File openssl-1.1.1-fips.patch of Package openssl-1_1
11636
1
diff -up openssl-1.1.1j/apps/pkcs12.c.fips openssl-1.1.1j/apps/pkcs12.c2
--- openssl-1.1.1j/apps/pkcs12.c.fips 2021-02-16 16:24:01.000000000 +01003
+++ openssl-1.1.1j/apps/pkcs12.c 2021-03-03 12:57:42.194734484 +01004
5
int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0;6
int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER;7
#ifndef OPENSSL_NO_RC28
- int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;9
+ int cert_pbe = FIPS_mode() ? NID_pbe_WithSHA1And3_Key_TripleDES_CBC : NID_pbe_WithSHA1And40BitRC2_CBC;10
#else11
int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;12
#endif13
diff -up openssl-1.1.1j/apps/speed.c.fips openssl-1.1.1j/apps/speed.c14
--- openssl-1.1.1j/apps/speed.c.fips 2021-03-03 12:57:42.185734409 +010015
+++ openssl-1.1.1j/apps/speed.c 2021-03-03 12:57:42.195734492 +010016
17
continue;18
if (strcmp(*argv, "rsa") == 0) {19
for (loop = 0; loop < OSSL_NELEM(rsa_doit); loop++)20
- rsa_doit[loop] = 1;21
+ if (!FIPS_mode() || loop != R_RSA_512)22
+ rsa_doit[loop] = 1;23
continue;24
}25
if (found(*argv, rsa_choices, &i)) {26
27
#endif28
#ifndef OPENSSL_NO_DSA29
if (strcmp(*argv, "dsa") == 0) {30
- dsa_doit[R_DSA_512] = dsa_doit[R_DSA_1024] =31
+ if (!FIPS_mode())32
+ dsa_doit[R_DSA_512] = 1;33
+ dsa_doit[R_DSA_1024] =34
dsa_doit[R_DSA_2048] = 1;35
continue;36
}37
38
}39
if (strcmp(*argv, "ecdh") == 0) {40
for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++)41
- ecdh_doit[loop] = 1;42
+ if(!FIPS_mode() || (loop != R_EC_X25519 && loop != R_EC_X448))43
+ ecdh_doit[loop] = 1;44
continue;45
}46
if (found(*argv, ecdh_choices, &i)) {47
- ecdh_doit[i] = 2;48
+ if(!FIPS_mode() || (i != R_EC_X25519 && i != R_EC_X448))49
+ ecdh_doit[i] = 2;50
continue;51
}52
- if (strcmp(*argv, "eddsa") == 0) {53
+ if (!FIPS_mode() && strcmp(*argv, "eddsa") == 0) {54
for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)55
eddsa_doit[loop] = 1;56
continue;57
}58
- if (found(*argv, eddsa_choices, &i)) {59
+ if (!FIPS_mode() && found(*argv, eddsa_choices, &i)) {60
eddsa_doit[i] = 2;61
continue;62
}63
64
/* No parameters; turn on everything. */65
if ((argc == 0) && !doit[D_EVP]) {66
for (i = 0; i < ALGOR_NUM; i++)67
- if (i != D_EVP)68
+ if (i != D_EVP &&69
+ (!FIPS_mode() || (i != D_WHIRLPOOL &&70
+ i != D_MD2 && i != D_MD4 &&71
+ i != D_MD5 && i != D_MDC2 &&72
+ i != D_RMD160)))73
doit[i] = 1;74
#ifndef OPENSSL_NO_RSA75
for (i = 0; i < RSA_NUM; i++)76
- rsa_doit[i] = 1;77
+ if (!FIPS_mode() || i != R_RSA_512)78
+ rsa_doit[i] = 1;79
#endif80
#ifndef OPENSSL_NO_DSA81
for (i = 0; i < DSA_NUM; i++)82
- dsa_doit[i] = 1;83
+ if (!FIPS_mode() || i != R_DSA_512)84
+ dsa_doit[i] = 1;85
#endif86
#ifndef OPENSSL_NO_EC87
for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++)88
ecdsa_doit[loop] = 1;89
for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++)90
- ecdh_doit[loop] = 1;91
- for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)92
- eddsa_doit[loop] = 1;93
+ if(!FIPS_mode() || (loop != R_EC_X25519 && loop != R_EC_X448))94
+ ecdh_doit[loop] = 1;95
+ if (!FIPS_mode())96
+ for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)97
+ eddsa_doit[loop] = 1;98
#endif99
}100
for (i = 0; i < ALGOR_NUM; i++)101
102
AES_set_encrypt_key(key24, 192, &aes_ks2);103
AES_set_encrypt_key(key32, 256, &aes_ks3);104
#ifndef OPENSSL_NO_CAMELLIA105
- Camellia_set_key(key16, 128, &camellia_ks1);106
- Camellia_set_key(ckey24, 192, &camellia_ks2);107
- Camellia_set_key(ckey32, 256, &camellia_ks3);108
+ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML]) {109
+ Camellia_set_key(key16, 128, &camellia_ks1);110
+ Camellia_set_key(ckey24, 192, &camellia_ks2);111
+ Camellia_set_key(ckey32, 256, &camellia_ks3);112
+ }113
#endif114
#ifndef OPENSSL_NO_IDEA115
- IDEA_set_encrypt_key(key16, &idea_ks);116
+ if (doit[D_CBC_IDEA]) {117
+ IDEA_set_encrypt_key(key16, &idea_ks);118
+ }119
#endif120
#ifndef OPENSSL_NO_SEED121
- SEED_set_key(key16, &seed_ks);122
+ if (doit[D_CBC_SEED]) {123
+ SEED_set_key(key16, &seed_ks);124
+ }125
#endif126
#ifndef OPENSSL_NO_RC4127
- RC4_set_key(&rc4_ks, 16, key16);128
+ if (doit[D_RC4]) {129
+ RC4_set_key(&rc4_ks, 16, key16);130
+ }131
#endif132
#ifndef OPENSSL_NO_RC2133
- RC2_set_key(&rc2_ks, 16, key16, 128);134
+ if (doit[D_CBC_RC2]) {135
+ RC2_set_key(&rc2_ks, 16, key16, 128);136
+ }137
#endif138
#ifndef OPENSSL_NO_RC5139
- RC5_32_set_key(&rc5_ks, 16, key16, 12);140
+ if (doit[D_CBC_RC5]) {141
+ RC5_32_set_key(&rc5_ks, 16, key16, 12);142
+ }143
#endif144
#ifndef OPENSSL_NO_BF145
- BF_set_key(&bf_ks, 16, key16);146
+ if (doit[D_CBC_BF]) {147
+ BF_set_key(&bf_ks, 16, key16);148
+ }149
#endif150
#ifndef OPENSSL_NO_CAST151
- CAST_set_key(&cast_ks, 16, key16);152
+ if (doit[D_CBC_CAST]) {153
+ CAST_set_key(&cast_ks, 16, key16);154
+ }155
#endif156
#ifndef SIGALRM157
# ifndef OPENSSL_NO_DES158
159
160
for (i = 0; i < loopargs_len; i++) {161
loopargs[i].hctx = HMAC_CTX_new();162
+ HMAC_CTX_set_flags(loopargs[i].hctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);163
if (loopargs[i].hctx == NULL) {164
BIO_printf(bio_err, "HMAC malloc failure, exiting...");165
exit(1);166
diff -up openssl-1.1.1j/Configure.fips openssl-1.1.1j/Configure167
--- openssl-1.1.1j/Configure.fips 2021-03-03 12:57:42.192734467 +0100168
+++ openssl-1.1.1j/Configure 2021-03-03 12:57:42.195734492 +0100169
170
"md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "siphash", "sm3",171
"des", "aes", "rc2", "rc4", "rc5", "idea", "aria", "bf", "cast", "camellia", "seed", "sm4", "chacha", "modes",172
"bn", "ec", "rsa", "dsa", "dh", "sm2", "dso", "engine",173
- "buffer", "bio", "stack", "lhash", "rand", "err",174
+ "buffer", "bio", "stack", "lhash", "rand", "err", "fips",175
"evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui",176
"cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store"177
];178
diff -up openssl-1.1.1j/crypto/cmac/cm_pmeth.c.fips openssl-1.1.1j/crypto/cmac/cm_pmeth.c179
--- openssl-1.1.1j/crypto/cmac/cm_pmeth.c.fips 2021-02-16 16:24:01.000000000 +0100180
+++ openssl-1.1.1j/crypto/cmac/cm_pmeth.c 2021-03-03 12:57:42.195734492 +0100181
182
183
const EVP_PKEY_METHOD cmac_pkey_meth = {184
EVP_PKEY_CMAC,185
- EVP_PKEY_FLAG_SIGCTX_CUSTOM,186
+ EVP_PKEY_FLAG_SIGCTX_CUSTOM | EVP_PKEY_FLAG_FIPS,187
pkey_cmac_init,188
pkey_cmac_copy,189
pkey_cmac_cleanup,190
diff -up openssl-1.1.1j/crypto/dh/dh_err.c.fips openssl-1.1.1j/crypto/dh/dh_err.c191
--- openssl-1.1.1j/crypto/dh/dh_err.c.fips 2021-02-16 16:24:01.000000000 +0100192
+++ openssl-1.1.1j/crypto/dh/dh_err.c 2021-03-03 12:57:42.195734492 +0100193
194
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"},195
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_SHARED_INFO, 0),196
"dh_cms_set_shared_info"},197
+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_COMPUTE_KEY, 0), "DH_compute_key"},198
+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_KEY, 0), "DH_generate_key"},199
+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_PARAMETERS_EX, 0), "DH_generate_parameters_ex"},200
{ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_DUP, 0), "DH_meth_dup"},201
{ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_NEW, 0), "DH_meth_new"},202
{ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_SET1_NAME, 0), "DH_meth_set1_name"},203
204
{ERR_PACK(ERR_LIB_DH, 0, DH_R_INVALID_PUBKEY), "invalid public key"},205
{ERR_PACK(ERR_LIB_DH, 0, DH_R_KDF_PARAMETER_ERROR), "kdf parameter error"},206
{ERR_PACK(ERR_LIB_DH, 0, DH_R_KEYS_NOT_SET), "keys not set"},207
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_KEY_SIZE_TOO_SMALL), "key size too small"},208
{ERR_PACK(ERR_LIB_DH, 0, DH_R_MISSING_PUBKEY), "missing pubkey"},209
{ERR_PACK(ERR_LIB_DH, 0, DH_R_MODULUS_TOO_LARGE), "modulus too large"},210
{ERR_PACK(ERR_LIB_DH, 0, DH_R_NOT_SUITABLE_GENERATOR),211
"not suitable generator"},212
{ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PARAMETERS_SET), "no parameters set"},213
{ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PRIVATE_VALUE), "no private value"},214
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_NON_FIPS_METHOD), "non FIPS method"},215
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),216
"parameter encoding error"},217
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},218
diff -up openssl-1.1.1j/crypto/dh/dh_gen.c.fips openssl-1.1.1j/crypto/dh/dh_gen.c219
--- openssl-1.1.1j/crypto/dh/dh_gen.c.fips 2021-02-16 16:24:01.000000000 +0100220
+++ openssl-1.1.1j/crypto/dh/dh_gen.c 2021-03-03 12:57:42.195734492 +0100221
222
#include "internal/cryptlib.h"223
#include <openssl/bn.h>224
#include "dh_local.h"225
+#ifdef OPENSSL_FIPS226
+# include <openssl/fips.h>227
+#endif228
229
static int dh_builtin_genparams(DH *ret, int prime_len, int generator,230
BN_GENCB *cb);231
232
int DH_generate_parameters_ex(DH *ret, int prime_len, int generator,233
BN_GENCB *cb)234
{235
+#ifdef OPENSSL_FIPS236
+ if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD)237
+ && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) {238
+ DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD);239
+ return 0;240
+ }241
+#endif242
if (ret->meth->generate_params)243
return ret->meth->generate_params(ret, prime_len, generator, cb);244
return dh_builtin_genparams(ret, prime_len, generator, cb);245
246
int g, ok = -1;247
BN_CTX *ctx = NULL;248
249
+#ifdef OPENSSL_FIPS250
+ if (FIPS_selftest_failed()) {251
+ FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED);252
+ return 0;253
+ }254
+255
+ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) {256
+ DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);257
+ goto err;258
+ }259
+#endif260
+261
ctx = BN_CTX_new();262
if (ctx == NULL)263
goto err;264
diff -up openssl-1.1.1j/crypto/dh/dh_key.c.fips openssl-1.1.1j/crypto/dh/dh_key.c265
--- openssl-1.1.1j/crypto/dh/dh_key.c.fips 2021-02-16 16:24:01.000000000 +0100266
+++ openssl-1.1.1j/crypto/dh/dh_key.c 2021-03-03 13:02:45.963247596 +0100267
268
#include "internal/cryptlib.h"269
#include "dh_local.h"270
#include "crypto/bn.h"271
+#ifdef OPENSSL_FIPS272
+# include <openssl/fips.h>273
+#endif274
275
static int generate_key(DH *dh);276
static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);277
278
int ret = 0, i;279
volatile size_t npad = 0, mask = 1;280
281
+#ifdef OPENSSL_FIPS282
+ if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)283
+ && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) {284
+ DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD);285
+ return 0;286
+ }287
+#endif288
/* compute the key; ret is constant unless compute_key is external */289
if ((ret = dh->meth->compute_key(key, pub_key, dh)) <= 0)290
return ret;291
292
BN_MONT_CTX *mont = NULL;293
BIGNUM *pub_key = NULL, *priv_key = NULL;294
295
+#ifdef OPENSSL_FIPS296
+ if (FIPS_mode()297
+ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {298
+ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);299
+ return 0;300
+ }301
+#endif302
+303
if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {304
DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);305
return 0;306
307
DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE);308
goto err;309
}310
+#ifdef OPENSSL_FIPS311
+ if (FIPS_mode()312
+ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {313
+ DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);314
+ goto err;315
+ }316
+#endif317
318
ctx = BN_CTX_new();319
if (ctx == NULL)320
321
322
static int dh_init(DH *dh)323
{324
+#ifdef OPENSSL_FIPS325
+ FIPS_selftest_check();326
+#endif327
dh->flags |= DH_FLAG_CACHE_MONT_P;328
return 1;329
}330
diff -up openssl-1.1.1j/crypto/dh/dh_pmeth.c.fips openssl-1.1.1j/crypto/dh/dh_pmeth.c331
--- openssl-1.1.1j/crypto/dh/dh_pmeth.c.fips 2021-02-16 16:24:01.000000000 +0100332
+++ openssl-1.1.1j/crypto/dh/dh_pmeth.c 2021-03-03 12:57:42.196734500 +0100333
334
335
const EVP_PKEY_METHOD dh_pkey_meth = {336
EVP_PKEY_DH,337
- 0,338
+ EVP_PKEY_FLAG_FIPS,339
pkey_dh_init,340
pkey_dh_copy,341
pkey_dh_cleanup,342
343
344
const EVP_PKEY_METHOD dhx_pkey_meth = {345
EVP_PKEY_DHX,346
- 0,347
+ EVP_PKEY_FLAG_FIPS,348
pkey_dh_init,349
pkey_dh_copy,350
pkey_dh_cleanup,351
diff -up openssl-1.1.1j/crypto/dsa/dsa_err.c.fips openssl-1.1.1j/crypto/dsa/dsa_err.c352
--- openssl-1.1.1j/crypto/dsa/dsa_err.c.fips 2021-02-16 16:24:01.000000000 +0100353
+++ openssl-1.1.1j/crypto/dsa/dsa_err.c 2021-03-03 12:57:42.196734500 +0100354
355
static const ERR_STRING_DATA DSA_str_functs[] = {356
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT, 0), "DSAparams_print"},357
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT_FP, 0), "DSAparams_print_fp"},358
+ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_KEYGEN, 0), "dsa_builtin_keygen"},359
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_PARAMGEN, 0),360
"dsa_builtin_paramgen"},361
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_PARAMGEN2, 0),362
"dsa_builtin_paramgen2"},363
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_SIGN, 0), "DSA_do_sign"},364
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_VERIFY, 0), "DSA_do_verify"},365
+ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_KEY, 0), "DSA_generate_key"},366
+ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_PARAMETERS_EX, 0), "DSA_generate_parameters_ex"},367
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_DUP, 0), "DSA_meth_dup"},368
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_NEW, 0), "DSA_meth_new"},369
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_SET1_NAME, 0), "DSA_meth_set1_name"},370
371
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_DIGEST_TYPE),372
"invalid digest type"},373
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_PARAMETERS), "invalid parameters"},374
+ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_INVALID), "key size invalid"},375
+ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_TOO_SMALL), "key size too small"},376
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PARAMETERS), "missing parameters"},377
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PRIVATE_KEY),378
"missing private key"},379
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MODULUS_TOO_LARGE), "modulus too large"},380
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NO_PARAMETERS_SET), "no parameters set"},381
+ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NON_FIPS_DSA_METHOD), "non FIPS DSA method"},382
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR),383
"parameter encoding error"},384
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"},385
diff -up openssl-1.1.1j/crypto/dsa/dsa_gen.c.fips openssl-1.1.1j/crypto/dsa/dsa_gen.c386
--- openssl-1.1.1j/crypto/dsa/dsa_gen.c.fips 2021-02-16 16:24:01.000000000 +0100387
+++ openssl-1.1.1j/crypto/dsa/dsa_gen.c 2021-03-03 12:57:42.196734500 +0100388
389
#include <openssl/rand.h>390
#include <openssl/sha.h>391
#include "dsa_local.h"392
+#ifdef OPENSSL_FIPS393
+# include <openssl/fips.h>394
+#endif395
396
int DSA_generate_parameters_ex(DSA *ret, int bits,397
const unsigned char *seed_in, int seed_len,398
int *counter_ret, unsigned long *h_ret,399
BN_GENCB *cb)400
{401
+# ifdef OPENSSL_FIPS402
+ if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD)403
+ && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW)) {404
+ DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD);405
+ return 0;406
+ }407
+# endif408
if (ret->meth->dsa_paramgen)409
return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,410
counter_ret, h_ret, cb);411
412
const EVP_MD *evpmd = bits >= 2048 ? EVP_sha256() : EVP_sha1();413
size_t qbits = EVP_MD_size(evpmd) * 8;414
415
+# ifdef OPENSSL_FIPS416
+ return dsa_builtin_paramgen2(ret, bits, qbits, evpmd,417
+ seed_in, seed_len, -1, NULL, counter_ret,418
+ h_ret, cb);419
+# else420
return dsa_builtin_paramgen(ret, bits, qbits, evpmd,421
seed_in, seed_len, NULL, counter_ret,422
h_ret, cb);423
+# endif424
}425
}426
427
428
int *counter_ret, unsigned long *h_ret,429
BN_GENCB *cb)430
{431
- int ok = -1;432
+ int ok = 0;433
unsigned char *seed = NULL, *seed_tmp = NULL;434
unsigned char md[EVP_MAX_MD_SIZE];435
int mdsize;436
437
goto err;438
}439
440
+# ifdef OPENSSL_FIPS441
+ if (FIPS_selftest_failed()) {442
+ FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN2, FIPS_R_FIPS_SELFTEST_FAILED);443
+ goto err;444
+ }445
+446
+ if (FIPS_mode() &&447
+ (L != 2048 || N != 224) && (L != 2048 || N != 256) &&448
+ (L != 3072 || N != 256)) {449
+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_KEY_SIZE_INVALID);450
+ goto err;451
+ }452
+# endif453
+454
if (evpmd == NULL) {455
if (N == 160)456
evpmd = EVP_sha1();457
458
goto err;459
/* Provided seed didn't produce a prime: error */460
if (seed_in) {461
- ok = 0;462
- DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_Q_NOT_PRIME);463
- goto err;464
+ /* Different seed_out will indicate that seed_in465
+ * did not generate primes.466
+ */467
+ seed_in = NULL;468
}469
470
/* do a callback call */471
472
if (counter >= (int)(4 * L))473
break;474
}475
+#if 0476
+ /* Cannot happen */477
if (seed_in) {478
ok = 0;479
DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS);480
goto err;481
}482
+#endif483
}484
end:485
if (!BN_GENCB_call(cb, 2, 1))486
487
BN_free(ret->g);488
ret->g = BN_dup(g);489
if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {490
- ok = -1;491
+ ok = 0;492
goto err;493
}494
if (counter_ret != NULL)495
496
EVP_MD_CTX_free(mctx);497
return ok;498
}499
+500
+#ifdef OPENSSL_FIPS501
+502
+int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,503
+ const EVP_MD *evpmd, const unsigned char *seed_in,504
+ size_t seed_len, int idx, unsigned char *seed_out,505
+ int *counter_ret, unsigned long *h_ret,506
+ BN_GENCB *cb)507
+{508
+ return dsa_builtin_paramgen2(ret, L, N, evpmd, seed_in, seed_len,509
+ idx, seed_out, counter_ret, h_ret, cb);510
+}511
+512
+int FIPS_dsa_paramgen_check_g(DSA *dsa)513
+{514
+ BN_CTX *ctx;515
+ BIGNUM *tmp;516
+ BN_MONT_CTX *mont = NULL;517
+ int rv = -1;518
+519
+ ctx = BN_CTX_new();520
+ if (ctx == NULL)521
+ return -1;522
+ if (BN_cmp(dsa->g, BN_value_one()) <= 0)523
+ return 0;524
+ if (BN_cmp(dsa->g, dsa->p) >= 0)525
+ return 0;526
+ BN_CTX_start(ctx);527
+ tmp = BN_CTX_get(ctx);528
+ if (tmp == NULL)529
+ goto err;530
+ if ((mont=BN_MONT_CTX_new()) == NULL)531
+ goto err;532
+ if (!BN_MONT_CTX_set(mont,dsa->p,ctx))533
+ goto err;534
+ /* Work out g^q mod p */535
+ if (!BN_mod_exp_mont(tmp,dsa->g,dsa->q, dsa->p, ctx, mont))536
+ goto err;537
+ if (!BN_cmp(tmp, BN_value_one()))538
+ rv = 1;539
+ else540
+ rv = 0;541
+ err:542
+ BN_CTX_end(ctx);543
+ BN_MONT_CTX_free(mont);544
+ BN_CTX_free(ctx);545
+ return rv;546
+}547
+548
+#endif549
diff -up openssl-1.1.1j/crypto/dsa/dsa_key.c.fips openssl-1.1.1j/crypto/dsa/dsa_key.c550
--- openssl-1.1.1j/crypto/dsa/dsa_key.c.fips 2021-02-16 16:24:01.000000000 +0100551
+++ openssl-1.1.1j/crypto/dsa/dsa_key.c 2021-03-03 12:57:42.196734500 +0100552
553
#include <openssl/bn.h>554
#include "dsa_local.h"555
556
+#ifdef OPENSSL_FIPS557
+# include <openssl/fips.h>558
+# include "crypto/fips.h"559
+560
+static int fips_check_dsa(DSA *dsa)561
+{562
+ EVP_PKEY *pk;563
+ unsigned char tbs[] = "DSA Pairwise Check Data";564
+ int ret = 0;565
+566
+ if ((pk = EVP_PKEY_new()) == NULL)567
+ goto err;568
+569
+ EVP_PKEY_set1_DSA(pk, dsa);570
+571
+ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))572
+ ret = 1;573
+574
+ err:575
+ if (ret == 0) {576
+ FIPSerr(FIPS_F_FIPS_CHECK_DSA, FIPS_R_PAIRWISE_TEST_FAILED);577
+ fips_set_selftest_fail();578
+ }579
+580
+ if (pk)581
+ EVP_PKEY_free(pk);582
+583
+ return ret;584
+}585
+586
+#endif587
+588
static int dsa_builtin_keygen(DSA *dsa);589
590
int DSA_generate_key(DSA *dsa)591
{592
+#ifdef OPENSSL_FIPS593
+ if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)594
+ && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) {595
+ DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD);596
+ return 0;597
+ }598
+#endif599
if (dsa->meth->dsa_keygen)600
return dsa->meth->dsa_keygen(dsa);601
return dsa_builtin_keygen(dsa);602
603
BN_CTX *ctx = NULL;604
BIGNUM *pub_key = NULL, *priv_key = NULL;605
606
+#ifdef OPENSSL_FIPS607
+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)608
+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN)) {609
+ DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);610
+ goto err;611
+ }612
+#endif613
+614
if ((ctx = BN_CTX_new()) == NULL)615
goto err;616
617
618
619
dsa->priv_key = priv_key;620
dsa->pub_key = pub_key;621
+#ifdef OPENSSL_FIPS622
+ if (FIPS_mode() && !fips_check_dsa(dsa)) {623
+ dsa->pub_key = NULL;624
+ dsa->priv_key = NULL;625
+ goto err;626
+ }627
+#endif628
ok = 1;629
630
err:631
diff -up openssl-1.1.1j/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1j/crypto/dsa/dsa_ossl.c632
--- openssl-1.1.1j/crypto/dsa/dsa_ossl.c.fips 2021-02-16 16:24:01.000000000 +0100633
+++ openssl-1.1.1j/crypto/dsa/dsa_ossl.c 2021-03-03 12:57:42.196734500 +0100634
635
#include <openssl/sha.h>636
#include "dsa_local.h"637
#include <openssl/asn1.h>638
+#ifdef OPENSSL_FIPS639
+# include <openssl/fips.h>640
+#endif641
642
static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);643
static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,644
645
goto err;646
}647
648
+#ifdef OPENSSL_FIPS649
+ if (FIPS_selftest_failed()) {650
+ FIPSerr(FIPS_F_DSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED);651
+ return NULL;652
+ }653
+654
+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)655
+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {656
+ DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);657
+ return NULL;658
+ }659
+#endif660
+661
ret = DSA_SIG_new();662
if (ret == NULL)663
goto err;664
665
DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE);666
return -1;667
}668
+#ifdef OPENSSL_FIPS669
+ if (FIPS_selftest_failed()) {670
+ FIPSerr(FIPS_F_DSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED);671
+ return -1;672
+ }673
+674
+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)675
+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {676
+ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);677
+ return -1;678
+ }679
+#endif680
681
if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {682
DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE);683
684
685
static int dsa_init(DSA *dsa)686
{687
+#ifdef OPENSSL_FIPS688
+ FIPS_selftest_check();689
+#endif690
dsa->flags |= DSA_FLAG_CACHE_MONT_P;691
return 1;692
}693
diff -up openssl-1.1.1j/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.1j/crypto/dsa/dsa_pmeth.c694
--- openssl-1.1.1j/crypto/dsa/dsa_pmeth.c.fips 2021-02-16 16:24:01.000000000 +0100695
+++ openssl-1.1.1j/crypto/dsa/dsa_pmeth.c 2021-03-03 12:57:42.196734500 +0100696
697
BN_GENCB_free(pcb);698
return 0;699
}700
- ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd,701
- NULL, 0, NULL, NULL, NULL, pcb);702
+ ret = dsa_builtin_paramgen2(dsa, dctx->nbits, dctx->qbits, dctx->pmd,703
+ NULL, 0, -1, NULL, NULL, NULL, pcb);704
BN_GENCB_free(pcb);705
if (ret)706
EVP_PKEY_assign_DSA(pkey, dsa);707
708
709
const EVP_PKEY_METHOD dsa_pkey_meth = {710
EVP_PKEY_DSA,711
- EVP_PKEY_FLAG_AUTOARGLEN,712
+ EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS,713
pkey_dsa_init,714
pkey_dsa_copy,715
pkey_dsa_cleanup,716
diff -up openssl-1.1.1j/crypto/ec/ecdh_ossl.c.fips openssl-1.1.1j/crypto/ec/ecdh_ossl.c717
--- openssl-1.1.1j/crypto/ec/ecdh_ossl.c.fips 2021-02-16 16:24:01.000000000 +0100718
+++ openssl-1.1.1j/crypto/ec/ecdh_ossl.c 2021-03-03 12:57:42.196734500 +0100719
720
#include <openssl/ec.h>721
#include "ec_local.h"722
723
+#ifdef OPENSSL_FIPS724
+# include <openssl/fips.h>725
+#endif726
+727
int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen,728
const EC_POINT *pub_key, const EC_KEY *ecdh)729
{730
+#ifdef OPENSSL_FIPS731
+ if (FIPS_selftest_failed()) {732
+ FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED);733
+ return -1;734
+ }735
+#endif736
+737
if (ecdh->group->meth->ecdh_compute_key == NULL) {738
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH);739
return 0;740
diff -up openssl-1.1.1j/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1j/crypto/ec/ecdsa_ossl.c741
--- openssl-1.1.1j/crypto/ec/ecdsa_ossl.c.fips 2021-02-16 16:24:01.000000000 +0100742
+++ openssl-1.1.1j/crypto/ec/ecdsa_ossl.c 2021-03-03 12:57:42.196734500 +0100743
744
#include "crypto/bn.h"745
#include "ec_local.h"746
747
+#ifdef OPENSSL_FIPS748
+# include <openssl/fips.h>749
+#endif750
+751
int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,752
BIGNUM **rp)753
{754
755
ECDSA_SIG *ret;756
const BIGNUM *priv_key;757
758
+#ifdef OPENSSL_FIPS759
+ if (FIPS_selftest_failed()) {760
+ FIPSerr(FIPS_F_OSSL_ECDSA_SIGN_SIG, FIPS_R_FIPS_SELFTEST_FAILED);761
+ return NULL;762
+ }763
+#endif764
+765
group = EC_KEY_get0_group(eckey);766
priv_key = EC_KEY_get0_private_key(eckey);767
768
769
const EC_GROUP *group;770
const EC_POINT *pub_key;771
772
+#ifdef OPENSSL_FIPS773
+ if (FIPS_selftest_failed()) {774
+ FIPSerr(FIPS_F_OSSL_ECDSA_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED);775
+ return -1;776
+ }777
+#endif778
+779
/* check input values */780
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||781
(pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {782
diff -up openssl-1.1.1j/crypto/ec/ec_key.c.fips openssl-1.1.1j/crypto/ec/ec_key.c783
--- openssl-1.1.1j/crypto/ec/ec_key.c.fips 2021-02-16 16:24:01.000000000 +0100784
+++ openssl-1.1.1j/crypto/ec/ec_key.c 2021-03-03 12:57:42.196734500 +0100785
786
return eckey->engine;787
}788
789
+#ifdef OPENSSL_FIPS790
+791
+# include <openssl/fips.h>792
+# include "crypto/fips.h"793
+794
+static int fips_check_ec(EC_KEY *key)795
+{796
+ EVP_PKEY *pk;797
+ unsigned char tbs[] = "ECDSA Pairwise Check Data";798
+ int ret = 0;799
+800
+ if (!EC_KEY_can_sign(key)) /* no test for non-signing keys */801
+ return 1;802
+803
+ if ((pk = EVP_PKEY_new()) == NULL)804
+ goto err;805
+806
+ EVP_PKEY_set1_EC_KEY(pk, key);807
+808
+ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))809
+ ret = 1;810
+811
+ err:812
+ if (ret == 0) {813
+ FIPSerr(FIPS_F_FIPS_CHECK_EC, FIPS_R_PAIRWISE_TEST_FAILED);814
+ fips_set_selftest_fail();815
+ }816
+ if (pk)817
+ EVP_PKEY_free(pk);818
+ return ret;819
+}820
+821
+#endif822
+823
int EC_KEY_generate_key(EC_KEY *eckey)824
{825
+#ifdef OPENSSL_FIPS826
+ if (FIPS_selftest_failed()) {827
+ ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_NOT_INITIALIZED);828
+ return 0;829
+ }830
+#endif831
if (eckey == NULL || eckey->group == NULL) {832
ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);833
return 0;834
}835
- if (eckey->meth->keygen != NULL)836
- return eckey->meth->keygen(eckey);837
+ if (eckey->meth->keygen != NULL) {838
+ int rv = eckey->meth->keygen(eckey);839
+840
+#ifdef OPENSSL_FIPS841
+ if (rv > 0 && FIPS_mode()) {842
+ rv = fips_check_ec(eckey);843
+ }844
+#endif845
+ return rv;846
+ }847
ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED);848
return 0;849
}850
diff -up openssl-1.1.1j/crypto/ec/ec_pmeth.c.fips openssl-1.1.1j/crypto/ec/ec_pmeth.c851
--- openssl-1.1.1j/crypto/ec/ec_pmeth.c.fips 2021-02-16 16:24:01.000000000 +0100852
+++ openssl-1.1.1j/crypto/ec/ec_pmeth.c 2021-03-03 12:57:42.197734509 +0100853
854
855
const EVP_PKEY_METHOD ec_pkey_meth = {856
EVP_PKEY_EC,857
- 0,858
+ EVP_PKEY_FLAG_FIPS,859
pkey_ec_init,860
pkey_ec_copy,861
pkey_ec_cleanup,862
diff -up openssl-1.1.1j/crypto/evp/digest.c.fips openssl-1.1.1j/crypto/evp/digest.c863
--- openssl-1.1.1j/crypto/evp/digest.c.fips 2021-02-16 16:24:01.000000000 +0100864
+++ openssl-1.1.1j/crypto/evp/digest.c 2021-03-03 12:57:42.197734509 +0100865
866
#include <openssl/engine.h>867
#include "crypto/evp.h"868
#include "evp_local.h"869
+#ifdef OPENSSL_FIPS870
+# include <openssl/fips.h>871
+#endif872
873
/* This call frees resources associated with the context */874
int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)875
876
int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)877
{878
EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);879
+#ifdef OPENSSL_FIPS880
+ if (FIPS_selftest_failed()) {881
+ FIPSerr(FIPS_F_EVP_DIGESTINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED);882
+ return 0;883
+ }884
+#endif885
#ifndef OPENSSL_NO_ENGINE886
/*887
* Whether it's nice or not, "Inits" can be used on "Final"'d contexts so888
889
}890
#endif891
if (ctx->digest != type) {892
+#ifdef OPENSSL_FIPS893
+ if (FIPS_mode()) {894
+ if (!(type->flags & EVP_MD_FLAG_FIPS)895
+ && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {896
+ EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);897
+ return 0;898
+ }899
+ }900
+#endif901
if (ctx->digest && ctx->digest->ctx_size) {902
OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);903
ctx->md_data = NULL;904
905
906
int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)907
{908
+#ifdef OPENSSL_FIPS909
+ FIPS_selftest_check();910
+#endif911
+912
if (count == 0)913
return 1;914
915
916
{917
int ret;918
919
+#ifdef OPENSSL_FIPS920
+ FIPS_selftest_check();921
+#endif922
OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);923
ret = ctx->digest->final(ctx, md);924
if (size != NULL)925
diff -up openssl-1.1.1j/crypto/evp/e_aes.c.fips openssl-1.1.1j/crypto/evp/e_aes.c926
--- openssl-1.1.1j/crypto/evp/e_aes.c.fips 2021-02-16 16:24:01.000000000 +0100927
+++ openssl-1.1.1j/crypto/evp/e_aes.c 2021-03-03 12:57:42.197734509 +0100928
929
* This addresses Rogaway's vulnerability.930
* See comment in aes_xts_init_key() below.931
*/932
- if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {933
+ if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) {934
EVPerr(EVP_F_AESNI_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);935
return 0;936
}937
938
* This addresses Rogaway's vulnerability.939
* See comment in aes_xts_init_key() below.940
*/941
- if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {942
+ if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) {943
EVPerr(EVP_F_AES_T4_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);944
return 0;945
}946
947
return 1;948
}949
950
-BLOCK_CIPHER_generic_pack(NID_aes, 128, 0)951
- BLOCK_CIPHER_generic_pack(NID_aes, 192, 0)952
- BLOCK_CIPHER_generic_pack(NID_aes, 256, 0)953
+BLOCK_CIPHER_generic_pack(NID_aes, 128, EVP_CIPH_FLAG_FIPS)954
+ BLOCK_CIPHER_generic_pack(NID_aes, 192, EVP_CIPH_FLAG_FIPS)955
+ BLOCK_CIPHER_generic_pack(NID_aes, 256, EVP_CIPH_FLAG_FIPS)956
957
static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)958
{959
960
case EVP_CTRL_AEAD_SET_IVLEN:961
if (arg <= 0)962
return 0;963
+# ifdef OPENSSL_FIPS964
+ if (FIPS_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)965
+ && arg < 12)966
+ return 0;967
+# endif968
/* Allocate memory for IV if needed */969
if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {970
if (gctx->iv != c->iv)971
972
| EVP_CIPH_CUSTOM_COPY | EVP_CIPH_CUSTOM_IV_LENGTH)973
974
BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,975
- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)976
+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |977
+ CUSTOM_FLAGS)978
BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,979
- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)980
+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |981
+ CUSTOM_FLAGS)982
BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,983
- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)984
+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |985
+ CUSTOM_FLAGS)986
987
static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)988
{989
990
* BEFORE using the keys in the XTS-AES algorithm to process991
* data with them."992
*/993
- if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {994
+ if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) {995
EVPerr(EVP_F_AES_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);996
return 0;997
}998
999
return 0;1000
if (!out || !in || len < AES_BLOCK_SIZE)1001
return 0;1002
+# ifdef OPENSSL_FIPS1003
+ /* Requirement of SP800-38E */1004
+ if (FIPS_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&1005
+ (len > (1UL << 20) * 16)) {1006
+ EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);1007
+ return 0;1008
+ }1009
+# endif1010
if (xctx->stream)1011
(*xctx->stream) (in, out, len,1012
xctx->xts.key1, xctx->xts.key2,1013
1014
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \1015
| EVP_CIPH_CUSTOM_COPY)1016
1017
-BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS)1018
- BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS)1019
+BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS,1020
+ EVP_CIPH_FLAG_FIPS | XTS_FLAGS)1021
+ BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS,1022
+ EVP_CIPH_FLAG_FIPS | XTS_FLAGS)1023
1024
static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)1025
{1026
1027
#define aes_ccm_cleanup NULL1028
1029
BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,1030
- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)1031
+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)1032
BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,1033
- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)1034
+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)1035
BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,1036
- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)1037
+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)1038
1039
typedef struct {1040
union {1041
1042
return rv ? (int)rv : -1;1043
}1044
1045
-#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \1046
+#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_FLAG_FIPS \1047
| EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \1048
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)1049
1050
diff -up openssl-1.1.1j/crypto/evp/e_des3.c.fips openssl-1.1.1j/crypto/evp/e_des3.c1051
--- openssl-1.1.1j/crypto/evp/e_des3.c.fips 2021-02-16 16:24:01.000000000 +01001052
+++ openssl-1.1.1j/crypto/evp/e_des3.c 2021-03-03 12:57:42.197734509 +01001053
1054
# define des_ede3_cbc_cipher des_ede_cbc_cipher1055
# define des_ede3_ecb_cipher des_ede_ecb_cipher1056
BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,1057
- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,1058
- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)1059
+ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |1060
+ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, NULL,1061
+ des3_ctrl)1062
1063
BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 1,1064
- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,1065
- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)1066
+ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |1067
+ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL,1068
+ NULL, des3_ctrl)1069
1070
BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 8,1071
- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,1072
- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)1073
+ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |1074
+ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL,1075
+ NULL, des3_ctrl)1076
1077
static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,1078
const unsigned char *iv, int enc)1079
diff -up openssl-1.1.1j/crypto/evp/e_null.c.fips openssl-1.1.1j/crypto/evp/e_null.c1080
--- openssl-1.1.1j/crypto/evp/e_null.c.fips 2021-02-16 16:24:01.000000000 +01001081
+++ openssl-1.1.1j/crypto/evp/e_null.c 2021-03-03 12:57:42.197734509 +01001082
1083
const unsigned char *in, size_t inl);1084
static const EVP_CIPHER n_cipher = {1085
NID_undef,1086
- 1, 0, 0, 0,1087
+ 1, 0, 0,1088
+ EVP_CIPH_FLAG_FIPS,1089
null_init_key,1090
null_cipher,1091
NULL,1092
diff -up openssl-1.1.1j/crypto/evp/evp_enc.c.fips openssl-1.1.1j/crypto/evp/evp_enc.c1093
--- openssl-1.1.1j/crypto/evp/evp_enc.c.fips 2021-02-16 16:24:01.000000000 +01001094
+++ openssl-1.1.1j/crypto/evp/evp_enc.c 2021-03-03 12:57:42.197734509 +01001095
1096
#include <openssl/engine.h>1097
#include "crypto/evp.h"1098
#include "evp_local.h"1099
+#ifdef OPENSSL_FIPS1100
+# include <openssl/fips.h>1101
+#endif1102
1103
int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c)1104
{1105
+#ifdef OPENSSL_FIPS1106
+ if (FIPS_selftest_failed()) {1107
+ FIPSerr(FIPS_F_EVP_CIPHER_CTX_RESET, FIPS_R_FIPS_SELFTEST_FAILED);1108
+ return 0;1109
+ }1110
+#endif1111
if (c == NULL)1112
return 1;1113
if (c->cipher != NULL) {1114
1115
1116
EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void)1117
{1118
+#ifdef OPENSSL_FIPS1119
+ if (FIPS_selftest_failed()) {1120
+ FIPSerr(FIPS_F_EVP_CIPHER_CTX_NEW, FIPS_R_FIPS_SELFTEST_FAILED);1121
+ return NULL;1122
+ }1123
+#endif1124
return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX));1125
}1126
1127
1128
enc = 1;1129
ctx->encrypt = enc;1130
}1131
+#ifdef OPENSSL_FIPS1132
+ if (FIPS_selftest_failed()) {1133
+ FIPSerr(FIPS_F_EVP_CIPHERINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED);1134
+ return 0;1135
+ }1136
+#endif1137
#ifndef OPENSSL_NO_ENGINE1138
/*1139
* Whether it's nice or not, "Inits" can be used on "Final"'d contexts so1140
1141
}1142
ctx->key_len = cipher->key_len;1143
/* Preserve wrap enable flag, zero everything else */1144
- ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW;1145
+ ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW | EVP_CIPH_FLAG_NON_FIPS_ALLOW;1146
if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) {1147
if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) {1148
ctx->cipher = NULL;1149
1150
return 0;1151
}1152
}1153
+#ifdef OPENSSL_FIPS1154
+ /* After 'key' is set no further parameters changes are permissible.1155
+ * So only check for non FIPS enabling at this point.1156
+ */1157
+ if (key && FIPS_mode()) {1158
+ if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS)1159
+ & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) {1160
+ EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS);1161
+ return 0;1162
+ }1163
+ }1164
+#endif1165
1166
if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {1167
if (!ctx->cipher->init(ctx, key, iv, enc))1168
diff -up openssl-1.1.1j/crypto/evp/evp_err.c.fips openssl-1.1.1j/crypto/evp/evp_err.c1169
--- openssl-1.1.1j/crypto/evp/evp_err.c.fips 2021-02-16 16:24:01.000000000 +01001170
+++ openssl-1.1.1j/crypto/evp/evp_err.c 2021-03-03 12:57:42.198734517 +01001171
1172
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_XTS_INIT_KEY, 0),1173
"aes_t4_xts_init_key"},1174
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_WRAP_CIPHER, 0), "aes_wrap_cipher"},1175
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_CIPHER, 0), "aes_xts_cipher"},1176
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_INIT_KEY, 0), "aes_xts_init_key"},1177
{ERR_PACK(ERR_LIB_EVP, EVP_F_ALG_MODULE_INIT, 0), "alg_module_init"},1178
{ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_CCM_INIT_KEY, 0), "aria_ccm_init_key"},1179
1180
"different key types"},1181
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIFFERENT_PARAMETERS),1182
"different parameters"},1183
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DISABLED_FOR_FIPS), "disabled for FIPS"},1184
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_LOADING_SECTION),1185
"error loading section"},1186
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_SETTING_FIPS_MODE),1187
1188
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PRIVATE_KEY_ENCODE_ERROR),1189
"private key encode error"},1190
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PUBLIC_KEY_NOT_RSA), "public key not rsa"},1191
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_TOO_LARGE), "too large"},1192
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_CIPHER), "unknown cipher"},1193
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_DIGEST), "unknown digest"},1194
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_OPTION), "unknown option"},1195
1196
"wrap mode not allowed"},1197
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_FINAL_BLOCK_LENGTH),1198
"wrong final block length"},1199
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE),1200
+ "xts data unit is too large"},1201
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS),1202
"xts duplicated keys"},1203
{0, NULL}1204
diff -up openssl-1.1.1j/crypto/evp/evp_lib.c.fips openssl-1.1.1j/crypto/evp/evp_lib.c1205
--- openssl-1.1.1j/crypto/evp/evp_lib.c.fips 2021-02-16 16:24:01.000000000 +01001206
+++ openssl-1.1.1j/crypto/evp/evp_lib.c 2021-03-03 12:57:42.198734517 +01001207
1208
int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,1209
const unsigned char *in, unsigned int inl)1210
{1211
+#ifdef OPENSSL_FIPS1212
+ FIPS_selftest_check();1213
+#endif1214
return ctx->cipher->do_cipher(ctx, out, in, inl);1215
}1216
1217
diff -up openssl-1.1.1j/crypto/evp/m_sha1.c.fips openssl-1.1.1j/crypto/evp/m_sha1.c1218
--- openssl-1.1.1j/crypto/evp/m_sha1.c.fips 2021-02-16 16:24:01.000000000 +01001219
+++ openssl-1.1.1j/crypto/evp/m_sha1.c 2021-03-03 12:57:42.198734517 +01001220
1221
NID_sha1,1222
NID_sha1WithRSAEncryption,1223
SHA_DIGEST_LENGTH,1224
- EVP_MD_FLAG_DIGALGID_ABSENT,1225
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,1226
init,1227
update,1228
final,1229
1230
NID_sha224,1231
NID_sha224WithRSAEncryption,1232
SHA224_DIGEST_LENGTH,1233
- EVP_MD_FLAG_DIGALGID_ABSENT,1234
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,1235
init224,1236
update224,1237
final224,1238
1239
NID_sha256,1240
NID_sha256WithRSAEncryption,1241
SHA256_DIGEST_LENGTH,1242
- EVP_MD_FLAG_DIGALGID_ABSENT,1243
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,1244
init256,1245
update256,1246
final256,1247
1248
NID_sha512_224,1249
NID_sha512_224WithRSAEncryption,1250
SHA224_DIGEST_LENGTH,1251
- EVP_MD_FLAG_DIGALGID_ABSENT,1252
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,1253
init512_224,1254
update512,1255
final512,1256
1257
NID_sha512_256,1258
NID_sha512_256WithRSAEncryption,1259
SHA256_DIGEST_LENGTH,1260
- EVP_MD_FLAG_DIGALGID_ABSENT,1261
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,1262
init512_256,1263
update512,1264
final512,1265
1266
NID_sha384,1267
NID_sha384WithRSAEncryption,1268
SHA384_DIGEST_LENGTH,1269
- EVP_MD_FLAG_DIGALGID_ABSENT,1270
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,1271
init384,1272
update384,1273
final384,1274
1275
NID_sha512,1276
NID_sha512WithRSAEncryption,1277
SHA512_DIGEST_LENGTH,1278
- EVP_MD_FLAG_DIGALGID_ABSENT,1279
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,1280
init512,1281
update512,1282
final512,1283
diff -up openssl-1.1.1j/crypto/evp/m_sha3.c.fips openssl-1.1.1j/crypto/evp/m_sha3.c1284
--- openssl-1.1.1j/crypto/evp/m_sha3.c.fips 2021-02-16 16:24:01.000000000 +01001285
+++ openssl-1.1.1j/crypto/evp/m_sha3.c 2021-03-03 12:57:42.198734517 +01001286
1287
NID_sha3_##bitlen, \1288
NID_RSA_SHA3_##bitlen, \1289
bitlen / 8, \1290
- EVP_MD_FLAG_DIGALGID_ABSENT, \1291
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \1292
s390x_sha3_init, \1293
s390x_sha3_update, \1294
s390x_sha3_final, \1295
1296
NID_sha3_##bitlen, \1297
NID_RSA_SHA3_##bitlen, \1298
bitlen / 8, \1299
- EVP_MD_FLAG_DIGALGID_ABSENT, \1300
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \1301
sha3_init, \1302
sha3_update, \1303
sha3_final, \1304
1305
NID_shake##bitlen, \1306
0, \1307
bitlen / 8, \1308
- EVP_MD_FLAG_XOF, \1309
+ EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS, \1310
s390x_shake_init, \1311
s390x_sha3_update, \1312
s390x_shake_final, \1313
1314
NID_shake##bitlen, \1315
0, \1316
bitlen / 8, \1317
- EVP_MD_FLAG_XOF, \1318
+ EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS, \1319
shake_init, \1320
sha3_update, \1321
sha3_final, \1322
1323
NID_sha3_##bitlen, \1324
NID_RSA_SHA3_##bitlen, \1325
bitlen / 8, \1326
- EVP_MD_FLAG_DIGALGID_ABSENT, \1327
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \1328
sha3_init, \1329
sha3_update, \1330
sha3_final, \1331
1332
NID_shake##bitlen, \1333
0, \1334
bitlen / 8, \1335
- EVP_MD_FLAG_XOF, \1336
+ EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS, \1337
shake_init, \1338
sha3_update, \1339
sha3_final, \1340
diff -up openssl-1.1.1j/crypto/evp/pmeth_lib.c.fips openssl-1.1.1j/crypto/evp/pmeth_lib.c1341
--- openssl-1.1.1j/crypto/evp/pmeth_lib.c.fips 2021-02-16 16:24:01.000000000 +01001342
+++ openssl-1.1.1j/crypto/evp/pmeth_lib.c 2021-03-03 12:57:42.198734517 +01001343
1344
pmeth = ENGINE_get_pkey_meth(e, id);1345
else1346
#endif1347
+ {1348
pmeth = EVP_PKEY_meth_find(id);1349
+#ifdef OPENSSL_FIPS1350
+ if (pmeth && !(pmeth->flags & EVP_PKEY_FLAG_FIPS) && FIPS_mode()) {1351
+ EVPerr(EVP_F_INT_CTX_NEW, EVP_R_DISABLED_FOR_FIPS);1352
+ return NULL;1353
+ }1354
+#endif1355
+ }1356
1357
if (pmeth == NULL) {1358
#ifndef OPENSSL_NO_ENGINE1359
diff -up openssl-1.1.1j/crypto/fips/build.info.fips openssl-1.1.1j/crypto/fips/build.info1360
--- openssl-1.1.1j/crypto/fips/build.info.fips 2021-03-03 12:57:42.198734517 +01001361
+++ openssl-1.1.1j/crypto/fips/build.info 2021-03-03 12:57:42.198734517 +01001362
1363
+LIBS=../../libcrypto1364
+SOURCE[../../libcrypto]=\1365
+ fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c \1366
+ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c \1367
+ fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \1368
+ fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \1369
+ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \1370
+ fips_dh_selftest.c fips_ers.c1371
+1372
+PROGRAMS_NO_INST=\1373
+ fips_standalone_hmac1374
+1375
+SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c1376
+INCLUDE[fips_standalone_hmac]=../../include1377
+DEPEND[fips_standalone_hmac]=../../libcrypto1378
diff -up openssl-1.1.1j/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_aes_selftest.c1379
--- openssl-1.1.1j/crypto/fips/fips_aes_selftest.c.fips 2021-03-03 12:57:42.198734517 +01001380
+++ openssl-1.1.1j/crypto/fips/fips_aes_selftest.c 2021-03-03 12:57:42.198734517 +01001381
1382
+/* ====================================================================1383
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.1384
+ *1385
+ * Redistribution and use in source and binary forms, with or without1386
+ * modification, are permitted provided that the following conditions1387
+ * are met:1388
+ *1389
+ * 1. Redistributions of source code must retain the above copyright1390
+ * notice, this list of conditions and the following disclaimer. 1391
+ *1392
+ * 2. Redistributions in binary form must reproduce the above copyright1393
+ * notice, this list of conditions and the following disclaimer in1394
+ * the documentation and/or other materials provided with the1395
+ * distribution.1396
+ *1397
+ * 3. All advertising materials mentioning features or use of this1398
+ * software must display the following acknowledgment:1399
+ * "This product includes software developed by the OpenSSL Project1400
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"1401
+ *1402
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to1403
+ * endorse or promote products derived from this software without1404
+ * prior written permission. For written permission, please contact1405
+ * openssl-core@openssl.org.1406
+ *1407
+ * 5. Products derived from this software may not be called "OpenSSL"1408
+ * nor may "OpenSSL" appear in their names without prior written1409
+ * permission of the OpenSSL Project.1410
+ *1411
+ * 6. Redistributions of any form whatsoever must retain the following1412
+ * acknowledgment:1413
+ * "This product includes software developed by the OpenSSL Project1414
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"1415
+ *1416
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY1417
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE1418
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR1419
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR1420
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,1421
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT1422
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;1423
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)1424
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,1425
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)1426
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED1427
+ * OF THE POSSIBILITY OF SUCH DAMAGE.1428
+ *1429
+ */1430
+1431
+#include <string.h>1432
+#include <openssl/err.h>1433
+#ifdef OPENSSL_FIPS1434
+# include <openssl/fips.h>1435
+# include "crypto/fips.h"1436
+#endif1437
+1438
+#ifdef OPENSSL_FIPS1439
+static const struct {1440
+ const unsigned char key[16];1441
+ const unsigned char plaintext[16];1442
+ const unsigned char ciphertext[16];1443
+} tests[] = {1444
+ {1445
+ {1446
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,1447
+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F}, {1448
+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,1449
+ 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}, {1450
+0x69, 0xC4, 0xE0, 0xD8, 0x6A, 0x7B, 0x04, 0x30,1451
+ 0xD8, 0xCD, 0xB7, 0x80, 0x70, 0xB4, 0xC5, 0x5A},},};1452
+1453
+int FIPS_selftest_aes()1454
+{1455
+ int n;1456
+ int ret = 0;1457
+ EVP_CIPHER_CTX *ctx;1458
+1459
+ ctx = EVP_CIPHER_CTX_new();1460
+ if (ctx == NULL)1461
+ goto err;1462
+1463
+ for (n = 0; n < 1; ++n) {1464
+ unsigned char key[16];1465
+1466
+ memcpy(key, tests[n].key, sizeof(key));1467
+ if (fips_cipher_test(ctx, EVP_aes_128_ecb(),1468
+ key, NULL,1469
+ tests[n].plaintext,1470
+ tests[n].ciphertext, 16) <= 0)1471
+ goto err;1472
+ }1473
+ ret = 1;1474
+ err:1475
+ EVP_CIPHER_CTX_free(ctx);1476
+ if (ret == 0)1477
+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES, FIPS_R_SELFTEST_FAILED);1478
+ return ret;1479
+}1480
+1481
+/* AES-CCM test data from NIST public test vectors */1482
+1483
+static const unsigned char ccm_key[] = {1484
+ 0xce, 0xb0, 0x09, 0xae, 0xa4, 0x45, 0x44, 0x51, 0xfe, 0xad, 0xf0, 0xe6,1485
+ 0xb3, 0x6f, 0x45, 0x55, 0x5d, 0xd0, 0x47, 0x23, 0xba, 0xa4, 0x48, 0xe81486
+};1487
+1488
+static const unsigned char ccm_nonce[] = {1489
+ 0x76, 0x40, 0x43, 0xc4, 0x94, 0x60, 0xb71490
+};1491
+1492
+static const unsigned char ccm_adata[] = {1493
+ 0x6e, 0x80, 0xdd, 0x7f, 0x1b, 0xad, 0xf3, 0xa1, 0xc9, 0xab, 0x25, 0xc7,1494
+ 0x5f, 0x10, 0xbd, 0xe7, 0x8c, 0x23, 0xfa, 0x0e, 0xb8, 0xf9, 0xaa, 0xa5,1495
+ 0x3a, 0xde, 0xfb, 0xf4, 0xcb, 0xf7, 0x8f, 0xe41496
+};1497
+1498
+static const unsigned char ccm_pt[] = {1499
+ 0xc8, 0xd2, 0x75, 0xf9, 0x19, 0xe1, 0x7d, 0x7f, 0xe6, 0x9c, 0x2a, 0x1f,1500
+ 0x58, 0x93, 0x9d, 0xfe, 0x4d, 0x40, 0x37, 0x91, 0xb5, 0xdf, 0x13, 0x101501
+};1502
+1503
+static const unsigned char ccm_ct[] = {1504
+ 0x8a, 0x0f, 0x3d, 0x82, 0x29, 0xe4, 0x8e, 0x74, 0x87, 0xfd, 0x95, 0xa2,1505
+ 0x8a, 0xd3, 0x92, 0xc8, 0x0b, 0x36, 0x81, 0xd4, 0xfb, 0xc7, 0xbb, 0xfd1506
+};1507
+1508
+static const unsigned char ccm_tag[] = {1509
+ 0x2d, 0xd6, 0xef, 0x1c, 0x45, 0xd4, 0xcc, 0xb7, 0x23, 0xdc, 0x07, 0x44,1510
+ 0x14, 0xdb, 0x50, 0x6d1511
+};1512
+1513
+int FIPS_selftest_aes_ccm(void)1514
+{1515
+ int ret = 0;1516
+ unsigned char out[128], tag[16];1517
+ EVP_CIPHER_CTX *ctx;1518
+1519
+ ctx = EVP_CIPHER_CTX_new();1520
+ if (ctx == NULL)1521
+ goto err;1522
+1523
+ memset(out, 0, sizeof(out));1524
+ if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 1))1525
+ goto err;1526
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN,1527
+ sizeof(ccm_nonce), NULL))1528
+ goto err;1529
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG,1530
+ sizeof(ccm_tag), NULL))1531
+ goto err;1532
+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 1))1533
+ goto err;1534
+ if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_pt)) != sizeof(ccm_pt))1535
+ goto err;1536
+ if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)1537
+ goto err;1538
+ if (EVP_Cipher(ctx, out, ccm_pt, sizeof(ccm_pt)) != sizeof(ccm_ct))1539
+ goto err;1540
+1541
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG, 16, tag))1542
+ goto err;1543
+ if (memcmp(tag, ccm_tag, sizeof(ccm_tag))1544
+ || memcmp(out, ccm_ct, sizeof(ccm_ct)))1545
+ goto err;1546
+1547
+ memset(out, 0, sizeof(out));1548
+1549
+ if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 0))1550
+ goto err;1551
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN,1552
+ sizeof(ccm_nonce), NULL))1553
+ goto err;1554
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, 16, tag))1555
+ goto err;1556
+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 0))1557
+ goto err;1558
+ if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_ct)) != sizeof(ccm_ct))1559
+ goto err;1560
+ if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)1561
+ goto err;1562
+ if (EVP_Cipher(ctx, out, ccm_ct, sizeof(ccm_ct)) != sizeof(ccm_pt))1563
+ goto err;1564
+1565
+ if (memcmp(out, ccm_pt, sizeof(ccm_pt)))1566
+ goto err;1567
+1568
+ ret = 1;1569
+1570
+ err:1571
+ EVP_CIPHER_CTX_free(ctx);1572
+1573
+ if (ret == 0) {1574
+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_CCM, FIPS_R_SELFTEST_FAILED);1575
+ return 0;1576
+ } else1577
+ return ret;1578
+1579
+}1580
+1581
+/* AES-GCM test data from NIST public test vectors */1582
+1583
+static const unsigned char gcm_key[] = {1584
+ 0xee, 0xbc, 0x1f, 0x57, 0x48, 0x7f, 0x51, 0x92, 0x1c, 0x04, 0x65, 0x66,1585
+ 0x5f, 0x8a, 0xe6, 0xd1, 0x65, 0x8b, 0xb2, 0x6d, 0xe6, 0xf8, 0xa0, 0x69,1586
+ 0xa3, 0x52, 0x02, 0x93, 0xa5, 0x72, 0x07, 0x8f1587
+};1588
+1589
+static const unsigned char gcm_iv[] = {1590
+ 0x99, 0xaa, 0x3e, 0x68, 0xed, 0x81, 0x73, 0xa0, 0xee, 0xd0, 0x66, 0x841591
+};1592
+1593
+static const unsigned char gcm_pt[] = {1594
+ 0xf5, 0x6e, 0x87, 0x05, 0x5b, 0xc3, 0x2d, 0x0e, 0xeb, 0x31, 0xb2, 0xea,1595
+ 0xcc, 0x2b, 0xf2, 0xa51596
+};1597
+1598
+static const unsigned char gcm_aad[] = {1599
+ 0x4d, 0x23, 0xc3, 0xce, 0xc3, 0x34, 0xb4, 0x9b, 0xdb, 0x37, 0x0c, 0x43,1600
+ 0x7f, 0xec, 0x78, 0xde1601
+};1602
+1603
+static const unsigned char gcm_ct[] = {1604
+ 0xf7, 0x26, 0x44, 0x13, 0xa8, 0x4c, 0x0e, 0x7c, 0xd5, 0x36, 0x86, 0x7e,1605
+ 0xb9, 0xf2, 0x17, 0x361606
+};1607
+1608
+static const unsigned char gcm_tag[] = {1609
+ 0x67, 0xba, 0x05, 0x10, 0x26, 0x2a, 0xe4, 0x87, 0xd7, 0x37, 0xee, 0x62,1610
+ 0x98, 0xf7, 0x7e, 0x0c1611
+};1612
+1613
+int FIPS_selftest_aes_gcm(void)1614
+{1615
+ int ret = 0;1616
+ unsigned char out[128], tag[16];1617
+ EVP_CIPHER_CTX *ctx;1618
+1619
