[openssl/f17] Revert "New upstream release from the 1.0.1 branch, ABI compatible"
Tomáš Mráz
tmraz at fedoraproject.org
Wed Feb 29 08:36:57 UTC 2012
commit ab8c818557e19f4c9335c5e1d480f8bfb6b9cd04
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date: Wed Feb 29 09:32:28 2012 +0100
Revert "New upstream release from the 1.0.1 branch, ABI compatible"
This reverts commit ad05b505379c52cf9dc39987695bcaa3aecc7e9c.
.gitignore | 1 -
fixpatch | 15 -
hobble-openssl | 20 +-
openssl-0.9.8g-ia64.patch | 19 +
openssl-1.0.0-beta3-fipscheck.patch | 400 +
openssl-1.0.0-beta3-fipsrng.patch | 79 +
openssl-1.0.0-beta3-soversion.patch | 44 +
openssl-1.0.0-beta4-dtls1-abi.patch | 25 +
...build.patch => openssl-1.0.0-beta4-redhat.patch | 68 +-
...atch => openssl-1.0.0-beta5-cipher-change.patch | 14 +-
openssl-1.0.0-fips-aesni.patch | 47 +
openssl-1.0.0-name-hash.patch | 22 +
openssl-1.0.0-sha2test.patch | 77 +
openssl-1.0.0a-fipsmode.patch | 272 +
openssl-1.0.0a-manfix.patch | 21 +
openssl-1.0.0b-aesni.patch | 2388 +++
...v6-apps.patch => openssl-1.0.0b-ipv6-apps.patch | 79 +-
openssl-1.0.0c-apps-ipv6listen.patch | 57 +
openssl-1.0.0c-fips186-3.patch | 384 +
openssl-1.0.0c-pkcs12-fips-default.patch | 25 +
openssl-1.0.0c-speed-fips.patch | 94 +
openssl-1.0.0d-cavs.patch | 232 +
openssl-1.0.0d-intelopts.patch | 6221 ++++++
...dlock64.patch => openssl-1.0.0d-padlock64.patch | 43 +-
openssl-1.0.0e-doc-noeof.patch | 23 -
openssl-1.0.0f-fips.patch |12164 +++++++++++
openssl-1.0.0g-version.patch | 22 +
openssl-1.0.1-beta2-dtls1-abi.patch | 23 -
openssl-1.0.1-beta2-fips-md5-allow.patch | 21 -
openssl-1.0.1-beta2-fips.patch |21143 --------------------
openssl-1.0.1-beta2-no-srp.patch | 80 -
openssl-1.0.1-beta2-version.patch | 21 -
openssl.spec | 79 +-
sources | 2 +-
34 files changed, 22733 insertions(+), 21492 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index d5674b5..d0e8a97 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,4 +5,3 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.0.0e-usa.tar.bz2
/openssl-1.0.0f-usa.tar.bz2
/openssl-1.0.0g-usa.tar.xz
-/openssl-1.0.1-beta2-usa.tar.xz
diff --git a/hobble-openssl b/hobble-openssl
index 291d8a3..a8be844 100755
--- a/hobble-openssl
+++ b/hobble-openssl
@@ -5,37 +5,31 @@ set -e
# Clean out patent-or-otherwise-encumbered code.
# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
-# IDEA: 5,214,703 07/01/2012 - expired, we do not remove it anymore
+# IDEA: 5,214,703 07/01/2012
# RC5: 5,724,428 01/11/2015
# EC: ????????? ??/??/2020
-# SRP: ????????? ??/??/20??
# Remove assembler portions of IDEA, MDC2, and RC5.
-(find crypto/{rc5}/asm -type f | xargs -r rm -fv)
+(find crypto/{idea,rc5}/asm -type f | xargs -r rm -fv)
-# RC5, EC, SRP.
-for a in rc5 ec ecdh ecdsa srp; do
+# IDEA, MDC2, RC5, EC.
+for a in idea rc5 ec ecdh ecdsa; do
for c in `find crypto/$a -name "*.c" -a \! -name "*test*" -type f` ; do
echo Destroying $c
> $c
done
done
-for c in `find crypto/evp -name "*_rc5.c" -o -name "*_ecdsa.c"`; do
- echo Destroying $c
- > $c
-done
-
-for c in `find crypto/bn -name "*gf2m.c"`; do
+for c in `find crypto/evp -name "*_rc5.c" -o -name "*_idea.c" -o -name "*_ecdsa.c"`; do
echo Destroying $c
> $c
done
for h in `find crypto ssl apps test -name "*.h"` ; do
- echo Removing RC5, SRP and EC references from $h
+ echo Removing IDEA, RC5, and EC references from $h
cat $h | \
awk 'BEGIN {ech=1;} \
- /^#[ \t]*ifndef.*NO_SRP/ {ech--; next;} \
+ /^#[ \t]*ifndef.*NO_IDEA/ {ech--; next;} \
/^#[ \t]*ifndef.*NO_RC5/ {ech--; next;} \
/^#[ \t]*ifndef.*NO_EC/ {ech--; next;} \
/^#[ \t]*ifndef.*NO_ECDH/ {ech--; next;} \
diff --git a/openssl-0.9.8g-ia64.patch b/openssl-0.9.8g-ia64.patch
new file mode 100644
index 0000000..ec982d2
--- /dev/null
+++ b/openssl-0.9.8g-ia64.patch
@@ -0,0 +1,19 @@
+diff -up openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64 openssl-0.9.8g/crypto/bn/bn_lcl.h
+--- openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64 2008-08-10 22:23:55.000000000 +0200
++++ openssl-0.9.8g/crypto/bn/bn_lcl.h 2008-08-10 22:23:55.000000000 +0200
+@@ -279,6 +279,15 @@ extern "C" {
+ # define BN_UMULT_HIGH(a,b) __umulh((a),(b))
+ # define BN_UMULT_LOHI(low,high,a,b) ((low)=_umul128((a),(b),&(high)))
+ # endif
++# elif defined(__ia64) && defined(SIXTY_FOUR_BIT_LONG)
++# if defined(__GNUC__)
++# define BN_UMULT_HIGH(a,b) ({ \
++ register BN_ULONG ret; \
++ asm ("xmpy.hu %0 = %1, %2" \
++ : "=f"(ret) \
++ : "f"(a), "f"(b)); \
++ ret; })
++# endif /* compiler */
+ # endif /* cpu */
+ #endif /* OPENSSL_NO_ASM */
+
diff --git a/openssl-1.0.0-beta3-fipscheck.patch b/openssl-1.0.0-beta3-fipscheck.patch
new file mode 100644
index 0000000..2951b48
--- /dev/null
+++ b/openssl-1.0.0-beta3-fipscheck.patch
@@ -0,0 +1,400 @@
+diff -up openssl-1.0.0-beta3/crypto/fips/fips.c.fipscheck openssl-1.0.0-beta3/crypto/fips/fips.c
+--- openssl-1.0.0-beta3/crypto/fips/fips.c.fipscheck 2009-08-10 20:11:59.000000000 +0200
++++ openssl-1.0.0-beta3/crypto/fips/fips.c 2009-08-10 20:11:59.000000000 +0200
+@@ -47,6 +47,7 @@
+ *
+ */
+
++#define _GNU_SOURCE
+
+ #include <openssl/rand.h>
+ #include <openssl/fips_rand.h>
+@@ -56,6 +57,9 @@
+ #include <openssl/rsa.h>
+ #include <string.h>
+ #include <limits.h>
++#include <dlfcn.h>
++#include <stdio.h>
++#include <stdlib.h>
+ #include "fips_locl.h"
+
+ #ifdef OPENSSL_FIPS
+@@ -165,6 +169,204 @@ int FIPS_selftest()
+ && FIPS_selftest_dsa();
+ }
+
++/* we implement what libfipscheck does ourselves */
++
++static int
++get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
++{
++ Dl_info info;
++ void *dl, *sym;
++ int rv = -1;
++
++ dl = dlopen(libname, RTLD_LAZY);
++ if (dl == NULL) {
++ return -1;
++ }
++
++ sym = dlsym(dl, symbolname);
++
++ if (sym != NULL && dladdr(sym, &info)) {
++ strncpy(path, info.dli_fname, pathlen-1);
++ path[pathlen-1] = '\0';
++ rv = 0;
++ }
++
++ dlclose(dl);
++
++ return rv;
++}
++
++static const char conv[] = "0123456789abcdef";
++
++static char *
++bin2hex(void *buf, size_t len)
++{
++ char *hex, *p;
++ unsigned char *src = buf;
++
++ hex = malloc(len * 2 + 1);
++ if (hex == NULL)
++ return NULL;
++
++ p = hex;
++
++ while (len > 0) {
++ unsigned c;
++
++ c = *src;
++ src++;
++
++ *p = conv[c >> 4];
++ ++p;
++ *p = conv[c & 0x0f];
++ ++p;
++ --len;
++ }
++ *p = '\0';
++ return hex;
++}
++
++#define HMAC_PREFIX "."
++#define HMAC_SUFFIX ".hmac"
++#define READ_BUFFER_LENGTH 16384
++
++static char *
++make_hmac_path(const char *origpath)
++{
++ char *path, *p;
++ const char *fn;
++
++ path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
++ if(path == NULL) {
++ return NULL;
++ }
++
++ fn = strrchr(origpath, '/');
++ if (fn == NULL) {
++ fn = origpath;
++ } else {
++ ++fn;
++ }
++
++ strncpy(path, origpath, fn-origpath);
++ p = path + (fn - origpath);
++ p = stpcpy(p, HMAC_PREFIX);
++ p = stpcpy(p, fn);
++ p = stpcpy(p, HMAC_SUFFIX);
++
++ return path;
++}
++
++static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
++
++static int
++compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
++{
++ FILE *f = NULL;
++ int rv = -1;
++ unsigned char rbuf[READ_BUFFER_LENGTH];
++ size_t len;
++ unsigned int hlen;
++ HMAC_CTX c;
++
++ HMAC_CTX_init(&c);
++
++ f = fopen(path, "r");
++
++ if (f == NULL) {
++ goto end;
++ }
++
++ HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
++
++ while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
++ HMAC_Update(&c, rbuf, len);
++ }
++
++ len = sizeof(rbuf);
++ /* reuse rbuf for hmac */
++ HMAC_Final(&c, rbuf, &hlen);
++
++ *buf = malloc(hlen);
++ if (*buf == NULL) {
++ goto end;
++ }
++
++ *hmaclen = hlen;
++
++ memcpy(*buf, rbuf, hlen);
++
++ rv = 0;
++end:
++ HMAC_CTX_cleanup(&c);
++
++ if (f)
++ fclose(f);
++
++ return rv;
++}
++
++static int
++FIPSCHECK_verify(const char *libname, const char *symbolname)
++{
++ char path[PATH_MAX+1];
++ int rv;
++ FILE *hf;
++ char *hmacpath, *p;
++ char *hmac = NULL;
++ size_t n;
++
++ rv = get_library_path(libname, symbolname, path, sizeof(path));
++
++ if (rv < 0)
++ return 0;
++
++ hmacpath = make_hmac_path(path);
++
++ hf = fopen(hmacpath, "r");
++ if (hf == NULL) {
++ free(hmacpath);
++ return 0;
++ }
++
++ if (getline(&hmac, &n, hf) > 0) {
++ void *buf;
++ size_t hmaclen;
++ char *hex;
++
++ if ((p=strchr(hmac, '\n')) != NULL)
++ *p = '\0';
++
++ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
++ rv = -4;
++ goto end;
++ }
++
++ if ((hex=bin2hex(buf, hmaclen)) == NULL) {
++ free(buf);
++ rv = -5;
++ goto end;
++ }
++
++ if (strcmp(hex, hmac) != 0) {
++ rv = -1;
++ }
++ free(buf);
++ free(hex);
++ }
++
++end:
++ free(hmac);
++ free(hmacpath);
++ fclose(hf);
++
++ if (rv < 0)
++ return 0;
++
++ /* check successful */
++ return 1;
++}
++
+ int FIPS_mode_set(int onoff)
+ {
+ int fips_set_owning_thread();
+@@ -201,6 +403,22 @@ int FIPS_mode_set(int onoff)
+ }
+ #endif
+
++ if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
++ {
++ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++
++ if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
++ {
++ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++
+ /* Perform RNG KAT before seeding */
+ if (!FIPS_selftest_rng())
+ {
+diff -up openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c.fipscheck openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c
+--- openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c.fipscheck 2009-08-10 20:11:59.000000000 +0200
++++ openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c 2009-08-10 20:11:59.000000000 +0200
+@@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len)
+
+ #ifdef OPENSSL_FIPS
+
+-static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx,
++static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx,
+ const char *key)
+ {
+ size_t len=strlen(key);
+@@ -72,10 +72,10 @@ static void hmac_init(SHA_CTX *md_ctx,SH
+
+ if (len > SHA_CBLOCK)
+ {
+- SHA1_Init(md_ctx);
+- SHA1_Update(md_ctx,key,len);
+- SHA1_Final(keymd,md_ctx);
+- len=20;
++ SHA256_Init(md_ctx);
++ SHA256_Update(md_ctx,key,len);
++ SHA256_Final(keymd,md_ctx);
++ len=SHA256_DIGEST_LENGTH;
+ }
+ else
+ memcpy(keymd,key,len);
+@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH
+
+ for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
+ pad[i]=0x36^keymd[i];
+- SHA1_Init(md_ctx);
+- SHA1_Update(md_ctx,pad,SHA_CBLOCK);
++ SHA256_Init(md_ctx);
++ SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
+
+ for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
+ pad[i]=0x5c^keymd[i];
+- SHA1_Init(o_ctx);
+- SHA1_Update(o_ctx,pad,SHA_CBLOCK);
++ SHA256_Init(o_ctx);
++ SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
+ }
+
+-static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx)
++static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx)
+ {
+- unsigned char buf[20];
++ unsigned char buf[SHA256_DIGEST_LENGTH];
+
+- SHA1_Final(buf,md_ctx);
+- SHA1_Update(o_ctx,buf,sizeof buf);
+- SHA1_Final(md,o_ctx);
++ SHA256_Final(buf,md_ctx);
++ SHA256_Update(o_ctx,buf,sizeof buf);
++ SHA256_Final(md,o_ctx);
+ }
+
+ #endif
+@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md
+ int main(int argc,char **argv)
+ {
+ #ifdef OPENSSL_FIPS
+- static char key[]="etaonrishdlcupfm";
++ static char key[]="orboDeJITITejsirpADONivirpUkvarP";
+ int n,binary=0;
+
+ if(argc < 2)
+@@ -125,8 +125,8 @@ int main(int argc,char **argv)
+ for(; n < argc ; ++n)
+ {
+ FILE *f=fopen(argv[n],"rb");
+- SHA_CTX md_ctx,o_ctx;
+- unsigned char md[20];
++ SHA256_CTX md_ctx,o_ctx;
++ unsigned char md[SHA256_DIGEST_LENGTH];
+ int i;
+
+ if(!f)
+@@ -151,18 +151,18 @@ int main(int argc,char **argv)
+ else
+ break;
+ }
+- SHA1_Update(&md_ctx,buf,l);
++ SHA256_Update(&md_ctx,buf,l);
+ }
+ hmac_final(md,&md_ctx,&o_ctx);
+
+ if (binary)
+ {
+- fwrite(md,20,1,stdout);
++ fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
+ break; /* ... for single(!) file */
+ }
+
+- printf("HMAC-SHA1(%s)= ",argv[n]);
+- for(i=0 ; i < 20 ; ++i)
++/* printf("HMAC-SHA1(%s)= ",argv[n]); */
++ for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
+ printf("%02x",md[i]);
+ printf("\n");
+ }
+diff -up openssl-1.0.0-beta3/crypto/fips/Makefile.fipscheck openssl-1.0.0-beta3/crypto/fips/Makefile
+--- openssl-1.0.0-beta3/crypto/fips/Makefile.fipscheck 2009-08-10 20:11:59.000000000 +0200
++++ openssl-1.0.0-beta3/crypto/fips/Makefile 2009-08-10 20:27:45.000000000 +0200
+@@ -16,6 +16,9 @@ GENERAL=Makefile
+ TEST=fips_test_suite.c fips_randtest.c
+ APPS=
+
++PROGRAM= fips_standalone_sha1
++EXE= $(PROGRAM)$(EXE_EXT)
++
+ LIB=$(TOP)/libcrypto.a
+ LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_selftest.c \
+ fips_rsa_selftest.c fips_sha1_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
+@@ -25,6 +28,8 @@ LIBOBJ=fips_aes_selftest.o fips_des_self
+ fips_rsa_selftest.o fips_sha1_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \
+ fips_rsa_x931g.o
+
++LIBCRYPTO=-L.. -lcrypto
++
+ SRC= $(LIBSRC) fips_standalone_sha1.c
+
+ EXHEADER= fips.h fips_rand.h
+@@ -35,13 +40,15 @@ ALL= $(GENERAL) $(SRC) $(HEADER)
+ top:
+ (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+-all: lib
++all: lib exe
+
+ lib: $(LIBOBJ)
+ $(AR) $(LIB) $(LIBOBJ)
+ $(RANLIB) $(LIB) || echo Never mind.
+ @touch lib
+
++exe: $(EXE)
++
+ files:
+ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+
+@@ -77,5 +84,9 @@ dclean:
+ clean:
+ rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
++$(EXE): $(PROGRAM).o
++ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../sha/$$i" ; done; \
++ $(CC) -o $@ $(CFLAGS) $(PROGRAM).o $$FIPS_SHA_ASM
++
+ # DO NOT DELETE THIS LINE -- make depend depends on it.
+
diff --git a/openssl-1.0.0-beta3-fipsrng.patch b/openssl-1.0.0-beta3-fipsrng.patch
new file mode 100644
index 0000000..6040421
--- /dev/null
+++ b/openssl-1.0.0-beta3-fipsrng.patch
@@ -0,0 +1,79 @@
+diff -up openssl-1.0.0-beta3/crypto/fips/fips.c.fipsrng openssl-1.0.0-beta3/crypto/fips/fips.c
+--- openssl-1.0.0-beta3/crypto/fips/fips.c.fipsrng 2009-08-11 18:12:14.000000000 +0200
++++ openssl-1.0.0-beta3/crypto/fips/fips.c 2009-08-11 18:14:36.000000000 +0200
+@@ -427,22 +427,22 @@ int FIPS_mode_set(int onoff)
+ goto end;
+ }
+
++ /* now switch the RNG into FIPS mode */
++ fips_set_rand_check(FIPS_rand_method());
++ RAND_set_rand_method(FIPS_rand_method());
++
+ /* automagically seed PRNG if not already seeded */
+ if(!FIPS_rand_status())
+ {
+- if(RAND_bytes(buf,sizeof buf) <= 0)
++ RAND_poll();
++ if (!FIPS_rand_status())
+ {
+ fips_selftest_fail = 1;
+ ret = 0;
+ goto end;
+ }
+- FIPS_rand_set_key(buf,32);
+- FIPS_rand_seed(buf+32,16);
+ }
+
+- /* now switch into FIPS mode */
+- fips_set_rand_check(FIPS_rand_method());
+- RAND_set_rand_method(FIPS_rand_method());
+ if(FIPS_selftest())
+ fips_set_mode(1);
+ else
+diff -up openssl-1.0.0-beta3/crypto/fips/fips_rand.c.fipsrng openssl-1.0.0-beta3/crypto/fips/fips_rand.c
+--- openssl-1.0.0-beta3/crypto/fips/fips_rand.c.fipsrng 2009-08-11 18:12:14.000000000 +0200
++++ openssl-1.0.0-beta3/crypto/fips/fips_rand.c 2009-08-11 18:16:48.000000000 +0200
+@@ -155,7 +155,18 @@ static int fips_set_prng_seed(FIPS_PRNG_
+ {
+ int i;
+ if (!ctx->keyed)
+- return 0;
++ {
++ FIPS_RAND_SIZE_T keylen = 16;
++
++ if (seedlen - keylen < AES_BLOCK_LENGTH)
++ return 0;
++ if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
++ keylen += 8;
++ if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
++ keylen += 8;
++ seedlen -= keylen;
++ fips_set_prng_key(ctx, seed+seedlen, keylen);
++ }
+ /* In test mode seed is just supplied data */
+ if (ctx->test_mode)
+ {
+@@ -276,6 +287,7 @@ static int fips_rand(FIPS_PRNG_CTX *ctx,
+ unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
+ unsigned char tmp[AES_BLOCK_LENGTH];
+ int i;
++ FIPS_selftest_check();
+ if (ctx->error)
+ {
+ RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR);
+diff -up openssl-1.0.0-beta3/crypto/rand/rand_lcl.h.fipsrng openssl-1.0.0-beta3/crypto/rand/rand_lcl.h
+--- openssl-1.0.0-beta3/crypto/rand/rand_lcl.h.fipsrng 2009-08-11 18:12:13.000000000 +0200
++++ openssl-1.0.0-beta3/crypto/rand/rand_lcl.h 2009-08-11 18:18:13.000000000 +0200
+@@ -112,8 +112,11 @@
+ #ifndef HEADER_RAND_LCL_H
+ #define HEADER_RAND_LCL_H
+
++#ifndef OPENSSL_FIPS
+ #define ENTROPY_NEEDED 32 /* require 256 bits = 32 bytes of randomness */
+-
++#else
++#define ENTROPY_NEEDED 48 /* we need 48 bytes of randomness for FIPS rng */
++#endif
+
+ #if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
+ #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
diff --git a/openssl-1.0.0-beta3-soversion.patch b/openssl-1.0.0-beta3-soversion.patch
new file mode 100644
index 0000000..3836e89
--- /dev/null
+++ b/openssl-1.0.0-beta3-soversion.patch
@@ -0,0 +1,44 @@
+diff -up openssl-1.0.0-beta3/Configure.soversion openssl-1.0.0-beta3/Configure
+--- openssl-1.0.0-beta3/Configure.soversion 2009-08-04 23:06:52.000000000 +0200
++++ openssl-1.0.0-beta3/Configure 2009-08-04 23:06:52.000000000 +0200
+@@ -1514,7 +1514,7 @@ while (<IN>)
+ elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
+ {
+ my $sotmp = $1;
+- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
++ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
+ }
+ elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
+ {
+diff -up openssl-1.0.0-beta3/Makefile.org.soversion openssl-1.0.0-beta3/Makefile.org
+--- openssl-1.0.0-beta3/Makefile.org.soversion 2009-08-04 23:06:52.000000000 +0200
++++ openssl-1.0.0-beta3/Makefile.org 2009-08-04 23:11:01.000000000 +0200
+@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
+ SHLIB_MAJOR=
+ SHLIB_MINOR=
+ SHLIB_EXT=
++SHLIB_SONAMEVER=10
+ PLATFORM=dist
+ OPTIONS=
+ CONFIGURE_ARGS=
+@@ -289,10 +290,9 @@ clean-shared:
+ link-shared:
+ @ set -e; for i in $(SHLIBDIRS); do \
+ $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
+- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
++ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
+ LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
+ symlink.$(SHLIB_TARGET); \
+- libs="$$libs -l$$i"; \
+ done
+
+ build-shared: do_$(SHLIB_TARGET) link-shared
+@@ -303,7 +303,7 @@ do_$(SHLIB_TARGET):
+ libs="$(LIBKRB5) $$libs"; \
+ fi; \
+ $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
+- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
++ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
+ LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
+ LIBDEPS="$$libs $(EX_LIBS)" \
+ link_a.$(SHLIB_TARGET); \
diff --git a/openssl-1.0.0-beta4-dtls1-abi.patch b/openssl-1.0.0-beta4-dtls1-abi.patch
new file mode 100644
index 0000000..a50f55d
--- /dev/null
+++ b/openssl-1.0.0-beta4-dtls1-abi.patch
@@ -0,0 +1,25 @@
+Adding struct member is ABI breaker however as the structure is always allocated by
+the library calls we just move it to the end and it should be reasonably safe.
+diff -up openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi openssl-1.0.0-beta4/ssl/dtls1.h
+--- openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi 2009-11-12 14:34:37.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/dtls1.h 2009-11-12 14:47:57.000000000 +0100
+@@ -216,9 +216,6 @@ typedef struct dtls1_state_st
+ */
+ record_pqueue buffered_app_data;
+
+- /* Is set when listening for new connections with dtls1_listen() */
+- unsigned int listen;
+-
+ unsigned int mtu; /* max DTLS packet size */
+
+ struct hm_header_st w_msg_hdr;
+@@ -242,6 +239,9 @@ typedef struct dtls1_state_st
+ unsigned int retransmitting;
+ unsigned int change_cipher_spec_ok;
+
++ /* Is set when listening for new connections with dtls1_listen() */
++ unsigned int listen;
++
+ } DTLS1_STATE;
+
+ typedef struct dtls1_record_data_st
diff --git a/openssl-1.0.1-beta2-rpmbuild.patch b/openssl-1.0.0-beta4-redhat.patch
similarity index 66%
rename from openssl-1.0.1-beta2-rpmbuild.patch
rename to openssl-1.0.0-beta4-redhat.patch
index 0a5cef1..4356e41 100644
--- a/openssl-1.0.1-beta2-rpmbuild.patch
+++ b/openssl-1.0.0-beta4-redhat.patch
@@ -1,7 +1,7 @@
-diff -up openssl-1.0.1-beta2/Configure.rpmbuild openssl-1.0.1-beta2/Configure
---- openssl-1.0.1-beta2/Configure.rpmbuild 2012-01-05 01:07:34.000000000 +0100
-+++ openssl-1.0.1-beta2/Configure 2012-02-02 12:43:56.547409325 +0100
-@@ -343,23 +343,23 @@ my %table=(
+diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure
+--- openssl-1.0.0-beta4/Configure.redhat 2009-11-09 15:11:13.000000000 +0100
++++ openssl-1.0.0-beta4/Configure 2009-11-12 12:15:27.000000000 +0100
+@@ -336,32 +336,32 @@ my %table=(
####
# *-generic* is endian-neutral target, but ./config is free to
# throw in -D[BL]_ENDIAN, whichever appropriate...
@@ -27,19 +27,10 @@ diff -up openssl-1.0.1-beta2/Configure.rpmbuild openssl-1.0.1-beta2/Configure
+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
--"linux64-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
-+"linux64-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
- #### So called "highgprs" target for z/Architecture CPUs
- # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
- # /proc/cpuinfo. The idea is to preserve most significant bits of
-@@ -373,16 +373,16 @@ my %table=(
- # ldconfig and run-time linker to autodiscover. Unfortunately it
- # doesn't work just yet, because of couple of bugs in glibc
- # sysdeps/s390/dl-procinfo.c affecting ldconfig and ld.so.1...
--"linux32-s390x", "gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/highgprs",
-+"linux32-s390x", "gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::/highgprs",
+-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+-"linux-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
++"linux-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
#### SPARC Linux setups
# Ray Miller <ray.miller at computing-services.oxford.ac.uk> has patiently
# assisted with debugging of following two configs.
@@ -55,7 +46,7 @@ diff -up openssl-1.0.1-beta2/Configure.rpmbuild openssl-1.0.1-beta2/Configure
#### Alpha Linux with GNU C and Compaq C setups
# Special notes:
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
-@@ -396,8 +396,8 @@ my %table=(
+@@ -375,8 +375,8 @@ my %table=(
#
# <appro at fy.chalmers.se>
#
@@ -66,44 +57,3 @@ diff -up openssl-1.0.1-beta2/Configure.rpmbuild openssl-1.0.1-beta2/Configure
"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
-@@ -1678,7 +1678,7 @@ while (<IN>)
- elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
- {
- my $sotmp = $1;
-- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
-+ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
- }
- elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
- {
-diff -up openssl-1.0.1-beta2/Makefile.org.rpmbuild openssl-1.0.1-beta2/Makefile.org
---- openssl-1.0.1-beta2/Makefile.org.rpmbuild 2011-12-27 16:17:50.000000000 +0100
-+++ openssl-1.0.1-beta2/Makefile.org 2012-02-02 12:30:23.652495435 +0100
-@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
- SHLIB_MAJOR=
- SHLIB_MINOR=
- SHLIB_EXT=
-+SHLIB_SONAMEVER=10
- PLATFORM=dist
- OPTIONS=
- CONFIGURE_ARGS=
-@@ -333,10 +334,9 @@ clean-shared:
- link-shared:
- @ set -e; for i in $(SHLIBDIRS); do \
- $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
-- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
-+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
- LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
- symlink.$(SHLIB_TARGET); \
-- libs="$$libs -l$$i"; \
- done
-
- build-shared: do_$(SHLIB_TARGET) link-shared
-@@ -347,7 +347,7 @@ do_$(SHLIB_TARGET):
- libs="$(LIBKRB5) $$libs"; \
- fi; \
- $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
-- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
-+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
- LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
- LIBDEPS="$$libs $(EX_LIBS)" \
- link_a.$(SHLIB_TARGET); \
diff --git a/openssl-1.0.1-beta2-ssl-op-all.patch b/openssl-1.0.0-beta5-cipher-change.patch
similarity index 63%
rename from openssl-1.0.1-beta2-ssl-op-all.patch
rename to openssl-1.0.0-beta5-cipher-change.patch
index e803386..f3f00cd 100644
--- a/openssl-1.0.1-beta2-ssl-op-all.patch
+++ b/openssl-1.0.0-beta5-cipher-change.patch
@@ -1,7 +1,7 @@
-diff -up openssl-1.0.1-beta2/ssl/ssl.h.op-all openssl-1.0.1-beta2/ssl/ssl.h
---- openssl-1.0.1-beta2/ssl/ssl.h.op-all 2012-02-02 12:49:00.828035916 +0100
-+++ openssl-1.0.1-beta2/ssl/ssl.h 2012-02-02 12:52:27.297818182 +0100
-@@ -540,7 +540,7 @@ struct ssl_session_st
+diff -up openssl-1.0.0-beta5/ssl/ssl.h.cipher-change openssl-1.0.0-beta5/ssl/ssl.h
+--- openssl-1.0.0-beta5/ssl/ssl.h.cipher-change 2010-01-20 18:12:07.000000000 +0100
++++ openssl-1.0.0-beta5/ssl/ssl.h 2010-01-20 18:13:04.000000000 +0100
+@@ -513,7 +513,7 @@ typedef struct ssl_session_st
#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
/* Allow initial connection to servers that don't support RI */
#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
@@ -10,12 +10,12 @@ diff -up openssl-1.0.1-beta2/ssl/ssl.h.op-all openssl-1.0.1-beta2/ssl/ssl.h
#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */
-@@ -558,7 +558,7 @@ struct ssl_session_st
+@@ -530,7 +530,7 @@ typedef struct ssl_session_st
/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
* This used to be 0x000FFFFFL before 0.9.7. */
--#define SSL_OP_ALL 0x80000BFFL
-+#define SSL_OP_ALL 0x80000FF7L /* we still have to include SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS */
+-#define SSL_OP_ALL 0x80000FFFL
++#define SSL_OP_ALL 0x80000FF7L
/* DTLS options */
#define SSL_OP_NO_QUERY_MTU 0x00001000L
diff --git a/openssl-1.0.0-fips-aesni.patch b/openssl-1.0.0-fips-aesni.patch
new file mode 100644
index 0000000..c12e93e
--- /dev/null
+++ b/openssl-1.0.0-fips-aesni.patch
@@ -0,0 +1,47 @@
+diff -up openssl-1.0.0/crypto/engine/eng_aesni.c.fips-aesni openssl-1.0.0/crypto/engine/eng_aesni.c
+--- openssl-1.0.0/crypto/engine/eng_aesni.c.fips-aesni 2011-05-24 15:20:29.000000000 +0200
++++ openssl-1.0.0/crypto/engine/eng_aesni.c 2011-06-08 14:19:22.000000000 +0200
+@@ -323,7 +323,7 @@ static const EVP_CIPHER aesni_##ksize##_
+ EVP_CIPHER_block_size_##umode, \
+ ksize / 8, \
+ AES_BLOCK_SIZE, \
+- 0 | EVP_CIPH_##umode##_MODE, \
++ EVP_CIPH_FLAG_FIPS | EVP_CIPH_##umode##_MODE, \
+ aesni_init_key, \
+ aesni_cipher_##lmode, \
+ NULL, \
+diff -up openssl-1.0.0/crypto/fips/fips.c.fips-aesni openssl-1.0.0/crypto/fips/fips.c
+--- openssl-1.0.0/crypto/fips/fips.c.fips-aesni 2011-05-24 15:20:29.000000000 +0200
++++ openssl-1.0.0/crypto/fips/fips.c 2011-06-08 17:31:35.000000000 +0200
+@@ -55,6 +55,7 @@
+ #include <openssl/bio.h>
+ #include <openssl/hmac.h>
+ #include <openssl/rsa.h>
++#include <openssl/engine.h>
+ #include <string.h>
+ #include <limits.h>
+ #include <dlfcn.h>
+@@ -444,14 +445,17 @@ int FIPS_mode_set(int onoff)
+ }
+
+ if(FIPS_selftest())
+- fips_set_mode(1);
+- else
+ {
+- fips_selftest_fail = 1;
+- ret = 0;
+- goto end;
++ ENGINE_load_aesni();
++ if (FIPS_selftest_aes())
++ {
++ fips_set_mode(1);
++ ret = 1;
++ goto end;
++ }
+ }
+- ret = 1;
++ fips_selftest_fail = 1;
++ ret = 0;
+ goto end;
+ }
+ fips_set_mode(0);
diff --git a/openssl-1.0.0-name-hash.patch b/openssl-1.0.0-name-hash.patch
new file mode 100644
index 0000000..9098c0a
--- /dev/null
+++ b/openssl-1.0.0-name-hash.patch
@@ -0,0 +1,22 @@
+diff -up openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash openssl-1.0.0/crypto/x509/x509_cmp.c
+--- openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash 2010-01-12 18:27:10.000000000 +0100
++++ openssl-1.0.0/crypto/x509/x509_cmp.c 2010-04-06 16:44:52.000000000 +0200
+@@ -236,10 +236,17 @@ unsigned long X509_NAME_hash_old(X509_NA
+ {
+ unsigned long ret=0;
+ unsigned char md[16];
++ EVP_MD_CTX ctx;
+
+ /* Make sure X509_NAME structure contains valid cached encoding */
+ i2d_X509_NAME(x,NULL);
+- EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
++
++ EVP_MD_CTX_init(&ctx);
++ EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_ONESHOT | EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
++ EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)
++ && EVP_DigestUpdate(&ctx, x->bytes->data, x->bytes->length)
++ && EVP_DigestFinal_ex(&ctx, md, NULL);
++ EVP_MD_CTX_cleanup(&ctx);
+
+ ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
+ ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
diff --git a/openssl-1.0.0-sha2test.patch b/openssl-1.0.0-sha2test.patch
new file mode 100644
index 0000000..b8bd9e5
--- /dev/null
+++ b/openssl-1.0.0-sha2test.patch
@@ -0,0 +1,77 @@
+diff -up openssl-1.0.0/crypto/fips/fips.c.sha2test openssl-1.0.0/crypto/fips/fips.c
+--- openssl-1.0.0/crypto/fips/fips.c.sha2test 2011-09-12 15:07:42.000000000 +0200
++++ openssl-1.0.0/crypto/fips/fips.c 2011-09-26 11:03:17.000000000 +0200
+@@ -163,6 +163,7 @@ int FIPS_selftest()
+ {
+
+ return FIPS_selftest_sha1()
++ && FIPS_selftest_sha2()
+ && FIPS_selftest_hmac()
+ && FIPS_selftest_aes()
+ && FIPS_selftest_des()
+@@ -323,6 +324,8 @@ FIPSCHECK_verify(const char *libname, co
+ return 0;
+
+ hmacpath = make_hmac_path(path);
++ if (hmacpath == NULL)
++ return 0;
+
+ hf = fopen(hmacpath, "r");
+ if (hf == NULL) {
+@@ -627,6 +630,45 @@ int fips_cipher_test(EVP_CIPHER_CTX *ctx
+ return 1;
+ }
+
++static const unsigned char msg_sha256[] = { 0xfa, 0x48, 0x59, 0x2a, 0xe1, 0xae, 0x1f, 0x30,
++ 0xfc };
++static const unsigned char dig_sha256[] = { 0xf7, 0x26, 0xd8, 0x98, 0x47, 0x91, 0x68, 0x5b,
++ 0x9e, 0x39, 0xb2, 0x58, 0xbb, 0x75, 0xbf, 0x01,
++ 0x17, 0x0c, 0x84, 0x00, 0x01, 0x7a, 0x94, 0x83,
++ 0xf3, 0x0b, 0x15, 0x84, 0x4b, 0x69, 0x88, 0x8a };
++
++static const unsigned char msg_sha512[] = { 0x37, 0xd1, 0x35, 0x9d, 0x18, 0x41, 0xe9, 0xb7,
++ 0x6d, 0x9a, 0x13, 0xda, 0x5f, 0xf3, 0xbd };
++static const unsigned char dig_sha512[] = { 0x11, 0x13, 0xc4, 0x19, 0xed, 0x2b, 0x1d, 0x16,
++ 0x11, 0xeb, 0x9b, 0xbe, 0xf0, 0x7f, 0xcf, 0x44,
++ 0x8b, 0xd7, 0x57, 0xbd, 0x8d, 0xa9, 0x25, 0xb0,
++ 0x47, 0x25, 0xd6, 0x6c, 0x9a, 0x54, 0x7f, 0x8f,
++ 0x0b, 0x53, 0x1a, 0x10, 0x68, 0x32, 0x03, 0x38,
++ 0x82, 0xc4, 0x87, 0xc4, 0xea, 0x0e, 0xd1, 0x04,
++ 0xa9, 0x98, 0xc1, 0x05, 0xa3, 0xf3, 0xf8, 0xb1,
++ 0xaf, 0xbc, 0xd9, 0x78, 0x7e, 0xee, 0x3d, 0x43 };
++
++int FIPS_selftest_sha2(void)
++ {
++ unsigned char md[SHA512_DIGEST_LENGTH];
++
++ EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL);
++ if(memcmp(dig_sha256, md, sizeof(dig_sha256)))
++ {
++ FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++
++ EVP_Digest(msg_sha512, sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL);
++ if(memcmp(dig_sha512, md, sizeof(dig_sha512)))
++ {
++ FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++
++ return 1;
++ }
++
+ #if 0
+ /* The purpose of this is to ensure the error code exists and the function
+ * name is to keep the error checking script quiet
+diff -up openssl-1.0.0/crypto/fips/fips.h.sha2test openssl-1.0.0/crypto/fips/fips.h
+--- openssl-1.0.0/crypto/fips/fips.h.sha2test 2011-09-12 15:07:42.000000000 +0200
++++ openssl-1.0.0/crypto/fips/fips.h 2011-09-26 11:00:55.000000000 +0200
+@@ -72,6 +72,7 @@ int FIPS_selftest_failed(void);
+ void FIPS_selftest_check(void);
+ void FIPS_corrupt_sha1(void);
+ int FIPS_selftest_sha1(void);
++int FIPS_selftest_sha2(void);
+ void FIPS_corrupt_aes(void);
+ int FIPS_selftest_aes(void);
+ void FIPS_corrupt_des(void);
diff --git a/openssl-1.0.0a-fipsmode.patch b/openssl-1.0.0a-fipsmode.patch
new file mode 100644
index 0000000..352e74e
--- /dev/null
+++ b/openssl-1.0.0a-fipsmode.patch
@@ -0,0 +1,272 @@
+diff -up openssl-1.0.0a/crypto/engine/eng_all.c.fipsmode openssl-1.0.0a/crypto/engine/eng_all.c
+--- openssl-1.0.0a/crypto/engine/eng_all.c.fipsmode 2009-07-01 16:55:58.000000000 +0200
++++ openssl-1.0.0a/crypto/engine/eng_all.c 2010-06-04 13:32:13.000000000 +0200
+@@ -58,9 +58,23 @@
+
+ #include "cryptlib.h"
+ #include "eng_int.h"
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
+
+ void ENGINE_load_builtin_engines(void)
+ {
++#ifdef OPENSSL_FIPS
++ OPENSSL_init_library();
++ if (FIPS_mode()) {
++ /* We allow loading dynamic engine as a third party
++ engine might be FIPS validated.
++ User is disallowed to load non-validated engines
++ by security policy. */
++ ENGINE_load_dynamic();
++ return;
++ }
++#endif
+ #if 0
+ /* There's no longer any need for an "openssl" ENGINE unless, one day,
+ * it is the *only* way for standard builtin implementations to be be
+diff -up openssl-1.0.0a/crypto/evp/c_allc.c.fipsmode openssl-1.0.0a/crypto/evp/c_allc.c
+--- openssl-1.0.0a/crypto/evp/c_allc.c.fipsmode 2009-12-25 15:12:24.000000000 +0100
++++ openssl-1.0.0a/crypto/evp/c_allc.c 2010-06-04 13:32:13.000000000 +0200
+@@ -65,6 +65,11 @@
+ void OpenSSL_add_all_ciphers(void)
+ {
+
++#ifdef OPENSSL_FIPS
++ OPENSSL_init_library();
++ if(!FIPS_mode())
++ {
++#endif
+ #ifndef OPENSSL_NO_DES
+ EVP_add_cipher(EVP_des_cfb());
+ EVP_add_cipher(EVP_des_cfb1());
+@@ -221,4 +226,61 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
+ EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
+ #endif
++#ifdef OPENSSL_FIPS
++ }
++ else
++ {
++#ifndef OPENSSL_NO_DES
++ EVP_add_cipher(EVP_des_ede_cfb());
++ EVP_add_cipher(EVP_des_ede3_cfb());
++
++ EVP_add_cipher(EVP_des_ede_ofb());
++ EVP_add_cipher(EVP_des_ede3_ofb());
++
++ EVP_add_cipher(EVP_des_ede_cbc());
++ EVP_add_cipher(EVP_des_ede3_cbc());
++ EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
++ EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
++
++ EVP_add_cipher(EVP_des_ede());
++ EVP_add_cipher(EVP_des_ede3());
++#endif
++
++#ifndef OPENSSL_NO_AES
++ EVP_add_cipher(EVP_aes_128_ecb());
++ EVP_add_cipher(EVP_aes_128_cbc());
++ EVP_add_cipher(EVP_aes_128_cfb());
++ EVP_add_cipher(EVP_aes_128_cfb1());
++ EVP_add_cipher(EVP_aes_128_cfb8());
++ EVP_add_cipher(EVP_aes_128_ofb());
++#if 0
++ EVP_add_cipher(EVP_aes_128_ctr());
++#endif
++ EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
++ EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
++ EVP_add_cipher(EVP_aes_192_ecb());
++ EVP_add_cipher(EVP_aes_192_cbc());
++ EVP_add_cipher(EVP_aes_192_cfb());
++ EVP_add_cipher(EVP_aes_192_cfb1());
++ EVP_add_cipher(EVP_aes_192_cfb8());
++ EVP_add_cipher(EVP_aes_192_ofb());
++#if 0
++ EVP_add_cipher(EVP_aes_192_ctr());
++#endif
++ EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
++ EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
++ EVP_add_cipher(EVP_aes_256_ecb());
++ EVP_add_cipher(EVP_aes_256_cbc());
++ EVP_add_cipher(EVP_aes_256_cfb());
++ EVP_add_cipher(EVP_aes_256_cfb1());
++ EVP_add_cipher(EVP_aes_256_cfb8());
++ EVP_add_cipher(EVP_aes_256_ofb());
++#if 0
++ EVP_add_cipher(EVP_aes_256_ctr());
++#endif
++ EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
++ EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
++#endif
++ }
++#endif
+ }
+diff -up openssl-1.0.0a/crypto/evp/c_alld.c.fipsmode openssl-1.0.0a/crypto/evp/c_alld.c
+--- openssl-1.0.0a/crypto/evp/c_alld.c.fipsmode 2009-07-08 10:50:53.000000000 +0200
++++ openssl-1.0.0a/crypto/evp/c_alld.c 2010-06-04 13:32:13.000000000 +0200
+@@ -64,6 +64,11 @@
+
+ void OpenSSL_add_all_digests(void)
+ {
++#ifdef OPENSSL_FIPS
++ OPENSSL_init_library();
++ if (!FIPS_mode())
++ {
++#endif
+ #ifndef OPENSSL_NO_MD4
+ EVP_add_digest(EVP_md4());
+ #endif
+@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
+ #ifndef OPENSSL_NO_WHIRLPOOL
+ EVP_add_digest(EVP_whirlpool());
+ #endif
++#ifdef OPENSSL_FIPS
++ }
++ else
++ {
++#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
++ EVP_add_digest(EVP_sha1());
++ EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
++ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
++#ifndef OPENSSL_NO_DSA
++ EVP_add_digest(EVP_dss1());
++ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
++ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
++ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
++#endif
++#ifndef OPENSSL_NO_ECDSA
++ EVP_add_digest(EVP_ecdsa());
++#endif
++#endif
++#ifndef OPENSSL_NO_SHA256
++ EVP_add_digest(EVP_sha224());
++ EVP_add_digest(EVP_sha256());
++#endif
++#ifndef OPENSSL_NO_SHA512
++ EVP_add_digest(EVP_sha384());
++ EVP_add_digest(EVP_sha512());
++#endif
++ }
++#endif
+ }
+diff -up openssl-1.0.0a/crypto/o_init.c.fipsmode openssl-1.0.0a/crypto/o_init.c
+--- openssl-1.0.0a/crypto/o_init.c.fipsmode 2010-06-04 13:32:13.000000000 +0200
++++ openssl-1.0.0a/crypto/o_init.c 2010-06-04 13:32:13.000000000 +0200
+@@ -59,6 +59,43 @@
+ #include <e_os.h>
+ #include <openssl/err.h>
+
++#ifdef OPENSSL_FIPS
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <fcntl.h>
++#include <unistd.h>
++#include <errno.h>
++#include <stdlib.h>
++#include <openssl/fips.h>
++
++#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
++
++static void init_fips_mode(void)
++ {
++ char buf[2] = "0";
++ int fd;
++
++ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
++ {
++ buf[0] = '1';
++ }
++ else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
++ {
++ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
++ close(fd);
++ }
++ /* Failure reading the fips mode switch file means just not
++ * switching into FIPS mode. We would break too many things
++ * otherwise.
++ */
++
++ if (buf[0] == '1')
++ {
++ FIPS_mode_set(1);
++ }
++ }
++#endif
++
+ /* Perform any essential OpenSSL initialization operations.
+ * Currently only sets FIPS callbacks
+ */
+@@ -72,6 +109,7 @@ void OPENSSL_init_library(void)
+ #ifdef CRYPTO_MDEBUG
+ CRYPTO_malloc_debug_init();
+ #endif
++ init_fips_mode();
+ done = 1;
+ }
+ #endif
+diff -up openssl-1.0.0a/ssl/ssl_algs.c.fipsmode openssl-1.0.0a/ssl/ssl_algs.c
+--- openssl-1.0.0a/ssl/ssl_algs.c.fipsmode 2010-04-07 15:18:30.000000000 +0200
++++ openssl-1.0.0a/ssl/ssl_algs.c 2010-06-04 13:32:48.000000000 +0200
+@@ -64,6 +64,12 @@
+ int SSL_library_init(void)
+ {
+
++#ifdef OPENSSL_FIPS
++ OPENSSL_init_library();
++ if (!FIPS_mode())
++ {
++#endif
++
+ #ifndef OPENSSL_NO_DES
+ EVP_add_cipher(EVP_des_cbc());
+ EVP_add_cipher(EVP_des_ede3_cbc());
+@@ -127,6 +133,48 @@ int SSL_library_init(void)
+ EVP_add_digest(EVP_sha());
+ EVP_add_digest(EVP_dss());
+ #endif
++#ifdef OPENSSL_FIPS
++ }
++ else
++ {
++#ifndef OPENSSL_NO_DES
++ EVP_add_cipher(EVP_des_ede3_cbc());
++#endif
++#ifndef OPENSSL_NO_AES
++ EVP_add_cipher(EVP_aes_128_cbc());
++ EVP_add_cipher(EVP_aes_192_cbc());
++ EVP_add_cipher(EVP_aes_256_cbc());
++#endif
++#ifndef OPENSSL_NO_MD5
++ /* needed even in the FIPS mode for TLS MAC */
++ EVP_add_digest(EVP_md5());
++ EVP_add_digest_alias(SN_md5,"ssl2-md5");
++ EVP_add_digest_alias(SN_md5,"ssl3-md5");
++#endif
++#ifndef OPENSSL_NO_SHA
++ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
++ EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
++ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
++#endif
++#ifndef OPENSSL_NO_SHA256
++ EVP_add_digest(EVP_sha224());
++ EVP_add_digest(EVP_sha256());
++#endif
++#ifndef OPENSSL_NO_SHA512
++ EVP_add_digest(EVP_sha384());
++ EVP_add_digest(EVP_sha512());
++#endif
++#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
++ EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
++ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
++ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
++ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
++#endif
++#ifndef OPENSSL_NO_ECDSA
++ EVP_add_digest(EVP_ecdsa());
++#endif
++ }
++#endif
+ #ifndef OPENSSL_NO_COMP
+ /* This will initialise the built-in compression algorithms.
+ The value returned is a STACK_OF(SSL_COMP), but that can
diff --git a/openssl-1.0.0a-manfix.patch b/openssl-1.0.0a-manfix.patch
new file mode 100644
index 0000000..0d3dc04
--- /dev/null
+++ b/openssl-1.0.0a-manfix.patch
@@ -0,0 +1,21 @@
+diff -up openssl-1.0.0a/doc/apps/openssl.pod.manfix openssl-1.0.0a/doc/apps/openssl.pod
+--- openssl-1.0.0a/doc/apps/openssl.pod.manfix 2010-01-21 19:46:28.000000000 +0100
++++ openssl-1.0.0a/doc/apps/openssl.pod 2010-06-30 14:24:50.000000000 +0200
+@@ -287,8 +287,6 @@ SHA Digest
+
+ SHA-1 Digest
+
+-=back
+-
+ =item B<sha224>
+
+ SHA-224 Digest
+@@ -305,6 +303,8 @@ SHA-384 Digest
+
+ SHA-512 Digest
+
++=back
++
+ =head2 ENCODING AND CIPHER COMMANDS
+
+ =over 10
diff --git a/openssl-1.0.0b-aesni.patch b/openssl-1.0.0b-aesni.patch
new file mode 100644
index 0000000..1dda6bf
--- /dev/null
+++ b/openssl-1.0.0b-aesni.patch
@@ -0,0 +1,2388 @@
+diff -up openssl-1.0.0b/Configure.aesni openssl-1.0.0b/Configure
+--- openssl-1.0.0b/Configure.aesni 2010-11-16 17:33:22.000000000 +0100
++++ openssl-1.0.0b/Configure 2010-11-16 17:35:15.000000000 +0100
+@@ -123,11 +123,11 @@ my $tlib="-lnsl -lsocket";
+ my $bits1="THIRTY_TWO_BIT ";
+ my $bits2="SIXTY_FOUR_BIT ";
+
+-my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o:des-586.o crypt586.o:aes-586.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o";
++my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o:des-586.o crypt586.o:aes-586.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o";
+
+ my $x86_elf_asm="$x86_asm:elf";
+
+-my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o::aes-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o";
++my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o::aes-x86_64.o aesni-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o";
+ my $ia64_asm="ia64cpuid.o:bn-ia64.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o:::::void";
+ my $sparcv9_asm="sparcv9cap.o sparccpuid.o:bn-sparcv9.o sparcv9-mont.o sparcv9a-mont.o:des_enc-sparc.o fcrypt_b.o:aes_core.o aes_cbc.o aes-sparcv9.o:::sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o:::::::void";
+ my $sparcv8_asm=":sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::::void";
+@@ -491,7 +491,7 @@ my %table=(
+ #
+ # Win64 targets, WIN64I denotes IA-64 and WIN64A - AMD64
+ "VC-WIN64I","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ias:win32",
+-"VC-WIN64A","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:x86_64cpuid.o:bn_asm.o x86_64-mont.o::aes-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:auto:win32",
++"VC-WIN64A","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:x86_64cpuid.o:bn_asm.o x86_64-mont.o::aes-x86_64.o aesni-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:auto:win32",
+ "debug-VC-WIN64I","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ias:win32",
+ "debug-VC-WIN64A","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:x86_64cpuid.o:bn_asm.o x86_64-mont.o::aes-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:auto:win32",
+ # x86 Win32 target defaults to ANSI API, if you want UNICODE, complement
+@@ -1419,6 +1419,7 @@ if ($rmd160_obj =~ /\.o$/)
+ if ($aes_obj =~ /\.o$/)
+ {
+ $cflags.=" -DAES_ASM";
++ $aes_obj =~ s/\s*aesni\-x86\.o// if ($no_sse2);
+ }
+ else {
+ $aes_obj=$aes_enc;
+diff -up openssl-1.0.0b/crypto/aes/asm/aesni-x86.pl.aesni openssl-1.0.0b/crypto/aes/asm/aesni-x86.pl
+--- openssl-1.0.0b/crypto/aes/asm/aesni-x86.pl.aesni 2010-11-16 17:33:23.000000000 +0100
++++ openssl-1.0.0b/crypto/aes/asm/aesni-x86.pl 2010-11-16 17:33:23.000000000 +0100
+@@ -0,0 +1,765 @@
++#!/usr/bin/env perl
++
++# ====================================================================
++# Written by Andy Polyakov <appro at fy.chalmers.se> for the OpenSSL
++# project. The module is, however, dual licensed under OpenSSL and
++# CRYPTOGAMS licenses depending on where you obtain it. For further
++# details see http://www.openssl.org/~appro/cryptogams/.
++# ====================================================================
++#
++# This module implements support for Intel AES-NI extension. In
++# OpenSSL context it's used with Intel engine, but can also be used as
++# drop-in replacement for crypto/aes/asm/aes-586.pl [see below for
++# details].
++
++$PREFIX="aesni"; # if $PREFIX is set to "AES", the script
++ # generates drop-in replacement for
++ # crypto/aes/asm/aes-586.pl:-)
++
++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
++push(@INC,"${dir}","${dir}../../perlasm");
++require "x86asm.pl";
++
++&asm_init($ARGV[0],$0);
++
++$movekey = eval($RREFIX eq "aseni" ? "*movaps" : "*movups");
++
++$len="eax";
++$rounds="ecx";
++$key="edx";
++$inp="esi";
++$out="edi";
++$rounds_="ebx"; # backup copy for $rounds
++$key_="ebp"; # backup copy for $key
++
++$inout0="xmm0";
++$inout1="xmm1";
++$inout2="xmm2";
++$rndkey0="xmm3";
++$rndkey1="xmm4";
++$ivec="xmm5";
++$in0="xmm6";
++$in1="xmm7"; $inout3="xmm7";
++
++# Inline version of internal aesni_[en|de]crypt1
++sub aesni_inline_generate1
++{ my $p=shift;
++
++ &$movekey ($rndkey0,&QWP(0,$key));
++ &$movekey ($rndkey1,&QWP(16,$key));
++ &lea ($key,&DWP(32,$key));
++ &pxor ($inout0,$rndkey0);
++ &set_label("${p}1_loop");
++ eval"&aes${p} ($inout0,$rndkey1)";
++ &dec ($rounds);
++ &$movekey ($rndkey1,&QWP(0,$key));
++ &lea ($key,&DWP(16,$key));
++ &jnz (&label("${p}1_loop"));
++ eval"&aes${p}last ($inout0,$rndkey1)";
++}
++
++sub aesni_generate1 # fully unrolled loop
++{ my $p=shift;
++
++ &function_begin_B("_aesni_${p}rypt1");
++ &$movekey ($rndkey0,&QWP(0,$key));
++ &$movekey ($rndkey1,&QWP(0x10,$key));
++ &cmp ($rounds,11);
++ &pxor ($inout0,$rndkey0);
++ &$movekey ($rndkey0,&QWP(0x20,$key));
++ &lea ($key,&DWP(0x30,$key));
++ &jb (&label("${p}128"));
++ &lea ($key,&DWP(0x20,$key));
++ &je (&label("${p}192"));
++ &lea ($key,&DWP(0x20,$key));
++ eval"&aes${p} ($inout0,$rndkey1)";
++ &$movekey ($rndkey1,&QWP(-0x40,$key));
++ eval"&aes${p} ($inout0,$rndkey0)";
++ &$movekey ($rndkey0,&QWP(-0x30,$key));
++ &set_label("${p}192");
++ eval"&aes${p} ($inout0,$rndkey1)";
++ &$movekey ($rndkey1,&QWP(-0x20,$key));
++ eval"&aes${p} ($inout0,$rndkey0)";
++ &$movekey ($rndkey0,&QWP(-0x10,$key));
++ &set_label("${p}128");
++ eval"&aes${p} ($inout0,$rndkey1)";
++ &$movekey ($rndkey1,&QWP(0,$key));
++ eval"&aes${p} ($inout0,$rndkey0)";
++ &$movekey ($rndkey0,&QWP(0x10,$key));
++ eval"&aes${p} ($inout0,$rndkey1)";
++ &$movekey ($rndkey1,&QWP(0x20,$key));
++ eval"&aes${p} ($inout0,$rndkey0)";
++ &$movekey ($rndkey0,&QWP(0x30,$key));
++ eval"&aes${p} ($inout0,$rndkey1)";
++ &$movekey ($rndkey1,&QWP(0x40,$key));
++ eval"&aes${p} ($inout0,$rndkey0)";
++ &$movekey ($rndkey0,&QWP(0x50,$key));
++ eval"&aes${p} ($inout0,$rndkey1)";
++ &$movekey ($rndkey1,&QWP(0x60,$key));
++ eval"&aes${p} ($inout0,$rndkey0)";
++ &$movekey ($rndkey0,&QWP(0x70,$key));
++ eval"&aes${p} ($inout0,$rndkey1)";
++ eval"&aes${p}last ($inout0,$rndkey0)";
++ &ret();
++ &function_end_B("_aesni_${p}rypt1");
++}
++
++# void $PREFIX_encrypt (const void *inp,void *out,const AES_KEY *key);
++# &aesni_generate1("dec");
++&function_begin_B("${PREFIX}_encrypt");
++ &mov ("eax",&wparam(0));
++ &mov ($key,&wparam(2));
++ &movups ($inout0,&QWP(0,"eax"));
++ &mov ($rounds,&DWP(240,$key));
++ &mov ("eax",&wparam(1));
++ &aesni_inline_generate1("enc"); # &call ("_aesni_encrypt1");
++ &movups (&QWP(0,"eax"),$inout0);
++ &ret ();
++&function_end_B("${PREFIX}_encrypt");
++
++# void $PREFIX_decrypt (const void *inp,void *out,const AES_KEY *key);
++# &aesni_generate1("dec");
++&function_begin_B("${PREFIX}_decrypt");
++ &mov ("eax",&wparam(0));
++ &mov ($key,&wparam(2));
++ &movups ($inout0,&QWP(0,"eax"));
++ &mov ($rounds,&DWP(240,$key));
++ &mov ("eax",&wparam(1));
++ &aesni_inline_generate1("dec"); # &call ("_aesni_decrypt1");
++ &movups (&QWP(0,"eax"),$inout0);
++ &ret ();
++&function_end_B("${PREFIX}_decrypt");
++�
++# _aesni_[en|de]crypt[34] are private interfaces, N denotes interleave
++# factor. Why 3x subroutine is used in loops? Even though aes[enc|dec]
++# latency is 6, it turned out that it can be scheduled only every
++# *second* cycle. Thus 3x interleave is the one providing optimal
++# utilization, i.e. when subroutine's throughput is virtually same as
++# of non-interleaved subroutine [for number of input blocks up to 3].
++# This is why it makes no sense to implement 2x subroutine. As soon
++# as/if Intel improves throughput by making it possible to schedule
++# the instructions in question *every* cycles I would have to
++# implement 6x interleave and use it in loop...
++sub aesni_generate3
++{ my $p=shift;
++
++ &function_begin_B("_aesni_${p}rypt3");
++ &$movekey ($rndkey0,&QWP(0,$key));
++ &shr ($rounds,1);
++ &$movekey ($rndkey1,&QWP(16,$key));
++ &lea ($key,&DWP(32,$key));
++ &pxor ($inout0,$rndkey0);
++ &pxor ($inout1,$rndkey0);
++ &pxor ($inout2,$rndkey0);
++ &jmp (&label("${p}3_loop"));
++ &set_label("${p}3_loop",16);
++ eval"&aes${p} ($inout0,$rndkey1)";
++ &$movekey ($rndkey0,&QWP(0,$key));
++ eval"&aes${p} ($inout1,$rndkey1)";
++ &dec ($rounds);
++ eval"&aes${p} ($inout2,$rndkey1)";
++ &$movekey ($rndkey1,&QWP(16,$key));
++ eval"&aes${p} ($inout0,$rndkey0)";
++ &lea ($key,&DWP(32,$key));
++ eval"&aes${p} ($inout1,$rndkey0)";
++ eval"&aes${p} ($inout2,$rndkey0)";
++ &jnz (&label("${p}3_loop"));
++ eval"&aes${p} ($inout0,$rndkey1)";
++ &$movekey ($rndkey0,&QWP(0,$key));
++ eval"&aes${p} ($inout1,$rndkey1)";
++ eval"&aes${p} ($inout2,$rndkey1)";
++ eval"&aes${p}last ($inout0,$rndkey0)";
++ eval"&aes${p}last ($inout1,$rndkey0)";
++ eval"&aes${p}last ($inout2,$rndkey0)";
++ &ret();
++ &function_end_B("_aesni_${p}rypt3");
++}
++
++# 4x interleave is implemented to improve small block performance,
++# most notably [and naturally] 4 block by ~30%. One can argue that one
++# should have implemented 5x as well, but improvement would be <20%,
++# so it's not worth it...
++sub aesni_generate4
++{ my $p=shift;
++
++ &function_begin_B("_aesni_${p}rypt4");
++ &$movekey ($rndkey0,&QWP(0,$key));
++ &$movekey ($rndkey1,&QWP(16,$key));
++ &shr ($rounds,1);
++ &lea ($key,&DWP(32,$key));
++ &pxor ($inout0,$rndkey0);
++ &pxor ($inout1,$rndkey0);
++ &pxor ($inout2,$rndkey0);
++ &pxor ($inout3,$rndkey0);
++ &jmp (&label("${p}3_loop"));
++ &set_label("${p}3_loop",16);
++ eval"&aes${p} ($inout0,$rndkey1)";
++ &$movekey ($rndkey0,&QWP(0,$key));
++ eval"&aes${p} ($inout1,$rndkey1)";
++ &dec ($rounds);
++ eval"&aes${p} ($inout2,$rndkey1)";
++ eval"&aes${p} ($inout3,$rndkey1)";
++ &$movekey ($rndkey1,&QWP(16,$key));
++ eval"&aes${p} ($inout0,$rndkey0)";
++ &lea ($key,&DWP(32,$key));
++ eval"&aes${p} ($inout1,$rndkey0)";
++ eval"&aes${p} ($inout2,$rndkey0)";
++ eval"&aes${p} ($inout3,$rndkey0)";
++ &jnz (&label("${p}3_loop"));
++ eval"&aes${p} ($inout0,$rndkey1)";
++ &$movekey ($rndkey0,&QWP(0,$key));
++ eval"&aes${p} ($inout1,$rndkey1)";
++ eval"&aes${p} ($inout2,$rndkey1)";
++ eval"&aes${p} ($inout3,$rndkey1)";
++ eval"&aes${p}last ($inout0,$rndkey0)";
++ eval"&aes${p}last ($inout1,$rndkey0)";
++ eval"&aes${p}last ($inout2,$rndkey0)";
++ eval"&aes${p}last ($inout3,$rndkey0)";
++ &ret();
++ &function_end_B("_aesni_${p}rypt4");
++}
++&aesni_generate3("enc") if ($PREFIX eq "aesni");
++&aesni_generate3("dec");
++&aesni_generate4("enc") if ($PREFIX eq "aesni");
++&aesni_generate4("dec");
++
++if ($PREFIX eq "aesni") {
++# void aesni_ecb_encrypt (const void *in, void *out,
++# size_t length, const AES_KEY *key,
++# int enc);
++&function_begin("aesni_ecb_encrypt");
++ &mov ($inp,&wparam(0));
++ &mov ($out,&wparam(1));
++ &mov ($len,&wparam(2));
++ &mov ($key,&wparam(3));
++ &mov ($rounds,&wparam(4));
++ &cmp ($len,16);
++ &jb (&label("ecb_ret"));
++ &and ($len,-16);
++ &test ($rounds,$rounds)
++ &mov ($rounds,&DWP(240,$key));
++ &mov ($key_,$key); # backup $key
++ &mov ($rounds_,$rounds); # backup $rounds
++ &jz (&label("ecb_decrypt"));
++
++ &sub ($len,0x40);
++ &jbe (&label("ecb_enc_tail"));
++ &jmp (&label("ecb_enc_loop3"));
++
++&set_label("ecb_enc_loop3",16);
++ &movups ($inout0,&QWP(0,$inp));
++ &movups ($inout1,&QWP(0x10,$inp));
++ &movups ($inout2,&QWP(0x20,$inp));
++ &call ("_aesni_encrypt3");
++ &sub ($len,0x30);
++ &lea ($inp,&DWP(0x30,$inp));
++ &lea ($out,&DWP(0x30,$out));
++ &movups (&QWP(-0x30,$out),$inout0);
++ &mov ($key,$key_); # restore $key
++ &movups (&QWP(-0x20,$out),$inout1);
++ &mov ($rounds,$rounds_); # restore $rounds
++ &movups (&QWP(-0x10,$out),$inout2);
++ &ja (&label("ecb_enc_loop3"));
++
++&set_label("ecb_enc_tail");
++ &add ($len,0x40);
++ &jz (&label("ecb_ret"));
++
++ &cmp ($len,0x10);
++ &movups ($inout0,&QWP(0,$inp));
++ &je (&label("ecb_enc_one"));
++ &cmp ($len,0x20);
++ &movups ($inout1,&QWP(0x10,$inp));
++ &je (&label("ecb_enc_two"));
++ &cmp ($len,0x30);
++ &movups ($inout2,&QWP(0x20,$inp));
++ &je (&label("ecb_enc_three"));
++ &movups ($inout3,&QWP(0x30,$inp));
++ &call ("_aesni_encrypt4");
++ &movups (&QWP(0,$out),$inout0);
++ &movups (&QWP(0x10,$out),$inout1);
++ &movups (&QWP(0x20,$out),$inout2);
++ &movups (&QWP(0x30,$out),$inout3);
++ jmp (&label("ecb_ret"));
++
++&set_label("ecb_enc_one",16);
++ &aesni_inline_generate1("enc"); # &call ("_aesni_encrypt1");
++ &movups (&QWP(0,$out),$inout0);
++ &jmp (&label("ecb_ret"));
++
++&set_label("ecb_enc_two",16);
++ &call ("_aesni_encrypt3");
++ &movups (&QWP(0,$out),$inout0);
++ &movups (&QWP(0x10,$out),$inout1);
++ &jmp (&label("ecb_ret"));
++
++&set_label("ecb_enc_three",16);
++ &call ("_aesni_encrypt3");
++ &movups (&QWP(0,$out),$inout0);
++ &movups (&QWP(0x10,$out),$inout1);
++ &movups (&QWP(0x20,$out),$inout2);
++ &jmp (&label("ecb_ret"));
++
++&set_label("ecb_decrypt",16);
++ &sub ($len,0x40);
++ &jbe (&label("ecb_dec_tail"));
++ &jmp (&label("ecb_dec_loop3"));
++
++&set_label("ecb_dec_loop3",16);
++ &movups ($inout0,&QWP(0,$inp));
++ &movups ($inout1,&QWP(0x10,$inp));
++ &movups ($inout2,&QWP(0x20,$inp));
++ &call ("_aesni_decrypt3");
++ &sub ($len,0x30);
++ &lea ($inp,&DWP(0x30,$inp));
++ &lea ($out,&DWP(0x30,$out));
++ &movups (&QWP(-0x30,$out),$inout0);
++ &mov ($key,$key_); # restore $key
++ &movups (&QWP(-0x20,$out),$inout1);
++ &mov ($rounds,$rounds_); # restore $rounds
++ &movups (&QWP(-0x10,$out),$inout2);
++ &ja (&label("ecb_dec_loop3"));
++
++&set_label("ecb_dec_tail");
++ &add ($len,0x40);
++ &jz (&label("ecb_ret"));
++
++ &cmp ($len,0x10);
++ &movups ($inout0,&QWP(0,$inp));
++ &je (&label("ecb_dec_one"));
++ &cmp ($len,0x20);
++ &movups ($inout1,&QWP(0x10,$inp));
++ &je (&label("ecb_dec_two"));
++ &cmp ($len,0x30);
++ &movups ($inout2,&QWP(0x20,$inp));
++ &je (&label("ecb_dec_three"));
++ &movups ($inout3,&QWP(0x30,$inp));
++ &call ("_aesni_decrypt4");
++ &movups (&QWP(0,$out),$inout0);
++ &movups (&QWP(0x10,$out),$inout1);
++ &movups (&QWP(0x20,$out),$inout2);
++ &movups (&QWP(0x30,$out),$inout3);
++ &jmp (&label("ecb_ret"));
++
++&set_label("ecb_dec_one",16);
++ &aesni_inline_generate1("dec"); # &call ("_aesni_decrypt3");
++ &movups (&QWP(0,$out),$inout0);
++ &jmp (&label("ecb_ret"));
++
++&set_label("ecb_dec_two",16);
++ &call ("_aesni_decrypt3");
++ &movups (&QWP(0,$out),$inout0);
++ &movups (&QWP(0x10,$out),$inout1);
++ &jmp (&label("ecb_ret"));
++
++&set_label("ecb_dec_three",16);
++ &call ("_aesni_decrypt3");
++ &movups (&QWP(0,$out),$inout0);
++ &movups (&QWP(0x10,$out),$inout1);
++ &movups (&QWP(0x20,$out),$inout2);
++
++&set_label("ecb_ret");
++&function_end("aesni_ecb_encrypt");
++}
++
++# void $PREFIX_cbc_encrypt (const void *inp, void *out,
++# size_t length, const AES_KEY *key,
++# unsigned char *ivp,const int enc);
++&function_begin("${PREFIX}_cbc_encrypt");
++ &mov ($inp,&wparam(0));
++ &mov ($out,&wparam(1));
++ &mov ($len,&wparam(2));
++ &mov ($key,&wparam(3));
++ &test ($len,$len);
++ &mov ($key_,&wparam(4));
++ &jz (&label("cbc_ret"));
++
++ &cmp (&wparam(5),0);
++ &movups ($ivec,&QWP(0,$key_)); # load IV
++ &mov ($rounds,&DWP(240,$key));
++ &mov ($key_,$key); # backup $key
++ &mov ($rounds_,$rounds); # backup $rounds
++ &je (&label("cbc_decrypt"));
++
++ &movaps ($inout0,$ivec);
++ &cmp ($len,16);
++ &jb (&label("cbc_enc_tail"));
++ &sub ($len,16);
++ &jmp (&label("cbc_enc_loop"));
++
++&set_label("cbc_enc_loop",16);
++ &movups ($ivec,&QWP(0,$inp));
++ &lea ($inp,&DWP(16,$inp));
++ &pxor ($inout0,$ivec);
++ &aesni_inline_generate1("enc"); # &call ("_aesni_encrypt3");
++ &sub ($len,16);
++ &lea ($out,&DWP(16,$out));
++ &mov ($rounds,$rounds_); # restore $rounds
++ &mov ($key,$key_); # restore $key
++ &movups (&QWP(-16,$out),$inout0);
++ &jnc (&label("cbc_enc_loop"));
++ &add ($len,16);
++ &jnz (&label("cbc_enc_tail"));
++ &movaps ($ivec,$inout0);
++ &jmp (&label("cbc_ret"));
++
++&set_label("cbc_enc_tail");
++ &mov ("ecx",$len); # zaps $rounds
++ &data_word(0xA4F3F689); # rep movsb
++ &mov ("ecx",16); # zero tail
++ &sub ("ecx",$len);
++ &xor ("eax","eax"); # zaps $len
++ &data_word(0xAAF3F689); # rep stosb
++ &lea ($out,&DWP(-16,$out)); # rewind $out by 1 block
++ &mov ($rounds,$rounds_); # restore $rounds
++ &mov ($inp,$out); # $inp and $out are the same
++ &mov ($key,$key_); # restore $key
++ &jmp (&label("cbc_enc_loop"));
++
++&set_label("cbc_decrypt",16);
++ &sub ($len,0x40);
++ &jbe (&label("cbc_dec_tail"));
++ &jmp (&label("cbc_dec_loop3"));
++
++&set_label("cbc_dec_loop3",16);
++ &movups ($inout0,&QWP(0,$inp));
++ &movups ($inout1,&QWP(0x10,$inp));
++ &movups ($inout2,&QWP(0x20,$inp));
++ &movaps ($in0,$inout0);
++ &movaps ($in1,$inout1);
++ &call ("_aesni_decrypt3");
++ &sub ($len,0x30);
++ &lea ($inp,&DWP(0x30,$inp));
++ &lea ($out,&DWP(0x30,$out));
++ &pxor ($inout0,$ivec);
++ &pxor ($inout1,$in0);
++ &movups ($ivec,&QWP(-0x10,$inp));
++ &pxor ($inout2,$in1);
++ &movups (&QWP(-0x30,$out),$inout0);
++ &mov ($rounds,$rounds_) # restore $rounds
++ &movups (&QWP(-0x20,$out),$inout1);
++ &mov ($key,$key_); # restore $key
++ &movups (&QWP(-0x10,$out),$inout2);
++ &ja (&label("cbc_dec_loop3"));
++
++&set_label("cbc_dec_tail");
++ &add ($len,0x40);
++ &jz (&label("cbc_ret"));
++
++ &movups ($inout0,&QWP(0,$inp));
++ &cmp ($len,0x10);
++ &movaps ($in0,$inout0);
++ &jbe (&label("cbc_dec_one"));
++ &movups ($inout1,&QWP(0x10,$inp));
++ &cmp ($len,0x20);
++ &movaps ($in1,$inout1);
++ &jbe (&label("cbc_dec_two"));
++ &movups ($inout2,&QWP(0x20,$inp));
++ &cmp ($len,0x30);
++ &jbe (&label("cbc_dec_three"));
++ &movups ($inout3,&QWP(0x30,$inp));
++ &call ("_aesni_decrypt4");
++ &movups ($rndkey0,&QWP(0x10,$inp));
++ &movups ($rndkey1,&QWP(0x20,$inp));
++ &pxor ($inout0,$ivec);
++ &pxor ($inout1,$in0);
++ &movups ($ivec,&QWP(0x30,$inp));
++ &movups (&QWP(0,$out),$inout0);
++ &pxor ($inout2,$rndkey0);
++ &pxor ($inout3,$rndkey1);
++ &movups (&QWP(0x10,$out),$inout1);
++ &movups (&QWP(0x20,$out),$inout2);
++ &movaps ($inout0,$inout3);
++ &lea ($out,&DWP(0x30,$out));
++ &jmp (&label("cbc_dec_tail_collected"));
++
++&set_label("cbc_dec_one");
++ &aesni_inline_generate1("dec"); # &call ("_aesni_decrypt3");
++ &pxor ($inout0,$ivec);
++ &movaps ($ivec,$in0);
++ &jmp (&label("cbc_dec_tail_collected"));
++
++&set_label("cbc_dec_two");
++ &call ("_aesni_decrypt3");
++ &pxor ($inout0,$ivec);
++ &pxor ($inout1,$in0);
++ &movups (&QWP(0,$out),$inout0);
++ &movaps ($inout0,$inout1);
++ &movaps ($ivec,$in1);
++ &lea ($out,&DWP(0x10,$out));
++ &jmp (&label("cbc_dec_tail_collected"));
++
++&set_label("cbc_dec_three");
++ &call ("_aesni_decrypt3");
++ &pxor ($inout0,$ivec);
++ &pxor ($inout1,$in0);
++ &pxor ($inout2,$in1);
++ &movups (&QWP(0,$out),$inout0);
++ &movups (&QWP(0x10,$out),$inout1);
++ &movaps ($inout0,$inout2);
++ &movups ($ivec,&QWP(0x20,$inp));
++ &lea ($out,&DWP(0x20,$out));
++
++&set_label("cbc_dec_tail_collected");
++ &and ($len,15);
++ &jnz (&label("cbc_dec_tail_partial"));
++ &movups (&QWP(0,$out),$inout0);
++ &jmp (&label("cbc_ret"));
++
++&set_label("cbc_dec_tail_partial");
++ &mov ($key_,"esp");
++ &sub ("esp",16);
++ &and ("esp",-16);
++ &movaps (&QWP(0,"esp"),$inout0);
++ &mov ($inp,"esp");
++ &mov ("ecx",$len);
++ &data_word(0xA4F3F689); # rep movsb
++ &mov ("esp",$key_);
++
++&set_label("cbc_ret");
++ &mov ($key_,&wparam(4));
++ &movups (&QWP(0,$key_),$ivec); # output IV
++&function_end("${PREFIX}_cbc_encrypt");
++
++# Mechanical port from aesni-x86_64.pl.
++#
++# _aesni_set_encrypt_key is private interface,
++# input:
++# "eax" const unsigned char *userKey
++# $rounds int bits
++# $key AES_KEY *key
++# output:
++# "eax" return code
++# $round rounds
++
++&function_begin_B("_aesni_set_encrypt_key");
++ &test ("eax","eax");
++ &jz (&label("bad_pointer"));
++ &test ($key,$key);
++ &jz (&label("bad_pointer"));
++
++ &movups ("xmm0",&QWP(0,"eax")); # pull first 128 bits of *userKey
++ &pxor ("xmm4","xmm4"); # low dword of xmm4 is assumed 0
++ &lea ($key,&DWP(16,$key));
++ &cmp ($rounds,256);
++ &je (&label("14rounds"));
++ &cmp ($rounds,192);
++ &je (&label("12rounds"));
++ &cmp ($rounds,128);
++ &jne (&label("bad_keybits"));
++
++&set_label("10rounds",16);
++ &mov ($rounds,9);
++ &$movekey (&QWP(-16,$key),"xmm0"); # round 0
++ &aeskeygenassist("xmm1","xmm0",0x01); # round 1
++ &call (&label("key_128_cold"));
++ &aeskeygenassist("xmm1","xmm0",0x2); # round 2
++ &call (&label("key_128"));
++ &aeskeygenassist("xmm1","xmm0",0x04); # round 3
++ &call (&label("key_128"));
++ &aeskeygenassist("xmm1","xmm0",0x08); # round 4
++ &call (&label("key_128"));
++ &aeskeygenassist("xmm1","xmm0",0x10); # round 5
++ &call (&label("key_128"));
++ &aeskeygenassist("xmm1","xmm0",0x20); # round 6
++ &call (&label("key_128"));
++ &aeskeygenassist("xmm1","xmm0",0x40); # round 7
++ &call (&label("key_128"));
++ &aeskeygenassist("xmm1","xmm0",0x80); # round 8
++ &call (&label("key_128"));
++ &aeskeygenassist("xmm1","xmm0",0x1b); # round 9
++ &call (&label("key_128"));
++ &aeskeygenassist("xmm1","xmm0",0x36); # round 10
++ &call (&label("key_128"));
++ &$movekey (&QWP(0,$key),"xmm0");
++ &mov (&DWP(80,$key),$rounds);
++ &xor ("eax","eax");
++ &ret();
++
++&set_label("key_128",16);
++ &$movekey (&QWP(0,$key),"xmm0");
++ &lea ($key,&DWP(16,$key));
++&set_label("key_128_cold");
++ &shufps ("xmm4","xmm0",0b00010000);
++ &pxor ("xmm0","xmm4");
++ &shufps ("xmm4","xmm0",0b10001100,);
++ &pxor ("xmm0","xmm4");
++ &pshufd ("xmm1","xmm1",0b11111111); # critical path
++ &pxor ("xmm0","xmm1");
++ &ret();
++
++&set_label("12rounds",16);
++ &movq ("xmm2",&QWP(16,"eax")); # remaining 1/3 of *userKey
++ &mov ($rounds,11);
++ &$movekey (&QWP(-16,$key),"xmm0") # round 0
++ &aeskeygenassist("xmm1","xmm2",0x01); # round 1,2
++ &call (&label("key_192a_cold"));
++ &aeskeygenassist("xmm1","xmm2",0x02); # round 2,3
++ &call (&label("key_192b"));
++ &aeskeygenassist("xmm1","xmm2",0x04); # round 4,5
++ &call (&label("key_192a"));
++ &aeskeygenassist("xmm1","xmm2",0x08); # round 5,6
++ &call (&label("key_192b"));
++ &aeskeygenassist("xmm1","xmm2",0x10); # round 7,8
++ &call (&label("key_192a"));
++ &aeskeygenassist("xmm1","xmm2",0x20); # round 8,9
++ &call (&label("key_192b"));
++ &aeskeygenassist("xmm1","xmm2",0x40); # round 10,11
++ &call (&label("key_192a"));
++ &aeskeygenassist("xmm1","xmm2",0x80); # round 11,12
++ &call (&label("key_192b"));
++ &$movekey (&QWP(0,$key),"xmm0");
++ &mov (&DWP(48,$key),$rounds);
++ &xor ("eax","eax");
++ &ret();
++
++&set_label("key_192a",16);
++ &$movekey (&QWP(0,$key),"xmm0");
++ &lea ($key,&DWP(16,$key));
++&set_label("key_192a_cold",16);
++ &movaps ("xmm5","xmm2");
++&set_label("key_192b_warm");
++ &shufps ("xmm4","xmm0",0b00010000);
++ &movaps ("xmm3","xmm2");
++ &pxor ("xmm0","xmm4");
++ &shufps ("xmm4","xmm0",0b10001100);
++ &pslldq ("xmm3",4);
++ &pxor ("xmm0","xmm4");
++ &pshufd ("xmm1","xmm1",0b01010101); # critical path
++ &pxor ("xmm2","xmm3");
++ &pxor ("xmm0","xmm1");
++ &pshufd ("xmm3","xmm0",0b11111111);
++ &pxor ("xmm2","xmm3");
++ &ret();
++
++&set_label("key_192b",16);
++ &movaps ("xmm3","xmm0");
++ &shufps ("xmm5","xmm0",0b01000100);
++ &$movekey (&QWP(0,$key),"xmm5");
++ &shufps ("xmm3","xmm2",0b01001110);
++ &$movekey (&QWP(16,$key),"xmm3");
++ &lea ($key,&DWP(32,$key));
++ &jmp (&label("key_192b_warm"));
++
++&set_label("14rounds",16);
++ &movups ("xmm2",&QWP(16,"eax")); # remaining half of *userKey
++ &mov ($rounds,13);
++ &lea ($key,&DWP(16,$key));
++ &$movekey (&QWP(-32,$key),"xmm0"); # round 0
++ &$movekey (&QWP(-16,$key),"xmm2"); # round 1
++ &aeskeygenassist("xmm1","xmm2",0x01); # round 2
++ &call (&label("key_256a_cold"));
++ &aeskeygenassist("xmm1","xmm0",0x01); # round 3
++ &call (&label("key_256b"));
++ &aeskeygenassist("xmm1","xmm2",0x02); # round 4
++ &call (&label("key_256a"));
++ &aeskeygenassist("xmm1","xmm0",0x02); # round 5
++ &call (&label("key_256b"));
++ &aeskeygenassist("xmm1","xmm2",0x04); # round 6
++ &call (&label("key_256a"));
++ &aeskeygenassist("xmm1","xmm0",0x04); # round 7
++ &call (&label("key_256b"));
++ &aeskeygenassist("xmm1","xmm2",0x08); # round 8
++ &call (&label("key_256a"));
++ &aeskeygenassist("xmm1","xmm0",0x08); # round 9
++ &call (&label("key_256b"));
++ &aeskeygenassist("xmm1","xmm2",0x10); # round 10
++ &call (&label("key_256a"));
++ &aeskeygenassist("xmm1","xmm0",0x10); # round 11
++ &call (&label("key_256b"));
++ &aeskeygenassist("xmm1","xmm2",0x20); # round 12
++ &call (&label("key_256a"));
++ &aeskeygenassist("xmm1","xmm0",0x20); # round 13
++ &call (&label("key_256b"));
++ &aeskeygenassist("xmm1","xmm2",0x40); # round 14
++ &call (&label("key_256a"));
++ &$movekey (&QWP(0,$key),"xmm0");
++ &mov (&DWP(16,$key),$rounds);
++ &xor ("eax","eax");
++ &ret();
++
++&set_label("key_256a",16);
++ &$movekey (&QWP(0,$key),"xmm2");
++ &lea ($key,&DWP(16,$key));
++&set_label("key_256a_cold");
++ &shufps ("xmm4","xmm0",0b00010000);
++ &pxor ("xmm0","xmm4");
++ &shufps ("xmm4","xmm0",0b10001100);
++ &pxor ("xmm0","xmm4");
++ &pshufd ("xmm1","xmm1",0b11111111); # critical path
++ &pxor ("xmm0","xmm1");
++ &ret();
++
++&set_label("key_256b",16);
++ &$movekey (&QWP(0,$key),"xmm0");
++ &lea ($key,&DWP(16,$key));
++
++ &shufps ("xmm4","xmm2",0b00010000);
++ &pxor ("xmm2","xmm4");
++ &shufps ("xmm4","xmm2",0b10001100);
++ &pxor ("xmm2","xmm4");
++ &pshufd ("xmm1","xmm1",0b10101010); # critical path
++ &pxor ("xmm2","xmm1");
++ &ret();
++
++&set_label("bad_pointer",4);
++ &mov ("eax",-1);
++ &ret ();
++&set_label("bad_keybits",4);
++ &mov ("eax",-2);
++ &ret ();
++&function_end_B("_aesni_set_encrypt_key");
++
++# int $PREFIX_set_encrypt_key (const unsigned char *userKey, int bits,
++# AES_KEY *key)
++&function_begin_B("${PREFIX}_set_encrypt_key");
++ &mov ("eax",&wparam(0));
++ &mov ($rounds,&wparam(1));
++ &mov ($key,&wparam(2));
++ &call ("_aesni_set_encrypt_key");
++ &ret ();
++&function_end_B("${PREFIX}_set_encrypt_key");
++
++# int $PREFIX_set_decrypt_key (const unsigned char *userKey, int bits,
++# AES_KEY *key)
++&function_begin_B("${PREFIX}_set_decrypt_key");
++ &mov ("eax",&wparam(0));
++ &mov ($rounds,&wparam(1));
++ &mov ($key,&wparam(2));
++ &call ("_aesni_set_encrypt_key");
++ &mov ($key,&wparam(2));
++ &shl ($rounds,4) # rounds-1 after _aesni_set_encrypt_key
++ &test ("eax","eax");
++ &jnz (&label("dec_key_ret"));
++ &lea ("eax",&DWP(16,$key,$rounds)); # end of key schedule
++
++ &$movekey ("xmm0",&QWP(0,$key)); # just swap
++ &$movekey ("xmm1",&QWP(0,"eax"));
++ &$movekey (&QWP(0,"eax"),"xmm0");
++ &$movekey (&QWP(0,$key),"xmm1");
++ &lea ($key,&DWP(16,$key));
++ &lea ("eax",&DWP(-16,"eax"));
++
++&set_label("dec_key_inverse");
++ &$movekey ("xmm0",&QWP(0,$key)); # swap and inverse
++ &$movekey ("xmm1",&QWP(0,"eax"));
++ &aesimc ("xmm0","xmm0");
++ &aesimc ("xmm1","xmm1");
++ &lea ($key,&DWP(16,$key));
++ &lea ("eax",&DWP(-16,"eax"));
++ &cmp ("eax",$key);
++ &$movekey (&QWP(16,"eax"),"xmm0");
++ &$movekey (&QWP(-16,$key),"xmm1");
++ &ja (&label("dec_key_inverse"));
++
++ &$movekey ("xmm0",&QWP(0,$key)); # inverse middle
++ &aesimc ("xmm0","xmm0");
++ &$movekey (&QWP(0,$key),"xmm0");
++
++ &xor ("eax","eax"); # return success
++&set_label("dec_key_ret");
++ &ret ();
++&function_end_B("${PREFIX}_set_decrypt_key");
++&asciz("AES for Intel AES-NI, CRYPTOGAMS by <appro\@openssl.org>");
++
++&asm_finish();
+diff -up openssl-1.0.0b/crypto/aes/asm/aesni-x86_64.pl.aesni openssl-1.0.0b/crypto/aes/asm/aesni-x86_64.pl
+--- openssl-1.0.0b/crypto/aes/asm/aesni-x86_64.pl.aesni 2010-11-16 17:33:23.000000000 +0100
++++ openssl-1.0.0b/crypto/aes/asm/aesni-x86_64.pl 2010-11-16 17:33:23.000000000 +0100
+@@ -0,0 +1,991 @@
++#!/usr/bin/env perl
++#
++# ====================================================================
++# Written by Andy Polyakov <appro at fy.chalmers.se> for the OpenSSL
++# project. The module is, however, dual licensed under OpenSSL and
++# CRYPTOGAMS licenses depending on where you obtain it. For further
++# details see http://www.openssl.org/~appro/cryptogams/.
++# ====================================================================
++#
++# This module implements support for Intel AES-NI extension. In
++# OpenSSL context it's used with Intel engine, but can also be used as
++# drop-in replacement for crypto/aes/asm/aes-x86_64.pl [see below for
++# details].
++
++$PREFIX="aesni"; # if $PREFIX is set to "AES", the script
++ # generates drop-in replacement for
++ # crypto/aes/asm/aes-x86_64.pl:-)
++
++$flavour = shift;
++$output = shift;
++if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
++
++$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
++
++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
++( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
++( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
++die "can't locate x86_64-xlate.pl";
++
++open STDOUT,"| $^X $xlate $flavour $output";
++
++$movkey = $PREFIX eq "aesni" ? "movaps" : "movups";
++ at _4args=$win64? ("%rcx","%rdx","%r8", "%r9") : # Win64 order
++ ("%rdi","%rsi","%rdx","%rcx"); # Unix order
++
++$code=".text\n";
++
++$rounds="%eax"; # input to and changed by aesni_[en|de]cryptN !!!
++# this is natural Unix argument order for public $PREFIX_[ecb|cbc]_encrypt ...
++$inp="%rdi";
++$out="%rsi";
++$len="%rdx";
++$key="%rcx"; # input to and changed by aesni_[en|de]cryptN !!!
++$ivp="%r8"; # cbc
++
++$rnds_="%r10d"; # backup copy for $rounds
++$key_="%r11"; # backup copy for $key
++
++# %xmm register layout
++$inout0="%xmm0"; $inout1="%xmm1";
++$inout2="%xmm2"; $inout3="%xmm3";
++$rndkey0="%xmm4"; $rndkey1="%xmm5";
++
++$iv="%xmm6"; $in0="%xmm7"; # used in CBC decrypt
++$in1="%xmm8"; $in2="%xmm9";
++�
++# Inline version of internal aesni_[en|de]crypt1.
++#
++# Why folded loop? Because aes[enc|dec] is slow enough to accommodate
++# cycles which take care of loop variables...
++{ my $sn;
++sub aesni_generate1 {
++my ($p,$key,$rounds)=@_;
++++$sn;
++$code.=<<___;
++ $movkey ($key),$rndkey0
++ $movkey 16($key),$rndkey1
++ lea 32($key),$key
++ pxor $rndkey0,$inout0
++.Loop_${p}1_$sn:
++ aes${p} $rndkey1,$inout0
++ dec $rounds
++ $movkey ($key),$rndkey1
++ lea 16($key),$key
++ jnz .Loop_${p}1_$sn # loop body is 16 bytes
++ aes${p}last $rndkey1,$inout0
++___
++}}
++# void $PREFIX_[en|de]crypt (const void *inp,void *out,const AES_KEY *key);
++#
++{ my ($inp,$out,$key) = @_4args;
++
++$code.=<<___;
++.globl ${PREFIX}_encrypt
++.type ${PREFIX}_encrypt,\@abi-omnipotent
++.align 16
++${PREFIX}_encrypt:
++ movups ($inp),$inout0 # load input
++ mov 240($key),$rounds # pull $rounds
++___
++ &aesni_generate1("enc",$key,$rounds);
++$code.=<<___;
++ movups $inout0,($out) # output
++ ret
++.size ${PREFIX}_encrypt,.-${PREFIX}_encrypt
++
++.globl ${PREFIX}_decrypt
++.type ${PREFIX}_decrypt,\@abi-omnipotent
++.align 16
++${PREFIX}_decrypt:
++ movups ($inp),$inout0 # load input
++ mov 240($key),$rounds # pull $rounds
++___
++ &aesni_generate1("dec",$key,$rounds);
++$code.=<<___;
++ movups $inout0,($out) # output
++ ret
++.size ${PREFIX}_decrypt, .-${PREFIX}_decrypt
++___
++}
++�
++# _aesni_[en|de]crypt[34] are private interfaces, N denotes interleave
++# factor. Why 3x subroutine is used in loops? Even though aes[enc|dec]
++# latency is 6, it turned out that it can be scheduled only every
++# *second* cycle. Thus 3x interleave is the one providing optimal
++# utilization, i.e. when subroutine's throughput is virtually same as
++# of non-interleaved subroutine [for number of input blocks up to 3].
++# This is why it makes no sense to implement 2x subroutine. As soon
++# as/if Intel improves throughput by making it possible to schedule
++# the instructions in question *every* cycles I would have to
++# implement 6x interleave and use it in loop...
++sub aesni_generate3 {
++my $dir=shift;
++# As already mentioned it takes in $key and $rounds, which are *not*
++# preserved. $inout[0-2] is cipher/clear text...
++$code.=<<___;
++.type _aesni_${dir}rypt3,\@abi-omnipotent
++.align 16
++_aesni_${dir}rypt3:
++ $movkey ($key),$rndkey0
++ shr \$1,$rounds
++ $movkey 16($key),$rndkey1
++ lea 32($key),$key
++ pxor $rndkey0,$inout0
++ pxor $rndkey0,$inout1
++ pxor $rndkey0,$inout2
++
++.L${dir}_loop3:
++ aes${dir} $rndkey1,$inout0
++ $movkey ($key),$rndkey0
++ aes${dir} $rndkey1,$inout1
++ dec $rounds
++ aes${dir} $rndkey1,$inout2
++ aes${dir} $rndkey0,$inout0
++ $movkey 16($key),$rndkey1
++ aes${dir} $rndkey0,$inout1
++ lea 32($key),$key
++ aes${dir} $rndkey0,$inout2
++ jnz .L${dir}_loop3
++
++ aes${dir} $rndkey1,$inout0
++ $movkey ($key),$rndkey0
++ aes${dir} $rndkey1,$inout1
++ aes${dir} $rndkey1,$inout2
++ aes${dir}last $rndkey0,$inout0
++ aes${dir}last $rndkey0,$inout1
++ aes${dir}last $rndkey0,$inout2
++ ret
++.size _aesni_${dir}rypt3,.-_aesni_${dir}rypt3
++___
++}
++# 4x interleave is implemented to improve small block performance,
++# most notably [and naturally] 4 block by ~30%. One can argue that one
++# should have implemented 5x as well, but improvement would be <20%,
++# so it's not worth it...
++sub aesni_generate4 {
++my $dir=shift;
++# As already mentioned it takes in $key and $rounds, which are *not*
++# preserved. $inout[0-3] is cipher/clear text...
++$code.=<<___;
++.type _aesni_${dir}rypt4,\@abi-omnipotent
++.align 16
++_aesni_${dir}rypt4:
++ $movkey ($key),$rndkey0
++ shr \$1,$rounds
++ $movkey 16($key),$rndkey1
++ lea 32($key),$key
++ pxor $rndkey0,$inout0
++ pxor $rndkey0,$inout1
++ pxor $rndkey0,$inout2
++ pxor $rndkey0,$inout3
++
++.L${dir}_loop4:
++ aes${dir} $rndkey1,$inout0
++ $movkey ($key),$rndkey0
++ aes${dir} $rndkey1,$inout1
++ dec $rounds
++ aes${dir} $rndkey1,$inout2
++ aes${dir} $rndkey1,$inout3
++ aes${dir} $rndkey0,$inout0
++ $movkey 16($key),$rndkey1
++ aes${dir} $rndkey0,$inout1
++ lea 32($key),$key
++ aes${dir} $rndkey0,$inout2
++ aes${dir} $rndkey0,$inout3
++ jnz .L${dir}_loop4
++
++ aes${dir} $rndkey1,$inout0
++ $movkey ($key),$rndkey0
++ aes${dir} $rndkey1,$inout1
++ aes${dir} $rndkey1,$inout2
++ aes${dir} $rndkey1,$inout3
++ aes${dir}last $rndkey0,$inout0
++ aes${dir}last $rndkey0,$inout1
++ aes${dir}last $rndkey0,$inout2
++ aes${dir}last $rndkey0,$inout3
++ ret
++.size _aesni_${dir}rypt4,.-_aesni_${dir}rypt4
++___
++}
++&aesni_generate3("enc") if ($PREFIX eq "aesni");
++&aesni_generate3("dec");
++&aesni_generate4("enc") if ($PREFIX eq "aesni");
++&aesni_generate4("dec");
++�
++if ($PREFIX eq "aesni") {
++# void aesni_ecb_encrypt (const void *in, void *out,
++# size_t length, const AES_KEY *key,
++# int enc);
++$code.=<<___;
++.globl aesni_ecb_encrypt
++.type aesni_ecb_encrypt,\@function,5
++.align 16
++aesni_ecb_encrypt:
++ cmp \$16,$len # check length
++ jb .Lecb_ret
++
++ mov 240($key),$rounds # pull $rounds
++ and \$-16,$len
++ mov $key,$key_ # backup $key
++ test %r8d,%r8d # 5th argument
++ mov $rounds,$rnds_ # backup $rounds
++ jz .Lecb_decrypt
++#--------------------------- ECB ENCRYPT ------------------------------#
++ sub \$0x40,$len
++ jbe .Lecb_enc_tail
++ jmp .Lecb_enc_loop3
++.align 16
++.Lecb_enc_loop3:
++ movups ($inp),$inout0
++ movups 0x10($inp),$inout1
++ movups 0x20($inp),$inout2
++ call _aesni_encrypt3
++ sub \$0x30,$len
++ lea 0x30($inp),$inp
++ lea 0x30($out),$out
++ movups $inout0,-0x30($out)
++ mov $rnds_,$rounds # restore $rounds
++ movups $inout1,-0x20($out)
++ mov $key_,$key # restore $key
++ movups $inout2,-0x10($out)
++ ja .Lecb_enc_loop3
++
++.Lecb_enc_tail:
++ add \$0x40,$len
++ jz .Lecb_ret
++
++ cmp \$0x10,$len
++ movups ($inp),$inout0
++ je .Lecb_enc_one
++ cmp \$0x20,$len
++ movups 0x10($inp),$inout1
++ je .Lecb_enc_two
++ cmp \$0x30,$len
++ movups 0x20($inp),$inout2
++ je .Lecb_enc_three
++ movups 0x30($inp),$inout3
++ call _aesni_encrypt4
++ movups $inout0,($out)
++ movups $inout1,0x10($out)
++ movups $inout2,0x20($out)
++ movups $inout3,0x30($out)
++ jmp .Lecb_ret
++.align 16
++.Lecb_enc_one:
++___
++ &aesni_generate1("enc",$key,$rounds);
++$code.=<<___;
++ movups $inout0,($out)
++ jmp .Lecb_ret
++.align 16
++.Lecb_enc_two:
++ call _aesni_encrypt3
++ movups $inout0,($out)
++ movups $inout1,0x10($out)
++ jmp .Lecb_ret
++.align 16
++.Lecb_enc_three:
++ call _aesni_encrypt3
++ movups $inout0,($out)
++ movups $inout1,0x10($out)
++ movups $inout2,0x20($out)
++ jmp .Lecb_ret
++�#--------------------------- ECB DECRYPT ------------------------------#
++.align 16
++.Lecb_decrypt:
++ sub \$0x40,$len
++ jbe .Lecb_dec_tail
++ jmp .Lecb_dec_loop3
++.align 16
++.Lecb_dec_loop3:
++ movups ($inp),$inout0
++ movups 0x10($inp),$inout1
++ movups 0x20($inp),$inout2
++ call _aesni_decrypt3
++ sub \$0x30,$len
++ lea 0x30($inp),$inp
++ lea 0x30($out),$out
++ movups $inout0,-0x30($out)
++ mov $rnds_,$rounds # restore $rounds
++ movups $inout1,-0x20($out)
++ mov $key_,$key # restore $key
++ movups $inout2,-0x10($out)
++ ja .Lecb_dec_loop3
++
++.Lecb_dec_tail:
++ add \$0x40,$len
++ jz .Lecb_ret
++
++ cmp \$0x10,$len
++ movups ($inp),$inout0
++ je .Lecb_dec_one
++ cmp \$0x20,$len
++ movups 0x10($inp),$inout1
++ je .Lecb_dec_two
++ cmp \$0x30,$len
++ movups 0x20($inp),$inout2
++ je .Lecb_dec_three
++ movups 0x30($inp),$inout3
++ call _aesni_decrypt4
++ movups $inout0,($out)
++ movups $inout1,0x10($out)
++ movups $inout2,0x20($out)
++ movups $inout3,0x30($out)
++ jmp .Lecb_ret
++.align 16
++.Lecb_dec_one:
++___
++ &aesni_generate1("dec",$key,$rounds);
++$code.=<<___;
++ movups $inout0,($out)
++ jmp .Lecb_ret
++.align 16
++.Lecb_dec_two:
++ call _aesni_decrypt3
++ movups $inout0,($out)
++ movups $inout1,0x10($out)
++ jmp .Lecb_ret
++.align 16
++.Lecb_dec_three:
++ call _aesni_decrypt3
++ movups $inout0,($out)
++ movups $inout1,0x10($out)
++ movups $inout2,0x20($out)
++
++.Lecb_ret:
++ ret
++.size aesni_ecb_encrypt,.-aesni_ecb_encrypt
++___
++}
++�
++# void $PREFIX_cbc_encrypt (const void *inp, void *out,
++# size_t length, const AES_KEY *key,
++# unsigned char *ivp,const int enc);
++$reserved = $win64?0x40:-0x18; # used in decrypt
++$code.=<<___;
++.globl ${PREFIX}_cbc_encrypt
++.type ${PREFIX}_cbc_encrypt,\@function,6
++.align 16
++${PREFIX}_cbc_encrypt:
++ test $len,$len # check length
++ jz .Lcbc_ret
++
++ mov 240($key),$rnds_ # pull $rounds
++ mov $key,$key_ # backup $key
++ test %r9d,%r9d # 6th argument
++ jz .Lcbc_decrypt
++#--------------------------- CBC ENCRYPT ------------------------------#
++ movups ($ivp),$inout0 # load iv as initial state
++ cmp \$16,$len
++ mov $rnds_,$rounds
++ jb .Lcbc_enc_tail
++ sub \$16,$len
++ jmp .Lcbc_enc_loop
++.align 16
++.Lcbc_enc_loop:
++ movups ($inp),$inout1 # load input
++ lea 16($inp),$inp
++ pxor $inout1,$inout0
++___
++ &aesni_generate1("enc",$key,$rounds);
++$code.=<<___;
++ sub \$16,$len
++ lea 16($out),$out
++ mov $rnds_,$rounds # restore $rounds
++ mov $key_,$key # restore $key
++ movups $inout0,-16($out) # store output
++ jnc .Lcbc_enc_loop
++ add \$16,$len
++ jnz .Lcbc_enc_tail
++ movups $inout0,($ivp)
++ jmp .Lcbc_ret
++
++.Lcbc_enc_tail:
++ mov $len,%rcx # zaps $key
++ xchg $inp,$out # $inp is %rsi and $out is %rdi now
++ .long 0x9066A4F3 # rep movsb
++ mov \$16,%ecx # zero tail
++ sub $len,%rcx
++ xor %eax,%eax
++ .long 0x9066AAF3 # rep stosb
++ lea -16(%rdi),%rdi # rewind $out by 1 block
++ mov $rnds_,$rounds # restore $rounds
++ mov %rdi,%rsi # $inp and $out are the same
++ mov $key_,$key # restore $key
++ xor $len,$len # len=16
++ jmp .Lcbc_enc_loop # one more spin
++�#--------------------------- CBC DECRYPT ------------------------------#
++.align 16
++.Lcbc_decrypt:
++___
++$code.=<<___ if ($win64);
++ lea -0x58(%rsp),%rsp
++ movaps %xmm6,(%rsp)
++ movaps %xmm7,0x10(%rsp)
++ movaps %xmm8,0x20(%rsp)
++ movaps %xmm9,0x30(%rsp)
++.Lcbc_decrypt_body:
++___
++$code.=<<___;
++ movups ($ivp),$iv
++ sub \$0x40,$len
++ mov $rnds_,$rounds
++ jbe .Lcbc_dec_tail
++ jmp .Lcbc_dec_loop3
++.align 16
++.Lcbc_dec_loop3:
++ movups ($inp),$inout0
++ movups 0x10($inp),$inout1
++ movups 0x20($inp),$inout2
++ movaps $inout0,$in0
++ movaps $inout1,$in1
++ movaps $inout2,$in2
++ call _aesni_decrypt3
++ sub \$0x30,$len
++ lea 0x30($inp),$inp
++ lea 0x30($out),$out
++ pxor $iv,$inout0
++ pxor $in0,$inout1
++ movaps $in2,$iv
++ pxor $in1,$inout2
++ movups $inout0,-0x30($out)
++ mov $rnds_,$rounds # restore $rounds
++ movups $inout1,-0x20($out)
++ mov $key_,$key # restore $key
++ movups $inout2,-0x10($out)
++ ja .Lcbc_dec_loop3
++
++.Lcbc_dec_tail:
++ add \$0x40,$len
++ movups $iv,($ivp)
++ jz .Lcbc_dec_ret
++
++ movups ($inp),$inout0
++ cmp \$0x10,$len
++ movaps $inout0,$in0
++ jbe .Lcbc_dec_one
++ movups 0x10($inp),$inout1
++ cmp \$0x20,$len
++ movaps $inout1,$in1
++ jbe .Lcbc_dec_two
++ movups 0x20($inp),$inout2
++ cmp \$0x30,$len
++ movaps $inout2,$in2
++ jbe .Lcbc_dec_three
++ movups 0x30($inp),$inout3
++ call _aesni_decrypt4
++ pxor $iv,$inout0
++ movups 0x30($inp),$iv
++ pxor $in0,$inout1
++ movups $inout0,($out)
++ pxor $in1,$inout2
++ movups $inout1,0x10($out)
++ pxor $in2,$inout3
++ movups $inout2,0x20($out)
++ movaps $inout3,$inout0
++ lea 0x30($out),$out
++ jmp .Lcbc_dec_tail_collected
++.align 16
++.Lcbc_dec_one:
++___
++ &aesni_generate1("dec",$key,$rounds);
++$code.=<<___;
++ pxor $iv,$inout0
++ movaps $in0,$iv
++ jmp .Lcbc_dec_tail_collected
++.align 16
++.Lcbc_dec_two:
++ call _aesni_decrypt3
++ pxor $iv,$inout0
++ pxor $in0,$inout1
++ movups $inout0,($out)
++ movaps $in1,$iv
++ movaps $inout1,$inout0
++ lea 0x10($out),$out
++ jmp .Lcbc_dec_tail_collected
++.align 16
++.Lcbc_dec_three:
++ call _aesni_decrypt3
++ pxor $iv,$inout0
++ pxor $in0,$inout1
++ movups $inout0,($out)
++ pxor $in1,$inout2
++ movups $inout1,0x10($out)
++ movaps $in2,$iv
++ movaps $inout2,$inout0
++ lea 0x20($out),$out
++ jmp .Lcbc_dec_tail_collected
++.align 16
++.Lcbc_dec_tail_collected:
++ and \$15,$len
++ movups $iv,($ivp)
++ jnz .Lcbc_dec_tail_partial
++ movups $inout0,($out)
++ jmp .Lcbc_dec_ret
++.Lcbc_dec_tail_partial:
++ movaps $inout0,$reserved(%rsp)
++ mov $out,%rdi
++ mov $len,%rcx
++ lea $reserved(%rsp),%rsi
++ .long 0x9066A4F3 # rep movsb
++
++.Lcbc_dec_ret:
++___
++$code.=<<___ if ($win64);
++ movaps (%rsp),%xmm6
++ movaps 0x10(%rsp),%xmm7
++ movaps 0x20(%rsp),%xmm8
++ movaps 0x30(%rsp),%xmm9
++ lea 0x58(%rsp),%rsp
++___
++$code.=<<___;
++.Lcbc_ret:
++ ret
++.size ${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt
++___
++�
++# int $PREFIX_set_[en|de]crypt_key (const unsigned char *userKey,
++# int bits, AES_KEY *key)
++{ my ($inp,$bits,$key) = @_4args;
++ $bits =~ s/%r/%e/;
++
++$code.=<<___;
++.globl ${PREFIX}_set_decrypt_key
++.type ${PREFIX}_set_decrypt_key,\@abi-omnipotent
++.align 16
++${PREFIX}_set_decrypt_key:
++ .byte 0x48,0x83,0xEC,0x08 # sub rsp,8
++ call _aesni_set_encrypt_key
++ shl \$4,$bits # rounds-1 after _aesni_set_encrypt_key
++ test %eax,%eax
++ jnz .Ldec_key_ret
++ lea 16($key,$bits),$inp # points at the end of key schedule
++
++ $movkey ($key),%xmm0 # just swap
++ $movkey ($inp),%xmm1
++ $movkey %xmm0,($inp)
++ $movkey %xmm1,($key)
++ lea 16($key),$key
++ lea -16($inp),$inp
++
++.Ldec_key_inverse:
++ $movkey ($key),%xmm0 # swap and inverse
++ $movkey ($inp),%xmm1
++ aesimc %xmm0,%xmm0
++ aesimc %xmm1,%xmm1
++ lea 16($key),$key
++ lea -16($inp),$inp
++ cmp $key,$inp
++ $movkey %xmm0,16($inp)
++ $movkey %xmm1,-16($key)
++ ja .Ldec_key_inverse
++
++ $movkey ($key),%xmm0 # inverse middle
++ aesimc %xmm0,%xmm0
++ $movkey %xmm0,($inp)
++.Ldec_key_ret:
++ add \$8,%rsp
++ ret
++.LSEH_end_set_decrypt_key:
++.size ${PREFIX}_set_decrypt_key,.-${PREFIX}_set_decrypt_key
++___
++�
++# This is based on submission by
++#
++# Huang Ying <ying.huang at intel.com>
++# Vinodh Gopal <vinodh.gopal at intel.com>
++# Kahraman Akdemir
++#
++# Agressively optimized in respect to aeskeygenassist's critical path
++# and is contained in %xmm0-5 to meet Win64 ABI requirement.
