @@ int EVP_CIPHER_impl_ctx_size(const EVP_C int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) { +#ifdef OPENSSL_FIPS + FIPS_selftest_check(); +#endif return ctx->cipher->do_cipher(ctx, out, in, inl); } diff -up openssl-1.1.1b/crypto/evp/m_sha1.c.fips openssl-1.1.1b/crypto/evp/m_sha1.c --- openssl-1.1.1b/crypto/evp/m_sha1.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/evp/m_sha1.c 2019-02-28 11:30:06.806745670 +0100 @@ -95,7 +95,7 @@ static const EVP_MD sha1_md = { NID_sha1, NID_sha1WithRSAEncryption, SHA_DIGEST_LENGTH, - EVP_MD_FLAG_DIGALGID_ABSENT, + EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, init, update, final, @@ -145,7 +145,7 @@ static const EVP_MD sha224_md = { NID_sha224, NID_sha224WithRSAEncryption, SHA224_DIGEST_LENGTH, - EVP_MD_FLAG_DIGALGID_ABSENT, + EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, init224, update224, final224, @@ -164,7 +164,7 @@ static const EVP_MD sha256_md = { NID_sha256, NID_sha256WithRSAEncryption, SHA256_DIGEST_LENGTH, - EVP_MD_FLAG_DIGALGID_ABSENT, + EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, init256, update256, final256, @@ -224,7 +224,7 @@ static const EVP_MD sha512_224_md = { NID_sha512_224, NID_sha512_224WithRSAEncryption, SHA224_DIGEST_LENGTH, - EVP_MD_FLAG_DIGALGID_ABSENT, + EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, init512_224, update512, final512, @@ -243,7 +243,7 @@ static const EVP_MD sha512_256_md = { NID_sha512_256, NID_sha512_256WithRSAEncryption, SHA256_DIGEST_LENGTH, - EVP_MD_FLAG_DIGALGID_ABSENT, + EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, init512_256, update512, final512, @@ -262,7 +262,7 @@ static const EVP_MD sha384_md = { NID_sha384, NID_sha384WithRSAEncryption, SHA384_DIGEST_LENGTH, - EVP_MD_FLAG_DIGALGID_ABSENT, + EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, init384, update384, final384, @@ -281,7 +281,7 @@ static const EVP_MD sha512_md = { NID_sha512, NID_sha512WithRSAEncryption, SHA512_DIGEST_LENGTH, - EVP_MD_FLAG_DIGALGID_ABSENT, + EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, init512, update512, final512, diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha3.c --- openssl-1.1.1b/crypto/evp/m_sha3.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/evp/m_sha3.c 2019-05-06 16:12:23.012851747 +0200 @@ -292,7 +292,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) NID_sha3_##bitlen, \ NID_RSA_SHA3_##bitlen, \ bitlen / 8, \ - EVP_MD_FLAG_DIGALGID_ABSENT, \ + EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \ s390x_sha3_init, \ s390x_sha3_update, \ s390x_sha3_final, \ @@ -305,7 +305,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) NID_sha3_##bitlen, \ NID_RSA_SHA3_##bitlen, \ bitlen / 8, \ - EVP_MD_FLAG_DIGALGID_ABSENT, \ + EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \ sha3_init, \ sha3_update, \ sha3_final, \ @@ -326,7 +326,7 @@ const EVP_MD *EVP_shake##bitlen(void) NID_shake##bitlen, \ 0, \ bitlen / 8, \ - EVP_MD_FLAG_XOF, \ + EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS, \ s390x_shake_init, \ s390x_sha3_update, \ s390x_shake_final, \ @@ -340,7 +340,7 @@ const EVP_MD *EVP_shake##bitlen(void) NID_shake##bitlen, \ 0, \ bitlen / 8, \ - EVP_MD_FLAG_XOF, \ + EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS, \ shake_init, \ sha3_update, \ sha3_final, \ @@ -364,7 +364,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) NID_sha3_##bitlen, \ NID_RSA_SHA3_##bitlen, \ bitlen / 8, \ - EVP_MD_FLAG_DIGALGID_ABSENT, \ + EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \ sha3_init, \ sha3_update, \ sha3_final, \ @@ -383,7 +383,7 @@ const EVP_MD *EVP_shake##bitlen(void) NID_shake##bitlen, \ 0, \ bitlen / 8, \ - EVP_MD_FLAG_XOF, \ + EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS, \ shake_init, \ sha3_update, \ sha3_final, \ diff -up openssl-1.1.1b/crypto/evp/pmeth_lib.c.fips openssl-1.1.1b/crypto/evp/pmeth_lib.c --- openssl-1.1.1b/crypto/evp/pmeth_lib.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/evp/pmeth_lib.c 2019-05-06 15:11:33.207095983 +0200 @@ -131,7 +131,15 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKE pmeth = ENGINE_get_pkey_meth(e, id); else #endif + { pmeth = EVP_PKEY_meth_find(id); +#ifdef OPENSSL_FIPS + if (!(pmeth->flags & EVP_PKEY_FLAG_FIPS) && FIPS_mode()) { + EVPerr(EVP_F_INT_CTX_NEW, EVP_R_DISABLED_FOR_FIPS); + return NULL; + } +#endif + } if (pmeth == NULL) { #ifndef OPENSSL_NO_ENGINE diff -up openssl-1.1.1b/crypto/fips/build.info.fips openssl-1.1.1b/crypto/fips/build.info --- openssl-1.1.1b/crypto/fips/build.info.fips 2019-02-28 11:30:06.806745670 +0100 +++ openssl-1.1.1b/crypto/fips/build.info 2019-02-28 11:30:06.806745670 +0100 @@ -0,0 +1,15 @@ +LIBS=../../libcrypto +SOURCE[../../libcrypto]=\ + fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c \ + fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c \ + fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ + fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ + fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \ + fips_dh_selftest.c fips_ers.c + +PROGRAMS_NO_INST=\ + fips_standalone_hmac + +SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c +INCLUDE[fips_standalone_hmac]=../../include +DEPEND[fips_standalone_hmac]=../../libcrypto diff -up openssl-1.1.1b/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_aes_selftest.c --- openssl-1.1.1b/crypto/fips/fips_aes_selftest.c.fips 2019-02-28 11:30:06.807745651 +0100 +++ openssl-1.1.1b/crypto/fips/fips_aes_selftest.c 2019-02-28 11:30:06.807745651 +0100 @@ -0,0 +1,372 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include +#include +#ifdef OPENSSL_FIPS +# include +# include "internal/fips_int.h" +#endif + +#ifdef OPENSSL_FIPS +static const struct { + const unsigned char key[16]; + const unsigned char plaintext[16]; + const unsigned char ciphertext[16]; +} tests[] = { + { + { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F}, { + 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, + 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}, { +0x69, 0xC4, 0xE0, 0xD8, 0x6A, 0x7B, 0x04, 0x30, + 0xD8, 0xCD, 0xB7, 0x80, 0x70, 0xB4, 0xC5, 0x5A},},}; + +int FIPS_selftest_aes() +{ + int n; + int ret = 0; + EVP_CIPHER_CTX *ctx; + + ctx = EVP_CIPHER_CTX_new(); + if (ctx == NULL) + goto err; + + for (n = 0; n < 1; ++n) { + unsigned char key[16]; + + memcpy(key, tests[n].key, sizeof(key)); + if (fips_cipher_test(ctx, EVP_aes_128_ecb(), + key, NULL, + tests[n].plaintext, + tests[n].ciphertext, 16) <= 0) + goto err; + } + ret = 1; + err: + EVP_CIPHER_CTX_free(ctx); + if (ret == 0) + FIPSerr(FIPS_F_FIPS_SELFTEST_AES, FIPS_R_SELFTEST_FAILED); + return ret; +} + +/* AES-CCM test data from NIST public test vectors */ + +static const unsigned char ccm_key[] = { + 0xce, 0xb0, 0x09, 0xae, 0xa4, 0x45, 0x44, 0x51, 0xfe, 0xad, 0xf0, 0xe6, + 0xb3, 0x6f, 0x45, 0x55, 0x5d, 0xd0, 0x47, 0x23, 0xba, 0xa4, 0x48, 0xe8 +}; + +static const unsigned char ccm_nonce[] = { + 0x76, 0x40, 0x43, 0xc4, 0x94, 0x60, 0xb7 +}; + +static const unsigned char ccm_adata[] = { + 0x6e, 0x80, 0xdd, 0x7f, 0x1b, 0xad, 0xf3, 0xa1, 0xc9, 0xab, 0x25, 0xc7, + 0x5f, 0x10, 0xbd, 0xe7, 0x8c, 0x23, 0xfa, 0x0e, 0xb8, 0xf9, 0xaa, 0xa5, + 0x3a, 0xde, 0xfb, 0xf4, 0xcb, 0xf7, 0x8f, 0xe4 +}; + +static const unsigned char ccm_pt[] = { + 0xc8, 0xd2, 0x75, 0xf9, 0x19, 0xe1, 0x7d, 0x7f, 0xe6, 0x9c, 0x2a, 0x1f, + 0x58, 0x93, 0x9d, 0xfe, 0x4d, 0x40, 0x37, 0x91, 0xb5, 0xdf, 0x13, 0x10 +}; + +static const unsigned char ccm_ct[] = { + 0x8a, 0x0f, 0x3d, 0x82, 0x29, 0xe4, 0x8e, 0x74, 0x87, 0xfd, 0x95, 0xa2, + 0x8a, 0xd3, 0x92, 0xc8, 0x0b, 0x36, 0x81, 0xd4, 0xfb, 0xc7, 0xbb, 0xfd +}; + +static const unsigned char ccm_tag[] = { + 0x2d, 0xd6, 0xef, 0x1c, 0x45, 0xd4, 0xcc, 0xb7, 0x23, 0xdc, 0x07, 0x44, + 0x14, 0xdb, 0x50, 0x6d +}; + +int FIPS_selftest_aes_ccm(void) +{ + int ret = 0; + unsigned char out[128], tag[16]; + EVP_CIPHER_CTX *ctx; + + ctx = EVP_CIPHER_CTX_new(); + if (ctx == NULL) + goto err; + + memset(out, 0, sizeof(out)); + if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 1)) + goto err; + if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, + sizeof(ccm_nonce), NULL)) + goto err; + if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, + sizeof(ccm_tag), NULL)) + goto err; + if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 1)) + goto err; + if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_pt)) != sizeof(ccm_pt)) + goto err; + if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0) + goto err; + if (EVP_Cipher(ctx, out, ccm_pt, sizeof(ccm_pt)) != sizeof(ccm_ct)) + goto err; + + if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG, 16, tag)) + goto err; + if (memcmp(tag, ccm_tag, sizeof(ccm_tag)) + || memcmp(out, ccm_ct, sizeof(ccm_ct))) + goto err; + + memset(out, 0, sizeof(out)); + + if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 0)) + goto err; + if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, + sizeof(ccm_nonce), NULL)) + goto err; + if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, 16, tag)) + goto err; + if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 0)) + goto err; + if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_ct)) != sizeof(ccm_ct)) + goto err; + if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0) + goto err; + if (EVP_Cipher(ctx, out, ccm_ct, sizeof(ccm_ct)) != sizeof(ccm_pt)) + goto err; + + if (memcmp(out, ccm_pt, sizeof(ccm_pt))) + goto err; + + ret = 1; + + err: + EVP_CIPHER_CTX_free(ctx); + + if (ret == 0) { + FIPSerr(FIPS_F_FIPS_SELFTEST_AES_CCM, FIPS_R_SELFTEST_FAILED); + return 0; + } else + return ret; + +} + +/* AES-GCM test data from NIST public test vectors */ + +static const unsigned char gcm_key[] = { + 0xee, 0xbc, 0x1f, 0x57, 0x48, 0x7f, 0x51, 0x92, 0x1c, 0x04, 0x65, 0x66, + 0x5f, 0x8a, 0xe6, 0xd1, 0x65, 0x8b, 0xb2, 0x6d, 0xe6, 0xf8, 0xa0, 0x69, + 0xa3, 0x52, 0x02, 0x93, 0xa5, 0x72, 0x07, 0x8f +}; + +static const unsigned char gcm_iv[] = { + 0x99, 0xaa, 0x3e, 0x68, 0xed, 0x81, 0x73, 0xa0, 0xee, 0xd0, 0x66, 0x84 +}; + +static const unsigned char gcm_pt[] = { + 0xf5, 0x6e, 0x87, 0x05, 0x5b, 0xc3, 0x2d, 0x0e, 0xeb, 0x31, 0xb2, 0xea, + 0xcc, 0x2b, 0xf2, 0xa5 +}; + +static const unsigned char gcm_aad[] = { + 0x4d, 0x23, 0xc3, 0xce, 0xc3, 0x34, 0xb4, 0x9b, 0xdb, 0x37, 0x0c, 0x43, + 0x7f, 0xec, 0x78, 0xde +}; + +static const unsigned char gcm_ct[] = { + 0xf7, 0x26, 0x44, 0x13, 0xa8, 0x4c, 0x0e, 0x7c, 0xd5, 0x36, 0x86, 0x7e, + 0xb9, 0xf2, 0x17, 0x36 +}; + +static const unsigned char gcm_tag[] = { + 0x67, 0xba, 0x05, 0x10, 0x26, 0x2a, 0xe4, 0x87, 0xd7, 0x37, 0xee, 0x62, + 0x98, 0xf7, 0x7e, 0x0c +}; + +int FIPS_selftest_aes_gcm(void) +{ + int ret = 0; + unsigned char out[128], tag[16]; + EVP_CIPHER_CTX *ctx; + + ctx = EVP_CIPHER_CTX_new(); + if (ctx == NULL) + goto err; + + memset(out, 0, sizeof(out)); + memset(tag, 0, sizeof(tag)); + if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 1)) + goto err; + if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, + sizeof(gcm_iv), NULL)) + goto err; + if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 1)) + goto err; + if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0) + goto err; + if (EVP_Cipher(ctx, out, gcm_pt, sizeof(gcm_pt)) != sizeof(gcm_ct)) + goto err; + if (EVP_Cipher(ctx, NULL, NULL, 0) < 0) + goto err; + + if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag)) + goto err; + + if (memcmp(tag, gcm_tag, 16) || memcmp(out, gcm_ct, 16)) + goto err; + + memset(out, 0, sizeof(out)); + + if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 0)) + goto err; + if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, + sizeof(gcm_iv), NULL)) + goto err; + if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, tag)) + goto err; + if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 0)) + goto err; + if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0) + goto err; + if (EVP_Cipher(ctx, out, gcm_ct, sizeof(gcm_ct)) != sizeof(gcm_pt)) + goto err; + if (EVP_Cipher(ctx, NULL, NULL, 0) < 0) + goto err; + + if (memcmp(out, gcm_pt, 16)) + goto err; + + ret = 1; + + err: + EVP_CIPHER_CTX_free(ctx); + + if (ret == 0) { + FIPSerr(FIPS_F_FIPS_SELFTEST_AES_GCM, FIPS_R_SELFTEST_FAILED); + return 0; + } else + return ret; + +} + +static const unsigned char XTS_128_key[] = { + 0xa1, 0xb9, 0x0c, 0xba, 0x3f, 0x06, 0xac, 0x35, 0x3b, 0x2c, 0x34, 0x38, + 0x76, 0x08, 0x17, 0x62, 0x09, 0x09, 0x23, 0x02, 0x6e, 0x91, 0x77, 0x18, + 0x15, 0xf2, 0x9d, 0xab, 0x01, 0x93, 0x2f, 0x2f +}; + +static const unsigned char XTS_128_i[] = { + 0x4f, 0xae, 0xf7, 0x11, 0x7c, 0xda, 0x59, 0xc6, 0x6e, 0x4b, 0x92, 0x01, + 0x3e, 0x76, 0x8a, 0xd5 +}; + +static const unsigned char XTS_128_pt[] = { + 0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d, 0x6f, 0xb3, 0x50, 0x39, + 0x07, 0x90, 0x31, 0x1c +}; + +static const unsigned char XTS_128_ct[] = { + 0x77, 0x8a, 0xe8, 0xb4, 0x3c, 0xb9, 0x8d, 0x5a, 0x82, 0x50, 0x81, 0xd5, + 0xbe, 0x47, 0x1c, 0x63 +}; + +static const unsigned char XTS_256_key[] = { + 0x1e, 0xa6, 0x61, 0xc5, 0x8d, 0x94, 0x3a, 0x0e, 0x48, 0x01, 0xe4, 0x2f, + 0x4b, 0x09, 0x47, 0x14, 0x9e, 0x7f, 0x9f, 0x8e, 0x3e, 0x68, 0xd0, 0xc7, + 0x50, 0x52, 0x10, 0xbd, 0x31, 0x1a, 0x0e, 0x7c, 0xd6, 0xe1, 0x3f, 0xfd, + 0xf2, 0x41, 0x8d, 0x8d, 0x19, 0x11, 0xc0, 0x04, 0xcd, 0xa5, 0x8d, 0xa3, + 0xd6, 0x19, 0xb7, 0xe2, 0xb9, 0x14, 0x1e, 0x58, 0x31, 0x8e, 0xea, 0x39, + 0x2c, 0xf4, 0x1b, 0x08 +}; + +static const unsigned char XTS_256_i[] = { + 0xad, 0xf8, 0xd9, 0x26, 0x27, 0x46, 0x4a, 0xd2, 0xf0, 0x42, 0x8e, 0x84, + 0xa9, 0xf8, 0x75, 0x64 +}; + +static const unsigned char XTS_256_pt[] = { + 0x2e, 0xed, 0xea, 0x52, 0xcd, 0x82, 0x15, 0xe1, 0xac, 0xc6, 0x47, 0xe8, + 0x10, 0xbb, 0xc3, 0x64, 0x2e, 0x87, 0x28, 0x7f, 0x8d, 0x2e, 0x57, 0xe3, + 0x6c, 0x0a, 0x24, 0xfb, 0xc1, 0x2a, 0x20, 0x2e +}; + +static const unsigned char XTS_256_ct[] = { + 0xcb, 0xaa, 0xd0, 0xe2, 0xf6, 0xce, 0xa3, 0xf5, 0x0b, 0x37, 0xf9, 0x34, + 0xd4, 0x6a, 0x9b, 0x13, 0x0b, 0x9d, 0x54, 0xf0, 0x7e, 0x34, 0xf3, 0x6a, + 0xf7, 0x93, 0xe8, 0x6f, 0x73, 0xc6, 0xd7, 0xdb +}; + +int FIPS_selftest_aes_xts() +{ + int ret = 1; + EVP_CIPHER_CTX *ctx; + + ctx = EVP_CIPHER_CTX_new(); + if (ctx == NULL) + goto err; + + if (fips_cipher_test(ctx, EVP_aes_128_xts(), + XTS_128_key, XTS_128_i, XTS_128_pt, XTS_128_ct, + sizeof(XTS_128_pt)) <= 0) + ret = 0; + + if (fips_cipher_test(ctx, EVP_aes_256_xts(), + XTS_256_key, XTS_256_i, XTS_256_pt, XTS_256_ct, + sizeof(XTS_256_pt)) <= 0) + ret = 0; + + EVP_CIPHER_CTX_free(ctx); + + err: + if (ret == 0) + FIPSerr(FIPS_F_FIPS_SELFTEST_AES_XTS, FIPS_R_SELFTEST_FAILED); + return ret; +} + +#endif diff -up openssl-1.1.1b/crypto/fips/fips.c.fips openssl-1.1.1b/crypto/fips/fips.c --- openssl-1.1.1b/crypto/fips/fips.c.fips 2019-02-28 11:30:06.807745651 +0100 +++ openssl-1.1.1b/crypto/fips/fips.c 2019-02-28 11:30:06.807745651 +0100 @@ -0,0 +1,526 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#define _GNU_SOURCE + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "fips_locl.h" + +#ifdef OPENSSL_FIPS + +# include +# include "internal/thread_once.h" + +# ifndef PATH_MAX +# define PATH_MAX 1024 +# endif + +static int fips_selftest_fail = 0; +static int fips_mode = 0; +static int fips_started = 0; + +static int fips_is_owning_thread(void); +static int fips_set_owning_thread(void); +static int fips_clear_owning_thread(void); + +static CRYPTO_RWLOCK *fips_lock = NULL; +static CRYPTO_RWLOCK *fips_owning_lock = NULL; +static CRYPTO_ONCE fips_lock_init = CRYPTO_ONCE_STATIC_INIT; + +DEFINE_RUN_ONCE_STATIC(do_fips_lock_init) +{ + fips_lock = CRYPTO_THREAD_lock_new(); + fips_owning_lock = CRYPTO_THREAD_lock_new(); + return fips_lock != NULL && fips_owning_lock != NULL; +} + +# define fips_w_lock() CRYPTO_THREAD_write_lock(fips_lock) +# define fips_w_unlock() CRYPTO_THREAD_unlock(fips_lock) +# define fips_r_lock() CRYPTO_THREAD_read_lock(fips_lock) +# define fips_r_unlock() CRYPTO_THREAD_unlock(fips_lock) + +static void fips_set_mode(int onoff) +{ + int owning_thread = fips_is_owning_thread(); + + if (fips_started) { + if (!owning_thread) + fips_w_lock(); + fips_mode = onoff; + if (!owning_thread) + fips_w_unlock(); + } +} + +int FIPS_module_mode(void) +{ + int ret = 0; + int owning_thread = fips_is_owning_thread(); + + if (fips_started) { + if (!owning_thread) + fips_r_lock(); + ret = fips_mode; + if (!owning_thread) + fips_r_unlock(); + } + return ret; +} + +/* just a compat symbol - return NULL */ +int FIPS_selftest_failed(void) +{ + int ret = 0; + if (fips_started) { + int owning_thread = fips_is_owning_thread(); + + if (!owning_thread) + fips_r_lock(); + ret = fips_selftest_fail; + if (!owning_thread) + fips_r_unlock(); + } + return ret; +} + +/* Selftest failure fatal exit routine. This will be called + * during *any* cryptographic operation. It has the minimum + * overhead possible to avoid too big a performance hit. + */ + +void FIPS_selftest_check(void) +{ + if (fips_selftest_fail) { + OpenSSLDie(__FILE__, __LINE__, "FATAL FIPS SELFTEST FAILURE"); + } +} + +void fips_set_selftest_fail(void) +{ + fips_selftest_fail = 1; +} + +/* we implement what libfipscheck does ourselves */ + +static int +get_library_path(const char *libname, const char *symbolname, char *path, + size_t pathlen) +{ + Dl_info info; + void *dl, *sym; + int rv = -1; + + dl = dlopen(libname, RTLD_LAZY); + if (dl == NULL) { + return -1; + } + + sym = dlsym(dl, symbolname); + + if (sym != NULL && dladdr(sym, &info)) { + strncpy(path, info.dli_fname, pathlen - 1); + path[pathlen - 1] = '\0'; + rv = 0; + } + + dlclose(dl); + + return rv; +} + +static const char conv[] = "0123456789abcdef"; + +static char *bin2hex(void *buf, size_t len) +{ + char *hex, *p; + unsigned char *src = buf; + + hex = malloc(len * 2 + 1); + if (hex == NULL) + return NULL; + + p = hex; + + while (len > 0) { + unsigned c; + + c = *src; + src++; + + *p = conv[c >> 4]; + ++p; + *p = conv[c & 0x0f]; + ++p; + --len; + } + *p = '\0'; + return hex; +} + +# define HMAC_PREFIX "." +# ifndef HMAC_SUFFIX +# define HMAC_SUFFIX ".hmac" +# endif +# define READ_BUFFER_LENGTH 16384 + +static char *make_hmac_path(const char *origpath) +{ + char *path, *p; + const char *fn; + + path = + malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath)); + if (path == NULL) { + return NULL; + } + + fn = strrchr(origpath, '/'); + if (fn == NULL) { + fn = origpath; + } else { + ++fn; + } + + strncpy(path, origpath, fn - origpath); + p = path + (fn - origpath); + p = stpcpy(p, HMAC_PREFIX); + p = stpcpy(p, fn); + p = stpcpy(p, HMAC_SUFFIX); + + return path; +} + +static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP"; + +static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen) +{ + FILE *f = NULL; + int rv = -1; + unsigned char rbuf[READ_BUFFER_LENGTH]; + size_t len; + unsigned int hlen; + HMAC_CTX *c; + + c = HMAC_CTX_new(); + if (c == NULL) + return rv; + + f = fopen(path, "r"); + + if (f == NULL) { + goto end; + } + + if (HMAC_Init_ex(c, hmackey, sizeof(hmackey) - 1, EVP_sha256(), NULL) <= 0) { + goto end; + } + + while ((len = fread(rbuf, 1, sizeof(rbuf), f)) != 0) { + if (HMAC_Update(c, rbuf, len) <= 0) { + goto end; + } + } + + len = sizeof(rbuf); + /* reuse rbuf for hmac */ + if (HMAC_Final(c, rbuf, &hlen) <= 0) { + goto end; + } + + *buf = malloc(hlen); + if (*buf == NULL) { + goto end; + } + + *hmaclen = hlen; + + memcpy(*buf, rbuf, hlen); + + rv = 0; + end: + HMAC_CTX_free(c); + + if (f) + fclose(f); + + return rv; +} + +static int FIPSCHECK_verify(const char *path) +{ + int rv = 0; + FILE *hf; + char *hmacpath, *p; + char *hmac = NULL; + size_t n; + + hmacpath = make_hmac_path(path); + if (hmacpath == NULL) + return 0; + + hf = fopen(hmacpath, "r"); + if (hf == NULL) { + free(hmacpath); + return 0; + } + + if (getline(&hmac, &n, hf) > 0) { + void *buf; + size_t hmaclen; + char *hex; + + if ((p = strchr(hmac, '\n')) != NULL) + *p = '\0'; + + if (compute_file_hmac(path, &buf, &hmaclen) < 0) { + rv = -4; + goto end; + } + + if ((hex = bin2hex(buf, hmaclen)) == NULL) { + free(buf); + rv = -5; + goto end; + } + + if (strcmp(hex, hmac) != 0) { + rv = -1; + } + free(buf); + free(hex); + } else { + rv = -1; + } + + end: + free(hmac); + free(hmacpath); + fclose(hf); + + if (rv < 0) + return 0; + + /* check successful */ + return 1; +} + +static int verify_checksums(void) +{ + int rv; + char path[PATH_MAX + 1]; + char *p; + + /* we need to avoid dlopening libssl, assume both libcrypto and libssl + are in the same directory */ + + rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, + "FIPS_mode_set", path, sizeof(path)); + if (rv < 0) + return 0; + + rv = FIPSCHECK_verify(path); + if (!rv) + return 0; + + /* replace libcrypto with libssl */ + while ((p = strstr(path, "libcrypto.so")) != NULL) { + p = stpcpy(p, "libssl"); + memmove(p, p + 3, strlen(p + 2)); + } + + rv = FIPSCHECK_verify(path); + if (!rv) + return 0; + return 1; +} + +# ifndef FIPS_MODULE_PATH +# define FIPS_MODULE_PATH "/etc/system-fips" +# endif + +int FIPS_module_installed(void) +{ + int rv; + rv = access(FIPS_MODULE_PATH, F_OK); + if (rv < 0 && errno != ENOENT) + rv = 0; + + /* Installed == true */ + return !rv; +} + +int FIPS_module_mode_set(int onoff) +{ + int ret = 0; + + if (!RUN_ONCE(&fips_lock_init, do_fips_lock_init)) + return 0; + + fips_w_lock(); + fips_started = 1; + fips_set_owning_thread(); + + if (onoff) { + + fips_selftest_fail = 0; + + /* Don't go into FIPS mode twice, just so we can do automagic + seeding */ + if (FIPS_module_mode()) { + FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, + FIPS_R_FIPS_MODE_ALREADY_SET); + fips_selftest_fail = 1; + ret = 0; + goto end; + } +# ifdef OPENSSL_IA32_SSE2 + { + extern unsigned int OPENSSL_ia32cap_P[2]; + if ((OPENSSL_ia32cap_P[0] & (1 << 25 | 1 << 26)) != + (1 << 25 | 1 << 26)) { + FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, + FIPS_R_UNSUPPORTED_PLATFORM); + fips_selftest_fail = 1; + ret = 0; + goto end; + } + } +# endif + + if (!FIPS_selftest()) { + fips_selftest_fail = 1; + ret = 0; + goto end; + } + + if (!verify_checksums()) { + FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, + FIPS_R_FINGERPRINT_DOES_NOT_MATCH); + fips_selftest_fail = 1; + ret = 0; + goto end; + } + + fips_set_mode(onoff); + ret = 1; + goto end; + } + fips_set_mode(0); + fips_selftest_fail = 0; + ret = 1; + end: + fips_clear_owning_thread(); + fips_w_unlock(); + return ret; +} + +static CRYPTO_THREAD_ID fips_threadid; +static int fips_thread_set = 0; + +static int fips_is_owning_thread(void) +{ + int ret = 0; + + if (fips_started) { + CRYPTO_THREAD_read_lock(fips_owning_lock); + if (fips_thread_set) { + CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id(); + if (CRYPTO_THREAD_compare_id(fips_threadid, cur)) + ret = 1; + } + CRYPTO_THREAD_unlock(fips_owning_lock); + } + return ret; +} + +int fips_set_owning_thread(void) +{ + int ret = 0; + + if (fips_started) { + CRYPTO_THREAD_write_lock(fips_owning_lock); + if (!fips_thread_set) { + fips_threadid = CRYPTO_THREAD_get_current_id(); + ret = 1; + fips_thread_set = 1; + } + CRYPTO_THREAD_unlock(fips_owning_lock); + } + return ret; +} + +int fips_clear_owning_thread(void) +{ + int ret = 0; + + if (fips_started) { + CRYPTO_THREAD_write_lock(fips_owning_lock); + if (fips_thread_set) { + CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id(); + if (CRYPTO_THREAD_compare_id(fips_threadid, cur)) + fips_thread_set = 0; + } + CRYPTO_THREAD_unlock(fips_owning_lock); + } + return ret; +} + +#endif diff -up openssl-1.1.1b/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_cmac_selftest.c --- openssl-1.1.1b/crypto/fips/fips_cmac_selftest.c.fips 2019-02-28 11:30:06.808745633 +0100 +++ openssl-1.1.1b/crypto/fips/fips_cmac_selftest.c 2019-02-28 11:30:06.808745633 +0100 @@ -0,0 +1,156 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include +#include +#include +#include "internal/fips_int.h" +#include +#include "fips_locl.h" + +#ifdef OPENSSL_FIPS +typedef struct { + int nid; + const unsigned char key[EVP_MAX_KEY_LENGTH]; + size_t keysize; + const unsigned char msg[64]; + size_t msgsize; + const unsigned char mac[32]; + size_t macsize; +} CMAC_KAT; + +/* from http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf */ +static const CMAC_KAT vector[] = { + {NID_aes_128_cbc, /* Count = 32 from CMACGenAES128.txt */ + {0x77, 0xa7, 0x7f, 0xaf, 0x29, 0x0c, 0x1f, 0xa3, + 0x0c, 0x68, 0x3d, 0xf1, 0x6b, 0xa7, 0xa7, 0x7b,}, 128, + {0x02, 0x06, 0x83, 0xe1, 0xf0, 0x39, 0x2f, 0x4c, + 0xac, 0x54, 0x31, 0x8b, 0x60, 0x29, 0x25, 0x9e, + 0x9c, 0x55, 0x3d, 0xbc, 0x4b, 0x6a, 0xd9, 0x98, + 0xe6, 0x4d, 0x58, 0xe4, 0xe7, 0xdc, 0x2e, 0x13,}, 256, + {0xfb, 0xfe, 0xa4, 0x1b,}, 32}, + {NID_aes_192_cbc, /* Count = 23 from CMACGenAES192.txt */ + {0x7b, 0x32, 0x39, 0x13, 0x69, 0xaa, 0x4c, 0xa9, + 0x75, 0x58, 0x09, 0x5b, 0xe3, 0xc3, 0xec, 0x86, + 0x2b, 0xd0, 0x57, 0xce, 0xf1, 0xe3, 0x2d, 0x62,}, 192, + {0x0}, 0, + {0xe4, 0xd9, 0x34, 0x0b, 0x03, 0xe6, 0x7d, 0xef, + 0xd4, 0x96, 0x9c, 0xc1, 0xed, 0x37, 0x35, 0xe6,}, 128, + }, + {NID_aes_256_cbc, /* Count = 33 from CMACGenAES256.txt */ + {0x0b, 0x12, 0x2a, 0xc8, 0xf3, 0x4e, 0xd1, 0xfe, + 0x08, 0x2a, 0x36, 0x25, 0xd1, 0x57, 0x56, 0x14, + 0x54, 0x16, 0x7a, 0xc1, 0x45, 0xa1, 0x0b, 0xbf, + 0x77, 0xc6, 0xa7, 0x05, 0x96, 0xd5, 0x74, 0xf1,}, 256, + {0x49, 0x8b, 0x53, 0xfd, 0xec, 0x87, 0xed, 0xcb, + 0xf0, 0x70, 0x97, 0xdc, 0xcd, 0xe9, 0x3a, 0x08, + 0x4b, 0xad, 0x75, 0x01, 0xa2, 0x24, 0xe3, 0x88, + 0xdf, 0x34, 0x9c, 0xe1, 0x89, 0x59, 0xfe, 0x84, + 0x85, 0xf8, 0xad, 0x15, 0x37, 0xf0, 0xd8, 0x96, + 0xea, 0x73, 0xbe, 0xdc, 0x72, 0x14, 0x71, 0x3f,}, 384, + {0xf6, 0x2c, 0x46, 0x32, 0x9b,}, 40, + }, + {NID_des_ede3_cbc, /* Count = 41 from CMACGenTDES3.req */ + {0x89, 0xbc, 0xd9, 0x52, 0xa8, 0xc8, 0xab, 0x37, + 0x1a, 0xf4, 0x8a, 0xc7, 0xd0, 0x70, 0x85, 0xd5, + 0xef, 0xf7, 0x02, 0xe6, 0xd6, 0x2c, 0xdc, 0x23,}, 192, + {0xfa, 0x62, 0x0c, 0x1b, 0xbe, 0x97, 0x31, 0x9e, + 0x9a, 0x0c, 0xf0, 0x49, 0x21, 0x21, 0xf7, 0xa2, + 0x0e, 0xb0, 0x8a, 0x6a, 0x70, 0x9d, 0xcb, 0xd0, + 0x0a, 0xaf, 0x38, 0xe4, 0xf9, 0x9e, 0x75, 0x4e,}, 256, + {0x8f, 0x49, 0xa1, 0xb7, 0xd6, 0xaa, 0x22, 0x58,}, 64, + }, +}; + +int FIPS_selftest_cmac() +{ + size_t n, outlen; + unsigned char out[32]; + const EVP_CIPHER *cipher; + CMAC_CTX *ctx = CMAC_CTX_new(); + const CMAC_KAT *t; + int rv = 1; + + for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) { + cipher = EVP_get_cipherbynid(t->nid); + if (!cipher) { + rv = -1; + goto err; + } + if (!CMAC_Init(ctx, t->key, t->keysize / 8, cipher, 0)) { + rv = -1; + goto err; + } + if (!CMAC_Update(ctx, t->msg, t->msgsize / 8)) { + rv = -1; + goto err; + } + + if (!CMAC_Final(ctx, out, &outlen)) { + rv = -1; + goto err; + } + + if (outlen < t->macsize / 8 || memcmp(out, t->mac, t->macsize / 8)) { + rv = 0; + } + } + + err: + CMAC_CTX_free(ctx); + + if (rv == -1) { + rv = 0; + } + if (!rv) + FIPSerr(FIPS_F_FIPS_SELFTEST_CMAC, FIPS_R_SELFTEST_FAILED); + + return rv; +} +#endif diff -up openssl-1.1.1b/crypto/fips/fips_des_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_des_selftest.c --- openssl-1.1.1b/crypto/fips/fips_des_selftest.c.fips 2019-02-28 11:30:06.808745633 +0100 +++ openssl-1.1.1b/crypto/fips/fips_des_selftest.c 2019-02-28 11:30:06.808745633 +0100 @@ -0,0 +1,133 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include +#include +#ifdef OPENSSL_FIPS +# include +# include "internal/fips_int.h" +#endif +#include + +#ifdef OPENSSL_FIPS + +static const struct { + const unsigned char key[16]; + const unsigned char plaintext[8]; + const unsigned char ciphertext[8]; +} tests2[] = { + { + { + 0x7c, 0x4f, 0x6e, 0xf7, 0xa2, 0x04, 0x16, 0xec, + 0x0b, 0x6b, 0x7c, 0x9e, 0x5e, 0x19, 0xa7, 0xc4}, { + 0x06, 0xa7, 0xd8, 0x79, 0xaa, 0xce, 0x69, 0xef}, { + 0x4c, 0x11, 0x17, 0x55, 0xbf, 0xc4, 0x4e, 0xfd} + }, { + { + 0x5d, 0x9e, 0x01, 0xd3, 0x25, 0xc7, 0x3e, 0x34, + 0x01, 0x16, 0x7c, 0x85, 0x23, 0xdf, 0xe0, 0x68}, { + 0x9c, 0x50, 0x09, 0x0f, 0x5e, 0x7d, 0x69, 0x7e}, { + 0xd2, 0x0b, 0x18, 0xdf, 0xd9, 0x0d, 0x9e, 0xff},} +}; + +static const struct { + const unsigned char key[24]; + const unsigned char plaintext[8]; + const unsigned char ciphertext[8]; +} tests3[] = { + { + { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, + 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0}, { + 0x8f, 0x8f, 0xbf, 0x9b, 0x5d, 0x48, 0xb4, 0x1c}, { + 0x59, 0x8c, 0xe5, 0xd3, 0x6c, 0xa2, 0xea, 0x1b},}, { + { + 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, 0xFE, + 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, + 0xED, 0x39, 0xD9, 0x50, 0xFA, 0x74, 0xBC, 0xC4}, { + 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}, { +0x11, 0x25, 0xb0, 0x35, 0xbe, 0xa0, 0x82, 0x86},},}; + +int FIPS_selftest_des() +{ + int n, ret = 0; + EVP_CIPHER_CTX *ctx; + + ctx = EVP_CIPHER_CTX_new(); + if (ctx == NULL) + goto err; + + /* Encrypt/decrypt with 2-key 3DES and compare to known answers */ + for (n = 0; n < 2; ++n) { + unsigned char plaintext[8]; + + memcpy(plaintext, tests2[n].plaintext, sizeof(plaintext)); + if (!fips_cipher_test(ctx, EVP_des_ede_ecb(), + tests2[n].key, NULL, + plaintext, tests2[n].ciphertext, 8)) + goto err; + } + + /* Encrypt/decrypt with 3DES and compare to known answers */ + for (n = 0; n < 2; ++n) { + if (!fips_cipher_test(ctx, EVP_des_ede3_ecb(), + tests3[n].key, NULL, + tests3[n].plaintext, tests3[n].ciphertext, 8)) + goto err; + } + ret = 1; + err: + EVP_CIPHER_CTX_free(ctx); + if (ret == 0) + FIPSerr(FIPS_F_FIPS_SELFTEST_DES, FIPS_R_SELFTEST_FAILED); + + return ret; +} +#endif diff -up openssl-1.1.1b/crypto/fips/fips_dh_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_dh_selftest.c --- openssl-1.1.1b/crypto/fips/fips_dh_selftest.c.fips 2019-02-28 11:30:06.810745596 +0100 +++ openssl-1.1.1b/crypto/fips/fips_dh_selftest.c 2019-02-28 11:30:06.810745596 +0100 @@ -0,0 +1,180 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * Copyright (c) 2013 Red Hat, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include +#include +#include +#include +#include +#include +#include +#include "fips_locl.h" + +#ifdef OPENSSL_FIPS + +static const unsigned char dh_test_2048_p[] = { + 0xAE, 0xEC, 0xEE, 0x22, 0xFA, 0x3A, 0xA5, 0x22, 0xC0, 0xDE, 0x0F, 0x09, + 0x7E, 0x17, 0xC0, 0x05, 0xF9, 0xF1, 0xE7, 0xC6, 0x87, 0x14, 0x6D, 0x11, + 0xE7, 0xAE, 0xED, 0x2F, 0x72, 0x59, 0xC5, 0xA9, 0x9B, 0xB8, 0x02, 0xA5, + 0xF3, 0x69, 0x70, 0xD6, 0xDD, 0x90, 0xF9, 0x19, 0x79, 0xBE, 0x60, 0x8F, + 0x25, 0x92, 0x30, 0x1C, 0x51, 0x51, 0x38, 0x26, 0x82, 0x25, 0xE6, 0xFC, + 0xED, 0x65, 0x96, 0x8F, 0x57, 0xE5, 0x53, 0x8B, 0x38, 0x63, 0xC7, 0xCE, + 0xBC, 0x1B, 0x4D, 0x18, 0x2A, 0x5B, 0x04, 0x3F, 0x6A, 0x3C, 0x94, 0x39, + 0xAE, 0x36, 0xD6, 0x5E, 0x0F, 0xA2, 0xCC, 0xD0, 0xD4, 0xD5, 0xC6, 0x1E, + 0xF6, 0xA0, 0xF5, 0x89, 0x4E, 0xB4, 0x0B, 0xA4, 0xB3, 0x2B, 0x3D, 0xE2, + 0x4E, 0xE1, 0x49, 0x25, 0x99, 0x5F, 0x32, 0x16, 0x33, 0x32, 0x1B, 0x7A, + 0xA5, 0x5C, 0x6B, 0x34, 0x0D, 0x39, 0x99, 0xDC, 0xF0, 0x76, 0xE5, 0x5A, + 0xD4, 0x71, 0x00, 0xED, 0x5A, 0x73, 0xFB, 0xC8, 0x01, 0xAD, 0x99, 0xCF, + 0x99, 0x52, 0x7C, 0x9C, 0x64, 0xC6, 0x76, 0x40, 0x57, 0xAF, 0x59, 0xD7, + 0x38, 0x0B, 0x40, 0xDE, 0x33, 0x0D, 0xB8, 0x76, 0xEC, 0xA9, 0xD8, 0x73, + 0xF8, 0xEF, 0x26, 0x66, 0x06, 0x27, 0xDD, 0x7C, 0xA4, 0x10, 0x9C, 0xA6, + 0xAA, 0xF9, 0x53, 0x62, 0x73, 0x1D, 0xBA, 0x1C, 0xF1, 0x67, 0xF4, 0x35, + 0xED, 0x6F, 0x37, 0x92, 0xE8, 0x4F, 0x6C, 0xBA, 0x52, 0x6E, 0xA1, 0xED, + 0xDA, 0x9F, 0x85, 0x11, 0x82, 0x52, 0x62, 0x08, 0x44, 0xF1, 0x30, 0x03, + 0xC3, 0x38, 0x2C, 0x79, 0xBD, 0xD4, 0x43, 0x45, 0xEE, 0x8E, 0x50, 0xFC, + 0x29, 0x46, 0x9A, 0xFE, 0x54, 0x1A, 0x19, 0x8F, 0x4B, 0x84, 0x08, 0xDE, + 0x20, 0x62, 0x73, 0xCC, 0xDD, 0x7E, 0xF0, 0xEF, 0xA2, 0xFD, 0x86, 0x58, + 0x4B, 0xD8, 0x37, 0xEB +}; + +static const unsigned char dh_test_2048_g[] = { + 0x02 +}; + +static const unsigned char dh_test_2048_pub_key[] = { + 0xA0, 0x39, 0x11, 0x77, 0x9A, 0xC1, 0x30, 0x1F, 0xBE, 0x48, 0xA7, 0xAA, + 0xA0, 0x84, 0x54, 0x64, 0xAD, 0x1B, 0x70, 0xFA, 0x13, 0x55, 0x63, 0xD2, + 0x1F, 0x62, 0x32, 0x93, 0x8E, 0xC9, 0x3E, 0x09, 0xA7, 0x64, 0xE4, 0x12, + 0x6E, 0x1B, 0xF2, 0x92, 0x3B, 0xB9, 0xCB, 0x56, 0xEA, 0x07, 0x88, 0xB5, + 0xA6, 0xBC, 0x16, 0x1F, 0x27, 0xFE, 0xD8, 0xAA, 0x40, 0xB2, 0xB0, 0x2D, + 0x37, 0x76, 0xA6, 0xA4, 0x82, 0x2C, 0x0E, 0x22, 0x64, 0x9D, 0xCB, 0xD1, + 0x00, 0xB7, 0x89, 0x14, 0x72, 0x4E, 0xBE, 0x48, 0x41, 0xF8, 0xB2, 0x51, + 0x11, 0x09, 0x4B, 0x22, 0x01, 0x23, 0x39, 0x96, 0xE0, 0x15, 0xD7, 0x9F, + 0x60, 0xD1, 0xB7, 0xAE, 0xFE, 0x5F, 0xDB, 0xE7, 0x03, 0x17, 0x97, 0xA6, + 0x16, 0x74, 0xBD, 0x53, 0x81, 0x19, 0xC5, 0x47, 0x5E, 0xCE, 0x8D, 0xED, + 0x45, 0x5D, 0x3C, 0x00, 0xA0, 0x0A, 0x68, 0x6A, 0xE0, 0x8E, 0x06, 0x46, + 0x6F, 0xD7, 0xF9, 0xDF, 0x31, 0x7E, 0x77, 0x44, 0x0D, 0x98, 0xE0, 0xCA, + 0x98, 0x09, 0x52, 0x04, 0x90, 0xEA, 0x6D, 0xF4, 0x30, 0x69, 0x8F, 0xB1, + 0x9B, 0xC1, 0x43, 0xDB, 0xD5, 0x8D, 0xC8, 0x8E, 0xB6, 0x0B, 0x05, 0xBE, + 0x0E, 0xC5, 0x99, 0xC8, 0x6E, 0x4E, 0xF3, 0xCB, 0xC3, 0x5E, 0x9B, 0x53, + 0xF7, 0x06, 0x1C, 0x4F, 0xC7, 0xB8, 0x6E, 0x30, 0x18, 0xCA, 0x9B, 0xB9, + 0xBC, 0x5F, 0x17, 0x72, 0x29, 0x5A, 0xE5, 0xD9, 0x96, 0xB7, 0x0B, 0xF3, + 0x2D, 0x8C, 0xF1, 0xE1, 0x0E, 0x0D, 0x74, 0xD5, 0x9D, 0xF0, 0x06, 0xA9, + 0xB4, 0x95, 0x63, 0x76, 0x46, 0x55, 0x48, 0x82, 0x39, 0x90, 0xEF, 0x56, + 0x75, 0x34, 0xB8, 0x34, 0xC3, 0x18, 0x6E, 0x1E, 0xAD, 0xE3, 0x48, 0x7E, + 0x93, 0x2C, 0x23, 0xE7, 0xF8, 0x90, 0x73, 0xB1, 0x77, 0x80, 0x67, 0xA9, + 0x36, 0x9E, 0xDA, 0xD2 +}; + +static const unsigned char dh_test_2048_priv_key[] = { + 0x0C, 0x4B, 0x30, 0x89, 0xD1, 0xB8, 0x62, 0xCB, 0x3C, 0x43, 0x64, 0x91, + 0xF0, 0x91, 0x54, 0x70, 0xC5, 0x27, 0x96, 0xE3, 0xAC, 0xBE, 0xE8, 0x00, + 0xEC, 0x55, 0xF6, 0xCC +}; + +int FIPS_selftest_dh() +{ + DH *dh = NULL; + int ret = 0; + void *pub_key_bin = NULL; + int len; + BIGNUM *p = NULL, *g = NULL, *priv_key = NULL, *tmp_pub_key = NULL; + const BIGNUM *pub_key; + + fips_load_key_component(p, dh_test_2048); + fips_load_key_component(g, dh_test_2048); + /* note that the private key is much shorter than normally used + * but still g ** priv_key > p + */ + fips_load_key_component(priv_key, dh_test_2048); + if ((tmp_pub_key = BN_new()) == NULL) + goto err; + + dh = DH_new(); + + if (dh == NULL) + goto err; + + DH_set0_pqg(dh, p, NULL, g); + DH_set0_key(dh, tmp_pub_key, priv_key); + + if (DH_generate_key(dh) <= 0) + goto err; + + DH_get0_key(dh, &pub_key, NULL); + + if (pub_key == NULL) + goto err; + + len = BN_num_bytes(pub_key); + if ((pub_key_bin = OPENSSL_malloc(len)) == NULL) + goto err; + BN_bn2bin(pub_key, pub_key_bin); + + if (len != sizeof(dh_test_2048_pub_key) || + memcmp(pub_key_bin, dh_test_2048_pub_key, len) != 0) + goto err; + + ret = 1; + + err: + if (dh) + DH_free(dh); + else { + BN_free(p); + BN_free(g); + BN_free(priv_key); + BN_free(tmp_pub_key); + } + + OPENSSL_free(pub_key_bin); + return ret; +} +#endif diff -up openssl-1.1.1b/crypto/fips/fips_drbg_ctr.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_ctr.c --- openssl-1.1.1b/crypto/fips/fips_drbg_ctr.c.fips 2019-02-28 11:30:06.811745577 +0100 +++ openssl-1.1.1b/crypto/fips/fips_drbg_ctr.c 2019-02-28 11:30:06.811745577 +0100 @@ -0,0 +1,406 @@ +/* fips/rand/fips_drbg_ctr.