+ ctx = EVP_CIPHER_CTX_new();1620
+ if (ctx == NULL)1621
+ goto err;1622
+1623
+ memset(out, 0, sizeof(out));1624
+ memset(tag, 0, sizeof(tag));1625
+ if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 1))1626
+ goto err;1627
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN,1628
+ sizeof(gcm_iv), NULL))1629
+ goto err;1630
+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 1))1631
+ goto err;1632
+ if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)1633
+ goto err;1634
+ if (EVP_Cipher(ctx, out, gcm_pt, sizeof(gcm_pt)) != sizeof(gcm_ct))1635
+ goto err;1636
+ if (EVP_Cipher(ctx, NULL, NULL, 0) < 0)1637
+ goto err;1638
+1639
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag))1640
+ goto err;1641
+1642
+ if (memcmp(tag, gcm_tag, 16) || memcmp(out, gcm_ct, 16))1643
+ goto err;1644
+1645
+ memset(out, 0, sizeof(out));1646
+1647
+ if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 0))1648
+ goto err;1649
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN,1650
+ sizeof(gcm_iv), NULL))1651
+ goto err;1652
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, tag))1653
+ goto err;1654
+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 0))1655
+ goto err;1656
+ if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)1657
+ goto err;1658
+ if (EVP_Cipher(ctx, out, gcm_ct, sizeof(gcm_ct)) != sizeof(gcm_pt))1659
+ goto err;1660
+ if (EVP_Cipher(ctx, NULL, NULL, 0) < 0)1661
+ goto err;1662
+1663
+ if (memcmp(out, gcm_pt, 16))1664
+ goto err;1665
+1666
+ ret = 1;1667
+1668
+ err:1669
+ EVP_CIPHER_CTX_free(ctx);1670
+1671
+ if (ret == 0) {1672
+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_GCM, FIPS_R_SELFTEST_FAILED);1673
+ return 0;1674
+ } else1675
+ return ret;1676
+1677
+}1678
+1679
+static const unsigned char XTS_128_key[] = {1680
+ 0xa1, 0xb9, 0x0c, 0xba, 0x3f, 0x06, 0xac, 0x35, 0x3b, 0x2c, 0x34, 0x38,1681
+ 0x76, 0x08, 0x17, 0x62, 0x09, 0x09, 0x23, 0x02, 0x6e, 0x91, 0x77, 0x18,1682
+ 0x15, 0xf2, 0x9d, 0xab, 0x01, 0x93, 0x2f, 0x2f1683
+};1684
+1685
+static const unsigned char XTS_128_i[] = {1686
+ 0x4f, 0xae, 0xf7, 0x11, 0x7c, 0xda, 0x59, 0xc6, 0x6e, 0x4b, 0x92, 0x01,1687
+ 0x3e, 0x76, 0x8a, 0xd51688
+};1689
+1690
+static const unsigned char XTS_128_pt[] = {1691
+ 0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d, 0x6f, 0xb3, 0x50, 0x39,1692
+ 0x07, 0x90, 0x31, 0x1c1693
+};1694
+1695
+static const unsigned char XTS_128_ct[] = {1696
+ 0x77, 0x8a, 0xe8, 0xb4, 0x3c, 0xb9, 0x8d, 0x5a, 0x82, 0x50, 0x81, 0xd5,1697
+ 0xbe, 0x47, 0x1c, 0x631698
+};1699
+1700
+static const unsigned char XTS_256_key[] = {1701
+ 0x1e, 0xa6, 0x61, 0xc5, 0x8d, 0x94, 0x3a, 0x0e, 0x48, 0x01, 0xe4, 0x2f,1702
+ 0x4b, 0x09, 0x47, 0x14, 0x9e, 0x7f, 0x9f, 0x8e, 0x3e, 0x68, 0xd0, 0xc7,1703
+ 0x50, 0x52, 0x10, 0xbd, 0x31, 0x1a, 0x0e, 0x7c, 0xd6, 0xe1, 0x3f, 0xfd,1704
+ 0xf2, 0x41, 0x8d, 0x8d, 0x19, 0x11, 0xc0, 0x04, 0xcd, 0xa5, 0x8d, 0xa3,1705
+ 0xd6, 0x19, 0xb7, 0xe2, 0xb9, 0x14, 0x1e, 0x58, 0x31, 0x8e, 0xea, 0x39,1706
+ 0x2c, 0xf4, 0x1b, 0x081707
+};1708
+1709
+static const unsigned char XTS_256_i[] = {1710
+ 0xad, 0xf8, 0xd9, 0x26, 0x27, 0x46, 0x4a, 0xd2, 0xf0, 0x42, 0x8e, 0x84,1711
+ 0xa9, 0xf8, 0x75, 0x641712
+};1713
+1714
+static const unsigned char XTS_256_pt[] = {1715
+ 0x2e, 0xed, 0xea, 0x52, 0xcd, 0x82, 0x15, 0xe1, 0xac, 0xc6, 0x47, 0xe8,1716
+ 0x10, 0xbb, 0xc3, 0x64, 0x2e, 0x87, 0x28, 0x7f, 0x8d, 0x2e, 0x57, 0xe3,1717
+ 0x6c, 0x0a, 0x24, 0xfb, 0xc1, 0x2a, 0x20, 0x2e1718
+};1719
+1720
+static const unsigned char XTS_256_ct[] = {1721
+ 0xcb, 0xaa, 0xd0, 0xe2, 0xf6, 0xce, 0xa3, 0xf5, 0x0b, 0x37, 0xf9, 0x34,1722
+ 0xd4, 0x6a, 0x9b, 0x13, 0x0b, 0x9d, 0x54, 0xf0, 0x7e, 0x34, 0xf3, 0x6a,1723
+ 0xf7, 0x93, 0xe8, 0x6f, 0x73, 0xc6, 0xd7, 0xdb1724
+};1725
+1726
+int FIPS_selftest_aes_xts()1727
+{1728
+ int ret = 1;1729
+ EVP_CIPHER_CTX *ctx;1730
+1731
+ ctx = EVP_CIPHER_CTX_new();1732
+ if (ctx == NULL)1733
+ goto err;1734
+1735
+ if (fips_cipher_test(ctx, EVP_aes_128_xts(),1736
+ XTS_128_key, XTS_128_i, XTS_128_pt, XTS_128_ct,1737
+ sizeof(XTS_128_pt)) <= 0)1738
+ ret = 0;1739
+1740
+ if (fips_cipher_test(ctx, EVP_aes_256_xts(),1741
+ XTS_256_key, XTS_256_i, XTS_256_pt, XTS_256_ct,1742
+ sizeof(XTS_256_pt)) <= 0)1743
+ ret = 0;1744
+1745
+ EVP_CIPHER_CTX_free(ctx);1746
+1747
+ err:1748
+ if (ret == 0)1749
+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_XTS, FIPS_R_SELFTEST_FAILED);1750
+ return ret;1751
+}1752
+1753
+#endif1754
diff -up openssl-1.1.1j/crypto/fips/fips.c.fips openssl-1.1.1j/crypto/fips/fips.c1755
--- openssl-1.1.1j/crypto/fips/fips.c.fips 2021-03-03 12:57:42.198734517 +01001756
+++ openssl-1.1.1j/crypto/fips/fips.c 2021-03-03 12:57:42.198734517 +01001757
1758
+/* ====================================================================1759
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.1760
+ *1761
+ * Redistribution and use in source and binary forms, with or without1762
+ * modification, are permitted provided that the following conditions1763
+ * are met:1764
+ *1765
+ * 1. Redistributions of source code must retain the above copyright1766
+ * notice, this list of conditions and the following disclaimer. 1767
+ *1768
+ * 2. Redistributions in binary form must reproduce the above copyright1769
+ * notice, this list of conditions and the following disclaimer in1770
+ * the documentation and/or other materials provided with the1771
+ * distribution.1772
+ *1773
+ * 3. All advertising materials mentioning features or use of this1774
+ * software must display the following acknowledgment:1775
+ * "This product includes software developed by the OpenSSL Project1776
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"1777
+ *1778
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to1779
+ * endorse or promote products derived from this software without1780
+ * prior written permission. For written permission, please contact1781
+ * openssl-core@openssl.org.1782
+ *1783
+ * 5. Products derived from this software may not be called "OpenSSL"1784
+ * nor may "OpenSSL" appear in their names without prior written1785
+ * permission of the OpenSSL Project.1786
+ *1787
+ * 6. Redistributions of any form whatsoever must retain the following1788
+ * acknowledgment:1789
+ * "This product includes software developed by the OpenSSL Project1790
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"1791
+ *1792
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY1793
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE1794
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR1795
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR1796
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,1797
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT1798
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;1799
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)1800
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,1801
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)1802
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED1803
+ * OF THE POSSIBILITY OF SUCH DAMAGE.1804
+ *1805
+ */1806
+1807
+#define _GNU_SOURCE1808
+1809
+#include <openssl/rand.h>1810
+#include <openssl/fips_rand.h>1811
+#include <openssl/err.h>1812
+#include <openssl/bio.h>1813
+#include <openssl/hmac.h>1814
+#include <openssl/rsa.h>1815
+#include <string.h>1816
+#include <limits.h>1817
+#include <dlfcn.h>1818
+#include <stdio.h>1819
+#include <stdlib.h>1820
+#include <unistd.h>1821
+#include <errno.h>1822
+#include "fips_locl.h"1823
+1824
+#ifdef OPENSSL_FIPS1825
+1826
+# include <openssl/fips.h>1827
+# include "internal/thread_once.h"1828
+1829
+# ifndef PATH_MAX1830
+# define PATH_MAX 10241831
+# endif1832
+1833
+static int fips_selftest_fail = 0;1834
+static int fips_mode = 0;1835
+static int fips_started = 0;1836
+1837
+static int fips_is_owning_thread(void);1838
+static int fips_set_owning_thread(void);1839
+static int fips_clear_owning_thread(void);1840
+1841
+static CRYPTO_RWLOCK *fips_lock = NULL;1842
+static CRYPTO_RWLOCK *fips_owning_lock = NULL;1843
+static CRYPTO_ONCE fips_lock_init = CRYPTO_ONCE_STATIC_INIT;1844
+1845
+DEFINE_RUN_ONCE_STATIC(do_fips_lock_init)1846
+{1847
+ fips_lock = CRYPTO_THREAD_lock_new();1848
+ fips_owning_lock = CRYPTO_THREAD_lock_new();1849
+ return fips_lock != NULL && fips_owning_lock != NULL;1850
+}1851
+1852
+# define fips_w_lock() CRYPTO_THREAD_write_lock(fips_lock)1853
+# define fips_w_unlock() CRYPTO_THREAD_unlock(fips_lock)1854
+# define fips_r_lock() CRYPTO_THREAD_read_lock(fips_lock)1855
+# define fips_r_unlock() CRYPTO_THREAD_unlock(fips_lock)1856
+1857
+static void fips_set_mode(int onoff)1858
+{1859
+ int owning_thread = fips_is_owning_thread();1860
+1861
+ if (fips_started) {1862
+ if (!owning_thread)1863
+ fips_w_lock();1864
+ fips_mode = onoff;1865
+ if (!owning_thread)1866
+ fips_w_unlock();1867
+ }1868
+}1869
+1870
+int FIPS_module_mode(void)1871
+{1872
+ int ret = 0;1873
+ int owning_thread = fips_is_owning_thread();1874
+1875
+ if (fips_started) {1876
+ if (!owning_thread)1877
+ fips_r_lock();1878
+ ret = fips_mode;1879
+ if (!owning_thread)1880
+ fips_r_unlock();1881
+ }1882
+ return ret;1883
+}1884
+1885
+/* just a compat symbol - return NULL */1886
+int FIPS_selftest_failed(void)1887
+{1888
+ int ret = 0;1889
+ if (fips_started) {1890
+ int owning_thread = fips_is_owning_thread();1891
+1892
+ if (!owning_thread)1893
+ fips_r_lock();1894
+ ret = fips_selftest_fail;1895
+ if (!owning_thread)1896
+ fips_r_unlock();1897
+ }1898
+ return ret;1899
+}1900
+1901
+/* Selftest failure fatal exit routine. This will be called1902
+ * during *any* cryptographic operation. It has the minimum1903
+ * overhead possible to avoid too big a performance hit.1904
+ */1905
+1906
+void FIPS_selftest_check(void)1907
+{1908
+ if (fips_selftest_fail) {1909
+ OpenSSLDie(__FILE__, __LINE__, "FATAL FIPS SELFTEST FAILURE");1910
+ }1911
+}1912
+1913
+void fips_set_selftest_fail(void)1914
+{1915
+ fips_selftest_fail = 1;1916
+}1917
+1918
+/* we implement what libfipscheck does ourselves */1919
+1920
+static int1921
+get_library_path(const char *libname, const char *symbolname, char *path,1922
+ size_t pathlen)1923
+{1924
+ Dl_info info;1925
+ void *dl, *sym;1926
+ int rv = -1;1927
+1928
+ dl = dlopen(libname, RTLD_LAZY);1929
+ if (dl == NULL) {1930
+ return -1;1931
+ }1932
+1933
+ sym = dlsym(dl, symbolname);1934
+1935
+ if (sym != NULL && dladdr(sym, &info)) {1936
+ strncpy(path, info.dli_fname, pathlen - 1);1937
+ path[pathlen - 1] = '\0';1938
+ rv = 0;1939
+ }1940
+1941
+ dlclose(dl);1942
+1943
+ return rv;1944
+}1945
+1946
+static const char conv[] = "0123456789abcdef";1947
+1948
+static char *bin2hex(void *buf, size_t len)1949
+{1950
+ char *hex, *p;1951
+ unsigned char *src = buf;1952
+1953
+ hex = malloc(len * 2 + 1);1954
+ if (hex == NULL)1955
+ return NULL;1956
+1957
+ p = hex;1958
+1959
+ while (len > 0) {1960
+ unsigned c;1961
+1962
+ c = *src;1963
+ src++;1964
+1965
+ *p = conv[c >> 4];1966
+ ++p;1967
+ *p = conv[c & 0x0f];1968
+ ++p;1969
+ --len;1970
+ }1971
+ *p = '\0';1972
+ return hex;1973
+}1974
+1975
+# define HMAC_PREFIX "."1976
+# ifndef HMAC_SUFFIX1977
+# define HMAC_SUFFIX ".hmac"1978
+# endif1979
+# define READ_BUFFER_LENGTH 163841980
+1981
+static char *make_hmac_path(const char *origpath)1982
+{1983
+ char *path, *p;1984
+ const char *fn;1985
+1986
+ path =1987
+ malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));1988
+ if (path == NULL) {1989
+ return NULL;1990
+ }1991
+1992
+ fn = strrchr(origpath, '/');1993
+ if (fn == NULL) {1994
+ fn = origpath;1995
+ } else {1996
+ ++fn;1997
+ }1998
+1999
+ strncpy(path, origpath, fn - origpath);2000
+ p = path + (fn - origpath);2001
+ p = stpcpy(p, HMAC_PREFIX);2002
+ p = stpcpy(p, fn);2003
+ p = stpcpy(p, HMAC_SUFFIX);2004
+2005
+ return path;2006
+}2007
+2008
+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";2009
+2010
+static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)2011
+{2012
+ FILE *f = NULL;2013
+ int rv = -1;2014
+ unsigned char rbuf[READ_BUFFER_LENGTH];2015
+ size_t len;2016
+ unsigned int hlen;2017
+ HMAC_CTX *c;2018
+2019
+ c = HMAC_CTX_new();2020
+ if (c == NULL)2021
+ return rv;2022
+2023
+ f = fopen(path, "r");2024
+2025
+ if (f == NULL) {2026
+ goto end;2027
+ }2028
+2029
+ if (HMAC_Init_ex(c, hmackey, sizeof(hmackey) - 1, EVP_sha256(), NULL) <= 0) {2030
+ goto end;2031
+ }2032
+2033
+ while ((len = fread(rbuf, 1, sizeof(rbuf), f)) != 0) {2034
+ if (HMAC_Update(c, rbuf, len) <= 0) {2035
+ goto end;2036
+ }2037
+ }2038
+2039
+ len = sizeof(rbuf);2040
+ /* reuse rbuf for hmac */2041
+ if (HMAC_Final(c, rbuf, &hlen) <= 0) {2042
+ goto end;2043
+ }2044
+2045
+ *buf = malloc(hlen);2046
+ if (*buf == NULL) {2047
+ goto end;2048
+ }2049
+2050
+ *hmaclen = hlen;2051
+2052
+ memcpy(*buf, rbuf, hlen);2053
+2054
+ rv = 0;2055
+ end:2056
+ HMAC_CTX_free(c);2057
+2058
+ if (f)2059
+ fclose(f);2060
+2061
+ return rv;2062
+}2063
+2064
+static int FIPSCHECK_verify(const char *path)2065
+{2066
+ int rv = 0;2067
+ FILE *hf;2068
+ char *hmacpath, *p;2069
+ char *hmac = NULL;2070
+ size_t n;2071
+2072
+ hmacpath = make_hmac_path(path);2073
+ if (hmacpath == NULL)2074
+ return 0;2075
+2076
+ hf = fopen(hmacpath, "r");2077
+ if (hf == NULL) {2078
+ free(hmacpath);2079
+ return 0;2080
+ }2081
+2082
+ if (getline(&hmac, &n, hf) > 0) {2083
+ void *buf;2084
+ size_t hmaclen;2085
+ char *hex;2086
+2087
+ if ((p = strchr(hmac, '\n')) != NULL)2088
+ *p = '\0';2089
+2090
+ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {2091
+ rv = -4;2092
+ goto end;2093
+ }2094
+2095
+ if ((hex = bin2hex(buf, hmaclen)) == NULL) {2096
+ free(buf);2097
+ rv = -5;2098
+ goto end;2099
+ }2100
+2101
+ if (strcmp(hex, hmac) != 0) {2102
+ rv = -1;2103
+ }2104
+ free(buf);2105
+ free(hex);2106
+ } else {2107
+ rv = -1;2108
+ }2109
+2110
+ end:2111
+ free(hmac);2112
+ free(hmacpath);2113
+ fclose(hf);2114
+2115
+ if (rv < 0)2116
+ return 0;2117
+2118
+ /* check successful */2119
+ return 1;2120
+}2121
+2122
+static int verify_checksums(void)2123
+{2124
+ int rv;2125
+ char path[PATH_MAX + 1];2126
+ char *p;2127
+2128
+ /* we need to avoid dlopening libssl, assume both libcrypto and libssl2129
+ are in the same directory */2130
+2131
+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER,2132
+ "FIPS_mode_set", path, sizeof(path));2133
+ if (rv < 0)2134
+ return 0;2135
+2136
+ rv = FIPSCHECK_verify(path);2137
+ if (!rv)2138
+ return 0;2139
+2140
+ /* replace libcrypto with libssl */2141
+ while ((p = strstr(path, "libcrypto.so")) != NULL) {2142
+ p = stpcpy(p, "libssl");2143
+ memmove(p, p + 3, strlen(p + 2));2144
+ }2145
+2146
+ rv = FIPSCHECK_verify(path);2147
+ if (!rv)2148
+ return 0;2149
+ return 1;2150
+}2151
+2152
+# ifndef FIPS_MODULE_PATH2153
+# define FIPS_MODULE_PATH "/etc/system-fips"2154
+# endif2155
+2156
+int FIPS_module_installed(void)2157
+{2158
+ int rv;2159
+ rv = access(FIPS_MODULE_PATH, F_OK);2160
+ if (rv < 0 && errno != ENOENT)2161
+ rv = 0;2162
+2163
+ /* Installed == true */2164
+ return !rv || FIPS_module_mode();2165
+}2166
+2167
+int FIPS_module_mode_set(int onoff)2168
+{2169
+ int ret = 0;2170
+2171
+ if (!RUN_ONCE(&fips_lock_init, do_fips_lock_init))2172
+ return 0;2173
+2174
+ fips_w_lock();2175
+ fips_started = 1;2176
+ fips_set_owning_thread();2177
+2178
+ if (onoff) {2179
+2180
+ fips_selftest_fail = 0;2181
+2182
+ /* Don't go into FIPS mode twice, just so we can do automagic2183
+ seeding */2184
+ if (FIPS_module_mode()) {2185
+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,2186
+ FIPS_R_FIPS_MODE_ALREADY_SET);2187
+ fips_selftest_fail = 1;2188
+ ret = 0;2189
+ goto end;2190
+ }2191
+# ifdef OPENSSL_IA32_SSE22192
+ {2193
+ extern unsigned int OPENSSL_ia32cap_P[2];2194
+ if ((OPENSSL_ia32cap_P[0] & (1 << 25 | 1 << 26)) !=2195
+ (1 << 25 | 1 << 26)) {2196
+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,2197
+ FIPS_R_UNSUPPORTED_PLATFORM);2198
+ fips_selftest_fail = 1;2199
+ ret = 0;2200
+ goto end;2201
+ }2202
+ }2203
+# endif2204
+2205
+ if (!FIPS_selftest()) {2206
+ fips_selftest_fail = 1;2207
+ ret = 0;2208
+ goto end;2209
+ }2210
+2211
+ if (!verify_checksums()) {2212
+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,2213
+ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);2214
+ fips_selftest_fail = 1;2215
+ ret = 0;2216
+ goto end;2217
+ }2218
+2219
+ fips_set_mode(onoff);2220
+ ret = 1;2221
+ goto end;2222
+ }2223
+ fips_set_mode(0);2224
+ fips_selftest_fail = 0;2225
+ ret = 1;2226
+ end:2227
+ fips_clear_owning_thread();2228
+ fips_w_unlock();2229
+ return ret;2230
+}2231
+2232
+static CRYPTO_THREAD_ID fips_threadid;2233
+static int fips_thread_set = 0;2234
+2235
+static int fips_is_owning_thread(void)2236
+{2237
+ int ret = 0;2238
+2239
+ if (fips_started) {2240
+ CRYPTO_THREAD_read_lock(fips_owning_lock);2241
+ if (fips_thread_set) {2242
+ CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id();2243
+ if (CRYPTO_THREAD_compare_id(fips_threadid, cur))2244
+ ret = 1;2245
+ }2246
+ CRYPTO_THREAD_unlock(fips_owning_lock);2247
+ }2248
+ return ret;2249
+}2250
+2251
+int fips_set_owning_thread(void)2252
+{2253
+ int ret = 0;2254
+2255
+ if (fips_started) {2256
+ CRYPTO_THREAD_write_lock(fips_owning_lock);2257
+ if (!fips_thread_set) {2258
+ fips_threadid = CRYPTO_THREAD_get_current_id();2259
+ ret = 1;2260
+ fips_thread_set = 1;2261
+ }2262
+ CRYPTO_THREAD_unlock(fips_owning_lock);2263
+ }2264
+ return ret;2265
+}2266
+2267
+int fips_clear_owning_thread(void)2268
+{2269
+ int ret = 0;2270
+2271
+ if (fips_started) {2272
+ CRYPTO_THREAD_write_lock(fips_owning_lock);2273
+ if (fips_thread_set) {2274
+ CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id();2275
+ if (CRYPTO_THREAD_compare_id(fips_threadid, cur))2276
+ fips_thread_set = 0;2277
+ }2278
+ CRYPTO_THREAD_unlock(fips_owning_lock);2279
+ }2280
+ return ret;2281
+}2282
+2283
+#endif2284
diff -up openssl-1.1.1j/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_cmac_selftest.c2285
--- openssl-1.1.1j/crypto/fips/fips_cmac_selftest.c.fips 2021-03-03 12:57:42.199734525 +01002286
+++ openssl-1.1.1j/crypto/fips/fips_cmac_selftest.c 2021-03-03 12:57:42.199734525 +01002287
2288
+/* ====================================================================2289
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.2290
+ *2291
+ * Redistribution and use in source and binary forms, with or without2292
+ * modification, are permitted provided that the following conditions2293
+ * are met:2294
+ *2295
+ * 1. Redistributions of source code must retain the above copyright2296
+ * notice, this list of conditions and the following disclaimer. 2297
+ *2298
+ * 2. Redistributions in binary form must reproduce the above copyright2299
+ * notice, this list of conditions and the following disclaimer in2300
+ * the documentation and/or other materials provided with the2301
+ * distribution.2302
+ *2303
+ * 3. All advertising materials mentioning features or use of this2304
+ * software must display the following acknowledgment:2305
+ * "This product includes software developed by the OpenSSL Project2306
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"2307
+ *2308
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to2309
+ * endorse or promote products derived from this software without2310
+ * prior written permission. For written permission, please contact2311
+ * openssl-core@openssl.org.2312
+ *2313
+ * 5. Products derived from this software may not be called "OpenSSL"2314
+ * nor may "OpenSSL" appear in their names without prior written2315
+ * permission of the OpenSSL Project.2316
+ *2317
+ * 6. Redistributions of any form whatsoever must retain the following2318
+ * acknowledgment:2319
+ * "This product includes software developed by the OpenSSL Project2320
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"2321
+ *2322
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY2323
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE2324
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR2325
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR2326
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,2327
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT2328
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;2329
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)2330
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,2331
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)2332
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED2333
+ * OF THE POSSIBILITY OF SUCH DAMAGE.2334
+ *2335
+ */2336
+2337
+#include <string.h>2338
+#include <openssl/err.h>2339
+#include <openssl/fips.h>2340
+#include "crypto/fips.h"2341
+#include <openssl/cmac.h>2342
+#include "fips_locl.h"2343
+2344
+#ifdef OPENSSL_FIPS2345
+typedef struct {2346
+ int nid;2347
+ const unsigned char key[EVP_MAX_KEY_LENGTH];2348
+ size_t keysize;2349
+ const unsigned char msg[64];2350
+ size_t msgsize;2351
+ const unsigned char mac[32];2352
+ size_t macsize;2353
+} CMAC_KAT;2354
+2355
+/* from http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf */2356
+static const CMAC_KAT vector[] = {2357
+ {NID_aes_128_cbc, /* Count = 32 from CMACGenAES128.txt */2358
+ {0x77, 0xa7, 0x7f, 0xaf, 0x29, 0x0c, 0x1f, 0xa3,2359
+ 0x0c, 0x68, 0x3d, 0xf1, 0x6b, 0xa7, 0xa7, 0x7b,}, 128,2360
+ {0x02, 0x06, 0x83, 0xe1, 0xf0, 0x39, 0x2f, 0x4c,2361
+ 0xac, 0x54, 0x31, 0x8b, 0x60, 0x29, 0x25, 0x9e,2362
+ 0x9c, 0x55, 0x3d, 0xbc, 0x4b, 0x6a, 0xd9, 0x98,2363
+ 0xe6, 0x4d, 0x58, 0xe4, 0xe7, 0xdc, 0x2e, 0x13,}, 256,2364
+ {0xfb, 0xfe, 0xa4, 0x1b,}, 32},2365
+ {NID_aes_192_cbc, /* Count = 23 from CMACGenAES192.txt */2366
+ {0x7b, 0x32, 0x39, 0x13, 0x69, 0xaa, 0x4c, 0xa9,2367
+ 0x75, 0x58, 0x09, 0x5b, 0xe3, 0xc3, 0xec, 0x86,2368
+ 0x2b, 0xd0, 0x57, 0xce, 0xf1, 0xe3, 0x2d, 0x62,}, 192,2369
+ {0x0}, 0,2370
+ {0xe4, 0xd9, 0x34, 0x0b, 0x03, 0xe6, 0x7d, 0xef,2371
+ 0xd4, 0x96, 0x9c, 0xc1, 0xed, 0x37, 0x35, 0xe6,}, 128,2372
+ },2373
+ {NID_aes_256_cbc, /* Count = 33 from CMACGenAES256.txt */2374
+ {0x0b, 0x12, 0x2a, 0xc8, 0xf3, 0x4e, 0xd1, 0xfe,2375
+ 0x08, 0x2a, 0x36, 0x25, 0xd1, 0x57, 0x56, 0x14,2376
+ 0x54, 0x16, 0x7a, 0xc1, 0x45, 0xa1, 0x0b, 0xbf,2377
+ 0x77, 0xc6, 0xa7, 0x05, 0x96, 0xd5, 0x74, 0xf1,}, 256,2378
+ {0x49, 0x8b, 0x53, 0xfd, 0xec, 0x87, 0xed, 0xcb,2379
+ 0xf0, 0x70, 0x97, 0xdc, 0xcd, 0xe9, 0x3a, 0x08,2380
+ 0x4b, 0xad, 0x75, 0x01, 0xa2, 0x24, 0xe3, 0x88,2381
+ 0xdf, 0x34, 0x9c, 0xe1, 0x89, 0x59, 0xfe, 0x84,2382
+ 0x85, 0xf8, 0xad, 0x15, 0x37, 0xf0, 0xd8, 0x96,2383
+ 0xea, 0x73, 0xbe, 0xdc, 0x72, 0x14, 0x71, 0x3f,}, 384,2384
+ {0xf6, 0x2c, 0x46, 0x32, 0x9b,}, 40,2385
+ },2386
+ {NID_des_ede3_cbc, /* Count = 41 from CMACGenTDES3.req */2387
+ {0x89, 0xbc, 0xd9, 0x52, 0xa8, 0xc8, 0xab, 0x37,2388
+ 0x1a, 0xf4, 0x8a, 0xc7, 0xd0, 0x70, 0x85, 0xd5,2389
+ 0xef, 0xf7, 0x02, 0xe6, 0xd6, 0x2c, 0xdc, 0x23,}, 192,2390
+ {0xfa, 0x62, 0x0c, 0x1b, 0xbe, 0x97, 0x31, 0x9e,2391
+ 0x9a, 0x0c, 0xf0, 0x49, 0x21, 0x21, 0xf7, 0xa2,2392
+ 0x0e, 0xb0, 0x8a, 0x6a, 0x70, 0x9d, 0xcb, 0xd0,2393
+ 0x0a, 0xaf, 0x38, 0xe4, 0xf9, 0x9e, 0x75, 0x4e,}, 256,2394
+ {0x8f, 0x49, 0xa1, 0xb7, 0xd6, 0xaa, 0x22, 0x58,}, 64,2395
+ },2396
+};2397
+2398
+int FIPS_selftest_cmac()2399
+{2400
+ size_t n, outlen;2401
+ unsigned char out[32];2402
+ const EVP_CIPHER *cipher;2403
+ CMAC_CTX *ctx = CMAC_CTX_new();2404
+ const CMAC_KAT *t;2405
+ int rv = 1;2406
+2407
+ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) {2408
+ cipher = EVP_get_cipherbynid(t->nid);2409
+ if (!cipher) {2410
+ rv = -1;2411
+ goto err;2412
+ }2413
+ if (!CMAC_Init(ctx, t->key, t->keysize / 8, cipher, 0)) {2414
+ rv = -1;2415
+ goto err;2416
+ }2417
+ if (!CMAC_Update(ctx, t->msg, t->msgsize / 8)) {2418
+ rv = -1;2419
+ goto err;2420
+ }2421
+2422
+ if (!CMAC_Final(ctx, out, &outlen)) {2423
+ rv = -1;2424
+ goto err;2425
+ }2426
+2427
+ if (outlen < t->macsize / 8 || memcmp(out, t->mac, t->macsize / 8)) {2428
+ rv = 0;2429
+ }2430
+ }2431
+2432
+ err:2433
+ CMAC_CTX_free(ctx);2434
+2435
+ if (rv == -1) {2436
+ rv = 0;2437
+ }2438
+ if (!rv)2439
+ FIPSerr(FIPS_F_FIPS_SELFTEST_CMAC, FIPS_R_SELFTEST_FAILED);2440
+2441
+ return rv;2442
+}2443
+#endif2444
diff -up openssl-1.1.1j/crypto/fips/fips_des_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_des_selftest.c2445
--- openssl-1.1.1j/crypto/fips/fips_des_selftest.c.fips 2021-03-03 12:57:42.199734525 +01002446
+++ openssl-1.1.1j/crypto/fips/fips_des_selftest.c 2021-03-03 12:57:42.199734525 +01002447
2448
+/* ====================================================================2449
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.2450
+ *2451
+ * Redistribution and use in source and binary forms, with or without2452
+ * modification, are permitted provided that the following conditions2453
+ * are met:2454
+ *2455
+ * 1. Redistributions of source code must retain the above copyright2456
+ * notice, this list of conditions and the following disclaimer. 2457
+ *2458
+ * 2. Redistributions in binary form must reproduce the above copyright2459
+ * notice, this list of conditions and the following disclaimer in2460
+ * the documentation and/or other materials provided with the2461
+ * distribution.2462
+ *2463
+ * 3. All advertising materials mentioning features or use of this2464
+ * software must display the following acknowledgment:2465
+ * "This product includes software developed by the OpenSSL Project2466
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"2467
+ *2468
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to2469
+ * endorse or promote products derived from this software without2470
+ * prior written permission. For written permission, please contact2471
+ * openssl-core@openssl.org.2472
+ *2473
+ * 5. Products derived from this software may not be called "OpenSSL"2474
+ * nor may "OpenSSL" appear in their names without prior written2475
+ * permission of the OpenSSL Project.2476
+ *2477
+ * 6. Redistributions of any form whatsoever must retain the following2478
+ * acknowledgment:2479
+ * "This product includes software developed by the OpenSSL Project2480
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"2481
+ *2482
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY2483
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE2484
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR2485
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR2486
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,2487
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT2488
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;2489
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)2490
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,2491
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)2492
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED2493
+ * OF THE POSSIBILITY OF SUCH DAMAGE.2494
+ *2495
+ */2496
+2497
+#include <string.h>2498
+#include <openssl/err.h>2499
+#ifdef OPENSSL_FIPS2500
+# include <openssl/fips.h>2501
+# include "crypto/fips.h"2502
+#endif2503
+#include <openssl/opensslconf.h>2504
+2505
+#ifdef OPENSSL_FIPS2506
+2507
+static const struct {2508
+ const unsigned char key[16];2509
+ const unsigned char plaintext[8];2510
+ const unsigned char ciphertext[8];2511
+} tests2[] = {2512
+ {2513
+ {2514
+ 0x7c, 0x4f, 0x6e, 0xf7, 0xa2, 0x04, 0x16, 0xec,2515
+ 0x0b, 0x6b, 0x7c, 0x9e, 0x5e, 0x19, 0xa7, 0xc4}, {2516
+ 0x06, 0xa7, 0xd8, 0x79, 0xaa, 0xce, 0x69, 0xef}, {2517
+ 0x4c, 0x11, 0x17, 0x55, 0xbf, 0xc4, 0x4e, 0xfd}2518
+ }, {2519
+ {2520
+ 0x5d, 0x9e, 0x01, 0xd3, 0x25, 0xc7, 0x3e, 0x34,2521
+ 0x01, 0x16, 0x7c, 0x85, 0x23, 0xdf, 0xe0, 0x68}, {2522
+ 0x9c, 0x50, 0x09, 0x0f, 0x5e, 0x7d, 0x69, 0x7e}, {2523
+ 0xd2, 0x0b, 0x18, 0xdf, 0xd9, 0x0d, 0x9e, 0xff},}2524
+};2525
+2526
+static const struct {2527
+ const unsigned char key[24];2528
+ const unsigned char plaintext[8];2529
+ const unsigned char ciphertext[8];2530
+} tests3[] = {2531
+ {2532
+ {2533
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,2534
+ 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,2535
+ 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0}, {2536
+ 0x8f, 0x8f, 0xbf, 0x9b, 0x5d, 0x48, 0xb4, 0x1c}, {2537
+ 0x59, 0x8c, 0xe5, 0xd3, 0x6c, 0xa2, 0xea, 0x1b},}, {2538
+ {2539
+ 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, 0xFE,2540
+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,2541
+ 0xED, 0x39, 0xD9, 0x50, 0xFA, 0x74, 0xBC, 0xC4}, {2542
+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}, {2543
+0x11, 0x25, 0xb0, 0x35, 0xbe, 0xa0, 0x82, 0x86},},};2544
+2545
+int FIPS_selftest_des()2546
+{2547
+ int n, ret = 0;2548
+ EVP_CIPHER_CTX *ctx;2549
+2550
+ ctx = EVP_CIPHER_CTX_new();2551
+ if (ctx == NULL)2552
+ goto err;2553
+2554
+ /* Encrypt/decrypt with 2-key 3DES and compare to known answers */2555
+ for (n = 0; n < 2; ++n) {2556
+ unsigned char plaintext[8];2557
+2558
+ memcpy(plaintext, tests2[n].plaintext, sizeof(plaintext));2559
+ if (!fips_cipher_test(ctx, EVP_des_ede_ecb(),2560
+ tests2[n].key, NULL,2561
+ plaintext, tests2[n].ciphertext, 8))2562
+ goto err;2563
+ }2564
+2565
+ /* Encrypt/decrypt with 3DES and compare to known answers */2566
+ for (n = 0; n < 2; ++n) {2567
+ if (!fips_cipher_test(ctx, EVP_des_ede3_ecb(),2568
+ tests3[n].key, NULL,2569
+ tests3[n].plaintext, tests3[n].ciphertext, 8))2570
+ goto err;2571
+ }2572
+ ret = 1;2573
+ err:2574
+ EVP_CIPHER_CTX_free(ctx);2575
+ if (ret == 0)2576
+ FIPSerr(FIPS_F_FIPS_SELFTEST_DES, FIPS_R_SELFTEST_FAILED);2577
+2578
+ return ret;2579
+}2580
+#endif2581
diff -up openssl-1.1.1j/crypto/fips/fips_dh_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_dh_selftest.c2582
--- openssl-1.1.1j/crypto/fips/fips_dh_selftest.c.fips 2021-03-03 12:57:42.199734525 +01002583
+++ openssl-1.1.1j/crypto/fips/fips_dh_selftest.c 2021-03-03 12:57:42.199734525 +01002584
2585
+/* ====================================================================2586
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.2587
+ * Copyright (c) 2013 Red Hat, Inc.2588
+ *2589
+ * Redistribution and use in source and binary forms, with or without2590
+ * modification, are permitted provided that the following conditions2591
+ * are met:2592
+ *2593
+ * 1. Redistributions of source code must retain the above copyright2594
+ * notice, this list of conditions and the following disclaimer. 2595
+ *2596
+ * 2. Redistributions in binary form must reproduce the above copyright2597
+ * notice, this list of conditions and the following disclaimer in2598
+ * the documentation and/or other materials provided with the2599
+ * distribution.2600
+ *2601
+ * 3. All advertising materials mentioning features or use of this2602
+ * software must display the following acknowledgment:2603
+ * "This product includes software developed by the OpenSSL Project2604
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"2605
+ *2606
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to2607
+ * endorse or promote products derived from this software without2608
+ * prior written permission. For written permission, please contact2609
+ * openssl-core@openssl.org.2610
+ *2611
+ * 5. Products derived from this software may not be called "OpenSSL"2612
+ * nor may "OpenSSL" appear in their names without prior written2613
+ * permission of the OpenSSL Project.2614
+ *2615
+ * 6. Redistributions of any form whatsoever must retain the following2616
+ * acknowledgment:2617
+ * "This product includes software developed by the OpenSSL Project2618
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"2619
+ *2620
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY2621
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE2622
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR2623
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR2624
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,2625
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT2626
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;2627
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)2628
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,2629
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)2630
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED2631
+ * OF THE POSSIBILITY OF SUCH DAMAGE.2632
+ *2633
+ */2634
+2635
+#include <string.h>2636
+#include <openssl/crypto.h>2637
+#include <openssl/dh.h>2638
+#include <openssl/fips.h>2639
+#include <openssl/err.h>2640
+#include <openssl/evp.h>2641
+#include <openssl/bn.h>2642
+#include "fips_locl.h"2643
+2644
+#ifdef OPENSSL_FIPS2645
+2646
+static const unsigned char dh_test_2048_p[] = {2647
+ 0xAE, 0xEC, 0xEE, 0x22, 0xFA, 0x3A, 0xA5, 0x22, 0xC0, 0xDE, 0x0F, 0x09,2648
+ 0x7E, 0x17, 0xC0, 0x05, 0xF9, 0xF1, 0xE7, 0xC6, 0x87, 0x14, 0x6D, 0x11,2649
+ 0xE7, 0xAE, 0xED, 0x2F, 0x72, 0x59, 0xC5, 0xA9, 0x9B, 0xB8, 0x02, 0xA5,2650
+ 0xF3, 0x69, 0x70, 0xD6, 0xDD, 0x90, 0xF9, 0x19, 0x79, 0xBE, 0x60, 0x8F,2651
+ 0x25, 0x92, 0x30, 0x1C, 0x51, 0x51, 0x38, 0x26, 0x82, 0x25, 0xE6, 0xFC,2652
+ 0xED, 0x65, 0x96, 0x8F, 0x57, 0xE5, 0x53, 0x8B, 0x38, 0x63, 0xC7, 0xCE,2653
+ 0xBC, 0x1B, 0x4D, 0x18, 0x2A, 0x5B, 0x04, 0x3F, 0x6A, 0x3C, 0x94, 0x39,2654
+ 0xAE, 0x36, 0xD6, 0x5E, 0x0F, 0xA2, 0xCC, 0xD0, 0xD4, 0xD5, 0xC6, 0x1E,2655
+ 0xF6, 0xA0, 0xF5, 0x89, 0x4E, 0xB4, 0x0B, 0xA4, 0xB3, 0x2B, 0x3D, 0xE2,2656
+ 0x4E, 0xE1, 0x49, 0x25, 0x99, 0x5F, 0x32, 0x16, 0x33, 0x32, 0x1B, 0x7A,2657
+ 0xA5, 0x5C, 0x6B, 0x34, 0x0D, 0x39, 0x99, 0xDC, 0xF0, 0x76, 0xE5, 0x5A,2658
+ 0xD4, 0x71, 0x00, 0xED, 0x5A, 0x73, 0xFB, 0xC8, 0x01, 0xAD, 0x99, 0xCF,2659
+ 0x99, 0x52, 0x7C, 0x9C, 0x64, 0xC6, 0x76, 0x40, 0x57, 0xAF, 0x59, 0xD7,2660
+ 0x38, 0x0B, 0x40, 0xDE, 0x33, 0x0D, 0xB8, 0x76, 0xEC, 0xA9, 0xD8, 0x73,2661
+ 0xF8, 0xEF, 0x26, 0x66, 0x06, 0x27, 0xDD, 0x7C, 0xA4, 0x10, 0x9C, 0xA6,2662
+ 0xAA, 0xF9, 0x53, 0x62, 0x73, 0x1D, 0xBA, 0x1C, 0xF1, 0x67, 0xF4, 0x35,2663
+ 0xED, 0x6F, 0x37, 0x92, 0xE8, 0x4F, 0x6C, 0xBA, 0x52, 0x6E, 0xA1, 0xED,2664
+ 0xDA, 0x9F, 0x85, 0x11, 0x82, 0x52, 0x62, 0x08, 0x44, 0xF1, 0x30, 0x03,2665
+ 0xC3, 0x38, 0x2C, 0x79, 0xBD, 0xD4, 0x43, 0x45, 0xEE, 0x8E, 0x50, 0xFC,2666
+ 0x29, 0x46, 0x9A, 0xFE, 0x54, 0x1A, 0x19, 0x8F, 0x4B, 0x84, 0x08, 0xDE,2667
+ 0x20, 0x62, 0x73, 0xCC, 0xDD, 0x7E, 0xF0, 0xEF, 0xA2, 0xFD, 0x86, 0x58,2668
+ 0x4B, 0xD8, 0x37, 0xEB2669
+};2670
+2671
+static const unsigned char dh_test_2048_g[] = {2672
+ 0x022673
+};2674
+2675
+static const unsigned char dh_test_2048_pub_key[] = {2676
+ 0xA0, 0x39, 0x11, 0x77, 0x9A, 0xC1, 0x30, 0x1F, 0xBE, 0x48, 0xA7, 0xAA,2677
+ 0xA0, 0x84, 0x54, 0x64, 0xAD, 0x1B, 0x70, 0xFA, 0x13, 0x55, 0x63, 0xD2,2678
+ 0x1F, 0x62, 0x32, 0x93, 0x8E, 0xC9, 0x3E, 0x09, 0xA7, 0x64, 0xE4, 0x12,2679
+ 0x6E, 0x1B, 0xF2, 0x92, 0x3B, 0xB9, 0xCB, 0x56, 0xEA, 0x07, 0x88, 0xB5,2680
+ 0xA6, 0xBC, 0x16, 0x1F, 0x27, 0xFE, 0xD8, 0xAA, 0x40, 0xB2, 0xB0, 0x2D,2681
+ 0x37, 0x76, 0xA6, 0xA4, 0x82, 0x2C, 0x0E, 0x22, 0x64, 0x9D, 0xCB, 0xD1,2682
+ 0x00, 0xB7, 0x89, 0x14, 0x72, 0x4E, 0xBE, 0x48, 0x41, 0xF8, 0xB2, 0x51,2683
+ 0x11, 0x09, 0x4B, 0x22, 0x01, 0x23, 0x39, 0x96, 0xE0, 0x15, 0xD7, 0x9F,2684
+ 0x60, 0xD1, 0xB7, 0xAE, 0xFE, 0x5F, 0xDB, 0xE7, 0x03, 0x17, 0x97, 0xA6,2685
+ 0x16, 0x74, 0xBD, 0x53, 0x81, 0x19, 0xC5, 0x47, 0x5E, 0xCE, 0x8D, 0xED,2686
+ 0x45, 0x5D, 0x3C, 0x00, 0xA0, 0x0A, 0x68, 0x6A, 0xE0, 0x8E, 0x06, 0x46,2687
+ 0x6F, 0xD7, 0xF9, 0xDF, 0x31, 0x7E, 0x77, 0x44, 0x0D, 0x98, 0xE0, 0xCA,2688
+ 0x98, 0x09, 0x52, 0x04, 0x90, 0xEA, 0x6D, 0xF4, 0x30, 0x69, 0x8F, 0xB1,2689
+ 0x9B, 0xC1, 0x43, 0xDB, 0xD5, 0x8D, 0xC8, 0x8E, 0xB6, 0x0B, 0x05, 0xBE,2690
+ 0x0E, 0xC5, 0x99, 0xC8, 0x6E, 0x4E, 0xF3, 0xCB, 0xC3, 0x5E, 0x9B, 0x53,2691
+ 0xF7, 0x06, 0x1C, 0x4F, 0xC7, 0xB8, 0x6E, 0x30, 0x18, 0xCA, 0x9B, 0xB9,2692
+ 0xBC, 0x5F, 0x17, 0x72, 0x29, 0x5A, 0xE5, 0xD9, 0x96, 0xB7, 0x0B, 0xF3,2693
+ 0x2D, 0x8C, 0xF1, 0xE1, 0x0E, 0x0D, 0x74, 0xD5, 0x9D, 0xF0, 0x06, 0xA9,2694
+ 0xB4, 0x95, 0x63, 0x76, 0x46, 0x55, 0x48, 0x82, 0x39, 0x90, 0xEF, 0x56,2695
+ 0x75, 0x34, 0xB8, 0x34, 0xC3, 0x18, 0x6E, 0x1E, 0xAD, 0xE3, 0x48, 0x7E,2696
+ 0x93, 0x2C, 0x23, 0xE7, 0xF8, 0x90, 0x73, 0xB1, 0x77, 0x80, 0x67, 0xA9,2697
+ 0x36, 0x9E, 0xDA, 0xD22698
+};2699
+2700
+static const unsigned char dh_test_2048_priv_key[] = {2701
+ 0x0C, 0x4B, 0x30, 0x89, 0xD1, 0xB8, 0x62, 0xCB, 0x3C, 0x43, 0x64, 0x91,2702
+ 0xF0, 0x91, 0x54, 0x70, 0xC5, 0x27, 0x96, 0xE3, 0xAC, 0xBE, 0xE8, 0x00,2703
+ 0xEC, 0x55, 0xF6, 0xCC2704
+};2705
+2706
+int FIPS_selftest_dh()2707
+{2708
+ DH *dh = NULL;2709
+ int ret = 0;2710
+ void *pub_key_bin = NULL;2711
+ int len;2712
+ BIGNUM *p = NULL, *g = NULL, *priv_key = NULL, *tmp_pub_key = NULL;2713
+ const BIGNUM *pub_key;2714
+2715
+ fips_load_key_component(p, dh_test_2048);2716
+ fips_load_key_component(g, dh_test_2048);2717
+ /* note that the private key is much shorter than normally used2718
+ * but still g ** priv_key > p2719
+ */2720
+ fips_load_key_component(priv_key, dh_test_2048);2721
+ if ((tmp_pub_key = BN_new()) == NULL)2722
+ goto err;2723
+2724
+ dh = DH_new();2725
+2726
+ if (dh == NULL)2727
+ goto err;2728
+2729
+ DH_set0_pqg(dh, p, NULL, g);2730
+ DH_set0_key(dh, tmp_pub_key, priv_key);2731
+2732
+ if (DH_generate_key(dh) <= 0)2733
+ goto err;2734
+2735
+ DH_get0_key(dh, &pub_key, NULL);2736
+2737
+ if (pub_key == NULL)2738
+ goto err;2739
+2740
+ len = BN_num_bytes(pub_key);2741
+ if ((pub_key_bin = OPENSSL_malloc(len)) == NULL)2742
+ goto err;2743
+ BN_bn2bin(pub_key, pub_key_bin);2744
+2745
+ if (len != sizeof(dh_test_2048_pub_key) ||2746
+ memcmp(pub_key_bin, dh_test_2048_pub_key, len) != 0)2747
+ goto err;2748
+2749
+ ret = 1;2750
+2751
+ err:2752
+ if (dh)2753
+ DH_free(dh);2754
+ else {2755
+ BN_free(p);2756
+ BN_free(g);2757
+ BN_free(priv_key);2758
+ BN_free(tmp_pub_key);2759
+ }2760
+2761
+ OPENSSL_free(pub_key_bin);2762
+ return ret;2763
+}2764
+#endif2765
diff -up openssl-1.1.1j/crypto/fips/fips_drbg_ctr.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_ctr.c2766
--- openssl-1.1.1j/crypto/fips/fips_drbg_ctr.c.fips 2021-03-03 12:57:42.199734525 +01002767
+++ openssl-1.1.1j/crypto/fips/fips_drbg_ctr.c 2021-03-03 12:57:42.199734525 +01002768
2769
+/* fips/rand/fips_drbg_ctr.c */2770
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL2771
+ * project.2772
+ */2773
+/* ====================================================================2774
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.2775
+ *2776
+ * Redistribution and use in source and binary forms, with or without2777
+ * modification, are permitted provided that the following conditions2778
+ * are met:2779
+ *2780
+ * 1. Redistributions of source code must retain the above copyright2781
+ * notice, this list of conditions and the following disclaimer. 2782
+ *2783
+ * 2. Redistributions in binary form must reproduce the above copyright2784
+ * notice, this list of conditions and the following disclaimer in2785
+ * the documentation and/or other materials provided with the2786
+ * distribution.2787
+ *2788
+ * 3. All advertising materials mentioning features or use of this2789
+ * software must display the following acknowledgment:2790
+ * "This product includes software developed by the OpenSSL Project2791
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"2792
+ *2793
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to2794
+ * endorse or promote products derived from this software without2795
+ * prior written permission. For written permission, please contact2796
+ * licensing@OpenSSL.org.2797
+ *2798
+ * 5. Products derived from this software may not be called "OpenSSL"2799
+ * nor may "OpenSSL" appear in their names without prior written2800
+ * permission of the OpenSSL Project.2801
+ *2802
+ * 6. Redistributions of any form whatsoever must retain the following2803
+ * acknowledgment:2804
+ * "This product includes software developed by the OpenSSL Project2805
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"2806
+ *2807
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY2808
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE2809
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR2810
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR2811
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,2812
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT2813
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;2814
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)2815
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,2816
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)2817
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED2818
+ * OF THE POSSIBILITY OF SUCH DAMAGE.2819
+ * ====================================================================2820
+ */2821
+2822
+#include <stdlib.h>2823
+#include <string.h>2824
+#include <openssl/crypto.h>2825
+#include <openssl/fips.h>2826
+#include <openssl/fips_rand.h>2827
+#include "fips_rand_lcl.h"2828
+2829
+static void inc_128(DRBG_CTR_CTX * cctx)2830
+{2831
+ int i;2832
+ unsigned char c;2833
+ unsigned char *p = cctx->V + 15;2834
+ for (i = 0; i < 16; i++) {2835
+ c = *p;2836
+ c++;2837
+ *p = c;2838
+ if (c)2839
+ return;2840
+ p--;2841
+ }2842
+}2843
+2844
+static void ctr_XOR(DRBG_CTR_CTX * cctx, const unsigned char *in,2845
+ size_t inlen)2846
+{2847
+ size_t i, n;2848
+ /* Any zero padding will have no effect on the result as we2849
+ * are XORing. So just process however much input we have.2850
+ */2851
+2852
+ if (!in || !inlen)2853
+ return;2854
+2855
+ if (inlen < cctx->keylen)2856
+ n = inlen;2857
+ else2858
+ n = cctx->keylen;2859
+2860
+ for (i = 0; i < n; i++)2861
+ cctx->K[i] ^= in[i];2862
+ if (inlen <= cctx->keylen)2863
+ return;2864
+2865
+ n = inlen - cctx->keylen;2866
+ /* Should never happen */2867
+ if (n > 16)2868
+ n = 16;2869
+ for (i = 0; i < 16; i++)2870
+ cctx->V[i] ^= in[i + cctx->keylen];2871
+}2872
+2873
+/* Process a complete block using BCC algorithm of SPP 800-90 10.4.3 */2874
+2875
+static void ctr_BCC_block(DRBG_CTR_CTX * cctx, unsigned char *out,2876
+ const unsigned char *in)2877
+{2878
+ int i;2879
+ for (i = 0; i < 16; i++)2880
+ out[i] ^= in[i];2881
+ AES_encrypt(out, out, &cctx->df_ks);2882
+#if 02883
+ fprintf(stderr, "BCC in+out\n");2884
+ BIO_dump_fp(stderr, in, 16);2885
+ BIO_dump_fp(stderr, out, 16);2886
+#endif2887
+}2888
+2889
+/* Handle several BCC operations for as much data as we need for K and X */2890
+static void ctr_BCC_blocks(DRBG_CTR_CTX * cctx, const unsigned char *in)2891
+{2892
+ ctr_BCC_block(cctx, cctx->KX, in);2893
+ ctr_BCC_block(cctx, cctx->KX + 16, in);2894
+ if (cctx->keylen != 16)2895
+ ctr_BCC_block(cctx, cctx->KX + 32, in);2896
+}2897
+2898
+/* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:2899
+ * see 10.4.2 stage 7.2900
+ */2901
+static void ctr_BCC_init(DRBG_CTR_CTX * cctx)2902
+{2903
+ memset(cctx->KX, 0, 48);2904
+ memset(cctx->bltmp, 0, 16);2905
+ ctr_BCC_block(cctx, cctx->KX, cctx->bltmp);2906
+ cctx->bltmp[3] = 1;2907
+ ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp);2908
+ if (cctx->keylen != 16) {2909
+ cctx->bltmp[3] = 2;2910
+ ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp);2911
+ }2912
+}2913
+2914
+/* Process several blocks into BCC algorithm, some possibly partial */2915
+static void ctr_BCC_update(DRBG_CTR_CTX * cctx,2916
+ const unsigned char *in, size_t inlen)2917
+{2918
+ if (!in || !inlen)2919
+ return;2920
+ /* If we have partial block handle it first */2921
+ if (cctx->bltmp_pos) {2922
+ size_t left = 16 - cctx->bltmp_pos;2923
+ /* If we now have a complete block process it */2924
+ if (inlen >= left) {2925
+ memcpy(cctx->bltmp + cctx->bltmp_pos, in, left);2926
+ ctr_BCC_blocks(cctx, cctx->bltmp);2927
+ cctx->bltmp_pos = 0;2928
+ inlen -= left;2929
+ in += left;2930
+ }2931
+ }2932
+ /* Process zero or more complete blocks */2933
+ while (inlen >= 16) {2934
+ ctr_BCC_blocks(cctx, in);2935
+ in += 16;2936
+ inlen -= 16;2937
+ }2938
+ /* Copy any remaining partial block to the temporary buffer */2939
+ if (inlen > 0) {2940
+ memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen);2941
+ cctx->bltmp_pos += inlen;2942
+ }2943
+}2944
+2945
+static void ctr_BCC_final(DRBG_CTR_CTX * cctx)2946
+{2947
+ if (cctx->bltmp_pos) {2948
+ memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos);2949
+ ctr_BCC_blocks(cctx, cctx->bltmp);2950
+ }2951
+}2952
+2953
+static void ctr_df(DRBG_CTR_CTX * cctx,2954
+ const unsigned char *in1, size_t in1len,2955
+ const unsigned char *in2, size_t in2len,2956
+ const unsigned char *in3, size_t in3len)2957
+{2958
+ size_t inlen;2959
+ unsigned char *p = cctx->bltmp;2960
+ static unsigned char c80 = 0x80;2961
+2962
+ ctr_BCC_init(cctx);2963
+ if (!in1)2964
+ in1len = 0;2965
+ if (!in2)2966
+ in2len = 0;2967
+ if (!in3)2968
+ in3len = 0;2969
+ inlen = in1len + in2len + in3len;2970
+ /* Initialise L||N in temporary block */2971
+ *p++ = (inlen >> 24) & 0xff;2972
+ *p++ = (inlen >> 16) & 0xff;2973
+ *p++ = (inlen >> 8) & 0xff;2974
+ *p++ = inlen & 0xff;2975
+ /* NB keylen is at most 32 bytes */2976
+ *p++ = 0;2977
+ *p++ = 0;2978
+ *p++ = 0;2979
+ *p = (unsigned char)((cctx->keylen + 16) & 0xff);2980
+ cctx->bltmp_pos = 8;2981
+ ctr_BCC_update(cctx, in1, in1len);2982
+ ctr_BCC_update(cctx, in2, in2len);2983
+ ctr_BCC_update(cctx, in3, in3len);2984
+ ctr_BCC_update(cctx, &c80, 1);2985
+ ctr_BCC_final(cctx);2986
+ /* Set up key K */2987
+ AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks);2988
+ /* X follows key K */2989
+ AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks);2990
+ AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks);2991
+ if (cctx->keylen != 16)2992
+ AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks);2993
+#if 02994
+ fprintf(stderr, "Output of ctr_df:\n");2995
+ BIO_dump_fp(stderr, cctx->KX, cctx->keylen + 16);2996
+#endif2997
+}2998
+2999
+/* NB the no-df Update in SP800-90 specifies a constant input length3000
+ * of seedlen, however other uses of this algorithm pad the input with3001
+ * zeroes if necessary and have up to two parameters XORed together,3002
+ * handle both cases in this function instead.3003
+ */3004
+3005
+static void ctr_Update(DRBG_CTX *dctx,3006
+ const unsigned char *in1, size_t in1len,3007
+ const unsigned char *in2, size_t in2len,3008
+ const unsigned char *nonce, size_t noncelen)3009
+{3010
+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;3011
+ /* ks is already setup for correct key */3012
+ inc_128(cctx);3013
+ AES_encrypt(cctx->V, cctx->K, &cctx->ks);3014
+ /* If keylen longer than 128 bits need extra encrypt */3015
+ if (cctx->keylen != 16) {3016
+ inc_128(cctx);3017
+ AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks);3018
+ }3019
+ inc_128(cctx);3020
+ AES_encrypt(cctx->V, cctx->V, &cctx->ks);3021
+ /* If 192 bit key part of V is on end of K */3022
+ if (cctx->keylen == 24) {3023
+ memcpy(cctx->V + 8, cctx->V, 8);3024
+ memcpy(cctx->V, cctx->K + 24, 8);3025
+ }3026
+3027
+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {3028
+ /* If no input reuse existing derived value */3029
+ if (in1 || nonce || in2)3030
+ ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len);3031
+ /* If this a reuse input in1len != 0 */3032
+ if (in1len)3033
+ ctr_XOR(cctx, cctx->KX, dctx->seedlen);3034
+ } else {3035
+ ctr_XOR(cctx, in1, in1len);3036
+ ctr_XOR(cctx, in2, in2len);3037
+ }3038
+3039
+ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);3040
+#if 03041
+ fprintf(stderr, "K+V after update is:\n");3042
+ BIO_dump_fp(stderr, cctx->K, cctx->keylen);3043
+ BIO_dump_fp(stderr, cctx->V, 16);3044
+#endif3045
+}3046
+3047
+static int drbg_ctr_instantiate(DRBG_CTX *dctx,3048
+ const unsigned char *ent, size_t entlen,3049
+ const unsigned char *nonce, size_t noncelen,3050
+ const unsigned char *pers, size_t perslen)3051
+{3052
+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;3053
+ memset(cctx->K, 0, sizeof(cctx->K));3054
+ memset(cctx->V, 0, sizeof(cctx->V));3055
+ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);3056
+ ctr_Update(dctx, ent, entlen, pers, perslen, nonce, noncelen);3057
+ return 1;3058
+}3059
+3060
+static int drbg_ctr_reseed(DRBG_CTX *dctx,3061
+ const unsigned char *ent, size_t entlen,3062
+ const unsigned char *adin, size_t adinlen)3063
+{3064
+ ctr_Update(dctx, ent, entlen, adin, adinlen, NULL, 0);3065
+ return 1;3066
+}3067
+3068
+static int drbg_ctr_generate(DRBG_CTX *dctx,3069
+ unsigned char *out, size_t outlen,3070
+ const unsigned char *adin, size_t adinlen)3071
+{3072
+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;3073
+ if (adin && adinlen) {3074
+ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);3075
+ /* This means we reuse derived value */3076
+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {3077
+ adin = NULL;3078
+ adinlen = 1;3079
+ }3080
+ } else3081
+ adinlen = 0;3082
+3083
+ for (;;) {3084
+ inc_128(cctx);3085
+ if (outlen < 16) {3086
+ /* Use K as temp space as it will be updated */3087
+ AES_encrypt(cctx->V, cctx->K, &cctx->ks);3088
+ memcpy(out, cctx->K, outlen);3089
+ break;3090
+ }3091
+ AES_encrypt(cctx->V, out, &cctx->ks);3092
+ out += 16;3093
+ outlen -= 16;3094
+ if (outlen == 0)3095
+ break;3096
+ }3097
+3098
+ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);3099
+3100
+ return 1;3101
+3102
+}3103
+3104
+static int drbg_ctr_uninstantiate(DRBG_CTX *dctx)3105
+{3106
+ memset(&dctx->d.ctr, 0, sizeof(DRBG_CTR_CTX));3107
+ return 1;3108
+}3109
+3110
+int fips_drbg_ctr_init(DRBG_CTX *dctx)3111
+{3112
+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;3113
+3114
+ size_t keylen;3115
+3116
+ switch (dctx->type) {3117
+ case NID_aes_128_ctr:3118
+ keylen = 16;3119
+ break;3120
+3121
+ case NID_aes_192_ctr:3122
+ keylen = 24;3123
+ break;3124
+3125
+ case NID_aes_256_ctr:3126
+ keylen = 32;3127
+ break;3128
+3129
+ default:3130
+ return -2;3131
+ }3132
+3133
+ dctx->instantiate = drbg_ctr_instantiate;3134
+ dctx->reseed = drbg_ctr_reseed;3135
+ dctx->generate = drbg_ctr_generate;3136
+ dctx->uninstantiate = drbg_ctr_uninstantiate;3137
+3138
+ cctx->keylen = keylen;3139
+ dctx->strength = keylen * 8;3140
+ dctx->blocklength = 16;3141
+ dctx->seedlen = keylen + 16;3142
+3143
+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {3144
+ /* df initialisation */3145
+ static unsigned char df_key[32] = {3146
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,3147
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,3148
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,3149
+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f3150
+ };3151
+ /* Set key schedule for df_key */3152
+ AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks);3153
+3154
+ dctx->min_entropy = cctx->keylen;3155
+ dctx->max_entropy = DRBG_MAX_LENGTH;3156
+ dctx->min_nonce = dctx->min_entropy / 2;3157
+ dctx->max_nonce = DRBG_MAX_LENGTH;3158
+ dctx->max_pers = DRBG_MAX_LENGTH;3159
+ dctx->max_adin = DRBG_MAX_LENGTH;3160
+ } else {3161
+ dctx->min_entropy = dctx->seedlen;3162
+ dctx->max_entropy = dctx->seedlen;3163
+ /* Nonce not used */3164
+ dctx->min_nonce = 0;3165
+ dctx->max_nonce = 0;3166
+ dctx->max_pers = dctx->seedlen;3167
+ dctx->max_adin = dctx->seedlen;3168
+ }3169
+3170
+ dctx->max_request = 1 << 16;3171
+ dctx->reseed_interval = 1 << 24;3172
+3173
+ return 1;3174
+}3175
diff -up openssl-1.1.1j/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_hash.c3176
--- openssl-1.1.1j/crypto/fips/fips_drbg_hash.c.fips 2021-03-03 12:57:42.199734525 +01003177
+++ openssl-1.1.1j/crypto/fips/fips_drbg_hash.c 2021-03-03 12:57:42.199734525 +01003178
3179
+/* fips/rand/fips_drbg_hash.c */3180
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL3181
+ * project.3182
+ */3183
+/* ====================================================================3184
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.3185
+ *3186
+ * Redistribution and use in source and binary forms, with or without3187
+ * modification, are permitted provided that the following conditions3188
+ * are met:3189
+ *3190
+ * 1. Redistributions of source code must retain the above copyright3191
+ * notice, this list of conditions and the following disclaimer. 3192
+ *3193
+ * 2. Redistributions in binary form must reproduce the above copyright3194
+ * notice, this list of conditions and the following disclaimer in3195
+ * the documentation and/or other materials provided with the3196
+ * distribution.3197
+ *3198
+ * 3. All advertising materials mentioning features or use of this3199
+ * software must display the following acknowledgment:3200
+ * "This product includes software developed by the OpenSSL Project3201
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"3202
+ *3203
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to3204
+ * endorse or promote products derived from this software without3205
+ * prior written permission. For written permission, please contact3206
+ * licensing@OpenSSL.org.3207
+ *3208
+ * 5. Products derived from this software may not be called "OpenSSL"3209
+ * nor may "OpenSSL" appear in their names without prior written3210
+ * permission of the OpenSSL Project.3211
+ *3212
+ * 6. Redistributions of any form whatsoever must retain the following3213
+ * acknowledgment:3214
+ * "This product includes software developed by the OpenSSL Project3215
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"3216
+ *3217
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY3218
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE3219
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR3220
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR3221
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,3222
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT3223
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;3224
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)3225
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,3226
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)3227
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED3228
+ * OF THE POSSIBILITY OF SUCH DAMAGE.3229
+ * ====================================================================3230
+ */3231
+3232
+#define OPENSSL_FIPSAPI3233
+3234
+#include <stdlib.h>3235
+#include <string.h>3236
+#include <openssl/crypto.h>3237
+#include <openssl/fips.h>3238
+#include "crypto/fips.h"3239
+#include <openssl/fips_rand.h>3240
+#include "fips_rand_lcl.h"3241
+3242
+/* This is Hash_df from SP 800-90 10.4.1 */3243
+3244