++#
++$code.=<<___;
++.globl ${PREFIX}_set_encrypt_key
++.type ${PREFIX}_set_encrypt_key,\@abi-omnipotent
++.align 16
++${PREFIX}_set_encrypt_key:
++_aesni_set_encrypt_key:
++ .byte 0x48,0x83,0xEC,0x08 # sub rsp,8
++ test $inp,$inp
++ mov \$-1,%rax
++ jz .Lenc_key_ret
++ test $key,$key
++ jz .Lenc_key_ret
++
++ movups ($inp),%xmm0 # pull first 128 bits of *userKey
++ pxor %xmm4,%xmm4 # low dword of xmm4 is assumed 0
++ lea 16($key),%rax
++ cmp \$256,$bits
++ je .L14rounds
++ cmp \$192,$bits
++ je .L12rounds
++ cmp \$128,$bits
++ jne .Lbad_keybits
++
++.L10rounds:
++ mov \$9,$bits # 10 rounds for 128-bit key
++ $movkey %xmm0,($key) # round 0
++ aeskeygenassist \$0x1,%xmm0,%xmm1 # round 1
++ call .Lkey_expansion_128_cold
++ aeskeygenassist \$0x2,%xmm0,%xmm1 # round 2
++ call .Lkey_expansion_128
++ aeskeygenassist \$0x4,%xmm0,%xmm1 # round 3
++ call .Lkey_expansion_128
++ aeskeygenassist \$0x8,%xmm0,%xmm1 # round 4
++ call .Lkey_expansion_128
++ aeskeygenassist \$0x10,%xmm0,%xmm1 # round 5
++ call .Lkey_expansion_128
++ aeskeygenassist \$0x20,%xmm0,%xmm1 # round 6
++ call .Lkey_expansion_128
++ aeskeygenassist \$0x40,%xmm0,%xmm1 # round 7
++ call .Lkey_expansion_128
++ aeskeygenassist \$0x80,%xmm0,%xmm1 # round 8
++ call .Lkey_expansion_128
++ aeskeygenassist \$0x1b,%xmm0,%xmm1 # round 9
++ call .Lkey_expansion_128
++ aeskeygenassist \$0x36,%xmm0,%xmm1 # round 10
++ call .Lkey_expansion_128
++ $movkey %xmm0,(%rax)
++ mov $bits,80(%rax) # 240(%rdx)
++ xor %eax,%eax
++ jmp .Lenc_key_ret
++
++.align 16
++.L12rounds:
++ movq 16($inp),%xmm2 # remaining 1/3 of *userKey
++ mov \$11,$bits # 12 rounds for 192
++ $movkey %xmm0,($key) # round 0
++ aeskeygenassist \$0x1,%xmm2,%xmm1 # round 1,2
++ call .Lkey_expansion_192a_cold
++ aeskeygenassist \$0x2,%xmm2,%xmm1 # round 2,3
++ call .Lkey_expansion_192b
++ aeskeygenassist \$0x4,%xmm2,%xmm1 # round 4,5
++ call .Lkey_expansion_192a
++ aeskeygenassist \$0x8,%xmm2,%xmm1 # round 5,6
++ call .Lkey_expansion_192b
++ aeskeygenassist \$0x10,%xmm2,%xmm1 # round 7,8
++ call .Lkey_expansion_192a
++ aeskeygenassist \$0x20,%xmm2,%xmm1 # round 8,9
++ call .Lkey_expansion_192b
++ aeskeygenassist \$0x40,%xmm2,%xmm1 # round 10,11
++ call .Lkey_expansion_192a
++ aeskeygenassist \$0x80,%xmm2,%xmm1 # round 11,12
++ call .Lkey_expansion_192b
++ $movkey %xmm0,(%rax)
++ mov $bits,48(%rax) # 240(%rdx)
++ xor %rax, %rax
++ jmp .Lenc_key_ret
++
++.align 16
++.L14rounds:
++ movups 16($inp),%xmm2 # remaning half of *userKey
++ mov \$13,$bits # 14 rounds for 256
++ lea 16(%rax),%rax
++ $movkey %xmm0,($key) # round 0
++ $movkey %xmm2,16($key) # round 1
++ aeskeygenassist \$0x1,%xmm2,%xmm1 # round 2
++ call .Lkey_expansion_256a_cold
++ aeskeygenassist \$0x1,%xmm0,%xmm1 # round 3
++ call .Lkey_expansion_256b
++ aeskeygenassist \$0x2,%xmm2,%xmm1 # round 4
++ call .Lkey_expansion_256a
++ aeskeygenassist \$0x2,%xmm0,%xmm1 # round 5
++ call .Lkey_expansion_256b
++ aeskeygenassist \$0x4,%xmm2,%xmm1 # round 6
++ call .Lkey_expansion_256a
++ aeskeygenassist \$0x4,%xmm0,%xmm1 # round 7
++ call .Lkey_expansion_256b
++ aeskeygenassist \$0x8,%xmm2,%xmm1 # round 8
++ call .Lkey_expansion_256a
++ aeskeygenassist \$0x8,%xmm0,%xmm1 # round 9
++ call .Lkey_expansion_256b
++ aeskeygenassist \$0x10,%xmm2,%xmm1 # round 10
++ call .Lkey_expansion_256a
++ aeskeygenassist \$0x10,%xmm0,%xmm1 # round 11
++ call .Lkey_expansion_256b
++ aeskeygenassist \$0x20,%xmm2,%xmm1 # round 12
++ call .Lkey_expansion_256a
++ aeskeygenassist \$0x20,%xmm0,%xmm1 # round 13
++ call .Lkey_expansion_256b
++ aeskeygenassist \$0x40,%xmm2,%xmm1 # round 14
++ call .Lkey_expansion_256a
++ $movkey %xmm0,(%rax)
++ mov $bits,16(%rax) # 240(%rdx)
++ xor %rax,%rax
++ jmp .Lenc_key_ret
++
++.align 16
++.Lbad_keybits:
++ mov \$-2,%rax
++.Lenc_key_ret:
++ add \$8,%rsp
++ ret
++.LSEH_end_set_encrypt_key:
++�
++.align 16
++.Lkey_expansion_128:
++ $movkey %xmm0,(%rax)
++ lea 16(%rax),%rax
++.Lkey_expansion_128_cold:
++ shufps \$0b00010000,%xmm0,%xmm4
++ pxor %xmm4, %xmm0
++ shufps \$0b10001100,%xmm0,%xmm4
++ pxor %xmm4, %xmm0
++ pshufd \$0b11111111,%xmm1,%xmm1 # critical path
++ pxor %xmm1,%xmm0
++ ret
++
++.align 16
++.Lkey_expansion_192a:
++ $movkey %xmm0,(%rax)
++ lea 16(%rax),%rax
++.Lkey_expansion_192a_cold:
++ movaps %xmm2, %xmm5
++.Lkey_expansion_192b_warm:
++ shufps \$0b00010000,%xmm0,%xmm4
++ movaps %xmm2,%xmm3
++ pxor %xmm4,%xmm0
++ shufps \$0b10001100,%xmm0,%xmm4
++ pslldq \$4,%xmm3
++ pxor %xmm4,%xmm0
++ pshufd \$0b01010101,%xmm1,%xmm1 # critical path
++ pxor %xmm3,%xmm2
++ pxor %xmm1,%xmm0
++ pshufd \$0b11111111,%xmm0,%xmm3
++ pxor %xmm3,%xmm2
++ ret
++
++.align 16
++.Lkey_expansion_192b:
++ movaps %xmm0,%xmm3
++ shufps \$0b01000100,%xmm0,%xmm5
++ $movkey %xmm5,(%rax)
++ shufps \$0b01001110,%xmm2,%xmm3
++ $movkey %xmm3,16(%rax)
++ lea 32(%rax),%rax
++ jmp .Lkey_expansion_192b_warm
++
++.align 16
++.Lkey_expansion_256a:
++ $movkey %xmm2,(%rax)
++ lea 16(%rax),%rax
++.Lkey_expansion_256a_cold:
++ shufps \$0b00010000,%xmm0,%xmm4
++ pxor %xmm4,%xmm0
++ shufps \$0b10001100,%xmm0,%xmm4
++ pxor %xmm4,%xmm0
++ pshufd \$0b11111111,%xmm1,%xmm1 # critical path
++ pxor %xmm1,%xmm0
++ ret
++
++.align 16
++.Lkey_expansion_256b:
++ $movkey %xmm0,(%rax)
++ lea 16(%rax),%rax
++
++ shufps \$0b00010000,%xmm2,%xmm4
++ pxor %xmm4,%xmm2
++ shufps \$0b10001100,%xmm2,%xmm4
++ pxor %xmm4,%xmm2
++ pshufd \$0b10101010,%xmm1,%xmm1 # critical path
++ pxor %xmm1,%xmm2
++ ret
++.size ${PREFIX}_set_encrypt_key,.-${PREFIX}_set_encrypt_key
++___
++}
++�
++$code.=<<___;
++.asciz "AES for Intel AES-NI, CRYPTOGAMS by <appro\@openssl.org>"
++.align 64
++___
++
++# EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,
++# CONTEXT *context,DISPATCHER_CONTEXT *disp)
++if ($win64) {
++$rec="%rcx";
++$frame="%rdx";
++$context="%r8";
++$disp="%r9";
++
++$code.=<<___;
++.extern __imp_RtlVirtualUnwind
++.type cbc_se_handler,\@abi-omnipotent
++.align 16
++cbc_se_handler:
++ push %rsi
++ push %rdi
++ push %rbx
++ push %rbp
++ push %r12
++ push %r13
++ push %r14
++ push %r15
++ pushfq
++ sub \$64,%rsp
++
++ mov 152($context),%rax # pull context->Rsp
++ mov 248($context),%rbx # pull context->Rip
++
++ lea .Lcbc_decrypt(%rip),%r10
++ cmp %r10,%rbx # context->Rip<"prologue" label
++ jb .Lin_prologue
++
++ lea .Lcbc_decrypt_body(%rip),%r10
++ cmp %r10,%rbx # context->Rip<cbc_decrypt_body
++ jb .Lrestore_rax
++
++ lea .Lcbc_ret(%rip),%r10
++ cmp %r10,%rbx # context->Rip>="epilogue" label
++ jae .Lin_prologue
++
++ lea 0(%rax),%rsi # top of stack
++ lea 512($context),%rdi # &context.Xmm6
++ mov \$8,%ecx # 4*sizeof(%xmm0)/sizeof(%rax)
++ .long 0xa548f3fc # cld; rep movsq
++ lea 0x58(%rax),%rax # adjust stack pointer
++ jmp .Lin_prologue
++
++.Lrestore_rax:
++ mov 120($context),%rax
++.Lin_prologue:
++ mov 8(%rax),%rdi
++ mov 16(%rax),%rsi
++ mov %rax,152($context) # restore context->Rsp
++ mov %rsi,168($context) # restore context->Rsi
++ mov %rdi,176($context) # restore context->Rdi
++
++ jmp .Lcommon_seh_exit
++.size cbc_se_handler,.-cbc_se_handler
++
++.type ecb_se_handler,\@abi-omnipotent
++.align 16
++ecb_se_handler:
++ push %rsi
++ push %rdi
++ push %rbx
++ push %rbp
++ push %r12
++ push %r13
++ push %r14
++ push %r15
++ pushfq
++ sub \$64,%rsp
++
++ mov 152($context),%rax # pull context->Rsp
++ mov 8(%rax),%rdi
++ mov 16(%rax),%rsi
++ mov %rsi,168($context) # restore context->Rsi
++ mov %rdi,176($context) # restore context->Rdi
++
++.Lcommon_seh_exit:
++
++ mov 40($disp),%rdi # disp->ContextRecord
++ mov $context,%rsi # context
++ mov \$154,%ecx # sizeof(CONTEXT)
++ .long 0xa548f3fc # cld; rep movsq
++
++ mov $disp,%rsi
++ xor %rcx,%rcx # arg1, UNW_FLAG_NHANDLER
++ mov 8(%rsi),%rdx # arg2, disp->ImageBase
++ mov 0(%rsi),%r8 # arg3, disp->ControlPc
++ mov 16(%rsi),%r9 # arg4, disp->FunctionEntry
++ mov 40(%rsi),%r10 # disp->ContextRecord
++ lea 56(%rsi),%r11 # &disp->HandlerData
++ lea 24(%rsi),%r12 # &disp->EstablisherFrame
++ mov %r10,32(%rsp) # arg5
++ mov %r11,40(%rsp) # arg6
++ mov %r12,48(%rsp) # arg7
++ mov %rcx,56(%rsp) # arg8, (NULL)
++ call *__imp_RtlVirtualUnwind(%rip)
++
++ mov \$1,%eax # ExceptionContinueSearch
++ add \$64,%rsp
++ popfq
++ pop %r15
++ pop %r14
++ pop %r13
++ pop %r12
++ pop %rbp
++ pop %rbx
++ pop %rdi
++ pop %rsi
++ ret
++.size cbc_se_handler,.-cbc_se_handler
++
++.section .pdata
++.align 4
++ .rva .LSEH_begin_${PREFIX}_ecb_encrypt
++ .rva .LSEH_end_${PREFIX}_ecb_encrypt
++ .rva .LSEH_info_ecb
++
++ .rva .LSEH_begin_${PREFIX}_cbc_encrypt
++ .rva .LSEH_end_${PREFIX}_cbc_encrypt
++ .rva .LSEH_info_cbc
++
++ .rva ${PREFIX}_set_decrypt_key
++ .rva .LSEH_end_set_decrypt_key
++ .rva .LSEH_info_key
++
++ .rva ${PREFIX}_set_encrypt_key
++ .rva .LSEH_end_set_encrypt_key
++ .rva .LSEH_info_key
++.section .xdata
++.align 8
++.LSEH_info_ecb:
++ .byte 9,0,0,0
++ .rva ecb_se_handler
++.LSEH_info_cbc:
++ .byte 9,0,0,0
++ .rva cbc_se_handler
++.LSEH_info_key:
++ .byte 0x01,0x04,0x01,0x00
++ .byte 0x04,0x02,0x00,0x00
++___
++}
++
++sub rex {
++ local *opcode=shift;
++ my ($dst,$src)=@_;
++
++ if ($dst>=8 || $src>=8) {
++ $rex=0x40;
++ $rex|=0x04 if($dst>=8);
++ $rex|=0x01 if($src>=8);
++ push @opcode,$rex;
++ }
++}
++
++sub aesni {
++ my $line=shift;
++ my @opcode=(0x66);
++
++ if ($line=~/(aeskeygenassist)\s+\$([x0-9a-f]+),\s*%xmm([0-9]+),\s*%xmm([0-9]+)/) {
++ rex(\@opcode,$4,$3);
++ push @opcode,0x0f,0x3a,0xdf;
++ push @opcode,0xc0|($3&7)|(($4&7)<<3); # ModR/M
++ my $c=$2;
++ push @opcode,$c=~/^0/?oct($c):$c;
++ return ".byte\t".join(',', at opcode);
++ }
++ elsif ($line=~/(aes[a-z]+)\s+%xmm([0-9]+),\s*%xmm([0-9]+)/) {
++ my %opcodelet = (
++ "aesimc" => 0xdb,
++ "aesenc" => 0xdc, "aesenclast" => 0xdd,
++ "aesdec" => 0xde, "aesdeclast" => 0xdf
++ );
++ return undef if (!defined($opcodelet{$1}));
++ rex(\@opcode,$3,$2);
++ push @opcode,0x0f,0x38,$opcodelet{$1};
++ push @opcode,0xc0|($2&7)|(($3&7)<<3); # ModR/M
++ return ".byte\t".join(',', at opcode);
++ }
++ return $line;
++}
++
++$code =~ s/\`([^\`]*)\`/eval($1)/gem;
++$code =~ s/\b(aes.*%xmm[0-9]+).*$/aesni($1)/gem;
++
++print $code;
++
++close STDOUT;
+diff -up openssl-1.0.0b/crypto/aes/Makefile.aesni openssl-1.0.0b/crypto/aes/Makefile
+--- openssl-1.0.0b/crypto/aes/Makefile.aesni 2008-12-23 12:33:00.000000000 +0100
++++ openssl-1.0.0b/crypto/aes/Makefile 2010-11-16 17:33:23.000000000 +0100
+@@ -50,9 +50,13 @@ aes-ia64.s: asm/aes-ia64.S
+
+ aes-586.s: asm/aes-586.pl ../perlasm/x86asm.pl
+ $(PERL) asm/aes-586.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
++aesni-x86.s: asm/aesni-x86.pl ../perlasm/x86asm.pl
++ $(PERL) asm/aesni-x86.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
+
+ aes-x86_64.s: asm/aes-x86_64.pl
+ $(PERL) asm/aes-x86_64.pl $(PERLASM_SCHEME) > $@
++aesni-x86_64.s: asm/aesni-x86_64.pl
++ $(PERL) asm/aesni-x86_64.pl $(PERLASM_SCHEME) > $@
+
+ aes-sparcv9.s: asm/aes-sparcv9.pl
+ $(PERL) asm/aes-sparcv9.pl $(CFLAGS) > $@
+diff -up openssl-1.0.0b/crypto/engine/eng_aesni.c.aesni openssl-1.0.0b/crypto/engine/eng_aesni.c
+--- openssl-1.0.0b/crypto/engine/eng_aesni.c.aesni 2010-11-16 17:33:23.000000000 +0100
++++ openssl-1.0.0b/crypto/engine/eng_aesni.c 2010-11-16 17:33:23.000000000 +0100
+@@ -0,0 +1,413 @@
++/*
++ * Support for Intel AES-NI intruction set
++ * Author: Huang Ying <ying.huang at intel.com>
++ *
++ * Intel AES-NI is a new set of Single Instruction Multiple Data
++ * (SIMD) instructions that are going to be introduced in the next
++ * generation of Intel processor, as of 2009. These instructions
++ * enable fast and secure data encryption and decryption, using the
++ * Advanced Encryption Standard (AES), defined by FIPS Publication
++ * number 197. The architecture introduces six instructions that
++ * offer full hardware support for AES. Four of them support high
++ * performance data encryption and decryption, and the other two
++ * instructions support the AES key expansion procedure.
++ *
++ * The white paper can be downloaded from:
++ * http://softwarecommunity.intel.com/isn/downloads/intelavx/AES-Instructions-Set_WP.pdf
++ *
++ * This file is based on engines/e_padlock.c
++ */
++
++/* ====================================================================
++ * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay at cryptsoft.com). This product includes software written by Tim
++ * Hudson (tjh at cryptsoft.com).
++ *
++ */
++
++
++#include <openssl/opensslconf.h>
++
++#if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_AES_NI) && !defined(OPENSSL_NO_AES)
++
++#include <stdio.h>
++#include "cryptlib.h"
++#include <openssl/dso.h>
++#include <openssl/engine.h>
++#include <openssl/evp.h>
++#include <openssl/aes.h>
++#include <openssl/err.h>
++#include <openssl/modes.h>
++
++/* AES-NI is available *ONLY* on some x86 CPUs. Not only that it
++ doesn't exist elsewhere, but it even can't be compiled on other
++ platforms! */
++#undef COMPILE_HW_AESNI
++#if (defined(__x86_64) || defined(__x86_64__) || \
++ defined(_M_AMD64) || defined(_M_X64) || \
++ defined(OPENSSL_IA32_SSE2)) && !defined(OPENSSL_NO_ASM)
++#define COMPILE_HW_AESNI
++static ENGINE *ENGINE_aesni (void);
++#endif
++
++void ENGINE_load_aesni (void)
++{
++/* On non-x86 CPUs it just returns. */
++#ifdef COMPILE_HW_AESNI
++ ENGINE *toadd = ENGINE_aesni();
++ if (!toadd)
++ return;
++ ENGINE_add (toadd);
++ ENGINE_register_complete (toadd);
++ ENGINE_free (toadd);
++ ERR_clear_error ();
++#endif
++}
++
++#ifdef COMPILE_HW_AESNI
++int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
++ AES_KEY *key);
++int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
++ AES_KEY *key);
++
++void aesni_encrypt(const unsigned char *in, unsigned char *out,
++ const AES_KEY *key);
++void aesni_decrypt(const unsigned char *in, unsigned char *out,
++ const AES_KEY *key);
++
++void aesni_ecb_encrypt(const unsigned char *in,
++ unsigned char *out,
++ size_t length,
++ const AES_KEY *key,
++ int enc);
++void aesni_cbc_encrypt(const unsigned char *in,
++ unsigned char *out,
++ size_t length,
++ const AES_KEY *key,
++ unsigned char *ivec, int enc);
++
++/* Function for ENGINE detection and control */
++static int aesni_init(ENGINE *e);
++
++/* Cipher Stuff */
++static int aesni_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
++ const int **nids, int nid);
++
++#define AESNI_MIN_ALIGN 16
++#define AESNI_ALIGN(x) \
++ ((void *)(((unsigned long)(x)+AESNI_MIN_ALIGN-1)&~(AESNI_MIN_ALIGN-1)))
++
++/* Engine names */
++static const char aesni_id[] = "aesni",
++ aesni_name[] = "Intel AES-NI engine",
++ no_aesni_name[] = "Intel AES-NI engine (no-aesni)";
++
++/* ===== Engine "management" functions ===== */
++
++#if defined(_WIN32)
++typedef unsigned __int64 IA32CAP;
++#else
++typedef unsigned long long IA32CAP;
++#endif
++
++/* Prepare the ENGINE structure for registration */
++static int
++aesni_bind_helper(ENGINE *e)
++{
++ int engage;
++ if (sizeof(OPENSSL_ia32cap_P) > 4) {
++ engage = (OPENSSL_ia32cap_P >> 57) & 1;
++ } else {
++ IA32CAP OPENSSL_ia32_cpuid(void);
++ engage = (OPENSSL_ia32_cpuid() >> 57) & 1;
++ }
++
++ /* Register everything or return with an error */
++ if (!ENGINE_set_id(e, aesni_id) ||
++ !ENGINE_set_name(e, engage ? aesni_name : no_aesni_name) ||
++
++ !ENGINE_set_init_function(e, aesni_init) ||
++ (engage && !ENGINE_set_ciphers (e, aesni_ciphers))
++ )
++ return 0;
++
++ /* Everything looks good */
++ return 1;
++}
++
++/* Constructor */
++static ENGINE *
++ENGINE_aesni(void)
++{
++ ENGINE *eng = ENGINE_new();
++
++ if (!eng) {
++ return NULL;
++ }
++
++ if (!aesni_bind_helper(eng)) {
++ ENGINE_free(eng);
++ return NULL;
++ }
++
++ return eng;
++}
++
++/* Check availability of the engine */
++static int
++aesni_init(ENGINE *e)
++{
++ return 1;
++}
++
++#if defined(NID_aes_128_cfb128) && ! defined (NID_aes_128_cfb)
++#define NID_aes_128_cfb NID_aes_128_cfb128
++#endif
++
++#if defined(NID_aes_128_ofb128) && ! defined (NID_aes_128_ofb)
++#define NID_aes_128_ofb NID_aes_128_ofb128
++#endif
++
++#if defined(NID_aes_192_cfb128) && ! defined (NID_aes_192_cfb)
++#define NID_aes_192_cfb NID_aes_192_cfb128
++#endif
++
++#if defined(NID_aes_192_ofb128) && ! defined (NID_aes_192_ofb)
++#define NID_aes_192_ofb NID_aes_192_ofb128
++#endif
++
++#if defined(NID_aes_256_cfb128) && ! defined (NID_aes_256_cfb)
++#define NID_aes_256_cfb NID_aes_256_cfb128
++#endif
++
++#if defined(NID_aes_256_ofb128) && ! defined (NID_aes_256_ofb)
++#define NID_aes_256_ofb NID_aes_256_ofb128
++#endif
++
++/* List of supported ciphers. */
++static int aesni_cipher_nids[] = {
++ NID_aes_128_ecb,
++ NID_aes_128_cbc,
++ NID_aes_128_cfb,
++ NID_aes_128_ofb,
++
++ NID_aes_192_ecb,
++ NID_aes_192_cbc,
++ NID_aes_192_cfb,
++ NID_aes_192_ofb,
++
++ NID_aes_256_ecb,
++ NID_aes_256_cbc,
++ NID_aes_256_cfb,
++ NID_aes_256_ofb,
++};
++static int aesni_cipher_nids_num =
++ (sizeof(aesni_cipher_nids)/sizeof(aesni_cipher_nids[0]));
++
++typedef struct
++{
++ AES_KEY ks;
++ unsigned int _pad1[3];
++} AESNI_KEY;
++
++static int
++aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *user_key,
++ const unsigned char *iv, int enc)
++{
++ int ret;
++ AES_KEY *key = AESNI_ALIGN(ctx->cipher_data);
++
++ if ((ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_CFB_MODE
++ || (ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_OFB_MODE
++ || enc)
++ ret=aesni_set_encrypt_key(user_key, ctx->key_len * 8, key);
++ else
++ ret=aesni_set_decrypt_key(user_key, ctx->key_len * 8, key);
++
++ if(ret < 0) {
++ EVPerr(EVP_F_AESNI_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
++ return 0;
++ }
++
++ return 1;
++}
++
++static int aesni_cipher_ecb(EVP_CIPHER_CTX *ctx, unsigned char *out,
++ const unsigned char *in, size_t inl)
++{ AES_KEY *key = AESNI_ALIGN(ctx->cipher_data);
++ aesni_ecb_encrypt(in, out, inl, key, ctx->encrypt);
++ return 1;
++}
++static int aesni_cipher_cbc(EVP_CIPHER_CTX *ctx, unsigned char *out,
++ const unsigned char *in, size_t inl)
++{ AES_KEY *key = AESNI_ALIGN(ctx->cipher_data);
++ aesni_cbc_encrypt(in, out, inl, key,
++ ctx->iv, ctx->encrypt);
++ return 1;
++}
++static int aesni_cipher_cfb(EVP_CIPHER_CTX *ctx, unsigned char *out,
++ const unsigned char *in, size_t inl)
++{ AES_KEY *key = AESNI_ALIGN(ctx->cipher_data);
++ CRYPTO_cfb128_encrypt(in, out, inl, key, ctx->iv,
++ &ctx->num, ctx->encrypt,
++ (block128_f)aesni_encrypt);
++ return 1;
++}
++static int aesni_cipher_ofb(EVP_CIPHER_CTX *ctx, unsigned char *out,
++ const unsigned char *in, size_t inl)
++{ AES_KEY *key = AESNI_ALIGN(ctx->cipher_data);
++ CRYPTO_ofb128_encrypt(in, out, inl, key, ctx->iv,
++ &ctx->num, (block128_f)aesni_encrypt);
++ return 1;
++}
++
++#define AES_BLOCK_SIZE 16
++
++#define EVP_CIPHER_block_size_ECB AES_BLOCK_SIZE
++#define EVP_CIPHER_block_size_CBC AES_BLOCK_SIZE
++#define EVP_CIPHER_block_size_OFB 1
++#define EVP_CIPHER_block_size_CFB 1
++
++/* Declaring so many ciphers by hand would be a pain.
++ Instead introduce a bit of preprocessor magic :-) */
++#define DECLARE_AES_EVP(ksize,lmode,umode) \
++static const EVP_CIPHER aesni_##ksize##_##lmode = { \
++ NID_aes_##ksize##_##lmode, \
++ EVP_CIPHER_block_size_##umode, \
++ ksize / 8, \
++ AES_BLOCK_SIZE, \
++ 0 | EVP_CIPH_##umode##_MODE, \
++ aesni_init_key, \
++ aesni_cipher_##lmode, \
++ NULL, \
++ sizeof(AESNI_KEY), \
++ EVP_CIPHER_set_asn1_iv, \
++ EVP_CIPHER_get_asn1_iv, \
++ NULL, \
++ NULL \
++}
++
++DECLARE_AES_EVP(128,ecb,ECB);
++DECLARE_AES_EVP(128,cbc,CBC);
++DECLARE_AES_EVP(128,cfb,CFB);
++DECLARE_AES_EVP(128,ofb,OFB);
++
++DECLARE_AES_EVP(192,ecb,ECB);
++DECLARE_AES_EVP(192,cbc,CBC);
++DECLARE_AES_EVP(192,cfb,CFB);
++DECLARE_AES_EVP(192,ofb,OFB);
++
++DECLARE_AES_EVP(256,ecb,ECB);
++DECLARE_AES_EVP(256,cbc,CBC);
++DECLARE_AES_EVP(256,cfb,CFB);
++DECLARE_AES_EVP(256,ofb,OFB);
++
++static int
++aesni_ciphers (ENGINE *e, const EVP_CIPHER **cipher,
++ const int **nids, int nid)
++{
++ /* No specific cipher => return a list of supported nids ... */
++ if (!cipher) {
++ *nids = aesni_cipher_nids;
++ return aesni_cipher_nids_num;
++ }
++
++ /* ... or the requested "cipher" otherwise */
++ switch (nid) {
++ case NID_aes_128_ecb:
++ *cipher = &aesni_128_ecb;
++ break;
++ case NID_aes_128_cbc:
++ *cipher = &aesni_128_cbc;
++ break;
++ case NID_aes_128_cfb:
++ *cipher = &aesni_128_cfb;
++ break;
++ case NID_aes_128_ofb:
++ *cipher = &aesni_128_ofb;
++ break;
++
++ case NID_aes_192_ecb:
++ *cipher = &aesni_192_ecb;
++ break;
++ case NID_aes_192_cbc:
++ *cipher = &aesni_192_cbc;
++ break;
++ case NID_aes_192_cfb:
++ *cipher = &aesni_192_cfb;
++ break;
++ case NID_aes_192_ofb:
++ *cipher = &aesni_192_ofb;
++ break;
++
++ case NID_aes_256_ecb:
++ *cipher = &aesni_256_ecb;
++ break;
++ case NID_aes_256_cbc:
++ *cipher = &aesni_256_cbc;
++ break;
++ case NID_aes_256_cfb:
++ *cipher = &aesni_256_cfb;
++ break;
++ case NID_aes_256_ofb:
++ *cipher = &aesni_256_ofb;
++ break;
++
++ default:
++ /* Sorry, we don't support this NID */
++ *cipher = NULL;
++ return 0;
++ }
++
++ return 1;
++}
++
++#endif /* COMPILE_HW_AESNI */
++#endif /* !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_AESNI) && !defined(OPENSSL_NO_AES) */
+diff -up openssl-1.0.0b/crypto/engine/eng_all.c.aesni openssl-1.0.0b/crypto/engine/eng_all.c
+--- openssl-1.0.0b/crypto/engine/eng_all.c.aesni 2010-11-16 17:33:22.000000000 +0100
++++ openssl-1.0.0b/crypto/engine/eng_all.c 2010-11-16 17:33:23.000000000 +0100
+@@ -85,6 +85,9 @@ void ENGINE_load_builtin_engines(void)
+ #if !defined(OPENSSL_NO_HW) && (defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV))
+ ENGINE_load_cryptodev();
+ #endif
++#if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_AESNI)
++ ENGINE_load_aesni();
++#endif
+ ENGINE_load_dynamic();
+ #ifndef OPENSSL_NO_STATIC_ENGINE
+ #ifndef OPENSSL_NO_HW
+diff -up openssl-1.0.0b/crypto/engine/engine.h.aesni openssl-1.0.0b/crypto/engine/engine.h
+--- openssl-1.0.0b/crypto/engine/engine.h.aesni 2010-11-16 17:33:22.000000000 +0100
++++ openssl-1.0.0b/crypto/engine/engine.h 2010-11-16 17:33:23.000000000 +0100
+@@ -338,6 +338,7 @@ void ENGINE_load_gost(void);
+ #endif
+ #endif
+ void ENGINE_load_cryptodev(void);
++void ENGINE_load_aesni(void);
+ void ENGINE_load_builtin_engines(void);
+
+ /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
+diff -up openssl-1.0.0b/crypto/engine/Makefile.aesni openssl-1.0.0b/crypto/engine/Makefile
+--- openssl-1.0.0b/crypto/engine/Makefile.aesni 2010-11-15 15:44:49.000000000 +0100
++++ openssl-1.0.0b/crypto/engine/Makefile 2010-11-16 17:33:23.000000000 +0100
+@@ -21,12 +21,14 @@ LIBSRC= eng_err.c eng_lib.c eng_list.c e
+ eng_table.c eng_pkey.c eng_fat.c eng_all.c \
+ tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \
+ tb_cipher.c tb_digest.c tb_pkmeth.c tb_asnmth.c \
+- eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c
++ eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c \
++ eng_aesni.c
+ LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \
+ eng_table.o eng_pkey.o eng_fat.o eng_all.o \
+ tb_rsa.o tb_dsa.o tb_ecdsa.o tb_dh.o tb_ecdh.o tb_rand.o tb_store.o \
+ tb_cipher.o tb_digest.o tb_pkmeth.o tb_asnmth.o \
+- eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o
++ eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o \
++ eng_aesni.o
+
+ SRC= $(LIBSRC)
+
+diff -up openssl-1.0.0b/crypto/evp/evp_err.c.aesni openssl-1.0.0b/crypto/evp/evp_err.c
+--- openssl-1.0.0b/crypto/evp/evp_err.c.aesni 2010-11-16 17:33:22.000000000 +0100
++++ openssl-1.0.0b/crypto/evp/evp_err.c 2010-11-16 17:33:23.000000000 +0100
+@@ -1,6 +1,6 @@
+ /* crypto/evp/evp_err.c */
+ /* ====================================================================
+- * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
++ * Copyright (c) 1999-2009 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+@@ -70,6 +70,7 @@
+
+ static ERR_STRING_DATA EVP_str_functs[]=
+ {
++{ERR_FUNC(EVP_F_AESNI_INIT_KEY), "AESNI_INIT_KEY"},
+ {ERR_FUNC(EVP_F_AES_INIT_KEY), "AES_INIT_KEY"},
+ {ERR_FUNC(EVP_F_CAMELLIA_INIT_KEY), "CAMELLIA_INIT_KEY"},
+ {ERR_FUNC(EVP_F_D2I_PKEY), "D2I_PKEY"},
+@@ -86,7 +87,7 @@ static ERR_STRING_DATA EVP_str_functs[]=
+ {ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"},
+ {ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"},
+ {ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"},
+-{ERR_FUNC(EVP_F_EVP_MD_SIZE), "EVP_MD_SIZE"},
++{ERR_FUNC(EVP_F_EVP_MD_SIZE), "EVP_MD_size"},
+ {ERR_FUNC(EVP_F_EVP_OPENINIT), "EVP_OpenInit"},
+ {ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD), "EVP_PBE_alg_add"},
+ {ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD_TYPE), "EVP_PBE_alg_add_type"},
+diff -up openssl-1.0.0b/crypto/evp/evp.h.aesni openssl-1.0.0b/crypto/evp/evp.h
+--- openssl-1.0.0b/crypto/evp/evp.h.aesni 2010-11-16 17:33:22.000000000 +0100
++++ openssl-1.0.0b/crypto/evp/evp.h 2010-11-16 17:33:23.000000000 +0100
+@@ -1167,6 +1167,7 @@ void ERR_load_EVP_strings(void);
+ /* Error codes for the EVP functions. */
+
+ /* Function codes. */
++#define EVP_F_AESNI_INIT_KEY 163
+ #define EVP_F_AES_INIT_KEY 133
+ #define EVP_F_CAMELLIA_INIT_KEY 159
+ #define EVP_F_D2I_PKEY 100
+diff -up openssl-1.0.0b/test/test_aesni.aesni openssl-1.0.0b/test/test_aesni
+--- openssl-1.0.0b/test/test_aesni.aesni 2010-11-16 17:33:23.000000000 +0100
++++ openssl-1.0.0b/test/test_aesni 2010-11-16 17:33:23.000000000 +0100
+@@ -0,0 +1,69 @@
++#!/bin/sh
++
++PROG=$1
++
++if [ -x $PROG ]; then
++ if expr "x`$PROG version`" : "xOpenSSL" > /dev/null; then
++ :
++ else
++ echo "$PROG is not OpenSSL executable"
++ exit 1
++ fi
++else
++ echo "$PROG is not executable"
++ exit 1;
++fi
++
++if $PROG engine aesni | grep -v no-aesni; then
++
++ HASH=`cat $PROG | $PROG dgst -hex`
++
++ AES_ALGS=" aes-128-ecb aes-192-ecb aes-256-ecb \
++ aes-128-cbc aes-192-cbc aes-256-cbc \
++ aes-128-cfb aes-192-cfb aes-256-cfb \
++ aes-128-ofb aes-192-ofb aes-256-ofb"
++ BUFSIZE="16 32 48 64 80 96 128 144 999"
++
++ nerr=0
++
++ for alg in $AES_ALGS; do
++ echo $alg
++ for bufsize in $BUFSIZE; do
++ TEST=`( cat $PROG | \
++ $PROG enc -e -k "$HASH" -$alg -bufsize $bufsize -engine aesni | \
++ $PROG enc -d -k "$HASH" -$alg | \
++ $PROG dgst -hex ) 2>/dev/null`
++ if [ "$TEST" != "$HASH" ]; then
++ echo "-$alg/$bufsize encrypt test failed"
++ nerr=`expr $nerr + 1`
++ fi
++ done
++ for bufsize in $BUFSIZE; do
++ TEST=`( cat $PROG | \
++ $PROG enc -e -k "$HASH" -$alg | \
++ $PROG enc -d -k "$HASH" -$alg -bufsize $bufsize -engine aesni | \
++ $PROG dgst -hex ) 2>/dev/null`
++ if [ "$TEST" != "$HASH" ]; then
++ echo "-$alg/$bufsize decrypt test failed"
++ nerr=`expr $nerr + 1`
++ fi
++ done
++ TEST=`( cat $PROG | \
++ $PROG enc -e -k "$HASH" -$alg -engine aesni | \
++ $PROG enc -d -k "$HASH" -$alg -engine aesni | \
++ $PROG dgst -hex ) 2>/dev/null`
++ if [ "$TEST" != "$HASH" ]; then
++ echo "-$alg en/decrypt test failed"
++ nerr=`expr $nerr + 1`
++ fi
++ done
++
++ if [ $nerr -gt 0 ]; then
++ echo "AESNI engine test failed."
++ exit 1;
++ fi
++else
++ echo "AESNI engine is not available"
++fi
++
++exit 0
diff --git a/openssl-1.0.1-beta2-ipv6-apps.patch b/openssl-1.0.0b-ipv6-apps.patch
similarity index 84%
rename from openssl-1.0.1-beta2-ipv6-apps.patch
rename to openssl-1.0.0b-ipv6-apps.patch
index 4e2f60c..b85a5d8 100644
--- a/openssl-1.0.1-beta2-ipv6-apps.patch
+++ b/openssl-1.0.0b-ipv6-apps.patch
@@ -1,6 +1,6 @@
-diff -up openssl-1.0.1-beta2/apps/s_apps.h.ipv6-apps openssl-1.0.1-beta2/apps/s_apps.h
---- openssl-1.0.1-beta2/apps/s_apps.h.ipv6-apps 2012-02-02 12:56:27.216889198 +0100
-+++ openssl-1.0.1-beta2/apps/s_apps.h 2012-02-02 12:56:27.257889552 +0100
+diff -up openssl-1.0.0b/apps/s_apps.h.ipv6-apps openssl-1.0.0b/apps/s_apps.h
+--- openssl-1.0.0b/apps/s_apps.h.ipv6-apps 2010-11-16 17:19:29.000000000 +0100
++++ openssl-1.0.0b/apps/s_apps.h 2010-11-16 17:19:29.000000000 +0100
@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
#define PORT_STR "4433"
#define PROTOCOL "tcp"
@@ -10,7 +10,7 @@ diff -up openssl-1.0.1-beta2/apps/s_apps.h.ipv6-apps openssl-1.0.1-beta2/apps/s_
#ifdef HEADER_X509_H
int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
#endif
-@@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok,
+@@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok,
int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
#endif
@@ -23,10 +23,10 @@ diff -up openssl-1.0.1-beta2/apps/s_apps.h.ipv6-apps openssl-1.0.1-beta2/apps/s_
long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
int argi, long argl, long ret);
-diff -up openssl-1.0.1-beta2/apps/s_client.c.ipv6-apps openssl-1.0.1-beta2/apps/s_client.c
---- openssl-1.0.1-beta2/apps/s_client.c.ipv6-apps 2012-02-02 12:56:27.238889388 +0100
-+++ openssl-1.0.1-beta2/apps/s_client.c 2012-02-02 12:56:27.258889561 +0100
-@@ -563,7 +563,7 @@ int MAIN(int argc, char **argv)
+diff -up openssl-1.0.0b/apps/s_client.c.ipv6-apps openssl-1.0.0b/apps/s_client.c
+--- openssl-1.0.0b/apps/s_client.c.ipv6-apps 2010-11-16 17:19:29.000000000 +0100
++++ openssl-1.0.0b/apps/s_client.c 2010-11-16 17:19:29.000000000 +0100
+@@ -389,7 +389,7 @@ int MAIN(int argc, char **argv)
int cbuf_len,cbuf_off;
int sbuf_len,sbuf_off;
fd_set readfds,writefds;
@@ -35,7 +35,7 @@ diff -up openssl-1.0.1-beta2/apps/s_client.c.ipv6-apps openssl-1.0.1-beta2/apps/
int full_log=1;
char *host=SSL_HOST_NAME;
char *cert_file=NULL,*key_file=NULL;
-@@ -670,13 +670,12 @@ int MAIN(int argc, char **argv)
+@@ -488,13 +488,12 @@ int MAIN(int argc, char **argv)
else if (strcmp(*argv,"-port") == 0)
{
if (--argc < 1) goto bad;
@@ -51,7 +51,7 @@ diff -up openssl-1.0.1-beta2/apps/s_client.c.ipv6-apps openssl-1.0.1-beta2/apps/
goto bad;
}
else if (strcmp(*argv,"-verify") == 0)
-@@ -1260,7 +1259,7 @@ bad:
+@@ -967,7 +966,7 @@ bad:
re_start:
@@ -60,10 +60,10 @@ diff -up openssl-1.0.1-beta2/apps/s_client.c.ipv6-apps openssl-1.0.1-beta2/apps/
{
BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
SHUTDOWN(s);
-diff -up openssl-1.0.1-beta2/apps/s_server.c.ipv6-apps openssl-1.0.1-beta2/apps/s_server.c
---- openssl-1.0.1-beta2/apps/s_server.c.ipv6-apps 2012-02-02 12:56:27.239889397 +0100
-+++ openssl-1.0.1-beta2/apps/s_server.c 2012-02-02 12:56:27.259889570 +0100
-@@ -929,7 +929,7 @@ int MAIN(int argc, char *argv[])
+diff -up openssl-1.0.0b/apps/s_server.c.ipv6-apps openssl-1.0.0b/apps/s_server.c
+--- openssl-1.0.0b/apps/s_server.c.ipv6-apps 2010-11-16 17:19:29.000000000 +0100
++++ openssl-1.0.0b/apps/s_server.c 2010-11-16 17:19:29.000000000 +0100
+@@ -838,7 +838,7 @@ int MAIN(int argc, char *argv[])
{
X509_VERIFY_PARAM *vpm = NULL;
int badarg = 0;
@@ -72,7 +72,7 @@ diff -up openssl-1.0.1-beta2/apps/s_server.c.ipv6-apps openssl-1.0.1-beta2/apps/
char *CApath=NULL,*CAfile=NULL;
unsigned char *context = NULL;
char *dhfile = NULL;
-@@ -1010,8 +1010,7 @@ int MAIN(int argc, char *argv[])
+@@ -909,8 +909,7 @@ int MAIN(int argc, char *argv[])
(strcmp(*argv,"-accept") == 0))
{
if (--argc < 1) goto bad;
@@ -82,7 +82,7 @@ diff -up openssl-1.0.1-beta2/apps/s_server.c.ipv6-apps openssl-1.0.1-beta2/apps/
}
else if (strcmp(*argv,"-verify") == 0)
{
-@@ -1888,9 +1887,9 @@ bad:
+@@ -1700,9 +1699,9 @@ bad:
BIO_printf(bio_s_out,"ACCEPT\n");
(void)BIO_flush(bio_s_out);
if (www)
@@ -94,9 +94,9 @@ diff -up openssl-1.0.1-beta2/apps/s_server.c.ipv6-apps openssl-1.0.1-beta2/apps/
print_stats(bio_s_out,ctx);
ret=0;
end:
-diff -up openssl-1.0.1-beta2/apps/s_socket.c.ipv6-apps openssl-1.0.1-beta2/apps/s_socket.c
---- openssl-1.0.1-beta2/apps/s_socket.c.ipv6-apps 2011-12-02 15:39:40.000000000 +0100
-+++ openssl-1.0.1-beta2/apps/s_socket.c 2012-01-19 14:53:30.000000000 +0100
+diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
+--- openssl-1.0.0b/apps/s_socket.c.ipv6-apps 2010-07-05 13:03:22.000000000 +0200
++++ openssl-1.0.0b/apps/s_socket.c 2010-11-16 17:27:18.000000000 +0100
@@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha
static void ssl_sock_cleanup(void);
#endif
@@ -108,7 +108,7 @@ diff -up openssl-1.0.1-beta2/apps/s_socket.c.ipv6-apps openssl-1.0.1-beta2/apps/
static int do_accept(int acc_sock, int *sock, char **host);
static int host_ip(char *str, unsigned char ip[4]);
-@@ -234,57 +232,70 @@ static int ssl_sock_init(void)
+@@ -234,58 +232,70 @@ static int ssl_sock_init(void)
return(1);
}
@@ -117,10 +117,11 @@ diff -up openssl-1.0.1-beta2/apps/s_socket.c.ipv6-apps openssl-1.0.1-beta2/apps/
{
- unsigned char ip[4];
-
-- memset(ip, '\0', sizeof ip);
- if (!host_ip(host,&(ip[0])))
-- return 0;
-- return init_client_ip(sock,ip,port,type);
+- {
+- return(0);
+- }
+- return(init_client_ip(sock,ip,port,type));
- }
-
-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
@@ -216,7 +217,7 @@ diff -up openssl-1.0.1-beta2/apps/s_socket.c.ipv6-apps openssl-1.0.1-beta2/apps/
{
int sock;
char *name = NULL;
-@@ -322,33 +333,45 @@ int do_server(int port, int type, int *r
+@@ -323,33 +333,38 @@ int do_server(int port, int type, int *r
}
}
@@ -226,8 +227,9 @@ diff -up openssl-1.0.1-beta2/apps/s_socket.c.ipv6-apps openssl-1.0.1-beta2/apps/
- int ret=0;
- struct sockaddr_in server;
- int s= -1;
-+ struct addrinfo *res, *res0 = NULL, hints;
++ struct addrinfo *res, *res0, hints;
+ char * failed_call = NULL;
++ char port_name[8];
+ int s;
+ int e;
@@ -246,8 +248,6 @@ diff -up openssl-1.0.1-beta2/apps/s_socket.c.ipv6-apps openssl-1.0.1-beta2/apps/
- memcpy(&server.sin_addr,ip,4);
-#endif
+ memset(&hints, '\0', sizeof(hints));
-+ hints.ai_family = AF_INET6;
-+tryipv4:
+ hints.ai_socktype = type;
+ hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
@@ -274,16 +274,10 @@ diff -up openssl-1.0.1-beta2/apps/s_socket.c.ipv6-apps openssl-1.0.1-beta2/apps/
+ failed_call = "socket";
+ goto nextres;
+ }
-+ if (hints.ai_family == AF_INET6)
-+ {
-+ int j = 0;
-+ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
-+ (void *) &j, sizeof j);
-+ }
#if defined SOL_SOCKET && defined SO_REUSEADDR
{
int j = 1;
-@@ -356,35 +379,49 @@ static int init_server_long(int *sock, i
+@@ -357,35 +372,39 @@ static int init_server_long(int *sock, i
(void *) &j, sizeof j);
}
#endif
@@ -320,21 +314,12 @@ diff -up openssl-1.0.1-beta2/apps/s_socket.c.ipv6-apps openssl-1.0.1-beta2/apps/
+ close(s);
+ res = res->ai_next;
}
-+ if (res0)
-+ freeaddrinfo(res0);
++ freeaddrinfo(res0);
-static int init_server(int *sock, int port, int type)
-+ if (s == INVALID_SOCKET)
- {
+- {
- return(init_server_long(sock, port, NULL, type));
-+ if (hints.ai_family == AF_INET6)
-+ {
-+ hints.ai_family = AF_INET;
-+ goto tryipv4;
-+ }
-+ perror("socket");
-+ return(0);
-+ }
++ if (s == INVALID_SOCKET) { perror("socket"); return(0); }
+
+ perror(failed_call);
+ return(0);
@@ -350,7 +335,7 @@ diff -up openssl-1.0.1-beta2/apps/s_socket.c.ipv6-apps openssl-1.0.1-beta2/apps/
int len;
/* struct linger ling; */
-@@ -431,135 +468,58 @@ redoit:
+@@ -432,135 +451,58 @@ redoit:
*/
if (host == NULL) goto end;
diff --git a/openssl-1.0.0c-apps-ipv6listen.patch b/openssl-1.0.0c-apps-ipv6listen.patch
new file mode 100644
index 0000000..7c3d4a0
--- /dev/null
+++ b/openssl-1.0.0c-apps-ipv6listen.patch
@@ -0,0 +1,57 @@
+diff -up openssl-1.0.0c/apps/s_socket.c.ipv6listen openssl-1.0.0c/apps/s_socket.c
+--- openssl-1.0.0c/apps/s_socket.c.ipv6listen 2011-01-24 16:44:18.000000000 +0100
++++ openssl-1.0.0c/apps/s_socket.c 2011-01-24 16:56:25.000000000 +0100
+@@ -335,15 +335,16 @@ int do_server(char *port, int type, int
+
+ static int init_server(int *sock, char *port, int type)
+ {
+- struct addrinfo *res, *res0, hints;
++ struct addrinfo *res, *res0 = NULL, hints;
+ char * failed_call = NULL;
+- char port_name[8];
+ int s;
+ int e;
+
+ if (!ssl_sock_init()) return(0);
+
+ memset(&hints, '\0', sizeof(hints));
++ hints.ai_family = AF_INET6;
++tryipv4:
+ hints.ai_socktype = type;
+ hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
+
+@@ -365,6 +366,12 @@ static int init_server(int *sock, char *
+ failed_call = "socket";
+ goto nextres;
+ }
++ if (hints.ai_family == AF_INET6)
++ {
++ int j = 0;
++ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
++ (void *) &j, sizeof j);
++ }
+ #if defined SOL_SOCKET && defined SO_REUSEADDR
+ {
+ int j = 1;
+@@ -392,9 +399,19 @@ nextres:
+ close(s);
+ res = res->ai_next;
+ }
+- freeaddrinfo(res0);
++ if (res0)
++ freeaddrinfo(res0);
+
+- if (s == INVALID_SOCKET) { perror("socket"); return(0); }
++ if (s == INVALID_SOCKET)
++ {
++ if (hints.ai_family == AF_INET6)
++ {
++ hints.ai_family = AF_INET;
++ goto tryipv4;
++ }
++ perror("socket");
++ return(0);
++ }
+
+ perror(failed_call);
+ return(0);
diff --git a/openssl-1.0.0c-fips186-3.patch b/openssl-1.0.0c-fips186-3.patch
new file mode 100644
index 0000000..de3e5ab
--- /dev/null
+++ b/openssl-1.0.0c-fips186-3.patch
@@ -0,0 +1,384 @@
+diff -up openssl-1.0.0c/crypto/dsa/dsa_gen.c.fips186-3 openssl-1.0.0c/crypto/dsa/dsa_gen.c
+--- openssl-1.0.0c/crypto/dsa/dsa_gen.c.fips186-3 2011-02-03 21:04:14.000000000 +0100
++++ openssl-1.0.0c/crypto/dsa/dsa_gen.c 2011-02-04 08:54:42.000000000 +0100
+@@ -120,11 +120,11 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ int ok=0;
+ unsigned char seed[SHA256_DIGEST_LENGTH];
+ unsigned char md[SHA256_DIGEST_LENGTH];
+- unsigned char buf[SHA256_DIGEST_LENGTH],buf2[SHA256_DIGEST_LENGTH];
++ unsigned char buf[SHA256_DIGEST_LENGTH];
+ BIGNUM *r0,*W,*X,*c,*test;
+ BIGNUM *g=NULL,*q=NULL,*p=NULL;
+ BN_MONT_CTX *mont=NULL;
+- int i, k, n=0, m=0, qsize = qbits >> 3;
++ int i, k, b, n=0, m=0, qsize = qbits >> 3;
+ int counter=0;
+ int r=0;
+ BN_CTX *ctx=NULL;
+@@ -138,9 +138,13 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ goto err;
+ }
+
+- if (FIPS_mode() && (bits < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
++ if (FIPS_mode() &&
++ (bits != 1024 || qbits != 160) &&
++ (bits != 2048 || qbits != 224) &&
++ (bits != 2048 || qbits != 256) &&
++ (bits != 3072 || qbits != 256))
+ {
+- DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_TOO_SMALL);
++ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
+ goto err;
+ }
+ #endif
+@@ -151,22 +155,25 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ return 0;
+
+ if (evpmd == NULL)
+- /* use SHA1 as default */
+- evpmd = EVP_sha1();
++ {
++ if (qbits <= 160)
++ evpmd = EVP_sha1();
++ else if (qbits <= 224)
++ evpmd = EVP_sha224();
++ else
++ evpmd = EVP_sha256();
++ }
+
+ if (bits < 512)
+ bits = 512;
+
+ bits = (bits+63)/64*64;
+
+- /* NB: seed_len == 0 is special case: copy generated seed to
+- * seed_in if it is not NULL.
+- */
+ if (seed_len && (seed_len < (size_t)qsize))
+ seed_in = NULL; /* seed buffer too small -- ignore */
+ if (seed_len > (size_t)qsize)
+ seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger SEED,
+- * but our internal buffers are restricted to 160 bits*/
++ * but our internal buffers are restricted to 256 bits*/
+ if (seed_in != NULL)
+ memcpy(seed, seed_in, seed_len);
+
+@@ -189,13 +196,18 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ if (!BN_lshift(test,BN_value_one(),bits-1))
+ goto err;
+
++ /* step 3 n = \lceil bits / qbits \rceil - 1 */
++ n = (bits+qbits-1)/qbits - 1;
++ /* step 4 b = bits - 1 - n * qbits */
++ b = bits - 1 - n*qbits;
++
+ for (;;)
+ {
+ for (;;) /* find q */
+ {
+ int seed_is_random;
+
+- /* step 1 */
++ /* step 5 generate seed */
+ if(!BN_GENCB_call(cb, 0, m++))
+ goto err;
+
+@@ -210,28 +222,17 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/
+ }
+ memcpy(buf , seed, qsize);
+- memcpy(buf2, seed, qsize);
+- /* precompute "SEED + 1" for step 7: */
+- for (i = qsize-1; i >= 0; i--)
+- {
+- buf[i]++;
+- if (buf[i] != 0)
+- break;
+- }
+
+- /* step 2 */
++ /* step 6 U = hash(seed) */
+ EVP_Digest(seed, qsize, md, NULL, evpmd, NULL);
+- EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL);
+- for (i = 0; i < qsize; i++)
+- md[i]^=buf2[i];
+
+- /* step 3 */
++ /* step 7 q = 2^(qbits-1) + U + 1 - (U mod 2) */
+ md[0] |= 0x80;
+ md[qsize-1] |= 0x01;
+ if (!BN_bin2bn(md, qsize, q))
+ goto err;
+
+- /* step 4 */
++ /* step 8 test for prime (64 round of Rabin-Miller) */
+ r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
+ seed_is_random, cb);
+ if (r > 0)
+@@ -239,27 +240,22 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ if (r != 0)
+ goto err;
+
+- /* do a callback call */
+- /* step 5 */
+ }
+
+ if(!BN_GENCB_call(cb, 2, 0)) goto err;
+ if(!BN_GENCB_call(cb, 3, 0)) goto err;
+
+- /* step 6 */
++ /* step 11 */
+ counter=0;
+- /* "offset = 2" */
+-
+- n=(bits-1)/160;
++ /* "offset = 1" */
+
+ for (;;)
+ {
+ if ((counter != 0) && !BN_GENCB_call(cb, 0, counter))
+ goto err;
+
+- /* step 7 */
++ /* step 11.1, 11.2 obtain W */
+ BN_zero(W);
+- /* now 'buf' contains "SEED + offset - 1" */
+ for (k=0; k<=n; k++)
+ {
+ /* obtain "SEED + offset + k" by incrementing: */
+@@ -272,28 +268,30 @@ int dsa_builtin_paramgen(DSA *ret, size_
+
+ EVP_Digest(buf, qsize, md ,NULL, evpmd, NULL);
+
+- /* step 8 */
+ if (!BN_bin2bn(md, qsize, r0))
+ goto err;
+- if (!BN_lshift(r0,r0,(qsize << 3)*k)) goto err;
++ if (k == n)
++ BN_mask_bits(r0,b);
++ if (!BN_lshift(r0,r0,qbits*k)) goto err;
+ if (!BN_add(W,W,r0)) goto err;
+ }
+
+- /* more of step 8 */
+- if (!BN_mask_bits(W,bits-1)) goto err;
++ /* step 11.3 X = W + 2^(L-1) */
+ if (!BN_copy(X,W)) goto err;
+ if (!BN_add(X,X,test)) goto err;
+
+- /* step 9 */
++ /* step 11.4 c = X mod 2*q */
+ if (!BN_lshift1(r0,q)) goto err;
+ if (!BN_mod(c,X,r0,ctx)) goto err;
++
++ /* step 11.5 p = X - (c - 1) */
+ if (!BN_sub(r0,c,BN_value_one())) goto err;
+ if (!BN_sub(p,X,r0)) goto err;
+
+- /* step 10 */
++ /* step 11.6 */
+ if (BN_cmp(p,test) >= 0)
+ {
+- /* step 11 */
++ /* step 11.7 */
+ r = BN_is_prime_fasttest_ex(p, DSS_prime_checks,
+ ctx, 1, cb);
+ if (r > 0)
+@@ -302,12 +300,12 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ goto err;
+ }
+
+- /* step 13 */
++ /* step 11.9 */
+ counter++;
+ /* "offset = offset + n + 1" */
+
+- /* step 14 */
+- if (counter >= 4096) break;
++ /* step 12 */
++ if (counter >= 4*bits) break;
+ }
+ }
+ end:
+diff -up openssl-1.0.0c/crypto/dsa/dsa.h.fips186-3 openssl-1.0.0c/crypto/dsa/dsa.h
+--- openssl-1.0.0c/crypto/dsa/dsa.h.fips186-3 2011-02-03 21:04:14.000000000 +0100
++++ openssl-1.0.0c/crypto/dsa/dsa.h 2011-02-03 21:04:14.000000000 +0100
+@@ -316,6 +316,7 @@ void ERR_load_DSA_strings(void);
+ #define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100
+ #define DSA_R_DECODE_ERROR 104
+ #define DSA_R_INVALID_DIGEST_TYPE 106
++#define DSA_R_KEY_SIZE_INVALID 113
+ #define DSA_R_KEY_SIZE_TOO_SMALL 110
+ #define DSA_R_MISSING_PARAMETERS 101
+ #define DSA_R_MODULUS_TOO_LARGE 103
+diff -up openssl-1.0.0c/crypto/dsa/dsatest.c.fips186-3 openssl-1.0.0c/crypto/dsa/dsatest.c
+--- openssl-1.0.0c/crypto/dsa/dsatest.c.fips186-3 2011-02-03 21:14:07.000000000 +0100
++++ openssl-1.0.0c/crypto/dsa/dsatest.c 2011-02-04 08:40:24.000000000 +0100
+@@ -96,36 +96,41 @@ static int MS_CALLBACK dsa_cb(int p, int
+ /* seed, out_p, out_q, out_g are taken from the updated Appendix 5 to
+ * FIPS PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 */
+ static unsigned char seed[20]={
+- 0xd5,0x01,0x4e,0x4b,0x60,0xef,0x2b,0xa8,0xb6,0x21,0x1b,0x40,
+- 0x62,0xba,0x32,0x24,0xe0,0x42,0x7d,0xd3,
++ 0x02,0x47,0x11,0x92,0x11,0x88,0xC8,0xFB,0xAF,0x48,0x4C,0x62,
++ 0xDF,0xA5,0xBE,0xA0,0xA4,0x3C,0x56,0xE3,
+ };
+
+ static unsigned char out_p[]={
+- 0x8d,0xf2,0xa4,0x94,0x49,0x22,0x76,0xaa,
+- 0x3d,0x25,0x75,0x9b,0xb0,0x68,0x69,0xcb,
+- 0xea,0xc0,0xd8,0x3a,0xfb,0x8d,0x0c,0xf7,
+- 0xcb,0xb8,0x32,0x4f,0x0d,0x78,0x82,0xe5,
+- 0xd0,0x76,0x2f,0xc5,0xb7,0x21,0x0e,0xaf,
+- 0xc2,0xe9,0xad,0xac,0x32,0xab,0x7a,0xac,
+- 0x49,0x69,0x3d,0xfb,0xf8,0x37,0x24,0xc2,
+- 0xec,0x07,0x36,0xee,0x31,0xc8,0x02,0x91,
++ 0xAC,0xCB,0x1E,0x63,0x60,0x69,0x0C,0xFB,0x06,0x19,0x68,0x3E,
++ 0xA5,0x01,0x5A,0xA2,0x15,0x5C,0xE2,0x99,0x2D,0xD5,0x30,0x99,
++ 0x7E,0x5F,0x8D,0xE2,0xF7,0xC6,0x2E,0x8D,0xA3,0x9F,0x58,0xAD,
++ 0xD6,0xA9,0x7D,0x0E,0x0D,0x95,0x53,0xA6,0x71,0x3A,0xDE,0xAB,
++ 0xAC,0xE9,0xF4,0x36,0x55,0x9E,0xB9,0xD6,0x93,0xBF,0xF3,0x18,
++ 0x1C,0x14,0x7B,0xA5,0x42,0x2E,0xCD,0x00,0xEB,0x35,0x3B,0x1B,
++ 0xA8,0x51,0xBB,0xE1,0x58,0x42,0x85,0x84,0x22,0xA7,0x97,0x5E,
++ 0x99,0x6F,0x38,0x20,0xBD,0x9D,0xB6,0xD9,0x33,0x37,0x2A,0xFD,
++ 0xBB,0xD4,0xBC,0x0C,0x2A,0x67,0xCB,0x9F,0xBB,0xDF,0xF9,0x93,
++ 0xAA,0xD6,0xF0,0xD6,0x95,0x0B,0x5D,0x65,0x14,0xD0,0x18,0x9D,
++ 0xC6,0xAF,0xF0,0xC6,0x37,0x7C,0xF3,0x5F,
+ };
+
+ static unsigned char out_q[]={
+- 0xc7,0x73,0x21,0x8c,0x73,0x7e,0xc8,0xee,
+- 0x99,0x3b,0x4f,0x2d,0xed,0x30,0xf4,0x8e,
+- 0xda,0xce,0x91,0x5f,
++ 0xE3,0x8E,0x5E,0x6D,0xBF,0x2B,0x79,0xF8,0xC5,0x4B,0x89,0x8B,
++ 0xBA,0x2D,0x91,0xC3,0x6C,0x80,0xAC,0x87,
+ };
+
+ static unsigned char out_g[]={
+- 0x62,0x6d,0x02,0x78,0x39,0xea,0x0a,0x13,
+- 0x41,0x31,0x63,0xa5,0x5b,0x4c,0xb5,0x00,
+- 0x29,0x9d,0x55,0x22,0x95,0x6c,0xef,0xcb,
+- 0x3b,0xff,0x10,0xf3,0x99,0xce,0x2c,0x2e,
+- 0x71,0xcb,0x9d,0xe5,0xfa,0x24,0xba,0xbf,
+- 0x58,0xe5,0xb7,0x95,0x21,0x92,0x5c,0x9c,
+- 0xc4,0x2e,0x9f,0x6f,0x46,0x4b,0x08,0x8c,
+- 0xc5,0x72,0xaf,0x53,0xe6,0xd7,0x88,0x02,
++ 0x42,0x4A,0x04,0x4E,0x79,0xB4,0x99,0x7F,0xFD,0x58,0x36,0x2C,
++ 0x1B,0x5F,0x18,0x7E,0x0D,0xCC,0xAB,0x81,0xC9,0x5D,0x10,0xCE,
++ 0x4E,0x80,0x7E,0x58,0xB4,0x34,0x3F,0xA7,0x45,0xC7,0xAA,0x36,
++ 0x24,0x42,0xA9,0x3B,0xE8,0x0E,0x04,0x02,0x2D,0xFB,0xA6,0x13,
++ 0xB9,0xB5,0x15,0xA5,0x56,0x07,0x35,0xE4,0x03,0xB6,0x79,0x7C,
++ 0x62,0xDD,0xDF,0x3F,0x71,0x3A,0x9D,0x8B,0xC4,0xF6,0xE7,0x1D,
++ 0x52,0xA8,0xA9,0x43,0x1D,0x33,0x51,0x88,0x39,0xBD,0x73,0xE9,
++ 0x5F,0xBE,0x82,0x49,0x27,0xE6,0xB5,0x53,0xC1,0x38,0xAC,0x2F,
++ 0x6D,0x97,0x6C,0xEB,0x67,0xC1,0x5F,0x67,0xF8,0x35,0x05,0x5E,
++ 0xD5,0x68,0x80,0xAA,0x96,0xCA,0x0B,0x8A,0xE6,0xF1,0xB1,0x41,
++ 0xC6,0x75,0x94,0x0A,0x0A,0x2A,0xFA,0x29,
+ };
+
+ static const unsigned char str1[]="12345678901234567890";
+@@ -157,7 +162,7 @@ int main(int argc, char **argv)
+ BIO_printf(bio_err,"test generation of DSA parameters\n");
+
+ BN_GENCB_set(&cb, dsa_cb, bio_err);
+- if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512,
++ if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 1024,
+ seed, 20, &counter, &h, &cb))
+ goto end;
+
+@@ -170,9 +175,9 @@ int main(int argc, char **argv)
+ BIO_printf(bio_err,"\ncounter=%d h=%ld\n",counter,h);
+
+ DSA_print(bio_err,dsa,0);
+- if (counter != 105)
++ if (counter != 239)
+ {
+- BIO_printf(bio_err,"counter should be 105\n");
++ BIO_printf(bio_err,"counter should be 239\n");
+ goto end;
+ }
+ if (h != 2)
+diff -up openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c.fips186-3 openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c
+--- openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c.fips186-3 2011-02-03 21:04:14.000000000 +0100
++++ openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c 2011-02-04 09:03:03.000000000 +0100
+@@ -68,44 +68,42 @@
+
+ #ifdef OPENSSL_FIPS
+
+-/* seed, out_p, out_q, out_g are taken the NIST test vectors */
+-
+ static unsigned char seed[20] = {
+- 0x77, 0x8f, 0x40, 0x74, 0x6f, 0x66, 0xbe, 0x33, 0xce, 0xbe, 0x99, 0x34,
+- 0x4c, 0xfc, 0xf3, 0x28, 0xaa, 0x70, 0x2d, 0x3a
+- };
++ 0x02,0x47,0x11,0x92,0x11,0x88,0xC8,0xFB,0xAF,0x48,0x4C,0x62,
++ 0xDF,0xA5,0xBE,0xA0,0xA4,0x3C,0x56,0xE3,
++ };
+
+ static unsigned char out_p[] = {
+- 0xf7, 0x7c, 0x1b, 0x83, 0xd8, 0xe8, 0x5c, 0x7f, 0x85, 0x30, 0x17, 0x57,
+- 0x21, 0x95, 0xfe, 0x26, 0x04, 0xeb, 0x47, 0x4c, 0x3a, 0x4a, 0x81, 0x4b,
+- 0x71, 0x2e, 0xed, 0x6e, 0x4f, 0x3d, 0x11, 0x0f, 0x7c, 0xfe, 0x36, 0x43,
+- 0x51, 0xd9, 0x81, 0x39, 0x17, 0xdf, 0x62, 0xf6, 0x9c, 0x01, 0xa8, 0x69,
+- 0x71, 0xdd, 0x29, 0x7f, 0x47, 0xe6, 0x65, 0xa6, 0x22, 0xe8, 0x6a, 0x12,
+- 0x2b, 0xc2, 0x81, 0xff, 0x32, 0x70, 0x2f, 0x9e, 0xca, 0x53, 0x26, 0x47,
+- 0x0f, 0x59, 0xd7, 0x9e, 0x2c, 0xa5, 0x07, 0xc4, 0x49, 0x52, 0xa3, 0xe4,
+- 0x6b, 0x04, 0x00, 0x25, 0x49, 0xe2, 0xe6, 0x7f, 0x28, 0x78, 0x97, 0xb8,
+- 0x3a, 0x32, 0x14, 0x38, 0xa2, 0x51, 0x33, 0x22, 0x44, 0x7e, 0xd7, 0xef,
+- 0x45, 0xdb, 0x06, 0x4a, 0xd2, 0x82, 0x4a, 0x82, 0x2c, 0xb1, 0xd7, 0xd8,
+- 0xb6, 0x73, 0x00, 0x4d, 0x94, 0x77, 0x94, 0xef
++ 0xAC,0xCB,0x1E,0x63,0x60,0x69,0x0C,0xFB,0x06,0x19,0x68,0x3E,
++ 0xA5,0x01,0x5A,0xA2,0x15,0x5C,0xE2,0x99,0x2D,0xD5,0x30,0x99,
++ 0x7E,0x5F,0x8D,0xE2,0xF7,0xC6,0x2E,0x8D,0xA3,0x9F,0x58,0xAD,
++ 0xD6,0xA9,0x7D,0x0E,0x0D,0x95,0x53,0xA6,0x71,0x3A,0xDE,0xAB,
++ 0xAC,0xE9,0xF4,0x36,0x55,0x9E,0xB9,0xD6,0x93,0xBF,0xF3,0x18,
++ 0x1C,0x14,0x7B,0xA5,0x42,0x2E,0xCD,0x00,0xEB,0x35,0x3B,0x1B,
++ 0xA8,0x51,0xBB,0xE1,0x58,0x42,0x85,0x84,0x22,0xA7,0x97,0x5E,
++ 0x99,0x6F,0x38,0x20,0xBD,0x9D,0xB6,0xD9,0x33,0x37,0x2A,0xFD,
++ 0xBB,0xD4,0xBC,0x0C,0x2A,0x67,0xCB,0x9F,0xBB,0xDF,0xF9,0x93,
++ 0xAA,0xD6,0xF0,0xD6,0x95,0x0B,0x5D,0x65,0x14,0xD0,0x18,0x9D,
++ 0xC6,0xAF,0xF0,0xC6,0x37,0x7C,0xF3,0x5F,
+ };
+
+ static unsigned char out_q[] = {
+- 0xd4, 0x0a, 0xac, 0x9f, 0xbd, 0x8c, 0x80, 0xc2, 0x38, 0x7e, 0x2e, 0x0c,
+- 0x52, 0x5c, 0xea, 0x34, 0xa1, 0x83, 0x32, 0xf3
++ 0xE3,0x8E,0x5E,0x6D,0xBF,0x2B,0x79,0xF8,0xC5,0x4B,0x89,0x8B,
++ 0xBA,0x2D,0x91,0xC3,0x6C,0x80,0xAC,0x87,
+ };
+
+ static unsigned char out_g[] = {
+- 0x34, 0x73, 0x8b, 0x57, 0x84, 0x8e, 0x55, 0xbf, 0x57, 0xcc, 0x41, 0xbb,
+- 0x5e, 0x2b, 0xd5, 0x42, 0xdd, 0x24, 0x22, 0x2a, 0x09, 0xea, 0x26, 0x1e,
+- 0x17, 0x65, 0xcb, 0x1a, 0xb3, 0x12, 0x44, 0xa3, 0x9e, 0x99, 0xe9, 0x63,
+- 0xeb, 0x30, 0xb1, 0x78, 0x7b, 0x09, 0x40, 0x30, 0xfa, 0x83, 0xc2, 0x35,
+- 0xe1, 0xc4, 0x2d, 0x74, 0x1a, 0xb1, 0x83, 0x54, 0xd8, 0x29, 0xf4, 0xcf,
+- 0x7f, 0x6f, 0x67, 0x1c, 0x36, 0x49, 0xee, 0x6c, 0xa2, 0x3c, 0x2d, 0x6a,
+- 0xe9, 0xd3, 0x9a, 0xf6, 0x57, 0x78, 0x6f, 0xfd, 0x33, 0xcd, 0x3c, 0xed,
+- 0xfd, 0xd4, 0x41, 0xe6, 0x5c, 0x8b, 0xe0, 0x68, 0x31, 0x47, 0x47, 0xaf,
+- 0x12, 0xa7, 0xf9, 0x32, 0x0d, 0x94, 0x15, 0x48, 0xd0, 0x54, 0x85, 0xb2,
+- 0x04, 0xb5, 0x4d, 0xd4, 0x9d, 0x05, 0x22, 0x25, 0xd9, 0xfd, 0x6c, 0x36,
+- 0xef, 0xbe, 0x69, 0x6c, 0x55, 0xf4, 0xee, 0xec
++ 0x42,0x4A,0x04,0x4E,0x79,0xB4,0x99,0x7F,0xFD,0x58,0x36,0x2C,
++ 0x1B,0x5F,0x18,0x7E,0x0D,0xCC,0xAB,0x81,0xC9,0x5D,0x10,0xCE,
++ 0x4E,0x80,0x7E,0x58,0xB4,0x34,0x3F,0xA7,0x45,0xC7,0xAA,0x36,
++ 0x24,0x42,0xA9,0x3B,0xE8,0x0E,0x04,0x02,0x2D,0xFB,0xA6,0x13,
++ 0xB9,0xB5,0x15,0xA5,0x56,0x07,0x35,0xE4,0x03,0xB6,0x79,0x7C,
++ 0x62,0xDD,0xDF,0x3F,0x71,0x3A,0x9D,0x8B,0xC4,0xF6,0xE7,0x1D,
++ 0x52,0xA8,0xA9,0x43,0x1D,0x33,0x51,0x88,0x39,0xBD,0x73,0xE9,
++ 0x5F,0xBE,0x82,0x49,0x27,0xE6,0xB5,0x53,0xC1,0x38,0xAC,0x2F,
++ 0x6D,0x97,0x6C,0xEB,0x67,0xC1,0x5F,0x67,0xF8,0x35,0x05,0x5E,
++ 0xD5,0x68,0x80,0xAA,0x96,0xCA,0x0B,0x8A,0xE6,0xF1,0xB1,0x41,
++ 0xC6,0x75,0x94,0x0A,0x0A,0x2A,0xFA,0x29,
+ };
+
+ static const unsigned char str1[]="12345678901234567890";
+@@ -133,7 +131,7 @@ int FIPS_selftest_dsa()
+ goto err;
+ if(!DSA_generate_parameters_ex(dsa, 1024,seed,20,&counter,&h,NULL))
+ goto err;
+- if (counter != 378)
++ if (counter != 239)
+ goto err;
+ if (h != 2)
+ goto err;
diff --git a/openssl-1.0.0c-pkcs12-fips-default.patch b/openssl-1.0.0c-pkcs12-fips-default.patch
new file mode 100644
index 0000000..a671722
--- /dev/null
+++ b/openssl-1.0.0c-pkcs12-fips-default.patch
@@ -0,0 +1,25 @@
+diff -up openssl-1.0.0c/apps/pkcs12.c.fips-default openssl-1.0.0c/apps/pkcs12.c
+--- openssl-1.0.0c/apps/pkcs12.c.fips-default 2009-07-27 23:08:45.000000000 +0200
++++ openssl-1.0.0c/apps/pkcs12.c 2011-02-04 15:25:38.000000000 +0100
+@@ -67,6 +67,9 @@
+ #include <openssl/err.h>
+ #include <openssl/pem.h>
+ #include <openssl/pkcs12.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
+
+ #define PROG pkcs12_main
+
+@@ -130,6 +133,11 @@ int MAIN(int argc, char **argv)
+
+ apps_startup();
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode())
++ cert_pbe = key_pbe; /* cannot use RC2 in the FIPS mode */
++#endif
++
+ enc = EVP_des_ede3_cbc();
+ if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
+
diff --git a/openssl-1.0.0c-speed-fips.patch b/openssl-1.0.0c-speed-fips.patch
new file mode 100644
index 0000000..048d673
--- /dev/null
+++ b/openssl-1.0.0c-speed-fips.patch
@@ -0,0 +1,94 @@
+diff -up openssl-1.0.0c/apps/speed.c.spfips openssl-1.0.0c/apps/speed.c
+--- openssl-1.0.0c/apps/speed.c.spfips 2010-11-18 14:22:26.000000000 +0100
++++ openssl-1.0.0c/apps/speed.c 2011-01-24 17:25:32.000000000 +0100
+@@ -100,6 +100,9 @@
+ #include <openssl/err.h>
+ #include <openssl/evp.h>
+ #include <openssl/objects.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
+ #if !defined(OPENSSL_SYS_MSDOS)
+ #include OPENSSL_UNISTD
+ #endif
+@@ -908,7 +911,12 @@ int MAIN(int argc, char **argv)
+ #ifndef OPENSSL_NO_RSA
+ if (strcmp(*argv,"rsa") == 0)
+ {
++#ifdef OPENSSL_FIPS
++ if (!FIPS_mode())
++#endif
++ {
+ rsa_doit[R_RSA_512]=1;
++ }
+ rsa_doit[R_RSA_1024]=1;
+ rsa_doit[R_RSA_2048]=1;
+ rsa_doit[R_RSA_4096]=1;
+@@ -918,7 +926,12 @@ int MAIN(int argc, char **argv)
+ #ifndef OPENSSL_NO_DSA
+ if (strcmp(*argv,"dsa") == 0)
+ {
++#ifdef OPENSSL_FIPS
++ if (!FIPS_mode())
++#endif
++ {
+ dsa_doit[R_DSA_512]=1;
++ }
+ dsa_doit[R_DSA_1024]=1;
+ dsa_doit[R_DSA_2048]=1;
+ }
+@@ -1193,30 +1206,54 @@ int MAIN(int argc, char **argv)
+ AES_set_encrypt_key(key32,256,&aes_ks3);
+ #endif
+ #ifndef OPENSSL_NO_CAMELLIA
++ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML])
++ {
+ Camellia_set_key(key16,128,&camellia_ks1);
+ Camellia_set_key(ckey24,192,&camellia_ks2);
+ Camellia_set_key(ckey32,256,&camellia_ks3);
++ }
+ #endif
+ #ifndef OPENSSL_NO_IDEA
++ if (doit[D_CBC_IDEA])
++ {
+ idea_set_encrypt_key(key16,&idea_ks);
++ }
+ #endif
+ #ifndef OPENSSL_NO_SEED
++ if (doit[D_CBC_SEED])
++ {
+ SEED_set_key(key16,&seed_ks);
++ }
+ #endif
+ #ifndef OPENSSL_NO_RC4
++ if (doit[D_RC4])
++ {
+ RC4_set_key(&rc4_ks,16,key16);
++ }
+ #endif
+ #ifndef OPENSSL_NO_RC2
++ if (doit[D_CBC_RC2])
++ {
+ RC2_set_key(&rc2_ks,16,key16,128);
++ }
+ #endif
+ #ifndef OPENSSL_NO_RC5
++ if (doit[D_CBC_RC5])
++ {
+ RC5_32_set_key(&rc5_ks,16,key16,12);
++ }
+ #endif
+ #ifndef OPENSSL_NO_BF
++ if (doit[D_CBC_BF])
++ {
+ BF_set_key(&bf_ks,16,key16);
++ }
+ #endif
+ #ifndef OPENSSL_NO_CAST
++ if (doit[D_CBC_CAST])
++ {
+ CAST_set_key(&cast_ks,16,key16);
++ }
+ #endif
+ #ifndef OPENSSL_NO_RSA
+ memset(rsa_c,0,sizeof(rsa_c));
diff --git a/openssl-1.0.0d-cavs.patch b/openssl-1.0.0d-cavs.patch
new file mode 100644
index 0000000..eed8559
--- /dev/null
+++ b/openssl-1.0.0d-cavs.patch
@@ -0,0 +1,232 @@
+diff -up openssl-1.0.0d/crypto/dsa/dsa_gen.c.cavs openssl-1.0.0d/crypto/dsa/dsa_gen.c
+--- openssl-1.0.0d/crypto/dsa/dsa_gen.c.cavs 2011-05-23 19:59:56.000000000 +0200
++++ openssl-1.0.0d/crypto/dsa/dsa_gen.c 2011-05-23 22:32:45.000000000 +0200
+@@ -85,6 +85,14 @@
+ #endif
+ #include "dsa_locl.h"
+
++#ifndef OPENSSL_FIPS
++static int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
++ const EVP_MD *evpmd, unsigned char *seed, int seed_len,
++ BIGNUM **p_ret, BIGNUM **q_ret, int *counter_ret, BN_GENCB *cb);
++static int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
++ BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb);
++#endif
++
+ int DSA_generate_parameters_ex(DSA *ret, int bits,
+ const unsigned char *seed_in, int seed_len,
+ int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
+@@ -113,22 +121,26 @@ int DSA_generate_parameters_ex(DSA *ret,
+ }
+ }
+
++#ifdef OPENSSL_FIPS
++int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
++ const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
++ int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
++ {
++ return dsa_builtin_paramgen(ret, bits, qbits,
++ evpmd, seed_in, seed_len,
++ counter_ret, h_ret, cb);
++ }
++#endif
++
+ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
+ const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
+ int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
+ {
+ int ok=0;
+ unsigned char seed[SHA256_DIGEST_LENGTH];
+- unsigned char md[SHA256_DIGEST_LENGTH];
+- unsigned char buf[SHA256_DIGEST_LENGTH];
+- BIGNUM *r0,*W,*X,*c,*test;
+ BIGNUM *g=NULL,*q=NULL,*p=NULL;
+- BN_MONT_CTX *mont=NULL;
+- int i, k, b, n=0, m=0, qsize = qbits >> 3;
+- int counter=0;
+- int r=0;
++ size_t qsize = qbits >> 3;
+ BN_CTX *ctx=NULL;
+- unsigned int h=2;
+
+ #ifdef OPENSSL_FIPS
+ if(FIPS_selftest_failed())
+@@ -148,6 +160,65 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ goto err;
+ }
+ #endif
++ if (seed_len && (seed_len < (size_t)qsize))
++ seed_in = NULL; /* seed buffer too small -- ignore */
++ if (seed_len > sizeof(seed))
++ seed_len = sizeof(seed); /* App. 2.2 of FIPS PUB 186 allows larger SEED,
++ * but our internal buffers are restricted to 256 bits*/
++ if (seed_in != NULL)
++ memcpy(seed, seed_in, seed_len);
++ else
++ seed_len = 0;
++
++ if ((ctx=BN_CTX_new()) == NULL)
++ goto err;
++
++ BN_CTX_start(ctx);
++
++ if (!FIPS_dsa_generate_pq(ctx, bits, qbits, evpmd,
++ seed, seed_len, &p, &q, counter_ret, cb))
++ goto err;
++
++ if (!FIPS_dsa_generate_g(ctx, p, q, &g, h_ret, cb))
++ goto err;
++
++ ok=1;
++err:
++ if (ok)
++ {
++ if(ret->p) BN_free(ret->p);
++ if(ret->q) BN_free(ret->q);
++ if(ret->g) BN_free(ret->g);
++ ret->p=BN_dup(p);
++ ret->q=BN_dup(q);
++ ret->g=BN_dup(g);
++ if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
++ ok=0;
++ }
++ if(ctx)
++ {
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++ }
++ return ok;
++ }
++
++#ifndef OPENSSL_FIPS
++static
++#endif
++int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
++ const EVP_MD *evpmd, unsigned char *seed, int seed_len,
++ BIGNUM **p_ret, BIGNUM **q_ret, int *counter_ret, BN_GENCB *cb)
++ {
++ int ok=0;
++ unsigned char md[SHA256_DIGEST_LENGTH];
++ unsigned char buf[SHA256_DIGEST_LENGTH];
++ BIGNUM *r0,*W,*X,*c,*test;
++ BIGNUM *g=NULL,*q=NULL,*p=NULL;
++ BN_MONT_CTX *mont=NULL;
++ int i, k, b, n=0, m=0, qsize = qbits >> 3;
++ int counter=0;
++ int r=0;
+
+ if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH &&
+ qsize != SHA256_DIGEST_LENGTH)
+@@ -169,28 +240,12 @@ int dsa_builtin_paramgen(DSA *ret, size_
+
+ bits = (bits+63)/64*64;
+
+- if (seed_len && (seed_len < (size_t)qsize))
+- seed_in = NULL; /* seed buffer too small -- ignore */
+- if (seed_len > (size_t)qsize)
+- seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger SEED,
+- * but our internal buffers are restricted to 256 bits*/
+- if (seed_in != NULL)
+- memcpy(seed, seed_in, seed_len);
+-
+- if ((ctx=BN_CTX_new()) == NULL)
+- goto err;
+-
+- if ((mont=BN_MONT_CTX_new()) == NULL)
+- goto err;
+-
+- BN_CTX_start(ctx);
+ r0 = BN_CTX_get(ctx);
+- g = BN_CTX_get(ctx);
+ W = BN_CTX_get(ctx);
+- q = BN_CTX_get(ctx);
++ *q_ret = q = BN_CTX_get(ctx);
+ X = BN_CTX_get(ctx);
+ c = BN_CTX_get(ctx);
+- p = BN_CTX_get(ctx);
++ *p_ret = p = BN_CTX_get(ctx);
+ test = BN_CTX_get(ctx);
+
+ if (!BN_lshift(test,BN_value_one(),bits-1))
+@@ -312,7 +367,33 @@ end:
+ if(!BN_GENCB_call(cb, 2, 1))
+ goto err;
+
+- /* We now need to generate g */
++ ok=1;
++err:
++ if (ok)
++ {
++ if (counter_ret != NULL) *counter_ret=counter;
++ }
++ return ok;
++ }
++
++#ifndef OPENSSL_FIPS
++static
++#endif
++int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
++ BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb)
++ {
++ int ok=0;
++ BIGNUM *r0, *test, *g = NULL;
++ BN_MONT_CTX *mont;
++ unsigned int h=2;
++
++ if ((mont=BN_MONT_CTX_new()) == NULL)
++ goto err;
++
++ r0 = BN_CTX_get(ctx);
++ *g_ret = g = BN_CTX_get(ctx);
++ test = BN_CTX_get(ctx);
++
+ /* Set r0=(p-1)/q */
+ if (!BN_sub(test,p,BN_value_one())) goto err;
+ if (!BN_div(r0,NULL,test,q,ctx)) goto err;
+@@ -336,25 +417,8 @@ end:
+ err:
+ if (ok)
+ {
+- if(ret->p) BN_free(ret->p);
+- if(ret->q) BN_free(ret->q);
+- if(ret->g) BN_free(ret->g);
+- ret->p=BN_dup(p);
+- ret->q=BN_dup(q);
+- ret->g=BN_dup(g);
+- if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
+- {
+- ok=0;
+- goto err;
+- }
+- if (counter_ret != NULL) *counter_ret=counter;
+ if (h_ret != NULL) *h_ret=h;
+ }
+- if(ctx)
+- {
+- BN_CTX_end(ctx);
+- BN_CTX_free(ctx);
+- }
+ if (mont != NULL) BN_MONT_CTX_free(mont);
+ return ok;
+ }
+diff -up openssl-1.0.0d/crypto/dsa/dsa.h.cavs openssl-1.0.0d/crypto/dsa/dsa.h
+--- openssl-1.0.0d/crypto/dsa/dsa.h.cavs 2011-05-23 19:59:56.000000000 +0200
++++ openssl-1.0.0d/crypto/dsa/dsa.h 2011-05-23 22:33:33.000000000 +0200
+@@ -266,6 +266,17 @@ int DSA_print_fp(FILE *bp, const DSA *x,
+ DH *DSA_dup_DH(const DSA *r);
+ #endif
+
++#ifdef OPENSSL_FIPS
++int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
++ const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
++ int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
++int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
++ const EVP_MD *evpmd, unsigned char *seed, int seed_len,
++ BIGNUM **p_ret, BIGNUM **q_ret, int *counter_ret, BN_GENCB *cb);
++int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
++ BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb);
++#endif
++
+ #define EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, nbits) \
+ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, \
+ EVP_PKEY_CTRL_DSA_PARAMGEN_BITS, nbits, NULL)
diff --git a/openssl-1.0.0d-intelopts.patch b/openssl-1.0.0d-intelopts.patch
new file mode 100644
index 0000000..6aba7b3
--- /dev/null
+++ b/openssl-1.0.0d-intelopts.patch
@@ -0,0 +1,6221 @@
+diff -up openssl-1.0.0d/crypto/aes/asm/aesni-x86.pl.intelopts openssl-1.0.0d/crypto/aes/asm/aesni-x86.pl
+--- openssl-1.0.0d/crypto/aes/asm/aesni-x86.pl.intelopts 2011-08-24 12:50:55.000000000 +0200
++++ openssl-1.0.0d/crypto/aes/asm/aesni-x86.pl 2011-08-24 12:50:56.000000000 +0200
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+
+ # ====================================================================
+ # Written by Andy Polyakov <appro at fy.chalmers.se> for the OpenSSL
+@@ -11,10 +11,37 @@
+ # OpenSSL context it's used with Intel engine, but can also be used as
+ # drop-in replacement for crypto/aes/asm/aes-586.pl [see below for
+ # details].
++#
++# Performance.
++#
++# To start with see corresponding paragraph in aesni-x86_64.pl...
++# Instead of filling table similar to one found there I've chosen to
++# summarize *comparison* results for raw ECB, CTR and CBC benchmarks.
++# The simplified table below represents 32-bit performance relative
++# to 64-bit one in every given point. Ratios vary for different
++# encryption modes, therefore interval values.
++#
++# 16-byte 64-byte 256-byte 1-KB 8-KB
++# 53-67% 67-84% 91-94% 95-98% 97-99.5%
++#
++# Lower ratios for smaller block sizes are perfectly understandable,
++# because function call overhead is higher in 32-bit mode. Largest
++# 8-KB block performance is virtually same: 32-bit code is less than
++# 1% slower for ECB, CBC and CCM, and ~3% slower otherwise.
++
++# January 2011
++#
++# See aesni-x86_64.pl for details. Unlike x86_64 version this module
++# interleaves at most 6 aes[enc|dec] instructions, because there are
++# not enough registers for 8x interleave [which should be optimal for
++# Sandy Bridge]. Actually, performance results for 6x interleave
++# factor presented in aesni-x86_64.pl (except for CTR) are for this
++# module.
+
+ $PREFIX="aesni"; # if $PREFIX is set to "AES", the script
+ # generates drop-in replacement for
+ # crypto/aes/asm/aes-586.pl:-)
++$inline=1; # inline _aesni_[en|de]crypt
+
+ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+ push(@INC,"${dir}","${dir}../../perlasm");
+@@ -22,7 +49,8 @@ require "x86asm.pl";
+
+ &asm_init($ARGV[0],$0);
+
+-$movekey = eval($RREFIX eq "aseni" ? "*movaps" : "*movups");
++if ($PREFIX eq "aesni") { $movekey=*movups; }
++else { $movekey=*movups; }
+
+ $len="eax";
+ $rounds="ecx";
+@@ -32,114 +60,144 @@ $out="edi";
+ $rounds_="ebx"; # backup copy for $rounds
+ $key_="ebp"; # backup copy for $key
+
+-$inout0="xmm0";
+-$inout1="xmm1";
+-$inout2="xmm2";
+-$rndkey0="xmm3";
+-$rndkey1="xmm4";
+-$ivec="xmm5";
+-$in0="xmm6";
+-$in1="xmm7"; $inout3="xmm7";
+-
++$rndkey0="xmm0";
++$rndkey1="xmm1";
++$inout0="xmm2";
++$inout1="xmm3";
++$inout2="xmm4";
++$inout3="xmm5"; $in1="xmm5";
++$inout4="xmm6"; $in0="xmm6";
++$inout5="xmm7"; $ivec="xmm7";
++
++# AESNI extenstion
++sub aeskeygenassist
++{ my($dst,$src,$imm)=@_;
++ if ("$dst:$src" =~ /xmm([0-7]):xmm([0-7])/)
++ { &data_byte(0x66,0x0f,0x3a,0xdf,0xc0|($1<<3)|$2,$imm); }
++}
++sub aescommon
++{ my($opcodelet,$dst,$src)=@_;
++ if ("$dst:$src" =~ /xmm([0-7]):xmm([0-7])/)
++ { &data_byte(0x66,0x0f,0x38,$opcodelet,0xc0|($1<<3)|$2);}
++}
++sub aesimc { aescommon(0xdb, at _); }
++sub aesenc { aescommon(0xdc, at _); }
++sub aesenclast { aescommon(0xdd, at _); }
++sub aesdec { aescommon(0xde, at _); }
++sub aesdeclast { aescommon(0xdf, at _); }
++�
+ # Inline version of internal aesni_[en|de]crypt1
++{ my $sn;
+ sub aesni_inline_generate1
+-{ my $p=shift;
++{ my ($p,$inout,$ivec)=@_; $inout=$inout0 if (!defined($inout));
++ $sn++;
+
+ &$movekey ($rndkey0,&QWP(0,$key));
+ &$movekey ($rndkey1,&QWP(16,$key));
++ &xorps ($ivec,$rndkey0) if (defined($ivec));
+ &lea ($key,&DWP(32,$key));
+- &pxor ($inout0,$rndkey0);
+- &set_label("${p}1_loop");
+- eval"&aes${p} ($inout0,$rndkey1)";
++ &xorps ($inout,$ivec) if (defined($ivec));
++ &xorps ($inout,$rndkey0) if (!defined($ivec));
++ &set_label("${p}1_loop_$sn");
++ eval"&aes${p} ($inout,$rndkey1)";
+ &dec ($rounds);
+ &$movekey ($rndkey1,&QWP(0,$key));
+ &lea ($key,&DWP(16,$key));
+- &jnz (&label("${p}1_loop"));
+- eval"&aes${p}last ($inout0,$rndkey1)";
+-}
++ &jnz (&label("${p}1_loop_$sn"));
++ eval"&aes${p}last ($inout,$rndkey1)";
++}}
+
+ sub aesni_generate1 # fully unrolled loop
+-{ my $p=shift;
++{ my ($p,$inout)=@_; $inout=$inout0 if (!defined($inout));
+
+ &function_begin_B("_aesni_${p}rypt1");
+- &$movekey ($rndkey0,&QWP(0,$key));
++ &movups ($rndkey0,&QWP(0,$key));
+ &$movekey ($rndkey1,&QWP(0x10,$key));
+- &cmp ($rounds,11);
+- &pxor ($inout0,$rndkey0);
++ &xorps ($inout,$rndkey0);
+ &$movekey ($rndkey0,&QWP(0x20,$key));
+ &lea ($key,&DWP(0x30,$key));
++ &cmp ($rounds,11);
+ &jb (&label("${p}128"));
+ &lea ($key,&DWP(0x20,$key));
+ &je (&label("${p}192"));
+ &lea ($key,&DWP(0x20,$key));
+- eval"&aes${p} ($inout0,$rndkey1)";
++ eval"&aes${p} ($inout,$rndkey1)";
+ &$movekey ($rndkey1,&QWP(-0x40,$key));
+- eval"&aes${p} ($inout0,$rndkey0)";
++ eval"&aes${p} ($inout,$rndkey0)";
+ &$movekey ($rndkey0,&QWP(-0x30,$key));
+ &set_label("${p}192");
+- eval"&aes${p} ($inout0,$rndkey1)";
++ eval"&aes${p} ($inout,$rndkey1)";
+ &$movekey ($rndkey1,&QWP(-0x20,$key));
+- eval"&aes${p} ($inout0,$rndkey0)";
++ eval"&aes${p} ($inout,$rndkey0)";
+ &$movekey ($rndkey0,&QWP(-0x10,$key));
+ &set_label("${p}128");
+- eval"&aes${p} ($inout0,$rndkey1)";
++ eval"&aes${p} ($inout,$rndkey1)";
+ &$movekey ($rndkey1,&QWP(0,$key));
+- eval"&aes${p} ($inout0,$rndkey0)";
++ eval"&aes${p} ($inout,$rndkey0)";
+ &$movekey ($rndkey0,&QWP(0x10,$key));
+- eval"&aes${p} ($inout0,$rndkey1)";
++ eval"&aes${p} ($inout,$rndkey1)";
+ &$movekey ($rndkey1,&QWP(0x20,$key));
+- eval"&aes${p} ($inout0,$rndkey0)";
++ eval"&aes${p} ($inout,$rndkey0)";
+ &$movekey ($rndkey0,&QWP(0x30,$key));
+- eval"&aes${p} ($inout0,$rndkey1)";
++ eval"&aes${p} ($inout,$rndkey1)";
+ &$movekey ($rndkey1,&QWP(0x40,$key));
+- eval"&aes${p} ($inout0,$rndkey0)";
++ eval"&aes${p} ($inout,$rndkey0)";
+ &$movekey ($rndkey0,&QWP(0x50,$key));
+- eval"&aes${p} ($inout0,$rndkey1)";
++ eval"&aes${p} ($inout,$rndkey1)";
+ &$movekey ($rndkey1,&QWP(0x60,$key));
+- eval"&aes${p} ($inout0,$rndkey0)";
++ eval"&aes${p} ($inout,$rndkey0)";
+ &$movekey ($rndkey0,&QWP(0x70,$key));
+- eval"&aes${p} ($inout0,$rndkey1)";
+- eval"&aes${p}last ($inout0,$rndkey0)";
++ eval"&aes${p} ($inout,$rndkey1)";
++ eval"&aes${p}last ($inout,$rndkey0)";
+ &ret();
+ &function_end_B("_aesni_${p}rypt1");
+ }
+-
++�
+ # void $PREFIX_encrypt (const void *inp,void *out,const AES_KEY *key);
+-# &aesni_generate1("dec");
++&aesni_generate1("enc") if (!$inline);
+ &function_begin_B("${PREFIX}_encrypt");
+ &mov ("eax",&wparam(0));
+ &mov ($key,&wparam(2));
+ &movups ($inout0,&QWP(0,"eax"));
+ &mov ($rounds,&DWP(240,$key));
+ &mov ("eax",&wparam(1));
+- &aesni_inline_generate1("enc"); # &call ("_aesni_encrypt1");
++ if ($inline)
++ { &aesni_inline_generate1("enc"); }
++ else
++ { &call ("_aesni_encrypt1"); }
+ &movups (&QWP(0,"eax"),$inout0);
+ &ret ();
+ &function_end_B("${PREFIX}_encrypt");
+
+ # void $PREFIX_decrypt (const void *inp,void *out,const AES_KEY *key);
+-# &aesni_generate1("dec");
++&aesni_generate1("dec") if(!$inline);
+ &function_begin_B("${PREFIX}_decrypt");
+ &mov ("eax",&wparam(0));
+ &mov ($key,&wparam(2));
+ &movups ($inout0,&QWP(0,"eax"));
+ &mov ($rounds,&DWP(240,$key));
+ &mov ("eax",&wparam(1));
+- &aesni_inline_generate1("dec"); # &call ("_aesni_decrypt1");
++ if ($inline)
++ { &aesni_inline_generate1("dec"); }
++ else
++ { &call ("_aesni_decrypt1"); }
+ &movups (&QWP(0,"eax"),$inout0);
+ &ret ();
+ &function_end_B("${PREFIX}_decrypt");
+-�
+-# _aesni_[en|de]crypt[34] are private interfaces, N denotes interleave
+-# factor. Why 3x subroutine is used in loops? Even though aes[enc|dec]
+-# latency is 6, it turned out that it can be scheduled only every
+-# *second* cycle. Thus 3x interleave is the one providing optimal
++
++# _aesni_[en|de]cryptN are private interfaces, N denotes interleave
++# factor. Why 3x subroutine were originally used in loops? Even though
++# aes[enc|dec] latency was originally 6, it could be scheduled only
++# every *2nd* cycle. Thus 3x interleave was the one providing optimal
+ # utilization, i.e. when subroutine's throughput is virtually same as
+ # of non-interleaved subroutine [for number of input blocks up to 3].
+-# This is why it makes no sense to implement 2x subroutine. As soon
+-# as/if Intel improves throughput by making it possible to schedule
+-# the instructions in question *every* cycles I would have to
+-# implement 6x interleave and use it in loop...
++# This is why it makes no sense to implement 2x subroutine.
++# aes[enc|dec] latency in next processor generation is 8, but the
++# instructions can be scheduled every cycle. Optimal interleave for
++# new processor is therefore 8x, but it's unfeasible to accommodate it
++# in XMM registers addreassable in 32-bit mode and therefore 6x is
++# used instead...