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include +#include +#include +#include +#include +#include "fips_rand_lcl.h" + +static void inc_128(DRBG_CTR_CTX * cctx) +{ + int i; + unsigned char c; + unsigned char *p = cctx->V + 15; + for (i = 0; i < 16; i++) { + c = *p; + c++; + *p = c; + if (c) + return; + p--; + } +} + +static void ctr_XOR(DRBG_CTR_CTX * cctx, const unsigned char *in, + size_t inlen) +{ + size_t i, n; + /* Any zero padding will have no effect on the result as we + * are XORing. So just process however much input we have. + */ + + if (!in || !inlen) + return; + + if (inlen < cctx->keylen) + n = inlen; + else + n = cctx->keylen; + + for (i = 0; i < n; i++) + cctx->K[i] ^= in[i]; + if (inlen <= cctx->keylen) + return; + + n = inlen - cctx->keylen; + /* Should never happen */ + if (n > 16) + n = 16; + for (i = 0; i < 16; i++) + cctx->V[i] ^= in[i + cctx->keylen]; +} + +/* Process a complete block using BCC algorithm of SPP 800-90 10.4.3 */ + +static void ctr_BCC_block(DRBG_CTR_CTX * cctx, unsigned char *out, + const unsigned char *in) +{ + int i; + for (i = 0; i < 16; i++) + out[i] ^= in[i]; + AES_encrypt(out, out, &cctx->df_ks); +#if 0 + fprintf(stderr, "BCC in+out\n"); + BIO_dump_fp(stderr, in, 16); + BIO_dump_fp(stderr, out, 16); +#endif +} + +/* Handle several BCC operations for as much data as we need for K and X */ +static void ctr_BCC_blocks(DRBG_CTR_CTX * cctx, const unsigned char *in) +{ + ctr_BCC_block(cctx, cctx->KX, in); + ctr_BCC_block(cctx, cctx->KX + 16, in); + if (cctx->keylen != 16) + ctr_BCC_block(cctx, cctx->KX + 32, in); +} + +/* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions: + * see 10.4.2 stage 7. + */ +static void ctr_BCC_init(DRBG_CTR_CTX * cctx) +{ + memset(cctx->KX, 0, 48); + memset(cctx->bltmp, 0, 16); + ctr_BCC_block(cctx, cctx->KX, cctx->bltmp); + cctx->bltmp[3] = 1; + ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp); + if (cctx->keylen != 16) { + cctx->bltmp[3] = 2; + ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp); + } +} + +/* Process several blocks into BCC algorithm, some possibly partial */ +static void ctr_BCC_update(DRBG_CTR_CTX * cctx, + const unsigned char *in, size_t inlen) +{ + if (!in || !inlen) + return; + /* If we have partial block handle it first */ + if (cctx->bltmp_pos) { + size_t left = 16 - cctx->bltmp_pos; + /* If we now have a complete block process it */ + if (inlen >= left) { + memcpy(cctx->bltmp + cctx->bltmp_pos, in, left); + ctr_BCC_blocks(cctx, cctx->bltmp); + cctx->bltmp_pos = 0; + inlen -= left; + in += left; + } + } + /* Process zero or more complete blocks */ + while (inlen >= 16) { + ctr_BCC_blocks(cctx, in); + in += 16; + inlen -= 16; + } + /* Copy any remaining partial block to the temporary buffer */ + if (inlen > 0) { + memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen); + cctx->bltmp_pos += inlen; + } +} + +static void ctr_BCC_final(DRBG_CTR_CTX * cctx) +{ + if (cctx->bltmp_pos) { + memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos); + ctr_BCC_blocks(cctx, cctx->bltmp); + } +} + +static void ctr_df(DRBG_CTR_CTX * cctx, + const unsigned char *in1, size_t in1len, + const unsigned char *in2, size_t in2len, + const unsigned char *in3, size_t in3len) +{ + size_t inlen; + unsigned char *p = cctx->bltmp; + static unsigned char c80 = 0x80; + + ctr_BCC_init(cctx); + if (!in1) + in1len = 0; + if (!in2) + in2len = 0; + if (!in3) + in3len = 0; + inlen = in1len + in2len + in3len; + /* Initialise L||N in temporary block */ + *p++ = (inlen >> 24) & 0xff; + *p++ = (inlen >> 16) & 0xff; + *p++ = (inlen >> 8) & 0xff; + *p++ = inlen & 0xff; + /* NB keylen is at most 32 bytes */ + *p++ = 0; + *p++ = 0; + *p++ = 0; + *p = (unsigned char)((cctx->keylen + 16) & 0xff); + cctx->bltmp_pos = 8; + ctr_BCC_update(cctx, in1, in1len); + ctr_BCC_update(cctx, in2, in2len); + ctr_BCC_update(cctx, in3, in3len); + ctr_BCC_update(cctx, &c80, 1); + ctr_BCC_final(cctx); + /* Set up key K */ + AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks); + /* X follows key K */ + AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks); + AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks); + if (cctx->keylen != 16) + AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks); +#if 0 + fprintf(stderr, "Output of ctr_df:\n"); + BIO_dump_fp(stderr, cctx->KX, cctx->keylen + 16); +#endif +} + +/* NB the no-df Update in SP800-90 specifies a constant input length + * of seedlen, however other uses of this algorithm pad the input with + * zeroes if necessary and have up to two parameters XORed together, + * handle both cases in this function instead. + */ + +static void ctr_Update(DRBG_CTX *dctx, + const unsigned char *in1, size_t in1len, + const unsigned char *in2, size_t in2len, + const unsigned char *nonce, size_t noncelen) +{ + DRBG_CTR_CTX *cctx = &dctx->d.ctr; + /* ks is already setup for correct key */ + inc_128(cctx); + AES_encrypt(cctx->V, cctx->K, &cctx->ks); + /* If keylen longer than 128 bits need extra encrypt */ + if (cctx->keylen != 16) { + inc_128(cctx); + AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks); + } + inc_128(cctx); + AES_encrypt(cctx->V, cctx->V, &cctx->ks); + /* If 192 bit key part of V is on end of K */ + if (cctx->keylen == 24) { + memcpy(cctx->V + 8, cctx->V, 8); + memcpy(cctx->V, cctx->K + 24, 8); + } + + if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) { + /* If no input reuse existing derived value */ + if (in1 || nonce || in2) + ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len); + /* If this a reuse input in1len != 0 */ + if (in1len) + ctr_XOR(cctx, cctx->KX, dctx->seedlen); + } else { + ctr_XOR(cctx, in1, in1len); + ctr_XOR(cctx, in2, in2len); + } + + AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks); +#if 0 + fprintf(stderr, "K+V after update is:\n"); + BIO_dump_fp(stderr, cctx->K, cctx->keylen); + BIO_dump_fp(stderr, cctx->V, 16); +#endif +} + +static int drbg_ctr_instantiate(DRBG_CTX *dctx, + const unsigned char *ent, size_t entlen, + const unsigned char *nonce, size_t noncelen, + const unsigned char *pers, size_t perslen) +{ + DRBG_CTR_CTX *cctx = &dctx->d.ctr; + memset(cctx->K, 0, sizeof(cctx->K)); + memset(cctx->V, 0, sizeof(cctx->V)); + AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks); + ctr_Update(dctx, ent, entlen, pers, perslen, nonce, noncelen); + return 1; +} + +static int drbg_ctr_reseed(DRBG_CTX *dctx, + const unsigned char *ent, size_t entlen, + const unsigned char *adin, size_t adinlen) +{ + ctr_Update(dctx, ent, entlen, adin, adinlen, NULL, 0); + return 1; +} + +static int drbg_ctr_generate(DRBG_CTX *dctx, + unsigned char *out, size_t outlen, + const unsigned char *adin, size_t adinlen) +{ + DRBG_CTR_CTX *cctx = &dctx->d.ctr; + if (adin && adinlen) { + ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0); + /* This means we reuse derived value */ + if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) { + adin = NULL; + adinlen = 1; + } + } else + adinlen = 0; + + for (;;) { + inc_128(cctx); + if (outlen < 16) { + /* Use K as temp space as it will be updated */ + AES_encrypt(cctx->V, cctx->K, &cctx->ks); + memcpy(out, cctx->K, outlen); + break; + } + AES_encrypt(cctx->V, out, &cctx->ks); + out += 16; + outlen -= 16; + if (outlen == 0) + break; + } + + ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0); + + return 1; + +} + +static int drbg_ctr_uninstantiate(DRBG_CTX *dctx) +{ + memset(&dctx->d.ctr, 0, sizeof(DRBG_CTR_CTX)); + return 1; +} + +int fips_drbg_ctr_init(DRBG_CTX *dctx) +{ + DRBG_CTR_CTX *cctx = &dctx->d.ctr; + + size_t keylen; + + switch (dctx->type) { + case NID_aes_128_ctr: + keylen = 16; + break; + + case NID_aes_192_ctr: + keylen = 24; + break; + + case NID_aes_256_ctr: + keylen = 32; + break; + + default: + return -2; + } + + dctx->instantiate = drbg_ctr_instantiate; + dctx->reseed = drbg_ctr_reseed; + dctx->generate = drbg_ctr_generate; + dctx->uninstantiate = drbg_ctr_uninstantiate; + + cctx->keylen = keylen; + dctx->strength = keylen * 8; + dctx->blocklength = 16; + dctx->seedlen = keylen + 16; + + if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) { + /* df initialisation */ + static unsigned char df_key[32] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f + }; + /* Set key schedule for df_key */ + AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks); + + dctx->min_entropy = cctx->keylen; + dctx->max_entropy = DRBG_MAX_LENGTH; + dctx->min_nonce = dctx->min_entropy / 2; + dctx->max_nonce = DRBG_MAX_LENGTH; + dctx->max_pers = DRBG_MAX_LENGTH; + dctx->max_adin = DRBG_MAX_LENGTH; + } else { + dctx->min_entropy = dctx->seedlen; + dctx->max_entropy = dctx->seedlen; + /* Nonce not used */ + dctx->min_nonce = 0; + dctx->max_nonce = 0; + dctx->max_pers = dctx->seedlen; + dctx->max_adin = dctx->seedlen; + } + + dctx->max_request = 1 << 16; + dctx->reseed_interval = 1 << 24; + + return 1; +} diff -up openssl-1.1.1b/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_hash.c --- openssl-1.1.1b/crypto/fips/fips_drbg_hash.c.fips 2019-02-28 11:30:06.811745577 +0100 +++ openssl-1.1.1b/crypto/fips/fips_drbg_hash.c 2019-02-28 11:30:06.811745577 +0100 @@ -0,0 +1,354 @@ +/* fips/rand/fips_drbg_hash.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#define OPENSSL_FIPSAPI + +#include +#include +#include +#include +#include "internal/fips_int.h" +#include +#include "fips_rand_lcl.h" + +/* This is Hash_df from SP 800-90 10.4.1 */ + +static int hash_df(DRBG_CTX *dctx, unsigned char *out, + const unsigned char *in1, size_t in1len, + const unsigned char *in2, size_t in2len, + const unsigned char *in3, size_t in3len, + const unsigned char *in4, size_t in4len) +{ + EVP_MD_CTX *mctx = dctx->d.hash.mctx; + unsigned char *vtmp = dctx->d.hash.vtmp; + unsigned char tmp[6]; + /* Standard only ever needs seedlen bytes which is always less than + * maximum permitted so no need to check length. + */ + size_t outlen = dctx->seedlen; + tmp[0] = 1; + tmp[1] = ((outlen * 8) >> 24) & 0xff; + tmp[2] = ((outlen * 8) >> 16) & 0xff; + tmp[3] = ((outlen * 8) >> 8) & 0xff; + tmp[4] = (outlen * 8) & 0xff; + if (!in1) { + tmp[5] = (unsigned char)in1len; + in1 = tmp + 5; + in1len = 1; + } + for (;;) { + if (!FIPS_digestinit(mctx, dctx->d.hash.md)) + return 0; + if (!FIPS_digestupdate(mctx, tmp, 5)) + return 0; + if (in1 && !FIPS_digestupdate(mctx, in1, in1len)) + return 0; + if (in2 && !FIPS_digestupdate(mctx, in2, in2len)) + return 0; + if (in3 && !FIPS_digestupdate(mctx, in3, in3len)) + return 0; + if (in4 && !FIPS_digestupdate(mctx, in4, in4len)) + return 0; + if (outlen < dctx->blocklength) { + if (!FIPS_digestfinal(mctx, vtmp, NULL)) + return 0; + memcpy(out, vtmp, outlen); + OPENSSL_cleanse(vtmp, dctx->blocklength); + return 1; + } else if (!FIPS_digestfinal(mctx, out, NULL)) + return 0; + + outlen -= dctx->blocklength; + if (outlen == 0) + return 1; + tmp[0]++; + out += dctx->blocklength; + } +} + +/* Add an unsigned buffer to the buf value, storing the result in buf. For + * this algorithm the length of input never exceeds the seed length. + */ + +static void ctx_add_buf(DRBG_CTX *dctx, unsigned char *buf, + unsigned char *in, size_t inlen) +{ + size_t i = inlen; + const unsigned char *q; + unsigned char c, *p; + p = buf + dctx->seedlen; + q = in + inlen; + + OPENSSL_assert(i <= dctx->seedlen); + + /* Special case: zero length, just increment buffer */ + if (i) + c = 0; + else + c = 1; + + while (i) { + int r; + p--; + q--; + r = *p + *q + c; + /* Carry */ + if (r > 0xff) + c = 1; + else + c = 0; + *p = r & 0xff; + i--; + } + + i = dctx->seedlen - inlen; + + /* If not adding whole buffer handle final carries */ + if (c && i) { + do { + p--; + c = *p; + c++; + *p = c; + if (c) + return; + } while (i--); + } +} + +/* Finalise and add hash to V */ + +static int ctx_add_md(DRBG_CTX *dctx) +{ + if (!FIPS_digestfinal(dctx->d.hash.mctx, dctx->d.hash.vtmp, NULL)) + return 0; + ctx_add_buf(dctx, dctx->d.hash.V, dctx->d.hash.vtmp, dctx->blocklength); + return 1; +} + +static int hash_gen(DRBG_CTX *dctx, unsigned char *out, size_t outlen) +{ + DRBG_HASH_CTX *hctx = &dctx->d.hash; + if (outlen == 0) + return 1; + memcpy(hctx->vtmp, hctx->V, dctx->seedlen); + for (;;) { + FIPS_digestinit(hctx->mctx, hctx->md); + FIPS_digestupdate(hctx->mctx, hctx->vtmp, dctx->seedlen); + if (outlen < dctx->blocklength) { + FIPS_digestfinal(hctx->mctx, hctx->vtmp, NULL); + memcpy(out, hctx->vtmp, outlen); + return 1; + } else { + FIPS_digestfinal(hctx->mctx, out, NULL); + outlen -= dctx->blocklength; + if (outlen == 0) + return 1; + out += dctx->blocklength; + } + ctx_add_buf(dctx, hctx->vtmp, NULL, 0); + } +} + +static int drbg_hash_instantiate(DRBG_CTX *dctx, + const unsigned char *ent, size_t ent_len, + const unsigned char *nonce, size_t nonce_len, + const unsigned char *pstr, size_t pstr_len) +{ + DRBG_HASH_CTX *hctx = &dctx->d.hash; + if (!hash_df(dctx, hctx->V, + ent, ent_len, nonce, nonce_len, pstr, pstr_len, NULL, 0)) + return 0; + if (!hash_df(dctx, hctx->C, + NULL, 0, hctx->V, dctx->seedlen, NULL, 0, NULL, 0)) + return 0; + +#ifdef HASH_DRBG_TRACE + fprintf(stderr, "V+C after instantiate:\n"); + hexprint(stderr, hctx->V, dctx->seedlen); + hexprint(stderr, hctx->C, dctx->seedlen); +#endif + return 1; +} + +static int drbg_hash_reseed(DRBG_CTX *dctx, + const unsigned char *ent, size_t ent_len, + const unsigned char *adin, size_t adin_len) +{ + DRBG_HASH_CTX *hctx = &dctx->d.hash; + /* V about to be updated so use C as output instead */ + if (!hash_df(dctx, hctx->C, + NULL, 1, hctx->V, dctx->seedlen, + ent, ent_len, adin, adin_len)) + return 0; + memcpy(hctx->V, hctx->C, dctx->seedlen); + if (!hash_df(dctx, hctx->C, NULL, 0, + hctx->V, dctx->seedlen, NULL, 0, NULL, 0)) + return 0; +#ifdef HASH_DRBG_TRACE + fprintf(stderr, "V+C after reseed:\n"); + hexprint(stderr, hctx->V, dctx->seedlen); + hexprint(stderr, hctx->C, dctx->seedlen); +#endif + return 1; +} + +static int drbg_hash_generate(DRBG_CTX *dctx, + unsigned char *out, size_t outlen, + const unsigned char *adin, size_t adin_len) +{ + DRBG_HASH_CTX *hctx = &dctx->d.hash; + EVP_MD_CTX *mctx = hctx->mctx; + unsigned char tmp[4]; + if (adin && adin_len) { + tmp[0] = 2; + if (!FIPS_digestinit(mctx, hctx->md)) + return 0; + if (!EVP_DigestUpdate(mctx, tmp, 1)) + return 0; + if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen)) + return 0; + if (!EVP_DigestUpdate(mctx, adin, adin_len)) + return 0; + if (!ctx_add_md(dctx)) + return 0; + } + if (!hash_gen(dctx, out, outlen)) + return 0; + + tmp[0] = 3; + if (!FIPS_digestinit(mctx, hctx->md)) + return 0; + if (!EVP_DigestUpdate(mctx, tmp, 1)) + return 0; + if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen)) + return 0; + + if (!ctx_add_md(dctx)) + return 0; + + ctx_add_buf(dctx, hctx->V, hctx->C, dctx->seedlen); + + tmp[0] = (dctx->reseed_counter >> 24) & 0xff; + tmp[1] = (dctx->reseed_counter >> 16) & 0xff; + tmp[2] = (dctx->reseed_counter >> 8) & 0xff; + tmp[3] = dctx->reseed_counter & 0xff; + ctx_add_buf(dctx, hctx->V, tmp, 4); +#ifdef HASH_DRBG_TRACE + fprintf(stderr, "V+C after generate:\n"); + hexprint(stderr, hctx->V, dctx->seedlen); + hexprint(stderr, hctx->C, dctx->seedlen); +#endif + return 1; +} + +static int drbg_hash_uninstantiate(DRBG_CTX *dctx) +{ + EVP_MD_CTX_free(dctx->d.hash.mctx); + OPENSSL_cleanse(&dctx->d.hash, sizeof(DRBG_HASH_CTX)); + return 1; +} + +int fips_drbg_hash_init(DRBG_CTX *dctx) +{ + const EVP_MD *md; + DRBG_HASH_CTX *hctx = &dctx->d.hash; + md = EVP_get_digestbynid(dctx->type); + if (!md) + return -2; + switch (dctx->type) { + case NID_sha1: + dctx->strength = 128; + break; + + case NID_sha224: + dctx->strength = 192; + break; + + default: + dctx->strength = 256; + break; + } + + dctx->instantiate = drbg_hash_instantiate; + dctx->reseed = drbg_hash_reseed; + dctx->generate = drbg_hash_generate; + dctx->uninstantiate = drbg_hash_uninstantiate; + + dctx->d.hash.md = md; + hctx->mctx = EVP_MD_CTX_new(); + if (hctx->mctx == NULL) + return -1; + + /* These are taken from SP 800-90 10.1 table 2 */ + + dctx->blocklength = EVP_MD_size(md); + if (dctx->blocklength > 32) + dctx->seedlen = 111; + else + dctx->seedlen = 55; + + dctx->min_entropy = dctx->strength / 8; + dctx->max_entropy = DRBG_MAX_LENGTH; + + dctx->min_nonce = dctx->min_entropy / 2; + dctx->max_nonce = DRBG_MAX_LENGTH; + + dctx->max_pers = DRBG_MAX_LENGTH; + dctx->max_adin = DRBG_MAX_LENGTH; + + dctx->max_request = 1 << 16; + dctx->reseed_interval = 1 << 24; + + return 1; +} diff -up openssl-1.1.1b/crypto/fips/fips_drbg_hmac.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_hmac.c --- openssl-1.1.1b/crypto/fips/fips_drbg_hmac.c.fips 2019-02-28 11:30:06.811745577 +0100 +++ openssl-1.1.1b/crypto/fips/fips_drbg_hmac.c 2019-02-28 11:30:06.811745577 +0100 @@ -0,0 +1,262 @@ +/* fips/rand/fips_drbg_hmac.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include "fips_rand_lcl.h" + +static int drbg_hmac_update(DRBG_CTX *dctx, + const unsigned char *in1, size_t in1len, + const unsigned char *in2, size_t in2len, + const unsigned char *in3, size_t in3len) +{ + static unsigned char c0 = 0, c1 = 1; + DRBG_HMAC_CTX *hmac = &dctx->d.hmac; + HMAC_CTX *hctx = hmac->hctx; + + if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) + return 0; + if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) + return 0; + if (!HMAC_Update(hctx, &c0, 1)) + return 0; + if (in1len && !HMAC_Update(hctx, in1, in1len)) + return 0; + if (in2len && !HMAC_Update(hctx, in2, in2len)) + return 0; + if (in3len && !HMAC_Update(hctx, in3, in3len)) + return 0; + + if (!HMAC_Final(hctx, hmac->K, NULL)) + return 0; + + if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) + return 0; + if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) + return 0; + + if (!HMAC_Final(hctx, hmac->V, NULL)) + return 0; + + if (!in1len && !in2len && !in3len) + return 1; + + if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) + return 0; + if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) + return 0; + if (!HMAC_Update(hctx, &c1, 1)) + return 0; + if (in1len && !HMAC_Update(hctx, in1, in1len)) + return 0; + if (in2len && !HMAC_Update(hctx, in2, in2len)) + return 0; + if (in3len && !HMAC_Update(hctx, in3, in3len)) + return 0; + + if (!HMAC_Final(hctx, hmac->K, NULL)) + return 0; + + if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) + return 0; + if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) + return 0; + + if (!HMAC_Final(hctx, hmac->V, NULL)) + return 0; + + return 1; + +} + +static int drbg_hmac_instantiate(DRBG_CTX *dctx, + const unsigned char *ent, size_t ent_len, + const unsigned char *nonce, size_t nonce_len, + const unsigned char *pstr, size_t pstr_len) +{ + DRBG_HMAC_CTX *hmac = &dctx->d.hmac; + memset(hmac->K, 0, dctx->blocklength); + memset(hmac->V, 1, dctx->blocklength); + if (!drbg_hmac_update(dctx, + ent, ent_len, nonce, nonce_len, pstr, pstr_len)) + return 0; + +#ifdef HMAC_DRBG_TRACE + fprintf(stderr, "K+V after instantiate:\n"); + hexprint(stderr, hmac->K, hmac->blocklength); + hexprint(stderr, hmac->V, hmac->blocklength); +#endif + return 1; +} + +static int drbg_hmac_reseed(DRBG_CTX *dctx, + const unsigned char *ent, size_t ent_len, + const unsigned char *adin, size_t adin_len) +{ + if (!drbg_hmac_update(dctx, ent, ent_len, adin, adin_len, NULL, 0)) + return 0; + +#ifdef HMAC_DRBG_TRACE + { + DRBG_HMAC_CTX *hmac = &dctx->d.hmac; + fprintf(stderr, "K+V after reseed:\n"); + hexprint(stderr, hmac->K, hmac->blocklength); + hexprint(stderr, hmac->V, hmac->blocklength); + } +#endif + return 1; +} + +static int drbg_hmac_generate(DRBG_CTX *dctx, + unsigned char *out, size_t outlen, + const unsigned char *adin, size_t adin_len) +{ + DRBG_HMAC_CTX *hmac = &dctx->d.hmac; + HMAC_CTX *hctx = hmac->hctx; + const unsigned char *Vtmp = hmac->V; + if (adin_len && !drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0)) + return 0; + for (;;) { + if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) + return 0; + if (!HMAC_Update(hctx, Vtmp, dctx->blocklength)) + return 0; + if (outlen > dctx->blocklength) { + if (!HMAC_Final(hctx, out, NULL)) + return 0; + Vtmp = out; + } else { + if (!HMAC_Final(hctx, hmac->V, NULL)) + return 0; + memcpy(out, hmac->V, outlen); + break; + } + out += dctx->blocklength; + outlen -= dctx->blocklength; + } + if (!drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0)) + return 0; + + return 1; +} + +static int drbg_hmac_uninstantiate(DRBG_CTX *dctx) +{ + HMAC_CTX_free(dctx->d.hmac.hctx); + OPENSSL_cleanse(&dctx->d.hmac, sizeof(DRBG_HMAC_CTX)); + return 1; +} + +int fips_drbg_hmac_init(DRBG_CTX *dctx) +{ + const EVP_MD *md = NULL; + DRBG_HMAC_CTX *hctx = &dctx->d.hmac; + dctx->strength = 256; + switch (dctx->type) { + case NID_hmacWithSHA1: + md = EVP_sha1(); + dctx->strength = 128; + break; + + case NID_hmacWithSHA224: + md = EVP_sha224(); + dctx->strength = 192; + break; + + case NID_hmacWithSHA256: + md = EVP_sha256(); + break; + + case NID_hmacWithSHA384: + md = EVP_sha384(); + break; + + case NID_hmacWithSHA512: + md = EVP_sha512(); + break; + + default: + dctx->strength = 0; + return -2; + } + dctx->instantiate = drbg_hmac_instantiate; + dctx->reseed = drbg_hmac_reseed; + dctx->generate = drbg_hmac_generate; + dctx->uninstantiate = drbg_hmac_uninstantiate; + hctx->hctx = HMAC_CTX_new(); + if (hctx->hctx == NULL) + return -1; + hctx->md = md; + dctx->blocklength = M_EVP_MD_size(md); + dctx->seedlen = M_EVP_MD_size(md); + + dctx->min_entropy = dctx->strength / 8; + dctx->max_entropy = DRBG_MAX_LENGTH; + + dctx->min_nonce = dctx->min_entropy / 2; + dctx->max_nonce = DRBG_MAX_LENGTH; + + dctx->max_pers = DRBG_MAX_LENGTH; + dctx->max_adin = DRBG_MAX_LENGTH; + + dctx->max_request = 1 << 16; + dctx->reseed_interval = 1 << 24; + + return 1; +} diff -up openssl-1.1.1b/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_lib.c --- openssl-1.1.1b/crypto/fips/fips_drbg_lib.c.fips 2019-02-28 11:30:06.812745558 +0100 +++ openssl-1.1.1b/crypto/fips/fips_drbg_lib.c 2019-02-28 11:30:06.812745558 +0100 @@ -0,0 +1,528 @@ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include +#include +#include +#include +#include "internal/fips_int.h" +#include +#include "fips_locl.h" +#include "fips_rand_lcl.h" + +/* Support framework for SP800-90 DRBGs */ + +int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags) +{ + int rv; + memset(dctx, 0, sizeof(DRBG_CTX)); + dctx->status = DRBG_STATUS_UNINITIALISED; + dctx->xflags = flags; + dctx->type = type; + + dctx->iflags = 0; + dctx->entropy_blocklen = 0; + dctx->health_check_cnt = 0; + dctx->health_check_interval = DRBG_HEALTH_INTERVAL; + + rv = fips_drbg_hash_init(dctx); + + if (rv == -2) + rv = fips_drbg_ctr_init(dctx); + if (rv == -2) + rv = fips_drbg_hmac_init(dctx); + + if (rv <= 0) { + if (rv == -2) + FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE); + else + FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG); + } + + /* If not in test mode run selftests on DRBG of the same type */ + + if (!(dctx->xflags & DRBG_FLAG_TEST)) { + if (!FIPS_drbg_health_check(dctx)) { + FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE); + return 0; + } + } + + return rv; +} + +DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags) +{ + DRBG_CTX *dctx; + dctx = OPENSSL_malloc(sizeof(DRBG_CTX)); + if (!dctx) { + FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE); + return NULL; + } + + if (type == 0) { + memset(dctx, 0, sizeof(DRBG_CTX)); + dctx->type = 0; + dctx->status = DRBG_STATUS_UNINITIALISED; + return dctx; + } + + if (FIPS_drbg_init(dctx, type, flags) <= 0) { + OPENSSL_free(dctx); + return NULL; + } + + return dctx; +} + +void FIPS_drbg_free(DRBG_CTX *dctx) +{ + if (dctx->uninstantiate) + dctx->uninstantiate(dctx); + /* Don't free up default DRBG */ + if (dctx == FIPS_get_default_drbg()) { + memset(dctx, 0, sizeof(DRBG_CTX)); + dctx->type = 0; + dctx->status = DRBG_STATUS_UNINITIALISED; + } else { + OPENSSL_cleanse(&dctx->d, sizeof(dctx->d)); + OPENSSL_free(dctx); + } +} + +static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len) +{ + unsigned char *tout, *p; + size_t bl = dctx->entropy_blocklen, rv; + if (!dctx->get_entropy) + return 0; + if (dctx->xflags & DRBG_FLAG_TEST || !bl) + return dctx->get_entropy(dctx, pout, entropy, min_len, max_len); + rv = dctx->get_entropy(dctx, &tout, entropy + bl, + min_len + bl, max_len + bl); + if (tout == NULL) + return 0; + *pout = tout + bl; + if (rv < (min_len + bl) || (rv % bl)) + return 0; + /* Compare consecutive blocks for continuous PRNG test */ + for (p = tout; p < tout + rv - bl; p += bl) { + if (!memcmp(p, p + bl, bl)) { + FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK); + return 0; + } + } + rv -= bl; + if (rv > max_len) + return max_len; + return rv; +} + +static void fips_cleanup_entropy(DRBG_CTX *dctx, + unsigned char *out, size_t olen) +{ + size_t bl; + if (dctx->xflags & DRBG_FLAG_TEST) + bl = 0; + else + bl = dctx->entropy_blocklen; + /* Call cleanup with original arguments */ + dctx->cleanup_entropy(dctx, out - bl, olen + bl); +} + +int FIPS_drbg_instantiate(DRBG_CTX *dctx, + const unsigned char *pers, size_t perslen) +{ + size_t entlen = 0, noncelen = 0; + unsigned char *nonce = NULL, *entropy = NULL; + +#if 0 + /* Put here so error script picks them up */ + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, + FIPS_R_PERSONALISATION_STRING_TOO_LONG); + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE); + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED); + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY); + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE); + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR); + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED); +#endif + + int r = 0; + + if (perslen > dctx->max_pers) { + r = FIPS_R_PERSONALISATION_STRING_TOO_LONG; + goto end; + } + + if (!dctx->instantiate) { + r = FIPS_R_DRBG_NOT_INITIALISED; + goto end; + } + + if (dctx->status != DRBG_STATUS_UNINITIALISED) { + if (dctx->status == DRBG_STATUS_ERROR) + r = FIPS_R_IN_ERROR_STATE; + else + r = FIPS_R_ALREADY_INSTANTIATED; + goto end; + } + + dctx->status = DRBG_STATUS_ERROR; + + entlen = fips_get_entropy(dctx, &entropy, dctx->strength, + dctx->min_entropy, dctx->max_entropy); + + if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) { + r = FIPS_R_ERROR_RETRIEVING_ENTROPY; + goto end; + } + + if (dctx->max_nonce > 0 && dctx->get_nonce) { + noncelen = dctx->get_nonce(dctx, &nonce, + dctx->strength / 2, + dctx->min_nonce, dctx->max_nonce); + + if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) { + r = FIPS_R_ERROR_RETRIEVING_NONCE; + goto end; + } + + } + + if (!dctx->instantiate(dctx, + entropy, entlen, nonce, noncelen, pers, perslen)) { + r = FIPS_R_ERROR_INSTANTIATING_DRBG; + goto end; + } + + dctx->status = DRBG_STATUS_READY; + if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) + dctx->reseed_counter = 1; + + end: + + if (entropy && dctx->cleanup_entropy) + fips_cleanup_entropy(dctx, entropy, entlen); + + if (nonce && dctx->cleanup_nonce) + dctx->cleanup_nonce(dctx, nonce, noncelen); + + if (dctx->status == DRBG_STATUS_READY) + return 1; + + if (r && !(dctx->iflags & DRBG_FLAG_NOERR)) + FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r); + + return 0; + +} + +static int drbg_reseed(DRBG_CTX *dctx, + const unsigned char *adin, size_t adinlen, int hcheck) +{ + unsigned char *entropy = NULL; + size_t entlen = 0; + int r = 0; + +#if 0 + FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED); + FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG); +#endif + if (dctx->status != DRBG_STATUS_READY + && dctx->status != DRBG_STATUS_RESEED) { + if (dctx->status == DRBG_STATUS_ERROR) + r = FIPS_R_IN_ERROR_STATE; + else if (dctx->status == DRBG_STATUS_UNINITIALISED) + r = FIPS_R_NOT_INSTANTIATED; + goto end; + } + + if (!adin) + adinlen = 0; + else if (adinlen > dctx->max_adin) { + r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG; + goto end; + } + + dctx->status = DRBG_STATUS_ERROR; + /* Peform health check on all reseed operations if not a prediction + * resistance request and not in test mode. + */ + if (hcheck && !(dctx->xflags & DRBG_FLAG_TEST)) { + if (!FIPS_drbg_health_check(dctx)) { + r = FIPS_R_SELFTEST_FAILURE; + goto end; + } + } + + entlen = fips_get_entropy(dctx, &entropy, dctx->strength, + dctx->min_entropy, dctx->max_entropy); + + if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) { + r = FIPS_R_ERROR_RETRIEVING_ENTROPY; + goto end; + } + + if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen)) + goto end; + + dctx->status = DRBG_STATUS_READY; + if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) + dctx->reseed_counter = 1; + end: + + if (entropy && dctx->cleanup_entropy) + fips_cleanup_entropy(dctx, entropy, entlen); + + if (dctx->status == DRBG_STATUS_READY) + return 1; + + if (r && !(dctx->iflags & DRBG_FLAG_NOERR)) + FIPSerr(FIPS_F_DRBG_RESEED, r); + + return 0; +} + +int FIPS_drbg_reseed(DRBG_CTX *dctx, + const unsigned char *adin, size_t adinlen) +{ + return drbg_reseed(dctx, adin, adinlen, 1); +} + +static int fips_drbg_check(DRBG_CTX *dctx) +{ + if (dctx->xflags & DRBG_FLAG_TEST) + return 1; + dctx->health_check_cnt++; + if (dctx->health_check_cnt >= dctx->health_check_interval) { + if (!FIPS_drbg_health_check(dctx)) { + FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE); + return 0; + } + } + return 1; +} + +int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen, + int prediction_resistance, + const unsigned char *adin, size_t adinlen) +{ + int r = 0; + + if (FIPS_selftest_failed()) { + FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED); + return 0; + } + + if (!fips_drbg_check(dctx)) + return 0; + + if (dctx->status != DRBG_STATUS_READY + && dctx->status != DRBG_STATUS_RESEED) { + if (dctx->status == DRBG_STATUS_ERROR) + r = FIPS_R_IN_ERROR_STATE; + else if (dctx->status == DRBG_STATUS_UNINITIALISED) + r = FIPS_R_NOT_INSTANTIATED; + goto end; + } + + if (outlen > dctx->max_request) { + r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG; + return 0; + } + + if (adinlen > dctx->max_adin) { + r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG; + goto end; + } + + if (dctx->iflags & DRBG_CUSTOM_RESEED) + dctx->generate(dctx, NULL, outlen, NULL, 0); + else if (dctx->reseed_counter >= dctx->reseed_interval) + dctx->status = DRBG_STATUS_RESEED; + + if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) { + /* If prediction resistance request don't do health check */ + int hcheck = prediction_resistance ? 0 : 1; + + if (!drbg_reseed(dctx, adin, adinlen, hcheck)) { + r = FIPS_R_RESEED_ERROR; + goto end; + } + adin = NULL; + adinlen = 0; + } + + if (!dctx->generate(dctx, out, outlen, adin, adinlen)) { + r = FIPS_R_GENERATE_ERROR; + dctx->status = DRBG_STATUS_ERROR; + goto end; + } + if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) { + if (dctx->reseed_counter >= dctx->reseed_interval) + dctx->status = DRBG_STATUS_RESEED; + else + dctx->reseed_counter++; + } + + end: + if (r) { + if (!(dctx->iflags & DRBG_FLAG_NOERR)) + FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r); + return 0; + } + + return 1; +} + +int FIPS_drbg_uninstantiate(DRBG_CTX *dctx) +{ + int rv; + if (!dctx->uninstantiate) + rv = 1; + else + rv = dctx->uninstantiate(dctx); + /* Although we'd like to cleanse here we can't because we have to + * test the uninstantiate really zeroes the data. + */ + memset(&dctx->d, 0, sizeof(dctx->d)); + dctx->status = DRBG_STATUS_UNINITIALISED; + /* If method has problems uninstantiating, return error */ + return rv; +} + +int FIPS_drbg_set_callbacks(DRBG_CTX *dctx, + size_t (*get_entropy) (DRBG_CTX *ctx, + unsigned char **pout, + int entropy, + size_t min_len, + size_t max_len), + void (*cleanup_entropy) (DRBG_CTX *ctx, + unsigned char *out, + size_t olen), + size_t entropy_blocklen, + size_t (*get_nonce) (DRBG_CTX *ctx, + unsigned char **pout, + int entropy, size_t min_len, + size_t max_len), + void (*cleanup_nonce) (DRBG_CTX *ctx, + unsigned char *out, + size_t olen)) +{ + if (dctx->status != DRBG_STATUS_UNINITIALISED) + return 0; + dctx->entropy_blocklen = entropy_blocklen; + dctx->get_entropy = get_entropy; + dctx->cleanup_entropy = cleanup_entropy; + dctx->get_nonce = get_nonce; + dctx->cleanup_nonce = cleanup_nonce; + return 1; +} + +int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx, + size_t (*get_adin) (DRBG_CTX *ctx, + unsigned char **pout), + void (*cleanup_adin) (DRBG_CTX *ctx, + unsigned char *out, + size_t olen), + int (*rand_seed_cb) (DRBG_CTX *ctx, + const void *buf, + int num), + int (*rand_add_cb) (DRBG_CTX *ctx, + const void *buf, int num, + double entropy)) +{ + if (dctx->status != DRBG_STATUS_UNINITIALISED) + return 0; + dctx->get_adin = get_adin; + dctx->cleanup_adin = cleanup_adin; + dctx->rand_seed_cb = rand_seed_cb; + dctx->rand_add_cb = rand_add_cb; + return 1; +} + +void *FIPS_drbg_get_app_data(DRBG_CTX *dctx) +{ + return dctx->app_data; +} + +void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data) +{ + dctx->app_data = app_data; +} + +size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx) +{ + return dctx->blocklength; +} + +int FIPS_drbg_get_strength(DRBG_CTX *dctx) +{ + return dctx->strength; +} + +void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval) +{ + dctx->health_check_interval = interval; +} + +void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval) +{ + dctx->reseed_interval = interval; +} + +void FIPS_drbg_stick(int onoff) +{ + /* Just backwards compatibility API call with no effect. */ +} diff -up openssl-1.1.1b/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_rand.c --- openssl-1.1.1b/crypto/fips/fips_drbg_rand.c.fips 2019-02-28 11:30:06.812745558 +0100 +++ openssl-1.1.1b/crypto/fips/fips_drbg_rand.c 2019-02-28 11:30:06.812745558 +0100 @@ -0,0 +1,185 @@ +/* fips/rand/fips_drbg_rand.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include +#include +#include "internal/thread_once.h" +#include +#include +#include +#include +#include "fips_rand_lcl.h" + +/* Mapping of SP800-90 DRBGs to OpenSSL RAND_METHOD */ + +/* Since we only have one global PRNG used at any time in OpenSSL use a global + * variable to store context. + */ + +static DRBG_CTX ossl_dctx; + +static CRYPTO_RWLOCK *fips_rand_lock = NULL; +static CRYPTO_ONCE fips_rand_lock_init = CRYPTO_ONCE_STATIC_INIT; + +DEFINE_RUN_ONCE_STATIC(do_fips_rand_lock_init) +{ + fips_rand_lock = CRYPTO_THREAD_lock_new(); + return fips_rand_lock != NULL; +} + +DRBG_CTX *FIPS_get_default_drbg(void) +{ + if (!RUN_ONCE(&fips_rand_lock_init, do_fips_rand_lock_init)) + return NULL; + return &ossl_dctx; +} + +static int fips_drbg_bytes(unsigned char *out, int count) +{ + DRBG_CTX *dctx = &ossl_dctx; + int rv = 0; + unsigned char *adin = NULL; + size_t adinlen = 0; + CRYPTO_THREAD_write_lock(fips_rand_lock); + do { + size_t rcnt; + if (count > (int)dctx->max_request) + rcnt = dctx->max_request; + else + rcnt = count; + if (dctx->get_adin) { + adinlen = dctx->get_adin(dctx, &adin); + if (adinlen && !adin) { + FIPSerr(FIPS_F_FIPS_DRBG_BYTES, + FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT); + goto err; + } + } + rv = FIPS_drbg_generate(dctx, out, rcnt, 0, adin, adinlen); + if (adin) { + if (dctx->cleanup_adin) + dctx->cleanup_adin(dctx, adin, adinlen); + adin = NULL; + } + if (!rv) + goto err; + out += rcnt; + count -= rcnt; + } + while (count); + rv = 1; + err: + CRYPTO_THREAD_unlock(fips_rand_lock); + return rv; +} + +static int fips_drbg_pseudo(unsigned char *out, int count) +{ + if (fips_drbg_bytes(out, count) <= 0) + return -1; + return 1; +} + +static int fips_drbg_status(void) +{ + DRBG_CTX *dctx = &ossl_dctx; + int rv; + CRYPTO_THREAD_read_lock(fips_rand_lock); + rv = dctx->status == DRBG_STATUS_READY ? 