+static int hash_df(DRBG_CTX *dctx, unsigned char *out,3245
+ const unsigned char *in1, size_t in1len,3246
+ const unsigned char *in2, size_t in2len,3247
+ const unsigned char *in3, size_t in3len,3248
+ const unsigned char *in4, size_t in4len)3249
+{3250
+ EVP_MD_CTX *mctx = dctx->d.hash.mctx;3251
+ unsigned char *vtmp = dctx->d.hash.vtmp;3252
+ unsigned char tmp[6];3253
+ /* Standard only ever needs seedlen bytes which is always less than3254
+ * maximum permitted so no need to check length.3255
+ */3256
+ size_t outlen = dctx->seedlen;3257
+ tmp[0] = 1;3258
+ tmp[1] = ((outlen * 8) >> 24) & 0xff;3259
+ tmp[2] = ((outlen * 8) >> 16) & 0xff;3260
+ tmp[3] = ((outlen * 8) >> 8) & 0xff;3261
+ tmp[4] = (outlen * 8) & 0xff;3262
+ if (!in1) {3263
+ tmp[5] = (unsigned char)in1len;3264
+ in1 = tmp + 5;3265
+ in1len = 1;3266
+ }3267
+ for (;;) {3268
+ if (!FIPS_digestinit(mctx, dctx->d.hash.md))3269
+ return 0;3270
+ if (!FIPS_digestupdate(mctx, tmp, 5))3271
+ return 0;3272
+ if (in1 && !FIPS_digestupdate(mctx, in1, in1len))3273
+ return 0;3274
+ if (in2 && !FIPS_digestupdate(mctx, in2, in2len))3275
+ return 0;3276
+ if (in3 && !FIPS_digestupdate(mctx, in3, in3len))3277
+ return 0;3278
+ if (in4 && !FIPS_digestupdate(mctx, in4, in4len))3279
+ return 0;3280
+ if (outlen < dctx->blocklength) {3281
+ if (!FIPS_digestfinal(mctx, vtmp, NULL))3282
+ return 0;3283
+ memcpy(out, vtmp, outlen);3284
+ OPENSSL_cleanse(vtmp, dctx->blocklength);3285
+ return 1;3286
+ } else if (!FIPS_digestfinal(mctx, out, NULL))3287
+ return 0;3288
+3289
+ outlen -= dctx->blocklength;3290
+ if (outlen == 0)3291
+ return 1;3292
+ tmp[0]++;3293
+ out += dctx->blocklength;3294
+ }3295
+}3296
+3297
+/* Add an unsigned buffer to the buf value, storing the result in buf. For3298
+ * this algorithm the length of input never exceeds the seed length.3299
+ */3300
+3301
+static void ctx_add_buf(DRBG_CTX *dctx, unsigned char *buf,3302
+ unsigned char *in, size_t inlen)3303
+{3304
+ size_t i = inlen;3305
+ const unsigned char *q;3306
+ unsigned char c, *p;3307
+ p = buf + dctx->seedlen;3308
+ q = in + inlen;3309
+3310
+ OPENSSL_assert(i <= dctx->seedlen);3311
+3312
+ /* Special case: zero length, just increment buffer */3313
+ if (i)3314
+ c = 0;3315
+ else3316
+ c = 1;3317
+3318
+ while (i) {3319
+ int r;3320
+ p--;3321
+ q--;3322
+ r = *p + *q + c;3323
+ /* Carry */3324
+ if (r > 0xff)3325
+ c = 1;3326
+ else3327
+ c = 0;3328
+ *p = r & 0xff;3329
+ i--;3330
+ }3331
+3332
+ i = dctx->seedlen - inlen;3333
+3334
+ /* If not adding whole buffer handle final carries */3335
+ if (c && i) {3336
+ do {3337
+ p--;3338
+ c = *p;3339
+ c++;3340
+ *p = c;3341
+ if (c)3342
+ return;3343
+ } while (i--);3344
+ }3345
+}3346
+3347
+/* Finalise and add hash to V */3348
+3349
+static int ctx_add_md(DRBG_CTX *dctx)3350
+{3351
+ if (!FIPS_digestfinal(dctx->d.hash.mctx, dctx->d.hash.vtmp, NULL))3352
+ return 0;3353
+ ctx_add_buf(dctx, dctx->d.hash.V, dctx->d.hash.vtmp, dctx->blocklength);3354
+ return 1;3355
+}3356
+3357
+static int hash_gen(DRBG_CTX *dctx, unsigned char *out, size_t outlen)3358
+{3359
+ DRBG_HASH_CTX *hctx = &dctx->d.hash;3360
+ if (outlen == 0)3361
+ return 1;3362
+ memcpy(hctx->vtmp, hctx->V, dctx->seedlen);3363
+ for (;;) {3364
+ FIPS_digestinit(hctx->mctx, hctx->md);3365
+ FIPS_digestupdate(hctx->mctx, hctx->vtmp, dctx->seedlen);3366
+ if (outlen < dctx->blocklength) {3367
+ FIPS_digestfinal(hctx->mctx, hctx->vtmp, NULL);3368
+ memcpy(out, hctx->vtmp, outlen);3369
+ return 1;3370
+ } else {3371
+ FIPS_digestfinal(hctx->mctx, out, NULL);3372
+ outlen -= dctx->blocklength;3373
+ if (outlen == 0)3374
+ return 1;3375
+ out += dctx->blocklength;3376
+ }3377
+ ctx_add_buf(dctx, hctx->vtmp, NULL, 0);3378
+ }3379
+}3380
+3381
+static int drbg_hash_instantiate(DRBG_CTX *dctx,3382
+ const unsigned char *ent, size_t ent_len,3383
+ const unsigned char *nonce, size_t nonce_len,3384
+ const unsigned char *pstr, size_t pstr_len)3385
+{3386
+ DRBG_HASH_CTX *hctx = &dctx->d.hash;3387
+ if (!hash_df(dctx, hctx->V,3388
+ ent, ent_len, nonce, nonce_len, pstr, pstr_len, NULL, 0))3389
+ return 0;3390
+ if (!hash_df(dctx, hctx->C,3391
+ NULL, 0, hctx->V, dctx->seedlen, NULL, 0, NULL, 0))3392
+ return 0;3393
+3394
+#ifdef HASH_DRBG_TRACE3395
+ fprintf(stderr, "V+C after instantiate:\n");3396
+ hexprint(stderr, hctx->V, dctx->seedlen);3397
+ hexprint(stderr, hctx->C, dctx->seedlen);3398
+#endif3399
+ return 1;3400
+}3401
+3402
+static int drbg_hash_reseed(DRBG_CTX *dctx,3403
+ const unsigned char *ent, size_t ent_len,3404
+ const unsigned char *adin, size_t adin_len)3405
+{3406
+ DRBG_HASH_CTX *hctx = &dctx->d.hash;3407
+ /* V about to be updated so use C as output instead */3408
+ if (!hash_df(dctx, hctx->C,3409
+ NULL, 1, hctx->V, dctx->seedlen,3410
+ ent, ent_len, adin, adin_len))3411
+ return 0;3412
+ memcpy(hctx->V, hctx->C, dctx->seedlen);3413
+ if (!hash_df(dctx, hctx->C, NULL, 0,3414
+ hctx->V, dctx->seedlen, NULL, 0, NULL, 0))3415
+ return 0;3416
+#ifdef HASH_DRBG_TRACE3417
+ fprintf(stderr, "V+C after reseed:\n");3418
+ hexprint(stderr, hctx->V, dctx->seedlen);3419
+ hexprint(stderr, hctx->C, dctx->seedlen);3420
+#endif3421
+ return 1;3422
+}3423
+3424
+static int drbg_hash_generate(DRBG_CTX *dctx,3425
+ unsigned char *out, size_t outlen,3426
+ const unsigned char *adin, size_t adin_len)3427
+{3428
+ DRBG_HASH_CTX *hctx = &dctx->d.hash;3429
+ EVP_MD_CTX *mctx = hctx->mctx;3430
+ unsigned char tmp[4];3431
+ if (adin && adin_len) {3432
+ tmp[0] = 2;3433
+ if (!FIPS_digestinit(mctx, hctx->md))3434
+ return 0;3435
+ if (!EVP_DigestUpdate(mctx, tmp, 1))3436
+ return 0;3437
+ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))3438
+ return 0;3439
+ if (!EVP_DigestUpdate(mctx, adin, adin_len))3440
+ return 0;3441
+ if (!ctx_add_md(dctx))3442
+ return 0;3443
+ }3444
+ if (!hash_gen(dctx, out, outlen))3445
+ return 0;3446
+3447
+ tmp[0] = 3;3448
+ if (!FIPS_digestinit(mctx, hctx->md))3449
+ return 0;3450
+ if (!EVP_DigestUpdate(mctx, tmp, 1))3451
+ return 0;3452
+ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))3453
+ return 0;3454
+3455
+ if (!ctx_add_md(dctx))3456
+ return 0;3457
+3458
+ ctx_add_buf(dctx, hctx->V, hctx->C, dctx->seedlen);3459
+3460
+ tmp[0] = (dctx->reseed_counter >> 24) & 0xff;3461
+ tmp[1] = (dctx->reseed_counter >> 16) & 0xff;3462
+ tmp[2] = (dctx->reseed_counter >> 8) & 0xff;3463
+ tmp[3] = dctx->reseed_counter & 0xff;3464
+ ctx_add_buf(dctx, hctx->V, tmp, 4);3465
+#ifdef HASH_DRBG_TRACE3466
+ fprintf(stderr, "V+C after generate:\n");3467
+ hexprint(stderr, hctx->V, dctx->seedlen);3468
+ hexprint(stderr, hctx->C, dctx->seedlen);3469
+#endif3470
+ return 1;3471
+}3472
+3473
+static int drbg_hash_uninstantiate(DRBG_CTX *dctx)3474
+{3475
+ EVP_MD_CTX_free(dctx->d.hash.mctx);3476
+ OPENSSL_cleanse(&dctx->d.hash, sizeof(DRBG_HASH_CTX));3477
+ return 1;3478
+}3479
+3480
+int fips_drbg_hash_init(DRBG_CTX *dctx)3481
+{3482
+ const EVP_MD *md;3483
+ DRBG_HASH_CTX *hctx = &dctx->d.hash;3484
+ md = EVP_get_digestbynid(dctx->type);3485
+ if (!md)3486
+ return -2;3487
+ switch (dctx->type) {3488
+ case NID_sha1:3489
+ dctx->strength = 128;3490
+ break;3491
+3492
+ case NID_sha224:3493
+ dctx->strength = 192;3494
+ break;3495
+3496
+ default:3497
+ dctx->strength = 256;3498
+ break;3499
+ }3500
+3501
+ dctx->instantiate = drbg_hash_instantiate;3502
+ dctx->reseed = drbg_hash_reseed;3503
+ dctx->generate = drbg_hash_generate;3504
+ dctx->uninstantiate = drbg_hash_uninstantiate;3505
+3506
+ dctx->d.hash.md = md;3507
+ hctx->mctx = EVP_MD_CTX_new();3508
+ if (hctx->mctx == NULL)3509
+ return -1;3510
+3511
+ /* These are taken from SP 800-90 10.1 table 2 */3512
+3513
+ dctx->blocklength = EVP_MD_size(md);3514
+ if (dctx->blocklength > 32)3515
+ dctx->seedlen = 111;3516
+ else3517
+ dctx->seedlen = 55;3518
+3519
+ dctx->min_entropy = dctx->strength / 8;3520
+ dctx->max_entropy = DRBG_MAX_LENGTH;3521
+3522
+ dctx->min_nonce = dctx->min_entropy / 2;3523
+ dctx->max_nonce = DRBG_MAX_LENGTH;3524
+3525
+ dctx->max_pers = DRBG_MAX_LENGTH;3526
+ dctx->max_adin = DRBG_MAX_LENGTH;3527
+3528
+ dctx->max_request = 1 << 16;3529
+ dctx->reseed_interval = 1 << 24;3530
+3531
+ return 1;3532
+}3533
diff -up openssl-1.1.1j/crypto/fips/fips_drbg_hmac.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_hmac.c3534
--- openssl-1.1.1j/crypto/fips/fips_drbg_hmac.c.fips 2021-03-03 12:57:42.199734525 +01003535
+++ openssl-1.1.1j/crypto/fips/fips_drbg_hmac.c 2021-03-03 12:57:42.199734525 +01003536
3537
+/* fips/rand/fips_drbg_hmac.c */3538
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL3539
+ * project.3540
+ */3541
+/* ====================================================================3542
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.3543
+ *3544
+ * Redistribution and use in source and binary forms, with or without3545
+ * modification, are permitted provided that the following conditions3546
+ * are met:3547
+ *3548
+ * 1. Redistributions of source code must retain the above copyright3549
+ * notice, this list of conditions and the following disclaimer. 3550
+ *3551
+ * 2. Redistributions in binary form must reproduce the above copyright3552
+ * notice, this list of conditions and the following disclaimer in3553
+ * the documentation and/or other materials provided with the3554
+ * distribution.3555
+ *3556
+ * 3. All advertising materials mentioning features or use of this3557
+ * software must display the following acknowledgment:3558
+ * "This product includes software developed by the OpenSSL Project3559
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"3560
+ *3561
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to3562
+ * endorse or promote products derived from this software without3563
+ * prior written permission. For written permission, please contact3564
+ * licensing@OpenSSL.org.3565
+ *3566
+ * 5. Products derived from this software may not be called "OpenSSL"3567
+ * nor may "OpenSSL" appear in their names without prior written3568
+ * permission of the OpenSSL Project.3569
+ *3570
+ * 6. Redistributions of any form whatsoever must retain the following3571
+ * acknowledgment:3572
+ * "This product includes software developed by the OpenSSL Project3573
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"3574
+ *3575
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY3576
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE3577
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR3578
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR3579
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,3580
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT3581
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;3582
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)3583
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,3584
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)3585
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED3586
+ * OF THE POSSIBILITY OF SUCH DAMAGE.3587
+ * ====================================================================3588
+ */3589
+3590
+#include <stdlib.h>3591
+#include <string.h>3592
+#include <openssl/crypto.h>3593
+#include <openssl/evp.h>3594
+#include <openssl/hmac.h>3595
+#include <openssl/aes.h>3596
+#include <openssl/fips.h>3597
+#include <openssl/fips_rand.h>3598
+#include "fips_rand_lcl.h"3599
+3600
+static int drbg_hmac_update(DRBG_CTX *dctx,3601
+ const unsigned char *in1, size_t in1len,3602
+ const unsigned char *in2, size_t in2len,3603
+ const unsigned char *in3, size_t in3len)3604
+{3605
+ static unsigned char c0 = 0, c1 = 1;3606
+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;3607
+ HMAC_CTX *hctx = hmac->hctx;3608
+3609
+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))3610
+ return 0;3611
+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))3612
+ return 0;3613
+ if (!HMAC_Update(hctx, &c0, 1))3614
+ return 0;3615
+ if (in1len && !HMAC_Update(hctx, in1, in1len))3616
+ return 0;3617
+ if (in2len && !HMAC_Update(hctx, in2, in2len))3618
+ return 0;3619
+ if (in3len && !HMAC_Update(hctx, in3, in3len))3620
+ return 0;3621
+3622
+ if (!HMAC_Final(hctx, hmac->K, NULL))3623
+ return 0;3624
+3625
+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))3626
+ return 0;3627
+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))3628
+ return 0;3629
+3630
+ if (!HMAC_Final(hctx, hmac->V, NULL))3631
+ return 0;3632
+3633
+ if (!in1len && !in2len && !in3len)3634
+ return 1;3635
+3636
+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))3637
+ return 0;3638
+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))3639
+ return 0;3640
+ if (!HMAC_Update(hctx, &c1, 1))3641
+ return 0;3642
+ if (in1len && !HMAC_Update(hctx, in1, in1len))3643
+ return 0;3644
+ if (in2len && !HMAC_Update(hctx, in2, in2len))3645
+ return 0;3646
+ if (in3len && !HMAC_Update(hctx, in3, in3len))3647
+ return 0;3648
+3649
+ if (!HMAC_Final(hctx, hmac->K, NULL))3650
+ return 0;3651
+3652
+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))3653
+ return 0;3654
+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))3655
+ return 0;3656
+3657
+ if (!HMAC_Final(hctx, hmac->V, NULL))3658
+ return 0;3659
+3660
+ return 1;3661
+3662
+}3663
+3664
+static int drbg_hmac_instantiate(DRBG_CTX *dctx,3665
+ const unsigned char *ent, size_t ent_len,3666
+ const unsigned char *nonce, size_t nonce_len,3667
+ const unsigned char *pstr, size_t pstr_len)3668
+{3669
+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;3670
+ memset(hmac->K, 0, dctx->blocklength);3671
+ memset(hmac->V, 1, dctx->blocklength);3672
+ if (!drbg_hmac_update(dctx,3673
+ ent, ent_len, nonce, nonce_len, pstr, pstr_len))3674
+ return 0;3675
+3676
+#ifdef HMAC_DRBG_TRACE3677
+ fprintf(stderr, "K+V after instantiate:\n");3678
+ hexprint(stderr, hmac->K, hmac->blocklength);3679
+ hexprint(stderr, hmac->V, hmac->blocklength);3680
+#endif3681
+ return 1;3682
+}3683
+3684
+static int drbg_hmac_reseed(DRBG_CTX *dctx,3685
+ const unsigned char *ent, size_t ent_len,3686
+ const unsigned char *adin, size_t adin_len)3687
+{3688
+ if (!drbg_hmac_update(dctx, ent, ent_len, adin, adin_len, NULL, 0))3689
+ return 0;3690
+3691
+#ifdef HMAC_DRBG_TRACE3692
+ {3693
+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;3694
+ fprintf(stderr, "K+V after reseed:\n");3695
+ hexprint(stderr, hmac->K, hmac->blocklength);3696
+ hexprint(stderr, hmac->V, hmac->blocklength);3697
+ }3698
+#endif3699
+ return 1;3700
+}3701
+3702
+static int drbg_hmac_generate(DRBG_CTX *dctx,3703
+ unsigned char *out, size_t outlen,3704
+ const unsigned char *adin, size_t adin_len)3705
+{3706
+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;3707
+ HMAC_CTX *hctx = hmac->hctx;3708
+ const unsigned char *Vtmp = hmac->V;3709
+ if (adin_len && !drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))3710
+ return 0;3711
+ for (;;) {3712
+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))3713
+ return 0;3714
+ if (!HMAC_Update(hctx, Vtmp, dctx->blocklength))3715
+ return 0;3716
+ if (outlen > dctx->blocklength) {3717
+ if (!HMAC_Final(hctx, out, NULL))3718
+ return 0;3719
+ Vtmp = out;3720
+ } else {3721
+ if (!HMAC_Final(hctx, hmac->V, NULL))3722
+ return 0;3723
+ memcpy(out, hmac->V, outlen);3724
+ break;3725
+ }3726
+ out += dctx->blocklength;3727
+ outlen -= dctx->blocklength;3728
+ }3729
+ if (!drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))3730
+ return 0;3731
+3732
+ return 1;3733
+}3734
+3735
+static int drbg_hmac_uninstantiate(DRBG_CTX *dctx)3736
+{3737
+ HMAC_CTX_free(dctx->d.hmac.hctx);3738
+ OPENSSL_cleanse(&dctx->d.hmac, sizeof(DRBG_HMAC_CTX));3739
+ return 1;3740
+}3741
+3742
+int fips_drbg_hmac_init(DRBG_CTX *dctx)3743
+{3744
+ const EVP_MD *md = NULL;3745
+ DRBG_HMAC_CTX *hctx = &dctx->d.hmac;3746
+ dctx->strength = 256;3747
+ switch (dctx->type) {3748
+ case NID_hmacWithSHA1:3749
+ md = EVP_sha1();3750
+ dctx->strength = 128;3751
+ break;3752
+3753
+ case NID_hmacWithSHA224:3754
+ md = EVP_sha224();3755
+ dctx->strength = 192;3756
+ break;3757
+3758
+ case NID_hmacWithSHA256:3759
+ md = EVP_sha256();3760
+ break;3761
+3762
+ case NID_hmacWithSHA384:3763
+ md = EVP_sha384();3764
+ break;3765
+3766
+ case NID_hmacWithSHA512:3767
+ md = EVP_sha512();3768
+ break;3769
+3770
+ default:3771
+ dctx->strength = 0;3772
+ return -2;3773
+ }3774
+ dctx->instantiate = drbg_hmac_instantiate;3775
+ dctx->reseed = drbg_hmac_reseed;3776
+ dctx->generate = drbg_hmac_generate;3777
+ dctx->uninstantiate = drbg_hmac_uninstantiate;3778
+ hctx->hctx = HMAC_CTX_new();3779
+ if (hctx->hctx == NULL)3780
+ return -1;3781
+ hctx->md = md;3782
+ dctx->blocklength = M_EVP_MD_size(md);3783
+ dctx->seedlen = M_EVP_MD_size(md);3784
+3785
+ dctx->min_entropy = dctx->strength / 8;3786
+ dctx->max_entropy = DRBG_MAX_LENGTH;3787
+3788
+ dctx->min_nonce = dctx->min_entropy / 2;3789
+ dctx->max_nonce = DRBG_MAX_LENGTH;3790
+3791
+ dctx->max_pers = DRBG_MAX_LENGTH;3792
+ dctx->max_adin = DRBG_MAX_LENGTH;3793
+3794
+ dctx->max_request = 1 << 16;3795
+ dctx->reseed_interval = 1 << 24;3796
+3797
+ return 1;3798
+}3799
diff -up openssl-1.1.1j/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_lib.c3800
--- openssl-1.1.1j/crypto/fips/fips_drbg_lib.c.fips 2021-03-03 12:57:42.199734525 +01003801
+++ openssl-1.1.1j/crypto/fips/fips_drbg_lib.c 2021-03-03 12:57:42.199734525 +01003802
3803
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL3804
+ * project.3805
+ */3806
+/* ====================================================================3807
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.3808
+ *3809
+ * Redistribution and use in source and binary forms, with or without3810
+ * modification, are permitted provided that the following conditions3811
+ * are met:3812
+ *3813
+ * 1. Redistributions of source code must retain the above copyright3814
+ * notice, this list of conditions and the following disclaimer. 3815
+ *3816
+ * 2. Redistributions in binary form must reproduce the above copyright3817
+ * notice, this list of conditions and the following disclaimer in3818
+ * the documentation and/or other materials provided with the3819
+ * distribution.3820
+ *3821
+ * 3. All advertising materials mentioning features or use of this3822
+ * software must display the following acknowledgment:3823
+ * "This product includes software developed by the OpenSSL Project3824
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"3825
+ *3826
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to3827
+ * endorse or promote products derived from this software without3828
+ * prior written permission. For written permission, please contact3829
+ * licensing@OpenSSL.org.3830
+ *3831
+ * 5. Products derived from this software may not be called "OpenSSL"3832
+ * nor may "OpenSSL" appear in their names without prior written3833
+ * permission of the OpenSSL Project.3834
+ *3835
+ * 6. Redistributions of any form whatsoever must retain the following3836
+ * acknowledgment:3837
+ * "This product includes software developed by the OpenSSL Project3838
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"3839
+ *3840
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY3841
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE3842
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR3843
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR3844
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,3845
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT3846
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;3847
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)3848
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,3849
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)3850
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED3851
+ * OF THE POSSIBILITY OF SUCH DAMAGE.3852
+ * ====================================================================3853
+ */3854
+3855
+#include <string.h>3856
+#include <openssl/crypto.h>3857
+#include <openssl/err.h>3858
+#include <openssl/fips.h>3859
+#include "crypto/fips.h"3860
+#include <openssl/fips_rand.h>3861
+#include "fips_locl.h"3862
+#include "fips_rand_lcl.h"3863
+3864
+/* Support framework for SP800-90 DRBGs */3865
+3866
+int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)3867
+{3868
+ int rv;3869
+ memset(dctx, 0, sizeof(DRBG_CTX));3870
+ dctx->status = DRBG_STATUS_UNINITIALISED;3871
+ dctx->xflags = flags;3872
+ dctx->type = type;3873
+3874
+ dctx->iflags = 0;3875
+ dctx->entropy_blocklen = 0;3876
+ dctx->health_check_cnt = 0;3877
+ dctx->health_check_interval = DRBG_HEALTH_INTERVAL;3878
+3879
+ rv = fips_drbg_hash_init(dctx);3880
+3881
+ if (rv == -2)3882
+ rv = fips_drbg_ctr_init(dctx);3883
+ if (rv == -2)3884
+ rv = fips_drbg_hmac_init(dctx);3885
+3886
+ if (rv <= 0) {3887
+ if (rv == -2)3888
+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE);3889
+ else3890
+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG);3891
+ }3892
+3893
+ /* If not in test mode run selftests on DRBG of the same type */3894
+3895
+ if (!(dctx->xflags & DRBG_FLAG_TEST)) {3896
+ if (!FIPS_drbg_health_check(dctx)) {3897
+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);3898
+ return 0;3899
+ }3900
+ }3901
+3902
+ return rv;3903
+}3904
+3905
+DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags)3906
+{3907
+ DRBG_CTX *dctx;3908
+ dctx = OPENSSL_malloc(sizeof(DRBG_CTX));3909
+ if (!dctx) {3910
+ FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE);3911
+ return NULL;3912
+ }3913
+3914
+ if (type == 0) {3915
+ memset(dctx, 0, sizeof(DRBG_CTX));3916
+ dctx->type = 0;3917
+ dctx->status = DRBG_STATUS_UNINITIALISED;3918
+ return dctx;3919
+ }3920
+3921
+ if (FIPS_drbg_init(dctx, type, flags) <= 0) {3922
+ OPENSSL_free(dctx);3923
+ return NULL;3924
+ }3925
+3926
+ return dctx;3927
+}3928
+3929
+void FIPS_drbg_free(DRBG_CTX *dctx)3930
+{3931
+ if (dctx->uninstantiate)3932
+ dctx->uninstantiate(dctx);3933
+ /* Don't free up default DRBG */3934
+ if (dctx == FIPS_get_default_drbg()) {3935
+ memset(dctx, 0, sizeof(DRBG_CTX));3936
+ dctx->type = 0;3937
+ dctx->status = DRBG_STATUS_UNINITIALISED;3938
+ } else {3939
+ OPENSSL_cleanse(&dctx->d, sizeof(dctx->d));3940
+ OPENSSL_free(dctx);3941
+ }3942
+}3943
+3944
+static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout,3945
+ int entropy, size_t min_len, size_t max_len)3946
+{3947
+ unsigned char *tout, *p;3948
+ size_t bl = dctx->entropy_blocklen, rv;3949
+ if (!dctx->get_entropy)3950
+ return 0;3951
+ if (dctx->xflags & DRBG_FLAG_TEST || !bl)3952
+ return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);3953
+ rv = dctx->get_entropy(dctx, &tout, entropy + bl,3954
+ min_len + bl, max_len + bl);3955
+ if (tout == NULL)3956
+ return 0;3957
+ *pout = tout + bl;3958
+ if (rv < (min_len + bl) || (rv % bl))3959
+ return 0;3960
+ /* Compare consecutive blocks for continuous PRNG test */3961
+ for (p = tout; p < tout + rv - bl; p += bl) {3962
+ if (!memcmp(p, p + bl, bl)) {3963
+ FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK);3964
+ return 0;3965
+ }3966
+ }3967
+ rv -= bl;3968
+ if (rv > max_len)3969
+ return max_len;3970
+ return rv;3971
+}3972
+3973
+static void fips_cleanup_entropy(DRBG_CTX *dctx,3974
+ unsigned char *out, size_t olen)3975
+{3976
+ size_t bl;3977
+ if (dctx->xflags & DRBG_FLAG_TEST)3978
+ bl = 0;3979
+ else3980
+ bl = dctx->entropy_blocklen;3981
+ /* Call cleanup with original arguments */3982
+ dctx->cleanup_entropy(dctx, out - bl, olen + bl);3983
+}3984
+3985
+int FIPS_drbg_instantiate(DRBG_CTX *dctx,3986
+ const unsigned char *pers, size_t perslen)3987
+{3988
+ size_t entlen = 0, noncelen = 0;3989
+ unsigned char *nonce = NULL, *entropy = NULL;3990
+3991
+#if 03992
+ /* Put here so error script picks them up */3993
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE,3994
+ FIPS_R_PERSONALISATION_STRING_TOO_LONG);3995
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE);3996
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED);3997
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY);3998
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE);3999
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR);4000
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED);4001
+#endif4002
+4003
+ int r = 0;4004
+4005
+ if (perslen > dctx->max_pers) {4006
+ r = FIPS_R_PERSONALISATION_STRING_TOO_LONG;4007
+ goto end;4008
+ }4009
+4010
+ if (!dctx->instantiate) {4011
+ r = FIPS_R_DRBG_NOT_INITIALISED;4012
+ goto end;4013
+ }4014
+4015
+ if (dctx->status != DRBG_STATUS_UNINITIALISED) {4016
+ if (dctx->status == DRBG_STATUS_ERROR)4017
+ r = FIPS_R_IN_ERROR_STATE;4018
+ else4019
+ r = FIPS_R_ALREADY_INSTANTIATED;4020
+ goto end;4021
+ }4022
+4023
+ dctx->status = DRBG_STATUS_ERROR;4024
+4025
+ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,4026
+ dctx->min_entropy, dctx->max_entropy);4027
+4028
+ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {4029
+ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;4030
+ goto end;4031
+ }4032
+4033
+ if (dctx->max_nonce > 0 && dctx->get_nonce) {4034
+ noncelen = dctx->get_nonce(dctx, &nonce,4035
+ dctx->strength / 2,4036
+ dctx->min_nonce, dctx->max_nonce);4037
+4038
+ if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) {4039
+ r = FIPS_R_ERROR_RETRIEVING_NONCE;4040
+ goto end;4041
+ }4042
+4043
+ }4044
+4045
+ if (!dctx->instantiate(dctx,4046
+ entropy, entlen, nonce, noncelen, pers, perslen)) {4047
+ r = FIPS_R_ERROR_INSTANTIATING_DRBG;4048
+ goto end;4049
+ }4050
+4051
+ dctx->status = DRBG_STATUS_READY;4052
+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))4053
+ dctx->reseed_counter = 1;4054
+4055
+ end:4056
+4057
+ if (entropy && dctx->cleanup_entropy)4058
+ fips_cleanup_entropy(dctx, entropy, entlen);4059
+4060
+ if (nonce && dctx->cleanup_nonce)4061
+ dctx->cleanup_nonce(dctx, nonce, noncelen);4062
+4063
+ if (dctx->status == DRBG_STATUS_READY)4064
+ return 1;4065
+4066
+ if (r && !(dctx->iflags & DRBG_FLAG_NOERR))4067
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r);4068
+4069
+ return 0;4070
+4071
+}4072
+4073
+static int drbg_reseed(DRBG_CTX *dctx,4074
+ const unsigned char *adin, size_t adinlen, int hcheck)4075
+{4076
+ unsigned char *entropy = NULL;4077
+ size_t entlen = 0;4078
+ int r = 0;4079
+4080
+#if 04081
+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED);4082
+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);4083
+#endif4084
+ if (dctx->status != DRBG_STATUS_READY4085
+ && dctx->status != DRBG_STATUS_RESEED) {4086
+ if (dctx->status == DRBG_STATUS_ERROR)4087
+ r = FIPS_R_IN_ERROR_STATE;4088
+ else if (dctx->status == DRBG_STATUS_UNINITIALISED)4089
+ r = FIPS_R_NOT_INSTANTIATED;4090
+ goto end;4091
+ }4092
+4093
+ if (!adin)4094
+ adinlen = 0;4095
+ else if (adinlen > dctx->max_adin) {4096
+ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;4097
+ goto end;4098
+ }4099
+4100
+ dctx->status = DRBG_STATUS_ERROR;4101
+ /* Peform health check on all reseed operations if not a prediction4102
+ * resistance request and not in test mode.4103
+ */4104
+ if (hcheck && !(dctx->xflags & DRBG_FLAG_TEST)) {4105
+ if (!FIPS_drbg_health_check(dctx)) {4106
+ r = FIPS_R_SELFTEST_FAILURE;4107
+ goto end;4108
+ }4109
+ }4110
+4111
+ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,4112
+ dctx->min_entropy, dctx->max_entropy);4113
+4114
+ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {4115
+ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;4116
+ goto end;4117
+ }4118
+4119
+ if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen))4120
+ goto end;4121
+4122
+ dctx->status = DRBG_STATUS_READY;4123
+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))4124
+ dctx->reseed_counter = 1;4125
+ end:4126
+4127
+ if (entropy && dctx->cleanup_entropy)4128
+ fips_cleanup_entropy(dctx, entropy, entlen);4129
+4130
+ if (dctx->status == DRBG_STATUS_READY)4131
+ return 1;4132
+4133
+ if (r && !(dctx->iflags & DRBG_FLAG_NOERR))4134
+ FIPSerr(FIPS_F_DRBG_RESEED, r);4135
+4136
+ return 0;4137
+}4138
+4139
+int FIPS_drbg_reseed(DRBG_CTX *dctx,4140
+ const unsigned char *adin, size_t adinlen)4141
+{4142
+ return drbg_reseed(dctx, adin, adinlen, 1);4143
+}4144
+4145
+static int fips_drbg_check(DRBG_CTX *dctx)4146
+{4147
+ if (dctx->xflags & DRBG_FLAG_TEST)4148
+ return 1;4149
+ dctx->health_check_cnt++;4150
+ if (dctx->health_check_cnt >= dctx->health_check_interval) {4151
+ if (!FIPS_drbg_health_check(dctx)) {4152
+ FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE);4153
+ return 0;4154
+ }4155
+ }4156
+ return 1;4157
+}4158
+4159
+int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,4160
+ int prediction_resistance,4161
+ const unsigned char *adin, size_t adinlen)4162
+{4163
+ int r = 0;4164
+4165
+ if (FIPS_selftest_failed()) {4166
+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED);4167
+ return 0;4168
+ }4169
+4170
+ if (!fips_drbg_check(dctx))4171
+ return 0;4172
+4173
+ if (dctx->status != DRBG_STATUS_READY4174
+ && dctx->status != DRBG_STATUS_RESEED) {4175
+ if (dctx->status == DRBG_STATUS_ERROR)4176
+ r = FIPS_R_IN_ERROR_STATE;4177
+ else if (dctx->status == DRBG_STATUS_UNINITIALISED)4178
+ r = FIPS_R_NOT_INSTANTIATED;4179
+ goto end;4180
+ }4181
+4182
+ if (outlen > dctx->max_request) {4183
+ r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;4184
+ return 0;4185
+ }4186
+4187
+ if (adinlen > dctx->max_adin) {4188
+ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;4189
+ goto end;4190
+ }4191
+4192
+ if (dctx->iflags & DRBG_CUSTOM_RESEED)4193
+ dctx->generate(dctx, NULL, outlen, NULL, 0);4194
+ else if (dctx->reseed_counter >= dctx->reseed_interval)4195
+ dctx->status = DRBG_STATUS_RESEED;4196
+4197
+ if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) {4198
+ /* If prediction resistance request don't do health check */4199
+ int hcheck = prediction_resistance ? 0 : 1;4200
+4201
+ if (!drbg_reseed(dctx, adin, adinlen, hcheck)) {4202
+ r = FIPS_R_RESEED_ERROR;4203
+ goto end;4204
+ }4205
+ adin = NULL;4206
+ adinlen = 0;4207
+ }4208
+4209
+ if (!dctx->generate(dctx, out, outlen, adin, adinlen)) {4210
+ r = FIPS_R_GENERATE_ERROR;4211
+ dctx->status = DRBG_STATUS_ERROR;4212
+ goto end;4213
+ }4214
+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) {4215
+ if (dctx->reseed_counter >= dctx->reseed_interval)4216
+ dctx->status = DRBG_STATUS_RESEED;4217
+ else4218
+ dctx->reseed_counter++;4219
+ }4220
+4221
+ end:4222
+ if (r) {4223
+ if (!(dctx->iflags & DRBG_FLAG_NOERR))4224
+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);4225
+ return 0;4226
+ }4227
+4228
+ return 1;4229
+}4230
+4231
+int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)4232
+{4233
+ int rv;4234
+ if (!dctx->uninstantiate)4235
+ rv = 1;4236
+ else4237
+ rv = dctx->uninstantiate(dctx);4238
+ /* Although we'd like to cleanse here we can't because we have to4239
+ * test the uninstantiate really zeroes the data.4240
+ */4241
+ memset(&dctx->d, 0, sizeof(dctx->d));4242
+ dctx->status = DRBG_STATUS_UNINITIALISED;4243
+ /* If method has problems uninstantiating, return error */4244
+ return rv;4245
+}4246
+4247
+int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,4248
+ size_t (*get_entropy) (DRBG_CTX *ctx,4249
+ unsigned char **pout,4250
+ int entropy,4251
+ size_t min_len,4252
+ size_t max_len),4253
+ void (*cleanup_entropy) (DRBG_CTX *ctx,4254
+ unsigned char *out,4255
+ size_t olen),4256
+ size_t entropy_blocklen,4257
+ size_t (*get_nonce) (DRBG_CTX *ctx,4258
+ unsigned char **pout,4259
+ int entropy, size_t min_len,4260
+ size_t max_len),4261
+ void (*cleanup_nonce) (DRBG_CTX *ctx,4262
+ unsigned char *out,4263
+ size_t olen))4264
+{4265
+ if (dctx->status != DRBG_STATUS_UNINITIALISED)4266
+ return 0;4267
+ dctx->entropy_blocklen = entropy_blocklen;4268
+ dctx->get_entropy = get_entropy;4269
+ dctx->cleanup_entropy = cleanup_entropy;4270
+ dctx->get_nonce = get_nonce;4271
+ dctx->cleanup_nonce = cleanup_nonce;4272
+ return 1;4273
+}4274
+4275
+int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,4276
+ size_t (*get_adin) (DRBG_CTX *ctx,4277
+ unsigned char **pout),4278
+ void (*cleanup_adin) (DRBG_CTX *ctx,4279
+ unsigned char *out,4280
+ size_t olen),4281
+ int (*rand_seed_cb) (DRBG_CTX *ctx,4282
+ const void *buf,4283
+ int num),4284
+ int (*rand_add_cb) (DRBG_CTX *ctx,4285
+ const void *buf, int num,4286
+ double entropy))4287
+{4288
+ if (dctx->status != DRBG_STATUS_UNINITIALISED)4289
+ return 0;4290
+ dctx->get_adin = get_adin;4291
+ dctx->cleanup_adin = cleanup_adin;4292
+ dctx->rand_seed_cb = rand_seed_cb;4293
+ dctx->rand_add_cb = rand_add_cb;4294
+ return 1;4295
+}4296
+4297
+void *FIPS_drbg_get_app_data(DRBG_CTX *dctx)4298
+{4299
+ return dctx->app_data;4300
+}4301
+4302
+void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data)4303
+{4304
+ dctx->app_data = app_data;4305
+}4306
+4307
+size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)4308
+{4309
+ return dctx->blocklength;4310
+}4311
+4312
+int FIPS_drbg_get_strength(DRBG_CTX *dctx)4313
+{4314
+ return dctx->strength;4315
+}4316
+4317
+void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval)4318
+{4319
+ dctx->health_check_interval = interval;4320
+}4321
+4322
+void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval)4323
+{4324
+ dctx->reseed_interval = interval;4325
+}4326
+4327
+void FIPS_drbg_stick(int onoff)4328
+{4329
+ /* Just backwards compatibility API call with no effect. */4330
+}4331
diff -up openssl-1.1.1j/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_rand.c4332
--- openssl-1.1.1j/crypto/fips/fips_drbg_rand.c.fips 2021-03-03 12:57:42.199734525 +01004333
+++ openssl-1.1.1j/crypto/fips/fips_drbg_rand.c 2021-03-03 12:57:42.199734525 +01004334
4335
+/* fips/rand/fips_drbg_rand.c */4336
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL4337
+ * project.4338
+ */4339
+/* ====================================================================4340
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.4341
+ *4342
+ * Redistribution and use in source and binary forms, with or without4343
+ * modification, are permitted provided that the following conditions4344
+ * are met:4345
+ *4346
+ * 1. Redistributions of source code must retain the above copyright4347
+ * notice, this list of conditions and the following disclaimer. 4348
+ *4349
+ * 2. Redistributions in binary form must reproduce the above copyright4350
+ * notice, this list of conditions and the following disclaimer in4351
+ * the documentation and/or other materials provided with the4352
+ * distribution.4353
+ *4354
+ * 3. All advertising materials mentioning features or use of this4355
+ * software must display the following acknowledgment:4356
+ * "This product includes software developed by the OpenSSL Project4357
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"4358
+ *4359
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to4360
+ * endorse or promote products derived from this software without4361
+ * prior written permission. For written permission, please contact4362
+ * licensing@OpenSSL.org.4363
+ *4364
+ * 5. Products derived from this software may not be called "OpenSSL"4365
+ * nor may "OpenSSL" appear in their names without prior written4366
+ * permission of the OpenSSL Project.4367
+ *4368
+ * 6. Redistributions of any form whatsoever must retain the following4369
+ * acknowledgment:4370
+ * "This product includes software developed by the OpenSSL Project4371
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"4372
+ *4373
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY4374
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE4375
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR4376
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR4377
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,4378
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT4379
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;4380
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)4381
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,4382
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)4383
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED4384
+ * OF THE POSSIBILITY OF SUCH DAMAGE.4385
+ * ====================================================================4386
+ */4387
+4388
+#include <string.h>4389
+#include <openssl/crypto.h>4390
+#include "internal/thread_once.h"4391
+#include <openssl/err.h>4392
+#include <openssl/rand.h>4393
+#include <openssl/fips.h>4394
+#include <openssl/fips_rand.h>4395
+#include "fips_rand_lcl.h"4396
+4397
+/* Mapping of SP800-90 DRBGs to OpenSSL RAND_METHOD */4398
+4399
+/* Since we only have one global PRNG used at any time in OpenSSL use a global4400
+ * variable to store context.4401
+ */4402
+4403
+static DRBG_CTX ossl_dctx;4404
+4405
+static CRYPTO_RWLOCK *fips_rand_lock = NULL;4406
+static CRYPTO_ONCE fips_rand_lock_init = CRYPTO_ONCE_STATIC_INIT;4407
+4408
+DEFINE_RUN_ONCE_STATIC(do_fips_rand_lock_init)4409
+{4410
+ fips_rand_lock = CRYPTO_THREAD_lock_new();4411
+ return fips_rand_lock != NULL;4412
+}4413
+4414
+DRBG_CTX *FIPS_get_default_drbg(void)4415
+{4416
+ if (!RUN_ONCE(&fips_rand_lock_init, do_fips_rand_lock_init))4417
+ return NULL;4418
+ return &ossl_dctx;4419
+}4420
+4421
+static int fips_drbg_bytes(unsigned char *out, int count)4422
+{4423
+ DRBG_CTX *dctx = &ossl_dctx;4424
+ int rv = 0;4425
+ unsigned char *adin = NULL;4426
+ size_t adinlen = 0;4427
+ CRYPTO_THREAD_write_lock(fips_rand_lock);4428
+ do {4429
+ size_t rcnt;4430
+ if (count > (int)dctx->max_request)4431
+ rcnt = dctx->max_request;4432
+ else4433
+ rcnt = count;4434
+ if (dctx->get_adin) {4435
+ adinlen = dctx->get_adin(dctx, &adin);4436
+ if (adinlen && !adin) {4437
+ FIPSerr(FIPS_F_FIPS_DRBG_BYTES,4438
+ FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT);4439
+ goto err;4440
+ }4441
+ }4442
+ rv = FIPS_drbg_generate(dctx, out, rcnt, 0, adin, adinlen);4443
+ if (adin) {4444
+ if (dctx->cleanup_adin)4445
+ dctx->cleanup_adin(dctx, adin, adinlen);4446
+ adin = NULL;4447
+ }4448
+ if (!rv)4449
+ goto err;4450
+ out += rcnt;4451
+ count -= rcnt;4452
+ }4453
+ while (count);4454
+ rv = 1;4455
+ err:4456
+ CRYPTO_THREAD_unlock(fips_rand_lock);4457
+ return rv;4458
+}4459
+4460
+static int fips_drbg_pseudo(unsigned char *out, int count)4461
+{4462
+ if (fips_drbg_bytes(out, count) <= 0)4463
+ return -1;4464
+ return 1;4465
+}4466
+4467
+static int fips_drbg_status(void)4468
+{4469
+ DRBG_CTX *dctx = &ossl_dctx;4470
+ int rv;4471
+ CRYPTO_THREAD_read_lock(fips_rand_lock);4472
+ rv = dctx->status == DRBG_STATUS_READY ? 1 : 0;4473
+ CRYPTO_THREAD_unlock(fips_rand_lock);4474
+ return rv;4475
+}4476
+4477
+static void fips_drbg_cleanup(void)4478
+{4479
+ DRBG_CTX *dctx = &ossl_dctx;4480
+ CRYPTO_THREAD_write_lock(fips_rand_lock);4481
+ FIPS_drbg_uninstantiate(dctx);4482
+ CRYPTO_THREAD_unlock(fips_rand_lock);4483
+}4484
+4485
+static int fips_drbg_seed(const void *seed, int seedlen)4486
+{4487
+ DRBG_CTX *dctx = &ossl_dctx;4488
+ int ret = 1;4489
+ CRYPTO_THREAD_write_lock(fips_rand_lock);4490
+ if (dctx->rand_seed_cb)4491
+ ret = dctx->rand_seed_cb(dctx, seed, seedlen);4492
+ CRYPTO_THREAD_unlock(fips_rand_lock);4493
+ return ret;4494
+}4495
+4496
+static int fips_drbg_add(const void *seed, int seedlen, double add_entropy)4497
+{4498
+ DRBG_CTX *dctx = &ossl_dctx;4499
+ int ret = 1;4500
+ CRYPTO_THREAD_write_lock(fips_rand_lock);4501
+ if (dctx->rand_add_cb)4502
+ ret = dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);4503
+ CRYPTO_THREAD_unlock(fips_rand_lock);4504
+ return ret;4505
+}4506
+4507
+static const RAND_METHOD rand_drbg_meth = {4508
+ fips_drbg_seed,4509
+ fips_drbg_bytes,4510
+ fips_drbg_cleanup,4511
+ fips_drbg_add,4512
+ fips_drbg_pseudo,4513
+ fips_drbg_status4514
+};4515
+4516
+const RAND_METHOD *FIPS_drbg_method(void)4517
+{4518
+ return &rand_drbg_meth;4519
+}4520
diff -up openssl-1.1.1j/crypto/fips/fips_drbg_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_selftest.c4521
--- openssl-1.1.1j/crypto/fips/fips_drbg_selftest.c.fips 2021-03-03 12:57:42.200734534 +01004522
+++ openssl-1.1.1j/crypto/fips/fips_drbg_selftest.c 2021-03-03 12:57:42.200734534 +01004523
4524
+/* fips/rand/fips_drbg_selftest.c */4525
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL4526
+ * project.4527
+ */4528
+/* ====================================================================4529
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.4530
+ *4531
+ * Redistribution and use in source and binary forms, with or without4532
+ * modification, are permitted provided that the following conditions4533
+ * are met:4534
+ *4535
+ * 1. Redistributions of source code must retain the above copyright4536
+ * notice, this list of conditions and the following disclaimer. 4537
+ *4538
+ * 2. Redistributions in binary form must reproduce the above copyright4539
+ * notice, this list of conditions and the following disclaimer in4540
+ * the documentation and/or other materials provided with the4541
+ * distribution.4542
+ *4543
+ * 3. All advertising materials mentioning features or use of this4544
+ * software must display the following acknowledgment:4545
+ * "This product includes software developed by the OpenSSL Project4546
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"4547
+ *4548
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to4549
+ * endorse or promote products derived from this software without4550
+ * prior written permission. For written permission, please contact4551
+ * licensing@OpenSSL.org.4552
+ *4553
+ * 5. Products derived from this software may not be called "OpenSSL"4554
+ * nor may "OpenSSL" appear in their names without prior written4555
+ * permission of the OpenSSL Project.4556
+ *4557
+ * 6. Redistributions of any form whatsoever must retain the following4558
+ * acknowledgment:4559
+ * "This product includes software developed by the OpenSSL Project4560
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"4561
+ *4562
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY4563
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE4564
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR4565
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR4566
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,4567
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT4568
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;4569
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)4570
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,4571
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)4572
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED4573
+ * OF THE POSSIBILITY OF SUCH DAMAGE.4574
+ * ====================================================================4575
+ */4576
+4577
+#include <string.h>4578
+#include <openssl/crypto.h>4579
+#include <openssl/err.h>4580
+#include <openssl/fips.h>4581
+#include <openssl/fips_rand.h>4582
+#include "fips_rand_lcl.h"4583
+#include "fips_locl.h"4584
+4585
+#include "fips_drbg_selftest.h"4586
+4587
+typedef struct {4588
+ int post;4589
+ int nid;4590
+ unsigned int flags;4591
+4592
+ /* KAT data for no PR */4593
+ const unsigned char *ent;4594
+ size_t entlen;4595
+ const unsigned char *nonce;4596
+ size_t noncelen;4597
+ const unsigned char *pers;4598
+ size_t perslen;4599
+ const unsigned char *adin;4600
+ size_t adinlen;4601
+ const unsigned char *entreseed;4602
+ size_t entreseedlen;4603
+ const unsigned char *adinreseed;4604
+ size_t adinreseedlen;4605
+ const unsigned char *adin2;4606
+ size_t adin2len;4607
+ const unsigned char *kat;4608
+ size_t katlen;4609
+ const unsigned char *kat2;4610
+ size_t kat2len;4611
+4612
+ /* KAT data for PR */4613
+ const unsigned char *ent_pr;4614
+ size_t entlen_pr;4615
+ const unsigned char *nonce_pr;4616
+ size_t noncelen_pr;4617
+ const unsigned char *pers_pr;4618
+ size_t perslen_pr;4619
+ const unsigned char *adin_pr;4620
+ size_t adinlen_pr;4621
+ const unsigned char *entpr_pr;4622
+ size_t entprlen_pr;4623
+ const unsigned char *ading_pr;4624
+ size_t adinglen_pr;4625
+ const unsigned char *entg_pr;4626
+ size_t entglen_pr;4627
+ const unsigned char *kat_pr;4628
+ size_t katlen_pr;4629
+ const unsigned char *kat2_pr;4630
+ size_t kat2len_pr;4631
+4632
+} DRBG_SELFTEST_DATA;4633
+4634
+#define make_drbg_test_data(nid, flag, pr, p) {p, nid, flag | DRBG_FLAG_TEST, \4635
+ pr##_entropyinput, sizeof(pr##_entropyinput), \4636
+ pr##_nonce, sizeof(pr##_nonce), \4637
+ pr##_personalizationstring, sizeof(pr##_personalizationstring), \4638
+ pr##_additionalinput, sizeof(pr##_additionalinput), \4639
+ pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \4640
+ pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \4641
+ pr##_additionalinput2, sizeof(pr##_additionalinput2), \4642
+ pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \4643
+ pr##_returnedbits, sizeof(pr##_returnedbits), \4644
+ pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \4645
+ pr##_pr_nonce, sizeof(pr##_pr_nonce), \4646
+ pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \4647
+ pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \4648
+ pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \4649
+ pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \4650
+ pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \4651
+ pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \4652
+ pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits), \4653
+ }4654
+4655
+#define make_drbg_test_data_df(nid, pr, p) \4656
+ make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr, p)4657
+4658
+#define make_drbg_test_data_ec(curve, md, pr, p) \4659
+ make_drbg_test_data((curve << 16) | md , 0, pr, p)4660
+4661
+static DRBG_SELFTEST_DATA drbg_test[] = {4662
+ make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0),4663
+ make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0),4664
+ make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1),4665
+ make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df, 0),4666
+ make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df, 0),4667
+ make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df, 1),4668
+ make_drbg_test_data(NID_sha1, 0, sha1, 0),4669
+ make_drbg_test_data(NID_sha224, 0, sha224, 0),4670
+ make_drbg_test_data(NID_sha256, 0, sha256, 1),4671
+ make_drbg_test_data(NID_sha384, 0, sha384, 0),4672
+ make_drbg_test_data(NID_sha512, 0, sha512, 0),4673
+ make_drbg_test_data(NID_hmacWithSHA1, 0, hmac_sha1, 0),4674
+ make_drbg_test_data(NID_hmacWithSHA224, 0, hmac_sha224, 0),4675
+ make_drbg_test_data(NID_hmacWithSHA256, 0, hmac_sha256, 1),4676
+ make_drbg_test_data(NID_hmacWithSHA384, 0, hmac_sha384, 0),4677
+ make_drbg_test_data(NID_hmacWithSHA512, 0, hmac_sha512, 0),4678
+ {0, 0, 0}4679
+};4680
+4681
+typedef struct {4682
+ const unsigned char *ent;4683
+ size_t entlen;4684
+ int entcnt;4685
+ const unsigned char *nonce;4686
+ size_t noncelen;4687
+ int noncecnt;4688
+} TEST_ENT;4689
+4690
+static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,4691
+ int entropy, size_t min_len, size_t max_len)4692
+{4693
+ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);4694
+ *pout = (unsigned char *)t->ent;4695
+ t->entcnt++;4696
+ return t->entlen;4697
+}4698
+4699
+static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,4700
+ int entropy, size_t min_len, size_t max_len)4701
+{4702
+ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);4703
+ *pout = (unsigned char *)t->nonce;4704
+ t->noncecnt++;4705
+ return t->noncelen;4706
+}4707
+4708
+static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td,4709
+ int quick)4710
+{4711
+ TEST_ENT t;4712
+ int rv = 0;4713
+ size_t adinlen;4714
+ unsigned char randout[1024];4715
+4716
+ /* Initial test without PR */4717
+4718
+ /* Instantiate DRBG with test entropy, nonce and personalisation4719
+ * string.4720
+ */4721
+4722
+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))4723
+ return 0;4724
+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))4725
+ return 0;4726
+4727
+ FIPS_drbg_set_app_data(dctx, &t);4728
+4729
+ t.ent = td->ent;4730
+ t.entlen = td->entlen;4731
+ t.nonce = td->nonce;4732
+ t.noncelen = td->noncelen;4733
+ t.entcnt = 0;4734
+ t.noncecnt = 0;4735
+4736
+ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))4737
+ goto err;4738
+4739
+ /* Note for CTR without DF some additional input values4740
+ * ignore bytes after the keylength: so reduce adinlen4741
+ * to half to ensure invalid data is fed in.4742
+ */4743
+ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))4744
+ adinlen = td->adinlen / 2;4745
+ else4746
+ adinlen = td->adinlen;4747
+4748
+ /* Generate with no PR and verify output matches expected data */4749
+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, td->adin, adinlen))4750
+ goto err;4751
+4752
+ if (memcmp(randout, td->kat, td->katlen)) {4753
+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST1_FAILURE);4754
+ goto err2;4755
+ }4756
+ /* If abbreviated POST end of test */4757
+ if (quick) {4758
+ rv = 1;4759
+ goto err;4760
+ }4761
+ /* Reseed DRBG with test entropy and additional input */4762
+ t.ent = td->entreseed;4763
+ t.entlen = td->entreseedlen;4764
+4765
+ if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen))4766
+ goto err;4767
+4768
+ /* Generate with no PR and verify output matches expected data */4769
+ if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0,4770
+ td->adin2, td->adin2len))4771
+ goto err;4772
+4773
+ if (memcmp(randout, td->kat2, td->kat2len)) {4774
+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST2_FAILURE);4775
+ goto err2;4776
+ }4777
+4778
+ FIPS_drbg_uninstantiate(dctx);4779
+4780
+ /* Now test with PR */4781
+4782
+ /* Instantiate DRBG with test entropy, nonce and personalisation4783
+ * string.4784
+ */4785
+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))4786
+ return 0;4787
+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))4788
+ return 0;4789
+4790
+ FIPS_drbg_set_app_data(dctx, &t);4791
+4792
+ t.ent = td->ent_pr;4793
+ t.entlen = td->entlen_pr;4794
+ t.nonce = td->nonce_pr;4795
+ t.noncelen = td->noncelen_pr;4796
+ t.entcnt = 0;4797
+ t.noncecnt = 0;4798
+4799
+ if (!FIPS_drbg_instantiate(dctx, td->pers_pr, td->perslen_pr))4800
+ goto err;4801
+4802
+ /* Now generate with PR: we need to supply entropy as this will4803
+ * perform a reseed operation. Check output matches expected value.4804
+ */4805
+4806
+ t.ent = td->entpr_pr;4807
+ t.entlen = td->entprlen_pr;4808
+4809
+ /* Note for CTR without DF some additional input values4810
+ * ignore bytes after the keylength: so reduce adinlen4811
+ * to half to ensure invalid data is fed in.4812
+ */4813
+ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))4814
+ adinlen = td->adinlen_pr / 2;4815
+ else4816
+ adinlen = td->adinlen_pr;4817
+ if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 1,4818
+ td->adin_pr, adinlen))4819
+ goto err;4820
+4821
+ if (memcmp(randout, td->kat_pr, td->katlen_pr)) {4822
+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST1_FAILURE);4823
+ goto err2;4824
+ }4825
+4826
+ /* Now generate again with PR: supply new entropy again.4827
+ * Check output matches expected value.4828
+ */4829
+4830
+ t.ent = td->entg_pr;4831
+ t.entlen = td->entglen_pr;4832
+4833
+ if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 1,4834
+ td->ading_pr, td->adinglen_pr))4835
+ goto err;4836
+4837
+ if (memcmp(randout, td->kat2_pr, td->kat2len_pr)) {4838
+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST2_FAILURE);4839
+ goto err2;4840
+ }4841
+ /* All OK, test complete */4842
+ rv = 1;4843
+4844
+ err:4845
+ if (rv == 0)4846
+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED);4847
+ err2:4848
+ FIPS_drbg_uninstantiate(dctx);4849
+4850
+ return rv;4851
+4852
+}4853
+4854
+/* Initialise a DRBG based on selftest data */4855
+4856
+static int do_drbg_init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, TEST_ENT * t)4857
+{4858
+4859
+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))4860
+ return 0;4861
+4862
+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))4863
+ return 0;4864
+4865
+ FIPS_drbg_set_app_data(dctx, t);4866
+4867
+ t->ent = td->ent;4868
+ t->entlen = td->entlen;4869
+ t->nonce = td->nonce;4870
+ t->noncelen = td->noncelen;4871
+ t->entcnt = 0;4872
+ t->noncecnt = 0;4873
+ return 1;4874
+}4875
+4876
+/* Initialise and instantiate DRBG based on selftest data */4877
+static int do_drbg_instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td,4878
+ TEST_ENT * t)4879
+{4880
+ if (!do_drbg_init(dctx, td, t))4881
+ return 0;4882
+ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))4883
+ return 0;4884
+4885
+ return 1;4886
+}4887
+4888
+/* This function performs extensive error checking as required by SP800-90.4889
+ * Induce several failure modes and check an error condition is set.4890
+ * This function along with fips_drbg_single_kat peforms the health checking4891
+ * operation.4892
+ */4893
+4894
+static int fips_drbg_error_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td)4895
+{4896
+ unsigned char randout[1024];4897
+ TEST_ENT t;4898
+ size_t i;4899
+ unsigned int reseed_counter_tmp;4900
+ unsigned char *p = (unsigned char *)dctx;4901
+4902
+ /* Initialise DRBG */4903
+4904
+ if (!do_drbg_init(dctx, td, &t))4905
+ goto err;4906
+4907
+ /* Don't report induced errors */4908
+ dctx->iflags |= DRBG_FLAG_NOERR;4909
+4910
+ /* Personalisation string tests */4911
+4912
+ /* Test detection of too large personlisation string */4913
+4914
+ if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0) {4915
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,4916
+ FIPS_R_PERSONALISATION_ERROR_UNDETECTED);4917
+ goto err;4918
+ }4919
+4920
+ /* Entropy source tests */4921
+4922
+ /* Test entropy source failure detecion: i.e. returns no data */4923
+4924
+ t.entlen = 0;4925
+4926
+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {4927
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,4928
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);4929
+ goto err;4930
+ }4931
+4932
+ /* Try to generate output from uninstantiated DRBG */4933
+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,4934
+ td->adin, td->adinlen)) {4935
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,4936
+ FIPS_R_GENERATE_ERROR_UNDETECTED);4937