++
+ sub aesni_generate3
+ { my $p=shift;
+
+@@ -148,24 +206,24 @@ sub aesni_generate3
+ &shr ($rounds,1);
+ &$movekey ($rndkey1,&QWP(16,$key));
+ &lea ($key,&DWP(32,$key));
+- &pxor ($inout0,$rndkey0);
++ &xorps ($inout0,$rndkey0);
+ &pxor ($inout1,$rndkey0);
+ &pxor ($inout2,$rndkey0);
+- &jmp (&label("${p}3_loop"));
+- &set_label("${p}3_loop",16);
+- eval"&aes${p} ($inout0,$rndkey1)";
+ &$movekey ($rndkey0,&QWP(0,$key));
++
++ &set_label("${p}3_loop");
++ eval"&aes${p} ($inout0,$rndkey1)";
+ eval"&aes${p} ($inout1,$rndkey1)";
+ &dec ($rounds);
+ eval"&aes${p} ($inout2,$rndkey1)";
+ &$movekey ($rndkey1,&QWP(16,$key));
+ eval"&aes${p} ($inout0,$rndkey0)";
+- &lea ($key,&DWP(32,$key));
+ eval"&aes${p} ($inout1,$rndkey0)";
++ &lea ($key,&DWP(32,$key));
+ eval"&aes${p} ($inout2,$rndkey0)";
++ &$movekey ($rndkey0,&QWP(0,$key));
+ &jnz (&label("${p}3_loop"));
+ eval"&aes${p} ($inout0,$rndkey1)";
+- &$movekey ($rndkey0,&QWP(0,$key));
+ eval"&aes${p} ($inout1,$rndkey1)";
+ eval"&aes${p} ($inout2,$rndkey1)";
+ eval"&aes${p}last ($inout0,$rndkey0)";
+@@ -187,27 +245,28 @@ sub aesni_generate4
+ &$movekey ($rndkey1,&QWP(16,$key));
+ &shr ($rounds,1);
+ &lea ($key,&DWP(32,$key));
+- &pxor ($inout0,$rndkey0);
++ &xorps ($inout0,$rndkey0);
+ &pxor ($inout1,$rndkey0);
+ &pxor ($inout2,$rndkey0);
+ &pxor ($inout3,$rndkey0);
+- &jmp (&label("${p}3_loop"));
+- &set_label("${p}3_loop",16);
+- eval"&aes${p} ($inout0,$rndkey1)";
+ &$movekey ($rndkey0,&QWP(0,$key));
++
++ &set_label("${p}4_loop");
++ eval"&aes${p} ($inout0,$rndkey1)";
+ eval"&aes${p} ($inout1,$rndkey1)";
+ &dec ($rounds);
+ eval"&aes${p} ($inout2,$rndkey1)";
+ eval"&aes${p} ($inout3,$rndkey1)";
+ &$movekey ($rndkey1,&QWP(16,$key));
+ eval"&aes${p} ($inout0,$rndkey0)";
+- &lea ($key,&DWP(32,$key));
+ eval"&aes${p} ($inout1,$rndkey0)";
++ &lea ($key,&DWP(32,$key));
+ eval"&aes${p} ($inout2,$rndkey0)";
+ eval"&aes${p} ($inout3,$rndkey0)";
+- &jnz (&label("${p}3_loop"));
++ &$movekey ($rndkey0,&QWP(0,$key));
++ &jnz (&label("${p}4_loop"));
++
+ eval"&aes${p} ($inout0,$rndkey1)";
+- &$movekey ($rndkey0,&QWP(0,$key));
+ eval"&aes${p} ($inout1,$rndkey1)";
+ eval"&aes${p} ($inout2,$rndkey1)";
+ eval"&aes${p} ($inout3,$rndkey1)";
+@@ -218,12 +277,76 @@ sub aesni_generate4
+ &ret();
+ &function_end_B("_aesni_${p}rypt4");
+ }
++
++sub aesni_generate6
++{ my $p=shift;
++
++ &function_begin_B("_aesni_${p}rypt6");
++ &static_label("_aesni_${p}rypt6_enter");
++ &$movekey ($rndkey0,&QWP(0,$key));
++ &shr ($rounds,1);
++ &$movekey ($rndkey1,&QWP(16,$key));
++ &lea ($key,&DWP(32,$key));
++ &xorps ($inout0,$rndkey0);
++ &pxor ($inout1,$rndkey0); # pxor does better here
++ eval"&aes${p} ($inout0,$rndkey1)";
++ &pxor ($inout2,$rndkey0);
++ eval"&aes${p} ($inout1,$rndkey1)";
++ &pxor ($inout3,$rndkey0);
++ &dec ($rounds);
++ eval"&aes${p} ($inout2,$rndkey1)";
++ &pxor ($inout4,$rndkey0);
++ eval"&aes${p} ($inout3,$rndkey1)";
++ &pxor ($inout5,$rndkey0);
++ eval"&aes${p} ($inout4,$rndkey1)";
++ &$movekey ($rndkey0,&QWP(0,$key));
++ eval"&aes${p} ($inout5,$rndkey1)";
++ &jmp (&label("_aesni_${p}rypt6_enter"));
++
++ &set_label("${p}6_loop",16);
++ eval"&aes${p} ($inout0,$rndkey1)";
++ eval"&aes${p} ($inout1,$rndkey1)";
++ &dec ($rounds);
++ eval"&aes${p} ($inout2,$rndkey1)";
++ eval"&aes${p} ($inout3,$rndkey1)";
++ eval"&aes${p} ($inout4,$rndkey1)";
++ eval"&aes${p} ($inout5,$rndkey1)";
++ &set_label("_aesni_${p}rypt6_enter",16);
++ &$movekey ($rndkey1,&QWP(16,$key));
++ eval"&aes${p} ($inout0,$rndkey0)";
++ eval"&aes${p} ($inout1,$rndkey0)";
++ &lea ($key,&DWP(32,$key));
++ eval"&aes${p} ($inout2,$rndkey0)";
++ eval"&aes${p} ($inout3,$rndkey0)";
++ eval"&aes${p} ($inout4,$rndkey0)";
++ eval"&aes${p} ($inout5,$rndkey0)";
++ &$movekey ($rndkey0,&QWP(0,$key));
++ &jnz (&label("${p}6_loop"));
++
++ eval"&aes${p} ($inout0,$rndkey1)";
++ eval"&aes${p} ($inout1,$rndkey1)";
++ eval"&aes${p} ($inout2,$rndkey1)";
++ eval"&aes${p} ($inout3,$rndkey1)";
++ eval"&aes${p} ($inout4,$rndkey1)";
++ eval"&aes${p} ($inout5,$rndkey1)";
++ eval"&aes${p}last ($inout0,$rndkey0)";
++ eval"&aes${p}last ($inout1,$rndkey0)";
++ eval"&aes${p}last ($inout2,$rndkey0)";
++ eval"&aes${p}last ($inout3,$rndkey0)";
++ eval"&aes${p}last ($inout4,$rndkey0)";
++ eval"&aes${p}last ($inout5,$rndkey0)";
++ &ret();
++ &function_end_B("_aesni_${p}rypt6");
++}
+ &aesni_generate3("enc") if ($PREFIX eq "aesni");
+ &aesni_generate3("dec");
+ &aesni_generate4("enc") if ($PREFIX eq "aesni");
+ &aesni_generate4("dec");
+-
++&aesni_generate6("enc") if ($PREFIX eq "aesni");
++&aesni_generate6("dec");
++�
+ if ($PREFIX eq "aesni") {
++######################################################################
+ # void aesni_ecb_encrypt (const void *in, void *out,
+ # size_t length, const AES_KEY *key,
+ # int enc);
+@@ -232,62 +355,93 @@ if ($PREFIX eq "aesni") {
+ &mov ($out,&wparam(1));
+ &mov ($len,&wparam(2));
+ &mov ($key,&wparam(3));
+- &mov ($rounds,&wparam(4));
+- &cmp ($len,16);
+- &jb (&label("ecb_ret"));
++ &mov ($rounds_,&wparam(4));
+ &and ($len,-16);
+- &test ($rounds,$rounds)
++ &jz (&label("ecb_ret"));
+ &mov ($rounds,&DWP(240,$key));
++ &test ($rounds_,$rounds_);
++ &jz (&label("ecb_decrypt"));
++
+ &mov ($key_,$key); # backup $key
+ &mov ($rounds_,$rounds); # backup $rounds
+- &jz (&label("ecb_decrypt"));
++ &cmp ($len,0x60);
++ &jb (&label("ecb_enc_tail"));
+
+- &sub ($len,0x40);
+- &jbe (&label("ecb_enc_tail"));
+- &jmp (&label("ecb_enc_loop3"));
++ &movdqu ($inout0,&QWP(0,$inp));
++ &movdqu ($inout1,&QWP(0x10,$inp));
++ &movdqu ($inout2,&QWP(0x20,$inp));
++ &movdqu ($inout3,&QWP(0x30,$inp));
++ &movdqu ($inout4,&QWP(0x40,$inp));
++ &movdqu ($inout5,&QWP(0x50,$inp));
++ &lea ($inp,&DWP(0x60,$inp));
++ &sub ($len,0x60);
++ &jmp (&label("ecb_enc_loop6_enter"));
++
++&set_label("ecb_enc_loop6",16);
++ &movups (&QWP(0,$out),$inout0);
++ &movdqu ($inout0,&QWP(0,$inp));
++ &movups (&QWP(0x10,$out),$inout1);
++ &movdqu ($inout1,&QWP(0x10,$inp));
++ &movups (&QWP(0x20,$out),$inout2);
++ &movdqu ($inout2,&QWP(0x20,$inp));
++ &movups (&QWP(0x30,$out),$inout3);
++ &movdqu ($inout3,&QWP(0x30,$inp));
++ &movups (&QWP(0x40,$out),$inout4);
++ &movdqu ($inout4,&QWP(0x40,$inp));
++ &movups (&QWP(0x50,$out),$inout5);
++ &lea ($out,&DWP(0x60,$out));
++ &movdqu ($inout5,&QWP(0x50,$inp));
++ &lea ($inp,&DWP(0x60,$inp));
++&set_label("ecb_enc_loop6_enter");
++
++ &call ("_aesni_encrypt6");
+
+-&set_label("ecb_enc_loop3",16);
+- &movups ($inout0,&QWP(0,$inp));
+- &movups ($inout1,&QWP(0x10,$inp));
+- &movups ($inout2,&QWP(0x20,$inp));
+- &call ("_aesni_encrypt3");
+- &sub ($len,0x30);
+- &lea ($inp,&DWP(0x30,$inp));
+- &lea ($out,&DWP(0x30,$out));
+- &movups (&QWP(-0x30,$out),$inout0);
+ &mov ($key,$key_); # restore $key
+- &movups (&QWP(-0x20,$out),$inout1);
+ &mov ($rounds,$rounds_); # restore $rounds
+- &movups (&QWP(-0x10,$out),$inout2);
+- &ja (&label("ecb_enc_loop3"));
++ &sub ($len,0x60);
++ &jnc (&label("ecb_enc_loop6"));
+
+-&set_label("ecb_enc_tail");
+- &add ($len,0x40);
++ &movups (&QWP(0,$out),$inout0);
++ &movups (&QWP(0x10,$out),$inout1);
++ &movups (&QWP(0x20,$out),$inout2);
++ &movups (&QWP(0x30,$out),$inout3);
++ &movups (&QWP(0x40,$out),$inout4);
++ &movups (&QWP(0x50,$out),$inout5);
++ &lea ($out,&DWP(0x60,$out));
++ &add ($len,0x60);
+ &jz (&label("ecb_ret"));
+
+- &cmp ($len,0x10);
++&set_label("ecb_enc_tail");
+ &movups ($inout0,&QWP(0,$inp));
+- &je (&label("ecb_enc_one"));
+ &cmp ($len,0x20);
++ &jb (&label("ecb_enc_one"));
+ &movups ($inout1,&QWP(0x10,$inp));
+ &je (&label("ecb_enc_two"));
+- &cmp ($len,0x30);
+ &movups ($inout2,&QWP(0x20,$inp));
+- &je (&label("ecb_enc_three"));
++ &cmp ($len,0x40);
++ &jb (&label("ecb_enc_three"));
+ &movups ($inout3,&QWP(0x30,$inp));
+- &call ("_aesni_encrypt4");
++ &je (&label("ecb_enc_four"));
++ &movups ($inout4,&QWP(0x40,$inp));
++ &xorps ($inout5,$inout5);
++ &call ("_aesni_encrypt6");
+ &movups (&QWP(0,$out),$inout0);
+ &movups (&QWP(0x10,$out),$inout1);
+ &movups (&QWP(0x20,$out),$inout2);
+ &movups (&QWP(0x30,$out),$inout3);
++ &movups (&QWP(0x40,$out),$inout4);
+ jmp (&label("ecb_ret"));
+
+ &set_label("ecb_enc_one",16);
+- &aesni_inline_generate1("enc"); # &call ("_aesni_encrypt1");
++ if ($inline)
++ { &aesni_inline_generate1("enc"); }
++ else
++ { &call ("_aesni_encrypt1"); }
+ &movups (&QWP(0,$out),$inout0);
+ &jmp (&label("ecb_ret"));
+
+ &set_label("ecb_enc_two",16);
++ &xorps ($inout2,$inout2);
+ &call ("_aesni_encrypt3");
+ &movups (&QWP(0,$out),$inout0);
+ &movups (&QWP(0x10,$out),$inout1);
+@@ -300,53 +454,95 @@ if ($PREFIX eq "aesni") {
+ &movups (&QWP(0x20,$out),$inout2);
+ &jmp (&label("ecb_ret"));
+
++&set_label("ecb_enc_four",16);
++ &call ("_aesni_encrypt4");
++ &movups (&QWP(0,$out),$inout0);
++ &movups (&QWP(0x10,$out),$inout1);
++ &movups (&QWP(0x20,$out),$inout2);
++ &movups (&QWP(0x30,$out),$inout3);
++ &jmp (&label("ecb_ret"));
++######################################################################
+ &set_label("ecb_decrypt",16);
+- &sub ($len,0x40);
+- &jbe (&label("ecb_dec_tail"));
+- &jmp (&label("ecb_dec_loop3"));
++ &mov ($key_,$key); # backup $key
++ &mov ($rounds_,$rounds); # backup $rounds
++ &cmp ($len,0x60);
++ &jb (&label("ecb_dec_tail"));
++
++ &movdqu ($inout0,&QWP(0,$inp));
++ &movdqu ($inout1,&QWP(0x10,$inp));
++ &movdqu ($inout2,&QWP(0x20,$inp));
++ &movdqu ($inout3,&QWP(0x30,$inp));
++ &movdqu ($inout4,&QWP(0x40,$inp));
++ &movdqu ($inout5,&QWP(0x50,$inp));
++ &lea ($inp,&DWP(0x60,$inp));
++ &sub ($len,0x60);
++ &jmp (&label("ecb_dec_loop6_enter"));
++
++&set_label("ecb_dec_loop6",16);
++ &movups (&QWP(0,$out),$inout0);
++ &movdqu ($inout0,&QWP(0,$inp));
++ &movups (&QWP(0x10,$out),$inout1);
++ &movdqu ($inout1,&QWP(0x10,$inp));
++ &movups (&QWP(0x20,$out),$inout2);
++ &movdqu ($inout2,&QWP(0x20,$inp));
++ &movups (&QWP(0x30,$out),$inout3);
++ &movdqu ($inout3,&QWP(0x30,$inp));
++ &movups (&QWP(0x40,$out),$inout4);
++ &movdqu ($inout4,&QWP(0x40,$inp));
++ &movups (&QWP(0x50,$out),$inout5);
++ &lea ($out,&DWP(0x60,$out));
++ &movdqu ($inout5,&QWP(0x50,$inp));
++ &lea ($inp,&DWP(0x60,$inp));
++&set_label("ecb_dec_loop6_enter");
++
++ &call ("_aesni_decrypt6");
+
+-&set_label("ecb_dec_loop3",16);
+- &movups ($inout0,&QWP(0,$inp));
+- &movups ($inout1,&QWP(0x10,$inp));
+- &movups ($inout2,&QWP(0x20,$inp));
+- &call ("_aesni_decrypt3");
+- &sub ($len,0x30);
+- &lea ($inp,&DWP(0x30,$inp));
+- &lea ($out,&DWP(0x30,$out));
+- &movups (&QWP(-0x30,$out),$inout0);
+ &mov ($key,$key_); # restore $key
+- &movups (&QWP(-0x20,$out),$inout1);
+ &mov ($rounds,$rounds_); # restore $rounds
+- &movups (&QWP(-0x10,$out),$inout2);
+- &ja (&label("ecb_dec_loop3"));
++ &sub ($len,0x60);
++ &jnc (&label("ecb_dec_loop6"));
+
+-&set_label("ecb_dec_tail");
+- &add ($len,0x40);
++ &movups (&QWP(0,$out),$inout0);
++ &movups (&QWP(0x10,$out),$inout1);
++ &movups (&QWP(0x20,$out),$inout2);
++ &movups (&QWP(0x30,$out),$inout3);
++ &movups (&QWP(0x40,$out),$inout4);
++ &movups (&QWP(0x50,$out),$inout5);
++ &lea ($out,&DWP(0x60,$out));
++ &add ($len,0x60);
+ &jz (&label("ecb_ret"));
+
+- &cmp ($len,0x10);
++&set_label("ecb_dec_tail");
+ &movups ($inout0,&QWP(0,$inp));
+- &je (&label("ecb_dec_one"));
+ &cmp ($len,0x20);
++ &jb (&label("ecb_dec_one"));
+ &movups ($inout1,&QWP(0x10,$inp));
+ &je (&label("ecb_dec_two"));
+- &cmp ($len,0x30);
+ &movups ($inout2,&QWP(0x20,$inp));
+- &je (&label("ecb_dec_three"));
++ &cmp ($len,0x40);
++ &jb (&label("ecb_dec_three"));
+ &movups ($inout3,&QWP(0x30,$inp));
+- &call ("_aesni_decrypt4");
++ &je (&label("ecb_dec_four"));
++ &movups ($inout4,&QWP(0x40,$inp));
++ &xorps ($inout5,$inout5);
++ &call ("_aesni_decrypt6");
+ &movups (&QWP(0,$out),$inout0);
+ &movups (&QWP(0x10,$out),$inout1);
+ &movups (&QWP(0x20,$out),$inout2);
+ &movups (&QWP(0x30,$out),$inout3);
++ &movups (&QWP(0x40,$out),$inout4);
+ &jmp (&label("ecb_ret"));
+
+ &set_label("ecb_dec_one",16);
+- &aesni_inline_generate1("dec"); # &call ("_aesni_decrypt3");
++ if ($inline)
++ { &aesni_inline_generate1("dec"); }
++ else
++ { &call ("_aesni_decrypt1"); }
+ &movups (&QWP(0,$out),$inout0);
+ &jmp (&label("ecb_ret"));
+
+ &set_label("ecb_dec_two",16);
++ &xorps ($inout2,$inout2);
+ &call ("_aesni_decrypt3");
+ &movups (&QWP(0,$out),$inout0);
+ &movups (&QWP(0x10,$out),$inout1);
+@@ -357,28 +553,42 @@ if ($PREFIX eq "aesni") {
+ &movups (&QWP(0,$out),$inout0);
+ &movups (&QWP(0x10,$out),$inout1);
+ &movups (&QWP(0x20,$out),$inout2);
++ &jmp (&label("ecb_ret"));
++
++&set_label("ecb_dec_four",16);
++ &call ("_aesni_decrypt4");
++ &movups (&QWP(0,$out),$inout0);
++ &movups (&QWP(0x10,$out),$inout1);
++ &movups (&QWP(0x20,$out),$inout2);
++ &movups (&QWP(0x30,$out),$inout3);
+
+ &set_label("ecb_ret");
+ &function_end("aesni_ecb_encrypt");
+ }
+
++######################################################################
+ # void $PREFIX_cbc_encrypt (const void *inp, void *out,
+ # size_t length, const AES_KEY *key,
+ # unsigned char *ivp,const int enc);
+ &function_begin("${PREFIX}_cbc_encrypt");
+ &mov ($inp,&wparam(0));
++ &mov ($rounds_,"esp");
+ &mov ($out,&wparam(1));
++ &sub ($rounds_,24);
+ &mov ($len,&wparam(2));
++ &and ($rounds_,-16);
+ &mov ($key,&wparam(3));
+- &test ($len,$len);
+ &mov ($key_,&wparam(4));
+- &jz (&label("cbc_ret"));
++ &test ($len,$len);
++ &jz (&label("cbc_abort"));
+
+ &cmp (&wparam(5),0);
+- &movups ($ivec,&QWP(0,$key_)); # load IV
++ &xchg ($rounds_,"esp"); # alloca
++ &movups ($ivec,&QWP(0,$key_)); # load IV
+ &mov ($rounds,&DWP(240,$key));
+- &mov ($key_,$key); # backup $key
+- &mov ($rounds_,$rounds); # backup $rounds
++ &mov ($key_,$key); # backup $key
++ &mov (&DWP(16,"esp"),$rounds_); # save original %esp
++ &mov ($rounds_,$rounds); # backup $rounds
+ &je (&label("cbc_decrypt"));
+
+ &movaps ($inout0,$ivec);
+@@ -388,15 +598,17 @@ if ($PREFIX eq "aesni") {
+ &jmp (&label("cbc_enc_loop"));
+
+ &set_label("cbc_enc_loop",16);
+- &movups ($ivec,&QWP(0,$inp));
++ &movups ($ivec,&QWP(0,$inp)); # input actually
+ &lea ($inp,&DWP(16,$inp));
+- &pxor ($inout0,$ivec);
+- &aesni_inline_generate1("enc"); # &call ("_aesni_encrypt3");
+- &sub ($len,16);
+- &lea ($out,&DWP(16,$out));
++ if ($inline)
++ { &aesni_inline_generate1("enc",$inout0,$ivec); }
++ else
++ { &xorps($inout0,$ivec); &call("_aesni_encrypt1"); }
+ &mov ($rounds,$rounds_); # restore $rounds
+ &mov ($key,$key_); # restore $key
+- &movups (&QWP(-16,$out),$inout0);
++ &movups (&QWP(0,$out),$inout0); # store output
++ &lea ($out,&DWP(16,$out));
++ &sub ($len,16);
+ &jnc (&label("cbc_enc_loop"));
+ &add ($len,16);
+ &jnz (&label("cbc_enc_tail"));
+@@ -415,90 +627,151 @@ if ($PREFIX eq "aesni") {
+ &mov ($inp,$out); # $inp and $out are the same
+ &mov ($key,$key_); # restore $key
+ &jmp (&label("cbc_enc_loop"));
+-
++######################################################################
+ &set_label("cbc_decrypt",16);
+- &sub ($len,0x40);
++ &cmp ($len,0x50);
+ &jbe (&label("cbc_dec_tail"));
+- &jmp (&label("cbc_dec_loop3"));
++ &movaps (&QWP(0,"esp"),$ivec); # save IV
++ &sub ($len,0x50);
++ &jmp (&label("cbc_dec_loop6_enter"));
++
++&set_label("cbc_dec_loop6",16);
++ &movaps (&QWP(0,"esp"),$rndkey0); # save IV
++ &movups (&QWP(0,$out),$inout5);
++ &lea ($out,&DWP(0x10,$out));
++&set_label("cbc_dec_loop6_enter");
++ &movdqu ($inout0,&QWP(0,$inp));
++ &movdqu ($inout1,&QWP(0x10,$inp));
++ &movdqu ($inout2,&QWP(0x20,$inp));
++ &movdqu ($inout3,&QWP(0x30,$inp));
++ &movdqu ($inout4,&QWP(0x40,$inp));
++ &movdqu ($inout5,&QWP(0x50,$inp));
+
+-&set_label("cbc_dec_loop3",16);
+- &movups ($inout0,&QWP(0,$inp));
+- &movups ($inout1,&QWP(0x10,$inp));
+- &movups ($inout2,&QWP(0x20,$inp));
+- &movaps ($in0,$inout0);
+- &movaps ($in1,$inout1);
+- &call ("_aesni_decrypt3");
+- &sub ($len,0x30);
+- &lea ($inp,&DWP(0x30,$inp));
+- &lea ($out,&DWP(0x30,$out));
+- &pxor ($inout0,$ivec);
+- &pxor ($inout1,$in0);
+- &movups ($ivec,&QWP(-0x10,$inp));
+- &pxor ($inout2,$in1);
+- &movups (&QWP(-0x30,$out),$inout0);
+- &mov ($rounds,$rounds_) # restore $rounds
+- &movups (&QWP(-0x20,$out),$inout1);
+- &mov ($key,$key_); # restore $key
+- &movups (&QWP(-0x10,$out),$inout2);
+- &ja (&label("cbc_dec_loop3"));
++ &call ("_aesni_decrypt6");
+
++ &movups ($rndkey1,&QWP(0,$inp));
++ &movups ($rndkey0,&QWP(0x10,$inp));
++ &xorps ($inout0,&QWP(0,"esp")); # ^=IV
++ &xorps ($inout1,$rndkey1);
++ &movups ($rndkey1,&QWP(0x20,$inp));
++ &xorps ($inout2,$rndkey0);
++ &movups ($rndkey0,&QWP(0x30,$inp));
++ &xorps ($inout3,$rndkey1);
++ &movups ($rndkey1,&QWP(0x40,$inp));
++ &xorps ($inout4,$rndkey0);
++ &movups ($rndkey0,&QWP(0x50,$inp)); # IV
++ &xorps ($inout5,$rndkey1);
++ &movups (&QWP(0,$out),$inout0);
++ &movups (&QWP(0x10,$out),$inout1);
++ &lea ($inp,&DWP(0x60,$inp));
++ &movups (&QWP(0x20,$out),$inout2);
++ &mov ($rounds,$rounds_) # restore $rounds
++ &movups (&QWP(0x30,$out),$inout3);
++ &mov ($key,$key_); # restore $key
++ &movups (&QWP(0x40,$out),$inout4);
++ &lea ($out,&DWP(0x50,$out));
++ &sub ($len,0x60);
++ &ja (&label("cbc_dec_loop6"));
++
++ &movaps ($inout0,$inout5);
++ &movaps ($ivec,$rndkey0);
++ &add ($len,0x50);
++ &jle (&label("cbc_dec_tail_collected"));
++ &movups (&QWP(0,$out),$inout0);
++ &lea ($out,&DWP(0x10,$out));
+ &set_label("cbc_dec_tail");
+- &add ($len,0x40);
+- &jz (&label("cbc_ret"));
+-
+ &movups ($inout0,&QWP(0,$inp));
+- &cmp ($len,0x10);
+ &movaps ($in0,$inout0);
++ &cmp ($len,0x10);
+ &jbe (&label("cbc_dec_one"));
++
+ &movups ($inout1,&QWP(0x10,$inp));
+- &cmp ($len,0x20);
+ &movaps ($in1,$inout1);
++ &cmp ($len,0x20);
+ &jbe (&label("cbc_dec_two"));
++
+ &movups ($inout2,&QWP(0x20,$inp));
+ &cmp ($len,0x30);
+ &jbe (&label("cbc_dec_three"));
++
+ &movups ($inout3,&QWP(0x30,$inp));
+- &call ("_aesni_decrypt4");
++ &cmp ($len,0x40);
++ &jbe (&label("cbc_dec_four"));
++
++ &movups ($inout4,&QWP(0x40,$inp));
++ &movaps (&QWP(0,"esp"),$ivec); # save IV
++ &movups ($inout0,&QWP(0,$inp));
++ &xorps ($inout5,$inout5);
++ &call ("_aesni_decrypt6");
++ &movups ($rndkey1,&QWP(0,$inp));
+ &movups ($rndkey0,&QWP(0x10,$inp));
++ &xorps ($inout0,&QWP(0,"esp")); # ^= IV
++ &xorps ($inout1,$rndkey1);
+ &movups ($rndkey1,&QWP(0x20,$inp));
+- &pxor ($inout0,$ivec);
+- &pxor ($inout1,$in0);
+- &movups ($ivec,&QWP(0x30,$inp));
++ &xorps ($inout2,$rndkey0);
++ &movups ($rndkey0,&QWP(0x30,$inp));
++ &xorps ($inout3,$rndkey1);
++ &movups ($ivec,&QWP(0x40,$inp)); # IV
++ &xorps ($inout4,$rndkey0);
+ &movups (&QWP(0,$out),$inout0);
+- &pxor ($inout2,$rndkey0);
+- &pxor ($inout3,$rndkey1);
+ &movups (&QWP(0x10,$out),$inout1);
+ &movups (&QWP(0x20,$out),$inout2);
+- &movaps ($inout0,$inout3);
+- &lea ($out,&DWP(0x30,$out));
++ &movups (&QWP(0x30,$out),$inout3);
++ &lea ($out,&DWP(0x40,$out));
++ &movaps ($inout0,$inout4);
++ &sub ($len,0x50);
+ &jmp (&label("cbc_dec_tail_collected"));
+
+-&set_label("cbc_dec_one");
+- &aesni_inline_generate1("dec"); # &call ("_aesni_decrypt3");
+- &pxor ($inout0,$ivec);
++&set_label("cbc_dec_one",16);
++ if ($inline)
++ { &aesni_inline_generate1("dec"); }
++ else
++ { &call ("_aesni_decrypt1"); }
++ &xorps ($inout0,$ivec);
+ &movaps ($ivec,$in0);
++ &sub ($len,0x10);
+ &jmp (&label("cbc_dec_tail_collected"));
+
+-&set_label("cbc_dec_two");
++&set_label("cbc_dec_two",16);
++ &xorps ($inout2,$inout2);
+ &call ("_aesni_decrypt3");
+- &pxor ($inout0,$ivec);
+- &pxor ($inout1,$in0);
++ &xorps ($inout0,$ivec);
++ &xorps ($inout1,$in0);
+ &movups (&QWP(0,$out),$inout0);
+ &movaps ($inout0,$inout1);
+- &movaps ($ivec,$in1);
+ &lea ($out,&DWP(0x10,$out));
++ &movaps ($ivec,$in1);
++ &sub ($len,0x20);
+ &jmp (&label("cbc_dec_tail_collected"));
+
+-&set_label("cbc_dec_three");
++&set_label("cbc_dec_three",16);
+ &call ("_aesni_decrypt3");
+- &pxor ($inout0,$ivec);
+- &pxor ($inout1,$in0);
+- &pxor ($inout2,$in1);
++ &xorps ($inout0,$ivec);
++ &xorps ($inout1,$in0);
++ &xorps ($inout2,$in1);
+ &movups (&QWP(0,$out),$inout0);
+- &movups (&QWP(0x10,$out),$inout1);
+ &movaps ($inout0,$inout2);
+- &movups ($ivec,&QWP(0x20,$inp));
++ &movups (&QWP(0x10,$out),$inout1);
+ &lea ($out,&DWP(0x20,$out));
++ &movups ($ivec,&QWP(0x20,$inp));
++ &sub ($len,0x30);
++ &jmp (&label("cbc_dec_tail_collected"));
++
++&set_label("cbc_dec_four",16);
++ &call ("_aesni_decrypt4");
++ &movups ($rndkey1,&QWP(0x10,$inp));
++ &movups ($rndkey0,&QWP(0x20,$inp));
++ &xorps ($inout0,$ivec);
++ &movups ($ivec,&QWP(0x30,$inp));
++ &xorps ($inout1,$in0);
++ &movups (&QWP(0,$out),$inout0);
++ &xorps ($inout2,$rndkey1);
++ &movups (&QWP(0x10,$out),$inout1);
++ &xorps ($inout3,$rndkey0);
++ &movups (&QWP(0x20,$out),$inout2);
++ &lea ($out,&DWP(0x30,$out));
++ &movaps ($inout0,$inout3);
++ &sub ($len,0x40);
+
+ &set_label("cbc_dec_tail_collected");
+ &and ($len,15);
+@@ -506,21 +779,21 @@ if ($PREFIX eq "aesni") {
+ &movups (&QWP(0,$out),$inout0);
+ &jmp (&label("cbc_ret"));
+
+-&set_label("cbc_dec_tail_partial");
+- &mov ($key_,"esp");
+- &sub ("esp",16);
+- &and ("esp",-16);
++&set_label("cbc_dec_tail_partial",16);
+ &movaps (&QWP(0,"esp"),$inout0);
++ &mov ("ecx",16);
+ &mov ($inp,"esp");
+- &mov ("ecx",$len);
++ &sub ("ecx",$len);
+ &data_word(0xA4F3F689); # rep movsb
+- &mov ("esp",$key_);
+
+ &set_label("cbc_ret");
++ &mov ("esp",&DWP(16,"esp")); # pull original %esp
+ &mov ($key_,&wparam(4));
+ &movups (&QWP(0,$key_),$ivec); # output IV
++&set_label("cbc_abort");
+ &function_end("${PREFIX}_cbc_encrypt");
+-
++�
++######################################################################
+ # Mechanical port from aesni-x86_64.pl.
+ #
+ # _aesni_set_encrypt_key is private interface,
+@@ -539,7 +812,7 @@ if ($PREFIX eq "aesni") {
+ &jz (&label("bad_pointer"));
+
+ &movups ("xmm0",&QWP(0,"eax")); # pull first 128 bits of *userKey
+- &pxor ("xmm4","xmm4"); # low dword of xmm4 is assumed 0
++ &xorps ("xmm4","xmm4"); # low dword of xmm4 is assumed 0
+ &lea ($key,&DWP(16,$key));
+ &cmp ($rounds,256);
+ &je (&label("14rounds"));
+@@ -581,11 +854,11 @@ if ($PREFIX eq "aesni") {
+ &lea ($key,&DWP(16,$key));
+ &set_label("key_128_cold");
+ &shufps ("xmm4","xmm0",0b00010000);
+- &pxor ("xmm0","xmm4");
+- &shufps ("xmm4","xmm0",0b10001100,);
+- &pxor ("xmm0","xmm4");
+- &pshufd ("xmm1","xmm1",0b11111111); # critical path
+- &pxor ("xmm0","xmm1");
++ &xorps ("xmm0","xmm4");
++ &shufps ("xmm4","xmm0",0b10001100);
++ &xorps ("xmm0","xmm4");
++ &shufps ("xmm1","xmm1",0b11111111); # critical path
++ &xorps ("xmm0","xmm1");
+ &ret();
+
+ &set_label("12rounds",16);
+@@ -620,11 +893,11 @@ if ($PREFIX eq "aesni") {
+ &movaps ("xmm5","xmm2");
+ &set_label("key_192b_warm");
+ &shufps ("xmm4","xmm0",0b00010000);
+- &movaps ("xmm3","xmm2");
+- &pxor ("xmm0","xmm4");
++ &movdqa ("xmm3","xmm2");
++ &xorps ("xmm0","xmm4");
+ &shufps ("xmm4","xmm0",0b10001100);
+ &pslldq ("xmm3",4);
+- &pxor ("xmm0","xmm4");
++ &xorps ("xmm0","xmm4");
+ &pshufd ("xmm1","xmm1",0b01010101); # critical path
+ &pxor ("xmm2","xmm3");
+ &pxor ("xmm0","xmm1");
+@@ -683,11 +956,11 @@ if ($PREFIX eq "aesni") {
+ &lea ($key,&DWP(16,$key));
+ &set_label("key_256a_cold");
+ &shufps ("xmm4","xmm0",0b00010000);
+- &pxor ("xmm0","xmm4");
++ &xorps ("xmm0","xmm4");
+ &shufps ("xmm4","xmm0",0b10001100);
+- &pxor ("xmm0","xmm4");
+- &pshufd ("xmm1","xmm1",0b11111111); # critical path
+- &pxor ("xmm0","xmm1");
++ &xorps ("xmm0","xmm4");
++ &shufps ("xmm1","xmm1",0b11111111); # critical path
++ &xorps ("xmm0","xmm1");
+ &ret();
+
+ &set_label("key_256b",16);
+@@ -695,11 +968,11 @@ if ($PREFIX eq "aesni") {
+ &lea ($key,&DWP(16,$key));
+
+ &shufps ("xmm4","xmm2",0b00010000);
+- &pxor ("xmm2","xmm4");
++ &xorps ("xmm2","xmm4");
+ &shufps ("xmm4","xmm2",0b10001100);
+- &pxor ("xmm2","xmm4");
+- &pshufd ("xmm1","xmm1",0b10101010); # critical path
+- &pxor ("xmm2","xmm1");
++ &xorps ("xmm2","xmm4");
++ &shufps ("xmm1","xmm1",0b10101010); # critical path
++ &xorps ("xmm2","xmm1");
+ &ret();
+
+ &set_label("bad_pointer",4);
+@@ -747,9 +1020,9 @@ if ($PREFIX eq "aesni") {
+ &aesimc ("xmm1","xmm1");
+ &lea ($key,&DWP(16,$key));
+ &lea ("eax",&DWP(-16,"eax"));
+- &cmp ("eax",$key);
+ &$movekey (&QWP(16,"eax"),"xmm0");
+ &$movekey (&QWP(-16,$key),"xmm1");
++ &cmp ("eax",$key);
+ &ja (&label("dec_key_inverse"));
+
+ &$movekey ("xmm0",&QWP(0,$key)); # inverse middle
+diff -up openssl-1.0.0d/crypto/aes/asm/aesni-x86_64.pl.intelopts openssl-1.0.0d/crypto/aes/asm/aesni-x86_64.pl
+--- openssl-1.0.0d/crypto/aes/asm/aesni-x86_64.pl.intelopts 2011-08-24 12:50:55.000000000 +0200
++++ openssl-1.0.0d/crypto/aes/asm/aesni-x86_64.pl 2011-08-24 12:50:56.000000000 +0200
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ #
+ # ====================================================================
+ # Written by Andy Polyakov <appro at fy.chalmers.se> for the OpenSSL
+@@ -11,6 +11,145 @@
+ # OpenSSL context it's used with Intel engine, but can also be used as
+ # drop-in replacement for crypto/aes/asm/aes-x86_64.pl [see below for
+ # details].
++#
++# Performance.
++#
++# Given aes(enc|dec) instructions' latency asymptotic performance for
++# non-parallelizable modes such as CBC encrypt is 3.75 cycles per byte
++# processed with 128-bit key. And given their throughput asymptotic
++# performance for parallelizable modes is 1.25 cycles per byte. Being
++# asymptotic limit it's not something you commonly achieve in reality,
++# but how close does one get? Below are results collected for
++# different modes and block sized. Pairs of numbers are for en-/
++# decryption.
++#
++# 16-byte 64-byte 256-byte 1-KB 8-KB
++# ECB 4.25/4.25 1.38/1.38 1.28/1.28 1.26/1.26 1.26/1.26
++# CTR 5.42/5.42 1.92/1.92 1.44/1.44 1.28/1.28 1.26/1.26
++# CBC 4.38/4.43 4.15/1.43 4.07/1.32 4.07/1.29 4.06/1.28
++# CCM 5.66/9.42 4.42/5.41 4.16/4.40 4.09/4.15 4.06/4.07
++# OFB 5.42/5.42 4.64/4.64 4.44/4.44 4.39/4.39 4.38/4.38
++# CFB 5.73/5.85 5.56/5.62 5.48/5.56 5.47/5.55 5.47/5.55
++#
++# ECB, CTR, CBC and CCM results are free from EVP overhead. This means
++# that otherwise used 'openssl speed -evp aes-128-??? -engine aesni
++# [-decrypt]' will exhibit 10-15% worse results for smaller blocks.
++# The results were collected with specially crafted speed.c benchmark
++# in order to compare them with results reported in "Intel Advanced
++# Encryption Standard (AES) New Instruction Set" White Paper Revision
++# 3.0 dated May 2010. All above results are consistently better. This
++# module also provides better performance for block sizes smaller than
++# 128 bytes in points *not* represented in the above table.
++#
++# Looking at the results for 8-KB buffer.
++#
++# CFB and OFB results are far from the limit, because implementation
++# uses "generic" CRYPTO_[c|o]fb128_encrypt interfaces relying on
++# single-block aesni_encrypt, which is not the most optimal way to go.
++# CBC encrypt result is unexpectedly high and there is no documented
++# explanation for it. Seemingly there is a small penalty for feeding
++# the result back to AES unit the way it's done in CBC mode. There is
++# nothing one can do and the result appears optimal. CCM result is
++# identical to CBC, because CBC-MAC is essentially CBC encrypt without
++# saving output. CCM CTR "stays invisible," because it's neatly
++# interleaved wih CBC-MAC. This provides ~30% improvement over
++# "straghtforward" CCM implementation with CTR and CBC-MAC performed
++# disjointly. Parallelizable modes practically achieve the theoretical
++# limit.
++#
++# Looking at how results vary with buffer size.
++#
++# Curves are practically saturated at 1-KB buffer size. In most cases
++# "256-byte" performance is >95%, and "64-byte" is ~90% of "8-KB" one.
++# CTR curve doesn't follow this pattern and is "slowest" changing one
++# with "256-byte" result being 87% of "8-KB." This is because overhead
++# in CTR mode is most computationally intensive. Small-block CCM
++# decrypt is slower than encrypt, because first CTR and last CBC-MAC
++# iterations can't be interleaved.
++#
++# Results for 192- and 256-bit keys.
++#
++# EVP-free results were observed to scale perfectly with number of
++# rounds for larger block sizes, i.e. 192-bit result being 10/12 times
++# lower and 256-bit one - 10/14. Well, in CBC encrypt case differences
++# are a tad smaller, because the above mentioned penalty biases all
++# results by same constant value. In similar way function call
++# overhead affects small-block performance, as well as OFB and CFB
++# results. Differences are not large, most common coefficients are
++# 10/11.7 and 10/13.4 (as opposite to 10/12.0 and 10/14.0), but one
++# observe even 10/11.2 and 10/12.4 (CTR, OFB, CFB)...
++
++# January 2011
++#
++# While Westmere processor features 6 cycles latency for aes[enc|dec]
++# instructions, which can be scheduled every second cycle, Sandy
++# Bridge spends 8 cycles per instruction, but it can schedule them
++# every cycle. This means that code targeting Westmere would perform
++# suboptimally on Sandy Bridge. Therefore this update.
++#
++# In addition, non-parallelizable CBC encrypt (as well as CCM) is
++# optimized. Relative improvement might appear modest, 8% on Westmere,
++# but in absolute terms it's 3.77 cycles per byte encrypted with
++# 128-bit key on Westmere, and 5.07 - on Sandy Bridge. These numbers
++# should be compared to asymptotic limits of 3.75 for Westmere and
++# 5.00 for Sandy Bridge. Actually, the fact that they get this close
++# to asymptotic limits is quite amazing. Indeed, the limit is
++# calculated as latency times number of rounds, 10 for 128-bit key,
++# and divided by 16, the number of bytes in block, or in other words
++# it accounts *solely* for aesenc instructions. But there are extra
++# instructions, and numbers so close to the asymptotic limits mean
++# that it's as if it takes as little as *one* additional cycle to
++# execute all of them. How is it possible? It is possible thanks to
++# out-of-order execution logic, which manages to overlap post-
++# processing of previous block, things like saving the output, with
++# actual encryption of current block, as well as pre-processing of
++# current block, things like fetching input and xor-ing it with
++# 0-round element of the key schedule, with actual encryption of
++# previous block. Keep this in mind...
++#
++# For parallelizable modes, such as ECB, CBC decrypt, CTR, higher
++# performance is achieved by interleaving instructions working on
++# independent blocks. In which case asymptotic limit for such modes
++# can be obtained by dividing above mentioned numbers by AES
++# instructions' interleave factor. Westmere can execute at most 3
++# instructions at a time, meaning that optimal interleave factor is 3,
++# and that's where the "magic" number of 1.25 come from. "Optimal
++# interleave factor" means that increase of interleave factor does
++# not improve performance. The formula has proven to reflect reality
++# pretty well on Westmere... Sandy Bridge on the other hand can
++# execute up to 8 AES instructions at a time, so how does varying
++# interleave factor affect the performance? Here is table for ECB
++# (numbers are cycles per byte processed with 128-bit key):
++#
++# instruction interleave factor 3x 6x 8x
++# theoretical asymptotic limit 1.67 0.83 0.625
++# measured performance for 8KB block 1.05 0.86 0.84
++#
++# "as if" interleave factor 4.7x 5.8x 6.0x
++#
++# Further data for other parallelizable modes:
++#
++# CBC decrypt 1.16 0.93 0.93
++# CTR 1.14 0.91 n/a
++#
++# Well, given 3x column it's probably inappropriate to call the limit
++# asymptotic, if it can be surpassed, isn't it? What happens there?
++# Rewind to CBC paragraph for the answer. Yes, out-of-order execution
++# magic is responsible for this. Processor overlaps not only the
++# additional instructions with AES ones, but even AES instuctions
++# processing adjacent triplets of independent blocks. In the 6x case
++# additional instructions still claim disproportionally small amount
++# of additional cycles, but in 8x case number of instructions must be
++# a tad too high for out-of-order logic to cope with, and AES unit
++# remains underutilized... As you can see 8x interleave is hardly
++# justifiable, so there no need to feel bad that 32-bit aesni-x86.pl
++# utilizies 6x interleave because of limited register bank capacity.
++#
++# Higher interleave factors do have negative impact on Westmere
++# performance. While for ECB mode it's negligible ~1.5%, other
++# parallelizables perform ~5% worse, which is outweighed by ~25%
++# improvement on Sandy Bridge. To balance regression on Westmere
++# CTR mode was implemented with 6x aesenc interleave factor.
+
+ $PREFIX="aesni"; # if $PREFIX is set to "AES", the script
+ # generates drop-in replacement for
+@@ -29,7 +168,7 @@ die "can't locate x86_64-xlate.pl";
+
+ open STDOUT,"| $^X $xlate $flavour $output";
+
+-$movkey = $PREFIX eq "aesni" ? "movaps" : "movups";
++$movkey = $PREFIX eq "aesni" ? "movups" : "movups";
+ @_4args=$win64? ("%rcx","%rdx","%r8", "%r9") : # Win64 order
+ ("%rdi","%rsi","%rdx","%rcx"); # Unix order
+
+@@ -41,18 +180,20 @@ $inp="%rdi";
+ $out="%rsi";
+ $len="%rdx";
+ $key="%rcx"; # input to and changed by aesni_[en|de]cryptN !!!
+-$ivp="%r8"; # cbc
++$ivp="%r8"; # cbc, ctr, ...
+
+ $rnds_="%r10d"; # backup copy for $rounds
+ $key_="%r11"; # backup copy for $key
+
+ # %xmm register layout
+-$inout0="%xmm0"; $inout1="%xmm1";
+-$inout2="%xmm2"; $inout3="%xmm3";
+-$rndkey0="%xmm4"; $rndkey1="%xmm5";
++$rndkey0="%xmm0"; $rndkey1="%xmm1";
++$inout0="%xmm2"; $inout1="%xmm3";
++$inout2="%xmm4"; $inout3="%xmm5";
++$inout4="%xmm6"; $inout5="%xmm7";
++$inout6="%xmm8"; $inout7="%xmm9";
+
+-$iv="%xmm6"; $in0="%xmm7"; # used in CBC decrypt
+-$in1="%xmm8"; $in2="%xmm9";
++$in2="%xmm6"; $in1="%xmm7"; # used in CBC decrypt, CTR, ...
++$in0="%xmm8"; $iv="%xmm9";
+ �
+ # Inline version of internal aesni_[en|de]crypt1.
+ #
+@@ -60,20 +201,29 @@ $in1="%xmm8"; $in2="%xmm9";
+ # cycles which take care of loop variables...
+ { my $sn;
+ sub aesni_generate1 {
+-my ($p,$key,$rounds)=@_;
++my ($p,$key,$rounds,$inout,$ivec)=@_; $inout=$inout0 if (!defined($inout));
+ ++$sn;
+ $code.=<<___;
+ $movkey ($key),$rndkey0
+ $movkey 16($key),$rndkey1
++___
++$code.=<<___ if (defined($ivec));
++ xorps $rndkey0,$ivec
+ lea 32($key),$key
+- pxor $rndkey0,$inout0
++ xorps $ivec,$inout
++___
++$code.=<<___ if (!defined($ivec));
++ lea 32($key),$key
++ xorps $rndkey0,$inout
++___
++$code.=<<___;
+ .Loop_${p}1_$sn:
+- aes${p} $rndkey1,$inout0
++ aes${p} $rndkey1,$inout
+ dec $rounds
+ $movkey ($key),$rndkey1
+ lea 16($key),$key
+ jnz .Loop_${p}1_$sn # loop body is 16 bytes
+- aes${p}last $rndkey1,$inout0
++ aes${p}last $rndkey1,$inout
+ ___
+ }}
+ # void $PREFIX_[en|de]crypt (const void *inp,void *out,const AES_KEY *key);
+@@ -86,7 +236,7 @@ $code.=<<___;
+ .align 16
+ ${PREFIX}_encrypt:
+ movups ($inp),$inout0 # load input
+- mov 240($key),$rounds # pull $rounds
++ mov 240($key),$rounds # key->rounds
+ ___
+ &aesni_generate1("enc",$key,$rounds);
+ $code.=<<___;
+@@ -99,7 +249,7 @@ $code.=<<___;
+ .align 16
+ ${PREFIX}_decrypt:
+ movups ($inp),$inout0 # load input
+- mov 240($key),$rounds # pull $rounds
++ mov 240($key),$rounds # key->rounds
+ ___
+ &aesni_generate1("dec",$key,$rounds);
+ $code.=<<___;
+@@ -109,16 +259,16 @@ $code.=<<___;
+ ___
+ }
+ �
+-# _aesni_[en|de]crypt[34] are private interfaces, N denotes interleave
+-# factor. Why 3x subroutine is used in loops? Even though aes[enc|dec]
+-# latency is 6, it turned out that it can be scheduled only every
+-# *second* cycle. Thus 3x interleave is the one providing optimal
++# _aesni_[en|de]cryptN are private interfaces, N denotes interleave
++# factor. Why 3x subroutine were originally used in loops? Even though
++# aes[enc|dec] latency was originally 6, it could be scheduled only
++# every *2nd* cycle. Thus 3x interleave was the one providing optimal
+ # utilization, i.e. when subroutine's throughput is virtually same as
+ # of non-interleaved subroutine [for number of input blocks up to 3].
+-# This is why it makes no sense to implement 2x subroutine. As soon
+-# as/if Intel improves throughput by making it possible to schedule
+-# the instructions in question *every* cycles I would have to
+-# implement 6x interleave and use it in loop...
++# This is why it makes no sense to implement 2x subroutine.
++# aes[enc|dec] latency in next processor generation is 8, but the
++# instructions can be scheduled every cycle. Optimal interleave for
++# new processor is therefore 8x...
+ sub aesni_generate3 {
+ my $dir=shift;
+ # As already mentioned it takes in $key and $rounds, which are *not*
+@@ -131,25 +281,25 @@ _aesni_${dir}rypt3:
+ shr \$1,$rounds
+ $movkey 16($key),$rndkey1
+ lea 32($key),$key
+- pxor $rndkey0,$inout0
+- pxor $rndkey0,$inout1
+- pxor $rndkey0,$inout2
++ xorps $rndkey0,$inout0
++ xorps $rndkey0,$inout1
++ xorps $rndkey0,$inout2
++ $movkey ($key),$rndkey0
+
+ .L${dir}_loop3:
+ aes${dir} $rndkey1,$inout0
+- $movkey ($key),$rndkey0
+ aes${dir} $rndkey1,$inout1
+ dec $rounds
+ aes${dir} $rndkey1,$inout2
+- aes${dir} $rndkey0,$inout0
+ $movkey 16($key),$rndkey1
++ aes${dir} $rndkey0,$inout0
+ aes${dir} $rndkey0,$inout1
+ lea 32($key),$key
+ aes${dir} $rndkey0,$inout2
++ $movkey ($key),$rndkey0
+ jnz .L${dir}_loop3
+
+ aes${dir} $rndkey1,$inout0
+- $movkey ($key),$rndkey0
+ aes${dir} $rndkey1,$inout1
+ aes${dir} $rndkey1,$inout2
+ aes${dir}last $rndkey0,$inout0
+@@ -175,28 +325,28 @@ _aesni_${dir}rypt4:
+ shr \$1,$rounds
+ $movkey 16($key),$rndkey1
+ lea 32($key),$key
+- pxor $rndkey0,$inout0
+- pxor $rndkey0,$inout1
+- pxor $rndkey0,$inout2
+- pxor $rndkey0,$inout3
++ xorps $rndkey0,$inout0
++ xorps $rndkey0,$inout1
++ xorps $rndkey0,$inout2
++ xorps $rndkey0,$inout3
++ $movkey ($key),$rndkey0
+
+ .L${dir}_loop4:
+ aes${dir} $rndkey1,$inout0
+- $movkey ($key),$rndkey0
+ aes${dir} $rndkey1,$inout1
+ dec $rounds
+ aes${dir} $rndkey1,$inout2
+ aes${dir} $rndkey1,$inout3
+- aes${dir} $rndkey0,$inout0
+ $movkey 16($key),$rndkey1
++ aes${dir} $rndkey0,$inout0
+ aes${dir} $rndkey0,$inout1
+ lea 32($key),$key
+ aes${dir} $rndkey0,$inout2
+ aes${dir} $rndkey0,$inout3
++ $movkey ($key),$rndkey0
+ jnz .L${dir}_loop4
+
+ aes${dir} $rndkey1,$inout0
+- $movkey ($key),$rndkey0
+ aes${dir} $rndkey1,$inout1
+ aes${dir} $rndkey1,$inout2
+ aes${dir} $rndkey1,$inout3
+@@ -208,12 +358,158 @@ _aesni_${dir}rypt4:
+ .size _aesni_${dir}rypt4,.-_aesni_${dir}rypt4
+ ___
+ }
++sub aesni_generate6 {
++my $dir=shift;
++# As already mentioned it takes in $key and $rounds, which are *not*
++# preserved. $inout[0-5] is cipher/clear text...
++$code.=<<___;
++.type _aesni_${dir}rypt6,\@abi-omnipotent
++.align 16
++_aesni_${dir}rypt6:
++ $movkey ($key),$rndkey0
++ shr \$1,$rounds
++ $movkey 16($key),$rndkey1
++ lea 32($key),$key
++ xorps $rndkey0,$inout0
++ pxor $rndkey0,$inout1
++ aes${dir} $rndkey1,$inout0
++ pxor $rndkey0,$inout2
++ aes${dir} $rndkey1,$inout1
++ pxor $rndkey0,$inout3
++ aes${dir} $rndkey1,$inout2
++ pxor $rndkey0,$inout4
++ aes${dir} $rndkey1,$inout3
++ pxor $rndkey0,$inout5
++ dec $rounds
++ aes${dir} $rndkey1,$inout4
++ $movkey ($key),$rndkey0
++ aes${dir} $rndkey1,$inout5
++ jmp .L${dir}_loop6_enter
++.align 16
++.L${dir}_loop6:
++ aes${dir} $rndkey1,$inout0
++ aes${dir} $rndkey1,$inout1
++ dec $rounds
++ aes${dir} $rndkey1,$inout2
++ aes${dir} $rndkey1,$inout3
++ aes${dir} $rndkey1,$inout4
++ aes${dir} $rndkey1,$inout5
++.L${dir}_loop6_enter: # happens to be 16-byte aligned
++ $movkey 16($key),$rndkey1
++ aes${dir} $rndkey0,$inout0
++ aes${dir} $rndkey0,$inout1
++ lea 32($key),$key
++ aes${dir} $rndkey0,$inout2
++ aes${dir} $rndkey0,$inout3
++ aes${dir} $rndkey0,$inout4
++ aes${dir} $rndkey0,$inout5
++ $movkey ($key),$rndkey0
++ jnz .L${dir}_loop6
++
++ aes${dir} $rndkey1,$inout0
++ aes${dir} $rndkey1,$inout1
++ aes${dir} $rndkey1,$inout2
++ aes${dir} $rndkey1,$inout3
++ aes${dir} $rndkey1,$inout4
++ aes${dir} $rndkey1,$inout5
++ aes${dir}last $rndkey0,$inout0
++ aes${dir}last $rndkey0,$inout1
++ aes${dir}last $rndkey0,$inout2
++ aes${dir}last $rndkey0,$inout3
++ aes${dir}last $rndkey0,$inout4
++ aes${dir}last $rndkey0,$inout5
++ ret
++.size _aesni_${dir}rypt6,.-_aesni_${dir}rypt6
++___
++}
++sub aesni_generate8 {
++my $dir=shift;
++# As already mentioned it takes in $key and $rounds, which are *not*
++# preserved. $inout[0-7] is cipher/clear text...
++$code.=<<___;
++.type _aesni_${dir}rypt8,\@abi-omnipotent
++.align 16
++_aesni_${dir}rypt8:
++ $movkey ($key),$rndkey0
++ shr \$1,$rounds
++ $movkey 16($key),$rndkey1
++ lea 32($key),$key
++ xorps $rndkey0,$inout0
++ xorps $rndkey0,$inout1
++ aes${dir} $rndkey1,$inout0
++ pxor $rndkey0,$inout2
++ aes${dir} $rndkey1,$inout1
++ pxor $rndkey0,$inout3
++ aes${dir} $rndkey1,$inout2
++ pxor $rndkey0,$inout4
++ aes${dir} $rndkey1,$inout3
++ pxor $rndkey0,$inout5
++ dec $rounds
++ aes${dir} $rndkey1,$inout4
++ pxor $rndkey0,$inout6
++ aes${dir} $rndkey1,$inout5
++ pxor $rndkey0,$inout7
++ $movkey ($key),$rndkey0
++ aes${dir} $rndkey1,$inout6
++ aes${dir} $rndkey1,$inout7
++ $movkey 16($key),$rndkey1
++ jmp .L${dir}_loop8_enter
++.align 16
++.L${dir}_loop8:
++ aes${dir} $rndkey1,$inout0
++ aes${dir} $rndkey1,$inout1
++ dec $rounds
++ aes${dir} $rndkey1,$inout2
++ aes${dir} $rndkey1,$inout3
++ aes${dir} $rndkey1,$inout4
++ aes${dir} $rndkey1,$inout5
++ aes${dir} $rndkey1,$inout6
++ aes${dir} $rndkey1,$inout7
++ $movkey 16($key),$rndkey1
++.L${dir}_loop8_enter: # happens to be 16-byte aligned
++ aes${dir} $rndkey0,$inout0
++ aes${dir} $rndkey0,$inout1
++ lea 32($key),$key
++ aes${dir} $rndkey0,$inout2
++ aes${dir} $rndkey0,$inout3
++ aes${dir} $rndkey0,$inout4
++ aes${dir} $rndkey0,$inout5
++ aes${dir} $rndkey0,$inout6
++ aes${dir} $rndkey0,$inout7
++ $movkey ($key),$rndkey0
++ jnz .L${dir}_loop8
++
++ aes${dir} $rndkey1,$inout0
++ aes${dir} $rndkey1,$inout1
++ aes${dir} $rndkey1,$inout2
++ aes${dir} $rndkey1,$inout3
++ aes${dir} $rndkey1,$inout4
++ aes${dir} $rndkey1,$inout5
++ aes${dir} $rndkey1,$inout6
++ aes${dir} $rndkey1,$inout7
++ aes${dir}last $rndkey0,$inout0
++ aes${dir}last $rndkey0,$inout1
++ aes${dir}last $rndkey0,$inout2
++ aes${dir}last $rndkey0,$inout3
++ aes${dir}last $rndkey0,$inout4
++ aes${dir}last $rndkey0,$inout5
++ aes${dir}last $rndkey0,$inout6
++ aes${dir}last $rndkey0,$inout7
++ ret
++.size _aesni_${dir}rypt8,.-_aesni_${dir}rypt8
++___
++}
+ &aesni_generate3("enc") if ($PREFIX eq "aesni");
+ &aesni_generate3("dec");
+ &aesni_generate4("enc") if ($PREFIX eq "aesni");
+ &aesni_generate4("dec");
++&aesni_generate6("enc") if ($PREFIX eq "aesni");
++&aesni_generate6("dec");
++&aesni_generate8("enc") if ($PREFIX eq "aesni");
++&aesni_generate8("dec");
+ �
+ if ($PREFIX eq "aesni") {
++########################################################################
+ # void aesni_ecb_encrypt (const void *in, void *out,
+ # size_t length, const AES_KEY *key,
+ # int enc);
+@@ -222,54 +518,98 @@ $code.=<<___;
+ .type aesni_ecb_encrypt,\@function,5
+ .align 16
+ aesni_ecb_encrypt:
+- cmp \$16,$len # check length
+- jb .Lecb_ret
+-
+- mov 240($key),$rounds # pull $rounds
+ and \$-16,$len
++ jz .Lecb_ret
++
++ mov 240($key),$rounds # key->rounds
++ $movkey ($key),$rndkey0
+ mov $key,$key_ # backup $key
+- test %r8d,%r8d # 5th argument
+ mov $rounds,$rnds_ # backup $rounds
++ test %r8d,%r8d # 5th argument
+ jz .Lecb_decrypt
+ #--------------------------- ECB ENCRYPT ------------------------------#
+- sub \$0x40,$len
+- jbe .Lecb_enc_tail
+- jmp .Lecb_enc_loop3
++ cmp \$0x80,$len
++ jb .Lecb_enc_tail
++
++ movdqu ($inp),$inout0
++ movdqu 0x10($inp),$inout1
++ movdqu 0x20($inp),$inout2
++ movdqu 0x30($inp),$inout3
++ movdqu 0x40($inp),$inout4
++ movdqu 0x50($inp),$inout5
++ movdqu 0x60($inp),$inout6
++ movdqu 0x70($inp),$inout7
++ lea 0x80($inp),$inp
++ sub \$0x80,$len
++ jmp .Lecb_enc_loop8_enter
+ .align 16
+-.Lecb_enc_loop3:
+- movups ($inp),$inout0
+- movups 0x10($inp),$inout1
+- movups 0x20($inp),$inout2
+- call _aesni_encrypt3
+- sub \$0x30,$len
+- lea 0x30($inp),$inp
+- lea 0x30($out),$out
+- movups $inout0,-0x30($out)
+- mov $rnds_,$rounds # restore $rounds
+- movups $inout1,-0x20($out)
++.Lecb_enc_loop8:
++ movups $inout0,($out)
+ mov $key_,$key # restore $key
+- movups $inout2,-0x10($out)
+- ja .Lecb_enc_loop3
++ movdqu ($inp),$inout0
++ mov $rnds_,$rounds # restore $rounds
++ movups $inout1,0x10($out)
++ movdqu 0x10($inp),$inout1
++ movups $inout2,0x20($out)
++ movdqu 0x20($inp),$inout2
++ movups $inout3,0x30($out)
++ movdqu 0x30($inp),$inout3
++ movups $inout4,0x40($out)
++ movdqu 0x40($inp),$inout4
++ movups $inout5,0x50($out)
++ movdqu 0x50($inp),$inout5
++ movups $inout6,0x60($out)
++ movdqu 0x60($inp),$inout6
++ movups $inout7,0x70($out)
++ lea 0x80($out),$out
++ movdqu 0x70($inp),$inout7
++ lea 0x80($inp),$inp
++.Lecb_enc_loop8_enter:
+
+-.Lecb_enc_tail:
+- add \$0x40,$len
++ call _aesni_encrypt8
++
++ sub \$0x80,$len
++ jnc .Lecb_enc_loop8
++
++ movups $inout0,($out)
++ mov $key_,$key # restore $key
++ movups $inout1,0x10($out)
++ mov $rnds_,$rounds # restore $rounds
++ movups $inout2,0x20($out)
++ movups $inout3,0x30($out)
++ movups $inout4,0x40($out)
++ movups $inout5,0x50($out)
++ movups $inout6,0x60($out)
++ movups $inout7,0x70($out)
++ lea 0x80($out),$out
++ add \$0x80,$len
+ jz .Lecb_ret
+
+- cmp \$0x10,$len
++.Lecb_enc_tail:
+ movups ($inp),$inout0
+- je .Lecb_enc_one
+ cmp \$0x20,$len
++ jb .Lecb_enc_one
+ movups 0x10($inp),$inout1
+ je .Lecb_enc_two
+- cmp \$0x30,$len
+ movups 0x20($inp),$inout2
+- je .Lecb_enc_three
++ cmp \$0x40,$len
++ jb .Lecb_enc_three
+ movups 0x30($inp),$inout3
+- call _aesni_encrypt4
++ je .Lecb_enc_four
++ movups 0x40($inp),$inout4
++ cmp \$0x60,$len
++ jb .Lecb_enc_five
++ movups 0x50($inp),$inout5
++ je .Lecb_enc_six
++ movdqu 0x60($inp),$inout6
++ call _aesni_encrypt8
+ movups $inout0,($out)
+ movups $inout1,0x10($out)
+ movups $inout2,0x20($out)
+ movups $inout3,0x30($out)
++ movups $inout4,0x40($out)
++ movups $inout5,0x50($out)
++ movups $inout6,0x60($out)
+ jmp .Lecb_ret
+ .align 16
+ .Lecb_enc_one:
+@@ -280,6 +620,7 @@ $code.=<<___;
+ jmp .Lecb_ret
+ .align 16
+ .Lecb_enc_two:
++ xorps $inout2,$inout2
+ call _aesni_encrypt3
+ movups $inout0,($out)
+ movups $inout1,0x10($out)
+@@ -291,47 +632,121 @@ $code.=<<___;
+ movups $inout1,0x10($out)
+ movups $inout2,0x20($out)
+ jmp .Lecb_ret
++.align 16
++.Lecb_enc_four:
++ call _aesni_encrypt4
++ movups $inout0,($out)
++ movups $inout1,0x10($out)
++ movups $inout2,0x20($out)
++ movups $inout3,0x30($out)
++ jmp .Lecb_ret
++.align 16
++.Lecb_enc_five:
++ xorps $inout5,$inout5
++ call _aesni_encrypt6
++ movups $inout0,($out)
++ movups $inout1,0x10($out)
++ movups $inout2,0x20($out)
++ movups $inout3,0x30($out)
++ movups $inout4,0x40($out)
++ jmp .Lecb_ret
++.align 16
++.Lecb_enc_six:
++ call _aesni_encrypt6
++ movups $inout0,($out)
++ movups $inout1,0x10($out)
++ movups $inout2,0x20($out)
++ movups $inout3,0x30($out)
++ movups $inout4,0x40($out)
++ movups $inout5,0x50($out)
++ jmp .Lecb_ret
+ �#--------------------------- ECB DECRYPT ------------------------------#
+ .align 16
+ .Lecb_decrypt:
+- sub \$0x40,$len
+- jbe .Lecb_dec_tail
+- jmp .Lecb_dec_loop3
++ cmp \$0x80,$len
++ jb .Lecb_dec_tail
++
++ movdqu ($inp),$inout0
++ movdqu 0x10($inp),$inout1
++ movdqu 0x20($inp),$inout2
++ movdqu 0x30($inp),$inout3
++ movdqu 0x40($inp),$inout4
++ movdqu 0x50($inp),$inout5
++ movdqu 0x60($inp),$inout6
++ movdqu 0x70($inp),$inout7
++ lea 0x80($inp),$inp
++ sub \$0x80,$len
++ jmp .Lecb_dec_loop8_enter
+ .align 16
+-.Lecb_dec_loop3:
+- movups ($inp),$inout0
+- movups 0x10($inp),$inout1
+- movups 0x20($inp),$inout2
+- call _aesni_decrypt3
+- sub \$0x30,$len
+- lea 0x30($inp),$inp
+- lea 0x30($out),$out
+- movups $inout0,-0x30($out)
+- mov $rnds_,$rounds # restore $rounds
+- movups $inout1,-0x20($out)
++.Lecb_dec_loop8:
++ movups $inout0,($out)
+ mov $key_,$key # restore $key
+- movups $inout2,-0x10($out)
+- ja .Lecb_dec_loop3
++ movdqu ($inp),$inout0
++ mov $rnds_,$rounds # restore $rounds
++ movups $inout1,0x10($out)
++ movdqu 0x10($inp),$inout1
++ movups $inout2,0x20($out)
++ movdqu 0x20($inp),$inout2
++ movups $inout3,0x30($out)
++ movdqu 0x30($inp),$inout3
++ movups $inout4,0x40($out)
++ movdqu 0x40($inp),$inout4
++ movups $inout5,0x50($out)
++ movdqu 0x50($inp),$inout5
++ movups $inout6,0x60($out)
++ movdqu 0x60($inp),$inout6
++ movups $inout7,0x70($out)
++ lea 0x80($out),$out
++ movdqu 0x70($inp),$inout7
++ lea 0x80($inp),$inp
++.Lecb_dec_loop8_enter:
++
++ call _aesni_decrypt8
++
++ $movkey ($key_),$rndkey0
++ sub \$0x80,$len
++ jnc .Lecb_dec_loop8
+
+-.Lecb_dec_tail:
+- add \$0x40,$len
++ movups $inout0,($out)
++ mov $key_,$key # restore $key
++ movups $inout1,0x10($out)
++ mov $rnds_,$rounds # restore $rounds
++ movups $inout2,0x20($out)
++ movups $inout3,0x30($out)
++ movups $inout4,0x40($out)
++ movups $inout5,0x50($out)
++ movups $inout6,0x60($out)
++ movups $inout7,0x70($out)
++ lea 0x80($out),$out
++ add \$0x80,$len
+ jz .Lecb_ret
+
+- cmp \$0x10,$len
++.Lecb_dec_tail:
+ movups ($inp),$inout0
+- je .Lecb_dec_one
+ cmp \$0x20,$len
++ jb .Lecb_dec_one
+ movups 0x10($inp),$inout1
+ je .Lecb_dec_two
+- cmp \$0x30,$len
+ movups 0x20($inp),$inout2
+- je .Lecb_dec_three
++ cmp \$0x40,$len
++ jb .Lecb_dec_three
+ movups 0x30($inp),$inout3
+- call _aesni_decrypt4
++ je .Lecb_dec_four
++ movups 0x40($inp),$inout4
++ cmp \$0x60,$len
++ jb .Lecb_dec_five
++ movups 0x50($inp),$inout5
++ je .Lecb_dec_six
++ movups 0x60($inp),$inout6
++ $movkey ($key),$rndkey0
++ call _aesni_decrypt8
+ movups $inout0,($out)
+ movups $inout1,0x10($out)
+ movups $inout2,0x20($out)
+ movups $inout3,0x30($out)
++ movups $inout4,0x40($out)
++ movups $inout5,0x50($out)
++ movups $inout6,0x60($out)
+ jmp .Lecb_ret
+ .align 16
+ .Lecb_dec_one:
+@@ -342,6 +757,7 @@ $code.=<<___;
+ jmp .Lecb_ret
+ .align 16
+ .Lecb_dec_two:
++ xorps $inout2,$inout2
+ call _aesni_decrypt3
+ movups $inout0,($out)
+ movups $inout1,0x10($out)
+@@ -352,6 +768,34 @@ $code.=<<___;
+ movups $inout0,($out)
+ movups $inout1,0x10($out)
+ movups $inout2,0x20($out)
++ jmp .Lecb_ret
++.align 16
++.Lecb_dec_four:
++ call _aesni_decrypt4
++ movups $inout0,($out)
++ movups $inout1,0x10($out)
++ movups $inout2,0x20($out)
++ movups $inout3,0x30($out)
++ jmp .Lecb_ret
++.align 16
++.Lecb_dec_five:
++ xorps $inout5,$inout5
++ call _aesni_decrypt6
++ movups $inout0,($out)
++ movups $inout1,0x10($out)
++ movups $inout2,0x20($out)
++ movups $inout3,0x30($out)
++ movups $inout4,0x40($out)
++ jmp .Lecb_ret
++.align 16
++.Lecb_dec_six:
++ call _aesni_decrypt6
++ movups $inout0,($out)
++ movups $inout1,0x10($out)
++ movups $inout2,0x20($out)
++ movups $inout3,0x30($out)
++ movups $inout4,0x40($out)
++ movups $inout5,0x50($out)
+
+ .Lecb_ret:
+ ret
+@@ -362,7 +806,8 @@ ___
+ # void $PREFIX_cbc_encrypt (const void *inp, void *out,
+ # size_t length, const AES_KEY *key,
+ # unsigned char *ivp,const int enc);
+-$reserved = $win64?0x40:-0x18; # used in decrypt
++{
++my $reserved = $win64?0x40:-0x18; # used in decrypt
+ $code.=<<___;
+ .globl ${PREFIX}_cbc_encrypt
+ .type ${PREFIX}_cbc_encrypt,\@function,6
+@@ -371,30 +816,30 @@ ${PREFIX}_cbc_encrypt:
+ test $len,$len # check length
+ jz .Lcbc_ret
+
+- mov 240($key),$rnds_ # pull $rounds
++ mov 240($key),$rnds_ # key->rounds
+ mov $key,$key_ # backup $key
+ test %r9d,%r9d # 6th argument
+ jz .Lcbc_decrypt
+ #--------------------------- CBC ENCRYPT ------------------------------#
+ movups ($ivp),$inout0 # load iv as initial state
+- cmp \$16,$len
+ mov $rnds_,$rounds
++ cmp \$16,$len
+ jb .Lcbc_enc_tail
+ sub \$16,$len
+ jmp .Lcbc_enc_loop
+-.align 16
++.align 16
+ .Lcbc_enc_loop:
+ movups ($inp),$inout1 # load input
+ lea 16($inp),$inp
+- pxor $inout1,$inout0
++ #xorps $inout1,$inout0
+ ___
+- &aesni_generate1("enc",$key,$rounds);
++ &aesni_generate1("enc",$key,$rounds,$inout0,$inout1);
+ $code.=<<___;
+- sub \$16,$len
+- lea 16($out),$out
+ mov $rnds_,$rounds # restore $rounds
+ mov $key_,$key # restore $key
+- movups $inout0,-16($out) # store output
++ movups $inout0,0($out) # store output
++ lea 16($out),$out
++ sub \$16,$len
+ jnc .Lcbc_enc_loop
+ add \$16,$len
+ jnz .Lcbc_enc_tail
+@@ -429,92 +874,238 @@ $code.=<<___ if ($win64);
+ ___
+ $code.=<<___;
+ movups ($ivp),$iv
+- sub \$0x40,$len
+ mov $rnds_,$rounds
++ cmp \$0x70,$len
+ jbe .Lcbc_dec_tail
+- jmp .Lcbc_dec_loop3
+-.align 16
+-.Lcbc_dec_loop3:
+- movups ($inp),$inout0
++ shr \$1,$rnds_
++ sub \$0x70,$len
++ mov $rnds_,$rounds
++ movaps $iv,$reserved(%rsp)
++ jmp .Lcbc_dec_loop8_enter
++.align 16
++.Lcbc_dec_loop8:
++ movaps $rndkey0,$reserved(%rsp) # save IV
++ movups $inout7,($out)
++ lea 0x10($out),$out
++.Lcbc_dec_loop8_enter:
++ $movkey ($key),$rndkey0
++ movups ($inp),$inout0 # load input
+ movups 0x10($inp),$inout1
+- movups 0x20($inp),$inout2
+- movaps $inout0,$in0
+- movaps $inout1,$in1
+- movaps $inout2,$in2
+- call _aesni_decrypt3
+- sub \$0x30,$len
+- lea 0x30($inp),$inp
+- lea 0x30($out),$out
+- pxor $iv,$inout0
+- pxor $in0,$inout1
+- movaps $in2,$iv
+- pxor $in1,$inout2
+- movups $inout0,-0x30($out)
+- mov $rnds_,$rounds # restore $rounds
+- movups $inout1,-0x20($out)
+- mov $key_,$key # restore $key
+- movups $inout2,-0x10($out)
+- ja .Lcbc_dec_loop3
++ $movkey 16($key),$rndkey1
+
+-.Lcbc_dec_tail:
+- add \$0x40,$len
+- movups $iv,($ivp)
+- jz .Lcbc_dec_ret
++ lea 32($key),$key
++ movdqu 0x20($inp),$inout2
++ xorps $rndkey0,$inout0
++ movdqu 0x30($inp),$inout3
++ xorps $rndkey0,$inout1
++ movdqu 0x40($inp),$inout4
++ aesdec $rndkey1,$inout0
++ pxor $rndkey0,$inout2
++ movdqu 0x50($inp),$inout5
++ aesdec $rndkey1,$inout1
++ pxor $rndkey0,$inout3
++ movdqu 0x60($inp),$inout6
++ aesdec $rndkey1,$inout2
++ pxor $rndkey0,$inout4
++ movdqu 0x70($inp),$inout7
++ aesdec $rndkey1,$inout3
++ pxor $rndkey0,$inout5
++ dec $rounds
++ aesdec $rndkey1,$inout4
++ pxor $rndkey0,$inout6
++ aesdec $rndkey1,$inout5
++ pxor $rndkey0,$inout7
++ $movkey ($key),$rndkey0
++ aesdec $rndkey1,$inout6
++ aesdec $rndkey1,$inout7
++ $movkey 16($key),$rndkey1
++
++ call .Ldec_loop8_enter
+
++ movups ($inp),$rndkey1 # re-load input
++ movups 0x10($inp),$rndkey0
++ xorps $reserved(%rsp),$inout0 # ^= IV
++ xorps $rndkey1,$inout1
++ movups 0x20($inp),$rndkey1
++ xorps $rndkey0,$inout2
++ movups 0x30($inp),$rndkey0
++ xorps $rndkey1,$inout3
++ movups 0x40($inp),$rndkey1
++ xorps $rndkey0,$inout4
++ movups 0x50($inp),$rndkey0
++ xorps $rndkey1,$inout5
++ movups 0x60($inp),$rndkey1
++ xorps $rndkey0,$inout6
++ movups 0x70($inp),$rndkey0 # IV
++ xorps $rndkey1,$inout7
++ movups $inout0,($out)
++ movups $inout1,0x10($out)
++ movups $inout2,0x20($out)
++ movups $inout3,0x30($out)
++ mov $rnds_,$rounds # restore $rounds
++ movups $inout4,0x40($out)
++ mov $key_,$key # restore $key
++ movups $inout5,0x50($out)
++ lea 0x80($inp),$inp
++ movups $inout6,0x60($out)
++ lea 0x70($out),$out
++ sub \$0x80,$len
++ ja .Lcbc_dec_loop8
++
++ movaps $inout7,$inout0
++ movaps $rndkey0,$iv
++ add \$0x70,$len
++ jle .Lcbc_dec_tail_collected
++ movups $inout0,($out)
++ lea 1($rnds_,$rnds_),$rounds
++ lea 0x10($out),$out
++.Lcbc_dec_tail:
+ movups ($inp),$inout0
+- cmp \$0x10,$len
+ movaps $inout0,$in0
++ cmp \$0x10,$len
+ jbe .Lcbc_dec_one
++
+ movups 0x10($inp),$inout1
+- cmp \$0x20,$len
+ movaps $inout1,$in1
++ cmp \$0x20,$len
+ jbe .Lcbc_dec_two
++
+ movups 0x20($inp),$inout2
+- cmp \$0x30,$len
+ movaps $inout2,$in2
++ cmp \$0x30,$len
+ jbe .Lcbc_dec_three
++
+ movups 0x30($inp),$inout3
+- call _aesni_decrypt4
+- pxor $iv,$inout0
+- movups 0x30($inp),$iv
+- pxor $in0,$inout1
++ cmp \$0x40,$len
++ jbe .Lcbc_dec_four
++
++ movups 0x40($inp),$inout4
++ cmp \$0x50,$len
++ jbe .Lcbc_dec_five
++
++ movups 0x50($inp),$inout5
++ cmp \$0x60,$len
++ jbe .Lcbc_dec_six
++
++ movups 0x60($inp),$inout6
++ movaps $iv,$reserved(%rsp) # save IV
++ call _aesni_decrypt8
++ movups ($inp),$rndkey1
++ movups 0x10($inp),$rndkey0
++ xorps $reserved(%rsp),$inout0 # ^= IV
++ xorps $rndkey1,$inout1
++ movups 0x20($inp),$rndkey1
++ xorps $rndkey0,$inout2
++ movups 0x30($inp),$rndkey0
++ xorps $rndkey1,$inout3
++ movups 0x40($inp),$rndkey1
++ xorps $rndkey0,$inout4
++ movups 0x50($inp),$rndkey0
++ xorps $rndkey1,$inout5
++ movups 0x60($inp),$iv # IV
++ xorps $rndkey0,$inout6
+ movups $inout0,($out)
+- pxor $in1,$inout2
+ movups $inout1,0x10($out)
+- pxor $in2,$inout3
+ movups $inout2,0x20($out)
+- movaps $inout3,$inout0
+- lea 0x30($out),$out
++ movups $inout3,0x30($out)
++ movups $inout4,0x40($out)
++ movups $inout5,0x50($out)
++ lea 0x60($out),$out
++ movaps $inout6,$inout0
++ sub \$0x70,$len
+ jmp .Lcbc_dec_tail_collected
+ .align 16
+ .Lcbc_dec_one:
+ ___
+ &aesni_generate1("dec",$key,$rounds);
+ $code.=<<___;
+- pxor $iv,$inout0
++ xorps $iv,$inout0
+ movaps $in0,$iv
++ sub \$0x10,$len
+ jmp .Lcbc_dec_tail_collected
+ .align 16
+ .Lcbc_dec_two:
++ xorps $inout2,$inout2
+ call _aesni_decrypt3
+- pxor $iv,$inout0
+- pxor $in0,$inout1
++ xorps $iv,$inout0
++ xorps $in0,$inout1
+ movups $inout0,($out)
+ movaps $in1,$iv
+ movaps $inout1,$inout0
+ lea 0x10($out),$out
++ sub \$0x20,$len
+ jmp .Lcbc_dec_tail_collected
+ .align 16
+ .Lcbc_dec_three:
+ call _aesni_decrypt3
+- pxor $iv,$inout0
+- pxor $in0,$inout1
++ xorps $iv,$inout0
++ xorps $in0,$inout1
+ movups $inout0,($out)
+- pxor $in1,$inout2
++ xorps $in1,$inout2
+ movups $inout1,0x10($out)
+ movaps $in2,$iv
+ movaps $inout2,$inout0
+ lea 0x20($out),$out
++ sub \$0x30,$len
++ jmp .Lcbc_dec_tail_collected
++.align 16
++.Lcbc_dec_four:
++ call _aesni_decrypt4
++ xorps $iv,$inout0
++ movups 0x30($inp),$iv
++ xorps $in0,$inout1
++ movups $inout0,($out)
++ xorps $in1,$inout2
++ movups $inout1,0x10($out)
++ xorps $in2,$inout3
++ movups $inout2,0x20($out)
++ movaps $inout3,$inout0
++ lea 0x30($out),$out
++ sub \$0x40,$len
++ jmp .Lcbc_dec_tail_collected
++.align 16
++.Lcbc_dec_five:
++ xorps $inout5,$inout5
++ call _aesni_decrypt6
++ movups 0x10($inp),$rndkey1
++ movups 0x20($inp),$rndkey0
++ xorps $iv,$inout0
++ xorps $in0,$inout1
++ xorps $rndkey1,$inout2
++ movups 0x30($inp),$rndkey1
++ xorps $rndkey0,$inout3
++ movups 0x40($inp),$iv
++ xorps $rndkey1,$inout4
++ movups $inout0,($out)
++ movups $inout1,0x10($out)
++ movups $inout2,0x20($out)
++ movups $inout3,0x30($out)
++ lea 0x40($out),$out
++ movaps $inout4,$inout0
++ sub \$0x50,$len
++ jmp .Lcbc_dec_tail_collected
++.align 16
++.Lcbc_dec_six:
++ call _aesni_decrypt6
++ movups 0x10($inp),$rndkey1
++ movups 0x20($inp),$rndkey0
++ xorps $iv,$inout0
++ xorps $in0,$inout1
++ xorps $rndkey1,$inout2
++ movups 0x30($inp),$rndkey1
++ xorps $rndkey0,$inout3
++ movups 0x40($inp),$rndkey0
++ xorps $rndkey1,$inout4
++ movups 0x50($inp),$iv
++ xorps $rndkey0,$inout5
++ movups $inout0,($out)
++ movups $inout1,0x10($out)
++ movups $inout2,0x20($out)
++ movups $inout3,0x30($out)
++ movups $inout4,0x40($out)
++ lea 0x50($out),$out
++ movaps $inout5,$inout0
++ sub \$0x60,$len
+ jmp .Lcbc_dec_tail_collected
+ .align 16
+ .Lcbc_dec_tail_collected:
+@@ -523,10 +1114,12 @@ $code.=<<___;
+ jnz .Lcbc_dec_tail_partial
+ movups $inout0,($out)
+ jmp .Lcbc_dec_ret
++.align 16
+ .Lcbc_dec_tail_partial:
+ movaps $inout0,$reserved(%rsp)
++ mov \$16,%rcx
+ mov $out,%rdi
+- mov $len,%rcx
++ sub $len,%rcx
+ lea $reserved(%rsp),%rsi
+ .long 0x9066A4F3 # rep movsb
+
+@@ -544,7 +1137,7 @@ $code.=<<___;
+ ret
+ .size ${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt
+ ___
+-�
++} �
+ # int $PREFIX_set_[en|de]crypt_key (const unsigned char *userKey,
+ # int bits, AES_KEY *key)
+ { my ($inp,$bits,$key) = @_4args;
+@@ -556,7 +1149,7 @@ $code.=<<___;
+ .align 16
+ ${PREFIX}_set_decrypt_key:
+ .byte 0x48,0x83,0xEC,0x08 # sub rsp,8
+- call _aesni_set_encrypt_key
++ call __aesni_set_encrypt_key
+ shl \$4,$bits # rounds-1 after _aesni_set_encrypt_key
+ test %eax,%eax
+ jnz .Ldec_key_ret
+@@ -576,9 +1169,9 @@ ${PREFIX}_set_decrypt_key:
+ aesimc %xmm1,%xmm1
+ lea 16($key),$key
+ lea -16($inp),$inp
+- cmp $key,$inp
+ $movkey %xmm0,16($inp)
+ $movkey %xmm1,-16($key)
++ cmp $key,$inp
+ ja .Ldec_key_inverse
+
+ $movkey ($key),%xmm0 # inverse middle
+@@ -605,16 +1198,16 @@ $code.=<<___;
+ .type ${PREFIX}_set_encrypt_key,\@abi-omnipotent
+ .align 16
+ ${PREFIX}_set_encrypt_key:
+-_aesni_set_encrypt_key:
++__aesni_set_encrypt_key:
+ .byte 0x48,0x83,0xEC,0x08 # sub rsp,8
+- test $inp,$inp
+ mov \$-1,%rax
++ test $inp,$inp
+ jz .Lenc_key_ret
+ test $key,$key
+ jz .Lenc_key_ret
+
+ movups ($inp),%xmm0 # pull first 128 bits of *userKey
+- pxor %xmm4,%xmm4 # low dword of xmm4 is assumed 0
++ xorps %xmm4,%xmm4 # low dword of xmm4 is assumed 0
+ lea 16($key),%rax
+ cmp \$256,$bits
+ je .L14rounds
+@@ -729,11 +1322,11 @@ _aesni_set_encrypt_key:
+ lea 16(%rax),%rax
+ .Lkey_expansion_128_cold:
+ shufps \$0b00010000,%xmm0,%xmm4
+- pxor %xmm4, %xmm0
++ xorps %xmm4, %xmm0
+ shufps \$0b10001100,%xmm0,%xmm4
+- pxor %xmm4, %xmm0
+- pshufd \$0b11111111,%xmm1,%xmm1 # critical path
+- pxor %xmm1,%xmm0
++ xorps %xmm4, %xmm0
++ shufps \$0b11111111,%xmm1,%xmm1 # critical path
++ xorps %xmm1,%xmm0
+ ret
+
+ .align 16
+@@ -744,11 +1337,11 @@ _aesni_set_encrypt_key:
+ movaps %xmm2, %xmm5
+ .Lkey_expansion_192b_warm:
+ shufps \$0b00010000,%xmm0,%xmm4
+- movaps %xmm2,%xmm3
+- pxor %xmm4,%xmm0
++ movdqa %xmm2,%xmm3
++ xorps %xmm4,%xmm0
+ shufps \$0b10001100,%xmm0,%xmm4
+ pslldq \$4,%xmm3
+- pxor %xmm4,%xmm0
++ xorps %xmm4,%xmm0
+ pshufd \$0b01010101,%xmm1,%xmm1 # critical path
+ pxor %xmm3,%xmm2
+ pxor %xmm1,%xmm0
+@@ -772,11 +1365,11 @@ _aesni_set_encrypt_key:
+ lea 16(%rax),%rax
+ .Lkey_expansion_256a_cold:
+ shufps \$0b00010000,%xmm0,%xmm4
+- pxor %xmm4,%xmm0
++ xorps %xmm4,%xmm0
+ shufps \$0b10001100,%xmm0,%xmm4
+- pxor %xmm4,%xmm0
+- pshufd \$0b11111111,%xmm1,%xmm1 # critical path
+- pxor %xmm1,%xmm0
++ xorps %xmm4,%xmm0
++ shufps \$0b11111111,%xmm1,%xmm1 # critical path
++ xorps %xmm1,%xmm0
+ ret
+
+ .align 16
+@@ -785,17 +1378,28 @@ _aesni_set_encrypt_key:
+ lea 16(%rax),%rax
+
+ shufps \$0b00010000,%xmm2,%xmm4
+- pxor %xmm4,%xmm2
++ xorps %xmm4,%xmm2
+ shufps \$0b10001100,%xmm2,%xmm4
+- pxor %xmm4,%xmm2
+- pshufd \$0b10101010,%xmm1,%xmm1 # critical path
+- pxor %xmm1,%xmm2
++ xorps %xmm4,%xmm2
++ shufps \$0b10101010,%xmm1,%xmm1 # critical path
++ xorps %xmm1,%xmm2
+ ret
+ .size ${PREFIX}_set_encrypt_key,.-${PREFIX}_set_encrypt_key
++.size __aesni_set_encrypt_key,.-__aesni_set_encrypt_key
+ ___
+ }
+ �
+ $code.=<<___;
++.align 64
++.Lbswap_mask:
++ .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0
++.Lincrement32:
++ .long 6,6,6,0
++.Lincrement64:
++ .long 1,0,0,0
++.Lxts_magic:
++ .long 0x87,0,1,0
++
+ .asciz "AES for Intel AES-NI, CRYPTOGAMS by <appro\@openssl.org>"
+ .align 64
+ ___
+diff -up openssl-1.0.0d/crypto/cryptlib.c.intelopts openssl-1.0.0d/crypto/cryptlib.c
+--- openssl-1.0.0d/crypto/cryptlib.c.intelopts 2010-11-19 01:11:27.000000000 +0100
++++ openssl-1.0.0d/crypto/cryptlib.c 2011-08-24 12:50:55.000000000 +0200
+@@ -662,22 +662,23 @@ const char *CRYPTO_get_lock_name(int typ
+ defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
+
+ unsigned long OPENSSL_ia32cap_P=0;
++unsigned long long OPENSSL_ia32cap_X=0;
+ unsigned long *OPENSSL_ia32cap_loc(void) { return &OPENSSL_ia32cap_P; }
+
+ #if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM) && !defined(I386_ONLY)
+ #define OPENSSL_CPUID_SETUP
+ void OPENSSL_cpuid_setup(void)
+ { static int trigger=0;
+- unsigned long OPENSSL_ia32_cpuid(void);
++ unsigned long long OPENSSL_ia32_cpuid(void);
+ char *env;
+
+ if (trigger) return;
+
+ trigger=1;
+ if ((env=getenv("OPENSSL_ia32cap")))
+- OPENSSL_ia32cap_P = strtoul(env,NULL,0)|(1<<10);
++ OPENSSL_ia32cap_X = OPENSSL_ia32cap_P = strtoul(env,NULL,0)|(1<<10);
+ else
+- OPENSSL_ia32cap_P = OPENSSL_ia32_cpuid()|(1<<10);
++ OPENSSL_ia32cap_P = OPENSSL_ia32cap_X = OPENSSL_ia32_cpuid()|(1<<10);
+ /*
+ * |(1<<10) sets a reserved bit to signal that variable
+ * was initialized already... This is to avoid interference
+diff -up openssl-1.0.0d/crypto/engine/eng_aesni.c.intelopts openssl-1.0.0d/crypto/engine/eng_aesni.c
+--- openssl-1.0.0d/crypto/engine/eng_aesni.c.intelopts 2011-08-24 12:50:55.000000000 +0200
++++ openssl-1.0.0d/crypto/engine/eng_aesni.c 2011-08-24 12:50:55.000000000 +0200
+@@ -157,16 +157,20 @@ typedef unsigned __int64 IA32CAP;
+ typedef unsigned long long IA32CAP;
+ #endif
+
++extern IA32CAP OPENSSL_ia32cap_X;
++
+ /* Prepare the ENGINE structure for registration */
+ static int
+ aesni_bind_helper(ENGINE *e)
+ {
+ int engage;
+- if (sizeof(OPENSSL_ia32cap_P) > 4) {
+- engage = (OPENSSL_ia32cap_P >> 57) & 1;
+- } else {
+- IA32CAP OPENSSL_ia32_cpuid(void);
+- engage = (OPENSSL_ia32_cpuid() >> 57) & 1;
++ engage = (OPENSSL_ia32cap_X >> 57) & 1;
++
++ /* Disable the AES-NI support if the environment variable
++ * OPENSSL_DISABLE_AES_NI is set to any value
++ */
++ if (getenv("OPENSSL_DISABLE_AES_NI") != NULL) {
++ engage = 0;
+ }
+
+ /* Register everything or return with an error */
+diff -up openssl-1.0.0d/crypto/fips/fips_standalone_sha1.c.intelopts openssl-1.0.0d/crypto/fips/fips_standalone_sha1.c
+--- openssl-1.0.0d/crypto/fips/fips_standalone_sha1.c.intelopts 2011-08-24 12:50:55.000000000 +0200
++++ openssl-1.0.0d/crypto/fips/fips_standalone_sha1.c 2011-08-24 12:50:55.000000000 +0200
+@@ -62,6 +62,8 @@ void OPENSSL_cleanse(void *p,size_t len)
+
+ #ifdef OPENSSL_FIPS
+
++unsigned long long OPENSSL_ia32cap_X = 0;
++
+ static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx,
+ const char *key)
+ {
+diff -up openssl-1.0.0d/crypto/perlasm/x86asm.pl.intelopts openssl-1.0.0d/crypto/perlasm/x86asm.pl
+--- openssl-1.0.0d/crypto/perlasm/x86asm.pl.intelopts 2008-12-17 20:56:47.000000000 +0100
++++ openssl-1.0.0d/crypto/perlasm/x86asm.pl 2011-08-24 12:50:56.000000000 +0200
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+
+ # require 'x86asm.pl';
+ # &asm_init(<flavor>,"des-586.pl"[,$i386only]);
+@@ -80,6 +80,57 @@ sub ::movq
+ { &::generic("movq", at _); }
+ }
+
++# SSE>2 instructions
++my %regrm = ( "eax"=>0, "ecx"=>1, "edx"=>2, "ebx"=>3,
++ "esp"=>4, "ebp"=>5, "esi"=>6, "edi"=>7 );
++sub ::pextrd
++{ my($dst,$src,$imm)=@_;
++ if ("$dst:$src" =~ /(e[a-dsd][ixp]):xmm([0-7])/)
++ { &::data_byte(0x66,0x0f,0x3a,0x16,0xc0|($2<<3)|$regrm{$1},$imm); }
++ else
++ { &::generic("pextrd", at _); }
++}
++
++sub ::pinsrd
++{ my($dst,$src,$imm)=@_;
++ if ("$dst:$src" =~ /xmm([0-7]):(e[a-dsd][ixp])/)
++ { &::data_byte(0x66,0x0f,0x3a,0x22,0xc0|($1<<3)|$regrm{$2},$imm); }
++ else
++ { &::generic("pinsrd", at _); }
++}
++
++sub ::pshufb
++{ my($dst,$src)=@_;
++ if ("$dst:$src" =~ /xmm([0-7]):xmm([0-7])/)
++ { &data_byte(0x66,0x0f,0x38,0x00,0xc0|($1<<3)|$2); }
++ else
++ { &::generic("pshufb", at _); }
++}
++
++sub ::palignr
++{ my($dst,$src,$imm)=@_;
++ if ("$dst:$src" =~ /xmm([0-7]):xmm([0-7])/)
++ { &::data_byte(0x66,0x0f,0x3a,0x0f,0xc0|($1<<3)|$2,$imm); }
++ else
++ { &::generic("palignr", at _); }
++}
++
++sub ::pclmulqdq
++{ my($dst,$src,$imm)=@_;
++ if ("$dst:$src" =~ /xmm([0-7]):xmm([0-7])/)
++ { &::data_byte(0x66,0x0f,0x3a,0x44,0xc0|($1<<3)|$2,$imm); }
++ else
++ { &::generic("pclmulqdq", at _); }
++}
++
++sub ::rdrand
++{ my ($dst)=@_;
++ if ($dst =~ /(e[a-dsd][ixp])/)
++ { &::data_byte(0x0f,0xc7,0xf0|$regrm{$dst}); }
++ else
++ { &::generic("rdrand", at _); }
++}
++
+ # label management
+ $lbdecor="L"; # local label decoration, set by package
+ $label="000";
+diff -up openssl-1.0.0d/crypto/perlasm/x86gas.pl.intelopts openssl-1.0.0d/crypto/perlasm/x86gas.pl
+--- openssl-1.0.0d/crypto/perlasm/x86gas.pl.intelopts 2008-12-17 20:56:47.000000000 +0100
++++ openssl-1.0.0d/crypto/perlasm/x86gas.pl 2011-08-24 12:50:56.000000000 +0200
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+
+ package x86gas;
+
+@@ -91,6 +91,7 @@ sub ::DWP
+ }
+ sub ::QWP { &::DWP(@_); }
+ sub ::BP { &::DWP(@_); }
++sub ::WP { &::DWP(@_); }
+ sub ::BC { @_; }
+ sub ::DWC { @_; }
+
+@@ -161,10 +162,16 @@ sub ::file_end
+ { push(@out,"$non_lazy_ptr{$i}:\n.indirect_symbol\t$i\n.long\t0\n"); }
+ }
+ }
++ if (grep {/\b${nmdecor}OPENSSL_ia32cap_X\b/i} @out) {
++ my $tmp=".comm\t${nmdecor}OPENSSL_ia32cap_X,8";
++ if ($::elf) { push (@out,"$tmp,4\n"); }
++ else { push (@out,"$tmp\n"); }
++ }
+ push(@out,$initseg) if ($initseg);
+ }
+
+ sub ::data_byte { push(@out,".byte\t".join(',', at _)."\n"); }
++sub ::data_short{ push(@out,".value\t".join(',', at _)."\n"); }
+ sub ::data_word { push(@out,".long\t".join(',', at _)."\n"); }
+
+ sub ::align
+diff -up openssl-1.0.0d/crypto/perlasm/x86_64-xlate.pl.intelopts openssl-1.0.0d/crypto/perlasm/x86_64-xlate.pl
+--- openssl-1.0.0d/crypto/perlasm/x86_64-xlate.pl.intelopts 2010-10-10 23:14:17.000000000 +0200
++++ openssl-1.0.0d/crypto/perlasm/x86_64-xlate.pl 2011-08-24 12:50:56.000000000 +0200
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+
+ # Ascetic x86_64 AT&T to MASM/NASM assembler translator by <appro>.
+ #
+@@ -121,7 +121,11 @@ my %globals;
+ $self->{sz} = "b";
+ } elsif ($self->{op} =~ /call|jmp/) {
+ $self->{sz} = "";
+- } elsif ($self->{op} =~ /^p/ && $' !~ /^(ush|op)/) { # SSEn
++ } elsif ($self->{op} =~ /^p/ && $' !~ /^(ush|op|insrw)/) { # SSEn
++ $self->{sz} = "";
++ } elsif ($self->{op} =~ /^v/) { # VEX
++ $self->{sz} = "";
++ } elsif ($self->{op} =~ /movq/ && $line =~ /%xmm/) {
+ $self->{sz} = "";
+ } elsif ($self->{op} =~ /([a-z]{3,})([qlwb])$/) {
+ $self->{op} = $1;
+@@ -246,35 +250,38 @@ my %globals;
+ $self->{index} =~ s/^[er](.?[0-9xpi])[d]?$/r\1/;
+ $self->{base} =~ s/^[er](.?[0-9xpi])[d]?$/r\1/;
+
++ # Solaris /usr/ccs/bin/as can't handle multiplications
++ # in $self->{label}, new gas requires sign extension...
++ use integer;
++ $self->{label} =~ s/(?<![\w\$\.])(0x?[0-9a-f]+)/oct($1)/egi;
++ $self->{label} =~ s/([0-9]+\s*[\*\/\%]\s*[0-9]+)/eval($1)/eg;
++ $self->{label} =~ s/([0-9]+)/$1<<32>>32/eg;
++
+ if ($gas) {
+- # Solaris /usr/ccs/bin/as can't handle multiplications
+- # in $self->{label}, new gas requires sign extension...
+- use integer;
+- $self->{label} =~ s/(?<![\w\$\.])(0x?[0-9a-f]+)/oct($1)/egi;
+- $self->{label} =~ s/([0-9]+\s*[\*\/\%]\s*[0-9]+)/eval($1)/eg;
+- $self->{label} =~ s/([0-9]+)/$1<<32>>32/eg;
+ $self->{label} =~ s/^___imp_/__imp__/ if ($flavour eq "mingw64");
+
+ if (defined($self->{index})) {
+- sprintf "%s%s(%%%s,%%%s,%d)",$self->{asterisk},
+- $self->{label},$self->{base},
++ sprintf "%s%s(%s,%%%s,%d)",$self->{asterisk},
++ $self->{label},
++ $self->{base}?"%$self->{base}":"",
+ $self->{index},$self->{scale};
+ } else {
+ sprintf "%s%s(%%%s)", $self->{asterisk},$self->{label},$self->{base};
+ }
+ } else {
+- %szmap = ( b=>"BYTE$PTR", w=>"WORD$PTR", l=>"DWORD$PTR", q=>"QWORD$PTR" );
++ %szmap = ( b=>"BYTE$PTR", w=>"WORD$PTR", l=>"DWORD$PTR",
++ q=>"QWORD$PTR",o=>"OWORD$PTR",x=>"XMMWORD$PTR" );
+
+ $self->{label} =~ s/\./\$/g;
+ $self->{label} =~ s/(?<![\w\$\.])0x([0-9a-f]+)/0$1h/ig;
+ $self->{label} = "($self->{label})" if ($self->{label} =~ /[\*\+\-\/]/);
+- $sz="q" if ($self->{asterisk});
++ $sz="q" if ($self->{asterisk} || opcode->mnemonic() eq "movq");
+
+ if (defined($self->{index})) {
+- sprintf "%s[%s%s*%d+%s]",$szmap{$sz},
++ sprintf "%s[%s%s*%d%s]",$szmap{$sz},
+ $self->{label}?"$self->{label}+":"",
+ $self->{index},$self->{scale},
+- $self->{base};
++ $self->{base}?"+$self->{base}":"";
+ } elsif ($self->{base} eq "rip") {
+ sprintf "%s[%s]",$szmap{$sz},$self->{label};
+ } else {
+@@ -506,6 +513,11 @@ my %globals;
+ }
+ } elsif ($dir =~ /\.(text|data)/) {
+ $current_segment=".$1";
++ } elsif ($dir =~ /\.hidden/) {
++ if ($flavour eq "macosx") { $self->{value} = ".private_extern\t$prefix$line"; }
++ elsif ($flavour eq "mingw64") { $self->{value} = ""; }
++ } elsif ($dir =~ /\.comm/) {
++ $self->{value} = "$dir\t$prefix$line";
+ }
+ $line = "";
+ return $self;
+@@ -613,6 +625,19 @@ my %globals;
+ .join(",", at str) if (@str);
+ last;
+ };
++ /\.comm/ && do { my @str=split(/,\s*/,$line);
++ my $v=undef;
++ if ($nasm) {
++ $v.="common $prefix at str[0] @str[1]";
++ } else {
++ $v="$current_segment\tENDS\n" if ($current_segment);
++ $current_segment = "_DATA";
++ $v.="$current_segment\tSEGMENT\n";
++ $v.="COMM @str[0]:DWORD:". at str[1]/4;
++ }
++ $self->{value} = $v;
++ last;
++ };
+ }
+ $line = "";
+ }
+@@ -625,9 +650,133 @@ my %globals;
+ }
+ }
+
++sub rex {
++ local *opcode=shift;
++ my ($dst,$src,$rex)=@_;
++
++ $rex|=0x04 if($dst>=8);
++ $rex|=0x01 if($src>=8);
++ push @opcode,($rex|0x40) if ($rex);
++}
++
++# older gas and ml64 don't handle SSE>2 instructions
++my %regrm = ( "%eax"=>0, "%ecx"=>1, "%edx"=>2, "%ebx"=>3,
++ "%esp"=>4, "%ebp"=>5, "%esi"=>6, "%edi"=>7 );
++
++my $movq = sub { # elderly gas can't handle inter-register movq
++ my $arg = shift;
++ my @opcode=(0x66);
++ if ($arg =~ /%xmm([0-9]+),%r(\w+)/) {
++ my ($src,$dst)=($1,$2);
++ if ($dst !~ /[0-9]+/) { $dst = $regrm{"%e$dst"}; }
++ rex(\@opcode,$src,$dst,0x8);
++ push @opcode,0x0f,0x7e;
++ push @opcode,0xc0|(($src&7)<<3)|($dst&7); # ModR/M
++ @opcode;
++ } elsif ($arg =~ /%r(\w+),%xmm([0-9]+)/) {
++ my ($src,$dst)=($2,$1);
++ if ($dst !~ /[0-9]+/) { $dst = $regrm{"%e$dst"}; }
++ rex(\@opcode,$src,$dst,0x8);
++ push @opcode,0x0f,0x6e;
++ push @opcode,0xc0|(($src&7)<<3)|($dst&7); # ModR/M
++ @opcode;
++ } else {
++ ();
++ }
++};
++
++my $pextrd = sub {
++ if (shift =~ /\$([0-9]+),%xmm([0-9]+),(%\w+)/) {
++ my @opcode=(0x66);
++ $imm=$1;
++ $src=$2;
++ $dst=$3;
++ if ($dst =~ /%r([0-9]+)d/) { $dst = $1; }
++ elsif ($dst =~ /%e/) { $dst = $regrm{$dst}; }
++ rex(\@opcode,$src,$dst);
++ push @opcode,0x0f,0x3a,0x16;
++ push @opcode,0xc0|(($src&7)<<3)|($dst&7); # ModR/M
++ push @opcode,$imm;
++ @opcode;
++ } else {
++ ();
++ }
++};
++
++my $pinsrd = sub {
++ if (shift =~ /\$([0-9]+),(%\w+),%xmm([0-9]+)/) {
++ my @opcode=(0x66);
++ $imm=$1;
++ $src=$2;
++ $dst=$3;
++ if ($src =~ /%r([0-9]+)/) { $src = $1; }
++ elsif ($src =~ /%e/) { $src = $regrm{$src}; }
++ rex(\@opcode,$dst,$src);
++ push @opcode,0x0f,0x3a,0x22;
++ push @opcode,0xc0|(($dst&7)<<3)|($src&7); # ModR/M
++ push @opcode,$imm;
++ @opcode;
++ } else {
++ ();
++ }
++};
++
++my $pshufb = sub {
++ if (shift =~ /%xmm([0-9]+),%xmm([0-9]+)/) {
++ my @opcode=(0x66);
++ rex(\@opcode,$2,$1);
++ push @opcode,0x0f,0x38,0x00;
++ push @opcode,0xc0|($1&7)|(($2&7)<<3); # ModR/M
++ @opcode;
++ } else {
++ ();
++ }
++};
++
++my $palignr = sub {
++ if (shift =~ /\$([0-9]+),%xmm([0-9]+),%xmm([0-9]+)/) {
++ my @opcode=(0x66);
++ rex(\@opcode,$3,$2);
++ push @opcode,0x0f,0x3a,0x0f;
++ push @opcode,0xc0|($2&7)|(($3&7)<<3); # ModR/M
++ push @opcode,$1;
++ @opcode;
++ } else {
++ ();
++ }
++};
++
++my $pclmulqdq = sub {
++ if (shift =~ /\$([x0-9a-f]+),\s*%xmm([0-9]+),\s*%xmm([0-9]+)/) {
++ my @opcode=(0x66);
++ rex(\@opcode,$3,$2);
++ push @opcode,0x0f,0x3a,0x44;
++ push @opcode,0xc0|($2&7)|(($3&7)<<3); # ModR/M
++ my $c=$1;
++ push @opcode,$c=~/^0/?oct($c):$c;
++ @opcode;
++ } else {
++ ();
++ }
++};
++
++my $rdrand = sub {
++ if (shift =~ /%[er](\w+)/) {
++ my @opcode=();
++ my $dst=$1;
++ if ($dst !~ /[0-9]+/) { $dst = $regrm{"%e$dst"}; }
++ rex(\@opcode,0,$1,8);
++ push @opcode,0x0f,0xc7,0xf0|($dst&7);
++ @opcode;
++ } else {
++ ();
++ }
++};
++
+ if ($nasm) {
+ print <<___;
+ default rel
++%define XMMWORD
+ ___
+ } elsif ($masm) {
+ print <<___;
+@@ -644,14 +793,22 @@ while($line=<>) {
+
+ undef $label;
+ undef $opcode;
+- undef $sz;
+ undef @args;
+
+ if ($label=label->re(\$line)) { print $label->out(); }
+
+ if (directive->re(\$line)) {
+ printf "%s",directive->out();
+- } elsif ($opcode=opcode->re(\$line)) { ARGUMENT: while (1) {
++ } elsif ($opcode=opcode->re(\$line)) {
++ my $asm = eval("\$".$opcode->mnemonic());
++ undef @bytes;
++
++ if ((ref($asm) eq 'CODE') && scalar(@bytes=&$asm($line))) {
++ print $gas?".byte\t":"DB\t",join(',', at bytes),"\n";
++ next;
++ }
++
++ ARGUMENT: while (1) {
+ my $arg;
+
+ if ($arg=register->re(\$line)) { opcode->size($arg->size()); }
+@@ -667,19 +824,26 @@ while($line=<>) {
+ $line =~ s/^,\s*//;
+ } # ARGUMENT:
+
+- $sz=opcode->size();
+-
+ if ($#args>=0) {
+ my $insn;
++ my $sz=opcode->size();
++
+ if ($gas) {
+ $insn = $opcode->out($#args>=1?$args[$#args]->size():$sz);
++ @args = map($_->out($sz), at args);
++ printf "\t%s\t%s",$insn,join(",", at args);
+ } else {
+ $insn = $opcode->out();
+- $insn .= $sz if (map($_->out() =~ /x?mm/, at args));
++ foreach (@args) {
++ my $arg = $_->out();
++ # $insn.=$sz compensates for movq, pinsrw, ...
++ if ($arg =~ /^xmm[0-9]+$/) { $insn.=$sz; $sz="x" if(!$sz); last; }
++ if ($arg =~ /^mm[0-9]+$/) { $insn.=$sz; $sz="q" if(!$sz); last; }
++ }
+ @args = reverse(@args);
+ undef $sz if ($nasm && $opcode->mnemonic() eq "lea");
++ printf "\t%s\t%s",$insn,join(",",map($_->out($sz), at args));
+ }
+- printf "\t%s\t%s",$insn,join(",",map($_->out($sz), at args));
+ } else {
+ printf "\t%s",$opcode->out();
+ }
+diff -up openssl-1.0.0d/crypto/rc4/asm/rc4-x86_64.pl.intelopts openssl-1.0.0d/crypto/rc4/asm/rc4-x86_64.pl
+--- openssl-1.0.0d/crypto/rc4/asm/rc4-x86_64.pl.intelopts 2011-08-24 12:50:55.000000000 +0200
++++ openssl-1.0.0d/crypto/rc4/asm/rc4-x86_64.pl 2011-08-24 12:50:56.000000000 +0200
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ #
+ # ====================================================================
+ # Written by Andy Polyakov <appro at fy.chalmers.se> for the OpenSSL
+@@ -7,6 +7,8 @@
+ # details see http://www.openssl.org/~appro/cryptogams/.