1 : 0; + CRYPTO_THREAD_unlock(fips_rand_lock); + return rv; +} + +static void fips_drbg_cleanup(void) +{ + DRBG_CTX *dctx = &ossl_dctx; + CRYPTO_THREAD_write_lock(fips_rand_lock); + FIPS_drbg_uninstantiate(dctx); + CRYPTO_THREAD_unlock(fips_rand_lock); +} + +static int fips_drbg_seed(const void *seed, int seedlen) +{ + DRBG_CTX *dctx = &ossl_dctx; + int ret = 1; + CRYPTO_THREAD_write_lock(fips_rand_lock); + if (dctx->rand_seed_cb) + ret = dctx->rand_seed_cb(dctx, seed, seedlen); + CRYPTO_THREAD_unlock(fips_rand_lock); + return ret; +} + +static int fips_drbg_add(const void *seed, int seedlen, double add_entropy) +{ + DRBG_CTX *dctx = &ossl_dctx; + int ret = 1; + CRYPTO_THREAD_write_lock(fips_rand_lock); + if (dctx->rand_add_cb) + ret = dctx->rand_add_cb(dctx, seed, seedlen, add_entropy); + CRYPTO_THREAD_unlock(fips_rand_lock); + return ret; +} + +static const RAND_METHOD rand_drbg_meth = { + fips_drbg_seed, + fips_drbg_bytes, + fips_drbg_cleanup, + fips_drbg_add, + fips_drbg_pseudo, + fips_drbg_status +}; + +const RAND_METHOD *FIPS_drbg_method(void) +{ + return &rand_drbg_meth; +} diff -up openssl-1.1.1b/crypto/fips/fips_drbg_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_selftest.c --- openssl-1.1.1b/crypto/fips/fips_drbg_selftest.c.fips 2019-02-28 11:30:06.812745558 +0100 +++ openssl-1.1.1b/crypto/fips/fips_drbg_selftest.c 2019-02-28 11:30:06.812745558 +0100 @@ -0,0 +1,828 @@ +/* fips/rand/fips_drbg_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include +#include +#include +#include +#include +#include "fips_rand_lcl.h" +#include "fips_locl.h" + +#include "fips_drbg_selftest.h" + +typedef struct { + int post; + int nid; + unsigned int flags; + + /* KAT data for no PR */ + const unsigned char *ent; + size_t entlen; + const unsigned char *nonce; + size_t noncelen; + const unsigned char *pers; + size_t perslen; + const unsigned char *adin; + size_t adinlen; + const unsigned char *entreseed; + size_t entreseedlen; + const unsigned char *adinreseed; + size_t adinreseedlen; + const unsigned char *adin2; + size_t adin2len; + const unsigned char *kat; + size_t katlen; + const unsigned char *kat2; + size_t kat2len; + + /* KAT data for PR */ + const unsigned char *ent_pr; + size_t entlen_pr; + const unsigned char *nonce_pr; + size_t noncelen_pr; + const unsigned char *pers_pr; + size_t perslen_pr; + const unsigned char *adin_pr; + size_t adinlen_pr; + const unsigned char *entpr_pr; + size_t entprlen_pr; + const unsigned char *ading_pr; + size_t adinglen_pr; + const unsigned char *entg_pr; + size_t entglen_pr; + const unsigned char *kat_pr; + size_t katlen_pr; + const unsigned char *kat2_pr; + size_t kat2len_pr; + +} DRBG_SELFTEST_DATA; + +#define make_drbg_test_data(nid, flag, pr, p) {p, nid, flag | DRBG_FLAG_TEST, \ + pr##_entropyinput, sizeof(pr##_entropyinput), \ + pr##_nonce, sizeof(pr##_nonce), \ + pr##_personalizationstring, sizeof(pr##_personalizationstring), \ + pr##_additionalinput, sizeof(pr##_additionalinput), \ + pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \ + pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \ + pr##_additionalinput2, sizeof(pr##_additionalinput2), \ + pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \ + pr##_returnedbits, sizeof(pr##_returnedbits), \ + pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \ + pr##_pr_nonce, sizeof(pr##_pr_nonce), \ + pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \ + pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \ + pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \ + pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \ + pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \ + pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \ + pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits), \ + } + +#define make_drbg_test_data_df(nid, pr, p) \ + make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr, p) + +#define make_drbg_test_data_ec(curve, md, pr, p) \ + make_drbg_test_data((curve << 16) | md , 0, pr, p) + +static DRBG_SELFTEST_DATA drbg_test[] = { + make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0), + make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0), + make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1), + make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df, 0), + make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df, 0), + make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df, 1), + make_drbg_test_data(NID_sha1, 0, sha1, 0), + make_drbg_test_data(NID_sha224, 0, sha224, 0), + make_drbg_test_data(NID_sha256, 0, sha256, 1), + make_drbg_test_data(NID_sha384, 0, sha384, 0), + make_drbg_test_data(NID_sha512, 0, sha512, 0), + make_drbg_test_data(NID_hmacWithSHA1, 0, hmac_sha1, 0), + make_drbg_test_data(NID_hmacWithSHA224, 0, hmac_sha224, 0), + make_drbg_test_data(NID_hmacWithSHA256, 0, hmac_sha256, 1), + make_drbg_test_data(NID_hmacWithSHA384, 0, hmac_sha384, 0), + make_drbg_test_data(NID_hmacWithSHA512, 0, hmac_sha512, 0), + {0, 0, 0} +}; + +typedef struct { + const unsigned char *ent; + size_t entlen; + int entcnt; + const unsigned char *nonce; + size_t noncelen; + int noncecnt; +} TEST_ENT; + +static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len) +{ + TEST_ENT *t = FIPS_drbg_get_app_data(dctx); + *pout = (unsigned char *)t->ent; + t->entcnt++; + return t->entlen; +} + +static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len) +{ + TEST_ENT *t = FIPS_drbg_get_app_data(dctx); + *pout = (unsigned char *)t->nonce; + t->noncecnt++; + return t->noncelen; +} + +static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, + int quick) +{ + TEST_ENT t; + int rv = 0; + size_t adinlen; + unsigned char randout[1024]; + + /* Initial test without PR */ + + /* Instantiate DRBG with test entropy, nonce and personalisation + * string. + */ + + if (!FIPS_drbg_init(dctx, td->nid, td->flags)) + return 0; + if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0)) + return 0; + + FIPS_drbg_set_app_data(dctx, &t); + + t.ent = td->ent; + t.entlen = td->entlen; + t.nonce = td->nonce; + t.noncelen = td->noncelen; + t.entcnt = 0; + t.noncecnt = 0; + + if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen)) + goto err; + + /* Note for CTR without DF some additional input values + * ignore bytes after the keylength: so reduce adinlen + * to half to ensure invalid data is fed in. + */ + if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags)) + adinlen = td->adinlen / 2; + else + adinlen = td->adinlen; + + /* Generate with no PR and verify output matches expected data */ + if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, td->adin, adinlen)) + goto err; + + if (memcmp(randout, td->kat, td->katlen)) { + FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST1_FAILURE); + goto err2; + } + /* If abbreviated POST end of test */ + if (quick) { + rv = 1; + goto err; + } + /* Reseed DRBG with test entropy and additional input */ + t.ent = td->entreseed; + t.entlen = td->entreseedlen; + + if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen)) + goto err; + + /* Generate with no PR and verify output matches expected data */ + if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0, + td->adin2, td->adin2len)) + goto err; + + if (memcmp(randout, td->kat2, td->kat2len)) { + FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST2_FAILURE); + goto err2; + } + + FIPS_drbg_uninstantiate(dctx); + + /* Now test with PR */ + + /* Instantiate DRBG with test entropy, nonce and personalisation + * string. + */ + if (!FIPS_drbg_init(dctx, td->nid, td->flags)) + return 0; + if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0)) + return 0; + + FIPS_drbg_set_app_data(dctx, &t); + + t.ent = td->ent_pr; + t.entlen = td->entlen_pr; + t.nonce = td->nonce_pr; + t.noncelen = td->noncelen_pr; + t.entcnt = 0; + t.noncecnt = 0; + + if (!FIPS_drbg_instantiate(dctx, td->pers_pr, td->perslen_pr)) + goto err; + + /* Now generate with PR: we need to supply entropy as this will + * perform a reseed operation. Check output matches expected value. + */ + + t.ent = td->entpr_pr; + t.entlen = td->entprlen_pr; + + /* Note for CTR without DF some additional input values + * ignore bytes after the keylength: so reduce adinlen + * to half to ensure invalid data is fed in. + */ + if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags)) + adinlen = td->adinlen_pr / 2; + else + adinlen = td->adinlen_pr; + if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 1, + td->adin_pr, adinlen)) + goto err; + + if (memcmp(randout, td->kat_pr, td->katlen_pr)) { + FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST1_FAILURE); + goto err2; + } + + /* Now generate again with PR: supply new entropy again. + * Check output matches expected value. + */ + + t.ent = td->entg_pr; + t.entlen = td->entglen_pr; + + if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 1, + td->ading_pr, td->adinglen_pr)) + goto err; + + if (memcmp(randout, td->kat2_pr, td->kat2len_pr)) { + FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST2_FAILURE); + goto err2; + } + /* All OK, test complete */ + rv = 1; + + err: + if (rv == 0) + FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED); + err2: + FIPS_drbg_uninstantiate(dctx); + + return rv; + +} + +/* Initialise a DRBG based on selftest data */ + +static int do_drbg_init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, TEST_ENT * t) +{ + + if (!FIPS_drbg_init(dctx, td->nid, td->flags)) + return 0; + + if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0)) + return 0; + + FIPS_drbg_set_app_data(dctx, t); + + t->ent = td->ent; + t->entlen = td->entlen; + t->nonce = td->nonce; + t->noncelen = td->noncelen; + t->entcnt = 0; + t->noncecnt = 0; + return 1; +} + +/* Initialise and instantiate DRBG based on selftest data */ +static int do_drbg_instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, + TEST_ENT * t) +{ + if (!do_drbg_init(dctx, td, t)) + return 0; + if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen)) + return 0; + + return 1; +} + +/* This function performs extensive error checking as required by SP800-90. + * Induce several failure modes and check an error condition is set. + * This function along with fips_drbg_single_kat peforms the health checking + * operation. + */ + +static int fips_drbg_error_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td) +{ + unsigned char randout[1024]; + TEST_ENT t; + size_t i; + unsigned int reseed_counter_tmp; + unsigned char *p = (unsigned char *)dctx; + + /* Initialise DRBG */ + + if (!do_drbg_init(dctx, td, &t)) + goto err; + + /* Don't report induced errors */ + dctx->iflags |= DRBG_FLAG_NOERR; + + /* Personalisation string tests */ + + /* Test detection of too large personlisation string */ + + if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, + FIPS_R_PERSONALISATION_ERROR_UNDETECTED); + goto err; + } + + /* Entropy source tests */ + + /* Test entropy source failure detecion: i.e. returns no data */ + + t.entlen = 0; + + if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, + FIPS_R_ENTROPY_ERROR_UNDETECTED); + goto err; + } + + /* Try to generate output from uninstantiated DRBG */ + if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, + td->adin, td->adinlen)) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, + FIPS_R_GENERATE_ERROR_UNDETECTED); + goto err; + } + + dctx->iflags &= ~DRBG_FLAG_NOERR; + if (!FIPS_drbg_uninstantiate(dctx)) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); + goto err; + } + + if (!do_drbg_init(dctx, td, &t)) + goto err; + + dctx->iflags |= DRBG_FLAG_NOERR; + + /* Test insufficient entropy */ + + t.entlen = dctx->min_entropy - 1; + + if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, + FIPS_R_ENTROPY_ERROR_UNDETECTED); + goto err; + } + + dctx->iflags &= ~DRBG_FLAG_NOERR; + if (!FIPS_drbg_uninstantiate(dctx)) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); + goto err; + } + + /* Test too much entropy */ + + if (!do_drbg_init(dctx, td, &t)) + goto err; + + dctx->iflags |= DRBG_FLAG_NOERR; + + t.entlen = dctx->max_entropy + 1; + + if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, + FIPS_R_ENTROPY_ERROR_UNDETECTED); + goto err; + } + + dctx->iflags &= ~DRBG_FLAG_NOERR; + if (!FIPS_drbg_uninstantiate(dctx)) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); + goto err; + } + + /* Nonce tests */ + + /* Test too small nonce */ + + if (dctx->min_nonce) { + + if (!do_drbg_init(dctx, td, &t)) + goto err; + + dctx->iflags |= DRBG_FLAG_NOERR; + + t.noncelen = dctx->min_nonce - 1; + + if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, + FIPS_R_NONCE_ERROR_UNDETECTED); + goto err; + } + + dctx->iflags &= ~DRBG_FLAG_NOERR; + if (!FIPS_drbg_uninstantiate(dctx)) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); + goto err; + } + + } + + /* Test too large nonce */ + + if (dctx->max_nonce) { + + if (!do_drbg_init(dctx, td, &t)) + goto err; + + dctx->iflags |= DRBG_FLAG_NOERR; + + t.noncelen = dctx->max_nonce + 1; + + if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, + FIPS_R_NONCE_ERROR_UNDETECTED); + goto err; + } + + dctx->iflags &= ~DRBG_FLAG_NOERR; + if (!FIPS_drbg_uninstantiate(dctx)) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); + goto err; + } + + } + + /* Instantiate with valid data. */ + if (!do_drbg_instantiate(dctx, td, &t)) + goto err; + + /* Check generation is now OK */ + if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, + td->adin, td->adinlen)) + goto err; + + dctx->iflags |= DRBG_FLAG_NOERR; + + /* Request too much data for one request */ + if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0, + td->adin, td->adinlen)) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, + FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED); + goto err; + } + + /* Try too large additional input */ + if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, + td->adin, dctx->max_adin + 1)) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, + FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED); + goto err; + } + + /* Check prediction resistance request fails if entropy source + * failure. + */ + + t.entlen = 0; + + if (FIPS_drbg_generate(dctx, randout, td->katlen, 1, + td->adin, td->adinlen)) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, + FIPS_R_ENTROPY_ERROR_UNDETECTED); + goto err; + } + + dctx->iflags &= ~DRBG_FLAG_NOERR; + if (!FIPS_drbg_uninstantiate(dctx)) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); + goto err; + } + + /* Instantiate again with valid data */ + + if (!do_drbg_instantiate(dctx, td, &t)) + goto err; + /* Test reseed counter works */ + /* Save initial reseed counter */ + reseed_counter_tmp = dctx->reseed_counter; + /* Set reseed counter to beyond interval */ + dctx->reseed_counter = dctx->reseed_interval; + + /* Generate output and check entropy has been requested for reseed */ + t.entcnt = 0; + if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, + td->adin, td->adinlen)) + goto err; + if (t.entcnt != 1) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, + FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED); + goto err; + } + /* Check reseed counter has been reset */ + if (dctx->reseed_counter != reseed_counter_tmp + 1) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR); + goto err; + } + + dctx->iflags &= ~DRBG_FLAG_NOERR; + if (!FIPS_drbg_uninstantiate(dctx)) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); + goto err; + } + + /* Check prediction resistance request fails if entropy source + * failure. + */ + + t.entlen = 0; + + dctx->iflags |= DRBG_FLAG_NOERR; + if (FIPS_drbg_generate(dctx, randout, td->katlen, 1, + td->adin, td->adinlen)) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, + FIPS_R_ENTROPY_ERROR_UNDETECTED); + goto err; + } + + dctx->iflags &= ~DRBG_FLAG_NOERR; + + if (!FIPS_drbg_uninstantiate(dctx)) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); + goto err; + } + + if (!do_drbg_instantiate(dctx, td, &t)) + goto err; + /* Test reseed counter works */ + /* Save initial reseed counter */ + reseed_counter_tmp = dctx->reseed_counter; + /* Set reseed counter to beyond interval */ + dctx->reseed_counter = dctx->reseed_interval; + + /* Generate output and check entropy has been requested for reseed */ + t.entcnt = 0; + if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, + td->adin, td->adinlen)) + goto err; + if (t.entcnt != 1) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, + FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED); + goto err; + } + /* Check reseed counter has been reset */ + if (dctx->reseed_counter != reseed_counter_tmp + 1) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR); + goto err; + } + + dctx->iflags &= ~DRBG_FLAG_NOERR; + if (!FIPS_drbg_uninstantiate(dctx)) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); + goto err; + } + + /* Explicit reseed tests */ + + /* Test explicit reseed with too large additional input */ + if (!do_drbg_init(dctx, td, &t)) + goto err; + + dctx->iflags |= DRBG_FLAG_NOERR; + + if (FIPS_drbg_reseed(dctx, td->adin, dctx->max_adin + 1) > 0) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, + FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED); + goto err; + } + + /* Test explicit reseed with entropy source failure */ + + t.entlen = 0; + + if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, + FIPS_R_ENTROPY_ERROR_UNDETECTED); + goto err; + } + + if (!FIPS_drbg_uninstantiate(dctx)) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); + goto err; + } + + /* Test explicit reseed with too much entropy */ + + if (!do_drbg_init(dctx, td, &t)) + goto err; + + dctx->iflags |= DRBG_FLAG_NOERR; + + t.entlen = dctx->max_entropy + 1; + + if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, + FIPS_R_ENTROPY_ERROR_UNDETECTED); + goto err; + } + + if (!FIPS_drbg_uninstantiate(dctx)) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); + goto err; + } + + /* Test explicit reseed with too little entropy */ + + if (!do_drbg_init(dctx, td, &t)) + goto err; + + dctx->iflags |= DRBG_FLAG_NOERR; + + t.entlen = dctx->min_entropy - 1; + + if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, + FIPS_R_ENTROPY_ERROR_UNDETECTED); + goto err; + } + + if (!FIPS_drbg_uninstantiate(dctx)) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); + goto err; + } + + p = (unsigned char *)&dctx->d; + /* Standard says we have to check uninstantiate really zeroes + * the data... + */ + for (i = 0; i < sizeof(dctx->d); i++) { + if (*p != 0) { + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, + FIPS_R_UNINSTANTIATE_ZEROISE_ERROR); + goto err; + } + p++; + } + + return 1; + + err: + /* A real error as opposed to an induced one: underlying function will + * indicate the error. + */ + if (!(dctx->iflags & DRBG_FLAG_NOERR)) + FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_FUNCTION_ERROR); + FIPS_drbg_uninstantiate(dctx); + return 0; + +} + +int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags) +{ + DRBG_SELFTEST_DATA *td; + flags |= DRBG_FLAG_TEST; + for (td = drbg_test; td->nid != 0; td++) { + if (td->nid == nid && td->flags == flags) { + if (!fips_drbg_single_kat(dctx, td, 0)) + return 0; + return fips_drbg_error_check(dctx, td); + } + } + return 0; +} + +int FIPS_drbg_health_check(DRBG_CTX *dctx) +{ + int rv; + DRBG_CTX *tctx = NULL; + tctx = FIPS_drbg_new(0, 0); + fips_post_started(FIPS_TEST_DRBG, dctx->type, &dctx->xflags); + if (!tctx) + return 0; + rv = fips_drbg_kat(tctx, dctx->type, dctx->xflags); + if (tctx) + FIPS_drbg_free(tctx); + if (rv) + fips_post_success(FIPS_TEST_DRBG, dctx->type, &dctx->xflags); + else + fips_post_failed(FIPS_TEST_DRBG, dctx->type, &dctx->xflags); + if (!rv) + dctx->status = DRBG_STATUS_ERROR; + else + dctx->health_check_cnt = 0; + return rv; +} + +int FIPS_selftest_drbg(void) +{ + DRBG_CTX *dctx; + DRBG_SELFTEST_DATA *td; + int rv = 1; + dctx = FIPS_drbg_new(0, 0); + if (!dctx) + return 0; + for (td = drbg_test; td->nid != 0; td++) { + if (td->post != 1) + continue; + if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags)) + return 1; + if (!fips_drbg_single_kat(dctx, td, 1)) { + fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags); + rv = 0; + continue; + } + if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags)) + return 0; + } + FIPS_drbg_free(dctx); + return rv; +} + +int FIPS_selftest_drbg_all(void) +{ + DRBG_CTX *dctx; + DRBG_SELFTEST_DATA *td; + int rv = 1; + dctx = FIPS_drbg_new(0, 0); + if (!dctx) + return 0; + for (td = drbg_test; td->nid != 0; td++) { + if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags)) + return 1; + if (!fips_drbg_single_kat(dctx, td, 0)) { + fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags); + rv = 0; + continue; + } + if (!fips_drbg_error_check(dctx, td)) { + fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags); + rv = 0; + continue; + } + if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags)) + return 0; + } + FIPS_drbg_free(dctx); + return rv; +} diff -up openssl-1.1.1b/crypto/fips/fips_drbg_selftest.h.fips openssl-1.1.1b/crypto/fips/fips_drbg_selftest.h --- openssl-1.1.1b/crypto/fips/fips_drbg_selftest.h.fips 2019-02-28 11:30:06.813745540 +0100 +++ openssl-1.1.1b/crypto/fips/fips_drbg_selftest.h 2019-02-28 11:30:06.813745540 +0100 @@ -0,0 +1,1791 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +/* Selftest and health check data for the SP800-90 DRBG */ + +#define __fips_constseg + +/* AES-128 use df PR */ +__fips_constseg static const unsigned char aes_128_use_df_pr_entropyinput[] = { + 0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33, + 0xc8, 0xdb, 0xff, 0x12 +}; + +__fips_constseg static const unsigned char aes_128_use_df_pr_nonce[] = { + 0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28 +}; + +__fips_constseg + static const unsigned char aes_128_use_df_pr_personalizationstring[] = { + 0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe, + 0xd7, 0xd7, 0x01, 0x67 +}; + +__fips_constseg + static const unsigned char aes_128_use_df_pr_additionalinput[] = { + 0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e, + 0x9a, 0x47, 0x08, 0x76 +}; + +__fips_constseg + static const unsigned char aes_128_use_df_pr_entropyinputpr[] = { + 0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51, + 0x09, 0xfb, 0xa3, 0xb6 +}; + +__fips_constseg + static const unsigned char aes_128_use_df_pr_int_returnedbits[] = { + 0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52, + 0x66, 0x1c, 0xea, 0x5b +}; + +__fips_constseg + static const unsigned char aes_128_use_df_pr_additionalinput2[] = { + 0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11, + 0x3f, 0x5e, 0x31, 0x06 +}; + +__fips_constseg + static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = { + 0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae, + 0xa7, 0xe3, 0xa8, 0x67 +}; + +__fips_constseg static const unsigned char aes_128_use_df_pr_returnedbits[] = { + 0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24, + 0x0f, 0x38, 0x43, 0xc6 +}; + +/* AES-128 use df No PR */ +__fips_constseg static const unsigned char aes_128_use_df_entropyinput[] = { + 0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3, + 0x9d, 0x7d, 0x1c, 0x9b +}; + +__fips_constseg static const unsigned char aes_128_use_df_nonce[] = { + 0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96 +}; + +__fips_constseg + static const unsigned char aes_128_use_df_personalizationstring[] = { + 0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3, + 0x38, 0x66, 0xba, 0x1b +}; + +__fips_constseg static const unsigned char aes_128_use_df_additionalinput[] = { + 0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46, + 0xb5, 0xe2, 0xb2, 0x41 +}; + +__fips_constseg static const unsigned char aes_128_use_df_int_returnedbits[] = { + 0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67, + 0xe7, 0x57, 0x11, 0xb4 +}; + +__fips_constseg + static const unsigned char aes_128_use_df_entropyinputreseed[] = { + 0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b, + 0xc7, 0xc4, 0x9e, 0x39 +}; + +__fips_constseg + static const unsigned char aes_128_use_df_additionalinputreseed[] = { + 0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a, + 0xc8, 0x93, 0xfa, 0x84 +}; + +__fips_constseg static const unsigned char aes_128_use_df_additionalinput2[] = { + 0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5, + 0x06, 0x0c, 0x15, 0x2c +}; + +__fips_constseg static const unsigned char aes_128_use_df_returnedbits[] = { + 0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88, + 0x46, 0x81, 0xc7, 0x19 +}; + +/* AES-192 use df PR */ +__fips_constseg static const unsigned char aes_192_use_df_pr_entropyinput[] = { + 0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec, + 0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d +}; + +__fips_constseg static const unsigned char aes_192_use_df_pr_nonce[] = { + 0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0, + 0xd1, 0x80, 0x78, 0xfa +}; + +__fips_constseg + static const unsigned char aes_192_use_df_pr_personalizationstring[] = { + 0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16, + 0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5, + 0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04 +}; + +__fips_constseg + static const unsigned char aes_192_use_df_pr_additionalinput[] = { + 0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac, + 0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb, + 0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36 +}; + +__fips_constseg + static const unsigned char aes_192_use_df_pr_entropyinputpr[] = { + 0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5, + 0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5 +}; + +__fips_constseg + static const unsigned char aes_192_use_df_pr_int_returnedbits[] = { + 0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9, + 0x19, 0x30, 0x6b, 0x67 +}; + +__fips_constseg + static const unsigned char aes_192_use_df_pr_additionalinput2[] = { + 0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32, + 0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda, + 0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99 +}; + +__fips_constseg + static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = { + 0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0, + 0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e +}; + +__fips_constseg static const unsigned char aes_192_use_df_pr_returnedbits[] = { + 0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c, + 0x7e, 0x1a, 0x2b, 0x83 +}; + +/* AES-192 use df No PR */ +__fips_constseg static const unsigned char aes_192_use_df_entropyinput[] = { + 0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82, + 0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b +}; + +__fips_constseg static const unsigned char aes_192_use_df_nonce[] = { + 0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d, + 0x77, 0xd7, 0x41, 0x0e +}; + +__fips_constseg + static const unsigned char aes_192_use_df_personalizationstring[] = { + 0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf, + 0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65, + 0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70 +}; + +__fips_constseg static const unsigned char aes_192_use_df_additionalinput[] = { + 0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69, + 0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22, + 0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7 +}; + +__fips_constseg static const unsigned char aes_192_use_df_int_returnedbits[] = { + 0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6, + 0xb7, 0xed, 0xe9, 0xea +}; + +__fips_constseg + static const unsigned char aes_192_use_df_entropyinputreseed[] = { + 0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02, + 0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01 +}; + +__fips_constseg + static const unsigned char aes_192_use_df_additionalinputreseed[] = { + 0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76, + 0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77, + 0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65 +}; + +__fips_constseg static const unsigned char aes_192_use_df_additionalinput2[] = { + 0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e, + 0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0, + 0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77 +}; + +__fips_constseg static const unsigned char aes_192_use_df_returnedbits[] = { + 0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58, + 0x1a, 0xf9, 0x13, 0x28 +}; + +/* AES-256 use df PR */ +__fips_constseg static const unsigned char aes_256_use_df_pr_entropyinput[] = { + 0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74, + 0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f, + 0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a +}; + +__fips_constseg static const unsigned char aes_256_use_df_pr_nonce[] = { + 0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33, + 0x2b, 0x36, 0xff, 0xa4 +}; + +__fips_constseg + static const unsigned char aes_256_use_df_pr_personalizationstring[] = { + 0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24, + 0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83, + 0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d +}; + +__fips_constseg + static const unsigned char aes_256_use_df_pr_additionalinput[] = { + 0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0, + 0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3, + 0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde +}; + +__fips_constseg + static const unsigned char aes_256_use_df_pr_entropyinputpr[] = { + 0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77, + 0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54, + 0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9 +}; + +__fips_constseg + static const unsigned char aes_256_use_df_pr_int_returnedbits[] = { + 0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7, + 0x17, 0xab, 0x3c, 0x7a +}; + +__fips_constseg + static const unsigned char aes_256_use_df_pr_additionalinput2[] = { + 0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00, + 0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78, + 0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3 +}; + +__fips_constseg + static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = { + 0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73, + 0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8, + 0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f +}; + +__fips_constseg static const unsigned char aes_256_use_df_pr_returnedbits[] = { + 0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0, + 0xd9, 0xe2, 0x97, 0x00 +}; + +/* AES-256 use df No PR */ +__fips_constseg static const unsigned char aes_256_use_df_entropyinput[] = { + 0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50, + 0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68, + 0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47 +}; + +__fips_constseg static const unsigned char aes_256_use_df_nonce[] = { + 0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a, + 0x4c, 0x44, 0x84, 0x40 +}; + +__fips_constseg + static const unsigned char aes_256_use_df_personalizationstring[] = { + 0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05, + 0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b, + 0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2 +}; + +__fips_constseg static const unsigned char aes_256_use_df_additionalinput[] = { + 0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f, + 0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf, + 0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46 +}; + +__fips_constseg static const unsigned char aes_256_use_df_int_returnedbits[] = { + 0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1, + 0x28, 0x0c, 0x3b, 0xc1 +}; + +__fips_constseg + static const unsigned char aes_256_use_df_entropyinputreseed[] = { + 0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76, + 0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46, + 0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e +}; + +__fips_constseg + static const unsigned char aes_256_use_df_additionalinputreseed[] = { + 0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99, + 0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75, + 0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75 +}; + +__fips_constseg static const unsigned char aes_256_use_df_additionalinput2[] = { + 0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d, + 0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a, + 0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d +}; + +__fips_constseg static const unsigned char aes_256_use_df_returnedbits[] = { + 0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad, + 0xfa, 0xfd, 0x35, 0x5e +}; + +/* AES-128 no df PR */ +__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinput[] = { + 0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4, + 0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf, + 0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a +}; + +__fips_constseg static const unsigned char aes_128_no_df_pr_nonce[] = { + 0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1 +}; + +__fips_constseg + static const unsigned char aes_128_no_df_pr_personalizationstring[] = { + 0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c, + 0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c, + 0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8 +}; + +__fips_constseg + static const unsigned char aes_128_no_df_pr_additionalinput[] = { + 0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02, + 0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73, + 0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12 +}; + +__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinputpr[] = { + 0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a, + 0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7, + 0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e +}; + +__fips_constseg + static const unsigned char aes_128_no_df_pr_int_returnedbits[] = { + 0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71, + 0xaf, 0x19, 0x32, 0x16 +}; + +__fips_constseg + static const unsigned char aes_128_no_df_pr_additionalinput2[] = { + 0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f, + 0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83, + 0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50 +}; + +__fips_constseg + static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = { + 0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a, + 0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07, + 0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9 +}; + +__fips_constseg static const unsigned char aes_128_no_df_pr_returnedbits[] = { + 0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33, + 0x57, 0x82, 0x33, 0xaf +}; + +/* AES-128 no df No PR */ +__fips_constseg static const unsigned char aes_128_no_df_entropyinput[] = { + 0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67, + 0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42, + 0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60 +}; + +__fips_constseg static const unsigned char aes_128_no_df_nonce[] = { + 0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13 +}; + +__fips_constseg + static const unsigned char aes_128_no_df_personalizationstring[] = { + 0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb, + 0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b, + 0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce +}; + +__fips_constseg static const unsigned char aes_128_no_df_additionalinput[] = { + 0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37, + 0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24, + 0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95 +}; + +__fips_constseg static const unsigned char aes_128_no_df_int_returnedbits[] = { + 0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6, + 0xed, 0x3e, 0x65, 0xc2 +}; + +__fips_constseg + static const unsigned char aes_128_no_df_entropyinputreseed[] = { + 0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66, + 0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1, + 0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00 +}; + +__fips_constseg + static const unsigned char aes_128_no_df_additionalinputreseed[] = { + 