+ goto err;4938
+ }4939
+4940
+ dctx->iflags &= ~DRBG_FLAG_NOERR;4941
+ if (!FIPS_drbg_uninstantiate(dctx)) {4942
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);4943
+ goto err;4944
+ }4945
+4946
+ if (!do_drbg_init(dctx, td, &t))4947
+ goto err;4948
+4949
+ dctx->iflags |= DRBG_FLAG_NOERR;4950
+4951
+ /* Test insufficient entropy */4952
+4953
+ t.entlen = dctx->min_entropy - 1;4954
+4955
+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {4956
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,4957
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);4958
+ goto err;4959
+ }4960
+4961
+ dctx->iflags &= ~DRBG_FLAG_NOERR;4962
+ if (!FIPS_drbg_uninstantiate(dctx)) {4963
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);4964
+ goto err;4965
+ }4966
+4967
+ /* Test too much entropy */4968
+4969
+ if (!do_drbg_init(dctx, td, &t))4970
+ goto err;4971
+4972
+ dctx->iflags |= DRBG_FLAG_NOERR;4973
+4974
+ t.entlen = dctx->max_entropy + 1;4975
+4976
+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {4977
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,4978
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);4979
+ goto err;4980
+ }4981
+4982
+ dctx->iflags &= ~DRBG_FLAG_NOERR;4983
+ if (!FIPS_drbg_uninstantiate(dctx)) {4984
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);4985
+ goto err;4986
+ }4987
+4988
+ /* Nonce tests */4989
+4990
+ /* Test too small nonce */4991
+4992
+ if (dctx->min_nonce) {4993
+4994
+ if (!do_drbg_init(dctx, td, &t))4995
+ goto err;4996
+4997
+ dctx->iflags |= DRBG_FLAG_NOERR;4998
+4999
+ t.noncelen = dctx->min_nonce - 1;5000
+5001
+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {5002
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,5003
+ FIPS_R_NONCE_ERROR_UNDETECTED);5004
+ goto err;5005
+ }5006
+5007
+ dctx->iflags &= ~DRBG_FLAG_NOERR;5008
+ if (!FIPS_drbg_uninstantiate(dctx)) {5009
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);5010
+ goto err;5011
+ }5012
+5013
+ }5014
+5015
+ /* Test too large nonce */5016
+5017
+ if (dctx->max_nonce) {5018
+5019
+ if (!do_drbg_init(dctx, td, &t))5020
+ goto err;5021
+5022
+ dctx->iflags |= DRBG_FLAG_NOERR;5023
+5024
+ t.noncelen = dctx->max_nonce + 1;5025
+5026
+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {5027
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,5028
+ FIPS_R_NONCE_ERROR_UNDETECTED);5029
+ goto err;5030
+ }5031
+5032
+ dctx->iflags &= ~DRBG_FLAG_NOERR;5033
+ if (!FIPS_drbg_uninstantiate(dctx)) {5034
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);5035
+ goto err;5036
+ }5037
+5038
+ }5039
+5040
+ /* Instantiate with valid data. */5041
+ if (!do_drbg_instantiate(dctx, td, &t))5042
+ goto err;5043
+5044
+ /* Check generation is now OK */5045
+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,5046
+ td->adin, td->adinlen))5047
+ goto err;5048
+5049
+ dctx->iflags |= DRBG_FLAG_NOERR;5050
+5051
+ /* Request too much data for one request */5052
+ if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0,5053
+ td->adin, td->adinlen)) {5054
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,5055
+ FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED);5056
+ goto err;5057
+ }5058
+5059
+ /* Try too large additional input */5060
+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,5061
+ td->adin, dctx->max_adin + 1)) {5062
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,5063
+ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);5064
+ goto err;5065
+ }5066
+5067
+ /* Check prediction resistance request fails if entropy source5068
+ * failure.5069
+ */5070
+5071
+ t.entlen = 0;5072
+5073
+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,5074
+ td->adin, td->adinlen)) {5075
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,5076
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);5077
+ goto err;5078
+ }5079
+5080
+ dctx->iflags &= ~DRBG_FLAG_NOERR;5081
+ if (!FIPS_drbg_uninstantiate(dctx)) {5082
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);5083
+ goto err;5084
+ }5085
+5086
+ /* Instantiate again with valid data */5087
+5088
+ if (!do_drbg_instantiate(dctx, td, &t))5089
+ goto err;5090
+ /* Test reseed counter works */5091
+ /* Save initial reseed counter */5092
+ reseed_counter_tmp = dctx->reseed_counter;5093
+ /* Set reseed counter to beyond interval */5094
+ dctx->reseed_counter = dctx->reseed_interval;5095
+5096
+ /* Generate output and check entropy has been requested for reseed */5097
+ t.entcnt = 0;5098
+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,5099
+ td->adin, td->adinlen))5100
+ goto err;5101
+ if (t.entcnt != 1) {5102
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,5103
+ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);5104
+ goto err;5105
+ }5106
+ /* Check reseed counter has been reset */5107
+ if (dctx->reseed_counter != reseed_counter_tmp + 1) {5108
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);5109
+ goto err;5110
+ }5111
+5112
+ dctx->iflags &= ~DRBG_FLAG_NOERR;5113
+ if (!FIPS_drbg_uninstantiate(dctx)) {5114
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);5115
+ goto err;5116
+ }5117
+5118
+ /* Check prediction resistance request fails if entropy source5119
+ * failure.5120
+ */5121
+5122
+ t.entlen = 0;5123
+5124
+ dctx->iflags |= DRBG_FLAG_NOERR;5125
+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,5126
+ td->adin, td->adinlen)) {5127
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,5128
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);5129
+ goto err;5130
+ }5131
+5132
+ dctx->iflags &= ~DRBG_FLAG_NOERR;5133
+5134
+ if (!FIPS_drbg_uninstantiate(dctx)) {5135
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);5136
+ goto err;5137
+ }5138
+5139
+ if (!do_drbg_instantiate(dctx, td, &t))5140
+ goto err;5141
+ /* Test reseed counter works */5142
+ /* Save initial reseed counter */5143
+ reseed_counter_tmp = dctx->reseed_counter;5144
+ /* Set reseed counter to beyond interval */5145
+ dctx->reseed_counter = dctx->reseed_interval;5146
+5147
+ /* Generate output and check entropy has been requested for reseed */5148
+ t.entcnt = 0;5149
+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,5150
+ td->adin, td->adinlen))5151
+ goto err;5152
+ if (t.entcnt != 1) {5153
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,5154
+ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);5155
+ goto err;5156
+ }5157
+ /* Check reseed counter has been reset */5158
+ if (dctx->reseed_counter != reseed_counter_tmp + 1) {5159
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);5160
+ goto err;5161
+ }5162
+5163
+ dctx->iflags &= ~DRBG_FLAG_NOERR;5164
+ if (!FIPS_drbg_uninstantiate(dctx)) {5165
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);5166
+ goto err;5167
+ }5168
+5169
+ /* Explicit reseed tests */5170
+5171
+ /* Test explicit reseed with too large additional input */5172
+ if (!do_drbg_init(dctx, td, &t))5173
+ goto err;5174
+5175
+ dctx->iflags |= DRBG_FLAG_NOERR;5176
+5177
+ if (FIPS_drbg_reseed(dctx, td->adin, dctx->max_adin + 1) > 0) {5178
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,5179
+ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);5180
+ goto err;5181
+ }5182
+5183
+ /* Test explicit reseed with entropy source failure */5184
+5185
+ t.entlen = 0;5186
+5187
+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {5188
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,5189
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);5190
+ goto err;5191
+ }5192
+5193
+ if (!FIPS_drbg_uninstantiate(dctx)) {5194
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);5195
+ goto err;5196
+ }5197
+5198
+ /* Test explicit reseed with too much entropy */5199
+5200
+ if (!do_drbg_init(dctx, td, &t))5201
+ goto err;5202
+5203
+ dctx->iflags |= DRBG_FLAG_NOERR;5204
+5205
+ t.entlen = dctx->max_entropy + 1;5206
+5207
+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {5208
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,5209
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);5210
+ goto err;5211
+ }5212
+5213
+ if (!FIPS_drbg_uninstantiate(dctx)) {5214
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);5215
+ goto err;5216
+ }5217
+5218
+ /* Test explicit reseed with too little entropy */5219
+5220
+ if (!do_drbg_init(dctx, td, &t))5221
+ goto err;5222
+5223
+ dctx->iflags |= DRBG_FLAG_NOERR;5224
+5225
+ t.entlen = dctx->min_entropy - 1;5226
+5227
+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {5228
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,5229
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);5230
+ goto err;5231
+ }5232
+5233
+ if (!FIPS_drbg_uninstantiate(dctx)) {5234
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);5235
+ goto err;5236
+ }5237
+5238
+ p = (unsigned char *)&dctx->d;5239
+ /* Standard says we have to check uninstantiate really zeroes5240
+ * the data...5241
+ */5242
+ for (i = 0; i < sizeof(dctx->d); i++) {5243
+ if (*p != 0) {5244
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,5245
+ FIPS_R_UNINSTANTIATE_ZEROISE_ERROR);5246
+ goto err;5247
+ }5248
+ p++;5249
+ }5250
+5251
+ return 1;5252
+5253
+ err:5254
+ /* A real error as opposed to an induced one: underlying function will5255
+ * indicate the error.5256
+ */5257
+ if (!(dctx->iflags & DRBG_FLAG_NOERR))5258
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_FUNCTION_ERROR);5259
+ FIPS_drbg_uninstantiate(dctx);5260
+ return 0;5261
+5262
+}5263
+5264
+int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags)5265
+{5266
+ DRBG_SELFTEST_DATA *td;5267
+ flags |= DRBG_FLAG_TEST;5268
+ for (td = drbg_test; td->nid != 0; td++) {5269
+ if (td->nid == nid && td->flags == flags) {5270
+ if (!fips_drbg_single_kat(dctx, td, 0))5271
+ return 0;5272
+ return fips_drbg_error_check(dctx, td);5273
+ }5274
+ }5275
+ return 0;5276
+}5277
+5278
+int FIPS_drbg_health_check(DRBG_CTX *dctx)5279
+{5280
+ int rv;5281
+ DRBG_CTX *tctx = NULL;5282
+ tctx = FIPS_drbg_new(0, 0);5283
+ fips_post_started(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);5284
+ if (!tctx)5285
+ return 0;5286
+ rv = fips_drbg_kat(tctx, dctx->type, dctx->xflags);5287
+ if (tctx)5288
+ FIPS_drbg_free(tctx);5289
+ if (rv)5290
+ fips_post_success(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);5291
+ else5292
+ fips_post_failed(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);5293
+ if (!rv)5294
+ dctx->status = DRBG_STATUS_ERROR;5295
+ else5296
+ dctx->health_check_cnt = 0;5297
+ return rv;5298
+}5299
+5300
+int FIPS_selftest_drbg(void)5301
+{5302
+ DRBG_CTX *dctx;5303
+ DRBG_SELFTEST_DATA *td;5304
+ int rv = 1;5305
+ dctx = FIPS_drbg_new(0, 0);5306
+ if (!dctx)5307
+ return 0;5308
+ for (td = drbg_test; td->nid != 0; td++) {5309
+ if (td->post != 1)5310
+ continue;5311
+ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))5312
+ return 1;5313
+ if (!fips_drbg_single_kat(dctx, td, 1)) {5314
+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);5315
+ rv = 0;5316
+ continue;5317
+ }5318
+ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))5319
+ return 0;5320
+ }5321
+ FIPS_drbg_free(dctx);5322
+ return rv;5323
+}5324
+5325
+int FIPS_selftest_drbg_all(void)5326
+{5327
+ DRBG_CTX *dctx;5328
+ DRBG_SELFTEST_DATA *td;5329
+ int rv = 1;5330
+ dctx = FIPS_drbg_new(0, 0);5331
+ if (!dctx)5332
+ return 0;5333
+ for (td = drbg_test; td->nid != 0; td++) {5334
+ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))5335
+ return 1;5336
+ if (!fips_drbg_single_kat(dctx, td, 0)) {5337
+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);5338
+ rv = 0;5339
+ continue;5340
+ }5341
+ if (!fips_drbg_error_check(dctx, td)) {5342
+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);5343
+ rv = 0;5344
+ continue;5345
+ }5346
+ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))5347
+ return 0;5348
+ }5349
+ FIPS_drbg_free(dctx);5350
+ return rv;5351
+}5352
diff -up openssl-1.1.1j/crypto/fips/fips_drbg_selftest.h.fips openssl-1.1.1j/crypto/fips/fips_drbg_selftest.h5353
--- openssl-1.1.1j/crypto/fips/fips_drbg_selftest.h.fips 2021-03-03 12:57:42.200734534 +01005354
+++ openssl-1.1.1j/crypto/fips/fips_drbg_selftest.h 2021-03-03 12:57:42.200734534 +01005355
5356
+/* ====================================================================5357
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.5358
+ *5359
+ * Redistribution and use in source and binary forms, with or without5360
+ * modification, are permitted provided that the following conditions5361
+ * are met:5362
+ *5363
+ * 1. Redistributions of source code must retain the above copyright5364
+ * notice, this list of conditions and the following disclaimer. 5365
+ *5366
+ * 2. Redistributions in binary form must reproduce the above copyright5367
+ * notice, this list of conditions and the following disclaimer in5368
+ * the documentation and/or other materials provided with the5369
+ * distribution.5370
+ *5371
+ * 3. All advertising materials mentioning features or use of this5372
+ * software must display the following acknowledgment:5373
+ * "This product includes software developed by the OpenSSL Project5374
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"5375
+ *5376
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to5377
+ * endorse or promote products derived from this software without5378
+ * prior written permission. For written permission, please contact5379
+ * openssl-core.org.5380
+ *5381
+ * 5. Products derived from this software may not be called "OpenSSL"5382
+ * nor may "OpenSSL" appear in their names without prior written5383
+ * permission of the OpenSSL Project.5384
+ *5385
+ * 6. Redistributions of any form whatsoever must retain the following5386
+ * acknowledgment:5387
+ * "This product includes software developed by the OpenSSL Project5388
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"5389
+ *5390
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY5391
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE5392
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR5393
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR5394
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,5395
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT5396
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;5397
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)5398
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,5399
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)5400
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED5401
+ * OF THE POSSIBILITY OF SUCH DAMAGE.5402
+ *5403
+ */5404
+5405
+/* Selftest and health check data for the SP800-90 DRBG */5406
+5407
+#define __fips_constseg5408
+5409
+/* AES-128 use df PR */5410
+__fips_constseg static const unsigned char aes_128_use_df_pr_entropyinput[] = {5411
+ 0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33,5412
+ 0xc8, 0xdb, 0xff, 0x125413
+};5414
+5415
+__fips_constseg static const unsigned char aes_128_use_df_pr_nonce[] = {5416
+ 0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x285417
+};5418
+5419
+__fips_constseg5420
+ static const unsigned char aes_128_use_df_pr_personalizationstring[] = {5421
+ 0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe,5422
+ 0xd7, 0xd7, 0x01, 0x675423
+};5424
+5425
+__fips_constseg5426
+ static const unsigned char aes_128_use_df_pr_additionalinput[] = {5427
+ 0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e,5428
+ 0x9a, 0x47, 0x08, 0x765429
+};5430
+5431
+__fips_constseg5432
+ static const unsigned char aes_128_use_df_pr_entropyinputpr[] = {5433
+ 0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51,5434
+ 0x09, 0xfb, 0xa3, 0xb65435
+};5436
+5437
+__fips_constseg5438
+ static const unsigned char aes_128_use_df_pr_int_returnedbits[] = {5439
+ 0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52,5440
+ 0x66, 0x1c, 0xea, 0x5b5441
+};5442
+5443
+__fips_constseg5444
+ static const unsigned char aes_128_use_df_pr_additionalinput2[] = {5445
+ 0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11,5446
+ 0x3f, 0x5e, 0x31, 0x065447
+};5448
+5449
+__fips_constseg5450
+ static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = {5451
+ 0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae,5452
+ 0xa7, 0xe3, 0xa8, 0x675453
+};5454
+5455
+__fips_constseg static const unsigned char aes_128_use_df_pr_returnedbits[] = {5456
+ 0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24,5457
+ 0x0f, 0x38, 0x43, 0xc65458
+};5459
+5460
+/* AES-128 use df No PR */5461
+__fips_constseg static const unsigned char aes_128_use_df_entropyinput[] = {5462
+ 0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3,5463
+ 0x9d, 0x7d, 0x1c, 0x9b5464
+};5465
+5466
+__fips_constseg static const unsigned char aes_128_use_df_nonce[] = {5467
+ 0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x965468
+};5469
+5470
+__fips_constseg5471
+ static const unsigned char aes_128_use_df_personalizationstring[] = {5472
+ 0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3,5473
+ 0x38, 0x66, 0xba, 0x1b5474
+};5475
+5476
+__fips_constseg static const unsigned char aes_128_use_df_additionalinput[] = {5477
+ 0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46,5478
+ 0xb5, 0xe2, 0xb2, 0x415479
+};5480
+5481
+__fips_constseg static const unsigned char aes_128_use_df_int_returnedbits[] = {5482
+ 0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67,5483
+ 0xe7, 0x57, 0x11, 0xb45484
+};5485
+5486
+__fips_constseg5487
+ static const unsigned char aes_128_use_df_entropyinputreseed[] = {5488
+ 0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b,5489
+ 0xc7, 0xc4, 0x9e, 0x395490
+};5491
+5492
+__fips_constseg5493
+ static const unsigned char aes_128_use_df_additionalinputreseed[] = {5494
+ 0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a,5495
+ 0xc8, 0x93, 0xfa, 0x845496
+};5497
+5498
+__fips_constseg static const unsigned char aes_128_use_df_additionalinput2[] = {5499
+ 0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5,5500
+ 0x06, 0x0c, 0x15, 0x2c5501
+};5502
+5503
+__fips_constseg static const unsigned char aes_128_use_df_returnedbits[] = {5504
+ 0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88,5505
+ 0x46, 0x81, 0xc7, 0x195506
+};5507
+5508
+/* AES-192 use df PR */5509
+__fips_constseg static const unsigned char aes_192_use_df_pr_entropyinput[] = {5510
+ 0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec,5511
+ 0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d5512
+};5513
+5514
+__fips_constseg static const unsigned char aes_192_use_df_pr_nonce[] = {5515
+ 0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0,5516
+ 0xd1, 0x80, 0x78, 0xfa5517
+};5518
+5519
+__fips_constseg5520
+ static const unsigned char aes_192_use_df_pr_personalizationstring[] = {5521
+ 0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16,5522
+ 0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5,5523
+ 0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x045524
+};5525
+5526
+__fips_constseg5527
+ static const unsigned char aes_192_use_df_pr_additionalinput[] = {5528
+ 0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac,5529
+ 0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb,5530
+ 0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x365531
+};5532
+5533
+__fips_constseg5534
+ static const unsigned char aes_192_use_df_pr_entropyinputpr[] = {5535
+ 0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5,5536
+ 0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd55537
+};5538
+5539
+__fips_constseg5540
+ static const unsigned char aes_192_use_df_pr_int_returnedbits[] = {5541
+ 0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9,5542
+ 0x19, 0x30, 0x6b, 0x675543
+};5544
+5545
+__fips_constseg5546
+ static const unsigned char aes_192_use_df_pr_additionalinput2[] = {5547
+ 0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32,5548
+ 0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda,5549
+ 0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x995550
+};5551
+5552
+__fips_constseg5553
+ static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = {5554
+ 0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0,5555
+ 0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e5556
+};5557
+5558
+__fips_constseg static const unsigned char aes_192_use_df_pr_returnedbits[] = {5559
+ 0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c,5560
+ 0x7e, 0x1a, 0x2b, 0x835561
+};5562
+5563
+/* AES-192 use df No PR */5564
+__fips_constseg static const unsigned char aes_192_use_df_entropyinput[] = {5565
+ 0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82,5566
+ 0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b5567
+};5568
+5569
+__fips_constseg static const unsigned char aes_192_use_df_nonce[] = {5570
+ 0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d,5571
+ 0x77, 0xd7, 0x41, 0x0e5572
+};5573
+5574
+__fips_constseg5575
+ static const unsigned char aes_192_use_df_personalizationstring[] = {5576
+ 0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf,5577
+ 0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65,5578
+ 0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x705579
+};5580
+5581
+__fips_constseg static const unsigned char aes_192_use_df_additionalinput[] = {5582
+ 0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69,5583
+ 0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22,5584
+ 0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd75585
+};5586
+5587
+__fips_constseg static const unsigned char aes_192_use_df_int_returnedbits[] = {5588
+ 0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6,5589
+ 0xb7, 0xed, 0xe9, 0xea5590
+};5591
+5592
+__fips_constseg5593
+ static const unsigned char aes_192_use_df_entropyinputreseed[] = {5594
+ 0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02,5595
+ 0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x015596
+};5597
+5598
+__fips_constseg5599
+ static const unsigned char aes_192_use_df_additionalinputreseed[] = {5600
+ 0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76,5601
+ 0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77,5602
+ 0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x655603
+};5604
+5605
+__fips_constseg static const unsigned char aes_192_use_df_additionalinput2[] = {5606
+ 0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e,5607
+ 0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0,5608
+ 0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x775609
+};5610
+5611
+__fips_constseg static const unsigned char aes_192_use_df_returnedbits[] = {5612
+ 0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58,5613
+ 0x1a, 0xf9, 0x13, 0x285614
+};5615
+5616
+/* AES-256 use df PR */5617
+__fips_constseg static const unsigned char aes_256_use_df_pr_entropyinput[] = {5618
+ 0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74,5619
+ 0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f,5620
+ 0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a5621
+};5622
+5623
+__fips_constseg static const unsigned char aes_256_use_df_pr_nonce[] = {5624
+ 0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33,5625
+ 0x2b, 0x36, 0xff, 0xa45626
+};5627
+5628
+__fips_constseg5629
+ static const unsigned char aes_256_use_df_pr_personalizationstring[] = {5630
+ 0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24,5631
+ 0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83,5632
+ 0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d5633
+};5634
+5635
+__fips_constseg5636
+ static const unsigned char aes_256_use_df_pr_additionalinput[] = {5637
+ 0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0,5638
+ 0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3,5639
+ 0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde5640
+};5641
+5642
+__fips_constseg5643
+ static const unsigned char aes_256_use_df_pr_entropyinputpr[] = {5644
+ 0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77,5645
+ 0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54,5646
+ 0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa95647
+};5648
+5649
+__fips_constseg5650
+ static const unsigned char aes_256_use_df_pr_int_returnedbits[] = {5651
+ 0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7,5652
+ 0x17, 0xab, 0x3c, 0x7a5653
+};5654
+5655
+__fips_constseg5656
+ static const unsigned char aes_256_use_df_pr_additionalinput2[] = {5657
+ 0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00,5658
+ 0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78,5659
+ 0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc35660
+};5661
+5662
+__fips_constseg5663
+ static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = {5664
+ 0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73,5665
+ 0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8,5666
+ 0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f5667
+};5668
+5669
+__fips_constseg static const unsigned char aes_256_use_df_pr_returnedbits[] = {5670
+ 0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0,5671
+ 0xd9, 0xe2, 0x97, 0x005672
+};5673
+5674
+/* AES-256 use df No PR */5675
+__fips_constseg static const unsigned char aes_256_use_df_entropyinput[] = {5676
+ 0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50,5677
+ 0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68,5678
+ 0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x475679
+};5680
+5681
+__fips_constseg static const unsigned char aes_256_use_df_nonce[] = {5682
+ 0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a,5683
+ 0x4c, 0x44, 0x84, 0x405684
+};5685
+5686
+__fips_constseg5687
+ static const unsigned char aes_256_use_df_personalizationstring[] = {5688
+ 0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05,5689
+ 0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b,5690
+ 0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd25691
+};5692
+5693
+__fips_constseg static const unsigned char aes_256_use_df_additionalinput[] = {5694
+ 0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f,5695
+ 0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf,5696
+ 0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x465697
+};5698
+5699
+__fips_constseg static const unsigned char aes_256_use_df_int_returnedbits[] = {5700
+ 0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1,5701
+ 0x28, 0x0c, 0x3b, 0xc15702
+};5703
+5704
+__fips_constseg5705
+ static const unsigned char aes_256_use_df_entropyinputreseed[] = {5706
+ 0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76,5707
+ 0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46,5708
+ 0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e5709
+};5710
+5711
+__fips_constseg5712
+ static const unsigned char aes_256_use_df_additionalinputreseed[] = {5713
+ 0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99,5714
+ 0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75,5715
+ 0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x755716
+};5717
+5718
+__fips_constseg static const unsigned char aes_256_use_df_additionalinput2[] = {5719
+ 0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d,5720
+ 0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a,5721
+ 0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d5722
+};5723
+5724
+__fips_constseg static const unsigned char aes_256_use_df_returnedbits[] = {5725
+ 0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad,5726
+ 0xfa, 0xfd, 0x35, 0x5e5727
+};5728
+5729
+/* AES-128 no df PR */5730
+__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinput[] = {5731
+ 0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4,5732
+ 0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf,5733
+ 0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a5734
+};5735
+5736
+__fips_constseg static const unsigned char aes_128_no_df_pr_nonce[] = {5737
+ 0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf15738
+};5739
+5740
+__fips_constseg5741
+ static const unsigned char aes_128_no_df_pr_personalizationstring[] = {5742
+ 0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c,5743
+ 0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c,5744
+ 0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa85745
+};5746
+5747
+__fips_constseg5748
+ static const unsigned char aes_128_no_df_pr_additionalinput[] = {5749
+ 0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02,5750
+ 0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73,5751
+ 0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x125752
+};5753
+5754
+__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinputpr[] = {5755
+ 0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a,5756
+ 0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7,5757
+ 0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e5758
+};5759
+5760
+__fips_constseg5761
+ static const unsigned char aes_128_no_df_pr_int_returnedbits[] = {5762
+ 0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71,5763
+ 0xaf, 0x19, 0x32, 0x165764
+};5765
+5766
+__fips_constseg5767
+ static const unsigned char aes_128_no_df_pr_additionalinput2[] = {5768
+ 0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f,5769
+ 0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83,5770
+ 0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x505771
+};5772
+5773
+__fips_constseg5774
+ static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = {5775
+ 0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a,5776
+ 0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07,5777
+ 0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf95778
+};5779
+5780
+__fips_constseg static const unsigned char aes_128_no_df_pr_returnedbits[] = {5781
+ 0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33,5782
+ 0x57, 0x82, 0x33, 0xaf5783
+};5784
+5785
+/* AES-128 no df No PR */5786
+__fips_constseg static const unsigned char aes_128_no_df_entropyinput[] = {5787
+ 0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67,5788
+ 0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42,5789
+ 0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x605790
+};5791
+5792
+__fips_constseg static const unsigned char aes_128_no_df_nonce[] = {5793
+ 0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x135794
+};5795
+5796
+__fips_constseg5797
+ static const unsigned char aes_128_no_df_personalizationstring[] = {5798
+ 0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb,5799
+ 0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b,5800
+ 0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce5801
+};5802
+5803
+__fips_constseg static const unsigned char aes_128_no_df_additionalinput[] = {5804
+ 0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37,5805
+ 0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24,5806
+ 0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x955807
+};5808
+5809
+__fips_constseg static const unsigned char aes_128_no_df_int_returnedbits[] = {5810
+ 0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6,5811
+ 0xed, 0x3e, 0x65, 0xc25812
+};5813
+5814
+__fips_constseg5815
+ static const unsigned char aes_128_no_df_entropyinputreseed[] = {5816
+ 0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66,5817
+ 0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1,5818
+ 0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x005819
+};5820
+5821
+__fips_constseg5822
+ static const unsigned char aes_128_no_df_additionalinputreseed[] = {5823
+ 0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2,5824
+ 0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4,5825
+ 0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb45826
+};5827
+5828
+__fips_constseg static const unsigned char aes_128_no_df_additionalinput2[] = {5829
+ 0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f,5830
+ 0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac,5831
+ 0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd65832
+};5833
+5834
+__fips_constseg static const unsigned char aes_128_no_df_returnedbits[] = {5835
+ 0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36,5836
+ 0x81, 0x37, 0x19, 0xd45837
+};5838
+5839
+/* AES-192 no df PR */5840
+__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinput[] = {5841
+ 0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7,5842
+ 0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61,5843
+ 0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a,5844
+ 0x17, 0x1f, 0x8d, 0x9a5845
+};5846
+5847
+__fips_constseg static const unsigned char aes_192_no_df_pr_nonce[] = {5848
+ 0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19,5849
+ 0x61, 0x5c, 0xee, 0x0f5850
+};5851
+5852
+__fips_constseg5853
+ static const unsigned char aes_192_no_df_pr_personalizationstring[] = {5854
+ 0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1,5855
+ 0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4,5856
+ 0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10,5857
+ 0x57, 0x2e, 0xe7, 0x555858
+};5859
+5860
+__fips_constseg5861
+ static const unsigned char aes_192_no_df_pr_additionalinput[] = {5862
+ 0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad,5863
+ 0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85,5864
+ 0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f,5865
+ 0xe2, 0xd0, 0x0c, 0x2f5866
+};5867
+5868
+__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinputpr[] = {5869
+ 0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94,5870
+ 0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb,5871
+ 0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58,5872
+ 0x1d, 0x30, 0xb3, 0x785873
+};5874
+5875
+__fips_constseg5876
+ static const unsigned char aes_192_no_df_pr_int_returnedbits[] = {5877
+ 0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40,5878
+ 0x7e, 0x3e, 0x0c, 0x265879
+};5880
+5881
+__fips_constseg5882
+ static const unsigned char aes_192_no_df_pr_additionalinput2[] = {5883
+ 0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a,5884
+ 0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57,5885
+ 0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee,5886
+ 0x0c, 0x4b, 0xee, 0x6e5887
+};5888
+5889
+__fips_constseg5890
+ static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = {5891
+ 0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0,5892
+ 0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f,5893
+ 0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b,5894
+ 0x8e, 0x0a, 0x83, 0xdf5895
+};5896
+5897
+__fips_constseg static const unsigned char aes_192_no_df_pr_returnedbits[] = {5898
+ 0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91,5899
+ 0xb9, 0xa1, 0x21, 0x685900
+};5901
+5902
+/* AES-192 no df No PR */5903
+__fips_constseg static const unsigned char aes_192_no_df_entropyinput[] = {5904
+ 0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e,5905
+ 0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe,5906
+ 0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28,5907
+ 0x94, 0xc3, 0x59, 0x635908
+};5909
+5910
+__fips_constseg static const unsigned char aes_192_no_df_nonce[] = {5911
+ 0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb,5912
+ 0x29, 0xfd, 0x45, 0x715913
+};5914
+5915
+__fips_constseg5916
+ static const unsigned char aes_192_no_df_personalizationstring[] = {5917
+ 0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08,5918
+ 0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96,5919
+ 0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b,5920
+ 0x3b, 0x88, 0xce, 0x355921
+};5922
+5923
+__fips_constseg static const unsigned char aes_192_no_df_additionalinput[] = {5924
+ 0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b,5925
+ 0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71,5926
+ 0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3,5927
+ 0x3e, 0xbe, 0xd4, 0x8e5928
+};5929
+5930
+__fips_constseg static const unsigned char aes_192_no_df_int_returnedbits[] = {5931
+ 0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a,5932
+ 0x45, 0xe7, 0x4a, 0xc55933
+};5934
+5935
+__fips_constseg5936
+ static const unsigned char aes_192_no_df_entropyinputreseed[] = {5937
+ 0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e,5938
+ 0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1,5939
+ 0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33,5940
+ 0x9b, 0xcb, 0x7e, 0x755941
+};5942
+5943
+__fips_constseg5944
+ static const unsigned char aes_192_no_df_additionalinputreseed[] = {5945
+ 0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01,5946
+ 0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27,5947
+ 0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40,5948
+ 0x5d, 0x7a, 0x25, 0x795949
+};5950
+5951
+__fips_constseg static const unsigned char aes_192_no_df_additionalinput2[] = {5952
+ 0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71,5953
+ 0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5,5954
+ 0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a,5955
+ 0x91, 0x6a, 0xe3, 0x5f5956
+};5957
+5958
+__fips_constseg static const unsigned char aes_192_no_df_returnedbits[] = {5959
+ 0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8,5960
+ 0x66, 0x67, 0x2c, 0x925961
+};5962
+5963
+/* AES-256 no df PR */5964
+__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinput[] = {5965
+ 0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8,5966
+ 0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2,5967
+ 0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03,5968
+ 0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c5969
+};5970
+5971
+__fips_constseg static const unsigned char aes_256_no_df_pr_nonce[] = {5972
+ 0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30,5973
+ 0xcc, 0x4b, 0xee, 0x2e5974
+};5975
+5976
+__fips_constseg5977
+ static const unsigned char aes_256_no_df_pr_personalizationstring[] = {5978
+ 0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7,5979
+ 0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b,5980
+ 0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac,5981
+ 0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x065982
+};5983
+5984
+__fips_constseg5985
+ static const unsigned char aes_256_no_df_pr_additionalinput[] = {5986
+ 0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40,5987
+ 0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c,5988
+ 0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69,5989
+ 0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e5990
+};5991
+5992
+__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinputpr[] = {5993
+ 0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16,5994
+ 0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc,5995
+ 0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9,5996
+ 0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f5997
+};5998
+5999
+__fips_constseg6000
+ static const unsigned char aes_256_no_df_pr_int_returnedbits[] = {6001
+ 0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56,6002
+ 0x79, 0x60, 0x93, 0xcf6003
+};6004
+6005
+__fips_constseg6006
+ static const unsigned char aes_256_no_df_pr_additionalinput2[] = {6007
+ 0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a,6008
+ 0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35,6009
+ 0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34,6010
+ 0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb6011
+};6012
+6013
+__fips_constseg6014
+ static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = {6015
+ 0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3,6016
+ 0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa,6017
+ 0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83,6018
+ 0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f6019
+};6020
+6021
+__fips_constseg static const unsigned char aes_256_no_df_pr_returnedbits[] = {6022
+ 0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7,6023
+ 0x2d, 0x5f, 0x4a, 0x466024
+};6025
+6026
+/* AES-256 no df No PR */6027
+__fips_constseg static const unsigned char aes_256_no_df_entropyinput[] = {6028
+ 0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3,6029
+ 0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb,6030
+ 0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96,6031
+ 0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb36032
+};6033
+6034
+__fips_constseg static const unsigned char aes_256_no_df_nonce[] = {6035
+ 0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99,6036
+ 0x43, 0x96, 0xb9, 0xf06037
+};6038
+6039
+__fips_constseg6040
+ static const unsigned char aes_256_no_df_personalizationstring[] = {6041
+ 0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60,6042
+ 0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc,6043
+ 0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f,6044
+ 0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d6045
+};6046
+6047
+__fips_constseg static const unsigned char aes_256_no_df_additionalinput[] = {6048
+ 0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6,6049
+ 0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9,6050
+ 0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed,6051
+ 0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x176052
+};6053
+6054
+__fips_constseg static const unsigned char aes_256_no_df_int_returnedbits[] = {6055
+ 0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6,6056
+ 0xd2, 0x25, 0x75, 0x0e6057
+};6058
+6059
+__fips_constseg6060
+ static const unsigned char aes_256_no_df_entropyinputreseed[] = {6061
+ 0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b,6062
+ 0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5,6063
+ 0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed,6064
+ 0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb6065
+};6066
+6067
+__fips_constseg6068
+ static const unsigned char aes_256_no_df_additionalinputreseed[] = {6069
+ 0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e,6070
+ 0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18,6071
+ 0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b,6072
+ 0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x296073
+};6074
+6075
+__fips_constseg static const unsigned char aes_256_no_df_additionalinput2[] = {6076
+ 0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe,6077
+ 0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42,6078
+ 0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba,6079
+ 0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc66080
+};6081
+6082
+__fips_constseg static const unsigned char aes_256_no_df_returnedbits[] = {6083
+ 0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67,6084
+ 0xf6, 0x02, 0x32, 0xe26085
+};6086
+6087
+/* SHA-1 PR */6088
+__fips_constseg static const unsigned char sha1_pr_entropyinput[] = {6089
+ 0xd2, 0x36, 0xa5, 0x27, 0x31, 0x73, 0xdd, 0x11, 0x4f, 0x93, 0xbd, 0xe2,6090
+ 0x31, 0xa5, 0x91, 0x136091
+};6092
+6093
+__fips_constseg static const unsigned char sha1_pr_nonce[] = {6094
+ 0xb5, 0xb3, 0x60, 0xef, 0xf7, 0x63, 0x31, 0xf36095
+};6096
+6097
+__fips_constseg static const unsigned char sha1_pr_personalizationstring[] = {6098
+ 0xd4, 0xbb, 0x02, 0x10, 0xb2, 0x71, 0xdb, 0x81, 0xd6, 0xf0, 0x42, 0x60,6099
+ 0xda, 0xea, 0x77, 0x526100
+};6101
+6102
+__fips_constseg static const unsigned char sha1_pr_additionalinput[] = {6103
+ 0x4d, 0xd2, 0x6c, 0x87, 0xfb, 0x2c, 0x4f, 0xa6, 0x8d, 0x16, 0x63, 0x22,6104
+ 0x6a, 0x51, 0xe3, 0xf86105
+};6106
+6107
+__fips_constseg static const unsigned char sha1_pr_entropyinputpr[] = {6108
+ 0xc9, 0x83, 0x9e, 0x16, 0xf6, 0x1c, 0x0f, 0xb2, 0xec, 0x60, 0x31, 0xa9,6109
+ 0xcb, 0xa9, 0x36, 0x7a6110
+};6111
+6112
+__fips_constseg static const unsigned char sha1_pr_int_returnedbits[] = {6113
+ 0xa8, 0x13, 0x4f, 0xf4, 0x31, 0x02, 0x44, 0xe3, 0xd3, 0x3d, 0x61, 0x9e,6114
+ 0xe5, 0xc6, 0x3e, 0x89, 0xb5, 0x9b, 0x0f, 0x356115
+};6116
+6117
+__fips_constseg static const unsigned char sha1_pr_additionalinput2[] = {6118
+ 0xf9, 0xe8, 0xd2, 0x72, 0x13, 0x34, 0x95, 0x6f, 0x15, 0x49, 0x47, 0x99,6119
+ 0x16, 0x03, 0x19, 0x476120
+};6121
+6122
+__fips_constseg static const unsigned char sha1_pr_entropyinputpr2[] = {6123
+ 0x4e, 0x8c, 0x49, 0x9b, 0x4a, 0x5c, 0x9b, 0x9c, 0x3a, 0xee, 0xfb, 0xd2,6124
+ 0xae, 0xcd, 0x8c, 0xc46125
+};6126
+6127
+__fips_constseg static const unsigned char sha1_pr_returnedbits[] = {6128
+ 0x50, 0xb4, 0xb4, 0xcd, 0x68, 0x57, 0xfc, 0x2e, 0xc1, 0x52, 0xcc, 0xf6,6129
+ 0x68, 0xa4, 0x81, 0xed, 0x7e, 0xe4, 0x1d, 0x876130
+};6131
+6132
+/* SHA-1 No PR */6133
+__fips_constseg static const unsigned char sha1_entropyinput[] = {6134
+ 0xa9, 0x47, 0x1b, 0x29, 0x2d, 0x1c, 0x05, 0xdf, 0x76, 0xd0, 0x62, 0xf9,6135
+ 0xe2, 0x7f, 0x4c, 0x7b6136
+};6137
+6138
+__fips_constseg static const unsigned char sha1_nonce[] = {6139
+ 0x53, 0x23, 0x24, 0xe3, 0xec, 0x0c, 0x54, 0x146140
+};6141
+6142
+__fips_constseg static const unsigned char sha1_personalizationstring[] = {6143
+ 0x7a, 0x87, 0xa1, 0xac, 0x1c, 0xfd, 0xab, 0xae, 0xf7, 0xd6, 0xfb, 0x76,6144
+ 0x28, 0xec, 0x6d, 0xca6145
+};6146
+6147
+__fips_constseg static const unsigned char sha1_additionalinput[] = {6148
+ 0xfc, 0x92, 0x35, 0xd6, 0x7e, 0xb7, 0x24, 0x65, 0xfd, 0x12, 0x27, 0x35,6149
+ 0xc0, 0x72, 0xca, 0x286150
+};6151
+6152
+__fips_constseg static const unsigned char sha1_int_returnedbits[] = {6153
+ 0x57, 0x88, 0x82, 0xe5, 0x25, 0xa5, 0x2c, 0x4a, 0x06, 0x20, 0x6c, 0x72,6154
+ 0x55, 0x61, 0xdd, 0x90, 0x71, 0x9f, 0x95, 0xea6155
+};6156
+6157
+__fips_constseg static const unsigned char sha1_entropyinputreseed[] = {6158
+ 0x69, 0xa5, 0x40, 0x62, 0x98, 0x47, 0x56, 0x73, 0x4a, 0x8f, 0x60, 0x96,6159
+ 0xd6, 0x99, 0x27, 0xed6160
+};6161
+6162
+__fips_constseg static const unsigned char sha1_additionalinputreseed[] = {6163
+ 0xe5, 0x40, 0x4e, 0xbd, 0x50, 0x00, 0xf5, 0x15, 0xa6, 0xee, 0x45, 0xda,6164
+ 0x84, 0x3d, 0xd4, 0xc06165
+};6166
+6167
+__fips_constseg static const unsigned char sha1_additionalinput2[] = {6168
+ 0x11, 0x51, 0x14, 0xf0, 0x09, 0x1b, 0x4e, 0x56, 0x0d, 0xe9, 0xf6, 0x1e,6169
+ 0x52, 0x65, 0xcd, 0x966170
+};6171
+6172
+__fips_constseg static const unsigned char sha1_returnedbits[] = {6173
+ 0xa1, 0x9c, 0x94, 0x6e, 0x29, 0xe1, 0x33, 0x0d, 0x32, 0xd6, 0xaa, 0xce,6174
+ 0x71, 0x3f, 0x52, 0x72, 0x8b, 0x42, 0xa8, 0xd76175
+};6176
+6177
+/* SHA-224 PR */6178
+__fips_constseg static const unsigned char sha224_pr_entropyinput[] = {6179
+ 0x12, 0x69, 0x32, 0x4f, 0x83, 0xa6, 0xf5, 0x14, 0xe3, 0x49, 0x3e, 0x75,6180
+ 0x3e, 0xde, 0xad, 0xa1, 0x29, 0xc3, 0xf3, 0x19, 0x20, 0xb5, 0x4c, 0xd96181
+};6182
+6183
+__fips_constseg static const unsigned char sha224_pr_nonce[] = {6184
+ 0x6a, 0x78, 0xd0, 0xeb, 0xbb, 0x5a, 0xf0, 0xee, 0xe8, 0xc3, 0xba, 0x716185
+};6186
+6187
+__fips_constseg static const unsigned char sha224_pr_personalizationstring[] = {6188
+ 0xd5, 0xb8, 0xb6, 0xbc, 0xc1, 0x5b, 0x60, 0x31, 0x3c, 0xf5, 0xe5, 0xc0,6189
+ 0x8e, 0x52, 0x7a, 0xbd, 0xea, 0x47, 0xa9, 0x5f, 0x8f, 0xf9, 0x8b, 0xae6190
+};6191
+6192
+__fips_constseg static const unsigned char sha224_pr_additionalinput[] = {6193
+ 0x1f, 0x55, 0xec, 0xae, 0x16, 0x12, 0x84, 0xba, 0x84, 0x16, 0x19, 0x88,6194
+ 0x8e, 0xb8, 0x33, 0x25, 0x54, 0xff, 0xca, 0x79, 0xaf, 0x07, 0x25, 0x506195
+};6196
+6197
+__fips_constseg static const unsigned char sha224_pr_entropyinputpr[] = {6198
+ 0x92, 0xa3, 0x32, 0xa8, 0x9a, 0x0a, 0x58, 0x7c, 0x1d, 0x5a, 0x7e, 0xe1,6199
+ 0xb2, 0x73, 0xab, 0x0e, 0x16, 0x79, 0x23, 0xd3, 0x29, 0x89, 0x81, 0xe16200
+};6201
+6202
+__fips_constseg static const unsigned char sha224_pr_int_returnedbits[] = {6203
+ 0xf3, 0x38, 0x91, 0x40, 0x37, 0x7a, 0x51, 0x72, 0x42, 0x74, 0x78, 0x0a,6204
+ 0x69, 0xfd, 0xa6, 0x44, 0x43, 0x45, 0x6c, 0x0c, 0x5a, 0x19, 0xff, 0xf1,6205
+ 0x54, 0x60, 0xee, 0x6a6206
+};6207
+6208
+__fips_constseg static const unsigned char sha224_pr_additionalinput2[] = {6209
+ 0x75, 0xf3, 0x04, 0x25, 0xdd, 0x36, 0xa8, 0x37, 0x46, 0xae, 0x0c, 0x52,6210
+ 0x05, 0x79, 0x4c, 0x26, 0xdb, 0xe9, 0x71, 0x16, 0x4c, 0x0a, 0xf2, 0x606211
+};6212
+6213
+__fips_constseg static const unsigned char sha224_pr_entropyinputpr2[] = {6214
+ 0xea, 0xc5, 0x03, 0x0a, 0x4f, 0xb0, 0x38, 0x8d, 0x23, 0xd4, 0xc8, 0x77,6215
+ 0xe2, 0x6d, 0x9c, 0x0b, 0x44, 0xf7, 0x2d, 0x5b, 0xbf, 0x5d, 0x2a, 0x116216
+};6217
+6218
+__fips_constseg static const unsigned char sha224_pr_returnedbits[] = {6219
+ 0x60, 0x50, 0x2b, 0xe7, 0x86, 0xd8, 0x26, 0x73, 0xe3, 0x1d, 0x95, 0x20,6220
+ 0xb3, 0x2c, 0x32, 0x1c, 0xf5, 0xce, 0x57, 0xa6, 0x67, 0x2b, 0xdc, 0x4e,6221
+ 0xdd, 0x11, 0x4c, 0xc46222
+};6223
+6224
+/* SHA-224 No PR */6225
+__fips_constseg static const unsigned char sha224_entropyinput[] = {6226
+ 0xb2, 0x1c, 0x77, 0x4d, 0xf6, 0xd3, 0xb6, 0x40, 0xb7, 0x30, 0x3e, 0x29,6227
+ 0xb0, 0x85, 0x1c, 0xbe, 0x4a, 0xea, 0x6b, 0x5a, 0xb5, 0x8a, 0x97, 0xeb6228
+};6229
+6230
+__fips_constseg static const unsigned char sha224_nonce[] = {6231
+ 0x42, 0x02, 0x0a, 0x1c, 0x98, 0x9a, 0x77, 0x9e, 0x9f, 0x80, 0xba, 0xe06232
+};6233
+6234
+__fips_constseg static const unsigned char sha224_personalizationstring[] = {6235
+ 0x98, 0xb8, 0x04, 0x41, 0xfc, 0xc1, 0x5d, 0xc5, 0xe9, 0xb9, 0x08, 0xda,6236
+ 0xf9, 0xfa, 0x0d, 0x90, 0xce, 0xdf, 0x1d, 0x10, 0xa9, 0x8d, 0x50, 0x0c6237
+};6238
+6239
+__fips_constseg static const unsigned char sha224_additionalinput[] = {6240
+ 0x9a, 0x8d, 0x39, 0x49, 0x42, 0xd5, 0x0b, 0xae, 0xe1, 0xaf, 0xb7, 0x00,6241
+ 0x02, 0xfa, 0x96, 0xb1, 0xa5, 0x1d, 0x2d, 0x25, 0x78, 0xee, 0x83, 0x3f6242
+};6243
+6244
+__fips_constseg static const unsigned char sha224_int_returnedbits[] = {6245
+ 0xe4, 0xf5, 0x53, 0x79, 0x5a, 0x97, 0x58, 0x06, 0x08, 0xba, 0x7b, 0xfa,6246
+ 0xf0, 0x83, 0x05, 0x8c, 0x22, 0xc0, 0xc9, 0xdb, 0x15, 0xe7, 0xde, 0x20,6247
+ 0x55, 0x22, 0x9a, 0xad6248
+};6249
+6250
+__fips_constseg static const unsigned char sha224_entropyinputreseed[] = {6251
+ 0x67, 0x09, 0x48, 0xaa, 0x07, 0x16, 0x99, 0x89, 0x7f, 0x6d, 0xa0, 0xe5,6252
+ 0x8f, 0xdf, 0xbc, 0xdb, 0xfe, 0xe5, 0x6c, 0x7a, 0x95, 0x4a, 0x66, 0x176253
+};6254
+6255
+__fips_constseg static const unsigned char sha224_additionalinputreseed[] = {6256
+ 0x0f, 0x4b, 0x1c, 0x6f, 0xb7, 0xe3, 0x47, 0xe5, 0x5d, 0x7d, 0x38, 0xd6,6257
+ 0x28, 0x9b, 0xeb, 0x55, 0x63, 0x09, 0x3e, 0x7c, 0x56, 0xea, 0xf8, 0x196258
+};6259
+6260
+__fips_constseg static const unsigned char sha224_additionalinput2[] = {6261
+ 0x2d, 0x26, 0x7c, 0x37, 0xe4, 0x7a, 0x28, 0x5e, 0x5a, 0x3c, 0xaf, 0x3d,6262
+ 0x5a, 0x8e, 0x55, 0xa2, 0x1a, 0x6e, 0xc0, 0xe5, 0xf6, 0x21, 0xd3, 0xf66263
+};6264
+6265
+__fips_constseg static const unsigned char sha224_returnedbits[] = {6266
+ 0x4d, 0x83, 0x35, 0xdf, 0x67, 0xa9, 0xfc, 0x17, 0xda, 0x70, 0xcc, 0x8b,6267
+ 0x7f, 0x77, 0xae, 0xa2, 0x5f, 0xb9, 0x7e, 0x74, 0x4c, 0x26, 0xc1, 0x7a,6268
+ 0x3b, 0xa7, 0x5c, 0x936269
+};6270
+6271
+/* SHA-256 PR */6272
+__fips_constseg static const unsigned char sha256_pr_entropyinput[] = {6273
+ 0xce, 0x49, 0x00, 0x7a, 0x56, 0xe3, 0x67, 0x8f, 0xe1, 0xb6, 0xa7, 0xd4,6274
+ 0x4f, 0x08, 0x7a, 0x1b, 0x01, 0xf4, 0xfa, 0x6b, 0xef, 0xb7, 0xe5, 0xeb,6275
+ 0x07, 0x3d, 0x11, 0x0d, 0xc8, 0xea, 0x2b, 0xfe6276
+};6277
+6278
+__fips_constseg static const unsigned char sha256_pr_nonce[] = {6279
+ 0x73, 0x41, 0xc8, 0x92, 0x94, 0xe2, 0xc5, 0x5f, 0x93, 0xfd, 0x39, 0x5d,6280
+ 0x2b, 0x91, 0x4d, 0x386281
+};6282
+6283
+__fips_constseg static const unsigned char sha256_pr_personalizationstring[] = {6284
+ 0x50, 0x6d, 0x01, 0x01, 0x07, 0x5a, 0x80, 0x35, 0x7a, 0x56, 0x1a, 0x56,6285
+ 0x2f, 0x9a, 0x0b, 0x35, 0xb2, 0xb1, 0xc9, 0xe5, 0xca, 0x69, 0x61, 0x48,6286
+ 0xff, 0xfb, 0x0f, 0xd9, 0x4b, 0x79, 0x1d, 0xba6287
+};6288
+6289
+__fips_constseg static const unsigned char sha256_pr_additionalinput[] = {6290
+ 0x20, 0xb8, 0xdf, 0x44, 0x77, 0x5a, 0xb8, 0xd3, 0xbf, 0xf6, 0xcf, 0xac,6291
+ 0x5e, 0xa6, 0x96, 0x62, 0x73, 0x44, 0x40, 0x4a, 0x30, 0xfb, 0x38, 0xa5,6292
+ 0x7b, 0x0d, 0xe4, 0x0d, 0xc6, 0xe4, 0x9a, 0x1f6293
+};6294
+6295
+__fips_constseg static const unsigned char sha256_pr_entropyinputpr[] = {6296
+ 0x04, 0xc4, 0x65, 0xf4, 0xd3, 0xbf, 0x83, 0x4b, 0xab, 0xc8, 0x41, 0xa8,6297
+ 0xc2, 0xe0, 0x44, 0x63, 0x77, 0x4c, 0x6f, 0x6c, 0x49, 0x46, 0xff, 0x94,6298
+ 0x17, 0xea, 0xe6, 0x1a, 0x9d, 0x5e, 0x66, 0x786299
+};6300
+6301
+__fips_constseg static const unsigned char sha256_pr_int_returnedbits[] = {6302
+ 0x07, 0x4d, 0xac, 0x9b, 0x86, 0xca, 0x4a, 0xaa, 0x6e, 0x7a, 0x03, 0xa2,6303
+ 0x5d, 0x10, 0xea, 0x0b, 0xf9, 0x83, 0xcc, 0xd1, 0xfc, 0xe2, 0x07, 0xc7,6304
+ 0x06, 0x34, 0x60, 0x6f, 0x83, 0x94, 0x99, 0x766305
+};6306
+6307
+__fips_constseg static const unsigned char sha256_pr_additionalinput2[] = {6308
+ 0x89, 0x4e, 0x45, 0x8c, 0x11, 0xf9, 0xbc, 0x5b, 0xac, 0x74, 0x8b, 0x4b,6309
+ 0x5f, 0xf7, 0x19, 0xf3, 0xf5, 0x24, 0x54, 0x14, 0xd1, 0x15, 0xb1, 0x43,6310
+ 0x12, 0xa4, 0x5f, 0xd4, 0xec, 0xfc, 0xcd, 0x096311
+};6312
+6313
+__fips_constseg static const unsigned char sha256_pr_entropyinputpr2[] = {6314
+ 0x0e, 0xeb, 0x1f, 0xd7, 0xfc, 0xd1, 0x9d, 0xd4, 0x05, 0x36, 0x8b, 0xb2,6315
+ 0xfb, 0xe4, 0xf4, 0x51, 0x0c, 0x87, 0x9b, 0x02, 0x44, 0xd5, 0x92, 0x4d,6316
+ 0x44, 0xfe, 0x1a, 0x03, 0x43, 0x56, 0xbd, 0x866317
+};6318
+6319
+__fips_constseg static const unsigned char sha256_pr_returnedbits[] = {6320
+ 0x02, 0xaa, 0xb6, 0x1d, 0x7e, 0x2a, 0x40, 0x03, 0x69, 0x2d, 0x49, 0xa3,6321
+ 0x41, 0xe7, 0x44, 0x0b, 0xaf, 0x7b, 0x85, 0xe4, 0x5f, 0x53, 0x3b, 0x64,6322
+ 0xbc, 0x89, 0xc8, 0x82, 0xd4, 0x78, 0x37, 0xa26323
+};6324
+6325
+/* SHA-256 No PR */6326
+__fips_constseg static const unsigned char sha256_entropyinput[] = {6327
+ 0x5b, 0x1b, 0xec, 0x4d, 0xa9, 0x38, 0x74, 0x5a, 0x34, 0x0b, 0x7b, 0xc5,6328
+ 0xe5, 0xd7, 0x66, 0x7c, 0xbc, 0x82, 0xb9, 0x0e, 0x2d, 0x1f, 0x92, 0xd7,6329
+ 0xc1, 0xbc, 0x67, 0x69, 0xec, 0x6b, 0x03, 0x3c6330
+};6331
+6332
+__fips_constseg static const unsigned char sha256_nonce[] = {6333
+ 0xa4, 0x0c, 0xd8, 0x9c, 0x61, 0xd8, 0xc3, 0x54, 0xfe, 0x53, 0xc9, 0xe5,6334
+ 0x5d, 0x6f, 0x6d, 0x356335
+};6336
+6337
+__fips_constseg static const unsigned char sha256_personalizationstring[] = {6338
+ 0x22, 0x5e, 0x62, 0x93, 0x42, 0x83, 0x78, 0x24, 0xd8, 0x40, 0x8c, 0xde,6339
+ 0x6f, 0xf9, 0xa4, 0x7a, 0xc5, 0xa7, 0x3b, 0x88, 0xa3, 0xee, 0x42, 0x20,6340
+ 0xfd, 0x61, 0x56, 0xc6, 0x4c, 0x13, 0x41, 0x9c6341
+};6342
+6343
+__fips_constseg static const unsigned char sha256_additionalinput[] = {6344
+ 0xbf, 0x74, 0x5b, 0xf6, 0xc5, 0x64, 0x5e, 0x99, 0x34, 0x8f, 0xbc, 0xa4,6345
+ 0xe2, 0xbd, 0xd8, 0x85, 0x26, 0x37, 0xea, 0xba, 0x4f, 0xf2, 0x9a, 0x9a,6346
+ 0x66, 0xfc, 0xdf, 0x63, 0x26, 0x26, 0x19, 0x876347