+ # ====================================================================
+ #
++# July 2004
++#
+ # 2.22x RC4 tune-up:-) It should be noted though that my hand [as in
+ # "hand-coded assembler"] doesn't stand for the whole improvement
+ # coefficient. It turned out that eliminating RC4_CHAR from config
+@@ -19,6 +21,8 @@
+ # to operate on partial registers, it turned out to be the best bet.
+ # At least for AMD... How IA32E would perform remains to be seen...
+
++# November 2004
++#
+ # As was shown by Marc Bevand reordering of couple of load operations
+ # results in even higher performance gain of 3.3x:-) At least on
+ # Opteron... For reference, 1x in this case is RC4_CHAR C-code
+@@ -26,6 +30,8 @@
+ # Latter means that if you want to *estimate* what to expect from
+ # *your* Opteron, then multiply 54 by 3.3 and clock frequency in GHz.
+
++# November 2004
++#
+ # Intel P4 EM64T core was found to run the AMD64 code really slow...
+ # The only way to achieve comparable performance on P4 was to keep
+ # RC4_CHAR. Kind of ironic, huh? As it's apparently impossible to
+@@ -33,10 +39,14 @@
+ # on either AMD and Intel platforms, I implement both cases. See
+ # rc4_skey.c for further details...
+
++# April 2005
++#
+ # P4 EM64T core appears to be "allergic" to 64-bit inc/dec. Replacing
+ # those with add/sub results in 50% performance improvement of folded
+ # loop...
+
++# May 2005
++#
+ # As was shown by Zou Nanhai loop unrolling can improve Intel EM64T
+ # performance by >30% [unlike P4 32-bit case that is]. But this is
+ # provided that loads are reordered even more aggressively! Both code
+@@ -50,6 +60,8 @@
+ # is not implemented, then this final RC4_CHAR code-path should be
+ # preferred, as it provides better *all-round* performance].
+
++# March 2007
++#
+ # Intel Core2 was observed to perform poorly on both code paths:-( It
+ # apparently suffers from some kind of partial register stall, which
+ # occurs in 64-bit mode only [as virtually identical 32-bit loop was
+@@ -58,6 +70,34 @@
+ # fit for Core2 and therefore the code was modified to skip cloop8 on
+ # this CPU.
+
++# May 2010
++#
++# Intel Westmere was observed to perform suboptimally. Adding yet
++# another movzb to cloop1 improved performance by almost 50%! Core2
++# performance is improved too, but nominally...
++
++# May 2011
++#
++# The only code path that was not modified is P4-specific one. Non-P4
++# Intel code path optimization is heavily based on submission by Maxim
++# Perminov, Maxim Locktyukhin and Jim Guilford of Intel. I've used
++# some of the ideas even in attempt to optmize the original RC4_INT
++# code path... Current performance in cycles per processed byte (less
++# is better) and improvement coefficients relative to previous
++# version of this module are:
++#
++# Opteron 5.3/+0%
++# P4 6.5
++# Core2 6.2/+15%(*)
++# Westmere 4.2/+60%
++# Sandy Bridge 4.2/+120%
++# Atom 9.3/+80%
++#
++# (*) Note that Core2 result is ~15% lower than corresponding result
++# for 32-bit code, meaning that it's possible to improve it,
++# but more than likely at the cost of the others (see rc4-586.pl
++# to get the idea)...
++
+ $flavour = shift;
+ $output = shift;
+ if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
+@@ -76,13 +116,10 @@ $len="%rsi"; # arg2
+ $inp="%rdx"; # arg3
+ $out="%rcx"; # arg4
+
+- at XX=("%r8","%r10");
+- at TX=("%r9","%r11");
+-$YY="%r12";
+-$TY="%r13";
+-
++{
+ $code=<<___;
+ .text
++.extern OPENSSL_ia32cap_P
+
+ .globl RC4
+ .type RC4,\@function,4
+@@ -95,48 +132,173 @@ RC4: or $len,$len
+ push %r12
+ push %r13
+ .Lprologue:
++ mov $len,%r11
++ mov $inp,%r12
++ mov $out,%r13
++___
++my $len="%r11"; # reassign input arguments
++my $inp="%r12";
++my $out="%r13";
++
++my @XX=("%r10","%rsi");
++my @TX=("%rax","%rbx");
++my $YY="%rcx";
++my $TY="%rdx";
+
+- add \$8,$dat
+- movl -8($dat),$XX[0]#d
+- movl -4($dat),$YY#d
++$code.=<<___;
++ xor $XX[0],$XX[0]
++ xor $YY,$YY
++
++ lea 8($dat),$dat
++ mov -8($dat),$XX[0]#b
++ mov -4($dat),$YY#b
+ cmpl \$-1,256($dat)
+ je .LRC4_CHAR
++ mov OPENSSL_ia32cap_P(%rip),%r8d
++ xor $TX[1],$TX[1]
+ inc $XX[0]#b
++ sub $XX[0],$TX[1]
++ sub $inp,$out
+ movl ($dat,$XX[0],4),$TX[0]#d
+- test \$-8,$len
++ test \$-16,$len
+ jz .Lloop1
+- jmp .Lloop8
++ bt \$30,%r8d # Intel CPU?
++ jc .Lintel
++ and \$7,$TX[1]
++ lea 1($XX[0]),$XX[1]
++ jz .Loop8
++ sub $TX[1],$len
++.Loop8_warmup:
++ add $TX[0]#b,$YY#b
++ movl ($dat,$YY,4),$TY#d
++ movl $TX[0]#d,($dat,$YY,4)
++ movl $TY#d,($dat,$XX[0],4)
++ add $TY#b,$TX[0]#b
++ inc $XX[0]#b
++ movl ($dat,$TX[0],4),$TY#d
++ movl ($dat,$XX[0],4),$TX[0]#d
++ xorb ($inp),$TY#b
++ movb $TY#b,($out,$inp)
++ lea 1($inp),$inp
++ dec $TX[1]
++ jnz .Loop8_warmup
++
++ lea 1($XX[0]),$XX[1]
++ jmp .Loop8
+ .align 16
+-.Lloop8:
++.Loop8:
+ ___
+ for ($i=0;$i<8;$i++) {
++$code.=<<___ if ($i==7);
++ add \$8,$XX[1]#b
++___
+ $code.=<<___;
+ add $TX[0]#b,$YY#b
+- mov $XX[0],$XX[1]
+ movl ($dat,$YY,4),$TY#d
+- ror \$8,%rax # ror is redundant when $i=0
+- inc $XX[1]#b
+- movl ($dat,$XX[1],4),$TX[1]#d
+- cmp $XX[1],$YY
+ movl $TX[0]#d,($dat,$YY,4)
+- cmove $TX[0],$TX[1]
+- movl $TY#d,($dat,$XX[0],4)
++ movl `4*($i==7?-1:$i)`($dat,$XX[1],4),$TX[1]#d
++ ror \$8,%r8 # ror is redundant when $i=0
++ movl $TY#d,4*$i($dat,$XX[0],4)
+ add $TX[0]#b,$TY#b
+- movb ($dat,$TY,4),%al
++ movb ($dat,$TY,4),%r8b
+ ___
+-push(@TX,shift(@TX)); push(@XX,shift(@XX)); # "rotate" registers
++push(@TX,shift(@TX)); #push(@XX,shift(@XX)); # "rotate" registers
+ }
+ $code.=<<___;
+- ror \$8,%rax
++ add \$8,$XX[0]#b
++ ror \$8,%r8
+ sub \$8,$len
+
+- xor ($inp),%rax
+- add \$8,$inp
+- mov %rax,($out)
+- add \$8,$out
++ xor ($inp),%r8
++ mov %r8,($out,$inp)
++ lea 8($inp),$inp
+
+ test \$-8,$len
+- jnz .Lloop8
++ jnz .Loop8
++ cmp \$0,$len
++ jne .Lloop1
++ jmp .Lexit
++
++.align 16
++.Lintel:
++ test \$-32,$len
++ jz .Lloop1
++ and \$15,$TX[1]
++ jz .Loop16_is_hot
++ sub $TX[1],$len
++.Loop16_warmup:
++ add $TX[0]#b,$YY#b
++ movl ($dat,$YY,4),$TY#d
++ movl $TX[0]#d,($dat,$YY,4)
++ movl $TY#d,($dat,$XX[0],4)
++ add $TY#b,$TX[0]#b
++ inc $XX[0]#b
++ movl ($dat,$TX[0],4),$TY#d
++ movl ($dat,$XX[0],4),$TX[0]#d
++ xorb ($inp),$TY#b
++ movb $TY#b,($out,$inp)
++ lea 1($inp),$inp
++ dec $TX[1]
++ jnz .Loop16_warmup
++
++ mov $YY,$TX[1]
++ xor $YY,$YY
++ mov $TX[1]#b,$YY#b
++
++.Loop16_is_hot:
++ lea ($dat,$XX[0],4),$XX[1]
++___
++sub RC4_loop {
++ my $i=shift;
++ my $j=$i<0?0:$i;
++ my $xmm="%xmm".($j&1);
++
++ $code.=" add \$16,$XX[0]#b\n" if ($i==15);
++ $code.=" movdqu ($inp),%xmm2\n" if ($i==15);
++ $code.=" add $TX[0]#b,$YY#b\n" if ($i<=0);
++ $code.=" movl ($dat,$YY,4),$TY#d\n";
++ $code.=" pxor %xmm0,%xmm2\n" if ($i==0);
++ $code.=" psllq \$8,%xmm1\n" if ($i==0);
++ $code.=" pxor $xmm,$xmm\n" if ($i<=1);
++ $code.=" movl $TX[0]#d,($dat,$YY,4)\n";
++ $code.=" add $TY#b,$TX[0]#b\n";
++ $code.=" movl `4*($j+1)`($XX[1]),$TX[1]#d\n" if ($i<15);
++ $code.=" movz $TX[0]#b,$TX[0]#d\n";
++ $code.=" movl $TY#d,`4*$j`($XX[1])\n";
++ $code.=" pxor %xmm1,%xmm2\n" if ($i==0);
++ $code.=" lea ($dat,$XX[0],4),$XX[1]\n" if ($i==15);
++ $code.=" add $TX[1]#b,$YY#b\n" if ($i<15);
++ $code.=" pinsrw \$`$j>>1`,($dat,$TX[0],4),$xmm\n";
++ $code.=" movdqu %xmm2,($out,$inp)\n" if ($i==0);
++ $code.=" lea 16($inp),$inp\n" if ($i==0);
++ $code.=" movl ($XX[1]),$TX[1]#d\n" if ($i==15);
++}
++ RC4_loop(-1);
++$code.=<<___;
++ jmp .Loop16_enter
++.align 16
++.Loop16:
++___
++
++for ($i=0;$i<16;$i++) {
++ $code.=".Loop16_enter:\n" if ($i==1);
++ RC4_loop($i);
++ push(@TX,shift(@TX)); # "rotate" registers
++}
++$code.=<<___;
++ mov $YY,$TX[1]
++ xor $YY,$YY # keyword to partial register
++ sub \$16,$len
++ mov $TX[1]#b,$YY#b
++ test \$-16,$len
++ jnz .Loop16
++
++ psllq \$8,%xmm1
++ pxor %xmm0,%xmm2
++ pxor %xmm1,%xmm2
++ movdqu %xmm2,($out,$inp)
++ lea 16($inp),$inp
++
+ cmp \$0,$len
+ jne .Lloop1
+ jmp .Lexit
+@@ -152,9 +314,8 @@ $code.=<<___;
+ movl ($dat,$TX[0],4),$TY#d
+ movl ($dat,$XX[0],4),$TX[0]#d
+ xorb ($inp),$TY#b
+- inc $inp
+- movb $TY#b,($out)
+- inc $out
++ movb $TY#b,($out,$inp)
++ lea 1($inp),$inp
+ dec $len
+ jnz .Lloop1
+ jmp .Lexit
+@@ -165,13 +326,11 @@ $code.=<<___;
+ movzb ($dat,$XX[0]),$TX[0]#d
+ test \$-8,$len
+ jz .Lcloop1
+- cmpl \$0,260($dat)
+- jnz .Lcloop1
+ jmp .Lcloop8
+ .align 16
+ .Lcloop8:
+- mov ($inp),%eax
+- mov 4($inp),%ebx
++ mov ($inp),%r8d
++ mov 4($inp),%r9d
+ ___
+ # unroll 2x4-wise, because 64-bit rotates kill Intel P4...
+ for ($i=0;$i<4;$i++) {
+@@ -188,8 +347,8 @@ $code.=<<___;
+ mov $TX[0],$TX[1]
+ .Lcmov$i:
+ add $TX[0]#b,$TY#b
+- xor ($dat,$TY),%al
+- ror \$8,%eax
++ xor ($dat,$TY),%r8b
++ ror \$8,%r8d
+ ___
+ push(@TX,shift(@TX)); push(@XX,shift(@XX)); # "rotate" registers
+ }
+@@ -207,16 +366,16 @@ $code.=<<___;
+ mov $TX[0],$TX[1]
+ .Lcmov$i:
+ add $TX[0]#b,$TY#b
+- xor ($dat,$TY),%bl
+- ror \$8,%ebx
++ xor ($dat,$TY),%r9b
++ ror \$8,%r9d
+ ___
+ push(@TX,shift(@TX)); push(@XX,shift(@XX)); # "rotate" registers
+ }
+ $code.=<<___;
+ lea -8($len),$len
+- mov %eax,($out)
++ mov %r8d,($out)
+ lea 8($inp),$inp
+- mov %ebx,4($out)
++ mov %r9d,4($out)
+ lea 8($out),$out
+
+ test \$-8,$len
+@@ -229,6 +388,7 @@ $code.=<<___;
+ .align 16
+ .Lcloop1:
+ add $TX[0]#b,$YY#b
++ movzb $YY#b,$YY#d
+ movzb ($dat,$YY),$TY#d
+ movb $TX[0]#b,($dat,$YY)
+ movb $TY#b,($dat,$XX[0])
+@@ -260,12 +420,12 @@ $code.=<<___;
+ ret
+ .size RC4,.-RC4
+ ___
++}
+
+ $idx="%r8";
+ $ido="%r9";
+
+ $code.=<<___;
+-.extern OPENSSL_ia32cap_P
+ .globl RC4_set_key
+ .type RC4_set_key,\@function,3
+ .align 16
+@@ -280,12 +440,9 @@ RC4_set_key:
+ xor %r11,%r11
+
+ mov OPENSSL_ia32cap_P(%rip),$idx#d
+- bt \$20,$idx#d
+- jnc .Lw1stloop
+- bt \$30,$idx#d
+- setc $ido#b
+- mov $ido#d,260($dat)
+- jmp .Lc1stloop
++ bt \$20,$idx#d # RC4_CHAR?
++ jc .Lc1stloop
++ jmp .Lw1stloop
+
+ .align 16
+ .Lw1stloop:
+@@ -348,18 +505,20 @@ RC4_options:
+ lea .Lopts(%rip),%rax
+ mov OPENSSL_ia32cap_P(%rip),%edx
+ bt \$20,%edx
+- jnc .Ldone
+- add \$12,%rax
++ jc .L8xchar
+ bt \$30,%edx
+ jnc .Ldone
+- add \$13,%rax
++ add \$25,%rax
++ ret
++.L8xchar:
++ add \$12,%rax
+ .Ldone:
+ ret
+ .align 64
+ .Lopts:
+ .asciz "rc4(8x,int)"
+ .asciz "rc4(8x,char)"
+-.asciz "rc4(1x,char)"
++.asciz "rc4(16x,int)"
+ .asciz "RC4 for x86_64, CRYPTOGAMS by <appro\@openssl.org>"
+ .align 64
+ .size RC4_options,.-RC4_options
+@@ -497,8 +656,17 @@ key_se_handler:
+ ___
+ }
+
+-$code =~ s/#([bwd])/$1/gm;
++sub reg_part {
++my ($reg,$conv)=@_;
++ if ($reg =~ /%r[0-9]+/) { $reg .= $conv; }
++ elsif ($conv eq "b") { $reg =~ s/%[er]([^x]+)x?/%$1l/; }
++ elsif ($conv eq "w") { $reg =~ s/%[er](.+)/%$1/; }
++ elsif ($conv eq "d") { $reg =~ s/%[er](.+)/%e$1/; }
++ return $reg;
++}
+
++$code =~ s/(%[a-z0-9]+)#([bwd])/reg_part($1,$2)/gem;
++$code =~ s/\`([^\`]*)\`/eval $1/gem;
+ $code =~ s/RC4_set_key/private_RC4_set_key/g if ($ENV{FIPS} ne "");
+
+ print $code;
+diff -up openssl-1.0.0d/crypto/rc4/asm/rc4-586.pl.intelopts openssl-1.0.0d/crypto/rc4/asm/rc4-586.pl
+--- openssl-1.0.0d/crypto/rc4/asm/rc4-586.pl.intelopts 2011-08-24 12:50:55.000000000 +0200
++++ openssl-1.0.0d/crypto/rc4/asm/rc4-586.pl 2011-08-24 12:50:56.000000000 +0200
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+
+ # ====================================================================
+ # [Re]written by Andy Polyakov <appro at fy.chalmers.se> for the OpenSSL
+@@ -28,6 +28,33 @@
+ #
+ # <appro at fy.chalmers.se>
+
++# May 2011
++#
++# Optimize for Core2 and Westmere [and incidentally Opteron]. Current
++# performance in cycles per processed byte (less is better) is:
++#
++# Pentium 10.2 # original numbers
++# Pentium III 7.8(*)
++# Intel P4 7.5
++#
++# Opteron 6.1/+20% # new MMX numbers
++# Core2 5.3/+67%(**)
++# Westmere 5.1/+94%(**)
++# Sandy Bridge 5.0/+8%
++# Atom 12.6/+6%
++#
++# (*) PIII can actually deliver 6.6 cycles per byte with MMX code,
++# but this specific code performs poorly on Core2. And vice
++# versa, below MMX/SSE code delivering 5.8/7.1 on Core2 performs
++# poorly on PIII, at 8.0/14.5:-( As PIII is not a "hot" CPU
++# [anymore], I chose to discard PIII-specific code path and opt
++# for original IALU-only code, which is why MMX/SSE code path
++# is guarded by SSE2 bit (see below), not MMX/SSE.
++# (**) Performance vs. block size on Core2 and Westmere had a maximum
++# at ... 64 bytes block size. And it was quite a maximum, 40-60%
++# in comparison to largest 8KB block size. Above improvement
++# coefficients are for the largest block size.
++
+ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+ push(@INC,"${dir}","${dir}../../perlasm");
+ require "x86asm.pl";
+@@ -62,6 +89,68 @@ sub RC4_loop {
+ &$func ($out,&DWP(0,$dat,$ty,4));
+ }
+
++if ($alt=0) {
++ # >20% faster on Atom and Sandy Bridge[!], 8% faster on Opteron,
++ # but ~40% slower on Core2 and Westmere... Attempt to add movz
++ # brings down Opteron by 25%, Atom and Sandy Bridge by 15%, yet
++ # on Core2 with movz it's almost 20% slower than below alternative
++ # code... Yes, it's a total mess...
++ my @XX=($xx,$out);
++ $RC4_loop_mmx = sub { # SSE actually...
++ my $i=shift;
++ my $j=$i<=0?0:$i>>1;
++ my $mm=$i<=0?"mm0":"mm".($i&1);
++
++ &add (&LB($yy),&LB($tx));
++ &lea (@XX[1],&DWP(1, at XX[0]));
++ &pxor ("mm2","mm0") if ($i==0);
++ &psllq ("mm1",8) if ($i==0);
++ &and (@XX[1],0xff);
++ &pxor ("mm0","mm0") if ($i<=0);
++ &mov ($ty,&DWP(0,$dat,$yy,4));
++ &mov (&DWP(0,$dat,$yy,4),$tx);
++ &pxor ("mm1","mm2") if ($i==0);
++ &mov (&DWP(0,$dat,$XX[0],4),$ty);
++ &add (&LB($ty),&LB($tx));
++ &movd (@XX[0],"mm7") if ($i==0);
++ &mov ($tx,&DWP(0,$dat, at XX[1],4));
++ &pxor ("mm1","mm1") if ($i==1);
++ &movq ("mm2",&QWP(0,$inp)) if ($i==1);
++ &movq (&QWP(-8,(@XX[0],$inp)),"mm1") if ($i==0);
++ &pinsrw ($mm,&DWP(0,$dat,$ty,4),$j);
++
++ push (@XX,shift(@XX)) if ($i>=0);
++ }
++} else {
++ # Using pinsrw here improves performane on Intel CPUs by 2-3%, but
++ # brings down AMD by 7%...
++ $RC4_loop_mmx = sub {
++ my $i=shift;
++
++ &add (&LB($yy),&LB($tx));
++ &psllq ("mm1",8*(($i-1)&7)) if (abs($i)!=1);
++ &mov ($ty,&DWP(0,$dat,$yy,4));
++ &mov (&DWP(0,$dat,$yy,4),$tx);
++ &mov (&DWP(0,$dat,$xx,4),$ty);
++ &inc ($xx);
++ &add ($ty,$tx);
++ &movz ($xx,&LB($xx)); # (*)
++ &movz ($ty,&LB($ty)); # (*)
++ &pxor ("mm2",$i==1?"mm0":"mm1") if ($i>=0);
++ &movq ("mm0",&QWP(0,$inp)) if ($i<=0);
++ &movq (&QWP(-8,($out,$inp)),"mm2") if ($i==0);
++ &mov ($tx,&DWP(0,$dat,$xx,4));
++ &movd ($i>0?"mm1":"mm2",&DWP(0,$dat,$ty,4));
++
++ # (*) This is the key to Core2 and Westmere performance.
++ # Whithout movz out-of-order execution logic confuses
++ # itself and fails to reorder loads and stores. Problem
++ # appears to be fixed in Sandy Bridge...
++ }
++}
++
++&external_label("OPENSSL_ia32cap_P");
++
+ # void RC4(RC4_KEY *key,size_t len,const unsigned char *inp,unsigned char *out);
+ &function_begin("RC4");
+ &mov ($dat,&wparam(0)); # load key schedule pointer
+@@ -94,11 +183,56 @@ sub RC4_loop {
+ &and ($ty,-4); # how many 4-byte chunks?
+ &jz (&label("loop1"));
+
++ &test ($ty,-8);
++ &mov (&wparam(3),$out); # $out as accumulator in these loops
++ &jz (&label("go4loop4"));
++
++ &picmeup($out,"OPENSSL_ia32cap_P");
++ &bt (&DWP(0,$out),26); # check SSE2 bit [could have been MMX]
++ &jnc (&label("go4loop4"));
++
++ &mov ($out,&wparam(3)) if (!$alt);
++ &movd ("mm7",&wparam(3)) if ($alt);
++ &and ($ty,-8);
++ &lea ($ty,&DWP(-8,$inp,$ty));
++ &mov (&DWP(-4,$dat),$ty); # save input+(len/8)*8-8
++
++ &$RC4_loop_mmx(-1);
++ &jmp(&label("loop_mmx_enter"));
++
++ &set_label("loop_mmx",16);
++ &$RC4_loop_mmx(0);
++ &set_label("loop_mmx_enter");
++ for ($i=1;$i<8;$i++) { &$RC4_loop_mmx($i); }
++ &mov ($ty,$yy);
++ &xor ($yy,$yy); # this is second key to Core2
++ &mov (&LB($yy),&LB($ty)); # and Westmere performance...
++ &cmp ($inp,&DWP(-4,$dat));
++ &lea ($inp,&DWP(8,$inp));
++ &jb (&label("loop_mmx"));
++
++ if ($alt) {
++ &movd ($out,"mm7");
++ &pxor ("mm2","mm0");
++ &psllq ("mm1",8);
++ &pxor ("mm1","mm2");
++ &movq (&QWP(-8,$out,$inp),"mm1");
++ } else {
++ &psllq ("mm1",56);
++ &pxor ("mm2","mm1");
++ &movq (&QWP(-8,$out,$inp),"mm2");
++ }
++ &emms ();
++
++ &cmp ($inp,&wparam(1)); # compare to input+len
++ &je (&label("done"));
++ &jmp (&label("loop1"));
++
++&set_label("go4loop4",16);
+ &lea ($ty,&DWP(-4,$inp,$ty));
+ &mov (&wparam(2),$ty); # save input+(len/4)*4-4
+- &mov (&wparam(3),$out); # $out as accumulator in this loop
+
+- &set_label("loop4",16);
++ &set_label("loop4");
+ for ($i=0;$i<4;$i++) { RC4_loop($i); }
+ &ror ($out,8);
+ &xor ($out,&DWP(0,$inp));
+@@ -151,7 +285,7 @@ sub RC4_loop {
+
+ &set_label("done");
+ &dec (&LB($xx));
+- &mov (&BP(-4,$dat),&LB($yy)); # save key->y
++ &mov (&DWP(-4,$dat),$yy); # save key->y
+ &mov (&BP(-8,$dat),&LB($xx)); # save key->x
+ &set_label("abort");
+ &function_end("RC4");
+@@ -164,12 +298,9 @@ $idi="ebp";
+ $ido="ecx";
+ $idx="edx";
+
+-&external_label("OPENSSL_ia32cap_P");
+-
+ $setkeyfunc = "RC4_set_key";
+ $setkeyfunc = "private_RC4_set_key" if ($ENV{FIPS} ne "");
+
+-
+ # void RC4_set_key(RC4_KEY *key,int len,const unsigned char *data);
+ &function_begin($setkeyfunc);
+ &mov ($out,&wparam(0)); # load key
+@@ -258,14 +389,21 @@ $setkeyfunc = "private_RC4_set_key" if (
+ &blindpop("eax");
+ &lea ("eax",&DWP(&label("opts")."-".&label("pic_point"),"eax"));
+ &picmeup("edx","OPENSSL_ia32cap_P");
+- &bt (&DWP(0,"edx"),20);
+- &jnc (&label("skip"));
+- &add ("eax",12);
+- &set_label("skip");
++ &mov ("edx",&DWP(0,"edx"));
++ &bt ("edx",20);
++ &jc (&label("1xchar"));
++ &bt ("edx",26);
++ &jnc (&label("ret"));
++ &add ("eax",25);
++ &ret ();
++&set_label("1xchar");
++ &add ("eax",12);
++&set_label("ret");
+ &ret ();
+ &set_label("opts",64);
+ &asciz ("rc4(4x,int)");
+ &asciz ("rc4(1x,char)");
++&asciz ("rc4(8x,mmx)");
+ &asciz ("RC4 for x86, CRYPTOGAMS by <appro\@openssl.org>");
+ &align (64);
+ &function_end_B("RC4_options");
+diff -up openssl-1.0.0d/crypto/sha/asm/sha1-x86_64.pl.intelopts openssl-1.0.0d/crypto/sha/asm/sha1-x86_64.pl
+--- openssl-1.0.0d/crypto/sha/asm/sha1-x86_64.pl.intelopts 2010-01-17 17:58:56.000000000 +0100
++++ openssl-1.0.0d/crypto/sha/asm/sha1-x86_64.pl 2011-08-24 12:50:56.000000000 +0200
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ #
+ # ====================================================================
+ # Written by Andy Polyakov <appro at fy.chalmers.se> for the OpenSSL
+@@ -16,7 +16,7 @@
+ # There was suggestion to mechanically translate 32-bit code, but I
+ # dismissed it, reasoning that x86_64 offers enough register bank
+ # capacity to fully utilize SHA-1 parallelism. Therefore this fresh
+-# implementation:-) However! While 64-bit code does performs better
++# implementation:-) However! While 64-bit code does perform better
+ # on Opteron, I failed to beat 32-bit assembler on EM64T core. Well,
+ # x86_64 does offer larger *addressable* bank, but out-of-order core
+ # reaches for even more registers through dynamic aliasing, and EM64T
+@@ -29,6 +29,38 @@
+ # Xeon P4 +65% +0% 9.9
+ # Core2 +60% +10% 7.0
+
++# August 2009.
++#
++# The code was revised to minimize code size and to maximize
++# "distance" between instructions producing input to 'lea'
++# instruction and the 'lea' instruction itself, which is essential
++# for Intel Atom core.
++
++# October 2010.
++#
++# Add SSSE3, Supplemental[!] SSE3, implementation. The idea behind it
++# is to offload message schedule denoted by Wt in NIST specification,
++# or Xupdate in OpenSSL source, to SIMD unit. See sha1-586.pl module
++# for background and implementation details. The only difference from
++# 32-bit code is that 64-bit code doesn't have to spill @X[] elements
++# to free temporary registers.
++
++# April 2011.
++#
++# Add AVX code path. See sha1-586.pl for further information.
++
++######################################################################
++# Current performance is summarized in following table. Numbers are
++# CPU clock cycles spent to process single byte (less is better).
++#
++# x86_64 SSSE3 AVX
++# P4 9.8 -
++# Opteron 6.6 -
++# Core2 6.7 6.1/+10% -
++# Atom 11.0 9.7/+13% -
++# Westmere 7.1 5.6/+27% -
++# Sandy Bridge 7.9 6.3/+25% 5.2/+51%
++
+ $flavour = shift;
+ $output = shift;
+ if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
+@@ -40,6 +72,13 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+ ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
+ die "can't locate x86_64-xlate.pl";
+
++$avx=1 if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
++ =~ /GNU assembler version ([2-9]\.[0-9]+)/ &&
++ $1>=2.19);
++$avx=1 if (!$avx && $flavour =~ /nasm/ &&
++ `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)/ &&
++ $1>=2.03);
++
+ open STDOUT,"| $^X $xlate $flavour $output";
+
+ $ctx="%rdi"; # 1st arg
+@@ -51,196 +90,994 @@ $ctx="%r8";
+ $inp="%r9";
+ $num="%r10";
+
+-$xi="%eax";
+-$t0="%ebx";
+-$t1="%ecx";
+-$A="%edx";
+-$B="%esi";
+-$C="%edi";
+-$D="%ebp";
+-$E="%r11d";
+-$T="%r12d";
+-
+- at V=($A,$B,$C,$D,$E,$T);
++$t0="%eax";
++$t1="%ebx";
++$t2="%ecx";
++ at xi=("%edx","%ebp");
++$A="%esi";
++$B="%edi";
++$C="%r11d";
++$D="%r12d";
++$E="%r13d";
+
+-sub PROLOGUE {
+-my $func=shift;
+-$code.=<<___;
+-.globl $func
+-.type $func,\@function,3
+-.align 16
+-$func:
+- push %rbx
+- push %rbp
+- push %r12
+- mov %rsp,%r11
+- mov %rdi,$ctx # reassigned argument
+- sub \$`8+16*4`,%rsp
+- mov %rsi,$inp # reassigned argument
+- and \$-64,%rsp
+- mov %rdx,$num # reassigned argument
+- mov %r11,`16*4`(%rsp)
+-.Lprologue:
+-
+- mov 0($ctx),$A
+- mov 4($ctx),$B
+- mov 8($ctx),$C
+- mov 12($ctx),$D
+- mov 16($ctx),$E
+-___
+-}
+-
+-sub EPILOGUE {
+-my $func=shift;
+-$code.=<<___;
+- mov `16*4`(%rsp),%rsi
+- mov (%rsi),%r12
+- mov 8(%rsi),%rbp
+- mov 16(%rsi),%rbx
+- lea 24(%rsi),%rsp
+-.Lepilogue:
+- ret
+-.size $func,.-$func
+-___
+-}
++ at V=($A,$B,$C,$D,$E);
+
+ sub BODY_00_19 {
+-my ($i,$a,$b,$c,$d,$e,$f,$host)=@_;
++my ($i,$a,$b,$c,$d,$e)=@_;
+ my $j=$i+1;
+ $code.=<<___ if ($i==0);
+- mov `4*$i`($inp),$xi
+- `"bswap $xi" if(!defined($host))`
+- mov $xi,`4*$i`(%rsp)
++ mov `4*$i`($inp),$xi[0]
++ bswap $xi[0]
++ mov $xi[0],`4*$i`(%rsp)
+ ___
+ $code.=<<___ if ($i<15);
+- lea 0x5a827999($xi,$e),$f
+ mov $c,$t0
+- mov `4*$j`($inp),$xi
+- mov $a,$e
++ mov `4*$j`($inp),$xi[1]
++ mov $a,$t2
+ xor $d,$t0
+- `"bswap $xi" if(!defined($host))`
+- rol \$5,$e
++ bswap $xi[1]
++ rol \$5,$t2
++ lea 0x5a827999($xi[0],$e),$e
+ and $b,$t0
+- mov $xi,`4*$j`(%rsp)
+- add $e,$f
++ mov $xi[1],`4*$j`(%rsp)
++ add $t2,$e
+ xor $d,$t0
+ rol \$30,$b
+- add $t0,$f
++ add $t0,$e
+ ___
+ $code.=<<___ if ($i>=15);
+- lea 0x5a827999($xi,$e),$f
+- mov `4*($j%16)`(%rsp),$xi
++ mov `4*($j%16)`(%rsp),$xi[1]
+ mov $c,$t0
+- mov $a,$e
+- xor `4*(($j+2)%16)`(%rsp),$xi
++ mov $a,$t2
++ xor `4*(($j+2)%16)`(%rsp),$xi[1]
+ xor $d,$t0
+- rol \$5,$e
+- xor `4*(($j+8)%16)`(%rsp),$xi
++ rol \$5,$t2
++ xor `4*(($j+8)%16)`(%rsp),$xi[1]
+ and $b,$t0
+- add $e,$f
+- xor `4*(($j+13)%16)`(%rsp),$xi
++ lea 0x5a827999($xi[0],$e),$e
++ xor `4*(($j+13)%16)`(%rsp),$xi[1]
+ xor $d,$t0
++ rol \$1,$xi[1]
++ add $t2,$e
+ rol \$30,$b
+- add $t0,$f
+- rol \$1,$xi
+- mov $xi,`4*($j%16)`(%rsp)
++ mov $xi[1],`4*($j%16)`(%rsp)
++ add $t0,$e
+ ___
++unshift(@xi,pop(@xi));
+ }
+
+ sub BODY_20_39 {
+-my ($i,$a,$b,$c,$d,$e,$f)=@_;
++my ($i,$a,$b,$c,$d,$e)=@_;
+ my $j=$i+1;
+ my $K=($i<40)?0x6ed9eba1:0xca62c1d6;
+ $code.=<<___ if ($i<79);
+- lea $K($xi,$e),$f
+- mov `4*($j%16)`(%rsp),$xi
++ mov `4*($j%16)`(%rsp),$xi[1]
+ mov $c,$t0
+- mov $a,$e
+- xor `4*(($j+2)%16)`(%rsp),$xi
++ mov $a,$t2
++ xor `4*(($j+2)%16)`(%rsp),$xi[1]
+ xor $b,$t0
+- rol \$5,$e
+- xor `4*(($j+8)%16)`(%rsp),$xi
++ rol \$5,$t2
++ lea $K($xi[0],$e),$e
++ xor `4*(($j+8)%16)`(%rsp),$xi[1]
+ xor $d,$t0
+- add $e,$f
+- xor `4*(($j+13)%16)`(%rsp),$xi
++ add $t2,$e
++ xor `4*(($j+13)%16)`(%rsp),$xi[1]
+ rol \$30,$b
+- add $t0,$f
+- rol \$1,$xi
++ add $t0,$e
++ rol \$1,$xi[1]
+ ___
+ $code.=<<___ if ($i<76);
+- mov $xi,`4*($j%16)`(%rsp)
++ mov $xi[1],`4*($j%16)`(%rsp)
+ ___
+ $code.=<<___ if ($i==79);
+- lea $K($xi,$e),$f
+ mov $c,$t0
+- mov $a,$e
++ mov $a,$t2
+ xor $b,$t0
+- rol \$5,$e
++ lea $K($xi[0],$e),$e
++ rol \$5,$t2
+ xor $d,$t0
+- add $e,$f
++ add $t2,$e
+ rol \$30,$b
+- add $t0,$f
++ add $t0,$e
+ ___
++unshift(@xi,pop(@xi));
+ }
+
+ sub BODY_40_59 {
+-my ($i,$a,$b,$c,$d,$e,$f)=@_;
++my ($i,$a,$b,$c,$d,$e)=@_;
+ my $j=$i+1;
+ $code.=<<___;
+- lea 0x8f1bbcdc($xi,$e),$f
+- mov `4*($j%16)`(%rsp),$xi
+- mov $b,$t0
+- mov $b,$t1
+- xor `4*(($j+2)%16)`(%rsp),$xi
+- mov $a,$e
+- and $c,$t0
+- xor `4*(($j+8)%16)`(%rsp),$xi
+- or $c,$t1
+- rol \$5,$e
+- xor `4*(($j+13)%16)`(%rsp),$xi
+- and $d,$t1
+- add $e,$f
+- rol \$1,$xi
+- or $t1,$t0
++ mov `4*($j%16)`(%rsp),$xi[1]
++ mov $c,$t0
++ mov $c,$t1
++ xor `4*(($j+2)%16)`(%rsp),$xi[1]
++ and $d,$t0
++ mov $a,$t2
++ xor `4*(($j+8)%16)`(%rsp),$xi[1]
++ xor $d,$t1
++ lea 0x8f1bbcdc($xi[0],$e),$e
++ rol \$5,$t2
++ xor `4*(($j+13)%16)`(%rsp),$xi[1]
++ add $t0,$e
++ and $b,$t1
++ rol \$1,$xi[1]
++ add $t1,$e
+ rol \$30,$b
+- mov $xi,`4*($j%16)`(%rsp)
+- add $t0,$f
++ mov $xi[1],`4*($j%16)`(%rsp)
++ add $t2,$e
+ ___
++unshift(@xi,pop(@xi));
+ }
+
+-$code=".text\n";
++$code.=<<___;
++.text
++.extern OPENSSL_ia32cap_X
++
++.globl sha1_block_data_order
++.type sha1_block_data_order,\@function,3
++.align 16
++sha1_block_data_order:
++ mov OPENSSL_ia32cap_X+0(%rip),%r9d
++ mov OPENSSL_ia32cap_X+4(%rip),%r8d
++ test \$`1<<9`,%r8d # check SSSE3 bit
++ jz .Lialu
++___
++$code.=<<___ if ($avx);
++ and \$`1<<28`,%r8d # mask AVX bit
++ and \$`1<<30`,%r9d # mask "Intel CPU" bit
++ or %r9d,%r8d
++ cmp \$`1<<28|1<<30`,%r8d
++ je _avx_shortcut
++___
++$code.=<<___;
++ jmp _ssse3_shortcut
++
++.align 16
++.Lialu:
++ push %rbx
++ push %rbp
++ push %r12
++ push %r13
++ mov %rsp,%r11
++ mov %rdi,$ctx # reassigned argument
++ sub \$`8+16*4`,%rsp
++ mov %rsi,$inp # reassigned argument
++ and \$-64,%rsp
++ mov %rdx,$num # reassigned argument
++ mov %r11,`16*4`(%rsp)
++.Lprologue:
++
++ mov 0($ctx),$A
++ mov 4($ctx),$B
++ mov 8($ctx),$C
++ mov 12($ctx),$D
++ mov 16($ctx),$E
++ jmp .Lloop
+
+-&PROLOGUE("sha1_block_data_order");
+-$code.=".align 4\n.Lloop:\n";
++.align 16
++.Lloop:
++___
+ for($i=0;$i<20;$i++) { &BODY_00_19($i, at V); unshift(@V,pop(@V)); }
+ for(;$i<40;$i++) { &BODY_20_39($i, at V); unshift(@V,pop(@V)); }
+ for(;$i<60;$i++) { &BODY_40_59($i, at V); unshift(@V,pop(@V)); }
+ for(;$i<80;$i++) { &BODY_20_39($i, at V); unshift(@V,pop(@V)); }
+ $code.=<<___;
+- add 0($ctx),$E
+- add 4($ctx),$T
+- add 8($ctx),$A
+- add 12($ctx),$B
+- add 16($ctx),$C
+- mov $E,0($ctx)
+- mov $T,4($ctx)
+- mov $A,8($ctx)
+- mov $B,12($ctx)
+- mov $C,16($ctx)
+-
+- xchg $E,$A # mov $E,$A
+- xchg $T,$B # mov $T,$B
+- xchg $E,$C # mov $A,$C
+- xchg $T,$D # mov $B,$D
+- # mov $C,$E
+- lea `16*4`($inp),$inp
++ add 0($ctx),$A
++ add 4($ctx),$B
++ add 8($ctx),$C
++ add 12($ctx),$D
++ add 16($ctx),$E
++ mov $A,0($ctx)
++ mov $B,4($ctx)
++ mov $C,8($ctx)
++ mov $D,12($ctx)
++ mov $E,16($ctx)
++
+ sub \$1,$num
++ lea `16*4`($inp),$inp
+ jnz .Lloop
++
++ mov `16*4`(%rsp),%rsi
++ mov (%rsi),%r13
++ mov 8(%rsi),%r12
++ mov 16(%rsi),%rbp
++ mov 24(%rsi),%rbx
++ lea 32(%rsi),%rsp
++.Lepilogue:
++ ret
++.size sha1_block_data_order,.-sha1_block_data_order
+ ___
+-&EPILOGUE("sha1_block_data_order");
++{{{
++my $Xi=4;
++my @X=map("%xmm$_",(4..7,0..3));
++my @Tx=map("%xmm$_",(8..10));
++my @V=($A,$B,$C,$D,$E)=("%eax","%ebx","%ecx","%edx","%ebp"); # size optimization
++my @T=("%esi","%edi");
++my $j=0;
++my $K_XX_XX="%r11";
++
++my $_rol=sub { &rol(@_) };
++my $_ror=sub { &ror(@_) };
++
+ $code.=<<___;
+-.asciz "SHA1 block transform for x86_64, CRYPTOGAMS by <appro\@openssl.org>"
++.type sha1_block_data_order_ssse3,\@function,3
+ .align 16
++sha1_block_data_order_ssse3:
++_ssse3_shortcut:
++ push %rbx
++ push %rbp
++ push %r12
++ lea `-64-($win64?5*16:0)`(%rsp),%rsp
++___
++$code.=<<___ if ($win64);
++ movaps %xmm6,64+0(%rsp)
++ movaps %xmm7,64+16(%rsp)
++ movaps %xmm8,64+32(%rsp)
++ movaps %xmm9,64+48(%rsp)
++ movaps %xmm10,64+64(%rsp)
++.Lprologue_ssse3:
++___
++$code.=<<___;
++ mov %rdi,$ctx # reassigned argument
++ mov %rsi,$inp # reassigned argument
++ mov %rdx,$num # reassigned argument
++
++ shl \$6,$num
++ add $inp,$num
++ lea K_XX_XX(%rip),$K_XX_XX
++
++ mov 0($ctx),$A # load context
++ mov 4($ctx),$B
++ mov 8($ctx),$C
++ mov 12($ctx),$D
++ mov $B, at T[0] # magic seed
++ mov 16($ctx),$E
++
++ movdqa 64($K_XX_XX), at X[2] # pbswap mask
++ movdqa 0($K_XX_XX), at Tx[1] # K_00_19
++ movdqu 0($inp), at X[-4&7] # load input to %xmm[0-3]
++ movdqu 16($inp), at X[-3&7]
++ movdqu 32($inp), at X[-2&7]
++ movdqu 48($inp), at X[-1&7]
++ pshufb @X[2], at X[-4&7] # byte swap
++ add \$64,$inp
++ pshufb @X[2], at X[-3&7]
++ pshufb @X[2], at X[-2&7]
++ pshufb @X[2], at X[-1&7]
++ paddd @Tx[1], at X[-4&7] # add K_00_19
++ paddd @Tx[1], at X[-3&7]
++ paddd @Tx[1], at X[-2&7]
++ movdqa @X[-4&7],0(%rsp) # X[]+K xfer to IALU
++ psubd @Tx[1], at X[-4&7] # restore X[]
++ movdqa @X[-3&7],16(%rsp)
++ psubd @Tx[1], at X[-3&7]
++ movdqa @X[-2&7],32(%rsp)
++ psubd @Tx[1], at X[-2&7]
++ jmp .Loop_ssse3
++___
++
++sub AUTOLOAD() # thunk [simplified] 32-bit style perlasm
++{ my $opcode = $AUTOLOAD; $opcode =~ s/.*:://;
++ my $arg = pop;
++ $arg = "\$$arg" if ($arg*1 eq $arg);
++ $code .= "\t$opcode\t".join(',',$arg,reverse @_)."\n";
++}
++
++sub Xupdate_ssse3_16_31() # recall that $Xi starts wtih 4
++{ use integer;
++ my $body = shift;
++ my @insns = (&$body,&$body,&$body,&$body); # 40 instructions
++ my ($a,$b,$c,$d,$e);
++
++ &movdqa (@X[0], at X[-3&7]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &movdqa (@Tx[0], at X[-1&7]);
++ &palignr(@X[0], at X[-4&7],8); # compose "X[-14]" in "X[0]"
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &paddd (@Tx[1], at X[-1&7]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &psrldq (@Tx[0],4); # "X[-3]", 3 dwords
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &pxor (@X[0], at X[-4&7]); # "X[0]"^="X[-16]"
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &pxor (@Tx[0], at X[-2&7]); # "X[-3]"^"X[-8]"
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &pxor (@X[0], at Tx[0]); # "X[0]"^="X[-3]"^"X[-8]"
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &movdqa (eval(16*(($Xi-1)&3))."(%rsp)", at Tx[1]); # X[]+K xfer to IALU
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &movdqa (@Tx[2], at X[0]);
++ &movdqa (@Tx[0], at X[0]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &pslldq (@Tx[2],12); # "X[0]"<<96, extract one dword
++ &paddd (@X[0], at X[0]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &psrld (@Tx[0],31);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &movdqa (@Tx[1], at Tx[2]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &psrld (@Tx[2],30);
++ &por (@X[0], at Tx[0]); # "X[0]"<<<=1
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &pslld (@Tx[1],2);
++ &pxor (@X[0], at Tx[2]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &movdqa (@Tx[2],eval(16*(($Xi)/5))."($K_XX_XX)"); # K_XX_XX
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &pxor (@X[0], at Tx[1]); # "X[0]"^=("X[0]">>96)<<<2
++
++ foreach (@insns) { eval; } # remaining instructions [if any]
++
++ $Xi++; push(@X,shift(@X)); # "rotate" X[]
++ push(@Tx,shift(@Tx));
++}
++
++sub Xupdate_ssse3_32_79()
++{ use integer;
++ my $body = shift;
++ my @insns = (&$body,&$body,&$body,&$body); # 32 to 48 instructions
++ my ($a,$b,$c,$d,$e);
++
++ &movdqa (@Tx[0], at X[-1&7]) if ($Xi==8);
++ eval(shift(@insns)); # body_20_39
++ &pxor (@X[0], at X[-4&7]); # "X[0]"="X[-32]"^"X[-16]"
++ &palignr(@Tx[0], at X[-2&7],8); # compose "X[-6]"
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns)); # rol
++
++ &pxor (@X[0], at X[-7&7]); # "X[0]"^="X[-28]"
++ eval(shift(@insns));
++ eval(shift(@insns)) if (@insns[0] !~ /&ro[rl]/);
++ if ($Xi%5) {
++ &movdqa (@Tx[2], at Tx[1]);# "perpetuate" K_XX_XX...
++ } else { # ... or load next one
++ &movdqa (@Tx[2],eval(16*($Xi/5))."($K_XX_XX)");
++ }
++ &paddd (@Tx[1], at X[-1&7]);
++ eval(shift(@insns)); # ror
++ eval(shift(@insns));
++
++ &pxor (@X[0], at Tx[0]); # "X[0]"^="X[-6]"
++ eval(shift(@insns)); # body_20_39
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns)); # rol
++
++ &movdqa (@Tx[0], at X[0]);
++ &movdqa (eval(16*(($Xi-1)&3))."(%rsp)", at Tx[1]); # X[]+K xfer to IALU
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns)); # ror
++ eval(shift(@insns));
++
++ &pslld (@X[0],2);
++ eval(shift(@insns)); # body_20_39
++ eval(shift(@insns));
++ &psrld (@Tx[0],30);
++ eval(shift(@insns));
++ eval(shift(@insns)); # rol
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns)); # ror
++ eval(shift(@insns));
++
++ &por (@X[0], at Tx[0]); # "X[0]"<<<=2
++ eval(shift(@insns)); # body_20_39
++ eval(shift(@insns));
++ &movdqa (@Tx[1], at X[0]) if ($Xi<19);
++ eval(shift(@insns));
++ eval(shift(@insns)); # rol
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns)); # rol
++ eval(shift(@insns));
++
++ foreach (@insns) { eval; } # remaining instructions
++
++ $Xi++; push(@X,shift(@X)); # "rotate" X[]
++ push(@Tx,shift(@Tx));
++}
++
++sub Xuplast_ssse3_80()
++{ use integer;
++ my $body = shift;
++ my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
++ my ($a,$b,$c,$d,$e);
++
++ eval(shift(@insns));
++ &paddd (@Tx[1], at X[-1&7]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &movdqa (eval(16*(($Xi-1)&3))."(%rsp)", at Tx[1]); # X[]+K xfer IALU
++
++ foreach (@insns) { eval; } # remaining instructions
++
++ &cmp ($inp,$num);
++ &je (".Ldone_ssse3");
++
++ unshift(@Tx,pop(@Tx));
++
++ &movdqa (@X[2],"64($K_XX_XX)"); # pbswap mask
++ &movdqa (@Tx[1],"0($K_XX_XX)"); # K_00_19
++ &movdqu (@X[-4&7],"0($inp)"); # load input
++ &movdqu (@X[-3&7],"16($inp)");
++ &movdqu (@X[-2&7],"32($inp)");
++ &movdqu (@X[-1&7],"48($inp)");
++ &pshufb (@X[-4&7], at X[2]); # byte swap
++ &add ($inp,64);
++
++ $Xi=0;
++}
++
++sub Xloop_ssse3()
++{ use integer;
++ my $body = shift;
++ my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
++ my ($a,$b,$c,$d,$e);
++
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &pshufb (@X[($Xi-3)&7], at X[2]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &paddd (@X[($Xi-4)&7], at Tx[1]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &movdqa (eval(16*$Xi)."(%rsp)", at X[($Xi-4)&7]); # X[]+K xfer to IALU
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &psubd (@X[($Xi-4)&7], at Tx[1]);
++
++ foreach (@insns) { eval; }
++ $Xi++;
++}
++
++sub Xtail_ssse3()
++{ use integer;
++ my $body = shift;
++ my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
++ my ($a,$b,$c,$d,$e);
++
++ foreach (@insns) { eval; }
++}
++
++sub body_00_19 () {
++ (
++ '($a,$b,$c,$d,$e)=@V;'.
++ '&add ($e,eval(4*($j&15))."(%rsp)");', # X[]+K xfer
++ '&xor ($c,$d);',
++ '&mov (@T[1],$a);', # $b in next round
++ '&$_rol ($a,5);',
++ '&and (@T[0],$c);', # ($b&($c^$d))
++ '&xor ($c,$d);', # restore $c
++ '&xor (@T[0],$d);',
++ '&add ($e,$a);',
++ '&$_ror ($b,$j?7:2);', # $b>>>2
++ '&add ($e, at T[0]);' .'$j++; unshift(@V,pop(@V)); unshift(@T,pop(@T));'
++ );
++}
++
++sub body_20_39 () {
++ (
++ '($a,$b,$c,$d,$e)=@V;'.
++ '&add ($e,eval(4*($j++&15))."(%rsp)");', # X[]+K xfer
++ '&xor (@T[0],$d);', # ($b^$d)
++ '&mov (@T[1],$a);', # $b in next round
++ '&$_rol ($a,5);',
++ '&xor (@T[0],$c);', # ($b^$d^$c)
++ '&add ($e,$a);',
++ '&$_ror ($b,7);', # $b>>>2
++ '&add ($e, at T[0]);' .'unshift(@V,pop(@V)); unshift(@T,pop(@T));'
++ );
++}
++
++sub body_40_59 () {
++ (
++ '($a,$b,$c,$d,$e)=@V;'.
++ '&mov (@T[1],$c);',
++ '&xor ($c,$d);',
++ '&add ($e,eval(4*($j++&15))."(%rsp)");', # X[]+K xfer
++ '&and (@T[1],$d);',
++ '&and (@T[0],$c);', # ($b&($c^$d))
++ '&$_ror ($b,7);', # $b>>>2
++ '&add ($e, at T[1]);',
++ '&mov (@T[1],$a);', # $b in next round
++ '&$_rol ($a,5);',
++ '&add ($e, at T[0]);',
++ '&xor ($c,$d);', # restore $c
++ '&add ($e,$a);' .'unshift(@V,pop(@V)); unshift(@T,pop(@T));'
++ );
++}
++$code.=<<___;
++.align 16
++.Loop_ssse3:
++___
++ &Xupdate_ssse3_16_31(\&body_00_19);
++ &Xupdate_ssse3_16_31(\&body_00_19);
++ &Xupdate_ssse3_16_31(\&body_00_19);
++ &Xupdate_ssse3_16_31(\&body_00_19);
++ &Xupdate_ssse3_32_79(\&body_00_19);
++ &Xupdate_ssse3_32_79(\&body_20_39);
++ &Xupdate_ssse3_32_79(\&body_20_39);
++ &Xupdate_ssse3_32_79(\&body_20_39);
++ &Xupdate_ssse3_32_79(\&body_20_39);
++ &Xupdate_ssse3_32_79(\&body_20_39);
++ &Xupdate_ssse3_32_79(\&body_40_59);
++ &Xupdate_ssse3_32_79(\&body_40_59);
++ &Xupdate_ssse3_32_79(\&body_40_59);
++ &Xupdate_ssse3_32_79(\&body_40_59);
++ &Xupdate_ssse3_32_79(\&body_40_59);
++ &Xupdate_ssse3_32_79(\&body_20_39);
++ &Xuplast_ssse3_80(\&body_20_39); # can jump to "done"
++
++ $saved_j=$j; @saved_V=@V;
++
++ &Xloop_ssse3(\&body_20_39);
++ &Xloop_ssse3(\&body_20_39);
++ &Xloop_ssse3(\&body_20_39);
++
++$code.=<<___;
++ add 0($ctx),$A # update context
++ add 4($ctx), at T[0]
++ add 8($ctx),$C
++ add 12($ctx),$D
++ mov $A,0($ctx)
++ add 16($ctx),$E
++ mov @T[0],4($ctx)
++ mov @T[0],$B # magic seed
++ mov $C,8($ctx)
++ mov $D,12($ctx)
++ mov $E,16($ctx)
++ jmp .Loop_ssse3
++
++.align 16
++.Ldone_ssse3:
++___
++ $j=$saved_j; @V=@saved_V;
++
++ &Xtail_ssse3(\&body_20_39);
++ &Xtail_ssse3(\&body_20_39);
++ &Xtail_ssse3(\&body_20_39);
++
++$code.=<<___;
++ add 0($ctx),$A # update context
++ add 4($ctx), at T[0]
++ add 8($ctx),$C
++ mov $A,0($ctx)
++ add 12($ctx),$D
++ mov @T[0],4($ctx)
++ add 16($ctx),$E
++ mov $C,8($ctx)
++ mov $D,12($ctx)
++ mov $E,16($ctx)
++___
++$code.=<<___ if ($win64);
++ movaps 64+0(%rsp),%xmm6
++ movaps 64+16(%rsp),%xmm7
++ movaps 64+32(%rsp),%xmm8
++ movaps 64+48(%rsp),%xmm9
++ movaps 64+64(%rsp),%xmm10
++___
++$code.=<<___;
++ lea `64+($win64?6*16:0)`(%rsp),%rsi
++ mov 0(%rsi),%r12
++ mov 8(%rsi),%rbp
++ mov 16(%rsi),%rbx
++ lea 24(%rsi),%rsp
++.Lepilogue_ssse3:
++ ret
++.size sha1_block_data_order_ssse3,.-sha1_block_data_order_ssse3
++___
++
++if ($avx) {
++my $Xi=4;
++my @X=map("%xmm$_",(4..7,0..3));
++my @Tx=map("%xmm$_",(8..10));
++my @V=($A,$B,$C,$D,$E)=("%eax","%ebx","%ecx","%edx","%ebp"); # size optimization
++my @T=("%esi","%edi");
++my $j=0;
++my $K_XX_XX="%r11";
++
++my $_rol=sub { &shld(@_[0], at _) };
++my $_ror=sub { &shrd(@_[0], at _) };
++
++$code.=<<___;
++.type sha1_block_data_order_avx,\@function,3
++.align 16
++sha1_block_data_order_avx:
++_avx_shortcut:
++ push %rbx
++ push %rbp
++ push %r12
++ lea `-64-($win64?5*16:0)`(%rsp),%rsp
++___
++$code.=<<___ if ($win64);
++ movaps %xmm6,64+0(%rsp)
++ movaps %xmm7,64+16(%rsp)
++ movaps %xmm8,64+32(%rsp)
++ movaps %xmm9,64+48(%rsp)
++ movaps %xmm10,64+64(%rsp)
++.Lprologue_avx:
++___
++$code.=<<___;
++ mov %rdi,$ctx # reassigned argument
++ mov %rsi,$inp # reassigned argument
++ mov %rdx,$num # reassigned argument
++ vzeroall
++
++ shl \$6,$num
++ add $inp,$num
++ lea K_XX_XX(%rip),$K_XX_XX
++
++ mov 0($ctx),$A # load context
++ mov 4($ctx),$B
++ mov 8($ctx),$C
++ mov 12($ctx),$D
++ mov $B, at T[0] # magic seed
++ mov 16($ctx),$E
++
++ vmovdqa 64($K_XX_XX), at X[2] # pbswap mask
++ vmovdqa 0($K_XX_XX), at Tx[1] # K_00_19
++ vmovdqu 0($inp), at X[-4&7] # load input to %xmm[0-3]
++ vmovdqu 16($inp), at X[-3&7]
++ vmovdqu 32($inp), at X[-2&7]
++ vmovdqu 48($inp), at X[-1&7]
++ vpshufb @X[2], at X[-4&7], at X[-4&7] # byte swap
++ add \$64,$inp
++ vpshufb @X[2], at X[-3&7], at X[-3&7]
++ vpshufb @X[2], at X[-2&7], at X[-2&7]
++ vpshufb @X[2], at X[-1&7], at X[-1&7]
++ vpaddd @Tx[1], at X[-4&7], at X[0] # add K_00_19
++ vpaddd @Tx[1], at X[-3&7], at X[1]
++ vpaddd @Tx[1], at X[-2&7], at X[2]
++ vmovdqa @X[0],0(%rsp) # X[]+K xfer to IALU
++ vmovdqa @X[1],16(%rsp)
++ vmovdqa @X[2],32(%rsp)
++ jmp .Loop_avx
++___
++
++sub Xupdate_avx_16_31() # recall that $Xi starts wtih 4
++{ use integer;
++ my $body = shift;
++ my @insns = (&$body,&$body,&$body,&$body); # 40 instructions
++ my ($a,$b,$c,$d,$e);
++
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &vpalignr(@X[0], at X[-3&7], at X[-4&7],8); # compose "X[-14]" in "X[0]"
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &vpaddd (@Tx[1], at Tx[1], at X[-1&7]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &vpsrldq(@Tx[0], at X[-1&7],4); # "X[-3]", 3 dwords
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &vpxor (@X[0], at X[0], at X[-4&7]); # "X[0]"^="X[-16]"
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &vpxor (@Tx[0], at Tx[0], at X[-2&7]); # "X[-3]"^"X[-8]"
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &vpxor (@X[0], at X[0], at Tx[0]); # "X[0]"^="X[-3]"^"X[-8]"
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &vmovdqa (eval(16*(($Xi-1)&3))."(%rsp)", at Tx[1]); # X[]+K xfer to IALU
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &vpsrld (@Tx[0], at X[0],31);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &vpslldq(@Tx[2], at X[0],12); # "X[0]"<<96, extract one dword
++ &vpaddd (@X[0], at X[0], at X[0]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &vpsrld (@Tx[1], at Tx[2],30);
++ &vpor (@X[0], at X[0], at Tx[0]); # "X[0]"<<<=1
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &vpslld (@Tx[2], at Tx[2],2);
++ &vpxor (@X[0], at X[0], at Tx[1]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &vpxor (@X[0], at X[0], at Tx[2]); # "X[0]"^=("X[0]">>96)<<<2
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &vmovdqa (@Tx[2],eval(16*(($Xi)/5))."($K_XX_XX)"); # K_XX_XX
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++
++ foreach (@insns) { eval; } # remaining instructions [if any]
++
++ $Xi++; push(@X,shift(@X)); # "rotate" X[]
++ push(@Tx,shift(@Tx));
++}
++
++sub Xupdate_avx_32_79()
++{ use integer;
++ my $body = shift;
++ my @insns = (&$body,&$body,&$body,&$body); # 32 to 48 instructions
++ my ($a,$b,$c,$d,$e);
++
++ &vpalignr(@Tx[0], at X[-1&7], at X[-2&7],8); # compose "X[-6]"
++ &vpxor (@X[0], at X[0], at X[-4&7]); # "X[0]"="X[-32]"^"X[-16]"
++ eval(shift(@insns)); # body_20_39
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns)); # rol
++
++ &vpxor (@X[0], at X[0], at X[-7&7]); # "X[0]"^="X[-28]"
++ eval(shift(@insns));
++ eval(shift(@insns)) if (@insns[0] !~ /&ro[rl]/);
++ if ($Xi%5) {
++ &vmovdqa (@Tx[2], at Tx[1]);# "perpetuate" K_XX_XX...
++ } else { # ... or load next one
++ &vmovdqa (@Tx[2],eval(16*($Xi/5))."($K_XX_XX)");
++ }
++ &vpaddd (@Tx[1], at Tx[1], at X[-1&7]);
++ eval(shift(@insns)); # ror
++ eval(shift(@insns));
++
++ &vpxor (@X[0], at X[0], at Tx[0]); # "X[0]"^="X[-6]"
++ eval(shift(@insns)); # body_20_39
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns)); # rol
++
++ &vpsrld (@Tx[0], at X[0],30);
++ &vmovdqa (eval(16*(($Xi-1)&3))."(%rsp)", at Tx[1]); # X[]+K xfer to IALU
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns)); # ror
++ eval(shift(@insns));
++
++ &vpslld (@X[0], at X[0],2);
++ eval(shift(@insns)); # body_20_39
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns)); # rol
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns)); # ror
++ eval(shift(@insns));
++
++ &vpor (@X[0], at X[0], at Tx[0]); # "X[0]"<<<=2
++ eval(shift(@insns)); # body_20_39
++ eval(shift(@insns));
++ &vmovdqa (@Tx[1], at X[0]) if ($Xi<19);
++ eval(shift(@insns));
++ eval(shift(@insns)); # rol
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns)); # rol
++ eval(shift(@insns));
++
++ foreach (@insns) { eval; } # remaining instructions
++
++ $Xi++; push(@X,shift(@X)); # "rotate" X[]
++ push(@Tx,shift(@Tx));
++}
++
++sub Xuplast_avx_80()
++{ use integer;
++ my $body = shift;
++ my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
++ my ($a,$b,$c,$d,$e);
++
++ eval(shift(@insns));
++ &vpaddd (@Tx[1], at Tx[1], at X[-1&7]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &movdqa (eval(16*(($Xi-1)&3))."(%rsp)", at Tx[1]); # X[]+K xfer IALU
++
++ foreach (@insns) { eval; } # remaining instructions
++
++ &cmp ($inp,$num);
++ &je (".Ldone_avx");
++
++ unshift(@Tx,pop(@Tx));
++
++ &vmovdqa(@X[2],"64($K_XX_XX)"); # pbswap mask
++ &vmovdqa(@Tx[1],"0($K_XX_XX)"); # K_00_19
++ &vmovdqu(@X[-4&7],"0($inp)"); # load input
++ &vmovdqu(@X[-3&7],"16($inp)");
++ &vmovdqu(@X[-2&7],"32($inp)");
++ &vmovdqu(@X[-1&7],"48($inp)");
++ &vpshufb(@X[-4&7], at X[-4&7], at X[2]); # byte swap
++ &add ($inp,64);
++
++ $Xi=0;
++}
++
++sub Xloop_avx()
++{ use integer;
++ my $body = shift;
++ my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
++ my ($a,$b,$c,$d,$e);
++
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &vpshufb(@X[($Xi-3)&7], at X[($Xi-3)&7], at X[2]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &vpaddd (@X[$Xi&7], at X[($Xi-4)&7], at Tx[1]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &vmovdqa(eval(16*$Xi)."(%rsp)", at X[$Xi&7]); # X[]+K xfer to IALU
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ foreach (@insns) { eval; }
++ $Xi++;
++}
++
++sub Xtail_avx()
++{ use integer;
++ my $body = shift;
++ my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
++ my ($a,$b,$c,$d,$e);
++
++ foreach (@insns) { eval; }
++}
++
++$code.=<<___;
++.align 16
++.Loop_avx:
++___
++ &Xupdate_avx_16_31(\&body_00_19);
++ &Xupdate_avx_16_31(\&body_00_19);
++ &Xupdate_avx_16_31(\&body_00_19);
++ &Xupdate_avx_16_31(\&body_00_19);
++ &Xupdate_avx_32_79(\&body_00_19);
++ &Xupdate_avx_32_79(\&body_20_39);
++ &Xupdate_avx_32_79(\&body_20_39);
++ &Xupdate_avx_32_79(\&body_20_39);
++ &Xupdate_avx_32_79(\&body_20_39);
++ &Xupdate_avx_32_79(\&body_20_39);
++ &Xupdate_avx_32_79(\&body_40_59);
++ &Xupdate_avx_32_79(\&body_40_59);
++ &Xupdate_avx_32_79(\&body_40_59);
++ &Xupdate_avx_32_79(\&body_40_59);
++ &Xupdate_avx_32_79(\&body_40_59);
++ &Xupdate_avx_32_79(\&body_20_39);
++ &Xuplast_avx_80(\&body_20_39); # can jump to "done"
++
++ $saved_j=$j; @saved_V=@V;
++
++ &Xloop_avx(\&body_20_39);
++ &Xloop_avx(\&body_20_39);
++ &Xloop_avx(\&body_20_39);
++
++$code.=<<___;
++ add 0($ctx),$A # update context
++ add 4($ctx), at T[0]
++ add 8($ctx),$C
++ add 12($ctx),$D
++ mov $A,0($ctx)
++ add 16($ctx),$E
++ mov @T[0],4($ctx)
++ mov @T[0],$B # magic seed
++ mov $C,8($ctx)
++ mov $D,12($ctx)
++ mov $E,16($ctx)
++ jmp .Loop_avx
++
++.align 16
++.Ldone_avx:
++___
++ $j=$saved_j; @V=@saved_V;
++
++ &Xtail_avx(\&body_20_39);
++ &Xtail_avx(\&body_20_39);
++ &Xtail_avx(\&body_20_39);
++
++$code.=<<___;
++ vzeroall
++
++ add 0($ctx),$A # update context
++ add 4($ctx), at T[0]
++ add 8($ctx),$C
++ mov $A,0($ctx)
++ add 12($ctx),$D
++ mov @T[0],4($ctx)
++ add 16($ctx),$E
++ mov $C,8($ctx)
++ mov $D,12($ctx)
++ mov $E,16($ctx)
++___
++$code.=<<___ if ($win64);
++ movaps 64+0(%rsp),%xmm6
++ movaps 64+16(%rsp),%xmm7
++ movaps 64+32(%rsp),%xmm8
++ movaps 64+48(%rsp),%xmm9
++ movaps 64+64(%rsp),%xmm10
++___
++$code.=<<___;
++ lea `64+($win64?6*16:0)`(%rsp),%rsi
++ mov 0(%rsi),%r12
++ mov 8(%rsi),%rbp
++ mov 16(%rsi),%rbx
++ lea 24(%rsi),%rsp
++.Lepilogue_avx:
++ ret
++.size sha1_block_data_order_avx,.-sha1_block_data_order_avx
++___
++}
++$code.=<<___;
++.align 64
++K_XX_XX:
++.long 0x5a827999,0x5a827999,0x5a827999,0x5a827999 # K_00_19
++.long 0x6ed9eba1,0x6ed9eba1,0x6ed9eba1,0x6ed9eba1 # K_20_39
++.long 0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc # K_40_59
++.long 0xca62c1d6,0xca62c1d6,0xca62c1d6,0xca62c1d6 # K_60_79
++.long 0x00010203,0x04050607,0x08090a0b,0x0c0d0e0f # pbswap mask
++___
++}}}
++$code.=<<___;
++.asciz "SHA1 block transform for x86_64, CRYPTOGAMS by <appro\@openssl.org>"
++.align 64
+ ___
+
+ # EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,
+@@ -272,25 +1109,73 @@ se_handler:
+
+ lea .Lprologue(%rip),%r10
+ cmp %r10,%rbx # context->Rip<.Lprologue
+- jb .Lin_prologue
++ jb .Lcommon_seh_tail
+
+ mov 152($context),%rax # pull context->Rsp
+
+ lea .Lepilogue(%rip),%r10
+ cmp %r10,%rbx # context->Rip>=.Lepilogue
+- jae .Lin_prologue
++ jae .Lcommon_seh_tail
+
+ mov `16*4`(%rax),%rax # pull saved stack pointer
+- lea 24(%rax),%rax
++ lea 32(%rax),%rax
+
+ mov -8(%rax),%rbx
+ mov -16(%rax),%rbp
+ mov -24(%rax),%r12
++ mov -32(%rax),%r13
+ mov %rbx,144($context) # restore context->Rbx
+ mov %rbp,160($context) # restore context->Rbp
+ mov %r12,216($context) # restore context->R12
++ mov %r13,224($context) # restore context->R13
++
++ jmp .Lcommon_seh_tail
++.size se_handler,.-se_handler
++
++.type ssse3_handler,\@abi-omnipotent
++.align 16
++ssse3_handler:
++ push %rsi
++ push %rdi
++ push %rbx
++ push %rbp
++ push %r12
++ push %r13
++ push %r14
++ push %r15
++ pushfq
++ sub \$64,%rsp
++
++ mov 120($context),%rax # pull context->Rax
++ mov 248($context),%rbx # pull context->Rip
++
++ mov 8($disp),%rsi # disp->ImageBase
++ mov 56($disp),%r11 # disp->HandlerData
++
++ mov 0(%r11),%r10d # HandlerData[0]
++ lea (%rsi,%r10),%r10 # prologue label
++ cmp %r10,%rbx # context->Rip<prologue label
++ jb .Lcommon_seh_tail
++
++ mov 152($context),%rax # pull context->Rsp
+
+-.Lin_prologue:
++ mov 4(%r11),%r10d # HandlerData[1]
++ lea (%rsi,%r10),%r10 # epilogue label
++ cmp %r10,%rbx # context->Rip>=epilogue label
++ jae .Lcommon_seh_tail
++
++ lea 64(%rax),%rsi
++ lea 512($context),%rdi # &context.Xmm6
++ mov \$10,%ecx
++ .long 0xa548f3fc # cld; rep movsq
++ lea 24+5*16(%rax),%rax # adjust stack pointer
++
++ mov -8(%rax),%rbx
++ mov -16(%rax),%rbp
++ mov %rbx,144($context) # restore context->Rbx
++ mov %rbp,160($context) # restore context->Rbp
++
++.Lcommon_seh_tail:
+ mov 8(%rax),%rdi
+ mov 16(%rax),%rsi
+ mov %rax,152($context) # restore context->Rsp
+@@ -328,19 +1213,38 @@ se_handler:
+ pop %rdi
+ pop %rsi
+ ret
+-.size se_handler,.-se_handler
++.size ssse3_handler,.-ssse3_handler
+
+ .section .pdata
+ .align 4
+ .rva .LSEH_begin_sha1_block_data_order
+ .rva .LSEH_end_sha1_block_data_order
+ .rva .LSEH_info_sha1_block_data_order
+-
++ .rva .LSEH_begin_sha1_block_data_order_ssse3
++ .rva .LSEH_end_sha1_block_data_order_ssse3
++ .rva .LSEH_info_sha1_block_data_order_ssse3
++___
++$code.=<<___ if ($avx);
++ .rva .LSEH_begin_sha1_block_data_order_avx
++ .rva .LSEH_end_sha1_block_data_order_avx
++ .rva .LSEH_info_sha1_block_data_order_avx
++___
++$code.=<<___;
+ .section .xdata
+ .align 8
+ .LSEH_info_sha1_block_data_order:
+ .byte 9,0,0,0
+ .rva se_handler
++.LSEH_info_sha1_block_data_order_ssse3:
++ .byte 9,0,0,0
++ .rva ssse3_handler
++ .rva .Lprologue_ssse3,.Lepilogue_ssse3 # HandlerData[]
++___
++$code.=<<___ if ($avx);
++.LSEH_info_sha1_block_data_order_avx:
++ .byte 9,0,0,0
++ .rva ssse3_handler
++ .rva .Lprologue_avx,.Lepilogue_avx # HandlerData[]
+ ___
+ }
+
+diff -up openssl-1.0.0d/crypto/sha/asm/sha1-586.pl.intelopts openssl-1.0.0d/crypto/sha/asm/sha1-586.pl
+--- openssl-1.0.0d/crypto/sha/asm/sha1-586.pl.intelopts 2008-07-17 11:50:56.000000000 +0200
++++ openssl-1.0.0d/crypto/sha/asm/sha1-586.pl 2011-08-24 12:50:56.000000000 +0200
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+
+ # ====================================================================
+ # [Re]written by Andy Polyakov <appro at fy.chalmers.se> for the OpenSSL
+@@ -12,6 +12,8 @@
+ # commentary below], and in 2006 the rest was rewritten in order to
+ # gain freedom to liberate licensing terms.
+
++# January, September 2004.
++#
+ # It was noted that Intel IA-32 C compiler generates code which
+ # performs ~30% *faster* on P4 CPU than original *hand-coded*
+ # SHA1 assembler implementation. To address this problem (and
+@@ -31,12 +33,92 @@
+ # ----------------------------------------------------------------
+ # <appro at fy.chalmers.se>
+
++# August 2009.
++#
++# George Spelvin has tipped that F_40_59(b,c,d) can be rewritten as
++# '(c&d) + (b&(c^d))', which allows to accumulate partial results
++# and lighten "pressure" on scratch registers. This resulted in
++# >12% performance improvement on contemporary AMD cores (with no
++# degradation on other CPUs:-). Also, the code was revised to maximize
++# "distance" between instructions producing input to 'lea' instruction
++# and the 'lea' instruction itself, which is essential for Intel Atom
++# core and resulted in ~15% improvement.
++
++# October 2010.
++#
++# Add SSSE3, Supplemental[!] SSE3, implementation. The idea behind it
++# is to offload message schedule denoted by Wt in NIST specification,
++# or Xupdate in OpenSSL source, to SIMD unit. The idea is not novel,
++# and in SSE2 context was first explored by Dean Gaudet in 2004, see
++# http://arctic.org/~dean/crypto/sha1.html. Since then several things
++# have changed that made it interesting again:
++#
++# a) XMM units became faster and wider;
++# b) instruction set became more versatile;
++# c) an important observation was made by Max Locktykhin, which made
++# it possible to reduce amount of instructions required to perform
++# the operation in question, for further details see
++# http://software.intel.com/en-us/articles/improving-the-performance-of-the-secure-hash-algorithm-1/.
++
++# April 2011.
++#
++# Add AVX code path, probably most controversial... The thing is that
++# switch to AVX alone improves performance by as little as 4% in
++# comparison to SSSE3 code path. But below result doesn't look like
++# 4% improvement... Trouble is that Sandy Bridge decodes 'ro[rl]' as
++# pair of µ-ops, and it's the additional µ-ops, two per round, that
++# make it run slower than Core2 and Westmere. But 'sh[rl]d' is decoded
++# as single µ-op by Sandy Bridge and it's replacing 'ro[rl]' with
++# equivalent 'sh[rl]d' that is responsible for the impressive 5.1
++# cycles per processed byte. But 'sh[rl]d' is not something that used
++# to be fast, nor does it appear to be fast in upcoming Bulldozer
++# [according to its optimization manual]. Which is why AVX code path
++# is guarded by *both* AVX and synthetic bit denoting Intel CPUs.
++# One can argue that it's unfair to AMD, but without 'sh[rl]d' it
++# makes no sense to keep the AVX code path. If somebody feels that
++# strongly, it's probably more appropriate to discuss possibility of
++# using vector rotate XOP on AMD...
++
++######################################################################
++# Current performance is summarized in following table. Numbers are
++# CPU clock cycles spent to process single byte (less is better).
++#
++# x86 SSSE3 AVX
++# Pentium 15.7 -
++# PIII 11.5 -
++# P4 10.6 -
++# AMD K8 7.1 -
++# Core2 7.3 6.1/+20% -
++# Atom 12.5 9.5(*)/+32% -
++# Westmere 7.3 5.6/+30% -
++# Sandy Bridge 8.8 6.2/+40% 5.1(**)/+70%
++#
++# (*) Loop is 1056 instructions long and expected result is ~8.25.
++# It remains mystery [to me] why ILP is limited to 1.7.
++#
++# (**) As per above comment, the result is for AVX *plus* sh[rl]d.
++
+ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+ push(@INC,"${dir}","${dir}../../perlasm");
+ require "x86asm.pl";
+
+ &asm_init($ARGV[0],"sha1-586.pl",$ARGV[$#ARGV] eq "386");
+
++$xmm=1; $ymm=0;
++for (@ARGV) { $xmm=1 if (/-DOPENSSL_IA32_SSE2/); }
++
++$ymm=1 if ($xmm &&
++ `$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
++ =~ /GNU assembler version ([2-9]\.[0-9]+)/ &&
++ $1>=2.19); # first version supporting AVX
++
++$ymm=1 if ($xmm && !$ymm && $ARGV[0] eq "win32n" &&
++ `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)/ &&
++ $1>=2.03); # first version supporting AVX
++
++&external_label("OPENSSL_ia32cap_X") if ($xmm);
++
++
+ $A="eax";
+ $B="ebx";
+ $C="ecx";
+@@ -47,6 +129,10 @@ $tmp1="ebp";
+
+ @V=($A,$B,$C,$D,$E,$T);
+
++$alt=0; # 1 denotes alternative IALU implementation, which performs
++ # 8% *worse* on P4, same on Westmere and Atom, 2% better on
++ # Sandy Bridge...
++
+ sub BODY_00_15
+ {
+ local($n,$a,$b,$c,$d,$e,$f)=@_;
+@@ -59,16 +145,18 @@ sub BODY_00_15
+ &rotl($tmp1,5); # tmp1=ROTATE(a,5)
+ &xor($f,$d);
+ &add($tmp1,$e); # tmp1+=e;
+- &and($f,$b);
+- &mov($e,&swtmp($n%16)); # e becomes volatile and is loaded
++ &mov($e,&swtmp($n%16)); # e becomes volatile and is loaded
+ # with xi, also note that e becomes
+ # f in next round...
+- &xor($f,$d); # f holds F_00_19(b,c,d)
++ &and($f,$b);
+ &rotr($b,2); # b=ROTATE(b,30)
+- &lea($tmp1,&DWP(0x5a827999,$tmp1,$e)); # tmp1+=K_00_19+xi
++ &xor($f,$d); # f holds F_00_19(b,c,d)
++ &lea($tmp1,&DWP(0x5a827999,$tmp1,$e)); # tmp1+=K_00_19+xi
+
+- if ($n==15) { &add($f,$tmp1); } # f+=tmp1
++ if ($n==15) { &mov($e,&swtmp(($n+1)%16));# pre-fetch f for next round
++ &add($f,$tmp1); } # f+=tmp1
+ else { &add($tmp1,$f); } # f becomes a in next round
++ &mov($tmp1,$a) if ($alt && $n==15);
+ }
+
+ sub BODY_16_19
+@@ -77,22 +165,41 @@ sub BODY_16_19
+
+ &comment("16_19 $n");
+
+- &mov($f,&swtmp($n%16)); # f to hold Xupdate(xi,xa,xb,xc,xd)
+- &mov($tmp1,$c); # tmp1 to hold F_00_19(b,c,d)
+- &xor($f,&swtmp(($n+2)%16));
+- &xor($tmp1,$d);
+- &xor($f,&swtmp(($n+8)%16));
+- &and($tmp1,$b); # tmp1 holds F_00_19(b,c,d)
+- &rotr($b,2); # b=ROTATE(b,30)
++if ($alt) {
++ &xor($c,$d);
++ &xor($f,&swtmp(($n+2)%16)); # f to hold Xupdate(xi,xa,xb,xc,xd)
++ &and($tmp1,$c); # tmp1 to hold F_00_19(b,c,d), b&=c^d
++ &xor($f,&swtmp(($n+8)%16));
++ &xor($tmp1,$d); # tmp1=F_00_19(b,c,d)
++ &xor($f,&swtmp(($n+13)%16)); # f holds xa^xb^xc^xd
++ &rotl($f,1); # f=ROTATE(f,1)
++ &add($e,$tmp1); # e+=F_00_19(b,c,d)
++ &xor($c,$d); # restore $c
++ &mov($tmp1,$a); # b in next round
++ &rotr($b,$n==16?2:7); # b=ROTATE(b,30)
++ &mov(&swtmp($n%16),$f); # xi=f
++ &rotl($a,5); # ROTATE(a,5)
++ &lea($f,&DWP(0x5a827999,$f,$e));# f+=F_00_19(b,c,d)+e
++ &mov($e,&swtmp(($n+1)%16)); # pre-fetch f for next round
++ &add($f,$a); # f+=ROTATE(a,5)
++} else {
++ &mov($tmp1,$c); # tmp1 to hold F_00_19(b,c,d)
++ &xor($f,&swtmp(($n+2)%16)); # f to hold Xupdate(xi,xa,xb,xc,xd)
++ &xor($tmp1,$d);
++ &xor($f,&swtmp(($n+8)%16));
++ &and($tmp1,$b);
+ &xor($f,&swtmp(($n+13)%16)); # f holds xa^xb^xc^xd
+ &rotl($f,1); # f=ROTATE(f,1)
+ &xor($tmp1,$d); # tmp1=F_00_19(b,c,d)
+- &mov(&swtmp($n%16),$f); # xi=f
+- &lea($f,&DWP(0x5a827999,$f,$e));# f+=K_00_19+e
+- &mov($e,$a); # e becomes volatile
+- &rotl($e,5); # e=ROTATE(a,5)
+- &add($f,$tmp1); # f+=F_00_19(b,c,d)
+- &add($f,$e); # f+=ROTATE(a,5)
++ &add($e,$tmp1); # e+=F_00_19(b,c,d)
++ &mov($tmp1,$a);
++ &rotr($b,2); # b=ROTATE(b,30)
++ &mov(&swtmp($n%16),$f); # xi=f
++ &rotl($tmp1,5); # ROTATE(a,5)
++ &lea($f,&DWP(0x5a827999,$f,$e));# f+=F_00_19(b,c,d)+e
++ &mov($e,&swtmp(($n+1)%16)); # pre-fetch f for next round
++ &add($f,$tmp1); # f+=ROTATE(a,5)
++}
+ }
+
+ sub BODY_20_39
+@@ -102,21 +209,41 @@ sub BODY_20_39
+
+ &comment("20_39 $n");
+
++if ($alt) {
++ &xor($tmp1,$c); # tmp1 to hold F_20_39(b,c,d), b^=c
++ &xor($f,&swtmp(($n+2)%16)); # f to hold Xupdate(xi,xa,xb,xc,xd)
++ &xor($tmp1,$d); # tmp1 holds F_20_39(b,c,d)
++ &xor($f,&swtmp(($n+8)%16));
++ &add($e,$tmp1); # e+=F_20_39(b,c,d)
++ &xor($f,&swtmp(($n+13)%16)); # f holds xa^xb^xc^xd
++ &rotl($f,1); # f=ROTATE(f,1)
++ &mov($tmp1,$a); # b in next round
++ &rotr($b,7); # b=ROTATE(b,30)
++ &mov(&swtmp($n%16),$f) if($n<77);# xi=f
++ &rotl($a,5); # ROTATE(a,5)
++ &xor($b,$c) if($n==39);# warm up for BODY_40_59
++ &and($tmp1,$b) if($n==39);
++ &lea($f,&DWP($K,$f,$e)); # f+=e+K_XX_YY
++ &mov($e,&swtmp(($n+1)%16)) if($n<79);# pre-fetch f for next round
++ &add($f,$a); # f+=ROTATE(a,5)
++ &rotr($a,5) if ($n==79);
++} else {
+ &mov($tmp1,$b); # tmp1 to hold F_20_39(b,c,d)
+- &mov($f,&swtmp($n%16)); # f to hold Xupdate(xi,xa,xb,xc,xd)
+- &rotr($b,2); # b=ROTATE(b,30)
+- &xor($f,&swtmp(($n+2)%16));
++ &xor($f,&swtmp(($n+2)%16)); # f to hold Xupdate(xi,xa,xb,xc,xd)
+ &xor($tmp1,$c);
+ &xor($f,&swtmp(($n+8)%16));
+ &xor($tmp1,$d); # tmp1 holds F_20_39(b,c,d)
+ &xor($f,&swtmp(($n+13)%16)); # f holds xa^xb^xc^xd
+ &rotl($f,1); # f=ROTATE(f,1)
+- &add($tmp1,$e);
+- &mov(&swtmp($n%16),$f); # xi=f
+- &mov($e,$a); # e becomes volatile
+- &rotl($e,5); # e=ROTATE(a,5)
+- &lea($f,&DWP($K,$f,$tmp1)); # f+=K_20_39+e
+- &add($f,$e); # f+=ROTATE(a,5)
++ &add($e,$tmp1); # e+=F_20_39(b,c,d)
++ &rotr($b,2); # b=ROTATE(b,30)
++ &mov($tmp1,$a);
++ &rotl($tmp1,5); # ROTATE(a,5)
++ &mov(&swtmp($n%16),$f) if($n<77);# xi=f
++ &lea($f,&DWP($K,$f,$e)); # f+=e+K_XX_YY
++ &mov($e,&swtmp(($n+1)%16)) if($n<79);# pre-fetch f for next round
++ &add($f,$tmp1); # f+=ROTATE(a,5)
++}
+ }
+
+ sub BODY_40_59
+@@ -125,41 +252,86 @@ sub BODY_40_59
+
+ &comment("40_59 $n");
+
+- &mov($f,&swtmp($n%16)); # f to hold Xupdate(xi,xa,xb,xc,xd)
+- &mov($tmp1,&swtmp(($n+2)%16));
+- &xor($f,$tmp1);
+- &mov($tmp1,&swtmp(($n+8)%16));
+- &xor($f,$tmp1);
+- &mov($tmp1,&swtmp(($n+13)%16));
+- &xor($f,$tmp1); # f holds xa^xb^xc^xd
+- &mov($tmp1,$b); # tmp1 to hold F_40_59(b,c,d)
++if ($alt) {
++ &add($e,$tmp1); # e+=b&(c^d)
++ &xor($f,&swtmp(($n+2)%16)); # f to hold Xupdate(xi,xa,xb,xc,xd)
++ &mov($tmp1,$d);
++ &xor($f,&swtmp(($n+8)%16));
++ &xor($c,$d); # restore $c
++ &xor($f,&swtmp(($n+13)%16)); # f holds xa^xb^xc^xd
+ &rotl($f,1); # f=ROTATE(f,1)
+- &or($tmp1,$c);
+- &mov(&swtmp($n%16),$f); # xi=f
+- &and($tmp1,$d);
+- &lea($f,&DWP(0x8f1bbcdc,$f,$e));# f+=K_40_59+e
+- &mov($e,$b); # e becomes volatile and is used
+- # to calculate F_40_59(b,c,d)
++ &and($tmp1,$c);
++ &rotr($b,7); # b=ROTATE(b,30)
++ &add($e,$tmp1); # e+=c&d
++ &mov($tmp1,$a); # b in next round
++ &mov(&swtmp($n%16),$f); # xi=f
++ &rotl($a,5); # ROTATE(a,5)
++ &xor($b,$c) if ($n<59);
++ &and($tmp1,$b) if ($n<59);# tmp1 to hold F_40_59(b,c,d)
++ &lea($f,&DWP(0x8f1bbcdc,$f,$e));# f+=K_40_59+e+(b&(c^d))
++ &mov($e,&swtmp(($n+1)%16)); # pre-fetch f for next round
++ &add($f,$a); # f+=ROTATE(a,5)
++} else {
++ &mov($tmp1,$c); # tmp1 to hold F_40_59(b,c,d)
++ &xor($f,&swtmp(($n+2)%16)); # f to hold Xupdate(xi,xa,xb,xc,xd)
++ &xor($tmp1,$d);
++ &xor($f,&swtmp(($n+8)%16));
++ &and($tmp1,$b);
++ &xor($f,&swtmp(($n+13)%16)); # f holds xa^xb^xc^xd
++ &rotl($f,1); # f=ROTATE(f,1)
++ &add($tmp1,$e); # b&(c^d)+=e
+ &rotr($b,2); # b=ROTATE(b,30)
+- &and($e,$c);
+- &or($tmp1,$e); # tmp1 holds F_40_59(b,c,d)
+- &mov($e,$a);
+- &rotl($e,5); # e=ROTATE(a,5)
+- &add($f,$tmp1); # f+=tmp1;
++ &mov($e,$a); # e becomes volatile
++ &rotl($e,5); # ROTATE(a,5)
++ &mov(&swtmp($n%16),$f); # xi=f
++ &lea($f,&DWP(0x8f1bbcdc,$f,$tmp1));# f+=K_40_59+e+(b&(c^d))
++ &mov($tmp1,$c);
+ &add($f,$e); # f+=ROTATE(a,5)
++ &and($tmp1,$d);
++ &mov($e,&swtmp(($n+1)%16)); # pre-fetch f for next round
++ &add($f,$tmp1); # f+=c&d
++}
+ }
+
+ &function_begin("sha1_block_data_order");
++if ($xmm) {
++ &static_label("ssse3_shortcut");
++ &static_label("avx_shortcut") if ($ymm);
++ &static_label("K_XX_XX");
++
++ &call (&label("pic_point")); # make it PIC!
++ &set_label("pic_point");
++ &blindpop($tmp1);
++ &picmeup($T,"OPENSSL_ia32cap_X",$tmp1,&label("pic_point"));
++ &lea ($tmp1,&DWP(&label("K_XX_XX")."-".&label("pic_point"),$tmp1));
++
++ &mov ($A,&DWP(0,$T));
++ &mov ($D,&DWP(4,$T));
++ &test ($D,1<<9); # check SSSE3 bit
++ &jz (&label("x86"));
++ &test ($A,1<<24); # check FXSR bit
++ &jz (&label("x86"));
++ if ($ymm) {
++ &and ($D,1<<28); # mask AVX bit
++ &and ($A,1<<30); # mask "Intel CPU" bit
++ &or ($A,$D);
++ &cmp ($A,1<<28|1<<30);
++ &je (&label("avx_shortcut"));
++ }
++ &jmp (&label("ssse3_shortcut"));
++ &set_label("x86",16);
++}
+ &mov($tmp1,&wparam(0)); # SHA_CTX *c
+ &mov($T,&wparam(1)); # const void *input
+ &mov($A,&wparam(2)); # size_t num
+- &stack_push(16); # allocate X[16]
++ &stack_push(16+3); # allocate X[16]
+ &shl($A,6);
+ &add($A,$T);
+ &mov(&wparam(2),$A); # pointer beyond the end of input
+ &mov($E,&DWP(16,$tmp1));# pre-load E
++ &jmp(&label("loop"));
+
+- &set_label("loop",16);
++&set_label("loop",16);
+
+ # copy input chunk to X, but reversing byte order!
+ for ($i=0; $i<16; $i+=4)
+@@ -213,8 +385,845 @@ sub BODY_40_59
+ &mov(&DWP(16,$tmp1),$C);
+ &jb(&label("loop"));
+
+- &stack_pop(16);
++ &stack_pop(16+3);
+ &function_end("sha1_block_data_order");
++
++if ($xmm) {
++######################################################################
++# The SSSE3 implementation.
++#
++# %xmm[0-7] are used as ring @X[] buffer containing quadruples of last
++# 32 elements of the message schedule or Xupdate outputs. First 4
++# quadruples are simply byte-swapped input, next 4 are calculated
++# according to method originally suggested by Dean Gaudet (modulo
++# being implemented in SSSE3). Once 8 quadruples or 32 elements are
++# collected, it switches to routine proposed by Max Locktyukhin.
++#
++# Calculations inevitably require temporary reqisters, and there are
++# no %xmm registers left to spare. For this reason part of the ring
++# buffer, X[2..4] to be specific, is offloaded to 3 quadriples ring
++# buffer on the stack. Keep in mind that X[2] is alias X[-6], X[3] -
++# X[-5], and X[4] - X[-4]...
++#
++# Another notable optimization is aggressive stack frame compression
++# aiming to minimize amount of 9-byte instructions...
++#
++# Yet another notable optimization is "jumping" $B variable. It means
++# that there is no register permanently allocated for $B value. This
++# allowed to eliminate one instruction from body_20_39...
++#
++my $Xi=4; # 4xSIMD Xupdate round, start pre-seeded
++my @X=map("xmm$_",(4..7,0..3)); # pre-seeded for $Xi=4
++my @V=($A,$B,$C,$D,$E);
++my $j=0; # hash round
++my @T=($T,$tmp1);
++my $inp;
++
++my $_rol=sub { &rol(@_) };
++my $_ror=sub { &ror(@_) };
++
++&function_begin("_sha1_block_data_order_ssse3");
++ &call (&label("pic_point")); # make it PIC!
++ &set_label("pic_point");
++ &blindpop($tmp1);
++ &lea ($tmp1,&DWP(&label("K_XX_XX")."-".&label("pic_point"),$tmp1));
++&set_label("ssse3_shortcut");
++
++ &movdqa (@X[3],&QWP(0,$tmp1)); # K_00_19
++ &movdqa (@X[4],&QWP(16,$tmp1)); # K_20_39
++ &movdqa (@X[5],&QWP(32,$tmp1)); # K_40_59
++ &movdqa (@X[6],&QWP(48,$tmp1)); # K_60_79
++ &movdqa (@X[2],&QWP(64,$tmp1)); # pbswap mask
++
++ &mov ($E,&wparam(0)); # load argument block
++ &mov ($inp=@T[1],&wparam(1));
++ &mov ($D,&wparam(2));
++ &mov (@T[0],"esp");
++
++ # stack frame layout
++ #
++ # +0 X[0]+K X[1]+K X[2]+K X[3]+K # XMM->IALU xfer area
++ # X[4]+K X[5]+K X[6]+K X[7]+K
++ # X[8]+K X[9]+K X[10]+K X[11]+K
++ # X[12]+K X[13]+K X[14]+K X[15]+K
++ #
++ # +64 X[0] X[1] X[2] X[3] # XMM->XMM backtrace area
++ # X[4] X[5] X[6] X[7]
++ # X[8] X[9] X[10] X[11] # even borrowed for K_00_19
++ #
++ # +112 K_20_39 K_20_39 K_20_39 K_20_39 # constants
++ # K_40_59 K_40_59 K_40_59 K_40_59
++ # K_60_79 K_60_79 K_60_79 K_60_79
++ # K_00_19 K_00_19 K_00_19 K_00_19
++ # pbswap mask
++ #
++ # +192 ctx # argument block
++ # +196 inp
++ # +200 end
++ # +204 esp
++ &sub ("esp",208);
++ &and ("esp",-64);
++
++ &movdqa (&QWP(112+0,"esp"), at X[4]); # copy constants
++ &movdqa (&QWP(112+16,"esp"), at X[5]);
++ &movdqa (&QWP(112+32,"esp"), at X[6]);
++ &shl ($D,6); # len*64
++ &movdqa (&QWP(112+48,"esp"), at X[3]);
++ &add ($D,$inp); # end of input
++ &movdqa (&QWP(112+64,"esp"), at X[2]);
++ &add ($inp,64);
++ &mov (&DWP(192+0,"esp"),$E); # save argument block
++ &mov (&DWP(192+4,"esp"),$inp);
++ &mov (&DWP(192+8,"esp"),$D);
++ &mov (&DWP(192+12,"esp"), at T[0]); # save original %esp
++
++ &mov ($A,&DWP(0,$E)); # load context
++ &mov ($B,&DWP(4,$E));
++ &mov ($C,&DWP(8,$E));
++ &mov ($D,&DWP(12,$E));
++ &mov ($E,&DWP(16,$E));
++ &mov (@T[0],$B); # magic seed
++
++ &movdqu (@X[-4&7],&QWP(-64,$inp)); # load input to %xmm[0-3]
++ &movdqu (@X[-3&7],&QWP(-48,$inp));
++ &movdqu (@X[-2&7],&QWP(-32,$inp));
++ &movdqu (@X[-1&7],&QWP(-16,$inp));
++ &pshufb (@X[-4&7], at X[2]); # byte swap
++ &pshufb (@X[-3&7], at X[2]);
++ &pshufb (@X[-2&7], at X[2]);
++ &movdqa (&QWP(112-16,"esp"), at X[3]); # borrow last backtrace slot
++ &pshufb (@X[-1&7], at X[2]);
++ &paddd (@X[-4&7], at X[3]); # add K_00_19
++ &paddd (@X[-3&7], at X[3]);
++ &paddd (@X[-2&7], at X[3]);
++ &movdqa (&QWP(0,"esp"), at X[-4&7]); # X[]+K xfer to IALU
++ &psubd (@X[-4&7], at X[3]); # restore X[]
++ &movdqa (&QWP(0+16,"esp"), at X[-3&7]);
++ &psubd (@X[-3&7], at X[3]);
++ &movdqa (&QWP(0+32,"esp"), at X[-2&7]);
++ &psubd (@X[-2&7], at X[3]);
++ &movdqa (@X[0], at X[-3&7]);
++ &jmp (&label("loop"));
++
++######################################################################
++# SSE instruction sequence is first broken to groups of indepentent
++# instructions, independent in respect to their inputs and shifter
++# (not all architectures have more than one). Then IALU instructions
++# are "knitted in" between the SSE groups. Distance is maintained for
++# SSE latency of 2 in hope that it fits better upcoming AMD Bulldozer
++# [which allegedly also implements SSSE3]...
++#
++# Temporary registers usage. X[2] is volatile at the entry and at the
++# end is restored from backtrace ring buffer. X[3] is expected to
++# contain current K_XX_XX constant and is used to caclulate X[-1]+K
++# from previous round, it becomes volatile the moment the value is
++# saved to stack for transfer to IALU. X[4] becomes volatile whenever
++# X[-4] is accumulated and offloaded to backtrace ring buffer, at the
++# end it is loaded with next K_XX_XX [which becomes X[3] in next
++# round]...
++#
++sub Xupdate_ssse3_16_31() # recall that $Xi starts wtih 4
++{ use integer;
++ my $body = shift;
++ my @insns = (&$body,&$body,&$body,&$body); # 40 instructions
++ my ($a,$b,$c,$d,$e);
++
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &palignr(@X[0], at X[-4&7],8); # compose "X[-14]" in "X[0]"
++ &movdqa (@X[2], at X[-1&7]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &paddd (@X[3], at X[-1&7]);
++ &movdqa (&QWP(64+16*(($Xi-4)%3),"esp"), at X[-4&7]);# save X[] to backtrace buffer
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &psrldq (@X[2],4); # "X[-3]", 3 dwords
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &pxor (@X[0], at X[-4&7]); # "X[0]"^="X[-16]"
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &pxor (@X[2], at X[-2&7]); # "X[-3]"^"X[-8]"
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &pxor (@X[0], at X[2]); # "X[0]"^="X[-3]"^"X[-8]"
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &movdqa (&QWP(0+16*(($Xi-1)&3),"esp"), at X[3]); # X[]+K xfer to IALU
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &movdqa (@X[4], at X[0]);
++ &movdqa (@X[2], at X[0]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &pslldq (@X[4],12); # "X[0]"<<96, extract one dword
++ &paddd (@X[0], at X[0]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &psrld (@X[2],31);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &movdqa (@X[3], at X[4]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &psrld (@X[4],30);
++ &por (@X[0], at X[2]); # "X[0]"<<<=1
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &movdqa (@X[2],&QWP(64+16*(($Xi-6)%3),"esp")) if ($Xi>5); # restore X[] from backtrace buffer
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &pslld (@X[3],2);
++ &pxor (@X[0], at X[4]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &movdqa (@X[4],&QWP(112-16+16*(($Xi)/5),"esp")); # K_XX_XX
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &pxor (@X[0], at X[3]); # "X[0]"^=("X[0]"<<96)<<<2
++ &movdqa (@X[1], at X[-2&7]) if ($Xi<7);
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ foreach (@insns) { eval; } # remaining instructions [if any]
++
++ $Xi++; push(@X,shift(@X)); # "rotate" X[]
++}
++
++sub Xupdate_ssse3_32_79()
++{ use integer;
++ my $body = shift;
++ my @insns = (&$body,&$body,&$body,&$body); # 32 to 48 instructions
++ my ($a,$b,$c,$d,$e);
++
++ &movdqa (@X[2], at X[-1&7]) if ($Xi==8);
++ eval(shift(@insns)); # body_20_39
++ &pxor (@X[0], at X[-4&7]); # "X[0]"="X[-32]"^"X[-16]"
++ &palignr(@X[2], at X[-2&7],8); # compose "X[-6]"
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns)); # rol
++
++ &pxor (@X[0], at X[-7&7]); # "X[0]"^="X[-28]"
++ &movdqa (&QWP(64+16*(($Xi-4)%3),"esp"), at X[-4&7]); # save X[] to backtrace buffer
++ eval(shift(@insns));
++ eval(shift(@insns));
++ if ($Xi%5) {
++ &movdqa (@X[4], at X[3]); # "perpetuate" K_XX_XX...
++ } else { # ... or load next one
++ &movdqa (@X[4],&QWP(112-16+16*($Xi/5),"esp"));
++ }
++ &paddd (@X[3], at X[-1&7]);
++ eval(shift(@insns)); # ror
++ eval(shift(@insns));
++
++ &pxor (@X[0], at X[2]); # "X[0]"^="X[-6]"
++ eval(shift(@insns)); # body_20_39
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns)); # rol
++
++ &movdqa (@X[2], at X[0]);
++ &movdqa (&QWP(0+16*(($Xi-1)&3),"esp"), at X[3]); # X[]+K xfer to IALU
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns)); # ror
++ eval(shift(@insns));
++
++ &pslld (@X[0],2);
++ eval(shift(@insns)); # body_20_39
++ eval(shift(@insns));
++ &psrld (@X[2],30);
++ eval(shift(@insns));
++ eval(shift(@insns)); # rol
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns)); # ror
++ eval(shift(@insns));
++
++ &por (@X[0], at X[2]); # "X[0]"<<<=2
++ eval(shift(@insns)); # body_20_39
++ eval(shift(@insns));
++ &movdqa (@X[2],&QWP(64+16*(($Xi-6)%3),"esp")) if($Xi<19); # restore X[] from backtrace buffer
++ eval(shift(@insns));
++ eval(shift(@insns)); # rol
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns)); # ror
++ &movdqa (@X[3], at X[0]) if ($Xi<19);
++ eval(shift(@insns));
++
++ foreach (@insns) { eval; } # remaining instructions
++
++ $Xi++; push(@X,shift(@X)); # "rotate" X[]
++}
++
++sub Xuplast_ssse3_80()
++{ use integer;
++ my $body = shift;
++ my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
++ my ($a,$b,$c,$d,$e);
++
++ eval(shift(@insns));
++ &paddd (@X[3], at X[-1&7]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &movdqa (&QWP(0+16*(($Xi-1)&3),"esp"), at X[3]); # X[]+K xfer IALU
++
++ foreach (@insns) { eval; } # remaining instructions
++
++ &mov ($inp=@T[1],&DWP(192+4,"esp"));
++ &cmp ($inp,&DWP(192+8,"esp"));
++ &je (&label("done"));
++
++ &movdqa (@X[3],&QWP(112+48,"esp")); # K_00_19
++ &movdqa (@X[2],&QWP(112+64,"esp")); # pbswap mask
++ &movdqu (@X[-4&7],&QWP(0,$inp)); # load input
++ &movdqu (@X[-3&7],&QWP(16,$inp));
++ &movdqu (@X[-2&7],&QWP(32,$inp));
++ &movdqu (@X[-1&7],&QWP(48,$inp));
++ &add ($inp,64);
++ &pshufb (@X[-4&7], at X[2]); # byte swap
++ &mov (&DWP(192+4,"esp"),$inp);
++ &movdqa (&QWP(112-16,"esp"), at X[3]); # borrow last backtrace slot
++
++ $Xi=0;
++}
++
++sub Xloop_ssse3()
++{ use integer;
++ my $body = shift;
++ my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
++ my ($a,$b,$c,$d,$e);
++
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &pshufb (@X[($Xi-3)&7], at X[2]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &paddd (@X[($Xi-4)&7], at X[3]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &movdqa (&QWP(0+16*$Xi,"esp"), at X[($Xi-4)&7]); # X[]+K xfer to IALU
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &psubd (@X[($Xi-4)&7], at X[3]);
++
++ foreach (@insns) { eval; }
++ $Xi++;
++}
++
++sub Xtail_ssse3()
++{ use integer;
++ my $body = shift;
++ my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
++ my ($a,$b,$c,$d,$e);
++
++ foreach (@insns) { eval; }
++}
++
++sub body_00_19 () {
++ (
++ '($a,$b,$c,$d,$e)=@V;'.
++ '&add ($e,&DWP(4*($j&15),"esp"));', # X[]+K xfer
++ '&xor ($c,$d);',
++ '&mov (@T[1],$a);', # $b in next round
++ '&$_rol ($a,5);',
++ '&and (@T[0],$c);', # ($b&($c^$d))
++ '&xor ($c,$d);', # restore $c
++ '&xor (@T[0],$d);',
++ '&add ($e,$a);',
++ '&$_ror ($b,$j?7:2);', # $b>>>2
++ '&add ($e, at T[0]);' .'$j++; unshift(@V,pop(@V)); unshift(@T,pop(@T));'
++ );
++}
++
++sub body_20_39 () {
++ (
++ '($a,$b,$c,$d,$e)=@V;'.
++ '&add ($e,&DWP(4*($j++&15),"esp"));', # X[]+K xfer
++ '&xor (@T[0],$d);', # ($b^$d)
++ '&mov (@T[1],$a);', # $b in next round
++ '&$_rol ($a,5);',
++ '&xor (@T[0],$c);', # ($b^$d^$c)
++ '&add ($e,$a);',
++ '&$_ror ($b,7);', # $b>>>2
++ '&add ($e, at T[0]);' .'unshift(@V,pop(@V)); unshift(@T,pop(@T));'
++ );
++}
++
++sub body_40_59 () {
++ (
++ '($a,$b,$c,$d,$e)=@V;'.