0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2, + 0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4, + 0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4 +}; + +__fips_constseg static const unsigned char aes_128_no_df_additionalinput2[] = { + 0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f, + 0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac, + 0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6 +}; + +__fips_constseg static const unsigned char aes_128_no_df_returnedbits[] = { + 0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36, + 0x81, 0x37, 0x19, 0xd4 +}; + +/* AES-192 no df PR */ +__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinput[] = { + 0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7, + 0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61, + 0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a, + 0x17, 0x1f, 0x8d, 0x9a +}; + +__fips_constseg static const unsigned char aes_192_no_df_pr_nonce[] = { + 0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19, + 0x61, 0x5c, 0xee, 0x0f +}; + +__fips_constseg + static const unsigned char aes_192_no_df_pr_personalizationstring[] = { + 0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1, + 0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4, + 0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10, + 0x57, 0x2e, 0xe7, 0x55 +}; + +__fips_constseg + static const unsigned char aes_192_no_df_pr_additionalinput[] = { + 0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad, + 0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85, + 0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f, + 0xe2, 0xd0, 0x0c, 0x2f +}; + +__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinputpr[] = { + 0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94, + 0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb, + 0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58, + 0x1d, 0x30, 0xb3, 0x78 +}; + +__fips_constseg + static const unsigned char aes_192_no_df_pr_int_returnedbits[] = { + 0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40, + 0x7e, 0x3e, 0x0c, 0x26 +}; + +__fips_constseg + static const unsigned char aes_192_no_df_pr_additionalinput2[] = { + 0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a, + 0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57, + 0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee, + 0x0c, 0x4b, 0xee, 0x6e +}; + +__fips_constseg + static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = { + 0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0, + 0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f, + 0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b, + 0x8e, 0x0a, 0x83, 0xdf +}; + +__fips_constseg static const unsigned char aes_192_no_df_pr_returnedbits[] = { + 0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91, + 0xb9, 0xa1, 0x21, 0x68 +}; + +/* AES-192 no df No PR */ +__fips_constseg static const unsigned char aes_192_no_df_entropyinput[] = { + 0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e, + 0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe, + 0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28, + 0x94, 0xc3, 0x59, 0x63 +}; + +__fips_constseg static const unsigned char aes_192_no_df_nonce[] = { + 0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb, + 0x29, 0xfd, 0x45, 0x71 +}; + +__fips_constseg + static const unsigned char aes_192_no_df_personalizationstring[] = { + 0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08, + 0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96, + 0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b, + 0x3b, 0x88, 0xce, 0x35 +}; + +__fips_constseg static const unsigned char aes_192_no_df_additionalinput[] = { + 0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b, + 0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71, + 0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3, + 0x3e, 0xbe, 0xd4, 0x8e +}; + +__fips_constseg static const unsigned char aes_192_no_df_int_returnedbits[] = { + 0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a, + 0x45, 0xe7, 0x4a, 0xc5 +}; + +__fips_constseg + static const unsigned char aes_192_no_df_entropyinputreseed[] = { + 0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e, + 0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1, + 0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33, + 0x9b, 0xcb, 0x7e, 0x75 +}; + +__fips_constseg + static const unsigned char aes_192_no_df_additionalinputreseed[] = { + 0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01, + 0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27, + 0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40, + 0x5d, 0x7a, 0x25, 0x79 +}; + +__fips_constseg static const unsigned char aes_192_no_df_additionalinput2[] = { + 0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71, + 0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5, + 0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a, + 0x91, 0x6a, 0xe3, 0x5f +}; + +__fips_constseg static const unsigned char aes_192_no_df_returnedbits[] = { + 0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8, + 0x66, 0x67, 0x2c, 0x92 +}; + +/* AES-256 no df PR */ +__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinput[] = { + 0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8, + 0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2, + 0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03, + 0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c +}; + +__fips_constseg static const unsigned char aes_256_no_df_pr_nonce[] = { + 0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30, + 0xcc, 0x4b, 0xee, 0x2e +}; + +__fips_constseg + static const unsigned char aes_256_no_df_pr_personalizationstring[] = { + 0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7, + 0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b, + 0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac, + 0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06 +}; + +__fips_constseg + static const unsigned char aes_256_no_df_pr_additionalinput[] = { + 0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40, + 0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c, + 0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69, + 0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e +}; + +__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinputpr[] = { + 0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16, + 0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc, + 0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9, + 0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f +}; + +__fips_constseg + static const unsigned char aes_256_no_df_pr_int_returnedbits[] = { + 0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56, + 0x79, 0x60, 0x93, 0xcf +}; + +__fips_constseg + static const unsigned char aes_256_no_df_pr_additionalinput2[] = { + 0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a, + 0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35, + 0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34, + 0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb +}; + +__fips_constseg + static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = { + 0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3, + 0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa, + 0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83, + 0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f +}; + +__fips_constseg static const unsigned char aes_256_no_df_pr_returnedbits[] = { + 0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7, + 0x2d, 0x5f, 0x4a, 0x46 +}; + +/* AES-256 no df No PR */ +__fips_constseg static const unsigned char aes_256_no_df_entropyinput[] = { + 0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3, + 0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb, + 0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96, + 0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3 +}; + +__fips_constseg static const unsigned char aes_256_no_df_nonce[] = { + 0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99, + 0x43, 0x96, 0xb9, 0xf0 +}; + +__fips_constseg + static const unsigned char aes_256_no_df_personalizationstring[] = { + 0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60, + 0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc, + 0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f, + 0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d +}; + +__fips_constseg static const unsigned char aes_256_no_df_additionalinput[] = { + 0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6, + 0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9, + 0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed, + 0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17 +}; + +__fips_constseg static const unsigned char aes_256_no_df_int_returnedbits[] = { + 0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6, + 0xd2, 0x25, 0x75, 0x0e +}; + +__fips_constseg + static const unsigned char aes_256_no_df_entropyinputreseed[] = { + 0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b, + 0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5, + 0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed, + 0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb +}; + +__fips_constseg + static const unsigned char aes_256_no_df_additionalinputreseed[] = { + 0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e, + 0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18, + 0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b, + 0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29 +}; + +__fips_constseg static const unsigned char aes_256_no_df_additionalinput2[] = { + 0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe, + 0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42, + 0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba, + 0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6 +}; + +__fips_constseg static const unsigned char aes_256_no_df_returnedbits[] = { + 0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67, + 0xf6, 0x02, 0x32, 0xe2 +}; + +/* SHA-1 PR */ +__fips_constseg static const unsigned char sha1_pr_entropyinput[] = { + 0xd2, 0x36, 0xa5, 0x27, 0x31, 0x73, 0xdd, 0x11, 0x4f, 0x93, 0xbd, 0xe2, + 0x31, 0xa5, 0x91, 0x13 +}; + +__fips_constseg static const unsigned char sha1_pr_nonce[] = { + 0xb5, 0xb3, 0x60, 0xef, 0xf7, 0x63, 0x31, 0xf3 +}; + +__fips_constseg static const unsigned char sha1_pr_personalizationstring[] = { + 0xd4, 0xbb, 0x02, 0x10, 0xb2, 0x71, 0xdb, 0x81, 0xd6, 0xf0, 0x42, 0x60, + 0xda, 0xea, 0x77, 0x52 +}; + +__fips_constseg static const unsigned char sha1_pr_additionalinput[] = { + 0x4d, 0xd2, 0x6c, 0x87, 0xfb, 0x2c, 0x4f, 0xa6, 0x8d, 0x16, 0x63, 0x22, + 0x6a, 0x51, 0xe3, 0xf8 +}; + +__fips_constseg static const unsigned char sha1_pr_entropyinputpr[] = { + 0xc9, 0x83, 0x9e, 0x16, 0xf6, 0x1c, 0x0f, 0xb2, 0xec, 0x60, 0x31, 0xa9, + 0xcb, 0xa9, 0x36, 0x7a +}; + +__fips_constseg static const unsigned char sha1_pr_int_returnedbits[] = { + 0xa8, 0x13, 0x4f, 0xf4, 0x31, 0x02, 0x44, 0xe3, 0xd3, 0x3d, 0x61, 0x9e, + 0xe5, 0xc6, 0x3e, 0x89, 0xb5, 0x9b, 0x0f, 0x35 +}; + +__fips_constseg static const unsigned char sha1_pr_additionalinput2[] = { + 0xf9, 0xe8, 0xd2, 0x72, 0x13, 0x34, 0x95, 0x6f, 0x15, 0x49, 0x47, 0x99, + 0x16, 0x03, 0x19, 0x47 +}; + +__fips_constseg static const unsigned char sha1_pr_entropyinputpr2[] = { + 0x4e, 0x8c, 0x49, 0x9b, 0x4a, 0x5c, 0x9b, 0x9c, 0x3a, 0xee, 0xfb, 0xd2, + 0xae, 0xcd, 0x8c, 0xc4 +}; + +__fips_constseg static const unsigned char sha1_pr_returnedbits[] = { + 0x50, 0xb4, 0xb4, 0xcd, 0x68, 0x57, 0xfc, 0x2e, 0xc1, 0x52, 0xcc, 0xf6, + 0x68, 0xa4, 0x81, 0xed, 0x7e, 0xe4, 0x1d, 0x87 +}; + +/* SHA-1 No PR */ +__fips_constseg static const unsigned char sha1_entropyinput[] = { + 0xa9, 0x47, 0x1b, 0x29, 0x2d, 0x1c, 0x05, 0xdf, 0x76, 0xd0, 0x62, 0xf9, + 0xe2, 0x7f, 0x4c, 0x7b +}; + +__fips_constseg static const unsigned char sha1_nonce[] = { + 0x53, 0x23, 0x24, 0xe3, 0xec, 0x0c, 0x54, 0x14 +}; + +__fips_constseg static const unsigned char sha1_personalizationstring[] = { + 0x7a, 0x87, 0xa1, 0xac, 0x1c, 0xfd, 0xab, 0xae, 0xf7, 0xd6, 0xfb, 0x76, + 0x28, 0xec, 0x6d, 0xca +}; + +__fips_constseg static const unsigned char sha1_additionalinput[] = { + 0xfc, 0x92, 0x35, 0xd6, 0x7e, 0xb7, 0x24, 0x65, 0xfd, 0x12, 0x27, 0x35, + 0xc0, 0x72, 0xca, 0x28 +}; + +__fips_constseg static const unsigned char sha1_int_returnedbits[] = { + 0x57, 0x88, 0x82, 0xe5, 0x25, 0xa5, 0x2c, 0x4a, 0x06, 0x20, 0x6c, 0x72, + 0x55, 0x61, 0xdd, 0x90, 0x71, 0x9f, 0x95, 0xea +}; + +__fips_constseg static const unsigned char sha1_entropyinputreseed[] = { + 0x69, 0xa5, 0x40, 0x62, 0x98, 0x47, 0x56, 0x73, 0x4a, 0x8f, 0x60, 0x96, + 0xd6, 0x99, 0x27, 0xed +}; + +__fips_constseg static const unsigned char sha1_additionalinputreseed[] = { + 0xe5, 0x40, 0x4e, 0xbd, 0x50, 0x00, 0xf5, 0x15, 0xa6, 0xee, 0x45, 0xda, + 0x84, 0x3d, 0xd4, 0xc0 +}; + +__fips_constseg static const unsigned char sha1_additionalinput2[] = { + 0x11, 0x51, 0x14, 0xf0, 0x09, 0x1b, 0x4e, 0x56, 0x0d, 0xe9, 0xf6, 0x1e, + 0x52, 0x65, 0xcd, 0x96 +}; + +__fips_constseg static const unsigned char sha1_returnedbits[] = { + 0xa1, 0x9c, 0x94, 0x6e, 0x29, 0xe1, 0x33, 0x0d, 0x32, 0xd6, 0xaa, 0xce, + 0x71, 0x3f, 0x52, 0x72, 0x8b, 0x42, 0xa8, 0xd7 +}; + +/* SHA-224 PR */ +__fips_constseg static const unsigned char sha224_pr_entropyinput[] = { + 0x12, 0x69, 0x32, 0x4f, 0x83, 0xa6, 0xf5, 0x14, 0xe3, 0x49, 0x3e, 0x75, + 0x3e, 0xde, 0xad, 0xa1, 0x29, 0xc3, 0xf3, 0x19, 0x20, 0xb5, 0x4c, 0xd9 +}; + +__fips_constseg static const unsigned char sha224_pr_nonce[] = { + 0x6a, 0x78, 0xd0, 0xeb, 0xbb, 0x5a, 0xf0, 0xee, 0xe8, 0xc3, 0xba, 0x71 +}; + +__fips_constseg static const unsigned char sha224_pr_personalizationstring[] = { + 0xd5, 0xb8, 0xb6, 0xbc, 0xc1, 0x5b, 0x60, 0x31, 0x3c, 0xf5, 0xe5, 0xc0, + 0x8e, 0x52, 0x7a, 0xbd, 0xea, 0x47, 0xa9, 0x5f, 0x8f, 0xf9, 0x8b, 0xae +}; + +__fips_constseg static const unsigned char sha224_pr_additionalinput[] = { + 0x1f, 0x55, 0xec, 0xae, 0x16, 0x12, 0x84, 0xba, 0x84, 0x16, 0x19, 0x88, + 0x8e, 0xb8, 0x33, 0x25, 0x54, 0xff, 0xca, 0x79, 0xaf, 0x07, 0x25, 0x50 +}; + +__fips_constseg static const unsigned char sha224_pr_entropyinputpr[] = { + 0x92, 0xa3, 0x32, 0xa8, 0x9a, 0x0a, 0x58, 0x7c, 0x1d, 0x5a, 0x7e, 0xe1, + 0xb2, 0x73, 0xab, 0x0e, 0x16, 0x79, 0x23, 0xd3, 0x29, 0x89, 0x81, 0xe1 +}; + +__fips_constseg static const unsigned char sha224_pr_int_returnedbits[] = { + 0xf3, 0x38, 0x91, 0x40, 0x37, 0x7a, 0x51, 0x72, 0x42, 0x74, 0x78, 0x0a, + 0x69, 0xfd, 0xa6, 0x44, 0x43, 0x45, 0x6c, 0x0c, 0x5a, 0x19, 0xff, 0xf1, + 0x54, 0x60, 0xee, 0x6a +}; + +__fips_constseg static const unsigned char sha224_pr_additionalinput2[] = { + 0x75, 0xf3, 0x04, 0x25, 0xdd, 0x36, 0xa8, 0x37, 0x46, 0xae, 0x0c, 0x52, + 0x05, 0x79, 0x4c, 0x26, 0xdb, 0xe9, 0x71, 0x16, 0x4c, 0x0a, 0xf2, 0x60 +}; + +__fips_constseg static const unsigned char sha224_pr_entropyinputpr2[] = { + 0xea, 0xc5, 0x03, 0x0a, 0x4f, 0xb0, 0x38, 0x8d, 0x23, 0xd4, 0xc8, 0x77, + 0xe2, 0x6d, 0x9c, 0x0b, 0x44, 0xf7, 0x2d, 0x5b, 0xbf, 0x5d, 0x2a, 0x11 +}; + +__fips_constseg static const unsigned char sha224_pr_returnedbits[] = { + 0x60, 0x50, 0x2b, 0xe7, 0x86, 0xd8, 0x26, 0x73, 0xe3, 0x1d, 0x95, 0x20, + 0xb3, 0x2c, 0x32, 0x1c, 0xf5, 0xce, 0x57, 0xa6, 0x67, 0x2b, 0xdc, 0x4e, + 0xdd, 0x11, 0x4c, 0xc4 +}; + +/* SHA-224 No PR */ +__fips_constseg static const unsigned char sha224_entropyinput[] = { + 0xb2, 0x1c, 0x77, 0x4d, 0xf6, 0xd3, 0xb6, 0x40, 0xb7, 0x30, 0x3e, 0x29, + 0xb0, 0x85, 0x1c, 0xbe, 0x4a, 0xea, 0x6b, 0x5a, 0xb5, 0x8a, 0x97, 0xeb +}; + +__fips_constseg static const unsigned char sha224_nonce[] = { + 0x42, 0x02, 0x0a, 0x1c, 0x98, 0x9a, 0x77, 0x9e, 0x9f, 0x80, 0xba, 0xe0 +}; + +__fips_constseg static const unsigned char sha224_personalizationstring[] = { + 0x98, 0xb8, 0x04, 0x41, 0xfc, 0xc1, 0x5d, 0xc5, 0xe9, 0xb9, 0x08, 0xda, + 0xf9, 0xfa, 0x0d, 0x90, 0xce, 0xdf, 0x1d, 0x10, 0xa9, 0x8d, 0x50, 0x0c +}; + +__fips_constseg static const unsigned char sha224_additionalinput[] = { + 0x9a, 0x8d, 0x39, 0x49, 0x42, 0xd5, 0x0b, 0xae, 0xe1, 0xaf, 0xb7, 0x00, + 0x02, 0xfa, 0x96, 0xb1, 0xa5, 0x1d, 0x2d, 0x25, 0x78, 0xee, 0x83, 0x3f +}; + +__fips_constseg static const unsigned char sha224_int_returnedbits[] = { + 0xe4, 0xf5, 0x53, 0x79, 0x5a, 0x97, 0x58, 0x06, 0x08, 0xba, 0x7b, 0xfa, + 0xf0, 0x83, 0x05, 0x8c, 0x22, 0xc0, 0xc9, 0xdb, 0x15, 0xe7, 0xde, 0x20, + 0x55, 0x22, 0x9a, 0xad +}; + +__fips_constseg static const unsigned char sha224_entropyinputreseed[] = { + 0x67, 0x09, 0x48, 0xaa, 0x07, 0x16, 0x99, 0x89, 0x7f, 0x6d, 0xa0, 0xe5, + 0x8f, 0xdf, 0xbc, 0xdb, 0xfe, 0xe5, 0x6c, 0x7a, 0x95, 0x4a, 0x66, 0x17 +}; + +__fips_constseg static const unsigned char sha224_additionalinputreseed[] = { + 0x0f, 0x4b, 0x1c, 0x6f, 0xb7, 0xe3, 0x47, 0xe5, 0x5d, 0x7d, 0x38, 0xd6, + 0x28, 0x9b, 0xeb, 0x55, 0x63, 0x09, 0x3e, 0x7c, 0x56, 0xea, 0xf8, 0x19 +}; + +__fips_constseg static const unsigned char sha224_additionalinput2[] = { + 0x2d, 0x26, 0x7c, 0x37, 0xe4, 0x7a, 0x28, 0x5e, 0x5a, 0x3c, 0xaf, 0x3d, + 0x5a, 0x8e, 0x55, 0xa2, 0x1a, 0x6e, 0xc0, 0xe5, 0xf6, 0x21, 0xd3, 0xf6 +}; + +__fips_constseg static const unsigned char sha224_returnedbits[] = { + 0x4d, 0x83, 0x35, 0xdf, 0x67, 0xa9, 0xfc, 0x17, 0xda, 0x70, 0xcc, 0x8b, + 0x7f, 0x77, 0xae, 0xa2, 0x5f, 0xb9, 0x7e, 0x74, 0x4c, 0x26, 0xc1, 0x7a, + 0x3b, 0xa7, 0x5c, 0x93 +}; + +/* SHA-256 PR */ +__fips_constseg static const unsigned char sha256_pr_entropyinput[] = { + 0xce, 0x49, 0x00, 0x7a, 0x56, 0xe3, 0x67, 0x8f, 0xe1, 0xb6, 0xa7, 0xd4, + 0x4f, 0x08, 0x7a, 0x1b, 0x01, 0xf4, 0xfa, 0x6b, 0xef, 0xb7, 0xe5, 0xeb, + 0x07, 0x3d, 0x11, 0x0d, 0xc8, 0xea, 0x2b, 0xfe +}; + +__fips_constseg static const unsigned char sha256_pr_nonce[] = { + 0x73, 0x41, 0xc8, 0x92, 0x94, 0xe2, 0xc5, 0x5f, 0x93, 0xfd, 0x39, 0x5d, + 0x2b, 0x91, 0x4d, 0x38 +}; + +__fips_constseg static const unsigned char sha256_pr_personalizationstring[] = { + 0x50, 0x6d, 0x01, 0x01, 0x07, 0x5a, 0x80, 0x35, 0x7a, 0x56, 0x1a, 0x56, + 0x2f, 0x9a, 0x0b, 0x35, 0xb2, 0xb1, 0xc9, 0xe5, 0xca, 0x69, 0x61, 0x48, + 0xff, 0xfb, 0x0f, 0xd9, 0x4b, 0x79, 0x1d, 0xba +}; + +__fips_constseg static const unsigned char sha256_pr_additionalinput[] = { + 0x20, 0xb8, 0xdf, 0x44, 0x77, 0x5a, 0xb8, 0xd3, 0xbf, 0xf6, 0xcf, 0xac, + 0x5e, 0xa6, 0x96, 0x62, 0x73, 0x44, 0x40, 0x4a, 0x30, 0xfb, 0x38, 0xa5, + 0x7b, 0x0d, 0xe4, 0x0d, 0xc6, 0xe4, 0x9a, 0x1f +}; + +__fips_constseg static const unsigned char sha256_pr_entropyinputpr[] = { + 0x04, 0xc4, 0x65, 0xf4, 0xd3, 0xbf, 0x83, 0x4b, 0xab, 0xc8, 0x41, 0xa8, + 0xc2, 0xe0, 0x44, 0x63, 0x77, 0x4c, 0x6f, 0x6c, 0x49, 0x46, 0xff, 0x94, + 0x17, 0xea, 0xe6, 0x1a, 0x9d, 0x5e, 0x66, 0x78 +}; + +__fips_constseg static const unsigned char sha256_pr_int_returnedbits[] = { + 0x07, 0x4d, 0xac, 0x9b, 0x86, 0xca, 0x4a, 0xaa, 0x6e, 0x7a, 0x03, 0xa2, + 0x5d, 0x10, 0xea, 0x0b, 0xf9, 0x83, 0xcc, 0xd1, 0xfc, 0xe2, 0x07, 0xc7, + 0x06, 0x34, 0x60, 0x6f, 0x83, 0x94, 0x99, 0x76 +}; + +__fips_constseg static const unsigned char sha256_pr_additionalinput2[] = { + 0x89, 0x4e, 0x45, 0x8c, 0x11, 0xf9, 0xbc, 0x5b, 0xac, 0x74, 0x8b, 0x4b, + 0x5f, 0xf7, 0x19, 0xf3, 0xf5, 0x24, 0x54, 0x14, 0xd1, 0x15, 0xb1, 0x43, + 0x12, 0xa4, 0x5f, 0xd4, 0xec, 0xfc, 0xcd, 0x09 +}; + +__fips_constseg static const unsigned char sha256_pr_entropyinputpr2[] = { + 0x0e, 0xeb, 0x1f, 0xd7, 0xfc, 0xd1, 0x9d, 0xd4, 0x05, 0x36, 0x8b, 0xb2, + 0xfb, 0xe4, 0xf4, 0x51, 0x0c, 0x87, 0x9b, 0x02, 0x44, 0xd5, 0x92, 0x4d, + 0x44, 0xfe, 0x1a, 0x03, 0x43, 0x56, 0xbd, 0x86 +}; + +__fips_constseg static const unsigned char sha256_pr_returnedbits[] = { + 0x02, 0xaa, 0xb6, 0x1d, 0x7e, 0x2a, 0x40, 0x03, 0x69, 0x2d, 0x49, 0xa3, + 0x41, 0xe7, 0x44, 0x0b, 0xaf, 0x7b, 0x85, 0xe4, 0x5f, 0x53, 0x3b, 0x64, + 0xbc, 0x89, 0xc8, 0x82, 0xd4, 0x78, 0x37, 0xa2 +}; + +/* SHA-256 No PR */ +__fips_constseg static const unsigned char sha256_entropyinput[] = { + 0x5b, 0x1b, 0xec, 0x4d, 0xa9, 0x38, 0x74, 0x5a, 0x34, 0x0b, 0x7b, 0xc5, + 0xe5, 0xd7, 0x66, 0x7c, 0xbc, 0x82, 0xb9, 0x0e, 0x2d, 0x1f, 0x92, 0xd7, + 0xc1, 0xbc, 0x67, 0x69, 0xec, 0x6b, 0x03, 0x3c +}; + +__fips_constseg static const unsigned char sha256_nonce[] = { + 0xa4, 0x0c, 0xd8, 0x9c, 0x61, 0xd8, 0xc3, 0x54, 0xfe, 0x53, 0xc9, 0xe5, + 0x5d, 0x6f, 0x6d, 0x35 +}; + +__fips_constseg static const unsigned char sha256_personalizationstring[] = { + 0x22, 0x5e, 0x62, 0x93, 0x42, 0x83, 0x78, 0x24, 0xd8, 0x40, 0x8c, 0xde, + 0x6f, 0xf9, 0xa4, 0x7a, 0xc5, 0xa7, 0x3b, 0x88, 0xa3, 0xee, 0x42, 0x20, + 0xfd, 0x61, 0x56, 0xc6, 0x4c, 0x13, 0x41, 0x9c +}; + +__fips_constseg static const unsigned char sha256_additionalinput[] = { + 0xbf, 0x74, 0x5b, 0xf6, 0xc5, 0x64, 0x5e, 0x99, 0x34, 0x8f, 0xbc, 0xa4, + 0xe2, 0xbd, 0xd8, 0x85, 0x26, 0x37, 0xea, 0xba, 0x4f, 0xf2, 0x9a, 0x9a, + 0x66, 0xfc, 0xdf, 0x63, 0x26, 0x26, 0x19, 0x87 +}; + +__fips_constseg static const unsigned char sha256_int_returnedbits[] = { + 0xb3, 0xc6, 0x07, 0x07, 0xd6, 0x75, 0xf6, 0x2b, 0xd6, 0x21, 0x96, 0xf1, + 0xae, 0xdb, 0x2b, 0xac, 0x25, 0x2a, 0xae, 0xae, 0x41, 0x72, 0x03, 0x5e, + 0xbf, 0xd3, 0x64, 0xbc, 0x59, 0xf9, 0xc0, 0x76 +}; + +__fips_constseg static const unsigned char sha256_entropyinputreseed[] = { + 0xbf, 0x20, 0x33, 0x56, 0x29, 0xa8, 0x37, 0x04, 0x1f, 0x78, 0x34, 0x3d, + 0x81, 0x2a, 0xc9, 0x86, 0xc6, 0x7a, 0x2f, 0x88, 0x5e, 0xd5, 0xbe, 0x34, + 0x46, 0x20, 0xa4, 0x35, 0xeb, 0xc7, 0xe2, 0x9d +}; + +__fips_constseg static const unsigned char sha256_additionalinputreseed[] = { + 0x9b, 0xae, 0x2d, 0x2d, 0x61, 0xa4, 0x89, 0xeb, 0x43, 0x46, 0xa7, 0xda, + 0xef, 0x40, 0xca, 0x4a, 0x99, 0x11, 0x41, 0xdc, 0x5c, 0x94, 0xe9, 0xac, + 0xd4, 0xd0, 0xe6, 0xbd, 0xfb, 0x03, 0x9c, 0xa8 +}; + +__fips_constseg static const unsigned char sha256_additionalinput2[] = { + 0x23, 0xaa, 0x0c, 0xbd, 0x28, 0x33, 0xe2, 0x51, 0xfc, 0x71, 0xd2, 0x15, + 0x1f, 0x76, 0xfd, 0x0d, 0xe0, 0xb7, 0xb5, 0x84, 0x75, 0x5b, 0xbe, 0xf3, + 0x5c, 0xca, 0xc5, 0x30, 0xf2, 0x75, 0x1f, 0xda +}; + +__fips_constseg static const unsigned char sha256_returnedbits[] = { + 0x90, 0x3c, 0xc1, 0x10, 0x8c, 0x12, 0x01, 0xc6, 0xa6, 0x3a, 0x0f, 0x4d, + 0xb6, 0x3a, 0x4f, 0x41, 0x9c, 0x61, 0x75, 0x84, 0xe9, 0x74, 0x75, 0xfd, + 0xfe, 0xf2, 0x1f, 0x43, 0xd8, 0x5e, 0x24, 0xa3 +}; + +/* SHA-384 PR */ +__fips_constseg static const unsigned char sha384_pr_entropyinput[] = { + 0x71, 0x9d, 0xb2, 0x5a, 0x71, 0x6d, 0x04, 0xe9, 0x1e, 0xc7, 0x92, 0x24, + 0x6e, 0x12, 0x33, 0xa9, 0x52, 0x64, 0x31, 0xef, 0x71, 0xeb, 0x22, 0x55, + 0x28, 0x97, 0x06, 0x6a, 0xc0, 0x0c, 0xa0, 0x7e +}; + +__fips_constseg static const unsigned char sha384_pr_nonce[] = { + 0xf5, 0x0d, 0xfa, 0xb0, 0xec, 0x6a, 0x7c, 0xd6, 0xbd, 0x9b, 0x05, 0xfd, + 0x38, 0x3e, 0x2e, 0x56 +}; + +__fips_constseg static const unsigned char sha384_pr_personalizationstring[] = { + 0x74, 0xac, 0x7e, 0x6d, 0xb1, 0xa4, 0xe7, 0x21, 0xd1, 0x1e, 0x6e, 0x96, + 0x6d, 0x4d, 0x53, 0x46, 0x82, 0x96, 0x6e, 0xcf, 0xaa, 0x81, 0x8d, 0x7d, + 0x9e, 0xe1, 0x0f, 0x15, 0xea, 0x41, 0xbf, 0xe3 +}; + +__fips_constseg static const unsigned char sha384_pr_additionalinput[] = { + 0xda, 0x95, 0xd4, 0xd0, 0xb8, 0x11, 0xd3, 0x49, 0x27, 0x5d, 0xa9, 0x39, + 0x68, 0xf3, 0xa8, 0xe9, 0x5d, 0x19, 0x8a, 0x2b, 0x66, 0xe8, 0x69, 0x06, + 0x7c, 0x9e, 0x03, 0xa1, 0x8b, 0x26, 0x2d, 0x6e +}; + +__fips_constseg static const unsigned char sha384_pr_entropyinputpr[] = { + 0x49, 0xdf, 0x44, 0x00, 0xe4, 0x1c, 0x75, 0x0b, 0x26, 0x5a, 0x59, 0x64, + 0x1f, 0x4e, 0xb1, 0xb2, 0x13, 0xf1, 0x22, 0x4e, 0xb4, 0x6d, 0x9a, 0xcc, + 0xa0, 0x48, 0xe6, 0xcf, 0x1d, 0xd1, 0x92, 0x0d +}; + +__fips_constseg static const unsigned char sha384_pr_int_returnedbits[] = { + 0xc8, 0x52, 0xae, 0xbf, 0x04, 0x3c, 0x27, 0xb7, 0x78, 0x18, 0xaa, 0x8f, + 0xff, 0xcf, 0xa4, 0xf1, 0xcc, 0xe7, 0x68, 0xfa, 0x22, 0xa2, 0x13, 0x45, + 0xe8, 0xdd, 0x87, 0xe6, 0xf2, 0x6e, 0xdd, 0xc7, 0x52, 0x90, 0x9f, 0x7b, + 0xfa, 0x61, 0x2d, 0x9d, 0x9e, 0xcf, 0x98, 0xac, 0x52, 0x40, 0xce, 0xaf +}; + +__fips_constseg static const unsigned char sha384_pr_additionalinput2[] = { + 0x61, 0x7c, 0x03, 0x9a, 0x3e, 0x50, 0x57, 0x60, 0xc5, 0x83, 0xc9, 0xb2, + 0xd1, 0x87, 0x85, 0x66, 0x92, 0x5d, 0x84, 0x0e, 0x53, 0xfb, 0x70, 0x03, + 0x72, 0xfd, 0xba, 0xae, 0x9c, 0x8f, 0xf8, 0x18 +}; + +__fips_constseg static const unsigned char sha384_pr_entropyinputpr2[] = { + 0xf8, 0xeb, 0x89, 0xb1, 0x8d, 0x78, 0xbe, 0x21, 0xe0, 0xbb, 0x9d, 0xb7, + 0x95, 0x0e, 0xd9, 0x46, 0x0c, 0x8c, 0xe2, 0x63, 0xb7, 0x9d, 0x67, 0x90, + 0xbd, 0xc7, 0x0b, 0xa5, 0xce, 0xb2, 0x65, 0x81 +}; + +__fips_constseg static const unsigned char sha384_pr_returnedbits[] = { + 0xe6, 0x9f, 0xfe, 0x68, 0xd6, 0xb5, 0x79, 0xf1, 0x06, 0x5f, 0xa3, 0xbb, + 0x23, 0x85, 0xd8, 0xf0, 0x29, 0x5a, 0x68, 0x9e, 0xf5, 0xf4, 0xa6, 0x12, + 0xe0, 0x9a, 0xe2, 0xac, 0x00, 0x1d, 0x98, 0x26, 0xfc, 0x53, 0x95, 0x53, + 0xe4, 0x3e, 0x17, 0xd5, 0x08, 0x0b, 0x70, 0x3d, 0x67, 0x99, 0xac, 0x66 +}; + +/* SHA-384 No PR */ +__fips_constseg static const unsigned char sha384_entropyinput[] = { + 0x07, 0x15, 0x27, 0x2a, 0xaf, 0x74, 0x24, 0x37, 0xbc, 0xd5, 0x14, 0x69, + 0xce, 0x11, 0xff, 0xa2, 0x6b, 0xb8, 0x05, 0x67, 0x34, 0xf8, 0xbd, 0x6d, + 0x6a, 0xcc, 0xcd, 0x60, 0xa3, 0x68, 0xca, 0xf4 +}; + +__fips_constseg static const unsigned char sha384_nonce[] = { + 0x70, 0x17, 0xc2, 0x5b, 0x5d, 0x22, 0x0b, 0x06, 0x15, 0x54, 0x78, 0x77, + 0x44, 0xaf, 0x2f, 0x09 +}; + +__fips_constseg static const unsigned char sha384_personalizationstring[] = { + 0x89, 0x39, 0x28, 0xb0, 0x60, 0xeb, 0x3d, 0xdc, 0x55, 0x75, 0x86, 0xeb, + 0xae, 0xa2, 0x8f, 0xbc, 0x1b, 0x75, 0xd4, 0xe1, 0x0f, 0xaa, 0x38, 0xca, + 0x62, 0x8b, 0xcb, 0x2c, 0x26, 0xf6, 0xbc, 0xb1 +}; + +__fips_constseg static const unsigned char sha384_additionalinput[] = { + 0x30, 0x2b, 0x42, 0x35, 0xef, 0xda, 0x40, 0x55, 0x28, 0xc6, 0x95, 0xfb, + 0x54, 0x01, 0x62, 0xd7, 0x87, 0x14, 0x48, 0x6d, 0x90, 0x4c, 0xa9, 0x02, + 0x54, 0x40, 0x22, 0xc8, 0x66, 0xa5, 0x48, 0x48 +}; + +__fips_constseg static const unsigned char sha384_int_returnedbits[] = { + 0x82, 0xc4, 0xa1, 0x9c, 0x21, 0xd2, 0xe7, 0xa5, 0xa6, 0xf6, 0x5f, 0x04, + 0x5c, 0xc7, 0x31, 0x9d, 0x8d, 0x59, 0x74, 0x50, 0x19, 0x89, 0x2f, 0x63, + 0xd5, 0xb7, 0x7e, 0xeb, 0x15, 0xe3, 0x70, 0x83, 0xa1, 0x24, 0x59, 0xfa, + 0x2c, 0x56, 0xf6, 0x88, 0x3a, 0x92, 0x93, 0xa1, 0xfb, 0x79, 0xc1, 0x7a +}; + +__fips_constseg static const unsigned char sha384_entropyinputreseed[] = { + 0x39, 0xa6, 0xe8, 0x5c, 0x82, 0x17, 0x71, 0x26, 0x57, 0x4f, 0x9f, 0xc2, + 0x55, 0xff, 0x5c, 0x9b, 0x53, 0x1a, 0xd1, 0x5f, 0xbc, 0x62, 0xe4, 0x27, + 0x2d, 0x32, 0xf0, 0xe4, 0x52, 0x8c, 0xc5, 0x0c +}; + +__fips_constseg static const unsigned char sha384_additionalinputreseed[] = { + 0x8d, 0xcb, 0x8d, 0xce, 0x08, 0xea, 0x80, 0xe8, 0x9b, 0x61, 0xa8, 0x0f, + 0xaf, 0x49, 0x20, 0x9e, 0x74, 0xcb, 0x57, 0x80, 0x42, 0xb0, 0x84, 0x5e, + 0x30, 0x2a, 0x67, 0x08, 0xf4, 0xe3, 0x40, 0x22 +}; + +__fips_constseg static const unsigned char sha384_additionalinput2[] = { + 0x7c, 0x8f, 0xc2, 0xae, 0x22, 0x4a, 0xd6, 0xf6, 0x05, 0xa4, 0x7a, 0xea, + 0xbb, 0x25, 0xd0, 0xb7, 0x5a, 0xd6, 0xcf, 0x9d, 0xf3, 0x6c, 0xe2, 0xb2, + 0x4e, 0xb4, 0xbd, 0xf4, 0xe5, 0x40, 0x80, 0x94 +}; + +__fips_constseg static const unsigned char sha384_returnedbits[] = { + 0x9e, 0x7e, 0xfb, 0x59, 0xbb, 0xaa, 0x3c, 0xf7, 0xe1, 0xf8, 0x76, 0xdd, + 0x63, 0x5f, 0xaf, 0x23, 0xd6, 0x64, 0x61, 0xc0, 0x9a, 0x09, 0x47, 0xc9, + 0x33, 0xdf, 0x6d, 0x55, 0x91, 0x34, 0x79, 0x70, 0xc4, 0x99, 0x6e, 0x54, + 0x09, 0x64, 0x21, 0x1a, 0xbd, 0x1e, 0x80, 0x40, 0x34, 0xad, 0xfa, 0xd7 +}; + +/* SHA-512 PR */ +__fips_constseg static const unsigned char sha512_pr_entropyinput[] = { + 0x13, 0xf7, 0x61, 0x75, 0x65, 0x28, 0xa2, 0x59, 0x13, 0x5a, 0x4a, 0x4f, + 0x56, 0x60, 0x8c, 0x53, 0x7d, 0xb0, 0xbd, 0x06, 0x4f, 0xed, 0xcc, 0xd2, + 0xa2, 0xb5, 0xfd, 0x5b, 0x3a, 0xab, 0xec, 0x28 +}; + +__fips_constseg static const unsigned char sha512_pr_nonce[] = { + 0xbe, 0xa3, 0x91, 0x93, 0x1d, 0xc3, 0x31, 0x3a, 0x23, 0x33, 0x50, 0x67, + 0x88, 0xc7, 0xa2, 0xc4 +}; + +__fips_constseg static const unsigned char sha512_pr_personalizationstring[] = { + 0x1f, 0x59, 0x4d, 0x7b, 0xe6, 0x46, 0x91, 0x48, 0xc1, 0x25, 0xfa, 0xff, + 0x89, 0x12, 0x77, 0x35, 0xdf, 0x3e, 0xf4, 0x80, 0x5f, 0xd9, 0xb0, 0x07, + 0x22, 0x41, 0xdd, 0x48, 0x78, 0x6b, 0x77, 0x2b +}; + +__fips_constseg static const unsigned char sha512_pr_additionalinput[] = { + 0x30, 0xff, 0x63, 0x6f, 0xac, 0xd9, 0x84, 0x39, 0x6f, 0xe4, 0x99, 0xce, + 0x91, 0x7d, 0x7e, 0xc8, 0x58, 0xf2, 0x12, 0xc3, 0xb6, 0xad, 0xda, 0x22, + 0x04, 0xa0, 0xd2, 0x21, 0xfe, 0xf2, 0x95, 0x1d +}; + +__fips_constseg static const unsigned char sha512_pr_entropyinputpr[] = { + 0x64, 0x54, 0x13, 0xec, 0x4f, 0x77, 0xda, 0xb2, 0x92, 0x2e, 0x52, 0x80, + 0x11, 0x10, 0xc2, 0xf8, 0xe6, 0xa7, 0xcd, 0x4b, 0xfc, 0x32, 0x2e, 0x9e, + 0xeb, 0xbb, 0xb1, 0xbf, 0x15, 0x5c, 0x73, 0x08 +}; + +__fips_constseg static const unsigned char sha512_pr_int_returnedbits[] = { + 0xef, 0x1e, 0xdc, 0x0a, 0xa4, 0x36, 0x91, 0x9c, 0x3d, 0x27, 0x97, 0x50, + 0x8d, 0x36, 0x29, 0x8d, 0xce, 0x6a, 0x0c, 0xf7, 0x21, 0xc0, 0x91, 0xae, + 0x0c, 0x96, 0x72, 0xbd, 0x52, 0x81, 0x58, 0xfc, 0x6d, 0xe5, 0xf7, 0xa5, + 0xfd, 0x5d, 0xa7, 0x58, 0x68, 0xc8, 0x99, 0x58, 0x8e, 0xc8, 0xce, 0x95, + 0x01, 0x7d, 0xff, 0xa4, 0xc8, 0xf7, 0x63, 0xfe, 0x5f, 0x69, 0x83, 0x53, + 0xe2, 0xc6, 0x8b, 0xc3 +}; + +__fips_constseg static const unsigned char sha512_pr_additionalinput2[] = { + 0xe6, 0x9b, 0xc4, 0x88, 0x34, 0xca, 0xea, 0x29, 0x2f, 0x98, 0x05, 0xa4, + 0xd3, 0xc0, 0x7b, 0x11, 0xe8, 0xbb, 0x75, 0xf2, 0xbd, 0x29, 0xb7, 0x40, + 0x25, 0x7f, 0xc1, 0xb7, 0xb1, 0xf1, 0x25, 0x61 +}; + +__fips_constseg static const unsigned char sha512_pr_entropyinputpr2[] = { + 0x23, 0x6d, 0xff, 0xde, 0xfb, 0xd1, 0xba, 0x33, 0x18, 0xe6, 0xbe, 0xb5, + 0x48, 0x77, 0x6d, 0x7f, 0xa7, 0xe1, 0x4d, 0x48, 0x1e, 0x3c, 0xa7, 0x34, + 0x1a, 0xc8, 0x60, 0xdb, 0x8f, 0x99, 0x15, 0x99 +}; + +__fips_constseg static const unsigned char sha512_pr_returnedbits[] = { + 0x70, 0x27, 0x31, 0xdb, 0x92, 0x70, 0x21, 0xfe, 0x16, 0xb6, 0xc8, 0x51, + 0x34, 0x87, 0x65, 0xd0, 0x4e, 0xfd, 0xfe, 0x68, 0xec, 0xac, 0xdc, 0x93, + 0x41, 0x38, 0x92, 0x90, 0xb4, 0x94, 0xf9, 0x0d, 0xa4, 0xf7, 0x4e, 0x80, + 0x92, 0x67, 0x48, 0x40, 0xa7, 0x08, 0xc7, 0xbc, 0x66, 0x00, 0xfd, 0xf7, + 0x4c, 0x8b, 0x17, 0x6e, 0xd1, 0x8f, 0x9b, 0xf3, 0x6f, 0xf6, 0x34, 0xdd, + 0x67, 0xf7, 0x68, 0xdd +}; + +/* SHA-512 No PR */ +__fips_constseg static const unsigned char sha512_entropyinput[] = { + 0xb6, 0x0b, 0xb7, 0xbc, 0x84, 0x56, 0xf6, 0x12, 0xaf, 0x45, 0x67, 0x17, + 0x7c, 0xd1, 0xb2, 0x78, 0x2b, 0xa0, 0xf2, 0xbe, 0xb6, 0x6d, 0x8b, 0x56, + 0xc6, 0xbc, 0x4d, 0xe1, 0xf7, 0xbe, 0xce, 0xbd +}; + +__fips_constseg static const unsigned char sha512_nonce[] = { + 0x9d, 0xed, 0xc0, 0xe5, 0x5a, 0x98, 0x6a, 0xcb, 0x51, 0x7d, 0x76, 0x31, + 0x5a, 0x64, 0xf0, 0xf7 +}; + +__fips_constseg static const unsigned char sha512_personalizationstring[] = { + 0xc2, 0x6d, 0xa3, 0xc3, 0x06, 0x74, 0xe5, 0x01, 0x5c, 0x10, 0x17, 0xc7, + 0xaf, 0x83, 0x9d, 0x59, 0x8d, 0x2d, 0x29, 0x38, 0xc5, 0x59, 0x70, 0x8b, + 0x46, 0x48, 0x2d, 0xcf, 0x36, 0x7d, 0x59, 0xc0 +}; + +__fips_constseg static const unsigned char sha512_additionalinput[] = { + 0xec, 0x8c, 0xd4, 0xf7, 0x61, 0x6e, 0x0d, 0x95, 0x79, 0xb7, 0x28, 0xad, + 0x5f, 0x69, 0x74, 0x5f, 0x2d, 0x36, 0x06, 0x8a, 0x6b, 0xac, 0x54, 0x97, + 0xc4, 0xa1, 0x12, 0x85, 0x0a, 0xdf, 0x4b, 0x34 +}; + +__fips_constseg static const unsigned char sha512_int_returnedbits[] = { + 0x84, 0x2f, 0x1f, 0x68, 0x6a, 0xa3, 0xad, 0x1e, 0xfb, 0xf4, 0x15, 0xbd, + 0xde, 0x38, 0xd4, 0x30, 0x80, 0x51, 0xe9, 0xd3, 0xc7, 0x20, 0x88, 0xe9, + 0xf5, 0xcc, 0xdf, 0x57, 0x5c, 0x47, 0x2f, 0x57, 0x3c, 0x5f, 0x13, 0x56, + 0xcc, 0xc5, 0x4f, 0x84, 0xf8, 0x10, 0x41, 0xd5, 0x7e, 0x58, 0x6e, 0x19, + 0x19, 0x9e, 0xaf, 0xc2, 0x22, 0x58, 0x41, 0x50, 0x79, 0xc2, 0xd8, 0x04, + 0x28, 0xd4, 0x39, 0x9a +}; + +__fips_constseg static const unsigned char sha512_entropyinputreseed[] = { + 0xfa, 0x7f, 0x46, 0x51, 0x83, 0x62, 0x98, 0x16, 0x9a, 0x19, 0xa2, 0x49, + 0xa9, 0xe6, 0x4a, 0xd8, 0x85, 0xe7, 0xd4, 0x3b, 0x2c, 0x82, 0xc5, 0x82, + 0xbf, 0x11, 0xf9, 0x9e, 0xbc, 0xd0, 0x01, 0xee +}; + +__fips_constseg static const unsigned char sha512_additionalinputreseed[] = { + 0xb9, 0x12, 0xe0, 0x4f, 0xf7, 0xa7, 0xc4, 0xd8, 0xd0, 0x8e, 0x99, 0x29, + 0x7c, 0x9a, 0xe9, 0xcf, 0xc4, 0x6c, 0xf8, 0xc3, 0xa7, 0x41, 0x83, 0xd6, + 0x2e, 0xfa, 0xb8, 0x5e, 0x8e, 0x6b, 0x78, 0x20 +}; + +__fips_constseg static const unsigned char sha512_additionalinput2[] = { + 0xd7, 0x07, 0x52, 0xb9, 0x83, 0x2c, 0x03, 0x71, 0xee, 0xc9, 0xc0, 0x85, + 0xe1, 0x57, 0xb2, 0xcd, 0x3a, 0xf0, 0xc9, 0x34, 0x24, 0x41, 0x1c, 0x42, + 0x99, 0xb2, 0x84, 0xe9, 0x17, 0xd2, 0x76, 0x92 +}; + +__fips_constseg static const unsigned char sha512_returnedbits[] = { + 0x36, 0x17, 0x5d, 0x98, 0x2b, 0x65, 0x25, 0x8e, 0xc8, 0x29, 0xdf, 0x27, + 0x05, 0x36, 0x26, 0x12, 0x8a, 0x68, 0x74, 0x27, 0x37, 0xd4, 0x7f, 0x32, + 0xb1, 0x12, 0xd6, 0x85, 0x83, 0xeb, 0x2e, 0xa0, 0xed, 0x4b, 0xb5, 0x7b, + 0x6f, 0x39, 0x3c, 0x71, 0x77, 0x02, 0x12, 0xcc, 0x2c, 0x3a, 0x8e, 0x63, + 0xdf, 0x4a, 0xbd, 0x6f, 0x6e, 0x2e, 0xed, 0x0a, 0x85, 0xa5, 0x2f, 0xa2, + 0x68, 0xde, 0x42, 0xb5 +}; + +/* HMAC SHA-1 PR */ +__fips_constseg static const unsigned char hmac_sha1_pr_entropyinput[] = { + 0x26, 0x5f, 0x36, 0x14, 0xff, 0x3d, 0x83, 0xfa, 0x73, 0x5e, 0x75, 0xdc, + 0x2c, 0x18, 0x17, 0x1b +}; + +__fips_constseg static const unsigned char hmac_sha1_pr_nonce[] = { + 0xc8, 0xe3, 0x57, 0xa5, 0x7b, 0x74, 0x86, 0x6e +}; + +__fips_constseg + static const unsigned char hmac_sha1_pr_personalizationstring[] = { + 0x6e, 0xdb, 0x0d, 0xfe, 0x7d, 0xac, 0x79, 0xd0, 0xa5, 0x3a, 0x48, 0x85, + 0x80, 0xe2, 0x7f, 0x2a +}; + +__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput[] = { + 0x31, 0xcd, 0x5e, 0x43, 0xdc, 0xfb, 0x7a, 0x79, 0xca, 0x88, 0xde, 0x1f, + 0xd7, 0xbb, 0x42, 0x09 +}; + +__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr[] = { + 0x7c, 0x23, 0x95, 0x38, 0x00, 0x95, 0xc1, 0x78, 0x1f, 0x8f, 0xd7, 0x63, + 0x23, 0x87, 0x2a, 0xed +}; + +__fips_constseg static const unsigned char hmac_sha1_pr_int_returnedbits[] = { + 0xbb, 0x34, 0xe7, 0x93, 0xa3, 0x02, 0x2c, 0x4a, 0xd0, 0x89, 0xda, 0x7f, + 0xed, 0xf4, 0x4c, 0xde, 0x17, 0xec, 0xe5, 0x6c +}; + +__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput2[] = { + 0x49, 0xbc, 0x2d, 0x2c, 0xb7, 0x32, 0xcb, 0x20, 0xdf, 0xf5, 0x77, 0x58, + 0xa0, 0x4b, 0x93, 0x6e +}; + +__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr2[] = { + 0x3c, 0xaa, 0xb0, 0x21, 0x42, 0xb0, 0xdd, 0x34, 0xf0, 0x16, 0x7f, 0x0c, + 0x0f, 0xff, 0x2e, 0xaf +}; + +__fips_constseg static const unsigned char hmac_sha1_pr_returnedbits[] = { + 0x8e, 0xcb, 0xa3, 0x64, 0xb2, 0xb8, 0x33, 0x6c, 0x64, 0x3b, 0x78, 0x16, + 0x99, 0x35, 0xc8, 0x30, 0xcb, 0x3e, 0xa0, 0xd8 +}; + +/* HMAC SHA-1 No PR */ +__fips_constseg static const unsigned char hmac_sha1_entropyinput[] = { + 0x32, 0x9a, 0x2a, 0x87, 0x7b, 0x89, 0x7c, 0xf6, 0xcb, 0x95, 0xd5, 0x40, + 0x17, 0xfe, 0x47, 0x70 +}; + +__fips_constseg static const unsigned char hmac_sha1_nonce[] = { + 0x16, 0xd8, 0xe0, 0xc7, 0x52, 0xcf, 0x4a, 0x25 +}; + +__fips_constseg static const unsigned char hmac_sha1_personalizationstring[] = { + 0x35, 0x35, 0xa9, 0xa5, 0x40, 0xbe, 0x9b, 0xd1, 0x56, 0xdd, 0x44, 0x00, + 0x72, 0xf7, 0xd3, 0x5e +}; + +__fips_constseg static const unsigned char hmac_sha1_additionalinput[] = { + 0x1b, 0x2c, 0x84, 0x2d, 0x4a, 0x89, 0x8f, 0x69, 0x19, 0xf1, 0xf3, 0xdb, + 0xbb, 0xe3, 0xaa, 0xea +}; + +__fips_constseg static const unsigned char hmac_sha1_int_returnedbits[] = { + 0xcf, 0xfa, 0x7d, 0x72, 0x0f, 0xe6, 0xc7, 0x96, 0xa0, 0x69, 0x31, 0x11, + 0x9b, 0x0b, 0x1a, 0x20, 0x1f, 0x3f, 0xaa, 0xd1 +}; + +__fips_constseg static const unsigned char hmac_sha1_entropyinputreseed[] = { + 0x90, 0x75, 0x15, 0x04, 0x95, 0xf1, 0xba, 0x81, 0x0c, 