+};6348
+6349
+__fips_constseg static const unsigned char sha256_int_returnedbits[] = {6350
+ 0xb3, 0xc6, 0x07, 0x07, 0xd6, 0x75, 0xf6, 0x2b, 0xd6, 0x21, 0x96, 0xf1,6351
+ 0xae, 0xdb, 0x2b, 0xac, 0x25, 0x2a, 0xae, 0xae, 0x41, 0x72, 0x03, 0x5e,6352
+ 0xbf, 0xd3, 0x64, 0xbc, 0x59, 0xf9, 0xc0, 0x766353
+};6354
+6355
+__fips_constseg static const unsigned char sha256_entropyinputreseed[] = {6356
+ 0xbf, 0x20, 0x33, 0x56, 0x29, 0xa8, 0x37, 0x04, 0x1f, 0x78, 0x34, 0x3d,6357
+ 0x81, 0x2a, 0xc9, 0x86, 0xc6, 0x7a, 0x2f, 0x88, 0x5e, 0xd5, 0xbe, 0x34,6358
+ 0x46, 0x20, 0xa4, 0x35, 0xeb, 0xc7, 0xe2, 0x9d6359
+};6360
+6361
+__fips_constseg static const unsigned char sha256_additionalinputreseed[] = {6362
+ 0x9b, 0xae, 0x2d, 0x2d, 0x61, 0xa4, 0x89, 0xeb, 0x43, 0x46, 0xa7, 0xda,6363
+ 0xef, 0x40, 0xca, 0x4a, 0x99, 0x11, 0x41, 0xdc, 0x5c, 0x94, 0xe9, 0xac,6364
+ 0xd4, 0xd0, 0xe6, 0xbd, 0xfb, 0x03, 0x9c, 0xa86365
+};6366
+6367
+__fips_constseg static const unsigned char sha256_additionalinput2[] = {6368
+ 0x23, 0xaa, 0x0c, 0xbd, 0x28, 0x33, 0xe2, 0x51, 0xfc, 0x71, 0xd2, 0x15,6369
+ 0x1f, 0x76, 0xfd, 0x0d, 0xe0, 0xb7, 0xb5, 0x84, 0x75, 0x5b, 0xbe, 0xf3,6370
+ 0x5c, 0xca, 0xc5, 0x30, 0xf2, 0x75, 0x1f, 0xda6371
+};6372
+6373
+__fips_constseg static const unsigned char sha256_returnedbits[] = {6374
+ 0x90, 0x3c, 0xc1, 0x10, 0x8c, 0x12, 0x01, 0xc6, 0xa6, 0x3a, 0x0f, 0x4d,6375
+ 0xb6, 0x3a, 0x4f, 0x41, 0x9c, 0x61, 0x75, 0x84, 0xe9, 0x74, 0x75, 0xfd,6376
+ 0xfe, 0xf2, 0x1f, 0x43, 0xd8, 0x5e, 0x24, 0xa36377
+};6378
+6379
+/* SHA-384 PR */6380
+__fips_constseg static const unsigned char sha384_pr_entropyinput[] = {6381
+ 0x71, 0x9d, 0xb2, 0x5a, 0x71, 0x6d, 0x04, 0xe9, 0x1e, 0xc7, 0x92, 0x24,6382
+ 0x6e, 0x12, 0x33, 0xa9, 0x52, 0x64, 0x31, 0xef, 0x71, 0xeb, 0x22, 0x55,6383
+ 0x28, 0x97, 0x06, 0x6a, 0xc0, 0x0c, 0xa0, 0x7e6384
+};6385
+6386
+__fips_constseg static const unsigned char sha384_pr_nonce[] = {6387
+ 0xf5, 0x0d, 0xfa, 0xb0, 0xec, 0x6a, 0x7c, 0xd6, 0xbd, 0x9b, 0x05, 0xfd,6388
+ 0x38, 0x3e, 0x2e, 0x566389
+};6390
+6391
+__fips_constseg static const unsigned char sha384_pr_personalizationstring[] = {6392
+ 0x74, 0xac, 0x7e, 0x6d, 0xb1, 0xa4, 0xe7, 0x21, 0xd1, 0x1e, 0x6e, 0x96,6393
+ 0x6d, 0x4d, 0x53, 0x46, 0x82, 0x96, 0x6e, 0xcf, 0xaa, 0x81, 0x8d, 0x7d,6394
+ 0x9e, 0xe1, 0x0f, 0x15, 0xea, 0x41, 0xbf, 0xe36395
+};6396
+6397
+__fips_constseg static const unsigned char sha384_pr_additionalinput[] = {6398
+ 0xda, 0x95, 0xd4, 0xd0, 0xb8, 0x11, 0xd3, 0x49, 0x27, 0x5d, 0xa9, 0x39,6399
+ 0x68, 0xf3, 0xa8, 0xe9, 0x5d, 0x19, 0x8a, 0x2b, 0x66, 0xe8, 0x69, 0x06,6400
+ 0x7c, 0x9e, 0x03, 0xa1, 0x8b, 0x26, 0x2d, 0x6e6401
+};6402
+6403
+__fips_constseg static const unsigned char sha384_pr_entropyinputpr[] = {6404
+ 0x49, 0xdf, 0x44, 0x00, 0xe4, 0x1c, 0x75, 0x0b, 0x26, 0x5a, 0x59, 0x64,6405
+ 0x1f, 0x4e, 0xb1, 0xb2, 0x13, 0xf1, 0x22, 0x4e, 0xb4, 0x6d, 0x9a, 0xcc,6406
+ 0xa0, 0x48, 0xe6, 0xcf, 0x1d, 0xd1, 0x92, 0x0d6407
+};6408
+6409
+__fips_constseg static const unsigned char sha384_pr_int_returnedbits[] = {6410
+ 0xc8, 0x52, 0xae, 0xbf, 0x04, 0x3c, 0x27, 0xb7, 0x78, 0x18, 0xaa, 0x8f,6411
+ 0xff, 0xcf, 0xa4, 0xf1, 0xcc, 0xe7, 0x68, 0xfa, 0x22, 0xa2, 0x13, 0x45,6412
+ 0xe8, 0xdd, 0x87, 0xe6, 0xf2, 0x6e, 0xdd, 0xc7, 0x52, 0x90, 0x9f, 0x7b,6413
+ 0xfa, 0x61, 0x2d, 0x9d, 0x9e, 0xcf, 0x98, 0xac, 0x52, 0x40, 0xce, 0xaf6414
+};6415
+6416
+__fips_constseg static const unsigned char sha384_pr_additionalinput2[] = {6417
+ 0x61, 0x7c, 0x03, 0x9a, 0x3e, 0x50, 0x57, 0x60, 0xc5, 0x83, 0xc9, 0xb2,6418
+ 0xd1, 0x87, 0x85, 0x66, 0x92, 0x5d, 0x84, 0x0e, 0x53, 0xfb, 0x70, 0x03,6419
+ 0x72, 0xfd, 0xba, 0xae, 0x9c, 0x8f, 0xf8, 0x186420
+};6421
+6422
+__fips_constseg static const unsigned char sha384_pr_entropyinputpr2[] = {6423
+ 0xf8, 0xeb, 0x89, 0xb1, 0x8d, 0x78, 0xbe, 0x21, 0xe0, 0xbb, 0x9d, 0xb7,6424
+ 0x95, 0x0e, 0xd9, 0x46, 0x0c, 0x8c, 0xe2, 0x63, 0xb7, 0x9d, 0x67, 0x90,6425
+ 0xbd, 0xc7, 0x0b, 0xa5, 0xce, 0xb2, 0x65, 0x816426
+};6427
+6428
+__fips_constseg static const unsigned char sha384_pr_returnedbits[] = {6429
+ 0xe6, 0x9f, 0xfe, 0x68, 0xd6, 0xb5, 0x79, 0xf1, 0x06, 0x5f, 0xa3, 0xbb,6430
+ 0x23, 0x85, 0xd8, 0xf0, 0x29, 0x5a, 0x68, 0x9e, 0xf5, 0xf4, 0xa6, 0x12,6431
+ 0xe0, 0x9a, 0xe2, 0xac, 0x00, 0x1d, 0x98, 0x26, 0xfc, 0x53, 0x95, 0x53,6432
+ 0xe4, 0x3e, 0x17, 0xd5, 0x08, 0x0b, 0x70, 0x3d, 0x67, 0x99, 0xac, 0x666433
+};6434
+6435
+/* SHA-384 No PR */6436
+__fips_constseg static const unsigned char sha384_entropyinput[] = {6437
+ 0x07, 0x15, 0x27, 0x2a, 0xaf, 0x74, 0x24, 0x37, 0xbc, 0xd5, 0x14, 0x69,6438
+ 0xce, 0x11, 0xff, 0xa2, 0x6b, 0xb8, 0x05, 0x67, 0x34, 0xf8, 0xbd, 0x6d,6439
+ 0x6a, 0xcc, 0xcd, 0x60, 0xa3, 0x68, 0xca, 0xf46440
+};6441
+6442
+__fips_constseg static const unsigned char sha384_nonce[] = {6443
+ 0x70, 0x17, 0xc2, 0x5b, 0x5d, 0x22, 0x0b, 0x06, 0x15, 0x54, 0x78, 0x77,6444
+ 0x44, 0xaf, 0x2f, 0x096445
+};6446
+6447
+__fips_constseg static const unsigned char sha384_personalizationstring[] = {6448
+ 0x89, 0x39, 0x28, 0xb0, 0x60, 0xeb, 0x3d, 0xdc, 0x55, 0x75, 0x86, 0xeb,6449
+ 0xae, 0xa2, 0x8f, 0xbc, 0x1b, 0x75, 0xd4, 0xe1, 0x0f, 0xaa, 0x38, 0xca,6450
+ 0x62, 0x8b, 0xcb, 0x2c, 0x26, 0xf6, 0xbc, 0xb16451
+};6452
+6453
+__fips_constseg static const unsigned char sha384_additionalinput[] = {6454
+ 0x30, 0x2b, 0x42, 0x35, 0xef, 0xda, 0x40, 0x55, 0x28, 0xc6, 0x95, 0xfb,6455
+ 0x54, 0x01, 0x62, 0xd7, 0x87, 0x14, 0x48, 0x6d, 0x90, 0x4c, 0xa9, 0x02,6456
+ 0x54, 0x40, 0x22, 0xc8, 0x66, 0xa5, 0x48, 0x486457
+};6458
+6459
+__fips_constseg static const unsigned char sha384_int_returnedbits[] = {6460
+ 0x82, 0xc4, 0xa1, 0x9c, 0x21, 0xd2, 0xe7, 0xa5, 0xa6, 0xf6, 0x5f, 0x04,6461
+ 0x5c, 0xc7, 0x31, 0x9d, 0x8d, 0x59, 0x74, 0x50, 0x19, 0x89, 0x2f, 0x63,6462
+ 0xd5, 0xb7, 0x7e, 0xeb, 0x15, 0xe3, 0x70, 0x83, 0xa1, 0x24, 0x59, 0xfa,6463
+ 0x2c, 0x56, 0xf6, 0x88, 0x3a, 0x92, 0x93, 0xa1, 0xfb, 0x79, 0xc1, 0x7a6464
+};6465
+6466
+__fips_constseg static const unsigned char sha384_entropyinputreseed[] = {6467
+ 0x39, 0xa6, 0xe8, 0x5c, 0x82, 0x17, 0x71, 0x26, 0x57, 0x4f, 0x9f, 0xc2,6468
+ 0x55, 0xff, 0x5c, 0x9b, 0x53, 0x1a, 0xd1, 0x5f, 0xbc, 0x62, 0xe4, 0x27,6469
+ 0x2d, 0x32, 0xf0, 0xe4, 0x52, 0x8c, 0xc5, 0x0c6470
+};6471
+6472
+__fips_constseg static const unsigned char sha384_additionalinputreseed[] = {6473
+ 0x8d, 0xcb, 0x8d, 0xce, 0x08, 0xea, 0x80, 0xe8, 0x9b, 0x61, 0xa8, 0x0f,6474
+ 0xaf, 0x49, 0x20, 0x9e, 0x74, 0xcb, 0x57, 0x80, 0x42, 0xb0, 0x84, 0x5e,6475
+ 0x30, 0x2a, 0x67, 0x08, 0xf4, 0xe3, 0x40, 0x226476
+};6477
+6478
+__fips_constseg static const unsigned char sha384_additionalinput2[] = {6479
+ 0x7c, 0x8f, 0xc2, 0xae, 0x22, 0x4a, 0xd6, 0xf6, 0x05, 0xa4, 0x7a, 0xea,6480
+ 0xbb, 0x25, 0xd0, 0xb7, 0x5a, 0xd6, 0xcf, 0x9d, 0xf3, 0x6c, 0xe2, 0xb2,6481
+ 0x4e, 0xb4, 0xbd, 0xf4, 0xe5, 0x40, 0x80, 0x946482
+};6483
+6484
+__fips_constseg static const unsigned char sha384_returnedbits[] = {6485
+ 0x9e, 0x7e, 0xfb, 0x59, 0xbb, 0xaa, 0x3c, 0xf7, 0xe1, 0xf8, 0x76, 0xdd,6486
+ 0x63, 0x5f, 0xaf, 0x23, 0xd6, 0x64, 0x61, 0xc0, 0x9a, 0x09, 0x47, 0xc9,6487
+ 0x33, 0xdf, 0x6d, 0x55, 0x91, 0x34, 0x79, 0x70, 0xc4, 0x99, 0x6e, 0x54,6488
+ 0x09, 0x64, 0x21, 0x1a, 0xbd, 0x1e, 0x80, 0x40, 0x34, 0xad, 0xfa, 0xd76489
+};6490
+6491
+/* SHA-512 PR */6492
+__fips_constseg static const unsigned char sha512_pr_entropyinput[] = {6493
+ 0x13, 0xf7, 0x61, 0x75, 0x65, 0x28, 0xa2, 0x59, 0x13, 0x5a, 0x4a, 0x4f,6494
+ 0x56, 0x60, 0x8c, 0x53, 0x7d, 0xb0, 0xbd, 0x06, 0x4f, 0xed, 0xcc, 0xd2,6495
+ 0xa2, 0xb5, 0xfd, 0x5b, 0x3a, 0xab, 0xec, 0x286496
+};6497
+6498
+__fips_constseg static const unsigned char sha512_pr_nonce[] = {6499
+ 0xbe, 0xa3, 0x91, 0x93, 0x1d, 0xc3, 0x31, 0x3a, 0x23, 0x33, 0x50, 0x67,6500
+ 0x88, 0xc7, 0xa2, 0xc46501
+};6502
+6503
+__fips_constseg static const unsigned char sha512_pr_personalizationstring[] = {6504
+ 0x1f, 0x59, 0x4d, 0x7b, 0xe6, 0x46, 0x91, 0x48, 0xc1, 0x25, 0xfa, 0xff,6505
+ 0x89, 0x12, 0x77, 0x35, 0xdf, 0x3e, 0xf4, 0x80, 0x5f, 0xd9, 0xb0, 0x07,6506
+ 0x22, 0x41, 0xdd, 0x48, 0x78, 0x6b, 0x77, 0x2b6507
+};6508
+6509
+__fips_constseg static const unsigned char sha512_pr_additionalinput[] = {6510
+ 0x30, 0xff, 0x63, 0x6f, 0xac, 0xd9, 0x84, 0x39, 0x6f, 0xe4, 0x99, 0xce,6511
+ 0x91, 0x7d, 0x7e, 0xc8, 0x58, 0xf2, 0x12, 0xc3, 0xb6, 0xad, 0xda, 0x22,6512
+ 0x04, 0xa0, 0xd2, 0x21, 0xfe, 0xf2, 0x95, 0x1d6513
+};6514
+6515
+__fips_constseg static const unsigned char sha512_pr_entropyinputpr[] = {6516
+ 0x64, 0x54, 0x13, 0xec, 0x4f, 0x77, 0xda, 0xb2, 0x92, 0x2e, 0x52, 0x80,6517
+ 0x11, 0x10, 0xc2, 0xf8, 0xe6, 0xa7, 0xcd, 0x4b, 0xfc, 0x32, 0x2e, 0x9e,6518
+ 0xeb, 0xbb, 0xb1, 0xbf, 0x15, 0x5c, 0x73, 0x086519
+};6520
+6521
+__fips_constseg static const unsigned char sha512_pr_int_returnedbits[] = {6522
+ 0xef, 0x1e, 0xdc, 0x0a, 0xa4, 0x36, 0x91, 0x9c, 0x3d, 0x27, 0x97, 0x50,6523
+ 0x8d, 0x36, 0x29, 0x8d, 0xce, 0x6a, 0x0c, 0xf7, 0x21, 0xc0, 0x91, 0xae,6524
+ 0x0c, 0x96, 0x72, 0xbd, 0x52, 0x81, 0x58, 0xfc, 0x6d, 0xe5, 0xf7, 0xa5,6525
+ 0xfd, 0x5d, 0xa7, 0x58, 0x68, 0xc8, 0x99, 0x58, 0x8e, 0xc8, 0xce, 0x95,6526
+ 0x01, 0x7d, 0xff, 0xa4, 0xc8, 0xf7, 0x63, 0xfe, 0x5f, 0x69, 0x83, 0x53,6527
+ 0xe2, 0xc6, 0x8b, 0xc36528
+};6529
+6530
+__fips_constseg static const unsigned char sha512_pr_additionalinput2[] = {6531
+ 0xe6, 0x9b, 0xc4, 0x88, 0x34, 0xca, 0xea, 0x29, 0x2f, 0x98, 0x05, 0xa4,6532
+ 0xd3, 0xc0, 0x7b, 0x11, 0xe8, 0xbb, 0x75, 0xf2, 0xbd, 0x29, 0xb7, 0x40,6533
+ 0x25, 0x7f, 0xc1, 0xb7, 0xb1, 0xf1, 0x25, 0x616534
+};6535
+6536
+__fips_constseg static const unsigned char sha512_pr_entropyinputpr2[] = {6537
+ 0x23, 0x6d, 0xff, 0xde, 0xfb, 0xd1, 0xba, 0x33, 0x18, 0xe6, 0xbe, 0xb5,6538
+ 0x48, 0x77, 0x6d, 0x7f, 0xa7, 0xe1, 0x4d, 0x48, 0x1e, 0x3c, 0xa7, 0x34,6539
+ 0x1a, 0xc8, 0x60, 0xdb, 0x8f, 0x99, 0x15, 0x996540
+};6541
+6542
+__fips_constseg static const unsigned char sha512_pr_returnedbits[] = {6543
+ 0x70, 0x27, 0x31, 0xdb, 0x92, 0x70, 0x21, 0xfe, 0x16, 0xb6, 0xc8, 0x51,6544
+ 0x34, 0x87, 0x65, 0xd0, 0x4e, 0xfd, 0xfe, 0x68, 0xec, 0xac, 0xdc, 0x93,6545
+ 0x41, 0x38, 0x92, 0x90, 0xb4, 0x94, 0xf9, 0x0d, 0xa4, 0xf7, 0x4e, 0x80,6546
+ 0x92, 0x67, 0x48, 0x40, 0xa7, 0x08, 0xc7, 0xbc, 0x66, 0x00, 0xfd, 0xf7,6547
+ 0x4c, 0x8b, 0x17, 0x6e, 0xd1, 0x8f, 0x9b, 0xf3, 0x6f, 0xf6, 0x34, 0xdd,6548
+ 0x67, 0xf7, 0x68, 0xdd6549
+};6550
+6551
+/* SHA-512 No PR */6552
+__fips_constseg static const unsigned char sha512_entropyinput[] = {6553
+ 0xb6, 0x0b, 0xb7, 0xbc, 0x84, 0x56, 0xf6, 0x12, 0xaf, 0x45, 0x67, 0x17,6554
+ 0x7c, 0xd1, 0xb2, 0x78, 0x2b, 0xa0, 0xf2, 0xbe, 0xb6, 0x6d, 0x8b, 0x56,6555
+ 0xc6, 0xbc, 0x4d, 0xe1, 0xf7, 0xbe, 0xce, 0xbd6556
+};6557
+6558
+__fips_constseg static const unsigned char sha512_nonce[] = {6559
+ 0x9d, 0xed, 0xc0, 0xe5, 0x5a, 0x98, 0x6a, 0xcb, 0x51, 0x7d, 0x76, 0x31,6560
+ 0x5a, 0x64, 0xf0, 0xf76561
+};6562
+6563
+__fips_constseg static const unsigned char sha512_personalizationstring[] = {6564
+ 0xc2, 0x6d, 0xa3, 0xc3, 0x06, 0x74, 0xe5, 0x01, 0x5c, 0x10, 0x17, 0xc7,6565
+ 0xaf, 0x83, 0x9d, 0x59, 0x8d, 0x2d, 0x29, 0x38, 0xc5, 0x59, 0x70, 0x8b,6566
+ 0x46, 0x48, 0x2d, 0xcf, 0x36, 0x7d, 0x59, 0xc06567
+};6568
+6569
+__fips_constseg static const unsigned char sha512_additionalinput[] = {6570
+ 0xec, 0x8c, 0xd4, 0xf7, 0x61, 0x6e, 0x0d, 0x95, 0x79, 0xb7, 0x28, 0xad,6571
+ 0x5f, 0x69, 0x74, 0x5f, 0x2d, 0x36, 0x06, 0x8a, 0x6b, 0xac, 0x54, 0x97,6572
+ 0xc4, 0xa1, 0x12, 0x85, 0x0a, 0xdf, 0x4b, 0x346573
+};6574
+6575
+__fips_constseg static const unsigned char sha512_int_returnedbits[] = {6576
+ 0x84, 0x2f, 0x1f, 0x68, 0x6a, 0xa3, 0xad, 0x1e, 0xfb, 0xf4, 0x15, 0xbd,6577
+ 0xde, 0x38, 0xd4, 0x30, 0x80, 0x51, 0xe9, 0xd3, 0xc7, 0x20, 0x88, 0xe9,6578
+ 0xf5, 0xcc, 0xdf, 0x57, 0x5c, 0x47, 0x2f, 0x57, 0x3c, 0x5f, 0x13, 0x56,6579
+ 0xcc, 0xc5, 0x4f, 0x84, 0xf8, 0x10, 0x41, 0xd5, 0x7e, 0x58, 0x6e, 0x19,6580
+ 0x19, 0x9e, 0xaf, 0xc2, 0x22, 0x58, 0x41, 0x50, 0x79, 0xc2, 0xd8, 0x04,6581
+ 0x28, 0xd4, 0x39, 0x9a6582
+};6583
+6584
+__fips_constseg static const unsigned char sha512_entropyinputreseed[] = {6585
+ 0xfa, 0x7f, 0x46, 0x51, 0x83, 0x62, 0x98, 0x16, 0x9a, 0x19, 0xa2, 0x49,6586
+ 0xa9, 0xe6, 0x4a, 0xd8, 0x85, 0xe7, 0xd4, 0x3b, 0x2c, 0x82, 0xc5, 0x82,6587
+ 0xbf, 0x11, 0xf9, 0x9e, 0xbc, 0xd0, 0x01, 0xee6588
+};6589
+6590
+__fips_constseg static const unsigned char sha512_additionalinputreseed[] = {6591
+ 0xb9, 0x12, 0xe0, 0x4f, 0xf7, 0xa7, 0xc4, 0xd8, 0xd0, 0x8e, 0x99, 0x29,6592
+ 0x7c, 0x9a, 0xe9, 0xcf, 0xc4, 0x6c, 0xf8, 0xc3, 0xa7, 0x41, 0x83, 0xd6,6593
+ 0x2e, 0xfa, 0xb8, 0x5e, 0x8e, 0x6b, 0x78, 0x206594
+};6595
+6596
+__fips_constseg static const unsigned char sha512_additionalinput2[] = {6597
+ 0xd7, 0x07, 0x52, 0xb9, 0x83, 0x2c, 0x03, 0x71, 0xee, 0xc9, 0xc0, 0x85,6598
+ 0xe1, 0x57, 0xb2, 0xcd, 0x3a, 0xf0, 0xc9, 0x34, 0x24, 0x41, 0x1c, 0x42,6599
+ 0x99, 0xb2, 0x84, 0xe9, 0x17, 0xd2, 0x76, 0x926600
+};6601
+6602
+__fips_constseg static const unsigned char sha512_returnedbits[] = {6603
+ 0x36, 0x17, 0x5d, 0x98, 0x2b, 0x65, 0x25, 0x8e, 0xc8, 0x29, 0xdf, 0x27,6604
+ 0x05, 0x36, 0x26, 0x12, 0x8a, 0x68, 0x74, 0x27, 0x37, 0xd4, 0x7f, 0x32,6605
+ 0xb1, 0x12, 0xd6, 0x85, 0x83, 0xeb, 0x2e, 0xa0, 0xed, 0x4b, 0xb5, 0x7b,6606
+ 0x6f, 0x39, 0x3c, 0x71, 0x77, 0x02, 0x12, 0xcc, 0x2c, 0x3a, 0x8e, 0x63,6607
+ 0xdf, 0x4a, 0xbd, 0x6f, 0x6e, 0x2e, 0xed, 0x0a, 0x85, 0xa5, 0x2f, 0xa2,6608
+ 0x68, 0xde, 0x42, 0xb56609
+};6610
+6611
+/* HMAC SHA-1 PR */6612
+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinput[] = {6613
+ 0x26, 0x5f, 0x36, 0x14, 0xff, 0x3d, 0x83, 0xfa, 0x73, 0x5e, 0x75, 0xdc,6614
+ 0x2c, 0x18, 0x17, 0x1b6615
+};6616
+6617
+__fips_constseg static const unsigned char hmac_sha1_pr_nonce[] = {6618
+ 0xc8, 0xe3, 0x57, 0xa5, 0x7b, 0x74, 0x86, 0x6e6619
+};6620
+6621
+__fips_constseg6622
+ static const unsigned char hmac_sha1_pr_personalizationstring[] = {6623
+ 0x6e, 0xdb, 0x0d, 0xfe, 0x7d, 0xac, 0x79, 0xd0, 0xa5, 0x3a, 0x48, 0x85,6624
+ 0x80, 0xe2, 0x7f, 0x2a6625
+};6626
+6627
+__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput[] = {6628
+ 0x31, 0xcd, 0x5e, 0x43, 0xdc, 0xfb, 0x7a, 0x79, 0xca, 0x88, 0xde, 0x1f,6629
+ 0xd7, 0xbb, 0x42, 0x096630
+};6631
+6632
+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr[] = {6633
+ 0x7c, 0x23, 0x95, 0x38, 0x00, 0x95, 0xc1, 0x78, 0x1f, 0x8f, 0xd7, 0x63,6634
+ 0x23, 0x87, 0x2a, 0xed6635
+};6636
+6637
+__fips_constseg static const unsigned char hmac_sha1_pr_int_returnedbits[] = {6638
+ 0xbb, 0x34, 0xe7, 0x93, 0xa3, 0x02, 0x2c, 0x4a, 0xd0, 0x89, 0xda, 0x7f,6639
+ 0xed, 0xf4, 0x4c, 0xde, 0x17, 0xec, 0xe5, 0x6c6640
+};6641
+6642
+__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput2[] = {6643
+ 0x49, 0xbc, 0x2d, 0x2c, 0xb7, 0x32, 0xcb, 0x20, 0xdf, 0xf5, 0x77, 0x58,6644
+ 0xa0, 0x4b, 0x93, 0x6e6645
+};6646
+6647
+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr2[] = {6648
+ 0x3c, 0xaa, 0xb0, 0x21, 0x42, 0xb0, 0xdd, 0x34, 0xf0, 0x16, 0x7f, 0x0c,6649
+ 0x0f, 0xff, 0x2e, 0xaf6650
+};6651
+6652
+__fips_constseg static const unsigned char hmac_sha1_pr_returnedbits[] = {6653
+ 0x8e, 0xcb, 0xa3, 0x64, 0xb2, 0xb8, 0x33, 0x6c, 0x64, 0x3b, 0x78, 0x16,6654
+ 0x99, 0x35, 0xc8, 0x30, 0xcb, 0x3e, 0xa0, 0xd86655
+};6656
+6657
+/* HMAC SHA-1 No PR */6658
+__fips_constseg static const unsigned char hmac_sha1_entropyinput[] = {6659
+ 0x32, 0x9a, 0x2a, 0x87, 0x7b, 0x89, 0x7c, 0xf6, 0xcb, 0x95, 0xd5, 0x40,6660
+ 0x17, 0xfe, 0x47, 0x706661
+};6662
+6663
+__fips_constseg static const unsigned char hmac_sha1_nonce[] = {6664
+ 0x16, 0xd8, 0xe0, 0xc7, 0x52, 0xcf, 0x4a, 0x256665
+};6666
+6667
+__fips_constseg static const unsigned char hmac_sha1_personalizationstring[] = {6668
+ 0x35, 0x35, 0xa9, 0xa5, 0x40, 0xbe, 0x9b, 0xd1, 0x56, 0xdd, 0x44, 0x00,6669
+ 0x72, 0xf7, 0xd3, 0x5e6670
+};6671
+6672
+__fips_constseg static const unsigned char hmac_sha1_additionalinput[] = {6673
+ 0x1b, 0x2c, 0x84, 0x2d, 0x4a, 0x89, 0x8f, 0x69, 0x19, 0xf1, 0xf3, 0xdb,6674
+ 0xbb, 0xe3, 0xaa, 0xea6675
+};6676
+6677
+__fips_constseg static const unsigned char hmac_sha1_int_returnedbits[] = {6678
+ 0xcf, 0xfa, 0x7d, 0x72, 0x0f, 0xe6, 0xc7, 0x96, 0xa0, 0x69, 0x31, 0x11,6679
+ 0x9b, 0x0b, 0x1a, 0x20, 0x1f, 0x3f, 0xaa, 0xd16680
+};6681
+6682
+__fips_constseg static const unsigned char hmac_sha1_entropyinputreseed[] = {6683
+ 0x90, 0x75, 0x15, 0x04, 0x95, 0xf1, 0xba, 0x81, 0x0c, 0x37, 0x94, 0x6f,6684
+ 0x86, 0x52, 0x6d, 0x9c6685
+};6686
+6687
+__fips_constseg static const unsigned char hmac_sha1_additionalinputreseed[] = {6688
+ 0x5b, 0x40, 0xba, 0x5f, 0x17, 0x70, 0xf0, 0x4b, 0xdf, 0xc9, 0x97, 0x92,6689
+ 0x79, 0xc5, 0x82, 0x286690
+};6691
+6692
+__fips_constseg static const unsigned char hmac_sha1_additionalinput2[] = {6693
+ 0x97, 0xc8, 0x80, 0x90, 0xb3, 0xaa, 0x6e, 0x60, 0xea, 0x83, 0x7a, 0xe3,6694
+ 0x8a, 0xca, 0xa4, 0x7f6695
+};6696
+6697
+__fips_constseg static const unsigned char hmac_sha1_returnedbits[] = {6698
+ 0x90, 0xbd, 0x05, 0x56, 0x6d, 0xb5, 0x22, 0xd5, 0xb9, 0x5a, 0x29, 0x2d,6699
+ 0xe9, 0x0b, 0xe1, 0xac, 0xde, 0x27, 0x0b, 0xb06700
+};6701
+6702
+/* HMAC SHA-224 PR */6703
+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinput[] = {6704
+ 0x17, 0x32, 0x2b, 0x2e, 0x6f, 0x1b, 0x9c, 0x6d, 0x31, 0xe0, 0x34, 0x07,6705
+ 0xcf, 0xed, 0xf6, 0xb6, 0x5a, 0x76, 0x4c, 0xbc, 0x62, 0x85, 0x01, 0x906706
+};6707
+6708
+__fips_constseg static const unsigned char hmac_sha224_pr_nonce[] = {6709
+ 0x38, 0xbf, 0x5f, 0x20, 0xb3, 0x68, 0x2f, 0x43, 0x61, 0x05, 0x8f, 0x236710
+};6711
+6712
+__fips_constseg6713
+ static const unsigned char hmac_sha224_pr_personalizationstring[] = {6714
+ 0xc0, 0xc9, 0x45, 0xac, 0x8d, 0x27, 0x77, 0x08, 0x0b, 0x17, 0x6d, 0xed,6715
+ 0xc1, 0x7d, 0xd5, 0x07, 0x9d, 0x6e, 0xf8, 0x23, 0x2a, 0x22, 0x13, 0xbd6716
+};6717
+6718
+__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput[] = {6719
+ 0xa4, 0x3c, 0xe7, 0x3b, 0xea, 0x19, 0x45, 0x32, 0xc2, 0x83, 0x6d, 0x21,6720
+ 0x8a, 0xc0, 0xee, 0x67, 0x45, 0xde, 0x13, 0x7d, 0x9d, 0x61, 0x00, 0x3b6721
+};6722
+6723
+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr[] = {6724
+ 0x15, 0x05, 0x74, 0x4a, 0x7f, 0x8d, 0x5c, 0x60, 0x16, 0xe5, 0x7b, 0xad,6725
+ 0xf5, 0x41, 0x8f, 0x55, 0x60, 0xc4, 0x09, 0xee, 0x1e, 0x11, 0x81, 0xab6726
+};6727
+6728
+__fips_constseg static const unsigned char hmac_sha224_pr_int_returnedbits[] = {6729
+ 0x6f, 0xf5, 0x9a, 0xe2, 0x54, 0x53, 0x30, 0x3d, 0x5a, 0x27, 0x29, 0x38,6730
+ 0x27, 0xf2, 0x0d, 0x05, 0xe9, 0x26, 0xcb, 0x16, 0xc3, 0x51, 0x5f, 0x13,6731
+ 0x41, 0xfe, 0x99, 0xf26732
+};6733
+6734
+__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput2[] = {6735
+ 0x73, 0x81, 0x88, 0x84, 0x8f, 0xed, 0x6f, 0x10, 0x9f, 0x93, 0xbf, 0x17,6736
+ 0x35, 0x7c, 0xef, 0xd5, 0x8d, 0x26, 0xa6, 0x7a, 0xe8, 0x09, 0x36, 0x4f6737
+};6738
+6739
+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr2[] = {6740
+ 0xe6, 0xcf, 0xcf, 0x7e, 0x12, 0xe5, 0x43, 0xd2, 0x38, 0xd8, 0x24, 0x6f,6741
+ 0x5a, 0x37, 0x68, 0xbf, 0x4f, 0xa0, 0xff, 0xd5, 0x61, 0x8a, 0x93, 0xe06742
+};6743
+6744
+__fips_constseg static const unsigned char hmac_sha224_pr_returnedbits[] = {6745
+ 0xaf, 0xf9, 0xd8, 0x19, 0x91, 0x30, 0x82, 0x6f, 0xa9, 0x1e, 0x9d, 0xd7,6746
+ 0xf3, 0x50, 0xe0, 0xc7, 0xd5, 0x64, 0x96, 0x7d, 0x4c, 0x4d, 0x78, 0x03,6747
+ 0x6d, 0xd8, 0x9e, 0x726748
+};6749
+6750
+/* HMAC SHA-224 No PR */6751
+__fips_constseg static const unsigned char hmac_sha224_entropyinput[] = {6752
+ 0x11, 0x82, 0xfd, 0xd9, 0x42, 0xf4, 0xfa, 0xc8, 0xf2, 0x41, 0xe6, 0x54,6753
+ 0x01, 0xae, 0x22, 0x6e, 0xc6, 0xaf, 0xaf, 0xd0, 0xa6, 0xb2, 0xe2, 0x6d6754
+};6755
+6756
+__fips_constseg static const unsigned char hmac_sha224_nonce[] = {6757
+ 0xa9, 0x48, 0xd7, 0x92, 0x39, 0x7e, 0x2a, 0xdc, 0x30, 0x1f, 0x0e, 0x2b6758
+};6759
+6760
+__fips_constseg6761
+ static const unsigned char hmac_sha224_personalizationstring[] = {6762
+ 0x11, 0xd5, 0xf4, 0xbd, 0x67, 0x8c, 0x31, 0xcf, 0xa3, 0x3f, 0x1e, 0x6b,6763
+ 0xa8, 0x07, 0x02, 0x0b, 0xc8, 0x2e, 0x6c, 0x64, 0x41, 0x5b, 0xc8, 0x376764
+};6765
+6766
+__fips_constseg static const unsigned char hmac_sha224_additionalinput[] = {6767
+ 0x68, 0x18, 0xc2, 0x06, 0xeb, 0x3e, 0x04, 0x95, 0x44, 0x5e, 0xfb, 0xe6,6768
+ 0x41, 0xc1, 0x5c, 0xcc, 0x40, 0x2f, 0xb7, 0xd2, 0x0f, 0xf3, 0x6b, 0xe76769
+};6770
+6771
+__fips_constseg static const unsigned char hmac_sha224_int_returnedbits[] = {6772
+ 0x7f, 0x45, 0xc7, 0x5d, 0x32, 0xe6, 0x17, 0x60, 0xba, 0xdc, 0xb8, 0x42,6773
+ 0x1b, 0x9c, 0xf1, 0xfa, 0x3b, 0x4d, 0x29, 0x54, 0xc6, 0x90, 0xff, 0x5c,6774
+ 0xcd, 0xd6, 0xa9, 0xcc6775
+};6776
+6777
+__fips_constseg static const unsigned char hmac_sha224_entropyinputreseed[] = {6778
+ 0xc4, 0x8e, 0x37, 0x95, 0x69, 0x53, 0x28, 0xd7, 0x37, 0xbb, 0x70, 0x95,6779
+ 0x1c, 0x07, 0x1d, 0xd9, 0xb7, 0xe6, 0x1b, 0xbb, 0xfe, 0x41, 0xeb, 0xc96780
+};6781
+6782
+__fips_constseg6783
+ static const unsigned char hmac_sha224_additionalinputreseed[] = {6784
+ 0x53, 0x17, 0xa1, 0x6a, 0xfa, 0x77, 0x47, 0xb0, 0x95, 0x56, 0x9a, 0x20,6785
+ 0x57, 0xde, 0x5c, 0x89, 0x9f, 0x7f, 0xe2, 0xde, 0x17, 0x3a, 0x50, 0x236786
+};6787
+6788
+__fips_constseg static const unsigned char hmac_sha224_additionalinput2[] = {6789
+ 0x3a, 0x32, 0xf9, 0x85, 0x0c, 0xc1, 0xed, 0x76, 0x2d, 0xdf, 0x40, 0xc3,6790
+ 0x06, 0x22, 0x66, 0xd4, 0x9a, 0x9a, 0xff, 0x5a, 0x7e, 0x7a, 0xf3, 0x966791
+};6792
+6793
+__fips_constseg static const unsigned char hmac_sha224_returnedbits[] = {6794
+ 0x43, 0xb4, 0x57, 0x5c, 0x38, 0x25, 0x9d, 0xae, 0xec, 0x96, 0xd1, 0x85,6795
+ 0x3a, 0x84, 0x8d, 0xfe, 0x68, 0xd5, 0x0e, 0x5c, 0x8f, 0x65, 0xa5, 0x4e,6796
+ 0x45, 0x84, 0xa8, 0x946797
+};6798
+6799
+/* HMAC SHA-256 PR */6800
+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinput[] = {6801
+ 0x4d, 0xb0, 0x43, 0xd8, 0x34, 0x4b, 0x10, 0x70, 0xb1, 0x8b, 0xed, 0xea,6802
+ 0x07, 0x92, 0x9f, 0x6c, 0x79, 0x31, 0xaf, 0x81, 0x29, 0xeb, 0x6e, 0xca,6803
+ 0x32, 0x48, 0x28, 0xe7, 0x02, 0x5d, 0xa6, 0xa66804
+};6805
+6806
+__fips_constseg static const unsigned char hmac_sha256_pr_nonce[] = {6807
+ 0x3a, 0xae, 0x15, 0xa9, 0x99, 0xdc, 0xe4, 0x67, 0x34, 0x3b, 0x70, 0x15,6808
+ 0xaa, 0xd3, 0x30, 0x9a6809
+};6810
+6811
+__fips_constseg6812
+ static const unsigned char hmac_sha256_pr_personalizationstring[] = {6813
+ 0x13, 0x1d, 0x24, 0x04, 0xb0, 0x18, 0x81, 0x15, 0x21, 0x51, 0x2a, 0x24,6814
+ 0x52, 0x61, 0xbe, 0x64, 0x82, 0x6b, 0x55, 0x2f, 0xe2, 0xf1, 0x40, 0x7d,6815
+ 0x71, 0xd8, 0x01, 0x86, 0x15, 0xb7, 0x8b, 0xb56816
+};6817
+6818
+__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput[] = {6819
+ 0x8f, 0xa6, 0x54, 0x5f, 0xb1, 0xd0, 0xd8, 0xc3, 0xe7, 0x0c, 0x15, 0xa9,6820
+ 0x23, 0x6e, 0xfe, 0xfb, 0x93, 0xf7, 0x3a, 0xbd, 0x59, 0x01, 0xfa, 0x18,6821
+ 0x8e, 0xe9, 0x1a, 0xa9, 0x78, 0xfc, 0x79, 0x0b6822
+};6823
+6824
+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr[] = {6825
+ 0xcf, 0x24, 0xb9, 0xeb, 0xb3, 0xd4, 0xcd, 0x17, 0x37, 0x38, 0x75, 0x79,6826
+ 0x15, 0xcb, 0x2d, 0x75, 0x51, 0xf1, 0xcc, 0xaa, 0x32, 0xa4, 0xa7, 0x36,6827
+ 0x7c, 0x5c, 0xe4, 0x47, 0xf1, 0x3e, 0x1d, 0xe56828
+};6829
+6830
+__fips_constseg static const unsigned char hmac_sha256_pr_int_returnedbits[] = {6831
+ 0x52, 0x42, 0xfa, 0xeb, 0x85, 0xe0, 0x30, 0x22, 0x79, 0x00, 0x16, 0xb2,6832
+ 0x88, 0x2f, 0x14, 0x6a, 0xb7, 0xfc, 0xb7, 0x53, 0xdc, 0x4a, 0x12, 0xef,6833
+ 0x54, 0xd6, 0x33, 0xe9, 0x20, 0xd6, 0xfd, 0x566834
+};6835
+6836
+__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput2[] = {6837
+ 0xf4, 0xf6, 0x49, 0xa1, 0x2d, 0x64, 0x2b, 0x30, 0x58, 0xf8, 0xbd, 0xb8,6838
+ 0x75, 0xeb, 0xbb, 0x5e, 0x1c, 0x9b, 0x81, 0x6a, 0xda, 0x14, 0x86, 0x6e,6839
+ 0xd0, 0xda, 0x18, 0xb7, 0x88, 0xfb, 0x59, 0xf36840
+};6841
+6842
+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr2[] = {6843
+ 0x21, 0xcd, 0x6e, 0x46, 0xad, 0x99, 0x07, 0x17, 0xb4, 0x3d, 0x76, 0x0a,6844
+ 0xff, 0x5b, 0x52, 0x50, 0x78, 0xdf, 0x1f, 0x24, 0x06, 0x0d, 0x3f, 0x74,6845
+ 0xa9, 0xc9, 0x37, 0xcf, 0xd8, 0x26, 0x25, 0x916846
+};6847
+6848
+__fips_constseg static const unsigned char hmac_sha256_pr_returnedbits[] = {6849
+ 0xa7, 0xaf, 0x2f, 0x29, 0xe0, 0x3a, 0x72, 0x95, 0x96, 0x1c, 0xa9, 0xf0,6850
+ 0x4a, 0x17, 0x4d, 0x66, 0x06, 0x10, 0xbf, 0x39, 0x89, 0x88, 0xb8, 0x91,6851
+ 0x37, 0x18, 0x99, 0xcf, 0x8c, 0x53, 0x3b, 0x7e6852
+};6853
+6854
+/* HMAC SHA-256 No PR */6855
+__fips_constseg static const unsigned char hmac_sha256_entropyinput[] = {6856
+ 0x96, 0xb7, 0x53, 0x22, 0x1e, 0x52, 0x2a, 0x96, 0xb1, 0x15, 0x3c, 0x35,6857
+ 0x5a, 0x8b, 0xd3, 0x4a, 0xa6, 0x6c, 0x83, 0x0a, 0x7d, 0xa3, 0x23, 0x3d,6858
+ 0x43, 0xa1, 0x07, 0x2c, 0x2d, 0xe3, 0x81, 0xcc6859
+};6860
+6861
+__fips_constseg static const unsigned char hmac_sha256_nonce[] = {6862
+ 0xf1, 0xac, 0x97, 0xcb, 0x5e, 0x06, 0x48, 0xd2, 0x94, 0xbe, 0x15, 0x2e,6863
+ 0xc7, 0xfc, 0xc2, 0x016864
+};6865
+6866
+__fips_constseg6867
+ static const unsigned char hmac_sha256_personalizationstring[] = {6868
+ 0x98, 0xc5, 0x1e, 0x35, 0x5e, 0x89, 0x0d, 0xce, 0x64, 0x6d, 0x18, 0xa7,6869
+ 0x5a, 0xc6, 0xf3, 0xe7, 0xd6, 0x9e, 0xc0, 0xea, 0xb7, 0x3a, 0x8d, 0x65,6870
+ 0xb8, 0xeb, 0x10, 0xd7, 0x57, 0x18, 0xa0, 0x326871
+};6872
+6873
+__fips_constseg static const unsigned char hmac_sha256_additionalinput[] = {6874
+ 0x1b, 0x10, 0xaf, 0xac, 0xd0, 0x65, 0x95, 0xad, 0x04, 0xad, 0x03, 0x1c,6875
+ 0xe0, 0x40, 0xd6, 0x3e, 0x1c, 0x46, 0x53, 0x39, 0x7c, 0xe2, 0xbc, 0xda,6876
+ 0x8c, 0xa2, 0x33, 0xa7, 0x9a, 0x26, 0xd3, 0x276877
+};6878
+6879
+__fips_constseg static const unsigned char hmac_sha256_int_returnedbits[] = {6880
+ 0xba, 0x61, 0x0e, 0x55, 0xfe, 0x11, 0x8a, 0x9e, 0x0f, 0x80, 0xdf, 0x1d,6881
+ 0x03, 0x0a, 0xfe, 0x15, 0x94, 0x28, 0x4b, 0xba, 0xf4, 0x9f, 0x51, 0x25,6882
+ 0x88, 0xe5, 0x4e, 0xfb, 0xaf, 0xce, 0x69, 0x906883
+};6884
+6885
+__fips_constseg static const unsigned char hmac_sha256_entropyinputreseed[] = {6886
+ 0x62, 0x7f, 0x1e, 0x6b, 0xe8, 0x8e, 0xe1, 0x35, 0x7d, 0x9b, 0x4f, 0xc7,6887
+ 0xec, 0xc8, 0xac, 0xef, 0x6b, 0x13, 0x9e, 0x05, 0x56, 0xc1, 0x08, 0xf9,6888
+ 0x2f, 0x0f, 0x27, 0x9c, 0xd4, 0x15, 0xed, 0x2d6889
+};6890
+6891
+__fips_constseg6892
+ static const unsigned char hmac_sha256_additionalinputreseed[] = {6893
+ 0xc7, 0x76, 0x6e, 0xa9, 0xd2, 0xb2, 0x76, 0x40, 0x82, 0x25, 0x2c, 0xb3,6894
+ 0x6f, 0xac, 0xe9, 0x74, 0xef, 0x8f, 0x3c, 0x8e, 0xcd, 0xf1, 0xbf, 0xb3,6895
+ 0x49, 0x77, 0x34, 0x88, 0x52, 0x36, 0xe6, 0x2e6896
+};6897
+6898
+__fips_constseg static const unsigned char hmac_sha256_additionalinput2[] = {6899
+ 0x8d, 0xb8, 0x0c, 0xd1, 0xbf, 0x70, 0xf6, 0x19, 0xc3, 0x41, 0x80, 0x9f,6900
+ 0xe1, 0xa5, 0xa4, 0x1f, 0x2c, 0x26, 0xb1, 0xe5, 0xd8, 0xeb, 0xbe, 0xf8,6901
+ 0xdf, 0x88, 0x6a, 0x89, 0xd6, 0x05, 0xd8, 0x9d6902
+};6903
+6904
+__fips_constseg static const unsigned char hmac_sha256_returnedbits[] = {6905
+ 0x43, 0x12, 0x2a, 0x2c, 0x40, 0x53, 0x2e, 0x7c, 0x66, 0x34, 0xac, 0xc3,6906
+ 0x43, 0xe3, 0xe0, 0x6a, 0xfc, 0xfa, 0xea, 0x87, 0x21, 0x1f, 0xe2, 0x26,6907
+ 0xc4, 0xf9, 0x09, 0x9a, 0x0d, 0x6e, 0x7f, 0xe06908
+};6909
+6910
+/* HMAC SHA-384 PR */6911
+__fips_constseg static const unsigned char hmac_sha384_pr_entropyinput[] = {6912
+ 0x69, 0x81, 0x98, 0x88, 0x44, 0xf5, 0xd6, 0x2e, 0x00, 0x08, 0x3b, 0xc5,6913
+ 0xfb, 0xd7, 0x8e, 0x6f, 0x23, 0xf8, 0x6d, 0x09, 0xd6, 0x85, 0x49, 0xd1,6914
+ 0xf8, 0x6d, 0xa4, 0x58, 0x54, 0xfd, 0x88, 0xa96915
+};6916
+6917
+__fips_constseg static const unsigned char hmac_sha384_pr_nonce[] = {6918
+ 0x6e, 0x38, 0x81, 0xca, 0xb7, 0xe8, 0x6e, 0x66, 0x49, 0x8a, 0xb2, 0x59,6919
+ 0xee, 0x16, 0xc9, 0xde6920
+};6921
+6922
+__fips_constseg6923
+ static const unsigned char hmac_sha384_pr_personalizationstring[] = {6924
+ 0xfe, 0x4c, 0xd9, 0xf4, 0x78, 0x3b, 0x08, 0x41, 0x8d, 0x8f, 0x55, 0xc4,6925
+ 0x43, 0x56, 0xb6, 0x12, 0x36, 0x6b, 0x30, 0xb7, 0x5e, 0xe1, 0xb9, 0x47,6926
+ 0x04, 0xb1, 0x4e, 0xa9, 0x00, 0xa1, 0x52, 0xa16927
+};6928
+6929
+__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput[] = {6930
+ 0x89, 0xe9, 0xcc, 0x8f, 0x27, 0x3c, 0x26, 0xd1, 0x95, 0xc8, 0x7d, 0x0f,6931
+ 0x5b, 0x1a, 0xf0, 0x78, 0x39, 0x56, 0x6f, 0xa4, 0x23, 0xe7, 0xd1, 0xda,6932
+ 0x7c, 0x66, 0x33, 0xa0, 0x90, 0xc9, 0x92, 0x886933
+};6934
+6935
+__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr[] = {6936
+ 0xbe, 0x3d, 0x7c, 0x0d, 0xca, 0xda, 0x7c, 0x49, 0xb8, 0x12, 0x36, 0xc0,6937
+ 0xdb, 0xad, 0x35, 0xa8, 0xc7, 0x0b, 0x2a, 0x2c, 0x69, 0x6d, 0x25, 0x56,6938
+ 0x63, 0x82, 0x11, 0x3e, 0xa7, 0x33, 0x70, 0x726939
+};6940
+6941
+__fips_constseg static const unsigned char hmac_sha384_pr_int_returnedbits[] = {6942
+ 0x82, 0x3d, 0xe6, 0x54, 0x80, 0x42, 0xf8, 0xba, 0x90, 0x4f, 0x06, 0xa6,6943
+ 0xd2, 0x7f, 0xbf, 0x79, 0x7c, 0x12, 0x7d, 0xa6, 0xa2, 0x66, 0xe8, 0xa6,6944
+ 0xc0, 0xd6, 0x4a, 0x55, 0xbf, 0xd8, 0x0a, 0xc5, 0xf8, 0x03, 0x88, 0xdd,6945
+ 0x8e, 0x87, 0xd1, 0x5a, 0x48, 0x26, 0x72, 0x2a, 0x8e, 0xcf, 0xee, 0xba6946
+};6947
+6948
+__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput2[] = {6949
+ 0x8f, 0xff, 0xd9, 0x84, 0xbb, 0x85, 0x3a, 0x66, 0xa1, 0x21, 0xce, 0xb2,6950
+ 0x3a, 0x3a, 0x17, 0x22, 0x19, 0xae, 0xc7, 0xb6, 0x63, 0x81, 0xd5, 0xff,6951
+ 0x0d, 0xc8, 0xe1, 0xaf, 0x57, 0xd2, 0xcb, 0x606952
+};6953
+6954
+__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr2[] = {6955
+ 0xd7, 0xfb, 0xc9, 0xe8, 0xe2, 0xf2, 0xaa, 0x4c, 0xb8, 0x51, 0x2f, 0xe1,6956
+ 0x22, 0xba, 0xf3, 0xda, 0x0a, 0x19, 0x76, 0x71, 0x57, 0xb2, 0x1d, 0x94,6957
+ 0x09, 0x69, 0x6c, 0xd3, 0x97, 0x51, 0x81, 0x876958
+};6959
+6960
+__fips_constseg static const unsigned char hmac_sha384_pr_returnedbits[] = {6961
+ 0xe6, 0x19, 0x28, 0xa8, 0x21, 0xce, 0x5e, 0xdb, 0x24, 0x79, 0x8c, 0x76,6962
+ 0x5d, 0x73, 0xb2, 0xdf, 0xac, 0xef, 0x85, 0xa7, 0x3b, 0x19, 0x09, 0x8b,6963
+ 0x7f, 0x98, 0x28, 0xa9, 0x93, 0xd8, 0x7a, 0xad, 0x55, 0x8b, 0x24, 0x9d,6964
+ 0xe6, 0x98, 0xfe, 0x47, 0xd5, 0x48, 0xc1, 0x23, 0xd8, 0x1d, 0x62, 0x756965
+};6966
+6967
+/* HMAC SHA-384 No PR */6968
+__fips_constseg static const unsigned char hmac_sha384_entropyinput[] = {6969
+ 0xc3, 0x56, 0x2b, 0x1d, 0xc2, 0xbb, 0xa8, 0xf0, 0xae, 0x1b, 0x0d, 0xd3,6970
+ 0x5a, 0x6c, 0xda, 0x57, 0x8e, 0xa5, 0x8a, 0x0d, 0x6c, 0x4b, 0x18, 0xb1,6971
+ 0x04, 0x3e, 0xb4, 0x99, 0x35, 0xc4, 0xc0, 0x5f6972
+};6973
+6974
+__fips_constseg static const unsigned char hmac_sha384_nonce[] = {6975
+ 0xc5, 0x49, 0x1e, 0x66, 0x27, 0x92, 0xbe, 0xec, 0xb5, 0x1e, 0x4b, 0xb1,6976
+ 0x38, 0xe3, 0xeb, 0x626977
+};6978
+6979
+__fips_constseg6980
+ static const unsigned char hmac_sha384_personalizationstring[] = {6981
+ 0xbe, 0xe7, 0x6b, 0x57, 0xde, 0x88, 0x11, 0x96, 0x9b, 0x6e, 0xea, 0xe5,6982
+ 0x63, 0x83, 0x4c, 0xb6, 0x8d, 0x66, 0xaa, 0x1f, 0x8b, 0x54, 0xe7, 0x62,6983
+ 0x6d, 0x5a, 0xfc, 0xbf, 0x97, 0xba, 0xcd, 0x776984
+};6985
+6986
+__fips_constseg static const unsigned char hmac_sha384_additionalinput[] = {6987
+ 0xe5, 0x28, 0x5f, 0x43, 0xf5, 0x83, 0x6e, 0x0a, 0x83, 0x5c, 0xe3, 0x81,6988
+ 0x03, 0xf2, 0xf8, 0x78, 0x00, 0x7c, 0x95, 0x87, 0x16, 0xd6, 0x6c, 0x58,6989
+ 0x33, 0x6c, 0x53, 0x35, 0x0d, 0x66, 0xe3, 0xce6990
+};6991
+6992
+__fips_constseg static const unsigned char hmac_sha384_int_returnedbits[] = {6993
+ 0xe2, 0x1f, 0xf3, 0xda, 0x0d, 0x19, 0x99, 0x87, 0xc4, 0x90, 0xa2, 0x31,6994
+ 0xca, 0x2a, 0x89, 0x58, 0x43, 0x44, 0xb8, 0xde, 0xcf, 0xa4, 0xbe, 0x3b,6995
+ 0x53, 0x26, 0x22, 0x31, 0x76, 0x41, 0x22, 0xb5, 0xa8, 0x70, 0x2f, 0x4b,6996
+ 0x64, 0x95, 0x4d, 0x48, 0x96, 0x35, 0xe6, 0xbd, 0x3c, 0x34, 0xdb, 0x1b6997
+};6998
+6999
+__fips_constseg static const unsigned char hmac_sha384_entropyinputreseed[] = {7000
+ 0x77, 0x61, 0xba, 0xbc, 0xf2, 0xc1, 0xf3, 0x4b, 0x86, 0x65, 0xfd, 0x48,7001
+ 0x0e, 0x3c, 0x02, 0x5e, 0xa2, 0x7a, 0x6b, 0x7c, 0xed, 0x21, 0x5e, 0xf9,7002
+ 0xcd, 0xcd, 0x77, 0x07, 0x2b, 0xbe, 0xc5, 0x5c7003
+};7004
+7005
+__fips_constseg7006
+ static const unsigned char hmac_sha384_additionalinputreseed[] = {7007
+ 0x18, 0x24, 0x5f, 0xc6, 0x84, 0xd1, 0x67, 0xc3, 0x9a, 0x11, 0xa5, 0x8c,7008
+ 0x07, 0x39, 0x21, 0x83, 0x4d, 0x04, 0xc4, 0x6a, 0x28, 0x19, 0xcf, 0x92,7009
+ 0x21, 0xd9, 0x9e, 0x41, 0x72, 0x6c, 0x9e, 0x637010
+};7011
+7012
+__fips_constseg static const unsigned char hmac_sha384_additionalinput2[] = {7013
+ 0x96, 0x67, 0x41, 0x28, 0x9b, 0xb7, 0x92, 0x8d, 0x64, 0x3b, 0xe4, 0xcf,7014
+ 0x7e, 0xaa, 0x1e, 0xb1, 0x4b, 0x1d, 0x09, 0x56, 0x67, 0x9c, 0xc6, 0x6d,7015
+ 0x3b, 0xe8, 0x91, 0x9d, 0xe1, 0x8a, 0xb7, 0x327016
+};7017
+7018
+__fips_constseg static const unsigned char hmac_sha384_returnedbits[] = {7019
+ 0xe3, 0x59, 0x61, 0x38, 0x92, 0xec, 0xe2, 0x3c, 0xff, 0xb7, 0xdb, 0x19,7020
+ 0x0f, 0x5b, 0x93, 0x68, 0x0d, 0xa4, 0x94, 0x40, 0x72, 0x0b, 0xe0, 0xed,7021
+ 0x4d, 0xcd, 0x68, 0xa0, 0x1e, 0xfe, 0x67, 0xb2, 0xfa, 0x21, 0x56, 0x74,7022
+ 0xa4, 0xad, 0xcf, 0xb7, 0x60, 0x66, 0x2e, 0x40, 0xde, 0x82, 0xca, 0xfb7023
+};7024
+7025
+/* HMAC SHA-512 PR */7026
+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinput[] = {7027
+ 0xaa, 0x9e, 0x45, 0x67, 0x0e, 0x00, 0x2a, 0x67, 0x98, 0xd6, 0xda, 0x0b,7028
+ 0x0f, 0x17, 0x7e, 0xac, 0xfd, 0x27, 0xc4, 0xca, 0x84, 0xdf, 0xde, 0xba,7029
+ 0x85, 0xd9, 0xbe, 0x8f, 0xf3, 0xff, 0x91, 0x4d7030
+};7031
+7032
+__fips_constseg static const unsigned char hmac_sha512_pr_nonce[] = {7033
+ 0x8c, 0x49, 0x2f, 0x58, 0x1e, 0x7a, 0xda, 0x4b, 0x7e, 0x8a, 0x30, 0x7b,7034
+ 0x86, 0xea, 0xaf, 0xa27035
+};7036
+7037
+__fips_constseg7038
+ static const unsigned char hmac_sha512_pr_personalizationstring[] = {7039
+ 0x71, 0xe1, 0xbb, 0xad, 0xa7, 0x4b, 0x2e, 0x31, 0x3b, 0x0b, 0xec, 0x24,7040
+ 0x99, 0x38, 0xbc, 0xaa, 0x05, 0x4c, 0x46, 0x44, 0xfa, 0xad, 0x8e, 0x02,7041
+ 0xc1, 0x7e, 0xad, 0xec, 0x54, 0xa6, 0xd0, 0xad7042
+};7043
+7044
+__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput[] = {7045
+ 0x3d, 0x6e, 0xa6, 0xa8, 0x29, 0x2a, 0xb2, 0xf5, 0x98, 0x42, 0xe4, 0x92,7046
+ 0x78, 0x22, 0x67, 0xfd, 0x1b, 0x15, 0x1e, 0x29, 0xaa, 0x71, 0x3c, 0x3c,7047
+ 0xe7, 0x05, 0x20, 0xa9, 0x29, 0xc6, 0x75, 0x717048
+};7049
+7050
+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr[] = {7051
+ 0xab, 0xb9, 0x16, 0xd8, 0x55, 0x35, 0x54, 0xb7, 0x97, 0x3f, 0x94, 0xbc,7052
+ 0x2f, 0x7c, 0x70, 0xc7, 0xd0, 0xed, 0xb7, 0x4b, 0xf7, 0xf6, 0x6c, 0x03,7053
+ 0x0c, 0xb0, 0x03, 0xd8, 0xbb, 0x71, 0xd9, 0x107054
+};7055
+7056
+__fips_constseg static const unsigned char hmac_sha512_pr_int_returnedbits[] = {7057
+ 0x8e, 0xd3, 0xfd, 0x52, 0x9e, 0x83, 0x08, 0x49, 0x18, 0x6e, 0x23, 0x56,7058
+ 0x5c, 0x45, 0x93, 0x34, 0x05, 0xe2, 0x98, 0x8f, 0x0c, 0xd4, 0x32, 0x0c,7059
+ 0xfd, 0xda, 0x5f, 0x92, 0x3a, 0x8c, 0x81, 0xbd, 0xf6, 0x6c, 0x55, 0xfd,7060
+ 0xb8, 0x20, 0xce, 0x8d, 0x97, 0x27, 0xe8, 0xe8, 0xe0, 0xb3, 0x85, 0x50,7061
+ 0xa2, 0xc2, 0xb2, 0x95, 0x1d, 0x48, 0xd3, 0x7b, 0x4b, 0x78, 0x13, 0x35,7062
+ 0x05, 0x17, 0xbe, 0x0d7063
+};7064
+7065
+__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput2[] = {7066
+ 0xc3, 0xfc, 0x95, 0xaa, 0x69, 0x06, 0xae, 0x59, 0x41, 0xce, 0x26, 0x08,7067
+ 0x29, 0x6d, 0x45, 0xda, 0xe8, 0xb3, 0x6c, 0x95, 0x60, 0x0f, 0x70, 0x2c,7068
+ 0x10, 0xba, 0x38, 0x8c, 0xcf, 0x29, 0x99, 0xaa7069
+};7070
+7071
+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr2[] = {7072
+ 0x3b, 0x9a, 0x25, 0xce, 0xd7, 0xf9, 0x5c, 0xd1, 0x3a, 0x3e, 0xaa, 0x71,7073
+ 0x14, 0x3e, 0x19, 0xe8, 0xce, 0xe6, 0xfe, 0x51, 0x84, 0xe9, 0x1b, 0xfe,7074
+ 0x3f, 0xa7, 0xf2, 0xfd, 0x76, 0x5f, 0x6a, 0xe77075
+};7076
+7077
+__fips_constseg static const unsigned char hmac_sha512_pr_returnedbits[] = {7078
+ 0xb7, 0x82, 0xa9, 0x57, 0x81, 0x67, 0x53, 0xb5, 0xa1, 0xe9, 0x3d, 0x35,7079
+ 0xf9, 0xe4, 0x97, 0xbe, 0xa6, 0xca, 0xf1, 0x01, 0x13, 0x09, 0xe7, 0x21,7080
+ 0xc0, 0xed, 0x93, 0x5d, 0x4b, 0xf4, 0xeb, 0x8d, 0x53, 0x25, 0x8a, 0xc4,7081
+ 0xb1, 0x6f, 0x6e, 0x37, 0xcd, 0x2e, 0xac, 0x39, 0xb2, 0xb6, 0x99, 0xa3,7082
+ 0x82, 0x00, 0xb0, 0x21, 0xf0, 0xc7, 0x2f, 0x4c, 0x73, 0x92, 0xfd, 0x00,7083
+ 0xb6, 0xaf, 0xbc, 0xd37084
+};7085
+7086
+/* HMAC SHA-512 No PR */7087
+__fips_constseg static const unsigned char hmac_sha512_entropyinput[] = {7088
+ 0x6e, 0x85, 0xe6, 0x25, 0x96, 0x29, 0xa7, 0x52, 0x5b, 0x60, 0xba, 0xaa,7089
+ 0xde, 0xdb, 0x36, 0x0a, 0x51, 0x9a, 0x15, 0xae, 0x6e, 0x18, 0xd3, 0xfe,7090
+ 0x39, 0xb9, 0x4a, 0x96, 0xf8, 0x77, 0xcb, 0x957091
+};7092
+7093
+__fips_constseg static const unsigned char hmac_sha512_nonce[] = {7094
+ 0xe0, 0xa6, 0x5d, 0x08, 0xc3, 0x7c, 0xae, 0x25, 0x2e, 0x80, 0xd1, 0x3e,7095
+ 0xd9, 0xaf, 0x43, 0x3c7096
+};7097
+7098
+__fips_constseg7099
+ static const unsigned char hmac_sha512_personalizationstring[] = {7100
+ 0x53, 0x99, 0x52, 0x5f, 0x11, 0xa9, 0x64, 0x66, 0x20, 0x5e, 0x1b, 0x5f,7101
+ 0x42, 0xb3, 0xf4, 0xda, 0xed, 0xbb, 0x63, 0xc1, 0x23, 0xaf, 0xd0, 0x01,7102
+ 0x90, 0x3b, 0xd0, 0x78, 0xe4, 0x0b, 0xa7, 0x207103
+};7104
+7105
+__fips_constseg static const unsigned char hmac_sha512_additionalinput[] = {7106
+ 0x85, 0x90, 0x80, 0xd3, 0x98, 0xf1, 0x53, 0x6d, 0x68, 0x15, 0x8f, 0xe5,7107
+ 0x60, 0x3f, 0x17, 0x29, 0x55, 0x8d, 0x33, 0xb1, 0x45, 0x64, 0x64, 0x8d,7108
+ 0x50, 0x21, 0x89, 0xae, 0xf6, 0xfd, 0x32, 0x737109
+};7110
+7111
+__fips_constseg static const unsigned char hmac_sha512_int_returnedbits[] = {7112
+ 0x28, 0x56, 0x30, 0x6f, 0xf4, 0xa1, 0x48, 0xe0, 0xc9, 0xf5, 0x75, 0x90,7113
+ 0xcc, 0xfb, 0xdf, 0xdf, 0x71, 0x3d, 0x0a, 0x9a, 0x03, 0x65, 0x3b, 0x18,7114
+ 0x61, 0xe3, 0xd1, 0xda, 0xcc, 0x4a, 0xfe, 0x55, 0x38, 0xf8, 0x21, 0x6b,7115
+ 0xfa, 0x18, 0x01, 0x42, 0x39, 0x2f, 0x99, 0x53, 0x38, 0x15, 0x82, 0x34,7116
+ 0xc5, 0x93, 0x92, 0xbc, 0x4d, 0x75, 0x1a, 0x5f, 0x21, 0x27, 0xcc, 0xa1,7117
+ 0xb1, 0x57, 0x69, 0xe87118
+};7119
+7120
+__fips_constseg static const unsigned char hmac_sha512_entropyinputreseed[] = {7121
+ 0x8c, 0x52, 0x7e, 0x77, 0x72, 0x3f, 0xa3, 0x04, 0x97, 0x10, 0x9b, 0x41,7122
+ 0xbd, 0xe8, 0xff, 0x89, 0xed, 0x80, 0xe3, 0xbd, 0xaa, 0x12, 0x2d, 0xca,7123
+ 0x75, 0x82, 0x36, 0x77, 0x88, 0xcd, 0xa6, 0x737124
+};7125
+7126
+__fips_constseg7127
+ static const unsigned char hmac_sha512_additionalinputreseed[] = {7128
+ 0x7e, 0x32, 0xe3, 0x69, 0x69, 0x07, 0x34, 0xa2, 0x16, 0xa2, 0x5d, 0x1a,7129
+ 0x10, 0x91, 0xd3, 0xe2, 0x21, 0xa2, 0xa3, 0xdd, 0xcd, 0x0c, 0x09, 0x86,7130
+ 0x11, 0xe1, 0x50, 0xff, 0x5c, 0xb7, 0xeb, 0x5c7131
+};7132
+7133
+__fips_constseg static const unsigned char hmac_sha512_additionalinput2[] = {7134
+ 0x7f, 0x78, 0x66, 0xd8, 0xfb, 0x67, 0xcf, 0x8d, 0x8c, 0x08, 0x30, 0xa5,7135
+ 0xf8, 0x7d, 0xcf, 0x44, 0x59, 0xce, 0xf8, 0xdf, 0x58, 0xd3, 0x60, 0xcb,7136
+ 0xa8, 0x60, 0xb9, 0x07, 0xc4, 0xb1, 0x95, 0x487137
+};7138
+7139
+__fips_constseg static const unsigned char hmac_sha512_returnedbits[] = {7140
+ 0xdf, 0xa7, 0x36, 0xd4, 0xdc, 0x5d, 0x4d, 0x31, 0xad, 0x69, 0x46, 0x9f,7141
+ 0xf1, 0x7c, 0xd7, 0x3b, 0x4f, 0x55, 0xf2, 0xd7, 0xb9, 0x9d, 0xad, 0x7a,7142
+ 0x79, 0x08, 0x59, 0xa5, 0xdc, 0x74, 0xf5, 0x9b, 0x73, 0xd2, 0x13, 0x25,7143
+ 0x0b, 0x81, 0x08, 0x08, 0x25, 0xfb, 0x39, 0xf2, 0xf0, 0xa3, 0xa4, 0x8d,7144
+ 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79,7145
+ 0xc2, 0xd6, 0xfd, 0xa57146
+};7147
diff -up openssl-1.1.1j/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_dsa_selftest.c7148
--- openssl-1.1.1j/crypto/fips/fips_dsa_selftest.c.fips 2021-03-03 12:57:42.200734534 +01007149
+++ openssl-1.1.1j/crypto/fips/fips_dsa_selftest.c 2021-03-03 12:57:42.200734534 +01007150
7151
+/* ====================================================================7152
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.7153
+ *7154
+ * Redistribution and use in source and binary forms, with or without7155
+ * modification, are permitted provided that the following conditions7156
+ * are met:7157
+ *7158
+ * 1. Redistributions of source code must retain the above copyright7159
+ * notice, this list of conditions and the following disclaimer. 7160
+ *7161
+ * 2. Redistributions in binary form must reproduce the above copyright7162
+ * notice, this list of conditions and the following disclaimer in7163
+ * the documentation and/or other materials provided with the7164
+ * distribution.7165
+ *7166
+ * 3. All advertising materials mentioning features or use of this7167
+ * software must display the following acknowledgment:7168
+ * "This product includes software developed by the OpenSSL Project7169
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"7170
+ *7171
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to7172
+ * endorse or promote products derived from this software without7173
+ * prior written permission. For written permission, please contact7174
+ * openssl-core@openssl.org.7175
+ *7176
+ * 5. Products derived from this software may not be called "OpenSSL"7177
+ * nor may "OpenSSL" appear in their names without prior written7178
+ * permission of the OpenSSL Project.7179
+ *7180
+ * 6. Redistributions of any form whatsoever must retain the following7181
+ * acknowledgment:7182
+ * "This product includes software developed by the OpenSSL Project7183
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"7184
+ *7185
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY7186
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE7187
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR7188
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR7189
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,7190
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT7191
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;7192
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)7193
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,7194
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)7195
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED7196
+ * OF THE POSSIBILITY OF SUCH DAMAGE.7197
+ *7198
+ */7199
+7200
+#include <string.h>7201
+#include <openssl/crypto.h>7202
+#include <openssl/dsa.h>7203
+#include <openssl/fips.h>7204
+#include "crypto/fips.h"7205
+#include <openssl/err.h>7206
+#include <openssl/evp.h>7207
+#include <openssl/bn.h>7208
+#include "fips_locl.h"7209
+7210
+#ifdef OPENSSL_FIPS7211
+7212
+static const unsigned char dsa_test_2048_p[] = {7213
+ 0xa8, 0x53, 0x78, 0xd8, 0xfd, 0x3f, 0x8d, 0x72, 0xec, 0x74, 0x18, 0x08,7214
+ 0x0d, 0xa2, 0x13, 0x17, 0xe4, 0x3e, 0xc4, 0xb6, 0x2b, 0xa8, 0xc8, 0x62,7215
+ 0x3b, 0x7e, 0x4d, 0x04, 0x44, 0x1d, 0xd1, 0xa0, 0x65, 0x86, 0x62, 0x59,7216
+ 0x64, 0x93, 0xca, 0x8e, 0x9e, 0x8f, 0xbb, 0x7e, 0x34, 0xaa, 0xdd, 0xb6,7217
+ 0x2e, 0x5d, 0x67, 0xb6, 0xd0, 0x9a, 0x6e, 0x61, 0xb7, 0x69, 0xe7, 0xc3,7218
+ 0x52, 0xaa, 0x2b, 0x10, 0xe2, 0x0c, 0xa0, 0x63, 0x69, 0x63, 0xb5, 0x52,7219
+ 0x3e, 0x86, 0x47, 0x0d, 0xec, 0xbb, 0xed, 0xa0, 0x27, 0xe7, 0x97, 0xe7,7220
+ 0xb6, 0x76, 0x35, 0xd4, 0xd4, 0x9c, 0x30, 0x70, 0x0e, 0x74, 0xaf, 0x8a,7221
+ 0x0f, 0xf1, 0x56, 0xa8, 0x01, 0xaf, 0x57, 0xa2, 0x6e, 0x70, 0x78, 0xf1,7222
+ 0xd8, 0x2f, 0x74, 0x90, 0x8e, 0xcb, 0x6d, 0x07, 0xe7, 0x0b, 0x35, 0x03,7223
+ 0xee, 0xd9, 0x4f, 0xa3, 0x2c, 0xf1, 0x7a, 0x7f, 0xc3, 0xd6, 0xcf, 0x40,7224
+ 0xdc, 0x7b, 0x00, 0x83, 0x0e, 0x6a, 0x25, 0x66, 0xdc, 0x07, 0x3e, 0x34,7225
+ 0x33, 0x12, 0x51, 0x7c, 0x6a, 0xa5, 0x15, 0x2b, 0x4b, 0xfe, 0xcd, 0x2e,7226
+ 0x55, 0x1f, 0xee, 0x34, 0x63, 0x18, 0xa1, 0x53, 0x42, 0x3c, 0x99, 0x6b,7227
+ 0x0d, 0x5d, 0xcb, 0x91, 0x02, 0xae, 0xdd, 0x38, 0x79, 0x86, 0x16, 0xf1,7228
+ 0xf1, 0xe0, 0xd6, 0xc4, 0x03, 0x52, 0x5b, 0x1f, 0x9b, 0x3d, 0x4d, 0xc7,7229
+ 0x66, 0xde, 0x2d, 0xfc, 0x4a, 0x56, 0xd7, 0xb8, 0xba, 0x59, 0x63, 0xd6,7230
+ 0x0f, 0x3e, 0x16, 0x31, 0x88, 0x70, 0xad, 0x43, 0x69, 0x52, 0xe5, 0x57,7231
+ 0x65, 0x37, 0x4e, 0xab, 0x85, 0xe8, 0xec, 0x17, 0xd6, 0xb9, 0xa4, 0x54,7232
+ 0x7b, 0x9b, 0x5f, 0x27, 0x52, 0xf3, 0x10, 0x5b, 0xe8, 0x09, 0xb2, 0x3a,7233
+ 0x2c, 0x8d, 0x74, 0x69, 0xdb, 0x02, 0xe2, 0x4d, 0x59, 0x23, 0x94, 0xa7,7234
+ 0xdb, 0xa0, 0x69, 0xe97235
+};7236
+7237
+static const unsigned char dsa_test_2048_q[] = {7238
+ 0xd2, 0x77, 0x04, 0x4e, 0x50, 0xf5, 0xa4, 0xe3, 0xf5, 0x10, 0xa5, 0x0a,7239
+ 0x0b, 0x84, 0xfd, 0xff, 0xbc, 0xa0, 0x47, 0xed, 0x27, 0x60, 0x20, 0x56,7240
+ 0x74, 0x41, 0xa0, 0xa57241
+};7242
+7243
+static const unsigned char dsa_test_2048_g[] = {7244
+ 0x13, 0xd7, 0x54, 0xe2, 0x1f, 0xd2, 0x41, 0x65, 0x5d, 0xa8, 0x91, 0xc5,7245
+ 0x22, 0xa6, 0x5a, 0x72, 0xa8, 0x9b, 0xdc, 0x64, 0xec, 0x9b, 0x54, 0xa8,7246
+ 0x21, 0xed, 0x4a, 0x89, 0x8b, 0x49, 0x0e, 0x0c, 0x4f, 0xcb, 0x72, 0x19,7247
+ 0x2a, 0x4a, 0x20, 0xf5, 0x41, 0xf3, 0xf2, 0x92, 0x53, 0x99, 0xf0, 0xba,7248
+ 0xec, 0xf9, 0x29, 0xaa, 0xfb, 0xf7, 0x9d, 0xfe, 0x43, 0x32, 0x39, 0x3b,7249
+ 0x32, 0xcd, 0x2e, 0x2f, 0xcf, 0x27, 0x2f, 0x32, 0xa6, 0x27, 0x43, 0x4a,7250
+ 0x0d, 0xf2, 0x42, 0xb7, 0x5b, 0x41, 0x4d, 0xf3, 0x72, 0x12, 0x1e, 0x53,7251
+ 0xa5, 0x53, 0xf2, 0x22, 0xf8, 0x36, 0xb0, 0x00, 0xf0, 0x16, 0x48, 0x5b,7252
+ 0x6b, 0xd0, 0x89, 0x84, 0x51, 0x80, 0x1d, 0xcd, 0x8d, 0xe6, 0x4c, 0xd5,7253
+ 0x36, 0x56, 0x96, 0xff, 0xc5, 0x32, 0xd5, 0x28, 0xc5, 0x06, 0x62, 0x0a,7254
+ 0x94, 0x2a, 0x03, 0x05, 0x04, 0x6d, 0x8f, 0x18, 0x76, 0x34, 0x1f, 0x1e,7255
+ 0x57, 0x0b, 0xc3, 0x97, 0x4b, 0xa6, 0xb9, 0xa4, 0x38, 0xe9, 0x70, 0x23,7256
+ 0x02, 0xa2, 0xe6, 0xe6, 0x7b, 0xfd, 0x06, 0xd3, 0x2b, 0xc6, 0x79, 0x96,7257
+ 0x22, 0x71, 0xd7, 0xb4, 0x0c, 0xd7, 0x2f, 0x38, 0x6e, 0x64, 0xe0, 0xd7,7258
+ 0xef, 0x86, 0xca, 0x8c, 0xa5, 0xd1, 0x42, 0x28, 0xdc, 0x2a, 0x4f, 0x16,7259
+ 0xe3, 0x18, 0x98, 0x86, 0xb5, 0x99, 0x06, 0x74, 0xf4, 0x20, 0x0f, 0x3a,7260
+ 0x4c, 0xf6, 0x5a, 0x3f, 0x0d, 0xdb, 0xa1, 0xfa, 0x67, 0x2d, 0xff, 0x2f,7261
+ 0x5e, 0x14, 0x3d, 0x10, 0xe4, 0xe9, 0x7a, 0xe8, 0x4f, 0x6d, 0xa0, 0x95,7262
+ 0x35, 0xd5, 0xb9, 0xdf, 0x25, 0x91, 0x81, 0xa7, 0x9b, 0x63, 0xb0, 0x69,7263
+ 0xe9, 0x49, 0x97, 0x2b, 0x02, 0xba, 0x36, 0xb3, 0x58, 0x6a, 0xab, 0x7e,7264
+ 0x45, 0xf3, 0x22, 0xf8, 0x2e, 0x4e, 0x85, 0xca, 0x3a, 0xb8, 0x55, 0x91,7265
+ 0xb3, 0xc2, 0xa9, 0x667266
+};7267
+7268
+static const unsigned char dsa_test_2048_pub_key[] = {7269
+ 0x24, 0x52, 0xf3, 0xcc, 0xbe, 0x9e, 0xd5, 0xca, 0x7d, 0xc7, 0x4c, 0x60,7270
+ 0x2b, 0x99, 0x22, 0x6e, 0x8f, 0x2f, 0xab, 0x38, 0xe7, 0xd7, 0xdd, 0xfb,7271
+ 0x75, 0x53, 0x9b, 0x17, 0x15, 0x5e, 0x9f, 0xcf, 0xd1, 0xab, 0xa5, 0x64,7272
+ 0xeb, 0x85, 0x35, 0xd8, 0x12, 0xc9, 0xc2, 0xdc, 0xf9, 0x72, 0x84, 0x44,7273
+ 0x1b, 0xc4, 0x82, 0x24, 0x36, 0x24, 0xc7, 0xf4, 0x57, 0x58, 0x0c, 0x1c,7274
+ 0x38, 0xa5, 0x7c, 0x46, 0xc4, 0x57, 0x39, 0x24, 0x70, 0xed, 0xb5, 0x2c,7275
+ 0xb5, 0xa6, 0xe0, 0x3f, 0xe6, 0x28, 0x7b, 0xb6, 0xf4, 0x9a, 0x42, 0xa2,7276
+ 0x06, 0x5a, 0x05, 0x4f, 0x03, 0x08, 0x39, 0xdf, 0x1f, 0xd3, 0x14, 0x9c,7277
+ 0x4c, 0xa0, 0x53, 0x1d, 0xd8, 0xca, 0x8a, 0xaa, 0x9c, 0xc7, 0x33, 0x71,7278
+ 0x93, 0x38, 0x73, 0x48, 0x33, 0x61, 0x18, 0x22, 0x45, 0x45, 0xe8, 0x8c,7279
+ 0x80, 0xff, 0xd8, 0x76, 0x5d, 0x74, 0x36, 0x03, 0x33, 0xcc, 0xab, 0x99,7280
+ 0x72, 0x77, 0x9b, 0x65, 0x25, 0xa6, 0x5b, 0xdd, 0x0d, 0x10, 0xc6, 0x75,7281
+ 0xc1, 0x09, 0xbb, 0xd3, 0xe5, 0xbe, 0x4d, 0x72, 0xef, 0x6e, 0xba, 0x6e,7282
+ 0x43, 0x8d, 0x52, 0x26, 0x23, 0x7d, 0xb8, 0x88, 0x37, 0x9c, 0x5f, 0xcc,7283
+ 0x47, 0xa3, 0x84, 0x7f, 0xf6, 0x37, 0x11, 0xba, 0xed, 0x6d, 0x03, 0xaf,7284
+ 0xe8, 0x1e, 0x69, 0x4a, 0x41, 0x3b, 0x68, 0x0b, 0xd3, 0x8a, 0xb4, 0x90,7285
+ 0x3f, 0x83, 0x70, 0xa7, 0x07, 0xef, 0x55, 0x1d, 0x49, 0x41, 0x02, 0x6d,7286
+ 0x95, 0x79, 0xd6, 0x91, 0xde, 0x8e, 0xda, 0xa1, 0x61, 0x05, 0xeb, 0x9d,7287
+ 0xba, 0x3c, 0x2f, 0x4c, 0x1b, 0xec, 0x50, 0x82, 0x75, 0xaa, 0x02, 0x07,7288
+ 0xe2, 0x51, 0xb5, 0xec, 0xcb, 0x28, 0x6a, 0x4b, 0x01, 0xd4, 0x49, 0xd3,7289
+ 0x0a, 0xcb, 0x67, 0x37, 0x17, 0xa0, 0xd2, 0xfb, 0x3b, 0x50, 0xc8, 0x93,7290
+ 0xf7, 0xda, 0xb1, 0x4f7291
+};7292
+7293
+static const unsigned char dsa_test_2048_priv_key[] = {7294
+ 0x0c, 0x4b, 0x30, 0x89, 0xd1, 0xb8, 0x62, 0xcb, 0x3c, 0x43, 0x64, 0x91,7295
+ 0xf0, 0x91, 0x54, 0x70, 0xc5, 0x27, 0x96, 0xe3, 0xac, 0xbe, 0xe8, 0x00,7296
+ 0xec, 0x55, 0xf6, 0xcc7297
+};7298
+7299
+int FIPS_selftest_dsa()7300
+{7301
+ DSA *dsa = NULL;7302
+ EVP_PKEY *pk = NULL;7303
+ int ret = 0;7304
+ BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL;7305
+7306
+ fips_load_key_component(p, dsa_test_2048);7307
+ fips_load_key_component(q, dsa_test_2048);7308
+ fips_load_key_component(g, dsa_test_2048);7309
+ fips_load_key_component(pub_key, dsa_test_2048);7310
+ fips_load_key_component(priv_key, dsa_test_2048);7311
+7312
+ dsa = DSA_new();7313
+7314
+ if (dsa == NULL)7315
+ goto err;7316
+7317
+ DSA_set0_pqg(dsa, p, q, g);7318
+7319
+ DSA_set0_key(dsa, pub_key, priv_key);7320
+7321
+ if ((pk = EVP_PKEY_new()) == NULL)7322
+ goto err;7323
+7324
+ EVP_PKEY_assign_DSA(pk, dsa);7325
+7326
+ if (!fips_pkey_signature_test(pk, NULL, 0,7327
+ NULL, 0, EVP_sha256(), 0, "DSA SHA256"))7328
+ goto err;7329
+ ret = 1;7330
+7331
+ err:7332
+ if (pk)7333
+ EVP_PKEY_free(pk);7334
+ else if (dsa)7335
+ DSA_free(dsa);7336
+ else {7337
+ BN_free(p);7338
+ BN_free(q);7339
+ BN_free(g);7340
+ BN_free(pub_key);7341
+ BN_free(priv_key);7342
+ }7343
+ return ret;7344
+}7345
+#endif7346
diff -up openssl-1.1.1j/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_ecdh_selftest.c7347
--- openssl-1.1.1j/crypto/fips/fips_ecdh_selftest.c.fips 2021-03-03 12:57:42.200734534 +01007348
+++ openssl-1.1.1j/crypto/fips/fips_ecdh_selftest.c 2021-03-03 12:57:42.200734534 +01007349
7350
+/* fips/ecdh/fips_ecdh_selftest.c */7351
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL7352
+ * project 2011.7353
+ */7354
+/* ====================================================================7355
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.7356
+ *7357
+ * Redistribution and use in source and binary forms, with or without7358
+ * modification, are permitted provided that the following conditions7359
+ * are met:7360
+ *7361
+ * 1. Redistributions of source code must retain the above copyright7362
+ * notice, this list of conditions and the following disclaimer. 7363
+ *7364
+ * 2. Redistributions in binary form must reproduce the above copyright7365
+ * notice, this list of conditions and the following disclaimer in7366
+ * the documentation and/or other materials provided with the7367
+ * distribution.7368
+ *7369
+ * 3. All advertising materials mentioning features or use of this7370
+ * software must display the following acknowledgment:7371
+ * "This product includes software developed by the OpenSSL Project7372
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"7373
+ *7374
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to7375
+ * endorse or promote products derived from this software without7376
+ * prior written permission. For written permission, please contact7377
+ * licensing@OpenSSL.org.7378
+ *7379
+ * 5. Products derived from this software may not be called "OpenSSL"7380
+ * nor may "OpenSSL" appear in their names without prior written7381
+ * permission of the OpenSSL Project.7382
+ *7383
+ * 6. Redistributions of any form whatsoever must retain the following7384
+ * acknowledgment:7385
+ * "This product includes software developed by the OpenSSL Project7386
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"7387
+ *7388
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY7389
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE7390
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR7391
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR7392
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,7393
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT7394
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;7395
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)7396
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,7397
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)7398
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED7399
+ * OF THE POSSIBILITY OF SUCH DAMAGE.7400
+ * ====================================================================7401
+ *7402
+ */7403
+7404
+#define OPENSSL_FIPSAPI7405
+7406
+#include <string.h>7407
+#include <openssl/crypto.h>7408
+#include <openssl/ec.h>7409
+#include <openssl/ecdh.h>7410
+#include <openssl/fips.h>7411
+#include <openssl/err.h>7412
+#include <openssl/evp.h>7413
+#include <openssl/bn.h>7414
+7415
+#ifdef OPENSSL_FIPS7416
+7417
+# include "fips_locl.h"7418
+7419
+static const unsigned char p256_qcavsx[] = {7420
+ 0x52, 0xc6, 0xa5, 0x75, 0xf3, 0x04, 0x98, 0xb3, 0x29, 0x66, 0x0c, 0x62,7421
+ 0x18, 0x60, 0x55, 0x41, 0x59, 0xd4, 0x60, 0x85, 0x99, 0xc1, 0x51, 0x13,7422
+ 0x6f, 0x97, 0x85, 0x93, 0x33, 0x34, 0x07, 0x507423
+};7424
+7425
+static const unsigned char p256_qcavsy[] = {7426
+ 0x6f, 0x69, 0x24, 0xeb, 0xe9, 0x3b, 0xa7, 0xcc, 0x47, 0x17, 0xaa, 0x3f,7427
+ 0x70, 0xfc, 0x10, 0x73, 0x0a, 0xcd, 0x21, 0xee, 0x29, 0x19, 0x1f, 0xaf,7428
+ 0xb4, 0x1c, 0x1e, 0xc2, 0x8e, 0x97, 0x81, 0x6e7429
+};7430
+7431
+static const unsigned char p256_qiutx[] = {7432
+ 0x71, 0x46, 0x88, 0x08, 0x92, 0x21, 0x1b, 0x10, 0x21, 0x74, 0xff, 0x0c,7433
+ 0x94, 0xde, 0x34, 0x7c, 0x86, 0x74, 0xbe, 0x67, 0x41, 0x68, 0xd4, 0xc1,7434
+ 0xe5, 0x75, 0x63, 0x9c, 0xa7, 0x46, 0x93, 0x6f7435
+};7436
+7437
+static const unsigned char p256_qiuty[] = {7438
+ 0x33, 0x40, 0xa9, 0x6a, 0xf5, 0x20, 0xb5, 0x9e, 0xfc, 0x60, 0x1a, 0xae,7439
+ 0x3d, 0xf8, 0x21, 0xd2, 0xa7, 0xca, 0x52, 0x34, 0xb9, 0x5f, 0x27, 0x75,7440
+ 0x6c, 0x81, 0xbe, 0x32, 0x4d, 0xba, 0xbb, 0xf87441
+};7442
+7443
+static const unsigned char p256_qiutd[] = {7444
+ 0x1a, 0x48, 0x55, 0x6b, 0x11, 0xbe, 0x92, 0xd4, 0x1c, 0xd7, 0x45, 0xc3,7445
+ 0x82, 0x81, 0x51, 0xf1, 0x23, 0x40, 0xb7, 0x83, 0xfd, 0x01, 0x6d, 0xbc,7446
+ 0xa1, 0x66, 0xaf, 0x0a, 0x03, 0x23, 0xcd, 0xc87447
+};7448
+7449
+static const unsigned char p256_ziut[] = {7450
+ 0x77, 0x2a, 0x1e, 0x37, 0xee, 0xe6, 0x51, 0x02, 0x71, 0x40, 0xf8, 0x6a,7451
+ 0x36, 0xf8, 0x65, 0x61, 0x2b, 0x18, 0x71, 0x82, 0x23, 0xe6, 0xf2, 0x77,7452
+ 0xce, 0xec, 0xb8, 0x49, 0xc7, 0xbf, 0x36, 0x4f7453
+};7454
+7455
+typedef struct {7456
+ int curve;7457
+ const unsigned char *x1;7458
+ size_t x1len;7459
+ const unsigned char *y1;7460
+ size_t y1len;7461
+ const unsigned char *d1;7462
+ size_t d1len;7463
+ const unsigned char *x2;7464
+ size_t x2len;7465
+ const unsigned char *y2;7466
+ size_t y2len;7467
+ const unsigned char *z;7468
+ size_t zlen;7469
+} ECDH_SELFTEST_DATA;7470
+7471
+# define make_ecdh_test(nid, pr) { nid, \7472
+ pr##_qiutx, sizeof(pr##_qiutx), \7473
+ pr##_qiuty, sizeof(pr##_qiuty), \7474
+ pr##_qiutd, sizeof(pr##_qiutd), \7475
+ pr##_qcavsx, sizeof(pr##_qcavsx), \7476
+ pr##_qcavsy, sizeof(pr##_qcavsy), \7477
+ pr##_ziut, sizeof(pr##_ziut) }7478
+7479
+static ECDH_SELFTEST_DATA test_ecdh_data[] = {7480
+ make_ecdh_test(NID_X9_62_prime256v1, p256),7481
+};7482
+7483
+int FIPS_selftest_ecdh(void)7484
+{7485
+ EC_KEY *ec1 = NULL, *ec2 = NULL;7486
+ const EC_POINT *ecp = NULL;7487
+ BIGNUM *x = NULL, *y = NULL, *d = NULL;7488
+ unsigned char *ztmp = NULL;7489
+ int rv = 1;7490
+ size_t i;7491
+7492