++ '&mov (@T[1],$c);',
++ '&xor ($c,$d);',
++ '&add ($e,&DWP(4*($j++&15),"esp"));', # X[]+K xfer
++ '&and (@T[1],$d);',
++ '&and (@T[0],$c);', # ($b&($c^$d))
++ '&$_ror ($b,7);', # $b>>>2
++ '&add ($e, at T[1]);',
++ '&mov (@T[1],$a);', # $b in next round
++ '&$_rol ($a,5);',
++ '&add ($e, at T[0]);',
++ '&xor ($c,$d);', # restore $c
++ '&add ($e,$a);' .'unshift(@V,pop(@V)); unshift(@T,pop(@T));'
++ );
++}
++
++&set_label("loop",16);
++ &Xupdate_ssse3_16_31(\&body_00_19);
++ &Xupdate_ssse3_16_31(\&body_00_19);
++ &Xupdate_ssse3_16_31(\&body_00_19);
++ &Xupdate_ssse3_16_31(\&body_00_19);
++ &Xupdate_ssse3_32_79(\&body_00_19);
++ &Xupdate_ssse3_32_79(\&body_20_39);
++ &Xupdate_ssse3_32_79(\&body_20_39);
++ &Xupdate_ssse3_32_79(\&body_20_39);
++ &Xupdate_ssse3_32_79(\&body_20_39);
++ &Xupdate_ssse3_32_79(\&body_20_39);
++ &Xupdate_ssse3_32_79(\&body_40_59);
++ &Xupdate_ssse3_32_79(\&body_40_59);
++ &Xupdate_ssse3_32_79(\&body_40_59);
++ &Xupdate_ssse3_32_79(\&body_40_59);
++ &Xupdate_ssse3_32_79(\&body_40_59);
++ &Xupdate_ssse3_32_79(\&body_20_39);
++ &Xuplast_ssse3_80(\&body_20_39); # can jump to "done"
++
++ $saved_j=$j; @saved_V=@V;
++
++ &Xloop_ssse3(\&body_20_39);
++ &Xloop_ssse3(\&body_20_39);
++ &Xloop_ssse3(\&body_20_39);
++
++ &mov (@T[1],&DWP(192,"esp")); # update context
++ &add ($A,&DWP(0, at T[1]));
++ &add (@T[0],&DWP(4, at T[1])); # $b
++ &add ($C,&DWP(8, at T[1]));
++ &mov (&DWP(0, at T[1]),$A);
++ &add ($D,&DWP(12, at T[1]));
++ &mov (&DWP(4, at T[1]), at T[0]);
++ &add ($E,&DWP(16, at T[1]));
++ &mov (&DWP(8, at T[1]),$C);
++ &mov ($B, at T[0]);
++ &mov (&DWP(12, at T[1]),$D);
++ &mov (&DWP(16, at T[1]),$E);
++ &movdqa (@X[0], at X[-3&7]);
++
++ &jmp (&label("loop"));
++
++&set_label("done",16); $j=$saved_j; @V=@saved_V;
++
++ &Xtail_ssse3(\&body_20_39);
++ &Xtail_ssse3(\&body_20_39);
++ &Xtail_ssse3(\&body_20_39);
++
++ &mov (@T[1],&DWP(192,"esp")); # update context
++ &add ($A,&DWP(0, at T[1]));
++ &mov ("esp",&DWP(192+12,"esp")); # restore %esp
++ &add (@T[0],&DWP(4, at T[1])); # $b
++ &add ($C,&DWP(8, at T[1]));
++ &mov (&DWP(0, at T[1]),$A);
++ &add ($D,&DWP(12, at T[1]));
++ &mov (&DWP(4, at T[1]), at T[0]);
++ &add ($E,&DWP(16, at T[1]));
++ &mov (&DWP(8, at T[1]),$C);
++ &mov (&DWP(12, at T[1]),$D);
++ &mov (&DWP(16, at T[1]),$E);
++
++&function_end("_sha1_block_data_order_ssse3");
++
++if ($ymm) {
++my $Xi=4; # 4xSIMD Xupdate round, start pre-seeded
++my @X=map("xmm$_",(4..7,0..3)); # pre-seeded for $Xi=4
++my @V=($A,$B,$C,$D,$E);
++my $j=0; # hash round
++my @T=($T,$tmp1);
++my $inp;
++
++my $_rol=sub { &shld(@_[0], at _) };
++my $_ror=sub { &shrd(@_[0], at _) };
++
++&function_begin("_sha1_block_data_order_avx");
++ &call (&label("pic_point")); # make it PIC!
++ &set_label("pic_point");
++ &blindpop($tmp1);
++ &lea ($tmp1,&DWP(&label("K_XX_XX")."-".&label("pic_point"),$tmp1));
++&set_label("avx_shortcut");
++ &vzeroall();
++
++ &vmovdqa(@X[3],&QWP(0,$tmp1)); # K_00_19
++ &vmovdqa(@X[4],&QWP(16,$tmp1)); # K_20_39
++ &vmovdqa(@X[5],&QWP(32,$tmp1)); # K_40_59
++ &vmovdqa(@X[6],&QWP(48,$tmp1)); # K_60_79
++ &vmovdqa(@X[2],&QWP(64,$tmp1)); # pbswap mask
++
++ &mov ($E,&wparam(0)); # load argument block
++ &mov ($inp=@T[1],&wparam(1));
++ &mov ($D,&wparam(2));
++ &mov (@T[0],"esp");
++
++ # stack frame layout
++ #
++ # +0 X[0]+K X[1]+K X[2]+K X[3]+K # XMM->IALU xfer area
++ # X[4]+K X[5]+K X[6]+K X[7]+K
++ # X[8]+K X[9]+K X[10]+K X[11]+K
++ # X[12]+K X[13]+K X[14]+K X[15]+K
++ #
++ # +64 X[0] X[1] X[2] X[3] # XMM->XMM backtrace area
++ # X[4] X[5] X[6] X[7]
++ # X[8] X[9] X[10] X[11] # even borrowed for K_00_19
++ #
++ # +112 K_20_39 K_20_39 K_20_39 K_20_39 # constants
++ # K_40_59 K_40_59 K_40_59 K_40_59
++ # K_60_79 K_60_79 K_60_79 K_60_79
++ # K_00_19 K_00_19 K_00_19 K_00_19
++ # pbswap mask
++ #
++ # +192 ctx # argument block
++ # +196 inp
++ # +200 end
++ # +204 esp
++ &sub ("esp",208);
++ &and ("esp",-64);
++
++ &vmovdqa(&QWP(112+0,"esp"), at X[4]); # copy constants
++ &vmovdqa(&QWP(112+16,"esp"), at X[5]);
++ &vmovdqa(&QWP(112+32,"esp"), at X[6]);
++ &shl ($D,6); # len*64
++ &vmovdqa(&QWP(112+48,"esp"), at X[3]);
++ &add ($D,$inp); # end of input
++ &vmovdqa(&QWP(112+64,"esp"), at X[2]);
++ &add ($inp,64);
++ &mov (&DWP(192+0,"esp"),$E); # save argument block
++ &mov (&DWP(192+4,"esp"),$inp);
++ &mov (&DWP(192+8,"esp"),$D);
++ &mov (&DWP(192+12,"esp"), at T[0]); # save original %esp
++
++ &mov ($A,&DWP(0,$E)); # load context
++ &mov ($B,&DWP(4,$E));
++ &mov ($C,&DWP(8,$E));
++ &mov ($D,&DWP(12,$E));
++ &mov ($E,&DWP(16,$E));
++ &mov (@T[0],$B); # magic seed
++
++ &vmovdqu(@X[-4&7],&QWP(-64,$inp)); # load input to %xmm[0-3]
++ &vmovdqu(@X[-3&7],&QWP(-48,$inp));
++ &vmovdqu(@X[-2&7],&QWP(-32,$inp));
++ &vmovdqu(@X[-1&7],&QWP(-16,$inp));
++ &vpshufb(@X[-4&7], at X[-4&7], at X[2]); # byte swap
++ &vpshufb(@X[-3&7], at X[-3&7], at X[2]);
++ &vpshufb(@X[-2&7], at X[-2&7], at X[2]);
++ &vmovdqa(&QWP(112-16,"esp"), at X[3]); # borrow last backtrace slot
++ &vpshufb(@X[-1&7], at X[-1&7], at X[2]);
++ &vpaddd (@X[0], at X[-4&7], at X[3]); # add K_00_19
++ &vpaddd (@X[1], at X[-3&7], at X[3]);
++ &vpaddd (@X[2], at X[-2&7], at X[3]);
++ &vmovdqa(&QWP(0,"esp"), at X[0]); # X[]+K xfer to IALU
++ &vmovdqa(&QWP(0+16,"esp"), at X[1]);
++ &vmovdqa(&QWP(0+32,"esp"), at X[2]);
++ &jmp (&label("loop"));
++
++sub Xupdate_avx_16_31() # recall that $Xi starts wtih 4
++{ use integer;
++ my $body = shift;
++ my @insns = (&$body,&$body,&$body,&$body); # 40 instructions
++ my ($a,$b,$c,$d,$e);
++
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &vpalignr(@X[0], at X[-3&7], at X[-4&7],8); # compose "X[-14]" in "X[0]"
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &vpaddd (@X[3], at X[3], at X[-1&7]);
++ &vmovdqa (&QWP(64+16*(($Xi-4)%3),"esp"), at X[-4&7]);# save X[] to backtrace buffer
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &vpsrldq(@X[2], at X[-1&7],4); # "X[-3]", 3 dwords
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &vpxor (@X[0], at X[0], at X[-4&7]); # "X[0]"^="X[-16]"
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &vpxor (@X[2], at X[2], at X[-2&7]); # "X[-3]"^"X[-8]"
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &vmovdqa (&QWP(0+16*(($Xi-1)&3),"esp"), at X[3]); # X[]+K xfer to IALU
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &vpxor (@X[0], at X[0], at X[2]); # "X[0]"^="X[-3]"^"X[-8]"
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &vpsrld (@X[2], at X[0],31);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &vpslldq(@X[4], at X[0],12); # "X[0]"<<96, extract one dword
++ &vpaddd (@X[0], at X[0], at X[0]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &vpsrld (@X[3], at X[4],30);
++ &vpor (@X[0], at X[0], at X[2]); # "X[0]"<<<=1
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &vpslld (@X[4], at X[4],2);
++ &vmovdqa (@X[2],&QWP(64+16*(($Xi-6)%3),"esp")) if ($Xi>5); # restore X[] from backtrace buffer
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &vpxor (@X[0], at X[0], at X[3]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &vpxor (@X[0], at X[0], at X[4]); # "X[0]"^=("X[0]"<<96)<<<2
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &vmovdqa (@X[4],&QWP(112-16+16*(($Xi)/5),"esp")); # K_XX_XX
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ foreach (@insns) { eval; } # remaining instructions [if any]
++
++ $Xi++; push(@X,shift(@X)); # "rotate" X[]
++}
++
++sub Xupdate_avx_32_79()
++{ use integer;
++ my $body = shift;
++ my @insns = (&$body,&$body,&$body,&$body); # 32 to 48 instructions
++ my ($a,$b,$c,$d,$e);
++
++ &vpalignr(@X[2], at X[-1&7], at X[-2&7],8); # compose "X[-6]"
++ &vpxor (@X[0], at X[0], at X[-4&7]); # "X[0]"="X[-32]"^"X[-16]"
++ eval(shift(@insns)); # body_20_39
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns)); # rol
++
++ &vpxor (@X[0], at X[0], at X[-7&7]); # "X[0]"^="X[-28]"
++ &vmovdqa (&QWP(64+16*(($Xi-4)%3),"esp"), at X[-4&7]); # save X[] to backtrace buffer
++ eval(shift(@insns));
++ eval(shift(@insns));
++ if ($Xi%5) {
++ &vmovdqa (@X[4], at X[3]); # "perpetuate" K_XX_XX...
++ } else { # ... or load next one
++ &vmovdqa (@X[4],&QWP(112-16+16*($Xi/5),"esp"));
++ }
++ &vpaddd (@X[3], at X[3], at X[-1&7]);
++ eval(shift(@insns)); # ror
++ eval(shift(@insns));
++
++ &vpxor (@X[0], at X[0], at X[2]); # "X[0]"^="X[-6]"
++ eval(shift(@insns)); # body_20_39
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns)); # rol
++
++ &vpsrld (@X[2], at X[0],30);
++ &vmovdqa (&QWP(0+16*(($Xi-1)&3),"esp"), at X[3]); # X[]+K xfer to IALU
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns)); # ror
++ eval(shift(@insns));
++
++ &vpslld (@X[0], at X[0],2);
++ eval(shift(@insns)); # body_20_39
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns)); # rol
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns)); # ror
++ eval(shift(@insns));
++
++ &vpor (@X[0], at X[0], at X[2]); # "X[0]"<<<=2
++ eval(shift(@insns)); # body_20_39
++ eval(shift(@insns));
++ &vmovdqa (@X[2],&QWP(64+16*(($Xi-6)%3),"esp")) if($Xi<19); # restore X[] from backtrace buffer
++ eval(shift(@insns));
++ eval(shift(@insns)); # rol
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns)); # ror
++ eval(shift(@insns));
++
++ foreach (@insns) { eval; } # remaining instructions
++
++ $Xi++; push(@X,shift(@X)); # "rotate" X[]
++}
++
++sub Xuplast_avx_80()
++{ use integer;
++ my $body = shift;
++ my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
++ my ($a,$b,$c,$d,$e);
++
++ eval(shift(@insns));
++ &vpaddd (@X[3], at X[3], at X[-1&7]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ &vmovdqa (&QWP(0+16*(($Xi-1)&3),"esp"), at X[3]); # X[]+K xfer IALU
++
++ foreach (@insns) { eval; } # remaining instructions
++
++ &mov ($inp=@T[1],&DWP(192+4,"esp"));
++ &cmp ($inp,&DWP(192+8,"esp"));
++ &je (&label("done"));
++
++ &vmovdqa(@X[3],&QWP(112+48,"esp")); # K_00_19
++ &vmovdqa(@X[2],&QWP(112+64,"esp")); # pbswap mask
++ &vmovdqu(@X[-4&7],&QWP(0,$inp)); # load input
++ &vmovdqu(@X[-3&7],&QWP(16,$inp));
++ &vmovdqu(@X[-2&7],&QWP(32,$inp));
++ &vmovdqu(@X[-1&7],&QWP(48,$inp));
++ &add ($inp,64);
++ &vpshufb(@X[-4&7], at X[-4&7], at X[2]); # byte swap
++ &mov (&DWP(192+4,"esp"),$inp);
++ &vmovdqa(&QWP(112-16,"esp"), at X[3]); # borrow last backtrace slot
++
++ $Xi=0;
++}
++
++sub Xloop_avx()
++{ use integer;
++ my $body = shift;
++ my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
++ my ($a,$b,$c,$d,$e);
++
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &vpshufb (@X[($Xi-3)&7], at X[($Xi-3)&7], at X[2]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &vpaddd (@X[$Xi&7], at X[($Xi-4)&7], at X[3]);
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ eval(shift(@insns));
++ &vmovdqa (&QWP(0+16*$Xi,"esp"), at X[$Xi&7]); # X[]+K xfer to IALU
++ eval(shift(@insns));
++ eval(shift(@insns));
++
++ foreach (@insns) { eval; }
++ $Xi++;
++}
++
++sub Xtail_avx()
++{ use integer;
++ my $body = shift;
++ my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
++ my ($a,$b,$c,$d,$e);
++
++ foreach (@insns) { eval; }
++}
++
++&set_label("loop",16);
++ &Xupdate_avx_16_31(\&body_00_19);
++ &Xupdate_avx_16_31(\&body_00_19);
++ &Xupdate_avx_16_31(\&body_00_19);
++ &Xupdate_avx_16_31(\&body_00_19);
++ &Xupdate_avx_32_79(\&body_00_19);
++ &Xupdate_avx_32_79(\&body_20_39);
++ &Xupdate_avx_32_79(\&body_20_39);
++ &Xupdate_avx_32_79(\&body_20_39);
++ &Xupdate_avx_32_79(\&body_20_39);
++ &Xupdate_avx_32_79(\&body_20_39);
++ &Xupdate_avx_32_79(\&body_40_59);
++ &Xupdate_avx_32_79(\&body_40_59);
++ &Xupdate_avx_32_79(\&body_40_59);
++ &Xupdate_avx_32_79(\&body_40_59);
++ &Xupdate_avx_32_79(\&body_40_59);
++ &Xupdate_avx_32_79(\&body_20_39);
++ &Xuplast_avx_80(\&body_20_39); # can jump to "done"
++
++ $saved_j=$j; @saved_V=@V;
++
++ &Xloop_avx(\&body_20_39);
++ &Xloop_avx(\&body_20_39);
++ &Xloop_avx(\&body_20_39);
++
++ &mov (@T[1],&DWP(192,"esp")); # update context
++ &add ($A,&DWP(0, at T[1]));
++ &add (@T[0],&DWP(4, at T[1])); # $b
++ &add ($C,&DWP(8, at T[1]));
++ &mov (&DWP(0, at T[1]),$A);
++ &add ($D,&DWP(12, at T[1]));
++ &mov (&DWP(4, at T[1]), at T[0]);
++ &add ($E,&DWP(16, at T[1]));
++ &mov (&DWP(8, at T[1]),$C);
++ &mov ($B, at T[0]);
++ &mov (&DWP(12, at T[1]),$D);
++ &mov (&DWP(16, at T[1]),$E);
++
++ &jmp (&label("loop"));
++
++&set_label("done",16); $j=$saved_j; @V=@saved_V;
++
++ &Xtail_avx(\&body_20_39);
++ &Xtail_avx(\&body_20_39);
++ &Xtail_avx(\&body_20_39);
++
++ &vzeroall();
++
++ &mov (@T[1],&DWP(192,"esp")); # update context
++ &add ($A,&DWP(0, at T[1]));
++ &mov ("esp",&DWP(192+12,"esp")); # restore %esp
++ &add (@T[0],&DWP(4, at T[1])); # $b
++ &add ($C,&DWP(8, at T[1]));
++ &mov (&DWP(0, at T[1]),$A);
++ &add ($D,&DWP(12, at T[1]));
++ &mov (&DWP(4, at T[1]), at T[0]);
++ &add ($E,&DWP(16, at T[1]));
++ &mov (&DWP(8, at T[1]),$C);
++ &mov (&DWP(12, at T[1]),$D);
++ &mov (&DWP(16, at T[1]),$E);
++&function_end("_sha1_block_data_order_avx");
++}
++&set_label("K_XX_XX",64);
++&data_word(0x5a827999,0x5a827999,0x5a827999,0x5a827999); # K_00_19
++&data_word(0x6ed9eba1,0x6ed9eba1,0x6ed9eba1,0x6ed9eba1); # K_20_39
++&data_word(0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc); # K_40_59
++&data_word(0xca62c1d6,0xca62c1d6,0xca62c1d6,0xca62c1d6); # K_60_79
++&data_word(0x00010203,0x04050607,0x08090a0b,0x0c0d0e0f); # pbswap mask
++}
+ &asciz("SHA1 block transform for x86, CRYPTOGAMS by <appro\@openssl.org>");
+
+ &asm_finish();
+diff -up openssl-1.0.0d/crypto/x86cpuid.pl.intelopts openssl-1.0.0d/crypto/x86cpuid.pl
+--- openssl-1.0.0d/crypto/x86cpuid.pl.intelopts 2010-02-12 18:02:12.000000000 +0100
++++ openssl-1.0.0d/crypto/x86cpuid.pl 2011-11-03 09:55:42.000000000 +0100
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+
+ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+ push(@INC, "${dir}perlasm", "perlasm");
+@@ -20,7 +20,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
+ &pop ("eax");
+ &xor ("ecx","eax");
+ &bt ("ecx",21);
+- &jnc (&label("done"));
++ &jnc (&label("generic"));
+ &xor ("eax","eax");
+ &cpuid ();
+ &mov ("edi","eax"); # max value for standard query level
+@@ -51,7 +51,14 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
+ # AMD specific
+ &mov ("eax",0x80000000);
+ &cpuid ();
+- &cmp ("eax",0x80000008);
++ &cmp ("eax",0x80000001);
++ &jb (&label("intel"));
++ &mov ("esi","eax");
++ &mov ("eax",0x80000001);
++ &cpuid ();
++ &or ("ebp","ecx");
++ &and ("ebp",1<<11|1); # isolate XOP bit
++ &cmp ("esi",0x80000008);
+ &jb (&label("intel"));
+
+ &mov ("eax",0x80000008);
+@@ -62,13 +69,13 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
+ &mov ("eax",1);
+ &cpuid ();
+ &bt ("edx",28);
+- &jnc (&label("done"));
++ &jnc (&label("generic"));
+ &shr ("ebx",16);
+ &and ("ebx",0xff);
+ &cmp ("ebx","esi");
+- &ja (&label("done"));
++ &ja (&label("generic"));
+ &and ("edx",0xefffffff); # clear hyper-threading bit
+- &jmp (&label("done"));
++ &jmp (&label("generic"));
+
+ &set_label("intel");
+ &cmp ("edi",4);
+@@ -85,27 +92,45 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
+ &set_label("nocacheinfo");
+ &mov ("eax",1);
+ &cpuid ();
++ &and ("edx",0xbfefffff); # force reserved bits #20, #30 to 0
+ &cmp ("ebp",0);
+- &jne (&label("notP4"));
++ &jne (&label("notintel"));
++ &or ("edx",1<<30); # set reserved bit#30 on Intel CPUs
+ &and (&HB("eax"),15); # familiy ID
+ &cmp (&HB("eax"),15); # P4?
+- &jne (&label("notP4"));
+- &or ("edx",1<<20); # use reserved bit to engage RC4_CHAR
+-&set_label("notP4");
++ &jne (&label("notintel"));
++ &or ("edx",1<<20); # set reserved bit#20 to engage RC4_CHAR
++&set_label("notintel");
+ &bt ("edx",28); # test hyper-threading bit
+- &jnc (&label("done"));
++ &jnc (&label("generic"));
+ &and ("edx",0xefffffff);
+ &cmp ("edi",0);
+- &je (&label("done"));
++ &je (&label("generic"));
+
+ &or ("edx",0x10000000);
+ &shr ("ebx",16);
+ &cmp (&LB("ebx"),1);
+- &ja (&label("done"));
++ &ja (&label("generic"));
+ &and ("edx",0xefffffff); # clear hyper-threading bit if not
++
++&set_label("generic");
++ &and ("ebp",1<<11); # isolate AMD XOP flag
++ &and ("ecx",0xfffff7ff); # force 11th bit to 0
++ &mov ("esi","edx");
++ &or ("ebp","ecx"); # merge AMD XOP flag
++
++ &bt ("ecx",27); # check OSXSAVE bit
++ &jnc (&label("clear_avx"));
++ &xor ("ecx","ecx"); # XCR0
++ &data_byte(0x0f,0x01,0xd0); # xgetbv
++ &and ("eax",6); # isolate XMM and YMM state support
++ &cmp ("eax",6);
++ &je (&label("done"));
++&set_label("clear_avx");
++ &and ("ebp",0xefffe7ff); # clear AVX, FMA and AMD XOP bits
+ &set_label("done");
+- &mov ("eax","edx");
+- &mov ("edx","ecx");
++ &mov ("eax","esi");
++ &mov ("edx","ebp");
+ &function_end("OPENSSL_ia32_cpuid");
+
+ &external_label("OPENSSL_ia32cap_P");
+@@ -199,8 +224,9 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
+ &bt (&DWP(0,"ecx"),1);
+ &jnc (&label("no_x87"));
+ if ($sse2) {
+- &bt (&DWP(0,"ecx"),26);
+- &jnc (&label("no_sse2"));
++ &and ("ecx",1<<26|1<<24); # check SSE2 and FXSR bits
++ &cmp ("ecx",1<<26|1<<24);
++ &jne (&label("no_sse2"));
+ &pxor ("xmm0","xmm0");
+ &pxor ("xmm1","xmm1");
+ &pxor ("xmm2","xmm2");
+diff -up openssl-1.0.0d/crypto/x86_64cpuid.pl.intelopts openssl-1.0.0d/crypto/x86_64cpuid.pl
+--- openssl-1.0.0d/crypto/x86_64cpuid.pl.intelopts 2010-04-14 21:25:09.000000000 +0200
++++ openssl-1.0.0d/crypto/x86_64cpuid.pl 2011-08-24 12:50:56.000000000 +0200
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+
+ $flavour = shift;
+ $output = shift;
+@@ -7,12 +7,18 @@ if ($flavour =~ /\./) { $output = $flavo
+ $win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
+
+ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+-open STDOUT,"| $^X ${dir}perlasm/x86_64-xlate.pl $flavour $output";
++( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
++( $xlate="${dir}perlasm/x86_64-xlate.pl" and -f $xlate) or
++die "can't locate x86_64-xlate.pl";
++
++open STDOUT,"| $^X $xlate $flavour $output";
++
++($arg1,$arg2,$arg3,$arg4)=$win64?("%rcx","%rdx","%r8", "%r9") : # Win64 order
++ ("%rdi","%rsi","%rdx","%rcx"); # Unix order
+
+-if ($win64) { $arg1="%rcx"; $arg2="%rdx"; }
+-else { $arg1="%rdi"; $arg2="%rsi"; }
+ print<<___;
+ .extern OPENSSL_cpuid_setup
++.hidden OPENSSL_cpuid_setup
+ .section .init
+ call OPENSSL_cpuid_setup
+
+@@ -46,7 +52,7 @@ OPENSSL_rdtsc:
+ .type OPENSSL_ia32_cpuid,\@abi-omnipotent
+ .align 16
+ OPENSSL_ia32_cpuid:
+- mov %rbx,%r8
++ mov %rbx,%r8 # save %rbx
+
+ xor %eax,%eax
+ cpuid
+@@ -78,7 +84,15 @@ OPENSSL_ia32_cpuid:
+ # AMD specific
+ mov \$0x80000000,%eax
+ cpuid
+- cmp \$0x80000008,%eax
++ cmp \$0x80000001,%eax
++ jb .Lintel
++ mov %eax,%r10d
++ mov \$0x80000001,%eax
++ cpuid
++ or %ecx,%r9d
++ and \$0x00000801,%r9d # isolate AMD XOP bit, 1<<11
++
++ cmp \$0x80000008,%r10d
+ jb .Lintel
+
+ mov \$0x80000008,%eax
+@@ -89,12 +103,12 @@ OPENSSL_ia32_cpuid:
+ mov \$1,%eax
+ cpuid
+ bt \$28,%edx # test hyper-threading bit
+- jnc .Ldone
++ jnc .Lgeneric
+ shr \$16,%ebx # number of logical processors
+ cmp %r10b,%bl
+- ja .Ldone
++ ja .Lgeneric
+ and \$0xefffffff,%edx # ~(1<<28)
+- jmp .Ldone
++ jmp .Lgeneric
+
+ .Lintel:
+ cmp \$4,%r11d
+@@ -111,30 +125,47 @@ OPENSSL_ia32_cpuid:
+ .Lnocacheinfo:
+ mov \$1,%eax
+ cpuid
++ and \$0xbfefffff,%edx # force reserved bits to 0
+ cmp \$0,%r9d
+ jne .Lnotintel
+- or \$0x00100000,%edx # use reserved 20th bit to engage RC4_CHAR
++ or \$0x40000000,%edx # set reserved bit#30 on Intel CPUs
+ and \$15,%ah
+ cmp \$15,%ah # examine Family ID
+- je .Lnotintel
+- or \$0x40000000,%edx # use reserved bit to skip unrolled loop
++ jne .Lnotintel
++ or \$0x00100000,%edx # set reserved bit#20 to engage RC4_CHAR
+ .Lnotintel:
+ bt \$28,%edx # test hyper-threading bit
+- jnc .Ldone
++ jnc .Lgeneric
+ and \$0xefffffff,%edx # ~(1<<28)
+ cmp \$0,%r10d
+- je .Ldone
++ je .Lgeneric
+
+ or \$0x10000000,%edx # 1<<28
+ shr \$16,%ebx
+ cmp \$1,%bl # see if cache is shared
+- ja .Ldone
++ ja .Lgeneric
+ and \$0xefffffff,%edx # ~(1<<28)
++.Lgeneric:
++ and \$0x00000800,%r9d # isolate AMD XOP flag
++ and \$0xfffff7ff,%ecx
++ or %ecx,%r9d # merge AMD XOP flag
++
++ mov %edx,%r10d # %r9d:%r10d is copy of %ecx:%edx
++ bt \$27,%r9d # check OSXSAVE bit
++ jnc .Lclear_avx
++ xor %ecx,%ecx # XCR0
++ .byte 0x0f,0x01,0xd0 # xgetbv
++ and \$6,%eax # isolate XMM and YMM state support
++ cmp \$6,%eax
++ je .Ldone
++.Lclear_avx:
++ mov \$0xefffe7ff,%eax # ~(1<<28|1<<12|1<<11)
++ and %eax,%r9d # clear AVX, FMA and AMD XOP bits
+ .Ldone:
+- shl \$32,%rcx
+- mov %edx,%eax
+- mov %r8,%rbx
+- or %rcx,%rax
++ shl \$32,%r9
++ mov %r10d,%eax
++ mov %r8,%rbx # restore %rbx
++ or %r9,%rax
+ ret
+ .size OPENSSL_ia32_cpuid,.-OPENSSL_ia32_cpuid
+
diff --git a/openssl-1.0.1-beta2-padlock64.patch b/openssl-1.0.0d-padlock64.patch
similarity index 84%
rename from openssl-1.0.1-beta2-padlock64.patch
rename to openssl-1.0.0d-padlock64.patch
index 4b7f7da..11efbe8 100644
--- a/openssl-1.0.1-beta2-padlock64.patch
+++ b/openssl-1.0.0d-padlock64.patch
@@ -1,7 +1,7 @@
-diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/engines/e_padlock.c
---- openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 2011-06-21 18:42:15.000000000 +0200
-+++ openssl-1.0.1-beta2/engines/e_padlock.c 2012-02-06 20:18:52.039537799 +0100
-@@ -101,7 +101,10 @@
+diff -up openssl-1.0.0d/engines/e_padlock.c.padlock64 openssl-1.0.0d/engines/e_padlock.c
+--- openssl-1.0.0d/engines/e_padlock.c.padlock64 2011-01-30 02:05:38.000000000 +0100
++++ openssl-1.0.0d/engines/e_padlock.c 2011-04-28 21:03:26.000000000 +0200
+@@ -101,10 +101,15 @@
compiler choice is limited to GCC and Microsoft C. */
#undef COMPILE_HW_PADLOCK
#if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
@@ -12,8 +12,13 @@ diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/e
+ ) || \
(defined(_MSC_VER) && defined(_M_IX86))
# define COMPILE_HW_PADLOCK
++# ifdef OPENSSL_NO_DYNAMIC_ENGINE
+ static ENGINE *ENGINE_padlock (void);
++# endif
# endif
-@@ -137,7 +140,7 @@ void ENGINE_load_padlock (void)
+ #endif
+
+@@ -135,7 +140,7 @@ void ENGINE_load_padlock (void)
# endif
#elif defined(__GNUC__)
# ifndef alloca
@@ -22,7 +27,23 @@ diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/e
# endif
#endif
-@@ -304,6 +307,7 @@ static volatile struct padlock_cipher_da
+@@ -197,6 +202,7 @@ padlock_bind_helper(ENGINE *e)
+ return 1;
+ }
+
++#ifdef OPENSSL_NO_DYNAMIC_ENGINE
+ /* Constructor */
+ static ENGINE *
+ ENGINE_padlock(void)
+@@ -214,6 +220,7 @@ ENGINE_padlock(void)
+
+ return eng;
+ }
++#endif
+
+ /* Check availability of the engine */
+ static int
+@@ -298,6 +305,7 @@ static volatile struct padlock_cipher_da
* =======================================================
*/
#if defined(__GNUC__) && __GNUC__>=2
@@ -30,7 +51,7 @@ diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/e
/*
* As for excessive "push %ebx"/"pop %ebx" found all over.
* When generating position-independent code GCC won't let
-@@ -383,21 +387,6 @@ padlock_available(void)
+@@ -377,21 +385,6 @@ padlock_available(void)
return padlock_use_ace + padlock_use_rng;
}
@@ -52,7 +73,7 @@ diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/e
/* Force key reload from memory to the CPU microcode.
Loading EFLAGS from the stack clears EFLAGS[30]
which does the trick. */
-@@ -455,12 +444,127 @@ static inline void *name(size_t cnt, \
+@@ -449,12 +442,127 @@ static inline void *name(size_t cnt, \
: "edx", "cc", "memory"); \
return iv; \
}
@@ -67,7 +88,7 @@ diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/e
+{
+ char vendor_string[16];
+ unsigned int eax, edx;
-
++
+ /* Are we running on the Centaur (VIA) CPU? */
+ eax = 0x00000000;
+ vendor_string[12] = 0;
@@ -98,7 +119,7 @@ diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/e
+
+ return padlock_use_ace + padlock_use_rng;
+}
-+
+
+/* Force key reload from memory to the CPU microcode.
+ Loading EFLAGS from the stack clears EFLAGS[30]
+ which does the trick. */
@@ -180,7 +201,7 @@ diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/e
#endif
/* The RNG call itself */
-@@ -491,8 +595,8 @@ padlock_xstore(void *addr, unsigned int
+@@ -485,8 +593,8 @@ padlock_xstore(void *addr, unsigned int
static inline unsigned char *
padlock_memcpy(void *dst,const void *src,size_t n)
{
diff --git a/openssl-1.0.0f-fips.patch b/openssl-1.0.0f-fips.patch
new file mode 100644
index 0000000..435d72f
--- /dev/null
+++ b/openssl-1.0.0f-fips.patch
@@ -0,0 +1,12164 @@
+diff -up openssl-1.0.0f/Configure.fips openssl-1.0.0f/Configure
+--- openssl-1.0.0f/Configure.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/Configure 2012-01-05 13:22:30.000000000 +0100
+@@ -663,6 +663,7 @@ my $cmll_enc="camellia.o cmll_misc.o cml
+ my $processor="";
+ my $default_ranlib;
+ my $perl;
++my $fips=0;
+
+
+ # All of the following is disabled by default (RC5 was enabled before 0.9.8):
+@@ -809,6 +810,10 @@ PROCESS_ARGS:
+ }
+ elsif (/^386$/)
+ { $processor=386; }
++ elsif (/^fips$/)
++ {
++ $fips=1;
++ }
+ elsif (/^rsaref$/)
+ {
+ # No RSAref support any more since it's not needed.
+@@ -1383,6 +1388,11 @@ $cflags.=" -DOPENSSL_IA32_SSE2" if (!$no
+
+ $cflags.=" -DOPENSSL_BN_ASM_MONT" if ($bn_obj =~ /-mont/);
+
++if ($fips)
++ {
++ $openssl_other_defines.="#define OPENSSL_FIPS\n";
++ }
++
+ $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/);
+ $des_obj=$des_enc unless ($des_obj =~ /\.o$/);
+ $bf_obj=$bf_enc unless ($bf_obj =~ /\.o$/);
+@@ -1550,6 +1560,10 @@ while (<IN>)
+ s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
+ s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
+ s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;
++ if ($fips)
++ {
++ s/^FIPS=.*/FIPS=yes/;
++ }
+ s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
+ s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
+ s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
+diff -up openssl-1.0.0f/crypto/bf/bf_skey.c.fips openssl-1.0.0f/crypto/bf/bf_skey.c
+--- openssl-1.0.0f/crypto/bf/bf_skey.c.fips 2008-11-12 04:57:52.000000000 +0100
++++ openssl-1.0.0f/crypto/bf/bf_skey.c 2012-01-05 13:22:30.000000000 +0100
+@@ -59,10 +59,15 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <openssl/blowfish.h>
++#include <openssl/crypto.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++
+ #include "bf_locl.h"
+ #include "bf_pi.h"
+
+-void BF_set_key(BF_KEY *key, int len, const unsigned char *data)
++FIPS_NON_FIPS_VCIPHER_Init(BF)
+ {
+ int i;
+ BF_LONG *p,ri,in[2];
+diff -up openssl-1.0.0f/crypto/bf/blowfish.h.fips openssl-1.0.0f/crypto/bf/blowfish.h
+--- openssl-1.0.0f/crypto/bf/blowfish.h.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/crypto/bf/blowfish.h 2012-01-05 13:22:30.000000000 +0100
+@@ -104,7 +104,9 @@ typedef struct bf_key_st
+ BF_LONG S[4*256];
+ } BF_KEY;
+
+-
++#ifdef OPENSSL_FIPS
++void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data);
++#endif
+ void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
+
+ void BF_encrypt(BF_LONG *data,const BF_KEY *key);
+diff -up openssl-1.0.0f/crypto/bn/bn.h.fips openssl-1.0.0f/crypto/bn/bn.h
+--- openssl-1.0.0f/crypto/bn/bn.h.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/crypto/bn/bn.h 2012-01-05 13:22:30.000000000 +0100
+@@ -558,6 +558,17 @@ int BN_is_prime_ex(const BIGNUM *p,int n
+ int BN_is_prime_fasttest_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx,
+ int do_trial_division, BN_GENCB *cb);
+
++int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx);
++
++int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
++ const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2,
++ const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb);
++int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
++ BIGNUM *Xp1, BIGNUM *Xp2,
++ const BIGNUM *Xp,
++ const BIGNUM *e, BN_CTX *ctx,
++ BN_GENCB *cb);
++
+ BN_MONT_CTX *BN_MONT_CTX_new(void );
+ void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
+ int BN_mod_mul_montgomery(BIGNUM *r,const BIGNUM *a,const BIGNUM *b,
+diff -up openssl-1.0.0f/crypto/bn/bn_x931p.c.fips openssl-1.0.0f/crypto/bn/bn_x931p.c
+--- openssl-1.0.0f/crypto/bn/bn_x931p.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/bn/bn_x931p.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,272 @@
++/* bn_x931p.c */
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project 2005.
++ */
++/* ====================================================================
++ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay at cryptsoft.com). This product includes software written by Tim
++ * Hudson (tjh at cryptsoft.com).
++ *
++ */
++
++#include <stdio.h>
++#include <openssl/bn.h>
++
++/* X9.31 routines for prime derivation */
++
++/* X9.31 prime derivation. This is used to generate the primes pi
++ * (p1, p2, q1, q2) from a parameter Xpi by checking successive odd
++ * integers.
++ */
++
++static int bn_x931_derive_pi(BIGNUM *pi, const BIGNUM *Xpi, BN_CTX *ctx,
++ BN_GENCB *cb)
++ {
++ int i = 0;
++ if (!BN_copy(pi, Xpi))
++ return 0;
++ if (!BN_is_odd(pi) && !BN_add_word(pi, 1))
++ return 0;
++ for(;;)
++ {
++ i++;
++ BN_GENCB_call(cb, 0, i);
++ /* NB 27 MR is specificed in X9.31 */
++ if (BN_is_prime_fasttest_ex(pi, 27, ctx, 1, cb))
++ break;
++ if (!BN_add_word(pi, 2))
++ return 0;
++ }
++ BN_GENCB_call(cb, 2, i);
++ return 1;
++ }
++
++/* This is the main X9.31 prime derivation function. From parameters
++ * Xp1, Xp2 and Xp derive the prime p. If the parameters p1 or p2 are
++ * not NULL they will be returned too: this is needed for testing.
++ */
++
++int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
++ const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2,
++ const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb)
++ {
++ int ret = 0;
++
++ BIGNUM *t, *p1p2, *pm1;
++
++ /* Only even e supported */
++ if (!BN_is_odd(e))
++ return 0;
++
++ BN_CTX_start(ctx);
++ if (!p1)
++ p1 = BN_CTX_get(ctx);
++
++ if (!p2)
++ p2 = BN_CTX_get(ctx);
++
++ t = BN_CTX_get(ctx);
++
++ p1p2 = BN_CTX_get(ctx);
++
++ pm1 = BN_CTX_get(ctx);
++
++ if (!bn_x931_derive_pi(p1, Xp1, ctx, cb))
++ goto err;
++
++ if (!bn_x931_derive_pi(p2, Xp2, ctx, cb))
++ goto err;
++
++ if (!BN_mul(p1p2, p1, p2, ctx))
++ goto err;
++
++ /* First set p to value of Rp */
++
++ if (!BN_mod_inverse(p, p2, p1, ctx))
++ goto err;
++
++ if (!BN_mul(p, p, p2, ctx))
++ goto err;
++
++ if (!BN_mod_inverse(t, p1, p2, ctx))
++ goto err;
++
++ if (!BN_mul(t, t, p1, ctx))
++ goto err;
++
++ if (!BN_sub(p, p, t))
++ goto err;
++
++ if (p->neg && !BN_add(p, p, p1p2))
++ goto err;
++
++ /* p now equals Rp */
++
++ if (!BN_mod_sub(p, p, Xp, p1p2, ctx))
++ goto err;
++
++ if (!BN_add(p, p, Xp))
++ goto err;
++
++ /* p now equals Yp0 */
++
++ for (;;)
++ {
++ int i = 1;
++ BN_GENCB_call(cb, 0, i++);
++ if (!BN_copy(pm1, p))
++ goto err;
++ if (!BN_sub_word(pm1, 1))
++ goto err;
++ if (!BN_gcd(t, pm1, e, ctx))
++ goto err;
++ if (BN_is_one(t)
++ /* X9.31 specifies 8 MR and 1 Lucas test or any prime test
++ * offering similar or better guarantees 50 MR is considerably
++ * better.
++ */
++ && BN_is_prime_fasttest_ex(p, 50, ctx, 1, cb))
++ break;
++ if (!BN_add(p, p, p1p2))
++ goto err;
++ }
++
++ BN_GENCB_call(cb, 3, 0);
++
++ ret = 1;
++
++ err:
++
++ BN_CTX_end(ctx);
++
++ return ret;
++ }
++
++/* Generate pair of paramters Xp, Xq for X9.31 prime generation.
++ * Note: nbits paramter is sum of number of bits in both.
++ */
++
++int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx)
++ {
++ BIGNUM *t;
++ int i;
++ /* Number of bits for each prime is of the form
++ * 512+128s for s = 0, 1, ...
++ */
++ if ((nbits < 1024) || (nbits & 0xff))
++ return 0;
++ nbits >>= 1;
++ /* The random value Xp must be between sqrt(2) * 2^(nbits-1) and
++ * 2^nbits - 1. By setting the top two bits we ensure that the lower
++ * bound is exceeded.
++ */
++ if (!BN_rand(Xp, nbits, 1, 0))
++ return 0;
++
++ BN_CTX_start(ctx);
++ t = BN_CTX_get(ctx);
++
++ for (i = 0; i < 1000; i++)
++ {
++ if (!BN_rand(Xq, nbits, 1, 0))
++ return 0;
++ /* Check that |Xp - Xq| > 2^(nbits - 100) */
++ BN_sub(t, Xp, Xq);
++ if (BN_num_bits(t) > (nbits - 100))
++ break;
++ }
++
++ BN_CTX_end(ctx);
++
++ if (i < 1000)
++ return 1;
++
++ return 0;
++
++ }
++
++/* Generate primes using X9.31 algorithm. Of the values p, p1, p2, Xp1
++ * and Xp2 only 'p' needs to be non-NULL. If any of the others are not NULL
++ * the relevant parameter will be stored in it.
++ *
++ * Due to the fact that |Xp - Xq| > 2^(nbits - 100) must be satisfied Xp and Xq
++ * are generated using the previous function and supplied as input.
++ */
++
++int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
++ BIGNUM *Xp1, BIGNUM *Xp2,
++ const BIGNUM *Xp,
++ const BIGNUM *e, BN_CTX *ctx,
++ BN_GENCB *cb)
++ {
++ int ret = 0;
++
++ BN_CTX_start(ctx);
++ if (!Xp1)
++ Xp1 = BN_CTX_get(ctx);
++ if (!Xp2)
++ Xp2 = BN_CTX_get(ctx);
++
++ if (!BN_rand(Xp1, 101, 0, 0))
++ goto error;
++ if (!BN_rand(Xp2, 101, 0, 0))
++ goto error;
++ if (!BN_X931_derive_prime_ex(p, p1, p2, Xp, Xp1, Xp2, e, ctx, cb))
++ goto error;
++
++ ret = 1;
++
++ error:
++ BN_CTX_end(ctx);
++
++ return ret;
++
++ }
++
+diff -up openssl-1.0.0f/crypto/bn/Makefile.fips openssl-1.0.0f/crypto/bn/Makefile
+--- openssl-1.0.0f/crypto/bn/Makefile.fips 2008-11-12 09:19:02.000000000 +0100
++++ openssl-1.0.0f/crypto/bn/Makefile 2012-01-05 13:22:30.000000000 +0100
+@@ -26,13 +26,13 @@ LIBSRC= bn_add.c bn_div.c bn_exp.c bn_li
+ bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
+ bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c \
+ bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
+- bn_depr.c bn_const.c
++ bn_depr.c bn_const.c bn_x931p.c
+
+ LIBOBJ= bn_add.o bn_div.o bn_exp.o bn_lib.o bn_ctx.o bn_mul.o bn_mod.o \
+ bn_print.o bn_rand.o bn_shift.o bn_word.o bn_blind.o \
+ bn_kron.o bn_sqrt.o bn_gcd.o bn_prime.o bn_err.o bn_sqr.o $(BN_ASM) \
+ bn_recp.o bn_mont.o bn_mpi.o bn_exp2.o bn_gf2m.o bn_nist.o \
+- bn_depr.o bn_const.o
++ bn_depr.o bn_const.o bn_x931p.o
+
+ SRC= $(LIBSRC)
+
+diff -up openssl-1.0.0f/crypto/camellia/asm/cmll-x86.pl.fips openssl-1.0.0f/crypto/camellia/asm/cmll-x86.pl
+--- openssl-1.0.0f/crypto/camellia/asm/cmll-x86.pl.fips 2009-04-06 16:25:02.000000000 +0200
++++ openssl-1.0.0f/crypto/camellia/asm/cmll-x86.pl 2012-01-05 13:22:30.000000000 +0100
+@@ -722,12 +722,15 @@ my $bias=int(@T[0])?shift(@T):0;
+ }
+ &function_end("Camellia_Ekeygen");
+
++$setkeyfunc = "Camellia_set_key";
++$setkeyfunc = "private_Camellia_set_key" if ($ENV{FIPS} ne "");
++
+ if ($OPENSSL) {
+ # int Camellia_set_key (
+ # const unsigned char *userKey,
+ # int bits,
+ # CAMELLIA_KEY *key)
+-&function_begin_B("Camellia_set_key");
++&function_begin_B($setkeyfunc);
+ &push ("ebx");
+ &mov ("ecx",&wparam(0)); # pull arguments
+ &mov ("ebx",&wparam(1));
+@@ -760,7 +763,7 @@ if ($OPENSSL) {
+ &set_label("done",4);
+ &pop ("ebx");
+ &ret ();
+-&function_end_B("Camellia_set_key");
++&function_end_B($setkeyfunc);
+ }
+
+ @SBOX=(
+diff -up openssl-1.0.0f/crypto/camellia/camellia.h.fips openssl-1.0.0f/crypto/camellia/camellia.h
+--- openssl-1.0.0f/crypto/camellia/camellia.h.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/crypto/camellia/camellia.h 2012-01-05 13:22:30.000000000 +0100
+@@ -88,6 +88,11 @@ struct camellia_key_st
+ };
+ typedef struct camellia_key_st CAMELLIA_KEY;
+
++#ifdef OPENSSL_FIPS
++int private_Camellia_set_key(const unsigned char *userKey, const int bits,
++ CAMELLIA_KEY *key);
++#endif
++
+ int Camellia_set_key(const unsigned char *userKey, const int bits,
+ CAMELLIA_KEY *key);
+
+diff -up openssl-1.0.0f/crypto/camellia/cmll_fblk.c.fips openssl-1.0.0f/crypto/camellia/cmll_fblk.c
+--- openssl-1.0.0f/crypto/camellia/cmll_fblk.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/camellia/cmll_fblk.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,68 @@
++/* crypto/camellia/camellia_misc.c -*- mode:C; c-file-style: "eay" -*- */
++/* ====================================================================
++ * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ */
++
++#include <openssl/opensslv.h>
++#include <openssl/camellia.h>
++#include "cmll_locl.h"
++#include <openssl/crypto.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++
++#ifdef OPENSSL_FIPS
++int Camellia_set_key(const unsigned char *userKey, const int bits,
++ CAMELLIA_KEY *key)
++ {
++ if (FIPS_mode())
++ FIPS_BAD_ABORT(CAMELLIA)
++ return private_Camellia_set_key(userKey, bits, key);
++ }
++#endif
+diff -up openssl-1.0.0f/crypto/camellia/cmll_misc.c.fips openssl-1.0.0f/crypto/camellia/cmll_misc.c
+--- openssl-1.0.0f/crypto/camellia/cmll_misc.c.fips 2008-10-28 13:13:52.000000000 +0100
++++ openssl-1.0.0f/crypto/camellia/cmll_misc.c 2012-01-05 13:22:30.000000000 +0100
+@@ -52,11 +52,20 @@
+ #include <openssl/opensslv.h>
+ #include <openssl/camellia.h>
+ #include "cmll_locl.h"
++#include <openssl/crypto.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
+
+ const char CAMELLIA_version[]="CAMELLIA" OPENSSL_VERSION_PTEXT;
+
++#ifdef OPENSSL_FIPS
++int private_Camellia_set_key(const unsigned char *userKey, const int bits,
++ CAMELLIA_KEY *key)
++#else
+ int Camellia_set_key(const unsigned char *userKey, const int bits,
+ CAMELLIA_KEY *key)
++#endif
+ {
+ if(!userKey || !key)
+ return -1;
+diff -up openssl-1.0.0f/crypto/camellia/Makefile.fips openssl-1.0.0f/crypto/camellia/Makefile
+--- openssl-1.0.0f/crypto/camellia/Makefile.fips 2008-12-23 12:33:00.000000000 +0100
++++ openssl-1.0.0f/crypto/camellia/Makefile 2012-01-05 13:22:30.000000000 +0100
+@@ -23,9 +23,9 @@ APPS=
+
+ LIB=$(TOP)/libcrypto.a
+ LIBSRC=camellia.c cmll_misc.c cmll_ecb.c cmll_cbc.c cmll_ofb.c \
+- cmll_cfb.c cmll_ctr.c
++ cmll_cfb.c cmll_ctr.c cmll_fblk.c
+
+-LIBOBJ= cmll_ecb.o cmll_ofb.o cmll_cfb.o cmll_ctr.o $(CMLL_ENC)
++LIBOBJ= cmll_ecb.o cmll_ofb.o cmll_cfb.o cmll_ctr.o $(CMLL_ENC) cmll_fblk.o
+
+ SRC= $(LIBSRC)
+
+diff -up openssl-1.0.0f/crypto/cast/cast.h.fips openssl-1.0.0f/crypto/cast/cast.h
+--- openssl-1.0.0f/crypto/cast/cast.h.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/crypto/cast/cast.h 2012-01-05 13:22:30.000000000 +0100
+@@ -83,7 +83,9 @@ typedef struct cast_key_st
+ int short_key; /* Use reduced rounds for short key */
+ } CAST_KEY;
+
+-
++#ifdef OPENSSL_FIPS
++void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
++#endif
+ void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
+ void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out, const CAST_KEY *key,
+ int enc);
+diff -up openssl-1.0.0f/crypto/cast/c_skey.c.fips openssl-1.0.0f/crypto/cast/c_skey.c
+--- openssl-1.0.0f/crypto/cast/c_skey.c.fips 2000-06-03 16:13:35.000000000 +0200
++++ openssl-1.0.0f/crypto/cast/c_skey.c 2012-01-05 13:22:30.000000000 +0100
+@@ -57,6 +57,11 @@
+ */
+
+ #include <openssl/cast.h>
++#include <openssl/crypto.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++
+ #include "cast_lcl.h"
+ #include "cast_s.h"
+
+@@ -72,7 +77,7 @@
+ #define S6 CAST_S_table6
+ #define S7 CAST_S_table7
+
+-void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data)
++FIPS_NON_FIPS_VCIPHER_Init(CAST)
+ {
+ CAST_LONG x[16];
+ CAST_LONG z[16];
+diff -up openssl-1.0.0f/crypto/crypto.h.fips openssl-1.0.0f/crypto/crypto.h
+--- openssl-1.0.0f/crypto/crypto.h.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/crypto/crypto.h 2012-01-05 13:22:30.000000000 +0100
+@@ -547,12 +547,70 @@ unsigned long *OPENSSL_ia32cap_loc(void)
+ #define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc()))
+ int OPENSSL_isservice(void);
+
++
++#ifdef OPENSSL_FIPS
++#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \
++ alg " previous FIPS forbidden algorithm error ignored");
++
++#define FIPS_BAD_ABORT(alg) OpenSSLDie(__FILE__, __LINE__, \
++ #alg " Algorithm forbidden in FIPS mode");
++
++#ifdef OPENSSL_FIPS_STRICT
++#define FIPS_BAD_ALGORITHM(alg) FIPS_BAD_ABORT(alg)
++#else
++#define FIPS_BAD_ALGORITHM(alg) \
++ { \
++ FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD); \
++ ERR_add_error_data(2, "Algorithm=", #alg); \
++ return 0; \
++ }
++#endif
++
++/* Low level digest API blocking macro */
++
++#define FIPS_NON_FIPS_MD_Init(alg) \
++ int alg##_Init(alg##_CTX *c) \
++ { \
++ if (FIPS_mode()) \
++ FIPS_BAD_ALGORITHM(alg) \
++ return private_##alg##_Init(c); \
++ } \
++ int private_##alg##_Init(alg##_CTX *c)
++
++/* For ciphers the API often varies from cipher to cipher and each needs to
++ * be treated as a special case. Variable key length ciphers (Blowfish, RC4,
++ * CAST) however are very similar and can use a blocking macro.
++ */
++
++#define FIPS_NON_FIPS_VCIPHER_Init(alg) \
++ void alg##_set_key(alg##_KEY *key, int len, const unsigned char *data) \
++ { \
++ if (FIPS_mode()) \
++ FIPS_BAD_ABORT(alg) \
++ private_##alg##_set_key(key, len, data); \
++ } \
++ void private_##alg##_set_key(alg##_KEY *key, int len, \
++ const unsigned char *data)
++
++#else
++
++#define FIPS_NON_FIPS_VCIPHER_Init(alg) \
++ void alg##_set_key(alg##_KEY *key, int len, const unsigned char *data)
++
++#define FIPS_NON_FIPS_MD_Init(alg) \
++ int alg##_Init(alg##_CTX *c)
++
++#endif /* def OPENSSL_FIPS */
++
+ /* BEGIN ERROR CODES */
+ /* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+ void ERR_load_CRYPTO_strings(void);
+
++#define OPENSSL_HAVE_INIT 1
++void OPENSSL_init_library(void);
++
+ /* Error codes for the CRYPTO functions. */
+
+ /* Function codes. */
+diff -up openssl-1.0.0f/crypto/dh/dh_err.c.fips openssl-1.0.0f/crypto/dh/dh_err.c
+--- openssl-1.0.0f/crypto/dh/dh_err.c.fips 2006-11-21 22:29:37.000000000 +0100
++++ openssl-1.0.0f/crypto/dh/dh_err.c 2012-01-05 13:22:30.000000000 +0100
+@@ -73,6 +73,8 @@ static ERR_STRING_DATA DH_str_functs[]=
+ {ERR_FUNC(DH_F_COMPUTE_KEY), "COMPUTE_KEY"},
+ {ERR_FUNC(DH_F_DHPARAMS_PRINT_FP), "DHparams_print_fp"},
+ {ERR_FUNC(DH_F_DH_BUILTIN_GENPARAMS), "DH_BUILTIN_GENPARAMS"},
++{ERR_FUNC(DH_F_DH_COMPUTE_KEY), "DH_compute_key"},
++{ERR_FUNC(DH_F_DH_GENERATE_KEY), "DH_generate_key"},
+ {ERR_FUNC(DH_F_DH_NEW_METHOD), "DH_new_method"},
+ {ERR_FUNC(DH_F_DH_PARAM_DECODE), "DH_PARAM_DECODE"},
+ {ERR_FUNC(DH_F_DH_PRIV_DECODE), "DH_PRIV_DECODE"},
+@@ -94,6 +96,7 @@ static ERR_STRING_DATA DH_str_reasons[]=
+ {ERR_REASON(DH_R_BN_ERROR) ,"bn error"},
+ {ERR_REASON(DH_R_DECODE_ERROR) ,"decode error"},
+ {ERR_REASON(DH_R_INVALID_PUBKEY) ,"invalid public key"},
++{ERR_REASON(DH_R_KEY_SIZE_TOO_SMALL) ,"key size too small"},
+ {ERR_REASON(DH_R_KEYS_NOT_SET) ,"keys not set"},
+ {ERR_REASON(DH_R_MODULUS_TOO_LARGE) ,"modulus too large"},
+ {ERR_REASON(DH_R_NO_PARAMETERS_SET) ,"no parameters set"},
+diff -up openssl-1.0.0f/crypto/dh/dh_gen.c.fips openssl-1.0.0f/crypto/dh/dh_gen.c
+--- openssl-1.0.0f/crypto/dh/dh_gen.c.fips 2005-04-26 20:53:15.000000000 +0200
++++ openssl-1.0.0f/crypto/dh/dh_gen.c 2012-01-05 13:22:30.000000000 +0100
+@@ -65,6 +65,10 @@
+ #include "cryptlib.h"
+ #include <openssl/bn.h>
+ #include <openssl/dh.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
+
+ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb);
+
+@@ -106,6 +110,20 @@ static int dh_builtin_genparams(DH *ret,
+ int g,ok= -1;
+ BN_CTX *ctx=NULL;
+
++#ifdef OPENSSL_FIPS
++ if(FIPS_selftest_failed())
++ {
++ FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS,FIPS_R_FIPS_SELFTEST_FAILED);
++ return 0;
++ }
++
++ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
++ {
++ DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
++ goto err;
++ }
++#endif
++
+ ctx=BN_CTX_new();
+ if (ctx == NULL) goto err;
+ BN_CTX_start(ctx);
+diff -up openssl-1.0.0f/crypto/dh/dh.h.fips openssl-1.0.0f/crypto/dh/dh.h
+--- openssl-1.0.0f/crypto/dh/dh.h.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/crypto/dh/dh.h 2012-01-05 13:22:30.000000000 +0100
+@@ -77,6 +77,8 @@
+ # define OPENSSL_DH_MAX_MODULUS_BITS 10000
+ #endif
+
++#define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
++
+ #define DH_FLAG_CACHE_MONT_P 0x01
+ #define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
+ * implementation now uses constant time
+@@ -241,6 +243,8 @@ void ERR_load_DH_strings(void);
+ #define DH_F_GENERATE_PARAMETERS 104
+ #define DH_F_PKEY_DH_DERIVE 112
+ #define DH_F_PKEY_DH_KEYGEN 113
++#define DH_F_DH_COMPUTE_KEY 114
++#define DH_F_DH_GENERATE_KEY 115
+
+ /* Reason codes. */
+ #define DH_R_BAD_GENERATOR 101
+@@ -253,6 +257,7 @@ void ERR_load_DH_strings(void);
+ #define DH_R_NO_PARAMETERS_SET 107
+ #define DH_R_NO_PRIVATE_VALUE 100
+ #define DH_R_PARAMETER_ENCODING_ERROR 105
++#define DH_R_KEY_SIZE_TOO_SMALL 110
+
+ #ifdef __cplusplus
+ }
+diff -up openssl-1.0.0f/crypto/dh/dh_key.c.fips openssl-1.0.0f/crypto/dh/dh_key.c
+--- openssl-1.0.0f/crypto/dh/dh_key.c.fips 2007-03-28 02:15:23.000000000 +0200
++++ openssl-1.0.0f/crypto/dh/dh_key.c 2012-01-05 13:22:30.000000000 +0100
+@@ -61,6 +61,9 @@
+ #include <openssl/bn.h>
+ #include <openssl/rand.h>
+ #include <openssl/dh.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
+
+ static int generate_key(DH *dh);
+ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
+@@ -107,6 +110,14 @@ static int generate_key(DH *dh)
+ BN_MONT_CTX *mont=NULL;
+ BIGNUM *pub_key=NULL,*priv_key=NULL;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
++ {
++ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
++ return 0;
++ }
++#endif
++
+ ctx = BN_CTX_new();
+ if (ctx == NULL) goto err;
+
+@@ -184,6 +195,13 @@ static int compute_key(unsigned char *ke
+ DHerr(DH_F_COMPUTE_KEY,DH_R_MODULUS_TOO_LARGE);
+ goto err;
+ }
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
++ {
++ DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
++ goto err;
++ }
++#endif
+
+ ctx = BN_CTX_new();
+ if (ctx == NULL) goto err;
+@@ -251,6 +269,9 @@ static int dh_bn_mod_exp(const DH *dh, B
+
+ static int dh_init(DH *dh)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ dh->flags |= DH_FLAG_CACHE_MONT_P;
+ return(1);
+ }
+diff -up openssl-1.0.0f/crypto/dsa/dsa_gen.c.fips openssl-1.0.0f/crypto/dsa/dsa_gen.c
+--- openssl-1.0.0f/crypto/dsa/dsa_gen.c.fips 2010-06-15 19:25:07.000000000 +0200
++++ openssl-1.0.0f/crypto/dsa/dsa_gen.c 2012-01-05 13:22:30.000000000 +0100
+@@ -77,8 +77,12 @@
+ #include "cryptlib.h"
+ #include <openssl/evp.h>
+ #include <openssl/bn.h>
++#include <openssl/dsa.h>
+ #include <openssl/rand.h>
+ #include <openssl/sha.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
+ #include "dsa_locl.h"
+
+ int DSA_generate_parameters_ex(DSA *ret, int bits,
+@@ -126,6 +130,21 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ BN_CTX *ctx=NULL;
+ unsigned int h=2;
+
++#ifdef OPENSSL_FIPS
++ if(FIPS_selftest_failed())
++ {
++ FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN,
++ FIPS_R_FIPS_SELFTEST_FAILED);
++ goto err;
++ }
++
++ if (FIPS_mode() && (bits < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
++ {
++ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_TOO_SMALL);
++ goto err;
++ }
++#endif
++
+ if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH &&
+ qsize != SHA256_DIGEST_LENGTH)
+ /* invalid q size */
+diff -up openssl-1.0.0f/crypto/dsa/dsa.h.fips openssl-1.0.0f/crypto/dsa/dsa.h
+--- openssl-1.0.0f/crypto/dsa/dsa.h.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/crypto/dsa/dsa.h 2012-01-05 13:22:30.000000000 +0100
+@@ -88,6 +88,8 @@
+ # define OPENSSL_DSA_MAX_MODULUS_BITS 10000
+ #endif
+
++#define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
++
+ #define DSA_FLAG_CACHE_MONT_P 0x01
+ #define DSA_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DSA
+ * implementation now uses constant time
+@@ -97,6 +99,21 @@
+ * be used for all exponents.
+ */
+
++/* If this flag is set the DSA method is FIPS compliant and can be used
++ * in FIPS mode. This is set in the validated module method. If an
++ * application sets this flag in its own methods it is its reposibility
++ * to ensure the result is compliant.
++ */
++
++#define DSA_FLAG_FIPS_METHOD 0x0400
++
++/* If this flag is set the operations normally disabled in FIPS mode are
++ * permitted it is then the applications responsibility to ensure that the
++ * usage is compliant.
++ */
++
++#define DSA_FLAG_NON_FIPS_ALLOW 0x0400
++
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
+@@ -270,8 +287,11 @@ void ERR_load_DSA_strings(void);
+ #define DSA_F_DO_DSA_PRINT 104
+ #define DSA_F_DSAPARAMS_PRINT 100
+ #define DSA_F_DSAPARAMS_PRINT_FP 101
++#define DSA_F_DSA_BUILTIN_KEYGEN 124
++#define DSA_F_DSA_BUILTIN_PARAMGEN 123
+ #define DSA_F_DSA_DO_SIGN 112
+ #define DSA_F_DSA_DO_VERIFY 113
++#define DSA_F_DSA_GENERATE_PARAMETERS 125
+ #define DSA_F_DSA_NEW_METHOD 103
+ #define DSA_F_DSA_PARAM_DECODE 119
+ #define DSA_F_DSA_PRINT_FP 105
+@@ -296,9 +316,12 @@ void ERR_load_DSA_strings(void);
+ #define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100
+ #define DSA_R_DECODE_ERROR 104
+ #define DSA_R_INVALID_DIGEST_TYPE 106
++#define DSA_R_KEY_SIZE_TOO_SMALL 110
+ #define DSA_R_MISSING_PARAMETERS 101
+ #define DSA_R_MODULUS_TOO_LARGE 103
++#define DSA_R_NON_FIPS_METHOD 111
+ #define DSA_R_NO_PARAMETERS_SET 107
++#define DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 112
+ #define DSA_R_PARAMETER_ENCODING_ERROR 105
+
+ #ifdef __cplusplus
+diff -up openssl-1.0.0f/crypto/dsa/dsa_key.c.fips openssl-1.0.0f/crypto/dsa/dsa_key.c
+--- openssl-1.0.0f/crypto/dsa/dsa_key.c.fips 2007-03-28 02:15:25.000000000 +0200
++++ openssl-1.0.0f/crypto/dsa/dsa_key.c 2012-01-05 13:22:30.000000000 +0100
+@@ -63,9 +63,55 @@
+ #include <openssl/bn.h>
+ #include <openssl/dsa.h>
+ #include <openssl/rand.h>
++#include <openssl/err.h>
++#include <openssl/evp.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++#include "fips_locl.h"
+
+ static int dsa_builtin_keygen(DSA *dsa);
+
++#ifdef OPENSSL_FIPS
++
++static int fips_dsa_pairwise_fail = 0;
++
++void FIPS_corrupt_dsa_keygen(void)
++ {
++ fips_dsa_pairwise_fail = 1;
++ }
++
++int fips_check_dsa(DSA *dsa)
++ {
++ EVP_PKEY *pk;
++ unsigned char tbs[] = "DSA Pairwise Check Data";
++ int ret = 0;
++
++ if ((pk=EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_set1_DSA(pk, dsa);
++
++ if (!fips_pkey_signature_test(pk, tbs, -1,
++ NULL, 0, EVP_sha1(), 0, NULL))
++ goto err;
++
++ ret = 1;
++
++err:
++ if (ret == 0)
++ {
++ fips_set_selftest_fail();
++ FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED);
++ }
++
++ if (pk)
++ EVP_PKEY_free(pk);
++
++ return ret;
++ }
++#endif
++
+ int DSA_generate_key(DSA *dsa)
+ {
+ if(dsa->meth->dsa_keygen)
+@@ -79,6 +125,14 @@ static int dsa_builtin_keygen(DSA *dsa)
+ BN_CTX *ctx=NULL;
+ BIGNUM *pub_key=NULL,*priv_key=NULL;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
++ {
++ DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
++ goto err;
++ }
++#endif
++
+ if ((ctx=BN_CTX_new()) == NULL) goto err;
+
+ if (dsa->priv_key == NULL)
+@@ -117,6 +171,15 @@ static int dsa_builtin_keygen(DSA *dsa)
+
+ dsa->priv_key=priv_key;
+ dsa->pub_key=pub_key;
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode())
++ {
++ if (fips_dsa_pairwise_fail)
++ BN_add_word(dsa->pub_key, 1);
++ if(!fips_check_dsa(dsa))
++ goto err;
++ }
++#endif
+ ok=1;
+
+ err:
+diff -up openssl-1.0.0f/crypto/dsa/dsa_ossl.c.fips openssl-1.0.0f/crypto/dsa/dsa_ossl.c
+--- openssl-1.0.0f/crypto/dsa/dsa_ossl.c.fips 2011-02-01 13:54:04.000000000 +0100
++++ openssl-1.0.0f/crypto/dsa/dsa_ossl.c 2012-01-05 13:22:30.000000000 +0100
+@@ -65,6 +65,9 @@
+ #include <openssl/dsa.h>
+ #include <openssl/rand.h>
+ #include <openssl/asn1.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
+
+ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
+@@ -82,7 +85,7 @@ NULL, /* dsa_mod_exp, */
+ NULL, /* dsa_bn_mod_exp, */
+ dsa_init,
+ dsa_finish,
+-0,
++DSA_FLAG_FIPS_METHOD,
+ NULL,
+ NULL,
+ NULL
+@@ -137,6 +140,20 @@ static DSA_SIG *dsa_do_sign(const unsign
+ int reason=ERR_R_BN_LIB;
+ DSA_SIG *ret=NULL;
+
++#ifdef OPENSSL_FIPS
++ if(FIPS_selftest_failed())
++ {
++ FIPSerr(FIPS_F_DSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED);
++ return NULL;
++ }
++
++ if (FIPS_mode() && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
++ {
++ DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
++ return NULL;
++ }
++#endif
++
+ BN_init(&m);
+ BN_init(&xr);
+
+@@ -303,6 +320,20 @@ static int dsa_do_verify(const unsigned
+ return -1;
+ }
+
++#ifdef OPENSSL_FIPS
++ if(FIPS_selftest_failed())
++ {
++ FIPSerr(FIPS_F_DSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED);
++ return -1;
++ }
++
++ if (FIPS_mode() && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
++ {
++ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++#endif
++
+ i = BN_num_bits(dsa->q);
+ /* fips 186-3 allows only different sizes for q */
+ if (i != 160 && i != 224 && i != 256)
+@@ -385,6 +416,9 @@ static int dsa_do_verify(const unsigned
+
+ static int dsa_init(DSA *dsa)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ dsa->flags|=DSA_FLAG_CACHE_MONT_P;
+ return(1);
+ }
+diff -up openssl-1.0.0f/crypto/err/err_all.c.fips openssl-1.0.0f/crypto/err/err_all.c
+--- openssl-1.0.0f/crypto/err/err_all.c.fips 2009-08-09 16:58:05.000000000 +0200
++++ openssl-1.0.0f/crypto/err/err_all.c 2012-01-05 13:22:30.000000000 +0100
+@@ -96,6 +96,9 @@
+ #include <openssl/ocsp.h>
+ #include <openssl/err.h>
+ #include <openssl/ts.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
+ #ifndef OPENSSL_NO_CMS
+ #include <openssl/cms.h>
+ #endif
+@@ -149,6 +152,9 @@ void ERR_load_crypto_strings(void)
+ #endif
+ ERR_load_OCSP_strings();
+ ERR_load_UI_strings();
++#ifdef OPENSSL_FIPS
++ ERR_load_FIPS_strings();
++#endif
+ #ifndef OPENSSL_NO_CMS
+ ERR_load_CMS_strings();
+ #endif
+diff -up openssl-1.0.0f/crypto/evp/digest.c.fips openssl-1.0.0f/crypto/evp/digest.c
+--- openssl-1.0.0f/crypto/evp/digest.c.fips 2010-03-05 14:33:43.000000000 +0100
++++ openssl-1.0.0f/crypto/evp/digest.c 2012-01-05 13:22:30.000000000 +0100
+@@ -116,6 +116,7 @@
+ #ifndef OPENSSL_NO_ENGINE
+ #include <openssl/engine.h>
+ #endif
++#include "evp_locl.h"
+
+ void EVP_MD_CTX_init(EVP_MD_CTX *ctx)
+ {
+@@ -138,9 +139,50 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons
+ return EVP_DigestInit_ex(ctx, type, NULL);
+ }
+
++#ifdef OPENSSL_FIPS
++
++/* The purpose of these is to trap programs that attempt to use non FIPS
++ * algorithms in FIPS mode and ignore the errors.
++ */
++
++static int bad_init(EVP_MD_CTX *ctx)
++ { FIPS_ERROR_IGNORED("Digest init"); return 0;}
++
++static int bad_update(EVP_MD_CTX *ctx,const void *data,size_t count)
++ { FIPS_ERROR_IGNORED("Digest update"); return 0;}
++
++static int bad_final(EVP_MD_CTX *ctx,unsigned char *md)
++ { FIPS_ERROR_IGNORED("Digest Final"); return 0;}
++
++static const EVP_MD bad_md =
++ {
++ 0,
++ 0,
++ 0,
++ 0,
++ bad_init,
++ bad_update,
++ bad_final,
++ NULL,
++ NULL,
++ NULL,
++ 0,
++ {0,0,0,0},
++ };
++
++#endif
++
+ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
+ {
+ EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
++#ifdef OPENSSL_FIPS
++ if(FIPS_selftest_failed())
++ {
++ FIPSerr(FIPS_F_EVP_DIGESTINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED);
++ ctx->digest = &bad_md;
++ return 0;
++ }
++#endif
+ #ifndef OPENSSL_NO_ENGINE
+ /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
+ * so this context may already have an ENGINE! Try to avoid releasing
+@@ -197,6 +239,18 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
+ #endif
+ if (ctx->digest != type)
+ {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode())
++ {
++ if (!(type->flags & EVP_MD_FLAG_FIPS)
++ && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))
++ {
++ EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
++ ctx->digest = &bad_md;
++ return 0;
++ }
++ }
++#endif
+ if (ctx->digest && ctx->digest->ctx_size)
+ OPENSSL_free(ctx->md_data);
+ ctx->digest=type;
+@@ -230,6 +284,9 @@ skip_to_init:
+
+ int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ return ctx->update(ctx,data,count);
+ }
+
+@@ -246,6 +303,9 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, uns
+ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
+ {
+ int ret;
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+
+ OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
+ ret=ctx->digest->final(ctx,md);
+diff -up openssl-1.0.0f/crypto/evp/e_aes.c.fips openssl-1.0.0f/crypto/evp/e_aes.c
+--- openssl-1.0.0f/crypto/evp/e_aes.c.fips 2004-01-28 20:05:33.000000000 +0100
++++ openssl-1.0.0f/crypto/evp/e_aes.c 2012-01-05 13:22:30.000000000 +0100
+@@ -69,32 +69,29 @@ typedef struct
+
+ IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY,
+ NID_aes_128, 16, 16, 16, 128,
+- 0, aes_init_key, NULL,
+- EVP_CIPHER_set_asn1_iv,
+- EVP_CIPHER_get_asn1_iv,
+- NULL)
++ EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
++ aes_init_key,
++ NULL, NULL, NULL, NULL)
+ IMPLEMENT_BLOCK_CIPHER(aes_192, ks, AES, EVP_AES_KEY,
+ NID_aes_192, 16, 24, 16, 128,
+- 0, aes_init_key, NULL,
+- EVP_CIPHER_set_asn1_iv,
+- EVP_CIPHER_get_asn1_iv,
+- NULL)
++ EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
++ aes_init_key,
++ NULL, NULL, NULL, NULL)
+ IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY,
+ NID_aes_256, 16, 32, 16, 128,
+- 0, aes_init_key, NULL,
+- EVP_CIPHER_set_asn1_iv,
+- EVP_CIPHER_get_asn1_iv,
+- NULL)
+-
+-#define IMPLEMENT_AES_CFBR(ksize,cbits) IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16)
+-
+-IMPLEMENT_AES_CFBR(128,1)
+-IMPLEMENT_AES_CFBR(192,1)
+-IMPLEMENT_AES_CFBR(256,1)
+-
+-IMPLEMENT_AES_CFBR(128,8)
+-IMPLEMENT_AES_CFBR(192,8)
+-IMPLEMENT_AES_CFBR(256,8)
++ EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
++ aes_init_key,
++ NULL, NULL, NULL, NULL)
++
++#define IMPLEMENT_AES_CFBR(ksize,cbits,flags) IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16,flags)
++
++IMPLEMENT_AES_CFBR(128,1,EVP_CIPH_FLAG_FIPS)
++IMPLEMENT_AES_CFBR(192,1,EVP_CIPH_FLAG_FIPS)
++IMPLEMENT_AES_CFBR(256,1,EVP_CIPH_FLAG_FIPS)
++
++IMPLEMENT_AES_CFBR(128,8,EVP_CIPH_FLAG_FIPS)
++IMPLEMENT_AES_CFBR(192,8,EVP_CIPH_FLAG_FIPS)
++IMPLEMENT_AES_CFBR(256,8,EVP_CIPH_FLAG_FIPS)
+
+ static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+ const unsigned char *iv, int enc)
+diff -up openssl-1.0.0f/crypto/evp/e_camellia.c.fips openssl-1.0.0f/crypto/evp/e_camellia.c
+--- openssl-1.0.0f/crypto/evp/e_camellia.c.fips 2006-08-31 22:56:20.000000000 +0200
++++ openssl-1.0.0f/crypto/evp/e_camellia.c 2012-01-05 13:22:30.000000000 +0100
+@@ -93,7 +93,7 @@ IMPLEMENT_BLOCK_CIPHER(camellia_256, ks,
+ EVP_CIPHER_get_asn1_iv,
+ NULL)
+
+-#define IMPLEMENT_CAMELLIA_CFBR(ksize,cbits) IMPLEMENT_CFBR(camellia,Camellia,EVP_CAMELLIA_KEY,ks,ksize,cbits,16)
++#define IMPLEMENT_CAMELLIA_CFBR(ksize,cbits) IMPLEMENT_CFBR(camellia,Camellia,EVP_CAMELLIA_KEY,ks,ksize,cbits,16,0)
+
+ IMPLEMENT_CAMELLIA_CFBR(128,1)
+ IMPLEMENT_CAMELLIA_CFBR(192,1)
+diff -up openssl-1.0.0f/crypto/evp/e_des3.c.fips openssl-1.0.0f/crypto/evp/e_des3.c
+--- openssl-1.0.0f/crypto/evp/e_des3.c.fips 2008-12-29 13:35:47.000000000 +0100
++++ openssl-1.0.0f/crypto/evp/e_des3.c 2012-01-05 13:22:30.000000000 +0100
+@@ -206,9 +206,9 @@ static int des_ede3_cfb8_cipher(EVP_CIPH
+ }
+
+ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
+- EVP_CIPH_RAND_KEY, des_ede_init_key, NULL,
+- EVP_CIPHER_set_asn1_iv,
+- EVP_CIPHER_get_asn1_iv,
++ EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
++ des_ede_init_key,
++ NULL, NULL, NULL,
+ des3_ctrl)
+
+ #define des_ede3_cfb64_cipher des_ede_cfb64_cipher
+@@ -217,21 +217,21 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY,
+ #define des_ede3_ecb_cipher des_ede_ecb_cipher
+
+ BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
+- EVP_CIPH_RAND_KEY, des_ede3_init_key, NULL,
+- EVP_CIPHER_set_asn1_iv,
+- EVP_CIPHER_get_asn1_iv,
++ EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
++ des_ede3_init_key,
++ NULL, NULL, NULL,
+ des3_ctrl)
+
+ BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1,
+- EVP_CIPH_RAND_KEY, des_ede3_init_key,NULL,
+- EVP_CIPHER_set_asn1_iv,
+- EVP_CIPHER_get_asn1_iv,
++ EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
++ des_ede3_init_key,
++ NULL, NULL, NULL,
+ des3_ctrl)
+
+ BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8,
+- EVP_CIPH_RAND_KEY, des_ede3_init_key,NULL,
+- EVP_CIPHER_set_asn1_iv,
+- EVP_CIPHER_get_asn1_iv,
++ EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
++ des_ede3_init_key,
++ NULL, NULL, NULL,
+ des3_ctrl)
+
+ static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+diff -up openssl-1.0.0f/crypto/evp/e_null.c.fips openssl-1.0.0f/crypto/evp/e_null.c
+--- openssl-1.0.0f/crypto/evp/e_null.c.fips 2008-10-31 20:48:24.000000000 +0100
++++ openssl-1.0.0f/crypto/evp/e_null.c 2012-01-05 13:22:30.000000000 +0100
+@@ -69,7 +69,7 @@ static const EVP_CIPHER n_cipher=
+ {
+ NID_undef,
+ 1,0,0,
+- 0,
++ EVP_CIPH_FLAG_FIPS,
+ null_init_key,
+ null_cipher,
+ NULL,
+diff -up openssl-1.0.0f/crypto/evp/e_rc4.c.fips openssl-1.0.0f/crypto/evp/e_rc4.c
+--- openssl-1.0.0f/crypto/evp/e_rc4.c.fips 2008-10-31 20:48:24.000000000 +0100
++++ openssl-1.0.0f/crypto/evp/e_rc4.c 2012-01-05 13:22:30.000000000 +0100
+@@ -64,6 +64,7 @@
+ #include <openssl/evp.h>
+ #include <openssl/objects.h>
+ #include <openssl/rc4.h>
++#include "evp_locl.h"
+
+ /* FIXME: surely this is available elsewhere? */
+ #define EVP_RC4_KEY_SIZE 16
+diff -up openssl-1.0.0f/crypto/evp/evp_enc.c.fips openssl-1.0.0f/crypto/evp/evp_enc.c
+--- openssl-1.0.0f/crypto/evp/evp_enc.c.fips 2010-10-12 01:24:49.000000000 +0200
++++ openssl-1.0.0f/crypto/evp/evp_enc.c 2012-01-05 13:22:30.000000000 +0100
+@@ -68,8 +68,53 @@
+
+ const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT;
+
++#ifdef OPENSSL_FIPS
++
++/* The purpose of these is to trap programs that attempt to use non FIPS
++ * algorithms in FIPS mode and ignore the errors.
++ */
++
++static int bad_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
++ const unsigned char *iv, int enc)
++ { FIPS_ERROR_IGNORED("Cipher init"); return 0;}
++
++static int bad_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
++ const unsigned char *in, unsigned int inl)
++ { FIPS_ERROR_IGNORED("Cipher update"); return 0;}
++
++/* NB: no cleanup because it is allowed after failed init */
++
++static int bad_set_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
++ { FIPS_ERROR_IGNORED("Cipher set_asn1"); return 0;}
++static int bad_get_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
++ { FIPS_ERROR_IGNORED("Cipher get_asn1"); return 0;}
++static int bad_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
++ { FIPS_ERROR_IGNORED("Cipher ctrl"); return 0;}
++
++static const EVP_CIPHER bad_cipher =
++ {
++ 0,
++ 0,
++ 0,
++ 0,
++ 0,
++ bad_init,
++ bad_do_cipher,
++ NULL,
++ 0,
++ bad_set_asn1,
++ bad_get_asn1,
++ bad_ctrl,
++ NULL
++ };
++
++#endif
++
+ void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ memset(ctx,0,sizeof(EVP_CIPHER_CTX));
+ /* ctx->cipher=NULL; */
+ }
+@@ -101,6 +146,14 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
+ enc = 1;
+ ctx->encrypt = enc;
+ }
++#ifdef OPENSSL_FIPS
++ if(FIPS_selftest_failed())
++ {
++ FIPSerr(FIPS_F_EVP_CIPHERINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED);
++ ctx->cipher = &bad_cipher;
++ return 0;
++ }
++#endif
+ #ifndef OPENSSL_NO_ENGINE
+ /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
+ * so this context may already have an ENGINE! Try to avoid releasing
+@@ -220,6 +273,22 @@ skip_to_init:
+ }
+ }
+
++#ifdef OPENSSL_FIPS
++ /* After 'key' is set no further parameters changes are permissible.
++ * So only check for non FIPS enabling at this point.
++ */
++ if (key && FIPS_mode())
++ {
++ if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS)
++ & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
++ {
++ EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS);
++ ctx->cipher = &bad_cipher;
++ return 0;
++ }
++ }
++#endif
++
+ if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
+ if(!ctx->cipher->init(ctx,key,iv,enc)) return 0;
+ }
+diff -up openssl-1.0.0f/crypto/evp/evp_err.c.fips openssl-1.0.0f/crypto/evp/evp_err.c
+--- openssl-1.0.0f/crypto/evp/evp_err.c.fips 2010-02-07 14:41:23.000000000 +0100
++++ openssl-1.0.0f/crypto/evp/evp_err.c 2012-01-05 13:22:30.000000000 +0100
+@@ -155,6 +155,7 @@ static ERR_STRING_DATA EVP_str_reasons[]
+ {ERR_REASON(EVP_R_DECODE_ERROR) ,"decode error"},
+ {ERR_REASON(EVP_R_DIFFERENT_KEY_TYPES) ,"different key types"},
+ {ERR_REASON(EVP_R_DIFFERENT_PARAMETERS) ,"different parameters"},
++{ERR_REASON(EVP_R_DISABLED_FOR_FIPS) ,"disabled for fips"},
+ {ERR_REASON(EVP_R_ENCODE_ERROR) ,"encode error"},
+ {ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe cipherinit error"},
+ {ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY) ,"expecting an rsa key"},
+diff -up openssl-1.0.0f/crypto/evp/evp.h.fips openssl-1.0.0f/crypto/evp/evp.h
+--- openssl-1.0.0f/crypto/evp/evp.h.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/crypto/evp/evp.h 2012-01-05 13:22:30.000000000 +0100
+@@ -75,6 +75,10 @@
+ #include <openssl/bio.h>
+ #endif
+
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++
+ /*
+ #define EVP_RC2_KEY_SIZE 16
+ #define EVP_RC4_KEY_SIZE 16
+@@ -197,6 +201,8 @@ typedef int evp_verify_method(int type,c
+
+ #define EVP_MD_FLAG_PKEY_METHOD_SIGNATURE 0x0004
+
++#define EVP_MD_FLAG_FIPS 0x0400 /* Note if suitable for use in FIPS mode */
++
+ /* DigestAlgorithmIdentifier flags... */
+
+ #define EVP_MD_FLAG_DIGALGID_MASK 0x0018
+@@ -269,10 +275,6 @@ struct env_md_ctx_st
+ * cleaned */
+ #define EVP_MD_CTX_FLAG_REUSE 0x0004 /* Don't free up ctx->md_data
+ * in EVP_MD_CTX_cleanup */
+-/* FIPS and pad options are ignored in 1.0.0, definitions are here
+- * so we don't accidentally reuse the values for other purposes.
+- */
+-
+ #define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008 /* Allow use of non FIPS digest
+ * in FIPS mode */
+
+@@ -284,6 +286,10 @@ struct env_md_ctx_st
+ #define EVP_MD_CTX_FLAG_PAD_PKCS1 0x00 /* PKCS#1 v1.5 mode */
+ #define EVP_MD_CTX_FLAG_PAD_X931 0x10 /* X9.31 mode */
+ #define EVP_MD_CTX_FLAG_PAD_PSS 0x20 /* PSS mode */
++#define M_EVP_MD_CTX_FLAG_PSS_SALT(ctx) \
++ ((ctx->flags>>16) &0xFFFF) /* seed length */
++#define EVP_MD_CTX_FLAG_PSS_MDLEN 0xFFFF /* salt len same as digest */
++#define EVP_MD_CTX_FLAG_PSS_MREC 0xFFFE /* salt max or auto recovered */
+
+ #define EVP_MD_CTX_FLAG_NO_INIT 0x0100 /* Don't initialize md_data */
+
+@@ -330,12 +336,16 @@ struct evp_cipher_st
+ #define EVP_CIPH_NO_PADDING 0x100
+ /* cipher handles random key generation */
+ #define EVP_CIPH_RAND_KEY 0x200
+-/* cipher has its own additional copying logic */
+-#define EVP_CIPH_CUSTOM_COPY 0x400
++/* Note if suitable for use in FIPS mode */
++#define EVP_CIPH_FLAG_FIPS 0x400
++/* Allow non FIPS cipher in FIPS mode */
++#define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x800
+ /* Allow use default ASN1 get/set iv */
+ #define EVP_CIPH_FLAG_DEFAULT_ASN1 0x1000
+ /* Buffer length in bits not bytes: CFB1 mode only */
+ #define EVP_CIPH_FLAG_LENGTH_BITS 0x2000
++/* cipher has its own additional copying logic */
++#define EVP_CIPH_CUSTOM_COPY 0x4000
+
+ /* ctrl() values */
+
+@@ -1239,6 +1249,7 @@ void ERR_load_EVP_strings(void);
+ #define EVP_R_DECODE_ERROR 114
+ #define EVP_R_DIFFERENT_KEY_TYPES 101
+ #define EVP_R_DIFFERENT_PARAMETERS 153
++#define EVP_R_DISABLED_FOR_FIPS 160
+ #define EVP_R_ENCODE_ERROR 115
+ #define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119
+ #define EVP_R_EXPECTING_AN_RSA_KEY 127
+diff -up openssl-1.0.0f/crypto/evp/evp_lib.c.fips openssl-1.0.0f/crypto/evp/evp_lib.c
+--- openssl-1.0.0f/crypto/evp/evp_lib.c.fips 2010-01-26 15:33:51.000000000 +0100
++++ openssl-1.0.0f/crypto/evp/evp_lib.c 2012-01-05 13:22:30.000000000 +0100
+@@ -67,6 +67,8 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_
+
+ if (c->cipher->set_asn1_parameters != NULL)
+ ret=c->cipher->set_asn1_parameters(c,type);
++ else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1)
++ ret=EVP_CIPHER_set_asn1_iv(c, type);
+ else
+ ret=-1;
+ return(ret);
+@@ -78,6 +80,8 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_
+
+ if (c->cipher->get_asn1_parameters != NULL)
+ ret=c->cipher->get_asn1_parameters(c,type);
++ else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1)
++ ret=EVP_CIPHER_get_asn1_iv(c, type);
+ else
+ ret=-1;
+ return(ret);
+@@ -186,6 +190,9 @@ int EVP_CIPHER_CTX_block_size(const EVP_
+
+ int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ return ctx->cipher->do_cipher(ctx,out,in,inl);
+ }
+
+diff -up openssl-1.0.0f/crypto/evp/evp_locl.h.fips openssl-1.0.0f/crypto/evp/evp_locl.h
+--- openssl-1.0.0f/crypto/evp/evp_locl.h.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/crypto/evp/evp_locl.h 2012-01-05 13:22:30.000000000 +0100
+@@ -254,14 +254,32 @@ const EVP_CIPHER *EVP_##cname##_ecb(void
+
+ #define EVP_C_DATA(kstruct, ctx) ((kstruct *)(ctx)->cipher_data)
+
+-#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len) \
++#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len,fl) \
+ BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \
+ BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \
+ NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \
+- 0, cipher##_init_key, NULL, \
+- EVP_CIPHER_set_asn1_iv, \
+- EVP_CIPHER_get_asn1_iv, \
+- NULL)
++ (fl)|EVP_CIPH_FLAG_DEFAULT_ASN1, \
++ cipher##_init_key, NULL, NULL, NULL, NULL)
++
++#ifdef OPENSSL_FIPS
++#define RC2_set_key private_RC2_set_key
++#define RC4_set_key private_RC4_set_key
++#define CAST_set_key private_CAST_set_key
++#define RC5_32_set_key private_RC5_32_set_key
++#define BF_set_key private_BF_set_key
++#define SEED_set_key private_SEED_set_key
++#define Camellia_set_key private_Camellia_set_key
++#define idea_set_encrypt_key private_idea_set_encrypt_key
++
++#define MD5_Init private_MD5_Init
++#define MD4_Init private_MD4_Init
++#define MD2_Init private_MD2_Init
++#define MDC2_Init private_MDC2_Init
++#define SHA_Init private_SHA_Init
++#define RIPEMD160_Init private_RIPEMD160_Init
++#define WHIRLPOOL_Init private_WHIRLPOOL_Init
++
++#endif
+
+ struct evp_pkey_ctx_st
+ {
+diff -up openssl-1.0.0f/crypto/evp/m_dss.c.fips openssl-1.0.0f/crypto/evp/m_dss.c
+--- openssl-1.0.0f/crypto/evp/m_dss.c.fips 2006-04-19 19:05:57.000000000 +0200
++++ openssl-1.0.0f/crypto/evp/m_dss.c 2012-01-05 13:22:30.000000000 +0100
+@@ -81,7 +81,7 @@ static const EVP_MD dsa_md=
+ NID_dsaWithSHA,
+ NID_dsaWithSHA,
+ SHA_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_DIGEST,
++ EVP_MD_FLAG_PKEY_DIGEST|EVP_MD_FLAG_FIPS,
+ init,
+ update,
+ final,
+diff -up openssl-1.0.0f/crypto/evp/m_dss1.c.fips openssl-1.0.0f/crypto/evp/m_dss1.c
+--- openssl-1.0.0f/crypto/evp/m_dss1.c.fips 2006-04-19 19:05:57.000000000 +0200
++++ openssl-1.0.0f/crypto/evp/m_dss1.c 2012-01-05 13:22:30.000000000 +0100
+@@ -82,7 +82,7 @@ static const EVP_MD dss1_md=
+ NID_dsa,
+ NID_dsaWithSHA1,
+ SHA_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_DIGEST,
++ EVP_MD_FLAG_PKEY_DIGEST|EVP_MD_FLAG_FIPS,
+ init,
+ update,
+ final,
+diff -up openssl-1.0.0f/crypto/evp/m_mdc2.c.fips openssl-1.0.0f/crypto/evp/m_mdc2.c
+--- openssl-1.0.0f/crypto/evp/m_mdc2.c.fips 2010-02-02 14:36:05.000000000 +0100
++++ openssl-1.0.0f/crypto/evp/m_mdc2.c 2012-01-05 13:22:30.000000000 +0100
+@@ -68,6 +68,7 @@
+ #ifndef OPENSSL_NO_RSA
+ #include <openssl/rsa.h>
+ #endif
++#include "evp_locl.h"
+
+ static int init(EVP_MD_CTX *ctx)
+ { return MDC2_Init(ctx->md_data); }
+diff -up openssl-1.0.0f/crypto/evp/m_md2.c.fips openssl-1.0.0f/crypto/evp/m_md2.c
+--- openssl-1.0.0f/crypto/evp/m_md2.c.fips 2005-07-16 14:37:32.000000000 +0200
++++ openssl-1.0.0f/crypto/evp/m_md2.c 2012-01-05 13:22:30.000000000 +0100
+@@ -68,6 +68,7 @@
+ #ifndef OPENSSL_NO_RSA
+ #include <openssl/rsa.h>
+ #endif
++#include "evp_locl.h"
+
+ static int init(EVP_MD_CTX *ctx)
+ { return MD2_Init(ctx->md_data); }
+diff -up openssl-1.0.0f/crypto/evp/m_md4.c.fips openssl-1.0.0f/crypto/evp/m_md4.c
+--- openssl-1.0.0f/crypto/evp/m_md4.c.fips 2005-07-16 14:37:32.000000000 +0200
++++ openssl-1.0.0f/crypto/evp/m_md4.c 2012-01-05 13:22:30.000000000 +0100
+@@ -68,6 +68,7 @@
+ #ifndef OPENSSL_NO_RSA
+ #include <openssl/rsa.h>
+ #endif
++#include "evp_locl.h"
+
+ static int init(EVP_MD_CTX *ctx)
+ { return MD4_Init(ctx->md_data); }
+diff -up openssl-1.0.0f/crypto/evp/m_md5.c.fips openssl-1.0.0f/crypto/evp/m_md5.c
+--- openssl-1.0.0f/crypto/evp/m_md5.c.fips 2005-07-16 14:37:32.000000000 +0200
++++ openssl-1.0.0f/crypto/evp/m_md5.c 2012-01-05 13:22:30.000000000 +0100
+@@ -68,6 +68,7 @@
+ #ifndef OPENSSL_NO_RSA
+ #include <openssl/rsa.h>
+ #endif
++#include "evp_locl.h"
+
+ static int init(EVP_MD_CTX *ctx)
+ { return MD5_Init(ctx->md_data); }
+diff -up openssl-1.0.0f/crypto/evp/m_ripemd.c.fips openssl-1.0.0f/crypto/evp/m_ripemd.c
+--- openssl-1.0.0f/crypto/evp/m_ripemd.c.fips 2005-07-16 14:37:32.000000000 +0200
++++ openssl-1.0.0f/crypto/evp/m_ripemd.c 2012-01-05 13:22:30.000000000 +0100
+@@ -68,6 +68,7 @@
+ #ifndef OPENSSL_NO_RSA
+ #include <openssl/rsa.h>
+ #endif
++#include "evp_locl.h"
+
+ static int init(EVP_MD_CTX *ctx)
+ { return RIPEMD160_Init(ctx->md_data); }
+diff -up openssl-1.0.0f/crypto/evp/m_sha1.c.fips openssl-1.0.0f/crypto/evp/m_sha1.c
+--- openssl-1.0.0f/crypto/evp/m_sha1.c.fips 2008-03-12 22:14:24.000000000 +0100
++++ openssl-1.0.0f/crypto/evp/m_sha1.c 2012-01-05 13:22:30.000000000 +0100
+@@ -82,7 +82,8 @@ static const EVP_MD sha1_md=
+ NID_sha1,
+ NID_sha1WithRSAEncryption,
+ SHA_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
++ EVP_MD_FLAG_FIPS,
+ init,
+ update,
+ final,
+@@ -119,7 +120,8 @@ static const EVP_MD sha224_md=
+ NID_sha224,
+ NID_sha224WithRSAEncryption,
+ SHA224_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
++ EVP_MD_FLAG_FIPS,
+ init224,
+ update256,
+ final256,
+@@ -138,7 +140,8 @@ static const EVP_MD sha256_md=
+ NID_sha256,
+ NID_sha256WithRSAEncryption,
+ SHA256_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
++ EVP_MD_FLAG_FIPS,
+ init256,
+ update256,
+ final256,
+@@ -169,7 +172,8 @@ static const EVP_MD sha384_md=
+ NID_sha384,
+ NID_sha384WithRSAEncryption,
+ SHA384_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
++ EVP_MD_FLAG_FIPS,
+ init384,
+ update512,
+ final512,
+@@ -188,7 +192,8 @@ static const EVP_MD sha512_md=
+ NID_sha512,
+ NID_sha512WithRSAEncryption,
+ SHA512_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
++ EVP_MD_FLAG_FIPS,
+ init512,
+ update512,
+ final512,
+diff -up openssl-1.0.0f/crypto/evp/m_wp.c.fips openssl-1.0.0f/crypto/evp/m_wp.c
+--- openssl-1.0.0f/crypto/evp/m_wp.c.fips 2005-11-30 21:57:23.000000000 +0100
++++ openssl-1.0.0f/crypto/evp/m_wp.c 2012-01-05 13:22:30.000000000 +0100
+@@ -9,6 +9,7 @@
+ #include <openssl/objects.h>
+ #include <openssl/x509.h>
+ #include <openssl/whrlpool.h>
++#include "evp_locl.h"
+
+ static int init(EVP_MD_CTX *ctx)
+ { return WHIRLPOOL_Init(ctx->md_data); }
+diff -up openssl-1.0.0f/crypto/evp/names.c.fips openssl-1.0.0f/crypto/evp/names.c
+--- openssl-1.0.0f/crypto/evp/names.c.fips 2010-03-06 21:47:45.000000000 +0100
++++ openssl-1.0.0f/crypto/evp/names.c 2012-01-05 13:22:30.000000000 +0100
+@@ -66,6 +66,10 @@ int EVP_add_cipher(const EVP_CIPHER *c)
+ {
+ int r;
+
++#ifdef OPENSSL_FIPS
++ OPENSSL_init_library();
++#endif
++
+ r=OBJ_NAME_add(OBJ_nid2sn(c->nid),OBJ_NAME_TYPE_CIPHER_METH,(const char *)c);
+ if (r == 0) return(0);
+ check_defer(c->nid);
+@@ -79,6 +83,10 @@ int EVP_add_digest(const EVP_MD *md)
+ int r;
+ const char *name;
+
++#ifdef OPENSSL_FIPS
++ OPENSSL_init_library();
++#endif
++
+ name=OBJ_nid2sn(md->type);
+ r=OBJ_NAME_add(name,OBJ_NAME_TYPE_MD_METH,(const char *)md);
+ if (r == 0) return(0);
+diff -up openssl-1.0.0f/crypto/evp/p_sign.c.fips openssl-1.0.0f/crypto/evp/p_sign.c
+--- openssl-1.0.0f/crypto/evp/p_sign.c.fips 2010-11-27 18:34:57.000000000 +0100
++++ openssl-1.0.0f/crypto/evp/p_sign.c 2012-01-05 13:22:30.000000000 +0100
+@@ -61,6 +61,7 @@
+ #include <openssl/evp.h>
+ #include <openssl/objects.h>
+ #include <openssl/x509.h>
++#include <openssl/rsa.h>
+
+ #ifdef undef
+ void EVP_SignInit(EVP_MD_CTX *ctx, EVP_MD *type)
+@@ -101,6 +102,22 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig
+ goto err;
+ if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
+ goto err;
++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
++ goto err;
++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS)
++ {
++ int saltlen;
++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
++ goto err;
++ saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
++ if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
++ saltlen = -1;
++ else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
++ saltlen = -2;
++ if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
++ goto err;
++ }
+ if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0)
+ goto err;
+ *siglen = sltmp;
+diff -up openssl-1.0.0f/crypto/evp/p_verify.c.fips openssl-1.0.0f/crypto/evp/p_verify.c
+--- openssl-1.0.0f/crypto/evp/p_verify.c.fips 2010-11-27 18:34:57.000000000 +0100
++++ openssl-1.0.0f/crypto/evp/p_verify.c 2012-01-05 13:22:30.000000000 +0100
+@@ -61,6 +61,7 @@
+ #include <openssl/evp.h>
+ #include <openssl/objects.h>
+ #include <openssl/x509.h>
++#include <openssl/rsa.h>
+
+ int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
+ unsigned int siglen, EVP_PKEY *pkey)
+@@ -86,6 +87,22 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, con
+ goto err;
+ if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
+ goto err;
++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
++ goto err;
++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS)
++ {
++ int saltlen;
++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
++ goto err;
++ saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
++ if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
++ saltlen = -1;
++ else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
++ saltlen = -2;
++ if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
++ goto err;
++ }
+ i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len);
+ err:
+ EVP_PKEY_CTX_free(pkctx);
+diff -up openssl-1.0.0f/crypto/fips/cavs/fips_aesavs.c.fips openssl-1.0.0f/crypto/fips/cavs/fips_aesavs.c
+--- openssl-1.0.0f/crypto/fips/cavs/fips_aesavs.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/cavs/fips_aesavs.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,939 @@
++/* ====================================================================
++ * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++/*---------------------------------------------
++ NIST AES Algorithm Validation Suite
++ Test Program
++
++ Donated to OpenSSL by:
++ V-ONE Corporation
++ 20250 Century Blvd, Suite 300
++ Germantown, MD 20874
++ U.S.A.