0x37, 0x94, 0x6f, + 0x86, 0x52, 0x6d, 0x9c +}; + +__fips_constseg static const unsigned char hmac_sha1_additionalinputreseed[] = { + 0x5b, 0x40, 0xba, 0x5f, 0x17, 0x70, 0xf0, 0x4b, 0xdf, 0xc9, 0x97, 0x92, + 0x79, 0xc5, 0x82, 0x28 +}; + +__fips_constseg static const unsigned char hmac_sha1_additionalinput2[] = { + 0x97, 0xc8, 0x80, 0x90, 0xb3, 0xaa, 0x6e, 0x60, 0xea, 0x83, 0x7a, 0xe3, + 0x8a, 0xca, 0xa4, 0x7f +}; + +__fips_constseg static const unsigned char hmac_sha1_returnedbits[] = { + 0x90, 0xbd, 0x05, 0x56, 0x6d, 0xb5, 0x22, 0xd5, 0xb9, 0x5a, 0x29, 0x2d, + 0xe9, 0x0b, 0xe1, 0xac, 0xde, 0x27, 0x0b, 0xb0 +}; + +/* HMAC SHA-224 PR */ +__fips_constseg static const unsigned char hmac_sha224_pr_entropyinput[] = { + 0x17, 0x32, 0x2b, 0x2e, 0x6f, 0x1b, 0x9c, 0x6d, 0x31, 0xe0, 0x34, 0x07, + 0xcf, 0xed, 0xf6, 0xb6, 0x5a, 0x76, 0x4c, 0xbc, 0x62, 0x85, 0x01, 0x90 +}; + +__fips_constseg static const unsigned char hmac_sha224_pr_nonce[] = { + 0x38, 0xbf, 0x5f, 0x20, 0xb3, 0x68, 0x2f, 0x43, 0x61, 0x05, 0x8f, 0x23 +}; + +__fips_constseg + static const unsigned char hmac_sha224_pr_personalizationstring[] = { + 0xc0, 0xc9, 0x45, 0xac, 0x8d, 0x27, 0x77, 0x08, 0x0b, 0x17, 0x6d, 0xed, + 0xc1, 0x7d, 0xd5, 0x07, 0x9d, 0x6e, 0xf8, 0x23, 0x2a, 0x22, 0x13, 0xbd +}; + +__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput[] = { + 0xa4, 0x3c, 0xe7, 0x3b, 0xea, 0x19, 0x45, 0x32, 0xc2, 0x83, 0x6d, 0x21, + 0x8a, 0xc0, 0xee, 0x67, 0x45, 0xde, 0x13, 0x7d, 0x9d, 0x61, 0x00, 0x3b +}; + +__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr[] = { + 0x15, 0x05, 0x74, 0x4a, 0x7f, 0x8d, 0x5c, 0x60, 0x16, 0xe5, 0x7b, 0xad, + 0xf5, 0x41, 0x8f, 0x55, 0x60, 0xc4, 0x09, 0xee, 0x1e, 0x11, 0x81, 0xab +}; + +__fips_constseg static const unsigned char hmac_sha224_pr_int_returnedbits[] = { + 0x6f, 0xf5, 0x9a, 0xe2, 0x54, 0x53, 0x30, 0x3d, 0x5a, 0x27, 0x29, 0x38, + 0x27, 0xf2, 0x0d, 0x05, 0xe9, 0x26, 0xcb, 0x16, 0xc3, 0x51, 0x5f, 0x13, + 0x41, 0xfe, 0x99, 0xf2 +}; + +__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput2[] = { + 0x73, 0x81, 0x88, 0x84, 0x8f, 0xed, 0x6f, 0x10, 0x9f, 0x93, 0xbf, 0x17, + 0x35, 0x7c, 0xef, 0xd5, 0x8d, 0x26, 0xa6, 0x7a, 0xe8, 0x09, 0x36, 0x4f +}; + +__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr2[] = { + 0xe6, 0xcf, 0xcf, 0x7e, 0x12, 0xe5, 0x43, 0xd2, 0x38, 0xd8, 0x24, 0x6f, + 0x5a, 0x37, 0x68, 0xbf, 0x4f, 0xa0, 0xff, 0xd5, 0x61, 0x8a, 0x93, 0xe0 +}; + +__fips_constseg static const unsigned char hmac_sha224_pr_returnedbits[] = { + 0xaf, 0xf9, 0xd8, 0x19, 0x91, 0x30, 0x82, 0x6f, 0xa9, 0x1e, 0x9d, 0xd7, + 0xf3, 0x50, 0xe0, 0xc7, 0xd5, 0x64, 0x96, 0x7d, 0x4c, 0x4d, 0x78, 0x03, + 0x6d, 0xd8, 0x9e, 0x72 +}; + +/* HMAC SHA-224 No PR */ +__fips_constseg static const unsigned char hmac_sha224_entropyinput[] = { + 0x11, 0x82, 0xfd, 0xd9, 0x42, 0xf4, 0xfa, 0xc8, 0xf2, 0x41, 0xe6, 0x54, + 0x01, 0xae, 0x22, 0x6e, 0xc6, 0xaf, 0xaf, 0xd0, 0xa6, 0xb2, 0xe2, 0x6d +}; + +__fips_constseg static const unsigned char hmac_sha224_nonce[] = { + 0xa9, 0x48, 0xd7, 0x92, 0x39, 0x7e, 0x2a, 0xdc, 0x30, 0x1f, 0x0e, 0x2b +}; + +__fips_constseg + static const unsigned char hmac_sha224_personalizationstring[] = { + 0x11, 0xd5, 0xf4, 0xbd, 0x67, 0x8c, 0x31, 0xcf, 0xa3, 0x3f, 0x1e, 0x6b, + 0xa8, 0x07, 0x02, 0x0b, 0xc8, 0x2e, 0x6c, 0x64, 0x41, 0x5b, 0xc8, 0x37 +}; + +__fips_constseg static const unsigned char hmac_sha224_additionalinput[] = { + 0x68, 0x18, 0xc2, 0x06, 0xeb, 0x3e, 0x04, 0x95, 0x44, 0x5e, 0xfb, 0xe6, + 0x41, 0xc1, 0x5c, 0xcc, 0x40, 0x2f, 0xb7, 0xd2, 0x0f, 0xf3, 0x6b, 0xe7 +}; + +__fips_constseg static const unsigned char hmac_sha224_int_returnedbits[] = { + 0x7f, 0x45, 0xc7, 0x5d, 0x32, 0xe6, 0x17, 0x60, 0xba, 0xdc, 0xb8, 0x42, + 0x1b, 0x9c, 0xf1, 0xfa, 0x3b, 0x4d, 0x29, 0x54, 0xc6, 0x90, 0xff, 0x5c, + 0xcd, 0xd6, 0xa9, 0xcc +}; + +__fips_constseg static const unsigned char hmac_sha224_entropyinputreseed[] = { + 0xc4, 0x8e, 0x37, 0x95, 0x69, 0x53, 0x28, 0xd7, 0x37, 0xbb, 0x70, 0x95, + 0x1c, 0x07, 0x1d, 0xd9, 0xb7, 0xe6, 0x1b, 0xbb, 0xfe, 0x41, 0xeb, 0xc9 +}; + +__fips_constseg + static const unsigned char hmac_sha224_additionalinputreseed[] = { + 0x53, 0x17, 0xa1, 0x6a, 0xfa, 0x77, 0x47, 0xb0, 0x95, 0x56, 0x9a, 0x20, + 0x57, 0xde, 0x5c, 0x89, 0x9f, 0x7f, 0xe2, 0xde, 0x17, 0x3a, 0x50, 0x23 +}; + +__fips_constseg static const unsigned char hmac_sha224_additionalinput2[] = { + 0x3a, 0x32, 0xf9, 0x85, 0x0c, 0xc1, 0xed, 0x76, 0x2d, 0xdf, 0x40, 0xc3, + 0x06, 0x22, 0x66, 0xd4, 0x9a, 0x9a, 0xff, 0x5a, 0x7e, 0x7a, 0xf3, 0x96 +}; + +__fips_constseg static const unsigned char hmac_sha224_returnedbits[] = { + 0x43, 0xb4, 0x57, 0x5c, 0x38, 0x25, 0x9d, 0xae, 0xec, 0x96, 0xd1, 0x85, + 0x3a, 0x84, 0x8d, 0xfe, 0x68, 0xd5, 0x0e, 0x5c, 0x8f, 0x65, 0xa5, 0x4e, + 0x45, 0x84, 0xa8, 0x94 +}; + +/* HMAC SHA-256 PR */ +__fips_constseg static const unsigned char hmac_sha256_pr_entropyinput[] = { + 0x4d, 0xb0, 0x43, 0xd8, 0x34, 0x4b, 0x10, 0x70, 0xb1, 0x8b, 0xed, 0xea, + 0x07, 0x92, 0x9f, 0x6c, 0x79, 0x31, 0xaf, 0x81, 0x29, 0xeb, 0x6e, 0xca, + 0x32, 0x48, 0x28, 0xe7, 0x02, 0x5d, 0xa6, 0xa6 +}; + +__fips_constseg static const unsigned char hmac_sha256_pr_nonce[] = { + 0x3a, 0xae, 0x15, 0xa9, 0x99, 0xdc, 0xe4, 0x67, 0x34, 0x3b, 0x70, 0x15, + 0xaa, 0xd3, 0x30, 0x9a +}; + +__fips_constseg + static const unsigned char hmac_sha256_pr_personalizationstring[] = { + 0x13, 0x1d, 0x24, 0x04, 0xb0, 0x18, 0x81, 0x15, 0x21, 0x51, 0x2a, 0x24, + 0x52, 0x61, 0xbe, 0x64, 0x82, 0x6b, 0x55, 0x2f, 0xe2, 0xf1, 0x40, 0x7d, + 0x71, 0xd8, 0x01, 0x86, 0x15, 0xb7, 0x8b, 0xb5 +}; + +__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput[] = { + 0x8f, 0xa6, 0x54, 0x5f, 0xb1, 0xd0, 0xd8, 0xc3, 0xe7, 0x0c, 0x15, 0xa9, + 0x23, 0x6e, 0xfe, 0xfb, 0x93, 0xf7, 0x3a, 0xbd, 0x59, 0x01, 0xfa, 0x18, + 0x8e, 0xe9, 0x1a, 0xa9, 0x78, 0xfc, 0x79, 0x0b +}; + +__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr[] = { + 0xcf, 0x24, 0xb9, 0xeb, 0xb3, 0xd4, 0xcd, 0x17, 0x37, 0x38, 0x75, 0x79, + 0x15, 0xcb, 0x2d, 0x75, 0x51, 0xf1, 0xcc, 0xaa, 0x32, 0xa4, 0xa7, 0x36, + 0x7c, 0x5c, 0xe4, 0x47, 0xf1, 0x3e, 0x1d, 0xe5 +}; + +__fips_constseg static const unsigned char hmac_sha256_pr_int_returnedbits[] = { + 0x52, 0x42, 0xfa, 0xeb, 0x85, 0xe0, 0x30, 0x22, 0x79, 0x00, 0x16, 0xb2, + 0x88, 0x2f, 0x14, 0x6a, 0xb7, 0xfc, 0xb7, 0x53, 0xdc, 0x4a, 0x12, 0xef, + 0x54, 0xd6, 0x33, 0xe9, 0x20, 0xd6, 0xfd, 0x56 +}; + +__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput2[] = { + 0xf4, 0xf6, 0x49, 0xa1, 0x2d, 0x64, 0x2b, 0x30, 0x58, 0xf8, 0xbd, 0xb8, + 0x75, 0xeb, 0xbb, 0x5e, 0x1c, 0x9b, 0x81, 0x6a, 0xda, 0x14, 0x86, 0x6e, + 0xd0, 0xda, 0x18, 0xb7, 0x88, 0xfb, 0x59, 0xf3 +}; + +__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr2[] = { + 0x21, 0xcd, 0x6e, 0x46, 0xad, 0x99, 0x07, 0x17, 0xb4, 0x3d, 0x76, 0x0a, + 0xff, 0x5b, 0x52, 0x50, 0x78, 0xdf, 0x1f, 0x24, 0x06, 0x0d, 0x3f, 0x74, + 0xa9, 0xc9, 0x37, 0xcf, 0xd8, 0x26, 0x25, 0x91 +}; + +__fips_constseg static const unsigned char hmac_sha256_pr_returnedbits[] = { + 0xa7, 0xaf, 0x2f, 0x29, 0xe0, 0x3a, 0x72, 0x95, 0x96, 0x1c, 0xa9, 0xf0, + 0x4a, 0x17, 0x4d, 0x66, 0x06, 0x10, 0xbf, 0x39, 0x89, 0x88, 0xb8, 0x91, + 0x37, 0x18, 0x99, 0xcf, 0x8c, 0x53, 0x3b, 0x7e +}; + +/* HMAC SHA-256 No PR */ +__fips_constseg static const unsigned char hmac_sha256_entropyinput[] = { + 0x96, 0xb7, 0x53, 0x22, 0x1e, 0x52, 0x2a, 0x96, 0xb1, 0x15, 0x3c, 0x35, + 0x5a, 0x8b, 0xd3, 0x4a, 0xa6, 0x6c, 0x83, 0x0a, 0x7d, 0xa3, 0x23, 0x3d, + 0x43, 0xa1, 0x07, 0x2c, 0x2d, 0xe3, 0x81, 0xcc +}; + +__fips_constseg static const unsigned char hmac_sha256_nonce[] = { + 0xf1, 0xac, 0x97, 0xcb, 0x5e, 0x06, 0x48, 0xd2, 0x94, 0xbe, 0x15, 0x2e, + 0xc7, 0xfc, 0xc2, 0x01 +}; + +__fips_constseg + static const unsigned char hmac_sha256_personalizationstring[] = { + 0x98, 0xc5, 0x1e, 0x35, 0x5e, 0x89, 0x0d, 0xce, 0x64, 0x6d, 0x18, 0xa7, + 0x5a, 0xc6, 0xf3, 0xe7, 0xd6, 0x9e, 0xc0, 0xea, 0xb7, 0x3a, 0x8d, 0x65, + 0xb8, 0xeb, 0x10, 0xd7, 0x57, 0x18, 0xa0, 0x32 +}; + +__fips_constseg static const unsigned char hmac_sha256_additionalinput[] = { + 0x1b, 0x10, 0xaf, 0xac, 0xd0, 0x65, 0x95, 0xad, 0x04, 0xad, 0x03, 0x1c, + 0xe0, 0x40, 0xd6, 0x3e, 0x1c, 0x46, 0x53, 0x39, 0x7c, 0xe2, 0xbc, 0xda, + 0x8c, 0xa2, 0x33, 0xa7, 0x9a, 0x26, 0xd3, 0x27 +}; + +__fips_constseg static const unsigned char hmac_sha256_int_returnedbits[] = { + 0xba, 0x61, 0x0e, 0x55, 0xfe, 0x11, 0x8a, 0x9e, 0x0f, 0x80, 0xdf, 0x1d, + 0x03, 0x0a, 0xfe, 0x15, 0x94, 0x28, 0x4b, 0xba, 0xf4, 0x9f, 0x51, 0x25, + 0x88, 0xe5, 0x4e, 0xfb, 0xaf, 0xce, 0x69, 0x90 +}; + +__fips_constseg static const unsigned char hmac_sha256_entropyinputreseed[] = { + 0x62, 0x7f, 0x1e, 0x6b, 0xe8, 0x8e, 0xe1, 0x35, 0x7d, 0x9b, 0x4f, 0xc7, + 0xec, 0xc8, 0xac, 0xef, 0x6b, 0x13, 0x9e, 0x05, 0x56, 0xc1, 0x08, 0xf9, + 0x2f, 0x0f, 0x27, 0x9c, 0xd4, 0x15, 0xed, 0x2d +}; + +__fips_constseg + static const unsigned char hmac_sha256_additionalinputreseed[] = { + 0xc7, 0x76, 0x6e, 0xa9, 0xd2, 0xb2, 0x76, 0x40, 0x82, 0x25, 0x2c, 0xb3, + 0x6f, 0xac, 0xe9, 0x74, 0xef, 0x8f, 0x3c, 0x8e, 0xcd, 0xf1, 0xbf, 0xb3, + 0x49, 0x77, 0x34, 0x88, 0x52, 0x36, 0xe6, 0x2e +}; + +__fips_constseg static const unsigned char hmac_sha256_additionalinput2[] = { + 0x8d, 0xb8, 0x0c, 0xd1, 0xbf, 0x70, 0xf6, 0x19, 0xc3, 0x41, 0x80, 0x9f, + 0xe1, 0xa5, 0xa4, 0x1f, 0x2c, 0x26, 0xb1, 0xe5, 0xd8, 0xeb, 0xbe, 0xf8, + 0xdf, 0x88, 0x6a, 0x89, 0xd6, 0x05, 0xd8, 0x9d +}; + +__fips_constseg static const unsigned char hmac_sha256_returnedbits[] = { + 0x43, 0x12, 0x2a, 0x2c, 0x40, 0x53, 0x2e, 0x7c, 0x66, 0x34, 0xac, 0xc3, + 0x43, 0xe3, 0xe0, 0x6a, 0xfc, 0xfa, 0xea, 0x87, 0x21, 0x1f, 0xe2, 0x26, + 0xc4, 0xf9, 0x09, 0x9a, 0x0d, 0x6e, 0x7f, 0xe0 +}; + +/* HMAC SHA-384 PR */ +__fips_constseg static const unsigned char hmac_sha384_pr_entropyinput[] = { + 0x69, 0x81, 0x98, 0x88, 0x44, 0xf5, 0xd6, 0x2e, 0x00, 0x08, 0x3b, 0xc5, + 0xfb, 0xd7, 0x8e, 0x6f, 0x23, 0xf8, 0x6d, 0x09, 0xd6, 0x85, 0x49, 0xd1, + 0xf8, 0x6d, 0xa4, 0x58, 0x54, 0xfd, 0x88, 0xa9 +}; + +__fips_constseg static const unsigned char hmac_sha384_pr_nonce[] = { + 0x6e, 0x38, 0x81, 0xca, 0xb7, 0xe8, 0x6e, 0x66, 0x49, 0x8a, 0xb2, 0x59, + 0xee, 0x16, 0xc9, 0xde +}; + +__fips_constseg + static const unsigned char hmac_sha384_pr_personalizationstring[] = { + 0xfe, 0x4c, 0xd9, 0xf4, 0x78, 0x3b, 0x08, 0x41, 0x8d, 0x8f, 0x55, 0xc4, + 0x43, 0x56, 0xb6, 0x12, 0x36, 0x6b, 0x30, 0xb7, 0x5e, 0xe1, 0xb9, 0x47, + 0x04, 0xb1, 0x4e, 0xa9, 0x00, 0xa1, 0x52, 0xa1 +}; + +__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput[] = { + 0x89, 0xe9, 0xcc, 0x8f, 0x27, 0x3c, 0x26, 0xd1, 0x95, 0xc8, 0x7d, 0x0f, + 0x5b, 0x1a, 0xf0, 0x78, 0x39, 0x56, 0x6f, 0xa4, 0x23, 0xe7, 0xd1, 0xda, + 0x7c, 0x66, 0x33, 0xa0, 0x90, 0xc9, 0x92, 0x88 +}; + +__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr[] = { + 0xbe, 0x3d, 0x7c, 0x0d, 0xca, 0xda, 0x7c, 0x49, 0xb8, 0x12, 0x36, 0xc0, + 0xdb, 0xad, 0x35, 0xa8, 0xc7, 0x0b, 0x2a, 0x2c, 0x69, 0x6d, 0x25, 0x56, + 0x63, 0x82, 0x11, 0x3e, 0xa7, 0x33, 0x70, 0x72 +}; + +__fips_constseg static const unsigned char hmac_sha384_pr_int_returnedbits[] = { + 0x82, 0x3d, 0xe6, 0x54, 0x80, 0x42, 0xf8, 0xba, 0x90, 0x4f, 0x06, 0xa6, + 0xd2, 0x7f, 0xbf, 0x79, 0x7c, 0x12, 0x7d, 0xa6, 0xa2, 0x66, 0xe8, 0xa6, + 0xc0, 0xd6, 0x4a, 0x55, 0xbf, 0xd8, 0x0a, 0xc5, 0xf8, 0x03, 0x88, 0xdd, + 0x8e, 0x87, 0xd1, 0x5a, 0x48, 0x26, 0x72, 0x2a, 0x8e, 0xcf, 0xee, 0xba +}; + +__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput2[] = { + 0x8f, 0xff, 0xd9, 0x84, 0xbb, 0x85, 0x3a, 0x66, 0xa1, 0x21, 0xce, 0xb2, + 0x3a, 0x3a, 0x17, 0x22, 0x19, 0xae, 0xc7, 0xb6, 0x63, 0x81, 0xd5, 0xff, + 0x0d, 0xc8, 0xe1, 0xaf, 0x57, 0xd2, 0xcb, 0x60 +}; + +__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr2[] = { + 0xd7, 0xfb, 0xc9, 0xe8, 0xe2, 0xf2, 0xaa, 0x4c, 0xb8, 0x51, 0x2f, 0xe1, + 0x22, 0xba, 0xf3, 0xda, 0x0a, 0x19, 0x76, 0x71, 0x57, 0xb2, 0x1d, 0x94, + 0x09, 0x69, 0x6c, 0xd3, 0x97, 0x51, 0x81, 0x87 +}; + +__fips_constseg static const unsigned char hmac_sha384_pr_returnedbits[] = { + 0xe6, 0x19, 0x28, 0xa8, 0x21, 0xce, 0x5e, 0xdb, 0x24, 0x79, 0x8c, 0x76, + 0x5d, 0x73, 0xb2, 0xdf, 0xac, 0xef, 0x85, 0xa7, 0x3b, 0x19, 0x09, 0x8b, + 0x7f, 0x98, 0x28, 0xa9, 0x93, 0xd8, 0x7a, 0xad, 0x55, 0x8b, 0x24, 0x9d, + 0xe6, 0x98, 0xfe, 0x47, 0xd5, 0x48, 0xc1, 0x23, 0xd8, 0x1d, 0x62, 0x75 +}; + +/* HMAC SHA-384 No PR */ +__fips_constseg static const unsigned char hmac_sha384_entropyinput[] = { + 0xc3, 0x56, 0x2b, 0x1d, 0xc2, 0xbb, 0xa8, 0xf0, 0xae, 0x1b, 0x0d, 0xd3, + 0x5a, 0x6c, 0xda, 0x57, 0x8e, 0xa5, 0x8a, 0x0d, 0x6c, 0x4b, 0x18, 0xb1, + 0x04, 0x3e, 0xb4, 0x99, 0x35, 0xc4, 0xc0, 0x5f +}; + +__fips_constseg static const unsigned char hmac_sha384_nonce[] = { + 0xc5, 0x49, 0x1e, 0x66, 0x27, 0x92, 0xbe, 0xec, 0xb5, 0x1e, 0x4b, 0xb1, + 0x38, 0xe3, 0xeb, 0x62 +}; + +__fips_constseg + static const unsigned char hmac_sha384_personalizationstring[] = { + 0xbe, 0xe7, 0x6b, 0x57, 0xde, 0x88, 0x11, 0x96, 0x9b, 0x6e, 0xea, 0xe5, + 0x63, 0x83, 0x4c, 0xb6, 0x8d, 0x66, 0xaa, 0x1f, 0x8b, 0x54, 0xe7, 0x62, + 0x6d, 0x5a, 0xfc, 0xbf, 0x97, 0xba, 0xcd, 0x77 +}; + +__fips_constseg static const unsigned char hmac_sha384_additionalinput[] = { + 0xe5, 0x28, 0x5f, 0x43, 0xf5, 0x83, 0x6e, 0x0a, 0x83, 0x5c, 0xe3, 0x81, + 0x03, 0xf2, 0xf8, 0x78, 0x00, 0x7c, 0x95, 0x87, 0x16, 0xd6, 0x6c, 0x58, + 0x33, 0x6c, 0x53, 0x35, 0x0d, 0x66, 0xe3, 0xce +}; + +__fips_constseg static const unsigned char hmac_sha384_int_returnedbits[] = { + 0xe2, 0x1f, 0xf3, 0xda, 0x0d, 0x19, 0x99, 0x87, 0xc4, 0x90, 0xa2, 0x31, + 0xca, 0x2a, 0x89, 0x58, 0x43, 0x44, 0xb8, 0xde, 0xcf, 0xa4, 0xbe, 0x3b, + 0x53, 0x26, 0x22, 0x31, 0x76, 0x41, 0x22, 0xb5, 0xa8, 0x70, 0x2f, 0x4b, + 0x64, 0x95, 0x4d, 0x48, 0x96, 0x35, 0xe6, 0xbd, 0x3c, 0x34, 0xdb, 0x1b +}; + +__fips_constseg static const unsigned char hmac_sha384_entropyinputreseed[] = { + 0x77, 0x61, 0xba, 0xbc, 0xf2, 0xc1, 0xf3, 0x4b, 0x86, 0x65, 0xfd, 0x48, + 0x0e, 0x3c, 0x02, 0x5e, 0xa2, 0x7a, 0x6b, 0x7c, 0xed, 0x21, 0x5e, 0xf9, + 0xcd, 0xcd, 0x77, 0x07, 0x2b, 0xbe, 0xc5, 0x5c +}; + +__fips_constseg + static const unsigned char hmac_sha384_additionalinputreseed[] = { + 0x18, 0x24, 0x5f, 0xc6, 0x84, 0xd1, 0x67, 0xc3, 0x9a, 0x11, 0xa5, 0x8c, + 0x07, 0x39, 0x21, 0x83, 0x4d, 0x04, 0xc4, 0x6a, 0x28, 0x19, 0xcf, 0x92, + 0x21, 0xd9, 0x9e, 0x41, 0x72, 0x6c, 0x9e, 0x63 +}; + +__fips_constseg static const unsigned char hmac_sha384_additionalinput2[] = { + 0x96, 0x67, 0x41, 0x28, 0x9b, 0xb7, 0x92, 0x8d, 0x64, 0x3b, 0xe4, 0xcf, + 0x7e, 0xaa, 0x1e, 0xb1, 0x4b, 0x1d, 0x09, 0x56, 0x67, 0x9c, 0xc6, 0x6d, + 0x3b, 0xe8, 0x91, 0x9d, 0xe1, 0x8a, 0xb7, 0x32 +}; + +__fips_constseg static const unsigned char hmac_sha384_returnedbits[] = { + 0xe3, 0x59, 0x61, 0x38, 0x92, 0xec, 0xe2, 0x3c, 0xff, 0xb7, 0xdb, 0x19, + 0x0f, 0x5b, 0x93, 0x68, 0x0d, 0xa4, 0x94, 0x40, 0x72, 0x0b, 0xe0, 0xed, + 0x4d, 0xcd, 0x68, 0xa0, 0x1e, 0xfe, 0x67, 0xb2, 0xfa, 0x21, 0x56, 0x74, + 0xa4, 0xad, 0xcf, 0xb7, 0x60, 0x66, 0x2e, 0x40, 0xde, 0x82, 0xca, 0xfb +}; + +/* HMAC SHA-512 PR */ +__fips_constseg static const unsigned char hmac_sha512_pr_entropyinput[] = { + 0xaa, 0x9e, 0x45, 0x67, 0x0e, 0x00, 0x2a, 0x67, 0x98, 0xd6, 0xda, 0x0b, + 0x0f, 0x17, 0x7e, 0xac, 0xfd, 0x27, 0xc4, 0xca, 0x84, 0xdf, 0xde, 0xba, + 0x85, 0xd9, 0xbe, 0x8f, 0xf3, 0xff, 0x91, 0x4d +}; + +__fips_constseg static const unsigned char hmac_sha512_pr_nonce[] = { + 0x8c, 0x49, 0x2f, 0x58, 0x1e, 0x7a, 0xda, 0x4b, 0x7e, 0x8a, 0x30, 0x7b, + 0x86, 0xea, 0xaf, 0xa2 +}; + +__fips_constseg + static const unsigned char hmac_sha512_pr_personalizationstring[] = { + 0x71, 0xe1, 0xbb, 0xad, 0xa7, 0x4b, 0x2e, 0x31, 0x3b, 0x0b, 0xec, 0x24, + 0x99, 0x38, 0xbc, 0xaa, 0x05, 0x4c, 0x46, 0x44, 0xfa, 0xad, 0x8e, 0x02, + 0xc1, 0x7e, 0xad, 0xec, 0x54, 0xa6, 0xd0, 0xad +}; + +__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput[] = { + 0x3d, 0x6e, 0xa6, 0xa8, 0x29, 0x2a, 0xb2, 0xf5, 0x98, 0x42, 0xe4, 0x92, + 0x78, 0x22, 0x67, 0xfd, 0x1b, 0x15, 0x1e, 0x29, 0xaa, 0x71, 0x3c, 0x3c, + 0xe7, 0x05, 0x20, 0xa9, 0x29, 0xc6, 0x75, 0x71 +}; + +__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr[] = { + 0xab, 0xb9, 0x16, 0xd8, 0x55, 0x35, 0x54, 0xb7, 0x97, 0x3f, 0x94, 0xbc, + 0x2f, 0x7c, 0x70, 0xc7, 0xd0, 0xed, 0xb7, 0x4b, 0xf7, 0xf6, 0x6c, 0x03, + 0x0c, 0xb0, 0x03, 0xd8, 0xbb, 0x71, 0xd9, 0x10 +}; + +__fips_constseg static const unsigned char hmac_sha512_pr_int_returnedbits[] = { + 0x8e, 0xd3, 0xfd, 0x52, 0x9e, 0x83, 0x08, 0x49, 0x18, 0x6e, 0x23, 0x56, + 0x5c, 0x45, 0x93, 0x34, 0x05, 0xe2, 0x98, 0x8f, 0x0c, 0xd4, 0x32, 0x0c, + 0xfd, 0xda, 0x5f, 0x92, 0x3a, 0x8c, 0x81, 0xbd, 0xf6, 0x6c, 0x55, 0xfd, + 0xb8, 0x20, 0xce, 0x8d, 0x97, 0x27, 0xe8, 0xe8, 0xe0, 0xb3, 0x85, 0x50, + 0xa2, 0xc2, 0xb2, 0x95, 0x1d, 0x48, 0xd3, 0x7b, 0x4b, 0x78, 0x13, 0x35, + 0x05, 0x17, 0xbe, 0x0d +}; + +__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput2[] = { + 0xc3, 0xfc, 0x95, 0xaa, 0x69, 0x06, 0xae, 0x59, 0x41, 0xce, 0x26, 0x08, + 0x29, 0x6d, 0x45, 0xda, 0xe8, 0xb3, 0x6c, 0x95, 0x60, 0x0f, 0x70, 0x2c, + 0x10, 0xba, 0x38, 0x8c, 0xcf, 0x29, 0x99, 0xaa +}; + +__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr2[] = { + 0x3b, 0x9a, 0x25, 0xce, 0xd7, 0xf9, 0x5c, 0xd1, 0x3a, 0x3e, 0xaa, 0x71, + 0x14, 0x3e, 0x19, 0xe8, 0xce, 0xe6, 0xfe, 0x51, 0x84, 0xe9, 0x1b, 0xfe, + 0x3f, 0xa7, 0xf2, 0xfd, 0x76, 0x5f, 0x6a, 0xe7 +}; + +__fips_constseg static const unsigned char hmac_sha512_pr_returnedbits[] = { + 0xb7, 0x82, 0xa9, 0x57, 0x81, 0x67, 0x53, 0xb5, 0xa1, 0xe9, 0x3d, 0x35, + 0xf9, 0xe4, 0x97, 0xbe, 0xa6, 0xca, 0xf1, 0x01, 0x13, 0x09, 0xe7, 0x21, + 0xc0, 0xed, 0x93, 0x5d, 0x4b, 0xf4, 0xeb, 0x8d, 0x53, 0x25, 0x8a, 0xc4, + 0xb1, 0x6f, 0x6e, 0x37, 0xcd, 0x2e, 0xac, 0x39, 0xb2, 0xb6, 0x99, 0xa3, + 0x82, 0x00, 0xb0, 0x21, 0xf0, 0xc7, 0x2f, 0x4c, 0x73, 0x92, 0xfd, 0x00, + 0xb6, 0xaf, 0xbc, 0xd3 +}; + +/* HMAC SHA-512 No PR */ +__fips_constseg static const unsigned char hmac_sha512_entropyinput[] = { + 0x6e, 0x85, 0xe6, 0x25, 0x96, 0x29, 0xa7, 0x52, 0x5b, 0x60, 0xba, 0xaa, + 0xde, 0xdb, 0x36, 0x0a, 0x51, 0x9a, 0x15, 0xae, 0x6e, 0x18, 0xd3, 0xfe, + 0x39, 0xb9, 0x4a, 0x96, 0xf8, 0x77, 0xcb, 0x95 +}; + +__fips_constseg static const unsigned char hmac_sha512_nonce[] = { + 0xe0, 0xa6, 0x5d, 0x08, 0xc3, 0x7c, 0xae, 0x25, 0x2e, 0x80, 0xd1, 0x3e, + 0xd9, 0xaf, 0x43, 0x3c +}; + +__fips_constseg + static const unsigned char hmac_sha512_personalizationstring[] = { + 0x53, 0x99, 0x52, 0x5f, 0x11, 0xa9, 0x64, 0x66, 0x20, 0x5e, 0x1b, 0x5f, + 0x42, 0xb3, 0xf4, 0xda, 0xed, 0xbb, 0x63, 0xc1, 0x23, 0xaf, 0xd0, 0x01, + 0x90, 0x3b, 0xd0, 0x78, 0xe4, 0x0b, 0xa7, 0x20 +}; + +__fips_constseg static const unsigned char hmac_sha512_additionalinput[] = { + 0x85, 0x90, 0x80, 0xd3, 0x98, 0xf1, 0x53, 0x6d, 0x68, 0x15, 0x8f, 0xe5, + 0x60, 0x3f, 0x17, 0x29, 0x55, 0x8d, 0x33, 0xb1, 0x45, 0x64, 0x64, 0x8d, + 0x50, 0x21, 0x89, 0xae, 0xf6, 0xfd, 0x32, 0x73 +}; + +__fips_constseg static const unsigned char hmac_sha512_int_returnedbits[] = { + 0x28, 0x56, 0x30, 0x6f, 0xf4, 0xa1, 0x48, 0xe0, 0xc9, 0xf5, 0x75, 0x90, + 0xcc, 0xfb, 0xdf, 0xdf, 0x71, 0x3d, 0x0a, 0x9a, 0x03, 0x65, 0x3b, 0x18, + 0x61, 0xe3, 0xd1, 0xda, 0xcc, 0x4a, 0xfe, 0x55, 0x38, 0xf8, 0x21, 0x6b, + 0xfa, 0x18, 0x01, 0x42, 0x39, 0x2f, 0x99, 0x53, 0x38, 0x15, 0x82, 0x34, + 0xc5, 0x93, 0x92, 0xbc, 0x4d, 0x75, 0x1a, 0x5f, 0x21, 0x27, 0xcc, 0xa1, + 0xb1, 0x57, 0x69, 0xe8 +}; + +__fips_constseg static const unsigned char hmac_sha512_entropyinputreseed[] = { + 0x8c, 0x52, 0x7e, 0x77, 0x72, 0x3f, 0xa3, 0x04, 0x97, 0x10, 0x9b, 0x41, + 0xbd, 0xe8, 0xff, 0x89, 0xed, 0x80, 0xe3, 0xbd, 0xaa, 0x12, 0x2d, 0xca, + 0x75, 0x82, 0x36, 0x77, 0x88, 0xcd, 0xa6, 0x73 +}; + +__fips_constseg + static const unsigned char hmac_sha512_additionalinputreseed[] = { + 0x7e, 0x32, 0xe3, 0x69, 0x69, 0x07, 0x34, 0xa2, 0x16, 0xa2, 0x5d, 0x1a, + 0x10, 0x91, 0xd3, 0xe2, 0x21, 0xa2, 0xa3, 0xdd, 0xcd, 0x0c, 0x09, 0x86, + 0x11, 0xe1, 0x50, 0xff, 0x5c, 0xb7, 0xeb, 0x5c +}; + +__fips_constseg static const unsigned char hmac_sha512_additionalinput2[] = { + 0x7f, 0x78, 0x66, 0xd8, 0xfb, 0x67, 0xcf, 0x8d, 0x8c, 0x08, 0x30, 0xa5, + 0xf8, 0x7d, 0xcf, 0x44, 0x59, 0xce, 0xf8, 0xdf, 0x58, 0xd3, 0x60, 0xcb, + 0xa8, 0x60, 0xb9, 0x07, 0xc4, 0xb1, 0x95, 0x48 +}; + +__fips_constseg static const unsigned char hmac_sha512_returnedbits[] = { + 0xdf, 0xa7, 0x36, 0xd4, 0xdc, 0x5d, 0x4d, 0x31, 0xad, 0x69, 0x46, 0x9f, + 0xf1, 0x7c, 0xd7, 0x3b, 0x4f, 0x55, 0xf2, 0xd7, 0xb9, 0x9d, 0xad, 0x7a, + 0x79, 0x08, 0x59, 0xa5, 0xdc, 0x74, 0xf5, 0x9b, 0x73, 0xd2, 0x13, 0x25, + 0x0b, 0x81, 0x08, 0x08, 0x25, 0xfb, 0x39, 0xf2, 0xf0, 0xa3, 0xa4, 0x8d, + 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79, + 0xc2, 0xd6, 0xfd, 0xa5 +}; diff -up openssl-1.1.1b/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_dsa_selftest.c --- openssl-1.1.1b/crypto/fips/fips_dsa_selftest.c.fips 2019-02-28 11:30:06.814745521 +0100 +++ openssl-1.1.1b/crypto/fips/fips_dsa_selftest.c 2019-02-28 11:30:06.814745521 +0100 @@ -0,0 +1,195 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include +#include +#include +#include +#include "internal/fips_int.h" +#include +#include +#include +#include "fips_locl.h" + +#ifdef OPENSSL_FIPS + +static const unsigned char dsa_test_2048_p[] = { + 0xa8, 0x53, 0x78, 0xd8, 0xfd, 0x3f, 0x8d, 0x72, 0xec, 0x74, 0x18, 0x08, + 0x0d, 0xa2, 0x13, 0x17, 0xe4, 0x3e, 0xc4, 0xb6, 0x2b, 0xa8, 0xc8, 0x62, + 0x3b, 0x7e, 0x4d, 0x04, 0x44, 0x1d, 0xd1, 0xa0, 0x65, 0x86, 0x62, 0x59, + 0x64, 0x93, 0xca, 0x8e, 0x9e, 0x8f, 0xbb, 0x7e, 0x34, 0xaa, 0xdd, 0xb6, + 0x2e, 0x5d, 0x67, 0xb6, 0xd0, 0x9a, 0x6e, 0x61, 0xb7, 0x69, 0xe7, 0xc3, + 0x52, 0xaa, 0x2b, 0x10, 0xe2, 0x0c, 0xa0, 0x63, 0x69, 0x63, 0xb5, 0x52, + 0x3e, 0x86, 0x47, 0x0d, 0xec, 0xbb, 0xed, 0xa0, 0x27, 0xe7, 0x97, 0xe7, + 0xb6, 0x76, 0x35, 0xd4, 0xd4, 0x9c, 0x30, 0x70, 0x0e, 0x74, 0xaf, 0x8a, + 0x0f, 0xf1, 0x56, 0xa8, 0x01, 0xaf, 0x57, 0xa2, 0x6e, 0x70, 0x78, 0xf1, + 0xd8, 0x2f, 0x74, 0x90, 0x8e, 0xcb, 0x6d, 0x07, 0xe7, 0x0b, 0x35, 0x03, + 0xee, 0xd9, 0x4f, 0xa3, 0x2c, 0xf1, 0x7a, 0x7f, 0xc3, 0xd6, 0xcf, 0x40, + 0xdc, 0x7b, 0x00, 0x83, 0x0e, 0x6a, 0x25, 0x66, 0xdc, 0x07, 0x3e, 0x34, + 0x33, 0x12, 0x51, 0x7c, 0x6a, 0xa5, 0x15, 0x2b, 0x4b, 0xfe, 0xcd, 0x2e, + 0x55, 0x1f, 0xee, 0x34, 0x63, 0x18, 0xa1, 0x53, 0x42, 0x3c, 0x99, 0x6b, + 0x0d, 0x5d, 0xcb, 0x91, 0x02, 0xae, 0xdd, 0x38, 0x79, 0x86, 0x16, 0xf1, + 0xf1, 0xe0, 0xd6, 0xc4, 0x03, 0x52, 0x5b, 0x1f, 0x9b, 0x3d, 0x4d, 0xc7, + 0x66, 0xde, 0x2d, 0xfc, 0x4a, 0x56, 0xd7, 0xb8, 0xba, 0x59, 0x63, 0xd6, + 0x0f, 0x3e, 0x16, 0x31, 0x88, 0x70, 0xad, 0x43, 0x69, 0x52, 0xe5, 0x57, + 0x65, 0x37, 0x4e, 0xab, 0x85, 0xe8, 0xec, 0x17, 0xd6, 0xb9, 0xa4, 0x54, + 0x7b, 0x9b, 0x5f, 0x27, 0x52, 0xf3, 0x10, 0x5b, 0xe8, 0x09, 0xb2, 0x3a, + 0x2c, 0x8d, 0x74, 0x69, 0xdb, 0x02, 0xe2, 0x4d, 0x59, 0x23, 0x94, 0xa7, + 0xdb, 0xa0, 0x69, 0xe9 +}; + +static const unsigned char dsa_test_2048_q[] = { + 0xd2, 0x77, 0x04, 0x4e, 0x50, 0xf5, 0xa4, 0xe3, 0xf5, 0x10, 0xa5, 0x0a, + 0x0b, 0x84, 0xfd, 0xff, 0xbc, 0xa0, 0x47, 0xed, 0x27, 0x60, 0x20, 0x56, + 0x74, 0x41, 0xa0, 0xa5 +}; + +static const unsigned char dsa_test_2048_g[] = { + 0x13, 0xd7, 0x54, 0xe2, 0x1f, 0xd2, 0x41, 0x65, 0x5d, 0xa8, 0x91, 0xc5, + 0x22, 0xa6, 0x5a, 0x72, 0xa8, 0x9b, 0xdc, 0x64, 0xec, 0x9b, 0x54, 0xa8, + 0x21, 0xed, 0x4a, 0x89, 0x8b, 0x49, 0x0e, 0x0c, 0x4f, 0xcb, 0x72, 0x19, + 0x2a, 0x4a, 0x20, 0xf5, 0x41, 0xf3, 0xf2, 0x92, 0x53, 0x99, 0xf0, 0xba, + 0xec, 0xf9, 0x29, 0xaa, 0xfb, 0xf7, 0x9d, 0xfe, 0x43, 0x32, 0x39, 0x3b, + 0x32, 0xcd, 0x2e, 0x2f, 0xcf, 0x27, 0x2f, 0x32, 0xa6, 0x27, 0x43, 0x4a, + 0x0d, 0xf2, 0x42, 0xb7, 0x5b, 0x41, 0x4d, 0xf3, 0x72, 0x12, 0x1e, 0x53, + 0xa5, 0x53, 0xf2, 0x22, 0xf8, 0x36, 0xb0, 0x00, 0xf0, 0x16, 0x48, 0x5b, + 0x6b, 0xd0, 0x89, 0x84, 0x51, 0x80, 0x1d, 0xcd, 0x8d, 0xe6, 0x4c, 0xd5, + 0x36, 0x56, 0x96, 0xff, 0xc5, 0x32, 0xd5, 0x28, 0xc5, 0x06, 0x62, 0x0a, + 0x94, 0x2a, 0x03, 0x05, 0x04, 0x6d, 0x8f, 0x18, 0x76, 0x34, 0x1f, 0x1e, + 0x57, 0x0b, 0xc3, 0x97, 0x4b, 0xa6, 0xb9, 0xa4, 0x38, 0xe9, 0x70, 0x23, + 0x02, 0xa2, 0xe6, 0xe6, 0x7b, 0xfd, 0x06, 0xd3, 0x2b, 0xc6, 0x79, 0x96, + 0x22, 0x71, 0xd7, 0xb4, 0x0c, 0xd7, 0x2f, 0x38, 0x6e, 0x64, 0xe0, 0xd7, + 0xef, 0x86, 0xca, 0x8c, 0xa5, 0xd1, 0x42, 0x28, 0xdc, 0x2a, 0x4f, 0x16, + 0xe3, 0x18, 0x98, 0x86, 0xb5, 0x99, 0x06, 0x74, 0xf4, 0x20, 0x0f, 0x3a, + 0x4c, 0xf6, 0x5a, 0x3f, 0x0d, 0xdb, 0xa1, 0xfa, 0x67, 0x2d, 0xff, 0x2f, + 0x5e, 0x14, 0x3d, 0x10, 0xe4, 0xe9, 0x7a, 0xe8, 0x4f, 0x6d, 0xa0, 0x95, + 0x35, 0xd5, 0xb9, 0xdf, 0x25, 0x91, 0x81, 0xa7, 0x9b, 0x63, 0xb0, 0x69, + 0xe9, 0x49, 0x97, 0x2b, 0x02, 0xba, 0x36, 0xb3, 0x58, 0x6a, 0xab, 0x7e, + 0x45, 0xf3, 0x22, 0xf8, 0x2e, 0x4e, 0x85, 0xca, 0x3a, 0xb8, 0x55, 0x91, + 0xb3, 0xc2, 0xa9, 0x66 +}; + +static const unsigned char dsa_test_2048_pub_key[] = { + 0x24, 0x52, 0xf3, 0xcc, 0xbe, 0x9e, 0xd5, 0xca, 0x7d, 0xc7, 0x4c, 0x60, + 0x2b, 0x99, 0x22, 0x6e, 0x8f, 0x2f, 0xab, 0x38, 0xe7, 0xd7, 0xdd, 0xfb, + 0x75, 0x53, 0x9b, 0x17, 0x15, 0x5e, 0x9f, 0xcf, 0xd1, 0xab, 0xa5, 0x64, + 0xeb, 0x85, 0x35, 0xd8, 0x12, 0xc9, 0xc2, 0xdc, 0xf9, 0x72, 0x84, 0x44, + 0x1b, 0xc4, 0x82, 0x24, 0x36, 0x24, 0xc7, 0xf4, 0x57, 0x58, 0x0c, 0x1c, + 0x38, 0xa5, 0x7c, 0x46, 0xc4, 0x57, 0x39, 0x24, 0x70, 0xed, 0xb5, 0x2c, + 0xb5, 0xa6, 0xe0, 0x3f, 0xe6, 0x28, 0x7b, 0xb6, 0xf4, 0x9a, 0x42, 0xa2, + 0x06, 0x5a, 0x05, 0x4f, 0x03, 0x08, 0x39, 0xdf, 0x1f, 0xd3, 0x14, 0x9c, + 0x4c, 0xa0, 0x53, 0x1d, 0xd8, 0xca, 0x8a, 0xaa, 0x9c, 0xc7, 0x33, 0x71, + 0x93, 0x38, 0x73, 0x48, 0x33, 0x61, 0x18, 0x22, 0x45, 0x45, 0xe8, 0x8c, + 0x80, 0xff, 0xd8, 0x76, 0x5d, 0x74, 0x36, 0x03, 0x33, 0xcc, 0xab, 0x99, + 0x72, 0x77, 0x9b, 0x65, 0x25, 0xa6, 0x5b, 0xdd, 0x0d, 0x10, 0xc6, 0x75, + 0xc1, 0x09, 0xbb, 0xd3, 0xe5, 0xbe, 0x4d, 0x72, 0xef, 0x6e, 0xba, 0x6e, + 0x43, 0x8d, 0x52, 0x26, 0x23, 0x7d, 0xb8, 0x88, 0x37, 0x9c, 0x5f, 0xcc, + 0x47, 0xa3, 0x84, 0x7f, 0xf6, 0x37, 0x11, 0xba, 0xed, 0x6d, 0x03, 0xaf, + 0xe8, 0x1e, 0x69, 0x4a, 0x41, 0x3b, 0x68, 0x0b, 0xd3, 0x8a, 0xb4, 0x90, + 0x3f, 0x83, 0x70, 0xa7, 0x07, 0xef, 0x55, 0x1d, 0x49, 0x41, 0x02, 0x6d, + 0x95, 0x79, 0xd6, 0x91, 0xde, 0x8e, 0xda, 0xa1, 0x61, 0x05, 0xeb, 0x9d, + 0xba, 0x3c, 0x2f, 0x4c, 0x1b, 0xec, 0x50, 0x82, 0x75, 0xaa, 0x02, 0x07, + 0xe2, 0x51, 0xb5, 0xec, 0xcb, 0x28, 0x6a, 0x4b, 0x01, 0xd4, 0x49, 0xd3, + 0x0a, 0xcb, 0x67, 0x37, 0x17, 0xa0, 0xd2, 0xfb, 0x3b, 0x50, 0xc8, 0x93, + 0xf7, 0xda, 0xb1, 0x4f +}; + +static const unsigned char dsa_test_2048_priv_key[] = { + 0x0c, 0x4b, 0x30, 0x89, 0xd1, 0xb8, 0x62, 0xcb, 0x3c, 0x43, 0x64, 0x91, + 0xf0, 0x91, 0x54, 0x70, 0xc5, 0x27, 0x96, 0xe3, 0xac, 0xbe, 0xe8, 0x00, + 0xec, 0x55, 0xf6, 0xcc +}; + +int FIPS_selftest_dsa() +{ + DSA *dsa = NULL; + EVP_PKEY *pk = NULL; + int ret = -1; + BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL; + + fips_load_key_component(p, dsa_test_2048); + fips_load_key_component(q, dsa_test_2048); + fips_load_key_component(g, dsa_test_2048); + fips_load_key_component(pub_key, dsa_test_2048); + fips_load_key_component(priv_key, dsa_test_2048); + + dsa = DSA_new(); + + if (dsa == NULL) + goto err; + + DSA_set0_pqg(dsa, p, q, g); + + DSA_set0_key(dsa, pub_key, priv_key); + + if ((pk = EVP_PKEY_new()) == NULL) + goto err; + + EVP_PKEY_assign_DSA(pk, dsa); + + if (!fips_pkey_signature_test(pk, NULL, 0, + NULL, 0, EVP_sha256(), 0, "DSA SHA256")) + goto err; + ret = 1; + + err: + if (pk) + EVP_PKEY_free(pk); + else if (dsa) + DSA_free(dsa); + else { + BN_free(p); + BN_free(q); + BN_free(g); + BN_free(pub_key); + BN_free(priv_key); + } + return ret; +} +#endif diff -up openssl-1.1.1b/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_ecdh_selftest.c --- openssl-1.1.1b/crypto/fips/fips_ecdh_selftest.c.fips 2019-02-28 11:30:06.814745521 +0100 +++ openssl-1.1.1b/crypto/fips/fips_ecdh_selftest.c 2019-02-28 11:30:06.814745521 +0100 @@ -0,0 +1,242 @@ +/* fips/ecdh/fips_ecdh_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project 2011. + */ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + */ + +#define OPENSSL_FIPSAPI + +#include +#include +#include +#include +#include +#include +#include +#include + +#ifdef OPENSSL_FIPS + +# include "fips_locl.h" + +static const unsigned char p256_qcavsx[] = { + 0x52, 0xc6, 0xa5, 0x75, 0xf3, 0x04, 0x98, 0xb3, 0x29, 0x66, 0x0c, 0x62, + 0x18, 0x60, 0x55, 0x41, 0x59, 0xd4, 0x60, 0x85, 0x99, 0xc1, 0x51, 0x13, + 0x6f, 0x97, 0x85, 0x93, 0x33, 0x34, 0x07, 0x50 +}; + +static const unsigned char p256_qcavsy[] = { + 0x6f, 0x69, 0x24, 0xeb, 0xe9, 0x3b, 0xa7, 0xcc, 0x47, 0x17, 0xaa, 0x3f, + 0x70, 0xfc, 0x10, 0x73, 0x0a, 0xcd, 0x21, 0xee, 0x29, 0x19, 0x1f, 0xaf, + 0xb4, 0x1c, 0x1e, 0xc2, 0x8e, 0x97, 0x81, 0x6e +}; + +static const unsigned char p256_qiutx[] = { + 0x71, 0x46, 0x88, 0x08, 0x92, 0x21, 0x1b, 0x10, 0x21, 0x74, 0xff, 0x0c, + 0x94, 0xde, 0x34, 0x7c, 0x86, 0x74, 0xbe, 0x67, 0x41, 0x68, 0xd4, 0xc1, + 0xe5, 0x75, 0x63, 0x9c, 0xa7, 0x46, 0x93, 0x6f +}; + +static const unsigned char p256_qiuty[] = { + 0x33, 0x40, 0xa9, 0x6a, 0xf5, 0x20, 0xb5, 0x9e, 0xfc, 0x60, 0x1a, 0xae, + 0x3d, 0xf8, 0x21, 0xd2, 0xa7, 0xca, 0x52, 0x34, 0xb9, 0x5f, 0x27, 0x75, + 0x6c, 0x81, 0xbe, 0x32, 0x4d, 0xba, 0xbb, 0xf8 +}; + +static const unsigned char p256_qiutd[] = { + 0x1a, 0x48, 0x55, 0x6b, 0x11, 0xbe, 0x92, 0xd4, 0x1c, 0xd7, 0x45, 0xc3, + 0x82, 0x81, 0x51, 0xf1, 0x23, 0x40, 0xb7, 0x83, 0xfd, 0x01, 0x6d, 0xbc, + 0xa1, 0x66, 0xaf, 0x0a, 0x03, 0x23, 0xcd, 0xc8 +}; + +static const unsigned char p256_ziut[] = { + 0x77, 0x2a, 0x1e, 0x37, 0xee, 0xe6, 0x51, 0x02, 0x71, 0x40, 0xf8, 0x6a, + 0x36, 0xf8, 0x65, 0x61, 0x2b, 0x18, 0x71, 0x82, 0x23, 0xe6, 0xf2, 0x77, + 0xce, 0xec, 0xb8, 0x49, 0xc7, 0xbf, 0x36, 0x4f +}; + +typedef struct { + int curve; + const unsigned char *x1; + size_t x1len; + const unsigned char *y1; + size_t y1len; + const unsigned char *d1; + size_t d1len; + const unsigned char *x2; + size_t x2len; + const unsigned char *y2; + size_t y2len; + const unsigned char *z; + size_t zlen; +} ECDH_SELFTEST_DATA; + +# define make_ecdh_test(nid, pr) { nid, \ + pr##_qiutx, sizeof(pr##_qiutx), \ + pr##_qiuty, sizeof(pr##_qiuty), \ + pr##_qiutd, sizeof(pr##_qiutd), \ + pr##_qcavsx, sizeof(pr##_qcavsx), \ + pr##_qcavsy, sizeof(pr##_qcavsy), \ + pr##_ziut, sizeof(pr##_ziut) } + +static ECDH_SELFTEST_DATA test_ecdh_data[] = { + make_ecdh_test(NID_X9_62_prime256v1, p256), +}; + +int FIPS_selftest_ecdh(void) +{ + EC_KEY *ec1 = NULL, *ec2 = NULL; + const EC_POINT *ecp = NULL; + BIGNUM *x = NULL, *y = NULL, *d = NULL; + unsigned char *ztmp = NULL; + int rv = 1; + size_t i; + + for (i = 0; i < sizeof(test_ecdh_data) / sizeof(ECDH_SELFTEST_DATA); i++) { + ECDH_SELFTEST_DATA *ecd = test_ecdh_data + i; + if (!fips_post_started(FIPS_TEST_ECDH, ecd->curve, 0)) + continue; + ztmp = OPENSSL_malloc(ecd->zlen); + + x = BN_bin2bn(ecd->x1, ecd->x1len, x); + y = BN_bin2bn(ecd->y1, ecd->y1len, y); + d = BN_bin2bn(ecd->d1, ecd->d1len, d); + + if (!x || !y || !d || !ztmp) { + rv = -1; + goto err; + } + + ec1 = EC_KEY_new_by_curve_name(ecd->curve); + if (!ec1) { + rv = -1; + goto err; + } + EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH); + + if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) { + rv = -1; + goto err; + } + + if (!EC_KEY_set_private_key(ec1, d)) { + rv = -1; + goto err; + } + + x = BN_bin2bn(ecd->x2, ecd->x2len, x); + y = BN_bin2bn(ecd->y2, ecd->y2len, y); + + if (!x || !y) { + rv = -1; + goto err; + } + + ec2 = EC_KEY_new_by_curve_name(ecd->curve); + if (!ec2) { + rv = -1; + goto err; + } + EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH); + + if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) { + rv = -1; + goto err; + } + + ecp = EC_KEY_get0_public_key(ec2); + if (!ecp) { + rv = -1; + goto err; + } + + if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) { + rv = -1; + goto err; + } + + if (!fips_post_corrupt(FIPS_TEST_ECDH, ecd->curve, NULL)) + ztmp[0] ^= 0x1; + + if (memcmp(ztmp, ecd->z, ecd->zlen)) { + fips_post_failed(FIPS_TEST_ECDH, ecd->curve, 0); + rv = 0; + } else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0)) + goto err; + + EC_KEY_free(ec1); + ec1 = NULL; + EC_KEY_free(ec2); + ec2 = NULL; + OPENSSL_free(ztmp); + ztmp = NULL; + } + + err: + + if (x) + BN_clear_free(x); + if (y) + BN_clear_free(y); + if (d) + BN_clear_free(d); + if (ec1) + EC_KEY_free(ec1); + if (ec2) + EC_KEY_free(ec2); + if (ztmp) + OPENSSL_free(ztmp); + + return rv; + +} + +#endif diff -up openssl-1.1.1b/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_ecdsa_selftest.c --- openssl-1.1.1b/crypto/fips/fips_ecdsa_selftest.c.fips 2019-02-28 11:30:06.814745521 +0100 +++ openssl-1.1.1b/crypto/fips/fips_ecdsa_selftest.c 2019-02-28 11:30:06.814745521 +0100 @@ -0,0 +1,166 @@ +/* fips/ecdsa/fips_ecdsa_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project 2011. + */ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + */ + +#define OPENSSL_FIPSAPI + +#include +#include +#include +#include +#include +#include "internal/fips_int.h" +#include +#include +#include + +#ifdef OPENSSL_FIPS + +static const char P_256_name[] = "ECDSA P-256"; + +static const unsigned char P_256_d[] = { + 0x51, 0xbd, 0x06, 0xa1, 0x1c, 0xda, 0xe2, 0x12, 0x99, 0xc9, 0x52, 0x3f, + 0xea, 0xa4, 0xd2, 0xd1, 0xf4, 0x7f, 0xd4, 0x3e, 0xbd, 0xf8, 0xfc, 0x87, + 0xdc, 0x82, 0x53, 0x21, 0xee, 0xa0, 0xdc, 0x64 +}; + +static const unsigned char P_256_qx[] = { + 0x23, 0x89, 0xe0, 0xf4, 0x69, 0xe0, 0x49, 0xe5, 0xc7, 0xe5, 0x40, 0x6e, + 0x8f, 0x25, 0xdd, 0xad, 0x11, 0x16, 0x14, 0x9b, 0xab, 0x44, 0x06, 0x31, + 0xbf, 0x5e, 0xa6, 0x44, 0xac, 0x86, 0x00, 0x07 +}; + +static const unsigned char P_256_qy[] = { + 0xb3, 0x05, 0x0d, 0xd0, 0xdc, 0xf7, 0x40, 0xe6, 0xf9, 0xd8, 0x6d, 0x7b, + 0x63, 0xca, 0x97, 0xe6, 0x12, 0xf9, 0xd4, 0x18, 0x59, 0xbe, 0xb2, 0x5e, + 0x4a, 0x6a, 0x77, 0x23, 0xf4, 0x11, 0x9d, 0xeb +}; + +typedef struct { + int curve; + const char *name; + const unsigned char *x; + size_t xlen; + const unsigned char *y; + size_t ylen; + const unsigned char *d; + size_t dlen; +} EC_SELFTEST_DATA; + +# define make_ecdsa_test(nid, pr) { nid, pr##_name, \ + pr##_qx, sizeof(pr##_qx), \ + pr##_qy, sizeof(pr##_qy), \ + pr##_d, sizeof(pr##_d)} + +static EC_SELFTEST_DATA test_ec_data[] = { + make_ecdsa_test(NID_X9_62_prime256v1, P_256), +}; + +int FIPS_selftest_ecdsa() +{ + EC_KEY *ec = NULL; + BIGNUM *x = NULL, *y = NULL, *d = NULL; + EVP_PKEY *pk = NULL; + int rv = 0; + size_t i; + + for (i = 0; i < sizeof(test_ec_data) / sizeof(EC_SELFTEST_DATA); i++) { + EC_SELFTEST_DATA *ecd = test_ec_data + i; + + x = BN_bin2bn(ecd->x, ecd->xlen, x); + y = BN_bin2bn(ecd->y, ecd->ylen, y); + d = BN_bin2bn(ecd->d, ecd->dlen, d); + + if (!x || !y || !d) + goto err; + + ec = EC_KEY_new_by_curve_name(ecd->curve); + if (!ec) + goto err; + + if (!EC_KEY_set_public_key_affine_coordinates(ec, x, y)) + goto err; + + if (!EC_KEY_set_private_key(ec, d)) + goto err; + + if ((pk = EVP_PKEY_new()) == NULL) + goto err; + + EVP_PKEY_assign_EC_KEY(pk, ec); + + if (!fips_pkey_signature_test(pk, NULL, 0, + NULL, 0, EVP_sha256(), 0, ecd->name)) + goto err; + } + + rv = 1; + + err: + + if (x) + BN_clear_free(x); + if (y) + BN_clear_free(y); + if (d) + BN_clear_free(d); + if (pk) + EVP_PKEY_free(pk); + else if (ec) + EC_KEY_free(ec); + + return rv; + +} + +#endif diff -up openssl-1.1.1b/crypto/fips/fips_err.h.fips openssl-1.1.1b/crypto/fips/fips_err.h --- openssl-1.1.1b/crypto/fips/fips_err.h.fips 2019-05-06 16:08:46.792598211 +0200 +++ openssl-1.1.1b/crypto/fips/fips_err.h 2019-05-06 16:19:56.403993551 +0200 @@ -0,0 +1,197 @@ +/* crypto/fips_err.h */ +/* ==================================================================== + * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +/* + * NOTE: this file was auto generated by the mkerr.pl script: any changes + * made to it will be overwritten when the script next updates this file, + * only reason strings will be preserved. + */ + +#include +#include +#include + +/* BEGIN ERROR CODES */ +#ifndef OPENSSL_NO_ERR + +# define ERR_FUNC(func) ERR_PACK(ERR_LIB_FIPS,func,0) +# define