+ for (i = 0; i < sizeof(test_ecdh_data) / sizeof(ECDH_SELFTEST_DATA); i++) {7493
+ ECDH_SELFTEST_DATA *ecd = test_ecdh_data + i;7494
+ if (!fips_post_started(FIPS_TEST_ECDH, ecd->curve, 0))7495
+ continue;7496
+ ztmp = OPENSSL_malloc(ecd->zlen);7497
+7498
+ x = BN_bin2bn(ecd->x1, ecd->x1len, x);7499
+ y = BN_bin2bn(ecd->y1, ecd->y1len, y);7500
+ d = BN_bin2bn(ecd->d1, ecd->d1len, d);7501
+7502
+ if (!x || !y || !d || !ztmp) {7503
+ rv = 0;7504
+ goto err;7505
+ }7506
+7507
+ ec1 = EC_KEY_new_by_curve_name(ecd->curve);7508
+ if (!ec1) {7509
+ rv = 0;7510
+ goto err;7511
+ }7512
+ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);7513
+7514
+ if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) {7515
+ rv = 0;7516
+ goto err;7517
+ }7518
+7519
+ if (!EC_KEY_set_private_key(ec1, d)) {7520
+ rv = 0;7521
+ goto err;7522
+ }7523
+7524
+ x = BN_bin2bn(ecd->x2, ecd->x2len, x);7525
+ y = BN_bin2bn(ecd->y2, ecd->y2len, y);7526
+7527
+ if (!x || !y) {7528
+ rv = 0;7529
+ goto err;7530
+ }7531
+7532
+ ec2 = EC_KEY_new_by_curve_name(ecd->curve);7533
+ if (!ec2) {7534
+ rv = 0;7535
+ goto err;7536
+ }7537
+ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);7538
+7539
+ if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) {7540
+ rv = 0;7541
+ goto err;7542
+ }7543
+7544
+ ecp = EC_KEY_get0_public_key(ec2);7545
+ if (!ecp) {7546
+ rv = 0;7547
+ goto err;7548
+ }7549
+7550
+ if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) {7551
+ rv = 0;7552
+ goto err;7553
+ }7554
+7555
+ if (!fips_post_corrupt(FIPS_TEST_ECDH, ecd->curve, NULL))7556
+ ztmp[0] ^= 0x1;7557
+7558
+ if (memcmp(ztmp, ecd->z, ecd->zlen)) {7559
+ fips_post_failed(FIPS_TEST_ECDH, ecd->curve, 0);7560
+ rv = 0;7561
+ } else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0))7562
+ goto err;7563
+7564
+ EC_KEY_free(ec1);7565
+ ec1 = NULL;7566
+ EC_KEY_free(ec2);7567
+ ec2 = NULL;7568
+ OPENSSL_free(ztmp);7569
+ ztmp = NULL;7570
+ }7571
+7572
+ err:7573
+7574
+ if (x)7575
+ BN_clear_free(x);7576
+ if (y)7577
+ BN_clear_free(y);7578
+ if (d)7579
+ BN_clear_free(d);7580
+ if (ec1)7581
+ EC_KEY_free(ec1);7582
+ if (ec2)7583
+ EC_KEY_free(ec2);7584
+ if (ztmp)7585
+ OPENSSL_free(ztmp);7586
+7587
+ return rv;7588
+7589
+}7590
+7591
+#endif7592
diff -up openssl-1.1.1j/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_ecdsa_selftest.c7593
--- openssl-1.1.1j/crypto/fips/fips_ecdsa_selftest.c.fips 2021-03-03 12:57:42.200734534 +01007594
+++ openssl-1.1.1j/crypto/fips/fips_ecdsa_selftest.c 2021-03-03 12:57:42.200734534 +01007595
7596
+/* fips/ecdsa/fips_ecdsa_selftest.c */7597
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL7598
+ * project 2011.7599
+ */7600
+/* ====================================================================7601
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.7602
+ *7603
+ * Redistribution and use in source and binary forms, with or without7604
+ * modification, are permitted provided that the following conditions7605
+ * are met:7606
+ *7607
+ * 1. Redistributions of source code must retain the above copyright7608
+ * notice, this list of conditions and the following disclaimer. 7609
+ *7610
+ * 2. Redistributions in binary form must reproduce the above copyright7611
+ * notice, this list of conditions and the following disclaimer in7612
+ * the documentation and/or other materials provided with the7613
+ * distribution.7614
+ *7615
+ * 3. All advertising materials mentioning features or use of this7616
+ * software must display the following acknowledgment:7617
+ * "This product includes software developed by the OpenSSL Project7618
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"7619
+ *7620
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to7621
+ * endorse or promote products derived from this software without7622
+ * prior written permission. For written permission, please contact7623
+ * licensing@OpenSSL.org.7624
+ *7625
+ * 5. Products derived from this software may not be called "OpenSSL"7626
+ * nor may "OpenSSL" appear in their names without prior written7627
+ * permission of the OpenSSL Project.7628
+ *7629
+ * 6. Redistributions of any form whatsoever must retain the following7630
+ * acknowledgment:7631
+ * "This product includes software developed by the OpenSSL Project7632
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"7633
+ *7634
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY7635
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE7636
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR7637
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR7638
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,7639
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT7640
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;7641
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)7642
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,7643
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)7644
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED7645
+ * OF THE POSSIBILITY OF SUCH DAMAGE.7646
+ * ====================================================================7647
+ *7648
+ */7649
+7650
+#define OPENSSL_FIPSAPI7651
+7652
+#include <string.h>7653
+#include <openssl/crypto.h>7654
+#include <openssl/ec.h>7655
+#include <openssl/ecdsa.h>7656
+#include <openssl/fips.h>7657
+#include "crypto/fips.h"7658
+#include <openssl/err.h>7659
+#include <openssl/evp.h>7660
+#include <openssl/bn.h>7661
+7662
+#ifdef OPENSSL_FIPS7663
+7664
+static const char P_256_name[] = "ECDSA P-256";7665
+7666
+static const unsigned char P_256_d[] = {7667
+ 0x51, 0xbd, 0x06, 0xa1, 0x1c, 0xda, 0xe2, 0x12, 0x99, 0xc9, 0x52, 0x3f,7668
+ 0xea, 0xa4, 0xd2, 0xd1, 0xf4, 0x7f, 0xd4, 0x3e, 0xbd, 0xf8, 0xfc, 0x87,7669
+ 0xdc, 0x82, 0x53, 0x21, 0xee, 0xa0, 0xdc, 0x647670
+};7671
+7672
+static const unsigned char P_256_qx[] = {7673
+ 0x23, 0x89, 0xe0, 0xf4, 0x69, 0xe0, 0x49, 0xe5, 0xc7, 0xe5, 0x40, 0x6e,7674
+ 0x8f, 0x25, 0xdd, 0xad, 0x11, 0x16, 0x14, 0x9b, 0xab, 0x44, 0x06, 0x31,7675
+ 0xbf, 0x5e, 0xa6, 0x44, 0xac, 0x86, 0x00, 0x077676
+};7677
+7678
+static const unsigned char P_256_qy[] = {7679
+ 0xb3, 0x05, 0x0d, 0xd0, 0xdc, 0xf7, 0x40, 0xe6, 0xf9, 0xd8, 0x6d, 0x7b,7680
+ 0x63, 0xca, 0x97, 0xe6, 0x12, 0xf9, 0xd4, 0x18, 0x59, 0xbe, 0xb2, 0x5e,7681
+ 0x4a, 0x6a, 0x77, 0x23, 0xf4, 0x11, 0x9d, 0xeb7682
+};7683
+7684
+typedef struct {7685
+ int curve;7686
+ const char *name;7687
+ const unsigned char *x;7688
+ size_t xlen;7689
+ const unsigned char *y;7690
+ size_t ylen;7691
+ const unsigned char *d;7692
+ size_t dlen;7693
+} EC_SELFTEST_DATA;7694
+7695
+# define make_ecdsa_test(nid, pr) { nid, pr##_name, \7696
+ pr##_qx, sizeof(pr##_qx), \7697
+ pr##_qy, sizeof(pr##_qy), \7698
+ pr##_d, sizeof(pr##_d)}7699
+7700
+static EC_SELFTEST_DATA test_ec_data[] = {7701
+ make_ecdsa_test(NID_X9_62_prime256v1, P_256),7702
+};7703
+7704
+int FIPS_selftest_ecdsa()7705
+{7706
+ EC_KEY *ec = NULL;7707
+ BIGNUM *x = NULL, *y = NULL, *d = NULL;7708
+ EVP_PKEY *pk = NULL;7709
+ int rv = 0;7710
+ size_t i;7711
+7712
+ for (i = 0; i < sizeof(test_ec_data) / sizeof(EC_SELFTEST_DATA); i++) {7713
+ EC_SELFTEST_DATA *ecd = test_ec_data + i;7714
+7715
+ x = BN_bin2bn(ecd->x, ecd->xlen, x);7716
+ y = BN_bin2bn(ecd->y, ecd->ylen, y);7717
+ d = BN_bin2bn(ecd->d, ecd->dlen, d);7718
+7719
+ if (!x || !y || !d)7720
+ goto err;7721
+7722
+ ec = EC_KEY_new_by_curve_name(ecd->curve);7723
+ if (!ec)7724
+ goto err;7725
+7726
+ if (!EC_KEY_set_public_key_affine_coordinates(ec, x, y))7727
+ goto err;7728
+7729
+ if (!EC_KEY_set_private_key(ec, d))7730
+ goto err;7731
+7732
+ if ((pk = EVP_PKEY_new()) == NULL)7733
+ goto err;7734
+7735
+ EVP_PKEY_assign_EC_KEY(pk, ec);7736
+7737
+ if (!fips_pkey_signature_test(pk, NULL, 0,7738
+ NULL, 0, EVP_sha256(), 0, ecd->name))7739
+ goto err;7740
+ }7741
+7742
+ rv = 1;7743
+7744
+ err:7745
+7746
+ if (x)7747
+ BN_clear_free(x);7748
+ if (y)7749
+ BN_clear_free(y);7750
+ if (d)7751
+ BN_clear_free(d);7752
+ if (pk)7753
+ EVP_PKEY_free(pk);7754
+ else if (ec)7755
+ EC_KEY_free(ec);7756
+7757
+ return rv;7758
+7759
+}7760
+7761
+#endif7762
diff -up openssl-1.1.1j/crypto/fips/fips_err.h.fips openssl-1.1.1j/crypto/fips/fips_err.h7763
--- openssl-1.1.1j/crypto/fips/fips_err.h.fips 2021-03-03 12:57:42.201734542 +01007764
+++ openssl-1.1.1j/crypto/fips/fips_err.h 2021-03-03 12:57:42.201734542 +01007765
7766
+/* crypto/fips_err.h */7767
+/* ====================================================================7768
+ * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.7769
+ *7770
+ * Redistribution and use in source and binary forms, with or without7771
+ * modification, are permitted provided that the following conditions7772
+ * are met:7773
+ *7774
+ * 1. Redistributions of source code must retain the above copyright7775
+ * notice, this list of conditions and the following disclaimer.7776
+ *7777
+ * 2. Redistributions in binary form must reproduce the above copyright7778
+ * notice, this list of conditions and the following disclaimer in7779
+ * the documentation and/or other materials provided with the7780
+ * distribution.7781
+ *7782
+ * 3. All advertising materials mentioning features or use of this7783
+ * software must display the following acknowledgment:7784
+ * "This product includes software developed by the OpenSSL Project7785
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"7786
+ *7787
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to7788
+ * endorse or promote products derived from this software without7789
+ * prior written permission. For written permission, please contact7790
+ * openssl-core@OpenSSL.org.7791
+ *7792
+ * 5. Products derived from this software may not be called "OpenSSL"7793
+ * nor may "OpenSSL" appear in their names without prior written7794
+ * permission of the OpenSSL Project.7795
+ *7796
+ * 6. Redistributions of any form whatsoever must retain the following7797
+ * acknowledgment:7798
+ * "This product includes software developed by the OpenSSL Project7799
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"7800
+ *7801
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY7802
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE7803
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR7804
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR7805
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,7806
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT7807
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;7808
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)7809
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,7810
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)7811
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED7812
+ * OF THE POSSIBILITY OF SUCH DAMAGE.7813
+ * ====================================================================7814
+ *7815
+ * This product includes cryptographic software written by Eric Young7816
+ * (eay@cryptsoft.com). This product includes software written by Tim7817
+ * Hudson (tjh@cryptsoft.com).7818
+ *7819
+ */7820
+7821
+/*7822
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes7823
+ * made to it will be overwritten when the script next updates this file,7824
+ * only reason strings will be preserved.7825
+ */7826
+7827
+#include <stdio.h>7828
+#include <openssl/err.h>7829
+#include <openssl/fips.h>7830
+7831
+/* BEGIN ERROR CODES */7832
+#ifndef OPENSSL_NO_ERR7833
+7834
+# define ERR_FUNC(func) ERR_PACK(ERR_LIB_FIPS,func,0)7835
+# define ERR_REASON(reason) ERR_PACK(ERR_LIB_FIPS,0,reason)7836
+7837
+static ERR_STRING_DATA FIPS_str_functs[] = {7838
+ {ERR_FUNC(FIPS_F_DH_BUILTIN_GENPARAMS), "dh_builtin_genparams"},7839
+ {ERR_FUNC(FIPS_F_DRBG_RESEED), "drbg_reseed"},7840
+ {ERR_FUNC(FIPS_F_DSA_BUILTIN_PARAMGEN2), "dsa_builtin_paramgen2"},7841
+ {ERR_FUNC(FIPS_F_DSA_DO_SIGN), "DSA_do_sign"},7842
+ {ERR_FUNC(FIPS_F_DSA_DO_VERIFY), "DSA_do_verify"},7843
+ {ERR_FUNC(FIPS_F_ECDH_COMPUTE_KEY), "ECDH_compute_key"},7844
+ {ERR_FUNC(FIPS_F_EVP_CIPHER_CTX_NEW), "EVP_CIPHER_CTX_new"},7845
+ {ERR_FUNC(FIPS_F_EVP_CIPHER_CTX_RESET), "EVP_CIPHER_CTX_reset"},7846
+ {ERR_FUNC(FIPS_F_FIPS_CHECK_DSA), "fips_check_dsa"},7847
+ {ERR_FUNC(FIPS_F_FIPS_CHECK_EC), "fips_check_ec"},7848
+ {ERR_FUNC(FIPS_F_FIPS_CHECK_RSA), "fips_check_rsa"},7849
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_BYTES), "fips_drbg_bytes"},7850
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_CHECK), "fips_drbg_check"},7851
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_CPRNG_TEST), "fips_drbg_cprng_test"},7852
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_ERROR_CHECK), "fips_drbg_error_check"},7853
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_GENERATE), "FIPS_drbg_generate"},7854
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_INIT), "FIPS_drbg_init"},7855
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_INSTANTIATE), "FIPS_drbg_instantiate"},7856
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_NEW), "FIPS_drbg_new"},7857
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_RESEED), "FIPS_drbg_reseed"},7858
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_SINGLE_KAT), "FIPS_DRBG_SINGLE_KAT"},7859
+ {ERR_FUNC(FIPS_F_FIPS_GET_ENTROPY), "fips_get_entropy"},7860
+ {ERR_FUNC(FIPS_F_FIPS_MODULE_MODE_SET), "FIPS_module_mode_set"},7861
+ {ERR_FUNC(FIPS_F_FIPS_PKEY_SIGNATURE_TEST), "fips_pkey_signature_test"},7862
+ {ERR_FUNC(FIPS_F_FIPS_RAND_BYTES), "FIPS_rand_bytes"},7863
+ {ERR_FUNC(FIPS_F_FIPS_RAND_SEED), "FIPS_rand_seed"},7864
+ {ERR_FUNC(FIPS_F_FIPS_RAND_SET_METHOD), "FIPS_rand_set_method"},7865
+ {ERR_FUNC(FIPS_F_FIPS_RAND_STATUS), "FIPS_rand_status"},7866
+ {ERR_FUNC(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN), "fips_rsa_builtin_keygen"},7867
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST), "FIPS_selftest"},7868
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES), "FIPS_selftest_aes"},7869
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_CCM), "FIPS_selftest_aes_ccm"},7870
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_GCM), "FIPS_selftest_aes_gcm"},7871
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_XTS), "FIPS_selftest_aes_xts"},7872
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_CMAC), "FIPS_selftest_cmac"},7873
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DES), "FIPS_selftest_des"},7874
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"},7875
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"},7876
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"},7877
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"},7878
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"},7879
+ {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"},7880
+ {ERR_FUNC(FIPS_F_OSSL_ECDSA_VERIFY_SIG), "ossl_ecdsa_verify_sig"},7881
+ {ERR_FUNC(FIPS_F_RSA_BUILTIN_KEYGEN), "rsa_builtin_keygen"},7882
+ {ERR_FUNC(FIPS_F_RSA_OSSL_INIT), "rsa_ossl_init"},7883
+ {ERR_FUNC(FIPS_F_RSA_OSSL_PRIVATE_DECRYPT), "rsa_ossl_private_decrypt"},7884
+ {ERR_FUNC(FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT), "rsa_ossl_private_encrypt"},7885
+ {ERR_FUNC(FIPS_F_RSA_OSSL_PUBLIC_DECRYPT), "rsa_ossl_public_decrypt"},7886
+ {ERR_FUNC(FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT), "rsa_ossl_public_encrypt"},7887
+ {0, NULL}7888
+};7889
+7890
+static ERR_STRING_DATA FIPS_str_reasons[] = {7891
+ {ERR_REASON(FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED),7892
+ "additional input error undetected"},7893
+ {ERR_REASON(FIPS_R_ADDITIONAL_INPUT_TOO_LONG),7894
+ "additional input too long"},7895
+ {ERR_REASON(FIPS_R_ALREADY_INSTANTIATED), "already instantiated"},7896
+ {ERR_REASON(FIPS_R_DRBG_NOT_INITIALISED), "drbg not initialised"},7897
+ {ERR_REASON(FIPS_R_DRBG_STUCK), "drbg stuck"},7898
+ {ERR_REASON(FIPS_R_ENTROPY_ERROR_UNDETECTED), "entropy error undetected"},7899
+ {ERR_REASON(FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED),7900
+ "entropy not requested for reseed"},7901
+ {ERR_REASON(FIPS_R_ENTROPY_SOURCE_STUCK), "entropy source stuck"},7902
+ {ERR_REASON(FIPS_R_ERROR_INITIALISING_DRBG), "error initialising drbg"},7903
+ {ERR_REASON(FIPS_R_ERROR_INSTANTIATING_DRBG), "error instantiating drbg"},7904
+ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT),7905
+ "error retrieving additional input"},7906
+ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ENTROPY), "error retrieving entropy"},7907
+ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_NONCE), "error retrieving nonce"},7908
+ {ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH),7909
+ "fingerprint does not match"},7910
+ {ERR_REASON(FIPS_R_FIPS_MODE_ALREADY_SET), "fips mode already set"},7911
+ {ERR_REASON(FIPS_R_FIPS_SELFTEST_FAILED), "fips selftest failed"},7912
+ {ERR_REASON(FIPS_R_FUNCTION_ERROR), "function error"},7913
+ {ERR_REASON(FIPS_R_GENERATE_ERROR), "generate error"},7914
+ {ERR_REASON(FIPS_R_GENERATE_ERROR_UNDETECTED),7915
+ "generate error undetected"},7916
+ {ERR_REASON(FIPS_R_INSTANTIATE_ERROR), "instantiate error"},7917
+ {ERR_REASON(FIPS_R_INTERNAL_ERROR), "internal error"},7918
+ {ERR_REASON(FIPS_R_INVALID_KEY_LENGTH), "invalid key length"},7919
+ {ERR_REASON(FIPS_R_IN_ERROR_STATE), "in error state"},7920
+ {ERR_REASON(FIPS_R_KEY_TOO_SHORT), "key too short"},7921
+ {ERR_REASON(FIPS_R_NONCE_ERROR_UNDETECTED), "nonce error undetected"},7922
+ {ERR_REASON(FIPS_R_NON_FIPS_METHOD), "non fips method"},7923
+ {ERR_REASON(FIPS_R_NOPR_TEST1_FAILURE), "nopr test1 failure"},7924
+ {ERR_REASON(FIPS_R_NOPR_TEST2_FAILURE), "nopr test2 failure"},7925
+ {ERR_REASON(FIPS_R_NOT_INSTANTIATED), "not instantiated"},7926
+ {ERR_REASON(FIPS_R_PAIRWISE_TEST_FAILED), "pairwise test failed"},7927
+ {ERR_REASON(FIPS_R_PERSONALISATION_ERROR_UNDETECTED),7928
+ "personalisation error undetected"},7929
+ {ERR_REASON(FIPS_R_PERSONALISATION_STRING_TOO_LONG),7930
+ "personalisation string too long"},7931
+ {ERR_REASON(FIPS_R_PR_TEST1_FAILURE), "pr test1 failure"},7932
+ {ERR_REASON(FIPS_R_PR_TEST2_FAILURE), "pr test2 failure"},7933
+ {ERR_REASON(FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED),7934
+ "request length error undetected"},7935
+ {ERR_REASON(FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG),7936
+ "request too large for drbg"},7937
+ {ERR_REASON(FIPS_R_RESEED_COUNTER_ERROR), "reseed counter error"},7938
+ {ERR_REASON(FIPS_R_RESEED_ERROR), "reseed error"},7939
+ {ERR_REASON(FIPS_R_SELFTEST_FAILED), "selftest failed"},7940
+ {ERR_REASON(FIPS_R_SELFTEST_FAILURE), "selftest failure"},7941
+ {ERR_REASON(FIPS_R_TEST_FAILURE), "test failure"},7942
+ {ERR_REASON(FIPS_R_UNINSTANTIATE_ERROR), "uninstantiate error"},7943
+ {ERR_REASON(FIPS_R_UNINSTANTIATE_ZEROISE_ERROR),7944
+ "uninstantiate zeroise error"},7945
+ {ERR_REASON(FIPS_R_UNSUPPORTED_DRBG_TYPE), "unsupported drbg type"},7946
+ {ERR_REASON(FIPS_R_UNSUPPORTED_PLATFORM), "unsupported platform"},7947
+ {0, NULL}7948
+};7949
+7950
+#endif7951
+7952
+int ERR_load_FIPS_strings(void)7953
+{7954
+#ifndef OPENSSL_NO_ERR7955
+7956
+ if (ERR_func_error_string(FIPS_str_functs[0].error) == NULL) {7957
+ ERR_load_strings(0, FIPS_str_functs);7958
+ ERR_load_strings(0, FIPS_str_reasons);7959
+ }7960
+#endif7961
+ return 1;7962
+}7963
diff -up openssl-1.1.1j/crypto/fips/fips_ers.c.fips openssl-1.1.1j/crypto/fips/fips_ers.c7964
--- openssl-1.1.1j/crypto/fips/fips_ers.c.fips 2021-03-03 12:57:42.201734542 +01007965
+++ openssl-1.1.1j/crypto/fips/fips_ers.c 2021-03-03 12:57:42.201734542 +01007966
7967
+#include <openssl/opensslconf.h>7968
+7969
+#ifdef OPENSSL_FIPS7970
+# include "fips_err.h"7971
+#else7972
+static void *dummy = &dummy;7973
+#endif7974
diff -up openssl-1.1.1j/crypto/fips/fips_hmac_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_hmac_selftest.c7975
--- openssl-1.1.1j/crypto/fips/fips_hmac_selftest.c.fips 2021-03-03 12:57:42.201734542 +01007976
+++ openssl-1.1.1j/crypto/fips/fips_hmac_selftest.c 2021-03-03 12:57:42.201734542 +01007977
7978
+/* ====================================================================7979
+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.7980
+ *7981
+ * Redistribution and use in source and binary forms, with or without7982
+ * modification, are permitted provided that the following conditions7983
+ * are met:7984
+ *7985
+ * 1. Redistributions of source code must retain the above copyright7986
+ * notice, this list of conditions and the following disclaimer. 7987
+ *7988
+ * 2. Redistributions in binary form must reproduce the above copyright7989
+ * notice, this list of conditions and the following disclaimer in7990
+ * the documentation and/or other materials provided with the7991
+ * distribution.7992
+ *7993
+ * 3. All advertising materials mentioning features or use of this7994
+ * software must display the following acknowledgment:7995
+ * "This product includes software developed by the OpenSSL Project7996
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"7997
+ *7998
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to7999
+ * endorse or promote products derived from this software without8000
+ * prior written permission. For written permission, please contact8001
+ * openssl-core@openssl.org.8002
+ *8003
+ * 5. Products derived from this software may not be called "OpenSSL"8004
+ * nor may "OpenSSL" appear in their names without prior written8005
+ * permission of the OpenSSL Project.8006
+ *8007
+ * 6. Redistributions of any form whatsoever must retain the following8008
+ * acknowledgment:8009
+ * "This product includes software developed by the OpenSSL Project8010
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"8011
+ *8012
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY8013
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE8014
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR8015
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR8016
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,8017
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT8018
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;8019
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)8020
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,8021
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)8022
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED8023
+ * OF THE POSSIBILITY OF SUCH DAMAGE.8024
+ *8025
+ */8026
+8027
+#include <string.h>8028
+#include <openssl/err.h>8029
+#ifdef OPENSSL_FIPS8030
+# include <openssl/fips.h>8031
+#endif8032
+#include <openssl/hmac.h>8033
+8034
+#ifdef OPENSSL_FIPS8035
+typedef struct {8036
+ const EVP_MD *(*alg) (void);8037
+ const char *key, *iv;8038
+ unsigned char kaval[EVP_MAX_MD_SIZE];8039
+} HMAC_KAT;8040
+8041
+static const HMAC_KAT vector[] = {8042
+ {EVP_sha1,8043
+ /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */8044
+ "0123456789:;<=>?@ABC",8045
+ "Sample #2",8046
+ {0x09, 0x22, 0xd3, 0x40, 0x5f, 0xaa, 0x3d, 0x19,8047
+ 0x4f, 0x82, 0xa4, 0x58, 0x30, 0x73, 0x7d, 0x5c,8048
+ 0xc6, 0xc7, 0x5d, 0x24}8049
+ },8050
+ {EVP_sha224,8051
+ /* just keep extending the above... */8052
+ "0123456789:;<=>?@ABC",8053
+ "Sample #2",8054
+ {0xdd, 0xef, 0x0a, 0x40, 0xcb, 0x7d, 0x50, 0xfb,8055
+ 0x6e, 0xe6, 0xce, 0xa1, 0x20, 0xba, 0x26, 0xaa,8056
+ 0x08, 0xf3, 0x07, 0x75, 0x87, 0xb8, 0xad, 0x1b,8057
+ 0x8c, 0x8d, 0x12, 0xc7}8058
+ },8059
+ {EVP_sha256,8060
+ "0123456789:;<=>?@ABC",8061
+ "Sample #2",8062
+ {0xb8, 0xf2, 0x0d, 0xb5, 0x41, 0xea, 0x43, 0x09,8063
+ 0xca, 0x4e, 0xa9, 0x38, 0x0c, 0xd0, 0xe8, 0x34,8064
+ 0xf7, 0x1f, 0xbe, 0x91, 0x74, 0xa2, 0x61, 0x38,8065
+ 0x0d, 0xc1, 0x7e, 0xae, 0x6a, 0x34, 0x51, 0xd9}8066
+ },8067
+ {EVP_sha384,8068
+ "0123456789:;<=>?@ABC",8069
+ "Sample #2",8070
+ {0x08, 0xbc, 0xb0, 0xda, 0x49, 0x1e, 0x87, 0xad,8071
+ 0x9a, 0x1d, 0x6a, 0xce, 0x23, 0xc5, 0x0b, 0xf6,8072
+ 0xb7, 0x18, 0x06, 0xa5, 0x77, 0xcd, 0x49, 0x04,8073
+ 0x89, 0xf1, 0xe6, 0x23, 0x44, 0x51, 0x51, 0x9f,8074
+ 0x85, 0x56, 0x80, 0x79, 0x0c, 0xbd, 0x4d, 0x50,8075
+ 0xa4, 0x5f, 0x29, 0xe3, 0x93, 0xf0, 0xe8, 0x7f}8076
+ },8077
+ {EVP_sha512,8078
+ "0123456789:;<=>?@ABC",8079
+ "Sample #2",8080
+ {0x80, 0x9d, 0x44, 0x05, 0x7c, 0x5b, 0x95, 0x41,8081
+ 0x05, 0xbd, 0x04, 0x13, 0x16, 0xdb, 0x0f, 0xac,8082
+ 0x44, 0xd5, 0xa4, 0xd5, 0xd0, 0x89, 0x2b, 0xd0,8083
+ 0x4e, 0x86, 0x64, 0x12, 0xc0, 0x90, 0x77, 0x68,8084
+ 0xf1, 0x87, 0xb7, 0x7c, 0x4f, 0xae, 0x2c, 0x2f,8085
+ 0x21, 0xa5, 0xb5, 0x65, 0x9a, 0x4f, 0x4b, 0xa7,8086
+ 0x47, 0x02, 0xa3, 0xde, 0x9b, 0x51, 0xf1, 0x45,8087
+ 0xbd, 0x4f, 0x25, 0x27, 0x42, 0x98, 0x99, 0x05}8088
+ },8089
+};8090
+8091
+int FIPS_selftest_hmac()8092
+{8093
+ int n;8094
+ unsigned int outlen;8095
+ unsigned char out[EVP_MAX_MD_SIZE];8096
+ const EVP_MD *md;8097
+ const HMAC_KAT *t;8098
+8099
+ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) {8100
+ md = (*t->alg) ();8101
+ HMAC(md, t->key, strlen(t->key),8102
+ (const unsigned char *)t->iv, strlen(t->iv), out, &outlen);8103
+8104
+ if (memcmp(out, t->kaval, outlen)) {8105
+ FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC, FIPS_R_SELFTEST_FAILED);8106
+ return 0;8107
+ }8108
+ }8109
+ return 1;8110
+}8111
+#endif8112
diff -up openssl-1.1.1j/crypto/fips/fips_locl.h.fips openssl-1.1.1j/crypto/fips/fips_locl.h8113
--- openssl-1.1.1j/crypto/fips/fips_locl.h.fips 2021-03-03 12:57:42.201734542 +01008114
+++ openssl-1.1.1j/crypto/fips/fips_locl.h 2021-03-03 12:57:42.201734542 +01008115
8116
+/* ====================================================================8117
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.8118
+ *8119
+ * Redistribution and use in source and binary forms, with or without8120
+ * modification, are permitted provided that the following conditions8121
+ * are met:8122
+ *8123
+ * 1. Redistributions of source code must retain the above copyright8124
+ * notice, this list of conditions and the following disclaimer. 8125
+ *8126
+ * 2. Redistributions in binary form must reproduce the above copyright8127
+ * notice, this list of conditions and the following disclaimer in8128
+ * the documentation and/or other materials provided with the8129
+ * distribution.8130
+ *8131
+ * 3. All advertising materials mentioning features or use of this8132
+ * software must display the following acknowledgment:8133
+ * "This product includes software developed by the OpenSSL Project8134
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"8135
+ *8136
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to8137
+ * endorse or promote products derived from this software without8138
+ * prior written permission. For written permission, please contact8139
+ * openssl-core@openssl.org.8140
+ *8141
+ * 5. Products derived from this software may not be called "OpenSSL"8142
+ * nor may "OpenSSL" appear in their names without prior written8143
+ * permission of the OpenSSL Project.8144
+ *8145
+ * 6. Redistributions of any form whatsoever must retain the following8146
+ * acknowledgment:8147
+ * "This product includes software developed by the OpenSSL Project8148
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"8149
+ *8150
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY8151
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE8152
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR8153
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR8154
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,8155
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT8156
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;8157
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)8158
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,8159
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)8160
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED8161
+ * OF THE POSSIBILITY OF SUCH DAMAGE.8162
+ *8163
+ */8164
+8165
+#ifdef OPENSSL_FIPS8166
+8167
+# ifdef __cplusplus8168
+extern "C" {8169
+# endif8170
+8171
+# define FIPS_MAX_CIPHER_TEST_SIZE 328172
+# define fips_load_key_component(comp, pre) \8173
+ comp = BN_bin2bn(pre##_##comp, sizeof(pre##_##comp), NULL); \8174
+ if (!comp) \8175
+ goto err8176
+8177
+# define fips_post_started(id, subid, ex) 18178
+# define fips_post_success(id, subid, ex) 18179
+# define fips_post_failed(id, subid, ex) 18180
+# define fips_post_corrupt(id, subid, ex) 18181
+# define fips_post_status() 18182
+8183
+# ifdef __cplusplus8184
+}8185
+# endif8186
+#endif8187
diff -up openssl-1.1.1j/crypto/fips/fips_post.c.fips openssl-1.1.1j/crypto/fips/fips_post.c8188
--- openssl-1.1.1j/crypto/fips/fips_post.c.fips 2021-03-03 12:57:42.201734542 +01008189
+++ openssl-1.1.1j/crypto/fips/fips_post.c 2021-03-03 12:57:42.201734542 +01008190
8191
+/* ====================================================================8192
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.8193
+ *8194
+ * Redistribution and use in source and binary forms, with or without8195
+ * modification, are permitted provided that the following conditions8196
+ * are met:8197
+ *8198
+ * 1. Redistributions of source code must retain the above copyright8199
+ * notice, this list of conditions and the following disclaimer. 8200
+ *8201
+ * 2. Redistributions in binary form must reproduce the above copyright8202
+ * notice, this list of conditions and the following disclaimer in8203
+ * the documentation and/or other materials provided with the8204
+ * distribution.8205
+ *8206
+ * 3. All advertising materials mentioning features or use of this8207
+ * software must display the following acknowledgment:8208
+ * "This product includes software developed by the OpenSSL Project8209
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"8210
+ *8211
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to8212
+ * endorse or promote products derived from this software without8213
+ * prior written permission. For written permission, please contact8214
+ * openssl-core@openssl.org.8215
+ *8216
+ * 5. Products derived from this software may not be called "OpenSSL"8217
+ * nor may "OpenSSL" appear in their names without prior written8218
+ * permission of the OpenSSL Project.8219
+ *8220
+ * 6. Redistributions of any form whatsoever must retain the following8221
+ * acknowledgment:8222
+ * "This product includes software developed by the OpenSSL Project8223
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"8224
+ *8225
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY8226
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE8227
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR8228
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR8229
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,8230
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT8231
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;8232
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)8233
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,8234
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)8235
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED8236
+ * OF THE POSSIBILITY OF SUCH DAMAGE.8237
+ *8238
+ */8239
+8240
+#define OPENSSL_FIPSAPI8241
+8242
+#include <openssl/crypto.h>8243
+#include <openssl/rand.h>8244
+#include <openssl/fips_rand.h>8245
+#include <openssl/err.h>8246
+#include <openssl/bio.h>8247
+#include <openssl/hmac.h>8248
+#include <openssl/rsa.h>8249
+#include <openssl/dsa.h>8250
+#include <openssl/evp.h>8251
+#include <string.h>8252
+#include <limits.h>8253
+8254
+#ifdef OPENSSL_FIPS8255
+8256
+/* Power on self test (POST) support functions */8257
+8258
+# include <openssl/fips.h>8259
+# include "crypto/fips.h"8260
+# include "fips_locl.h"8261
+8262
+/* Run all selftests */8263
+int FIPS_selftest(void)8264
+{8265
+ int rv = 1;8266
+ if (!FIPS_selftest_drbg())8267
+ rv = 0;8268
+ if (!FIPS_selftest_sha1())8269
+ rv = 0;8270
+ if (!FIPS_selftest_sha2())8271
+ rv = 0;8272
+ if (!FIPS_selftest_sha3())8273
+ rv = 0;8274
+ if (!FIPS_selftest_hmac())8275
+ rv = 0;8276
+ if (!FIPS_selftest_cmac())8277
+ rv = 0;8278
+ if (!FIPS_selftest_aes())8279
+ rv = 0;8280
+ if (!FIPS_selftest_aes_ccm())8281
+ rv = 0;8282
+ if (!FIPS_selftest_aes_gcm())8283
+ rv = 0;8284
+ if (!FIPS_selftest_aes_xts())8285
+ rv = 0;8286
+ if (!FIPS_selftest_des())8287
+ rv = 0;8288
+ if (!FIPS_selftest_rsa())8289
+ rv = 0;8290
+ if (!FIPS_selftest_ecdsa())8291
+ rv = 0;8292
+ if (!FIPS_selftest_dsa())8293
+ rv = 0;8294
+ if (!FIPS_selftest_dh())8295
+ rv = 0;8296
+ if (!FIPS_selftest_ecdh())8297
+ rv = 0;8298
+ return rv;8299
+}8300
+8301
+/* Generalized public key test routine. Signs and verifies the data8302
+ * supplied in tbs using mesage digest md and setting option digest8303
+ * flags md_flags. If the 'kat' parameter is not NULL it will8304
+ * additionally check the signature matches it: a known answer test8305
+ * The string "fail_str" is used for identification purposes in case8306
+ * of failure. If "pkey" is NULL just perform a message digest check.8307
+ */8308
+8309
+int fips_pkey_signature_test(EVP_PKEY *pkey,8310
+ const unsigned char *tbs, int tbslen,8311
+ const unsigned char *kat, unsigned int katlen,8312
+ const EVP_MD *digest, unsigned int flags,8313
+ const char *fail_str)8314
+{8315
+ int ret = 0;8316
+ unsigned char sigtmp[256], *sig = sigtmp;8317
+ size_t siglen = sizeof(sigtmp);8318
+ EVP_MD_CTX *mctx;8319
+ EVP_PKEY_CTX *pctx;8320
+8321
+ if (digest == NULL)8322
+ digest = EVP_sha256();8323
+8324
+ mctx = EVP_MD_CTX_new();8325
+8326
+ if ((EVP_PKEY_id(pkey) == EVP_PKEY_RSA)8327
+ && (RSA_size(EVP_PKEY_get0_RSA(pkey)) > sizeof(sigtmp))) {8328
+ sig = OPENSSL_malloc(RSA_size(EVP_PKEY_get0_RSA(pkey)));8329
+ siglen = RSA_size(EVP_PKEY_get0_RSA(pkey));8330
+ }8331
+ if (!sig || ! mctx) {8332
+ EVP_MD_CTX_free(mctx);8333
+ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, ERR_R_MALLOC_FAILURE);8334
+ return 0;8335
+ }8336
+8337
+ if (tbslen == -1)8338
+ tbslen = strlen((char *)tbs);8339
+8340
+ if (EVP_DigestSignInit(mctx, &pctx, digest, NULL, pkey) <= 0)8341
+ goto error;8342
+8343
+ if (flags == EVP_MD_CTX_FLAG_PAD_PSS) {8344
+ EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING);8345
+ EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 0);8346
+ }8347
+8348
+ if (EVP_DigestSignUpdate(mctx, tbs, tbslen) <= 0)8349
+ goto error;8350
+8351
+ if (EVP_DigestSignFinal(mctx, sig, &siglen) <= 0)8352
+ goto error;8353
+8354
+ if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen)))8355
+ goto error;8356
+8357
+ if (EVP_DigestVerifyInit(mctx, &pctx, digest, NULL, pkey) <= 0)8358
+ goto error;8359
+8360
+ if (flags == EVP_MD_CTX_FLAG_PAD_PSS) {8361
+ EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING);8362
+ EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 0);8363
+ }8364
+8365
+ if (EVP_DigestVerifyUpdate(mctx, tbs, tbslen) <= 0)8366
+ goto error;8367
+8368
+ ret = EVP_DigestVerifyFinal(mctx, sig, siglen);8369
+8370
+ error:8371
+ if (sig != sigtmp)8372
+ OPENSSL_free(sig);8373
+ EVP_MD_CTX_free(mctx);8374
+ if (ret <= 0) {8375
+ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, FIPS_R_TEST_FAILURE);8376
+ if (fail_str)8377
+ ERR_add_error_data(2, "Type=", fail_str);8378
+ return 0;8379
+ }8380
+ return 1;8381
+}8382
+8383
+/* Generalized symmetric cipher test routine. Encrypt data, verify result8384
+ * against known answer, decrypt and compare with original plaintext.8385
+ */8386
+8387
+int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,8388
+ const unsigned char *key,8389
+ const unsigned char *iv,8390
+ const unsigned char *plaintext,8391
+ const unsigned char *ciphertext, int len)8392
+{8393
+ unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE];8394
+ unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE];8395
+8396
+ OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE);8397
+ memset(pltmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);8398
+ memset(citmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);8399
+8400
+ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0)8401
+ return 0;8402
+ if (EVP_Cipher(ctx, citmp, plaintext, len) <= 0)8403
+ return 0;8404
+ if (memcmp(citmp, ciphertext, len))8405
+ return 0;8406
+ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0)8407
+ return 0;8408
+ if (EVP_Cipher(ctx, pltmp, citmp, len) <= 0)8409
+ return 0;8410
+ if (memcmp(pltmp, plaintext, len))8411
+ return 0;8412
+ return 1;8413
+}8414
+#endif8415
diff -up openssl-1.1.1j/crypto/fips/fips_rand_lcl.h.fips openssl-1.1.1j/crypto/fips/fips_rand_lcl.h8416
--- openssl-1.1.1j/crypto/fips/fips_rand_lcl.h.fips 2021-03-03 12:57:42.201734542 +01008417
+++ openssl-1.1.1j/crypto/fips/fips_rand_lcl.h 2021-03-03 12:57:42.201734542 +01008418
8419
+/* fips/rand/fips_rand_lcl.h */8420
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL8421
+ * project.8422
+ */8423
+/* ====================================================================8424
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.8425
+ *8426
+ * Redistribution and use in source and binary forms, with or without8427
+ * modification, are permitted provided that the following conditions8428
+ * are met:8429
+ *8430
+ * 1. Redistributions of source code must retain the above copyright8431
+ * notice, this list of conditions and the following disclaimer. 8432
+ *8433
+ * 2. Redistributions in binary form must reproduce the above copyright8434
+ * notice, this list of conditions and the following disclaimer in8435
+ * the documentation and/or other materials provided with the8436
+ * distribution.8437
+ *8438
+ * 3. All advertising materials mentioning features or use of this8439
+ * software must display the following acknowledgment:8440
+ * "This product includes software developed by the OpenSSL Project8441
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"8442
+ *8443
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to8444
+ * endorse or promote products derived from this software without8445
+ * prior written permission. For written permission, please contact8446
+ * licensing@OpenSSL.org.8447
+ *8448
+ * 5. Products derived from this software may not be called "OpenSSL"8449
+ * nor may "OpenSSL" appear in their names without prior written8450
+ * permission of the OpenSSL Project.8451
+ *8452
+ * 6. Redistributions of any form whatsoever must retain the following8453
+ * acknowledgment:8454
+ * "This product includes software developed by the OpenSSL Project8455
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"8456
+ *8457
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY8458
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE8459
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR8460
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR8461
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,8462
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT8463
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;8464
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)8465
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,8466
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)8467
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED8468
+ * OF THE POSSIBILITY OF SUCH DAMAGE.8469
+ * ====================================================================8470
+ */8471
+8472
+typedef struct drbg_hash_ctx_st DRBG_HASH_CTX;8473
+typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX;8474
+typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX;8475
+8476
+/* 888 bits from 10.1 table 2 */8477
+#define HASH_PRNG_MAX_SEEDLEN 1118478
+8479
+struct drbg_hash_ctx_st {8480
+ const EVP_MD *md;8481
+ EVP_MD_CTX *mctx;8482
+ unsigned char V[HASH_PRNG_MAX_SEEDLEN];8483
+ unsigned char C[HASH_PRNG_MAX_SEEDLEN];8484
+ /* Temporary value storage: should always exceed max digest length */8485
+ unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN];8486
+};8487
+8488
+struct drbg_hmac_ctx_st {8489
+ const EVP_MD *md;8490
+ HMAC_CTX *hctx;8491
+ unsigned char K[EVP_MAX_MD_SIZE];8492
+ unsigned char V[EVP_MAX_MD_SIZE];8493
+};8494
+8495
+struct drbg_ctr_ctx_st {8496
+ AES_KEY ks;8497
+ size_t keylen;8498
+ unsigned char K[32];8499
+ unsigned char V[16];8500
+ /* Temp variables used by derivation function */8501
+ AES_KEY df_ks;8502
+ AES_KEY df_kxks;8503
+ /* Temporary block storage used by ctr_df */8504
+ unsigned char bltmp[16];8505
+ size_t bltmp_pos;8506
+ unsigned char KX[48];8507
+};8508
+8509
+/* DRBG internal flags */8510
+8511
+/* Functions shouldn't call err library */8512
+#define DRBG_FLAG_NOERR 0x18513
+/* Custom reseed checking */8514
+#define DRBG_CUSTOM_RESEED 0x28515
+8516
+/* DRBG status values */8517
+/* not initialised */8518
+#define DRBG_STATUS_UNINITIALISED 08519
+/* ok and ready to generate random bits */8520
+#define DRBG_STATUS_READY 18521
+/* reseed required */8522
+#define DRBG_STATUS_RESEED 28523
+/* fatal error condition */8524
+#define DRBG_STATUS_ERROR 38525
+8526
+/* A default maximum length: larger than any reasonable value used in pratice */8527
+8528
+#define DRBG_MAX_LENGTH 0x7ffffff08529
+/* Maximum DRBG block length: all md sizes are bigger than cipher blocks sizes8530
+ * so use max digest length.8531
+ */8532
+#define DRBG_MAX_BLOCK EVP_MAX_MD_SIZE8533
+8534
+#define DRBG_HEALTH_INTERVAL (1 << 24)8535
+8536
+/* DRBG context structure */8537
+8538
+struct drbg_ctx_st {8539
+ /* First types common to all implementations */8540
+ /* DRBG type: a NID for the underlying algorithm */8541
+ int type;8542
+ /* Various external flags */8543
+ unsigned int xflags;8544
+ /* Various internal use only flags */8545
+ unsigned int iflags;8546
+ /* Used for periodic health checks */8547
+ int health_check_cnt, health_check_interval;8548
+8549
+ /* The following parameters are setup by mechanism drbg_init() call */8550
+ int strength;8551
+ size_t blocklength;8552
+ size_t max_request;8553
+8554
+ size_t min_entropy, max_entropy;8555
+ size_t min_nonce, max_nonce;8556
+ size_t max_pers, max_adin;8557
+ unsigned int reseed_counter;8558
+ unsigned int reseed_interval;8559
+ size_t seedlen;8560
+ int status;8561
+ /* Application data: typically used by test get_entropy */8562
+ void *app_data;8563
+ /* Implementation specific structures */8564
+ union {8565
+ DRBG_HASH_CTX hash;8566
+ DRBG_HMAC_CTX hmac;8567
+ DRBG_CTR_CTX ctr;8568
+ } d;8569
+ /* Initialiase PRNG and setup callbacks below */8570
+ int (*init) (DRBG_CTX *ctx, int nid, int security, unsigned int flags);8571
+ /* Intantiate PRNG */8572
+ int (*instantiate) (DRBG_CTX *ctx,8573
+ const unsigned char *ent, size_t entlen,8574
+ const unsigned char *nonce, size_t noncelen,8575
+ const unsigned char *pers, size_t perslen);8576
+ /* reseed */8577
+ int (*reseed) (DRBG_CTX *ctx,8578
+ const unsigned char *ent, size_t entlen,8579
+ const unsigned char *adin, size_t adinlen);8580
+ /* generat output */8581
+ int (*generate) (DRBG_CTX *ctx,8582
+ unsigned char *out, size_t outlen,8583
+ const unsigned char *adin, size_t adinlen);8584
+ /* uninstantiate */8585
+ int (*uninstantiate) (DRBG_CTX *ctx);8586
+8587
+ /* Entropy source block length */8588
+ size_t entropy_blocklen;8589
+8590
+ /* entropy gathering function */8591
+ size_t (*get_entropy) (DRBG_CTX *ctx, unsigned char **pout,8592
+ int entropy, size_t min_len, size_t max_len);8593
+ /* Indicates we have finished with entropy buffer */8594
+ void (*cleanup_entropy) (DRBG_CTX *ctx, unsigned char *out, size_t olen);8595
+8596
+ /* nonce gathering function */8597
+ size_t (*get_nonce) (DRBG_CTX *ctx, unsigned char **pout,8598
+ int entropy, size_t min_len, size_t max_len);8599
+ /* Indicates we have finished with nonce buffer */8600
+ void (*cleanup_nonce) (DRBG_CTX *ctx, unsigned char *out, size_t olen);8601
+8602
+ /* Callbacks used when called through RAND interface */8603
+ /* Get any additional input for generate */8604
+ size_t (*get_adin) (DRBG_CTX *ctx, unsigned char **pout);8605
+ void (*cleanup_adin) (DRBG_CTX *ctx, unsigned char *out, size_t olen);8606
+ /* Callback for RAND_seed(), RAND_add() */8607
+ int (*rand_seed_cb) (DRBG_CTX *ctx, const void *buf, int num);8608
+ int (*rand_add_cb) (DRBG_CTX *ctx,8609
+ const void *buf, int num, double entropy);8610
+};8611
+8612
+int fips_drbg_ctr_init(DRBG_CTX *dctx);8613
+int fips_drbg_hash_init(DRBG_CTX *dctx);8614
+int fips_drbg_hmac_init(DRBG_CTX *dctx);8615
+int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags);8616
+int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out);8617
+8618
+#define FIPS_digestinit EVP_DigestInit8619
+#define FIPS_digestupdate EVP_DigestUpdate8620
+#define FIPS_digestfinal EVP_DigestFinal8621
+#define M_EVP_MD_size EVP_MD_size8622
diff -up openssl-1.1.1j/crypto/fips/fips_rand_lib.c.fips openssl-1.1.1j/crypto/fips/fips_rand_lib.c8623
--- openssl-1.1.1j/crypto/fips/fips_rand_lib.c.fips 2021-03-03 12:57:42.201734542 +01008624
+++ openssl-1.1.1j/crypto/fips/fips_rand_lib.c 2021-03-03 12:57:42.201734542 +01008625
8626
+/* ====================================================================8627
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.8628
+ *8629
+ * Redistribution and use in source and binary forms, with or without8630
+ * modification, are permitted provided that the following conditions8631
+ * are met:8632
+ *8633
+ * 1. Redistributions of source code must retain the above copyright8634
+ * notice, this list of conditions and the following disclaimer. 8635
+ *8636
+ * 2. Redistributions in binary form must reproduce the above copyright8637
+ * notice, this list of conditions and the following disclaimer in8638
+ * the documentation and/or other materials provided with the8639
+ * distribution.8640
+ *8641
+ * 3. All advertising materials mentioning features or use of this8642
+ * software must display the following acknowledgment:8643
+ * "This product includes software developed by the OpenSSL Project8644
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"8645
+ *8646
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to8647
+ * endorse or promote products derived from this software without8648
+ * prior written permission. For written permission, please contact8649
+ * openssl-core@openssl.org.8650
+ *8651
+ * 5. Products derived from this software may not be called "OpenSSL"8652
+ * nor may "OpenSSL" appear in their names without prior written8653
+ * permission of the OpenSSL Project.8654
+ *8655
+ * 6. Redistributions of any form whatsoever must retain the following8656
+ * acknowledgment:8657
+ * "This product includes software developed by the OpenSSL Project8658
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"8659
+ *8660
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY8661
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE8662
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR8663
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR8664
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,8665
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT8666
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;8667
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)8668
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,8669
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)8670
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED8671
+ * OF THE POSSIBILITY OF SUCH DAMAGE.8672
+ *8673
+ */8674
+8675
+/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't8676
+ be defined and gettimeofday() won't be declared with strict compilers8677
+ like DEC C in ANSI C mode. */8678
+#ifndef _XOPEN_SOURCE_EXTENDED8679
+# define _XOPEN_SOURCE_EXTENDED 18680
+#endif8681
+8682
+#include <openssl/crypto.h>8683
+#include <openssl/rand.h>8684
+#include <openssl/err.h>8685
+#include <openssl/fips.h>8686
+#include "crypto/fips.h"8687
+#include <openssl/fips_rand.h>8688
+#include "e_os.h"8689
+8690
+#if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS))8691
+# include <sys/time.h>8692
+#endif8693
+#if defined(OPENSSL_SYS_VXWORKS)8694
+# include <time.h>8695
+#endif8696
+#ifndef OPENSSL_SYS_WIN328697
+# ifdef OPENSSL_UNISTD8698
+# include OPENSSL_UNISTD8699
+# else8700
+# include <unistd.h>8701
+# endif8702
+#endif8703
+8704
+/* FIPS API for PRNG use. Similar to RAND functionality but without8705
+ * ENGINE and additional checking for non-FIPS rand methods.8706
+ */8707
+8708
+static const RAND_METHOD *fips_rand_meth = NULL;8709
+static int fips_approved_rand_meth = 0;8710
+static int fips_rand_bits = 0;8711
+8712
+/* Allows application to override number of bits and uses non-FIPS methods */8713
+void FIPS_rand_set_bits(int nbits)8714
+{8715
+ fips_rand_bits = nbits;8716
+}8717
+8718
+int FIPS_rand_set_method(const RAND_METHOD *meth)8719
+{8720
+ if (!fips_rand_bits) {8721
+ if (meth == FIPS_drbg_method())8722
+ fips_approved_rand_meth = 1;8723
+ else {8724
+ fips_approved_rand_meth = 0;8725
+ if (FIPS_module_mode()) {8726
+ FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD, FIPS_R_NON_FIPS_METHOD);8727
+ return 0;8728
+ }8729
+ }8730
+ }8731
+ fips_rand_meth = meth;8732
+ return 1;8733
+}8734
+8735
+const RAND_METHOD *FIPS_rand_get_method(void)8736
+{8737
+ return fips_rand_meth;8738
+}8739
+8740
+void FIPS_rand_reset(void)8741
+{8742
+ if (fips_rand_meth && fips_rand_meth->cleanup)8743
+ fips_rand_meth->cleanup();8744
+}8745
+8746
+int FIPS_rand_seed(const void *buf, int num)8747
+{8748
+ if (!fips_approved_rand_meth && FIPS_module_mode()) {8749
+ FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);8750
+ return 0;8751
+ }8752
+ if (fips_rand_meth && fips_rand_meth->seed)8753
+ fips_rand_meth->seed(buf, num);8754
+ return 1;8755
+}8756
+8757
+int FIPS_rand_bytes(unsigned char *buf, int num)8758
+{8759
+ if (!fips_approved_rand_meth && FIPS_module_mode()) {8760
+ FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);8761
+ return 0;8762
+ }8763
+ if (fips_rand_meth && fips_rand_meth->bytes)8764
+ return fips_rand_meth->bytes(buf, num);8765
+ return 0;8766
+}8767
+8768
+int FIPS_rand_status(void)8769
+{8770
+ if (!fips_approved_rand_meth && FIPS_module_mode()) {8771
+ FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);8772
+ return 0;8773
+ }8774
+ if (fips_rand_meth && fips_rand_meth->status)8775
+ return fips_rand_meth->status();8776
+ return 0;8777
+}8778
+8779
+/* Return instantiated strength of PRNG. For DRBG this is an internal8780
+ * parameter. Any other type of PRNG is not approved and returns 0 in8781
+ * FIPS mode and maximum 256 outside FIPS mode.8782
+ */8783
+8784
+int FIPS_rand_strength(void)8785
+{8786
+ if (fips_rand_bits)8787
+ return fips_rand_bits;8788
+ if (fips_approved_rand_meth == 1)8789
+ return FIPS_drbg_get_strength(FIPS_get_default_drbg());8790
+ else if (fips_approved_rand_meth == 0) {8791
+ if (FIPS_module_mode())8792
+ return 0;8793
+ else8794
+ return 256;8795
+ }8796
+ return 0;8797
+}8798
+8799
+void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr)8800
+{8801
+# ifdef OPENSSL_SYS_WIN328802
+ FILETIME ft;8803
+# elif defined(OPENSSL_SYS_VXWORKS)8804
+ struct timespec ts;8805
+# else8806
+ struct timeval tv;8807
+# endif8808
+8809
+# ifndef GETPID_IS_MEANINGLESS8810
+ unsigned long pid;8811
+# endif8812
+8813
+# ifdef OPENSSL_SYS_WIN328814
+ GetSystemTimeAsFileTime(&ft);8815
+ buf[0] = (unsigned char)(ft.dwHighDateTime & 0xff);8816
+ buf[1] = (unsigned char)((ft.dwHighDateTime >> 8) & 0xff);8817
+ buf[2] = (unsigned char)((ft.dwHighDateTime >> 16) & 0xff);8818
+ buf[3] = (unsigned char)((ft.dwHighDateTime >> 24) & 0xff);8819
+ buf[4] = (unsigned char)(ft.dwLowDateTime & 0xff);8820
+ buf[5] = (unsigned char)((ft.dwLowDateTime >> 8) & 0xff);8821
+ buf[6] = (unsigned char)((ft.dwLowDateTime >> 16) & 0xff);8822
+ buf[7] = (unsigned char)((ft.dwLowDateTime >> 24) & 0xff);8823
+# elif defined(OPENSSL_SYS_VXWORKS)8824
+ clock_gettime(CLOCK_REALTIME, &ts);8825
+ buf[0] = (unsigned char)(ts.tv_sec & 0xff);8826
+ buf[1] = (unsigned char)((ts.tv_sec >> 8) & 0xff);8827
+ buf[2] = (unsigned char)((ts.tv_sec >> 16) & 0xff);8828
+ buf[3] = (unsigned char)((ts.tv_sec >> 24) & 0xff);8829
+ buf[4] = (unsigned char)(ts.tv_nsec & 0xff);8830
+ buf[5] = (unsigned char)((ts.tv_nsec >> 8) & 0xff);8831
+ buf[6] = (unsigned char)((ts.tv_nsec >> 16) & 0xff);8832
+ buf[7] = (unsigned char)((ts.tv_nsec >> 24) & 0xff);8833
+# else8834
+ gettimeofday(&tv, NULL);8835
+ buf[0] = (unsigned char)(tv.tv_sec & 0xff);8836
+ buf[1] = (unsigned char)((tv.tv_sec >> 8) & 0xff);8837
+ buf[2] = (unsigned char)((tv.tv_sec >> 16) & 0xff);8838
+ buf[3] = (unsigned char)((tv.tv_sec >> 24) & 0xff);8839
+ buf[4] = (unsigned char)(tv.tv_usec & 0xff);8840
+ buf[5] = (unsigned char)((tv.tv_usec >> 8) & 0xff);8841
+ buf[6] = (unsigned char)((tv.tv_usec >> 16) & 0xff);8842
+ buf[7] = (unsigned char)((tv.tv_usec >> 24) & 0xff);8843
+# endif8844
+ buf[8] = (unsigned char)(*pctr & 0xff);8845
+ buf[9] = (unsigned char)((*pctr >> 8) & 0xff);8846
+ buf[10] = (unsigned char)((*pctr >> 16) & 0xff);8847
+ buf[11] = (unsigned char)((*pctr >> 24) & 0xff);8848
+8849
+ (*pctr)++;8850
+8851
+# ifndef GETPID_IS_MEANINGLESS8852
+ pid = (unsigned long)getpid();8853
+ buf[12] = (unsigned char)(pid & 0xff);8854
+ buf[13] = (unsigned char)((pid >> 8) & 0xff);8855
+ buf[14] = (unsigned char)((pid >> 16) & 0xff);8856
+ buf[15] = (unsigned char)((pid >> 24) & 0xff);8857
+# endif8858
+}8859
+8860
diff -up openssl-1.1.1j/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_rsa_selftest.c8861
--- openssl-1.1.1j/crypto/fips/fips_rsa_selftest.c.fips 2021-03-03 12:57:42.201734542 +01008862
+++ openssl-1.1.1j/crypto/fips/fips_rsa_selftest.c 2021-03-03 12:57:42.201734542 +01008863
8864
+/* ====================================================================8865
+ * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved.8866
+ *8867
+ * Redistribution and use in source and binary forms, with or without8868
+ * modification, are permitted provided that the following conditions8869
+ * are met:8870
+ *8871
+ * 1. Redistributions of source code must retain the above copyright8872
+ * notice, this list of conditions and the following disclaimer. 8873
+ *8874
+ * 2. Redistributions in binary form must reproduce the above copyright8875
+ * notice, this list of conditions and the following disclaimer in8876
+ * the documentation and/or other materials provided with the8877
+ * distribution.8878
+ *8879
+ * 3. All advertising materials mentioning features or use of this8880