++ ----------------------------------------------*/
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <errno.h>
++#include <assert.h>
++#include <ctype.h>
++#include <openssl/aes.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++
++#include <openssl/err.h>
++#include "e_os.h"
++
++#ifndef OPENSSL_FIPS
++
++int main(int argc, char *argv[])
++{
++ printf("No FIPS AES support\n");
++ return(0);
++}
++
++#else
++
++#include <openssl/fips.h>
++#include "fips_utl.h"
++
++#define AES_BLOCK_SIZE 16
++
++#define VERBOSE 0
++
++/*-----------------------------------------------*/
++
++int AESTest(EVP_CIPHER_CTX *ctx,
++ char *amode, int akeysz, unsigned char *aKey,
++ unsigned char *iVec,
++ int dir, /* 0 = decrypt, 1 = encrypt */
++ unsigned char *plaintext, unsigned char *ciphertext, int len)
++ {
++ const EVP_CIPHER *cipher = NULL;
++
++ if (strcasecmp(amode, "CBC") == 0)
++ {
++ switch (akeysz)
++ {
++ case 128:
++ cipher = EVP_aes_128_cbc();
++ break;
++
++ case 192:
++ cipher = EVP_aes_192_cbc();
++ break;
++
++ case 256:
++ cipher = EVP_aes_256_cbc();
++ break;
++ }
++
++ }
++ else if (strcasecmp(amode, "ECB") == 0)
++ {
++ switch (akeysz)
++ {
++ case 128:
++ cipher = EVP_aes_128_ecb();
++ break;
++
++ case 192:
++ cipher = EVP_aes_192_ecb();
++ break;
++
++ case 256:
++ cipher = EVP_aes_256_ecb();
++ break;
++ }
++ }
++ else if (strcasecmp(amode, "CFB128") == 0)
++ {
++ switch (akeysz)
++ {
++ case 128:
++ cipher = EVP_aes_128_cfb128();
++ break;
++
++ case 192:
++ cipher = EVP_aes_192_cfb128();
++ break;
++
++ case 256:
++ cipher = EVP_aes_256_cfb128();
++ break;
++ }
++
++ }
++ else if (strncasecmp(amode, "OFB", 3) == 0)
++ {
++ switch (akeysz)
++ {
++ case 128:
++ cipher = EVP_aes_128_ofb();
++ break;
++
++ case 192:
++ cipher = EVP_aes_192_ofb();
++ break;
++
++ case 256:
++ cipher = EVP_aes_256_ofb();
++ break;
++ }
++ }
++ else if(!strcasecmp(amode,"CFB1"))
++ {
++ switch (akeysz)
++ {
++ case 128:
++ cipher = EVP_aes_128_cfb1();
++ break;
++
++ case 192:
++ cipher = EVP_aes_192_cfb1();
++ break;
++
++ case 256:
++ cipher = EVP_aes_256_cfb1();
++ break;
++ }
++ }
++ else if(!strcasecmp(amode,"CFB8"))
++ {
++ switch (akeysz)
++ {
++ case 128:
++ cipher = EVP_aes_128_cfb8();
++ break;
++
++ case 192:
++ cipher = EVP_aes_192_cfb8();
++ break;
++
++ case 256:
++ cipher = EVP_aes_256_cfb8();
++ break;
++ }
++ }
++ else
++ {
++ printf("Unknown mode: %s\n", amode);
++ return 0;
++ }
++ if (!cipher)
++ {
++ printf("Invalid key size: %d\n", akeysz);
++ return 0;
++ }
++ if (EVP_CipherInit_ex(ctx, cipher, NULL, aKey, iVec, dir) <= 0)
++ return 0;
++ if(!strcasecmp(amode,"CFB1"))
++ M_EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS);
++ if (dir)
++ EVP_Cipher(ctx, ciphertext, plaintext, len);
++ else
++ EVP_Cipher(ctx, plaintext, ciphertext, len);
++ return 1;
++ }
++
++/*-----------------------------------------------*/
++char *t_tag[2] = {"PLAINTEXT", "CIPHERTEXT"};
++char *t_mode[6] = {"CBC","ECB","OFB","CFB1","CFB8","CFB128"};
++enum Mode {CBC, ECB, OFB, CFB1, CFB8, CFB128};
++enum XCrypt {XDECRYPT, XENCRYPT};
++
++/*=============================*/
++/* Monte Carlo Tests */
++/*-----------------------------*/
++
++/*#define gb(a,b) (((a)[(b)/8] >> ((b)%8))&1)*/
++/*#define sb(a,b,v) ((a)[(b)/8]=((a)[(b)/8]&~(1 << ((b)%8)))|(!!(v) << ((b)%8)))*/
++
++#define gb(a,b) (((a)[(b)/8] >> (7-(b)%8))&1)
++#define sb(a,b,v) ((a)[(b)/8]=((a)[(b)/8]&~(1 << (7-(b)%8)))|(!!(v) << (7-(b)%8)))
++
++int do_mct(char *amode,
++ int akeysz, unsigned char *aKey,unsigned char *iVec,
++ int dir, unsigned char *text, int len,
++ FILE *rfp)
++ {
++ int ret = 0;
++ unsigned char key[101][32];
++ unsigned char iv[101][AES_BLOCK_SIZE];
++ unsigned char ptext[1001][32];
++ unsigned char ctext[1001][32];
++ unsigned char ciphertext[64+4];
++ int i, j, n, n1, n2;
++ int imode = 0, nkeysz = akeysz/8;
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++
++ if (len > 32)
++ {
++ printf("\n>>>> Length exceeds 32 for %s %d <<<<\n\n",
++ amode, akeysz);
++ return -1;
++ }
++ for (imode = 0; imode < 6; ++imode)
++ if (strcmp(amode, t_mode[imode]) == 0)
++ break;
++ if (imode == 6)
++ {
++ printf("Unrecognized mode: %s\n", amode);
++ return -1;
++ }
++
++ memcpy(key[0], aKey, nkeysz);
++ if (iVec)
++ memcpy(iv[0], iVec, AES_BLOCK_SIZE);
++ if (dir == XENCRYPT)
++ memcpy(ptext[0], text, len);
++ else
++ memcpy(ctext[0], text, len);
++ for (i = 0; i < 100; ++i)
++ {
++ /* printf("Iteration %d\n", i); */
++ if (i > 0)
++ {
++ fprintf(rfp,"COUNT = %d\n",i);
++ OutputValue("KEY",key[i],nkeysz,rfp,0);
++ if (imode != ECB) /* ECB */
++ OutputValue("IV",iv[i],AES_BLOCK_SIZE,rfp,0);
++ /* Output Ciphertext | Plaintext */
++ OutputValue(t_tag[dir^1],dir ? ptext[0] : ctext[0],len,rfp,
++ imode == CFB1);
++ }
++ for (j = 0; j < 1000; ++j)
++ {
++ switch (imode)
++ {
++ case ECB:
++ if (j == 0)
++ { /* set up encryption */
++ ret = AESTest(&ctx, amode, akeysz, key[i], NULL,
++ dir, /* 0 = decrypt, 1 = encrypt */
++ ptext[j], ctext[j], len);
++ if (dir == XENCRYPT)
++ memcpy(ptext[j+1], ctext[j], len);
++ else
++ memcpy(ctext[j+1], ptext[j], len);
++ }
++ else
++ {
++ if (dir == XENCRYPT)
++ {
++ EVP_Cipher(&ctx, ctext[j], ptext[j], len);
++ memcpy(ptext[j+1], ctext[j], len);
++ }
++ else
++ {
++ EVP_Cipher(&ctx, ptext[j], ctext[j], len);
++ memcpy(ctext[j+1], ptext[j], len);
++ }
++ }
++ break;
++
++ case CBC:
++ case OFB:
++ case CFB128:
++ if (j == 0)
++ {
++ ret = AESTest(&ctx, amode, akeysz, key[i], iv[i],
++ dir, /* 0 = decrypt, 1 = encrypt */
++ ptext[j], ctext[j], len);
++ if (dir == XENCRYPT)
++ memcpy(ptext[j+1], iv[i], len);
++ else
++ memcpy(ctext[j+1], iv[i], len);
++ }
++ else
++ {
++ if (dir == XENCRYPT)
++ {
++ EVP_Cipher(&ctx, ctext[j], ptext[j], len);
++ memcpy(ptext[j+1], ctext[j-1], len);
++ }
++ else
++ {
++ EVP_Cipher(&ctx, ptext[j], ctext[j], len);
++ memcpy(ctext[j+1], ptext[j-1], len);
++ }
++ }
++ break;
++
++ case CFB8:
++ if (j == 0)
++ {
++ ret = AESTest(&ctx, amode, akeysz, key[i], iv[i],
++ dir, /* 0 = decrypt, 1 = encrypt */
++ ptext[j], ctext[j], len);
++ }
++ else
++ {
++ if (dir == XENCRYPT)
++ EVP_Cipher(&ctx, ctext[j], ptext[j], len);
++ else
++ EVP_Cipher(&ctx, ptext[j], ctext[j], len);
++ }
++ if (dir == XENCRYPT)
++ {
++ if (j < 16)
++ memcpy(ptext[j+1], &iv[i][j], len);
++ else
++ memcpy(ptext[j+1], ctext[j-16], len);
++ }
++ else
++ {
++ if (j < 16)
++ memcpy(ctext[j+1], &iv[i][j], len);
++ else
++ memcpy(ctext[j+1], ptext[j-16], len);
++ }
++ break;
++
++ case CFB1:
++ if(j == 0)
++ {
++#if 0
++ /* compensate for wrong endianness of input file */
++ if(i == 0)
++ ptext[0][0]<<=7;
++#endif
++ ret = AESTest(&ctx,amode,akeysz,key[i],iv[i],dir,
++ ptext[j], ctext[j], len);
++ }
++ else
++ {
++ if (dir == XENCRYPT)
++ EVP_Cipher(&ctx, ctext[j], ptext[j], len);
++ else
++ EVP_Cipher(&ctx, ptext[j], ctext[j], len);
++
++ }
++ if(dir == XENCRYPT)
++ {
++ if(j < 128)
++ sb(ptext[j+1],0,gb(iv[i],j));
++ else
++ sb(ptext[j+1],0,gb(ctext[j-128],0));
++ }
++ else
++ {
++ if(j < 128)
++ sb(ctext[j+1],0,gb(iv[i],j));
++ else
++ sb(ctext[j+1],0,gb(ptext[j-128],0));
++ }
++ break;
++ }
++ }
++ --j; /* reset to last of range */
++ /* Output Ciphertext | Plaintext */
++ OutputValue(t_tag[dir],dir ? ctext[j] : ptext[j],len,rfp,
++ imode == CFB1);
++ fprintf(rfp, "\n"); /* add separator */
++
++ /* Compute next KEY */
++ if (dir == XENCRYPT)
++ {
++ if (imode == CFB8)
++ { /* ct = CT[j-15] || CT[j-14] || ... || CT[j] */
++ for (n1 = 0, n2 = nkeysz-1; n1 < nkeysz; ++n1, --n2)
++ ciphertext[n1] = ctext[j-n2][0];
++ }
++ else if(imode == CFB1)
++ {
++ for(n1=0,n2=akeysz-1 ; n1 < akeysz ; ++n1,--n2)
++ sb(ciphertext,n1,gb(ctext[j-n2],0));
++ }
++ else
++ switch (akeysz)
++ {
++ case 128:
++ memcpy(ciphertext, ctext[j], 16);
++ break;
++ case 192:
++ memcpy(ciphertext, ctext[j-1]+8, 8);
++ memcpy(ciphertext+8, ctext[j], 16);
++ break;
++ case 256:
++ memcpy(ciphertext, ctext[j-1], 16);
++ memcpy(ciphertext+16, ctext[j], 16);
++ break;
++ }
++ }
++ else
++ {
++ if (imode == CFB8)
++ { /* ct = CT[j-15] || CT[j-14] || ... || CT[j] */
++ for (n1 = 0, n2 = nkeysz-1; n1 < nkeysz; ++n1, --n2)
++ ciphertext[n1] = ptext[j-n2][0];
++ }
++ else if(imode == CFB1)
++ {
++ for(n1=0,n2=akeysz-1 ; n1 < akeysz ; ++n1,--n2)
++ sb(ciphertext,n1,gb(ptext[j-n2],0));
++ }
++ else
++ switch (akeysz)
++ {
++ case 128:
++ memcpy(ciphertext, ptext[j], 16);
++ break;
++ case 192:
++ memcpy(ciphertext, ptext[j-1]+8, 8);
++ memcpy(ciphertext+8, ptext[j], 16);
++ break;
++ case 256:
++ memcpy(ciphertext, ptext[j-1], 16);
++ memcpy(ciphertext+16, ptext[j], 16);
++ break;
++ }
++ }
++ /* Compute next key: Key[i+1] = Key[i] xor ct */
++ for (n = 0; n < nkeysz; ++n)
++ key[i+1][n] = key[i][n] ^ ciphertext[n];
++
++ /* Compute next IV and text */
++ if (dir == XENCRYPT)
++ {
++ switch (imode)
++ {
++ case ECB:
++ memcpy(ptext[0], ctext[j], AES_BLOCK_SIZE);
++ break;
++ case CBC:
++ case OFB:
++ case CFB128:
++ memcpy(iv[i+1], ctext[j], AES_BLOCK_SIZE);
++ memcpy(ptext[0], ctext[j-1], AES_BLOCK_SIZE);
++ break;
++ case CFB8:
++ /* IV[i+1] = ct */
++ for (n1 = 0, n2 = 15; n1 < 16; ++n1, --n2)
++ iv[i+1][n1] = ctext[j-n2][0];
++ ptext[0][0] = ctext[j-16][0];
++ break;
++ case CFB1:
++ for(n1=0,n2=127 ; n1 < 128 ; ++n1,--n2)
++ sb(iv[i+1],n1,gb(ctext[j-n2],0));
++ ptext[0][0]=ctext[j-128][0]&0x80;
++ break;
++ }
++ }
++ else
++ {
++ switch (imode)
++ {
++ case ECB:
++ memcpy(ctext[0], ptext[j], AES_BLOCK_SIZE);
++ break;
++ case CBC:
++ case OFB:
++ case CFB128:
++ memcpy(iv[i+1], ptext[j], AES_BLOCK_SIZE);
++ memcpy(ctext[0], ptext[j-1], AES_BLOCK_SIZE);
++ break;
++ case CFB8:
++ for (n1 = 0, n2 = 15; n1 < 16; ++n1, --n2)
++ iv[i+1][n1] = ptext[j-n2][0];
++ ctext[0][0] = ptext[j-16][0];
++ break;
++ case CFB1:
++ for(n1=0,n2=127 ; n1 < 128 ; ++n1,--n2)
++ sb(iv[i+1],n1,gb(ptext[j-n2],0));
++ ctext[0][0]=ptext[j-128][0]&0x80;
++ break;
++ }
++ }
++ }
++
++ return ret;
++ }
++
++/*================================================*/
++/*----------------------------
++ # Config info for v-one
++ # AESVS MMT test data for ECB
++ # State : Encrypt and Decrypt
++ # Key Length : 256
++ # Fri Aug 30 04:07:22 PM
++ ----------------------------*/
++
++int proc_file(char *rqfile, char *rspfile)
++ {
++ char afn[256], rfn[256];
++ FILE *afp = NULL, *rfp = NULL;
++ char ibuf[2048];
++ char tbuf[2048];
++ int ilen, len, ret = 0;
++ char algo[8] = "";
++ char amode[8] = "";
++ char atest[8] = "";
++ int akeysz = 0;
++ unsigned char iVec[20], aKey[40];
++ int dir = -1, err = 0, step = 0;
++ unsigned char plaintext[2048];
++ unsigned char ciphertext[2048];
++ char *rp;
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++
++ if (!rqfile || !(*rqfile))
++ {
++ printf("No req file\n");
++ return -1;
++ }
++ strcpy(afn, rqfile);
++
++ if ((afp = fopen(afn, "r")) == NULL)
++ {
++ printf("Cannot open file: %s, %s\n",
++ afn, strerror(errno));
++ return -1;
++ }
++ if (!rspfile)
++ {
++ strcpy(rfn,afn);
++ rp=strstr(rfn,"req/");
++#ifdef OPENSSL_SYS_WIN32
++ if (!rp)
++ rp=strstr(rfn,"req\\");
++#endif
++ assert(rp);
++ memcpy(rp,"rsp",3);
++ rp = strstr(rfn, ".req");
++ memcpy(rp, ".rsp", 4);
++ rspfile = rfn;
++ }
++ if ((rfp = fopen(rspfile, "w")) == NULL)
++ {
++ printf("Cannot open file: %s, %s\n",
++ rfn, strerror(errno));
++ fclose(afp);
++ afp = NULL;
++ return -1;
++ }
++ while (!err && (fgets(ibuf, sizeof(ibuf), afp)) != NULL)
++ {
++ tidy_line(tbuf, ibuf);
++ ilen = strlen(ibuf);
++ /* printf("step=%d ibuf=%s",step,ibuf); */
++ switch (step)
++ {
++ case 0: /* read preamble */
++ if (ibuf[0] == '\n')
++ { /* end of preamble */
++ if ((*algo == '\0') ||
++ (*amode == '\0') ||
++ (akeysz == 0))
++ {
++ printf("Missing Algorithm, Mode or KeySize (%s/%s/%d)\n",
++ algo,amode,akeysz);
++ err = 1;
++ }
++ else
++ {
++ fputs(ibuf, rfp);
++ ++ step;
++ }
++ }
++ else if (ibuf[0] != '#')
++ {
++ printf("Invalid preamble item: %s\n", ibuf);
++ err = 1;
++ }
++ else
++ { /* process preamble */
++ char *xp, *pp = ibuf+2;
++ int n;
++ if (akeysz)
++ { /* insert current time & date */
++ time_t rtim = time(0);
++ fprintf(rfp, "# %s", ctime(&rtim));
++ }
++ else
++ {
++ fputs(ibuf, rfp);
++ if (strncmp(pp, "AESVS ", 6) == 0)
++ {
++ strcpy(algo, "AES");
++ /* get test type */
++ pp += 6;
++ xp = strchr(pp, ' ');
++ n = xp-pp;
++ strncpy(atest, pp, n);
++ atest[n] = '\0';
++ /* get mode */
++ xp = strrchr(pp, ' '); /* get mode" */
++ n = strlen(xp+1)-1;
++ strncpy(amode, xp+1, n);
++ amode[n] = '\0';
++ /* amode[3] = '\0'; */
++ if (VERBOSE)
++ printf("Test = %s, Mode = %s\n", atest, amode);
++ }
++ else if (strncasecmp(pp, "Key Length : ", 13) == 0)
++ {
++ akeysz = atoi(pp+13);
++ if (VERBOSE)
++ printf("Key size = %d\n", akeysz);
++ }
++ }
++ }
++ break;
++
++ case 1: /* [ENCRYPT] | [DECRYPT] */
++ if (ibuf[0] == '[')
++ {
++ fputs(ibuf, rfp);
++ ++step;
++ if (strncasecmp(ibuf, "[ENCRYPT]", 9) == 0)
++ dir = 1;
++ else if (strncasecmp(ibuf, "[DECRYPT]", 9) == 0)
++ dir = 0;
++ else
++ {
++ printf("Invalid keyword: %s\n", ibuf);
++ err = 1;
++ }
++ break;
++ }
++ else if (dir == -1)
++ {
++ err = 1;
++ printf("Missing ENCRYPT/DECRYPT keyword\n");
++ break;
++ }
++ else
++ step = 2;
++
++ case 2: /* KEY = xxxx */
++ fputs(ibuf, rfp);
++ if(*ibuf == '\n')
++ break;
++ if(!strncasecmp(ibuf,"COUNT = ",8))
++ break;
++
++ if (strncasecmp(ibuf, "KEY = ", 6) != 0)
++ {
++ printf("Missing KEY\n");
++ err = 1;
++ }
++ else
++ {
++ len = hex2bin((char*)ibuf+6, aKey);
++ if (len < 0)
++ {
++ printf("Invalid KEY\n");
++ err =1;
++ break;
++ }
++ PrintValue("KEY", aKey, len);
++ if (strcmp(amode, "ECB") == 0)
++ {
++ memset(iVec, 0, sizeof(iVec));
++ step = (dir)? 4: 5; /* no ivec for ECB */
++ }
++ else
++ ++step;
++ }
++ break;
++
++ case 3: /* IV = xxxx */
++ fputs(ibuf, rfp);
++ if (strncasecmp(ibuf, "IV = ", 5) != 0)
++ {
++ printf("Missing IV\n");
++ err = 1;
++ }
++ else
++ {
++ len = hex2bin((char*)ibuf+5, iVec);
++ if (len < 0)
++ {
++ printf("Invalid IV\n");
++ err =1;
++ break;
++ }
++ PrintValue("IV", iVec, len);
++ step = (dir)? 4: 5;
++ }
++ break;
++
++ case 4: /* PLAINTEXT = xxxx */
++ fputs(ibuf, rfp);
++ if (strncasecmp(ibuf, "PLAINTEXT = ", 12) != 0)
++ {
++ printf("Missing PLAINTEXT\n");
++ err = 1;
++ }
++ else
++ {
++ int nn = strlen(ibuf+12);
++ if(!strcmp(amode,"CFB1"))
++ len=bint2bin(ibuf+12,nn-1,plaintext);
++ else
++ len=hex2bin(ibuf+12, plaintext);
++ if (len < 0)
++ {
++ printf("Invalid PLAINTEXT: %s", ibuf+12);
++ err =1;
++ break;
++ }
++ if (len >= sizeof(plaintext))
++ {
++ printf("Buffer overflow\n");
++ }
++ PrintValue("PLAINTEXT", (unsigned char*)plaintext, len);
++ if (strcmp(atest, "MCT") == 0) /* Monte Carlo Test */
++ {
++ if(do_mct(amode, akeysz, aKey, iVec,
++ dir, (unsigned char*)plaintext, len,
++ rfp) < 0)
++ EXIT(1);
++ }
++ else
++ {
++ ret = AESTest(&ctx, amode, akeysz, aKey, iVec,
++ dir, /* 0 = decrypt, 1 = encrypt */
++ plaintext, ciphertext, len);
++ OutputValue("CIPHERTEXT",ciphertext,len,rfp,
++ !strcmp(amode,"CFB1"));
++ }
++ step = 6;
++ }
++ break;
++
++ case 5: /* CIPHERTEXT = xxxx */
++ fputs(ibuf, rfp);
++ if (strncasecmp(ibuf, "CIPHERTEXT = ", 13) != 0)
++ {
++ printf("Missing KEY\n");
++ err = 1;
++ }
++ else
++ {
++ if(!strcmp(amode,"CFB1"))
++ len=bint2bin(ibuf+13,strlen(ibuf+13)-1,ciphertext);
++ else
++ len = hex2bin(ibuf+13,ciphertext);
++ if (len < 0)
++ {
++ printf("Invalid CIPHERTEXT\n");
++ err =1;
++ break;
++ }
++
++ PrintValue("CIPHERTEXT", ciphertext, len);
++ if (strcmp(atest, "MCT") == 0) /* Monte Carlo Test */
++ {
++ do_mct(amode, akeysz, aKey, iVec,
++ dir, ciphertext, len, rfp);
++ }
++ else
++ {
++ ret = AESTest(&ctx, amode, akeysz, aKey, iVec,
++ dir, /* 0 = decrypt, 1 = encrypt */
++ plaintext, ciphertext, len);
++ OutputValue("PLAINTEXT",(unsigned char *)plaintext,len,rfp,
++ !strcmp(amode,"CFB1"));
++ }
++ step = 6;
++ }
++ break;
++
++ case 6:
++ if (ibuf[0] != '\n')
++ {
++ err = 1;
++ printf("Missing terminator\n");
++ }
++ else if (strcmp(atest, "MCT") != 0)
++ { /* MCT already added terminating nl */
++ fputs(ibuf, rfp);
++ }
++ step = 1;
++ break;
++ }
++ }
++ if (rfp)
++ fclose(rfp);
++ if (afp)
++ fclose(afp);
++ return err;
++ }
++
++/*--------------------------------------------------
++ Processes either a single file or
++ a set of files whose names are passed in a file.
++ A single file is specified as:
++ aes_test -f xxx.req
++ A set of files is specified as:
++ aes_test -d xxxxx.xxx
++ The default is: -d req.txt
++--------------------------------------------------*/
++int main(int argc, char **argv)
++ {
++ char *rqlist = "req.txt", *rspfile = NULL;
++ FILE *fp = NULL;
++ char fn[250] = "", rfn[256] = "";
++ int f_opt = 0, d_opt = 1;
++
++#ifdef OPENSSL_FIPS
++ if(!FIPS_mode_set(1))
++ {
++ do_print_errors();
++ EXIT(1);
++ }
++#endif
++ if (argc > 1)
++ {
++ if (strcasecmp(argv[1], "-d") == 0)
++ {
++ d_opt = 1;
++ }
++ else if (strcasecmp(argv[1], "-f") == 0)
++ {
++ f_opt = 1;
++ d_opt = 0;
++ }
++ else
++ {
++ printf("Invalid parameter: %s\n", argv[1]);
++ return 0;
++ }
++ if (argc < 3)
++ {
++ printf("Missing parameter\n");
++ return 0;
++ }
++ if (d_opt)
++ rqlist = argv[2];
++ else
++ {
++ strcpy(fn, argv[2]);
++ rspfile = argv[3];
++ }
++ }
++ if (d_opt)
++ { /* list of files (directory) */
++ if (!(fp = fopen(rqlist, "r")))
++ {
++ printf("Cannot open req list file\n");
++ return -1;
++ }
++ while (fgets(fn, sizeof(fn), fp))
++ {
++ strtok(fn, "\r\n");
++ strcpy(rfn, fn);
++ if (VERBOSE)
++ printf("Processing: %s\n", rfn);
++ if (proc_file(rfn, rspfile))
++ {
++ printf(">>> Processing failed for: %s <<<\n", rfn);
++ EXIT(1);
++ }
++ }
++ fclose(fp);
++ }
++ else /* single file */
++ {
++ if (VERBOSE)
++ printf("Processing: %s\n", fn);
++ if (proc_file(fn, rspfile))
++ {
++ printf(">>> Processing failed for: %s <<<\n", fn);
++ }
++ }
++ EXIT(0);
++ return 0;
++ }
++
++#endif
+diff -up openssl-1.0.0f/crypto/fips/cavs/fips_desmovs.c.fips openssl-1.0.0f/crypto/fips/cavs/fips_desmovs.c
+--- openssl-1.0.0f/crypto/fips/cavs/fips_desmovs.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/cavs/fips_desmovs.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,702 @@
++/* ====================================================================
++ * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++/*---------------------------------------------
++ NIST DES Modes of Operation Validation System
++ Test Program
++
++ Based on the AES Validation Suite, which was:
++ Donated to OpenSSL by:
++ V-ONE Corporation
++ 20250 Century Blvd, Suite 300
++ Germantown, MD 20874
++ U.S.A.
++ ----------------------------------------------*/
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <errno.h>
++#include <assert.h>
++#include <ctype.h>
++#include <openssl/des.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++
++#include <openssl/err.h>
++#include "e_os.h"
++
++#ifndef OPENSSL_FIPS
++
++int main(int argc, char *argv[])
++{
++ printf("No FIPS DES support\n");
++ return(0);
++}
++
++#else
++
++#include <openssl/fips.h>
++#include "fips_utl.h"
++
++#define DES_BLOCK_SIZE 8
++
++#define VERBOSE 0
++
++int DESTest(EVP_CIPHER_CTX *ctx,
++ char *amode, int akeysz, unsigned char *aKey,
++ unsigned char *iVec,
++ int dir, /* 0 = decrypt, 1 = encrypt */
++ unsigned char *out, unsigned char *in, int len)
++ {
++ const EVP_CIPHER *cipher = NULL;
++
++ if (akeysz != 192)
++ {
++ printf("Invalid key size: %d\n", akeysz);
++ EXIT(1);
++ }
++
++ if (strcasecmp(amode, "CBC") == 0)
++ cipher = EVP_des_ede3_cbc();
++ else if (strcasecmp(amode, "ECB") == 0)
++ cipher = EVP_des_ede3_ecb();
++ else if (strcasecmp(amode, "CFB64") == 0)
++ cipher = EVP_des_ede3_cfb64();
++ else if (strncasecmp(amode, "OFB", 3) == 0)
++ cipher = EVP_des_ede3_ofb();
++ else if(!strcasecmp(amode,"CFB8"))
++ cipher = EVP_des_ede3_cfb8();
++ else if(!strcasecmp(amode,"CFB1"))
++ cipher = EVP_des_ede3_cfb1();
++ else
++ {
++ printf("Unknown mode: %s\n", amode);
++ EXIT(1);
++ }
++
++ if (EVP_CipherInit_ex(ctx, cipher, NULL, aKey, iVec, dir) <= 0)
++ return 0;
++ if(!strcasecmp(amode,"CFB1"))
++ M_EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS);
++ EVP_Cipher(ctx, out, in, len);
++
++ return 1;
++ }
++
++void DebugValue(char *tag, unsigned char *val, int len)
++ {
++ char obuf[2048];
++ int olen;
++ olen = bin2hex(val, len, obuf);
++ printf("%s = %.*s\n", tag, olen, obuf);
++ }
++
++void shiftin(unsigned char *dst,unsigned char *src,int nbits)
++ {
++ int n;
++
++ /* move the bytes... */
++ memmove(dst,dst+nbits/8,3*8-nbits/8);
++ /* append new data */
++ memcpy(dst+3*8-nbits/8,src,(nbits+7)/8);
++ /* left shift the bits */
++ if(nbits%8)
++ for(n=0 ; n < 3*8 ; ++n)
++ dst[n]=(dst[n] << (nbits%8))|(dst[n+1] >> (8-nbits%8));
++ }
++
++/*-----------------------------------------------*/
++char *t_tag[2] = {"PLAINTEXT", "CIPHERTEXT"};
++char *t_mode[6] = {"CBC","ECB","OFB","CFB1","CFB8","CFB64"};
++enum Mode {CBC, ECB, OFB, CFB1, CFB8, CFB64};
++int Sizes[6]={64,64,64,1,8,64};
++
++void do_mct(char *amode,
++ int akeysz, int numkeys, unsigned char *akey,unsigned char *ivec,
++ int dir, unsigned char *text, int len,
++ FILE *rfp)
++ {
++ int i,imode;
++ unsigned char nk[4*8]; /* longest key+8 */
++ unsigned char text0[8];
++
++ for (imode=0 ; imode < 6 ; ++imode)
++ if(!strcmp(amode,t_mode[imode]))
++ break;
++ if (imode == 6)
++ {
++ printf("Unrecognized mode: %s\n", amode);
++ EXIT(1);
++ }
++
++ for(i=0 ; i < 400 ; ++i)
++ {
++ int j;
++ int n;
++ int kp=akeysz/64;
++ unsigned char old_iv[8];
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++
++ fprintf(rfp,"\nCOUNT = %d\n",i);
++ if(kp == 1)
++ OutputValue("KEY",akey,8,rfp,0);
++ else
++ for(n=0 ; n < kp ; ++n)
++ {
++ fprintf(rfp,"KEY%d",n+1);
++ OutputValue("",akey+n*8,8,rfp,0);
++ }
++
++ if(imode != ECB)
++ OutputValue("IV",ivec,8,rfp,0);
++ OutputValue(t_tag[dir^1],text,len,rfp,imode == CFB1);
++#if 0
++ /* compensate for endianness */
++ if(imode == CFB1)
++ text[0]<<=7;
++#endif
++ memcpy(text0,text,8);
++
++ for(j=0 ; j < 10000 ; ++j)
++ {
++ unsigned char old_text[8];
++
++ memcpy(old_text,text,8);
++ if(j == 0)
++ {
++ memcpy(old_iv,ivec,8);
++ DESTest(&ctx,amode,akeysz,akey,ivec,dir,text,text,len);
++ }
++ else
++ {
++ memcpy(old_iv,ctx.iv,8);
++ EVP_Cipher(&ctx,text,text,len);
++ }
++ if(j == 9999)
++ {
++ OutputValue(t_tag[dir],text,len,rfp,imode == CFB1);
++ /* memcpy(ivec,text,8); */
++ }
++ /* DebugValue("iv",ctx.iv,8); */
++ /* accumulate material for the next key */
++ shiftin(nk,text,Sizes[imode]);
++ /* DebugValue("nk",nk,24);*/
++ if((dir && (imode == CFB1 || imode == CFB8 || imode == CFB64
++ || imode == CBC)) || imode == OFB)
++ memcpy(text,old_iv,8);
++
++ if(!dir && (imode == CFB1 || imode == CFB8 || imode == CFB64))
++ {
++ /* the test specifies using the output of the raw DES operation
++ which we don't have, so reconstruct it... */
++ for(n=0 ; n < 8 ; ++n)
++ text[n]^=old_text[n];
++ }
++ }
++ for(n=0 ; n < 8 ; ++n)
++ akey[n]^=nk[16+n];
++ for(n=0 ; n < 8 ; ++n)
++ akey[8+n]^=nk[8+n];
++ for(n=0 ; n < 8 ; ++n)
++ akey[16+n]^=nk[n];
++ if(numkeys < 3)
++ memcpy(&akey[2*8],akey,8);
++ if(numkeys < 2)
++ memcpy(&akey[8],akey,8);
++ DES_set_odd_parity((DES_cblock *)akey);
++ DES_set_odd_parity((DES_cblock *)(akey+8));
++ DES_set_odd_parity((DES_cblock *)(akey+16));
++ memcpy(ivec,ctx.iv,8);
++
++ /* pointless exercise - the final text doesn't depend on the
++ initial text in OFB mode, so who cares what it is? (Who
++ designed these tests?) */
++ if(imode == OFB)
++ for(n=0 ; n < 8 ; ++n)
++ text[n]=text0[n]^old_iv[n];
++ }
++ }
++
++int proc_file(char *rqfile, char *rspfile)
++ {
++ char afn[256], rfn[256];
++ FILE *afp = NULL, *rfp = NULL;
++ char ibuf[2048], tbuf[2048];
++ int ilen, len, ret = 0;
++ char amode[8] = "";
++ char atest[100] = "";
++ int akeysz=0;
++ unsigned char iVec[20], aKey[40];
++ int dir = -1, err = 0, step = 0;
++ unsigned char plaintext[2048];
++ unsigned char ciphertext[2048];
++ char *rp;
++ EVP_CIPHER_CTX ctx;
++ int numkeys=1;
++ EVP_CIPHER_CTX_init(&ctx);
++
++ if (!rqfile || !(*rqfile))
++ {
++ printf("No req file\n");
++ return -1;
++ }
++ strcpy(afn, rqfile);
++
++ if ((afp = fopen(afn, "r")) == NULL)
++ {
++ printf("Cannot open file: %s, %s\n",
++ afn, strerror(errno));
++ return -1;
++ }
++ if (!rspfile)
++ {
++ strcpy(rfn,afn);
++ rp=strstr(rfn,"req/");
++#ifdef OPENSSL_SYS_WIN32
++ if (!rp)
++ rp=strstr(rfn,"req\\");
++#endif
++ assert(rp);
++ memcpy(rp,"rsp",3);
++ rp = strstr(rfn, ".req");
++ memcpy(rp, ".rsp", 4);
++ rspfile = rfn;
++ }
++ if ((rfp = fopen(rspfile, "w")) == NULL)
++ {
++ printf("Cannot open file: %s, %s\n",
++ rfn, strerror(errno));
++ fclose(afp);
++ afp = NULL;
++ return -1;
++ }
++ while (!err && (fgets(ibuf, sizeof(ibuf), afp)) != NULL)
++ {
++ tidy_line(tbuf, ibuf);
++ ilen = strlen(ibuf);
++ /* printf("step=%d ibuf=%s",step,ibuf);*/
++ if(step == 3 && !strcmp(amode,"ECB"))
++ {
++ memset(iVec, 0, sizeof(iVec));
++ step = (dir)? 4: 5; /* no ivec for ECB */
++ }
++ switch (step)
++ {
++ case 0: /* read preamble */
++ if (ibuf[0] == '\n')
++ { /* end of preamble */
++ if (*amode == '\0')
++ {
++ printf("Missing Mode\n");
++ err = 1;
++ }
++ else
++ {
++ fputs(ibuf, rfp);
++ ++ step;
++ }
++ }
++ else if (ibuf[0] != '#')
++ {
++ printf("Invalid preamble item: %s\n", ibuf);
++ err = 1;
++ }
++ else
++ { /* process preamble */
++ char *xp, *pp = ibuf+2;
++ int n;
++ if(*amode)
++ { /* insert current time & date */
++ time_t rtim = time(0);
++ fprintf(rfp, "# %s", ctime(&rtim));
++ }
++ else
++ {
++ fputs(ibuf, rfp);
++ if(!strncmp(pp,"INVERSE ",8) || !strncmp(pp,"DES ",4)
++ || !strncmp(pp,"TDES ",5)
++ || !strncmp(pp,"PERMUTATION ",12)
++ || !strncmp(pp,"SUBSTITUTION ",13)
++ || !strncmp(pp,"VARIABLE ",9))
++ {
++ /* get test type */
++ if(!strncmp(pp,"DES ",4))
++ pp+=4;
++ else if(!strncmp(pp,"TDES ",5))
++ pp+=5;
++ xp = strchr(pp, ' ');
++ n = xp-pp;
++ strncpy(atest, pp, n);
++ atest[n] = '\0';
++ /* get mode */
++ xp = strrchr(pp, ' '); /* get mode" */
++ n = strlen(xp+1)-1;
++ strncpy(amode, xp+1, n);
++ amode[n] = '\0';
++ /* amode[3] = '\0'; */
++ if (VERBOSE)
++ printf("Test=%s, Mode=%s\n",atest,amode);
++ }
++ }
++ }
++ break;
++
++ case 1: /* [ENCRYPT] | [DECRYPT] */
++ if(ibuf[0] == '\n')
++ break;
++ if (ibuf[0] == '[')
++ {
++ fputs(ibuf, rfp);
++ ++step;
++ if (strncasecmp(ibuf, "[ENCRYPT]", 9) == 0)
++ dir = 1;
++ else if (strncasecmp(ibuf, "[DECRYPT]", 9) == 0)
++ dir = 0;
++ else
++ {
++ printf("Invalid keyword: %s\n", ibuf);
++ err = 1;
++ }
++ break;
++ }
++ else if (dir == -1)
++ {
++ err = 1;
++ printf("Missing ENCRYPT/DECRYPT keyword\n");
++ break;
++ }
++ else
++ step = 2;
++
++ case 2: /* KEY = xxxx */
++ if(*ibuf == '\n')
++ {
++ fputs(ibuf, rfp);
++ break;
++ }
++ if(!strncasecmp(ibuf,"COUNT = ",8))
++ {
++ fputs(ibuf, rfp);
++ break;
++ }
++ if(!strncasecmp(ibuf,"COUNT=",6))
++ {
++ fputs(ibuf, rfp);
++ break;
++ }
++ if(!strncasecmp(ibuf,"NumKeys = ",10))
++ {
++ numkeys=atoi(ibuf+10);
++ break;
++ }
++
++ fputs(ibuf, rfp);
++ if(!strncasecmp(ibuf,"KEY = ",6))
++ {
++ akeysz=64;
++ len = hex2bin((char*)ibuf+6, aKey);
++ if (len < 0)
++ {
++ printf("Invalid KEY\n");
++ err=1;
++ break;
++ }
++ PrintValue("KEY", aKey, len);
++ ++step;
++ }
++ else if(!strncasecmp(ibuf,"KEYs = ",7))
++ {
++ akeysz=64*3;
++ len=hex2bin(ibuf+7,aKey);
++ if(len != 8)
++ {
++ printf("Invalid KEY\n");
++ err=1;
++ break;
++ }
++ memcpy(aKey+8,aKey,8);
++ memcpy(aKey+16,aKey,8);
++ ibuf[4]='\0';
++ PrintValue("KEYs",aKey,len);
++ ++step;
++ }
++ else if(!strncasecmp(ibuf,"KEY",3))
++ {
++ int n=ibuf[3]-'1';
++
++ akeysz=64*3;
++ len=hex2bin(ibuf+7,aKey+n*8);
++ if(len != 8)
++ {
++ printf("Invalid KEY\n");
++ err=1;
++ break;
++ }
++ ibuf[4]='\0';
++ PrintValue(ibuf,aKey,len);
++ if(n == 2)
++ ++step;
++ }
++ else
++ {
++ printf("Missing KEY\n");
++ err = 1;
++ }
++ break;
++
++ case 3: /* IV = xxxx */
++ fputs(ibuf, rfp);
++ if (strncasecmp(ibuf, "IV = ", 5) != 0)
++ {
++ printf("Missing IV\n");
++ err = 1;
++ }
++ else
++ {
++ len = hex2bin((char*)ibuf+5, iVec);
++ if (len < 0)
++ {
++ printf("Invalid IV\n");
++ err =1;
++ break;
++ }
++ PrintValue("IV", iVec, len);
++ step = (dir)? 4: 5;
++ }
++ break;
++
++ case 4: /* PLAINTEXT = xxxx */
++ fputs(ibuf, rfp);
++ if (strncasecmp(ibuf, "PLAINTEXT = ", 12) != 0)
++ {
++ printf("Missing PLAINTEXT\n");
++ err = 1;
++ }
++ else
++ {
++ int nn = strlen(ibuf+12);
++ if(!strcmp(amode,"CFB1"))
++ len=bint2bin(ibuf+12,nn-1,plaintext);
++ else
++ len=hex2bin(ibuf+12, plaintext);
++ if (len < 0)
++ {
++ printf("Invalid PLAINTEXT: %s", ibuf+12);
++ err =1;
++ break;
++ }
++ if (len >= sizeof(plaintext))
++ {
++ printf("Buffer overflow\n");
++ }
++ PrintValue("PLAINTEXT", (unsigned char*)plaintext, len);
++ if (strcmp(atest, "Monte") == 0) /* Monte Carlo Test */
++ {
++ do_mct(amode,akeysz,numkeys,aKey,iVec,dir,plaintext,len,rfp);
++ }
++ else
++ {
++ assert(dir == 1);
++ ret = DESTest(&ctx, amode, akeysz, aKey, iVec,
++ dir, /* 0 = decrypt, 1 = encrypt */
++ ciphertext, plaintext, len);
++ OutputValue("CIPHERTEXT",ciphertext,len,rfp,
++ !strcmp(amode,"CFB1"));
++ }
++ step = 6;
++ }
++ break;
++
++ case 5: /* CIPHERTEXT = xxxx */
++ fputs(ibuf, rfp);
++ if (strncasecmp(ibuf, "CIPHERTEXT = ", 13) != 0)
++ {
++ printf("Missing KEY\n");
++ err = 1;
++ }
++ else
++ {
++ if(!strcmp(amode,"CFB1"))
++ len=bint2bin(ibuf+13,strlen(ibuf+13)-1,ciphertext);
++ else
++ len = hex2bin(ibuf+13,ciphertext);
++ if (len < 0)
++ {
++ printf("Invalid CIPHERTEXT\n");
++ err =1;
++ break;
++ }
++
++ PrintValue("CIPHERTEXT", ciphertext, len);
++ if (strcmp(atest, "Monte") == 0) /* Monte Carlo Test */
++ {
++ do_mct(amode, akeysz, numkeys, aKey, iVec,
++ dir, ciphertext, len, rfp);
++ }
++ else
++ {
++ assert(dir == 0);
++ ret = DESTest(&ctx, amode, akeysz, aKey, iVec,
++ dir, /* 0 = decrypt, 1 = encrypt */
++ plaintext, ciphertext, len);
++ OutputValue("PLAINTEXT",(unsigned char *)plaintext,len,rfp,
++ !strcmp(amode,"CFB1"));
++ }
++ step = 6;
++ }
++ break;
++
++ case 6:
++ if (ibuf[0] != '\n')
++ {
++ err = 1;
++ printf("Missing terminator\n");
++ }
++ else if (strcmp(atest, "MCT") != 0)
++ { /* MCT already added terminating nl */
++ fputs(ibuf, rfp);
++ }
++ step = 1;
++ break;
++ }
++ }
++ if (rfp)
++ fclose(rfp);
++ if (afp)
++ fclose(afp);
++ return err;
++ }
++
++/*--------------------------------------------------
++ Processes either a single file or
++ a set of files whose names are passed in a file.
++ A single file is specified as:
++ aes_test -f xxx.req
++ A set of files is specified as:
++ aes_test -d xxxxx.xxx
++ The default is: -d req.txt
++--------------------------------------------------*/
++int main(int argc, char **argv)
++ {
++ char *rqlist = "req.txt", *rspfile = NULL;
++ FILE *fp = NULL;
++ char fn[250] = "", rfn[256] = "";
++ int f_opt = 0, d_opt = 1;
++
++#ifdef OPENSSL_FIPS
++ if(!FIPS_mode_set(1))
++ {
++ do_print_errors();
++ EXIT(1);
++ }
++#endif
++ if (argc > 1)
++ {
++ if (strcasecmp(argv[1], "-d") == 0)
++ {
++ d_opt = 1;
++ }
++ else if (strcasecmp(argv[1], "-f") == 0)
++ {
++ f_opt = 1;
++ d_opt = 0;
++ }
++ else
++ {
++ printf("Invalid parameter: %s\n", argv[1]);
++ return 0;
++ }
++ if (argc < 3)
++ {
++ printf("Missing parameter\n");
++ return 0;
++ }
++ if (d_opt)
++ rqlist = argv[2];
++ else
++ {
++ strcpy(fn, argv[2]);
++ rspfile = argv[3];
++ }
++ }
++ if (d_opt)
++ { /* list of files (directory) */
++ if (!(fp = fopen(rqlist, "r")))
++ {
++ printf("Cannot open req list file\n");
++ return -1;
++ }
++ while (fgets(fn, sizeof(fn), fp))
++ {
++ strtok(fn, "\r\n");
++ strcpy(rfn, fn);
++ printf("Processing: %s\n", rfn);
++ if (proc_file(rfn, rspfile))
++ {
++ printf(">>> Processing failed for: %s <<<\n", rfn);
++ EXIT(1);
++ }
++ }
++ fclose(fp);
++ }
++ else /* single file */
++ {
++ if (VERBOSE)
++ printf("Processing: %s\n", fn);
++ if (proc_file(fn, rspfile))
++ {
++ printf(">>> Processing failed for: %s <<<\n", fn);
++ }
++ }
++ EXIT(0);
++ return 0;
++ }
++
++#endif
+diff -up openssl-1.0.0f/crypto/fips/cavs/fips_dssvs.c.fips openssl-1.0.0f/crypto/fips/cavs/fips_dssvs.c
+--- openssl-1.0.0f/crypto/fips/cavs/fips_dssvs.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/cavs/fips_dssvs.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,537 @@
++#include <openssl/opensslconf.h>
++
++#ifndef OPENSSL_FIPS
++#include <stdio.h>
++
++int main(int argc, char **argv)
++{
++ printf("No FIPS DSA support\n");
++ return(0);
++}
++#else
++
++#include <openssl/bn.h>
++#include <openssl/dsa.h>
++#include <openssl/fips.h>
++#include <openssl/err.h>
++#include <openssl/evp.h>
++#include <string.h>
++#include <ctype.h>
++
++#include "fips_utl.h"
++
++static void pbn(const char *name, BIGNUM *bn)
++ {
++ int len, i;
++ unsigned char *tmp;
++ len = BN_num_bytes(bn);
++ tmp = OPENSSL_malloc(len);
++ if (!tmp)
++ {
++ fprintf(stderr, "Memory allocation error\n");
++ return;
++ }
++ BN_bn2bin(bn, tmp);
++ printf("%s = ", name);
++ for (i = 0; i < len; i++)
++ printf("%02X", tmp[i]);
++ fputs("\n", stdout);
++ OPENSSL_free(tmp);
++ return;
++ }
++
++void primes()
++ {
++ char buf[10240];
++ char lbuf[10240];
++ char *keyword, *value;
++
++ while(fgets(buf,sizeof buf,stdin) != NULL)
++ {
++ fputs(buf,stdout);
++ if (!parse_line(&keyword, &value, lbuf, buf))
++ continue;
++ if(!strcmp(keyword,"Prime"))
++ {
++ BIGNUM *pp;
++
++ pp=BN_new();
++ do_hex2bn(&pp,value);
++ printf("result= %c\n",
++ BN_is_prime_ex(pp,20,NULL,NULL) ? 'P' : 'F');
++ }
++ }
++ }
++
++void pqg()
++ {
++ char buf[1024];
++ char lbuf[1024];
++ char *keyword, *value;
++ int nmod=0;
++
++ while(fgets(buf,sizeof buf,stdin) != NULL)
++ {
++ if (!parse_line(&keyword, &value, lbuf, buf))
++ {
++ fputs(buf,stdout);
++ continue;
++ }
++ if(!strcmp(keyword,"[mod"))
++ nmod=atoi(value);
++ else if(!strcmp(keyword,"N"))
++ {
++ int n=atoi(value);
++
++ printf("[mod = %d]\n\n",nmod);
++
++ while(n--)
++ {
++ unsigned char seed[20];
++ DSA *dsa;
++ int counter;
++ unsigned long h;
++ dsa = FIPS_dsa_new();
++
++ if (!DSA_generate_parameters_ex(dsa, nmod,seed,0,&counter,&h,NULL))
++ {
++ do_print_errors();
++ exit(1);
++ }
++ pbn("P",dsa->p);
++ pbn("Q",dsa->q);
++ pbn("G",dsa->g);
++ pv("Seed",seed,20);
++ printf("c = %d\n",counter);
++ printf("H = %lx\n",h);
++ putc('\n',stdout);
++ }
++ }
++ else
++ fputs(buf,stdout);
++ }
++ }
++
++void pqgver()
++ {
++ char buf[1024];
++ char lbuf[1024];
++ char *keyword, *value;
++ BIGNUM *p = NULL, *q = NULL, *g = NULL;
++ int counter, counter2;
++ unsigned long h, h2;
++ DSA *dsa=NULL;
++ int nmod=0;
++ unsigned char seed[1024];
++
++ while(fgets(buf,sizeof buf,stdin) != NULL)
++ {
++ if (!parse_line(&keyword, &value, lbuf, buf))
++ {
++ fputs(buf,stdout);
++ continue;
++ }
++ fputs(buf, stdout);
++ if(!strcmp(keyword,"[mod"))
++ nmod=atoi(value);
++ else if(!strcmp(keyword,"P"))
++ p=hex2bn(value);
++ else if(!strcmp(keyword,"Q"))
++ q=hex2bn(value);
++ else if(!strcmp(keyword,"G"))
++ g=hex2bn(value);
++ else if(!strcmp(keyword,"Seed"))
++ {
++ int slen = hex2bin(value, seed);
++ if (slen != 20)
++ {
++ fprintf(stderr, "Seed parse length error\n");
++ exit (1);
++ }
++ }
++ else if(!strcmp(keyword,"c"))
++ counter =atoi(buf+4);
++ else if(!strcmp(keyword,"H"))
++ {
++ h = atoi(value);
++ if (!p || !q || !g)
++ {
++ fprintf(stderr, "Parse Error\n");
++ exit (1);
++ }
++ dsa = FIPS_dsa_new();
++ if (!DSA_generate_parameters_ex(dsa, nmod,seed,20 ,&counter2,&h2,NULL))
++ {
++ do_print_errors();
++ exit(1);
++ }
++ if (BN_cmp(dsa->p, p) || BN_cmp(dsa->q, q) || BN_cmp(dsa->g, g)
++ || (counter != counter2) || (h != h2))
++ printf("Result = F\n");
++ else
++ printf("Result = P\n");
++ BN_free(p);
++ BN_free(q);
++ BN_free(g);
++ p = NULL;
++ q = NULL;
++ g = NULL;
++ FIPS_dsa_free(dsa);
++ dsa = NULL;
++ }
++ }
++ }
++
++/* Keypair verification routine. NB: this isn't part of the standard FIPS140-2
++ * algorithm tests. It is an additional test to perform sanity checks on the
++ * output of the KeyPair test.
++ */
++
++static int dss_paramcheck(int nmod, BIGNUM *p, BIGNUM *q, BIGNUM *g,
++ BN_CTX *ctx)
++ {
++ BIGNUM *rem = NULL;
++ if (BN_num_bits(p) != nmod)
++ return 0;
++ if (BN_num_bits(q) != 160)
++ return 0;
++ if (BN_is_prime_ex(p, BN_prime_checks, ctx, NULL) != 1)
++ return 0;
++ if (BN_is_prime_ex(q, BN_prime_checks, ctx, NULL) != 1)
++ return 0;
++ rem = BN_new();
++ if (!BN_mod(rem, p, q, ctx) || !BN_is_one(rem)
++ || (BN_cmp(g, BN_value_one()) <= 0)
++ || !BN_mod_exp(rem, g, q, p, ctx) || !BN_is_one(rem))
++ {
++ BN_free(rem);
++ return 0;
++ }
++ /* Todo: check g */
++ BN_free(rem);
++ return 1;
++ }
++
++void keyver()
++ {
++ char buf[1024];
++ char lbuf[1024];
++ char *keyword, *value;
++ BIGNUM *p = NULL, *q = NULL, *g = NULL, *X = NULL, *Y = NULL;
++ BIGNUM *Y2;
++ BN_CTX *ctx = NULL;
++ int nmod=0, paramcheck = 0;
++
++ ctx = BN_CTX_new();
++ Y2 = BN_new();
++
++ while(fgets(buf,sizeof buf,stdin) != NULL)
++ {
++ if (!parse_line(&keyword, &value, lbuf, buf))
++ {
++ fputs(buf,stdout);
++ continue;
++ }
++ if(!strcmp(keyword,"[mod"))
++ {
++ if (p)
++ BN_free(p);
++ p = NULL;
++ if (q)
++ BN_free(q);
++ q = NULL;
++ if (g)
++ BN_free(g);
++ g = NULL;
++ paramcheck = 0;
++ nmod=atoi(value);
++ }
++ else if(!strcmp(keyword,"P"))
++ p=hex2bn(value);
++ else if(!strcmp(keyword,"Q"))
++ q=hex2bn(value);
++ else if(!strcmp(keyword,"G"))
++ g=hex2bn(value);
++ else if(!strcmp(keyword,"X"))
++ X=hex2bn(value);
++ else if(!strcmp(keyword,"Y"))
++ {
++ Y=hex2bn(value);
++ if (!p || !q || !g || !X || !Y)
++ {
++ fprintf(stderr, "Parse Error\n");
++ exit (1);
++ }
++ pbn("P",p);
++ pbn("Q",q);
++ pbn("G",g);
++ pbn("X",X);
++ pbn("Y",Y);
++ if (!paramcheck)
++ {
++ if (dss_paramcheck(nmod, p, q, g, ctx))
++ paramcheck = 1;
++ else
++ paramcheck = -1;
++ }
++ if (paramcheck != 1)
++ printf("Result = F\n");
++ else
++ {
++ if (!BN_mod_exp(Y2, g, X, p, ctx) || BN_cmp(Y2, Y))
++ printf("Result = F\n");
++ else
++ printf("Result = P\n");
++ }
++ BN_free(X);
++ BN_free(Y);
++ X = NULL;
++ Y = NULL;
++ }
++ }
++ if (p)
++ BN_free(p);
++ if (q)
++ BN_free(q);
++ if (g)
++ BN_free(g);
++ if (Y2)
++ BN_free(Y2);
++ }
++
++void keypair()
++ {
++ char buf[1024];
++ char lbuf[1024];
++ char *keyword, *value;
++ int nmod=0;
++
++ while(fgets(buf,sizeof buf,stdin) != NULL)
++ {
++ if (!parse_line(&keyword, &value, lbuf, buf))
++ {
++ fputs(buf,stdout);
++ continue;
++ }
++ if(!strcmp(keyword,"[mod"))
++ nmod=atoi(value);
++ else if(!strcmp(keyword,"N"))
++ {
++ DSA *dsa;
++ int n=atoi(value);
++
++ printf("[mod = %d]\n\n",nmod);
++ dsa = FIPS_dsa_new();
++ if (!DSA_generate_parameters_ex(dsa, nmod,NULL,0,NULL,NULL,NULL))
++ {
++ do_print_errors();
++ exit(1);
++ }
++ pbn("P",dsa->p);
++ pbn("Q",dsa->q);
++ pbn("G",dsa->g);
++ putc('\n',stdout);
++
++ while(n--)
++ {
++ if (!DSA_generate_key(dsa))
++ {
++ do_print_errors();
++ exit(1);
++ }
++
++ pbn("X",dsa->priv_key);
++ pbn("Y",dsa->pub_key);
++ putc('\n',stdout);
++ }
++ }
++ }
++ }
++
++void siggen()
++ {
++ char buf[1024];
++ char lbuf[1024];
++ char *keyword, *value;
++ int nmod=0;
++ DSA *dsa=NULL;
++
++ while(fgets(buf,sizeof buf,stdin) != NULL)
++ {
++ if (!parse_line(&keyword, &value, lbuf, buf))
++ {
++ fputs(buf,stdout);
++ continue;
++ }
++ if(!strcmp(keyword,"[mod"))
++ {
++ nmod=atoi(value);
++ printf("[mod = %d]\n\n",nmod);
++ if (dsa)
++ FIPS_dsa_free(dsa);
++ dsa = FIPS_dsa_new();
++ if (!DSA_generate_parameters_ex(dsa, nmod,NULL,0,NULL,NULL,NULL))
++ {
++ do_print_errors();
++ exit(1);
++ }
++ pbn("P",dsa->p);
++ pbn("Q",dsa->q);
++ pbn("G",dsa->g);
++ putc('\n',stdout);
++ }
++ else if(!strcmp(keyword,"Msg"))
++ {
++ unsigned char msg[1024];
++ unsigned char sbuf[60];
++ unsigned int slen;
++ int n;
++ EVP_PKEY pk;
++ EVP_MD_CTX mctx;
++ DSA_SIG *sig;
++ EVP_MD_CTX_init(&mctx);
++
++ n=hex2bin(value,msg);
++ pv("Msg",msg,n);
++
++ if (!DSA_generate_key(dsa))
++ {
++ do_print_errors();
++ exit(1);
++ }
++ pk.type = EVP_PKEY_DSA;
++ pk.pkey.dsa = dsa;
++ pbn("Y",dsa->pub_key);
++
++ EVP_SignInit_ex(&mctx, EVP_dss1(), NULL);
++ EVP_SignUpdate(&mctx, msg, n);
++ EVP_SignFinal(&mctx, sbuf, &slen, &pk);
++
++ sig = DSA_SIG_new();
++ FIPS_dsa_sig_decode(sig, sbuf, slen);
++
++ pbn("R",sig->r);
++ pbn("S",sig->s);
++ putc('\n',stdout);
++ DSA_SIG_free(sig);
++ EVP_MD_CTX_cleanup(&mctx);
++ }
++ }
++ if (dsa)
++ FIPS_dsa_free(dsa);
++ }
++
++void sigver()
++ {
++ DSA *dsa=NULL;
++ char buf[1024];
++ char lbuf[1024];
++ unsigned char msg[1024];
++ char *keyword, *value;
++ int nmod=0, n=0;
++ DSA_SIG sg, *sig = &sg;
++
++ sig->r = NULL;
++ sig->s = NULL;
++
++ while(fgets(buf,sizeof buf,stdin) != NULL)
++ {
++ if (!parse_line(&keyword, &value, lbuf, buf))
++ {
++ fputs(buf,stdout);
++ continue;
++ }
++ if(!strcmp(keyword,"[mod"))
++ {
++ nmod=atoi(value);
++ if(dsa)
++ FIPS_dsa_free(dsa);
++ dsa=FIPS_dsa_new();
++ }
++ else if(!strcmp(keyword,"P"))
++ dsa->p=hex2bn(value);
++ else if(!strcmp(keyword,"Q"))
++ dsa->q=hex2bn(value);
++ else if(!strcmp(keyword,"G"))
++ {
++ dsa->g=hex2bn(value);
++
++ printf("[mod = %d]\n\n",nmod);
++ pbn("P",dsa->p);
++ pbn("Q",dsa->q);
++ pbn("G",dsa->g);
++ putc('\n',stdout);
++ }
++ else if(!strcmp(keyword,"Msg"))
++ {
++ n=hex2bin(value,msg);
++ pv("Msg",msg,n);
++ }
++ else if(!strcmp(keyword,"Y"))
++ dsa->pub_key=hex2bn(value);
++ else if(!strcmp(keyword,"R"))
++ sig->r=hex2bn(value);
++ else if(!strcmp(keyword,"S"))
++ {
++ EVP_MD_CTX mctx;
++ EVP_PKEY pk;
++ unsigned char sigbuf[60];
++ unsigned int slen;
++ int r;
++ EVP_MD_CTX_init(&mctx);
++ pk.type = EVP_PKEY_DSA;
++ pk.pkey.dsa = dsa;
++ sig->s=hex2bn(value);
++
++ pbn("Y",dsa->pub_key);
++ pbn("R",sig->r);
++ pbn("S",sig->s);
++
++ slen = FIPS_dsa_sig_encode(sigbuf, sig);
++ EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL);
++ EVP_VerifyUpdate(&mctx, msg, n);
++ r = EVP_VerifyFinal(&mctx, sigbuf, slen, &pk);
++ EVP_MD_CTX_cleanup(&mctx);
++
++ printf("Result = %c\n", r == 1 ? 'P' : 'F');
++ putc('\n',stdout);
++ }
++ }
++ }
++
++int main(int argc,char **argv)
++ {
++ if(argc != 2)
++ {
++ fprintf(stderr,"%s [prime|pqg|pqgver|keypair|siggen|sigver]\n",argv[0]);
++ exit(1);
++ }
++ if(!FIPS_mode_set(1))
++ {
++ do_print_errors();
++ exit(1);
++ }
++ if(!strcmp(argv[1],"prime"))
++ primes();
++ else if(!strcmp(argv[1],"pqg"))
++ pqg();
++ else if(!strcmp(argv[1],"pqgver"))
++ pqgver();
++ else if(!strcmp(argv[1],"keypair"))
++ keypair();
++ else if(!strcmp(argv[1],"keyver"))
++ keyver();
++ else if(!strcmp(argv[1],"siggen"))
++ siggen();
++ else if(!strcmp(argv[1],"sigver"))
++ sigver();
++ else
++ {
++ fprintf(stderr,"Don't know how to %s.\n",argv[1]);
++ exit(1);
++ }
++
++ return 0;
++ }
++
++#endif
+diff -up openssl-1.0.0f/crypto/fips/cavs/fips_rngvs.c.fips openssl-1.0.0f/crypto/fips/cavs/fips_rngvs.c
+--- openssl-1.0.0f/crypto/fips/cavs/fips_rngvs.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/cavs/fips_rngvs.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,230 @@
++/*
++ * Crude test driver for processing the VST and MCT testvector files
++ * generated by the CMVP RNGVS product.
++ *
++ * Note the input files are assumed to have a _very_ specific format
++ * as described in the NIST document "The Random Number Generator
++ * Validation System (RNGVS)", May 25, 2004.
++ *
++ */
++#include <openssl/opensslconf.h>
++
++#ifndef OPENSSL_FIPS
++#include <stdio.h>
++
++int main(int argc, char **argv)
++{
++ printf("No FIPS RNG support\n");
++ return 0;
++}
++#else
++
++#include <openssl/bn.h>
++#include <openssl/dsa.h>
++#include <openssl/fips.h>
++#include <openssl/err.h>
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++#include <openssl/x509v3.h>
++#include <string.h>
++#include <ctype.h>
++
++#include "fips_utl.h"
++
++void vst()
++ {
++ unsigned char *key = NULL;
++ unsigned char *v = NULL;
++ unsigned char *dt = NULL;
++ unsigned char ret[16];
++ char buf[1024];
++ char lbuf[1024];
++ char *keyword, *value;
++ long i, keylen;
++
++ keylen = 0;
++
++ while(fgets(buf,sizeof buf,stdin) != NULL)
++ {
++ fputs(buf,stdout);
++ if(!strncmp(buf,"[AES 128-Key]", 13))
++ keylen = 16;
++ else if(!strncmp(buf,"[AES 192-Key]", 13))
++ keylen = 24;
++ else if(!strncmp(buf,"[AES 256-Key]", 13))
++ keylen = 32;
++ if (!parse_line(&keyword, &value, lbuf, buf))
++ continue;
++ if(!strcmp(keyword,"Key"))
++ {
++ key=hex2bin_m(value,&i);
++ if (i != keylen)
++ {
++ fprintf(stderr, "Invalid key length, expecting %ld\n", keylen);
++ return;
++ }
++ }
++ else if(!strcmp(keyword,"DT"))
++ {
++ dt=hex2bin_m(value,&i);
++ if (i != 16)
++ {
++ fprintf(stderr, "Invalid DT length\n");
++ return;
++ }
++ }
++ else if(!strcmp(keyword,"V"))
++ {
++ v=hex2bin_m(value,&i);
++ if (i != 16)
++ {
++ fprintf(stderr, "Invalid V length\n");
++ return;
++ }
++
++ if (!key || !dt)
++ {
++ fprintf(stderr, "Missing key or DT\n");
++ return;
++ }
++
++ FIPS_rand_set_key(key, keylen);
++ FIPS_rand_seed(v,16);
++ FIPS_rand_set_dt(dt);
++ if (FIPS_rand_bytes(ret,16) <= 0)
++ {
++ fprintf(stderr, "Error getting PRNG value\n");
++ return;
++ }
++
++ pv("R",ret,16);
++ OPENSSL_free(key);
++ key = NULL;
++ OPENSSL_free(dt);
++ dt = NULL;
++ OPENSSL_free(v);
++ v = NULL;
++ }
++ }
++ }
++
++void mct()
++ {
++ unsigned char *key = NULL;
++ unsigned char *v = NULL;
++ unsigned char *dt = NULL;
++ unsigned char ret[16];
++ char buf[1024];
++ char lbuf[1024];
++ char *keyword, *value;
++ long i, keylen;
++ int j;
++
++ keylen = 0;
++
++ while(fgets(buf,sizeof buf,stdin) != NULL)
++ {
++ fputs(buf,stdout);
++ if(!strncmp(buf,"[AES 128-Key]", 13))
++ keylen = 16;
++ else if(!strncmp(buf,"[AES 192-Key]", 13))
++ keylen = 24;
++ else if(!strncmp(buf,"[AES 256-Key]", 13))
++ keylen = 32;
++ if (!parse_line(&keyword, &value, lbuf, buf))
++ continue;
++ if(!strcmp(keyword,"Key"))
++ {
++ key=hex2bin_m(value,&i);
++ if (i != keylen)
++ {
++ fprintf(stderr, "Invalid key length, expecting %ld\n", keylen);
++ return;
++ }
++ }
++ else if(!strcmp(keyword,"DT"))
++ {
++ dt=hex2bin_m(value,&i);
++ if (i != 16)
++ {
++ fprintf(stderr, "Invalid DT length\n");
++ return;
++ }
++ }
++ else if(!strcmp(keyword,"V"))
++ {
++ v=hex2bin_m(value,&i);
++ if (i != 16)
++ {
++ fprintf(stderr, "Invalid V length\n");
++ return;
++ }
++
++ if (!key || !dt)
++ {
++ fprintf(stderr, "Missing key or DT\n");
++ return;
++ }
++
++ FIPS_rand_set_key(key, keylen);
++ FIPS_rand_seed(v,16);
++ for (i = 0; i < 10000; i++)
++ {
++ FIPS_rand_set_dt(dt);
++ if (FIPS_rand_bytes(ret,16) <= 0)
++ {
++ fprintf(stderr, "Error getting PRNG value\n");
++ return;
++ }
++ /* Increment DT */
++ for (j = 15; j >= 0; j--)
++ {
++ dt[j]++;
++ if (dt[j])
++ break;
++ }
++ }
++
++ pv("R",ret,16);
++ OPENSSL_free(key);
++ key = NULL;
++ OPENSSL_free(dt);
++ dt = NULL;
++ OPENSSL_free(v);
++ v = NULL;
++ }
++ }
++ }
++
++int main(int argc,char **argv)
++ {
++ if(argc != 2)
++ {
++ fprintf(stderr,"%s [mct|vst]\n",argv[0]);
++ exit(1);
++ }
++ if(!FIPS_mode_set(1))
++ {
++ do_print_errors();
++ exit(1);
++ }
++ FIPS_rand_reset();
++ if (!FIPS_rand_test_mode())
++ {
++ fprintf(stderr, "Error setting PRNG test mode\n");
++ do_print_errors();
++ exit(1);
++ }
++ if(!strcmp(argv[1],"mct"))
++ mct();
++ else if(!strcmp(argv[1],"vst"))
++ vst();
++ else
++ {
++ fprintf(stderr,"Don't know how to %s.\n",argv[1]);
++ exit(1);
++ }
++
++ return 0;
++ }
++#endif
+diff -up openssl-1.0.0f/crypto/fips/cavs/fips_rsagtest.c.fips openssl-1.0.0f/crypto/fips/cavs/fips_rsagtest.c
+--- openssl-1.0.0f/crypto/fips/cavs/fips_rsagtest.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/cavs/fips_rsagtest.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,390 @@
++/* fips_rsagtest.c */
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project 2005.
++ */
++/* ====================================================================
++ * Copyright (c) 2005,2007 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay at cryptsoft.com). This product includes software written by Tim
++ * Hudson (tjh at cryptsoft.com).
++ *
++ */
++
++#include <stdio.h>
++#include <ctype.h>
++#include <string.h>
++#include <openssl/bio.h>
++#include <openssl/evp.h>
++#include <openssl/hmac.h>
++#include <openssl/err.h>
++#include <openssl/rsa.h>
++#include <openssl/bn.h>
++#include <openssl/x509v3.h>
++
++#ifndef OPENSSL_FIPS
++
++int main(int argc, char *argv[])
++{
++ printf("No FIPS RSA support\n");
++ return(0);
++}
++
++#else
++
++#include "fips_utl.h"
++
++int rsa_test(FILE *out, FILE *in);
++static int rsa_printkey1(FILE *out, RSA *rsa,
++ BIGNUM *Xp1, BIGNUM *Xp2, BIGNUM *Xp,
++ BIGNUM *e);
++static int rsa_printkey2(FILE *out, RSA *rsa,
++ BIGNUM *Xq1, BIGNUM *Xq2, BIGNUM *Xq);
++
++int main(int argc, char **argv)
++ {
++ FILE *in = NULL, *out = NULL;
++
++ int ret = 1;
++
++ if(!FIPS_mode_set(1))
++ {
++ do_print_errors();
++ goto end;
++ }
++
++ if (argc == 1)
++ in = stdin;
++ else
++ in = fopen(argv[1], "r");
++
++ if (argc < 2)
++ out = stdout;
++ else
++ out = fopen(argv[2], "w");
++
++ if (!in)
++ {
++ fprintf(stderr, "FATAL input initialization error\n");
++ goto end;
++ }
++
++ if (!out)
++ {
++ fprintf(stderr, "FATAL output initialization error\n");
++ goto end;
++ }
++
++ if (!rsa_test(out, in))
++ {
++ fprintf(stderr, "FATAL RSAGTEST file processing error\n");
++ goto end;
++ }
++ else
++ ret = 0;
++
++ end:
++
++ if (ret)
++ do_print_errors();
++
++ if (in && (in != stdin))
++ fclose(in);
++ if (out && (out != stdout))
++ fclose(out);
++
++ return ret;
++
++ }
++
++#define RSA_TEST_MAXLINELEN 10240
++
++int rsa_test(FILE *out, FILE *in)
++ {
++ char *linebuf, *olinebuf, *p, *q;
++ char *keyword, *value;
++ RSA *rsa = NULL;
++ BIGNUM *Xp1 = NULL, *Xp2 = NULL, *Xp = NULL;
++ BIGNUM *Xq1 = NULL, *Xq2 = NULL, *Xq = NULL;
++ BIGNUM *e = NULL;
++ int ret = 0;
++ int lnum = 0;
++
++ olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
++ linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
++
++ if (!linebuf || !olinebuf)
++ goto error;
++
++ while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in))
++ {
++ lnum++;
++ strcpy(linebuf, olinebuf);
++ keyword = linebuf;
++ /* Skip leading space */
++ while (isspace((unsigned char)*keyword))
++ keyword++;
++
++ /* Look for = sign */
++ p = strchr(linebuf, '=');
++
++ /* If no = or starts with [ (for [foo = bar] line) just copy */
++ if (!p || *keyword=='[')
++ {
++ if (fputs(olinebuf, out) < 0)
++ goto error;
++ continue;
++ }
++
++ q = p - 1;
++
++ /* Remove trailing space */
++ while (isspace((unsigned char)*q))
++ *q-- = 0;
++
++ *p = 0;
++ value = p + 1;
++
++ /* Remove leading space from value */
++ while (isspace((unsigned char)*value))
++ value++;
++
++ /* Remove trailing space from value */
++ p = value + strlen(value) - 1;
++
++ while (*p == '\n' || isspace((unsigned char)*p))
++ *p-- = 0;
++
++ if (!strcmp(keyword, "xp1"))
++ {
++ if (Xp1 || !do_hex2bn(&Xp1,value))
++ goto parse_error;
++ }
++ else if (!strcmp(keyword, "xp2"))
++ {
++ if (Xp2 || !do_hex2bn(&Xp2,value))
++ goto parse_error;
++ }
++ else if (!strcmp(keyword, "Xp"))
++ {
++ if (Xp || !do_hex2bn(&Xp,value))
++ goto parse_error;
++ }
++ else if (!strcmp(keyword, "xq1"))
++ {
++ if (Xq1 || !do_hex2bn(&Xq1,value))
++ goto parse_error;
++ }
++ else if (!strcmp(keyword, "xq2"))
++ {
++ if (Xq2 || !do_hex2bn(&Xq2,value))
++ goto parse_error;
++ }
++ else if (!strcmp(keyword, "Xq"))
++ {
++ if (Xq || !do_hex2bn(&Xq,value))
++ goto parse_error;
++ }
++ else if (!strcmp(keyword, "e"))
++ {
++ if (e || !do_hex2bn(&e,value))
++ goto parse_error;
++ }
++ else if (!strcmp(keyword, "p1"))
++ continue;
++ else if (!strcmp(keyword, "p2"))
++ continue;
++ else if (!strcmp(keyword, "p"))
++ continue;
++ else if (!strcmp(keyword, "q1"))
++ continue;
++ else if (!strcmp(keyword, "q2"))
++ continue;
++ else if (!strcmp(keyword, "q"))
++ continue;
++ else if (!strcmp(keyword, "n"))
++ continue;
++ else if (!strcmp(keyword, "d"))
++ continue;
++ else
++ goto parse_error;
++
++ fputs(olinebuf, out);
++
++ if (e && Xp1 && Xp2 && Xp)
++ {
++ rsa = FIPS_rsa_new();
++ if (!rsa)
++ goto error;
++ if (!rsa_printkey1(out, rsa, Xp1, Xp2, Xp, e))
++ goto error;
++ BN_free(Xp1);
++ Xp1 = NULL;
++ BN_free(Xp2);
++ Xp2 = NULL;
++ BN_free(Xp);
++ Xp = NULL;
++ BN_free(e);
++ e = NULL;
++ }
++
++ if (rsa && Xq1 && Xq2 && Xq)
++ {
++ if (!rsa_printkey2(out, rsa, Xq1, Xq2, Xq))
++ goto error;
++ BN_free(Xq1);
++ Xq1 = NULL;
++ BN_free(Xq2);
++ Xq2 = NULL;
++ BN_free(Xq);
++ Xq = NULL;
++ FIPS_rsa_free(rsa);
++ rsa = NULL;
++ }
++ }
++
++ ret = 1;
++
++ error:
++
++ if (olinebuf)
++ OPENSSL_free(olinebuf);
++ if (linebuf)
++ OPENSSL_free(linebuf);
++
++ if (Xp1)
++ BN_free(Xp1);
++ if (Xp2)
++ BN_free(Xp2);
++ if (Xp)
++ BN_free(Xp);
++ if (Xq1)
++ BN_free(Xq1);
++ if (Xq1)
++ BN_free(Xq1);
++ if (Xq2)
++ BN_free(Xq2);
++ if (Xq)
++ BN_free(Xq);
++ if (e)
++ BN_free(e);
++ if (rsa)
++ FIPS_rsa_free(rsa);
++
++ return ret;
++
++ parse_error:
++
++ fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
++
++ goto error;
++
++ }
++
++static int rsa_printkey1(FILE *out, RSA *rsa,
++ BIGNUM *Xp1, BIGNUM *Xp2, BIGNUM *Xp,
++ BIGNUM *e)
++ {
++ int ret = 0;
++ BIGNUM *p1 = NULL, *p2 = NULL;
++ p1 = BN_new();
++ p2 = BN_new();
++ if (!p1 || !p2)
++ goto error;
++
++ if (!RSA_X931_derive_ex(rsa, p1, p2, NULL, NULL, Xp1, Xp2, Xp,
++ NULL, NULL, NULL, e, NULL))
++ goto error;
++
++ do_bn_print_name(out, "p1", p1);
++ do_bn_print_name(out, "p2", p2);
++ do_bn_print_name(out, "p", rsa->p);
++
++ ret = 1;
++
++ error:
++ if (p1)
++ BN_free(p1);
++ if (p2)
++ BN_free(p2);
++
++ return ret;
++ }
++
++static int rsa_printkey2(FILE *out, RSA *rsa,
++ BIGNUM *Xq1, BIGNUM *Xq2, BIGNUM *Xq)
++ {
++ int ret = 0;
++ BIGNUM *q1 = NULL, *q2 = NULL;
++ q1 = BN_new();
++ q2 = BN_new();
++ if (!q1 || !q2)
++ goto error;
++
++ if (!RSA_X931_derive_ex(rsa, NULL, NULL, q1, q2, NULL, NULL, NULL,
++ Xq1, Xq2, Xq, NULL, NULL))
++ goto error;
++
++ do_bn_print_name(out, "q1", q1);
++ do_bn_print_name(out, "q2", q2);
++ do_bn_print_name(out, "q", rsa->q);
++ do_bn_print_name(out, "n", rsa->n);
++ do_bn_print_name(out, "d", rsa->d);
++
++ ret = 1;
++
++ error:
++ if (q1)
++ BN_free(q1);
++ if (q2)
++ BN_free(q2);
++
++ return ret;
++ }
++
++#endif
+diff -up openssl-1.0.0f/crypto/fips/cavs/fips_rsastest.c.fips openssl-1.0.0f/crypto/fips/cavs/fips_rsastest.c
+--- openssl-1.0.0f/crypto/fips/cavs/fips_rsastest.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/cavs/fips_rsastest.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,370 @@
++/* fips_rsastest.c */
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project 2005.
++ */
++/* ====================================================================
++ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay at cryptsoft.com). This product includes software written by Tim
++ * Hudson (tjh at cryptsoft.com).
++ *
++ */
++
++#include <stdio.h>
++#include <ctype.h>
++#include <string.h>
++#include <openssl/bio.h>
++#include <openssl/evp.h>
++#include <openssl/hmac.h>
++#include <openssl/err.h>
++#include <openssl/rsa.h>
++#include <openssl/bn.h>
++#include <openssl/x509v3.h>
++
++#ifndef OPENSSL_FIPS
++
++int main(int argc, char *argv[])
++{
++ printf("No FIPS RSA support\n");
++ return(0);
++}
++
++#else
++
++#include "fips_utl.h"
++
++static int rsa_stest(FILE *out, FILE *in, int Saltlen);
++static int rsa_printsig(FILE *out, RSA *rsa, const EVP_MD *dgst,
++ unsigned char *Msg, long Msglen, int Saltlen);
++
++int main(int argc, char **argv)
++ {
++ FILE *in = NULL, *out = NULL;
++
++ int ret = 1, Saltlen = -1;
++
++ if(!FIPS_mode_set(1))
++ {
++ do_print_errors();
++ goto end;
++ }
++
++ if ((argc > 2) && !strcmp("-saltlen", argv[1]))
++ {
++ Saltlen = atoi(argv[2]);
++ if (Saltlen < 0)
++ {
++ fprintf(stderr, "FATAL: Invalid salt length\n");
++ goto end;
++ }
++ argc -= 2;
++ argv += 2;
++ }
++ else if ((argc > 1) && !strcmp("-x931", argv[1]))
++ {
++ Saltlen = -2;
++ argc--;
++ argv++;
++ }
++
++ if (argc == 1)
++ in = stdin;
++ else
++ in = fopen(argv[1], "r");
++
++ if (argc < 2)
++ out = stdout;
++ else
++ out = fopen(argv[2], "w");
++
++ if (!in)
++ {
++ fprintf(stderr, "FATAL input initialization error\n");
++ goto end;
++ }
++
++ if (!out)
++ {
++ fprintf(stderr, "FATAL output initialization error\n");
++ goto end;
++ }
++
++ if (!rsa_stest(out, in, Saltlen))
++ {
++ fprintf(stderr, "FATAL RSASTEST file processing error\n");
++ goto end;
++ }
++ else
++ ret = 0;
++
++ end:
++
++ if (ret)
++ do_print_errors();
++
++ if (in && (in != stdin))
++ fclose(in);
++ if (out && (out != stdout))
++ fclose(out);
++
++ return ret;
++
++ }
++
++#define RSA_TEST_MAXLINELEN 10240
++
++int rsa_stest(FILE *out, FILE *in, int Saltlen)
++ {
++ char *linebuf, *olinebuf, *p, *q;
++ char *keyword, *value;
++ RSA *rsa = NULL;
++ const EVP_MD *dgst = NULL;
++ unsigned char *Msg = NULL;
++ long Msglen = -1;
++ int keylen = -1, current_keylen = -1;
++ int ret = 0;
++ int lnum = 0;
++
++ olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
++ linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
++
++ if (!linebuf || !olinebuf)
++ goto error;
++
++ while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in))
++ {
++ lnum++;
++ strcpy(linebuf, olinebuf);
++ keyword = linebuf;
++ /* Skip leading space */
++ while (isspace((unsigned char)*keyword))
++ keyword++;
++
++ /* Look for = sign */
++ p = strchr(linebuf, '=');
++
++ /* If no = just copy */
++ if (!p)
++ {
++ if (fputs(olinebuf, out) < 0)
++ goto error;
++ continue;
++ }
++
++ q = p - 1;
++
++ /* Remove trailing space */
++ while (isspace((unsigned char)*q))
++ *q-- = 0;
++
++ *p = 0;
++ value = p + 1;
++
++ /* Remove leading space from value */
++ while (isspace((unsigned char)*value))
++ value++;
++
++ /* Remove trailing space from value */
++ p = value + strlen(value) - 1;
++
++ while (*p == '\n' || isspace((unsigned char)*p))
++ *p-- = 0;
++
++ /* Look for [mod = XXX] for key length */
++
++ if (!strcmp(keyword, "[mod"))
++ {
++ p = value + strlen(value) - 1;
++ if (*p != ']')
++ goto parse_error;
++ *p = 0;
++ keylen = atoi(value);
++ if (keylen < 0)
++ goto parse_error;
++ }
++ else if (!strcmp(keyword, "SHAAlg"))
++ {
++ if (!strcmp(value, "SHA1"))
++ dgst = EVP_sha1();
++ else if (!strcmp(value, "SHA224"))
++ dgst = EVP_sha224();
++ else if (!strcmp(value, "SHA256"))
++ dgst = EVP_sha256();
++ else if (!strcmp(value, "SHA384"))
++ dgst = EVP_sha384();
++ else if (!strcmp(value, "SHA512"))
++ dgst = EVP_sha512();
++ else
++ {
++ fprintf(stderr,
++ "FATAL: unsupported algorithm \"%s\"\n",
++ value);
++ goto parse_error;
++ }
++ }
++ else if (!strcmp(keyword, "Msg"))
++ {
++ if (Msg)
++ goto parse_error;
++ if (strlen(value) & 1)
++ *(--value) = '0';
++ Msg = hex2bin_m(value, &Msglen);
++ if (!Msg)
++ goto parse_error;
++ }
++
++ fputs(olinebuf, out);
++
++ /* If key length has changed, generate and output public
++ * key components of new RSA private key.
++ */
++
++ if (keylen != current_keylen)
++ {
++ BIGNUM *bn_e;
++ if (rsa)
++ FIPS_rsa_free(rsa);
++ rsa = FIPS_rsa_new();
++ if (!rsa)
++ goto error;
++ bn_e = BN_new();
++ if (!bn_e || !BN_set_word(bn_e, 0x1001))
++ goto error;
++ if (!RSA_X931_generate_key_ex(rsa, keylen, bn_e, NULL))
++ goto error;
++ BN_free(bn_e);
++ fputs("n = ", out);
++ do_bn_print(out, rsa->n);
++ fputs("\ne = ", out);
++ do_bn_print(out, rsa->e);
++ fputs("\n", out);
++ current_keylen = keylen;
++ }
++
++ if (Msg && dgst)
++ {
++ if (!rsa_printsig(out, rsa, dgst, Msg, Msglen,
++ Saltlen))
++ goto error;
++ OPENSSL_free(Msg);
++ Msg = NULL;
++ }
++
++ }
++
++ ret = 1;
++
++ error:
++
++ if (olinebuf)
++ OPENSSL_free(olinebuf);
++ if (linebuf)
++ OPENSSL_free(linebuf);
++ if (rsa)
++ FIPS_rsa_free(rsa);
++
++ return ret;
++
++ parse_error:
++
++ fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
++
++ goto error;
++
++ }
++
++static int rsa_printsig(FILE *out, RSA *rsa, const EVP_MD *dgst,
++ unsigned char *Msg, long Msglen, int Saltlen)
++ {
++ int ret = 0;
++ unsigned char *sigbuf = NULL;
++ int i, siglen;
++ /* EVP_PKEY structure */
++ EVP_PKEY pk;
++ EVP_MD_CTX ctx;
++ pk.type = EVP_PKEY_RSA;
++ pk.pkey.rsa = rsa;
++
++ siglen = RSA_size(rsa);
++ sigbuf = OPENSSL_malloc(siglen);
++ if (!sigbuf)
++ goto error;
++
++ EVP_MD_CTX_init(&ctx);
++
++ if (Saltlen >= 0)
++ {
++ M_EVP_MD_CTX_set_flags(&ctx,
++ EVP_MD_CTX_FLAG_PAD_PSS | (Saltlen << 16));
++ }
++ else if (Saltlen == -2)
++ M_EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_PAD_X931);
++ if (!EVP_SignInit_ex(&ctx, dgst, NULL))
++ goto error;
++ if (!EVP_SignUpdate(&ctx, Msg, Msglen))
++ goto error;
++ if (!EVP_SignFinal(&ctx, sigbuf, (unsigned int *)&siglen, &pk))
++ goto error;
++
++ EVP_MD_CTX_cleanup(&ctx);
++
++ fputs("S = ", out);
++
++ for (i = 0; i < siglen; i++)
++ fprintf(out, "%02X", sigbuf[i]);
++
++ fputs("\n", out);
++
++ ret = 1;
++
++ error:
++
++ return ret;
++ }
++#endif
+diff -up openssl-1.0.0f/crypto/fips/cavs/fips_rsavtest.c.fips openssl-1.0.0f/crypto/fips/cavs/fips_rsavtest.c
+--- openssl-1.0.0f/crypto/fips/cavs/fips_rsavtest.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/cavs/fips_rsavtest.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,377 @@
++/* fips_rsavtest.c */
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project 2005.
++ */
++/* ====================================================================
++ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay at cryptsoft.com). This product includes software written by Tim
++ * Hudson (tjh at cryptsoft.com).
++ *
++ */
++
++#include <stdio.h>
++#include <ctype.h>
++#include <string.h>
++#include <openssl/bio.h>
++#include <openssl/evp.h>
++#include <openssl/hmac.h>
++#include <openssl/err.h>
++#include <openssl/x509v3.h>
++#include <openssl/bn.h>
++#include <openssl/rsa.h>
++
++#ifndef OPENSSL_FIPS
++
++int main(int argc, char *argv[])
++{
++ printf("No FIPS RSA support\n");
++ return(0);
++}
++
++#else
++
++#include "fips_utl.h"
++
++int rsa_test(FILE *out, FILE *in, int saltlen);
++static int rsa_printver(FILE *out,
++ BIGNUM *n, BIGNUM *e,
++ const EVP_MD *dgst,
++ unsigned char *Msg, long Msglen,
++ unsigned char *S, long Slen, int Saltlen);
++
++int main(int argc, char **argv)
++ {
++ FILE *in = NULL, *out = NULL;
++
++ int ret = 1;
++ int Saltlen = -1;
++
++ if(!FIPS_mode_set(1))
++ {
++ do_print_errors();
++ goto end;
++ }
++
++ if ((argc > 2) && !strcmp("-saltlen", argv[1]))
++ {
++ Saltlen = atoi(argv[2]);
++ if (Saltlen < 0)
++ {
++ fprintf(stderr, "FATAL: Invalid salt length\n");
++ goto end;
++ }
++ argc -= 2;
++ argv += 2;
++ }
++ else if ((argc > 1) && !strcmp("-x931", argv[1]))
++ {
++ Saltlen = -2;
++ argc--;
++ argv++;
++ }
++
++ if (argc == 1)
++ in = stdin;
++ else
++ in = fopen(argv[1], "r");
++
++ if (argc < 2)
++ out = stdout;
++ else
++ out = fopen(argv[2], "w");
++
++ if (!in)
++ {
++ fprintf(stderr, "FATAL input initialization error\n");
++ goto end;
++ }
++
++ if (!out)
++ {
++ fprintf(stderr, "FATAL output initialization error\n");
++ goto end;
++ }
++
++ if (!rsa_test(out, in, Saltlen))
++ {
++ fprintf(stderr, "FATAL RSAVTEST file processing error\n");
++ goto end;
++ }
++ else
++ ret = 0;
++
++ end:
++
++ if (ret)
++ do_print_errors();
++
++ if (in && (in != stdin))
++ fclose(in);
++ if (out && (out != stdout))
++ fclose(out);
++
++ return ret;
++
++ }
++
++#define RSA_TEST_MAXLINELEN 10240
++
++int rsa_test(FILE *out, FILE *in, int Saltlen)
++ {
++ char *linebuf, *olinebuf, *p, *q;
++ char *keyword, *value;
++ const EVP_MD *dgst = NULL;
++ BIGNUM *n = NULL, *e = NULL;
++ unsigned char *Msg = NULL, *S = NULL;
++ long Msglen, Slen;
++ int ret = 0;
++ int lnum = 0;
++
++ olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
++ linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
++
++ if (!linebuf || !olinebuf)
++ goto error;
++
++ while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in))
++ {
++ lnum++;
++ strcpy(linebuf, olinebuf);
++ keyword = linebuf;
++ /* Skip leading space */
++ while (isspace((unsigned char)*keyword))
++ keyword++;
++
++ /* Look for = sign */
++ p = strchr(linebuf, '=');
++
++ /* If no = or starts with [ (for [foo = bar] line) just copy */
++ if (!p || *keyword=='[')
++ {
++ if (fputs(olinebuf, out) < 0)
++ goto error;
++ continue;
++ }
++
++ q = p - 1;
++
++ /* Remove trailing space */
++ while (isspace((unsigned char)*q))
++ *q-- = 0;
++
++ *p = 0;
++ value = p + 1;
++
++ /* Remove leading space from value */
++ while (isspace((unsigned char)*value))
++ value++;
++
++ /* Remove trailing space from value */
++ p = value + strlen(value) - 1;
++
++ while (*p == '\n' || isspace((unsigned char)*p))
++ *p-- = 0;
++
++ if (!strcmp(keyword, "n"))
++ {
++ if (!do_hex2bn(&n,value))
++ goto parse_error;
++ }
++ else if (!strcmp(keyword, "e"))
++ {
++ if (!do_hex2bn(&e,value))
++ goto parse_error;
++ }
++ else if (!strcmp(keyword, "SHAAlg"))
++ {
++ if (!strcmp(value, "SHA1"))
++ dgst = EVP_sha1();
++ else if (!strcmp(value, "SHA224"))
++ dgst = EVP_sha224();
++ else if (!strcmp(value, "SHA256"))
++ dgst = EVP_sha256();
++ else if (!strcmp(value, "SHA384"))
++ dgst = EVP_sha384();
++ else if (!strcmp(value, "SHA512"))
++ dgst = EVP_sha512();
++ else
++ {
++ fprintf(stderr,
++ "FATAL: unsupported algorithm \"%s\"\n",
++ value);
++ goto parse_error;
++ }
++ }
++ else if (!strcmp(keyword, "Msg"))
++ {
++ if (Msg)
++ goto parse_error;
++ if (strlen(value) & 1)
++ *(--value) = '0';
++ Msg = hex2bin_m(value, &Msglen);
++ if (!Msg)
++ goto parse_error;
++ }
++ else if (!strcmp(keyword, "S"))
++ {
++ if (S)
++ goto parse_error;
++ if (strlen(value) & 1)
++ *(--value) = '0';
++ S = hex2bin_m(value, &Slen);
++ if (!S)
++ goto parse_error;
++ }
++ else if (!strcmp(keyword, "Result"))
++ continue;
++ else
++ goto parse_error;
++
++ fputs(olinebuf, out);
++
++ if (n && e && Msg && S && dgst)
++ {
++ if (!rsa_printver(out, n, e, dgst,
++ Msg, Msglen, S, Slen, Saltlen))
++ goto error;
++ OPENSSL_free(Msg);
++ Msg = NULL;
++ OPENSSL_free(S);
++ S = NULL;
++ }
++
++ }
++
++
++ ret = 1;
++
++
++ error:
++
++ if (olinebuf)
++ OPENSSL_free(olinebuf);
++ if (linebuf)
++ OPENSSL_free(linebuf);
++ if (n)
++ BN_free(n);
++ if (e)
++ BN_free(e);
++
++ return ret;
++
++ parse_error:
++
++ fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
++
++ goto error;
++
++ }
++
++static int rsa_printver(FILE *out,
++ BIGNUM *n, BIGNUM *e,
++ const EVP_MD *dgst,
++ unsigned char *Msg, long Msglen,
++ unsigned char *S, long Slen, int Saltlen)
++ {
++ int ret = 0, r;
++ /* Setup RSA and EVP_PKEY structures */
++ RSA *rsa_pubkey = NULL;
++ EVP_PKEY pk;
++ EVP_MD_CTX ctx;
++ unsigned char *buf = NULL;
++ rsa_pubkey = FIPS_rsa_new();
++ if (!rsa_pubkey)
++ goto error;
++ rsa_pubkey->n = BN_dup(n);
++ rsa_pubkey->e = BN_dup(e);
++ if (!rsa_pubkey->n || !rsa_pubkey->e)
++ goto error;
++ pk.type = EVP_PKEY_RSA;
++ pk.pkey.rsa = rsa_pubkey;
++
++ EVP_MD_CTX_init(&ctx);
++
++ if (Saltlen >= 0)
++ {
++ M_EVP_MD_CTX_set_flags(&ctx,
++ EVP_MD_CTX_FLAG_PAD_PSS | (Saltlen << 16));
++ }
++ else if (Saltlen == -2)
++ M_EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_PAD_X931);
++ if (!EVP_VerifyInit_ex(&ctx, dgst, NULL))
++ goto error;
++ if (!EVP_VerifyUpdate(&ctx, Msg, Msglen))
++ goto error;
++
++ r = EVP_VerifyFinal(&ctx, S, Slen, &pk);
++
++
++ EVP_MD_CTX_cleanup(&ctx);
++
++ if (r < 0)
++ goto error;
++ ERR_clear_error();
++
++ if (r == 0)
++ fputs("Result = F\n", out);
++ else
++ fputs("Result = P\n", out);
++
++ ret = 1;
++
++ error:
++ if (rsa_pubkey)
++ FIPS_rsa_free(rsa_pubkey);
++ if (buf)
++ OPENSSL_free(buf);
++
++ return ret;
++ }
++#endif
+diff -up openssl-1.0.0f/crypto/fips/cavs/fips_shatest.c.fips openssl-1.0.0f/crypto/fips/cavs/fips_shatest.c
+--- openssl-1.0.0f/crypto/fips/cavs/fips_shatest.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/cavs/fips_shatest.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,388 @@
++/* fips_shatest.c */
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project 2005.
++ */
++/* ====================================================================
++ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay at cryptsoft.com). This product includes software written by Tim
++ * Hudson (tjh at cryptsoft.com).
++ *
++ */
++
++#include <stdio.h>
++#include <ctype.h>
++#include <string.h>
++#include <openssl/bio.h>
++#include <openssl/evp.h>
++#include <openssl/err.h>
++#include <openssl/bn.h>
++#include <openssl/x509v3.h>
++
++#ifndef OPENSSL_FIPS
++
++int main(int argc, char *argv[])
++{
++ printf("No FIPS SHAXXX support\n");
++ return(0);
++}
++
++#else
++
++#include "fips_utl.h"
++
++static int dgst_test(FILE *out, FILE *in);
++static int print_dgst(const EVP_MD *md, FILE *out,
++ unsigned char *Msg, int Msglen);
++static int print_monte(const EVP_MD *md, FILE *out,
++ unsigned char *Seed, int SeedLen);
++
++int main(int argc, char **argv)
++ {
++ FILE *in = NULL, *out = NULL;
++
++ int ret = 1;
++
++ if(!FIPS_mode_set(1))
++ {
++ do_print_errors();
++ goto end;
++ }
++
++ if (argc == 1)
++ in = stdin;
++ else
++ in = fopen(argv[1], "r");
++
++ if (argc < 2)
++ out = stdout;
++ else
++ out = fopen(argv[2], "w");
++
++ if (!in)
++ {
++ fprintf(stderr, "FATAL input initialization error\n");
++ goto end;
++ }
++
++ if (!out)
++ {
++ fprintf(stderr, "FATAL output initialization error\n");
++ goto end;
++ }
++
++ if (!dgst_test(out, in))
++ {
++ fprintf(stderr, "FATAL digest file processing error\n");
++ goto end;
++ }
++ else
++ ret = 0;
++
++ end:
++
++ if (ret)
++ do_print_errors();
++
++ if (in && (in != stdin))
++ fclose(in);
++ if (out && (out != stdout))
++ fclose(out);
++
++ return ret;
++
++ }
++
++#define SHA_TEST_MAX_BITS 102400
++#define SHA_TEST_MAXLINELEN (((SHA_TEST_MAX_BITS >> 3) * 2) + 100)
++
++int dgst_test(FILE *out, FILE *in)
++ {
++ const EVP_MD *md = NULL;
++ char *linebuf, *olinebuf, *p, *q;
++ char *keyword, *value;
++ unsigned char *Msg = NULL, *Seed = NULL;
++ long MsgLen = -1, Len = -1, SeedLen = -1;
++ int ret = 0;
++ int lnum = 0;
++
++ olinebuf = OPENSSL_malloc(SHA_TEST_MAXLINELEN);
++ linebuf = OPENSSL_malloc(SHA_TEST_MAXLINELEN);
++
++ if (!linebuf || !olinebuf)
++ goto error;
++
++
++ while (fgets(olinebuf, SHA_TEST_MAXLINELEN, in))
++ {
++ lnum++;
++ strcpy(linebuf, olinebuf);
++ keyword = linebuf;
++ /* Skip leading space */
++ while (isspace((unsigned char)*keyword))
++ keyword++;
++
++ /* Look for = sign */
++ p = strchr(linebuf, '=');
++
++ /* If no = or starts with [ (for [L=20] line) just copy */
++ if (!p)
++ {
++ fputs(olinebuf, out);
++ continue;
++ }
++
++ q = p - 1;
++
++ /* Remove trailing space */
++ while (isspace((unsigned char)*q))
++ *q-- = 0;
++
++ *p = 0;
++ value = p + 1;
++
++ /* Remove leading space from value */
++ while (isspace((unsigned char)*value))
++ value++;
++
++ /* Remove trailing space from value */
++ p = value + strlen(value) - 1;
++ while (*p == '\n' || isspace((unsigned char)*p))
++ *p-- = 0;
++
++ if (!strcmp(keyword,"[L") && *p==']')
++ {
++ switch (atoi(value))
++ {
++ case 20: md=EVP_sha1(); break;
++ case 28: md=EVP_sha224(); break;
++ case 32: md=EVP_sha256(); break;
++ case 48: md=EVP_sha384(); break;
++ case 64: md=EVP_sha512(); break;
++ default: goto parse_error;
++ }
++ }
++ else if (!strcmp(keyword, "Len"))
++ {
++ if (Len != -1)
++ goto parse_error;
++ Len = atoi(value);
++ if (Len < 0)
++ goto parse_error;
++ /* Only handle multiples of 8 bits */
++ if (Len & 0x7)
++ goto parse_error;
++ if (Len > SHA_TEST_MAX_BITS)
++ goto parse_error;
++ MsgLen = Len >> 3;
++ }
++
++ else if (!strcmp(keyword, "Msg"))
++ {
++ long tmplen;
++ if (strlen(value) & 1)
++ *(--value) = '0';
++ if (Msg)
++ goto parse_error;
++ Msg = hex2bin_m(value, &tmplen);
++ if (!Msg)
++ goto parse_error;
++ }
++ else if (!strcmp(keyword, "Seed"))
++ {
++ if (strlen(value) & 1)
++ *(--value) = '0';
++ if (Seed)
++ goto parse_error;
++ Seed = hex2bin_m(value, &SeedLen);
++ if (!Seed)
++ goto parse_error;
++ }
++ else if (!strcmp(keyword, "MD"))
++ continue;
++ else
++ goto parse_error;
++
++ fputs(olinebuf, out);
++
++ if (md && Msg && (MsgLen >= 0))
++ {
++ if (!print_dgst(md, out, Msg, MsgLen))
++ goto error;
++ OPENSSL_free(Msg);
++ Msg = NULL;
++ MsgLen = -1;
++ Len = -1;
++ }
++ else if (md && Seed && (SeedLen > 0))
++ {
++ if (!print_monte(md, out, Seed, SeedLen))
++ goto error;
++ OPENSSL_free(Seed);
++ Seed = NULL;
++ SeedLen = -1;
++ }
++
++
++ }
++
++
++ ret = 1;
++
++
++ error:
++
++ if (olinebuf)
++ OPENSSL_free(olinebuf);
++ if (linebuf)
++ OPENSSL_free(linebuf);
++ if (Msg)
++ OPENSSL_free(Msg);
++ if (Seed)
++ OPENSSL_free(Seed);
++
++ return ret;
++
++ parse_error:
++
++ fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
++
++ goto error;
++
++ }
++
++static int print_dgst(const EVP_MD *emd, FILE *out,
++ unsigned char *Msg, int Msglen)
++ {
++ int i, mdlen;
++ unsigned char md[EVP_MAX_MD_SIZE];
++ if (!EVP_Digest(Msg, Msglen, md, (unsigned int *)&mdlen, emd, NULL))
++ {
++ fputs("Error calculating HASH\n", stderr);
++ return 0;
++ }
++ fputs("MD = ", out);
++ for (i = 0; i < mdlen; i++)
++ fprintf(out, "%02x", md[i]);
++ fputs("\n", out);
++ return 1;
++ }
++
++static int print_monte(const EVP_MD *md, FILE *out,
++ unsigned char *Seed, int SeedLen)
++ {
++ unsigned int i, j, k;
++ int ret = 0;
++ EVP_MD_CTX ctx;
++ unsigned char *m1, *m2, *m3, *p;
++ unsigned int mlen, m1len, m2len, m3len;
++
++ EVP_MD_CTX_init(&ctx);
++
++ if (SeedLen > EVP_MAX_MD_SIZE)
++ mlen = SeedLen;
++ else
++ mlen = EVP_MAX_MD_SIZE;
++
++ m1 = OPENSSL_malloc(mlen);
++ m2 = OPENSSL_malloc(mlen);
++ m3 = OPENSSL_malloc(mlen);
++
++ if (!m1 || !m2 || !m3)
++ goto mc_error;
++
++ m1len = m2len = m3len = SeedLen;
++ memcpy(m1, Seed, SeedLen);
++ memcpy(m2, Seed, SeedLen);
++ memcpy(m3, Seed, SeedLen);
++
++ fputs("\n", out);
++
++ for (j = 0; j < 100; j++)
++ {
++ for (i = 0; i < 1000; i++)
++ {
++ EVP_DigestInit_ex(&ctx, md, NULL);
++ EVP_DigestUpdate(&ctx, m1, m1len);
++ EVP_DigestUpdate(&ctx, m2, m2len);
++ EVP_DigestUpdate(&ctx, m3, m3len);
++ p = m1;
++ m1 = m2;
++ m1len = m2len;
++ m2 = m3;
++ m2len = m3len;
++ m3 = p;
++ EVP_DigestFinal_ex(&ctx, m3, &m3len);
++ }
++ fprintf(out, "COUNT = %d\n", j);
++ fputs("MD = ", out);
++ for (k = 0; k < m3len; k++)
++ fprintf(out, "%02x", m3[k]);
++ fputs("\n\n", out);
++ memcpy(m1, m3, m3len);
++ memcpy(m2, m3, m3len);
++ m1len = m2len = m3len;
++ }
++
++ ret = 1;
++
++ mc_error:
++ if (m1)
++ OPENSSL_free(m1);
++ if (m2)
++ OPENSSL_free(m2);
++ if (m3)
++ OPENSSL_free(m3);
++
++ EVP_MD_CTX_cleanup(&ctx);
++
++ return ret;
++ }
++
++#endif
+diff -up openssl-1.0.0f/crypto/fips/cavs/fips_utl.h.fips openssl-1.0.0f/crypto/fips/cavs/fips_utl.h
+--- openssl-1.0.0f/crypto/fips/cavs/fips_utl.h.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/cavs/fips_utl.h 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,343 @@
++/* ====================================================================
++ * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++void do_print_errors(void)
++ {
++ const char *file, *data;
++ int line, flags;
++ unsigned long l;
++ while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)))
++ {
++ fprintf(stderr, "ERROR:%lx:lib=%d,func=%d,reason=%d"
++ ":file=%s:line=%d:%s\n",
++ l, ERR_GET_LIB(l), ERR_GET_FUNC(l), ERR_GET_REASON(l),
++ file, line, flags & ERR_TXT_STRING ? data : "");
++ }
++ }
++
++int hex2bin(const char *in, unsigned char *out)
++ {
++ int n1, n2;
++ unsigned char ch;
++
++ for (n1=0,n2=0 ; in[n1] && in[n1] != '\n' ; )
++ { /* first byte */
++ if ((in[n1] >= '0') && (in[n1] <= '9'))
++ ch = in[n1++] - '0';
++ else if ((in[n1] >= 'A') && (in[n1] <= 'F'))
++ ch = in[n1++] - 'A' + 10;
++ else if ((in[n1] >= 'a') && (in[n1] <= 'f'))
++ ch = in[n1++] - 'a' + 10;
++ else
++ return -1;
++ if(!in[n1])
++ {
++ out[n2++]=ch;
++ break;
++ }
++ out[n2] = ch << 4;
++ /* second byte */
++ if ((in[n1] >= '0') && (in[n1] <= '9'))
++ ch = in[n1++] - '0';
++ else if ((in[n1] >= 'A') && (in[n1] <= 'F'))
++ ch = in[n1++] - 'A' + 10;
++ else if ((in[n1] >= 'a') && (in[n1] <= 'f'))
++ ch = in[n1++] - 'a' + 10;
++ else
++ return -1;
++ out[n2++] |= ch;
++ }
++ return n2;
++ }
++
++unsigned char *hex2bin_m(const char *in, long *plen)
++ {
++ unsigned char *p;
++ p = OPENSSL_malloc((strlen(in) + 1)/2);
++ *plen = hex2bin(in, p);
++ return p;
++ }
++
++int do_hex2bn(BIGNUM **pr, const char *in)
++ {
++ unsigned char *p;
++ long plen;
++ int r = 0;
++ p = hex2bin_m(in, &plen);
++ if (!p)
++ return 0;
++ if (!*pr)
++ *pr = BN_new();
++ if (!*pr)
++ return 0;
++ if (BN_bin2bn(p, plen, *pr))
++ r = 1;
++ OPENSSL_free(p);
++ return r;
++ }
++
++int do_bn_print(FILE *out, BIGNUM *bn)
++ {
++ int len, i;
++ unsigned char *tmp;
++ len = BN_num_bytes(bn);
++ if (len == 0)
++ {
++ fputs("00", out);
++ return 1;
++ }
++
++ tmp = OPENSSL_malloc(len);
++ if (!tmp)
++ {
++ fprintf(stderr, "Memory allocation error\n");
++ return 0;
++ }
++ BN_bn2bin(bn, tmp);
++ for (i = 0; i < len; i++)
++ fprintf(out, "%02x", tmp[i]);
++ OPENSSL_free(tmp);
++ return 1;
++ }
++
++int do_bn_print_name(FILE *out, const char *name, BIGNUM *bn)
++ {
++ int r;
++ fprintf(out, "%s = ", name);
++ r = do_bn_print(out, bn);
++ if (!r)
++ return 0;
++ fputs("\n", out);
++ return 1;
++ }
++
++int parse_line(char **pkw, char **pval, char *linebuf, char *olinebuf)
++ {
++ char *keyword, *value, *p, *q;
++ strcpy(linebuf, olinebuf);
++ keyword = linebuf;
++ /* Skip leading space */
++ while (isspace((unsigned char)*keyword))
++ keyword++;
++
++ /* Look for = sign */
++ p = strchr(linebuf, '=');
++
++ /* If no '=' exit */
++ if (!p)
++ return 0;
++
++ q = p - 1;
++
++ /* Remove trailing space */
++ while (isspace((unsigned char)*q))
++ *q-- = 0;
++
++ *p = 0;
++ value = p + 1;
++
++ /* Remove leading space from value */
++ while (isspace((unsigned char)*value))
++ value++;
++
++ /* Remove trailing space from value */
++ p = value + strlen(value) - 1;
++
++ while (*p == '\n' || isspace((unsigned char)*p))
++ *p-- = 0;
++
++ *pkw = keyword;
++ *pval = value;
++ return 1;
++ }
++
++BIGNUM *hex2bn(const char *in)
++ {
++ BIGNUM *p=NULL;
++
++ if (!do_hex2bn(&p, in))
++ return NULL;
++
++ return p;
++ }
++
++int bin2hex(const unsigned char *in,int len,char *out)
++ {
++ int n1, n2;
++ unsigned char ch;
++
++ for (n1=0,n2=0 ; n1 < len ; ++n1)
++ {
++ ch=in[n1] >> 4;
++ if (ch <= 0x09)
++ out[n2++]=ch+'0';
++ else
++ out[n2++]=ch-10+'a';
++ ch=in[n1] & 0x0f;
++ if(ch <= 0x09)
++ out[n2++]=ch+'0';
++ else
++ out[n2++]=ch-10+'a';
++ }
++ out[n2]='\0';
++ return n2;
++ }
++
++void pv(const char *tag,const unsigned char *val,int len)
++ {
++ char obuf[2048];
++
++ bin2hex(val,len,obuf);
++ printf("%s = %s\n",tag,obuf);
++ }
++
++/* To avoid extensive changes to test program at this stage just convert
++ * the input line into an acceptable form. Keyword lines converted to form
++ * "keyword = value\n" no matter what white space present, all other lines
++ * just have leading and trailing space removed.
++ */
++
++int tidy_line(char *linebuf, char *olinebuf)
++ {
++ char *keyword, *value, *p, *q;
++ strcpy(linebuf, olinebuf);
++ keyword = linebuf;
++ /* Skip leading space */
++ while (isspace((unsigned char)*keyword))
++ keyword++;
++ /* Look for = sign */
++ p = strchr(linebuf, '=');
++
++ /* If no '=' just chop leading, trailing ws */
++ if (!p)
++ {
++ p = keyword + strlen(keyword) - 1;
++ while (*p == '\n' || isspace((unsigned char)*p))
++ *p-- = 0;
++ strcpy(olinebuf, keyword);
++ strcat(olinebuf, "\n");
++ return 1;
++ }
++
++ q = p - 1;
++
++ /* Remove trailing space */
++ while (isspace((unsigned char)*q))
++ *q-- = 0;
++
++ *p = 0;
++ value = p + 1;
++
++ /* Remove leading space from value */
++ while (isspace((unsigned char)*value))
++ value++;
++
++ /* Remove trailing space from value */
++ p = value + strlen(value) - 1;
++
++ while (*p == '\n' || isspace((unsigned char)*p))
++ *p-- = 0;
++
++ strcpy(olinebuf, keyword);
++ strcat(olinebuf, " = ");
++ strcat(olinebuf, value);
++ strcat(olinebuf, "\n");
++
++ return 1;
++ }
++
++/* NB: this return the number of _bits_ read */
++int bint2bin(const char *in, int len, unsigned char *out)
++ {
++ int n;
++
++ memset(out,0,len);
++ for(n=0 ; n < len ; ++n)
++ if(in[n] == '1')
++ out[n/8]|=(0x80 >> (n%8));
++ return len;
++ }
++
++int bin2bint(const unsigned char *in,int len,char *out)
++ {
++ int n;
++
++ for(n=0 ; n < len ; ++n)
++ out[n]=(in[n/8]&(0x80 >> (n%8))) ? '1' : '0';
++ return n;
++ }
++
++/*-----------------------------------------------*/
++
++void PrintValue(char *tag, unsigned char *val, int len)
++{
++#if VERBOSE
++ char obuf[2048];
++ int olen;
++ olen = bin2hex(val, len, obuf);
++ printf("%s = %.*s\n", tag, olen, obuf);
++#endif
++}
++
++void OutputValue(char *tag, unsigned char *val, int len, FILE *rfp,int bitmode)
++ {
++ char obuf[2048];
++ int olen;
++
++ if(bitmode)
++ olen=bin2bint(val,len,obuf);
++ else
++ olen=bin2hex(val,len,obuf);
++
++ fprintf(rfp, "%s = %.*s\n", tag, olen, obuf);
++#if VERBOSE
++ printf("%s = %.*s\n", tag, olen, obuf);
++#endif
++ }
++
+diff -up openssl-1.0.0f/crypto/fips_err.c.fips openssl-1.0.0f/crypto/fips_err.c
+--- openssl-1.0.0f/crypto/fips_err.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips_err.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,7 @@
++#include <openssl/opensslconf.h>
++
++#ifdef OPENSSL_FIPS
++# include "fips_err.h"
++#else
++static void *dummy=&dummy;
++#endif
+diff -up openssl-1.0.0f/crypto/fips_err.h.fips openssl-1.0.0f/crypto/fips_err.h
+--- openssl-1.0.0f/crypto/fips_err.h.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips_err.h 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,137 @@
++/* crypto/fips_err.h */
++/* ====================================================================
++ * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay at cryptsoft.com). This product includes software written by Tim
++ * Hudson (tjh at cryptsoft.com).