ERR_REASON(reason) ERR_PACK(ERR_LIB_FIPS,0,reason) + +static ERR_STRING_DATA FIPS_str_functs[] = { + {ERR_FUNC(FIPS_F_DH_BUILTIN_GENPARAMS), "dh_builtin_genparams"}, + {ERR_FUNC(FIPS_F_DRBG_RESEED), "drbg_reseed"}, + {ERR_FUNC(FIPS_F_DSA_BUILTIN_PARAMGEN2), "dsa_builtin_paramgen2"}, + {ERR_FUNC(FIPS_F_DSA_DO_SIGN), "DSA_do_sign"}, + {ERR_FUNC(FIPS_F_DSA_DO_VERIFY), "DSA_do_verify"}, + {ERR_FUNC(FIPS_F_ECDH_COMPUTE_KEY), "ECDH_compute_key"}, + {ERR_FUNC(FIPS_F_EVP_CIPHER_CTX_NEW), "EVP_CIPHER_CTX_new"}, + {ERR_FUNC(FIPS_F_EVP_CIPHER_CTX_RESET), "EVP_CIPHER_CTX_reset"}, + {ERR_FUNC(FIPS_F_FIPS_CHECK_DSA), "fips_check_dsa"}, + {ERR_FUNC(FIPS_F_FIPS_CHECK_EC), "fips_check_ec"}, + {ERR_FUNC(FIPS_F_FIPS_CHECK_RSA), "fips_check_rsa"}, + {ERR_FUNC(FIPS_F_FIPS_DRBG_BYTES), "fips_drbg_bytes"}, + {ERR_FUNC(FIPS_F_FIPS_DRBG_CHECK), "fips_drbg_check"}, + {ERR_FUNC(FIPS_F_FIPS_DRBG_CPRNG_TEST), "fips_drbg_cprng_test"}, + {ERR_FUNC(FIPS_F_FIPS_DRBG_ERROR_CHECK), "fips_drbg_error_check"}, + {ERR_FUNC(FIPS_F_FIPS_DRBG_GENERATE), "FIPS_drbg_generate"}, + {ERR_FUNC(FIPS_F_FIPS_DRBG_INIT), "FIPS_drbg_init"}, + {ERR_FUNC(FIPS_F_FIPS_DRBG_INSTANTIATE), "FIPS_drbg_instantiate"}, + {ERR_FUNC(FIPS_F_FIPS_DRBG_NEW), "FIPS_drbg_new"}, + {ERR_FUNC(FIPS_F_FIPS_DRBG_RESEED), "FIPS_drbg_reseed"}, + {ERR_FUNC(FIPS_F_FIPS_DRBG_SINGLE_KAT), "FIPS_DRBG_SINGLE_KAT"}, + {ERR_FUNC(FIPS_F_FIPS_GET_ENTROPY), "fips_get_entropy"}, + {ERR_FUNC(FIPS_F_FIPS_MODULE_MODE_SET), "FIPS_module_mode_set"}, + {ERR_FUNC(FIPS_F_FIPS_PKEY_SIGNATURE_TEST), "fips_pkey_signature_test"}, + {ERR_FUNC(FIPS_F_FIPS_RAND_BYTES), "FIPS_rand_bytes"}, + {ERR_FUNC(FIPS_F_FIPS_RAND_SEED), "FIPS_rand_seed"}, + {ERR_FUNC(FIPS_F_FIPS_RAND_SET_METHOD), "FIPS_rand_set_method"}, + {ERR_FUNC(FIPS_F_FIPS_RAND_STATUS), "FIPS_rand_status"}, + {ERR_FUNC(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN), "fips_rsa_builtin_keygen"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST), "FIPS_selftest"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES), "FIPS_selftest_aes"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_CCM), "FIPS_selftest_aes_ccm"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_GCM), "FIPS_selftest_aes_gcm"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_XTS), "FIPS_selftest_aes_xts"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_CMAC), "FIPS_selftest_cmac"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DES), "FIPS_selftest_des"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"}, + {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"}, + {ERR_FUNC(FIPS_F_OSSL_ECDSA_VERIFY_SIG), "ossl_ecdsa_verify_sig"}, + {ERR_FUNC(FIPS_F_RSA_BUILTIN_KEYGEN), "rsa_builtin_keygen"}, + {ERR_FUNC(FIPS_F_RSA_OSSL_INIT), "rsa_ossl_init"}, + {ERR_FUNC(FIPS_F_RSA_OSSL_PRIVATE_DECRYPT), "rsa_ossl_private_decrypt"}, + {ERR_FUNC(FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT), "rsa_ossl_private_encrypt"}, + {ERR_FUNC(FIPS_F_RSA_OSSL_PUBLIC_DECRYPT), "rsa_ossl_public_decrypt"}, + {ERR_FUNC(FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT), "rsa_ossl_public_encrypt"}, + {0, NULL} +}; + +static ERR_STRING_DATA FIPS_str_reasons[] = { + {ERR_REASON(FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED), + "additional input error undetected"}, + {ERR_REASON(FIPS_R_ADDITIONAL_INPUT_TOO_LONG), + "additional input too long"}, + {ERR_REASON(FIPS_R_ALREADY_INSTANTIATED), "already instantiated"}, + {ERR_REASON(FIPS_R_DRBG_NOT_INITIALISED), "drbg not initialised"}, + {ERR_REASON(FIPS_R_DRBG_STUCK), "drbg stuck"}, + {ERR_REASON(FIPS_R_ENTROPY_ERROR_UNDETECTED), "entropy error undetected"}, + {ERR_REASON(FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED), + "entropy not requested for reseed"}, + {ERR_REASON(FIPS_R_ENTROPY_SOURCE_STUCK), "entropy source stuck"}, + {ERR_REASON(FIPS_R_ERROR_INITIALISING_DRBG), "error initialising drbg"}, + {ERR_REASON(FIPS_R_ERROR_INSTANTIATING_DRBG), "error instantiating drbg"}, + {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT), + "error retrieving additional input"}, + {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ENTROPY), "error retrieving entropy"}, + {ERR_REASON(FIPS_R_ERROR_RETRIEVING_NONCE), "error retrieving nonce"}, + {ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH), + "fingerprint does not match"}, + {ERR_REASON(FIPS_R_FIPS_MODE_ALREADY_SET), "fips mode already set"}, + {ERR_REASON(FIPS_R_FIPS_SELFTEST_FAILED), "fips selftest failed"}, + {ERR_REASON(FIPS_R_FUNCTION_ERROR), "function error"}, + {ERR_REASON(FIPS_R_GENERATE_ERROR), "generate error"}, + {ERR_REASON(FIPS_R_GENERATE_ERROR_UNDETECTED), + "generate error undetected"}, + {ERR_REASON(FIPS_R_INSTANTIATE_ERROR), "instantiate error"}, + {ERR_REASON(FIPS_R_INTERNAL_ERROR), "internal error"}, + {ERR_REASON(FIPS_R_INVALID_KEY_LENGTH), "invalid key length"}, + {ERR_REASON(FIPS_R_IN_ERROR_STATE), "in error state"}, + {ERR_REASON(FIPS_R_KEY_TOO_SHORT), "key too short"}, + {ERR_REASON(FIPS_R_NONCE_ERROR_UNDETECTED), "nonce error undetected"}, + {ERR_REASON(FIPS_R_NON_FIPS_METHOD), "non fips method"}, + {ERR_REASON(FIPS_R_NOPR_TEST1_FAILURE), "nopr test1 failure"}, + {ERR_REASON(FIPS_R_NOPR_TEST2_FAILURE), "nopr test2 failure"}, + {ERR_REASON(FIPS_R_NOT_INSTANTIATED), "not instantiated"}, + {ERR_REASON(FIPS_R_PAIRWISE_TEST_FAILED), "pairwise test failed"}, + {ERR_REASON(FIPS_R_PERSONALISATION_ERROR_UNDETECTED), + "personalisation error undetected"}, + {ERR_REASON(FIPS_R_PERSONALISATION_STRING_TOO_LONG), + "personalisation string too long"}, + {ERR_REASON(FIPS_R_PR_TEST1_FAILURE), "pr test1 failure"}, + {ERR_REASON(FIPS_R_PR_TEST2_FAILURE), "pr test2 failure"}, + {ERR_REASON(FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED), + "request length error undetected"}, + {ERR_REASON(FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG), + "request too large for drbg"}, + {ERR_REASON(FIPS_R_RESEED_COUNTER_ERROR), "reseed counter error"}, + {ERR_REASON(FIPS_R_RESEED_ERROR), "reseed error"}, + {ERR_REASON(FIPS_R_SELFTEST_FAILED), "selftest failed"}, + {ERR_REASON(FIPS_R_SELFTEST_FAILURE), "selftest failure"}, + {ERR_REASON(FIPS_R_TEST_FAILURE), "test failure"}, + {ERR_REASON(FIPS_R_UNINSTANTIATE_ERROR), "uninstantiate error"}, + {ERR_REASON(FIPS_R_UNINSTANTIATE_ZEROISE_ERROR), + "uninstantiate zeroise error"}, + {ERR_REASON(FIPS_R_UNSUPPORTED_DRBG_TYPE), "unsupported drbg type"}, + {ERR_REASON(FIPS_R_UNSUPPORTED_PLATFORM), "unsupported platform"}, + {0, NULL} +}; + +#endif + +int ERR_load_FIPS_strings(void) +{ +#ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(FIPS_str_functs[0].error) == NULL) { + ERR_load_strings(0, FIPS_str_functs); + ERR_load_strings(0, FIPS_str_reasons); + } +#endif + return 1; +} diff -up openssl-1.1.1b/crypto/fips/fips_ers.c.fips openssl-1.1.1b/crypto/fips/fips_ers.c --- openssl-1.1.1b/crypto/fips/fips_ers.c.fips 2019-02-28 11:30:06.815745503 +0100 +++ openssl-1.1.1b/crypto/fips/fips_ers.c 2019-02-28 11:30:06.815745503 +0100 @@ -0,0 +1,7 @@ +#include + +#ifdef OPENSSL_FIPS +# include "fips_err.h" +#else +static void *dummy = &dummy; +#endif diff -up openssl-1.1.1b/crypto/fips/fips_hmac_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_hmac_selftest.c --- openssl-1.1.1b/crypto/fips/fips_hmac_selftest.c.fips 2019-02-28 11:30:06.815745503 +0100 +++ openssl-1.1.1b/crypto/fips/fips_hmac_selftest.c 2019-02-28 11:30:06.815745503 +0100 @@ -0,0 +1,134 @@ +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include +#include +#ifdef OPENSSL_FIPS +# include +#endif +#include + +#ifdef OPENSSL_FIPS +typedef struct { + const EVP_MD *(*alg) (void); + const char *key, *iv; + unsigned char kaval[EVP_MAX_MD_SIZE]; +} HMAC_KAT; + +static const HMAC_KAT vector[] = { + {EVP_sha1, + /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */ + "0123456789:;<=>?@ABC", + "Sample #2", + {0x09, 0x22, 0xd3, 0x40, 0x5f, 0xaa, 0x3d, 0x19, + 0x4f, 0x82, 0xa4, 0x58, 0x30, 0x73, 0x7d, 0x5c, + 0xc6, 0xc7, 0x5d, 0x24} + }, + {EVP_sha224, + /* just keep extending the above... */ + "0123456789:;<=>?@ABC", + "Sample #2", + {0xdd, 0xef, 0x0a, 0x40, 0xcb, 0x7d, 0x50, 0xfb, + 0x6e, 0xe6, 0xce, 0xa1, 0x20, 0xba, 0x26, 0xaa, + 0x08, 0xf3, 0x07, 0x75, 0x87, 0xb8, 0xad, 0x1b, + 0x8c, 0x8d, 0x12, 0xc7} + }, + {EVP_sha256, + "0123456789:;<=>?@ABC", + "Sample #2", + {0xb8, 0xf2, 0x0d, 0xb5, 0x41, 0xea, 0x43, 0x09, + 0xca, 0x4e, 0xa9, 0x38, 0x0c, 0xd0, 0xe8, 0x34, + 0xf7, 0x1f, 0xbe, 0x91, 0x74, 0xa2, 0x61, 0x38, + 0x0d, 0xc1, 0x7e, 0xae, 0x6a, 0x34, 0x51, 0xd9} + }, + {EVP_sha384, + "0123456789:;<=>?@ABC", + "Sample #2", + {0x08, 0xbc, 0xb0, 0xda, 0x49, 0x1e, 0x87, 0xad, + 0x9a, 0x1d, 0x6a, 0xce, 0x23, 0xc5, 0x0b, 0xf6, + 0xb7, 0x18, 0x06, 0xa5, 0x77, 0xcd, 0x49, 0x04, + 0x89, 0xf1, 0xe6, 0x23, 0x44, 0x51, 0x51, 0x9f, + 0x85, 0x56, 0x80, 0x79, 0x0c, 0xbd, 0x4d, 0x50, + 0xa4, 0x5f, 0x29, 0xe3, 0x93, 0xf0, 0xe8, 0x7f} + }, + {EVP_sha512, + "0123456789:;<=>?@ABC", + "Sample #2", + {0x80, 0x9d, 0x44, 0x05, 0x7c, 0x5b, 0x95, 0x41, + 0x05, 0xbd, 0x04, 0x13, 0x16, 0xdb, 0x0f, 0xac, + 0x44, 0xd5, 0xa4, 0xd5, 0xd0, 0x89, 0x2b, 0xd0, + 0x4e, 0x86, 0x64, 0x12, 0xc0, 0x90, 0x77, 0x68, + 0xf1, 0x87, 0xb7, 0x7c, 0x4f, 0xae, 0x2c, 0x2f, + 0x21, 0xa5, 0xb5, 0x65, 0x9a, 0x4f, 0x4b, 0xa7, + 0x47, 0x02, 0xa3, 0xde, 0x9b, 0x51, 0xf1, 0x45, + 0xbd, 0x4f, 0x25, 0x27, 0x42, 0x98, 0x99, 0x05} + }, +}; + +int FIPS_selftest_hmac() +{ + int n; + unsigned int outlen; + unsigned char out[EVP_MAX_MD_SIZE]; + const EVP_MD *md; + const HMAC_KAT *t; + + for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) { + md = (*t->alg) (); + HMAC(md, t->key, strlen(t->key), + (const unsigned char *)t->iv, strlen(t->iv), out, &outlen); + + if (memcmp(out, t->kaval, outlen)) { + FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC, FIPS_R_SELFTEST_FAILED); + return 0; + } + } + return 1; +} +#endif diff -up openssl-1.1.1b/crypto/fips/fips_locl.h.fips openssl-1.1.1b/crypto/fips/fips_locl.h --- openssl-1.1.1b/crypto/fips/fips_locl.h.fips 2019-02-28 11:30:06.815745503 +0100 +++ openssl-1.1.1b/crypto/fips/fips_locl.h 2019-02-28 11:30:06.815745503 +0100 @@ -0,0 +1,71 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifdef OPENSSL_FIPS + +# ifdef __cplusplus +extern "C" { +# endif + +# define FIPS_MAX_CIPHER_TEST_SIZE 32 +# define fips_load_key_component(comp, pre) \ + comp = BN_bin2bn(pre##_##comp, sizeof(pre##_##comp), NULL); \ + if (!comp) \ + goto err + +# define fips_post_started(id, subid, ex) 1 +# define fips_post_success(id, subid, ex) 1 +# define fips_post_failed(id, subid, ex) 1 +# define fips_post_corrupt(id, subid, ex) 1 +# define fips_post_status() 1 + +# ifdef __cplusplus +} +# endif +#endif diff -up openssl-1.1.1b/crypto/fips/fips_post.c.fips openssl-1.1.1b/crypto/fips/fips_post.c --- openssl-1.1.1b/crypto/fips/fips_post.c.fips 2019-05-06 16:08:46.794598177 +0200 +++ openssl-1.1.1b/crypto/fips/fips_post.c 2019-05-06 16:08:46.794598177 +0200 @@ -0,0 +1,224 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#define OPENSSL_FIPSAPI + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifdef OPENSSL_FIPS + +/* Power on self test (POST) support functions */ + +# include +# include "internal/fips_int.h" +# include "fips_locl.h" + +/* Run all selftests */ +int FIPS_selftest(void) +{ + int rv = 1; + if (!FIPS_selftest_drbg()) + rv = 0; + if (!FIPS_selftest_sha1()) + rv = 0; + if (!FIPS_selftest_sha2()) + rv = 0; + if (!FIPS_selftest_sha3()) + rv = 0; + if (!FIPS_selftest_hmac()) + rv = 0; + if (!FIPS_selftest_cmac()) + rv = 0; + if (!FIPS_selftest_aes()) + rv = 0; + if (!FIPS_selftest_aes_ccm()) + rv = 0; + if (!FIPS_selftest_aes_gcm()) + rv = 0; + if (!FIPS_selftest_aes_xts()) + rv = 0; + if (!FIPS_selftest_des()) + rv = 0; + if (!FIPS_selftest_rsa()) + rv = 0; + if (!FIPS_selftest_ecdsa()) + rv = 0; + if (!FIPS_selftest_dsa()) + rv = 0; + if (!FIPS_selftest_dh()) + rv = 0; + if (!FIPS_selftest_ecdh()) + rv = 0; + return rv; +} + +/* Generalized public key test routine. Signs and verifies the data + * supplied in tbs using mesage digest md and setting option digest + * flags md_flags. If the 'kat' parameter is not NULL it will + * additionally check the signature matches it: a known answer test + * The string "fail_str" is used for identification purposes in case + * of failure. If "pkey" is NULL just perform a message digest check. + */ + +int fips_pkey_signature_test(EVP_PKEY *pkey, + const unsigned char *tbs, int tbslen, + const unsigned char *kat, unsigned int katlen, + const EVP_MD *digest, unsigned int flags, + const char *fail_str) +{ + int ret = 0; + unsigned char sigtmp[256], *sig = sigtmp; + size_t siglen = sizeof(sigtmp); + EVP_MD_CTX *mctx; + EVP_PKEY_CTX *pctx; + + if (digest == NULL) + digest = EVP_sha256(); + + mctx = EVP_MD_CTX_new(); + + if ((EVP_PKEY_id(pkey) == EVP_PKEY_RSA) + && (RSA_size(EVP_PKEY_get0_RSA(pkey)) > sizeof(sigtmp))) { + sig = OPENSSL_malloc(RSA_size(EVP_PKEY_get0_RSA(pkey))); + siglen = RSA_size(EVP_PKEY_get0_RSA(pkey)); + } + if (!sig || ! mctx) { + EVP_MD_CTX_free(mctx); + FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, ERR_R_MALLOC_FAILURE); + return 0; + } + + if (tbslen == -1) + tbslen = strlen((char *)tbs); + + if (EVP_DigestSignInit(mctx, &pctx, digest, NULL, pkey) <= 0) + goto error; + + if (flags == EVP_MD_CTX_FLAG_PAD_PSS) { + EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING); + EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 0); + } + + if (EVP_DigestSignUpdate(mctx, tbs, tbslen) <= 0) + goto error; + + if (EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) + goto error; + + if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen))) + goto error; + + if (EVP_DigestVerifyInit(mctx, &pctx, digest, NULL, pkey) <= 0) + goto error; + + if (flags == EVP_MD_CTX_FLAG_PAD_PSS) { + EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING); + EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 0); + } + + if (EVP_DigestVerifyUpdate(mctx, tbs, tbslen) <= 0) + goto error; + + ret = EVP_DigestVerifyFinal(mctx, sig, siglen); + + error: + if (sig != sigtmp) + OPENSSL_free(sig); + EVP_MD_CTX_free(mctx); + if (ret <= 0) { + FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, FIPS_R_TEST_FAILURE); + if (fail_str) + ERR_add_error_data(2, "Type=", fail_str); + return 0; + } + return 1; +} + +/* Generalized symmetric cipher test routine. Encrypt data, verify result + * against known answer, decrypt and compare with original plaintext. + */ + +int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, + const unsigned char *key, + const unsigned char *iv, + const unsigned char *plaintext, + const unsigned char *ciphertext, int len) +{ + unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE]; + unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE]; + + OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE); + memset(pltmp, 0, FIPS_MAX_CIPHER_TEST_SIZE); + memset(citmp, 0, FIPS_MAX_CIPHER_TEST_SIZE); + + if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0) + return 0; + if (EVP_Cipher(ctx, citmp, plaintext, len) <= 0) + return 0; + if (memcmp(citmp, ciphertext, len)) + return 0; + if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0) + return 0; + if (EVP_Cipher(ctx, pltmp, citmp, len) <= 0) + return 0; + if (memcmp(pltmp, plaintext, len)) + return 0; + return 1; +} +#endif diff -up openssl-1.1.1b/crypto/fips/fips_rand_lcl.h.fips openssl-1.1.1b/crypto/fips/fips_rand_lcl.h --- openssl-1.1.1b/crypto/fips/fips_rand_lcl.h.fips 2019-02-28 11:30:06.816745484 +0100 +++ openssl-1.1.1b/crypto/fips/fips_rand_lcl.h 2019-02-28 11:30:06.816745484 +0100 @@ -0,0 +1,203 @@ +/* fips/rand/fips_rand_lcl.h */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +typedef struct drbg_hash_ctx_st DRBG_HASH_CTX; +typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX; +typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX; + +/* 888 bits from 10.1 table 2 */ +#define HASH_PRNG_MAX_SEEDLEN 111 + +struct drbg_hash_ctx_st { + const EVP_MD *md; + EVP_MD_CTX *mctx; + unsigned char V[HASH_PRNG_MAX_SEEDLEN]; + unsigned char C[HASH_PRNG_MAX_SEEDLEN]; + /* Temporary value storage: should always exceed max digest length */ + unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN]; +}; + +struct drbg_hmac_ctx_st { + const EVP_MD *md; + HMAC_CTX *hctx; + unsigned char K[EVP_MAX_MD_SIZE]; + unsigned char V[EVP_MAX_MD_SIZE]; +}; + +struct drbg_ctr_ctx_st { + AES_KEY ks; + size_t keylen; + unsigned char K[32]; + unsigned char V[16]; + /* Temp variables used by derivation function */ + AES_KEY df_ks; + AES_KEY df_kxks; + /* Temporary block storage used by ctr_df */ + unsigned char bltmp[16]; + size_t bltmp_pos; + unsigned char KX[48]; +}; + +/* DRBG internal flags */ + +/* Functions shouldn't call err library */ +#define DRBG_FLAG_NOERR 0x1 +/* Custom reseed checking */ +#define DRBG_CUSTOM_RESEED 0x2 + +/* DRBG status values */ +/* not initialised */ +#define DRBG_STATUS_UNINITIALISED 0 +/* ok and ready to generate random bits */ +#define DRBG_STATUS_READY 1 +/* reseed required */ +#define DRBG_STATUS_RESEED 2 +/* fatal error condition */ +#define DRBG_STATUS_ERROR 3 + +/* A default maximum length: larger than any reasonable value used in pratice */ + +#define DRBG_MAX_LENGTH 0x7ffffff0 +/* Maximum DRBG block length: all md sizes are bigger than cipher blocks sizes + * so use max digest length. + */ +#define DRBG_MAX_BLOCK EVP_MAX_MD_SIZE + +#define DRBG_HEALTH_INTERVAL (1 << 24) + +/* DRBG context structure */ + +struct drbg_ctx_st { + /* First types common to all implementations */ + /* DRBG type: a NID for the underlying algorithm */ + int type; + /* Various external flags */ + unsigned int xflags; + /* Various internal use only flags */ + unsigned int iflags; + /* Used for periodic health checks */ + int health_check_cnt, health_check_interval; + + /* The following parameters are setup by mechanism drbg_init() call */ + int strength; + size_t blocklength; + size_t max_request; + + size_t min_entropy, max_entropy; + size_t min_nonce, max_nonce; + size_t max_pers, max_adin; + unsigned int reseed_counter; + unsigned int reseed_interval; + size_t seedlen; + int status; + /* Application data: typically used by test get_entropy */ + void *app_data; + /* Implementation specific structures */ + union { + DRBG_HASH_CTX hash; + DRBG_HMAC_CTX hmac; + DRBG_CTR_CTX ctr; + } d; + /* Initialiase PRNG and setup callbacks below */ + int (*init) (DRBG_CTX *ctx, int nid, int security, unsigned int flags); + /* Intantiate PRNG */ + int (*instantiate) (DRBG_CTX *ctx, + const unsigned char *ent, size_t entlen, + const unsigned char *nonce, size_t noncelen, + const unsigned char *pers, size_t perslen); + /* reseed */ + int (*reseed) (DRBG_CTX *ctx, + const unsigned char *ent, size_t entlen, + const unsigned char *adin, size_t adinlen); + /* generat output */ + int (*generate) (DRBG_CTX *ctx, + unsigned char *out, size_t outlen, + const unsigned char *adin, size_t adinlen); + /* uninstantiate */ + int (*uninstantiate) (DRBG_CTX *ctx); + + /* Entropy source block length */ + size_t entropy_blocklen; + + /* entropy gathering function */ + size_t (*get_entropy) (DRBG_CTX *ctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len); + /* Indicates we have finished with entropy buffer */ + void (*cleanup_entropy) (DRBG_CTX *ctx, unsigned char *out, size_t olen); + + /* nonce gathering function */ + size_t (*get_nonce) (DRBG_CTX *ctx, unsigned char **pout, + int entropy, size_t min_len, size_t max_len); + /* Indicates we have finished with nonce buffer */ + void (*cleanup_nonce) (DRBG_CTX *ctx, unsigned char *out, size_t olen); + + /* Callbacks used when called through RAND interface */ + /* Get any additional input for generate */ + size_t (*get_adin) (DRBG_CTX *ctx, unsigned char **pout); + void (*cleanup_adin) (DRBG_CTX *ctx, unsigned char *out, size_t olen); + /* Callback for RAND_seed(), RAND_add() */ + int (*rand_seed_cb) (DRBG_CTX *ctx, const void *buf, int num); + int (*rand_add_cb) (DRBG_CTX *ctx, + const void *buf, int num, double entropy); +}; + +int fips_drbg_ctr_init(DRBG_CTX *dctx); +int fips_drbg_hash_init(DRBG_CTX *dctx); +int fips_drbg_hmac_init(DRBG_CTX *dctx); +int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags); +int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out); + +#define FIPS_digestinit EVP_DigestInit +#define FIPS_digestupdate EVP_DigestUpdate +#define FIPS_digestfinal EVP_DigestFinal +#define M_EVP_MD_size EVP_MD_size diff -up openssl-1.1.1b/crypto/fips/fips_rand_lib.c.fips openssl-1.1.1b/crypto/fips/fips_rand_lib.c --- openssl-1.1.1b/crypto/fips/fips_rand_lib.c.fips 2019-02-28 11:30:06.816745484 +0100 +++ openssl-1.1.1b/crypto/fips/fips_rand_lib.c 2019-02-28 11:30:06.816745484 +0100 @@ -0,0 +1,234 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't + be defined and gettimeofday() won't be declared with strict compilers + like DEC C in ANSI C mode. */ +#ifndef _XOPEN_SOURCE_EXTENDED +# define _XOPEN_SOURCE_EXTENDED 1 +#endif + +#include +#include +#include +#include +#include "internal/fips_int.h" +#include +#include "e_os.h" + +#if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS)) +# include +#endif +#if defined(OPENSSL_SYS_VXWORKS) +# include +#endif +#ifndef OPENSSL_SYS_WIN32 +# ifdef OPENSSL_UNISTD +# include OPENSSL_UNISTD +# else +# include +# endif +#endif + +/* FIPS API for PRNG use. Similar to RAND functionality but without + * ENGINE and additional checking for non-FIPS rand methods. + */ + +static const RAND_METHOD *fips_rand_meth = NULL; +static int fips_approved_rand_meth = 0; +static int fips_rand_bits = 0; + +/* Allows application to override number of bits and uses non-FIPS methods */ +void FIPS_rand_set_bits(int nbits) +{ + fips_rand_bits = nbits; +} + +int FIPS_rand_set_method(const RAND_METHOD *meth) +{ + if (!fips_rand_bits) { + if (meth == FIPS_drbg_method()) + fips_approved_rand_meth = 1; + else { + fips_approved_rand_meth = 0; + if (FIPS_module_mode()) { + FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD, FIPS_R_NON_FIPS_METHOD); + return 0; + } + } + } + fips_rand_meth = meth; + return 1; +} + +const RAND_METHOD *FIPS_rand_get_method(void) +{ + return fips_rand_meth; +} + +void FIPS_rand_reset(void) +{ + if (fips_rand_meth && fips_rand_meth->cleanup) + fips_rand_meth->cleanup(); +} + +int FIPS_rand_seed(const void *buf, int num) +{ + if (!fips_approved_rand_meth && FIPS_module_mode()) { + FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD); + return 0; + } + if (fips_rand_meth && fips_rand_meth->seed) + fips_rand_meth->seed(buf, num); + return 1; +} + +int FIPS_rand_bytes(unsigned char *buf, int num) +{ + if (!fips_approved_rand_meth && FIPS_module_mode()) { + FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD); + return 0; + } + if (fips_rand_meth && fips_rand_meth->bytes) + return fips_rand_meth->bytes(buf, num); + return 0; +} + +int FIPS_rand_status(void) +{ + if (!fips_approved_rand_meth && FIPS_module_mode()) { + FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD); + return 0; + } + if (fips_rand_meth && fips_rand_meth->status) + return fips_rand_meth->status(); + return 0; +} + +/* Return instantiated strength of PRNG. For DRBG this is an internal + * parameter. Any other type of PRNG is not approved and returns 0 in + * FIPS mode and maximum 256 outside FIPS mode. + */ + +int FIPS_rand_strength(void) +{ + if (fips_rand_bits) + return fips_rand_bits; + if (fips_approved_rand_meth == 1) + return FIPS_drbg_get_strength(FIPS_get_default_drbg()); + else if (fips_approved_rand_meth == 0) { + if (FIPS_module_mode()) + return 0; + else + return 256; + } + return 0; +} + +void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr) +{ +# ifdef OPENSSL_SYS_WIN32 + FILETIME ft; +# elif defined(OPENSSL_SYS_VXWORKS) + struct timespec ts; +# else + struct timeval tv; +# endif + +# ifndef GETPID_IS_MEANINGLESS + unsigned long pid; +# endif + +# ifdef OPENSSL_SYS_WIN32 + GetSystemTimeAsFileTime(&ft); + buf[0] = (unsigned char)(ft.dwHighDateTime & 0xff); + buf[1] = (unsigned char)((ft.dwHighDateTime >> 8) & 0xff); + buf[2] = (unsigned char)((ft.dwHighDateTime >> 16) & 0xff); + buf[3] = (unsigned char)((ft.dwHighDateTime >> 24) & 0xff); + buf[4] = (unsigned char)(ft.dwLowDateTime & 0xff); + buf[5] = (unsigned char)((ft.dwLowDateTime >> 8) & 0xff); + buf[6] = (unsigned char)((ft.dwLowDateTime >> 16) & 0xff); + buf[7] = (unsigned char)((ft.dwLowDateTime >> 24) & 0xff); +# elif defined(OPENSSL_SYS_VXWORKS) + clock_gettime(CLOCK_REALTIME, &ts); + buf[0] = (unsigned char)(ts.tv_sec & 0xff); + buf[1] = (unsigned char)((ts.tv_sec >> 8) & 0xff); + buf[2] = (unsigned char)((ts.tv_sec >> 16) & 0xff); + buf[3] = (unsigned char)((ts.tv_sec >> 24) & 0xff); + buf[4] = (unsigned char)(ts.tv_nsec & 0xff); + buf[5] = (unsigned char)((ts.tv_nsec >> 8) & 0xff); + buf[6] = (unsigned char)((ts.tv_nsec >> 16) & 0xff); + buf[7] = (unsigned char)((ts.tv_nsec >> 24) & 0xff); +# else + gettimeofday(&tv, NULL); + buf[0] = (unsigned char)(tv.tv_sec & 0xff); + buf[1] = (unsigned char)((tv.tv_sec >> 8) & 0xff); + buf[2] = (unsigned char)((tv.tv_sec >> 16) & 0xff); + buf[3] = (unsigned char)((tv.tv_sec >> 24) & 0xff); + buf[4] = (unsigned char)(tv.tv_usec & 0xff); + buf[5] = (unsigned char)((tv.tv_usec >> 8) & 0xff); + buf[6] = (unsigned char)((tv.tv_usec >> 16) & 0xff); + buf[7] = (unsigned char)((tv.tv_usec >> 24) & 0xff); +# endif + buf[8] = (unsigned char)(*pctr & 0xff); + buf[9] = (unsigned char)((*pctr >> 8) & 0xff); + buf[10] = (unsigned char)((*pctr >> 16) & 0xff); + buf[11] = (unsigned char)((*pctr >> 24) & 0xff); + + (*pctr)++; + +# ifndef GETPID_IS_MEANINGLESS + pid = (unsigned long)getpid(); + buf[12] = (unsigned char)(pid & 0xff); + buf[13] = (unsigned char)((pid >> 8) & 0xff); + buf[14] = (unsigned char)((pid >> 16) & 0xff); + buf[15] = (unsigned char)((pid >> 24) & 0xff); +# endif +} + diff -up openssl-1.1.1b/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_rsa_selftest.c --- openssl-1.1.1b/crypto/fips/fips_rsa_selftest.c.fips 2019-02-28 11:30:06.816745484 +0100 +++ openssl-1.1.1b/crypto/fips/fips_rsa_selftest.c 2019-02-28 11:30:06.816745484 +0100 @@ -0,0 +1,338 @@ +/* ==================================================================== + * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include +#include +#ifdef OPENSSL_FIPS +# include +# include "internal/fips_int.h" +#endif +#include +#include +#include +#include +#include "fips_locl.h" + +#ifdef OPENSSL_FIPS + +static int setrsakey(RSA *key) +{ + static const unsigned char keydata_n[] = { + 0x00, 0xc9, 0xd5, 0x6d, 0x9d, 0x90, 0xdb, 0x43, 0xd6, 0x02, 0xed, 0x96, 0x88, 0x13, 0x8a, + 0xb2, 0xbf, 0x6e, 0xa1, 0x06, 0x10, 0xb2, 0x78, 0x37, 0xa7, 0x14, 0xa8, 0xff, 0xdd, 0x00, + 0xdd, 0xb4, 0x93, 0xa0, 0x45, 0xcc, 0x96, 0x90, 0xed, 0xad, 0xa9, 0xdd, 0xc4, 0xd6, 0xca, + 0x0c, 0xf0, 0xed, 0x4f, 0x72, 0x5e, 0x21, 0x49, 0x9a, 0x18, 0x12, 0x15, 0x8f, 0x90, 0x5a, + 0xdb, 0xb6, 0x33, 0x99, 0xa3, 0xe6, 0xb4, 0xf0, 0xc4, 0x97, 0x21, 0x26, 0xbb, 0xe3, 0xba, + 0xf2, 0xff, 0xa0, 0x72, 0xda, 0x89, 0x63, 0x8e, 0x8b, 0x3e, 0x08, 0x9d, 0x92, 0x2a, 0xbe, + 0x16, 0xe1, 0x43, 0x15, 0xfc, 0x57, 0xc7, 0x1f, 0x09, 0x11, 0x67, 0x1c, 0xa9, 0x96, 0xd1, + 0x8b, 0x3e, 0x80, 0x93, 0xc1, 0x59, 0xd0, 0x6d, 0x39, 0xf2, 0xac, 0x95, 0xcc, 0x10, 0x75, + 0xe9, 0x31, 0x24, 0xd1, 0x43, 0xaf, 0x68, 0x52, 0x4b, 0xe7, 0x16, 0xd7, 0x49, 0x65, 0x6f, + 0x26, 0xc0, 0x86, 0xad, 0xc0, 0x07, 0x0a, 0xc1, 0xe1, 0x2f, 0x87, 0x85, 0x86, 0x3b, 0xdc, + 0x5a, 0x99, 0xbe, 0xe9, 0xf9, 0xb9, 0xe9, 0x82, 0x27, 0x51, 0x04, 0x15, 0xab, 0x06, 0x0e, + 0x76, 0x5a, 0x28, 0x8d, 0x92, 0xbd, 0xc5, 0xb5, 0x7b, 0xa8, 0xdf, 0x4e, 0x47, 0xa2, 0xc1, + 0xe7, 0x52, 0xbf, 0x47, 0xf7, 0x62, 0xe0, 0x3a, 0x6f, 0x4d, 0x6a, 0x4d, 0x4e, 0xd4, 0xb9, + 0x59, 0x69, 0xfa, 0xb2, 0x14, 0xc1, 0xee, 0xe6, 0x2f, 0x95, 0xcd, 0x94, 0x72, 0xae, 0xe4, + 0xdb, 0x18, 0x9a, 0xc4, 0xcd, 0x70, 0xbd, 0xee, 0x31, 0x16, 0xb7, 0x49, 0x65, 0xac, 0x40, + 0x19, 0x0e, 0xb5, 0x6d, 0x83, 0xf1, 0x36, 0xbb, 0x08, 0x2f, 0x2e, 0x4e, 0x92, 0x62, 0xa4, + 0xff, 0x50, 0xdb, 0x20, 0x45, 0xa2, 0xeb, 0x16, 0x7a, 0xf2, 0xd5, 0x28, 0xc1, 0xfd, 0x4e, + 0x03, 0x71 + }; + + static const unsigned char keydata_e[] = { 0x01, 0x00, 0x01 }; + + static const unsigned char keydata_d[] = { + 0x36, 0x27, 0x3d, 0xb1, 0xf9, 0x1b, 0xdb, 0xa7, 0xa0, 0x41, 0x7f, 0x12, 0x23, 0xac, 0x23, + 0x29, 0x99, 0xd5, 0x3a, 0x7b, 0x60, 0x67, 0x41, 0x07, 0x63, 0x53, 0xb4, 0xd2, 0xe7, 0x58, + 0x95, 0x0a, 0xc7, 0x05, 0xf3, 0x4e, 0xb2, 0xb4, 0x12, 0xd4, 0x70, 0xdc, 0x4f, 0x85, 0x06, + 0xd3, 0xdd, 0xd8, 0x63, 0x27, 0x3e, 0x67, 0x31, 0x21, 0x24, 0x39, 0x04, 0xbc, 0x06, 0xa4, + 0xcc, 0xce, 0x2b, 0x7a, 0xfe, 0x7b, 0xad, 0xde, 0x11, 0x6e, 0xa3, 0xa5, 0xe6, 0x04, 0x53, + 0x0e, 0xa3, 0x4e, 0x2d, 0xb4, 0x8f, 0x31, 0xbf, 0xca, 0x75, 0x25, 0x52, 0x02, 0x85, 0xde, + 0x3d, 0xb2, 0x72, 0x43, 0xb2, 0x89, 0x8a, 0x9a, 0x34, 0x41, 0x26, 0x3f, 0x9a, 0x67, 0xbe, + 0xa4, 0x96, 0x7b, 0x0e, 0x75, 0xba, 0xa6, 0x93, 0xd5, 0xb8, 0xd8, 0xb8, 0x57, 0xf2, 0x4b, + 0x0f, 0x14, 0x81, 0xd1, 0x57, 0x4e, 0xf6, 0x45, 0x4c, 0xa6, 0x3b, 0xd0, 0x70, 0xca, 0xd3, + 0x9d, 0x55, 0xde, 0x22, 0x05, 0xe7, 0x8e, 0x28, 0x4d, 0xee, 0x11, 0xcf, 0xb6, 0x67, 0x76, + 0x09, 0xd3, 0xe3, 0x3c, 0x13, 0xf9, 0x99, 0x34, 0x10, 0x7b, 0xec, 0x81, 0x38, 0xf0, 0xb6, + 0x34, 0x9c, 0x9b, 0x50, 0x6f, 0x0b, 0x91, 0x81, 0x4d, 0x89, 0x94, 0x04, 0x7b, 0xf0, 0x3c, + 0xf4, 0xb1, 0xb2, 0x00, 0x48, 0x8d, 0x5a, 0x8f, 0x88, 0x9e, 0xc5, 0xab, 0x3a, 0x9e, 0x44, + 0x3f, 0x54, 0xe7, 0xd9, 0x6e, 0x47, 0xaa, 0xa1, 0xbd, 0x40, 0x46, 0x31, 0xf9, 0xf0, 0x34, + 0xb6, 0x04, 0xe1, 0x2b, 0x5b, 0x73, 0x86, 0xdd, 0x3a, 0x92, 0x1b, 0x71, 0xc7, 0x3f, 0x32, + 0xe5, 0xc3, 0xc2, 0xab, 0xa1, 0x7e, 0xbf, 0xa4, 0x52, 0xa0, 0xb0, 0x68, 0x90, 0xd1, 0x20, + 0x12, 0x79, 0xe9, 0xd7, 0xc9, 0x40, 0xba, 0xf2, 0x19, 0xc7, 0xa5, 0x00, 0x92, 0x86, 0x0d, + 0x01 + }; + + static const unsigned char keydata_p[] = { + 0x00, 0xfc, 0x5c, 0x6e, 0x16, 0xce, 0x1f, 0x03, 0x7b, 0xcd, 0xf7, 0xb3, 0x72, 0xb2, 0x8f, + 0x16, 0x72, 0xb8, 0x56, 0xae, 0xf7, 0xcd, 0x67, 0xd8, 0x4e, 0x7d, 0x07, 0xaf, 0xd5, 0x43, + 0x26, 0xc3, 0x35, 0xbe, 0x43, 0x8f, 0x4e, 0x2f, 0x1c, 0x43, 0x4e, 0x6b, 0xd2, 0xb2, 0xec, + 0x52, 0x6d, 0x97, 0x52, 0x2b, 0xcc, 0x5c, 0x3a, 0x6b, 0xf4, 0x14, 0xc6, 0x74, 0xda, 0x66, + 0x38, 0x1c, 0x7a, 0x3f, 0x84, 0x2f, 0xe3, 0xf9, 0x5a, 0xb8, 0x65, 0x69, 0x46, 0x06, 0xa3, + 0x37, 0x79, 0xb2, 0xa1, 0x5b, 0x58, 0xed, 0x5e, 0xa7, 0x5f, 0x8c, 0x65, 0x66, 0xbb, 0xd1, + 0x24, 0x36, 0xe6, 0x37, 0xa7, 0x3d, 0x49, 0x77, 0x8a, 0x8c, 0x34, 0xd8, 0x69, 0x29, 0xf3, + 0x4d, 0x58, 0x22, 0xb0, 0x51, 0x24, 0xb6, 0x40, 0xa8, 0x86, 0x59, 0x0a, 0xb7, 0xba, 0x5c, + 0x97, 0xda, 0x57, 0xe8, 0x36, 0xda, 0x7a, 0x9c, 0xad + }; + + static const unsigned char keydata_q[] = { + 0x00, 0xcc, 0xbe, 0x7b, 0x09, 0x69, 0x06, 0xee, 0x45, 0xbf, 0x88, 0x47, 0x38, 0xa8, 0xf8, + 0x17, 0xe5, 0xb6, 0xba, 0x67, 0x55, 0xe3, 0xe8, 0x05, 0x8b, 0xb8, 0xe2, 0x53, 0xd6, 0x8e, + 0xef, 0x2c, 0xe7, 0x4f, 0x4a, 0xf7, 0x4e, 0x26, 0x8d, 0x85, 0x0b, 0x3f, 0xec, 0xc3, 0x1c, + 0xd4, 0xeb, 0xec, 0x6a, 0xc8, 0x72, 0x2a, 0x25, 0x7d, 0xfd, 0xa6, 0x77, 0x96, 0xf0, 0x1e, + 0xcd, 0x28, 0x57, 0xf8, 0x37, 0x30, 0x75, 0x6b, 0xbd, 0xd4, 0x7b, 0x0c, 0x87, 0xc5, 0x6c, + 0x87, 0x40, 0xa5, 0xbb, 0x27, 0x2c, 0x78, 0xc9, 0x74, 0x5a, 0x54, 0x5b, 0x0b, 0x30, 0x6f, + 0x44, 0x4a, 0xfa, 0x71, 0xe4, 0x21, 0x61, 0x66, 0xf9, 0xee, 0x65, 0xde, 0x7c, 0x04, 0xd7, + 0xfd, 0xa9, 0x15, 0x5b, 0x7f, 0xe2, 0x7a, 0xba, 0x69, 0x86, 0x72, 0xa6, 0x06, 0x8d, 0x9b, + 0x90, 0x55, 0x60, 0x9e, 0x4c, 0x5d, 0xa9, 0xb6, 0x55 + }; + + static const unsigned char keydata_dmp1[] = { + 0x7a, 0xd6, 0x12, 0xd0, 0x0e, 0xec, 0x91, 0xa9, 0x85, 0x8b, 0xf8, 0x50, 0xf0, 0x11, 0x2e, + 0x00, 0x11, 0x32, 0x40, 0x60, 0x66, 0x1f, 0x11, 0xee, 0xc2, 0x75, 0x27, 0x65, 0x4b, 0x16, + 0x67, 0x16, 0x95, 0xd2, 0x14, 0xc3, 0x1d, 0xb3, 0x48, 0x1f, 0xb7, 0xe4, 0x0b, 0x2b, 0x74, + 0xc3, 0xdb, 0x50, 0x27, 0xf9, 0x85, 0x3a, 0xfa, 0xa9, 0x08, 0x23, 0xc1, 0x65, 0x3d, 0x34, + 0x3a, 0xc8, 0x56, 0x7a, 0x65, 0x45, 0x36, 0x6e, 0xae, 0x2a, 0xce, 0x9f, 0x43, 0x43, 0xd7, + 0x10, 0xe9, 0x9e, 0x18, 0xf4, 0xa4, 0x35, 0xda, 0x8a, 0x6b, 0xb0, 0x3f, 0xdd, 0x53, 0xe3, + 0xa8, 0xc5, 0x4e, 0x79, 0x9d, 0x1f, 0x51, 0x8c, 0xa2, 0xca, 0x66, 0x3c, 0x6a, 0x2a, 0xff, + 0x8e, 0xd2, 0xf3, 0xb7, 0xcb, 0x82, 0xda, 0xde, 0x2c, 0xe6, 0xd2, 0x8c, 0xb3, 0xad, 0xb6, + 0x4c, 0x95, 0x55, 0x76, 0xbd, 0xc9, 0xc8, 0xd1 + }; + + static const unsigned char keydata_dmq1[] = { + 0x00, 0x83, 0x23, 0x1d, 0xbb, 0x11, 0x42, 0x17, 0x2b, 0x25, 0x5a, 0x2c, 0x03, 0xe6, 0x75, + 0xc1, 0x18, 0xa8, 0xc9, 0x0b, 0x96, 0xbf, 0xba, 0xc4, 0x92, 0x91, 0x80, 0xa5, 0x22, 0x2f, + 0xba, 0x91, 0x90, 0x36, 0x01, 0x56, 0x15, 0x00, 0x2c, 0x74, 0xa2, 0x97, 0xf7, 0x15, 0xa1, + 0x49, 0xdf, 0x32, 0x35, 0xd2, 0xdd, 0x0c, 0x91, 0xa6, 0xf8, 0xe7, 0xbe, 0x81, 0x36, 0x9b, + 0x03, 0xdc, 0x6b, 0x3b, 0xd8, 0x5d, 0x79, 0x57, 0xe0, 0xe6, 0x4f, 0x49, 0xdf, 0x4c, 0x5c, + 0x0e, 0xe5, 0x21, 0x41, 0x95, 0xfd, 0xad, 0xff, 0x9a, 0x3e, 0xa0, 0xf9, 0x0f, 0x59, 0x9e, + 0x6a, 0xa7, 0x7b, 0x71, 0xa7, 0x24, 0x9a, 0x36, 0x52, 0xae, 0x97, 0x20, 0xc1, 0x5e, 0x78, + 0xd9, 0x47, 0x8b, 0x1e, 0x67, 0xf2, 0xaf, 0x98, 0xe6, 0x2d, 0xef, 0x10, 0xd7, 0xf1, 0xab, + 0x49, 0xee, 0xe5, 0x4b, 0x7e, 0xae, 0x1f, 0x1d, 0x61 + }; + + static const unsigned char keydata_iqmp[] = { + 0x23, 0x96, 0xc1, 0x91, 0x17, 0x5e, 0x0a, 0x83, 0xd2, 0xdc, 0x7b, 0x69, 0xb2, 0x59, 0x1d, + 0x33, 0x58, 0x52, 0x3f, 0x18, 0xc7, 0x09, 0x50, 0x1c, 0xb9, 0xa1, 0xbb, 0x4c, 0xa2, 0x38, + 0x40, 0x4c, 0x9a, 0x8e, 0xfe, 0x9c, 0x90, 0x92, 0xd0, 0x71, 0x9f, 0x89, 0x99, 0x50, 0x91, + 0x1f, 0x34, 0x8b, 0x74, 0x53, 0x11, 0x11, 0x4a, 0x70, 0xe2, 0xf7, 0x30, 0xd8, 0x8c, 0x80, + 0xe1, 0xcc, 0x9f, 0xf1, 0x63, 0x17, 0x1a, 0x7d, 0x67, 0x29, 0x4c, 0xcb, 0x4e, 0x74, 0x7b, + 0xe0, 0x3e, 0x9e, 0x2f, 0xf4, 0x67, 0x8f, 0xec, 0xb9, 0x5c, 0x00, 0x1e, 0x7e, 0xa2, 0x7b, + 0x92, 0xc9, 0x6f, 0x4c, 0xe4, 0x0e, 0xf9, 0x48, 0x63, 0xcd, 0x50, 0x22, 0x5d, 0xbf, 0xb6, + 0x9d, 0x01, 0x33, 0x6a, 0xf4, 0x50, 0xbe, 0x86, 0x98, 0x4f, 0xca, 0x3f, 0x3a, 0xfa, 0xcf, + 0x07, 0x40, 0xc4, 0xaa, 0xad, 0xae, 0xbe, 0xbf + }; + + int rv = 0; + BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL, *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; + + fips_load_key_component(n, keydata); + fips_load_key_component(e, keydata); + fips_load_key_component(d, keydata); + fips_load_key_component(p, keydata); + fips_load_key_component(q, keydata); + fips_load_key_component(dmp1, keydata); + fips_load_key_component(dmq1, keydata); + fips_load_key_component(iqmp, keydata); + + RSA_set0_key(key, n, e, d); + RSA_set0_factors(key, p, q); + RSA_set0_crt_params(key, dmp1, dmq1, iqmp); + + rv = 1; +err: + if (!rv) { + BN_free(n); + BN_free(e); + BN_free(d); + BN_free(p); + BN_free(q); + BN_free(dmp1); + BN_free(dmq1); + BN_free(iqmp); + } + return rv; +} + +/* Known Answer Test (KAT) data for the above RSA private key signing + * kat_tbs. + */ + +static const unsigned char kat_tbs[] = + "OpenSSL FIPS 140-2 Public Key RSA KAT"; + +static const unsigned char kat_RSA_PSS_SHA256[] = { + 0x38, 0xDA, 0x99, 0x51, 0x26, 0x38, 0xC6, 0x7F, 0xC4, 0x81, 0x57, 0x19, + 0x35, 0xC6, 0xF6, 0x1E, 0x90, 0x47, 0x20, 0x55, 0x47, 0x56, 0x26, 0xE9, + 0xF2, 0xA8, 0x39, 0x6C, 0xD5, 0xCD, 0xCB, 0x55, 0xFC, 0x0C, 0xC5, 0xCB, + 0xF7, 0x40, 0x17, 0x3B, 0xCF, 0xE4, 0x05, 0x03, 0x3B, 0xA0, 0xB2, 0xC9, + 0x0D, 0x5E, 0x48, 0x3A, 0xE9, 0xAD, 0x28, 0x71, 0x7D, 0x8F, 0x89, 0x16, + 0x59, 0x93, 0x35, 0xDC, 0x4D, 0x7B, 0xDF, 0x84, 0xE4, 0x68, 0xAA, 0x33, + 0xAA, 0xDC, 0x66, 0x50, 0xC8, 0xA9, 0x32, 0x12, 0xDC, 0xC6, 0x90, 0x49, + 0x0B, 0x75, 0xFF, 0x9B, 0x95, 0x00, 0x9A, 0x90, 0xE0, 0xD4, 0x0E, 0x67, + 0xAB, 0x3C, 0x47, 0x36, 0xC5, 0x2E, 0x1C, 0x46, 0xF0, 0x2D, 0xD3, 0x8B, + 0x42, 0x08, 0xDE, 0x0D, 0xB6, 0x2C, 0x86, 0xB0, 0x35, 0x71, 0x18, 0x6B, + 0x89, 0x67, 0xC0, 0x05, 0xAD, 0xF4, 0x1D, 0x62, 0x4E, 