+ * software must display the following acknowledgment:8881
+ * "This product includes software developed by the OpenSSL Project8882
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"8883
+ *8884
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to8885
+ * endorse or promote products derived from this software without8886
+ * prior written permission. For written permission, please contact8887
+ * openssl-core@openssl.org.8888
+ *8889
+ * 5. Products derived from this software may not be called "OpenSSL"8890
+ * nor may "OpenSSL" appear in their names without prior written8891
+ * permission of the OpenSSL Project.8892
+ *8893
+ * 6. Redistributions of any form whatsoever must retain the following8894
+ * acknowledgment:8895
+ * "This product includes software developed by the OpenSSL Project8896
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"8897
+ *8898
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY8899
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE8900
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR8901
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR8902
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,8903
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT8904
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;8905
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)8906
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,8907
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)8908
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED8909
+ * OF THE POSSIBILITY OF SUCH DAMAGE.8910
+ *8911
+ */8912
+8913
+#include <string.h>8914
+#include <openssl/err.h>8915
+#ifdef OPENSSL_FIPS8916
+# include <openssl/fips.h>8917
+# include "crypto/fips.h"8918
+#endif8919
+#include <openssl/rsa.h>8920
+#include <openssl/evp.h>8921
+#include <openssl/bn.h>8922
+#include <openssl/opensslconf.h>8923
+#include "fips_locl.h"8924
+8925
+#ifdef OPENSSL_FIPS8926
+8927
+static int setrsakey(RSA *key)8928
+{8929
+ static const unsigned char keydata_n[] = {8930
+ 0x00, 0xc9, 0xd5, 0x6d, 0x9d, 0x90, 0xdb, 0x43, 0xd6, 0x02, 0xed, 0x96, 0x88, 0x13, 0x8a,8931
+ 0xb2, 0xbf, 0x6e, 0xa1, 0x06, 0x10, 0xb2, 0x78, 0x37, 0xa7, 0x14, 0xa8, 0xff, 0xdd, 0x00,8932
+ 0xdd, 0xb4, 0x93, 0xa0, 0x45, 0xcc, 0x96, 0x90, 0xed, 0xad, 0xa9, 0xdd, 0xc4, 0xd6, 0xca,8933
+ 0x0c, 0xf0, 0xed, 0x4f, 0x72, 0x5e, 0x21, 0x49, 0x9a, 0x18, 0x12, 0x15, 0x8f, 0x90, 0x5a,8934
+ 0xdb, 0xb6, 0x33, 0x99, 0xa3, 0xe6, 0xb4, 0xf0, 0xc4, 0x97, 0x21, 0x26, 0xbb, 0xe3, 0xba,8935
+ 0xf2, 0xff, 0xa0, 0x72, 0xda, 0x89, 0x63, 0x8e, 0x8b, 0x3e, 0x08, 0x9d, 0x92, 0x2a, 0xbe,8936
+ 0x16, 0xe1, 0x43, 0x15, 0xfc, 0x57, 0xc7, 0x1f, 0x09, 0x11, 0x67, 0x1c, 0xa9, 0x96, 0xd1,8937
+ 0x8b, 0x3e, 0x80, 0x93, 0xc1, 0x59, 0xd0, 0x6d, 0x39, 0xf2, 0xac, 0x95, 0xcc, 0x10, 0x75,8938
+ 0xe9, 0x31, 0x24, 0xd1, 0x43, 0xaf, 0x68, 0x52, 0x4b, 0xe7, 0x16, 0xd7, 0x49, 0x65, 0x6f,8939
+ 0x26, 0xc0, 0x86, 0xad, 0xc0, 0x07, 0x0a, 0xc1, 0xe1, 0x2f, 0x87, 0x85, 0x86, 0x3b, 0xdc,8940
+ 0x5a, 0x99, 0xbe, 0xe9, 0xf9, 0xb9, 0xe9, 0x82, 0x27, 0x51, 0x04, 0x15, 0xab, 0x06, 0x0e,8941
+ 0x76, 0x5a, 0x28, 0x8d, 0x92, 0xbd, 0xc5, 0xb5, 0x7b, 0xa8, 0xdf, 0x4e, 0x47, 0xa2, 0xc1,8942
+ 0xe7, 0x52, 0xbf, 0x47, 0xf7, 0x62, 0xe0, 0x3a, 0x6f, 0x4d, 0x6a, 0x4d, 0x4e, 0xd4, 0xb9,8943
+ 0x59, 0x69, 0xfa, 0xb2, 0x14, 0xc1, 0xee, 0xe6, 0x2f, 0x95, 0xcd, 0x94, 0x72, 0xae, 0xe4,8944
+ 0xdb, 0x18, 0x9a, 0xc4, 0xcd, 0x70, 0xbd, 0xee, 0x31, 0x16, 0xb7, 0x49, 0x65, 0xac, 0x40,8945
+ 0x19, 0x0e, 0xb5, 0x6d, 0x83, 0xf1, 0x36, 0xbb, 0x08, 0x2f, 0x2e, 0x4e, 0x92, 0x62, 0xa4,8946
+ 0xff, 0x50, 0xdb, 0x20, 0x45, 0xa2, 0xeb, 0x16, 0x7a, 0xf2, 0xd5, 0x28, 0xc1, 0xfd, 0x4e,8947
+ 0x03, 0x718948
+ };8949
+8950
+ static const unsigned char keydata_e[] = { 0x01, 0x00, 0x01 };8951
+8952
+ static const unsigned char keydata_d[] = {8953
+ 0x36, 0x27, 0x3d, 0xb1, 0xf9, 0x1b, 0xdb, 0xa7, 0xa0, 0x41, 0x7f, 0x12, 0x23, 0xac, 0x23,8954
+ 0x29, 0x99, 0xd5, 0x3a, 0x7b, 0x60, 0x67, 0x41, 0x07, 0x63, 0x53, 0xb4, 0xd2, 0xe7, 0x58,8955
+ 0x95, 0x0a, 0xc7, 0x05, 0xf3, 0x4e, 0xb2, 0xb4, 0x12, 0xd4, 0x70, 0xdc, 0x4f, 0x85, 0x06,8956
+ 0xd3, 0xdd, 0xd8, 0x63, 0x27, 0x3e, 0x67, 0x31, 0x21, 0x24, 0x39, 0x04, 0xbc, 0x06, 0xa4,8957
+ 0xcc, 0xce, 0x2b, 0x7a, 0xfe, 0x7b, 0xad, 0xde, 0x11, 0x6e, 0xa3, 0xa5, 0xe6, 0x04, 0x53,8958
+ 0x0e, 0xa3, 0x4e, 0x2d, 0xb4, 0x8f, 0x31, 0xbf, 0xca, 0x75, 0x25, 0x52, 0x02, 0x85, 0xde,8959
+ 0x3d, 0xb2, 0x72, 0x43, 0xb2, 0x89, 0x8a, 0x9a, 0x34, 0x41, 0x26, 0x3f, 0x9a, 0x67, 0xbe,8960
+ 0xa4, 0x96, 0x7b, 0x0e, 0x75, 0xba, 0xa6, 0x93, 0xd5, 0xb8, 0xd8, 0xb8, 0x57, 0xf2, 0x4b,8961
+ 0x0f, 0x14, 0x81, 0xd1, 0x57, 0x4e, 0xf6, 0x45, 0x4c, 0xa6, 0x3b, 0xd0, 0x70, 0xca, 0xd3,8962
+ 0x9d, 0x55, 0xde, 0x22, 0x05, 0xe7, 0x8e, 0x28, 0x4d, 0xee, 0x11, 0xcf, 0xb6, 0x67, 0x76,8963
+ 0x09, 0xd3, 0xe3, 0x3c, 0x13, 0xf9, 0x99, 0x34, 0x10, 0x7b, 0xec, 0x81, 0x38, 0xf0, 0xb6,8964
+ 0x34, 0x9c, 0x9b, 0x50, 0x6f, 0x0b, 0x91, 0x81, 0x4d, 0x89, 0x94, 0x04, 0x7b, 0xf0, 0x3c,8965
+ 0xf4, 0xb1, 0xb2, 0x00, 0x48, 0x8d, 0x5a, 0x8f, 0x88, 0x9e, 0xc5, 0xab, 0x3a, 0x9e, 0x44,8966
+ 0x3f, 0x54, 0xe7, 0xd9, 0x6e, 0x47, 0xaa, 0xa1, 0xbd, 0x40, 0x46, 0x31, 0xf9, 0xf0, 0x34,8967
+ 0xb6, 0x04, 0xe1, 0x2b, 0x5b, 0x73, 0x86, 0xdd, 0x3a, 0x92, 0x1b, 0x71, 0xc7, 0x3f, 0x32,8968
+ 0xe5, 0xc3, 0xc2, 0xab, 0xa1, 0x7e, 0xbf, 0xa4, 0x52, 0xa0, 0xb0, 0x68, 0x90, 0xd1, 0x20,8969
+ 0x12, 0x79, 0xe9, 0xd7, 0xc9, 0x40, 0xba, 0xf2, 0x19, 0xc7, 0xa5, 0x00, 0x92, 0x86, 0x0d,8970
+ 0x018971
+ };8972
+8973
+ static const unsigned char keydata_p[] = {8974
+ 0x00, 0xfc, 0x5c, 0x6e, 0x16, 0xce, 0x1f, 0x03, 0x7b, 0xcd, 0xf7, 0xb3, 0x72, 0xb2, 0x8f,8975
+ 0x16, 0x72, 0xb8, 0x56, 0xae, 0xf7, 0xcd, 0x67, 0xd8, 0x4e, 0x7d, 0x07, 0xaf, 0xd5, 0x43,8976
+ 0x26, 0xc3, 0x35, 0xbe, 0x43, 0x8f, 0x4e, 0x2f, 0x1c, 0x43, 0x4e, 0x6b, 0xd2, 0xb2, 0xec,8977
+ 0x52, 0x6d, 0x97, 0x52, 0x2b, 0xcc, 0x5c, 0x3a, 0x6b, 0xf4, 0x14, 0xc6, 0x74, 0xda, 0x66,8978
+ 0x38, 0x1c, 0x7a, 0x3f, 0x84, 0x2f, 0xe3, 0xf9, 0x5a, 0xb8, 0x65, 0x69, 0x46, 0x06, 0xa3,8979
+ 0x37, 0x79, 0xb2, 0xa1, 0x5b, 0x58, 0xed, 0x5e, 0xa7, 0x5f, 0x8c, 0x65, 0x66, 0xbb, 0xd1,8980
+ 0x24, 0x36, 0xe6, 0x37, 0xa7, 0x3d, 0x49, 0x77, 0x8a, 0x8c, 0x34, 0xd8, 0x69, 0x29, 0xf3,8981
+ 0x4d, 0x58, 0x22, 0xb0, 0x51, 0x24, 0xb6, 0x40, 0xa8, 0x86, 0x59, 0x0a, 0xb7, 0xba, 0x5c,8982
+ 0x97, 0xda, 0x57, 0xe8, 0x36, 0xda, 0x7a, 0x9c, 0xad8983
+ };8984
+8985
+ static const unsigned char keydata_q[] = {8986
+ 0x00, 0xcc, 0xbe, 0x7b, 0x09, 0x69, 0x06, 0xee, 0x45, 0xbf, 0x88, 0x47, 0x38, 0xa8, 0xf8,8987
+ 0x17, 0xe5, 0xb6, 0xba, 0x67, 0x55, 0xe3, 0xe8, 0x05, 0x8b, 0xb8, 0xe2, 0x53, 0xd6, 0x8e,8988
+ 0xef, 0x2c, 0xe7, 0x4f, 0x4a, 0xf7, 0x4e, 0x26, 0x8d, 0x85, 0x0b, 0x3f, 0xec, 0xc3, 0x1c,8989
+ 0xd4, 0xeb, 0xec, 0x6a, 0xc8, 0x72, 0x2a, 0x25, 0x7d, 0xfd, 0xa6, 0x77, 0x96, 0xf0, 0x1e,8990
+ 0xcd, 0x28, 0x57, 0xf8, 0x37, 0x30, 0x75, 0x6b, 0xbd, 0xd4, 0x7b, 0x0c, 0x87, 0xc5, 0x6c,8991
+ 0x87, 0x40, 0xa5, 0xbb, 0x27, 0x2c, 0x78, 0xc9, 0x74, 0x5a, 0x54, 0x5b, 0x0b, 0x30, 0x6f,8992
+ 0x44, 0x4a, 0xfa, 0x71, 0xe4, 0x21, 0x61, 0x66, 0xf9, 0xee, 0x65, 0xde, 0x7c, 0x04, 0xd7,8993
+ 0xfd, 0xa9, 0x15, 0x5b, 0x7f, 0xe2, 0x7a, 0xba, 0x69, 0x86, 0x72, 0xa6, 0x06, 0x8d, 0x9b,8994
+ 0x90, 0x55, 0x60, 0x9e, 0x4c, 0x5d, 0xa9, 0xb6, 0x558995
+ };8996
+8997
+ static const unsigned char keydata_dmp1[] = {8998
+ 0x7a, 0xd6, 0x12, 0xd0, 0x0e, 0xec, 0x91, 0xa9, 0x85, 0x8b, 0xf8, 0x50, 0xf0, 0x11, 0x2e,8999
+ 0x00, 0x11, 0x32, 0x40, 0x60, 0x66, 0x1f, 0x11, 0xee, 0xc2, 0x75, 0x27, 0x65, 0x4b, 0x16,9000
+ 0x67, 0x16, 0x95, 0xd2, 0x14, 0xc3, 0x1d, 0xb3, 0x48, 0x1f, 0xb7, 0xe4, 0x0b, 0x2b, 0x74,9001
+ 0xc3, 0xdb, 0x50, 0x27, 0xf9, 0x85, 0x3a, 0xfa, 0xa9, 0x08, 0x23, 0xc1, 0x65, 0x3d, 0x34,9002
+ 0x3a, 0xc8, 0x56, 0x7a, 0x65, 0x45, 0x36, 0x6e, 0xae, 0x2a, 0xce, 0x9f, 0x43, 0x43, 0xd7,9003
+ 0x10, 0xe9, 0x9e, 0x18, 0xf4, 0xa4, 0x35, 0xda, 0x8a, 0x6b, 0xb0, 0x3f, 0xdd, 0x53, 0xe3,9004
+ 0xa8, 0xc5, 0x4e, 0x79, 0x9d, 0x1f, 0x51, 0x8c, 0xa2, 0xca, 0x66, 0x3c, 0x6a, 0x2a, 0xff,9005
+ 0x8e, 0xd2, 0xf3, 0xb7, 0xcb, 0x82, 0xda, 0xde, 0x2c, 0xe6, 0xd2, 0x8c, 0xb3, 0xad, 0xb6,9006
+ 0x4c, 0x95, 0x55, 0x76, 0xbd, 0xc9, 0xc8, 0xd19007
+ };9008
+9009
+ static const unsigned char keydata_dmq1[] = {9010
+ 0x00, 0x83, 0x23, 0x1d, 0xbb, 0x11, 0x42, 0x17, 0x2b, 0x25, 0x5a, 0x2c, 0x03, 0xe6, 0x75,9011
+ 0xc1, 0x18, 0xa8, 0xc9, 0x0b, 0x96, 0xbf, 0xba, 0xc4, 0x92, 0x91, 0x80, 0xa5, 0x22, 0x2f,9012
+ 0xba, 0x91, 0x90, 0x36, 0x01, 0x56, 0x15, 0x00, 0x2c, 0x74, 0xa2, 0x97, 0xf7, 0x15, 0xa1,9013
+ 0x49, 0xdf, 0x32, 0x35, 0xd2, 0xdd, 0x0c, 0x91, 0xa6, 0xf8, 0xe7, 0xbe, 0x81, 0x36, 0x9b,9014
+ 0x03, 0xdc, 0x6b, 0x3b, 0xd8, 0x5d, 0x79, 0x57, 0xe0, 0xe6, 0x4f, 0x49, 0xdf, 0x4c, 0x5c,9015
+ 0x0e, 0xe5, 0x21, 0x41, 0x95, 0xfd, 0xad, 0xff, 0x9a, 0x3e, 0xa0, 0xf9, 0x0f, 0x59, 0x9e,9016
+ 0x6a, 0xa7, 0x7b, 0x71, 0xa7, 0x24, 0x9a, 0x36, 0x52, 0xae, 0x97, 0x20, 0xc1, 0x5e, 0x78,9017
+ 0xd9, 0x47, 0x8b, 0x1e, 0x67, 0xf2, 0xaf, 0x98, 0xe6, 0x2d, 0xef, 0x10, 0xd7, 0xf1, 0xab,9018
+ 0x49, 0xee, 0xe5, 0x4b, 0x7e, 0xae, 0x1f, 0x1d, 0x619019
+ };9020
+9021
+ static const unsigned char keydata_iqmp[] = {9022
+ 0x23, 0x96, 0xc1, 0x91, 0x17, 0x5e, 0x0a, 0x83, 0xd2, 0xdc, 0x7b, 0x69, 0xb2, 0x59, 0x1d,9023
+ 0x33, 0x58, 0x52, 0x3f, 0x18, 0xc7, 0x09, 0x50, 0x1c, 0xb9, 0xa1, 0xbb, 0x4c, 0xa2, 0x38,9024
+ 0x40, 0x4c, 0x9a, 0x8e, 0xfe, 0x9c, 0x90, 0x92, 0xd0, 0x71, 0x9f, 0x89, 0x99, 0x50, 0x91,9025
+ 0x1f, 0x34, 0x8b, 0x74, 0x53, 0x11, 0x11, 0x4a, 0x70, 0xe2, 0xf7, 0x30, 0xd8, 0x8c, 0x80,9026
+ 0xe1, 0xcc, 0x9f, 0xf1, 0x63, 0x17, 0x1a, 0x7d, 0x67, 0x29, 0x4c, 0xcb, 0x4e, 0x74, 0x7b,9027
+ 0xe0, 0x3e, 0x9e, 0x2f, 0xf4, 0x67, 0x8f, 0xec, 0xb9, 0x5c, 0x00, 0x1e, 0x7e, 0xa2, 0x7b,9028
+ 0x92, 0xc9, 0x6f, 0x4c, 0xe4, 0x0e, 0xf9, 0x48, 0x63, 0xcd, 0x50, 0x22, 0x5d, 0xbf, 0xb6,9029
+ 0x9d, 0x01, 0x33, 0x6a, 0xf4, 0x50, 0xbe, 0x86, 0x98, 0x4f, 0xca, 0x3f, 0x3a, 0xfa, 0xcf,9030
+ 0x07, 0x40, 0xc4, 0xaa, 0xad, 0xae, 0xbe, 0xbf9031
+ };9032
+9033
+ int rv = 0;9034
+ BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL, *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;9035
+9036
+ fips_load_key_component(n, keydata);9037
+ fips_load_key_component(e, keydata);9038
+ fips_load_key_component(d, keydata);9039
+ fips_load_key_component(p, keydata);9040
+ fips_load_key_component(q, keydata);9041
+ fips_load_key_component(dmp1, keydata);9042
+ fips_load_key_component(dmq1, keydata);9043
+ fips_load_key_component(iqmp, keydata);9044
+9045
+ RSA_set0_key(key, n, e, d);9046
+ RSA_set0_factors(key, p, q);9047
+ RSA_set0_crt_params(key, dmp1, dmq1, iqmp);9048
+9049
+ rv = 1;9050
+err:9051
+ if (!rv) {9052
+ BN_free(n);9053
+ BN_free(e);9054
+ BN_free(d);9055
+ BN_free(p);9056
+ BN_free(q);9057
+ BN_free(dmp1);9058
+ BN_free(dmq1);9059
+ BN_free(iqmp);9060
+ }9061
+ return rv;9062
+}9063
+9064
+/* Known Answer Test (KAT) data for the above RSA private key signing9065
+ * kat_tbs.9066
+ */9067
+9068
+static const unsigned char kat_tbs[] =9069
+ "OpenSSL FIPS 140-2 Public Key RSA KAT";9070
+9071
+static const unsigned char kat_RSA_PSS_SHA256[] = {9072
+ 0x38, 0xDA, 0x99, 0x51, 0x26, 0x38, 0xC6, 0x7F, 0xC4, 0x81, 0x57, 0x19,9073
+ 0x35, 0xC6, 0xF6, 0x1E, 0x90, 0x47, 0x20, 0x55, 0x47, 0x56, 0x26, 0xE9,9074
+ 0xF2, 0xA8, 0x39, 0x6C, 0xD5, 0xCD, 0xCB, 0x55, 0xFC, 0x0C, 0xC5, 0xCB,9075
+ 0xF7, 0x40, 0x17, 0x3B, 0xCF, 0xE4, 0x05, 0x03, 0x3B, 0xA0, 0xB2, 0xC9,9076
+ 0x0D, 0x5E, 0x48, 0x3A, 0xE9, 0xAD, 0x28, 0x71, 0x7D, 0x8F, 0x89, 0x16,9077
+ 0x59, 0x93, 0x35, 0xDC, 0x4D, 0x7B, 0xDF, 0x84, 0xE4, 0x68, 0xAA, 0x33,9078
+ 0xAA, 0xDC, 0x66, 0x50, 0xC8, 0xA9, 0x32, 0x12, 0xDC, 0xC6, 0x90, 0x49,9079
+ 0x0B, 0x75, 0xFF, 0x9B, 0x95, 0x00, 0x9A, 0x90, 0xE0, 0xD4, 0x0E, 0x67,9080
+ 0xAB, 0x3C, 0x47, 0x36, 0xC5, 0x2E, 0x1C, 0x46, 0xF0, 0x2D, 0xD3, 0x8B,9081
+ 0x42, 0x08, 0xDE, 0x0D, 0xB6, 0x2C, 0x86, 0xB0, 0x35, 0x71, 0x18, 0x6B,9082
+ 0x89, 0x67, 0xC0, 0x05, 0xAD, 0xF4, 0x1D, 0x62, 0x4E, 0x75, 0xEC, 0xD6,9083
+ 0xC2, 0xDB, 0x07, 0xB0, 0xB6, 0x8D, 0x15, 0xAD, 0xCD, 0xBF, 0xF5, 0x60,9084
+ 0x76, 0xAE, 0x48, 0xB8, 0x77, 0x7F, 0xC5, 0x01, 0xD9, 0x29, 0xBB, 0xD6,9085
+ 0x17, 0xA2, 0x20, 0x5A, 0xC0, 0x4A, 0x3B, 0x34, 0xC8, 0xB9, 0x39, 0xCF,9086
+ 0x06, 0x89, 0x95, 0x6F, 0xC7, 0xCA, 0xC4, 0xE4, 0x43, 0xDF, 0x5A, 0x23,9087
+ 0xE2, 0x89, 0xA3, 0x38, 0x78, 0x31, 0x38, 0xC6, 0xA4, 0x6F, 0x5F, 0x73,9088
+ 0x5A, 0xE5, 0x9E, 0x09, 0xE7, 0x6F, 0xD4, 0xF8, 0x3E, 0xB7, 0xB0, 0x56,9089
+ 0x9A, 0xF3, 0x65, 0xF0, 0xC2, 0xA6, 0x8A, 0x08, 0xBA, 0x44, 0xAC, 0x97,9090
+ 0xDE, 0xB4, 0x16, 0x83, 0xDF, 0xE3, 0xEE, 0x71, 0xFA, 0xF9, 0x51, 0x50,9091
+ 0x14, 0xDC, 0xFD, 0x6A, 0x82, 0x20, 0x68, 0x64, 0x7D, 0x4E, 0x82, 0x68,9092
+ 0xD7, 0x45, 0xFA, 0x6A, 0xE4, 0xE5, 0x29, 0x3A, 0x70, 0xFB, 0xE4, 0x62,9093
+ 0x2B, 0x31, 0xB9, 0x7D9094
+};9095
+9096
+static const unsigned char kat_RSA_SHA256[] = {9097
+ 0xC2, 0xB1, 0x97, 0x00, 0x9A, 0xE5, 0x80, 0x6A, 0xE2, 0x51, 0x68, 0xB9,9098
+ 0x7A, 0x0C, 0xF2, 0xB4, 0x77, 0xED, 0x15, 0x0C, 0x4E, 0xE1, 0xDC, 0xFF,9099
+ 0x8E, 0xBC, 0xDE, 0xC7, 0x9A, 0x96, 0xF1, 0x47, 0x45, 0x24, 0x9D, 0x6F,9100
+ 0xA6, 0xF3, 0x1D, 0x0D, 0x35, 0x4C, 0x1A, 0xF3, 0x58, 0x2C, 0x6C, 0x06,9101
+ 0xD6, 0x22, 0x37, 0x77, 0x8C, 0x33, 0xE5, 0x07, 0x53, 0x93, 0x28, 0xCF,9102
+ 0x67, 0xFA, 0xC4, 0x1F, 0x1B, 0x24, 0xDB, 0x4C, 0xC5, 0x2A, 0x51, 0xA2,9103
+ 0x60, 0x15, 0x8C, 0x54, 0xB4, 0x30, 0xE2, 0x24, 0x47, 0x86, 0xF2, 0xF8,9104
+ 0x6C, 0xD6, 0x12, 0x59, 0x2C, 0x74, 0x9A, 0x37, 0xF3, 0xC4, 0xA2, 0xD5,9105
+ 0x4E, 0x1F, 0x77, 0xF0, 0x27, 0xCE, 0x77, 0xF8, 0x4A, 0x79, 0x03, 0xBE,9106
+ 0xC8, 0x06, 0x2D, 0xA7, 0xA6, 0x46, 0xF5, 0x55, 0x79, 0xD7, 0x5C, 0xC6,9107
+ 0x5B, 0xB1, 0x00, 0x4E, 0x7C, 0xD9, 0x11, 0x85, 0xE0, 0xB1, 0x4D, 0x2D,9108
+ 0x13, 0xD7, 0xAC, 0xEA, 0x64, 0xD1, 0xAC, 0x8F, 0x8D, 0x8F, 0xEA, 0x42,9109
+ 0x7F, 0xF9, 0xB7, 0x7D, 0x2C, 0x68, 0x49, 0x07, 0x7A, 0x74, 0xEF, 0xB4,9110
+ 0xC9, 0x97, 0x16, 0x5C, 0x6C, 0x6E, 0x5C, 0x09, 0x2E, 0x8E, 0x13, 0x2E,9111
+ 0x1A, 0x8D, 0xA6, 0x0C, 0x6E, 0x0C, 0x1C, 0x0F, 0xCC, 0xB2, 0x78, 0x8A,9112
+ 0x07, 0xFC, 0x5C, 0xC2, 0xF5, 0x65, 0xEC, 0xAB, 0x8B, 0x3C, 0xCA, 0x91,9113
+ 0x6F, 0x84, 0x7C, 0x21, 0x0E, 0xB8, 0xDA, 0x7B, 0x6C, 0xF7, 0xDF, 0xAB,9114
+ 0x7E, 0x15, 0xFD, 0x85, 0x0B, 0x33, 0x9B, 0x6A, 0x3A, 0xC3, 0xEF, 0x65,9115
+ 0x04, 0x6E, 0xB2, 0xAC, 0x98, 0xFD, 0xEB, 0x02, 0xF5, 0xC0, 0x0B, 0x5E,9116
+ 0xCB, 0xD4, 0x83, 0x82, 0x18, 0x1B, 0xDA, 0xB4, 0xCD, 0xE8, 0x71, 0x6B,9117
+ 0x1D, 0xB5, 0x4F, 0xE9, 0xD6, 0x43, 0xA0, 0x0A, 0x14, 0xA0, 0xE7, 0x5D,9118
+ 0x47, 0x9D, 0x18, 0xD79119
+};9120
+9121
+static int fips_rsa_encrypt_test(RSA *rsa, const unsigned char *plaintext,9122
+ int ptlen)9123
+{9124
+ unsigned char *ctbuf = NULL, *ptbuf = NULL;9125
+ int ret = 0;9126
+ int len;9127
+9128
+ ctbuf = OPENSSL_malloc(RSA_size(rsa));9129
+ if (!ctbuf)9130
+ goto err;9131
+9132
+ len = RSA_public_encrypt(ptlen, plaintext, ctbuf, rsa, RSA_PKCS1_PADDING);9133
+ if (len <= 0)9134
+ goto err;9135
+ /* Check ciphertext doesn't match plaintext */9136
+ if (len >= ptlen && !memcmp(plaintext, ctbuf, ptlen))9137
+ goto err;9138
+9139
+ ptbuf = OPENSSL_malloc(RSA_size(rsa));9140
+ if (!ptbuf)9141
+ goto err;9142
+9143
+ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);9144
+ if (len != ptlen)9145
+ goto err;9146
+ if (memcmp(ptbuf, plaintext, len))9147
+ goto err;9148
+9149
+ ret = 1;9150
+9151
+ err:9152
+ if (ctbuf)9153
+ OPENSSL_free(ctbuf);9154
+ if (ptbuf)9155
+ OPENSSL_free(ptbuf);9156
+ return ret;9157
+}9158
+9159
+int FIPS_selftest_rsa()9160
+{9161
+ int ret = 0;9162
+ RSA *key;9163
+ EVP_PKEY *pk = NULL;9164
+9165
+ if ((key = RSA_new()) == NULL)9166
+ goto err;9167
+9168
+ if (!setrsakey(key))9169
+ goto err;9170
+9171
+ if ((pk = EVP_PKEY_new()) == NULL)9172
+ goto err;9173
+9174
+ EVP_PKEY_set1_RSA(pk, key);9175
+9176
+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,9177
+ kat_RSA_SHA256, sizeof(kat_RSA_SHA256),9178
+ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1,9179
+ "RSA SHA256 PKCS#1"))9180
+ goto err;9181
+9182
+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,9183
+ kat_RSA_PSS_SHA256,9184
+ sizeof(kat_RSA_PSS_SHA256), EVP_sha256(),9185
+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA256 PSS"))9186
+ goto err;9187
+9188
+ if (!fips_rsa_encrypt_test(key, kat_tbs, sizeof(kat_tbs) - 1))9189
+ goto err;9190
+9191
+ ret = 1;9192
+9193
+ err:9194
+ if (pk)9195
+ EVP_PKEY_free(pk);9196
+ if (key)9197
+ RSA_free(key);9198
+ return ret;9199
+}9200
+9201
+#endif /* def OPENSSL_FIPS */9202
diff -up openssl-1.1.1j/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_sha_selftest.c9203
--- openssl-1.1.1j/crypto/fips/fips_sha_selftest.c.fips 2021-03-03 12:57:42.201734542 +01009204
+++ openssl-1.1.1j/crypto/fips/fips_sha_selftest.c 2021-03-03 12:57:42.201734542 +01009205
9206
+/* ====================================================================9207
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.9208
+ *9209
+ * Redistribution and use in source and binary forms, with or without9210
+ * modification, are permitted provided that the following conditions9211
+ * are met:9212
+ *9213
+ * 1. Redistributions of source code must retain the above copyright9214
+ * notice, this list of conditions and the following disclaimer. 9215
+ *9216
+ * 2. Redistributions in binary form must reproduce the above copyright9217
+ * notice, this list of conditions and the following disclaimer in9218
+ * the documentation and/or other materials provided with the9219
+ * distribution.9220
+ *9221
+ * 3. All advertising materials mentioning features or use of this9222
+ * software must display the following acknowledgment:9223
+ * "This product includes software developed by the OpenSSL Project9224
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"9225
+ *9226
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to9227
+ * endorse or promote products derived from this software without9228
+ * prior written permission. For written permission, please contact9229
+ * openssl-core@openssl.org.9230
+ *9231
+ * 5. Products derived from this software may not be called "OpenSSL"9232
+ * nor may "OpenSSL" appear in their names without prior written9233
+ * permission of the OpenSSL Project.9234
+ *9235
+ * 6. Redistributions of any form whatsoever must retain the following9236
+ * acknowledgment:9237
+ * "This product includes software developed by the OpenSSL Project9238
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"9239
+ *9240
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY9241
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE9242
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR9243
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR9244
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,9245
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT9246
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;9247
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)9248
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,9249
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)9250
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED9251
+ * OF THE POSSIBILITY OF SUCH DAMAGE.9252
+ *9253
+ */9254
+9255
+#include <string.h>9256
+#include <openssl/err.h>9257
+#ifdef OPENSSL_FIPS9258
+# include <openssl/fips.h>9259
+#endif9260
+#include <openssl/evp.h>9261
+#include <openssl/sha.h>9262
+9263
+#ifdef OPENSSL_FIPS9264
+static const char test[][60] = {9265
+ "",9266
+ "abc",9267
+ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"9268
+};9269
+9270
+static const unsigned char ret[][SHA_DIGEST_LENGTH] = {9271
+ {0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55,9272
+ 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09},9273
+ {0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a, 0xba, 0x3e,9274
+ 0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d},9275
+ {0x84, 0x98, 0x3e, 0x44, 0x1c, 0x3b, 0xd2, 0x6e, 0xba, 0xae,9276
+ 0x4a, 0xa1, 0xf9, 0x51, 0x29, 0xe5, 0xe5, 0x46, 0x70, 0xf1},9277
+};9278
+9279
+int FIPS_selftest_sha1()9280
+{9281
+ int n;9282
+9283
+ for (n = 0; n < sizeof(test) / sizeof(test[0]); ++n) {9284
+ unsigned char md[SHA_DIGEST_LENGTH];9285
+9286
+ EVP_Digest(test[n], strlen(test[n]), md, NULL,9287
+ EVP_sha1(), NULL);9288
+ if (memcmp(md, ret[n], sizeof md)) {9289
+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA1, FIPS_R_SELFTEST_FAILED);9290
+ return 0;9291
+ }9292
+ }9293
+ return 1;9294
+}9295
+9296
+static const unsigned char msg_sha256[] =9297
+ { 0xfa, 0x48, 0x59, 0x2a, 0xe1, 0xae, 0x1f, 0x30,9298
+ 0xfc9299
+};9300
+9301
+static const unsigned char dig_sha256[] =9302
+ { 0xf7, 0x26, 0xd8, 0x98, 0x47, 0x91, 0x68, 0x5b,9303
+ 0x9e, 0x39, 0xb2, 0x58, 0xbb, 0x75, 0xbf, 0x01,9304
+ 0x17, 0x0c, 0x84, 0x00, 0x01, 0x7a, 0x94, 0x83,9305
+ 0xf3, 0x0b, 0x15, 0x84, 0x4b, 0x69, 0x88, 0x8a9306
+};9307
+9308
+static const unsigned char msg_sha512[] =9309
+ { 0x37, 0xd1, 0x35, 0x9d, 0x18, 0x41, 0xe9, 0xb7,9310
+ 0x6d, 0x9a, 0x13, 0xda, 0x5f, 0xf3, 0xbd9311
+};9312
+9313
+static const unsigned char dig_sha512[] =9314
+ { 0x11, 0x13, 0xc4, 0x19, 0xed, 0x2b, 0x1d, 0x16,9315
+ 0x11, 0xeb, 0x9b, 0xbe, 0xf0, 0x7f, 0xcf, 0x44,9316
+ 0x8b, 0xd7, 0x57, 0xbd, 0x8d, 0xa9, 0x25, 0xb0,9317
+ 0x47, 0x25, 0xd6, 0x6c, 0x9a, 0x54, 0x7f, 0x8f,9318
+ 0x0b, 0x53, 0x1a, 0x10, 0x68, 0x32, 0x03, 0x38,9319
+ 0x82, 0xc4, 0x87, 0xc4, 0xea, 0x0e, 0xd1, 0x04,9320
+ 0xa9, 0x98, 0xc1, 0x05, 0xa3, 0xf3, 0xf8, 0xb1,9321
+ 0xaf, 0xbc, 0xd9, 0x78, 0x7e, 0xee, 0x3d, 0x439322
+};9323
+9324
+int FIPS_selftest_sha2(void)9325
+{9326
+ unsigned char md[SHA512_DIGEST_LENGTH];9327
+9328
+ EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL);9329
+ if (memcmp(dig_sha256, md, sizeof(dig_sha256))) {9330
+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED);9331
+ return 0;9332
+ }9333
+9334
+ EVP_Digest(msg_sha512, sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL);9335
+ if (memcmp(dig_sha512, md, sizeof(dig_sha512))) {9336
+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED);9337
+ return 0;9338
+ }9339
+9340
+ return 1;9341
+}9342
+9343
+static const unsigned char msg_sha3_256[] = {9344
+ 0xa1, 0xd7, 0xce, 0x51, 0x04, 0xeb, 0x25, 0xd6,9345
+ 0x13, 0x1b, 0xb8, 0xf6, 0x6e, 0x1f, 0xb1, 0x3f,9346
+ 0x35, 0x239347
+};9348
+9349
+static const unsigned char dig_sha3_256[] = {9350
+ 0xee, 0x90, 0x62, 0xf3, 0x97, 0x20, 0xb8, 0x21,9351
+ 0xb8, 0x8b, 0xe5, 0xe6, 0x46, 0x21, 0xd7, 0xe0,9352
+ 0xca, 0x02, 0x6a, 0x9f, 0xe7, 0x24, 0x8d, 0x78,9353
+ 0x15, 0x0b, 0x14, 0xbd, 0xba, 0xa4, 0x0b, 0xed9354
+};9355
+9356
+static const unsigned char msg_sha3_512[] = {9357
+ 0x13, 0x3b, 0x49, 0x7b, 0x00, 0x93, 0x27, 0x73,9358
+ 0xa5, 0x3b, 0xa9, 0xbf, 0x8e, 0x61, 0xd5, 0x9f,9359
+ 0x05, 0xf49360
+};9361
+9362
+static const unsigned char dig_sha3_512[] = {9363
+ 0x78, 0x39, 0x64, 0xa1, 0xcf, 0x41, 0xd6, 0xd2,9364
+ 0x10, 0xa8, 0xd7, 0xc8, 0x1c, 0xe6, 0x97, 0x0a,9365
+ 0xa6, 0x2c, 0x90, 0x53, 0xcb, 0x89, 0xe1, 0x5f,9366
+ 0x88, 0x05, 0x39, 0x57, 0xec, 0xf6, 0x07, 0xf4,9367
+ 0x2a, 0xf0, 0x88, 0x04, 0xe7, 0x6f, 0x2f, 0xbd,9368
+ 0xbb, 0x31, 0x80, 0x9c, 0x9e, 0xef, 0xc6, 0x0e,9369
+ 0x23, 0x3d, 0x66, 0x24, 0x36, 0x7a, 0x3b, 0x9c,9370
+ 0x30, 0xf8, 0xee, 0x5f, 0x65, 0xbe, 0x56, 0xac9371
+};9372
+9373
+static const unsigned char msg_shake_128[] = {9374
+ 0x43, 0xbd, 0xb1, 0x1e, 0xac, 0x71, 0x03, 0x1f,9375
+ 0x02, 0xa1, 0x1c, 0x15, 0xa1, 0x88, 0x5f, 0xa4,9376
+ 0x28, 0x989377
+};9378
+9379
+static const unsigned char dig_shake_128[] = {9380
+ 0xde, 0x68, 0x02, 0x7d, 0xa1, 0x30, 0x66, 0x3a,9381
+ 0x73, 0x98, 0x0e, 0x35, 0x25, 0xb8, 0x8c, 0x759382
+};9383
+9384
+static const unsigned char msg_shake_256[] = {9385
+ 0x8f, 0x84, 0xa3, 0x7d, 0xbd, 0x44, 0xd0, 0xf6,9386
+ 0x95, 0x36, 0xc5, 0xf4, 0x44, 0x6b, 0xa3, 0x23,9387
+ 0x9b, 0xfc9388
+};9389
+9390
+static const unsigned char dig_shake_256[] = {9391
+ 0x05, 0xca, 0x83, 0x5e, 0x0c, 0xdb, 0xfa, 0xf5,9392
+ 0x95, 0xc6, 0x86, 0x7e, 0x2d, 0x9d, 0xb9, 0x3f,9393
+ 0xca, 0x9c, 0x8b, 0xc6, 0x65, 0x02, 0x2e, 0xdd,9394
+ 0x6f, 0xe7, 0xb3, 0xda, 0x5e, 0x07, 0xc4, 0xcf9395
+};9396
+9397
+int FIPS_selftest_sha3(void)9398
+{9399
+ unsigned char md[SHA512_DIGEST_LENGTH];9400
+9401
+ EVP_Digest(msg_sha3_256, sizeof(msg_sha3_256), md, NULL, EVP_sha3_256(), NULL);9402
+ if (memcmp(dig_sha3_256, md, sizeof(dig_sha3_256))) {9403
+ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);9404
+ return 0;9405
+ }9406
+9407
+ EVP_Digest(msg_sha3_512, sizeof(msg_sha3_512), md, NULL, EVP_sha3_512(), NULL);9408
+ if (memcmp(dig_sha3_512, md, sizeof(dig_sha3_512))) {9409
+ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);9410
+ return 0;9411
+ }9412
+9413
+ EVP_Digest(msg_shake_128, sizeof(msg_shake_128), md, NULL, EVP_shake128(), NULL);9414
+ if (memcmp(dig_shake_128, md, sizeof(dig_shake_128))) {9415
+ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);9416
+ return 0;9417
+ }9418
+9419
+ EVP_Digest(msg_shake_256, sizeof(msg_shake_256), md, NULL, EVP_shake256(), NULL);9420
+ if (memcmp(dig_shake_256, md, sizeof(dig_shake_256))) {9421
+ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);9422
+ return 0;9423
+ }9424
+9425
+ return 1;9426
+}9427
+9428
+#endif9429
diff -up openssl-1.1.1j/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1j/crypto/fips/fips_standalone_hmac.c9430
--- openssl-1.1.1j/crypto/fips/fips_standalone_hmac.c.fips 2021-03-03 12:57:42.201734542 +01009431
+++ openssl-1.1.1j/crypto/fips/fips_standalone_hmac.c 2021-03-03 12:57:42.201734542 +01009432
9433
+/* ====================================================================9434
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.9435
+ *9436
+ * Redistribution and use in source and binary forms, with or without9437
+ * modification, are permitted provided that the following conditions9438
+ * are met:9439
+ *9440
+ * 1. Redistributions of source code must retain the above copyright9441
+ * notice, this list of conditions and the following disclaimer. 9442
+ *9443
+ * 2. Redistributions in binary form must reproduce the above copyright9444
+ * notice, this list of conditions and the following disclaimer in9445
+ * the documentation and/or other materials provided with the9446
+ * distribution.9447
+ *9448
+ * 3. All advertising materials mentioning features or use of this9449
+ * software must display the following acknowledgment:9450
+ * "This product includes software developed by the OpenSSL Project9451
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"9452
+ *9453
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to9454
+ * endorse or promote products derived from this software without9455
+ * prior written permission. For written permission, please contact9456
+ * openssl-core@openssl.org.9457
+ *9458
+ * 5. Products derived from this software may not be called "OpenSSL"9459
+ * nor may "OpenSSL" appear in their names without prior written9460
+ * permission of the OpenSSL Project.9461
+ *9462
+ * 6. Redistributions of any form whatsoever must retain the following9463
+ * acknowledgment:9464
+ * "This product includes software developed by the OpenSSL Project9465
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"9466
+ *9467
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY9468
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE9469
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR9470
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR9471
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,9472
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT9473
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;9474
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)9475
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,9476
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)9477
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED9478
+ * OF THE POSSIBILITY OF SUCH DAMAGE.9479
+ *9480
+ */9481
+9482
+#include <stdio.h>9483
+#include <stdlib.h>9484
+#include <string.h>9485
+#include <openssl/opensslconf.h>9486
+#include <openssl/hmac.h>9487
+#include <openssl/sha.h>9488
+9489
+int main(int argc, char **argv)9490
+{9491
+#ifdef OPENSSL_FIPS9492
+ static char key[] = "orboDeJITITejsirpADONivirpUkvarP";9493
+ int n, binary = 0;9494
+9495
+ if (argc < 2) {9496
+ fprintf(stderr, "%s [<file>]+\n", argv[0]);9497
+ exit(1);9498
+ }9499
+9500
+ n = 1;9501
+ if (!strcmp(argv[n], "-binary")) {9502
+ n++;9503
+ binary = 1; /* emit binary fingerprint... */9504
+ }9505
+9506
+ for (; n < argc; ++n) {9507
+ FILE *f = fopen(argv[n], "rb");9508
+ HMAC_CTX *hmac_ctx;9509
+ unsigned char mac[EVP_MAX_MD_SIZE];9510
+ unsigned int len;9511
+ unsigned int i;9512
+9513
+ if (!f) {9514
+ perror(argv[n]);9515
+ exit(2);9516
+ }9517
+ hmac_ctx = HMAC_CTX_new();9518
+ if (!hmac_ctx)9519
+ exit(3);9520
+9521
+ if (HMAC_Init_ex(hmac_ctx, key, strlen(key), EVP_sha256(), NULL) <= 0) {9522
+ fprintf(stderr, "HMAC SHA256 initialization failed.\n");9523
+ exit(4);9524
+ }9525
+9526
+ for (;;) {9527
+ unsigned char buf[1024];9528
+ size_t l = fread(buf, 1, sizeof buf, f);9529
+9530
+ if (l == 0) {9531
+ if (ferror(f)) {9532
+ perror(argv[n]);9533
+ exit(3);9534
+ } else9535
+ break;9536
+ }9537
+ if (HMAC_Update(hmac_ctx, buf, l) <= 0) {9538
+ fprintf(stderr, "HMAC_Update() failed.\n");9539
+ exit(4);9540
+ }9541
+ }9542
+ if (HMAC_Final(hmac_ctx, mac, &len) <= 0) {9543
+ fprintf(stderr, "HMAC_Final() failed.\n");9544
+ exit(4);9545
+ }9546
+9547
+ if (binary) {9548
+ fwrite(mac, len, 1, stdout);9549
+ break; /* ... for single(!) file */9550
+ }9551
+9552
+/* printf("HMAC-SHA1(%s)= ",argv[n]); */9553
+ for (i = 0; i < len; ++i)9554
+ printf("%02x", mac[i]);9555
+ printf("\n");9556
+ }9557
+#endif9558
+ return 0;9559
+}9560
diff -up openssl-1.1.1j/crypto/hmac/hmac.c.fips openssl-1.1.1j/crypto/hmac/hmac.c9561
--- openssl-1.1.1j/crypto/hmac/hmac.c.fips 2021-02-16 16:24:01.000000000 +01009562
+++ openssl-1.1.1j/crypto/hmac/hmac.c 2021-03-03 12:57:42.202734550 +01009563
9564
return 0;9565
9566
if (key != NULL) {9567
+#ifdef OPENSSL_FIPS9568
+ if (FIPS_mode() && !(EVP_MD_flags(md) & EVP_MD_FLAG_FIPS)9569
+ && (!EVP_MD_CTX_test_flags(ctx->md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)9570
+ || !EVP_MD_CTX_test_flags(ctx->i_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)9571
+ || !EVP_MD_CTX_test_flags(ctx->o_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))9572
+ goto err;9573
+#endif9574
reset = 1;9575
9576
j = EVP_MD_block_size(md);9577
diff -up openssl-1.1.1j/crypto/hmac/hm_pmeth.c.fips openssl-1.1.1j/crypto/hmac/hm_pmeth.c9578
--- openssl-1.1.1j/crypto/hmac/hm_pmeth.c.fips 2021-02-16 16:24:01.000000000 +01009579
+++ openssl-1.1.1j/crypto/hmac/hm_pmeth.c 2021-03-03 12:57:42.202734550 +01009580
9581
9582
const EVP_PKEY_METHOD hmac_pkey_meth = {9583
EVP_PKEY_HMAC,9584
- 0,9585
+ EVP_PKEY_FLAG_FIPS,9586
pkey_hmac_init,9587
pkey_hmac_copy,9588
pkey_hmac_cleanup,9589
diff -up openssl-1.1.1j/crypto/o_fips.c.fips openssl-1.1.1j/crypto/o_fips.c9590
--- openssl-1.1.1j/crypto/o_fips.c.fips 2021-02-16 16:24:01.000000000 +01009591
+++ openssl-1.1.1j/crypto/o_fips.c 2021-03-03 12:57:42.202734550 +01009592
9593
*/9594
9595
#include "internal/cryptlib.h"9596
+#include "crypto/fips.h"9597
9598
int FIPS_mode(void)9599
{9600
+#ifdef OPENSSL_FIPS9601
+ return FIPS_module_mode();9602
+#else9603
/* This version of the library does not support FIPS mode. */9604
return 0;9605
+#endif9606
}9607
9608
int FIPS_mode_set(int r)9609
{9610
+#ifdef OPENSSL_FIPS9611
+ if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */9612
+ return 1;9613
+ return FIPS_module_mode_set(r);9614
+#else9615
if (r == 0)9616
return 1;9617
CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED);9618
return 0;9619
+#endif9620
}9621
diff -up openssl-1.1.1j/crypto/o_init.c.fips openssl-1.1.1j/crypto/o_init.c9622
--- openssl-1.1.1j/crypto/o_init.c.fips 2021-02-16 16:24:01.000000000 +01009623
+++ openssl-1.1.1j/crypto/o_init.c 2021-03-03 12:57:42.202734550 +01009624
9625
* https://www.openssl.org/source/license.html9626
*/9627
9628
+/* for secure_getenv */9629
+#define _GNU_SOURCE9630
#include "e_os.h"9631
#include <openssl/err.h>9632
+#ifdef OPENSSL_FIPS9633
+# include <sys/types.h>9634
+# include <sys/stat.h>9635
+# include <fcntl.h>9636
+# include <unistd.h>9637
+# include <errno.h>9638
+# include <stdlib.h>9639
+# include <openssl/rand.h>9640
+# include <openssl/fips.h>9641
+# include "crypto/fips.h"9642
+9643
+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"9644
+9645
+static void init_fips_mode(void)9646
+{9647
+ char buf[2] = "0";9648
+ int fd;9649
+9650
+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {9651
+ buf[0] = '1';9652
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {9653
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;9654
+ close(fd);9655
+ }9656
+9657
+ if (buf[0] != '1' && !FIPS_module_installed())9658
+ return;9659
+9660
+ /* Ensure the selftests always run */9661
+ /* XXX: TO SOLVE - premature initialization due to selftests */9662
+ FIPS_mode_set(1);9663
+9664
+ /* Failure reading the fips mode switch file means just not9665
+ * switching into FIPS mode. We would break too many things9666
+ * otherwise..9667
+ */9668
+9669
+ if (buf[0] != '1') {9670
+ /* drop down to non-FIPS mode if it is not requested */9671
+ FIPS_mode_set(0);9672
+ } else {9673
+ /* abort if selftest failed */9674
+ FIPS_selftest_check();9675
+ }9676
+}9677
+9678
+/*9679
+ * Perform FIPS module power on selftest and automatic FIPS mode switch.9680
+ */9681
+9682
+void __attribute__ ((constructor)) OPENSSL_init_library(void)9683
+{9684
+ static int done = 0;9685
+ if (done)9686
+ return;9687
+ done = 1;9688
+ init_fips_mode();9689
+}9690
+#endif9691
9692
/*9693
* Perform any essential OpenSSL initialization operations. Currently does9694
diff -up openssl-1.1.1j/crypto/rand/rand_lib.c.fips openssl-1.1.1j/crypto/rand/rand_lib.c9695
--- openssl-1.1.1j/crypto/rand/rand_lib.c.fips 2021-02-16 16:24:01.000000000 +01009696
+++ openssl-1.1.1j/crypto/rand/rand_lib.c 2021-03-03 12:57:42.202734550 +01009697
9698
#include "internal/thread_once.h"9699
#include "rand_local.h"9700
#include "e_os.h"9701
+#ifdef OPENSSL_FIPS9702
+# include <openssl/fips.h>9703
+# include <openssl/fips_rand.h>9704
+#endif9705
9706
#ifndef OPENSSL_NO_ENGINE9707
/* non-NULL if default_RAND_meth is ENGINE-provided */9708
9709
return meth->status();9710
return 0;9711
}9712
+9713
+#ifdef OPENSSL_FIPS9714
+void RAND_set_fips_drbg_type(int type, int flags)9715
+{ /* just a stub for ABI compatibility */9716
+}9717
+9718
+int RAND_init_fips(void)9719
+{9720
+ /* just a stub for ABI compatibility */9721
+ return 1;9722
+}9723
+#endif9724
diff -up openssl-1.1.1j/crypto/rsa/rsa_crpt.c.fips openssl-1.1.1j/crypto/rsa/rsa_crpt.c9725
--- openssl-1.1.1j/crypto/rsa/rsa_crpt.c.fips 2021-02-16 16:24:01.000000000 +01009726
+++ openssl-1.1.1j/crypto/rsa/rsa_crpt.c 2021-03-03 12:57:42.202734550 +01009727
9728
int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,9729
RSA *rsa, int padding)9730
{9731
+#ifdef OPENSSL_FIPS9732
+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)9733
+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {9734
+ RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);9735
+ return -1;9736
+ }9737
+#endif9738
return rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding);9739
}9740
9741
int RSA_private_encrypt(int flen, const unsigned char *from,9742
unsigned char *to, RSA *rsa, int padding)9743
{9744
+#ifdef OPENSSL_FIPS9745
+ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {9746
+ RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT,9747
+ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);9748
+ return -1;9749
+ }9750
+#endif9751
return rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding);9752
}9753
9754
int RSA_private_decrypt(int flen, const unsigned char *from,9755
unsigned char *to, RSA *rsa, int padding)9756
{9757
+#ifdef OPENSSL_FIPS9758
+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)9759
+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {9760
+ RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);9761
+ return -1;9762
+ }9763
+#endif9764
return rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding);9765
}9766
9767
int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,9768
RSA *rsa, int padding)9769
{9770
+#ifdef OPENSSL_FIPS9771
+ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {9772
+ RSAerr(RSA_F_RSA_PUBLIC_DECRYPT,9773
+ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);9774
+ return -1;9775
+ }9776
+#endif9777
return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding);9778
}9779
9780
diff -up openssl-1.1.1j/crypto/rsa/rsa_err.c.fips openssl-1.1.1j/crypto/rsa/rsa_err.c9781
--- openssl-1.1.1j/crypto/rsa/rsa_err.c.fips 2021-02-16 16:24:01.000000000 +01009782
+++ openssl-1.1.1j/crypto/rsa/rsa_err.c 2021-03-03 12:57:42.202734550 +01009783
9784
static const ERR_STRING_DATA RSA_str_functs[] = {9785
{ERR_PACK(ERR_LIB_RSA, RSA_F_CHECK_PADDING_MD, 0), "check_padding_md"},9786
{ERR_PACK(ERR_LIB_RSA, RSA_F_ENCODE_PKCS1, 0), "encode_pkcs1"},9787
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_FIPS_RSA_BUILTIN_KEYGEN, 0),9788
+ "fips_rsa_builtin_keygen"},9789
{ERR_PACK(ERR_LIB_RSA, RSA_F_INT_RSA_VERIFY, 0), "int_rsa_verify"},9790
{ERR_PACK(ERR_LIB_RSA, RSA_F_OLD_RSA_PRIV_DECODE, 0),9791
"old_rsa_priv_decode"},9792
9793
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CHECK_KEY_EX, 0), "RSA_check_key_ex"},9794
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_DECRYPT, 0), "rsa_cms_decrypt"},9795
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_VERIFY, 0), "rsa_cms_verify"},9796
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_KEY_EX, 0), "RSA_generate_key_ex"},9797
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, 0),9798
+ "RSA_generate_multi_prime_key"},9799
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_ITEM_VERIFY, 0), "rsa_item_verify"},9800
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_METH_DUP, 0), "RSA_meth_dup"},9801
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_METH_NEW, 0), "RSA_meth_new"},9802
9803
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRINT_FP, 0), "RSA_print_fp"},9804
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_DECODE, 0), "rsa_priv_decode"},9805
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_ENCODE, 0), "rsa_priv_encode"},9806
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_DECRYPT, 0), "RSA_private_decrypt"},9807
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_ENCRYPT, 0), "RSA_private_encrypt"},9808
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_GET_PARAM, 0), "rsa_pss_get_param"},9809
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_TO_CTX, 0), "rsa_pss_to_ctx"},9810
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUB_DECODE, 0), "rsa_pub_decode"},9811
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_DECRYPT, 0), "RSA_public_decrypt"},9812
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_ENCRYPT, 0), "RSA_public_encrypt"},9813
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SETUP_BLINDING, 0), "RSA_setup_blinding"},9814
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN, 0), "RSA_sign"},9815
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN_ASN1_OCTET_STRING, 0),9816
9817
"RSA_verify_ASN1_OCTET_STRING"},9818
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, 0),9819
"RSA_verify_PKCS1_PSS_mgf1"},9820
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_DEFAULT_METHOD, 0), "RSA_set_default_method"},9821
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_METHOD, 0), "RSA_set_method"},9822
{ERR_PACK(ERR_LIB_RSA, RSA_F_SETUP_TBUF, 0), "setup_tbuf"},9823
{0, NULL}9824
};9825
9826
"mp exponent not congruent to d"},9827
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_R_NOT_PRIME), "mp r not prime"},9828
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NO_PUBLIC_EXPONENT), "no public exponent"},9829
+ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NON_FIPS_RSA_METHOD), "non FIPS rsa method"},9830
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NULL_BEFORE_BLOCK_MISSING),9831
"null before block missing"},9832
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES),9833
9834
"n does not equal p q"},9835
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OAEP_DECODING_ERROR),9836
"oaep decoding error"},9837
+ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE),9838
+ "operation not allowed in FIPS mode"},9839
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),9840
"operation not supported for this keytype"},9841
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_PADDING_CHECK_FAILED),9842
9843
"unsupported mask algorithm"},9844
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_MASK_PARAMETER),9845
"unsupported mask parameter"},9846
+ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_PARAMETERS),9847
+ "unsupported parameters"},9848
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_SIGNATURE_TYPE),9849
"unsupported signature type"},9850
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_VALUE_MISSING), "value missing"},9851
diff -up openssl-1.1.1j/crypto/rsa/rsa_gen.c.fips openssl-1.1.1j/crypto/rsa/rsa_gen.c9852
--- openssl-1.1.1j/crypto/rsa/rsa_gen.c.fips 2021-02-16 16:24:01.000000000 +01009853
+++ openssl-1.1.1j/crypto/rsa/rsa_gen.c 2021-03-03 12:57:42.202734550 +01009854
9855
#include "internal/cryptlib.h"9856
#include <openssl/bn.h>9857
#include "rsa_local.h"9858
+#ifdef OPENSSL_FIPS9859
+# include <openssl/fips.h>9860
+# include "crypto/fips.h"9861
+9862
+int fips_check_rsa(RSA *rsa)9863
+{9864
+ const unsigned char tbs[] = "RSA Pairwise Check Data";9865
+ unsigned char *ctbuf = NULL, *ptbuf = NULL;9866
+ int len, ret = 0;9867
+ EVP_PKEY *pk;9868
+9869
+ if ((pk = EVP_PKEY_new()) == NULL)9870
+ goto err;9871
+9872
+ EVP_PKEY_set1_RSA(pk, rsa);9873
+9874
+ /* Perform pairwise consistency signature test */9875
+ if (!fips_pkey_signature_test(pk, tbs, -1,9876
+ NULL, 0, EVP_sha256(),9877
+ EVP_MD_CTX_FLAG_PAD_PKCS1, NULL)9878
+ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha256(),9879
+ EVP_MD_CTX_FLAG_PAD_PSS, NULL))9880
+ goto err;9881
+ /* Now perform pairwise consistency encrypt/decrypt test */9882
+ ctbuf = OPENSSL_malloc(RSA_size(rsa));9883
+ if (!ctbuf)9884
+ goto err;9885
+9886
+ len =9887
+ RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa,9888
+ RSA_PKCS1_PADDING);9889
+ if (len <= 0)9890
+ goto err;9891
+ /* Check ciphertext doesn't match plaintext */9892
+ if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len))9893
+ goto err;9894
+ ptbuf = OPENSSL_malloc(RSA_size(rsa));9895
+9896
+ if (!ptbuf)9897
+ goto err;9898
+ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);9899
+ if (len != (sizeof(tbs) - 1))9900
+ goto err;9901
+ if (memcmp(ptbuf, tbs, len))9902
+ goto err;9903
+9904
+ ret = 1;9905
+9906
+ if (!ptbuf)9907
+ goto err;9908
+9909
+ err:9910
+ if (ret == 0) {9911
+ fips_set_selftest_fail();9912
+ FIPSerr(FIPS_F_FIPS_CHECK_RSA, FIPS_R_PAIRWISE_TEST_FAILED);9913
+ }9914
+9915
+ if (ctbuf)9916
+ OPENSSL_free(ctbuf);9917
+ if (ptbuf)9918
+ OPENSSL_free(ptbuf);9919
+ if (pk)9920
+ EVP_PKEY_free(pk);9921
+9922
+ return ret;9923
+}9924
+9925
+static int fips_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,9926
+ BN_GENCB *cb);9927
+#endif9928
9929
static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,9930
BN_GENCB *cb);9931
9932
*/9933
int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)9934
{9935
+#ifdef OPENSSL_FIPS9936
+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)9937
+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {9938
+ RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);9939
+ return 0;9940
+ }9941
+#endif9942
if (rsa->meth->rsa_keygen != NULL)9943
return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);9944
9945
9946
int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes,9947
BIGNUM *e_value, BN_GENCB *cb)9948
{9949
+#ifdef OPENSSL_FIPS9950
+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)9951
+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {9952
+ RSAerr(RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, RSA_R_NON_FIPS_RSA_METHOD);9953
+ return 0;9954
+ }9955
+#endif9956
/* multi-prime is only supported with the builtin key generation */9957
if (rsa->meth->rsa_multi_prime_keygen != NULL) {9958
return rsa->meth->rsa_multi_prime_keygen(rsa, bits, primes,9959
9960
else9961
return 0;9962
}9963
-9964
+#ifdef OPENSSL_FIPS9965
+ if (FIPS_mode()) {9966
+ if (primes != 2) {9967
+ RSAerr(RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, RSA_R_UNSUPPORTED_PARAMETERS);9968
+ return 0;9969
+ }9970
+ return fips_rsa_builtin_keygen(rsa, bits, e_value, cb);9971
+ }9972
+#endif9973
return rsa_builtin_keygen(rsa, bits, primes, e_value, cb);9974
}9975
9976
+#ifdef OPENSSL_FIPS9977
+static int fips_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,9978
+ BN_GENCB *cb)9979
+{9980
+ BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;9981
+ BN_CTX *ctx = NULL;9982
+ int ok = -1;9983
+ int i;9984
+ int n = 0;9985
+ int test = 0;9986
+ int pbits = bits / 2;9987
+ unsigned long error = 0;9988
+9989
+ if (FIPS_selftest_failed()) {9990
+ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED);9991
+ return 0;9992
+ }9993
+9994
+ if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS9995
+ || (getenv("OPENSSL_ENFORCE_MODULUS_BITS") && bits < 2048)) {9996
+ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_KEY_TOO_SHORT);9997
+ return 0;9998
+ }9999
+ if ((pbits & 0xFF) != 0) {10000
+ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_INVALID_KEY_LENGTH);10001
+ return 0;10002
+ }10003
+10004
+ ctx = BN_CTX_new();10005
+ if (ctx == NULL)10006
+ goto err;10007
+ BN_CTX_start(ctx);10008
+ r0 = BN_CTX_get(ctx);10009
+ r1 = BN_CTX_get(ctx);10010
+ r2 = BN_CTX_get(ctx);10011
+ r3 = BN_CTX_get(ctx);10012
+10013
+ if (r3 == NULL)10014
+ goto err;10015
+10016
+ /* We need the RSA components non-NULL */10017
+ if (!rsa->n && ((rsa->n = BN_new()) == NULL))10018
+ goto err;10019
+ if (!rsa->d && ((rsa->d = BN_secure_new()) == NULL))10020
+ goto err;10021
+ if (!rsa->e && ((rsa->e = BN_new()) == NULL))10022
+ goto err;10023
+ if (!rsa->p && ((rsa->p = BN_secure_new()) == NULL))10024
+ goto err;10025
+ if (!rsa->q && ((rsa->q = BN_secure_new()) == NULL))10026
+ goto err;10027
+ if (!rsa->dmp1 && ((rsa->dmp1 = BN_secure_new()) == NULL))10028
+ goto err;10029
+ if (!rsa->dmq1 && ((rsa->dmq1 = BN_secure_new()) == NULL))10030
+ goto err;10031
+ if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))10032
+ goto err;10033
+10034
+ if (!BN_set_word(r0, RSA_F4))10035
+ goto err;10036
+ if (BN_cmp(e_value, r0) < 0 || BN_num_bits(e_value) > 256) {10037
+ ok = 0; /* we set our own err */10038
+ RSAerr(RSA_F_FIPS_RSA_BUILTIN_KEYGEN, RSA_R_BAD_E_VALUE);10039
+ goto err;10040
+ }10041
+10042
+ /* prepare approximate minimum p and q */10043
+ if (!BN_set_word(r0, 0xB504F334))10044
+ goto err;10045
+ if (!BN_lshift(r0, r0, pbits - 32))10046
+ goto err;10047
+10048
+ /* prepare minimum p and q difference */10049
+ if (!BN_one(r3))10050
+ goto err;10051
+ if (!BN_lshift(r3, r3, pbits - 100))10052
+ goto err;10053
+10054
+ BN_copy(rsa->e, e_value);10055
+10056
+ if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q))10057
+ test = 1;10058
+10059
+ BN_set_flags(r0, BN_FLG_CONSTTIME);10060
+ BN_set_flags(r1, BN_FLG_CONSTTIME);10061
+ BN_set_flags(r2, BN_FLG_CONSTTIME);10062
+ BN_set_flags(rsa->p, BN_FLG_CONSTTIME);10063
+ BN_set_flags(rsa->q, BN_FLG_CONSTTIME);10064
+10065
+ retry:10066
+ /* generate p and q */10067
+ for (i = 0; i < 5 * pbits; i++) {10068
+ ploop:10069
+ if (!test)10070
+ if (!BN_rand(rsa->p, pbits, 0, 1))10071
+ goto err;10072
+ if (BN_cmp(rsa->p, r0) < 0) {10073
+ if (test)10074
+ goto err;10075
+ goto ploop;10076
+ }10077
+10078
+ if (!BN_sub(r2, rsa->p, BN_value_one()))10079
+ goto err;10080
+ ERR_set_mark();10081
+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {10082
+ /* GCD == 1 since inverse exists */10083
+ int r;10084
+ r = BN_is_prime_fasttest_ex(rsa->p, pbits > 1024 ? 4 : 5, ctx, 0,10085
+ cb);10086
+ if (r == -1 || (test && r <= 0))10087
+ goto err;10088
+ if (r > 0)10089
+ break;10090
+ } else {10091
+ error = ERR_peek_last_error();10092
+ if (ERR_GET_LIB(error) == ERR_LIB_BN10093
+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {10094
+ /* GCD != 1 */10095
+ ERR_pop_to_mark();10096
+ } else {10097
+ goto err;10098
+ }10099
+ }10100
+ if (!BN_GENCB_call(cb, 2, n++))10101
+ goto err;10102
+ }10103
+10104
+ if (!BN_GENCB_call(cb, 3, 0))10105
+ goto err;10106
+10107
+ if (i >= 5 * pbits)10108
+ /* prime not found */10109
+ goto err;10110
+10111
+ for (i = 0; i < 5 * pbits; i++) {10112
+ qloop:10113
+ if (!test)10114
+ if (!BN_rand(rsa->q, pbits, 0, 1))10115
+ goto err;10116
+ if (BN_cmp(rsa->q, r0) < 0) {10117
+ if (test)10118
+ goto err;10119
+ goto qloop;10120
+ }10121
+ if (!BN_sub(r2, rsa->q, rsa->p))10122
+ goto err;10123
+ if (BN_ucmp(r2, r3) <= 0) {10124
+ if (test)10125
+ goto err;10126
+ goto qloop;10127
+ }10128
+10129
+ if (!BN_sub(r2, rsa->q, BN_value_one()))10130
+ goto err;10131
+ ERR_set_mark();10132
+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {10133
+ /* GCD == 1 since inverse exists */10134
+ int r;10135
+ r = BN_is_prime_fasttest_ex(rsa->q, pbits > 1024 ? 4 : 5, ctx, 0,10136
+ cb);10137
+ if (r == -1 || (test && r <= 0))10138
+ goto err;10139
+ if (r > 0)10140
+ break;10141
+ } else {10142
+ error = ERR_peek_last_error();10143
+ if (ERR_GET_LIB(error) == ERR_LIB_BN10144
+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {10145
+ /* GCD != 1 */10146
+ ERR_pop_to_mark();10147
+ } else {10148
+ goto err;10149
+ }10150
+ }10151
+ if (!BN_GENCB_call(cb, 2, n++))10152
+ goto err;10153
+ }10154
+10155
+ if (!BN_GENCB_call(cb, 3, 1))10156
+ goto err;10157
+10158
+ if (i >= 5 * pbits)10159
+ /* prime not found */10160
+ goto err;10161
+10162
+ if (test) {10163
+ /* do not try to calculate the remaining key values */10164
+ BN_clear(rsa->n);10165
+ ok = 1;10166
+ goto err;10167
+ }10168
+10169
+ if (BN_cmp(rsa->p, rsa->q) < 0) {10170
+ tmp = rsa->p;10171
+ rsa->p = rsa->q;10172
+ rsa->q = tmp;10173
+ }10174
+10175
+ /* calculate n */10176
+ if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))10177
+ goto err;10178
+10179
+ /* calculate d */10180
+ if (!BN_sub(r1, rsa->p, BN_value_one()))10181
+ goto err; /* p-1 */10182
+ if (!BN_sub(r2, rsa->q, BN_value_one()))10183
+ goto err; /* q-1 */10184
+10185
+ /* note that computing gcd is not safe to timing attacks */10186
+ if (!BN_gcd(r0, r1, r2, ctx))10187
+ goto err;10188
+10189
+ {10190
+ if (!BN_div(r0, NULL, r1, r0, ctx))10191
+ goto err;10192
+10193
+ if (!BN_mul(r0, r0, r2, ctx)) /* lcm(p-1, q-1) */10194
+ goto err;10195
+10196
+ if (!BN_mod_inverse(rsa->d, rsa->e, r0, ctx)) /* d */10197
+ goto err;10198
+ }10199
+10200
+ if (BN_num_bits(rsa->d) < pbits)10201
+ goto retry; /* d is too small */10202
+10203
+ {10204
+ BIGNUM *d = BN_new();10205
+10206
+ if (d == NULL)10207
+ goto err;10208
+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);10209
+10210
+ if (/* calculate d mod (p-1) */10211
+ !BN_mod(rsa->dmp1, d, r1, ctx)10212
+ /* calculate d mod (q-1) */10213
+ || !BN_mod(rsa->dmq1, d, r2, ctx)) {10214
+ BN_free(d);10215
+ goto err;10216
+ }10217
+ /* We MUST free d before any further use of rsa->d */10218
+ BN_free(d);10219
+ }10220
+10221
+ /* calculate inverse of q mod p */10222
+ if (!BN_mod_inverse(rsa->iqmp, rsa->q, rsa->p, ctx))10223
+ goto err;10224
+10225
+ if (!fips_check_rsa(rsa))10226
+ goto err;10227
+10228
+ ok = 1;10229
+ err:10230
+ if (ok == -1) {10231
+ RSAerr(RSA_F_FIPS_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);10232
+ ok = 0;10233
+ }10234
+ if (ctx != NULL) {10235
+ BN_CTX_end(ctx);10236
+ BN_CTX_free(ctx);10237
+ }10238
+10239
+ return ok;10240
+}10241
+#endif10242
+10243
static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,10244
BN_GENCB *cb)10245
{10246
diff -up openssl-1.1.1j/crypto/rsa/rsa_lib.c.fips openssl-1.1.1j/crypto/rsa/rsa_lib.c10247
--- openssl-1.1.1j/crypto/rsa/rsa_lib.c.fips 2021-02-16 16:24:01.000000000 +010010248
+++ openssl-1.1.1j/crypto/rsa/rsa_lib.c 2021-03-03 12:57:42.203734558 +010010249
10250
* to deal with which ENGINE it comes from.10251
*/10252
const RSA_METHOD *mtmp;10253
+#ifdef OPENSSL_FIPS10254
+ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) {10255
+ RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_RSA_METHOD);10256
+ return 0;10257
+ }10258
+#endif10259
mtmp = rsa->meth;10260
if (mtmp->finish)10261
mtmp->finish(rsa);10262
10263
10264
ret->meth = RSA_get_default_method();10265
#ifndef OPENSSL_NO_ENGINE10266
- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;10267
if (engine) {10268
if (!ENGINE_init(engine)) {10269
RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);10270
10271
}10272
}10273
#endif10274
+#ifdef OPENSSL_FIPS10275
+ if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD)) {10276
+ RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_RSA_METHOD);10277
+# ifndef OPENSSL_NO_ENGINE10278
+ if (ret->engine)10279
+ ENGINE_finish(ret->engine);10280
+# endif10281
+ OPENSSL_free(ret);10282
+ return NULL;10283
+ }10284
+#endif10285
10286
- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;10287
+ ret->flags = ret->meth->flags;10288
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {10289
goto err;10290
}10291
diff -up openssl-1.1.1j/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1j/crypto/rsa/rsa_ossl.c10292
--- openssl-1.1.1j/crypto/rsa/rsa_ossl.c.fips 2021-02-16 16:24:01.000000000 +010010293
+++ openssl-1.1.1j/crypto/rsa/rsa_ossl.c 2021-03-03 12:57:42.203734558 +010010294
10295
#include "rsa_local.h"10296
#include "internal/constant_time.h"10297
10298
+#ifdef OPENSSL_FIPS10299
+# include <openssl/fips.h>10300
+#endif10301
+10302
static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,10303
unsigned char *to, RSA *rsa, int padding);10304
static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,10305
10306
10307
void RSA_set_default_method(const RSA_METHOD *meth)10308
{10309
+#ifdef OPENSSL_FIPS10310
+ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) {10311
+ RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_RSA_METHOD);10312
+ return;10313
+ }10314
+#endif10315
default_RSA_meth = meth;10316