++ *
++ */
++
++/* NOTE: this file was auto generated by the mkerr.pl script: any changes
++ * made to it will be overwritten when the script next updates this file,
++ * only reason strings will be preserved.
++ */
++
++#include <stdio.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++
++/* BEGIN ERROR CODES */
++#ifndef OPENSSL_NO_ERR
++
++#define ERR_FUNC(func) ERR_PACK(ERR_LIB_FIPS,func,0)
++#define ERR_REASON(reason) ERR_PACK(ERR_LIB_FIPS,0,reason)
++
++static ERR_STRING_DATA FIPS_str_functs[]=
++ {
++{ERR_FUNC(FIPS_F_DH_BUILTIN_GENPARAMS), "DH_BUILTIN_GENPARAMS"},
++{ERR_FUNC(FIPS_F_DSA_BUILTIN_PARAMGEN), "DSA_BUILTIN_PARAMGEN"},
++{ERR_FUNC(FIPS_F_DSA_DO_SIGN), "DSA_do_sign"},
++{ERR_FUNC(FIPS_F_DSA_DO_VERIFY), "DSA_do_verify"},
++{ERR_FUNC(FIPS_F_EVP_CIPHERINIT_EX), "EVP_CipherInit_ex"},
++{ERR_FUNC(FIPS_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"},
++{ERR_FUNC(FIPS_F_FIPS_CHECK_DSA), "FIPS_CHECK_DSA"},
++{ERR_FUNC(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT), "FIPS_CHECK_INCORE_FINGERPRINT"},
++{ERR_FUNC(FIPS_F_FIPS_CHECK_RSA), "FIPS_CHECK_RSA"},
++{ERR_FUNC(FIPS_F_FIPS_DSA_CHECK), "FIPS_DSA_CHECK"},
++{ERR_FUNC(FIPS_F_FIPS_MODE_SET), "FIPS_mode_set"},
++{ERR_FUNC(FIPS_F_FIPS_PKEY_SIGNATURE_TEST), "fips_pkey_signature_test"},
++{ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES), "FIPS_selftest_aes"},
++{ERR_FUNC(FIPS_F_FIPS_SELFTEST_DES), "FIPS_selftest_des"},
++{ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"},
++{ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"},
++{ERR_FUNC(FIPS_F_FIPS_SELFTEST_RNG), "FIPS_selftest_rng"},
++{ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"},
++{ERR_FUNC(FIPS_F_HASH_FINAL), "HASH_FINAL"},
++{ERR_FUNC(FIPS_F_RSA_BUILTIN_KEYGEN), "RSA_BUILTIN_KEYGEN"},
++{ERR_FUNC(FIPS_F_RSA_EAY_PRIVATE_DECRYPT), "RSA_EAY_PRIVATE_DECRYPT"},
++{ERR_FUNC(FIPS_F_RSA_EAY_PRIVATE_ENCRYPT), "RSA_EAY_PRIVATE_ENCRYPT"},
++{ERR_FUNC(FIPS_F_RSA_EAY_PUBLIC_DECRYPT), "RSA_EAY_PUBLIC_DECRYPT"},
++{ERR_FUNC(FIPS_F_RSA_EAY_PUBLIC_ENCRYPT), "RSA_EAY_PUBLIC_ENCRYPT"},
++{ERR_FUNC(FIPS_F_RSA_X931_GENERATE_KEY_EX), "RSA_X931_generate_key_ex"},
++{ERR_FUNC(FIPS_F_SSLEAY_RAND_BYTES), "SSLEAY_RAND_BYTES"},
++{0,NULL}
++ };
++
++static ERR_STRING_DATA FIPS_str_reasons[]=
++ {
++{ERR_REASON(FIPS_R_CANNOT_READ_EXE) ,"cannot read exe"},
++{ERR_REASON(FIPS_R_CANNOT_READ_EXE_DIGEST),"cannot read exe digest"},
++{ERR_REASON(FIPS_R_CONTRADICTING_EVIDENCE),"contradicting evidence"},
++{ERR_REASON(FIPS_R_EXE_DIGEST_DOES_NOT_MATCH),"exe digest does not match"},
++{ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH),"fingerprint does not match"},
++{ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED),"fingerprint does not match nonpic relocated"},
++{ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING),"fingerprint does not match segment aliasing"},
++{ERR_REASON(FIPS_R_FIPS_MODE_ALREADY_SET),"fips mode already set"},
++{ERR_REASON(FIPS_R_FIPS_SELFTEST_FAILED) ,"fips selftest failed"},
++{ERR_REASON(FIPS_R_INVALID_KEY_LENGTH) ,"invalid key length"},
++{ERR_REASON(FIPS_R_KEY_TOO_SHORT) ,"key too short"},
++{ERR_REASON(FIPS_R_NON_FIPS_METHOD) ,"non fips method"},
++{ERR_REASON(FIPS_R_PAIRWISE_TEST_FAILED) ,"pairwise test failed"},
++{ERR_REASON(FIPS_R_RSA_DECRYPT_ERROR) ,"rsa decrypt error"},
++{ERR_REASON(FIPS_R_RSA_ENCRYPT_ERROR) ,"rsa encrypt error"},
++{ERR_REASON(FIPS_R_SELFTEST_FAILED) ,"selftest failed"},
++{ERR_REASON(FIPS_R_TEST_FAILURE) ,"test failure"},
++{ERR_REASON(FIPS_R_UNSUPPORTED_PLATFORM) ,"unsupported platform"},
++{0,NULL}
++ };
++
++#endif
++
++void ERR_load_FIPS_strings(void)
++ {
++#ifndef OPENSSL_NO_ERR
++
++ if (ERR_func_error_string(FIPS_str_functs[0].error) == NULL)
++ {
++ ERR_load_strings(0,FIPS_str_functs);
++ ERR_load_strings(0,FIPS_str_reasons);
++ }
++#endif
++ }
+diff -up openssl-1.0.0f/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.0f/crypto/fips/fips_aes_selftest.c
+--- openssl-1.0.0f/crypto/fips/fips_aes_selftest.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/fips_aes_selftest.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,103 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++#include <openssl/evp.h>
++
++#ifdef OPENSSL_FIPS
++static struct
++ {
++ unsigned char key[16];
++ unsigned char plaintext[16];
++ unsigned char ciphertext[16];
++ } tests[]=
++ {
++ {
++ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
++ 0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F },
++ { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
++ 0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF },
++ { 0x69,0xC4,0xE0,0xD8,0x6A,0x7B,0x04,0x30,
++ 0xD8,0xCD,0xB7,0x80,0x70,0xB4,0xC5,0x5A },
++ },
++ };
++
++void FIPS_corrupt_aes()
++ {
++ tests[0].key[0]++;
++ }
++
++int FIPS_selftest_aes()
++ {
++ int n;
++ int ret = 0;
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++
++ for(n=0 ; n < 1 ; ++n)
++ {
++ if (fips_cipher_test(&ctx, EVP_aes_128_ecb(),
++ tests[n].key, NULL,
++ tests[n].plaintext,
++ tests[n].ciphertext,
++ 16) <= 0)
++ goto err;
++ }
++ ret = 1;
++ err:
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ if (ret == 0)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES,FIPS_R_SELFTEST_FAILED);
++ return ret;
++ }
++#endif
+diff -up openssl-1.0.0f/crypto/fips/fips.c.fips openssl-1.0.0f/crypto/fips/fips.c
+--- openssl-1.0.0f/crypto/fips/fips.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/fips.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,419 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++#include <openssl/err.h>
++#include <openssl/bio.h>
++#include <openssl/hmac.h>
++#include <openssl/rsa.h>
++#include <string.h>
++#include <limits.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++#include <openssl/fips.h>
++
++#ifndef PATH_MAX
++#define PATH_MAX 1024
++#endif
++
++static int fips_selftest_fail;
++static int fips_mode;
++static const void *fips_rand_check;
++
++static void fips_set_mode(int onoff)
++ {
++ int owning_thread = fips_is_owning_thread();
++
++ if (fips_is_started())
++ {
++ if (!owning_thread) fips_w_lock();
++ fips_mode = onoff;
++ if (!owning_thread) fips_w_unlock();
++ }
++ }
++
++static void fips_set_rand_check(const void *rand_check)
++ {
++ int owning_thread = fips_is_owning_thread();
++
++ if (fips_is_started())
++ {
++ if (!owning_thread) fips_w_lock();
++ fips_rand_check = rand_check;
++ if (!owning_thread) fips_w_unlock();
++ }
++ }
++
++int FIPS_mode(void)
++ {
++ int ret = 0;
++ int owning_thread = fips_is_owning_thread();
++
++ if (fips_is_started())
++ {
++ if (!owning_thread) fips_r_lock();
++ ret = fips_mode;
++ if (!owning_thread) fips_r_unlock();
++ }
++ return ret;
++ }
++
++const void *FIPS_rand_check(void)
++ {
++ const void *ret = 0;
++ int owning_thread = fips_is_owning_thread();
++
++ if (fips_is_started())
++ {
++ if (!owning_thread) fips_r_lock();
++ ret = fips_rand_check;
++ if (!owning_thread) fips_r_unlock();
++ }
++ return ret;
++ }
++
++int FIPS_selftest_failed(void)
++ {
++ int ret = 0;
++ if (fips_is_started())
++ {
++ int owning_thread = fips_is_owning_thread();
++
++ if (!owning_thread) fips_r_lock();
++ ret = fips_selftest_fail;
++ if (!owning_thread) fips_r_unlock();
++ }
++ return ret;
++ }
++
++/* Selftest failure fatal exit routine. This will be called
++ * during *any* cryptographic operation. It has the minimum
++ * overhead possible to avoid too big a performance hit.
++ */
++
++void FIPS_selftest_check(void)
++ {
++ if (fips_selftest_fail)
++ {
++ OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE");
++ }
++ }
++
++void fips_set_selftest_fail(void)
++ {
++ fips_selftest_fail = 1;
++ }
++
++int FIPS_selftest()
++ {
++
++ return FIPS_selftest_sha1()
++ && FIPS_selftest_hmac()
++ && FIPS_selftest_aes()
++ && FIPS_selftest_des()
++ && FIPS_selftest_rsa()
++ && FIPS_selftest_dsa();
++ }
++
++int FIPS_mode_set(int onoff)
++ {
++ int fips_set_owning_thread();
++ int fips_clear_owning_thread();
++ int ret = 0;
++
++ fips_w_lock();
++ fips_set_started();
++ fips_set_owning_thread();
++
++ if(onoff)
++ {
++ unsigned char buf[48];
++
++ fips_selftest_fail = 0;
++
++ /* Don't go into FIPS mode twice, just so we can do automagic
++ seeding */
++ if(FIPS_mode())
++ {
++ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FIPS_MODE_ALREADY_SET);
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++
++#ifdef OPENSSL_IA32_SSE2
++ if ((OPENSSL_ia32cap & (1<<25|1<<26)) != (1<<25|1<<26))
++ {
++ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_UNSUPPORTED_PLATFORM);
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++#endif
++
++ /* Perform RNG KAT before seeding */
++ if (!FIPS_selftest_rng())
++ {
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++
++ /* automagically seed PRNG if not already seeded */
++ if(!FIPS_rand_status())
++ {
++ if(RAND_bytes(buf,sizeof buf) <= 0)
++ {
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++ FIPS_rand_set_key(buf,32);
++ FIPS_rand_seed(buf+32,16);
++ }
++
++ /* now switch into FIPS mode */
++ fips_set_rand_check(FIPS_rand_method());
++ RAND_set_rand_method(FIPS_rand_method());
++ if(FIPS_selftest())
++ fips_set_mode(1);
++ else
++ {
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++ ret = 1;
++ goto end;
++ }
++ fips_set_mode(0);
++ fips_selftest_fail = 0;
++ ret = 1;
++end:
++ fips_clear_owning_thread();
++ fips_w_unlock();
++ return ret;
++ }
++
++void fips_w_lock(void) { CRYPTO_w_lock(CRYPTO_LOCK_FIPS); }
++void fips_w_unlock(void) { CRYPTO_w_unlock(CRYPTO_LOCK_FIPS); }
++void fips_r_lock(void) { CRYPTO_r_lock(CRYPTO_LOCK_FIPS); }
++void fips_r_unlock(void) { CRYPTO_r_unlock(CRYPTO_LOCK_FIPS); }
++
++static int fips_started = 0;
++static unsigned long fips_thread = 0;
++
++void fips_set_started(void)
++ {
++ fips_started = 1;
++ }
++
++int fips_is_started(void)
++ {
++ return fips_started;
++ }
++
++int fips_is_owning_thread(void)
++ {
++ int ret = 0;
++
++ if (fips_is_started())
++ {
++ CRYPTO_r_lock(CRYPTO_LOCK_FIPS2);
++ if (fips_thread != 0 && fips_thread == CRYPTO_thread_id())
++ ret = 1;
++ CRYPTO_r_unlock(CRYPTO_LOCK_FIPS2);
++ }
++ return ret;
++ }
++
++int fips_set_owning_thread(void)
++ {
++ int ret = 0;
++
++ if (fips_is_started())
++ {
++ CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
++ if (fips_thread == 0)
++ {
++ fips_thread = CRYPTO_thread_id();
++ ret = 1;
++ }
++ CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
++ }
++ return ret;
++ }
++
++int fips_clear_owning_thread(void)
++ {
++ int ret = 0;
++
++ if (fips_is_started())
++ {
++ CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
++ if (fips_thread == CRYPTO_thread_id())
++ {
++ fips_thread = 0;
++ ret = 1;
++ }
++ CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
++ }
++ return ret;
++ }
++
++/* Generalized public key test routine. Signs and verifies the data
++ * supplied in tbs using mesage digest md and setting option digest
++ * flags md_flags. If the 'kat' parameter is not NULL it will
++ * additionally check the signature matches it: a known answer test
++ * The string "fail_str" is used for identification purposes in case
++ * of failure.
++ */
++
++int fips_pkey_signature_test(EVP_PKEY *pkey,
++ const unsigned char *tbs, int tbslen,
++ const unsigned char *kat, unsigned int katlen,
++ const EVP_MD *digest, unsigned int md_flags,
++ const char *fail_str)
++ {
++ int ret = 0;
++ unsigned char sigtmp[256], *sig = sigtmp;
++ unsigned int siglen;
++ EVP_MD_CTX mctx;
++ EVP_MD_CTX_init(&mctx);
++
++ if ((pkey->type == EVP_PKEY_RSA)
++ && (RSA_size(pkey->pkey.rsa) > sizeof(sigtmp)))
++ {
++ sig = OPENSSL_malloc(RSA_size(pkey->pkey.rsa));
++ if (!sig)
++ {
++ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST,ERR_R_MALLOC_FAILURE);
++ return 0;
++ }
++ }
++
++ if (tbslen == -1)
++ tbslen = strlen((char *)tbs);
++
++ if (md_flags)
++ EVP_MD_CTX_set_flags(&mctx, md_flags);
++
++ if (!EVP_SignInit_ex(&mctx, digest, NULL))
++ goto error;
++ if (!EVP_SignUpdate(&mctx, tbs, tbslen))
++ goto error;
++ if (!EVP_SignFinal(&mctx, sig, &siglen, pkey))
++ goto error;
++
++ if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen)))
++ goto error;
++
++ if (!EVP_VerifyInit_ex(&mctx, digest, NULL))
++ goto error;
++ if (!EVP_VerifyUpdate(&mctx, tbs, tbslen))
++ goto error;
++ ret = EVP_VerifyFinal(&mctx, sig, siglen, pkey);
++
++ error:
++ if (sig != sigtmp)
++ OPENSSL_free(sig);
++ EVP_MD_CTX_cleanup(&mctx);
++ if (ret != 1)
++ {
++ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST,FIPS_R_TEST_FAILURE);
++ if (fail_str)
++ ERR_add_error_data(2, "Type=", fail_str);
++ return 0;
++ }
++ return 1;
++ }
++
++/* Generalized symmetric cipher test routine. Encrypt data, verify result
++ * against known answer, decrypt and compare with original plaintext.
++ */
++
++int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
++ const unsigned char *key,
++ const unsigned char *iv,
++ const unsigned char *plaintext,
++ const unsigned char *ciphertext,
++ int len)
++ {
++ unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE];
++ unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE];
++ OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE);
++ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0)
++ return 0;
++ EVP_Cipher(ctx, citmp, plaintext, len);
++ if (memcmp(citmp, ciphertext, len))
++ return 0;
++ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0)
++ return 0;
++ EVP_Cipher(ctx, pltmp, citmp, len);
++ if (memcmp(pltmp, plaintext, len))
++ return 0;
++ return 1;
++ }
++
++#if 0
++/* The purpose of this is to ensure the error code exists and the function
++ * name is to keep the error checking script quiet
++ */
++void hash_final(void)
++ {
++ FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD);
++ }
++#endif
++
++
++#endif
+diff -up openssl-1.0.0f/crypto/fips/fips_des_selftest.c.fips openssl-1.0.0f/crypto/fips/fips_des_selftest.c
+--- openssl-1.0.0f/crypto/fips/fips_des_selftest.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/fips_des_selftest.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,139 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++#include <openssl/evp.h>
++#include <openssl/opensslconf.h>
++
++#ifdef OPENSSL_FIPS
++
++static struct
++ {
++ unsigned char key[16];
++ unsigned char plaintext[8];
++ unsigned char ciphertext[8];
++ } tests2[]=
++ {
++ {
++ { 0x7c,0x4f,0x6e,0xf7,0xa2,0x04,0x16,0xec,
++ 0x0b,0x6b,0x7c,0x9e,0x5e,0x19,0xa7,0xc4 },
++ { 0x06,0xa7,0xd8,0x79,0xaa,0xce,0x69,0xef },
++ { 0x4c,0x11,0x17,0x55,0xbf,0xc4,0x4e,0xfd }
++ },
++ {
++ { 0x5d,0x9e,0x01,0xd3,0x25,0xc7,0x3e,0x34,
++ 0x01,0x16,0x7c,0x85,0x23,0xdf,0xe0,0x68 },
++ { 0x9c,0x50,0x09,0x0f,0x5e,0x7d,0x69,0x7e },
++ { 0xd2,0x0b,0x18,0xdf,0xd9,0x0d,0x9e,0xff },
++ }
++ };
++
++static struct
++ {
++ unsigned char key[24];
++ unsigned char plaintext[8];
++ unsigned char ciphertext[8];
++ } tests3[]=
++ {
++ {
++ { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
++ 0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10,
++ 0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0 },
++ { 0x8f,0x8f,0xbf,0x9b,0x5d,0x48,0xb4,0x1c },
++ { 0x59,0x8c,0xe5,0xd3,0x6c,0xa2,0xea,0x1b },
++ },
++ {
++ { 0xDC,0xBA,0x98,0x76,0x54,0x32,0x10,0xFE,
++ 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
++ 0xED,0x39,0xD9,0x50,0xFA,0x74,0xBC,0xC4 },
++ { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF },
++ { 0x11,0x25,0xb0,0x35,0xbe,0xa0,0x82,0x86 },
++ },
++ };
++
++void FIPS_corrupt_des()
++ {
++ tests2[0].plaintext[0]++;
++ }
++
++int FIPS_selftest_des()
++ {
++ int n, ret = 0;
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++ /* Encrypt/decrypt with 2-key 3DES and compare to known answers */
++ for(n=0 ; n < 2 ; ++n)
++ {
++ if (!fips_cipher_test(&ctx, EVP_des_ede_ecb(),
++ tests2[n].key, NULL,
++ tests2[n].plaintext, tests2[n].ciphertext, 8))
++ goto err;
++ }
++
++ /* Encrypt/decrypt with 3DES and compare to known answers */
++ for(n=0 ; n < 2 ; ++n)
++ {
++ if (!fips_cipher_test(&ctx, EVP_des_ede3_ecb(),
++ tests3[n].key, NULL,
++ tests3[n].plaintext, tests3[n].ciphertext, 8))
++ goto err;
++ }
++ ret = 1;
++ err:
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ if (ret == 0)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_DES,FIPS_R_SELFTEST_FAILED);
++
++ return ret;
++ }
++#endif
+diff -up openssl-1.0.0f/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.0f/crypto/fips/fips_dsa_selftest.c
+--- openssl-1.0.0f/crypto/fips/fips_dsa_selftest.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/fips_dsa_selftest.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,186 @@
++/* crypto/dsa/dsatest.c */
++/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
++ * All rights reserved.
++ *
++ * This package is an SSL implementation written
++ * by Eric Young (eay at cryptsoft.com).
++ * The implementation was written so as to conform with Netscapes SSL.
++ *
++ * This library is free for commercial and non-commercial use as long as
++ * the following conditions are aheared to. The following conditions
++ * apply to all code found in this distribution, be it the RC4, RSA,
++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
++ * included with this distribution is covered by the same copyright terms
++ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
++ *
++ * Copyright remains Eric Young's, and as such any Copyright notices in
++ * the code are not to be removed.
++ * If this package is used in a product, Eric Young should be given attribution
++ * as the author of the parts of the library used.
++ * This can be in the form of a textual message at program startup or
++ * in documentation (online or textual) provided with the package.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ * must display the following acknowledgement:
++ * "This product includes cryptographic software written by
++ * Eric Young (eay at cryptsoft.com)"
++ * The word 'cryptographic' can be left out if the rouines from the library
++ * being used are not cryptographic related :-).
++ * 4. If you include any Windows specific code (or a derivative thereof) from
++ * the apps directory (application code) you must include an acknowledgement:
++ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ * The licence and distribution terms for any publically available version or
++ * derivative of this code cannot be changed. i.e. this code cannot simply be
++ * copied and put under another distribution licence
++ * [including the GNU Public Licence.]
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/dsa.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++#include <openssl/err.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++
++#ifdef OPENSSL_FIPS
++
++/* seed, out_p, out_q, out_g are taken the NIST test vectors */
++
++static unsigned char seed[20] = {
++ 0x77, 0x8f, 0x40, 0x74, 0x6f, 0x66, 0xbe, 0x33, 0xce, 0xbe, 0x99, 0x34,
++ 0x4c, 0xfc, 0xf3, 0x28, 0xaa, 0x70, 0x2d, 0x3a
++ };
++
++static unsigned char out_p[] = {
++ 0xf7, 0x7c, 0x1b, 0x83, 0xd8, 0xe8, 0x5c, 0x7f, 0x85, 0x30, 0x17, 0x57,
++ 0x21, 0x95, 0xfe, 0x26, 0x04, 0xeb, 0x47, 0x4c, 0x3a, 0x4a, 0x81, 0x4b,
++ 0x71, 0x2e, 0xed, 0x6e, 0x4f, 0x3d, 0x11, 0x0f, 0x7c, 0xfe, 0x36, 0x43,
++ 0x51, 0xd9, 0x81, 0x39, 0x17, 0xdf, 0x62, 0xf6, 0x9c, 0x01, 0xa8, 0x69,
++ 0x71, 0xdd, 0x29, 0x7f, 0x47, 0xe6, 0x65, 0xa6, 0x22, 0xe8, 0x6a, 0x12,
++ 0x2b, 0xc2, 0x81, 0xff, 0x32, 0x70, 0x2f, 0x9e, 0xca, 0x53, 0x26, 0x47,
++ 0x0f, 0x59, 0xd7, 0x9e, 0x2c, 0xa5, 0x07, 0xc4, 0x49, 0x52, 0xa3, 0xe4,
++ 0x6b, 0x04, 0x00, 0x25, 0x49, 0xe2, 0xe6, 0x7f, 0x28, 0x78, 0x97, 0xb8,
++ 0x3a, 0x32, 0x14, 0x38, 0xa2, 0x51, 0x33, 0x22, 0x44, 0x7e, 0xd7, 0xef,
++ 0x45, 0xdb, 0x06, 0x4a, 0xd2, 0x82, 0x4a, 0x82, 0x2c, 0xb1, 0xd7, 0xd8,
++ 0xb6, 0x73, 0x00, 0x4d, 0x94, 0x77, 0x94, 0xef
++ };
++
++static unsigned char out_q[] = {
++ 0xd4, 0x0a, 0xac, 0x9f, 0xbd, 0x8c, 0x80, 0xc2, 0x38, 0x7e, 0x2e, 0x0c,
++ 0x52, 0x5c, 0xea, 0x34, 0xa1, 0x83, 0x32, 0xf3
++ };
++
++static unsigned char out_g[] = {
++ 0x34, 0x73, 0x8b, 0x57, 0x84, 0x8e, 0x55, 0xbf, 0x57, 0xcc, 0x41, 0xbb,
++ 0x5e, 0x2b, 0xd5, 0x42, 0xdd, 0x24, 0x22, 0x2a, 0x09, 0xea, 0x26, 0x1e,
++ 0x17, 0x65, 0xcb, 0x1a, 0xb3, 0x12, 0x44, 0xa3, 0x9e, 0x99, 0xe9, 0x63,
++ 0xeb, 0x30, 0xb1, 0x78, 0x7b, 0x09, 0x40, 0x30, 0xfa, 0x83, 0xc2, 0x35,
++ 0xe1, 0xc4, 0x2d, 0x74, 0x1a, 0xb1, 0x83, 0x54, 0xd8, 0x29, 0xf4, 0xcf,
++ 0x7f, 0x6f, 0x67, 0x1c, 0x36, 0x49, 0xee, 0x6c, 0xa2, 0x3c, 0x2d, 0x6a,
++ 0xe9, 0xd3, 0x9a, 0xf6, 0x57, 0x78, 0x6f, 0xfd, 0x33, 0xcd, 0x3c, 0xed,
++ 0xfd, 0xd4, 0x41, 0xe6, 0x5c, 0x8b, 0xe0, 0x68, 0x31, 0x47, 0x47, 0xaf,
++ 0x12, 0xa7, 0xf9, 0x32, 0x0d, 0x94, 0x15, 0x48, 0xd0, 0x54, 0x85, 0xb2,
++ 0x04, 0xb5, 0x4d, 0xd4, 0x9d, 0x05, 0x22, 0x25, 0xd9, 0xfd, 0x6c, 0x36,
++ 0xef, 0xbe, 0x69, 0x6c, 0x55, 0xf4, 0xee, 0xec
++ };
++
++static const unsigned char str1[]="12345678901234567890";
++
++void FIPS_corrupt_dsa()
++ {
++ ++seed[0];
++ }
++
++int FIPS_selftest_dsa()
++ {
++ DSA *dsa;
++ int counter,i,j, ret = 0;
++ unsigned int slen;
++ unsigned char buf[256];
++ unsigned long h;
++ EVP_MD_CTX mctx;
++ EVP_PKEY *pk = NULL;
++
++ EVP_MD_CTX_init(&mctx);
++
++ dsa = DSA_new();
++
++ if(dsa == NULL)
++ goto err;
++ if(!DSA_generate_parameters_ex(dsa, 1024,seed,20,&counter,&h,NULL))
++ goto err;
++ if (counter != 378)
++ goto err;
++ if (h != 2)
++ goto err;
++ i=BN_bn2bin(dsa->q,buf);
++ j=sizeof(out_q);
++ if (i != j || memcmp(buf,out_q,i) != 0)
++ goto err;
++
++ i=BN_bn2bin(dsa->p,buf);
++ j=sizeof(out_p);
++ if (i != j || memcmp(buf,out_p,i) != 0)
++ goto err;
++
++ i=BN_bn2bin(dsa->g,buf);
++ j=sizeof(out_g);
++ if (i != j || memcmp(buf,out_g,i) != 0)
++ goto err;
++ DSA_generate_key(dsa);
++
++ if ((pk=EVP_PKEY_new()) == NULL)
++ goto err;
++ EVP_PKEY_assign_DSA(pk, dsa);
++
++ if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL))
++ goto err;
++ if (!EVP_SignUpdate(&mctx, str1, 20))
++ goto err;
++ if (!EVP_SignFinal(&mctx, buf, &slen, pk))
++ goto err;
++
++ if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL))
++ goto err;
++ if (!EVP_VerifyUpdate(&mctx, str1, 20))
++ goto err;
++ if (EVP_VerifyFinal(&mctx, buf, slen, pk) != 1)
++ goto err;
++
++ ret = 1;
++
++ err:
++ EVP_MD_CTX_cleanup(&mctx);
++ if (pk)
++ EVP_PKEY_free(pk);
++ else if (dsa)
++ DSA_free(dsa);
++ if (ret == 0)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_DSA,FIPS_R_SELFTEST_FAILED);
++ return ret;
++ }
++#endif
+diff -up openssl-1.0.0f/crypto/fips/fips.h.fips openssl-1.0.0f/crypto/fips/fips.h
+--- openssl-1.0.0f/crypto/fips/fips.h.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/fips.h 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,163 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <openssl/opensslconf.h>
++
++#ifndef OPENSSL_FIPS
++#error FIPS is disabled.
++#endif
++
++#ifdef OPENSSL_FIPS
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++struct dsa_st;
++struct evp_pkey_st;
++struct env_md_st;
++struct evp_cipher_st;
++struct evp_cipher_ctx_st;
++
++int FIPS_mode_set(int onoff);
++int FIPS_mode(void);
++const void *FIPS_rand_check(void);
++int FIPS_selftest_failed(void);
++void FIPS_selftest_check(void);
++void FIPS_corrupt_sha1(void);
++int FIPS_selftest_sha1(void);
++void FIPS_corrupt_aes(void);
++int FIPS_selftest_aes(void);
++void FIPS_corrupt_des(void);
++int FIPS_selftest_des(void);
++void FIPS_corrupt_rsa(void);
++void FIPS_corrupt_rsa_keygen(void);
++int FIPS_selftest_rsa(void);
++void FIPS_corrupt_dsa(void);
++void FIPS_corrupt_dsa_keygen(void);
++int FIPS_selftest_dsa(void);
++void FIPS_corrupt_rng(void);
++void FIPS_rng_stick(void);
++int FIPS_selftest_rng(void);
++int FIPS_selftest_hmac(void);
++
++int fips_pkey_signature_test(struct evp_pkey_st *pkey,
++ const unsigned char *tbs, int tbslen,
++ const unsigned char *kat, unsigned int katlen,
++ const struct env_md_st *digest, unsigned int md_flags,
++ const char *fail_str);
++
++int fips_cipher_test(struct evp_cipher_ctx_st *ctx,
++ const struct evp_cipher_st *cipher,
++ const unsigned char *key,
++ const unsigned char *iv,
++ const unsigned char *plaintext,
++ const unsigned char *ciphertext,
++ int len);
++
++/* BEGIN ERROR CODES */
++/* The following lines are auto generated by the script mkerr.pl. Any changes
++ * made after this point may be overwritten when the script is next run.
++ */
++void ERR_load_FIPS_strings(void);
++
++/* Error codes for the FIPS functions. */
++
++/* Function codes. */
++#define FIPS_F_DH_BUILTIN_GENPARAMS 100
++#define FIPS_F_DSA_BUILTIN_PARAMGEN 101
++#define FIPS_F_DSA_DO_SIGN 102
++#define FIPS_F_DSA_DO_VERIFY 103
++#define FIPS_F_EVP_CIPHERINIT_EX 124
++#define FIPS_F_EVP_DIGESTINIT_EX 125
++#define FIPS_F_FIPS_CHECK_DSA 104
++#define FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT 105
++#define FIPS_F_FIPS_CHECK_RSA 106
++#define FIPS_F_FIPS_DSA_CHECK 107
++#define FIPS_F_FIPS_MODE_SET 108
++#define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109
++#define FIPS_F_FIPS_SELFTEST_AES 110
++#define FIPS_F_FIPS_SELFTEST_DES 111
++#define FIPS_F_FIPS_SELFTEST_DSA 112
++#define FIPS_F_FIPS_SELFTEST_HMAC 113
++#define FIPS_F_FIPS_SELFTEST_RNG 114
++#define FIPS_F_FIPS_SELFTEST_SHA1 115
++#define FIPS_F_HASH_FINAL 123
++#define FIPS_F_RSA_BUILTIN_KEYGEN 116
++#define FIPS_F_RSA_EAY_PRIVATE_DECRYPT 117
++#define FIPS_F_RSA_EAY_PRIVATE_ENCRYPT 118
++#define FIPS_F_RSA_EAY_PUBLIC_DECRYPT 119
++#define FIPS_F_RSA_EAY_PUBLIC_ENCRYPT 120
++#define FIPS_F_RSA_X931_GENERATE_KEY_EX 121
++#define FIPS_F_SSLEAY_RAND_BYTES 122
++
++/* Reason codes. */
++#define FIPS_R_CANNOT_READ_EXE 103
++#define FIPS_R_CANNOT_READ_EXE_DIGEST 104
++#define FIPS_R_CONTRADICTING_EVIDENCE 114
++#define FIPS_R_EXE_DIGEST_DOES_NOT_MATCH 105
++#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 110
++#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED 111
++#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING 112
++#define FIPS_R_FIPS_MODE_ALREADY_SET 102
++#define FIPS_R_FIPS_SELFTEST_FAILED 106
++#define FIPS_R_INVALID_KEY_LENGTH 109
++#define FIPS_R_KEY_TOO_SHORT 108
++#define FIPS_R_NON_FIPS_METHOD 100
++#define FIPS_R_PAIRWISE_TEST_FAILED 107
++#define FIPS_R_RSA_DECRYPT_ERROR 115
++#define FIPS_R_RSA_ENCRYPT_ERROR 116
++#define FIPS_R_SELFTEST_FAILED 101
++#define FIPS_R_TEST_FAILURE 117
++#define FIPS_R_UNSUPPORTED_PLATFORM 113
++
++#ifdef __cplusplus
++}
++#endif
++#endif
+diff -up openssl-1.0.0f/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.0f/crypto/fips/fips_hmac_selftest.c
+--- openssl-1.0.0f/crypto/fips/fips_hmac_selftest.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/fips_hmac_selftest.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,137 @@
++/* ====================================================================
++ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++#include <openssl/hmac.h>
++
++#ifdef OPENSSL_FIPS
++typedef struct {
++ const EVP_MD *(*alg)(void);
++ const char *key, *iv;
++ unsigned char kaval[EVP_MAX_MD_SIZE];
++} HMAC_KAT;
++
++static const HMAC_KAT vector[] = {
++ { EVP_sha1,
++ /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ { 0x09,0x22,0xd3,0x40,0x5f,0xaa,0x3d,0x19,
++ 0x4f,0x82,0xa4,0x58,0x30,0x73,0x7d,0x5c,
++ 0xc6,0xc7,0x5d,0x24 }
++ },
++ { EVP_sha224,
++ /* just keep extending the above... */
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ { 0xdd,0xef,0x0a,0x40,0xcb,0x7d,0x50,0xfb,
++ 0x6e,0xe6,0xce,0xa1,0x20,0xba,0x26,0xaa,
++ 0x08,0xf3,0x07,0x75,0x87,0xb8,0xad,0x1b,
++ 0x8c,0x8d,0x12,0xc7 }
++ },
++ { EVP_sha256,
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ { 0xb8,0xf2,0x0d,0xb5,0x41,0xea,0x43,0x09,
++ 0xca,0x4e,0xa9,0x38,0x0c,0xd0,0xe8,0x34,
++ 0xf7,0x1f,0xbe,0x91,0x74,0xa2,0x61,0x38,
++ 0x0d,0xc1,0x7e,0xae,0x6a,0x34,0x51,0xd9 }
++ },
++ { EVP_sha384,
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ { 0x08,0xbc,0xb0,0xda,0x49,0x1e,0x87,0xad,
++ 0x9a,0x1d,0x6a,0xce,0x23,0xc5,0x0b,0xf6,
++ 0xb7,0x18,0x06,0xa5,0x77,0xcd,0x49,0x04,
++ 0x89,0xf1,0xe6,0x23,0x44,0x51,0x51,0x9f,
++ 0x85,0x56,0x80,0x79,0x0c,0xbd,0x4d,0x50,
++ 0xa4,0x5f,0x29,0xe3,0x93,0xf0,0xe8,0x7f }
++ },
++ { EVP_sha512,
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ { 0x80,0x9d,0x44,0x05,0x7c,0x5b,0x95,0x41,
++ 0x05,0xbd,0x04,0x13,0x16,0xdb,0x0f,0xac,
++ 0x44,0xd5,0xa4,0xd5,0xd0,0x89,0x2b,0xd0,
++ 0x4e,0x86,0x64,0x12,0xc0,0x90,0x77,0x68,
++ 0xf1,0x87,0xb7,0x7c,0x4f,0xae,0x2c,0x2f,
++ 0x21,0xa5,0xb5,0x65,0x9a,0x4f,0x4b,0xa7,
++ 0x47,0x02,0xa3,0xde,0x9b,0x51,0xf1,0x45,
++ 0xbd,0x4f,0x25,0x27,0x42,0x98,0x99,0x05 }
++ },
++};
++
++int FIPS_selftest_hmac()
++ {
++ int n;
++ unsigned int outlen;
++ unsigned char out[EVP_MAX_MD_SIZE];
++ const EVP_MD *md;
++ const HMAC_KAT *t;
++
++ for(n=0,t=vector; n<sizeof(vector)/sizeof(vector[0]); n++,t++)
++ {
++ md = (*t->alg)();
++ HMAC(md,t->key,strlen(t->key),
++ (const unsigned char *)t->iv,strlen(t->iv),
++ out,&outlen);
++
++ if(memcmp(out,t->kaval,outlen))
++ {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC,FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++ }
++ return 1;
++ }
++#endif
+diff -up openssl-1.0.0f/crypto/fips/fips_rand.c.fips openssl-1.0.0f/crypto/fips/fips_rand.c
+--- openssl-1.0.0f/crypto/fips/fips_rand.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/fips_rand.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,412 @@
++/* ====================================================================
++ * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++/*
++ * This is a FIPS approved AES PRNG based on ANSI X9.31 A.2.4.
++ */
++
++#include "e_os.h"
++
++/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't
++ be defined and gettimeofday() won't be declared with strict compilers
++ like DEC C in ANSI C mode. */
++#ifndef _XOPEN_SOURCE_EXTENDED
++#define _XOPEN_SOURCE_EXTENDED 1
++#endif
++
++#include <openssl/rand.h>
++#include <openssl/aes.h>
++#include <openssl/err.h>
++#include <openssl/fips_rand.h>
++#ifndef OPENSSL_SYS_WIN32
++#include <sys/time.h>
++#endif
++#include <assert.h>
++#ifndef OPENSSL_SYS_WIN32
++# ifdef OPENSSL_UNISTD
++# include OPENSSL_UNISTD
++# else
++# include <unistd.h>
++# endif
++#endif
++#include <string.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++void *OPENSSL_stderr(void);
++
++#define AES_BLOCK_LENGTH 16
++
++
++/* AES FIPS PRNG implementation */
++
++typedef struct
++ {
++ int seeded;
++ int keyed;
++ int test_mode;
++ int second;
++ int error;
++ unsigned long counter;
++ AES_KEY ks;
++ int vpos;
++ /* Temporary storage for key if it equals seed length */
++ unsigned char tmp_key[AES_BLOCK_LENGTH];
++ unsigned char V[AES_BLOCK_LENGTH];
++ unsigned char DT[AES_BLOCK_LENGTH];
++ unsigned char last[AES_BLOCK_LENGTH];
++ } FIPS_PRNG_CTX;
++
++static FIPS_PRNG_CTX sctx;
++
++static int fips_prng_fail = 0;
++
++void FIPS_rng_stick(void)
++ {
++ fips_prng_fail = 1;
++ }
++
++void fips_rand_prng_reset(FIPS_PRNG_CTX *ctx)
++ {
++ ctx->seeded = 0;
++ ctx->keyed = 0;
++ ctx->test_mode = 0;
++ ctx->counter = 0;
++ ctx->second = 0;
++ ctx->error = 0;
++ ctx->vpos = 0;
++ OPENSSL_cleanse(ctx->V, AES_BLOCK_LENGTH);
++ OPENSSL_cleanse(&ctx->ks, sizeof(AES_KEY));
++ }
++
++
++static int fips_set_prng_key(FIPS_PRNG_CTX *ctx,
++ const unsigned char *key, FIPS_RAND_SIZE_T keylen)
++ {
++ FIPS_selftest_check();
++ if (keylen != 16 && keylen != 24 && keylen != 32)
++ {
++ /* error: invalid key size */
++ return 0;
++ }
++ AES_set_encrypt_key(key, keylen << 3, &ctx->ks);
++ if (keylen == 16)
++ {
++ memcpy(ctx->tmp_key, key, 16);
++ ctx->keyed = 2;
++ }
++ else
++ ctx->keyed = 1;
++ ctx->seeded = 0;
++ ctx->second = 0;
++ return 1;
++ }
++
++static int fips_set_prng_seed(FIPS_PRNG_CTX *ctx,
++ const unsigned char *seed, FIPS_RAND_SIZE_T seedlen)
++ {
++ int i;
++ if (!ctx->keyed)
++ return 0;
++ /* In test mode seed is just supplied data */
++ if (ctx->test_mode)
++ {
++ if (seedlen != AES_BLOCK_LENGTH)
++ return 0;
++ memcpy(ctx->V, seed, AES_BLOCK_LENGTH);
++ ctx->seeded = 1;
++ return 1;
++ }
++ /* Outside test mode XOR supplied data with existing seed */
++ for (i = 0; i < seedlen; i++)
++ {
++ ctx->V[ctx->vpos++] ^= seed[i];
++ if (ctx->vpos == AES_BLOCK_LENGTH)
++ {
++ ctx->vpos = 0;
++ /* Special case if first seed and key length equals
++ * block size check key and seed do not match.
++ */
++ if (ctx->keyed == 2)
++ {
++ if (!memcmp(ctx->tmp_key, ctx->V, 16))
++ {
++ RANDerr(RAND_F_FIPS_SET_PRNG_SEED,
++ RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY);
++ return 0;
++ }
++ OPENSSL_cleanse(ctx->tmp_key, 16);
++ ctx->keyed = 1;
++ }
++ ctx->seeded = 1;
++ }
++ }
++ return 1;
++ }
++
++int fips_set_test_mode(FIPS_PRNG_CTX *ctx)
++ {
++ if (ctx->keyed)
++ {
++ RANDerr(RAND_F_FIPS_SET_TEST_MODE,RAND_R_PRNG_KEYED);
++ return 0;
++ }
++ ctx->test_mode = 1;
++ return 1;
++ }
++
++int FIPS_rand_test_mode(void)
++ {
++ return fips_set_test_mode(&sctx);
++ }
++
++int FIPS_rand_set_dt(unsigned char *dt)
++ {
++ if (!sctx.test_mode)
++ {
++ RANDerr(RAND_F_FIPS_RAND_SET_DT,RAND_R_NOT_IN_TEST_MODE);
++ return 0;
++ }
++ memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
++ return 1;
++ }
++
++static void fips_get_dt(FIPS_PRNG_CTX *ctx)
++ {
++#ifdef OPENSSL_SYS_WIN32
++ FILETIME ft;
++#else
++ struct timeval tv;
++#endif
++ unsigned char *buf = ctx->DT;
++
++#ifndef GETPID_IS_MEANINGLESS
++ unsigned long pid;
++#endif
++
++#ifdef OPENSSL_SYS_WIN32
++ GetSystemTimeAsFileTime(&ft);
++ buf[0] = (unsigned char) (ft.dwHighDateTime & 0xff);
++ buf[1] = (unsigned char) ((ft.dwHighDateTime >> 8) & 0xff);
++ buf[2] = (unsigned char) ((ft.dwHighDateTime >> 16) & 0xff);
++ buf[3] = (unsigned char) ((ft.dwHighDateTime >> 24) & 0xff);
++ buf[4] = (unsigned char) (ft.dwLowDateTime & 0xff);
++ buf[5] = (unsigned char) ((ft.dwLowDateTime >> 8) & 0xff);
++ buf[6] = (unsigned char) ((ft.dwLowDateTime >> 16) & 0xff);
++ buf[7] = (unsigned char) ((ft.dwLowDateTime >> 24) & 0xff);
++#else
++ gettimeofday(&tv,NULL);
++ buf[0] = (unsigned char) (tv.tv_sec & 0xff);
++ buf[1] = (unsigned char) ((tv.tv_sec >> 8) & 0xff);
++ buf[2] = (unsigned char) ((tv.tv_sec >> 16) & 0xff);
++ buf[3] = (unsigned char) ((tv.tv_sec >> 24) & 0xff);
++ buf[4] = (unsigned char) (tv.tv_usec & 0xff);
++ buf[5] = (unsigned char) ((tv.tv_usec >> 8) & 0xff);
++ buf[6] = (unsigned char) ((tv.tv_usec >> 16) & 0xff);
++ buf[7] = (unsigned char) ((tv.tv_usec >> 24) & 0xff);
++#endif
++ buf[8] = (unsigned char) (ctx->counter & 0xff);
++ buf[9] = (unsigned char) ((ctx->counter >> 8) & 0xff);
++ buf[10] = (unsigned char) ((ctx->counter >> 16) & 0xff);
++ buf[11] = (unsigned char) ((ctx->counter >> 24) & 0xff);
++
++ ctx->counter++;
++
++
++#ifndef GETPID_IS_MEANINGLESS
++ pid=(unsigned long)getpid();
++ buf[12] = (unsigned char) (pid & 0xff);
++ buf[13] = (unsigned char) ((pid >> 8) & 0xff);
++ buf[14] = (unsigned char) ((pid >> 16) & 0xff);
++ buf[15] = (unsigned char) ((pid >> 24) & 0xff);
++#endif
++ }
++
++static int fips_rand(FIPS_PRNG_CTX *ctx,
++ unsigned char *out, FIPS_RAND_SIZE_T outlen)
++ {
++ unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
++ unsigned char tmp[AES_BLOCK_LENGTH];
++ int i;
++ if (ctx->error)
++ {
++ RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR);
++ return 0;
++ }
++ if (!ctx->keyed)
++ {
++ RANDerr(RAND_F_FIPS_RAND,RAND_R_NO_KEY_SET);
++ return 0;
++ }
++ if (!ctx->seeded)
++ {
++ RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_NOT_SEEDED);
++ return 0;
++ }
++ for (;;)
++ {
++ if (!ctx->test_mode)
++ fips_get_dt(ctx);
++ AES_encrypt(ctx->DT, I, &ctx->ks);
++ for (i = 0; i < AES_BLOCK_LENGTH; i++)
++ tmp[i] = I[i] ^ ctx->V[i];
++ AES_encrypt(tmp, R, &ctx->ks);
++ for (i = 0; i < AES_BLOCK_LENGTH; i++)
++ tmp[i] = R[i] ^ I[i];
++ AES_encrypt(tmp, ctx->V, &ctx->ks);
++ /* Continuous PRNG test */
++ if (ctx->second)
++ {
++ if (fips_prng_fail)
++ memcpy(ctx->last, R, AES_BLOCK_LENGTH);
++ if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH))
++ {
++ RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
++ ctx->error = 1;
++ fips_set_selftest_fail();
++ return 0;
++ }
++ }
++ memcpy(ctx->last, R, AES_BLOCK_LENGTH);
++ if (!ctx->second)
++ {
++ ctx->second = 1;
++ if (!ctx->test_mode)
++ continue;
++ }
++
++ if (outlen <= AES_BLOCK_LENGTH)
++ {
++ memcpy(out, R, outlen);
++ break;
++ }
++
++ memcpy(out, R, AES_BLOCK_LENGTH);
++ out += AES_BLOCK_LENGTH;
++ outlen -= AES_BLOCK_LENGTH;
++ }
++ return 1;
++ }
++
++
++int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen)
++ {
++ int ret;
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ ret = fips_set_prng_key(&sctx, key, keylen);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++ return ret;
++ }
++
++int FIPS_rand_seed(const void *seed, FIPS_RAND_SIZE_T seedlen)
++ {
++ int ret;
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ ret = fips_set_prng_seed(&sctx, seed, seedlen);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++ return ret;
++ }
++
++
++int FIPS_rand_bytes(unsigned char *out, FIPS_RAND_SIZE_T count)
++ {
++ int ret;
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ ret = fips_rand(&sctx, out, count);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++ return ret;
++ }
++
++int FIPS_rand_status(void)
++ {
++ int ret;
++ CRYPTO_r_lock(CRYPTO_LOCK_RAND);
++ ret = sctx.seeded;
++ CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
++ return ret;
++ }
++
++void FIPS_rand_reset(void)
++ {
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ fips_rand_prng_reset(&sctx);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++ }
++
++static void fips_do_rand_seed(const void *seed, FIPS_RAND_SIZE_T seedlen)
++ {
++ FIPS_rand_seed(seed, seedlen);
++ }
++
++static void fips_do_rand_add(const void *seed, FIPS_RAND_SIZE_T seedlen,
++ double add_entropy)
++ {
++ FIPS_rand_seed(seed, seedlen);
++ }
++
++static const RAND_METHOD rand_fips_meth=
++ {
++ fips_do_rand_seed,
++ FIPS_rand_bytes,
++ FIPS_rand_reset,
++ fips_do_rand_add,
++ FIPS_rand_bytes,
++ FIPS_rand_status
++ };
++
++const RAND_METHOD *FIPS_rand_method(void)
++{
++ return &rand_fips_meth;
++}
++
++#endif
+diff -up openssl-1.0.0f/crypto/fips/fips_rand.h.fips openssl-1.0.0f/crypto/fips/fips_rand.h
+--- openssl-1.0.0f/crypto/fips/fips_rand.h.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/fips_rand.h 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,77 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#ifndef HEADER_FIPS_RAND_H
++#define HEADER_FIPS_RAND_H
++
++#include "des.h"
++
++#ifdef OPENSSL_FIPS
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen);
++int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num);
++int FIPS_rand_bytes(unsigned char *out, FIPS_RAND_SIZE_T outlen);
++
++int FIPS_rand_test_mode(void);
++void FIPS_rand_reset(void);
++int FIPS_rand_set_dt(unsigned char *dt);
++
++int FIPS_rand_status(void);
++
++const RAND_METHOD *FIPS_rand_method(void);
++
++#ifdef __cplusplus
++}
++#endif
++#endif
++#endif
+diff -up openssl-1.0.0f/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.0f/crypto/fips/fips_rand_selftest.c
+--- openssl-1.0.0f/crypto/fips/fips_rand_selftest.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/fips_rand_selftest.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,373 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++
++#ifdef OPENSSL_FIPS
++
++
++
++typedef struct
++ {
++ unsigned char DT[16];
++ unsigned char V[16];
++ unsigned char R[16];
++ } AES_PRNG_TV;
++
++/* The following test vectors are taken directly from the RGNVS spec */
++
++static unsigned char aes_128_key[16] =
++ {0xf3,0xb1,0x66,0x6d,0x13,0x60,0x72,0x42,
++ 0xed,0x06,0x1c,0xab,0xb8,0xd4,0x62,0x02};
++
++static AES_PRNG_TV aes_128_tv[] = {
++ {
++ /* DT */
++ {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
++ 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xf9},
++ /* V */
++ {0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
++ /* R */
++ {0x59,0x53,0x1e,0xd1,0x3b,0xb0,0xc0,0x55,
++ 0x84,0x79,0x66,0x85,0xc1,0x2f,0x76,0x41}
++ },
++ {
++ /* DT */
++ {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
++ 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfa},
++ /* V */
++ {0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
++ /* R */
++ {0x7c,0x22,0x2c,0xf4,0xca,0x8f,0xa2,0x4c,
++ 0x1c,0x9c,0xb6,0x41,0xa9,0xf3,0x22,0x0d}
++ },
++ {
++ /* DT */
++ {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
++ 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfb},
++ /* V */
++ {0xe0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
++ /* R */
++ {0x8a,0xaa,0x00,0x39,0x66,0x67,0x5b,0xe5,
++ 0x29,0x14,0x28,0x81,0xa9,0x4d,0x4e,0xc7}
++ },
++ {
++ /* DT */
++ {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
++ 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfc},
++ /* V */
++ {0xf0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
++ /* R */
++ {0x88,0xdd,0xa4,0x56,0x30,0x24,0x23,0xe5,
++ 0xf6,0x9d,0xa5,0x7e,0x7b,0x95,0xc7,0x3a}
++ },
++ {
++ /* DT */
++ {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
++ 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfd},
++ /* V */
++ {0xf8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
++ /* R */
++ {0x05,0x25,0x92,0x46,0x61,0x79,0xd2,0xcb,
++ 0x78,0xc4,0x0b,0x14,0x0a,0x5a,0x9a,0xc8}
++ },
++ {
++ /* DT */
++ {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
++ 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x23,0x77},
++ /* V */
++ {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
++ 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe},
++ /* R */
++ {0x0d,0xd5,0xa0,0x36,0x7a,0x59,0x26,0xbc,
++ 0x48,0xd9,0x38,0xbf,0xf0,0x85,0x8f,0xea}
++ },
++ {
++ /* DT */
++ {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
++ 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x23,0x78},
++ /* V */
++ {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
++ 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff},
++ /* R */
++ {0xae,0x53,0x87,0xee,0x8c,0xd9,0x12,0xf5,
++ 0x73,0x53,0xae,0x03,0xf9,0xd5,0x13,0x33}
++ },
++};
++
++static unsigned char aes_192_key[24] =
++ {0x15,0xd8,0x78,0x0d,0x62,0xd3,0x25,0x6e,
++ 0x44,0x64,0x10,0x13,0x60,0x2b,0xa9,0xbc,
++ 0x4a,0xfb,0xca,0xeb,0x4c,0x8b,0x99,0x3b};
++
++static AES_PRNG_TV aes_192_tv[] = {
++ {
++ /* DT */
++ {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
++ 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4b},
++ /* V */
++ {0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
++ /* R */
++ {0x17,0x07,0xd5,0x28,0x19,0x79,0x1e,0xef,
++ 0xa5,0x0c,0xbf,0x25,0xe5,0x56,0xb4,0x93}
++ },
++ {
++ /* DT */
++ {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
++ 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4c},
++ /* V */
++ {0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
++ /* R */
++ {0x92,0x8d,0xbe,0x07,0xdd,0xc7,0x58,0xc0,
++ 0x6f,0x35,0x41,0x9b,0x17,0xc9,0xbd,0x9b}
++ },
++ {
++ /* DT */
++ {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
++ 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4d},
++ /* V */
++ {0xe0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
++ /* R */
++ {0xd5,0xde,0xf4,0x50,0xf3,0xb7,0x10,0x4e,
++ 0xb8,0xc6,0xf8,0xcf,0xe2,0xb1,0xca,0xa2}
++ },
++ {
++ /* DT */
++ {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
++ 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4e},
++ /* V */
++ {0xf0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
++ /* R */
++ {0xce,0x29,0x08,0x43,0xfc,0x34,0x41,0xe7,
++ 0x47,0x8f,0xb3,0x66,0x2b,0x46,0xb1,0xbb}
++ },
++ {
++ /* DT */
++ {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
++ 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4f},
++ /* V */
++ {0xf8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
++ /* R */
++ {0xb3,0x26,0x0f,0xf5,0xd6,0xca,0xa8,0xbf,
++ 0x89,0xb8,0x5e,0x2f,0x22,0x56,0x92,0x2f}
++ },
++ {
++ /* DT */
++ {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
++ 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0xc9},
++ /* V */
++ {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
++ 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe},
++ /* R */
++ {0x05,0xeb,0x18,0x52,0x34,0x43,0x00,0x43,
++ 0x6e,0x5a,0xa5,0xfe,0x7b,0x32,0xc4,0x2d}
++ },
++ {
++ /* DT */
++ {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
++ 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0xca},
++ /* V */
++ {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
++ 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff},
++ /* R */
++ {0x15,0x3c,0xe8,0xd1,0x04,0xc7,0xad,0x50,
++ 0x0b,0xf0,0x07,0x16,0xe7,0x56,0x7a,0xea}
++ },
++};
++
++static unsigned char aes_256_key[32] =
++ {0x6d,0x14,0x06,0x6c,0xb6,0xd8,0x21,0x2d,
++ 0x82,0x8d,0xfa,0xf2,0x7a,0x03,0xb7,0x9f,
++ 0x0c,0xc7,0x3e,0xcd,0x76,0xeb,0xee,0xb5,
++ 0x21,0x05,0x8c,0x4f,0x31,0x7a,0x80,0xbb};
++
++static AES_PRNG_TV aes_256_tv[] = {
++ {
++ /* DT */
++ {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
++ 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x88},
++ /* V */
++ {0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
++ /* R */
++ {0x35,0xc7,0xef,0xa7,0x78,0x4d,0x29,0xbc,
++ 0x82,0x79,0x99,0xfb,0xd0,0xb3,0x3b,0x72}
++ },
++ {
++ /* DT */
++ {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
++ 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x89},
++ /* V */
++ {0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
++ /* R */
++ {0x6c,0xf4,0x42,0x5d,0xc7,0x04,0x1a,0x41,
++ 0x28,0x2a,0x78,0xa9,0xb0,0x12,0xc4,0x95}
++ },
++ {
++ /* DT */
++ {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
++ 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x8a},
++ /* V */
++ {0xe0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
++ /* R */
++ {0x16,0x90,0xa4,0xff,0x7b,0x7e,0xb9,0x30,
++ 0xdb,0x67,0x4b,0xac,0x2d,0xe1,0xd1,0x75}
++ },
++ {
++ /* DT */
++ {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
++ 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x8b},
++ /* V */
++ {0xf0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
++ /* R */
++ {0x14,0x6f,0xf5,0x95,0xa1,0x46,0x65,0x30,
++ 0xbc,0x57,0xe2,0x4a,0xf7,0x45,0x62,0x05}
++ },
++ {
++ /* DT */
++ {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
++ 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x8c},
++ /* V */
++ {0xf8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
++ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
++ /* R */
++ {0x96,0xe2,0xb4,0x1e,0x66,0x5e,0x0f,0xa4,
++ 0xc5,0xcd,0xa2,0x07,0xcc,0xb7,0x94,0x40}
++ },
++ {
++ /* DT */
++ {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
++ 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9f,0x06},
++ /* V */
++ {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
++ 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe},
++ /* R */
++ {0x61,0xce,0x1d,0x6a,0x48,0x75,0x97,0x28,
++ 0x4b,0x41,0xde,0x18,0x44,0x4f,0x56,0xec}
++ },
++ {
++ /* DT */
++ {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
++ 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9f,0x07},
++ /* V */
++ {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
++ 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff},
++ /* R */
++ {0x52,0x89,0x59,0x79,0x2d,0xaa,0x28,0xb3,
++ 0xb0,0x8a,0x3e,0x70,0xfa,0x71,0x59,0x84}
++ },
++};
++
++
++void FIPS_corrupt_rng()
++ {
++ aes_192_tv[0].V[0]++;
++ }
++
++#define fips_rand_test(key, tv) \
++ do_rand_test(key, sizeof key, tv, sizeof(tv)/sizeof(AES_PRNG_TV))
++
++static int do_rand_test(unsigned char *key, int keylen,
++ AES_PRNG_TV *tv, int ntv)
++ {
++ unsigned char R[16];
++ int i;
++ if (!FIPS_rand_set_key(key, keylen))
++ return 0;
++ for (i = 0; i < ntv; i++)
++ {
++ FIPS_rand_seed(tv[i].V, 16);
++ FIPS_rand_set_dt(tv[i].DT);
++ FIPS_rand_bytes(R, 16);
++ if (memcmp(R, tv[i].R, 16))
++ return 0;
++ }
++ return 1;
++ }
++
++
++int FIPS_selftest_rng()
++ {
++ FIPS_rand_reset();
++ if (!FIPS_rand_test_mode())
++ {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_RNG,FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++ if (!fips_rand_test(aes_128_key,aes_128_tv)
++ || !fips_rand_test(aes_192_key, aes_192_tv)
++ || !fips_rand_test(aes_256_key, aes_256_tv))
++ {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_RNG,FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++ FIPS_rand_reset();
++ return 1;
++ }
++
++#endif
+diff -up openssl-1.0.0f/crypto/fips/fips_randtest.c.fips openssl-1.0.0f/crypto/fips/fips_randtest.c
+--- openssl-1.0.0f/crypto/fips/fips_randtest.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/fips_randtest.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,248 @@
++/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
++ * All rights reserved.
++ *
++ * This package is an SSL implementation written
++ * by Eric Young (eay at cryptsoft.com).
++ * The implementation was written so as to conform with Netscapes SSL.
++ *
++ * This library is free for commercial and non-commercial use as long as
++ * the following conditions are aheared to. The following conditions
++ * apply to all code found in this distribution, be it the RC4, RSA,
++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
++ * included with this distribution is covered by the same copyright terms
++ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
++ *
++ * Copyright remains Eric Young's, and as such any Copyright notices in
++ * the code are not to be removed.
++ * If this package is used in a product, Eric Young should be given attribution
++ * as the author of the parts of the library used.
++ * This can be in the form of a textual message at program startup or
++ * in documentation (online or textual) provided with the package.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ * must display the following acknowledgement:
++ * "This product includes cryptographic software written by
++ * Eric Young (eay at cryptsoft.com)"
++ * The word 'cryptographic' can be left out if the rouines from the library
++ * being used are not cryptographic related :-).
++ * 4. If you include any Windows specific code (or a derivative thereof) from
++ * the apps directory (application code) you must include an acknowledgement:
++ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ * The licence and distribution terms for any publically available version or
++ * derivative of this code cannot be changed. i.e. this code cannot simply be
++ * copied and put under another distribution licence
++ * [including the GNU Public Licence.]
++ */
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <ctype.h>
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++#include <openssl/err.h>
++#include <openssl/bn.h>
++
++#include "e_os.h"
++
++#ifndef OPENSSL_FIPS
++int main(int argc, char *argv[])
++{
++ printf("No FIPS RAND support\n");
++ return(0);
++}
++
++#else
++
++#include "fips_utl.h"
++
++typedef struct
++ {
++ unsigned char DT[16];
++ unsigned char V[16];
++ unsigned char R[16];
++ } AES_PRNG_MCT;
++
++static unsigned char aes_128_mct_key[16] =
++ {0x9f,0x5b,0x51,0x20,0x0b,0xf3,0x34,0xb5,
++ 0xd8,0x2b,0xe8,0xc3,0x72,0x55,0xc8,0x48};
++
++static AES_PRNG_MCT aes_128_mct_tv = {
++ /* DT */
++ {0x63,0x76,0xbb,0xe5,0x29,0x02,0xba,0x3b,
++ 0x67,0xc9,0x25,0xfa,0x70,0x1f,0x11,0xac},
++ /* V */
++ {0x57,0x2c,0x8e,0x76,0x87,0x26,0x47,0x97,
++ 0x7e,0x74,0xfb,0xdd,0xc4,0x95,0x01,0xd1},
++ /* R */
++ {0x48,0xe9,0xbd,0x0d,0x06,0xee,0x18,0xfb,
++ 0xe4,0x57,0x90,0xd5,0xc3,0xfc,0x9b,0x73}
++};
++
++static unsigned char aes_192_mct_key[24] =
++ {0xb7,0x6c,0x34,0xd1,0x09,0x67,0xab,0x73,
++ 0x4d,0x5a,0xd5,0x34,0x98,0x16,0x0b,0x91,
++ 0xbc,0x35,0x51,0x16,0x6b,0xae,0x93,0x8a};
++
++static AES_PRNG_MCT aes_192_mct_tv = {
++ /* DT */
++ {0x84,0xce,0x22,0x7d,0x91,0x5a,0xa3,0xc9,
++ 0x84,0x3c,0x0a,0xb3,0xa9,0x63,0x15,0x52},
++ /* V */
++ {0xb6,0xaf,0xe6,0x8f,0x99,0x9e,0x90,0x64,
++ 0xdd,0xc7,0x7a,0xc1,0xbb,0x90,0x3a,0x6d},
++ /* R */
++ {0xfc,0x85,0x60,0x9a,0x29,0x6f,0xef,0x21,
++ 0xdd,0x86,0x20,0x32,0x8a,0x29,0x6f,0x47}
++};
++
++static unsigned char aes_256_mct_key[32] =
++ {0x9b,0x05,0xc8,0x68,0xff,0x47,0xf8,0x3a,
++ 0xa6,0x3a,0xa8,0xcb,0x4e,0x71,0xb2,0xe0,
++ 0xb8,0x7e,0xf1,0x37,0xb6,0xb4,0xf6,0x6d,
++ 0x86,0x32,0xfc,0x1f,0x5e,0x1d,0x1e,0x50};
++
++static AES_PRNG_MCT aes_256_mct_tv = {
++ /* DT */
++ {0x31,0x6e,0x35,0x9a,0xb1,0x44,0xf0,0xee,
++ 0x62,0x6d,0x04,0x46,0xe0,0xa3,0x92,0x4c},
++ /* V */
++ {0x4f,0xcd,0xc1,0x87,0x82,0x1f,0x4d,0xa1,
++ 0x3e,0x0e,0x56,0x44,0x59,0xe8,0x83,0xca},
++ /* R */
++ {0xc8,0x87,0xc2,0x61,0x5b,0xd0,0xb9,0xe1,
++ 0xe7,0xf3,0x8b,0xd7,0x5b,0xd5,0xf1,0x8d}
++};
++
++static void dump(const unsigned char *b,int n)
++ {
++ while(n-- > 0)
++ {
++ printf(" %02x",*b++);
++ }
++ }
++
++static void compare(const unsigned char *result,const unsigned char *expected,
++ int n)
++ {
++ int i;
++
++ for(i=0 ; i < n ; ++i)
++ if(result[i] != expected[i])
++ {
++ puts("Random test failed, got:");
++ dump(result,n);
++ puts("\n expected:");
++ dump(expected,n);
++ putchar('\n');
++ EXIT(1);
++ }
++ }
++
++
++static void run_test(unsigned char *key, int keylen, AES_PRNG_MCT *tv)
++ {
++ unsigned char buf[16], dt[16];
++ int i, j;
++ FIPS_rand_reset();
++ FIPS_rand_test_mode();
++ FIPS_rand_set_key(key, keylen);
++ FIPS_rand_seed(tv->V, 16);
++ memcpy(dt, tv->DT, 16);
++ for (i = 0; i < 10000; i++)
++ {
++ FIPS_rand_set_dt(dt);
++ FIPS_rand_bytes(buf, 16);
++ /* Increment DT */
++ for (j = 15; j >= 0; j--)
++ {
++ dt[j]++;
++ if (dt[j])
++ break;
++ }
++ }
++
++ compare(buf,tv->R, 16);
++ }
++
++int main()
++ {
++ run_test(aes_128_mct_key, 16, &aes_128_mct_tv);
++ printf("FIPS PRNG test 1 done\n");
++ run_test(aes_192_mct_key, 24, &aes_192_mct_tv);
++ printf("FIPS PRNG test 2 done\n");
++ run_test(aes_256_mct_key, 32, &aes_256_mct_tv);
++ printf("FIPS PRNG test 3 done\n");
++ return 0;
++ }
++
++#endif
+diff -up openssl-1.0.0f/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.0f/crypto/fips/fips_rsa_selftest.c
+--- openssl-1.0.0f/crypto/fips/fips_rsa_selftest.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/fips_rsa_selftest.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,441 @@
++/* ====================================================================
++ * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++#include <openssl/rsa.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++#include <openssl/opensslconf.h>
++
++#ifdef OPENSSL_FIPS
++
++static unsigned char n[] =
++"\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
++"\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
++"\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD"
++"\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80"
++"\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25"
++"\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39"
++"\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68"
++"\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD"
++"\xCB";
++
++
++static int setrsakey(RSA *key)
++ {
++ static const unsigned char e[] = "\x11";
++
++ static const unsigned char d[] =
++"\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD"
++"\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41"
++"\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69"
++"\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA"
++"\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94"
++"\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A"
++"\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
++"\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
++"\xC1";
++
++ static const unsigned char p[] =
++"\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
++"\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
++"\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
++"\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
++"\x99";
++
++ static const unsigned char q[] =
++"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
++"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
++"\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
++"\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
++"\x03";
++
++ static const unsigned char dmp1[] =
++"\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
++"\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
++"\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
++"\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81";
++
++ static const unsigned char dmq1[] =
++"\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
++"\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
++"\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
++"\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D";
++
++ static const unsigned char iqmp[] =
++"\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
++"\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
++"\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
++"\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
++"\xF7";
++
++ key->n = BN_bin2bn(n, sizeof(n)-1, key->n);
++ key->e = BN_bin2bn(e, sizeof(e)-1, key->e);
++ key->d = BN_bin2bn(d, sizeof(d)-1, key->d);
++ key->p = BN_bin2bn(p, sizeof(p)-1, key->p);
++ key->q = BN_bin2bn(q, sizeof(q)-1, key->q);
++ key->dmp1 = BN_bin2bn(dmp1, sizeof(dmp1)-1, key->dmp1);
++ key->dmq1 = BN_bin2bn(dmq1, sizeof(dmq1)-1, key->dmq1);
++ key->iqmp = BN_bin2bn(iqmp, sizeof(iqmp)-1, key->iqmp);
++ return 1;
++ }
++
++void FIPS_corrupt_rsa()
++ {
++ n[0]++;
++ }
++
++/* Known Answer Test (KAT) data for the above RSA private key signing
++ * kat_tbs.
++ */
++
++static const unsigned char kat_tbs[] = "OpenSSL FIPS 140-2 Public Key RSA KAT";
++
++static const unsigned char kat_RSA_PSS_SHA1[] = {
++ 0x2D, 0xAF, 0x6E, 0xC2, 0x98, 0xFB, 0x8A, 0xA1, 0xB9, 0x46, 0xDA, 0x0F,
++ 0x01, 0x1E, 0x37, 0x93, 0xC2, 0x55, 0x27, 0xE4, 0x1D, 0xD2, 0x90, 0xBB,
++ 0xF4, 0xBF, 0x4A, 0x74, 0x39, 0x51, 0xBB, 0xE8, 0x0C, 0xB7, 0xF8, 0xD3,
++ 0xD1, 0xDF, 0xE7, 0xBE, 0x80, 0x05, 0xC3, 0xB5, 0xC7, 0x83, 0xD5, 0x4C,
++ 0x7F, 0x49, 0xFB, 0x3F, 0x29, 0x9B, 0xE1, 0x12, 0x51, 0x60, 0xD0, 0xA7,
++ 0x0D, 0xA9, 0x28, 0x56, 0x73, 0xD9, 0x07, 0xE3, 0x5E, 0x3F, 0x9B, 0xF5,
++ 0xB6, 0xF3, 0xF2, 0x5E, 0x74, 0xC9, 0x83, 0x81, 0x47, 0xF0, 0xC5, 0x45,
++ 0x0A, 0xE9, 0x8E, 0x38, 0xD7, 0x18, 0xC6, 0x2A, 0x0F, 0xF8, 0xB7, 0x31,
++ 0xD6, 0x55, 0xE4, 0x66, 0x78, 0x81, 0xD4, 0xE6, 0xDB, 0x9F, 0xBA, 0xE8,
++ 0x23, 0xB5, 0x7F, 0xDC, 0x08, 0xEA, 0xD5, 0x26, 0x1E, 0x20, 0x25, 0x84,
++ 0x26, 0xC6, 0x79, 0xC9, 0x9B, 0x3D, 0x7E, 0xA9
++};
++
++static const unsigned char kat_RSA_PSS_SHA224[] = {
++ 0x39, 0x4A, 0x6A, 0x20, 0xBC, 0xE9, 0x33, 0xED, 0xEF, 0xC5, 0x58, 0xA7,
++ 0xFE, 0x81, 0xC4, 0x36, 0x50, 0x9A, 0x2C, 0x82, 0x98, 0x08, 0x95, 0xFA,
++ 0xB1, 0x9E, 0xD2, 0x55, 0x61, 0x87, 0x21, 0x59, 0x87, 0x7B, 0x1F, 0x57,
++ 0x30, 0x9D, 0x0D, 0x4A, 0x06, 0xEB, 0x52, 0x37, 0x55, 0x54, 0x1C, 0x89,
++ 0x83, 0x75, 0x59, 0x65, 0x64, 0x90, 0x2E, 0x16, 0xCC, 0x86, 0x05, 0xEE,
++ 0xB1, 0xE6, 0x7B, 0xBA, 0x16, 0x75, 0x0D, 0x0C, 0x64, 0x0B, 0xAB, 0x22,
++ 0x15, 0x78, 0x6B, 0x6F, 0xA4, 0xFB, 0x77, 0x40, 0x64, 0x62, 0xD1, 0xB5,
++ 0x37, 0x1E, 0xE0, 0x3D, 0xA8, 0xF9, 0xD2, 0xBD, 0xAA, 0x38, 0x24, 0x49,
++ 0x58, 0xD2, 0x74, 0x85, 0xF4, 0xB5, 0x93, 0x8E, 0xF5, 0x03, 0xEA, 0x2D,
++ 0xC8, 0x52, 0xFA, 0xCF, 0x7E, 0x35, 0xB0, 0x6A, 0xAF, 0x95, 0xC0, 0x00,
++ 0x54, 0x76, 0x3D, 0x0C, 0x9C, 0xB2, 0xEE, 0xC0
++};
++
++static const unsigned char kat_RSA_PSS_SHA256[] = {
++ 0x6D, 0x3D, 0xBE, 0x8F, 0x60, 0x6D, 0x25, 0x14, 0xF0, 0x31, 0xE3, 0x89,
++ 0x00, 0x97, 0xFA, 0x99, 0x71, 0x28, 0xE5, 0x10, 0x25, 0x9A, 0xF3, 0x8F,
++ 0x7B, 0xC5, 0xA8, 0x4A, 0x74, 0x51, 0x36, 0xE2, 0x8D, 0x7D, 0x73, 0x28,
++ 0xC1, 0x77, 0xC6, 0x27, 0x97, 0x00, 0x8B, 0x00, 0xA3, 0x96, 0x73, 0x4E,
++ 0x7D, 0x2E, 0x2C, 0x34, 0x68, 0x8C, 0x8E, 0xDF, 0x9D, 0x49, 0x47, 0x05,
++ 0xAB, 0xF5, 0x01, 0xD6, 0x81, 0x47, 0x70, 0xF5, 0x1D, 0x6D, 0x26, 0xBA,
++ 0x2F, 0x7A, 0x54, 0x53, 0x4E, 0xED, 0x71, 0xD9, 0x5A, 0xF3, 0xDA, 0xB6,
++ 0x0B, 0x47, 0x34, 0xAF, 0x90, 0xDC, 0xC8, 0xD9, 0x6F, 0x56, 0xCD, 0x9F,
++ 0x21, 0xB7, 0x7E, 0xAD, 0x7C, 0x2F, 0x75, 0x50, 0x47, 0x12, 0xE4, 0x6D,
++ 0x5F, 0xB7, 0x01, 0xDF, 0xC3, 0x11, 0x6C, 0xA9, 0x9E, 0x49, 0xB9, 0xF6,
++ 0x72, 0xF4, 0xF6, 0xEF, 0x88, 0x1E, 0x2D, 0x1C
++};
++
++static const unsigned char kat_RSA_PSS_SHA384[] = {
++ 0x40, 0xFB, 0xA1, 0x21, 0xF4, 0xB2, 0x40, 0x9A, 0xB4, 0x31, 0xA8, 0xF2,
++ 0xEC, 0x1C, 0xC4, 0xC8, 0x7C, 0x22, 0x65, 0x9C, 0x57, 0x45, 0xCD, 0x5E,
++ 0x86, 0x00, 0xF7, 0x25, 0x78, 0xDE, 0xDC, 0x7A, 0x71, 0x44, 0x9A, 0xCD,
++ 0xAA, 0x25, 0xF4, 0xB2, 0xFC, 0xF0, 0x75, 0xD9, 0x2F, 0x78, 0x23, 0x7F,
++ 0x6F, 0x02, 0xEF, 0xC1, 0xAF, 0xA6, 0x28, 0x16, 0x31, 0xDC, 0x42, 0x6C,
++ 0xB2, 0x44, 0xE5, 0x4D, 0x66, 0xA2, 0xE6, 0x71, 0xF3, 0xAC, 0x4F, 0xFB,
++ 0x91, 0xCA, 0xF5, 0x70, 0xEF, 0x6B, 0x9D, 0xA4, 0xEF, 0xD9, 0x3D, 0x2F,
++ 0x3A, 0xBE, 0x89, 0x38, 0x59, 0x01, 0xBA, 0xDA, 0x32, 0xAD, 0x42, 0x89,
++ 0x98, 0x8B, 0x39, 0x44, 0xF0, 0xFC, 0x38, 0xAC, 0x87, 0x1F, 0xCA, 0x6F,
++ 0x48, 0xF6, 0xAE, 0xD7, 0x45, 0xEE, 0xAE, 0x88, 0x0E, 0x60, 0xF4, 0x55,
++ 0x48, 0x44, 0xEE, 0x1F, 0x90, 0x18, 0x4B, 0xF1
++};
++
++static const unsigned char kat_RSA_PSS_SHA512[] = {
++ 0x07, 0x1E, 0xD8, 0xD5, 0x05, 0xE8, 0xE6, 0xE6, 0x57, 0xAE, 0x63, 0x8C,
++ 0xC6, 0x83, 0xB7, 0xA0, 0x59, 0xBB, 0xF2, 0xC6, 0x8F, 0x12, 0x53, 0x9A,
++ 0x9B, 0x54, 0x9E, 0xB3, 0xC1, 0x1D, 0x23, 0x4D, 0x51, 0xED, 0x9E, 0xDD,
++ 0x4B, 0xF3, 0x46, 0x9B, 0x6B, 0xF6, 0x7C, 0x24, 0x60, 0x79, 0x23, 0x39,
++ 0x01, 0x1C, 0x51, 0xCB, 0xD8, 0xE9, 0x9A, 0x01, 0x67, 0x5F, 0xFE, 0xD7,
++ 0x7C, 0xE3, 0x7F, 0xED, 0xDB, 0x87, 0xBB, 0xF0, 0x3D, 0x78, 0x55, 0x61,
++ 0x57, 0xE3, 0x0F, 0xE3, 0xD2, 0x9D, 0x0C, 0x2A, 0x20, 0xB0, 0x85, 0x13,
++ 0xC5, 0x47, 0x34, 0x0D, 0x32, 0x15, 0xC8, 0xAE, 0x9A, 0x6A, 0x39, 0x63,
++ 0x2D, 0x60, 0xF5, 0x4C, 0xDF, 0x8A, 0x48, 0x4B, 0xBF, 0xF4, 0xA8, 0xFE,
++ 0x76, 0xF2, 0x32, 0x1B, 0x9C, 0x7C, 0xCA, 0xFE, 0x7F, 0x80, 0xC2, 0x88,
++ 0x5C, 0x97, 0x70, 0xB4, 0x26, 0xC9, 0x14, 0x8B
++};
++
++static const unsigned char kat_RSA_SHA1[] = {
++ 0x71, 0xEE, 0x1A, 0xC0, 0xFE, 0x01, 0x93, 0x54, 0x79, 0x5C, 0xF2, 0x4C,
++ 0x4A, 0xFD, 0x1A, 0x05, 0x8F, 0x64, 0xB1, 0x6D, 0x61, 0x33, 0x8D, 0x9B,
++ 0xE7, 0xFD, 0x60, 0xA3, 0x83, 0xB5, 0xA3, 0x51, 0x55, 0x77, 0x90, 0xCF,
++ 0xDC, 0x22, 0x37, 0x8E, 0xD0, 0xE1, 0xAE, 0x09, 0xE3, 0x3D, 0x1E, 0xF8,
++ 0x80, 0xD1, 0x8B, 0xC2, 0xEC, 0x0A, 0xD7, 0x6B, 0x88, 0x8B, 0x8B, 0xA1,
++ 0x20, 0x22, 0xBE, 0x59, 0x5B, 0xE0, 0x23, 0x24, 0xA1, 0x49, 0x30, 0xBA,
++ 0xA9, 0x9E, 0xE8, 0xB1, 0x8A, 0x62, 0x16, 0xBF, 0x4E, 0xCA, 0x2E, 0x4E,
++ 0xBC, 0x29, 0xA8, 0x67, 0x13, 0xB7, 0x9F, 0x1D, 0x04, 0x44, 0xE5, 0x5F,
++ 0x35, 0x07, 0x11, 0xBC, 0xED, 0x19, 0x37, 0x21, 0xCF, 0x23, 0x48, 0x1F,
++ 0x72, 0x05, 0xDE, 0xE6, 0xE8, 0x7F, 0x33, 0x8A, 0x76, 0x4B, 0x2F, 0x95,
++ 0xDF, 0xF1, 0x5F, 0x84, 0x80, 0xD9, 0x46, 0xB4
++};
++
++static const unsigned char kat_RSA_SHA224[] = {
++ 0x62, 0xAA, 0x79, 0xA9, 0x18, 0x0E, 0x5F, 0x8C, 0xBB, 0xB7, 0x15, 0xF9,
++ 0x25, 0xBB, 0xFA, 0xD4, 0x3A, 0x34, 0xED, 0x9E, 0xA0, 0xA9, 0x18, 0x8D,
++ 0x5B, 0x55, 0x9A, 0x7E, 0x1E, 0x08, 0x08, 0x60, 0xC5, 0x1A, 0xC5, 0x89,
++ 0x08, 0xE2, 0x1B, 0xBD, 0x62, 0x50, 0x17, 0x76, 0x30, 0x2C, 0x9E, 0xCD,
++ 0xA4, 0x02, 0xAD, 0xB1, 0x6D, 0x44, 0x6D, 0xD5, 0xC6, 0x45, 0x41, 0xE5,
++ 0xEE, 0x1F, 0x8D, 0x7E, 0x08, 0x16, 0xA6, 0xE1, 0x5E, 0x0B, 0xA9, 0xCC,
++ 0xDB, 0x59, 0x55, 0x87, 0x09, 0x25, 0x70, 0x86, 0x84, 0x02, 0xC6, 0x3B,
++ 0x0B, 0x44, 0x4C, 0x46, 0x95, 0xF4, 0xF8, 0x5A, 0x91, 0x28, 0x3E, 0xB2,
++ 0x58, 0x2E, 0x06, 0x45, 0x49, 0xE0, 0x92, 0xE2, 0xC0, 0x66, 0xE6, 0x35,
++ 0xD9, 0x79, 0x7F, 0x17, 0x5E, 0x02, 0x73, 0x04, 0x77, 0x82, 0xE6, 0xDC,
++ 0x40, 0x21, 0x89, 0x8B, 0x37, 0x3E, 0x1E, 0x8D
++};
++
++static const unsigned char kat_RSA_SHA256[] = {
++ 0x0D, 0x55, 0xE2, 0xAA, 0x81, 0xDB, 0x8E, 0x82, 0x05, 0x17, 0xA5, 0x23,
++ 0xE7, 0x3B, 0x1D, 0xAF, 0xFB, 0x8C, 0xD0, 0x81, 0x20, 0x7B, 0xAA, 0x23,
++ 0x92, 0x87, 0x8C, 0xD1, 0x53, 0x85, 0x16, 0xDC, 0xBE, 0xAD, 0x6F, 0x35,
++ 0x98, 0x2D, 0x69, 0x84, 0xBF, 0xD9, 0x8A, 0x01, 0x17, 0x58, 0xB2, 0x6E,
++ 0x2C, 0x44, 0x9B, 0x90, 0xF1, 0xFB, 0x51, 0xE8, 0x6A, 0x90, 0x2D, 0x18,
++ 0x0E, 0xC0, 0x90, 0x10, 0x24, 0xA9, 0x1D, 0xB3, 0x58, 0x7A, 0x91, 0x30,
++ 0xBE, 0x22, 0xC7, 0xD3, 0xEC, 0xC3, 0x09, 0x5D, 0xBF, 0xE2, 0x80, 0x3A,
++ 0x7C, 0x85, 0xB4, 0xBC, 0xD1, 0xE9, 0xF0, 0x5C, 0xDE, 0x81, 0xA6, 0x38,
++ 0xB8, 0x42, 0xBB, 0x86, 0xC5, 0x9D, 0xCE, 0x7C, 0x2C, 0xEE, 0xD1, 0xDA,
++ 0x27, 0x48, 0x2B, 0xF5, 0xAB, 0xB9, 0xF7, 0x80, 0xD1, 0x90, 0x27, 0x90,
++ 0xBD, 0x44, 0x97, 0x60, 0xCD, 0x57, 0xC0, 0x7A
++};
++
++static const unsigned char kat_RSA_SHA384[] = {
++ 0x1D, 0xE3, 0x6A, 0xDD, 0x27, 0x4C, 0xC0, 0xA5, 0x27, 0xEF, 0xE6, 0x1F,
++ 0xD2, 0x91, 0x68, 0x59, 0x04, 0xAE, 0xBD, 0x99, 0x63, 0x56, 0x47, 0xC7,
++ 0x6F, 0x22, 0x16, 0x48, 0xD0, 0xF9, 0x18, 0xA9, 0xCA, 0xFA, 0x5D, 0x5C,
++ 0xA7, 0x65, 0x52, 0x8A, 0xC8, 0x44, 0x7E, 0x86, 0x5D, 0xA9, 0xA6, 0x55,
++ 0x65, 0x3E, 0xD9, 0x2D, 0x02, 0x38, 0xA8, 0x79, 0x28, 0x7F, 0xB6, 0xCF,
++ 0x82, 0xDD, 0x7E, 0x55, 0xE1, 0xB1, 0xBC, 0xE2, 0x19, 0x2B, 0x30, 0xC2,
++ 0x1B, 0x2B, 0xB0, 0x82, 0x46, 0xAC, 0x4B, 0xD1, 0xE2, 0x7D, 0xEB, 0x8C,
++ 0xFF, 0x95, 0xE9, 0x6A, 0x1C, 0x3D, 0x4D, 0xBF, 0x8F, 0x8B, 0x9C, 0xCD,
++ 0xEA, 0x85, 0xEE, 0x00, 0xDC, 0x1C, 0xA7, 0xEB, 0xD0, 0x8F, 0x99, 0xF1,
++ 0x16, 0x28, 0x24, 0x64, 0x04, 0x39, 0x2D, 0x58, 0x1E, 0x37, 0xDC, 0x04,
++ 0xBD, 0x31, 0xA2, 0x2F, 0xB3, 0x35, 0x56, 0xBF
++};
++
++static const unsigned char kat_RSA_SHA512[] = {
++ 0x69, 0x52, 0x1B, 0x51, 0x5E, 0x06, 0xCA, 0x9B, 0x16, 0x51, 0x5D, 0xCF,
++ 0x49, 0x25, 0x4A, 0xA1, 0x6A, 0x77, 0x4C, 0x36, 0x40, 0xF8, 0xB2, 0x9A,
++ 0x15, 0xEA, 0x5C, 0xE5, 0xE6, 0x82, 0xE0, 0x86, 0x82, 0x6B, 0x32, 0xF1,
++ 0x04, 0xC1, 0x5A, 0x1A, 0xED, 0x1E, 0x9A, 0xB6, 0x4C, 0x54, 0x9F, 0xD8,
++ 0x8D, 0xCC, 0xAC, 0x8A, 0xBB, 0x9C, 0x82, 0x3F, 0xA6, 0x53, 0x62, 0xB5,
++ 0x80, 0xE2, 0xBC, 0xDD, 0x67, 0x2B, 0xD9, 0x3F, 0xE4, 0x75, 0x92, 0x6B,
++ 0xAF, 0x62, 0x7C, 0x52, 0xF0, 0xEE, 0x33, 0xDF, 0x1B, 0x1D, 0x47, 0xE6,
++ 0x59, 0x56, 0xA5, 0xB9, 0x5C, 0xE6, 0x77, 0x78, 0x16, 0x63, 0x84, 0x05,
++ 0x6F, 0x0E, 0x2B, 0x31, 0x9D, 0xF7, 0x7F, 0xB2, 0x64, 0x71, 0xE0, 0x2D,
++ 0x3E, 0x62, 0xCE, 0xB5, 0x3F, 0x88, 0xDF, 0x2D, 0xAB, 0x98, 0x65, 0x91,
++ 0xDF, 0x70, 0x14, 0xA5, 0x3F, 0x36, 0xAB, 0x84
++};
++
++static const unsigned char kat_RSA_X931_SHA1[] = {
++ 0x86, 0xB4, 0x18, 0xBA, 0xD1, 0x80, 0xB6, 0x7C, 0x42, 0x45, 0x4D, 0xDF,
++ 0xE9, 0x2D, 0xE1, 0x83, 0x5F, 0xB5, 0x2F, 0xC9, 0xCD, 0xC4, 0xB2, 0x75,
++ 0x80, 0xA4, 0xF1, 0x4A, 0xE7, 0x83, 0x12, 0x1E, 0x1E, 0x14, 0xB8, 0xAC,
++ 0x35, 0xE2, 0xAA, 0x0B, 0x5C, 0xF8, 0x38, 0x4D, 0x04, 0xEE, 0xA9, 0x97,
++ 0x70, 0xFB, 0x5E, 0xE7, 0xB7, 0xE3, 0x62, 0x23, 0x4B, 0x38, 0xBE, 0xD6,
++ 0x53, 0x15, 0xF7, 0xDF, 0x87, 0xB4, 0x0E, 0xCC, 0xB1, 0x1A, 0x11, 0x19,
++ 0xEE, 0x51, 0xCC, 0x92, 0xDD, 0xBC, 0x63, 0x29, 0x63, 0x0C, 0x59, 0xD7,
++ 0x6F, 0x4C, 0x3C, 0x37, 0x5B, 0x37, 0x03, 0x61, 0x7D, 0x24, 0x1C, 0x99,
++ 0x48, 0xAF, 0x82, 0xFE, 0x32, 0x41, 0x9B, 0xB2, 0xDB, 0xEA, 0xED, 0x76,
++ 0x8E, 0x6E, 0xCA, 0x7E, 0x4E, 0x14, 0xBA, 0x30, 0x84, 0x1C, 0xB3, 0x67,
++ 0xA3, 0x29, 0x80, 0x70, 0x54, 0x68, 0x7D, 0x49
++};
++
++static const unsigned char kat_RSA_X931_SHA256[] = {
++ 0x7E, 0xA2, 0x77, 0xFE, 0xB8, 0x54, 0x8A, 0xC7, 0x7F, 0x64, 0x54, 0x89,
++ 0xE5, 0x52, 0x15, 0x8E, 0x52, 0x96, 0x4E, 0xA6, 0x58, 0x92, 0x1C, 0xDD,
++ 0xEA, 0xA2, 0x2D, 0x5C, 0xD1, 0x62, 0x00, 0x49, 0x05, 0x95, 0x73, 0xCF,
++ 0x16, 0x76, 0x68, 0xF6, 0xC6, 0x5E, 0x80, 0xB8, 0xB8, 0x7B, 0xC8, 0x9B,
++ 0xC6, 0x53, 0x88, 0x26, 0x20, 0x88, 0x73, 0xB6, 0x13, 0xB8, 0xF0, 0x4B,
++ 0x00, 0x85, 0xF3, 0xDD, 0x07, 0x50, 0xEB, 0x20, 0xC4, 0x38, 0x0E, 0x98,
++ 0xAD, 0x4E, 0x49, 0x2C, 0xD7, 0x65, 0xA5, 0x19, 0x0E, 0x59, 0x01, 0xEC,
++ 0x7E, 0x75, 0x89, 0x69, 0x2E, 0x63, 0x76, 0x85, 0x46, 0x8D, 0xA0, 0x8C,
++ 0x33, 0x1D, 0x82, 0x8C, 0x03, 0xEA, 0x69, 0x88, 0x35, 0xA1, 0x42, 0xBD,
++ 0x21, 0xED, 0x8D, 0xBC, 0xBC, 0xDB, 0x30, 0xFF, 0x86, 0xF0, 0x5B, 0xDC,
++ 0xE3, 0xE2, 0xE8, 0x0A, 0x0A, 0x29, 0x94, 0x80
++};
++
++static const unsigned char kat_RSA_X931_SHA384[] = {
++ 0x5C, 0x7D, 0x96, 0x35, 0xEC, 0x7E, 0x11, 0x38, 0xBB, 0x7B, 0xEC, 0x7B,
++ 0xF2, 0x82, 0x8E, 0x99, 0xBD, 0xEF, 0xD8, 0xAE, 0xD7, 0x39, 0x37, 0xCB,
++ 0xE6, 0x4F, 0x5E, 0x0A, 0x13, 0xE4, 0x2E, 0x40, 0xB9, 0xBE, 0x2E, 0xE3,
++ 0xEF, 0x78, 0x83, 0x18, 0x44, 0x35, 0x9C, 0x8E, 0xD7, 0x4A, 0x63, 0xF6,
++ 0x57, 0xC2, 0xB0, 0x08, 0x51, 0x73, 0xCF, 0xCA, 0x99, 0x66, 0xEE, 0x31,
++ 0xD8, 0x69, 0xE9, 0xAB, 0x13, 0x27, 0x7B, 0x41, 0x1E, 0x6D, 0x8D, 0xF1,
++ 0x3E, 0x9C, 0x35, 0x95, 0x58, 0xDD, 0x2B, 0xD5, 0xA0, 0x60, 0x41, 0x79,
++ 0x24, 0x22, 0xE4, 0xB7, 0xBF, 0x47, 0x53, 0xF6, 0x34, 0xD5, 0x7C, 0xFF,
++ 0x0E, 0x09, 0xEE, 0x2E, 0xE2, 0x37, 0xB9, 0xDE, 0xC5, 0x12, 0x44, 0x35,
++ 0xEF, 0x01, 0xE6, 0x5E, 0x39, 0x31, 0x2D, 0x71, 0xA5, 0xDC, 0xC6, 0x6D,
++ 0xE2, 0xCD, 0x85, 0xDB, 0x73, 0x82, 0x65, 0x28
++};
++
++static const unsigned char kat_RSA_X931_SHA512[] = {
++ 0xA6, 0x65, 0xA2, 0x77, 0x4F, 0xB3, 0x86, 0xCB, 0x64, 0x3A, 0xC1, 0x63,
++ 0xFC, 0xA1, 0xAA, 0xCB, 0x9B, 0x79, 0xDD, 0x4B, 0xE1, 0xD9, 0xDA, 0xAC,
++ 0xE7, 0x47, 0x09, 0xB2, 0x11, 0x4B, 0x8A, 0xAA, 0x05, 0x9E, 0x77, 0xD7,
++ 0x3A, 0xBD, 0x5E, 0x53, 0x09, 0x4A, 0xE6, 0x0F, 0x5E, 0xF9, 0x14, 0x28,
++ 0xA0, 0x99, 0x74, 0x64, 0x70, 0x4E, 0xF2, 0xE3, 0xFA, 0xC7, 0xF8, 0xC5,
++ 0x6E, 0x2B, 0x79, 0x96, 0x0D, 0x0C, 0xC8, 0x10, 0x34, 0x53, 0xD2, 0xAF,
++ 0x17, 0x0E, 0xE0, 0xBF, 0x79, 0xF6, 0x04, 0x72, 0x10, 0xE0, 0xF6, 0xD0,
++ 0xCE, 0x8A, 0x6F, 0xA1, 0x95, 0x89, 0xBF, 0x58, 0x8F, 0x46, 0x5F, 0x09,
++ 0x9F, 0x09, 0xCA, 0x84, 0x15, 0x85, 0xE0, 0xED, 0x04, 0x2D, 0xFB, 0x7C,
++ 0x36, 0x35, 0x21, 0x31, 0xC3, 0xFD, 0x92, 0x42, 0x11, 0x30, 0x71, 0x1B,
++ 0x60, 0x83, 0x18, 0x88, 0xA3, 0xF5, 0x59, 0xC3
++};
++
++
++int FIPS_selftest_rsa()
++ {
++ int ret = 0;
++ RSA *key;
++ EVP_PKEY *pk = NULL;
++
++ if ((key=RSA_new()) == NULL)
++ goto err;
++ setrsakey(key);
++ if ((pk=EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_assign_RSA(pk, key);
++
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA1, sizeof(kat_RSA_SHA1),
++ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA1 PKCS#1"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA224, sizeof(kat_RSA_SHA224),
++ EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA224 PKCS#1"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA256, sizeof(kat_RSA_SHA256),
++ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA256 PKCS#1"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA384, sizeof(kat_RSA_SHA384),
++ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA384 PKCS#1"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA512, sizeof(kat_RSA_SHA512),
++ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA512 PKCS#1"))
++ goto err;
++
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA1, sizeof(kat_RSA_PSS_SHA1),
++ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS,
++ "RSA SHA1 PSS"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA224, sizeof(kat_RSA_PSS_SHA224),
++ EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PSS,
++ "RSA SHA224 PSS"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA256, sizeof(kat_RSA_PSS_SHA256),
++ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PSS,
++ "RSA SHA256 PSS"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA384, sizeof(kat_RSA_PSS_SHA384),
++ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PSS,
++ "RSA SHA384 PSS"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA512, sizeof(kat_RSA_PSS_SHA512),
++ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PSS,
++ "RSA SHA512 PSS"))
++ goto err;
++
++
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_X931_SHA1, sizeof(kat_RSA_X931_SHA1),
++ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931,
++ "RSA SHA1 X931"))
++ goto err;
++ /* NB: SHA224 not supported in X9.31 */
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_X931_SHA256, sizeof(kat_RSA_X931_SHA256),
++ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_X931,
++ "RSA SHA256 X931"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_X931_SHA384, sizeof(kat_RSA_X931_SHA384),
++ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_X931,
++ "RSA SHA384 X931"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_X931_SHA512, sizeof(kat_RSA_X931_SHA512),
++ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_X931,
++ "RSA SHA512 X931"))
++ goto err;
++
++
++ ret = 1;
++
++ err:
++ if (pk)
++ EVP_PKEY_free(pk);
++ else if (key)
++ RSA_free(key);
++ return ret;
++ }
++
++#endif /* def OPENSSL_FIPS */
+diff -up openssl-1.0.0f/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.0f/crypto/fips/fips_rsa_x931g.c
+--- openssl-1.0.0f/crypto/fips/fips_rsa_x931g.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/fips_rsa_x931g.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,281 @@
++/* crypto/rsa/rsa_gen.c */
++/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
++ * All rights reserved.
++ *
++ * This package is an SSL implementation written
++ * by Eric Young (eay at cryptsoft.com).
++ * The implementation was written so as to conform with Netscapes SSL.
++ *
++ * This library is free for commercial and non-commercial use as long as
++ * the following conditions are aheared to. The following conditions
++ * apply to all code found in this distribution, be it the RC4, RSA,
++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
++ * included with this distribution is covered by the same copyright terms
++ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
++ *
++ * Copyright remains Eric Young's, and as such any Copyright notices in
++ * the code are not to be removed.
++ * If this package is used in a product, Eric Young should be given attribution
++ * as the author of the parts of the library used.
++ * This can be in the form of a textual message at program startup or
++ * in documentation (online or textual) provided with the package.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ * must display the following acknowledgement:
++ * "This product includes cryptographic software written by
++ * Eric Young (eay at cryptsoft.com)"
++ * The word 'cryptographic' can be left out if the rouines from the library
++ * being used are not cryptographic related :-).
++ * 4. If you include any Windows specific code (or a derivative thereof) from
++ * the apps directory (application code) you must include an acknowledgement:
++ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ * The licence and distribution terms for any publically available version or
++ * derivative of this code cannot be changed. i.e. this code cannot simply be
++ * copied and put under another distribution licence
++ * [including the GNU Public Licence.]
++ */
++
++#include <stdio.h>
++#include <string.h>
++#include <time.h>
++#include <openssl/err.h>
++#include <openssl/bn.h>
++#include <openssl/rsa.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++
++extern int fips_check_rsa(RSA *rsa);
++#endif
++
++/* X9.31 RSA key derivation and generation */
++
++int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
++ const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp,
++ const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq,
++ const BIGNUM *e, BN_GENCB *cb)
++ {
++ BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL;
++ BN_CTX *ctx=NULL,*ctx2=NULL;
++
++ if (!rsa)
++ goto err;
++
++ ctx = BN_CTX_new();
++ if (!ctx)
++ goto err;
++ BN_CTX_start(ctx);
++
++ r0 = BN_CTX_get(ctx);
++ r1 = BN_CTX_get(ctx);
++ r2 = BN_CTX_get(ctx);
++ r3 = BN_CTX_get(ctx);
++
++ if (r3 == NULL)
++ goto err;
++ if (!rsa->e)
++ {
++ rsa->e = BN_dup(e);
++ if (!rsa->e)
++ goto err;
++ }
++ else
++ e = rsa->e;
++
++ /* If not all parameters present only calculate what we can.
++ * This allows test programs to output selective parameters.
++ */
++
++ if (Xp && !rsa->p)
++ {
++ rsa->p = BN_new();
++ if (!rsa->p)
++ goto err;
++
++ if (!BN_X931_derive_prime_ex(rsa->p, p1, p2,
++ Xp, Xp1, Xp2, e, ctx, cb))
++ goto err;
++ }
++
++ if (Xq && !rsa->q)
++ {
++ rsa->q = BN_new();
++ if (!rsa->q)
++ goto err;
++ if (!BN_X931_derive_prime_ex(rsa->q, q1, q2,
++ Xq, Xq1, Xq2, e, ctx, cb))
++ goto err;
++ }
++
++ if (!rsa->p || !rsa->q)
++ {
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++ return 2;
++ }
++
++ /* Since both primes are set we can now calculate all remaining
++ * components.
++ */
++
++ /* calculate n */
++ rsa->n=BN_new();
++ if (rsa->n == NULL)
++ goto err;
++ if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx))
++ goto err;
++
++ /* calculate d */
++ if (!BN_sub(r1,rsa->p,BN_value_one()))
++ goto err; /* p-1 */
++ if (!BN_sub(r2,rsa->q,BN_value_one()))
++ goto err; /* q-1 */
++ if (!BN_mul(r0,r1,r2,ctx))
++ goto err; /* (p-1)(q-1) */
++
++ if (!BN_gcd(r3, r1, r2, ctx))
++ goto err;
++
++ if (!BN_div(r0, NULL, r0, r3, ctx))
++ goto err; /* LCM((p-1)(q-1)) */
++
++ ctx2 = BN_CTX_new();
++ if (!ctx2)
++ goto err;
++
++ rsa->d=BN_mod_inverse(NULL,rsa->e,r0,ctx2); /* d */
++ if (rsa->d == NULL)
++ goto err;
++
++ /* calculate d mod (p-1) */
++ rsa->dmp1=BN_new();
++ if (rsa->dmp1 == NULL)
++ goto err;
++ if (!BN_mod(rsa->dmp1,rsa->d,r1,ctx))
++ goto err;
++
++ /* calculate d mod (q-1) */
++ rsa->dmq1=BN_new();
++ if (rsa->dmq1 == NULL)
++ goto err;
++ if (!BN_mod(rsa->dmq1,rsa->d,r2,ctx))
++ goto err;
++
++ /* calculate inverse of q mod p */
++ rsa->iqmp=BN_mod_inverse(NULL,rsa->q,rsa->p,ctx2);
++
++ err:
++ if (ctx)
++ {
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++ }
++ if (ctx2)
++ BN_CTX_free(ctx2);
++ /* If this is set all calls successful */
++ if (rsa && rsa->iqmp != NULL)
++ return 1;
++
++ return 0;
++
++ }
++
++int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, BN_GENCB *cb)
++ {
++ int ok = 0;
++ BIGNUM *Xp = NULL, *Xq = NULL;
++ BN_CTX *ctx = NULL;
++
++#ifdef OPENSSL_FIPS
++ if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)
++ {
++ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_KEY_TOO_SHORT);
++ return 0;
++ }
++
++ if (bits & 0xff)
++ {
++ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_INVALID_KEY_LENGTH);
++ return 0;
++ }
++
++ if(FIPS_selftest_failed())
++ {
++ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_FIPS_SELFTEST_FAILED);
++ return 0;
++ }
++#endif
++
++ ctx = BN_CTX_new();
++ if (!ctx)
++ goto error;
++
++ BN_CTX_start(ctx);
++ Xp = BN_CTX_get(ctx);
++ Xq = BN_CTX_get(ctx);
++ if (!BN_X931_generate_Xpq(Xp, Xq, bits, ctx))
++ goto error;
++
++ rsa->p = BN_new();
++ rsa->q = BN_new();
++ if (!rsa->p || !rsa->q)
++ goto error;
++
++ /* Generate two primes from Xp, Xq */
++
++ if (!BN_X931_generate_prime_ex(rsa->p, NULL, NULL, NULL, NULL, Xp,
++ e, ctx, cb))
++ goto error;
++
++ if (!BN_X931_generate_prime_ex(rsa->q, NULL, NULL, NULL, NULL, Xq,
++ e, ctx, cb))
++ goto error;
++
++ /* Since rsa->p and rsa->q are valid this call will just derive
++ * remaining RSA components.
++ */
++
++ if (!RSA_X931_derive_ex(rsa, NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL, NULL, NULL, e, cb))
++ goto error;
++
++#ifdef OPENSSL_FIPS
++ if(!fips_check_rsa(rsa))
++ goto error;
++#endif
++
++ ok = 1;
++
++ error:
++ if (ctx)
++ {
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++ }
++
++ if (ok)
++ return 1;
++
++ return 0;
++
++ }
+diff -up openssl-1.0.0f/crypto/fips/fips_sha1_selftest.c.fips openssl-1.0.0f/crypto/fips/fips_sha1_selftest.c
+--- openssl-1.0.0f/crypto/fips/fips_sha1_selftest.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/fips_sha1_selftest.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,99 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++#include <openssl/evp.h>
++#include <openssl/sha.h>
++
++#ifdef OPENSSL_FIPS
++static char test[][60]=
++ {
++ "",
++ "abc",
++ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
++ };
++
++static const unsigned char ret[][SHA_DIGEST_LENGTH]=
++ {
++ { 0xda,0x39,0xa3,0xee,0x5e,0x6b,0x4b,0x0d,0x32,0x55,
++ 0xbf,0xef,0x95,0x60,0x18,0x90,0xaf,0xd8,0x07,0x09 },
++ { 0xa9,0x99,0x3e,0x36,0x47,0x06,0x81,0x6a,0xba,0x3e,
++ 0x25,0x71,0x78,0x50,0xc2,0x6c,0x9c,0xd0,0xd8,0x9d },
++ { 0x84,0x98,0x3e,0x44,0x1c,0x3b,0xd2,0x6e,0xba,0xae,
++ 0x4a,0xa1,0xf9,0x51,0x29,0xe5,0xe5,0x46,0x70,0xf1 },
++ };
++
++void FIPS_corrupt_sha1()
++ {
++ test[2][0]++;
++ }
++
++int FIPS_selftest_sha1()
++ {
++ int n;
++
++ for(n=0 ; n<sizeof(test)/sizeof(test[0]) ; ++n)
++ {
++ unsigned char md[SHA_DIGEST_LENGTH];
++
++ EVP_Digest(test[n],strlen(test[n]),md, NULL, EVP_sha1(), NULL);
++ if(memcmp(md,ret[n],sizeof md))
++ {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA1,FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++ }
++ return 1;
++ }
++
++#endif
+diff -up openssl-1.0.0f/crypto/fips/fips_standalone_sha1.c.fips openssl-1.0.0f/crypto/fips/fips_standalone_sha1.c
+--- openssl-1.0.0f/crypto/fips/fips_standalone_sha1.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/fips_standalone_sha1.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,173 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <openssl/opensslconf.h>
++#include <openssl/sha.h>
++#include <openssl/hmac.h>
++
++#ifndef FIPSCANISTER_O
++int FIPS_selftest_failed() { return 0; }
++void FIPS_selftest_check() {}
++void OPENSSL_cleanse(void *p,size_t len) {}
++#endif
++
++#ifdef OPENSSL_FIPS
++
++static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx,
++ const char *key)
++ {
++ size_t len=strlen(key);
++ int i;
++ unsigned char keymd[HMAC_MAX_MD_CBLOCK];
++ unsigned char pad[HMAC_MAX_MD_CBLOCK];
++
++ if (len > SHA_CBLOCK)
++ {
++ SHA1_Init(md_ctx);
++ SHA1_Update(md_ctx,key,len);
++ SHA1_Final(keymd,md_ctx);
++ len=20;
++ }
++ else
++ memcpy(keymd,key,len);
++ memset(&keymd[len],'\0',HMAC_MAX_MD_CBLOCK-len);
++
++ for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
++ pad[i]=0x36^keymd[i];
++ SHA1_Init(md_ctx);
++ SHA1_Update(md_ctx,pad,SHA_CBLOCK);
++
++ for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
++ pad[i]=0x5c^keymd[i];
++ SHA1_Init(o_ctx);
++ SHA1_Update(o_ctx,pad,SHA_CBLOCK);
++ }
++
++static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx)
++ {
++ unsigned char buf[20];
++
++ SHA1_Final(buf,md_ctx);
++ SHA1_Update(o_ctx,buf,sizeof buf);
++ SHA1_Final(md,o_ctx);
++ }
++
++#endif
++
++int main(int argc,char **argv)
++ {
++#ifdef OPENSSL_FIPS
++ static char key[]="etaonrishdlcupfm";
++ int n,binary=0;
++
++ if(argc < 2)
++ {
++ fprintf(stderr,"%s [<file>]+\n",argv[0]);
++ exit(1);
++ }
++
++ n=1;
++ if (!strcmp(argv[n],"-binary"))
++ {
++ n++;
++ binary=1; /* emit binary fingerprint... */
++ }
++
++ for(; n < argc ; ++n)
++ {
++ FILE *f=fopen(argv[n],"rb");
++ SHA_CTX md_ctx,o_ctx;
++ unsigned char md[20];
++ int i;
++
++ if(!f)
++ {
++ perror(argv[n]);
++ exit(2);
++ }
++
++ hmac_init(&md_ctx,&o_ctx,key);
++ for( ; ; )
++ {
++ char buf[1024];
++ size_t l=fread(buf,1,sizeof buf,f);
++
++ if(l == 0)
++ {
++ if(ferror(f))
++ {
++ perror(argv[n]);
++ exit(3);
++ }
++ else
++ break;
++ }
++ SHA1_Update(&md_ctx,buf,l);
++ }
++ hmac_final(md,&md_ctx,&o_ctx);
++
++ if (binary)
++ {
++ fwrite(md,20,1,stdout);
++ break; /* ... for single(!) file */
++ }
++
++ printf("HMAC-SHA1(%s)= ",argv[n]);
++ for(i=0 ; i < 20 ; ++i)
++ printf("%02x",md[i]);
++ printf("\n");
++ }
++#endif
++ return 0;
++ }
++
++
+diff -up openssl-1.0.0f/crypto/fips/fips_test_suite.c.fips openssl-1.0.0f/crypto/fips/fips_test_suite.c
+--- openssl-1.0.0f/crypto/fips/fips_test_suite.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/fips_test_suite.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,588 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ *
++ * This command is intended as a test driver for the FIPS-140 testing
++ * lab performing FIPS-140 validation. It demonstrates the use of the
++ * OpenSSL library ito perform a variety of common cryptographic
++ * functions. A power-up self test is demonstrated by deliberately
++ * pointing to an invalid executable hash
++ *
++ * Contributed by Steve Marquess.
++ *
++ */
++#include <stdio.h>
++#include <assert.h>
++#include <ctype.h>
++#include <string.h>
++#include <stdlib.h>
++#include <openssl/aes.h>
++#include <openssl/des.h>
++#include <openssl/rsa.h>
++#include <openssl/dsa.h>
++#include <openssl/dh.h>
++#include <openssl/hmac.h>
++#include <openssl/err.h>
++
++#include <openssl/bn.h>
++#include <openssl/rand.h>
++#include <openssl/sha.h>
++
++
++#ifndef OPENSSL_FIPS
++int main(int argc, char *argv[])
++ {
++ printf("No FIPS support\n");
++ return(0);
++ }
++#else
++
++#include <openssl/fips.h>
++#include "fips_utl.h"
++
++/* AES: encrypt and decrypt known plaintext, verify result matches original plaintext
++*/
++static int FIPS_aes_test(void)
++ {
++ int ret = 0;
++ unsigned char pltmp[16];
++ unsigned char citmp[16];
++ unsigned char key[16] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
++ unsigned char plaintext[16] = "etaonrishdlcu";
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++ if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 1) <= 0)
++ goto err;
++ EVP_Cipher(&ctx, citmp, plaintext, 16);
++ if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 0) <= 0)
++ goto err;
++ EVP_Cipher(&ctx, pltmp, citmp, 16);
++ if (memcmp(pltmp, plaintext, 16))
++ goto err;
++ ret = 1;
++ err:
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ return ret;
++ }
++
++static int FIPS_des3_test(void)
++ {
++ int ret = 0;
++ unsigned char pltmp[8];
++ unsigned char citmp[8];
++ unsigned char key[] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,
++ 19,20,21,22,23,24};
++ unsigned char plaintext[] = { 'e', 't', 'a', 'o', 'n', 'r', 'i', 's' };
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++ if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(),NULL, key, NULL, 1) <= 0)
++ goto err;
++ EVP_Cipher(&ctx, citmp, plaintext, 8);
++ if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(),NULL, key, NULL, 0) <= 0)
++ goto err;
++ EVP_Cipher(&ctx, pltmp, citmp, 8);
++ if (memcmp(pltmp, plaintext, 8))
++ goto err;
++ ret = 1;
++ err:
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ return ret;
++ }
++
++/*
++ * DSA: generate keys and sign, verify input plaintext.
++ */
++static int FIPS_dsa_test(int bad)
++ {
++ DSA *dsa = NULL;
++ EVP_PKEY pk;
++ unsigned char dgst[] = "etaonrishdlc";
++ unsigned char buf[60];
++ unsigned int slen;
++ int r = 0;
++ EVP_MD_CTX mctx;
++
++ ERR_clear_error();
++ EVP_MD_CTX_init(&mctx);
++ dsa = DSA_new();
++ if (!dsa)
++ goto end;
++ if (!DSA_generate_parameters_ex(dsa, 1024,NULL,0,NULL,NULL,NULL))
++ goto end;
++ if (!DSA_generate_key(dsa))
++ goto end;
++ if (bad)
++ BN_add_word(dsa->pub_key, 1);
++
++ pk.type = EVP_PKEY_DSA;
++ pk.pkey.dsa = dsa;
++
++ if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL))
++ goto end;
++ if (!EVP_SignUpdate(&mctx, dgst, sizeof(dgst) - 1))
++ goto end;
++ if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
++ goto end;
++
++ if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL))
++ goto end;
++ if (!EVP_VerifyUpdate(&mctx, dgst, sizeof(dgst) - 1))
++ goto end;
++ r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
++ end:
++ EVP_MD_CTX_cleanup(&mctx);
++ if (dsa)
++ DSA_free(dsa);
++ if (r != 1)
++ return 0;
++ return 1;
++ }
++
++/*
++ * RSA: generate keys and sign, verify input plaintext.
++ */
++static int FIPS_rsa_test(int bad)
++ {
++ RSA *key;
++ unsigned char input_ptext[] = "etaonrishdlc";
++ unsigned char buf[256];
++ unsigned int slen;
++ BIGNUM *bn;
++ EVP_MD_CTX mctx;
++ EVP_PKEY pk;
++ int r = 0;
++
++ ERR_clear_error();
++ EVP_MD_CTX_init(&mctx);
++ key = RSA_new();
++ bn = BN_new();
++ if (!key || !bn)
++ return 0;
++ BN_set_word(bn, 65537);
++ if (!RSA_generate_key_ex(key, 1024,bn,NULL))
++ return 0;
++ BN_free(bn);
++ if (bad)
++ BN_add_word(key->n, 1);
++
++ pk.type = EVP_PKEY_RSA;
++ pk.pkey.rsa = key;
++
++ if (!EVP_SignInit_ex(&mctx, EVP_sha1(), NULL))
++ goto end;
++ if (!EVP_SignUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
++ goto end;
++ if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
++ goto end;
++
++ if (!EVP_VerifyInit_ex(&mctx, EVP_sha1(), NULL))
++ goto end;
++ if (!EVP_VerifyUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
++ goto end;
++ r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
++ end:
++ EVP_MD_CTX_cleanup(&mctx);
++ if (key)
++ RSA_free(key);
++ if (r != 1)
++ return 0;
++ return 1;
++ }
++
++/* SHA1: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_sha1_test()
++ {
++ unsigned char digest[SHA_DIGEST_LENGTH] =
++ { 0x11, 0xf1, 0x9a, 0x3a, 0xec, 0x1a, 0x1e, 0x8e, 0x65, 0xd4, 0x9a, 0x38, 0x0c, 0x8b, 0x1e, 0x2c, 0xe8, 0xb3, 0xc5, 0x18 };
++ unsigned char str[] = "etaonrishd";
++
++ unsigned char md[SHA_DIGEST_LENGTH];
++
++ ERR_clear_error();
++ if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha1(), NULL)) return 0;
++ if (memcmp(md,digest,sizeof(md)))
++ return 0;
++ return 1;
++ }
++
++/* SHA256: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_sha256_test()
++ {
++ unsigned char digest[SHA256_DIGEST_LENGTH] =
++ {0xf5, 0x53, 0xcd, 0xb8, 0xcf, 0x1, 0xee, 0x17, 0x9b, 0x93, 0xc9, 0x68, 0xc0, 0xea, 0x40, 0x91,
++ 0x6, 0xec, 0x8e, 0x11, 0x96, 0xc8, 0x5d, 0x1c, 0xaf, 0x64, 0x22, 0xe6, 0x50, 0x4f, 0x47, 0x57};
++ unsigned char str[] = "etaonrishd";
++
++ unsigned char md[SHA256_DIGEST_LENGTH];
++
++ ERR_clear_error();
++ if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha256(), NULL)) return 0;
++ if (memcmp(md,digest,sizeof(md)))
++ return 0;
++ return 1;
++ }
++
++/* SHA512: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_sha512_test()
++ {
++ unsigned char digest[SHA512_DIGEST_LENGTH] =
++ {0x99, 0xc9, 0xe9, 0x5b, 0x88, 0xd4, 0x78, 0x88, 0xdf, 0x88, 0x5f, 0x94, 0x71, 0x64, 0x28, 0xca,
++ 0x16, 0x1f, 0x3d, 0xf4, 0x1f, 0xf3, 0x0f, 0xc5, 0x03, 0x99, 0xb2, 0xd0, 0xe7, 0x0b, 0x94, 0x4a,
++ 0x45, 0xd2, 0x6c, 0x4f, 0x20, 0x06, 0xef, 0x71, 0xa9, 0x25, 0x7f, 0x24, 0xb1, 0xd9, 0x40, 0x22,
++ 0x49, 0x54, 0x10, 0xc2, 0x22, 0x9d, 0x27, 0xfe, 0xbd, 0xd6, 0xd6, 0xeb, 0x2d, 0x42, 0x1d, 0xa3};
++ unsigned char str[] = "etaonrishd";
++
++ unsigned char md[SHA512_DIGEST_LENGTH];
++
++ ERR_clear_error();
++ if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha512(), NULL)) return 0;
++ if (memcmp(md,digest,sizeof(md)))
++ return 0;
++ return 1;
++ }
++
++/* HMAC-SHA1: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_hmac_sha1_test()
++ {
++ unsigned char key[] = "etaonrishd";
++ unsigned char iv[] = "Sample text";
++ unsigned char kaval[EVP_MAX_MD_SIZE] =
++ {0x73, 0xf7, 0xa0, 0x48, 0xf8, 0x94, 0xed, 0xdd, 0x0a, 0xea, 0xea, 0x56, 0x1b, 0x61, 0x2e, 0x70,
++ 0xb2, 0xfb, 0xec, 0xc6};
++
++ unsigned char out[EVP_MAX_MD_SIZE];
++ unsigned int outlen;
++
++ ERR_clear_error();
++ if (!HMAC(EVP_sha1(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
++ if (memcmp(out,kaval,outlen))
++ return 0;
++ return 1;
++ }
++
++/* HMAC-SHA224: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_hmac_sha224_test()
++ {
++ unsigned char key[] = "etaonrishd";
++ unsigned char iv[] = "Sample text";
++ unsigned char kaval[EVP_MAX_MD_SIZE] =
++ {0x75, 0x58, 0xd5, 0xbd, 0x55, 0x6d, 0x87, 0x0f, 0x75, 0xff, 0xbe, 0x1c, 0xb2, 0xf0, 0x20, 0x35,
++ 0xe5, 0x62, 0x49, 0xb6, 0x94, 0xb9, 0xfc, 0x65, 0x34, 0x33, 0x3a, 0x19};
++
++ unsigned char out[EVP_MAX_MD_SIZE];
++ unsigned int outlen;
++
++ ERR_clear_error();
++ if (!HMAC(EVP_sha224(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
++ if (memcmp(out,kaval,outlen))
++ return 0;
++ return 1;
++ }
++
++/* HMAC-SHA256: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_hmac_sha256_test()
++ {
++ unsigned char key[] = "etaonrishd";
++ unsigned char iv[] = "Sample text";
++ unsigned char kaval[EVP_MAX_MD_SIZE] =
++ {0xe9, 0x17, 0xc1, 0x7b, 0x4c, 0x6b, 0x77, 0xda, 0xd2, 0x30, 0x36, 0x02, 0xf5, 0x72, 0x33, 0x87,
++ 0x9f, 0xc6, 0x6e, 0x7b, 0x7e, 0xa8, 0xea, 0xaa, 0x9f, 0xba, 0xee, 0x51, 0xff, 0xda, 0x24, 0xf4};
++
++ unsigned char out[EVP_MAX_MD_SIZE];
++ unsigned int outlen;
++
++ ERR_clear_error();
++ if (!HMAC(EVP_sha256(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
++ if (memcmp(out,kaval,outlen))
++ return 0;
++ return 1;
++ }
++
++/* HMAC-SHA384: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_hmac_sha384_test()
++ {
++ unsigned char key[] = "etaonrishd";
++ unsigned char iv[] = "Sample text";
++ unsigned char kaval[EVP_MAX_MD_SIZE] =
++ {0xb2, 0x9d, 0x40, 0x58, 0x32, 0xc4, 0xe3, 0x31, 0xb6, 0x63, 0x08, 0x26, 0x99, 0xef, 0x3b, 0x10,
++ 0xe2, 0xdf, 0xf8, 0xff, 0xc6, 0xe1, 0x03, 0x29, 0x81, 0x2a, 0x1b, 0xac, 0xb0, 0x07, 0x39, 0x08,
++ 0xf3, 0x91, 0x35, 0x11, 0x76, 0xd6, 0x4c, 0x20, 0xfb, 0x4d, 0xc3, 0xf3, 0xb8, 0x9b, 0x88, 0x1c};
++
++ unsigned char out[EVP_MAX_MD_SIZE];
++ unsigned int outlen;
++
++ ERR_clear_error();
++ if (!HMAC(EVP_sha384(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
++ if (memcmp(out,kaval,outlen))
++ return 0;
++ return 1;
++ }
++
++/* HMAC-SHA512: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_hmac_sha512_test()
++ {
++ unsigned char key[] = "etaonrishd";
++ unsigned char iv[] = "Sample text";
++ unsigned char kaval[EVP_MAX_MD_SIZE] =
++ {0xcd, 0x3e, 0xb9, 0x51, 0xb8, 0xbc, 0x7f, 0x9a, 0x23, 0xaf, 0xf3, 0x77, 0x59, 0x85, 0xa9, 0xe6,
++ 0xf7, 0xd1, 0x51, 0x96, 0x17, 0xe0, 0x92, 0xd8, 0xa6, 0x3b, 0xc1, 0xad, 0x7e, 0x24, 0xca, 0xb1,
++ 0xd7, 0x79, 0x0a, 0xa5, 0xea, 0x2c, 0x02, 0x58, 0x0b, 0xa6, 0x52, 0x6b, 0x61, 0x7f, 0xeb, 0x9c,
++ 0x47, 0x86, 0x5d, 0x74, 0x2b, 0x88, 0xdf, 0xee, 0x46, 0x69, 0x96, 0x3d, 0xa6, 0xd9, 0x2a, 0x53};
++
++ unsigned char out[EVP_MAX_MD_SIZE];
++ unsigned int outlen;
++
++ ERR_clear_error();
++ if (!HMAC(EVP_sha512(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
++ if (memcmp(out,kaval,outlen))
++ return 0;
++ return 1;
++ }
++
++
++/* DH: generate shared parameters
++*/
++static int dh_test()
++ {
++ DH *dh;
++ ERR_clear_error();
++ dh = FIPS_dh_new();
++ if (!dh)
++ return 0;
++ if (!DH_generate_parameters_ex(dh, 1024, 2, NULL))
++ return 0;
++ FIPS_dh_free(dh);
++ return 1;
++ }
++
++/* Zeroize
++*/
++static int Zeroize()
++ {
++ RSA *key;
++ BIGNUM *bn;
++ unsigned char userkey[16] =
++ { 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f, 0x83, 0x02, 0xb1, 0x09, 0x68 };
++ int i, n;
++
++ key = FIPS_rsa_new();
++ bn = BN_new();
++ if (!key || !bn)
++ return 0;
++ BN_set_word(bn, 65537);
++ if (!RSA_generate_key_ex(key, 1024,bn,NULL))
++ return 0;
++ BN_free(bn);
++
++ n = BN_num_bytes(key->d);
++ printf(" Generated %d byte RSA private key\n", n);
++ printf("\tBN key before overwriting:\n");
++ do_bn_print(stdout, key->d);
++ BN_rand(key->d,n*8,-1,0);
++ printf("\tBN key after overwriting:\n");
++ do_bn_print(stdout, key->d);
++
++ printf("\tchar buffer key before overwriting: \n\t\t");
++ for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
++ printf("\n");
++ RAND_bytes(userkey, sizeof userkey);
++ printf("\tchar buffer key after overwriting: \n\t\t");
++ for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
++ printf("\n");
++
++ return 1;
++ }
++
++static int Error;
++const char * Fail(const char *msg)
++ {
++ do_print_errors();
++ Error++;
++ return msg;
++ }
++
++int main(int argc,char **argv)
++ {
++
++ int do_corrupt_rsa_keygen = 0, do_corrupt_dsa_keygen = 0;
++ int bad_rsa = 0, bad_dsa = 0;
++ int do_rng_stick = 0;
++ int no_exit = 0;
++
++ printf("\tFIPS-mode test application\n\n");
++
++ /* Load entropy from external file, if any */
++ RAND_load_file(".rnd", 1024);
++
++ if (argv[1]) {
++ /* Corrupted KAT tests */
++ if (!strcmp(argv[1], "aes")) {
++ FIPS_corrupt_aes();
++ printf("AES encryption/decryption with corrupted KAT...\n");
++ } else if (!strcmp(argv[1], "des")) {
++ FIPS_corrupt_des();
++ printf("DES3-ECB encryption/decryption with corrupted KAT...\n");
++ } else if (!strcmp(argv[1], "dsa")) {
++ FIPS_corrupt_dsa();
++ printf("DSA key generation and signature validation with corrupted KAT...\n");
++ } else if (!strcmp(argv[1], "rsa")) {
++ FIPS_corrupt_rsa();
++ printf("RSA key generation and signature validation with corrupted KAT...\n");
++ } else if (!strcmp(argv[1], "rsakey")) {
++ printf("RSA key generation and signature validation with corrupted key...\n");
++ bad_rsa = 1;
++ no_exit = 1;
++ } else if (!strcmp(argv[1], "rsakeygen")) {
++ do_corrupt_rsa_keygen = 1;
++ no_exit = 1;
++ printf("RSA key generation and signature validation with corrupted keygen...\n");
++ } else if (!strcmp(argv[1], "dsakey")) {
++ printf("DSA key generation and signature validation with corrupted key...\n");
++ bad_dsa = 1;
++ no_exit = 1;
++ } else if (!strcmp(argv[1], "dsakeygen")) {
++ do_corrupt_dsa_keygen = 1;
++ no_exit = 1;
++ printf("DSA key generation and signature validation with corrupted keygen...\n");
++ } else if (!strcmp(argv[1], "sha1")) {
++ FIPS_corrupt_sha1();
++ printf("SHA-1 hash with corrupted KAT...\n");
++ } else if (!strcmp(argv[1], "rng")) {
++ FIPS_corrupt_rng();
++ } else if (!strcmp(argv[1], "rngstick")) {
++ do_rng_stick = 1;
++ no_exit = 1;
++ printf("RNG test with stuck continuous test...\n");
++ } else {
++ printf("Bad argument \"%s\"\n", argv[1]);
++ exit(1);
++ }
++ if (!no_exit) {
++ if (!FIPS_mode_set(1)) {
++ do_print_errors();
++ printf("Power-up self test failed\n");
++ exit(1);
++ }
++ printf("Power-up self test successful\n");
++ exit(0);
++ }
++ }
++
++ /* Non-Approved cryptographic operation
++ */
++ printf("1. Non-Approved cryptographic operation test...\n");
++ printf("\ta. Included algorithm (D-H)...");
++ printf( dh_test() ? "successful\n" : Fail("FAILED!\n") );
++
++ /* Power-up self test
++ */
++ ERR_clear_error();
++ printf("2. Automatic power-up self test...");
++ if (!FIPS_mode_set(1))
++ {
++ do_print_errors();
++ printf(Fail("FAILED!\n"));
++ exit(1);
++ }
++ printf("successful\n");
++ if (do_corrupt_dsa_keygen)
++ FIPS_corrupt_dsa_keygen();
++ if (do_corrupt_rsa_keygen)
++ FIPS_corrupt_rsa_keygen();
++ if (do_rng_stick)
++ FIPS_rng_stick();
++
++ /* AES encryption/decryption
++ */
++ printf("3. AES encryption/decryption...");
++ printf( FIPS_aes_test() ? "successful\n" : Fail("FAILED!\n") );
++
++ /* RSA key generation and encryption/decryption
++ */
++ printf("4. RSA key generation and encryption/decryption...");
++ printf( FIPS_rsa_test(bad_rsa) ? "successful\n" : Fail("FAILED!\n") );
++
++ /* DES-CBC encryption/decryption
++ */
++ printf("5. DES-ECB encryption/decryption...");
++ printf( FIPS_des3_test() ? "successful\n" : Fail("FAILED!\n") );
++
++ /* DSA key generation and signature validation
++ */
++ printf("6. DSA key generation and signature validation...");
++ printf( FIPS_dsa_test(bad_dsa) ? "successful\n" : Fail("FAILED!\n") );
++
++ /* SHA-1 hash
++ */
++ printf("7a. SHA-1 hash...");
++ printf( FIPS_sha1_test() ? "successful\n" : Fail("FAILED!\n") );
++
++ /* SHA-256 hash
++ */
++ printf("7b. SHA-256 hash...");
++ printf( FIPS_sha256_test() ? "successful\n" : Fail("FAILED!\n") );
++
++ /* SHA-512 hash
++ */
++ printf("7c. SHA-512 hash...");
++ printf( FIPS_sha512_test() ? "successful\n" : Fail("FAILED!\n") );
++
++ /* HMAC-SHA-1 hash
++ */
++ printf("7d. HMAC-SHA-1 hash...");
++ printf( FIPS_hmac_sha1_test() ? "successful\n" : Fail("FAILED!\n") );
++
++ /* HMAC-SHA-224 hash
++ */
++ printf("7e. HMAC-SHA-224 hash...");
++ printf( FIPS_hmac_sha224_test() ? "successful\n" : Fail("FAILED!\n") );
++
++ /* HMAC-SHA-256 hash
++ */
++ printf("7f. HMAC-SHA-256 hash...");
++ printf( FIPS_hmac_sha256_test() ? "successful\n" : Fail("FAILED!\n") );
++
++ /* HMAC-SHA-384 hash
++ */
++ printf("7g. HMAC-SHA-384 hash...");
++ printf( FIPS_hmac_sha384_test() ? "successful\n" : Fail("FAILED!\n") );
++
++ /* HMAC-SHA-512 hash
++ */
++ printf("7h. HMAC-SHA-512 hash...");
++ printf( FIPS_hmac_sha512_test() ? "successful\n" : Fail("FAILED!\n") );
++
++ /* Non-Approved cryptographic operation
++ */
++ printf("8. Non-Approved cryptographic operation test...\n");
++ printf("\ta. Included algorithm (D-H)...");
++ printf( dh_test() ? "successful as expected\n"
++ : Fail("failed INCORRECTLY!\n") );
++
++ /* Zeroization
++ */
++ printf("9. Zero-ization...\n");
++ printf( Zeroize() ? "\tsuccessful as expected\n"
++ : Fail("\tfailed INCORRECTLY!\n") );
++
++ printf("\nAll tests completed with %d errors\n", Error);
++ return Error ? 1 : 0;
++ }
++
++#endif
+diff -up openssl-1.0.0f/crypto/fips_locl.h.fips openssl-1.0.0f/crypto/fips_locl.h
+--- openssl-1.0.0f/crypto/fips_locl.h.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips_locl.h 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,72 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#ifdef OPENSSL_FIPS
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++void fips_w_lock(void);
++void fips_w_unlock(void);
++void fips_r_lock(void);
++void fips_r_unlock(void);
++int fips_is_started(void);
++void fips_set_started(void);
++int fips_is_owning_thread(void);
++int fips_set_owning_thread(void);
++void fips_set_selftest_fail(void);
++int fips_clear_owning_thread(void);
++
++#define FIPS_MAX_CIPHER_TEST_SIZE 16
++
++#ifdef __cplusplus
++}
++#endif
++#endif
+diff -up openssl-1.0.0f/crypto/fips/Makefile.fips openssl-1.0.0f/crypto/fips/Makefile
+--- openssl-1.0.0f/crypto/fips/Makefile.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/fips/Makefile 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,81 @@
++#
++# OpenSSL/crypto/fips/Makefile
++#
++
++DIR= fips
++TOP= ../..
++CC= cc
++INCLUDES=
++CFLAG=-g
++MAKEFILE= Makefile
++AR= ar r
++
++CFLAGS= $(INCLUDES) $(CFLAG)
++
++GENERAL=Makefile
++TEST=fips_test_suite.c fips_randtest.c
++APPS=
++
++LIB=$(TOP)/libcrypto.a
++LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_selftest.c \
++ fips_rsa_selftest.c fips_sha1_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
++ fips_rsa_x931g.c
++
++LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \
++ fips_rsa_selftest.o fips_sha1_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \
++ fips_rsa_x931g.o
++
++SRC= $(LIBSRC) fips_standalone_sha1.c
++
++EXHEADER= fips.h fips_rand.h
++HEADER= $(EXHEADER)
++
++ALL= $(GENERAL) $(SRC) $(HEADER)
++
++top:
++ (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
++
++all: lib
++
++lib: $(LIBOBJ)
++ $(AR) $(LIB) $(LIBOBJ)
++ $(RANLIB) $(LIB) || echo Never mind.
++ @touch lib
++
++files:
++ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
++
++links:
++ @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
++ @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
++ @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
++
++install:
++ @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
++ @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
++ do \
++ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
++ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
++ done;
++
++tags:
++ ctags $(SRC)
++
++tests:
++
++lint:
++ lint -DLINT $(INCLUDES) $(SRC)>fluff
++
++depend:
++ @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
++ $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
++
++dclean:
++ $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
++ mv -f Makefile.new $(MAKEFILE)
++
++clean:
++ rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
++
++# DO NOT DELETE THIS LINE -- make depend depends on it.
++
+diff -up openssl-1.0.0f/crypto/hmac/hmac.c.fips openssl-1.0.0f/crypto/hmac/hmac.c
+--- openssl-1.0.0f/crypto/hmac/hmac.c.fips 2010-06-15 19:25:09.000000000 +0200
++++ openssl-1.0.0f/crypto/hmac/hmac.c 2012-01-05 13:22:30.000000000 +0100
+@@ -77,6 +77,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
+
+ if (key != NULL)
+ {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(md->flags & EVP_MD_FLAG_FIPS)
++ && (!(ctx->md_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
++ || !(ctx->i_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
++ || !(ctx->o_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))
++ goto err;
++#endif
+ reset=1;
+ j=EVP_MD_block_size(md);
+ OPENSSL_assert(j <= (int)sizeof(ctx->key));
+diff -up openssl-1.0.0f/crypto/Makefile.fips openssl-1.0.0f/crypto/Makefile
+--- openssl-1.0.0f/crypto/Makefile.fips 2010-07-27 00:09:59.000000000 +0200
++++ openssl-1.0.0f/crypto/Makefile 2012-01-05 13:22:30.000000000 +0100
+@@ -34,14 +34,14 @@ GENERAL=Makefile README crypto-lib.com i
+
+ LIB= $(TOP)/libcrypto.a
+ SHARED_LIB= libcrypto$(SHLIB_EXT)
+-LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c ebcdic.c uid.c o_time.c o_str.c o_dir.c
+-LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o o_dir.o $(CPUID_OBJ)
++LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c ebcdic.c uid.c o_time.c o_str.c o_dir.c o_init.c fips_err.c
++LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o o_dir.o o_init.o fips_err.o $(CPUID_OBJ)
+
+ SRC= $(LIBSRC)
+
+ EXHEADER= crypto.h opensslv.h opensslconf.h ebcdic.h symhacks.h \
+ ossl_typ.h
+-HEADER= cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h $(EXHEADER)
++HEADER= cryptlib.h buildinf.h fips_locl.h md32_common.h o_time.h o_str.h o_dir.h $(EXHEADER)
+
+ ALL= $(GENERAL) $(SRC) $(HEADER)
+
+diff -up openssl-1.0.0f/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.0f/crypto/mdc2/mdc2dgst.c
+--- openssl-1.0.0f/crypto/mdc2/mdc2dgst.c.fips 2004-07-25 21:10:41.000000000 +0200
++++ openssl-1.0.0f/crypto/mdc2/mdc2dgst.c 2012-01-05 13:22:30.000000000 +0100
+@@ -61,6 +61,11 @@
+ #include <string.h>
+ #include <openssl/des.h>
+ #include <openssl/mdc2.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++
+
+ #undef c2l
+ #define c2l(c,l) (l =((DES_LONG)(*((c)++))) , \
+@@ -75,7 +80,7 @@
+ *((c)++)=(unsigned char)(((l)>>24L)&0xff))
+
+ static void mdc2_body(MDC2_CTX *c, const unsigned char *in, size_t len);
+-int MDC2_Init(MDC2_CTX *c)
++FIPS_NON_FIPS_MD_Init(MDC2)
+ {
+ c->num=0;
+ c->pad_type=1;
+diff -up openssl-1.0.0f/crypto/mdc2/mdc2.h.fips openssl-1.0.0f/crypto/mdc2/mdc2.h
+--- openssl-1.0.0f/crypto/mdc2/mdc2.h.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/crypto/mdc2/mdc2.h 2012-01-05 13:22:30.000000000 +0100
+@@ -80,7 +80,9 @@ typedef struct mdc2_ctx_st
+ int pad_type; /* either 1 or 2, default 1 */
+ } MDC2_CTX;
+
+-
++#ifdef OPENSSL_FIPS
++int private_MDC2_Init(MDC2_CTX *c);
++#endif
+ int MDC2_Init(MDC2_CTX *c);
+ int MDC2_Update(MDC2_CTX *c, const unsigned char *data, size_t len);
+ int MDC2_Final(unsigned char *md, MDC2_CTX *c);
+diff -up openssl-1.0.0f/crypto/md2/md2_dgst.c.fips openssl-1.0.0f/crypto/md2/md2_dgst.c
+--- openssl-1.0.0f/crypto/md2/md2_dgst.c.fips 2007-08-31 12:12:35.000000000 +0200
++++ openssl-1.0.0f/crypto/md2/md2_dgst.c 2012-01-05 13:22:30.000000000 +0100
+@@ -62,6 +62,11 @@
+ #include <openssl/md2.h>
+ #include <openssl/opensslv.h>
+ #include <openssl/crypto.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++
++#include <openssl/err.h>
+
+ const char MD2_version[]="MD2" OPENSSL_VERSION_PTEXT;
+
+@@ -116,7 +121,7 @@ const char *MD2_options(void)
+ return("md2(int)");
+ }
+
+-int MD2_Init(MD2_CTX *c)
++FIPS_NON_FIPS_MD_Init(MD2)
+ {
+ c->num=0;
+ memset(c->state,0,sizeof c->state);
+diff -up openssl-1.0.0f/crypto/md2/md2.h.fips openssl-1.0.0f/crypto/md2/md2.h
+--- openssl-1.0.0f/crypto/md2/md2.h.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/crypto/md2/md2.h 2012-01-05 13:22:30.000000000 +0100
+@@ -81,6 +81,9 @@ typedef struct MD2state_st
+ } MD2_CTX;
+
+ const char *MD2_options(void);
++#ifdef OPENSSL_FIPS
++int private_MD2_Init(MD2_CTX *c);
++#endif
+ int MD2_Init(MD2_CTX *c);
+ int MD2_Update(MD2_CTX *c, const unsigned char *data, size_t len);
+ int MD2_Final(unsigned char *md, MD2_CTX *c);
+diff -up openssl-1.0.0f/crypto/md4/md4_dgst.c.fips openssl-1.0.0f/crypto/md4/md4_dgst.c
+--- openssl-1.0.0f/crypto/md4/md4_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100
++++ openssl-1.0.0f/crypto/md4/md4_dgst.c 2012-01-05 13:22:30.000000000 +0100
+@@ -59,6 +59,11 @@
+ #include <stdio.h>
+ #include "md4_locl.h"
+ #include <openssl/opensslv.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++
+
+ const char MD4_version[]="MD4" OPENSSL_VERSION_PTEXT;
+
+@@ -70,7 +75,7 @@ const char MD4_version[]="MD4" OPENSSL_V
+ #define INIT_DATA_C (unsigned long)0x98badcfeL
+ #define INIT_DATA_D (unsigned long)0x10325476L
+
+-int MD4_Init(MD4_CTX *c)
++FIPS_NON_FIPS_MD_Init(MD4)
+ {
+ memset (c,0,sizeof(*c));
+ c->A=INIT_DATA_A;
+diff -up openssl-1.0.0f/crypto/md4/md4.h.fips openssl-1.0.0f/crypto/md4/md4.h
+--- openssl-1.0.0f/crypto/md4/md4.h.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/crypto/md4/md4.h 2012-01-05 13:22:30.000000000 +0100
+@@ -105,6 +105,9 @@ typedef struct MD4state_st
+ unsigned int num;
+ } MD4_CTX;
+
++#ifdef OPENSSL_FIPS
++int private_MD4_Init(MD4_CTX *c);
++#endif
+ int MD4_Init(MD4_CTX *c);
+ int MD4_Update(MD4_CTX *c, const void *data, size_t len);
+ int MD4_Final(unsigned char *md, MD4_CTX *c);
+diff -up openssl-1.0.0f/crypto/md5/md5_dgst.c.fips openssl-1.0.0f/crypto/md5/md5_dgst.c
+--- openssl-1.0.0f/crypto/md5/md5_dgst.c.fips 2007-01-21 14:07:11.000000000 +0100
++++ openssl-1.0.0f/crypto/md5/md5_dgst.c 2012-01-05 13:22:30.000000000 +0100
+@@ -59,6 +59,11 @@
+ #include <stdio.h>
+ #include "md5_locl.h"
+ #include <openssl/opensslv.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++
+
+ const char MD5_version[]="MD5" OPENSSL_VERSION_PTEXT;
+
+@@ -70,7 +75,7 @@ const char MD5_version[]="MD5" OPENSSL_V
+ #define INIT_DATA_C (unsigned long)0x98badcfeL
+ #define INIT_DATA_D (unsigned long)0x10325476L
+
+-int MD5_Init(MD5_CTX *c)
++FIPS_NON_FIPS_MD_Init(MD5)
+ {
+ memset (c,0,sizeof(*c));
+ c->A=INIT_DATA_A;
+diff -up openssl-1.0.0f/crypto/md5/md5.h.fips openssl-1.0.0f/crypto/md5/md5.h
+--- openssl-1.0.0f/crypto/md5/md5.h.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/crypto/md5/md5.h 2012-01-05 13:22:30.000000000 +0100
+@@ -105,6 +105,9 @@ typedef struct MD5state_st
+ unsigned int num;
+ } MD5_CTX;
+
++#ifdef OPENSSL_FIPS
++int private_MD5_Init(MD5_CTX *c);
++#endif
+ int MD5_Init(MD5_CTX *c);
+ int MD5_Update(MD5_CTX *c, const void *data, size_t len);
+ int MD5_Final(unsigned char *md, MD5_CTX *c);
+diff -up openssl-1.0.0f/crypto/mem.c.fips openssl-1.0.0f/crypto/mem.c
+--- openssl-1.0.0f/crypto/mem.c.fips 2008-11-12 04:57:47.000000000 +0100
++++ openssl-1.0.0f/crypto/mem.c 2012-01-05 13:22:30.000000000 +0100
+@@ -101,7 +101,7 @@ static void (*free_locked_func)(void *)
+
+ /* may be changed as long as 'allow_customize_debug' is set */
+ /* XXX use correct function pointer types */
+-#ifdef CRYPTO_MDEBUG
++#if defined(CRYPTO_MDEBUG) && !defined(OPENSSL_FIPS)
+ /* use default functions from mem_dbg.c */
+ static void (*malloc_debug_func)(void *,int,const char *,int,int)
+ = CRYPTO_dbg_malloc;
+diff -up openssl-1.0.0f/crypto/o_init.c.fips openssl-1.0.0f/crypto/o_init.c
+--- openssl-1.0.0f/crypto/o_init.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/o_init.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,80 @@
++/* o_init.c */
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay at cryptsoft.com). This product includes software written by Tim
++ * Hudson (tjh at cryptsoft.com).
++ *
++ */
++
++#include <e_os.h>
++#include <openssl/err.h>
++
++/* Perform any essential OpenSSL initialization operations.
++ * Currently only sets FIPS callbacks
++ */
++
++void OPENSSL_init_library(void)
++ {
++#ifdef OPENSSL_FIPS
++ static int done = 0;
++ if (!done)
++ {
++#ifdef CRYPTO_MDEBUG
++ CRYPTO_malloc_debug_init();
++#endif
++ done = 1;
++ }
++#endif
++ }
++
++
+diff -up openssl-1.0.0f/crypto/opensslconf.h.in.fips openssl-1.0.0f/crypto/opensslconf.h.in
+--- openssl-1.0.0f/crypto/opensslconf.h.in.fips 2005-12-16 11:37:23.000000000 +0100
++++ openssl-1.0.0f/crypto/opensslconf.h.in 2012-01-05 13:22:30.000000000 +0100
+@@ -1,5 +1,20 @@
+ /* crypto/opensslconf.h.in */
+
++#ifdef OPENSSL_DOING_MAKEDEPEND
++
++/* Include any symbols here that have to be explicitly set to enable a feature
++ * that should be visible to makedepend.
++ *
++ * [Our "make depend" doesn't actually look at this, we use actual build settings
++ * instead; we want to make it easy to remove subdirectories with disabled algorithms.]
++ */
++
++#ifndef OPENSSL_FIPS
++#define OPENSSL_FIPS
++#endif
++
++#endif
++
+ /* Generate 80386 code? */
+ #undef I386_ONLY
+
+diff -up openssl-1.0.0f/crypto/pkcs12/p12_crt.c.fips openssl-1.0.0f/crypto/pkcs12/p12_crt.c
+--- openssl-1.0.0f/crypto/pkcs12/p12_crt.c.fips 2009-03-09 14:08:04.000000000 +0100
++++ openssl-1.0.0f/crypto/pkcs12/p12_crt.c 2012-01-05 13:22:30.000000000 +0100
+@@ -59,6 +59,10 @@
+ #include <stdio.h>
+ #include "cryptlib.h"
+ #include <openssl/pkcs12.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++
+
+
+ static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag);
+@@ -90,7 +94,14 @@ PKCS12 *PKCS12_create(char *pass, char *
+
+ /* Set defaults */
+ if (!nid_cert)
++ {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode())
++ nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
++ else
++#endif
+ nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
++ }
+ if (!nid_key)
+ nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+ if (!iter)
+diff -up openssl-1.0.0f/crypto/rand/md_rand.c.fips openssl-1.0.0f/crypto/rand/md_rand.c
+--- openssl-1.0.0f/crypto/rand/md_rand.c.fips 2010-06-16 15:17:22.000000000 +0200
++++ openssl-1.0.0f/crypto/rand/md_rand.c 2012-01-05 13:22:30.000000000 +0100
+@@ -126,6 +126,10 @@
+
+ #include <openssl/crypto.h>
+ #include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++
+
+ #ifdef BN_DEBUG
+ # define PREDICT
+@@ -342,6 +346,14 @@ static int ssleay_rand_bytes(unsigned ch
+ #endif
+ int do_stir_pool = 0;
+
++#ifdef OPENSSL_FIPS
++ if(FIPS_mode())
++ {
++ FIPSerr(FIPS_F_SSLEAY_RAND_BYTES,FIPS_R_NON_FIPS_METHOD);
++ return 0;
++ }
++#endif
++
+ #ifdef PREDICT
+ if (rand_predictable)
+ {
+diff -up openssl-1.0.0f/crypto/rand/rand_err.c.fips openssl-1.0.0f/crypto/rand/rand_err.c
+--- openssl-1.0.0f/crypto/rand/rand_err.c.fips 2006-11-21 22:29:41.000000000 +0100
++++ openssl-1.0.0f/crypto/rand/rand_err.c 2012-01-05 13:22:30.000000000 +0100
+@@ -70,6 +70,13 @@
+
+ static ERR_STRING_DATA RAND_str_functs[]=
+ {
++{ERR_FUNC(RAND_F_ENG_RAND_GET_RAND_METHOD), "ENG_RAND_GET_RAND_METHOD"},
++{ERR_FUNC(RAND_F_FIPS_RAND), "FIPS_RAND"},
++{ERR_FUNC(RAND_F_FIPS_RAND_BYTES), "FIPS_RAND_BYTES"},
++{ERR_FUNC(RAND_F_FIPS_RAND_SET_DT), "FIPS_RAND_SET_DT"},
++{ERR_FUNC(RAND_F_FIPS_SET_DT), "FIPS_SET_DT"},
++{ERR_FUNC(RAND_F_FIPS_SET_PRNG_SEED), "FIPS_SET_PRNG_SEED"},
++{ERR_FUNC(RAND_F_FIPS_SET_TEST_MODE), "FIPS_SET_TEST_MODE"},
+ {ERR_FUNC(RAND_F_RAND_GET_RAND_METHOD), "RAND_get_rand_method"},
+ {ERR_FUNC(RAND_F_SSLEAY_RAND_BYTES), "SSLEAY_RAND_BYTES"},
+ {0,NULL}
+@@ -77,7 +84,17 @@ static ERR_STRING_DATA RAND_str_functs[]
+
+ static ERR_STRING_DATA RAND_str_reasons[]=
+ {
++{ERR_REASON(RAND_R_NON_FIPS_METHOD) ,"non fips method"},
++{ERR_REASON(RAND_R_NOT_IN_TEST_MODE) ,"not in test mode"},
++{ERR_REASON(RAND_R_NO_KEY_SET) ,"no key set"},
++{ERR_REASON(RAND_R_PRNG_ASKING_FOR_TOO_MUCH),"prng asking for too much"},
++{ERR_REASON(RAND_R_PRNG_ERROR) ,"prng error"},
++{ERR_REASON(RAND_R_PRNG_KEYED) ,"prng keyed"},
++{ERR_REASON(RAND_R_PRNG_NOT_REKEYED) ,"prng not rekeyed"},
++{ERR_REASON(RAND_R_PRNG_NOT_RESEEDED) ,"prng not reseeded"},
+ {ERR_REASON(RAND_R_PRNG_NOT_SEEDED) ,"PRNG not seeded"},
++{ERR_REASON(RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY),"prng seed must not match key"},
++{ERR_REASON(RAND_R_PRNG_STUCK) ,"prng stuck"},
+ {0,NULL}
+ };
+
+diff -up openssl-1.0.0f/crypto/rand/rand.h.fips openssl-1.0.0f/crypto/rand/rand.h
+--- openssl-1.0.0f/crypto/rand/rand.h.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/crypto/rand/rand.h 2012-01-05 13:22:30.000000000 +0100
+@@ -128,11 +128,28 @@ void ERR_load_RAND_strings(void);
+ /* Error codes for the RAND functions. */
+
+ /* Function codes. */
++#define RAND_F_ENG_RAND_GET_RAND_METHOD 108
++#define RAND_F_FIPS_RAND 103
++#define RAND_F_FIPS_RAND_BYTES 102
++#define RAND_F_FIPS_RAND_SET_DT 106
++#define RAND_F_FIPS_SET_DT 104
++#define RAND_F_FIPS_SET_PRNG_SEED 107
++#define RAND_F_FIPS_SET_TEST_MODE 105
+ #define RAND_F_RAND_GET_RAND_METHOD 101
+ #define RAND_F_SSLEAY_RAND_BYTES 100
+
+ /* Reason codes. */
++#define RAND_R_NON_FIPS_METHOD 105
++#define RAND_R_NOT_IN_TEST_MODE 106
++#define RAND_R_NO_KEY_SET 107
++#define RAND_R_PRNG_ASKING_FOR_TOO_MUCH 101
++#define RAND_R_PRNG_ERROR 108
++#define RAND_R_PRNG_KEYED 109
++#define RAND_R_PRNG_NOT_REKEYED 102
++#define RAND_R_PRNG_NOT_RESEEDED 103
+ #define RAND_R_PRNG_NOT_SEEDED 100
++#define RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY 110
++#define RAND_R_PRNG_STUCK 104
+
+ #ifdef __cplusplus
+ }
+diff -up openssl-1.0.0f/crypto/rand/rand_lib.c.fips openssl-1.0.0f/crypto/rand/rand_lib.c
+--- openssl-1.0.0f/crypto/rand/rand_lib.c.fips 2008-11-12 04:58:04.000000000 +0100
++++ openssl-1.0.0f/crypto/rand/rand_lib.c 2012-01-05 13:22:30.000000000 +0100
+@@ -60,6 +60,12 @@
+ #include <time.h>
+ #include "cryptlib.h"
+ #include <openssl/rand.h>
++#include "rand_lcl.h"
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#include <openssl/fips_rand.h>
++#endif
++
+ #ifndef OPENSSL_NO_ENGINE
+ #include <openssl/engine.h>
+ #endif
+@@ -102,8 +108,19 @@ const RAND_METHOD *RAND_get_rand_method(
+ funct_ref = e;
+ else
+ #endif
++#ifdef OPENSSL_FIPS
++ default_RAND_meth = FIPS_mode() ? FIPS_rand_method() : RAND_SSLeay();
++ }
++ if (FIPS_mode()
++ && default_RAND_meth != FIPS_rand_check())
++ {
++ RANDerr(RAND_F_RAND_GET_RAND_METHOD,RAND_R_NON_FIPS_METHOD);
++ return 0;
++ }
++#else
+ default_RAND_meth = RAND_SSLeay();
+ }
++#endif
+ return default_RAND_meth;
+ }
+
+diff -up openssl-1.0.0f/crypto/rc2/rc2.h.fips openssl-1.0.0f/crypto/rc2/rc2.h
+--- openssl-1.0.0f/crypto/rc2/rc2.h.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/crypto/rc2/rc2.h 2012-01-05 13:22:30.000000000 +0100
+@@ -79,7 +79,9 @@ typedef struct rc2_key_st
+ RC2_INT data[64];
+ } RC2_KEY;
+
+-
++#ifdef OPENSSL_FIPS
++void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits);
++#endif
+ void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits);
+ void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key,
+ int enc);
+diff -up openssl-1.0.0f/crypto/rc2/rc2_skey.c.fips openssl-1.0.0f/crypto/rc2/rc2_skey.c
+--- openssl-1.0.0f/crypto/rc2/rc2_skey.c.fips 2007-09-18 23:10:32.000000000 +0200
++++ openssl-1.0.0f/crypto/rc2/rc2_skey.c 2012-01-05 13:22:30.000000000 +0100
+@@ -57,6 +57,11 @@
+ */
+
+ #include <openssl/rc2.h>
++#include <openssl/crypto.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++
+ #include "rc2_locl.h"
+
+ static const unsigned char key_table[256]={
+@@ -94,8 +99,20 @@ static const unsigned char key_table[256
+ * BSAFE uses the 'retarded' version. What I previously shipped is
+ * the same as specifying 1024 for the 'bits' parameter. Bsafe uses
+ * a version where the bits parameter is the same as len*8 */
++
++#ifdef OPENSSL_FIPS
+ void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
+ {
++ if (FIPS_mode())
++ FIPS_BAD_ABORT(RC2)
++ private_RC2_set_key(key, len, data, bits);
++ }
++void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,
++ int bits)
++#else
++void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
++#endif
++ {
+ int i,j;
+ unsigned char *k;
+ RC2_INT *ki;
+diff -up openssl-1.0.0f/crypto/rc4/asm/rc4-s390x.pl.fips openssl-1.0.0f/crypto/rc4/asm/rc4-s390x.pl
+--- openssl-1.0.0f/crypto/rc4/asm/rc4-s390x.pl.fips 2009-02-12 15:48:49.000000000 +0100
++++ openssl-1.0.0f/crypto/rc4/asm/rc4-s390x.pl 2012-01-05 13:22:30.000000000 +0100
+@@ -202,4 +202,6 @@ RC4_options:
+ .string "rc4(8x,char)"
+ ___
+
++$code =~ s/RC4_set_key/private_RC4_set_key/g if ($ENV{FIPS} ne "");
++
+ print $code;
+diff -up openssl-1.0.0f/crypto/rc4/asm/rc4-x86_64.pl.fips openssl-1.0.0f/crypto/rc4/asm/rc4-x86_64.pl
+--- openssl-1.0.0f/crypto/rc4/asm/rc4-x86_64.pl.fips 2009-04-27 21:31:04.000000000 +0200
++++ openssl-1.0.0f/crypto/rc4/asm/rc4-x86_64.pl 2012-01-05 13:22:30.000000000 +0100
+@@ -499,6 +499,8 @@ ___
+
+ $code =~ s/#([bwd])/$1/gm;
+
++$code =~ s/RC4_set_key/private_RC4_set_key/g if ($ENV{FIPS} ne "");
++
+ print $code;
+
+ close STDOUT;
+diff -up openssl-1.0.0f/crypto/rc4/asm/rc4-586.pl.fips openssl-1.0.0f/crypto/rc4/asm/rc4-586.pl
+--- openssl-1.0.0f/crypto/rc4/asm/rc4-586.pl.fips 2007-12-02 22:32:03.000000000 +0100
++++ openssl-1.0.0f/crypto/rc4/asm/rc4-586.pl 2012-01-05 13:22:30.000000000 +0100
+@@ -166,8 +166,12 @@ $idx="edx";
+
+ &external_label("OPENSSL_ia32cap_P");
+
++$setkeyfunc = "RC4_set_key";
++$setkeyfunc = "private_RC4_set_key" if ($ENV{FIPS} ne "");
++
++
+ # void RC4_set_key(RC4_KEY *key,int len,const unsigned char *data);
+-&function_begin("RC4_set_key");
++&function_begin($setkeyfunc);
+ &mov ($out,&wparam(0)); # load key
+ &mov ($idi,&wparam(1)); # load len
+ &mov ($inp,&wparam(2)); # load data
+@@ -245,7 +249,7 @@ $idx="edx";
+ &xor ("eax","eax");
+ &mov (&DWP(-8,$out),"eax"); # key->x=0;
+ &mov (&DWP(-4,$out),"eax"); # key->y=0;
+-&function_end("RC4_set_key");
++&function_end($setkeyfunc);
+
+ # const char *RC4_options(void);
+ &function_begin_B("RC4_options");
+diff -up openssl-1.0.0f/crypto/rc4/Makefile.fips openssl-1.0.0f/crypto/rc4/Makefile
+--- openssl-1.0.0f/crypto/rc4/Makefile.fips 2009-02-11 11:01:36.000000000 +0100
++++ openssl-1.0.0f/crypto/rc4/Makefile 2012-01-05 13:22:30.000000000 +0100
+@@ -21,8 +21,8 @@ TEST=rc4test.c
+ APPS=
+
+ LIB=$(TOP)/libcrypto.a
+-LIBSRC=rc4_skey.c rc4_enc.c
+-LIBOBJ=$(RC4_ENC)
++LIBSRC=rc4_skey.c rc4_enc.c rc4_fblk.c
++LIBOBJ=$(RC4_ENC) rc4_fblk.o
+
+ SRC= $(LIBSRC)
+
+diff -up openssl-1.0.0f/crypto/rc4/rc4_fblk.c.fips openssl-1.0.0f/crypto/rc4/rc4_fblk.c
+--- openssl-1.0.0f/crypto/rc4/rc4_fblk.c.fips 2012-01-05 13:22:30.000000000 +0100
++++ openssl-1.0.0f/crypto/rc4/rc4_fblk.c 2012-01-05 13:22:30.000000000 +0100
+@@ -0,0 +1,75 @@
++/* crypto/rc4/rc4_fblk.c */
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++
++#include <openssl/rc4.h>
++#include "rc4_locl.h"
++#include <openssl/opensslv.h>
++#include <openssl/crypto.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++
++/* FIPS mode blocking for RC4 has to be done separately since RC4_set_key
++ * may be implemented in an assembly language file.
++ */
++
++#ifdef OPENSSL_FIPS
++void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
++ {
++ if (FIPS_mode())
++ FIPS_BAD_ABORT(RC4)
++ private_RC4_set_key(key, len, data);
++ }
++#endif
++
+diff -up openssl-1.0.0f/crypto/rc4/rc4.h.fips openssl-1.0.0f/crypto/rc4/rc4.h
+--- openssl-1.0.0f/crypto/rc4/rc4.h.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/crypto/rc4/rc4.h 2012-01-05 13:22:30.000000000 +0100
+@@ -78,6 +78,9 @@ typedef struct rc4_key_st
+
+
+ const char *RC4_options(void);
++#ifdef OPENSSL_FIPS
++void private_RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
++#endif
+ void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
+ void RC4(RC4_KEY *key, size_t len, const unsigned char *indata,
+ unsigned char *outdata);
+diff -up openssl-1.0.0f/crypto/rc4/rc4_skey.c.fips openssl-1.0.0f/crypto/rc4/rc4_skey.c
+--- openssl-1.0.0f/crypto/rc4/rc4_skey.c.fips 2007-01-21 14:07:13.000000000 +0100
++++ openssl-1.0.0f/crypto/rc4/rc4_skey.c 2012-01-05 13:22:30.000000000 +0100
+@@ -59,6 +59,11 @@
+ #include <openssl/rc4.h>
+ #include "rc4_locl.h"
+ #include <openssl/opensslv.h>
++#include <openssl/crypto.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++
+
+ const char RC4_version[]="RC4" OPENSSL_VERSION_PTEXT;
+
+@@ -85,7 +90,11 @@ const char *RC4_options(void)
+ * Date: Wed, 14 Sep 1994 06:35:31 GMT
+ */
+
++#ifdef OPENSSL_FIPS
++void private_RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
++#else
+ void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
++#endif
+ {
+ register RC4_INT tmp;
+ register int id1,id2;
+@@ -126,7 +135,12 @@ void RC4_set_key(RC4_KEY *key, int len,
+ * module...
+ * <appro at fy.chalmers.se>
+ */
++#ifdef OPENSSL_FIPS
++ unsigned long *ia32cap_ptr = OPENSSL_ia32cap_loc();
++ if (ia32cap_ptr && (*ia32cap_ptr & (1<<28))) {
++#else
+ if (OPENSSL_ia32cap_P & (1<<28)) {
++#endif
+ unsigned char *cp=(unsigned char *)d;
+
+ for (i=0;i<256;i++) cp[i]=i;
+diff -up openssl-1.0.0f/crypto/ripemd/ripemd.h.fips openssl-1.0.0f/crypto/ripemd/ripemd.h
+--- openssl-1.0.0f/crypto/ripemd/ripemd.h.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/crypto/ripemd/ripemd.h 2012-01-05 13:22:30.000000000 +0100
+@@ -91,6 +91,9 @@ typedef struct RIPEMD160state_st
+ unsigned int num;
+ } RIPEMD160_CTX;
+
++#ifdef OPENSSL_FIPS
++int private_RIPEMD160_Init(RIPEMD160_CTX *c);
++#endif
+ int RIPEMD160_Init(RIPEMD160_CTX *c);
+ int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, size_t len);
+ int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
+diff -up openssl-1.0.0f/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.0f/crypto/ripemd/rmd_dgst.c
+--- openssl-1.0.0f/crypto/ripemd/rmd_dgst.c.fips 2007-01-21 14:07:13.000000000 +0100
++++ openssl-1.0.0f/crypto/ripemd/rmd_dgst.c 2012-01-05 13:22:30.000000000 +0100
+@@ -59,6 +59,11 @@
+ #include <stdio.h>
+ #include "rmd_locl.h"
+ #include <openssl/opensslv.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++
+
+ const char RMD160_version[]="RIPE-MD160" OPENSSL_VERSION_PTEXT;
+
+@@ -69,7 +74,7 @@ const char RMD160_version[]="RIPE-MD160"
+ void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,size_t num);
+ # endif
+
+-int RIPEMD160_Init(RIPEMD160_CTX *c)
++FIPS_NON_FIPS_MD_Init(RIPEMD160)
+ {
+ memset (c,0,sizeof(*c));
+ c->A=RIPEMD160_A;
+diff -up openssl-1.0.0f/crypto/rsa/rsa_eay.c.fips openssl-1.0.0f/crypto/rsa/rsa_eay.c
+--- openssl-1.0.0f/crypto/rsa/rsa_eay.c.fips 2011-10-19 16:58:34.000000000 +0200
++++ openssl-1.0.0f/crypto/rsa/rsa_eay.c 2012-01-05 13:27:00.000000000 +0100
+@@ -114,6 +114,10 @@
+ #include <openssl/bn.h>
+ #include <openssl/rsa.h>
+ #include <openssl/rand.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
+
+ #ifndef RSA_NULL
+
+@@ -138,7 +142,7 @@ static RSA_METHOD rsa_pkcs1_eay_meth={
+ BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */
+ RSA_eay_init,
+ RSA_eay_finish,
+- 0, /* flags */
++ RSA_FLAG_FIPS_METHOD, /* flags */
+ NULL,
+ 0, /* rsa_sign */
+ 0, /* rsa_verify */
+@@ -150,6 +154,16 @@ const RSA_METHOD *RSA_PKCS1_SSLeay(void)
+ return(&rsa_pkcs1_eay_meth);
+ }
+
++/* Usage example;
++ * MONT_HELPER(rsa, bn_ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
++ */
++#define MONT_HELPER(rsa, ctx, m, pre_cond, err_instr) \
++ if((pre_cond) && ((rsa)->_method_mod_##m == NULL) && \
++ !BN_MONT_CTX_set_locked(&((rsa)->_method_mod_##m), \
++ CRYPTO_LOCK_RSA, \
++ (rsa)->m, (ctx))) \
++ err_instr
++
+ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa, int padding)
+ {
+@@ -158,6 +172,23 @@ static int RSA_eay_public_encrypt(int fl
+ unsigned char *buf=NULL;
+ BN_CTX *ctx=NULL;
+
++#ifdef OPENSSL_FIPS
++ if(FIPS_mode())
++ {
++ if (FIPS_selftest_failed())
++ {
++ FIPSerr(FIPS_F_RSA_EAY_PUBLIC_ENCRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
++ goto err;
++ }
++
++ if (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)
++ {
++ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++ }
++#endif
++
+ if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
+ {
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
+@@ -223,9 +254,7 @@ static int RSA_eay_public_encrypt(int fl
+ goto err;
+ }
+
+- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+- goto err;
++ MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+
+ if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
+ rsa->_method_mod_n)) goto err;
+@@ -361,6 +390,23 @@ static int RSA_eay_private_encrypt(int f
+ BIGNUM *unblind = NULL;
+ BN_BLINDING *blinding = NULL;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode())
++ {
++ if(FIPS_selftest_failed())
++ {
++ FIPSerr(FIPS_F_RSA_EAY_PRIVATE_ENCRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
++ return -1;
++ }
++
++ if (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)
++ {
++ RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++ }
++#endif
++
+ if ((ctx=BN_CTX_new()) == NULL) goto err;
+ BN_CTX_start(ctx);
+ f = BN_CTX_get(ctx);
+@@ -444,9 +490,7 @@ static int RSA_eay_private_encrypt(int f
+ else
+ d= rsa->d;
+
+- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+- if(!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+- goto err;
++ MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+
+ if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
+ rsa->_method_mod_n)) goto err;
+@@ -504,6 +548,23 @@ static int RSA_eay_private_decrypt(int f
+ BIGNUM *unblind = NULL;
+ BN_BLINDING *blinding = NULL;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode())
++ {
++ if(FIPS_selftest_failed())
++ {
++ FIPSerr(FIPS_F_RSA_EAY_PRIVATE_DECRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
++ return -1;
++ }
++
++ if (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)
++ {
++ RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++ }
++#endif
++
+ if((ctx = BN_CTX_new()) == NULL) goto err;
+ BN_CTX_start(ctx);
+ f = BN_CTX_get(ctx);
+@@ -577,9 +638,7 @@ static int RSA_eay_private_decrypt(int f
+ else
+ d = rsa->d;
+
+- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+- goto err;
++ MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+ if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
+ rsa->_method_mod_n))
+ goto err;
+@@ -639,6 +698,23 @@ static int RSA_eay_public_decrypt(int fl
+ unsigned char *buf=NULL;
+ BN_CTX *ctx=NULL;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode())
++ {
++ if(FIPS_selftest_failed())
++ {
++ FIPSerr(FIPS_F_RSA_EAY_PUBLIC_DECRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
++ goto err;
++ }
++
++ if (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)
++ {
++ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++ }
++#endif
++
+ if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
+ {
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
+@@ -689,9 +765,7 @@ static int RSA_eay_public_decrypt(int fl
+ goto err;
+ }
+
+- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+- goto err;
++ MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+
+ if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
+ rsa->_method_mod_n)) goto err;
+@@ -739,6 +813,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, c
+ BIGNUM *r1,*m1,*vrfy;
+ BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
+ BIGNUM *dmp1,*dmq1,*c,*pr1;
++ int bn_flags;
+ int ret=0;
+
+ BN_CTX_start(ctx);
+@@ -746,41 +821,31 @@ static int RSA_eay_mod_exp(BIGNUM *r0, c
+ m1 = BN_CTX_get(ctx);
+ vrfy = BN_CTX_get(ctx);
+
+- {
+- BIGNUM local_p, local_q;
+- BIGNUM *p = NULL, *q = NULL;
+-
+- /* Make sure BN_mod_inverse in Montgomery intialization uses the
+- * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
+- */
+- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
+- {
+- BN_init(&local_p);
+- p = &local_p;
+- BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
+-
+- BN_init(&local_q);
+- q = &local_q;
+- BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
+- }
+- else
+- {
+- p = rsa->p;
+- q = rsa->q;
+- }
++ /* Make sure mod_inverse in montgomerey intialization use correct
++ * BN_FLG_CONSTTIME flag.
++ */
++ bn_flags = rsa->p->flags;
++ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
++ {
++ rsa->p->flags |= BN_FLG_CONSTTIME;
++ }
++ MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
++ /* We restore bn_flags back */
++ rsa->p->flags = bn_flags;
+
+- if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
+- {
+- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
+- goto err;
+- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
+- goto err;
+- }
+- }
++ /* Make sure mod_inverse in montgomerey intialization use correct
++ * BN_FLG_CONSTTIME flag.
++ */
++ bn_flags = rsa->q->flags;
++ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
++ {
++ rsa->q->flags |= BN_FLG_CONSTTIME;
++ }
++ MONT_HELPER(rsa, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
++ /* We restore bn_flags back */
++ rsa->q->flags = bn_flags;
+
+- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+- goto err;
++ MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+
+ /* compute I mod q */
+ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
+@@ -897,6 +962,9 @@ err:
+
+ static int RSA_eay_init(RSA *rsa)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
+ return(1);
+ }
+diff -up openssl-1.0.0f/crypto/rsa/rsa_err.c.fips openssl-1.0.0f/crypto/rsa/rsa_err.c
+--- openssl-1.0.0f/crypto/rsa/rsa_err.c.fips 2008-12-29 17:11:56.000000000 +0100
++++ openssl-1.0.0f/crypto/rsa/rsa_err.c 2012-01-05 13:22:30.000000000 +0100
+@@ -111,8 +111,12 @@ static ERR_STRING_DATA RSA_str_functs[]=
+ {ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"},
+ {ERR_FUNC(RSA_F_RSA_PRIV_DECODE), "RSA_PRIV_DECODE"},
+ {ERR_FUNC(RSA_F_RSA_PRIV_ENCODE), "RSA_PRIV_ENCODE"},
++{ERR_FUNC(RSA_F_RSA_PRIVATE_ENCRYPT), "RSA_private_encrypt"},
+ {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"},
++{ERR_FUNC(RSA_F_RSA_PUBLIC_DECRYPT), "RSA_public_decrypt"},
+ {ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"},
++{ERR_FUNC(RSA_F_RSA_SET_DEFAULT_METHOD), "RSA_set_default_method"},
++{ERR_FUNC(RSA_F_RSA_SET_METHOD), "RSA_set_method"},
+ {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"},
+ {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"},
+ {ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"},
+@@ -155,10 +159,12 @@ static ERR_STRING_DATA RSA_str_reasons[]
+ {ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"},
+ {ERR_REASON(RSA_R_LAST_OCTET_INVALID) ,"last octet invalid"},
+ {ERR_REASON(RSA_R_MODULUS_TOO_LARGE) ,"modulus too large"},
++{ERR_REASON(RSA_R_NON_FIPS_METHOD) ,"non fips method"},
+ {ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT) ,"no public exponent"},
+ {ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"},
+ {ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"},
+ {ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"},
++{ERR_REASON(RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE),"operation not allowed in fips mode"},
+ {ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),"operation not supported for this keytype"},
+ {ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"},
+ {ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"},
+diff -up openssl-1.0.0f/crypto/rsa/rsa_gen.c.fips openssl-1.0.0f/crypto/rsa/rsa_gen.c
+--- openssl-1.0.0f/crypto/rsa/rsa_gen.c.fips 2007-03-28 02:15:27.000000000 +0200
++++ openssl-1.0.0f/crypto/rsa/rsa_gen.c 2012-01-05 13:22:30.000000000 +0100
+@@ -67,6 +67,82 @@
+ #include "cryptlib.h"
+ #include <openssl/bn.h>
+ #include <openssl/rsa.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/err.h>
++#include <openssl/evp.h>
++#include <openssl/fips.h>
++#include "fips_locl.h"
++
++static int fips_rsa_pairwise_fail = 0;
++
++void FIPS_corrupt_rsa_keygen(void)
++ {
++ fips_rsa_pairwise_fail = 1;
++ }
++
++int fips_check_rsa(RSA *rsa)
++ {
++ const unsigned char tbs[] = "RSA Pairwise Check Data";
++ unsigned char *ctbuf = NULL, *ptbuf = NULL;
++ int len, ret = 0;
++ EVP_PKEY *pk;
++
++ if ((pk=EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_set1_RSA(pk, rsa);
++
++ /* Perform pairwise consistency signature test */
++ if (!fips_pkey_signature_test(pk, tbs, -1,
++ NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1, NULL)
++ || !fips_pkey_signature_test(pk, tbs, -1,
++ NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931, NULL)
++ || !fips_pkey_signature_test(pk, tbs, -1,
++ NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS, NULL))
++ goto err;
++ /* Now perform pairwise consistency encrypt/decrypt test */
++ ctbuf = OPENSSL_malloc(RSA_size(rsa));
++ if (!ctbuf)
++ goto err;
++
++ len = RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa, RSA_PKCS1_PADDING);
++ if (len <= 0)
++ goto err;
++ /* Check ciphertext doesn't match plaintext */
++ if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len))
++ goto err;
++ ptbuf = OPENSSL_malloc(RSA_size(rsa));
++
++ if (!ptbuf)
++ goto err;
++ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
++ if (len != (sizeof(tbs) - 1))
++ goto err;
++ if (memcmp(ptbuf, tbs, len))
++ goto err;
++
++ ret = 1;
++
++ if (!ptbuf)
++ goto err;
++
++ err:
++ if (ret == 0)
++ {
++ fips_set_selftest_fail();
++ FIPSerr(FIPS_F_FIPS_CHECK_RSA,FIPS_R_PAIRWISE_TEST_FAILED);
++ }
++
++ if (ctbuf)
++ OPENSSL_free(ctbuf);
++ if (ptbuf)
++ OPENSSL_free(ptbuf);
++ if (pk)
++ EVP_PKEY_free(pk);
++
++ return ret;
++ }
++#endif
+
+ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
+
+@@ -90,6 +166,23 @@ static int rsa_builtin_keygen(RSA *rsa,
+ int bitsp,bitsq,ok= -1,n=0;
+ BN_CTX *ctx=NULL;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode())
++ {
++ if(FIPS_selftest_failed())
++ {
++ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_FIPS_SELFTEST_FAILED);
++ return 0;
++ }
++
++ if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)
++ {
++ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_KEY_TOO_SHORT);
++ return 0;
++ }
++ }
++#endif
++
+ ctx=BN_CTX_new();
+ if (ctx == NULL) goto err;
+ BN_CTX_start(ctx);
+@@ -201,6 +294,17 @@ static int rsa_builtin_keygen(RSA *rsa,
+ p = rsa->p;
+ if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode())
++ {
++ if (fips_rsa_pairwise_fail)
++ BN_add_word(rsa->n, 1);
++
++ if(!fips_check_rsa(rsa))
++ goto err;
++ }
++#endif
++
+ ok=1;
+ err:
+ if (ok == -1)
+diff -up openssl-1.0.0f/crypto/rsa/rsa.h.fips openssl-1.0.0f/crypto/rsa/rsa.h
+--- openssl-1.0.0f/crypto/rsa/rsa.h.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/crypto/rsa/rsa.h 2012-01-05 13:22:30.000000000 +0100
+@@ -74,6 +74,21 @@
+ #error RSA is disabled.
+ #endif
+
++/* If this flag is set the RSA method is FIPS compliant and can be used
++ * in FIPS mode. This is set in the validated module method. If an
++ * application sets this flag in its own methods it is its reposibility
++ * to ensure the result is compliant.
++ */
++
++#define RSA_FLAG_FIPS_METHOD 0x0400
++
++/* If this flag is set the operations normally disabled in FIPS mode are
++ * permitted it is then the applications responsibility to ensure that the
++ * usage is compliant.
++ */
++
++#define RSA_FLAG_NON_FIPS_ALLOW 0x0400
++
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
+@@ -164,6 +179,8 @@ struct rsa_st
+ # define OPENSSL_RSA_MAX_MODULUS_BITS 16384
+ #endif
+
++#define OPENSSL_RSA_FIPS_MIN_MODULUS_BITS 1024
++
+ #ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
+ # define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
+ #endif
+@@ -267,6 +284,11 @@ RSA * RSA_generate_key(int bits, unsigne
+
+ /* New version */
+ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
++int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
++ const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp,
++ const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq,
++ const BIGNUM *e, BN_GENCB *cb);
++int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, BN_GENCB *cb);
+
+ int RSA_check_key(const RSA *);
+ /* next 4 return -1 on error */
+@@ -438,8 +460,12 @@ void ERR_load_RSA_strings(void);
+ #define RSA_F_RSA_PRINT_FP 116
+ #define RSA_F_RSA_PRIV_DECODE 137
+ #define RSA_F_RSA_PRIV_ENCODE 138
++#define RSA_F_RSA_PRIVATE_ENCRYPT 148
+ #define RSA_F_RSA_PUB_DECODE 139
++#define RSA_F_RSA_PUBLIC_DECRYPT 149
+ #define RSA_F_RSA_SETUP_BLINDING 136
++#define RSA_F_RSA_SET_DEFAULT_METHOD 150
++#define RSA_F_RSA_SET_METHOD 151
+ #define RSA_F_RSA_SIGN 117
+ #define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
+ #define RSA_F_RSA_VERIFY 119
+@@ -479,10 +505,12 @@ void ERR_load_RSA_strings(void);
+ #define RSA_R_KEY_SIZE_TOO_SMALL 120
+ #define RSA_R_LAST_OCTET_INVALID 134
+ #define RSA_R_MODULUS_TOO_LARGE 105
++#define RSA_R_NON_FIPS_METHOD 149
+ #define RSA_R_NO_PUBLIC_EXPONENT 140
+ #define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
+ #define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
+ #define RSA_R_OAEP_DECODING_ERROR 121
++#define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 150
+ #define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
+ #define RSA_R_PADDING_CHECK_FAILED 114
+ #define RSA_R_P_NOT_PRIME 128
+diff -up openssl-1.0.0f/crypto/rsa/rsa_lib.c.fips openssl-1.0.0f/crypto/rsa/rsa_lib.c
+--- openssl-1.0.0f/crypto/rsa/rsa_lib.c.fips 2009-12-09 14:38:20.000000000 +0100
++++ openssl-1.0.0f/crypto/rsa/rsa_lib.c 2012-01-05 13:22:30.000000000 +0100
+@@ -80,6 +80,13 @@ RSA *RSA_new(void)
+
+ void RSA_set_default_method(const RSA_METHOD *meth)
+ {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD))
++ {
++ RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_METHOD);
++ return;
++ }
++#endif
+ default_RSA_meth = meth;
+ }
+
+@@ -111,6 +118,13 @@ int RSA_set_method(RSA *rsa, const RSA_M
+ /* NB: The caller is specifically setting a method, so it's not up to us
+ * to deal with which ENGINE it comes from. */
+ const RSA_METHOD *mtmp;
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD))
++ {
++ RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_METHOD);
++ return 0;
++ }
++#endif
+ mtmp = rsa->meth;
+ if (mtmp->finish) mtmp->finish(rsa);
+ #ifndef OPENSSL_NO_ENGINE
+@@ -163,6 +177,18 @@ RSA *RSA_new_method(ENGINE *engine)
+ }
+ }
+ #endif
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD))
++ {
++ RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_METHOD);
++#ifndef OPENSSL_NO_ENGINE
++ if (ret->engine)
++ ENGINE_finish(ret->engine);
++#endif
++ OPENSSL_free(ret);
++ return NULL;
++ }
++#endif
+
+ ret->pad=0;
+ ret->version=0;
+@@ -294,6 +320,13 @@ int RSA_public_encrypt(int flen, const u
+ int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
+ RSA *rsa, int padding)
+ {
++#ifdef OPENSSL_FIPS
++ if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
++ {
++ RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
++ return 0;
++ }
++#endif
+ return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding));
+ }
+
+@@ -306,6 +339,13 @@ int RSA_private_decrypt(int flen, const
+ int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
+ RSA *rsa, int padding)
+ {
++#ifdef OPENSSL_FIPS
++ if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
++ {
++ RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
++ return 0;
++ }
++#endif
+ return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
+ }
+
+diff -up openssl-1.0.0f/crypto/rsa/rsa_sign.c.fips openssl-1.0.0f/crypto/rsa/rsa_sign.c
+--- openssl-1.0.0f/crypto/rsa/rsa_sign.c.fips 2007-04-24 03:05:42.000000000 +0200
++++ openssl-1.0.0f/crypto/rsa/rsa_sign.c 2012-01-05 13:22:30.000000000 +0100
+@@ -130,7 +130,8 @@ int RSA_sign(int type, const unsigned ch
+ i2d_X509_SIG(&sig,&p);
+ s=tmps;
+ }
+- i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING);
++ /* NB: call underlying method directly to avoid FIPS blocking */
++ i = rsa->meth->rsa_priv_enc ? rsa->meth->rsa_priv_enc(i,s,sigret,rsa,RSA_PKCS1_PADDING) : 0;
+ if (i <= 0)
+ ret=0;
+ else
+@@ -161,8 +162,8 @@ int int_rsa_verify(int dtype, const unsi
+
+ if((dtype == NID_md5_sha1) && rm)
+ {
+- i = RSA_public_decrypt((int)siglen,
+- sigbuf,rm,rsa,RSA_PKCS1_PADDING);
++ i = rsa->meth->rsa_pub_dec ? rsa->meth->rsa_pub_dec((int)siglen,
++ sigbuf,rm,rsa,RSA_PKCS1_PADDING) : 0;
+ if (i <= 0)
+ return 0;
+ *prm_len = i;
+@@ -179,7 +180,8 @@ int int_rsa_verify(int dtype, const unsi
+ RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH);
+ goto err;
+ }
+- i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
++ /* NB: call underlying method directly to avoid FIPS blocking */
++ i = rsa->meth->rsa_pub_dec ? rsa->meth->rsa_pub_dec((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING) : 0;
+
+ if (i <= 0) goto err;
+
+diff -up openssl-1.0.0f/crypto/seed/seed.c.fips openssl-1.0.0f/crypto/seed/seed.c
+--- openssl-1.0.0f/crypto/seed/seed.c.fips 2008-12-16 08:41:21.000000000 +0100
++++ openssl-1.0.0f/crypto/seed/seed.c 2012-01-05 13:22:30.000000000 +0100
+@@ -34,6 +34,9 @@
+
+ #include <openssl/seed.h>
+ #include "seed_locl.h"
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
+
+ static const seed_word SS[4][256] = { {
+ 0x2989a1a8, 0x05858184, 0x16c6d2d4, 0x13c3d3d0, 0x14445054, 0x1d0d111c, 0x2c8ca0ac, 0x25052124,
+@@ -193,7 +196,18 @@ static const seed_word KC[] = {
+ KC8, KC9, KC10, KC11, KC12, KC13, KC14, KC15 };
+ #endif
+
++#ifdef OPENSSL_FIPS
+ void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks)
++ {
++ if (FIPS_mode())
++ FIPS_BAD_ABORT(SEED)
++ private_SEED_set_key(rawkey, ks);
++ }
++
++void private_SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks)
++#else
++void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks)
++#endif
+ {
+ seed_word x1, x2, x3, x4;
+ seed_word t0, t1;
+diff -up openssl-1.0.0f/crypto/seed/seed.h.fips openssl-1.0.0f/crypto/seed/seed.h
+--- openssl-1.0.0f/crypto/seed/seed.h.fips 2012-01-05 13:22:28.000000000 +0100
++++ openssl-1.0.0f/crypto/seed/seed.h 2012-01-05 13:22:30.000000000 +0100
+@@ -117,6 +117,9 @@ typedef struct seed_key_st {
+ } SEED_KEY_SCHEDULE;
+
+
++#ifdef OPENSSL_FIPS
++void private_SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks);
++#endif
+ void SEED_set_key(const unsigned char rawkey[SEED_KEY_LENGTH], SEED_KEY_SCHEDULE *ks);
+
+ void SEED_encrypt(const unsigned char s[SEED_BLOCK_SIZE], unsigned char d[SEED_BLOCK_SIZE], const SEED_KEY_SCHEDULE *ks);
+diff -up openssl-1.0.0f/crypto/sha/sha_dgst.c.fips openssl-1.0.0f/crypto/sha/sha_dgst.c
+--- openssl-1.0.0f/crypto/sha/sha_dgst.c.fips 2007-01-21 14:07:14.000000000 +0100
++++ openssl-1.0.0f/crypto/sha/sha_dgst.c 2012-01-05 13:22:30.000000000 +0100
+@@ -57,6 +57,12 @@
+ */
+
+ #include <openssl/opensslconf.h>
++#include <openssl/crypto.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++
++#include <openssl/err.h>
+ #if !defined(OPENSSL_NO_SHA0) && !defined(OPENSSL_NO_SHA)
+
+ #undef SHA_1
+diff -up openssl-1.0.0f/crypto/sha/sha.h.fips openssl-1.0.0f/crypto/sha/sha.h
+--- openssl-1.0.0f/crypto/sha/sha.h.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/crypto/sha/sha.h 2012-01-05 13:22:30.000000000 +0100
+@@ -106,6 +106,9 @@ typedef struct SHAstate_st
+ } SHA_CTX;
+
+ #ifndef OPENSSL_NO_SHA0
++#ifdef OPENSSL_FIPS
++int private_SHA_Init(SHA_CTX *c);
++#endif
+ int SHA_Init(SHA_CTX *c);
+ int SHA_Update(SHA_CTX *c, const void *data, size_t len);
+ int SHA_Final(unsigned char *md, SHA_CTX *c);
+diff -up openssl-1.0.0f/crypto/sha/sha_locl.h.fips openssl-1.0.0f/crypto/sha/sha_locl.h
+--- openssl-1.0.0f/crypto/sha/sha_locl.h.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/crypto/sha/sha_locl.h 2012-01-05 13:22:30.000000000 +0100
+@@ -122,8 +122,15 @@ void sha1_block_data_order (SHA_CTX *c,
+ #define INIT_DATA_h3 0x10325476UL
+ #define INIT_DATA_h4 0xc3d2e1f0UL
+
++#if defined(SHA_0) && defined(OPENSSL_FIPS)
++FIPS_NON_FIPS_MD_Init(SHA)
++#else
+ int HASH_INIT (SHA_CTX *c)
++#endif
+ {
++#if defined(SHA_1) && defined(OPENSSL_FIPS)
++ FIPS_selftest_check();
++#endif
+ memset (c,0,sizeof(*c));
+ c->h0=INIT_DATA_h0;
+ c->h1=INIT_DATA_h1;
+diff -up openssl-1.0.0f/crypto/sha/sha1dgst.c.fips openssl-1.0.0f/crypto/sha/sha1dgst.c
+--- openssl-1.0.0f/crypto/sha/sha1dgst.c.fips 2007-01-21 14:07:14.000000000 +0100
++++ openssl-1.0.0f/crypto/sha/sha1dgst.c 2012-01-05 13:22:30.000000000 +0100
+@@ -63,6 +63,10 @@
+ #define SHA_1
+
+ #include <openssl/opensslv.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++
+
+ const char SHA1_version[]="SHA1" OPENSSL_VERSION_PTEXT;
+
+diff -up openssl-1.0.0f/crypto/sha/sha256.c.fips openssl-1.0.0f/crypto/sha/sha256.c
+--- openssl-1.0.0f/crypto/sha/sha256.c.fips 2007-01-21 14:07:14.000000000 +0100
++++ openssl-1.0.0f/crypto/sha/sha256.c 2012-01-05 13:22:30.000000000 +0100
+@@ -12,12 +12,19 @@
+
+ #include <openssl/crypto.h>
+ #include <openssl/sha.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++
+ #include <openssl/opensslv.h>
+
+ const char SHA256_version[]="SHA-256" OPENSSL_VERSION_PTEXT;
+
+ int SHA224_Init (SHA256_CTX *c)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ memset (c,0,sizeof(*c));
+ c->h[0]=0xc1059ed8UL; c->h[1]=0x367cd507UL;
+ c->h[2]=0x3070dd17UL; c->h[3]=0xf70e5939UL;
+@@ -29,6 +36,9 @@ int SHA224_Init (SHA256_CTX *c)
+
+ int SHA256_Init (SHA256_CTX *c)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ memset (c,0,sizeof(*c));
+ c->h[0]=0x6a09e667UL; c->h[1]=0xbb67ae85UL;
+ c->h[2]=0x3c6ef372UL; c->h[3]=0xa54ff53aUL;
+diff -up openssl-1.0.0f/crypto/sha/sha512.c.fips openssl-1.0.0f/crypto/sha/sha512.c
+--- openssl-1.0.0f/crypto/sha/sha512.c.fips 2009-12-30 12:53:33.000000000 +0100
++++ openssl-1.0.0f/crypto/sha/sha512.c 2012-01-05 13:22:30.000000000 +0100
+@@ -5,6 +5,10 @@
+ * ====================================================================
+ */
+ #include <openssl/opensslconf.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++
+ #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
+ /*
+ * IMPLEMENTATION NOTES.
+@@ -61,6 +65,9 @@ const char SHA512_version[]="SHA-512" OP
+
+ int SHA384_Init (SHA512_CTX *c)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ #if defined(SHA512_ASM) && (defined(__arm__) || defined(__arm))
+ /* maintain dword order required by assembler module */
+ unsigned int *h = (unsigned int *)c->h;
+@@ -90,6 +97,9 @@ int SHA384_Init (SHA512_CTX *c)
+
+ int SHA512_Init (SHA512_CTX *c)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ #if defined(SHA512_ASM) && (defined(__arm__) || defined(__arm))
+ /* maintain dword order required by assembler module */
+ unsigned int *h = (unsigned int *)c->h;
+diff -up openssl-1.0.0f/crypto/whrlpool/whrlpool.h.fips openssl-1.0.0f/crypto/whrlpool/whrlpool.h
+--- openssl-1.0.0f/crypto/whrlpool/whrlpool.h.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/crypto/whrlpool/whrlpool.h 2012-01-05 13:22:30.000000000 +0100
+@@ -24,6 +24,9 @@ typedef struct {
+ } WHIRLPOOL_CTX;
+
+ #ifndef OPENSSL_NO_WHIRLPOOL
++#ifdef OPENSSL_FIPS
++int private_WHIRLPOOL_Init(WHIRLPOOL_CTX *c);
++#endif
+ int WHIRLPOOL_Init (WHIRLPOOL_CTX *c);
+ int WHIRLPOOL_Update (WHIRLPOOL_CTX *c,const void *inp,size_t bytes);
+ void WHIRLPOOL_BitUpdate(WHIRLPOOL_CTX *c,const void *inp,size_t bits);
+diff -up openssl-1.0.0f/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.0f/crypto/whrlpool/wp_dgst.c
+--- openssl-1.0.0f/crypto/whrlpool/wp_dgst.c.fips 2008-12-29 13:35:49.000000000 +0100
++++ openssl-1.0.0f/crypto/whrlpool/wp_dgst.c 2012-01-05 13:22:30.000000000 +0100
+@@ -53,8 +53,12 @@
+
+ #include "wp_locl.h"
+ #include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
+
+-int WHIRLPOOL_Init (WHIRLPOOL_CTX *c)
++FIPS_NON_FIPS_MD_Init(WHIRLPOOL)
+ {
+ memset (c,0,sizeof(*c));
+ return(1);
+diff -up openssl-1.0.0f/Makefile.org.fips openssl-1.0.0f/Makefile.org
+--- openssl-1.0.0f/Makefile.org.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/Makefile.org 2012-01-05 13:22:30.000000000 +0100
+@@ -110,6 +110,9 @@ LIBKRB5=
+ ZLIB_INCLUDE=
+ LIBZLIB=
+
++# Non-empty if FIPS enabled
++FIPS=
++
+ DIRS= crypto ssl engines apps test tools
+ ENGDIRS= ccgost
+ SHLIBDIRS= crypto ssl
+@@ -122,7 +125,7 @@ SDIRS= \
+ bn ec rsa dsa ecdsa dh ecdh dso engine \
+ buffer bio stack lhash rand err \
+ evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
+- cms pqueue ts jpake store
++ cms pqueue ts jpake store fips
+ # keep in mind that the above list is adjusted by ./Configure
+ # according to no-xxx arguments...
+
+@@ -206,6 +209,7 @@ BUILDENV= PLATFORM='$(PLATFORM)' PROCESS
+ RMD160_ASM_OBJ='$(RMD160_ASM_OBJ)' \
+ WP_ASM_OBJ='$(WP_ASM_OBJ)' \
+ PERLASM_SCHEME='$(PERLASM_SCHEME)' \
++ FIPS="$${FIPS:-$(FIPS)}" \
+ THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
+ # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
+ # which in turn eliminates ambiguities in variable treatment with -e.
+diff -up openssl-1.0.0f/ssl/ssl_ciph.c.fips openssl-1.0.0f/ssl/ssl_ciph.c
+--- openssl-1.0.0f/ssl/ssl_ciph.c.fips 2011-12-02 13:51:05.000000000 +0100
++++ openssl-1.0.0f/ssl/ssl_ciph.c 2012-01-05 13:22:30.000000000 +0100
+@@ -728,6 +728,9 @@ static void ssl_cipher_collect_ciphers(c
+ !(c->algorithm_auth & disabled_auth) &&
+ !(c->algorithm_enc & disabled_enc) &&
+ !(c->algorithm_mac & disabled_mac) &&
++#ifdef OPENSSL_FIPS
++ (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
++#endif
+ !(c->algorithm_ssl & disabled_ssl))
+ {
+ co_list[co_list_num].cipher = c;
+@@ -1423,7 +1426,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ */
+ for (curr = head; curr != NULL; curr = curr->next)
+ {
++#ifdef OPENSSL_FIPS
++ if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
++#else
+ if (curr->active)
++#endif
+ {
+ sk_SSL_CIPHER_push(cipherstack, curr->cipher);
+ #ifdef CIPHER_DEBUG
+diff -up openssl-1.0.0f/ssl/ssl_lib.c.fips openssl-1.0.0f/ssl/ssl_lib.c
+--- openssl-1.0.0f/ssl/ssl_lib.c.fips 2011-09-26 19:04:49.000000000 +0200
++++ openssl-1.0.0f/ssl/ssl_lib.c 2012-01-05 13:22:30.000000000 +0100
+@@ -1524,6 +1524,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+ return(NULL);
+ }
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && (meth->version < TLS1_VERSION))
++ {
++ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
++ return NULL;
++ }
++#endif
++
+ if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
+ {
+ SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
+diff -up openssl-1.0.0f/ssl/ssltest.c.fips openssl-1.0.0f/ssl/ssltest.c
+--- openssl-1.0.0f/ssl/ssltest.c.fips 2012-01-05 13:22:29.000000000 +0100
++++ openssl-1.0.0f/ssl/ssltest.c 2012-01-05 13:22:30.000000000 +0100
+@@ -268,6 +268,9 @@ static void sv_usage(void)
+ {
+ fprintf(stderr,"usage: ssltest [args ...]\n");
+ fprintf(stderr,"\n");
++#ifdef OPENSSL_FIPS
++ fprintf(stderr,"-F - run test in FIPS mode\n");
++#endif
+ fprintf(stderr," -server_auth - check server certificate\n");
+ fprintf(stderr," -client_auth - do client authentication\n");
+ fprintf(stderr," -proxy - allow proxy certificates\n");
+@@ -487,6 +490,9 @@ int main(int argc, char *argv[])
+ #endif
+ STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
+ int test_cipherlist = 0;
++#ifdef OPENSSL_FIPS
++ int fips_mode=0;
++#endif
+
+ verbose = 0;
+ debug = 0;
+@@ -518,7 +524,16 @@ int main(int argc, char *argv[])
+
+ while (argc >= 1)
+ {
+- if (strcmp(*argv,"-server_auth") == 0)
++ if(!strcmp(*argv,"-F"))
++ {
++#ifdef OPENSSL_FIPS
++ fips_mode=1;
++#else
++ fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
++ EXIT(0);
++#endif
++ }
++ else if (strcmp(*argv,"-server_auth") == 0)
+ server_auth=1;
+ else if (strcmp(*argv,"-client_auth") == 0)
+ client_auth=1;
+@@ -714,6 +729,20 @@ bad:
+ EXIT(1);
+ }
+
++#ifdef OPENSSL_FIPS
++ if(fips_mode)
++ {
++ if(!FIPS_mode_set(1))
++ {
++ ERR_load_crypto_strings();
++ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
++ EXIT(1);
++ }
++ else
++ fprintf(stderr,"*** IN FIPS MODE ***\n");
++ }
++#endif
++
+ if (print_time)
+ {
+ if (!bio_pair)
+@@ -2153,12 +2182,12 @@ static int MS_CALLBACK app_verify_callba
+ }
+
+ #ifndef OPENSSL_NO_X509_VERIFY
+-# ifdef OPENSSL_FIPS
++# if 0
+ if(s->version == TLS1_VERSION)
+ FIPS_allow_md5(1);
+ # endif
+ ok = X509_verify_cert(ctx);
+-# ifdef OPENSSL_FIPS
++# if 0
+ if(s->version == TLS1_VERSION)
+ FIPS_allow_md5(0);
+ # endif
+diff -up openssl-1.0.0f/ssl/s23_clnt.c.fips openssl-1.0.0f/ssl/s23_clnt.c
+--- openssl-1.0.0f/ssl/s23_clnt.c.fips 2010-02-16 15:20:40.000000000 +0100
++++ openssl-1.0.0f/ssl/s23_clnt.c 2012-01-05 13:22:30.000000000 +0100
+@@ -334,6 +334,14 @@ static int ssl23_client_hello(SSL *s)
+ version_major = TLS1_VERSION_MAJOR;
+ version_minor = TLS1_VERSION_MINOR;
+ }
++#ifdef OPENSSL_FIPS
++ else if(FIPS_mode())
++ {
++ SSLerr(SSL_F_SSL23_CLIENT_HELLO,
++ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
++ return -1;
++ }
++#endif
+ else if (version == SSL3_VERSION)
+ {
+ version_major = SSL3_VERSION_MAJOR;
+@@ -617,6 +625,14 @@ static int ssl23_get_server_hello(SSL *s
+ if ((p[2] == SSL3_VERSION_MINOR) &&
+ !(s->options & SSL_OP_NO_SSLv3))
+ {
++#ifdef OPENSSL_FIPS
++ if(FIPS_mode())
++ {
++ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
++ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
++ goto err;
++ }
++#endif
+ s->version=SSL3_VERSION;
+ s->method=SSLv3_client_method();
+ }
+diff -up openssl-1.0.0f/ssl/s23_srvr.c.fips openssl-1.0.0f/ssl/s23_srvr.c
+--- openssl-1.0.0f/ssl/s23_srvr.c.fips 2010-02-16 15:20:40.000000000 +0100
++++ openssl-1.0.0f/ssl/s23_srvr.c 2012-01-05 13:22:30.000000000 +0100
+@@ -393,6 +393,15 @@ int ssl23_get_client_hello(SSL *s)
+ }
+ }
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && (s->version < TLS1_VERSION))
++ {
++ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
++ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
++ goto err;
++ }
++#endif
++
+ if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
+ {
+ /* we have SSLv3/TLSv1 in an SSLv2 header
+diff -up openssl-1.0.0f/ssl/s3_clnt.c.fips openssl-1.0.0f/ssl/s3_clnt.c
+--- openssl-1.0.0f/ssl/s3_clnt.c.fips 2011-12-26 20:38:19.000000000 +0100
++++ openssl-1.0.0f/ssl/s3_clnt.c 2012-01-05 13:22:30.000000000 +0100
+@@ -156,6 +156,10 @@
+ #include <openssl/objects.h>
+ #include <openssl/evp.h>
+ #include <openssl/md5.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
++
+ #ifndef OPENSSL_NO_DH
+ #include <openssl/dh.h>
+ #endif
+@@ -1550,6 +1554,8 @@ int ssl3_get_key_exchange(SSL *s)
+ q=md_buf;
+ for (num=2; num > 0; num--)
+ {
++ EVP_MD_CTX_set_flags(&md_ctx,
++ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_DigestInit_ex(&md_ctx,(num == 2)
+ ?s->ctx->md5:s->ctx->sha1, NULL);
+ EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
+diff -up openssl-1.0.0f/ssl/s3_enc.c.fips openssl-1.0.0f/ssl/s3_enc.c
+--- openssl-1.0.0f/ssl/s3_enc.c.fips 2012-01-04 16:38:54.000000000 +0100
++++ openssl-1.0.0f/ssl/s3_enc.c 2012-01-05 13:22:30.000000000 +0100
+@@ -170,6 +170,7 @@ static int ssl3_generate_key_block(SSL *
+ #endif
+ k=0;
+ EVP_MD_CTX_init(&m5);
++ EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_MD_CTX_init(&s1);
+ for (i=0; (int)i<num; i+=MD5_DIGEST_LENGTH)
+ {
+@@ -616,6 +617,8 @@ int ssl3_digest_cached_records(SSL *s)
+ if ((mask & s->s3->tmp.new_cipher->algorithm2) && md)
+ {
+ s->s3->handshake_dgst[i]=EVP_MD_CTX_create();
++ EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
++ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL);
+ EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen);
+ }
+@@ -672,6 +675,7 @@ static int ssl3_handshake_mac(SSL *s, in
+ return 0;
+ }
+ EVP_MD_CTX_init(&ctx);
++ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_MD_CTX_copy_ex(&ctx,d);
+ n=EVP_MD_CTX_size(&ctx);
+ if (n < 0)
+diff -up openssl-1.0.0f/ssl/s3_srvr.c.fips openssl-1.0.0f/ssl/s3_srvr.c
+--- openssl-1.0.0f/ssl/s3_srvr.c.fips 2012-01-04 16:27:54.000000000 +0100
++++ openssl-1.0.0f/ssl/s3_srvr.c 2012-01-05 13:22:30.000000000 +0100
+@@ -1770,6 +1770,8 @@ int ssl3_send_server_key_exchange(SSL *s
+ j=0;
+ for (num=2; num > 0; num--)
+ {
++ EVP_MD_CTX_set_flags(&md_ctx,
++ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_DigestInit_ex(&md_ctx,(num == 2)
+ ?s->ctx->md5:s->ctx->sha1, NULL);
+ EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
+diff -up openssl-1.0.0f/ssl/t1_enc.c.fips openssl-1.0.0f/ssl/t1_enc.c
+--- openssl-1.0.0f/ssl/t1_enc.c.fips 2010-06-15 19:25:15.000000000 +0200
++++ openssl-1.0.0f/ssl/t1_enc.c 2012-01-05 13:22:30.000000000 +0100
+@@ -170,6 +170,8 @@ static int tls1_P_hash(const EVP_MD *md,
+
+ HMAC_CTX_init(&ctx);
+ HMAC_CTX_init(&ctx_tmp);
++ HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
++ HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ if (!HMAC_Init_ex(&ctx,sec,sec_len,md, NULL))
+ goto err;
+ if (!HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL))
diff --git a/openssl-1.0.0g-version.patch b/openssl-1.0.0g-version.patch
new file mode 100644
index 0000000..55aa0c0
--- /dev/null
+++ b/openssl-1.0.0g-version.patch
@@ -0,0 +1,22 @@
+diff -up openssl-1.0.0g/crypto/opensslv.h.version openssl-1.0.0g/crypto/opensslv.h
+--- openssl-1.0.0g/crypto/opensslv.h.version 2012-01-19 14:50:50.094028047 +0100
++++ openssl-1.0.0g/crypto/opensslv.h 2012-01-19 14:51:48.655529671 +0100
+@@ -25,7 +25,8 @@
+ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
+ * major minor fix final patch/beta)
+ */
+-#define OPENSSL_VERSION_NUMBER 0x1000007fL
++/* we have to keep the version number to not break the abi */
++#define OPENSSL_VERSION_NUMBER 0x10000003
+ #ifdef OPENSSL_FIPS
+ #define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0g-fips 18 Jan 2012"
+ #else
+@@ -83,7 +84,7 @@
+ * should only keep the versions that are binary compatible with the current.
+ */
+ #define SHLIB_VERSION_HISTORY ""
+-#define SHLIB_VERSION_NUMBER "1.0.0"
++#define SHLIB_VERSION_NUMBER "1.0.0g"
+
+
+ #endif /* HEADER_OPENSSLV_H */
diff --git a/openssl.spec b/openssl.spec
index a1ccdc3..95ee2b8 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -20,12 +20,12 @@
Summary: A general purpose cryptography library with TLS implementation
Name: openssl
-Version: 1.0.1
-Release: 0.1.beta2%{?dist}
+Version: 1.0.0g
+Release: 1%{?dist}
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
-Source: openssl-%{version}-beta2-usa.tar.xz
+Source: openssl-%{version}-usa.tar.xz
Source1: hobble-openssl
Source2: Makefile.certificate
Source6: make-dummy-cert
@@ -34,8 +34,9 @@ Source9: opensslconf-new.h
Source10: opensslconf-new-warning.h
Source11: README.FIPS
# Build changes
-Patch1: openssl-1.0.1-beta2-rpmbuild.patch
-Patch2: openssl-1.0.0f-defaults.patch
+Patch0: openssl-1.0.0-beta4-redhat.patch
+Patch1: openssl-1.0.0f-defaults.patch
+Patch3: openssl-1.0.0-beta3-soversion.patch
Patch4: openssl-1.0.0-beta5-enginesdir.patch
Patch5: openssl-0.9.8a-no-rpath.patch
Patch6: openssl-0.9.8b-test-use-localhost.patch
@@ -43,29 +44,42 @@ Patch7: openssl-1.0.0-timezone.patch
# Bug fixes
Patch23: openssl-1.0.0-beta4-default-paths.patch
Patch24: openssl-0.9.8j-bad-mime.patch
+Patch25: openssl-1.0.0a-manfix.patch
Patch26: openssl-1.0.0a-load-certs.patch
# Functionality changes
+Patch32: openssl-0.9.8g-ia64.patch
Patch33: openssl-1.0.0-beta4-ca-dir.patch
Patch34: openssl-0.9.6-x509.patch
Patch35: openssl-0.9.8j-version-add-engines.patch
-Patch36: openssl-1.0.0e-doc-noeof.patch
-Patch38: openssl-1.0.1-beta2-ssl-op-all.patch
-Patch39: openssl-1.0.1-beta2-ipv6-apps.patch
-Patch40: openssl-1.0.1-beta2-fips.patch
-Patch42: openssl-1.0.1-beta2-no-srp.patch
+Patch38: openssl-1.0.0-beta5-cipher-change.patch
+Patch39: openssl-1.0.0b-ipv6-apps.patch
+Patch40: openssl-1.0.0f-fips.patch
+Patch41: openssl-1.0.0-beta3-fipscheck.patch
+Patch43: openssl-1.0.0a-fipsmode.patch
+Patch44: openssl-1.0.0-beta3-fipsrng.patch
Patch45: openssl-0.9.8j-env-nozlib.patch
Patch47: openssl-1.0.0-beta5-readme-warning.patch
Patch49: openssl-1.0.0-beta4-algo-doc.patch
-Patch50: openssl-1.0.1-beta2-dtls1-abi.patch
-Patch51: openssl-1.0.1-beta2-version.patch
+Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
+Patch51: openssl-1.0.0g-version.patch
+Patch52: openssl-1.0.0b-aesni.patch
+Patch53: openssl-1.0.0-name-hash.patch
+Patch54: openssl-1.0.0c-speed-fips.patch
+Patch55: openssl-1.0.0c-apps-ipv6listen.patch
Patch56: openssl-1.0.0c-rsa-x931.patch
-Patch58: openssl-1.0.1-beta2-fips-md5-allow.patch
+Patch57: openssl-1.0.0c-fips186-3.patch
+Patch58: openssl-1.0.0c-fips-md5-allow.patch
+Patch59: openssl-1.0.0c-pkcs12-fips-default.patch
Patch60: openssl-1.0.0d-apps-dgst.patch
+Patch61: openssl-1.0.0d-cavs.patch
+Patch62: openssl-1.0.0-fips-aesni.patch
Patch63: openssl-1.0.0d-xmpp-starttls.patch
+Patch64: openssl-1.0.0d-intelopts.patch
Patch65: openssl-1.0.0e-chil-fixes.patch
+Patch66: openssl-1.0.0-sha2test.patch
Patch67: openssl-1.0.0e-pkgconfig-private.patch
# Backported fixes including security fixes
-Patch81: openssl-1.0.1-beta2-padlock64.patch
+Patch81: openssl-1.0.0d-padlock64.patch
License: OpenSSL
Group: System Environment/Libraries
@@ -115,13 +129,14 @@ package provides Perl scripts for converting certificates and keys
from other formats to the formats used by the OpenSSL toolkit.
%prep
-%setup -q -n %{name}-%{version}-beta2
+%setup -q -n %{name}-%{version}
# The hobble_openssl is called here redundantly, just to be sure.
# The tarball has already the sources removed.
%{SOURCE1} > /dev/null
-%patch1 -p1 -b .rpmbuild
-%patch2 -p1 -b .defaults
+%patch0 -p1 -b .redhat
+%patch1 -p1 -b .defaults
+%patch3 -p1 -b .soversion
%patch4 -p1 -b .enginesdir %{?_rawbuild}
%patch5 -p1 -b .no-rpath
%patch6 -p1 -b .use-localhost
@@ -129,29 +144,43 @@ from other formats to the formats used by the OpenSSL toolkit.
%patch23 -p1 -b .default-paths
%patch24 -p1 -b .bad-mime
+%patch25 -p1 -b .manfix
%patch26 -p1 -b .load-certs
+%patch32 -p1 -b .ia64
%patch33 -p1 -b .ca-dir
%patch34 -p1 -b .x509
%patch35 -p1 -b .version-add-engines
-%patch36 -p1 -b .doc-noeof
-%patch38 -p1 -b .op-all
+%patch38 -p1 -b .cipher-change
%patch39 -p1 -b .ipv6-apps
%patch40 -p1 -b .fips
-%patch42 -p1 -b .no-srp
+%patch41 -p1 -b .fipscheck
+%patch43 -p1 -b .fipsmode
+%patch44 -p1 -b .fipsrng
%patch45 -p1 -b .env-nozlib
%patch47 -p1 -b .warning
%patch49 -p1 -b .algo-doc
%patch50 -p1 -b .dtls1-abi
%patch51 -p1 -b .version
+%patch52 -p1 -b .aesni
+%patch53 -p1 -b .name-hash
+%patch54 -p1 -b .spfips
+%patch55 -p1 -b .ipv6listen
%patch56 -p1 -b .x931
+%patch57 -p1 -b .fips186-3
%patch58 -p1 -b .md5-allow
+%patch59 -p1 -b .fips-default
%patch60 -p1 -b .dgst
+%patch61 -p1 -b .cavs
+%patch62 -p1 -b .fips-aesni
%patch63 -p1 -b .starttls
+%patch64 -p1 -b .intelopts
%patch65 -p1 -b .chil
+%patch66 -p1 -b .sha2test
%patch67 -p1 -b .private
%patch81 -p1 -b .padlock64
+
# Modify the various perl scripts to reference perl in the right location.
perl util/perlpath.pl `dirname %{__perl}`
@@ -196,7 +225,7 @@ sslarch=linux-generic32
./Configure \
--prefix=/usr --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
- enable-cms enable-md2 no-mdc2 no-rc5 no-ec no-ec2m no-ecdh no-ecdsa no-srp \
+ enable-cms enable-md2 no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa \
--with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \
--with-krb5-dir=/usr shared ${sslarch} %{?!nofips:fips}
@@ -237,9 +266,9 @@ make -C test apps tests
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
- crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT/%{_lib}/libcrypto.so.%{version} >$RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{version}.hmac \
+ crypto/fips/fips_standalone_sha1 $RPM_BUILD_ROOT/%{_lib}/libcrypto.so.%{version} >$RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{version}.hmac \
ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{soversion}.hmac \
- crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \
+ crypto/fips/fips_standalone_sha1 $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \
ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \
%{nil}
@@ -400,10 +429,6 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun -p /sbin/ldconfig
%changelog
-* Tue Feb 7 2012 Tomas Mraz <tmraz at redhat.com> 1.0.1-0.1.beta2
-- new upstream release from the 1.0.1 branch, ABI compatible
-- add documentation for the -no_ign_eof option
-
* Thu Jan 19 2012 Tomas Mraz <tmraz at redhat.com> 1.0.0g-1
- new upstream release fixing CVE-2012-0050 - DoS regression in
DTLS support introduced by the previous release (#782795)
diff --git a/sources b/sources
index 1b556b7..45e0449 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-08cff5d4024ab8ff1a52d261d7d49623 openssl-1.0.1-beta2-usa.tar.xz
+9d7281bdc7ec0845c240eb6c0adc8dc3 openssl-1.0.0g-usa.tar.xz
More information about the scm-commits
mailing list