0x75, 0xEC, 0xD6, + 0xC2, 0xDB, 0x07, 0xB0, 0xB6, 0x8D, 0x15, 0xAD, 0xCD, 0xBF, 0xF5, 0x60, + 0x76, 0xAE, 0x48, 0xB8, 0x77, 0x7F, 0xC5, 0x01, 0xD9, 0x29, 0xBB, 0xD6, + 0x17, 0xA2, 0x20, 0x5A, 0xC0, 0x4A, 0x3B, 0x34, 0xC8, 0xB9, 0x39, 0xCF, + 0x06, 0x89, 0x95, 0x6F, 0xC7, 0xCA, 0xC4, 0xE4, 0x43, 0xDF, 0x5A, 0x23, + 0xE2, 0x89, 0xA3, 0x38, 0x78, 0x31, 0x38, 0xC6, 0xA4, 0x6F, 0x5F, 0x73, + 0x5A, 0xE5, 0x9E, 0x09, 0xE7, 0x6F, 0xD4, 0xF8, 0x3E, 0xB7, 0xB0, 0x56, + 0x9A, 0xF3, 0x65, 0xF0, 0xC2, 0xA6, 0x8A, 0x08, 0xBA, 0x44, 0xAC, 0x97, + 0xDE, 0xB4, 0x16, 0x83, 0xDF, 0xE3, 0xEE, 0x71, 0xFA, 0xF9, 0x51, 0x50, + 0x14, 0xDC, 0xFD, 0x6A, 0x82, 0x20, 0x68, 0x64, 0x7D, 0x4E, 0x82, 0x68, + 0xD7, 0x45, 0xFA, 0x6A, 0xE4, 0xE5, 0x29, 0x3A, 0x70, 0xFB, 0xE4, 0x62, + 0x2B, 0x31, 0xB9, 0x7D +}; + +static const unsigned char kat_RSA_SHA256[] = { + 0xC2, 0xB1, 0x97, 0x00, 0x9A, 0xE5, 0x80, 0x6A, 0xE2, 0x51, 0x68, 0xB9, + 0x7A, 0x0C, 0xF2, 0xB4, 0x77, 0xED, 0x15, 0x0C, 0x4E, 0xE1, 0xDC, 0xFF, + 0x8E, 0xBC, 0xDE, 0xC7, 0x9A, 0x96, 0xF1, 0x47, 0x45, 0x24, 0x9D, 0x6F, + 0xA6, 0xF3, 0x1D, 0x0D, 0x35, 0x4C, 0x1A, 0xF3, 0x58, 0x2C, 0x6C, 0x06, + 0xD6, 0x22, 0x37, 0x77, 0x8C, 0x33, 0xE5, 0x07, 0x53, 0x93, 0x28, 0xCF, + 0x67, 0xFA, 0xC4, 0x1F, 0x1B, 0x24, 0xDB, 0x4C, 0xC5, 0x2A, 0x51, 0xA2, + 0x60, 0x15, 0x8C, 0x54, 0xB4, 0x30, 0xE2, 0x24, 0x47, 0x86, 0xF2, 0xF8, + 0x6C, 0xD6, 0x12, 0x59, 0x2C, 0x74, 0x9A, 0x37, 0xF3, 0xC4, 0xA2, 0xD5, + 0x4E, 0x1F, 0x77, 0xF0, 0x27, 0xCE, 0x77, 0xF8, 0x4A, 0x79, 0x03, 0xBE, + 0xC8, 0x06, 0x2D, 0xA7, 0xA6, 0x46, 0xF5, 0x55, 0x79, 0xD7, 0x5C, 0xC6, + 0x5B, 0xB1, 0x00, 0x4E, 0x7C, 0xD9, 0x11, 0x85, 0xE0, 0xB1, 0x4D, 0x2D, + 0x13, 0xD7, 0xAC, 0xEA, 0x64, 0xD1, 0xAC, 0x8F, 0x8D, 0x8F, 0xEA, 0x42, + 0x7F, 0xF9, 0xB7, 0x7D, 0x2C, 0x68, 0x49, 0x07, 0x7A, 0x74, 0xEF, 0xB4, + 0xC9, 0x97, 0x16, 0x5C, 0x6C, 0x6E, 0x5C, 0x09, 0x2E, 0x8E, 0x13, 0x2E, + 0x1A, 0x8D, 0xA6, 0x0C, 0x6E, 0x0C, 0x1C, 0x0F, 0xCC, 0xB2, 0x78, 0x8A, + 0x07, 0xFC, 0x5C, 0xC2, 0xF5, 0x65, 0xEC, 0xAB, 0x8B, 0x3C, 0xCA, 0x91, + 0x6F, 0x84, 0x7C, 0x21, 0x0E, 0xB8, 0xDA, 0x7B, 0x6C, 0xF7, 0xDF, 0xAB, + 0x7E, 0x15, 0xFD, 0x85, 0x0B, 0x33, 0x9B, 0x6A, 0x3A, 0xC3, 0xEF, 0x65, + 0x04, 0x6E, 0xB2, 0xAC, 0x98, 0xFD, 0xEB, 0x02, 0xF5, 0xC0, 0x0B, 0x5E, + 0xCB, 0xD4, 0x83, 0x82, 0x18, 0x1B, 0xDA, 0xB4, 0xCD, 0xE8, 0x71, 0x6B, + 0x1D, 0xB5, 0x4F, 0xE9, 0xD6, 0x43, 0xA0, 0x0A, 0x14, 0xA0, 0xE7, 0x5D, + 0x47, 0x9D, 0x18, 0xD7 +}; + +static int fips_rsa_encrypt_test(RSA *rsa, const unsigned char *plaintext, + int ptlen) +{ + unsigned char *ctbuf = NULL, *ptbuf = NULL; + int ret = 0; + int len; + + ctbuf = OPENSSL_malloc(RSA_size(rsa)); + if (!ctbuf) + goto err; + + len = RSA_public_encrypt(ptlen, plaintext, ctbuf, rsa, RSA_PKCS1_PADDING); + if (len <= 0) + goto err; + /* Check ciphertext doesn't match plaintext */ + if (len >= ptlen && !memcmp(plaintext, ctbuf, ptlen)) + goto err; + + ptbuf = OPENSSL_malloc(RSA_size(rsa)); + if (!ptbuf) + goto err; + + len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING); + if (len != ptlen) + goto err; + if (memcmp(ptbuf, plaintext, len)) + goto err; + + ret = 1; + + err: + if (ctbuf) + OPENSSL_free(ctbuf); + if (ptbuf) + OPENSSL_free(ptbuf); + return ret; +} + +int FIPS_selftest_rsa() +{ + int ret = 0; + RSA *key; + EVP_PKEY *pk = NULL; + + if ((key = RSA_new()) == NULL) + goto err; + + if (!setrsakey(key)) + goto err; + + if ((pk = EVP_PKEY_new()) == NULL) + goto err; + + EVP_PKEY_set1_RSA(pk, key); + + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_SHA256, sizeof(kat_RSA_SHA256), + EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1, + "RSA SHA256 PKCS#1")) + goto err; + + if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, + kat_RSA_PSS_SHA256, + sizeof(kat_RSA_PSS_SHA256), EVP_sha256(), + EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA256 PSS")) + goto err; + + if (!fips_rsa_encrypt_test(key, kat_tbs, sizeof(kat_tbs) - 1)) + goto err; + + ret = 1; + + err: + if (pk) + EVP_PKEY_free(pk); + if (key) + RSA_free(key); + return ret; +} + +#endif /* def OPENSSL_FIPS */ diff -up openssl-1.1.1b/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_sha_selftest.c --- openssl-1.1.1b/crypto/fips/fips_sha_selftest.c.fips 2019-05-06 16:08:46.795598159 +0200 +++ openssl-1.1.1b/crypto/fips/fips_sha_selftest.c 2019-05-06 17:35:40.211316880 +0200 @@ -0,0 +1,223 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include +#include +#ifdef OPENSSL_FIPS +# include +#endif +#include +#include + +#ifdef OPENSSL_FIPS +static const char test[][60] = { + "", + "abc", + "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" +}; + +static const unsigned char ret[][SHA_DIGEST_LENGTH] = { + {0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55, + 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09}, + {0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a, 0xba, 0x3e, + 0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d}, + {0x84, 0x98, 0x3e, 0x44, 0x1c, 0x3b, 0xd2, 0x6e, 0xba, 0xae, + 0x4a, 0xa1, 0xf9, 0x51, 0x29, 0xe5, 0xe5, 0x46, 0x70, 0xf1}, +}; + +int FIPS_selftest_sha1() +{ + int n; + + for (n = 0; n < sizeof(test) / sizeof(test[0]); ++n) { + unsigned char md[SHA_DIGEST_LENGTH]; + + EVP_Digest(test[n], strlen(test[n]), md, NULL, + EVP_sha1(), NULL); + if (memcmp(md, ret[n], sizeof md)) { + FIPSerr(FIPS_F_FIPS_SELFTEST_SHA1, FIPS_R_SELFTEST_FAILED); + return 0; + } + } + return 1; +} + +static const unsigned char msg_sha256[] = + { 0xfa, 0x48, 0x59, 0x2a, 0xe1, 0xae, 0x1f, 0x30, + 0xfc +}; + +static const unsigned char dig_sha256[] = + { 0xf7, 0x26, 0xd8, 0x98, 0x47, 0x91, 0x68, 0x5b, + 0x9e, 0x39, 0xb2, 0x58, 0xbb, 0x75, 0xbf, 0x01, + 0x17, 0x0c, 0x84, 0x00, 0x01, 0x7a, 0x94, 0x83, + 0xf3, 0x0b, 0x15, 0x84, 0x4b, 0x69, 0x88, 0x8a +}; + +static const unsigned char msg_sha512[] = + { 0x37, 0xd1, 0x35, 0x9d, 0x18, 0x41, 0xe9, 0xb7, + 0x6d, 0x9a, 0x13, 0xda, 0x5f, 0xf3, 0xbd +}; + +static const unsigned char dig_sha512[] = + { 0x11, 0x13, 0xc4, 0x19, 0xed, 0x2b, 0x1d, 0x16, + 0x11, 0xeb, 0x9b, 0xbe, 0xf0, 0x7f, 0xcf, 0x44, + 0x8b, 0xd7, 0x57, 0xbd, 0x8d, 0xa9, 0x25, 0xb0, + 0x47, 0x25, 0xd6, 0x6c, 0x9a, 0x54, 0x7f, 0x8f, + 0x0b, 0x53, 0x1a, 0x10, 0x68, 0x32, 0x03, 0x38, + 0x82, 0xc4, 0x87, 0xc4, 0xea, 0x0e, 0xd1, 0x04, + 0xa9, 0x98, 0xc1, 0x05, 0xa3, 0xf3, 0xf8, 0xb1, + 0xaf, 0xbc, 0xd9, 0x78, 0x7e, 0xee, 0x3d, 0x43 +}; + +int FIPS_selftest_sha2(void) +{ + unsigned char md[SHA512_DIGEST_LENGTH]; + + EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL); + if (memcmp(dig_sha256, md, sizeof(dig_sha256))) { + FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED); + return 0; + } + + EVP_Digest(msg_sha512, sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL); + if (memcmp(dig_sha512, md, sizeof(dig_sha512))) { + FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED); + return 0; + } + + return 1; +} + +static const unsigned char msg_sha3_256[] = { + 0xa1, 0xd7, 0xce, 0x51, 0x04, 0xeb, 0x25, 0xd6, + 0x13, 0x1b, 0xb8, 0xf6, 0x6e, 0x1f, 0xb1, 0x3f, + 0x35, 0x23 +}; + +static const unsigned char dig_sha3_256[] = { + 0xee, 0x90, 0x62, 0xf3, 0x97, 0x20, 0xb8, 0x21, + 0xb8, 0x8b, 0xe5, 0xe6, 0x46, 0x21, 0xd7, 0xe0, + 0xca, 0x02, 0x6a, 0x9f, 0xe7, 0x24, 0x8d, 0x78, + 0x15, 0x0b, 0x14, 0xbd, 0xba, 0xa4, 0x0b, 0xed +}; + +static const unsigned char msg_sha3_512[] = { + 0x13, 0x3b, 0x49, 0x7b, 0x00, 0x93, 0x27, 0x73, + 0xa5, 0x3b, 0xa9, 0xbf, 0x8e, 0x61, 0xd5, 0x9f, + 0x05, 0xf4 +}; + +static const unsigned char dig_sha3_512[] = { + 0x78, 0x39, 0x64, 0xa1, 0xcf, 0x41, 0xd6, 0xd2, + 0x10, 0xa8, 0xd7, 0xc8, 0x1c, 0xe6, 0x97, 0x0a, + 0xa6, 0x2c, 0x90, 0x53, 0xcb, 0x89, 0xe1, 0x5f, + 0x88, 0x05, 0x39, 0x57, 0xec, 0xf6, 0x07, 0xf4, + 0x2a, 0xf0, 0x88, 0x04, 0xe7, 0x6f, 0x2f, 0xbd, + 0xbb, 0x31, 0x80, 0x9c, 0x9e, 0xef, 0xc6, 0x0e, + 0x23, 0x3d, 0x66, 0x24, 0x36, 0x7a, 0x3b, 0x9c, + 0x30, 0xf8, 0xee, 0x5f, 0x65, 0xbe, 0x56, 0xac +}; + +static const unsigned char msg_shake_128[] = { + 0x43, 0xbd, 0xb1, 0x1e, 0xac, 0x71, 0x03, 0x1f, + 0x02, 0xa1, 0x1c, 0x15, 0xa1, 0x88, 0x5f, 0xa4, + 0x28, 0x98 +}; + +static const unsigned char dig_shake_128[] = { + 0xde, 0x68, 0x02, 0x7d, 0xa1, 0x30, 0x66, 0x3a, + 0x73, 0x98, 0x0e, 0x35, 0x25, 0xb8, 0x8c, 0x75 +}; + +static const unsigned char msg_shake_256[] = { + 0x8f, 0x84, 0xa3, 0x7d, 0xbd, 0x44, 0xd0, 0xf6, + 0x95, 0x36, 0xc5, 0xf4, 0x44, 0x6b, 0xa3, 0x23, + 0x9b, 0xfc +}; + +static const unsigned char dig_shake_256[] = { + 0x05, 0xca, 0x83, 0x5e, 0x0c, 0xdb, 0xfa, 0xf5, + 0x95, 0xc6, 0x86, 0x7e, 0x2d, 0x9d, 0xb9, 0x3f, + 0xca, 0x9c, 0x8b, 0xc6, 0x65, 0x02, 0x2e, 0xdd, + 0x6f, 0xe7, 0xb3, 0xda, 0x5e, 0x07, 0xc4, 0xcf +}; + +int FIPS_selftest_sha3(void) +{ + unsigned char md[SHA512_DIGEST_LENGTH]; + + EVP_Digest(msg_sha3_256, sizeof(msg_sha3_256), md, NULL, EVP_sha3_256(), NULL); + if (memcmp(dig_sha3_256, md, sizeof(dig_sha3_256))) { + FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); + return 0; + } + + EVP_Digest(msg_sha3_512, sizeof(msg_sha3_512), md, NULL, EVP_sha3_512(), NULL); + if (memcmp(dig_sha3_512, md, sizeof(dig_sha3_512))) { + FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); + return 0; + } + + EVP_Digest(msg_shake_128, sizeof(msg_shake_128), md, NULL, EVP_shake128(), NULL); + if (memcmp(dig_shake_128, md, sizeof(dig_shake_128))) { + FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); + return 0; + } + + EVP_Digest(msg_shake_256, sizeof(msg_shake_256), md, NULL, EVP_shake256(), NULL); + if (memcmp(dig_shake_256, md, sizeof(dig_shake_256))) { + FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); + return 0; + } + + return 1; +} + +#endif diff -up openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c --- openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c.fips 2019-02-28 11:30:06.817745466 +0100 +++ openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c 2019-02-28 11:30:06.817745466 +0100 @@ -0,0 +1,127 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include +#include +#include +#include +#include +#include + +int main(int argc, char **argv) +{ +#ifdef OPENSSL_FIPS + static char key[] = "orboDeJITITejsirpADONivirpUkvarP"; + int n, binary = 0; + + if (argc < 2) { + fprintf(stderr, "%s []+\n", argv[0]); + exit(1); + } + + n = 1; + if (!strcmp(argv[n], "-binary")) { + n++; + binary = 1; /* emit binary fingerprint... */ + } + + for (; n < argc; ++n) { + FILE *f = fopen(argv[n], "rb"); + HMAC_CTX *hmac_ctx; + unsigned char mac[EVP_MAX_MD_SIZE]; + unsigned int len; + unsigned int i; + + if (!f) { + perror(argv[n]); + exit(2); + } + hmac_ctx = HMAC_CTX_new(); + if (!hmac_ctx) + exit(3); + + if (HMAC_Init_ex(hmac_ctx, key, strlen(key), EVP_sha256(), NULL) <= 0) { + fprintf(stderr, "HMAC SHA256 initialization failed.\n"); + exit(4); + } + + for (;;) { + unsigned char buf[1024]; + size_t l = fread(buf, 1, sizeof buf, f); + + if (l == 0) { + if (ferror(f)) { + perror(argv[n]); + exit(3); + } else + break; + } + if (HMAC_Update(hmac_ctx, buf, l) <= 0) { + fprintf(stderr, "HMAC_Update() failed.\n"); + exit(4); + } + } + if (HMAC_Final(hmac_ctx, mac, &len) <= 0) { + fprintf(stderr, "HMAC_Final() failed.\n"); + exit(4); + } + + if (binary) { + fwrite(mac, len, 1, stdout); + break; /* ... for single(!) file */ + } + +/* printf("HMAC-SHA1(%s)= ",argv[n]); */ + for (i = 0; i < len; ++i) + printf("%02x", mac[i]); + printf("\n"); + } +#endif + return 0; +} diff -up openssl-1.1.1b/crypto/hmac/hmac.c.fips openssl-1.1.1b/crypto/hmac/hmac.c --- openssl-1.1.1b/crypto/hmac/hmac.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/hmac/hmac.c 2019-02-28 11:30:06.817745466 +0100 @@ -36,6 +36,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo } if (key != NULL) { +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(EVP_MD_flags(md) & EVP_MD_FLAG_FIPS) + && (!EVP_MD_CTX_test_flags(ctx->md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) + || !EVP_MD_CTX_test_flags(ctx->i_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) + || !EVP_MD_CTX_test_flags(ctx->o_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))) + goto err; +#endif reset = 1; j = EVP_MD_block_size(md); if (!ossl_assert(j <= (int)sizeof(ctx->key))) diff -up openssl-1.1.1b/crypto/hmac/hm_pmeth.c.fips openssl-1.1.1b/crypto/hmac/hm_pmeth.c --- openssl-1.1.1b/crypto/hmac/hm_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/hmac/hm_pmeth.c 2019-05-06 14:56:01.123257022 +0200 @@ -180,7 +180,7 @@ static int pkey_hmac_ctrl_str(EVP_PKEY_C const EVP_PKEY_METHOD hmac_pkey_meth = { EVP_PKEY_HMAC, - 0, + EVP_PKEY_FLAG_FIPS, pkey_hmac_init, pkey_hmac_copy, pkey_hmac_cleanup, diff -up openssl-1.1.1b/crypto/include/internal/fips_int.h.fips openssl-1.1.1b/crypto/include/internal/fips_int.h --- openssl-1.1.1b/crypto/include/internal/fips_int.h.fips 2019-02-28 11:30:06.817745466 +0100 +++ openssl-1.1.1b/crypto/include/internal/fips_int.h 2019-02-28 11:30:06.817745466 +0100 @@ -0,0 +1,97 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include +#include + +#ifndef OPENSSL_FIPS +# error FIPS is disabled. +#endif + +#ifdef OPENSSL_FIPS + +int FIPS_module_mode_set(int onoff); +int FIPS_module_mode(void); +int FIPS_module_installed(void); +int FIPS_selftest_sha1(void); +int FIPS_selftest_sha2(void); +int FIPS_selftest_aes_ccm(void); +int FIPS_selftest_aes_gcm(void); +int FIPS_selftest_aes_xts(void); +int FIPS_selftest_aes(void); +int FIPS_selftest_des(void); +int FIPS_selftest_rsa(void); +int FIPS_selftest_dsa(void); +int FIPS_selftest_ecdsa(void); +int FIPS_selftest_ecdh(void); +int FIPS_selftest_dh(void); +void FIPS_drbg_stick(int onoff); +int FIPS_selftest_hmac(void); +int FIPS_selftest_drbg(void); +int FIPS_selftest_cmac(void); + +int fips_pkey_signature_test(EVP_PKEY *pkey, + const unsigned char *tbs, int tbslen, + const unsigned char *kat, + unsigned int katlen, + const EVP_MD *digest, + unsigned int md_flags, const char *fail_str); + +int fips_cipher_test(EVP_CIPHER_CTX *ctx, + const EVP_CIPHER *cipher, + const unsigned char *key, + const unsigned char *iv, + const unsigned char *plaintext, + const unsigned char *ciphertext, int len); + +void fips_set_selftest_fail(void); + +void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr); + +#endif diff -up openssl-1.1.1b/crypto/o_fips.c.fips openssl-1.1.1b/crypto/o_fips.c --- openssl-1.1.1b/crypto/o_fips.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/o_fips.c 2019-02-28 11:30:06.817745466 +0100 @@ -8,17 +8,28 @@ */ #include "internal/cryptlib.h" +#include "internal/fips_int.h" int FIPS_mode(void) { +#ifdef OPENSSL_FIPS + return FIPS_module_mode(); +#else /* This version of the library does not support FIPS mode. */ return 0; +#endif } int FIPS_mode_set(int r) { +#ifdef OPENSSL_FIPS + if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */ + return 1; + return FIPS_module_mode_set(r); +#else if (r == 0) return 1; CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED); return 0; +#endif } diff -up openssl-1.1.1b/crypto/o_init.c.fips openssl-1.1.1b/crypto/o_init.c --- openssl-1.1.1b/crypto/o_init.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/o_init.c 2019-02-28 11:30:06.817745466 +0100 @@ -7,8 +7,68 @@ * https://www.openssl.org/source/license.html */ +/* for secure_getenv */ +#define _GNU_SOURCE #include "e_os.h" #include +#ifdef OPENSSL_FIPS +# include +# include +# include +# include +# include +# include +# include +# include +# include "internal/fips_int.h" + +# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" + +static void init_fips_mode(void) +{ + char buf[2] = "0"; + int fd; + + /* Ensure the selftests always run */ + /* XXX: TO SOLVE - premature initialization due to selftests */ + FIPS_mode_set(1); + + if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { + buf[0] = '1'; + } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { + while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; + close(fd); + } + /* Failure reading the fips mode switch file means just not + * switching into FIPS mode. We would break too many things + * otherwise.. + */ + + if (buf[0] != '1') { + /* drop down to non-FIPS mode if it is not requested */ + FIPS_mode_set(0); + } else { + /* abort if selftest failed */ + FIPS_selftest_check(); + } +} + +/* + * Perform FIPS module power on selftest and automatic FIPS mode switch. + */ + +void __attribute__ ((constructor)) OPENSSL_init_library(void) +{ + static int done = 0; + if (done) + return; + done = 1; + if (!FIPS_module_installed()) { + return; + } + init_fips_mode(); +} +#endif /* * Perform any essential OpenSSL initialization operations. Currently does diff -up openssl-1.1.1b/crypto/rand/rand_lib.c.fips openssl-1.1.1b/crypto/rand/rand_lib.c --- openssl-1.1.1b/crypto/rand/rand_lib.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/rand/rand_lib.c 2019-02-28 11:30:06.818745447 +0100 @@ -16,6 +16,10 @@ #include "internal/thread_once.h" #include "rand_lcl.h" #include "e_os.h" +#ifdef OPENSSL_FIPS +# include +# include +#endif #ifndef OPENSSL_NO_ENGINE /* non-NULL if default_RAND_meth is ENGINE-provided */ @@ -857,3 +861,15 @@ int RAND_status(void) return meth->status(); return 0; } + +#ifdef OPENSSL_FIPS +void RAND_set_fips_drbg_type(int type, int flags) +{ /* just a stub for ABI compatibility */ +} + +int RAND_init_fips(void) +{ + /* just a stub for ABI compatibility */ + return 1; +} +#endif diff -up openssl-1.1.1b/crypto/rsa/rsa_crpt.c.fips openssl-1.1.1b/crypto/rsa/rsa_crpt.c --- openssl-1.1.1b/crypto/rsa/rsa_crpt.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/rsa/rsa_crpt.c 2019-02-28 11:30:06.818745447 +0100 @@ -27,24 +27,52 @@ int RSA_size(const RSA *r) int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) + && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { + RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD); + return -1; + } +#endif return rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding); } int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { + RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, + RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE); + return -1; + } +#endif return rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding); } int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) + && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { + RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD); + return -1; + } +#endif return rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding); } int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { + RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, + RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE); + return -1; + } +#endif return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding); } diff -up openssl-1.1.1b/crypto/rsa/rsa_err.c.fips openssl-1.1.1b/crypto/rsa/rsa_err.c --- openssl-1.1.1b/crypto/rsa/rsa_err.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/rsa/rsa_err.c 2019-02-28 11:30:06.818745447 +0100 @@ -16,6 +16,8 @@ static const ERR_STRING_DATA RSA_str_functs[] = { {ERR_PACK(ERR_LIB_RSA, RSA_F_CHECK_PADDING_MD, 0), "check_padding_md"}, {ERR_PACK(ERR_LIB_RSA, RSA_F_ENCODE_PKCS1, 0), "encode_pkcs1"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_FIPS_RSA_BUILTIN_KEYGEN, 0), + "fips_rsa_builtin_keygen"}, {ERR_PACK(ERR_LIB_RSA, RSA_F_INT_RSA_VERIFY, 0), "int_rsa_verify"}, {ERR_PACK(ERR_LIB_RSA, RSA_F_OLD_RSA_PRIV_DECODE, 0), "old_rsa_priv_decode"}, @@ -32,6 +34,9 @@ static const ERR_STRING_DATA RSA_str_fun {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CHECK_KEY_EX, 0), "RSA_check_key_ex"}, {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_DECRYPT, 0), "rsa_cms_decrypt"}, {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_VERIFY, 0), "rsa_cms_verify"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_KEY_EX, 0), "RSA_generate_key_ex"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, 0), + "RSA_generate_multi_prime_key"}, {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_ITEM_VERIFY, 0), "rsa_item_verify"}, {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_METH_DUP, 0), "RSA_meth_dup"}, {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_METH_NEW, 0), "RSA_meth_new"}, @@ -90,9 +95,13 @@ static const ERR_STRING_DATA RSA_str_fun {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRINT_FP, 0), "RSA_print_fp"}, {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_DECODE, 0), "rsa_priv_decode"}, {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_ENCODE, 0), "rsa_priv_encode"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_DECRYPT, 0), "RSA_private_decrypt"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_ENCRYPT, 0), "RSA_private_encrypt"}, {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_GET_PARAM, 0), "rsa_pss_get_param"}, {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_TO_CTX, 0), "rsa_pss_to_ctx"}, {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUB_DECODE, 0), "rsa_pub_decode"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_DECRYPT, 0), "RSA_public_decrypt"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_ENCRYPT, 0), "RSA_public_encrypt"}, {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SETUP_BLINDING, 0), "RSA_setup_blinding"}, {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN, 0), "RSA_sign"}, {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN_ASN1_OCTET_STRING, 0), @@ -102,6 +111,8 @@ static const ERR_STRING_DATA RSA_str_fun "RSA_verify_ASN1_OCTET_STRING"}, {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, 0), "RSA_verify_PKCS1_PSS_mgf1"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_DEFAULT_METHOD, 0), "RSA_set_default_method"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_METHOD, 0), "RSA_set_method"}, {ERR_PACK(ERR_LIB_RSA, RSA_F_SETUP_TBUF, 0), "setup_tbuf"}, {0, NULL} }; @@ -181,6 +192,7 @@ static const ERR_STRING_DATA RSA_str_rea "mp exponent not congruent to d"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_R_NOT_PRIME), "mp r not prime"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NO_PUBLIC_EXPONENT), "no public exponent"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NON_FIPS_RSA_METHOD), "non FIPS rsa method"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NULL_BEFORE_BLOCK_MISSING), "null before block missing"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES), @@ -189,6 +201,8 @@ static const ERR_STRING_DATA RSA_str_rea "n does not equal p q"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OAEP_DECODING_ERROR), "oaep decoding error"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE), + "operation not allowed in FIPS mode"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), "operation not supported for this keytype"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_PADDING_CHECK_FAILED), @@ -224,6 +238,8 @@ static const ERR_STRING_DATA RSA_str_rea "unsupported mask algorithm"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_MASK_PARAMETER), "unsupported mask parameter"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_PARAMETERS), + "unsupported parameters"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_SIGNATURE_TYPE), "unsupported signature type"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_VALUE_MISSING), "value missing"}, diff -up openssl-1.1.1b/crypto/rsa/rsa_gen.c.fips openssl-1.1.1b/crypto/rsa/rsa_gen.c --- openssl-1.1.1b/crypto/rsa/rsa_gen.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/rsa/rsa_gen.c 2019-02-28 11:30:06.818745447 +0100 @@ -18,6 +18,76 @@ #include "internal/cryptlib.h" #include #include "rsa_locl.h" +#ifdef OPENSSL_FIPS +# include +# include "internal/fips_int.h" + +int fips_check_rsa(RSA *rsa) +{ + const unsigned char tbs[] = "RSA Pairwise Check Data"; + unsigned char *ctbuf = NULL, *ptbuf = NULL; + int len, ret = 0; + EVP_PKEY *pk; + + if ((pk = EVP_PKEY_new()) == NULL) + goto err; + + EVP_PKEY_set1_RSA(pk, rsa); + + /* Perform pairwise consistency signature test */ + if (!fips_pkey_signature_test(pk, tbs, -1, + NULL, 0, EVP_sha256(), + EVP_MD_CTX_FLAG_PAD_PKCS1, NULL) + || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha256(), + EVP_MD_CTX_FLAG_PAD_PSS, NULL)) + goto err; + /* Now perform pairwise consistency encrypt/decrypt test */ + ctbuf = OPENSSL_malloc(RSA_size(rsa)); + if (!ctbuf) + goto err; + + len = + RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa, + RSA_PKCS1_PADDING); + if (len <= 0) + goto err; + /* Check ciphertext doesn't match plaintext */ + if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len)) + goto err; + ptbuf = OPENSSL_malloc(RSA_size(rsa)); + + if (!ptbuf) + goto err; + len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING); + if (len != (sizeof(tbs) - 1)) + goto err; + if (memcmp(ptbuf, tbs, len)) + goto err; + + ret = 1; + + if (!ptbuf) + goto err; + + err: + if (ret == 0) { + fips_set_selftest_fail(); + FIPSerr(FIPS_F_FIPS_CHECK_RSA, FIPS_R_PAIRWISE_TEST_FAILED); + } + + if (ctbuf) + OPENSSL_free(ctbuf); + if (ptbuf) + OPENSSL_free(ptbuf); + if (pk) + EVP_PKEY_free(pk); + + return ret; +} + +static int fips_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, + BN_GENCB *cb); +#endif static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value, BN_GENCB *cb); @@ -31,6 +101,13 @@ static int rsa_builtin_keygen(RSA *rsa, */ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) { +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) + && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { + RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD); + return 0; + } +#endif if (rsa->meth->rsa_keygen != NULL) return rsa->meth->rsa_keygen(rsa, bits, e_value, cb); @@ -41,6 +118,13 @@ int RSA_generate_key_ex(RSA *rsa, int bi int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes, BIGNUM *e_value, BN_GENCB *cb) { +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) + && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { + RSAerr(RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, RSA_R_NON_FIPS_RSA_METHOD); + return 0; + } +#endif /* multi-prime is only supported with the builtin key generation */ if (rsa->meth->rsa_multi_prime_keygen != NULL) { return rsa->meth->rsa_multi_prime_keygen(rsa, bits, primes, @@ -57,10 +141,285 @@ int RSA_generate_multi_prime_key(RSA *rs else return 0; } - +#ifdef OPENSSL_FIPS + if (FIPS_mode()) { + if (primes != 2) { + RSAerr(RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, RSA_R_UNSUPPORTED_PARAMETERS); + return 0; + } + return fips_rsa_builtin_keygen(rsa, bits, e_value, cb); + } +#endif return rsa_builtin_keygen(rsa, bits, primes, e_value, cb); } +#ifdef OPENSSL_FIPS +static int fips_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, + BN_GENCB *cb) +{ + BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp; + BN_CTX *ctx = NULL; + int ok = -1; + int i; + int n = 0; + int test = 0; + int pbits = bits / 2; + unsigned long error = 0; + + if (FIPS_selftest_failed()) { + FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED); + return 0; + } + + if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS + || (getenv("OPENSSL_ENFORCE_MODULUS_BITS") && bits < 2048)) { + FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_KEY_TOO_SHORT); + return 0; + } + if ((pbits & 0xFF) != 0) { + FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_INVALID_KEY_LENGTH); + return 0; + } + + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + BN_CTX_start(ctx); + r0 = BN_CTX_get(ctx); + r1 = BN_CTX_get(ctx); + r2 = BN_CTX_get(ctx); + r3 = BN_CTX_get(ctx); + + if (r3 == NULL) + goto err; + + /* We need the RSA components non-NULL */ + if (!rsa->n && ((rsa->n = BN_new()) == NULL)) + goto err; + if (!rsa->d && ((rsa->d = BN_secure_new()) == NULL)) + goto err; + if (!rsa->e && ((rsa->e = BN_new()) == NULL)) + goto err; + if (!rsa->p && ((rsa->p = BN_secure_new()) == NULL)) + goto err; + if (!rsa->q && ((rsa->q = BN_secure_new()) == NULL)) + goto err; + if (!rsa->dmp1 && ((rsa->dmp1 = BN_secure_new()) == NULL)) + goto err; + if (!rsa->dmq1 && ((rsa->dmq1 = BN_secure_new()) == NULL)) + goto err; + if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL)) + goto err; + + if (!BN_set_word(r0, RSA_F4)) + goto err; + if (BN_cmp(e_value, r0) < 0 || BN_num_bits(e_value) > 256) { + ok = 0; /* we set our own err */ + RSAerr(RSA_F_FIPS_RSA_BUILTIN_KEYGEN, RSA_R_BAD_E_VALUE); + goto err; + } + + /* prepare approximate minimum p and q */ + if (!BN_set_word(r0, 0xB504F334)) + goto err; + if (!BN_lshift(r0, r0, pbits - 32)) + goto err; + + /* prepare minimum p and q difference */ + if (!BN_one(r3)) + goto err; + if (!BN_lshift(r3, r3, pbits - 100)) + goto err; + + BN_copy(rsa->e, e_value); + + if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q)) + test = 1; + + BN_set_flags(r0, BN_FLG_CONSTTIME); + BN_set_flags(r1, BN_FLG_CONSTTIME); + BN_set_flags(r2, BN_FLG_CONSTTIME); + BN_set_flags(rsa->p, BN_FLG_CONSTTIME); + BN_set_flags(rsa->q, BN_FLG_CONSTTIME); + + retry: + /* generate p and q */ + for (i = 0; i < 5 * pbits; i++) { + ploop: + if (!test) + if (!BN_rand(rsa->p, pbits, 0, 1)) + goto err; + if (BN_cmp(rsa->p, r0) < 0) { + if (test) + goto err; + goto ploop; + } + + if (!BN_sub(r2, rsa->p, BN_value_one())) + goto err; + ERR_set_mark(); + if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) { + /* GCD == 1 since inverse exists */ + int r; + r = BN_is_prime_fasttest_ex(rsa->p, pbits > 1024 ? 4 : 5, ctx, 0, + cb); + if (r == -1 || (test && r <= 0)) + goto err; + if (r > 0) + break; + } else { + error = ERR_peek_last_error(); + if (ERR_GET_LIB(error) == ERR_LIB_BN + && ERR_GET_REASON(error) == BN_R_NO_INVERSE) { + /* GCD != 1 */ + ERR_pop_to_mark(); + } else { + goto err; + } + } + if (!BN_GENCB_call(cb, 2, n++)) + goto err; + } + + if (!BN_GENCB_call(cb, 3, 0)) + goto err; + + if (i >= 5 * pbits) + /* prime not found */ + goto err; + + for (i = 0; i < 5 * pbits; i++) { + qloop: + if (!test) + if (!BN_rand(rsa->q, pbits, 0, 1)) + goto err; + if (BN_cmp(rsa->q, r0) < 0) { + if (test) + goto err; + goto qloop; + } + if (!BN_sub(r2, rsa->q, rsa->p)) + goto err; + if (BN_ucmp(r2, r3) <= 0) { + if (test) + goto err; + goto qloop; + } + + if (!BN_sub(r2, rsa->q, BN_value_one())) + goto err; + ERR_set_mark(); + if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) { + /* GCD == 1 since inverse exists */ + int r; + r = BN_is_prime_fasttest_ex(rsa->q, pbits > 1024 ? 4 : 5, ctx, 0, + cb); + if (r == -1 || (test && r <= 0)) + goto err; + if (r > 0) + break; + } else { + error = ERR_peek_last_error(); + if (ERR_GET_LIB(error) == ERR_LIB_BN + && ERR_GET_REASON(error) == BN_R_NO_INVERSE) { + /* GCD != 1 */ + ERR_pop_to_mark(); + } else { + goto err; + } + } + if (!BN_GENCB_call(cb, 2, n++)) + goto err; + } + + if (!BN_GENCB_call(cb, 3, 1)) + goto err; + + if (i >= 5 * pbits) + /* prime not found */ + goto err; + + if (test) { + /* do not try to calculate the remaining key values */ + BN_clear(rsa->n); + ok = 1; + goto err; + } + + if (BN_cmp(rsa->p, rsa->q) < 0) { + tmp = rsa->p; + rsa->p = rsa->q; + rsa->q = tmp; + } + + /* calculate n */ + if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx)) + goto err; + + /* calculate d */ + if (!BN_sub(r1, rsa->p, BN_value_one())) + goto err; /* p-1 */ + if (!BN_sub(r2, rsa->q, BN_value_one())) + goto err; /* q-1 */ + + /* note that computing gcd is not safe to timing attacks */ + if (!BN_gcd(r0, r1, r2, ctx)) + goto err; + + { + if (!BN_div(r0, NULL, r1, r0, ctx)) + goto err; + + if (!BN_mul(r0, r0, r2, ctx)) /* lcm(p-1, q-1) */ + goto err; + + if (!BN_mod_inverse(rsa->d, rsa->e, r0, ctx)) /* d */ + goto err; + } + + if (BN_num_bits(rsa->d) < pbits) + goto retry; /* d is too small */ + + { + BIGNUM *d = BN_new(); + + if (d == NULL) + goto err; + BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); + + if (/* calculate d mod (p-1) */ + !BN_mod(rsa->dmp1, d, r1, ctx) + /* calculate d mod (q-1) */ + || !BN_mod(rsa->dmq1, d, r2, ctx)) { + BN_free(d); + goto err; + } + /* We MUST free d before any further use of rsa->d */ + BN_free(d); + } + + /* calculate inverse of q mod p */ + if (!BN_mod_inverse(rsa->iqmp, rsa->q, rsa->p, ctx)) + goto err; + + if (!fips_check_rsa(rsa)) + goto err; + + ok = 1; + err: + if (ok == -1) { + RSAerr(RSA_F_FIPS_RSA_BUILTIN_KEYGEN, ERR_LIB_BN); + ok = 0; + } + if (ctx != NULL) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } + + return ok; +} +#endif + static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value, BN_GENCB *cb) { diff -up openssl-1.1.1b/crypto/rsa/rsa_lib.c.fips openssl-1.1.1b/crypto/rsa/rsa_lib.c --- openssl-1.1.1b/crypto/rsa/rsa_lib.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/rsa/rsa_lib.c 2019-02-28 11:30:06.819745428 +0100 @@ -34,6 +34,12 @@ int RSA_set_method(RSA *rsa, const RSA_M * to deal with which ENGINE it comes from. */ const RSA_METHOD *mtmp; +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) { + RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_RSA_METHOD); + return 0; + } +#endif mtmp = rsa->meth; if (mtmp->finish) mtmp->finish(rsa); @@ -66,7 +72,6 @@ RSA *RSA_new_method(ENGINE *engine) ret->meth = RSA_get_default_method(); #ifndef OPENSSL_NO_ENGINE - ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; if (engine) { if (!ENGINE_init(engine)) { RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB); @@ -84,8 +89,19 @@ RSA *RSA_new_method(ENGINE *engine) } } #endif +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD)) { + RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_RSA_METHOD); +# ifndef OPENSSL_NO_ENGINE + if (ret->engine) + ENGINE_finish(ret->engine); +# endif + OPENSSL_free(ret); + return NULL; + } +#endif - ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; + ret->flags = ret->meth->flags; if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { goto err; } diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1b/crypto/rsa/rsa_ossl.c --- openssl-1.1.1b/crypto/rsa/rsa_ossl.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/rsa/rsa_ossl.c 2019-02-28 11:31:57.315691372 +0100 @@ -12,6 +12,10 @@ #include "rsa_locl.h" #include "internal/constant_time_locl.h" +#ifdef OPENSSL_FIPS +# include +#endif + static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding); static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, @@ -47,6 +51,12 @@ static const RSA_METHOD *default_RSA_met void RSA_set_default_method(const RSA_METHOD *meth) { +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) { + RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_RSA_METHOD); + return; + } +#endif default_RSA_meth = meth; } @@ -73,6 +83,22 @@ static int rsa_ossl_public_encrypt(int f unsigned char *buf = NULL; BN_CTX *ctx = NULL; +# ifdef OPENSSL_FIPS + if (FIPS_mode()) { + if (FIPS_selftest_failed()) { + FIPSerr(FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT, + FIPS_R_FIPS_SELFTEST_FAILED); + goto err; + } + + if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) + && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { + RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); + return -1; + } + } +# endif + if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); return -1; @@ -247,6 +273,22 @@ static int rsa_ossl_private_encrypt(int BIGNUM *unblind = NULL; BN_BLINDING *blinding = NULL; +# ifdef OPENSSL_FIPS + if (FIPS_mode()) { + if (FIPS_selftest_failed()) { + FIPSerr(FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT, + FIPS_R_FIPS_SELFTEST_FAILED); + return -1; + } + + if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) + && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { + RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); + return -1; + } + } +# endif + if ((ctx = BN_CTX_new()) == NULL) goto err; BN_CTX_start(ctx); @@ -377,6 +419,22 @@ static int rsa_ossl_private_decrypt(int BIGNUM *unblind = NULL; BN_BLINDING *blinding = NULL; +# ifdef OPENSSL_FIPS + if (FIPS_mode()) { + if (FIPS_selftest_failed()) { + FIPSerr(FIPS_F_RSA_OSSL_PRIVATE_DECRYPT, + FIPS_R_FIPS_SELFTEST_FAILED); + return -1; + } + + if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) + && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { + RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); + return -1; + } + } +# endif + if ((ctx = BN_CTX_new()) == NULL) goto err; BN_CTX_start(ctx); @@ -500,6 +558,22 @@ static int rsa_ossl_public_decrypt(int f unsigned char *buf = NULL; BN_CTX *ctx = NULL; +# ifdef OPENSSL_FIPS + if (FIPS_mode()) { + if (FIPS_selftest_failed()) { + FIPSerr(FIPS_F_RSA_OSSL_PUBLIC_DECRYPT, + FIPS_R_FIPS_SELFTEST_FAILED); + goto err; + } + + if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) + && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { + RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); + return -1; + } + } +# endif + if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); return -1; diff -up openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.fips openssl-1.1.1b/crypto/rsa/rsa_pmeth.c --- openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.fips 2019-05-06 14:48:26.514174053 +0200 +++ openssl-1.1.1b/crypto/rsa/rsa_pmeth.c 2019-05-06 14:45:46.732956649 +0200 @@ -756,7 +756,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX const EVP_PKEY_METHOD rsa_pkey_meth = { EVP_PKEY_RSA, - EVP_PKEY_FLAG_AUTOARGLEN, + EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS, pkey_rsa_init, pkey_rsa_copy, pkey_rsa_cleanup, @@ -838,7 +838,7 @@ static int pkey_pss_init(EVP_PKEY_CTX *c const EVP_PKEY_METHOD rsa_pss_pkey_meth = { EVP_PKEY_RSA_PSS, - EVP_PKEY_FLAG_AUTOARGLEN, + EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS, pkey_rsa_init, pkey_rsa_copy, pkey_rsa_cleanup, diff -up openssl-1.1.1b/crypto/rsa/rsa_sign.c.fips openssl-1.1.1b/crypto/rsa/rsa_sign.c --- openssl-1.1.1b/crypto/rsa/rsa_sign.