}10317
10318
10319
unsigned char *buf = NULL;10320
BN_CTX *ctx = NULL;10321
10322
+# ifdef OPENSSL_FIPS10323
+ if (FIPS_mode()) {10324
+ if (FIPS_selftest_failed()) {10325
+ FIPSerr(FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT,10326
+ FIPS_R_FIPS_SELFTEST_FAILED);10327
+ goto err;10328
+ }10329
+10330
+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)10331
+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {10332
+ RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);10333
+ return -1;10334
+ }10335
+ }10336
+# endif10337
+10338
if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {10339
RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);10340
return -1;10341
10342
BIGNUM *unblind = NULL;10343
BN_BLINDING *blinding = NULL;10344
10345
+# ifdef OPENSSL_FIPS10346
+ if (FIPS_mode()) {10347
+ if (FIPS_selftest_failed()) {10348
+ FIPSerr(FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT,10349
+ FIPS_R_FIPS_SELFTEST_FAILED);10350
+ return -1;10351
+ }10352
+10353
+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)10354
+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {10355
+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);10356
+ return -1;10357
+ }10358
+ }10359
+# endif10360
+10361
if ((ctx = BN_CTX_new()) == NULL)10362
goto err;10363
BN_CTX_start(ctx);10364
10365
BIGNUM *unblind = NULL;10366
BN_BLINDING *blinding = NULL;10367
10368
+# ifdef OPENSSL_FIPS10369
+ if (FIPS_mode()) {10370
+ if (FIPS_selftest_failed()) {10371
+ FIPSerr(FIPS_F_RSA_OSSL_PRIVATE_DECRYPT,10372
+ FIPS_R_FIPS_SELFTEST_FAILED);10373
+ return -1;10374
+ }10375
+10376
+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)10377
+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {10378
+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);10379
+ return -1;10380
+ }10381
+ }10382
+# endif10383
+10384
if ((ctx = BN_CTX_new()) == NULL)10385
goto err;10386
BN_CTX_start(ctx);10387
10388
unsigned char *buf = NULL;10389
BN_CTX *ctx = NULL;10390
10391
+# ifdef OPENSSL_FIPS10392
+ if (FIPS_mode()) {10393
+ if (FIPS_selftest_failed()) {10394
+ FIPSerr(FIPS_F_RSA_OSSL_PUBLIC_DECRYPT,10395
+ FIPS_R_FIPS_SELFTEST_FAILED);10396
+ goto err;10397
+ }10398
+10399
+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)10400
+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {10401
+ RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);10402
+ return -1;10403
+ }10404
+ }10405
+# endif10406
+10407
if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {10408
RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);10409
return -1;10410
diff -up openssl-1.1.1j/crypto/rsa/rsa_pmeth.c.fips openssl-1.1.1j/crypto/rsa/rsa_pmeth.c10411
--- openssl-1.1.1j/crypto/rsa/rsa_pmeth.c.fips 2021-02-16 16:24:01.000000000 +010010412
+++ openssl-1.1.1j/crypto/rsa/rsa_pmeth.c 2021-03-03 12:57:42.203734558 +010010413
10414
10415
const EVP_PKEY_METHOD rsa_pkey_meth = {10416
EVP_PKEY_RSA,10417
- EVP_PKEY_FLAG_AUTOARGLEN,10418
+ EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS,10419
pkey_rsa_init,10420
pkey_rsa_copy,10421
pkey_rsa_cleanup,10422
10423
10424
const EVP_PKEY_METHOD rsa_pss_pkey_meth = {10425
EVP_PKEY_RSA_PSS,10426
- EVP_PKEY_FLAG_AUTOARGLEN,10427
+ EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS,10428
pkey_rsa_init,10429
pkey_rsa_copy,10430
pkey_rsa_cleanup,10431
diff -up openssl-1.1.1j/crypto/rsa/rsa_sign.c.fips openssl-1.1.1j/crypto/rsa/rsa_sign.c10432
--- openssl-1.1.1j/crypto/rsa/rsa_sign.c.fips 2021-02-16 16:24:01.000000000 +010010433
+++ openssl-1.1.1j/crypto/rsa/rsa_sign.c 2021-03-03 12:57:42.203734558 +010010434
10435
unsigned char *tmps = NULL;10436
const unsigned char *encoded = NULL;10437
10438
+#ifdef OPENSSL_FIPS10439
+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)10440
+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {10441
+ RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD);10442
+ return 0;10443
+ }10444
+#endif10445
if (rsa->meth->rsa_sign) {10446
return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);10447
}10448
10449
RSAerr(RSA_F_RSA_SIGN, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);10450
goto err;10451
}10452
- encrypt_len = RSA_private_encrypt(encoded_len, encoded, sigret, rsa,10453
- RSA_PKCS1_PADDING);10454
+ /* NB: call underlying method directly to avoid FIPS blocking */10455
+ encrypt_len = rsa->meth->rsa_priv_enc ? rsa->meth->rsa_priv_enc(encoded_len, encoded, sigret, rsa,10456
+ RSA_PKCS1_PADDING) : 0;10457
if (encrypt_len <= 0)10458
goto err;10459
10460
diff -up openssl-1.1.1j/crypto/sha/sha256.c.fips openssl-1.1.1j/crypto/sha/sha256.c10461
--- openssl-1.1.1j/crypto/sha/sha256.c.fips 2021-02-16 16:24:01.000000000 +010010462
+++ openssl-1.1.1j/crypto/sha/sha256.c 2021-03-03 12:57:42.203734558 +010010463
10464
10465
int SHA224_Init(SHA256_CTX *c)10466
{10467
+# ifdef OPENSSL_FIPS10468
+ FIPS_selftest_check();10469
+# endif10470
memset(c, 0, sizeof(*c));10471
c->h[0] = 0xc1059ed8UL;10472
c->h[1] = 0x367cd507UL;10473
10474
10475
int SHA256_Init(SHA256_CTX *c)10476
{10477
+# ifdef OPENSSL_FIPS10478
+ FIPS_selftest_check();10479
+# endif10480
memset(c, 0, sizeof(*c));10481
c->h[0] = 0x6a09e667UL;10482
c->h[1] = 0xbb67ae85UL;10483
diff -up openssl-1.1.1j/crypto/sha/sha512.c.fips openssl-1.1.1j/crypto/sha/sha512.c10484
--- openssl-1.1.1j/crypto/sha/sha512.c.fips 2021-02-16 16:24:01.000000000 +010010485
+++ openssl-1.1.1j/crypto/sha/sha512.c 2021-03-03 12:57:42.203734558 +010010486
10487
10488
int SHA384_Init(SHA512_CTX *c)10489
{10490
+# ifdef OPENSSL_FIPS10491
+ FIPS_selftest_check();10492
+# endif10493
c->h[0] = U64(0xcbbb9d5dc1059ed8);10494
c->h[1] = U64(0x629a292a367cd507);10495
c->h[2] = U64(0x9159015a3070dd17);10496
10497
10498
int SHA512_Init(SHA512_CTX *c)10499
{10500
+# ifdef OPENSSL_FIPS10501
+ FIPS_selftest_check();10502
+# endif10503
c->h[0] = U64(0x6a09e667f3bcc908);10504
c->h[1] = U64(0xbb67ae8584caa73b);10505
c->h[2] = U64(0x3c6ef372fe94f82b);10506
diff -up openssl-1.1.1j/crypto/sha/sha_local.h.fips openssl-1.1.1j/crypto/sha/sha_local.h10507
--- openssl-1.1.1j/crypto/sha/sha_local.h.fips 2021-03-03 12:57:41.941732391 +010010508
+++ openssl-1.1.1j/crypto/sha/sha_local.h 2021-03-03 12:57:42.203734558 +010010509
10510
10511
int HASH_INIT(SHA_CTX *c)10512
{10513
+#if defined(OPENSSL_FIPS)10514
+ FIPS_selftest_check();10515
+#endif10516
memset(c, 0, sizeof(*c));10517
c->h0 = INIT_DATA_h0;10518
c->h1 = INIT_DATA_h1;10519
diff -up openssl-1.1.1j/doc/man3/DSA_generate_parameters.pod.fips openssl-1.1.1j/doc/man3/DSA_generate_parameters.pod10520
--- openssl-1.1.1j/doc/man3/DSA_generate_parameters.pod.fips 2021-02-16 16:24:01.000000000 +010010521
+++ openssl-1.1.1j/doc/man3/DSA_generate_parameters.pod 2021-03-03 12:57:42.203734558 +010010522
10523
For lengths under 2048 bits, the length of q is 160 bits; for lengths10524
greater than or equal to 2048 bits, the length of q is set to 256 bits.10525
10526
-If B<seed> is NULL, the primes will be generated at random.10527
-If B<seed_len> is less than the length of q, an error is returned.10528
+If B<seed> is NULL, or it does not generate primes, the primes will be10529
+generated at random.10530
+If B<seed_len> is less than the length of q, an error is returned10531
+if old DSA parameter generation method is used as a backend.10532
10533
DSA_generate_parameters_ex() places the iteration count in10534
*B<counter_ret> and a counter used for finding a generator in10535
diff -up openssl-1.1.1j/include/crypto/fips.h.fips openssl-1.1.1j/include/crypto/fips.h10536
--- openssl-1.1.1j/include/crypto/fips.h.fips 2021-03-03 12:57:42.202734550 +010010537
+++ openssl-1.1.1j/include/crypto/fips.h 2021-03-03 12:57:42.202734550 +010010538
10539
+/* ====================================================================10540
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.10541
+ *10542
+ * Redistribution and use in source and binary forms, with or without10543
+ * modification, are permitted provided that the following conditions10544
+ * are met:10545
+ *10546
+ * 1. Redistributions of source code must retain the above copyright10547
+ * notice, this list of conditions and the following disclaimer. 10548
+ *10549
+ * 2. Redistributions in binary form must reproduce the above copyright10550
+ * notice, this list of conditions and the following disclaimer in10551
+ * the documentation and/or other materials provided with the10552
+ * distribution.10553
+ *10554
+ * 3. All advertising materials mentioning features or use of this10555
+ * software must display the following acknowledgment:10556
+ * "This product includes software developed by the OpenSSL Project10557
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"10558
+ *10559
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to10560
+ * endorse or promote products derived from this software without10561
+ * prior written permission. For written permission, please contact10562
+ * openssl-core@openssl.org.10563
+ *10564
+ * 5. Products derived from this software may not be called "OpenSSL"10565
+ * nor may "OpenSSL" appear in their names without prior written10566
+ * permission of the OpenSSL Project.10567
+ *10568
+ * 6. Redistributions of any form whatsoever must retain the following10569
+ * acknowledgment:10570
+ * "This product includes software developed by the OpenSSL Project10571
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"10572
+ *10573
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY10574
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE10575
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR10576
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR10577
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,10578
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT10579
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;10580
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)10581
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,10582
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)10583
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED10584
+ * OF THE POSSIBILITY OF SUCH DAMAGE.10585
+ *10586
+ */10587
+10588
+#include <openssl/opensslconf.h>10589
+#include <openssl/evp.h>10590
+10591
+#ifndef OPENSSL_FIPS10592
+# error FIPS is disabled.10593
+#endif10594
+10595
+#ifdef OPENSSL_FIPS10596
+10597
+int FIPS_module_mode_set(int onoff);10598
+int FIPS_module_mode(void);10599
+int FIPS_module_installed(void);10600
+int FIPS_selftest_sha1(void);10601
+int FIPS_selftest_sha2(void);10602
+int FIPS_selftest_sha3(void);10603
+int FIPS_selftest_aes_ccm(void);10604
+int FIPS_selftest_aes_gcm(void);10605
+int FIPS_selftest_aes_xts(void);10606
+int FIPS_selftest_aes(void);10607
+int FIPS_selftest_des(void);10608
+int FIPS_selftest_rsa(void);10609
+int FIPS_selftest_dsa(void);10610
+int FIPS_selftest_ecdsa(void);10611
+int FIPS_selftest_ecdh(void);10612
+int FIPS_selftest_dh(void);10613
+void FIPS_drbg_stick(int onoff);10614
+int FIPS_selftest_hmac(void);10615
+int FIPS_selftest_drbg(void);10616
+int FIPS_selftest_cmac(void);10617
+10618
+int fips_pkey_signature_test(EVP_PKEY *pkey,10619
+ const unsigned char *tbs, int tbslen,10620
+ const unsigned char *kat,10621
+ unsigned int katlen,10622
+ const EVP_MD *digest,10623
+ unsigned int md_flags, const char *fail_str);10624
+10625
+int fips_cipher_test(EVP_CIPHER_CTX *ctx,10626
+ const EVP_CIPHER *cipher,10627
+ const unsigned char *key,10628
+ const unsigned char *iv,10629
+ const unsigned char *plaintext,10630
+ const unsigned char *ciphertext, int len);10631
+10632
+void fips_set_selftest_fail(void);10633
+10634
+void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);10635
+10636
+#endif10637
diff -up openssl-1.1.1j/include/openssl/crypto.h.fips openssl-1.1.1j/include/openssl/crypto.h10638
--- openssl-1.1.1j/include/openssl/crypto.h.fips 2021-02-16 16:24:01.000000000 +010010639
+++ openssl-1.1.1j/include/openssl/crypto.h 2021-03-03 12:57:42.204734567 +010010640
10641
int FIPS_mode(void);10642
int FIPS_mode_set(int r);10643
10644
+# ifdef OPENSSL_FIPS10645
+/* die if FIPS selftest failed */10646
+void FIPS_selftest_check(void);10647
+# endif10648
+10649
void OPENSSL_init(void);10650
# ifdef OPENSSL_SYS_UNIX10651
void OPENSSL_fork_prepare(void);10652
diff -up openssl-1.1.1j/include/openssl/dherr.h.fips openssl-1.1.1j/include/openssl/dherr.h10653
--- openssl-1.1.1j/include/openssl/dherr.h.fips 2021-02-16 16:24:01.000000000 +010010654
+++ openssl-1.1.1j/include/openssl/dherr.h 2021-03-03 12:57:42.204734567 +010010655
10656
# define DH_F_DH_CMS_DECRYPT 11410657
# define DH_F_DH_CMS_SET_PEERKEY 11510658
# define DH_F_DH_CMS_SET_SHARED_INFO 11610659
+# define DH_F_DH_COMPUTE_KEY 20310660
+# define DH_F_DH_GENERATE_KEY 20210661
+# define DH_F_DH_GENERATE_PARAMETERS_EX 20110662
# define DH_F_DH_METH_DUP 11710663
# define DH_F_DH_METH_NEW 11810664
# define DH_F_DH_METH_SET1_NAME 11910665
10666
# define DH_R_INVALID_PARAMETER_NID 11410667
# define DH_R_INVALID_PUBKEY 10210668
# define DH_R_KDF_PARAMETER_ERROR 11210669
+# define DH_R_KEY_SIZE_TOO_SMALL 20110670
# define DH_R_KEYS_NOT_SET 10810671
# define DH_R_MISSING_PUBKEY 12510672
# define DH_R_MODULUS_TOO_LARGE 10310673
# define DH_R_NOT_SUITABLE_GENERATOR 12010674
# define DH_R_NO_PARAMETERS_SET 10710675
# define DH_R_NO_PRIVATE_VALUE 10010676
+# define DH_R_NON_FIPS_METHOD 20210677
# define DH_R_PARAMETER_ENCODING_ERROR 10510678
# define DH_R_PEER_KEY_ERROR 11110679
# define DH_R_SHARED_INFO_ERROR 11310680
diff -up openssl-1.1.1j/include/openssl/dh.h.fips openssl-1.1.1j/include/openssl/dh.h10681
--- openssl-1.1.1j/include/openssl/dh.h.fips 2021-02-16 16:24:01.000000000 +010010682
+++ openssl-1.1.1j/include/openssl/dh.h 2021-03-03 12:57:42.204734567 +010010683
10684
# endif10685
10686
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 102410687
+# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 204810688
10689
# define DH_FLAG_CACHE_MONT_P 0x0110690
10691
diff -up openssl-1.1.1j/include/openssl/dsaerr.h.fips openssl-1.1.1j/include/openssl/dsaerr.h10692
--- openssl-1.1.1j/include/openssl/dsaerr.h.fips 2021-02-16 16:24:01.000000000 +010010693
+++ openssl-1.1.1j/include/openssl/dsaerr.h 2021-03-03 12:57:42.204734567 +010010694
10695
*/10696
# define DSA_F_DSAPARAMS_PRINT 10010697
# define DSA_F_DSAPARAMS_PRINT_FP 10110698
+# define DSA_F_DSA_BUILTIN_KEYGEN 20210699
# define DSA_F_DSA_BUILTIN_PARAMGEN 12510700
# define DSA_F_DSA_BUILTIN_PARAMGEN2 12610701
+# define DSA_F_DSA_GENERATE_KEY 20110702
+# define DSA_F_DSA_GENERATE_PARAMETERS_EX 20010703
# define DSA_F_DSA_DO_SIGN 11210704
# define DSA_F_DSA_DO_VERIFY 11310705
# define DSA_F_DSA_METH_DUP 12710706
10707
# define DSA_R_DECODE_ERROR 10410708
# define DSA_R_INVALID_DIGEST_TYPE 10610709
# define DSA_R_INVALID_PARAMETERS 11210710
+# define DSA_R_KEY_SIZE_INVALID 20110711
+# define DSA_R_KEY_SIZE_TOO_SMALL 20210712
# define DSA_R_MISSING_PARAMETERS 10110713
# define DSA_R_MISSING_PRIVATE_KEY 11110714
# define DSA_R_MODULUS_TOO_LARGE 10310715
# define DSA_R_NO_PARAMETERS_SET 10710716
+# define DSA_R_NON_FIPS_DSA_METHOD 20010717
# define DSA_R_PARAMETER_ENCODING_ERROR 10510718
# define DSA_R_Q_NOT_PRIME 11310719
# define DSA_R_SEED_LEN_SMALL 11010720
diff -up openssl-1.1.1j/include/openssl/dsa.h.fips openssl-1.1.1j/include/openssl/dsa.h10721
--- openssl-1.1.1j/include/openssl/dsa.h.fips 2021-02-16 16:24:01.000000000 +010010722
+++ openssl-1.1.1j/include/openssl/dsa.h 2021-03-03 12:57:42.204734567 +010010723
10724
# endif10725
10726
# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 102410727
+# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN 204810728
10729
# define DSA_FLAG_CACHE_MONT_P 0x0110730
# if OPENSSL_API_COMPAT < 0x10100000L10731
diff -up openssl-1.1.1j/include/openssl/evperr.h.fips openssl-1.1.1j/include/openssl/evperr.h10732
--- openssl-1.1.1j/include/openssl/evperr.h.fips 2021-02-16 16:24:01.000000000 +010010733
+++ openssl-1.1.1j/include/openssl/evperr.h 2021-03-03 12:57:42.204734567 +010010734
10735
* EVP function codes.10736
*/10737
# define EVP_F_AESNI_INIT_KEY 16510738
-# define EVP_F_AESNI_XTS_INIT_KEY 20710739
+# define EVP_F_AESNI_XTS_INIT_KEY 23310740
# define EVP_F_AES_GCM_CTRL 19610741
# define EVP_F_AES_INIT_KEY 13310742
# define EVP_F_AES_OCB_CIPHER 16910743
# define EVP_F_AES_T4_INIT_KEY 17810744
-# define EVP_F_AES_T4_XTS_INIT_KEY 20810745
+# define EVP_F_AES_T4_XTS_INIT_KEY 23410746
# define EVP_F_AES_WRAP_CIPHER 17010747
-# define EVP_F_AES_XTS_INIT_KEY 20910748
+# define EVP_F_AES_XTS_CIPHER 22910749
+# define EVP_F_AES_XTS_INIT_KEY 23510750
# define EVP_F_ALG_MODULE_INIT 17710751
# define EVP_F_ARIA_CCM_INIT_KEY 17510752
# define EVP_F_ARIA_GCM_CTRL 19710753
10754
# define EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED 13310755
# define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 13810756
# define EVP_R_DECODE_ERROR 11410757
+# define EVP_R_DISABLED_FOR_FIPS 20010758
# define EVP_R_DIFFERENT_KEY_TYPES 10110759
# define EVP_R_DIFFERENT_PARAMETERS 15310760
# define EVP_R_ERROR_LOADING_SECTION 16510761
10762
# define EVP_R_PRIVATE_KEY_DECODE_ERROR 14510763
# define EVP_R_PRIVATE_KEY_ENCODE_ERROR 14610764
# define EVP_R_PUBLIC_KEY_NOT_RSA 10610765
+# define EVP_R_TOO_LARGE 20110766
# define EVP_R_UNKNOWN_CIPHER 16010767
# define EVP_R_UNKNOWN_DIGEST 16110768
# define EVP_R_UNKNOWN_OPTION 16910769
10770
# define EVP_R_UNSUPPORTED_SALT_TYPE 12610771
# define EVP_R_WRAP_MODE_NOT_ALLOWED 17010772
# define EVP_R_WRONG_FINAL_BLOCK_LENGTH 10910773
-# define EVP_R_XTS_DUPLICATED_KEYS 18310774
+# define EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE 19110775
+# define EVP_R_XTS_DUPLICATED_KEYS 19210776
10777
#endif10778
diff -up openssl-1.1.1j/include/openssl/evp.h.fips openssl-1.1.1j/include/openssl/evp.h10779
--- openssl-1.1.1j/include/openssl/evp.h.fips 2021-02-16 16:24:01.000000000 +010010780
+++ openssl-1.1.1j/include/openssl/evp.h 2021-03-03 12:57:42.204734567 +010010781
10782
*/10783
# define EVP_PKEY_FLAG_SIGCTX_CUSTOM 410784
10785
+/* Downstream modification, large value to avoid conflict */10786
+# define EVP_PKEY_FLAG_FIPS 0x400010787
+10788
const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type);10789
EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags);10790
void EVP_PKEY_meth_get0_info(int *ppkey_id, int *pflags,10791
diff -up openssl-1.1.1j/include/openssl/fips.h.fips openssl-1.1.1j/include/openssl/fips.h10792
--- openssl-1.1.1j/include/openssl/fips.h.fips 2021-03-03 12:57:42.204734567 +010010793
+++ openssl-1.1.1j/include/openssl/fips.h 2021-03-03 12:57:42.204734567 +010010794
10795
+/* ====================================================================10796
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.10797
+ *10798
+ * Redistribution and use in source and binary forms, with or without10799
+ * modification, are permitted provided that the following conditions10800
+ * are met:10801
+ *10802
+ * 1. Redistributions of source code must retain the above copyright10803
+ * notice, this list of conditions and the following disclaimer. 10804
+ *10805
+ * 2. Redistributions in binary form must reproduce the above copyright10806
+ * notice, this list of conditions and the following disclaimer in10807
+ * the documentation and/or other materials provided with the10808
+ * distribution.10809
+ *10810
+ * 3. All advertising materials mentioning features or use of this10811
+ * software must display the following acknowledgment:10812
+ * "This product includes software developed by the OpenSSL Project10813
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"10814
+ *10815
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to10816
+ * endorse or promote products derived from this software without10817
+ * prior written permission. For written permission, please contact10818
+ * openssl-core@openssl.org.10819
+ *10820
+ * 5. Products derived from this software may not be called "OpenSSL"10821
+ * nor may "OpenSSL" appear in their names without prior written10822
+ * permission of the OpenSSL Project.10823
+ *10824
+ * 6. Redistributions of any form whatsoever must retain the following10825
+ * acknowledgment:10826
+ * "This product includes software developed by the OpenSSL Project10827
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"10828
+ *10829
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY10830
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE10831
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR10832
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR10833
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,10834
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT10835
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;10836
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)10837
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,10838
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)10839
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED10840
+ * OF THE POSSIBILITY OF SUCH DAMAGE.10841
+ *10842
+ */10843
+10844
+#include <openssl/opensslconf.h>10845
+#include <openssl/dsa.h>10846
+#include <openssl/evp.h>10847
+#include <openssl/bn.h>10848
+10849
+#ifndef OPENSSL_FIPS10850
+# error FIPS is disabled.10851
+#endif10852
+10853
+#ifdef OPENSSL_FIPS10854
+10855
+# ifdef __cplusplus10856
+extern "C" {10857
+# endif10858
+10859
+ int FIPS_selftest(void);10860
+ int FIPS_selftest_failed(void);10861
+ int FIPS_selftest_drbg_all(void);10862
+10863
+ int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,10864
+ const EVP_MD *evpmd, const unsigned char *seed_in,10865
+ size_t seed_len, int idx, unsigned char *seed_out,10866
+ int *counter_ret, unsigned long *h_ret,10867
+ BN_GENCB *cb);10868
+ int FIPS_dsa_paramgen_check_g(DSA *dsa);10869
+10870
+/* BEGIN ERROR CODES */10871
+/* The following lines are auto generated by the script mkerr.pl. Any changes10872
+ * made after this point may be overwritten when the script is next run.10873
+ */10874
+ int ERR_load_FIPS_strings(void);10875
+10876
+/* Error codes for the FIPS functions. */10877
+10878
+/* Function codes. */10879
+# define FIPS_F_DH_BUILTIN_GENPARAMS 10010880
+# define FIPS_F_DRBG_RESEED 12110881
+# define FIPS_F_DSA_BUILTIN_PARAMGEN2 10710882
+# define FIPS_F_DSA_DO_SIGN 10210883
+# define FIPS_F_DSA_DO_VERIFY 10310884
+# define FIPS_F_EVP_CIPHER_CTX_NEW 13710885
+# define FIPS_F_EVP_CIPHER_CTX_RESET 12210886
+# define FIPS_F_ECDH_COMPUTE_KEY 12310887
+# define FIPS_F_EVP_CIPHERINIT_EX 12410888
+# define FIPS_F_EVP_DIGESTINIT_EX 12510889
+# define FIPS_F_FIPS_CHECK_DSA 10410890
+# define FIPS_F_FIPS_CHECK_EC 14210891
+# define FIPS_F_FIPS_CHECK_RSA 10610892
+# define FIPS_F_FIPS_DRBG_BYTES 13110893
+# define FIPS_F_FIPS_DRBG_CHECK 14610894
+# define FIPS_F_FIPS_DRBG_CPRNG_TEST 13210895
+# define FIPS_F_FIPS_DRBG_ERROR_CHECK 13610896
+# define FIPS_F_FIPS_DRBG_GENERATE 13410897
+# define FIPS_F_FIPS_DRBG_INIT 13510898
+# define FIPS_F_FIPS_DRBG_INSTANTIATE 13810899
+# define FIPS_F_FIPS_DRBG_NEW 13910900
+# define FIPS_F_FIPS_DRBG_RESEED 14010901
+# define FIPS_F_FIPS_DRBG_SINGLE_KAT 14110902
+# define FIPS_F_FIPS_GET_ENTROPY 14710903
+# define FIPS_F_FIPS_MODULE_MODE_SET 10810904
+# define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 10910905
+# define FIPS_F_FIPS_RAND_BYTES 11410906
+# define FIPS_F_FIPS_RAND_SEED 12810907
+# define FIPS_F_FIPS_RAND_SET_METHOD 12610908
+# define FIPS_F_FIPS_RAND_STATUS 12710909
+# define FIPS_F_FIPS_RSA_BUILTIN_KEYGEN 10110910
+# define FIPS_F_FIPS_SELFTEST 15010911
+# define FIPS_F_FIPS_SELFTEST_AES 11010912
+# define FIPS_F_FIPS_SELFTEST_AES_CCM 14510913
+# define FIPS_F_FIPS_SELFTEST_AES_GCM 12910914
+# define FIPS_F_FIPS_SELFTEST_AES_XTS 14410915
+# define FIPS_F_FIPS_SELFTEST_CMAC 13010916
+# define FIPS_F_FIPS_SELFTEST_DES 11110917
+# define FIPS_F_FIPS_SELFTEST_DSA 11210918
+# define FIPS_F_FIPS_SELFTEST_ECDSA 13310919
+# define FIPS_F_FIPS_SELFTEST_HMAC 11310920
+# define FIPS_F_FIPS_SELFTEST_SHA1 11510921
+# define FIPS_F_FIPS_SELFTEST_SHA2 10510922
+# define FIPS_F_OSSL_ECDSA_SIGN_SIG 14310923
+# define FIPS_F_OSSL_ECDSA_VERIFY_SIG 14810924
+# define FIPS_F_RSA_BUILTIN_KEYGEN 11610925
+# define FIPS_F_RSA_OSSL_INIT 14910926
+# define FIPS_F_RSA_OSSL_PRIVATE_DECRYPT 11710927
+# define FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT 11810928
+# define FIPS_F_RSA_OSSL_PUBLIC_DECRYPT 11910929
+# define FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT 12010930
+10931
+/* Reason codes. */10932
+# define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 15010933
+# define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 12510934
+# define FIPS_R_ALREADY_INSTANTIATED 13410935
+# define FIPS_R_DRBG_NOT_INITIALISED 15210936
+# define FIPS_R_DRBG_STUCK 10310937
+# define FIPS_R_ENTROPY_ERROR_UNDETECTED 10410938
+# define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 10510939
+# define FIPS_R_ENTROPY_SOURCE_STUCK 14210940
+# define FIPS_R_ERROR_INITIALISING_DRBG 11510941
+# define FIPS_R_ERROR_INSTANTIATING_DRBG 12710942
+# define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 12410943
+# define FIPS_R_ERROR_RETRIEVING_ENTROPY 12210944
+# define FIPS_R_ERROR_RETRIEVING_NONCE 14010945
+# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 11010946
+# define FIPS_R_FIPS_MODE_ALREADY_SET 10210947
+# define FIPS_R_FIPS_SELFTEST_FAILED 10610948
+# define FIPS_R_FUNCTION_ERROR 11610949
+# define FIPS_R_GENERATE_ERROR 13710950
+# define FIPS_R_GENERATE_ERROR_UNDETECTED 11810951
+# define FIPS_R_INSTANTIATE_ERROR 11910952
+# define FIPS_R_INTERNAL_ERROR 12110953
+# define FIPS_R_INVALID_KEY_LENGTH 10910954
+# define FIPS_R_IN_ERROR_STATE 12310955
+# define FIPS_R_KEY_TOO_SHORT 10810956
+# define FIPS_R_NONCE_ERROR_UNDETECTED 14910957
+# define FIPS_R_NON_FIPS_METHOD 10010958
+# define FIPS_R_NOPR_TEST1_FAILURE 14510959
+# define FIPS_R_NOPR_TEST2_FAILURE 14610960
+# define FIPS_R_NOT_INSTANTIATED 12610961
+# define FIPS_R_PAIRWISE_TEST_FAILED 10710962
+# define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 12810963
+# define FIPS_R_PERSONALISATION_STRING_TOO_LONG 12910964
+# define FIPS_R_PR_TEST1_FAILURE 14710965
+# define FIPS_R_PR_TEST2_FAILURE 14810966
+# define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 13010967
+# define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 13110968
+# define FIPS_R_RESEED_COUNTER_ERROR 13210969
+# define FIPS_R_RESEED_ERROR 13310970
+# define FIPS_R_SELFTEST_FAILED 10110971
+# define FIPS_R_SELFTEST_FAILURE 13510972
+# define FIPS_R_TEST_FAILURE 11710973
+# define FIPS_R_UNINSTANTIATE_ERROR 14110974
+# define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 13810975
+# define FIPS_R_UNSUPPORTED_DRBG_TYPE 13910976
+# define FIPS_R_UNSUPPORTED_PLATFORM 11310977
+10978
+# ifdef __cplusplus10979
+}10980
+# endif10981
+#endif10982
diff -up openssl-1.1.1j/include/openssl/fips_rand.h.fips openssl-1.1.1j/include/openssl/fips_rand.h10983
--- openssl-1.1.1j/include/openssl/fips_rand.h.fips 2021-03-03 12:57:42.204734567 +010010984
+++ openssl-1.1.1j/include/openssl/fips_rand.h 2021-03-03 12:57:42.204734567 +010010985
10986
+/* ====================================================================10987
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.10988
+ *10989
+ * Redistribution and use in source and binary forms, with or without10990
+ * modification, are permitted provided that the following conditions10991
+ * are met:10992
+ *10993
+ * 1. Redistributions of source code must retain the above copyright10994
+ * notice, this list of conditions and the following disclaimer. 10995
+ *10996
+ * 2. Redistributions in binary form must reproduce the above copyright10997
+ * notice, this list of conditions and the following disclaimer in10998
+ * the documentation and/or other materials provided with the10999
+ * distribution.11000
+ *11001
+ * 3. All advertising materials mentioning features or use of this11002
+ * software must display the following acknowledgment:11003
+ * "This product includes software developed by the OpenSSL Project11004
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"11005
+ *11006
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to11007
+ * endorse or promote products derived from this software without11008
+ * prior written permission. For written permission, please contact11009
+ * openssl-core@openssl.org.11010
+ *11011
+ * 5. Products derived from this software may not be called "OpenSSL"11012
+ * nor may "OpenSSL" appear in their names without prior written11013
+ * permission of the OpenSSL Project.11014
+ *11015
+ * 6. Redistributions of any form whatsoever must retain the following11016
+ * acknowledgment:11017
+ * "This product includes software developed by the OpenSSL Project11018
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"11019
+ *11020
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY11021
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE11022
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR11023
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR11024
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,11025
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT11026
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;11027
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)11028
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,11029
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)11030
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED11031
+ * OF THE POSSIBILITY OF SUCH DAMAGE.11032
+ *11033
+ */11034
+11035
+#ifndef HEADER_FIPS_RAND_H11036
+# define HEADER_FIPS_RAND_H11037
+11038
+# include <openssl/aes.h>11039
+# include <openssl/evp.h>11040
+# include <openssl/hmac.h>11041
+# include <openssl/rand.h>11042
+11043
+# ifdef OPENSSL_FIPS11044
+11045
+# ifdef __cplusplus11046
+extern "C" {11047
+# endif11048
+ typedef struct drbg_ctx_st DRBG_CTX;11049
+/* DRBG external flags */11050
+/* Flag for CTR mode only: use derivation function ctr_df */11051
+# define DRBG_FLAG_CTR_USE_DF 0x111052
+/* PRNG is in test state */11053
+# define DRBG_FLAG_TEST 0x211054
+11055
+ DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags);11056
+ int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags);11057
+ int FIPS_drbg_instantiate(DRBG_CTX *dctx,11058
+ const unsigned char *pers, size_t perslen);11059
+ int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin,11060
+ size_t adinlen);11061
+ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,11062
+ int prediction_resistance,11063
+ const unsigned char *adin, size_t adinlen);11064
+11065
+ int FIPS_drbg_uninstantiate(DRBG_CTX *dctx);11066
+ void FIPS_drbg_free(DRBG_CTX *dctx);11067
+11068
+ int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,11069
+ size_t (*get_entropy) (DRBG_CTX *ctx,11070
+ unsigned char **pout,11071
+ int entropy,11072
+ size_t min_len,11073
+ size_t max_len),11074
+ void (*cleanup_entropy) (DRBG_CTX *ctx,11075
+ unsigned char *out,11076
+ size_t olen),11077
+ size_t entropy_blocklen,11078
+ size_t (*get_nonce) (DRBG_CTX *ctx,11079
+ unsigned char **pout,11080
+ int entropy,11081
+ size_t min_len,11082
+ size_t max_len),11083
+ void (*cleanup_nonce) (DRBG_CTX *ctx,11084
+ unsigned char *out,11085
+ size_t olen));11086
+11087
+ int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,11088
+ size_t (*get_adin) (DRBG_CTX *ctx,11089
+ unsigned char11090
+ **pout),11091
+ void (*cleanup_adin) (DRBG_CTX *ctx,11092
+ unsigned char *out,11093
+ size_t olen),11094
+ int (*rand_seed_cb) (DRBG_CTX *ctx,11095
+ const void *buf,11096
+ int num),11097
+ int (*rand_add_cb) (DRBG_CTX *ctx,11098
+ const void *buf,11099
+ int num,11100
+ double entropy));11101
+11102
+ void *FIPS_drbg_get_app_data(DRBG_CTX *ctx);11103
+ void FIPS_drbg_set_app_data(DRBG_CTX *ctx, void *app_data);11104
+ size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx);11105
+ int FIPS_drbg_get_strength(DRBG_CTX *dctx);11106
+ void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval);11107
+ void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval);11108
+11109
+ int FIPS_drbg_health_check(DRBG_CTX *dctx);11110
+11111
+ DRBG_CTX *FIPS_get_default_drbg(void);11112
+ const RAND_METHOD *FIPS_drbg_method(void);11113
+11114
+ int FIPS_rand_set_method(const RAND_METHOD *meth);11115
+ const RAND_METHOD *FIPS_rand_get_method(void);11116
+11117
+ void FIPS_rand_set_bits(int nbits);11118
+11119
+ int FIPS_rand_strength(void);11120
+11121
+/* 1.0.0 compat functions */11122
+ int FIPS_rand_seed(const void *buf, int num);11123
+ int FIPS_rand_bytes(unsigned char *out, int outlen);11124
+ void FIPS_rand_reset(void);11125
+ int FIPS_rand_status(void);11126
+# ifdef __cplusplus11127
+}11128
+# endif11129
+# endif11130
+#endif11131
diff -up openssl-1.1.1j/include/openssl/opensslconf.h.in.fips openssl-1.1.1j/include/openssl/opensslconf.h.in11132
--- openssl-1.1.1j/include/openssl/opensslconf.h.in.fips 2021-02-16 16:24:01.000000000 +010011133
+++ openssl-1.1.1j/include/openssl/opensslconf.h.in 2021-03-03 12:57:42.205734575 +010011134
11135
11136
#define RC4_INT {- $config{rc4_int} -}11137
11138
+/* Always build FIPS module */11139
+#ifndef OPENSSL_FIPS11140
+# define OPENSSL_FIPS11141
+#endif11142
+11143
#ifdef __cplusplus11144
}11145
#endif11146
diff -up openssl-1.1.1j/include/openssl/randerr.h.fips openssl-1.1.1j/include/openssl/randerr.h11147
--- openssl-1.1.1j/include/openssl/randerr.h.fips 2021-02-16 16:24:01.000000000 +010011148
+++ openssl-1.1.1j/include/openssl/randerr.h 2021-03-03 12:57:42.205734575 +010011149
11150
# define RAND_F_RAND_DRBG_SET 10411151
# define RAND_F_RAND_DRBG_SET_DEFAULTS 12111152
# define RAND_F_RAND_DRBG_UNINSTANTIATE 11811153
+# define RAND_F_RAND_INIT_FIPS 20011154
# define RAND_F_RAND_LOAD_FILE 11111155
# define RAND_F_RAND_POOL_ACQUIRE_ENTROPY 12211156
# define RAND_F_RAND_POOL_ADD 10311157
diff -up openssl-1.1.1j/include/openssl/rand.h.fips openssl-1.1.1j/include/openssl/rand.h11158
--- openssl-1.1.1j/include/openssl/rand.h.fips 2021-02-16 16:24:01.000000000 +010011159
+++ openssl-1.1.1j/include/openssl/rand.h 2021-03-03 12:57:42.205734575 +010011160
11161
DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM))11162
# endif11163
11164
+# ifdef OPENSSL_FIPS11165
+/* just stubs for API compatibility */11166
+void RAND_set_fips_drbg_type(int type, int flags);11167
+int RAND_init_fips(void);11168
+# endif11169
11170
#ifdef __cplusplus11171
}11172
diff -up openssl-1.1.1j/include/openssl/rsaerr.h.fips openssl-1.1.1j/include/openssl/rsaerr.h11173
--- openssl-1.1.1j/include/openssl/rsaerr.h.fips 2021-02-16 16:24:01.000000000 +010011174
+++ openssl-1.1.1j/include/openssl/rsaerr.h 2021-03-03 12:57:42.205734575 +010011175
11176
*/11177
# define RSA_F_CHECK_PADDING_MD 14011178
# define RSA_F_ENCODE_PKCS1 14611179
+# define RSA_F_FIPS_RSA_BUILTIN_KEYGEN 20611180
# define RSA_F_INT_RSA_VERIFY 14511181
# define RSA_F_OLD_RSA_PRIV_DECODE 14711182
# define RSA_F_PKEY_PSS_INIT 16511183
11184
# define RSA_F_RSA_CHECK_KEY_EX 16011185
# define RSA_F_RSA_CMS_DECRYPT 15911186
# define RSA_F_RSA_CMS_VERIFY 15811187
+# define RSA_F_RSA_GENERATE_KEY_EX 20411188
+# define RSA_F_RSA_GENERATE_MULTI_PRIME_KEY 20711189
# define RSA_F_RSA_ITEM_VERIFY 14811190
# define RSA_F_RSA_METH_DUP 16111191
# define RSA_F_RSA_METH_NEW 16211192
11193
# define RSA_F_RSA_PRINT_FP 11611194
# define RSA_F_RSA_PRIV_DECODE 15011195
# define RSA_F_RSA_PRIV_ENCODE 13811196
+# define RSA_F_RSA_PRIVATE_DECRYPT 20011197
+# define RSA_F_RSA_PRIVATE_ENCRYPT 20111198
# define RSA_F_RSA_PSS_GET_PARAM 15111199
# define RSA_F_RSA_PSS_TO_CTX 15511200
# define RSA_F_RSA_PUB_DECODE 13911201
+# define RSA_F_RSA_PUBLIC_DECRYPT 20211202
+# define RSA_F_RSA_PUBLIC_ENCRYPT 20311203
# define RSA_F_RSA_SETUP_BLINDING 13611204
+# define RSA_F_RSA_SET_DEFAULT_METHOD 20511205
+# define RSA_F_RSA_SET_METHOD 20411206
# define RSA_F_RSA_SIGN 11711207
# define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 11811208
# define RSA_F_RSA_VERIFY 11911209
11210
# define RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D 16911211
# define RSA_R_MP_R_NOT_PRIME 17011212
# define RSA_R_NO_PUBLIC_EXPONENT 14011213
+# define RSA_R_NON_FIPS_RSA_METHOD 20011214
# define RSA_R_NULL_BEFORE_BLOCK_MISSING 11311215
# define RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES 17211216
# define RSA_R_N_DOES_NOT_EQUAL_P_Q 12711217
# define RSA_R_OAEP_DECODING_ERROR 12111218
+# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 20111219
# define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 14811220
# define RSA_R_PADDING_CHECK_FAILED 11411221
# define RSA_R_PKCS_DECODING_ERROR 15911222
11223
# define RSA_R_UNSUPPORTED_LABEL_SOURCE 16311224
# define RSA_R_UNSUPPORTED_MASK_ALGORITHM 15311225
# define RSA_R_UNSUPPORTED_MASK_PARAMETER 15411226
+# define RSA_R_UNSUPPORTED_PARAMETERS 20211227
# define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 15511228
# define RSA_R_VALUE_MISSING 14711229
# define RSA_R_WRONG_SIGNATURE_LENGTH 11911230
diff -up openssl-1.1.1j/ssl/s3_lib.c.fips openssl-1.1.1j/ssl/s3_lib.c11231
--- openssl-1.1.1j/ssl/s3_lib.c.fips 2021-02-16 16:24:01.000000000 +010011232
+++ openssl-1.1.1j/ssl/s3_lib.c 2021-03-03 12:57:42.205734575 +010011233
11234
SSL_AEAD,11235
TLS1_3_VERSION, TLS1_3_VERSION,11236
0, 0,11237
- SSL_HIGH,11238
+ SSL_HIGH | SSL_FIPS,11239
SSL_HANDSHAKE_MAC_SHA256,11240
128,11241
128,11242
11243
SSL_AEAD,11244
TLS1_3_VERSION, TLS1_3_VERSION,11245
0, 0,11246
- SSL_HIGH,11247
+ SSL_HIGH | SSL_FIPS,11248
SSL_HANDSHAKE_MAC_SHA384,11249
256,11250
256,11251
11252
SSL_AEAD,11253
TLS1_3_VERSION, TLS1_3_VERSION,11254
0, 0,11255
- SSL_NOT_DEFAULT | SSL_HIGH,11256
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,11257
SSL_HANDSHAKE_MAC_SHA256,11258
128,11259
128,11260
11261
SSL_AEAD,11262
TLS1_2_VERSION, TLS1_2_VERSION,11263
DTLS1_2_VERSION, DTLS1_2_VERSION,11264
- SSL_NOT_DEFAULT | SSL_HIGH,11265
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,11266
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,11267
128,11268
128,11269
11270
SSL_AEAD,11271
TLS1_2_VERSION, TLS1_2_VERSION,11272
DTLS1_2_VERSION, DTLS1_2_VERSION,11273
- SSL_NOT_DEFAULT | SSL_HIGH,11274
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,11275
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,11276
256,11277
256,11278
11279
SSL_AEAD,11280
TLS1_2_VERSION, TLS1_2_VERSION,11281
DTLS1_2_VERSION, DTLS1_2_VERSION,11282
- SSL_NOT_DEFAULT | SSL_HIGH,11283
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,11284
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,11285
128,11286
128,11287
11288
SSL_AEAD,11289
TLS1_2_VERSION, TLS1_2_VERSION,11290
DTLS1_2_VERSION, DTLS1_2_VERSION,11291
- SSL_NOT_DEFAULT | SSL_HIGH,11292
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,11293
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,11294
256,11295
256,11296
11297
SSL_AEAD,11298
TLS1_2_VERSION, TLS1_2_VERSION,11299
DTLS1_2_VERSION, DTLS1_2_VERSION,11300
- SSL_NOT_DEFAULT | SSL_HIGH,11301
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,11302
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,11303
128,11304
128,11305
11306
SSL_AEAD,11307
TLS1_2_VERSION, TLS1_2_VERSION,11308
DTLS1_2_VERSION, DTLS1_2_VERSION,11309
- SSL_NOT_DEFAULT | SSL_HIGH,11310
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,11311
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,11312
256,11313
256,11314
11315
SSL_AEAD,11316
TLS1_2_VERSION, TLS1_2_VERSION,11317
DTLS1_2_VERSION, DTLS1_2_VERSION,11318
- SSL_NOT_DEFAULT | SSL_HIGH,11319
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,11320
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,11321
128,11322
128,11323
11324
SSL_AEAD,11325
TLS1_2_VERSION, TLS1_2_VERSION,11326
DTLS1_2_VERSION, DTLS1_2_VERSION,11327
- SSL_NOT_DEFAULT | SSL_HIGH,11328
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,11329
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,11330
256,11331
256,11332
diff -up openssl-1.1.1j/ssl/ssl_ciph.c.fips openssl-1.1.1j/ssl/ssl_ciph.c11333
--- openssl-1.1.1j/ssl/ssl_ciph.c.fips 2021-03-03 12:57:42.193734476 +010011334
+++ openssl-1.1.1j/ssl/ssl_ciph.c 2021-03-03 12:57:42.206734583 +010011335
11336
}11337
}11338
/* Make sure we can access MD5 and SHA1 */11339
- if (!ossl_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL))11340
+ if (!FIPS_mode() && !ossl_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL))11341
return 0;11342
if (!ossl_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL))11343
return 0;11344
11345
s->ssl_version < TLS1_VERSION)11346
return 1;11347
11348
+ if (FIPS_mode())11349
+ return 1;11350
+11351
if (c->algorithm_enc == SSL_RC4 &&11352
c->algorithm_mac == SSL_MD5 &&11353
(evp = EVP_get_cipherbyname("RC4-HMAC-MD5")))11354
11355
/* drop those that use any of that is not available */11356
if (c == NULL || !c->valid)11357
continue;11358
+ if (FIPS_mode() && !(c->algo_strength & SSL_FIPS))11359
+ continue;11360
if ((c->algorithm_mkey & disabled_mkey) ||11361
(c->algorithm_auth & disabled_auth) ||11362
(c->algorithm_enc & disabled_enc) ||11363
11364
* to the resulting precedence to the STACK_OF(SSL_CIPHER).11365
*/11366
for (curr = head; curr != NULL; curr = curr->next) {11367
- if (curr->active) {11368
+ if (curr->active11369
+ && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) {11370
if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {11371
OPENSSL_free(co_list);11372
sk_SSL_CIPHER_free(cipherstack);11373
diff -up openssl-1.1.1j/ssl/ssl_init.c.fips openssl-1.1.1j/ssl/ssl_init.c11374
--- openssl-1.1.1j/ssl/ssl_init.c.fips 2021-02-16 16:24:01.000000000 +010011375
+++ openssl-1.1.1j/ssl/ssl_init.c 2021-03-03 12:57:42.206734583 +010011376
11377
fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "11378
"Adding SSL ciphers and digests\n");11379
#endif11380
+#ifdef OPENSSL_FIPS11381
+ if (!FIPS_mode()) {11382
+#endif11383
+11384
#ifndef OPENSSL_NO_DES11385
EVP_add_cipher(EVP_des_cbc());11386
EVP_add_cipher(EVP_des_ede3_cbc());11387
11388
EVP_add_digest(EVP_sha256());11389
EVP_add_digest(EVP_sha384());11390
EVP_add_digest(EVP_sha512());11391
+#ifdef OPENSSL_FIPS11392
+ } else {11393
+# ifndef OPENSSL_NO_DES11394
+ EVP_add_cipher(EVP_des_ede3_cbc());11395
+# endif11396
+ EVP_add_cipher(EVP_aes_128_cbc());11397
+ EVP_add_cipher(EVP_aes_192_cbc());11398
+ EVP_add_cipher(EVP_aes_256_cbc());11399
+ EVP_add_cipher(EVP_aes_128_gcm());11400
+ EVP_add_cipher(EVP_aes_256_gcm());11401
+ EVP_add_cipher(EVP_aes_128_ccm());11402
+ EVP_add_cipher(EVP_aes_256_ccm());11403
+# ifndef OPENSSL_NO_MD511404
+ /* needed even in the FIPS mode for TLS-1.0 */11405
+ EVP_add_digest(EVP_md5_sha1());11406
+# endif11407
+ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */11408
+ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");11409
+ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);11410
+ EVP_add_digest(EVP_sha224());11411
+ EVP_add_digest(EVP_sha256());11412
+ EVP_add_digest(EVP_sha384());11413
+ EVP_add_digest(EVP_sha512());11414
+ }11415
+#endif11416
#ifndef OPENSSL_NO_COMP11417
# ifdef OPENSSL_INIT_DEBUG11418
fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "11419
diff -up openssl-1.1.1j/ssl/ssl_lib.c.fips openssl-1.1.1j/ssl/ssl_lib.c11420
--- openssl-1.1.1j/ssl/ssl_lib.c.fips 2021-03-03 12:57:42.193734476 +010011421
+++ openssl-1.1.1j/ssl/ssl_lib.c 2021-03-03 12:57:42.206734583 +010011422
11423
if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL))11424
return NULL;11425
11426
+ if (FIPS_mode() && (meth->version < TLS1_VERSION)) {11427
+ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE);11428
+ return NULL;11429
+ }11430
+11431
if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {11432
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);11433
goto err;11434
11435
if (ret->param == NULL)11436
goto err;11437
11438
- if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {11439
- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);11440
- goto err2;11441
- }11442
- if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {11443
- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);11444
- goto err2;11445
+ if (!FIPS_mode()) {11446
+ if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {11447
+ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);11448
+ goto err2;11449
+ }11450
+ if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {11451
+ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);11452
+ goto err2;11453
+ }11454
+ } else {11455
+ ret->min_proto_version = TLS1_VERSION;11456
}11457
11458
if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL)11459
diff -up openssl-1.1.1j/ssl/ssl_local.h.fips openssl-1.1.1j/ssl/ssl_local.h11460
--- openssl-1.1.1j/ssl/ssl_local.h.fips 2021-03-03 12:57:42.100733706 +010011461
+++ openssl-1.1.1j/ssl/ssl_local.h 2021-03-03 12:57:42.206734583 +010011462
11463
# define TLS_CURVE_PRIME 0x011464
# define TLS_CURVE_CHAR2 0x111465
# define TLS_CURVE_CUSTOM 0x211466
+# define TLS_CURVE_FIPS 0x8011467
11468
typedef struct cert_pkey_st CERT_PKEY;11469
11470
diff -up openssl-1.1.1j/ssl/t1_lib.c.fips openssl-1.1.1j/ssl/t1_lib.c11471
--- openssl-1.1.1j/ssl/t1_lib.c.fips 2021-02-16 16:24:01.000000000 +010011472
+++ openssl-1.1.1j/ssl/t1_lib.c 2021-03-03 12:57:42.207734591 +010011473
11474
{NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */11475
{NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */11476
{NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */11477
- {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */11478
+ {NID_secp224r1, 112, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp224r1 (21) */11479
{NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */11480
- {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */11481
- {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */11482
- {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */11483
+ {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp256r1 (23) */11484
+ {NID_secp384r1, 192, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp384r1 (24) */11485
+ {NID_secp521r1, 256, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp521r1 (25) */11486
{NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */11487
{NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */11488
{NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */11489
11490
if (cinfo->flags & TLS_CURVE_CHAR2)11491
return 0;11492
# endif11493
+ if (FIPS_mode() && !(cinfo->flags & TLS_CURVE_FIPS))11494
+ return 0;11495
ctmp[0] = curve >> 8;11496
ctmp[1] = curve & 0xff;11497
return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);11498
diff -up openssl-1.1.1j/test/dsatest.c.fips openssl-1.1.1j/test/dsatest.c11499
--- openssl-1.1.1j/test/dsatest.c.fips 2021-02-16 16:24:01.000000000 +010011500
+++ openssl-1.1.1j/test/dsatest.c 2021-03-03 12:57:42.207734591 +010011501
11502
#ifndef OPENSSL_NO_DSA11503
static int dsa_cb(int p, int n, BN_GENCB *arg);11504
11505
-/*11506
- * seed, out_p, out_q, out_g are taken from the updated Appendix 5 to FIPS11507
- * PUB 186 and also appear in Appendix 5 to FIPS PIB 186-111508
- */11509
static unsigned char seed[20] = {11510
- 0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8, 0xb6, 0x21, 0x1b, 0x40,11511
- 0x62, 0xba, 0x32, 0x24, 0xe0, 0x42, 0x7d, 0xd3,11512
+ 0x02, 0x47, 0x11, 0x92, 0x11, 0x88, 0xC8, 0xFB, 0xAF, 0x48, 0x4C, 0x62,11513
+ 0xDF, 0xA5, 0xBE, 0xA0, 0xA4, 0x3C, 0x56, 0xE3,11514
};11515
11516
static unsigned char out_p[] = {11517
- 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76, 0xaa,11518
- 0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69, 0xcb,11519
- 0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c, 0xf7,11520
- 0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82, 0xe5,11521
- 0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e, 0xaf,11522
- 0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a, 0xac,11523
- 0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24, 0xc2,11524
- 0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02, 0x91,11525
+ 0xAC, 0xCB, 0x1E, 0x63, 0x60, 0x69, 0x0C, 0xFB, 0x06, 0x19, 0x68, 0x3E,11526
+ 0xA5, 0x01, 0x5A, 0xA2, 0x15, 0x5C, 0xE2, 0x99, 0x2D, 0xD5, 0x30, 0x99,11527
+ 0x7E, 0x5F, 0x8D, 0xE2, 0xF7, 0xC6, 0x2E, 0x8D, 0xA3, 0x9F, 0x58, 0xAD,11528
+ 0xD6, 0xA9, 0x7D, 0x0E, 0x0D, 0x95, 0x53, 0xA6, 0x71, 0x3A, 0xDE, 0xAB,11529
+ 0xAC, 0xE9, 0xF4, 0x36, 0x55, 0x9E, 0xB9, 0xD6, 0x93, 0xBF, 0xF3, 0x18,11530
+ 0x1C, 0x14, 0x7B, 0xA5, 0x42, 0x2E, 0xCD, 0x00, 0xEB, 0x35, 0x3B, 0x1B,11531
+ 0xA8, 0x51, 0xBB, 0xE1, 0x58, 0x42, 0x85, 0x84, 0x22, 0xA7, 0x97, 0x5E,11532
+ 0x99, 0x6F, 0x38, 0x20, 0xBD, 0x9D, 0xB6, 0xD9, 0x33, 0x37, 0x2A, 0xFD,11533
+ 0xBB, 0xD4, 0xBC, 0x0C, 0x2A, 0x67, 0xCB, 0x9F, 0xBB, 0xDF, 0xF9, 0x93,11534
+ 0xAA, 0xD6, 0xF0, 0xD6, 0x95, 0x0B, 0x5D, 0x65, 0x14, 0xD0, 0x18, 0x9D,11535
+ 0xC6, 0xAF, 0xF0, 0xC6, 0x37, 0x7C, 0xF3, 0x5F,11536
};11537
11538
static unsigned char out_q[] = {11539
- 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8, 0xee,11540
- 0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4, 0x8e,11541
- 0xda, 0xce, 0x91, 0x5f,11542
+ 0xE3, 0x8E, 0x5E, 0x6D, 0xBF, 0x2B, 0x79, 0xF8, 0xC5, 0x4B, 0x89, 0x8B,11543
+ 0xBA, 0x2D, 0x91, 0xC3, 0x6C, 0x80, 0xAC, 0x87,11544
};11545
11546
static unsigned char out_g[] = {11547
- 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, 0x13,11548
- 0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5, 0x00,11549
- 0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef, 0xcb,11550
- 0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c, 0x2e,11551
- 0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba, 0xbf,11552
- 0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c, 0x9c,11553
- 0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08, 0x8c,11554
- 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88, 0x02,11555
+ 0x42, 0x4A, 0x04, 0x4E, 0x79, 0xB4, 0x99, 0x7F, 0xFD, 0x58, 0x36, 0x2C,11556
+ 0x1B, 0x5F, 0x18, 0x7E, 0x0D, 0xCC, 0xAB, 0x81, 0xC9, 0x5D, 0x10, 0xCE,11557
+ 0x4E, 0x80, 0x7E, 0x58, 0xB4, 0x34, 0x3F, 0xA7, 0x45, 0xC7, 0xAA, 0x36,11558
+ 0x24, 0x42, 0xA9, 0x3B, 0xE8, 0x0E, 0x04, 0x02, 0x2D, 0xFB, 0xA6, 0x13,11559
+ 0xB9, 0xB5, 0x15, 0xA5, 0x56, 0x07, 0x35, 0xE4, 0x03, 0xB6, 0x79, 0x7C,11560
+ 0x62, 0xDD, 0xDF, 0x3F, 0x71, 0x3A, 0x9D, 0x8B, 0xC4, 0xF6, 0xE7, 0x1D,11561
+ 0x52, 0xA8, 0xA9, 0x43, 0x1D, 0x33, 0x51, 0x88, 0x39, 0xBD, 0x73, 0xE9,11562
+ 0x5F, 0xBE, 0x82, 0x49, 0x27, 0xE6, 0xB5, 0x53, 0xC1, 0x38, 0xAC, 0x2F,11563
+ 0x6D, 0x97, 0x6C, 0xEB, 0x67, 0xC1, 0x5F, 0x67, 0xF8, 0x35, 0x05, 0x5E,11564
+ 0xD5, 0x68, 0x80, 0xAA, 0x96, 0xCA, 0x0B, 0x8A, 0xE6, 0xF1, 0xB1, 0x41,11565
+ 0xC6, 0x75, 0x94, 0x0A, 0x0A, 0x2A, 0xFA, 0x29,11566
};11567
11568
static const unsigned char str1[] = "12345678901234567890";11569
11570
11571
BN_GENCB_set(cb, dsa_cb, NULL);11572
if (!TEST_ptr(dsa = DSA_new())11573
- || !TEST_true(DSA_generate_parameters_ex(dsa, 512, seed, 20,11574
+ || !TEST_true(DSA_generate_parameters_ex(dsa, 1024, seed, 20,11575
&counter, &h, cb)))11576
goto end;11577
11578
- if (!TEST_int_eq(counter, 105))11579
+ if (!TEST_int_eq(counter, 239))11580
goto end;11581
if (!TEST_int_eq(h, 2))11582
goto end;11583
diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1.1.1j/test/recipes/30-test_evp_data/evpciph.txt11584
--- openssl-1.1.1j/test/recipes/30-test_evp_data/evpciph.txt.fips 2021-02-16 16:24:01.000000000 +010011585
+++ openssl-1.1.1j/test/recipes/30-test_evp_data/evpciph.txt 2021-03-03 12:57:42.207734591 +010011586
11587
IV = 0000000000000000000000000000000011588
Plaintext = 000000000000000000000000000000000000000000000000000000000000000011589
Ciphertext = 917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e11590
+Result = KEY_SET_ERROR11591
11592
Cipher = aes-128-xts11593
Key = 111111111111111111111111111111112222222222222222222222222222222211594
diff -up openssl-1.1.1j/util/libcrypto.num.fips openssl-1.1.1j/util/libcrypto.num11595
--- openssl-1.1.1j/util/libcrypto.num.fips 2021-02-16 16:24:01.000000000 +010011596
+++ openssl-1.1.1j/util/libcrypto.num 2021-03-03 12:57:42.208734600 +010011597
11598
X509_REQ_set0_signature 4545 1_1_1h EXIST::FUNCTION:11599
X509_REQ_set1_signature_algo 4546 1_1_1h EXIST::FUNCTION:11600
EC_KEY_decoded_from_explicit_params 4547 1_1_1h EXIST::FUNCTION:EC11601
+FIPS_drbg_reseed 6348 1_1_0g EXIST::FUNCTION:11602
+FIPS_selftest_check 6349 1_1_0g EXIST::FUNCTION:11603
+FIPS_rand_set_method 6350 1_1_0g EXIST::FUNCTION:11604
+FIPS_get_default_drbg 6351 1_1_0g EXIST::FUNCTION:11605
+FIPS_drbg_set_reseed_interval 6352 1_1_0g EXIST::FUNCTION:11606
+FIPS_drbg_set_app_data 6353 1_1_0g EXIST::FUNCTION:11607
+FIPS_drbg_method 6354 1_1_0g EXIST::FUNCTION:11608
+FIPS_rand_status 6355 1_1_0g EXIST::FUNCTION:11609
+FIPS_drbg_instantiate 6356 1_1_0g EXIST::FUNCTION:11610
+FIPS_drbg_set_callbacks 6357 1_1_0g EXIST::FUNCTION:11611
+FIPS_drbg_new 6358 1_1_0g EXIST::FUNCTION:11612
+FIPS_dsa_paramgen_check_g 6359 1_1_0g EXIST::FUNCTION:11613
+FIPS_selftest 6360 1_1_0g EXIST::FUNCTION:11614
+FIPS_rand_set_bits 6361 1_1_0g EXIST::FUNCTION:11615
+FIPS_rand_bytes 6362 1_1_0g EXIST::FUNCTION:11616
+FIPS_drbg_get_app_data 6363 1_1_0g EXIST::FUNCTION:11617
+FIPS_selftest_failed 6364 1_1_0g EXIST::FUNCTION:11618
+FIPS_dsa_builtin_paramgen2 6365 1_1_0g EXIST::FUNCTION:11619
+FIPS_rand_reset 6366 1_1_0g EXIST::FUNCTION:11620
+ERR_load_FIPS_strings 6367 1_1_0g EXIST::FUNCTION:11621
+FIPS_drbg_generate 6368 1_1_0g EXIST::FUNCTION:11622
+FIPS_drbg_uninstantiate 6369 1_1_0g EXIST::FUNCTION:11623
+FIPS_drbg_set_check_interval 6370 1_1_0g EXIST::FUNCTION:11624
+FIPS_drbg_free 6371 1_1_0g EXIST::FUNCTION:11625
+FIPS_selftest_drbg_all 6372 1_1_0g EXIST::FUNCTION:11626
+FIPS_rand_get_method 6373 1_1_0g EXIST::FUNCTION:11627
+RAND_set_fips_drbg_type 6374 1_1_0g EXIST::FUNCTION:11628
+FIPS_drbg_health_check 6375 1_1_0g EXIST::FUNCTION:11629
+RAND_init_fips 6376 1_1_0g EXIST::FUNCTION:11630
+FIPS_drbg_set_rand_callbacks 6377 1_1_0g EXIST::FUNCTION:11631
+FIPS_rand_seed 6378 1_1_0g EXIST::FUNCTION:11632
+FIPS_drbg_get_strength 6379 1_1_0g EXIST::FUNCTION:11633
+FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION:11634
+FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION:11635
+FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION:11636