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/rsa/rsa_sign.c 2019-02-28 11:30:06.819745428 +0100 @@ -73,6 +73,13 @@ int RSA_sign(int type, const unsigned ch unsigned char *tmps = NULL; const unsigned char *encoded = NULL; +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) + && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { + RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD); + return 0; + } +#endif if (rsa->meth->rsa_sign) { return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa); } @@ -100,8 +107,9 @@ int RSA_sign(int type, const unsigned ch RSAerr(RSA_F_RSA_SIGN, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); goto err; } - encrypt_len = RSA_private_encrypt(encoded_len, encoded, sigret, rsa, - RSA_PKCS1_PADDING); + /* NB: call underlying method directly to avoid FIPS blocking */ + encrypt_len = rsa->meth->rsa_priv_enc ? rsa->meth->rsa_priv_enc(encoded_len, encoded, sigret, rsa, + RSA_PKCS1_PADDING) : 0; if (encrypt_len <= 0) goto err; diff -up openssl-1.1.1b/crypto/sha/sha256.c.fips openssl-1.1.1b/crypto/sha/sha256.c --- openssl-1.1.1b/crypto/sha/sha256.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/sha/sha256.c 2019-02-28 11:30:06.819745428 +0100 @@ -18,6 +18,9 @@ int SHA224_Init(SHA256_CTX *c) { +# ifdef OPENSSL_FIPS + FIPS_selftest_check(); +# endif memset(c, 0, sizeof(*c)); c->h[0] = 0xc1059ed8UL; c->h[1] = 0x367cd507UL; @@ -33,6 +36,9 @@ int SHA224_Init(SHA256_CTX *c) int SHA256_Init(SHA256_CTX *c) { +# ifdef OPENSSL_FIPS + FIPS_selftest_check(); +# endif memset(c, 0, sizeof(*c)); c->h[0] = 0x6a09e667UL; c->h[1] = 0xbb67ae85UL; diff -up openssl-1.1.1b/crypto/sha/sha512.c.fips openssl-1.1.1b/crypto/sha/sha512.c --- openssl-1.1.1b/crypto/sha/sha512.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/crypto/sha/sha512.c 2019-02-28 11:30:06.820745410 +0100 @@ -98,6 +98,9 @@ int sha512_256_init(SHA512_CTX *c) int SHA384_Init(SHA512_CTX *c) { +# ifdef OPENSSL_FIPS + FIPS_selftest_check(); +# endif c->h[0] = U64(0xcbbb9d5dc1059ed8); c->h[1] = U64(0x629a292a367cd507); c->h[2] = U64(0x9159015a3070dd17); @@ -116,6 +119,9 @@ int SHA384_Init(SHA512_CTX *c) int SHA512_Init(SHA512_CTX *c) { +# ifdef OPENSSL_FIPS + FIPS_selftest_check(); +# endif c->h[0] = U64(0x6a09e667f3bcc908); c->h[1] = U64(0xbb67ae8584caa73b); c->h[2] = U64(0x3c6ef372fe94f82b); diff -up openssl-1.1.1b/crypto/sha/sha_locl.h.fips openssl-1.1.1b/crypto/sha/sha_locl.h --- openssl-1.1.1b/crypto/sha/sha_locl.h.fips 2019-02-28 11:30:06.628748979 +0100 +++ openssl-1.1.1b/crypto/sha/sha_locl.h 2019-02-28 11:30:06.820745410 +0100 @@ -52,6 +52,9 @@ void sha1_block_data_order(SHA_CTX *c, c int HASH_INIT(SHA_CTX *c) { +#if defined(OPENSSL_FIPS) + FIPS_selftest_check(); +#endif memset(c, 0, sizeof(*c)); c->h0 = INIT_DATA_h0; c->h1 = INIT_DATA_h1; diff -up openssl-1.1.1b/doc/man3/DSA_generate_parameters.pod.fips openssl-1.1.1b/doc/man3/DSA_generate_parameters.pod --- openssl-1.1.1b/doc/man3/DSA_generate_parameters.pod.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/doc/man3/DSA_generate_parameters.pod 2019-02-28 11:30:06.820745410 +0100 @@ -30,8 +30,10 @@ B is the length of the prime p to For lengths under 2048 bits, the length of q is 160 bits; for lengths greater than or equal to 2048 bits, the length of q is set to 256 bits. -If B is NULL, the primes will be generated at random. -If B is less than the length of q, an error is returned. +If B is NULL, or it does not generate primes, the primes will be +generated at random. +If B is less than the length of q, an error is returned +if old DSA parameter generation method is used as a backend. DSA_generate_parameters_ex() places the iteration count in *B and a counter used for finding a generator in diff -up openssl-1.1.1b/include/openssl/crypto.h.fips openssl-1.1.1b/include/openssl/crypto.h --- openssl-1.1.1b/include/openssl/crypto.h.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/include/openssl/crypto.h 2019-02-28 11:30:06.820745410 +0100 @@ -331,6 +331,11 @@ int OPENSSL_isservice(void); int FIPS_mode(void); int FIPS_mode_set(int r); +# ifdef OPENSSL_FIPS +/* die if FIPS selftest failed */ +void FIPS_selftest_check(void); +# endif + void OPENSSL_init(void); # ifdef OPENSSL_SYS_UNIX void OPENSSL_fork_prepare(void); diff -up openssl-1.1.1b/include/openssl/dherr.h.fips openssl-1.1.1b/include/openssl/dherr.h --- openssl-1.1.1b/include/openssl/dherr.h.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/include/openssl/dherr.h 2019-02-28 11:30:06.820745410 +0100 @@ -32,6 +32,9 @@ int ERR_load_DH_strings(void); # define DH_F_DH_CMS_DECRYPT 114 # define DH_F_DH_CMS_SET_PEERKEY 115 # define DH_F_DH_CMS_SET_SHARED_INFO 116 +# define DH_F_DH_COMPUTE_KEY 203 +# define DH_F_DH_GENERATE_KEY 202 +# define DH_F_DH_GENERATE_PARAMETERS_EX 201 # define DH_F_DH_METH_DUP 117 # define DH_F_DH_METH_NEW 118 # define DH_F_DH_METH_SET1_NAME 119 @@ -69,12 +72,14 @@ int ERR_load_DH_strings(void); # define DH_R_INVALID_PARAMETER_NID 114 # define DH_R_INVALID_PUBKEY 102 # define DH_R_KDF_PARAMETER_ERROR 112 +# define DH_R_KEY_SIZE_TOO_SMALL 201 # define DH_R_KEYS_NOT_SET 108 # define DH_R_MISSING_PUBKEY 125 # define DH_R_MODULUS_TOO_LARGE 103 # define DH_R_NOT_SUITABLE_GENERATOR 120 # define DH_R_NO_PARAMETERS_SET 107 # define DH_R_NO_PRIVATE_VALUE 100 +# define DH_R_NON_FIPS_METHOD 202 # define DH_R_PARAMETER_ENCODING_ERROR 105 # define DH_R_PEER_KEY_ERROR 111 # define DH_R_SHARED_INFO_ERROR 113 diff -up openssl-1.1.1b/include/openssl/dh.h.fips openssl-1.1.1b/include/openssl/dh.h --- openssl-1.1.1b/include/openssl/dh.h.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/include/openssl/dh.h 2019-02-28 11:30:06.820745410 +0100 @@ -31,6 +31,7 @@ extern "C" { # endif # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 +# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048 # define DH_FLAG_CACHE_MONT_P 0x01 diff -up openssl-1.1.1b/include/openssl/dsaerr.h.fips openssl-1.1.1b/include/openssl/dsaerr.h --- openssl-1.1.1b/include/openssl/dsaerr.h.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/include/openssl/dsaerr.h 2019-02-28 11:30:06.821745391 +0100 @@ -25,8 +25,11 @@ int ERR_load_DSA_strings(void); */ # define DSA_F_DSAPARAMS_PRINT 100 # define DSA_F_DSAPARAMS_PRINT_FP 101 +# define DSA_F_DSA_BUILTIN_KEYGEN 202 # define DSA_F_DSA_BUILTIN_PARAMGEN 125 # define DSA_F_DSA_BUILTIN_PARAMGEN2 126 +# define DSA_F_DSA_GENERATE_KEY 201 +# define DSA_F_DSA_GENERATE_PARAMETERS_EX 200 # define DSA_F_DSA_DO_SIGN 112 # define DSA_F_DSA_DO_VERIFY 113 # define DSA_F_DSA_METH_DUP 127 @@ -56,9 +59,12 @@ int ERR_load_DSA_strings(void); # define DSA_R_DECODE_ERROR 104 # define DSA_R_INVALID_DIGEST_TYPE 106 # define DSA_R_INVALID_PARAMETERS 112 +# define DSA_R_KEY_SIZE_INVALID 201 +# define DSA_R_KEY_SIZE_TOO_SMALL 202 # define DSA_R_MISSING_PARAMETERS 101 # define DSA_R_MODULUS_TOO_LARGE 103 # define DSA_R_NO_PARAMETERS_SET 107 +# define DSA_R_NON_FIPS_DSA_METHOD 200 # define DSA_R_PARAMETER_ENCODING_ERROR 105 # define DSA_R_Q_NOT_PRIME 113 # define DSA_R_SEED_LEN_SMALL 110 diff -up openssl-1.1.1b/include/openssl/dsa.h.fips openssl-1.1.1b/include/openssl/dsa.h --- openssl-1.1.1b/include/openssl/dsa.h.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/include/openssl/dsa.h 2019-02-28 11:30:06.821745391 +0100 @@ -31,6 +31,7 @@ extern "C" { # endif # define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024 +# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN 2048 # define DSA_FLAG_CACHE_MONT_P 0x01 # if OPENSSL_API_COMPAT < 0x10100000L diff -up openssl-1.1.1b/include/openssl/evperr.h.fips openssl-1.1.1b/include/openssl/evperr.h --- openssl-1.1.1b/include/openssl/evperr.h.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/include/openssl/evperr.h 2019-05-06 16:40:21.324571446 +0200 @@ -20,11 +20,15 @@ int ERR_load_EVP_strings(void); * EVP function codes. */ # define EVP_F_AESNI_INIT_KEY 165 +# define EVP_F_AESNI_XTS_INIT_KEY 233 # define EVP_F_AES_GCM_CTRL 196 # define EVP_F_AES_INIT_KEY 133 # define EVP_F_AES_OCB_CIPHER 169 # define EVP_F_AES_T4_INIT_KEY 178 +# define EVP_F_AES_T4_XTS_INIT_KEY 234 # define EVP_F_AES_WRAP_CIPHER 170 +# define EVP_F_AES_XTS_CIPHER 229 +# define EVP_F_AES_XTS_INIT_KEY 235 # define EVP_F_ALG_MODULE_INIT 177 # define EVP_F_ARIA_CCM_INIT_KEY 175 # define EVP_F_ARIA_GCM_CTRL 197 @@ -133,6 +134,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED 133 # define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138 # define EVP_R_DECODE_ERROR 114 +# define EVP_R_DISABLED_FOR_FIPS 200 # define EVP_R_DIFFERENT_KEY_TYPES 101 # define EVP_R_DIFFERENT_PARAMETERS 153 # define EVP_R_ERROR_LOADING_SECTION 165 @@ -175,6 +177,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_PRIVATE_KEY_DECODE_ERROR 145 # define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146 # define EVP_R_PUBLIC_KEY_NOT_RSA 106 +# define EVP_R_TOO_LARGE 201 # define EVP_R_UNKNOWN_CIPHER 160 # define EVP_R_UNKNOWN_DIGEST 161 # define EVP_R_UNKNOWN_OPTION 169 @@ -190,5 +193,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_UNSUPPORTED_SALT_TYPE 126 # define EVP_R_WRAP_MODE_NOT_ALLOWED 170 # define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109 +# define EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE 191 +# define EVP_R_XTS_DUPLICATED_KEYS 192 #endif diff -up openssl-1.1.1b/include/openssl/evp.h.fips openssl-1.1.1b/include/openssl/evp.h --- openssl-1.1.1b/include/openssl/evp.h.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/include/openssl/evp.h 2019-05-06 14:54:13.213136281 +0200 @@ -1319,6 +1319,9 @@ void EVP_PKEY_asn1_set_security_bits(EVP */ # define EVP_PKEY_FLAG_SIGCTX_CUSTOM 4 +/* Downstream modification, large value to avoid conflict */ +# define EVP_PKEY_FLAG_FIPS 0x4000 + const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type); EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags); void EVP_PKEY_meth_get0_info(int *ppkey_id, int *pflags, diff -up openssl-1.1.1b/include/openssl/fips.h.fips openssl-1.1.1b/include/openssl/fips.h --- openssl-1.1.1b/include/openssl/fips.h.fips 2019-05-06 16:08:46.800598073 +0200 +++ openssl-1.1.1b/include/openssl/fips.h 2019-05-06 16:43:12.874549821 +0200 @@ -0,0 +1,187 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include +#include +#include +#include + +#ifndef OPENSSL_FIPS +# error FIPS is disabled. +#endif + +#ifdef OPENSSL_FIPS + +# ifdef __cplusplus +extern "C" { +# endif + + int FIPS_selftest(void); + int FIPS_selftest_failed(void); + int FIPS_selftest_drbg_all(void); + + int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, + const EVP_MD *evpmd, const unsigned char *seed_in, + size_t seed_len, int idx, unsigned char *seed_out, + int *counter_ret, unsigned long *h_ret, + BN_GENCB *cb); + int FIPS_dsa_paramgen_check_g(DSA *dsa); + +/* BEGIN ERROR CODES */ +/* The following lines are auto generated by the script mkerr.pl. Any changes + * made after this point may be overwritten when the script is next run. + */ + int ERR_load_FIPS_strings(void); + +/* Error codes for the FIPS functions. */ + +/* Function codes. */ +# define FIPS_F_DH_BUILTIN_GENPARAMS 100 +# define FIPS_F_DRBG_RESEED 121 +# define FIPS_F_DSA_BUILTIN_PARAMGEN2 107 +# define FIPS_F_DSA_DO_SIGN 102 +# define FIPS_F_DSA_DO_VERIFY 103 +# define FIPS_F_EVP_CIPHER_CTX_NEW 137 +# define FIPS_F_EVP_CIPHER_CTX_RESET 122 +# define FIPS_F_ECDH_COMPUTE_KEY 123 +# define FIPS_F_EVP_CIPHERINIT_EX 124 +# define FIPS_F_EVP_DIGESTINIT_EX 125 +# define FIPS_F_FIPS_CHECK_DSA 104 +# define FIPS_F_FIPS_CHECK_EC 142 +# define FIPS_F_FIPS_CHECK_RSA 106 +# define FIPS_F_FIPS_DRBG_BYTES 131 +# define FIPS_F_FIPS_DRBG_CHECK 146 +# define FIPS_F_FIPS_DRBG_CPRNG_TEST 132 +# define FIPS_F_FIPS_DRBG_ERROR_CHECK 136 +# define FIPS_F_FIPS_DRBG_GENERATE 134 +# define FIPS_F_FIPS_DRBG_INIT 135 +# define FIPS_F_FIPS_DRBG_INSTANTIATE 138 +# define FIPS_F_FIPS_DRBG_NEW 139 +# define FIPS_F_FIPS_DRBG_RESEED 140 +# define FIPS_F_FIPS_DRBG_SINGLE_KAT 141 +# define FIPS_F_FIPS_GET_ENTROPY 147 +# define FIPS_F_FIPS_MODULE_MODE_SET 108 +# define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109 +# define FIPS_F_FIPS_RAND_BYTES 114 +# define FIPS_F_FIPS_RAND_SEED 128 +# define FIPS_F_FIPS_RAND_SET_METHOD 126 +# define FIPS_F_FIPS_RAND_STATUS 127 +# define FIPS_F_FIPS_RSA_BUILTIN_KEYGEN 101 +# define FIPS_F_FIPS_SELFTEST 150 +# define FIPS_F_FIPS_SELFTEST_AES 110 +# define FIPS_F_FIPS_SELFTEST_AES_CCM 145 +# define FIPS_F_FIPS_SELFTEST_AES_GCM 129 +# define FIPS_F_FIPS_SELFTEST_AES_XTS 144 +# define FIPS_F_FIPS_SELFTEST_CMAC 130 +# define FIPS_F_FIPS_SELFTEST_DES 111 +# define FIPS_F_FIPS_SELFTEST_DSA 112 +# define FIPS_F_FIPS_SELFTEST_ECDSA 133 +# define FIPS_F_FIPS_SELFTEST_HMAC 113 +# define FIPS_F_FIPS_SELFTEST_SHA1 115 +# define FIPS_F_FIPS_SELFTEST_SHA2 105 +# define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 +# define FIPS_F_OSSL_ECDSA_VERIFY_SIG 148 +# define FIPS_F_RSA_BUILTIN_KEYGEN 116 +# define FIPS_F_RSA_OSSL_INIT 149 +# define FIPS_F_RSA_OSSL_PRIVATE_DECRYPT 117 +# define FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT 118 +# define FIPS_F_RSA_OSSL_PUBLIC_DECRYPT 119 +# define FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT 120 + +/* Reason codes. */ +# define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 150 +# define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 125 +# define FIPS_R_ALREADY_INSTANTIATED 134 +# define FIPS_R_DRBG_NOT_INITIALISED 152 +# define FIPS_R_DRBG_STUCK 103 +# define FIPS_R_ENTROPY_ERROR_UNDETECTED 104 +# define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105 +# define FIPS_R_ENTROPY_SOURCE_STUCK 142 +# define FIPS_R_ERROR_INITIALISING_DRBG 115 +# define FIPS_R_ERROR_INSTANTIATING_DRBG 127 +# define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 124 +# define FIPS_R_ERROR_RETRIEVING_ENTROPY 122 +# define FIPS_R_ERROR_RETRIEVING_NONCE 140 +# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 110 +# define FIPS_R_FIPS_MODE_ALREADY_SET 102 +# define FIPS_R_FIPS_SELFTEST_FAILED 106 +# define FIPS_R_FUNCTION_ERROR 116 +# define FIPS_R_GENERATE_ERROR 137 +# define FIPS_R_GENERATE_ERROR_UNDETECTED 118 +# define FIPS_R_INSTANTIATE_ERROR 119 +# define FIPS_R_INTERNAL_ERROR 121 +# define FIPS_R_INVALID_KEY_LENGTH 109 +# define FIPS_R_IN_ERROR_STATE 123 +# define FIPS_R_KEY_TOO_SHORT 108 +# define FIPS_R_NONCE_ERROR_UNDETECTED 149 +# define FIPS_R_NON_FIPS_METHOD 100 +# define FIPS_R_NOPR_TEST1_FAILURE 145 +# define FIPS_R_NOPR_TEST2_FAILURE 146 +# define FIPS_R_NOT_INSTANTIATED 126 +# define FIPS_R_PAIRWISE_TEST_FAILED 107 +# define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128 +# define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129 +# define FIPS_R_PR_TEST1_FAILURE 147 +# define FIPS_R_PR_TEST2_FAILURE 148 +# define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 130 +# define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 131 +# define FIPS_R_RESEED_COUNTER_ERROR 132 +# define FIPS_R_RESEED_ERROR 133 +# define FIPS_R_SELFTEST_FAILED 101 +# define FIPS_R_SELFTEST_FAILURE 135 +# define FIPS_R_TEST_FAILURE 117 +# define FIPS_R_UNINSTANTIATE_ERROR 141 +# define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 138 +# define FIPS_R_UNSUPPORTED_DRBG_TYPE 139 +# define FIPS_R_UNSUPPORTED_PLATFORM 113 + +# ifdef __cplusplus +} +# endif +#endif diff -up openssl-1.1.1b/include/openssl/fips_rand.h.fips openssl-1.1.1b/include/openssl/fips_rand.h --- openssl-1.1.1b/include/openssl/fips_rand.h.fips 2019-02-28 11:30:06.821745391 +0100 +++ openssl-1.1.1b/include/openssl/fips_rand.h 2019-02-28 11:30:06.821745391 +0100 @@ -0,0 +1,145 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef HEADER_FIPS_RAND_H +# define HEADER_FIPS_RAND_H + +# include +# include +# include +# include + +# ifdef OPENSSL_FIPS + +# ifdef __cplusplus +extern "C" { +# endif + typedef struct drbg_ctx_st DRBG_CTX; +/* DRBG external flags */ +/* Flag for CTR mode only: use derivation function ctr_df */ +# define DRBG_FLAG_CTR_USE_DF 0x1 +/* PRNG is in test state */ +# define DRBG_FLAG_TEST 0x2 + + DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags); + int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags); + int FIPS_drbg_instantiate(DRBG_CTX *dctx, + const unsigned char *pers, size_t perslen); + int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin, + size_t adinlen); + int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen, + int prediction_resistance, + const unsigned char *adin, size_t adinlen); + + int FIPS_drbg_uninstantiate(DRBG_CTX *dctx); + void FIPS_drbg_free(DRBG_CTX *dctx); + + int FIPS_drbg_set_callbacks(DRBG_CTX *dctx, + size_t (*get_entropy) (DRBG_CTX *ctx, + unsigned char **pout, + int entropy, + size_t min_len, + size_t max_len), + void (*cleanup_entropy) (DRBG_CTX *ctx, + unsigned char *out, + size_t olen), + size_t entropy_blocklen, + size_t (*get_nonce) (DRBG_CTX *ctx, + unsigned char **pout, + int entropy, + size_t min_len, + size_t max_len), + void (*cleanup_nonce) (DRBG_CTX *ctx, + unsigned char *out, + size_t olen)); + + int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx, + size_t (*get_adin) (DRBG_CTX *ctx, + unsigned char + **pout), + void (*cleanup_adin) (DRBG_CTX *ctx, + unsigned char *out, + size_t olen), + int (*rand_seed_cb) (DRBG_CTX *ctx, + const void *buf, + int num), + int (*rand_add_cb) (DRBG_CTX *ctx, + const void *buf, + int num, + double entropy)); + + void *FIPS_drbg_get_app_data(DRBG_CTX *ctx); + void FIPS_drbg_set_app_data(DRBG_CTX *ctx, void *app_data); + size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx); + int FIPS_drbg_get_strength(DRBG_CTX *dctx); + void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval); + void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval); + + int FIPS_drbg_health_check(DRBG_CTX *dctx); + + DRBG_CTX *FIPS_get_default_drbg(void); + const RAND_METHOD *FIPS_drbg_method(void); + + int FIPS_rand_set_method(const RAND_METHOD *meth); + const RAND_METHOD *FIPS_rand_get_method(void); + + void FIPS_rand_set_bits(int nbits); + + int FIPS_rand_strength(void); + +/* 1.0.0 compat functions */ + int FIPS_rand_seed(const void *buf, int num); + int FIPS_rand_bytes(unsigned char *out, int outlen); + void FIPS_rand_reset(void); + int FIPS_rand_status(void); +# ifdef __cplusplus +} +# endif +# endif +#endif diff -up openssl-1.1.1b/include/openssl/opensslconf.h.in.fips openssl-1.1.1b/include/openssl/opensslconf.h.in --- openssl-1.1.1b/include/openssl/opensslconf.h.in.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/include/openssl/opensslconf.h.in 2019-02-28 11:30:06.822745372 +0100 @@ -150,6 +150,11 @@ extern "C" { #define RC4_INT {- $config{rc4_int} -} +/* Always build FIPS module */ +#ifndef OPENSSL_FIPS +# define OPENSSL_FIPS +#endif + #ifdef __cplusplus } #endif diff -up openssl-1.1.1b/include/openssl/randerr.h.fips openssl-1.1.1b/include/openssl/randerr.h --- openssl-1.1.1b/include/openssl/randerr.h.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/include/openssl/randerr.h 2019-02-28 11:30:06.822745372 +0100 @@ -35,6 +35,7 @@ int ERR_load_RAND_strings(void); # define RAND_F_RAND_DRBG_SET 104 # define RAND_F_RAND_DRBG_SET_DEFAULTS 121 # define RAND_F_RAND_DRBG_UNINSTANTIATE 118 +# define RAND_F_RAND_INIT_FIPS 200 # define RAND_F_RAND_LOAD_FILE 111 # define RAND_F_RAND_POOL_ACQUIRE_ENTROPY 122 # define RAND_F_RAND_POOL_ADD 103 diff -up openssl-1.1.1b/include/openssl/rand.h.fips openssl-1.1.1b/include/openssl/rand.h --- openssl-1.1.1b/include/openssl/rand.h.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/include/openssl/rand.h 2019-02-28 11:30:06.822745372 +0100 @@ -69,6 +69,11 @@ DEPRECATEDIN_1_1_0(void RAND_screen(void DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM)) # endif +# ifdef OPENSSL_FIPS +/* just stubs for API compatibility */ +void RAND_set_fips_drbg_type(int type, int flags); +int RAND_init_fips(void); +# endif #ifdef __cplusplus } diff -up openssl-1.1.1b/include/openssl/rsaerr.h.fips openssl-1.1.1b/include/openssl/rsaerr.h --- openssl-1.1.1b/include/openssl/rsaerr.h.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/include/openssl/rsaerr.h 2019-02-28 11:30:06.822745372 +0100 @@ -21,6 +21,7 @@ int ERR_load_RSA_strings(void); */ # define RSA_F_CHECK_PADDING_MD 140 # define RSA_F_ENCODE_PKCS1 146 +# define RSA_F_FIPS_RSA_BUILTIN_KEYGEN 206 # define RSA_F_INT_RSA_VERIFY 145 # define RSA_F_OLD_RSA_PRIV_DECODE 147 # define RSA_F_PKEY_PSS_INIT 165 @@ -35,6 +36,8 @@ int ERR_load_RSA_strings(void); # define RSA_F_RSA_CHECK_KEY_EX 160 # define RSA_F_RSA_CMS_DECRYPT 159 # define RSA_F_RSA_CMS_VERIFY 158 +# define RSA_F_RSA_GENERATE_KEY_EX 204 +# define RSA_F_RSA_GENERATE_MULTI_PRIME_KEY 207 # define RSA_F_RSA_ITEM_VERIFY 148 # define RSA_F_RSA_METH_DUP 161 # define RSA_F_RSA_METH_NEW 162 @@ -72,10 +75,16 @@ int ERR_load_RSA_strings(void); # define RSA_F_RSA_PRINT_FP 116 # define RSA_F_RSA_PRIV_DECODE 150 # define RSA_F_RSA_PRIV_ENCODE 138 +# define RSA_F_RSA_PRIVATE_DECRYPT 200 +# define RSA_F_RSA_PRIVATE_ENCRYPT 201 # define RSA_F_RSA_PSS_GET_PARAM 151 # define RSA_F_RSA_PSS_TO_CTX 155 # define RSA_F_RSA_PUB_DECODE 139 +# define RSA_F_RSA_PUBLIC_DECRYPT 202 +# define RSA_F_RSA_PUBLIC_ENCRYPT 203 # define RSA_F_RSA_SETUP_BLINDING 136 +# define RSA_F_RSA_SET_DEFAULT_METHOD 205 +# define RSA_F_RSA_SET_METHOD 204 # define RSA_F_RSA_SIGN 117 # define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118 # define RSA_F_RSA_VERIFY 119 @@ -132,10 +141,12 @@ int ERR_load_RSA_strings(void); # define RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D 169 # define RSA_R_MP_R_NOT_PRIME 170 # define RSA_R_NO_PUBLIC_EXPONENT 140 +# define RSA_R_NON_FIPS_RSA_METHOD 200 # define RSA_R_NULL_BEFORE_BLOCK_MISSING 113 # define RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES 172 # define RSA_R_N_DOES_NOT_EQUAL_P_Q 127 # define RSA_R_OAEP_DECODING_ERROR 121 +# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 201 # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 # define RSA_R_PADDING_CHECK_FAILED 114 # define RSA_R_PKCS_DECODING_ERROR 159 @@ -155,6 +166,7 @@ int ERR_load_RSA_strings(void); # define RSA_R_UNSUPPORTED_LABEL_SOURCE 163 # define RSA_R_UNSUPPORTED_MASK_ALGORITHM 153 # define RSA_R_UNSUPPORTED_MASK_PARAMETER 154 +# define RSA_R_UNSUPPORTED_PARAMETERS 202 # define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155 # define RSA_R_VALUE_MISSING 147 # define RSA_R_WRONG_SIGNATURE_LENGTH 119 diff -up openssl-1.1.1b/ssl/ssl_ciph.c.fips openssl-1.1.1b/ssl/ssl_ciph.c --- openssl-1.1.1b/ssl/ssl_ciph.c.fips 2019-02-28 11:30:06.776746228 +0100 +++ openssl-1.1.1b/ssl/ssl_ciph.c 2019-02-28 11:30:06.822745372 +0100 @@ -387,7 +387,7 @@ int ssl_load_ciphers(void) } } /* Make sure we can access MD5 and SHA1 */ - if (!ossl_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL)) + if (!FIPS_mode() && !ossl_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL)) return 0; if (!ossl_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL)) return 0; @@ -559,6 +559,9 @@ int ssl_cipher_get_evp(const SSL_SESSION s->ssl_version < TLS1_VERSION) return 1; + if (FIPS_mode()) + return 1; + if (c->algorithm_enc == SSL_RC4 && c->algorithm_mac == SSL_MD5 && (evp = EVP_get_cipherbyname("RC4-HMAC-MD5"))) @@ -667,6 +670,8 @@ static void ssl_cipher_collect_ciphers(c /* drop those that use any of that is not available */ if (c == NULL || !c->valid) continue; + if (FIPS_mode() && !(c->algo_strength & SSL_FIPS)) + continue; if ((c->algorithm_mkey & disabled_mkey) || (c->algorithm_auth & disabled_auth) || (c->algorithm_enc & disabled_enc) || @@ -1670,7 +1675,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ * to the resulting precedence to the STACK_OF(SSL_CIPHER). */ for (curr = head; curr != NULL; curr = curr->next) { - if (curr->active) { + if (curr->active + && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) { if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) { OPENSSL_free(co_list); sk_SSL_CIPHER_free(cipherstack); diff -up openssl-1.1.1b/ssl/ssl_init.c.fips openssl-1.1.1b/ssl/ssl_init.c --- openssl-1.1.1b/ssl/ssl_init.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/ssl/ssl_init.c 2019-02-28 11:30:06.823745354 +0100 @@ -27,6 +27,10 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: " "Adding SSL ciphers and digests\n"); #endif +#ifdef OPENSSL_FIPS + if (!FIPS_mode()) { +#endif + #ifndef OPENSSL_NO_DES EVP_add_cipher(EVP_des_cbc()); EVP_add_cipher(EVP_des_ede3_cbc()); @@ -87,6 +91,31 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas EVP_add_digest(EVP_sha256()); EVP_add_digest(EVP_sha384()); EVP_add_digest(EVP_sha512()); +#ifdef OPENSSL_FIPS + } else { +# ifndef OPENSSL_NO_DES + EVP_add_cipher(EVP_des_ede3_cbc()); +# endif + EVP_add_cipher(EVP_aes_128_cbc()); + EVP_add_cipher(EVP_aes_192_cbc()); + EVP_add_cipher(EVP_aes_256_cbc()); + EVP_add_cipher(EVP_aes_128_gcm()); + EVP_add_cipher(EVP_aes_256_gcm()); + EVP_add_cipher(EVP_aes_128_ccm()); + EVP_add_cipher(EVP_aes_256_ccm()); +# ifndef OPENSSL_NO_MD5 + /* needed even in the FIPS mode for TLS-1.0 */ + EVP_add_digest(EVP_md5_sha1()); +# endif + EVP_add_digest(EVP_sha1()); /* RSA with sha1 */ + EVP_add_digest_alias(SN_sha1, "ssl3-sha1"); + EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA); + EVP_add_digest(EVP_sha224()); + EVP_add_digest(EVP_sha256()); + EVP_add_digest(EVP_sha384()); + EVP_add_digest(EVP_sha512()); + } +#endif #ifndef OPENSSL_NO_COMP # ifdef OPENSSL_INIT_DEBUG fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: " diff -up openssl-1.1.1b/ssl/ssl_lib.c.fips openssl-1.1.1b/ssl/ssl_lib.c --- openssl-1.1.1b/ssl/ssl_lib.c.fips 2019-02-28 11:30:06.776746228 +0100 +++ openssl-1.1.1b/ssl/ssl_lib.c 2019-02-28 11:30:06.823745354 +0100 @@ -2908,6 +2908,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL)) return NULL; + if (FIPS_mode() && (meth->version < TLS1_VERSION)) { + SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE); + return NULL; + } + if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); goto err; @@ -2964,13 +2969,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m if (ret->param == NULL) goto err; - if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) { - SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); - goto err2; - } - if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) { - SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); - goto err2; + if (!FIPS_mode()) { + if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) { + SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); + goto err2; + } + if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) { + SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); + goto err2; + } + } else { + ret->min_proto_version = TLS1_VERSION; } if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL) diff -up openssl-1.1.1b/test/dsatest.c.fips openssl-1.1.1b/test/dsatest.c --- openssl-1.1.1b/test/dsatest.c.fips 2019-02-26 15:15:30.000000000 +0100 +++ openssl-1.1.1b/test/dsatest.c 2019-02-28 11:30:06.824745335 +0100 @@ -24,41 +24,42 @@ #ifndef OPENSSL_NO_DSA static int dsa_cb(int p, int n, BN_GENCB *arg); -/* - * seed, out_p, out_q, out_g are taken from the updated Appendix 5 to FIPS - * PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 - */ static unsigned char seed[20] = { - 0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8, 0xb6, 0x21, 0x1b, 0x40, - 0x62, 0xba, 0x32, 0x24, 0xe0, 0x42, 0x7d, 0xd3, + 0x02, 0x47, 0x11, 0x92, 0x11, 0x88, 0xC8, 0xFB, 0xAF, 0x48, 0x4C, 0x62, + 0xDF, 0xA5, 0xBE, 0xA0, 0xA4, 0x3C, 0x56, 0xE3, }; static unsigned char out_p[] = { - 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76, 0xaa, - 0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69, 0xcb, - 0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c, 0xf7, - 0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82, 0xe5, - 0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e, 0xaf, - 0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a, 0xac, - 0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24, 0xc2, - 0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02, 0x91, + 0xAC, 0xCB, 0x1E, 0x63, 0x60, 0x69, 0x0C, 0xFB, 0x06, 0x19, 0x68, 0x3E, + 0xA5, 0x01, 0x5A, 0xA2, 0x15, 0x5C, 0xE2, 0x99, 0x2D, 0xD5, 0x30, 0x99, + 0x7E, 0x5F, 0x8D, 0xE2, 0xF7, 0xC6, 0x2E, 0x8D, 0xA3, 0x9F, 0x58, 0xAD, + 0xD6, 0xA9, 0x7D, 0x0E, 0x0D, 0x95, 0x53, 0xA6, 0x71, 0x3A, 0xDE, 0xAB, + 0xAC, 0xE9, 0xF4, 0x36, 0x55, 0x9E, 0xB9, 0xD6, 0x93, 0xBF, 0xF3, 0x18, + 0x1C, 0x14, 0x7B, 0xA5, 0x42, 0x2E, 0xCD, 0x00, 0xEB, 0x35, 0x3B, 0x1B, + 0xA8, 0x51, 0xBB, 0xE1, 0x58, 0x42, 0x85, 0x84, 0x22, 0xA7, 0x97, 0x5E, + 0x99, 0x6F, 0x38, 0x20, 0xBD, 0x9D, 0xB6, 0xD9, 0x33, 0x37, 0x2A, 0xFD, + 0xBB, 0xD4, 0xBC, 0x0C, 0x2A, 0x67, 0xCB, 0x9F, 0xBB, 0xDF, 0xF9, 0x93, + 0xAA, 0xD6, 0xF0, 0xD6, 0x95, 0x0B, 0x5D, 0x65, 0x14, 0xD0, 0x18, 0x9D, + 0xC6, 0xAF, 0xF0, 0xC6, 0x37, 0x7C, 0xF3, 0x5F, }; static unsigned char out_q[] = { - 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8, 0xee, - 0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4, 0x8e, - 0xda, 0xce, 0x91, 0x5f, + 0xE3, 0x8E, 0x5E, 0x6D, 0xBF, 0x2B, 0x79, 0xF8, 0xC5, 0x4B, 0x89, 0x8B, + 0xBA, 0x2D, 0x91, 0xC3, 0x6C, 0x80, 0xAC, 0x87, }; static unsigned char out_g[] = { - 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, 0x13, - 0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5, 0x00, - 0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef, 0xcb, - 0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c, 0x2e, - 0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba, 0xbf, - 0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c, 0x9c, - 0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08, 0x8c, - 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88, 0x02, + 0x42, 0x4A, 0x04, 0x4E, 0x79, 0xB4, 0x99, 0x7F, 0xFD, 0x58, 0x36, 0x2C, + 0x1B, 0x5F, 0x18, 0x7E, 0x0D, 0xCC, 0xAB, 0x81, 0xC9, 0x5D, 0x10, 0xCE, + 0x4E, 0x80, 0x7E, 0x58, 0xB4, 0x34, 0x3F, 0xA7, 0x45, 0xC7, 0xAA, 0x36, + 0x24, 0x42, 0xA9, 0x3B, 0xE8, 0x0E, 0x04, 0x02, 0x2D, 0xFB, 0xA6, 0x13, + 0xB9, 0xB5, 0x15, 0xA5, 0x56, 0x07, 0x35, 0xE4, 0x03, 0xB6, 0x79, 0x7C, + 0x62, 0xDD, 0xDF, 0x3F, 0x71, 0x3A, 0x9D, 0x8B, 0xC4, 0xF6, 0xE7, 0x1D, + 0x52, 0xA8, 0xA9, 0x43, 0x1D, 0x33, 0x51, 0x88, 0x39, 0xBD, 0x73, 0xE9, + 0x5F, 0xBE, 0x82, 0x49, 0x27, 0xE6, 0xB5, 0x53, 0xC1, 0x38, 0xAC, 0x2F, + 0x6D, 0x97, 0x6C, 0xEB, 0x67, 0xC1, 0x5F, 0x67, 0xF8, 0x35, 0x05, 0x5E, + 0xD5, 0x68, 0x80, 0xAA, 0x96, 0xCA, 0x0B, 0x8A, 0xE6, 0xF1, 0xB1, 0x41, + 0xC6, 0x75, 0x94, 0x0A, 0x0A, 0x2A, 0xFA, 0x29, }; static const unsigned char str1[] = "12345678901234567890"; @@ -79,11 +80,11 @@ static int dsa_test(void) BN_GENCB_set(cb, dsa_cb, NULL); if (!TEST_ptr(dsa = DSA_new()) - || !TEST_true(DSA_generate_parameters_ex(dsa, 512, seed, 20, + || !TEST_true(DSA_generate_parameters_ex(dsa, 1024, seed, 20, &counter, &h, cb))) goto end; - if (!TEST_int_eq(counter, 105)) + if (!TEST_int_eq(counter, 239)) goto end; if (!TEST_int_eq(h, 2)) goto end; diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt --- openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.fips 2019-05-06 16:08:46.857597085 +0200 +++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt 2019-05-06 16:35:37.917563292 +0200 @@ -1184,6 +1184,7 @@ Key = 0000000000000000000000000000000000 IV = 00000000000000000000000000000000 Plaintext = 0000000000000000000000000000000000000000000000000000000000000000 Ciphertext = 917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e +Result = KEY_SET_ERROR Cipher = aes-128-xts Key = 1111111111111111111111111111111122222222222222222222222222222222 diff -up openssl-1.1.1b/util/libcrypto.num.fips openssl-1.1.1b/util/libcrypto.num --- openssl-1.1.1b/util/libcrypto.num.fips 2019-02-28 11:30:06.824745335 +0100 +++ openssl-1.1.1b/util/libcrypto.num 2019-02-28 11:33:54.284516991 +0100 @@ -4579,3 +4579,38 @@ EVP_PKEY_meth_set_digest_custom EVP_PKEY_meth_get_digest_custom 4533 1_1_1 EXIST::FUNCTION: OPENSSL_INIT_set_config_filename 4534 1_1_1b EXIST::FUNCTION:STDIO OPENSSL_INIT_set_config_file_flags 4535 1_1_1b EXIST::FUNCTION:STDIO +FIPS_drbg_reseed 6348 1_1_0g EXIST::FUNCTION: +FIPS_selftest_check 6349 1_1_0g EXIST::FUNCTION: +FIPS_rand_set_method 6350 1_1_0g EXIST::FUNCTION: +FIPS_get_default_drbg 6351 1_1_0g EXIST::FUNCTION: +FIPS_drbg_set_reseed_interval 6352 1_1_0g EXIST::FUNCTION: +FIPS_drbg_set_app_data 6353 1_1_0g EXIST::FUNCTION: +FIPS_drbg_method 6354 1_1_0g EXIST::FUNCTION: +FIPS_rand_status 6355 1_1_0g EXIST::FUNCTION: +FIPS_drbg_instantiate 6356 1_1_0g EXIST::FUNCTION: +FIPS_drbg_set_callbacks 6357 1_1_0g EXIST::FUNCTION: +FIPS_drbg_new 6358 1_1_0g EXIST::FUNCTION: +FIPS_dsa_paramgen_check_g 6359 1_1_0g EXIST::FUNCTION: +FIPS_selftest 6360 1_1_0g EXIST::FUNCTION: +FIPS_rand_set_bits 6361 1_1_0g EXIST::FUNCTION: +FIPS_rand_bytes 6362 1_1_0g EXIST::FUNCTION: +FIPS_drbg_get_app_data 6363 1_1_0g EXIST::FUNCTION: +FIPS_selftest_failed 6364 1_1_0g EXIST::FUNCTION: +FIPS_dsa_builtin_paramgen2 6365 1_1_0g EXIST::FUNCTION: +FIPS_rand_reset 6366 1_1_0g EXIST::FUNCTION: +ERR_load_FIPS_strings 6367 1_1_0g EXIST::FUNCTION: +FIPS_drbg_generate 6368 1_1_0g EXIST::FUNCTION: +FIPS_drbg_uninstantiate 6369 1_1_0g EXIST::FUNCTION: +FIPS_drbg_set_check_interval 6370 1_1_0g EXIST::FUNCTION: +FIPS_drbg_free 6371 1_1_0g EXIST::FUNCTION: +FIPS_selftest_drbg_all 6372 1_1_0g EXIST::FUNCTION: +FIPS_rand_get_method 6373 1_1_0g EXIST::FUNCTION: +RAND_set_fips_drbg_type 6374 1_1_0g EXIST::FUNCTION: +FIPS_drbg_health_check 6375 1_1_0g EXIST::FUNCTION: +RAND_init_fips 6376 1_1_0g EXIST::FUNCTION: +FIPS_drbg_set_rand_callbacks 6377 1_1_0g EXIST::FUNCTION: +FIPS_rand_seed 6378 1_1_0g EXIST::FUNCTION: +FIPS_drbg_get_strength 6379 1_1_0g EXIST::FUNCTION: +FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION: +FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION: +FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION: