epienbro pushed to mingw-openssl (f22). "Synced with native openssl-1.0.2a-1.fc23"
notifications at fedoraproject.org
notifications at fedoraproject.org
Fri Apr 24 17:14:30 UTC 2015
>From 038bb32a6e859d4e8b2fb2821029e3542d71528b Mon Sep 17 00:00:00 2001
From: Erik van Pienbroek <epienbro at fedoraproject.org>
Date: Fri, 24 Apr 2015 19:12:13 +0200
Subject: Synced with native openssl-1.0.2a-1.fc23
diff --git a/ec_curve.c b/ec_curve.c
index 0c287bf..ea3a479 100644
--- a/ec_curve.c
+++ b/ec_curve.c
@@ -10,7 +10,7 @@
* are met:
*
* 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
@@ -58,339 +58,398 @@
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
*
- * Portions of the attached software ("Contribution") are developed by
+ * Portions of the attached software ("Contribution") are developed by
* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
*
* The Contribution is licensed pursuant to the OpenSSL open source
* license provided above.
*
- * The elliptic curve binary polynomial software is originally written by
+ * The elliptic curve binary polynomial software is originally written by
* Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
*
*/
+#include <string.h>
#include "ec_lcl.h"
#include <openssl/err.h>
#include <openssl/obj_mac.h>
#include <openssl/opensslconf.h>
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
+
typedef struct {
- int field_type, /* either NID_X9_62_prime_field or
- * NID_X9_62_characteristic_two_field */
- seed_len,
- param_len;
- unsigned int cofactor; /* promoted to BN_ULONG */
+ int field_type, /* either NID_X9_62_prime_field or
+ * NID_X9_62_characteristic_two_field */
+ seed_len, param_len;
+ unsigned int cofactor; /* promoted to BN_ULONG */
} EC_CURVE_DATA;
-static const struct { EC_CURVE_DATA h; unsigned char data[20+48*6]; }
- _EC_NIST_PRIME_384 = {
- { NID_X9_62_prime_field,20,48,1 },
- { 0xA3,0x35,0x92,0x6A,0xA3,0x19,0xA2,0x7A,0x1D,0x00, /* seed */
- 0x89,0x6A,0x67,0x73,0xA4,0x82,0x7A,0xCD,0xAC,0x73,
-
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFE,0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,
- 0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* a */
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFE,0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,
- 0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFC,
- 0xB3,0x31,0x2F,0xA7,0xE2,0x3E,0xE7,0xE4,0x98,0x8E, /* b */
- 0x05,0x6B,0xE3,0xF8,0x2D,0x19,0x18,0x1D,0x9C,0x6E,
- 0xFE,0x81,0x41,0x12,0x03,0x14,0x08,0x8F,0x50,0x13,
- 0x87,0x5A,0xC6,0x56,0x39,0x8D,0x8A,0x2E,0xD1,0x9D,
- 0x2A,0x85,0xC8,0xED,0xD3,0xEC,0x2A,0xEF,
- 0xAA,0x87,0xCA,0x22,0xBE,0x8B,0x05,0x37,0x8E,0xB1, /* x */
- 0xC7,0x1E,0xF3,0x20,0xAD,0x74,0x6E,0x1D,0x3B,0x62,
- 0x8B,0xA7,0x9B,0x98,0x59,0xF7,0x41,0xE0,0x82,0x54,
- 0x2A,0x38,0x55,0x02,0xF2,0x5D,0xBF,0x55,0x29,0x6C,
- 0x3A,0x54,0x5E,0x38,0x72,0x76,0x0A,0xB7,
- 0x36,0x17,0xde,0x4a,0x96,0x26,0x2c,0x6f,0x5d,0x9e, /* y */
- 0x98,0xbf,0x92,0x92,0xdc,0x29,0xf8,0xf4,0x1d,0xbd,
- 0x28,0x9a,0x14,0x7c,0xe9,0xda,0x31,0x13,0xb5,0xf0,
- 0xb8,0xc0,0x0a,0x60,0xb1,0xce,0x1d,0x7e,0x81,0x9d,
- 0x7a,0x43,0x1d,0x7c,0x90,0xea,0x0e,0x5f,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xC7,0x63,0x4D,0x81,0xF4,0x37,
- 0x2D,0xDF,0x58,0x1A,0x0D,0xB2,0x48,0xB0,0xA7,0x7A,
- 0xEC,0xEC,0x19,0x6A,0xCC,0xC5,0x29,0x73 }
- };
-
-static const struct { EC_CURVE_DATA h; unsigned char data[20+66*6]; }
- _EC_NIST_PRIME_521 = {
- { NID_X9_62_prime_field,20,66,1 },
- { 0xD0,0x9E,0x88,0x00,0x29,0x1C,0xB8,0x53,0x96,0xCC, /* seed */
- 0x67,0x17,0x39,0x32,0x84,0xAA,0xA0,0xDA,0x64,0xBA,
-
- 0x01,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0x01,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* a */
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFC,
- 0x00,0x51,0x95,0x3E,0xB9,0x61,0x8E,0x1C,0x9A,0x1F, /* b */
- 0x92,0x9A,0x21,0xA0,0xB6,0x85,0x40,0xEE,0xA2,0xDA,
- 0x72,0x5B,0x99,0xB3,0x15,0xF3,0xB8,0xB4,0x89,0x91,
- 0x8E,0xF1,0x09,0xE1,0x56,0x19,0x39,0x51,0xEC,0x7E,
- 0x93,0x7B,0x16,0x52,0xC0,0xBD,0x3B,0xB1,0xBF,0x07,
- 0x35,0x73,0xDF,0x88,0x3D,0x2C,0x34,0xF1,0xEF,0x45,
- 0x1F,0xD4,0x6B,0x50,0x3F,0x00,
- 0x00,0xC6,0x85,0x8E,0x06,0xB7,0x04,0x04,0xE9,0xCD, /* x */
- 0x9E,0x3E,0xCB,0x66,0x23,0x95,0xB4,0x42,0x9C,0x64,
- 0x81,0x39,0x05,0x3F,0xB5,0x21,0xF8,0x28,0xAF,0x60,
- 0x6B,0x4D,0x3D,0xBA,0xA1,0x4B,0x5E,0x77,0xEF,0xE7,
- 0x59,0x28,0xFE,0x1D,0xC1,0x27,0xA2,0xFF,0xA8,0xDE,
- 0x33,0x48,0xB3,0xC1,0x85,0x6A,0x42,0x9B,0xF9,0x7E,
- 0x7E,0x31,0xC2,0xE5,0xBD,0x66,
- 0x01,0x18,0x39,0x29,0x6a,0x78,0x9a,0x3b,0xc0,0x04, /* y */
- 0x5c,0x8a,0x5f,0xb4,0x2c,0x7d,0x1b,0xd9,0x98,0xf5,
- 0x44,0x49,0x57,0x9b,0x44,0x68,0x17,0xaf,0xbd,0x17,
- 0x27,0x3e,0x66,0x2c,0x97,0xee,0x72,0x99,0x5e,0xf4,
- 0x26,0x40,0xc5,0x50,0xb9,0x01,0x3f,0xad,0x07,0x61,
- 0x35,0x3c,0x70,0x86,0xa2,0x72,0xc2,0x40,0x88,0xbe,
- 0x94,0x76,0x9f,0xd1,0x66,0x50,
- 0x01,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFA,0x51,0x86,0x87,0x83,0xBF,0x2F,
- 0x96,0x6B,0x7F,0xCC,0x01,0x48,0xF7,0x09,0xA5,0xD0,
- 0x3B,0xB5,0xC9,0xB8,0x89,0x9C,0x47,0xAE,0xBB,0x6F,
- 0xB7,0x1E,0x91,0x38,0x64,0x09 }
- };
-
-static const struct { EC_CURVE_DATA h; unsigned char data[20+32*6]; }
- _EC_X9_62_PRIME_256V1 = {
- { NID_X9_62_prime_field,20,32,1 },
- { 0xC4,0x9D,0x36,0x08,0x86,0xE7,0x04,0x93,0x6A,0x66, /* seed */
- 0x78,0xE1,0x13,0x9D,0x26,0xB7,0x81,0x9F,0x7E,0x90,
-
- 0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x01,0x00,0x00, /* p */
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x01,0x00,0x00, /* a */
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFC,
- 0x5A,0xC6,0x35,0xD8,0xAA,0x3A,0x93,0xE7,0xB3,0xEB, /* b */
- 0xBD,0x55,0x76,0x98,0x86,0xBC,0x65,0x1D,0x06,0xB0,
- 0xCC,0x53,0xB0,0xF6,0x3B,0xCE,0x3C,0x3E,0x27,0xD2,
- 0x60,0x4B,
- 0x6B,0x17,0xD1,0xF2,0xE1,0x2C,0x42,0x47,0xF8,0xBC, /* x */
- 0xE6,0xE5,0x63,0xA4,0x40,0xF2,0x77,0x03,0x7D,0x81,
- 0x2D,0xEB,0x33,0xA0,0xF4,0xA1,0x39,0x45,0xD8,0x98,
- 0xC2,0x96,
- 0x4f,0xe3,0x42,0xe2,0xfe,0x1a,0x7f,0x9b,0x8e,0xe7, /* y */
- 0xeb,0x4a,0x7c,0x0f,0x9e,0x16,0x2b,0xce,0x33,0x57,
- 0x6b,0x31,0x5e,0xce,0xcb,0xb6,0x40,0x68,0x37,0xbf,
- 0x51,0xf5,
- 0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0xFF,0xFF, /* order */
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xBC,0xE6,0xFA,0xAD,
- 0xA7,0x17,0x9E,0x84,0xF3,0xB9,0xCA,0xC2,0xFC,0x63,
- 0x25,0x51 }
- };
+/* the nist prime curves */
+static const struct {
+ EC_CURVE_DATA h;
+ unsigned char data[20 + 48 * 6];
+} _EC_NIST_PRIME_384 = {
+ {
+ NID_X9_62_prime_field, 20, 48, 1
+ },
+ {
+ /* seed */
+ 0xA3, 0x35, 0x92, 0x6A, 0xA3, 0x19, 0xA2, 0x7A, 0x1D, 0x00, 0x89, 0x6A,
+ 0x67, 0x73, 0xA4, 0x82, 0x7A, 0xCD, 0xAC, 0x73,
+ /* p */
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
+ /* a */
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC,
+ /* b */
+ 0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B,
+ 0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12,
+ 0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D,
+ 0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF,
+ /* x */
+ 0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E,
+ 0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98,
+ 0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D,
+ 0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7,
+ /* y */
+ 0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf,
+ 0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c,
+ 0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce,
+ 0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f,
+ /* order */
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2,
+ 0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73
+ }
+};
+
+static const struct {
+ EC_CURVE_DATA h;
+ unsigned char data[20 + 66 * 6];
+} _EC_NIST_PRIME_521 = {
+ {
+ NID_X9_62_prime_field, 20, 66, 1
+ },
+ {
+ /* seed */
+ 0xD0, 0x9E, 0x88, 0x00, 0x29, 0x1C, 0xB8, 0x53, 0x96, 0xCC, 0x67, 0x17,
+ 0x39, 0x32, 0x84, 0xAA, 0xA0, 0xDA, 0x64, 0xBA,
+ /* p */
+ 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ /* a */
+ 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
+ /* b */
+ 0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A,
+ 0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3,
+ 0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19,
+ 0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1,
+ 0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45,
+ 0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00,
+ /* x */
+ 0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E,
+ 0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F,
+ 0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B,
+ 0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF,
+ 0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E,
+ 0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66,
+ /* y */
+ 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a,
+ 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,
+ 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee,
+ 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,
+ 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe,
+ 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
+ /* order */
+ 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86,
+ 0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09,
+ 0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F,
+ 0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09
+ }
+};
+
+static const struct {
+ EC_CURVE_DATA h;
+ unsigned char data[20 + 32 * 6];
+} _EC_X9_62_PRIME_256V1 = {
+ {
+ NID_X9_62_prime_field, 20, 32, 1
+ },
+ {
+ /* seed */
+ 0xC4, 0x9D, 0x36, 0x08, 0x86, 0xE7, 0x04, 0x93, 0x6A, 0x66, 0x78, 0xE1,
+ 0x13, 0x9D, 0x26, 0xB7, 0x81, 0x9F, 0x7E, 0x90,
+ /* p */
+ 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ /* a */
+ 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
+ /* b */
+ 0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55,
+ 0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6,
+ 0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B,
+ /* x */
+ 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5,
+ 0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0,
+ 0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96,
+ /* y */
+ 0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a,
+ 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce,
+ 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,
+ /* order */
+ 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84,
+ 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51
+ }
+};
typedef struct _ec_list_element_st {
- int nid;
- const EC_CURVE_DATA *data;
- const EC_METHOD *(*meth)(void);
- const char *comment;
- } ec_list_element;
+ int nid;
+ const EC_CURVE_DATA *data;
+ const EC_METHOD *(*meth) (void);
+ const char *comment;
+} ec_list_element;
static const ec_list_element curve_list[] = {
- /* prime field curves */
- /* secg curves */
- /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
- { NID_secp384r1, &_EC_NIST_PRIME_384.h, 0, "NIST/SECG curve over a 384 bit prime field" },
+ /* prime field curves */
+ /* secg curves */
+ /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
+ {NID_secp384r1, &_EC_NIST_PRIME_384.h, 0,
+ "NIST/SECG curve over a 384 bit prime field"},
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
- { NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method, "NIST/SECG curve over a 521 bit prime field" },
+ {NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method,
+ "NIST/SECG curve over a 521 bit prime field"},
#else
- { NID_secp521r1, &_EC_NIST_PRIME_521.h, 0, "NIST/SECG curve over a 521 bit prime field" },
+ {NID_secp521r1, &_EC_NIST_PRIME_521.h, 0,
+ "NIST/SECG curve over a 521 bit prime field"},
#endif
-#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
- { NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, EC_GFp_nistp256_method, "X9.62/SECG curve over a 256 bit prime field" },
+ /* X9.62 curves */
+ {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
+#if defined(ECP_NISTZ256_ASM)
+ EC_GFp_nistz256_method,
+#elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
+ EC_GFp_nistp256_method,
#else
- { NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, 0, "X9.62/SECG curve over a 256 bit prime field" },
+ 0,
#endif
+ "X9.62/SECG curve over a 256 bit prime field"},
};
#define curve_list_length (sizeof(curve_list)/sizeof(ec_list_element))
static EC_GROUP *ec_group_new_from_data(const ec_list_element curve)
- {
- EC_GROUP *group=NULL;
- EC_POINT *P=NULL;
- BN_CTX *ctx=NULL;
- BIGNUM *p=NULL, *a=NULL, *b=NULL, *x=NULL, *y=NULL, *order=NULL;
- int ok=0;
- int seed_len,param_len;
- const EC_METHOD *meth;
- const EC_CURVE_DATA *data;
- const unsigned char *params;
-
- if ((ctx = BN_CTX_new()) == NULL)
- {
- ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- data = curve.data;
- seed_len = data->seed_len;
- param_len = data->param_len;
- params = (const unsigned char *)(data+1); /* skip header */
- params += seed_len; /* skip seed */
-
- if (!(p = BN_bin2bn(params+0*param_len, param_len, NULL))
- || !(a = BN_bin2bn(params+1*param_len, param_len, NULL))
- || !(b = BN_bin2bn(params+2*param_len, param_len, NULL)))
- {
- ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
- goto err;
- }
-
- if (curve.meth != 0)
- {
- meth = curve.meth();
- if (((group = EC_GROUP_new(meth)) == NULL) ||
- (!(group->meth->group_set_curve(group, p, a, b, ctx))))
- {
- ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
- goto err;
- }
- }
- else if (data->field_type == NID_X9_62_prime_field)
- {
- if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL)
- {
- ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
- goto err;
- }
- }
+{
+ EC_GROUP *group = NULL;
+ EC_POINT *P = NULL;
+ BN_CTX *ctx = NULL;
+ BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL, *order =
+ NULL;
+ int ok = 0;
+ int seed_len, param_len;
+ const EC_METHOD *meth;
+ const EC_CURVE_DATA *data;
+ const unsigned char *params;
+
+ if ((ctx = BN_CTX_new()) == NULL) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ data = curve.data;
+ seed_len = data->seed_len;
+ param_len = data->param_len;
+ params = (const unsigned char *)(data + 1); /* skip header */
+ params += seed_len; /* skip seed */
+
+ if (!(p = BN_bin2bn(params + 0 * param_len, param_len, NULL))
+ || !(a = BN_bin2bn(params + 1 * param_len, param_len, NULL))
+ || !(b = BN_bin2bn(params + 2 * param_len, param_len, NULL))) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
+ goto err;
+ }
+
+ if (curve.meth != 0) {
+ meth = curve.meth();
+ if (((group = EC_GROUP_new(meth)) == NULL) ||
+ (!(group->meth->group_set_curve(group, p, a, b, ctx)))) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+ goto err;
+ }
+ } else if (data->field_type == NID_X9_62_prime_field) {
+ if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+ goto err;
+ }
+ }
#ifndef OPENSSL_NO_EC2M
- else /* field_type == NID_X9_62_characteristic_two_field */
- {
- if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL)
- {
- ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
- goto err;
- }
- }
+ else { /* field_type ==
+ * NID_X9_62_characteristic_two_field */
+
+ if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+ goto err;
+ }
+ }
#endif
- if ((P = EC_POINT_new(group)) == NULL)
- {
- ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
- goto err;
- }
-
- if (!(x = BN_bin2bn(params+3*param_len, param_len, NULL))
- || !(y = BN_bin2bn(params+4*param_len, param_len, NULL)))
- {
- ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
- goto err;
- }
- if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx))
- {
- ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
- goto err;
- }
- if (!(order = BN_bin2bn(params+5*param_len, param_len, NULL))
- || !BN_set_word(x, (BN_ULONG)data->cofactor))
- {
- ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
- goto err;
- }
- if (!EC_GROUP_set_generator(group, P, order, x))
- {
- ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
- goto err;
- }
- if (seed_len)
- {
- if (!EC_GROUP_set_seed(group, params-seed_len, seed_len))
- {
- ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
- goto err;
- }
- }
- ok=1;
-err:
- if (!ok)
- {
- EC_GROUP_free(group);
- group = NULL;
- }
- if (P)
- EC_POINT_free(P);
- if (ctx)
- BN_CTX_free(ctx);
- if (p)
- BN_free(p);
- if (a)
- BN_free(a);
- if (b)
- BN_free(b);
- if (order)
- BN_free(order);
- if (x)
- BN_free(x);
- if (y)
- BN_free(y);
- return group;
- }
+ if ((P = EC_POINT_new(group)) == NULL) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+ goto err;
+ }
+
+ if (!(x = BN_bin2bn(params + 3 * param_len, param_len, NULL))
+ || !(y = BN_bin2bn(params + 4 * param_len, param_len, NULL))) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
+ goto err;
+ }
+ if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+ goto err;
+ }
+ if (!(order = BN_bin2bn(params + 5 * param_len, param_len, NULL))
+ || !BN_set_word(x, (BN_ULONG)data->cofactor)) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
+ goto err;
+ }
+ if (!EC_GROUP_set_generator(group, P, order, x)) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+ goto err;
+ }
+ if (seed_len) {
+ if (!EC_GROUP_set_seed(group, params - seed_len, seed_len)) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+ goto err;
+ }
+ }
+ ok = 1;
+ err:
+ if (!ok) {
+ EC_GROUP_free(group);
+ group = NULL;
+ }
+ if (P)
+ EC_POINT_free(P);
+ if (ctx)
+ BN_CTX_free(ctx);
+ if (p)
+ BN_free(p);
+ if (a)
+ BN_free(a);
+ if (b)
+ BN_free(b);
+ if (order)
+ BN_free(order);
+ if (x)
+ BN_free(x);
+ if (y)
+ BN_free(y);
+ return group;
+}
EC_GROUP *EC_GROUP_new_by_curve_name(int nid)
- {
- size_t i;
- EC_GROUP *ret = NULL;
+{
+ size_t i;
+ EC_GROUP *ret = NULL;
- if (nid <= 0)
- return NULL;
+ if (nid <= 0)
+ return NULL;
- for (i=0; i<curve_list_length; i++)
- if (curve_list[i].nid == nid)
- {
- ret = ec_group_new_from_data(curve_list[i]);
- break;
- }
+ for (i = 0; i < curve_list_length; i++)
+ if (curve_list[i].nid == nid) {
+ ret = ec_group_new_from_data(curve_list[i]);
+ break;
+ }
- if (ret == NULL)
- {
- ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_UNKNOWN_GROUP);
- return NULL;
- }
+ if (ret == NULL) {
+ ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_UNKNOWN_GROUP);
+ return NULL;
+ }
- EC_GROUP_set_curve_name(ret, nid);
+ EC_GROUP_set_curve_name(ret, nid);
- return ret;
- }
+ return ret;
+}
size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
- {
- size_t i, min;
+{
+ size_t i, min;
+
+ if (r == NULL || nitems == 0)
+ return curve_list_length;
+
+ min = nitems < curve_list_length ? nitems : curve_list_length;
- if (r == NULL || nitems == 0)
- return curve_list_length;
+ for (i = 0; i < min; i++) {
+ r[i].nid = curve_list[i].nid;
+ r[i].comment = curve_list[i].comment;
+ }
- min = nitems < curve_list_length ? nitems : curve_list_length;
+ return curve_list_length;
+}
+
+/* Functions to translate between common NIST curve names and NIDs */
+
+typedef struct {
+ const char *name; /* NIST Name of curve */
+ int nid; /* Curve NID */
+} EC_NIST_NAME;
+
+static EC_NIST_NAME nist_curves[] = {
+ {"B-163", NID_sect163r2},
+ {"B-233", NID_sect233r1},
+ {"B-283", NID_sect283r1},
+ {"B-409", NID_sect409r1},
+ {"B-571", NID_sect571r1},
+ {"K-163", NID_sect163k1},
+ {"K-233", NID_sect233k1},
+ {"K-283", NID_sect283k1},
+ {"K-409", NID_sect409k1},
+ {"K-571", NID_sect571k1},
+ {"P-192", NID_X9_62_prime192v1},
+ {"P-224", NID_secp224r1},
+ {"P-256", NID_X9_62_prime256v1},
+ {"P-384", NID_secp384r1},
+ {"P-521", NID_secp521r1}
+};
- for (i = 0; i < min; i++)
- {
- r[i].nid = curve_list[i].nid;
- r[i].comment = curve_list[i].comment;
- }
+const char *EC_curve_nid2nist(int nid)
+{
+ size_t i;
+ for (i = 0; i < sizeof(nist_curves) / sizeof(EC_NIST_NAME); i++) {
+ if (nist_curves[i].nid == nid)
+ return nist_curves[i].name;
+ }
+ return NULL;
+}
- return curve_list_length;
- }
+int EC_curve_nist2nid(const char *name)
+{
+ size_t i;
+ for (i = 0; i < sizeof(nist_curves) / sizeof(EC_NIST_NAME); i++) {
+ if (!strcmp(nist_curves[i].name, name))
+ return nist_curves[i].nid;
+ }
+ return NID_undef;
+}
diff --git a/ectest.c b/ectest.c
index 921edcd..71fef23 100644
--- a/ectest.c
+++ b/ectest.c
@@ -10,7 +10,7 @@
* are met:
*
* 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
@@ -58,13 +58,13 @@
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
*
- * Portions of the attached software ("Contribution") are developed by
+ * Portions of the attached software ("Contribution") are developed by
* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
*
* The Contribution is licensed pursuant to the OpenSSL open source
* license provided above.
*
- * The elliptic curve binary polynomial software is originally written by
+ * The elliptic curve binary polynomial software is originally written by
* Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
*
*/
@@ -72,671 +72,914 @@
#include <stdio.h>
#include <stdlib.h>
#ifdef FLAT_INC
-#include "e_os.h"
+# include "e_os.h"
#else
-#include "../e_os.h"
+# include "../e_os.h"
#endif
#include <string.h>
#include <time.h>
-
#ifdef OPENSSL_NO_EC
-int main(int argc, char * argv[]) { puts("Elliptic curves are disabled."); return 0; }
+int main(int argc, char *argv[])
+{
+ puts("Elliptic curves are disabled.");
+ return 0;
+}
#else
-
-#include <openssl/ec.h>
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
-#include <openssl/err.h>
-#include <openssl/obj_mac.h>
-#include <openssl/objects.h>
-#include <openssl/rand.h>
-#include <openssl/bn.h>
-#include <openssl/opensslconf.h>
-
-#if defined(_MSC_VER) && defined(_MIPS_) && (_MSC_VER/100==12)
+# include <openssl/ec.h>
+# ifndef OPENSSL_NO_ENGINE
+# include <openssl/engine.h>
+# endif
+# include <openssl/err.h>
+# include <openssl/obj_mac.h>
+# include <openssl/objects.h>
+# include <openssl/rand.h>
+# include <openssl/bn.h>
+# include <openssl/opensslconf.h>
+
+# if defined(_MSC_VER) && defined(_MIPS_) && (_MSC_VER/100==12)
/* suppress "too big too optimize" warning */
-#pragma warning(disable:4959)
-#endif
-
-#define ABORT do { \
- fflush(stdout); \
- fprintf(stderr, "%s:%d: ABORT\n", __FILE__, __LINE__); \
- ERR_print_errors_fp(stderr); \
- EXIT(1); \
+# pragma warning(disable:4959)
+# endif
+
+# define ABORT do { \
+ fflush(stdout); \
+ fprintf(stderr, "%s:%d: ABORT\n", __FILE__, __LINE__); \
+ ERR_print_errors_fp(stderr); \
+ EXIT(1); \
} while (0)
-#define TIMING_BASE_PT 0
-#define TIMING_RAND_PT 1
-#define TIMING_SIMUL 2
+# define TIMING_BASE_PT 0
+# define TIMING_RAND_PT 1
+# define TIMING_SIMUL 2
-#if 0
+# if 0
static void timings(EC_GROUP *group, int type, BN_CTX *ctx)
- {
- clock_t clck;
- int i, j;
- BIGNUM *s;
- BIGNUM *r[10], *r0[10];
- EC_POINT *P;
-
- s = BN_new();
- if (s == NULL) ABORT;
-
- fprintf(stdout, "Timings for %d-bit field, ", EC_GROUP_get_degree(group));
- if (!EC_GROUP_get_order(group, s, ctx)) ABORT;
- fprintf(stdout, "%d-bit scalars ", (int)BN_num_bits(s));
- fflush(stdout);
-
- P = EC_POINT_new(group);
- if (P == NULL) ABORT;
- EC_POINT_copy(P, EC_GROUP_get0_generator(group));
-
- for (i = 0; i < 10; i++)
- {
- if ((r[i] = BN_new()) == NULL) ABORT;
- if (!BN_pseudo_rand(r[i], BN_num_bits(s), 0, 0)) ABORT;
- if (type != TIMING_BASE_PT)
- {
- if ((r0[i] = BN_new()) == NULL) ABORT;
- if (!BN_pseudo_rand(r0[i], BN_num_bits(s), 0, 0)) ABORT;
- }
- }
-
- clck = clock();
- for (i = 0; i < 10; i++)
- {
- for (j = 0; j < 10; j++)
- {
- if (!EC_POINT_mul(group, P, (type != TIMING_RAND_PT) ? r[i] : NULL,
- (type != TIMING_BASE_PT) ? P : NULL, (type != TIMING_BASE_PT) ? r0[i] : NULL, ctx)) ABORT;
- }
- }
- clck = clock() - clck;
-
- fprintf(stdout, "\n");
-
-#ifdef CLOCKS_PER_SEC
- /* "To determine the time in seconds, the value returned
- * by the clock function should be divided by the value
- * of the macro CLOCKS_PER_SEC."
- * -- ISO/IEC 9899 */
-# define UNIT "s"
-#else
- /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
- * -- cc on NeXTstep/OpenStep */
-# define UNIT "units"
-# define CLOCKS_PER_SEC 1
-#endif
-
- if (type == TIMING_BASE_PT) {
- fprintf(stdout, "%i %s in %.2f " UNIT "\n", i*j,
- "base point multiplications", (double)clck/CLOCKS_PER_SEC);
- } else if (type == TIMING_RAND_PT) {
- fprintf(stdout, "%i %s in %.2f " UNIT "\n", i*j,
- "random point multiplications", (double)clck/CLOCKS_PER_SEC);
- } else if (type == TIMING_SIMUL) {
- fprintf(stdout, "%i %s in %.2f " UNIT "\n", i*j,
- "s*P+t*Q operations", (double)clck/CLOCKS_PER_SEC);
- }
- fprintf(stdout, "average: %.4f " UNIT "\n", (double)clck/(CLOCKS_PER_SEC*i*j));
-
- EC_POINT_free(P);
- BN_free(s);
- for (i = 0; i < 10; i++)
- {
- BN_free(r[i]);
- if (type != TIMING_BASE_PT) BN_free(r0[i]);
- }
- }
-#endif
+{
+ clock_t clck;
+ int i, j;
+ BIGNUM *s;
+ BIGNUM *r[10], *r0[10];
+ EC_POINT *P;
+
+ s = BN_new();
+ if (s == NULL)
+ ABORT;
+
+ fprintf(stdout, "Timings for %d-bit field, ", EC_GROUP_get_degree(group));
+ if (!EC_GROUP_get_order(group, s, ctx))
+ ABORT;
+ fprintf(stdout, "%d-bit scalars ", (int)BN_num_bits(s));
+ fflush(stdout);
+
+ P = EC_POINT_new(group);
+ if (P == NULL)
+ ABORT;
+ EC_POINT_copy(P, EC_GROUP_get0_generator(group));
+
+ for (i = 0; i < 10; i++) {
+ if ((r[i] = BN_new()) == NULL)
+ ABORT;
+ if (!BN_pseudo_rand(r[i], BN_num_bits(s), 0, 0))
+ ABORT;
+ if (type != TIMING_BASE_PT) {
+ if ((r0[i] = BN_new()) == NULL)
+ ABORT;
+ if (!BN_pseudo_rand(r0[i], BN_num_bits(s), 0, 0))
+ ABORT;
+ }
+ }
+
+ clck = clock();
+ for (i = 0; i < 10; i++) {
+ for (j = 0; j < 10; j++) {
+ if (!EC_POINT_mul
+ (group, P, (type != TIMING_RAND_PT) ? r[i] : NULL,
+ (type != TIMING_BASE_PT) ? P : NULL,
+ (type != TIMING_BASE_PT) ? r0[i] : NULL, ctx))
+ ABORT;
+ }
+ }
+ clck = clock() - clck;
+
+ fprintf(stdout, "\n");
+
+# ifdef CLOCKS_PER_SEC
+ /*
+ * "To determine the time in seconds, the value returned by the clock
+ * function should be divided by the value of the macro CLOCKS_PER_SEC."
+ * -- ISO/IEC 9899
+ */
+# define UNIT "s"
+# else
+ /*
+ * "`CLOCKS_PER_SEC' undeclared (first use this function)" -- cc on
+ * NeXTstep/OpenStep
+ */
+# define UNIT "units"
+# define CLOCKS_PER_SEC 1
+# endif
+
+ if (type == TIMING_BASE_PT) {
+ fprintf(stdout, "%i %s in %.2f " UNIT "\n", i * j,
+ "base point multiplications", (double)clck / CLOCKS_PER_SEC);
+ } else if (type == TIMING_RAND_PT) {
+ fprintf(stdout, "%i %s in %.2f " UNIT "\n", i * j,
+ "random point multiplications",
+ (double)clck / CLOCKS_PER_SEC);
+ } else if (type == TIMING_SIMUL) {
+ fprintf(stdout, "%i %s in %.2f " UNIT "\n", i * j,
+ "s*P+t*Q operations", (double)clck / CLOCKS_PER_SEC);
+ }
+ fprintf(stdout, "average: %.4f " UNIT "\n",
+ (double)clck / (CLOCKS_PER_SEC * i * j));
+
+ EC_POINT_free(P);
+ BN_free(s);
+ for (i = 0; i < 10; i++) {
+ BN_free(r[i]);
+ if (type != TIMING_BASE_PT)
+ BN_free(r0[i]);
+ }
+}
+# endif
/* test multiplication with group order, long and negative scalars */
static void group_order_tests(EC_GROUP *group)
- {
- BIGNUM *n1, *n2, *order;
- EC_POINT *P = EC_POINT_new(group);
- EC_POINT *Q = EC_POINT_new(group);
- BN_CTX *ctx = BN_CTX_new();
-
- n1 = BN_new(); n2 = BN_new(); order = BN_new();
- fprintf(stdout, "verify group order ...");
- fflush(stdout);
- if (!EC_GROUP_get_order(group, order, ctx)) ABORT;
- if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) ABORT;
- if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
- fprintf(stdout, ".");
- fflush(stdout);
- if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
- if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) ABORT;
- if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
- fprintf(stdout, " ok\n");
- fprintf(stdout, "long/negative scalar tests ... ");
- if (!BN_one(n1)) ABORT;
- /* n1 = 1 - order */
- if (!BN_sub(n1, n1, order)) ABORT;
- if(!EC_POINT_mul(group, Q, NULL, P, n1, ctx)) ABORT;
- if (0 != EC_POINT_cmp(group, Q, P, ctx)) ABORT;
- /* n2 = 1 + order */
- if (!BN_add(n2, order, BN_value_one())) ABORT;
- if(!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) ABORT;
- if (0 != EC_POINT_cmp(group, Q, P, ctx)) ABORT;
- /* n2 = (1 - order) * (1 + order) */
- if (!BN_mul(n2, n1, n2, ctx)) ABORT;
- if(!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) ABORT;
- if (0 != EC_POINT_cmp(group, Q, P, ctx)) ABORT;
- fprintf(stdout, "ok\n");
- EC_POINT_free(P);
- EC_POINT_free(Q);
- BN_free(n1);
- BN_free(n2);
- BN_free(order);
- BN_CTX_free(ctx);
- }
+{
+ BIGNUM *n1, *n2, *order;
+ EC_POINT *P = EC_POINT_new(group);
+ EC_POINT *Q = EC_POINT_new(group);
+ BN_CTX *ctx = BN_CTX_new();
+ int i;
+
+ n1 = BN_new();
+ n2 = BN_new();
+ order = BN_new();
+ fprintf(stdout, "verify group order ...");
+ fflush(stdout);
+ if (!EC_GROUP_get_order(group, order, ctx))
+ ABORT;
+ if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
+ ABORT;
+ if (!EC_POINT_is_at_infinity(group, Q))
+ ABORT;
+ fprintf(stdout, ".");
+ fflush(stdout);
+ if (!EC_GROUP_precompute_mult(group, ctx))
+ ABORT;
+ if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
+ ABORT;
+ if (!EC_POINT_is_at_infinity(group, Q))
+ ABORT;
+ fprintf(stdout, " ok\n");
+ fprintf(stdout, "long/negative scalar tests ");
+ for (i = 1; i <= 2; i++) {
+ const BIGNUM *scalars[6];
+ const EC_POINT *points[6];
+
+ fprintf(stdout, i == 1 ?
+ "allowing precomputation ... " :
+ "without precomputation ... ");
+ if (!BN_set_word(n1, i))
+ ABORT;
+ /*
+ * If i == 1, P will be the predefined generator for which
+ * EC_GROUP_precompute_mult has set up precomputation.
+ */
+ if (!EC_POINT_mul(group, P, n1, NULL, NULL, ctx))
+ ABORT;
+
+ if (!BN_one(n1))
+ ABORT;
+ /* n1 = 1 - order */
+ if (!BN_sub(n1, n1, order))
+ ABORT;
+ if (!EC_POINT_mul(group, Q, NULL, P, n1, ctx))
+ ABORT;
+ if (0 != EC_POINT_cmp(group, Q, P, ctx))
+ ABORT;
+
+ /* n2 = 1 + order */
+ if (!BN_add(n2, order, BN_value_one()))
+ ABORT;
+ if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx))
+ ABORT;
+ if (0 != EC_POINT_cmp(group, Q, P, ctx))
+ ABORT;
+
+ /* n2 = (1 - order) * (1 + order) = 1 - order^2 */
+ if (!BN_mul(n2, n1, n2, ctx))
+ ABORT;
+ if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx))
+ ABORT;
+ if (0 != EC_POINT_cmp(group, Q, P, ctx))
+ ABORT;
+
+ /* n2 = order^2 - 1 */
+ BN_set_negative(n2, 0);
+ if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx))
+ ABORT;
+ /* Add P to verify the result. */
+ if (!EC_POINT_add(group, Q, Q, P, ctx))
+ ABORT;
+ if (!EC_POINT_is_at_infinity(group, Q))
+ ABORT;
+
+ /* Exercise EC_POINTs_mul, including corner cases. */
+ if (EC_POINT_is_at_infinity(group, P))
+ ABORT;
+ scalars[0] = n1;
+ points[0] = Q; /* => infinity */
+ scalars[1] = n2;
+ points[1] = P; /* => -P */
+ scalars[2] = n1;
+ points[2] = Q; /* => infinity */
+ scalars[3] = n2;
+ points[3] = Q; /* => infinity */
+ scalars[4] = n1;
+ points[4] = P; /* => P */
+ scalars[5] = n2;
+ points[5] = Q; /* => infinity */
+ if (!EC_POINTs_mul(group, P, NULL, 6, points, scalars, ctx))
+ ABORT;
+ if (!EC_POINT_is_at_infinity(group, P))
+ ABORT;
+ }
+ fprintf(stdout, "ok\n");
+
+ EC_POINT_free(P);
+ EC_POINT_free(Q);
+ BN_free(n1);
+ BN_free(n2);
+ BN_free(order);
+ BN_CTX_free(ctx);
+}
static void prime_field_tests(void)
- {
- BN_CTX *ctx = NULL;
- BIGNUM *p, *a, *b;
- EC_GROUP *group;
- EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL, *P_256 = NULL, *P_384 = NULL, *P_521 = NULL;
- EC_POINT *P, *Q, *R;
- BIGNUM *x, *y, *z;
- unsigned char buf[100];
- size_t i, len;
- int k;
-
-#if 1 /* optional */
- ctx = BN_CTX_new();
- if (!ctx) ABORT;
-#endif
-
- p = BN_new();
- a = BN_new();
- b = BN_new();
- if (!p || !a || !b) ABORT;
-
- group = EC_GROUP_new(EC_GFp_mont_method()); /* applications should use EC_GROUP_new_curve_GFp
- * so that the library gets to choose the EC_METHOD */
- if (!group) ABORT;
-
- P = EC_POINT_new(group);
- Q = EC_POINT_new(group);
- R = EC_POINT_new(group);
- if (!P || !Q || !R) ABORT;
-
- x = BN_new();
- y = BN_new();
- z = BN_new();
- if (!x || !y || !z) ABORT;
-
-/* Curve P-256 (FIPS PUB 186-2, App. 6) */
-
- if (!BN_hex2bn(&p, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF")) ABORT;
- if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
- if (!BN_hex2bn(&a, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC")) ABORT;
- if (!BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B")) ABORT;
- if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
-
- if (!BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296")) ABORT;
- if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
- if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E"
- "84F3B9CAC2FC632551")) ABORT;
- if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
-
- if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
- fprintf(stdout, "\nNIST curve P-256 -- Generator:\n x = 0x");
- BN_print_fp(stdout, x);
- fprintf(stdout, "\n y = 0x");
- BN_print_fp(stdout, y);
- fprintf(stdout, "\n");
- /* G_y value taken from the standard: */
- if (!BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5")) ABORT;
- if (0 != BN_cmp(y, z)) ABORT;
-
- fprintf(stdout, "verify degree ...");
- if (EC_GROUP_get_degree(group) != 256) ABORT;
- fprintf(stdout, " ok\n");
-
- group_order_tests(group);
-
- if (!(P_256 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
- if (!EC_GROUP_copy(P_256, group)) ABORT;
-
-
- /* Curve P-384 (FIPS PUB 186-2, App. 6) */
-
- if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF")) ABORT;
- if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
- if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC")) ABORT;
- if (!BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141"
- "120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF")) ABORT;
- if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
-
- if (!BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B"
- "9859F741E082542A385502F25DBF55296C3A545E3872760AB7")) ABORT;
- if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
- if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973")) ABORT;
- if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
-
- if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
- fprintf(stdout, "\nNIST curve P-384 -- Generator:\n x = 0x");
- BN_print_fp(stdout, x);
- fprintf(stdout, "\n y = 0x");
- BN_print_fp(stdout, y);
- fprintf(stdout, "\n");
- /* G_y value taken from the standard: */
- if (!BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A14"
- "7CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F")) ABORT;
- if (0 != BN_cmp(y, z)) ABORT;
-
- fprintf(stdout, "verify degree ...");
- if (EC_GROUP_get_degree(group) != 384) ABORT;
- fprintf(stdout, " ok\n");
-
- group_order_tests(group);
-
- if (!(P_384 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
- if (!EC_GROUP_copy(P_384, group)) ABORT;
-
-
- /* Curve P-521 (FIPS PUB 186-2, App. 6) */
-
- if (!BN_hex2bn(&p, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFF")) ABORT;
- if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
- if (!BN_hex2bn(&a, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFC")) ABORT;
- if (!BN_hex2bn(&b, "051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B"
- "315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573"
- "DF883D2C34F1EF451FD46B503F00")) ABORT;
- if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
-
- if (!BN_hex2bn(&x, "C6858E06B70404E9CD9E3ECB662395B4429C648139053F"
- "B521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B"
- "3C1856A429BF97E7E31C2E5BD66")) ABORT;
- if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx)) ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
- if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5"
- "C9B8899C47AEBB6FB71E91386409")) ABORT;
- if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
-
- if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
- fprintf(stdout, "\nNIST curve P-521 -- Generator:\n x = 0x");
- BN_print_fp(stdout, x);
- fprintf(stdout, "\n y = 0x");
- BN_print_fp(stdout, y);
- fprintf(stdout, "\n");
- /* G_y value taken from the standard: */
- if (!BN_hex2bn(&z, "11839296A789A3BC0045C8A5FB42C7D1BD998F54449579"
- "B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C"
- "7086A272C24088BE94769FD16650")) ABORT;
- if (0 != BN_cmp(y, z)) ABORT;
-
- fprintf(stdout, "verify degree ...");
- if (EC_GROUP_get_degree(group) != 521) ABORT;
- fprintf(stdout, " ok\n");
-
- group_order_tests(group);
-
- if (!(P_521 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
- if (!EC_GROUP_copy(P_521, group)) ABORT;
-
-
- /* more tests using the last curve */
-
- if (!EC_POINT_copy(Q, P)) ABORT;
- if (EC_POINT_is_at_infinity(group, Q)) ABORT;
- if (!EC_POINT_dbl(group, P, P, ctx)) ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
- if (!EC_POINT_invert(group, Q, ctx)) ABORT; /* P = -2Q */
-
- if (!EC_POINT_add(group, R, P, Q, ctx)) ABORT;
- if (!EC_POINT_add(group, R, R, Q, ctx)) ABORT;
- if (!EC_POINT_is_at_infinity(group, R)) ABORT; /* R = P + 2Q */
-
- {
- const EC_POINT *points[4];
- const BIGNUM *scalars[4];
- BIGNUM scalar3;
-
- if (EC_POINT_is_at_infinity(group, Q)) ABORT;
- points[0] = Q;
- points[1] = Q;
- points[2] = Q;
- points[3] = Q;
-
- if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
- if (!BN_add(y, z, BN_value_one())) ABORT;
- if (BN_is_odd(y)) ABORT;
- if (!BN_rshift1(y, y)) ABORT;
- scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
- scalars[1] = y;
-
- fprintf(stdout, "combined multiplication ...");
- fflush(stdout);
-
- /* z is still the group order */
- if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT;
- if (!EC_POINTs_mul(group, R, z, 2, points, scalars, ctx)) ABORT;
- if (0 != EC_POINT_cmp(group, P, R, ctx)) ABORT;
- if (0 != EC_POINT_cmp(group, R, Q, ctx)) ABORT;
-
- fprintf(stdout, ".");
- fflush(stdout);
-
- if (!BN_pseudo_rand(y, BN_num_bits(y), 0, 0)) ABORT;
- if (!BN_add(z, z, y)) ABORT;
- BN_set_negative(z, 1);
- scalars[0] = y;
- scalars[1] = z; /* z = -(order + y) */
-
- if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT;
- if (!EC_POINT_is_at_infinity(group, P)) ABORT;
-
- fprintf(stdout, ".");
- fflush(stdout);
-
- if (!BN_pseudo_rand(x, BN_num_bits(y) - 1, 0, 0)) ABORT;
- if (!BN_add(z, x, y)) ABORT;
- BN_set_negative(z, 1);
- scalars[0] = x;
- scalars[1] = y;
- scalars[2] = z; /* z = -(x+y) */
-
- BN_init(&scalar3);
- BN_zero(&scalar3);
- scalars[3] = &scalar3;
-
- if (!EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx)) ABORT;
- if (!EC_POINT_is_at_infinity(group, P)) ABORT;
-
- fprintf(stdout, " ok\n\n");
-
- BN_free(&scalar3);
- }
-
-
-#if 0
- timings(P_256, TIMING_BASE_PT, ctx);
- timings(P_256, TIMING_RAND_PT, ctx);
- timings(P_256, TIMING_SIMUL, ctx);
- timings(P_384, TIMING_BASE_PT, ctx);
- timings(P_384, TIMING_RAND_PT, ctx);
- timings(P_384, TIMING_SIMUL, ctx);
-#endif
-
-
- if (ctx)
- BN_CTX_free(ctx);
- BN_free(p); BN_free(a); BN_free(b);
- EC_GROUP_free(group);
- EC_POINT_free(P);
- EC_POINT_free(Q);
- EC_POINT_free(R);
- BN_free(x); BN_free(y); BN_free(z);
-
- if (P_160) EC_GROUP_free(P_160);
- if (P_192) EC_GROUP_free(P_192);
- if (P_224) EC_GROUP_free(P_224);
- if (P_256) EC_GROUP_free(P_256);
- if (P_384) EC_GROUP_free(P_384);
- if (P_521) EC_GROUP_free(P_521);
-
- }
+{
+ BN_CTX *ctx = NULL;
+ BIGNUM *p, *a, *b;
+ EC_GROUP *group;
+ EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL, *P_256 =
+ NULL, *P_384 = NULL, *P_521 = NULL;
+ EC_POINT *P, *Q, *R;
+ BIGNUM *x, *y, *z;
+ unsigned char buf[100];
+ size_t i, len;
+ int k;
+
+# if 1 /* optional */
+ ctx = BN_CTX_new();
+ if (!ctx)
+ ABORT;
+# endif
+
+ p = BN_new();
+ a = BN_new();
+ b = BN_new();
+ if (!p || !a || !b)
+ ABORT;
+
+ group = EC_GROUP_new(EC_GFp_mont_method()); /* applications should use
+ * EC_GROUP_new_curve_GFp so
+ * that the library gets to
+ * choose the EC_METHOD */
+ if (!group)
+ ABORT;
+
+ P = EC_POINT_new(group);
+ Q = EC_POINT_new(group);
+ R = EC_POINT_new(group);
+ if (!P || !Q || !R)
+ ABORT;
+
+ x = BN_new();
+ y = BN_new();
+ z = BN_new();
+ if (!x || !y || !z)
+ ABORT;
+
+ /* Curve P-256 (FIPS PUB 186-2, App. 6) */
+
+ if (!BN_hex2bn
+ (&p,
+ "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF"))
+ ABORT;
+ if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
+ ABORT;
+ if (!BN_hex2bn
+ (&a,
+ "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC"))
+ ABORT;
+ if (!BN_hex2bn
+ (&b,
+ "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B"))
+ ABORT;
+ if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
+ ABORT;
+
+ if (!BN_hex2bn
+ (&x,
+ "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296"))
+ ABORT;
+ if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
+ ABORT;
+ if (!EC_POINT_is_on_curve(group, P, ctx))
+ ABORT;
+ if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E"
+ "84F3B9CAC2FC632551"))
+ ABORT;
+ if (!EC_GROUP_set_generator(group, P, z, BN_value_one()))
+ ABORT;
+
+ if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx))
+ ABORT;
+ fprintf(stdout, "\nNIST curve P-256 -- Generator:\n x = 0x");
+ BN_print_fp(stdout, x);
+ fprintf(stdout, "\n y = 0x");
+ BN_print_fp(stdout, y);
+ fprintf(stdout, "\n");
+ /* G_y value taken from the standard: */
+ if (!BN_hex2bn
+ (&z,
+ "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5"))
+ ABORT;
+ if (0 != BN_cmp(y, z))
+ ABORT;
+
+ fprintf(stdout, "verify degree ...");
+ if (EC_GROUP_get_degree(group) != 256)
+ ABORT;
+ fprintf(stdout, " ok\n");
+
+ group_order_tests(group);
+
+ if (!(P_256 = EC_GROUP_new(EC_GROUP_method_of(group))))
+ ABORT;
+ if (!EC_GROUP_copy(P_256, group))
+ ABORT;
+
+ /* Curve P-384 (FIPS PUB 186-2, App. 6) */
+
+ if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF"))
+ ABORT;
+ if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
+ ABORT;
+ if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC"))
+ ABORT;
+ if (!BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141"
+ "120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF"))
+ ABORT;
+ if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
+ ABORT;
+
+ if (!BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B"
+ "9859F741E082542A385502F25DBF55296C3A545E3872760AB7"))
+ ABORT;
+ if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
+ ABORT;
+ if (!EC_POINT_is_on_curve(group, P, ctx))
+ ABORT;
+ if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973"))
+ ABORT;
+ if (!EC_GROUP_set_generator(group, P, z, BN_value_one()))
+ ABORT;
+
+ if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx))
+ ABORT;
+ fprintf(stdout, "\nNIST curve P-384 -- Generator:\n x = 0x");
+ BN_print_fp(stdout, x);
+ fprintf(stdout, "\n y = 0x");
+ BN_print_fp(stdout, y);
+ fprintf(stdout, "\n");
+ /* G_y value taken from the standard: */
+ if (!BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A14"
+ "7CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F"))
+ ABORT;
+ if (0 != BN_cmp(y, z))
+ ABORT;
+
+ fprintf(stdout, "verify degree ...");
+ if (EC_GROUP_get_degree(group) != 384)
+ ABORT;
+ fprintf(stdout, " ok\n");
+
+ group_order_tests(group);
+
+ if (!(P_384 = EC_GROUP_new(EC_GROUP_method_of(group))))
+ ABORT;
+ if (!EC_GROUP_copy(P_384, group))
+ ABORT;
+
+ /* Curve P-521 (FIPS PUB 186-2, App. 6) */
+
+ if (!BN_hex2bn(&p, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFF"))
+ ABORT;
+ if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
+ ABORT;
+ if (!BN_hex2bn(&a, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFC"))
+ ABORT;
+ if (!BN_hex2bn(&b, "051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B"
+ "315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573"
+ "DF883D2C34F1EF451FD46B503F00"))
+ ABORT;
+ if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
+ ABORT;
+
+ if (!BN_hex2bn(&x, "C6858E06B70404E9CD9E3ECB662395B4429C648139053F"
+ "B521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B"
+ "3C1856A429BF97E7E31C2E5BD66"))
+ ABORT;
+ if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx))
+ ABORT;
+ if (!EC_POINT_is_on_curve(group, P, ctx))
+ ABORT;
+ if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5"
+ "C9B8899C47AEBB6FB71E91386409"))
+ ABORT;
+ if (!EC_GROUP_set_generator(group, P, z, BN_value_one()))
+ ABORT;
+
+ if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx))
+ ABORT;
+ fprintf(stdout, "\nNIST curve P-521 -- Generator:\n x = 0x");
+ BN_print_fp(stdout, x);
+ fprintf(stdout, "\n y = 0x");
+ BN_print_fp(stdout, y);
+ fprintf(stdout, "\n");
+ /* G_y value taken from the standard: */
+ if (!BN_hex2bn(&z, "11839296A789A3BC0045C8A5FB42C7D1BD998F54449579"
+ "B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C"
+ "7086A272C24088BE94769FD16650"))
+ ABORT;
+ if (0 != BN_cmp(y, z))
+ ABORT;
+
+ fprintf(stdout, "verify degree ...");
+ if (EC_GROUP_get_degree(group) != 521)
+ ABORT;
+ fprintf(stdout, " ok\n");
+
+ group_order_tests(group);
+
+ if (!(P_521 = EC_GROUP_new(EC_GROUP_method_of(group))))
+ ABORT;
+ if (!EC_GROUP_copy(P_521, group))
+ ABORT;
+
+ /* more tests using the last curve */
+
+ if (!EC_POINT_copy(Q, P))
+ ABORT;
+ if (EC_POINT_is_at_infinity(group, Q))
+ ABORT;
+ if (!EC_POINT_dbl(group, P, P, ctx))
+ ABORT;
+ if (!EC_POINT_is_on_curve(group, P, ctx))
+ ABORT;
+ if (!EC_POINT_invert(group, Q, ctx))
+ ABORT; /* P = -2Q */
+
+ if (!EC_POINT_add(group, R, P, Q, ctx))
+ ABORT;
+ if (!EC_POINT_add(group, R, R, Q, ctx))
+ ABORT;
+ if (!EC_POINT_is_at_infinity(group, R))
+ ABORT; /* R = P + 2Q */
+
+ {
+ const EC_POINT *points[4];
+ const BIGNUM *scalars[4];
+ BIGNUM scalar3;
+
+ if (EC_POINT_is_at_infinity(group, Q))
+ ABORT;
+ points[0] = Q;
+ points[1] = Q;
+ points[2] = Q;
+ points[3] = Q;
+
+ if (!EC_GROUP_get_order(group, z, ctx))
+ ABORT;
+ if (!BN_add(y, z, BN_value_one()))
+ ABORT;
+ if (BN_is_odd(y))
+ ABORT;
+ if (!BN_rshift1(y, y))
+ ABORT;
+ scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
+ scalars[1] = y;
+
+ fprintf(stdout, "combined multiplication ...");
+ fflush(stdout);
+
+ /* z is still the group order */
+ if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
+ ABORT;
+ if (!EC_POINTs_mul(group, R, z, 2, points, scalars, ctx))
+ ABORT;
+ if (0 != EC_POINT_cmp(group, P, R, ctx))
+ ABORT;
+ if (0 != EC_POINT_cmp(group, R, Q, ctx))
+ ABORT;
+
+ fprintf(stdout, ".");
+ fflush(stdout);
+
+ if (!BN_pseudo_rand(y, BN_num_bits(y), 0, 0))
+ ABORT;
+ if (!BN_add(z, z, y))
+ ABORT;
+ BN_set_negative(z, 1);
+ scalars[0] = y;
+ scalars[1] = z; /* z = -(order + y) */
+
+ if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx))
+ ABORT;
+ if (!EC_POINT_is_at_infinity(group, P))
+ ABORT;
+
+ fprintf(stdout, ".");
+ fflush(stdout);
+
+ if (!BN_pseudo_rand(x, BN_num_bits(y) - 1, 0, 0))
+ ABORT;
+ if (!BN_add(z, x, y))
+ ABORT;
+ BN_set_negative(z, 1);
+ scalars[0] = x;
+ scalars[1] = y;
+ scalars[2] = z; /* z = -(x+y) */
+
+ BN_init(&scalar3);
+ BN_zero(&scalar3);
+ scalars[3] = &scalar3;
+
+ if (!EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx))
+ ABORT;
+ if (!EC_POINT_is_at_infinity(group, P))
+ ABORT;
+
+ fprintf(stdout, " ok\n\n");
+
+ BN_free(&scalar3);
+ }
+
+# if 0
+ timings(P_256, TIMING_BASE_PT, ctx);
+ timings(P_256, TIMING_RAND_PT, ctx);
+ timings(P_256, TIMING_SIMUL, ctx);
+ timings(P_384, TIMING_BASE_PT, ctx);
+ timings(P_384, TIMING_RAND_PT, ctx);
+ timings(P_384, TIMING_SIMUL, ctx);
+ timings(P_521, TIMING_BASE_PT, ctx);
+ timings(P_521, TIMING_RAND_PT, ctx);
+ timings(P_521, TIMING_SIMUL, ctx);
+# endif
+
+ if (ctx)
+ BN_CTX_free(ctx);
+ BN_free(p);
+ BN_free(a);
+ BN_free(b);
+ EC_GROUP_free(group);
+ EC_POINT_free(P);
+ EC_POINT_free(Q);
+ EC_POINT_free(R);
+ BN_free(x);
+ BN_free(y);
+ BN_free(z);
+
+ if (P_160)
+ EC_GROUP_free(P_160);
+ if (P_192)
+ EC_GROUP_free(P_192);
+ if (P_224)
+ EC_GROUP_free(P_224);
+ if (P_256)
+ EC_GROUP_free(P_256);
+ if (P_384)
+ EC_GROUP_free(P_384);
+ if (P_521)
+ EC_GROUP_free(P_521);
+
+}
static void internal_curve_test(void)
- {
- EC_builtin_curve *curves = NULL;
- size_t crv_len = 0, n = 0;
- int ok = 1;
-
- crv_len = EC_get_builtin_curves(NULL, 0);
-
- curves = OPENSSL_malloc(sizeof(EC_builtin_curve) * crv_len);
-
- if (curves == NULL)
- return;
-
- if (!EC_get_builtin_curves(curves, crv_len))
- {
- OPENSSL_free(curves);
- return;
- }
-
- fprintf(stdout, "testing internal curves: ");
-
- for (n = 0; n < crv_len; n++)
- {
- EC_GROUP *group = NULL;
- int nid = curves[n].nid;
- if ((group = EC_GROUP_new_by_curve_name(nid)) == NULL)
- {
- ok = 0;
- fprintf(stdout, "\nEC_GROUP_new_curve_name() failed with"
- " curve %s\n", OBJ_nid2sn(nid));
- /* try next curve */
- continue;
- }
- if (!EC_GROUP_check(group, NULL))
- {
- ok = 0;
- fprintf(stdout, "\nEC_GROUP_check() failed with"
- " curve %s\n", OBJ_nid2sn(nid));
- EC_GROUP_free(group);
- /* try the next curve */
- continue;
- }
- fprintf(stdout, ".");
- fflush(stdout);
- EC_GROUP_free(group);
- }
- if (ok)
- fprintf(stdout, " ok\n\n");
- else
- {
- fprintf(stdout, " failed\n\n");
- ABORT;
- }
- OPENSSL_free(curves);
- return;
- }
-
-#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
-/* nistp_test_params contains magic numbers for testing our optimized
- * implementations of several NIST curves with characteristic > 3. */
-struct nistp_test_params
- {
- const EC_METHOD* (*meth) ();
- int degree;
- /* Qx, Qy and D are taken from
- * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf
- * Otherwise, values are standard curve parameters from FIPS 180-3 */
- const char *p, *a, *b, *Qx, *Qy, *Gx, *Gy, *order, *d;
- };
-
-static const struct nistp_test_params nistp_tests_params[] =
- {
- {
- /* P-256 */
- EC_GFp_nistp256_method,
- 256,
- "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", /* p */
- "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", /* a */
- "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", /* b */
- "b7e08afdfe94bad3f1dc8c734798ba1c62b3a0ad1e9ea2a38201cd0889bc7a19", /* Qx */
- "3603f747959dbf7a4bb226e41928729063adc7ae43529e61b563bbc606cc5e09", /* Qy */
- "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", /* Gx */
- "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", /* Gy */
- "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", /* order */
- "c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96", /* d */
- },
- };
-
-void nistp_single_test(const struct nistp_test_params *test)
- {
- BN_CTX *ctx;
- BIGNUM *p, *a, *b, *x, *y, *n, *m, *order;
- EC_GROUP *NISTP;
- EC_POINT *G, *P, *Q, *Q_CHECK;
-
- fprintf(stdout, "\nNIST curve P-%d (optimised implementation):\n", test->degree);
- ctx = BN_CTX_new();
- p = BN_new();
- a = BN_new();
- b = BN_new();
- x = BN_new(); y = BN_new();
- m = BN_new(); n = BN_new(); order = BN_new();
-
- NISTP = EC_GROUP_new(test->meth());
- if(!NISTP) ABORT;
- if (!BN_hex2bn(&p, test->p)) ABORT;
- if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
- if (!BN_hex2bn(&a, test->a)) ABORT;
- if (!BN_hex2bn(&b, test->b)) ABORT;
- if (!EC_GROUP_set_curve_GFp(NISTP, p, a, b, ctx)) ABORT;
- G = EC_POINT_new(NISTP);
- P = EC_POINT_new(NISTP);
- Q = EC_POINT_new(NISTP);
- Q_CHECK = EC_POINT_new(NISTP);
- if(!BN_hex2bn(&x, test->Qx)) ABORT;
- if(!BN_hex2bn(&y, test->Qy)) ABORT;
- if(!EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, y, ctx)) ABORT;
- if (!BN_hex2bn(&x, test->Gx)) ABORT;
- if (!BN_hex2bn(&y, test->Gy)) ABORT;
- if (!EC_POINT_set_affine_coordinates_GFp(NISTP, G, x, y, ctx)) ABORT;
- if (!BN_hex2bn(&order, test->order)) ABORT;
- if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one())) ABORT;
-
- fprintf(stdout, "verify degree ... ");
- if (EC_GROUP_get_degree(NISTP) != test->degree) ABORT;
- fprintf(stdout, "ok\n");
-
- fprintf(stdout, "NIST test vectors ... ");
- if (!BN_hex2bn(&n, test->d)) ABORT;
- /* fixed point multiplication */
- EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
- /* random point multiplication */
- EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
-
- /* set generator to P = 2*G, where G is the standard generator */
- if (!EC_POINT_dbl(NISTP, P, G, ctx)) ABORT;
- if (!EC_GROUP_set_generator(NISTP, P, order, BN_value_one())) ABORT;
- /* set the scalar to m=n/2, where n is the NIST test scalar */
- if (!BN_rshift(m, n, 1)) ABORT;
-
- /* test the non-standard generator */
- /* fixed point multiplication */
- EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
- /* random point multiplication */
- EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
-
- /* now repeat all tests with precomputation */
- if (!EC_GROUP_precompute_mult(NISTP, ctx)) ABORT;
-
- /* fixed point multiplication */
- EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
- /* random point multiplication */
- EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
-
- /* reset generator */
- if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one())) ABORT;
- /* fixed point multiplication */
- EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
- /* random point multiplication */
- EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
- if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
-
- fprintf(stdout, "ok\n");
- group_order_tests(NISTP);
-#if 0
- timings(NISTP, TIMING_BASE_PT, ctx);
- timings(NISTP, TIMING_RAND_PT, ctx);
-#endif
- EC_GROUP_free(NISTP);
- EC_POINT_free(G);
- EC_POINT_free(P);
- EC_POINT_free(Q);
- EC_POINT_free(Q_CHECK);
- BN_free(n);
- BN_free(m);
- BN_free(p);
- BN_free(a);
- BN_free(b);
- BN_free(x);
- BN_free(y);
- BN_free(order);
- BN_CTX_free(ctx);
- }
-
-void nistp_tests()
- {
- unsigned i;
-
- for (i = 0; i < sizeof(nistp_tests_params) / sizeof(struct nistp_test_params); i++)
- {
- nistp_single_test(&nistp_tests_params[i]);
- }
- }
-#endif
-
-static const char rnd_seed[] = "string to make the random number generator think it has entropy";
+{
+ EC_builtin_curve *curves = NULL;
+ size_t crv_len = 0, n = 0;
+ int ok = 1;
+
+ crv_len = EC_get_builtin_curves(NULL, 0);
+
+ curves = OPENSSL_malloc(sizeof(EC_builtin_curve) * crv_len);
+
+ if (curves == NULL)
+ return;
+
+ if (!EC_get_builtin_curves(curves, crv_len)) {
+ OPENSSL_free(curves);
+ return;
+ }
+
+ fprintf(stdout, "testing internal curves: ");
+
+ for (n = 0; n < crv_len; n++) {
+ EC_GROUP *group = NULL;
+ int nid = curves[n].nid;
+ if ((group = EC_GROUP_new_by_curve_name(nid)) == NULL) {
+ ok = 0;
+ fprintf(stdout, "\nEC_GROUP_new_curve_name() failed with"
+ " curve %s\n", OBJ_nid2sn(nid));
+ /* try next curve */
+ continue;
+ }
+ if (!EC_GROUP_check(group, NULL)) {
+ ok = 0;
+ fprintf(stdout, "\nEC_GROUP_check() failed with"
+ " curve %s\n", OBJ_nid2sn(nid));
+ EC_GROUP_free(group);
+ /* try the next curve */
+ continue;
+ }
+ fprintf(stdout, ".");
+ fflush(stdout);
+ EC_GROUP_free(group);
+ }
+ if (ok)
+ fprintf(stdout, " ok\n\n");
+ else {
+ fprintf(stdout, " failed\n\n");
+ ABORT;
+ }
+ OPENSSL_free(curves);
+ return;
+}
+
+# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+/*
+ * nistp_test_params contains magic numbers for testing our optimized
+ * implementations of several NIST curves with characteristic > 3.
+ */
+struct nistp_test_params {
+ const EC_METHOD *(*meth) ();
+ int degree;
+ /*
+ * Qx, Qy and D are taken from
+ * http://csrcdocut.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf
+ * Otherwise, values are standard curve parameters from FIPS 180-3
+ */
+ const char *p, *a, *b, *Qx, *Qy, *Gx, *Gy, *order, *d;
+};
+
+static const struct nistp_test_params nistp_tests_params[] = {
+ {
+ /* P-256 */
+ EC_GFp_nistp256_method,
+ 256,
+ /* p */
+ "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff",
+ /* a */
+ "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc",
+ /* b */
+ "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b",
+ /* Qx */
+ "b7e08afdfe94bad3f1dc8c734798ba1c62b3a0ad1e9ea2a38201cd0889bc7a19",
+ /* Qy */
+ "3603f747959dbf7a4bb226e41928729063adc7ae43529e61b563bbc606cc5e09",
+ /* Gx */
+ "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
+ /* Gy */
+ "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5",
+ /* order */
+ "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551",
+ /* d */
+ "c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96",
+ },
+ {
+ /* P-521 */
+ EC_GFp_nistp521_method,
+ 521,
+ /* p */
+ "1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ /* a */
+ "1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc",
+ /* b */
+ "051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00",
+ /* Qx */
+ "0098e91eef9a68452822309c52fab453f5f117c1da8ed796b255e9ab8f6410cca16e59df403a6bdc6ca467a37056b1e54b3005d8ac030decfeb68df18b171885d5c4",
+ /* Qy */
+ "0164350c321aecfc1cca1ba4364c9b15656150b4b78d6a48d7d28e7f31985ef17be8554376b72900712c4b83ad668327231526e313f5f092999a4632fd50d946bc2e",
+ /* Gx */
+ "c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66",
+ /* Gy */
+ "11839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650",
+ /* order */
+ "1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409",
+ /* d */
+ "0100085f47b8e1b8b11b7eb33028c0b2888e304bfc98501955b45bba1478dc184eeedf09b86a5f7c21994406072787205e69a63709fe35aa93ba333514b24f961722",
+ },
+};
+
+static void nistp_single_test(const struct nistp_test_params *test)
+{
+ BN_CTX *ctx;
+ BIGNUM *p, *a, *b, *x, *y, *n, *m, *order;
+ EC_GROUP *NISTP;
+ EC_POINT *G, *P, *Q, *Q_CHECK;
+
+ fprintf(stdout, "\nNIST curve P-%d (optimised implementation):\n",
+ test->degree);
+ ctx = BN_CTX_new();
+ p = BN_new();
+ a = BN_new();
+ b = BN_new();
+ x = BN_new();
+ y = BN_new();
+ m = BN_new();
+ n = BN_new();
+ order = BN_new();
+
+ NISTP = EC_GROUP_new(test->meth());
+ if (!NISTP)
+ ABORT;
+ if (!BN_hex2bn(&p, test->p))
+ ABORT;
+ if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
+ ABORT;
+ if (!BN_hex2bn(&a, test->a))
+ ABORT;
+ if (!BN_hex2bn(&b, test->b))
+ ABORT;
+ if (!EC_GROUP_set_curve_GFp(NISTP, p, a, b, ctx))
+ ABORT;
+ G = EC_POINT_new(NISTP);
+ P = EC_POINT_new(NISTP);
+ Q = EC_POINT_new(NISTP);
+ Q_CHECK = EC_POINT_new(NISTP);
+ if (!BN_hex2bn(&x, test->Qx))
+ ABORT;
+ if (!BN_hex2bn(&y, test->Qy))
+ ABORT;
+ if (!EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, y, ctx))
+ ABORT;
+ if (!BN_hex2bn(&x, test->Gx))
+ ABORT;
+ if (!BN_hex2bn(&y, test->Gy))
+ ABORT;
+ if (!EC_POINT_set_affine_coordinates_GFp(NISTP, G, x, y, ctx))
+ ABORT;
+ if (!BN_hex2bn(&order, test->order))
+ ABORT;
+ if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))
+ ABORT;
+
+ fprintf(stdout, "verify degree ... ");
+ if (EC_GROUP_get_degree(NISTP) != test->degree)
+ ABORT;
+ fprintf(stdout, "ok\n");
+
+ fprintf(stdout, "NIST test vectors ... ");
+ if (!BN_hex2bn(&n, test->d))
+ ABORT;
+ /* fixed point multiplication */
+ EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
+ if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
+ ABORT;
+ /* random point multiplication */
+ EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
+ if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
+ ABORT;
+
+ /* set generator to P = 2*G, where G is the standard generator */
+ if (!EC_POINT_dbl(NISTP, P, G, ctx))
+ ABORT;
+ if (!EC_GROUP_set_generator(NISTP, P, order, BN_value_one()))
+ ABORT;
+ /* set the scalar to m=n/2, where n is the NIST test scalar */
+ if (!BN_rshift(m, n, 1))
+ ABORT;
+
+ /* test the non-standard generator */
+ /* fixed point multiplication */
+ EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
+ if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
+ ABORT;
+ /* random point multiplication */
+ EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
+ if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
+ ABORT;
+
+ /* now repeat all tests with precomputation */
+ if (!EC_GROUP_precompute_mult(NISTP, ctx))
+ ABORT;
+
+ /* fixed point multiplication */
+ EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
+ if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
+ ABORT;
+ /* random point multiplication */
+ EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
+ if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
+ ABORT;
+
+ /* reset generator */
+ if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))
+ ABORT;
+ /* fixed point multiplication */
+ EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
+ if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
+ ABORT;
+ /* random point multiplication */
+ EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
+ if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))
+ ABORT;
+
+ fprintf(stdout, "ok\n");
+ group_order_tests(NISTP);
+# if 0
+ timings(NISTP, TIMING_BASE_PT, ctx);
+ timings(NISTP, TIMING_RAND_PT, ctx);
+# endif
+ EC_GROUP_free(NISTP);
+ EC_POINT_free(G);
+ EC_POINT_free(P);
+ EC_POINT_free(Q);
+ EC_POINT_free(Q_CHECK);
+ BN_free(n);
+ BN_free(m);
+ BN_free(p);
+ BN_free(a);
+ BN_free(b);
+ BN_free(x);
+ BN_free(y);
+ BN_free(order);
+ BN_CTX_free(ctx);
+}
+
+static void nistp_tests()
+{
+ unsigned i;
+
+ for (i = 0;
+ i < sizeof(nistp_tests_params) / sizeof(struct nistp_test_params);
+ i++) {
+ nistp_single_test(&nistp_tests_params[i]);
+ }
+}
+# endif
+
+static const char rnd_seed[] =
+ "string to make the random number generator think it has entropy";
int main(int argc, char *argv[])
- {
-
- /* enable memory leak checking unless explicitly disabled */
- if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
- {
- CRYPTO_malloc_debug_init();
- CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
- }
- else
- {
- /* OPENSSL_DEBUG_MEMORY=off */
- CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
- }
- CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
- ERR_load_crypto_strings();
-
- RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_generate_prime may fail */
-
- prime_field_tests();
- puts("");
-#ifndef OPENSSL_NO_EC2M
- char2_field_tests();
-#endif
-#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
- nistp_tests();
-#endif
- /* test the internal curves */
- internal_curve_test();
-
-#ifndef OPENSSL_NO_ENGINE
- ENGINE_cleanup();
-#endif
- CRYPTO_cleanup_all_ex_data();
- ERR_free_strings();
- ERR_remove_thread_state(NULL);
- CRYPTO_mem_leaks_fp(stderr);
-
- return 0;
- }
+{
+
+ /* enable memory leak checking unless explicitly disabled */
+ if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL)
+ && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off")))) {
+ CRYPTO_malloc_debug_init();
+ CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
+ } else {
+ /* OPENSSL_DEBUG_MEMORY=off */
+ CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
+ }
+ CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+ ERR_load_crypto_strings();
+
+ RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_generate_prime may fail */
+
+ prime_field_tests();
+ puts("");
+# ifndef OPENSSL_NO_EC2M
+ char2_field_tests();
+# endif
+# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+ nistp_tests();
+# endif
+ /* test the internal curves */
+ internal_curve_test();
+
+# ifndef OPENSSL_NO_ENGINE
+ ENGINE_cleanup();
+# endif
+ CRYPTO_cleanup_all_ex_data();
+ ERR_free_strings();
+ ERR_remove_thread_state(NULL);
+ CRYPTO_mem_leaks_fp(stderr);
+
+ return 0;
+}
#endif
diff --git a/hobble-openssl b/hobble-openssl
index 3c75ea1..16d148c 100755
--- a/hobble-openssl
+++ b/hobble-openssl
@@ -31,7 +31,7 @@ for c in `find crypto/bn -name "*gf2m.c"`; do
> $c
done
-for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c" -o -name "ecp_nistp?2?.c" -o -name "ectest.c"`; do
+for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c" -o -name "ecp_nistp22?.c" -o -name "ectest.c"`; do
echo Destroying $c
> $c
done
diff --git a/mingw-openssl-fix-fips-build-failure.patch b/mingw-openssl-fix-fips-build-failure.patch
index 34877bd..fccae0f 100644
--- a/mingw-openssl-fix-fips-build-failure.patch
+++ b/mingw-openssl-fix-fips-build-failure.patch
@@ -9,16 +9,15 @@
#include <string.h>
#include <openssl/err.h>
#include <openssl/fips.h>
-@@ -54,9 +56,6 @@
+@@ -54,8 +56,6 @@
#include <openssl/fips_rand.h>
#include "fips_locl.h"
-#ifdef OPENSSL_FIPS
-
--
-
- typedef struct
- {
+ typedef struct {
+ unsigned char DT[16];
+ unsigned char V[16];
--- openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c.orig 2012-11-03 20:03:20.546180631 +0100
+++ openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c 2012-11-03 20:03:46.069328396 +0100
@@ -47,6 +47,8 @@
@@ -37,8 +36,8 @@
-#ifdef OPENSSL_FIPS
-
static const unsigned char dsa_test_2048_p[] = {
- 0xa8,0x53,0x78,0xd8,0xfd,0x3f,0x8d,0x72,0xec,0x74,0x18,0x08,
- 0x0d,0xa2,0x13,0x17,0xe4,0x3e,0xc4,0xb6,0x2b,0xa8,0xc8,0x62,
+ 0xa8, 0x53, 0x78, 0xd8, 0xfd, 0x3f, 0x8d, 0x72, 0xec, 0x74, 0x18, 0x08,
+ 0x0d, 0xa2, 0x13, 0x17, 0xe4, 0x3e, 0xc4, 0xb6, 0x2b, 0xa8, 0xc8, 0x62,
--- openssl-1.0.1c/crypto/fips/fips_rand.c.orig 2012-11-03 20:07:49.956891942 +0100
+++ openssl-1.0.1c/crypto/fips/fips_rand.c 2012-11-03 20:08:14.260048118 +0100
@@ -47,6 +47,8 @@
@@ -58,21 +57,21 @@
-
void *OPENSSL_stderr(void);
- #define AES_BLOCK_LENGTH 16
+ # define AES_BLOCK_LENGTH 16
--- openssl-1.0.1c/crypto/rand/md_rand.c.orig 2012-11-03 20:19:31.461754618 +0100
+++ openssl-1.0.1c/crypto/rand/md_rand.c 2012-11-03 20:20:58.294282662 +0100
-@@ -392,7 +392,11 @@
- /* always poll for external entropy in FIPS mode, drbg provides the
- * expansion
- */
+@@ -394,7 +394,11 @@
+ /* always poll for external entropy in FIPS mode, drbg provides the
+ * expansion
+ */
+#ifdef OPENSSL_FIPS
- if (!initialized || FIPS_module_mode())
+ if (!initialized || FIPS_module_mode()) {
+#else
-+ if (!initialized)
++ if (!initialized) {
+#endif
- {
- RAND_poll();
- initialized = 1;
+ RAND_poll();
+ initialized = 1;
+ }
--- openssl-1.0.1c/crypto/opensslconf.h.in 2012-11-09 20:34:03.434391630 +0100
+++ openssl-1.0.1c/crypto/opensslconf.h.in.fips 2005-12-16 11:37:23.000000000 +0100
@@ -1,20 +1,5 @@
diff --git a/mingw-openssl.spec b/mingw-openssl.spec
index f8be0f4..eab0581 100644
--- a/mingw-openssl.spec
+++ b/mingw-openssl.spec
@@ -23,7 +23,7 @@
%global thread_test_threads %{?threads:%{threads}}%{!?threads:1}
Name: mingw-openssl
-Version: 1.0.1j
+Version: 1.0.2a
Release: 1%{?dist}
Summary: MinGW port of the OpenSSL toolkit
@@ -48,61 +48,58 @@ Source12: ec_curve.c
Source13: ectest.c
# Build changes
-Patch1: openssl-1.0.1e-rpmbuild.patch
-Patch2: openssl-1.0.1e-defaults.patch
-Patch4: openssl-1.0.0-beta5-enginesdir.patch
-Patch5: openssl-0.9.8a-no-rpath.patch
-Patch6: openssl-0.9.8b-test-use-localhost.patch
+Patch1: openssl-1.0.2a-rpmbuild.patch
+Patch2: openssl-1.0.2a-defaults.patch
+Patch4: openssl-1.0.2a-enginesdir.patch
+Patch5: openssl-1.0.2a-no-rpath.patch
+Patch6: openssl-1.0.2a-test-use-localhost.patch
Patch7: openssl-1.0.0-timezone.patch
Patch8: openssl-1.0.1c-perlfind.patch
Patch9: openssl-1.0.1c-aliasing.patch
-# This patch must be applied first
-Patch10: openssl-1.0.1i-ppc-asm-update.patch
# Bug fixes
-Patch23: openssl-1.0.1c-default-paths.patch
-Patch24: openssl-1.0.1e-issuer-hash.patch
+Patch23: openssl-1.0.2a-default-paths.patch
+Patch24: openssl-1.0.2a-issuer-hash.patch
# Functionality changes
Patch33: openssl-1.0.0-beta4-ca-dir.patch
-Patch34: openssl-0.9.6-x509.patch
-Patch35: openssl-0.9.8j-version-add-engines.patch
-Patch39: openssl-1.0.1h-ipv6-apps.patch
-Patch40: openssl-1.0.1j-fips.patch
-Patch45: openssl-1.0.1e-env-zlib.patch
-Patch47: openssl-1.0.0-beta5-readme-warning.patch
+Patch34: openssl-1.0.2a-x509.patch
+Patch35: openssl-1.0.2a-version-add-engines.patch
+Patch39: openssl-1.0.2a-ipv6-apps.patch
+Patch40: openssl-1.0.2a-fips.patch
+Patch45: openssl-1.0.2a-env-zlib.patch
+Patch47: openssl-1.0.2a-readme-warning.patch
Patch49: openssl-1.0.1i-algo-doc.patch
-Patch50: openssl-1.0.1-beta2-dtls1-abi.patch
-Patch51: openssl-1.0.1e-version.patch
-Patch56: openssl-1.0.0c-rsa-x931.patch
-Patch58: openssl-1.0.1-beta2-fips-md5-allow.patch
-Patch60: openssl-1.0.0d-apps-dgst.patch
-Patch63: openssl-1.0.0d-xmpp-starttls.patch
-Patch65: openssl-1.0.0e-chil-fixes.patch
-Patch66: openssl-1.0.1-pkgconfig-krb5.patch
-Patch68: openssl-1.0.1e-secure-getenv.patch
-Patch69: openssl-1.0.1c-dh-1024.patch
-Patch70: openssl-1.0.1j-fips-ec.patch
-Patch71: openssl-1.0.1i-manfix.patch
-Patch72: openssl-1.0.1e-fips-ctor.patch
-Patch73: openssl-1.0.1e-ecc-suiteb.patch
-Patch74: openssl-1.0.1e-no-md5-verify.patch
-Patch75: openssl-1.0.1e-compat-symbols.patch
-Patch76: openssl-1.0.1i-new-fips-reqs.patch
-Patch77: openssl-1.0.1e-weak-ciphers.patch
-Patch90: openssl-1.0.1e-enc-fail.patch
-Patch92: openssl-1.0.1h-system-cipherlist.patch
-Patch93: openssl-1.0.1h-disable-sslv2v3.patch
+Patch50: openssl-1.0.2a-dtls1-abi.patch
+Patch51: openssl-1.0.2a-version.patch
+Patch56: openssl-1.0.2a-rsa-x931.patch
+Patch58: openssl-1.0.2a-fips-md5-allow.patch
+Patch60: openssl-1.0.2a-apps-dgst.patch
+Patch63: openssl-1.0.2a-xmpp-starttls.patch
+Patch65: openssl-1.0.2a-chil-fixes.patch
+Patch66: openssl-1.0.2a-pkgconfig-krb5.patch
+Patch68: openssl-1.0.2a-secure-getenv.patch
+Patch69: openssl-1.0.2a-dh-1024.patch
+Patch70: openssl-1.0.2a-fips-ec.patch
+Patch71: openssl-1.0.2a-manfix.patch
+Patch72: openssl-1.0.2a-fips-ctor.patch
+Patch73: openssl-1.0.2a-ecc-suiteb.patch
+Patch74: openssl-1.0.2a-no-md5-verify.patch
+Patch75: openssl-1.0.2a-compat-symbols.patch
+Patch76: openssl-1.0.2a-new-fips-reqs.patch
+Patch77: openssl-1.0.2a-weak-ciphers.patch
+Patch90: openssl-1.0.2a-enc-fail.patch
+Patch92: openssl-1.0.2a-system-cipherlist.patch
+Patch93: openssl-1.0.2a-disable-sslv2v3.patch
# Backported fixes including security fixes
-Patch80: openssl-1.0.1j-evp-wrap.patch
-Patch81: openssl-1.0.1-beta2-padlock64.patch
-Patch84: openssl-1.0.1i-trusted-first.patch
-Patch85: openssl-1.0.1e-arm-use-elf-auxv-caps.patch
-Patch89: openssl-1.0.1j-ephemeral-key-size.patch
+Patch80: openssl-1.0.2a-wrap-pad.patch
+Patch81: openssl-1.0.2a-padlock64.patch
+Patch84: openssl-1.0.2a-trusted-first-doc.patch
+Patch87: openssl-1.0.2a-cc-reqs.patch
# MinGW-specific patches.
# Rename *eay32.dll to lib*.dll
Patch101: mingw32-openssl-1.0.0-beta3-libversion.patch
# Fix engines/ install target after lib rename
-Patch102: mingw32-openssl-1.0.0d-sfx.patch
+Patch102: mingw32-openssl-1.0.2a-sfx.patch
# Some .c file contains in #include <dlfcn.h> while it
# doesn't really use anything from that header
Patch103: mingw-openssl-drop-unneeded-reference-to-dlfcn-h.patch
@@ -213,7 +210,6 @@ Static version of the MinGW port of the OpenSSL toolkit.
cp %{SOURCE12} %{SOURCE13} crypto/ec/
-%patch10 -p1 -b .ppc-asm
%patch1 -p1 -b .rpmbuild
%patch2 -p1 -b .defaults
%patch4 -p1 -b .enginesdir %{?_rawbuild}
@@ -259,8 +255,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch80 -p1 -b .wrap
%patch81 -p1 -b .padlock64
%patch84 -p1 -b .trusted-first
-%patch85 -p1 -b .armcap
-#patch89 -p1 -b .ephemeral
+%patch87 -p1 -b .cc-reqs
# MinGW specific patches
%patch101 -p1 -b .mingw-libversion
@@ -506,6 +501,10 @@ mkdir -m700 $RPM_BUILD_ROOT%{mingw64_sysconfdir}/pki/CA/private
%changelog
+* Fri Apr 24 2015 Erik van Pienbroek <epienbro at fedoraproject.org> - 1.0.2a-1
+- Synced with native openssl-1.0.2a-1.fc23
+- Fixes various CVE's (RHBZ #1203855 #1203856)
+
* Mon Dec 22 2014 Erik van Pienbroek <epienbro at fedoraproject.org> - 1.0.1j-1
- Synced with native openssl-1.0.1j-3.fc22
- Add support for RFC 5649
diff --git a/mingw32-openssl-1.0.0d-sfx.patch b/mingw32-openssl-1.0.0d-sfx.patch
deleted file mode 100644
index bd877b3..0000000
--- a/mingw32-openssl-1.0.0d-sfx.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff -up openssl-1.0.0d/engines/Makefile.mingw-sfx openssl-1.0.0d/engines/Makefile
---- openssl-1.0.0d/engines/Makefile.mingw-sfx 2011-04-23 13:04:15.452843560 +0300
-+++ openssl-1.0.0d/engines/Makefile 2011-04-23 13:04:15.689846190 +0300
-@@ -111,7 +111,10 @@ install:
- for l in $(LIBNAMES); do \
- ( echo installing $$l; \
- pfx=lib; \
-- if [ "$(PLATFORM)" != "Cygwin" ]; then \
-+ if [ "$(PLATFORM)" = "mingw" ]; then \
-+ sfx=.dll; \
-+ cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
-+ elif [ "$(PLATFORM)" != "Cygwin" ]; then \
- case "$(CFLAGS)" in \
- *DSO_BEOS*) sfx=".so";; \
- *DSO_DLFCN*) sfx=`expr "$(SHLIB_EXT)" : '.*\(\.[a-z][a-z]*\)' \| ".so"`;; \
diff --git a/mingw32-openssl-1.0.2a-sfx.patch b/mingw32-openssl-1.0.2a-sfx.patch
new file mode 100644
index 0000000..8020d57
--- /dev/null
+++ b/mingw32-openssl-1.0.2a-sfx.patch
@@ -0,0 +1,14 @@
+--- openssl-1.0.2a/engines/Makefile.enginesdir 2015-03-19 14:31:14.000000000 +0100
++++ openssl-1.0.2a/engines/Makefile 2015-04-24 18:27:12.875788913 +0200
+@@ -111,7 +111,10 @@
+ for l in $(LIBNAMES); do \
+ ( echo installing $$l; \
+ pfx=lib; \
+- if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
++ if [ "$(PLATFORM)" = "mingw" ]; then \
++ sfx=.dll; \
++ cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
++ elif expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
+ sfx=".so"; \
+ cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
+ else \
diff --git a/openssl-0.9.6-x509.patch b/openssl-0.9.6-x509.patch
deleted file mode 100644
index 7b3f49f..0000000
--- a/openssl-0.9.6-x509.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Do not treat duplicate certs as an error.
-
---- openssl-0.9.6/crypto/x509/by_file.c Wed Sep 27 15:09:05 2000
-+++ openssl-0.9.6/crypto/x509/by_file.c Wed Sep 27 14:21:20 2000
-@@ -163,8 +163,12 @@
- }
- }
- i=X509_STORE_add_cert(ctx->store_ctx,x);
-- if (!i) goto err;
-- count++;
-+ /* ignore any problems with current certificate
-+ and continue with the next one */
-+ if (i)
-+ count++;
-+ else
-+ ERR_clear_error();
- X509_free(x);
- x=NULL;
- }
-@@ -179,7 +183,8 @@
- goto err;
- }
- i=X509_STORE_add_cert(ctx->store_ctx,x);
-- if (!i) goto err;
-+ if (!i)
-+ ERR_clear_error();
- ret=i;
- }
- else
diff --git a/openssl-0.9.8a-no-rpath.patch b/openssl-0.9.8a-no-rpath.patch
deleted file mode 100644
index 8f8fb91..0000000
--- a/openssl-0.9.8a-no-rpath.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- openssl-0.9.8a/Makefile.shared.no-rpath 2005-06-23 22:47:54.000000000 +0200
-+++ openssl-0.9.8a/Makefile.shared 2005-11-16 22:35:37.000000000 +0100
-@@ -153,7 +153,7 @@
- NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
-
--DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
-+DO_GNU_APP=LDFLAGS="$(CFLAGS)"
-
- #This is rather special. It's a special target with which one can link
- #applications without bothering with any features that have anything to
diff --git a/openssl-0.9.8b-test-use-localhost.patch b/openssl-0.9.8b-test-use-localhost.patch
deleted file mode 100644
index 08adf1c..0000000
--- a/openssl-0.9.8b-test-use-localhost.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff -up openssl-0.9.8b/ssl/ssltest.c.use-localhost openssl-0.9.8b/ssl/ssltest.c
---- openssl-0.9.8b/ssl/ssltest.c.use-localhost 2006-02-24 18:58:35.000000000 +0100
-+++ openssl-0.9.8b/ssl/ssltest.c 2007-08-03 14:06:16.000000000 +0200
-@@ -839,19 +839,8 @@ bad:
- #ifndef OPENSSL_NO_KRB5
- if (c_ssl && c_ssl->kssl_ctx)
- {
-- char localhost[MAXHOSTNAMELEN+2];
--
-- if (gethostname(localhost, sizeof localhost-1) == 0)
-- {
-- localhost[sizeof localhost-1]='\0';
-- if(strlen(localhost) == sizeof localhost-1)
-- {
-- BIO_printf(bio_err,"localhost name too long\n");
-- goto end;
-- }
- kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
-- localhost);
-- }
-+ "localhost");
- }
- #endif /* OPENSSL_NO_KRB5 */
-
diff --git a/openssl-0.9.8j-version-add-engines.patch b/openssl-0.9.8j-version-add-engines.patch
deleted file mode 100644
index f54326c..0000000
--- a/openssl-0.9.8j-version-add-engines.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-diff -up openssl-0.9.8j/apps/version.c.version-add-engines openssl-0.9.8j/apps/version.c
---- openssl-0.9.8j/apps/version.c.version-add-engines 2008-10-20 14:53:33.000000000 +0200
-+++ openssl-0.9.8j/apps/version.c 2009-01-13 23:22:03.000000000 +0100
-@@ -131,6 +131,7 @@
- #ifndef OPENSSL_NO_BF
- # include <openssl/blowfish.h>
- #endif
-+#include <openssl/engine.h>
-
- #undef PROG
- #define PROG version_main
-@@ -140,7 +141,7 @@ int MAIN(int, char **);
- int MAIN(int argc, char **argv)
- {
- int i,ret=0;
-- int cflags=0,version=0,date=0,options=0,platform=0,dir=0;
-+ int cflags=0,version=0,date=0,options=0,platform=0,dir=0,engines=0;
-
- apps_startup();
-
-@@ -164,7 +165,7 @@ int MAIN(int argc, char **argv)
- else if (strcmp(argv[i],"-d") == 0)
- dir=1;
- else if (strcmp(argv[i],"-a") == 0)
-- date=version=cflags=options=platform=dir=1;
-+ date=version=cflags=options=platform=dir=engines=1;
- else
- {
- BIO_printf(bio_err,"usage:version -[avbofpd]\n");
-@@ -211,6 +212,18 @@ int MAIN(int argc, char **argv)
- }
- if (cflags) printf("%s\n",SSLeay_version(SSLEAY_CFLAGS));
- if (dir) printf("%s\n",SSLeay_version(SSLEAY_DIR));
-+ if (engines)
-+ {
-+ ENGINE *e;
-+ printf("engines: ");
-+ e = ENGINE_get_first();
-+ while (e)
-+ {
-+ printf("%s ", ENGINE_get_id(e));
-+ e = ENGINE_get_next(e);
-+ }
-+ printf("\n");
-+ }
- end:
- apps_shutdown();
- OPENSSL_EXIT(ret);
diff --git a/openssl-1.0.0-beta5-enginesdir.patch b/openssl-1.0.0-beta5-enginesdir.patch
deleted file mode 100644
index d942d6e..0000000
--- a/openssl-1.0.0-beta5-enginesdir.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-diff -up openssl-1.0.0-beta5/Configure.enginesdir openssl-1.0.0-beta5/Configure
---- openssl-1.0.0-beta5/Configure.enginesdir 2010-01-20 18:07:05.000000000 +0100
-+++ openssl-1.0.0-beta5/Configure 2010-01-20 18:10:48.000000000 +0100
-@@ -622,6 +622,7 @@ my $idx_multilib = $idx++;
- my $prefix="";
- my $libdir="";
- my $openssldir="";
-+my $enginesdir="";
- my $exe_ext="";
- my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
- my $cross_compile_prefix="";
-@@ -833,6 +834,10 @@ PROCESS_ARGS:
- {
- $openssldir=$1;
- }
-+ elsif (/^--enginesdir=(.*)$/)
-+ {
-+ $enginesdir=$1;
-+ }
- elsif (/^--install.prefix=(.*)$/)
- {
- $install_prefix=$1;
-@@ -1053,7 +1058,7 @@ chop $prefix if $prefix =~ /.\/$/;
-
- $openssldir=$prefix . "/ssl" if $openssldir eq "";
- $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
--
-+$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
-
- print "IsMK1MF=$IsMK1MF\n";
-
-@@ -1673,7 +1678,7 @@ while (<IN>)
- }
- elsif (/^#define\s+ENGINESDIR/)
- {
-- my $foo = "$prefix/$libdir/engines";
-+ my $foo = "$enginesdir";
- $foo =~ s/\\/\\\\/g;
- print OUT "#define ENGINESDIR \"$foo\"\n";
- }
-diff -up openssl-1.0.0-beta5/engines/Makefile.enginesdir openssl-1.0.0-beta5/engines/Makefile
---- openssl-1.0.0-beta5/engines/Makefile.enginesdir 2010-01-16 21:06:09.000000000 +0100
-+++ openssl-1.0.0-beta5/engines/Makefile 2010-01-20 18:07:05.000000000 +0100
-@@ -124,7 +124,7 @@ install:
- sfx=".so"; \
- cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
- fi; \
-- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
-+ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
- mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
- done; \
- fi
diff --git a/openssl-1.0.0-beta5-readme-warning.patch b/openssl-1.0.0-beta5-readme-warning.patch
deleted file mode 100644
index 0d89720..0000000
--- a/openssl-1.0.0-beta5-readme-warning.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-diff -up openssl-1.0.0-beta5/README.warning openssl-1.0.0-beta5/README
---- openssl-1.0.0-beta5/README.warning 2010-01-20 16:00:47.000000000 +0100
-+++ openssl-1.0.0-beta5/README 2010-01-21 09:06:11.000000000 +0100
-@@ -5,6 +5,35 @@
- Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
- All rights reserved.
-
-+ WARNING
-+ -------
-+
-+ This version of OpenSSL is built in a way that supports operation in
-+ the so called FIPS mode. Note though that the library as we build it
-+ is not FIPS validated and the FIPS mode is present for testing purposes
-+ only.
-+
-+ This version also contains a few differences from the upstream code
-+ some of which are:
-+ * There are added changes forward ported from the upstream OpenSSL
-+ 0.9.8 FIPS branch however the FIPS integrity verification check
-+ is implemented differently from the upstream FIPS validated OpenSSL
-+ module. It verifies HMAC-SHA256 checksum of the whole shared
-+ libraries. For this reason the changes are ported to files in the
-+ crypto directory and not in a separate fips subdirectory. Also
-+ note that the FIPS integrity verification check requires unmodified
-+ libcrypto and libssl shared library files which means that it will
-+ fail if these files are modified for example by prelink.
-+ * The module respects the kernel FIPS flag /proc/sys/crypto/fips and
-+ tries to initialize the FIPS mode if it is set to 1 aborting if the
-+ FIPS mode could not be initialized. It is also possible to force the
-+ OpenSSL library to FIPS mode especially for debugging purposes by
-+ setting the environment variable OPENSSL_FORCE_FIPS_MODE.
-+ * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module
-+ will not automatically load the built in compression method ZLIB
-+ when initialized. Applications can still explicitely ask for ZLIB
-+ compression method.
-+
- DESCRIPTION
- -----------
-
diff --git a/openssl-1.0.0c-rsa-x931.patch b/openssl-1.0.0c-rsa-x931.patch
deleted file mode 100644
index a60bbcb..0000000
--- a/openssl-1.0.0c-rsa-x931.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-diff -up openssl-1.0.0c/apps/genrsa.c.x931 openssl-1.0.0c/apps/genrsa.c
---- openssl-1.0.0c/apps/genrsa.c.x931 2010-03-01 15:22:02.000000000 +0100
-+++ openssl-1.0.0c/apps/genrsa.c 2011-02-01 18:32:05.000000000 +0100
-@@ -95,6 +95,7 @@ int MAIN(int argc, char **argv)
- int ret=1;
- int i,num=DEFBITS;
- long l;
-+ int use_x931 = 0;
- const EVP_CIPHER *enc=NULL;
- unsigned long f4=RSA_F4;
- char *outfile=NULL;
-@@ -138,6 +139,8 @@ int MAIN(int argc, char **argv)
- f4=3;
- else if (strcmp(*argv,"-F4") == 0 || strcmp(*argv,"-f4") == 0)
- f4=RSA_F4;
-+ else if (strcmp(*argv,"-x931") == 0)
-+ use_x931 = 1;
- #ifndef OPENSSL_NO_ENGINE
- else if (strcmp(*argv,"-engine") == 0)
- {
-@@ -273,7 +276,14 @@ bad:
- if (!rsa)
- goto err;
-
-- if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
-+ if (use_x931)
-+ {
-+ if (!BN_set_word(bn, f4))
-+ goto err;
-+ if (!RSA_X931_generate_key_ex(rsa, num, bn, &cb))
-+ goto err;
-+ }
-+ else if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
- goto err;
-
- app_RAND_write_file(NULL, bio_err);
diff --git a/openssl-1.0.0d-apps-dgst.patch b/openssl-1.0.0d-apps-dgst.patch
deleted file mode 100644
index da20481..0000000
--- a/openssl-1.0.0d-apps-dgst.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-diff -up openssl-1.0.0d/apps/ca.c.dgst openssl-1.0.0d/apps/ca.c
---- openssl-1.0.0d/apps/ca.c.dgst 2009-12-02 15:41:24.000000000 +0100
-+++ openssl-1.0.0d/apps/ca.c 2011-04-05 21:09:42.000000000 +0200
-@@ -157,7 +157,7 @@ static const char *ca_usage[]={
- " -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n",
- " -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n",
- " -days arg - number of days to certify the certificate for\n",
--" -md arg - md to use, one of md2, md5, sha or sha1\n",
-+" -md arg - md to use, see openssl dgst -h for list\n",
- " -policy arg - The CA 'policy' to support\n",
- " -keyfile arg - private key file\n",
- " -keyform arg - private key file format (PEM or ENGINE)\n",
-diff -up openssl-1.0.0d/apps/enc.c.dgst openssl-1.0.0d/apps/enc.c
---- openssl-1.0.0d/apps/enc.c.dgst 2010-06-15 19:25:02.000000000 +0200
-+++ openssl-1.0.0d/apps/enc.c 2011-04-05 21:11:54.000000000 +0200
-@@ -302,7 +302,7 @@ bad:
- BIO_printf(bio_err,"%-14s passphrase is the next argument\n","-k");
- BIO_printf(bio_err,"%-14s passphrase is the first line of the file argument\n","-kfile");
- BIO_printf(bio_err,"%-14s the next argument is the md to use to create a key\n","-md");
-- BIO_printf(bio_err,"%-14s from a passphrase. One of md2, md5, sha or sha1\n","");
-+ BIO_printf(bio_err,"%-14s from a passphrase. See openssl dgst -h for list.\n","");
- BIO_printf(bio_err,"%-14s salt in hex is the next argument\n","-S");
- BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv");
- BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]");
-diff -up openssl-1.0.0d/apps/req.c.dgst openssl-1.0.0d/apps/req.c
---- openssl-1.0.0d/apps/req.c.dgst 2010-03-10 14:48:21.000000000 +0100
-+++ openssl-1.0.0d/apps/req.c 2011-04-05 21:12:33.000000000 +0200
-@@ -421,7 +421,7 @@ bad:
- #ifndef OPENSSL_NO_ECDSA
- BIO_printf(bio_err," -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n");
- #endif
-- BIO_printf(bio_err," -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
-+ BIO_printf(bio_err," -[digest] Digest to sign with (see openssl dgst -h for list)\n");
- BIO_printf(bio_err," -config file request template file.\n");
- BIO_printf(bio_err," -subj arg set or modify request subject\n");
- BIO_printf(bio_err," -multivalue-rdn enable support for multivalued RDNs\n");
-diff -up openssl-1.0.0d/apps/ts.c.dgst openssl-1.0.0d/apps/ts.c
---- openssl-1.0.0d/apps/ts.c.dgst 2009-10-18 16:42:26.000000000 +0200
-+++ openssl-1.0.0d/apps/ts.c 2011-04-05 21:16:07.000000000 +0200
-@@ -368,7 +368,7 @@ int MAIN(int argc, char **argv)
- BIO_printf(bio_err, "usage:\n"
- "ts -query [-rand file%cfile%c...] [-config configfile] "
- "[-data file_to_hash] [-digest digest_bytes]"
-- "[-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] "
-+ "[-<hashalg>] "
- "[-policy object_id] [-no_nonce] [-cert] "
- "[-in request.tsq] [-out request.tsq] [-text]\n",
- LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
-diff -up openssl-1.0.0d/apps/x509.c.dgst openssl-1.0.0d/apps/x509.c
---- openssl-1.0.0d/apps/x509.c.dgst 2011-04-05 21:13:42.000000000 +0200
-+++ openssl-1.0.0d/apps/x509.c 2011-04-05 21:13:17.000000000 +0200
-@@ -141,7 +141,7 @@ static const char *x509_usage[]={
- " -set_serial - serial number to use\n",
- " -text - print the certificate in text form\n",
- " -C - print out C code forms\n",
--" -md2/-md5/-sha1/-mdc2 - digest to use\n",
-+" -<dgst> - digest to use, see openssl dgst -h output for list\n",
- " -extfile - configuration file with X509V3 extensions to add\n",
- " -extensions - section from config file with X509V3 extensions to add\n",
- " -clrext - delete extensions before signing and input certificate\n",
-diff -up openssl-1.0.0d/doc/apps/ca.pod.dgst openssl-1.0.0d/doc/apps/ca.pod
---- openssl-1.0.0d/doc/apps/ca.pod.dgst 2009-04-10 13:25:53.000000000 +0200
-+++ openssl-1.0.0d/doc/apps/ca.pod 2011-04-05 21:16:39.000000000 +0200
-@@ -160,7 +160,8 @@ the number of days to certify the certif
- =item B<-md alg>
-
- the message digest to use. Possible values include md5, sha1 and mdc2.
--This option also applies to CRLs.
-+For full list of digests see openssl dgst -h output. This option also
-+applies to CRLs.
-
- =item B<-policy arg>
-
-diff -up openssl-1.0.0d/doc/apps/ocsp.pod.dgst openssl-1.0.0d/doc/apps/ocsp.pod
---- openssl-1.0.0d/doc/apps/ocsp.pod.dgst 2008-02-25 19:11:47.000000000 +0100
-+++ openssl-1.0.0d/doc/apps/ocsp.pod 2011-04-05 21:18:17.000000000 +0200
-@@ -210,7 +210,8 @@ check is not performed.
- =item B<-md5|-sha1|-sha256|-ripemod160|...>
-
- this option sets digest algorithm to use for certificate identification
--in the OCSP request. By default SHA-1 is used.
-+in the OCSP request. By default SHA-1 is used. See openssl dgst -h output for
-+the list of available algorithms.
-
- =back
-
-diff -up openssl-1.0.0d/doc/apps/req.pod.dgst openssl-1.0.0d/doc/apps/req.pod
---- openssl-1.0.0d/doc/apps/req.pod.dgst 2009-04-10 18:42:28.000000000 +0200
-+++ openssl-1.0.0d/doc/apps/req.pod 2011-04-05 21:20:47.000000000 +0200
-@@ -201,7 +201,8 @@ will not be encrypted.
-
- this specifies the message digest to sign the request with (such as
- B<-md5>, B<-sha1>). This overrides the digest algorithm specified in
--the configuration file.
-+the configuration file. For full list of possible digests see openssl
-+dgst -h output.
-
- Some public key algorithms may override this choice. For instance, DSA
- signatures always use SHA1, GOST R 34.10 signatures always use
-diff -up openssl-1.0.0d/doc/apps/x509.pod.dgst openssl-1.0.0d/doc/apps/x509.pod
---- openssl-1.0.0d/doc/apps/x509.pod.dgst 2010-01-12 18:27:11.000000000 +0100
-+++ openssl-1.0.0d/doc/apps/x509.pod 2011-04-05 21:19:56.000000000 +0200
-@@ -101,6 +101,7 @@ the digest to use. This affects any sign
- digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not
- specified then SHA1 is used. If the key being used to sign with is a DSA key
- then this option has no effect: SHA1 is always used with DSA keys.
-+For full list of digests see openssl dgst -h output.
-
- =item B<-engine id>
-
diff --git a/openssl-1.0.0d-xmpp-starttls.patch b/openssl-1.0.0d-xmpp-starttls.patch
deleted file mode 100644
index b3999cc..0000000
--- a/openssl-1.0.0d-xmpp-starttls.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -ru openssl-1.0.0d.old/apps/s_client.c openssl-1.0.0d/apps/s_client.c
---- openssl-1.0.0d.old/apps/s_client.c 2011-07-17 21:05:19.934181169 +0200
-+++ openssl-1.0.0d/apps/s_client.c 2011-07-17 21:11:42.747824990 +0200
-@@ -1186,7 +1186,7 @@
- "xmlns='jabber:client' to='%s' version='1.0'>", host);
- seen = BIO_read(sbio,mbuf,BUFSIZZ);
- mbuf[seen] = 0;
-- while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"))
-+ while (!strcasestr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") && !strcasestr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
- {
- if (strstr(mbuf, "/stream:features>"))
- goto shut;
diff --git a/openssl-1.0.0e-chil-fixes.patch b/openssl-1.0.0e-chil-fixes.patch
deleted file mode 100644
index 58a035f..0000000
--- a/openssl-1.0.0e-chil-fixes.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff -up openssl-1.0.0e/engines/e_chil.c.chil openssl-1.0.0e/engines/e_chil.c
---- openssl-1.0.0e/engines/e_chil.c.chil 2010-06-15 19:25:12.000000000 +0200
-+++ openssl-1.0.0e/engines/e_chil.c 2011-09-21 17:32:03.000000000 +0200
-@@ -1261,6 +1261,11 @@ static int hwcrhk_insert_card(const char
- UI *ui;
- void *callback_data = NULL;
- UI_METHOD *ui_method = NULL;
-+ /* Despite what the documentation says prompt_info can be
-+ * an empty string.
-+ */
-+ if (prompt_info && !*prompt_info)
-+ prompt_info = NULL;
-
- if (cactx)
- {
-@@ -1287,7 +1292,7 @@ static int hwcrhk_insert_card(const char
-
- if (ui)
- {
-- char answer;
-+ char answer = '\0';
- char buf[BUFSIZ];
- /* Despite what the documentation says wrong_info can be
- * an empty string.
diff --git a/openssl-1.0.1-beta2-dtls1-abi.patch b/openssl-1.0.1-beta2-dtls1-abi.patch
deleted file mode 100644
index 6a556be..0000000
--- a/openssl-1.0.1-beta2-dtls1-abi.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-diff -up openssl-1.0.1-beta2/ssl/dtls1.h.dtls1-abi openssl-1.0.1-beta2/ssl/dtls1.h
---- openssl-1.0.1-beta2/ssl/dtls1.h.dtls1-abi 2012-02-06 17:07:34.630336118 +0100
-+++ openssl-1.0.1-beta2/ssl/dtls1.h 2012-02-06 17:10:08.956623707 +0100
-@@ -222,9 +222,6 @@ typedef struct dtls1_state_st
- */
- record_pqueue buffered_app_data;
-
-- /* Is set when listening for new connections with dtls1_listen() */
-- unsigned int listen;
--
- unsigned int mtu; /* max DTLS packet size */
-
- struct hm_header_st w_msg_hdr;
-@@ -248,6 +245,9 @@ typedef struct dtls1_state_st
- unsigned int retransmitting;
- unsigned int change_cipher_spec_ok;
-
-+ /* Is set when listening for new connections with dtls1_listen() */
-+ unsigned int listen;
-+
- #ifndef OPENSSL_NO_SCTP
- /* used when SSL_ST_XX_FLUSH is entered */
- int next_state;
diff --git a/openssl-1.0.1-beta2-fips-md5-allow.patch b/openssl-1.0.1-beta2-fips-md5-allow.patch
deleted file mode 100644
index d654730..0000000
--- a/openssl-1.0.1-beta2-fips-md5-allow.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff -up openssl-1.0.1-beta2/crypto/md5/md5_dgst.c.md5-allow openssl-1.0.1-beta2/crypto/md5/md5_dgst.c
---- openssl-1.0.1-beta2/crypto/md5/md5_dgst.c.md5-allow 2012-02-06 20:09:56.000000000 +0100
-+++ openssl-1.0.1-beta2/crypto/md5/md5_dgst.c 2012-02-06 20:14:02.332117603 +0100
-@@ -71,7 +71,16 @@ const char MD5_version[]="MD5" OPENSSL_V
- #define INIT_DATA_C (unsigned long)0x98badcfeL
- #define INIT_DATA_D (unsigned long)0x10325476L
-
--nonfips_md_init(MD5)
-+int MD5_Init(MD5_CTX *c)
-+#ifdef OPENSSL_FIPS
-+ {
-+ if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
-+ OpenSSLDie(__FILE__, __LINE__, \
-+ "Digest MD5 forbidden in FIPS mode!");
-+ return private_MD5_Init(c);
-+ }
-+int private_MD5_Init(MD5_CTX *c)
-+#endif
- {
- memset (c,0,sizeof(*c));
- c->A=INIT_DATA_A;
diff --git a/openssl-1.0.1-beta2-padlock64.patch b/openssl-1.0.1-beta2-padlock64.patch
deleted file mode 100644
index 4b7f7da..0000000
--- a/openssl-1.0.1-beta2-padlock64.patch
+++ /dev/null
@@ -1,193 +0,0 @@
-diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/engines/e_padlock.c
---- openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 2011-06-21 18:42:15.000000000 +0200
-+++ openssl-1.0.1-beta2/engines/e_padlock.c 2012-02-06 20:18:52.039537799 +0100
-@@ -101,7 +101,10 @@
- compiler choice is limited to GCC and Microsoft C. */
- #undef COMPILE_HW_PADLOCK
- #if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
--# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
-+# if (defined(__GNUC__) && __GNUC__>=2 && \
-+ (defined(__i386__) || defined(__i386) || \
-+ defined(__x86_64__) || defined(__x86_64)) \
-+ ) || \
- (defined(_MSC_VER) && defined(_M_IX86))
- # define COMPILE_HW_PADLOCK
- # endif
-@@ -137,7 +140,7 @@ void ENGINE_load_padlock (void)
- # endif
- #elif defined(__GNUC__)
- # ifndef alloca
--# define alloca(s) __builtin_alloca(s)
-+# define alloca(s) __builtin_alloca((s))
- # endif
- #endif
-
-@@ -304,6 +307,7 @@ static volatile struct padlock_cipher_da
- * =======================================================
- */
- #if defined(__GNUC__) && __GNUC__>=2
-+#if defined(__i386__) || defined(__i386)
- /*
- * As for excessive "push %ebx"/"pop %ebx" found all over.
- * When generating position-independent code GCC won't let
-@@ -383,21 +387,6 @@ padlock_available(void)
- return padlock_use_ace + padlock_use_rng;
- }
-
--#ifndef OPENSSL_NO_AES
--/* Our own htonl()/ntohl() */
--static inline void
--padlock_bswapl(AES_KEY *ks)
--{
-- size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
-- unsigned int *key = ks->rd_key;
--
-- while (i--) {
-- asm volatile ("bswapl %0" : "+r"(*key));
-- key++;
-- }
--}
--#endif
--
- /* Force key reload from memory to the CPU microcode.
- Loading EFLAGS from the stack clears EFLAGS[30]
- which does the trick. */
-@@ -455,12 +444,127 @@ static inline void *name(size_t cnt, \
- : "edx", "cc", "memory"); \
- return iv; \
- }
-+#endif
-+
-+#elif defined(__x86_64__) || defined(__x86_64)
-+
-+/* Load supported features of the CPU to see if
-+ the PadLock is available. */
-+static int
-+padlock_available(void)
-+{
-+ char vendor_string[16];
-+ unsigned int eax, edx;
-
-+ /* Are we running on the Centaur (VIA) CPU? */
-+ eax = 0x00000000;
-+ vendor_string[12] = 0;
-+ asm volatile (
-+ "cpuid\n"
-+ "movl %%ebx,(%1)\n"
-+ "movl %%edx,4(%1)\n"
-+ "movl %%ecx,8(%1)\n"
-+ : "+a"(eax) : "r"(vendor_string) : "rbx", "rcx", "rdx");
-+ if (strcmp(vendor_string, "CentaurHauls") != 0)
-+ return 0;
-+
-+ /* Check for Centaur Extended Feature Flags presence */
-+ eax = 0xC0000000;
-+ asm volatile ("cpuid"
-+ : "+a"(eax) : : "rbx", "rcx", "rdx");
-+ if (eax < 0xC0000001)
-+ return 0;
-+
-+ /* Read the Centaur Extended Feature Flags */
-+ eax = 0xC0000001;
-+ asm volatile ("cpuid"
-+ : "+a"(eax), "=d"(edx) : : "rbx", "rcx");
-+
-+ /* Fill up some flags */
-+ padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6));
-+ padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2));
-+
-+ return padlock_use_ace + padlock_use_rng;
-+}
-+
-+/* Force key reload from memory to the CPU microcode.
-+ Loading EFLAGS from the stack clears EFLAGS[30]
-+ which does the trick. */
-+static inline void
-+padlock_reload_key(void)
-+{
-+ asm volatile ("pushfq; popfq");
-+}
-+
-+#ifndef OPENSSL_NO_AES
-+/*
-+ * This is heuristic key context tracing. At first one
-+ * believes that one should use atomic swap instructions,
-+ * but it's not actually necessary. Point is that if
-+ * padlock_saved_context was changed by another thread
-+ * after we've read it and before we compare it with cdata,
-+ * our key *shall* be reloaded upon thread context switch
-+ * and we are therefore set in either case...
-+ */
-+static inline void
-+padlock_verify_context(struct padlock_cipher_data *cdata)
-+{
-+ asm volatile (
-+ "pushfq\n"
-+" btl $30,(%%rsp)\n"
-+" jnc 1f\n"
-+" cmpq %2,%1\n"
-+" je 1f\n"
-+" popfq\n"
-+" subq $8,%%rsp\n"
-+"1: addq $8,%%rsp\n"
-+" movq %2,%0"
-+ :"+m"(padlock_saved_context)
-+ : "r"(padlock_saved_context), "r"(cdata) : "cc");
-+}
-+
-+/* Template for padlock_xcrypt_* modes */
-+/* BIG FAT WARNING:
-+ * The offsets used with 'leal' instructions
-+ * describe items of the 'padlock_cipher_data'
-+ * structure.
-+ */
-+#define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
-+static inline void *name(size_t cnt, \
-+ struct padlock_cipher_data *cdata, \
-+ void *out, const void *inp) \
-+{ void *iv; \
-+ asm volatile ( "leaq 16(%0),%%rdx\n" \
-+ " leaq 32(%0),%%rbx\n" \
-+ rep_xcrypt "\n" \
-+ : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
-+ : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
-+ : "rbx", "rdx", "cc", "memory"); \
-+ return iv; \
-+}
-+#endif
-+
-+#endif /* cpu */
-+
-+#ifndef OPENSSL_NO_AES
- /* Generate all functions with appropriate opcodes */
- PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8") /* rep xcryptecb */
- PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc, ".byte 0xf3,0x0f,0xa7,0xd0") /* rep xcryptcbc */
- PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0") /* rep xcryptcfb */
- PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8") /* rep xcryptofb */
-+
-+/* Our own htonl()/ntohl() */
-+static inline void
-+padlock_bswapl(AES_KEY *ks)
-+{
-+ size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
-+ unsigned int *key = ks->rd_key;
-+
-+ while (i--) {
-+ asm volatile ("bswapl %0" : "+r"(*key));
-+ key++;
-+ }
-+}
- #endif
-
- /* The RNG call itself */
-@@ -491,8 +595,8 @@ padlock_xstore(void *addr, unsigned int
- static inline unsigned char *
- padlock_memcpy(void *dst,const void *src,size_t n)
- {
-- long *d=dst;
-- const long *s=src;
-+ size_t *d=dst;
-+ const size_t *s=src;
-
- n /= sizeof(*d);
- do { *d++ = *s++; } while (--n);
diff --git a/openssl-1.0.1-pkgconfig-krb5.patch b/openssl-1.0.1-pkgconfig-krb5.patch
deleted file mode 100644
index 14a17bf..0000000
--- a/openssl-1.0.1-pkgconfig-krb5.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-diff -up openssl-1.0.1/Makefile.org.krb5 openssl-1.0.1/Makefile.org
---- openssl-1.0.1/Makefile.org.krb5 2012-03-14 21:15:04.000000000 +0100
-+++ openssl-1.0.1/Makefile.org 2012-04-11 16:28:31.254725422 +0200
-@@ -370,7 +370,7 @@ libcrypto.pc: Makefile
- echo 'Requires: '; \
- echo 'Libs: -L$${libdir} -lcrypto'; \
- echo 'Libs.private: $(EX_LIBS)'; \
-- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
-+ echo 'Cflags: -I$${includedir}' ) > libcrypto.pc
-
- libssl.pc: Makefile
- @ ( echo 'prefix=$(INSTALLTOP)'; \
-@@ -383,7 +383,7 @@ libssl.pc: Makefile
- echo 'Version: '$(VERSION); \
- echo 'Requires: '; \
- echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
-- echo 'Libs.private: $(EX_LIBS)'; \
-+ echo 'Libs.private: $(EX_LIBS) $(LIBKRB5)'; \
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
-
- openssl.pc: Makefile
-@@ -397,7 +397,7 @@ openssl.pc: Makefile
- echo 'Version: '$(VERSION); \
- echo 'Requires: '; \
- echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
-- echo 'Libs.private: $(EX_LIBS)'; \
-+ echo 'Libs.private: $(EX_LIBS) $(LIBKRB5)'; \
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
-
- Makefile: Makefile.org Configure config
diff --git a/openssl-1.0.1c-default-paths.patch b/openssl-1.0.1c-default-paths.patch
deleted file mode 100644
index 364128d..0000000
--- a/openssl-1.0.1c-default-paths.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-diff -up openssl-1.0.1c/apps/s_client.c.default-paths openssl-1.0.1c/apps/s_client.c
---- openssl-1.0.1c/apps/s_client.c.default-paths 2012-03-18 19:16:05.000000000 +0100
-+++ openssl-1.0.1c/apps/s_client.c 2012-12-06 18:24:06.425933203 +0100
-@@ -1166,12 +1166,19 @@ bad:
- if (!set_cert_key_stuff(ctx,cert,key))
- goto end;
-
-- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
-- (!SSL_CTX_set_default_verify_paths(ctx)))
-+ if (CAfile == NULL && CApath == NULL)
- {
-- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
-- ERR_print_errors(bio_err);
-- /* goto end; */
-+ if (!SSL_CTX_set_default_verify_paths(ctx))
-+ {
-+ ERR_print_errors(bio_err);
-+ }
-+ }
-+ else
-+ {
-+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
-+ {
-+ ERR_print_errors(bio_err);
-+ }
- }
-
- #ifndef OPENSSL_NO_TLSEXT
-diff -up openssl-1.0.1c/apps/s_server.c.default-paths openssl-1.0.1c/apps/s_server.c
---- openssl-1.0.1c/apps/s_server.c.default-paths 2012-03-18 19:16:05.000000000 +0100
-+++ openssl-1.0.1c/apps/s_server.c 2012-12-06 18:25:11.199329611 +0100
-@@ -1565,13 +1565,21 @@ bad:
- }
- #endif
-
-- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
-- (!SSL_CTX_set_default_verify_paths(ctx)))
-+ if (CAfile == NULL && CApath == NULL)
- {
-- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
-- ERR_print_errors(bio_err);
-- /* goto end; */
-+ if (!SSL_CTX_set_default_verify_paths(ctx))
-+ {
-+ ERR_print_errors(bio_err);
-+ }
-+ }
-+ else
-+ {
-+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
-+ {
-+ ERR_print_errors(bio_err);
-+ }
- }
-+
- if (vpm)
- SSL_CTX_set1_param(ctx, vpm);
-
-@@ -1622,8 +1630,11 @@ bad:
- else
- SSL_CTX_sess_set_cache_size(ctx2,128);
-
-- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
-- (!SSL_CTX_set_default_verify_paths(ctx2)))
-+ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
-+ {
-+ ERR_print_errors(bio_err);
-+ }
-+ if (!SSL_CTX_set_default_verify_paths(ctx2))
- {
- ERR_print_errors(bio_err);
- }
-diff -up openssl-1.0.1c/apps/s_time.c.default-paths openssl-1.0.1c/apps/s_time.c
---- openssl-1.0.1c/apps/s_time.c.default-paths 2006-04-17 14:22:13.000000000 +0200
-+++ openssl-1.0.1c/apps/s_time.c 2012-12-06 18:27:41.694574044 +0100
-@@ -373,12 +373,19 @@ int MAIN(int argc, char **argv)
-
- SSL_load_error_strings();
-
-- if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ||
-- (!SSL_CTX_set_default_verify_paths(tm_ctx)))
-+ if (CAfile == NULL && CApath == NULL)
- {
-- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
-- ERR_print_errors(bio_err);
-- /* goto end; */
-+ if (!SSL_CTX_set_default_verify_paths(tm_ctx))
-+ {
-+ ERR_print_errors(bio_err);
-+ }
-+ }
-+ else
-+ {
-+ if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath))
-+ {
-+ ERR_print_errors(bio_err);
-+ }
- }
-
- if (tm_cipher == NULL)
diff --git a/openssl-1.0.1c-dh-1024.patch b/openssl-1.0.1c-dh-1024.patch
deleted file mode 100644
index 89f0f04..0000000
--- a/openssl-1.0.1c-dh-1024.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-diff -up openssl-1.0.1c/apps/s_server.c.dh1024 openssl-1.0.1c/apps/s_server.c
---- openssl-1.0.1c/apps/s_server.c.dh1024 2012-11-14 20:27:50.000000000 +0100
-+++ openssl-1.0.1c/apps/s_server.c 2012-11-15 20:56:15.247774465 +0100
-@@ -222,27 +222,31 @@ static void s_server_init(void);
- #endif
-
- #ifndef OPENSSL_NO_DH
--static unsigned char dh512_p[]={
-- 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
-- 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
-- 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
-- 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
-- 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
-- 0x47,0x74,0xE8,0x33,
-- };
--static unsigned char dh512_g[]={
-- 0x02,
-- };
--
--static DH *get_dh512(void)
-+static DH *get_dh1024()
- {
-- DH *dh=NULL;
-+ static unsigned char dh1024_p[]={
-+ 0x99,0x58,0xFA,0x90,0x53,0x2F,0xE0,0x61,0x83,0x9D,0x54,0x63,
-+ 0xBD,0x35,0x5A,0x31,0xF3,0xC6,0x79,0xE5,0xA0,0x0F,0x66,0x79,
-+ 0x3C,0xA0,0x7F,0xE8,0xA2,0x5F,0xDF,0x11,0x08,0xA3,0xF0,0x3C,
-+ 0xC3,0x3C,0x5D,0x50,0x2C,0xD5,0xD6,0x58,0x12,0xDB,0xC1,0xEF,
-+ 0xB4,0x47,0x4A,0x5A,0x39,0x8A,0x4E,0xEB,0x44,0xE2,0x07,0xFB,
-+ 0x3D,0xA3,0xC7,0x6E,0x52,0xF3,0x2B,0x7B,0x10,0xA5,0x98,0xE3,
-+ 0x38,0x2A,0xE2,0x7F,0xA4,0x8F,0x26,0x87,0x9B,0x66,0x7A,0xED,
-+ 0x2D,0x4C,0xE7,0x33,0x77,0x47,0x94,0x43,0xB6,0xAA,0x97,0x23,
-+ 0x8A,0xFC,0xA5,0xA6,0x64,0x09,0xC0,0x27,0xC0,0xEF,0xCB,0x05,
-+ 0x90,0x9D,0xD5,0x75,0xBA,0x00,0xE0,0xFB,0xA8,0x81,0x52,0xA4,
-+ 0xB2,0x83,0x22,0x5B,0xCB,0xD7,0x16,0x93,
-+ };
-+ static unsigned char dh1024_g[]={
-+ 0x02,
-+ };
-+ DH *dh;
-
- if ((dh=DH_new()) == NULL) return(NULL);
-- dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
-- dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
-+ dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
-+ dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
- if ((dh->p == NULL) || (dh->g == NULL))
-- return(NULL);
-+ { DH_free(dh); return(NULL); }
- return(dh);
- }
- #endif
-@@ -1657,7 +1661,7 @@ bad:
- else
- {
- BIO_printf(bio_s_out,"Using default temp DH parameters\n");
-- dh=get_dh512();
-+ dh=get_dh1024();
- }
- (void)BIO_flush(bio_s_out);
-
diff --git a/openssl-1.0.1e-arm-use-elf-auxv-caps.patch b/openssl-1.0.1e-arm-use-elf-auxv-caps.patch
deleted file mode 100644
index 94a8c42..0000000
--- a/openssl-1.0.1e-arm-use-elf-auxv-caps.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-diff --git a/crypto/armcap.c b/crypto/armcap.c
-index 5258d2f..efb4009 100644
---- a/crypto/armcap.c
-+++ b/crypto/armcap.c
-@@ -9,11 +9,6 @@
-
- unsigned int OPENSSL_armcap_P;
-
--static sigset_t all_masked;
--
--static sigjmp_buf ill_jmp;
--static void ill_handler (int sig) { siglongjmp(ill_jmp,sig); }
--
- /*
- * Following subroutines could have been inlined, but it's not all
- * ARM compilers support inline assembler...
-@@ -29,24 +24,26 @@ unsigned int OPENSSL_rdtsc(void)
- return 0;
- }
-
--#if defined(__GNUC__) && __GNUC__>=2
--void OPENSSL_cpuid_setup(void) __attribute__((constructor));
--#endif
--void OPENSSL_cpuid_setup(void)
-+#if defined(__GLIBC__) && __GLIBC__>=2 && __GLIBC_MINOR__>=16
-+#include <sys/auxv.h>
-+
-+void OPENSSL_cpuid_find(void)
-+ {
-+ unsigned long hwcap = getauxval(AT_HWCAP);
-+ char *plat = (char *)getauxval(AT_PLATFORM);
-+
-+ OPENSSL_armcap_P |= hwcap & HWCAP_ARM_NEON ? ARMV7_NEON : 0;
-+ OPENSSL_armcap_P |= plat ? (plat[1] == '7' ? ARMV7_TICK : 0) : 0;
-+ }
-+#else
-+static sigset_t all_masked;
-+static sigjmp_buf ill_jmp;
-+static void ill_handler (int sig) { siglongjmp(ill_jmp,sig); }
-+
-+void OPENSSL_cpuid_find(void)
- {
-- char *e;
- struct sigaction ill_oact,ill_act;
- sigset_t oset;
-- static int trigger=0;
--
-- if (trigger) return;
-- trigger=1;
--
-- if ((e=getenv("OPENSSL_armcap")))
-- {
-- OPENSSL_armcap_P=strtoul(e,NULL,0);
-- return;
-- }
-
- sigfillset(&all_masked);
- sigdelset(&all_masked,SIGILL);
-@@ -55,8 +52,6 @@ void OPENSSL_cpuid_setup(void)
- sigdelset(&all_masked,SIGBUS);
- sigdelset(&all_masked,SIGSEGV);
-
-- OPENSSL_armcap_P = 0;
--
- memset(&ill_act,0,sizeof(ill_act));
- ill_act.sa_handler = ill_handler;
- ill_act.sa_mask = all_masked;
-@@ -78,3 +73,25 @@ void OPENSSL_cpuid_setup(void)
- sigaction (SIGILL,&ill_oact,NULL);
- sigprocmask(SIG_SETMASK,&oset,NULL);
- }
-+#endif
-+
-+#if defined(__GNUC__) && __GNUC__>=2
-+void OPENSSL_cpuid_setup(void) __attribute__((constructor));
-+#endif
-+void OPENSSL_cpuid_setup(void)
-+ {
-+ char *e;
-+ static int trigger=0;
-+
-+ if (trigger) return;
-+ trigger=1;
-+
-+ if ((e=getenv("OPENSSL_armcap")))
-+ {
-+ OPENSSL_armcap_P=strtoul(e,NULL,0);
-+ return;
-+ }
-+
-+ OPENSSL_armcap_P = 0;
-+ OPENSSL_cpuid_find();
-+ }
diff --git a/openssl-1.0.1e-compat-symbols.patch b/openssl-1.0.1e-compat-symbols.patch
deleted file mode 100644
index 25a9d02..0000000
--- a/openssl-1.0.1e-compat-symbols.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-diff -up openssl-1.0.1e/crypto/dsa/dsa_key.c.compat openssl-1.0.1e/crypto/dsa/dsa_key.c
---- openssl-1.0.1e/crypto/dsa/dsa_key.c.compat 2013-11-26 14:36:35.000000000 +0100
-+++ openssl-1.0.1e/crypto/dsa/dsa_key.c 2013-12-11 16:34:58.638549687 +0100
-@@ -68,6 +68,11 @@
- #include <openssl/fips.h>
- #include <openssl/evp.h>
-
-+/* just a compatibility symbol - no-op */
-+void FIPS_corrupt_dsa_keygen(void)
-+ {
-+ }
-+
- static int fips_check_dsa(DSA *dsa)
- {
- EVP_PKEY *pk;
-diff -up openssl-1.0.1e/crypto/engine/eng_all.c.compat openssl-1.0.1e/crypto/engine/eng_all.c
---- openssl-1.0.1e/crypto/engine/eng_all.c.compat 2013-11-26 14:36:35.000000000 +0100
-+++ openssl-1.0.1e/crypto/engine/eng_all.c 2013-12-11 16:32:13.512820424 +0100
-@@ -62,6 +62,11 @@
- #include <openssl/fips.h>
- #endif
-
-+/* just backwards compatibility symbol - no-op */
-+void ENGINE_load_aesni (void)
-+{
-+}
-+
- void ENGINE_load_builtin_engines(void)
- {
- /* Some ENGINEs need this */
-diff -up openssl-1.0.1e/crypto/fips/fips.c.compat openssl-1.0.1e/crypto/fips/fips.c
---- openssl-1.0.1e/crypto/fips/fips.c.compat 2013-11-26 14:36:35.000000000 +0100
-+++ openssl-1.0.1e/crypto/fips/fips.c 2013-12-11 16:38:52.524831858 +0100
-@@ -111,6 +111,12 @@ int FIPS_module_mode(void)
- return ret;
- }
-
-+/* just a compat symbol - return NULL */
-+const void *FIPS_rand_check(void)
-+ {
-+ return NULL;
-+ }
-+
- int FIPS_selftest_failed(void)
- {
- int ret = 0;
diff --git a/openssl-1.0.1e-defaults.patch b/openssl-1.0.1e-defaults.patch
deleted file mode 100644
index 4323e87..0000000
--- a/openssl-1.0.1e-defaults.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-diff -up openssl-1.0.1e/apps/openssl.cnf.defaults openssl-1.0.1e/apps/openssl.cnf
---- openssl-1.0.1e/apps/openssl.cnf.defaults 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/apps/openssl.cnf 2014-02-06 18:00:00.170929334 +0100
-@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi
-
- default_days = 365 # how long to certify for
- default_crl_days= 30 # how long before next CRL
--default_md = default # use public key default MD
-+default_md = sha256 # use SHA-256 by default
- preserve = no # keep passed DN ordering
-
- # A few difference way of specifying how similar the request should look
-@@ -103,7 +103,8 @@ emailAddress = optional
-
- ####################################################################
- [ req ]
--default_bits = 1024
-+default_bits = 2048
-+default_md = sha256
- default_keyfile = privkey.pem
- distinguished_name = req_distinguished_name
- attributes = req_attributes
-@@ -126,17 +127,18 @@ string_mask = utf8only
-
- [ req_distinguished_name ]
- countryName = Country Name (2 letter code)
--countryName_default = AU
-+countryName_default = XX
- countryName_min = 2
- countryName_max = 2
-
- stateOrProvinceName = State or Province Name (full name)
--stateOrProvinceName_default = Some-State
-+#stateOrProvinceName_default = Default Province
-
- localityName = Locality Name (eg, city)
-+localityName_default = Default City
-
- 0.organizationName = Organization Name (eg, company)
--0.organizationName_default = Internet Widgits Pty Ltd
-+0.organizationName_default = Default Company Ltd
-
- # we can do this but it is not needed normally :-)
- #1.organizationName = Second Organization Name (eg, company)
-@@ -145,7 +147,7 @@ localityName = Locality Name (eg, city
- organizationalUnitName = Organizational Unit Name (eg, section)
- #organizationalUnitName_default =
-
--commonName = Common Name (e.g. server FQDN or YOUR name)
-+commonName = Common Name (eg, your name or your server\'s hostname)
- commonName_max = 64
-
- emailAddress = Email Address
-@@ -339,7 +341,7 @@ signer_key = $dir/private/tsakey.pem # T
- default_policy = tsa_policy1 # Policy if request did not specify it
- # (optional)
- other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
--digests = md5, sha1 # Acceptable message digests (mandatory)
-+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
- accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
- clock_precision_digits = 0 # number of digits after dot. (optional)
- ordering = yes # Is ordering defined for timestamps?
diff --git a/openssl-1.0.1e-ecc-suiteb.patch b/openssl-1.0.1e-ecc-suiteb.patch
deleted file mode 100644
index dc87b00..0000000
--- a/openssl-1.0.1e-ecc-suiteb.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-diff -up openssl-1.0.1e/apps/speed.c.suiteb openssl-1.0.1e/apps/speed.c
---- openssl-1.0.1e/apps/speed.c.suiteb 2013-11-08 18:02:53.815229706 +0100
-+++ openssl-1.0.1e/apps/speed.c 2013-11-08 18:04:47.016724297 +0100
-@@ -966,49 +966,23 @@ int MAIN(int argc, char **argv)
- else
- #endif
- #ifndef OPENSSL_NO_ECDSA
-- if (strcmp(*argv,"ecdsap160") == 0) ecdsa_doit[R_EC_P160]=2;
-- else if (strcmp(*argv,"ecdsap192") == 0) ecdsa_doit[R_EC_P192]=2;
-- else if (strcmp(*argv,"ecdsap224") == 0) ecdsa_doit[R_EC_P224]=2;
-- else if (strcmp(*argv,"ecdsap256") == 0) ecdsa_doit[R_EC_P256]=2;
-+ if (strcmp(*argv,"ecdsap256") == 0) ecdsa_doit[R_EC_P256]=2;
- else if (strcmp(*argv,"ecdsap384") == 0) ecdsa_doit[R_EC_P384]=2;
- else if (strcmp(*argv,"ecdsap521") == 0) ecdsa_doit[R_EC_P521]=2;
-- else if (strcmp(*argv,"ecdsak163") == 0) ecdsa_doit[R_EC_K163]=2;
-- else if (strcmp(*argv,"ecdsak233") == 0) ecdsa_doit[R_EC_K233]=2;
-- else if (strcmp(*argv,"ecdsak283") == 0) ecdsa_doit[R_EC_K283]=2;
-- else if (strcmp(*argv,"ecdsak409") == 0) ecdsa_doit[R_EC_K409]=2;
-- else if (strcmp(*argv,"ecdsak571") == 0) ecdsa_doit[R_EC_K571]=2;
-- else if (strcmp(*argv,"ecdsab163") == 0) ecdsa_doit[R_EC_B163]=2;
-- else if (strcmp(*argv,"ecdsab233") == 0) ecdsa_doit[R_EC_B233]=2;
-- else if (strcmp(*argv,"ecdsab283") == 0) ecdsa_doit[R_EC_B283]=2;
-- else if (strcmp(*argv,"ecdsab409") == 0) ecdsa_doit[R_EC_B409]=2;
-- else if (strcmp(*argv,"ecdsab571") == 0) ecdsa_doit[R_EC_B571]=2;
- else if (strcmp(*argv,"ecdsa") == 0)
- {
-- for (i=0; i < EC_NUM; i++)
-+ for (i=R_EC_P256; i <= R_EC_P521; i++)
- ecdsa_doit[i]=1;
- }
- else
- #endif
- #ifndef OPENSSL_NO_ECDH
-- if (strcmp(*argv,"ecdhp160") == 0) ecdh_doit[R_EC_P160]=2;
-- else if (strcmp(*argv,"ecdhp192") == 0) ecdh_doit[R_EC_P192]=2;
-- else if (strcmp(*argv,"ecdhp224") == 0) ecdh_doit[R_EC_P224]=2;
-- else if (strcmp(*argv,"ecdhp256") == 0) ecdh_doit[R_EC_P256]=2;
-+ if (strcmp(*argv,"ecdhp256") == 0) ecdh_doit[R_EC_P256]=2;
- else if (strcmp(*argv,"ecdhp384") == 0) ecdh_doit[R_EC_P384]=2;
- else if (strcmp(*argv,"ecdhp521") == 0) ecdh_doit[R_EC_P521]=2;
-- else if (strcmp(*argv,"ecdhk163") == 0) ecdh_doit[R_EC_K163]=2;
-- else if (strcmp(*argv,"ecdhk233") == 0) ecdh_doit[R_EC_K233]=2;
-- else if (strcmp(*argv,"ecdhk283") == 0) ecdh_doit[R_EC_K283]=2;
-- else if (strcmp(*argv,"ecdhk409") == 0) ecdh_doit[R_EC_K409]=2;
-- else if (strcmp(*argv,"ecdhk571") == 0) ecdh_doit[R_EC_K571]=2;
-- else if (strcmp(*argv,"ecdhb163") == 0) ecdh_doit[R_EC_B163]=2;
-- else if (strcmp(*argv,"ecdhb233") == 0) ecdh_doit[R_EC_B233]=2;
-- else if (strcmp(*argv,"ecdhb283") == 0) ecdh_doit[R_EC_B283]=2;
-- else if (strcmp(*argv,"ecdhb409") == 0) ecdh_doit[R_EC_B409]=2;
-- else if (strcmp(*argv,"ecdhb571") == 0) ecdh_doit[R_EC_B571]=2;
- else if (strcmp(*argv,"ecdh") == 0)
- {
-- for (i=0; i < EC_NUM; i++)
-+ for (i=R_EC_P256; i <= R_EC_P521; i++)
- ecdh_doit[i]=1;
- }
- else
-@@ -1097,15 +1071,11 @@ int MAIN(int argc, char **argv)
- BIO_printf(bio_err,"dsa512 dsa1024 dsa2048\n");
- #endif
- #ifndef OPENSSL_NO_ECDSA
-- BIO_printf(bio_err,"ecdsap160 ecdsap192 ecdsap224 ecdsap256 ecdsap384 ecdsap521\n");
-- BIO_printf(bio_err,"ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n");
-- BIO_printf(bio_err,"ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n");
-+ BIO_printf(bio_err,"ecdsap256 ecdsap384 ecdsap521\n");
- BIO_printf(bio_err,"ecdsa\n");
- #endif
- #ifndef OPENSSL_NO_ECDH
-- BIO_printf(bio_err,"ecdhp160 ecdhp192 ecdhp224 ecdhp256 ecdhp384 ecdhp521\n");
-- BIO_printf(bio_err,"ecdhk163 ecdhk233 ecdhk283 ecdhk409 ecdhk571\n");
-- BIO_printf(bio_err,"ecdhb163 ecdhb233 ecdhb283 ecdhb409 ecdhb571\n");
-+ BIO_printf(bio_err,"ecdhp256 ecdhp384 ecdhp521\n");
- BIO_printf(bio_err,"ecdh\n");
- #endif
-
-@@ -1184,11 +1154,11 @@ int MAIN(int argc, char **argv)
- if (!FIPS_mode() || i != R_DSA_512)
- dsa_doit[i]=1;
- #ifndef OPENSSL_NO_ECDSA
-- for (i=0; i<EC_NUM; i++)
-+ for (i=R_EC_P256; i <= R_EC_P521; i++)
- ecdsa_doit[i]=1;
- #endif
- #ifndef OPENSSL_NO_ECDH
-- for (i=0; i<EC_NUM; i++)
-+ for (i=R_EC_P256; i <= R_EC_P521; i++)
- ecdh_doit[i]=1;
- #endif
- }
-diff -up openssl-1.0.1e/ssl/t1_lib.c.suiteb openssl-1.0.1e/ssl/t1_lib.c
---- openssl-1.0.1e/ssl/t1_lib.c.suiteb 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/t1_lib.c 2013-11-08 18:05:27.551617554 +0100
-@@ -204,31 +204,9 @@ static int nid_list[] =
-
- static int pref_list[] =
- {
-- NID_sect571r1, /* sect571r1 (14) */
-- NID_sect571k1, /* sect571k1 (13) */
- NID_secp521r1, /* secp521r1 (25) */
-- NID_sect409k1, /* sect409k1 (11) */
-- NID_sect409r1, /* sect409r1 (12) */
- NID_secp384r1, /* secp384r1 (24) */
-- NID_sect283k1, /* sect283k1 (9) */
-- NID_sect283r1, /* sect283r1 (10) */
-- NID_secp256k1, /* secp256k1 (22) */
- NID_X9_62_prime256v1, /* secp256r1 (23) */
-- NID_sect239k1, /* sect239k1 (8) */
-- NID_sect233k1, /* sect233k1 (6) */
-- NID_sect233r1, /* sect233r1 (7) */
-- NID_secp224k1, /* secp224k1 (20) */
-- NID_secp224r1, /* secp224r1 (21) */
-- NID_sect193r1, /* sect193r1 (4) */
-- NID_sect193r2, /* sect193r2 (5) */
-- NID_secp192k1, /* secp192k1 (18) */
-- NID_X9_62_prime192v1, /* secp192r1 (19) */
-- NID_sect163k1, /* sect163k1 (1) */
-- NID_sect163r1, /* sect163r1 (2) */
-- NID_sect163r2, /* sect163r2 (3) */
-- NID_secp160k1, /* secp160k1 (15) */
-- NID_secp160r1, /* secp160r1 (16) */
-- NID_secp160r2, /* secp160r2 (17) */
- };
-
- int tls1_ec_curve_id2nid(int curve_id)
diff --git a/openssl-1.0.1e-enc-fail.patch b/openssl-1.0.1e-enc-fail.patch
deleted file mode 100644
index a5a43f0..0000000
--- a/openssl-1.0.1e-enc-fail.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-diff -up openssl-1.0.1e/crypto/evp/bio_enc.c.enc-fail openssl-1.0.1e/crypto/evp/bio_enc.c
---- openssl-1.0.1e/crypto/evp/bio_enc.c.enc-fail 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/evp/bio_enc.c 2014-03-04 15:21:12.185821738 +0100
-@@ -198,10 +198,15 @@ static int enc_read(BIO *b, char *out, i
- }
- else
- {
-- EVP_CipherUpdate(&(ctx->cipher),
-+ if (!EVP_CipherUpdate(&(ctx->cipher),
- (unsigned char *)ctx->buf,&ctx->buf_len,
-- (unsigned char *)&(ctx->buf[BUF_OFFSET]),i);
-- ctx->cont=1;
-+ (unsigned char *)&(ctx->buf[BUF_OFFSET]),i))
-+ {
-+ ctx->ok = 0;
-+ ctx->cont = 0;
-+ }
-+ else
-+ ctx->cont=1;
- /* Note: it is possible for EVP_CipherUpdate to
- * decrypt zero bytes because this is or looks like
- * the final block: if this happens we should retry
-@@ -257,9 +262,14 @@ static int enc_write(BIO *b, const char
- while (inl > 0)
- {
- n=(inl > ENC_BLOCK_SIZE)?ENC_BLOCK_SIZE:inl;
-- EVP_CipherUpdate(&(ctx->cipher),
-+ if (!EVP_CipherUpdate(&(ctx->cipher),
- (unsigned char *)ctx->buf,&ctx->buf_len,
-- (unsigned char *)in,n);
-+ (unsigned char *)in,n))
-+ {
-+ BIO_copy_next_retry(b);
-+ ctx->ok = 0;
-+ return ret - inl;
-+ }
- inl-=n;
- in+=n;
-
diff --git a/openssl-1.0.1e-env-zlib.patch b/openssl-1.0.1e-env-zlib.patch
deleted file mode 100644
index b702acb..0000000
--- a/openssl-1.0.1e-env-zlib.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-diff -up openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
---- openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib 2013-02-11 16:02:48.000000000 +0100
-+++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod 2013-02-19 16:32:51.000000000 +0100
-@@ -47,6 +47,13 @@ Once the identities of the compression m
- been standardized, the compression API will most likely be changed. Using
- it in the current state is not recommended.
-
-+It is also not recommended to use compression if data transfered contain
-+untrusted parts that can be manipulated by an attacker as he could then
-+get information about the encrypted data. See the CRIME attack. For
-+that reason the default loading of the zlib compression method is
-+disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB>
-+is present during the library initialization.
-+
- =head1 RETURN VALUES
-
- SSL_COMP_add_compression_method() may return the following values:
-diff -up openssl-1.0.1e/ssl/ssl_ciph.c.env-zlib openssl-1.0.1e/ssl/ssl_ciph.c
---- openssl-1.0.1e/ssl/ssl_ciph.c.env-zlib 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/ssl_ciph.c 2013-02-19 16:37:36.163545085 +0100
-@@ -140,6 +140,8 @@
- * OTHERWISE.
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include <openssl/objects.h>
- #ifndef OPENSSL_NO_COMP
-@@ -455,7 +457,7 @@ static void load_builtin_compressions(vo
-
- MemCheck_off();
- ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
-- if (ssl_comp_methods != NULL)
-+ if (ssl_comp_methods != NULL && secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL)
- {
- comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
- if (comp != NULL)
diff --git a/openssl-1.0.1e-fips-ctor.patch b/openssl-1.0.1e-fips-ctor.patch
deleted file mode 100644
index 44576ef..0000000
--- a/openssl-1.0.1e-fips-ctor.patch
+++ /dev/null
@@ -1,179 +0,0 @@
-diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/fips.c
---- openssl-1.0.1e/crypto/fips/fips.c.fips-ctor 2013-09-26 13:52:30.767885457 +0200
-+++ openssl-1.0.1e/crypto/fips/fips.c 2013-09-26 14:01:29.406010187 +0200
-@@ -60,6 +60,8 @@
- #include <dlfcn.h>
- #include <stdio.h>
- #include <stdlib.h>
-+#include <unistd.h>
-+#include <errno.h>
- #include "fips_locl.h"
-
- #ifdef OPENSSL_FIPS
-@@ -198,8 +200,10 @@ bin2hex(void *buf, size_t len)
- return hex;
- }
-
--#define HMAC_PREFIX "."
--#define HMAC_SUFFIX ".hmac"
-+#define HMAC_PREFIX "."
-+#ifndef HMAC_SUFFIX
-+#define HMAC_SUFFIX ".hmac"
-+#endif
- #define READ_BUFFER_LENGTH 16384
-
- static char *
-@@ -279,19 +283,13 @@ end:
- }
-
- static int
--FIPSCHECK_verify(const char *libname, const char *symbolname)
-+FIPSCHECK_verify(const char *path)
- {
-- char path[PATH_MAX+1];
-- int rv;
-+ int rv = 0;
- FILE *hf;
- char *hmacpath, *p;
- char *hmac = NULL;
- size_t n;
--
-- rv = get_library_path(libname, symbolname, path, sizeof(path));
--
-- if (rv < 0)
-- return 0;
-
- hmacpath = make_hmac_path(path);
- if (hmacpath == NULL)
-@@ -341,6 +339,53 @@ end:
- return 1;
- }
-
-+static int
-+verify_checksums(void)
-+ {
-+ int rv;
-+ char path[PATH_MAX+1];
-+ char *p;
-+
-+ /* we need to avoid dlopening libssl, assume both libcrypto and libssl
-+ are in the same directory */
-+
-+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path));
-+ if (rv < 0)
-+ return 0;
-+
-+ rv = FIPSCHECK_verify(path);
-+ if (!rv)
-+ return 0;
-+
-+ /* replace libcrypto with libssl */
-+ while ((p = strstr(path, "libcrypto.so")) != NULL)
-+ {
-+ p = stpcpy(p, "libssl");
-+ memmove(p, p+3, strlen(p+2));
-+ }
-+
-+ rv = FIPSCHECK_verify(path);
-+ if (!rv)
-+ return 0;
-+ return 1;
-+ }
-+
-+#ifndef FIPS_MODULE_PATH
-+#define FIPS_MODULE_PATH "/etc/system-fips"
-+#endif
-+
-+int
-+FIPS_module_installed(void)
-+ {
-+ int rv;
-+ rv = access(FIPS_MODULE_PATH, F_OK);
-+ if (rv < 0 && errno != ENOENT)
-+ rv = 0;
-+
-+ /* Installed == true */
-+ return !rv;
-+ }
-+
- int FIPS_module_mode_set(int onoff, const char *auth)
- {
- int ret = 0;
-@@ -379,15 +424,7 @@ int FIPS_module_mode_set(int onoff, cons
- }
- #endif
-
-- if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
-- {
-- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
-- fips_selftest_fail = 1;
-- ret = 0;
-- goto end;
-- }
--
-- if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
-+ if(!verify_checksums())
- {
- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
- fips_selftest_fail = 1;
-diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-ctor openssl-1.0.1e/crypto/fips/fips.h
---- openssl-1.0.1e/crypto/fips/fips.h.fips-ctor 2013-09-26 13:52:30.814886515 +0200
-+++ openssl-1.0.1e/crypto/fips/fips.h 2013-09-26 13:52:30.816886560 +0200
-@@ -74,6 +74,7 @@ struct hmac_ctx_st;
-
- int FIPS_module_mode_set(int onoff, const char *auth);
- int FIPS_module_mode(void);
-+int FIPS_module_installed(void);
- const void *FIPS_rand_check(void);
- int FIPS_selftest(void);
- int FIPS_selftest_failed(void);
-diff -up openssl-1.0.1e/crypto/o_init.c.fips-ctor openssl-1.0.1e/crypto/o_init.c
---- openssl-1.0.1e/crypto/o_init.c.fips-ctor 2013-09-26 13:52:30.807886357 +0200
-+++ openssl-1.0.1e/crypto/o_init.c 2013-09-26 14:00:21.000000000 +0200
-@@ -71,6 +71,9 @@ static void init_fips_mode(void)
- char buf[2] = "0";
- int fd;
-
-+ /* Ensure the selftests always run */
-+ FIPS_mode_set(1);
-+
- if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
- {
- buf[0] = '1';
-@@ -85,9 +88,15 @@ static void init_fips_mode(void)
- * otherwise.
- */
-
-- if (buf[0] == '1')
-+ if (buf[0] != '1')
-+ {
-+ /* drop down to non-FIPS mode if it is not requested */
-+ FIPS_mode_set(0);
-+ }
-+ else
- {
-- FIPS_mode_set(1);
-+ /* abort if selftest failed */
-+ FIPS_selftest_check();
- }
- }
- #endif
-@@ -96,13 +105,17 @@ static void init_fips_mode(void)
- * Currently only sets FIPS callbacks
- */
-
--void OPENSSL_init_library(void)
-+void __attribute__ ((constructor)) OPENSSL_init_library(void)
- {
- static int done = 0;
- if (done)
- return;
- done = 1;
- #ifdef OPENSSL_FIPS
-+ if (!FIPS_module_installed())
-+ {
-+ return;
-+ }
- RAND_init_fips();
- init_fips_mode();
- if (!FIPS_mode())
diff --git a/openssl-1.0.1e-issuer-hash.patch b/openssl-1.0.1e-issuer-hash.patch
deleted file mode 100644
index 0f3bfdb..0000000
--- a/openssl-1.0.1e-issuer-hash.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -up openssl-1.0.1e/crypto/x509/x509_cmp.c.issuer-hash openssl-1.0.1e/crypto/x509/x509_cmp.c
---- openssl-1.0.1e/crypto/x509/x509_cmp.c.issuer-hash 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/x509/x509_cmp.c 2013-02-19 12:46:11.315788592 +0100
-@@ -85,6 +85,7 @@ unsigned long X509_issuer_and_serial_has
- char *f;
-
- EVP_MD_CTX_init(&ctx);
-+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
- if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
- goto err;
diff --git a/openssl-1.0.1e-no-md5-verify.patch b/openssl-1.0.1e-no-md5-verify.patch
deleted file mode 100644
index f379735..0000000
--- a/openssl-1.0.1e-no-md5-verify.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-diff -up openssl-1.0.1e/crypto/asn1/a_verify.c.no-md5-verify openssl-1.0.1e/crypto/asn1/a_verify.c
---- openssl-1.0.1e/crypto/asn1/a_verify.c.no-md5-verify 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/asn1/a_verify.c 2013-11-13 16:30:04.628791616 +0100
-@@ -56,6 +56,9 @@
- * [including the GNU Public Licence.]
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
-+
- #include <stdio.h>
- #include <time.h>
-
-@@ -171,6 +174,11 @@ int ASN1_item_verify(const ASN1_ITEM *it
- goto err;
- ret = -1;
- }
-+ else if (mdnid == NID_md5 && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL)
-+ {
-+ ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
-+ goto err;
-+ }
- else
- {
- const EVP_MD *type;
diff --git a/openssl-1.0.1e-ppc-asm-update.patch b/openssl-1.0.1e-ppc-asm-update.patch
deleted file mode 100644
index caa92ec..0000000
--- a/openssl-1.0.1e-ppc-asm-update.patch
+++ /dev/null
@@ -1,6664 +0,0 @@
-diff --git a/Configure b/Configure
-index 9c803dc..5a5c2d8 100755
---- a/Configure
-+++ b/Configure
-@@ -139,8 +139,8 @@ my $s390x_asm="s390xcap.o s390xcpuid.o:bn-s390x.o s390x-mont.o s390x-gf2m.o::aes
- my $armv4_asm="armcap.o armv4cpuid.o:bn_asm.o armv4-mont.o armv4-gf2m.o::aes_cbc.o aes-armv4.o:::sha1-armv4-large.o sha256-armv4.o sha512-armv4.o:::::::ghash-armv4.o::void";
- my $parisc11_asm="pariscid.o:bn_asm.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::32";
- my $parisc20_asm="pariscid.o:pa-risc2W.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::64";
--my $ppc32_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o:::sha1-ppc.o sha256-ppc.o::::::::";
--my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o::::::::";
-+my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o vpaes-ppc.o aesp8-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o sha256p8-ppc.o sha512p8-ppc.o:::::::ghashp8-ppc.o:";
-+my $ppc32_asm=$ppc64_asm;
- my $no_asm=":::::::::::::::void";
-
- # As for $BSDthreads. Idea is to maintain "collective" set of flags,
-@@ -357,6 +357,7 @@ my %table=(
- ####
- "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-ppc64le","gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
- "linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-@@ -462,8 +463,8 @@ my %table=(
-
- #### IBM's AIX.
- "aix3-cc", "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::",
--"aix-gcc", "gcc:-O -DB_ENDIAN::-pthread:AIX::BN_LLONG RC4_CHAR:${ppc32_asm}:aix32:dlfcn:aix-shared::-shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X32",
--"aix64-gcc","gcc:-maix64 -O -DB_ENDIAN::-pthread:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:${ppc64_asm}:aix64:dlfcn:aix-shared::-maix64 -shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X64",
-+"aix-gcc", "gcc:-O -DB_ENDIAN::-pthread:AIX::BN_LLONG RC4_CHAR:$ppc32_asm:aix32:dlfcn:aix-shared::-shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X32",
-+"aix64-gcc","gcc:-maix64 -O -DB_ENDIAN::-pthread:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:$ppc64_asm:aix64:dlfcn:aix-shared::-maix64 -shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X64",
- # Below targets assume AIX 5. Idea is to effectively disregard $OBJECT_MODE
- # at build time. $OBJECT_MODE is respected at ./config stage!
- "aix-cc", "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded -D_THREAD_SAFE:AIX::BN_LLONG RC4_CHAR:${ppc32_asm}:aix32:dlfcn:aix-shared::-q32 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
-@@ -1525,7 +1526,7 @@ else {
- $wp_obj="wp_block.o";
- }
- $cmll_obj=$cmll_enc unless ($cmll_obj =~ /.o$/);
--if ($modes_obj =~ /ghash/)
-+if ($modes_obj =~ /ghash\-/)
- {
- $cflags.=" -DGHASH_ASM";
- }
-diff --git a/config b/config
-index 88b9bc6..8b80802 100755
---- a/config
-+++ b/config
-@@ -587,13 +587,20 @@ case "$GUESSOS" in
- fi
- ;;
- ppc64-*-linux2)
-- echo "WARNING! If you wish to build 64-bit library, then you have to"
-- echo " invoke './Configure linux-ppc64' *manually*."
-- if [ "$TEST" = "false" -a -t 1 ]; then
-- echo " You have about 5 seconds to press Ctrl-C to abort."
-- (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
-+ if [ -z "$KERNEL_BITS" ]; then
-+ echo "WARNING! If you wish to build 64-bit library, then you have to"
-+ echo " invoke './Configure linux-ppc64' *manually*."
-+ if [ "$TEST" = "false" -a -t 1 ]; then
-+ echo " You have about 5 seconds to press Ctrl-C to abort."
-+ (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
-+ fi
-+ fi
-+ if [ "$KERNEL_BITS" = "64" ]; then
-+ OUT="linux-ppc64"
-+ else
-+ OUT="linux-ppc"
-+ (echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null) || options="$options -m32"
- fi
-- OUT="linux-ppc"
- ;;
- ppc-*-linux2) OUT="linux-ppc" ;;
- ppc60x-*-vxworks*) OUT="vxworks-ppc60x" ;;
-diff --git a/crypto/aes/Makefile b/crypto/aes/Makefile
-index 45ede0a..847f4ee 100644
---- a/crypto/aes/Makefile
-+++ b/crypto/aes/Makefile
-@@ -71,6 +71,10 @@ aes-sparcv9.s: asm/aes-sparcv9.pl
-
- aes-ppc.s: asm/aes-ppc.pl
- $(PERL) asm/aes-ppc.pl $(PERLASM_SCHEME) $@
-+vpaes-ppc.s: asm/vpaes-ppc.pl
-+ $(PERL) asm/vpaes-ppc.pl $(PERLASM_SCHEME) $@
-+aesp8-ppc.s: asm/aesp8-ppc.pl
-+ $(PERL) asm/aesp8-ppc.pl $(PERLASM_SCHEME) $@
-
- aes-parisc.s: asm/aes-parisc.pl
- $(PERL) asm/aes-parisc.pl $(PERLASM_SCHEME) $@
-diff --git a/crypto/aes/asm/aes-ppc.pl b/crypto/aes/asm/aes-ppc.pl
-index 7c52cbe..7a99fc3 100644
---- a/crypto/aes/asm/aes-ppc.pl
-+++ b/crypto/aes/asm/aes-ppc.pl
-@@ -45,6 +45,8 @@ if ($flavour =~ /64/) {
- $PUSH ="stw";
- } else { die "nonsense $flavour"; }
-
-+$LITTLE_ENDIAN = ($flavour=~/le$/) ? $SIZE_T : 0;
-+
- $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
- ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
- ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-@@ -68,7 +70,7 @@ $key="r5";
- $Tbl0="r3";
- $Tbl1="r6";
- $Tbl2="r7";
--$Tbl3="r2";
-+$Tbl3=$out; # stay away from "r2"; $out is offloaded to stack
-
- $s0="r8";
- $s1="r9";
-@@ -76,7 +78,7 @@ $s2="r10";
- $s3="r11";
-
- $t0="r12";
--$t1="r13";
-+$t1="r0"; # stay away from "r13";
- $t2="r14";
- $t3="r15";
-
-@@ -100,9 +102,6 @@ $acc13="r29";
- $acc14="r30";
- $acc15="r31";
-
--# stay away from TLS pointer
--if ($SIZE_T==8) { die if ($t1 ne "r13"); $t1="r0"; }
--else { die if ($Tbl3 ne "r2"); $Tbl3=$t0; $t0="r0"; }
- $mask80=$Tbl2;
- $mask1b=$Tbl3;
-
-@@ -337,8 +336,7 @@ $code.=<<___;
- $STU $sp,-$FRAME($sp)
- mflr r0
-
-- $PUSH $toc,`$FRAME-$SIZE_T*20`($sp)
-- $PUSH r13,`$FRAME-$SIZE_T*19`($sp)
-+ $PUSH $out,`$FRAME-$SIZE_T*19`($sp)
- $PUSH r14,`$FRAME-$SIZE_T*18`($sp)
- $PUSH r15,`$FRAME-$SIZE_T*17`($sp)
- $PUSH r16,`$FRAME-$SIZE_T*16`($sp)
-@@ -365,16 +363,61 @@ $code.=<<___;
- bne Lenc_unaligned
-
- Lenc_unaligned_ok:
-+___
-+$code.=<<___ if (!$LITTLE_ENDIAN);
- lwz $s0,0($inp)
- lwz $s1,4($inp)
- lwz $s2,8($inp)
- lwz $s3,12($inp)
-+___
-+$code.=<<___ if ($LITTLE_ENDIAN);
-+ lwz $t0,0($inp)
-+ lwz $t1,4($inp)
-+ lwz $t2,8($inp)
-+ lwz $t3,12($inp)
-+ rotlwi $s0,$t0,8
-+ rotlwi $s1,$t1,8
-+ rotlwi $s2,$t2,8
-+ rotlwi $s3,$t3,8
-+ rlwimi $s0,$t0,24,0,7
-+ rlwimi $s1,$t1,24,0,7
-+ rlwimi $s2,$t2,24,0,7
-+ rlwimi $s3,$t3,24,0,7
-+ rlwimi $s0,$t0,24,16,23
-+ rlwimi $s1,$t1,24,16,23
-+ rlwimi $s2,$t2,24,16,23
-+ rlwimi $s3,$t3,24,16,23
-+___
-+$code.=<<___;
- bl LAES_Te
- bl Lppc_AES_encrypt_compact
-+ $POP $out,`$FRAME-$SIZE_T*19`($sp)
-+___
-+$code.=<<___ if ($LITTLE_ENDIAN);
-+ rotlwi $t0,$s0,8
-+ rotlwi $t1,$s1,8
-+ rotlwi $t2,$s2,8
-+ rotlwi $t3,$s3,8
-+ rlwimi $t0,$s0,24,0,7
-+ rlwimi $t1,$s1,24,0,7
-+ rlwimi $t2,$s2,24,0,7
-+ rlwimi $t3,$s3,24,0,7
-+ rlwimi $t0,$s0,24,16,23
-+ rlwimi $t1,$s1,24,16,23
-+ rlwimi $t2,$s2,24,16,23
-+ rlwimi $t3,$s3,24,16,23
-+ stw $t0,0($out)
-+ stw $t1,4($out)
-+ stw $t2,8($out)
-+ stw $t3,12($out)
-+___
-+$code.=<<___ if (!$LITTLE_ENDIAN);
- stw $s0,0($out)
- stw $s1,4($out)
- stw $s2,8($out)
- stw $s3,12($out)
-+___
-+$code.=<<___;
- b Lenc_done
-
- Lenc_unaligned:
-@@ -417,6 +460,7 @@ Lenc_xpage:
-
- bl LAES_Te
- bl Lppc_AES_encrypt_compact
-+ $POP $out,`$FRAME-$SIZE_T*19`($sp)
-
- extrwi $acc00,$s0,8,0
- extrwi $acc01,$s0,8,8
-@@ -449,8 +493,6 @@ Lenc_xpage:
-
- Lenc_done:
- $POP r0,`$FRAME+$LRSAVE`($sp)
-- $POP $toc,`$FRAME-$SIZE_T*20`($sp)
-- $POP r13,`$FRAME-$SIZE_T*19`($sp)
- $POP r14,`$FRAME-$SIZE_T*18`($sp)
- $POP r15,`$FRAME-$SIZE_T*17`($sp)
- $POP r16,`$FRAME-$SIZE_T*16`($sp)
-@@ -764,6 +806,7 @@ Lenc_compact_done:
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size .AES_encrypt,.-.AES_encrypt
-
- .globl .AES_decrypt
- .align 7
-@@ -771,8 +814,7 @@ Lenc_compact_done:
- $STU $sp,-$FRAME($sp)
- mflr r0
-
-- $PUSH $toc,`$FRAME-$SIZE_T*20`($sp)
-- $PUSH r13,`$FRAME-$SIZE_T*19`($sp)
-+ $PUSH $out,`$FRAME-$SIZE_T*19`($sp)
- $PUSH r14,`$FRAME-$SIZE_T*18`($sp)
- $PUSH r15,`$FRAME-$SIZE_T*17`($sp)
- $PUSH r16,`$FRAME-$SIZE_T*16`($sp)
-@@ -799,16 +841,61 @@ Lenc_compact_done:
- bne Ldec_unaligned
-
- Ldec_unaligned_ok:
-+___
-+$code.=<<___ if (!$LITTLE_ENDIAN);
- lwz $s0,0($inp)
- lwz $s1,4($inp)
- lwz $s2,8($inp)
- lwz $s3,12($inp)
-+___
-+$code.=<<___ if ($LITTLE_ENDIAN);
-+ lwz $t0,0($inp)
-+ lwz $t1,4($inp)
-+ lwz $t2,8($inp)
-+ lwz $t3,12($inp)
-+ rotlwi $s0,$t0,8
-+ rotlwi $s1,$t1,8
-+ rotlwi $s2,$t2,8
-+ rotlwi $s3,$t3,8
-+ rlwimi $s0,$t0,24,0,7
-+ rlwimi $s1,$t1,24,0,7
-+ rlwimi $s2,$t2,24,0,7
-+ rlwimi $s3,$t3,24,0,7
-+ rlwimi $s0,$t0,24,16,23
-+ rlwimi $s1,$t1,24,16,23
-+ rlwimi $s2,$t2,24,16,23
-+ rlwimi $s3,$t3,24,16,23
-+___
-+$code.=<<___;
- bl LAES_Td
- bl Lppc_AES_decrypt_compact
-+ $POP $out,`$FRAME-$SIZE_T*19`($sp)
-+___
-+$code.=<<___ if ($LITTLE_ENDIAN);
-+ rotlwi $t0,$s0,8
-+ rotlwi $t1,$s1,8
-+ rotlwi $t2,$s2,8
-+ rotlwi $t3,$s3,8
-+ rlwimi $t0,$s0,24,0,7
-+ rlwimi $t1,$s1,24,0,7
-+ rlwimi $t2,$s2,24,0,7
-+ rlwimi $t3,$s3,24,0,7
-+ rlwimi $t0,$s0,24,16,23
-+ rlwimi $t1,$s1,24,16,23
-+ rlwimi $t2,$s2,24,16,23
-+ rlwimi $t3,$s3,24,16,23
-+ stw $t0,0($out)
-+ stw $t1,4($out)
-+ stw $t2,8($out)
-+ stw $t3,12($out)
-+___
-+$code.=<<___ if (!$LITTLE_ENDIAN);
- stw $s0,0($out)
- stw $s1,4($out)
- stw $s2,8($out)
- stw $s3,12($out)
-+___
-+$code.=<<___;
- b Ldec_done
-
- Ldec_unaligned:
-@@ -851,6 +938,7 @@ Ldec_xpage:
-
- bl LAES_Td
- bl Lppc_AES_decrypt_compact
-+ $POP $out,`$FRAME-$SIZE_T*19`($sp)
-
- extrwi $acc00,$s0,8,0
- extrwi $acc01,$s0,8,8
-@@ -883,8 +971,6 @@ Ldec_xpage:
-
- Ldec_done:
- $POP r0,`$FRAME+$LRSAVE`($sp)
-- $POP $toc,`$FRAME-$SIZE_T*20`($sp)
-- $POP r13,`$FRAME-$SIZE_T*19`($sp)
- $POP r14,`$FRAME-$SIZE_T*18`($sp)
- $POP r15,`$FRAME-$SIZE_T*17`($sp)
- $POP r16,`$FRAME-$SIZE_T*16`($sp)
-@@ -1355,6 +1441,7 @@ Ldec_compact_done:
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size .AES_decrypt,.-.AES_decrypt
-
- .asciz "AES for PPC, CRYPTOGAMS by <appro\@openssl.org>"
- .align 7
-diff --git a/crypto/aes/asm/aesp8-ppc.pl b/crypto/aes/asm/aesp8-ppc.pl
-new file mode 100755
-index 0000000..3ee8979
---- /dev/null
-+++ b/crypto/aes/asm/aesp8-ppc.pl
-@@ -0,0 +1,1940 @@
-+#!/usr/bin/env perl
-+#
-+# ====================================================================
-+# Written by Andy Polyakov <appro at openssl.org> for the OpenSSL
-+# project. The module is, however, dual licensed under OpenSSL and
-+# CRYPTOGAMS licenses depending on where you obtain it. For further
-+# details see http://www.openssl.org/~appro/cryptogams/.
-+# ====================================================================
-+#
-+# This module implements support for AES instructions as per PowerISA
-+# specification version 2.07, first implemented by POWER8 processor.
-+# The module is endian-agnostic in sense that it supports both big-
-+# and little-endian cases. Data alignment in parallelizable modes is
-+# handled with VSX loads and stores, which implies MSR.VSX flag being
-+# set. It should also be noted that ISA specification doesn't prohibit
-+# alignment exceptions for these instructions on page boundaries.
-+# Initially alignment was handled in pure AltiVec/VMX way [when data
-+# is aligned programmatically, which in turn guarantees exception-
-+# free execution], but it turned to hamper performance when vcipher
-+# instructions are interleaved. It's reckoned that eventual
-+# misalignment penalties at page boundaries are in average lower
-+# than additional overhead in pure AltiVec approach.
-+
-+$flavour = shift;
-+
-+if ($flavour =~ /64/) {
-+ $SIZE_T =8;
-+ $LRSAVE =2*$SIZE_T;
-+ $STU ="stdu";
-+ $POP ="ld";
-+ $PUSH ="std";
-+ $UCMP ="cmpld";
-+ $SHL ="sldi";
-+} elsif ($flavour =~ /32/) {
-+ $SIZE_T =4;
-+ $LRSAVE =$SIZE_T;
-+ $STU ="stwu";
-+ $POP ="lwz";
-+ $PUSH ="stw";
-+ $UCMP ="cmplw";
-+ $SHL ="slwi";
-+} else { die "nonsense $flavour"; }
-+
-+$LITTLE_ENDIAN = ($flavour=~/le$/) ? $SIZE_T : 0;
-+
-+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
-+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-+die "can't locate ppc-xlate.pl";
-+
-+open STDOUT,"| $^X $xlate $flavour ".shift || die "can't call $xlate: $!";
-+
-+$FRAME=8*$SIZE_T;
-+$prefix="aes_p8";
-+
-+$sp="r1";
-+$vrsave="r12";
-+
-+#########################################################################
-+{{{ # Key setup procedures #
-+my ($inp,$bits,$out,$ptr,$cnt,$rounds)=map("r$_",(3..8));
-+my ($zero,$in0,$in1,$key,$rcon,$mask,$tmp)=map("v$_",(0..6));
-+my ($stage,$outperm,$outmask,$outhead,$outtail)=map("v$_",(7..11));
-+
-+$code.=<<___;
-+.machine "any"
-+
-+.text
-+
-+.align 7
-+rcon:
-+.long 0x01000000, 0x01000000, 0x01000000, 0x01000000 ?rev
-+.long 0x1b000000, 0x1b000000, 0x1b000000, 0x1b000000 ?rev
-+.long 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c ?rev
-+.long 0,0,0,0 ?asis
-+Lconsts:
-+ mflr r0
-+ bcl 20,31,\$+4
-+ mflr $ptr #vvvvv "distance between . and rcon
-+ addi $ptr,$ptr,-0x48
-+ mtlr r0
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+.asciz "AES for PowerISA 2.07, CRYPTOGAMS by <appro\@openssl.org>"
-+
-+.globl .${prefix}_set_encrypt_key
-+.align 5
-+.${prefix}_set_encrypt_key:
-+Lset_encrypt_key:
-+ mflr r11
-+ $PUSH r11,$LRSAVE($sp)
-+
-+ li $ptr,-1
-+ ${UCMP}i $inp,0
-+ beq- Lenc_key_abort # if ($inp==0) return -1;
-+ ${UCMP}i $out,0
-+ beq- Lenc_key_abort # if ($out==0) return -1;
-+ li $ptr,-2
-+ cmpwi $bits,128
-+ blt- Lenc_key_abort
-+ cmpwi $bits,256
-+ bgt- Lenc_key_abort
-+ andi. r0,$bits,0x3f
-+ bne- Lenc_key_abort
-+
-+ lis r0,0xfff0
-+ mfspr $vrsave,256
-+ mtspr 256,r0
-+
-+ bl Lconsts
-+ mtlr r11
-+
-+ neg r9,$inp
-+ lvx $in0,0,$inp
-+ addi $inp,$inp,15 # 15 is not typo
-+ lvsr $key,0,r9 # borrow $key
-+ li r8,0x20
-+ cmpwi $bits,192
-+ lvx $in1,0,$inp
-+ le?vspltisb $mask,0x0f # borrow $mask
-+ lvx $rcon,0,$ptr
-+ le?vxor $key,$key,$mask # adjust for byte swap
-+ lvx $mask,r8,$ptr
-+ addi $ptr,$ptr,0x10
-+ vperm $in0,$in0,$in1,$key # align [and byte swap in LE]
-+ li $cnt,8
-+ vxor $zero,$zero,$zero
-+ mtctr $cnt
-+
-+ ?lvsr $outperm,0,$out
-+ vspltisb $outmask,-1
-+ lvx $outhead,0,$out
-+ ?vperm $outmask,$zero,$outmask,$outperm
-+
-+ blt Loop128
-+ addi $inp,$inp,8
-+ beq L192
-+ addi $inp,$inp,8
-+ b L256
-+
-+.align 4
-+Loop128:
-+ vperm $key,$in0,$in0,$mask # rotate-n-splat
-+ vsldoi $tmp,$zero,$in0,12 # >>32
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ vcipherlast $key,$key,$rcon
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vadduwm $rcon,$rcon,$rcon
-+ vxor $in0,$in0,$key
-+ bdnz Loop128
-+
-+ lvx $rcon,0,$ptr # last two round keys
-+
-+ vperm $key,$in0,$in0,$mask # rotate-n-splat
-+ vsldoi $tmp,$zero,$in0,12 # >>32
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ vcipherlast $key,$key,$rcon
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vadduwm $rcon,$rcon,$rcon
-+ vxor $in0,$in0,$key
-+
-+ vperm $key,$in0,$in0,$mask # rotate-n-splat
-+ vsldoi $tmp,$zero,$in0,12 # >>32
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ vcipherlast $key,$key,$rcon
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vxor $in0,$in0,$key
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ stvx $stage,0,$out
-+
-+ addi $inp,$out,15 # 15 is not typo
-+ addi $out,$out,0x50
-+
-+ li $rounds,10
-+ b Ldone
-+
-+.align 4
-+L192:
-+ lvx $tmp,0,$inp
-+ li $cnt,4
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+ vperm $in1,$in1,$tmp,$key # align [and byte swap in LE]
-+ vspltisb $key,8 # borrow $key
-+ mtctr $cnt
-+ vsububm $mask,$mask,$key # adjust the mask
-+
-+Loop192:
-+ vperm $key,$in1,$in1,$mask # roate-n-splat
-+ vsldoi $tmp,$zero,$in0,12 # >>32
-+ vcipherlast $key,$key,$rcon
-+
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+
-+ vsldoi $stage,$zero,$in1,8
-+ vspltw $tmp,$in0,3
-+ vxor $tmp,$tmp,$in1
-+ vsldoi $in1,$zero,$in1,12 # >>32
-+ vadduwm $rcon,$rcon,$rcon
-+ vxor $in1,$in1,$tmp
-+ vxor $in0,$in0,$key
-+ vxor $in1,$in1,$key
-+ vsldoi $stage,$stage,$in0,8
-+
-+ vperm $key,$in1,$in1,$mask # rotate-n-splat
-+ vsldoi $tmp,$zero,$in0,12 # >>32
-+ vperm $outtail,$stage,$stage,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ vcipherlast $key,$key,$rcon
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+
-+ vsldoi $stage,$in0,$in1,8
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vperm $outtail,$stage,$stage,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+
-+ vspltw $tmp,$in0,3
-+ vxor $tmp,$tmp,$in1
-+ vsldoi $in1,$zero,$in1,12 # >>32
-+ vadduwm $rcon,$rcon,$rcon
-+ vxor $in1,$in1,$tmp
-+ vxor $in0,$in0,$key
-+ vxor $in1,$in1,$key
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ stvx $stage,0,$out
-+ addi $inp,$out,15 # 15 is not typo
-+ addi $out,$out,16
-+ bdnz Loop192
-+
-+ li $rounds,12
-+ addi $out,$out,0x20
-+ b Ldone
-+
-+.align 4
-+L256:
-+ lvx $tmp,0,$inp
-+ li $cnt,7
-+ li $rounds,14
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+ vperm $in1,$in1,$tmp,$key # align [and byte swap in LE]
-+ mtctr $cnt
-+
-+Loop256:
-+ vperm $key,$in1,$in1,$mask # rotate-n-splat
-+ vsldoi $tmp,$zero,$in0,12 # >>32
-+ vperm $outtail,$in1,$in1,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ vcipherlast $key,$key,$rcon
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vadduwm $rcon,$rcon,$rcon
-+ vxor $in0,$in0,$key
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ stvx $stage,0,$out
-+ addi $inp,$out,15 # 15 is not typo
-+ addi $out,$out,16
-+ bdz Ldone
-+
-+ vspltw $key,$in0,3 # just splat
-+ vsldoi $tmp,$zero,$in1,12 # >>32
-+ vsbox $key,$key
-+
-+ vxor $in1,$in1,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in1,$in1,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in1,$in1,$tmp
-+
-+ vxor $in1,$in1,$key
-+ b Loop256
-+
-+.align 4
-+Ldone:
-+ lvx $in1,0,$inp # redundant in aligned case
-+ vsel $in1,$outhead,$in1,$outmask
-+ stvx $in1,0,$inp
-+ li $ptr,0
-+ mtspr 256,$vrsave
-+ stw $rounds,0($out)
-+
-+Lenc_key_abort:
-+ mr r3,$ptr
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,1,0,0,3,0
-+ .long 0
-+.size .${prefix}_set_encrypt_key,.-.${prefix}_set_encrypt_key
-+
-+.globl .${prefix}_set_decrypt_key
-+.align 5
-+.${prefix}_set_decrypt_key:
-+ $STU $sp,-$FRAME($sp)
-+ mflr r10
-+ $PUSH r10,$FRAME+$LRSAVE($sp)
-+ bl Lset_encrypt_key
-+ mtlr r10
-+
-+ cmpwi r3,0
-+ bne- Ldec_key_abort
-+
-+ slwi $cnt,$rounds,4
-+ subi $inp,$out,240 # first round key
-+ srwi $rounds,$rounds,1
-+ add $out,$inp,$cnt # last round key
-+ mtctr $rounds
-+
-+Ldeckey:
-+ lwz r0, 0($inp)
-+ lwz r6, 4($inp)
-+ lwz r7, 8($inp)
-+ lwz r8, 12($inp)
-+ addi $inp,$inp,16
-+ lwz r9, 0($out)
-+ lwz r10,4($out)
-+ lwz r11,8($out)
-+ lwz r12,12($out)
-+ stw r0, 0($out)
-+ stw r6, 4($out)
-+ stw r7, 8($out)
-+ stw r8, 12($out)
-+ subi $out,$out,16
-+ stw r9, -16($inp)
-+ stw r10,-12($inp)
-+ stw r11,-8($inp)
-+ stw r12,-4($inp)
-+ bdnz Ldeckey
-+
-+ xor r3,r3,r3 # return value
-+Ldec_key_abort:
-+ addi $sp,$sp,$FRAME
-+ blr
-+ .long 0
-+ .byte 0,12,4,1,0x80,0,3,0
-+ .long 0
-+.size .${prefix}_set_decrypt_key,.-.${prefix}_set_decrypt_key
-+___
-+}}}
-+#########################################################################
-+{{{ # Single block en- and decrypt procedures #
-+sub gen_block () {
-+my $dir = shift;
-+my $n = $dir eq "de" ? "n" : "";
-+my ($inp,$out,$key,$rounds,$idx)=map("r$_",(3..7));
-+
-+$code.=<<___;
-+.globl .${prefix}_${dir}crypt
-+.align 5
-+.${prefix}_${dir}crypt:
-+ lwz $rounds,240($key)
-+ lis r0,0xfc00
-+ mfspr $vrsave,256
-+ li $idx,15 # 15 is not typo
-+ mtspr 256,r0
-+
-+ lvx v0,0,$inp
-+ neg r11,$out
-+ lvx v1,$idx,$inp
-+ lvsl v2,0,$inp # inpperm
-+ le?vspltisb v4,0x0f
-+ ?lvsl v3,0,r11 # outperm
-+ le?vxor v2,v2,v4
-+ li $idx,16
-+ vperm v0,v0,v1,v2 # align [and byte swap in LE]
-+ lvx v1,0,$key
-+ ?lvsl v5,0,$key # keyperm
-+ srwi $rounds,$rounds,1
-+ lvx v2,$idx,$key
-+ addi $idx,$idx,16
-+ subi $rounds,$rounds,1
-+ ?vperm v1,v1,v2,v5 # align round key
-+
-+ vxor v0,v0,v1
-+ lvx v1,$idx,$key
-+ addi $idx,$idx,16
-+ mtctr $rounds
-+
-+Loop_${dir}c:
-+ ?vperm v2,v2,v1,v5
-+ v${n}cipher v0,v0,v2
-+ lvx v2,$idx,$key
-+ addi $idx,$idx,16
-+ ?vperm v1,v1,v2,v5
-+ v${n}cipher v0,v0,v1
-+ lvx v1,$idx,$key
-+ addi $idx,$idx,16
-+ bdnz Loop_${dir}c
-+
-+ ?vperm v2,v2,v1,v5
-+ v${n}cipher v0,v0,v2
-+ lvx v2,$idx,$key
-+ ?vperm v1,v1,v2,v5
-+ v${n}cipherlast v0,v0,v1
-+
-+ vspltisb v2,-1
-+ vxor v1,v1,v1
-+ li $idx,15 # 15 is not typo
-+ ?vperm v2,v1,v2,v3 # outmask
-+ le?vxor v3,v3,v4
-+ lvx v1,0,$out # outhead
-+ vperm v0,v0,v0,v3 # rotate [and byte swap in LE]
-+ vsel v1,v1,v0,v2
-+ lvx v4,$idx,$out
-+ stvx v1,0,$out
-+ vsel v0,v0,v4,v2
-+ stvx v0,$idx,$out
-+
-+ mtspr 256,$vrsave
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,3,0
-+ .long 0
-+.size .${prefix}_${dir}crypt,.-.${prefix}_${dir}crypt
-+___
-+}
-+&gen_block("en");
-+&gen_block("de");
-+}}}
-+#########################################################################
-+{{{ # CBC en- and decrypt procedures #
-+my ($inp,$out,$len,$key,$ivp,$enc,$rounds,$idx)=map("r$_",(3..10));
-+my ($rndkey0,$rndkey1,$inout,$tmp)= map("v$_",(0..3));
-+my ($ivec,$inptail,$inpperm,$outhead,$outperm,$outmask,$keyperm)=
-+ map("v$_",(4..10));
-+$code.=<<___;
-+.globl .${prefix}_cbc_encrypt
-+.align 5
-+.${prefix}_cbc_encrypt:
-+ ${UCMP}i $len,16
-+ bltlr-
-+
-+ cmpwi $enc,0 # test direction
-+ lis r0,0xffe0
-+ mfspr $vrsave,256
-+ mtspr 256,r0
-+
-+ li $idx,15
-+ vxor $rndkey0,$rndkey0,$rndkey0
-+ le?vspltisb $tmp,0x0f
-+
-+ lvx $ivec,0,$ivp # load [unaligned] iv
-+ lvsl $inpperm,0,$ivp
-+ lvx $inptail,$idx,$ivp
-+ le?vxor $inpperm,$inpperm,$tmp
-+ vperm $ivec,$ivec,$inptail,$inpperm
-+
-+ neg r11,$inp
-+ ?lvsl $keyperm,0,$key # prepare for unaligned key
-+ lwz $rounds,240($key)
-+
-+ lvsr $inpperm,0,r11 # prepare for unaligned load
-+ lvx $inptail,0,$inp
-+ addi $inp,$inp,15 # 15 is not typo
-+ le?vxor $inpperm,$inpperm,$tmp
-+
-+ ?lvsr $outperm,0,$out # prepare for unaligned store
-+ vspltisb $outmask,-1
-+ lvx $outhead,0,$out
-+ ?vperm $outmask,$rndkey0,$outmask,$outperm
-+ le?vxor $outperm,$outperm,$tmp
-+
-+ srwi $rounds,$rounds,1
-+ li $idx,16
-+ subi $rounds,$rounds,1
-+ beq Lcbc_dec
-+
-+Lcbc_enc:
-+ vmr $inout,$inptail
-+ lvx $inptail,0,$inp
-+ addi $inp,$inp,16
-+ mtctr $rounds
-+ subi $len,$len,16 # len-=16
-+
-+ lvx $rndkey0,0,$key
-+ vperm $inout,$inout,$inptail,$inpperm
-+ lvx $rndkey1,$idx,$key
-+ addi $idx,$idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vxor $inout,$inout,$rndkey0
-+ lvx $rndkey0,$idx,$key
-+ addi $idx,$idx,16
-+ vxor $inout,$inout,$ivec
-+
-+Loop_cbc_enc:
-+ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
-+ vcipher $inout,$inout,$rndkey1
-+ lvx $rndkey1,$idx,$key
-+ addi $idx,$idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vcipher $inout,$inout,$rndkey0
-+ lvx $rndkey0,$idx,$key
-+ addi $idx,$idx,16
-+ bdnz Loop_cbc_enc
-+
-+ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
-+ vcipher $inout,$inout,$rndkey1
-+ lvx $rndkey1,$idx,$key
-+ li $idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vcipherlast $ivec,$inout,$rndkey0
-+ ${UCMP}i $len,16
-+
-+ vperm $tmp,$ivec,$ivec,$outperm
-+ vsel $inout,$outhead,$tmp,$outmask
-+ vmr $outhead,$tmp
-+ stvx $inout,0,$out
-+ addi $out,$out,16
-+ bge Lcbc_enc
-+
-+ b Lcbc_done
-+
-+.align 4
-+Lcbc_dec:
-+ ${UCMP}i $len,128
-+ bge _aesp8_cbc_decrypt8x
-+ vmr $tmp,$inptail
-+ lvx $inptail,0,$inp
-+ addi $inp,$inp,16
-+ mtctr $rounds
-+ subi $len,$len,16 # len-=16
-+
-+ lvx $rndkey0,0,$key
-+ vperm $tmp,$tmp,$inptail,$inpperm
-+ lvx $rndkey1,$idx,$key
-+ addi $idx,$idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vxor $inout,$tmp,$rndkey0
-+ lvx $rndkey0,$idx,$key
-+ addi $idx,$idx,16
-+
-+Loop_cbc_dec:
-+ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
-+ vncipher $inout,$inout,$rndkey1
-+ lvx $rndkey1,$idx,$key
-+ addi $idx,$idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vncipher $inout,$inout,$rndkey0
-+ lvx $rndkey0,$idx,$key
-+ addi $idx,$idx,16
-+ bdnz Loop_cbc_dec
-+
-+ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
-+ vncipher $inout,$inout,$rndkey1
-+ lvx $rndkey1,$idx,$key
-+ li $idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vncipherlast $inout,$inout,$rndkey0
-+ ${UCMP}i $len,16
-+
-+ vxor $inout,$inout,$ivec
-+ vmr $ivec,$tmp
-+ vperm $tmp,$inout,$inout,$outperm
-+ vsel $inout,$outhead,$tmp,$outmask
-+ vmr $outhead,$tmp
-+ stvx $inout,0,$out
-+ addi $out,$out,16
-+ bge Lcbc_dec
-+
-+Lcbc_done:
-+ addi $out,$out,-1
-+ lvx $inout,0,$out # redundant in aligned case
-+ vsel $inout,$outhead,$inout,$outmask
-+ stvx $inout,0,$out
-+
-+ neg $enc,$ivp # write [unaligned] iv
-+ li $idx,15 # 15 is not typo
-+ vxor $rndkey0,$rndkey0,$rndkey0
-+ vspltisb $outmask,-1
-+ le?vspltisb $tmp,0x0f
-+ ?lvsl $outperm,0,$enc
-+ ?vperm $outmask,$rndkey0,$outmask,$outperm
-+ le?vxor $outperm,$outperm,$tmp
-+ lvx $outhead,0,$ivp
-+ vperm $ivec,$ivec,$ivec,$outperm
-+ vsel $inout,$outhead,$ivec,$outmask
-+ lvx $inptail,$idx,$ivp
-+ stvx $inout,0,$ivp
-+ vsel $inout,$ivec,$inptail,$outmask
-+ stvx $inout,$idx,$ivp
-+
-+ mtspr 256,$vrsave
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,6,0
-+ .long 0
-+___
-+#########################################################################
-+{{ # Optimized CBC decrypt procedure #
-+my $key_="r11";
-+my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,8,26..31));
-+my ($in0, $in1, $in2, $in3, $in4, $in5, $in6, $in7 )=map("v$_",(0..3,10..13));
-+my ($out0,$out1,$out2,$out3,$out4,$out5,$out6,$out7)=map("v$_",(14..21));
-+my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys
-+ # v26-v31 last 6 round keys
-+my ($tmp,$keyperm)=($in3,$in4); # aliases with "caller", redundant assignment
-+
-+$code.=<<___;
-+.align 5
-+_aesp8_cbc_decrypt8x:
-+ $STU $sp,-`($FRAME+21*16+6*$SIZE_T)`($sp)
-+ li r10,`$FRAME+8*16+15`
-+ li r11,`$FRAME+8*16+31`
-+ stvx v20,r10,$sp # ABI says so
-+ addi r10,r10,32
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ li r0,-1
-+ stw $vrsave,`$FRAME+21*16-4`($sp) # save vrsave
-+ li $x10,0x10
-+ $PUSH r26,`$FRAME+21*16+0*$SIZE_T`($sp)
-+ li $x20,0x20
-+ $PUSH r27,`$FRAME+21*16+1*$SIZE_T`($sp)
-+ li $x30,0x30
-+ $PUSH r28,`$FRAME+21*16+2*$SIZE_T`($sp)
-+ li $x40,0x40
-+ $PUSH r29,`$FRAME+21*16+3*$SIZE_T`($sp)
-+ li $x50,0x50
-+ $PUSH r30,`$FRAME+21*16+4*$SIZE_T`($sp)
-+ li $x60,0x60
-+ $PUSH r31,`$FRAME+21*16+5*$SIZE_T`($sp)
-+ li $x70,0x70
-+ mtspr 256,r0
-+
-+ subi $rounds,$rounds,3 # -4 in total
-+ subi $len,$len,128 # bias
-+
-+ lvx $rndkey0,$x00,$key # load key schedule
-+ lvx v30,$x10,$key
-+ addi $key,$key,0x20
-+ lvx v31,$x00,$key
-+ ?vperm $rndkey0,$rndkey0,v30,$keyperm
-+ addi $key_,$sp,$FRAME+15
-+ mtctr $rounds
-+
-+Load_cbc_dec_key:
-+ ?vperm v24,v30,v31,$keyperm
-+ lvx v30,$x10,$key
-+ addi $key,$key,0x20
-+ stvx v24,$x00,$key_ # off-load round[1]
-+ ?vperm v25,v31,v30,$keyperm
-+ lvx v31,$x00,$key
-+ stvx v25,$x10,$key_ # off-load round[2]
-+ addi $key_,$key_,0x20
-+ bdnz Load_cbc_dec_key
-+
-+ lvx v26,$x10,$key
-+ ?vperm v24,v30,v31,$keyperm
-+ lvx v27,$x20,$key
-+ stvx v24,$x00,$key_ # off-load round[3]
-+ ?vperm v25,v31,v26,$keyperm
-+ lvx v28,$x30,$key
-+ stvx v25,$x10,$key_ # off-load round[4]
-+ addi $key_,$sp,$FRAME+15 # rewind $key_
-+ ?vperm v26,v26,v27,$keyperm
-+ lvx v29,$x40,$key
-+ ?vperm v27,v27,v28,$keyperm
-+ lvx v30,$x50,$key
-+ ?vperm v28,v28,v29,$keyperm
-+ lvx v31,$x60,$key
-+ ?vperm v29,v29,v30,$keyperm
-+ lvx $out0,$x70,$key # borrow $out0
-+ ?vperm v30,v30,v31,$keyperm
-+ lvx v24,$x00,$key_ # pre-load round[1]
-+ ?vperm v31,v31,$out0,$keyperm
-+ lvx v25,$x10,$key_ # pre-load round[2]
-+
-+ #lvx $inptail,0,$inp # "caller" already did this
-+ #addi $inp,$inp,15 # 15 is not typo
-+ subi $inp,$inp,15 # undo "caller"
-+
-+ le?li $idx,8
-+ lvx_u $in0,$x00,$inp # load first 8 "words"
-+ le?lvsl $inpperm,0,$idx
-+ le?vspltisb $tmp,0x0f
-+ lvx_u $in1,$x10,$inp
-+ le?vxor $inpperm,$inpperm,$tmp # transform for lvx_u/stvx_u
-+ lvx_u $in2,$x20,$inp
-+ le?vperm $in0,$in0,$in0,$inpperm
-+ lvx_u $in3,$x30,$inp
-+ le?vperm $in1,$in1,$in1,$inpperm
-+ lvx_u $in4,$x40,$inp
-+ le?vperm $in2,$in2,$in2,$inpperm
-+ vxor $out0,$in0,$rndkey0
-+ lvx_u $in5,$x50,$inp
-+ le?vperm $in3,$in3,$in3,$inpperm
-+ vxor $out1,$in1,$rndkey0
-+ lvx_u $in6,$x60,$inp
-+ le?vperm $in4,$in4,$in4,$inpperm
-+ vxor $out2,$in2,$rndkey0
-+ lvx_u $in7,$x70,$inp
-+ addi $inp,$inp,0x80
-+ le?vperm $in5,$in5,$in5,$inpperm
-+ vxor $out3,$in3,$rndkey0
-+ le?vperm $in6,$in6,$in6,$inpperm
-+ vxor $out4,$in4,$rndkey0
-+ le?vperm $in7,$in7,$in7,$inpperm
-+ vxor $out5,$in5,$rndkey0
-+ vxor $out6,$in6,$rndkey0
-+ vxor $out7,$in7,$rndkey0
-+
-+ mtctr $rounds
-+ b Loop_cbc_dec8x
-+.align 5
-+Loop_cbc_dec8x:
-+ vncipher $out0,$out0,v24
-+ vncipher $out1,$out1,v24
-+ vncipher $out2,$out2,v24
-+ vncipher $out3,$out3,v24
-+ vncipher $out4,$out4,v24
-+ vncipher $out5,$out5,v24
-+ vncipher $out6,$out6,v24
-+ vncipher $out7,$out7,v24
-+ lvx v24,$x20,$key_ # round[3]
-+ addi $key_,$key_,0x20
-+
-+ vncipher $out0,$out0,v25
-+ vncipher $out1,$out1,v25
-+ vncipher $out2,$out2,v25
-+ vncipher $out3,$out3,v25
-+ vncipher $out4,$out4,v25
-+ vncipher $out5,$out5,v25
-+ vncipher $out6,$out6,v25
-+ vncipher $out7,$out7,v25
-+ lvx v25,$x10,$key_ # round[4]
-+ bdnz Loop_cbc_dec8x
-+
-+ subic $len,$len,128 # $len-=128
-+ vncipher $out0,$out0,v24
-+ vncipher $out1,$out1,v24
-+ vncipher $out2,$out2,v24
-+ vncipher $out3,$out3,v24
-+ vncipher $out4,$out4,v24
-+ vncipher $out5,$out5,v24
-+ vncipher $out6,$out6,v24
-+ vncipher $out7,$out7,v24
-+
-+ subfe. r0,r0,r0 # borrow?-1:0
-+ vncipher $out0,$out0,v25
-+ vncipher $out1,$out1,v25
-+ vncipher $out2,$out2,v25
-+ vncipher $out3,$out3,v25
-+ vncipher $out4,$out4,v25
-+ vncipher $out5,$out5,v25
-+ vncipher $out6,$out6,v25
-+ vncipher $out7,$out7,v25
-+
-+ and r0,r0,$len
-+ vncipher $out0,$out0,v26
-+ vncipher $out1,$out1,v26
-+ vncipher $out2,$out2,v26
-+ vncipher $out3,$out3,v26
-+ vncipher $out4,$out4,v26
-+ vncipher $out5,$out5,v26
-+ vncipher $out6,$out6,v26
-+ vncipher $out7,$out7,v26
-+
-+ add $inp,$inp,r0 # $inp is adjusted in such
-+ # way that at exit from the
-+ # loop inX-in7 are loaded
-+ # with last "words"
-+ vncipher $out0,$out0,v27
-+ vncipher $out1,$out1,v27
-+ vncipher $out2,$out2,v27
-+ vncipher $out3,$out3,v27
-+ vncipher $out4,$out4,v27
-+ vncipher $out5,$out5,v27
-+ vncipher $out6,$out6,v27
-+ vncipher $out7,$out7,v27
-+
-+ addi $key_,$sp,$FRAME+15 # rewind $key_
-+ vncipher $out0,$out0,v28
-+ vncipher $out1,$out1,v28
-+ vncipher $out2,$out2,v28
-+ vncipher $out3,$out3,v28
-+ vncipher $out4,$out4,v28
-+ vncipher $out5,$out5,v28
-+ vncipher $out6,$out6,v28
-+ vncipher $out7,$out7,v28
-+ lvx v24,$x00,$key_ # re-pre-load round[1]
-+
-+ vncipher $out0,$out0,v29
-+ vncipher $out1,$out1,v29
-+ vncipher $out2,$out2,v29
-+ vncipher $out3,$out3,v29
-+ vncipher $out4,$out4,v29
-+ vncipher $out5,$out5,v29
-+ vncipher $out6,$out6,v29
-+ vncipher $out7,$out7,v29
-+ lvx v25,$x10,$key_ # re-pre-load round[2]
-+
-+ vncipher $out0,$out0,v30
-+ vxor $ivec,$ivec,v31 # xor with last round key
-+ vncipher $out1,$out1,v30
-+ vxor $in0,$in0,v31
-+ vncipher $out2,$out2,v30
-+ vxor $in1,$in1,v31
-+ vncipher $out3,$out3,v30
-+ vxor $in2,$in2,v31
-+ vncipher $out4,$out4,v30
-+ vxor $in3,$in3,v31
-+ vncipher $out5,$out5,v30
-+ vxor $in4,$in4,v31
-+ vncipher $out6,$out6,v30
-+ vxor $in5,$in5,v31
-+ vncipher $out7,$out7,v30
-+ vxor $in6,$in6,v31
-+
-+ vncipherlast $out0,$out0,$ivec
-+ vncipherlast $out1,$out1,$in0
-+ lvx_u $in0,$x00,$inp # load next input block
-+ vncipherlast $out2,$out2,$in1
-+ lvx_u $in1,$x10,$inp
-+ vncipherlast $out3,$out3,$in2
-+ le?vperm $in0,$in0,$in0,$inpperm
-+ lvx_u $in2,$x20,$inp
-+ vncipherlast $out4,$out4,$in3
-+ le?vperm $in1,$in1,$in1,$inpperm
-+ lvx_u $in3,$x30,$inp
-+ vncipherlast $out5,$out5,$in4
-+ le?vperm $in2,$in2,$in2,$inpperm
-+ lvx_u $in4,$x40,$inp
-+ vncipherlast $out6,$out6,$in5
-+ le?vperm $in3,$in3,$in3,$inpperm
-+ lvx_u $in5,$x50,$inp
-+ vncipherlast $out7,$out7,$in6
-+ le?vperm $in4,$in4,$in4,$inpperm
-+ lvx_u $in6,$x60,$inp
-+ vmr $ivec,$in7
-+ le?vperm $in5,$in5,$in5,$inpperm
-+ lvx_u $in7,$x70,$inp
-+ addi $inp,$inp,0x80
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ le?vperm $in6,$in6,$in6,$inpperm
-+ vxor $out0,$in0,$rndkey0
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x10,$out
-+ le?vperm $in7,$in7,$in7,$inpperm
-+ vxor $out1,$in1,$rndkey0
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x20,$out
-+ vxor $out2,$in2,$rndkey0
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x30,$out
-+ vxor $out3,$in3,$rndkey0
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x40,$out
-+ vxor $out4,$in4,$rndkey0
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x50,$out
-+ vxor $out5,$in5,$rndkey0
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x60,$out
-+ vxor $out6,$in6,$rndkey0
-+ stvx_u $out7,$x70,$out
-+ addi $out,$out,0x80
-+ vxor $out7,$in7,$rndkey0
-+
-+ mtctr $rounds
-+ beq Loop_cbc_dec8x # did $len-=128 borrow?
-+
-+ addic. $len,$len,128
-+ beq Lcbc_dec8x_done
-+ nop
-+ nop
-+
-+Loop_cbc_dec8x_tail: # up to 7 "words" tail...
-+ vncipher $out1,$out1,v24
-+ vncipher $out2,$out2,v24
-+ vncipher $out3,$out3,v24
-+ vncipher $out4,$out4,v24
-+ vncipher $out5,$out5,v24
-+ vncipher $out6,$out6,v24
-+ vncipher $out7,$out7,v24
-+ lvx v24,$x20,$key_ # round[3]
-+ addi $key_,$key_,0x20
-+
-+ vncipher $out1,$out1,v25
-+ vncipher $out2,$out2,v25
-+ vncipher $out3,$out3,v25
-+ vncipher $out4,$out4,v25
-+ vncipher $out5,$out5,v25
-+ vncipher $out6,$out6,v25
-+ vncipher $out7,$out7,v25
-+ lvx v25,$x10,$key_ # round[4]
-+ bdnz Loop_cbc_dec8x_tail
-+
-+ vncipher $out1,$out1,v24
-+ vncipher $out2,$out2,v24
-+ vncipher $out3,$out3,v24
-+ vncipher $out4,$out4,v24
-+ vncipher $out5,$out5,v24
-+ vncipher $out6,$out6,v24
-+ vncipher $out7,$out7,v24
-+
-+ vncipher $out1,$out1,v25
-+ vncipher $out2,$out2,v25
-+ vncipher $out3,$out3,v25
-+ vncipher $out4,$out4,v25
-+ vncipher $out5,$out5,v25
-+ vncipher $out6,$out6,v25
-+ vncipher $out7,$out7,v25
-+
-+ vncipher $out1,$out1,v26
-+ vncipher $out2,$out2,v26
-+ vncipher $out3,$out3,v26
-+ vncipher $out4,$out4,v26
-+ vncipher $out5,$out5,v26
-+ vncipher $out6,$out6,v26
-+ vncipher $out7,$out7,v26
-+
-+ vncipher $out1,$out1,v27
-+ vncipher $out2,$out2,v27
-+ vncipher $out3,$out3,v27
-+ vncipher $out4,$out4,v27
-+ vncipher $out5,$out5,v27
-+ vncipher $out6,$out6,v27
-+ vncipher $out7,$out7,v27
-+
-+ vncipher $out1,$out1,v28
-+ vncipher $out2,$out2,v28
-+ vncipher $out3,$out3,v28
-+ vncipher $out4,$out4,v28
-+ vncipher $out5,$out5,v28
-+ vncipher $out6,$out6,v28
-+ vncipher $out7,$out7,v28
-+
-+ vncipher $out1,$out1,v29
-+ vncipher $out2,$out2,v29
-+ vncipher $out3,$out3,v29
-+ vncipher $out4,$out4,v29
-+ vncipher $out5,$out5,v29
-+ vncipher $out6,$out6,v29
-+ vncipher $out7,$out7,v29
-+
-+ vncipher $out1,$out1,v30
-+ vxor $ivec,$ivec,v31 # last round key
-+ vncipher $out2,$out2,v30
-+ vxor $in1,$in1,v31
-+ vncipher $out3,$out3,v30
-+ vxor $in2,$in2,v31
-+ vncipher $out4,$out4,v30
-+ vxor $in3,$in3,v31
-+ vncipher $out5,$out5,v30
-+ vxor $in4,$in4,v31
-+ vncipher $out6,$out6,v30
-+ vxor $in5,$in5,v31
-+ vncipher $out7,$out7,v30
-+ vxor $in6,$in6,v31
-+
-+ cmplwi $len,32 # switch($len)
-+ blt Lcbc_dec8x_one
-+ nop
-+ beq Lcbc_dec8x_two
-+ cmplwi $len,64
-+ blt Lcbc_dec8x_three
-+ nop
-+ beq Lcbc_dec8x_four
-+ cmplwi $len,96
-+ blt Lcbc_dec8x_five
-+ nop
-+ beq Lcbc_dec8x_six
-+
-+Lcbc_dec8x_seven:
-+ vncipherlast $out1,$out1,$ivec
-+ vncipherlast $out2,$out2,$in1
-+ vncipherlast $out3,$out3,$in2
-+ vncipherlast $out4,$out4,$in3
-+ vncipherlast $out5,$out5,$in4
-+ vncipherlast $out6,$out6,$in5
-+ vncipherlast $out7,$out7,$in6
-+ vmr $ivec,$in7
-+
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x00,$out
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x10,$out
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x20,$out
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x30,$out
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x40,$out
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x50,$out
-+ stvx_u $out7,$x60,$out
-+ addi $out,$out,0x70
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lcbc_dec8x_six:
-+ vncipherlast $out2,$out2,$ivec
-+ vncipherlast $out3,$out3,$in2
-+ vncipherlast $out4,$out4,$in3
-+ vncipherlast $out5,$out5,$in4
-+ vncipherlast $out6,$out6,$in5
-+ vncipherlast $out7,$out7,$in6
-+ vmr $ivec,$in7
-+
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x00,$out
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x10,$out
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x20,$out
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x30,$out
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x40,$out
-+ stvx_u $out7,$x50,$out
-+ addi $out,$out,0x60
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lcbc_dec8x_five:
-+ vncipherlast $out3,$out3,$ivec
-+ vncipherlast $out4,$out4,$in3
-+ vncipherlast $out5,$out5,$in4
-+ vncipherlast $out6,$out6,$in5
-+ vncipherlast $out7,$out7,$in6
-+ vmr $ivec,$in7
-+
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x00,$out
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x10,$out
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x20,$out
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x30,$out
-+ stvx_u $out7,$x40,$out
-+ addi $out,$out,0x50
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lcbc_dec8x_four:
-+ vncipherlast $out4,$out4,$ivec
-+ vncipherlast $out5,$out5,$in4
-+ vncipherlast $out6,$out6,$in5
-+ vncipherlast $out7,$out7,$in6
-+ vmr $ivec,$in7
-+
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x00,$out
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x10,$out
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x20,$out
-+ stvx_u $out7,$x30,$out
-+ addi $out,$out,0x40
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lcbc_dec8x_three:
-+ vncipherlast $out5,$out5,$ivec
-+ vncipherlast $out6,$out6,$in5
-+ vncipherlast $out7,$out7,$in6
-+ vmr $ivec,$in7
-+
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x00,$out
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x10,$out
-+ stvx_u $out7,$x20,$out
-+ addi $out,$out,0x30
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lcbc_dec8x_two:
-+ vncipherlast $out6,$out6,$ivec
-+ vncipherlast $out7,$out7,$in6
-+ vmr $ivec,$in7
-+
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x00,$out
-+ stvx_u $out7,$x10,$out
-+ addi $out,$out,0x20
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lcbc_dec8x_one:
-+ vncipherlast $out7,$out7,$ivec
-+ vmr $ivec,$in7
-+
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out7,0,$out
-+ addi $out,$out,0x10
-+
-+Lcbc_dec8x_done:
-+ le?vperm $ivec,$ivec,$ivec,$inpperm
-+ stvx_u $ivec,0,$ivp # write [unaligned] iv
-+
-+ li r10,`$FRAME+15`
-+ li r11,`$FRAME+31`
-+ stvx $inpperm,r10,$sp # wipe copies of round keys
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+ stvx $inpperm,r10,$sp
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+ stvx $inpperm,r10,$sp
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+ stvx $inpperm,r10,$sp
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+
-+ mtspr 256,$vrsave
-+ lvx v20,r10,$sp # ABI says so
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+ $POP r26,`$FRAME+21*16+0*$SIZE_T`($sp)
-+ $POP r27,`$FRAME+21*16+1*$SIZE_T`($sp)
-+ $POP r28,`$FRAME+21*16+2*$SIZE_T`($sp)
-+ $POP r29,`$FRAME+21*16+3*$SIZE_T`($sp)
-+ $POP r30,`$FRAME+21*16+4*$SIZE_T`($sp)
-+ $POP r31,`$FRAME+21*16+5*$SIZE_T`($sp)
-+ addi $sp,$sp,`$FRAME+21*16+6*$SIZE_T`
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0x80,6,6,0
-+ .long 0
-+.size .${prefix}_cbc_encrypt,.-.${prefix}_cbc_encrypt
-+___
-+}} }}}
-+
-+#########################################################################
-+{{{ # CTR procedure[s] #
-+my ($inp,$out,$len,$key,$ivp,$x10,$rounds,$idx)=map("r$_",(3..10));
-+my ($rndkey0,$rndkey1,$inout,$tmp)= map("v$_",(0..3));
-+my ($ivec,$inptail,$inpperm,$outhead,$outperm,$outmask,$keyperm,$one)=
-+ map("v$_",(4..11));
-+my $dat=$tmp;
-+
-+$code.=<<___;
-+.globl .${prefix}_ctr32_encrypt_blocks
-+.align 5
-+.${prefix}_ctr32_encrypt_blocks:
-+ ${UCMP}i $len,1
-+ bltlr-
-+
-+ lis r0,0xfff0
-+ mfspr $vrsave,256
-+ mtspr 256,r0
-+
-+ li $idx,15
-+ vxor $rndkey0,$rndkey0,$rndkey0
-+ le?vspltisb $tmp,0x0f
-+
-+ lvx $ivec,0,$ivp # load [unaligned] iv
-+ lvsl $inpperm,0,$ivp
-+ lvx $inptail,$idx,$ivp
-+ vspltisb $one,1
-+ le?vxor $inpperm,$inpperm,$tmp
-+ vperm $ivec,$ivec,$inptail,$inpperm
-+ vsldoi $one,$rndkey0,$one,1
-+
-+ neg r11,$inp
-+ ?lvsl $keyperm,0,$key # prepare for unaligned key
-+ lwz $rounds,240($key)
-+
-+ lvsr $inpperm,0,r11 # prepare for unaligned load
-+ lvx $inptail,0,$inp
-+ addi $inp,$inp,15 # 15 is not typo
-+ le?vxor $inpperm,$inpperm,$tmp
-+
-+ srwi $rounds,$rounds,1
-+ li $idx,16
-+ subi $rounds,$rounds,1
-+
-+ ${UCMP}i $len,8
-+ bge _aesp8_ctr32_encrypt8x
-+
-+ ?lvsr $outperm,0,$out # prepare for unaligned store
-+ vspltisb $outmask,-1
-+ lvx $outhead,0,$out
-+ ?vperm $outmask,$rndkey0,$outmask,$outperm
-+ le?vxor $outperm,$outperm,$tmp
-+
-+ lvx $rndkey0,0,$key
-+ mtctr $rounds
-+ lvx $rndkey1,$idx,$key
-+ addi $idx,$idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vxor $inout,$ivec,$rndkey0
-+ lvx $rndkey0,$idx,$key
-+ addi $idx,$idx,16
-+ b Loop_ctr32_enc
-+
-+.align 5
-+Loop_ctr32_enc:
-+ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
-+ vcipher $inout,$inout,$rndkey1
-+ lvx $rndkey1,$idx,$key
-+ addi $idx,$idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vcipher $inout,$inout,$rndkey0
-+ lvx $rndkey0,$idx,$key
-+ addi $idx,$idx,16
-+ bdnz Loop_ctr32_enc
-+
-+ vadduwm $ivec,$ivec,$one
-+ vmr $dat,$inptail
-+ lvx $inptail,0,$inp
-+ addi $inp,$inp,16
-+ subic. $len,$len,1 # blocks--
-+
-+ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
-+ vcipher $inout,$inout,$rndkey1
-+ lvx $rndkey1,$idx,$key
-+ vperm $dat,$dat,$inptail,$inpperm
-+ li $idx,16
-+ ?vperm $rndkey1,$rndkey0,$rndkey1,$keyperm
-+ lvx $rndkey0,0,$key
-+ vxor $dat,$dat,$rndkey1 # last round key
-+ vcipherlast $inout,$inout,$dat
-+
-+ lvx $rndkey1,$idx,$key
-+ addi $idx,$idx,16
-+ vperm $inout,$inout,$inout,$outperm
-+ vsel $dat,$outhead,$inout,$outmask
-+ mtctr $rounds
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vmr $outhead,$inout
-+ vxor $inout,$ivec,$rndkey0
-+ lvx $rndkey0,$idx,$key
-+ addi $idx,$idx,16
-+ stvx $dat,0,$out
-+ addi $out,$out,16
-+ bne Loop_ctr32_enc
-+
-+ addi $out,$out,-1
-+ lvx $inout,0,$out # redundant in aligned case
-+ vsel $inout,$outhead,$inout,$outmask
-+ stvx $inout,0,$out
-+
-+ mtspr 256,$vrsave
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,6,0
-+ .long 0
-+___
-+#########################################################################
-+{{ # Optimized CTR procedure #
-+my $key_="r11";
-+my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,8,26..31));
-+my ($in0, $in1, $in2, $in3, $in4, $in5, $in6, $in7 )=map("v$_",(0..3,10,12..14));
-+my ($out0,$out1,$out2,$out3,$out4,$out5,$out6,$out7)=map("v$_",(15..22));
-+my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys
-+ # v26-v31 last 6 round keys
-+my ($tmp,$keyperm)=($in3,$in4); # aliases with "caller", redundant assignment
-+my ($two,$three,$four)=($outhead,$outperm,$outmask);
-+
-+$code.=<<___;
-+.align 5
-+_aesp8_ctr32_encrypt8x:
-+ $STU $sp,-`($FRAME+21*16+6*$SIZE_T)`($sp)
-+ li r10,`$FRAME+8*16+15`
-+ li r11,`$FRAME+8*16+31`
-+ stvx v20,r10,$sp # ABI says so
-+ addi r10,r10,32
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ li r0,-1
-+ stw $vrsave,`$FRAME+21*16-4`($sp) # save vrsave
-+ li $x10,0x10
-+ $PUSH r26,`$FRAME+21*16+0*$SIZE_T`($sp)
-+ li $x20,0x20
-+ $PUSH r27,`$FRAME+21*16+1*$SIZE_T`($sp)
-+ li $x30,0x30
-+ $PUSH r28,`$FRAME+21*16+2*$SIZE_T`($sp)
-+ li $x40,0x40
-+ $PUSH r29,`$FRAME+21*16+3*$SIZE_T`($sp)
-+ li $x50,0x50
-+ $PUSH r30,`$FRAME+21*16+4*$SIZE_T`($sp)
-+ li $x60,0x60
-+ $PUSH r31,`$FRAME+21*16+5*$SIZE_T`($sp)
-+ li $x70,0x70
-+ mtspr 256,r0
-+
-+ subi $rounds,$rounds,3 # -4 in total
-+
-+ lvx $rndkey0,$x00,$key # load key schedule
-+ lvx v30,$x10,$key
-+ addi $key,$key,0x20
-+ lvx v31,$x00,$key
-+ ?vperm $rndkey0,$rndkey0,v30,$keyperm
-+ addi $key_,$sp,$FRAME+15
-+ mtctr $rounds
-+
-+Load_ctr32_enc_key:
-+ ?vperm v24,v30,v31,$keyperm
-+ lvx v30,$x10,$key
-+ addi $key,$key,0x20
-+ stvx v24,$x00,$key_ # off-load round[1]
-+ ?vperm v25,v31,v30,$keyperm
-+ lvx v31,$x00,$key
-+ stvx v25,$x10,$key_ # off-load round[2]
-+ addi $key_,$key_,0x20
-+ bdnz Load_ctr32_enc_key
-+
-+ lvx v26,$x10,$key
-+ ?vperm v24,v30,v31,$keyperm
-+ lvx v27,$x20,$key
-+ stvx v24,$x00,$key_ # off-load round[3]
-+ ?vperm v25,v31,v26,$keyperm
-+ lvx v28,$x30,$key
-+ stvx v25,$x10,$key_ # off-load round[4]
-+ addi $key_,$sp,$FRAME+15 # rewind $key_
-+ ?vperm v26,v26,v27,$keyperm
-+ lvx v29,$x40,$key
-+ ?vperm v27,v27,v28,$keyperm
-+ lvx v30,$x50,$key
-+ ?vperm v28,v28,v29,$keyperm
-+ lvx v31,$x60,$key
-+ ?vperm v29,v29,v30,$keyperm
-+ lvx $out0,$x70,$key # borrow $out0
-+ ?vperm v30,v30,v31,$keyperm
-+ lvx v24,$x00,$key_ # pre-load round[1]
-+ ?vperm v31,v31,$out0,$keyperm
-+ lvx v25,$x10,$key_ # pre-load round[2]
-+
-+ vadduwm $two,$one,$one
-+ subi $inp,$inp,15 # undo "caller"
-+ $SHL $len,$len,4
-+
-+ vadduwm $out1,$ivec,$one # counter values ...
-+ vadduwm $out2,$ivec,$two
-+ vxor $out0,$ivec,$rndkey0 # ... xored with rndkey[0]
-+ le?li $idx,8
-+ vadduwm $out3,$out1,$two
-+ vxor $out1,$out1,$rndkey0
-+ le?lvsl $inpperm,0,$idx
-+ vadduwm $out4,$out2,$two
-+ vxor $out2,$out2,$rndkey0
-+ le?vspltisb $tmp,0x0f
-+ vadduwm $out5,$out3,$two
-+ vxor $out3,$out3,$rndkey0
-+ le?vxor $inpperm,$inpperm,$tmp # transform for lvx_u/stvx_u
-+ vadduwm $out6,$out4,$two
-+ vxor $out4,$out4,$rndkey0
-+ vadduwm $out7,$out5,$two
-+ vxor $out5,$out5,$rndkey0
-+ vadduwm $ivec,$out6,$two # next counter value
-+ vxor $out6,$out6,$rndkey0
-+ vxor $out7,$out7,$rndkey0
-+
-+ mtctr $rounds
-+ b Loop_ctr32_enc8x
-+.align 5
-+Loop_ctr32_enc8x:
-+ vcipher $out0,$out0,v24
-+ vcipher $out1,$out1,v24
-+ vcipher $out2,$out2,v24
-+ vcipher $out3,$out3,v24
-+ vcipher $out4,$out4,v24
-+ vcipher $out5,$out5,v24
-+ vcipher $out6,$out6,v24
-+ vcipher $out7,$out7,v24
-+Loop_ctr32_enc8x_middle:
-+ lvx v24,$x20,$key_ # round[3]
-+ addi $key_,$key_,0x20
-+
-+ vcipher $out0,$out0,v25
-+ vcipher $out1,$out1,v25
-+ vcipher $out2,$out2,v25
-+ vcipher $out3,$out3,v25
-+ vcipher $out4,$out4,v25
-+ vcipher $out5,$out5,v25
-+ vcipher $out6,$out6,v25
-+ vcipher $out7,$out7,v25
-+ lvx v25,$x10,$key_ # round[4]
-+ bdnz Loop_ctr32_enc8x
-+
-+ subic r11,$len,256 # $len-256, borrow $key_
-+ vcipher $out0,$out0,v24
-+ vcipher $out1,$out1,v24
-+ vcipher $out2,$out2,v24
-+ vcipher $out3,$out3,v24
-+ vcipher $out4,$out4,v24
-+ vcipher $out5,$out5,v24
-+ vcipher $out6,$out6,v24
-+ vcipher $out7,$out7,v24
-+
-+ subfe r0,r0,r0 # borrow?-1:0
-+ vcipher $out0,$out0,v25
-+ vcipher $out1,$out1,v25
-+ vcipher $out2,$out2,v25
-+ vcipher $out3,$out3,v25
-+ vcipher $out4,$out4,v25
-+ vcipher $out5,$out5,v25
-+ vcipher $out6,$out6,v25
-+ vcipher $out7,$out7,v25
-+
-+ and r0,r0,r11
-+ addi $key_,$sp,$FRAME+15 # rewind $key_
-+ vcipher $out0,$out0,v26
-+ vcipher $out1,$out1,v26
-+ vcipher $out2,$out2,v26
-+ vcipher $out3,$out3,v26
-+ vcipher $out4,$out4,v26
-+ vcipher $out5,$out5,v26
-+ vcipher $out6,$out6,v26
-+ vcipher $out7,$out7,v26
-+ lvx v24,$x00,$key_ # re-pre-load round[1]
-+
-+ subic $len,$len,129 # $len-=129
-+ vcipher $out0,$out0,v27
-+ addi $len,$len,1 # $len-=128 really
-+ vcipher $out1,$out1,v27
-+ vcipher $out2,$out2,v27
-+ vcipher $out3,$out3,v27
-+ vcipher $out4,$out4,v27
-+ vcipher $out5,$out5,v27
-+ vcipher $out6,$out6,v27
-+ vcipher $out7,$out7,v27
-+ lvx v25,$x10,$key_ # re-pre-load round[2]
-+
-+ vcipher $out0,$out0,v28
-+ lvx_u $in0,$x00,$inp # load input
-+ vcipher $out1,$out1,v28
-+ lvx_u $in1,$x10,$inp
-+ vcipher $out2,$out2,v28
-+ lvx_u $in2,$x20,$inp
-+ vcipher $out3,$out3,v28
-+ lvx_u $in3,$x30,$inp
-+ vcipher $out4,$out4,v28
-+ lvx_u $in4,$x40,$inp
-+ vcipher $out5,$out5,v28
-+ lvx_u $in5,$x50,$inp
-+ vcipher $out6,$out6,v28
-+ lvx_u $in6,$x60,$inp
-+ vcipher $out7,$out7,v28
-+ lvx_u $in7,$x70,$inp
-+ addi $inp,$inp,0x80
-+
-+ vcipher $out0,$out0,v29
-+ le?vperm $in0,$in0,$in0,$inpperm
-+ vcipher $out1,$out1,v29
-+ le?vperm $in1,$in1,$in1,$inpperm
-+ vcipher $out2,$out2,v29
-+ le?vperm $in2,$in2,$in2,$inpperm
-+ vcipher $out3,$out3,v29
-+ le?vperm $in3,$in3,$in3,$inpperm
-+ vcipher $out4,$out4,v29
-+ le?vperm $in4,$in4,$in4,$inpperm
-+ vcipher $out5,$out5,v29
-+ le?vperm $in5,$in5,$in5,$inpperm
-+ vcipher $out6,$out6,v29
-+ le?vperm $in6,$in6,$in6,$inpperm
-+ vcipher $out7,$out7,v29
-+ le?vperm $in7,$in7,$in7,$inpperm
-+
-+ add $inp,$inp,r0 # $inp is adjusted in such
-+ # way that at exit from the
-+ # loop inX-in7 are loaded
-+ # with last "words"
-+ subfe. r0,r0,r0 # borrow?-1:0
-+ vcipher $out0,$out0,v30
-+ vxor $in0,$in0,v31 # xor with last round key
-+ vcipher $out1,$out1,v30
-+ vxor $in1,$in1,v31
-+ vcipher $out2,$out2,v30
-+ vxor $in2,$in2,v31
-+ vcipher $out3,$out3,v30
-+ vxor $in3,$in3,v31
-+ vcipher $out4,$out4,v30
-+ vxor $in4,$in4,v31
-+ vcipher $out5,$out5,v30
-+ vxor $in5,$in5,v31
-+ vcipher $out6,$out6,v30
-+ vxor $in6,$in6,v31
-+ vcipher $out7,$out7,v30
-+ vxor $in7,$in7,v31
-+
-+ bne Lctr32_enc8x_break # did $len-129 borrow?
-+
-+ vcipherlast $in0,$out0,$in0
-+ vcipherlast $in1,$out1,$in1
-+ vadduwm $out1,$ivec,$one # counter values ...
-+ vcipherlast $in2,$out2,$in2
-+ vadduwm $out2,$ivec,$two
-+ vxor $out0,$ivec,$rndkey0 # ... xored with rndkey[0]
-+ vcipherlast $in3,$out3,$in3
-+ vadduwm $out3,$out1,$two
-+ vxor $out1,$out1,$rndkey0
-+ vcipherlast $in4,$out4,$in4
-+ vadduwm $out4,$out2,$two
-+ vxor $out2,$out2,$rndkey0
-+ vcipherlast $in5,$out5,$in5
-+ vadduwm $out5,$out3,$two
-+ vxor $out3,$out3,$rndkey0
-+ vcipherlast $in6,$out6,$in6
-+ vadduwm $out6,$out4,$two
-+ vxor $out4,$out4,$rndkey0
-+ vcipherlast $in7,$out7,$in7
-+ vadduwm $out7,$out5,$two
-+ vxor $out5,$out5,$rndkey0
-+ le?vperm $in0,$in0,$in0,$inpperm
-+ vadduwm $ivec,$out6,$two # next counter value
-+ vxor $out6,$out6,$rndkey0
-+ le?vperm $in1,$in1,$in1,$inpperm
-+ vxor $out7,$out7,$rndkey0
-+ mtctr $rounds
-+
-+ vcipher $out0,$out0,v24
-+ stvx_u $in0,$x00,$out
-+ le?vperm $in2,$in2,$in2,$inpperm
-+ vcipher $out1,$out1,v24
-+ stvx_u $in1,$x10,$out
-+ le?vperm $in3,$in3,$in3,$inpperm
-+ vcipher $out2,$out2,v24
-+ stvx_u $in2,$x20,$out
-+ le?vperm $in4,$in4,$in4,$inpperm
-+ vcipher $out3,$out3,v24
-+ stvx_u $in3,$x30,$out
-+ le?vperm $in5,$in5,$in5,$inpperm
-+ vcipher $out4,$out4,v24
-+ stvx_u $in4,$x40,$out
-+ le?vperm $in6,$in6,$in6,$inpperm
-+ vcipher $out5,$out5,v24
-+ stvx_u $in5,$x50,$out
-+ le?vperm $in7,$in7,$in7,$inpperm
-+ vcipher $out6,$out6,v24
-+ stvx_u $in6,$x60,$out
-+ vcipher $out7,$out7,v24
-+ stvx_u $in7,$x70,$out
-+ addi $out,$out,0x80
-+
-+ b Loop_ctr32_enc8x_middle
-+
-+.align 5
-+Lctr32_enc8x_break:
-+ cmpwi $len,-0x60
-+ blt Lctr32_enc8x_one
-+ nop
-+ beq Lctr32_enc8x_two
-+ cmpwi $len,-0x40
-+ blt Lctr32_enc8x_three
-+ nop
-+ beq Lctr32_enc8x_four
-+ cmpwi $len,-0x20
-+ blt Lctr32_enc8x_five
-+ nop
-+ beq Lctr32_enc8x_six
-+ cmpwi $len,0x00
-+ blt Lctr32_enc8x_seven
-+
-+Lctr32_enc8x_eight:
-+ vcipherlast $out0,$out0,$in0
-+ vcipherlast $out1,$out1,$in1
-+ vcipherlast $out2,$out2,$in2
-+ vcipherlast $out3,$out3,$in3
-+ vcipherlast $out4,$out4,$in4
-+ vcipherlast $out5,$out5,$in5
-+ vcipherlast $out6,$out6,$in6
-+ vcipherlast $out7,$out7,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x10,$out
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x20,$out
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x30,$out
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x40,$out
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x50,$out
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x60,$out
-+ stvx_u $out7,$x70,$out
-+ addi $out,$out,0x80
-+ b Lctr32_enc8x_done
-+
-+.align 5
-+Lctr32_enc8x_seven:
-+ vcipherlast $out0,$out0,$in1
-+ vcipherlast $out1,$out1,$in2
-+ vcipherlast $out2,$out2,$in3
-+ vcipherlast $out3,$out3,$in4
-+ vcipherlast $out4,$out4,$in5
-+ vcipherlast $out5,$out5,$in6
-+ vcipherlast $out6,$out6,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x10,$out
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x20,$out
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x30,$out
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x40,$out
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x50,$out
-+ stvx_u $out6,$x60,$out
-+ addi $out,$out,0x70
-+ b Lctr32_enc8x_done
-+
-+.align 5
-+Lctr32_enc8x_six:
-+ vcipherlast $out0,$out0,$in2
-+ vcipherlast $out1,$out1,$in3
-+ vcipherlast $out2,$out2,$in4
-+ vcipherlast $out3,$out3,$in5
-+ vcipherlast $out4,$out4,$in6
-+ vcipherlast $out5,$out5,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x10,$out
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x20,$out
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x30,$out
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x40,$out
-+ stvx_u $out5,$x50,$out
-+ addi $out,$out,0x60
-+ b Lctr32_enc8x_done
-+
-+.align 5
-+Lctr32_enc8x_five:
-+ vcipherlast $out0,$out0,$in3
-+ vcipherlast $out1,$out1,$in4
-+ vcipherlast $out2,$out2,$in5
-+ vcipherlast $out3,$out3,$in6
-+ vcipherlast $out4,$out4,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x10,$out
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x20,$out
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x30,$out
-+ stvx_u $out4,$x40,$out
-+ addi $out,$out,0x50
-+ b Lctr32_enc8x_done
-+
-+.align 5
-+Lctr32_enc8x_four:
-+ vcipherlast $out0,$out0,$in4
-+ vcipherlast $out1,$out1,$in5
-+ vcipherlast $out2,$out2,$in6
-+ vcipherlast $out3,$out3,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x10,$out
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x20,$out
-+ stvx_u $out3,$x30,$out
-+ addi $out,$out,0x40
-+ b Lctr32_enc8x_done
-+
-+.align 5
-+Lctr32_enc8x_three:
-+ vcipherlast $out0,$out0,$in5
-+ vcipherlast $out1,$out1,$in6
-+ vcipherlast $out2,$out2,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x10,$out
-+ stvx_u $out2,$x20,$out
-+ addi $out,$out,0x30
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lctr32_enc8x_two:
-+ vcipherlast $out0,$out0,$in6
-+ vcipherlast $out1,$out1,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ stvx_u $out1,$x10,$out
-+ addi $out,$out,0x20
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lctr32_enc8x_one:
-+ vcipherlast $out0,$out0,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ stvx_u $out0,0,$out
-+ addi $out,$out,0x10
-+
-+Lctr32_enc8x_done:
-+ li r10,`$FRAME+15`
-+ li r11,`$FRAME+31`
-+ stvx $inpperm,r10,$sp # wipe copies of round keys
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+ stvx $inpperm,r10,$sp
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+ stvx $inpperm,r10,$sp
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+ stvx $inpperm,r10,$sp
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+
-+ mtspr 256,$vrsave
-+ lvx v20,r10,$sp # ABI says so
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+ $POP r26,`$FRAME+21*16+0*$SIZE_T`($sp)
-+ $POP r27,`$FRAME+21*16+1*$SIZE_T`($sp)
-+ $POP r28,`$FRAME+21*16+2*$SIZE_T`($sp)
-+ $POP r29,`$FRAME+21*16+3*$SIZE_T`($sp)
-+ $POP r30,`$FRAME+21*16+4*$SIZE_T`($sp)
-+ $POP r31,`$FRAME+21*16+5*$SIZE_T`($sp)
-+ addi $sp,$sp,`$FRAME+21*16+6*$SIZE_T`
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0x80,6,6,0
-+ .long 0
-+.size .${prefix}_ctr32_encrypt_blocks,.-.${prefix}_ctr32_encrypt_blocks
-+___
-+}} }}}
-+
-+my $consts=1;
-+foreach(split("\n",$code)) {
-+ s/\`([^\`]*)\`/eval($1)/geo;
-+
-+ # constants table endian-specific conversion
-+ if ($consts && m/\.(long|byte)\s+(.+)\s+(\?[a-z]*)$/o) {
-+ my $conv=$3;
-+ my @bytes=();
-+
-+ # convert to endian-agnostic format
-+ if ($1 eq "long") {
-+ foreach (split(/,\s*/,$2)) {
-+ my $l = /^0/?oct:int;
-+ push @bytes,($l>>24)&0xff,($l>>16)&0xff,($l>>8)&0xff,$l&0xff;
-+ }
-+ } else {
-+ @bytes = map(/^0/?oct:int,split(/,\s*/,$2));
-+ }
-+
-+ # little-endian conversion
-+ if ($flavour =~ /le$/o) {
-+ SWITCH: for($conv) {
-+ /\?inv/ && do { @bytes=map($_^0xf, at bytes); last; };
-+ /\?rev/ && do { @bytes=reverse(@bytes); last; };
-+ }
-+ }
-+
-+ #emit
-+ print ".byte\t",join(',',map (sprintf("0x%02x",$_), at bytes)),"\n";
-+ next;
-+ }
-+ $consts=0 if (m/Lconsts:/o); # end of table
-+
-+ # instructions prefixed with '?' are endian-specific and need
-+ # to be adjusted accordingly...
-+ if ($flavour =~ /le$/o) { # little-endian
-+ s/le\?//o or
-+ s/be\?/#be#/o or
-+ s/\?lvsr/lvsl/o or
-+ s/\?lvsl/lvsr/o or
-+ s/\?(vperm\s+v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+)/$1$3$2$4/o or
-+ s/\?(vsldoi\s+v[0-9]+,\s*)(v[0-9]+,)\s*(v[0-9]+,\s*)([0-9]+)/$1$3$2 16-$4/o or
-+ s/\?(vspltw\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9])/$1$2 3-$3/o;
-+ } else { # big-endian
-+ s/le\?/#le#/o or
-+ s/be\?//o or
-+ s/\?([a-z]+)/$1/o;
-+ }
-+
-+ print $_,"\n";
-+}
-+
-+close STDOUT;
-diff --git a/crypto/aes/asm/vpaes-ppc.pl b/crypto/aes/asm/vpaes-ppc.pl
-new file mode 100644
-index 0000000..7fda60e
---- /dev/null
-+++ b/crypto/aes/asm/vpaes-ppc.pl
-@@ -0,0 +1,1512 @@
-+#!/usr/bin/env perl
-+
-+######################################################################
-+## Constant-time SSSE3 AES core implementation.
-+## version 0.1
-+##
-+## By Mike Hamburg (Stanford University), 2009
-+## Public domain.
-+##
-+## For details see http://shiftleft.org/papers/vector_aes/ and
-+## http://crypto.stanford.edu/vpaes/.
-+
-+# CBC encrypt/decrypt performance in cycles per byte processed with
-+# 128-bit key.
-+#
-+# aes-ppc.pl this
-+# G4e 35.5/52.1/(23.8) 11.9(*)/15.4
-+# POWER6 42.7/54.3/(28.2) 63.0/92.8(**)
-+# POWER7 32.3/42.9/(18.4) 18.5/23.3
-+#
-+# (*) This is ~10% worse than reported in paper. The reason is
-+# twofold. This module doesn't make any assumption about
-+# key schedule (or data for that matter) alignment and handles
-+# it in-line. Secondly it, being transliterated from
-+# vpaes-x86_64.pl, relies on "nested inversion" better suited
-+# for Intel CPUs.
-+# (**) Inadequate POWER6 performance is due to astronomic AltiVec
-+# latency, 9 cycles per simple logical operation.
-+
-+$flavour = shift;
-+
-+if ($flavour =~ /64/) {
-+ $SIZE_T =8;
-+ $LRSAVE =2*$SIZE_T;
-+ $STU ="stdu";
-+ $POP ="ld";
-+ $PUSH ="std";
-+ $UCMP ="cmpld";
-+} elsif ($flavour =~ /32/) {
-+ $SIZE_T =4;
-+ $LRSAVE =$SIZE_T;
-+ $STU ="stwu";
-+ $POP ="lwz";
-+ $PUSH ="stw";
-+ $UCMP ="cmplw";
-+} else { die "nonsense $flavour"; }
-+
-+$sp="r1";
-+$FRAME=6*$SIZE_T+13*16; # 13*16 is for v20-v31 offload
-+
-+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
-+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-+die "can't locate ppc-xlate.pl";
-+
-+open STDOUT,"| $^X $xlate $flavour ".shift || die "can't call $xlate: $!";
-+
-+$code.=<<___;
-+.machine "any"
-+
-+.text
-+
-+.align 7 # totally strategic alignment
-+_vpaes_consts:
-+Lk_mc_forward: # mc_forward
-+ .long 0x01020300, 0x05060704, 0x090a0b08, 0x0d0e0f0c ?inv
-+ .long 0x05060704, 0x090a0b08, 0x0d0e0f0c, 0x01020300 ?inv
-+ .long 0x090a0b08, 0x0d0e0f0c, 0x01020300, 0x05060704 ?inv
-+ .long 0x0d0e0f0c, 0x01020300, 0x05060704, 0x090a0b08 ?inv
-+Lk_mc_backward: # mc_backward
-+ .long 0x03000102, 0x07040506, 0x0b08090a, 0x0f0c0d0e ?inv
-+ .long 0x0f0c0d0e, 0x03000102, 0x07040506, 0x0b08090a ?inv
-+ .long 0x0b08090a, 0x0f0c0d0e, 0x03000102, 0x07040506 ?inv
-+ .long 0x07040506, 0x0b08090a, 0x0f0c0d0e, 0x03000102 ?inv
-+Lk_sr: # sr
-+ .long 0x00010203, 0x04050607, 0x08090a0b, 0x0c0d0e0f ?inv
-+ .long 0x00050a0f, 0x04090e03, 0x080d0207, 0x0c01060b ?inv
-+ .long 0x0009020b, 0x040d060f, 0x08010a03, 0x0c050e07 ?inv
-+ .long 0x000d0a07, 0x04010e0b, 0x0805020f, 0x0c090603 ?inv
-+
-+##
-+## "Hot" constants
-+##
-+Lk_inv: # inv, inva
-+ .long 0xf001080d, 0x0f06050e, 0x020c0b0a, 0x09030704 ?rev
-+ .long 0xf0070b0f, 0x060a0401, 0x09080502, 0x0c0e0d03 ?rev
-+Lk_ipt: # input transform (lo, hi)
-+ .long 0x00702a5a, 0x98e8b2c2, 0x08782252, 0x90e0baca ?rev
-+ .long 0x004d7c31, 0x7d30014c, 0x81ccfdb0, 0xfcb180cd ?rev
-+Lk_sbo: # sbou, sbot
-+ .long 0x00c7bd6f, 0x176dd2d0, 0x78a802c5, 0x7abfaa15 ?rev
-+ .long 0x006abb5f, 0xa574e4cf, 0xfa352b41, 0xd1901e8e ?rev
-+Lk_sb1: # sb1u, sb1t
-+ .long 0x0023e2fa, 0x15d41836, 0xefd92e0d, 0xc1ccf73b ?rev
-+ .long 0x003e50cb, 0x8fe19bb1, 0x44f52a14, 0x6e7adfa5 ?rev
-+Lk_sb2: # sb2u, sb2t
-+ .long 0x0029e10a, 0x4088eb69, 0x4a2382ab, 0xc863a1c2 ?rev
-+ .long 0x0024710b, 0xc6937ae2, 0xcd2f98bc, 0x55e9b75e ?rev
-+
-+##
-+## Decryption stuff
-+##
-+Lk_dipt: # decryption input transform
-+ .long 0x005f540b, 0x045b500f, 0x1a454e11, 0x1e414a15 ?rev
-+ .long 0x00650560, 0xe683e386, 0x94f191f4, 0x72177712 ?rev
-+Lk_dsbo: # decryption sbox final output
-+ .long 0x0040f97e, 0x53ea8713, 0x2d3e94d4, 0xb96daac7 ?rev
-+ .long 0x001d4493, 0x0f56d712, 0x9c8ec5d8, 0x59814bca ?rev
-+Lk_dsb9: # decryption sbox output *9*u, *9*t
-+ .long 0x00d6869a, 0x53031c85, 0xc94c994f, 0x501fd5ca ?rev
-+ .long 0x0049d7ec, 0x89173bc0, 0x65a5fbb2, 0x9e2c5e72 ?rev
-+Lk_dsbd: # decryption sbox output *D*u, *D*t
-+ .long 0x00a2b1e6, 0xdfcc577d, 0x39442a88, 0x139b6ef5 ?rev
-+ .long 0x00cbc624, 0xf7fae23c, 0xd3efde15, 0x0d183129 ?rev
-+Lk_dsbb: # decryption sbox output *B*u, *B*t
-+ .long 0x0042b496, 0x926422d0, 0x04d4f2b0, 0xf6462660 ?rev
-+ .long 0x006759cd, 0xa69894c1, 0x6baa5532, 0x3e0cfff3 ?rev
-+Lk_dsbe: # decryption sbox output *E*u, *E*t
-+ .long 0x00d0d426, 0x9692f246, 0xb0f6b464, 0x04604222 ?rev
-+ .long 0x00c1aaff, 0xcda6550c, 0x323e5998, 0x6bf36794 ?rev
-+
-+##
-+## Key schedule constants
-+##
-+Lk_dksd: # decryption key schedule: invskew x*D
-+ .long 0x0047e4a3, 0x5d1ab9fe, 0xf9be1d5a, 0xa4e34007 ?rev
-+ .long 0x008336b5, 0xf477c241, 0x1e9d28ab, 0xea69dc5f ?rev
-+Lk_dksb: # decryption key schedule: invskew x*B
-+ .long 0x00d55085, 0x1fca4f9a, 0x994cc91c, 0x8653d603 ?rev
-+ .long 0x004afcb6, 0xa7ed5b11, 0xc882347e, 0x6f2593d9 ?rev
-+Lk_dkse: # decryption key schedule: invskew x*E + 0x63
-+ .long 0x00d6c91f, 0xca1c03d5, 0x86504f99, 0x4c9a8553 ?rev
-+ .long 0xe87bdc4f, 0x059631a2, 0x8714b320, 0x6af95ecd ?rev
-+Lk_dks9: # decryption key schedule: invskew x*9
-+ .long 0x00a7d97e, 0xc86f11b6, 0xfc5b2582, 0x3493ed4a ?rev
-+ .long 0x00331427, 0x62517645, 0xcefddae9, 0xac9fb88b ?rev
-+
-+Lk_rcon: # rcon
-+ .long 0xb6ee9daf, 0xb991831f, 0x817d7c4d, 0x08982a70 ?asis
-+Lk_s63:
-+ .long 0x5b5b5b5b, 0x5b5b5b5b, 0x5b5b5b5b, 0x5b5b5b5b ?asis
-+
-+Lk_opt: # output transform
-+ .long 0x0060b6d6, 0x29499fff, 0x0868bede, 0x214197f7 ?rev
-+ .long 0x00ecbc50, 0x51bded01, 0xe00c5cb0, 0xb15d0de1 ?rev
-+Lk_deskew: # deskew tables: inverts the sbox's "skew"
-+ .long 0x00e3a447, 0x40a3e407, 0x1af9be5d, 0x5ab9fe1d ?rev
-+ .long 0x0069ea83, 0xdcb5365f, 0x771e9df4, 0xabc24128 ?rev
-+.align 5
-+Lconsts:
-+ mflr r0
-+ bcl 20,31,\$+4
-+ mflr r12 #vvvvv "distance between . and _vpaes_consts
-+ addi r12,r12,-0x308
-+ mtlr r0
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+.asciz "Vector Permutation AES for AltiVec, Mike Hamburg (Stanford University)"
-+.align 6
-+___
-+
-+my ($inptail,$inpperm,$outhead,$outperm,$outmask,$keyperm) = map("v$_",(26..31));
-+{
-+my ($inp,$out,$key) = map("r$_",(3..5));
-+
-+my ($invlo,$invhi,$iptlo,$ipthi,$sbou,$sbot) = map("v$_",(10..15));
-+my ($sb1u,$sb1t,$sb2u,$sb2t) = map("v$_",(16..19));
-+my ($sb9u,$sb9t,$sbdu,$sbdt,$sbbu,$sbbt,$sbeu,$sbet)=map("v$_",(16..23));
-+
-+$code.=<<___;
-+##
-+## _aes_preheat
-+##
-+## Fills register %r10 -> .aes_consts (so you can -fPIC)
-+## and %xmm9-%xmm15 as specified below.
-+##
-+.align 4
-+_vpaes_encrypt_preheat:
-+ mflr r8
-+ bl Lconsts
-+ mtlr r8
-+ li r11, 0xc0 # Lk_inv
-+ li r10, 0xd0
-+ li r9, 0xe0 # Lk_ipt
-+ li r8, 0xf0
-+ vxor v7, v7, v7 # 0x00..00
-+ vspltisb v8,4 # 0x04..04
-+ vspltisb v9,0x0f # 0x0f..0f
-+ lvx $invlo, r12, r11
-+ li r11, 0x100
-+ lvx $invhi, r12, r10
-+ li r10, 0x110
-+ lvx $iptlo, r12, r9
-+ li r9, 0x120
-+ lvx $ipthi, r12, r8
-+ li r8, 0x130
-+ lvx $sbou, r12, r11
-+ li r11, 0x140
-+ lvx $sbot, r12, r10
-+ li r10, 0x150
-+ lvx $sb1u, r12, r9
-+ lvx $sb1t, r12, r8
-+ lvx $sb2u, r12, r11
-+ lvx $sb2t, r12, r10
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+##
-+## _aes_encrypt_core
-+##
-+## AES-encrypt %xmm0.
-+##
-+## Inputs:
-+## %xmm0 = input
-+## %xmm9-%xmm15 as in _vpaes_preheat
-+## (%rdx) = scheduled keys
-+##
-+## Output in %xmm0
-+## Clobbers %xmm1-%xmm6, %r9, %r10, %r11, %rax
-+##
-+##
-+.align 5
-+_vpaes_encrypt_core:
-+ lwz r8, 240($key) # pull rounds
-+ li r9, 16
-+ lvx v5, 0, $key # vmovdqu (%r9), %xmm5 # round0 key
-+ li r11, 0x10
-+ lvx v6, r9, $key
-+ addi r9, r9, 16
-+ ?vperm v5, v5, v6, $keyperm # align round key
-+ addi r10, r11, 0x40
-+ vsrb v1, v0, v8 # vpsrlb \$4, %xmm0, %xmm0
-+ vperm v0, $iptlo, $iptlo, v0 # vpshufb %xmm1, %xmm2, %xmm1
-+ vperm v1, $ipthi, $ipthi, v1 # vpshufb %xmm0, %xmm3, %xmm2
-+ vxor v0, v0, v5 # vpxor %xmm5, %xmm1, %xmm0
-+ vxor v0, v0, v1 # vpxor %xmm2, %xmm0, %xmm0
-+ mtctr r8
-+ b Lenc_entry
-+
-+.align 4
-+Lenc_loop:
-+ # middle of middle round
-+ vperm v4, $sb1t, v7, v2 # vpshufb %xmm2, %xmm13, %xmm4 # 4 = sb1u
-+ lvx v1, r12, r11 # vmovdqa -0x40(%r11,%r10), %xmm1 # .Lk_mc_forward[]
-+ addi r11, r11, 16
-+ vperm v0, $sb1u, v7, v3 # vpshufb %xmm3, %xmm12, %xmm0 # 0 = sb1t
-+ vxor v4, v4, v5 # vpxor %xmm5, %xmm4, %xmm4 # 4 = sb1u + k
-+ andi. r11, r11, 0x30 # and \$0x30, %r11 # ... mod 4
-+ vperm v5, $sb2t, v7, v2 # vpshufb %xmm2, %xmm15, %xmm5 # 4 = sb2u
-+ vxor v0, v0, v4 # vpxor %xmm4, %xmm0, %xmm0 # 0 = A
-+ vperm v2, $sb2u, v7, v3 # vpshufb %xmm3, %xmm14, %xmm2 # 2 = sb2t
-+ lvx v4, r12, r10 # vmovdqa (%r11,%r10), %xmm4 # .Lk_mc_backward[]
-+ addi r10, r11, 0x40
-+ vperm v3, v0, v7, v1 # vpshufb %xmm1, %xmm0, %xmm3 # 0 = B
-+ vxor v2, v2, v5 # vpxor %xmm5, %xmm2, %xmm2 # 2 = 2A
-+ vperm v0, v0, v7, v4 # vpshufb %xmm4, %xmm0, %xmm0 # 3 = D
-+ vxor v3, v3, v2 # vpxor %xmm2, %xmm3, %xmm3 # 0 = 2A+B
-+ vperm v4, v3, v7, v1 # vpshufb %xmm1, %xmm3, %xmm4 # 0 = 2B+C
-+ vxor v0, v0, v3 # vpxor %xmm3, %xmm0, %xmm0 # 3 = 2A+B+D
-+ vxor v0, v0, v4 # vpxor %xmm4, %xmm0, %xmm0 # 0 = 2A+3B+C+D
-+
-+Lenc_entry:
-+ # top of round
-+ vsrb v1, v0, v8 # vpsrlb \$4, %xmm0, %xmm0 # 1 = i
-+ vperm v5, $invhi, $invhi, v0 # vpshufb %xmm1, %xmm11, %xmm5 # 2 = a/k
-+ vxor v0, v0, v1 # vpxor %xmm0, %xmm1, %xmm1 # 0 = j
-+ vperm v3, $invlo, $invlo, v1 # vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i
-+ vperm v4, $invlo, $invlo, v0 # vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j
-+ vand v0, v0, v9
-+ vxor v3, v3, v5 # vpxor %xmm5, %xmm3, %xmm3 # 3 = iak = 1/i + a/k
-+ vxor v4, v4, v5 # vpxor %xmm5, %xmm4, %xmm4 # 4 = jak = 1/j + a/k
-+ vperm v2, $invlo, v7, v3 # vpshufb %xmm3, %xmm10, %xmm2 # 2 = 1/iak
-+ vmr v5, v6
-+ lvx v6, r9, $key # vmovdqu (%r9), %xmm5
-+ vperm v3, $invlo, v7, v4 # vpshufb %xmm4, %xmm10, %xmm3 # 3 = 1/jak
-+ addi r9, r9, 16
-+ vxor v2, v2, v0 # vpxor %xmm1, %xmm2, %xmm2 # 2 = io
-+ ?vperm v5, v5, v6, $keyperm # align round key
-+ vxor v3, v3, v1 # vpxor %xmm0, %xmm3, %xmm3 # 3 = jo
-+ bdnz Lenc_loop
-+
-+ # middle of last round
-+ addi r10, r11, 0x80
-+ # vmovdqa -0x60(%r10), %xmm4 # 3 : sbou .Lk_sbo
-+ # vmovdqa -0x50(%r10), %xmm0 # 0 : sbot .Lk_sbo+16
-+ vperm v4, $sbou, v7, v2 # vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbou
-+ lvx v1, r12, r10 # vmovdqa 0x40(%r11,%r10), %xmm1 # .Lk_sr[]
-+ vperm v0, $sbot, v7, v3 # vpshufb %xmm3, %xmm0, %xmm0 # 0 = sb1t
-+ vxor v4, v4, v5 # vpxor %xmm5, %xmm4, %xmm4 # 4 = sb1u + k
-+ vxor v0, v0, v4 # vpxor %xmm4, %xmm0, %xmm0 # 0 = A
-+ vperm v0, v0, v7, v1 # vpshufb %xmm1, %xmm0, %xmm0
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+.globl .vpaes_encrypt
-+.align 5
-+.vpaes_encrypt:
-+ $STU $sp,-$FRAME($sp)
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mflr r6
-+ mfspr r7, 256 # save vrsave
-+ stvx v20,r10,$sp
-+ addi r10,r10,32
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ stw r7,`$FRAME-4`($sp) # save vrsave
-+ li r0, -1
-+ $PUSH r6,`$FRAME+$LRSAVE`($sp)
-+ mtspr 256, r0 # preserve all AltiVec registers
-+
-+ bl _vpaes_encrypt_preheat
-+
-+ ?lvsl $inpperm, 0, $inp # prepare for unaligned access
-+ lvx v0, 0, $inp
-+ addi $inp, $inp, 15 # 15 is not a typo
-+ ?lvsr $outperm, 0, $out
-+ ?lvsl $keyperm, 0, $key # prepare for unaligned access
-+ vnor $outmask, v7, v7 # 0xff..ff
-+ lvx $inptail, 0, $inp # redundant in aligned case
-+ ?vperm $outmask, v7, $outmask, $outperm
-+ lvx $outhead, 0, $out
-+ ?vperm v0, v0, $inptail, $inpperm
-+
-+ bl _vpaes_encrypt_core
-+
-+ vperm v0, v0, v0, $outperm # rotate right/left
-+ vsel v1, $outhead, v0, $outmask
-+ vmr $outhead, v0
-+ stvx v1, 0, $out
-+ addi $out, $out, 15 # 15 is not a typo
-+ ########
-+
-+ lvx v1, 0, $out # redundant in aligned case
-+ vsel v1, $outhead, v1, $outmask
-+ stvx v1, 0, $out
-+
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mtlr r6
-+ mtspr 256, r7 # restore vrsave
-+ lvx v20,r10,$sp
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+ addi $sp,$sp,$FRAME
-+ blr
-+ .long 0
-+ .byte 0,12,0x04,1,0x80,0,3,0
-+ .long 0
-+.size .vpaes_encrypt,.-.vpaes_encrypt
-+
-+.align 4
-+_vpaes_decrypt_preheat:
-+ mflr r8
-+ bl Lconsts
-+ mtlr r8
-+ li r11, 0xc0 # Lk_inv
-+ li r10, 0xd0
-+ li r9, 0x160 # Ldipt
-+ li r8, 0x170
-+ vxor v7, v7, v7 # 0x00..00
-+ vspltisb v8,4 # 0x04..04
-+ vspltisb v9,0x0f # 0x0f..0f
-+ lvx $invlo, r12, r11
-+ li r11, 0x180
-+ lvx $invhi, r12, r10
-+ li r10, 0x190
-+ lvx $iptlo, r12, r9
-+ li r9, 0x1a0
-+ lvx $ipthi, r12, r8
-+ li r8, 0x1b0
-+ lvx $sbou, r12, r11
-+ li r11, 0x1c0
-+ lvx $sbot, r12, r10
-+ li r10, 0x1d0
-+ lvx $sb9u, r12, r9
-+ li r9, 0x1e0
-+ lvx $sb9t, r12, r8
-+ li r8, 0x1f0
-+ lvx $sbdu, r12, r11
-+ li r11, 0x200
-+ lvx $sbdt, r12, r10
-+ li r10, 0x210
-+ lvx $sbbu, r12, r9
-+ lvx $sbbt, r12, r8
-+ lvx $sbeu, r12, r11
-+ lvx $sbet, r12, r10
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+##
-+## Decryption core
-+##
-+## Same API as encryption core.
-+##
-+.align 4
-+_vpaes_decrypt_core:
-+ lwz r8, 240($key) # pull rounds
-+ li r9, 16
-+ lvx v5, 0, $key # vmovdqu (%r9), %xmm4 # round0 key
-+ li r11, 0x30
-+ lvx v6, r9, $key
-+ addi r9, r9, 16
-+ ?vperm v5, v5, v6, $keyperm # align round key
-+ vsrb v1, v0, v8 # vpsrlb \$4, %xmm0, %xmm0
-+ vperm v0, $iptlo, $iptlo, v0 # vpshufb %xmm1, %xmm2, %xmm2
-+ vperm v1, $ipthi, $ipthi, v1 # vpshufb %xmm0, %xmm1, %xmm0
-+ vxor v0, v0, v5 # vpxor %xmm4, %xmm2, %xmm2
-+ vxor v0, v0, v1 # vpxor %xmm2, %xmm0, %xmm0
-+ mtctr r8
-+ b Ldec_entry
-+
-+.align 4
-+Ldec_loop:
-+#
-+# Inverse mix columns
-+#
-+ lvx v0, r12, r11 # v5 and v0 are flipped
-+ # vmovdqa -0x20(%r10),%xmm4 # 4 : sb9u
-+ # vmovdqa -0x10(%r10),%xmm1 # 0 : sb9t
-+ vperm v4, $sb9u, v7, v2 # vpshufb %xmm2, %xmm4, %xmm4 # 4 = sb9u
-+ subi r11, r11, 16
-+ vperm v1, $sb9t, v7, v3 # vpshufb %xmm3, %xmm1, %xmm1 # 0 = sb9t
-+ andi. r11, r11, 0x30
-+ vxor v5, v5, v4 # vpxor %xmm4, %xmm0, %xmm0
-+ # vmovdqa 0x00(%r10),%xmm4 # 4 : sbdu
-+ vxor v5, v5, v1 # vpxor %xmm1, %xmm0, %xmm0 # 0 = ch
-+ # vmovdqa 0x10(%r10),%xmm1 # 0 : sbdt
-+
-+ vperm v4, $sbdu, v7, v2 # vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbdu
-+ vperm v5, v5, v7, v0 # vpshufb %xmm5, %xmm0, %xmm0 # MC ch
-+ vperm v1, $sbdt, v7, v3 # vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbdt
-+ vxor v5, v5, v4 # vpxor %xmm4, %xmm0, %xmm0 # 4 = ch
-+ # vmovdqa 0x20(%r10), %xmm4 # 4 : sbbu
-+ vxor v5, v5, v1 # vpxor %xmm1, %xmm0, %xmm0 # 0 = ch
-+ # vmovdqa 0x30(%r10), %xmm1 # 0 : sbbt
-+
-+ vperm v4, $sbbu, v7, v2 # vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbbu
-+ vperm v5, v5, v7, v0 # vpshufb %xmm5, %xmm0, %xmm0 # MC ch
-+ vperm v1, $sbbt, v7, v3 # vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbbt
-+ vxor v5, v5, v4 # vpxor %xmm4, %xmm0, %xmm0 # 4 = ch
-+ # vmovdqa 0x40(%r10), %xmm4 # 4 : sbeu
-+ vxor v5, v5, v1 # vpxor %xmm1, %xmm0, %xmm0 # 0 = ch
-+ # vmovdqa 0x50(%r10), %xmm1 # 0 : sbet
-+
-+ vperm v4, $sbeu, v7, v2 # vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbeu
-+ vperm v5, v5, v7, v0 # vpshufb %xmm5, %xmm0, %xmm0 # MC ch
-+ vperm v1, $sbet, v7, v3 # vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbet
-+ vxor v0, v5, v4 # vpxor %xmm4, %xmm0, %xmm0 # 4 = ch
-+ vxor v0, v0, v1 # vpxor %xmm1, %xmm0, %xmm0 # 0 = ch
-+
-+Ldec_entry:
-+ # top of round
-+ vsrb v1, v0, v8 # vpsrlb \$4, %xmm0, %xmm0 # 1 = i
-+ vperm v2, $invhi, $invhi, v0 # vpshufb %xmm1, %xmm11, %xmm2 # 2 = a/k
-+ vxor v0, v0, v1 # vpxor %xmm0, %xmm1, %xmm1 # 0 = j
-+ vperm v3, $invlo, $invlo, v1 # vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i
-+ vperm v4, $invlo, $invlo, v0 # vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j
-+ vand v0, v0, v9
-+ vxor v3, v3, v2 # vpxor %xmm2, %xmm3, %xmm3 # 3 = iak = 1/i + a/k
-+ vxor v4, v4, v2 # vpxor %xmm2, %xmm4, %xmm4 # 4 = jak = 1/j + a/k
-+ vperm v2, $invlo, v7, v3 # vpshufb %xmm3, %xmm10, %xmm2 # 2 = 1/iak
-+ vmr v5, v6
-+ lvx v6, r9, $key # vmovdqu (%r9), %xmm0
-+ vperm v3, $invlo, v7, v4 # vpshufb %xmm4, %xmm10, %xmm3 # 3 = 1/jak
-+ addi r9, r9, 16
-+ vxor v2, v2, v0 # vpxor %xmm1, %xmm2, %xmm2 # 2 = io
-+ ?vperm v5, v5, v6, $keyperm # align round key
-+ vxor v3, v3, v1 # vpxor %xmm0, %xmm3, %xmm3 # 3 = jo
-+ bdnz Ldec_loop
-+
-+ # middle of last round
-+ addi r10, r11, 0x80
-+ # vmovdqa 0x60(%r10), %xmm4 # 3 : sbou
-+ vperm v4, $sbou, v7, v2 # vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbou
-+ # vmovdqa 0x70(%r10), %xmm1 # 0 : sbot
-+ lvx v2, r12, r10 # vmovdqa -0x160(%r11), %xmm2 # .Lk_sr-.Lk_dsbd=-0x160
-+ vperm v1, $sbot, v7, v3 # vpshufb %xmm3, %xmm1, %xmm1 # 0 = sb1t
-+ vxor v4, v4, v5 # vpxor %xmm0, %xmm4, %xmm4 # 4 = sb1u + k
-+ vxor v0, v1, v4 # vpxor %xmm4, %xmm1, %xmm0 # 0 = A
-+ vperm v0, v0, v7, v2 # vpshufb %xmm2, %xmm0, %xmm0
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+.globl .vpaes_decrypt
-+.align 5
-+.vpaes_decrypt:
-+ $STU $sp,-$FRAME($sp)
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mflr r6
-+ mfspr r7, 256 # save vrsave
-+ stvx v20,r10,$sp
-+ addi r10,r10,32
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ stw r7,`$FRAME-4`($sp) # save vrsave
-+ li r0, -1
-+ $PUSH r6,`$FRAME+$LRSAVE`($sp)
-+ mtspr 256, r0 # preserve all AltiVec registers
-+
-+ bl _vpaes_decrypt_preheat
-+
-+ ?lvsl $inpperm, 0, $inp # prepare for unaligned access
-+ lvx v0, 0, $inp
-+ addi $inp, $inp, 15 # 15 is not a typo
-+ ?lvsr $outperm, 0, $out
-+ ?lvsl $keyperm, 0, $key
-+ vnor $outmask, v7, v7 # 0xff..ff
-+ lvx $inptail, 0, $inp # redundant in aligned case
-+ ?vperm $outmask, v7, $outmask, $outperm
-+ lvx $outhead, 0, $out
-+ ?vperm v0, v0, $inptail, $inpperm
-+
-+ bl _vpaes_decrypt_core
-+
-+ vperm v0, v0, v0, $outperm # rotate right/left
-+ vsel v1, $outhead, v0, $outmask
-+ vmr $outhead, v0
-+ stvx v1, 0, $out
-+ addi $out, $out, 15 # 15 is not a typo
-+ ########
-+
-+ lvx v1, 0, $out # redundant in aligned case
-+ vsel v1, $outhead, v1, $outmask
-+ stvx v1, 0, $out
-+
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mtlr r6
-+ mtspr 256, r7 # restore vrsave
-+ lvx v20,r10,$sp
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+ addi $sp,$sp,$FRAME
-+ blr
-+ .long 0
-+ .byte 0,12,0x04,1,0x80,0,3,0
-+ .long 0
-+.size .vpaes_decrypt,.-.vpaes_decrypt
-+
-+.globl .vpaes_cbc_encrypt
-+.align 5
-+.vpaes_cbc_encrypt:
-+ ${UCMP}i r5,16
-+ bltlr-
-+
-+ $STU $sp,-`($FRAME+2*$SIZE_T)`($sp)
-+ mflr r0
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mfspr r12, 256
-+ stvx v20,r10,$sp
-+ addi r10,r10,32
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ stw r12,`$FRAME-4`($sp) # save vrsave
-+ $PUSH r30,`$FRAME+$SIZE_T*0`($sp)
-+ $PUSH r31,`$FRAME+$SIZE_T*1`($sp)
-+ li r9, -16
-+ $PUSH r0, `$FRAME+$SIZE_T*2+$LRSAVE`($sp)
-+
-+ and r30, r5, r9 # copy length&-16
-+ mr r5, r6 # copy pointer to key
-+ mr r31, r7 # copy pointer to iv
-+ blt Lcbc_abort
-+ cmpwi r8, 0 # test direction
-+ li r6, -1
-+ mr r7, r12 # copy vrsave
-+ mtspr 256, r6 # preserve all AltiVec registers
-+
-+ lvx v24, 0, r31 # load [potentially unaligned] iv
-+ li r9, 15
-+ ?lvsl $inpperm, 0, r31
-+ lvx v25, r9, r31
-+ ?vperm v24, v24, v25, $inpperm
-+
-+ neg r8, $inp # prepare for unaligned access
-+ vxor v7, v7, v7
-+ ?lvsl $keyperm, 0, $key
-+ ?lvsr $outperm, 0, $out
-+ ?lvsr $inpperm, 0, r8 # -$inp
-+ vnor $outmask, v7, v7 # 0xff..ff
-+ lvx $inptail, 0, $inp
-+ ?vperm $outmask, v7, $outmask, $outperm
-+ addi $inp, $inp, 15 # 15 is not a typo
-+ lvx $outhead, 0, $out
-+
-+ beq Lcbc_decrypt
-+
-+ bl _vpaes_encrypt_preheat
-+ li r0, 16
-+
-+Lcbc_enc_loop:
-+ vmr v0, $inptail
-+ lvx $inptail, 0, $inp
-+ addi $inp, $inp, 16
-+ ?vperm v0, v0, $inptail, $inpperm
-+ vxor v0, v0, v24 # ^= iv
-+
-+ bl _vpaes_encrypt_core
-+
-+ vmr v24, v0 # put aside iv
-+ sub. r30, r30, r0 # len -= 16
-+ vperm v0, v0, v0, $outperm # rotate right/left
-+ vsel v1, $outhead, v0, $outmask
-+ vmr $outhead, v0
-+ stvx v1, 0, $out
-+ addi $out, $out, 16
-+ bne Lcbc_enc_loop
-+
-+ b Lcbc_done
-+
-+.align 5
-+Lcbc_decrypt:
-+ bl _vpaes_decrypt_preheat
-+ li r0, 16
-+
-+Lcbc_dec_loop:
-+ vmr v0, $inptail
-+ lvx $inptail, 0, $inp
-+ addi $inp, $inp, 16
-+ ?vperm v0, v0, $inptail, $inpperm
-+ vmr v25, v0 # put aside input
-+
-+ bl _vpaes_decrypt_core
-+
-+ vxor v0, v0, v24 # ^= iv
-+ vmr v24, v25
-+ sub. r30, r30, r0 # len -= 16
-+ vperm v0, v0, v0, $outperm # rotate right/left
-+ vsel v1, $outhead, v0, $outmask
-+ vmr $outhead, v0
-+ stvx v1, 0, $out
-+ addi $out, $out, 16
-+ bne Lcbc_dec_loop
-+
-+Lcbc_done:
-+ addi $out, $out, -1
-+ lvx v1, 0, $out # redundant in aligned case
-+ vsel v1, $outhead, v1, $outmask
-+ stvx v1, 0, $out
-+
-+ neg r8, r31 # write [potentially unaligned] iv
-+ ?lvsl $outperm, 0, r8
-+ li r6, 15
-+ vnor $outmask, v7, v7 # 0xff..ff
-+ ?vperm $outmask, v7, $outmask, $outperm
-+ lvx $outhead, 0, r31
-+ vperm v24, v24, v24, $outperm # rotate right/left
-+ vsel v0, $outhead, v24, $outmask
-+ lvx v1, r6, r31
-+ stvx v0, 0, r31
-+ vsel v1, v24, v1, $outmask
-+ stvx v1, r6, r31
-+
-+ mtspr 256, r7 # restore vrsave
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ lvx v20,r10,$sp
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+Lcbc_abort:
-+ $POP r0, `$FRAME+$SIZE_T*2+$LRSAVE`($sp)
-+ $POP r30,`$FRAME+$SIZE_T*0`($sp)
-+ $POP r31,`$FRAME+$SIZE_T*1`($sp)
-+ mtlr r0
-+ addi $sp,$sp,`$FRAME+$SIZE_T*2`
-+ blr
-+ .long 0
-+ .byte 0,12,0x04,1,0x80,2,6,0
-+ .long 0
-+.size .vpaes_cbc_encrypt,.-.vpaes_cbc_encrypt
-+___
-+}
-+{
-+my ($inp,$bits,$out)=map("r$_",(3..5));
-+my $dir="cr1";
-+my ($invlo,$invhi,$iptlo,$ipthi,$rcon) = map("v$_",(10..13,24));
-+
-+$code.=<<___;
-+########################################################
-+## ##
-+## AES key schedule ##
-+## ##
-+########################################################
-+.align 4
-+_vpaes_key_preheat:
-+ mflr r8
-+ bl Lconsts
-+ mtlr r8
-+ li r11, 0xc0 # Lk_inv
-+ li r10, 0xd0
-+ li r9, 0xe0 # L_ipt
-+ li r8, 0xf0
-+
-+ vspltisb v8,4 # 0x04..04
-+ vxor v9,v9,v9 # 0x00..00
-+ lvx $invlo, r12, r11 # Lk_inv
-+ li r11, 0x120
-+ lvx $invhi, r12, r10
-+ li r10, 0x130
-+ lvx $iptlo, r12, r9 # Lk_ipt
-+ li r9, 0x220
-+ lvx $ipthi, r12, r8
-+ li r8, 0x230
-+
-+ lvx v14, r12, r11 # Lk_sb1
-+ li r11, 0x240
-+ lvx v15, r12, r10
-+ li r10, 0x250
-+
-+ lvx v16, r12, r9 # Lk_dksd
-+ li r9, 0x260
-+ lvx v17, r12, r8
-+ li r8, 0x270
-+ lvx v18, r12, r11 # Lk_dksb
-+ li r11, 0x280
-+ lvx v19, r12, r10
-+ li r10, 0x290
-+ lvx v20, r12, r9 # Lk_dkse
-+ li r9, 0x2a0
-+ lvx v21, r12, r8
-+ li r8, 0x2b0
-+ lvx v22, r12, r11 # Lk_dks9
-+ lvx v23, r12, r10
-+
-+ lvx v24, r12, r9 # Lk_rcon
-+ lvx v25, 0, r12 # Lk_mc_forward[0]
-+ lvx v26, r12, r8 # Lks63
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+.align 4
-+_vpaes_schedule_core:
-+ mflr r7
-+
-+ bl _vpaes_key_preheat # load the tables
-+
-+ #lvx v0, 0, $inp # vmovdqu (%rdi), %xmm0 # load key (unaligned)
-+ neg r8, $inp # prepare for unaligned access
-+ lvx v0, 0, $inp
-+ addi $inp, $inp, 15 # 15 is not typo
-+ ?lvsr $inpperm, 0, r8 # -$inp
-+ lvx v6, 0, $inp # v6 serves as inptail
-+ addi $inp, $inp, 8
-+ ?vperm v0, v0, v6, $inpperm
-+
-+ # input transform
-+ vmr v3, v0 # vmovdqa %xmm0, %xmm3
-+ bl _vpaes_schedule_transform
-+ vmr v7, v0 # vmovdqa %xmm0, %xmm7
-+
-+ bne $dir, Lschedule_am_decrypting
-+
-+ # encrypting, output zeroth round key after transform
-+ li r8, 0x30 # mov \$0x30,%r8d
-+ addi r10, r12, 0x80 # lea .Lk_sr(%rip),%r10
-+
-+ ?lvsr $outperm, 0, $out # prepare for unaligned access
-+ vnor $outmask, v9, v9 # 0xff..ff
-+ lvx $outhead, 0, $out
-+ ?vperm $outmask, v9, $outmask, $outperm
-+
-+ #stvx v0, 0, $out # vmovdqu %xmm0, (%rdx)
-+ vperm v1, v0, v0, $outperm # rotate right/left
-+ vsel v2, $outhead, v1, $outmask
-+ vmr $outhead, v1
-+ stvx v2, 0, $out
-+ b Lschedule_go
-+
-+Lschedule_am_decrypting:
-+ srwi r8, $bits, 1 # shr \$1,%r8d
-+ andi. r8, r8, 32 # and \$32,%r8d
-+ xori r8, r8, 32 # xor \$32,%r8d # nbits==192?0:32
-+ addi r10, r12, 0x80 # lea .Lk_sr(%rip),%r10
-+ # decrypting, output zeroth round key after shiftrows
-+ lvx v1, r8, r10 # vmovdqa (%r8,%r10), %xmm1
-+ vperm v4, v3, v3, v1 # vpshufb %xmm1, %xmm3, %xmm3
-+
-+ neg r0, $out # prepare for unaligned access
-+ ?lvsl $outperm, 0, r0
-+ addi $out, $out, 15 # 15 is not typo
-+ vnor $outmask, v9, v9 # 0xff..ff
-+ lvx $outhead, 0, $out
-+ ?vperm $outmask, $outmask, v9, $outperm
-+
-+ #stvx v4, 0, $out # vmovdqu %xmm3, (%rdx)
-+ vperm v4, v4, v4, $outperm # rotate right/left
-+ vsel v2, $outhead, v4, $outmask
-+ vmr $outhead, v4
-+ stvx v2, 0, $out
-+ xori r8, r8, 0x30 # xor \$0x30, %r8
-+
-+Lschedule_go:
-+ cmplwi $bits, 192 # cmp \$192, %esi
-+ bgt Lschedule_256
-+ beq Lschedule_192
-+ # 128: fall though
-+
-+##
-+## .schedule_128
-+##
-+## 128-bit specific part of key schedule.
-+##
-+## This schedule is really simple, because all its parts
-+## are accomplished by the subroutines.
-+##
-+Lschedule_128:
-+ li r0, 10 # mov \$10, %esi
-+ mtctr r0
-+
-+Loop_schedule_128:
-+ bl _vpaes_schedule_round
-+ bdz Lschedule_mangle_last # dec %esi
-+ bl _vpaes_schedule_mangle # write output
-+ b Loop_schedule_128
-+
-+##
-+## .aes_schedule_192
-+##
-+## 192-bit specific part of key schedule.
-+##
-+## The main body of this schedule is the same as the 128-bit
-+## schedule, but with more smearing. The long, high side is
-+## stored in %xmm7 as before, and the short, low side is in
-+## the high bits of %xmm6.
-+##
-+## This schedule is somewhat nastier, however, because each
-+## round produces 192 bits of key material, or 1.5 round keys.
-+## Therefore, on each cycle we do 2 rounds and produce 3 round
-+## keys.
-+##
-+.align 4
-+Lschedule_192:
-+ li r0, 4 # mov \$4, %esi
-+ lvx v0, 0, $inp
-+ ?vperm v0, v6, v0, $inpperm
-+ ?vsldoi v0, v3, v0, 8 # vmovdqu 8(%rdi),%xmm0 # load key part 2 (very unaligned)
-+ bl _vpaes_schedule_transform # input transform
-+ ?vsldoi v6, v0, v9, 8
-+ ?vsldoi v6, v9, v6, 8 # clobber "low" side with zeros
-+ mtctr r0
-+
-+Loop_schedule_192:
-+ bl _vpaes_schedule_round
-+ ?vsldoi v0, v6, v0, 8 # vpalignr \$8,%xmm6,%xmm0,%xmm0
-+ bl _vpaes_schedule_mangle # save key n
-+ bl _vpaes_schedule_192_smear
-+ bl _vpaes_schedule_mangle # save key n+1
-+ bl _vpaes_schedule_round
-+ bdz Lschedule_mangle_last # dec %esi
-+ bl _vpaes_schedule_mangle # save key n+2
-+ bl _vpaes_schedule_192_smear
-+ b Loop_schedule_192
-+
-+##
-+## .aes_schedule_256
-+##
-+## 256-bit specific part of key schedule.
-+##
-+## The structure here is very similar to the 128-bit
-+## schedule, but with an additional "low side" in
-+## %xmm6. The low side's rounds are the same as the
-+## high side's, except no rcon and no rotation.
-+##
-+.align 4
-+Lschedule_256:
-+ li r0, 7 # mov \$7, %esi
-+ addi $inp, $inp, 8
-+ lvx v0, 0, $inp # vmovdqu 16(%rdi),%xmm0 # load key part 2 (unaligned)
-+ ?vperm v0, v6, v0, $inpperm
-+ bl _vpaes_schedule_transform # input transform
-+ mtctr r0
-+
-+Loop_schedule_256:
-+ bl _vpaes_schedule_mangle # output low result
-+ vmr v6, v0 # vmovdqa %xmm0, %xmm6 # save cur_lo in xmm6
-+
-+ # high round
-+ bl _vpaes_schedule_round
-+ bdz Lschedule_mangle_last # dec %esi
-+ bl _vpaes_schedule_mangle
-+
-+ # low round. swap xmm7 and xmm6
-+ ?vspltw v0, v0, 3 # vpshufd \$0xFF, %xmm0, %xmm0
-+ vmr v5, v7 # vmovdqa %xmm7, %xmm5
-+ vmr v7, v6 # vmovdqa %xmm6, %xmm7
-+ bl _vpaes_schedule_low_round
-+ vmr v7, v5 # vmovdqa %xmm5, %xmm7
-+
-+ b Loop_schedule_256
-+##
-+## .aes_schedule_mangle_last
-+##
-+## Mangler for last round of key schedule
-+## Mangles %xmm0
-+## when encrypting, outputs out(%xmm0) ^ 63
-+## when decrypting, outputs unskew(%xmm0)
-+##
-+## Always called right before return... jumps to cleanup and exits
-+##
-+.align 4
-+Lschedule_mangle_last:
-+ # schedule last round key from xmm0
-+ li r11, 0x2e0 # lea .Lk_deskew(%rip),%r11
-+ li r9, 0x2f0
-+ bne $dir, Lschedule_mangle_last_dec
-+
-+ # encrypting
-+ lvx v1, r8, r10 # vmovdqa (%r8,%r10),%xmm1
-+ li r11, 0x2c0 # lea .Lk_opt(%rip), %r11 # prepare to output transform
-+ li r9, 0x2d0 # prepare to output transform
-+ vperm v0, v0, v0, v1 # vpshufb %xmm1, %xmm0, %xmm0 # output permute
-+
-+ lvx $iptlo, r11, r12 # reload $ipt
-+ lvx $ipthi, r9, r12
-+ addi $out, $out, 16 # add \$16, %rdx
-+ vxor v0, v0, v26 # vpxor .Lk_s63(%rip), %xmm0, %xmm0
-+ bl _vpaes_schedule_transform # output transform
-+
-+ #stvx v0, r0, $out # vmovdqu %xmm0, (%rdx) # save last key
-+ vperm v0, v0, v0, $outperm # rotate right/left
-+ vsel v2, $outhead, v0, $outmask
-+ vmr $outhead, v0
-+ stvx v2, 0, $out
-+
-+ addi $out, $out, 15 # 15 is not typo
-+ lvx v1, 0, $out # redundant in aligned case
-+ vsel v1, $outhead, v1, $outmask
-+ stvx v1, 0, $out
-+ b Lschedule_mangle_done
-+
-+.align 4
-+Lschedule_mangle_last_dec:
-+ lvx $iptlo, r11, r12 # reload $ipt
-+ lvx $ipthi, r9, r12
-+ addi $out, $out, -16 # add \$-16, %rdx
-+ vxor v0, v0, v26 # vpxor .Lk_s63(%rip), %xmm0, %xmm0
-+ bl _vpaes_schedule_transform # output transform
-+
-+ #stvx v0, r0, $out # vmovdqu %xmm0, (%rdx) # save last key
-+ vperm v0, v0, v0, $outperm # rotate right/left
-+ vsel v2, $outhead, v0, $outmask
-+ vmr $outhead, v0
-+ stvx v2, 0, $out
-+
-+ addi $out, $out, -15 # -15 is not typo
-+ lvx v1, 0, $out # redundant in aligned case
-+ vsel v1, $outhead, v1, $outmask
-+ stvx v1, 0, $out
-+
-+Lschedule_mangle_done:
-+ mtlr r7
-+ # cleanup
-+ vxor v0, v0, v0 # vpxor %xmm0, %xmm0, %xmm0
-+ vxor v1, v1, v1 # vpxor %xmm1, %xmm1, %xmm1
-+ vxor v2, v2, v2 # vpxor %xmm2, %xmm2, %xmm2
-+ vxor v3, v3, v3 # vpxor %xmm3, %xmm3, %xmm3
-+ vxor v4, v4, v4 # vpxor %xmm4, %xmm4, %xmm4
-+ vxor v5, v5, v5 # vpxor %xmm5, %xmm5, %xmm5
-+ vxor v6, v6, v6 # vpxor %xmm6, %xmm6, %xmm6
-+ vxor v7, v7, v7 # vpxor %xmm7, %xmm7, %xmm7
-+
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+##
-+## .aes_schedule_192_smear
-+##
-+## Smear the short, low side in the 192-bit key schedule.
-+##
-+## Inputs:
-+## %xmm7: high side, b a x y
-+## %xmm6: low side, d c 0 0
-+## %xmm13: 0
-+##
-+## Outputs:
-+## %xmm6: b+c+d b+c 0 0
-+## %xmm0: b+c+d b+c b a
-+##
-+.align 4
-+_vpaes_schedule_192_smear:
-+ ?vspltw v0, v7, 3
-+ ?vsldoi v1, v9, v6, 12 # vpshufd \$0x80, %xmm6, %xmm1 # d c 0 0 -> c 0 0 0
-+ ?vsldoi v0, v7, v0, 8 # vpshufd \$0xFE, %xmm7, %xmm0 # b a _ _ -> b b b a
-+ vxor v6, v6, v1 # vpxor %xmm1, %xmm6, %xmm6 # -> c+d c 0 0
-+ vxor v6, v6, v0 # vpxor %xmm0, %xmm6, %xmm6 # -> b+c+d b+c b a
-+ vmr v0, v6
-+ ?vsldoi v6, v6, v9, 8
-+ ?vsldoi v6, v9, v6, 8 # clobber low side with zeros
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+##
-+## .aes_schedule_round
-+##
-+## Runs one main round of the key schedule on %xmm0, %xmm7
-+##
-+## Specifically, runs subbytes on the high dword of %xmm0
-+## then rotates it by one byte and xors into the low dword of
-+## %xmm7.
-+##
-+## Adds rcon from low byte of %xmm8, then rotates %xmm8 for
-+## next rcon.
-+##
-+## Smears the dwords of %xmm7 by xoring the low into the
-+## second low, result into third, result into highest.
-+##
-+## Returns results in %xmm7 = %xmm0.
-+## Clobbers %xmm1-%xmm4, %r11.
-+##
-+.align 4
-+_vpaes_schedule_round:
-+ # extract rcon from xmm8
-+ #vxor v4, v4, v4 # vpxor %xmm4, %xmm4, %xmm4
-+ ?vsldoi v1, $rcon, v9, 15 # vpalignr \$15, %xmm8, %xmm4, %xmm1
-+ ?vsldoi $rcon, $rcon, $rcon, 15 # vpalignr \$15, %xmm8, %xmm8, %xmm8
-+ vxor v7, v7, v1 # vpxor %xmm1, %xmm7, %xmm7
-+
-+ # rotate
-+ ?vspltw v0, v0, 3 # vpshufd \$0xFF, %xmm0, %xmm0
-+ ?vsldoi v0, v0, v0, 1 # vpalignr \$1, %xmm0, %xmm0, %xmm0
-+
-+ # fall through...
-+
-+ # low round: same as high round, but no rotation and no rcon.
-+_vpaes_schedule_low_round:
-+ # smear xmm7
-+ ?vsldoi v1, v9, v7, 12 # vpslldq \$4, %xmm7, %xmm1
-+ vxor v7, v7, v1 # vpxor %xmm1, %xmm7, %xmm7
-+ vspltisb v1, 0x0f # 0x0f..0f
-+ ?vsldoi v4, v9, v7, 8 # vpslldq \$8, %xmm7, %xmm4
-+
-+ # subbytes
-+ vand v1, v1, v0 # vpand %xmm9, %xmm0, %xmm1 # 0 = k
-+ vsrb v0, v0, v8 # vpsrlb \$4, %xmm0, %xmm0 # 1 = i
-+ vxor v7, v7, v4 # vpxor %xmm4, %xmm7, %xmm7
-+ vperm v2, $invhi, v9, v1 # vpshufb %xmm1, %xmm11, %xmm2 # 2 = a/k
-+ vxor v1, v1, v0 # vpxor %xmm0, %xmm1, %xmm1 # 0 = j
-+ vperm v3, $invlo, v9, v0 # vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i
-+ vxor v3, v3, v2 # vpxor %xmm2, %xmm3, %xmm3 # 3 = iak = 1/i + a/k
-+ vperm v4, $invlo, v9, v1 # vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j
-+ vxor v7, v7, v26 # vpxor .Lk_s63(%rip), %xmm7, %xmm7
-+ vperm v3, $invlo, v9, v3 # vpshufb %xmm3, %xmm10, %xmm3 # 2 = 1/iak
-+ vxor v4, v4, v2 # vpxor %xmm2, %xmm4, %xmm4 # 4 = jak = 1/j + a/k
-+ vperm v2, $invlo, v9, v4 # vpshufb %xmm4, %xmm10, %xmm2 # 3 = 1/jak
-+ vxor v3, v3, v1 # vpxor %xmm1, %xmm3, %xmm3 # 2 = io
-+ vxor v2, v2, v0 # vpxor %xmm0, %xmm2, %xmm2 # 3 = jo
-+ vperm v4, v15, v9, v3 # vpshufb %xmm3, %xmm13, %xmm4 # 4 = sbou
-+ vperm v1, v14, v9, v2 # vpshufb %xmm2, %xmm12, %xmm1 # 0 = sb1t
-+ vxor v1, v1, v4 # vpxor %xmm4, %xmm1, %xmm1 # 0 = sbox output
-+
-+ # add in smeared stuff
-+ vxor v0, v1, v7 # vpxor %xmm7, %xmm1, %xmm0
-+ vxor v7, v1, v7 # vmovdqa %xmm0, %xmm7
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+##
-+## .aes_schedule_transform
-+##
-+## Linear-transform %xmm0 according to tables at (%r11)
-+##
-+## Requires that %xmm9 = 0x0F0F... as in preheat
-+## Output in %xmm0
-+## Clobbers %xmm2
-+##
-+.align 4
-+_vpaes_schedule_transform:
-+ #vand v1, v0, v9 # vpand %xmm9, %xmm0, %xmm1
-+ vsrb v2, v0, v8 # vpsrlb \$4, %xmm0, %xmm0
-+ # vmovdqa (%r11), %xmm2 # lo
-+ vperm v0, $iptlo, $iptlo, v0 # vpshufb %xmm1, %xmm2, %xmm2
-+ # vmovdqa 16(%r11), %xmm1 # hi
-+ vperm v2, $ipthi, $ipthi, v2 # vpshufb %xmm0, %xmm1, %xmm0
-+ vxor v0, v0, v2 # vpxor %xmm2, %xmm0, %xmm0
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+##
-+## .aes_schedule_mangle
-+##
-+## Mangle xmm0 from (basis-transformed) standard version
-+## to our version.
-+##
-+## On encrypt,
-+## xor with 0x63
-+## multiply by circulant 0,1,1,1
-+## apply shiftrows transform
-+##
-+## On decrypt,
-+## xor with 0x63
-+## multiply by "inverse mixcolumns" circulant E,B,D,9
-+## deskew
-+## apply shiftrows transform
-+##
-+##
-+## Writes out to (%rdx), and increments or decrements it
-+## Keeps track of round number mod 4 in %r8
-+## Preserves xmm0
-+## Clobbers xmm1-xmm5
-+##
-+.align 4
-+_vpaes_schedule_mangle:
-+ #vmr v4, v0 # vmovdqa %xmm0, %xmm4 # save xmm0 for later
-+ # vmovdqa .Lk_mc_forward(%rip),%xmm5
-+ bne $dir, Lschedule_mangle_dec
-+
-+ # encrypting
-+ vxor v4, v0, v26 # vpxor .Lk_s63(%rip), %xmm0, %xmm4
-+ addi $out, $out, 16 # add \$16, %rdx
-+ vperm v4, v4, v4, v25 # vpshufb %xmm5, %xmm4, %xmm4
-+ vperm v1, v4, v4, v25 # vpshufb %xmm5, %xmm4, %xmm1
-+ vperm v3, v1, v1, v25 # vpshufb %xmm5, %xmm1, %xmm3
-+ vxor v4, v4, v1 # vpxor %xmm1, %xmm4, %xmm4
-+ lvx v1, r8, r10 # vmovdqa (%r8,%r10), %xmm1
-+ vxor v3, v3, v4 # vpxor %xmm4, %xmm3, %xmm3
-+
-+ vperm v3, v3, v3, v1 # vpshufb %xmm1, %xmm3, %xmm3
-+ addi r8, r8, -16 # add \$-16, %r8
-+ andi. r8, r8, 0x30 # and \$0x30, %r8
-+
-+ #stvx v3, 0, $out # vmovdqu %xmm3, (%rdx)
-+ vperm v1, v3, v3, $outperm # rotate right/left
-+ vsel v2, $outhead, v1, $outmask
-+ vmr $outhead, v1
-+ stvx v2, 0, $out
-+ blr
-+
-+.align 4
-+Lschedule_mangle_dec:
-+ # inverse mix columns
-+ # lea .Lk_dksd(%rip),%r11
-+ vsrb v1, v0, v8 # vpsrlb \$4, %xmm4, %xmm1 # 1 = hi
-+ #and v4, v0, v9 # vpand %xmm9, %xmm4, %xmm4 # 4 = lo
-+
-+ # vmovdqa 0x00(%r11), %xmm2
-+ vperm v2, v16, v16, v0 # vpshufb %xmm4, %xmm2, %xmm2
-+ # vmovdqa 0x10(%r11), %xmm3
-+ vperm v3, v17, v17, v1 # vpshufb %xmm1, %xmm3, %xmm3
-+ vxor v3, v3, v2 # vpxor %xmm2, %xmm3, %xmm3
-+ vperm v3, v3, v9, v25 # vpshufb %xmm5, %xmm3, %xmm3
-+
-+ # vmovdqa 0x20(%r11), %xmm2
-+ vperm v2, v18, v18, v0 # vpshufb %xmm4, %xmm2, %xmm2
-+ vxor v2, v2, v3 # vpxor %xmm3, %xmm2, %xmm2
-+ # vmovdqa 0x30(%r11), %xmm3
-+ vperm v3, v19, v19, v1 # vpshufb %xmm1, %xmm3, %xmm3
-+ vxor v3, v3, v2 # vpxor %xmm2, %xmm3, %xmm3
-+ vperm v3, v3, v9, v25 # vpshufb %xmm5, %xmm3, %xmm3
-+
-+ # vmovdqa 0x40(%r11), %xmm2
-+ vperm v2, v20, v20, v0 # vpshufb %xmm4, %xmm2, %xmm2
-+ vxor v2, v2, v3 # vpxor %xmm3, %xmm2, %xmm2
-+ # vmovdqa 0x50(%r11), %xmm3
-+ vperm v3, v21, v21, v1 # vpshufb %xmm1, %xmm3, %xmm3
-+ vxor v3, v3, v2 # vpxor %xmm2, %xmm3, %xmm3
-+
-+ # vmovdqa 0x60(%r11), %xmm2
-+ vperm v2, v22, v22, v0 # vpshufb %xmm4, %xmm2, %xmm2
-+ vperm v3, v3, v9, v25 # vpshufb %xmm5, %xmm3, %xmm3
-+ # vmovdqa 0x70(%r11), %xmm4
-+ vperm v4, v23, v23, v1 # vpshufb %xmm1, %xmm4, %xmm4
-+ lvx v1, r8, r10 # vmovdqa (%r8,%r10), %xmm1
-+ vxor v2, v2, v3 # vpxor %xmm3, %xmm2, %xmm2
-+ vxor v3, v4, v2 # vpxor %xmm2, %xmm4, %xmm3
-+
-+ addi $out, $out, -16 # add \$-16, %rdx
-+
-+ vperm v3, v3, v3, v1 # vpshufb %xmm1, %xmm3, %xmm3
-+ addi r8, r8, -16 # add \$-16, %r8
-+ andi. r8, r8, 0x30 # and \$0x30, %r8
-+
-+ #stvx v3, 0, $out # vmovdqu %xmm3, (%rdx)
-+ vperm v1, v3, v3, $outperm # rotate right/left
-+ vsel v2, $outhead, v1, $outmask
-+ vmr $outhead, v1
-+ stvx v2, 0, $out
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+.globl .vpaes_set_encrypt_key
-+.align 5
-+.vpaes_set_encrypt_key:
-+ $STU $sp,-$FRAME($sp)
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mflr r0
-+ mfspr r6, 256 # save vrsave
-+ stvx v20,r10,$sp
-+ addi r10,r10,32
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ stw r6,`$FRAME-4`($sp) # save vrsave
-+ li r7, -1
-+ $PUSH r0, `$FRAME+$LRSAVE`($sp)
-+ mtspr 256, r7 # preserve all AltiVec registers
-+
-+ srwi r9, $bits, 5 # shr \$5,%eax
-+ addi r9, r9, 6 # add \$5,%eax
-+ stw r9, 240($out) # mov %eax,240(%rdx) # AES_KEY->rounds = nbits/32+5;
-+
-+ cmplw $dir, $bits, $bits # set encrypt direction
-+ li r8, 0x30 # mov \$0x30,%r8d
-+ bl _vpaes_schedule_core
-+
-+ $POP r0, `$FRAME+$LRSAVE`($sp)
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mtspr 256, r6 # restore vrsave
-+ mtlr r0
-+ xor r3, r3, r3
-+ lvx v20,r10,$sp
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+ addi $sp,$sp,$FRAME
-+ blr
-+ .long 0
-+ .byte 0,12,0x04,1,0x80,0,3,0
-+ .long 0
-+.size .vpaes_set_encrypt_key,.-.vpaes_set_encrypt_key
-+
-+.globl .vpaes_set_decrypt_key
-+.align 4
-+.vpaes_set_decrypt_key:
-+ $STU $sp,-$FRAME($sp)
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mflr r0
-+ mfspr r6, 256 # save vrsave
-+ stvx v20,r10,$sp
-+ addi r10,r10,32
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ stw r6,`$FRAME-4`($sp) # save vrsave
-+ li r7, -1
-+ $PUSH r0, `$FRAME+$LRSAVE`($sp)
-+ mtspr 256, r7 # preserve all AltiVec registers
-+
-+ srwi r9, $bits, 5 # shr \$5,%eax
-+ addi r9, r9, 6 # add \$5,%eax
-+ stw r9, 240($out) # mov %eax,240(%rdx) # AES_KEY->rounds = nbits/32+5;
-+
-+ slwi r9, r9, 4 # shl \$4,%eax
-+ add $out, $out, r9 # lea (%rdx,%rax),%rdx
-+
-+ cmplwi $dir, $bits, 0 # set decrypt direction
-+ srwi r8, $bits, 1 # shr \$1,%r8d
-+ andi. r8, r8, 32 # and \$32,%r8d
-+ xori r8, r8, 32 # xor \$32,%r8d # nbits==192?0:32
-+ bl _vpaes_schedule_core
-+
-+ $POP r0, `$FRAME+$LRSAVE`($sp)
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mtspr 256, r6 # restore vrsave
-+ mtlr r0
-+ xor r3, r3, r3
-+ lvx v20,r10,$sp
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+ addi $sp,$sp,$FRAME
-+ blr
-+ .long 0
-+ .byte 0,12,0x04,1,0x80,0,3,0
-+ .long 0
-+.size .vpaes_set_decrypt_key,.-.vpaes_set_decrypt_key
-+___
-+}
-+
-+my $consts=1;
-+foreach (split("\n",$code)) {
-+ s/\`([^\`]*)\`/eval $1/geo;
-+
-+ # constants table endian-specific conversion
-+ if ($consts && m/\.long\s+(.+)\s+(\?[a-z]*)$/o) {
-+ my $conv=$2;
-+ my @bytes=();
-+
-+ # convert to endian-agnostic format
-+ foreach (split(/,\s+/,$1)) {
-+ my $l = /^0/?oct:int;
-+ push @bytes,($l>>24)&0xff,($l>>16)&0xff,($l>>8)&0xff,$l&0xff;
-+ }
-+
-+ # little-endian conversion
-+ if ($flavour =~ /le$/o) {
-+ SWITCH: for($conv) {
-+ /\?inv/ && do { @bytes=map($_^0xf, at bytes); last; };
-+ /\?rev/ && do { @bytes=reverse(@bytes); last; };
-+ }
-+ }
-+
-+ #emit
-+ print ".byte\t",join(',',map (sprintf("0x%02x",$_), at bytes)),"\n";
-+ next;
-+ }
-+ $consts=0 if (m/Lconsts:/o); # end of table
-+
-+ # instructions prefixed with '?' are endian-specific and need
-+ # to be adjusted accordingly...
-+ if ($flavour =~ /le$/o) { # little-endian
-+ s/\?lvsr/lvsl/o or
-+ s/\?lvsl/lvsr/o or
-+ s/\?(vperm\s+v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+)/$1$3$2$4/o or
-+ s/\?(vsldoi\s+v[0-9]+,\s*)(v[0-9]+,)\s*(v[0-9]+,\s*)([0-9]+)/$1$3$2 16-$4/o or
-+ s/\?(vspltw\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9])/$1$2 3-$3/o;
-+ } else { # big-endian
-+ s/\?([a-z]+)/$1/o;
-+ }
-+
-+ print $_,"\n";
-+}
-+
-+close STDOUT;
-diff --git a/crypto/bn/asm/ppc-mont.pl b/crypto/bn/asm/ppc-mont.pl
-index f9b6992..da69c6a 100644
---- a/crypto/bn/asm/ppc-mont.pl
-+++ b/crypto/bn/asm/ppc-mont.pl
-@@ -325,6 +325,7 @@ Lcopy: ; copy or in-place refresh
- .long 0
- .byte 0,12,4,0,0x80,12,6,0
- .long 0
-+.size .bn_mul_mont_int,.-.bn_mul_mont_int
-
- .asciz "Montgomery Multiplication for PPC, CRYPTOGAMS by <appro\@openssl.org>"
- ___
-diff --git a/crypto/bn/asm/ppc.pl b/crypto/bn/asm/ppc.pl
-index 1249ce2..04df1fe 100644
---- a/crypto/bn/asm/ppc.pl
-+++ b/crypto/bn/asm/ppc.pl
-@@ -392,6 +392,7 @@ $data=<<EOF;
- .long 0
- .byte 0,12,0x14,0,0,0,2,0
- .long 0
-+.size .bn_sqr_comba4,.-.bn_sqr_comba4
-
- #
- # NOTE: The following label name should be changed to
-@@ -819,6 +820,7 @@ $data=<<EOF;
- .long 0
- .byte 0,12,0x14,0,0,0,2,0
- .long 0
-+.size .bn_sqr_comba8,.-.bn_sqr_comba8
-
- #
- # NOTE: The following label name should be changed to
-@@ -972,6 +974,7 @@ $data=<<EOF;
- .long 0
- .byte 0,12,0x14,0,0,0,3,0
- .long 0
-+.size .bn_mul_comba4,.-.bn_mul_comba4
-
- #
- # NOTE: The following label name should be changed to
-@@ -1510,6 +1513,7 @@ $data=<<EOF;
- .long 0
- .byte 0,12,0x14,0,0,0,3,0
- .long 0
-+.size .bn_mul_comba8,.-.bn_mul_comba8
-
- #
- # NOTE: The following label name should be changed to
-@@ -1560,6 +1564,7 @@ Lppcasm_sub_adios:
- .long 0
- .byte 0,12,0x14,0,0,0,4,0
- .long 0
-+.size .bn_sub_words,.-.bn_sub_words
-
- #
- # NOTE: The following label name should be changed to
-@@ -1605,6 +1610,7 @@ Lppcasm_add_adios:
- .long 0
- .byte 0,12,0x14,0,0,0,4,0
- .long 0
-+.size .bn_add_words,.-.bn_add_words
-
- #
- # NOTE: The following label name should be changed to
-@@ -1720,6 +1726,7 @@ Lppcasm_div9:
- .long 0
- .byte 0,12,0x14,0,0,0,3,0
- .long 0
-+.size .bn_div_words,.-.bn_div_words
-
- #
- # NOTE: The following label name should be changed to
-@@ -1761,6 +1768,7 @@ Lppcasm_sqr_adios:
- .long 0
- .byte 0,12,0x14,0,0,0,3,0
- .long 0
-+.size .bn_sqr_words,.-.bn_sqr_words
-
- #
- # NOTE: The following label name should be changed to
-@@ -1866,6 +1874,7 @@ Lppcasm_mw_OVER:
- .long 0
- .byte 0,12,0x14,0,0,0,4,0
- .long 0
-+.size bn_mul_words,.-bn_mul_words
-
- #
- # NOTE: The following label name should be changed to
-@@ -1991,6 +2000,7 @@ Lppcasm_maw_adios:
- .long 0
- .byte 0,12,0x14,0,0,0,4,0
- .long 0
-+.size .bn_mul_add_words,.-.bn_mul_add_words
- .align 4
- EOF
- $data =~ s/\`([^\`]*)\`/eval $1/gem;
-diff --git a/crypto/bn/asm/ppc64-mont.pl b/crypto/bn/asm/ppc64-mont.pl
-index a14e769..68e3733 100644
---- a/crypto/bn/asm/ppc64-mont.pl
-+++ b/crypto/bn/asm/ppc64-mont.pl
-@@ -1,7 +1,7 @@
- #!/usr/bin/env perl
-
- # ====================================================================
--# Written by Andy Polyakov <appro at fy.chalmers.se> for the OpenSSL
-+# Written by Andy Polyakov <appro at openssl.org> for the OpenSSL
- # project. The module is, however, dual licensed under OpenSSL and
- # CRYPTOGAMS licenses depending on where you obtain it. For further
- # details see http://www.openssl.org/~appro/cryptogams/.
-@@ -65,6 +65,14 @@
- # others alternative would be to break dependence on upper halves of
- # GPRs by sticking to 32-bit integer operations...
-
-+# December 2012
-+
-+# Remove above mentioned dependence on GPRs' upper halves in 32-bit
-+# build. No signal masking overhead, but integer instructions are
-+# *more* numerous... It's still "universally" faster than 32-bit
-+# ppc-mont.pl, but improvement coefficient is not as impressive
-+# for longer keys...
-+
- $flavour = shift;
-
- if ($flavour =~ /32/) {
-@@ -110,6 +118,9 @@ $tp="r10";
- $j="r11";
- $i="r12";
- # non-volatile registers
-+$c1="r19";
-+$n1="r20";
-+$a1="r21";
- $nap_d="r22"; # interleaved ap and np in double format
- $a0="r23"; # ap[0]
- $t0="r24"; # temporary registers
-@@ -180,8 +191,8 @@ $T3a="f30"; $T3b="f31";
- # . .
- # +-------------------------------+
- # . .
--# -12*size_t +-------------------------------+
--# | 10 saved gpr, r22-r31 |
-+# -13*size_t +-------------------------------+
-+# | 13 saved gpr, r19-r31 |
- # . .
- # . .
- # -12*8 +-------------------------------+
-@@ -215,6 +226,9 @@ $code=<<___;
- mr $i,$sp
- $STUX $sp,$sp,$tp ; alloca
-
-+ $PUSH r19,`-12*8-13*$SIZE_T`($i)
-+ $PUSH r20,`-12*8-12*$SIZE_T`($i)
-+ $PUSH r21,`-12*8-11*$SIZE_T`($i)
- $PUSH r22,`-12*8-10*$SIZE_T`($i)
- $PUSH r23,`-12*8-9*$SIZE_T`($i)
- $PUSH r24,`-12*8-8*$SIZE_T`($i)
-@@ -237,40 +251,26 @@ $code=<<___;
- stfd f29,`-3*8`($i)
- stfd f30,`-2*8`($i)
- stfd f31,`-1*8`($i)
--___
--$code.=<<___ if ($SIZE_T==8);
-- ld $a0,0($ap) ; pull ap[0] value
-- ld $n0,0($n0) ; pull n0[0] value
-- ld $t3,0($bp) ; bp[0]
--___
--$code.=<<___ if ($SIZE_T==4);
-- mr $t1,$n0
-- lwz $a0,0($ap) ; pull ap[0,1] value
-- lwz $t0,4($ap)
-- lwz $n0,0($t1) ; pull n0[0,1] value
-- lwz $t1,4($t1)
-- lwz $t3,0($bp) ; bp[0,1]
-- lwz $t2,4($bp)
-- insrdi $a0,$t0,32,0
-- insrdi $n0,$t1,32,0
-- insrdi $t3,$t2,32,0
--___
--$code.=<<___;
-+
- addi $tp,$sp,`$FRAME+$TRANSFER+8+64`
- li $i,-64
- add $nap_d,$tp,$num
- and $nap_d,$nap_d,$i ; align to 64 bytes
--
-- mulld $t7,$a0,$t3 ; ap[0]*bp[0]
- ; nap_d is off by 1, because it's used with stfdu/lfdu
- addi $nap_d,$nap_d,-8
- srwi $j,$num,`3+1` ; counter register, num/2
-- mulld $t7,$t7,$n0 ; tp[0]*n0
- addi $j,$j,-1
- addi $tp,$sp,`$FRAME+$TRANSFER-8`
- li $carry,0
- mtctr $j
-+___
-+
-+$code.=<<___ if ($SIZE_T==8);
-+ ld $a0,0($ap) ; pull ap[0] value
-+ ld $t3,0($bp) ; bp[0]
-+ ld $n0,0($n0) ; pull n0[0] value
-
-+ mulld $t7,$a0,$t3 ; ap[0]*bp[0]
- ; transfer bp[0] to FPU as 4x16-bit values
- extrdi $t0,$t3,16,48
- extrdi $t1,$t3,16,32
-@@ -280,6 +280,8 @@ $code.=<<___;
- std $t1,`$FRAME+8`($sp)
- std $t2,`$FRAME+16`($sp)
- std $t3,`$FRAME+24`($sp)
-+
-+ mulld $t7,$t7,$n0 ; tp[0]*n0
- ; transfer (ap[0]*bp[0])*n0 to FPU as 4x16-bit values
- extrdi $t4,$t7,16,48
- extrdi $t5,$t7,16,32
-@@ -289,21 +291,61 @@ $code.=<<___;
- std $t5,`$FRAME+40`($sp)
- std $t6,`$FRAME+48`($sp)
- std $t7,`$FRAME+56`($sp)
--___
--$code.=<<___ if ($SIZE_T==8);
-- lwz $t0,4($ap) ; load a[j] as 32-bit word pair
-- lwz $t1,0($ap)
-- lwz $t2,12($ap) ; load a[j+1] as 32-bit word pair
-+
-+ extrdi $t0,$a0,32,32 ; lwz $t0,4($ap)
-+ extrdi $t1,$a0,32,0 ; lwz $t1,0($ap)
-+ lwz $t2,12($ap) ; load a[1] as 32-bit word pair
- lwz $t3,8($ap)
-- lwz $t4,4($np) ; load n[j] as 32-bit word pair
-+ lwz $t4,4($np) ; load n[0] as 32-bit word pair
- lwz $t5,0($np)
-- lwz $t6,12($np) ; load n[j+1] as 32-bit word pair
-+ lwz $t6,12($np) ; load n[1] as 32-bit word pair
- lwz $t7,8($np)
- ___
- $code.=<<___ if ($SIZE_T==4);
-- lwz $t0,0($ap) ; load a[j..j+3] as 32-bit word pairs
-- lwz $t1,4($ap)
-- lwz $t2,8($ap)
-+ lwz $a0,0($ap) ; pull ap[0,1] value
-+ mr $n1,$n0
-+ lwz $a1,4($ap)
-+ li $c1,0
-+ lwz $t1,0($bp) ; bp[0,1]
-+ lwz $t3,4($bp)
-+ lwz $n0,0($n1) ; pull n0[0,1] value
-+ lwz $n1,4($n1)
-+
-+ mullw $t4,$a0,$t1 ; mulld ap[0]*bp[0]
-+ mulhwu $t5,$a0,$t1
-+ mullw $t6,$a1,$t1
-+ mullw $t7,$a0,$t3
-+ add $t5,$t5,$t6
-+ add $t5,$t5,$t7
-+ ; transfer bp[0] to FPU as 4x16-bit values
-+ extrwi $t0,$t1,16,16
-+ extrwi $t1,$t1,16,0
-+ extrwi $t2,$t3,16,16
-+ extrwi $t3,$t3,16,0
-+ std $t0,`$FRAME+0`($sp) ; yes, std in 32-bit build
-+ std $t1,`$FRAME+8`($sp)
-+ std $t2,`$FRAME+16`($sp)
-+ std $t3,`$FRAME+24`($sp)
-+
-+ mullw $t0,$t4,$n0 ; mulld tp[0]*n0
-+ mulhwu $t1,$t4,$n0
-+ mullw $t2,$t5,$n0
-+ mullw $t3,$t4,$n1
-+ add $t1,$t1,$t2
-+ add $t1,$t1,$t3
-+ ; transfer (ap[0]*bp[0])*n0 to FPU as 4x16-bit values
-+ extrwi $t4,$t0,16,16
-+ extrwi $t5,$t0,16,0
-+ extrwi $t6,$t1,16,16
-+ extrwi $t7,$t1,16,0
-+ std $t4,`$FRAME+32`($sp) ; yes, std in 32-bit build
-+ std $t5,`$FRAME+40`($sp)
-+ std $t6,`$FRAME+48`($sp)
-+ std $t7,`$FRAME+56`($sp)
-+
-+ mr $t0,$a0 ; lwz $t0,0($ap)
-+ mr $t1,$a1 ; lwz $t1,4($ap)
-+ lwz $t2,8($ap) ; load a[j..j+3] as 32-bit word pairs
- lwz $t3,12($ap)
- lwz $t4,0($np) ; load n[j..j+3] as 32-bit word pairs
- lwz $t5,4($np)
-@@ -319,7 +361,7 @@ $code.=<<___;
- lfd $nb,`$FRAME+40`($sp)
- lfd $nc,`$FRAME+48`($sp)
- lfd $nd,`$FRAME+56`($sp)
-- std $t0,`$FRAME+64`($sp)
-+ std $t0,`$FRAME+64`($sp) ; yes, std even in 32-bit build
- std $t1,`$FRAME+72`($sp)
- std $t2,`$FRAME+80`($sp)
- std $t3,`$FRAME+88`($sp)
-@@ -441,7 +483,7 @@ $code.=<<___ if ($SIZE_T==4);
- lwz $t7,12($np)
- ___
- $code.=<<___;
-- std $t0,`$FRAME+64`($sp)
-+ std $t0,`$FRAME+64`($sp) ; yes, std even in 32-bit build
- std $t1,`$FRAME+72`($sp)
- std $t2,`$FRAME+80`($sp)
- std $t3,`$FRAME+88`($sp)
-@@ -449,6 +491,9 @@ $code.=<<___;
- std $t5,`$FRAME+104`($sp)
- std $t6,`$FRAME+112`($sp)
- std $t7,`$FRAME+120`($sp)
-+___
-+if ($SIZE_T==8 or $flavour =~ /osx/) {
-+$code.=<<___;
- ld $t0,`$FRAME+0`($sp)
- ld $t1,`$FRAME+8`($sp)
- ld $t2,`$FRAME+16`($sp)
-@@ -457,6 +502,20 @@ $code.=<<___;
- ld $t5,`$FRAME+40`($sp)
- ld $t6,`$FRAME+48`($sp)
- ld $t7,`$FRAME+56`($sp)
-+___
-+} else {
-+$code.=<<___;
-+ lwz $t1,`$FRAME+0`($sp)
-+ lwz $t0,`$FRAME+4`($sp)
-+ lwz $t3,`$FRAME+8`($sp)
-+ lwz $t2,`$FRAME+12`($sp)
-+ lwz $t5,`$FRAME+16`($sp)
-+ lwz $t4,`$FRAME+20`($sp)
-+ lwz $t7,`$FRAME+24`($sp)
-+ lwz $t6,`$FRAME+28`($sp)
-+___
-+}
-+$code.=<<___;
- lfd $A0,`$FRAME+64`($sp)
- lfd $A1,`$FRAME+72`($sp)
- lfd $A2,`$FRAME+80`($sp)
-@@ -488,7 +547,9 @@ $code.=<<___;
- fmadd $T0b,$A0,$bb,$dotb
- stfd $A2,24($nap_d) ; save a[j+1] in double format
- stfd $A3,32($nap_d)
--
-+___
-+if ($SIZE_T==8 or $flavour =~ /osx/) {
-+$code.=<<___;
- fmadd $T1a,$A0,$bc,$T1a
- fmadd $T1b,$A0,$bd,$T1b
- fmadd $T2a,$A1,$bc,$T2a
-@@ -561,11 +622,123 @@ $code.=<<___;
- stfd $T3b,`$FRAME+56`($sp)
- std $t0,8($tp) ; tp[j-1]
- stdu $t4,16($tp) ; tp[j]
-+___
-+} else {
-+$code.=<<___;
-+ fmadd $T1a,$A0,$bc,$T1a
-+ fmadd $T1b,$A0,$bd,$T1b
-+ addc $t0,$t0,$carry
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ fmadd $T2a,$A1,$bc,$T2a
-+ fmadd $T2b,$A1,$bd,$T2b
-+ stfd $N0,40($nap_d) ; save n[j] in double format
-+ stfd $N1,48($nap_d)
-+ srwi $c1,$t1,16
-+ insrwi $carry,$t1,16,0
-+ fmadd $T3a,$A2,$bc,$T3a
-+ fmadd $T3b,$A2,$bd,$T3b
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ fmul $dota,$A3,$bc
-+ fmul $dotb,$A3,$bd
-+ stfd $N2,56($nap_d) ; save n[j+1] in double format
-+ stfdu $N3,64($nap_d)
-+ insrwi $t0,$t2,16,0 ; 0..31 bits
-+ srwi $c1,$t3,16
-+ insrwi $carry,$t3,16,0
-+
-+ fmadd $T1a,$N1,$na,$T1a
-+ fmadd $T1b,$N1,$nb,$T1b
-+ lwz $t3,`$FRAME+32`($sp) ; permuted $t1
-+ lwz $t2,`$FRAME+36`($sp) ; permuted $t0
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ fmadd $T2a,$N2,$na,$T2a
-+ fmadd $T2b,$N2,$nb,$T2b
-+ srwi $c1,$t5,16
-+ insrwi $carry,$t5,16,0
-+ fmadd $T3a,$N3,$na,$T3a
-+ fmadd $T3b,$N3,$nb,$T3b
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ fmadd $T0a,$N0,$na,$T0a
-+ fmadd $T0b,$N0,$nb,$T0b
-+ insrwi $t4,$t6,16,0 ; 32..63 bits
-+ srwi $c1,$t7,16
-+ insrwi $carry,$t7,16,0
-+
-+ fmadd $T1a,$N0,$nc,$T1a
-+ fmadd $T1b,$N0,$nd,$T1b
-+ lwz $t7,`$FRAME+40`($sp) ; permuted $t3
-+ lwz $t6,`$FRAME+44`($sp) ; permuted $t2
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ fmadd $T2a,$N1,$nc,$T2a
-+ fmadd $T2b,$N1,$nd,$T2b
-+ stw $t0,12($tp) ; tp[j-1]
-+ stw $t4,8($tp)
-+ srwi $c1,$t3,16
-+ insrwi $carry,$t3,16,0
-+ fmadd $T3a,$N2,$nc,$T3a
-+ fmadd $T3b,$N2,$nd,$T3b
-+ lwz $t1,`$FRAME+48`($sp) ; permuted $t5
-+ lwz $t0,`$FRAME+52`($sp) ; permuted $t4
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ fmadd $dota,$N3,$nc,$dota
-+ fmadd $dotb,$N3,$nd,$dotb
-+ insrwi $t2,$t6,16,0 ; 64..95 bits
-+ srwi $c1,$t7,16
-+ insrwi $carry,$t7,16,0
-+
-+ fctid $T0a,$T0a
-+ fctid $T0b,$T0b
-+ lwz $t5,`$FRAME+56`($sp) ; permuted $t7
-+ lwz $t4,`$FRAME+60`($sp) ; permuted $t6
-+ addc $t0,$t0,$carry
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ fctid $T1a,$T1a
-+ fctid $T1b,$T1b
-+ srwi $c1,$t1,16
-+ insrwi $carry,$t1,16,0
-+ fctid $T2a,$T2a
-+ fctid $T2b,$T2b
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ fctid $T3a,$T3a
-+ fctid $T3b,$T3b
-+ insrwi $t0,$t4,16,0 ; 96..127 bits
-+ srwi $c1,$t5,16
-+ insrwi $carry,$t5,16,0
-+
-+ stfd $T0a,`$FRAME+0`($sp)
-+ stfd $T0b,`$FRAME+8`($sp)
-+ stfd $T1a,`$FRAME+16`($sp)
-+ stfd $T1b,`$FRAME+24`($sp)
-+ stfd $T2a,`$FRAME+32`($sp)
-+ stfd $T2b,`$FRAME+40`($sp)
-+ stfd $T3a,`$FRAME+48`($sp)
-+ stfd $T3b,`$FRAME+56`($sp)
-+ stw $t2,20($tp) ; tp[j]
-+ stwu $t0,16($tp)
-+___
-+}
-+$code.=<<___;
- bdnz- L1st
-
- fctid $dota,$dota
- fctid $dotb,$dotb
--
-+___
-+if ($SIZE_T==8 or $flavour =~ /osx/) {
-+$code.=<<___;
- ld $t0,`$FRAME+0`($sp)
- ld $t1,`$FRAME+8`($sp)
- ld $t2,`$FRAME+16`($sp)
-@@ -611,33 +784,117 @@ $code.=<<___;
- insrdi $t6,$t7,48,0
- srdi $ovf,$t7,48
- std $t6,8($tp) ; tp[num-1]
-+___
-+} else {
-+$code.=<<___;
-+ lwz $t1,`$FRAME+0`($sp)
-+ lwz $t0,`$FRAME+4`($sp)
-+ lwz $t3,`$FRAME+8`($sp)
-+ lwz $t2,`$FRAME+12`($sp)
-+ lwz $t5,`$FRAME+16`($sp)
-+ lwz $t4,`$FRAME+20`($sp)
-+ lwz $t7,`$FRAME+24`($sp)
-+ lwz $t6,`$FRAME+28`($sp)
-+ stfd $dota,`$FRAME+64`($sp)
-+ stfd $dotb,`$FRAME+72`($sp)
-
-+ addc $t0,$t0,$carry
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ insrwi $carry,$t1,16,0
-+ srwi $c1,$t1,16
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ insrwi $t0,$t2,16,0 ; 0..31 bits
-+ insrwi $carry,$t3,16,0
-+ srwi $c1,$t3,16
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ insrwi $carry,$t5,16,0
-+ srwi $c1,$t5,16
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ insrwi $t4,$t6,16,0 ; 32..63 bits
-+ insrwi $carry,$t7,16,0
-+ srwi $c1,$t7,16
-+ stw $t0,12($tp) ; tp[j-1]
-+ stw $t4,8($tp)
-+
-+ lwz $t3,`$FRAME+32`($sp) ; permuted $t1
-+ lwz $t2,`$FRAME+36`($sp) ; permuted $t0
-+ lwz $t7,`$FRAME+40`($sp) ; permuted $t3
-+ lwz $t6,`$FRAME+44`($sp) ; permuted $t2
-+ lwz $t1,`$FRAME+48`($sp) ; permuted $t5
-+ lwz $t0,`$FRAME+52`($sp) ; permuted $t4
-+ lwz $t5,`$FRAME+56`($sp) ; permuted $t7
-+ lwz $t4,`$FRAME+60`($sp) ; permuted $t6
-+
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ insrwi $carry,$t3,16,0
-+ srwi $c1,$t3,16
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ insrwi $t2,$t6,16,0 ; 64..95 bits
-+ insrwi $carry,$t7,16,0
-+ srwi $c1,$t7,16
-+ addc $t0,$t0,$carry
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ insrwi $carry,$t1,16,0
-+ srwi $c1,$t1,16
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ insrwi $t0,$t4,16,0 ; 96..127 bits
-+ insrwi $carry,$t5,16,0
-+ srwi $c1,$t5,16
-+ stw $t2,20($tp) ; tp[j]
-+ stwu $t0,16($tp)
-+
-+ lwz $t7,`$FRAME+64`($sp)
-+ lwz $t6,`$FRAME+68`($sp)
-+ lwz $t5,`$FRAME+72`($sp)
-+ lwz $t4,`$FRAME+76`($sp)
-+
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ insrwi $carry,$t7,16,0
-+ srwi $c1,$t7,16
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+
-+ insrwi $t6,$t4,16,0
-+ srwi $t4,$t4,16
-+ insrwi $t4,$t5,16,0
-+ srwi $ovf,$t5,16
-+ stw $t6,12($tp) ; tp[num-1]
-+ stw $t4,8($tp)
-+___
-+}
-+$code.=<<___;
- slwi $t7,$num,2
- subf $nap_d,$t7,$nap_d ; rewind pointer
-
- li $i,8 ; i=1
- .align 5
- Louter:
--___
--$code.=<<___ if ($SIZE_T==8);
-- ldx $t3,$bp,$i ; bp[i]
--___
--$code.=<<___ if ($SIZE_T==4);
-- add $t0,$bp,$i
-- lwz $t3,0($t0) ; bp[i,i+1]
-- lwz $t0,4($t0)
-- insrdi $t3,$t0,32,0
--___
--$code.=<<___;
-- ld $t6,`$FRAME+$TRANSFER+8`($sp) ; tp[0]
-- mulld $t7,$a0,$t3 ; ap[0]*bp[i]
--
- addi $tp,$sp,`$FRAME+$TRANSFER`
-- add $t7,$t7,$t6 ; ap[0]*bp[i]+tp[0]
- li $carry,0
-- mulld $t7,$t7,$n0 ; tp[0]*n0
- mtctr $j
-+___
-+$code.=<<___ if ($SIZE_T==8);
-+ ldx $t3,$bp,$i ; bp[i]
-
-+ ld $t6,`$FRAME+$TRANSFER+8`($sp) ; tp[0]
-+ mulld $t7,$a0,$t3 ; ap[0]*bp[i]
-+ add $t7,$t7,$t6 ; ap[0]*bp[i]+tp[0]
- ; transfer bp[i] to FPU as 4x16-bit values
- extrdi $t0,$t3,16,48
- extrdi $t1,$t3,16,32
-@@ -647,6 +904,8 @@ $code.=<<___;
- std $t1,`$FRAME+8`($sp)
- std $t2,`$FRAME+16`($sp)
- std $t3,`$FRAME+24`($sp)
-+
-+ mulld $t7,$t7,$n0 ; tp[0]*n0
- ; transfer (ap[0]*bp[i]+tp[0])*n0 to FPU as 4x16-bit values
- extrdi $t4,$t7,16,48
- extrdi $t5,$t7,16,32
-@@ -656,7 +915,50 @@ $code.=<<___;
- std $t5,`$FRAME+40`($sp)
- std $t6,`$FRAME+48`($sp)
- std $t7,`$FRAME+56`($sp)
-+___
-+$code.=<<___ if ($SIZE_T==4);
-+ add $t0,$bp,$i
-+ li $c1,0
-+ lwz $t1,0($t0) ; bp[i,i+1]
-+ lwz $t3,4($t0)
-+
-+ mullw $t4,$a0,$t1 ; ap[0]*bp[i]
-+ lwz $t0,`$FRAME+$TRANSFER+8+4`($sp) ; tp[0]
-+ mulhwu $t5,$a0,$t1
-+ lwz $t2,`$FRAME+$TRANSFER+8`($sp) ; tp[0]
-+ mullw $t6,$a1,$t1
-+ mullw $t7,$a0,$t3
-+ add $t5,$t5,$t6
-+ add $t5,$t5,$t7
-+ addc $t4,$t4,$t0 ; ap[0]*bp[i]+tp[0]
-+ adde $t5,$t5,$t2
-+ ; transfer bp[i] to FPU as 4x16-bit values
-+ extrwi $t0,$t1,16,16
-+ extrwi $t1,$t1,16,0
-+ extrwi $t2,$t3,16,16
-+ extrwi $t3,$t3,16,0
-+ std $t0,`$FRAME+0`($sp) ; yes, std in 32-bit build
-+ std $t1,`$FRAME+8`($sp)
-+ std $t2,`$FRAME+16`($sp)
-+ std $t3,`$FRAME+24`($sp)
-
-+ mullw $t0,$t4,$n0 ; mulld tp[0]*n0
-+ mulhwu $t1,$t4,$n0
-+ mullw $t2,$t5,$n0
-+ mullw $t3,$t4,$n1
-+ add $t1,$t1,$t2
-+ add $t1,$t1,$t3
-+ ; transfer (ap[0]*bp[i]+tp[0])*n0 to FPU as 4x16-bit values
-+ extrwi $t4,$t0,16,16
-+ extrwi $t5,$t0,16,0
-+ extrwi $t6,$t1,16,16
-+ extrwi $t7,$t1,16,0
-+ std $t4,`$FRAME+32`($sp) ; yes, std in 32-bit build
-+ std $t5,`$FRAME+40`($sp)
-+ std $t6,`$FRAME+48`($sp)
-+ std $t7,`$FRAME+56`($sp)
-+___
-+$code.=<<___;
- lfd $A0,8($nap_d) ; load a[j] in double format
- lfd $A1,16($nap_d)
- lfd $A2,24($nap_d) ; load a[j+1] in double format
-@@ -769,7 +1071,9 @@ Linner:
- fmul $dotb,$A3,$bd
- lfd $A2,24($nap_d) ; load a[j+1] in double format
- lfd $A3,32($nap_d)
--
-+___
-+if ($SIZE_T==8 or $flavour =~ /osx/) {
-+$code.=<<___;
- fmadd $T1a,$N1,$na,$T1a
- fmadd $T1b,$N1,$nb,$T1b
- ld $t0,`$FRAME+0`($sp)
-@@ -856,10 +1160,131 @@ $code.=<<___;
- addze $carry,$carry
- std $t3,-16($tp) ; tp[j-1]
- std $t5,-8($tp) ; tp[j]
-+___
-+} else {
-+$code.=<<___;
-+ fmadd $T1a,$N1,$na,$T1a
-+ fmadd $T1b,$N1,$nb,$T1b
-+ lwz $t1,`$FRAME+0`($sp)
-+ lwz $t0,`$FRAME+4`($sp)
-+ fmadd $T2a,$N2,$na,$T2a
-+ fmadd $T2b,$N2,$nb,$T2b
-+ lwz $t3,`$FRAME+8`($sp)
-+ lwz $t2,`$FRAME+12`($sp)
-+ fmadd $T3a,$N3,$na,$T3a
-+ fmadd $T3b,$N3,$nb,$T3b
-+ lwz $t5,`$FRAME+16`($sp)
-+ lwz $t4,`$FRAME+20`($sp)
-+ addc $t0,$t0,$carry
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ fmadd $T0a,$N0,$na,$T0a
-+ fmadd $T0b,$N0,$nb,$T0b
-+ lwz $t7,`$FRAME+24`($sp)
-+ lwz $t6,`$FRAME+28`($sp)
-+ srwi $c1,$t1,16
-+ insrwi $carry,$t1,16,0
-+
-+ fmadd $T1a,$N0,$nc,$T1a
-+ fmadd $T1b,$N0,$nd,$T1b
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ fmadd $T2a,$N1,$nc,$T2a
-+ fmadd $T2b,$N1,$nd,$T2b
-+ insrwi $t0,$t2,16,0 ; 0..31 bits
-+ srwi $c1,$t3,16
-+ insrwi $carry,$t3,16,0
-+ fmadd $T3a,$N2,$nc,$T3a
-+ fmadd $T3b,$N2,$nd,$T3b
-+ lwz $t2,12($tp) ; tp[j]
-+ lwz $t3,8($tp)
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ fmadd $dota,$N3,$nc,$dota
-+ fmadd $dotb,$N3,$nd,$dotb
-+ srwi $c1,$t5,16
-+ insrwi $carry,$t5,16,0
-+
-+ fctid $T0a,$T0a
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ fctid $T0b,$T0b
-+ insrwi $t4,$t6,16,0 ; 32..63 bits
-+ srwi $c1,$t7,16
-+ insrwi $carry,$t7,16,0
-+ fctid $T1a,$T1a
-+ addc $t0,$t0,$t2
-+ adde $t4,$t4,$t3
-+ lwz $t3,`$FRAME+32`($sp) ; permuted $t1
-+ lwz $t2,`$FRAME+36`($sp) ; permuted $t0
-+ fctid $T1b,$T1b
-+ addze $carry,$carry
-+ addze $c1,$c1
-+ stw $t0,4($tp) ; tp[j-1]
-+ stw $t4,0($tp)
-+ fctid $T2a,$T2a
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ lwz $t7,`$FRAME+40`($sp) ; permuted $t3
-+ lwz $t6,`$FRAME+44`($sp) ; permuted $t2
-+ fctid $T2b,$T2b
-+ srwi $c1,$t3,16
-+ insrwi $carry,$t3,16,0
-+ lwz $t1,`$FRAME+48`($sp) ; permuted $t5
-+ lwz $t0,`$FRAME+52`($sp) ; permuted $t4
-+ fctid $T3a,$T3a
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ lwz $t5,`$FRAME+56`($sp) ; permuted $t7
-+ lwz $t4,`$FRAME+60`($sp) ; permuted $t6
-+ fctid $T3b,$T3b
-+
-+ insrwi $t2,$t6,16,0 ; 64..95 bits
-+ insrwi $carry,$t7,16,0
-+ srwi $c1,$t7,16
-+ lwz $t6,20($tp)
-+ lwzu $t7,16($tp)
-+ addc $t0,$t0,$carry
-+ stfd $T0a,`$FRAME+0`($sp)
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ stfd $T0b,`$FRAME+8`($sp)
-+ insrwi $carry,$t1,16,0
-+ srwi $c1,$t1,16
-+ addc $t4,$t4,$carry
-+ stfd $T1a,`$FRAME+16`($sp)
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ insrwi $t0,$t4,16,0 ; 96..127 bits
-+ stfd $T1b,`$FRAME+24`($sp)
-+ insrwi $carry,$t5,16,0
-+ srwi $c1,$t5,16
-+
-+ addc $t2,$t2,$t6
-+ stfd $T2a,`$FRAME+32`($sp)
-+ adde $t0,$t0,$t7
-+ stfd $T2b,`$FRAME+40`($sp)
-+ addze $carry,$carry
-+ stfd $T3a,`$FRAME+48`($sp)
-+ addze $c1,$c1
-+ stfd $T3b,`$FRAME+56`($sp)
-+ stw $t2,-4($tp) ; tp[j]
-+ stw $t0,-8($tp)
-+___
-+}
-+$code.=<<___;
- bdnz- Linner
-
- fctid $dota,$dota
- fctid $dotb,$dotb
-+___
-+if ($SIZE_T==8 or $flavour =~ /osx/) {
-+$code.=<<___;
- ld $t0,`$FRAME+0`($sp)
- ld $t1,`$FRAME+8`($sp)
- ld $t2,`$FRAME+16`($sp)
-@@ -926,7 +1351,116 @@ $code.=<<___;
- insrdi $t6,$t7,48,0
- srdi $ovf,$t7,48
- std $t6,0($tp) ; tp[num-1]
-+___
-+} else {
-+$code.=<<___;
-+ lwz $t1,`$FRAME+0`($sp)
-+ lwz $t0,`$FRAME+4`($sp)
-+ lwz $t3,`$FRAME+8`($sp)
-+ lwz $t2,`$FRAME+12`($sp)
-+ lwz $t5,`$FRAME+16`($sp)
-+ lwz $t4,`$FRAME+20`($sp)
-+ lwz $t7,`$FRAME+24`($sp)
-+ lwz $t6,`$FRAME+28`($sp)
-+ stfd $dota,`$FRAME+64`($sp)
-+ stfd $dotb,`$FRAME+72`($sp)
-
-+ addc $t0,$t0,$carry
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ insrwi $carry,$t1,16,0
-+ srwi $c1,$t1,16
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ insrwi $t0,$t2,16,0 ; 0..31 bits
-+ lwz $t2,12($tp) ; tp[j]
-+ insrwi $carry,$t3,16,0
-+ srwi $c1,$t3,16
-+ lwz $t3,8($tp)
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ insrwi $carry,$t5,16,0
-+ srwi $c1,$t5,16
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ insrwi $t4,$t6,16,0 ; 32..63 bits
-+ insrwi $carry,$t7,16,0
-+ srwi $c1,$t7,16
-+
-+ addc $t0,$t0,$t2
-+ adde $t4,$t4,$t3
-+ addze $carry,$carry
-+ addze $c1,$c1
-+ stw $t0,4($tp) ; tp[j-1]
-+ stw $t4,0($tp)
-+
-+ lwz $t3,`$FRAME+32`($sp) ; permuted $t1
-+ lwz $t2,`$FRAME+36`($sp) ; permuted $t0
-+ lwz $t7,`$FRAME+40`($sp) ; permuted $t3
-+ lwz $t6,`$FRAME+44`($sp) ; permuted $t2
-+ lwz $t1,`$FRAME+48`($sp) ; permuted $t5
-+ lwz $t0,`$FRAME+52`($sp) ; permuted $t4
-+ lwz $t5,`$FRAME+56`($sp) ; permuted $t7
-+ lwz $t4,`$FRAME+60`($sp) ; permuted $t6
-+
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ insrwi $carry,$t3,16,0
-+ srwi $c1,$t3,16
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ insrwi $t2,$t6,16,0 ; 64..95 bits
-+ lwz $t6,20($tp)
-+ insrwi $carry,$t7,16,0
-+ srwi $c1,$t7,16
-+ lwzu $t7,16($tp)
-+ addc $t0,$t0,$carry
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ insrwi $carry,$t1,16,0
-+ srwi $c1,$t1,16
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ insrwi $t0,$t4,16,0 ; 96..127 bits
-+ insrwi $carry,$t5,16,0
-+ srwi $c1,$t5,16
-+
-+ addc $t2,$t2,$t6
-+ adde $t0,$t0,$t7
-+ lwz $t7,`$FRAME+64`($sp)
-+ lwz $t6,`$FRAME+68`($sp)
-+ addze $carry,$carry
-+ addze $c1,$c1
-+ lwz $t5,`$FRAME+72`($sp)
-+ lwz $t4,`$FRAME+76`($sp)
-+
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ stw $t2,-4($tp) ; tp[j]
-+ stw $t0,-8($tp)
-+ addc $t6,$t6,$ovf
-+ addze $t7,$t7
-+ srwi $carry,$t6,16
-+ insrwi $carry,$t7,16,0
-+ srwi $c1,$t7,16
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+
-+ insrwi $t6,$t4,16,0
-+ srwi $t4,$t4,16
-+ insrwi $t4,$t5,16,0
-+ srwi $ovf,$t5,16
-+ stw $t6,4($tp) ; tp[num-1]
-+ stw $t4,0($tp)
-+___
-+}
-+$code.=<<___;
- slwi $t7,$num,2
- addi $i,$i,8
- subf $nap_d,$t7,$nap_d ; rewind pointer
-@@ -994,14 +1528,14 @@ $code.=<<___ if ($SIZE_T==4);
- mtctr $j
-
- .align 4
--Lsub: ld $t0,8($tp) ; load tp[j..j+3] in 64-bit word order
-- ldu $t2,16($tp)
-+Lsub: lwz $t0,12($tp) ; load tp[j..j+3] in 64-bit word order
-+ lwz $t1,8($tp)
-+ lwz $t2,20($tp)
-+ lwzu $t3,16($tp)
- lwz $t4,4($np) ; load np[j..j+3] in 32-bit word order
- lwz $t5,8($np)
- lwz $t6,12($np)
- lwzu $t7,16($np)
-- extrdi $t1,$t0,32,0
-- extrdi $t3,$t2,32,0
- subfe $t4,$t4,$t0 ; tp[j]-np[j]
- stw $t0,4($ap) ; save tp[j..j+3] in 32-bit word order
- subfe $t5,$t5,$t1 ; tp[j+1]-np[j+1]
-@@ -1052,6 +1586,9 @@ ___
- $code.=<<___;
- $POP $i,0($sp)
- li r3,1 ; signal "handled"
-+ $POP r19,`-12*8-13*$SIZE_T`($i)
-+ $POP r20,`-12*8-12*$SIZE_T`($i)
-+ $POP r21,`-12*8-11*$SIZE_T`($i)
- $POP r22,`-12*8-10*$SIZE_T`($i)
- $POP r23,`-12*8-9*$SIZE_T`($i)
- $POP r24,`-12*8-8*$SIZE_T`($i)
-@@ -1077,8 +1614,9 @@ $code.=<<___;
- mr $sp,$i
- blr
- .long 0
-- .byte 0,12,4,0,0x8c,10,6,0
-+ .byte 0,12,4,0,0x8c,13,6,0
- .long 0
-+.size .$fname,.-.$fname
-
- .asciz "Montgomery Multiplication for PPC64, CRYPTOGAMS by <appro\@openssl.org>"
- ___
-diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
-index 1bfb5d9..51137fd 100644
---- a/crypto/evp/e_aes.c
-+++ b/crypto/evp/e_aes.c
-@@ -153,6 +153,20 @@ void AES_xts_decrypt(const char *inp,char *out,size_t len,
- const unsigned char iv[16]);
- #endif
-
-+#if defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
-+# include "ppc_arch.h"
-+# ifdef VPAES_ASM
-+# define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC)
-+# endif
-+# define HWAES_CAPABLE (OPENSSL_ppccap_P & PPC_CRYPTO207)
-+# define HWAES_set_encrypt_key aes_p8_set_encrypt_key
-+# define HWAES_set_decrypt_key aes_p8_set_decrypt_key
-+# define HWAES_encrypt aes_p8_encrypt
-+# define HWAES_decrypt aes_p8_decrypt
-+# define HWAES_cbc_encrypt aes_p8_cbc_encrypt
-+# define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
-+#endif
-+
- #if defined(AES_ASM) && !defined(I386_ONLY) && ( \
- ((defined(__i386) || defined(__i386__) || \
- defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
-diff --git a/crypto/modes/Makefile b/crypto/modes/Makefile
-index c825b12..e684e02 100644
---- a/crypto/modes/Makefile
-+++ b/crypto/modes/Makefile
-@@ -56,6 +56,10 @@ ghash-alpha.s: asm/ghash-alpha.pl
- $(PERL) $< | $(CC) -E - | tee $@ > /dev/null
- ghash-parisc.s: asm/ghash-parisc.pl
- $(PERL) asm/ghash-parisc.pl $(PERLASM_SCHEME) $@
-+ghashv8-armx.S: asm/ghashv8-armx.pl
-+ $(PERL) asm/ghashv8-armx.pl $(PERLASM_SCHEME) $@
-+ghashp8-ppc.s: asm/ghashp8-ppc.pl
-+ $(PERL) asm/ghashp8-ppc.pl $(PERLASM_SCHEME) $@
-
- # GNU make "catch all"
- ghash-%.S: asm/ghash-%.pl; $(PERL) $< $(PERLASM_SCHEME) $@
-diff --git a/crypto/modes/asm/ghashp8-ppc.pl b/crypto/modes/asm/ghashp8-ppc.pl
-new file mode 100755
-index 0000000..e76a58c
---- /dev/null
-+++ b/crypto/modes/asm/ghashp8-ppc.pl
-@@ -0,0 +1,234 @@
-+#!/usr/bin/env perl
-+#
-+# ====================================================================
-+# Written by Andy Polyakov <appro at openssl.org> for the OpenSSL
-+# project. The module is, however, dual licensed under OpenSSL and
-+# CRYPTOGAMS licenses depending on where you obtain it. For further
-+# details see http://www.openssl.org/~appro/cryptogams/.
-+# ====================================================================
-+#
-+# GHASH for for PowerISA v2.07.
-+#
-+# July 2014
-+#
-+# Accurate performance measurements are problematic, because it's
-+# always virtualized setup with possibly throttled processor.
-+# Relative comparison is therefore more informative. This initial
-+# version is ~2.1x slower than hardware-assisted AES-128-CTR, ~12x
-+# faster than "4-bit" integer-only compiler-generated 64-bit code.
-+# "Initial version" means that there is room for futher improvement.
-+
-+$flavour=shift;
-+$output =shift;
-+
-+if ($flavour =~ /64/) {
-+ $SIZE_T=8;
-+ $LRSAVE=2*$SIZE_T;
-+ $STU="stdu";
-+ $POP="ld";
-+ $PUSH="std";
-+} elsif ($flavour =~ /32/) {
-+ $SIZE_T=4;
-+ $LRSAVE=$SIZE_T;
-+ $STU="stwu";
-+ $POP="lwz";
-+ $PUSH="stw";
-+} else { die "nonsense $flavour"; }
-+
-+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
-+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-+die "can't locate ppc-xlate.pl";
-+
-+open STDOUT,"| $^X $xlate $flavour $output" || die "can't call $xlate: $!";
-+
-+my ($Xip,$Htbl,$inp,$len)=map("r$_",(3..6)); # argument block
-+
-+my ($Xl,$Xm,$Xh,$IN)=map("v$_",(0..3));
-+my ($zero,$t0,$t1,$t2,$xC2,$H,$Hh,$Hl,$lemask)=map("v$_",(4..12));
-+my $vrsave="r12";
-+
-+$code=<<___;
-+.machine "any"
-+
-+.text
-+
-+.globl .gcm_init_p8
-+.align 5
-+.gcm_init_p8:
-+ lis r0,0xfff0
-+ li r8,0x10
-+ mfspr $vrsave,256
-+ li r9,0x20
-+ mtspr 256,r0
-+ li r10,0x30
-+ lvx_u $H,0,r4 # load H
-+
-+ vspltisb $xC2,-16 # 0xf0
-+ vspltisb $t0,1 # one
-+ vaddubm $xC2,$xC2,$xC2 # 0xe0
-+ vxor $zero,$zero,$zero
-+ vor $xC2,$xC2,$t0 # 0xe1
-+ vsldoi $xC2,$xC2,$zero,15 # 0xe1...
-+ vsldoi $t1,$zero,$t0,1 # ...1
-+ vaddubm $xC2,$xC2,$xC2 # 0xc2...
-+ vspltisb $t2,7
-+ vor $xC2,$xC2,$t1 # 0xc2....01
-+ vspltb $t1,$H,0 # most significant byte
-+ vsl $H,$H,$t0 # H<<=1
-+ vsrab $t1,$t1,$t2 # broadcast carry bit
-+ vand $t1,$t1,$xC2
-+ vxor $H,$H,$t1 # twisted H
-+
-+ vsldoi $H,$H,$H,8 # twist even more ...
-+ vsldoi $xC2,$zero,$xC2,8 # 0xc2.0
-+ vsldoi $Hl,$zero,$H,8 # ... and split
-+ vsldoi $Hh,$H,$zero,8
-+
-+ stvx_u $xC2,0,r3 # save pre-computed table
-+ stvx_u $Hl,r8,r3
-+ stvx_u $H, r9,r3
-+ stvx_u $Hh,r10,r3
-+
-+ mtspr 256,$vrsave
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,2,0
-+ .long 0
-+.size .gcm_init_p8,.-.gcm_init_p8
-+
-+.globl .gcm_gmult_p8
-+.align 5
-+.gcm_gmult_p8:
-+ lis r0,0xfff8
-+ li r8,0x10
-+ mfspr $vrsave,256
-+ li r9,0x20
-+ mtspr 256,r0
-+ li r10,0x30
-+ lvx_u $IN,0,$Xip # load Xi
-+
-+ lvx_u $Hl,r8,$Htbl # load pre-computed table
-+ le?lvsl $lemask,r0,r0
-+ lvx_u $H, r9,$Htbl
-+ le?vspltisb $t0,0x07
-+ lvx_u $Hh,r10,$Htbl
-+ le?vxor $lemask,$lemask,$t0
-+ lvx_u $xC2,0,$Htbl
-+ le?vperm $IN,$IN,$IN,$lemask
-+ vxor $zero,$zero,$zero
-+
-+ vpmsumd $Xl,$IN,$Hl # H.lo�Xi.lo
-+ vpmsumd $Xm,$IN,$H # H.hi�Xi.lo+H.lo�Xi.hi
-+ vpmsumd $Xh,$IN,$Hh # H.hi�Xi.hi
-+
-+ vpmsumd $t2,$Xl,$xC2 # 1st phase
-+
-+ vsldoi $t0,$Xm,$zero,8
-+ vsldoi $t1,$zero,$Xm,8
-+ vxor $Xl,$Xl,$t0
-+ vxor $Xh,$Xh,$t1
-+
-+ vsldoi $Xl,$Xl,$Xl,8
-+ vxor $Xl,$Xl,$t2
-+
-+ vsldoi $t1,$Xl,$Xl,8 # 2nd phase
-+ vpmsumd $Xl,$Xl,$xC2
-+ vxor $t1,$t1,$Xh
-+ vxor $Xl,$Xl,$t1
-+
-+ le?vperm $Xl,$Xl,$Xl,$lemask
-+ stvx_u $Xl,0,$Xip # write out Xi
-+
-+ mtspr 256,$vrsave
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,2,0
-+ .long 0
-+.size .gcm_gmult_p8,.-.gcm_gmult_p8
-+
-+.globl .gcm_ghash_p8
-+.align 5
-+.gcm_ghash_p8:
-+ lis r0,0xfff8
-+ li r8,0x10
-+ mfspr $vrsave,256
-+ li r9,0x20
-+ mtspr 256,r0
-+ li r10,0x30
-+ lvx_u $Xl,0,$Xip # load Xi
-+
-+ lvx_u $Hl,r8,$Htbl # load pre-computed table
-+ le?lvsl $lemask,r0,r0
-+ lvx_u $H, r9,$Htbl
-+ le?vspltisb $t0,0x07
-+ lvx_u $Hh,r10,$Htbl
-+ le?vxor $lemask,$lemask,$t0
-+ lvx_u $xC2,0,$Htbl
-+ le?vperm $Xl,$Xl,$Xl,$lemask
-+ vxor $zero,$zero,$zero
-+
-+ lvx_u $IN,0,$inp
-+ addi $inp,$inp,16
-+ subi $len,$len,16
-+ le?vperm $IN,$IN,$IN,$lemask
-+ vxor $IN,$IN,$Xl
-+ b Loop
-+
-+.align 5
-+Loop:
-+ subic $len,$len,16
-+ vpmsumd $Xl,$IN,$Hl # H.lo�Xi.lo
-+ subfe. r0,r0,r0 # borrow?-1:0
-+ vpmsumd $Xm,$IN,$H # H.hi�Xi.lo+H.lo�Xi.hi
-+ and r0,r0,$len
-+ vpmsumd $Xh,$IN,$Hh # H.hi�Xi.hi
-+ add $inp,$inp,r0
-+
-+ vpmsumd $t2,$Xl,$xC2 # 1st phase
-+
-+ vsldoi $t0,$Xm,$zero,8
-+ vsldoi $t1,$zero,$Xm,8
-+ vxor $Xl,$Xl,$t0
-+ vxor $Xh,$Xh,$t1
-+
-+ vsldoi $Xl,$Xl,$Xl,8
-+ vxor $Xl,$Xl,$t2
-+ lvx_u $IN,0,$inp
-+ addi $inp,$inp,16
-+
-+ vsldoi $t1,$Xl,$Xl,8 # 2nd phase
-+ vpmsumd $Xl,$Xl,$xC2
-+ le?vperm $IN,$IN,$IN,$lemask
-+ vxor $t1,$t1,$Xh
-+ vxor $IN,$IN,$t1
-+ vxor $IN,$IN,$Xl
-+ beq Loop # did $len-=16 borrow?
-+
-+ vxor $Xl,$Xl,$t1
-+ le?vperm $Xl,$Xl,$Xl,$lemask
-+ stvx_u $Xl,0,$Xip # write out Xi
-+
-+ mtspr 256,$vrsave
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,4,0
-+ .long 0
-+.size .gcm_ghash_p8,.-.gcm_ghash_p8
-+
-+.asciz "GHASH for PowerISA 2.07, CRYPTOGAMS by <appro\@openssl.org>"
-+.align 2
-+___
-+
-+foreach (split("\n",$code)) {
-+ if ($flavour =~ /le$/o) { # little-endian
-+ s/le\?//o or
-+ s/be\?/#be#/o;
-+ } else {
-+ s/le\?/#le#/o or
-+ s/be\?//o;
-+ }
-+ print $_,"\n";
-+}
-+
-+close STDOUT; # enforce flush
-diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c
-index 0e6ff8b..6f8e7ee 100644
---- a/crypto/modes/gcm128.c
-+++ b/crypto/modes/gcm128.c
-@@ -671,6 +671,21 @@ void gcm_ghash_4bit_x86(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len
- void gcm_gmult_neon(u64 Xi[2],const u128 Htable[16]);
- void gcm_ghash_neon(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len);
- # endif
-+# elif defined(__sparc__) || defined(__sparc)
-+# include "sparc_arch.h"
-+# define GHASH_ASM_SPARC
-+# define GCM_FUNCREF_4BIT
-+extern unsigned int OPENSSL_sparcv9cap_P[];
-+void gcm_init_vis3(u128 Htable[16],const u64 Xi[2]);
-+void gcm_gmult_vis3(u64 Xi[2],const u128 Htable[16]);
-+void gcm_ghash_vis3(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len);
-+#elif defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
-+# include "ppc_arch.h"
-+# define GHASH_ASM_PPC
-+# define GCM_FUNCREF_4BIT
-+void gcm_init_p8(u128 Htable[16],const u64 Xi[2]);
-+void gcm_gmult_p8(u64 Xi[2],const u128 Htable[16]);
-+void gcm_ghash_p8(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len);
- # endif
- #endif
-
-@@ -747,6 +762,16 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx,void *key,block128_f block)
- ctx->gmult = gcm_gmult_4bit;
- ctx->ghash = gcm_ghash_4bit;
- }
-+# elif defined(GHASH_ASM_PPC)
-+ if (OPENSSL_ppccap_P & PPC_CRYPTO207) {
-+ gcm_init_p8(ctx->Htable,ctx->H.u);
-+ ctx->gmult = gcm_gmult_p8;
-+ ctx->ghash = gcm_ghash_p8;
-+ } else {
-+ gcm_init_4bit(ctx->Htable,ctx->H.u);
-+ ctx->gmult = gcm_gmult_4bit;
-+ ctx->ghash = gcm_ghash_4bit;
-+ }
- # else
- gcm_init_4bit(ctx->Htable,ctx->H.u);
- # endif
-diff --git a/crypto/perlasm/ppc-xlate.pl b/crypto/perlasm/ppc-xlate.pl
-index a3edd98..f89e814 100755
---- a/crypto/perlasm/ppc-xlate.pl
-+++ b/crypto/perlasm/ppc-xlate.pl
-@@ -27,7 +27,8 @@ my $globl = sub {
- /osx/ && do { $name = "_$name";
- last;
- };
-- /linux.*32/ && do { $ret .= ".globl $name\n";
-+ /linux.*(32|64le)/
-+ && do { $ret .= ".globl $name\n";
- $ret .= ".type $name,\@function";
- last;
- };
-@@ -37,7 +38,6 @@ my $globl = sub {
- $ret .= ".align 3\n";
- $ret .= "$name:\n";
- $ret .= ".quad .$name,.TOC.\@tocbase,0\n";
-- $ret .= ".size $name,24\n";
- $ret .= ".previous\n";
-
- $name = ".$name";
-@@ -50,7 +50,9 @@ my $globl = sub {
- $ret;
- };
- my $text = sub {
-- ($flavour =~ /aix/) ? ".csect" : ".text";
-+ my $ret = ($flavour =~ /aix/) ? ".csect\t.text[PR],7" : ".text";
-+ $ret = ".abiversion 2\n".$ret if ($flavour =~ /linux.*64le/);
-+ $ret;
- };
- my $machine = sub {
- my $junk = shift;
-@@ -62,9 +64,12 @@ my $machine = sub {
- ".machine $arch";
- };
- my $size = sub {
-- if ($flavour =~ /linux.*32/)
-+ if ($flavour =~ /linux/)
- { shift;
-- ".size " . join(",", at _);
-+ my $name = shift; $name =~ s|^[\.\_]||;
-+ my $ret = ".size $name,.-".($flavour=~/64$/?".":"").$name;
-+ $ret .= "\n.size .$name,.-.$name" if ($flavour=~/64$/);
-+ $ret;
- }
- else
- { ""; }
-@@ -77,6 +82,25 @@ my $asciz = sub {
- else
- { ""; }
- };
-+my $quad = sub {
-+ shift;
-+ my @ret;
-+ my ($hi,$lo);
-+ for (@_) {
-+ if (/^0x([0-9a-f]*?)([0-9a-f]{1,8})$/io)
-+ { $hi=$1?"0x$1":"0"; $lo="0x$2"; }
-+ elsif (/^([0-9]+)$/o)
-+ { $hi=$1>>32; $lo=$1&0xffffffff; } # error-prone with 32-bit perl
-+ else
-+ { $hi=undef; $lo=$_; }
-+
-+ if (defined($hi))
-+ { push(@ret,$flavour=~/le$/o?".long\t$lo,$hi":".long\t$hi,$lo"); }
-+ else
-+ { push(@ret,".quad $lo"); }
-+ }
-+ join("\n", at ret);
-+};
-
- ################################################################
- # simplified mnemonics not handled by at least one assembler
-@@ -122,6 +146,46 @@ my $extrdi = sub {
- $b = ($b+$n)&63; $n = 64-$n;
- " rldicl $ra,$rs,$b,$n";
- };
-+my $vmr = sub {
-+ my ($f,$vx,$vy) = @_;
-+ " vor $vx,$vy,$vy";
-+};
-+
-+# PowerISA 2.06 stuff
-+sub vsxmem_op {
-+ my ($f, $vrt, $ra, $rb, $op) = @_;
-+ " .long ".sprintf "0x%X",(31<<26)|($vrt<<21)|($ra<<16)|($rb<<11)|($op*2+1);
-+}
-+# made-up unaligned memory reference AltiVec/VMX instructions
-+my $lvx_u = sub { vsxmem_op(@_, 844); }; # lxvd2x
-+my $stvx_u = sub { vsxmem_op(@_, 972); }; # stxvd2x
-+my $lvdx_u = sub { vsxmem_op(@_, 588); }; # lxsdx
-+my $stvdx_u = sub { vsxmem_op(@_, 716); }; # stxsdx
-+my $lvx_4w = sub { vsxmem_op(@_, 780); }; # lxvw4x
-+my $stvx_4w = sub { vsxmem_op(@_, 908); }; # stxvw4x
-+
-+# PowerISA 2.07 stuff
-+sub vcrypto_op {
-+ my ($f, $vrt, $vra, $vrb, $op) = @_;
-+ " .long ".sprintf "0x%X",(4<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|$op;
-+}
-+my $vcipher = sub { vcrypto_op(@_, 1288); };
-+my $vcipherlast = sub { vcrypto_op(@_, 1289); };
-+my $vncipher = sub { vcrypto_op(@_, 1352); };
-+my $vncipherlast= sub { vcrypto_op(@_, 1353); };
-+my $vsbox = sub { vcrypto_op(@_, 0, 1480); };
-+my $vshasigmad = sub { my ($st,$six)=splice(@_,-2); vcrypto_op(@_, $st<<4|$six, 1730); };
-+my $vshasigmaw = sub { my ($st,$six)=splice(@_,-2); vcrypto_op(@_, $st<<4|$six, 1666); };
-+my $vpmsumb = sub { vcrypto_op(@_, 1032); };
-+my $vpmsumd = sub { vcrypto_op(@_, 1224); };
-+my $vpmsubh = sub { vcrypto_op(@_, 1096); };
-+my $vpmsumw = sub { vcrypto_op(@_, 1160); };
-+my $vaddudm = sub { vcrypto_op(@_, 192); };
-+
-+my $mtsle = sub {
-+ my ($f, $arg) = @_;
-+ " .long ".sprintf "0x%X",(31<<26)|($arg<<21)|(147*2);
-+};
-
- while($line=<>) {
-
-@@ -138,7 +202,10 @@ while($line=<>) {
- {
- $line =~ s|(^[\.\w]+)\:\s*||;
- my $label = $1;
-- printf "%s:",($GLOBALS{$label} or $label) if ($label);
-+ if ($label) {
-+ printf "%s:",($GLOBALS{$label} or $label);
-+ printf "\n.localentry\t$GLOBALS{$label},0" if ($GLOBALS{$label} && $flavour =~ /linux.*64le/);
-+ }
- }
-
- {
-@@ -147,7 +214,7 @@ while($line=<>) {
- my $mnemonic = $2;
- my $f = $3;
- my $opcode = eval("\$$mnemonic");
-- $line =~ s|\bc?[rf]([0-9]+)\b|$1|g if ($c ne "." and $flavour !~ /osx/);
-+ $line =~ s/\b(c?[rf]|v|vs)([0-9]+)\b/$2/g if ($c ne "." and $flavour !~ /osx/);
- if (ref($opcode) eq 'CODE') { $line = &$opcode($f,split(',',$line)); }
- elsif ($mnemonic) { $line = $c.$mnemonic.$f."\t".$line; }
- }
-diff --git a/crypto/ppc_arch.h b/crypto/ppc_arch.h
-new file mode 100644
-index 0000000..1192edf
---- /dev/null
-+++ b/crypto/ppc_arch.h
-@@ -0,0 +1,10 @@
-+#ifndef __PPC_ARCH_H__
-+#define __PPC_ARCH_H__
-+
-+extern unsigned int OPENSSL_ppccap_P;
-+
-+#define PPC_FPU64 (1<<0)
-+#define PPC_ALTIVEC (1<<1)
-+#define PPC_CRYPTO207 (1<<2)
-+
-+#endif
-diff --git a/crypto/ppccap.c b/crypto/ppccap.c
-index f71ba66..13c2ca5 100644
---- a/crypto/ppccap.c
-+++ b/crypto/ppccap.c
-@@ -4,13 +4,15 @@
- #include <setjmp.h>
- #include <signal.h>
- #include <unistd.h>
-+#if defined(__linux) || defined(_AIX)
-+#include <sys/utsname.h>
-+#endif
- #include <crypto.h>
- #include <openssl/bn.h>
-
--#define PPC_FPU64 (1<<0)
--#define PPC_ALTIVEC (1<<1)
-+#include "ppc_arch.h"
-
--static int OPENSSL_ppccap_P = 0;
-+unsigned int OPENSSL_ppccap_P = 0;
-
- static sigset_t all_masked;
-
-@@ -22,7 +24,7 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_U
-
- if (sizeof(size_t)==4)
- {
--#if (defined(__APPLE__) && defined(__MACH__))
-+#if 1 || (defined(__APPLE__) && defined(__MACH__))
- if (num>=8 && (num&3)==0 && (OPENSSL_ppccap_P&PPC_FPU64))
- return bn_mul_mont_fpu64(rp,ap,bp,np,n0,num);
- #else
-@@ -50,11 +52,28 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_U
- }
- #endif
-
-+void sha256_block_p8(void *ctx,const void *inp,size_t len);
-+void sha256_block_ppc(void *ctx,const void *inp,size_t len);
-+void sha256_block_data_order(void *ctx,const void *inp,size_t len)
-+ {
-+ OPENSSL_ppccap_P&PPC_CRYPTO207? sha256_block_p8(ctx,inp,len):
-+ sha256_block_ppc(ctx,inp,len);
-+ }
-+
-+void sha512_block_p8(void *ctx,const void *inp,size_t len);
-+void sha512_block_ppc(void *ctx,const void *inp,size_t len);
-+void sha512_block_data_order(void *ctx,const void *inp,size_t len)
-+ {
-+ OPENSSL_ppccap_P&PPC_CRYPTO207? sha512_block_p8(ctx,inp,len):
-+ sha512_block_ppc(ctx,inp,len);
-+ }
-+
- static sigjmp_buf ill_jmp;
- static void ill_handler (int sig) { siglongjmp(ill_jmp,sig); }
-
- void OPENSSL_ppc64_probe(void);
- void OPENSSL_altivec_probe(void);
-+void OPENSSL_crypto207_probe(void);
-
- void OPENSSL_cpuid_setup(void)
- {
-@@ -85,12 +104,14 @@ void OPENSSL_cpuid_setup(void)
- OPENSSL_ppccap_P = 0;
-
- #if defined(_AIX)
-- if (sizeof(size_t)==4
-+ if (sizeof(size_t)==4)
-+ {
-+ struct utsname uts;
- # if defined(_SC_AIX_KERNEL_BITMODE)
-- && sysconf(_SC_AIX_KERNEL_BITMODE)!=64
-+ if (sysconf(_SC_AIX_KERNEL_BITMODE)!=64) return;
- # endif
-- )
-- return;
-+ if (uname(&uts)!=0 || atoi(uts.version)<6) return;
-+ }
- #endif
-
- memset(&ill_act,0,sizeof(ill_act));
-@@ -102,6 +123,10 @@ void OPENSSL_cpuid_setup(void)
-
- if (sizeof(size_t)==4)
- {
-+#ifdef __linux
-+ struct utsname uts;
-+ if (uname(&uts)==0 && strcmp(uts.machine,"ppc64")==0)
-+#endif
- if (sigsetjmp(ill_jmp,1) == 0)
- {
- OPENSSL_ppc64_probe();
-@@ -119,6 +144,11 @@ void OPENSSL_cpuid_setup(void)
- {
- OPENSSL_altivec_probe();
- OPENSSL_ppccap_P |= PPC_ALTIVEC;
-+ if (sigsetjmp(ill_jmp,1) == 0)
-+ {
-+ OPENSSL_crypto207_probe();
-+ OPENSSL_ppccap_P |= PPC_CRYPTO207;
-+ }
- }
-
- sigaction (SIGILL,&ill_oact,NULL);
-diff --git a/crypto/ppccpuid.pl b/crypto/ppccpuid.pl
-index 4ba736a..56cc851 100755
---- a/crypto/ppccpuid.pl
-+++ b/crypto/ppccpuid.pl
-@@ -31,6 +31,7 @@ $code=<<___;
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size .OPENSSL_ppc64_probe,.-.OPENSSL_ppc64_probe
-
- .globl .OPENSSL_altivec_probe
- .align 4
-@@ -39,6 +40,17 @@ $code=<<___;
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size .OPENSSL_altivec_probe,.-..OPENSSL_altivec_probe
-+
-+.globl .OPENSSL_crypto207_probe
-+.align 4
-+.OPENSSL_crypto207_probe:
-+ lvx_u v0,0,r1
-+ vcipher v0,v0,v0
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+.size .OPENSSL_crypto207_probe,.-.OPENSSL_crypto207_probe
-
- .globl .OPENSSL_wipe_cpu
- .align 4
-@@ -71,6 +83,7 @@ $code=<<___;
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size .OPENSSL_wipe_cpu,.-.OPENSSL_wipe_cpu
-
- .globl .OPENSSL_atomic_add
- .align 4
-@@ -84,6 +97,7 @@ Ladd: lwarx r5,0,r3
- .long 0
- .byte 0,12,0x14,0,0,0,2,0
- .long 0
-+.size .OPENSSL_atomic_add,.-.OPENSSL_atomic_add
-
- .globl .OPENSSL_rdtsc
- .align 4
-@@ -93,6 +107,7 @@ Ladd: lwarx r5,0,r3
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size .OPENSSL_rdtsc,.-.OPENSSL_rdtsc
-
- .globl .OPENSSL_cleanse
- .align 4
-@@ -125,7 +140,99 @@ Laligned:
- .long 0
- .byte 0,12,0x14,0,0,0,2,0
- .long 0
-+.size .OPENSSL_cleanse,.-.OPENSSL_cleanse
-+___
-+{
-+my ($out,$cnt,$max)=("r3","r4","r5");
-+my ($tick,$lasttick)=("r6","r7");
-+my ($diff,$lastdiff)=("r8","r9");
-+
-+$code.=<<___;
-+.globl .OPENSSL_instrument_bus
-+.align 4
-+.OPENSSL_instrument_bus:
-+ mtctr $cnt
-+
-+ mftb $lasttick # collect 1st tick
-+ li $diff,0
-+
-+ dcbf 0,$out # flush cache line
-+ lwarx $tick,0,$out # load and lock
-+ add $tick,$tick,$diff
-+ stwcx. $tick,0,$out
-+ stwx $tick,0,$out
-+
-+Loop: mftb $tick
-+ sub $diff,$tick,$lasttick
-+ mr $lasttick,$tick
-+ dcbf 0,$out # flush cache line
-+ lwarx $tick,0,$out # load and lock
-+ add $tick,$tick,$diff
-+ stwcx. $tick,0,$out
-+ stwx $tick,0,$out
-+ addi $out,$out,4 # ++$out
-+ bdnz Loop
-+
-+ mr r3,$cnt
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,2,0
-+ .long 0
-+.size .OPENSSL_instrument_bus,.-.OPENSSL_instrument_bus
-+
-+.globl .OPENSSL_instrument_bus2
-+.align 4
-+.OPENSSL_instrument_bus2:
-+ mr r0,$cnt
-+ slwi $cnt,$cnt,2
-+
-+ mftb $lasttick # collect 1st tick
-+ li $diff,0
-+
-+ dcbf 0,$out # flush cache line
-+ lwarx $tick,0,$out # load and lock
-+ add $tick,$tick,$diff
-+ stwcx. $tick,0,$out
-+ stwx $tick,0,$out
-+
-+ mftb $tick # collect 1st diff
-+ sub $diff,$tick,$lasttick
-+ mr $lasttick,$tick
-+ mr $lastdiff,$diff
-+Loop2:
-+ dcbf 0,$out # flush cache line
-+ lwarx $tick,0,$out # load and lock
-+ add $tick,$tick,$diff
-+ stwcx. $tick,0,$out
-+ stwx $tick,0,$out
-+
-+ addic. $max,$max,-1
-+ beq Ldone2
-+
-+ mftb $tick
-+ sub $diff,$tick,$lasttick
-+ mr $lasttick,$tick
-+ cmplw 7,$diff,$lastdiff
-+ mr $lastdiff,$diff
-+
-+ mfcr $tick # pull cr
-+ not $tick,$tick # flip bits
-+ rlwinm $tick,$tick,1,29,29 # isolate flipped eq bit and scale
-+
-+ sub. $cnt,$cnt,$tick # conditional --$cnt
-+ add $out,$out,$tick # conditional ++$out
-+ bne Loop2
-+
-+Ldone2:
-+ srwi $cnt,$cnt,2
-+ sub r3,r0,$cnt
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,3,0
-+ .long 0
-+.size .OPENSSL_instrument_bus2,.-.OPENSSL_instrument_bus2
- ___
-+}
-
- $code =~ s/\`([^\`]*)\`/eval $1/gem;
- print $code;
-diff --git a/crypto/sha/Makefile b/crypto/sha/Makefile
-index 6d191d3..58c6705 100644
---- a/crypto/sha/Makefile
-+++ b/crypto/sha/Makefile
-@@ -73,6 +73,8 @@ sha512-sparcv9.s:asm/sha512-sparcv9.pl; $(PERL) asm/sha512-sparcv9.pl $@ $(CFLAG
- sha1-ppc.s: asm/sha1-ppc.pl; $(PERL) asm/sha1-ppc.pl $(PERLASM_SCHEME) $@
- sha256-ppc.s: asm/sha512-ppc.pl; $(PERL) asm/sha512-ppc.pl $(PERLASM_SCHEME) $@
- sha512-ppc.s: asm/sha512-ppc.pl; $(PERL) asm/sha512-ppc.pl $(PERLASM_SCHEME) $@
-+sha256p8-ppc.s: asm/sha512p8-ppc.pl; $(PERL) asm/sha512p8-ppc.pl $(PERLASM_SCHEME) $@
-+sha512p8-ppc.s: asm/sha512p8-ppc.pl; $(PERL) asm/sha512p8-ppc.pl $(PERLASM_SCHEME) $@
-
- sha1-parisc.s: asm/sha1-parisc.pl; $(PERL) asm/sha1-parisc.pl $(PERLASM_SCHEME) $@
- sha256-parisc.s:asm/sha512-parisc.pl; $(PERL) asm/sha512-parisc.pl $(PERLASM_SCHEME) $@
-diff --git a/crypto/sha/asm/sha1-ppc.pl b/crypto/sha/asm/sha1-ppc.pl
-index 2140dd2..df59896 100755
---- a/crypto/sha/asm/sha1-ppc.pl
-+++ b/crypto/sha/asm/sha1-ppc.pl
-@@ -9,8 +9,7 @@
-
- # I let hardware handle unaligned input(*), except on page boundaries
- # (see below for details). Otherwise straightforward implementation
--# with X vector in register bank. The module is big-endian [which is
--# not big deal as there're no little-endian targets left around].
-+# with X vector in register bank.
- #
- # (*) this means that this module is inappropriate for PPC403? Does
- # anybody know if pre-POWER3 can sustain unaligned load?
-@@ -38,6 +37,10 @@ if ($flavour =~ /64/) {
- $PUSH ="stw";
- } else { die "nonsense $flavour"; }
-
-+# Define endianess based on flavour
-+# i.e.: linux64le
-+$LITTLE_ENDIAN = ($flavour=~/le$/) ? $SIZE_T : 0;
-+
- $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
- ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
- ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-@@ -68,14 +71,28 @@ $T ="r12";
- @X=("r16","r17","r18","r19","r20","r21","r22","r23",
- "r24","r25","r26","r27","r28","r29","r30","r31");
-
-+sub loadbe {
-+my ($dst, $src, $temp_reg) = @_;
-+$code.=<<___ if (!$LITTLE_ENDIAN);
-+ lwz $dst,$src
-+___
-+$code.=<<___ if ($LITTLE_ENDIAN);
-+ lwz $temp_reg,$src
-+ rotlwi $dst,$temp_reg,8
-+ rlwimi $dst,$temp_reg,24,0,7
-+ rlwimi $dst,$temp_reg,24,16,23
-+___
-+}
-+
- sub BODY_00_19 {
- my ($i,$a,$b,$c,$d,$e,$f)=@_;
- my $j=$i+1;
--$code.=<<___ if ($i==0);
-- lwz @X[$i],`$i*4`($inp)
--___
-+
-+ # Since the last value of $f is discarded, we can use
-+ # it as a temp reg to swap byte-order when needed.
-+ loadbe("@X[$i]","`$i*4`($inp)",$f) if ($i==0);
-+ loadbe("@X[$j]","`$j*4`($inp)",$f) if ($i<15);
- $code.=<<___ if ($i<15);
-- lwz @X[$j],`$j*4`($inp)
- add $f,$K,$e
- rotlwi $e,$a,5
- add $f,$f, at X[$i]
-@@ -108,31 +125,31 @@ my ($i,$a,$b,$c,$d,$e,$f)=@_;
- my $j=$i+1;
- $code.=<<___ if ($i<79);
- add $f,$K,$e
-+ xor $t0,$b,$d
- rotlwi $e,$a,5
- xor @X[$j%16], at X[$j%16], at X[($j+2)%16]
- add $f,$f, at X[$i%16]
-- xor $t0,$b,$c
-+ xor $t0,$t0,$c
- xor @X[$j%16], at X[$j%16], at X[($j+8)%16]
-- add $f,$f,$e
-+ add $f,$f,$t0
- rotlwi $b,$b,30
-- xor $t0,$t0,$d
- xor @X[$j%16], at X[$j%16], at X[($j+13)%16]
-- add $f,$f,$t0
-+ add $f,$f,$e
- rotlwi @X[$j%16], at X[$j%16],1
- ___
- $code.=<<___ if ($i==79);
- add $f,$K,$e
-+ xor $t0,$b,$d
- rotlwi $e,$a,5
- lwz r16,0($ctx)
- add $f,$f, at X[$i%16]
-- xor $t0,$b,$c
-+ xor $t0,$t0,$c
- lwz r17,4($ctx)
-- add $f,$f,$e
-+ add $f,$f,$t0
- rotlwi $b,$b,30
- lwz r18,8($ctx)
-- xor $t0,$t0,$d
- lwz r19,12($ctx)
-- add $f,$f,$t0
-+ add $f,$f,$e
- lwz r20,16($ctx)
- ___
- }
-@@ -316,6 +333,7 @@ $code.=<<___;
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size .sha1_block_data_order,.-.sha1_block_data_order
- ___
- $code.=<<___;
- .asciz "SHA1 block transform for PPC, CRYPTOGAMS by <appro\@fy.chalmers.se>"
-diff --git a/crypto/sha/asm/sha512-ppc.pl b/crypto/sha/asm/sha512-ppc.pl
-index 6b44a68..734f3c1 100755
---- a/crypto/sha/asm/sha512-ppc.pl
-+++ b/crypto/sha/asm/sha512-ppc.pl
-@@ -1,7 +1,7 @@
- #!/usr/bin/env perl
-
- # ====================================================================
--# Written by Andy Polyakov <appro at fy.chalmers.se> for the OpenSSL
-+# Written by Andy Polyakov <appro at openssl.org> for the OpenSSL
- # project. The module is, however, dual licensed under OpenSSL and
- # CRYPTOGAMS licenses depending on where you obtain it. For further
- # details see http://www.openssl.org/~appro/cryptogams/.
-@@ -9,8 +9,7 @@
-
- # I let hardware handle unaligned input, except on page boundaries
- # (see below for details). Otherwise straightforward implementation
--# with X vector in register bank. The module is big-endian [which is
--# not big deal as there're no little-endian targets left around].
-+# with X vector in register bank.
-
- # sha256 | sha512
- # -m64 -m32 | -m64 -m32
-@@ -56,6 +55,8 @@ if ($flavour =~ /64/) {
- $PUSH="stw";
- } else { die "nonsense $flavour"; }
-
-+$LITTLE_ENDIAN = ($flavour=~/le$/) ? $SIZE_T : 0;
-+
- $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
- ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
- ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-@@ -64,7 +65,7 @@ die "can't locate ppc-xlate.pl";
- open STDOUT,"| $^X $xlate $flavour $output" || die "can't call $xlate: $!";
-
- if ($output =~ /512/) {
-- $func="sha512_block_data_order";
-+ $func="sha512_block_ppc";
- $SZ=8;
- @Sigma0=(28,34,39);
- @Sigma1=(14,18,41);
-@@ -76,7 +77,7 @@ if ($output =~ /512/) {
- $ROR="rotrdi";
- $SHR="srdi";
- } else {
-- $func="sha256_block_data_order";
-+ $func="sha256_block_ppc";
- $SZ=4;
- @Sigma0=( 2,13,22);
- @Sigma1=( 6,11,25);
-@@ -110,7 +111,7 @@ $B ="r9";
- $C ="r10";
- $D ="r11";
- $E ="r12";
--$F ="r13"; $F="r2" if ($SIZE_T==8);# reassigned to exempt TLS pointer
-+$F =$t1; $t1 = "r0"; # stay away from "r13";
- $G ="r14";
- $H ="r15";
-
-@@ -118,24 +119,23 @@ $H ="r15";
- @X=("r16","r17","r18","r19","r20","r21","r22","r23",
- "r24","r25","r26","r27","r28","r29","r30","r31");
-
--$inp="r31"; # reassigned $inp! aliases with @X[15]
-+$inp="r31" if($SZ==4 || $SIZE_T==8); # reassigned $inp! aliases with @X[15]
-
- sub ROUND_00_15 {
- my ($i,$a,$b,$c,$d,$e,$f,$g,$h)=@_;
- $code.=<<___;
-- $LD $T,`$i*$SZ`($Tbl)
- $ROR $a0,$e,$Sigma1[0]
- $ROR $a1,$e,$Sigma1[1]
- and $t0,$f,$e
-- andc $t1,$g,$e
-- add $T,$T,$h
- xor $a0,$a0,$a1
-+ add $h,$h,$t1
-+ andc $t1,$g,$e
- $ROR $a1,$a1,`$Sigma1[2]-$Sigma1[1]`
- or $t0,$t0,$t1 ; Ch(e,f,g)
-- add $T,$T, at X[$i]
-+ add $h,$h, at X[$i%16]
- xor $a0,$a0,$a1 ; Sigma1(e)
-- add $T,$T,$t0
-- add $T,$T,$a0
-+ add $h,$h,$t0
-+ add $h,$h,$a0
-
- $ROR $a0,$a,$Sigma0[0]
- $ROR $a1,$a,$Sigma0[1]
-@@ -146,9 +146,14 @@ $code.=<<___;
- xor $t0,$t0,$t1
- and $t1,$b,$c
- xor $a0,$a0,$a1 ; Sigma0(a)
-- add $d,$d,$T
-+ add $d,$d,$h
- xor $t0,$t0,$t1 ; Maj(a,b,c)
-- add $h,$T,$a0
-+___
-+$code.=<<___ if ($i<15);
-+ $LD $t1,`($i+1)*$SZ`($Tbl)
-+___
-+$code.=<<___;
-+ add $h,$h,$a0
- add $h,$h,$t0
-
- ___
-@@ -169,10 +174,11 @@ $code.=<<___;
- add @X[$i], at X[$i], at X[($i+9)%16]
- xor $a0,$a0,$a1 ; sigma0(X[(i+1)&0x0f])
- xor $t0,$t0,$t1 ; sigma1(X[(i+14)&0x0f])
-+ $LD $t1,`$i*$SZ`($Tbl)
- add @X[$i], at X[$i],$a0
- add @X[$i], at X[$i],$t0
- ___
--&ROUND_00_15($i,$a,$b,$c,$d,$e,$f,$g,$h);
-+&ROUND_00_15($i+16,$a,$b,$c,$d,$e,$f,$g,$h);
- }
-
- $code=<<___;
-@@ -188,8 +194,6 @@ $func:
-
- $PUSH $ctx,`$FRAME-$SIZE_T*22`($sp)
-
-- $PUSH $toc,`$FRAME-$SIZE_T*20`($sp)
-- $PUSH r13,`$FRAME-$SIZE_T*19`($sp)
- $PUSH r14,`$FRAME-$SIZE_T*18`($sp)
- $PUSH r15,`$FRAME-$SIZE_T*17`($sp)
- $PUSH r16,`$FRAME-$SIZE_T*16`($sp)
-@@ -209,7 +213,10 @@ $func:
- $PUSH r30,`$FRAME-$SIZE_T*2`($sp)
- $PUSH r31,`$FRAME-$SIZE_T*1`($sp)
- $PUSH r0,`$FRAME+$LRSAVE`($sp)
-+___
-
-+if ($SZ==4 || $SIZE_T==8) {
-+$code.=<<___;
- $LD $A,`0*$SZ`($ctx)
- mr $inp,r4 ; incarnate $inp
- $LD $B,`1*$SZ`($ctx)
-@@ -219,7 +226,16 @@ $func:
- $LD $F,`5*$SZ`($ctx)
- $LD $G,`6*$SZ`($ctx)
- $LD $H,`7*$SZ`($ctx)
-+___
-+} else {
-+ for ($i=16;$i<32;$i++) {
-+ $code.=<<___;
-+ lwz r$i,`$LITTLE_ENDIAN^(4*($i-16))`($ctx)
-+___
-+ }
-+}
-
-+$code.=<<___;
- bl LPICmeup
- LPICedup:
- andi. r0,$inp,3
-@@ -255,6 +271,9 @@ Lunaligned:
- Lcross_page:
- li $t1,`16*$SZ/4`
- mtctr $t1
-+___
-+if ($SZ==4 || $SIZE_T==8) {
-+$code.=<<___;
- addi r20,$sp,$LOCALS ; aligned spot below the frame
- Lmemcpy:
- lbz r16,0($inp)
-@@ -268,7 +287,26 @@ Lmemcpy:
- stb r19,3(r20)
- addi r20,r20,4
- bdnz Lmemcpy
-+___
-+} else {
-+$code.=<<___;
-+ addi r12,$sp,$LOCALS ; aligned spot below the frame
-+Lmemcpy:
-+ lbz r8,0($inp)
-+ lbz r9,1($inp)
-+ lbz r10,2($inp)
-+ lbz r11,3($inp)
-+ addi $inp,$inp,4
-+ stb r8,0(r12)
-+ stb r9,1(r12)
-+ stb r10,2(r12)
-+ stb r11,3(r12)
-+ addi r12,r12,4
-+ bdnz Lmemcpy
-+___
-+}
-
-+$code.=<<___;
- $PUSH $inp,`$FRAME-$SIZE_T*26`($sp) ; save real inp
- addi $t1,$sp,`$LOCALS+16*$SZ` ; fictitious end pointer
- addi $inp,$sp,$LOCALS ; fictitious inp pointer
-@@ -283,8 +321,6 @@ Lmemcpy:
-
- Ldone:
- $POP r0,`$FRAME+$LRSAVE`($sp)
-- $POP $toc,`$FRAME-$SIZE_T*20`($sp)
-- $POP r13,`$FRAME-$SIZE_T*19`($sp)
- $POP r14,`$FRAME-$SIZE_T*18`($sp)
- $POP r15,`$FRAME-$SIZE_T*17`($sp)
- $POP r16,`$FRAME-$SIZE_T*16`($sp)
-@@ -309,27 +345,48 @@ Ldone:
- .long 0
- .byte 0,12,4,1,0x80,18,3,0
- .long 0
-+___
-
-+if ($SZ==4 || $SIZE_T==8) {
-+$code.=<<___;
- .align 4
- Lsha2_block_private:
-+ $LD $t1,0($Tbl)
- ___
- for($i=0;$i<16;$i++) {
--$code.=<<___ if ($SZ==4);
-+$code.=<<___ if ($SZ==4 && !$LITTLE_ENDIAN);
- lwz @X[$i],`$i*$SZ`($inp)
- ___
-+$code.=<<___ if ($SZ==4 && $LITTLE_ENDIAN);
-+ lwz $a0,`$i*$SZ`($inp)
-+ rotlwi @X[$i],$a0,8
-+ rlwimi @X[$i],$a0,24,0,7
-+ rlwimi @X[$i],$a0,24,16,23
-+___
- # 64-bit loads are split to 2x32-bit ones, as CPU can't handle
- # unaligned 64-bit loads, only 32-bit ones...
--$code.=<<___ if ($SZ==8);
-+$code.=<<___ if ($SZ==8 && !$LITTLE_ENDIAN);
- lwz $t0,`$i*$SZ`($inp)
- lwz @X[$i],`$i*$SZ+4`($inp)
- insrdi @X[$i],$t0,32,0
- ___
-+$code.=<<___ if ($SZ==8 && $LITTLE_ENDIAN);
-+ lwz $a0,`$i*$SZ`($inp)
-+ lwz $a1,`$i*$SZ+4`($inp)
-+ rotlwi $t0,$a0,8
-+ rotlwi @X[$i],$a1,8
-+ rlwimi $t0,$a0,24,0,7
-+ rlwimi @X[$i],$a1,24,0,7
-+ rlwimi $t0,$a0,24,16,23
-+ rlwimi @X[$i],$a1,24,16,23
-+ insrdi @X[$i],$t0,32,0
-+___
- &ROUND_00_15($i, at V);
- unshift(@V,pop(@V));
- }
- $code.=<<___;
-- li $T,`$rounds/16-1`
-- mtctr $T
-+ li $t0,`$rounds/16-1`
-+ mtctr $t0
- .align 4
- Lrounds:
- addi $Tbl,$Tbl,`16*$SZ`
-@@ -377,7 +434,282 @@ $code.=<<___;
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size $func,.-$func
-+___
-+} else {
-+########################################################################
-+# SHA512 for PPC32, X vector is off-loaded to stack...
-+#
-+# | sha512
-+# | -m32
-+# ----------------------+-----------------------
-+# PPC74x0,gcc-4.0.1 | +48%
-+# POWER6,gcc-4.4.6 | +124%(*)
-+# POWER7,gcc-4.4.6 | +79%(*)
-+# e300,gcc-4.1.0 | +167%
-+#
-+# (*) ~1/3 of -m64 result [and ~20% better than -m32 code generated
-+# by xlc-12.1]
-+
-+my $XOFF=$LOCALS;
-+
-+my @V=map("r$_",(16..31)); # A..H
-+
-+my ($s0,$s1,$t0,$t1,$t2,$t3,$a0,$a1,$a2,$a3)=map("r$_",(0,5,6,8..12,14,15));
-+my ($x0,$x1)=("r3","r4"); # zaps $ctx and $inp
-+
-+sub ROUND_00_15_ppc32 {
-+my ($i, $ahi,$alo,$bhi,$blo,$chi,$clo,$dhi,$dlo,
-+ $ehi,$elo,$fhi,$flo,$ghi,$glo,$hhi,$hlo)=@_;
-+
-+$code.=<<___;
-+ lwz $t2,`$SZ*($i%16)+($LITTLE_ENDIAN^4)`($Tbl)
-+ xor $a0,$flo,$glo
-+ lwz $t3,`$SZ*($i%16)+($LITTLE_ENDIAN^0)`($Tbl)
-+ xor $a1,$fhi,$ghi
-+ addc $hlo,$hlo,$t0 ; h+=x[i]
-+ stw $t0,`$XOFF+0+$SZ*($i%16)`($sp) ; save x[i]
-+
-+ srwi $s0,$elo,$Sigma1[0]
-+ srwi $s1,$ehi,$Sigma1[0]
-+ and $a0,$a0,$elo
-+ adde $hhi,$hhi,$t1
-+ and $a1,$a1,$ehi
-+ stw $t1,`$XOFF+4+$SZ*($i%16)`($sp)
-+ srwi $t0,$elo,$Sigma1[1]
-+ srwi $t1,$ehi,$Sigma1[1]
-+ addc $hlo,$hlo,$t2 ; h+=K512[i]
-+ insrwi $s0,$ehi,$Sigma1[0],0
-+ insrwi $s1,$elo,$Sigma1[0],0
-+ xor $a0,$a0,$glo ; Ch(e,f,g)
-+ adde $hhi,$hhi,$t3
-+ xor $a1,$a1,$ghi
-+ insrwi $t0,$ehi,$Sigma1[1],0
-+ insrwi $t1,$elo,$Sigma1[1],0
-+ addc $hlo,$hlo,$a0 ; h+=Ch(e,f,g)
-+ srwi $t2,$ehi,$Sigma1[2]-32
-+ srwi $t3,$elo,$Sigma1[2]-32
-+ xor $s0,$s0,$t0
-+ xor $s1,$s1,$t1
-+ insrwi $t2,$elo,$Sigma1[2]-32,0
-+ insrwi $t3,$ehi,$Sigma1[2]-32,0
-+ xor $a0,$alo,$blo ; a^b, b^c in next round
-+ adde $hhi,$hhi,$a1
-+ xor $a1,$ahi,$bhi
-+ xor $s0,$s0,$t2 ; Sigma1(e)
-+ xor $s1,$s1,$t3
-+
-+ srwi $t0,$alo,$Sigma0[0]
-+ and $a2,$a2,$a0
-+ addc $hlo,$hlo,$s0 ; h+=Sigma1(e)
-+ and $a3,$a3,$a1
-+ srwi $t1,$ahi,$Sigma0[0]
-+ srwi $s0,$ahi,$Sigma0[1]-32
-+ adde $hhi,$hhi,$s1
-+ srwi $s1,$alo,$Sigma0[1]-32
-+ insrwi $t0,$ahi,$Sigma0[0],0
-+ insrwi $t1,$alo,$Sigma0[0],0
-+ xor $a2,$a2,$blo ; Maj(a,b,c)
-+ addc $dlo,$dlo,$hlo ; d+=h
-+ xor $a3,$a3,$bhi
-+ insrwi $s0,$alo,$Sigma0[1]-32,0
-+ insrwi $s1,$ahi,$Sigma0[1]-32,0
-+ adde $dhi,$dhi,$hhi
-+ srwi $t2,$ahi,$Sigma0[2]-32
-+ srwi $t3,$alo,$Sigma0[2]-32
-+ xor $s0,$s0,$t0
-+ addc $hlo,$hlo,$a2 ; h+=Maj(a,b,c)
-+ xor $s1,$s1,$t1
-+ insrwi $t2,$alo,$Sigma0[2]-32,0
-+ insrwi $t3,$ahi,$Sigma0[2]-32,0
-+ adde $hhi,$hhi,$a3
-+___
-+$code.=<<___ if ($i>=15);
-+ lwz $t0,`$XOFF+0+$SZ*(($i+2)%16)`($sp)
-+ lwz $t1,`$XOFF+4+$SZ*(($i+2)%16)`($sp)
-+___
-+$code.=<<___ if ($i<15 && !$LITTLE_ENDIAN);
-+ lwz $t1,`$SZ*($i+1)+0`($inp)
-+ lwz $t0,`$SZ*($i+1)+4`($inp)
- ___
-+$code.=<<___ if ($i<15 && $LITTLE_ENDIAN);
-+ lwz $a2,`$SZ*($i+1)+0`($inp)
-+ lwz $a3,`$SZ*($i+1)+4`($inp)
-+ rotlwi $t1,$a2,8
-+ rotlwi $t0,$a3,8
-+ rlwimi $t1,$a2,24,0,7
-+ rlwimi $t0,$a3,24,0,7
-+ rlwimi $t1,$a2,24,16,23
-+ rlwimi $t0,$a3,24,16,23
-+___
-+$code.=<<___;
-+ xor $s0,$s0,$t2 ; Sigma0(a)
-+ xor $s1,$s1,$t3
-+ addc $hlo,$hlo,$s0 ; h+=Sigma0(a)
-+ adde $hhi,$hhi,$s1
-+___
-+$code.=<<___ if ($i==15);
-+ lwz $x0,`$XOFF+0+$SZ*(($i+1)%16)`($sp)
-+ lwz $x1,`$XOFF+4+$SZ*(($i+1)%16)`($sp)
-+___
-+}
-+sub ROUND_16_xx_ppc32 {
-+my ($i, $ahi,$alo,$bhi,$blo,$chi,$clo,$dhi,$dlo,
-+ $ehi,$elo,$fhi,$flo,$ghi,$glo,$hhi,$hlo)=@_;
-+
-+$code.=<<___;
-+ srwi $s0,$t0,$sigma0[0]
-+ srwi $s1,$t1,$sigma0[0]
-+ srwi $t2,$t0,$sigma0[1]
-+ srwi $t3,$t1,$sigma0[1]
-+ insrwi $s0,$t1,$sigma0[0],0
-+ insrwi $s1,$t0,$sigma0[0],0
-+ srwi $a0,$t0,$sigma0[2]
-+ insrwi $t2,$t1,$sigma0[1],0
-+ insrwi $t3,$t0,$sigma0[1],0
-+ insrwi $a0,$t1,$sigma0[2],0
-+ xor $s0,$s0,$t2
-+ lwz $t2,`$XOFF+0+$SZ*(($i+14)%16)`($sp)
-+ srwi $a1,$t1,$sigma0[2]
-+ xor $s1,$s1,$t3
-+ lwz $t3,`$XOFF+4+$SZ*(($i+14)%16)`($sp)
-+ xor $a0,$a0,$s0
-+ srwi $s0,$t2,$sigma1[0]
-+ xor $a1,$a1,$s1
-+ srwi $s1,$t3,$sigma1[0]
-+ addc $x0,$x0,$a0 ; x[i]+=sigma0(x[i+1])
-+ srwi $a0,$t3,$sigma1[1]-32
-+ insrwi $s0,$t3,$sigma1[0],0
-+ insrwi $s1,$t2,$sigma1[0],0
-+ adde $x1,$x1,$a1
-+ srwi $a1,$t2,$sigma1[1]-32
-+
-+ insrwi $a0,$t2,$sigma1[1]-32,0
-+ srwi $t2,$t2,$sigma1[2]
-+ insrwi $a1,$t3,$sigma1[1]-32,0
-+ insrwi $t2,$t3,$sigma1[2],0
-+ xor $s0,$s0,$a0
-+ lwz $a0,`$XOFF+0+$SZ*(($i+9)%16)`($sp)
-+ srwi $t3,$t3,$sigma1[2]
-+ xor $s1,$s1,$a1
-+ lwz $a1,`$XOFF+4+$SZ*(($i+9)%16)`($sp)
-+ xor $s0,$s0,$t2
-+ addc $x0,$x0,$a0 ; x[i]+=x[i+9]
-+ xor $s1,$s1,$t3
-+ adde $x1,$x1,$a1
-+ addc $x0,$x0,$s0 ; x[i]+=sigma1(x[i+14])
-+ adde $x1,$x1,$s1
-+___
-+ ($t0,$t1,$x0,$x1) = ($x0,$x1,$t0,$t1);
-+ &ROUND_00_15_ppc32(@_);
-+}
-+
-+$code.=<<___;
-+.align 4
-+Lsha2_block_private:
-+___
-+$code.=<<___ if (!$LITTLE_ENDIAN);
-+ lwz $t1,0($inp)
-+ xor $a2, at V[3], at V[5] ; B^C, magic seed
-+ lwz $t0,4($inp)
-+ xor $a3, at V[2], at V[4]
-+___
-+$code.=<<___ if ($LITTLE_ENDIAN);
-+ lwz $a1,0($inp)
-+ xor $a2, at V[3], at V[5] ; B^C, magic seed
-+ lwz $a0,4($inp)
-+ xor $a3, at V[2], at V[4]
-+ rotlwi $t1,$a1,8
-+ rotlwi $t0,$a0,8
-+ rlwimi $t1,$a1,24,0,7
-+ rlwimi $t0,$a0,24,0,7
-+ rlwimi $t1,$a1,24,16,23
-+ rlwimi $t0,$a0,24,16,23
-+___
-+for($i=0;$i<16;$i++) {
-+ &ROUND_00_15_ppc32($i, at V);
-+ unshift(@V,pop(@V)); unshift(@V,pop(@V));
-+ ($a0,$a1,$a2,$a3) = ($a2,$a3,$a0,$a1);
-+}
-+$code.=<<___;
-+ li $a0,`$rounds/16-1`
-+ mtctr $a0
-+.align 4
-+Lrounds:
-+ addi $Tbl,$Tbl,`16*$SZ`
-+___
-+for(;$i<32;$i++) {
-+ &ROUND_16_xx_ppc32($i, at V);
-+ unshift(@V,pop(@V)); unshift(@V,pop(@V));
-+ ($a0,$a1,$a2,$a3) = ($a2,$a3,$a0,$a1);
-+}
-+$code.=<<___;
-+ bdnz- Lrounds
-+
-+ $POP $ctx,`$FRAME-$SIZE_T*22`($sp)
-+ $POP $inp,`$FRAME-$SIZE_T*23`($sp) ; inp pointer
-+ $POP $num,`$FRAME-$SIZE_T*24`($sp) ; end pointer
-+ subi $Tbl,$Tbl,`($rounds-16)*$SZ` ; rewind Tbl
-+
-+ lwz $t0,`$LITTLE_ENDIAN^0`($ctx)
-+ lwz $t1,`$LITTLE_ENDIAN^4`($ctx)
-+ lwz $t2,`$LITTLE_ENDIAN^8`($ctx)
-+ lwz $t3,`$LITTLE_ENDIAN^12`($ctx)
-+ lwz $a0,`$LITTLE_ENDIAN^16`($ctx)
-+ lwz $a1,`$LITTLE_ENDIAN^20`($ctx)
-+ lwz $a2,`$LITTLE_ENDIAN^24`($ctx)
-+ addc @V[1], at V[1],$t1
-+ lwz $a3,`$LITTLE_ENDIAN^28`($ctx)
-+ adde @V[0], at V[0],$t0
-+ lwz $t0,`$LITTLE_ENDIAN^32`($ctx)
-+ addc @V[3], at V[3],$t3
-+ lwz $t1,`$LITTLE_ENDIAN^36`($ctx)
-+ adde @V[2], at V[2],$t2
-+ lwz $t2,`$LITTLE_ENDIAN^40`($ctx)
-+ addc @V[5], at V[5],$a1
-+ lwz $t3,`$LITTLE_ENDIAN^44`($ctx)
-+ adde @V[4], at V[4],$a0
-+ lwz $a0,`$LITTLE_ENDIAN^48`($ctx)
-+ addc @V[7], at V[7],$a3
-+ lwz $a1,`$LITTLE_ENDIAN^52`($ctx)
-+ adde @V[6], at V[6],$a2
-+ lwz $a2,`$LITTLE_ENDIAN^56`($ctx)
-+ addc @V[9], at V[9],$t1
-+ lwz $a3,`$LITTLE_ENDIAN^60`($ctx)
-+ adde @V[8], at V[8],$t0
-+ stw @V[0],`$LITTLE_ENDIAN^0`($ctx)
-+ stw @V[1],`$LITTLE_ENDIAN^4`($ctx)
-+ addc @V[11], at V[11],$t3
-+ stw @V[2],`$LITTLE_ENDIAN^8`($ctx)
-+ stw @V[3],`$LITTLE_ENDIAN^12`($ctx)
-+ adde @V[10], at V[10],$t2
-+ stw @V[4],`$LITTLE_ENDIAN^16`($ctx)
-+ stw @V[5],`$LITTLE_ENDIAN^20`($ctx)
-+ addc @V[13], at V[13],$a1
-+ stw @V[6],`$LITTLE_ENDIAN^24`($ctx)
-+ stw @V[7],`$LITTLE_ENDIAN^28`($ctx)
-+ adde @V[12], at V[12],$a0
-+ stw @V[8],`$LITTLE_ENDIAN^32`($ctx)
-+ stw @V[9],`$LITTLE_ENDIAN^36`($ctx)
-+ addc @V[15], at V[15],$a3
-+ stw @V[10],`$LITTLE_ENDIAN^40`($ctx)
-+ stw @V[11],`$LITTLE_ENDIAN^44`($ctx)
-+ adde @V[14], at V[14],$a2
-+ stw @V[12],`$LITTLE_ENDIAN^48`($ctx)
-+ stw @V[13],`$LITTLE_ENDIAN^52`($ctx)
-+ stw @V[14],`$LITTLE_ENDIAN^56`($ctx)
-+ stw @V[15],`$LITTLE_ENDIAN^60`($ctx)
-+
-+ addi $inp,$inp,`16*$SZ` ; advance inp
-+ $PUSH $inp,`$FRAME-$SIZE_T*23`($sp)
-+ $UCMP $inp,$num
-+ bne Lsha2_block_private
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+.size $func,.-$func
-+___
-+}
-
- # Ugly hack here, because PPC assembler syntax seem to vary too
- # much from platforms to platform...
-@@ -395,46 +727,46 @@ LPICmeup:
- .space `64-9*4`
- ___
- $code.=<<___ if ($SZ==8);
-- .long 0x428a2f98,0xd728ae22,0x71374491,0x23ef65cd
-- .long 0xb5c0fbcf,0xec4d3b2f,0xe9b5dba5,0x8189dbbc
-- .long 0x3956c25b,0xf348b538,0x59f111f1,0xb605d019
-- .long 0x923f82a4,0xaf194f9b,0xab1c5ed5,0xda6d8118
-- .long 0xd807aa98,0xa3030242,0x12835b01,0x45706fbe
-- .long 0x243185be,0x4ee4b28c,0x550c7dc3,0xd5ffb4e2
-- .long 0x72be5d74,0xf27b896f,0x80deb1fe,0x3b1696b1
-- .long 0x9bdc06a7,0x25c71235,0xc19bf174,0xcf692694
-- .long 0xe49b69c1,0x9ef14ad2,0xefbe4786,0x384f25e3
-- .long 0x0fc19dc6,0x8b8cd5b5,0x240ca1cc,0x77ac9c65
-- .long 0x2de92c6f,0x592b0275,0x4a7484aa,0x6ea6e483
-- .long 0x5cb0a9dc,0xbd41fbd4,0x76f988da,0x831153b5
-- .long 0x983e5152,0xee66dfab,0xa831c66d,0x2db43210
-- .long 0xb00327c8,0x98fb213f,0xbf597fc7,0xbeef0ee4
-- .long 0xc6e00bf3,0x3da88fc2,0xd5a79147,0x930aa725
-- .long 0x06ca6351,0xe003826f,0x14292967,0x0a0e6e70
-- .long 0x27b70a85,0x46d22ffc,0x2e1b2138,0x5c26c926
-- .long 0x4d2c6dfc,0x5ac42aed,0x53380d13,0x9d95b3df
-- .long 0x650a7354,0x8baf63de,0x766a0abb,0x3c77b2a8
-- .long 0x81c2c92e,0x47edaee6,0x92722c85,0x1482353b
-- .long 0xa2bfe8a1,0x4cf10364,0xa81a664b,0xbc423001
-- .long 0xc24b8b70,0xd0f89791,0xc76c51a3,0x0654be30
-- .long 0xd192e819,0xd6ef5218,0xd6990624,0x5565a910
-- .long 0xf40e3585,0x5771202a,0x106aa070,0x32bbd1b8
-- .long 0x19a4c116,0xb8d2d0c8,0x1e376c08,0x5141ab53
-- .long 0x2748774c,0xdf8eeb99,0x34b0bcb5,0xe19b48a8
-- .long 0x391c0cb3,0xc5c95a63,0x4ed8aa4a,0xe3418acb
-- .long 0x5b9cca4f,0x7763e373,0x682e6ff3,0xd6b2b8a3
-- .long 0x748f82ee,0x5defb2fc,0x78a5636f,0x43172f60
-- .long 0x84c87814,0xa1f0ab72,0x8cc70208,0x1a6439ec
-- .long 0x90befffa,0x23631e28,0xa4506ceb,0xde82bde9
-- .long 0xbef9a3f7,0xb2c67915,0xc67178f2,0xe372532b
-- .long 0xca273ece,0xea26619c,0xd186b8c7,0x21c0c207
-- .long 0xeada7dd6,0xcde0eb1e,0xf57d4f7f,0xee6ed178
-- .long 0x06f067aa,0x72176fba,0x0a637dc5,0xa2c898a6
-- .long 0x113f9804,0xbef90dae,0x1b710b35,0x131c471b
-- .long 0x28db77f5,0x23047d84,0x32caab7b,0x40c72493
-- .long 0x3c9ebe0a,0x15c9bebc,0x431d67c4,0x9c100d4c
-- .long 0x4cc5d4be,0xcb3e42b6,0x597f299c,0xfc657e2a
-- .long 0x5fcb6fab,0x3ad6faec,0x6c44198c,0x4a475817
-+ .quad 0x428a2f98d728ae22,0x7137449123ef65cd
-+ .quad 0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc
-+ .quad 0x3956c25bf348b538,0x59f111f1b605d019
-+ .quad 0x923f82a4af194f9b,0xab1c5ed5da6d8118
-+ .quad 0xd807aa98a3030242,0x12835b0145706fbe
-+ .quad 0x243185be4ee4b28c,0x550c7dc3d5ffb4e2
-+ .quad 0x72be5d74f27b896f,0x80deb1fe3b1696b1
-+ .quad 0x9bdc06a725c71235,0xc19bf174cf692694
-+ .quad 0xe49b69c19ef14ad2,0xefbe4786384f25e3
-+ .quad 0x0fc19dc68b8cd5b5,0x240ca1cc77ac9c65
-+ .quad 0x2de92c6f592b0275,0x4a7484aa6ea6e483
-+ .quad 0x5cb0a9dcbd41fbd4,0x76f988da831153b5
-+ .quad 0x983e5152ee66dfab,0xa831c66d2db43210
-+ .quad 0xb00327c898fb213f,0xbf597fc7beef0ee4
-+ .quad 0xc6e00bf33da88fc2,0xd5a79147930aa725
-+ .quad 0x06ca6351e003826f,0x142929670a0e6e70
-+ .quad 0x27b70a8546d22ffc,0x2e1b21385c26c926
-+ .quad 0x4d2c6dfc5ac42aed,0x53380d139d95b3df
-+ .quad 0x650a73548baf63de,0x766a0abb3c77b2a8
-+ .quad 0x81c2c92e47edaee6,0x92722c851482353b
-+ .quad 0xa2bfe8a14cf10364,0xa81a664bbc423001
-+ .quad 0xc24b8b70d0f89791,0xc76c51a30654be30
-+ .quad 0xd192e819d6ef5218,0xd69906245565a910
-+ .quad 0xf40e35855771202a,0x106aa07032bbd1b8
-+ .quad 0x19a4c116b8d2d0c8,0x1e376c085141ab53
-+ .quad 0x2748774cdf8eeb99,0x34b0bcb5e19b48a8
-+ .quad 0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb
-+ .quad 0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3
-+ .quad 0x748f82ee5defb2fc,0x78a5636f43172f60
-+ .quad 0x84c87814a1f0ab72,0x8cc702081a6439ec
-+ .quad 0x90befffa23631e28,0xa4506cebde82bde9
-+ .quad 0xbef9a3f7b2c67915,0xc67178f2e372532b
-+ .quad 0xca273eceea26619c,0xd186b8c721c0c207
-+ .quad 0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178
-+ .quad 0x06f067aa72176fba,0x0a637dc5a2c898a6
-+ .quad 0x113f9804bef90dae,0x1b710b35131c471b
-+ .quad 0x28db77f523047d84,0x32caab7b40c72493
-+ .quad 0x3c9ebe0a15c9bebc,0x431d67c49c100d4c
-+ .quad 0x4cc5d4becb3e42b6,0x597f299cfc657e2a
-+ .quad 0x5fcb6fab3ad6faec,0x6c44198c4a475817
- ___
- $code.=<<___ if ($SZ==4);
- .long 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5
-diff --git a/crypto/sha/asm/sha512p8-ppc.pl b/crypto/sha/asm/sha512p8-ppc.pl
-new file mode 100755
-index 0000000..a316b31
---- /dev/null
-+++ b/crypto/sha/asm/sha512p8-ppc.pl
-@@ -0,0 +1,423 @@
-+#!/usr/bin/env perl
-+
-+# ====================================================================
-+# Written by Andy Polyakov <appro at openssl.org> for the OpenSSL
-+# project. The module is, however, dual licensed under OpenSSL and
-+# CRYPTOGAMS licenses depending on where you obtain it. For further
-+# details see http://www.openssl.org/~appro/cryptogams/.
-+# ====================================================================
-+
-+# SHA256/512 for PowerISA v2.07.
-+#
-+# Accurate performance measurements are problematic, because it's
-+# always virtualized setup with possibly throttled processor.
-+# Relative comparison is therefore more informative. This module is
-+# ~60% faster than integer-only sha512-ppc.pl. To anchor to something
-+# else, SHA256 is 24% slower than sha1-ppc.pl and 2.5x slower than
-+# hardware-assisted aes-128-cbc encrypt. SHA512 is 20% faster than
-+# sha1-ppc.pl and 1.6x slower than aes-128-cbc. Another interesting
-+# result is degree of computational resources' utilization. POWER8 is
-+# "massively multi-threaded chip" and difference between single- and
-+# maximum multi-process benchmark results tells that utlization is
-+# whooping 94%. For sha512-ppc.pl we get [not unimpressive] 84% and
-+# for sha1-ppc.pl - 73%. 100% means that multi-process result equals
-+# to single-process one, given that all threads end up on the same
-+# physical core.
-+
-+$flavour=shift;
-+$output =shift;
-+
-+if ($flavour =~ /64/) {
-+ $SIZE_T=8;
-+ $LRSAVE=2*$SIZE_T;
-+ $STU="stdu";
-+ $POP="ld";
-+ $PUSH="std";
-+} elsif ($flavour =~ /32/) {
-+ $SIZE_T=4;
-+ $LRSAVE=$SIZE_T;
-+ $STU="stwu";
-+ $POP="lwz";
-+ $PUSH="stw";
-+} else { die "nonsense $flavour"; }
-+
-+$LENDIAN=($flavour=~/le/);
-+
-+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
-+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-+die "can't locate ppc-xlate.pl";
-+
-+open STDOUT,"| $^X $xlate $flavour $output" || die "can't call $xlate: $!";
-+
-+if ($output =~ /512/) {
-+ $bits=512;
-+ $SZ=8;
-+ $sz="d";
-+ $rounds=80;
-+} else {
-+ $bits=256;
-+ $SZ=4;
-+ $sz="w";
-+ $rounds=64;
-+}
-+
-+$func="sha${bits}_block_p8";
-+$FRAME=8*$SIZE_T;
-+
-+$sp ="r1";
-+$toc="r2";
-+$ctx="r3";
-+$inp="r4";
-+$num="r5";
-+$Tbl="r6";
-+$idx="r7";
-+$lrsave="r8";
-+$offload="r11";
-+$vrsave="r12";
-+($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,10,26..31));
-+
-+ at V=($A,$B,$C,$D,$E,$F,$G,$H)=map("v$_",(0..7));
-+ at X=map("v$_",(8..23));
-+($Ki,$Func,$S0,$S1,$s0,$s1,$lemask)=map("v$_",(24..31));
-+
-+sub ROUND {
-+my ($i,$a,$b,$c,$d,$e,$f,$g,$h)=@_;
-+my $j=($i+1)%16;
-+
-+$code.=<<___ if ($i<15 && ($i%(16/$SZ))==(16/$SZ-1));
-+ lvx_u @X[$i+1],0,$inp ; load X[i] in advance
-+ addi $inp,$inp,16
-+___
-+$code.=<<___ if ($i<16 && ($i%(16/$SZ)));
-+ vsldoi @X[$i], at X[$i-1], at X[$i-1],$SZ
-+___
-+$code.=<<___ if ($LENDIAN && $i<16 && ($i%(16/$SZ))==0);
-+ vperm @X[$i], at X[$i], at X[$i],$lemask
-+___
-+$code.=<<___;
-+ `"vshasigma${sz} $s0, at X[($j+1)%16],0,0" if ($i>=15)`
-+ vsel $Func,$g,$f,$e ; Ch(e,f,g)
-+ vshasigma${sz} $S1,$e,1,15 ; Sigma1(e)
-+ vaddu${sz}m $h,$h, at X[$i%16] ; h+=X[i]
-+ vshasigma${sz} $S0,$a,1,0 ; Sigma0(a)
-+ `"vshasigma${sz} $s1, at X[($j+14)%16],0,15" if ($i>=15)`
-+ vaddu${sz}m $h,$h,$Func ; h+=Ch(e,f,g)
-+ vxor $Func,$a,$b
-+ `"vaddu${sz}m @X[$j], at X[$j], at X[($j+9)%16]" if ($i>=15)`
-+ vaddu${sz}m $h,$h,$S1 ; h+=Sigma1(e)
-+ vsel $Func,$b,$c,$Func ; Maj(a,b,c)
-+ vaddu${sz}m $g,$g,$Ki ; future h+=K[i]
-+ vaddu${sz}m $d,$d,$h ; d+=h
-+ vaddu${sz}m $S0,$S0,$Func ; Sigma0(a)+Maj(a,b,c)
-+ `"vaddu${sz}m @X[$j], at X[$j],$s0" if ($i>=15)`
-+ lvx $Ki,$idx,$Tbl ; load next K[i]
-+ addi $idx,$idx,16
-+ vaddu${sz}m $h,$h,$S0 ; h+=Sigma0(a)+Maj(a,b,c)
-+ `"vaddu${sz}m @X[$j], at X[$j],$s1" if ($i>=15)`
-+___
-+}
-+
-+$code=<<___;
-+.machine "any"
-+.text
-+
-+.globl $func
-+.align 6
-+$func:
-+ $STU $sp,-`($FRAME+21*16+6*$SIZE_T)`($sp)
-+ mflr $lrsave
-+ li r10,`$FRAME+8*16+15`
-+ li r11,`$FRAME+8*16+31`
-+ stvx v20,r10,$sp # ABI says so
-+ addi r10,r10,32
-+ mfspr $vrsave,256
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ li r11,-1
-+ stw $vrsave,`$FRAME+21*16-4`($sp) # save vrsave
-+ li $x10,0x10
-+ $PUSH r26,`$FRAME+21*16+0*$SIZE_T`($sp)
-+ li $x20,0x20
-+ $PUSH r27,`$FRAME+21*16+1*$SIZE_T`($sp)
-+ li $x30,0x30
-+ $PUSH r28,`$FRAME+21*16+2*$SIZE_T`($sp)
-+ li $x40,0x40
-+ $PUSH r29,`$FRAME+21*16+3*$SIZE_T`($sp)
-+ li $x50,0x50
-+ $PUSH r30,`$FRAME+21*16+4*$SIZE_T`($sp)
-+ li $x60,0x60
-+ $PUSH r31,`$FRAME+21*16+5*$SIZE_T`($sp)
-+ li $x70,0x70
-+ $PUSH $lrsave,`$FRAME+21*16+6*$SIZE_T+$LRSAVE`($sp)
-+ mtspr 256,r11
-+
-+ bl LPICmeup
-+ addi $offload,$sp,$FRAME+15
-+___
-+$code.=<<___ if ($LENDIAN);
-+ li $idx,8
-+ lvsl $lemask,0,$idx
-+ vspltisb $Ki,0x0f
-+ vxor $lemask,$lemask,$Ki
-+___
-+$code.=<<___ if ($SZ==4);
-+ lvx_4w $A,$x00,$ctx
-+ lvx_4w $E,$x10,$ctx
-+ vsldoi $B,$A,$A,4 # unpack
-+ vsldoi $C,$A,$A,8
-+ vsldoi $D,$A,$A,12
-+ vsldoi $F,$E,$E,4
-+ vsldoi $G,$E,$E,8
-+ vsldoi $H,$E,$E,12
-+___
-+$code.=<<___ if ($SZ==8);
-+ lvx_u $A,$x00,$ctx
-+ lvx_u $C,$x10,$ctx
-+ lvx_u $E,$x20,$ctx
-+ vsldoi $B,$A,$A,8 # unpack
-+ lvx_u $G,$x30,$ctx
-+ vsldoi $D,$C,$C,8
-+ vsldoi $F,$E,$E,8
-+ vsldoi $H,$G,$G,8
-+___
-+$code.=<<___;
-+ li r0,`($rounds-16)/16` # inner loop counter
-+ b Loop
-+.align 5
-+Loop:
-+ lvx $Ki,$x00,$Tbl
-+ li $idx,16
-+ lvx_u @X[0],0,$inp
-+ addi $inp,$inp,16
-+ stvx $A,$x00,$offload # offload $A-$H
-+ stvx $B,$x10,$offload
-+ stvx $C,$x20,$offload
-+ stvx $D,$x30,$offload
-+ stvx $E,$x40,$offload
-+ stvx $F,$x50,$offload
-+ stvx $G,$x60,$offload
-+ stvx $H,$x70,$offload
-+ vaddu${sz}m $H,$H,$Ki # h+K[i]
-+ lvx $Ki,$idx,$Tbl
-+ addi $idx,$idx,16
-+___
-+for ($i=0;$i<16;$i++) { &ROUND($i, at V); unshift(@V,pop(@V)); }
-+$code.=<<___;
-+ mtctr r0
-+ b L16_xx
-+.align 5
-+L16_xx:
-+___
-+for (;$i<32;$i++) { &ROUND($i, at V); unshift(@V,pop(@V)); }
-+$code.=<<___;
-+ bdnz L16_xx
-+
-+ lvx @X[2],$x00,$offload
-+ subic. $num,$num,1
-+ lvx @X[3],$x10,$offload
-+ vaddu${sz}m $A,$A, at X[2]
-+ lvx @X[4],$x20,$offload
-+ vaddu${sz}m $B,$B, at X[3]
-+ lvx @X[5],$x30,$offload
-+ vaddu${sz}m $C,$C, at X[4]
-+ lvx @X[6],$x40,$offload
-+ vaddu${sz}m $D,$D, at X[5]
-+ lvx @X[7],$x50,$offload
-+ vaddu${sz}m $E,$E, at X[6]
-+ lvx @X[8],$x60,$offload
-+ vaddu${sz}m $F,$F, at X[7]
-+ lvx @X[9],$x70,$offload
-+ vaddu${sz}m $G,$G, at X[8]
-+ vaddu${sz}m $H,$H, at X[9]
-+ bne Loop
-+___
-+$code.=<<___ if ($SZ==4);
-+ lvx @X[0],$idx,$Tbl
-+ addi $idx,$idx,16
-+ vperm $A,$A,$B,$Ki # pack the answer
-+ lvx @X[1],$idx,$Tbl
-+ vperm $E,$E,$F,$Ki
-+ vperm $A,$A,$C, at X[0]
-+ vperm $E,$E,$G, at X[0]
-+ vperm $A,$A,$D, at X[1]
-+ vperm $E,$E,$H, at X[1]
-+ stvx_4w $A,$x00,$ctx
-+ stvx_4w $E,$x10,$ctx
-+___
-+$code.=<<___ if ($SZ==8);
-+ vperm $A,$A,$B,$Ki # pack the answer
-+ vperm $C,$C,$D,$Ki
-+ vperm $E,$E,$F,$Ki
-+ vperm $G,$G,$H,$Ki
-+ stvx_u $A,$x00,$ctx
-+ stvx_u $C,$x10,$ctx
-+ stvx_u $E,$x20,$ctx
-+ stvx_u $G,$x30,$ctx
-+___
-+$code.=<<___;
-+ li r10,`$FRAME+8*16+15`
-+ mtlr $lrsave
-+ li r11,`$FRAME+8*16+31`
-+ mtspr 256,$vrsave
-+ lvx v20,r10,$sp # ABI says so
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+ $POP r26,`$FRAME+21*16+0*$SIZE_T`($sp)
-+ $POP r27,`$FRAME+21*16+1*$SIZE_T`($sp)
-+ $POP r28,`$FRAME+21*16+2*$SIZE_T`($sp)
-+ $POP r29,`$FRAME+21*16+3*$SIZE_T`($sp)
-+ $POP r30,`$FRAME+21*16+4*$SIZE_T`($sp)
-+ $POP r31,`$FRAME+21*16+5*$SIZE_T`($sp)
-+ addi $sp,$sp,`$FRAME+21*16+6*$SIZE_T`
-+ blr
-+ .long 0
-+ .byte 0,12,4,1,0x80,6,3,0
-+ .long 0
-+.size $func,.-$func
-+___
-+
-+# Ugly hack here, because PPC assembler syntax seem to vary too
-+# much from platforms to platform...
-+$code.=<<___;
-+.align 6
-+LPICmeup:
-+ mflr r0
-+ bcl 20,31,\$+4
-+ mflr $Tbl ; vvvvvv "distance" between . and 1st data entry
-+ addi $Tbl,$Tbl,`64-8`
-+ mtlr r0
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+ .space `64-9*4`
-+___
-+
-+if ($SZ==8) {
-+ local *table = sub {
-+ foreach(@_) { $code.=".quad $_,$_\n"; }
-+ };
-+ table(
-+ "0x428a2f98d728ae22","0x7137449123ef65cd",
-+ "0xb5c0fbcfec4d3b2f","0xe9b5dba58189dbbc",
-+ "0x3956c25bf348b538","0x59f111f1b605d019",
-+ "0x923f82a4af194f9b","0xab1c5ed5da6d8118",
-+ "0xd807aa98a3030242","0x12835b0145706fbe",
-+ "0x243185be4ee4b28c","0x550c7dc3d5ffb4e2",
-+ "0x72be5d74f27b896f","0x80deb1fe3b1696b1",
-+ "0x9bdc06a725c71235","0xc19bf174cf692694",
-+ "0xe49b69c19ef14ad2","0xefbe4786384f25e3",
-+ "0x0fc19dc68b8cd5b5","0x240ca1cc77ac9c65",
-+ "0x2de92c6f592b0275","0x4a7484aa6ea6e483",
-+ "0x5cb0a9dcbd41fbd4","0x76f988da831153b5",
-+ "0x983e5152ee66dfab","0xa831c66d2db43210",
-+ "0xb00327c898fb213f","0xbf597fc7beef0ee4",
-+ "0xc6e00bf33da88fc2","0xd5a79147930aa725",
-+ "0x06ca6351e003826f","0x142929670a0e6e70",
-+ "0x27b70a8546d22ffc","0x2e1b21385c26c926",
-+ "0x4d2c6dfc5ac42aed","0x53380d139d95b3df",
-+ "0x650a73548baf63de","0x766a0abb3c77b2a8",
-+ "0x81c2c92e47edaee6","0x92722c851482353b",
-+ "0xa2bfe8a14cf10364","0xa81a664bbc423001",
-+ "0xc24b8b70d0f89791","0xc76c51a30654be30",
-+ "0xd192e819d6ef5218","0xd69906245565a910",
-+ "0xf40e35855771202a","0x106aa07032bbd1b8",
-+ "0x19a4c116b8d2d0c8","0x1e376c085141ab53",
-+ "0x2748774cdf8eeb99","0x34b0bcb5e19b48a8",
-+ "0x391c0cb3c5c95a63","0x4ed8aa4ae3418acb",
-+ "0x5b9cca4f7763e373","0x682e6ff3d6b2b8a3",
-+ "0x748f82ee5defb2fc","0x78a5636f43172f60",
-+ "0x84c87814a1f0ab72","0x8cc702081a6439ec",
-+ "0x90befffa23631e28","0xa4506cebde82bde9",
-+ "0xbef9a3f7b2c67915","0xc67178f2e372532b",
-+ "0xca273eceea26619c","0xd186b8c721c0c207",
-+ "0xeada7dd6cde0eb1e","0xf57d4f7fee6ed178",
-+ "0x06f067aa72176fba","0x0a637dc5a2c898a6",
-+ "0x113f9804bef90dae","0x1b710b35131c471b",
-+ "0x28db77f523047d84","0x32caab7b40c72493",
-+ "0x3c9ebe0a15c9bebc","0x431d67c49c100d4c",
-+ "0x4cc5d4becb3e42b6","0x597f299cfc657e2a",
-+ "0x5fcb6fab3ad6faec","0x6c44198c4a475817","0");
-+$code.=<<___ if (!$LENDIAN);
-+.quad 0x0001020304050607,0x1011121314151617
-+___
-+$code.=<<___ if ($LENDIAN); # quad-swapped
-+.quad 0x1011121314151617,0x0001020304050607
-+___
-+} else {
-+ local *table = sub {
-+ foreach(@_) { $code.=".long $_,$_,$_,$_\n"; }
-+ };
-+ table(
-+ "0x428a2f98","0x71374491","0xb5c0fbcf","0xe9b5dba5",
-+ "0x3956c25b","0x59f111f1","0x923f82a4","0xab1c5ed5",
-+ "0xd807aa98","0x12835b01","0x243185be","0x550c7dc3",
-+ "0x72be5d74","0x80deb1fe","0x9bdc06a7","0xc19bf174",
-+ "0xe49b69c1","0xefbe4786","0x0fc19dc6","0x240ca1cc",
-+ "0x2de92c6f","0x4a7484aa","0x5cb0a9dc","0x76f988da",
-+ "0x983e5152","0xa831c66d","0xb00327c8","0xbf597fc7",
-+ "0xc6e00bf3","0xd5a79147","0x06ca6351","0x14292967",
-+ "0x27b70a85","0x2e1b2138","0x4d2c6dfc","0x53380d13",
-+ "0x650a7354","0x766a0abb","0x81c2c92e","0x92722c85",
-+ "0xa2bfe8a1","0xa81a664b","0xc24b8b70","0xc76c51a3",
-+ "0xd192e819","0xd6990624","0xf40e3585","0x106aa070",
-+ "0x19a4c116","0x1e376c08","0x2748774c","0x34b0bcb5",
-+ "0x391c0cb3","0x4ed8aa4a","0x5b9cca4f","0x682e6ff3",
-+ "0x748f82ee","0x78a5636f","0x84c87814","0x8cc70208",
-+ "0x90befffa","0xa4506ceb","0xbef9a3f7","0xc67178f2","0");
-+$code.=<<___ if (!$LENDIAN);
-+.long 0x00010203,0x10111213,0x10111213,0x10111213
-+.long 0x00010203,0x04050607,0x10111213,0x10111213
-+.long 0x00010203,0x04050607,0x08090a0b,0x10111213
-+___
-+$code.=<<___ if ($LENDIAN); # word-swapped
-+.long 0x10111213,0x10111213,0x10111213,0x00010203
-+.long 0x10111213,0x10111213,0x04050607,0x00010203
-+.long 0x10111213,0x08090a0b,0x04050607,0x00010203
-+___
-+}
-+$code.=<<___;
-+.asciz "SHA${bits} for PowerISA 2.07, CRYPTOGAMS by <appro\@openssl.org>"
-+.align 2
-+___
-+
-+$code =~ s/\`([^\`]*)\`/eval $1/gem;
-+print $code;
-+close STDOUT;
diff --git a/openssl-1.0.1e-rpmbuild.patch b/openssl-1.0.1e-rpmbuild.patch
deleted file mode 100644
index 14b2ba9..0000000
--- a/openssl-1.0.1e-rpmbuild.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-diff -up openssl-1.0.1e/Configure.rpmbuild openssl-1.0.1e/Configure
---- openssl-1.0.1e/Configure.rpmbuild 2014-08-13 19:19:53.211005598 +0200
-+++ openssl-1.0.1e/Configure 2014-08-13 19:29:21.704099285 +0200
-@@ -345,24 +345,24 @@ my %table=(
- ####
- # *-generic* is endian-neutral target, but ./config is free to
- # throw in -D[BL]_ENDIAN, whichever appropriate...
--"linux-generic32","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-generic32","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
-+"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- # It's believed that majority of ARM toolchains predefine appropriate -march.
- # If you compiler does not, do complement config command line with one!
--"linux-armv4", "gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-armv4", "gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- #### IA-32 targets...
- "linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
- ####
--"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
--"linux-ppc64le","gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
--"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
-+"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
-+"linux-ppc64le","gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
-+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
--"linux64-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
-+"linux64-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
- #### So called "highgprs" target for z/Architecture CPUs
- # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
- # /proc/cpuinfo. The idea is to preserve most significant bits of
-@@ -376,16 +376,17 @@ my %table=(
- # ldconfig and run-time linker to autodiscover. Unfortunately it
- # doesn't work just yet, because of couple of bugs in glibc
- # sysdeps/s390/dl-procinfo.c affecting ldconfig and ld.so.1...
--"linux32-s390x", "gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/highgprs",
-+"linux32-s390x", "gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::/highgprs",
- #### SPARC Linux setups
- # Ray Miller <ray.miller at computing-services.oxford.ac.uk> has patiently
- # assisted with debugging of following two configs.
--"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-sparcv8","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- # it's a real mess with -mcpu=ultrasparc option under Linux, but
- # -Wa,-Av8plus should do the trick no matter what.
--"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- # GCC 3.1 is a requirement
--"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux64-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
-+"linux-aarch64","gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
- #### Alpha Linux with GNU C and Compaq C setups
- # Special notes:
- # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
-@@ -399,8 +400,8 @@ my %table=(
- #
- # <appro at fy.chalmers.se>
- #
--"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-alpha-gcc","gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
-+"linux-alpha+bwx-gcc","gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
- "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
-
-@@ -1675,7 +1676,7 @@ while (<IN>)
- elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
- {
- my $sotmp = $1;
-- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
-+ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
- }
- elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
- {
-diff -up openssl-1.0.1e/Makefile.org.rpmbuild openssl-1.0.1e/Makefile.org
---- openssl-1.0.1e/Makefile.org.rpmbuild 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/Makefile.org 2014-08-13 19:19:53.218005759 +0200
-@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
- SHLIB_MAJOR=
- SHLIB_MINOR=
- SHLIB_EXT=
-+SHLIB_SONAMEVER=10
- PLATFORM=dist
- OPTIONS=
- CONFIGURE_ARGS=
-@@ -333,10 +334,9 @@ clean-shared:
- link-shared:
- @ set -e; for i in $(SHLIBDIRS); do \
- $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
-- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
-+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
- LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
- symlink.$(SHLIB_TARGET); \
-- libs="$$libs -l$$i"; \
- done
-
- build-shared: do_$(SHLIB_TARGET) link-shared
-@@ -347,7 +347,7 @@ do_$(SHLIB_TARGET):
- libs="$(LIBKRB5) $$libs"; \
- fi; \
- $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
-- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
-+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
- LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
- LIBDEPS="$$libs $(EX_LIBS)" \
- link_a.$(SHLIB_TARGET); \
diff --git a/openssl-1.0.1e-secure-getenv.patch b/openssl-1.0.1e-secure-getenv.patch
deleted file mode 100644
index eb8034d..0000000
--- a/openssl-1.0.1e-secure-getenv.patch
+++ /dev/null
@@ -1,244 +0,0 @@
-diff -up openssl-1.0.1e/crypto/conf/conf_api.c.secure-getenv openssl-1.0.1e/crypto/conf/conf_api.c
---- openssl-1.0.1e/crypto/conf/conf_api.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/conf/conf_api.c 2013-02-19 13:02:02.531188124 +0100
-@@ -63,6 +63,8 @@
- # define NDEBUG
- #endif
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <assert.h>
- #include <stdlib.h>
- #include <string.h>
-@@ -142,7 +144,7 @@ char *_CONF_get_string(const CONF *conf,
- if (v != NULL) return(v->value);
- if (strcmp(section,"ENV") == 0)
- {
-- p=getenv(name);
-+ p=secure_getenv(name);
- if (p != NULL) return(p);
- }
- }
-@@ -155,7 +157,7 @@ char *_CONF_get_string(const CONF *conf,
- return(NULL);
- }
- else
-- return(getenv(name));
-+ return (secure_getenv(name));
- }
-
- #if 0 /* There's no way to provide error checking with this function, so
-diff -up openssl-1.0.1e/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.1e/crypto/conf/conf_mod.c
---- openssl-1.0.1e/crypto/conf/conf_mod.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/conf/conf_mod.c 2013-02-19 13:02:02.531188124 +0100
-@@ -56,6 +56,8 @@
- *
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include <ctype.h>
- #include <openssl/crypto.h>
-@@ -548,8 +550,8 @@ char *CONF_get1_default_config_file(void
- char *file;
- int len;
-
-- file = getenv("OPENSSL_CONF");
-- if (file)
-+ file = secure_getenv("OPENSSL_CONF");
-+ if (file)
- return BUF_strdup(file);
-
- len = strlen(X509_get_default_cert_area());
-diff -up openssl-1.0.1e/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1e/crypto/engine/eng_list.c
---- openssl-1.0.1e/crypto/engine/eng_list.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/engine/eng_list.c 2013-02-19 13:02:02.536188233 +0100
-@@ -61,6 +61,8 @@
- * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include "eng_int.h"
-
- /* The linked-list of pointers to engine types. engine_list_head
-@@ -399,9 +401,9 @@ ENGINE *ENGINE_by_id(const char *id)
- if (strcmp(id, "dynamic"))
- {
- #ifdef OPENSSL_SYS_VMS
-- if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]";
-+ if(OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]";
- #else
-- if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;
-+ if((load_dir = secure_getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;
- #endif
- iterator = ENGINE_by_id("dynamic");
- if(!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
-diff -up openssl-1.0.1e/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.1e/crypto/md5/md5_dgst.c
---- openssl-1.0.1e/crypto/md5/md5_dgst.c.secure-getenv 2013-02-19 13:02:02.492187275 +0100
-+++ openssl-1.0.1e/crypto/md5/md5_dgst.c 2013-02-19 13:02:02.537188254 +0100
-@@ -56,6 +56,8 @@
- * [including the GNU Public Licence.]
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include "md5_locl.h"
- #include <openssl/opensslv.h>
-@@ -74,7 +76,7 @@ const char MD5_version[]="MD5" OPENSSL_V
- int MD5_Init(MD5_CTX *c)
- #ifdef OPENSSL_FIPS
- {
-- if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
-+ if (FIPS_mode() && secure_getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
- OpenSSLDie(__FILE__, __LINE__, \
- "Digest MD5 forbidden in FIPS mode!");
- return private_MD5_Init(c);
-diff -up openssl-1.0.1e/crypto/o_init.c.secure-getenv openssl-1.0.1e/crypto/o_init.c
---- openssl-1.0.1e/crypto/o_init.c.secure-getenv 2013-02-19 13:02:02.428185882 +0100
-+++ openssl-1.0.1e/crypto/o_init.c 2013-02-19 13:02:02.538188276 +0100
-@@ -52,6 +52,8 @@
- *
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <e_os.h>
- #include <openssl/err.h>
- #ifdef OPENSSL_FIPS
-@@ -71,7 +73,7 @@ static void init_fips_mode(void)
- char buf[2] = "0";
- int fd;
-
-- if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
-+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
- {
- buf[0] = '1';
- }
-diff -up openssl-1.0.1e/crypto/rand/randfile.c.secure-getenv openssl-1.0.1e/crypto/rand/randfile.c
---- openssl-1.0.1e/crypto/rand/randfile.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/rand/randfile.c 2013-02-19 13:03:06.971591052 +0100
-@@ -60,6 +60,8 @@
- #if !defined(OPENSSL_SYS_VXWORKS)
- #define _XOPEN_SOURCE 500
- #endif
-+/* for secure_getenv */
-+#define _GNU_SOURCE
-
- #include <errno.h>
- #include <stdio.h>
-@@ -277,8 +279,7 @@ const char *RAND_file_name(char *buf, si
- struct stat sb;
- #endif
-
-- if (OPENSSL_issetugid() == 0)
-- s=getenv("RANDFILE");
-+ s=secure_getenv("RANDFILE");
- if (s != NULL && *s && strlen(s) + 1 < size)
- {
- if (BUF_strlcpy(buf,s,size) >= size)
-@@ -286,8 +287,7 @@ const char *RAND_file_name(char *buf, si
- }
- else
- {
-- if (OPENSSL_issetugid() == 0)
-- s=getenv("HOME");
-+ s=secure_getenv("HOME");
- #ifdef DEFAULT_HOME
- if (s == NULL)
- {
-diff -up openssl-1.0.1e/crypto/x509/by_dir.c.secure-getenv openssl-1.0.1e/crypto/x509/by_dir.c
---- openssl-1.0.1e/crypto/x509/by_dir.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/x509/by_dir.c 2013-02-19 13:02:02.539188298 +0100
-@@ -56,6 +56,8 @@
- * [including the GNU Public Licence.]
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include <time.h>
- #include <errno.h>
-@@ -135,7 +137,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
- case X509_L_ADD_DIR:
- if (argl == X509_FILETYPE_DEFAULT)
- {
-- dir=(char *)getenv(X509_get_default_cert_dir_env());
-+ dir=(char *)secure_getenv(X509_get_default_cert_dir_env());
- if (dir)
- ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
- else
-diff -up openssl-1.0.1e/crypto/x509/by_file.c.secure-getenv openssl-1.0.1e/crypto/x509/by_file.c
---- openssl-1.0.1e/crypto/x509/by_file.c.secure-getenv 2013-02-19 13:02:02.236181701 +0100
-+++ openssl-1.0.1e/crypto/x509/by_file.c 2013-02-19 13:02:02.554188624 +0100
-@@ -56,6 +56,8 @@
- * [including the GNU Public Licence.]
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include <time.h>
- #include <errno.h>
-@@ -100,7 +102,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
- case X509_L_FILE_LOAD:
- if (argl == X509_FILETYPE_DEFAULT)
- {
-- file = (char *)getenv(X509_get_default_cert_file_env());
-+ file = (char *)secure_getenv(X509_get_default_cert_file_env());
- if (file)
- ok = (X509_load_cert_crl_file(ctx,file,
- X509_FILETYPE_PEM) != 0);
-diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.1e/crypto/x509/x509_vfy.c
---- openssl-1.0.1e/crypto/x509/x509_vfy.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2013-02-19 13:02:02.556188668 +0100
-@@ -56,6 +56,8 @@
- * [including the GNU Public Licence.]
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include <time.h>
- #include <errno.h>
-@@ -481,7 +483,7 @@ static int check_chain_extensions(X509_S
- !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
- /* A hack to keep people who don't want to modify their
- software happy */
-- if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
-+ if (secure_getenv("OPENSSL_ALLOW_PROXY_CERTS"))
- allow_proxy_certs = 1;
- purpose = ctx->param->purpose;
- }
-diff -up openssl-1.0.1e/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.1e/engines/ccgost/gost_ctl.c
---- openssl-1.0.1e/engines/ccgost/gost_ctl.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/engines/ccgost/gost_ctl.c 2013-02-19 13:02:02.557188690 +0100
-@@ -6,6 +6,8 @@
- * Implementation of control commands for GOST engine *
- * OpenSSL 0.9.9 libraries required *
- **********************************************************************/
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdlib.h>
- #include <string.h>
- #include <openssl/crypto.h>
-@@ -65,7 +67,7 @@ const char *get_gost_engine_param(int pa
- {
- return gost_params[param];
- }
-- tmp = getenv(gost_envnames[param]);
-+ tmp = secure_getenv(gost_envnames[param]);
- if (tmp)
- {
- if (gost_params[param]) OPENSSL_free(gost_params[param]);
-@@ -79,7 +81,7 @@ int gost_set_default_param(int param, co
- {
- const char *tmp;
- if (param <0 || param >GOST_PARAM_MAX) return 0;
-- tmp = getenv(gost_envnames[param]);
-+ tmp = secure_getenv(gost_envnames[param]);
- /* if there is value in the environment, use it, else -passed string * */
- if (!tmp) tmp=value;
- if (gost_params[param]) OPENSSL_free(gost_params[param]);
diff --git a/openssl-1.0.1e-version.patch b/openssl-1.0.1e-version.patch
deleted file mode 100644
index e73f2c9..0000000
--- a/openssl-1.0.1e-version.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-diff -up openssl-1.0.1e/crypto/cversion.c.version openssl-1.0.1e/crypto/cversion.c
---- openssl-1.0.1e/crypto/cversion.c.version 2013-02-11 16:02:47.000000000 +0100
-+++ openssl-1.0.1e/crypto/cversion.c 2013-07-26 12:28:12.739161925 +0200
-@@ -62,7 +62,7 @@
- #include "buildinf.h"
- #endif
-
--const char *SSLeay_version(int t)
-+const char *_current_SSLeay_version(int t)
- {
- if (t == SSLEAY_VERSION)
- return OPENSSL_VERSION_TEXT;
-@@ -110,8 +110,25 @@ const char *SSLeay_version(int t)
- return("not available");
- }
-
--unsigned long SSLeay(void)
-+const char *_original_SSLeay_version(int t)
-+ {
-+ if (t == SSLEAY_VERSION)
-+ return "OpenSSL 1.0.0-fips 29 Mar 2010";
-+ else
-+ return _current_SSLeay_version(t);
-+ }
-+
-+unsigned long _original_SSLeay(void)
-+ {
-+ return(0x10000003);
-+ }
-+
-+unsigned long _current_SSLeay(void)
- {
- return(SSLEAY_VERSION_NUMBER);
- }
-
-+__asm__(".symver _original_SSLeay,SSLeay@");
-+__asm__(".symver _original_SSLeay_version,SSLeay_version@");
-+__asm__(".symver _current_SSLeay,SSLeay@@OPENSSL_1.0.1");
-+__asm__(".symver _current_SSLeay_version,SSLeay_version@@OPENSSL_1.0.1");
-diff -up openssl-1.0.1e/Makefile.shared.version openssl-1.0.1e/Makefile.shared
---- openssl-1.0.1e/Makefile.shared.version 2013-07-26 12:23:43.615545603 +0200
-+++ openssl-1.0.1e/Makefile.shared 2013-07-26 12:23:43.701547398 +0200
-@@ -151,7 +151,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
- SHLIB_SUFFIX=; \
- ALLSYMSFLAGS='-Wl,--whole-archive'; \
- NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
-+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,--default-symver,--version-script=version.map -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
-
- DO_GNU_APP=LDFLAGS="$(CFLAGS)"
-
-diff -up openssl-1.0.1e/version.map.version openssl-1.0.1e/version.map
---- openssl-1.0.1e/version.map.version 2013-07-26 12:23:43.701547398 +0200
-+++ openssl-1.0.1e/version.map 2013-07-26 12:29:10.698371472 +0200
-@@ -0,0 +1,8 @@
-+OPENSSL_1.0.1 {
-+ global:
-+ SSLeay;
-+ SSLeay_version;
-+ local:
-+ _original*;
-+ _current*;
-+};
diff --git a/openssl-1.0.1e-weak-ciphers.patch b/openssl-1.0.1e-weak-ciphers.patch
deleted file mode 100644
index 8657345..0000000
--- a/openssl-1.0.1e-weak-ciphers.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up openssl-1.0.1e/ssl/ssl.h.weak-ciphers openssl-1.0.1e/ssl/ssl.h
---- openssl-1.0.1e/ssl/ssl.h.weak-ciphers 2013-12-18 15:50:40.881620314 +0100
-+++ openssl-1.0.1e/ssl/ssl.h 2013-12-18 14:25:25.596566704 +0100
-@@ -331,7 +331,7 @@ extern "C" {
- /* The following cipher list is used by default.
- * It also is substituted when an application-defined cipher list string
- * starts with 'DEFAULT'. */
--#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2"
-+#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES"
- /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
- * starts with a reasonable order, and all we have to do for DEFAULT is
- * throwing out anonymous and unencrypted ciphersuites!
diff --git a/openssl-1.0.1h-disable-sslv2v3.patch b/openssl-1.0.1h-disable-sslv2v3.patch
deleted file mode 100644
index 7a028aa..0000000
--- a/openssl-1.0.1h-disable-sslv2v3.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -up openssl-1.0.1h/ssl/ssl_lib.c.v2v3 openssl-1.0.1h/ssl/ssl_lib.c
---- openssl-1.0.1h/ssl/ssl_lib.c.v2v3 2014-06-11 16:02:52.000000000 +0200
-+++ openssl-1.0.1h/ssl/ssl_lib.c 2014-06-30 14:18:04.290248080 +0200
-@@ -1875,6 +1875,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
- */
- ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
-
-+ /* Disable SSLv2 by default (affects the SSLv23_method() only) */
-+ ret->options |= SSL_OP_NO_SSLv2;
-+
- return(ret);
- err:
- SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
diff --git a/openssl-1.0.1h-ipv6-apps.patch b/openssl-1.0.1h-ipv6-apps.patch
deleted file mode 100644
index db6b543..0000000
--- a/openssl-1.0.1h-ipv6-apps.patch
+++ /dev/null
@@ -1,529 +0,0 @@
-diff -up openssl-1.0.1h/apps/s_apps.h.ipv6-apps openssl-1.0.1h/apps/s_apps.h
---- openssl-1.0.1h/apps/s_apps.h.ipv6-apps 2014-06-05 14:33:38.515668750 +0200
-+++ openssl-1.0.1h/apps/s_apps.h 2014-06-05 14:33:38.540669335 +0200
-@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
- #define PORT_STR "4433"
- #define PROTOCOL "tcp"
-
--int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
-+int do_server(char *port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
- #ifdef HEADER_X509_H
- int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
- #endif
-@@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok,
- int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
- int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
- #endif
--int init_client(int *sock, char *server, int port, int type);
-+int init_client(int *sock, char *server, char *port, int type);
- int should_retry(int i);
--int extract_port(char *str, short *port_ptr);
--int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p);
-+int extract_host_port(char *str,char **host_ptr,char **port_ptr);
-
- long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
- int argi, long argl, long ret);
-diff -up openssl-1.0.1h/apps/s_client.c.ipv6-apps openssl-1.0.1h/apps/s_client.c
---- openssl-1.0.1h/apps/s_client.c.ipv6-apps 2014-06-05 14:33:38.533669171 +0200
-+++ openssl-1.0.1h/apps/s_client.c 2014-06-05 14:33:38.540669335 +0200
-@@ -567,7 +567,7 @@ int MAIN(int argc, char **argv)
- int cbuf_len,cbuf_off;
- int sbuf_len,sbuf_off;
- fd_set readfds,writefds;
-- short port=PORT;
-+ char *port_str = PORT_STR;
- int full_log=1;
- char *host=SSL_HOST_NAME;
- char *cert_file=NULL,*key_file=NULL;
-@@ -668,13 +668,12 @@ int MAIN(int argc, char **argv)
- else if (strcmp(*argv,"-port") == 0)
- {
- if (--argc < 1) goto bad;
-- port=atoi(*(++argv));
-- if (port == 0) goto bad;
-+ port_str= *(++argv);
- }
- else if (strcmp(*argv,"-connect") == 0)
- {
- if (--argc < 1) goto bad;
-- if (!extract_host_port(*(++argv),&host,NULL,&port))
-+ if (!extract_host_port(*(++argv),&host,&port_str))
- goto bad;
- }
- else if (strcmp(*argv,"-verify") == 0)
-@@ -1267,7 +1266,7 @@ bad:
-
- re_start:
-
-- if (init_client(&s,host,port,socket_type) == 0)
-+ if (init_client(&s,host,port_str,socket_type) == 0)
- {
- BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
- SHUTDOWN(s);
-diff -up openssl-1.0.1h/apps/s_server.c.ipv6-apps openssl-1.0.1h/apps/s_server.c
---- openssl-1.0.1h/apps/s_server.c.ipv6-apps 2014-06-05 14:33:38.533669171 +0200
-+++ openssl-1.0.1h/apps/s_server.c 2014-06-05 14:33:38.541669358 +0200
-@@ -933,7 +933,7 @@ int MAIN(int argc, char *argv[])
- {
- X509_VERIFY_PARAM *vpm = NULL;
- int badarg = 0;
-- short port=PORT;
-+ char *port_str = PORT_STR;
- char *CApath=NULL,*CAfile=NULL;
- unsigned char *context = NULL;
- char *dhfile = NULL;
-@@ -1004,8 +1004,7 @@ int MAIN(int argc, char *argv[])
- (strcmp(*argv,"-accept") == 0))
- {
- if (--argc < 1) goto bad;
-- if (!extract_port(*(++argv),&port))
-- goto bad;
-+ port_str= *(++argv);
- }
- else if (strcmp(*argv,"-verify") == 0)
- {
-@@ -1892,9 +1891,9 @@ bad:
- BIO_printf(bio_s_out,"ACCEPT\n");
- (void)BIO_flush(bio_s_out);
- if (www)
-- do_server(port,socket_type,&accept_socket,www_body, context);
-+ do_server(port_str,socket_type,&accept_socket,www_body, context);
- else
-- do_server(port,socket_type,&accept_socket,sv_body, context);
-+ do_server(port_str,socket_type,&accept_socket,sv_body, context);
- print_stats(bio_s_out,ctx);
- ret=0;
- end:
-diff -up openssl-1.0.1h/apps/s_socket.c.ipv6-apps openssl-1.0.1h/apps/s_socket.c
---- openssl-1.0.1h/apps/s_socket.c.ipv6-apps 2014-06-05 11:44:33.000000000 +0200
-+++ openssl-1.0.1h/apps/s_socket.c 2014-06-05 14:39:53.226442195 +0200
-@@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha
- static void ssl_sock_cleanup(void);
- #endif
- static int ssl_sock_init(void);
--static int init_client_ip(int *sock,unsigned char ip[4], int port, int type);
--static int init_server(int *sock, int port, int type);
--static int init_server_long(int *sock, int port,char *ip, int type);
-+static int init_server(int *sock, char *port, int type);
- static int do_accept(int acc_sock, int *sock, char **host);
- static int host_ip(char *str, unsigned char ip[4]);
-
-@@ -234,57 +232,71 @@ static int ssl_sock_init(void)
- return(1);
- }
-
--int init_client(int *sock, char *host, int port, int type)
-+int init_client(int *sock, char *host, char *port, int type)
- {
-- unsigned char ip[4];
--
-- memset(ip, '\0', sizeof ip);
-- if (!host_ip(host,&(ip[0])))
-- return 0;
-- return init_client_ip(sock,ip,port,type);
-- }
--
--static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
-- {
-- unsigned long addr;
-- struct sockaddr_in them;
-- int s,i;
-+ struct addrinfo *res, *res0, hints;
-+ char * failed_call = NULL;
-+ int s;
-+ int e;
-
- if (!ssl_sock_init()) return(0);
-
-- memset((char *)&them,0,sizeof(them));
-- them.sin_family=AF_INET;
-- them.sin_port=htons((unsigned short)port);
-- addr=(unsigned long)
-- ((unsigned long)ip[0]<<24L)|
-- ((unsigned long)ip[1]<<16L)|
-- ((unsigned long)ip[2]<< 8L)|
-- ((unsigned long)ip[3]);
-- them.sin_addr.s_addr=htonl(addr);
--
-- if (type == SOCK_STREAM)
-- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
-- else /* ( type == SOCK_DGRAM) */
-- s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP);
--
-- if (s == INVALID_SOCKET) { perror("socket"); return(0); }
-+ memset(&hints, '\0', sizeof(hints));
-+ hints.ai_socktype = type;
-+ hints.ai_flags = AI_ADDRCONFIG;
-+
-+ e = getaddrinfo(host, port, &hints, &res);
-+ if (e)
-+ {
-+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
-+ if (e == EAI_SYSTEM)
-+ perror("getaddrinfo");
-+ return (0);
-+ }
-
-+ res0 = res;
-+ while (res)
-+ {
-+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
-+ if (s == INVALID_SOCKET)
-+ {
-+ failed_call = "socket";
-+ goto nextres;
-+ }
- #if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
- if (type == SOCK_STREAM)
- {
-- i=0;
-- i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
-- if (i < 0) { closesocket(s); perror("keepalive"); return(0); }
-+ int i=0;
-+ i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,
-+ (char *)&i,sizeof(i));
-+ if (i < 0) {
-+ failed_call = "keepalive";
-+ goto nextres;
-+ }
- }
- #endif
--
-- if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1)
-- { closesocket(s); perror("connect"); return(0); }
-+ if (connect(s,(struct sockaddr *)res->ai_addr,
-+ res->ai_addrlen) == 0)
-+ {
-+ freeaddrinfo(res0);
- *sock=s;
- return(1);
- }
-
--int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
-+ failed_call = "socket";
-+nextres:
-+ if (s != INVALID_SOCKET)
-+ close(s);
-+ res = res->ai_next;
-+ }
-+ freeaddrinfo(res0);
-+ closesocket(s);
-+
-+ perror(failed_call);
-+ return(0);
-+ }
-+
-+int do_server(char *port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
- {
- int sock;
- char *name = NULL;
-@@ -322,33 +334,50 @@ int do_server(int port, int type, int *r
- }
- }
-
--static int init_server_long(int *sock, int port, char *ip, int type)
-+static int init_server(int *sock, char *port, int type)
- {
-- int ret=0;
-- struct sockaddr_in server;
-- int s= -1;
-+ struct addrinfo *res, *res0 = NULL, hints;
-+ char * failed_call = NULL;
-+ int s = INVALID_SOCKET;
-+ int e;
-
- if (!ssl_sock_init()) return(0);
-
-- memset((char *)&server,0,sizeof(server));
-- server.sin_family=AF_INET;
-- server.sin_port=htons((unsigned short)port);
-- if (ip == NULL)
-- server.sin_addr.s_addr=INADDR_ANY;
-- else
--/* Added for T3E, address-of fails on bit field (beckman at acl.lanl.gov) */
--#ifndef BIT_FIELD_LIMITS
-- memcpy(&server.sin_addr.s_addr,ip,4);
--#else
-- memcpy(&server.sin_addr,ip,4);
--#endif
-+ memset(&hints, '\0', sizeof(hints));
-+ hints.ai_family = AF_INET6;
-+tryipv4:
-+ hints.ai_socktype = type;
-+ hints.ai_flags = AI_PASSIVE;
-
-- if (type == SOCK_STREAM)
-- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
-- else /* type == SOCK_DGRAM */
-- s=socket(AF_INET, SOCK_DGRAM,IPPROTO_UDP);
-+ e = getaddrinfo(NULL, port, &hints, &res);
-+ if (e)
-+ {
-+ if (hints.ai_family == AF_INET)
-+ {
-+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
-+ if (e == EAI_SYSTEM)
-+ perror("getaddrinfo");
-+ return (0);
-+ }
-+ else
-+ res = NULL;
-+ }
-
-- if (s == INVALID_SOCKET) goto err;
-+ res0 = res;
-+ while (res)
-+ {
-+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
-+ if (s == INVALID_SOCKET)
-+ {
-+ failed_call = "socket";
-+ goto nextres;
-+ }
-+ if (hints.ai_family == AF_INET6)
-+ {
-+ int j = 0;
-+ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
-+ (void *) &j, sizeof j);
-+ }
- #if defined SOL_SOCKET && defined SO_REUSEADDR
- {
- int j = 1;
-@@ -356,35 +385,49 @@ static int init_server_long(int *sock, i
- (void *) &j, sizeof j);
- }
- #endif
-- if (bind(s,(struct sockaddr *)&server,sizeof(server)) == -1)
-+
-+ if (bind(s,(struct sockaddr *)res->ai_addr, res->ai_addrlen) == -1)
- {
--#ifndef OPENSSL_SYS_WINDOWS
-- perror("bind");
--#endif
-- goto err;
-+ failed_call = "bind";
-+ goto nextres;
- }
-- /* Make it 128 for linux */
-- if (type==SOCK_STREAM && listen(s,128) == -1) goto err;
-- *sock=s;
-- ret=1;
--err:
-- if ((ret == 0) && (s != -1))
-+ if (type==SOCK_STREAM && listen(s,128) == -1)
- {
-- SHUTDOWN(s);
-+ failed_call = "listen";
-+ goto nextres;
- }
-- return(ret);
-+
-+ *sock=s;
-+ return(1);
-+
-+nextres:
-+ if (s != INVALID_SOCKET)
-+ close(s);
-+ res = res->ai_next;
- }
-+ if (res0)
-+ freeaddrinfo(res0);
-
--static int init_server(int *sock, int port, int type)
-+ if (s == INVALID_SOCKET)
- {
-- return(init_server_long(sock, port, NULL, type));
-+ if (hints.ai_family == AF_INET6)
-+ {
-+ hints.ai_family = AF_INET;
-+ goto tryipv4;
-+ }
-+ perror("socket");
-+ return(0);
-+ }
-+
-+ perror(failed_call);
-+ return(0);
- }
-
- static int do_accept(int acc_sock, int *sock, char **host)
- {
-+ static struct sockaddr_storage from;
-+ char buffer[NI_MAXHOST];
- int ret;
-- struct hostent *h1,*h2;
-- static struct sockaddr_in from;
- int len;
- /* struct linger ling; */
-
-@@ -424,145 +467,66 @@ redoit:
- ling.l_onoff=1;
- ling.l_linger=0;
- i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
-- if (i < 0) { perror("linger"); return(0); }
-+ if (i < 0) { closesocket(ret); perror("linger"); return(0); }
- i=0;
- i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
-- if (i < 0) { perror("keepalive"); return(0); }
-+ if (i < 0) { closesocket(ret); perror("keepalive"); return(0); }
- */
-
- if (host == NULL) goto end;
--#ifndef BIT_FIELD_LIMITS
-- /* I should use WSAAsyncGetHostByName() under windows */
-- h1=gethostbyaddr((char *)&from.sin_addr.s_addr,
-- sizeof(from.sin_addr.s_addr),AF_INET);
--#else
-- h1=gethostbyaddr((char *)&from.sin_addr,
-- sizeof(struct in_addr),AF_INET);
--#endif
-- if (h1 == NULL)
-+
-+ if (getnameinfo((struct sockaddr *)&from, sizeof(from),
-+ buffer, sizeof(buffer),
-+ NULL, 0, 0))
- {
-- BIO_printf(bio_err,"bad gethostbyaddr\n");
-+ BIO_printf(bio_err,"getnameinfo failed\n");
- *host=NULL;
- /* return(0); */
- }
- else
- {
-- if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
-+ if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL)
- {
- perror("OPENSSL_malloc");
- closesocket(ret);
- return(0);
- }
-- BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
--
-- h2=GetHostByName(*host);
-- if (h2 == NULL)
-- {
-- BIO_printf(bio_err,"gethostbyname failure\n");
-- closesocket(ret);
-- return(0);
-- }
-- if (h2->h_addrtype != AF_INET)
-- {
-- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
-- closesocket(ret);
-- return(0);
-- }
-+ strcpy(*host, buffer);
- }
- end:
- *sock=ret;
- return(1);
- }
-
--int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
-- short *port_ptr)
-+int extract_host_port(char *str, char **host_ptr,
-+ char **port_ptr)
- {
-- char *h,*p;
-+ char *h,*p,*x;
-
-- h=str;
-- p=strchr(str,':');
-+ x=h=str;
-+ if (*h == '[')
-+ {
-+ h++;
-+ p=strchr(h,']');
- if (p == NULL)
- {
-- BIO_printf(bio_err,"no port defined\n");
-+ BIO_printf(bio_err,"no ending bracket for IPv6 address\n");
- return(0);
- }
- *(p++)='\0';
--
-- if ((ip != NULL) && !host_ip(str,ip))
-- goto err;
-- if (host_ptr != NULL) *host_ptr=h;
--
-- if (!extract_port(p,port_ptr))
-- goto err;
-- return(1);
--err:
-- return(0);
-+ x = p;
- }
--
--static int host_ip(char *str, unsigned char ip[4])
-- {
-- unsigned int in[4];
-- int i;
--
-- if (sscanf(str,"%u.%u.%u.%u",&(in[0]),&(in[1]),&(in[2]),&(in[3])) == 4)
-- {
-- for (i=0; i<4; i++)
-- if (in[i] > 255)
-- {
-- BIO_printf(bio_err,"invalid IP address\n");
-- goto err;
-- }
-- ip[0]=in[0];
-- ip[1]=in[1];
-- ip[2]=in[2];
-- ip[3]=in[3];
-- }
-- else
-- { /* do a gethostbyname */
-- struct hostent *he;
--
-- if (!ssl_sock_init()) return(0);
--
-- he=GetHostByName(str);
-- if (he == NULL)
-- {
-- BIO_printf(bio_err,"gethostbyname failure\n");
-- goto err;
-- }
-- /* cast to short because of win16 winsock definition */
-- if ((short)he->h_addrtype != AF_INET)
-+ p=strchr(x,':');
-+ if (p == NULL)
- {
-- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
-- return(0);
-- }
-- ip[0]=he->h_addr_list[0][0];
-- ip[1]=he->h_addr_list[0][1];
-- ip[2]=he->h_addr_list[0][2];
-- ip[3]=he->h_addr_list[0][3];
-- }
-- return(1);
--err:
-+ BIO_printf(bio_err,"no port defined\n");
- return(0);
- }
-+ *(p++)='\0';
-
--int extract_port(char *str, short *port_ptr)
-- {
-- int i;
-- struct servent *s;
-+ if (host_ptr != NULL) *host_ptr=h;
-+ if (port_ptr != NULL) *port_ptr=p;
-
-- i=atoi(str);
-- if (i != 0)
-- *port_ptr=(unsigned short)i;
-- else
-- {
-- s=getservbyname(str,"tcp");
-- if (s == NULL)
-- {
-- BIO_printf(bio_err,"getservbyname failure for %s\n",str);
-- return(0);
-- }
-- *port_ptr=ntohs((unsigned short)s->s_port);
-- }
- return(1);
- }
-
diff --git a/openssl-1.0.1h-system-cipherlist.patch b/openssl-1.0.1h-system-cipherlist.patch
deleted file mode 100644
index c7c5106..0000000
--- a/openssl-1.0.1h-system-cipherlist.patch
+++ /dev/null
@@ -1,289 +0,0 @@
-diff -up openssl-1.0.1h/Configure.system openssl-1.0.1h/Configure
---- openssl-1.0.1h/Configure.system 2014-06-05 14:47:37.509312875 +0200
-+++ openssl-1.0.1h/Configure 2014-06-11 14:05:28.560359069 +0200
-@@ -10,7 +10,7 @@ use strict;
-
- # see INSTALL for instructions.
-
--my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
-+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
-
- # Options:
- #
-@@ -35,6 +35,9 @@ my $usage="Usage: Configure [no-<cipher>
- # --with-krb5-flavor Declare what flavor of Kerberos 5 is used. Currently
- # supported values are "MIT" and "Heimdal". A value is required.
- #
-+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
-+# cipher is specified (default).
-+#
- # --test-sanity Make a number of sanity checks on the data in this file.
- # This is a debugging tool for OpenSSL developers.
- #
-@@ -663,6 +666,7 @@ my $prefix="";
- my $libdir="";
- my $openssldir="";
- my $enginesdir="";
-+my $system_ciphers_file="";
- my $exe_ext="";
- my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
- my $cross_compile_prefix="";
-@@ -895,6 +899,10 @@ PROCESS_ARGS:
- {
- $enginesdir=$1;
- }
-+ elsif (/^--system-ciphers-file=(.*)$/)
-+ {
-+ $system_ciphers_file=$1;
-+ }
- elsif (/^--install.prefix=(.*)$/)
- {
- $install_prefix=$1;
-@@ -1053,6 +1061,7 @@ print "Configuring for $target\n";
-
- &usage if (!defined($table{$target}));
-
-+chop $system_ciphers_file if $system_ciphers_file =~ /\/$/;
-
- foreach (sort (keys %disabled))
- {
-@@ -1607,6 +1616,7 @@ while (<IN>)
- s/^INSTALLTOP=.*$/INSTALLTOP=$prefix/;
- s/^MULTILIB=.*$/MULTILIB=$multilib/;
- s/^OPENSSLDIR=.*$/OPENSSLDIR=$openssldir/;
-+ s/^SYSTEM_CIPHERS_FILE=.*$/SYSTEM_CIPHERS_FILE=$system_ciphers_file/;
- s/^LIBDIR=.*$/LIBDIR=$libdir/;
- s/^INSTALL_PREFIX=.*$/INSTALL_PREFIX=$install_prefix/;
- s/^PLATFORM=.*$/PLATFORM=$target/;
-@@ -1812,6 +1822,14 @@ while (<IN>)
- $foo =~ s/\\/\\\\/g;
- print OUT "#define ENGINESDIR \"$foo\"\n";
- }
-+ elsif (/^#((define)|(undef))\s+SYSTEM_CIPHERS_FILE/)
-+ {
-+ my $foo = "$system_ciphers_file";
-+ if ($foo ne '') {
-+ $foo =~ s/\\/\\\\/g;
-+ print OUT "#define SYSTEM_CIPHERS_FILE \"$foo\"\n";
-+ }
-+ }
- elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/)
- { printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n"
- if $export_var_as_fn;
-diff -up openssl-1.0.1h/crypto/opensslconf.h.in.system openssl-1.0.1h/crypto/opensslconf.h.in
---- openssl-1.0.1h/crypto/opensslconf.h.in.system 2014-06-05 14:47:37.437311188 +0200
-+++ openssl-1.0.1h/crypto/opensslconf.h.in 2014-06-11 13:31:44.497722345 +0200
-@@ -25,6 +25,8 @@
- #endif
- #endif
-
-+#undef SYSTEM_CIPHERS_FILE
-+
- #undef OPENSSL_UNISTD
- #define OPENSSL_UNISTD <unistd.h>
-
-diff -up openssl-1.0.1h/ssl/ssl_ciph.c.system openssl-1.0.1h/ssl/ssl_ciph.c
---- openssl-1.0.1h/ssl/ssl_ciph.c.system 2014-06-05 14:47:37.441311282 +0200
-+++ openssl-1.0.1h/ssl/ssl_ciph.c 2014-06-11 13:55:28.194381937 +0200
-@@ -1352,6 +1352,54 @@ static int ssl_cipher_process_rulestr(co
- return(retval);
- }
-
-+#ifdef SYSTEM_CIPHERS_FILE
-+static char* load_system_str(const char* suffix)
-+ {
-+ FILE* fp;
-+ char buf[1024];
-+ char *new_rules;
-+ unsigned len, slen;
-+
-+ fp = fopen(SYSTEM_CIPHERS_FILE, "r");
-+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL)
-+ {
-+ /* cannot open or file is empty */
-+ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
-+ }
-+
-+ if (fp)
-+ fclose(fp);
-+
-+ slen = strlen(suffix);
-+ len = strlen(buf);
-+
-+ if (buf[len-1] == '\n')
-+ {
-+ len--;
-+ buf[len] = 0;
-+ }
-+ if (buf[len-1] == '\r')
-+ {
-+ len--;
-+ buf[len] = 0;
-+ }
-+
-+ new_rules = OPENSSL_malloc(len + slen + 1);
-+ if (new_rules == 0)
-+ return NULL;
-+
-+ memcpy(new_rules, buf, len);
-+ if (slen > 0)
-+ {
-+ memcpy(&new_rules[len], suffix, slen);
-+ len += slen;
-+ }
-+ new_rules[len] = 0;
-+
-+ return new_rules;
-+ }
-+#endif
-+
- STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
- STACK_OF(SSL_CIPHER) **cipher_list,
- STACK_OF(SSL_CIPHER) **cipher_list_by_id,
-@@ -1359,16 +1407,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- {
- int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
- unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl;
-- STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
-+ STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list;
- const char *rule_p;
- CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
- const SSL_CIPHER **ca_list = NULL;
-+#ifdef SYSTEM_CIPHERS_FILE
-+ char *new_rules = NULL;
-+
-+ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0)
-+ {
-+ char *p = rule_str + 14;
-+
-+ new_rules = load_system_str(p);
-+ rule_str = new_rules;
-+ }
-+#endif
-
- /*
- * Return with error if nothing to do.
- */
- if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
-- return NULL;
-+ {
-+ goto end;
-+ }
-
- /*
- * To reduce the work to do we only want to process the compiled
-@@ -1389,7 +1450,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- if (co_list == NULL)
- {
- SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
-- return(NULL); /* Failure */
-+ goto end;
- }
-
- ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
-@@ -1431,8 +1492,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- * in force within each class */
- if (!ssl_cipher_strength_sort(&head, &tail))
- {
-- OPENSSL_free(co_list);
-- return NULL;
-+ goto end;
- }
-
- /* Now disable everything (maintaining the ordering!) */
-@@ -1452,9 +1512,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- ca_list = OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
- if (ca_list == NULL)
- {
-- OPENSSL_free(co_list);
- SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
-- return(NULL); /* Failure */
-+ goto end;
- }
- ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
- disabled_mkey, disabled_auth, disabled_enc,
-@@ -1482,8 +1541,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
-
- if (!ok)
- { /* Rule processing failure */
-- OPENSSL_free(co_list);
-- return(NULL);
-+ goto end;
- }
-
- /*
-@@ -1492,8 +1550,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- */
- if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL)
- {
-- OPENSSL_free(co_list);
-- return(NULL);
-+ goto end;
- }
-
- /*
-@@ -1514,13 +1571,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- #endif
- }
- }
-- OPENSSL_free(co_list); /* Not needed any longer */
-
- tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
- if (tmp_cipher_list == NULL)
- {
- sk_SSL_CIPHER_free(cipherstack);
-- return NULL;
-+ cipherstack = NULL;
-+ goto end;
- }
- if (*cipher_list != NULL)
- sk_SSL_CIPHER_free(*cipher_list);
-@@ -1531,6 +1588,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
-
- sk_SSL_CIPHER_sort(*cipher_list_by_id);
-+
-+end:
-+ OPENSSL_free(co_list);
-+#ifdef SYSTEM_CIPHERS_FILE
-+ OPENSSL_free(new_rules);
-+#endif
- return(cipherstack);
- }
-
-diff -up openssl-1.0.1h/ssl/ssl.h.system openssl-1.0.1h/ssl/ssl.h
---- openssl-1.0.1h/ssl/ssl.h.system 2014-06-05 14:47:37.000000000 +0200
-+++ openssl-1.0.1h/ssl/ssl.h 2014-06-11 14:08:35.243461447 +0200
-@@ -338,6 +338,11 @@ extern "C" {
- * (The latter are not actually enabled by ALL, but "ALL:RSA" would enable
- * some of them.)
- */
-+#ifdef SYSTEM_CIPHERS_FILE
-+#define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM"
-+#else
-+#define SSL_SYSTEM_DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST
-+#endif
-
- /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
- #define SSL_SENT_SHUTDOWN 1
-diff -up openssl-1.0.1h/ssl/ssl_lib.c.system openssl-1.0.1h/ssl/ssl_lib.c
---- openssl-1.0.1h/ssl/ssl_lib.c.system 2014-06-05 11:44:33.000000000 +0200
-+++ openssl-1.0.1h/ssl/ssl_lib.c 2014-06-11 13:59:40.696578139 +0200
-@@ -263,7 +263,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
-
- sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list),
- &(ctx->cipher_list_by_id),
-- meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST);
-+ meth->version == SSL2_VERSION ? "SSLv2" : SSL_SYSTEM_DEFAULT_CIPHER_LIST);
- if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0))
- {
- SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
-@@ -1767,7 +1767,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
-
- ssl_create_cipher_list(ret->method,
- &ret->cipher_list,&ret->cipher_list_by_id,
-- meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST);
-+ meth->version == SSL2_VERSION ? "SSLv2" : SSL_SYSTEM_DEFAULT_CIPHER_LIST);
- if (ret->cipher_list == NULL
- || sk_SSL_CIPHER_num(ret->cipher_list) <= 0)
- {
diff --git a/openssl-1.0.1i-manfix.patch b/openssl-1.0.1i-manfix.patch
deleted file mode 100644
index f2f8be7..0000000
--- a/openssl-1.0.1i-manfix.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-diff -up openssl-1.0.1i/doc/apps/ec.pod.manfix openssl-1.0.1i/doc/apps/ec.pod
---- openssl-1.0.1i/doc/apps/ec.pod.manfix 2014-07-22 21:41:23.000000000 +0200
-+++ openssl-1.0.1i/doc/apps/ec.pod 2014-08-07 11:21:57.258887741 +0200
-@@ -93,10 +93,6 @@ prints out the public, private key compo
-
- this option prevents output of the encoded version of the key.
-
--=item B<-modulus>
--
--this option prints out the value of the public key component of the key.
--
- =item B<-pubin>
-
- by default a private key is read from the input file: with this option a
-diff -up openssl-1.0.1i/doc/apps/openssl.pod.manfix openssl-1.0.1i/doc/apps/openssl.pod
---- openssl-1.0.1i/doc/apps/openssl.pod.manfix 2014-07-22 21:43:11.000000000 +0200
-+++ openssl-1.0.1i/doc/apps/openssl.pod 2014-08-07 11:21:57.259887746 +0200
-@@ -163,7 +163,7 @@ Create or examine a netscape certificate
-
- Online Certificate Status Protocol utility.
-
--=item L<B<passwd>|passwd(1)>
-+=item L<B<passwd>|sslpasswd(1)>
-
- Generation of hashed passwords.
-
-@@ -187,7 +187,7 @@ Public key algorithm parameter managemen
-
- Public key algorithm cryptographic operation utility.
-
--=item L<B<rand>|rand(1)>
-+=item L<B<rand>|sslrand(1)>
-
- Generate pseudo-random bytes.
-
-@@ -401,9 +401,9 @@ L<crl(1)|crl(1)>, L<crl2pkcs7(1)|crl2pkc
- L<dhparam(1)|dhparam(1)>, L<dsa(1)|dsa(1)>, L<dsaparam(1)|dsaparam(1)>,
- L<enc(1)|enc(1)>, L<gendsa(1)|gendsa(1)>, L<genpkey(1)|genpkey(1)>,
- L<genrsa(1)|genrsa(1)>, L<nseq(1)|nseq(1)>, L<openssl(1)|openssl(1)>,
--L<passwd(1)|passwd(1)>,
-+L<sslpasswd(1)|sslpasswd(1)>,
- L<pkcs12(1)|pkcs12(1)>, L<pkcs7(1)|pkcs7(1)>, L<pkcs8(1)|pkcs8(1)>,
--L<rand(1)|rand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
-+L<sslrand(1)|sslrand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
- L<rsautl(1)|rsautl(1)>, L<s_client(1)|s_client(1)>,
- L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>,
- L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
-diff -up openssl-1.0.1i/doc/apps/s_client.pod.manfix openssl-1.0.1i/doc/apps/s_client.pod
---- openssl-1.0.1i/doc/apps/s_client.pod.manfix 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/doc/apps/s_client.pod 2014-08-07 11:24:28.736604443 +0200
-@@ -34,9 +34,14 @@ B<openssl> B<s_client>
- [B<-ssl2>]
- [B<-ssl3>]
- [B<-tls1>]
-+[B<-tls1_1>]
-+[B<-tls1_2>]
-+[B<-dtls1>]
- [B<-no_ssl2>]
- [B<-no_ssl3>]
- [B<-no_tls1>]
-+[B<-no_tls1_1>]
-+[B<-no_tls1_2>]
- [B<-bugs>]
- [B<-cipher cipherlist>]
- [B<-serverpref>]
-@@ -196,7 +201,7 @@ Use the PSK key B<key> when using a PSK
- given as a hexadecimal number without leading 0x, for example -psk
- 1a2b3c4d.
-
--=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
-+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
-
- these options disable the use of certain SSL or TLS protocols. By default
- the initial handshake uses a method which should be compatible with all
-diff -up openssl-1.0.1i/doc/apps/s_server.pod.manfix openssl-1.0.1i/doc/apps/s_server.pod
---- openssl-1.0.1i/doc/apps/s_server.pod.manfix 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/doc/apps/s_server.pod 2014-08-07 11:21:57.259887746 +0200
-@@ -216,7 +216,7 @@ Use the PSK key B<key> when using a PSK
- given as a hexadecimal number without leading 0x, for example -psk
- 1a2b3c4d.
-
--=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
-+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
-
- these options disable the use of certain SSL or TLS protocols. By default
- the initial handshake uses a method which should be compatible with all
diff --git a/openssl-1.0.1i-new-fips-reqs.patch b/openssl-1.0.1i-new-fips-reqs.patch
deleted file mode 100644
index e33494c..0000000
--- a/openssl-1.0.1i-new-fips-reqs.patch
+++ /dev/null
@@ -1,1377 +0,0 @@
-diff -up openssl-1.0.1i/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.1i/crypto/bn/bn_rand.c
---- openssl-1.0.1i/crypto/bn/bn_rand.c.fips-reqs 2014-07-22 21:43:11.000000000 +0200
-+++ openssl-1.0.1i/crypto/bn/bn_rand.c 2014-08-13 19:58:06.818832577 +0200
-@@ -138,9 +138,12 @@ static int bnrand(int pseudorand, BIGNUM
- goto err;
- }
-
-- /* make a random number and set the top and bottom bits */
-- time(&tim);
-- RAND_add(&tim,sizeof(tim),0.0);
-+ if (!FIPS_mode()) /* in FIPS mode the RNG is always properly seeded or the module fails */
-+ {
-+ /* make a random number and set the top and bottom bits */
-+ time(&tim);
-+ RAND_add(&tim,sizeof(tim),0.0);
-+ }
-
- if (pseudorand)
- {
-diff -up openssl-1.0.1i/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.1i/crypto/dh/dh_gen.c
---- openssl-1.0.1i/crypto/dh/dh_gen.c.fips-reqs 2014-08-13 19:58:06.765831356 +0200
-+++ openssl-1.0.1i/crypto/dh/dh_gen.c 2014-08-13 19:58:06.818832577 +0200
-@@ -125,7 +125,7 @@ static int dh_builtin_genparams(DH *ret,
- return 0;
- }
-
-- if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
-+ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN))
- {
- DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
- goto err;
-diff -up openssl-1.0.1i/crypto/dh/dh.h.fips-reqs openssl-1.0.1i/crypto/dh/dh.h
---- openssl-1.0.1i/crypto/dh/dh.h.fips-reqs 2014-08-13 19:58:06.765831356 +0200
-+++ openssl-1.0.1i/crypto/dh/dh.h 2014-08-13 19:58:06.818832577 +0200
-@@ -78,6 +78,7 @@
- #endif
-
- #define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
-+#define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048
-
- #define DH_FLAG_CACHE_MONT_P 0x01
- #define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
-diff -up openssl-1.0.1i/crypto/dh/dh_check.c.fips-reqs openssl-1.0.1i/crypto/dh/dh_check.c
---- openssl-1.0.1i/crypto/dh/dh_check.c.fips-reqs 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/crypto/dh/dh_check.c 2014-08-13 19:58:06.818832577 +0200
-@@ -134,7 +134,33 @@ int DH_check_pub_key(const DH *dh, const
- BN_sub_word(q,1);
- if (BN_cmp(pub_key,q)>=0)
- *ret|=DH_CHECK_PUBKEY_TOO_LARGE;
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && dh->q != NULL)
-+ {
-+ BN_CTX *ctx = NULL;
-
-+ ctx = BN_CTX_new();
-+ if (ctx == NULL)
-+ goto err;
-+
-+ if (BN_mod_exp_mont(q, pub_key, dh->q, dh->p, ctx, NULL) <= 0)
-+ {
-+ BN_CTX_free(ctx);
-+ goto err;
-+ }
-+ if (!BN_is_one(q))
-+ {
-+ /* it would be more correct to add new return flag
-+ * for this test, but we do not want to do it
-+ * so just error out
-+ */
-+ BN_CTX_free(ctx);
-+ goto err;
-+ }
-+
-+ BN_CTX_free(ctx);
-+ }
-+#endif
- ok = 1;
- err:
- if (q != NULL) BN_free(q);
-diff -up openssl-1.0.1i/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.1i/crypto/dsa/dsa_gen.c
---- openssl-1.0.1i/crypto/dsa/dsa_gen.c.fips-reqs 2014-08-13 19:58:06.766831380 +0200
-+++ openssl-1.0.1i/crypto/dsa/dsa_gen.c 2014-08-13 19:58:06.818832577 +0200
-@@ -159,7 +159,7 @@ int dsa_builtin_paramgen(DSA *ret, size_
- }
-
- if (FIPS_module_mode() &&
-- (bits != 1024 || qbits != 160) &&
-+ (getenv("OPENSSL_ENFORCE_MODULUS_BITS") || bits != 1024 || qbits != 160) &&
- (bits != 2048 || qbits != 224) &&
- (bits != 2048 || qbits != 256) &&
- (bits != 3072 || qbits != 256))
-diff -up openssl-1.0.1i/crypto/dsa/dsa.h.fips-reqs openssl-1.0.1i/crypto/dsa/dsa.h
---- openssl-1.0.1i/crypto/dsa/dsa.h.fips-reqs 2014-08-13 19:58:06.766831380 +0200
-+++ openssl-1.0.1i/crypto/dsa/dsa.h 2014-08-13 19:58:06.818832577 +0200
-@@ -89,6 +89,7 @@
- #endif
-
- #define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
-+#define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN (getenv("OPENSSL_ENFORCE_MODULUS_BITS")?2048:1024)
-
- #define DSA_FLAG_CACHE_MONT_P 0x01
- #define DSA_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DSA
-@@ -254,9 +255,9 @@ int DSAparams_print_fp(FILE *fp, const D
- int DSA_print_fp(FILE *bp, const DSA *x, int off);
- #endif
-
--#define DSS_prime_checks 50
--/* Primality test according to FIPS PUB 186[-1], Appendix 2.1:
-- * 50 rounds of Rabin-Miller */
-+#define DSS_prime_checks 64
-+/* Primality test according to FIPS PUB 186[-4], Appendix 2.1:
-+ * 64 rounds of Rabin-Miller */
- #define DSA_is_prime(n, callback, cb_arg) \
- BN_is_prime(n, DSS_prime_checks, callback, NULL, cb_arg)
-
-diff -up openssl-1.0.1i/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.1i/crypto/dsa/dsa_key.c
---- openssl-1.0.1i/crypto/dsa/dsa_key.c.fips-reqs 2014-08-13 19:58:06.816832531 +0200
-+++ openssl-1.0.1i/crypto/dsa/dsa_key.c 2014-08-13 19:58:06.818832577 +0200
-@@ -127,7 +127,7 @@ static int dsa_builtin_keygen(DSA *dsa)
-
- #ifdef OPENSSL_FIPS
- if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
-- && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
-+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN))
- {
- DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
- goto err;
-diff -up openssl-1.0.1i/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.1i/crypto/fips/fips_dh_selftest.c
---- openssl-1.0.1i/crypto/fips/fips_dh_selftest.c.fips-reqs 2014-08-13 19:58:06.819832600 +0200
-+++ openssl-1.0.1i/crypto/fips/fips_dh_selftest.c 2014-08-13 19:58:06.819832600 +0200
-@@ -0,0 +1,162 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ * Copyright (c) 2013 Red Hat, Inc.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/dh.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+static const unsigned char dh_test_2048_p[] = {
-+ 0xAE,0xEC,0xEE,0x22,0xFA,0x3A,0xA5,0x22,0xC0,0xDE,0x0F,0x09,
-+ 0x7E,0x17,0xC0,0x05,0xF9,0xF1,0xE7,0xC6,0x87,0x14,0x6D,0x11,
-+ 0xE7,0xAE,0xED,0x2F,0x72,0x59,0xC5,0xA9,0x9B,0xB8,0x02,0xA5,
-+ 0xF3,0x69,0x70,0xD6,0xDD,0x90,0xF9,0x19,0x79,0xBE,0x60,0x8F,
-+ 0x25,0x92,0x30,0x1C,0x51,0x51,0x38,0x26,0x82,0x25,0xE6,0xFC,
-+ 0xED,0x65,0x96,0x8F,0x57,0xE5,0x53,0x8B,0x38,0x63,0xC7,0xCE,
-+ 0xBC,0x1B,0x4D,0x18,0x2A,0x5B,0x04,0x3F,0x6A,0x3C,0x94,0x39,
-+ 0xAE,0x36,0xD6,0x5E,0x0F,0xA2,0xCC,0xD0,0xD4,0xD5,0xC6,0x1E,
-+ 0xF6,0xA0,0xF5,0x89,0x4E,0xB4,0x0B,0xA4,0xB3,0x2B,0x3D,0xE2,
-+ 0x4E,0xE1,0x49,0x25,0x99,0x5F,0x32,0x16,0x33,0x32,0x1B,0x7A,
-+ 0xA5,0x5C,0x6B,0x34,0x0D,0x39,0x99,0xDC,0xF0,0x76,0xE5,0x5A,
-+ 0xD4,0x71,0x00,0xED,0x5A,0x73,0xFB,0xC8,0x01,0xAD,0x99,0xCF,
-+ 0x99,0x52,0x7C,0x9C,0x64,0xC6,0x76,0x40,0x57,0xAF,0x59,0xD7,
-+ 0x38,0x0B,0x40,0xDE,0x33,0x0D,0xB8,0x76,0xEC,0xA9,0xD8,0x73,
-+ 0xF8,0xEF,0x26,0x66,0x06,0x27,0xDD,0x7C,0xA4,0x10,0x9C,0xA6,
-+ 0xAA,0xF9,0x53,0x62,0x73,0x1D,0xBA,0x1C,0xF1,0x67,0xF4,0x35,
-+ 0xED,0x6F,0x37,0x92,0xE8,0x4F,0x6C,0xBA,0x52,0x6E,0xA1,0xED,
-+ 0xDA,0x9F,0x85,0x11,0x82,0x52,0x62,0x08,0x44,0xF1,0x30,0x03,
-+ 0xC3,0x38,0x2C,0x79,0xBD,0xD4,0x43,0x45,0xEE,0x8E,0x50,0xFC,
-+ 0x29,0x46,0x9A,0xFE,0x54,0x1A,0x19,0x8F,0x4B,0x84,0x08,0xDE,
-+ 0x20,0x62,0x73,0xCC,0xDD,0x7E,0xF0,0xEF,0xA2,0xFD,0x86,0x58,
-+ 0x4B,0xD8,0x37,0xEB
-+};
-+
-+static const unsigned char dh_test_2048_g[] = {
-+ 0x02
-+};
-+
-+static const unsigned char dh_test_2048_pub_key[] = {
-+ 0xA0,0x39,0x11,0x77,0x9A,0xC1,0x30,0x1F,0xBE,0x48,0xA7,0xAA,
-+ 0xA0,0x84,0x54,0x64,0xAD,0x1B,0x70,0xFA,0x13,0x55,0x63,0xD2,
-+ 0x1F,0x62,0x32,0x93,0x8E,0xC9,0x3E,0x09,0xA7,0x64,0xE4,0x12,
-+ 0x6E,0x1B,0xF2,0x92,0x3B,0xB9,0xCB,0x56,0xEA,0x07,0x88,0xB5,
-+ 0xA6,0xBC,0x16,0x1F,0x27,0xFE,0xD8,0xAA,0x40,0xB2,0xB0,0x2D,
-+ 0x37,0x76,0xA6,0xA4,0x82,0x2C,0x0E,0x22,0x64,0x9D,0xCB,0xD1,
-+ 0x00,0xB7,0x89,0x14,0x72,0x4E,0xBE,0x48,0x41,0xF8,0xB2,0x51,
-+ 0x11,0x09,0x4B,0x22,0x01,0x23,0x39,0x96,0xE0,0x15,0xD7,0x9F,
-+ 0x60,0xD1,0xB7,0xAE,0xFE,0x5F,0xDB,0xE7,0x03,0x17,0x97,0xA6,
-+ 0x16,0x74,0xBD,0x53,0x81,0x19,0xC5,0x47,0x5E,0xCE,0x8D,0xED,
-+ 0x45,0x5D,0x3C,0x00,0xA0,0x0A,0x68,0x6A,0xE0,0x8E,0x06,0x46,
-+ 0x6F,0xD7,0xF9,0xDF,0x31,0x7E,0x77,0x44,0x0D,0x98,0xE0,0xCA,
-+ 0x98,0x09,0x52,0x04,0x90,0xEA,0x6D,0xF4,0x30,0x69,0x8F,0xB1,
-+ 0x9B,0xC1,0x43,0xDB,0xD5,0x8D,0xC8,0x8E,0xB6,0x0B,0x05,0xBE,
-+ 0x0E,0xC5,0x99,0xC8,0x6E,0x4E,0xF3,0xCB,0xC3,0x5E,0x9B,0x53,
-+ 0xF7,0x06,0x1C,0x4F,0xC7,0xB8,0x6E,0x30,0x18,0xCA,0x9B,0xB9,
-+ 0xBC,0x5F,0x17,0x72,0x29,0x5A,0xE5,0xD9,0x96,0xB7,0x0B,0xF3,
-+ 0x2D,0x8C,0xF1,0xE1,0x0E,0x0D,0x74,0xD5,0x9D,0xF0,0x06,0xA9,
-+ 0xB4,0x95,0x63,0x76,0x46,0x55,0x48,0x82,0x39,0x90,0xEF,0x56,
-+ 0x75,0x34,0xB8,0x34,0xC3,0x18,0x6E,0x1E,0xAD,0xE3,0x48,0x7E,
-+ 0x93,0x2C,0x23,0xE7,0xF8,0x90,0x73,0xB1,0x77,0x80,0x67,0xA9,
-+ 0x36,0x9E,0xDA,0xD2
-+};
-+
-+static const unsigned char dh_test_2048_priv_key[] = {
-+ 0x0C,0x4B,0x30,0x89,0xD1,0xB8,0x62,0xCB,0x3C,0x43,0x64,0x91,
-+ 0xF0,0x91,0x54,0x70,0xC5,0x27,0x96,0xE3,0xAC,0xBE,0xE8,0x00,
-+ 0xEC,0x55,0xF6,0xCC
-+};
-+
-+int FIPS_selftest_dh()
-+ {
-+ DH *dh = NULL;
-+ int ret = 0;
-+ void *pub_key = NULL;
-+ int len;
-+
-+ dh = DH_new();
-+
-+ if(dh == NULL)
-+ goto err;
-+
-+ fips_load_key_component(dh, p, dh_test_2048);
-+ fips_load_key_component(dh, g, dh_test_2048);
-+ /* note that the private key is much shorter than normally used
-+ * but still g ** priv_key > p
-+ */
-+ fips_load_key_component(dh, priv_key, dh_test_2048);
-+
-+ if (DH_generate_key(dh) <= 0)
-+ goto err;
-+
-+ len = BN_num_bytes(dh->pub_key);
-+ if ((pub_key = OPENSSL_malloc(len)) == NULL)
-+ goto err;
-+ BN_bn2bin(dh->pub_key, pub_key);
-+
-+ if (len != sizeof(dh_test_2048_pub_key) ||
-+ memcmp(pub_key, dh_test_2048_pub_key, len) != 0)
-+ goto err;
-+
-+ ret = 1;
-+
-+ err:
-+ if (dh)
-+ DH_free(dh);
-+
-+ OPENSSL_free(pub_key);
-+ return ret;
-+ }
-+#endif
-diff -up openssl-1.0.1i/crypto/fips/fips.h.fips-reqs openssl-1.0.1i/crypto/fips/fips.h
---- openssl-1.0.1i/crypto/fips/fips.h.fips-reqs 2014-08-13 19:58:06.812832439 +0200
-+++ openssl-1.0.1i/crypto/fips/fips.h 2014-08-13 19:58:06.819832600 +0200
-@@ -96,6 +96,7 @@ void FIPS_corrupt_dsa_keygen(void);
- int FIPS_selftest_dsa(void);
- int FIPS_selftest_ecdsa(void);
- int FIPS_selftest_ecdh(void);
-+int FIPS_selftest_dh(void);
- void FIPS_corrupt_rng(void);
- void FIPS_rng_stick(void);
- void FIPS_x931_stick(int onoff);
-diff -up openssl-1.0.1i/crypto/fips/fips_post.c.fips-reqs openssl-1.0.1i/crypto/fips/fips_post.c
---- openssl-1.0.1i/crypto/fips/fips_post.c.fips-reqs 2014-08-13 19:58:06.809832370 +0200
-+++ openssl-1.0.1i/crypto/fips/fips_post.c 2014-08-13 19:58:06.819832600 +0200
-@@ -99,6 +99,8 @@ int FIPS_selftest(void)
- rv = 0;
- if (!FIPS_selftest_dsa())
- rv = 0;
-+ if (!FIPS_selftest_dh())
-+ rv = 0;
- if (!FIPS_selftest_ecdh())
- rv = 0;
- return rv;
-diff -up openssl-1.0.1i/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.1i/crypto/fips/fips_rsa_selftest.c
---- openssl-1.0.1i/crypto/fips/fips_rsa_selftest.c.fips-reqs 2014-08-13 19:58:06.779831679 +0200
-+++ openssl-1.0.1i/crypto/fips/fips_rsa_selftest.c 2014-08-13 19:59:16.491437297 +0200
-@@ -60,69 +60,113 @@
- #ifdef OPENSSL_FIPS
-
- static const unsigned char n[] =
--"\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
--"\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
--"\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD"
--"\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80"
--"\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25"
--"\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39"
--"\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68"
--"\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD"
--"\xCB";
-+"\x00\xc9\xd5\x6d\x9d\x90\xdb\x43\xd6\x02\xed\x96\x88\x13\x8a"
-+"\xb2\xbf\x6e\xa1\x06\x10\xb2\x78\x37\xa7\x14\xa8\xff\xdd\x00"
-+"\xdd\xb4\x93\xa0\x45\xcc\x96\x90\xed\xad\xa9\xdd\xc4\xd6\xca"
-+"\x0c\xf0\xed\x4f\x72\x5e\x21\x49\x9a\x18\x12\x15\x8f\x90\x5a"
-+"\xdb\xb6\x33\x99\xa3\xe6\xb4\xf0\xc4\x97\x21\x26\xbb\xe3\xba"
-+"\xf2\xff\xa0\x72\xda\x89\x63\x8e\x8b\x3e\x08\x9d\x92\x2a\xbe"
-+"\x16\xe1\x43\x15\xfc\x57\xc7\x1f\x09\x11\x67\x1c\xa9\x96\xd1"
-+"\x8b\x3e\x80\x93\xc1\x59\xd0\x6d\x39\xf2\xac\x95\xcc\x10\x75"
-+"\xe9\x31\x24\xd1\x43\xaf\x68\x52\x4b\xe7\x16\xd7\x49\x65\x6f"
-+"\x26\xc0\x86\xad\xc0\x07\x0a\xc1\xe1\x2f\x87\x85\x86\x3b\xdc"
-+"\x5a\x99\xbe\xe9\xf9\xb9\xe9\x82\x27\x51\x04\x15\xab\x06\x0e"
-+"\x76\x5a\x28\x8d\x92\xbd\xc5\xb5\x7b\xa8\xdf\x4e\x47\xa2\xc1"
-+"\xe7\x52\xbf\x47\xf7\x62\xe0\x3a\x6f\x4d\x6a\x4d\x4e\xd4\xb9"
-+"\x59\x69\xfa\xb2\x14\xc1\xee\xe6\x2f\x95\xcd\x94\x72\xae\xe4"
-+"\xdb\x18\x9a\xc4\xcd\x70\xbd\xee\x31\x16\xb7\x49\x65\xac\x40"
-+"\x19\x0e\xb5\x6d\x83\xf1\x36\xbb\x08\x2f\x2e\x4e\x92\x62\xa4"
-+"\xff\x50\xdb\x20\x45\xa2\xeb\x16\x7a\xf2\xd5\x28\xc1\xfd\x4e"
-+"\x03\x71";
-+
-
- static int corrupt_rsa;
-
- static int setrsakey(RSA *key)
- {
-- static const unsigned char e[] = "\x11";
-+ static const unsigned char e[] = "\x01\x00\x01";
-
- static const unsigned char d[] =
--"\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD"
--"\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41"
--"\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69"
--"\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA"
--"\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94"
--"\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A"
--"\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
--"\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
--"\xC1";
-+"\x36\x27\x3d\xb1\xf9\x1b\xdb\xa7\xa0\x41\x7f\x12\x23\xac\x23"
-+"\x29\x99\xd5\x3a\x7b\x60\x67\x41\x07\x63\x53\xb4\xd2\xe7\x58"
-+"\x95\x0a\xc7\x05\xf3\x4e\xb2\xb4\x12\xd4\x70\xdc\x4f\x85\x06"
-+"\xd3\xdd\xd8\x63\x27\x3e\x67\x31\x21\x24\x39\x04\xbc\x06\xa4"
-+"\xcc\xce\x2b\x7a\xfe\x7b\xad\xde\x11\x6e\xa3\xa5\xe6\x04\x53"
-+"\x0e\xa3\x4e\x2d\xb4\x8f\x31\xbf\xca\x75\x25\x52\x02\x85\xde"
-+"\x3d\xb2\x72\x43\xb2\x89\x8a\x9a\x34\x41\x26\x3f\x9a\x67\xbe"
-+"\xa4\x96\x7b\x0e\x75\xba\xa6\x93\xd5\xb8\xd8\xb8\x57\xf2\x4b"
-+"\x0f\x14\x81\xd1\x57\x4e\xf6\x45\x4c\xa6\x3b\xd0\x70\xca\xd3"
-+"\x9d\x55\xde\x22\x05\xe7\x8e\x28\x4d\xee\x11\xcf\xb6\x67\x76"
-+"\x09\xd3\xe3\x3c\x13\xf9\x99\x34\x10\x7b\xec\x81\x38\xf0\xb6"
-+"\x34\x9c\x9b\x50\x6f\x0b\x91\x81\x4d\x89\x94\x04\x7b\xf0\x3c"
-+"\xf4\xb1\xb2\x00\x48\x8d\x5a\x8f\x88\x9e\xc5\xab\x3a\x9e\x44"
-+"\x3f\x54\xe7\xd9\x6e\x47\xaa\xa1\xbd\x40\x46\x31\xf9\xf0\x34"
-+"\xb6\x04\xe1\x2b\x5b\x73\x86\xdd\x3a\x92\x1b\x71\xc7\x3f\x32"
-+"\xe5\xc3\xc2\xab\xa1\x7e\xbf\xa4\x52\xa0\xb0\x68\x90\xd1\x20"
-+"\x12\x79\xe9\xd7\xc9\x40\xba\xf2\x19\xc7\xa5\x00\x92\x86\x0d"
-+"\x01";
-
- static const unsigned char p[] =
--"\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
--"\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
--"\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
--"\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
--"\x99";
-+"\x00\xfc\x5c\x6e\x16\xce\x1f\x03\x7b\xcd\xf7\xb3\x72\xb2\x8f"
-+"\x16\x72\xb8\x56\xae\xf7\xcd\x67\xd8\x4e\x7d\x07\xaf\xd5\x43"
-+"\x26\xc3\x35\xbe\x43\x8f\x4e\x2f\x1c\x43\x4e\x6b\xd2\xb2\xec"
-+"\x52\x6d\x97\x52\x2b\xcc\x5c\x3a\x6b\xf4\x14\xc6\x74\xda\x66"
-+"\x38\x1c\x7a\x3f\x84\x2f\xe3\xf9\x5a\xb8\x65\x69\x46\x06\xa3"
-+"\x37\x79\xb2\xa1\x5b\x58\xed\x5e\xa7\x5f\x8c\x65\x66\xbb\xd1"
-+"\x24\x36\xe6\x37\xa7\x3d\x49\x77\x8a\x8c\x34\xd8\x69\x29\xf3"
-+"\x4d\x58\x22\xb0\x51\x24\xb6\x40\xa8\x86\x59\x0a\xb7\xba\x5c"
-+"\x97\xda\x57\xe8\x36\xda\x7a\x9c\xad";
-
- static const unsigned char q[] =
--"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
--"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
--"\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
--"\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
--"\x03";
-+"\x00\xcc\xbe\x7b\x09\x69\x06\xee\x45\xbf\x88\x47\x38\xa8\xf8"
-+"\x17\xe5\xb6\xba\x67\x55\xe3\xe8\x05\x8b\xb8\xe2\x53\xd6\x8e"
-+"\xef\x2c\xe7\x4f\x4a\xf7\x4e\x26\x8d\x85\x0b\x3f\xec\xc3\x1c"
-+"\xd4\xeb\xec\x6a\xc8\x72\x2a\x25\x7d\xfd\xa6\x77\x96\xf0\x1e"
-+"\xcd\x28\x57\xf8\x37\x30\x75\x6b\xbd\xd4\x7b\x0c\x87\xc5\x6c"
-+"\x87\x40\xa5\xbb\x27\x2c\x78\xc9\x74\x5a\x54\x5b\x0b\x30\x6f"
-+"\x44\x4a\xfa\x71\xe4\x21\x61\x66\xf9\xee\x65\xde\x7c\x04\xd7"
-+"\xfd\xa9\x15\x5b\x7f\xe2\x7a\xba\x69\x86\x72\xa6\x06\x8d\x9b"
-+"\x90\x55\x60\x9e\x4c\x5d\xa9\xb6\x55";
-+
-
- static const unsigned char dmp1[] =
--"\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
--"\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
--"\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
--"\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81";
-+"\x7a\xd6\x12\xd0\x0e\xec\x91\xa9\x85\x8b\xf8\x50\xf0\x11\x2e"
-+"\x00\x11\x32\x40\x60\x66\x1f\x11\xee\xc2\x75\x27\x65\x4b\x16"
-+"\x67\x16\x95\xd2\x14\xc3\x1d\xb3\x48\x1f\xb7\xe4\x0b\x2b\x74"
-+"\xc3\xdb\x50\x27\xf9\x85\x3a\xfa\xa9\x08\x23\xc1\x65\x3d\x34"
-+"\x3a\xc8\x56\x7a\x65\x45\x36\x6e\xae\x2a\xce\x9f\x43\x43\xd7"
-+"\x10\xe9\x9e\x18\xf4\xa4\x35\xda\x8a\x6b\xb0\x3f\xdd\x53\xe3"
-+"\xa8\xc5\x4e\x79\x9d\x1f\x51\x8c\xa2\xca\x66\x3c\x6a\x2a\xff"
-+"\x8e\xd2\xf3\xb7\xcb\x82\xda\xde\x2c\xe6\xd2\x8c\xb3\xad\xb6"
-+"\x4c\x95\x55\x76\xbd\xc9\xc8\xd1";
-+
-
- static const unsigned char dmq1[] =
--"\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
--"\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
--"\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
--"\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D";
--
-+"\x00\x83\x23\x1d\xbb\x11\x42\x17\x2b\x25\x5a\x2c\x03\xe6\x75"
-+"\xc1\x18\xa8\xc9\x0b\x96\xbf\xba\xc4\x92\x91\x80\xa5\x22\x2f"
-+"\xba\x91\x90\x36\x01\x56\x15\x00\x2c\x74\xa2\x97\xf7\x15\xa1"
-+"\x49\xdf\x32\x35\xd2\xdd\x0c\x91\xa6\xf8\xe7\xbe\x81\x36\x9b"
-+"\x03\xdc\x6b\x3b\xd8\x5d\x79\x57\xe0\xe6\x4f\x49\xdf\x4c\x5c"
-+"\x0e\xe5\x21\x41\x95\xfd\xad\xff\x9a\x3e\xa0\xf9\x0f\x59\x9e"
-+"\x6a\xa7\x7b\x71\xa7\x24\x9a\x36\x52\xae\x97\x20\xc1\x5e\x78"
-+"\xd9\x47\x8b\x1e\x67\xf2\xaf\x98\xe6\x2d\xef\x10\xd7\xf1\xab"
-+"\x49\xee\xe5\x4b\x7e\xae\x1f\x1d\x61";
-+
-+
- static const unsigned char iqmp[] =
--"\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
--"\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
--"\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
--"\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
--"\xF7";
-+"\x23\x96\xc1\x91\x17\x5e\x0a\x83\xd2\xdc\x7b\x69\xb2\x59\x1d"
-+"\x33\x58\x52\x3f\x18\xc7\x09\x50\x1c\xb9\xa1\xbb\x4c\xa2\x38"
-+"\x40\x4c\x9a\x8e\xfe\x9c\x90\x92\xd0\x71\x9f\x89\x99\x50\x91"
-+"\x1f\x34\x8b\x74\x53\x11\x11\x4a\x70\xe2\xf7\x30\xd8\x8c\x80"
-+"\xe1\xcc\x9f\xf1\x63\x17\x1a\x7d\x67\x29\x4c\xcb\x4e\x74\x7b"
-+"\xe0\x3e\x9e\x2f\xf4\x67\x8f\xec\xb9\x5c\x00\x1e\x7e\xa2\x7b"
-+"\x92\xc9\x6f\x4c\xe4\x0e\xf9\x48\x63\xcd\x50\x22\x5d\xbf\xb6"
-+"\x9d\x01\x33\x6a\xf4\x50\xbe\x86\x98\x4f\xca\x3f\x3a\xfa\xcf"
-+"\x07\x40\xc4\xaa\xad\xae\xbe\xbf";
-
- key->n = BN_bin2bn(n, sizeof(n)-1, key->n);
- if (corrupt_rsa)
-- BN_set_bit(key->n, 1024);
-+ BN_set_bit(key->n, 2048);
- key->e = BN_bin2bn(e, sizeof(e)-1, key->e);
- key->d = BN_bin2bn(d, sizeof(d)-1, key->d);
- key->p = BN_bin2bn(p, sizeof(p)-1, key->p);
-@@ -145,201 +189,291 @@ void FIPS_corrupt_rsa()
- static const unsigned char kat_tbs[] = "OpenSSL FIPS 140-2 Public Key RSA KAT";
-
- static const unsigned char kat_RSA_PSS_SHA1[] = {
-- 0x2D, 0xAF, 0x6E, 0xC2, 0x98, 0xFB, 0x8A, 0xA1, 0xB9, 0x46, 0xDA, 0x0F,
-- 0x01, 0x1E, 0x37, 0x93, 0xC2, 0x55, 0x27, 0xE4, 0x1D, 0xD2, 0x90, 0xBB,
-- 0xF4, 0xBF, 0x4A, 0x74, 0x39, 0x51, 0xBB, 0xE8, 0x0C, 0xB7, 0xF8, 0xD3,
-- 0xD1, 0xDF, 0xE7, 0xBE, 0x80, 0x05, 0xC3, 0xB5, 0xC7, 0x83, 0xD5, 0x4C,
-- 0x7F, 0x49, 0xFB, 0x3F, 0x29, 0x9B, 0xE1, 0x12, 0x51, 0x60, 0xD0, 0xA7,
-- 0x0D, 0xA9, 0x28, 0x56, 0x73, 0xD9, 0x07, 0xE3, 0x5E, 0x3F, 0x9B, 0xF5,
-- 0xB6, 0xF3, 0xF2, 0x5E, 0x74, 0xC9, 0x83, 0x81, 0x47, 0xF0, 0xC5, 0x45,
-- 0x0A, 0xE9, 0x8E, 0x38, 0xD7, 0x18, 0xC6, 0x2A, 0x0F, 0xF8, 0xB7, 0x31,
-- 0xD6, 0x55, 0xE4, 0x66, 0x78, 0x81, 0xD4, 0xE6, 0xDB, 0x9F, 0xBA, 0xE8,
-- 0x23, 0xB5, 0x7F, 0xDC, 0x08, 0xEA, 0xD5, 0x26, 0x1E, 0x20, 0x25, 0x84,
-- 0x26, 0xC6, 0x79, 0xC9, 0x9B, 0x3D, 0x7E, 0xA9
-+ 0xC2, 0x80, 0x82, 0x56, 0xD8, 0xA7, 0xB2, 0x9C, 0xF5, 0xD6, 0x3C, 0xE3,
-+ 0xBF, 0xE9, 0x3A, 0x53, 0x40, 0xAE, 0xF2, 0xA9, 0x6A, 0x39, 0x49, 0x5B,
-+ 0x05, 0x7F, 0x67, 0x38, 0x2E, 0x1D, 0xE1, 0x93, 0x22, 0x65, 0x79, 0x84,
-+ 0x68, 0xFA, 0xD8, 0xAF, 0xA1, 0x98, 0x61, 0x6F, 0x44, 0x27, 0xA6, 0x8B,
-+ 0xCF, 0x0E, 0x13, 0xA9, 0xCE, 0xD7, 0x6C, 0xD2, 0x38, 0xB5, 0x16, 0xB9,
-+ 0x66, 0x94, 0x48, 0xDE, 0x9E, 0x19, 0x3D, 0x6F, 0xB3, 0xA1, 0x9A, 0x19,
-+ 0xDF, 0xFB, 0xAB, 0xA5, 0x9F, 0x38, 0xDA, 0xC9, 0x21, 0x8F, 0xCE, 0x98,
-+ 0x01, 0x3A, 0xC8, 0xE0, 0xDF, 0xDA, 0xFC, 0xF0, 0xA6, 0x86, 0x29, 0xB5,
-+ 0x7F, 0x61, 0xFB, 0xBA, 0xC5, 0x49, 0xB2, 0x7C, 0x6A, 0x26, 0x82, 0xC4,
-+ 0x8F, 0xAA, 0x5B, 0x10, 0xD5, 0xEE, 0xA0, 0x55, 0x42, 0xEF, 0x32, 0x5A,
-+ 0x3F, 0x55, 0xB3, 0x2C, 0x22, 0xE9, 0x65, 0xDA, 0x8D, 0x0A, 0xB9, 0x70,
-+ 0x43, 0xCC, 0x3F, 0x64, 0x9C, 0xB5, 0x65, 0x49, 0xBD, 0x7F, 0x35, 0xC1,
-+ 0x20, 0x85, 0x24, 0xFE, 0xAA, 0x6B, 0x37, 0x04, 0xA1, 0x0E, 0x9D, 0x5C,
-+ 0xBA, 0x7F, 0x14, 0x69, 0xC5, 0x93, 0xB2, 0x33, 0xC2, 0xC0, 0xC7, 0xDF,
-+ 0x7E, 0x9E, 0xA4, 0xB0, 0xA0, 0x64, 0xD2, 0xAC, 0xFC, 0xFD, 0xFD, 0x99,
-+ 0x8F, 0x6A, 0x40, 0x26, 0xC1, 0x2E, 0x4E, 0x8B, 0x33, 0xBE, 0xF1, 0x45,
-+ 0x59, 0x8F, 0x33, 0x40, 0x1D, 0x2A, 0xD2, 0xF7, 0x50, 0x83, 0x89, 0xCF,
-+ 0x94, 0xC6, 0xF8, 0x36, 0xF0, 0x84, 0x0B, 0x85, 0xA5, 0x02, 0xA9, 0x0F,
-+ 0x41, 0x7A, 0x77, 0xA3, 0x2F, 0x47, 0x1E, 0x1D, 0xEC, 0xE6, 0xD3, 0x01,
-+ 0x1E, 0x6F, 0x7A, 0x96, 0x50, 0x37, 0x37, 0x4B, 0x27, 0x52, 0x0B, 0xDC,
-+ 0xDB, 0xC7, 0xA9, 0x31, 0xB2, 0x40, 0xEE, 0x60, 0x41, 0x26, 0x6A, 0x05,
-+ 0xCE, 0x08, 0x1D, 0x89
- };
-
- static const unsigned char kat_RSA_PSS_SHA224[] = {
-- 0x39, 0x4A, 0x6A, 0x20, 0xBC, 0xE9, 0x33, 0xED, 0xEF, 0xC5, 0x58, 0xA7,
-- 0xFE, 0x81, 0xC4, 0x36, 0x50, 0x9A, 0x2C, 0x82, 0x98, 0x08, 0x95, 0xFA,
-- 0xB1, 0x9E, 0xD2, 0x55, 0x61, 0x87, 0x21, 0x59, 0x87, 0x7B, 0x1F, 0x57,
-- 0x30, 0x9D, 0x0D, 0x4A, 0x06, 0xEB, 0x52, 0x37, 0x55, 0x54, 0x1C, 0x89,
-- 0x83, 0x75, 0x59, 0x65, 0x64, 0x90, 0x2E, 0x16, 0xCC, 0x86, 0x05, 0xEE,
-- 0xB1, 0xE6, 0x7B, 0xBA, 0x16, 0x75, 0x0D, 0x0C, 0x64, 0x0B, 0xAB, 0x22,
-- 0x15, 0x78, 0x6B, 0x6F, 0xA4, 0xFB, 0x77, 0x40, 0x64, 0x62, 0xD1, 0xB5,
-- 0x37, 0x1E, 0xE0, 0x3D, 0xA8, 0xF9, 0xD2, 0xBD, 0xAA, 0x38, 0x24, 0x49,
-- 0x58, 0xD2, 0x74, 0x85, 0xF4, 0xB5, 0x93, 0x8E, 0xF5, 0x03, 0xEA, 0x2D,
-- 0xC8, 0x52, 0xFA, 0xCF, 0x7E, 0x35, 0xB0, 0x6A, 0xAF, 0x95, 0xC0, 0x00,
-- 0x54, 0x76, 0x3D, 0x0C, 0x9C, 0xB2, 0xEE, 0xC0
-+ 0xB4, 0x01, 0x93, 0x16, 0x05, 0xF6, 0xEB, 0xE2, 0xA4, 0xEB, 0x48, 0xAA,
-+ 0x00, 0xF4, 0xA1, 0x99, 0x0A, 0xB4, 0xB6, 0x63, 0xE9, 0x68, 0xCA, 0xB3,
-+ 0x13, 0xD7, 0x66, 0x6A, 0xCD, 0xCB, 0x33, 0x9F, 0xE5, 0x84, 0xE2, 0xC3,
-+ 0x0B, 0x53, 0xE5, 0x8B, 0x96, 0x4B, 0xDB, 0x2D, 0x80, 0xA4, 0x1D, 0xE3,
-+ 0x81, 0xDC, 0x52, 0x99, 0xBA, 0x9B, 0x6A, 0x9D, 0x48, 0x1F, 0x73, 0xF7,
-+ 0xAC, 0x09, 0x13, 0xA1, 0x16, 0x2C, 0x60, 0xFB, 0xBC, 0x25, 0xF7, 0x53,
-+ 0xD1, 0x04, 0x5A, 0x3F, 0x95, 0x09, 0x5E, 0xE5, 0xA2, 0x7D, 0xFC, 0x2A,
-+ 0x51, 0x1D, 0x21, 0xCE, 0x2B, 0x4E, 0x1B, 0xB8, 0xCB, 0xDD, 0x24, 0xEE,
-+ 0x99, 0x1D, 0x37, 0xDC, 0xED, 0x5F, 0x2F, 0x48, 0x5E, 0x33, 0x94, 0x06,
-+ 0x19, 0xCD, 0x5A, 0x26, 0x85, 0x77, 0x9D, 0xAF, 0x86, 0x97, 0xC9, 0x08,
-+ 0xD5, 0x81, 0x0E, 0xB8, 0x9F, 0xB6, 0xAF, 0x20, 0x72, 0xDC, 0x13, 0x4D,
-+ 0x7A, 0xE4, 0x5C, 0x81, 0xDE, 0xC0, 0x3D, 0x19, 0x9C, 0x33, 0x11, 0x07,
-+ 0xD5, 0xA9, 0x51, 0x67, 0xCD, 0xFD, 0x37, 0x61, 0x14, 0x9F, 0xE7, 0x70,
-+ 0x18, 0x32, 0xC3, 0x34, 0x54, 0x0D, 0x4F, 0xB4, 0xAE, 0x9F, 0xEC, 0x64,
-+ 0xD8, 0xB2, 0x16, 0xA4, 0xB2, 0x99, 0x92, 0xCB, 0x7F, 0x1F, 0x06, 0x17,
-+ 0x5F, 0xA1, 0x07, 0x68, 0xAE, 0xA7, 0x2D, 0x03, 0x91, 0x2A, 0x9D, 0x69,
-+ 0xC2, 0x9D, 0x90, 0xF7, 0xF9, 0x66, 0x5D, 0x13, 0xB7, 0x7F, 0xD3, 0x97,
-+ 0x45, 0x97, 0x43, 0xD8, 0xCE, 0x3C, 0xF2, 0x98, 0x98, 0xDD, 0xE2, 0x2D,
-+ 0xCF, 0xA1, 0xC4, 0x25, 0x46, 0x2E, 0xD2, 0xE5, 0x5F, 0xC6, 0x01, 0xC5,
-+ 0x4F, 0x42, 0x2B, 0xDE, 0x0F, 0xEA, 0x4A, 0x4F, 0xC3, 0x5B, 0xDF, 0x9B,
-+ 0x5D, 0x30, 0x18, 0x93, 0xD0, 0xDE, 0xC5, 0x09, 0xAA, 0x57, 0x57, 0xBD,
-+ 0x2D, 0x84, 0x03, 0xB7
- };
-
- static const unsigned char kat_RSA_PSS_SHA256[] = {
-- 0x6D, 0x3D, 0xBE, 0x8F, 0x60, 0x6D, 0x25, 0x14, 0xF0, 0x31, 0xE3, 0x89,
-- 0x00, 0x97, 0xFA, 0x99, 0x71, 0x28, 0xE5, 0x10, 0x25, 0x9A, 0xF3, 0x8F,
-- 0x7B, 0xC5, 0xA8, 0x4A, 0x74, 0x51, 0x36, 0xE2, 0x8D, 0x7D, 0x73, 0x28,
-- 0xC1, 0x77, 0xC6, 0x27, 0x97, 0x00, 0x8B, 0x00, 0xA3, 0x96, 0x73, 0x4E,
-- 0x7D, 0x2E, 0x2C, 0x34, 0x68, 0x8C, 0x8E, 0xDF, 0x9D, 0x49, 0x47, 0x05,
-- 0xAB, 0xF5, 0x01, 0xD6, 0x81, 0x47, 0x70, 0xF5, 0x1D, 0x6D, 0x26, 0xBA,
-- 0x2F, 0x7A, 0x54, 0x53, 0x4E, 0xED, 0x71, 0xD9, 0x5A, 0xF3, 0xDA, 0xB6,
-- 0x0B, 0x47, 0x34, 0xAF, 0x90, 0xDC, 0xC8, 0xD9, 0x6F, 0x56, 0xCD, 0x9F,
-- 0x21, 0xB7, 0x7E, 0xAD, 0x7C, 0x2F, 0x75, 0x50, 0x47, 0x12, 0xE4, 0x6D,
-- 0x5F, 0xB7, 0x01, 0xDF, 0xC3, 0x11, 0x6C, 0xA9, 0x9E, 0x49, 0xB9, 0xF6,
-- 0x72, 0xF4, 0xF6, 0xEF, 0x88, 0x1E, 0x2D, 0x1C
-+ 0x38, 0xDA, 0x99, 0x51, 0x26, 0x38, 0xC6, 0x7F, 0xC4, 0x81, 0x57, 0x19,
-+ 0x35, 0xC6, 0xF6, 0x1E, 0x90, 0x47, 0x20, 0x55, 0x47, 0x56, 0x26, 0xE9,
-+ 0xF2, 0xA8, 0x39, 0x6C, 0xD5, 0xCD, 0xCB, 0x55, 0xFC, 0x0C, 0xC5, 0xCB,
-+ 0xF7, 0x40, 0x17, 0x3B, 0xCF, 0xE4, 0x05, 0x03, 0x3B, 0xA0, 0xB2, 0xC9,
-+ 0x0D, 0x5E, 0x48, 0x3A, 0xE9, 0xAD, 0x28, 0x71, 0x7D, 0x8F, 0x89, 0x16,
-+ 0x59, 0x93, 0x35, 0xDC, 0x4D, 0x7B, 0xDF, 0x84, 0xE4, 0x68, 0xAA, 0x33,
-+ 0xAA, 0xDC, 0x66, 0x50, 0xC8, 0xA9, 0x32, 0x12, 0xDC, 0xC6, 0x90, 0x49,
-+ 0x0B, 0x75, 0xFF, 0x9B, 0x95, 0x00, 0x9A, 0x90, 0xE0, 0xD4, 0x0E, 0x67,
-+ 0xAB, 0x3C, 0x47, 0x36, 0xC5, 0x2E, 0x1C, 0x46, 0xF0, 0x2D, 0xD3, 0x8B,
-+ 0x42, 0x08, 0xDE, 0x0D, 0xB6, 0x2C, 0x86, 0xB0, 0x35, 0x71, 0x18, 0x6B,
-+ 0x89, 0x67, 0xC0, 0x05, 0xAD, 0xF4, 0x1D, 0x62, 0x4E, 0x75, 0xEC, 0xD6,
-+ 0xC2, 0xDB, 0x07, 0xB0, 0xB6, 0x8D, 0x15, 0xAD, 0xCD, 0xBF, 0xF5, 0x60,
-+ 0x76, 0xAE, 0x48, 0xB8, 0x77, 0x7F, 0xC5, 0x01, 0xD9, 0x29, 0xBB, 0xD6,
-+ 0x17, 0xA2, 0x20, 0x5A, 0xC0, 0x4A, 0x3B, 0x34, 0xC8, 0xB9, 0x39, 0xCF,
-+ 0x06, 0x89, 0x95, 0x6F, 0xC7, 0xCA, 0xC4, 0xE4, 0x43, 0xDF, 0x5A, 0x23,
-+ 0xE2, 0x89, 0xA3, 0x38, 0x78, 0x31, 0x38, 0xC6, 0xA4, 0x6F, 0x5F, 0x73,
-+ 0x5A, 0xE5, 0x9E, 0x09, 0xE7, 0x6F, 0xD4, 0xF8, 0x3E, 0xB7, 0xB0, 0x56,
-+ 0x9A, 0xF3, 0x65, 0xF0, 0xC2, 0xA6, 0x8A, 0x08, 0xBA, 0x44, 0xAC, 0x97,
-+ 0xDE, 0xB4, 0x16, 0x83, 0xDF, 0xE3, 0xEE, 0x71, 0xFA, 0xF9, 0x51, 0x50,
-+ 0x14, 0xDC, 0xFD, 0x6A, 0x82, 0x20, 0x68, 0x64, 0x7D, 0x4E, 0x82, 0x68,
-+ 0xD7, 0x45, 0xFA, 0x6A, 0xE4, 0xE5, 0x29, 0x3A, 0x70, 0xFB, 0xE4, 0x62,
-+ 0x2B, 0x31, 0xB9, 0x7D
- };
-
- static const unsigned char kat_RSA_PSS_SHA384[] = {
-- 0x40, 0xFB, 0xA1, 0x21, 0xF4, 0xB2, 0x40, 0x9A, 0xB4, 0x31, 0xA8, 0xF2,
-- 0xEC, 0x1C, 0xC4, 0xC8, 0x7C, 0x22, 0x65, 0x9C, 0x57, 0x45, 0xCD, 0x5E,
-- 0x86, 0x00, 0xF7, 0x25, 0x78, 0xDE, 0xDC, 0x7A, 0x71, 0x44, 0x9A, 0xCD,
-- 0xAA, 0x25, 0xF4, 0xB2, 0xFC, 0xF0, 0x75, 0xD9, 0x2F, 0x78, 0x23, 0x7F,
-- 0x6F, 0x02, 0xEF, 0xC1, 0xAF, 0xA6, 0x28, 0x16, 0x31, 0xDC, 0x42, 0x6C,
-- 0xB2, 0x44, 0xE5, 0x4D, 0x66, 0xA2, 0xE6, 0x71, 0xF3, 0xAC, 0x4F, 0xFB,
-- 0x91, 0xCA, 0xF5, 0x70, 0xEF, 0x6B, 0x9D, 0xA4, 0xEF, 0xD9, 0x3D, 0x2F,
-- 0x3A, 0xBE, 0x89, 0x38, 0x59, 0x01, 0xBA, 0xDA, 0x32, 0xAD, 0x42, 0x89,
-- 0x98, 0x8B, 0x39, 0x44, 0xF0, 0xFC, 0x38, 0xAC, 0x87, 0x1F, 0xCA, 0x6F,
-- 0x48, 0xF6, 0xAE, 0xD7, 0x45, 0xEE, 0xAE, 0x88, 0x0E, 0x60, 0xF4, 0x55,
-- 0x48, 0x44, 0xEE, 0x1F, 0x90, 0x18, 0x4B, 0xF1
-+ 0x99, 0x02, 0xC9, 0x1E, 0x31, 0x82, 0xB4, 0xE6, 0x1B, 0x32, 0xCE, 0x5D,
-+ 0x41, 0x1D, 0x00, 0x2F, 0x04, 0x8B, 0xBD, 0x37, 0x79, 0xCF, 0x77, 0x03,
-+ 0x05, 0x6A, 0x21, 0xC7, 0x8D, 0x24, 0x60, 0x49, 0x39, 0x58, 0xC5, 0x27,
-+ 0x8F, 0xC5, 0x97, 0x4A, 0xB2, 0xE1, 0xD4, 0x36, 0x57, 0xBD, 0x43, 0xCC,
-+ 0x7B, 0xCE, 0xF2, 0xA5, 0x30, 0xF8, 0x72, 0x14, 0xBB, 0xD0, 0x9F, 0xC1,
-+ 0x49, 0xC8, 0x1C, 0xAF, 0xCD, 0x95, 0x78, 0x72, 0x25, 0xF9, 0x45, 0xC6,
-+ 0x5B, 0x62, 0x5E, 0x01, 0xD7, 0x40, 0x5E, 0xC8, 0xCA, 0x0A, 0xF3, 0xBA,
-+ 0x08, 0x07, 0x88, 0xCA, 0x49, 0x36, 0x84, 0x7D, 0xF6, 0xFC, 0x5A, 0xDB,
-+ 0xFC, 0x50, 0xD3, 0xEB, 0x3D, 0x83, 0xB0, 0xF5, 0x94, 0x5E, 0x88, 0xC3,
-+ 0x82, 0xCD, 0x53, 0x40, 0x96, 0x18, 0x6B, 0x4A, 0x6C, 0x9C, 0xFE, 0xE5,
-+ 0x3B, 0x75, 0xF9, 0xEB, 0xA5, 0x77, 0x11, 0xEF, 0x88, 0x1C, 0x25, 0x70,
-+ 0x7D, 0x88, 0x5D, 0xC3, 0xCA, 0xE1, 0x49, 0x14, 0x90, 0xAD, 0xF2, 0x5E,
-+ 0x49, 0xD7, 0x99, 0xA5, 0x7B, 0x77, 0x3B, 0x8E, 0xB8, 0xDB, 0xF1, 0x4C,
-+ 0xD6, 0x9A, 0xDC, 0xE5, 0x7A, 0x1C, 0xE1, 0xCE, 0x9D, 0xF1, 0xF3, 0xA0,
-+ 0x0A, 0x35, 0x52, 0x9D, 0xB9, 0x46, 0x94, 0x82, 0x0F, 0xF7, 0xB2, 0x62,
-+ 0x51, 0x70, 0x75, 0xD2, 0x37, 0x96, 0x67, 0x2F, 0xD0, 0x22, 0xD8, 0x07,
-+ 0x8D, 0x69, 0x9E, 0x6D, 0x0B, 0x40, 0x4F, 0x70, 0xEC, 0x0B, 0xCA, 0x88,
-+ 0x80, 0x8D, 0x9A, 0xF4, 0xF9, 0x18, 0x50, 0x27, 0x08, 0xFA, 0xCC, 0xC7,
-+ 0x3F, 0xE4, 0x84, 0x83, 0xA1, 0xB6, 0x1D, 0x23, 0x34, 0xFE, 0x48, 0xE5,
-+ 0xE3, 0xAE, 0x4D, 0x98, 0xBC, 0xA6, 0x8A, 0x9F, 0xFD, 0x4D, 0xDB, 0x9D,
-+ 0xF7, 0xEB, 0x4E, 0xB6, 0x6F, 0x25, 0xEA, 0x7A, 0xE9, 0x85, 0xB2, 0xEF,
-+ 0x90, 0xD2, 0xA6, 0x2B
- };
-
- static const unsigned char kat_RSA_PSS_SHA512[] = {
-- 0x07, 0x1E, 0xD8, 0xD5, 0x05, 0xE8, 0xE6, 0xE6, 0x57, 0xAE, 0x63, 0x8C,
-- 0xC6, 0x83, 0xB7, 0xA0, 0x59, 0xBB, 0xF2, 0xC6, 0x8F, 0x12, 0x53, 0x9A,
-- 0x9B, 0x54, 0x9E, 0xB3, 0xC1, 0x1D, 0x23, 0x4D, 0x51, 0xED, 0x9E, 0xDD,
-- 0x4B, 0xF3, 0x46, 0x9B, 0x6B, 0xF6, 0x7C, 0x24, 0x60, 0x79, 0x23, 0x39,
-- 0x01, 0x1C, 0x51, 0xCB, 0xD8, 0xE9, 0x9A, 0x01, 0x67, 0x5F, 0xFE, 0xD7,
-- 0x7C, 0xE3, 0x7F, 0xED, 0xDB, 0x87, 0xBB, 0xF0, 0x3D, 0x78, 0x55, 0x61,
-- 0x57, 0xE3, 0x0F, 0xE3, 0xD2, 0x9D, 0x0C, 0x2A, 0x20, 0xB0, 0x85, 0x13,
-- 0xC5, 0x47, 0x34, 0x0D, 0x32, 0x15, 0xC8, 0xAE, 0x9A, 0x6A, 0x39, 0x63,
-- 0x2D, 0x60, 0xF5, 0x4C, 0xDF, 0x8A, 0x48, 0x4B, 0xBF, 0xF4, 0xA8, 0xFE,
-- 0x76, 0xF2, 0x32, 0x1B, 0x9C, 0x7C, 0xCA, 0xFE, 0x7F, 0x80, 0xC2, 0x88,
-- 0x5C, 0x97, 0x70, 0xB4, 0x26, 0xC9, 0x14, 0x8B
-+ 0x3F, 0x83, 0x43, 0x78, 0x25, 0xBE, 0x81, 0xB2, 0x6E, 0x78, 0x11, 0x32,
-+ 0xD0, 0x88, 0x05, 0x53, 0x95, 0xED, 0x81, 0x12, 0xCE, 0x50, 0xD9, 0x06,
-+ 0x42, 0x89, 0xA0, 0x55, 0x7A, 0x05, 0x13, 0x94, 0x35, 0x9B, 0xCA, 0x5D,
-+ 0xCB, 0xB2, 0x32, 0xE1, 0x04, 0x99, 0xEC, 0xE7, 0xA6, 0x69, 0x4D, 0x2B,
-+ 0xC1, 0x57, 0x13, 0x48, 0x0D, 0x6B, 0x4D, 0x83, 0x28, 0x06, 0x79, 0x9D,
-+ 0xB4, 0x70, 0xCE, 0xC0, 0xFC, 0x3B, 0x69, 0xB3, 0x91, 0x54, 0xA9, 0x44,
-+ 0x2E, 0xDA, 0x4A, 0xC5, 0xC2, 0x99, 0xF0, 0xDE, 0xCA, 0x77, 0x99, 0x6B,
-+ 0x0C, 0x79, 0xE5, 0x29, 0x74, 0x83, 0x69, 0xEA, 0xB8, 0x72, 0x30, 0x3D,
-+ 0x7A, 0x30, 0xE1, 0x03, 0x7B, 0x09, 0xE6, 0x11, 0xC0, 0xDC, 0xFF, 0xFD,
-+ 0xBD, 0xEC, 0x9C, 0xCC, 0x46, 0x7B, 0x4C, 0x4C, 0x59, 0xBE, 0x82, 0x7C,
-+ 0xF5, 0x60, 0x5A, 0xC3, 0xE8, 0xA8, 0x8A, 0x38, 0x9E, 0x01, 0x57, 0xF1,
-+ 0x79, 0x3A, 0x7C, 0xA3, 0x9F, 0x12, 0x1A, 0x4F, 0x2E, 0xA2, 0xE5, 0x0A,
-+ 0xAB, 0xC0, 0xF4, 0xA5, 0xE3, 0x5F, 0x89, 0x1C, 0x8F, 0xA4, 0x5E, 0xCE,
-+ 0x0D, 0x91, 0x05, 0x1B, 0x17, 0x62, 0x48, 0xFE, 0xA5, 0x4C, 0xEF, 0x2D,
-+ 0x28, 0xF1, 0x5E, 0xE6, 0xD1, 0x30, 0x89, 0x0A, 0xAD, 0x18, 0xAF, 0x6F,
-+ 0x04, 0x09, 0x36, 0x9A, 0xFF, 0xCA, 0xA1, 0xA7, 0x05, 0x7F, 0xD4, 0xBF,
-+ 0x3A, 0xB5, 0x42, 0x6D, 0xE9, 0x07, 0x29, 0x65, 0x8B, 0xAD, 0x4D, 0x0F,
-+ 0x22, 0xE1, 0x59, 0x43, 0x68, 0x87, 0xA8, 0x8B, 0xBC, 0x69, 0xA1, 0x94,
-+ 0x22, 0x3E, 0x8A, 0x49, 0xE8, 0xA3, 0x6F, 0xC2, 0x93, 0x58, 0xE7, 0xAE,
-+ 0xC9, 0x1F, 0xCF, 0x61, 0x93, 0xFC, 0xC1, 0xF6, 0xF3, 0x27, 0x7F, 0x0A,
-+ 0x90, 0xE0, 0x65, 0x32, 0x57, 0x47, 0xE2, 0xED, 0x08, 0x59, 0xA6, 0xF0,
-+ 0x17, 0x2C, 0x13, 0xE0
- };
-
- static const unsigned char kat_RSA_SHA1[] = {
-- 0x71, 0xEE, 0x1A, 0xC0, 0xFE, 0x01, 0x93, 0x54, 0x79, 0x5C, 0xF2, 0x4C,
-- 0x4A, 0xFD, 0x1A, 0x05, 0x8F, 0x64, 0xB1, 0x6D, 0x61, 0x33, 0x8D, 0x9B,
-- 0xE7, 0xFD, 0x60, 0xA3, 0x83, 0xB5, 0xA3, 0x51, 0x55, 0x77, 0x90, 0xCF,
-- 0xDC, 0x22, 0x37, 0x8E, 0xD0, 0xE1, 0xAE, 0x09, 0xE3, 0x3D, 0x1E, 0xF8,
-- 0x80, 0xD1, 0x8B, 0xC2, 0xEC, 0x0A, 0xD7, 0x6B, 0x88, 0x8B, 0x8B, 0xA1,
-- 0x20, 0x22, 0xBE, 0x59, 0x5B, 0xE0, 0x23, 0x24, 0xA1, 0x49, 0x30, 0xBA,
-- 0xA9, 0x9E, 0xE8, 0xB1, 0x8A, 0x62, 0x16, 0xBF, 0x4E, 0xCA, 0x2E, 0x4E,
-- 0xBC, 0x29, 0xA8, 0x67, 0x13, 0xB7, 0x9F, 0x1D, 0x04, 0x44, 0xE5, 0x5F,
-- 0x35, 0x07, 0x11, 0xBC, 0xED, 0x19, 0x37, 0x21, 0xCF, 0x23, 0x48, 0x1F,
-- 0x72, 0x05, 0xDE, 0xE6, 0xE8, 0x7F, 0x33, 0x8A, 0x76, 0x4B, 0x2F, 0x95,
-- 0xDF, 0xF1, 0x5F, 0x84, 0x80, 0xD9, 0x46, 0xB4
-+ 0x3B, 0x60, 0x4B, 0xFC, 0x54, 0x28, 0x23, 0xE6, 0x2F, 0x05, 0x04, 0xBA,
-+ 0x9D, 0xE4, 0x3C, 0xB8, 0x5B, 0x60, 0x5C, 0xCD, 0x9D, 0xEA, 0xC3, 0x4C,
-+ 0xC2, 0x33, 0xE6, 0xC6, 0x21, 0x48, 0x76, 0xEC, 0xB2, 0xF5, 0x11, 0xDE,
-+ 0x44, 0xB4, 0xAF, 0x16, 0x11, 0xC3, 0x18, 0x16, 0xB3, 0x69, 0xBB, 0x94,
-+ 0xED, 0xE8, 0xB3, 0x9E, 0xB1, 0x43, 0x8E, 0xCE, 0xB4, 0x34, 0x9B, 0x08,
-+ 0x22, 0xAF, 0x31, 0x73, 0xB5, 0xFA, 0x11, 0x7E, 0x8F, 0x13, 0x52, 0xEC,
-+ 0xC9, 0x03, 0xEE, 0x0D, 0x2B, 0x91, 0x32, 0xF2, 0x8E, 0xDF, 0x02, 0xE0,
-+ 0x0A, 0x47, 0xD2, 0x0A, 0x51, 0x00, 0x1A, 0x30, 0x6F, 0x0C, 0xB3, 0x54,
-+ 0x64, 0x20, 0x90, 0x0C, 0x01, 0xBE, 0xC0, 0x42, 0x8C, 0x5D, 0x18, 0x6F,
-+ 0x32, 0x75, 0x45, 0x7B, 0x1C, 0x04, 0xA2, 0x9F, 0x84, 0xD7, 0xF5, 0x3A,
-+ 0x95, 0xD4, 0xE8, 0x8D, 0xEC, 0x99, 0xEF, 0x18, 0x5E, 0x64, 0xD3, 0xAF,
-+ 0xF8, 0xD4, 0xFF, 0x3C, 0x87, 0xA0, 0x3F, 0xC7, 0x22, 0x05, 0xFD, 0xFD,
-+ 0x29, 0x8A, 0x28, 0xDA, 0xA9, 0x8A, 0x8B, 0x23, 0x62, 0x9D, 0x42, 0xB8,
-+ 0x4A, 0x76, 0x0D, 0x9F, 0x9A, 0xE0, 0xE6, 0xDD, 0xAD, 0x5E, 0x5F, 0xD5,
-+ 0x32, 0xE9, 0x4B, 0x97, 0x7D, 0x62, 0x0A, 0xB3, 0xBE, 0xF2, 0x8C, 0x1F,
-+ 0x2B, 0x22, 0x06, 0x15, 0x33, 0x71, 0xED, 0x9B, 0xA0, 0x82, 0xCE, 0xBF,
-+ 0x3B, 0x08, 0x5F, 0xA7, 0x20, 0x94, 0x09, 0xEB, 0x82, 0xA5, 0x41, 0x60,
-+ 0xF1, 0x08, 0xEB, 0x8D, 0xCC, 0x8D, 0xC9, 0x52, 0x0A, 0xAF, 0xF4, 0xF9,
-+ 0x9F, 0x82, 0xD8, 0x0B, 0x75, 0x5E, 0xE4, 0xAF, 0x65, 0x96, 0xAF, 0xFC,
-+ 0x33, 0xBF, 0x9F, 0x3E, 0xA4, 0x7B, 0x86, 0xC7, 0xF7, 0x47, 0xAB, 0x37,
-+ 0x05, 0xD6, 0x0D, 0x31, 0x72, 0x8C, 0x80, 0x1E, 0xA9, 0x54, 0xFC, 0xDF,
-+ 0x27, 0x90, 0xE2, 0x01
- };
-
- static const unsigned char kat_RSA_SHA224[] = {
-- 0x62, 0xAA, 0x79, 0xA9, 0x18, 0x0E, 0x5F, 0x8C, 0xBB, 0xB7, 0x15, 0xF9,
-- 0x25, 0xBB, 0xFA, 0xD4, 0x3A, 0x34, 0xED, 0x9E, 0xA0, 0xA9, 0x18, 0x8D,
-- 0x5B, 0x55, 0x9A, 0x7E, 0x1E, 0x08, 0x08, 0x60, 0xC5, 0x1A, 0xC5, 0x89,
-- 0x08, 0xE2, 0x1B, 0xBD, 0x62, 0x50, 0x17, 0x76, 0x30, 0x2C, 0x9E, 0xCD,
-- 0xA4, 0x02, 0xAD, 0xB1, 0x6D, 0x44, 0x6D, 0xD5, 0xC6, 0x45, 0x41, 0xE5,
-- 0xEE, 0x1F, 0x8D, 0x7E, 0x08, 0x16, 0xA6, 0xE1, 0x5E, 0x0B, 0xA9, 0xCC,
-- 0xDB, 0x59, 0x55, 0x87, 0x09, 0x25, 0x70, 0x86, 0x84, 0x02, 0xC6, 0x3B,
-- 0x0B, 0x44, 0x4C, 0x46, 0x95, 0xF4, 0xF8, 0x5A, 0x91, 0x28, 0x3E, 0xB2,
-- 0x58, 0x2E, 0x06, 0x45, 0x49, 0xE0, 0x92, 0xE2, 0xC0, 0x66, 0xE6, 0x35,
-- 0xD9, 0x79, 0x7F, 0x17, 0x5E, 0x02, 0x73, 0x04, 0x77, 0x82, 0xE6, 0xDC,
-- 0x40, 0x21, 0x89, 0x8B, 0x37, 0x3E, 0x1E, 0x8D
-+ 0xA2, 0xD8, 0x42, 0x53, 0xDD, 0xBF, 0x1F, 0x6B, 0x07, 0xE0, 0x60, 0x86,
-+ 0x5A, 0x60, 0x06, 0x8F, 0x44, 0xD9, 0xB0, 0x4A, 0xAA, 0x90, 0x71, 0xB8,
-+ 0xB2, 0xBC, 0x30, 0x41, 0x50, 0xBB, 0xFD, 0x46, 0x98, 0x4D, 0xC0, 0x89,
-+ 0x57, 0x85, 0x8A, 0x97, 0x49, 0x25, 0xA8, 0x0C, 0x69, 0x70, 0x19, 0x39,
-+ 0x66, 0x24, 0xB4, 0x69, 0x47, 0xD2, 0x7C, 0xDE, 0x2D, 0x37, 0x59, 0xB3,
-+ 0xE3, 0xC7, 0x6B, 0xDD, 0xBE, 0xE1, 0xE6, 0x28, 0x9A, 0x8D, 0x42, 0x3E,
-+ 0x28, 0x01, 0xD7, 0x03, 0xC9, 0x73, 0xC3, 0x6B, 0x03, 0xEC, 0x1E, 0xF8,
-+ 0x53, 0x8B, 0x52, 0x42, 0x89, 0x55, 0xB7, 0x87, 0xA9, 0x94, 0xC2, 0xB4,
-+ 0x4B, 0x76, 0xF5, 0x61, 0x47, 0xE1, 0x44, 0x7B, 0xEC, 0xB4, 0x25, 0x66,
-+ 0xC0, 0xFF, 0xEB, 0x86, 0x24, 0xAA, 0xA8, 0x72, 0xC7, 0xFB, 0xFB, 0xF6,
-+ 0x84, 0xA7, 0x5B, 0xD4, 0x87, 0xE5, 0x84, 0x56, 0x1E, 0x4C, 0xE5, 0xBC,
-+ 0x87, 0x94, 0xAC, 0x9C, 0x1B, 0x3D, 0xF7, 0xD4, 0x36, 0x85, 0x9F, 0xC9,
-+ 0xF6, 0x43, 0x3F, 0xB6, 0x25, 0x33, 0x48, 0x0F, 0xE5, 0x7C, 0xCD, 0x53,
-+ 0x48, 0xEB, 0x02, 0x11, 0xB9, 0x9E, 0xC3, 0xB4, 0xE1, 0x54, 0xD6, 0xAA,
-+ 0x1A, 0x9E, 0x10, 0xE1, 0x27, 0x25, 0xF2, 0xE1, 0xAB, 0xAB, 0x6C, 0x45,
-+ 0x61, 0xD5, 0xA3, 0x6C, 0xB6, 0x33, 0x52, 0xAE, 0x3D, 0xFD, 0x22, 0xFC,
-+ 0x3A, 0xAB, 0x63, 0x94, 0xB5, 0x3A, 0x69, 0x11, 0xAC, 0x99, 0x4F, 0x33,
-+ 0x67, 0x0A, 0x1A, 0x70, 0x1E, 0xB9, 0xE2, 0x26, 0x27, 0x68, 0xEA, 0xF5,
-+ 0x97, 0x55, 0xAC, 0x83, 0x6A, 0x40, 0x3B, 0x56, 0xAE, 0x13, 0x88, 0xE8,
-+ 0x98, 0x72, 0x52, 0x91, 0x7F, 0x78, 0x0A, 0x18, 0xD4, 0x44, 0x78, 0x83,
-+ 0x0D, 0x44, 0x77, 0xA6, 0xF3, 0x04, 0xF1, 0x8C, 0xBC, 0x2F, 0xF9, 0x5B,
-+ 0xDB, 0x70, 0x00, 0xF6
- };
-
- static const unsigned char kat_RSA_SHA256[] = {
-- 0x0D, 0x55, 0xE2, 0xAA, 0x81, 0xDB, 0x8E, 0x82, 0x05, 0x17, 0xA5, 0x23,
-- 0xE7, 0x3B, 0x1D, 0xAF, 0xFB, 0x8C, 0xD0, 0x81, 0x20, 0x7B, 0xAA, 0x23,
-- 0x92, 0x87, 0x8C, 0xD1, 0x53, 0x85, 0x16, 0xDC, 0xBE, 0xAD, 0x6F, 0x35,
-- 0x98, 0x2D, 0x69, 0x84, 0xBF, 0xD9, 0x8A, 0x01, 0x17, 0x58, 0xB2, 0x6E,
-- 0x2C, 0x44, 0x9B, 0x90, 0xF1, 0xFB, 0x51, 0xE8, 0x6A, 0x90, 0x2D, 0x18,
-- 0x0E, 0xC0, 0x90, 0x10, 0x24, 0xA9, 0x1D, 0xB3, 0x58, 0x7A, 0x91, 0x30,
-- 0xBE, 0x22, 0xC7, 0xD3, 0xEC, 0xC3, 0x09, 0x5D, 0xBF, 0xE2, 0x80, 0x3A,
-- 0x7C, 0x85, 0xB4, 0xBC, 0xD1, 0xE9, 0xF0, 0x5C, 0xDE, 0x81, 0xA6, 0x38,
-- 0xB8, 0x42, 0xBB, 0x86, 0xC5, 0x9D, 0xCE, 0x7C, 0x2C, 0xEE, 0xD1, 0xDA,
-- 0x27, 0x48, 0x2B, 0xF5, 0xAB, 0xB9, 0xF7, 0x80, 0xD1, 0x90, 0x27, 0x90,
-- 0xBD, 0x44, 0x97, 0x60, 0xCD, 0x57, 0xC0, 0x7A
-+ 0xC2, 0xB1, 0x97, 0x00, 0x9A, 0xE5, 0x80, 0x6A, 0xE2, 0x51, 0x68, 0xB9,
-+ 0x7A, 0x0C, 0xF2, 0xB4, 0x77, 0xED, 0x15, 0x0C, 0x4E, 0xE1, 0xDC, 0xFF,
-+ 0x8E, 0xBC, 0xDE, 0xC7, 0x9A, 0x96, 0xF1, 0x47, 0x45, 0x24, 0x9D, 0x6F,
-+ 0xA6, 0xF3, 0x1D, 0x0D, 0x35, 0x4C, 0x1A, 0xF3, 0x58, 0x2C, 0x6C, 0x06,
-+ 0xD6, 0x22, 0x37, 0x77, 0x8C, 0x33, 0xE5, 0x07, 0x53, 0x93, 0x28, 0xCF,
-+ 0x67, 0xFA, 0xC4, 0x1F, 0x1B, 0x24, 0xDB, 0x4C, 0xC5, 0x2A, 0x51, 0xA2,
-+ 0x60, 0x15, 0x8C, 0x54, 0xB4, 0x30, 0xE2, 0x24, 0x47, 0x86, 0xF2, 0xF8,
-+ 0x6C, 0xD6, 0x12, 0x59, 0x2C, 0x74, 0x9A, 0x37, 0xF3, 0xC4, 0xA2, 0xD5,
-+ 0x4E, 0x1F, 0x77, 0xF0, 0x27, 0xCE, 0x77, 0xF8, 0x4A, 0x79, 0x03, 0xBE,
-+ 0xC8, 0x06, 0x2D, 0xA7, 0xA6, 0x46, 0xF5, 0x55, 0x79, 0xD7, 0x5C, 0xC6,
-+ 0x5B, 0xB1, 0x00, 0x4E, 0x7C, 0xD9, 0x11, 0x85, 0xE0, 0xB1, 0x4D, 0x2D,
-+ 0x13, 0xD7, 0xAC, 0xEA, 0x64, 0xD1, 0xAC, 0x8F, 0x8D, 0x8F, 0xEA, 0x42,
-+ 0x7F, 0xF9, 0xB7, 0x7D, 0x2C, 0x68, 0x49, 0x07, 0x7A, 0x74, 0xEF, 0xB4,
-+ 0xC9, 0x97, 0x16, 0x5C, 0x6C, 0x6E, 0x5C, 0x09, 0x2E, 0x8E, 0x13, 0x2E,
-+ 0x1A, 0x8D, 0xA6, 0x0C, 0x6E, 0x0C, 0x1C, 0x0F, 0xCC, 0xB2, 0x78, 0x8A,
-+ 0x07, 0xFC, 0x5C, 0xC2, 0xF5, 0x65, 0xEC, 0xAB, 0x8B, 0x3C, 0xCA, 0x91,
-+ 0x6F, 0x84, 0x7C, 0x21, 0x0E, 0xB8, 0xDA, 0x7B, 0x6C, 0xF7, 0xDF, 0xAB,
-+ 0x7E, 0x15, 0xFD, 0x85, 0x0B, 0x33, 0x9B, 0x6A, 0x3A, 0xC3, 0xEF, 0x65,
-+ 0x04, 0x6E, 0xB2, 0xAC, 0x98, 0xFD, 0xEB, 0x02, 0xF5, 0xC0, 0x0B, 0x5E,
-+ 0xCB, 0xD4, 0x83, 0x82, 0x18, 0x1B, 0xDA, 0xB4, 0xCD, 0xE8, 0x71, 0x6B,
-+ 0x1D, 0xB5, 0x4F, 0xE9, 0xD6, 0x43, 0xA0, 0x0A, 0x14, 0xA0, 0xE7, 0x5D,
-+ 0x47, 0x9D, 0x18, 0xD7
- };
-
- static const unsigned char kat_RSA_SHA384[] = {
-- 0x1D, 0xE3, 0x6A, 0xDD, 0x27, 0x4C, 0xC0, 0xA5, 0x27, 0xEF, 0xE6, 0x1F,
-- 0xD2, 0x91, 0x68, 0x59, 0x04, 0xAE, 0xBD, 0x99, 0x63, 0x56, 0x47, 0xC7,
-- 0x6F, 0x22, 0x16, 0x48, 0xD0, 0xF9, 0x18, 0xA9, 0xCA, 0xFA, 0x5D, 0x5C,
-- 0xA7, 0x65, 0x52, 0x8A, 0xC8, 0x44, 0x7E, 0x86, 0x5D, 0xA9, 0xA6, 0x55,
-- 0x65, 0x3E, 0xD9, 0x2D, 0x02, 0x38, 0xA8, 0x79, 0x28, 0x7F, 0xB6, 0xCF,
-- 0x82, 0xDD, 0x7E, 0x55, 0xE1, 0xB1, 0xBC, 0xE2, 0x19, 0x2B, 0x30, 0xC2,
-- 0x1B, 0x2B, 0xB0, 0x82, 0x46, 0xAC, 0x4B, 0xD1, 0xE2, 0x7D, 0xEB, 0x8C,
-- 0xFF, 0x95, 0xE9, 0x6A, 0x1C, 0x3D, 0x4D, 0xBF, 0x8F, 0x8B, 0x9C, 0xCD,
-- 0xEA, 0x85, 0xEE, 0x00, 0xDC, 0x1C, 0xA7, 0xEB, 0xD0, 0x8F, 0x99, 0xF1,
-- 0x16, 0x28, 0x24, 0x64, 0x04, 0x39, 0x2D, 0x58, 0x1E, 0x37, 0xDC, 0x04,
-- 0xBD, 0x31, 0xA2, 0x2F, 0xB3, 0x35, 0x56, 0xBF
-+ 0x11, 0x5E, 0x63, 0xFE, 0x47, 0xAA, 0x6A, 0x84, 0xEB, 0x44, 0x9A, 0x00,
-+ 0x96, 0x4A, 0xED, 0xD2, 0xA7, 0x67, 0x3A, 0x64, 0x82, 0x30, 0x61, 0x2D,
-+ 0xE3, 0xF5, 0x49, 0x68, 0x5E, 0x60, 0xD2, 0x4D, 0xEF, 0xF2, 0xA4, 0xB2,
-+ 0x9A, 0x81, 0x1D, 0x41, 0xA5, 0x73, 0x59, 0xEB, 0xBB, 0xC4, 0x9E, 0x2B,
-+ 0xEB, 0xC3, 0xDE, 0x3A, 0xEA, 0xF5, 0xAD, 0xDA, 0x87, 0x08, 0x68, 0xCF,
-+ 0x12, 0x9B, 0xC1, 0xE4, 0xA7, 0x71, 0xF8, 0xBD, 0x6B, 0x6F, 0x50, 0xF1,
-+ 0xD1, 0xFF, 0xCE, 0x6C, 0xD9, 0xBE, 0xDA, 0x76, 0xF3, 0xEB, 0xAB, 0x9C,
-+ 0x41, 0x6E, 0x4F, 0x35, 0x7A, 0x61, 0x27, 0xBC, 0x03, 0x3E, 0xAE, 0x3E,
-+ 0x1B, 0xDD, 0xAC, 0xD9, 0x1A, 0xFF, 0xD3, 0xF5, 0x66, 0x43, 0x07, 0x76,
-+ 0x8A, 0x69, 0x2D, 0x14, 0xB1, 0xBE, 0x55, 0x49, 0x90, 0x89, 0x4B, 0xC4,
-+ 0x11, 0x67, 0xD5, 0x9D, 0xB0, 0xB2, 0xEE, 0x8D, 0x0A, 0x47, 0x4A, 0xD9,
-+ 0x0E, 0xD1, 0x24, 0xF0, 0x30, 0x2B, 0xF2, 0x79, 0x47, 0xDB, 0x70, 0xB4,
-+ 0x46, 0xF2, 0xF8, 0xB7, 0xB4, 0xF6, 0x34, 0x79, 0xA8, 0x2D, 0x3D, 0x56,
-+ 0xD5, 0x9A, 0x60, 0x7A, 0x04, 0xC7, 0x66, 0x1D, 0xCD, 0x3C, 0xD5, 0x39,
-+ 0x37, 0x12, 0x51, 0x5E, 0x9F, 0xF8, 0x1A, 0xAF, 0x13, 0xC1, 0x13, 0x00,
-+ 0x35, 0xD5, 0x8D, 0x17, 0xE3, 0x02, 0x28, 0xD9, 0xEC, 0xDE, 0xD1, 0x2F,
-+ 0x93, 0x49, 0x03, 0x11, 0x3E, 0x56, 0x9D, 0xC2, 0x31, 0xF8, 0xAF, 0x2D,
-+ 0xD9, 0x99, 0xB7, 0x8A, 0xAC, 0x5A, 0x86, 0x20, 0x3A, 0x83, 0x29, 0x26,
-+ 0x9D, 0x03, 0x52, 0x2B, 0x34, 0x56, 0x40, 0x16, 0x53, 0x50, 0x82, 0xC9,
-+ 0xC7, 0xD5, 0x51, 0x4C, 0xED, 0xB3, 0xE2, 0xE1, 0xCF, 0xA8, 0xCE, 0xBD,
-+ 0xB1, 0x48, 0xA6, 0x8A, 0x79, 0x17, 0x55, 0x11, 0xEF, 0xE8, 0x14, 0xF4,
-+ 0x7E, 0x37, 0x1D, 0x96
- };
-
- static const unsigned char kat_RSA_SHA512[] = {
-- 0x69, 0x52, 0x1B, 0x51, 0x5E, 0x06, 0xCA, 0x9B, 0x16, 0x51, 0x5D, 0xCF,
-- 0x49, 0x25, 0x4A, 0xA1, 0x6A, 0x77, 0x4C, 0x36, 0x40, 0xF8, 0xB2, 0x9A,
-- 0x15, 0xEA, 0x5C, 0xE5, 0xE6, 0x82, 0xE0, 0x86, 0x82, 0x6B, 0x32, 0xF1,
-- 0x04, 0xC1, 0x5A, 0x1A, 0xED, 0x1E, 0x9A, 0xB6, 0x4C, 0x54, 0x9F, 0xD8,
-- 0x8D, 0xCC, 0xAC, 0x8A, 0xBB, 0x9C, 0x82, 0x3F, 0xA6, 0x53, 0x62, 0xB5,
-- 0x80, 0xE2, 0xBC, 0xDD, 0x67, 0x2B, 0xD9, 0x3F, 0xE4, 0x75, 0x92, 0x6B,
-- 0xAF, 0x62, 0x7C, 0x52, 0xF0, 0xEE, 0x33, 0xDF, 0x1B, 0x1D, 0x47, 0xE6,
-- 0x59, 0x56, 0xA5, 0xB9, 0x5C, 0xE6, 0x77, 0x78, 0x16, 0x63, 0x84, 0x05,
-- 0x6F, 0x0E, 0x2B, 0x31, 0x9D, 0xF7, 0x7F, 0xB2, 0x64, 0x71, 0xE0, 0x2D,
-- 0x3E, 0x62, 0xCE, 0xB5, 0x3F, 0x88, 0xDF, 0x2D, 0xAB, 0x98, 0x65, 0x91,
-- 0xDF, 0x70, 0x14, 0xA5, 0x3F, 0x36, 0xAB, 0x84
-+ 0x35, 0x6D, 0xF1, 0x9E, 0xCF, 0xB1, 0xF6, 0x0C, 0x04, 0x21, 0x17, 0xB3,
-+ 0xC4, 0x9D, 0xFE, 0x62, 0x1C, 0x1A, 0x45, 0x00, 0x2E, 0x6B, 0xB6, 0x9F,
-+ 0x5C, 0xB1, 0xCB, 0xCF, 0xF9, 0x67, 0xEA, 0x62, 0x8A, 0xEB, 0x77, 0x02,
-+ 0x42, 0x30, 0x88, 0xB1, 0x48, 0xDF, 0x12, 0x60, 0x6E, 0x92, 0xBB, 0x4B,
-+ 0x09, 0x68, 0xD1, 0x70, 0x2B, 0x59, 0xEE, 0x57, 0x96, 0xF9, 0xEA, 0xA3,
-+ 0x4C, 0xE9, 0xC9, 0xBD, 0x25, 0x34, 0x66, 0x15, 0x6C, 0xC9, 0x81, 0xD1,
-+ 0x48, 0x0F, 0x33, 0x5F, 0x05, 0x4F, 0xC2, 0xC4, 0xDD, 0x09, 0x54, 0x79,
-+ 0xA1, 0x57, 0x07, 0x70, 0xA0, 0x33, 0x02, 0x4D, 0x5D, 0xE9, 0x24, 0xD1,
-+ 0xEF, 0xF0, 0x61, 0xD0, 0x1D, 0x41, 0xE2, 0x9B, 0x2B, 0x7C, 0xD0, 0x4E,
-+ 0x55, 0xD9, 0x6D, 0xA1, 0x16, 0x9F, 0xDA, 0xC3, 0x3B, 0xF1, 0x74, 0xD1,
-+ 0x99, 0xF1, 0x63, 0x57, 0xAD, 0xC7, 0x55, 0xF4, 0x97, 0x43, 0x1C, 0xED,
-+ 0x1B, 0x7A, 0x32, 0xCB, 0x24, 0xA6, 0x3D, 0x93, 0x37, 0x90, 0x74, 0xEE,
-+ 0xD2, 0x8D, 0x4B, 0xBC, 0x72, 0xDA, 0x25, 0x2B, 0x64, 0xE9, 0xCA, 0x69,
-+ 0x36, 0xB6, 0xEC, 0x6E, 0x8F, 0x33, 0x0E, 0x74, 0x40, 0x48, 0x51, 0xE2,
-+ 0x54, 0x6F, 0xAF, 0x6E, 0x36, 0x54, 0x3A, 0xEC, 0x78, 0x37, 0xE6, 0x1F,
-+ 0x76, 0xA5, 0x4D, 0xA6, 0xD9, 0xB3, 0x6B, 0x17, 0x6D, 0x61, 0xFC, 0xA3,
-+ 0x85, 0x4A, 0xCC, 0xDA, 0x52, 0xAC, 0x5B, 0xDA, 0x51, 0xE5, 0x7F, 0x5B,
-+ 0x52, 0x8B, 0x74, 0x75, 0x99, 0x5C, 0x01, 0xFD, 0x25, 0x3E, 0xCD, 0x86,
-+ 0x6F, 0x7A, 0xC0, 0xD8, 0x17, 0x6F, 0xD1, 0xD2, 0x6B, 0xAB, 0x14, 0x1F,
-+ 0x3B, 0xB8, 0x15, 0x05, 0x86, 0x40, 0x36, 0xCF, 0xDA, 0x59, 0x2B, 0x9A,
-+ 0xE9, 0x1E, 0x6E, 0xD3, 0x6B, 0xA1, 0x19, 0xC5, 0xE6, 0x3F, 0xE9, 0x2E,
-+ 0x43, 0xA8, 0x34, 0x0A
- };
-
--static const unsigned char kat_RSA_X931_SHA1[] = {
-- 0x86, 0xB4, 0x18, 0xBA, 0xD1, 0x80, 0xB6, 0x7C, 0x42, 0x45, 0x4D, 0xDF,
-- 0xE9, 0x2D, 0xE1, 0x83, 0x5F, 0xB5, 0x2F, 0xC9, 0xCD, 0xC4, 0xB2, 0x75,
-- 0x80, 0xA4, 0xF1, 0x4A, 0xE7, 0x83, 0x12, 0x1E, 0x1E, 0x14, 0xB8, 0xAC,
-- 0x35, 0xE2, 0xAA, 0x0B, 0x5C, 0xF8, 0x38, 0x4D, 0x04, 0xEE, 0xA9, 0x97,
-- 0x70, 0xFB, 0x5E, 0xE7, 0xB7, 0xE3, 0x62, 0x23, 0x4B, 0x38, 0xBE, 0xD6,
-- 0x53, 0x15, 0xF7, 0xDF, 0x87, 0xB4, 0x0E, 0xCC, 0xB1, 0x1A, 0x11, 0x19,
-- 0xEE, 0x51, 0xCC, 0x92, 0xDD, 0xBC, 0x63, 0x29, 0x63, 0x0C, 0x59, 0xD7,
-- 0x6F, 0x4C, 0x3C, 0x37, 0x5B, 0x37, 0x03, 0x61, 0x7D, 0x24, 0x1C, 0x99,
-- 0x48, 0xAF, 0x82, 0xFE, 0x32, 0x41, 0x9B, 0xB2, 0xDB, 0xEA, 0xED, 0x76,
-- 0x8E, 0x6E, 0xCA, 0x7E, 0x4E, 0x14, 0xBA, 0x30, 0x84, 0x1C, 0xB3, 0x67,
-- 0xA3, 0x29, 0x80, 0x70, 0x54, 0x68, 0x7D, 0x49
--};
-+static int fips_rsa_encrypt_test(RSA *rsa, const unsigned char *plaintext, int ptlen)
-+ {
-+ unsigned char *ctbuf = NULL, *ptbuf = NULL;
-+ int ret = 0;
-+ int len;
-
--static const unsigned char kat_RSA_X931_SHA256[] = {
-- 0x7E, 0xA2, 0x77, 0xFE, 0xB8, 0x54, 0x8A, 0xC7, 0x7F, 0x64, 0x54, 0x89,
-- 0xE5, 0x52, 0x15, 0x8E, 0x52, 0x96, 0x4E, 0xA6, 0x58, 0x92, 0x1C, 0xDD,
-- 0xEA, 0xA2, 0x2D, 0x5C, 0xD1, 0x62, 0x00, 0x49, 0x05, 0x95, 0x73, 0xCF,
-- 0x16, 0x76, 0x68, 0xF6, 0xC6, 0x5E, 0x80, 0xB8, 0xB8, 0x7B, 0xC8, 0x9B,
-- 0xC6, 0x53, 0x88, 0x26, 0x20, 0x88, 0x73, 0xB6, 0x13, 0xB8, 0xF0, 0x4B,
-- 0x00, 0x85, 0xF3, 0xDD, 0x07, 0x50, 0xEB, 0x20, 0xC4, 0x38, 0x0E, 0x98,
-- 0xAD, 0x4E, 0x49, 0x2C, 0xD7, 0x65, 0xA5, 0x19, 0x0E, 0x59, 0x01, 0xEC,
-- 0x7E, 0x75, 0x89, 0x69, 0x2E, 0x63, 0x76, 0x85, 0x46, 0x8D, 0xA0, 0x8C,
-- 0x33, 0x1D, 0x82, 0x8C, 0x03, 0xEA, 0x69, 0x88, 0x35, 0xA1, 0x42, 0xBD,
-- 0x21, 0xED, 0x8D, 0xBC, 0xBC, 0xDB, 0x30, 0xFF, 0x86, 0xF0, 0x5B, 0xDC,
-- 0xE3, 0xE2, 0xE8, 0x0A, 0x0A, 0x29, 0x94, 0x80
--};
-+ ctbuf = OPENSSL_malloc(RSA_size(rsa));
-+ if (!ctbuf)
-+ goto err;
-
--static const unsigned char kat_RSA_X931_SHA384[] = {
-- 0x5C, 0x7D, 0x96, 0x35, 0xEC, 0x7E, 0x11, 0x38, 0xBB, 0x7B, 0xEC, 0x7B,
-- 0xF2, 0x82, 0x8E, 0x99, 0xBD, 0xEF, 0xD8, 0xAE, 0xD7, 0x39, 0x37, 0xCB,
-- 0xE6, 0x4F, 0x5E, 0x0A, 0x13, 0xE4, 0x2E, 0x40, 0xB9, 0xBE, 0x2E, 0xE3,
-- 0xEF, 0x78, 0x83, 0x18, 0x44, 0x35, 0x9C, 0x8E, 0xD7, 0x4A, 0x63, 0xF6,
-- 0x57, 0xC2, 0xB0, 0x08, 0x51, 0x73, 0xCF, 0xCA, 0x99, 0x66, 0xEE, 0x31,
-- 0xD8, 0x69, 0xE9, 0xAB, 0x13, 0x27, 0x7B, 0x41, 0x1E, 0x6D, 0x8D, 0xF1,
-- 0x3E, 0x9C, 0x35, 0x95, 0x58, 0xDD, 0x2B, 0xD5, 0xA0, 0x60, 0x41, 0x79,
-- 0x24, 0x22, 0xE4, 0xB7, 0xBF, 0x47, 0x53, 0xF6, 0x34, 0xD5, 0x7C, 0xFF,
-- 0x0E, 0x09, 0xEE, 0x2E, 0xE2, 0x37, 0xB9, 0xDE, 0xC5, 0x12, 0x44, 0x35,
-- 0xEF, 0x01, 0xE6, 0x5E, 0x39, 0x31, 0x2D, 0x71, 0xA5, 0xDC, 0xC6, 0x6D,
-- 0xE2, 0xCD, 0x85, 0xDB, 0x73, 0x82, 0x65, 0x28
--};
-+ len = RSA_public_encrypt(ptlen, plaintext, ctbuf, rsa, RSA_PKCS1_PADDING);
-+ if (len <= 0)
-+ goto err;
-+ /* Check ciphertext doesn't match plaintext */
-+ if (len >= ptlen && !memcmp(plaintext, ctbuf, ptlen))
-+ goto err;
-
--static const unsigned char kat_RSA_X931_SHA512[] = {
-- 0xA6, 0x65, 0xA2, 0x77, 0x4F, 0xB3, 0x86, 0xCB, 0x64, 0x3A, 0xC1, 0x63,
-- 0xFC, 0xA1, 0xAA, 0xCB, 0x9B, 0x79, 0xDD, 0x4B, 0xE1, 0xD9, 0xDA, 0xAC,
-- 0xE7, 0x47, 0x09, 0xB2, 0x11, 0x4B, 0x8A, 0xAA, 0x05, 0x9E, 0x77, 0xD7,
-- 0x3A, 0xBD, 0x5E, 0x53, 0x09, 0x4A, 0xE6, 0x0F, 0x5E, 0xF9, 0x14, 0x28,
-- 0xA0, 0x99, 0x74, 0x64, 0x70, 0x4E, 0xF2, 0xE3, 0xFA, 0xC7, 0xF8, 0xC5,
-- 0x6E, 0x2B, 0x79, 0x96, 0x0D, 0x0C, 0xC8, 0x10, 0x34, 0x53, 0xD2, 0xAF,
-- 0x17, 0x0E, 0xE0, 0xBF, 0x79, 0xF6, 0x04, 0x72, 0x10, 0xE0, 0xF6, 0xD0,
-- 0xCE, 0x8A, 0x6F, 0xA1, 0x95, 0x89, 0xBF, 0x58, 0x8F, 0x46, 0x5F, 0x09,
-- 0x9F, 0x09, 0xCA, 0x84, 0x15, 0x85, 0xE0, 0xED, 0x04, 0x2D, 0xFB, 0x7C,
-- 0x36, 0x35, 0x21, 0x31, 0xC3, 0xFD, 0x92, 0x42, 0x11, 0x30, 0x71, 0x1B,
-- 0x60, 0x83, 0x18, 0x88, 0xA3, 0xF5, 0x59, 0xC3
--};
-+ ptbuf = OPENSSL_malloc(RSA_size(rsa));
-+ if (!ptbuf)
-+ goto err;
-+
-+ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
-+ if (len != ptlen)
-+ goto err;
-+ if (memcmp(ptbuf, plaintext, len))
-+ goto err;
-+
-+ ret = 1;
-
-+ err:
-+ if (ctbuf)
-+ OPENSSL_free(ctbuf);
-+ if (ptbuf)
-+ OPENSSL_free(ptbuf);
-+ return ret;
-+ }
-
- int FIPS_selftest_rsa()
- {
-@@ -353,7 +487,7 @@ int FIPS_selftest_rsa()
- if ((pk=EVP_PKEY_new()) == NULL)
- goto err;
-
-- EVP_PKEY_assign_RSA(pk, key);
-+ EVP_PKEY_set1_RSA(pk, key);
-
- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
- kat_RSA_SHA1, sizeof(kat_RSA_SHA1),
-@@ -407,36 +541,15 @@ int FIPS_selftest_rsa()
- "RSA SHA512 PSS"))
- goto err;
-
--
-- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-- kat_RSA_X931_SHA1, sizeof(kat_RSA_X931_SHA1),
-- EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931,
-- "RSA SHA1 X931"))
-- goto err;
-- /* NB: SHA224 not supported in X9.31 */
-- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-- kat_RSA_X931_SHA256, sizeof(kat_RSA_X931_SHA256),
-- EVP_sha256(), EVP_MD_CTX_FLAG_PAD_X931,
-- "RSA SHA256 X931"))
-- goto err;
-- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-- kat_RSA_X931_SHA384, sizeof(kat_RSA_X931_SHA384),
-- EVP_sha384(), EVP_MD_CTX_FLAG_PAD_X931,
-- "RSA SHA384 X931"))
-- goto err;
-- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-- kat_RSA_X931_SHA512, sizeof(kat_RSA_X931_SHA512),
-- EVP_sha512(), EVP_MD_CTX_FLAG_PAD_X931,
-- "RSA SHA512 X931"))
-+ if (!fips_rsa_encrypt_test(key, kat_tbs, sizeof(kat_tbs) - 1))
- goto err;
-
--
- ret = 1;
-
- err:
- if (pk)
- EVP_PKEY_free(pk);
-- else if (key)
-+ if (key)
- RSA_free(key);
- return ret;
- }
-diff -up openssl-1.0.1i/crypto/fips/Makefile.fips-reqs openssl-1.0.1i/crypto/fips/Makefile
---- openssl-1.0.1i/crypto/fips/Makefile.fips-reqs 2014-08-13 19:58:06.809832370 +0200
-+++ openssl-1.0.1i/crypto/fips/Makefile 2014-08-13 19:58:06.820832624 +0200
-@@ -24,13 +24,15 @@ LIBSRC=fips_aes_selftest.c fips_des_self
- fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
- fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
- fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
-- fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c
-+ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c \
-+ fips_dh_selftest.c
-
- LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \
- fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \
- fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \
- fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \
-- fips_cmac_selftest.o fips_ecdh_selftest.o fips_ecdsa_selftest.o fips_enc.o fips_md.o
-+ fips_cmac_selftest.o fips_ecdh_selftest.o fips_ecdsa_selftest.o fips_enc.o fips_md.o \
-+ fips_dh_selftest.o
-
- LIBCRYPTO=-L.. -lcrypto
-
-diff -up openssl-1.0.1i/crypto/modes/gcm128.c.fips-reqs openssl-1.0.1i/crypto/modes/gcm128.c
---- openssl-1.0.1i/crypto/modes/gcm128.c.fips-reqs 2014-08-13 19:58:06.740830781 +0200
-+++ openssl-1.0.1i/crypto/modes/gcm128.c 2014-08-13 19:58:06.820832624 +0200
-@@ -931,6 +931,10 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT
- # endif
- #endif
-
-+ ctx->totlen += len;
-+ if (ctx->totlen>(U64(1)<<36) || (sizeof(len)==8 && ctx->totlen<len))
-+ return -1;
-+
- #if 0
- n = (unsigned int)mlen%16; /* alternative to ctx->mres */
- #endif
-@@ -1294,6 +1298,10 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_C
- # endif
- #endif
-
-+ ctx->totlen += len;
-+ if (ctx->totlen>(U64(1)<<36) || (sizeof(len)==8 && ctx->totlen<len))
-+ return -1;
-+
- mlen += len;
- if (mlen>((U64(1)<<36)-32) || (sizeof(len)==8 && mlen<len))
- return -1;
-diff -up openssl-1.0.1i/crypto/modes/modes_lcl.h.fips-reqs openssl-1.0.1i/crypto/modes/modes_lcl.h
---- openssl-1.0.1i/crypto/modes/modes_lcl.h.fips-reqs 2014-08-13 19:58:06.410823180 +0200
-+++ openssl-1.0.1i/crypto/modes/modes_lcl.h 2014-08-13 19:58:06.820832624 +0200
-@@ -112,6 +112,7 @@ struct gcm128_context {
- unsigned int mres, ares;
- block128_f block;
- void *key;
-+ u64 totlen;
- };
-
- struct xts128_context {
-diff -up openssl-1.0.1i/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.1i/crypto/rand/rand_lcl.h
---- openssl-1.0.1i/crypto/rand/rand_lcl.h.fips-reqs 2014-08-13 19:58:06.525825829 +0200
-+++ openssl-1.0.1i/crypto/rand/rand_lcl.h 2014-08-13 19:58:06.820832624 +0200
-@@ -112,7 +112,7 @@
- #ifndef HEADER_RAND_LCL_H
- #define HEADER_RAND_LCL_H
-
--#define ENTROPY_NEEDED 32 /* require 256 bits = 32 bytes of randomness */
-+#define ENTROPY_NEEDED 48 /* require 384 bits = 48 bytes of randomness */
-
-
- #if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
-diff -up openssl-1.0.1i/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.1i/crypto/rand/rand_lib.c
---- openssl-1.0.1i/crypto/rand/rand_lib.c.fips-reqs 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/crypto/rand/rand_lib.c 2014-08-13 19:58:06.820832624 +0200
-@@ -240,12 +240,24 @@ static int drbg_rand_add(DRBG_CTX *ctx,
- double entropy)
- {
- RAND_SSLeay()->add(in, inlen, entropy);
-+ if (FIPS_rand_status())
-+ {
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ FIPS_drbg_reseed(ctx, NULL, 0);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ }
- return 1;
- }
-
- static int drbg_rand_seed(DRBG_CTX *ctx, const void *in, int inlen)
- {
- RAND_SSLeay()->seed(in, inlen);
-+ if (FIPS_rand_status())
-+ {
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ FIPS_drbg_reseed(ctx, NULL, 0);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ }
- return 1;
- }
-
-diff -up openssl-1.0.1i/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.1i/crypto/rsa/rsa_gen.c
---- openssl-1.0.1i/crypto/rsa/rsa_gen.c.fips-reqs 2014-08-13 19:58:06.782831748 +0200
-+++ openssl-1.0.1i/crypto/rsa/rsa_gen.c 2014-08-13 19:58:06.821832646 +0200
-@@ -1,5 +1,6 @@
- /* crypto/rsa/rsa_gen.c */
- /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
-+ * Copyright (C) 2013 Red Hat, Inc.
- * All rights reserved.
- *
- * This package is an SSL implementation written
-@@ -165,6 +166,222 @@ int RSA_generate_key_ex(RSA *rsa, int bi
- return rsa_builtin_keygen(rsa, bits, e_value, cb);
- }
-
-+#ifdef OPENSSL_FIPS
-+static int FIPS_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
-+ {
-+ BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
-+ BIGNUM local_r0, local_d, local_p;
-+ BIGNUM *pr0, *d, *p;
-+ BN_CTX *ctx = NULL;
-+ int ok = -1;
-+ int i;
-+ int n = 0;
-+ int test = 0;
-+ int pbits = bits/2;
-+
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ if ((pbits & 0xFF) || (getenv("OPENSSL_ENFORCE_MODULUS_BITS") && bits != 2048 && bits != 3072))
-+ {
-+ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
-+
-+ ctx = BN_CTX_new();
-+ if (ctx == NULL) goto err;
-+ BN_CTX_start(ctx);
-+ r0 = BN_CTX_get(ctx);
-+ r1 = BN_CTX_get(ctx);
-+ r2 = BN_CTX_get(ctx);
-+ r3 = BN_CTX_get(ctx);
-+
-+ if (r3 == NULL) goto err;
-+
-+ /* We need the RSA components non-NULL */
-+ if (!rsa->n && ((rsa->n=BN_new()) == NULL)) goto err;
-+ if (!rsa->d && ((rsa->d=BN_new()) == NULL)) goto err;
-+ if (!rsa->e && ((rsa->e=BN_new()) == NULL)) goto err;
-+ if (!rsa->p && ((rsa->p=BN_new()) == NULL)) goto err;
-+ if (!rsa->q && ((rsa->q=BN_new()) == NULL)) goto err;
-+ if (!rsa->dmp1 && ((rsa->dmp1=BN_new()) == NULL)) goto err;
-+ if (!rsa->dmq1 && ((rsa->dmq1=BN_new()) == NULL)) goto err;
-+ if (!rsa->iqmp && ((rsa->iqmp=BN_new()) == NULL)) goto err;
-+
-+ if (!BN_set_word(r0, RSA_F4)) goto err;
-+ if (BN_cmp(e_value, r0) < 0 || BN_num_bits(e_value) > 256)
-+ {
-+ ok = 0; /* we set our own err */
-+ RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,RSA_R_BAD_E_VALUE);
-+ goto err;
-+ }
-+
-+ /* prepare approximate minimum p and q */
-+ if (!BN_set_word(r0, 0xB504F334)) goto err;
-+ if (!BN_lshift(r0, r0, pbits - 32)) goto err;
-+
-+ /* prepare minimum p and q difference */
-+ if (!BN_one(r3)) goto err;
-+ if (!BN_lshift(r3, r3, pbits - 100)) goto err;
-+
-+ BN_copy(rsa->e, e_value);
-+
-+ if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q))
-+ test = 1;
-+
-+ /* generate p and q */
-+ for (i = 0; i < 5 * pbits; i++)
-+ {
-+ ploop:
-+ if (!test)
-+ if (!BN_rand(rsa->p, pbits, 0, 1)) goto err;
-+ if (BN_cmp(rsa->p, r0) < 0)
-+ {
-+ if (test) goto err;
-+ goto ploop;
-+ }
-+
-+ if (!BN_sub(r2, rsa->p, BN_value_one())) goto err;
-+ if (!BN_gcd(r1, r2, rsa->e, ctx)) goto err;
-+ if (BN_is_one(r1))
-+ {
-+ int r;
-+ r = BN_is_prime_fasttest_ex(rsa->p, pbits>1024?4:5, ctx, 0, cb);
-+ if (r == -1 || (test && r <= 0)) goto err;
-+ if (r > 0) break;
-+ }
-+
-+ if(!BN_GENCB_call(cb, 2, n++))
-+ goto err;
-+ }
-+
-+ if(!BN_GENCB_call(cb, 3, 0))
-+ goto err;
-+
-+ if(i >= 5*pbits)
-+ /* prime not found */
-+ goto err;
-+
-+ for (i = 0; i < 5 * pbits; i++)
-+ {
-+ qloop:
-+ if (!test)
-+ if (!BN_rand(rsa->q, pbits, 0, 1)) goto err;
-+ if (BN_cmp(rsa->q, r0) < 0)
-+ {
-+ if (test) goto err;
-+ goto qloop;
-+ }
-+ if (!BN_sub(r2, rsa->q, rsa->p)) goto err;
-+ if (BN_ucmp(r2, r3) <= 0)
-+ {
-+ if (test) goto err;
-+ goto qloop;
-+ }
-+
-+ if (!BN_sub(r2, rsa->q, BN_value_one())) goto err;
-+ if (!BN_gcd(r1, r2, rsa->e, ctx)) goto err;
-+ if (BN_is_one(r1))
-+ {
-+ int r;
-+ r = BN_is_prime_fasttest_ex(rsa->q, pbits>1024?4:5, ctx, 0, cb);
-+ if (r == -1 || (test && r <= 0)) goto err;
-+ if (r > 0) break;
-+ }
-+
-+ if(!BN_GENCB_call(cb, 2, n++))
-+ goto err;
-+ }
-+
-+ if(!BN_GENCB_call(cb, 3, 1))
-+ goto err;
-+
-+ if(i >= 5*pbits)
-+ /* prime not found */
-+ goto err;
-+
-+ if (test)
-+ {
-+ /* do not try to calculate the remaining key values */
-+ BN_clear(rsa->n);
-+ ok = 1;
-+ goto err;
-+ }
-+
-+ if (BN_cmp(rsa->p,rsa->q) < 0)
-+ {
-+ tmp=rsa->p;
-+ rsa->p=rsa->q;
-+ rsa->q=tmp;
-+ }
-+
-+ /* calculate n */
-+ if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err;
-+
-+ /* calculate d */
-+ if (!BN_sub(r1,rsa->p,BN_value_one())) goto err; /* p-1 */
-+ if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; /* q-1 */
-+ if (!BN_mul(r0,r1,r2,ctx)) goto err; /* (p-1)(q-1) */
-+ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
-+ {
-+ pr0 = &local_r0;
-+ BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
-+ }
-+ else
-+ pr0 = r0;
-+ if (!BN_mod_inverse(rsa->d,rsa->e,pr0,ctx)) goto err; /* d */
-+
-+ /* set up d for correct BN_FLG_CONSTTIME flag */
-+ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
-+ {
-+ d = &local_d;
-+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
-+ }
-+ else
-+ d = rsa->d;
-+
-+ /* calculate d mod (p-1) */
-+ if (!BN_mod(rsa->dmp1,d,r1,ctx)) goto err;
-+
-+ /* calculate d mod (q-1) */
-+ if (!BN_mod(rsa->dmq1,d,r2,ctx)) goto err;
-+
-+ /* calculate inverse of q mod p */
-+ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
-+ {
-+ p = &local_p;
-+ BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
-+ }
-+ else
-+ p = rsa->p;
-+ if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err;
-+
-+ if (fips_rsa_pairwise_fail)
-+ BN_add_word(rsa->n, 1);
-+
-+ if(!fips_check_rsa(rsa))
-+ goto err;
-+
-+ ok=1;
-+err:
-+ if (ok == -1)
-+ {
-+ RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,ERR_LIB_BN);
-+ ok = 0;
-+ }
-+ if (ctx != NULL)
-+ {
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
-+ }
-+
-+ return ok;
-+ }
-+#endif
-+
- static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
- {
- BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp;
-@@ -176,17 +393,12 @@ static int rsa_builtin_keygen(RSA *rsa,
- #ifdef OPENSSL_FIPS
- if (FIPS_module_mode())
- {
-- if(FIPS_selftest_failed())
-- {
-- FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_FIPS_SELFTEST_FAILED);
-- return 0;
-- }
--
- if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)
- {
- FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_KEY_TOO_SHORT);
- return 0;
- }
-+ return FIPS_rsa_builtin_keygen(rsa, bits, e_value, cb);
- }
- #endif
-
-@@ -301,17 +513,6 @@ static int rsa_builtin_keygen(RSA *rsa,
- p = rsa->p;
- if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err;
-
--#ifdef OPENSSL_FIPS
-- if (FIPS_module_mode())
-- {
-- if (fips_rsa_pairwise_fail)
-- BN_add_word(rsa->n, 1);
--
-- if(!fips_check_rsa(rsa))
-- goto err;
-- }
--#endif
--
- ok=1;
- err:
- if (ok == -1)
-diff -up openssl-1.0.1i/ssl/t1_enc.c.fips-reqs openssl-1.0.1i/ssl/t1_enc.c
---- openssl-1.0.1i/ssl/t1_enc.c.fips-reqs 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/ssl/t1_enc.c 2014-08-13 19:58:06.821832646 +0200
-@@ -291,6 +291,27 @@ static int tls1_PRF(long digest_mask,
- err:
- return ret;
- }
-+
-+int private_tls1_PRF(long digest_mask,
-+ const void *seed1, int seed1_len,
-+ const void *seed2, int seed2_len,
-+ const void *seed3, int seed3_len,
-+ const void *seed4, int seed4_len,
-+ const void *seed5, int seed5_len,
-+ const unsigned char *sec, int slen,
-+ unsigned char *out1,
-+ unsigned char *out2, int olen)
-+ {
-+ return tls1_PRF(digest_mask,
-+ seed1, seed1_len,
-+ seed2, seed2_len,
-+ seed3, seed3_len,
-+ seed4, seed4_len,
-+ seed5, seed5_len,
-+ sec, slen,
-+ out1, out2, olen);
-+ }
-+
- static int tls1_generate_key_block(SSL *s, unsigned char *km,
- unsigned char *tmp, int num)
- {
diff --git a/openssl-1.0.1i-ppc-asm-update.patch b/openssl-1.0.1i-ppc-asm-update.patch
deleted file mode 100644
index cbf220c..0000000
--- a/openssl-1.0.1i-ppc-asm-update.patch
+++ /dev/null
@@ -1,6636 +0,0 @@
-diff -up openssl-1.0.1i/config.ppc-asm openssl-1.0.1i/config
---- openssl-1.0.1i/config.ppc-asm 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/config 2014-08-13 19:46:21.092578104 +0200
-@@ -587,13 +587,20 @@ case "$GUESSOS" in
- fi
- ;;
- ppc64-*-linux2)
-- echo "WARNING! If you wish to build 64-bit library, then you have to"
-- echo " invoke './Configure linux-ppc64' *manually*."
-- if [ "$TEST" = "false" -a -t 1 ]; then
-- echo " You have about 5 seconds to press Ctrl-C to abort."
-- (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
-+ if [ -z "$KERNEL_BITS" ]; then
-+ echo "WARNING! If you wish to build 64-bit library, then you have to"
-+ echo " invoke './Configure linux-ppc64' *manually*."
-+ if [ "$TEST" = "false" -a -t 1 ]; then
-+ echo " You have about 5 seconds to press Ctrl-C to abort."
-+ (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
-+ fi
-+ fi
-+ if [ "$KERNEL_BITS" = "64" ]; then
-+ OUT="linux-ppc64"
-+ else
-+ OUT="linux-ppc"
-+ (echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null) || options="$options -m32"
- fi
-- OUT="linux-ppc"
- ;;
- ppc-*-linux2) OUT="linux-ppc" ;;
- ppc60x-*-vxworks*) OUT="vxworks-ppc60x" ;;
-diff -up openssl-1.0.1i/Configure.ppc-asm openssl-1.0.1i/Configure
---- openssl-1.0.1i/Configure.ppc-asm 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/Configure 2014-08-13 19:46:21.092578104 +0200
-@@ -139,8 +139,8 @@ my $s390x_asm="s390xcap.o s390xcpuid.o:b
- my $armv4_asm="armcap.o armv4cpuid.o:bn_asm.o armv4-mont.o armv4-gf2m.o::aes_cbc.o aes-armv4.o:::sha1-armv4-large.o sha256-armv4.o sha512-armv4.o:::::::ghash-armv4.o::void";
- my $parisc11_asm="pariscid.o:bn_asm.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::32";
- my $parisc20_asm="pariscid.o:pa-risc2W.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::64";
--my $ppc32_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o:::sha1-ppc.o sha256-ppc.o::::::::";
--my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o::::::::";
-+my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o vpaes-ppc.o aesp8-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o sha256p8-ppc.o sha512p8-ppc.o:::::::ghashp8-ppc.o:";
-+my $ppc32_asm=$ppc64_asm;
- my $no_asm=":::::::::::::::void";
-
- # As for $BSDthreads. Idea is to maintain "collective" set of flags,
-@@ -357,6 +357,7 @@ my %table=(
- ####
- "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-ppc64le","gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
- "linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-@@ -462,8 +463,8 @@ my %table=(
-
- #### IBM's AIX.
- "aix3-cc", "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::",
--"aix-gcc", "gcc:-O -DB_ENDIAN::-pthread:AIX::BN_LLONG RC4_CHAR:${ppc32_asm}:aix32:dlfcn:aix-shared::-shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X32",
--"aix64-gcc","gcc:-maix64 -O -DB_ENDIAN::-pthread:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:${ppc64_asm}:aix64:dlfcn:aix-shared::-maix64 -shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X64",
-+"aix-gcc", "gcc:-O -DB_ENDIAN::-pthread:AIX::BN_LLONG RC4_CHAR:$ppc32_asm:aix32:dlfcn:aix-shared::-shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X32",
-+"aix64-gcc","gcc:-maix64 -O -DB_ENDIAN::-pthread:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:$ppc64_asm:aix64:dlfcn:aix-shared::-maix64 -shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X64",
- # Below targets assume AIX 5. Idea is to effectively disregard $OBJECT_MODE
- # at build time. $OBJECT_MODE is respected at ./config stage!
- "aix-cc", "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded -D_THREAD_SAFE:AIX::BN_LLONG RC4_CHAR:${ppc32_asm}:aix32:dlfcn:aix-shared::-q32 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
-@@ -1526,7 +1527,7 @@ else {
- $wp_obj="wp_block.o";
- }
- $cmll_obj=$cmll_enc unless ($cmll_obj =~ /.o$/);
--if ($modes_obj =~ /ghash/)
-+if ($modes_obj =~ /ghash\-/)
- {
- $cflags.=" -DGHASH_ASM";
- }
-diff -up openssl-1.0.1i/crypto/aes/asm/aes-ppc.pl.ppc-asm openssl-1.0.1i/crypto/aes/asm/aes-ppc.pl
---- openssl-1.0.1i/crypto/aes/asm/aes-ppc.pl.ppc-asm 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/crypto/aes/asm/aes-ppc.pl 2014-08-13 19:46:21.092578104 +0200
-@@ -45,6 +45,8 @@ if ($flavour =~ /64/) {
- $PUSH ="stw";
- } else { die "nonsense $flavour"; }
-
-+$LITTLE_ENDIAN = ($flavour=~/le$/) ? $SIZE_T : 0;
-+
- $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
- ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
- ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-@@ -68,7 +70,7 @@ $key="r5";
- $Tbl0="r3";
- $Tbl1="r6";
- $Tbl2="r7";
--$Tbl3="r2";
-+$Tbl3=$out; # stay away from "r2"; $out is offloaded to stack
-
- $s0="r8";
- $s1="r9";
-@@ -76,7 +78,7 @@ $s2="r10";
- $s3="r11";
-
- $t0="r12";
--$t1="r13";
-+$t1="r0"; # stay away from "r13";
- $t2="r14";
- $t3="r15";
-
-@@ -100,9 +102,6 @@ $acc13="r29";
- $acc14="r30";
- $acc15="r31";
-
--# stay away from TLS pointer
--if ($SIZE_T==8) { die if ($t1 ne "r13"); $t1="r0"; }
--else { die if ($Tbl3 ne "r2"); $Tbl3=$t0; $t0="r0"; }
- $mask80=$Tbl2;
- $mask1b=$Tbl3;
-
-@@ -337,8 +336,7 @@ $code.=<<___;
- $STU $sp,-$FRAME($sp)
- mflr r0
-
-- $PUSH $toc,`$FRAME-$SIZE_T*20`($sp)
-- $PUSH r13,`$FRAME-$SIZE_T*19`($sp)
-+ $PUSH $out,`$FRAME-$SIZE_T*19`($sp)
- $PUSH r14,`$FRAME-$SIZE_T*18`($sp)
- $PUSH r15,`$FRAME-$SIZE_T*17`($sp)
- $PUSH r16,`$FRAME-$SIZE_T*16`($sp)
-@@ -365,16 +363,61 @@ $code.=<<___;
- bne Lenc_unaligned
-
- Lenc_unaligned_ok:
-+___
-+$code.=<<___ if (!$LITTLE_ENDIAN);
- lwz $s0,0($inp)
- lwz $s1,4($inp)
- lwz $s2,8($inp)
- lwz $s3,12($inp)
-+___
-+$code.=<<___ if ($LITTLE_ENDIAN);
-+ lwz $t0,0($inp)
-+ lwz $t1,4($inp)
-+ lwz $t2,8($inp)
-+ lwz $t3,12($inp)
-+ rotlwi $s0,$t0,8
-+ rotlwi $s1,$t1,8
-+ rotlwi $s2,$t2,8
-+ rotlwi $s3,$t3,8
-+ rlwimi $s0,$t0,24,0,7
-+ rlwimi $s1,$t1,24,0,7
-+ rlwimi $s2,$t2,24,0,7
-+ rlwimi $s3,$t3,24,0,7
-+ rlwimi $s0,$t0,24,16,23
-+ rlwimi $s1,$t1,24,16,23
-+ rlwimi $s2,$t2,24,16,23
-+ rlwimi $s3,$t3,24,16,23
-+___
-+$code.=<<___;
- bl LAES_Te
- bl Lppc_AES_encrypt_compact
-+ $POP $out,`$FRAME-$SIZE_T*19`($sp)
-+___
-+$code.=<<___ if ($LITTLE_ENDIAN);
-+ rotlwi $t0,$s0,8
-+ rotlwi $t1,$s1,8
-+ rotlwi $t2,$s2,8
-+ rotlwi $t3,$s3,8
-+ rlwimi $t0,$s0,24,0,7
-+ rlwimi $t1,$s1,24,0,7
-+ rlwimi $t2,$s2,24,0,7
-+ rlwimi $t3,$s3,24,0,7
-+ rlwimi $t0,$s0,24,16,23
-+ rlwimi $t1,$s1,24,16,23
-+ rlwimi $t2,$s2,24,16,23
-+ rlwimi $t3,$s3,24,16,23
-+ stw $t0,0($out)
-+ stw $t1,4($out)
-+ stw $t2,8($out)
-+ stw $t3,12($out)
-+___
-+$code.=<<___ if (!$LITTLE_ENDIAN);
- stw $s0,0($out)
- stw $s1,4($out)
- stw $s2,8($out)
- stw $s3,12($out)
-+___
-+$code.=<<___;
- b Lenc_done
-
- Lenc_unaligned:
-@@ -417,6 +460,7 @@ Lenc_xpage:
-
- bl LAES_Te
- bl Lppc_AES_encrypt_compact
-+ $POP $out,`$FRAME-$SIZE_T*19`($sp)
-
- extrwi $acc00,$s0,8,0
- extrwi $acc01,$s0,8,8
-@@ -449,8 +493,6 @@ Lenc_xpage:
-
- Lenc_done:
- $POP r0,`$FRAME+$LRSAVE`($sp)
-- $POP $toc,`$FRAME-$SIZE_T*20`($sp)
-- $POP r13,`$FRAME-$SIZE_T*19`($sp)
- $POP r14,`$FRAME-$SIZE_T*18`($sp)
- $POP r15,`$FRAME-$SIZE_T*17`($sp)
- $POP r16,`$FRAME-$SIZE_T*16`($sp)
-@@ -764,6 +806,7 @@ Lenc_compact_done:
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size .AES_encrypt,.-.AES_encrypt
-
- .globl .AES_decrypt
- .align 7
-@@ -771,8 +814,7 @@ Lenc_compact_done:
- $STU $sp,-$FRAME($sp)
- mflr r0
-
-- $PUSH $toc,`$FRAME-$SIZE_T*20`($sp)
-- $PUSH r13,`$FRAME-$SIZE_T*19`($sp)
-+ $PUSH $out,`$FRAME-$SIZE_T*19`($sp)
- $PUSH r14,`$FRAME-$SIZE_T*18`($sp)
- $PUSH r15,`$FRAME-$SIZE_T*17`($sp)
- $PUSH r16,`$FRAME-$SIZE_T*16`($sp)
-@@ -799,16 +841,61 @@ Lenc_compact_done:
- bne Ldec_unaligned
-
- Ldec_unaligned_ok:
-+___
-+$code.=<<___ if (!$LITTLE_ENDIAN);
- lwz $s0,0($inp)
- lwz $s1,4($inp)
- lwz $s2,8($inp)
- lwz $s3,12($inp)
-+___
-+$code.=<<___ if ($LITTLE_ENDIAN);
-+ lwz $t0,0($inp)
-+ lwz $t1,4($inp)
-+ lwz $t2,8($inp)
-+ lwz $t3,12($inp)
-+ rotlwi $s0,$t0,8
-+ rotlwi $s1,$t1,8
-+ rotlwi $s2,$t2,8
-+ rotlwi $s3,$t3,8
-+ rlwimi $s0,$t0,24,0,7
-+ rlwimi $s1,$t1,24,0,7
-+ rlwimi $s2,$t2,24,0,7
-+ rlwimi $s3,$t3,24,0,7
-+ rlwimi $s0,$t0,24,16,23
-+ rlwimi $s1,$t1,24,16,23
-+ rlwimi $s2,$t2,24,16,23
-+ rlwimi $s3,$t3,24,16,23
-+___
-+$code.=<<___;
- bl LAES_Td
- bl Lppc_AES_decrypt_compact
-+ $POP $out,`$FRAME-$SIZE_T*19`($sp)
-+___
-+$code.=<<___ if ($LITTLE_ENDIAN);
-+ rotlwi $t0,$s0,8
-+ rotlwi $t1,$s1,8
-+ rotlwi $t2,$s2,8
-+ rotlwi $t3,$s3,8
-+ rlwimi $t0,$s0,24,0,7
-+ rlwimi $t1,$s1,24,0,7
-+ rlwimi $t2,$s2,24,0,7
-+ rlwimi $t3,$s3,24,0,7
-+ rlwimi $t0,$s0,24,16,23
-+ rlwimi $t1,$s1,24,16,23
-+ rlwimi $t2,$s2,24,16,23
-+ rlwimi $t3,$s3,24,16,23
-+ stw $t0,0($out)
-+ stw $t1,4($out)
-+ stw $t2,8($out)
-+ stw $t3,12($out)
-+___
-+$code.=<<___ if (!$LITTLE_ENDIAN);
- stw $s0,0($out)
- stw $s1,4($out)
- stw $s2,8($out)
- stw $s3,12($out)
-+___
-+$code.=<<___;
- b Ldec_done
-
- Ldec_unaligned:
-@@ -851,6 +938,7 @@ Ldec_xpage:
-
- bl LAES_Td
- bl Lppc_AES_decrypt_compact
-+ $POP $out,`$FRAME-$SIZE_T*19`($sp)
-
- extrwi $acc00,$s0,8,0
- extrwi $acc01,$s0,8,8
-@@ -883,8 +971,6 @@ Ldec_xpage:
-
- Ldec_done:
- $POP r0,`$FRAME+$LRSAVE`($sp)
-- $POP $toc,`$FRAME-$SIZE_T*20`($sp)
-- $POP r13,`$FRAME-$SIZE_T*19`($sp)
- $POP r14,`$FRAME-$SIZE_T*18`($sp)
- $POP r15,`$FRAME-$SIZE_T*17`($sp)
- $POP r16,`$FRAME-$SIZE_T*16`($sp)
-@@ -1355,6 +1441,7 @@ Ldec_compact_done:
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size .AES_decrypt,.-.AES_decrypt
-
- .asciz "AES for PPC, CRYPTOGAMS by <appro\@openssl.org>"
- .align 7
-diff -up openssl-1.0.1i/crypto/aes/asm/aesp8-ppc.pl.ppc-asm openssl-1.0.1i/crypto/aes/asm/aesp8-ppc.pl
---- openssl-1.0.1i/crypto/aes/asm/aesp8-ppc.pl.ppc-asm 2014-08-13 19:46:21.093578128 +0200
-+++ openssl-1.0.1i/crypto/aes/asm/aesp8-ppc.pl 2014-08-13 19:46:21.093578128 +0200
-@@ -0,0 +1,1940 @@
-+#!/usr/bin/env perl
-+#
-+# ====================================================================
-+# Written by Andy Polyakov <appro at openssl.org> for the OpenSSL
-+# project. The module is, however, dual licensed under OpenSSL and
-+# CRYPTOGAMS licenses depending on where you obtain it. For further
-+# details see http://www.openssl.org/~appro/cryptogams/.
-+# ====================================================================
-+#
-+# This module implements support for AES instructions as per PowerISA
-+# specification version 2.07, first implemented by POWER8 processor.
-+# The module is endian-agnostic in sense that it supports both big-
-+# and little-endian cases. Data alignment in parallelizable modes is
-+# handled with VSX loads and stores, which implies MSR.VSX flag being
-+# set. It should also be noted that ISA specification doesn't prohibit
-+# alignment exceptions for these instructions on page boundaries.
-+# Initially alignment was handled in pure AltiVec/VMX way [when data
-+# is aligned programmatically, which in turn guarantees exception-
-+# free execution], but it turned to hamper performance when vcipher
-+# instructions are interleaved. It's reckoned that eventual
-+# misalignment penalties at page boundaries are in average lower
-+# than additional overhead in pure AltiVec approach.
-+
-+$flavour = shift;
-+
-+if ($flavour =~ /64/) {
-+ $SIZE_T =8;
-+ $LRSAVE =2*$SIZE_T;
-+ $STU ="stdu";
-+ $POP ="ld";
-+ $PUSH ="std";
-+ $UCMP ="cmpld";
-+ $SHL ="sldi";
-+} elsif ($flavour =~ /32/) {
-+ $SIZE_T =4;
-+ $LRSAVE =$SIZE_T;
-+ $STU ="stwu";
-+ $POP ="lwz";
-+ $PUSH ="stw";
-+ $UCMP ="cmplw";
-+ $SHL ="slwi";
-+} else { die "nonsense $flavour"; }
-+
-+$LITTLE_ENDIAN = ($flavour=~/le$/) ? $SIZE_T : 0;
-+
-+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
-+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-+die "can't locate ppc-xlate.pl";
-+
-+open STDOUT,"| $^X $xlate $flavour ".shift || die "can't call $xlate: $!";
-+
-+$FRAME=8*$SIZE_T;
-+$prefix="aes_p8";
-+
-+$sp="r1";
-+$vrsave="r12";
-+
-+#########################################################################
-+{{{ # Key setup procedures #
-+my ($inp,$bits,$out,$ptr,$cnt,$rounds)=map("r$_",(3..8));
-+my ($zero,$in0,$in1,$key,$rcon,$mask,$tmp)=map("v$_",(0..6));
-+my ($stage,$outperm,$outmask,$outhead,$outtail)=map("v$_",(7..11));
-+
-+$code.=<<___;
-+.machine "any"
-+
-+.text
-+
-+.align 7
-+rcon:
-+.long 0x01000000, 0x01000000, 0x01000000, 0x01000000 ?rev
-+.long 0x1b000000, 0x1b000000, 0x1b000000, 0x1b000000 ?rev
-+.long 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c ?rev
-+.long 0,0,0,0 ?asis
-+Lconsts:
-+ mflr r0
-+ bcl 20,31,\$+4
-+ mflr $ptr #vvvvv "distance between . and rcon
-+ addi $ptr,$ptr,-0x48
-+ mtlr r0
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+.asciz "AES for PowerISA 2.07, CRYPTOGAMS by <appro\@openssl.org>"
-+
-+.globl .${prefix}_set_encrypt_key
-+.align 5
-+.${prefix}_set_encrypt_key:
-+Lset_encrypt_key:
-+ mflr r11
-+ $PUSH r11,$LRSAVE($sp)
-+
-+ li $ptr,-1
-+ ${UCMP}i $inp,0
-+ beq- Lenc_key_abort # if ($inp==0) return -1;
-+ ${UCMP}i $out,0
-+ beq- Lenc_key_abort # if ($out==0) return -1;
-+ li $ptr,-2
-+ cmpwi $bits,128
-+ blt- Lenc_key_abort
-+ cmpwi $bits,256
-+ bgt- Lenc_key_abort
-+ andi. r0,$bits,0x3f
-+ bne- Lenc_key_abort
-+
-+ lis r0,0xfff0
-+ mfspr $vrsave,256
-+ mtspr 256,r0
-+
-+ bl Lconsts
-+ mtlr r11
-+
-+ neg r9,$inp
-+ lvx $in0,0,$inp
-+ addi $inp,$inp,15 # 15 is not typo
-+ lvsr $key,0,r9 # borrow $key
-+ li r8,0x20
-+ cmpwi $bits,192
-+ lvx $in1,0,$inp
-+ le?vspltisb $mask,0x0f # borrow $mask
-+ lvx $rcon,0,$ptr
-+ le?vxor $key,$key,$mask # adjust for byte swap
-+ lvx $mask,r8,$ptr
-+ addi $ptr,$ptr,0x10
-+ vperm $in0,$in0,$in1,$key # align [and byte swap in LE]
-+ li $cnt,8
-+ vxor $zero,$zero,$zero
-+ mtctr $cnt
-+
-+ ?lvsr $outperm,0,$out
-+ vspltisb $outmask,-1
-+ lvx $outhead,0,$out
-+ ?vperm $outmask,$zero,$outmask,$outperm
-+
-+ blt Loop128
-+ addi $inp,$inp,8
-+ beq L192
-+ addi $inp,$inp,8
-+ b L256
-+
-+.align 4
-+Loop128:
-+ vperm $key,$in0,$in0,$mask # rotate-n-splat
-+ vsldoi $tmp,$zero,$in0,12 # >>32
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ vcipherlast $key,$key,$rcon
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vadduwm $rcon,$rcon,$rcon
-+ vxor $in0,$in0,$key
-+ bdnz Loop128
-+
-+ lvx $rcon,0,$ptr # last two round keys
-+
-+ vperm $key,$in0,$in0,$mask # rotate-n-splat
-+ vsldoi $tmp,$zero,$in0,12 # >>32
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ vcipherlast $key,$key,$rcon
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vadduwm $rcon,$rcon,$rcon
-+ vxor $in0,$in0,$key
-+
-+ vperm $key,$in0,$in0,$mask # rotate-n-splat
-+ vsldoi $tmp,$zero,$in0,12 # >>32
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ vcipherlast $key,$key,$rcon
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vxor $in0,$in0,$key
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ stvx $stage,0,$out
-+
-+ addi $inp,$out,15 # 15 is not typo
-+ addi $out,$out,0x50
-+
-+ li $rounds,10
-+ b Ldone
-+
-+.align 4
-+L192:
-+ lvx $tmp,0,$inp
-+ li $cnt,4
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+ vperm $in1,$in1,$tmp,$key # align [and byte swap in LE]
-+ vspltisb $key,8 # borrow $key
-+ mtctr $cnt
-+ vsububm $mask,$mask,$key # adjust the mask
-+
-+Loop192:
-+ vperm $key,$in1,$in1,$mask # roate-n-splat
-+ vsldoi $tmp,$zero,$in0,12 # >>32
-+ vcipherlast $key,$key,$rcon
-+
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+
-+ vsldoi $stage,$zero,$in1,8
-+ vspltw $tmp,$in0,3
-+ vxor $tmp,$tmp,$in1
-+ vsldoi $in1,$zero,$in1,12 # >>32
-+ vadduwm $rcon,$rcon,$rcon
-+ vxor $in1,$in1,$tmp
-+ vxor $in0,$in0,$key
-+ vxor $in1,$in1,$key
-+ vsldoi $stage,$stage,$in0,8
-+
-+ vperm $key,$in1,$in1,$mask # rotate-n-splat
-+ vsldoi $tmp,$zero,$in0,12 # >>32
-+ vperm $outtail,$stage,$stage,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ vcipherlast $key,$key,$rcon
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+
-+ vsldoi $stage,$in0,$in1,8
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vperm $outtail,$stage,$stage,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+
-+ vspltw $tmp,$in0,3
-+ vxor $tmp,$tmp,$in1
-+ vsldoi $in1,$zero,$in1,12 # >>32
-+ vadduwm $rcon,$rcon,$rcon
-+ vxor $in1,$in1,$tmp
-+ vxor $in0,$in0,$key
-+ vxor $in1,$in1,$key
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ stvx $stage,0,$out
-+ addi $inp,$out,15 # 15 is not typo
-+ addi $out,$out,16
-+ bdnz Loop192
-+
-+ li $rounds,12
-+ addi $out,$out,0x20
-+ b Ldone
-+
-+.align 4
-+L256:
-+ lvx $tmp,0,$inp
-+ li $cnt,7
-+ li $rounds,14
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+ vperm $in1,$in1,$tmp,$key # align [and byte swap in LE]
-+ mtctr $cnt
-+
-+Loop256:
-+ vperm $key,$in1,$in1,$mask # rotate-n-splat
-+ vsldoi $tmp,$zero,$in0,12 # >>32
-+ vperm $outtail,$in1,$in1,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ vcipherlast $key,$key,$rcon
-+ stvx $stage,0,$out
-+ addi $out,$out,16
-+
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in0,$in0,$tmp
-+ vadduwm $rcon,$rcon,$rcon
-+ vxor $in0,$in0,$key
-+ vperm $outtail,$in0,$in0,$outperm # rotate
-+ vsel $stage,$outhead,$outtail,$outmask
-+ vmr $outhead,$outtail
-+ stvx $stage,0,$out
-+ addi $inp,$out,15 # 15 is not typo
-+ addi $out,$out,16
-+ bdz Ldone
-+
-+ vspltw $key,$in0,3 # just splat
-+ vsldoi $tmp,$zero,$in1,12 # >>32
-+ vsbox $key,$key
-+
-+ vxor $in1,$in1,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in1,$in1,$tmp
-+ vsldoi $tmp,$zero,$tmp,12 # >>32
-+ vxor $in1,$in1,$tmp
-+
-+ vxor $in1,$in1,$key
-+ b Loop256
-+
-+.align 4
-+Ldone:
-+ lvx $in1,0,$inp # redundant in aligned case
-+ vsel $in1,$outhead,$in1,$outmask
-+ stvx $in1,0,$inp
-+ li $ptr,0
-+ mtspr 256,$vrsave
-+ stw $rounds,0($out)
-+
-+Lenc_key_abort:
-+ mr r3,$ptr
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,1,0,0,3,0
-+ .long 0
-+.size .${prefix}_set_encrypt_key,.-.${prefix}_set_encrypt_key
-+
-+.globl .${prefix}_set_decrypt_key
-+.align 5
-+.${prefix}_set_decrypt_key:
-+ $STU $sp,-$FRAME($sp)
-+ mflr r10
-+ $PUSH r10,$FRAME+$LRSAVE($sp)
-+ bl Lset_encrypt_key
-+ mtlr r10
-+
-+ cmpwi r3,0
-+ bne- Ldec_key_abort
-+
-+ slwi $cnt,$rounds,4
-+ subi $inp,$out,240 # first round key
-+ srwi $rounds,$rounds,1
-+ add $out,$inp,$cnt # last round key
-+ mtctr $rounds
-+
-+Ldeckey:
-+ lwz r0, 0($inp)
-+ lwz r6, 4($inp)
-+ lwz r7, 8($inp)
-+ lwz r8, 12($inp)
-+ addi $inp,$inp,16
-+ lwz r9, 0($out)
-+ lwz r10,4($out)
-+ lwz r11,8($out)
-+ lwz r12,12($out)
-+ stw r0, 0($out)
-+ stw r6, 4($out)
-+ stw r7, 8($out)
-+ stw r8, 12($out)
-+ subi $out,$out,16
-+ stw r9, -16($inp)
-+ stw r10,-12($inp)
-+ stw r11,-8($inp)
-+ stw r12,-4($inp)
-+ bdnz Ldeckey
-+
-+ xor r3,r3,r3 # return value
-+Ldec_key_abort:
-+ addi $sp,$sp,$FRAME
-+ blr
-+ .long 0
-+ .byte 0,12,4,1,0x80,0,3,0
-+ .long 0
-+.size .${prefix}_set_decrypt_key,.-.${prefix}_set_decrypt_key
-+___
-+}}}
-+#########################################################################
-+{{{ # Single block en- and decrypt procedures #
-+sub gen_block () {
-+my $dir = shift;
-+my $n = $dir eq "de" ? "n" : "";
-+my ($inp,$out,$key,$rounds,$idx)=map("r$_",(3..7));
-+
-+$code.=<<___;
-+.globl .${prefix}_${dir}crypt
-+.align 5
-+.${prefix}_${dir}crypt:
-+ lwz $rounds,240($key)
-+ lis r0,0xfc00
-+ mfspr $vrsave,256
-+ li $idx,15 # 15 is not typo
-+ mtspr 256,r0
-+
-+ lvx v0,0,$inp
-+ neg r11,$out
-+ lvx v1,$idx,$inp
-+ lvsl v2,0,$inp # inpperm
-+ le?vspltisb v4,0x0f
-+ ?lvsl v3,0,r11 # outperm
-+ le?vxor v2,v2,v4
-+ li $idx,16
-+ vperm v0,v0,v1,v2 # align [and byte swap in LE]
-+ lvx v1,0,$key
-+ ?lvsl v5,0,$key # keyperm
-+ srwi $rounds,$rounds,1
-+ lvx v2,$idx,$key
-+ addi $idx,$idx,16
-+ subi $rounds,$rounds,1
-+ ?vperm v1,v1,v2,v5 # align round key
-+
-+ vxor v0,v0,v1
-+ lvx v1,$idx,$key
-+ addi $idx,$idx,16
-+ mtctr $rounds
-+
-+Loop_${dir}c:
-+ ?vperm v2,v2,v1,v5
-+ v${n}cipher v0,v0,v2
-+ lvx v2,$idx,$key
-+ addi $idx,$idx,16
-+ ?vperm v1,v1,v2,v5
-+ v${n}cipher v0,v0,v1
-+ lvx v1,$idx,$key
-+ addi $idx,$idx,16
-+ bdnz Loop_${dir}c
-+
-+ ?vperm v2,v2,v1,v5
-+ v${n}cipher v0,v0,v2
-+ lvx v2,$idx,$key
-+ ?vperm v1,v1,v2,v5
-+ v${n}cipherlast v0,v0,v1
-+
-+ vspltisb v2,-1
-+ vxor v1,v1,v1
-+ li $idx,15 # 15 is not typo
-+ ?vperm v2,v1,v2,v3 # outmask
-+ le?vxor v3,v3,v4
-+ lvx v1,0,$out # outhead
-+ vperm v0,v0,v0,v3 # rotate [and byte swap in LE]
-+ vsel v1,v1,v0,v2
-+ lvx v4,$idx,$out
-+ stvx v1,0,$out
-+ vsel v0,v0,v4,v2
-+ stvx v0,$idx,$out
-+
-+ mtspr 256,$vrsave
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,3,0
-+ .long 0
-+.size .${prefix}_${dir}crypt,.-.${prefix}_${dir}crypt
-+___
-+}
-+&gen_block("en");
-+&gen_block("de");
-+}}}
-+#########################################################################
-+{{{ # CBC en- and decrypt procedures #
-+my ($inp,$out,$len,$key,$ivp,$enc,$rounds,$idx)=map("r$_",(3..10));
-+my ($rndkey0,$rndkey1,$inout,$tmp)= map("v$_",(0..3));
-+my ($ivec,$inptail,$inpperm,$outhead,$outperm,$outmask,$keyperm)=
-+ map("v$_",(4..10));
-+$code.=<<___;
-+.globl .${prefix}_cbc_encrypt
-+.align 5
-+.${prefix}_cbc_encrypt:
-+ ${UCMP}i $len,16
-+ bltlr-
-+
-+ cmpwi $enc,0 # test direction
-+ lis r0,0xffe0
-+ mfspr $vrsave,256
-+ mtspr 256,r0
-+
-+ li $idx,15
-+ vxor $rndkey0,$rndkey0,$rndkey0
-+ le?vspltisb $tmp,0x0f
-+
-+ lvx $ivec,0,$ivp # load [unaligned] iv
-+ lvsl $inpperm,0,$ivp
-+ lvx $inptail,$idx,$ivp
-+ le?vxor $inpperm,$inpperm,$tmp
-+ vperm $ivec,$ivec,$inptail,$inpperm
-+
-+ neg r11,$inp
-+ ?lvsl $keyperm,0,$key # prepare for unaligned key
-+ lwz $rounds,240($key)
-+
-+ lvsr $inpperm,0,r11 # prepare for unaligned load
-+ lvx $inptail,0,$inp
-+ addi $inp,$inp,15 # 15 is not typo
-+ le?vxor $inpperm,$inpperm,$tmp
-+
-+ ?lvsr $outperm,0,$out # prepare for unaligned store
-+ vspltisb $outmask,-1
-+ lvx $outhead,0,$out
-+ ?vperm $outmask,$rndkey0,$outmask,$outperm
-+ le?vxor $outperm,$outperm,$tmp
-+
-+ srwi $rounds,$rounds,1
-+ li $idx,16
-+ subi $rounds,$rounds,1
-+ beq Lcbc_dec
-+
-+Lcbc_enc:
-+ vmr $inout,$inptail
-+ lvx $inptail,0,$inp
-+ addi $inp,$inp,16
-+ mtctr $rounds
-+ subi $len,$len,16 # len-=16
-+
-+ lvx $rndkey0,0,$key
-+ vperm $inout,$inout,$inptail,$inpperm
-+ lvx $rndkey1,$idx,$key
-+ addi $idx,$idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vxor $inout,$inout,$rndkey0
-+ lvx $rndkey0,$idx,$key
-+ addi $idx,$idx,16
-+ vxor $inout,$inout,$ivec
-+
-+Loop_cbc_enc:
-+ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
-+ vcipher $inout,$inout,$rndkey1
-+ lvx $rndkey1,$idx,$key
-+ addi $idx,$idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vcipher $inout,$inout,$rndkey0
-+ lvx $rndkey0,$idx,$key
-+ addi $idx,$idx,16
-+ bdnz Loop_cbc_enc
-+
-+ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
-+ vcipher $inout,$inout,$rndkey1
-+ lvx $rndkey1,$idx,$key
-+ li $idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vcipherlast $ivec,$inout,$rndkey0
-+ ${UCMP}i $len,16
-+
-+ vperm $tmp,$ivec,$ivec,$outperm
-+ vsel $inout,$outhead,$tmp,$outmask
-+ vmr $outhead,$tmp
-+ stvx $inout,0,$out
-+ addi $out,$out,16
-+ bge Lcbc_enc
-+
-+ b Lcbc_done
-+
-+.align 4
-+Lcbc_dec:
-+ ${UCMP}i $len,128
-+ bge _aesp8_cbc_decrypt8x
-+ vmr $tmp,$inptail
-+ lvx $inptail,0,$inp
-+ addi $inp,$inp,16
-+ mtctr $rounds
-+ subi $len,$len,16 # len-=16
-+
-+ lvx $rndkey0,0,$key
-+ vperm $tmp,$tmp,$inptail,$inpperm
-+ lvx $rndkey1,$idx,$key
-+ addi $idx,$idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vxor $inout,$tmp,$rndkey0
-+ lvx $rndkey0,$idx,$key
-+ addi $idx,$idx,16
-+
-+Loop_cbc_dec:
-+ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
-+ vncipher $inout,$inout,$rndkey1
-+ lvx $rndkey1,$idx,$key
-+ addi $idx,$idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vncipher $inout,$inout,$rndkey0
-+ lvx $rndkey0,$idx,$key
-+ addi $idx,$idx,16
-+ bdnz Loop_cbc_dec
-+
-+ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
-+ vncipher $inout,$inout,$rndkey1
-+ lvx $rndkey1,$idx,$key
-+ li $idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vncipherlast $inout,$inout,$rndkey0
-+ ${UCMP}i $len,16
-+
-+ vxor $inout,$inout,$ivec
-+ vmr $ivec,$tmp
-+ vperm $tmp,$inout,$inout,$outperm
-+ vsel $inout,$outhead,$tmp,$outmask
-+ vmr $outhead,$tmp
-+ stvx $inout,0,$out
-+ addi $out,$out,16
-+ bge Lcbc_dec
-+
-+Lcbc_done:
-+ addi $out,$out,-1
-+ lvx $inout,0,$out # redundant in aligned case
-+ vsel $inout,$outhead,$inout,$outmask
-+ stvx $inout,0,$out
-+
-+ neg $enc,$ivp # write [unaligned] iv
-+ li $idx,15 # 15 is not typo
-+ vxor $rndkey0,$rndkey0,$rndkey0
-+ vspltisb $outmask,-1
-+ le?vspltisb $tmp,0x0f
-+ ?lvsl $outperm,0,$enc
-+ ?vperm $outmask,$rndkey0,$outmask,$outperm
-+ le?vxor $outperm,$outperm,$tmp
-+ lvx $outhead,0,$ivp
-+ vperm $ivec,$ivec,$ivec,$outperm
-+ vsel $inout,$outhead,$ivec,$outmask
-+ lvx $inptail,$idx,$ivp
-+ stvx $inout,0,$ivp
-+ vsel $inout,$ivec,$inptail,$outmask
-+ stvx $inout,$idx,$ivp
-+
-+ mtspr 256,$vrsave
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,6,0
-+ .long 0
-+___
-+#########################################################################
-+{{ # Optimized CBC decrypt procedure #
-+my $key_="r11";
-+my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,8,26..31));
-+my ($in0, $in1, $in2, $in3, $in4, $in5, $in6, $in7 )=map("v$_",(0..3,10..13));
-+my ($out0,$out1,$out2,$out3,$out4,$out5,$out6,$out7)=map("v$_",(14..21));
-+my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys
-+ # v26-v31 last 6 round keys
-+my ($tmp,$keyperm)=($in3,$in4); # aliases with "caller", redundant assignment
-+
-+$code.=<<___;
-+.align 5
-+_aesp8_cbc_decrypt8x:
-+ $STU $sp,-`($FRAME+21*16+6*$SIZE_T)`($sp)
-+ li r10,`$FRAME+8*16+15`
-+ li r11,`$FRAME+8*16+31`
-+ stvx v20,r10,$sp # ABI says so
-+ addi r10,r10,32
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ li r0,-1
-+ stw $vrsave,`$FRAME+21*16-4`($sp) # save vrsave
-+ li $x10,0x10
-+ $PUSH r26,`$FRAME+21*16+0*$SIZE_T`($sp)
-+ li $x20,0x20
-+ $PUSH r27,`$FRAME+21*16+1*$SIZE_T`($sp)
-+ li $x30,0x30
-+ $PUSH r28,`$FRAME+21*16+2*$SIZE_T`($sp)
-+ li $x40,0x40
-+ $PUSH r29,`$FRAME+21*16+3*$SIZE_T`($sp)
-+ li $x50,0x50
-+ $PUSH r30,`$FRAME+21*16+4*$SIZE_T`($sp)
-+ li $x60,0x60
-+ $PUSH r31,`$FRAME+21*16+5*$SIZE_T`($sp)
-+ li $x70,0x70
-+ mtspr 256,r0
-+
-+ subi $rounds,$rounds,3 # -4 in total
-+ subi $len,$len,128 # bias
-+
-+ lvx $rndkey0,$x00,$key # load key schedule
-+ lvx v30,$x10,$key
-+ addi $key,$key,0x20
-+ lvx v31,$x00,$key
-+ ?vperm $rndkey0,$rndkey0,v30,$keyperm
-+ addi $key_,$sp,$FRAME+15
-+ mtctr $rounds
-+
-+Load_cbc_dec_key:
-+ ?vperm v24,v30,v31,$keyperm
-+ lvx v30,$x10,$key
-+ addi $key,$key,0x20
-+ stvx v24,$x00,$key_ # off-load round[1]
-+ ?vperm v25,v31,v30,$keyperm
-+ lvx v31,$x00,$key
-+ stvx v25,$x10,$key_ # off-load round[2]
-+ addi $key_,$key_,0x20
-+ bdnz Load_cbc_dec_key
-+
-+ lvx v26,$x10,$key
-+ ?vperm v24,v30,v31,$keyperm
-+ lvx v27,$x20,$key
-+ stvx v24,$x00,$key_ # off-load round[3]
-+ ?vperm v25,v31,v26,$keyperm
-+ lvx v28,$x30,$key
-+ stvx v25,$x10,$key_ # off-load round[4]
-+ addi $key_,$sp,$FRAME+15 # rewind $key_
-+ ?vperm v26,v26,v27,$keyperm
-+ lvx v29,$x40,$key
-+ ?vperm v27,v27,v28,$keyperm
-+ lvx v30,$x50,$key
-+ ?vperm v28,v28,v29,$keyperm
-+ lvx v31,$x60,$key
-+ ?vperm v29,v29,v30,$keyperm
-+ lvx $out0,$x70,$key # borrow $out0
-+ ?vperm v30,v30,v31,$keyperm
-+ lvx v24,$x00,$key_ # pre-load round[1]
-+ ?vperm v31,v31,$out0,$keyperm
-+ lvx v25,$x10,$key_ # pre-load round[2]
-+
-+ #lvx $inptail,0,$inp # "caller" already did this
-+ #addi $inp,$inp,15 # 15 is not typo
-+ subi $inp,$inp,15 # undo "caller"
-+
-+ le?li $idx,8
-+ lvx_u $in0,$x00,$inp # load first 8 "words"
-+ le?lvsl $inpperm,0,$idx
-+ le?vspltisb $tmp,0x0f
-+ lvx_u $in1,$x10,$inp
-+ le?vxor $inpperm,$inpperm,$tmp # transform for lvx_u/stvx_u
-+ lvx_u $in2,$x20,$inp
-+ le?vperm $in0,$in0,$in0,$inpperm
-+ lvx_u $in3,$x30,$inp
-+ le?vperm $in1,$in1,$in1,$inpperm
-+ lvx_u $in4,$x40,$inp
-+ le?vperm $in2,$in2,$in2,$inpperm
-+ vxor $out0,$in0,$rndkey0
-+ lvx_u $in5,$x50,$inp
-+ le?vperm $in3,$in3,$in3,$inpperm
-+ vxor $out1,$in1,$rndkey0
-+ lvx_u $in6,$x60,$inp
-+ le?vperm $in4,$in4,$in4,$inpperm
-+ vxor $out2,$in2,$rndkey0
-+ lvx_u $in7,$x70,$inp
-+ addi $inp,$inp,0x80
-+ le?vperm $in5,$in5,$in5,$inpperm
-+ vxor $out3,$in3,$rndkey0
-+ le?vperm $in6,$in6,$in6,$inpperm
-+ vxor $out4,$in4,$rndkey0
-+ le?vperm $in7,$in7,$in7,$inpperm
-+ vxor $out5,$in5,$rndkey0
-+ vxor $out6,$in6,$rndkey0
-+ vxor $out7,$in7,$rndkey0
-+
-+ mtctr $rounds
-+ b Loop_cbc_dec8x
-+.align 5
-+Loop_cbc_dec8x:
-+ vncipher $out0,$out0,v24
-+ vncipher $out1,$out1,v24
-+ vncipher $out2,$out2,v24
-+ vncipher $out3,$out3,v24
-+ vncipher $out4,$out4,v24
-+ vncipher $out5,$out5,v24
-+ vncipher $out6,$out6,v24
-+ vncipher $out7,$out7,v24
-+ lvx v24,$x20,$key_ # round[3]
-+ addi $key_,$key_,0x20
-+
-+ vncipher $out0,$out0,v25
-+ vncipher $out1,$out1,v25
-+ vncipher $out2,$out2,v25
-+ vncipher $out3,$out3,v25
-+ vncipher $out4,$out4,v25
-+ vncipher $out5,$out5,v25
-+ vncipher $out6,$out6,v25
-+ vncipher $out7,$out7,v25
-+ lvx v25,$x10,$key_ # round[4]
-+ bdnz Loop_cbc_dec8x
-+
-+ subic $len,$len,128 # $len-=128
-+ vncipher $out0,$out0,v24
-+ vncipher $out1,$out1,v24
-+ vncipher $out2,$out2,v24
-+ vncipher $out3,$out3,v24
-+ vncipher $out4,$out4,v24
-+ vncipher $out5,$out5,v24
-+ vncipher $out6,$out6,v24
-+ vncipher $out7,$out7,v24
-+
-+ subfe. r0,r0,r0 # borrow?-1:0
-+ vncipher $out0,$out0,v25
-+ vncipher $out1,$out1,v25
-+ vncipher $out2,$out2,v25
-+ vncipher $out3,$out3,v25
-+ vncipher $out4,$out4,v25
-+ vncipher $out5,$out5,v25
-+ vncipher $out6,$out6,v25
-+ vncipher $out7,$out7,v25
-+
-+ and r0,r0,$len
-+ vncipher $out0,$out0,v26
-+ vncipher $out1,$out1,v26
-+ vncipher $out2,$out2,v26
-+ vncipher $out3,$out3,v26
-+ vncipher $out4,$out4,v26
-+ vncipher $out5,$out5,v26
-+ vncipher $out6,$out6,v26
-+ vncipher $out7,$out7,v26
-+
-+ add $inp,$inp,r0 # $inp is adjusted in such
-+ # way that at exit from the
-+ # loop inX-in7 are loaded
-+ # with last "words"
-+ vncipher $out0,$out0,v27
-+ vncipher $out1,$out1,v27
-+ vncipher $out2,$out2,v27
-+ vncipher $out3,$out3,v27
-+ vncipher $out4,$out4,v27
-+ vncipher $out5,$out5,v27
-+ vncipher $out6,$out6,v27
-+ vncipher $out7,$out7,v27
-+
-+ addi $key_,$sp,$FRAME+15 # rewind $key_
-+ vncipher $out0,$out0,v28
-+ vncipher $out1,$out1,v28
-+ vncipher $out2,$out2,v28
-+ vncipher $out3,$out3,v28
-+ vncipher $out4,$out4,v28
-+ vncipher $out5,$out5,v28
-+ vncipher $out6,$out6,v28
-+ vncipher $out7,$out7,v28
-+ lvx v24,$x00,$key_ # re-pre-load round[1]
-+
-+ vncipher $out0,$out0,v29
-+ vncipher $out1,$out1,v29
-+ vncipher $out2,$out2,v29
-+ vncipher $out3,$out3,v29
-+ vncipher $out4,$out4,v29
-+ vncipher $out5,$out5,v29
-+ vncipher $out6,$out6,v29
-+ vncipher $out7,$out7,v29
-+ lvx v25,$x10,$key_ # re-pre-load round[2]
-+
-+ vncipher $out0,$out0,v30
-+ vxor $ivec,$ivec,v31 # xor with last round key
-+ vncipher $out1,$out1,v30
-+ vxor $in0,$in0,v31
-+ vncipher $out2,$out2,v30
-+ vxor $in1,$in1,v31
-+ vncipher $out3,$out3,v30
-+ vxor $in2,$in2,v31
-+ vncipher $out4,$out4,v30
-+ vxor $in3,$in3,v31
-+ vncipher $out5,$out5,v30
-+ vxor $in4,$in4,v31
-+ vncipher $out6,$out6,v30
-+ vxor $in5,$in5,v31
-+ vncipher $out7,$out7,v30
-+ vxor $in6,$in6,v31
-+
-+ vncipherlast $out0,$out0,$ivec
-+ vncipherlast $out1,$out1,$in0
-+ lvx_u $in0,$x00,$inp # load next input block
-+ vncipherlast $out2,$out2,$in1
-+ lvx_u $in1,$x10,$inp
-+ vncipherlast $out3,$out3,$in2
-+ le?vperm $in0,$in0,$in0,$inpperm
-+ lvx_u $in2,$x20,$inp
-+ vncipherlast $out4,$out4,$in3
-+ le?vperm $in1,$in1,$in1,$inpperm
-+ lvx_u $in3,$x30,$inp
-+ vncipherlast $out5,$out5,$in4
-+ le?vperm $in2,$in2,$in2,$inpperm
-+ lvx_u $in4,$x40,$inp
-+ vncipherlast $out6,$out6,$in5
-+ le?vperm $in3,$in3,$in3,$inpperm
-+ lvx_u $in5,$x50,$inp
-+ vncipherlast $out7,$out7,$in6
-+ le?vperm $in4,$in4,$in4,$inpperm
-+ lvx_u $in6,$x60,$inp
-+ vmr $ivec,$in7
-+ le?vperm $in5,$in5,$in5,$inpperm
-+ lvx_u $in7,$x70,$inp
-+ addi $inp,$inp,0x80
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ le?vperm $in6,$in6,$in6,$inpperm
-+ vxor $out0,$in0,$rndkey0
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x10,$out
-+ le?vperm $in7,$in7,$in7,$inpperm
-+ vxor $out1,$in1,$rndkey0
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x20,$out
-+ vxor $out2,$in2,$rndkey0
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x30,$out
-+ vxor $out3,$in3,$rndkey0
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x40,$out
-+ vxor $out4,$in4,$rndkey0
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x50,$out
-+ vxor $out5,$in5,$rndkey0
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x60,$out
-+ vxor $out6,$in6,$rndkey0
-+ stvx_u $out7,$x70,$out
-+ addi $out,$out,0x80
-+ vxor $out7,$in7,$rndkey0
-+
-+ mtctr $rounds
-+ beq Loop_cbc_dec8x # did $len-=128 borrow?
-+
-+ addic. $len,$len,128
-+ beq Lcbc_dec8x_done
-+ nop
-+ nop
-+
-+Loop_cbc_dec8x_tail: # up to 7 "words" tail...
-+ vncipher $out1,$out1,v24
-+ vncipher $out2,$out2,v24
-+ vncipher $out3,$out3,v24
-+ vncipher $out4,$out4,v24
-+ vncipher $out5,$out5,v24
-+ vncipher $out6,$out6,v24
-+ vncipher $out7,$out7,v24
-+ lvx v24,$x20,$key_ # round[3]
-+ addi $key_,$key_,0x20
-+
-+ vncipher $out1,$out1,v25
-+ vncipher $out2,$out2,v25
-+ vncipher $out3,$out3,v25
-+ vncipher $out4,$out4,v25
-+ vncipher $out5,$out5,v25
-+ vncipher $out6,$out6,v25
-+ vncipher $out7,$out7,v25
-+ lvx v25,$x10,$key_ # round[4]
-+ bdnz Loop_cbc_dec8x_tail
-+
-+ vncipher $out1,$out1,v24
-+ vncipher $out2,$out2,v24
-+ vncipher $out3,$out3,v24
-+ vncipher $out4,$out4,v24
-+ vncipher $out5,$out5,v24
-+ vncipher $out6,$out6,v24
-+ vncipher $out7,$out7,v24
-+
-+ vncipher $out1,$out1,v25
-+ vncipher $out2,$out2,v25
-+ vncipher $out3,$out3,v25
-+ vncipher $out4,$out4,v25
-+ vncipher $out5,$out5,v25
-+ vncipher $out6,$out6,v25
-+ vncipher $out7,$out7,v25
-+
-+ vncipher $out1,$out1,v26
-+ vncipher $out2,$out2,v26
-+ vncipher $out3,$out3,v26
-+ vncipher $out4,$out4,v26
-+ vncipher $out5,$out5,v26
-+ vncipher $out6,$out6,v26
-+ vncipher $out7,$out7,v26
-+
-+ vncipher $out1,$out1,v27
-+ vncipher $out2,$out2,v27
-+ vncipher $out3,$out3,v27
-+ vncipher $out4,$out4,v27
-+ vncipher $out5,$out5,v27
-+ vncipher $out6,$out6,v27
-+ vncipher $out7,$out7,v27
-+
-+ vncipher $out1,$out1,v28
-+ vncipher $out2,$out2,v28
-+ vncipher $out3,$out3,v28
-+ vncipher $out4,$out4,v28
-+ vncipher $out5,$out5,v28
-+ vncipher $out6,$out6,v28
-+ vncipher $out7,$out7,v28
-+
-+ vncipher $out1,$out1,v29
-+ vncipher $out2,$out2,v29
-+ vncipher $out3,$out3,v29
-+ vncipher $out4,$out4,v29
-+ vncipher $out5,$out5,v29
-+ vncipher $out6,$out6,v29
-+ vncipher $out7,$out7,v29
-+
-+ vncipher $out1,$out1,v30
-+ vxor $ivec,$ivec,v31 # last round key
-+ vncipher $out2,$out2,v30
-+ vxor $in1,$in1,v31
-+ vncipher $out3,$out3,v30
-+ vxor $in2,$in2,v31
-+ vncipher $out4,$out4,v30
-+ vxor $in3,$in3,v31
-+ vncipher $out5,$out5,v30
-+ vxor $in4,$in4,v31
-+ vncipher $out6,$out6,v30
-+ vxor $in5,$in5,v31
-+ vncipher $out7,$out7,v30
-+ vxor $in6,$in6,v31
-+
-+ cmplwi $len,32 # switch($len)
-+ blt Lcbc_dec8x_one
-+ nop
-+ beq Lcbc_dec8x_two
-+ cmplwi $len,64
-+ blt Lcbc_dec8x_three
-+ nop
-+ beq Lcbc_dec8x_four
-+ cmplwi $len,96
-+ blt Lcbc_dec8x_five
-+ nop
-+ beq Lcbc_dec8x_six
-+
-+Lcbc_dec8x_seven:
-+ vncipherlast $out1,$out1,$ivec
-+ vncipherlast $out2,$out2,$in1
-+ vncipherlast $out3,$out3,$in2
-+ vncipherlast $out4,$out4,$in3
-+ vncipherlast $out5,$out5,$in4
-+ vncipherlast $out6,$out6,$in5
-+ vncipherlast $out7,$out7,$in6
-+ vmr $ivec,$in7
-+
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x00,$out
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x10,$out
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x20,$out
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x30,$out
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x40,$out
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x50,$out
-+ stvx_u $out7,$x60,$out
-+ addi $out,$out,0x70
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lcbc_dec8x_six:
-+ vncipherlast $out2,$out2,$ivec
-+ vncipherlast $out3,$out3,$in2
-+ vncipherlast $out4,$out4,$in3
-+ vncipherlast $out5,$out5,$in4
-+ vncipherlast $out6,$out6,$in5
-+ vncipherlast $out7,$out7,$in6
-+ vmr $ivec,$in7
-+
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x00,$out
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x10,$out
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x20,$out
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x30,$out
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x40,$out
-+ stvx_u $out7,$x50,$out
-+ addi $out,$out,0x60
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lcbc_dec8x_five:
-+ vncipherlast $out3,$out3,$ivec
-+ vncipherlast $out4,$out4,$in3
-+ vncipherlast $out5,$out5,$in4
-+ vncipherlast $out6,$out6,$in5
-+ vncipherlast $out7,$out7,$in6
-+ vmr $ivec,$in7
-+
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x00,$out
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x10,$out
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x20,$out
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x30,$out
-+ stvx_u $out7,$x40,$out
-+ addi $out,$out,0x50
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lcbc_dec8x_four:
-+ vncipherlast $out4,$out4,$ivec
-+ vncipherlast $out5,$out5,$in4
-+ vncipherlast $out6,$out6,$in5
-+ vncipherlast $out7,$out7,$in6
-+ vmr $ivec,$in7
-+
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x00,$out
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x10,$out
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x20,$out
-+ stvx_u $out7,$x30,$out
-+ addi $out,$out,0x40
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lcbc_dec8x_three:
-+ vncipherlast $out5,$out5,$ivec
-+ vncipherlast $out6,$out6,$in5
-+ vncipherlast $out7,$out7,$in6
-+ vmr $ivec,$in7
-+
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x00,$out
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x10,$out
-+ stvx_u $out7,$x20,$out
-+ addi $out,$out,0x30
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lcbc_dec8x_two:
-+ vncipherlast $out6,$out6,$ivec
-+ vncipherlast $out7,$out7,$in6
-+ vmr $ivec,$in7
-+
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x00,$out
-+ stvx_u $out7,$x10,$out
-+ addi $out,$out,0x20
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lcbc_dec8x_one:
-+ vncipherlast $out7,$out7,$ivec
-+ vmr $ivec,$in7
-+
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out7,0,$out
-+ addi $out,$out,0x10
-+
-+Lcbc_dec8x_done:
-+ le?vperm $ivec,$ivec,$ivec,$inpperm
-+ stvx_u $ivec,0,$ivp # write [unaligned] iv
-+
-+ li r10,`$FRAME+15`
-+ li r11,`$FRAME+31`
-+ stvx $inpperm,r10,$sp # wipe copies of round keys
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+ stvx $inpperm,r10,$sp
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+ stvx $inpperm,r10,$sp
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+ stvx $inpperm,r10,$sp
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+
-+ mtspr 256,$vrsave
-+ lvx v20,r10,$sp # ABI says so
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+ $POP r26,`$FRAME+21*16+0*$SIZE_T`($sp)
-+ $POP r27,`$FRAME+21*16+1*$SIZE_T`($sp)
-+ $POP r28,`$FRAME+21*16+2*$SIZE_T`($sp)
-+ $POP r29,`$FRAME+21*16+3*$SIZE_T`($sp)
-+ $POP r30,`$FRAME+21*16+4*$SIZE_T`($sp)
-+ $POP r31,`$FRAME+21*16+5*$SIZE_T`($sp)
-+ addi $sp,$sp,`$FRAME+21*16+6*$SIZE_T`
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0x80,6,6,0
-+ .long 0
-+.size .${prefix}_cbc_encrypt,.-.${prefix}_cbc_encrypt
-+___
-+}} }}}
-+
-+#########################################################################
-+{{{ # CTR procedure[s] #
-+my ($inp,$out,$len,$key,$ivp,$x10,$rounds,$idx)=map("r$_",(3..10));
-+my ($rndkey0,$rndkey1,$inout,$tmp)= map("v$_",(0..3));
-+my ($ivec,$inptail,$inpperm,$outhead,$outperm,$outmask,$keyperm,$one)=
-+ map("v$_",(4..11));
-+my $dat=$tmp;
-+
-+$code.=<<___;
-+.globl .${prefix}_ctr32_encrypt_blocks
-+.align 5
-+.${prefix}_ctr32_encrypt_blocks:
-+ ${UCMP}i $len,1
-+ bltlr-
-+
-+ lis r0,0xfff0
-+ mfspr $vrsave,256
-+ mtspr 256,r0
-+
-+ li $idx,15
-+ vxor $rndkey0,$rndkey0,$rndkey0
-+ le?vspltisb $tmp,0x0f
-+
-+ lvx $ivec,0,$ivp # load [unaligned] iv
-+ lvsl $inpperm,0,$ivp
-+ lvx $inptail,$idx,$ivp
-+ vspltisb $one,1
-+ le?vxor $inpperm,$inpperm,$tmp
-+ vperm $ivec,$ivec,$inptail,$inpperm
-+ vsldoi $one,$rndkey0,$one,1
-+
-+ neg r11,$inp
-+ ?lvsl $keyperm,0,$key # prepare for unaligned key
-+ lwz $rounds,240($key)
-+
-+ lvsr $inpperm,0,r11 # prepare for unaligned load
-+ lvx $inptail,0,$inp
-+ addi $inp,$inp,15 # 15 is not typo
-+ le?vxor $inpperm,$inpperm,$tmp
-+
-+ srwi $rounds,$rounds,1
-+ li $idx,16
-+ subi $rounds,$rounds,1
-+
-+ ${UCMP}i $len,8
-+ bge _aesp8_ctr32_encrypt8x
-+
-+ ?lvsr $outperm,0,$out # prepare for unaligned store
-+ vspltisb $outmask,-1
-+ lvx $outhead,0,$out
-+ ?vperm $outmask,$rndkey0,$outmask,$outperm
-+ le?vxor $outperm,$outperm,$tmp
-+
-+ lvx $rndkey0,0,$key
-+ mtctr $rounds
-+ lvx $rndkey1,$idx,$key
-+ addi $idx,$idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vxor $inout,$ivec,$rndkey0
-+ lvx $rndkey0,$idx,$key
-+ addi $idx,$idx,16
-+ b Loop_ctr32_enc
-+
-+.align 5
-+Loop_ctr32_enc:
-+ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
-+ vcipher $inout,$inout,$rndkey1
-+ lvx $rndkey1,$idx,$key
-+ addi $idx,$idx,16
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vcipher $inout,$inout,$rndkey0
-+ lvx $rndkey0,$idx,$key
-+ addi $idx,$idx,16
-+ bdnz Loop_ctr32_enc
-+
-+ vadduwm $ivec,$ivec,$one
-+ vmr $dat,$inptail
-+ lvx $inptail,0,$inp
-+ addi $inp,$inp,16
-+ subic. $len,$len,1 # blocks--
-+
-+ ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm
-+ vcipher $inout,$inout,$rndkey1
-+ lvx $rndkey1,$idx,$key
-+ vperm $dat,$dat,$inptail,$inpperm
-+ li $idx,16
-+ ?vperm $rndkey1,$rndkey0,$rndkey1,$keyperm
-+ lvx $rndkey0,0,$key
-+ vxor $dat,$dat,$rndkey1 # last round key
-+ vcipherlast $inout,$inout,$dat
-+
-+ lvx $rndkey1,$idx,$key
-+ addi $idx,$idx,16
-+ vperm $inout,$inout,$inout,$outperm
-+ vsel $dat,$outhead,$inout,$outmask
-+ mtctr $rounds
-+ ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm
-+ vmr $outhead,$inout
-+ vxor $inout,$ivec,$rndkey0
-+ lvx $rndkey0,$idx,$key
-+ addi $idx,$idx,16
-+ stvx $dat,0,$out
-+ addi $out,$out,16
-+ bne Loop_ctr32_enc
-+
-+ addi $out,$out,-1
-+ lvx $inout,0,$out # redundant in aligned case
-+ vsel $inout,$outhead,$inout,$outmask
-+ stvx $inout,0,$out
-+
-+ mtspr 256,$vrsave
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,6,0
-+ .long 0
-+___
-+#########################################################################
-+{{ # Optimized CTR procedure #
-+my $key_="r11";
-+my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,8,26..31));
-+my ($in0, $in1, $in2, $in3, $in4, $in5, $in6, $in7 )=map("v$_",(0..3,10,12..14));
-+my ($out0,$out1,$out2,$out3,$out4,$out5,$out6,$out7)=map("v$_",(15..22));
-+my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys
-+ # v26-v31 last 6 round keys
-+my ($tmp,$keyperm)=($in3,$in4); # aliases with "caller", redundant assignment
-+my ($two,$three,$four)=($outhead,$outperm,$outmask);
-+
-+$code.=<<___;
-+.align 5
-+_aesp8_ctr32_encrypt8x:
-+ $STU $sp,-`($FRAME+21*16+6*$SIZE_T)`($sp)
-+ li r10,`$FRAME+8*16+15`
-+ li r11,`$FRAME+8*16+31`
-+ stvx v20,r10,$sp # ABI says so
-+ addi r10,r10,32
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ li r0,-1
-+ stw $vrsave,`$FRAME+21*16-4`($sp) # save vrsave
-+ li $x10,0x10
-+ $PUSH r26,`$FRAME+21*16+0*$SIZE_T`($sp)
-+ li $x20,0x20
-+ $PUSH r27,`$FRAME+21*16+1*$SIZE_T`($sp)
-+ li $x30,0x30
-+ $PUSH r28,`$FRAME+21*16+2*$SIZE_T`($sp)
-+ li $x40,0x40
-+ $PUSH r29,`$FRAME+21*16+3*$SIZE_T`($sp)
-+ li $x50,0x50
-+ $PUSH r30,`$FRAME+21*16+4*$SIZE_T`($sp)
-+ li $x60,0x60
-+ $PUSH r31,`$FRAME+21*16+5*$SIZE_T`($sp)
-+ li $x70,0x70
-+ mtspr 256,r0
-+
-+ subi $rounds,$rounds,3 # -4 in total
-+
-+ lvx $rndkey0,$x00,$key # load key schedule
-+ lvx v30,$x10,$key
-+ addi $key,$key,0x20
-+ lvx v31,$x00,$key
-+ ?vperm $rndkey0,$rndkey0,v30,$keyperm
-+ addi $key_,$sp,$FRAME+15
-+ mtctr $rounds
-+
-+Load_ctr32_enc_key:
-+ ?vperm v24,v30,v31,$keyperm
-+ lvx v30,$x10,$key
-+ addi $key,$key,0x20
-+ stvx v24,$x00,$key_ # off-load round[1]
-+ ?vperm v25,v31,v30,$keyperm
-+ lvx v31,$x00,$key
-+ stvx v25,$x10,$key_ # off-load round[2]
-+ addi $key_,$key_,0x20
-+ bdnz Load_ctr32_enc_key
-+
-+ lvx v26,$x10,$key
-+ ?vperm v24,v30,v31,$keyperm
-+ lvx v27,$x20,$key
-+ stvx v24,$x00,$key_ # off-load round[3]
-+ ?vperm v25,v31,v26,$keyperm
-+ lvx v28,$x30,$key
-+ stvx v25,$x10,$key_ # off-load round[4]
-+ addi $key_,$sp,$FRAME+15 # rewind $key_
-+ ?vperm v26,v26,v27,$keyperm
-+ lvx v29,$x40,$key
-+ ?vperm v27,v27,v28,$keyperm
-+ lvx v30,$x50,$key
-+ ?vperm v28,v28,v29,$keyperm
-+ lvx v31,$x60,$key
-+ ?vperm v29,v29,v30,$keyperm
-+ lvx $out0,$x70,$key # borrow $out0
-+ ?vperm v30,v30,v31,$keyperm
-+ lvx v24,$x00,$key_ # pre-load round[1]
-+ ?vperm v31,v31,$out0,$keyperm
-+ lvx v25,$x10,$key_ # pre-load round[2]
-+
-+ vadduwm $two,$one,$one
-+ subi $inp,$inp,15 # undo "caller"
-+ $SHL $len,$len,4
-+
-+ vadduwm $out1,$ivec,$one # counter values ...
-+ vadduwm $out2,$ivec,$two
-+ vxor $out0,$ivec,$rndkey0 # ... xored with rndkey[0]
-+ le?li $idx,8
-+ vadduwm $out3,$out1,$two
-+ vxor $out1,$out1,$rndkey0
-+ le?lvsl $inpperm,0,$idx
-+ vadduwm $out4,$out2,$two
-+ vxor $out2,$out2,$rndkey0
-+ le?vspltisb $tmp,0x0f
-+ vadduwm $out5,$out3,$two
-+ vxor $out3,$out3,$rndkey0
-+ le?vxor $inpperm,$inpperm,$tmp # transform for lvx_u/stvx_u
-+ vadduwm $out6,$out4,$two
-+ vxor $out4,$out4,$rndkey0
-+ vadduwm $out7,$out5,$two
-+ vxor $out5,$out5,$rndkey0
-+ vadduwm $ivec,$out6,$two # next counter value
-+ vxor $out6,$out6,$rndkey0
-+ vxor $out7,$out7,$rndkey0
-+
-+ mtctr $rounds
-+ b Loop_ctr32_enc8x
-+.align 5
-+Loop_ctr32_enc8x:
-+ vcipher $out0,$out0,v24
-+ vcipher $out1,$out1,v24
-+ vcipher $out2,$out2,v24
-+ vcipher $out3,$out3,v24
-+ vcipher $out4,$out4,v24
-+ vcipher $out5,$out5,v24
-+ vcipher $out6,$out6,v24
-+ vcipher $out7,$out7,v24
-+Loop_ctr32_enc8x_middle:
-+ lvx v24,$x20,$key_ # round[3]
-+ addi $key_,$key_,0x20
-+
-+ vcipher $out0,$out0,v25
-+ vcipher $out1,$out1,v25
-+ vcipher $out2,$out2,v25
-+ vcipher $out3,$out3,v25
-+ vcipher $out4,$out4,v25
-+ vcipher $out5,$out5,v25
-+ vcipher $out6,$out6,v25
-+ vcipher $out7,$out7,v25
-+ lvx v25,$x10,$key_ # round[4]
-+ bdnz Loop_ctr32_enc8x
-+
-+ subic r11,$len,256 # $len-256, borrow $key_
-+ vcipher $out0,$out0,v24
-+ vcipher $out1,$out1,v24
-+ vcipher $out2,$out2,v24
-+ vcipher $out3,$out3,v24
-+ vcipher $out4,$out4,v24
-+ vcipher $out5,$out5,v24
-+ vcipher $out6,$out6,v24
-+ vcipher $out7,$out7,v24
-+
-+ subfe r0,r0,r0 # borrow?-1:0
-+ vcipher $out0,$out0,v25
-+ vcipher $out1,$out1,v25
-+ vcipher $out2,$out2,v25
-+ vcipher $out3,$out3,v25
-+ vcipher $out4,$out4,v25
-+ vcipher $out5,$out5,v25
-+ vcipher $out6,$out6,v25
-+ vcipher $out7,$out7,v25
-+
-+ and r0,r0,r11
-+ addi $key_,$sp,$FRAME+15 # rewind $key_
-+ vcipher $out0,$out0,v26
-+ vcipher $out1,$out1,v26
-+ vcipher $out2,$out2,v26
-+ vcipher $out3,$out3,v26
-+ vcipher $out4,$out4,v26
-+ vcipher $out5,$out5,v26
-+ vcipher $out6,$out6,v26
-+ vcipher $out7,$out7,v26
-+ lvx v24,$x00,$key_ # re-pre-load round[1]
-+
-+ subic $len,$len,129 # $len-=129
-+ vcipher $out0,$out0,v27
-+ addi $len,$len,1 # $len-=128 really
-+ vcipher $out1,$out1,v27
-+ vcipher $out2,$out2,v27
-+ vcipher $out3,$out3,v27
-+ vcipher $out4,$out4,v27
-+ vcipher $out5,$out5,v27
-+ vcipher $out6,$out6,v27
-+ vcipher $out7,$out7,v27
-+ lvx v25,$x10,$key_ # re-pre-load round[2]
-+
-+ vcipher $out0,$out0,v28
-+ lvx_u $in0,$x00,$inp # load input
-+ vcipher $out1,$out1,v28
-+ lvx_u $in1,$x10,$inp
-+ vcipher $out2,$out2,v28
-+ lvx_u $in2,$x20,$inp
-+ vcipher $out3,$out3,v28
-+ lvx_u $in3,$x30,$inp
-+ vcipher $out4,$out4,v28
-+ lvx_u $in4,$x40,$inp
-+ vcipher $out5,$out5,v28
-+ lvx_u $in5,$x50,$inp
-+ vcipher $out6,$out6,v28
-+ lvx_u $in6,$x60,$inp
-+ vcipher $out7,$out7,v28
-+ lvx_u $in7,$x70,$inp
-+ addi $inp,$inp,0x80
-+
-+ vcipher $out0,$out0,v29
-+ le?vperm $in0,$in0,$in0,$inpperm
-+ vcipher $out1,$out1,v29
-+ le?vperm $in1,$in1,$in1,$inpperm
-+ vcipher $out2,$out2,v29
-+ le?vperm $in2,$in2,$in2,$inpperm
-+ vcipher $out3,$out3,v29
-+ le?vperm $in3,$in3,$in3,$inpperm
-+ vcipher $out4,$out4,v29
-+ le?vperm $in4,$in4,$in4,$inpperm
-+ vcipher $out5,$out5,v29
-+ le?vperm $in5,$in5,$in5,$inpperm
-+ vcipher $out6,$out6,v29
-+ le?vperm $in6,$in6,$in6,$inpperm
-+ vcipher $out7,$out7,v29
-+ le?vperm $in7,$in7,$in7,$inpperm
-+
-+ add $inp,$inp,r0 # $inp is adjusted in such
-+ # way that at exit from the
-+ # loop inX-in7 are loaded
-+ # with last "words"
-+ subfe. r0,r0,r0 # borrow?-1:0
-+ vcipher $out0,$out0,v30
-+ vxor $in0,$in0,v31 # xor with last round key
-+ vcipher $out1,$out1,v30
-+ vxor $in1,$in1,v31
-+ vcipher $out2,$out2,v30
-+ vxor $in2,$in2,v31
-+ vcipher $out3,$out3,v30
-+ vxor $in3,$in3,v31
-+ vcipher $out4,$out4,v30
-+ vxor $in4,$in4,v31
-+ vcipher $out5,$out5,v30
-+ vxor $in5,$in5,v31
-+ vcipher $out6,$out6,v30
-+ vxor $in6,$in6,v31
-+ vcipher $out7,$out7,v30
-+ vxor $in7,$in7,v31
-+
-+ bne Lctr32_enc8x_break # did $len-129 borrow?
-+
-+ vcipherlast $in0,$out0,$in0
-+ vcipherlast $in1,$out1,$in1
-+ vadduwm $out1,$ivec,$one # counter values ...
-+ vcipherlast $in2,$out2,$in2
-+ vadduwm $out2,$ivec,$two
-+ vxor $out0,$ivec,$rndkey0 # ... xored with rndkey[0]
-+ vcipherlast $in3,$out3,$in3
-+ vadduwm $out3,$out1,$two
-+ vxor $out1,$out1,$rndkey0
-+ vcipherlast $in4,$out4,$in4
-+ vadduwm $out4,$out2,$two
-+ vxor $out2,$out2,$rndkey0
-+ vcipherlast $in5,$out5,$in5
-+ vadduwm $out5,$out3,$two
-+ vxor $out3,$out3,$rndkey0
-+ vcipherlast $in6,$out6,$in6
-+ vadduwm $out6,$out4,$two
-+ vxor $out4,$out4,$rndkey0
-+ vcipherlast $in7,$out7,$in7
-+ vadduwm $out7,$out5,$two
-+ vxor $out5,$out5,$rndkey0
-+ le?vperm $in0,$in0,$in0,$inpperm
-+ vadduwm $ivec,$out6,$two # next counter value
-+ vxor $out6,$out6,$rndkey0
-+ le?vperm $in1,$in1,$in1,$inpperm
-+ vxor $out7,$out7,$rndkey0
-+ mtctr $rounds
-+
-+ vcipher $out0,$out0,v24
-+ stvx_u $in0,$x00,$out
-+ le?vperm $in2,$in2,$in2,$inpperm
-+ vcipher $out1,$out1,v24
-+ stvx_u $in1,$x10,$out
-+ le?vperm $in3,$in3,$in3,$inpperm
-+ vcipher $out2,$out2,v24
-+ stvx_u $in2,$x20,$out
-+ le?vperm $in4,$in4,$in4,$inpperm
-+ vcipher $out3,$out3,v24
-+ stvx_u $in3,$x30,$out
-+ le?vperm $in5,$in5,$in5,$inpperm
-+ vcipher $out4,$out4,v24
-+ stvx_u $in4,$x40,$out
-+ le?vperm $in6,$in6,$in6,$inpperm
-+ vcipher $out5,$out5,v24
-+ stvx_u $in5,$x50,$out
-+ le?vperm $in7,$in7,$in7,$inpperm
-+ vcipher $out6,$out6,v24
-+ stvx_u $in6,$x60,$out
-+ vcipher $out7,$out7,v24
-+ stvx_u $in7,$x70,$out
-+ addi $out,$out,0x80
-+
-+ b Loop_ctr32_enc8x_middle
-+
-+.align 5
-+Lctr32_enc8x_break:
-+ cmpwi $len,-0x60
-+ blt Lctr32_enc8x_one
-+ nop
-+ beq Lctr32_enc8x_two
-+ cmpwi $len,-0x40
-+ blt Lctr32_enc8x_three
-+ nop
-+ beq Lctr32_enc8x_four
-+ cmpwi $len,-0x20
-+ blt Lctr32_enc8x_five
-+ nop
-+ beq Lctr32_enc8x_six
-+ cmpwi $len,0x00
-+ blt Lctr32_enc8x_seven
-+
-+Lctr32_enc8x_eight:
-+ vcipherlast $out0,$out0,$in0
-+ vcipherlast $out1,$out1,$in1
-+ vcipherlast $out2,$out2,$in2
-+ vcipherlast $out3,$out3,$in3
-+ vcipherlast $out4,$out4,$in4
-+ vcipherlast $out5,$out5,$in5
-+ vcipherlast $out6,$out6,$in6
-+ vcipherlast $out7,$out7,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x10,$out
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x20,$out
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x30,$out
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x40,$out
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x50,$out
-+ le?vperm $out7,$out7,$out7,$inpperm
-+ stvx_u $out6,$x60,$out
-+ stvx_u $out7,$x70,$out
-+ addi $out,$out,0x80
-+ b Lctr32_enc8x_done
-+
-+.align 5
-+Lctr32_enc8x_seven:
-+ vcipherlast $out0,$out0,$in1
-+ vcipherlast $out1,$out1,$in2
-+ vcipherlast $out2,$out2,$in3
-+ vcipherlast $out3,$out3,$in4
-+ vcipherlast $out4,$out4,$in5
-+ vcipherlast $out5,$out5,$in6
-+ vcipherlast $out6,$out6,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x10,$out
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x20,$out
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x30,$out
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x40,$out
-+ le?vperm $out6,$out6,$out6,$inpperm
-+ stvx_u $out5,$x50,$out
-+ stvx_u $out6,$x60,$out
-+ addi $out,$out,0x70
-+ b Lctr32_enc8x_done
-+
-+.align 5
-+Lctr32_enc8x_six:
-+ vcipherlast $out0,$out0,$in2
-+ vcipherlast $out1,$out1,$in3
-+ vcipherlast $out2,$out2,$in4
-+ vcipherlast $out3,$out3,$in5
-+ vcipherlast $out4,$out4,$in6
-+ vcipherlast $out5,$out5,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x10,$out
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x20,$out
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x30,$out
-+ le?vperm $out5,$out5,$out5,$inpperm
-+ stvx_u $out4,$x40,$out
-+ stvx_u $out5,$x50,$out
-+ addi $out,$out,0x60
-+ b Lctr32_enc8x_done
-+
-+.align 5
-+Lctr32_enc8x_five:
-+ vcipherlast $out0,$out0,$in3
-+ vcipherlast $out1,$out1,$in4
-+ vcipherlast $out2,$out2,$in5
-+ vcipherlast $out3,$out3,$in6
-+ vcipherlast $out4,$out4,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x10,$out
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x20,$out
-+ le?vperm $out4,$out4,$out4,$inpperm
-+ stvx_u $out3,$x30,$out
-+ stvx_u $out4,$x40,$out
-+ addi $out,$out,0x50
-+ b Lctr32_enc8x_done
-+
-+.align 5
-+Lctr32_enc8x_four:
-+ vcipherlast $out0,$out0,$in4
-+ vcipherlast $out1,$out1,$in5
-+ vcipherlast $out2,$out2,$in6
-+ vcipherlast $out3,$out3,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x10,$out
-+ le?vperm $out3,$out3,$out3,$inpperm
-+ stvx_u $out2,$x20,$out
-+ stvx_u $out3,$x30,$out
-+ addi $out,$out,0x40
-+ b Lctr32_enc8x_done
-+
-+.align 5
-+Lctr32_enc8x_three:
-+ vcipherlast $out0,$out0,$in5
-+ vcipherlast $out1,$out1,$in6
-+ vcipherlast $out2,$out2,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ le?vperm $out2,$out2,$out2,$inpperm
-+ stvx_u $out1,$x10,$out
-+ stvx_u $out2,$x20,$out
-+ addi $out,$out,0x30
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lctr32_enc8x_two:
-+ vcipherlast $out0,$out0,$in6
-+ vcipherlast $out1,$out1,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ le?vperm $out1,$out1,$out1,$inpperm
-+ stvx_u $out0,$x00,$out
-+ stvx_u $out1,$x10,$out
-+ addi $out,$out,0x20
-+ b Lcbc_dec8x_done
-+
-+.align 5
-+Lctr32_enc8x_one:
-+ vcipherlast $out0,$out0,$in7
-+
-+ le?vperm $out0,$out0,$out0,$inpperm
-+ stvx_u $out0,0,$out
-+ addi $out,$out,0x10
-+
-+Lctr32_enc8x_done:
-+ li r10,`$FRAME+15`
-+ li r11,`$FRAME+31`
-+ stvx $inpperm,r10,$sp # wipe copies of round keys
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+ stvx $inpperm,r10,$sp
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+ stvx $inpperm,r10,$sp
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+ stvx $inpperm,r10,$sp
-+ addi r10,r10,32
-+ stvx $inpperm,r11,$sp
-+ addi r11,r11,32
-+
-+ mtspr 256,$vrsave
-+ lvx v20,r10,$sp # ABI says so
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+ $POP r26,`$FRAME+21*16+0*$SIZE_T`($sp)
-+ $POP r27,`$FRAME+21*16+1*$SIZE_T`($sp)
-+ $POP r28,`$FRAME+21*16+2*$SIZE_T`($sp)
-+ $POP r29,`$FRAME+21*16+3*$SIZE_T`($sp)
-+ $POP r30,`$FRAME+21*16+4*$SIZE_T`($sp)
-+ $POP r31,`$FRAME+21*16+5*$SIZE_T`($sp)
-+ addi $sp,$sp,`$FRAME+21*16+6*$SIZE_T`
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0x80,6,6,0
-+ .long 0
-+.size .${prefix}_ctr32_encrypt_blocks,.-.${prefix}_ctr32_encrypt_blocks
-+___
-+}} }}}
-+
-+my $consts=1;
-+foreach(split("\n",$code)) {
-+ s/\`([^\`]*)\`/eval($1)/geo;
-+
-+ # constants table endian-specific conversion
-+ if ($consts && m/\.(long|byte)\s+(.+)\s+(\?[a-z]*)$/o) {
-+ my $conv=$3;
-+ my @bytes=();
-+
-+ # convert to endian-agnostic format
-+ if ($1 eq "long") {
-+ foreach (split(/,\s*/,$2)) {
-+ my $l = /^0/?oct:int;
-+ push @bytes,($l>>24)&0xff,($l>>16)&0xff,($l>>8)&0xff,$l&0xff;
-+ }
-+ } else {
-+ @bytes = map(/^0/?oct:int,split(/,\s*/,$2));
-+ }
-+
-+ # little-endian conversion
-+ if ($flavour =~ /le$/o) {
-+ SWITCH: for($conv) {
-+ /\?inv/ && do { @bytes=map($_^0xf, at bytes); last; };
-+ /\?rev/ && do { @bytes=reverse(@bytes); last; };
-+ }
-+ }
-+
-+ #emit
-+ print ".byte\t",join(',',map (sprintf("0x%02x",$_), at bytes)),"\n";
-+ next;
-+ }
-+ $consts=0 if (m/Lconsts:/o); # end of table
-+
-+ # instructions prefixed with '?' are endian-specific and need
-+ # to be adjusted accordingly...
-+ if ($flavour =~ /le$/o) { # little-endian
-+ s/le\?//o or
-+ s/be\?/#be#/o or
-+ s/\?lvsr/lvsl/o or
-+ s/\?lvsl/lvsr/o or
-+ s/\?(vperm\s+v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+)/$1$3$2$4/o or
-+ s/\?(vsldoi\s+v[0-9]+,\s*)(v[0-9]+,)\s*(v[0-9]+,\s*)([0-9]+)/$1$3$2 16-$4/o or
-+ s/\?(vspltw\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9])/$1$2 3-$3/o;
-+ } else { # big-endian
-+ s/le\?/#le#/o or
-+ s/be\?//o or
-+ s/\?([a-z]+)/$1/o;
-+ }
-+
-+ print $_,"\n";
-+}
-+
-+close STDOUT;
-diff -up openssl-1.0.1i/crypto/aes/asm/vpaes-ppc.pl.ppc-asm openssl-1.0.1i/crypto/aes/asm/vpaes-ppc.pl
---- openssl-1.0.1i/crypto/aes/asm/vpaes-ppc.pl.ppc-asm 2014-08-13 19:46:21.093578128 +0200
-+++ openssl-1.0.1i/crypto/aes/asm/vpaes-ppc.pl 2014-08-13 19:46:21.093578128 +0200
-@@ -0,0 +1,1512 @@
-+#!/usr/bin/env perl
-+
-+######################################################################
-+## Constant-time SSSE3 AES core implementation.
-+## version 0.1
-+##
-+## By Mike Hamburg (Stanford University), 2009
-+## Public domain.
-+##
-+## For details see http://shiftleft.org/papers/vector_aes/ and
-+## http://crypto.stanford.edu/vpaes/.
-+
-+# CBC encrypt/decrypt performance in cycles per byte processed with
-+# 128-bit key.
-+#
-+# aes-ppc.pl this
-+# G4e 35.5/52.1/(23.8) 11.9(*)/15.4
-+# POWER6 42.7/54.3/(28.2) 63.0/92.8(**)
-+# POWER7 32.3/42.9/(18.4) 18.5/23.3
-+#
-+# (*) This is ~10% worse than reported in paper. The reason is
-+# twofold. This module doesn't make any assumption about
-+# key schedule (or data for that matter) alignment and handles
-+# it in-line. Secondly it, being transliterated from
-+# vpaes-x86_64.pl, relies on "nested inversion" better suited
-+# for Intel CPUs.
-+# (**) Inadequate POWER6 performance is due to astronomic AltiVec
-+# latency, 9 cycles per simple logical operation.
-+
-+$flavour = shift;
-+
-+if ($flavour =~ /64/) {
-+ $SIZE_T =8;
-+ $LRSAVE =2*$SIZE_T;
-+ $STU ="stdu";
-+ $POP ="ld";
-+ $PUSH ="std";
-+ $UCMP ="cmpld";
-+} elsif ($flavour =~ /32/) {
-+ $SIZE_T =4;
-+ $LRSAVE =$SIZE_T;
-+ $STU ="stwu";
-+ $POP ="lwz";
-+ $PUSH ="stw";
-+ $UCMP ="cmplw";
-+} else { die "nonsense $flavour"; }
-+
-+$sp="r1";
-+$FRAME=6*$SIZE_T+13*16; # 13*16 is for v20-v31 offload
-+
-+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
-+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-+die "can't locate ppc-xlate.pl";
-+
-+open STDOUT,"| $^X $xlate $flavour ".shift || die "can't call $xlate: $!";
-+
-+$code.=<<___;
-+.machine "any"
-+
-+.text
-+
-+.align 7 # totally strategic alignment
-+_vpaes_consts:
-+Lk_mc_forward: # mc_forward
-+ .long 0x01020300, 0x05060704, 0x090a0b08, 0x0d0e0f0c ?inv
-+ .long 0x05060704, 0x090a0b08, 0x0d0e0f0c, 0x01020300 ?inv
-+ .long 0x090a0b08, 0x0d0e0f0c, 0x01020300, 0x05060704 ?inv
-+ .long 0x0d0e0f0c, 0x01020300, 0x05060704, 0x090a0b08 ?inv
-+Lk_mc_backward: # mc_backward
-+ .long 0x03000102, 0x07040506, 0x0b08090a, 0x0f0c0d0e ?inv
-+ .long 0x0f0c0d0e, 0x03000102, 0x07040506, 0x0b08090a ?inv
-+ .long 0x0b08090a, 0x0f0c0d0e, 0x03000102, 0x07040506 ?inv
-+ .long 0x07040506, 0x0b08090a, 0x0f0c0d0e, 0x03000102 ?inv
-+Lk_sr: # sr
-+ .long 0x00010203, 0x04050607, 0x08090a0b, 0x0c0d0e0f ?inv
-+ .long 0x00050a0f, 0x04090e03, 0x080d0207, 0x0c01060b ?inv
-+ .long 0x0009020b, 0x040d060f, 0x08010a03, 0x0c050e07 ?inv
-+ .long 0x000d0a07, 0x04010e0b, 0x0805020f, 0x0c090603 ?inv
-+
-+##
-+## "Hot" constants
-+##
-+Lk_inv: # inv, inva
-+ .long 0xf001080d, 0x0f06050e, 0x020c0b0a, 0x09030704 ?rev
-+ .long 0xf0070b0f, 0x060a0401, 0x09080502, 0x0c0e0d03 ?rev
-+Lk_ipt: # input transform (lo, hi)
-+ .long 0x00702a5a, 0x98e8b2c2, 0x08782252, 0x90e0baca ?rev
-+ .long 0x004d7c31, 0x7d30014c, 0x81ccfdb0, 0xfcb180cd ?rev
-+Lk_sbo: # sbou, sbot
-+ .long 0x00c7bd6f, 0x176dd2d0, 0x78a802c5, 0x7abfaa15 ?rev
-+ .long 0x006abb5f, 0xa574e4cf, 0xfa352b41, 0xd1901e8e ?rev
-+Lk_sb1: # sb1u, sb1t
-+ .long 0x0023e2fa, 0x15d41836, 0xefd92e0d, 0xc1ccf73b ?rev
-+ .long 0x003e50cb, 0x8fe19bb1, 0x44f52a14, 0x6e7adfa5 ?rev
-+Lk_sb2: # sb2u, sb2t
-+ .long 0x0029e10a, 0x4088eb69, 0x4a2382ab, 0xc863a1c2 ?rev
-+ .long 0x0024710b, 0xc6937ae2, 0xcd2f98bc, 0x55e9b75e ?rev
-+
-+##
-+## Decryption stuff
-+##
-+Lk_dipt: # decryption input transform
-+ .long 0x005f540b, 0x045b500f, 0x1a454e11, 0x1e414a15 ?rev
-+ .long 0x00650560, 0xe683e386, 0x94f191f4, 0x72177712 ?rev
-+Lk_dsbo: # decryption sbox final output
-+ .long 0x0040f97e, 0x53ea8713, 0x2d3e94d4, 0xb96daac7 ?rev
-+ .long 0x001d4493, 0x0f56d712, 0x9c8ec5d8, 0x59814bca ?rev
-+Lk_dsb9: # decryption sbox output *9*u, *9*t
-+ .long 0x00d6869a, 0x53031c85, 0xc94c994f, 0x501fd5ca ?rev
-+ .long 0x0049d7ec, 0x89173bc0, 0x65a5fbb2, 0x9e2c5e72 ?rev
-+Lk_dsbd: # decryption sbox output *D*u, *D*t
-+ .long 0x00a2b1e6, 0xdfcc577d, 0x39442a88, 0x139b6ef5 ?rev
-+ .long 0x00cbc624, 0xf7fae23c, 0xd3efde15, 0x0d183129 ?rev
-+Lk_dsbb: # decryption sbox output *B*u, *B*t
-+ .long 0x0042b496, 0x926422d0, 0x04d4f2b0, 0xf6462660 ?rev
-+ .long 0x006759cd, 0xa69894c1, 0x6baa5532, 0x3e0cfff3 ?rev
-+Lk_dsbe: # decryption sbox output *E*u, *E*t
-+ .long 0x00d0d426, 0x9692f246, 0xb0f6b464, 0x04604222 ?rev
-+ .long 0x00c1aaff, 0xcda6550c, 0x323e5998, 0x6bf36794 ?rev
-+
-+##
-+## Key schedule constants
-+##
-+Lk_dksd: # decryption key schedule: invskew x*D
-+ .long 0x0047e4a3, 0x5d1ab9fe, 0xf9be1d5a, 0xa4e34007 ?rev
-+ .long 0x008336b5, 0xf477c241, 0x1e9d28ab, 0xea69dc5f ?rev
-+Lk_dksb: # decryption key schedule: invskew x*B
-+ .long 0x00d55085, 0x1fca4f9a, 0x994cc91c, 0x8653d603 ?rev
-+ .long 0x004afcb6, 0xa7ed5b11, 0xc882347e, 0x6f2593d9 ?rev
-+Lk_dkse: # decryption key schedule: invskew x*E + 0x63
-+ .long 0x00d6c91f, 0xca1c03d5, 0x86504f99, 0x4c9a8553 ?rev
-+ .long 0xe87bdc4f, 0x059631a2, 0x8714b320, 0x6af95ecd ?rev
-+Lk_dks9: # decryption key schedule: invskew x*9
-+ .long 0x00a7d97e, 0xc86f11b6, 0xfc5b2582, 0x3493ed4a ?rev
-+ .long 0x00331427, 0x62517645, 0xcefddae9, 0xac9fb88b ?rev
-+
-+Lk_rcon: # rcon
-+ .long 0xb6ee9daf, 0xb991831f, 0x817d7c4d, 0x08982a70 ?asis
-+Lk_s63:
-+ .long 0x5b5b5b5b, 0x5b5b5b5b, 0x5b5b5b5b, 0x5b5b5b5b ?asis
-+
-+Lk_opt: # output transform
-+ .long 0x0060b6d6, 0x29499fff, 0x0868bede, 0x214197f7 ?rev
-+ .long 0x00ecbc50, 0x51bded01, 0xe00c5cb0, 0xb15d0de1 ?rev
-+Lk_deskew: # deskew tables: inverts the sbox's "skew"
-+ .long 0x00e3a447, 0x40a3e407, 0x1af9be5d, 0x5ab9fe1d ?rev
-+ .long 0x0069ea83, 0xdcb5365f, 0x771e9df4, 0xabc24128 ?rev
-+.align 5
-+Lconsts:
-+ mflr r0
-+ bcl 20,31,\$+4
-+ mflr r12 #vvvvv "distance between . and _vpaes_consts
-+ addi r12,r12,-0x308
-+ mtlr r0
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+.asciz "Vector Permutation AES for AltiVec, Mike Hamburg (Stanford University)"
-+.align 6
-+___
-+
-+my ($inptail,$inpperm,$outhead,$outperm,$outmask,$keyperm) = map("v$_",(26..31));
-+{
-+my ($inp,$out,$key) = map("r$_",(3..5));
-+
-+my ($invlo,$invhi,$iptlo,$ipthi,$sbou,$sbot) = map("v$_",(10..15));
-+my ($sb1u,$sb1t,$sb2u,$sb2t) = map("v$_",(16..19));
-+my ($sb9u,$sb9t,$sbdu,$sbdt,$sbbu,$sbbt,$sbeu,$sbet)=map("v$_",(16..23));
-+
-+$code.=<<___;
-+##
-+## _aes_preheat
-+##
-+## Fills register %r10 -> .aes_consts (so you can -fPIC)
-+## and %xmm9-%xmm15 as specified below.
-+##
-+.align 4
-+_vpaes_encrypt_preheat:
-+ mflr r8
-+ bl Lconsts
-+ mtlr r8
-+ li r11, 0xc0 # Lk_inv
-+ li r10, 0xd0
-+ li r9, 0xe0 # Lk_ipt
-+ li r8, 0xf0
-+ vxor v7, v7, v7 # 0x00..00
-+ vspltisb v8,4 # 0x04..04
-+ vspltisb v9,0x0f # 0x0f..0f
-+ lvx $invlo, r12, r11
-+ li r11, 0x100
-+ lvx $invhi, r12, r10
-+ li r10, 0x110
-+ lvx $iptlo, r12, r9
-+ li r9, 0x120
-+ lvx $ipthi, r12, r8
-+ li r8, 0x130
-+ lvx $sbou, r12, r11
-+ li r11, 0x140
-+ lvx $sbot, r12, r10
-+ li r10, 0x150
-+ lvx $sb1u, r12, r9
-+ lvx $sb1t, r12, r8
-+ lvx $sb2u, r12, r11
-+ lvx $sb2t, r12, r10
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+##
-+## _aes_encrypt_core
-+##
-+## AES-encrypt %xmm0.
-+##
-+## Inputs:
-+## %xmm0 = input
-+## %xmm9-%xmm15 as in _vpaes_preheat
-+## (%rdx) = scheduled keys
-+##
-+## Output in %xmm0
-+## Clobbers %xmm1-%xmm6, %r9, %r10, %r11, %rax
-+##
-+##
-+.align 5
-+_vpaes_encrypt_core:
-+ lwz r8, 240($key) # pull rounds
-+ li r9, 16
-+ lvx v5, 0, $key # vmovdqu (%r9), %xmm5 # round0 key
-+ li r11, 0x10
-+ lvx v6, r9, $key
-+ addi r9, r9, 16
-+ ?vperm v5, v5, v6, $keyperm # align round key
-+ addi r10, r11, 0x40
-+ vsrb v1, v0, v8 # vpsrlb \$4, %xmm0, %xmm0
-+ vperm v0, $iptlo, $iptlo, v0 # vpshufb %xmm1, %xmm2, %xmm1
-+ vperm v1, $ipthi, $ipthi, v1 # vpshufb %xmm0, %xmm3, %xmm2
-+ vxor v0, v0, v5 # vpxor %xmm5, %xmm1, %xmm0
-+ vxor v0, v0, v1 # vpxor %xmm2, %xmm0, %xmm0
-+ mtctr r8
-+ b Lenc_entry
-+
-+.align 4
-+Lenc_loop:
-+ # middle of middle round
-+ vperm v4, $sb1t, v7, v2 # vpshufb %xmm2, %xmm13, %xmm4 # 4 = sb1u
-+ lvx v1, r12, r11 # vmovdqa -0x40(%r11,%r10), %xmm1 # .Lk_mc_forward[]
-+ addi r11, r11, 16
-+ vperm v0, $sb1u, v7, v3 # vpshufb %xmm3, %xmm12, %xmm0 # 0 = sb1t
-+ vxor v4, v4, v5 # vpxor %xmm5, %xmm4, %xmm4 # 4 = sb1u + k
-+ andi. r11, r11, 0x30 # and \$0x30, %r11 # ... mod 4
-+ vperm v5, $sb2t, v7, v2 # vpshufb %xmm2, %xmm15, %xmm5 # 4 = sb2u
-+ vxor v0, v0, v4 # vpxor %xmm4, %xmm0, %xmm0 # 0 = A
-+ vperm v2, $sb2u, v7, v3 # vpshufb %xmm3, %xmm14, %xmm2 # 2 = sb2t
-+ lvx v4, r12, r10 # vmovdqa (%r11,%r10), %xmm4 # .Lk_mc_backward[]
-+ addi r10, r11, 0x40
-+ vperm v3, v0, v7, v1 # vpshufb %xmm1, %xmm0, %xmm3 # 0 = B
-+ vxor v2, v2, v5 # vpxor %xmm5, %xmm2, %xmm2 # 2 = 2A
-+ vperm v0, v0, v7, v4 # vpshufb %xmm4, %xmm0, %xmm0 # 3 = D
-+ vxor v3, v3, v2 # vpxor %xmm2, %xmm3, %xmm3 # 0 = 2A+B
-+ vperm v4, v3, v7, v1 # vpshufb %xmm1, %xmm3, %xmm4 # 0 = 2B+C
-+ vxor v0, v0, v3 # vpxor %xmm3, %xmm0, %xmm0 # 3 = 2A+B+D
-+ vxor v0, v0, v4 # vpxor %xmm4, %xmm0, %xmm0 # 0 = 2A+3B+C+D
-+
-+Lenc_entry:
-+ # top of round
-+ vsrb v1, v0, v8 # vpsrlb \$4, %xmm0, %xmm0 # 1 = i
-+ vperm v5, $invhi, $invhi, v0 # vpshufb %xmm1, %xmm11, %xmm5 # 2 = a/k
-+ vxor v0, v0, v1 # vpxor %xmm0, %xmm1, %xmm1 # 0 = j
-+ vperm v3, $invlo, $invlo, v1 # vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i
-+ vperm v4, $invlo, $invlo, v0 # vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j
-+ vand v0, v0, v9
-+ vxor v3, v3, v5 # vpxor %xmm5, %xmm3, %xmm3 # 3 = iak = 1/i + a/k
-+ vxor v4, v4, v5 # vpxor %xmm5, %xmm4, %xmm4 # 4 = jak = 1/j + a/k
-+ vperm v2, $invlo, v7, v3 # vpshufb %xmm3, %xmm10, %xmm2 # 2 = 1/iak
-+ vmr v5, v6
-+ lvx v6, r9, $key # vmovdqu (%r9), %xmm5
-+ vperm v3, $invlo, v7, v4 # vpshufb %xmm4, %xmm10, %xmm3 # 3 = 1/jak
-+ addi r9, r9, 16
-+ vxor v2, v2, v0 # vpxor %xmm1, %xmm2, %xmm2 # 2 = io
-+ ?vperm v5, v5, v6, $keyperm # align round key
-+ vxor v3, v3, v1 # vpxor %xmm0, %xmm3, %xmm3 # 3 = jo
-+ bdnz Lenc_loop
-+
-+ # middle of last round
-+ addi r10, r11, 0x80
-+ # vmovdqa -0x60(%r10), %xmm4 # 3 : sbou .Lk_sbo
-+ # vmovdqa -0x50(%r10), %xmm0 # 0 : sbot .Lk_sbo+16
-+ vperm v4, $sbou, v7, v2 # vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbou
-+ lvx v1, r12, r10 # vmovdqa 0x40(%r11,%r10), %xmm1 # .Lk_sr[]
-+ vperm v0, $sbot, v7, v3 # vpshufb %xmm3, %xmm0, %xmm0 # 0 = sb1t
-+ vxor v4, v4, v5 # vpxor %xmm5, %xmm4, %xmm4 # 4 = sb1u + k
-+ vxor v0, v0, v4 # vpxor %xmm4, %xmm0, %xmm0 # 0 = A
-+ vperm v0, v0, v7, v1 # vpshufb %xmm1, %xmm0, %xmm0
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+.globl .vpaes_encrypt
-+.align 5
-+.vpaes_encrypt:
-+ $STU $sp,-$FRAME($sp)
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mflr r6
-+ mfspr r7, 256 # save vrsave
-+ stvx v20,r10,$sp
-+ addi r10,r10,32
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ stw r7,`$FRAME-4`($sp) # save vrsave
-+ li r0, -1
-+ $PUSH r6,`$FRAME+$LRSAVE`($sp)
-+ mtspr 256, r0 # preserve all AltiVec registers
-+
-+ bl _vpaes_encrypt_preheat
-+
-+ ?lvsl $inpperm, 0, $inp # prepare for unaligned access
-+ lvx v0, 0, $inp
-+ addi $inp, $inp, 15 # 15 is not a typo
-+ ?lvsr $outperm, 0, $out
-+ ?lvsl $keyperm, 0, $key # prepare for unaligned access
-+ vnor $outmask, v7, v7 # 0xff..ff
-+ lvx $inptail, 0, $inp # redundant in aligned case
-+ ?vperm $outmask, v7, $outmask, $outperm
-+ lvx $outhead, 0, $out
-+ ?vperm v0, v0, $inptail, $inpperm
-+
-+ bl _vpaes_encrypt_core
-+
-+ vperm v0, v0, v0, $outperm # rotate right/left
-+ vsel v1, $outhead, v0, $outmask
-+ vmr $outhead, v0
-+ stvx v1, 0, $out
-+ addi $out, $out, 15 # 15 is not a typo
-+ ########
-+
-+ lvx v1, 0, $out # redundant in aligned case
-+ vsel v1, $outhead, v1, $outmask
-+ stvx v1, 0, $out
-+
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mtlr r6
-+ mtspr 256, r7 # restore vrsave
-+ lvx v20,r10,$sp
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+ addi $sp,$sp,$FRAME
-+ blr
-+ .long 0
-+ .byte 0,12,0x04,1,0x80,0,3,0
-+ .long 0
-+.size .vpaes_encrypt,.-.vpaes_encrypt
-+
-+.align 4
-+_vpaes_decrypt_preheat:
-+ mflr r8
-+ bl Lconsts
-+ mtlr r8
-+ li r11, 0xc0 # Lk_inv
-+ li r10, 0xd0
-+ li r9, 0x160 # Ldipt
-+ li r8, 0x170
-+ vxor v7, v7, v7 # 0x00..00
-+ vspltisb v8,4 # 0x04..04
-+ vspltisb v9,0x0f # 0x0f..0f
-+ lvx $invlo, r12, r11
-+ li r11, 0x180
-+ lvx $invhi, r12, r10
-+ li r10, 0x190
-+ lvx $iptlo, r12, r9
-+ li r9, 0x1a0
-+ lvx $ipthi, r12, r8
-+ li r8, 0x1b0
-+ lvx $sbou, r12, r11
-+ li r11, 0x1c0
-+ lvx $sbot, r12, r10
-+ li r10, 0x1d0
-+ lvx $sb9u, r12, r9
-+ li r9, 0x1e0
-+ lvx $sb9t, r12, r8
-+ li r8, 0x1f0
-+ lvx $sbdu, r12, r11
-+ li r11, 0x200
-+ lvx $sbdt, r12, r10
-+ li r10, 0x210
-+ lvx $sbbu, r12, r9
-+ lvx $sbbt, r12, r8
-+ lvx $sbeu, r12, r11
-+ lvx $sbet, r12, r10
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+##
-+## Decryption core
-+##
-+## Same API as encryption core.
-+##
-+.align 4
-+_vpaes_decrypt_core:
-+ lwz r8, 240($key) # pull rounds
-+ li r9, 16
-+ lvx v5, 0, $key # vmovdqu (%r9), %xmm4 # round0 key
-+ li r11, 0x30
-+ lvx v6, r9, $key
-+ addi r9, r9, 16
-+ ?vperm v5, v5, v6, $keyperm # align round key
-+ vsrb v1, v0, v8 # vpsrlb \$4, %xmm0, %xmm0
-+ vperm v0, $iptlo, $iptlo, v0 # vpshufb %xmm1, %xmm2, %xmm2
-+ vperm v1, $ipthi, $ipthi, v1 # vpshufb %xmm0, %xmm1, %xmm0
-+ vxor v0, v0, v5 # vpxor %xmm4, %xmm2, %xmm2
-+ vxor v0, v0, v1 # vpxor %xmm2, %xmm0, %xmm0
-+ mtctr r8
-+ b Ldec_entry
-+
-+.align 4
-+Ldec_loop:
-+#
-+# Inverse mix columns
-+#
-+ lvx v0, r12, r11 # v5 and v0 are flipped
-+ # vmovdqa -0x20(%r10),%xmm4 # 4 : sb9u
-+ # vmovdqa -0x10(%r10),%xmm1 # 0 : sb9t
-+ vperm v4, $sb9u, v7, v2 # vpshufb %xmm2, %xmm4, %xmm4 # 4 = sb9u
-+ subi r11, r11, 16
-+ vperm v1, $sb9t, v7, v3 # vpshufb %xmm3, %xmm1, %xmm1 # 0 = sb9t
-+ andi. r11, r11, 0x30
-+ vxor v5, v5, v4 # vpxor %xmm4, %xmm0, %xmm0
-+ # vmovdqa 0x00(%r10),%xmm4 # 4 : sbdu
-+ vxor v5, v5, v1 # vpxor %xmm1, %xmm0, %xmm0 # 0 = ch
-+ # vmovdqa 0x10(%r10),%xmm1 # 0 : sbdt
-+
-+ vperm v4, $sbdu, v7, v2 # vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbdu
-+ vperm v5, v5, v7, v0 # vpshufb %xmm5, %xmm0, %xmm0 # MC ch
-+ vperm v1, $sbdt, v7, v3 # vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbdt
-+ vxor v5, v5, v4 # vpxor %xmm4, %xmm0, %xmm0 # 4 = ch
-+ # vmovdqa 0x20(%r10), %xmm4 # 4 : sbbu
-+ vxor v5, v5, v1 # vpxor %xmm1, %xmm0, %xmm0 # 0 = ch
-+ # vmovdqa 0x30(%r10), %xmm1 # 0 : sbbt
-+
-+ vperm v4, $sbbu, v7, v2 # vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbbu
-+ vperm v5, v5, v7, v0 # vpshufb %xmm5, %xmm0, %xmm0 # MC ch
-+ vperm v1, $sbbt, v7, v3 # vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbbt
-+ vxor v5, v5, v4 # vpxor %xmm4, %xmm0, %xmm0 # 4 = ch
-+ # vmovdqa 0x40(%r10), %xmm4 # 4 : sbeu
-+ vxor v5, v5, v1 # vpxor %xmm1, %xmm0, %xmm0 # 0 = ch
-+ # vmovdqa 0x50(%r10), %xmm1 # 0 : sbet
-+
-+ vperm v4, $sbeu, v7, v2 # vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbeu
-+ vperm v5, v5, v7, v0 # vpshufb %xmm5, %xmm0, %xmm0 # MC ch
-+ vperm v1, $sbet, v7, v3 # vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbet
-+ vxor v0, v5, v4 # vpxor %xmm4, %xmm0, %xmm0 # 4 = ch
-+ vxor v0, v0, v1 # vpxor %xmm1, %xmm0, %xmm0 # 0 = ch
-+
-+Ldec_entry:
-+ # top of round
-+ vsrb v1, v0, v8 # vpsrlb \$4, %xmm0, %xmm0 # 1 = i
-+ vperm v2, $invhi, $invhi, v0 # vpshufb %xmm1, %xmm11, %xmm2 # 2 = a/k
-+ vxor v0, v0, v1 # vpxor %xmm0, %xmm1, %xmm1 # 0 = j
-+ vperm v3, $invlo, $invlo, v1 # vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i
-+ vperm v4, $invlo, $invlo, v0 # vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j
-+ vand v0, v0, v9
-+ vxor v3, v3, v2 # vpxor %xmm2, %xmm3, %xmm3 # 3 = iak = 1/i + a/k
-+ vxor v4, v4, v2 # vpxor %xmm2, %xmm4, %xmm4 # 4 = jak = 1/j + a/k
-+ vperm v2, $invlo, v7, v3 # vpshufb %xmm3, %xmm10, %xmm2 # 2 = 1/iak
-+ vmr v5, v6
-+ lvx v6, r9, $key # vmovdqu (%r9), %xmm0
-+ vperm v3, $invlo, v7, v4 # vpshufb %xmm4, %xmm10, %xmm3 # 3 = 1/jak
-+ addi r9, r9, 16
-+ vxor v2, v2, v0 # vpxor %xmm1, %xmm2, %xmm2 # 2 = io
-+ ?vperm v5, v5, v6, $keyperm # align round key
-+ vxor v3, v3, v1 # vpxor %xmm0, %xmm3, %xmm3 # 3 = jo
-+ bdnz Ldec_loop
-+
-+ # middle of last round
-+ addi r10, r11, 0x80
-+ # vmovdqa 0x60(%r10), %xmm4 # 3 : sbou
-+ vperm v4, $sbou, v7, v2 # vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbou
-+ # vmovdqa 0x70(%r10), %xmm1 # 0 : sbot
-+ lvx v2, r12, r10 # vmovdqa -0x160(%r11), %xmm2 # .Lk_sr-.Lk_dsbd=-0x160
-+ vperm v1, $sbot, v7, v3 # vpshufb %xmm3, %xmm1, %xmm1 # 0 = sb1t
-+ vxor v4, v4, v5 # vpxor %xmm0, %xmm4, %xmm4 # 4 = sb1u + k
-+ vxor v0, v1, v4 # vpxor %xmm4, %xmm1, %xmm0 # 0 = A
-+ vperm v0, v0, v7, v2 # vpshufb %xmm2, %xmm0, %xmm0
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+.globl .vpaes_decrypt
-+.align 5
-+.vpaes_decrypt:
-+ $STU $sp,-$FRAME($sp)
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mflr r6
-+ mfspr r7, 256 # save vrsave
-+ stvx v20,r10,$sp
-+ addi r10,r10,32
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ stw r7,`$FRAME-4`($sp) # save vrsave
-+ li r0, -1
-+ $PUSH r6,`$FRAME+$LRSAVE`($sp)
-+ mtspr 256, r0 # preserve all AltiVec registers
-+
-+ bl _vpaes_decrypt_preheat
-+
-+ ?lvsl $inpperm, 0, $inp # prepare for unaligned access
-+ lvx v0, 0, $inp
-+ addi $inp, $inp, 15 # 15 is not a typo
-+ ?lvsr $outperm, 0, $out
-+ ?lvsl $keyperm, 0, $key
-+ vnor $outmask, v7, v7 # 0xff..ff
-+ lvx $inptail, 0, $inp # redundant in aligned case
-+ ?vperm $outmask, v7, $outmask, $outperm
-+ lvx $outhead, 0, $out
-+ ?vperm v0, v0, $inptail, $inpperm
-+
-+ bl _vpaes_decrypt_core
-+
-+ vperm v0, v0, v0, $outperm # rotate right/left
-+ vsel v1, $outhead, v0, $outmask
-+ vmr $outhead, v0
-+ stvx v1, 0, $out
-+ addi $out, $out, 15 # 15 is not a typo
-+ ########
-+
-+ lvx v1, 0, $out # redundant in aligned case
-+ vsel v1, $outhead, v1, $outmask
-+ stvx v1, 0, $out
-+
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mtlr r6
-+ mtspr 256, r7 # restore vrsave
-+ lvx v20,r10,$sp
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+ addi $sp,$sp,$FRAME
-+ blr
-+ .long 0
-+ .byte 0,12,0x04,1,0x80,0,3,0
-+ .long 0
-+.size .vpaes_decrypt,.-.vpaes_decrypt
-+
-+.globl .vpaes_cbc_encrypt
-+.align 5
-+.vpaes_cbc_encrypt:
-+ ${UCMP}i r5,16
-+ bltlr-
-+
-+ $STU $sp,-`($FRAME+2*$SIZE_T)`($sp)
-+ mflr r0
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mfspr r12, 256
-+ stvx v20,r10,$sp
-+ addi r10,r10,32
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ stw r12,`$FRAME-4`($sp) # save vrsave
-+ $PUSH r30,`$FRAME+$SIZE_T*0`($sp)
-+ $PUSH r31,`$FRAME+$SIZE_T*1`($sp)
-+ li r9, -16
-+ $PUSH r0, `$FRAME+$SIZE_T*2+$LRSAVE`($sp)
-+
-+ and r30, r5, r9 # copy length&-16
-+ mr r5, r6 # copy pointer to key
-+ mr r31, r7 # copy pointer to iv
-+ blt Lcbc_abort
-+ cmpwi r8, 0 # test direction
-+ li r6, -1
-+ mr r7, r12 # copy vrsave
-+ mtspr 256, r6 # preserve all AltiVec registers
-+
-+ lvx v24, 0, r31 # load [potentially unaligned] iv
-+ li r9, 15
-+ ?lvsl $inpperm, 0, r31
-+ lvx v25, r9, r31
-+ ?vperm v24, v24, v25, $inpperm
-+
-+ neg r8, $inp # prepare for unaligned access
-+ vxor v7, v7, v7
-+ ?lvsl $keyperm, 0, $key
-+ ?lvsr $outperm, 0, $out
-+ ?lvsr $inpperm, 0, r8 # -$inp
-+ vnor $outmask, v7, v7 # 0xff..ff
-+ lvx $inptail, 0, $inp
-+ ?vperm $outmask, v7, $outmask, $outperm
-+ addi $inp, $inp, 15 # 15 is not a typo
-+ lvx $outhead, 0, $out
-+
-+ beq Lcbc_decrypt
-+
-+ bl _vpaes_encrypt_preheat
-+ li r0, 16
-+
-+Lcbc_enc_loop:
-+ vmr v0, $inptail
-+ lvx $inptail, 0, $inp
-+ addi $inp, $inp, 16
-+ ?vperm v0, v0, $inptail, $inpperm
-+ vxor v0, v0, v24 # ^= iv
-+
-+ bl _vpaes_encrypt_core
-+
-+ vmr v24, v0 # put aside iv
-+ sub. r30, r30, r0 # len -= 16
-+ vperm v0, v0, v0, $outperm # rotate right/left
-+ vsel v1, $outhead, v0, $outmask
-+ vmr $outhead, v0
-+ stvx v1, 0, $out
-+ addi $out, $out, 16
-+ bne Lcbc_enc_loop
-+
-+ b Lcbc_done
-+
-+.align 5
-+Lcbc_decrypt:
-+ bl _vpaes_decrypt_preheat
-+ li r0, 16
-+
-+Lcbc_dec_loop:
-+ vmr v0, $inptail
-+ lvx $inptail, 0, $inp
-+ addi $inp, $inp, 16
-+ ?vperm v0, v0, $inptail, $inpperm
-+ vmr v25, v0 # put aside input
-+
-+ bl _vpaes_decrypt_core
-+
-+ vxor v0, v0, v24 # ^= iv
-+ vmr v24, v25
-+ sub. r30, r30, r0 # len -= 16
-+ vperm v0, v0, v0, $outperm # rotate right/left
-+ vsel v1, $outhead, v0, $outmask
-+ vmr $outhead, v0
-+ stvx v1, 0, $out
-+ addi $out, $out, 16
-+ bne Lcbc_dec_loop
-+
-+Lcbc_done:
-+ addi $out, $out, -1
-+ lvx v1, 0, $out # redundant in aligned case
-+ vsel v1, $outhead, v1, $outmask
-+ stvx v1, 0, $out
-+
-+ neg r8, r31 # write [potentially unaligned] iv
-+ ?lvsl $outperm, 0, r8
-+ li r6, 15
-+ vnor $outmask, v7, v7 # 0xff..ff
-+ ?vperm $outmask, v7, $outmask, $outperm
-+ lvx $outhead, 0, r31
-+ vperm v24, v24, v24, $outperm # rotate right/left
-+ vsel v0, $outhead, v24, $outmask
-+ lvx v1, r6, r31
-+ stvx v0, 0, r31
-+ vsel v1, v24, v1, $outmask
-+ stvx v1, r6, r31
-+
-+ mtspr 256, r7 # restore vrsave
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ lvx v20,r10,$sp
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+Lcbc_abort:
-+ $POP r0, `$FRAME+$SIZE_T*2+$LRSAVE`($sp)
-+ $POP r30,`$FRAME+$SIZE_T*0`($sp)
-+ $POP r31,`$FRAME+$SIZE_T*1`($sp)
-+ mtlr r0
-+ addi $sp,$sp,`$FRAME+$SIZE_T*2`
-+ blr
-+ .long 0
-+ .byte 0,12,0x04,1,0x80,2,6,0
-+ .long 0
-+.size .vpaes_cbc_encrypt,.-.vpaes_cbc_encrypt
-+___
-+}
-+{
-+my ($inp,$bits,$out)=map("r$_",(3..5));
-+my $dir="cr1";
-+my ($invlo,$invhi,$iptlo,$ipthi,$rcon) = map("v$_",(10..13,24));
-+
-+$code.=<<___;
-+########################################################
-+## ##
-+## AES key schedule ##
-+## ##
-+########################################################
-+.align 4
-+_vpaes_key_preheat:
-+ mflr r8
-+ bl Lconsts
-+ mtlr r8
-+ li r11, 0xc0 # Lk_inv
-+ li r10, 0xd0
-+ li r9, 0xe0 # L_ipt
-+ li r8, 0xf0
-+
-+ vspltisb v8,4 # 0x04..04
-+ vxor v9,v9,v9 # 0x00..00
-+ lvx $invlo, r12, r11 # Lk_inv
-+ li r11, 0x120
-+ lvx $invhi, r12, r10
-+ li r10, 0x130
-+ lvx $iptlo, r12, r9 # Lk_ipt
-+ li r9, 0x220
-+ lvx $ipthi, r12, r8
-+ li r8, 0x230
-+
-+ lvx v14, r12, r11 # Lk_sb1
-+ li r11, 0x240
-+ lvx v15, r12, r10
-+ li r10, 0x250
-+
-+ lvx v16, r12, r9 # Lk_dksd
-+ li r9, 0x260
-+ lvx v17, r12, r8
-+ li r8, 0x270
-+ lvx v18, r12, r11 # Lk_dksb
-+ li r11, 0x280
-+ lvx v19, r12, r10
-+ li r10, 0x290
-+ lvx v20, r12, r9 # Lk_dkse
-+ li r9, 0x2a0
-+ lvx v21, r12, r8
-+ li r8, 0x2b0
-+ lvx v22, r12, r11 # Lk_dks9
-+ lvx v23, r12, r10
-+
-+ lvx v24, r12, r9 # Lk_rcon
-+ lvx v25, 0, r12 # Lk_mc_forward[0]
-+ lvx v26, r12, r8 # Lks63
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+.align 4
-+_vpaes_schedule_core:
-+ mflr r7
-+
-+ bl _vpaes_key_preheat # load the tables
-+
-+ #lvx v0, 0, $inp # vmovdqu (%rdi), %xmm0 # load key (unaligned)
-+ neg r8, $inp # prepare for unaligned access
-+ lvx v0, 0, $inp
-+ addi $inp, $inp, 15 # 15 is not typo
-+ ?lvsr $inpperm, 0, r8 # -$inp
-+ lvx v6, 0, $inp # v6 serves as inptail
-+ addi $inp, $inp, 8
-+ ?vperm v0, v0, v6, $inpperm
-+
-+ # input transform
-+ vmr v3, v0 # vmovdqa %xmm0, %xmm3
-+ bl _vpaes_schedule_transform
-+ vmr v7, v0 # vmovdqa %xmm0, %xmm7
-+
-+ bne $dir, Lschedule_am_decrypting
-+
-+ # encrypting, output zeroth round key after transform
-+ li r8, 0x30 # mov \$0x30,%r8d
-+ addi r10, r12, 0x80 # lea .Lk_sr(%rip),%r10
-+
-+ ?lvsr $outperm, 0, $out # prepare for unaligned access
-+ vnor $outmask, v9, v9 # 0xff..ff
-+ lvx $outhead, 0, $out
-+ ?vperm $outmask, v9, $outmask, $outperm
-+
-+ #stvx v0, 0, $out # vmovdqu %xmm0, (%rdx)
-+ vperm v1, v0, v0, $outperm # rotate right/left
-+ vsel v2, $outhead, v1, $outmask
-+ vmr $outhead, v1
-+ stvx v2, 0, $out
-+ b Lschedule_go
-+
-+Lschedule_am_decrypting:
-+ srwi r8, $bits, 1 # shr \$1,%r8d
-+ andi. r8, r8, 32 # and \$32,%r8d
-+ xori r8, r8, 32 # xor \$32,%r8d # nbits==192?0:32
-+ addi r10, r12, 0x80 # lea .Lk_sr(%rip),%r10
-+ # decrypting, output zeroth round key after shiftrows
-+ lvx v1, r8, r10 # vmovdqa (%r8,%r10), %xmm1
-+ vperm v4, v3, v3, v1 # vpshufb %xmm1, %xmm3, %xmm3
-+
-+ neg r0, $out # prepare for unaligned access
-+ ?lvsl $outperm, 0, r0
-+ addi $out, $out, 15 # 15 is not typo
-+ vnor $outmask, v9, v9 # 0xff..ff
-+ lvx $outhead, 0, $out
-+ ?vperm $outmask, $outmask, v9, $outperm
-+
-+ #stvx v4, 0, $out # vmovdqu %xmm3, (%rdx)
-+ vperm v4, v4, v4, $outperm # rotate right/left
-+ vsel v2, $outhead, v4, $outmask
-+ vmr $outhead, v4
-+ stvx v2, 0, $out
-+ xori r8, r8, 0x30 # xor \$0x30, %r8
-+
-+Lschedule_go:
-+ cmplwi $bits, 192 # cmp \$192, %esi
-+ bgt Lschedule_256
-+ beq Lschedule_192
-+ # 128: fall though
-+
-+##
-+## .schedule_128
-+##
-+## 128-bit specific part of key schedule.
-+##
-+## This schedule is really simple, because all its parts
-+## are accomplished by the subroutines.
-+##
-+Lschedule_128:
-+ li r0, 10 # mov \$10, %esi
-+ mtctr r0
-+
-+Loop_schedule_128:
-+ bl _vpaes_schedule_round
-+ bdz Lschedule_mangle_last # dec %esi
-+ bl _vpaes_schedule_mangle # write output
-+ b Loop_schedule_128
-+
-+##
-+## .aes_schedule_192
-+##
-+## 192-bit specific part of key schedule.
-+##
-+## The main body of this schedule is the same as the 128-bit
-+## schedule, but with more smearing. The long, high side is
-+## stored in %xmm7 as before, and the short, low side is in
-+## the high bits of %xmm6.
-+##
-+## This schedule is somewhat nastier, however, because each
-+## round produces 192 bits of key material, or 1.5 round keys.
-+## Therefore, on each cycle we do 2 rounds and produce 3 round
-+## keys.
-+##
-+.align 4
-+Lschedule_192:
-+ li r0, 4 # mov \$4, %esi
-+ lvx v0, 0, $inp
-+ ?vperm v0, v6, v0, $inpperm
-+ ?vsldoi v0, v3, v0, 8 # vmovdqu 8(%rdi),%xmm0 # load key part 2 (very unaligned)
-+ bl _vpaes_schedule_transform # input transform
-+ ?vsldoi v6, v0, v9, 8
-+ ?vsldoi v6, v9, v6, 8 # clobber "low" side with zeros
-+ mtctr r0
-+
-+Loop_schedule_192:
-+ bl _vpaes_schedule_round
-+ ?vsldoi v0, v6, v0, 8 # vpalignr \$8,%xmm6,%xmm0,%xmm0
-+ bl _vpaes_schedule_mangle # save key n
-+ bl _vpaes_schedule_192_smear
-+ bl _vpaes_schedule_mangle # save key n+1
-+ bl _vpaes_schedule_round
-+ bdz Lschedule_mangle_last # dec %esi
-+ bl _vpaes_schedule_mangle # save key n+2
-+ bl _vpaes_schedule_192_smear
-+ b Loop_schedule_192
-+
-+##
-+## .aes_schedule_256
-+##
-+## 256-bit specific part of key schedule.
-+##
-+## The structure here is very similar to the 128-bit
-+## schedule, but with an additional "low side" in
-+## %xmm6. The low side's rounds are the same as the
-+## high side's, except no rcon and no rotation.
-+##
-+.align 4
-+Lschedule_256:
-+ li r0, 7 # mov \$7, %esi
-+ addi $inp, $inp, 8
-+ lvx v0, 0, $inp # vmovdqu 16(%rdi),%xmm0 # load key part 2 (unaligned)
-+ ?vperm v0, v6, v0, $inpperm
-+ bl _vpaes_schedule_transform # input transform
-+ mtctr r0
-+
-+Loop_schedule_256:
-+ bl _vpaes_schedule_mangle # output low result
-+ vmr v6, v0 # vmovdqa %xmm0, %xmm6 # save cur_lo in xmm6
-+
-+ # high round
-+ bl _vpaes_schedule_round
-+ bdz Lschedule_mangle_last # dec %esi
-+ bl _vpaes_schedule_mangle
-+
-+ # low round. swap xmm7 and xmm6
-+ ?vspltw v0, v0, 3 # vpshufd \$0xFF, %xmm0, %xmm0
-+ vmr v5, v7 # vmovdqa %xmm7, %xmm5
-+ vmr v7, v6 # vmovdqa %xmm6, %xmm7
-+ bl _vpaes_schedule_low_round
-+ vmr v7, v5 # vmovdqa %xmm5, %xmm7
-+
-+ b Loop_schedule_256
-+##
-+## .aes_schedule_mangle_last
-+##
-+## Mangler for last round of key schedule
-+## Mangles %xmm0
-+## when encrypting, outputs out(%xmm0) ^ 63
-+## when decrypting, outputs unskew(%xmm0)
-+##
-+## Always called right before return... jumps to cleanup and exits
-+##
-+.align 4
-+Lschedule_mangle_last:
-+ # schedule last round key from xmm0
-+ li r11, 0x2e0 # lea .Lk_deskew(%rip),%r11
-+ li r9, 0x2f0
-+ bne $dir, Lschedule_mangle_last_dec
-+
-+ # encrypting
-+ lvx v1, r8, r10 # vmovdqa (%r8,%r10),%xmm1
-+ li r11, 0x2c0 # lea .Lk_opt(%rip), %r11 # prepare to output transform
-+ li r9, 0x2d0 # prepare to output transform
-+ vperm v0, v0, v0, v1 # vpshufb %xmm1, %xmm0, %xmm0 # output permute
-+
-+ lvx $iptlo, r11, r12 # reload $ipt
-+ lvx $ipthi, r9, r12
-+ addi $out, $out, 16 # add \$16, %rdx
-+ vxor v0, v0, v26 # vpxor .Lk_s63(%rip), %xmm0, %xmm0
-+ bl _vpaes_schedule_transform # output transform
-+
-+ #stvx v0, r0, $out # vmovdqu %xmm0, (%rdx) # save last key
-+ vperm v0, v0, v0, $outperm # rotate right/left
-+ vsel v2, $outhead, v0, $outmask
-+ vmr $outhead, v0
-+ stvx v2, 0, $out
-+
-+ addi $out, $out, 15 # 15 is not typo
-+ lvx v1, 0, $out # redundant in aligned case
-+ vsel v1, $outhead, v1, $outmask
-+ stvx v1, 0, $out
-+ b Lschedule_mangle_done
-+
-+.align 4
-+Lschedule_mangle_last_dec:
-+ lvx $iptlo, r11, r12 # reload $ipt
-+ lvx $ipthi, r9, r12
-+ addi $out, $out, -16 # add \$-16, %rdx
-+ vxor v0, v0, v26 # vpxor .Lk_s63(%rip), %xmm0, %xmm0
-+ bl _vpaes_schedule_transform # output transform
-+
-+ #stvx v0, r0, $out # vmovdqu %xmm0, (%rdx) # save last key
-+ vperm v0, v0, v0, $outperm # rotate right/left
-+ vsel v2, $outhead, v0, $outmask
-+ vmr $outhead, v0
-+ stvx v2, 0, $out
-+
-+ addi $out, $out, -15 # -15 is not typo
-+ lvx v1, 0, $out # redundant in aligned case
-+ vsel v1, $outhead, v1, $outmask
-+ stvx v1, 0, $out
-+
-+Lschedule_mangle_done:
-+ mtlr r7
-+ # cleanup
-+ vxor v0, v0, v0 # vpxor %xmm0, %xmm0, %xmm0
-+ vxor v1, v1, v1 # vpxor %xmm1, %xmm1, %xmm1
-+ vxor v2, v2, v2 # vpxor %xmm2, %xmm2, %xmm2
-+ vxor v3, v3, v3 # vpxor %xmm3, %xmm3, %xmm3
-+ vxor v4, v4, v4 # vpxor %xmm4, %xmm4, %xmm4
-+ vxor v5, v5, v5 # vpxor %xmm5, %xmm5, %xmm5
-+ vxor v6, v6, v6 # vpxor %xmm6, %xmm6, %xmm6
-+ vxor v7, v7, v7 # vpxor %xmm7, %xmm7, %xmm7
-+
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+##
-+## .aes_schedule_192_smear
-+##
-+## Smear the short, low side in the 192-bit key schedule.
-+##
-+## Inputs:
-+## %xmm7: high side, b a x y
-+## %xmm6: low side, d c 0 0
-+## %xmm13: 0
-+##
-+## Outputs:
-+## %xmm6: b+c+d b+c 0 0
-+## %xmm0: b+c+d b+c b a
-+##
-+.align 4
-+_vpaes_schedule_192_smear:
-+ ?vspltw v0, v7, 3
-+ ?vsldoi v1, v9, v6, 12 # vpshufd \$0x80, %xmm6, %xmm1 # d c 0 0 -> c 0 0 0
-+ ?vsldoi v0, v7, v0, 8 # vpshufd \$0xFE, %xmm7, %xmm0 # b a _ _ -> b b b a
-+ vxor v6, v6, v1 # vpxor %xmm1, %xmm6, %xmm6 # -> c+d c 0 0
-+ vxor v6, v6, v0 # vpxor %xmm0, %xmm6, %xmm6 # -> b+c+d b+c b a
-+ vmr v0, v6
-+ ?vsldoi v6, v6, v9, 8
-+ ?vsldoi v6, v9, v6, 8 # clobber low side with zeros
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+##
-+## .aes_schedule_round
-+##
-+## Runs one main round of the key schedule on %xmm0, %xmm7
-+##
-+## Specifically, runs subbytes on the high dword of %xmm0
-+## then rotates it by one byte and xors into the low dword of
-+## %xmm7.
-+##
-+## Adds rcon from low byte of %xmm8, then rotates %xmm8 for
-+## next rcon.
-+##
-+## Smears the dwords of %xmm7 by xoring the low into the
-+## second low, result into third, result into highest.
-+##
-+## Returns results in %xmm7 = %xmm0.
-+## Clobbers %xmm1-%xmm4, %r11.
-+##
-+.align 4
-+_vpaes_schedule_round:
-+ # extract rcon from xmm8
-+ #vxor v4, v4, v4 # vpxor %xmm4, %xmm4, %xmm4
-+ ?vsldoi v1, $rcon, v9, 15 # vpalignr \$15, %xmm8, %xmm4, %xmm1
-+ ?vsldoi $rcon, $rcon, $rcon, 15 # vpalignr \$15, %xmm8, %xmm8, %xmm8
-+ vxor v7, v7, v1 # vpxor %xmm1, %xmm7, %xmm7
-+
-+ # rotate
-+ ?vspltw v0, v0, 3 # vpshufd \$0xFF, %xmm0, %xmm0
-+ ?vsldoi v0, v0, v0, 1 # vpalignr \$1, %xmm0, %xmm0, %xmm0
-+
-+ # fall through...
-+
-+ # low round: same as high round, but no rotation and no rcon.
-+_vpaes_schedule_low_round:
-+ # smear xmm7
-+ ?vsldoi v1, v9, v7, 12 # vpslldq \$4, %xmm7, %xmm1
-+ vxor v7, v7, v1 # vpxor %xmm1, %xmm7, %xmm7
-+ vspltisb v1, 0x0f # 0x0f..0f
-+ ?vsldoi v4, v9, v7, 8 # vpslldq \$8, %xmm7, %xmm4
-+
-+ # subbytes
-+ vand v1, v1, v0 # vpand %xmm9, %xmm0, %xmm1 # 0 = k
-+ vsrb v0, v0, v8 # vpsrlb \$4, %xmm0, %xmm0 # 1 = i
-+ vxor v7, v7, v4 # vpxor %xmm4, %xmm7, %xmm7
-+ vperm v2, $invhi, v9, v1 # vpshufb %xmm1, %xmm11, %xmm2 # 2 = a/k
-+ vxor v1, v1, v0 # vpxor %xmm0, %xmm1, %xmm1 # 0 = j
-+ vperm v3, $invlo, v9, v0 # vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i
-+ vxor v3, v3, v2 # vpxor %xmm2, %xmm3, %xmm3 # 3 = iak = 1/i + a/k
-+ vperm v4, $invlo, v9, v1 # vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j
-+ vxor v7, v7, v26 # vpxor .Lk_s63(%rip), %xmm7, %xmm7
-+ vperm v3, $invlo, v9, v3 # vpshufb %xmm3, %xmm10, %xmm3 # 2 = 1/iak
-+ vxor v4, v4, v2 # vpxor %xmm2, %xmm4, %xmm4 # 4 = jak = 1/j + a/k
-+ vperm v2, $invlo, v9, v4 # vpshufb %xmm4, %xmm10, %xmm2 # 3 = 1/jak
-+ vxor v3, v3, v1 # vpxor %xmm1, %xmm3, %xmm3 # 2 = io
-+ vxor v2, v2, v0 # vpxor %xmm0, %xmm2, %xmm2 # 3 = jo
-+ vperm v4, v15, v9, v3 # vpshufb %xmm3, %xmm13, %xmm4 # 4 = sbou
-+ vperm v1, v14, v9, v2 # vpshufb %xmm2, %xmm12, %xmm1 # 0 = sb1t
-+ vxor v1, v1, v4 # vpxor %xmm4, %xmm1, %xmm1 # 0 = sbox output
-+
-+ # add in smeared stuff
-+ vxor v0, v1, v7 # vpxor %xmm7, %xmm1, %xmm0
-+ vxor v7, v1, v7 # vmovdqa %xmm0, %xmm7
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+##
-+## .aes_schedule_transform
-+##
-+## Linear-transform %xmm0 according to tables at (%r11)
-+##
-+## Requires that %xmm9 = 0x0F0F... as in preheat
-+## Output in %xmm0
-+## Clobbers %xmm2
-+##
-+.align 4
-+_vpaes_schedule_transform:
-+ #vand v1, v0, v9 # vpand %xmm9, %xmm0, %xmm1
-+ vsrb v2, v0, v8 # vpsrlb \$4, %xmm0, %xmm0
-+ # vmovdqa (%r11), %xmm2 # lo
-+ vperm v0, $iptlo, $iptlo, v0 # vpshufb %xmm1, %xmm2, %xmm2
-+ # vmovdqa 16(%r11), %xmm1 # hi
-+ vperm v2, $ipthi, $ipthi, v2 # vpshufb %xmm0, %xmm1, %xmm0
-+ vxor v0, v0, v2 # vpxor %xmm2, %xmm0, %xmm0
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+##
-+## .aes_schedule_mangle
-+##
-+## Mangle xmm0 from (basis-transformed) standard version
-+## to our version.
-+##
-+## On encrypt,
-+## xor with 0x63
-+## multiply by circulant 0,1,1,1
-+## apply shiftrows transform
-+##
-+## On decrypt,
-+## xor with 0x63
-+## multiply by "inverse mixcolumns" circulant E,B,D,9
-+## deskew
-+## apply shiftrows transform
-+##
-+##
-+## Writes out to (%rdx), and increments or decrements it
-+## Keeps track of round number mod 4 in %r8
-+## Preserves xmm0
-+## Clobbers xmm1-xmm5
-+##
-+.align 4
-+_vpaes_schedule_mangle:
-+ #vmr v4, v0 # vmovdqa %xmm0, %xmm4 # save xmm0 for later
-+ # vmovdqa .Lk_mc_forward(%rip),%xmm5
-+ bne $dir, Lschedule_mangle_dec
-+
-+ # encrypting
-+ vxor v4, v0, v26 # vpxor .Lk_s63(%rip), %xmm0, %xmm4
-+ addi $out, $out, 16 # add \$16, %rdx
-+ vperm v4, v4, v4, v25 # vpshufb %xmm5, %xmm4, %xmm4
-+ vperm v1, v4, v4, v25 # vpshufb %xmm5, %xmm4, %xmm1
-+ vperm v3, v1, v1, v25 # vpshufb %xmm5, %xmm1, %xmm3
-+ vxor v4, v4, v1 # vpxor %xmm1, %xmm4, %xmm4
-+ lvx v1, r8, r10 # vmovdqa (%r8,%r10), %xmm1
-+ vxor v3, v3, v4 # vpxor %xmm4, %xmm3, %xmm3
-+
-+ vperm v3, v3, v3, v1 # vpshufb %xmm1, %xmm3, %xmm3
-+ addi r8, r8, -16 # add \$-16, %r8
-+ andi. r8, r8, 0x30 # and \$0x30, %r8
-+
-+ #stvx v3, 0, $out # vmovdqu %xmm3, (%rdx)
-+ vperm v1, v3, v3, $outperm # rotate right/left
-+ vsel v2, $outhead, v1, $outmask
-+ vmr $outhead, v1
-+ stvx v2, 0, $out
-+ blr
-+
-+.align 4
-+Lschedule_mangle_dec:
-+ # inverse mix columns
-+ # lea .Lk_dksd(%rip),%r11
-+ vsrb v1, v0, v8 # vpsrlb \$4, %xmm4, %xmm1 # 1 = hi
-+ #and v4, v0, v9 # vpand %xmm9, %xmm4, %xmm4 # 4 = lo
-+
-+ # vmovdqa 0x00(%r11), %xmm2
-+ vperm v2, v16, v16, v0 # vpshufb %xmm4, %xmm2, %xmm2
-+ # vmovdqa 0x10(%r11), %xmm3
-+ vperm v3, v17, v17, v1 # vpshufb %xmm1, %xmm3, %xmm3
-+ vxor v3, v3, v2 # vpxor %xmm2, %xmm3, %xmm3
-+ vperm v3, v3, v9, v25 # vpshufb %xmm5, %xmm3, %xmm3
-+
-+ # vmovdqa 0x20(%r11), %xmm2
-+ vperm v2, v18, v18, v0 # vpshufb %xmm4, %xmm2, %xmm2
-+ vxor v2, v2, v3 # vpxor %xmm3, %xmm2, %xmm2
-+ # vmovdqa 0x30(%r11), %xmm3
-+ vperm v3, v19, v19, v1 # vpshufb %xmm1, %xmm3, %xmm3
-+ vxor v3, v3, v2 # vpxor %xmm2, %xmm3, %xmm3
-+ vperm v3, v3, v9, v25 # vpshufb %xmm5, %xmm3, %xmm3
-+
-+ # vmovdqa 0x40(%r11), %xmm2
-+ vperm v2, v20, v20, v0 # vpshufb %xmm4, %xmm2, %xmm2
-+ vxor v2, v2, v3 # vpxor %xmm3, %xmm2, %xmm2
-+ # vmovdqa 0x50(%r11), %xmm3
-+ vperm v3, v21, v21, v1 # vpshufb %xmm1, %xmm3, %xmm3
-+ vxor v3, v3, v2 # vpxor %xmm2, %xmm3, %xmm3
-+
-+ # vmovdqa 0x60(%r11), %xmm2
-+ vperm v2, v22, v22, v0 # vpshufb %xmm4, %xmm2, %xmm2
-+ vperm v3, v3, v9, v25 # vpshufb %xmm5, %xmm3, %xmm3
-+ # vmovdqa 0x70(%r11), %xmm4
-+ vperm v4, v23, v23, v1 # vpshufb %xmm1, %xmm4, %xmm4
-+ lvx v1, r8, r10 # vmovdqa (%r8,%r10), %xmm1
-+ vxor v2, v2, v3 # vpxor %xmm3, %xmm2, %xmm2
-+ vxor v3, v4, v2 # vpxor %xmm2, %xmm4, %xmm3
-+
-+ addi $out, $out, -16 # add \$-16, %rdx
-+
-+ vperm v3, v3, v3, v1 # vpshufb %xmm1, %xmm3, %xmm3
-+ addi r8, r8, -16 # add \$-16, %r8
-+ andi. r8, r8, 0x30 # and \$0x30, %r8
-+
-+ #stvx v3, 0, $out # vmovdqu %xmm3, (%rdx)
-+ vperm v1, v3, v3, $outperm # rotate right/left
-+ vsel v2, $outhead, v1, $outmask
-+ vmr $outhead, v1
-+ stvx v2, 0, $out
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+
-+.globl .vpaes_set_encrypt_key
-+.align 5
-+.vpaes_set_encrypt_key:
-+ $STU $sp,-$FRAME($sp)
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mflr r0
-+ mfspr r6, 256 # save vrsave
-+ stvx v20,r10,$sp
-+ addi r10,r10,32
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ stw r6,`$FRAME-4`($sp) # save vrsave
-+ li r7, -1
-+ $PUSH r0, `$FRAME+$LRSAVE`($sp)
-+ mtspr 256, r7 # preserve all AltiVec registers
-+
-+ srwi r9, $bits, 5 # shr \$5,%eax
-+ addi r9, r9, 6 # add \$5,%eax
-+ stw r9, 240($out) # mov %eax,240(%rdx) # AES_KEY->rounds = nbits/32+5;
-+
-+ cmplw $dir, $bits, $bits # set encrypt direction
-+ li r8, 0x30 # mov \$0x30,%r8d
-+ bl _vpaes_schedule_core
-+
-+ $POP r0, `$FRAME+$LRSAVE`($sp)
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mtspr 256, r6 # restore vrsave
-+ mtlr r0
-+ xor r3, r3, r3
-+ lvx v20,r10,$sp
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+ addi $sp,$sp,$FRAME
-+ blr
-+ .long 0
-+ .byte 0,12,0x04,1,0x80,0,3,0
-+ .long 0
-+.size .vpaes_set_encrypt_key,.-.vpaes_set_encrypt_key
-+
-+.globl .vpaes_set_decrypt_key
-+.align 4
-+.vpaes_set_decrypt_key:
-+ $STU $sp,-$FRAME($sp)
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mflr r0
-+ mfspr r6, 256 # save vrsave
-+ stvx v20,r10,$sp
-+ addi r10,r10,32
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ stw r6,`$FRAME-4`($sp) # save vrsave
-+ li r7, -1
-+ $PUSH r0, `$FRAME+$LRSAVE`($sp)
-+ mtspr 256, r7 # preserve all AltiVec registers
-+
-+ srwi r9, $bits, 5 # shr \$5,%eax
-+ addi r9, r9, 6 # add \$5,%eax
-+ stw r9, 240($out) # mov %eax,240(%rdx) # AES_KEY->rounds = nbits/32+5;
-+
-+ slwi r9, r9, 4 # shl \$4,%eax
-+ add $out, $out, r9 # lea (%rdx,%rax),%rdx
-+
-+ cmplwi $dir, $bits, 0 # set decrypt direction
-+ srwi r8, $bits, 1 # shr \$1,%r8d
-+ andi. r8, r8, 32 # and \$32,%r8d
-+ xori r8, r8, 32 # xor \$32,%r8d # nbits==192?0:32
-+ bl _vpaes_schedule_core
-+
-+ $POP r0, `$FRAME+$LRSAVE`($sp)
-+ li r10,`15+6*$SIZE_T`
-+ li r11,`31+6*$SIZE_T`
-+ mtspr 256, r6 # restore vrsave
-+ mtlr r0
-+ xor r3, r3, r3
-+ lvx v20,r10,$sp
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+ addi $sp,$sp,$FRAME
-+ blr
-+ .long 0
-+ .byte 0,12,0x04,1,0x80,0,3,0
-+ .long 0
-+.size .vpaes_set_decrypt_key,.-.vpaes_set_decrypt_key
-+___
-+}
-+
-+my $consts=1;
-+foreach (split("\n",$code)) {
-+ s/\`([^\`]*)\`/eval $1/geo;
-+
-+ # constants table endian-specific conversion
-+ if ($consts && m/\.long\s+(.+)\s+(\?[a-z]*)$/o) {
-+ my $conv=$2;
-+ my @bytes=();
-+
-+ # convert to endian-agnostic format
-+ foreach (split(/,\s+/,$1)) {
-+ my $l = /^0/?oct:int;
-+ push @bytes,($l>>24)&0xff,($l>>16)&0xff,($l>>8)&0xff,$l&0xff;
-+ }
-+
-+ # little-endian conversion
-+ if ($flavour =~ /le$/o) {
-+ SWITCH: for($conv) {
-+ /\?inv/ && do { @bytes=map($_^0xf, at bytes); last; };
-+ /\?rev/ && do { @bytes=reverse(@bytes); last; };
-+ }
-+ }
-+
-+ #emit
-+ print ".byte\t",join(',',map (sprintf("0x%02x",$_), at bytes)),"\n";
-+ next;
-+ }
-+ $consts=0 if (m/Lconsts:/o); # end of table
-+
-+ # instructions prefixed with '?' are endian-specific and need
-+ # to be adjusted accordingly...
-+ if ($flavour =~ /le$/o) { # little-endian
-+ s/\?lvsr/lvsl/o or
-+ s/\?lvsl/lvsr/o or
-+ s/\?(vperm\s+v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+)/$1$3$2$4/o or
-+ s/\?(vsldoi\s+v[0-9]+,\s*)(v[0-9]+,)\s*(v[0-9]+,\s*)([0-9]+)/$1$3$2 16-$4/o or
-+ s/\?(vspltw\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9])/$1$2 3-$3/o;
-+ } else { # big-endian
-+ s/\?([a-z]+)/$1/o;
-+ }
-+
-+ print $_,"\n";
-+}
-+
-+close STDOUT;
-diff -up openssl-1.0.1i/crypto/aes/Makefile.ppc-asm openssl-1.0.1i/crypto/aes/Makefile
---- openssl-1.0.1i/crypto/aes/Makefile.ppc-asm 2014-08-06 23:18:31.000000000 +0200
-+++ openssl-1.0.1i/crypto/aes/Makefile 2014-08-13 19:46:21.092578104 +0200
-@@ -71,6 +71,10 @@ aes-sparcv9.s: asm/aes-sparcv9.pl
-
- aes-ppc.s: asm/aes-ppc.pl
- $(PERL) asm/aes-ppc.pl $(PERLASM_SCHEME) $@
-+vpaes-ppc.s: asm/vpaes-ppc.pl
-+ $(PERL) asm/vpaes-ppc.pl $(PERLASM_SCHEME) $@
-+aesp8-ppc.s: asm/aesp8-ppc.pl
-+ $(PERL) asm/aesp8-ppc.pl $(PERLASM_SCHEME) $@
-
- aes-parisc.s: asm/aes-parisc.pl
- $(PERL) asm/aes-parisc.pl $(PERLASM_SCHEME) $@
-diff -up openssl-1.0.1i/crypto/bn/asm/ppc-mont.pl.ppc-asm openssl-1.0.1i/crypto/bn/asm/ppc-mont.pl
---- openssl-1.0.1i/crypto/bn/asm/ppc-mont.pl.ppc-asm 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/crypto/bn/asm/ppc-mont.pl 2014-08-13 19:46:21.093578128 +0200
-@@ -325,6 +325,7 @@ Lcopy: ; copy or in-place refresh
- .long 0
- .byte 0,12,4,0,0x80,12,6,0
- .long 0
-+.size .bn_mul_mont_int,.-.bn_mul_mont_int
-
- .asciz "Montgomery Multiplication for PPC, CRYPTOGAMS by <appro\@openssl.org>"
- ___
-diff -up openssl-1.0.1i/crypto/bn/asm/ppc.pl.ppc-asm openssl-1.0.1i/crypto/bn/asm/ppc.pl
---- openssl-1.0.1i/crypto/bn/asm/ppc.pl.ppc-asm 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/crypto/bn/asm/ppc.pl 2014-08-13 19:46:21.094578151 +0200
-@@ -392,6 +392,7 @@ $data=<<EOF;
- .long 0
- .byte 0,12,0x14,0,0,0,2,0
- .long 0
-+.size .bn_sqr_comba4,.-.bn_sqr_comba4
-
- #
- # NOTE: The following label name should be changed to
-@@ -819,6 +820,7 @@ $data=<<EOF;
- .long 0
- .byte 0,12,0x14,0,0,0,2,0
- .long 0
-+.size .bn_sqr_comba8,.-.bn_sqr_comba8
-
- #
- # NOTE: The following label name should be changed to
-@@ -972,6 +974,7 @@ $data=<<EOF;
- .long 0
- .byte 0,12,0x14,0,0,0,3,0
- .long 0
-+.size .bn_mul_comba4,.-.bn_mul_comba4
-
- #
- # NOTE: The following label name should be changed to
-@@ -1510,6 +1513,7 @@ $data=<<EOF;
- .long 0
- .byte 0,12,0x14,0,0,0,3,0
- .long 0
-+.size .bn_mul_comba8,.-.bn_mul_comba8
-
- #
- # NOTE: The following label name should be changed to
-@@ -1560,6 +1564,7 @@ Lppcasm_sub_adios:
- .long 0
- .byte 0,12,0x14,0,0,0,4,0
- .long 0
-+.size .bn_sub_words,.-.bn_sub_words
-
- #
- # NOTE: The following label name should be changed to
-@@ -1605,6 +1610,7 @@ Lppcasm_add_adios:
- .long 0
- .byte 0,12,0x14,0,0,0,4,0
- .long 0
-+.size .bn_add_words,.-.bn_add_words
-
- #
- # NOTE: The following label name should be changed to
-@@ -1720,6 +1726,7 @@ Lppcasm_div9:
- .long 0
- .byte 0,12,0x14,0,0,0,3,0
- .long 0
-+.size .bn_div_words,.-.bn_div_words
-
- #
- # NOTE: The following label name should be changed to
-@@ -1761,6 +1768,7 @@ Lppcasm_sqr_adios:
- .long 0
- .byte 0,12,0x14,0,0,0,3,0
- .long 0
-+.size .bn_sqr_words,.-.bn_sqr_words
-
- #
- # NOTE: The following label name should be changed to
-@@ -1866,6 +1874,7 @@ Lppcasm_mw_OVER:
- .long 0
- .byte 0,12,0x14,0,0,0,4,0
- .long 0
-+.size bn_mul_words,.-bn_mul_words
-
- #
- # NOTE: The following label name should be changed to
-@@ -1991,6 +2000,7 @@ Lppcasm_maw_adios:
- .long 0
- .byte 0,12,0x14,0,0,0,4,0
- .long 0
-+.size .bn_mul_add_words,.-.bn_mul_add_words
- .align 4
- EOF
- $data =~ s/\`([^\`]*)\`/eval $1/gem;
-diff -up openssl-1.0.1i/crypto/bn/asm/ppc64-mont.pl.ppc-asm openssl-1.0.1i/crypto/bn/asm/ppc64-mont.pl
---- openssl-1.0.1i/crypto/bn/asm/ppc64-mont.pl.ppc-asm 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/crypto/bn/asm/ppc64-mont.pl 2014-08-13 19:46:21.094578151 +0200
-@@ -1,7 +1,7 @@
- #!/usr/bin/env perl
-
- # ====================================================================
--# Written by Andy Polyakov <appro at fy.chalmers.se> for the OpenSSL
-+# Written by Andy Polyakov <appro at openssl.org> for the OpenSSL
- # project. The module is, however, dual licensed under OpenSSL and
- # CRYPTOGAMS licenses depending on where you obtain it. For further
- # details see http://www.openssl.org/~appro/cryptogams/.
-@@ -65,6 +65,14 @@
- # others alternative would be to break dependence on upper halves of
- # GPRs by sticking to 32-bit integer operations...
-
-+# December 2012
-+
-+# Remove above mentioned dependence on GPRs' upper halves in 32-bit
-+# build. No signal masking overhead, but integer instructions are
-+# *more* numerous... It's still "universally" faster than 32-bit
-+# ppc-mont.pl, but improvement coefficient is not as impressive
-+# for longer keys...
-+
- $flavour = shift;
-
- if ($flavour =~ /32/) {
-@@ -110,6 +118,9 @@ $tp="r10";
- $j="r11";
- $i="r12";
- # non-volatile registers
-+$c1="r19";
-+$n1="r20";
-+$a1="r21";
- $nap_d="r22"; # interleaved ap and np in double format
- $a0="r23"; # ap[0]
- $t0="r24"; # temporary registers
-@@ -180,8 +191,8 @@ $T3a="f30"; $T3b="f31";
- # . .
- # +-------------------------------+
- # . .
--# -12*size_t +-------------------------------+
--# | 10 saved gpr, r22-r31 |
-+# -13*size_t +-------------------------------+
-+# | 13 saved gpr, r19-r31 |
- # . .
- # . .
- # -12*8 +-------------------------------+
-@@ -215,6 +226,9 @@ $code=<<___;
- mr $i,$sp
- $STUX $sp,$sp,$tp ; alloca
-
-+ $PUSH r19,`-12*8-13*$SIZE_T`($i)
-+ $PUSH r20,`-12*8-12*$SIZE_T`($i)
-+ $PUSH r21,`-12*8-11*$SIZE_T`($i)
- $PUSH r22,`-12*8-10*$SIZE_T`($i)
- $PUSH r23,`-12*8-9*$SIZE_T`($i)
- $PUSH r24,`-12*8-8*$SIZE_T`($i)
-@@ -237,40 +251,26 @@ $code=<<___;
- stfd f29,`-3*8`($i)
- stfd f30,`-2*8`($i)
- stfd f31,`-1*8`($i)
--___
--$code.=<<___ if ($SIZE_T==8);
-- ld $a0,0($ap) ; pull ap[0] value
-- ld $n0,0($n0) ; pull n0[0] value
-- ld $t3,0($bp) ; bp[0]
--___
--$code.=<<___ if ($SIZE_T==4);
-- mr $t1,$n0
-- lwz $a0,0($ap) ; pull ap[0,1] value
-- lwz $t0,4($ap)
-- lwz $n0,0($t1) ; pull n0[0,1] value
-- lwz $t1,4($t1)
-- lwz $t3,0($bp) ; bp[0,1]
-- lwz $t2,4($bp)
-- insrdi $a0,$t0,32,0
-- insrdi $n0,$t1,32,0
-- insrdi $t3,$t2,32,0
--___
--$code.=<<___;
-+
- addi $tp,$sp,`$FRAME+$TRANSFER+8+64`
- li $i,-64
- add $nap_d,$tp,$num
- and $nap_d,$nap_d,$i ; align to 64 bytes
--
-- mulld $t7,$a0,$t3 ; ap[0]*bp[0]
- ; nap_d is off by 1, because it's used with stfdu/lfdu
- addi $nap_d,$nap_d,-8
- srwi $j,$num,`3+1` ; counter register, num/2
-- mulld $t7,$t7,$n0 ; tp[0]*n0
- addi $j,$j,-1
- addi $tp,$sp,`$FRAME+$TRANSFER-8`
- li $carry,0
- mtctr $j
-+___
-+
-+$code.=<<___ if ($SIZE_T==8);
-+ ld $a0,0($ap) ; pull ap[0] value
-+ ld $t3,0($bp) ; bp[0]
-+ ld $n0,0($n0) ; pull n0[0] value
-
-+ mulld $t7,$a0,$t3 ; ap[0]*bp[0]
- ; transfer bp[0] to FPU as 4x16-bit values
- extrdi $t0,$t3,16,48
- extrdi $t1,$t3,16,32
-@@ -280,6 +280,8 @@ $code.=<<___;
- std $t1,`$FRAME+8`($sp)
- std $t2,`$FRAME+16`($sp)
- std $t3,`$FRAME+24`($sp)
-+
-+ mulld $t7,$t7,$n0 ; tp[0]*n0
- ; transfer (ap[0]*bp[0])*n0 to FPU as 4x16-bit values
- extrdi $t4,$t7,16,48
- extrdi $t5,$t7,16,32
-@@ -289,21 +291,61 @@ $code.=<<___;
- std $t5,`$FRAME+40`($sp)
- std $t6,`$FRAME+48`($sp)
- std $t7,`$FRAME+56`($sp)
--___
--$code.=<<___ if ($SIZE_T==8);
-- lwz $t0,4($ap) ; load a[j] as 32-bit word pair
-- lwz $t1,0($ap)
-- lwz $t2,12($ap) ; load a[j+1] as 32-bit word pair
-+
-+ extrdi $t0,$a0,32,32 ; lwz $t0,4($ap)
-+ extrdi $t1,$a0,32,0 ; lwz $t1,0($ap)
-+ lwz $t2,12($ap) ; load a[1] as 32-bit word pair
- lwz $t3,8($ap)
-- lwz $t4,4($np) ; load n[j] as 32-bit word pair
-+ lwz $t4,4($np) ; load n[0] as 32-bit word pair
- lwz $t5,0($np)
-- lwz $t6,12($np) ; load n[j+1] as 32-bit word pair
-+ lwz $t6,12($np) ; load n[1] as 32-bit word pair
- lwz $t7,8($np)
- ___
- $code.=<<___ if ($SIZE_T==4);
-- lwz $t0,0($ap) ; load a[j..j+3] as 32-bit word pairs
-- lwz $t1,4($ap)
-- lwz $t2,8($ap)
-+ lwz $a0,0($ap) ; pull ap[0,1] value
-+ mr $n1,$n0
-+ lwz $a1,4($ap)
-+ li $c1,0
-+ lwz $t1,0($bp) ; bp[0,1]
-+ lwz $t3,4($bp)
-+ lwz $n0,0($n1) ; pull n0[0,1] value
-+ lwz $n1,4($n1)
-+
-+ mullw $t4,$a0,$t1 ; mulld ap[0]*bp[0]
-+ mulhwu $t5,$a0,$t1
-+ mullw $t6,$a1,$t1
-+ mullw $t7,$a0,$t3
-+ add $t5,$t5,$t6
-+ add $t5,$t5,$t7
-+ ; transfer bp[0] to FPU as 4x16-bit values
-+ extrwi $t0,$t1,16,16
-+ extrwi $t1,$t1,16,0
-+ extrwi $t2,$t3,16,16
-+ extrwi $t3,$t3,16,0
-+ std $t0,`$FRAME+0`($sp) ; yes, std in 32-bit build
-+ std $t1,`$FRAME+8`($sp)
-+ std $t2,`$FRAME+16`($sp)
-+ std $t3,`$FRAME+24`($sp)
-+
-+ mullw $t0,$t4,$n0 ; mulld tp[0]*n0
-+ mulhwu $t1,$t4,$n0
-+ mullw $t2,$t5,$n0
-+ mullw $t3,$t4,$n1
-+ add $t1,$t1,$t2
-+ add $t1,$t1,$t3
-+ ; transfer (ap[0]*bp[0])*n0 to FPU as 4x16-bit values
-+ extrwi $t4,$t0,16,16
-+ extrwi $t5,$t0,16,0
-+ extrwi $t6,$t1,16,16
-+ extrwi $t7,$t1,16,0
-+ std $t4,`$FRAME+32`($sp) ; yes, std in 32-bit build
-+ std $t5,`$FRAME+40`($sp)
-+ std $t6,`$FRAME+48`($sp)
-+ std $t7,`$FRAME+56`($sp)
-+
-+ mr $t0,$a0 ; lwz $t0,0($ap)
-+ mr $t1,$a1 ; lwz $t1,4($ap)
-+ lwz $t2,8($ap) ; load a[j..j+3] as 32-bit word pairs
- lwz $t3,12($ap)
- lwz $t4,0($np) ; load n[j..j+3] as 32-bit word pairs
- lwz $t5,4($np)
-@@ -319,7 +361,7 @@ $code.=<<___;
- lfd $nb,`$FRAME+40`($sp)
- lfd $nc,`$FRAME+48`($sp)
- lfd $nd,`$FRAME+56`($sp)
-- std $t0,`$FRAME+64`($sp)
-+ std $t0,`$FRAME+64`($sp) ; yes, std even in 32-bit build
- std $t1,`$FRAME+72`($sp)
- std $t2,`$FRAME+80`($sp)
- std $t3,`$FRAME+88`($sp)
-@@ -441,7 +483,7 @@ $code.=<<___ if ($SIZE_T==4);
- lwz $t7,12($np)
- ___
- $code.=<<___;
-- std $t0,`$FRAME+64`($sp)
-+ std $t0,`$FRAME+64`($sp) ; yes, std even in 32-bit build
- std $t1,`$FRAME+72`($sp)
- std $t2,`$FRAME+80`($sp)
- std $t3,`$FRAME+88`($sp)
-@@ -449,6 +491,9 @@ $code.=<<___;
- std $t5,`$FRAME+104`($sp)
- std $t6,`$FRAME+112`($sp)
- std $t7,`$FRAME+120`($sp)
-+___
-+if ($SIZE_T==8 or $flavour =~ /osx/) {
-+$code.=<<___;
- ld $t0,`$FRAME+0`($sp)
- ld $t1,`$FRAME+8`($sp)
- ld $t2,`$FRAME+16`($sp)
-@@ -457,6 +502,20 @@ $code.=<<___;
- ld $t5,`$FRAME+40`($sp)
- ld $t6,`$FRAME+48`($sp)
- ld $t7,`$FRAME+56`($sp)
-+___
-+} else {
-+$code.=<<___;
-+ lwz $t1,`$FRAME+0`($sp)
-+ lwz $t0,`$FRAME+4`($sp)
-+ lwz $t3,`$FRAME+8`($sp)
-+ lwz $t2,`$FRAME+12`($sp)
-+ lwz $t5,`$FRAME+16`($sp)
-+ lwz $t4,`$FRAME+20`($sp)
-+ lwz $t7,`$FRAME+24`($sp)
-+ lwz $t6,`$FRAME+28`($sp)
-+___
-+}
-+$code.=<<___;
- lfd $A0,`$FRAME+64`($sp)
- lfd $A1,`$FRAME+72`($sp)
- lfd $A2,`$FRAME+80`($sp)
-@@ -488,7 +547,9 @@ $code.=<<___;
- fmadd $T0b,$A0,$bb,$dotb
- stfd $A2,24($nap_d) ; save a[j+1] in double format
- stfd $A3,32($nap_d)
--
-+___
-+if ($SIZE_T==8 or $flavour =~ /osx/) {
-+$code.=<<___;
- fmadd $T1a,$A0,$bc,$T1a
- fmadd $T1b,$A0,$bd,$T1b
- fmadd $T2a,$A1,$bc,$T2a
-@@ -561,11 +622,123 @@ $code.=<<___;
- stfd $T3b,`$FRAME+56`($sp)
- std $t0,8($tp) ; tp[j-1]
- stdu $t4,16($tp) ; tp[j]
-+___
-+} else {
-+$code.=<<___;
-+ fmadd $T1a,$A0,$bc,$T1a
-+ fmadd $T1b,$A0,$bd,$T1b
-+ addc $t0,$t0,$carry
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ fmadd $T2a,$A1,$bc,$T2a
-+ fmadd $T2b,$A1,$bd,$T2b
-+ stfd $N0,40($nap_d) ; save n[j] in double format
-+ stfd $N1,48($nap_d)
-+ srwi $c1,$t1,16
-+ insrwi $carry,$t1,16,0
-+ fmadd $T3a,$A2,$bc,$T3a
-+ fmadd $T3b,$A2,$bd,$T3b
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ fmul $dota,$A3,$bc
-+ fmul $dotb,$A3,$bd
-+ stfd $N2,56($nap_d) ; save n[j+1] in double format
-+ stfdu $N3,64($nap_d)
-+ insrwi $t0,$t2,16,0 ; 0..31 bits
-+ srwi $c1,$t3,16
-+ insrwi $carry,$t3,16,0
-+
-+ fmadd $T1a,$N1,$na,$T1a
-+ fmadd $T1b,$N1,$nb,$T1b
-+ lwz $t3,`$FRAME+32`($sp) ; permuted $t1
-+ lwz $t2,`$FRAME+36`($sp) ; permuted $t0
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ fmadd $T2a,$N2,$na,$T2a
-+ fmadd $T2b,$N2,$nb,$T2b
-+ srwi $c1,$t5,16
-+ insrwi $carry,$t5,16,0
-+ fmadd $T3a,$N3,$na,$T3a
-+ fmadd $T3b,$N3,$nb,$T3b
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ fmadd $T0a,$N0,$na,$T0a
-+ fmadd $T0b,$N0,$nb,$T0b
-+ insrwi $t4,$t6,16,0 ; 32..63 bits
-+ srwi $c1,$t7,16
-+ insrwi $carry,$t7,16,0
-+
-+ fmadd $T1a,$N0,$nc,$T1a
-+ fmadd $T1b,$N0,$nd,$T1b
-+ lwz $t7,`$FRAME+40`($sp) ; permuted $t3
-+ lwz $t6,`$FRAME+44`($sp) ; permuted $t2
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ fmadd $T2a,$N1,$nc,$T2a
-+ fmadd $T2b,$N1,$nd,$T2b
-+ stw $t0,12($tp) ; tp[j-1]
-+ stw $t4,8($tp)
-+ srwi $c1,$t3,16
-+ insrwi $carry,$t3,16,0
-+ fmadd $T3a,$N2,$nc,$T3a
-+ fmadd $T3b,$N2,$nd,$T3b
-+ lwz $t1,`$FRAME+48`($sp) ; permuted $t5
-+ lwz $t0,`$FRAME+52`($sp) ; permuted $t4
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ fmadd $dota,$N3,$nc,$dota
-+ fmadd $dotb,$N3,$nd,$dotb
-+ insrwi $t2,$t6,16,0 ; 64..95 bits
-+ srwi $c1,$t7,16
-+ insrwi $carry,$t7,16,0
-+
-+ fctid $T0a,$T0a
-+ fctid $T0b,$T0b
-+ lwz $t5,`$FRAME+56`($sp) ; permuted $t7
-+ lwz $t4,`$FRAME+60`($sp) ; permuted $t6
-+ addc $t0,$t0,$carry
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ fctid $T1a,$T1a
-+ fctid $T1b,$T1b
-+ srwi $c1,$t1,16
-+ insrwi $carry,$t1,16,0
-+ fctid $T2a,$T2a
-+ fctid $T2b,$T2b
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ fctid $T3a,$T3a
-+ fctid $T3b,$T3b
-+ insrwi $t0,$t4,16,0 ; 96..127 bits
-+ srwi $c1,$t5,16
-+ insrwi $carry,$t5,16,0
-+
-+ stfd $T0a,`$FRAME+0`($sp)
-+ stfd $T0b,`$FRAME+8`($sp)
-+ stfd $T1a,`$FRAME+16`($sp)
-+ stfd $T1b,`$FRAME+24`($sp)
-+ stfd $T2a,`$FRAME+32`($sp)
-+ stfd $T2b,`$FRAME+40`($sp)
-+ stfd $T3a,`$FRAME+48`($sp)
-+ stfd $T3b,`$FRAME+56`($sp)
-+ stw $t2,20($tp) ; tp[j]
-+ stwu $t0,16($tp)
-+___
-+}
-+$code.=<<___;
- bdnz- L1st
-
- fctid $dota,$dota
- fctid $dotb,$dotb
--
-+___
-+if ($SIZE_T==8 or $flavour =~ /osx/) {
-+$code.=<<___;
- ld $t0,`$FRAME+0`($sp)
- ld $t1,`$FRAME+8`($sp)
- ld $t2,`$FRAME+16`($sp)
-@@ -611,33 +784,117 @@ $code.=<<___;
- insrdi $t6,$t7,48,0
- srdi $ovf,$t7,48
- std $t6,8($tp) ; tp[num-1]
-+___
-+} else {
-+$code.=<<___;
-+ lwz $t1,`$FRAME+0`($sp)
-+ lwz $t0,`$FRAME+4`($sp)
-+ lwz $t3,`$FRAME+8`($sp)
-+ lwz $t2,`$FRAME+12`($sp)
-+ lwz $t5,`$FRAME+16`($sp)
-+ lwz $t4,`$FRAME+20`($sp)
-+ lwz $t7,`$FRAME+24`($sp)
-+ lwz $t6,`$FRAME+28`($sp)
-+ stfd $dota,`$FRAME+64`($sp)
-+ stfd $dotb,`$FRAME+72`($sp)
-
-+ addc $t0,$t0,$carry
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ insrwi $carry,$t1,16,0
-+ srwi $c1,$t1,16
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ insrwi $t0,$t2,16,0 ; 0..31 bits
-+ insrwi $carry,$t3,16,0
-+ srwi $c1,$t3,16
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ insrwi $carry,$t5,16,0
-+ srwi $c1,$t5,16
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ insrwi $t4,$t6,16,0 ; 32..63 bits
-+ insrwi $carry,$t7,16,0
-+ srwi $c1,$t7,16
-+ stw $t0,12($tp) ; tp[j-1]
-+ stw $t4,8($tp)
-+
-+ lwz $t3,`$FRAME+32`($sp) ; permuted $t1
-+ lwz $t2,`$FRAME+36`($sp) ; permuted $t0
-+ lwz $t7,`$FRAME+40`($sp) ; permuted $t3
-+ lwz $t6,`$FRAME+44`($sp) ; permuted $t2
-+ lwz $t1,`$FRAME+48`($sp) ; permuted $t5
-+ lwz $t0,`$FRAME+52`($sp) ; permuted $t4
-+ lwz $t5,`$FRAME+56`($sp) ; permuted $t7
-+ lwz $t4,`$FRAME+60`($sp) ; permuted $t6
-+
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ insrwi $carry,$t3,16,0
-+ srwi $c1,$t3,16
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ insrwi $t2,$t6,16,0 ; 64..95 bits
-+ insrwi $carry,$t7,16,0
-+ srwi $c1,$t7,16
-+ addc $t0,$t0,$carry
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ insrwi $carry,$t1,16,0
-+ srwi $c1,$t1,16
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ insrwi $t0,$t4,16,0 ; 96..127 bits
-+ insrwi $carry,$t5,16,0
-+ srwi $c1,$t5,16
-+ stw $t2,20($tp) ; tp[j]
-+ stwu $t0,16($tp)
-+
-+ lwz $t7,`$FRAME+64`($sp)
-+ lwz $t6,`$FRAME+68`($sp)
-+ lwz $t5,`$FRAME+72`($sp)
-+ lwz $t4,`$FRAME+76`($sp)
-+
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ insrwi $carry,$t7,16,0
-+ srwi $c1,$t7,16
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+
-+ insrwi $t6,$t4,16,0
-+ srwi $t4,$t4,16
-+ insrwi $t4,$t5,16,0
-+ srwi $ovf,$t5,16
-+ stw $t6,12($tp) ; tp[num-1]
-+ stw $t4,8($tp)
-+___
-+}
-+$code.=<<___;
- slwi $t7,$num,2
- subf $nap_d,$t7,$nap_d ; rewind pointer
-
- li $i,8 ; i=1
- .align 5
- Louter:
--___
--$code.=<<___ if ($SIZE_T==8);
-- ldx $t3,$bp,$i ; bp[i]
--___
--$code.=<<___ if ($SIZE_T==4);
-- add $t0,$bp,$i
-- lwz $t3,0($t0) ; bp[i,i+1]
-- lwz $t0,4($t0)
-- insrdi $t3,$t0,32,0
--___
--$code.=<<___;
-- ld $t6,`$FRAME+$TRANSFER+8`($sp) ; tp[0]
-- mulld $t7,$a0,$t3 ; ap[0]*bp[i]
--
- addi $tp,$sp,`$FRAME+$TRANSFER`
-- add $t7,$t7,$t6 ; ap[0]*bp[i]+tp[0]
- li $carry,0
-- mulld $t7,$t7,$n0 ; tp[0]*n0
- mtctr $j
-+___
-+$code.=<<___ if ($SIZE_T==8);
-+ ldx $t3,$bp,$i ; bp[i]
-
-+ ld $t6,`$FRAME+$TRANSFER+8`($sp) ; tp[0]
-+ mulld $t7,$a0,$t3 ; ap[0]*bp[i]
-+ add $t7,$t7,$t6 ; ap[0]*bp[i]+tp[0]
- ; transfer bp[i] to FPU as 4x16-bit values
- extrdi $t0,$t3,16,48
- extrdi $t1,$t3,16,32
-@@ -647,6 +904,8 @@ $code.=<<___;
- std $t1,`$FRAME+8`($sp)
- std $t2,`$FRAME+16`($sp)
- std $t3,`$FRAME+24`($sp)
-+
-+ mulld $t7,$t7,$n0 ; tp[0]*n0
- ; transfer (ap[0]*bp[i]+tp[0])*n0 to FPU as 4x16-bit values
- extrdi $t4,$t7,16,48
- extrdi $t5,$t7,16,32
-@@ -656,7 +915,50 @@ $code.=<<___;
- std $t5,`$FRAME+40`($sp)
- std $t6,`$FRAME+48`($sp)
- std $t7,`$FRAME+56`($sp)
-+___
-+$code.=<<___ if ($SIZE_T==4);
-+ add $t0,$bp,$i
-+ li $c1,0
-+ lwz $t1,0($t0) ; bp[i,i+1]
-+ lwz $t3,4($t0)
-+
-+ mullw $t4,$a0,$t1 ; ap[0]*bp[i]
-+ lwz $t0,`$FRAME+$TRANSFER+8+4`($sp) ; tp[0]
-+ mulhwu $t5,$a0,$t1
-+ lwz $t2,`$FRAME+$TRANSFER+8`($sp) ; tp[0]
-+ mullw $t6,$a1,$t1
-+ mullw $t7,$a0,$t3
-+ add $t5,$t5,$t6
-+ add $t5,$t5,$t7
-+ addc $t4,$t4,$t0 ; ap[0]*bp[i]+tp[0]
-+ adde $t5,$t5,$t2
-+ ; transfer bp[i] to FPU as 4x16-bit values
-+ extrwi $t0,$t1,16,16
-+ extrwi $t1,$t1,16,0
-+ extrwi $t2,$t3,16,16
-+ extrwi $t3,$t3,16,0
-+ std $t0,`$FRAME+0`($sp) ; yes, std in 32-bit build
-+ std $t1,`$FRAME+8`($sp)
-+ std $t2,`$FRAME+16`($sp)
-+ std $t3,`$FRAME+24`($sp)
-
-+ mullw $t0,$t4,$n0 ; mulld tp[0]*n0
-+ mulhwu $t1,$t4,$n0
-+ mullw $t2,$t5,$n0
-+ mullw $t3,$t4,$n1
-+ add $t1,$t1,$t2
-+ add $t1,$t1,$t3
-+ ; transfer (ap[0]*bp[i]+tp[0])*n0 to FPU as 4x16-bit values
-+ extrwi $t4,$t0,16,16
-+ extrwi $t5,$t0,16,0
-+ extrwi $t6,$t1,16,16
-+ extrwi $t7,$t1,16,0
-+ std $t4,`$FRAME+32`($sp) ; yes, std in 32-bit build
-+ std $t5,`$FRAME+40`($sp)
-+ std $t6,`$FRAME+48`($sp)
-+ std $t7,`$FRAME+56`($sp)
-+___
-+$code.=<<___;
- lfd $A0,8($nap_d) ; load a[j] in double format
- lfd $A1,16($nap_d)
- lfd $A2,24($nap_d) ; load a[j+1] in double format
-@@ -769,7 +1071,9 @@ Linner:
- fmul $dotb,$A3,$bd
- lfd $A2,24($nap_d) ; load a[j+1] in double format
- lfd $A3,32($nap_d)
--
-+___
-+if ($SIZE_T==8 or $flavour =~ /osx/) {
-+$code.=<<___;
- fmadd $T1a,$N1,$na,$T1a
- fmadd $T1b,$N1,$nb,$T1b
- ld $t0,`$FRAME+0`($sp)
-@@ -856,10 +1160,131 @@ $code.=<<___;
- addze $carry,$carry
- std $t3,-16($tp) ; tp[j-1]
- std $t5,-8($tp) ; tp[j]
-+___
-+} else {
-+$code.=<<___;
-+ fmadd $T1a,$N1,$na,$T1a
-+ fmadd $T1b,$N1,$nb,$T1b
-+ lwz $t1,`$FRAME+0`($sp)
-+ lwz $t0,`$FRAME+4`($sp)
-+ fmadd $T2a,$N2,$na,$T2a
-+ fmadd $T2b,$N2,$nb,$T2b
-+ lwz $t3,`$FRAME+8`($sp)
-+ lwz $t2,`$FRAME+12`($sp)
-+ fmadd $T3a,$N3,$na,$T3a
-+ fmadd $T3b,$N3,$nb,$T3b
-+ lwz $t5,`$FRAME+16`($sp)
-+ lwz $t4,`$FRAME+20`($sp)
-+ addc $t0,$t0,$carry
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ fmadd $T0a,$N0,$na,$T0a
-+ fmadd $T0b,$N0,$nb,$T0b
-+ lwz $t7,`$FRAME+24`($sp)
-+ lwz $t6,`$FRAME+28`($sp)
-+ srwi $c1,$t1,16
-+ insrwi $carry,$t1,16,0
-+
-+ fmadd $T1a,$N0,$nc,$T1a
-+ fmadd $T1b,$N0,$nd,$T1b
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ fmadd $T2a,$N1,$nc,$T2a
-+ fmadd $T2b,$N1,$nd,$T2b
-+ insrwi $t0,$t2,16,0 ; 0..31 bits
-+ srwi $c1,$t3,16
-+ insrwi $carry,$t3,16,0
-+ fmadd $T3a,$N2,$nc,$T3a
-+ fmadd $T3b,$N2,$nd,$T3b
-+ lwz $t2,12($tp) ; tp[j]
-+ lwz $t3,8($tp)
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ fmadd $dota,$N3,$nc,$dota
-+ fmadd $dotb,$N3,$nd,$dotb
-+ srwi $c1,$t5,16
-+ insrwi $carry,$t5,16,0
-+
-+ fctid $T0a,$T0a
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ fctid $T0b,$T0b
-+ insrwi $t4,$t6,16,0 ; 32..63 bits
-+ srwi $c1,$t7,16
-+ insrwi $carry,$t7,16,0
-+ fctid $T1a,$T1a
-+ addc $t0,$t0,$t2
-+ adde $t4,$t4,$t3
-+ lwz $t3,`$FRAME+32`($sp) ; permuted $t1
-+ lwz $t2,`$FRAME+36`($sp) ; permuted $t0
-+ fctid $T1b,$T1b
-+ addze $carry,$carry
-+ addze $c1,$c1
-+ stw $t0,4($tp) ; tp[j-1]
-+ stw $t4,0($tp)
-+ fctid $T2a,$T2a
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ lwz $t7,`$FRAME+40`($sp) ; permuted $t3
-+ lwz $t6,`$FRAME+44`($sp) ; permuted $t2
-+ fctid $T2b,$T2b
-+ srwi $c1,$t3,16
-+ insrwi $carry,$t3,16,0
-+ lwz $t1,`$FRAME+48`($sp) ; permuted $t5
-+ lwz $t0,`$FRAME+52`($sp) ; permuted $t4
-+ fctid $T3a,$T3a
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ lwz $t5,`$FRAME+56`($sp) ; permuted $t7
-+ lwz $t4,`$FRAME+60`($sp) ; permuted $t6
-+ fctid $T3b,$T3b
-+
-+ insrwi $t2,$t6,16,0 ; 64..95 bits
-+ insrwi $carry,$t7,16,0
-+ srwi $c1,$t7,16
-+ lwz $t6,20($tp)
-+ lwzu $t7,16($tp)
-+ addc $t0,$t0,$carry
-+ stfd $T0a,`$FRAME+0`($sp)
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ stfd $T0b,`$FRAME+8`($sp)
-+ insrwi $carry,$t1,16,0
-+ srwi $c1,$t1,16
-+ addc $t4,$t4,$carry
-+ stfd $T1a,`$FRAME+16`($sp)
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ insrwi $t0,$t4,16,0 ; 96..127 bits
-+ stfd $T1b,`$FRAME+24`($sp)
-+ insrwi $carry,$t5,16,0
-+ srwi $c1,$t5,16
-+
-+ addc $t2,$t2,$t6
-+ stfd $T2a,`$FRAME+32`($sp)
-+ adde $t0,$t0,$t7
-+ stfd $T2b,`$FRAME+40`($sp)
-+ addze $carry,$carry
-+ stfd $T3a,`$FRAME+48`($sp)
-+ addze $c1,$c1
-+ stfd $T3b,`$FRAME+56`($sp)
-+ stw $t2,-4($tp) ; tp[j]
-+ stw $t0,-8($tp)
-+___
-+}
-+$code.=<<___;
- bdnz- Linner
-
- fctid $dota,$dota
- fctid $dotb,$dotb
-+___
-+if ($SIZE_T==8 or $flavour =~ /osx/) {
-+$code.=<<___;
- ld $t0,`$FRAME+0`($sp)
- ld $t1,`$FRAME+8`($sp)
- ld $t2,`$FRAME+16`($sp)
-@@ -926,7 +1351,116 @@ $code.=<<___;
- insrdi $t6,$t7,48,0
- srdi $ovf,$t7,48
- std $t6,0($tp) ; tp[num-1]
-+___
-+} else {
-+$code.=<<___;
-+ lwz $t1,`$FRAME+0`($sp)
-+ lwz $t0,`$FRAME+4`($sp)
-+ lwz $t3,`$FRAME+8`($sp)
-+ lwz $t2,`$FRAME+12`($sp)
-+ lwz $t5,`$FRAME+16`($sp)
-+ lwz $t4,`$FRAME+20`($sp)
-+ lwz $t7,`$FRAME+24`($sp)
-+ lwz $t6,`$FRAME+28`($sp)
-+ stfd $dota,`$FRAME+64`($sp)
-+ stfd $dotb,`$FRAME+72`($sp)
-
-+ addc $t0,$t0,$carry
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ insrwi $carry,$t1,16,0
-+ srwi $c1,$t1,16
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ insrwi $t0,$t2,16,0 ; 0..31 bits
-+ lwz $t2,12($tp) ; tp[j]
-+ insrwi $carry,$t3,16,0
-+ srwi $c1,$t3,16
-+ lwz $t3,8($tp)
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ insrwi $carry,$t5,16,0
-+ srwi $c1,$t5,16
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ insrwi $t4,$t6,16,0 ; 32..63 bits
-+ insrwi $carry,$t7,16,0
-+ srwi $c1,$t7,16
-+
-+ addc $t0,$t0,$t2
-+ adde $t4,$t4,$t3
-+ addze $carry,$carry
-+ addze $c1,$c1
-+ stw $t0,4($tp) ; tp[j-1]
-+ stw $t4,0($tp)
-+
-+ lwz $t3,`$FRAME+32`($sp) ; permuted $t1
-+ lwz $t2,`$FRAME+36`($sp) ; permuted $t0
-+ lwz $t7,`$FRAME+40`($sp) ; permuted $t3
-+ lwz $t6,`$FRAME+44`($sp) ; permuted $t2
-+ lwz $t1,`$FRAME+48`($sp) ; permuted $t5
-+ lwz $t0,`$FRAME+52`($sp) ; permuted $t4
-+ lwz $t5,`$FRAME+56`($sp) ; permuted $t7
-+ lwz $t4,`$FRAME+60`($sp) ; permuted $t6
-+
-+ addc $t2,$t2,$carry
-+ adde $t3,$t3,$c1
-+ srwi $carry,$t2,16
-+ insrwi $carry,$t3,16,0
-+ srwi $c1,$t3,16
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ srwi $carry,$t6,16
-+ insrwi $t2,$t6,16,0 ; 64..95 bits
-+ lwz $t6,20($tp)
-+ insrwi $carry,$t7,16,0
-+ srwi $c1,$t7,16
-+ lwzu $t7,16($tp)
-+ addc $t0,$t0,$carry
-+ adde $t1,$t1,$c1
-+ srwi $carry,$t0,16
-+ insrwi $carry,$t1,16,0
-+ srwi $c1,$t1,16
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+ srwi $carry,$t4,16
-+ insrwi $t0,$t4,16,0 ; 96..127 bits
-+ insrwi $carry,$t5,16,0
-+ srwi $c1,$t5,16
-+
-+ addc $t2,$t2,$t6
-+ adde $t0,$t0,$t7
-+ lwz $t7,`$FRAME+64`($sp)
-+ lwz $t6,`$FRAME+68`($sp)
-+ addze $carry,$carry
-+ addze $c1,$c1
-+ lwz $t5,`$FRAME+72`($sp)
-+ lwz $t4,`$FRAME+76`($sp)
-+
-+ addc $t6,$t6,$carry
-+ adde $t7,$t7,$c1
-+ stw $t2,-4($tp) ; tp[j]
-+ stw $t0,-8($tp)
-+ addc $t6,$t6,$ovf
-+ addze $t7,$t7
-+ srwi $carry,$t6,16
-+ insrwi $carry,$t7,16,0
-+ srwi $c1,$t7,16
-+ addc $t4,$t4,$carry
-+ adde $t5,$t5,$c1
-+
-+ insrwi $t6,$t4,16,0
-+ srwi $t4,$t4,16
-+ insrwi $t4,$t5,16,0
-+ srwi $ovf,$t5,16
-+ stw $t6,4($tp) ; tp[num-1]
-+ stw $t4,0($tp)
-+___
-+}
-+$code.=<<___;
- slwi $t7,$num,2
- addi $i,$i,8
- subf $nap_d,$t7,$nap_d ; rewind pointer
-@@ -994,14 +1528,14 @@ $code.=<<___ if ($SIZE_T==4);
- mtctr $j
-
- .align 4
--Lsub: ld $t0,8($tp) ; load tp[j..j+3] in 64-bit word order
-- ldu $t2,16($tp)
-+Lsub: lwz $t0,12($tp) ; load tp[j..j+3] in 64-bit word order
-+ lwz $t1,8($tp)
-+ lwz $t2,20($tp)
-+ lwzu $t3,16($tp)
- lwz $t4,4($np) ; load np[j..j+3] in 32-bit word order
- lwz $t5,8($np)
- lwz $t6,12($np)
- lwzu $t7,16($np)
-- extrdi $t1,$t0,32,0
-- extrdi $t3,$t2,32,0
- subfe $t4,$t4,$t0 ; tp[j]-np[j]
- stw $t0,4($ap) ; save tp[j..j+3] in 32-bit word order
- subfe $t5,$t5,$t1 ; tp[j+1]-np[j+1]
-@@ -1052,6 +1586,9 @@ ___
- $code.=<<___;
- $POP $i,0($sp)
- li r3,1 ; signal "handled"
-+ $POP r19,`-12*8-13*$SIZE_T`($i)
-+ $POP r20,`-12*8-12*$SIZE_T`($i)
-+ $POP r21,`-12*8-11*$SIZE_T`($i)
- $POP r22,`-12*8-10*$SIZE_T`($i)
- $POP r23,`-12*8-9*$SIZE_T`($i)
- $POP r24,`-12*8-8*$SIZE_T`($i)
-@@ -1077,8 +1614,9 @@ $code.=<<___;
- mr $sp,$i
- blr
- .long 0
-- .byte 0,12,4,0,0x8c,10,6,0
-+ .byte 0,12,4,0,0x8c,13,6,0
- .long 0
-+.size .$fname,.-.$fname
-
- .asciz "Montgomery Multiplication for PPC64, CRYPTOGAMS by <appro\@openssl.org>"
- ___
-diff -up openssl-1.0.1i/crypto/evp/e_aes.c.ppc-asm openssl-1.0.1i/crypto/evp/e_aes.c
---- openssl-1.0.1i/crypto/evp/e_aes.c.ppc-asm 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/crypto/evp/e_aes.c 2014-08-13 19:46:21.094578151 +0200
-@@ -153,6 +153,20 @@ void AES_xts_decrypt(const char *inp,cha
- const unsigned char iv[16]);
- #endif
-
-+#if defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
-+# include "ppc_arch.h"
-+# ifdef VPAES_ASM
-+# define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC)
-+# endif
-+# define HWAES_CAPABLE (OPENSSL_ppccap_P & PPC_CRYPTO207)
-+# define HWAES_set_encrypt_key aes_p8_set_encrypt_key
-+# define HWAES_set_decrypt_key aes_p8_set_decrypt_key
-+# define HWAES_encrypt aes_p8_encrypt
-+# define HWAES_decrypt aes_p8_decrypt
-+# define HWAES_cbc_encrypt aes_p8_cbc_encrypt
-+# define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
-+#endif
-+
- #if defined(AES_ASM) && !defined(I386_ONLY) && ( \
- ((defined(__i386) || defined(__i386__) || \
- defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
-diff -up openssl-1.0.1i/crypto/modes/asm/ghashp8-ppc.pl.ppc-asm openssl-1.0.1i/crypto/modes/asm/ghashp8-ppc.pl
---- openssl-1.0.1i/crypto/modes/asm/ghashp8-ppc.pl.ppc-asm 2014-08-13 19:46:21.095578174 +0200
-+++ openssl-1.0.1i/crypto/modes/asm/ghashp8-ppc.pl 2014-08-13 19:46:21.095578174 +0200
-@@ -0,0 +1,234 @@
-+#!/usr/bin/env perl
-+#
-+# ====================================================================
-+# Written by Andy Polyakov <appro at openssl.org> for the OpenSSL
-+# project. The module is, however, dual licensed under OpenSSL and
-+# CRYPTOGAMS licenses depending on where you obtain it. For further
-+# details see http://www.openssl.org/~appro/cryptogams/.
-+# ====================================================================
-+#
-+# GHASH for for PowerISA v2.07.
-+#
-+# July 2014
-+#
-+# Accurate performance measurements are problematic, because it's
-+# always virtualized setup with possibly throttled processor.
-+# Relative comparison is therefore more informative. This initial
-+# version is ~2.1x slower than hardware-assisted AES-128-CTR, ~12x
-+# faster than "4-bit" integer-only compiler-generated 64-bit code.
-+# "Initial version" means that there is room for futher improvement.
-+
-+$flavour=shift;
-+$output =shift;
-+
-+if ($flavour =~ /64/) {
-+ $SIZE_T=8;
-+ $LRSAVE=2*$SIZE_T;
-+ $STU="stdu";
-+ $POP="ld";
-+ $PUSH="std";
-+} elsif ($flavour =~ /32/) {
-+ $SIZE_T=4;
-+ $LRSAVE=$SIZE_T;
-+ $STU="stwu";
-+ $POP="lwz";
-+ $PUSH="stw";
-+} else { die "nonsense $flavour"; }
-+
-+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
-+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-+die "can't locate ppc-xlate.pl";
-+
-+open STDOUT,"| $^X $xlate $flavour $output" || die "can't call $xlate: $!";
-+
-+my ($Xip,$Htbl,$inp,$len)=map("r$_",(3..6)); # argument block
-+
-+my ($Xl,$Xm,$Xh,$IN)=map("v$_",(0..3));
-+my ($zero,$t0,$t1,$t2,$xC2,$H,$Hh,$Hl,$lemask)=map("v$_",(4..12));
-+my $vrsave="r12";
-+
-+$code=<<___;
-+.machine "any"
-+
-+.text
-+
-+.globl .gcm_init_p8
-+.align 5
-+.gcm_init_p8:
-+ lis r0,0xfff0
-+ li r8,0x10
-+ mfspr $vrsave,256
-+ li r9,0x20
-+ mtspr 256,r0
-+ li r10,0x30
-+ lvx_u $H,0,r4 # load H
-+
-+ vspltisb $xC2,-16 # 0xf0
-+ vspltisb $t0,1 # one
-+ vaddubm $xC2,$xC2,$xC2 # 0xe0
-+ vxor $zero,$zero,$zero
-+ vor $xC2,$xC2,$t0 # 0xe1
-+ vsldoi $xC2,$xC2,$zero,15 # 0xe1...
-+ vsldoi $t1,$zero,$t0,1 # ...1
-+ vaddubm $xC2,$xC2,$xC2 # 0xc2...
-+ vspltisb $t2,7
-+ vor $xC2,$xC2,$t1 # 0xc2....01
-+ vspltb $t1,$H,0 # most significant byte
-+ vsl $H,$H,$t0 # H<<=1
-+ vsrab $t1,$t1,$t2 # broadcast carry bit
-+ vand $t1,$t1,$xC2
-+ vxor $H,$H,$t1 # twisted H
-+
-+ vsldoi $H,$H,$H,8 # twist even more ...
-+ vsldoi $xC2,$zero,$xC2,8 # 0xc2.0
-+ vsldoi $Hl,$zero,$H,8 # ... and split
-+ vsldoi $Hh,$H,$zero,8
-+
-+ stvx_u $xC2,0,r3 # save pre-computed table
-+ stvx_u $Hl,r8,r3
-+ stvx_u $H, r9,r3
-+ stvx_u $Hh,r10,r3
-+
-+ mtspr 256,$vrsave
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,2,0
-+ .long 0
-+.size .gcm_init_p8,.-.gcm_init_p8
-+
-+.globl .gcm_gmult_p8
-+.align 5
-+.gcm_gmult_p8:
-+ lis r0,0xfff8
-+ li r8,0x10
-+ mfspr $vrsave,256
-+ li r9,0x20
-+ mtspr 256,r0
-+ li r10,0x30
-+ lvx_u $IN,0,$Xip # load Xi
-+
-+ lvx_u $Hl,r8,$Htbl # load pre-computed table
-+ le?lvsl $lemask,r0,r0
-+ lvx_u $H, r9,$Htbl
-+ le?vspltisb $t0,0x07
-+ lvx_u $Hh,r10,$Htbl
-+ le?vxor $lemask,$lemask,$t0
-+ lvx_u $xC2,0,$Htbl
-+ le?vperm $IN,$IN,$IN,$lemask
-+ vxor $zero,$zero,$zero
-+
-+ vpmsumd $Xl,$IN,$Hl # H.lo�Xi.lo
-+ vpmsumd $Xm,$IN,$H # H.hi�Xi.lo+H.lo�Xi.hi
-+ vpmsumd $Xh,$IN,$Hh # H.hi�Xi.hi
-+
-+ vpmsumd $t2,$Xl,$xC2 # 1st phase
-+
-+ vsldoi $t0,$Xm,$zero,8
-+ vsldoi $t1,$zero,$Xm,8
-+ vxor $Xl,$Xl,$t0
-+ vxor $Xh,$Xh,$t1
-+
-+ vsldoi $Xl,$Xl,$Xl,8
-+ vxor $Xl,$Xl,$t2
-+
-+ vsldoi $t1,$Xl,$Xl,8 # 2nd phase
-+ vpmsumd $Xl,$Xl,$xC2
-+ vxor $t1,$t1,$Xh
-+ vxor $Xl,$Xl,$t1
-+
-+ le?vperm $Xl,$Xl,$Xl,$lemask
-+ stvx_u $Xl,0,$Xip # write out Xi
-+
-+ mtspr 256,$vrsave
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,2,0
-+ .long 0
-+.size .gcm_gmult_p8,.-.gcm_gmult_p8
-+
-+.globl .gcm_ghash_p8
-+.align 5
-+.gcm_ghash_p8:
-+ lis r0,0xfff8
-+ li r8,0x10
-+ mfspr $vrsave,256
-+ li r9,0x20
-+ mtspr 256,r0
-+ li r10,0x30
-+ lvx_u $Xl,0,$Xip # load Xi
-+
-+ lvx_u $Hl,r8,$Htbl # load pre-computed table
-+ le?lvsl $lemask,r0,r0
-+ lvx_u $H, r9,$Htbl
-+ le?vspltisb $t0,0x07
-+ lvx_u $Hh,r10,$Htbl
-+ le?vxor $lemask,$lemask,$t0
-+ lvx_u $xC2,0,$Htbl
-+ le?vperm $Xl,$Xl,$Xl,$lemask
-+ vxor $zero,$zero,$zero
-+
-+ lvx_u $IN,0,$inp
-+ addi $inp,$inp,16
-+ subi $len,$len,16
-+ le?vperm $IN,$IN,$IN,$lemask
-+ vxor $IN,$IN,$Xl
-+ b Loop
-+
-+.align 5
-+Loop:
-+ subic $len,$len,16
-+ vpmsumd $Xl,$IN,$Hl # H.lo�Xi.lo
-+ subfe. r0,r0,r0 # borrow?-1:0
-+ vpmsumd $Xm,$IN,$H # H.hi�Xi.lo+H.lo�Xi.hi
-+ and r0,r0,$len
-+ vpmsumd $Xh,$IN,$Hh # H.hi�Xi.hi
-+ add $inp,$inp,r0
-+
-+ vpmsumd $t2,$Xl,$xC2 # 1st phase
-+
-+ vsldoi $t0,$Xm,$zero,8
-+ vsldoi $t1,$zero,$Xm,8
-+ vxor $Xl,$Xl,$t0
-+ vxor $Xh,$Xh,$t1
-+
-+ vsldoi $Xl,$Xl,$Xl,8
-+ vxor $Xl,$Xl,$t2
-+ lvx_u $IN,0,$inp
-+ addi $inp,$inp,16
-+
-+ vsldoi $t1,$Xl,$Xl,8 # 2nd phase
-+ vpmsumd $Xl,$Xl,$xC2
-+ le?vperm $IN,$IN,$IN,$lemask
-+ vxor $t1,$t1,$Xh
-+ vxor $IN,$IN,$t1
-+ vxor $IN,$IN,$Xl
-+ beq Loop # did $len-=16 borrow?
-+
-+ vxor $Xl,$Xl,$t1
-+ le?vperm $Xl,$Xl,$Xl,$lemask
-+ stvx_u $Xl,0,$Xip # write out Xi
-+
-+ mtspr 256,$vrsave
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,4,0
-+ .long 0
-+.size .gcm_ghash_p8,.-.gcm_ghash_p8
-+
-+.asciz "GHASH for PowerISA 2.07, CRYPTOGAMS by <appro\@openssl.org>"
-+.align 2
-+___
-+
-+foreach (split("\n",$code)) {
-+ if ($flavour =~ /le$/o) { # little-endian
-+ s/le\?//o or
-+ s/be\?/#be#/o;
-+ } else {
-+ s/le\?/#le#/o or
-+ s/be\?//o;
-+ }
-+ print $_,"\n";
-+}
-+
-+close STDOUT; # enforce flush
-diff -up openssl-1.0.1i/crypto/modes/gcm128.c.ppc-asm openssl-1.0.1i/crypto/modes/gcm128.c
---- openssl-1.0.1i/crypto/modes/gcm128.c.ppc-asm 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/crypto/modes/gcm128.c 2014-08-13 19:46:21.095578174 +0200
-@@ -671,6 +671,21 @@ void gcm_ghash_4bit_x86(u64 Xi[2],const
- void gcm_gmult_neon(u64 Xi[2],const u128 Htable[16]);
- void gcm_ghash_neon(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len);
- # endif
-+# elif defined(__sparc__) || defined(__sparc)
-+# include "sparc_arch.h"
-+# define GHASH_ASM_SPARC
-+# define GCM_FUNCREF_4BIT
-+extern unsigned int OPENSSL_sparcv9cap_P[];
-+void gcm_init_vis3(u128 Htable[16],const u64 Xi[2]);
-+void gcm_gmult_vis3(u64 Xi[2],const u128 Htable[16]);
-+void gcm_ghash_vis3(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len);
-+#elif defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
-+# include "ppc_arch.h"
-+# define GHASH_ASM_PPC
-+# define GCM_FUNCREF_4BIT
-+void gcm_init_p8(u128 Htable[16],const u64 Xi[2]);
-+void gcm_gmult_p8(u64 Xi[2],const u128 Htable[16]);
-+void gcm_ghash_p8(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len);
- # endif
- #endif
-
-@@ -745,6 +760,16 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *
- } else {
- gcm_init_4bit(ctx->Htable,ctx->H.u);
- ctx->gmult = gcm_gmult_4bit;
-+ ctx->ghash = gcm_ghash_4bit;
-+ }
-+# elif defined(GHASH_ASM_PPC)
-+ if (OPENSSL_ppccap_P & PPC_CRYPTO207) {
-+ gcm_init_p8(ctx->Htable,ctx->H.u);
-+ ctx->gmult = gcm_gmult_p8;
-+ ctx->ghash = gcm_ghash_p8;
-+ } else {
-+ gcm_init_4bit(ctx->Htable,ctx->H.u);
-+ ctx->gmult = gcm_gmult_4bit;
- ctx->ghash = gcm_ghash_4bit;
- }
- # else
-diff -up openssl-1.0.1i/crypto/modes/Makefile.ppc-asm openssl-1.0.1i/crypto/modes/Makefile
---- openssl-1.0.1i/crypto/modes/Makefile.ppc-asm 2014-08-13 19:48:28.435511100 +0200
-+++ openssl-1.0.1i/crypto/modes/Makefile 2014-08-13 19:48:04.641963082 +0200
-@@ -59,6 +59,8 @@ ghash-alpha.s: asm/ghash-alpha.pl
-
- ghash-parisc.s: asm/ghash-parisc.pl
- $(PERL) asm/ghash-parisc.pl $(PERLASM_SCHEME) $@
-+ghashp8-ppc.s: asm/ghashp8-ppc.pl
-+ $(PERL) asm/ghashp8-ppc.pl $(PERLASM_SCHEME) $@
-
- # GNU make "catch all"
- ghash-%.S: asm/ghash-%.pl; $(PERL) $< $(PERLASM_SCHEME) $@
-diff -up openssl-1.0.1i/crypto/perlasm/ppc-xlate.pl.ppc-asm openssl-1.0.1i/crypto/perlasm/ppc-xlate.pl
---- openssl-1.0.1i/crypto/perlasm/ppc-xlate.pl.ppc-asm 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/crypto/perlasm/ppc-xlate.pl 2014-08-13 19:46:21.095578174 +0200
-@@ -27,7 +27,8 @@ my $globl = sub {
- /osx/ && do { $name = "_$name";
- last;
- };
-- /linux.*32/ && do { $ret .= ".globl $name\n";
-+ /linux.*(32|64le)/
-+ && do { $ret .= ".globl $name\n";
- $ret .= ".type $name,\@function";
- last;
- };
-@@ -37,7 +38,6 @@ my $globl = sub {
- $ret .= ".align 3\n";
- $ret .= "$name:\n";
- $ret .= ".quad .$name,.TOC.\@tocbase,0\n";
-- $ret .= ".size $name,24\n";
- $ret .= ".previous\n";
-
- $name = ".$name";
-@@ -50,7 +50,9 @@ my $globl = sub {
- $ret;
- };
- my $text = sub {
-- ($flavour =~ /aix/) ? ".csect" : ".text";
-+ my $ret = ($flavour =~ /aix/) ? ".csect\t.text[PR],7" : ".text";
-+ $ret = ".abiversion 2\n".$ret if ($flavour =~ /linux.*64le/);
-+ $ret;
- };
- my $machine = sub {
- my $junk = shift;
-@@ -62,9 +64,12 @@ my $machine = sub {
- ".machine $arch";
- };
- my $size = sub {
-- if ($flavour =~ /linux.*32/)
-+ if ($flavour =~ /linux/)
- { shift;
-- ".size " . join(",", at _);
-+ my $name = shift; $name =~ s|^[\.\_]||;
-+ my $ret = ".size $name,.-".($flavour=~/64$/?".":"").$name;
-+ $ret .= "\n.size .$name,.-.$name" if ($flavour=~/64$/);
-+ $ret;
- }
- else
- { ""; }
-@@ -77,6 +82,25 @@ my $asciz = sub {
- else
- { ""; }
- };
-+my $quad = sub {
-+ shift;
-+ my @ret;
-+ my ($hi,$lo);
-+ for (@_) {
-+ if (/^0x([0-9a-f]*?)([0-9a-f]{1,8})$/io)
-+ { $hi=$1?"0x$1":"0"; $lo="0x$2"; }
-+ elsif (/^([0-9]+)$/o)
-+ { $hi=$1>>32; $lo=$1&0xffffffff; } # error-prone with 32-bit perl
-+ else
-+ { $hi=undef; $lo=$_; }
-+
-+ if (defined($hi))
-+ { push(@ret,$flavour=~/le$/o?".long\t$lo,$hi":".long\t$hi,$lo"); }
-+ else
-+ { push(@ret,".quad $lo"); }
-+ }
-+ join("\n", at ret);
-+};
-
- ################################################################
- # simplified mnemonics not handled by at least one assembler
-@@ -122,6 +146,46 @@ my $extrdi = sub {
- $b = ($b+$n)&63; $n = 64-$n;
- " rldicl $ra,$rs,$b,$n";
- };
-+my $vmr = sub {
-+ my ($f,$vx,$vy) = @_;
-+ " vor $vx,$vy,$vy";
-+};
-+
-+# PowerISA 2.06 stuff
-+sub vsxmem_op {
-+ my ($f, $vrt, $ra, $rb, $op) = @_;
-+ " .long ".sprintf "0x%X",(31<<26)|($vrt<<21)|($ra<<16)|($rb<<11)|($op*2+1);
-+}
-+# made-up unaligned memory reference AltiVec/VMX instructions
-+my $lvx_u = sub { vsxmem_op(@_, 844); }; # lxvd2x
-+my $stvx_u = sub { vsxmem_op(@_, 972); }; # stxvd2x
-+my $lvdx_u = sub { vsxmem_op(@_, 588); }; # lxsdx
-+my $stvdx_u = sub { vsxmem_op(@_, 716); }; # stxsdx
-+my $lvx_4w = sub { vsxmem_op(@_, 780); }; # lxvw4x
-+my $stvx_4w = sub { vsxmem_op(@_, 908); }; # stxvw4x
-+
-+# PowerISA 2.07 stuff
-+sub vcrypto_op {
-+ my ($f, $vrt, $vra, $vrb, $op) = @_;
-+ " .long ".sprintf "0x%X",(4<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|$op;
-+}
-+my $vcipher = sub { vcrypto_op(@_, 1288); };
-+my $vcipherlast = sub { vcrypto_op(@_, 1289); };
-+my $vncipher = sub { vcrypto_op(@_, 1352); };
-+my $vncipherlast= sub { vcrypto_op(@_, 1353); };
-+my $vsbox = sub { vcrypto_op(@_, 0, 1480); };
-+my $vshasigmad = sub { my ($st,$six)=splice(@_,-2); vcrypto_op(@_, $st<<4|$six, 1730); };
-+my $vshasigmaw = sub { my ($st,$six)=splice(@_,-2); vcrypto_op(@_, $st<<4|$six, 1666); };
-+my $vpmsumb = sub { vcrypto_op(@_, 1032); };
-+my $vpmsumd = sub { vcrypto_op(@_, 1224); };
-+my $vpmsubh = sub { vcrypto_op(@_, 1096); };
-+my $vpmsumw = sub { vcrypto_op(@_, 1160); };
-+my $vaddudm = sub { vcrypto_op(@_, 192); };
-+
-+my $mtsle = sub {
-+ my ($f, $arg) = @_;
-+ " .long ".sprintf "0x%X",(31<<26)|($arg<<21)|(147*2);
-+};
-
- while($line=<>) {
-
-@@ -138,7 +202,10 @@ while($line=<>) {
- {
- $line =~ s|(^[\.\w]+)\:\s*||;
- my $label = $1;
-- printf "%s:",($GLOBALS{$label} or $label) if ($label);
-+ if ($label) {
-+ printf "%s:",($GLOBALS{$label} or $label);
-+ printf "\n.localentry\t$GLOBALS{$label},0" if ($GLOBALS{$label} && $flavour =~ /linux.*64le/);
-+ }
- }
-
- {
-@@ -147,7 +214,7 @@ while($line=<>) {
- my $mnemonic = $2;
- my $f = $3;
- my $opcode = eval("\$$mnemonic");
-- $line =~ s|\bc?[rf]([0-9]+)\b|$1|g if ($c ne "." and $flavour !~ /osx/);
-+ $line =~ s/\b(c?[rf]|v|vs)([0-9]+)\b/$2/g if ($c ne "." and $flavour !~ /osx/);
- if (ref($opcode) eq 'CODE') { $line = &$opcode($f,split(',',$line)); }
- elsif ($mnemonic) { $line = $c.$mnemonic.$f."\t".$line; }
- }
-diff -up openssl-1.0.1i/crypto/ppc_arch.h.ppc-asm openssl-1.0.1i/crypto/ppc_arch.h
---- openssl-1.0.1i/crypto/ppc_arch.h.ppc-asm 2014-08-13 19:46:21.095578174 +0200
-+++ openssl-1.0.1i/crypto/ppc_arch.h 2014-08-13 19:46:21.095578174 +0200
-@@ -0,0 +1,10 @@
-+#ifndef __PPC_ARCH_H__
-+#define __PPC_ARCH_H__
-+
-+extern unsigned int OPENSSL_ppccap_P;
-+
-+#define PPC_FPU64 (1<<0)
-+#define PPC_ALTIVEC (1<<1)
-+#define PPC_CRYPTO207 (1<<2)
-+
-+#endif
-diff -up openssl-1.0.1i/crypto/ppccap.c.ppc-asm openssl-1.0.1i/crypto/ppccap.c
---- openssl-1.0.1i/crypto/ppccap.c.ppc-asm 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/crypto/ppccap.c 2014-08-13 19:46:21.095578174 +0200
-@@ -4,13 +4,15 @@
- #include <setjmp.h>
- #include <signal.h>
- #include <unistd.h>
-+#if defined(__linux) || defined(_AIX)
-+#include <sys/utsname.h>
-+#endif
- #include <crypto.h>
- #include <openssl/bn.h>
-
--#define PPC_FPU64 (1<<0)
--#define PPC_ALTIVEC (1<<1)
-+#include "ppc_arch.h"
-
--static int OPENSSL_ppccap_P = 0;
-+unsigned int OPENSSL_ppccap_P = 0;
-
- static sigset_t all_masked;
-
-@@ -22,7 +24,7 @@ int bn_mul_mont(BN_ULONG *rp, const BN_U
-
- if (sizeof(size_t)==4)
- {
--#if (defined(__APPLE__) && defined(__MACH__))
-+#if 1 || (defined(__APPLE__) && defined(__MACH__))
- if (num>=8 && (num&3)==0 && (OPENSSL_ppccap_P&PPC_FPU64))
- return bn_mul_mont_fpu64(rp,ap,bp,np,n0,num);
- #else
-@@ -50,11 +52,28 @@ int bn_mul_mont(BN_ULONG *rp, const BN_U
- }
- #endif
-
-+void sha256_block_p8(void *ctx,const void *inp,size_t len);
-+void sha256_block_ppc(void *ctx,const void *inp,size_t len);
-+void sha256_block_data_order(void *ctx,const void *inp,size_t len)
-+ {
-+ OPENSSL_ppccap_P&PPC_CRYPTO207? sha256_block_p8(ctx,inp,len):
-+ sha256_block_ppc(ctx,inp,len);
-+ }
-+
-+void sha512_block_p8(void *ctx,const void *inp,size_t len);
-+void sha512_block_ppc(void *ctx,const void *inp,size_t len);
-+void sha512_block_data_order(void *ctx,const void *inp,size_t len)
-+ {
-+ OPENSSL_ppccap_P&PPC_CRYPTO207? sha512_block_p8(ctx,inp,len):
-+ sha512_block_ppc(ctx,inp,len);
-+ }
-+
- static sigjmp_buf ill_jmp;
- static void ill_handler (int sig) { siglongjmp(ill_jmp,sig); }
-
- void OPENSSL_ppc64_probe(void);
- void OPENSSL_altivec_probe(void);
-+void OPENSSL_crypto207_probe(void);
-
- void OPENSSL_cpuid_setup(void)
- {
-@@ -85,12 +104,14 @@ void OPENSSL_cpuid_setup(void)
- OPENSSL_ppccap_P = 0;
-
- #if defined(_AIX)
-- if (sizeof(size_t)==4
-+ if (sizeof(size_t)==4)
-+ {
-+ struct utsname uts;
- # if defined(_SC_AIX_KERNEL_BITMODE)
-- && sysconf(_SC_AIX_KERNEL_BITMODE)!=64
-+ if (sysconf(_SC_AIX_KERNEL_BITMODE)!=64) return;
- # endif
-- )
-- return;
-+ if (uname(&uts)!=0 || atoi(uts.version)<6) return;
-+ }
- #endif
-
- memset(&ill_act,0,sizeof(ill_act));
-@@ -102,6 +123,10 @@ void OPENSSL_cpuid_setup(void)
-
- if (sizeof(size_t)==4)
- {
-+#ifdef __linux
-+ struct utsname uts;
-+ if (uname(&uts)==0 && strcmp(uts.machine,"ppc64")==0)
-+#endif
- if (sigsetjmp(ill_jmp,1) == 0)
- {
- OPENSSL_ppc64_probe();
-@@ -119,6 +144,11 @@ void OPENSSL_cpuid_setup(void)
- {
- OPENSSL_altivec_probe();
- OPENSSL_ppccap_P |= PPC_ALTIVEC;
-+ if (sigsetjmp(ill_jmp,1) == 0)
-+ {
-+ OPENSSL_crypto207_probe();
-+ OPENSSL_ppccap_P |= PPC_CRYPTO207;
-+ }
- }
-
- sigaction (SIGILL,&ill_oact,NULL);
-diff -up openssl-1.0.1i/crypto/ppccpuid.pl.ppc-asm openssl-1.0.1i/crypto/ppccpuid.pl
---- openssl-1.0.1i/crypto/ppccpuid.pl.ppc-asm 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/crypto/ppccpuid.pl 2014-08-13 19:46:21.096578196 +0200
-@@ -31,6 +31,7 @@ $code=<<___;
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size .OPENSSL_ppc64_probe,.-.OPENSSL_ppc64_probe
-
- .globl .OPENSSL_altivec_probe
- .align 4
-@@ -39,6 +40,17 @@ $code=<<___;
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size .OPENSSL_altivec_probe,.-..OPENSSL_altivec_probe
-+
-+.globl .OPENSSL_crypto207_probe
-+.align 4
-+.OPENSSL_crypto207_probe:
-+ lvx_u v0,0,r1
-+ vcipher v0,v0,v0
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+.size .OPENSSL_crypto207_probe,.-.OPENSSL_crypto207_probe
-
- .globl .OPENSSL_wipe_cpu
- .align 4
-@@ -71,6 +83,7 @@ $code=<<___;
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size .OPENSSL_wipe_cpu,.-.OPENSSL_wipe_cpu
-
- .globl .OPENSSL_atomic_add
- .align 4
-@@ -84,6 +97,7 @@ Ladd: lwarx r5,0,r3
- .long 0
- .byte 0,12,0x14,0,0,0,2,0
- .long 0
-+.size .OPENSSL_atomic_add,.-.OPENSSL_atomic_add
-
- .globl .OPENSSL_rdtsc
- .align 4
-@@ -93,6 +107,7 @@ Ladd: lwarx r5,0,r3
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size .OPENSSL_rdtsc,.-.OPENSSL_rdtsc
-
- .globl .OPENSSL_cleanse
- .align 4
-@@ -125,7 +140,99 @@ Laligned:
- .long 0
- .byte 0,12,0x14,0,0,0,2,0
- .long 0
-+.size .OPENSSL_cleanse,.-.OPENSSL_cleanse
-+___
-+{
-+my ($out,$cnt,$max)=("r3","r4","r5");
-+my ($tick,$lasttick)=("r6","r7");
-+my ($diff,$lastdiff)=("r8","r9");
-+
-+$code.=<<___;
-+.globl .OPENSSL_instrument_bus
-+.align 4
-+.OPENSSL_instrument_bus:
-+ mtctr $cnt
-+
-+ mftb $lasttick # collect 1st tick
-+ li $diff,0
-+
-+ dcbf 0,$out # flush cache line
-+ lwarx $tick,0,$out # load and lock
-+ add $tick,$tick,$diff
-+ stwcx. $tick,0,$out
-+ stwx $tick,0,$out
-+
-+Loop: mftb $tick
-+ sub $diff,$tick,$lasttick
-+ mr $lasttick,$tick
-+ dcbf 0,$out # flush cache line
-+ lwarx $tick,0,$out # load and lock
-+ add $tick,$tick,$diff
-+ stwcx. $tick,0,$out
-+ stwx $tick,0,$out
-+ addi $out,$out,4 # ++$out
-+ bdnz Loop
-+
-+ mr r3,$cnt
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,2,0
-+ .long 0
-+.size .OPENSSL_instrument_bus,.-.OPENSSL_instrument_bus
-+
-+.globl .OPENSSL_instrument_bus2
-+.align 4
-+.OPENSSL_instrument_bus2:
-+ mr r0,$cnt
-+ slwi $cnt,$cnt,2
-+
-+ mftb $lasttick # collect 1st tick
-+ li $diff,0
-+
-+ dcbf 0,$out # flush cache line
-+ lwarx $tick,0,$out # load and lock
-+ add $tick,$tick,$diff
-+ stwcx. $tick,0,$out
-+ stwx $tick,0,$out
-+
-+ mftb $tick # collect 1st diff
-+ sub $diff,$tick,$lasttick
-+ mr $lasttick,$tick
-+ mr $lastdiff,$diff
-+Loop2:
-+ dcbf 0,$out # flush cache line
-+ lwarx $tick,0,$out # load and lock
-+ add $tick,$tick,$diff
-+ stwcx. $tick,0,$out
-+ stwx $tick,0,$out
-+
-+ addic. $max,$max,-1
-+ beq Ldone2
-+
-+ mftb $tick
-+ sub $diff,$tick,$lasttick
-+ mr $lasttick,$tick
-+ cmplw 7,$diff,$lastdiff
-+ mr $lastdiff,$diff
-+
-+ mfcr $tick # pull cr
-+ not $tick,$tick # flip bits
-+ rlwinm $tick,$tick,1,29,29 # isolate flipped eq bit and scale
-+
-+ sub. $cnt,$cnt,$tick # conditional --$cnt
-+ add $out,$out,$tick # conditional ++$out
-+ bne Loop2
-+
-+Ldone2:
-+ srwi $cnt,$cnt,2
-+ sub r3,r0,$cnt
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,3,0
-+ .long 0
-+.size .OPENSSL_instrument_bus2,.-.OPENSSL_instrument_bus2
- ___
-+}
-
- $code =~ s/\`([^\`]*)\`/eval $1/gem;
- print $code;
-diff -up openssl-1.0.1i/crypto/sha/asm/sha1-ppc.pl.ppc-asm openssl-1.0.1i/crypto/sha/asm/sha1-ppc.pl
---- openssl-1.0.1i/crypto/sha/asm/sha1-ppc.pl.ppc-asm 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/crypto/sha/asm/sha1-ppc.pl 2014-08-13 19:46:21.096578196 +0200
-@@ -9,8 +9,7 @@
-
- # I let hardware handle unaligned input(*), except on page boundaries
- # (see below for details). Otherwise straightforward implementation
--# with X vector in register bank. The module is big-endian [which is
--# not big deal as there're no little-endian targets left around].
-+# with X vector in register bank.
- #
- # (*) this means that this module is inappropriate for PPC403? Does
- # anybody know if pre-POWER3 can sustain unaligned load?
-@@ -38,6 +37,10 @@ if ($flavour =~ /64/) {
- $PUSH ="stw";
- } else { die "nonsense $flavour"; }
-
-+# Define endianess based on flavour
-+# i.e.: linux64le
-+$LITTLE_ENDIAN = ($flavour=~/le$/) ? $SIZE_T : 0;
-+
- $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
- ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
- ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-@@ -68,14 +71,28 @@ $T ="r12";
- @X=("r16","r17","r18","r19","r20","r21","r22","r23",
- "r24","r25","r26","r27","r28","r29","r30","r31");
-
-+sub loadbe {
-+my ($dst, $src, $temp_reg) = @_;
-+$code.=<<___ if (!$LITTLE_ENDIAN);
-+ lwz $dst,$src
-+___
-+$code.=<<___ if ($LITTLE_ENDIAN);
-+ lwz $temp_reg,$src
-+ rotlwi $dst,$temp_reg,8
-+ rlwimi $dst,$temp_reg,24,0,7
-+ rlwimi $dst,$temp_reg,24,16,23
-+___
-+}
-+
- sub BODY_00_19 {
- my ($i,$a,$b,$c,$d,$e,$f)=@_;
- my $j=$i+1;
--$code.=<<___ if ($i==0);
-- lwz @X[$i],`$i*4`($inp)
--___
-+
-+ # Since the last value of $f is discarded, we can use
-+ # it as a temp reg to swap byte-order when needed.
-+ loadbe("@X[$i]","`$i*4`($inp)",$f) if ($i==0);
-+ loadbe("@X[$j]","`$j*4`($inp)",$f) if ($i<15);
- $code.=<<___ if ($i<15);
-- lwz @X[$j],`$j*4`($inp)
- add $f,$K,$e
- rotlwi $e,$a,5
- add $f,$f, at X[$i]
-@@ -108,31 +125,31 @@ my ($i,$a,$b,$c,$d,$e,$f)=@_;
- my $j=$i+1;
- $code.=<<___ if ($i<79);
- add $f,$K,$e
-+ xor $t0,$b,$d
- rotlwi $e,$a,5
- xor @X[$j%16], at X[$j%16], at X[($j+2)%16]
- add $f,$f, at X[$i%16]
-- xor $t0,$b,$c
-+ xor $t0,$t0,$c
- xor @X[$j%16], at X[$j%16], at X[($j+8)%16]
-- add $f,$f,$e
-+ add $f,$f,$t0
- rotlwi $b,$b,30
-- xor $t0,$t0,$d
- xor @X[$j%16], at X[$j%16], at X[($j+13)%16]
-- add $f,$f,$t0
-+ add $f,$f,$e
- rotlwi @X[$j%16], at X[$j%16],1
- ___
- $code.=<<___ if ($i==79);
- add $f,$K,$e
-+ xor $t0,$b,$d
- rotlwi $e,$a,5
- lwz r16,0($ctx)
- add $f,$f, at X[$i%16]
-- xor $t0,$b,$c
-+ xor $t0,$t0,$c
- lwz r17,4($ctx)
-- add $f,$f,$e
-+ add $f,$f,$t0
- rotlwi $b,$b,30
- lwz r18,8($ctx)
-- xor $t0,$t0,$d
- lwz r19,12($ctx)
-- add $f,$f,$t0
-+ add $f,$f,$e
- lwz r20,16($ctx)
- ___
- }
-@@ -316,6 +333,7 @@ $code.=<<___;
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size .sha1_block_data_order,.-.sha1_block_data_order
- ___
- $code.=<<___;
- .asciz "SHA1 block transform for PPC, CRYPTOGAMS by <appro\@fy.chalmers.se>"
-diff -up openssl-1.0.1i/crypto/sha/asm/sha512-ppc.pl.ppc-asm openssl-1.0.1i/crypto/sha/asm/sha512-ppc.pl
---- openssl-1.0.1i/crypto/sha/asm/sha512-ppc.pl.ppc-asm 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/crypto/sha/asm/sha512-ppc.pl 2014-08-13 19:46:21.096578196 +0200
-@@ -1,7 +1,7 @@
- #!/usr/bin/env perl
-
- # ====================================================================
--# Written by Andy Polyakov <appro at fy.chalmers.se> for the OpenSSL
-+# Written by Andy Polyakov <appro at openssl.org> for the OpenSSL
- # project. The module is, however, dual licensed under OpenSSL and
- # CRYPTOGAMS licenses depending on where you obtain it. For further
- # details see http://www.openssl.org/~appro/cryptogams/.
-@@ -9,8 +9,7 @@
-
- # I let hardware handle unaligned input, except on page boundaries
- # (see below for details). Otherwise straightforward implementation
--# with X vector in register bank. The module is big-endian [which is
--# not big deal as there're no little-endian targets left around].
-+# with X vector in register bank.
-
- # sha256 | sha512
- # -m64 -m32 | -m64 -m32
-@@ -56,6 +55,8 @@ if ($flavour =~ /64/) {
- $PUSH="stw";
- } else { die "nonsense $flavour"; }
-
-+$LITTLE_ENDIAN = ($flavour=~/le$/) ? $SIZE_T : 0;
-+
- $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
- ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
- ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-@@ -64,7 +65,7 @@ die "can't locate ppc-xlate.pl";
- open STDOUT,"| $^X $xlate $flavour $output" || die "can't call $xlate: $!";
-
- if ($output =~ /512/) {
-- $func="sha512_block_data_order";
-+ $func="sha512_block_ppc";
- $SZ=8;
- @Sigma0=(28,34,39);
- @Sigma1=(14,18,41);
-@@ -76,7 +77,7 @@ if ($output =~ /512/) {
- $ROR="rotrdi";
- $SHR="srdi";
- } else {
-- $func="sha256_block_data_order";
-+ $func="sha256_block_ppc";
- $SZ=4;
- @Sigma0=( 2,13,22);
- @Sigma1=( 6,11,25);
-@@ -110,7 +111,7 @@ $B ="r9";
- $C ="r10";
- $D ="r11";
- $E ="r12";
--$F ="r13"; $F="r2" if ($SIZE_T==8);# reassigned to exempt TLS pointer
-+$F =$t1; $t1 = "r0"; # stay away from "r13";
- $G ="r14";
- $H ="r15";
-
-@@ -118,24 +119,23 @@ $H ="r15";
- @X=("r16","r17","r18","r19","r20","r21","r22","r23",
- "r24","r25","r26","r27","r28","r29","r30","r31");
-
--$inp="r31"; # reassigned $inp! aliases with @X[15]
-+$inp="r31" if($SZ==4 || $SIZE_T==8); # reassigned $inp! aliases with @X[15]
-
- sub ROUND_00_15 {
- my ($i,$a,$b,$c,$d,$e,$f,$g,$h)=@_;
- $code.=<<___;
-- $LD $T,`$i*$SZ`($Tbl)
- $ROR $a0,$e,$Sigma1[0]
- $ROR $a1,$e,$Sigma1[1]
- and $t0,$f,$e
-- andc $t1,$g,$e
-- add $T,$T,$h
- xor $a0,$a0,$a1
-+ add $h,$h,$t1
-+ andc $t1,$g,$e
- $ROR $a1,$a1,`$Sigma1[2]-$Sigma1[1]`
- or $t0,$t0,$t1 ; Ch(e,f,g)
-- add $T,$T, at X[$i]
-+ add $h,$h, at X[$i%16]
- xor $a0,$a0,$a1 ; Sigma1(e)
-- add $T,$T,$t0
-- add $T,$T,$a0
-+ add $h,$h,$t0
-+ add $h,$h,$a0
-
- $ROR $a0,$a,$Sigma0[0]
- $ROR $a1,$a,$Sigma0[1]
-@@ -146,9 +146,14 @@ $code.=<<___;
- xor $t0,$t0,$t1
- and $t1,$b,$c
- xor $a0,$a0,$a1 ; Sigma0(a)
-- add $d,$d,$T
-+ add $d,$d,$h
- xor $t0,$t0,$t1 ; Maj(a,b,c)
-- add $h,$T,$a0
-+___
-+$code.=<<___ if ($i<15);
-+ $LD $t1,`($i+1)*$SZ`($Tbl)
-+___
-+$code.=<<___;
-+ add $h,$h,$a0
- add $h,$h,$t0
-
- ___
-@@ -169,10 +174,11 @@ $code.=<<___;
- add @X[$i], at X[$i], at X[($i+9)%16]
- xor $a0,$a0,$a1 ; sigma0(X[(i+1)&0x0f])
- xor $t0,$t0,$t1 ; sigma1(X[(i+14)&0x0f])
-+ $LD $t1,`$i*$SZ`($Tbl)
- add @X[$i], at X[$i],$a0
- add @X[$i], at X[$i],$t0
- ___
--&ROUND_00_15($i,$a,$b,$c,$d,$e,$f,$g,$h);
-+&ROUND_00_15($i+16,$a,$b,$c,$d,$e,$f,$g,$h);
- }
-
- $code=<<___;
-@@ -188,8 +194,6 @@ $func:
-
- $PUSH $ctx,`$FRAME-$SIZE_T*22`($sp)
-
-- $PUSH $toc,`$FRAME-$SIZE_T*20`($sp)
-- $PUSH r13,`$FRAME-$SIZE_T*19`($sp)
- $PUSH r14,`$FRAME-$SIZE_T*18`($sp)
- $PUSH r15,`$FRAME-$SIZE_T*17`($sp)
- $PUSH r16,`$FRAME-$SIZE_T*16`($sp)
-@@ -209,7 +213,10 @@ $func:
- $PUSH r30,`$FRAME-$SIZE_T*2`($sp)
- $PUSH r31,`$FRAME-$SIZE_T*1`($sp)
- $PUSH r0,`$FRAME+$LRSAVE`($sp)
-+___
-
-+if ($SZ==4 || $SIZE_T==8) {
-+$code.=<<___;
- $LD $A,`0*$SZ`($ctx)
- mr $inp,r4 ; incarnate $inp
- $LD $B,`1*$SZ`($ctx)
-@@ -219,7 +226,16 @@ $func:
- $LD $F,`5*$SZ`($ctx)
- $LD $G,`6*$SZ`($ctx)
- $LD $H,`7*$SZ`($ctx)
-+___
-+} else {
-+ for ($i=16;$i<32;$i++) {
-+ $code.=<<___;
-+ lwz r$i,`$LITTLE_ENDIAN^(4*($i-16))`($ctx)
-+___
-+ }
-+}
-
-+$code.=<<___;
- bl LPICmeup
- LPICedup:
- andi. r0,$inp,3
-@@ -255,6 +271,9 @@ Lunaligned:
- Lcross_page:
- li $t1,`16*$SZ/4`
- mtctr $t1
-+___
-+if ($SZ==4 || $SIZE_T==8) {
-+$code.=<<___;
- addi r20,$sp,$LOCALS ; aligned spot below the frame
- Lmemcpy:
- lbz r16,0($inp)
-@@ -268,7 +287,26 @@ Lmemcpy:
- stb r19,3(r20)
- addi r20,r20,4
- bdnz Lmemcpy
-+___
-+} else {
-+$code.=<<___;
-+ addi r12,$sp,$LOCALS ; aligned spot below the frame
-+Lmemcpy:
-+ lbz r8,0($inp)
-+ lbz r9,1($inp)
-+ lbz r10,2($inp)
-+ lbz r11,3($inp)
-+ addi $inp,$inp,4
-+ stb r8,0(r12)
-+ stb r9,1(r12)
-+ stb r10,2(r12)
-+ stb r11,3(r12)
-+ addi r12,r12,4
-+ bdnz Lmemcpy
-+___
-+}
-
-+$code.=<<___;
- $PUSH $inp,`$FRAME-$SIZE_T*26`($sp) ; save real inp
- addi $t1,$sp,`$LOCALS+16*$SZ` ; fictitious end pointer
- addi $inp,$sp,$LOCALS ; fictitious inp pointer
-@@ -283,8 +321,6 @@ Lmemcpy:
-
- Ldone:
- $POP r0,`$FRAME+$LRSAVE`($sp)
-- $POP $toc,`$FRAME-$SIZE_T*20`($sp)
-- $POP r13,`$FRAME-$SIZE_T*19`($sp)
- $POP r14,`$FRAME-$SIZE_T*18`($sp)
- $POP r15,`$FRAME-$SIZE_T*17`($sp)
- $POP r16,`$FRAME-$SIZE_T*16`($sp)
-@@ -309,27 +345,48 @@ Ldone:
- .long 0
- .byte 0,12,4,1,0x80,18,3,0
- .long 0
-+___
-
-+if ($SZ==4 || $SIZE_T==8) {
-+$code.=<<___;
- .align 4
- Lsha2_block_private:
-+ $LD $t1,0($Tbl)
- ___
- for($i=0;$i<16;$i++) {
--$code.=<<___ if ($SZ==4);
-+$code.=<<___ if ($SZ==4 && !$LITTLE_ENDIAN);
- lwz @X[$i],`$i*$SZ`($inp)
- ___
-+$code.=<<___ if ($SZ==4 && $LITTLE_ENDIAN);
-+ lwz $a0,`$i*$SZ`($inp)
-+ rotlwi @X[$i],$a0,8
-+ rlwimi @X[$i],$a0,24,0,7
-+ rlwimi @X[$i],$a0,24,16,23
-+___
- # 64-bit loads are split to 2x32-bit ones, as CPU can't handle
- # unaligned 64-bit loads, only 32-bit ones...
--$code.=<<___ if ($SZ==8);
-+$code.=<<___ if ($SZ==8 && !$LITTLE_ENDIAN);
- lwz $t0,`$i*$SZ`($inp)
- lwz @X[$i],`$i*$SZ+4`($inp)
- insrdi @X[$i],$t0,32,0
- ___
-+$code.=<<___ if ($SZ==8 && $LITTLE_ENDIAN);
-+ lwz $a0,`$i*$SZ`($inp)
-+ lwz $a1,`$i*$SZ+4`($inp)
-+ rotlwi $t0,$a0,8
-+ rotlwi @X[$i],$a1,8
-+ rlwimi $t0,$a0,24,0,7
-+ rlwimi @X[$i],$a1,24,0,7
-+ rlwimi $t0,$a0,24,16,23
-+ rlwimi @X[$i],$a1,24,16,23
-+ insrdi @X[$i],$t0,32,0
-+___
- &ROUND_00_15($i, at V);
- unshift(@V,pop(@V));
- }
- $code.=<<___;
-- li $T,`$rounds/16-1`
-- mtctr $T
-+ li $t0,`$rounds/16-1`
-+ mtctr $t0
- .align 4
- Lrounds:
- addi $Tbl,$Tbl,`16*$SZ`
-@@ -377,7 +434,282 @@ $code.=<<___;
- blr
- .long 0
- .byte 0,12,0x14,0,0,0,0,0
-+.size $func,.-$func
-+___
-+} else {
-+########################################################################
-+# SHA512 for PPC32, X vector is off-loaded to stack...
-+#
-+# | sha512
-+# | -m32
-+# ----------------------+-----------------------
-+# PPC74x0,gcc-4.0.1 | +48%
-+# POWER6,gcc-4.4.6 | +124%(*)
-+# POWER7,gcc-4.4.6 | +79%(*)
-+# e300,gcc-4.1.0 | +167%
-+#
-+# (*) ~1/3 of -m64 result [and ~20% better than -m32 code generated
-+# by xlc-12.1]
-+
-+my $XOFF=$LOCALS;
-+
-+my @V=map("r$_",(16..31)); # A..H
-+
-+my ($s0,$s1,$t0,$t1,$t2,$t3,$a0,$a1,$a2,$a3)=map("r$_",(0,5,6,8..12,14,15));
-+my ($x0,$x1)=("r3","r4"); # zaps $ctx and $inp
-+
-+sub ROUND_00_15_ppc32 {
-+my ($i, $ahi,$alo,$bhi,$blo,$chi,$clo,$dhi,$dlo,
-+ $ehi,$elo,$fhi,$flo,$ghi,$glo,$hhi,$hlo)=@_;
-+
-+$code.=<<___;
-+ lwz $t2,`$SZ*($i%16)+($LITTLE_ENDIAN^4)`($Tbl)
-+ xor $a0,$flo,$glo
-+ lwz $t3,`$SZ*($i%16)+($LITTLE_ENDIAN^0)`($Tbl)
-+ xor $a1,$fhi,$ghi
-+ addc $hlo,$hlo,$t0 ; h+=x[i]
-+ stw $t0,`$XOFF+0+$SZ*($i%16)`($sp) ; save x[i]
-+
-+ srwi $s0,$elo,$Sigma1[0]
-+ srwi $s1,$ehi,$Sigma1[0]
-+ and $a0,$a0,$elo
-+ adde $hhi,$hhi,$t1
-+ and $a1,$a1,$ehi
-+ stw $t1,`$XOFF+4+$SZ*($i%16)`($sp)
-+ srwi $t0,$elo,$Sigma1[1]
-+ srwi $t1,$ehi,$Sigma1[1]
-+ addc $hlo,$hlo,$t2 ; h+=K512[i]
-+ insrwi $s0,$ehi,$Sigma1[0],0
-+ insrwi $s1,$elo,$Sigma1[0],0
-+ xor $a0,$a0,$glo ; Ch(e,f,g)
-+ adde $hhi,$hhi,$t3
-+ xor $a1,$a1,$ghi
-+ insrwi $t0,$ehi,$Sigma1[1],0
-+ insrwi $t1,$elo,$Sigma1[1],0
-+ addc $hlo,$hlo,$a0 ; h+=Ch(e,f,g)
-+ srwi $t2,$ehi,$Sigma1[2]-32
-+ srwi $t3,$elo,$Sigma1[2]-32
-+ xor $s0,$s0,$t0
-+ xor $s1,$s1,$t1
-+ insrwi $t2,$elo,$Sigma1[2]-32,0
-+ insrwi $t3,$ehi,$Sigma1[2]-32,0
-+ xor $a0,$alo,$blo ; a^b, b^c in next round
-+ adde $hhi,$hhi,$a1
-+ xor $a1,$ahi,$bhi
-+ xor $s0,$s0,$t2 ; Sigma1(e)
-+ xor $s1,$s1,$t3
-+
-+ srwi $t0,$alo,$Sigma0[0]
-+ and $a2,$a2,$a0
-+ addc $hlo,$hlo,$s0 ; h+=Sigma1(e)
-+ and $a3,$a3,$a1
-+ srwi $t1,$ahi,$Sigma0[0]
-+ srwi $s0,$ahi,$Sigma0[1]-32
-+ adde $hhi,$hhi,$s1
-+ srwi $s1,$alo,$Sigma0[1]-32
-+ insrwi $t0,$ahi,$Sigma0[0],0
-+ insrwi $t1,$alo,$Sigma0[0],0
-+ xor $a2,$a2,$blo ; Maj(a,b,c)
-+ addc $dlo,$dlo,$hlo ; d+=h
-+ xor $a3,$a3,$bhi
-+ insrwi $s0,$alo,$Sigma0[1]-32,0
-+ insrwi $s1,$ahi,$Sigma0[1]-32,0
-+ adde $dhi,$dhi,$hhi
-+ srwi $t2,$ahi,$Sigma0[2]-32
-+ srwi $t3,$alo,$Sigma0[2]-32
-+ xor $s0,$s0,$t0
-+ addc $hlo,$hlo,$a2 ; h+=Maj(a,b,c)
-+ xor $s1,$s1,$t1
-+ insrwi $t2,$alo,$Sigma0[2]-32,0
-+ insrwi $t3,$ahi,$Sigma0[2]-32,0
-+ adde $hhi,$hhi,$a3
-+___
-+$code.=<<___ if ($i>=15);
-+ lwz $t0,`$XOFF+0+$SZ*(($i+2)%16)`($sp)
-+ lwz $t1,`$XOFF+4+$SZ*(($i+2)%16)`($sp)
-+___
-+$code.=<<___ if ($i<15 && !$LITTLE_ENDIAN);
-+ lwz $t1,`$SZ*($i+1)+0`($inp)
-+ lwz $t0,`$SZ*($i+1)+4`($inp)
- ___
-+$code.=<<___ if ($i<15 && $LITTLE_ENDIAN);
-+ lwz $a2,`$SZ*($i+1)+0`($inp)
-+ lwz $a3,`$SZ*($i+1)+4`($inp)
-+ rotlwi $t1,$a2,8
-+ rotlwi $t0,$a3,8
-+ rlwimi $t1,$a2,24,0,7
-+ rlwimi $t0,$a3,24,0,7
-+ rlwimi $t1,$a2,24,16,23
-+ rlwimi $t0,$a3,24,16,23
-+___
-+$code.=<<___;
-+ xor $s0,$s0,$t2 ; Sigma0(a)
-+ xor $s1,$s1,$t3
-+ addc $hlo,$hlo,$s0 ; h+=Sigma0(a)
-+ adde $hhi,$hhi,$s1
-+___
-+$code.=<<___ if ($i==15);
-+ lwz $x0,`$XOFF+0+$SZ*(($i+1)%16)`($sp)
-+ lwz $x1,`$XOFF+4+$SZ*(($i+1)%16)`($sp)
-+___
-+}
-+sub ROUND_16_xx_ppc32 {
-+my ($i, $ahi,$alo,$bhi,$blo,$chi,$clo,$dhi,$dlo,
-+ $ehi,$elo,$fhi,$flo,$ghi,$glo,$hhi,$hlo)=@_;
-+
-+$code.=<<___;
-+ srwi $s0,$t0,$sigma0[0]
-+ srwi $s1,$t1,$sigma0[0]
-+ srwi $t2,$t0,$sigma0[1]
-+ srwi $t3,$t1,$sigma0[1]
-+ insrwi $s0,$t1,$sigma0[0],0
-+ insrwi $s1,$t0,$sigma0[0],0
-+ srwi $a0,$t0,$sigma0[2]
-+ insrwi $t2,$t1,$sigma0[1],0
-+ insrwi $t3,$t0,$sigma0[1],0
-+ insrwi $a0,$t1,$sigma0[2],0
-+ xor $s0,$s0,$t2
-+ lwz $t2,`$XOFF+0+$SZ*(($i+14)%16)`($sp)
-+ srwi $a1,$t1,$sigma0[2]
-+ xor $s1,$s1,$t3
-+ lwz $t3,`$XOFF+4+$SZ*(($i+14)%16)`($sp)
-+ xor $a0,$a0,$s0
-+ srwi $s0,$t2,$sigma1[0]
-+ xor $a1,$a1,$s1
-+ srwi $s1,$t3,$sigma1[0]
-+ addc $x0,$x0,$a0 ; x[i]+=sigma0(x[i+1])
-+ srwi $a0,$t3,$sigma1[1]-32
-+ insrwi $s0,$t3,$sigma1[0],0
-+ insrwi $s1,$t2,$sigma1[0],0
-+ adde $x1,$x1,$a1
-+ srwi $a1,$t2,$sigma1[1]-32
-+
-+ insrwi $a0,$t2,$sigma1[1]-32,0
-+ srwi $t2,$t2,$sigma1[2]
-+ insrwi $a1,$t3,$sigma1[1]-32,0
-+ insrwi $t2,$t3,$sigma1[2],0
-+ xor $s0,$s0,$a0
-+ lwz $a0,`$XOFF+0+$SZ*(($i+9)%16)`($sp)
-+ srwi $t3,$t3,$sigma1[2]
-+ xor $s1,$s1,$a1
-+ lwz $a1,`$XOFF+4+$SZ*(($i+9)%16)`($sp)
-+ xor $s0,$s0,$t2
-+ addc $x0,$x0,$a0 ; x[i]+=x[i+9]
-+ xor $s1,$s1,$t3
-+ adde $x1,$x1,$a1
-+ addc $x0,$x0,$s0 ; x[i]+=sigma1(x[i+14])
-+ adde $x1,$x1,$s1
-+___
-+ ($t0,$t1,$x0,$x1) = ($x0,$x1,$t0,$t1);
-+ &ROUND_00_15_ppc32(@_);
-+}
-+
-+$code.=<<___;
-+.align 4
-+Lsha2_block_private:
-+___
-+$code.=<<___ if (!$LITTLE_ENDIAN);
-+ lwz $t1,0($inp)
-+ xor $a2, at V[3], at V[5] ; B^C, magic seed
-+ lwz $t0,4($inp)
-+ xor $a3, at V[2], at V[4]
-+___
-+$code.=<<___ if ($LITTLE_ENDIAN);
-+ lwz $a1,0($inp)
-+ xor $a2, at V[3], at V[5] ; B^C, magic seed
-+ lwz $a0,4($inp)
-+ xor $a3, at V[2], at V[4]
-+ rotlwi $t1,$a1,8
-+ rotlwi $t0,$a0,8
-+ rlwimi $t1,$a1,24,0,7
-+ rlwimi $t0,$a0,24,0,7
-+ rlwimi $t1,$a1,24,16,23
-+ rlwimi $t0,$a0,24,16,23
-+___
-+for($i=0;$i<16;$i++) {
-+ &ROUND_00_15_ppc32($i, at V);
-+ unshift(@V,pop(@V)); unshift(@V,pop(@V));
-+ ($a0,$a1,$a2,$a3) = ($a2,$a3,$a0,$a1);
-+}
-+$code.=<<___;
-+ li $a0,`$rounds/16-1`
-+ mtctr $a0
-+.align 4
-+Lrounds:
-+ addi $Tbl,$Tbl,`16*$SZ`
-+___
-+for(;$i<32;$i++) {
-+ &ROUND_16_xx_ppc32($i, at V);
-+ unshift(@V,pop(@V)); unshift(@V,pop(@V));
-+ ($a0,$a1,$a2,$a3) = ($a2,$a3,$a0,$a1);
-+}
-+$code.=<<___;
-+ bdnz- Lrounds
-+
-+ $POP $ctx,`$FRAME-$SIZE_T*22`($sp)
-+ $POP $inp,`$FRAME-$SIZE_T*23`($sp) ; inp pointer
-+ $POP $num,`$FRAME-$SIZE_T*24`($sp) ; end pointer
-+ subi $Tbl,$Tbl,`($rounds-16)*$SZ` ; rewind Tbl
-+
-+ lwz $t0,`$LITTLE_ENDIAN^0`($ctx)
-+ lwz $t1,`$LITTLE_ENDIAN^4`($ctx)
-+ lwz $t2,`$LITTLE_ENDIAN^8`($ctx)
-+ lwz $t3,`$LITTLE_ENDIAN^12`($ctx)
-+ lwz $a0,`$LITTLE_ENDIAN^16`($ctx)
-+ lwz $a1,`$LITTLE_ENDIAN^20`($ctx)
-+ lwz $a2,`$LITTLE_ENDIAN^24`($ctx)
-+ addc @V[1], at V[1],$t1
-+ lwz $a3,`$LITTLE_ENDIAN^28`($ctx)
-+ adde @V[0], at V[0],$t0
-+ lwz $t0,`$LITTLE_ENDIAN^32`($ctx)
-+ addc @V[3], at V[3],$t3
-+ lwz $t1,`$LITTLE_ENDIAN^36`($ctx)
-+ adde @V[2], at V[2],$t2
-+ lwz $t2,`$LITTLE_ENDIAN^40`($ctx)
-+ addc @V[5], at V[5],$a1
-+ lwz $t3,`$LITTLE_ENDIAN^44`($ctx)
-+ adde @V[4], at V[4],$a0
-+ lwz $a0,`$LITTLE_ENDIAN^48`($ctx)
-+ addc @V[7], at V[7],$a3
-+ lwz $a1,`$LITTLE_ENDIAN^52`($ctx)
-+ adde @V[6], at V[6],$a2
-+ lwz $a2,`$LITTLE_ENDIAN^56`($ctx)
-+ addc @V[9], at V[9],$t1
-+ lwz $a3,`$LITTLE_ENDIAN^60`($ctx)
-+ adde @V[8], at V[8],$t0
-+ stw @V[0],`$LITTLE_ENDIAN^0`($ctx)
-+ stw @V[1],`$LITTLE_ENDIAN^4`($ctx)
-+ addc @V[11], at V[11],$t3
-+ stw @V[2],`$LITTLE_ENDIAN^8`($ctx)
-+ stw @V[3],`$LITTLE_ENDIAN^12`($ctx)
-+ adde @V[10], at V[10],$t2
-+ stw @V[4],`$LITTLE_ENDIAN^16`($ctx)
-+ stw @V[5],`$LITTLE_ENDIAN^20`($ctx)
-+ addc @V[13], at V[13],$a1
-+ stw @V[6],`$LITTLE_ENDIAN^24`($ctx)
-+ stw @V[7],`$LITTLE_ENDIAN^28`($ctx)
-+ adde @V[12], at V[12],$a0
-+ stw @V[8],`$LITTLE_ENDIAN^32`($ctx)
-+ stw @V[9],`$LITTLE_ENDIAN^36`($ctx)
-+ addc @V[15], at V[15],$a3
-+ stw @V[10],`$LITTLE_ENDIAN^40`($ctx)
-+ stw @V[11],`$LITTLE_ENDIAN^44`($ctx)
-+ adde @V[14], at V[14],$a2
-+ stw @V[12],`$LITTLE_ENDIAN^48`($ctx)
-+ stw @V[13],`$LITTLE_ENDIAN^52`($ctx)
-+ stw @V[14],`$LITTLE_ENDIAN^56`($ctx)
-+ stw @V[15],`$LITTLE_ENDIAN^60`($ctx)
-+
-+ addi $inp,$inp,`16*$SZ` ; advance inp
-+ $PUSH $inp,`$FRAME-$SIZE_T*23`($sp)
-+ $UCMP $inp,$num
-+ bne Lsha2_block_private
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+.size $func,.-$func
-+___
-+}
-
- # Ugly hack here, because PPC assembler syntax seem to vary too
- # much from platforms to platform...
-@@ -395,46 +727,46 @@ LPICmeup:
- .space `64-9*4`
- ___
- $code.=<<___ if ($SZ==8);
-- .long 0x428a2f98,0xd728ae22,0x71374491,0x23ef65cd
-- .long 0xb5c0fbcf,0xec4d3b2f,0xe9b5dba5,0x8189dbbc
-- .long 0x3956c25b,0xf348b538,0x59f111f1,0xb605d019
-- .long 0x923f82a4,0xaf194f9b,0xab1c5ed5,0xda6d8118
-- .long 0xd807aa98,0xa3030242,0x12835b01,0x45706fbe
-- .long 0x243185be,0x4ee4b28c,0x550c7dc3,0xd5ffb4e2
-- .long 0x72be5d74,0xf27b896f,0x80deb1fe,0x3b1696b1
-- .long 0x9bdc06a7,0x25c71235,0xc19bf174,0xcf692694
-- .long 0xe49b69c1,0x9ef14ad2,0xefbe4786,0x384f25e3
-- .long 0x0fc19dc6,0x8b8cd5b5,0x240ca1cc,0x77ac9c65
-- .long 0x2de92c6f,0x592b0275,0x4a7484aa,0x6ea6e483
-- .long 0x5cb0a9dc,0xbd41fbd4,0x76f988da,0x831153b5
-- .long 0x983e5152,0xee66dfab,0xa831c66d,0x2db43210
-- .long 0xb00327c8,0x98fb213f,0xbf597fc7,0xbeef0ee4
-- .long 0xc6e00bf3,0x3da88fc2,0xd5a79147,0x930aa725
-- .long 0x06ca6351,0xe003826f,0x14292967,0x0a0e6e70
-- .long 0x27b70a85,0x46d22ffc,0x2e1b2138,0x5c26c926
-- .long 0x4d2c6dfc,0x5ac42aed,0x53380d13,0x9d95b3df
-- .long 0x650a7354,0x8baf63de,0x766a0abb,0x3c77b2a8
-- .long 0x81c2c92e,0x47edaee6,0x92722c85,0x1482353b
-- .long 0xa2bfe8a1,0x4cf10364,0xa81a664b,0xbc423001
-- .long 0xc24b8b70,0xd0f89791,0xc76c51a3,0x0654be30
-- .long 0xd192e819,0xd6ef5218,0xd6990624,0x5565a910
-- .long 0xf40e3585,0x5771202a,0x106aa070,0x32bbd1b8
-- .long 0x19a4c116,0xb8d2d0c8,0x1e376c08,0x5141ab53
-- .long 0x2748774c,0xdf8eeb99,0x34b0bcb5,0xe19b48a8
-- .long 0x391c0cb3,0xc5c95a63,0x4ed8aa4a,0xe3418acb
-- .long 0x5b9cca4f,0x7763e373,0x682e6ff3,0xd6b2b8a3
-- .long 0x748f82ee,0x5defb2fc,0x78a5636f,0x43172f60
-- .long 0x84c87814,0xa1f0ab72,0x8cc70208,0x1a6439ec
-- .long 0x90befffa,0x23631e28,0xa4506ceb,0xde82bde9
-- .long 0xbef9a3f7,0xb2c67915,0xc67178f2,0xe372532b
-- .long 0xca273ece,0xea26619c,0xd186b8c7,0x21c0c207
-- .long 0xeada7dd6,0xcde0eb1e,0xf57d4f7f,0xee6ed178
-- .long 0x06f067aa,0x72176fba,0x0a637dc5,0xa2c898a6
-- .long 0x113f9804,0xbef90dae,0x1b710b35,0x131c471b
-- .long 0x28db77f5,0x23047d84,0x32caab7b,0x40c72493
-- .long 0x3c9ebe0a,0x15c9bebc,0x431d67c4,0x9c100d4c
-- .long 0x4cc5d4be,0xcb3e42b6,0x597f299c,0xfc657e2a
-- .long 0x5fcb6fab,0x3ad6faec,0x6c44198c,0x4a475817
-+ .quad 0x428a2f98d728ae22,0x7137449123ef65cd
-+ .quad 0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc
-+ .quad 0x3956c25bf348b538,0x59f111f1b605d019
-+ .quad 0x923f82a4af194f9b,0xab1c5ed5da6d8118
-+ .quad 0xd807aa98a3030242,0x12835b0145706fbe
-+ .quad 0x243185be4ee4b28c,0x550c7dc3d5ffb4e2
-+ .quad 0x72be5d74f27b896f,0x80deb1fe3b1696b1
-+ .quad 0x9bdc06a725c71235,0xc19bf174cf692694
-+ .quad 0xe49b69c19ef14ad2,0xefbe4786384f25e3
-+ .quad 0x0fc19dc68b8cd5b5,0x240ca1cc77ac9c65
-+ .quad 0x2de92c6f592b0275,0x4a7484aa6ea6e483
-+ .quad 0x5cb0a9dcbd41fbd4,0x76f988da831153b5
-+ .quad 0x983e5152ee66dfab,0xa831c66d2db43210
-+ .quad 0xb00327c898fb213f,0xbf597fc7beef0ee4
-+ .quad 0xc6e00bf33da88fc2,0xd5a79147930aa725
-+ .quad 0x06ca6351e003826f,0x142929670a0e6e70
-+ .quad 0x27b70a8546d22ffc,0x2e1b21385c26c926
-+ .quad 0x4d2c6dfc5ac42aed,0x53380d139d95b3df
-+ .quad 0x650a73548baf63de,0x766a0abb3c77b2a8
-+ .quad 0x81c2c92e47edaee6,0x92722c851482353b
-+ .quad 0xa2bfe8a14cf10364,0xa81a664bbc423001
-+ .quad 0xc24b8b70d0f89791,0xc76c51a30654be30
-+ .quad 0xd192e819d6ef5218,0xd69906245565a910
-+ .quad 0xf40e35855771202a,0x106aa07032bbd1b8
-+ .quad 0x19a4c116b8d2d0c8,0x1e376c085141ab53
-+ .quad 0x2748774cdf8eeb99,0x34b0bcb5e19b48a8
-+ .quad 0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb
-+ .quad 0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3
-+ .quad 0x748f82ee5defb2fc,0x78a5636f43172f60
-+ .quad 0x84c87814a1f0ab72,0x8cc702081a6439ec
-+ .quad 0x90befffa23631e28,0xa4506cebde82bde9
-+ .quad 0xbef9a3f7b2c67915,0xc67178f2e372532b
-+ .quad 0xca273eceea26619c,0xd186b8c721c0c207
-+ .quad 0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178
-+ .quad 0x06f067aa72176fba,0x0a637dc5a2c898a6
-+ .quad 0x113f9804bef90dae,0x1b710b35131c471b
-+ .quad 0x28db77f523047d84,0x32caab7b40c72493
-+ .quad 0x3c9ebe0a15c9bebc,0x431d67c49c100d4c
-+ .quad 0x4cc5d4becb3e42b6,0x597f299cfc657e2a
-+ .quad 0x5fcb6fab3ad6faec,0x6c44198c4a475817
- ___
- $code.=<<___ if ($SZ==4);
- .long 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5
-diff -up openssl-1.0.1i/crypto/sha/asm/sha512p8-ppc.pl.ppc-asm openssl-1.0.1i/crypto/sha/asm/sha512p8-ppc.pl
---- openssl-1.0.1i/crypto/sha/asm/sha512p8-ppc.pl.ppc-asm 2014-08-13 19:46:21.096578196 +0200
-+++ openssl-1.0.1i/crypto/sha/asm/sha512p8-ppc.pl 2014-08-13 19:46:21.096578196 +0200
-@@ -0,0 +1,423 @@
-+#!/usr/bin/env perl
-+
-+# ====================================================================
-+# Written by Andy Polyakov <appro at openssl.org> for the OpenSSL
-+# project. The module is, however, dual licensed under OpenSSL and
-+# CRYPTOGAMS licenses depending on where you obtain it. For further
-+# details see http://www.openssl.org/~appro/cryptogams/.
-+# ====================================================================
-+
-+# SHA256/512 for PowerISA v2.07.
-+#
-+# Accurate performance measurements are problematic, because it's
-+# always virtualized setup with possibly throttled processor.
-+# Relative comparison is therefore more informative. This module is
-+# ~60% faster than integer-only sha512-ppc.pl. To anchor to something
-+# else, SHA256 is 24% slower than sha1-ppc.pl and 2.5x slower than
-+# hardware-assisted aes-128-cbc encrypt. SHA512 is 20% faster than
-+# sha1-ppc.pl and 1.6x slower than aes-128-cbc. Another interesting
-+# result is degree of computational resources' utilization. POWER8 is
-+# "massively multi-threaded chip" and difference between single- and
-+# maximum multi-process benchmark results tells that utlization is
-+# whooping 94%. For sha512-ppc.pl we get [not unimpressive] 84% and
-+# for sha1-ppc.pl - 73%. 100% means that multi-process result equals
-+# to single-process one, given that all threads end up on the same
-+# physical core.
-+
-+$flavour=shift;
-+$output =shift;
-+
-+if ($flavour =~ /64/) {
-+ $SIZE_T=8;
-+ $LRSAVE=2*$SIZE_T;
-+ $STU="stdu";
-+ $POP="ld";
-+ $PUSH="std";
-+} elsif ($flavour =~ /32/) {
-+ $SIZE_T=4;
-+ $LRSAVE=$SIZE_T;
-+ $STU="stwu";
-+ $POP="lwz";
-+ $PUSH="stw";
-+} else { die "nonsense $flavour"; }
-+
-+$LENDIAN=($flavour=~/le/);
-+
-+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
-+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-+die "can't locate ppc-xlate.pl";
-+
-+open STDOUT,"| $^X $xlate $flavour $output" || die "can't call $xlate: $!";
-+
-+if ($output =~ /512/) {
-+ $bits=512;
-+ $SZ=8;
-+ $sz="d";
-+ $rounds=80;
-+} else {
-+ $bits=256;
-+ $SZ=4;
-+ $sz="w";
-+ $rounds=64;
-+}
-+
-+$func="sha${bits}_block_p8";
-+$FRAME=8*$SIZE_T;
-+
-+$sp ="r1";
-+$toc="r2";
-+$ctx="r3";
-+$inp="r4";
-+$num="r5";
-+$Tbl="r6";
-+$idx="r7";
-+$lrsave="r8";
-+$offload="r11";
-+$vrsave="r12";
-+($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,10,26..31));
-+
-+ at V=($A,$B,$C,$D,$E,$F,$G,$H)=map("v$_",(0..7));
-+ at X=map("v$_",(8..23));
-+($Ki,$Func,$S0,$S1,$s0,$s1,$lemask)=map("v$_",(24..31));
-+
-+sub ROUND {
-+my ($i,$a,$b,$c,$d,$e,$f,$g,$h)=@_;
-+my $j=($i+1)%16;
-+
-+$code.=<<___ if ($i<15 && ($i%(16/$SZ))==(16/$SZ-1));
-+ lvx_u @X[$i+1],0,$inp ; load X[i] in advance
-+ addi $inp,$inp,16
-+___
-+$code.=<<___ if ($i<16 && ($i%(16/$SZ)));
-+ vsldoi @X[$i], at X[$i-1], at X[$i-1],$SZ
-+___
-+$code.=<<___ if ($LENDIAN && $i<16 && ($i%(16/$SZ))==0);
-+ vperm @X[$i], at X[$i], at X[$i],$lemask
-+___
-+$code.=<<___;
-+ `"vshasigma${sz} $s0, at X[($j+1)%16],0,0" if ($i>=15)`
-+ vsel $Func,$g,$f,$e ; Ch(e,f,g)
-+ vshasigma${sz} $S1,$e,1,15 ; Sigma1(e)
-+ vaddu${sz}m $h,$h, at X[$i%16] ; h+=X[i]
-+ vshasigma${sz} $S0,$a,1,0 ; Sigma0(a)
-+ `"vshasigma${sz} $s1, at X[($j+14)%16],0,15" if ($i>=15)`
-+ vaddu${sz}m $h,$h,$Func ; h+=Ch(e,f,g)
-+ vxor $Func,$a,$b
-+ `"vaddu${sz}m @X[$j], at X[$j], at X[($j+9)%16]" if ($i>=15)`
-+ vaddu${sz}m $h,$h,$S1 ; h+=Sigma1(e)
-+ vsel $Func,$b,$c,$Func ; Maj(a,b,c)
-+ vaddu${sz}m $g,$g,$Ki ; future h+=K[i]
-+ vaddu${sz}m $d,$d,$h ; d+=h
-+ vaddu${sz}m $S0,$S0,$Func ; Sigma0(a)+Maj(a,b,c)
-+ `"vaddu${sz}m @X[$j], at X[$j],$s0" if ($i>=15)`
-+ lvx $Ki,$idx,$Tbl ; load next K[i]
-+ addi $idx,$idx,16
-+ vaddu${sz}m $h,$h,$S0 ; h+=Sigma0(a)+Maj(a,b,c)
-+ `"vaddu${sz}m @X[$j], at X[$j],$s1" if ($i>=15)`
-+___
-+}
-+
-+$code=<<___;
-+.machine "any"
-+.text
-+
-+.globl $func
-+.align 6
-+$func:
-+ $STU $sp,-`($FRAME+21*16+6*$SIZE_T)`($sp)
-+ mflr $lrsave
-+ li r10,`$FRAME+8*16+15`
-+ li r11,`$FRAME+8*16+31`
-+ stvx v20,r10,$sp # ABI says so
-+ addi r10,r10,32
-+ mfspr $vrsave,256
-+ stvx v21,r11,$sp
-+ addi r11,r11,32
-+ stvx v22,r10,$sp
-+ addi r10,r10,32
-+ stvx v23,r11,$sp
-+ addi r11,r11,32
-+ stvx v24,r10,$sp
-+ addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
-+ stvx v26,r10,$sp
-+ addi r10,r10,32
-+ stvx v27,r11,$sp
-+ addi r11,r11,32
-+ stvx v28,r10,$sp
-+ addi r10,r10,32
-+ stvx v29,r11,$sp
-+ addi r11,r11,32
-+ stvx v30,r10,$sp
-+ stvx v31,r11,$sp
-+ li r11,-1
-+ stw $vrsave,`$FRAME+21*16-4`($sp) # save vrsave
-+ li $x10,0x10
-+ $PUSH r26,`$FRAME+21*16+0*$SIZE_T`($sp)
-+ li $x20,0x20
-+ $PUSH r27,`$FRAME+21*16+1*$SIZE_T`($sp)
-+ li $x30,0x30
-+ $PUSH r28,`$FRAME+21*16+2*$SIZE_T`($sp)
-+ li $x40,0x40
-+ $PUSH r29,`$FRAME+21*16+3*$SIZE_T`($sp)
-+ li $x50,0x50
-+ $PUSH r30,`$FRAME+21*16+4*$SIZE_T`($sp)
-+ li $x60,0x60
-+ $PUSH r31,`$FRAME+21*16+5*$SIZE_T`($sp)
-+ li $x70,0x70
-+ $PUSH $lrsave,`$FRAME+21*16+6*$SIZE_T+$LRSAVE`($sp)
-+ mtspr 256,r11
-+
-+ bl LPICmeup
-+ addi $offload,$sp,$FRAME+15
-+___
-+$code.=<<___ if ($LENDIAN);
-+ li $idx,8
-+ lvsl $lemask,0,$idx
-+ vspltisb $Ki,0x0f
-+ vxor $lemask,$lemask,$Ki
-+___
-+$code.=<<___ if ($SZ==4);
-+ lvx_4w $A,$x00,$ctx
-+ lvx_4w $E,$x10,$ctx
-+ vsldoi $B,$A,$A,4 # unpack
-+ vsldoi $C,$A,$A,8
-+ vsldoi $D,$A,$A,12
-+ vsldoi $F,$E,$E,4
-+ vsldoi $G,$E,$E,8
-+ vsldoi $H,$E,$E,12
-+___
-+$code.=<<___ if ($SZ==8);
-+ lvx_u $A,$x00,$ctx
-+ lvx_u $C,$x10,$ctx
-+ lvx_u $E,$x20,$ctx
-+ vsldoi $B,$A,$A,8 # unpack
-+ lvx_u $G,$x30,$ctx
-+ vsldoi $D,$C,$C,8
-+ vsldoi $F,$E,$E,8
-+ vsldoi $H,$G,$G,8
-+___
-+$code.=<<___;
-+ li r0,`($rounds-16)/16` # inner loop counter
-+ b Loop
-+.align 5
-+Loop:
-+ lvx $Ki,$x00,$Tbl
-+ li $idx,16
-+ lvx_u @X[0],0,$inp
-+ addi $inp,$inp,16
-+ stvx $A,$x00,$offload # offload $A-$H
-+ stvx $B,$x10,$offload
-+ stvx $C,$x20,$offload
-+ stvx $D,$x30,$offload
-+ stvx $E,$x40,$offload
-+ stvx $F,$x50,$offload
-+ stvx $G,$x60,$offload
-+ stvx $H,$x70,$offload
-+ vaddu${sz}m $H,$H,$Ki # h+K[i]
-+ lvx $Ki,$idx,$Tbl
-+ addi $idx,$idx,16
-+___
-+for ($i=0;$i<16;$i++) { &ROUND($i, at V); unshift(@V,pop(@V)); }
-+$code.=<<___;
-+ mtctr r0
-+ b L16_xx
-+.align 5
-+L16_xx:
-+___
-+for (;$i<32;$i++) { &ROUND($i, at V); unshift(@V,pop(@V)); }
-+$code.=<<___;
-+ bdnz L16_xx
-+
-+ lvx @X[2],$x00,$offload
-+ subic. $num,$num,1
-+ lvx @X[3],$x10,$offload
-+ vaddu${sz}m $A,$A, at X[2]
-+ lvx @X[4],$x20,$offload
-+ vaddu${sz}m $B,$B, at X[3]
-+ lvx @X[5],$x30,$offload
-+ vaddu${sz}m $C,$C, at X[4]
-+ lvx @X[6],$x40,$offload
-+ vaddu${sz}m $D,$D, at X[5]
-+ lvx @X[7],$x50,$offload
-+ vaddu${sz}m $E,$E, at X[6]
-+ lvx @X[8],$x60,$offload
-+ vaddu${sz}m $F,$F, at X[7]
-+ lvx @X[9],$x70,$offload
-+ vaddu${sz}m $G,$G, at X[8]
-+ vaddu${sz}m $H,$H, at X[9]
-+ bne Loop
-+___
-+$code.=<<___ if ($SZ==4);
-+ lvx @X[0],$idx,$Tbl
-+ addi $idx,$idx,16
-+ vperm $A,$A,$B,$Ki # pack the answer
-+ lvx @X[1],$idx,$Tbl
-+ vperm $E,$E,$F,$Ki
-+ vperm $A,$A,$C, at X[0]
-+ vperm $E,$E,$G, at X[0]
-+ vperm $A,$A,$D, at X[1]
-+ vperm $E,$E,$H, at X[1]
-+ stvx_4w $A,$x00,$ctx
-+ stvx_4w $E,$x10,$ctx
-+___
-+$code.=<<___ if ($SZ==8);
-+ vperm $A,$A,$B,$Ki # pack the answer
-+ vperm $C,$C,$D,$Ki
-+ vperm $E,$E,$F,$Ki
-+ vperm $G,$G,$H,$Ki
-+ stvx_u $A,$x00,$ctx
-+ stvx_u $C,$x10,$ctx
-+ stvx_u $E,$x20,$ctx
-+ stvx_u $G,$x30,$ctx
-+___
-+$code.=<<___;
-+ li r10,`$FRAME+8*16+15`
-+ mtlr $lrsave
-+ li r11,`$FRAME+8*16+31`
-+ mtspr 256,$vrsave
-+ lvx v20,r10,$sp # ABI says so
-+ addi r10,r10,32
-+ lvx v21,r11,$sp
-+ addi r11,r11,32
-+ lvx v22,r10,$sp
-+ addi r10,r10,32
-+ lvx v23,r11,$sp
-+ addi r11,r11,32
-+ lvx v24,r10,$sp
-+ addi r10,r10,32
-+ lvx v25,r11,$sp
-+ addi r11,r11,32
-+ lvx v26,r10,$sp
-+ addi r10,r10,32
-+ lvx v27,r11,$sp
-+ addi r11,r11,32
-+ lvx v28,r10,$sp
-+ addi r10,r10,32
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
-+ $POP r26,`$FRAME+21*16+0*$SIZE_T`($sp)
-+ $POP r27,`$FRAME+21*16+1*$SIZE_T`($sp)
-+ $POP r28,`$FRAME+21*16+2*$SIZE_T`($sp)
-+ $POP r29,`$FRAME+21*16+3*$SIZE_T`($sp)
-+ $POP r30,`$FRAME+21*16+4*$SIZE_T`($sp)
-+ $POP r31,`$FRAME+21*16+5*$SIZE_T`($sp)
-+ addi $sp,$sp,`$FRAME+21*16+6*$SIZE_T`
-+ blr
-+ .long 0
-+ .byte 0,12,4,1,0x80,6,3,0
-+ .long 0
-+.size $func,.-$func
-+___
-+
-+# Ugly hack here, because PPC assembler syntax seem to vary too
-+# much from platforms to platform...
-+$code.=<<___;
-+.align 6
-+LPICmeup:
-+ mflr r0
-+ bcl 20,31,\$+4
-+ mflr $Tbl ; vvvvvv "distance" between . and 1st data entry
-+ addi $Tbl,$Tbl,`64-8`
-+ mtlr r0
-+ blr
-+ .long 0
-+ .byte 0,12,0x14,0,0,0,0,0
-+ .space `64-9*4`
-+___
-+
-+if ($SZ==8) {
-+ local *table = sub {
-+ foreach(@_) { $code.=".quad $_,$_\n"; }
-+ };
-+ table(
-+ "0x428a2f98d728ae22","0x7137449123ef65cd",
-+ "0xb5c0fbcfec4d3b2f","0xe9b5dba58189dbbc",
-+ "0x3956c25bf348b538","0x59f111f1b605d019",
-+ "0x923f82a4af194f9b","0xab1c5ed5da6d8118",
-+ "0xd807aa98a3030242","0x12835b0145706fbe",
-+ "0x243185be4ee4b28c","0x550c7dc3d5ffb4e2",
-+ "0x72be5d74f27b896f","0x80deb1fe3b1696b1",
-+ "0x9bdc06a725c71235","0xc19bf174cf692694",
-+ "0xe49b69c19ef14ad2","0xefbe4786384f25e3",
-+ "0x0fc19dc68b8cd5b5","0x240ca1cc77ac9c65",
-+ "0x2de92c6f592b0275","0x4a7484aa6ea6e483",
-+ "0x5cb0a9dcbd41fbd4","0x76f988da831153b5",
-+ "0x983e5152ee66dfab","0xa831c66d2db43210",
-+ "0xb00327c898fb213f","0xbf597fc7beef0ee4",
-+ "0xc6e00bf33da88fc2","0xd5a79147930aa725",
-+ "0x06ca6351e003826f","0x142929670a0e6e70",
-+ "0x27b70a8546d22ffc","0x2e1b21385c26c926",
-+ "0x4d2c6dfc5ac42aed","0x53380d139d95b3df",
-+ "0x650a73548baf63de","0x766a0abb3c77b2a8",
-+ "0x81c2c92e47edaee6","0x92722c851482353b",
-+ "0xa2bfe8a14cf10364","0xa81a664bbc423001",
-+ "0xc24b8b70d0f89791","0xc76c51a30654be30",
-+ "0xd192e819d6ef5218","0xd69906245565a910",
-+ "0xf40e35855771202a","0x106aa07032bbd1b8",
-+ "0x19a4c116b8d2d0c8","0x1e376c085141ab53",
-+ "0x2748774cdf8eeb99","0x34b0bcb5e19b48a8",
-+ "0x391c0cb3c5c95a63","0x4ed8aa4ae3418acb",
-+ "0x5b9cca4f7763e373","0x682e6ff3d6b2b8a3",
-+ "0x748f82ee5defb2fc","0x78a5636f43172f60",
-+ "0x84c87814a1f0ab72","0x8cc702081a6439ec",
-+ "0x90befffa23631e28","0xa4506cebde82bde9",
-+ "0xbef9a3f7b2c67915","0xc67178f2e372532b",
-+ "0xca273eceea26619c","0xd186b8c721c0c207",
-+ "0xeada7dd6cde0eb1e","0xf57d4f7fee6ed178",
-+ "0x06f067aa72176fba","0x0a637dc5a2c898a6",
-+ "0x113f9804bef90dae","0x1b710b35131c471b",
-+ "0x28db77f523047d84","0x32caab7b40c72493",
-+ "0x3c9ebe0a15c9bebc","0x431d67c49c100d4c",
-+ "0x4cc5d4becb3e42b6","0x597f299cfc657e2a",
-+ "0x5fcb6fab3ad6faec","0x6c44198c4a475817","0");
-+$code.=<<___ if (!$LENDIAN);
-+.quad 0x0001020304050607,0x1011121314151617
-+___
-+$code.=<<___ if ($LENDIAN); # quad-swapped
-+.quad 0x1011121314151617,0x0001020304050607
-+___
-+} else {
-+ local *table = sub {
-+ foreach(@_) { $code.=".long $_,$_,$_,$_\n"; }
-+ };
-+ table(
-+ "0x428a2f98","0x71374491","0xb5c0fbcf","0xe9b5dba5",
-+ "0x3956c25b","0x59f111f1","0x923f82a4","0xab1c5ed5",
-+ "0xd807aa98","0x12835b01","0x243185be","0x550c7dc3",
-+ "0x72be5d74","0x80deb1fe","0x9bdc06a7","0xc19bf174",
-+ "0xe49b69c1","0xefbe4786","0x0fc19dc6","0x240ca1cc",
-+ "0x2de92c6f","0x4a7484aa","0x5cb0a9dc","0x76f988da",
-+ "0x983e5152","0xa831c66d","0xb00327c8","0xbf597fc7",
-+ "0xc6e00bf3","0xd5a79147","0x06ca6351","0x14292967",
-+ "0x27b70a85","0x2e1b2138","0x4d2c6dfc","0x53380d13",
-+ "0x650a7354","0x766a0abb","0x81c2c92e","0x92722c85",
-+ "0xa2bfe8a1","0xa81a664b","0xc24b8b70","0xc76c51a3",
-+ "0xd192e819","0xd6990624","0xf40e3585","0x106aa070",
-+ "0x19a4c116","0x1e376c08","0x2748774c","0x34b0bcb5",
-+ "0x391c0cb3","0x4ed8aa4a","0x5b9cca4f","0x682e6ff3",
-+ "0x748f82ee","0x78a5636f","0x84c87814","0x8cc70208",
-+ "0x90befffa","0xa4506ceb","0xbef9a3f7","0xc67178f2","0");
-+$code.=<<___ if (!$LENDIAN);
-+.long 0x00010203,0x10111213,0x10111213,0x10111213
-+.long 0x00010203,0x04050607,0x10111213,0x10111213
-+.long 0x00010203,0x04050607,0x08090a0b,0x10111213
-+___
-+$code.=<<___ if ($LENDIAN); # word-swapped
-+.long 0x10111213,0x10111213,0x10111213,0x00010203
-+.long 0x10111213,0x10111213,0x04050607,0x00010203
-+.long 0x10111213,0x08090a0b,0x04050607,0x00010203
-+___
-+}
-+$code.=<<___;
-+.asciz "SHA${bits} for PowerISA 2.07, CRYPTOGAMS by <appro\@openssl.org>"
-+.align 2
-+___
-+
-+$code =~ s/\`([^\`]*)\`/eval $1/gem;
-+print $code;
-+close STDOUT;
-diff -up openssl-1.0.1i/crypto/sha/Makefile.ppc-asm openssl-1.0.1i/crypto/sha/Makefile
---- openssl-1.0.1i/crypto/sha/Makefile.ppc-asm 2014-08-06 23:18:30.000000000 +0200
-+++ openssl-1.0.1i/crypto/sha/Makefile 2014-08-13 19:46:21.096578196 +0200
-@@ -75,6 +75,8 @@ sha512-sparcv9.s:asm/sha512-sparcv9.pl;
- sha1-ppc.s: asm/sha1-ppc.pl; $(PERL) asm/sha1-ppc.pl $(PERLASM_SCHEME) $@
- sha256-ppc.s: asm/sha512-ppc.pl; $(PERL) asm/sha512-ppc.pl $(PERLASM_SCHEME) $@
- sha512-ppc.s: asm/sha512-ppc.pl; $(PERL) asm/sha512-ppc.pl $(PERLASM_SCHEME) $@
-+sha256p8-ppc.s: asm/sha512p8-ppc.pl; $(PERL) asm/sha512p8-ppc.pl $(PERLASM_SCHEME) $@
-+sha512p8-ppc.s: asm/sha512p8-ppc.pl; $(PERL) asm/sha512p8-ppc.pl $(PERLASM_SCHEME) $@
-
- sha1-parisc.s: asm/sha1-parisc.pl; $(PERL) asm/sha1-parisc.pl $(PERLASM_SCHEME) $@
- sha256-parisc.s:asm/sha512-parisc.pl; $(PERL) asm/sha512-parisc.pl $(PERLASM_SCHEME) $@
diff --git a/openssl-1.0.1i-trusted-first.patch b/openssl-1.0.1i-trusted-first.patch
deleted file mode 100644
index f11f36d..0000000
--- a/openssl-1.0.1i-trusted-first.patch
+++ /dev/null
@@ -1,330 +0,0 @@
-diff -up openssl-1.0.1i/apps/apps.c.trusted-first openssl-1.0.1i/apps/apps.c
---- openssl-1.0.1i/apps/apps.c.trusted-first 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/apps/apps.c 2014-08-07 13:54:27.751103405 +0200
-@@ -2365,6 +2365,8 @@ int args_verify(char ***pargs, int *parg
- flags |= X509_V_FLAG_NOTIFY_POLICY;
- else if (!strcmp(arg, "-check_ss_sig"))
- flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
-+ else if (!strcmp(arg, "-trusted_first"))
-+ flags |= X509_V_FLAG_TRUSTED_FIRST;
- else
- return 0;
-
-diff -up openssl-1.0.1i/apps/cms.c.trusted-first openssl-1.0.1i/apps/cms.c
---- openssl-1.0.1i/apps/cms.c.trusted-first 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/apps/cms.c 2014-08-07 13:54:27.751103405 +0200
-@@ -642,6 +642,7 @@ int MAIN(int argc, char **argv)
- BIO_printf (bio_err, "-text include or delete text MIME headers\n");
- BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
- BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
-+ BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
- BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
- BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
- #ifndef OPENSSL_NO_ENGINE
-diff -up openssl-1.0.1i/apps/ocsp.c.trusted-first openssl-1.0.1i/apps/ocsp.c
---- openssl-1.0.1i/apps/ocsp.c.trusted-first 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/apps/ocsp.c 2014-08-07 13:54:27.752103409 +0200
-@@ -605,6 +605,7 @@ int MAIN(int argc, char **argv)
- BIO_printf (bio_err, "-path path to use in OCSP request\n");
- BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
- BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
-+ BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
- BIO_printf (bio_err, "-VAfile file validator certificates file\n");
- BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
- BIO_printf (bio_err, "-status_age n maximum status age in seconds\n");
-diff -up openssl-1.0.1i/apps/s_client.c.trusted-first openssl-1.0.1i/apps/s_client.c
---- openssl-1.0.1i/apps/s_client.c.trusted-first 2014-08-07 13:54:27.752103409 +0200
-+++ openssl-1.0.1i/apps/s_client.c 2014-08-07 15:06:28.443918055 +0200
-@@ -299,6 +299,7 @@ static void sc_usage(void)
- BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
- BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
- BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
-+ BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n");
- BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
- BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
- BIO_printf(bio_err," -prexit - print session information even on connection failure\n");
-diff -up openssl-1.0.1i/apps/smime.c.trusted-first openssl-1.0.1i/apps/smime.c
---- openssl-1.0.1i/apps/smime.c.trusted-first 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/apps/smime.c 2014-08-07 13:54:27.753103414 +0200
-@@ -479,6 +479,7 @@ int MAIN(int argc, char **argv)
- BIO_printf (bio_err, "-text include or delete text MIME headers\n");
- BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
- BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
-+ BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
- BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
- BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
- #ifndef OPENSSL_NO_ENGINE
-diff -up openssl-1.0.1i/apps/s_server.c.trusted-first openssl-1.0.1i/apps/s_server.c
---- openssl-1.0.1i/apps/s_server.c.trusted-first 2014-08-07 13:54:27.718103241 +0200
-+++ openssl-1.0.1i/apps/s_server.c 2014-08-07 13:54:27.753103414 +0200
-@@ -502,6 +502,7 @@ static void sv_usage(void)
- BIO_printf(bio_err," -state - Print the SSL states\n");
- BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
- BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
-+ BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n");
- BIO_printf(bio_err," -nocert - Don't use any certificates (Anon-DH)\n");
- BIO_printf(bio_err," -cipher arg - play with 'openssl ciphers' to see what goes here\n");
- BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n");
-diff -up openssl-1.0.1i/apps/s_time.c.trusted-first openssl-1.0.1i/apps/s_time.c
---- openssl-1.0.1i/apps/s_time.c.trusted-first 2014-08-07 13:54:27.432101823 +0200
-+++ openssl-1.0.1i/apps/s_time.c 2014-08-07 13:54:27.753103414 +0200
-@@ -179,6 +179,7 @@ static void s_time_usage(void)
- file if not specified by this option\n\
- -CApath arg - PEM format directory of CA's\n\
- -CAfile arg - PEM format file of CA's\n\
-+-trusted_first - Use trusted CA's first when building the trust chain\n\
- -cipher - preferred cipher to use, play with 'openssl ciphers'\n\n";
-
- printf( "usage: s_time <args>\n\n" );
-diff -up openssl-1.0.1i/apps/ts.c.trusted-first openssl-1.0.1i/apps/ts.c
---- openssl-1.0.1i/apps/ts.c.trusted-first 2014-08-07 13:54:27.707103186 +0200
-+++ openssl-1.0.1i/apps/ts.c 2014-08-07 13:54:27.753103414 +0200
-@@ -383,7 +383,7 @@ int MAIN(int argc, char **argv)
- "ts -verify [-data file_to_hash] [-digest digest_bytes] "
- "[-queryfile request.tsq] "
- "-in response.tsr [-token_in] "
-- "-CApath ca_path -CAfile ca_file.pem "
-+ "-CApath ca_path -CAfile ca_file.pem -trusted_first"
- "-untrusted cert_file.pem\n");
- cleanup:
- /* Clean up. */
-diff -up openssl-1.0.1i/apps/verify.c.trusted-first openssl-1.0.1i/apps/verify.c
---- openssl-1.0.1i/apps/verify.c.trusted-first 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/apps/verify.c 2014-08-07 13:54:27.754103419 +0200
-@@ -237,7 +237,7 @@ int MAIN(int argc, char **argv)
-
- end:
- if (ret == 1) {
-- BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
-+ BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
- BIO_printf(bio_err," [-attime timestamp]");
- #ifndef OPENSSL_NO_ENGINE
- BIO_printf(bio_err," [-engine e]");
-diff -up openssl-1.0.1i/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1i/crypto/x509/x509_vfy.c
---- openssl-1.0.1i/crypto/x509/x509_vfy.c.trusted-first 2014-08-07 13:54:27.716103231 +0200
-+++ openssl-1.0.1i/crypto/x509/x509_vfy.c 2014-08-07 13:54:27.754103419 +0200
-@@ -207,6 +207,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx
-
- /* If we are self signed, we break */
- if (ctx->check_issued(ctx, x,x)) break;
-+ /* If asked see if we can find issuer in trusted store first */
-+ if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
-+ {
-+ ok = ctx->get_issuer(&xtmp, ctx, x);
-+ if (ok < 0)
-+ return ok;
-+ /* If successful for now free up cert so it
-+ * will be picked up again later.
-+ */
-+ if (ok > 0)
-+ {
-+ X509_free(xtmp);
-+ break;
-+ }
-+ }
-
- /* If we were passed a cert chain, use it first */
- if (ctx->untrusted != NULL)
-diff -up openssl-1.0.1i/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1i/crypto/x509/x509_vfy.h
---- openssl-1.0.1i/crypto/x509/x509_vfy.h.trusted-first 2014-08-07 13:54:27.360101466 +0200
-+++ openssl-1.0.1i/crypto/x509/x509_vfy.h 2014-08-07 13:54:27.754103419 +0200
-@@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE
- #define X509_V_FLAG_USE_DELTAS 0x2000
- /* Check selfsigned CA signature */
- #define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
-+/* Use trusted store first */
-+#define X509_V_FLAG_TRUSTED_FIRST 0x8000
-
-
- #define X509_VP_FLAG_DEFAULT 0x1
-diff -up openssl-1.0.1i/doc/apps/cms.pod.trusted-first openssl-1.0.1i/doc/apps/cms.pod
---- openssl-1.0.1i/doc/apps/cms.pod.trusted-first 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/doc/apps/cms.pod 2014-08-07 13:54:27.754103419 +0200
-@@ -35,6 +35,7 @@ B<openssl> B<cms>
- [B<-print>]
- [B<-CAfile file>]
- [B<-CApath dir>]
-+[B<-trusted_first>]
- [B<-md digest>]
- [B<-[cipher]>]
- [B<-nointern>]
-@@ -243,6 +244,12 @@ B<-verify>. This directory must be a sta
- is a hash of each subject name (using B<x509 -hash>) should be linked
- to each certificate.
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory before untrusted certificates
-+from the message when building the trust chain to verify certificates.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-md digest>
-
- digest algorithm to use when signing or resigning. If not present then the
-diff -up openssl-1.0.1i/doc/apps/ocsp.pod.trusted-first openssl-1.0.1i/doc/apps/ocsp.pod
---- openssl-1.0.1i/doc/apps/ocsp.pod.trusted-first 2014-08-07 13:54:27.708103191 +0200
-+++ openssl-1.0.1i/doc/apps/ocsp.pod 2014-08-07 13:54:27.755103424 +0200
-@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
- [B<-path>]
- [B<-CApath dir>]
- [B<-CAfile file>]
-+[B<-trusted_first>]
- [B<-VAfile file>]
- [B<-validity_period n>]
- [B<-status_age n>]
-@@ -138,6 +139,13 @@ or "/" by default.
- file or pathname containing trusted CA certificates. These are used to verify
- the signature on the OCSP response.
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory over certificates provided
-+in the response or residing in other certificates file when building the trust
-+chain to verify responder certificate.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-verify_other file>
-
- file containing additional certificates to search when attempting to locate
-diff -up openssl-1.0.1i/doc/apps/s_client.pod.trusted-first openssl-1.0.1i/doc/apps/s_client.pod
---- openssl-1.0.1i/doc/apps/s_client.pod.trusted-first 2014-08-07 13:54:27.726103281 +0200
-+++ openssl-1.0.1i/doc/apps/s_client.pod 2014-08-07 13:54:27.755103424 +0200
-@@ -19,6 +19,7 @@ B<openssl> B<s_client>
- [B<-pass arg>]
- [B<-CApath directory>]
- [B<-CAfile filename>]
-+[B<-trusted_first>]
- [B<-reconnect>]
- [B<-pause>]
- [B<-showcerts>]
-@@ -121,7 +122,7 @@ also used when building the client certi
- A file containing trusted certificates to use during server authentication
- and to use when attempting to build the client certificate chain.
-
--=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
-+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
-
- Set various certificate chain valiadition option. See the
- L<B<verify>|verify(1)> manual page for details.
-diff -up openssl-1.0.1i/doc/apps/smime.pod.trusted-first openssl-1.0.1i/doc/apps/smime.pod
---- openssl-1.0.1i/doc/apps/smime.pod.trusted-first 2014-07-22 21:43:11.000000000 +0200
-+++ openssl-1.0.1i/doc/apps/smime.pod 2014-08-07 13:54:27.755103424 +0200
-@@ -15,6 +15,9 @@ B<openssl> B<smime>
- [B<-pk7out>]
- [B<-[cipher]>]
- [B<-in file>]
-+[B<-CAfile file>]
-+[B<-CApath dir>]
-+[B<-trusted_first>]
- [B<-certfile file>]
- [B<-signer file>]
- [B<-recip file>]
-@@ -146,6 +149,12 @@ B<-verify>. This directory must be a sta
- is a hash of each subject name (using B<x509 -hash>) should be linked
- to each certificate.
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory over certificates provided
-+in the message when building the trust chain to verify a certificate.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-md digest>
-
- digest algorithm to use when signing or resigning. If not present then the
-diff -up openssl-1.0.1i/doc/apps/s_server.pod.trusted-first openssl-1.0.1i/doc/apps/s_server.pod
---- openssl-1.0.1i/doc/apps/s_server.pod.trusted-first 2014-08-07 13:54:27.726103281 +0200
-+++ openssl-1.0.1i/doc/apps/s_server.pod 2014-08-07 15:07:12.315099577 +0200
-@@ -33,6 +33,7 @@ B<openssl> B<s_server>
- [B<-state>]
- [B<-CApath directory>]
- [B<-CAfile filename>]
-+[B<-trusted_first>]
- [B<-nocert>]
- [B<-cipher cipherlist>]
- [B<-serverpref>]
-@@ -178,6 +179,12 @@ and to use when attempting to build the
- is also used in the list of acceptable client CAs passed to the client when
- a certificate is requested.
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory before other certificates
-+when building the trust chain to verify client certificates.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-state>
-
- prints out the SSL session states.
-diff -up openssl-1.0.1i/doc/apps/s_time.pod.trusted-first openssl-1.0.1i/doc/apps/s_time.pod
---- openssl-1.0.1i/doc/apps/s_time.pod.trusted-first 2014-07-22 21:41:23.000000000 +0200
-+++ openssl-1.0.1i/doc/apps/s_time.pod 2014-08-07 13:54:27.755103424 +0200
-@@ -14,6 +14,7 @@ B<openssl> B<s_time>
- [B<-key filename>]
- [B<-CApath directory>]
- [B<-CAfile filename>]
-+[B<-trusted_first>]
- [B<-reuse>]
- [B<-new>]
- [B<-verify depth>]
-@@ -76,6 +77,12 @@ also used when building the client certi
- A file containing trusted certificates to use during server authentication
- and to use when attempting to build the client certificate chain.
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory over the certificates provided
-+by the server when building the trust chain to verify server certificate.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-new>
-
- performs the timing test using a new session ID for each connection.
-diff -up openssl-1.0.1i/doc/apps/ts.pod.trusted-first openssl-1.0.1i/doc/apps/ts.pod
---- openssl-1.0.1i/doc/apps/ts.pod.trusted-first 2014-07-22 21:41:23.000000000 +0200
-+++ openssl-1.0.1i/doc/apps/ts.pod 2014-08-07 13:54:27.756103429 +0200
-@@ -46,6 +46,7 @@ B<-verify>
- [B<-token_in>]
- [B<-CApath> trusted_cert_path]
- [B<-CAfile> trusted_certs.pem]
-+[B<-trusted_first>]
- [B<-untrusted> cert_file.pem]
-
- =head1 DESCRIPTION
-@@ -324,6 +325,12 @@ L<verify(1)|verify(1)> for additional de
- or B<-CApath> must be specified.
- (Optional)
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory before other certificates
-+when building the trust chain to verify certificates.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-untrusted> cert_file.pem
-
- Set of additional untrusted certificates in PEM format which may be
-diff -up openssl-1.0.1i/doc/apps/verify.pod.trusted-first openssl-1.0.1i/doc/apps/verify.pod
---- openssl-1.0.1i/doc/apps/verify.pod.trusted-first 2014-08-06 23:10:56.000000000 +0200
-+++ openssl-1.0.1i/doc/apps/verify.pod 2014-08-07 13:54:27.756103429 +0200
-@@ -9,6 +9,7 @@ verify - Utility to verify certificates.
- B<openssl> B<verify>
- [B<-CApath directory>]
- [B<-CAfile file>]
-+[B<-trusted_first>]
- [B<-purpose purpose>]
- [B<-policy arg>]
- [B<-ignore_critical>]
-@@ -56,6 +57,12 @@ in PEM format concatenated together.
- A file of untrusted certificates. The file should contain multiple certificates
- in PEM format concatenated together.
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory before the certificates in the untrusted
-+file when building the trust chain to verify certificates.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-purpose purpose>
-
- The intended use for the certificate. If this option is not specified,
diff --git a/openssl-1.0.1j-ephemeral-key-size.patch b/openssl-1.0.1j-ephemeral-key-size.patch
deleted file mode 100644
index e8e8dbb..0000000
--- a/openssl-1.0.1j-ephemeral-key-size.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-diff -up openssl-1.0.1j/apps/s_apps.h.ephemeral openssl-1.0.1j/apps/s_apps.h
---- openssl-1.0.1j/apps/s_apps.h.ephemeral 2014-10-16 13:32:30.772817591 +0200
-+++ openssl-1.0.1j/apps/s_apps.h 2014-10-16 13:32:30.865819691 +0200
-@@ -156,6 +156,7 @@ int MS_CALLBACK verify_callback(int ok,
- int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
- int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
- #endif
-+int ssl_print_tmp_key(BIO *out, SSL *s);
- int init_client(int *sock, char *server, char *port, int type);
- int should_retry(int i);
- int extract_host_port(char *str,char **host_ptr,char **port_ptr);
-diff -up openssl-1.0.1j/apps/s_cb.c.ephemeral openssl-1.0.1j/apps/s_cb.c
---- openssl-1.0.1j/apps/s_cb.c.ephemeral 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/apps/s_cb.c 2014-10-16 13:32:30.865819691 +0200
-@@ -338,6 +338,38 @@ void MS_CALLBACK apps_ssl_info_callback(
- }
- }
-
-+int ssl_print_tmp_key(BIO *out, SSL *s)
-+ {
-+ EVP_PKEY *key;
-+ if (!SSL_get_server_tmp_key(s, &key))
-+ return 1;
-+ BIO_puts(out, "Server Temp Key: ");
-+ switch (EVP_PKEY_id(key))
-+ {
-+ case EVP_PKEY_RSA:
-+ BIO_printf(out, "RSA, %d bits\n", EVP_PKEY_bits(key));
-+ break;
-+
-+ case EVP_PKEY_DH:
-+ BIO_printf(out, "DH, %d bits\n", EVP_PKEY_bits(key));
-+ break;
-+
-+ case EVP_PKEY_EC:
-+ {
-+ EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
-+ int nid;
-+ const char *cname;
-+ nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
-+ EC_KEY_free(ec);
-+ cname = OBJ_nid2sn(nid);
-+ BIO_printf(out, "ECDH, %s, %d bits\n",
-+ cname, EVP_PKEY_bits(key));
-+ }
-+ }
-+ EVP_PKEY_free(key);
-+ return 1;
-+ }
-+
-
- void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)
- {
-diff -up openssl-1.0.1j/apps/s_client.c.ephemeral openssl-1.0.1j/apps/s_client.c
---- openssl-1.0.1j/apps/s_client.c.ephemeral 2014-10-16 13:32:30.860819578 +0200
-+++ openssl-1.0.1j/apps/s_client.c 2014-10-16 13:32:30.865819691 +0200
-@@ -2044,6 +2044,8 @@ static void print_stuff(BIO *bio, SSL *s
- BIO_write(bio,"\n",1);
- }
-
-+ ssl_print_tmp_key(bio, s);
-+
- BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
- BIO_number_read(SSL_get_rbio(s)),
- BIO_number_written(SSL_get_wbio(s)));
-diff -up openssl-1.0.1j/ssl/ssl.h.ephemeral openssl-1.0.1j/ssl/ssl.h
---- openssl-1.0.1j/ssl/ssl.h.ephemeral 2014-10-16 13:32:30.851819375 +0200
-+++ openssl-1.0.1j/ssl/ssl.h 2014-10-16 13:33:23.233001903 +0200
-@@ -1585,6 +1585,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
- #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
- #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83
-
-+#define SSL_CTRL_GET_SERVER_TMP_KEY 109
- #define SSL_CTRL_CHECK_PROTO_VERSION 119
-
- #define DTLSv1_get_timeout(ssl, arg) \
-@@ -1628,6 +1629,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
- #define SSL_CTX_clear_extra_chain_certs(ctx) \
- SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)
-
-+#define SSL_get_server_tmp_key(s, pk) \
-+ SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk)
-+
- #ifndef OPENSSL_NO_BIO
- BIO_METHOD *BIO_f_ssl(void);
- BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
-diff -up openssl-1.0.1j/ssl/s3_lib.c.ephemeral openssl-1.0.1j/ssl/s3_lib.c
---- openssl-1.0.1j/ssl/s3_lib.c.ephemeral 2014-10-16 13:32:30.866819713 +0200
-+++ openssl-1.0.1j/ssl/s3_lib.c 2014-10-16 13:34:08.918033262 +0200
-@@ -3356,6 +3356,45 @@ long ssl3_ctrl(SSL *s, int cmd, long lar
-
- #endif /* !OPENSSL_NO_TLSEXT */
-
-+ case SSL_CTRL_GET_SERVER_TMP_KEY:
-+ if (s->server || !s->session || !s->session->sess_cert)
-+ return 0;
-+ else
-+ {
-+ SESS_CERT *sc;
-+ EVP_PKEY *ptmp;
-+ int rv = 0;
-+ sc = s->session->sess_cert;
-+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC)
-+ if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp
-+ && !sc->peer_ecdh_tmp)
-+ return 0;
-+#endif
-+ ptmp = EVP_PKEY_new();
-+ if (!ptmp)
-+ return 0;
-+ if (0);
-+#ifndef OPENSSL_NO_RSA
-+ else if (sc->peer_rsa_tmp)
-+ rv = EVP_PKEY_set1_RSA(ptmp, sc->peer_rsa_tmp);
-+#endif
-+#ifndef OPENSSL_NO_DH
-+ else if (sc->peer_dh_tmp)
-+ rv = EVP_PKEY_set1_DH(ptmp, sc->peer_dh_tmp);
-+#endif
-+#ifndef OPENSSL_NO_ECDH
-+ else if (sc->peer_ecdh_tmp)
-+ rv = EVP_PKEY_set1_EC_KEY(ptmp, sc->peer_ecdh_tmp);
-+#endif
-+ if (rv)
-+ {
-+ *(EVP_PKEY **)parg = ptmp;
-+ return 1;
-+ }
-+ EVP_PKEY_free(ptmp);
-+ return 0;
-+ }
-+
- case SSL_CTRL_CHECK_PROTO_VERSION:
- /* For library-internal use; checks that the current protocol
- * is the highest enabled version (according to s->ctx->method,
diff --git a/openssl-1.0.1j-evp-wrap.patch b/openssl-1.0.1j-evp-wrap.patch
deleted file mode 100644
index 5e60d76..0000000
--- a/openssl-1.0.1j-evp-wrap.patch
+++ /dev/null
@@ -1,1242 +0,0 @@
-diff -up openssl-1.0.1j/crypto/aes/aes_wrap.c.wrap openssl-1.0.1j/crypto/aes/aes_wrap.c
---- openssl-1.0.1j/crypto/aes/aes_wrap.c.wrap 2014-10-15 13:15:29.000000000 +0200
-+++ openssl-1.0.1j/crypto/aes/aes_wrap.c 2014-10-16 13:30:10.679654927 +0200
-@@ -53,207 +53,18 @@
-
- #include "cryptlib.h"
- #include <openssl/aes.h>
--#include <openssl/bio.h>
--
--static const unsigned char default_iv[] = {
-- 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6,
--};
-+#include <openssl/modes.h>
-
- int AES_wrap_key(AES_KEY *key, const unsigned char *iv,
- unsigned char *out,
- const unsigned char *in, unsigned int inlen)
- {
-- unsigned char *A, B[16], *R;
-- unsigned int i, j, t;
-- if ((inlen & 0x7) || (inlen < 8))
-- return -1;
-- A = B;
-- t = 1;
-- memcpy(out + 8, in, inlen);
-- if (!iv)
-- iv = default_iv;
--
-- memcpy(A, iv, 8);
--
-- for (j = 0; j < 6; j++)
-- {
-- R = out + 8;
-- for (i = 0; i < inlen; i += 8, t++, R += 8)
-- {
-- memcpy(B + 8, R, 8);
-- AES_encrypt(B, B, key);
-- A[7] ^= (unsigned char)(t & 0xff);
-- if (t > 0xff)
-- {
-- A[6] ^= (unsigned char)((t >> 8) & 0xff);
-- A[5] ^= (unsigned char)((t >> 16) & 0xff);
-- A[4] ^= (unsigned char)((t >> 24) & 0xff);
-- }
-- memcpy(R, B + 8, 8);
-- }
-- }
-- memcpy(out, A, 8);
-- return inlen + 8;
-+ return CRYPTO_128_wrap(key, iv, out, in, inlen, (block128_f)AES_encrypt);
- }
-
- int AES_unwrap_key(AES_KEY *key, const unsigned char *iv,
- unsigned char *out,
- const unsigned char *in, unsigned int inlen)
- {
-- unsigned char *A, B[16], *R;
-- unsigned int i, j, t;
-- inlen -= 8;
-- if (inlen & 0x7)
-- return -1;
-- if (inlen < 8)
-- return -1;
-- A = B;
-- t = 6 * (inlen >> 3);
-- memcpy(A, in, 8);
-- memcpy(out, in + 8, inlen);
-- for (j = 0; j < 6; j++)
-- {
-- R = out + inlen - 8;
-- for (i = 0; i < inlen; i += 8, t--, R -= 8)
-- {
-- A[7] ^= (unsigned char)(t & 0xff);
-- if (t > 0xff)
-- {
-- A[6] ^= (unsigned char)((t >> 8) & 0xff);
-- A[5] ^= (unsigned char)((t >> 16) & 0xff);
-- A[4] ^= (unsigned char)((t >> 24) & 0xff);
-- }
-- memcpy(B + 8, R, 8);
-- AES_decrypt(B, B, key);
-- memcpy(R, B + 8, 8);
-- }
-- }
-- if (!iv)
-- iv = default_iv;
-- if (memcmp(A, iv, 8))
-- {
-- OPENSSL_cleanse(out, inlen);
-- return 0;
-- }
-- return inlen;
-- }
--
--#ifdef AES_WRAP_TEST
--
--int AES_wrap_unwrap_test(const unsigned char *kek, int keybits,
-- const unsigned char *iv,
-- const unsigned char *eout,
-- const unsigned char *key, int keylen)
-- {
-- unsigned char *otmp = NULL, *ptmp = NULL;
-- int r, ret = 0;
-- AES_KEY wctx;
-- otmp = OPENSSL_malloc(keylen + 8);
-- ptmp = OPENSSL_malloc(keylen);
-- if (!otmp || !ptmp)
-- return 0;
-- if (AES_set_encrypt_key(kek, keybits, &wctx))
-- goto err;
-- r = AES_wrap_key(&wctx, iv, otmp, key, keylen);
-- if (r <= 0)
-- goto err;
--
-- if (eout && memcmp(eout, otmp, keylen))
-- goto err;
--
-- if (AES_set_decrypt_key(kek, keybits, &wctx))
-- goto err;
-- r = AES_unwrap_key(&wctx, iv, ptmp, otmp, r);
--
-- if (memcmp(key, ptmp, keylen))
-- goto err;
--
-- ret = 1;
--
-- err:
-- if (otmp)
-- OPENSSL_free(otmp);
-- if (ptmp)
-- OPENSSL_free(ptmp);
--
-- return ret;
--
-+ return CRYPTO_128_unwrap(key, iv, out, in, inlen, (block128_f)AES_decrypt);
- }
--
--
--
--int main(int argc, char **argv)
--{
--
--static const unsigned char kek[] = {
-- 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-- 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
-- 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
-- 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
--};
--
--static const unsigned char key[] = {
-- 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
-- 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
-- 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-- 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
--};
--
--static const unsigned char e1[] = {
-- 0x1f, 0xa6, 0x8b, 0x0a, 0x81, 0x12, 0xb4, 0x47,
-- 0xae, 0xf3, 0x4b, 0xd8, 0xfb, 0x5a, 0x7b, 0x82,
-- 0x9d, 0x3e, 0x86, 0x23, 0x71, 0xd2, 0xcf, 0xe5
--};
--
--static const unsigned char e2[] = {
-- 0x96, 0x77, 0x8b, 0x25, 0xae, 0x6c, 0xa4, 0x35,
-- 0xf9, 0x2b, 0x5b, 0x97, 0xc0, 0x50, 0xae, 0xd2,
-- 0x46, 0x8a, 0xb8, 0xa1, 0x7a, 0xd8, 0x4e, 0x5d
--};
--
--static const unsigned char e3[] = {
-- 0x64, 0xe8, 0xc3, 0xf9, 0xce, 0x0f, 0x5b, 0xa2,
-- 0x63, 0xe9, 0x77, 0x79, 0x05, 0x81, 0x8a, 0x2a,
-- 0x93, 0xc8, 0x19, 0x1e, 0x7d, 0x6e, 0x8a, 0xe7
--};
--
--static const unsigned char e4[] = {
-- 0x03, 0x1d, 0x33, 0x26, 0x4e, 0x15, 0xd3, 0x32,
-- 0x68, 0xf2, 0x4e, 0xc2, 0x60, 0x74, 0x3e, 0xdc,
-- 0xe1, 0xc6, 0xc7, 0xdd, 0xee, 0x72, 0x5a, 0x93,
-- 0x6b, 0xa8, 0x14, 0x91, 0x5c, 0x67, 0x62, 0xd2
--};
--
--static const unsigned char e5[] = {
-- 0xa8, 0xf9, 0xbc, 0x16, 0x12, 0xc6, 0x8b, 0x3f,
-- 0xf6, 0xe6, 0xf4, 0xfb, 0xe3, 0x0e, 0x71, 0xe4,
-- 0x76, 0x9c, 0x8b, 0x80, 0xa3, 0x2c, 0xb8, 0x95,
-- 0x8c, 0xd5, 0xd1, 0x7d, 0x6b, 0x25, 0x4d, 0xa1
--};
--
--static const unsigned char e6[] = {
-- 0x28, 0xc9, 0xf4, 0x04, 0xc4, 0xb8, 0x10, 0xf4,
-- 0xcb, 0xcc, 0xb3, 0x5c, 0xfb, 0x87, 0xf8, 0x26,
-- 0x3f, 0x57, 0x86, 0xe2, 0xd8, 0x0e, 0xd3, 0x26,
-- 0xcb, 0xc7, 0xf0, 0xe7, 0x1a, 0x99, 0xf4, 0x3b,
-- 0xfb, 0x98, 0x8b, 0x9b, 0x7a, 0x02, 0xdd, 0x21
--};
--
-- AES_KEY wctx, xctx;
-- int ret;
-- ret = AES_wrap_unwrap_test(kek, 128, NULL, e1, key, 16);
-- fprintf(stderr, "Key test result %d\n", ret);
-- ret = AES_wrap_unwrap_test(kek, 192, NULL, e2, key, 16);
-- fprintf(stderr, "Key test result %d\n", ret);
-- ret = AES_wrap_unwrap_test(kek, 256, NULL, e3, key, 16);
-- fprintf(stderr, "Key test result %d\n", ret);
-- ret = AES_wrap_unwrap_test(kek, 192, NULL, e4, key, 24);
-- fprintf(stderr, "Key test result %d\n", ret);
-- ret = AES_wrap_unwrap_test(kek, 256, NULL, e5, key, 24);
-- fprintf(stderr, "Key test result %d\n", ret);
-- ret = AES_wrap_unwrap_test(kek, 256, NULL, e6, key, 32);
-- fprintf(stderr, "Key test result %d\n", ret);
--}
--
--
--#endif
-diff -up openssl-1.0.1j/crypto/evp/c_allc.c.wrap openssl-1.0.1j/crypto/evp/c_allc.c
---- openssl-1.0.1j/crypto/evp/c_allc.c.wrap 2014-10-16 13:30:10.583652760 +0200
-+++ openssl-1.0.1j/crypto/evp/c_allc.c 2014-10-16 13:30:10.679654927 +0200
-@@ -98,6 +98,7 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher(EVP_des_ecb());
- EVP_add_cipher(EVP_des_ede());
- EVP_add_cipher(EVP_des_ede3());
-+ EVP_add_cipher(EVP_des_ede3_wrap());
- #endif
-
- #ifndef OPENSSL_NO_RC4
-@@ -177,6 +178,8 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher(EVP_aes_128_ctr());
- EVP_add_cipher(EVP_aes_128_gcm());
- EVP_add_cipher(EVP_aes_128_xts());
-+ EVP_add_cipher(EVP_aes_128_wrap());
-+ EVP_add_cipher(EVP_aes_128_wrap_pad());
- EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
- EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
- EVP_add_cipher(EVP_aes_192_ecb());
-@@ -187,6 +190,8 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher(EVP_aes_192_ofb());
- EVP_add_cipher(EVP_aes_192_ctr());
- EVP_add_cipher(EVP_aes_192_gcm());
-+ EVP_add_cipher(EVP_aes_192_wrap());
-+ EVP_add_cipher(EVP_aes_192_wrap_pad());
- EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
- EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
- EVP_add_cipher(EVP_aes_256_ecb());
-@@ -198,6 +203,8 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher(EVP_aes_256_ctr());
- EVP_add_cipher(EVP_aes_256_gcm());
- EVP_add_cipher(EVP_aes_256_xts());
-+ EVP_add_cipher(EVP_aes_256_wrap());
-+ EVP_add_cipher(EVP_aes_256_wrap_pad());
- EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
- EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
- #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
-@@ -250,6 +257,7 @@ void OpenSSL_add_all_ciphers(void)
-
- EVP_add_cipher(EVP_des_ede());
- EVP_add_cipher(EVP_des_ede3());
-+ EVP_add_cipher(EVP_des_ede3_wrap());
- #endif
-
- #ifndef OPENSSL_NO_AES
-@@ -262,6 +270,8 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher(EVP_aes_128_ctr());
- EVP_add_cipher(EVP_aes_128_gcm());
- EVP_add_cipher(EVP_aes_128_xts());
-+ EVP_add_cipher(EVP_aes_128_wrap());
-+ EVP_add_cipher(EVP_aes_128_wrap_pad());
- EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
- EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
- EVP_add_cipher(EVP_aes_192_ecb());
-@@ -272,6 +282,8 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher(EVP_aes_192_ofb());
- EVP_add_cipher(EVP_aes_192_ctr());
- EVP_add_cipher(EVP_aes_192_gcm());
-+ EVP_add_cipher(EVP_aes_192_wrap());
-+ EVP_add_cipher(EVP_aes_192_wrap_pad());
- EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
- EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
- EVP_add_cipher(EVP_aes_256_ecb());
-@@ -283,6 +295,8 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher(EVP_aes_256_ctr());
- EVP_add_cipher(EVP_aes_256_gcm());
- EVP_add_cipher(EVP_aes_256_xts());
-+ EVP_add_cipher(EVP_aes_256_wrap());
-+ EVP_add_cipher(EVP_aes_256_wrap_pad());
- EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
- EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
- #endif
-diff -up openssl-1.0.1j/crypto/evp/e_aes.c.wrap openssl-1.0.1j/crypto/evp/e_aes.c
---- openssl-1.0.1j/crypto/evp/e_aes.c.wrap 2014-10-16 13:30:10.584652782 +0200
-+++ openssl-1.0.1j/crypto/evp/e_aes.c 2014-10-16 13:30:10.679654927 +0200
-@@ -1,5 +1,5 @@
- /* ====================================================================
-- * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
-+ * Copyright (c) 2001-2014 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
-@@ -1384,4 +1384,180 @@ BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm
- BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
- BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
-
-+typedef struct
-+ {
-+ union { double align; AES_KEY ks; } ks;
-+ /* Indicates if IV has been set */
-+ unsigned char *iv;
-+ } EVP_AES_WRAP_CTX;
-+
-+static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-+ const unsigned char *iv, int enc)
-+ {
-+ EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
-+ if (!iv && !key)
-+ return 1;
-+ if (key)
-+ {
-+ if (ctx->encrypt)
-+ AES_set_encrypt_key(key, ctx->key_len * 8, &wctx->ks.ks);
-+ else
-+ AES_set_decrypt_key(key, ctx->key_len * 8, &wctx->ks.ks);
-+ if (!iv)
-+ wctx->iv = NULL;
-+ }
-+ if (iv)
-+ {
-+ memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
-+ wctx->iv = ctx->iv;
-+ }
-+ return 1;
-+ }
-+
-+static int aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+ const unsigned char *in, size_t inlen)
-+ {
-+ EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
-+ size_t rv;
-+ /* AES wrap with padding has IV length of 4, without padding 8 */
-+ int pad = EVP_CIPHER_CTX_iv_length(ctx) == 4;
-+ /* No final operation so always return zero length */
-+ if (!in)
-+ return 0;
-+ /* Input length must always be non-zero */
-+ if (!inlen)
-+ return -1;
-+ /* If decrypting need at least 16 bytes and multiple of 8 */
-+ if (!ctx->encrypt && (inlen < 16 || inlen & 0x7))
-+ return -1;
-+ /* If not padding input must be multiple of 8 */
-+ if (!pad && inlen & 0x7)
-+ return -1;
-+ if (!out)
-+ {
-+ if (ctx->encrypt)
-+ {
-+ /* If padding round up to multiple of 8 */
-+ if (pad)
-+ inlen = (inlen + 7)/8 * 8;
-+ /* 8 byte prefix */
-+ return inlen + 8;
-+ }
-+ else
-+ {
-+ /* If not padding output will be exactly 8 bytes
-+ * smaller than input. If padding it will be at
-+ * least 8 bytes smaller but we don't know how
-+ * much.
-+ */
-+ return inlen - 8;
-+ }
-+ }
-+ if (pad)
-+ {
-+ if (ctx->encrypt)
-+ rv = CRYPTO_128_wrap_pad(&wctx->ks.ks, wctx->iv,
-+ out, in, inlen,
-+ (block128_f)AES_encrypt);
-+ else
-+ rv = CRYPTO_128_unwrap_pad(&wctx->ks.ks, wctx->iv,
-+ out, in, inlen,
-+ (block128_f)AES_decrypt);
-+ }
-+ else
-+ {
-+ if (ctx->encrypt)
-+ rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv,
-+ out, in, inlen,
-+ (block128_f)AES_encrypt);
-+ else
-+ rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv,
-+ out, in, inlen,
-+ (block128_f)AES_decrypt);
-+ }
-+ return rv ? (int)rv : -1;
-+ }
-+
-+#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_FLAG_FIPS \
-+ | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
-+ | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
-+
-+static const EVP_CIPHER aes_128_wrap = {
-+ NID_id_aes128_wrap,
-+ 8, 16, 8, WRAP_FLAGS,
-+ aes_wrap_init_key, aes_wrap_cipher,
-+ NULL,
-+ sizeof(EVP_AES_WRAP_CTX),
-+ NULL,NULL,NULL,NULL };
-+
-+const EVP_CIPHER *EVP_aes_128_wrap(void)
-+ {
-+ return &aes_128_wrap;
-+ }
-+
-+static const EVP_CIPHER aes_192_wrap = {
-+ NID_id_aes192_wrap,
-+ 8, 24, 8, WRAP_FLAGS,
-+ aes_wrap_init_key, aes_wrap_cipher,
-+ NULL,
-+ sizeof(EVP_AES_WRAP_CTX),
-+ NULL,NULL,NULL,NULL };
-+
-+const EVP_CIPHER *EVP_aes_192_wrap(void)
-+ {
-+ return &aes_192_wrap;
-+ }
-+
-+static const EVP_CIPHER aes_256_wrap = {
-+ NID_id_aes256_wrap,
-+ 8, 32, 8, WRAP_FLAGS,
-+ aes_wrap_init_key, aes_wrap_cipher,
-+ NULL,
-+ sizeof(EVP_AES_WRAP_CTX),
-+ NULL,NULL,NULL,NULL };
-+
-+const EVP_CIPHER *EVP_aes_256_wrap(void)
-+ {
-+ return &aes_256_wrap;
-+ }
-+
-+static const EVP_CIPHER aes_128_wrap_pad = {
-+ NID_id_aes128_wrap_pad,
-+ 8, 16, 4, WRAP_FLAGS,
-+ aes_wrap_init_key, aes_wrap_cipher,
-+ NULL,
-+ sizeof(EVP_AES_WRAP_CTX),
-+ NULL,NULL,NULL,NULL };
-+
-+const EVP_CIPHER *EVP_aes_128_wrap_pad(void)
-+ {
-+ return &aes_128_wrap_pad;
-+ }
-+
-+static const EVP_CIPHER aes_192_wrap_pad = {
-+ NID_id_aes192_wrap_pad,
-+ 8, 24, 4, WRAP_FLAGS,
-+ aes_wrap_init_key, aes_wrap_cipher,
-+ NULL,
-+ sizeof(EVP_AES_WRAP_CTX),
-+ NULL,NULL,NULL,NULL };
-+
-+const EVP_CIPHER *EVP_aes_192_wrap_pad(void)
-+ {
-+ return &aes_192_wrap_pad;
-+ }
-+
-+static const EVP_CIPHER aes_256_wrap_pad = {
-+ NID_id_aes256_wrap_pad,
-+ 8, 32, 4, WRAP_FLAGS,
-+ aes_wrap_init_key, aes_wrap_cipher,
-+ NULL,
-+ sizeof(EVP_AES_WRAP_CTX),
-+ NULL,NULL,NULL,NULL };
-+
-+const EVP_CIPHER *EVP_aes_256_wrap_pad(void)
-+ {
-+ return &aes_256_wrap_pad;
-+ }
-+
- #endif
-diff -up openssl-1.0.1j/crypto/evp/e_des3.c.wrap openssl-1.0.1j/crypto/evp/e_des3.c
---- openssl-1.0.1j/crypto/evp/e_des3.c.wrap 2014-10-16 13:30:10.584652782 +0200
-+++ openssl-1.0.1j/crypto/evp/e_des3.c 2014-10-16 13:30:10.679654927 +0200
-@@ -310,4 +310,112 @@ const EVP_CIPHER *EVP_des_ede3(void)
- {
- return &des_ede3_ecb;
- }
-+
-+#ifndef OPENSSL_NO_SHA
-+
-+#include <openssl/sha.h>
-+
-+static const unsigned char wrap_iv[8] = {0x4a,0xdd,0xa2,0x2c,0x79,0xe8,0x21,0x05};
-+
-+static int des_ede3_unwrap(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+ const unsigned char *in, size_t inl)
-+ {
-+ unsigned char icv[8], iv[8], sha1tmp[SHA_DIGEST_LENGTH];
-+ int rv = -1;
-+ if (inl < 24)
-+ return -1;
-+ if (!out)
-+ return inl - 16;
-+ memcpy(ctx->iv, wrap_iv, 8);
-+ /* Decrypt first block which will end up as icv */
-+ des_ede_cbc_cipher(ctx, icv, in, 8);
-+ /* Decrypt central blocks */
-+ /* If decrypting in place move whole output along a block
-+ * so the next des_ede_cbc_cipher is in place.
-+ */
-+ if (out == in)
-+ {
-+ memmove(out, out + 8, inl - 8);
-+ in -= 8;
-+ }
-+ des_ede_cbc_cipher(ctx, out, in + 8, inl - 16);
-+ /* Decrypt final block which will be IV */
-+ des_ede_cbc_cipher(ctx, iv, in + inl - 8, 8);
-+ /* Reverse order of everything */
-+ BUF_reverse(icv, NULL, 8);
-+ BUF_reverse(out, NULL, inl - 16);
-+ BUF_reverse(ctx->iv, iv, 8);
-+ /* Decrypt again using new IV */
-+ des_ede_cbc_cipher(ctx, out, out, inl - 16);
-+ des_ede_cbc_cipher(ctx, icv, icv, 8);
-+ /* Work out SHA1 hash of first portion */
-+ SHA1(out, inl - 16, sha1tmp);
-+
-+ if (!CRYPTO_memcmp(sha1tmp, icv, 8))
-+ rv = inl - 16;
-+ OPENSSL_cleanse(icv, 8);
-+ OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH);
-+ OPENSSL_cleanse(iv, 8);
-+ OPENSSL_cleanse(ctx->iv, 8);
-+ if (rv == -1)
-+ OPENSSL_cleanse(out, inl - 16);
-+
-+ return rv;
-+ }
-+
-+static int des_ede3_wrap(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+ const unsigned char *in, size_t inl)
-+ {
-+ unsigned char sha1tmp[SHA_DIGEST_LENGTH];
-+ if (!out)
-+ return inl + 16;
-+ /* Copy input to output buffer + 8 so we have space for IV */
-+ memmove(out + 8, in, inl);
-+ /* Work out ICV */
-+ SHA1(in, inl, sha1tmp);
-+ memcpy(out + inl + 8, sha1tmp, 8);
-+ OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH);
-+ /* Generate random IV */
-+ RAND_bytes(ctx->iv, 8);
-+ memcpy(out, ctx->iv, 8);
-+ /* Encrypt everything after IV in place */
-+ des_ede_cbc_cipher(ctx, out + 8, out + 8, inl + 8);
-+ BUF_reverse(out, NULL, inl + 16);
-+ memcpy(ctx->iv, wrap_iv, 8);
-+ des_ede_cbc_cipher(ctx, out, out, inl + 16);
-+ return inl + 16;
-+ }
-+
-+static int des_ede3_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+ const unsigned char *in, size_t inl)
-+ {
-+ /* Sanity check input length: we typically only wrap keys
-+ * so EVP_MAXCHUNK is more than will ever be needed. Also
-+ * input length must be a multiple of 8 bits.
-+ */
-+ if (inl >= EVP_MAXCHUNK || inl % 8)
-+ return -1;
-+ if (ctx->encrypt)
-+ return des_ede3_wrap(ctx, out, in, inl);
-+ else
-+ return des_ede3_unwrap(ctx, out, in, inl);
-+ }
-+
-+static const EVP_CIPHER des3_wrap = {
-+ NID_id_smime_alg_CMS3DESwrap,
-+ 8, 24, 0,
-+ EVP_CIPH_WRAP_MODE|EVP_CIPH_CUSTOM_IV|EVP_CIPH_FLAG_CUSTOM_CIPHER
-+ |EVP_CIPH_FLAG_DEFAULT_ASN1|EVP_CIPH_FLAG_FIPS,
-+ des_ede3_init_key, des_ede3_wrap_cipher,
-+ NULL,
-+ sizeof(DES_EDE_KEY),
-+ NULL,NULL,NULL,NULL };
-+
-+
-+const EVP_CIPHER *EVP_des_ede3_wrap(void)
-+ {
-+ return &des3_wrap;
-+ }
-+
-+# endif
- #endif
-diff -up openssl-1.0.1j/crypto/evp/evp_enc.c.wrap openssl-1.0.1j/crypto/evp/evp_enc.c
---- openssl-1.0.1j/crypto/evp/evp_enc.c.wrap 2014-10-16 13:30:10.584652782 +0200
-+++ openssl-1.0.1j/crypto/evp/evp_enc.c 2014-10-16 13:30:10.680654949 +0200
-@@ -234,7 +234,8 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
- ctx->cipher_data = NULL;
- }
- ctx->key_len = cipher->key_len;
-- ctx->flags = 0;
-+ /* Preserve wrap enable flag, zero everything else */
-+ ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW;
- if(ctx->cipher->flags & EVP_CIPH_CTRL_INIT)
- {
- if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL))
-@@ -257,6 +258,13 @@ skip_to_init:
- || ctx->cipher->block_size == 8
- || ctx->cipher->block_size == 16);
-
-+ if(!(ctx->flags & EVP_CIPHER_CTX_FLAG_WRAP_ALLOW)
-+ && EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_WRAP_MODE)
-+ {
-+ EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_WRAP_MODE_NOT_ALLOWED);
-+ return 0;
-+ }
-+
- if(!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) {
- switch(EVP_CIPHER_CTX_mode(ctx)) {
-
-diff -up openssl-1.0.1j/crypto/evp/evp_err.c.wrap openssl-1.0.1j/crypto/evp/evp_err.c
---- openssl-1.0.1j/crypto/evp/evp_err.c.wrap 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/evp/evp_err.c 2014-10-16 13:30:10.680654949 +0200
-@@ -1,6 +1,6 @@
- /* crypto/evp/evp_err.c */
- /* ====================================================================
-- * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
-+ * Copyright (c) 1999-2013 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
-@@ -220,6 +220,7 @@ static ERR_STRING_DATA EVP_str_reasons[]
- {ERR_REASON(EVP_R_UNSUPPORTED_PRF) ,"unsupported prf"},
- {ERR_REASON(EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM),"unsupported private key algorithm"},
- {ERR_REASON(EVP_R_UNSUPPORTED_SALT_TYPE) ,"unsupported salt type"},
-+{ERR_REASON(EVP_R_WRAP_MODE_NOT_ALLOWED) ,"wrap mode not allowed"},
- {ERR_REASON(EVP_R_WRONG_FINAL_BLOCK_LENGTH),"wrong final block length"},
- {ERR_REASON(EVP_R_WRONG_PUBLIC_KEY_TYPE) ,"wrong public key type"},
- {0,NULL}
-diff -up openssl-1.0.1j/crypto/evp/evp.h.wrap openssl-1.0.1j/crypto/evp/evp.h
---- openssl-1.0.1j/crypto/evp/evp.h.wrap 2014-10-16 13:30:10.585652805 +0200
-+++ openssl-1.0.1j/crypto/evp/evp.h 2014-10-16 13:30:10.680654949 +0200
-@@ -336,6 +336,7 @@ struct evp_cipher_st
- #define EVP_CIPH_GCM_MODE 0x6
- #define EVP_CIPH_CCM_MODE 0x7
- #define EVP_CIPH_XTS_MODE 0x10001
-+#define EVP_CIPH_WRAP_MODE 0x10002
- #define EVP_CIPH_MODE 0xF0007
- /* Set if variable length cipher */
- #define EVP_CIPH_VARIABLE_LENGTH 0x8
-@@ -367,6 +368,13 @@ struct evp_cipher_st
- #define EVP_CIPH_FLAG_CUSTOM_CIPHER 0x100000
- #define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000
-
-+/* Cipher context flag to indicate we can handle
-+ * wrap mode: if allowed in older applications it could
-+ * overflow buffers.
-+ */
-+
-+#define EVP_CIPHER_CTX_FLAG_WRAP_ALLOW 0x1
-+
- /* ctrl() values */
-
- #define EVP_CTRL_INIT 0x0
-@@ -729,6 +737,7 @@ const EVP_CIPHER *EVP_des_cbc(void);
- const EVP_CIPHER *EVP_des_ede_cbc(void);
- const EVP_CIPHER *EVP_des_ede3_cbc(void);
- const EVP_CIPHER *EVP_desx_cbc(void);
-+const EVP_CIPHER *EVP_des_ede3_wrap(void);
- /* This should now be supported through the dev_crypto ENGINE. But also, why are
- * rc4 and md5 declarations made here inside a "NO_DES" precompiler branch? */
- #if 0
-@@ -788,6 +797,8 @@ const EVP_CIPHER *EVP_aes_128_ctr(void);
- const EVP_CIPHER *EVP_aes_128_ccm(void);
- const EVP_CIPHER *EVP_aes_128_gcm(void);
- const EVP_CIPHER *EVP_aes_128_xts(void);
-+const EVP_CIPHER *EVP_aes_128_wrap(void);
-+const EVP_CIPHER *EVP_aes_128_wrap_pad(void);
- const EVP_CIPHER *EVP_aes_192_ecb(void);
- const EVP_CIPHER *EVP_aes_192_cbc(void);
- const EVP_CIPHER *EVP_aes_192_cfb1(void);
-@@ -798,6 +809,8 @@ const EVP_CIPHER *EVP_aes_192_ofb(void);
- const EVP_CIPHER *EVP_aes_192_ctr(void);
- const EVP_CIPHER *EVP_aes_192_ccm(void);
- const EVP_CIPHER *EVP_aes_192_gcm(void);
-+const EVP_CIPHER *EVP_aes_192_wrap(void);
-+const EVP_CIPHER *EVP_aes_192_wrap_pad(void);
- const EVP_CIPHER *EVP_aes_256_ecb(void);
- const EVP_CIPHER *EVP_aes_256_cbc(void);
- const EVP_CIPHER *EVP_aes_256_cfb1(void);
-@@ -809,6 +822,8 @@ const EVP_CIPHER *EVP_aes_256_ctr(void);
- const EVP_CIPHER *EVP_aes_256_ccm(void);
- const EVP_CIPHER *EVP_aes_256_gcm(void);
- const EVP_CIPHER *EVP_aes_256_xts(void);
-+const EVP_CIPHER *EVP_aes_256_wrap(void);
-+const EVP_CIPHER *EVP_aes_256_wrap_pad(void);
- #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
- const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void);
- const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void);
-@@ -1397,6 +1412,7 @@ void ERR_load_EVP_strings(void);
- #define EVP_R_UNSUPPORTED_PRF 125
- #define EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM 118
- #define EVP_R_UNSUPPORTED_SALT_TYPE 126
-+#define EVP_R_WRAP_MODE_NOT_ALLOWED 170
- #define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109
- #define EVP_R_WRONG_PUBLIC_KEY_TYPE 110
-
-diff -up openssl-1.0.1j/crypto/evp/evp_lib.c.wrap openssl-1.0.1j/crypto/evp/evp_lib.c
---- openssl-1.0.1j/crypto/evp/evp_lib.c.wrap 2014-10-16 13:30:10.585652805 +0200
-+++ openssl-1.0.1j/crypto/evp/evp_lib.c 2014-10-16 13:30:10.680654949 +0200
-@@ -68,7 +68,15 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_
- if (c->cipher->set_asn1_parameters != NULL)
- ret=c->cipher->set_asn1_parameters(c,type);
- else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1)
-- ret=EVP_CIPHER_set_asn1_iv(c, type);
-+ {
-+ if (EVP_CIPHER_CTX_mode(c) == EVP_CIPH_WRAP_MODE)
-+ {
-+ ASN1_TYPE_set(type, V_ASN1_NULL, NULL);
-+ ret = 1;
-+ }
-+ else
-+ ret=EVP_CIPHER_set_asn1_iv(c, type);
-+ }
- else
- ret=-1;
- return(ret);
-@@ -81,7 +89,11 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_
- if (c->cipher->get_asn1_parameters != NULL)
- ret=c->cipher->get_asn1_parameters(c,type);
- else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1)
-+ {
-+ if (EVP_CIPHER_CTX_mode(c) == EVP_CIPH_WRAP_MODE)
-+ return 1;
- ret=EVP_CIPHER_get_asn1_iv(c, type);
-+ }
- else
- ret=-1;
- return(ret);
-diff -up openssl-1.0.1j/crypto/evp/evp_test.c.wrap openssl-1.0.1j/crypto/evp/evp_test.c
---- openssl-1.0.1j/crypto/evp/evp_test.c.wrap 2014-10-15 14:51:06.000000000 +0200
-+++ openssl-1.0.1j/crypto/evp/evp_test.c 2014-10-16 13:30:10.680654949 +0200
-@@ -141,7 +141,7 @@ static void test1(const EVP_CIPHER *c,co
- {
- EVP_CIPHER_CTX ctx;
- unsigned char out[4096];
-- int outl,outl2;
-+ int outl,outl2,mode;
-
- printf("Testing cipher %s%s\n",EVP_CIPHER_name(c),
- (encdec == 1 ? "(encrypt)" : (encdec == 0 ? "(decrypt)" : "(encrypt/decrypt)")));
-@@ -151,6 +151,7 @@ static void test1(const EVP_CIPHER *c,co
- hexdump(stdout,"Plaintext",plaintext,pn);
- hexdump(stdout,"Ciphertext",ciphertext,cn);
-
-+ mode = EVP_CIPHER_mode(c);
- if(kn != c->key_len)
- {
- fprintf(stderr,"Key length doesn't match, got %d expected %lu\n",kn,
-@@ -158,9 +159,19 @@ static void test1(const EVP_CIPHER *c,co
- test1_exit(5);
- }
- EVP_CIPHER_CTX_init(&ctx);
-+ EVP_CIPHER_CTX_set_flags(&ctx,EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
- if (encdec != 0)
- {
-- if(!EVP_EncryptInit_ex(&ctx,c,NULL,key,iv))
-+ if (mode == EVP_CIPH_WRAP_MODE)
-+ {
-+ if(!EVP_EncryptInit_ex(&ctx,c,NULL,key,in ? iv : NULL))
-+ {
-+ fprintf(stderr,"EncryptInit failed\n");
-+ ERR_print_errors_fp(stderr);
-+ test1_exit(10);
-+ }
-+ }
-+ else if(!EVP_EncryptInit_ex(&ctx,c,NULL,key,iv))
- {
- fprintf(stderr,"EncryptInit failed\n");
- ERR_print_errors_fp(stderr);
-@@ -199,7 +210,16 @@ static void test1(const EVP_CIPHER *c,co
-
- if (encdec <= 0)
- {
-- if(!EVP_DecryptInit_ex(&ctx,c,NULL,key,iv))
-+ if (mode == EVP_CIPH_WRAP_MODE)
-+ {
-+ if(!EVP_DecryptInit_ex(&ctx,c,NULL,key,in ? iv : NULL))
-+ {
-+ fprintf(stderr,"EncryptInit failed\n");
-+ ERR_print_errors_fp(stderr);
-+ test1_exit(10);
-+ }
-+ }
-+ else if(!EVP_DecryptInit_ex(&ctx,c,NULL,key,iv))
- {
- fprintf(stderr,"DecryptInit failed\n");
- ERR_print_errors_fp(stderr);
-@@ -339,7 +359,7 @@ int main(int argc,char **argv)
- perror(szTestFile);
- EXIT(2);
- }
--
-+ ERR_load_crypto_strings();
- /* Load up the software EVP_CIPHER and EVP_MD definitions */
- OpenSSL_add_all_ciphers();
- OpenSSL_add_all_digests();
-diff -up openssl-1.0.1j/crypto/evp/evptests.txt.wrap openssl-1.0.1j/crypto/evp/evptests.txt
---- openssl-1.0.1j/crypto/evp/evptests.txt.wrap 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/evp/evptests.txt 2014-10-16 13:30:10.681654972 +0200
-@@ -332,3 +332,15 @@ SEED-ECB:0000000000000000000000000000000
- SEED-ECB:000102030405060708090A0B0C0D0E0F::00000000000000000000000000000000:C11F22F20140505084483597E4370F43:1
- SEED-ECB:4706480851E61BE85D74BFB3FD956185::83A2F8A288641FB9A4E9A5CC2F131C7D:EE54D13EBCAE706D226BC3142CD40D4A:1
- SEED-ECB:28DBC3BC49FFD87DCFA509B11D422BE7::B41E6BE2EBA84A148E2EED84593C5EC7:9B9B7BFCD1813CB95D0B3618F40F5122:1
-+
-+# AES wrap tests from RFC3394
-+id-aes128-wrap:000102030405060708090A0B0C0D0E0F::00112233445566778899AABBCCDDEEFF:1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5
-+id-aes192-wrap:000102030405060708090A0B0C0D0E0F1011121314151617::00112233445566778899AABBCCDDEEFF:96778B25AE6CA435F92B5B97C050AED2468AB8A17AD84E5D
-+id-aes256-wrap:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF:64E8C3F9CE0F5BA263E9777905818A2A93C8191E7D6E8AE7
-+id-aes192-wrap:000102030405060708090A0B0C0D0E0F1011121314151617::00112233445566778899AABBCCDDEEFF0001020304050607:031D33264E15D33268F24EC260743EDCE1C6C7DDEE725A936BA814915C6762D2
-+id-aes256-wrap:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF0001020304050607:A8F9BC1612C68B3FF6E6F4FBE30E71E4769C8B80A32CB8958CD5D17D6B254DA1
-+id-aes256-wrap:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF000102030405060708090A0B0C0D0E0F:28C9F404C4B810F4CBCCB35CFB87F8263F5786E2D80ED326CBC7F0E71A99F43BFB988B9B7A02DD21
-+# AES wrap tests from RFC5649
-+id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::c37b7e6492584340bed12207808941155068f738:138bdeaa9b8fa7fc61f97742e72248ee5ae6ae5360d1ae6a5f54f373fa543b6a
-+id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::466f7250617369:afbeb0f07dfbf5419200f2ccb50bb24f
-+
-diff -up openssl-1.0.1j/crypto/modes/Makefile.wrap openssl-1.0.1j/crypto/modes/Makefile
---- openssl-1.0.1j/crypto/modes/Makefile.wrap 2014-10-16 13:30:10.560652240 +0200
-+++ openssl-1.0.1j/crypto/modes/Makefile 2014-10-16 13:30:10.681654972 +0200
-@@ -22,9 +22,9 @@ APPS=
-
- LIB=$(TOP)/libcrypto.a
- LIBSRC= cbc128.c ctr128.c cts128.c cfb128.c ofb128.c gcm128.c \
-- ccm128.c xts128.c
-+ ccm128.c xts128.c wrap128.c
- LIBOBJ= cbc128.o ctr128.o cts128.o cfb128.o ofb128.o gcm128.o \
-- ccm128.o xts128.o $(MODES_ASM_OBJ)
-+ ccm128.o xts128.o wrap128.o $(MODES_ASM_OBJ)
-
- SRC= $(LIBSRC)
-
-diff -up openssl-1.0.1j/crypto/modes/modes.h.wrap openssl-1.0.1j/crypto/modes/modes.h
---- openssl-1.0.1j/crypto/modes/modes.h.wrap 2014-10-16 13:30:10.681654972 +0200
-+++ openssl-1.0.1j/crypto/modes/modes.h 2014-10-16 13:31:01.232796186 +0200
-@@ -136,6 +136,20 @@ typedef struct xts128_context XTS128_CON
-
- int CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16],
- const unsigned char *inp, unsigned char *out, size_t len, int enc);
-+
-+size_t CRYPTO_128_wrap(void *key, const unsigned char *iv,
-+ unsigned char *out,
-+ const unsigned char *in, size_t inlen, block128_f block);
-+
-+size_t CRYPTO_128_unwrap(void *key, const unsigned char *iv,
-+ unsigned char *out,
-+ const unsigned char *in, size_t inlen, block128_f block);
-+size_t CRYPTO_128_wrap_pad(void *key, const unsigned char *icv,
-+ unsigned char *out,
-+ const unsigned char *in, size_t inlen, block128_f block);
-+size_t CRYPTO_128_unwrap_pad(void *key, const unsigned char *icv,
-+ unsigned char *out,
-+ const unsigned char *in, size_t inlen, block128_f block);
- #ifdef __cplusplus
- }
- #endif
-diff -up openssl-1.0.1j/crypto/modes/wrap128.c.wrap openssl-1.0.1j/crypto/modes/wrap128.c
---- openssl-1.0.1j/crypto/modes/wrap128.c.wrap 2014-10-16 13:30:10.681654972 +0200
-+++ openssl-1.0.1j/crypto/modes/wrap128.c 2014-10-16 13:30:10.681654972 +0200
-@@ -0,0 +1,372 @@
-+/* crypto/modes/wrap128.c */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project.
-+ * Mode with padding contributed by Petr Spacek (pspacek at redhat.com).
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2013 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+/** Beware!
-+ *
-+ * Following wrapping modes were designed for AES but this implementation
-+ * allows you to use them for any 128 bit block cipher.
-+ */
-+
-+#include "cryptlib.h"
-+#include <openssl/modes.h>
-+
-+/** RFC 3394 section 2.2.3.1 Default Initial Value */
-+static const unsigned char default_iv[] = {
-+ 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6,
-+};
-+
-+/** RFC 5649 section 3 Alternative Initial Value 32-bit constant */
-+static const unsigned char default_aiv[] = {
-+ 0xA6, 0x59, 0x59, 0xA6
-+};
-+
-+/** Input size limit: lower than maximum of standards but far larger than
-+ * anything that will be used in practice.
-+ */
-+#define CRYPTO128_WRAP_MAX (1UL << 31)
-+
-+/** Wrapping according to RFC 3394 section 2.2.1.
-+ *
-+ * @param[in] key Key value.
-+ * @param[in] iv IV value. Length = 8 bytes. NULL = use default_iv.
-+ * @param[in] in Plain text as n 64-bit blocks, n >= 2.
-+ * @param[in] inlen Length of in.
-+ * @param[out] out Cipher text. Minimal buffer length = (inlen + 8) bytes.
-+ * Input and output buffers can overlap if block function
-+ * supports that.
-+ * @param[in] block Block processing function.
-+ * @return 0 if inlen does not consist of n 64-bit blocks, n >= 2.
-+ * or if inlen > CRYPTO128_WRAP_MAX.
-+ * Output length if wrapping succeeded.
-+ */
-+size_t CRYPTO_128_wrap(void *key, const unsigned char *iv,
-+ unsigned char *out,
-+ const unsigned char *in, size_t inlen, block128_f block)
-+ {
-+ unsigned char *A, B[16], *R;
-+ size_t i, j, t;
-+ if ((inlen & 0x7) || (inlen < 16) || (inlen > CRYPTO128_WRAP_MAX))
-+ return 0;
-+ A = B;
-+ t = 1;
-+ memmove(out + 8, in, inlen);
-+ if (!iv)
-+ iv = default_iv;
-+
-+ memcpy(A, iv, 8);
-+
-+ for (j = 0; j < 6; j++)
-+ {
-+ R = out + 8;
-+ for (i = 0; i < inlen; i += 8, t++, R += 8)
-+ {
-+ memcpy(B + 8, R, 8);
-+ block(B, B, key);
-+ A[7] ^= (unsigned char)(t & 0xff);
-+ if (t > 0xff)
-+ {
-+ A[6] ^= (unsigned char)((t >> 8) & 0xff);
-+ A[5] ^= (unsigned char)((t >> 16) & 0xff);
-+ A[4] ^= (unsigned char)((t >> 24) & 0xff);
-+ }
-+ memcpy(R, B + 8, 8);
-+ }
-+ }
-+ memcpy(out, A, 8);
-+ return inlen + 8;
-+ }
-+
-+
-+/** Unwrapping according to RFC 3394 section 2.2.2 steps 1-2.
-+ * IV check (step 3) is responsibility of the caller.
-+ *
-+ * @param[in] key Key value.
-+ * @param[out] iv Unchecked IV value. Minimal buffer length = 8 bytes.
-+ * @param[out] out Plain text without IV.
-+ * Minimal buffer length = (inlen - 8) bytes.
-+ * Input and output buffers can overlap if block function
-+ * supports that.
-+ * @param[in] in Ciphertext text as n 64-bit blocks
-+ * @param[in] inlen Length of in.
-+ * @param[in] block Block processing function.
-+ * @return 0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
-+ * or if inlen is not multiply of 8.
-+ * Output length otherwise.
-+ */
-+static size_t crypto_128_unwrap_raw(void *key, unsigned char *iv,
-+ unsigned char *out, const unsigned char *in,
-+ size_t inlen, block128_f block)
-+ {
-+ unsigned char *A, B[16], *R;
-+ size_t i, j, t;
-+ inlen -= 8;
-+ if ((inlen & 0x7) || (inlen < 16) || (inlen > CRYPTO128_WRAP_MAX))
-+ return 0;
-+ A = B;
-+ t = 6 * (inlen >> 3);
-+ memcpy(A, in, 8);
-+ memmove(out, in + 8, inlen);
-+ for (j = 0; j < 6; j++)
-+ {
-+ R = out + inlen - 8;
-+ for (i = 0; i < inlen; i += 8, t--, R -= 8)
-+ {
-+ A[7] ^= (unsigned char)(t & 0xff);
-+ if (t > 0xff)
-+ {
-+ A[6] ^= (unsigned char)((t >> 8) & 0xff);
-+ A[5] ^= (unsigned char)((t >> 16) & 0xff);
-+ A[4] ^= (unsigned char)((t >> 24) & 0xff);
-+ }
-+ memcpy(B + 8, R, 8);
-+ block(B, B, key);
-+ memcpy(R, B + 8, 8);
-+ }
-+ }
-+ memcpy(iv, A, 8);
-+ return inlen;
-+ }
-+
-+/** Unwrapping according to RFC 3394 section 2.2.2 including IV check.
-+ * First block of plain text have to match supplied IV otherwise an error is
-+ * returned.
-+ *
-+ * @param[in] key Key value.
-+ * @param[out] iv Unchecked IV value. Minimal buffer length = 8 bytes.
-+ * @param[out] out Plain text without IV.
-+ * Minimal buffer length = (inlen - 8) bytes.
-+ * Input and output buffers can overlap if block function
-+ * supports that.
-+ * @param[in] in Ciphertext text as n 64-bit blocks
-+ * @param[in] inlen Length of in.
-+ * @param[in] block Block processing function.
-+ * @return 0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
-+ * or if inlen is not multiply of 8
-+ * or if IV doesn't match expected value.
-+ * Output length otherwise.
-+ */
-+size_t CRYPTO_128_unwrap(void *key, const unsigned char *iv,
-+ unsigned char *out, const unsigned char *in, size_t inlen,
-+ block128_f block)
-+ {
-+ size_t ret;
-+ unsigned char got_iv[8];
-+
-+ ret = crypto_128_unwrap_raw(key, got_iv, out, in, inlen, block);
-+ if (ret != inlen)
-+ return ret;
-+
-+ if (!iv)
-+ iv = default_iv;
-+ if (CRYPTO_memcmp(out, iv, 8))
-+ {
-+ OPENSSL_cleanse(out, inlen);
-+ return 0;
-+ }
-+ return inlen;
-+ }
-+
-+/** Wrapping according to RFC 5649 section 4.1.
-+ *
-+ * @param[in] key Key value.
-+ * @param[in] icv (Non-standard) IV, 4 bytes. NULL = use default_aiv.
-+ * @param[out] out Cipher text. Minimal buffer length = (inlen + 15) bytes.
-+ * Input and output buffers can overlap if block function
-+ * supports that.
-+ * @param[in] in Plain text as n 64-bit blocks, n >= 2.
-+ * @param[in] inlen Length of in.
-+ * @param[in] block Block processing function.
-+ * @return 0 if inlen is out of range [1, CRYPTO128_WRAP_MAX].
-+ * Output length if wrapping succeeded.
-+ */
-+size_t CRYPTO_128_wrap_pad(void *key, const unsigned char *icv,
-+ unsigned char *out,
-+ const unsigned char *in, size_t inlen, block128_f block)
-+ {
-+ /* n: number of 64-bit blocks in the padded key data */
-+ const size_t blocks_padded = (inlen + 8) / 8;
-+ const size_t padded_len = blocks_padded * 8;
-+ const size_t padding_len = padded_len - inlen;
-+ /* RFC 5649 section 3: Alternative Initial Value */
-+ unsigned char aiv[8];
-+ int ret;
-+
-+ /* Section 1: use 32-bit fixed field for plaintext octet length */
-+ if (inlen == 0 || inlen >= CRYPTO128_WRAP_MAX)
-+ return 0;
-+
-+ /* Section 3: Alternative Initial Value */
-+ if (!icv)
-+ memcpy(aiv, default_aiv, 4);
-+ else
-+ memcpy(aiv, icv, 4); /* Standard doesn't mention this. */
-+
-+ aiv[4] = (inlen >> 24) & 0xFF;
-+ aiv[5] = (inlen >> 16) & 0xFF;
-+ aiv[6] = (inlen >> 8) & 0xFF;
-+ aiv[7] = inlen & 0xFF;
-+
-+ if (padded_len == 8)
-+ {
-+ /* Section 4.1 - special case in step 2:
-+ * If the padded plaintext contains exactly eight octets, then
-+ * prepend the AIV and encrypt the resulting 128-bit block
-+ * using AES in ECB mode. */
-+ memmove(out + 8, in, inlen);
-+ memcpy(out, aiv, 8);
-+ memset(out + 8 + inlen, 0, padding_len);
-+ block(out, out, key);
-+ ret = 16; /* AIV + padded input */
-+ }
-+ else
-+ {
-+ memmove(out, in, inlen);
-+ memset(out + inlen, 0, padding_len); /* Section 4.1 step 1 */
-+ ret = CRYPTO_128_wrap(key, aiv, out, out, padded_len, block);
-+ }
-+
-+ return ret;
-+ }
-+
-+/** Unwrapping according to RFC 5649 section 4.2.
-+ *
-+ * @param[in] key Key value.
-+ * @param[in] icv (Non-standard) IV, 4 bytes. NULL = use default_aiv.
-+ * @param[out] out Plain text. Minimal buffer length = inlen bytes.
-+ * Input and output buffers can overlap if block function
-+ * supports that.
-+ * @param[in] in Ciphertext text as n 64-bit blocks
-+ * @param[in] inlen Length of in.
-+ * @param[in] block Block processing function.
-+ * @return 0 if inlen is out of range [16, CRYPTO128_WRAP_MAX],
-+ * or if inlen is not multiply of 8
-+ * or if IV and message length indicator doesn't match.
-+ * Output length if unwrapping succeeded and IV matches.
-+ */
-+size_t CRYPTO_128_unwrap_pad(void *key, const unsigned char *icv,
-+ unsigned char *out,
-+ const unsigned char *in, size_t inlen, block128_f block)
-+ {
-+ /* n: number of 64-bit blocks in the padded key data */
-+ size_t n = inlen / 8 - 1;
-+ size_t padded_len;
-+ size_t padding_len;
-+ size_t ptext_len;
-+ /* RFC 5649 section 3: Alternative Initial Value */
-+ unsigned char aiv[8];
-+ static unsigned char zeros[8] = {0x0};
-+ size_t ret;
-+
-+ /* Section 4.2: Cipher text length has to be (n+1) 64-bit blocks. */
-+ if ((inlen & 0x7) != 0 || inlen < 16 || inlen >= CRYPTO128_WRAP_MAX)
-+ return 0;
-+
-+ memmove(out, in, inlen);
-+ if (inlen == 16)
-+ {
-+ /* Section 4.2 - special case in step 1:
-+ * When n=1, the ciphertext contains exactly two 64-bit
-+ * blocks and they are decrypted as a single AES
-+ * block using AES in ECB mode:
-+ * AIV | P[1] = DEC(K, C[0] | C[1])
-+ */
-+ block(out, out, key);
-+ memcpy(aiv, out, 8);
-+ /* Remove AIV */
-+ memmove(out, out + 8, 8);
-+ padded_len = 8;
-+ }
-+ else
-+ {
-+ padded_len = inlen - 8;
-+ ret = crypto_128_unwrap_raw(key, aiv, out, out, inlen, block);
-+ if (padded_len != ret)
-+ {
-+ OPENSSL_cleanse(out, inlen);
-+ return 0;
-+ }
-+ }
-+
-+ /* Section 3: AIV checks: Check that MSB(32,A) = A65959A6.
-+ * Optionally a user-supplied value can be used
-+ * (even if standard doesn't mention this). */
-+ if ((!icv && CRYPTO_memcmp(aiv, default_aiv, 4))
-+ || (icv && CRYPTO_memcmp(aiv, icv, 4)))
-+ {
-+ OPENSSL_cleanse(out, inlen);
-+ return 0;
-+ }
-+
-+ /* Check that 8*(n-1) < LSB(32,AIV) <= 8*n.
-+ * If so, let ptext_len = LSB(32,AIV). */
-+
-+ ptext_len = (aiv[4] << 24) | (aiv[5] << 16) | (aiv[6] << 8) | aiv[7];
-+ if (8*(n-1) >= ptext_len || ptext_len > 8*n)
-+ {
-+ OPENSSL_cleanse(out, inlen);
-+ return 0;
-+ }
-+
-+ /* Check that the rightmost padding_len octets of the output data
-+ * are zero. */
-+ padding_len = padded_len - ptext_len;
-+ if (CRYPTO_memcmp(out + ptext_len, zeros, padding_len) != 0)
-+ {
-+ OPENSSL_cleanse(out, inlen);
-+ return 0;
-+ }
-+
-+ /* Section 4.2 step 3: Remove padding */
-+ return ptext_len;
-+ }
diff --git a/openssl-1.0.1j-fips-ec.patch b/openssl-1.0.1j-fips-ec.patch
deleted file mode 100644
index b608a9d..0000000
--- a/openssl-1.0.1j-fips-ec.patch
+++ /dev/null
@@ -1,2031 +0,0 @@
-diff -up openssl-1.0.1j/crypto/ecdh/ecdh.h.fips-ec openssl-1.0.1j/crypto/ecdh/ecdh.h
---- openssl-1.0.1j/crypto/ecdh/ecdh.h.fips-ec 2014-10-16 13:25:20.248098308 +0200
-+++ openssl-1.0.1j/crypto/ecdh/ecdh.h 2014-10-16 13:25:20.730109190 +0200
-@@ -85,6 +85,8 @@
- extern "C" {
- #endif
-
-+#define EC_FLAG_COFACTOR_ECDH 0x1000
-+
- const ECDH_METHOD *ECDH_OpenSSL(void);
-
- void ECDH_set_default_method(const ECDH_METHOD *);
-diff -up openssl-1.0.1j/crypto/ecdh/ecdhtest.c.fips-ec openssl-1.0.1j/crypto/ecdh/ecdhtest.c
---- openssl-1.0.1j/crypto/ecdh/ecdhtest.c.fips-ec 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/ecdh/ecdhtest.c 2014-10-16 13:25:20.730109190 +0200
-@@ -323,8 +323,10 @@ int main(int argc, char *argv[])
- if ((ctx=BN_CTX_new()) == NULL) goto err;
-
- /* NIST PRIME CURVES TESTS */
-+#if 0
- if (!test_ecdh_curve(NID_X9_62_prime192v1, "NIST Prime-Curve P-192", ctx, out)) goto err;
- if (!test_ecdh_curve(NID_secp224r1, "NIST Prime-Curve P-224", ctx, out)) goto err;
-+#endif
- if (!test_ecdh_curve(NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out)) goto err;
- if (!test_ecdh_curve(NID_secp384r1, "NIST Prime-Curve P-384", ctx, out)) goto err;
- if (!test_ecdh_curve(NID_secp521r1, "NIST Prime-Curve P-521", ctx, out)) goto err;
-diff -up openssl-1.0.1j/crypto/ecdh/ech_lib.c.fips-ec openssl-1.0.1j/crypto/ecdh/ech_lib.c
---- openssl-1.0.1j/crypto/ecdh/ech_lib.c.fips-ec 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/ecdh/ech_lib.c 2014-10-16 13:25:20.730109190 +0200
-@@ -94,14 +94,7 @@ const ECDH_METHOD *ECDH_get_default_meth
- {
- if(!default_ECDH_method)
- {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_ecdh_openssl();
-- else
-- return ECDH_OpenSSL();
--#else
- default_ECDH_method = ECDH_OpenSSL();
--#endif
- }
- return default_ECDH_method;
- }
-diff -up openssl-1.0.1j/crypto/ecdh/ech_ossl.c.fips-ec openssl-1.0.1j/crypto/ecdh/ech_ossl.c
---- openssl-1.0.1j/crypto/ecdh/ech_ossl.c.fips-ec 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/ecdh/ech_ossl.c 2014-10-16 13:25:20.730109190 +0200
-@@ -79,6 +79,10 @@
- #include <openssl/obj_mac.h>
- #include <openssl/bn.h>
-
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- static int ecdh_compute_key(void *out, size_t len, const EC_POINT *pub_key,
- EC_KEY *ecdh,
- void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen));
-@@ -90,7 +94,7 @@ static ECDH_METHOD openssl_ecdh_meth = {
- NULL, /* init */
- NULL, /* finish */
- #endif
-- 0, /* flags */
-+ ECDH_FLAG_FIPS_METHOD, /* flags */
- NULL /* app_data */
- };
-
-@@ -118,6 +122,14 @@ static int ecdh_compute_key(void *out, s
- size_t buflen, len;
- unsigned char *buf=NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_ECDH_COMPUTE_KEY,FIPS_R_FIPS_SELFTEST_FAILED);
-+ return -1;
-+ }
-+#endif
-+
- if (outlen > INT_MAX)
- {
- ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_MALLOC_FAILURE); /* sort of, anyway */
-@@ -137,6 +149,18 @@ static int ecdh_compute_key(void *out, s
- }
-
- group = EC_KEY_get0_group(ecdh);
-+
-+ if (EC_KEY_get_flags(ecdh) & EC_FLAG_COFACTOR_ECDH)
-+ {
-+ if (!EC_GROUP_get_cofactor(group, x, ctx) ||
-+ !BN_mul(x, x, priv_key, ctx))
-+ {
-+ ECDHerr(ECDH_F_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE);
-+ goto err;
-+ }
-+ priv_key = x;
-+ }
-+
- if ((tmp=EC_POINT_new(group)) == NULL)
- {
- ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_MALLOC_FAILURE);
-diff -up openssl-1.0.1j/crypto/ecdsa/ecdsatest.c.fips-ec openssl-1.0.1j/crypto/ecdsa/ecdsatest.c
---- openssl-1.0.1j/crypto/ecdsa/ecdsatest.c.fips-ec 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/ecdsa/ecdsatest.c 2014-10-16 13:25:20.731109212 +0200
-@@ -138,11 +138,14 @@ int restore_rand(void)
- }
-
- static int fbytes_counter = 0;
--static const char *numbers[8] = {
-+static const char *numbers[10] = {
-+ "651056770906015076056810763456358567190100156695615665659",
- "651056770906015076056810763456358567190100156695615665659",
- "6140507067065001063065065565667405560006161556565665656654",
- "8763001015071075675010661307616710783570106710677817767166"
- "71676178726717",
-+ "8763001015071075675010661307616710783570106710677817767166"
-+ "71676178726717",
- "7000000175690566466555057817571571075705015757757057795755"
- "55657156756655",
- "1275552191113212300012030439187146164646146646466749494799",
-@@ -157,7 +160,7 @@ int fbytes(unsigned char *buf, int num)
- int ret;
- BIGNUM *tmp = NULL;
-
-- if (fbytes_counter >= 8)
-+ if (fbytes_counter >= 10)
- return 0;
- tmp = BN_new();
- if (!tmp)
-@@ -550,7 +553,9 @@ int main(void)
- RAND_seed(rnd_seed, sizeof(rnd_seed));
-
- /* the tests */
-+#if 0
- if (!x9_62_tests(out)) goto err;
-+#endif
- if (!test_builtin(out)) goto err;
-
- ret = 0;
-diff -up openssl-1.0.1j/crypto/ecdsa/ecs_lib.c.fips-ec openssl-1.0.1j/crypto/ecdsa/ecs_lib.c
---- openssl-1.0.1j/crypto/ecdsa/ecs_lib.c.fips-ec 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/ecdsa/ecs_lib.c 2014-10-16 13:25:20.731109212 +0200
-@@ -81,14 +81,7 @@ const ECDSA_METHOD *ECDSA_get_default_me
- {
- if(!default_ECDSA_method)
- {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_ecdsa_openssl();
-- else
-- return ECDSA_OpenSSL();
--#else
- default_ECDSA_method = ECDSA_OpenSSL();
--#endif
- }
- return default_ECDSA_method;
- }
-diff -up openssl-1.0.1j/crypto/ecdsa/ecs_ossl.c.fips-ec openssl-1.0.1j/crypto/ecdsa/ecs_ossl.c
---- openssl-1.0.1j/crypto/ecdsa/ecs_ossl.c.fips-ec 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/ecdsa/ecs_ossl.c 2014-10-16 13:25:20.731109212 +0200
-@@ -60,6 +60,9 @@
- #include <openssl/err.h>
- #include <openssl/obj_mac.h>
- #include <openssl/bn.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-
- static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen,
- const BIGNUM *, const BIGNUM *, EC_KEY *eckey);
-@@ -77,7 +80,7 @@ static ECDSA_METHOD openssl_ecdsa_meth =
- NULL, /* init */
- NULL, /* finish */
- #endif
-- 0, /* flags */
-+ ECDSA_FLAG_FIPS_METHOD, /* flags */
- NULL /* app_data */
- };
-
-@@ -231,6 +234,14 @@ static ECDSA_SIG *ecdsa_do_sign(const un
- ECDSA_DATA *ecdsa;
- const BIGNUM *priv_key;
-
-+#ifdef OPENSSL_FIPS
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_ECDSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED);
-+ return NULL;
-+ }
-+#endif
-+
- ecdsa = ecdsa_check(eckey);
- group = EC_KEY_get0_group(eckey);
- priv_key = EC_KEY_get0_private_key(eckey);
-@@ -360,6 +371,14 @@ static int ecdsa_do_verify(const unsigne
- const EC_GROUP *group;
- const EC_POINT *pub_key;
-
-+#ifdef OPENSSL_FIPS
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_ECDSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED);
-+ return -1;
-+ }
-+#endif
-+
- /* check input values */
- if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
- (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL)
-diff -up openssl-1.0.1j/crypto/ec/ec_key.c.fips-ec openssl-1.0.1j/crypto/ec/ec_key.c
---- openssl-1.0.1j/crypto/ec/ec_key.c.fips-ec 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/ec/ec_key.c 2014-10-16 13:25:20.731109212 +0200
-@@ -64,9 +64,6 @@
- #include <string.h>
- #include "ec_lcl.h"
- #include <openssl/err.h>
--#ifdef OPENSSL_FIPS
--#include <openssl/fips.h>
--#endif
-
- EC_KEY *EC_KEY_new(void)
- {
-@@ -234,6 +231,39 @@ int EC_KEY_up_ref(EC_KEY *r)
- return ((i > 1) ? 1 : 0);
- }
-
-+#ifdef OPENSSL_FIPS
-+
-+#include <openssl/evp.h>
-+#include <openssl/fips.h>
-+#include <openssl/fips_rand.h>
-+
-+static int fips_check_ec(EC_KEY *key)
-+ {
-+ EVP_PKEY *pk;
-+ unsigned char tbs[] = "ECDSA Pairwise Check Data";
-+ int ret = 0;
-+
-+ if ((pk=EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_set1_EC_KEY(pk, key);
-+
-+ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))
-+ ret = 1;
-+
-+ err:
-+ if (ret == 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_CHECK_EC,FIPS_R_PAIRWISE_TEST_FAILED);
-+ fips_set_selftest_fail();
-+ }
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+ return ret;
-+ }
-+
-+#endif
-+
- int EC_KEY_generate_key(EC_KEY *eckey)
- {
- int ok = 0;
-@@ -242,8 +272,11 @@ int EC_KEY_generate_key(EC_KEY *eckey)
- EC_POINT *pub_key = NULL;
-
- #ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_ec_key_generate_key(eckey);
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_EC_KEY_GENERATE_KEY,FIPS_R_FIPS_SELFTEST_FAILED);
-+ return 0;
-+ }
- #endif
-
- if (!eckey || !eckey->group)
-@@ -287,6 +320,15 @@ int EC_KEY_generate_key(EC_KEY *eckey)
- eckey->priv_key = priv_key;
- eckey->pub_key = pub_key;
-
-+#ifdef OPENSSL_FIPS
-+ if(!fips_check_ec(eckey))
-+ {
-+ eckey->priv_key = NULL;
-+ eckey->pub_key = NULL;
-+ goto err;
-+ }
-+#endif
-+
- ok=1;
-
- err:
-@@ -429,10 +471,12 @@ int EC_KEY_set_public_key_affine_coordin
- tx, ty, ctx))
- goto err;
- }
-- /* Check if retrieved coordinates match originals: if not values
-- * are out of range.
-+ /* Check if retrieved coordinates match originals and are less than
-+ * field order: if not values are out of range.
- */
-- if (BN_cmp(x, tx) || BN_cmp(y, ty))
-+ if (BN_cmp(x, tx) || BN_cmp(y, ty)
-+ || (BN_cmp(x, &key->group->field) >= 0)
-+ || (BN_cmp(y, &key->group->field) >= 0))
- {
- ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES,
- EC_R_COORDINATES_OUT_OF_RANGE);
-diff -up openssl-1.0.1j/crypto/ec/ecp_mont.c.fips-ec openssl-1.0.1j/crypto/ec/ecp_mont.c
---- openssl-1.0.1j/crypto/ec/ecp_mont.c.fips-ec 2014-10-16 13:25:20.731109212 +0200
-+++ openssl-1.0.1j/crypto/ec/ecp_mont.c 2014-10-16 13:27:34.156121340 +0200
-@@ -63,10 +63,6 @@
-
- #include <openssl/err.h>
-
--#ifdef OPENSSL_FIPS
--#include <openssl/fips.h>
--#endif
--
- #include "ec_lcl.h"
-
-
-@@ -111,11 +107,6 @@ const EC_METHOD *EC_GFp_mont_method(void
- ec_GFp_mont_field_decode,
- ec_GFp_mont_field_set_to_one };
-
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return fips_ec_gfp_mont_method();
--#endif
--
- return &ret;
- }
-
-diff -up openssl-1.0.1j/crypto/ec/ecp_nist.c.fips-ec openssl-1.0.1j/crypto/ec/ecp_nist.c
---- openssl-1.0.1j/crypto/ec/ecp_nist.c.fips-ec 2014-10-16 13:25:20.732109235 +0200
-+++ openssl-1.0.1j/crypto/ec/ecp_nist.c 2014-10-16 13:27:53.163550441 +0200
-@@ -67,10 +67,6 @@
- #include <openssl/obj_mac.h>
- #include "ec_lcl.h"
-
--#ifdef OPENSSL_FIPS
--#include <openssl/fips.h>
--#endif
--
- const EC_METHOD *EC_GFp_nist_method(void)
- {
- static const EC_METHOD ret = {
-@@ -112,11 +108,6 @@ const EC_METHOD *EC_GFp_nist_method(void
- 0 /* field_decode */,
- 0 /* field_set_to_one */ };
-
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return fips_ec_gfp_nist_method();
--#endif
--
- return &ret;
- }
-
-diff -up openssl-1.0.1j/crypto/ec/ecp_smpl.c.fips-ec openssl-1.0.1j/crypto/ec/ecp_smpl.c
---- openssl-1.0.1j/crypto/ec/ecp_smpl.c.fips-ec 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/ec/ecp_smpl.c 2014-10-16 13:28:39.386593946 +0200
-@@ -65,10 +65,6 @@
- #include <openssl/err.h>
- #include <openssl/symhacks.h>
-
--#ifdef OPENSSL_FIPS
--#include <openssl/fips.h>
--#endif
--
- #include "ec_lcl.h"
-
- const EC_METHOD *EC_GFp_simple_method(void)
-@@ -112,11 +108,6 @@ const EC_METHOD *EC_GFp_simple_method(vo
- 0 /* field_decode */,
- 0 /* field_set_to_one */ };
-
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return fips_ec_gfp_simple_method();
--#endif
--
- return &ret;
- }
-
-@@ -187,6 +178,12 @@ int ec_GFp_simple_group_set_curve(EC_GRO
- return 0;
- }
-
-+ if (BN_num_bits(p) < 256)
-+ {
-+ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
-+ return 0;
-+ }
-+
- if (ctx == NULL)
- {
- ctx = new_ctx = BN_CTX_new();
-diff -up openssl-1.0.1j/crypto/evp/m_ecdsa.c.fips-ec openssl-1.0.1j/crypto/evp/m_ecdsa.c
---- openssl-1.0.1j/crypto/evp/m_ecdsa.c.fips-ec 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/evp/m_ecdsa.c 2014-10-16 13:25:20.732109235 +0200
-@@ -116,7 +116,6 @@
- #include <openssl/x509.h>
-
- #ifndef OPENSSL_NO_SHA
--#ifndef OPENSSL_FIPS
-
- static int init(EVP_MD_CTX *ctx)
- { return SHA1_Init(ctx->md_data); }
-@@ -132,7 +131,7 @@ static const EVP_MD ecdsa_md=
- NID_ecdsa_with_SHA1,
- NID_ecdsa_with_SHA1,
- SHA_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_DIGEST,
-+ EVP_MD_FLAG_PKEY_DIGEST|EVP_MD_FLAG_FIPS,
- init,
- update,
- final,
-@@ -148,4 +147,3 @@ const EVP_MD *EVP_ecdsa(void)
- return(&ecdsa_md);
- }
- #endif
--#endif
-diff -up openssl-1.0.1j/crypto/fips/cavs/fips_ecdhvs.c.fips-ec openssl-1.0.1j/crypto/fips/cavs/fips_ecdhvs.c
---- openssl-1.0.1j/crypto/fips/cavs/fips_ecdhvs.c.fips-ec 2014-10-16 13:25:20.732109235 +0200
-+++ openssl-1.0.1j/crypto/fips/cavs/fips_ecdhvs.c 2014-10-16 13:25:20.732109235 +0200
-@@ -0,0 +1,496 @@
-+/* fips/ecdh/fips_ecdhvs.c */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+
-+#define OPENSSL_FIPSAPI
-+#include <openssl/opensslconf.h>
-+
-+#ifndef OPENSSL_FIPS
-+#include <stdio.h>
-+
-+int main(int argc, char **argv)
-+{
-+ printf("No FIPS ECDH support\n");
-+ return(0);
-+}
-+#else
-+
-+#include <openssl/crypto.h>
-+#include <openssl/bn.h>
-+#include <openssl/ecdh.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <string.h>
-+#include <ctype.h>
-+
-+#include "fips_utl.h"
-+
-+static const EVP_MD *eparse_md(char *line)
-+ {
-+ char *p;
-+ if (line[0] != '[' || line[1] != 'E')
-+ return NULL;
-+ p = strchr(line, '-');
-+ if (!p)
-+ return NULL;
-+ line = p + 1;
-+ p = strchr(line, ']');
-+ if (!p)
-+ return NULL;
-+ *p = 0;
-+ p = line;
-+ while(isspace(*p))
-+ p++;
-+ if (!strcmp(p, "SHA1"))
-+ return EVP_sha1();
-+ else if (!strcmp(p, "SHA224"))
-+ return EVP_sha224();
-+ else if (!strcmp(p, "SHA256"))
-+ return EVP_sha256();
-+ else if (!strcmp(p, "SHA384"))
-+ return EVP_sha384();
-+ else if (!strcmp(p, "SHA512"))
-+ return EVP_sha512();
-+ else
-+ return NULL;
-+ }
-+
-+static int lookup_curve2(char *cname)
-+ {
-+ char *p;
-+ p = strchr(cname, ']');
-+ if (!p)
-+ {
-+ fprintf(stderr, "Parse error: missing ]\n");
-+ return NID_undef;
-+ }
-+ *p = 0;
-+
-+ if (!strcmp(cname, "B-163"))
-+ return NID_sect163r2;
-+ if (!strcmp(cname, "B-233"))
-+ return NID_sect233r1;
-+ if (!strcmp(cname, "B-283"))
-+ return NID_sect283r1;
-+ if (!strcmp(cname, "B-409"))
-+ return NID_sect409r1;
-+ if (!strcmp(cname, "B-571"))
-+ return NID_sect571r1;
-+ if (!strcmp(cname, "K-163"))
-+ return NID_sect163k1;
-+ if (!strcmp(cname, "K-233"))
-+ return NID_sect233k1;
-+ if (!strcmp(cname, "K-283"))
-+ return NID_sect283k1;
-+ if (!strcmp(cname, "K-409"))
-+ return NID_sect409k1;
-+ if (!strcmp(cname, "K-571"))
-+ return NID_sect571k1;
-+ if (!strcmp(cname, "P-192"))
-+ return NID_X9_62_prime192v1;
-+ if (!strcmp(cname, "P-224"))
-+ return NID_secp224r1;
-+ if (!strcmp(cname, "P-256"))
-+ return NID_X9_62_prime256v1;
-+ if (!strcmp(cname, "P-384"))
-+ return NID_secp384r1;
-+ if (!strcmp(cname, "P-521"))
-+ return NID_secp521r1;
-+
-+ fprintf(stderr, "Unknown Curve name %s\n", cname);
-+ return NID_undef;
-+ }
-+
-+static int lookup_curve(char *cname)
-+ {
-+ char *p;
-+ p = strchr(cname, ':');
-+ if (!p)
-+ {
-+ fprintf(stderr, "Parse error: missing :\n");
-+ return NID_undef;
-+ }
-+ cname = p + 1;
-+ while(isspace(*cname))
-+ cname++;
-+ return lookup_curve2(cname);
-+ }
-+
-+static EC_POINT *make_peer(EC_GROUP *group, BIGNUM *x, BIGNUM *y)
-+ {
-+ EC_POINT *peer;
-+ int rv;
-+ BN_CTX *c;
-+ peer = EC_POINT_new(group);
-+ if (!peer)
-+ return NULL;
-+ c = BN_CTX_new();
-+ if (EC_METHOD_get_field_type(EC_GROUP_method_of(group))
-+ == NID_X9_62_prime_field)
-+ rv = EC_POINT_set_affine_coordinates_GFp(group, peer, x, y, c);
-+ else
-+#ifdef OPENSSL_NO_EC2M
-+ {
-+ fprintf(stderr, "ERROR: GF2m not supported\n");
-+ exit(1);
-+ }
-+#else
-+ rv = EC_POINT_set_affine_coordinates_GF2m(group, peer, x, y, c);
-+#endif
-+
-+ BN_CTX_free(c);
-+ if (rv)
-+ return peer;
-+ EC_POINT_free(peer);
-+ return NULL;
-+ }
-+
-+static int ec_print_key(FILE *out, EC_KEY *key, int add_e, int exout)
-+ {
-+ const EC_POINT *pt;
-+ const EC_GROUP *grp;
-+ const EC_METHOD *meth;
-+ int rv;
-+ BIGNUM *tx, *ty;
-+ const BIGNUM *d = NULL;
-+ BN_CTX *ctx;
-+ ctx = BN_CTX_new();
-+ if (!ctx)
-+ return 0;
-+ tx = BN_CTX_get(ctx);
-+ ty = BN_CTX_get(ctx);
-+ if (!tx || !ty)
-+ return 0;
-+ grp = EC_KEY_get0_group(key);
-+ pt = EC_KEY_get0_public_key(key);
-+ if (exout)
-+ d = EC_KEY_get0_private_key(key);
-+ meth = EC_GROUP_method_of(grp);
-+ if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
-+ rv = EC_POINT_get_affine_coordinates_GFp(grp, pt, tx, ty, ctx);
-+ else
-+#ifdef OPENSSL_NO_EC2M
-+ {
-+ fprintf(stderr, "ERROR: GF2m not supported\n");
-+ exit(1);
-+ }
-+#else
-+ rv = EC_POINT_get_affine_coordinates_GF2m(grp, pt, tx, ty, ctx);
-+#endif
-+
-+ if (add_e)
-+ {
-+ do_bn_print_name(out, "QeIUTx", tx);
-+ do_bn_print_name(out, "QeIUTy", ty);
-+ if (d)
-+ do_bn_print_name(out, "QeIUTd", d);
-+ }
-+ else
-+ {
-+ do_bn_print_name(out, "QIUTx", tx);
-+ do_bn_print_name(out, "QIUTy", ty);
-+ if (d)
-+ do_bn_print_name(out, "QIUTd", d);
-+ }
-+
-+ BN_CTX_free(ctx);
-+
-+ return rv;
-+
-+ }
-+
-+static void ec_output_Zhash(FILE *out, int exout, EC_GROUP *group,
-+ BIGNUM *ix, BIGNUM *iy, BIGNUM *id, BIGNUM *cx,
-+ BIGNUM *cy, const EVP_MD *md,
-+ unsigned char *rhash, size_t rhashlen)
-+ {
-+ EC_KEY *ec = NULL;
-+ EC_POINT *peerkey = NULL;
-+ unsigned char *Z;
-+ unsigned char chash[EVP_MAX_MD_SIZE];
-+ int Zlen;
-+ ec = EC_KEY_new();
-+ EC_KEY_set_flags(ec, EC_FLAG_COFACTOR_ECDH);
-+ EC_KEY_set_group(ec, group);
-+ peerkey = make_peer(group, cx, cy);
-+ if (rhash == NULL)
-+ {
-+ if (md)
-+ rhashlen = M_EVP_MD_size(md);
-+ EC_KEY_generate_key(ec);
-+ ec_print_key(out, ec, md ? 1 : 0, exout);
-+ }
-+ else
-+ {
-+ EC_KEY_set_public_key_affine_coordinates(ec, ix, iy);
-+ EC_KEY_set_private_key(ec, id);
-+ }
-+ Zlen = (EC_GROUP_get_degree(group) + 7)/8;
-+ Z = OPENSSL_malloc(Zlen);
-+ if (!Z)
-+ exit(1);
-+ ECDH_compute_key(Z, Zlen, peerkey, ec, 0);
-+ if (md)
-+ {
-+ if (exout)
-+ OutputValue("Z", Z, Zlen, out, 0);
-+ FIPS_digest(Z, Zlen, chash, NULL, md);
-+ OutputValue(rhash ? "IUTHashZZ" : "HashZZ",
-+ chash, rhashlen, out, 0);
-+ if (rhash)
-+ {
-+ fprintf(out, "Result = %s\n",
-+ memcmp(chash, rhash, rhashlen) ? "F" : "P");
-+ }
-+ }
-+ else
-+ OutputValue("ZIUT", Z, Zlen, out, 0);
-+ OPENSSL_cleanse(Z, Zlen);
-+ OPENSSL_free(Z);
-+ EC_KEY_free(ec);
-+ EC_POINT_free(peerkey);
-+ }
-+
-+#ifdef FIPS_ALGVS
-+int fips_ecdhvs_main(int argc, char **argv)
-+#else
-+int main(int argc, char **argv)
-+#endif
-+ {
-+ char **args = argv + 1;
-+ int argn = argc - 1;
-+ FILE *in, *out;
-+ char buf[2048], lbuf[2048];
-+ unsigned char *rhash = NULL;
-+ long rhashlen;
-+ BIGNUM *cx = NULL, *cy = NULL;
-+ BIGNUM *id = NULL, *ix = NULL, *iy = NULL;
-+ const EVP_MD *md = NULL;
-+ EC_GROUP *group = NULL;
-+ char *keyword = NULL, *value = NULL;
-+ int do_verify = -1, exout = 0;
-+ int rv = 1;
-+
-+ int curve_nids[5] = {0,0,0,0,0};
-+ int param_set = -1;
-+
-+ fips_algtest_init();
-+
-+ if (argn && !strcmp(*args, "ecdhver"))
-+ {
-+ do_verify = 1;
-+ args++;
-+ argn--;
-+ }
-+ else if (argn && !strcmp(*args, "ecdhgen"))
-+ {
-+ do_verify = 0;
-+ args++;
-+ argn--;
-+ }
-+
-+ if (argn && !strcmp(*args, "-exout"))
-+ {
-+ exout = 1;
-+ args++;
-+ argn--;
-+ }
-+
-+ if (do_verify == -1)
-+ {
-+ fprintf(stderr,"%s [ecdhver|ecdhgen|] [-exout] (infile outfile)\n",argv[0]);
-+ exit(1);
-+ }
-+
-+ if (argn == 2)
-+ {
-+ in = fopen(*args, "r");
-+ if (!in)
-+ {
-+ fprintf(stderr, "Error opening input file\n");
-+ exit(1);
-+ }
-+ out = fopen(args[1], "w");
-+ if (!out)
-+ {
-+ fprintf(stderr, "Error opening output file\n");
-+ exit(1);
-+ }
-+ }
-+ else if (argn == 0)
-+ {
-+ in = stdin;
-+ out = stdout;
-+ }
-+ else
-+ {
-+ fprintf(stderr,"%s [dhver|dhgen|] [-exout] (infile outfile)\n",argv[0]);
-+ exit(1);
-+ }
-+
-+ while (fgets(buf, sizeof(buf), in) != NULL)
-+ {
-+ fputs(buf, out);
-+ if (buf[0] == '[' && buf[1] == 'E')
-+ {
-+ int c = buf[2];
-+ if (c < 'A' || c > 'E')
-+ goto parse_error;
-+ param_set = c - 'A';
-+ /* If just [E?] then initial paramset */
-+ if (buf[3] == ']')
-+ continue;
-+ if (group)
-+ EC_GROUP_free(group);
-+ group = EC_GROUP_new_by_curve_name(curve_nids[c - 'A']);
-+ }
-+ if (strlen(buf) > 10 && !strncmp(buf, "[Curve", 6))
-+ {
-+ int nid;
-+ if (param_set == -1)
-+ goto parse_error;
-+ nid = lookup_curve(buf);
-+ if (nid == NID_undef)
-+ goto parse_error;
-+ curve_nids[param_set] = nid;
-+ }
-+
-+ if (strlen(buf) > 4 && buf[0] == '[' && buf[2] == '-')
-+ {
-+ int nid = lookup_curve2(buf + 1);
-+ if (nid == NID_undef)
-+ goto parse_error;
-+ if (group)
-+ EC_GROUP_free(group);
-+ group = EC_GROUP_new_by_curve_name(nid);
-+ if (!group)
-+ {
-+ fprintf(stderr, "ERROR: unsupported curve %s\n", buf + 1);
-+ return 1;
-+ }
-+ }
-+
-+ if (strlen(buf) > 6 && !strncmp(buf, "[E", 2))
-+ {
-+ md = eparse_md(buf);
-+ if (md == NULL)
-+ goto parse_error;
-+ continue;
-+ }
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ if (!strcmp(keyword, "QeCAVSx") || !strcmp(keyword, "QCAVSx"))
-+ {
-+ if (!do_hex2bn(&cx, value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "QeCAVSy") || !strcmp(keyword, "QCAVSy"))
-+ {
-+ if (!do_hex2bn(&cy, value))
-+ goto parse_error;
-+ if (do_verify == 0)
-+ ec_output_Zhash(out, exout, group,
-+ NULL, NULL, NULL,
-+ cx, cy, md, rhash, rhashlen);
-+ }
-+ else if (!strcmp(keyword, "deIUT"))
-+ {
-+ if (!do_hex2bn(&id, value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "QeIUTx"))
-+ {
-+ if (!do_hex2bn(&ix, value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "QeIUTy"))
-+ {
-+ if (!do_hex2bn(&iy, value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "CAVSHashZZ"))
-+ {
-+ if (!md)
-+ goto parse_error;
-+ rhash = hex2bin_m(value, &rhashlen);
-+ if (!rhash || rhashlen != M_EVP_MD_size(md))
-+ goto parse_error;
-+ ec_output_Zhash(out, exout, group, ix, iy, id, cx, cy,
-+ md, rhash, rhashlen);
-+ }
-+ }
-+ rv = 0;
-+ parse_error:
-+ if (id)
-+ BN_free(id);
-+ if (ix)
-+ BN_free(ix);
-+ if (iy)
-+ BN_free(iy);
-+ if (cx)
-+ BN_free(cx);
-+ if (cy)
-+ BN_free(cy);
-+ if (group)
-+ EC_GROUP_free(group);
-+ if (in && in != stdin)
-+ fclose(in);
-+ if (out && out != stdout)
-+ fclose(out);
-+ if (rv)
-+ fprintf(stderr, "Error Parsing request file\n");
-+ return rv;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/cavs/fips_ecdsavs.c.fips-ec openssl-1.0.1j/crypto/fips/cavs/fips_ecdsavs.c
---- openssl-1.0.1j/crypto/fips/cavs/fips_ecdsavs.c.fips-ec 2014-10-16 13:25:20.733109257 +0200
-+++ openssl-1.0.1j/crypto/fips/cavs/fips_ecdsavs.c 2014-10-16 13:25:20.733109257 +0200
-@@ -0,0 +1,533 @@
-+/* fips/ecdsa/fips_ecdsavs.c */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+#include <openssl/opensslconf.h>
-+#include <stdio.h>
-+
-+#ifndef OPENSSL_FIPS
-+
-+int main(int argc, char **argv)
-+{
-+ printf("No FIPS ECDSA support\n");
-+ return(0);
-+}
-+#else
-+
-+#include <string.h>
-+#include <ctype.h>
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+#include <openssl/ecdsa.h>
-+#include <openssl/evp.h>
-+#include "fips_utl.h"
-+
-+#include <openssl/objects.h>
-+
-+
-+static int elookup_curve(char *in, char *curve_name, const EVP_MD **pmd)
-+ {
-+ char *cname, *p;
-+ /* Copy buffer as we will change it */
-+ strcpy(curve_name, in);
-+ cname = curve_name + 1;
-+ p = strchr(cname, ']');
-+ if (!p)
-+ {
-+ fprintf(stderr, "Parse error: missing ]\n");
-+ return NID_undef;
-+ }
-+ *p = 0;
-+ p = strchr(cname, ',');
-+ if (p)
-+ {
-+ if (!pmd)
-+ {
-+ fprintf(stderr, "Parse error: unexpected digest\n");
-+ return NID_undef;
-+ }
-+ *p = 0;
-+ p++;
-+
-+ if (!strcmp(p, "SHA-1"))
-+ *pmd = EVP_sha1();
-+ else if (!strcmp(p, "SHA-224"))
-+ *pmd = EVP_sha224();
-+ else if (!strcmp(p, "SHA-256"))
-+ *pmd = EVP_sha256();
-+ else if (!strcmp(p, "SHA-384"))
-+ *pmd = EVP_sha384();
-+ else if (!strcmp(p, "SHA-512"))
-+ *pmd = EVP_sha512();
-+ else
-+ {
-+ fprintf(stderr, "Unknown digest %s\n", p);
-+ return NID_undef;
-+ }
-+ }
-+ else if(pmd)
-+ *pmd = EVP_sha1();
-+
-+ if (!strcmp(cname, "B-163"))
-+ return NID_sect163r2;
-+ if (!strcmp(cname, "B-233"))
-+ return NID_sect233r1;
-+ if (!strcmp(cname, "B-283"))
-+ return NID_sect283r1;
-+ if (!strcmp(cname, "B-409"))
-+ return NID_sect409r1;
-+ if (!strcmp(cname, "B-571"))
-+ return NID_sect571r1;
-+ if (!strcmp(cname, "K-163"))
-+ return NID_sect163k1;
-+ if (!strcmp(cname, "K-233"))
-+ return NID_sect233k1;
-+ if (!strcmp(cname, "K-283"))
-+ return NID_sect283k1;
-+ if (!strcmp(cname, "K-409"))
-+ return NID_sect409k1;
-+ if (!strcmp(cname, "K-571"))
-+ return NID_sect571k1;
-+ if (!strcmp(cname, "P-192"))
-+ return NID_X9_62_prime192v1;
-+ if (!strcmp(cname, "P-224"))
-+ return NID_secp224r1;
-+ if (!strcmp(cname, "P-256"))
-+ return NID_X9_62_prime256v1;
-+ if (!strcmp(cname, "P-384"))
-+ return NID_secp384r1;
-+ if (!strcmp(cname, "P-521"))
-+ return NID_secp521r1;
-+
-+ fprintf(stderr, "Unknown Curve name %s\n", cname);
-+ return NID_undef;
-+ }
-+
-+static int ec_get_pubkey(EC_KEY *key, BIGNUM *x, BIGNUM *y)
-+ {
-+ const EC_POINT *pt;
-+ const EC_GROUP *grp;
-+ const EC_METHOD *meth;
-+ int rv;
-+ BN_CTX *ctx;
-+ ctx = BN_CTX_new();
-+ if (!ctx)
-+ return 0;
-+ grp = EC_KEY_get0_group(key);
-+ pt = EC_KEY_get0_public_key(key);
-+ meth = EC_GROUP_method_of(grp);
-+ if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
-+ rv = EC_POINT_get_affine_coordinates_GFp(grp, pt, x, y, ctx);
-+ else
-+#ifdef OPENSSL_NO_EC2M
-+ {
-+ fprintf(stderr, "ERROR: GF2m not supported\n");
-+ exit(1);
-+ }
-+#else
-+ rv = EC_POINT_get_affine_coordinates_GF2m(grp, pt, x, y, ctx);
-+#endif
-+
-+ BN_CTX_free(ctx);
-+
-+ return rv;
-+
-+ }
-+
-+static int KeyPair(FILE *in, FILE *out)
-+ {
-+ char buf[2048], lbuf[2048];
-+ char *keyword, *value;
-+ int curve_nid = NID_undef;
-+ int i, count;
-+ BIGNUM *Qx = NULL, *Qy = NULL;
-+ const BIGNUM *d = NULL;
-+ EC_KEY *key = NULL;
-+ Qx = BN_new();
-+ Qy = BN_new();
-+ while(fgets(buf, sizeof buf, in) != NULL)
-+ {
-+ if (*buf == '[' && buf[2] == '-')
-+ {
-+ if (buf[2] == '-')
-+ curve_nid = elookup_curve(buf, lbuf, NULL);
-+ fputs(buf, out);
-+ continue;
-+ }
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ {
-+ fputs(buf, out);
-+ continue;
-+ }
-+ if (!strcmp(keyword, "N"))
-+ {
-+ count = atoi(value);
-+
-+ for (i = 0; i < count; i++)
-+ {
-+
-+ key = EC_KEY_new_by_curve_name(curve_nid);
-+ if (!EC_KEY_generate_key(key))
-+ {
-+ fprintf(stderr, "Error generating key\n");
-+ return 0;
-+ }
-+
-+ if (!ec_get_pubkey(key, Qx, Qy))
-+ {
-+ fprintf(stderr, "Error getting public key\n");
-+ return 0;
-+ }
-+
-+ d = EC_KEY_get0_private_key(key);
-+
-+ do_bn_print_name(out, "d", d);
-+ do_bn_print_name(out, "Qx", Qx);
-+ do_bn_print_name(out, "Qy", Qy);
-+ fputs(RESP_EOL, out);
-+ EC_KEY_free(key);
-+
-+ }
-+
-+ }
-+
-+ }
-+ BN_free(Qx);
-+ BN_free(Qy);
-+ return 1;
-+ }
-+
-+static int PKV(FILE *in, FILE *out)
-+ {
-+
-+ char buf[2048], lbuf[2048];
-+ char *keyword, *value;
-+ int curve_nid = NID_undef;
-+ BIGNUM *Qx = NULL, *Qy = NULL;
-+ EC_KEY *key = NULL;
-+ while(fgets(buf, sizeof buf, in) != NULL)
-+ {
-+ fputs(buf, out);
-+ if (*buf == '[' && buf[2] == '-')
-+ {
-+ curve_nid = elookup_curve(buf, lbuf, NULL);
-+ if (curve_nid == NID_undef)
-+ return 0;
-+
-+ }
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ if (!strcmp(keyword, "Qx"))
-+ {
-+ if (!do_hex2bn(&Qx, value))
-+ {
-+ fprintf(stderr, "Invalid Qx value\n");
-+ return 0;
-+ }
-+ }
-+ if (!strcmp(keyword, "Qy"))
-+ {
-+ int rv;
-+ if (!do_hex2bn(&Qy, value))
-+ {
-+ fprintf(stderr, "Invalid Qy value\n");
-+ return 0;
-+ }
-+ key = EC_KEY_new_by_curve_name(curve_nid);
-+ no_err = 1;
-+ rv = EC_KEY_set_public_key_affine_coordinates(key, Qx, Qy);
-+ no_err = 0;
-+ EC_KEY_free(key);
-+ fprintf(out, "Result = %s" RESP_EOL, rv ? "P":"F");
-+ }
-+
-+ }
-+ BN_free(Qx);
-+ BN_free(Qy);
-+ return 1;
-+ }
-+
-+static int SigGen(FILE *in, FILE *out)
-+ {
-+ char buf[2048], lbuf[2048];
-+ char *keyword, *value;
-+ unsigned char *msg;
-+ int curve_nid = NID_undef;
-+ long mlen;
-+ BIGNUM *Qx = NULL, *Qy = NULL;
-+ EC_KEY *key = NULL;
-+ ECDSA_SIG *sig = NULL;
-+ const EVP_MD *digest = NULL;
-+ Qx = BN_new();
-+ Qy = BN_new();
-+ while(fgets(buf, sizeof buf, in) != NULL)
-+ {
-+ fputs(buf, out);
-+ if (*buf == '[')
-+ {
-+ curve_nid = elookup_curve(buf, lbuf, &digest);
-+ if (curve_nid == NID_undef)
-+ return 0;
-+ }
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ if (!strcmp(keyword, "Msg"))
-+ {
-+ msg = hex2bin_m(value, &mlen);
-+ if (!msg)
-+ {
-+ fprintf(stderr, "Invalid Message\n");
-+ return 0;
-+ }
-+
-+ key = EC_KEY_new_by_curve_name(curve_nid);
-+ if (!EC_KEY_generate_key(key))
-+ {
-+ fprintf(stderr, "Error generating key\n");
-+ return 0;
-+ }
-+
-+ if (!ec_get_pubkey(key, Qx, Qy))
-+ {
-+ fprintf(stderr, "Error getting public key\n");
-+ return 0;
-+ }
-+
-+ sig = FIPS_ecdsa_sign(key, msg, mlen, digest);
-+
-+ if (!sig)
-+ {
-+ fprintf(stderr, "Error signing message\n");
-+ return 0;
-+ }
-+
-+ do_bn_print_name(out, "Qx", Qx);
-+ do_bn_print_name(out, "Qy", Qy);
-+ do_bn_print_name(out, "R", sig->r);
-+ do_bn_print_name(out, "S", sig->s);
-+
-+ EC_KEY_free(key);
-+ OPENSSL_free(msg);
-+ FIPS_ecdsa_sig_free(sig);
-+
-+ }
-+
-+ }
-+ BN_free(Qx);
-+ BN_free(Qy);
-+ return 1;
-+ }
-+
-+static int SigVer(FILE *in, FILE *out)
-+ {
-+ char buf[2048], lbuf[2048];
-+ char *keyword, *value;
-+ unsigned char *msg = NULL;
-+ int curve_nid = NID_undef;
-+ long mlen;
-+ BIGNUM *Qx = NULL, *Qy = NULL;
-+ EC_KEY *key = NULL;
-+ ECDSA_SIG sg, *sig = &sg;
-+ const EVP_MD *digest = NULL;
-+ sig->r = NULL;
-+ sig->s = NULL;
-+ while(fgets(buf, sizeof buf, in) != NULL)
-+ {
-+ fputs(buf, out);
-+ if (*buf == '[')
-+ {
-+ curve_nid = elookup_curve(buf, lbuf, &digest);
-+ if (curve_nid == NID_undef)
-+ return 0;
-+ }
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ if (!strcmp(keyword, "Msg"))
-+ {
-+ msg = hex2bin_m(value, &mlen);
-+ if (!msg)
-+ {
-+ fprintf(stderr, "Invalid Message\n");
-+ return 0;
-+ }
-+ }
-+
-+ if (!strcmp(keyword, "Qx"))
-+ {
-+ if (!do_hex2bn(&Qx, value))
-+ {
-+ fprintf(stderr, "Invalid Qx value\n");
-+ return 0;
-+ }
-+ }
-+ if (!strcmp(keyword, "Qy"))
-+ {
-+ if (!do_hex2bn(&Qy, value))
-+ {
-+ fprintf(stderr, "Invalid Qy value\n");
-+ return 0;
-+ }
-+ }
-+ if (!strcmp(keyword, "R"))
-+ {
-+ if (!do_hex2bn(&sig->r, value))
-+ {
-+ fprintf(stderr, "Invalid R value\n");
-+ return 0;
-+ }
-+ }
-+ if (!strcmp(keyword, "S"))
-+ {
-+ int rv;
-+ if (!do_hex2bn(&sig->s, value))
-+ {
-+ fprintf(stderr, "Invalid S value\n");
-+ return 0;
-+ }
-+ key = EC_KEY_new_by_curve_name(curve_nid);
-+ rv = EC_KEY_set_public_key_affine_coordinates(key, Qx, Qy);
-+
-+ if (rv != 1)
-+ {
-+ fprintf(stderr, "Error setting public key\n");
-+ return 0;
-+ }
-+
-+ no_err = 1;
-+ rv = FIPS_ecdsa_verify(key, msg, mlen, digest, sig);
-+ EC_KEY_free(key);
-+ if (msg)
-+ OPENSSL_free(msg);
-+ no_err = 0;
-+
-+ fprintf(out, "Result = %s" RESP_EOL, rv ? "P":"F");
-+ }
-+
-+ }
-+ if (sig->r)
-+ BN_free(sig->r);
-+ if (sig->s)
-+ BN_free(sig->s);
-+ if (Qx)
-+ BN_free(Qx);
-+ if (Qy)
-+ BN_free(Qy);
-+ return 1;
-+ }
-+#ifdef FIPS_ALGVS
-+int fips_ecdsavs_main(int argc, char **argv)
-+#else
-+int main(int argc, char **argv)
-+#endif
-+ {
-+ FILE *in = NULL, *out = NULL;
-+ const char *cmd = argv[1];
-+ int rv = 0;
-+ fips_algtest_init();
-+
-+ if (argc == 4)
-+ {
-+ in = fopen(argv[2], "r");
-+ if (!in)
-+ {
-+ fprintf(stderr, "Error opening input file\n");
-+ exit(1);
-+ }
-+ out = fopen(argv[3], "w");
-+ if (!out)
-+ {
-+ fprintf(stderr, "Error opening output file\n");
-+ exit(1);
-+ }
-+ }
-+ else if (argc == 2)
-+ {
-+ in = stdin;
-+ out = stdout;
-+ }
-+
-+ if (!cmd)
-+ {
-+ fprintf(stderr, "fips_ecdsavs [KeyPair|PKV|SigGen|SigVer]\n");
-+ return 1;
-+ }
-+ if (!strcmp(cmd, "KeyPair"))
-+ rv = KeyPair(in, out);
-+ else if (!strcmp(cmd, "PKV"))
-+ rv = PKV(in, out);
-+ else if (!strcmp(cmd, "SigVer"))
-+ rv = SigVer(in, out);
-+ else if (!strcmp(cmd, "SigGen"))
-+ rv = SigGen(in, out);
-+ else
-+ {
-+ fprintf(stderr, "Unknown command %s\n", cmd);
-+ return 1;
-+ }
-+
-+ if (argc == 4)
-+ {
-+ fclose(in);
-+ fclose(out);
-+ }
-+
-+ if (rv <= 0)
-+ {
-+ fprintf(stderr, "Error running %s\n", cmd);
-+ return 1;
-+ }
-+
-+ return 0;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/fips_ecdh_selftest.c.fips-ec openssl-1.0.1j/crypto/fips/fips_ecdh_selftest.c
---- openssl-1.0.1j/crypto/fips/fips_ecdh_selftest.c.fips-ec 2014-10-16 13:25:20.733109257 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_ecdh_selftest.c 2014-10-16 13:25:20.733109257 +0200
-@@ -0,0 +1,252 @@
-+/* fips/ecdh/fips_ecdh_selftest.c */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project 2011.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/ec.h>
-+#include <openssl/ecdh.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+
-+#ifdef OPENSSL_FIPS
-+
-+#include "fips_locl.h"
-+
-+static const unsigned char p256_qcavsx[] = {
-+ 0x52,0xc6,0xa5,0x75,0xf3,0x04,0x98,0xb3,0x29,0x66,0x0c,0x62,
-+ 0x18,0x60,0x55,0x41,0x59,0xd4,0x60,0x85,0x99,0xc1,0x51,0x13,
-+ 0x6f,0x97,0x85,0x93,0x33,0x34,0x07,0x50
-+};
-+static const unsigned char p256_qcavsy[] = {
-+ 0x6f,0x69,0x24,0xeb,0xe9,0x3b,0xa7,0xcc,0x47,0x17,0xaa,0x3f,
-+ 0x70,0xfc,0x10,0x73,0x0a,0xcd,0x21,0xee,0x29,0x19,0x1f,0xaf,
-+ 0xb4,0x1c,0x1e,0xc2,0x8e,0x97,0x81,0x6e
-+};
-+static const unsigned char p256_qiutx[] = {
-+ 0x71,0x46,0x88,0x08,0x92,0x21,0x1b,0x10,0x21,0x74,0xff,0x0c,
-+ 0x94,0xde,0x34,0x7c,0x86,0x74,0xbe,0x67,0x41,0x68,0xd4,0xc1,
-+ 0xe5,0x75,0x63,0x9c,0xa7,0x46,0x93,0x6f
-+};
-+static const unsigned char p256_qiuty[] = {
-+ 0x33,0x40,0xa9,0x6a,0xf5,0x20,0xb5,0x9e,0xfc,0x60,0x1a,0xae,
-+ 0x3d,0xf8,0x21,0xd2,0xa7,0xca,0x52,0x34,0xb9,0x5f,0x27,0x75,
-+ 0x6c,0x81,0xbe,0x32,0x4d,0xba,0xbb,0xf8
-+};
-+static const unsigned char p256_qiutd[] = {
-+ 0x1a,0x48,0x55,0x6b,0x11,0xbe,0x92,0xd4,0x1c,0xd7,0x45,0xc3,
-+ 0x82,0x81,0x51,0xf1,0x23,0x40,0xb7,0x83,0xfd,0x01,0x6d,0xbc,
-+ 0xa1,0x66,0xaf,0x0a,0x03,0x23,0xcd,0xc8
-+};
-+static const unsigned char p256_ziut[] = {
-+ 0x77,0x2a,0x1e,0x37,0xee,0xe6,0x51,0x02,0x71,0x40,0xf8,0x6a,
-+ 0x36,0xf8,0x65,0x61,0x2b,0x18,0x71,0x82,0x23,0xe6,0xf2,0x77,
-+ 0xce,0xec,0xb8,0x49,0xc7,0xbf,0x36,0x4f
-+};
-+
-+
-+typedef struct
-+ {
-+ int curve;
-+ const unsigned char *x1;
-+ size_t x1len;
-+ const unsigned char *y1;
-+ size_t y1len;
-+ const unsigned char *d1;
-+ size_t d1len;
-+ const unsigned char *x2;
-+ size_t x2len;
-+ const unsigned char *y2;
-+ size_t y2len;
-+ const unsigned char *z;
-+ size_t zlen;
-+ } ECDH_SELFTEST_DATA;
-+
-+#define make_ecdh_test(nid, pr) { nid, \
-+ pr##_qiutx, sizeof(pr##_qiutx), \
-+ pr##_qiuty, sizeof(pr##_qiuty), \
-+ pr##_qiutd, sizeof(pr##_qiutd), \
-+ pr##_qcavsx, sizeof(pr##_qcavsx), \
-+ pr##_qcavsy, sizeof(pr##_qcavsy), \
-+ pr##_ziut, sizeof(pr##_ziut) }
-+
-+static ECDH_SELFTEST_DATA test_ecdh_data[] =
-+ {
-+ make_ecdh_test(NID_X9_62_prime256v1, p256),
-+ };
-+
-+int FIPS_selftest_ecdh(void)
-+ {
-+ EC_KEY *ec1 = NULL, *ec2 = NULL;
-+ const EC_POINT *ecp = NULL;
-+ BIGNUM *x = NULL, *y = NULL, *d = NULL;
-+ unsigned char *ztmp = NULL;
-+ int rv = 1;
-+ size_t i;
-+
-+ for (i = 0; i < sizeof(test_ecdh_data)/sizeof(ECDH_SELFTEST_DATA); i++)
-+ {
-+ ECDH_SELFTEST_DATA *ecd = test_ecdh_data + i;
-+ if (!fips_post_started(FIPS_TEST_ECDH, ecd->curve, 0))
-+ continue;
-+ ztmp = OPENSSL_malloc(ecd->zlen);
-+
-+ x = BN_bin2bn(ecd->x1, ecd->x1len, x);
-+ y = BN_bin2bn(ecd->y1, ecd->y1len, y);
-+ d = BN_bin2bn(ecd->d1, ecd->d1len, d);
-+
-+ if (!x || !y || !d || !ztmp)
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ ec1 = EC_KEY_new_by_curve_name(ecd->curve);
-+ if (!ec1)
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
-+
-+ if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y))
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ if (!EC_KEY_set_private_key(ec1, d))
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ x = BN_bin2bn(ecd->x2, ecd->x2len, x);
-+ y = BN_bin2bn(ecd->y2, ecd->y2len, y);
-+
-+ if (!x || !y)
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ ec2 = EC_KEY_new_by_curve_name(ecd->curve);
-+ if (!ec2)
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
-+
-+ if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y))
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ ecp = EC_KEY_get0_public_key(ec2);
-+ if (!ecp)
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0))
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ if (!fips_post_corrupt(FIPS_TEST_ECDH, ecd->curve, NULL))
-+ ztmp[0] ^= 0x1;
-+
-+ if (memcmp(ztmp, ecd->z, ecd->zlen))
-+ {
-+ fips_post_failed(FIPS_TEST_ECDH, ecd->curve, 0);
-+ rv = 0;
-+ }
-+ else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0))
-+ goto err;
-+
-+ EC_KEY_free(ec1);
-+ ec1 = NULL;
-+ EC_KEY_free(ec2);
-+ ec2 = NULL;
-+ OPENSSL_free(ztmp);
-+ ztmp = NULL;
-+ }
-+
-+ err:
-+
-+ if (x)
-+ BN_clear_free(x);
-+ if (y)
-+ BN_clear_free(y);
-+ if (d)
-+ BN_clear_free(d);
-+ if (ec1)
-+ EC_KEY_free(ec1);
-+ if (ec2)
-+ EC_KEY_free(ec2);
-+ if (ztmp)
-+ OPENSSL_free(ztmp);
-+
-+ return rv;
-+
-+ }
-+
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/fips_ecdsa_selftest.c.fips-ec openssl-1.0.1j/crypto/fips/fips_ecdsa_selftest.c
---- openssl-1.0.1j/crypto/fips/fips_ecdsa_selftest.c.fips-ec 2014-10-16 13:25:20.733109257 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_ecdsa_selftest.c 2014-10-16 13:25:20.733109257 +0200
-@@ -0,0 +1,167 @@
-+/* fips/ecdsa/fips_ecdsa_selftest.c */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project 2011.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/ec.h>
-+#include <openssl/ecdsa.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+
-+#ifdef OPENSSL_FIPS
-+
-+static const char P_256_name[] = "ECDSA P-256";
-+
-+static const unsigned char P_256_d[] = {
-+ 0x51,0xbd,0x06,0xa1,0x1c,0xda,0xe2,0x12,0x99,0xc9,0x52,0x3f,
-+ 0xea,0xa4,0xd2,0xd1,0xf4,0x7f,0xd4,0x3e,0xbd,0xf8,0xfc,0x87,
-+ 0xdc,0x82,0x53,0x21,0xee,0xa0,0xdc,0x64
-+};
-+static const unsigned char P_256_qx[] = {
-+ 0x23,0x89,0xe0,0xf4,0x69,0xe0,0x49,0xe5,0xc7,0xe5,0x40,0x6e,
-+ 0x8f,0x25,0xdd,0xad,0x11,0x16,0x14,0x9b,0xab,0x44,0x06,0x31,
-+ 0xbf,0x5e,0xa6,0x44,0xac,0x86,0x00,0x07
-+};
-+static const unsigned char P_256_qy[] = {
-+ 0xb3,0x05,0x0d,0xd0,0xdc,0xf7,0x40,0xe6,0xf9,0xd8,0x6d,0x7b,
-+ 0x63,0xca,0x97,0xe6,0x12,0xf9,0xd4,0x18,0x59,0xbe,0xb2,0x5e,
-+ 0x4a,0x6a,0x77,0x23,0xf4,0x11,0x9d,0xeb
-+};
-+
-+typedef struct
-+ {
-+ int curve;
-+ const char *name;
-+ const unsigned char *x;
-+ size_t xlen;
-+ const unsigned char *y;
-+ size_t ylen;
-+ const unsigned char *d;
-+ size_t dlen;
-+ } EC_SELFTEST_DATA;
-+
-+#define make_ecdsa_test(nid, pr) { nid, pr##_name, \
-+ pr##_qx, sizeof(pr##_qx), \
-+ pr##_qy, sizeof(pr##_qy), \
-+ pr##_d, sizeof(pr##_d)}
-+
-+static EC_SELFTEST_DATA test_ec_data[] =
-+ {
-+ make_ecdsa_test(NID_X9_62_prime256v1, P_256),
-+ };
-+
-+int FIPS_selftest_ecdsa()
-+ {
-+ EC_KEY *ec = NULL;
-+ BIGNUM *x = NULL, *y = NULL, *d = NULL;
-+ EVP_PKEY *pk = NULL;
-+ int rv = 0;
-+ size_t i;
-+
-+ for (i = 0; i < sizeof(test_ec_data)/sizeof(EC_SELFTEST_DATA); i++)
-+ {
-+ EC_SELFTEST_DATA *ecd = test_ec_data + i;
-+
-+ x = BN_bin2bn(ecd->x, ecd->xlen, x);
-+ y = BN_bin2bn(ecd->y, ecd->ylen, y);
-+ d = BN_bin2bn(ecd->d, ecd->dlen, d);
-+
-+ if (!x || !y || !d)
-+ goto err;
-+
-+ ec = EC_KEY_new_by_curve_name(ecd->curve);
-+ if (!ec)
-+ goto err;
-+
-+ if (!EC_KEY_set_public_key_affine_coordinates(ec, x, y))
-+ goto err;
-+
-+ if (!EC_KEY_set_private_key(ec, d))
-+ goto err;
-+
-+ if ((pk=EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_assign_EC_KEY(pk, ec);
-+
-+ if (!fips_pkey_signature_test(pk, NULL, 0,
-+ NULL, 0, EVP_sha256(), 0,
-+ ecd->name))
-+ goto err;
-+ }
-+
-+ rv = 1;
-+
-+ err:
-+
-+ if (x)
-+ BN_clear_free(x);
-+ if (y)
-+ BN_clear_free(y);
-+ if (d)
-+ BN_clear_free(d);
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+ else if (ec)
-+ EC_KEY_free(ec);
-+
-+ return rv;
-+
-+ }
-+
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/fips.h.fips-ec openssl-1.0.1j/crypto/fips/fips.h
---- openssl-1.0.1j/crypto/fips/fips.h.fips-ec 2014-10-16 13:25:20.701108535 +0200
-+++ openssl-1.0.1j/crypto/fips/fips.h 2014-10-16 13:25:20.733109257 +0200
-@@ -93,6 +93,8 @@ int FIPS_selftest_rsa(void);
- void FIPS_corrupt_dsa(void);
- void FIPS_corrupt_dsa_keygen(void);
- int FIPS_selftest_dsa(void);
-+int FIPS_selftest_ecdsa(void);
-+int FIPS_selftest_ecdh(void);
- void FIPS_corrupt_rng(void);
- void FIPS_rng_stick(void);
- void FIPS_x931_stick(int onoff);
-diff -up openssl-1.0.1j/crypto/fips/fips_post.c.fips-ec openssl-1.0.1j/crypto/fips/fips_post.c
---- openssl-1.0.1j/crypto/fips/fips_post.c.fips-ec 2014-10-16 13:25:20.702108557 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_post.c 2014-10-16 13:25:20.733109257 +0200
-@@ -95,8 +95,12 @@ int FIPS_selftest(void)
- rv = 0;
- if (!FIPS_selftest_rsa())
- rv = 0;
-+ if (!FIPS_selftest_ecdsa())
-+ rv = 0;
- if (!FIPS_selftest_dsa())
- rv = 0;
-+ if (!FIPS_selftest_ecdh())
-+ rv = 0;
- return rv;
- }
-
-diff -up openssl-1.0.1j/crypto/fips/Makefile.fips-ec openssl-1.0.1j/crypto/fips/Makefile
---- openssl-1.0.1j/crypto/fips/Makefile.fips-ec 2014-10-16 13:25:20.704108603 +0200
-+++ openssl-1.0.1j/crypto/fips/Makefile 2014-10-16 13:25:20.734109280 +0200
-@@ -24,13 +24,13 @@ LIBSRC=fips_aes_selftest.c fips_des_self
- fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
- fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
- fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
-- fips_cmac_selftest.c fips_enc.c fips_md.c
-+ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c
-
- LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \
- fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \
- fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \
- fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \
-- fips_cmac_selftest.o fips_enc.o fips_md.o
-+ fips_cmac_selftest.o fips_ecdh_selftest.o fips_ecdsa_selftest.o fips_enc.o fips_md.o
-
- LIBCRYPTO=-L.. -lcrypto
-
-@@ -119,6 +119,21 @@ fips_aes_selftest.o: ../../include/opens
- fips_aes_selftest.o: ../../include/openssl/safestack.h
- fips_aes_selftest.o: ../../include/openssl/stack.h
- fips_aes_selftest.o: ../../include/openssl/symhacks.h fips_aes_selftest.c
-+fips_cmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_cmac_selftest.o: ../../include/openssl/cmac.h
-+fips_cmac_selftest.o: ../../include/openssl/crypto.h
-+fips_cmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_cmac_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_cmac_selftest.o: ../../include/openssl/lhash.h
-+fips_cmac_selftest.o: ../../include/openssl/obj_mac.h
-+fips_cmac_selftest.o: ../../include/openssl/objects.h
-+fips_cmac_selftest.o: ../../include/openssl/opensslconf.h
-+fips_cmac_selftest.o: ../../include/openssl/opensslv.h
-+fips_cmac_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_cmac_selftest.o: ../../include/openssl/safestack.h
-+fips_cmac_selftest.o: ../../include/openssl/stack.h
-+fips_cmac_selftest.o: ../../include/openssl/symhacks.h fips_cmac_selftest.c
-+fips_cmac_selftest.o: fips_locl.h
- fips_des_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
- fips_des_selftest.o: ../../include/openssl/crypto.h
- fips_des_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-@@ -232,6 +247,46 @@ fips_dsa_selftest.o: ../../include/opens
- fips_dsa_selftest.o: ../../include/openssl/stack.h
- fips_dsa_selftest.o: ../../include/openssl/symhacks.h fips_dsa_selftest.c
- fips_dsa_selftest.o: fips_locl.h
-+fips_ecdh_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_ecdh_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-+fips_ecdh_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-+fips_ecdh_selftest.o: ../../include/openssl/ecdh.h ../../include/openssl/err.h
-+fips_ecdh_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_ecdh_selftest.o: ../../include/openssl/lhash.h
-+fips_ecdh_selftest.o: ../../include/openssl/obj_mac.h
-+fips_ecdh_selftest.o: ../../include/openssl/objects.h
-+fips_ecdh_selftest.o: ../../include/openssl/opensslconf.h
-+fips_ecdh_selftest.o: ../../include/openssl/opensslv.h
-+fips_ecdh_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_ecdh_selftest.o: ../../include/openssl/safestack.h
-+fips_ecdh_selftest.o: ../../include/openssl/stack.h
-+fips_ecdh_selftest.o: ../../include/openssl/symhacks.h fips_ecdh_selftest.c
-+fips_ecdh_selftest.o: fips_locl.h
-+fips_ecdsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_ecdsa_selftest.o: ../../include/openssl/bn.h
-+fips_ecdsa_selftest.o: ../../include/openssl/crypto.h
-+fips_ecdsa_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-+fips_ecdsa_selftest.o: ../../include/openssl/ecdsa.h
-+fips_ecdsa_selftest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+fips_ecdsa_selftest.o: ../../include/openssl/fips.h
-+fips_ecdsa_selftest.o: ../../include/openssl/lhash.h
-+fips_ecdsa_selftest.o: ../../include/openssl/obj_mac.h
-+fips_ecdsa_selftest.o: ../../include/openssl/objects.h
-+fips_ecdsa_selftest.o: ../../include/openssl/opensslconf.h
-+fips_ecdsa_selftest.o: ../../include/openssl/opensslv.h
-+fips_ecdsa_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_ecdsa_selftest.o: ../../include/openssl/safestack.h
-+fips_ecdsa_selftest.o: ../../include/openssl/stack.h
-+fips_ecdsa_selftest.o: ../../include/openssl/symhacks.h fips_ecdsa_selftest.c
-+fips_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_enc.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-+fips_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+fips_enc.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
-+fips_enc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-+fips_enc.o: ../../include/openssl/opensslconf.h
-+fips_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-+fips_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-+fips_enc.o: ../../include/openssl/symhacks.h fips_enc.c
- fips_hmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
- fips_hmac_selftest.o: ../../include/openssl/crypto.h
- fips_hmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-@@ -246,6 +301,15 @@ fips_hmac_selftest.o: ../../include/open
- fips_hmac_selftest.o: ../../include/openssl/safestack.h
- fips_hmac_selftest.o: ../../include/openssl/stack.h
- fips_hmac_selftest.o: ../../include/openssl/symhacks.h fips_hmac_selftest.c
-+fips_md.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_md.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-+fips_md.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+fips_md.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
-+fips_md.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-+fips_md.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-+fips_md.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-+fips_md.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-+fips_md.o: fips_md.c
- fips_post.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
- fips_post.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
- fips_post.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-diff -up openssl-1.0.1j/version.map.fips-ec openssl-1.0.1j/version.map
---- openssl-1.0.1j/version.map.fips-ec 2014-10-16 13:25:20.716108873 +0200
-+++ openssl-1.0.1j/version.map 2014-10-16 13:25:20.734109280 +0200
-@@ -6,3 +6,7 @@ OPENSSL_1.0.1 {
- _original*;
- _current*;
- };
-+OPENSSL_1.0.1_EC {
-+ global:
-+ EC*;
-+};
diff --git a/openssl-1.0.1j-fips.patch b/openssl-1.0.1j-fips.patch
deleted file mode 100644
index dff6aca..0000000
--- a/openssl-1.0.1j-fips.patch
+++ /dev/null
@@ -1,20400 +0,0 @@
-diff -up openssl-1.0.1j/apps/speed.c.fips openssl-1.0.1j/apps/speed.c
---- openssl-1.0.1j/apps/speed.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/apps/speed.c 2014-10-16 13:19:35.084306085 +0200
-@@ -195,7 +195,6 @@
- #ifdef OPENSSL_DOING_MAKEDEPEND
- #undef AES_set_encrypt_key
- #undef AES_set_decrypt_key
--#undef DES_set_key_unchecked
- #endif
- #define BF_set_key private_BF_set_key
- #define CAST_set_key private_CAST_set_key
-@@ -203,7 +202,6 @@
- #define SEED_set_key private_SEED_set_key
- #define RC2_set_key private_RC2_set_key
- #define RC4_set_key private_RC4_set_key
--#define DES_set_key_unchecked private_DES_set_key_unchecked
- #define AES_set_encrypt_key private_AES_set_encrypt_key
- #define AES_set_decrypt_key private_AES_set_decrypt_key
- #define Camellia_set_key private_Camellia_set_key
-@@ -941,7 +939,12 @@ int MAIN(int argc, char **argv)
- #ifndef OPENSSL_NO_RSA
- if (strcmp(*argv,"rsa") == 0)
- {
-+#ifdef OPENSSL_FIPS
-+ if (!FIPS_mode())
-+#endif
-+ {
- rsa_doit[R_RSA_512]=1;
-+ }
- rsa_doit[R_RSA_1024]=1;
- rsa_doit[R_RSA_2048]=1;
- rsa_doit[R_RSA_4096]=1;
-@@ -951,7 +954,12 @@ int MAIN(int argc, char **argv)
- #ifndef OPENSSL_NO_DSA
- if (strcmp(*argv,"dsa") == 0)
- {
-+#ifdef OPENSSL_FIPS
-+ if (!FIPS_mode())
-+#endif
-+ {
- dsa_doit[R_DSA_512]=1;
-+ }
- dsa_doit[R_DSA_1024]=1;
- dsa_doit[R_DSA_2048]=1;
- }
-@@ -1162,12 +1170,18 @@ int MAIN(int argc, char **argv)
- {
- for (i=0; i<ALGOR_NUM; i++)
- {
-- if (i != D_EVP)
-+ if (i != D_EVP &&
-+ (!FIPS_mode() || (i != D_WHIRLPOOL &&
-+ i != D_MD2 && i != D_MD4 &&
-+ i != D_MD5 && i != D_MDC2 &&
-+ i != D_RMD160)))
- doit[i]=1;
- }
- for (i=0; i<RSA_NUM; i++)
-+ if (!FIPS_mode() || i != R_RSA_512)
- rsa_doit[i]=1;
- for (i=0; i<DSA_NUM; i++)
-+ if (!FIPS_mode() || i != R_DSA_512)
- dsa_doit[i]=1;
- #ifndef OPENSSL_NO_ECDSA
- for (i=0; i<EC_NUM; i++)
-@@ -1226,30 +1240,54 @@ int MAIN(int argc, char **argv)
- AES_set_encrypt_key(key32,256,&aes_ks3);
- #endif
- #ifndef OPENSSL_NO_CAMELLIA
-+ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML])
-+ {
- Camellia_set_key(key16,128,&camellia_ks1);
- Camellia_set_key(ckey24,192,&camellia_ks2);
- Camellia_set_key(ckey32,256,&camellia_ks3);
-+ }
- #endif
- #ifndef OPENSSL_NO_IDEA
-+ if (doit[D_CBC_IDEA])
-+ {
- idea_set_encrypt_key(key16,&idea_ks);
-+ }
- #endif
- #ifndef OPENSSL_NO_SEED
-+ if (doit[D_CBC_SEED])
-+ {
- SEED_set_key(key16,&seed_ks);
-+ }
- #endif
- #ifndef OPENSSL_NO_RC4
-+ if (doit[D_RC4])
-+ {
- RC4_set_key(&rc4_ks,16,key16);
-+ }
- #endif
- #ifndef OPENSSL_NO_RC2
-+ if (doit[D_CBC_RC2])
-+ {
- RC2_set_key(&rc2_ks,16,key16,128);
-+ }
- #endif
- #ifndef OPENSSL_NO_RC5
-+ if (doit[D_CBC_RC5])
-+ {
- RC5_32_set_key(&rc5_ks,16,key16,12);
-+ }
- #endif
- #ifndef OPENSSL_NO_BF
-+ if (doit[D_CBC_BF])
-+ {
- BF_set_key(&bf_ks,16,key16);
-+ }
- #endif
- #ifndef OPENSSL_NO_CAST
-+ if (doit[D_CBC_CAST])
-+ {
- CAST_set_key(&cast_ks,16,key16);
-+ }
- #endif
- #ifndef OPENSSL_NO_RSA
- memset(rsa_c,0,sizeof(rsa_c));
-@@ -1564,6 +1602,7 @@ int MAIN(int argc, char **argv)
- HMAC_CTX hctx;
-
- HMAC_CTX_init(&hctx);
-+ HMAC_CTX_set_flags(&hctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- HMAC_Init_ex(&hctx,(unsigned char *)"This is a key...",
- 16,EVP_md5(), NULL);
-
-diff -up openssl-1.0.1j/Configure.fips openssl-1.0.1j/Configure
---- openssl-1.0.1j/Configure.fips 2014-10-16 13:19:35.056305452 +0200
-+++ openssl-1.0.1j/Configure 2014-10-16 13:19:35.084306085 +0200
-@@ -998,11 +998,6 @@ if (defined($disabled{"md5"}) || defined
- $disabled{"ssl2"} = "forced";
- }
-
--if ($fips && $fipslibdir eq "")
-- {
-- $fipslibdir = $fipsdir . "/lib/";
-- }
--
- # RSAX ENGINE sets default non-FIPS RSA method.
- if ($fips)
- {
-@@ -1477,7 +1472,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($b
- if ($fips)
- {
- $openssl_other_defines.="#define OPENSSL_FIPS\n";
-- $cflags .= " -I\$(FIPSDIR)/include";
- }
-
- $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/);
-@@ -1664,9 +1658,12 @@ while (<IN>)
-
- s/^FIPSDIR=.*/FIPSDIR=$fipsdir/;
- s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
-- s/^FIPSCANLIB=.*/FIPSCANLIB=libcrypto/ if $fips;
- s/^BASEADDR=.*/BASEADDR=$baseaddr/;
-
-+ if ($fips)
-+ {
-+ s/^FIPS=.*/FIPS=yes/;
-+ }
- s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
- s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
- s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
-diff -up openssl-1.0.1j/crypto/aes/aes_misc.c.fips openssl-1.0.1j/crypto/aes/aes_misc.c
---- openssl-1.0.1j/crypto/aes/aes_misc.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/aes/aes_misc.c 2014-10-16 13:19:35.085306107 +0200
-@@ -69,17 +69,11 @@ const char *AES_options(void) {
- int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
- AES_KEY *key)
- {
--#ifdef OPENSSL_FIPS
-- fips_cipher_abort(AES);
--#endif
- return private_AES_set_encrypt_key(userKey, bits, key);
- }
-
- int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
- AES_KEY *key)
- {
--#ifdef OPENSSL_FIPS
-- fips_cipher_abort(AES);
--#endif
- return private_AES_set_decrypt_key(userKey, bits, key);
- }
-diff -up openssl-1.0.1j/crypto/cmac/cmac.c.fips openssl-1.0.1j/crypto/cmac/cmac.c
---- openssl-1.0.1j/crypto/cmac/cmac.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/cmac/cmac.c 2014-10-16 13:19:35.085306107 +0200
-@@ -107,13 +107,6 @@ CMAC_CTX *CMAC_CTX_new(void)
-
- void CMAC_CTX_cleanup(CMAC_CTX *ctx)
- {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !ctx->cctx.engine)
-- {
-- FIPS_cmac_ctx_cleanup(ctx);
-- return;
-- }
--#endif
- EVP_CIPHER_CTX_cleanup(&ctx->cctx);
- OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH);
- OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH);
-@@ -164,11 +157,6 @@ int CMAC_Init(CMAC_CTX *ctx, const void
- EVPerr(EVP_F_CMAC_INIT, EVP_R_DISABLED_FOR_FIPS);
- return 0;
- }
-- /* Other algorithm blocking will be done in FIPS_cmac_init,
-- * via FIPS_cipherinit().
-- */
-- if (!impl && !ctx->cctx.engine)
-- return FIPS_cmac_init(ctx, key, keylen, cipher, NULL);
- }
- #endif
- /* All zeros means restart */
-@@ -216,10 +204,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi
- {
- const unsigned char *data = in;
- size_t bl;
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !ctx->cctx.engine)
-- return FIPS_cmac_update(ctx, in, dlen);
--#endif
- if (ctx->nlast_block == -1)
- return 0;
- if (dlen == 0)
-@@ -261,10 +245,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi
- int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen)
- {
- int i, bl, lb;
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !ctx->cctx.engine)
-- return FIPS_cmac_final(ctx, out, poutlen);
--#endif
- if (ctx->nlast_block == -1)
- return 0;
- bl = EVP_CIPHER_CTX_block_size(&ctx->cctx);
-diff -up openssl-1.0.1j/crypto/crypto.h.fips openssl-1.0.1j/crypto/crypto.h
---- openssl-1.0.1j/crypto/crypto.h.fips 2014-10-16 13:19:34.918302337 +0200
-+++ openssl-1.0.1j/crypto/crypto.h 2014-10-16 13:19:35.085306107 +0200
-@@ -553,24 +553,29 @@ int FIPS_mode_set(int r);
- void OPENSSL_init(void);
-
- #define fips_md_init(alg) fips_md_init_ctx(alg, alg)
-+#define nonfips_md_init(alg) nonfips_md_init_ctx(alg, alg)
-+#define fips_md_init_ctx(alg, cx) \
-+ int alg##_Init(cx##_CTX *c)
-
- #ifdef OPENSSL_FIPS
--#define fips_md_init_ctx(alg, cx) \
-+#define nonfips_md_init_ctx(alg, cx) \
- int alg##_Init(cx##_CTX *c) \
- { \
- if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
-- "Low level API call to digest " #alg " forbidden in FIPS mode!"); \
-+ "Digest " #alg " forbidden in FIPS mode!"); \
- return private_##alg##_Init(c); \
- } \
- int private_##alg##_Init(cx##_CTX *c)
-
- #define fips_cipher_abort(alg) \
- if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
-- "Low level API call to cipher " #alg " forbidden in FIPS mode!")
-+ "Cipher " #alg " forbidden in FIPS mode!")
-+
-+/* die if FIPS selftest failed */
-+void FIPS_selftest_check(void);
-
- #else
--#define fips_md_init_ctx(alg, cx) \
-- int alg##_Init(cx##_CTX *c)
-+#define nonfips_md_init_ctx(alg, cx) fips_md_init_ctx(alg, cx)
- #define fips_cipher_abort(alg) while(0)
- #endif
-
-@@ -587,6 +592,9 @@ int CRYPTO_memcmp(const void *a, const v
- */
- void ERR_load_CRYPTO_strings(void);
-
-+#define OPENSSL_HAVE_INIT 1
-+void OPENSSL_init_library(void);
-+
- /* Error codes for the CRYPTO functions. */
-
- /* Function codes. */
-diff -up openssl-1.0.1j/crypto/des/des.h.fips openssl-1.0.1j/crypto/des/des.h
---- openssl-1.0.1j/crypto/des/des.h.fips 2014-10-16 13:19:34.967303443 +0200
-+++ openssl-1.0.1j/crypto/des/des.h 2014-10-16 13:19:35.085306107 +0200
-@@ -224,9 +224,6 @@ int DES_set_key(const_DES_cblock *key,DE
- int DES_key_sched(const_DES_cblock *key,DES_key_schedule *schedule);
- int DES_set_key_checked(const_DES_cblock *key,DES_key_schedule *schedule);
- void DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule);
--#ifdef OPENSSL_FIPS
--void private_DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule);
--#endif
- void DES_string_to_key(const char *str,DES_cblock *key);
- void DES_string_to_2keys(const char *str,DES_cblock *key1,DES_cblock *key2);
- void DES_cfb64_encrypt(const unsigned char *in,unsigned char *out,long length,
-diff -up openssl-1.0.1j/crypto/des/set_key.c.fips openssl-1.0.1j/crypto/des/set_key.c
---- openssl-1.0.1j/crypto/des/set_key.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/des/set_key.c 2014-10-16 13:19:35.085306107 +0200
-@@ -336,13 +336,6 @@ int DES_set_key_checked(const_DES_cblock
- }
-
- void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
--#ifdef OPENSSL_FIPS
-- {
-- fips_cipher_abort(DES);
-- private_DES_set_key_unchecked(key, schedule);
-- }
--void private_DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
--#endif
- {
- static const int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0};
- register DES_LONG c,d,t,s,t2;
-diff -up openssl-1.0.1j/crypto/dh/dh_gen.c.fips openssl-1.0.1j/crypto/dh/dh_gen.c
---- openssl-1.0.1j/crypto/dh/dh_gen.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/dh/dh_gen.c 2014-10-16 13:19:35.085306107 +0200
-@@ -84,11 +84,6 @@ int DH_generate_parameters_ex(DH *ret, i
- #endif
- if(ret->meth->generate_params)
- return ret->meth->generate_params(ret, prime_len, generator, cb);
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_dh_generate_parameters_ex(ret, prime_len,
-- generator, cb);
--#endif
- return dh_builtin_genparams(ret, prime_len, generator, cb);
- }
-
-@@ -123,6 +118,20 @@ static int dh_builtin_genparams(DH *ret,
- int g,ok= -1;
- BN_CTX *ctx=NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS,FIPS_R_FIPS_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
-+ {
-+ DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
-+ goto err;
-+ }
-+#endif
-+
- ctx=BN_CTX_new();
- if (ctx == NULL) goto err;
- BN_CTX_start(ctx);
-diff -up openssl-1.0.1j/crypto/dh/dh.h.fips openssl-1.0.1j/crypto/dh/dh.h
---- openssl-1.0.1j/crypto/dh/dh.h.fips 2014-10-16 13:19:34.887301637 +0200
-+++ openssl-1.0.1j/crypto/dh/dh.h 2014-10-16 13:19:35.086306130 +0200
-@@ -77,6 +77,8 @@
- # define OPENSSL_DH_MAX_MODULUS_BITS 10000
- #endif
-
-+#define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
-+
- #define DH_FLAG_CACHE_MONT_P 0x01
- #define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
- * implementation now uses constant time
-@@ -210,6 +212,7 @@ int DH_check(const DH *dh,int *codes);
- int DH_check_pub_key(const DH *dh,const BIGNUM *pub_key, int *codes);
- int DH_generate_key(DH *dh);
- int DH_compute_key(unsigned char *key,const BIGNUM *pub_key,DH *dh);
-+int DH_compute_key_padded(unsigned char *key,const BIGNUM *pub_key,DH *dh);
- DH * d2i_DHparams(DH **a,const unsigned char **pp, long length);
- int i2d_DHparams(const DH *a,unsigned char **pp);
- #ifndef OPENSSL_NO_FP_API
-diff -up openssl-1.0.1j/crypto/dh/dh_key.c.fips openssl-1.0.1j/crypto/dh/dh_key.c
---- openssl-1.0.1j/crypto/dh/dh_key.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/dh/dh_key.c 2014-10-16 13:19:35.086306130 +0200
-@@ -61,6 +61,9 @@
- #include <openssl/bn.h>
- #include <openssl/rand.h>
- #include <openssl/dh.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-
- static int generate_key(DH *dh);
- static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
-@@ -97,6 +100,21 @@ int DH_compute_key(unsigned char *key, c
- return dh->meth->compute_key(key, pub_key, dh);
- }
-
-+int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
-+ {
-+ int rv, pad;
-+ rv = DH_compute_key(key, pub_key, dh);
-+ if (rv <= 0)
-+ return rv;
-+ pad = BN_num_bytes(dh->p) - rv;
-+ if (pad > 0)
-+ {
-+ memmove(key + pad, key, rv);
-+ memset(key, 0, pad);
-+ }
-+ return rv + pad;
-+ }
-+
- static DH_METHOD dh_ossl = {
- "OpenSSL DH Method",
- generate_key,
-@@ -104,7 +122,7 @@ compute_key,
- dh_bn_mod_exp,
- dh_init,
- dh_finish,
--0,
-+DH_FLAG_FIPS_METHOD,
- NULL,
- NULL
- };
-@@ -123,6 +141,14 @@ static int generate_key(DH *dh)
- BN_MONT_CTX *mont=NULL;
- BIGNUM *pub_key=NULL,*priv_key=NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
-+ {
-+ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
-+ return 0;
-+ }
-+#endif
-+
- ctx = BN_CTX_new();
- if (ctx == NULL) goto err;
-
-@@ -213,6 +239,13 @@ static int compute_key(unsigned char *ke
- DHerr(DH_F_COMPUTE_KEY,DH_R_MODULUS_TOO_LARGE);
- goto err;
- }
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS))
-+ {
-+ DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
-+ goto err;
-+ }
-+#endif
-
- ctx = BN_CTX_new();
- if (ctx == NULL) goto err;
-@@ -280,6 +313,9 @@ static int dh_bn_mod_exp(const DH *dh, B
-
- static int dh_init(DH *dh)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- dh->flags |= DH_FLAG_CACHE_MONT_P;
- return(1);
- }
-diff -up openssl-1.0.1j/crypto/dh/dh_lib.c.fips openssl-1.0.1j/crypto/dh/dh_lib.c
---- openssl-1.0.1j/crypto/dh/dh_lib.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/dh/dh_lib.c 2014-10-16 13:19:35.086306130 +0200
-@@ -81,14 +81,7 @@ const DH_METHOD *DH_get_default_method(v
- {
- if(!default_DH_method)
- {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_dh_openssl();
-- else
-- return DH_OpenSSL();
--#else
- default_DH_method = DH_OpenSSL();
--#endif
- }
- return default_DH_method;
- }
-diff -up openssl-1.0.1j/crypto/dsa/dsa_err.c.fips openssl-1.0.1j/crypto/dsa/dsa_err.c
---- openssl-1.0.1j/crypto/dsa/dsa_err.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/dsa/dsa_err.c 2014-10-16 13:19:35.086306130 +0200
-@@ -74,6 +74,8 @@ static ERR_STRING_DATA DSA_str_functs[]=
- {ERR_FUNC(DSA_F_DO_DSA_PRINT), "DO_DSA_PRINT"},
- {ERR_FUNC(DSA_F_DSAPARAMS_PRINT), "DSAparams_print"},
- {ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP), "DSAparams_print_fp"},
-+{ERR_FUNC(DSA_F_DSA_BUILTIN_KEYGEN), "dsa_builtin_keygen"},
-+{ERR_FUNC(DSA_F_DSA_BUILTIN_PARAMGEN), "dsa_builtin_paramgen"},
- {ERR_FUNC(DSA_F_DSA_DO_SIGN), "DSA_do_sign"},
- {ERR_FUNC(DSA_F_DSA_DO_VERIFY), "DSA_do_verify"},
- {ERR_FUNC(DSA_F_DSA_GENERATE_KEY), "DSA_generate_key"},
-@@ -106,6 +108,8 @@ static ERR_STRING_DATA DSA_str_reasons[]
- {ERR_REASON(DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
- {ERR_REASON(DSA_R_DECODE_ERROR) ,"decode error"},
- {ERR_REASON(DSA_R_INVALID_DIGEST_TYPE) ,"invalid digest type"},
-+{ERR_REASON(DSA_R_KEY_SIZE_INVALID) ,"key size invalid"},
-+{ERR_REASON(DSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"},
- {ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"},
- {ERR_REASON(DSA_R_MODULUS_TOO_LARGE) ,"modulus too large"},
- {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES) ,"need new setup values"},
-diff -up openssl-1.0.1j/crypto/dsa/dsa_gen.c.fips openssl-1.0.1j/crypto/dsa/dsa_gen.c
---- openssl-1.0.1j/crypto/dsa/dsa_gen.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/dsa/dsa_gen.c 2014-10-16 13:19:35.086306130 +0200
-@@ -85,6 +85,14 @@
- #include <openssl/fips.h>
- #endif
-
-+#ifndef OPENSSL_FIPS
-+static int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
-+ const EVP_MD *evpmd, unsigned char *seed, int seed_len,
-+ BIGNUM **p_ret, BIGNUM **q_ret, int *counter_ret, BN_GENCB *cb);
-+static int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
-+ BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb);
-+#endif
-+
- int DSA_generate_parameters_ex(DSA *ret, int bits,
- const unsigned char *seed_in, int seed_len,
- int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
-@@ -100,14 +108,6 @@ int DSA_generate_parameters_ex(DSA *ret,
- if(ret->meth->dsa_paramgen)
- return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
- counter_ret, h_ret, cb);
--#ifdef OPENSSL_FIPS
-- else if (FIPS_mode())
-- {
-- return FIPS_dsa_generate_parameters_ex(ret, bits,
-- seed_in, seed_len,
-- counter_ret, h_ret, cb);
-- }
--#endif
- else
- {
- const EVP_MD *evpmd;
-@@ -125,27 +125,119 @@ int DSA_generate_parameters_ex(DSA *ret,
- }
-
- return dsa_builtin_paramgen(ret, bits, qbits, evpmd,
-- seed_in, seed_len, NULL, counter_ret, h_ret, cb);
-+ seed_in, seed_len, counter_ret, h_ret, cb);
- }
- }
-
-+#ifdef OPENSSL_FIPS
-+int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
-+ const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
-+ int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
-+ {
-+ return dsa_builtin_paramgen(ret, bits, qbits,
-+ evpmd, seed_in, seed_len,
-+ counter_ret, h_ret, cb);
-+ }
-+#endif
-+
- int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
- const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
-- unsigned char *seed_out,
- int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
- {
- int ok=0;
- unsigned char seed[SHA256_DIGEST_LENGTH];
-+ BIGNUM *g=NULL,*q=NULL,*p=NULL;
-+ size_t qsize = qbits >> 3;
-+ BN_CTX *ctx=NULL;
-+
-+#ifdef OPENSSL_FIPS
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN,
-+ FIPS_R_FIPS_SELFTEST_FAILED);
-+ goto err;
-+ }
-+
-+ if (FIPS_module_mode() &&
-+ (bits != 1024 || qbits != 160) &&
-+ (bits != 2048 || qbits != 224) &&
-+ (bits != 2048 || qbits != 256) &&
-+ (bits != 3072 || qbits != 256))
-+ {
-+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
-+ goto err;
-+ }
-+#endif
-+ if (seed_len && (seed_len < (size_t)qsize))
-+ seed_in = NULL; /* seed buffer too small -- ignore */
-+ if (seed_len > sizeof(seed))
-+ seed_len = sizeof(seed); /* App. 2.2 of FIPS PUB 186 allows larger SEED,
-+ * but our internal buffers are restricted to 256 bits*/
-+ if (seed_in != NULL)
-+ memcpy(seed, seed_in, seed_len);
-+ else
-+ seed_len = 0;
-+
-+ if ((ctx=BN_CTX_new()) == NULL)
-+ goto err;
-+
-+ BN_CTX_start(ctx);
-+
-+ if (!FIPS_dsa_generate_pq(ctx, bits, qbits, evpmd,
-+ seed, seed_len, &p, &q, counter_ret, cb))
-+ goto err;
-+
-+ if (!FIPS_dsa_generate_g(ctx, p, q, &g, h_ret, cb))
-+ goto err;
-+
-+ ok=1;
-+err:
-+ if (ok)
-+ {
-+ if(ret->p)
-+ {
-+ BN_free(ret->p);
-+ ret->p = NULL;
-+ }
-+ if(ret->q)
-+ {
-+ BN_free(ret->q);
-+ ret->q = NULL;
-+ }
-+ if(ret->g)
-+ {
-+ BN_free(ret->g);
-+ ret->g = NULL;
-+ }
-+ ret->p=BN_dup(p);
-+ ret->q=BN_dup(q);
-+ ret->g=BN_dup(g);
-+ if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
-+ ok=0;
-+ }
-+ if(ctx)
-+ {
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
-+ }
-+ return ok;
-+ }
-+
-+#ifndef OPENSSL_FIPS
-+static
-+#endif
-+int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
-+ const EVP_MD *evpmd, unsigned char *seed, int seed_len,
-+ BIGNUM **p_ret, BIGNUM **q_ret, int *counter_ret, BN_GENCB *cb)
-+ {
-+ int ok=0;
- unsigned char md[SHA256_DIGEST_LENGTH];
-- unsigned char buf[SHA256_DIGEST_LENGTH],buf2[SHA256_DIGEST_LENGTH];
-+ unsigned char buf[SHA256_DIGEST_LENGTH];
- BIGNUM *r0,*W,*X,*c,*test;
-- BIGNUM *g=NULL,*q=NULL,*p=NULL;
-- BN_MONT_CTX *mont=NULL;
-- int i, k, n=0, m=0, qsize = qbits >> 3;
-+ BIGNUM *q=NULL,*p=NULL;
-+ int i, k, b, n=0, m=0, qsize = qbits >> 3;
- int counter=0;
- int r=0;
-- BN_CTX *ctx=NULL;
-- unsigned int h=2;
-
- if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH &&
- qsize != SHA256_DIGEST_LENGTH)
-@@ -153,51 +245,43 @@ int dsa_builtin_paramgen(DSA *ret, size_
- return 0;
-
- if (evpmd == NULL)
-- /* use SHA1 as default */
-- evpmd = EVP_sha1();
-+ {
-+ if (qbits <= 160)
-+ evpmd = EVP_sha1();
-+ else if (qbits <= 224)
-+ evpmd = EVP_sha224();
-+ else
-+ evpmd = EVP_sha256();
-+ }
-
- if (bits < 512)
- bits = 512;
-
- bits = (bits+63)/64*64;
-
-- /* NB: seed_len == 0 is special case: copy generated seed to
-- * seed_in if it is not NULL.
-- */
-- if (seed_len && (seed_len < (size_t)qsize))
-- seed_in = NULL; /* seed buffer too small -- ignore */
-- if (seed_len > (size_t)qsize)
-- seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger SEED,
-- * but our internal buffers are restricted to 160 bits*/
-- if (seed_in != NULL)
-- memcpy(seed, seed_in, seed_len);
--
-- if ((ctx=BN_CTX_new()) == NULL)
-- goto err;
--
-- if ((mont=BN_MONT_CTX_new()) == NULL)
-- goto err;
--
-- BN_CTX_start(ctx);
- r0 = BN_CTX_get(ctx);
-- g = BN_CTX_get(ctx);
- W = BN_CTX_get(ctx);
-- q = BN_CTX_get(ctx);
-+ *q_ret = q = BN_CTX_get(ctx);
- X = BN_CTX_get(ctx);
- c = BN_CTX_get(ctx);
-- p = BN_CTX_get(ctx);
-+ *p_ret = p = BN_CTX_get(ctx);
- test = BN_CTX_get(ctx);
-
- if (!BN_lshift(test,BN_value_one(),bits-1))
- goto err;
-
-+ /* step 3 n = \lceil bits / qbits \rceil - 1 */
-+ n = (bits+qbits-1)/qbits - 1;
-+ /* step 4 b = bits - 1 - n * qbits */
-+ b = bits - 1 - n*qbits;
-+
- for (;;)
- {
- for (;;) /* find q */
- {
- int seed_is_random;
-
-- /* step 1 */
-+ /* step 5 generate seed */
- if(!BN_GENCB_call(cb, 0, m++))
- goto err;
-
-@@ -212,30 +296,18 @@ int dsa_builtin_paramgen(DSA *ret, size_
- seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/
- }
- memcpy(buf , seed, qsize);
-- memcpy(buf2, seed, qsize);
-- /* precompute "SEED + 1" for step 7: */
-- for (i = qsize-1; i >= 0; i--)
-- {
-- buf[i]++;
-- if (buf[i] != 0)
-- break;
-- }
-
-- /* step 2 */
-+ /* step 6 U = hash(seed) */
- if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
- goto err;
-- if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
-- goto err;
-- for (i = 0; i < qsize; i++)
-- md[i]^=buf2[i];
-
-- /* step 3 */
-+ /* step 7 q = 2^(qbits-1) + U + 1 - (U mod 2) */
- md[0] |= 0x80;
- md[qsize-1] |= 0x01;
- if (!BN_bin2bn(md, qsize, q))
- goto err;
-
-- /* step 4 */
-+ /* step 8 test for prime (64 round of Rabin-Miller) */
- r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
- seed_is_random, cb);
- if (r > 0)
-@@ -243,27 +315,22 @@ int dsa_builtin_paramgen(DSA *ret, size_
- if (r != 0)
- goto err;
-
-- /* do a callback call */
-- /* step 5 */
- }
-
- if(!BN_GENCB_call(cb, 2, 0)) goto err;
- if(!BN_GENCB_call(cb, 3, 0)) goto err;
-
-- /* step 6 */
-+ /* step 11 */
- counter=0;
-- /* "offset = 2" */
--
-- n=(bits-1)/160;
-+ /* "offset = 1" */
-
- for (;;)
- {
- if ((counter != 0) && !BN_GENCB_call(cb, 0, counter))
- goto err;
-
-- /* step 7 */
-+ /* step 11.1, 11.2 obtain W */
- BN_zero(W);
-- /* now 'buf' contains "SEED + offset - 1" */
- for (k=0; k<=n; k++)
- {
- /* obtain "SEED + offset + k" by incrementing: */
-@@ -278,28 +345,30 @@ int dsa_builtin_paramgen(DSA *ret, size_
- NULL))
- goto err;
-
-- /* step 8 */
- if (!BN_bin2bn(md, qsize, r0))
- goto err;
-- if (!BN_lshift(r0,r0,(qsize << 3)*k)) goto err;
-+ if (k == n)
-+ BN_mask_bits(r0,b);
-+ if (!BN_lshift(r0,r0,qbits*k)) goto err;
- if (!BN_add(W,W,r0)) goto err;
- }
-
-- /* more of step 8 */
-- if (!BN_mask_bits(W,bits-1)) goto err;
-+ /* step 11.3 X = W + 2^(L-1) */
- if (!BN_copy(X,W)) goto err;
- if (!BN_add(X,X,test)) goto err;
-
-- /* step 9 */
-+ /* step 11.4 c = X mod 2*q */
- if (!BN_lshift1(r0,q)) goto err;
- if (!BN_mod(c,X,r0,ctx)) goto err;
-+
-+ /* step 11.5 p = X - (c - 1) */
- if (!BN_sub(r0,c,BN_value_one())) goto err;
- if (!BN_sub(p,X,r0)) goto err;
-
-- /* step 10 */
-+ /* step 11.6 */
- if (BN_cmp(p,test) >= 0)
- {
-- /* step 11 */
-+ /* step 11.7 */
- r = BN_is_prime_fasttest_ex(p, DSS_prime_checks,
- ctx, 1, cb);
- if (r > 0)
-@@ -308,19 +377,45 @@ int dsa_builtin_paramgen(DSA *ret, size_
- goto err;
- }
-
-- /* step 13 */
-+ /* step 11.9 */
- counter++;
- /* "offset = offset + n + 1" */
-
-- /* step 14 */
-- if (counter >= 4096) break;
-+ /* step 12 */
-+ if (counter >= 4*bits) break;
- }
- }
- end:
- if(!BN_GENCB_call(cb, 2, 1))
- goto err;
-
-- /* We now need to generate g */
-+ ok=1;
-+err:
-+ if (ok)
-+ {
-+ if (counter_ret != NULL) *counter_ret=counter;
-+ }
-+ return ok;
-+ }
-+
-+#ifndef OPENSSL_FIPS
-+static
-+#endif
-+int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
-+ BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb)
-+ {
-+ int ok=0;
-+ BIGNUM *r0, *test, *g = NULL;
-+ BN_MONT_CTX *mont;
-+ unsigned int h=2;
-+
-+ if ((mont=BN_MONT_CTX_new()) == NULL)
-+ goto err;
-+
-+ r0 = BN_CTX_get(ctx);
-+ *g_ret = g = BN_CTX_get(ctx);
-+ test = BN_CTX_get(ctx);
-+
- /* Set r0=(p-1)/q */
- if (!BN_sub(test,p,BN_value_one())) goto err;
- if (!BN_div(r0,NULL,test,q,ctx)) goto err;
-@@ -344,26 +439,7 @@ end:
- err:
- if (ok)
- {
-- if(ret->p) BN_free(ret->p);
-- if(ret->q) BN_free(ret->q);
-- if(ret->g) BN_free(ret->g);
-- ret->p=BN_dup(p);
-- ret->q=BN_dup(q);
-- ret->g=BN_dup(g);
-- if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
-- {
-- ok=0;
-- goto err;
-- }
-- if (counter_ret != NULL) *counter_ret=counter;
- if (h_ret != NULL) *h_ret=h;
-- if (seed_out)
-- memcpy(seed_out, seed, qsize);
-- }
-- if(ctx)
-- {
-- BN_CTX_end(ctx);
-- BN_CTX_free(ctx);
- }
- if (mont != NULL) BN_MONT_CTX_free(mont);
- return ok;
-diff -up openssl-1.0.1j/crypto/dsa/dsa.h.fips openssl-1.0.1j/crypto/dsa/dsa.h
---- openssl-1.0.1j/crypto/dsa/dsa.h.fips 2014-10-16 13:19:34.791299470 +0200
-+++ openssl-1.0.1j/crypto/dsa/dsa.h 2014-10-16 13:19:35.087306152 +0200
-@@ -88,6 +88,8 @@
- # define OPENSSL_DSA_MAX_MODULUS_BITS 10000
- #endif
-
-+#define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
-+
- #define DSA_FLAG_CACHE_MONT_P 0x01
- #define DSA_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DSA
- * implementation now uses constant time
-@@ -264,6 +266,17 @@ int DSA_print_fp(FILE *bp, const DSA *x,
- DH *DSA_dup_DH(const DSA *r);
- #endif
-
-+#ifdef OPENSSL_FIPS
-+int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
-+ const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
-+ int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
-+int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
-+ const EVP_MD *evpmd, unsigned char *seed, int seed_len,
-+ BIGNUM **p_ret, BIGNUM **q_ret, int *counter_ret, BN_GENCB *cb);
-+int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
-+ BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb);
-+#endif
-+
- #define EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, nbits) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, \
- EVP_PKEY_CTRL_DSA_PARAMGEN_BITS, nbits, NULL)
-@@ -285,10 +298,13 @@ void ERR_load_DSA_strings(void);
- #define DSA_F_DO_DSA_PRINT 104
- #define DSA_F_DSAPARAMS_PRINT 100
- #define DSA_F_DSAPARAMS_PRINT_FP 101
-+#define DSA_F_DSA_BUILTIN_KEYGEN 124
-+#define DSA_F_DSA_BUILTIN_PARAMGEN 123
- #define DSA_F_DSA_DO_SIGN 112
- #define DSA_F_DSA_DO_VERIFY 113
--#define DSA_F_DSA_GENERATE_KEY 124
--#define DSA_F_DSA_GENERATE_PARAMETERS_EX 123
-+#define DSA_F_DSA_GENERATE_KEY 126
-+#define DSA_F_DSA_GENERATE_PARAMETERS_EX 127
-+#define DSA_F_DSA_GENERATE_PARAMETERS /* unused */ 125
- #define DSA_F_DSA_NEW_METHOD 103
- #define DSA_F_DSA_PARAM_DECODE 119
- #define DSA_F_DSA_PRINT_FP 105
-@@ -314,11 +330,15 @@ void ERR_load_DSA_strings(void);
- #define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100
- #define DSA_R_DECODE_ERROR 104
- #define DSA_R_INVALID_DIGEST_TYPE 106
-+#define DSA_R_KEY_SIZE_INVALID 113
-+#define DSA_R_KEY_SIZE_TOO_SMALL 110
- #define DSA_R_MISSING_PARAMETERS 101
- #define DSA_R_MODULUS_TOO_LARGE 103
--#define DSA_R_NEED_NEW_SETUP_VALUES 110
-+#define DSA_R_NEED_NEW_SETUP_VALUES 112
- #define DSA_R_NON_FIPS_DSA_METHOD 111
-+#define DSA_R_NON_FIPS_METHOD 111
- #define DSA_R_NO_PARAMETERS_SET 107
-+#define DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE /* unused */ 112
- #define DSA_R_PARAMETER_ENCODING_ERROR 105
-
- #ifdef __cplusplus
-diff -up openssl-1.0.1j/crypto/dsa/dsa_key.c.fips openssl-1.0.1j/crypto/dsa/dsa_key.c
---- openssl-1.0.1j/crypto/dsa/dsa_key.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/dsa/dsa_key.c 2014-10-16 13:19:35.087306152 +0200
-@@ -66,6 +66,35 @@
-
- #ifdef OPENSSL_FIPS
- #include <openssl/fips.h>
-+#include <openssl/evp.h>
-+
-+static int fips_check_dsa(DSA *dsa)
-+ {
-+ EVP_PKEY *pk;
-+ unsigned char tbs[] = "DSA Pairwise Check Data";
-+ int ret = 0;
-+
-+ if ((pk=EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_set1_DSA(pk, dsa);
-+
-+ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))
-+ ret = 1;
-+
-+ err:
-+ if (ret == 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED);
-+ fips_set_selftest_fail();
-+ }
-+
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+
-+ return ret;
-+ }
-+
- #endif
-
- static int dsa_builtin_keygen(DSA *dsa);
-@@ -82,10 +111,6 @@ int DSA_generate_key(DSA *dsa)
- #endif
- if(dsa->meth->dsa_keygen)
- return dsa->meth->dsa_keygen(dsa);
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_dsa_generate_key(dsa);
--#endif
- return dsa_builtin_keygen(dsa);
- }
-
-@@ -95,6 +120,15 @@ static int dsa_builtin_keygen(DSA *dsa)
- BN_CTX *ctx=NULL;
- BIGNUM *pub_key=NULL,*priv_key=NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
-+ {
-+ DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
-+ goto err;
-+ }
-+#endif
-+
- if ((ctx=BN_CTX_new()) == NULL) goto err;
-
- if (dsa->priv_key == NULL)
-@@ -133,6 +167,14 @@ static int dsa_builtin_keygen(DSA *dsa)
-
- dsa->priv_key=priv_key;
- dsa->pub_key=pub_key;
-+#ifdef OPENSSL_FIPS
-+ if(FIPS_mode() && !fips_check_dsa(dsa))
-+ {
-+ dsa->pub_key = NULL;
-+ dsa->priv_key = NULL;
-+ goto err;
-+ }
-+#endif
- ok=1;
-
- err:
-diff -up openssl-1.0.1j/crypto/dsa/dsa_lib.c.fips openssl-1.0.1j/crypto/dsa/dsa_lib.c
---- openssl-1.0.1j/crypto/dsa/dsa_lib.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/dsa/dsa_lib.c 2014-10-16 13:19:35.087306152 +0200
-@@ -87,14 +87,7 @@ const DSA_METHOD *DSA_get_default_method
- {
- if(!default_DSA_method)
- {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_dsa_openssl();
-- else
-- return DSA_OpenSSL();
--#else
- default_DSA_method = DSA_OpenSSL();
--#endif
- }
- return default_DSA_method;
- }
-diff -up openssl-1.0.1j/crypto/dsa/dsa_locl.h.fips openssl-1.0.1j/crypto/dsa/dsa_locl.h
---- openssl-1.0.1j/crypto/dsa/dsa_locl.h.fips 2014-10-16 13:19:34.792299493 +0200
-+++ openssl-1.0.1j/crypto/dsa/dsa_locl.h 2014-10-16 13:19:35.087306152 +0200
-@@ -56,5 +56,4 @@
-
- int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
- const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
-- unsigned char *seed_out,
- int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
-diff -up openssl-1.0.1j/crypto/dsa/dsa_ossl.c.fips openssl-1.0.1j/crypto/dsa/dsa_ossl.c
---- openssl-1.0.1j/crypto/dsa/dsa_ossl.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/dsa/dsa_ossl.c 2014-10-16 13:19:35.087306152 +0200
-@@ -65,6 +65,9 @@
- #include <openssl/dsa.h>
- #include <openssl/rand.h>
- #include <openssl/asn1.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-
- static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
- static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
-@@ -82,7 +85,7 @@ NULL, /* dsa_mod_exp, */
- NULL, /* dsa_bn_mod_exp, */
- dsa_init,
- dsa_finish,
--0,
-+DSA_FLAG_FIPS_METHOD,
- NULL,
- NULL,
- NULL
-@@ -138,6 +141,21 @@ static DSA_SIG *dsa_do_sign(const unsign
- DSA_SIG *ret=NULL;
- int noredo = 0;
-
-+#ifdef OPENSSL_FIPS
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_DSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED);
-+ return NULL;
-+ }
-+
-+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
-+ {
-+ DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
-+ return NULL;
-+ }
-+#endif
-+
- BN_init(&m);
- BN_init(&xr);
-
-@@ -325,6 +343,21 @@ static int dsa_do_verify(const unsigned
- return -1;
- }
-
-+#ifdef OPENSSL_FIPS
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_DSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED);
-+ return -1;
-+ }
-+
-+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
-+ {
-+ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
-+ return -1;
-+ }
-+#endif
-+
- if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS)
- {
- DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
-@@ -399,6 +432,9 @@ static int dsa_do_verify(const unsigned
-
- static int dsa_init(DSA *dsa)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- dsa->flags|=DSA_FLAG_CACHE_MONT_P;
- return(1);
- }
-diff -up openssl-1.0.1j/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.1j/crypto/dsa/dsa_pmeth.c
---- openssl-1.0.1j/crypto/dsa/dsa_pmeth.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/dsa/dsa_pmeth.c 2014-10-16 13:19:35.087306152 +0200
-@@ -255,7 +255,7 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT
- if (!dsa)
- return 0;
- ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
-- NULL, 0, NULL, NULL, NULL, pcb);
-+ NULL, 0, NULL, NULL, pcb);
- if (ret)
- EVP_PKEY_assign_DSA(pkey, dsa);
- else
-diff -up openssl-1.0.1j/crypto/dsa/dsatest.c.fips openssl-1.0.1j/crypto/dsa/dsatest.c
---- openssl-1.0.1j/crypto/dsa/dsatest.c.fips 2014-10-15 14:51:06.000000000 +0200
-+++ openssl-1.0.1j/crypto/dsa/dsatest.c 2014-10-16 13:19:35.088306175 +0200
-@@ -96,36 +96,41 @@ static int MS_CALLBACK dsa_cb(int p, int
- /* seed, out_p, out_q, out_g are taken from the updated Appendix 5 to
- * FIPS PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 */
- static unsigned char seed[20]={
-- 0xd5,0x01,0x4e,0x4b,0x60,0xef,0x2b,0xa8,0xb6,0x21,0x1b,0x40,
-- 0x62,0xba,0x32,0x24,0xe0,0x42,0x7d,0xd3,
-+ 0x02,0x47,0x11,0x92,0x11,0x88,0xC8,0xFB,0xAF,0x48,0x4C,0x62,
-+ 0xDF,0xA5,0xBE,0xA0,0xA4,0x3C,0x56,0xE3,
- };
-
- static unsigned char out_p[]={
-- 0x8d,0xf2,0xa4,0x94,0x49,0x22,0x76,0xaa,
-- 0x3d,0x25,0x75,0x9b,0xb0,0x68,0x69,0xcb,
-- 0xea,0xc0,0xd8,0x3a,0xfb,0x8d,0x0c,0xf7,
-- 0xcb,0xb8,0x32,0x4f,0x0d,0x78,0x82,0xe5,
-- 0xd0,0x76,0x2f,0xc5,0xb7,0x21,0x0e,0xaf,
-- 0xc2,0xe9,0xad,0xac,0x32,0xab,0x7a,0xac,
-- 0x49,0x69,0x3d,0xfb,0xf8,0x37,0x24,0xc2,
-- 0xec,0x07,0x36,0xee,0x31,0xc8,0x02,0x91,
-+ 0xAC,0xCB,0x1E,0x63,0x60,0x69,0x0C,0xFB,0x06,0x19,0x68,0x3E,
-+ 0xA5,0x01,0x5A,0xA2,0x15,0x5C,0xE2,0x99,0x2D,0xD5,0x30,0x99,
-+ 0x7E,0x5F,0x8D,0xE2,0xF7,0xC6,0x2E,0x8D,0xA3,0x9F,0x58,0xAD,
-+ 0xD6,0xA9,0x7D,0x0E,0x0D,0x95,0x53,0xA6,0x71,0x3A,0xDE,0xAB,
-+ 0xAC,0xE9,0xF4,0x36,0x55,0x9E,0xB9,0xD6,0x93,0xBF,0xF3,0x18,
-+ 0x1C,0x14,0x7B,0xA5,0x42,0x2E,0xCD,0x00,0xEB,0x35,0x3B,0x1B,
-+ 0xA8,0x51,0xBB,0xE1,0x58,0x42,0x85,0x84,0x22,0xA7,0x97,0x5E,
-+ 0x99,0x6F,0x38,0x20,0xBD,0x9D,0xB6,0xD9,0x33,0x37,0x2A,0xFD,
-+ 0xBB,0xD4,0xBC,0x0C,0x2A,0x67,0xCB,0x9F,0xBB,0xDF,0xF9,0x93,
-+ 0xAA,0xD6,0xF0,0xD6,0x95,0x0B,0x5D,0x65,0x14,0xD0,0x18,0x9D,
-+ 0xC6,0xAF,0xF0,0xC6,0x37,0x7C,0xF3,0x5F,
- };
-
- static unsigned char out_q[]={
-- 0xc7,0x73,0x21,0x8c,0x73,0x7e,0xc8,0xee,
-- 0x99,0x3b,0x4f,0x2d,0xed,0x30,0xf4,0x8e,
-- 0xda,0xce,0x91,0x5f,
-+ 0xE3,0x8E,0x5E,0x6D,0xBF,0x2B,0x79,0xF8,0xC5,0x4B,0x89,0x8B,
-+ 0xBA,0x2D,0x91,0xC3,0x6C,0x80,0xAC,0x87,
- };
-
- static unsigned char out_g[]={
-- 0x62,0x6d,0x02,0x78,0x39,0xea,0x0a,0x13,
-- 0x41,0x31,0x63,0xa5,0x5b,0x4c,0xb5,0x00,
-- 0x29,0x9d,0x55,0x22,0x95,0x6c,0xef,0xcb,
-- 0x3b,0xff,0x10,0xf3,0x99,0xce,0x2c,0x2e,
-- 0x71,0xcb,0x9d,0xe5,0xfa,0x24,0xba,0xbf,
-- 0x58,0xe5,0xb7,0x95,0x21,0x92,0x5c,0x9c,
-- 0xc4,0x2e,0x9f,0x6f,0x46,0x4b,0x08,0x8c,
-- 0xc5,0x72,0xaf,0x53,0xe6,0xd7,0x88,0x02,
-+ 0x42,0x4A,0x04,0x4E,0x79,0xB4,0x99,0x7F,0xFD,0x58,0x36,0x2C,
-+ 0x1B,0x5F,0x18,0x7E,0x0D,0xCC,0xAB,0x81,0xC9,0x5D,0x10,0xCE,
-+ 0x4E,0x80,0x7E,0x58,0xB4,0x34,0x3F,0xA7,0x45,0xC7,0xAA,0x36,
-+ 0x24,0x42,0xA9,0x3B,0xE8,0x0E,0x04,0x02,0x2D,0xFB,0xA6,0x13,
-+ 0xB9,0xB5,0x15,0xA5,0x56,0x07,0x35,0xE4,0x03,0xB6,0x79,0x7C,
-+ 0x62,0xDD,0xDF,0x3F,0x71,0x3A,0x9D,0x8B,0xC4,0xF6,0xE7,0x1D,
-+ 0x52,0xA8,0xA9,0x43,0x1D,0x33,0x51,0x88,0x39,0xBD,0x73,0xE9,
-+ 0x5F,0xBE,0x82,0x49,0x27,0xE6,0xB5,0x53,0xC1,0x38,0xAC,0x2F,
-+ 0x6D,0x97,0x6C,0xEB,0x67,0xC1,0x5F,0x67,0xF8,0x35,0x05,0x5E,
-+ 0xD5,0x68,0x80,0xAA,0x96,0xCA,0x0B,0x8A,0xE6,0xF1,0xB1,0x41,
-+ 0xC6,0x75,0x94,0x0A,0x0A,0x2A,0xFA,0x29,
- };
-
- static const unsigned char str1[]="12345678901234567890";
-@@ -157,7 +162,7 @@ int main(int argc, char **argv)
- BIO_printf(bio_err,"test generation of DSA parameters\n");
-
- BN_GENCB_set(&cb, dsa_cb, bio_err);
-- if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512,
-+ if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 1024,
- seed, 20, &counter, &h, &cb))
- goto end;
-
-@@ -170,9 +175,9 @@ int main(int argc, char **argv)
- BIO_printf(bio_err,"\ncounter=%d h=%ld\n",counter,h);
-
- DSA_print(bio_err,dsa,0);
-- if (counter != 105)
-+ if (counter != 239)
- {
-- BIO_printf(bio_err,"counter should be 105\n");
-+ BIO_printf(bio_err,"counter should be 239\n");
- goto end;
- }
- if (h != 2)
-diff -up openssl-1.0.1j/crypto/engine/eng_all.c.fips openssl-1.0.1j/crypto/engine/eng_all.c
---- openssl-1.0.1j/crypto/engine/eng_all.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/engine/eng_all.c 2014-10-16 13:19:35.088306175 +0200
-@@ -58,11 +58,25 @@
-
- #include "cryptlib.h"
- #include "eng_int.h"
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-
- void ENGINE_load_builtin_engines(void)
- {
- /* Some ENGINEs need this */
- OPENSSL_cpuid_setup();
-+#ifdef OPENSSL_FIPS
-+ OPENSSL_init_library();
-+ if (FIPS_mode()) {
-+ /* We allow loading dynamic engine as a third party
-+ engine might be FIPS validated.
-+ User is disallowed to load non-validated engines
-+ by security policy. */
-+ ENGINE_load_dynamic();
-+ return;
-+ }
-+#endif
- #if 0
- /* There's no longer any need for an "openssl" ENGINE unless, one day,
- * it is the *only* way for standard builtin implementations to be be
-diff -up openssl-1.0.1j/crypto/evp/c_allc.c.fips openssl-1.0.1j/crypto/evp/c_allc.c
---- openssl-1.0.1j/crypto/evp/c_allc.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/evp/c_allc.c 2014-10-16 13:19:35.088306175 +0200
-@@ -65,6 +65,11 @@
- void OpenSSL_add_all_ciphers(void)
- {
-
-+#ifdef OPENSSL_FIPS
-+ OPENSSL_init_library();
-+ if(!FIPS_mode())
-+ {
-+#endif
- #ifndef OPENSSL_NO_DES
- EVP_add_cipher(EVP_des_cfb());
- EVP_add_cipher(EVP_des_cfb1());
-@@ -227,4 +232,60 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
- EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
- #endif
-+#ifdef OPENSSL_FIPS
-+ }
-+ else
-+ {
-+#ifndef OPENSSL_NO_DES
-+ EVP_add_cipher(EVP_des_ede_cfb());
-+ EVP_add_cipher(EVP_des_ede3_cfb());
-+
-+ EVP_add_cipher(EVP_des_ede_ofb());
-+ EVP_add_cipher(EVP_des_ede3_ofb());
-+
-+ EVP_add_cipher(EVP_des_ede_cbc());
-+ EVP_add_cipher(EVP_des_ede3_cbc());
-+ EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
-+ EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
-+
-+ EVP_add_cipher(EVP_des_ede());
-+ EVP_add_cipher(EVP_des_ede3());
-+#endif
-+
-+#ifndef OPENSSL_NO_AES
-+ EVP_add_cipher(EVP_aes_128_ecb());
-+ EVP_add_cipher(EVP_aes_128_cbc());
-+ EVP_add_cipher(EVP_aes_128_cfb());
-+ EVP_add_cipher(EVP_aes_128_cfb1());
-+ EVP_add_cipher(EVP_aes_128_cfb8());
-+ EVP_add_cipher(EVP_aes_128_ofb());
-+ EVP_add_cipher(EVP_aes_128_ctr());
-+ EVP_add_cipher(EVP_aes_128_gcm());
-+ EVP_add_cipher(EVP_aes_128_xts());
-+ EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
-+ EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
-+ EVP_add_cipher(EVP_aes_192_ecb());
-+ EVP_add_cipher(EVP_aes_192_cbc());
-+ EVP_add_cipher(EVP_aes_192_cfb());
-+ EVP_add_cipher(EVP_aes_192_cfb1());
-+ EVP_add_cipher(EVP_aes_192_cfb8());
-+ EVP_add_cipher(EVP_aes_192_ofb());
-+ EVP_add_cipher(EVP_aes_192_ctr());
-+ EVP_add_cipher(EVP_aes_192_gcm());
-+ EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
-+ EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
-+ EVP_add_cipher(EVP_aes_256_ecb());
-+ EVP_add_cipher(EVP_aes_256_cbc());
-+ EVP_add_cipher(EVP_aes_256_cfb());
-+ EVP_add_cipher(EVP_aes_256_cfb1());
-+ EVP_add_cipher(EVP_aes_256_cfb8());
-+ EVP_add_cipher(EVP_aes_256_ofb());
-+ EVP_add_cipher(EVP_aes_256_ctr());
-+ EVP_add_cipher(EVP_aes_256_gcm());
-+ EVP_add_cipher(EVP_aes_256_xts());
-+ EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
-+ EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
-+#endif
-+ }
-+#endif
- }
-diff -up openssl-1.0.1j/crypto/evp/c_alld.c.fips openssl-1.0.1j/crypto/evp/c_alld.c
---- openssl-1.0.1j/crypto/evp/c_alld.c.fips 2014-10-15 14:51:06.000000000 +0200
-+++ openssl-1.0.1j/crypto/evp/c_alld.c 2014-10-16 13:19:35.088306175 +0200
-@@ -64,6 +64,11 @@
-
- void OpenSSL_add_all_digests(void)
- {
-+#ifdef OPENSSL_FIPS
-+ OPENSSL_init_library();
-+ if (!FIPS_mode())
-+ {
-+#endif
- #ifndef OPENSSL_NO_MD4
- EVP_add_digest(EVP_md4());
- #endif
-@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
- #ifndef OPENSSL_NO_WHIRLPOOL
- EVP_add_digest(EVP_whirlpool());
- #endif
-+#ifdef OPENSSL_FIPS
-+ }
-+ else
-+ {
-+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
-+ EVP_add_digest(EVP_sha1());
-+ EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
-+ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
-+#ifndef OPENSSL_NO_DSA
-+ EVP_add_digest(EVP_dss1());
-+ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
-+ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
-+ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
-+#endif
-+#ifndef OPENSSL_NO_ECDSA
-+ EVP_add_digest(EVP_ecdsa());
-+#endif
-+#endif
-+#ifndef OPENSSL_NO_SHA256
-+ EVP_add_digest(EVP_sha224());
-+ EVP_add_digest(EVP_sha256());
-+#endif
-+#ifndef OPENSSL_NO_SHA512
-+ EVP_add_digest(EVP_sha384());
-+ EVP_add_digest(EVP_sha512());
-+#endif
-+ }
-+#endif
- }
-diff -up openssl-1.0.1j/crypto/evp/digest.c.fips openssl-1.0.1j/crypto/evp/digest.c
---- openssl-1.0.1j/crypto/evp/digest.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/evp/digest.c 2014-10-16 13:19:35.088306175 +0200
-@@ -142,9 +142,50 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons
- return EVP_DigestInit_ex(ctx, type, NULL);
- }
-
-+#ifdef OPENSSL_FIPS
-+
-+/* The purpose of these is to trap programs that attempt to use non FIPS
-+ * algorithms in FIPS mode and ignore the errors.
-+ */
-+
-+static int bad_init(EVP_MD_CTX *ctx)
-+ { FIPS_ERROR_IGNORED("Digest init"); return 0;}
-+
-+static int bad_update(EVP_MD_CTX *ctx,const void *data,size_t count)
-+ { FIPS_ERROR_IGNORED("Digest update"); return 0;}
-+
-+static int bad_final(EVP_MD_CTX *ctx,unsigned char *md)
-+ { FIPS_ERROR_IGNORED("Digest Final"); return 0;}
-+
-+static const EVP_MD bad_md =
-+ {
-+ 0,
-+ 0,
-+ 0,
-+ 0,
-+ bad_init,
-+ bad_update,
-+ bad_final,
-+ NULL,
-+ NULL,
-+ NULL,
-+ 0,
-+ {0,0,0,0},
-+ };
-+
-+#endif
-+
- int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
- {
- EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
-+#ifdef OPENSSL_FIPS
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_EVP_DIGESTINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED);
-+ ctx->digest = &bad_md;
-+ return 0;
-+ }
-+#endif
- #ifndef OPENSSL_NO_ENGINE
- /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
- * so this context may already have an ENGINE! Try to avoid releasing
-@@ -201,6 +242,18 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
- #endif
- if (ctx->digest != type)
- {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode())
-+ {
-+ if (!(type->flags & EVP_MD_FLAG_FIPS)
-+ && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))
-+ {
-+ EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
-+ ctx->digest = &bad_md;
-+ return 0;
-+ }
-+ }
-+#endif
- if (ctx->digest && ctx->digest->ctx_size)
- OPENSSL_free(ctx->md_data);
- ctx->digest=type;
-@@ -229,26 +282,15 @@ skip_to_init:
- }
- if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT)
- return 1;
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- {
-- if (FIPS_digestinit(ctx, type))
-- return 1;
-- OPENSSL_free(ctx->md_data);
-- ctx->md_data = NULL;
-- return 0;
-- }
--#endif
- return ctx->digest->init(ctx);
- }
-
- int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
- {
- #ifdef OPENSSL_FIPS
-- return FIPS_digestupdate(ctx, data, count);
--#else
-- return ctx->update(ctx,data,count);
-+ FIPS_selftest_check();
- #endif
-+ return ctx->update(ctx,data,count);
- }
-
- /* The caller can assume that this removes any secret data from the context */
-@@ -263,11 +305,11 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, uns
- /* The caller can assume that this removes any secret data from the context */
- int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
- {
--#ifdef OPENSSL_FIPS
-- return FIPS_digestfinal(ctx, md, size);
--#else
- int ret;
-
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
- ret=ctx->digest->final(ctx,md);
- if (size != NULL)
-@@ -279,7 +321,6 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx,
- }
- memset(ctx->md_data,0,ctx->digest->ctx_size);
- return ret;
--#endif
- }
-
- int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in)
-@@ -376,7 +417,6 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
- /* This call frees resources associated with the context */
- int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
- {
--#ifndef OPENSSL_FIPS
- /* Don't assume ctx->md_data was cleaned in EVP_Digest_Final,
- * because sometimes only copies of the context are ever finalised.
- */
-@@ -389,7 +429,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
- OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size);
- OPENSSL_free(ctx->md_data);
- }
--#endif
- if (ctx->pctx)
- EVP_PKEY_CTX_free(ctx->pctx);
- #ifndef OPENSSL_NO_ENGINE
-@@ -398,9 +437,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
- * functional reference we held for this reason. */
- ENGINE_finish(ctx->engine);
- #endif
--#ifdef OPENSSL_FIPS
-- FIPS_md_ctx_cleanup(ctx);
--#endif
- memset(ctx,'\0',sizeof *ctx);
-
- return 1;
-diff -up openssl-1.0.1j/crypto/evp/e_aes.c.fips openssl-1.0.1j/crypto/evp/e_aes.c
---- openssl-1.0.1j/crypto/evp/e_aes.c.fips 2014-10-16 13:19:35.048305272 +0200
-+++ openssl-1.0.1j/crypto/evp/e_aes.c 2014-10-16 13:19:35.089306198 +0200
-@@ -56,7 +56,6 @@
- #include <assert.h>
- #include <openssl/aes.h>
- #include "evp_locl.h"
--#ifndef OPENSSL_FIPS
- #include "modes_lcl.h"
- #include <openssl/rand.h>
-
-@@ -730,7 +729,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *
- if (arg <= 0)
- return 0;
- #ifdef OPENSSL_FIPS
-- if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
-+ if (FIPS_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
- && arg < 12)
- return 0;
- #endif
-@@ -1189,7 +1188,7 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
- return 0;
- #ifdef OPENSSL_FIPS
- /* Requirement of SP800-38E */
-- if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
-+ if (FIPS_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
- (len > (1UL<<20)*16))
- {
- EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
-@@ -1386,4 +1385,3 @@ BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm
- BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
-
- #endif
--#endif
-diff -up openssl-1.0.1j/crypto/evp/e_des3.c.fips openssl-1.0.1j/crypto/evp/e_des3.c
---- openssl-1.0.1j/crypto/evp/e_des3.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/evp/e_des3.c 2014-10-16 13:19:35.089306198 +0200
-@@ -65,8 +65,6 @@
- #include <openssl/des.h>
- #include <openssl/rand.h>
-
--#ifndef OPENSSL_FIPS
--
- static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- const unsigned char *iv,int enc);
-
-@@ -208,9 +206,9 @@ static int des_ede3_cfb8_cipher(EVP_CIPH
- }
-
- BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
-- EVP_CIPH_RAND_KEY, des_ede_init_key, NULL,
-- EVP_CIPHER_set_asn1_iv,
-- EVP_CIPHER_get_asn1_iv,
-+ EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
-+ des_ede_init_key,
-+ NULL, NULL, NULL,
- des3_ctrl)
-
- #define des_ede3_cfb64_cipher des_ede_cfb64_cipher
-@@ -219,21 +217,21 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY,
- #define des_ede3_ecb_cipher des_ede_ecb_cipher
-
- BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
-- EVP_CIPH_RAND_KEY, des_ede3_init_key, NULL,
-- EVP_CIPHER_set_asn1_iv,
-- EVP_CIPHER_get_asn1_iv,
-+ EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
-+ des_ede3_init_key,
-+ NULL, NULL, NULL,
- des3_ctrl)
-
- BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1,
-- EVP_CIPH_RAND_KEY, des_ede3_init_key,NULL,
-- EVP_CIPHER_set_asn1_iv,
-- EVP_CIPHER_get_asn1_iv,
-+ EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
-+ des_ede3_init_key,
-+ NULL, NULL, NULL,
- des3_ctrl)
-
- BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8,
-- EVP_CIPH_RAND_KEY, des_ede3_init_key,NULL,
-- EVP_CIPHER_set_asn1_iv,
-- EVP_CIPHER_get_asn1_iv,
-+ EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
-+ des_ede3_init_key,
-+ NULL, NULL, NULL,
- des3_ctrl)
-
- static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-@@ -313,4 +311,3 @@ const EVP_CIPHER *EVP_des_ede3(void)
- return &des_ede3_ecb;
- }
- #endif
--#endif
-diff -up openssl-1.0.1j/crypto/evp/e_null.c.fips openssl-1.0.1j/crypto/evp/e_null.c
---- openssl-1.0.1j/crypto/evp/e_null.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/evp/e_null.c 2014-10-16 13:19:35.089306198 +0200
-@@ -61,8 +61,6 @@
- #include <openssl/evp.h>
- #include <openssl/objects.h>
-
--#ifndef OPENSSL_FIPS
--
- static int null_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- const unsigned char *iv,int enc);
- static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-@@ -71,7 +69,7 @@ static const EVP_CIPHER n_cipher=
- {
- NID_undef,
- 1,0,0,
-- 0,
-+ EVP_CIPH_FLAG_FIPS,
- null_init_key,
- null_cipher,
- NULL,
-@@ -101,4 +99,3 @@ static int null_cipher(EVP_CIPHER_CTX *c
- memcpy((char *)out,(const char *)in,inl);
- return 1;
- }
--#endif
-diff -up openssl-1.0.1j/crypto/evp/evp_enc.c.fips openssl-1.0.1j/crypto/evp/evp_enc.c
---- openssl-1.0.1j/crypto/evp/evp_enc.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/evp/evp_enc.c 2014-10-16 13:21:57.064511350 +0200
-@@ -70,17 +70,58 @@
- #include "constant_time_locl.h"
- #include "evp_locl.h"
-
--#ifdef OPENSSL_FIPS
--#define M_do_cipher(ctx, out, in, inl) FIPS_cipher(ctx, out, in, inl)
--#else
- #define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl)
--#endif
-
-
- const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT;
-
-+#ifdef OPENSSL_FIPS
-+
-+/* The purpose of these is to trap programs that attempt to use non FIPS
-+ * algorithms in FIPS mode and ignore the errors.
-+ */
-+
-+static int bad_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-+ const unsigned char *iv, int enc)
-+ { FIPS_ERROR_IGNORED("Cipher init"); return 0;}
-+
-+static int bad_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+ const unsigned char *in, unsigned int inl)
-+ { FIPS_ERROR_IGNORED("Cipher update"); return 0;}
-+
-+/* NB: no cleanup because it is allowed after failed init */
-+
-+static int bad_set_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
-+ { FIPS_ERROR_IGNORED("Cipher set_asn1"); return 0;}
-+static int bad_get_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
-+ { FIPS_ERROR_IGNORED("Cipher get_asn1"); return 0;}
-+static int bad_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
-+ { FIPS_ERROR_IGNORED("Cipher ctrl"); return 0;}
-+
-+static const EVP_CIPHER bad_cipher =
-+ {
-+ 0,
-+ 0,
-+ 0,
-+ 0,
-+ 0,
-+ bad_init,
-+ bad_do_cipher,
-+ NULL,
-+ 0,
-+ bad_set_asn1,
-+ bad_get_asn1,
-+ bad_ctrl,
-+ NULL
-+ };
-+
-+#endif
-+
- void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- memset(ctx,0,sizeof(EVP_CIPHER_CTX));
- /* ctx->cipher=NULL; */
- }
-@@ -112,6 +153,14 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
- enc = 1;
- ctx->encrypt = enc;
- }
-+#ifdef OPENSSL_FIPS
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_EVP_CIPHERINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED);
-+ ctx->cipher = &bad_cipher;
-+ return 0;
-+ }
-+#endif
- #ifndef OPENSSL_NO_ENGINE
- /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
- * so this context may already have an ENGINE! Try to avoid releasing
-@@ -170,10 +219,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
- ctx->engine = NULL;
- #endif
-
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_cipherinit(ctx, cipher, key, iv, enc);
--#endif
- ctx->cipher=cipher;
- if (ctx->cipher->ctx_size)
- {
-@@ -207,10 +252,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
- #ifndef OPENSSL_NO_ENGINE
- skip_to_init:
- #endif
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_cipherinit(ctx, cipher, key, iv, enc);
--#endif
- /* we assume block size is a power of 2 in *cryptUpdate */
- OPENSSL_assert(ctx->cipher->block_size == 1
- || ctx->cipher->block_size == 8
-@@ -250,6 +291,22 @@ skip_to_init:
- }
- }
-
-+#ifdef OPENSSL_FIPS
-+ /* After 'key' is set no further parameters changes are permissible.
-+ * So only check for non FIPS enabling at this point.
-+ */
-+ if (key && FIPS_mode())
-+ {
-+ if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS)
-+ & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
-+ {
-+ EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS);
-+ ctx->cipher = &bad_cipher;
-+ return 0;
-+ }
-+ }
-+#endif
-+
- if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
- if(!ctx->cipher->init(ctx,key,iv,enc)) return 0;
- }
-@@ -575,7 +632,6 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX
-
- int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
- {
--#ifndef OPENSSL_FIPS
- if (c->cipher != NULL)
- {
- if(c->cipher->cleanup && !c->cipher->cleanup(c))
-@@ -586,16 +642,12 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CT
- }
- if (c->cipher_data)
- OPENSSL_free(c->cipher_data);
--#endif
- #ifndef OPENSSL_NO_ENGINE
- if (c->engine)
- /* The EVP_CIPHER we used belongs to an ENGINE, release the
- * functional reference we held for this reason. */
- ENGINE_finish(c->engine);
- #endif
--#ifdef OPENSSL_FIPS
-- FIPS_cipher_ctx_cleanup(c);
--#endif
- memset(c,0,sizeof(EVP_CIPHER_CTX));
- return 1;
- }
-diff -up openssl-1.0.1j/crypto/evp/evp.h.fips openssl-1.0.1j/crypto/evp/evp.h
---- openssl-1.0.1j/crypto/evp/evp.h.fips 2014-10-16 13:19:34.940302834 +0200
-+++ openssl-1.0.1j/crypto/evp/evp.h 2014-10-16 13:19:35.090306220 +0200
-@@ -75,6 +75,10 @@
- #include <openssl/bio.h>
- #endif
-
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- /*
- #define EVP_RC2_KEY_SIZE 16
- #define EVP_RC4_KEY_SIZE 16
-@@ -282,10 +286,6 @@ struct env_md_ctx_st
- * cleaned */
- #define EVP_MD_CTX_FLAG_REUSE 0x0004 /* Don't free up ctx->md_data
- * in EVP_MD_CTX_cleanup */
--/* FIPS and pad options are ignored in 1.0.0, definitions are here
-- * so we don't accidentally reuse the values for other purposes.
-- */
--
- #define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008 /* Allow use of non FIPS digest
- * in FIPS mode */
-
-@@ -297,6 +297,10 @@ struct env_md_ctx_st
- #define EVP_MD_CTX_FLAG_PAD_PKCS1 0x00 /* PKCS#1 v1.5 mode */
- #define EVP_MD_CTX_FLAG_PAD_X931 0x10 /* X9.31 mode */
- #define EVP_MD_CTX_FLAG_PAD_PSS 0x20 /* PSS mode */
-+#define M_EVP_MD_CTX_FLAG_PSS_SALT(ctx) \
-+ ((ctx->flags>>16) &0xFFFF) /* seed length */
-+#define EVP_MD_CTX_FLAG_PSS_MDLEN 0xFFFF /* salt len same as digest */
-+#define EVP_MD_CTX_FLAG_PSS_MREC 0xFFFE /* salt max or auto recovered */
-
- #define EVP_MD_CTX_FLAG_NO_INIT 0x0100 /* Don't initialize md_data */
-
-@@ -348,15 +352,15 @@ struct evp_cipher_st
- /* cipher handles random key generation */
- #define EVP_CIPH_RAND_KEY 0x200
- /* cipher has its own additional copying logic */
--#define EVP_CIPH_CUSTOM_COPY 0x400
-+#define EVP_CIPH_CUSTOM_COPY 0x4000
- /* Allow use default ASN1 get/set iv */
- #define EVP_CIPH_FLAG_DEFAULT_ASN1 0x1000
- /* Buffer length in bits not bytes: CFB1 mode only */
- #define EVP_CIPH_FLAG_LENGTH_BITS 0x2000
- /* Note if suitable for use in FIPS mode */
--#define EVP_CIPH_FLAG_FIPS 0x4000
-+#define EVP_CIPH_FLAG_FIPS 0x400
- /* Allow non FIPS cipher in FIPS mode */
--#define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x8000
-+#define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x800
- /* Cipher handles any and all padding logic as well
- * as finalisation.
- */
-diff -up openssl-1.0.1j/crypto/evp/evp_lib.c.fips openssl-1.0.1j/crypto/evp/evp_lib.c
---- openssl-1.0.1j/crypto/evp/evp_lib.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/evp/evp_lib.c 2014-10-16 13:19:35.090306220 +0200
-@@ -190,6 +190,9 @@ int EVP_CIPHER_CTX_block_size(const EVP_
-
- int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- return ctx->cipher->do_cipher(ctx,out,in,inl);
- }
-
-diff -up openssl-1.0.1j/crypto/evp/evp_locl.h.fips openssl-1.0.1j/crypto/evp/evp_locl.h
---- openssl-1.0.1j/crypto/evp/evp_locl.h.fips 2014-10-16 13:19:34.933302676 +0200
-+++ openssl-1.0.1j/crypto/evp/evp_locl.h 2014-10-16 13:19:35.090306220 +0200
-@@ -258,10 +258,9 @@ const EVP_CIPHER *EVP_##cname##_ecb(void
- BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \
- BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \
- NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \
-- 0, cipher##_init_key, NULL, \
-- EVP_CIPHER_set_asn1_iv, \
-- EVP_CIPHER_get_asn1_iv, \
-- NULL)
-+ EVP_CIPH_FLAG_DEFAULT_ASN1, \
-+ cipher##_init_key, NULL, NULL, NULL, NULL)
-+
-
- struct evp_pkey_ctx_st
- {
-@@ -367,11 +366,6 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_
- #define MD2_Init private_MD2_Init
- #define MDC2_Init private_MDC2_Init
- #define SHA_Init private_SHA_Init
--#define SHA1_Init private_SHA1_Init
--#define SHA224_Init private_SHA224_Init
--#define SHA256_Init private_SHA256_Init
--#define SHA384_Init private_SHA384_Init
--#define SHA512_Init private_SHA512_Init
-
- #define BF_set_key private_BF_set_key
- #define CAST_set_key private_CAST_set_key
-@@ -379,7 +373,6 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_
- #define SEED_set_key private_SEED_set_key
- #define RC2_set_key private_RC2_set_key
- #define RC4_set_key private_RC4_set_key
--#define DES_set_key_unchecked private_DES_set_key_unchecked
- #define Camellia_set_key private_Camellia_set_key
-
- #endif
-diff -up openssl-1.0.1j/crypto/evp/Makefile.fips openssl-1.0.1j/crypto/evp/Makefile
---- openssl-1.0.1j/crypto/evp/Makefile.fips 2014-10-15 14:54:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/evp/Makefile 2014-10-16 13:19:35.090306220 +0200
-@@ -28,7 +28,7 @@ LIBSRC= encode.c digest.c evp_enc.c evp_
- bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
- c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
- evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \
-- e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c evp_fips.c \
-+ e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \
- e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c
-
- LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o evp_cnf.o \
-@@ -41,7 +41,7 @@ LIBOBJ= encode.o digest.o evp_enc.o evp_
- bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \
- c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
- evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o \
-- e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o evp_fips.o \
-+ e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o \
- e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o
-
- SRC= $(LIBSRC)
-diff -up openssl-1.0.1j/crypto/evp/m_dss.c.fips openssl-1.0.1j/crypto/evp/m_dss.c
---- openssl-1.0.1j/crypto/evp/m_dss.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/evp/m_dss.c 2014-10-16 13:19:35.090306220 +0200
-@@ -66,7 +66,6 @@
- #endif
-
- #ifndef OPENSSL_NO_SHA
--#ifndef OPENSSL_FIPS
-
- static int init(EVP_MD_CTX *ctx)
- { return SHA1_Init(ctx->md_data); }
-@@ -82,7 +81,7 @@ static const EVP_MD dsa_md=
- NID_dsaWithSHA,
- NID_dsaWithSHA,
- SHA_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_DIGEST,
-+ EVP_MD_FLAG_PKEY_DIGEST|EVP_MD_FLAG_FIPS,
- init,
- update,
- final,
-@@ -98,4 +97,3 @@ const EVP_MD *EVP_dss(void)
- return(&dsa_md);
- }
- #endif
--#endif
-diff -up openssl-1.0.1j/crypto/evp/m_dss1.c.fips openssl-1.0.1j/crypto/evp/m_dss1.c
---- openssl-1.0.1j/crypto/evp/m_dss1.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/evp/m_dss1.c 2014-10-16 13:19:35.091306243 +0200
-@@ -68,8 +68,6 @@
- #include <openssl/dsa.h>
- #endif
-
--#ifndef OPENSSL_FIPS
--
- static int init(EVP_MD_CTX *ctx)
- { return SHA1_Init(ctx->md_data); }
-
-@@ -84,7 +82,7 @@ static const EVP_MD dss1_md=
- NID_dsa,
- NID_dsaWithSHA1,
- SHA_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_DIGEST,
-+ EVP_MD_FLAG_PKEY_DIGEST|EVP_MD_FLAG_FIPS,
- init,
- update,
- final,
-@@ -100,4 +98,3 @@ const EVP_MD *EVP_dss1(void)
- return(&dss1_md);
- }
- #endif
--#endif
-diff -up openssl-1.0.1j/crypto/evp/m_md2.c.fips openssl-1.0.1j/crypto/evp/m_md2.c
---- openssl-1.0.1j/crypto/evp/m_md2.c.fips 2014-10-15 14:51:06.000000000 +0200
-+++ openssl-1.0.1j/crypto/evp/m_md2.c 2014-10-16 13:19:35.091306243 +0200
-@@ -68,6 +68,7 @@
- #ifndef OPENSSL_NO_RSA
- #include <openssl/rsa.h>
- #endif
-+#include "evp_locl.h"
-
- static int init(EVP_MD_CTX *ctx)
- { return MD2_Init(ctx->md_data); }
-diff -up openssl-1.0.1j/crypto/evp/m_sha1.c.fips openssl-1.0.1j/crypto/evp/m_sha1.c
---- openssl-1.0.1j/crypto/evp/m_sha1.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/evp/m_sha1.c 2014-10-16 13:19:35.091306243 +0200
-@@ -59,8 +59,6 @@
- #include <stdio.h>
- #include "cryptlib.h"
-
--#ifndef OPENSSL_FIPS
--
- #ifndef OPENSSL_NO_SHA
-
- #include <openssl/evp.h>
-@@ -85,7 +83,8 @@ static const EVP_MD sha1_md=
- NID_sha1,
- NID_sha1WithRSAEncryption,
- SHA_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
-+ EVP_MD_FLAG_FIPS,
- init,
- update,
- final,
-@@ -122,7 +121,8 @@ static const EVP_MD sha224_md=
- NID_sha224,
- NID_sha224WithRSAEncryption,
- SHA224_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
-+ EVP_MD_FLAG_FIPS,
- init224,
- update256,
- final256,
-@@ -141,7 +141,8 @@ static const EVP_MD sha256_md=
- NID_sha256,
- NID_sha256WithRSAEncryption,
- SHA256_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
-+ EVP_MD_FLAG_FIPS,
- init256,
- update256,
- final256,
-@@ -172,7 +173,8 @@ static const EVP_MD sha384_md=
- NID_sha384,
- NID_sha384WithRSAEncryption,
- SHA384_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
-+ EVP_MD_FLAG_FIPS,
- init384,
- update512,
- final512,
-@@ -191,7 +193,8 @@ static const EVP_MD sha512_md=
- NID_sha512,
- NID_sha512WithRSAEncryption,
- SHA512_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|
-+ EVP_MD_FLAG_FIPS,
- init512,
- update512,
- final512,
-@@ -206,4 +209,3 @@ const EVP_MD *EVP_sha512(void)
- { return(&sha512_md); }
- #endif /* ifndef OPENSSL_NO_SHA512 */
-
--#endif
-diff -up openssl-1.0.1j/crypto/evp/p_sign.c.fips openssl-1.0.1j/crypto/evp/p_sign.c
---- openssl-1.0.1j/crypto/evp/p_sign.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/evp/p_sign.c 2014-10-16 13:19:35.091306243 +0200
-@@ -61,6 +61,7 @@
- #include <openssl/evp.h>
- #include <openssl/objects.h>
- #include <openssl/x509.h>
-+#include <openssl/rsa.h>
-
- #ifdef undef
- void EVP_SignInit(EVP_MD_CTX *ctx, EVP_MD *type)
-@@ -103,6 +104,22 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig
- goto err;
- if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
- goto err;
-+ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
-+ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
-+ goto err;
-+ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS)
-+ {
-+ int saltlen;
-+ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
-+ goto err;
-+ saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
-+ if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
-+ saltlen = -1;
-+ else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
-+ saltlen = -2;
-+ if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
-+ goto err;
-+ }
- if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0)
- goto err;
- *siglen = sltmp;
-diff -up openssl-1.0.1j/crypto/evp/p_verify.c.fips openssl-1.0.1j/crypto/evp/p_verify.c
---- openssl-1.0.1j/crypto/evp/p_verify.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/evp/p_verify.c 2014-10-16 13:19:35.091306243 +0200
-@@ -61,6 +61,7 @@
- #include <openssl/evp.h>
- #include <openssl/objects.h>
- #include <openssl/x509.h>
-+#include <openssl/rsa.h>
-
- int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
- unsigned int siglen, EVP_PKEY *pkey)
-@@ -88,6 +89,22 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, con
- goto err;
- if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
- goto err;
-+ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
-+ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
-+ goto err;
-+ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS)
-+ {
-+ int saltlen;
-+ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0)
-+ goto err;
-+ saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
-+ if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
-+ saltlen = -1;
-+ else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
-+ saltlen = -2;
-+ if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
-+ goto err;
-+ }
- i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len);
- err:
- EVP_PKEY_CTX_free(pkctx);
-diff -up openssl-1.0.1j/crypto/fips/cavs/fips_aesavs.c.fips openssl-1.0.1j/crypto/fips/cavs/fips_aesavs.c
---- openssl-1.0.1j/crypto/fips/cavs/fips_aesavs.c.fips 2014-10-16 13:19:35.092306265 +0200
-+++ openssl-1.0.1j/crypto/fips/cavs/fips_aesavs.c 2014-10-16 13:19:35.092306265 +0200
-@@ -0,0 +1,939 @@
-+/* ====================================================================
-+ * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+/*---------------------------------------------
-+ NIST AES Algorithm Validation Suite
-+ Test Program
-+
-+ Donated to OpenSSL by:
-+ V-ONE Corporation
-+ 20250 Century Blvd, Suite 300
-+ Germantown, MD 20874
-+ U.S.A.
-+ ----------------------------------------------*/
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <errno.h>
-+#include <assert.h>
-+#include <ctype.h>
-+#include <openssl/aes.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+
-+#include <openssl/err.h>
-+#include "e_os.h"
-+
-+#ifndef OPENSSL_FIPS
-+
-+int main(int argc, char *argv[])
-+{
-+ printf("No FIPS AES support\n");
-+ return(0);
-+}
-+
-+#else
-+
-+#include <openssl/fips.h>
-+#include "fips_utl.h"
-+
-+#define AES_BLOCK_SIZE 16
-+
-+#define VERBOSE 0
-+
-+/*-----------------------------------------------*/
-+
-+int AESTest(EVP_CIPHER_CTX *ctx,
-+ char *amode, int akeysz, unsigned char *aKey,
-+ unsigned char *iVec,
-+ int dir, /* 0 = decrypt, 1 = encrypt */
-+ unsigned char *plaintext, unsigned char *ciphertext, int len)
-+ {
-+ const EVP_CIPHER *cipher = NULL;
-+
-+ if (strcasecmp(amode, "CBC") == 0)
-+ {
-+ switch (akeysz)
-+ {
-+ case 128:
-+ cipher = EVP_aes_128_cbc();
-+ break;
-+
-+ case 192:
-+ cipher = EVP_aes_192_cbc();
-+ break;
-+
-+ case 256:
-+ cipher = EVP_aes_256_cbc();
-+ break;
-+ }
-+
-+ }
-+ else if (strcasecmp(amode, "ECB") == 0)
-+ {
-+ switch (akeysz)
-+ {
-+ case 128:
-+ cipher = EVP_aes_128_ecb();
-+ break;
-+
-+ case 192:
-+ cipher = EVP_aes_192_ecb();
-+ break;
-+
-+ case 256:
-+ cipher = EVP_aes_256_ecb();
-+ break;
-+ }
-+ }
-+ else if (strcasecmp(amode, "CFB128") == 0)
-+ {
-+ switch (akeysz)
-+ {
-+ case 128:
-+ cipher = EVP_aes_128_cfb128();
-+ break;
-+
-+ case 192:
-+ cipher = EVP_aes_192_cfb128();
-+ break;
-+
-+ case 256:
-+ cipher = EVP_aes_256_cfb128();
-+ break;
-+ }
-+
-+ }
-+ else if (strncasecmp(amode, "OFB", 3) == 0)
-+ {
-+ switch (akeysz)
-+ {
-+ case 128:
-+ cipher = EVP_aes_128_ofb();
-+ break;
-+
-+ case 192:
-+ cipher = EVP_aes_192_ofb();
-+ break;
-+
-+ case 256:
-+ cipher = EVP_aes_256_ofb();
-+ break;
-+ }
-+ }
-+ else if(!strcasecmp(amode,"CFB1"))
-+ {
-+ switch (akeysz)
-+ {
-+ case 128:
-+ cipher = EVP_aes_128_cfb1();
-+ break;
-+
-+ case 192:
-+ cipher = EVP_aes_192_cfb1();
-+ break;
-+
-+ case 256:
-+ cipher = EVP_aes_256_cfb1();
-+ break;
-+ }
-+ }
-+ else if(!strcasecmp(amode,"CFB8"))
-+ {
-+ switch (akeysz)
-+ {
-+ case 128:
-+ cipher = EVP_aes_128_cfb8();
-+ break;
-+
-+ case 192:
-+ cipher = EVP_aes_192_cfb8();
-+ break;
-+
-+ case 256:
-+ cipher = EVP_aes_256_cfb8();
-+ break;
-+ }
-+ }
-+ else
-+ {
-+ printf("Unknown mode: %s\n", amode);
-+ return 0;
-+ }
-+ if (!cipher)
-+ {
-+ printf("Invalid key size: %d\n", akeysz);
-+ return 0;
-+ }
-+ if (EVP_CipherInit_ex(ctx, cipher, NULL, aKey, iVec, dir) <= 0)
-+ return 0;
-+ if(!strcasecmp(amode,"CFB1"))
-+ M_EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS);
-+ if (dir)
-+ EVP_Cipher(ctx, ciphertext, plaintext, len);
-+ else
-+ EVP_Cipher(ctx, plaintext, ciphertext, len);
-+ return 1;
-+ }
-+
-+/*-----------------------------------------------*/
-+char *t_tag[2] = {"PLAINTEXT", "CIPHERTEXT"};
-+char *t_mode[6] = {"CBC","ECB","OFB","CFB1","CFB8","CFB128"};
-+enum Mode {CBC, ECB, OFB, CFB1, CFB8, CFB128};
-+enum XCrypt {XDECRYPT, XENCRYPT};
-+
-+/*=============================*/
-+/* Monte Carlo Tests */
-+/*-----------------------------*/
-+
-+/*#define gb(a,b) (((a)[(b)/8] >> ((b)%8))&1)*/
-+/*#define sb(a,b,v) ((a)[(b)/8]=((a)[(b)/8]&~(1 << ((b)%8)))|(!!(v) << ((b)%8)))*/
-+
-+#define gb(a,b) (((a)[(b)/8] >> (7-(b)%8))&1)
-+#define sb(a,b,v) ((a)[(b)/8]=((a)[(b)/8]&~(1 << (7-(b)%8)))|(!!(v) << (7-(b)%8)))
-+
-+int do_mct(char *amode,
-+ int akeysz, unsigned char *aKey,unsigned char *iVec,
-+ int dir, unsigned char *text, int len,
-+ FILE *rfp)
-+ {
-+ int ret = 0;
-+ unsigned char key[101][32];
-+ unsigned char iv[101][AES_BLOCK_SIZE];
-+ unsigned char ptext[1001][32];
-+ unsigned char ctext[1001][32];
-+ unsigned char ciphertext[64+4];
-+ int i, j, n, n1, n2;
-+ int imode = 0, nkeysz = akeysz/8;
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+
-+ if (len > 32)
-+ {
-+ printf("\n>>>> Length exceeds 32 for %s %d <<<<\n\n",
-+ amode, akeysz);
-+ return -1;
-+ }
-+ for (imode = 0; imode < 6; ++imode)
-+ if (strcmp(amode, t_mode[imode]) == 0)
-+ break;
-+ if (imode == 6)
-+ {
-+ printf("Unrecognized mode: %s\n", amode);
-+ return -1;
-+ }
-+
-+ memcpy(key[0], aKey, nkeysz);
-+ if (iVec)
-+ memcpy(iv[0], iVec, AES_BLOCK_SIZE);
-+ if (dir == XENCRYPT)
-+ memcpy(ptext[0], text, len);
-+ else
-+ memcpy(ctext[0], text, len);
-+ for (i = 0; i < 100; ++i)
-+ {
-+ /* printf("Iteration %d\n", i); */
-+ if (i > 0)
-+ {
-+ fprintf(rfp,"COUNT = %d\n",i);
-+ OutputValue("KEY",key[i],nkeysz,rfp,0);
-+ if (imode != ECB) /* ECB */
-+ OutputValue("IV",iv[i],AES_BLOCK_SIZE,rfp,0);
-+ /* Output Ciphertext | Plaintext */
-+ OutputValue(t_tag[dir^1],dir ? ptext[0] : ctext[0],len,rfp,
-+ imode == CFB1);
-+ }
-+ for (j = 0; j < 1000; ++j)
-+ {
-+ switch (imode)
-+ {
-+ case ECB:
-+ if (j == 0)
-+ { /* set up encryption */
-+ ret = AESTest(&ctx, amode, akeysz, key[i], NULL,
-+ dir, /* 0 = decrypt, 1 = encrypt */
-+ ptext[j], ctext[j], len);
-+ if (dir == XENCRYPT)
-+ memcpy(ptext[j+1], ctext[j], len);
-+ else
-+ memcpy(ctext[j+1], ptext[j], len);
-+ }
-+ else
-+ {
-+ if (dir == XENCRYPT)
-+ {
-+ EVP_Cipher(&ctx, ctext[j], ptext[j], len);
-+ memcpy(ptext[j+1], ctext[j], len);
-+ }
-+ else
-+ {
-+ EVP_Cipher(&ctx, ptext[j], ctext[j], len);
-+ memcpy(ctext[j+1], ptext[j], len);
-+ }
-+ }
-+ break;
-+
-+ case CBC:
-+ case OFB:
-+ case CFB128:
-+ if (j == 0)
-+ {
-+ ret = AESTest(&ctx, amode, akeysz, key[i], iv[i],
-+ dir, /* 0 = decrypt, 1 = encrypt */
-+ ptext[j], ctext[j], len);
-+ if (dir == XENCRYPT)
-+ memcpy(ptext[j+1], iv[i], len);
-+ else
-+ memcpy(ctext[j+1], iv[i], len);
-+ }
-+ else
-+ {
-+ if (dir == XENCRYPT)
-+ {
-+ EVP_Cipher(&ctx, ctext[j], ptext[j], len);
-+ memcpy(ptext[j+1], ctext[j-1], len);
-+ }
-+ else
-+ {
-+ EVP_Cipher(&ctx, ptext[j], ctext[j], len);
-+ memcpy(ctext[j+1], ptext[j-1], len);
-+ }
-+ }
-+ break;
-+
-+ case CFB8:
-+ if (j == 0)
-+ {
-+ ret = AESTest(&ctx, amode, akeysz, key[i], iv[i],
-+ dir, /* 0 = decrypt, 1 = encrypt */
-+ ptext[j], ctext[j], len);
-+ }
-+ else
-+ {
-+ if (dir == XENCRYPT)
-+ EVP_Cipher(&ctx, ctext[j], ptext[j], len);
-+ else
-+ EVP_Cipher(&ctx, ptext[j], ctext[j], len);
-+ }
-+ if (dir == XENCRYPT)
-+ {
-+ if (j < 16)
-+ memcpy(ptext[j+1], &iv[i][j], len);
-+ else
-+ memcpy(ptext[j+1], ctext[j-16], len);
-+ }
-+ else
-+ {
-+ if (j < 16)
-+ memcpy(ctext[j+1], &iv[i][j], len);
-+ else
-+ memcpy(ctext[j+1], ptext[j-16], len);
-+ }
-+ break;
-+
-+ case CFB1:
-+ if(j == 0)
-+ {
-+#if 0
-+ /* compensate for wrong endianness of input file */
-+ if(i == 0)
-+ ptext[0][0]<<=7;
-+#endif
-+ ret = AESTest(&ctx,amode,akeysz,key[i],iv[i],dir,
-+ ptext[j], ctext[j], len);
-+ }
-+ else
-+ {
-+ if (dir == XENCRYPT)
-+ EVP_Cipher(&ctx, ctext[j], ptext[j], len);
-+ else
-+ EVP_Cipher(&ctx, ptext[j], ctext[j], len);
-+
-+ }
-+ if(dir == XENCRYPT)
-+ {
-+ if(j < 128)
-+ sb(ptext[j+1],0,gb(iv[i],j));
-+ else
-+ sb(ptext[j+1],0,gb(ctext[j-128],0));
-+ }
-+ else
-+ {
-+ if(j < 128)
-+ sb(ctext[j+1],0,gb(iv[i],j));
-+ else
-+ sb(ctext[j+1],0,gb(ptext[j-128],0));
-+ }
-+ break;
-+ }
-+ }
-+ --j; /* reset to last of range */
-+ /* Output Ciphertext | Plaintext */
-+ OutputValue(t_tag[dir],dir ? ctext[j] : ptext[j],len,rfp,
-+ imode == CFB1);
-+ fprintf(rfp, "\n"); /* add separator */
-+
-+ /* Compute next KEY */
-+ if (dir == XENCRYPT)
-+ {
-+ if (imode == CFB8)
-+ { /* ct = CT[j-15] || CT[j-14] || ... || CT[j] */
-+ for (n1 = 0, n2 = nkeysz-1; n1 < nkeysz; ++n1, --n2)
-+ ciphertext[n1] = ctext[j-n2][0];
-+ }
-+ else if(imode == CFB1)
-+ {
-+ for(n1=0,n2=akeysz-1 ; n1 < akeysz ; ++n1,--n2)
-+ sb(ciphertext,n1,gb(ctext[j-n2],0));
-+ }
-+ else
-+ switch (akeysz)
-+ {
-+ case 128:
-+ memcpy(ciphertext, ctext[j], 16);
-+ break;
-+ case 192:
-+ memcpy(ciphertext, ctext[j-1]+8, 8);
-+ memcpy(ciphertext+8, ctext[j], 16);
-+ break;
-+ case 256:
-+ memcpy(ciphertext, ctext[j-1], 16);
-+ memcpy(ciphertext+16, ctext[j], 16);
-+ break;
-+ }
-+ }
-+ else
-+ {
-+ if (imode == CFB8)
-+ { /* ct = CT[j-15] || CT[j-14] || ... || CT[j] */
-+ for (n1 = 0, n2 = nkeysz-1; n1 < nkeysz; ++n1, --n2)
-+ ciphertext[n1] = ptext[j-n2][0];
-+ }
-+ else if(imode == CFB1)
-+ {
-+ for(n1=0,n2=akeysz-1 ; n1 < akeysz ; ++n1,--n2)
-+ sb(ciphertext,n1,gb(ptext[j-n2],0));
-+ }
-+ else
-+ switch (akeysz)
-+ {
-+ case 128:
-+ memcpy(ciphertext, ptext[j], 16);
-+ break;
-+ case 192:
-+ memcpy(ciphertext, ptext[j-1]+8, 8);
-+ memcpy(ciphertext+8, ptext[j], 16);
-+ break;
-+ case 256:
-+ memcpy(ciphertext, ptext[j-1], 16);
-+ memcpy(ciphertext+16, ptext[j], 16);
-+ break;
-+ }
-+ }
-+ /* Compute next key: Key[i+1] = Key[i] xor ct */
-+ for (n = 0; n < nkeysz; ++n)
-+ key[i+1][n] = key[i][n] ^ ciphertext[n];
-+
-+ /* Compute next IV and text */
-+ if (dir == XENCRYPT)
-+ {
-+ switch (imode)
-+ {
-+ case ECB:
-+ memcpy(ptext[0], ctext[j], AES_BLOCK_SIZE);
-+ break;
-+ case CBC:
-+ case OFB:
-+ case CFB128:
-+ memcpy(iv[i+1], ctext[j], AES_BLOCK_SIZE);
-+ memcpy(ptext[0], ctext[j-1], AES_BLOCK_SIZE);
-+ break;
-+ case CFB8:
-+ /* IV[i+1] = ct */
-+ for (n1 = 0, n2 = 15; n1 < 16; ++n1, --n2)
-+ iv[i+1][n1] = ctext[j-n2][0];
-+ ptext[0][0] = ctext[j-16][0];
-+ break;
-+ case CFB1:
-+ for(n1=0,n2=127 ; n1 < 128 ; ++n1,--n2)
-+ sb(iv[i+1],n1,gb(ctext[j-n2],0));
-+ ptext[0][0]=ctext[j-128][0]&0x80;
-+ break;
-+ }
-+ }
-+ else
-+ {
-+ switch (imode)
-+ {
-+ case ECB:
-+ memcpy(ctext[0], ptext[j], AES_BLOCK_SIZE);
-+ break;
-+ case CBC:
-+ case OFB:
-+ case CFB128:
-+ memcpy(iv[i+1], ptext[j], AES_BLOCK_SIZE);
-+ memcpy(ctext[0], ptext[j-1], AES_BLOCK_SIZE);
-+ break;
-+ case CFB8:
-+ for (n1 = 0, n2 = 15; n1 < 16; ++n1, --n2)
-+ iv[i+1][n1] = ptext[j-n2][0];
-+ ctext[0][0] = ptext[j-16][0];
-+ break;
-+ case CFB1:
-+ for(n1=0,n2=127 ; n1 < 128 ; ++n1,--n2)
-+ sb(iv[i+1],n1,gb(ptext[j-n2],0));
-+ ctext[0][0]=ptext[j-128][0]&0x80;
-+ break;
-+ }
-+ }
-+ }
-+
-+ return ret;
-+ }
-+
-+/*================================================*/
-+/*----------------------------
-+ # Config info for v-one
-+ # AESVS MMT test data for ECB
-+ # State : Encrypt and Decrypt
-+ # Key Length : 256
-+ # Fri Aug 30 04:07:22 PM
-+ ----------------------------*/
-+
-+int proc_file(char *rqfile, char *rspfile)
-+ {
-+ char afn[256], rfn[256];
-+ FILE *afp = NULL, *rfp = NULL;
-+ char ibuf[2048];
-+ char tbuf[2048];
-+ int ilen, len, ret = 0;
-+ char algo[8] = "";
-+ char amode[8] = "";
-+ char atest[8] = "";
-+ int akeysz = 0;
-+ unsigned char iVec[20], aKey[40];
-+ int dir = -1, err = 0, step = 0;
-+ unsigned char plaintext[2048];
-+ unsigned char ciphertext[2048];
-+ char *rp;
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+
-+ if (!rqfile || !(*rqfile))
-+ {
-+ printf("No req file\n");
-+ return -1;
-+ }
-+ strcpy(afn, rqfile);
-+
-+ if ((afp = fopen(afn, "r")) == NULL)
-+ {
-+ printf("Cannot open file: %s, %s\n",
-+ afn, strerror(errno));
-+ return -1;
-+ }
-+ if (!rspfile)
-+ {
-+ strcpy(rfn,afn);
-+ rp=strstr(rfn,"req/");
-+#ifdef OPENSSL_SYS_WIN32
-+ if (!rp)
-+ rp=strstr(rfn,"req\\");
-+#endif
-+ assert(rp);
-+ memcpy(rp,"rsp",3);
-+ rp = strstr(rfn, ".req");
-+ memcpy(rp, ".rsp", 4);
-+ rspfile = rfn;
-+ }
-+ if ((rfp = fopen(rspfile, "w")) == NULL)
-+ {
-+ printf("Cannot open file: %s, %s\n",
-+ rfn, strerror(errno));
-+ fclose(afp);
-+ afp = NULL;
-+ return -1;
-+ }
-+ while (!err && (fgets(ibuf, sizeof(ibuf), afp)) != NULL)
-+ {
-+ tidy_line(tbuf, ibuf);
-+ ilen = strlen(ibuf);
-+ /* printf("step=%d ibuf=%s",step,ibuf); */
-+ switch (step)
-+ {
-+ case 0: /* read preamble */
-+ if (ibuf[0] == '\n')
-+ { /* end of preamble */
-+ if ((*algo == '\0') ||
-+ (*amode == '\0') ||
-+ (akeysz == 0))
-+ {
-+ printf("Missing Algorithm, Mode or KeySize (%s/%s/%d)\n",
-+ algo,amode,akeysz);
-+ err = 1;
-+ }
-+ else
-+ {
-+ fputs(ibuf, rfp);
-+ ++ step;
-+ }
-+ }
-+ else if (ibuf[0] != '#')
-+ {
-+ printf("Invalid preamble item: %s\n", ibuf);
-+ err = 1;
-+ }
-+ else
-+ { /* process preamble */
-+ char *xp, *pp = ibuf+2;
-+ int n;
-+ if (akeysz)
-+ { /* insert current time & date */
-+ time_t rtim = time(0);
-+ fprintf(rfp, "# %s", ctime(&rtim));
-+ }
-+ else
-+ {
-+ fputs(ibuf, rfp);
-+ if (strncmp(pp, "AESVS ", 6) == 0)
-+ {
-+ strcpy(algo, "AES");
-+ /* get test type */
-+ pp += 6;
-+ xp = strchr(pp, ' ');
-+ n = xp-pp;
-+ strncpy(atest, pp, n);
-+ atest[n] = '\0';
-+ /* get mode */
-+ xp = strrchr(pp, ' '); /* get mode" */
-+ n = strlen(xp+1)-1;
-+ strncpy(amode, xp+1, n);
-+ amode[n] = '\0';
-+ /* amode[3] = '\0'; */
-+ if (VERBOSE)
-+ printf("Test = %s, Mode = %s\n", atest, amode);
-+ }
-+ else if (strncasecmp(pp, "Key Length : ", 13) == 0)
-+ {
-+ akeysz = atoi(pp+13);
-+ if (VERBOSE)
-+ printf("Key size = %d\n", akeysz);
-+ }
-+ }
-+ }
-+ break;
-+
-+ case 1: /* [ENCRYPT] | [DECRYPT] */
-+ if (ibuf[0] == '[')
-+ {
-+ fputs(ibuf, rfp);
-+ ++step;
-+ if (strncasecmp(ibuf, "[ENCRYPT]", 9) == 0)
-+ dir = 1;
-+ else if (strncasecmp(ibuf, "[DECRYPT]", 9) == 0)
-+ dir = 0;
-+ else
-+ {
-+ printf("Invalid keyword: %s\n", ibuf);
-+ err = 1;
-+ }
-+ break;
-+ }
-+ else if (dir == -1)
-+ {
-+ err = 1;
-+ printf("Missing ENCRYPT/DECRYPT keyword\n");
-+ break;
-+ }
-+ else
-+ step = 2;
-+
-+ case 2: /* KEY = xxxx */
-+ fputs(ibuf, rfp);
-+ if(*ibuf == '\n')
-+ break;
-+ if(!strncasecmp(ibuf,"COUNT = ",8))
-+ break;
-+
-+ if (strncasecmp(ibuf, "KEY = ", 6) != 0)
-+ {
-+ printf("Missing KEY\n");
-+ err = 1;
-+ }
-+ else
-+ {
-+ len = hex2bin((char*)ibuf+6, aKey);
-+ if (len < 0)
-+ {
-+ printf("Invalid KEY\n");
-+ err =1;
-+ break;
-+ }
-+ PrintValue("KEY", aKey, len);
-+ if (strcmp(amode, "ECB") == 0)
-+ {
-+ memset(iVec, 0, sizeof(iVec));
-+ step = (dir)? 4: 5; /* no ivec for ECB */
-+ }
-+ else
-+ ++step;
-+ }
-+ break;
-+
-+ case 3: /* IV = xxxx */
-+ fputs(ibuf, rfp);
-+ if (strncasecmp(ibuf, "IV = ", 5) != 0)
-+ {
-+ printf("Missing IV\n");
-+ err = 1;
-+ }
-+ else
-+ {
-+ len = hex2bin((char*)ibuf+5, iVec);
-+ if (len < 0)
-+ {
-+ printf("Invalid IV\n");
-+ err =1;
-+ break;
-+ }
-+ PrintValue("IV", iVec, len);
-+ step = (dir)? 4: 5;
-+ }
-+ break;
-+
-+ case 4: /* PLAINTEXT = xxxx */
-+ fputs(ibuf, rfp);
-+ if (strncasecmp(ibuf, "PLAINTEXT = ", 12) != 0)
-+ {
-+ printf("Missing PLAINTEXT\n");
-+ err = 1;
-+ }
-+ else
-+ {
-+ int nn = strlen(ibuf+12);
-+ if(!strcmp(amode,"CFB1"))
-+ len=bint2bin(ibuf+12,nn-1,plaintext);
-+ else
-+ len=hex2bin(ibuf+12, plaintext);
-+ if (len < 0)
-+ {
-+ printf("Invalid PLAINTEXT: %s", ibuf+12);
-+ err =1;
-+ break;
-+ }
-+ if (len >= sizeof(plaintext))
-+ {
-+ printf("Buffer overflow\n");
-+ }
-+ PrintValue("PLAINTEXT", (unsigned char*)plaintext, len);
-+ if (strcmp(atest, "MCT") == 0) /* Monte Carlo Test */
-+ {
-+ if(do_mct(amode, akeysz, aKey, iVec,
-+ dir, (unsigned char*)plaintext, len,
-+ rfp) < 0)
-+ EXIT(1);
-+ }
-+ else
-+ {
-+ ret = AESTest(&ctx, amode, akeysz, aKey, iVec,
-+ dir, /* 0 = decrypt, 1 = encrypt */
-+ plaintext, ciphertext, len);
-+ OutputValue("CIPHERTEXT",ciphertext,len,rfp,
-+ !strcmp(amode,"CFB1"));
-+ }
-+ step = 6;
-+ }
-+ break;
-+
-+ case 5: /* CIPHERTEXT = xxxx */
-+ fputs(ibuf, rfp);
-+ if (strncasecmp(ibuf, "CIPHERTEXT = ", 13) != 0)
-+ {
-+ printf("Missing KEY\n");
-+ err = 1;
-+ }
-+ else
-+ {
-+ if(!strcmp(amode,"CFB1"))
-+ len=bint2bin(ibuf+13,strlen(ibuf+13)-1,ciphertext);
-+ else
-+ len = hex2bin(ibuf+13,ciphertext);
-+ if (len < 0)
-+ {
-+ printf("Invalid CIPHERTEXT\n");
-+ err =1;
-+ break;
-+ }
-+
-+ PrintValue("CIPHERTEXT", ciphertext, len);
-+ if (strcmp(atest, "MCT") == 0) /* Monte Carlo Test */
-+ {
-+ do_mct(amode, akeysz, aKey, iVec,
-+ dir, ciphertext, len, rfp);
-+ }
-+ else
-+ {
-+ ret = AESTest(&ctx, amode, akeysz, aKey, iVec,
-+ dir, /* 0 = decrypt, 1 = encrypt */
-+ plaintext, ciphertext, len);
-+ OutputValue("PLAINTEXT",(unsigned char *)plaintext,len,rfp,
-+ !strcmp(amode,"CFB1"));
-+ }
-+ step = 6;
-+ }
-+ break;
-+
-+ case 6:
-+ if (ibuf[0] != '\n')
-+ {
-+ err = 1;
-+ printf("Missing terminator\n");
-+ }
-+ else if (strcmp(atest, "MCT") != 0)
-+ { /* MCT already added terminating nl */
-+ fputs(ibuf, rfp);
-+ }
-+ step = 1;
-+ break;
-+ }
-+ }
-+ if (rfp)
-+ fclose(rfp);
-+ if (afp)
-+ fclose(afp);
-+ return err;
-+ }
-+
-+/*--------------------------------------------------
-+ Processes either a single file or
-+ a set of files whose names are passed in a file.
-+ A single file is specified as:
-+ aes_test -f xxx.req
-+ A set of files is specified as:
-+ aes_test -d xxxxx.xxx
-+ The default is: -d req.txt
-+--------------------------------------------------*/
-+int main(int argc, char **argv)
-+ {
-+ char *rqlist = "req.txt", *rspfile = NULL;
-+ FILE *fp = NULL;
-+ char fn[250] = "", rfn[256] = "";
-+ int f_opt = 0, d_opt = 1;
-+
-+#ifdef OPENSSL_FIPS
-+ if(!FIPS_mode_set(1))
-+ {
-+ do_print_errors();
-+ EXIT(1);
-+ }
-+#endif
-+ if (argc > 1)
-+ {
-+ if (strcasecmp(argv[1], "-d") == 0)
-+ {
-+ d_opt = 1;
-+ }
-+ else if (strcasecmp(argv[1], "-f") == 0)
-+ {
-+ f_opt = 1;
-+ d_opt = 0;
-+ }
-+ else
-+ {
-+ printf("Invalid parameter: %s\n", argv[1]);
-+ return 0;
-+ }
-+ if (argc < 3)
-+ {
-+ printf("Missing parameter\n");
-+ return 0;
-+ }
-+ if (d_opt)
-+ rqlist = argv[2];
-+ else
-+ {
-+ strcpy(fn, argv[2]);
-+ rspfile = argv[3];
-+ }
-+ }
-+ if (d_opt)
-+ { /* list of files (directory) */
-+ if (!(fp = fopen(rqlist, "r")))
-+ {
-+ printf("Cannot open req list file\n");
-+ return -1;
-+ }
-+ while (fgets(fn, sizeof(fn), fp))
-+ {
-+ strtok(fn, "\r\n");
-+ strcpy(rfn, fn);
-+ if (VERBOSE)
-+ printf("Processing: %s\n", rfn);
-+ if (proc_file(rfn, rspfile))
-+ {
-+ printf(">>> Processing failed for: %s <<<\n", rfn);
-+ EXIT(1);
-+ }
-+ }
-+ fclose(fp);
-+ }
-+ else /* single file */
-+ {
-+ if (VERBOSE)
-+ printf("Processing: %s\n", fn);
-+ if (proc_file(fn, rspfile))
-+ {
-+ printf(">>> Processing failed for: %s <<<\n", fn);
-+ }
-+ }
-+ EXIT(0);
-+ return 0;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/cavs/fips_cmactest.c.fips openssl-1.0.1j/crypto/fips/cavs/fips_cmactest.c
---- openssl-1.0.1j/crypto/fips/cavs/fips_cmactest.c.fips 2014-10-16 13:19:35.092306265 +0200
-+++ openssl-1.0.1j/crypto/fips/cavs/fips_cmactest.c 2014-10-16 13:19:35.092306265 +0200
-@@ -0,0 +1,517 @@
-+/* fips_cmactest.c */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project 2005.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay at cryptsoft.com). This product includes software written by Tim
-+ * Hudson (tjh at cryptsoft.com).
-+ *
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include <stdio.h>
-+#include <ctype.h>
-+#include <string.h>
-+#include <openssl/bio.h>
-+#include <openssl/evp.h>
-+#include <openssl/cmac.h>
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+
-+#ifndef OPENSSL_FIPS
-+
-+int main(int argc, char *argv[])
-+{
-+ printf("No FIPS CMAC support\n");
-+ return(0);
-+}
-+
-+#else
-+
-+#include <openssl/fips.h>
-+#include "fips_utl.h"
-+
-+static int cmac_test(const EVP_CIPHER *cipher, FILE *out, FILE *in,
-+ int mode, int Klen_counts_keys, int known_keylen);
-+static int print_cmac_gen(const EVP_CIPHER *cipher, FILE *out,
-+ unsigned char *Key, int Klen,
-+ unsigned char *Msg, int Msglen,
-+ int Tlen);
-+static int print_cmac_ver(const EVP_CIPHER *cipher, FILE *out,
-+ unsigned char *Key, int Klen,
-+ unsigned char *Msg, int Msglen,
-+ unsigned char *Mac, int Maclen,
-+ int Tlen);
-+
-+#ifdef FIPS_ALGVS
-+int fips_cmactest_main(int argc, char **argv)
-+#else
-+int main(int argc, char **argv)
-+#endif
-+ {
-+ FILE *in = NULL, *out = NULL;
-+ int mode = 0; /* 0 => Generate, 1 => Verify */
-+ int Klen_counts_keys = 0; /* 0 => Klen is size of one key
-+ 1 => Klen is amount of keys
-+ */
-+ int known_keylen = 0; /* Only set when Klen_counts_keys = 1 */
-+ const EVP_CIPHER *cipher = 0;
-+ int ret = 1;
-+ fips_algtest_init();
-+
-+ while (argc > 1 && argv[1][0] == '-')
-+ {
-+ switch (argv[1][1])
-+ {
-+ case 'a':
-+ {
-+ char *p = &argv[1][2];
-+ if (*p == '\0')
-+ {
-+ if (argc <= 2)
-+ {
-+ fprintf(stderr, "Option %s needs a value\n", argv[1]);
-+ goto end;
-+ }
-+ argv++;
-+ argc--;
-+ p = &argv[1][0];
-+ }
-+ if (!strcmp(p, "aes128"))
-+ cipher = EVP_aes_128_cbc();
-+ else if (!strcmp(p, "aes192"))
-+ cipher = EVP_aes_192_cbc();
-+ else if (!strcmp(p, "aes256"))
-+ cipher = EVP_aes_256_cbc();
-+ else if (!strcmp(p, "tdea3") || !strcmp(p, "tdes3"))
-+ {
-+ cipher = EVP_des_ede3_cbc();
-+ Klen_counts_keys = 1;
-+ known_keylen = 8;
-+ }
-+ else
-+ {
-+ fprintf(stderr, "Unknown algorithm %s\n", p);
-+ goto end;
-+ }
-+ }
-+ break;
-+ case 'g':
-+ mode = 0;
-+ break;
-+ case 'v':
-+ mode = 1;
-+ break;
-+ default:
-+ fprintf(stderr, "Unknown option %s\n", argv[1]);
-+ goto end;
-+ }
-+ argv++;
-+ argc--;
-+ }
-+ if (argc == 1)
-+ in = stdin;
-+ else
-+ in = fopen(argv[1], "r");
-+
-+ if (argc < 2)
-+ out = stdout;
-+ else
-+ out = fopen(argv[2], "w");
-+
-+ if (!in)
-+ {
-+ fprintf(stderr, "FATAL input initialization error\n");
-+ goto end;
-+ }
-+
-+ if (!out)
-+ {
-+ fprintf(stderr, "FATAL output initialization error\n");
-+ goto end;
-+ }
-+
-+ if (!cmac_test(cipher, out, in, mode,
-+ Klen_counts_keys, known_keylen))
-+ {
-+ fprintf(stderr, "FATAL cmac file processing error\n");
-+ goto end;
-+ }
-+ else
-+ ret = 0;
-+
-+ end:
-+
-+ if (in && (in != stdin))
-+ fclose(in);
-+ if (out && (out != stdout))
-+ fclose(out);
-+
-+ return ret;
-+
-+ }
-+
-+#define CMAC_TEST_MAXLINELEN 150000
-+
-+int cmac_test(const EVP_CIPHER *cipher, FILE *out, FILE *in,
-+ int mode, int Klen_counts_keys, int known_keylen)
-+ {
-+ char *linebuf, *olinebuf, *p, *q;
-+ char *keyword, *value;
-+ unsigned char **Keys = NULL, *Msg = NULL, *Mac = NULL;
-+ unsigned char *Key = NULL;
-+ int Count, Klen, Mlen, Tlen;
-+ long Keylen, Msglen, Maclen;
-+ int ret = 0;
-+ int lnum = 0;
-+
-+ olinebuf = OPENSSL_malloc(CMAC_TEST_MAXLINELEN);
-+ linebuf = OPENSSL_malloc(CMAC_TEST_MAXLINELEN);
-+
-+ if (!linebuf || !olinebuf)
-+ goto error;
-+
-+ Count = -1;
-+ Klen = -1;
-+ Mlen = -1;
-+ Tlen = -1;
-+
-+ while (fgets(olinebuf, CMAC_TEST_MAXLINELEN, in))
-+ {
-+ lnum++;
-+ strcpy(linebuf, olinebuf);
-+ keyword = linebuf;
-+ /* Skip leading space */
-+ while (isspace((unsigned char)*keyword))
-+ keyword++;
-+
-+ /* Skip comments */
-+ if (keyword[0] == '#')
-+ {
-+ if (fputs(olinebuf, out) < 0)
-+ goto error;
-+ continue;
-+ }
-+
-+ /* Look for = sign */
-+ p = strchr(linebuf, '=');
-+
-+ /* If no = or starts with [ (for [L=20] line) just copy */
-+ if (!p)
-+ {
-+ if (fputs(olinebuf, out) < 0)
-+ goto error;
-+ continue;
-+ }
-+
-+ q = p - 1;
-+
-+ /* Remove trailing space */
-+ while (isspace((unsigned char)*q))
-+ *q-- = 0;
-+
-+ *p = 0;
-+ value = p + 1;
-+
-+ /* Remove leading space from value */
-+ while (isspace((unsigned char)*value))
-+ value++;
-+
-+ /* Remove trailing space from value */
-+ p = value + strlen(value) - 1;
-+
-+ while (*p == '\n' || isspace((unsigned char)*p))
-+ *p-- = 0;
-+
-+ if (!strcmp(keyword, "Count"))
-+ {
-+ if (Count != -1)
-+ goto parse_error;
-+ Count = atoi(value);
-+ if (Count < 0)
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "Klen"))
-+ {
-+ if (Klen != -1)
-+ goto parse_error;
-+ Klen = atoi(value);
-+ if (Klen < 0)
-+ goto parse_error;
-+ if (Klen_counts_keys)
-+ {
-+ Keys = OPENSSL_malloc(sizeof(*Keys) * Klen);
-+ memset(Keys, '\0', sizeof(*Keys) * Klen);
-+ }
-+ else
-+ {
-+ Keys = OPENSSL_malloc(sizeof(*Keys));
-+ memset(Keys, '\0', sizeof(*Keys));
-+ }
-+ }
-+ else if (!strcmp(keyword, "Mlen"))
-+ {
-+ if (Mlen != -1)
-+ goto parse_error;
-+ Mlen = atoi(value);
-+ if (Mlen < 0)
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "Tlen"))
-+ {
-+ if (Tlen != -1)
-+ goto parse_error;
-+ Tlen = atoi(value);
-+ if (Tlen < 0)
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "Key") && !Klen_counts_keys)
-+ {
-+ if (Keys[0])
-+ goto parse_error;
-+ Keys[0] = hex2bin_m(value, &Keylen);
-+ if (!Keys[0])
-+ goto parse_error;
-+ }
-+ else if (!strncmp(keyword, "Key", 3) && Klen_counts_keys)
-+ {
-+ int keynum = atoi(keyword + 3);
-+ if (!keynum || keynum > Klen || Keys[keynum-1])
-+ goto parse_error;
-+ Keys[keynum-1] = hex2bin_m(value, &Keylen);
-+ if (!Keys[keynum-1])
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "Msg"))
-+ {
-+ if (Msg)
-+ goto parse_error;
-+ Msg = hex2bin_m(value, &Msglen);
-+ if (!Msg)
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "Mac"))
-+ {
-+ if (mode == 0)
-+ continue;
-+ if (Mac)
-+ goto parse_error;
-+ Mac = hex2bin_m(value, &Maclen);
-+ if (!Mac)
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "Result"))
-+ {
-+ if (mode == 1)
-+ continue;
-+ goto parse_error;
-+ }
-+ else
-+ goto parse_error;
-+
-+ fputs(olinebuf, out);
-+
-+ if (Keys && Msg && (!mode || Mac) && (Tlen > 0) && (Klen > 0))
-+ {
-+ if (Klen_counts_keys)
-+ {
-+ int x;
-+ Key = OPENSSL_malloc(Klen * known_keylen);
-+ for (x = 0; x < Klen; x++)
-+ {
-+ memcpy(Key + x * known_keylen,
-+ Keys[x], known_keylen);
-+ OPENSSL_free(Keys[x]);
-+ }
-+ Klen *= known_keylen;
-+ }
-+ else
-+ {
-+ Key = OPENSSL_malloc(Klen);
-+ memcpy(Key, Keys[0], Klen);
-+ OPENSSL_free(Keys[0]);
-+ }
-+ OPENSSL_free(Keys);
-+
-+ switch(mode)
-+ {
-+ case 0:
-+ if (!print_cmac_gen(cipher, out,
-+ Key, Klen,
-+ Msg, Mlen,
-+ Tlen))
-+ goto error;
-+ break;
-+ case 1:
-+ if (!print_cmac_ver(cipher, out,
-+ Key, Klen,
-+ Msg, Mlen,
-+ Mac, Maclen,
-+ Tlen))
-+ goto error;
-+ break;
-+ }
-+
-+ OPENSSL_free(Key);
-+ Key = NULL;
-+ OPENSSL_free(Msg);
-+ Msg = NULL;
-+ OPENSSL_free(Mac);
-+ Mac = NULL;
-+ Klen = -1;
-+ Mlen = -1;
-+ Tlen = -1;
-+ Count = -1;
-+ }
-+ }
-+
-+
-+ ret = 1;
-+
-+
-+ error:
-+
-+ if (olinebuf)
-+ OPENSSL_free(olinebuf);
-+ if (linebuf)
-+ OPENSSL_free(linebuf);
-+ if (Key)
-+ OPENSSL_free(Key);
-+ if (Msg)
-+ OPENSSL_free(Msg);
-+ if (Mac)
-+ OPENSSL_free(Mac);
-+
-+ return ret;
-+
-+ parse_error:
-+
-+ fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
-+
-+ goto error;
-+
-+ }
-+
-+static int print_cmac_gen(const EVP_CIPHER *cipher, FILE *out,
-+ unsigned char *Key, int Klen,
-+ unsigned char *Msg, int Mlen,
-+ int Tlen)
-+ {
-+ int rc, i;
-+ size_t reslen;
-+ unsigned char res[128];
-+ CMAC_CTX *cmac_ctx = CMAC_CTX_new();
-+
-+ CMAC_Init(cmac_ctx, Key, Klen, cipher, 0);
-+ CMAC_Update(cmac_ctx, Msg, Mlen);
-+ if (!CMAC_Final(cmac_ctx, res, &reslen))
-+ {
-+ fputs("Error calculating CMAC\n", stderr);
-+ rc = 0;
-+ }
-+ else if (Tlen > (int)reslen)
-+ {
-+ fputs("Parameter error, Tlen > CMAC length\n", stderr);
-+ rc = 0;
-+ }
-+ else
-+ {
-+ fputs("Mac = ", out);
-+ for (i = 0; i < Tlen; i++)
-+ fprintf(out, "%02x", res[i]);
-+ fputs(RESP_EOL, out);
-+ rc = 1;
-+ }
-+ CMAC_CTX_free(cmac_ctx);
-+ return rc;
-+ }
-+
-+static int print_cmac_ver(const EVP_CIPHER *cipher, FILE *out,
-+ unsigned char *Key, int Klen,
-+ unsigned char *Msg, int Mlen,
-+ unsigned char *Mac, int Maclen,
-+ int Tlen)
-+ {
-+ int rc = 1;
-+ size_t reslen;
-+ unsigned char res[128];
-+ CMAC_CTX *cmac_ctx = CMAC_CTX_new();
-+
-+ CMAC_Init(cmac_ctx, Key, Klen, cipher, 0);
-+ CMAC_Update(cmac_ctx, Msg, Mlen);
-+ if (!CMAC_Final(cmac_ctx, res, &reslen))
-+ {
-+ fputs("Error calculating CMAC\n", stderr);
-+ rc = 0;
-+ }
-+ else if (Tlen > (int)reslen)
-+ {
-+ fputs("Parameter error, Tlen > CMAC length\n", stderr);
-+ rc = 0;
-+ }
-+ else if (Tlen != Maclen)
-+ {
-+ fputs("Parameter error, Tlen != resulting Mac length\n", stderr);
-+ rc = 0;
-+ }
-+ else
-+ {
-+ if (!memcmp(Mac, res, Maclen))
-+ fputs("Result = P" RESP_EOL, out);
-+ else
-+ fputs("Result = F" RESP_EOL, out);
-+ }
-+ CMAC_CTX_free(cmac_ctx);
-+ return rc;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/cavs/fips_desmovs.c.fips openssl-1.0.1j/crypto/fips/cavs/fips_desmovs.c
---- openssl-1.0.1j/crypto/fips/cavs/fips_desmovs.c.fips 2014-10-16 13:19:35.092306265 +0200
-+++ openssl-1.0.1j/crypto/fips/cavs/fips_desmovs.c 2014-10-16 13:19:35.092306265 +0200
-@@ -0,0 +1,702 @@
-+/* ====================================================================
-+ * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+/*---------------------------------------------
-+ NIST DES Modes of Operation Validation System
-+ Test Program
-+
-+ Based on the AES Validation Suite, which was:
-+ Donated to OpenSSL by:
-+ V-ONE Corporation
-+ 20250 Century Blvd, Suite 300
-+ Germantown, MD 20874
-+ U.S.A.
-+ ----------------------------------------------*/
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <errno.h>
-+#include <assert.h>
-+#include <ctype.h>
-+#include <openssl/des.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+
-+#include <openssl/err.h>
-+#include "e_os.h"
-+
-+#ifndef OPENSSL_FIPS
-+
-+int main(int argc, char *argv[])
-+{
-+ printf("No FIPS DES support\n");
-+ return(0);
-+}
-+
-+#else
-+
-+#include <openssl/fips.h>
-+#include "fips_utl.h"
-+
-+#define DES_BLOCK_SIZE 8
-+
-+#define VERBOSE 0
-+
-+int DESTest(EVP_CIPHER_CTX *ctx,
-+ char *amode, int akeysz, unsigned char *aKey,
-+ unsigned char *iVec,
-+ int dir, /* 0 = decrypt, 1 = encrypt */
-+ unsigned char *out, unsigned char *in, int len)
-+ {
-+ const EVP_CIPHER *cipher = NULL;
-+
-+ if (akeysz != 192)
-+ {
-+ printf("Invalid key size: %d\n", akeysz);
-+ EXIT(1);
-+ }
-+
-+ if (strcasecmp(amode, "CBC") == 0)
-+ cipher = EVP_des_ede3_cbc();
-+ else if (strcasecmp(amode, "ECB") == 0)
-+ cipher = EVP_des_ede3_ecb();
-+ else if (strcasecmp(amode, "CFB64") == 0)
-+ cipher = EVP_des_ede3_cfb64();
-+ else if (strncasecmp(amode, "OFB", 3) == 0)
-+ cipher = EVP_des_ede3_ofb();
-+ else if(!strcasecmp(amode,"CFB8"))
-+ cipher = EVP_des_ede3_cfb8();
-+ else if(!strcasecmp(amode,"CFB1"))
-+ cipher = EVP_des_ede3_cfb1();
-+ else
-+ {
-+ printf("Unknown mode: %s\n", amode);
-+ EXIT(1);
-+ }
-+
-+ if (EVP_CipherInit_ex(ctx, cipher, NULL, aKey, iVec, dir) <= 0)
-+ return 0;
-+ if(!strcasecmp(amode,"CFB1"))
-+ M_EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS);
-+ EVP_Cipher(ctx, out, in, len);
-+
-+ return 1;
-+ }
-+
-+void DebugValue(char *tag, unsigned char *val, int len)
-+ {
-+ char obuf[2048];
-+ int olen;
-+ olen = bin2hex(val, len, obuf);
-+ printf("%s = %.*s\n", tag, olen, obuf);
-+ }
-+
-+void shiftin(unsigned char *dst,unsigned char *src,int nbits)
-+ {
-+ int n;
-+
-+ /* move the bytes... */
-+ memmove(dst,dst+nbits/8,3*8-nbits/8);
-+ /* append new data */
-+ memcpy(dst+3*8-nbits/8,src,(nbits+7)/8);
-+ /* left shift the bits */
-+ if(nbits%8)
-+ for(n=0 ; n < 3*8 ; ++n)
-+ dst[n]=(dst[n] << (nbits%8))|(dst[n+1] >> (8-nbits%8));
-+ }
-+
-+/*-----------------------------------------------*/
-+char *t_tag[2] = {"PLAINTEXT", "CIPHERTEXT"};
-+char *t_mode[6] = {"CBC","ECB","OFB","CFB1","CFB8","CFB64"};
-+enum Mode {CBC, ECB, OFB, CFB1, CFB8, CFB64};
-+int Sizes[6]={64,64,64,1,8,64};
-+
-+void do_mct(char *amode,
-+ int akeysz, int numkeys, unsigned char *akey,unsigned char *ivec,
-+ int dir, unsigned char *text, int len,
-+ FILE *rfp)
-+ {
-+ int i,imode;
-+ unsigned char nk[4*8]; /* longest key+8 */
-+ unsigned char text0[8];
-+
-+ for (imode=0 ; imode < 6 ; ++imode)
-+ if(!strcmp(amode,t_mode[imode]))
-+ break;
-+ if (imode == 6)
-+ {
-+ printf("Unrecognized mode: %s\n", amode);
-+ EXIT(1);
-+ }
-+
-+ for(i=0 ; i < 400 ; ++i)
-+ {
-+ int j;
-+ int n;
-+ int kp=akeysz/64;
-+ unsigned char old_iv[8];
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+
-+ fprintf(rfp,"\nCOUNT = %d\n",i);
-+ if(kp == 1)
-+ OutputValue("KEY",akey,8,rfp,0);
-+ else
-+ for(n=0 ; n < kp ; ++n)
-+ {
-+ fprintf(rfp,"KEY%d",n+1);
-+ OutputValue("",akey+n*8,8,rfp,0);
-+ }
-+
-+ if(imode != ECB)
-+ OutputValue("IV",ivec,8,rfp,0);
-+ OutputValue(t_tag[dir^1],text,len,rfp,imode == CFB1);
-+#if 0
-+ /* compensate for endianness */
-+ if(imode == CFB1)
-+ text[0]<<=7;
-+#endif
-+ memcpy(text0,text,8);
-+
-+ for(j=0 ; j < 10000 ; ++j)
-+ {
-+ unsigned char old_text[8];
-+
-+ memcpy(old_text,text,8);
-+ if(j == 0)
-+ {
-+ memcpy(old_iv,ivec,8);
-+ DESTest(&ctx,amode,akeysz,akey,ivec,dir,text,text,len);
-+ }
-+ else
-+ {
-+ memcpy(old_iv,ctx.iv,8);
-+ EVP_Cipher(&ctx,text,text,len);
-+ }
-+ if(j == 9999)
-+ {
-+ OutputValue(t_tag[dir],text,len,rfp,imode == CFB1);
-+ /* memcpy(ivec,text,8); */
-+ }
-+ /* DebugValue("iv",ctx.iv,8); */
-+ /* accumulate material for the next key */
-+ shiftin(nk,text,Sizes[imode]);
-+ /* DebugValue("nk",nk,24);*/
-+ if((dir && (imode == CFB1 || imode == CFB8 || imode == CFB64
-+ || imode == CBC)) || imode == OFB)
-+ memcpy(text,old_iv,8);
-+
-+ if(!dir && (imode == CFB1 || imode == CFB8 || imode == CFB64))
-+ {
-+ /* the test specifies using the output of the raw DES operation
-+ which we don't have, so reconstruct it... */
-+ for(n=0 ; n < 8 ; ++n)
-+ text[n]^=old_text[n];
-+ }
-+ }
-+ for(n=0 ; n < 8 ; ++n)
-+ akey[n]^=nk[16+n];
-+ for(n=0 ; n < 8 ; ++n)
-+ akey[8+n]^=nk[8+n];
-+ for(n=0 ; n < 8 ; ++n)
-+ akey[16+n]^=nk[n];
-+ if(numkeys < 3)
-+ memcpy(&akey[2*8],akey,8);
-+ if(numkeys < 2)
-+ memcpy(&akey[8],akey,8);
-+ DES_set_odd_parity((DES_cblock *)akey);
-+ DES_set_odd_parity((DES_cblock *)(akey+8));
-+ DES_set_odd_parity((DES_cblock *)(akey+16));
-+ memcpy(ivec,ctx.iv,8);
-+
-+ /* pointless exercise - the final text doesn't depend on the
-+ initial text in OFB mode, so who cares what it is? (Who
-+ designed these tests?) */
-+ if(imode == OFB)
-+ for(n=0 ; n < 8 ; ++n)
-+ text[n]=text0[n]^old_iv[n];
-+ }
-+ }
-+
-+int proc_file(char *rqfile, char *rspfile)
-+ {
-+ char afn[256], rfn[256];
-+ FILE *afp = NULL, *rfp = NULL;
-+ char ibuf[2048], tbuf[2048];
-+ int ilen, len, ret = 0;
-+ char amode[8] = "";
-+ char atest[100] = "";
-+ int akeysz=0;
-+ unsigned char iVec[20], aKey[40];
-+ int dir = -1, err = 0, step = 0;
-+ unsigned char plaintext[2048];
-+ unsigned char ciphertext[2048];
-+ char *rp;
-+ EVP_CIPHER_CTX ctx;
-+ int numkeys=1;
-+ EVP_CIPHER_CTX_init(&ctx);
-+
-+ if (!rqfile || !(*rqfile))
-+ {
-+ printf("No req file\n");
-+ return -1;
-+ }
-+ strcpy(afn, rqfile);
-+
-+ if ((afp = fopen(afn, "r")) == NULL)
-+ {
-+ printf("Cannot open file: %s, %s\n",
-+ afn, strerror(errno));
-+ return -1;
-+ }
-+ if (!rspfile)
-+ {
-+ strcpy(rfn,afn);
-+ rp=strstr(rfn,"req/");
-+#ifdef OPENSSL_SYS_WIN32
-+ if (!rp)
-+ rp=strstr(rfn,"req\\");
-+#endif
-+ assert(rp);
-+ memcpy(rp,"rsp",3);
-+ rp = strstr(rfn, ".req");
-+ memcpy(rp, ".rsp", 4);
-+ rspfile = rfn;
-+ }
-+ if ((rfp = fopen(rspfile, "w")) == NULL)
-+ {
-+ printf("Cannot open file: %s, %s\n",
-+ rfn, strerror(errno));
-+ fclose(afp);
-+ afp = NULL;
-+ return -1;
-+ }
-+ while (!err && (fgets(ibuf, sizeof(ibuf), afp)) != NULL)
-+ {
-+ tidy_line(tbuf, ibuf);
-+ ilen = strlen(ibuf);
-+ /* printf("step=%d ibuf=%s",step,ibuf);*/
-+ if(step == 3 && !strcmp(amode,"ECB"))
-+ {
-+ memset(iVec, 0, sizeof(iVec));
-+ step = (dir)? 4: 5; /* no ivec for ECB */
-+ }
-+ switch (step)
-+ {
-+ case 0: /* read preamble */
-+ if (ibuf[0] == '\n')
-+ { /* end of preamble */
-+ if (*amode == '\0')
-+ {
-+ printf("Missing Mode\n");
-+ err = 1;
-+ }
-+ else
-+ {
-+ fputs(ibuf, rfp);
-+ ++ step;
-+ }
-+ }
-+ else if (ibuf[0] != '#')
-+ {
-+ printf("Invalid preamble item: %s\n", ibuf);
-+ err = 1;
-+ }
-+ else
-+ { /* process preamble */
-+ char *xp, *pp = ibuf+2;
-+ int n;
-+ if(*amode)
-+ { /* insert current time & date */
-+ time_t rtim = time(0);
-+ fprintf(rfp, "# %s", ctime(&rtim));
-+ }
-+ else
-+ {
-+ fputs(ibuf, rfp);
-+ if(!strncmp(pp,"INVERSE ",8) || !strncmp(pp,"DES ",4)
-+ || !strncmp(pp,"TDES ",5)
-+ || !strncmp(pp,"PERMUTATION ",12)
-+ || !strncmp(pp,"SUBSTITUTION ",13)
-+ || !strncmp(pp,"VARIABLE ",9))
-+ {
-+ /* get test type */
-+ if(!strncmp(pp,"DES ",4))
-+ pp+=4;
-+ else if(!strncmp(pp,"TDES ",5))
-+ pp+=5;
-+ xp = strchr(pp, ' ');
-+ n = xp-pp;
-+ strncpy(atest, pp, n);
-+ atest[n] = '\0';
-+ /* get mode */
-+ xp = strrchr(pp, ' '); /* get mode" */
-+ n = strlen(xp+1)-1;
-+ strncpy(amode, xp+1, n);
-+ amode[n] = '\0';
-+ /* amode[3] = '\0'; */
-+ if (VERBOSE)
-+ printf("Test=%s, Mode=%s\n",atest,amode);
-+ }
-+ }
-+ }
-+ break;
-+
-+ case 1: /* [ENCRYPT] | [DECRYPT] */
-+ if(ibuf[0] == '\n')
-+ break;
-+ if (ibuf[0] == '[')
-+ {
-+ fputs(ibuf, rfp);
-+ ++step;
-+ if (strncasecmp(ibuf, "[ENCRYPT]", 9) == 0)
-+ dir = 1;
-+ else if (strncasecmp(ibuf, "[DECRYPT]", 9) == 0)
-+ dir = 0;
-+ else
-+ {
-+ printf("Invalid keyword: %s\n", ibuf);
-+ err = 1;
-+ }
-+ break;
-+ }
-+ else if (dir == -1)
-+ {
-+ err = 1;
-+ printf("Missing ENCRYPT/DECRYPT keyword\n");
-+ break;
-+ }
-+ else
-+ step = 2;
-+
-+ case 2: /* KEY = xxxx */
-+ if(*ibuf == '\n')
-+ {
-+ fputs(ibuf, rfp);
-+ break;
-+ }
-+ if(!strncasecmp(ibuf,"COUNT = ",8))
-+ {
-+ fputs(ibuf, rfp);
-+ break;
-+ }
-+ if(!strncasecmp(ibuf,"COUNT=",6))
-+ {
-+ fputs(ibuf, rfp);
-+ break;
-+ }
-+ if(!strncasecmp(ibuf,"NumKeys = ",10))
-+ {
-+ numkeys=atoi(ibuf+10);
-+ break;
-+ }
-+
-+ fputs(ibuf, rfp);
-+ if(!strncasecmp(ibuf,"KEY = ",6))
-+ {
-+ akeysz=64;
-+ len = hex2bin((char*)ibuf+6, aKey);
-+ if (len < 0)
-+ {
-+ printf("Invalid KEY\n");
-+ err=1;
-+ break;
-+ }
-+ PrintValue("KEY", aKey, len);
-+ ++step;
-+ }
-+ else if(!strncasecmp(ibuf,"KEYs = ",7))
-+ {
-+ akeysz=64*3;
-+ len=hex2bin(ibuf+7,aKey);
-+ if(len != 8)
-+ {
-+ printf("Invalid KEY\n");
-+ err=1;
-+ break;
-+ }
-+ memcpy(aKey+8,aKey,8);
-+ memcpy(aKey+16,aKey,8);
-+ ibuf[4]='\0';
-+ PrintValue("KEYs",aKey,len);
-+ ++step;
-+ }
-+ else if(!strncasecmp(ibuf,"KEY",3))
-+ {
-+ int n=ibuf[3]-'1';
-+
-+ akeysz=64*3;
-+ len=hex2bin(ibuf+7,aKey+n*8);
-+ if(len != 8)
-+ {
-+ printf("Invalid KEY\n");
-+ err=1;
-+ break;
-+ }
-+ ibuf[4]='\0';
-+ PrintValue(ibuf,aKey,len);
-+ if(n == 2)
-+ ++step;
-+ }
-+ else
-+ {
-+ printf("Missing KEY\n");
-+ err = 1;
-+ }
-+ break;
-+
-+ case 3: /* IV = xxxx */
-+ fputs(ibuf, rfp);
-+ if (strncasecmp(ibuf, "IV = ", 5) != 0)
-+ {
-+ printf("Missing IV\n");
-+ err = 1;
-+ }
-+ else
-+ {
-+ len = hex2bin((char*)ibuf+5, iVec);
-+ if (len < 0)
-+ {
-+ printf("Invalid IV\n");
-+ err =1;
-+ break;
-+ }
-+ PrintValue("IV", iVec, len);
-+ step = (dir)? 4: 5;
-+ }
-+ break;
-+
-+ case 4: /* PLAINTEXT = xxxx */
-+ fputs(ibuf, rfp);
-+ if (strncasecmp(ibuf, "PLAINTEXT = ", 12) != 0)
-+ {
-+ printf("Missing PLAINTEXT\n");
-+ err = 1;
-+ }
-+ else
-+ {
-+ int nn = strlen(ibuf+12);
-+ if(!strcmp(amode,"CFB1"))
-+ len=bint2bin(ibuf+12,nn-1,plaintext);
-+ else
-+ len=hex2bin(ibuf+12, plaintext);
-+ if (len < 0)
-+ {
-+ printf("Invalid PLAINTEXT: %s", ibuf+12);
-+ err =1;
-+ break;
-+ }
-+ if (len >= sizeof(plaintext))
-+ {
-+ printf("Buffer overflow\n");
-+ }
-+ PrintValue("PLAINTEXT", (unsigned char*)plaintext, len);
-+ if (strcmp(atest, "Monte") == 0) /* Monte Carlo Test */
-+ {
-+ do_mct(amode,akeysz,numkeys,aKey,iVec,dir,plaintext,len,rfp);
-+ }
-+ else
-+ {
-+ assert(dir == 1);
-+ ret = DESTest(&ctx, amode, akeysz, aKey, iVec,
-+ dir, /* 0 = decrypt, 1 = encrypt */
-+ ciphertext, plaintext, len);
-+ OutputValue("CIPHERTEXT",ciphertext,len,rfp,
-+ !strcmp(amode,"CFB1"));
-+ }
-+ step = 6;
-+ }
-+ break;
-+
-+ case 5: /* CIPHERTEXT = xxxx */
-+ fputs(ibuf, rfp);
-+ if (strncasecmp(ibuf, "CIPHERTEXT = ", 13) != 0)
-+ {
-+ printf("Missing KEY\n");
-+ err = 1;
-+ }
-+ else
-+ {
-+ if(!strcmp(amode,"CFB1"))
-+ len=bint2bin(ibuf+13,strlen(ibuf+13)-1,ciphertext);
-+ else
-+ len = hex2bin(ibuf+13,ciphertext);
-+ if (len < 0)
-+ {
-+ printf("Invalid CIPHERTEXT\n");
-+ err =1;
-+ break;
-+ }
-+
-+ PrintValue("CIPHERTEXT", ciphertext, len);
-+ if (strcmp(atest, "Monte") == 0) /* Monte Carlo Test */
-+ {
-+ do_mct(amode, akeysz, numkeys, aKey, iVec,
-+ dir, ciphertext, len, rfp);
-+ }
-+ else
-+ {
-+ assert(dir == 0);
-+ ret = DESTest(&ctx, amode, akeysz, aKey, iVec,
-+ dir, /* 0 = decrypt, 1 = encrypt */
-+ plaintext, ciphertext, len);
-+ OutputValue("PLAINTEXT",(unsigned char *)plaintext,len,rfp,
-+ !strcmp(amode,"CFB1"));
-+ }
-+ step = 6;
-+ }
-+ break;
-+
-+ case 6:
-+ if (ibuf[0] != '\n')
-+ {
-+ err = 1;
-+ printf("Missing terminator\n");
-+ }
-+ else if (strcmp(atest, "MCT") != 0)
-+ { /* MCT already added terminating nl */
-+ fputs(ibuf, rfp);
-+ }
-+ step = 1;
-+ break;
-+ }
-+ }
-+ if (rfp)
-+ fclose(rfp);
-+ if (afp)
-+ fclose(afp);
-+ return err;
-+ }
-+
-+/*--------------------------------------------------
-+ Processes either a single file or
-+ a set of files whose names are passed in a file.
-+ A single file is specified as:
-+ aes_test -f xxx.req
-+ A set of files is specified as:
-+ aes_test -d xxxxx.xxx
-+ The default is: -d req.txt
-+--------------------------------------------------*/
-+int main(int argc, char **argv)
-+ {
-+ char *rqlist = "req.txt", *rspfile = NULL;
-+ FILE *fp = NULL;
-+ char fn[250] = "", rfn[256] = "";
-+ int f_opt = 0, d_opt = 1;
-+
-+#ifdef OPENSSL_FIPS
-+ if(!FIPS_mode_set(1))
-+ {
-+ do_print_errors();
-+ EXIT(1);
-+ }
-+#endif
-+ if (argc > 1)
-+ {
-+ if (strcasecmp(argv[1], "-d") == 0)
-+ {
-+ d_opt = 1;
-+ }
-+ else if (strcasecmp(argv[1], "-f") == 0)
-+ {
-+ f_opt = 1;
-+ d_opt = 0;
-+ }
-+ else
-+ {
-+ printf("Invalid parameter: %s\n", argv[1]);
-+ return 0;
-+ }
-+ if (argc < 3)
-+ {
-+ printf("Missing parameter\n");
-+ return 0;
-+ }
-+ if (d_opt)
-+ rqlist = argv[2];
-+ else
-+ {
-+ strcpy(fn, argv[2]);
-+ rspfile = argv[3];
-+ }
-+ }
-+ if (d_opt)
-+ { /* list of files (directory) */
-+ if (!(fp = fopen(rqlist, "r")))
-+ {
-+ printf("Cannot open req list file\n");
-+ return -1;
-+ }
-+ while (fgets(fn, sizeof(fn), fp))
-+ {
-+ strtok(fn, "\r\n");
-+ strcpy(rfn, fn);
-+ printf("Processing: %s\n", rfn);
-+ if (proc_file(rfn, rspfile))
-+ {
-+ printf(">>> Processing failed for: %s <<<\n", rfn);
-+ EXIT(1);
-+ }
-+ }
-+ fclose(fp);
-+ }
-+ else /* single file */
-+ {
-+ if (VERBOSE)
-+ printf("Processing: %s\n", fn);
-+ if (proc_file(fn, rspfile))
-+ {
-+ printf(">>> Processing failed for: %s <<<\n", fn);
-+ }
-+ }
-+ EXIT(0);
-+ return 0;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/cavs/fips_dhvs.c.fips openssl-1.0.1j/crypto/fips/cavs/fips_dhvs.c
---- openssl-1.0.1j/crypto/fips/cavs/fips_dhvs.c.fips 2014-10-16 13:19:35.093306288 +0200
-+++ openssl-1.0.1j/crypto/fips/cavs/fips_dhvs.c 2014-10-16 13:19:35.093306288 +0200
-@@ -0,0 +1,292 @@
-+/* fips/dh/fips_dhvs.c */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+
-+#define OPENSSL_FIPSAPI
-+#include <openssl/opensslconf.h>
-+
-+#ifndef OPENSSL_FIPS
-+#include <stdio.h>
-+
-+int main(int argc, char **argv)
-+{
-+ printf("No FIPS DH support\n");
-+ return(0);
-+}
-+#else
-+
-+#include <openssl/crypto.h>
-+#include <openssl/bn.h>
-+#include <openssl/dh.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <string.h>
-+#include <ctype.h>
-+
-+#include "fips_utl.h"
-+
-+static const EVP_MD *parse_md(char *line)
-+ {
-+ char *p;
-+ if (line[0] != '[' || line[1] != 'F')
-+ return NULL;
-+ p = strchr(line, '-');
-+ if (!p)
-+ return NULL;
-+ line = p + 1;
-+ p = strchr(line, ']');
-+ if (!p)
-+ return NULL;
-+ *p = 0;
-+ p = line;
-+ while(isspace(*p))
-+ p++;
-+ if (!strcmp(p, "SHA1"))
-+ return EVP_sha1();
-+ else if (!strcmp(p, "SHA224"))
-+ return EVP_sha224();
-+ else if (!strcmp(p, "SHA256"))
-+ return EVP_sha256();
-+ else if (!strcmp(p, "SHA384"))
-+ return EVP_sha384();
-+ else if (!strcmp(p, "SHA512"))
-+ return EVP_sha512();
-+ else
-+ return NULL;
-+ }
-+
-+static void output_Zhash(FILE *out, int exout,
-+ DH *dh, BIGNUM *peerkey, const EVP_MD *md,
-+ unsigned char *rhash, size_t rhashlen)
-+ {
-+ unsigned char *Z;
-+ unsigned char chash[EVP_MAX_MD_SIZE];
-+ int Zlen;
-+ if (rhash == NULL)
-+ {
-+ rhashlen = M_EVP_MD_size(md);
-+ if (!DH_generate_key(dh))
-+ exit (1);
-+ do_bn_print_name(out, "YephemIUT", dh->pub_key);
-+ if (exout)
-+ do_bn_print_name(out, "XephemIUT", dh->priv_key);
-+ }
-+ Z = OPENSSL_malloc(BN_num_bytes(dh->p));
-+ if (!Z)
-+ exit(1);
-+ Zlen = DH_compute_key_padded(Z, peerkey, dh);
-+ if (exout)
-+ OutputValue("Z", Z, Zlen, out, 0);
-+ FIPS_digest(Z, Zlen, chash, NULL, md);
-+ OutputValue(rhash ? "IUTHashZZ" : "HashZZ", chash, rhashlen, out, 0);
-+ if (rhash)
-+ {
-+ fprintf(out, "Result = %s\n",
-+ memcmp(chash, rhash, rhashlen) ? "F" : "P");
-+ }
-+ else
-+ {
-+ BN_clear_free(dh->priv_key);
-+ BN_clear_free(dh->pub_key);
-+ dh->priv_key = NULL;
-+ dh->pub_key = NULL;
-+ }
-+ OPENSSL_cleanse(Z, Zlen);
-+ OPENSSL_free(Z);
-+ }
-+
-+#ifdef FIPS_ALGVS
-+int fips_dhvs_main(int argc, char **argv)
-+#else
-+int main(int argc, char **argv)
-+#endif
-+ {
-+ char **args = argv + 1;
-+ int argn = argc - 1;
-+ FILE *in, *out;
-+ char buf[2048], lbuf[2048];
-+ unsigned char *rhash;
-+ long rhashlen;
-+ DH *dh = NULL;
-+ const EVP_MD *md = NULL;
-+ BIGNUM *peerkey = NULL;
-+ char *keyword = NULL, *value = NULL;
-+ int do_verify = -1, exout = 0;
-+
-+ fips_algtest_init();
-+
-+ if (argn && !strcmp(*args, "dhver"))
-+ {
-+ do_verify = 1;
-+ args++;
-+ argn--;
-+ }
-+ else if (argn && !strcmp(*args, "dhgen"))
-+ {
-+ do_verify = 0;
-+ args++;
-+ argn--;
-+ }
-+
-+ if (argn && !strcmp(*args, "-exout"))
-+ {
-+ exout = 1;
-+ args++;
-+ argn--;
-+ }
-+
-+ if (do_verify == -1)
-+ {
-+ fprintf(stderr,"%s [dhver|dhgen|] [-exout] (infile outfile)\n",argv[0]);
-+ exit(1);
-+ }
-+
-+ if (argn == 2)
-+ {
-+ in = fopen(*args, "r");
-+ if (!in)
-+ {
-+ fprintf(stderr, "Error opening input file\n");
-+ exit(1);
-+ }
-+ out = fopen(args[1], "w");
-+ if (!out)
-+ {
-+ fprintf(stderr, "Error opening output file\n");
-+ exit(1);
-+ }
-+ }
-+ else if (argn == 0)
-+ {
-+ in = stdin;
-+ out = stdout;
-+ }
-+ else
-+ {
-+ fprintf(stderr,"%s [dhver|dhgen|] [-exout] (infile outfile)\n",argv[0]);
-+ exit(1);
-+ }
-+
-+ dh = FIPS_dh_new();
-+
-+ while (fgets(buf, sizeof(buf), in) != NULL)
-+ {
-+ fputs(buf, out);
-+ if (strlen(buf) > 6 && !strncmp(buf, "[F", 2))
-+ {
-+ md = parse_md(buf);
-+ if (md == NULL)
-+ goto parse_error;
-+ if (dh)
-+ FIPS_dh_free(dh);
-+ dh = FIPS_dh_new();
-+ continue;
-+ }
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ if (!strcmp(keyword, "P"))
-+ {
-+ if (!do_hex2bn(&dh->p, value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "Q"))
-+ {
-+ if (!do_hex2bn(&dh->q, value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "G"))
-+ {
-+ if (!do_hex2bn(&dh->g, value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "XephemIUT"))
-+ {
-+ if (!do_hex2bn(&dh->priv_key, value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "YephemIUT"))
-+ {
-+ if (!do_hex2bn(&dh->pub_key, value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "YephemCAVS"))
-+ {
-+ if (!do_hex2bn(&peerkey, value))
-+ goto parse_error;
-+ if (do_verify == 0)
-+ output_Zhash(out, exout, dh, peerkey, md,
-+ NULL, 0);
-+ }
-+ else if (!strcmp(keyword, "CAVSHashZZ"))
-+ {
-+ if (!md)
-+ goto parse_error;
-+ rhash = hex2bin_m(value, &rhashlen);
-+ if (!rhash || rhashlen != M_EVP_MD_size(md))
-+ goto parse_error;
-+ output_Zhash(out, exout, dh, peerkey, md,
-+ rhash, rhashlen);
-+ }
-+ }
-+ if (in && in != stdin)
-+ fclose(in);
-+ if (out && out != stdout)
-+ fclose(out);
-+ return 0;
-+ parse_error:
-+ fprintf(stderr, "Error Parsing request file\n");
-+ exit(1);
-+ }
-+
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/cavs/fips_drbgvs.c.fips openssl-1.0.1j/crypto/fips/cavs/fips_drbgvs.c
---- openssl-1.0.1j/crypto/fips/cavs/fips_drbgvs.c.fips 2014-10-16 13:19:35.093306288 +0200
-+++ openssl-1.0.1j/crypto/fips/cavs/fips_drbgvs.c 2014-10-16 13:19:35.093306288 +0200
-@@ -0,0 +1,416 @@
-+/* fips/rand/fips_drbgvs.c */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+
-+#define OPENSSL_FIPSAPI
-+#include <openssl/opensslconf.h>
-+
-+#ifndef OPENSSL_FIPS
-+#include <stdio.h>
-+
-+int main(int argc, char **argv)
-+{
-+ printf("No FIPS DRBG support\n");
-+ return(0);
-+}
-+#else
-+
-+#include <openssl/bn.h>
-+#include <openssl/dsa.h>
-+#include <openssl/fips.h>
-+#include <openssl/fips_rand.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <string.h>
-+#include <ctype.h>
-+
-+#include "fips_utl.h"
-+
-+static int dparse_md(char *str)
-+ {
-+ switch(atoi(str + 5))
-+ {
-+ case 1:
-+ return NID_sha1;
-+
-+ case 224:
-+ return NID_sha224;
-+
-+ case 256:
-+ return NID_sha256;
-+
-+ case 384:
-+ return NID_sha384;
-+
-+ case 512:
-+ return NID_sha512;
-+
-+ }
-+
-+ return NID_undef;
-+ }
-+
-+static int parse_ec(char *str)
-+ {
-+ int curve_nid, md_nid;
-+ char *md;
-+ md = strchr(str, ' ');
-+ if (!md)
-+ return NID_undef;
-+ if (!strncmp(str, "[P-256", 6))
-+ curve_nid = NID_X9_62_prime256v1;
-+ else if (!strncmp(str, "[P-384", 6))
-+ curve_nid = NID_secp384r1;
-+ else if (!strncmp(str, "[P-521", 6))
-+ curve_nid = NID_secp521r1;
-+ else
-+ return NID_undef;
-+ md_nid = dparse_md(md);
-+ if (md_nid == NID_undef)
-+ return NID_undef;
-+ return (curve_nid << 16) | md_nid;
-+ }
-+
-+static int parse_aes(char *str, int *pdf)
-+ {
-+
-+ if (!strncmp(str + 9, "no", 2))
-+ *pdf = 0;
-+ else
-+ *pdf = DRBG_FLAG_CTR_USE_DF;
-+
-+ switch(atoi(str + 5))
-+ {
-+ case 128:
-+ return NID_aes_128_ctr;
-+
-+ case 192:
-+ return NID_aes_192_ctr;
-+
-+ case 256:
-+ return NID_aes_256_ctr;
-+
-+ default:
-+ return NID_undef;
-+
-+ }
-+ }
-+
-+typedef struct
-+ {
-+ unsigned char *ent;
-+ size_t entlen;
-+ unsigned char *nonce;
-+ size_t noncelen;
-+ } TEST_ENT;
-+
-+static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len)
-+ {
-+ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
-+ *pout = (unsigned char *)t->ent;
-+ return t->entlen;
-+ }
-+
-+static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len)
-+ {
-+ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
-+ *pout = (unsigned char *)t->nonce;
-+ return t->noncelen;
-+ }
-+
-+#ifdef FIPS_ALGVS
-+int fips_drbgvs_main(int argc,char **argv)
-+#else
-+int main(int argc,char **argv)
-+#endif
-+ {
-+ FILE *in = NULL, *out = NULL;
-+ DRBG_CTX *dctx = NULL;
-+ TEST_ENT t;
-+ int r, nid = 0;
-+ int pr = 0;
-+ char buf[2048], lbuf[2048];
-+ unsigned char randout[2048];
-+ char *keyword = NULL, *value = NULL;
-+
-+ unsigned char *ent = NULL, *nonce = NULL, *pers = NULL, *adin = NULL;
-+ long entlen, noncelen, perslen, adinlen;
-+ int df = 0;
-+
-+ enum dtype { DRBG_NONE, DRBG_CTR, DRBG_HASH, DRBG_HMAC, DRBG_DUAL_EC }
-+ drbg_type = DRBG_NONE;
-+
-+ int randoutlen = 0;
-+
-+ int gen = 0;
-+
-+ fips_algtest_init();
-+
-+ if (argc == 3)
-+ {
-+ in = fopen(argv[1], "r");
-+ if (!in)
-+ {
-+ fprintf(stderr, "Error opening input file\n");
-+ exit(1);
-+ }
-+ out = fopen(argv[2], "w");
-+ if (!out)
-+ {
-+ fprintf(stderr, "Error opening output file\n");
-+ exit(1);
-+ }
-+ }
-+ else if (argc == 1)
-+ {
-+ in = stdin;
-+ out = stdout;
-+ }
-+ else
-+ {
-+ fprintf(stderr,"%s (infile outfile)\n",argv[0]);
-+ exit(1);
-+ }
-+
-+ while (fgets(buf, sizeof(buf), in) != NULL)
-+ {
-+ fputs(buf, out);
-+ if (drbg_type == DRBG_NONE)
-+ {
-+ if (strstr(buf, "CTR_DRBG"))
-+ drbg_type = DRBG_CTR;
-+ else if (strstr(buf, "Hash_DRBG"))
-+ drbg_type = DRBG_HASH;
-+ else if (strstr(buf, "HMAC_DRBG"))
-+ drbg_type = DRBG_HMAC;
-+ else if (strstr(buf, "Dual_EC_DRBG"))
-+ drbg_type = DRBG_DUAL_EC;
-+ else
-+ continue;
-+ }
-+ if (strlen(buf) > 4 && !strncmp(buf, "[SHA-", 5))
-+ {
-+ nid = dparse_md(buf);
-+ if (nid == NID_undef)
-+ exit(1);
-+ if (drbg_type == DRBG_HMAC)
-+ {
-+ switch (nid)
-+ {
-+ case NID_sha1:
-+ nid = NID_hmacWithSHA1;
-+ break;
-+
-+ case NID_sha224:
-+ nid = NID_hmacWithSHA224;
-+ break;
-+
-+ case NID_sha256:
-+ nid = NID_hmacWithSHA256;
-+ break;
-+
-+ case NID_sha384:
-+ nid = NID_hmacWithSHA384;
-+ break;
-+
-+ case NID_sha512:
-+ nid = NID_hmacWithSHA512;
-+ break;
-+
-+ default:
-+ exit(1);
-+ }
-+ }
-+ }
-+ if (strlen(buf) > 12 && !strncmp(buf, "[AES-", 5))
-+ {
-+ nid = parse_aes(buf, &df);
-+ if (nid == NID_undef)
-+ exit(1);
-+ }
-+ if (strlen(buf) > 12 && !strncmp(buf, "[P-", 3))
-+ {
-+ nid = parse_ec(buf);
-+ if (nid == NID_undef)
-+ exit(1);
-+ }
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+
-+ if (!strcmp(keyword, "[PredictionResistance"))
-+ {
-+ if (!strcmp(value, "True]"))
-+ pr = 1;
-+ else if (!strcmp(value, "False]"))
-+ pr = 0;
-+ else
-+ exit(1);
-+ }
-+
-+ if (!strcmp(keyword, "EntropyInput"))
-+ {
-+ ent = hex2bin_m(value, &entlen);
-+ t.ent = ent;
-+ t.entlen = entlen;
-+ }
-+
-+ if (!strcmp(keyword, "Nonce"))
-+ {
-+ nonce = hex2bin_m(value, &noncelen);
-+ t.nonce = nonce;
-+ t.noncelen = noncelen;
-+ }
-+
-+ if (!strcmp(keyword, "PersonalizationString"))
-+ {
-+ pers = hex2bin_m(value, &perslen);
-+ if (nid == 0)
-+ {
-+ fprintf(stderr, "DRBG type not recognised!\n");
-+ exit (1);
-+ }
-+ dctx = FIPS_drbg_new(nid, df | DRBG_FLAG_TEST);
-+ if (!dctx)
-+ exit (1);
-+ FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0,
-+ test_nonce, 0);
-+ FIPS_drbg_set_app_data(dctx, &t);
-+ randoutlen = (int)FIPS_drbg_get_blocklength(dctx);
-+ r = FIPS_drbg_instantiate(dctx, pers, perslen);
-+ if (!r)
-+ {
-+ fprintf(stderr, "Error instantiating DRBG\n");
-+ exit(1);
-+ }
-+ OPENSSL_free(pers);
-+ OPENSSL_free(ent);
-+ OPENSSL_free(nonce);
-+ ent = nonce = pers = NULL;
-+ gen = 0;
-+ }
-+
-+ if (!strcmp(keyword, "AdditionalInput"))
-+ {
-+ adin = hex2bin_m(value, &adinlen);
-+ if (pr)
-+ continue;
-+ r = FIPS_drbg_generate(dctx, randout, randoutlen, 0,
-+ adin, adinlen);
-+ if (!r)
-+ {
-+ fprintf(stderr, "Error generating DRBG bits\n");
-+ exit(1);
-+ }
-+ if (!r)
-+ exit(1);
-+ OPENSSL_free(adin);
-+ adin = NULL;
-+ gen++;
-+ }
-+
-+ if (pr)
-+ {
-+ if (!strcmp(keyword, "EntropyInputPR"))
-+ {
-+ ent = hex2bin_m(value, &entlen);
-+ t.ent = ent;
-+ t.entlen = entlen;
-+ r = FIPS_drbg_generate(dctx,
-+ randout, randoutlen,
-+ 1, adin, adinlen);
-+ if (!r)
-+ {
-+ fprintf(stderr,
-+ "Error generating DRBG bits\n");
-+ exit(1);
-+ }
-+ OPENSSL_free(adin);
-+ OPENSSL_free(ent);
-+ adin = ent = NULL;
-+ gen++;
-+ }
-+ }
-+ if (!strcmp(keyword, "EntropyInputReseed"))
-+ {
-+ ent = hex2bin_m(value, &entlen);
-+ t.ent = ent;
-+ t.entlen = entlen;
-+ }
-+ if (!strcmp(keyword, "AdditionalInputReseed"))
-+ {
-+ adin = hex2bin_m(value, &adinlen);
-+ FIPS_drbg_reseed(dctx, adin, adinlen);
-+ OPENSSL_free(ent);
-+ OPENSSL_free(adin);
-+ ent = adin = NULL;
-+ }
-+ if (gen == 2)
-+ {
-+ OutputValue("ReturnedBits", randout, randoutlen,
-+ out, 0);
-+ FIPS_drbg_free(dctx);
-+ dctx = NULL;
-+ gen = 0;
-+ }
-+
-+ }
-+ if (in && in != stdin)
-+ fclose(in);
-+ if (out && out != stdout)
-+ fclose(out);
-+ return 0;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/cavs/fips_dssvs.c.fips openssl-1.0.1j/crypto/fips/cavs/fips_dssvs.c
---- openssl-1.0.1j/crypto/fips/cavs/fips_dssvs.c.fips 2014-10-16 13:19:35.093306288 +0200
-+++ openssl-1.0.1j/crypto/fips/cavs/fips_dssvs.c 2014-10-16 13:19:35.093306288 +0200
-@@ -0,0 +1,537 @@
-+#include <openssl/opensslconf.h>
-+
-+#ifndef OPENSSL_FIPS
-+#include <stdio.h>
-+
-+int main(int argc, char **argv)
-+{
-+ printf("No FIPS DSA support\n");
-+ return(0);
-+}
-+#else
-+
-+#include <openssl/bn.h>
-+#include <openssl/dsa.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <string.h>
-+#include <ctype.h>
-+
-+#include "fips_utl.h"
-+
-+static void pbn(const char *name, BIGNUM *bn)
-+ {
-+ int len, i;
-+ unsigned char *tmp;
-+ len = BN_num_bytes(bn);
-+ tmp = OPENSSL_malloc(len);
-+ if (!tmp)
-+ {
-+ fprintf(stderr, "Memory allocation error\n");
-+ return;
-+ }
-+ BN_bn2bin(bn, tmp);
-+ printf("%s = ", name);
-+ for (i = 0; i < len; i++)
-+ printf("%02X", tmp[i]);
-+ fputs("\n", stdout);
-+ OPENSSL_free(tmp);
-+ return;
-+ }
-+
-+void primes()
-+ {
-+ char buf[10240];
-+ char lbuf[10240];
-+ char *keyword, *value;
-+
-+ while(fgets(buf,sizeof buf,stdin) != NULL)
-+ {
-+ fputs(buf,stdout);
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ if(!strcmp(keyword,"Prime"))
-+ {
-+ BIGNUM *pp;
-+
-+ pp=BN_new();
-+ do_hex2bn(&pp,value);
-+ printf("result= %c\n",
-+ BN_is_prime_ex(pp,20,NULL,NULL) ? 'P' : 'F');
-+ }
-+ }
-+ }
-+
-+void pqg()
-+ {
-+ char buf[1024];
-+ char lbuf[1024];
-+ char *keyword, *value;
-+ int nmod=0;
-+
-+ while(fgets(buf,sizeof buf,stdin) != NULL)
-+ {
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ {
-+ fputs(buf,stdout);
-+ continue;
-+ }
-+ if(!strcmp(keyword,"[mod"))
-+ nmod=atoi(value);
-+ else if(!strcmp(keyword,"N"))
-+ {
-+ int n=atoi(value);
-+
-+ printf("[mod = %d]\n\n",nmod);
-+
-+ while(n--)
-+ {
-+ unsigned char seed[20];
-+ DSA *dsa;
-+ int counter;
-+ unsigned long h;
-+ dsa = FIPS_dsa_new();
-+
-+ if (!DSA_generate_parameters_ex(dsa, nmod,seed,0,&counter,&h,NULL))
-+ {
-+ do_print_errors();
-+ exit(1);
-+ }
-+ pbn("P",dsa->p);
-+ pbn("Q",dsa->q);
-+ pbn("G",dsa->g);
-+ pv("Seed",seed,20);
-+ printf("c = %d\n",counter);
-+ printf("H = %lx\n",h);
-+ putc('\n',stdout);
-+ }
-+ }
-+ else
-+ fputs(buf,stdout);
-+ }
-+ }
-+
-+void pqgver()
-+ {
-+ char buf[1024];
-+ char lbuf[1024];
-+ char *keyword, *value;
-+ BIGNUM *p = NULL, *q = NULL, *g = NULL;
-+ int counter, counter2;
-+ unsigned long h, h2;
-+ DSA *dsa=NULL;
-+ int nmod=0;
-+ unsigned char seed[1024];
-+
-+ while(fgets(buf,sizeof buf,stdin) != NULL)
-+ {
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ {
-+ fputs(buf,stdout);
-+ continue;
-+ }
-+ fputs(buf, stdout);
-+ if(!strcmp(keyword,"[mod"))
-+ nmod=atoi(value);
-+ else if(!strcmp(keyword,"P"))
-+ p=hex2bn(value);
-+ else if(!strcmp(keyword,"Q"))
-+ q=hex2bn(value);
-+ else if(!strcmp(keyword,"G"))
-+ g=hex2bn(value);
-+ else if(!strcmp(keyword,"Seed"))
-+ {
-+ int slen = hex2bin(value, seed);
-+ if (slen != 20)
-+ {
-+ fprintf(stderr, "Seed parse length error\n");
-+ exit (1);
-+ }
-+ }
-+ else if(!strcmp(keyword,"c"))
-+ counter =atoi(buf+4);
-+ else if(!strcmp(keyword,"H"))
-+ {
-+ h = atoi(value);
-+ if (!p || !q || !g)
-+ {
-+ fprintf(stderr, "Parse Error\n");
-+ exit (1);
-+ }
-+ dsa = FIPS_dsa_new();
-+ if (!DSA_generate_parameters_ex(dsa, nmod,seed,20 ,&counter2,&h2,NULL))
-+ {
-+ do_print_errors();
-+ exit(1);
-+ }
-+ if (BN_cmp(dsa->p, p) || BN_cmp(dsa->q, q) || BN_cmp(dsa->g, g)
-+ || (counter != counter2) || (h != h2))
-+ printf("Result = F\n");
-+ else
-+ printf("Result = P\n");
-+ BN_free(p);
-+ BN_free(q);
-+ BN_free(g);
-+ p = NULL;
-+ q = NULL;
-+ g = NULL;
-+ FIPS_dsa_free(dsa);
-+ dsa = NULL;
-+ }
-+ }
-+ }
-+
-+/* Keypair verification routine. NB: this isn't part of the standard FIPS140-2
-+ * algorithm tests. It is an additional test to perform sanity checks on the
-+ * output of the KeyPair test.
-+ */
-+
-+static int dss_paramcheck(int nmod, BIGNUM *p, BIGNUM *q, BIGNUM *g,
-+ BN_CTX *ctx)
-+ {
-+ BIGNUM *rem = NULL;
-+ if (BN_num_bits(p) != nmod)
-+ return 0;
-+ if (BN_num_bits(q) != 160)
-+ return 0;
-+ if (BN_is_prime_ex(p, BN_prime_checks, ctx, NULL) != 1)
-+ return 0;
-+ if (BN_is_prime_ex(q, BN_prime_checks, ctx, NULL) != 1)
-+ return 0;
-+ rem = BN_new();
-+ if (!BN_mod(rem, p, q, ctx) || !BN_is_one(rem)
-+ || (BN_cmp(g, BN_value_one()) <= 0)
-+ || !BN_mod_exp(rem, g, q, p, ctx) || !BN_is_one(rem))
-+ {
-+ BN_free(rem);
-+ return 0;
-+ }
-+ /* Todo: check g */
-+ BN_free(rem);
-+ return 1;
-+ }
-+
-+void keyver()
-+ {
-+ char buf[1024];
-+ char lbuf[1024];
-+ char *keyword, *value;
-+ BIGNUM *p = NULL, *q = NULL, *g = NULL, *X = NULL, *Y = NULL;
-+ BIGNUM *Y2;
-+ BN_CTX *ctx = NULL;
-+ int nmod=0, paramcheck = 0;
-+
-+ ctx = BN_CTX_new();
-+ Y2 = BN_new();
-+
-+ while(fgets(buf,sizeof buf,stdin) != NULL)
-+ {
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ {
-+ fputs(buf,stdout);
-+ continue;
-+ }
-+ if(!strcmp(keyword,"[mod"))
-+ {
-+ if (p)
-+ BN_free(p);
-+ p = NULL;
-+ if (q)
-+ BN_free(q);
-+ q = NULL;
-+ if (g)
-+ BN_free(g);
-+ g = NULL;
-+ paramcheck = 0;
-+ nmod=atoi(value);
-+ }
-+ else if(!strcmp(keyword,"P"))
-+ p=hex2bn(value);
-+ else if(!strcmp(keyword,"Q"))
-+ q=hex2bn(value);
-+ else if(!strcmp(keyword,"G"))
-+ g=hex2bn(value);
-+ else if(!strcmp(keyword,"X"))
-+ X=hex2bn(value);
-+ else if(!strcmp(keyword,"Y"))
-+ {
-+ Y=hex2bn(value);
-+ if (!p || !q || !g || !X || !Y)
-+ {
-+ fprintf(stderr, "Parse Error\n");
-+ exit (1);
-+ }
-+ pbn("P",p);
-+ pbn("Q",q);
-+ pbn("G",g);
-+ pbn("X",X);
-+ pbn("Y",Y);
-+ if (!paramcheck)
-+ {
-+ if (dss_paramcheck(nmod, p, q, g, ctx))
-+ paramcheck = 1;
-+ else
-+ paramcheck = -1;
-+ }
-+ if (paramcheck != 1)
-+ printf("Result = F\n");
-+ else
-+ {
-+ if (!BN_mod_exp(Y2, g, X, p, ctx) || BN_cmp(Y2, Y))
-+ printf("Result = F\n");
-+ else
-+ printf("Result = P\n");
-+ }
-+ BN_free(X);
-+ BN_free(Y);
-+ X = NULL;
-+ Y = NULL;
-+ }
-+ }
-+ if (p)
-+ BN_free(p);
-+ if (q)
-+ BN_free(q);
-+ if (g)
-+ BN_free(g);
-+ if (Y2)
-+ BN_free(Y2);
-+ }
-+
-+void keypair()
-+ {
-+ char buf[1024];
-+ char lbuf[1024];
-+ char *keyword, *value;
-+ int nmod=0;
-+
-+ while(fgets(buf,sizeof buf,stdin) != NULL)
-+ {
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ {
-+ fputs(buf,stdout);
-+ continue;
-+ }
-+ if(!strcmp(keyword,"[mod"))
-+ nmod=atoi(value);
-+ else if(!strcmp(keyword,"N"))
-+ {
-+ DSA *dsa;
-+ int n=atoi(value);
-+
-+ printf("[mod = %d]\n\n",nmod);
-+ dsa = FIPS_dsa_new();
-+ if (!DSA_generate_parameters_ex(dsa, nmod,NULL,0,NULL,NULL,NULL))
-+ {
-+ do_print_errors();
-+ exit(1);
-+ }
-+ pbn("P",dsa->p);
-+ pbn("Q",dsa->q);
-+ pbn("G",dsa->g);
-+ putc('\n',stdout);
-+
-+ while(n--)
-+ {
-+ if (!DSA_generate_key(dsa))
-+ {
-+ do_print_errors();
-+ exit(1);
-+ }
-+
-+ pbn("X",dsa->priv_key);
-+ pbn("Y",dsa->pub_key);
-+ putc('\n',stdout);
-+ }
-+ }
-+ }
-+ }
-+
-+void siggen()
-+ {
-+ char buf[1024];
-+ char lbuf[1024];
-+ char *keyword, *value;
-+ int nmod=0;
-+ DSA *dsa=NULL;
-+
-+ while(fgets(buf,sizeof buf,stdin) != NULL)
-+ {
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ {
-+ fputs(buf,stdout);
-+ continue;
-+ }
-+ if(!strcmp(keyword,"[mod"))
-+ {
-+ nmod=atoi(value);
-+ printf("[mod = %d]\n\n",nmod);
-+ if (dsa)
-+ FIPS_dsa_free(dsa);
-+ dsa = FIPS_dsa_new();
-+ if (!DSA_generate_parameters_ex(dsa, nmod,NULL,0,NULL,NULL,NULL))
-+ {
-+ do_print_errors();
-+ exit(1);
-+ }
-+ pbn("P",dsa->p);
-+ pbn("Q",dsa->q);
-+ pbn("G",dsa->g);
-+ putc('\n',stdout);
-+ }
-+ else if(!strcmp(keyword,"Msg"))
-+ {
-+ unsigned char msg[1024];
-+ unsigned char sbuf[60];
-+ unsigned int slen;
-+ int n;
-+ EVP_PKEY pk;
-+ EVP_MD_CTX mctx;
-+ DSA_SIG *sig;
-+ EVP_MD_CTX_init(&mctx);
-+
-+ n=hex2bin(value,msg);
-+ pv("Msg",msg,n);
-+
-+ if (!DSA_generate_key(dsa))
-+ {
-+ do_print_errors();
-+ exit(1);
-+ }
-+ pk.type = EVP_PKEY_DSA;
-+ pk.pkey.dsa = dsa;
-+ pbn("Y",dsa->pub_key);
-+
-+ EVP_SignInit_ex(&mctx, EVP_dss1(), NULL);
-+ EVP_SignUpdate(&mctx, msg, n);
-+ EVP_SignFinal(&mctx, sbuf, &slen, &pk);
-+
-+ sig = DSA_SIG_new();
-+ FIPS_dsa_sig_decode(sig, sbuf, slen);
-+
-+ pbn("R",sig->r);
-+ pbn("S",sig->s);
-+ putc('\n',stdout);
-+ DSA_SIG_free(sig);
-+ EVP_MD_CTX_cleanup(&mctx);
-+ }
-+ }
-+ if (dsa)
-+ FIPS_dsa_free(dsa);
-+ }
-+
-+void sigver()
-+ {
-+ DSA *dsa=NULL;
-+ char buf[1024];
-+ char lbuf[1024];
-+ unsigned char msg[1024];
-+ char *keyword, *value;
-+ int nmod=0, n=0;
-+ DSA_SIG sg, *sig = &sg;
-+
-+ sig->r = NULL;
-+ sig->s = NULL;
-+
-+ while(fgets(buf,sizeof buf,stdin) != NULL)
-+ {
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ {
-+ fputs(buf,stdout);
-+ continue;
-+ }
-+ if(!strcmp(keyword,"[mod"))
-+ {
-+ nmod=atoi(value);
-+ if(dsa)
-+ FIPS_dsa_free(dsa);
-+ dsa=FIPS_dsa_new();
-+ }
-+ else if(!strcmp(keyword,"P"))
-+ dsa->p=hex2bn(value);
-+ else if(!strcmp(keyword,"Q"))
-+ dsa->q=hex2bn(value);
-+ else if(!strcmp(keyword,"G"))
-+ {
-+ dsa->g=hex2bn(value);
-+
-+ printf("[mod = %d]\n\n",nmod);
-+ pbn("P",dsa->p);
-+ pbn("Q",dsa->q);
-+ pbn("G",dsa->g);
-+ putc('\n',stdout);
-+ }
-+ else if(!strcmp(keyword,"Msg"))
-+ {
-+ n=hex2bin(value,msg);
-+ pv("Msg",msg,n);
-+ }
-+ else if(!strcmp(keyword,"Y"))
-+ dsa->pub_key=hex2bn(value);
-+ else if(!strcmp(keyword,"R"))
-+ sig->r=hex2bn(value);
-+ else if(!strcmp(keyword,"S"))
-+ {
-+ EVP_MD_CTX mctx;
-+ EVP_PKEY pk;
-+ unsigned char sigbuf[60];
-+ unsigned int slen;
-+ int r;
-+ EVP_MD_CTX_init(&mctx);
-+ pk.type = EVP_PKEY_DSA;
-+ pk.pkey.dsa = dsa;
-+ sig->s=hex2bn(value);
-+
-+ pbn("Y",dsa->pub_key);
-+ pbn("R",sig->r);
-+ pbn("S",sig->s);
-+
-+ slen = FIPS_dsa_sig_encode(sigbuf, sig);
-+ EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL);
-+ EVP_VerifyUpdate(&mctx, msg, n);
-+ r = EVP_VerifyFinal(&mctx, sigbuf, slen, &pk);
-+ EVP_MD_CTX_cleanup(&mctx);
-+
-+ printf("Result = %c\n", r == 1 ? 'P' : 'F');
-+ putc('\n',stdout);
-+ }
-+ }
-+ }
-+
-+int main(int argc,char **argv)
-+ {
-+ if(argc != 2)
-+ {
-+ fprintf(stderr,"%s [prime|pqg|pqgver|keypair|siggen|sigver]\n",argv[0]);
-+ exit(1);
-+ }
-+ if(!FIPS_mode_set(1))
-+ {
-+ do_print_errors();
-+ exit(1);
-+ }
-+ if(!strcmp(argv[1],"prime"))
-+ primes();
-+ else if(!strcmp(argv[1],"pqg"))
-+ pqg();
-+ else if(!strcmp(argv[1],"pqgver"))
-+ pqgver();
-+ else if(!strcmp(argv[1],"keypair"))
-+ keypair();
-+ else if(!strcmp(argv[1],"keyver"))
-+ keyver();
-+ else if(!strcmp(argv[1],"siggen"))
-+ siggen();
-+ else if(!strcmp(argv[1],"sigver"))
-+ sigver();
-+ else
-+ {
-+ fprintf(stderr,"Don't know how to %s.\n",argv[1]);
-+ exit(1);
-+ }
-+
-+ return 0;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/cavs/fips_gcmtest.c.fips openssl-1.0.1j/crypto/fips/cavs/fips_gcmtest.c
---- openssl-1.0.1j/crypto/fips/cavs/fips_gcmtest.c.fips 2014-10-16 13:19:35.094306310 +0200
-+++ openssl-1.0.1j/crypto/fips/cavs/fips_gcmtest.c 2014-10-16 13:19:35.093306288 +0200
-@@ -0,0 +1,571 @@
-+/* fips/aes/fips_gcmtest.c */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+
-+#define OPENSSL_FIPSAPI
-+#include <openssl/opensslconf.h>
-+
-+#ifndef OPENSSL_FIPS
-+#include <stdio.h>
-+
-+int main(int argc, char **argv)
-+{
-+ printf("No FIPS GCM support\n");
-+ return(0);
-+}
-+#else
-+
-+#include <openssl/bn.h>
-+#include <openssl/dsa.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <string.h>
-+#include <ctype.h>
-+
-+#include "fips_utl.h"
-+
-+static void gcmtest(FILE *in, FILE *out, int encrypt)
-+ {
-+ char buf[2048];
-+ char lbuf[2048];
-+ char *keyword, *value;
-+ int keylen = -1, ivlen = -1, aadlen = -1, taglen = -1, ptlen = -1;
-+ int rv;
-+ long l;
-+ unsigned char *key = NULL, *iv = NULL, *aad = NULL, *tag = NULL;
-+ unsigned char *ct = NULL, *pt = NULL;
-+ EVP_CIPHER_CTX ctx;
-+ const EVP_CIPHER *gcm = NULL;
-+ FIPS_cipher_ctx_init(&ctx);
-+
-+ while(fgets(buf,sizeof buf,in) != NULL)
-+ {
-+ fputs(buf,out);
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ if(!strcmp(keyword,"[Keylen"))
-+ {
-+ keylen = atoi(value);
-+ if (keylen == 128)
-+ gcm = EVP_aes_128_gcm();
-+ else if (keylen == 192)
-+ gcm = EVP_aes_192_gcm();
-+ else if (keylen == 256)
-+ gcm = EVP_aes_256_gcm();
-+ else
-+ {
-+ fprintf(stderr, "Unsupported keylen %d\n",
-+ keylen);
-+ }
-+ keylen >>= 3;
-+ }
-+ else if (!strcmp(keyword, "[IVlen"))
-+ ivlen = atoi(value) >> 3;
-+ else if (!strcmp(keyword, "[AADlen"))
-+ aadlen = atoi(value) >> 3;
-+ else if (!strcmp(keyword, "[Taglen"))
-+ taglen = atoi(value) >> 3;
-+ else if (!strcmp(keyword, "[PTlen"))
-+ ptlen = atoi(value) >> 3;
-+ else if(!strcmp(keyword,"Key"))
-+ {
-+ key = hex2bin_m(value, &l);
-+ if (l != keylen)
-+ {
-+ fprintf(stderr, "Inconsistent Key length\n");
-+ exit(1);
-+ }
-+ }
-+ else if(!strcmp(keyword,"IV"))
-+ {
-+ iv = hex2bin_m(value, &l);
-+ if (l != ivlen)
-+ {
-+ fprintf(stderr, "Inconsistent IV length\n");
-+ exit(1);
-+ }
-+ }
-+ else if(!strcmp(keyword,"PT"))
-+ {
-+ pt = hex2bin_m(value, &l);
-+ if (l != ptlen)
-+ {
-+ fprintf(stderr, "Inconsistent PT length\n");
-+ exit(1);
-+ }
-+ }
-+ else if(!strcmp(keyword,"CT"))
-+ {
-+ ct = hex2bin_m(value, &l);
-+ if (l != ptlen)
-+ {
-+ fprintf(stderr, "Inconsistent CT length\n");
-+ exit(1);
-+ }
-+ }
-+ else if(!strcmp(keyword,"AAD"))
-+ {
-+ aad = hex2bin_m(value, &l);
-+ if (l != aadlen)
-+ {
-+ fprintf(stderr, "Inconsistent AAD length\n");
-+ exit(1);
-+ }
-+ }
-+ else if(!strcmp(keyword,"Tag"))
-+ {
-+ tag = hex2bin_m(value, &l);
-+ if (l != taglen)
-+ {
-+ fprintf(stderr, "Inconsistent Tag length\n");
-+ exit(1);
-+ }
-+ }
-+ if (encrypt && pt && aad && (iv || encrypt==1))
-+ {
-+ tag = OPENSSL_malloc(taglen);
-+ FIPS_cipherinit(&ctx, gcm, NULL, NULL, 1);
-+ /* Relax FIPS constraints for testing */
-+ M_EVP_CIPHER_CTX_set_flags(&ctx, EVP_CIPH_FLAG_NON_FIPS_ALLOW);
-+ FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, ivlen, 0);
-+ if (encrypt == 1)
-+ {
-+ static unsigned char iv_fixed[4] = {1,2,3,4};
-+ if (!iv)
-+ iv = OPENSSL_malloc(ivlen);
-+ FIPS_cipherinit(&ctx, NULL, key, NULL, 1);
-+ FIPS_cipher_ctx_ctrl(&ctx,
-+ EVP_CTRL_GCM_SET_IV_FIXED,
-+ 4, iv_fixed);
-+ if (!FIPS_cipher_ctx_ctrl(&ctx,
-+ EVP_CTRL_GCM_IV_GEN, 0, iv))
-+ {
-+ fprintf(stderr, "IV gen error\n");
-+ exit(1);
-+ }
-+ OutputValue("IV", iv, ivlen, out, 0);
-+ }
-+ else
-+ FIPS_cipherinit(&ctx, NULL, key, iv, 1);
-+
-+
-+ if (aadlen)
-+ FIPS_cipher(&ctx, NULL, aad, aadlen);
-+ if (ptlen)
-+ {
-+ ct = OPENSSL_malloc(ptlen);
-+ rv = FIPS_cipher(&ctx, ct, pt, ptlen);
-+ }
-+ FIPS_cipher(&ctx, NULL, NULL, 0);
-+ FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG,
-+ taglen, tag);
-+ OutputValue("CT", ct, ptlen, out, 0);
-+ OutputValue("Tag", tag, taglen, out, 0);
-+ if (iv)
-+ OPENSSL_free(iv);
-+ if (aad)
-+ OPENSSL_free(aad);
-+ if (ct)
-+ OPENSSL_free(ct);
-+ if (pt)
-+ OPENSSL_free(pt);
-+ if (key)
-+ OPENSSL_free(key);
-+ if (tag)
-+ OPENSSL_free(tag);
-+ iv = aad = ct = pt = key = tag = NULL;
-+ }
-+ if (!encrypt && tag)
-+ {
-+ FIPS_cipherinit(&ctx, gcm, NULL, NULL, 0);
-+ /* Relax FIPS constraints for testing */
-+ M_EVP_CIPHER_CTX_set_flags(&ctx, EVP_CIPH_FLAG_NON_FIPS_ALLOW);
-+ FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, ivlen, 0);
-+ FIPS_cipherinit(&ctx, NULL, key, iv, 0);
-+ FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, taglen, tag);
-+ if (aadlen)
-+ FIPS_cipher(&ctx, NULL, aad, aadlen);
-+ if (ptlen)
-+ {
-+ pt = OPENSSL_malloc(ptlen);
-+ rv = FIPS_cipher(&ctx, pt, ct, ptlen);
-+ }
-+ rv = FIPS_cipher(&ctx, NULL, NULL, 0);
-+ if (rv < 0)
-+ fprintf(out, "FAIL" RESP_EOL);
-+ else
-+ OutputValue("PT", pt, ptlen, out, 0);
-+ if (iv)
-+ OPENSSL_free(iv);
-+ if (aad)
-+ OPENSSL_free(aad);
-+ if (ct)
-+ OPENSSL_free(ct);
-+ if (pt)
-+ OPENSSL_free(pt);
-+ if (key)
-+ OPENSSL_free(key);
-+ if (tag)
-+ OPENSSL_free(tag);
-+ iv = aad = ct = pt = key = tag = NULL;
-+ }
-+ }
-+ FIPS_cipher_ctx_cleanup(&ctx);
-+ }
-+
-+static void xtstest(FILE *in, FILE *out)
-+ {
-+ char buf[204800];
-+ char lbuf[204800];
-+ char *keyword, *value;
-+ int inlen = 0;
-+ int encrypt = 0;
-+ long l;
-+ unsigned char *key = NULL, *iv = NULL;
-+ unsigned char *inbuf = NULL, *outbuf = NULL;
-+ EVP_CIPHER_CTX ctx;
-+ const EVP_CIPHER *xts = NULL;
-+ FIPS_cipher_ctx_init(&ctx);
-+
-+ while(fgets(buf,sizeof buf,in) != NULL)
-+ {
-+ fputs(buf,out);
-+ if (buf[0] == '[' && strlen(buf) >= 9)
-+ {
-+ if(!strncmp(buf,"[ENCRYPT]", 9))
-+ encrypt = 1;
-+ else if(!strncmp(buf,"[DECRYPT]", 9))
-+ encrypt = 0;
-+ }
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ else if(!strcmp(keyword,"Key"))
-+ {
-+ key = hex2bin_m(value, &l);
-+ if (l == 32)
-+ xts = EVP_aes_128_xts();
-+ else if (l == 64)
-+ xts = EVP_aes_256_xts();
-+ else
-+ {
-+ fprintf(stderr, "Inconsistent Key length\n");
-+ exit(1);
-+ }
-+ }
-+ else if(!strcmp(keyword,"i"))
-+ {
-+ iv = hex2bin_m(value, &l);
-+ if (l != 16)
-+ {
-+ fprintf(stderr, "Inconsistent i length\n");
-+ exit(1);
-+ }
-+ }
-+ else if(encrypt && !strcmp(keyword,"PT"))
-+ {
-+ inbuf = hex2bin_m(value, &l);
-+ inlen = l;
-+ }
-+ else if(!encrypt && !strcmp(keyword,"CT"))
-+ {
-+ inbuf = hex2bin_m(value, &l);
-+ inlen = l;
-+ }
-+ if (inbuf)
-+ {
-+ FIPS_cipherinit(&ctx, xts, key, iv, encrypt);
-+ outbuf = OPENSSL_malloc(inlen);
-+ FIPS_cipher(&ctx, outbuf, inbuf, inlen);
-+ OutputValue(encrypt ? "CT":"PT", outbuf, inlen, out, 0);
-+ OPENSSL_free(inbuf);
-+ OPENSSL_free(outbuf);
-+ OPENSSL_free(key);
-+ OPENSSL_free(iv);
-+ iv = key = inbuf = outbuf = NULL;
-+ }
-+ }
-+ FIPS_cipher_ctx_cleanup(&ctx);
-+ }
-+
-+static void ccmtest(FILE *in, FILE *out)
-+ {
-+ char buf[200048];
-+ char lbuf[200048];
-+ char *keyword, *value;
-+ long l;
-+ unsigned char *Key = NULL, *Nonce = NULL;
-+ unsigned char *Adata = NULL, *Payload = NULL;
-+ unsigned char *CT = NULL;
-+ int Plen = -1, Nlen = -1, Tlen = -1, Alen = -1;
-+ int decr = 0;
-+ EVP_CIPHER_CTX ctx;
-+ const EVP_CIPHER *ccm = NULL;
-+ FIPS_cipher_ctx_init(&ctx);
-+
-+ while(fgets(buf,sizeof buf,in) != NULL)
-+ {
-+ char *p;
-+ fputs(buf,out);
-+ redo:
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+
-+ /* If surrounded by square brackets zap them */
-+ if (keyword[0] == '[')
-+ {
-+ keyword++;
-+ p = strchr(value, ']');
-+ if (p)
-+ *p = 0;
-+ }
-+ /* See if we have a comma separated list of parameters
-+ * if so copy rest of line back to buffer and redo later.
-+ */
-+ p = strchr(value, ',');
-+ if (p)
-+ {
-+ *p = 0;
-+ strcpy(buf, p + 1);
-+ strcat(buf, "\n");
-+ decr = 1;
-+ }
-+ if (!strcmp(keyword,"Plen"))
-+ Plen = atoi(value);
-+ else if (!strcmp(keyword,"Nlen"))
-+ Nlen = atoi(value);
-+ else if (!strcmp(keyword,"Tlen"))
-+ Tlen = atoi(value);
-+ else if (!strcmp(keyword,"Alen"))
-+ Alen = atoi(value);
-+ if (p)
-+ goto redo;
-+ if (!strcmp(keyword,"Key"))
-+ {
-+ if (Key)
-+ OPENSSL_free(Key);
-+ Key = hex2bin_m(value, &l);
-+ if (l == 16)
-+ ccm = EVP_aes_128_ccm();
-+ else if (l == 24)
-+ ccm = EVP_aes_192_ccm();
-+ else if (l == 32)
-+ ccm = EVP_aes_256_ccm();
-+ else
-+ {
-+ fprintf(stderr, "Inconsistent Key length\n");
-+ exit(1);
-+ }
-+ }
-+ else if (!strcmp(keyword,"Nonce"))
-+ {
-+ if (Nonce)
-+ OPENSSL_free(Nonce);
-+ Nonce = hex2bin_m(value, &l);
-+ if (l != Nlen)
-+ {
-+ fprintf(stderr, "Inconsistent nonce length\n");
-+ exit(1);
-+ }
-+ }
-+ else if (!strcmp(keyword,"Payload") && !decr)
-+ {
-+ Payload = hex2bin_m(value, &l);
-+ if (Plen && l != Plen)
-+ {
-+ fprintf(stderr, "Inconsistent Payload length\n");
-+ exit(1);
-+ }
-+ }
-+ else if (!strcmp(keyword,"Adata"))
-+ {
-+ if (Adata)
-+ OPENSSL_free(Adata);
-+ Adata = hex2bin_m(value, &l);
-+ if (Alen && l != Alen)
-+ {
-+ fprintf(stderr, "Inconsistent Payload length\n");
-+ exit(1);
-+ }
-+ }
-+ else if (!strcmp(keyword,"CT") && decr)
-+ {
-+ CT = hex2bin_m(value, &l);
-+ if (l != (Plen + Tlen))
-+ {
-+ fprintf(stderr, "Inconsistent CT length\n");
-+ exit(1);
-+ }
-+ }
-+ if (Payload)
-+ {
-+ FIPS_cipherinit(&ctx, ccm, NULL, NULL, 1);
-+ FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN, Nlen, 0);
-+ FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG, Tlen, 0);
-+ FIPS_cipherinit(&ctx, NULL, Key, Nonce, 1);
-+
-+ FIPS_cipher(&ctx, NULL, NULL, Plen);
-+ FIPS_cipher(&ctx, NULL, Adata, Alen);
-+ CT = OPENSSL_malloc(Plen + Tlen);
-+ FIPS_cipher(&ctx, CT, Payload, Plen);
-+ FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_CCM_GET_TAG, Tlen,
-+ CT + Plen);
-+ OutputValue("CT", CT, Plen + Tlen, out, 0);
-+ OPENSSL_free(CT);
-+ OPENSSL_free(Payload);
-+ CT = Payload = NULL;
-+ }
-+ if (CT)
-+ {
-+ int rv;
-+ int len = Plen == 0 ? 1: Plen;
-+ FIPS_cipherinit(&ctx, ccm, NULL, NULL, 0);
-+ FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN, Nlen, 0);
-+ FIPS_cipher_ctx_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG,
-+ Tlen, CT + Plen);
-+ FIPS_cipherinit(&ctx, NULL, Key, Nonce, 0);
-+ FIPS_cipher(&ctx, NULL, NULL, Plen);
-+ FIPS_cipher(&ctx, NULL, Adata, Alen);
-+ Payload = OPENSSL_malloc(len);
-+ rv = FIPS_cipher(&ctx, Payload, CT, Plen);
-+ if (rv >= 0)
-+ {
-+ if (rv == 0)
-+ Payload[0] = 0;
-+ fputs("Result = Pass" RESP_EOL, out);
-+ OutputValue("Payload", Payload, len, out, 0);
-+ }
-+ else
-+ fputs("Result = Fail" RESP_EOL, out);
-+ OPENSSL_free(CT);
-+ OPENSSL_free(Payload);
-+ CT = Payload = NULL;
-+ }
-+ }
-+ if (Key)
-+ OPENSSL_free(Key);
-+ if (Nonce)
-+ OPENSSL_free(Nonce);
-+ if (Adata)
-+ OPENSSL_free(Adata);
-+ FIPS_cipher_ctx_cleanup(&ctx);
-+ }
-+
-+#ifdef FIPS_ALGVS
-+int fips_gcmtest_main(int argc, char **argv)
-+#else
-+int main(int argc, char **argv)
-+#endif
-+ {
-+ int encrypt;
-+ int xts = 0, ccm = 0;
-+ FILE *in, *out;
-+ if (argc == 4)
-+ {
-+ in = fopen(argv[2], "r");
-+ if (!in)
-+ {
-+ fprintf(stderr, "Error opening input file\n");
-+ exit(1);
-+ }
-+ out = fopen(argv[3], "w");
-+ if (!out)
-+ {
-+ fprintf(stderr, "Error opening output file\n");
-+ exit(1);
-+ }
-+ }
-+ else if (argc == 2)
-+ {
-+ in = stdin;
-+ out = stdout;
-+ }
-+ else
-+ {
-+ fprintf(stderr,"%s [-encrypt|-decrypt]\n",argv[0]);
-+ exit(1);
-+ }
-+ fips_algtest_init();
-+ if(!strcmp(argv[1],"-encrypt"))
-+ encrypt = 1;
-+ else if(!strcmp(argv[1],"-encryptIVext"))
-+ encrypt = 2;
-+ else if(!strcmp(argv[1],"-decrypt"))
-+ encrypt = 0;
-+ else if(!strcmp(argv[1],"-ccm"))
-+ ccm = 1;
-+ else if(!strcmp(argv[1],"-xts"))
-+ xts = 1;
-+ else
-+ {
-+ fprintf(stderr,"Don't know how to %s.\n",argv[1]);
-+ exit(1);
-+ }
-+
-+ if (ccm)
-+ ccmtest(in, out);
-+ else if (xts)
-+ xtstest(in, out);
-+ else
-+ gcmtest(in, out, encrypt);
-+
-+ if (argc == 4)
-+ {
-+ fclose(in);
-+ fclose(out);
-+ }
-+
-+ return 0;
-+}
-+
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/cavs/fips_rngvs.c.fips openssl-1.0.1j/crypto/fips/cavs/fips_rngvs.c
---- openssl-1.0.1j/crypto/fips/cavs/fips_rngvs.c.fips 2014-10-16 13:19:35.094306310 +0200
-+++ openssl-1.0.1j/crypto/fips/cavs/fips_rngvs.c 2014-10-16 13:19:35.094306310 +0200
-@@ -0,0 +1,230 @@
-+/*
-+ * Crude test driver for processing the VST and MCT testvector files
-+ * generated by the CMVP RNGVS product.
-+ *
-+ * Note the input files are assumed to have a _very_ specific format
-+ * as described in the NIST document "The Random Number Generator
-+ * Validation System (RNGVS)", May 25, 2004.
-+ *
-+ */
-+#include <openssl/opensslconf.h>
-+
-+#ifndef OPENSSL_FIPS
-+#include <stdio.h>
-+
-+int main(int argc, char **argv)
-+{
-+ printf("No FIPS RNG support\n");
-+ return 0;
-+}
-+#else
-+
-+#include <openssl/bn.h>
-+#include <openssl/dsa.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include <openssl/x509v3.h>
-+#include <string.h>
-+#include <ctype.h>
-+
-+#include "fips_utl.h"
-+
-+void vst()
-+ {
-+ unsigned char *key = NULL;
-+ unsigned char *v = NULL;
-+ unsigned char *dt = NULL;
-+ unsigned char ret[16];
-+ char buf[1024];
-+ char lbuf[1024];
-+ char *keyword, *value;
-+ long i, keylen;
-+
-+ keylen = 0;
-+
-+ while(fgets(buf,sizeof buf,stdin) != NULL)
-+ {
-+ fputs(buf,stdout);
-+ if(!strncmp(buf,"[AES 128-Key]", 13))
-+ keylen = 16;
-+ else if(!strncmp(buf,"[AES 192-Key]", 13))
-+ keylen = 24;
-+ else if(!strncmp(buf,"[AES 256-Key]", 13))
-+ keylen = 32;
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ if(!strcmp(keyword,"Key"))
-+ {
-+ key=hex2bin_m(value,&i);
-+ if (i != keylen)
-+ {
-+ fprintf(stderr, "Invalid key length, expecting %ld\n", keylen);
-+ return;
-+ }
-+ }
-+ else if(!strcmp(keyword,"DT"))
-+ {
-+ dt=hex2bin_m(value,&i);
-+ if (i != 16)
-+ {
-+ fprintf(stderr, "Invalid DT length\n");
-+ return;
-+ }
-+ }
-+ else if(!strcmp(keyword,"V"))
-+ {
-+ v=hex2bin_m(value,&i);
-+ if (i != 16)
-+ {
-+ fprintf(stderr, "Invalid V length\n");
-+ return;
-+ }
-+
-+ if (!key || !dt)
-+ {
-+ fprintf(stderr, "Missing key or DT\n");
-+ return;
-+ }
-+
-+ FIPS_x931_set_key(key, keylen);
-+ FIPS_x931_seed(v,16);
-+ FIPS_x931_set_dt(dt);
-+ if (FIPS_x931_bytes(ret,16) <= 0)
-+ {
-+ fprintf(stderr, "Error getting PRNG value\n");
-+ return;
-+ }
-+
-+ pv("R",ret,16);
-+ OPENSSL_free(key);
-+ key = NULL;
-+ OPENSSL_free(dt);
-+ dt = NULL;
-+ OPENSSL_free(v);
-+ v = NULL;
-+ }
-+ }
-+ }
-+
-+void mct()
-+ {
-+ unsigned char *key = NULL;
-+ unsigned char *v = NULL;
-+ unsigned char *dt = NULL;
-+ unsigned char ret[16];
-+ char buf[1024];
-+ char lbuf[1024];
-+ char *keyword, *value;
-+ long i, keylen;
-+ int j;
-+
-+ keylen = 0;
-+
-+ while(fgets(buf,sizeof buf,stdin) != NULL)
-+ {
-+ fputs(buf,stdout);
-+ if(!strncmp(buf,"[AES 128-Key]", 13))
-+ keylen = 16;
-+ else if(!strncmp(buf,"[AES 192-Key]", 13))
-+ keylen = 24;
-+ else if(!strncmp(buf,"[AES 256-Key]", 13))
-+ keylen = 32;
-+ if (!parse_line(&keyword, &value, lbuf, buf))
-+ continue;
-+ if(!strcmp(keyword,"Key"))
-+ {
-+ key=hex2bin_m(value,&i);
-+ if (i != keylen)
-+ {
-+ fprintf(stderr, "Invalid key length, expecting %ld\n", keylen);
-+ return;
-+ }
-+ }
-+ else if(!strcmp(keyword,"DT"))
-+ {
-+ dt=hex2bin_m(value,&i);
-+ if (i != 16)
-+ {
-+ fprintf(stderr, "Invalid DT length\n");
-+ return;
-+ }
-+ }
-+ else if(!strcmp(keyword,"V"))
-+ {
-+ v=hex2bin_m(value,&i);
-+ if (i != 16)
-+ {
-+ fprintf(stderr, "Invalid V length\n");
-+ return;
-+ }
-+
-+ if (!key || !dt)
-+ {
-+ fprintf(stderr, "Missing key or DT\n");
-+ return;
-+ }
-+
-+ FIPS_x931_set_key(key, keylen);
-+ FIPS_x931_seed(v,16);
-+ for (i = 0; i < 10000; i++)
-+ {
-+ FIPS_x931_set_dt(dt);
-+ if (FIPS_x931_bytes(ret,16) <= 0)
-+ {
-+ fprintf(stderr, "Error getting PRNG value\n");
-+ return;
-+ }
-+ /* Increment DT */
-+ for (j = 15; j >= 0; j--)
-+ {
-+ dt[j]++;
-+ if (dt[j])
-+ break;
-+ }
-+ }
-+
-+ pv("R",ret,16);
-+ OPENSSL_free(key);
-+ key = NULL;
-+ OPENSSL_free(dt);
-+ dt = NULL;
-+ OPENSSL_free(v);
-+ v = NULL;
-+ }
-+ }
-+ }
-+
-+int main(int argc,char **argv)
-+ {
-+ if(argc != 2)
-+ {
-+ fprintf(stderr,"%s [mct|vst]\n",argv[0]);
-+ exit(1);
-+ }
-+ if(!FIPS_mode_set(1))
-+ {
-+ do_print_errors();
-+ exit(1);
-+ }
-+ FIPS_x931_reset();
-+ if (!FIPS_x931_test_mode())
-+ {
-+ fprintf(stderr, "Error setting PRNG test mode\n");
-+ do_print_errors();
-+ exit(1);
-+ }
-+ if(!strcmp(argv[1],"mct"))
-+ mct();
-+ else if(!strcmp(argv[1],"vst"))
-+ vst();
-+ else
-+ {
-+ fprintf(stderr,"Don't know how to %s.\n",argv[1]);
-+ exit(1);
-+ }
-+
-+ return 0;
-+ }
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/cavs/fips_rsagtest.c.fips openssl-1.0.1j/crypto/fips/cavs/fips_rsagtest.c
---- openssl-1.0.1j/crypto/fips/cavs/fips_rsagtest.c.fips 2014-10-16 13:19:35.094306310 +0200
-+++ openssl-1.0.1j/crypto/fips/cavs/fips_rsagtest.c 2014-10-16 13:19:35.094306310 +0200
-@@ -0,0 +1,390 @@
-+/* fips_rsagtest.c */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project 2005.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2005,2007 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay at cryptsoft.com). This product includes software written by Tim
-+ * Hudson (tjh at cryptsoft.com).
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <ctype.h>
-+#include <string.h>
-+#include <openssl/bio.h>
-+#include <openssl/evp.h>
-+#include <openssl/hmac.h>
-+#include <openssl/err.h>
-+#include <openssl/rsa.h>
-+#include <openssl/bn.h>
-+#include <openssl/x509v3.h>
-+
-+#ifndef OPENSSL_FIPS
-+
-+int main(int argc, char *argv[])
-+{
-+ printf("No FIPS RSA support\n");
-+ return(0);
-+}
-+
-+#else
-+
-+#include "fips_utl.h"
-+
-+int rsa_test(FILE *out, FILE *in);
-+static int rsa_printkey1(FILE *out, RSA *rsa,
-+ BIGNUM *Xp1, BIGNUM *Xp2, BIGNUM *Xp,
-+ BIGNUM *e);
-+static int rsa_printkey2(FILE *out, RSA *rsa,
-+ BIGNUM *Xq1, BIGNUM *Xq2, BIGNUM *Xq);
-+
-+int main(int argc, char **argv)
-+ {
-+ FILE *in = NULL, *out = NULL;
-+
-+ int ret = 1;
-+
-+ if(!FIPS_mode_set(1))
-+ {
-+ do_print_errors();
-+ goto end;
-+ }
-+
-+ if (argc == 1)
-+ in = stdin;
-+ else
-+ in = fopen(argv[1], "r");
-+
-+ if (argc < 2)
-+ out = stdout;
-+ else
-+ out = fopen(argv[2], "w");
-+
-+ if (!in)
-+ {
-+ fprintf(stderr, "FATAL input initialization error\n");
-+ goto end;
-+ }
-+
-+ if (!out)
-+ {
-+ fprintf(stderr, "FATAL output initialization error\n");
-+ goto end;
-+ }
-+
-+ if (!rsa_test(out, in))
-+ {
-+ fprintf(stderr, "FATAL RSAGTEST file processing error\n");
-+ goto end;
-+ }
-+ else
-+ ret = 0;
-+
-+ end:
-+
-+ if (ret)
-+ do_print_errors();
-+
-+ if (in && (in != stdin))
-+ fclose(in);
-+ if (out && (out != stdout))
-+ fclose(out);
-+
-+ return ret;
-+
-+ }
-+
-+#define RSA_TEST_MAXLINELEN 10240
-+
-+int rsa_test(FILE *out, FILE *in)
-+ {
-+ char *linebuf, *olinebuf, *p, *q;
-+ char *keyword, *value;
-+ RSA *rsa = NULL;
-+ BIGNUM *Xp1 = NULL, *Xp2 = NULL, *Xp = NULL;
-+ BIGNUM *Xq1 = NULL, *Xq2 = NULL, *Xq = NULL;
-+ BIGNUM *e = NULL;
-+ int ret = 0;
-+ int lnum = 0;
-+
-+ olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
-+ linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
-+
-+ if (!linebuf || !olinebuf)
-+ goto error;
-+
-+ while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in))
-+ {
-+ lnum++;
-+ strcpy(linebuf, olinebuf);
-+ keyword = linebuf;
-+ /* Skip leading space */
-+ while (isspace((unsigned char)*keyword))
-+ keyword++;
-+
-+ /* Look for = sign */
-+ p = strchr(linebuf, '=');
-+
-+ /* If no = or starts with [ (for [foo = bar] line) just copy */
-+ if (!p || *keyword=='[')
-+ {
-+ if (fputs(olinebuf, out) < 0)
-+ goto error;
-+ continue;
-+ }
-+
-+ q = p - 1;
-+
-+ /* Remove trailing space */
-+ while (isspace((unsigned char)*q))
-+ *q-- = 0;
-+
-+ *p = 0;
-+ value = p + 1;
-+
-+ /* Remove leading space from value */
-+ while (isspace((unsigned char)*value))
-+ value++;
-+
-+ /* Remove trailing space from value */
-+ p = value + strlen(value) - 1;
-+
-+ while (*p == '\n' || isspace((unsigned char)*p))
-+ *p-- = 0;
-+
-+ if (!strcmp(keyword, "xp1"))
-+ {
-+ if (Xp1 || !do_hex2bn(&Xp1,value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "xp2"))
-+ {
-+ if (Xp2 || !do_hex2bn(&Xp2,value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "Xp"))
-+ {
-+ if (Xp || !do_hex2bn(&Xp,value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "xq1"))
-+ {
-+ if (Xq1 || !do_hex2bn(&Xq1,value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "xq2"))
-+ {
-+ if (Xq2 || !do_hex2bn(&Xq2,value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "Xq"))
-+ {
-+ if (Xq || !do_hex2bn(&Xq,value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "e"))
-+ {
-+ if (e || !do_hex2bn(&e,value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "p1"))
-+ continue;
-+ else if (!strcmp(keyword, "p2"))
-+ continue;
-+ else if (!strcmp(keyword, "p"))
-+ continue;
-+ else if (!strcmp(keyword, "q1"))
-+ continue;
-+ else if (!strcmp(keyword, "q2"))
-+ continue;
-+ else if (!strcmp(keyword, "q"))
-+ continue;
-+ else if (!strcmp(keyword, "n"))
-+ continue;
-+ else if (!strcmp(keyword, "d"))
-+ continue;
-+ else
-+ goto parse_error;
-+
-+ fputs(olinebuf, out);
-+
-+ if (e && Xp1 && Xp2 && Xp)
-+ {
-+ rsa = FIPS_rsa_new();
-+ if (!rsa)
-+ goto error;
-+ if (!rsa_printkey1(out, rsa, Xp1, Xp2, Xp, e))
-+ goto error;
-+ BN_free(Xp1);
-+ Xp1 = NULL;
-+ BN_free(Xp2);
-+ Xp2 = NULL;
-+ BN_free(Xp);
-+ Xp = NULL;
-+ BN_free(e);
-+ e = NULL;
-+ }
-+
-+ if (rsa && Xq1 && Xq2 && Xq)
-+ {
-+ if (!rsa_printkey2(out, rsa, Xq1, Xq2, Xq))
-+ goto error;
-+ BN_free(Xq1);
-+ Xq1 = NULL;
-+ BN_free(Xq2);
-+ Xq2 = NULL;
-+ BN_free(Xq);
-+ Xq = NULL;
-+ FIPS_rsa_free(rsa);
-+ rsa = NULL;
-+ }
-+ }
-+
-+ ret = 1;
-+
-+ error:
-+
-+ if (olinebuf)
-+ OPENSSL_free(olinebuf);
-+ if (linebuf)
-+ OPENSSL_free(linebuf);
-+
-+ if (Xp1)
-+ BN_free(Xp1);
-+ if (Xp2)
-+ BN_free(Xp2);
-+ if (Xp)
-+ BN_free(Xp);
-+ if (Xq1)
-+ BN_free(Xq1);
-+ if (Xq1)
-+ BN_free(Xq1);
-+ if (Xq2)
-+ BN_free(Xq2);
-+ if (Xq)
-+ BN_free(Xq);
-+ if (e)
-+ BN_free(e);
-+ if (rsa)
-+ FIPS_rsa_free(rsa);
-+
-+ return ret;
-+
-+ parse_error:
-+
-+ fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
-+
-+ goto error;
-+
-+ }
-+
-+static int rsa_printkey1(FILE *out, RSA *rsa,
-+ BIGNUM *Xp1, BIGNUM *Xp2, BIGNUM *Xp,
-+ BIGNUM *e)
-+ {
-+ int ret = 0;
-+ BIGNUM *p1 = NULL, *p2 = NULL;
-+ p1 = BN_new();
-+ p2 = BN_new();
-+ if (!p1 || !p2)
-+ goto error;
-+
-+ if (!RSA_X931_derive_ex(rsa, p1, p2, NULL, NULL, Xp1, Xp2, Xp,
-+ NULL, NULL, NULL, e, NULL))
-+ goto error;
-+
-+ do_bn_print_name(out, "p1", p1);
-+ do_bn_print_name(out, "p2", p2);
-+ do_bn_print_name(out, "p", rsa->p);
-+
-+ ret = 1;
-+
-+ error:
-+ if (p1)
-+ BN_free(p1);
-+ if (p2)
-+ BN_free(p2);
-+
-+ return ret;
-+ }
-+
-+static int rsa_printkey2(FILE *out, RSA *rsa,
-+ BIGNUM *Xq1, BIGNUM *Xq2, BIGNUM *Xq)
-+ {
-+ int ret = 0;
-+ BIGNUM *q1 = NULL, *q2 = NULL;
-+ q1 = BN_new();
-+ q2 = BN_new();
-+ if (!q1 || !q2)
-+ goto error;
-+
-+ if (!RSA_X931_derive_ex(rsa, NULL, NULL, q1, q2, NULL, NULL, NULL,
-+ Xq1, Xq2, Xq, NULL, NULL))
-+ goto error;
-+
-+ do_bn_print_name(out, "q1", q1);
-+ do_bn_print_name(out, "q2", q2);
-+ do_bn_print_name(out, "q", rsa->q);
-+ do_bn_print_name(out, "n", rsa->n);
-+ do_bn_print_name(out, "d", rsa->d);
-+
-+ ret = 1;
-+
-+ error:
-+ if (q1)
-+ BN_free(q1);
-+ if (q2)
-+ BN_free(q2);
-+
-+ return ret;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/cavs/fips_rsastest.c.fips openssl-1.0.1j/crypto/fips/cavs/fips_rsastest.c
---- openssl-1.0.1j/crypto/fips/cavs/fips_rsastest.c.fips 2014-10-16 13:19:35.094306310 +0200
-+++ openssl-1.0.1j/crypto/fips/cavs/fips_rsastest.c 2014-10-16 13:19:35.094306310 +0200
-@@ -0,0 +1,370 @@
-+/* fips_rsastest.c */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project 2005.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay at cryptsoft.com). This product includes software written by Tim
-+ * Hudson (tjh at cryptsoft.com).
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <ctype.h>
-+#include <string.h>
-+#include <openssl/bio.h>
-+#include <openssl/evp.h>
-+#include <openssl/hmac.h>
-+#include <openssl/err.h>
-+#include <openssl/rsa.h>
-+#include <openssl/bn.h>
-+#include <openssl/x509v3.h>
-+
-+#ifndef OPENSSL_FIPS
-+
-+int main(int argc, char *argv[])
-+{
-+ printf("No FIPS RSA support\n");
-+ return(0);
-+}
-+
-+#else
-+
-+#include "fips_utl.h"
-+
-+static int rsa_stest(FILE *out, FILE *in, int Saltlen);
-+static int rsa_printsig(FILE *out, RSA *rsa, const EVP_MD *dgst,
-+ unsigned char *Msg, long Msglen, int Saltlen);
-+
-+int main(int argc, char **argv)
-+ {
-+ FILE *in = NULL, *out = NULL;
-+
-+ int ret = 1, Saltlen = -1;
-+
-+ if(!FIPS_mode_set(1))
-+ {
-+ do_print_errors();
-+ goto end;
-+ }
-+
-+ if ((argc > 2) && !strcmp("-saltlen", argv[1]))
-+ {
-+ Saltlen = atoi(argv[2]);
-+ if (Saltlen < 0)
-+ {
-+ fprintf(stderr, "FATAL: Invalid salt length\n");
-+ goto end;
-+ }
-+ argc -= 2;
-+ argv += 2;
-+ }
-+ else if ((argc > 1) && !strcmp("-x931", argv[1]))
-+ {
-+ Saltlen = -2;
-+ argc--;
-+ argv++;
-+ }
-+
-+ if (argc == 1)
-+ in = stdin;
-+ else
-+ in = fopen(argv[1], "r");
-+
-+ if (argc < 2)
-+ out = stdout;
-+ else
-+ out = fopen(argv[2], "w");
-+
-+ if (!in)
-+ {
-+ fprintf(stderr, "FATAL input initialization error\n");
-+ goto end;
-+ }
-+
-+ if (!out)
-+ {
-+ fprintf(stderr, "FATAL output initialization error\n");
-+ goto end;
-+ }
-+
-+ if (!rsa_stest(out, in, Saltlen))
-+ {
-+ fprintf(stderr, "FATAL RSASTEST file processing error\n");
-+ goto end;
-+ }
-+ else
-+ ret = 0;
-+
-+ end:
-+
-+ if (ret)
-+ do_print_errors();
-+
-+ if (in && (in != stdin))
-+ fclose(in);
-+ if (out && (out != stdout))
-+ fclose(out);
-+
-+ return ret;
-+
-+ }
-+
-+#define RSA_TEST_MAXLINELEN 10240
-+
-+int rsa_stest(FILE *out, FILE *in, int Saltlen)
-+ {
-+ char *linebuf, *olinebuf, *p, *q;
-+ char *keyword, *value;
-+ RSA *rsa = NULL;
-+ const EVP_MD *dgst = NULL;
-+ unsigned char *Msg = NULL;
-+ long Msglen = -1;
-+ int keylen = -1, current_keylen = -1;
-+ int ret = 0;
-+ int lnum = 0;
-+
-+ olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
-+ linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
-+
-+ if (!linebuf || !olinebuf)
-+ goto error;
-+
-+ while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in))
-+ {
-+ lnum++;
-+ strcpy(linebuf, olinebuf);
-+ keyword = linebuf;
-+ /* Skip leading space */
-+ while (isspace((unsigned char)*keyword))
-+ keyword++;
-+
-+ /* Look for = sign */
-+ p = strchr(linebuf, '=');
-+
-+ /* If no = just copy */
-+ if (!p)
-+ {
-+ if (fputs(olinebuf, out) < 0)
-+ goto error;
-+ continue;
-+ }
-+
-+ q = p - 1;
-+
-+ /* Remove trailing space */
-+ while (isspace((unsigned char)*q))
-+ *q-- = 0;
-+
-+ *p = 0;
-+ value = p + 1;
-+
-+ /* Remove leading space from value */
-+ while (isspace((unsigned char)*value))
-+ value++;
-+
-+ /* Remove trailing space from value */
-+ p = value + strlen(value) - 1;
-+
-+ while (*p == '\n' || isspace((unsigned char)*p))
-+ *p-- = 0;
-+
-+ /* Look for [mod = XXX] for key length */
-+
-+ if (!strcmp(keyword, "[mod"))
-+ {
-+ p = value + strlen(value) - 1;
-+ if (*p != ']')
-+ goto parse_error;
-+ *p = 0;
-+ keylen = atoi(value);
-+ if (keylen < 0)
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "SHAAlg"))
-+ {
-+ if (!strcmp(value, "SHA1"))
-+ dgst = EVP_sha1();
-+ else if (!strcmp(value, "SHA224"))
-+ dgst = EVP_sha224();
-+ else if (!strcmp(value, "SHA256"))
-+ dgst = EVP_sha256();
-+ else if (!strcmp(value, "SHA384"))
-+ dgst = EVP_sha384();
-+ else if (!strcmp(value, "SHA512"))
-+ dgst = EVP_sha512();
-+ else
-+ {
-+ fprintf(stderr,
-+ "FATAL: unsupported algorithm \"%s\"\n",
-+ value);
-+ goto parse_error;
-+ }
-+ }
-+ else if (!strcmp(keyword, "Msg"))
-+ {
-+ if (Msg)
-+ goto parse_error;
-+ if (strlen(value) & 1)
-+ *(--value) = '0';
-+ Msg = hex2bin_m(value, &Msglen);
-+ if (!Msg)
-+ goto parse_error;
-+ }
-+
-+ fputs(olinebuf, out);
-+
-+ /* If key length has changed, generate and output public
-+ * key components of new RSA private key.
-+ */
-+
-+ if (keylen != current_keylen)
-+ {
-+ BIGNUM *bn_e;
-+ if (rsa)
-+ FIPS_rsa_free(rsa);
-+ rsa = FIPS_rsa_new();
-+ if (!rsa)
-+ goto error;
-+ bn_e = BN_new();
-+ if (!bn_e || !BN_set_word(bn_e, 0x1001))
-+ goto error;
-+ if (!RSA_X931_generate_key_ex(rsa, keylen, bn_e, NULL))
-+ goto error;
-+ BN_free(bn_e);
-+ fputs("n = ", out);
-+ do_bn_print(out, rsa->n);
-+ fputs("\ne = ", out);
-+ do_bn_print(out, rsa->e);
-+ fputs("\n", out);
-+ current_keylen = keylen;
-+ }
-+
-+ if (Msg && dgst)
-+ {
-+ if (!rsa_printsig(out, rsa, dgst, Msg, Msglen,
-+ Saltlen))
-+ goto error;
-+ OPENSSL_free(Msg);
-+ Msg = NULL;
-+ }
-+
-+ }
-+
-+ ret = 1;
-+
-+ error:
-+
-+ if (olinebuf)
-+ OPENSSL_free(olinebuf);
-+ if (linebuf)
-+ OPENSSL_free(linebuf);
-+ if (rsa)
-+ FIPS_rsa_free(rsa);
-+
-+ return ret;
-+
-+ parse_error:
-+
-+ fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
-+
-+ goto error;
-+
-+ }
-+
-+static int rsa_printsig(FILE *out, RSA *rsa, const EVP_MD *dgst,
-+ unsigned char *Msg, long Msglen, int Saltlen)
-+ {
-+ int ret = 0;
-+ unsigned char *sigbuf = NULL;
-+ int i, siglen;
-+ /* EVP_PKEY structure */
-+ EVP_PKEY pk;
-+ EVP_MD_CTX ctx;
-+ pk.type = EVP_PKEY_RSA;
-+ pk.pkey.rsa = rsa;
-+
-+ siglen = RSA_size(rsa);
-+ sigbuf = OPENSSL_malloc(siglen);
-+ if (!sigbuf)
-+ goto error;
-+
-+ EVP_MD_CTX_init(&ctx);
-+
-+ if (Saltlen >= 0)
-+ {
-+ M_EVP_MD_CTX_set_flags(&ctx,
-+ EVP_MD_CTX_FLAG_PAD_PSS | (Saltlen << 16));
-+ }
-+ else if (Saltlen == -2)
-+ M_EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_PAD_X931);
-+ if (!EVP_SignInit_ex(&ctx, dgst, NULL))
-+ goto error;
-+ if (!EVP_SignUpdate(&ctx, Msg, Msglen))
-+ goto error;
-+ if (!EVP_SignFinal(&ctx, sigbuf, (unsigned int *)&siglen, &pk))
-+ goto error;
-+
-+ EVP_MD_CTX_cleanup(&ctx);
-+
-+ fputs("S = ", out);
-+
-+ for (i = 0; i < siglen; i++)
-+ fprintf(out, "%02X", sigbuf[i]);
-+
-+ fputs("\n", out);
-+
-+ ret = 1;
-+
-+ error:
-+
-+ return ret;
-+ }
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/cavs/fips_rsavtest.c.fips openssl-1.0.1j/crypto/fips/cavs/fips_rsavtest.c
---- openssl-1.0.1j/crypto/fips/cavs/fips_rsavtest.c.fips 2014-10-16 13:19:35.094306310 +0200
-+++ openssl-1.0.1j/crypto/fips/cavs/fips_rsavtest.c 2014-10-16 13:19:35.094306310 +0200
-@@ -0,0 +1,377 @@
-+/* fips_rsavtest.c */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project 2005.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay at cryptsoft.com). This product includes software written by Tim
-+ * Hudson (tjh at cryptsoft.com).
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <ctype.h>
-+#include <string.h>
-+#include <openssl/bio.h>
-+#include <openssl/evp.h>
-+#include <openssl/hmac.h>
-+#include <openssl/err.h>
-+#include <openssl/x509v3.h>
-+#include <openssl/bn.h>
-+#include <openssl/rsa.h>
-+
-+#ifndef OPENSSL_FIPS
-+
-+int main(int argc, char *argv[])
-+{
-+ printf("No FIPS RSA support\n");
-+ return(0);
-+}
-+
-+#else
-+
-+#include "fips_utl.h"
-+
-+int rsa_test(FILE *out, FILE *in, int saltlen);
-+static int rsa_printver(FILE *out,
-+ BIGNUM *n, BIGNUM *e,
-+ const EVP_MD *dgst,
-+ unsigned char *Msg, long Msglen,
-+ unsigned char *S, long Slen, int Saltlen);
-+
-+int main(int argc, char **argv)
-+ {
-+ FILE *in = NULL, *out = NULL;
-+
-+ int ret = 1;
-+ int Saltlen = -1;
-+
-+ if(!FIPS_mode_set(1))
-+ {
-+ do_print_errors();
-+ goto end;
-+ }
-+
-+ if ((argc > 2) && !strcmp("-saltlen", argv[1]))
-+ {
-+ Saltlen = atoi(argv[2]);
-+ if (Saltlen < 0)
-+ {
-+ fprintf(stderr, "FATAL: Invalid salt length\n");
-+ goto end;
-+ }
-+ argc -= 2;
-+ argv += 2;
-+ }
-+ else if ((argc > 1) && !strcmp("-x931", argv[1]))
-+ {
-+ Saltlen = -2;
-+ argc--;
-+ argv++;
-+ }
-+
-+ if (argc == 1)
-+ in = stdin;
-+ else
-+ in = fopen(argv[1], "r");
-+
-+ if (argc < 2)
-+ out = stdout;
-+ else
-+ out = fopen(argv[2], "w");
-+
-+ if (!in)
-+ {
-+ fprintf(stderr, "FATAL input initialization error\n");
-+ goto end;
-+ }
-+
-+ if (!out)
-+ {
-+ fprintf(stderr, "FATAL output initialization error\n");
-+ goto end;
-+ }
-+
-+ if (!rsa_test(out, in, Saltlen))
-+ {
-+ fprintf(stderr, "FATAL RSAVTEST file processing error\n");
-+ goto end;
-+ }
-+ else
-+ ret = 0;
-+
-+ end:
-+
-+ if (ret)
-+ do_print_errors();
-+
-+ if (in && (in != stdin))
-+ fclose(in);
-+ if (out && (out != stdout))
-+ fclose(out);
-+
-+ return ret;
-+
-+ }
-+
-+#define RSA_TEST_MAXLINELEN 10240
-+
-+int rsa_test(FILE *out, FILE *in, int Saltlen)
-+ {
-+ char *linebuf, *olinebuf, *p, *q;
-+ char *keyword, *value;
-+ const EVP_MD *dgst = NULL;
-+ BIGNUM *n = NULL, *e = NULL;
-+ unsigned char *Msg = NULL, *S = NULL;
-+ long Msglen, Slen;
-+ int ret = 0;
-+ int lnum = 0;
-+
-+ olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
-+ linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN);
-+
-+ if (!linebuf || !olinebuf)
-+ goto error;
-+
-+ while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in))
-+ {
-+ lnum++;
-+ strcpy(linebuf, olinebuf);
-+ keyword = linebuf;
-+ /* Skip leading space */
-+ while (isspace((unsigned char)*keyword))
-+ keyword++;
-+
-+ /* Look for = sign */
-+ p = strchr(linebuf, '=');
-+
-+ /* If no = or starts with [ (for [foo = bar] line) just copy */
-+ if (!p || *keyword=='[')
-+ {
-+ if (fputs(olinebuf, out) < 0)
-+ goto error;
-+ continue;
-+ }
-+
-+ q = p - 1;
-+
-+ /* Remove trailing space */
-+ while (isspace((unsigned char)*q))
-+ *q-- = 0;
-+
-+ *p = 0;
-+ value = p + 1;
-+
-+ /* Remove leading space from value */
-+ while (isspace((unsigned char)*value))
-+ value++;
-+
-+ /* Remove trailing space from value */
-+ p = value + strlen(value) - 1;
-+
-+ while (*p == '\n' || isspace((unsigned char)*p))
-+ *p-- = 0;
-+
-+ if (!strcmp(keyword, "n"))
-+ {
-+ if (!do_hex2bn(&n,value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "e"))
-+ {
-+ if (!do_hex2bn(&e,value))
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "SHAAlg"))
-+ {
-+ if (!strcmp(value, "SHA1"))
-+ dgst = EVP_sha1();
-+ else if (!strcmp(value, "SHA224"))
-+ dgst = EVP_sha224();
-+ else if (!strcmp(value, "SHA256"))
-+ dgst = EVP_sha256();
-+ else if (!strcmp(value, "SHA384"))
-+ dgst = EVP_sha384();
-+ else if (!strcmp(value, "SHA512"))
-+ dgst = EVP_sha512();
-+ else
-+ {
-+ fprintf(stderr,
-+ "FATAL: unsupported algorithm \"%s\"\n",
-+ value);
-+ goto parse_error;
-+ }
-+ }
-+ else if (!strcmp(keyword, "Msg"))
-+ {
-+ if (Msg)
-+ goto parse_error;
-+ if (strlen(value) & 1)
-+ *(--value) = '0';
-+ Msg = hex2bin_m(value, &Msglen);
-+ if (!Msg)
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "S"))
-+ {
-+ if (S)
-+ goto parse_error;
-+ if (strlen(value) & 1)
-+ *(--value) = '0';
-+ S = hex2bin_m(value, &Slen);
-+ if (!S)
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "Result"))
-+ continue;
-+ else
-+ goto parse_error;
-+
-+ fputs(olinebuf, out);
-+
-+ if (n && e && Msg && S && dgst)
-+ {
-+ if (!rsa_printver(out, n, e, dgst,
-+ Msg, Msglen, S, Slen, Saltlen))
-+ goto error;
-+ OPENSSL_free(Msg);
-+ Msg = NULL;
-+ OPENSSL_free(S);
-+ S = NULL;
-+ }
-+
-+ }
-+
-+
-+ ret = 1;
-+
-+
-+ error:
-+
-+ if (olinebuf)
-+ OPENSSL_free(olinebuf);
-+ if (linebuf)
-+ OPENSSL_free(linebuf);
-+ if (n)
-+ BN_free(n);
-+ if (e)
-+ BN_free(e);
-+
-+ return ret;
-+
-+ parse_error:
-+
-+ fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
-+
-+ goto error;
-+
-+ }
-+
-+static int rsa_printver(FILE *out,
-+ BIGNUM *n, BIGNUM *e,
-+ const EVP_MD *dgst,
-+ unsigned char *Msg, long Msglen,
-+ unsigned char *S, long Slen, int Saltlen)
-+ {
-+ int ret = 0, r;
-+ /* Setup RSA and EVP_PKEY structures */
-+ RSA *rsa_pubkey = NULL;
-+ EVP_PKEY pk;
-+ EVP_MD_CTX ctx;
-+ unsigned char *buf = NULL;
-+ rsa_pubkey = FIPS_rsa_new();
-+ if (!rsa_pubkey)
-+ goto error;
-+ rsa_pubkey->n = BN_dup(n);
-+ rsa_pubkey->e = BN_dup(e);
-+ if (!rsa_pubkey->n || !rsa_pubkey->e)
-+ goto error;
-+ pk.type = EVP_PKEY_RSA;
-+ pk.pkey.rsa = rsa_pubkey;
-+
-+ EVP_MD_CTX_init(&ctx);
-+
-+ if (Saltlen >= 0)
-+ {
-+ M_EVP_MD_CTX_set_flags(&ctx,
-+ EVP_MD_CTX_FLAG_PAD_PSS | (Saltlen << 16));
-+ }
-+ else if (Saltlen == -2)
-+ M_EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_PAD_X931);
-+ if (!EVP_VerifyInit_ex(&ctx, dgst, NULL))
-+ goto error;
-+ if (!EVP_VerifyUpdate(&ctx, Msg, Msglen))
-+ goto error;
-+
-+ r = EVP_VerifyFinal(&ctx, S, Slen, &pk);
-+
-+
-+ EVP_MD_CTX_cleanup(&ctx);
-+
-+ if (r < 0)
-+ goto error;
-+ ERR_clear_error();
-+
-+ if (r == 0)
-+ fputs("Result = F\n", out);
-+ else
-+ fputs("Result = P\n", out);
-+
-+ ret = 1;
-+
-+ error:
-+ if (rsa_pubkey)
-+ FIPS_rsa_free(rsa_pubkey);
-+ if (buf)
-+ OPENSSL_free(buf);
-+
-+ return ret;
-+ }
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/cavs/fips_shatest.c.fips openssl-1.0.1j/crypto/fips/cavs/fips_shatest.c
---- openssl-1.0.1j/crypto/fips/cavs/fips_shatest.c.fips 2014-10-16 13:19:35.095306333 +0200
-+++ openssl-1.0.1j/crypto/fips/cavs/fips_shatest.c 2014-10-16 13:19:35.095306333 +0200
-@@ -0,0 +1,388 @@
-+/* fips_shatest.c */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project 2005.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay at cryptsoft.com). This product includes software written by Tim
-+ * Hudson (tjh at cryptsoft.com).
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <ctype.h>
-+#include <string.h>
-+#include <openssl/bio.h>
-+#include <openssl/evp.h>
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+#include <openssl/x509v3.h>
-+
-+#ifndef OPENSSL_FIPS
-+
-+int main(int argc, char *argv[])
-+{
-+ printf("No FIPS SHAXXX support\n");
-+ return(0);
-+}
-+
-+#else
-+
-+#include "fips_utl.h"
-+
-+static int dgst_test(FILE *out, FILE *in);
-+static int print_dgst(const EVP_MD *md, FILE *out,
-+ unsigned char *Msg, int Msglen);
-+static int print_monte(const EVP_MD *md, FILE *out,
-+ unsigned char *Seed, int SeedLen);
-+
-+int main(int argc, char **argv)
-+ {
-+ FILE *in = NULL, *out = NULL;
-+
-+ int ret = 1;
-+
-+ if(!FIPS_mode_set(1))
-+ {
-+ do_print_errors();
-+ goto end;
-+ }
-+
-+ if (argc == 1)
-+ in = stdin;
-+ else
-+ in = fopen(argv[1], "r");
-+
-+ if (argc < 2)
-+ out = stdout;
-+ else
-+ out = fopen(argv[2], "w");
-+
-+ if (!in)
-+ {
-+ fprintf(stderr, "FATAL input initialization error\n");
-+ goto end;
-+ }
-+
-+ if (!out)
-+ {
-+ fprintf(stderr, "FATAL output initialization error\n");
-+ goto end;
-+ }
-+
-+ if (!dgst_test(out, in))
-+ {
-+ fprintf(stderr, "FATAL digest file processing error\n");
-+ goto end;
-+ }
-+ else
-+ ret = 0;
-+
-+ end:
-+
-+ if (ret)
-+ do_print_errors();
-+
-+ if (in && (in != stdin))
-+ fclose(in);
-+ if (out && (out != stdout))
-+ fclose(out);
-+
-+ return ret;
-+
-+ }
-+
-+#define SHA_TEST_MAX_BITS 102400
-+#define SHA_TEST_MAXLINELEN (((SHA_TEST_MAX_BITS >> 3) * 2) + 100)
-+
-+int dgst_test(FILE *out, FILE *in)
-+ {
-+ const EVP_MD *md = NULL;
-+ char *linebuf, *olinebuf, *p, *q;
-+ char *keyword, *value;
-+ unsigned char *Msg = NULL, *Seed = NULL;
-+ long MsgLen = -1, Len = -1, SeedLen = -1;
-+ int ret = 0;
-+ int lnum = 0;
-+
-+ olinebuf = OPENSSL_malloc(SHA_TEST_MAXLINELEN);
-+ linebuf = OPENSSL_malloc(SHA_TEST_MAXLINELEN);
-+
-+ if (!linebuf || !olinebuf)
-+ goto error;
-+
-+
-+ while (fgets(olinebuf, SHA_TEST_MAXLINELEN, in))
-+ {
-+ lnum++;
-+ strcpy(linebuf, olinebuf);
-+ keyword = linebuf;
-+ /* Skip leading space */
-+ while (isspace((unsigned char)*keyword))
-+ keyword++;
-+
-+ /* Look for = sign */
-+ p = strchr(linebuf, '=');
-+
-+ /* If no = or starts with [ (for [L=20] line) just copy */
-+ if (!p)
-+ {
-+ fputs(olinebuf, out);
-+ continue;
-+ }
-+
-+ q = p - 1;
-+
-+ /* Remove trailing space */
-+ while (isspace((unsigned char)*q))
-+ *q-- = 0;
-+
-+ *p = 0;
-+ value = p + 1;
-+
-+ /* Remove leading space from value */
-+ while (isspace((unsigned char)*value))
-+ value++;
-+
-+ /* Remove trailing space from value */
-+ p = value + strlen(value) - 1;
-+ while (*p == '\n' || isspace((unsigned char)*p))
-+ *p-- = 0;
-+
-+ if (!strcmp(keyword,"[L") && *p==']')
-+ {
-+ switch (atoi(value))
-+ {
-+ case 20: md=EVP_sha1(); break;
-+ case 28: md=EVP_sha224(); break;
-+ case 32: md=EVP_sha256(); break;
-+ case 48: md=EVP_sha384(); break;
-+ case 64: md=EVP_sha512(); break;
-+ default: goto parse_error;
-+ }
-+ }
-+ else if (!strcmp(keyword, "Len"))
-+ {
-+ if (Len != -1)
-+ goto parse_error;
-+ Len = atoi(value);
-+ if (Len < 0)
-+ goto parse_error;
-+ /* Only handle multiples of 8 bits */
-+ if (Len & 0x7)
-+ goto parse_error;
-+ if (Len > SHA_TEST_MAX_BITS)
-+ goto parse_error;
-+ MsgLen = Len >> 3;
-+ }
-+
-+ else if (!strcmp(keyword, "Msg"))
-+ {
-+ long tmplen;
-+ if (strlen(value) & 1)
-+ *(--value) = '0';
-+ if (Msg)
-+ goto parse_error;
-+ Msg = hex2bin_m(value, &tmplen);
-+ if (!Msg)
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "Seed"))
-+ {
-+ if (strlen(value) & 1)
-+ *(--value) = '0';
-+ if (Seed)
-+ goto parse_error;
-+ Seed = hex2bin_m(value, &SeedLen);
-+ if (!Seed)
-+ goto parse_error;
-+ }
-+ else if (!strcmp(keyword, "MD"))
-+ continue;
-+ else
-+ goto parse_error;
-+
-+ fputs(olinebuf, out);
-+
-+ if (md && Msg && (MsgLen >= 0))
-+ {
-+ if (!print_dgst(md, out, Msg, MsgLen))
-+ goto error;
-+ OPENSSL_free(Msg);
-+ Msg = NULL;
-+ MsgLen = -1;
-+ Len = -1;
-+ }
-+ else if (md && Seed && (SeedLen > 0))
-+ {
-+ if (!print_monte(md, out, Seed, SeedLen))
-+ goto error;
-+ OPENSSL_free(Seed);
-+ Seed = NULL;
-+ SeedLen = -1;
-+ }
-+
-+
-+ }
-+
-+
-+ ret = 1;
-+
-+
-+ error:
-+
-+ if (olinebuf)
-+ OPENSSL_free(olinebuf);
-+ if (linebuf)
-+ OPENSSL_free(linebuf);
-+ if (Msg)
-+ OPENSSL_free(Msg);
-+ if (Seed)
-+ OPENSSL_free(Seed);
-+
-+ return ret;
-+
-+ parse_error:
-+
-+ fprintf(stderr, "FATAL parse error processing line %d\n", lnum);
-+
-+ goto error;
-+
-+ }
-+
-+static int print_dgst(const EVP_MD *emd, FILE *out,
-+ unsigned char *Msg, int Msglen)
-+ {
-+ int i, mdlen;
-+ unsigned char md[EVP_MAX_MD_SIZE];
-+ if (!EVP_Digest(Msg, Msglen, md, (unsigned int *)&mdlen, emd, NULL))
-+ {
-+ fputs("Error calculating HASH\n", stderr);
-+ return 0;
-+ }
-+ fputs("MD = ", out);
-+ for (i = 0; i < mdlen; i++)
-+ fprintf(out, "%02x", md[i]);
-+ fputs("\n", out);
-+ return 1;
-+ }
-+
-+static int print_monte(const EVP_MD *md, FILE *out,
-+ unsigned char *Seed, int SeedLen)
-+ {
-+ unsigned int i, j, k;
-+ int ret = 0;
-+ EVP_MD_CTX ctx;
-+ unsigned char *m1, *m2, *m3, *p;
-+ unsigned int mlen, m1len, m2len, m3len;
-+
-+ EVP_MD_CTX_init(&ctx);
-+
-+ if (SeedLen > EVP_MAX_MD_SIZE)
-+ mlen = SeedLen;
-+ else
-+ mlen = EVP_MAX_MD_SIZE;
-+
-+ m1 = OPENSSL_malloc(mlen);
-+ m2 = OPENSSL_malloc(mlen);
-+ m3 = OPENSSL_malloc(mlen);
-+
-+ if (!m1 || !m2 || !m3)
-+ goto mc_error;
-+
-+ m1len = m2len = m3len = SeedLen;
-+ memcpy(m1, Seed, SeedLen);
-+ memcpy(m2, Seed, SeedLen);
-+ memcpy(m3, Seed, SeedLen);
-+
-+ fputs("\n", out);
-+
-+ for (j = 0; j < 100; j++)
-+ {
-+ for (i = 0; i < 1000; i++)
-+ {
-+ EVP_DigestInit_ex(&ctx, md, NULL);
-+ EVP_DigestUpdate(&ctx, m1, m1len);
-+ EVP_DigestUpdate(&ctx, m2, m2len);
-+ EVP_DigestUpdate(&ctx, m3, m3len);
-+ p = m1;
-+ m1 = m2;
-+ m1len = m2len;
-+ m2 = m3;
-+ m2len = m3len;
-+ m3 = p;
-+ EVP_DigestFinal_ex(&ctx, m3, &m3len);
-+ }
-+ fprintf(out, "COUNT = %d\n", j);
-+ fputs("MD = ", out);
-+ for (k = 0; k < m3len; k++)
-+ fprintf(out, "%02x", m3[k]);
-+ fputs("\n\n", out);
-+ memcpy(m1, m3, m3len);
-+ memcpy(m2, m3, m3len);
-+ m1len = m2len = m3len;
-+ }
-+
-+ ret = 1;
-+
-+ mc_error:
-+ if (m1)
-+ OPENSSL_free(m1);
-+ if (m2)
-+ OPENSSL_free(m2);
-+ if (m3)
-+ OPENSSL_free(m3);
-+
-+ EVP_MD_CTX_cleanup(&ctx);
-+
-+ return ret;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/cavs/fips_utl.h.fips openssl-1.0.1j/crypto/fips/cavs/fips_utl.h
---- openssl-1.0.1j/crypto/fips/cavs/fips_utl.h.fips 2014-10-16 13:19:35.095306333 +0200
-+++ openssl-1.0.1j/crypto/fips/cavs/fips_utl.h 2014-10-16 13:19:35.095306333 +0200
-@@ -0,0 +1,343 @@
-+/* ====================================================================
-+ * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+void do_print_errors(void)
-+ {
-+ const char *file, *data;
-+ int line, flags;
-+ unsigned long l;
-+ while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)))
-+ {
-+ fprintf(stderr, "ERROR:%lx:lib=%d,func=%d,reason=%d"
-+ ":file=%s:line=%d:%s\n",
-+ l, ERR_GET_LIB(l), ERR_GET_FUNC(l), ERR_GET_REASON(l),
-+ file, line, flags & ERR_TXT_STRING ? data : "");
-+ }
-+ }
-+
-+int hex2bin(const char *in, unsigned char *out)
-+ {
-+ int n1, n2;
-+ unsigned char ch;
-+
-+ for (n1=0,n2=0 ; in[n1] && in[n1] != '\n' ; )
-+ { /* first byte */
-+ if ((in[n1] >= '0') && (in[n1] <= '9'))
-+ ch = in[n1++] - '0';
-+ else if ((in[n1] >= 'A') && (in[n1] <= 'F'))
-+ ch = in[n1++] - 'A' + 10;
-+ else if ((in[n1] >= 'a') && (in[n1] <= 'f'))
-+ ch = in[n1++] - 'a' + 10;
-+ else
-+ return -1;
-+ if(!in[n1])
-+ {
-+ out[n2++]=ch;
-+ break;
-+ }
-+ out[n2] = ch << 4;
-+ /* second byte */
-+ if ((in[n1] >= '0') && (in[n1] <= '9'))
-+ ch = in[n1++] - '0';
-+ else if ((in[n1] >= 'A') && (in[n1] <= 'F'))
-+ ch = in[n1++] - 'A' + 10;
-+ else if ((in[n1] >= 'a') && (in[n1] <= 'f'))
-+ ch = in[n1++] - 'a' + 10;
-+ else
-+ return -1;
-+ out[n2++] |= ch;
-+ }
-+ return n2;
-+ }
-+
-+unsigned char *hex2bin_m(const char *in, long *plen)
-+ {
-+ unsigned char *p;
-+ p = OPENSSL_malloc((strlen(in) + 1)/2);
-+ *plen = hex2bin(in, p);
-+ return p;
-+ }
-+
-+int do_hex2bn(BIGNUM **pr, const char *in)
-+ {
-+ unsigned char *p;
-+ long plen;
-+ int r = 0;
-+ p = hex2bin_m(in, &plen);
-+ if (!p)
-+ return 0;
-+ if (!*pr)
-+ *pr = BN_new();
-+ if (!*pr)
-+ return 0;
-+ if (BN_bin2bn(p, plen, *pr))
-+ r = 1;
-+ OPENSSL_free(p);
-+ return r;
-+ }
-+
-+int do_bn_print(FILE *out, BIGNUM *bn)
-+ {
-+ int len, i;
-+ unsigned char *tmp;
-+ len = BN_num_bytes(bn);
-+ if (len == 0)
-+ {
-+ fputs("00", out);
-+ return 1;
-+ }
-+
-+ tmp = OPENSSL_malloc(len);
-+ if (!tmp)
-+ {
-+ fprintf(stderr, "Memory allocation error\n");
-+ return 0;
-+ }
-+ BN_bn2bin(bn, tmp);
-+ for (i = 0; i < len; i++)
-+ fprintf(out, "%02x", tmp[i]);
-+ OPENSSL_free(tmp);
-+ return 1;
-+ }
-+
-+int do_bn_print_name(FILE *out, const char *name, BIGNUM *bn)
-+ {
-+ int r;
-+ fprintf(out, "%s = ", name);
-+ r = do_bn_print(out, bn);
-+ if (!r)
-+ return 0;
-+ fputs("\n", out);
-+ return 1;
-+ }
-+
-+int parse_line(char **pkw, char **pval, char *linebuf, char *olinebuf)
-+ {
-+ char *keyword, *value, *p, *q;
-+ strcpy(linebuf, olinebuf);
-+ keyword = linebuf;
-+ /* Skip leading space */
-+ while (isspace((unsigned char)*keyword))
-+ keyword++;
-+
-+ /* Look for = sign */
-+ p = strchr(linebuf, '=');
-+
-+ /* If no '=' exit */
-+ if (!p)
-+ return 0;
-+
-+ q = p - 1;
-+
-+ /* Remove trailing space */
-+ while (isspace((unsigned char)*q))
-+ *q-- = 0;
-+
-+ *p = 0;
-+ value = p + 1;
-+
-+ /* Remove leading space from value */
-+ while (isspace((unsigned char)*value))
-+ value++;
-+
-+ /* Remove trailing space from value */
-+ p = value + strlen(value) - 1;
-+
-+ while (*p == '\n' || isspace((unsigned char)*p))
-+ *p-- = 0;
-+
-+ *pkw = keyword;
-+ *pval = value;
-+ return 1;
-+ }
-+
-+BIGNUM *hex2bn(const char *in)
-+ {
-+ BIGNUM *p=NULL;
-+
-+ if (!do_hex2bn(&p, in))
-+ return NULL;
-+
-+ return p;
-+ }
-+
-+int bin2hex(const unsigned char *in,int len,char *out)
-+ {
-+ int n1, n2;
-+ unsigned char ch;
-+
-+ for (n1=0,n2=0 ; n1 < len ; ++n1)
-+ {
-+ ch=in[n1] >> 4;
-+ if (ch <= 0x09)
-+ out[n2++]=ch+'0';
-+ else
-+ out[n2++]=ch-10+'a';
-+ ch=in[n1] & 0x0f;
-+ if(ch <= 0x09)
-+ out[n2++]=ch+'0';
-+ else
-+ out[n2++]=ch-10+'a';
-+ }
-+ out[n2]='\0';
-+ return n2;
-+ }
-+
-+void pv(const char *tag,const unsigned char *val,int len)
-+ {
-+ char obuf[2048];
-+
-+ bin2hex(val,len,obuf);
-+ printf("%s = %s\n",tag,obuf);
-+ }
-+
-+/* To avoid extensive changes to test program at this stage just convert
-+ * the input line into an acceptable form. Keyword lines converted to form
-+ * "keyword = value\n" no matter what white space present, all other lines
-+ * just have leading and trailing space removed.
-+ */
-+
-+int tidy_line(char *linebuf, char *olinebuf)
-+ {
-+ char *keyword, *value, *p, *q;
-+ strcpy(linebuf, olinebuf);
-+ keyword = linebuf;
-+ /* Skip leading space */
-+ while (isspace((unsigned char)*keyword))
-+ keyword++;
-+ /* Look for = sign */
-+ p = strchr(linebuf, '=');
-+
-+ /* If no '=' just chop leading, trailing ws */
-+ if (!p)
-+ {
-+ p = keyword + strlen(keyword) - 1;
-+ while (*p == '\n' || isspace((unsigned char)*p))
-+ *p-- = 0;
-+ strcpy(olinebuf, keyword);
-+ strcat(olinebuf, "\n");
-+ return 1;
-+ }
-+
-+ q = p - 1;
-+
-+ /* Remove trailing space */
-+ while (isspace((unsigned char)*q))
-+ *q-- = 0;
-+
-+ *p = 0;
-+ value = p + 1;
-+
-+ /* Remove leading space from value */
-+ while (isspace((unsigned char)*value))
-+ value++;
-+
-+ /* Remove trailing space from value */
-+ p = value + strlen(value) - 1;
-+
-+ while (*p == '\n' || isspace((unsigned char)*p))
-+ *p-- = 0;
-+
-+ strcpy(olinebuf, keyword);
-+ strcat(olinebuf, " = ");
-+ strcat(olinebuf, value);
-+ strcat(olinebuf, "\n");
-+
-+ return 1;
-+ }
-+
-+/* NB: this return the number of _bits_ read */
-+int bint2bin(const char *in, int len, unsigned char *out)
-+ {
-+ int n;
-+
-+ memset(out,0,len);
-+ for(n=0 ; n < len ; ++n)
-+ if(in[n] == '1')
-+ out[n/8]|=(0x80 >> (n%8));
-+ return len;
-+ }
-+
-+int bin2bint(const unsigned char *in,int len,char *out)
-+ {
-+ int n;
-+
-+ for(n=0 ; n < len ; ++n)
-+ out[n]=(in[n/8]&(0x80 >> (n%8))) ? '1' : '0';
-+ return n;
-+ }
-+
-+/*-----------------------------------------------*/
-+
-+void PrintValue(char *tag, unsigned char *val, int len)
-+{
-+#if VERBOSE
-+ char obuf[2048];
-+ int olen;
-+ olen = bin2hex(val, len, obuf);
-+ printf("%s = %.*s\n", tag, olen, obuf);
-+#endif
-+}
-+
-+void OutputValue(char *tag, unsigned char *val, int len, FILE *rfp,int bitmode)
-+ {
-+ char obuf[2048];
-+ int olen;
-+
-+ if(bitmode)
-+ olen=bin2bint(val,len,obuf);
-+ else
-+ olen=bin2hex(val,len,obuf);
-+
-+ fprintf(rfp, "%s = %.*s\n", tag, olen, obuf);
-+#if VERBOSE
-+ printf("%s = %.*s\n", tag, olen, obuf);
-+#endif
-+ }
-+
-diff -up openssl-1.0.1j/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.1j/crypto/fips/fips_aes_selftest.c
---- openssl-1.0.1j/crypto/fips/fips_aes_selftest.c.fips 2014-10-16 13:19:35.095306333 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_aes_selftest.c 2014-10-16 13:19:35.095306333 +0200
-@@ -0,0 +1,359 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+#include <openssl/evp.h>
-+
-+#ifdef OPENSSL_FIPS
-+static const struct
-+ {
-+ const unsigned char key[16];
-+ const unsigned char plaintext[16];
-+ const unsigned char ciphertext[16];
-+ } tests[]=
-+ {
-+ {
-+ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-+ 0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F },
-+ { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
-+ 0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF },
-+ { 0x69,0xC4,0xE0,0xD8,0x6A,0x7B,0x04,0x30,
-+ 0xD8,0xCD,0xB7,0x80,0x70,0xB4,0xC5,0x5A },
-+ },
-+ };
-+
-+static int corrupt_aes;
-+
-+void FIPS_corrupt_aes()
-+ {
-+ corrupt_aes = 1;
-+ }
-+
-+int FIPS_selftest_aes()
-+ {
-+ int n;
-+ int ret = 0;
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+
-+ for(n=0 ; n < 1 ; ++n)
-+ {
-+ unsigned char key[16];
-+
-+ memcpy(key, tests[n].key, sizeof(key));
-+ if (corrupt_aes)
-+ key[0]++;
-+ if (fips_cipher_test(&ctx, EVP_aes_128_ecb(),
-+ key, NULL,
-+ tests[n].plaintext,
-+ tests[n].ciphertext,
-+ 16) <= 0)
-+ goto err;
-+ }
-+ ret = 1;
-+ err:
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+ if (ret == 0)
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES,FIPS_R_SELFTEST_FAILED);
-+ return ret;
-+ }
-+
-+/* AES-CCM test data from NIST public test vectors */
-+
-+static const unsigned char ccm_key[] = {
-+ 0xce,0xb0,0x09,0xae,0xa4,0x45,0x44,0x51,0xfe,0xad,0xf0,0xe6,
-+ 0xb3,0x6f,0x45,0x55,0x5d,0xd0,0x47,0x23,0xba,0xa4,0x48,0xe8
-+};
-+static const unsigned char ccm_nonce[] = {
-+ 0x76,0x40,0x43,0xc4,0x94,0x60,0xb7
-+};
-+static const unsigned char ccm_adata[] = {
-+ 0x6e,0x80,0xdd,0x7f,0x1b,0xad,0xf3,0xa1,0xc9,0xab,0x25,0xc7,
-+ 0x5f,0x10,0xbd,0xe7,0x8c,0x23,0xfa,0x0e,0xb8,0xf9,0xaa,0xa5,
-+ 0x3a,0xde,0xfb,0xf4,0xcb,0xf7,0x8f,0xe4
-+};
-+static const unsigned char ccm_pt[] = {
-+ 0xc8,0xd2,0x75,0xf9,0x19,0xe1,0x7d,0x7f,0xe6,0x9c,0x2a,0x1f,
-+ 0x58,0x93,0x9d,0xfe,0x4d,0x40,0x37,0x91,0xb5,0xdf,0x13,0x10
-+};
-+static const unsigned char ccm_ct[] = {
-+ 0x8a,0x0f,0x3d,0x82,0x29,0xe4,0x8e,0x74,0x87,0xfd,0x95,0xa2,
-+ 0x8a,0xd3,0x92,0xc8,0x0b,0x36,0x81,0xd4,0xfb,0xc7,0xbb,0xfd
-+};
-+static const unsigned char ccm_tag[] = {
-+ 0x2d,0xd6,0xef,0x1c,0x45,0xd4,0xcc,0xb7,0x23,0xdc,0x07,0x44,
-+ 0x14,0xdb,0x50,0x6d
-+};
-+
-+int FIPS_selftest_aes_ccm(void)
-+ {
-+ int ret = 0;
-+ unsigned char out[128], tag[16];
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+ memset(out, 0, sizeof(out));
-+ if (!EVP_CipherInit_ex(&ctx, EVP_aes_192_ccm(),NULL, NULL, NULL, 1))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN,
-+ sizeof(ccm_nonce), NULL))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG,
-+ sizeof(ccm_tag), NULL))
-+ goto err;
-+ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, ccm_key, ccm_nonce, 1))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, NULL, sizeof(ccm_pt)) != sizeof(ccm_pt))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
-+ goto err;
-+ if (EVP_Cipher(&ctx, out, ccm_pt, sizeof(ccm_pt)) != sizeof(ccm_ct))
-+ goto err;
-+
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_GET_TAG, 16, tag))
-+ goto err;
-+ if (memcmp(tag, ccm_tag, sizeof(ccm_tag))
-+ || memcmp(out, ccm_ct, sizeof(ccm_ct)))
-+ goto err;
-+
-+ memset(out, 0, sizeof(out));
-+
-+ if (!EVP_CipherInit_ex(&ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 0))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN,
-+ sizeof(ccm_nonce), NULL))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG, 16, tag))
-+ goto err;
-+ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, ccm_key, ccm_nonce, 0))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, NULL, sizeof(ccm_ct)) != sizeof(ccm_ct))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
-+ goto err;
-+ if (EVP_Cipher(&ctx, out, ccm_ct, sizeof(ccm_ct)) != sizeof(ccm_pt))
-+ goto err;
-+
-+ if (memcmp(out, ccm_pt, sizeof(ccm_pt)))
-+ goto err;
-+
-+ ret = 1;
-+
-+ err:
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+
-+ if (ret == 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_CCM,FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+ else
-+ return ret;
-+
-+ }
-+
-+/* AES-GCM test data from NIST public test vectors */
-+
-+static const unsigned char gcm_key[] = {
-+ 0xee,0xbc,0x1f,0x57,0x48,0x7f,0x51,0x92,0x1c,0x04,0x65,0x66,
-+ 0x5f,0x8a,0xe6,0xd1,0x65,0x8b,0xb2,0x6d,0xe6,0xf8,0xa0,0x69,
-+ 0xa3,0x52,0x02,0x93,0xa5,0x72,0x07,0x8f
-+};
-+static const unsigned char gcm_iv[] = {
-+ 0x99,0xaa,0x3e,0x68,0xed,0x81,0x73,0xa0,0xee,0xd0,0x66,0x84
-+};
-+static const unsigned char gcm_pt[] = {
-+ 0xf5,0x6e,0x87,0x05,0x5b,0xc3,0x2d,0x0e,0xeb,0x31,0xb2,0xea,
-+ 0xcc,0x2b,0xf2,0xa5
-+};
-+static const unsigned char gcm_aad[] = {
-+ 0x4d,0x23,0xc3,0xce,0xc3,0x34,0xb4,0x9b,0xdb,0x37,0x0c,0x43,
-+ 0x7f,0xec,0x78,0xde
-+};
-+static const unsigned char gcm_ct[] = {
-+ 0xf7,0x26,0x44,0x13,0xa8,0x4c,0x0e,0x7c,0xd5,0x36,0x86,0x7e,
-+ 0xb9,0xf2,0x17,0x36
-+};
-+static const unsigned char gcm_tag[] = {
-+ 0x67,0xba,0x05,0x10,0x26,0x2a,0xe4,0x87,0xd7,0x37,0xee,0x62,
-+ 0x98,0xf7,0x7e,0x0c
-+};
-+
-+int FIPS_selftest_aes_gcm(void)
-+ {
-+ int ret = 0;
-+ unsigned char out[128], tag[16];
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+ memset(out, 0, sizeof(out));
-+ memset(tag, 0, sizeof(tag));
-+ if (!EVP_CipherInit_ex(&ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 1))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN,
-+ sizeof(gcm_iv), NULL))
-+ goto err;
-+ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, gcm_key, gcm_iv, 1))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
-+ goto err;
-+ if (EVP_Cipher(&ctx, out, gcm_pt, sizeof(gcm_pt)) != sizeof(gcm_ct))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, NULL, 0) < 0)
-+ goto err;
-+
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, 16, tag))
-+ goto err;
-+
-+ if (memcmp(tag, gcm_tag, 16) || memcmp(out, gcm_ct, 16))
-+ goto err;
-+
-+ memset(out, 0, sizeof(out));
-+
-+ if (!EVP_CipherInit_ex(&ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 0))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN,
-+ sizeof(gcm_iv), NULL))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, 16, tag))
-+ goto err;
-+ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, gcm_key, gcm_iv, 0))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
-+ goto err;
-+ if (EVP_Cipher(&ctx, out, gcm_ct, sizeof(gcm_ct)) != sizeof(gcm_pt))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, NULL, 0) < 0)
-+ goto err;
-+
-+ if (memcmp(out, gcm_pt, 16))
-+ goto err;
-+
-+ ret = 1;
-+
-+ err:
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+
-+ if (ret == 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_GCM,FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+ else
-+ return ret;
-+
-+ }
-+
-+
-+static const unsigned char XTS_128_key[] = {
-+ 0xa1,0xb9,0x0c,0xba,0x3f,0x06,0xac,0x35,0x3b,0x2c,0x34,0x38,
-+ 0x76,0x08,0x17,0x62,0x09,0x09,0x23,0x02,0x6e,0x91,0x77,0x18,
-+ 0x15,0xf2,0x9d,0xab,0x01,0x93,0x2f,0x2f
-+};
-+static const unsigned char XTS_128_i[] = {
-+ 0x4f,0xae,0xf7,0x11,0x7c,0xda,0x59,0xc6,0x6e,0x4b,0x92,0x01,
-+ 0x3e,0x76,0x8a,0xd5
-+};
-+static const unsigned char XTS_128_pt[] = {
-+ 0xeb,0xab,0xce,0x95,0xb1,0x4d,0x3c,0x8d,0x6f,0xb3,0x50,0x39,
-+ 0x07,0x90,0x31,0x1c
-+};
-+static const unsigned char XTS_128_ct[] = {
-+ 0x77,0x8a,0xe8,0xb4,0x3c,0xb9,0x8d,0x5a,0x82,0x50,0x81,0xd5,
-+ 0xbe,0x47,0x1c,0x63
-+};
-+
-+static const unsigned char XTS_256_key[] = {
-+ 0x1e,0xa6,0x61,0xc5,0x8d,0x94,0x3a,0x0e,0x48,0x01,0xe4,0x2f,
-+ 0x4b,0x09,0x47,0x14,0x9e,0x7f,0x9f,0x8e,0x3e,0x68,0xd0,0xc7,
-+ 0x50,0x52,0x10,0xbd,0x31,0x1a,0x0e,0x7c,0xd6,0xe1,0x3f,0xfd,
-+ 0xf2,0x41,0x8d,0x8d,0x19,0x11,0xc0,0x04,0xcd,0xa5,0x8d,0xa3,
-+ 0xd6,0x19,0xb7,0xe2,0xb9,0x14,0x1e,0x58,0x31,0x8e,0xea,0x39,
-+ 0x2c,0xf4,0x1b,0x08
-+};
-+static const unsigned char XTS_256_i[] = {
-+ 0xad,0xf8,0xd9,0x26,0x27,0x46,0x4a,0xd2,0xf0,0x42,0x8e,0x84,
-+ 0xa9,0xf8,0x75,0x64
-+};
-+static const unsigned char XTS_256_pt[] = {
-+ 0x2e,0xed,0xea,0x52,0xcd,0x82,0x15,0xe1,0xac,0xc6,0x47,0xe8,
-+ 0x10,0xbb,0xc3,0x64,0x2e,0x87,0x28,0x7f,0x8d,0x2e,0x57,0xe3,
-+ 0x6c,0x0a,0x24,0xfb,0xc1,0x2a,0x20,0x2e
-+};
-+static const unsigned char XTS_256_ct[] = {
-+ 0xcb,0xaa,0xd0,0xe2,0xf6,0xce,0xa3,0xf5,0x0b,0x37,0xf9,0x34,
-+ 0xd4,0x6a,0x9b,0x13,0x0b,0x9d,0x54,0xf0,0x7e,0x34,0xf3,0x6a,
-+ 0xf7,0x93,0xe8,0x6f,0x73,0xc6,0xd7,0xdb
-+};
-+
-+int FIPS_selftest_aes_xts()
-+ {
-+ int ret = 1;
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+
-+ if (fips_cipher_test(&ctx, EVP_aes_128_xts(),
-+ XTS_128_key, XTS_128_i, XTS_128_pt, XTS_128_ct,
-+ sizeof(XTS_128_pt)) <= 0)
-+ ret = 0;
-+
-+ if (fips_cipher_test(&ctx, EVP_aes_256_xts(),
-+ XTS_256_key, XTS_256_i, XTS_256_pt, XTS_256_ct,
-+ sizeof(XTS_256_pt)) <= 0)
-+ ret = 0;
-+
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+ if (ret == 0)
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_XTS,FIPS_R_SELFTEST_FAILED);
-+ return ret;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/fips.c.fips openssl-1.0.1j/crypto/fips/fips.c
---- openssl-1.0.1j/crypto/fips/fips.c.fips 2014-10-16 13:19:35.095306333 +0200
-+++ openssl-1.0.1j/crypto/fips/fips.c 2014-10-16 13:19:35.095306333 +0200
-@@ -0,0 +1,491 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#define _GNU_SOURCE
-+
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include <openssl/err.h>
-+#include <openssl/bio.h>
-+#include <openssl/hmac.h>
-+#include <openssl/rsa.h>
-+#include <string.h>
-+#include <limits.h>
-+#include <dlfcn.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+#include <openssl/fips.h>
-+
-+#ifndef PATH_MAX
-+#define PATH_MAX 1024
-+#endif
-+
-+static int fips_selftest_fail = 0;
-+static int fips_mode = 0;
-+static int fips_started = 0;
-+
-+static int fips_is_owning_thread(void);
-+static int fips_set_owning_thread(void);
-+static int fips_clear_owning_thread(void);
-+
-+#define fips_w_lock() CRYPTO_w_lock(CRYPTO_LOCK_FIPS)
-+#define fips_w_unlock() CRYPTO_w_unlock(CRYPTO_LOCK_FIPS)
-+#define fips_r_lock() CRYPTO_r_lock(CRYPTO_LOCK_FIPS)
-+#define fips_r_unlock() CRYPTO_r_unlock(CRYPTO_LOCK_FIPS)
-+
-+static void fips_set_mode(int onoff)
-+ {
-+ int owning_thread = fips_is_owning_thread();
-+
-+ if (fips_started)
-+ {
-+ if (!owning_thread) fips_w_lock();
-+ fips_mode = onoff;
-+ if (!owning_thread) fips_w_unlock();
-+ }
-+ }
-+
-+int FIPS_module_mode(void)
-+ {
-+ int ret = 0;
-+ int owning_thread = fips_is_owning_thread();
-+
-+ if (fips_started)
-+ {
-+ if (!owning_thread) fips_r_lock();
-+ ret = fips_mode;
-+ if (!owning_thread) fips_r_unlock();
-+ }
-+ return ret;
-+ }
-+
-+int FIPS_selftest_failed(void)
-+ {
-+ int ret = 0;
-+ if (fips_started)
-+ {
-+ int owning_thread = fips_is_owning_thread();
-+
-+ if (!owning_thread) fips_r_lock();
-+ ret = fips_selftest_fail;
-+ if (!owning_thread) fips_r_unlock();
-+ }
-+ return ret;
-+ }
-+
-+/* Selftest failure fatal exit routine. This will be called
-+ * during *any* cryptographic operation. It has the minimum
-+ * overhead possible to avoid too big a performance hit.
-+ */
-+
-+void FIPS_selftest_check(void)
-+ {
-+ if (fips_selftest_fail)
-+ {
-+ OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE");
-+ }
-+ }
-+
-+void fips_set_selftest_fail(void)
-+ {
-+ fips_selftest_fail = 1;
-+ }
-+
-+/* we implement what libfipscheck does ourselves */
-+
-+static int
-+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
-+{
-+ Dl_info info;
-+ void *dl, *sym;
-+ int rv = -1;
-+
-+ dl = dlopen(libname, RTLD_LAZY);
-+ if (dl == NULL) {
-+ return -1;
-+ }
-+
-+ sym = dlsym(dl, symbolname);
-+
-+ if (sym != NULL && dladdr(sym, &info)) {
-+ strncpy(path, info.dli_fname, pathlen-1);
-+ path[pathlen-1] = '\0';
-+ rv = 0;
-+ }
-+
-+ dlclose(dl);
-+
-+ return rv;
-+}
-+
-+static const char conv[] = "0123456789abcdef";
-+
-+static char *
-+bin2hex(void *buf, size_t len)
-+{
-+ char *hex, *p;
-+ unsigned char *src = buf;
-+
-+ hex = malloc(len * 2 + 1);
-+ if (hex == NULL)
-+ return NULL;
-+
-+ p = hex;
-+
-+ while (len > 0) {
-+ unsigned c;
-+
-+ c = *src;
-+ src++;
-+
-+ *p = conv[c >> 4];
-+ ++p;
-+ *p = conv[c & 0x0f];
-+ ++p;
-+ --len;
-+ }
-+ *p = '\0';
-+ return hex;
-+}
-+
-+#define HMAC_PREFIX "."
-+#define HMAC_SUFFIX ".hmac"
-+#define READ_BUFFER_LENGTH 16384
-+
-+static char *
-+make_hmac_path(const char *origpath)
-+{
-+ char *path, *p;
-+ const char *fn;
-+
-+ path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
-+ if(path == NULL) {
-+ return NULL;
-+ }
-+
-+ fn = strrchr(origpath, '/');
-+ if (fn == NULL) {
-+ fn = origpath;
-+ } else {
-+ ++fn;
-+ }
-+
-+ strncpy(path, origpath, fn-origpath);
-+ p = path + (fn - origpath);
-+ p = stpcpy(p, HMAC_PREFIX);
-+ p = stpcpy(p, fn);
-+ p = stpcpy(p, HMAC_SUFFIX);
-+
-+ return path;
-+}
-+
-+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
-+
-+static int
-+compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
-+{
-+ FILE *f = NULL;
-+ int rv = -1;
-+ unsigned char rbuf[READ_BUFFER_LENGTH];
-+ size_t len;
-+ unsigned int hlen;
-+ HMAC_CTX c;
-+
-+ HMAC_CTX_init(&c);
-+
-+ f = fopen(path, "r");
-+
-+ if (f == NULL) {
-+ goto end;
-+ }
-+
-+ HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
-+
-+ while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
-+ HMAC_Update(&c, rbuf, len);
-+ }
-+
-+ len = sizeof(rbuf);
-+ /* reuse rbuf for hmac */
-+ HMAC_Final(&c, rbuf, &hlen);
-+
-+ *buf = malloc(hlen);
-+ if (*buf == NULL) {
-+ goto end;
-+ }
-+
-+ *hmaclen = hlen;
-+
-+ memcpy(*buf, rbuf, hlen);
-+
-+ rv = 0;
-+end:
-+ HMAC_CTX_cleanup(&c);
-+
-+ if (f)
-+ fclose(f);
-+
-+ return rv;
-+}
-+
-+static int
-+FIPSCHECK_verify(const char *libname, const char *symbolname)
-+{
-+ char path[PATH_MAX+1];
-+ int rv;
-+ FILE *hf;
-+ char *hmacpath, *p;
-+ char *hmac = NULL;
-+ size_t n;
-+
-+ rv = get_library_path(libname, symbolname, path, sizeof(path));
-+
-+ if (rv < 0)
-+ return 0;
-+
-+ hmacpath = make_hmac_path(path);
-+ if (hmacpath == NULL)
-+ return 0;
-+
-+ hf = fopen(hmacpath, "r");
-+ if (hf == NULL) {
-+ free(hmacpath);
-+ return 0;
-+ }
-+
-+ if (getline(&hmac, &n, hf) > 0) {
-+ void *buf;
-+ size_t hmaclen;
-+ char *hex;
-+
-+ if ((p=strchr(hmac, '\n')) != NULL)
-+ *p = '\0';
-+
-+ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
-+ rv = -4;
-+ goto end;
-+ }
-+
-+ if ((hex=bin2hex(buf, hmaclen)) == NULL) {
-+ free(buf);
-+ rv = -5;
-+ goto end;
-+ }
-+
-+ if (strcmp(hex, hmac) != 0) {
-+ rv = -1;
-+ }
-+ free(buf);
-+ free(hex);
-+ } else {
-+ rv = -1;
-+ }
-+
-+end:
-+ free(hmac);
-+ free(hmacpath);
-+ fclose(hf);
-+
-+ if (rv < 0)
-+ return 0;
-+
-+ /* check successful */
-+ return 1;
-+}
-+
-+int FIPS_module_mode_set(int onoff, const char *auth)
-+ {
-+ int ret = 0;
-+
-+ fips_w_lock();
-+ fips_started = 1;
-+ fips_set_owning_thread();
-+
-+ if(onoff)
-+ {
-+
-+ fips_selftest_fail = 0;
-+
-+ /* Don't go into FIPS mode twice, just so we can do automagic
-+ seeding */
-+ if(FIPS_module_mode())
-+ {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FIPS_MODE_ALREADY_SET);
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+
-+#ifdef OPENSSL_IA32_SSE2
-+ {
-+ extern unsigned int OPENSSL_ia32cap_P[2];
-+ if ((OPENSSL_ia32cap_P[0] & (1<<25|1<<26)) != (1<<25|1<<26))
-+ {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_UNSUPPORTED_PLATFORM);
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+ OPENSSL_ia32cap_P[0] |= (1<<28); /* set "shared cache" */
-+ OPENSSL_ia32cap_P[1] &= ~(1<<(60-32)); /* clear AVX */
-+ }
-+#endif
-+
-+ if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
-+ {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+
-+ if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
-+ {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+
-+ if(FIPS_selftest())
-+ fips_set_mode(onoff);
-+ else
-+ {
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+ ret = 1;
-+ goto end;
-+ }
-+ fips_set_mode(0);
-+ fips_selftest_fail = 0;
-+ ret = 1;
-+end:
-+ fips_clear_owning_thread();
-+ fips_w_unlock();
-+ return ret;
-+ }
-+
-+static CRYPTO_THREADID fips_thread;
-+static int fips_thread_set = 0;
-+
-+static int fips_is_owning_thread(void)
-+ {
-+ int ret = 0;
-+
-+ if (fips_started)
-+ {
-+ CRYPTO_r_lock(CRYPTO_LOCK_FIPS2);
-+ if (fips_thread_set)
-+ {
-+ CRYPTO_THREADID cur;
-+ CRYPTO_THREADID_current(&cur);
-+ if (!CRYPTO_THREADID_cmp(&cur, &fips_thread))
-+ ret = 1;
-+ }
-+ CRYPTO_r_unlock(CRYPTO_LOCK_FIPS2);
-+ }
-+ return ret;
-+ }
-+
-+int fips_set_owning_thread(void)
-+ {
-+ int ret = 0;
-+
-+ if (fips_started)
-+ {
-+ CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
-+ if (!fips_thread_set)
-+ {
-+ CRYPTO_THREADID_current(&fips_thread);
-+ ret = 1;
-+ fips_thread_set = 1;
-+ }
-+ CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
-+ }
-+ return ret;
-+ }
-+
-+int fips_clear_owning_thread(void)
-+ {
-+ int ret = 0;
-+
-+ if (fips_started)
-+ {
-+ CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
-+ if (fips_thread_set)
-+ {
-+ CRYPTO_THREADID cur;
-+ CRYPTO_THREADID_current(&cur);
-+ if (!CRYPTO_THREADID_cmp(&cur, &fips_thread))
-+ fips_thread_set = 0;
-+ }
-+ CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
-+ }
-+ return ret;
-+ }
-+
-+
-+#if 0
-+/* The purpose of this is to ensure the error code exists and the function
-+ * name is to keep the error checking script quiet
-+ */
-+void hash_final(void)
-+ {
-+ FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD);
-+ }
-+#endif
-+
-+
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.1j/crypto/fips/fips_cmac_selftest.c
---- openssl-1.0.1j/crypto/fips/fips_cmac_selftest.c.fips 2014-10-16 13:19:35.096306356 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_cmac_selftest.c 2014-10-16 13:19:35.096306356 +0200
-@@ -0,0 +1,161 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+#include <openssl/cmac.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+typedef struct {
-+ int nid;
-+ const unsigned char key[EVP_MAX_KEY_LENGTH]; size_t keysize;
-+ const unsigned char msg[64]; size_t msgsize;
-+ const unsigned char mac[32]; size_t macsize;
-+} CMAC_KAT;
-+
-+/* from http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf */
-+static const CMAC_KAT vector[] = {
-+ { NID_aes_128_cbc, /* Count = 32 from CMACGenAES128.txt */
-+ { 0x77,0xa7,0x7f,0xaf, 0x29,0x0c,0x1f,0xa3,
-+ 0x0c,0x68,0x3d,0xf1, 0x6b,0xa7,0xa7,0x7b, }, 128,
-+ { 0x02,0x06,0x83,0xe1, 0xf0,0x39,0x2f,0x4c,
-+ 0xac,0x54,0x31,0x8b, 0x60,0x29,0x25,0x9e,
-+ 0x9c,0x55,0x3d,0xbc, 0x4b,0x6a,0xd9,0x98,
-+ 0xe6,0x4d,0x58,0xe4, 0xe7,0xdc,0x2e,0x13, }, 256,
-+ { 0xfb,0xfe,0xa4,0x1b, }, 32
-+ },
-+ { NID_aes_192_cbc, /* Count = 23 from CMACGenAES192.txt */
-+ { 0x7b,0x32,0x39,0x13, 0x69,0xaa,0x4c,0xa9,
-+ 0x75,0x58,0x09,0x5b, 0xe3,0xc3,0xec,0x86,
-+ 0x2b,0xd0,0x57,0xce, 0xf1,0xe3,0x2d,0x62, }, 192,
-+ { 0x0 }, 0,
-+ { 0xe4,0xd9,0x34,0x0b, 0x03,0xe6,0x7d,0xef,
-+ 0xd4,0x96,0x9c,0xc1, 0xed,0x37,0x35,0xe6, }, 128,
-+ },
-+ { NID_aes_256_cbc, /* Count = 33 from CMACGenAES256.txt */
-+ { 0x0b,0x12,0x2a,0xc8, 0xf3,0x4e,0xd1,0xfe,
-+ 0x08,0x2a,0x36,0x25, 0xd1,0x57,0x56,0x14,
-+ 0x54,0x16,0x7a,0xc1, 0x45,0xa1,0x0b,0xbf,
-+ 0x77,0xc6,0xa7,0x05, 0x96,0xd5,0x74,0xf1, }, 256,
-+ { 0x49,0x8b,0x53,0xfd, 0xec,0x87,0xed,0xcb,
-+ 0xf0,0x70,0x97,0xdc, 0xcd,0xe9,0x3a,0x08,
-+ 0x4b,0xad,0x75,0x01, 0xa2,0x24,0xe3,0x88,
-+ 0xdf,0x34,0x9c,0xe1, 0x89,0x59,0xfe,0x84,
-+ 0x85,0xf8,0xad,0x15, 0x37,0xf0,0xd8,0x96,
-+ 0xea,0x73,0xbe,0xdc, 0x72,0x14,0x71,0x3f, }, 384,
-+ { 0xf6,0x2c,0x46,0x32, 0x9b, }, 40,
-+ },
-+ { NID_des_ede3_cbc, /* Count = 41 from CMACGenTDES3.req */
-+ { 0x89,0xbc,0xd9,0x52, 0xa8,0xc8,0xab,0x37,
-+ 0x1a,0xf4,0x8a,0xc7, 0xd0,0x70,0x85,0xd5,
-+ 0xef,0xf7,0x02,0xe6, 0xd6,0x2c,0xdc,0x23, }, 192,
-+ { 0xfa,0x62,0x0c,0x1b, 0xbe,0x97,0x31,0x9e,
-+ 0x9a,0x0c,0xf0,0x49, 0x21,0x21,0xf7,0xa2,
-+ 0x0e,0xb0,0x8a,0x6a, 0x70,0x9d,0xcb,0xd0,
-+ 0x0a,0xaf,0x38,0xe4, 0xf9,0x9e,0x75,0x4e, }, 256,
-+ { 0x8f,0x49,0xa1,0xb7, 0xd6,0xaa,0x22,0x58, }, 64,
-+ },
-+};
-+
-+int FIPS_selftest_cmac()
-+ {
-+ size_t n, outlen;
-+ unsigned char out[32];
-+ const EVP_CIPHER *cipher;
-+ CMAC_CTX *ctx = CMAC_CTX_new();
-+ const CMAC_KAT *t;
-+ int rv = 1;
-+
-+ for(n=0,t=vector; n<sizeof(vector)/sizeof(vector[0]); n++,t++)
-+ {
-+ cipher = FIPS_get_cipherbynid(t->nid);
-+ if (!cipher)
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+ if (!CMAC_Init(ctx, t->key, t->keysize/8, cipher, 0))
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+ if (!CMAC_Update(ctx, t->msg, t->msgsize/8))
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ if (!CMAC_Final(ctx, out, &outlen))
-+ {
-+ rv = -1;
-+ goto err;
-+ }
-+ CMAC_CTX_cleanup(ctx);
-+
-+ if(outlen < t->macsize/8 || memcmp(out,t->mac,t->macsize/8))
-+ {
-+ rv = 0;
-+ }
-+ }
-+
-+ err:
-+ CMAC_CTX_free(ctx);
-+
-+ if (rv == -1)
-+ {
-+ rv = 0;
-+ }
-+ if (!rv)
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_CMAC,FIPS_R_SELFTEST_FAILED);
-+
-+ return rv;
-+ }
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/fips_des_selftest.c.fips openssl-1.0.1j/crypto/fips/fips_des_selftest.c
---- openssl-1.0.1j/crypto/fips/fips_des_selftest.c.fips 2014-10-16 13:19:35.096306356 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_des_selftest.c 2014-10-16 13:19:35.096306356 +0200
-@@ -0,0 +1,147 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+#include <openssl/evp.h>
-+#include <openssl/opensslconf.h>
-+
-+#ifdef OPENSSL_FIPS
-+
-+static const struct
-+ {
-+ const unsigned char key[16];
-+ const unsigned char plaintext[8];
-+ const unsigned char ciphertext[8];
-+ } tests2[]=
-+ {
-+ {
-+ { 0x7c,0x4f,0x6e,0xf7,0xa2,0x04,0x16,0xec,
-+ 0x0b,0x6b,0x7c,0x9e,0x5e,0x19,0xa7,0xc4 },
-+ { 0x06,0xa7,0xd8,0x79,0xaa,0xce,0x69,0xef },
-+ { 0x4c,0x11,0x17,0x55,0xbf,0xc4,0x4e,0xfd }
-+ },
-+ {
-+ { 0x5d,0x9e,0x01,0xd3,0x25,0xc7,0x3e,0x34,
-+ 0x01,0x16,0x7c,0x85,0x23,0xdf,0xe0,0x68 },
-+ { 0x9c,0x50,0x09,0x0f,0x5e,0x7d,0x69,0x7e },
-+ { 0xd2,0x0b,0x18,0xdf,0xd9,0x0d,0x9e,0xff },
-+ }
-+ };
-+
-+static const struct
-+ {
-+ const unsigned char key[24];
-+ const unsigned char plaintext[8];
-+ const unsigned char ciphertext[8];
-+ } tests3[]=
-+ {
-+ {
-+ { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+ 0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10,
-+ 0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0 },
-+ { 0x8f,0x8f,0xbf,0x9b,0x5d,0x48,0xb4,0x1c },
-+ { 0x59,0x8c,0xe5,0xd3,0x6c,0xa2,0xea,0x1b },
-+ },
-+ {
-+ { 0xDC,0xBA,0x98,0x76,0x54,0x32,0x10,0xFE,
-+ 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
-+ 0xED,0x39,0xD9,0x50,0xFA,0x74,0xBC,0xC4 },
-+ { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF },
-+ { 0x11,0x25,0xb0,0x35,0xbe,0xa0,0x82,0x86 },
-+ },
-+ };
-+
-+
-+static int corrupt_des;
-+
-+void FIPS_corrupt_des()
-+ {
-+ corrupt_des = 1;
-+ }
-+
-+int FIPS_selftest_des()
-+ {
-+ int n, ret = 0;
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+ /* Encrypt/decrypt with 2-key 3DES and compare to known answers */
-+ for(n=0 ; n < 2 ; ++n)
-+ {
-+ unsigned char plaintext[8];
-+
-+ memcpy(plaintext, tests2[n].plaintext, sizeof(plaintext));
-+ if (corrupt_des)
-+ plaintext[0]++;
-+ if (!fips_cipher_test(&ctx, EVP_des_ede_ecb(),
-+ tests2[n].key, NULL,
-+ plaintext, tests2[n].ciphertext, 8))
-+ goto err;
-+ }
-+
-+ /* Encrypt/decrypt with 3DES and compare to known answers */
-+ for(n=0 ; n < 2 ; ++n)
-+ {
-+ if (!fips_cipher_test(&ctx, EVP_des_ede3_ecb(),
-+ tests3[n].key, NULL,
-+ tests3[n].plaintext, tests3[n].ciphertext, 8))
-+ goto err;
-+ }
-+ ret = 1;
-+ err:
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+ if (ret == 0)
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_DES,FIPS_R_SELFTEST_FAILED);
-+
-+ return ret;
-+ }
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.1j/crypto/fips/fips_drbg_ctr.c
---- openssl-1.0.1j/crypto/fips/fips_drbg_ctr.c.fips 2014-10-16 13:19:35.096306356 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_drbg_ctr.c 2014-10-16 13:19:35.096306356 +0200
-@@ -0,0 +1,436 @@
-+/* fips/rand/fips_drbg_ctr.c */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#include <stdlib.h>
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/fips.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_rand_lcl.h"
-+
-+static void inc_128(DRBG_CTR_CTX *cctx)
-+ {
-+ int i;
-+ unsigned char c;
-+ unsigned char *p = cctx->V + 15;
-+ for (i = 0; i < 16; i++)
-+ {
-+ c = *p;
-+ c++;
-+ *p = c;
-+ if (c)
-+ return;
-+ p--;
-+ }
-+ }
-+
-+static void ctr_XOR(DRBG_CTR_CTX *cctx, const unsigned char *in, size_t inlen)
-+ {
-+ size_t i, n;
-+ /* Any zero padding will have no effect on the result as we
-+ * are XORing. So just process however much input we have.
-+ */
-+
-+ if (!in || !inlen)
-+ return;
-+
-+ if (inlen < cctx->keylen)
-+ n = inlen;
-+ else
-+ n = cctx->keylen;
-+
-+ for (i = 0; i < n; i++)
-+ cctx->K[i] ^= in[i];
-+ if (inlen <= cctx->keylen)
-+ return;
-+
-+ n = inlen - cctx->keylen;
-+ /* Should never happen */
-+ if (n > 16)
-+ n = 16;
-+ for (i = 0; i < 16; i++)
-+ cctx->V[i] ^= in[i + cctx->keylen];
-+ }
-+
-+/* Process a complete block using BCC algorithm of SPP 800-90 10.4.3 */
-+
-+static void ctr_BCC_block(DRBG_CTR_CTX *cctx, unsigned char *out,
-+ const unsigned char *in)
-+ {
-+ int i;
-+ for (i = 0; i < 16; i++)
-+ out[i] ^= in[i];
-+ AES_encrypt(out, out, &cctx->df_ks);
-+#if 0
-+fprintf(stderr, "BCC in+out\n");
-+BIO_dump_fp(stderr, in, 16);
-+BIO_dump_fp(stderr, out, 16);
-+#endif
-+ }
-+
-+/* Handle several BCC operations for as much data as we need for K and X */
-+static void ctr_BCC_blocks(DRBG_CTR_CTX *cctx, const unsigned char *in)
-+ {
-+ ctr_BCC_block(cctx, cctx->KX, in);
-+ ctr_BCC_block(cctx, cctx->KX + 16, in);
-+ if (cctx->keylen != 16)
-+ ctr_BCC_block(cctx, cctx->KX + 32, in);
-+ }
-+/* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
-+ * see 10.4.2 stage 7.
-+ */
-+static void ctr_BCC_init(DRBG_CTR_CTX *cctx)
-+ {
-+ memset(cctx->KX, 0, 48);
-+ memset(cctx->bltmp, 0, 16);
-+ ctr_BCC_block(cctx, cctx->KX, cctx->bltmp);
-+ cctx->bltmp[3] = 1;
-+ ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp);
-+ if (cctx->keylen != 16)
-+ {
-+ cctx->bltmp[3] = 2;
-+ ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp);
-+ }
-+ }
-+
-+/* Process several blocks into BCC algorithm, some possibly partial */
-+static void ctr_BCC_update(DRBG_CTR_CTX *cctx,
-+ const unsigned char *in, size_t inlen)
-+ {
-+ if (!in || !inlen)
-+ return;
-+ /* If we have partial block handle it first */
-+ if (cctx->bltmp_pos)
-+ {
-+ size_t left = 16 - cctx->bltmp_pos;
-+ /* If we now have a complete block process it */
-+ if (inlen >= left)
-+ {
-+ memcpy(cctx->bltmp + cctx->bltmp_pos, in, left);
-+ ctr_BCC_blocks(cctx, cctx->bltmp);
-+ cctx->bltmp_pos = 0;
-+ inlen -= left;
-+ in += left;
-+ }
-+ }
-+ /* Process zero or more complete blocks */
-+ while (inlen >= 16)
-+ {
-+ ctr_BCC_blocks(cctx, in);
-+ in += 16;
-+ inlen -= 16;
-+ }
-+ /* Copy any remaining partial block to the temporary buffer */
-+ if (inlen > 0)
-+ {
-+ memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen);
-+ cctx->bltmp_pos += inlen;
-+ }
-+ }
-+
-+static void ctr_BCC_final(DRBG_CTR_CTX *cctx)
-+ {
-+ if (cctx->bltmp_pos)
-+ {
-+ memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos);
-+ ctr_BCC_blocks(cctx, cctx->bltmp);
-+ }
-+ }
-+
-+static void ctr_df(DRBG_CTR_CTX *cctx,
-+ const unsigned char *in1, size_t in1len,
-+ const unsigned char *in2, size_t in2len,
-+ const unsigned char *in3, size_t in3len)
-+ {
-+ size_t inlen;
-+ unsigned char *p = cctx->bltmp;
-+ static unsigned char c80 = 0x80;
-+
-+ ctr_BCC_init(cctx);
-+ if (!in1)
-+ in1len = 0;
-+ if (!in2)
-+ in2len = 0;
-+ if (!in3)
-+ in3len = 0;
-+ inlen = in1len + in2len + in3len;
-+ /* Initialise L||N in temporary block */
-+ *p++ = (inlen >> 24) & 0xff;
-+ *p++ = (inlen >> 16) & 0xff;
-+ *p++ = (inlen >> 8) & 0xff;
-+ *p++ = inlen & 0xff;
-+ /* NB keylen is at most 32 bytes */
-+ *p++ = 0;
-+ *p++ = 0;
-+ *p++ = 0;
-+ *p = (unsigned char)((cctx->keylen + 16) & 0xff);
-+ cctx->bltmp_pos = 8;
-+ ctr_BCC_update(cctx, in1, in1len);
-+ ctr_BCC_update(cctx, in2, in2len);
-+ ctr_BCC_update(cctx, in3, in3len);
-+ ctr_BCC_update(cctx, &c80, 1);
-+ ctr_BCC_final(cctx);
-+ /* Set up key K */
-+ AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks);
-+ /* X follows key K */
-+ AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks);
-+ AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks);
-+ if (cctx->keylen != 16)
-+ AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks);
-+#if 0
-+fprintf(stderr, "Output of ctr_df:\n");
-+BIO_dump_fp(stderr, cctx->KX, cctx->keylen + 16);
-+#endif
-+ }
-+
-+/* NB the no-df Update in SP800-90 specifies a constant input length
-+ * of seedlen, however other uses of this algorithm pad the input with
-+ * zeroes if necessary and have up to two parameters XORed together,
-+ * handle both cases in this function instead.
-+ */
-+
-+static void ctr_Update(DRBG_CTX *dctx,
-+ const unsigned char *in1, size_t in1len,
-+ const unsigned char *in2, size_t in2len,
-+ const unsigned char *nonce, size_t noncelen)
-+ {
-+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
-+ /* ks is already setup for correct key */
-+ inc_128(cctx);
-+ AES_encrypt(cctx->V, cctx->K, &cctx->ks);
-+ /* If keylen longer than 128 bits need extra encrypt */
-+ if (cctx->keylen != 16)
-+ {
-+ inc_128(cctx);
-+ AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks);
-+ }
-+ inc_128(cctx);
-+ AES_encrypt(cctx->V, cctx->V, &cctx->ks);
-+ /* If 192 bit key part of V is on end of K */
-+ if (cctx->keylen == 24)
-+ {
-+ memcpy(cctx->V + 8, cctx->V, 8);
-+ memcpy(cctx->V, cctx->K + 24, 8);
-+ }
-+
-+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF)
-+ {
-+ /* If no input reuse existing derived value */
-+ if (in1 || nonce || in2)
-+ ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len);
-+ /* If this a reuse input in1len != 0 */
-+ if (in1len)
-+ ctr_XOR(cctx, cctx->KX, dctx->seedlen);
-+ }
-+ else
-+ {
-+ ctr_XOR(cctx, in1, in1len);
-+ ctr_XOR(cctx, in2, in2len);
-+ }
-+
-+ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
-+#if 0
-+fprintf(stderr, "K+V after update is:\n");
-+BIO_dump_fp(stderr, cctx->K, cctx->keylen);
-+BIO_dump_fp(stderr, cctx->V, 16);
-+#endif
-+ }
-+
-+static int drbg_ctr_instantiate(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t entlen,
-+ const unsigned char *nonce, size_t noncelen,
-+ const unsigned char *pers, size_t perslen)
-+ {
-+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
-+ memset(cctx->K, 0, sizeof(cctx->K));
-+ memset(cctx->V, 0, sizeof(cctx->V));
-+ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
-+ ctr_Update(dctx, ent, entlen, pers, perslen, nonce, noncelen);
-+ return 1;
-+ }
-+
-+static int drbg_ctr_reseed(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t entlen,
-+ const unsigned char *adin, size_t adinlen)
-+ {
-+ ctr_Update(dctx, ent, entlen, adin, adinlen, NULL, 0);
-+ return 1;
-+ }
-+
-+static int drbg_ctr_generate(DRBG_CTX *dctx,
-+ unsigned char *out, size_t outlen,
-+ const unsigned char *adin, size_t adinlen)
-+ {
-+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
-+ if (adin && adinlen)
-+ {
-+ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
-+ /* This means we reuse derived value */
-+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF)
-+ {
-+ adin = NULL;
-+ adinlen = 1;
-+ }
-+ }
-+ else
-+ adinlen = 0;
-+
-+ for (;;)
-+ {
-+ inc_128(cctx);
-+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid)
-+ {
-+ AES_encrypt(cctx->V, dctx->lb, &cctx->ks);
-+ dctx->lb_valid = 1;
-+ continue;
-+ }
-+ if (outlen < 16)
-+ {
-+ /* Use K as temp space as it will be updated */
-+ AES_encrypt(cctx->V, cctx->K, &cctx->ks);
-+ if (!fips_drbg_cprng_test(dctx, cctx->K))
-+ return 0;
-+ memcpy(out, cctx->K, outlen);
-+ break;
-+ }
-+ AES_encrypt(cctx->V, out, &cctx->ks);
-+ if (!fips_drbg_cprng_test(dctx, out))
-+ return 0;
-+ out += 16;
-+ outlen -= 16;
-+ if (outlen == 0)
-+ break;
-+ }
-+
-+ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
-+
-+ return 1;
-+
-+ }
-+
-+static int drbg_ctr_uninstantiate(DRBG_CTX *dctx)
-+ {
-+ memset(&dctx->d.ctr, 0, sizeof(DRBG_CTR_CTX));
-+ return 1;
-+ }
-+
-+int fips_drbg_ctr_init(DRBG_CTX *dctx)
-+ {
-+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
-+
-+ size_t keylen;
-+
-+ switch (dctx->type)
-+ {
-+ case NID_aes_128_ctr:
-+ keylen = 16;
-+ break;
-+
-+ case NID_aes_192_ctr:
-+ keylen = 24;
-+ break;
-+
-+ case NID_aes_256_ctr:
-+ keylen = 32;
-+ break;
-+
-+ default:
-+ return -2;
-+ }
-+
-+ dctx->instantiate = drbg_ctr_instantiate;
-+ dctx->reseed = drbg_ctr_reseed;
-+ dctx->generate = drbg_ctr_generate;
-+ dctx->uninstantiate = drbg_ctr_uninstantiate;
-+
-+ cctx->keylen = keylen;
-+ dctx->strength = keylen * 8;
-+ dctx->blocklength = 16;
-+ dctx->seedlen = keylen + 16;
-+
-+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF)
-+ {
-+ /* df initialisation */
-+ static unsigned char df_key[32] =
-+ {
-+ 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-+ 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
-+ 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
-+ 0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
-+ };
-+ /* Set key schedule for df_key */
-+ AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks);
-+
-+ dctx->min_entropy = cctx->keylen;
-+ dctx->max_entropy = DRBG_MAX_LENGTH;
-+ dctx->min_nonce = dctx->min_entropy / 2;
-+ dctx->max_nonce = DRBG_MAX_LENGTH;
-+ dctx->max_pers = DRBG_MAX_LENGTH;
-+ dctx->max_adin = DRBG_MAX_LENGTH;
-+ }
-+ else
-+ {
-+ dctx->min_entropy = dctx->seedlen;
-+ dctx->max_entropy = dctx->seedlen;
-+ /* Nonce not used */
-+ dctx->min_nonce = 0;
-+ dctx->max_nonce = 0;
-+ dctx->max_pers = dctx->seedlen;
-+ dctx->max_adin = dctx->seedlen;
-+ }
-+
-+ dctx->max_request = 1<<16;
-+ dctx->reseed_interval = 1<<24;
-+
-+ return 1;
-+ }
-diff -up openssl-1.0.1j/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.1j/crypto/fips/fips_drbg_hash.c
---- openssl-1.0.1j/crypto/fips/fips_drbg_hash.c.fips 2014-10-16 13:19:35.096306356 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_drbg_hash.c 2014-10-16 13:19:35.096306356 +0200
-@@ -0,0 +1,378 @@
-+/* fips/rand/fips_drbg_hash.c */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include <stdlib.h>
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/fips.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_rand_lcl.h"
-+
-+/* This is Hash_df from SP 800-90 10.4.1 */
-+
-+static int hash_df(DRBG_CTX *dctx, unsigned char *out,
-+ const unsigned char *in1, size_t in1len,
-+ const unsigned char *in2, size_t in2len,
-+ const unsigned char *in3, size_t in3len,
-+ const unsigned char *in4, size_t in4len)
-+ {
-+ EVP_MD_CTX *mctx = &dctx->d.hash.mctx;
-+ unsigned char *vtmp = dctx->d.hash.vtmp;
-+ unsigned char tmp[6];
-+ /* Standard only ever needs seedlen bytes which is always less than
-+ * maximum permitted so no need to check length.
-+ */
-+ size_t outlen = dctx->seedlen;
-+ tmp[0] = 1;
-+ tmp[1] = ((outlen * 8) >> 24) & 0xff;
-+ tmp[2] = ((outlen * 8) >> 16) & 0xff;
-+ tmp[3] = ((outlen * 8) >> 8) & 0xff;
-+ tmp[4] = (outlen * 8) & 0xff;
-+ if (!in1)
-+ {
-+ tmp[5] = (unsigned char)in1len;
-+ in1 = tmp + 5;
-+ in1len = 1;
-+ }
-+ for (;;)
-+ {
-+ if (!FIPS_digestinit(mctx, dctx->d.hash.md))
-+ return 0;
-+ if (!FIPS_digestupdate(mctx, tmp, 5))
-+ return 0;
-+ if (in1 && !FIPS_digestupdate(mctx, in1, in1len))
-+ return 0;
-+ if (in2 && !FIPS_digestupdate(mctx, in2, in2len))
-+ return 0;
-+ if (in3 && !FIPS_digestupdate(mctx, in3, in3len))
-+ return 0;
-+ if (in4 && !FIPS_digestupdate(mctx, in4, in4len))
-+ return 0;
-+ if (outlen < dctx->blocklength)
-+ {
-+ if (!FIPS_digestfinal(mctx, vtmp, NULL))
-+ return 0;
-+ memcpy(out, vtmp, outlen);
-+ OPENSSL_cleanse(vtmp, dctx->blocklength);
-+ return 1;
-+ }
-+ else if(!FIPS_digestfinal(mctx, out, NULL))
-+ return 0;
-+
-+ outlen -= dctx->blocklength;
-+ if (outlen == 0)
-+ return 1;
-+ tmp[0]++;
-+ out += dctx->blocklength;
-+ }
-+ }
-+
-+
-+/* Add an unsigned buffer to the buf value, storing the result in buf. For
-+ * this algorithm the length of input never exceeds the seed length.
-+ */
-+
-+static void ctx_add_buf(DRBG_CTX *dctx, unsigned char *buf,
-+ unsigned char *in, size_t inlen)
-+ {
-+ size_t i = inlen;
-+ const unsigned char *q;
-+ unsigned char c, *p;
-+ p = buf + dctx->seedlen;
-+ q = in + inlen;
-+
-+ OPENSSL_assert(i <= dctx->seedlen);
-+
-+ /* Special case: zero length, just increment buffer */
-+ if (i)
-+ c = 0;
-+ else
-+ c = 1;
-+
-+ while (i)
-+ {
-+ int r;
-+ p--;
-+ q--;
-+ r = *p + *q + c;
-+ /* Carry */
-+ if (r > 0xff)
-+ c = 1;
-+ else
-+ c = 0;
-+ *p = r & 0xff;
-+ i--;
-+ }
-+
-+ i = dctx->seedlen - inlen;
-+
-+ /* If not adding whole buffer handle final carries */
-+ if (c && i)
-+ {
-+ do
-+ {
-+ p--;
-+ c = *p;
-+ c++;
-+ *p = c;
-+ if(c)
-+ return;
-+ } while(i--);
-+ }
-+ }
-+
-+/* Finalise and add hash to V */
-+
-+static int ctx_add_md(DRBG_CTX *dctx)
-+ {
-+ if (!FIPS_digestfinal(&dctx->d.hash.mctx, dctx->d.hash.vtmp, NULL))
-+ return 0;
-+ ctx_add_buf(dctx, dctx->d.hash.V, dctx->d.hash.vtmp, dctx->blocklength);
-+ return 1;
-+ }
-+
-+static int hash_gen(DRBG_CTX *dctx, unsigned char *out, size_t outlen)
-+ {
-+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
-+ if (outlen == 0)
-+ return 1;
-+ memcpy(hctx->vtmp, hctx->V, dctx->seedlen);
-+ for(;;)
-+ {
-+ FIPS_digestinit(&hctx->mctx, hctx->md);
-+ FIPS_digestupdate(&hctx->mctx, hctx->vtmp, dctx->seedlen);
-+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid)
-+ {
-+ FIPS_digestfinal(&hctx->mctx, dctx->lb, NULL);
-+ dctx->lb_valid = 1;
-+ }
-+ else if (outlen < dctx->blocklength)
-+ {
-+ FIPS_digestfinal(&hctx->mctx, hctx->vtmp, NULL);
-+ if (!fips_drbg_cprng_test(dctx, hctx->vtmp))
-+ return 0;
-+ memcpy(out, hctx->vtmp, outlen);
-+ return 1;
-+ }
-+ else
-+ {
-+ FIPS_digestfinal(&hctx->mctx, out, NULL);
-+ if (!fips_drbg_cprng_test(dctx, out))
-+ return 0;
-+ outlen -= dctx->blocklength;
-+ if (outlen == 0)
-+ return 1;
-+ out += dctx->blocklength;
-+ }
-+ ctx_add_buf(dctx, hctx->vtmp, NULL, 0);
-+ }
-+ }
-+
-+static int drbg_hash_instantiate(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t ent_len,
-+ const unsigned char *nonce, size_t nonce_len,
-+ const unsigned char *pstr, size_t pstr_len)
-+ {
-+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
-+ if (!hash_df(dctx, hctx->V,
-+ ent, ent_len, nonce, nonce_len, pstr, pstr_len,
-+ NULL, 0))
-+ return 0;
-+ if (!hash_df(dctx, hctx->C,
-+ NULL, 0, hctx->V, dctx->seedlen,
-+ NULL, 0, NULL, 0))
-+ return 0;
-+
-+#ifdef HASH_DRBG_TRACE
-+ fprintf(stderr, "V+C after instantiate:\n");
-+ hexprint(stderr, hctx->V, dctx->seedlen);
-+ hexprint(stderr, hctx->C, dctx->seedlen);
-+#endif
-+ return 1;
-+ }
-+
-+
-+static int drbg_hash_reseed(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t ent_len,
-+ const unsigned char *adin, size_t adin_len)
-+ {
-+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
-+ /* V about to be updated so use C as output instead */
-+ if (!hash_df(dctx, hctx->C,
-+ NULL, 1, hctx->V, dctx->seedlen,
-+ ent, ent_len, adin, adin_len))
-+ return 0;
-+ memcpy(hctx->V, hctx->C, dctx->seedlen);
-+ if (!hash_df(dctx, hctx->C, NULL, 0,
-+ hctx->V, dctx->seedlen, NULL, 0, NULL, 0))
-+ return 0;
-+#ifdef HASH_DRBG_TRACE
-+ fprintf(stderr, "V+C after reseed:\n");
-+ hexprint(stderr, hctx->V, dctx->seedlen);
-+ hexprint(stderr, hctx->C, dctx->seedlen);
-+#endif
-+ return 1;
-+ }
-+
-+static int drbg_hash_generate(DRBG_CTX *dctx,
-+ unsigned char *out, size_t outlen,
-+ const unsigned char *adin, size_t adin_len)
-+ {
-+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
-+ EVP_MD_CTX *mctx = &hctx->mctx;
-+ unsigned char tmp[4];
-+ if (adin && adin_len)
-+ {
-+ tmp[0] = 2;
-+ if (!FIPS_digestinit(mctx, hctx->md))
-+ return 0;
-+ if (!EVP_DigestUpdate(mctx, tmp, 1))
-+ return 0;
-+ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
-+ return 0;
-+ if (!EVP_DigestUpdate(mctx, adin, adin_len))
-+ return 0;
-+ if (!ctx_add_md(dctx))
-+ return 0;
-+ }
-+ if (!hash_gen(dctx, out, outlen))
-+ return 0;
-+
-+ tmp[0] = 3;
-+ if (!FIPS_digestinit(mctx, hctx->md))
-+ return 0;
-+ if (!EVP_DigestUpdate(mctx, tmp, 1))
-+ return 0;
-+ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
-+ return 0;
-+
-+ if (!ctx_add_md(dctx))
-+ return 0;
-+
-+ ctx_add_buf(dctx, hctx->V, hctx->C, dctx->seedlen);
-+
-+ tmp[0] = (dctx->reseed_counter >> 24) & 0xff;
-+ tmp[1] = (dctx->reseed_counter >> 16) & 0xff;
-+ tmp[2] = (dctx->reseed_counter >> 8) & 0xff;
-+ tmp[3] = dctx->reseed_counter & 0xff;
-+ ctx_add_buf(dctx, hctx->V, tmp, 4);
-+#ifdef HASH_DRBG_TRACE
-+ fprintf(stderr, "V+C after generate:\n");
-+ hexprint(stderr, hctx->V, dctx->seedlen);
-+ hexprint(stderr, hctx->C, dctx->seedlen);
-+#endif
-+ return 1;
-+ }
-+
-+static int drbg_hash_uninstantiate(DRBG_CTX *dctx)
-+ {
-+ EVP_MD_CTX_cleanup(&dctx->d.hash.mctx);
-+ OPENSSL_cleanse(&dctx->d.hash, sizeof(DRBG_HASH_CTX));
-+ return 1;
-+ }
-+
-+int fips_drbg_hash_init(DRBG_CTX *dctx)
-+ {
-+ const EVP_MD *md;
-+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
-+ md = FIPS_get_digestbynid(dctx->type);
-+ if (!md)
-+ return -2;
-+ switch (dctx->type)
-+ {
-+ case NID_sha1:
-+ dctx->strength = 128;
-+ break;
-+
-+ case NID_sha224:
-+ dctx->strength = 192;
-+ break;
-+
-+ default:
-+ dctx->strength = 256;
-+ break;
-+ }
-+
-+ dctx->instantiate = drbg_hash_instantiate;
-+ dctx->reseed = drbg_hash_reseed;
-+ dctx->generate = drbg_hash_generate;
-+ dctx->uninstantiate = drbg_hash_uninstantiate;
-+
-+ dctx->d.hash.md = md;
-+ EVP_MD_CTX_init(&hctx->mctx);
-+
-+ /* These are taken from SP 800-90 10.1 table 2 */
-+
-+ dctx->blocklength = M_EVP_MD_size(md);
-+ if (dctx->blocklength > 32)
-+ dctx->seedlen = 111;
-+ else
-+ dctx->seedlen = 55;
-+
-+
-+ dctx->min_entropy = dctx->strength / 8;
-+ dctx->max_entropy = DRBG_MAX_LENGTH;
-+
-+ dctx->min_nonce = dctx->min_entropy / 2;
-+ dctx->max_nonce = DRBG_MAX_LENGTH;
-+
-+ dctx->max_pers = DRBG_MAX_LENGTH;
-+ dctx->max_adin = DRBG_MAX_LENGTH;
-+
-+ dctx->max_request = 1<<16;
-+ dctx->reseed_interval = 1<<24;
-+
-+ return 1;
-+ }
-diff -up openssl-1.0.1j/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.1j/crypto/fips/fips_drbg_hmac.c
---- openssl-1.0.1j/crypto/fips/fips_drbg_hmac.c.fips 2014-10-16 13:19:35.097306378 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_drbg_hmac.c 2014-10-16 13:19:35.096306356 +0200
-@@ -0,0 +1,281 @@
-+/* fips/rand/fips_drbg_hmac.c */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#include <stdlib.h>
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/evp.h>
-+#include <openssl/hmac.h>
-+#include <openssl/aes.h>
-+#include <openssl/fips.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_rand_lcl.h"
-+
-+static int drbg_hmac_update(DRBG_CTX *dctx,
-+ const unsigned char *in1, size_t in1len,
-+ const unsigned char *in2, size_t in2len,
-+ const unsigned char *in3, size_t in3len
-+ )
-+ {
-+ static unsigned char c0 = 0, c1 = 1;
-+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
-+ HMAC_CTX *hctx = &hmac->hctx;
-+
-+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
-+ return 0;
-+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
-+ return 0;
-+ if (!HMAC_Update(hctx, &c0, 1))
-+ return 0;
-+ if (in1len && !HMAC_Update(hctx, in1, in1len))
-+ return 0;
-+ if (in2len && !HMAC_Update(hctx, in2, in2len))
-+ return 0;
-+ if (in3len && !HMAC_Update(hctx, in3, in3len))
-+ return 0;
-+
-+ if (!HMAC_Final(hctx, hmac->K, NULL))
-+ return 0;
-+
-+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
-+ return 0;
-+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
-+ return 0;
-+
-+ if (!HMAC_Final(hctx, hmac->V, NULL))
-+ return 0;
-+
-+ if (!in1len && !in2len && !in3len)
-+ return 1;
-+
-+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
-+ return 0;
-+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
-+ return 0;
-+ if (!HMAC_Update(hctx, &c1, 1))
-+ return 0;
-+ if (in1len && !HMAC_Update(hctx, in1, in1len))
-+ return 0;
-+ if (in2len && !HMAC_Update(hctx, in2, in2len))
-+ return 0;
-+ if (in3len && !HMAC_Update(hctx, in3, in3len))
-+ return 0;
-+
-+ if (!HMAC_Final(hctx, hmac->K, NULL))
-+ return 0;
-+
-+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
-+ return 0;
-+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
-+ return 0;
-+
-+ if (!HMAC_Final(hctx, hmac->V, NULL))
-+ return 0;
-+
-+ return 1;
-+
-+ }
-+
-+static int drbg_hmac_instantiate(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t ent_len,
-+ const unsigned char *nonce, size_t nonce_len,
-+ const unsigned char *pstr, size_t pstr_len)
-+ {
-+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
-+ memset(hmac->K, 0, dctx->blocklength);
-+ memset(hmac->V, 1, dctx->blocklength);
-+ if (!drbg_hmac_update(dctx,
-+ ent, ent_len, nonce, nonce_len, pstr, pstr_len))
-+ return 0;
-+
-+#ifdef HMAC_DRBG_TRACE
-+ fprintf(stderr, "K+V after instantiate:\n");
-+ hexprint(stderr, hmac->K, hmac->blocklength);
-+ hexprint(stderr, hmac->V, hmac->blocklength);
-+#endif
-+ return 1;
-+ }
-+
-+static int drbg_hmac_reseed(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t ent_len,
-+ const unsigned char *adin, size_t adin_len)
-+ {
-+ if (!drbg_hmac_update(dctx,
-+ ent, ent_len, adin, adin_len, NULL, 0))
-+ return 0;
-+
-+#ifdef HMAC_DRBG_TRACE
-+ {
-+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
-+ fprintf(stderr, "K+V after reseed:\n");
-+ hexprint(stderr, hmac->K, hmac->blocklength);
-+ hexprint(stderr, hmac->V, hmac->blocklength);
-+ }
-+#endif
-+ return 1;
-+ }
-+
-+static int drbg_hmac_generate(DRBG_CTX *dctx,
-+ unsigned char *out, size_t outlen,
-+ const unsigned char *adin, size_t adin_len)
-+ {
-+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
-+ HMAC_CTX *hctx = &hmac->hctx;
-+ const unsigned char *Vtmp = hmac->V;
-+ if (adin_len && !drbg_hmac_update(dctx, adin, adin_len,
-+ NULL, 0, NULL, 0))
-+ return 0;
-+ for (;;)
-+ {
-+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength,
-+ hmac->md, NULL))
-+ return 0;
-+ if (!HMAC_Update(hctx, Vtmp, dctx->blocklength))
-+ return 0;
-+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid)
-+ {
-+ if (!HMAC_Final(hctx, dctx->lb, NULL))
-+ return 0;
-+ dctx->lb_valid = 1;
-+ Vtmp = dctx->lb;
-+ continue;
-+ }
-+ else if (outlen > dctx->blocklength)
-+ {
-+ if (!HMAC_Final(hctx, out, NULL))
-+ return 0;
-+ if (!fips_drbg_cprng_test(dctx, out))
-+ return 0;
-+ Vtmp = out;
-+ }
-+ else
-+ {
-+ if (!HMAC_Final(hctx, hmac->V, NULL))
-+ return 0;
-+ if (!fips_drbg_cprng_test(dctx, hmac->V))
-+ return 0;
-+ memcpy(out, hmac->V, outlen);
-+ break;
-+ }
-+ out += dctx->blocklength;
-+ outlen -= dctx->blocklength;
-+ }
-+ if (!drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))
-+ return 0;
-+
-+ return 1;
-+ }
-+
-+static int drbg_hmac_uninstantiate(DRBG_CTX *dctx)
-+ {
-+ HMAC_CTX_cleanup(&dctx->d.hmac.hctx);
-+ OPENSSL_cleanse(&dctx->d.hmac, sizeof(DRBG_HMAC_CTX));
-+ return 1;
-+ }
-+
-+int fips_drbg_hmac_init(DRBG_CTX *dctx)
-+ {
-+ const EVP_MD *md = NULL;
-+ DRBG_HMAC_CTX *hctx = &dctx->d.hmac;
-+ dctx->strength = 256;
-+ switch (dctx->type)
-+ {
-+ case NID_hmacWithSHA1:
-+ md = EVP_sha1();
-+ dctx->strength = 128;
-+ break;
-+
-+ case NID_hmacWithSHA224:
-+ md = EVP_sha224();
-+ dctx->strength = 192;
-+ break;
-+
-+ case NID_hmacWithSHA256:
-+ md = EVP_sha256();
-+ break;
-+
-+ case NID_hmacWithSHA384:
-+ md = EVP_sha384();
-+ break;
-+
-+ case NID_hmacWithSHA512:
-+ md = EVP_sha512();
-+ break;
-+
-+ default:
-+ dctx->strength = 0;
-+ return -2;
-+ }
-+ dctx->instantiate = drbg_hmac_instantiate;
-+ dctx->reseed = drbg_hmac_reseed;
-+ dctx->generate = drbg_hmac_generate;
-+ dctx->uninstantiate = drbg_hmac_uninstantiate;
-+ HMAC_CTX_init(&hctx->hctx);
-+ hctx->md = md;
-+ dctx->blocklength = M_EVP_MD_size(md);
-+ dctx->seedlen = M_EVP_MD_size(md);
-+
-+ dctx->min_entropy = dctx->strength / 8;
-+ dctx->max_entropy = DRBG_MAX_LENGTH;
-+
-+ dctx->min_nonce = dctx->min_entropy / 2;
-+ dctx->max_nonce = DRBG_MAX_LENGTH;
-+
-+ dctx->max_pers = DRBG_MAX_LENGTH;
-+ dctx->max_adin = DRBG_MAX_LENGTH;
-+
-+ dctx->max_request = 1<<16;
-+ dctx->reseed_interval = 1<<24;
-+
-+ return 1;
-+ }
-diff -up openssl-1.0.1j/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.1j/crypto/fips/fips_drbg_lib.c
---- openssl-1.0.1j/crypto/fips/fips_drbg_lib.c.fips 2014-10-16 13:19:35.097306378 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_drbg_lib.c 2014-10-16 13:19:35.097306378 +0200
-@@ -0,0 +1,578 @@
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/err.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_locl.h"
-+#include "fips_rand_lcl.h"
-+
-+/* Support framework for SP800-90 DRBGs */
-+
-+int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)
-+ {
-+ int rv;
-+ memset(dctx, 0, sizeof(DRBG_CTX));
-+ dctx->status = DRBG_STATUS_UNINITIALISED;
-+ dctx->xflags = flags;
-+ dctx->type = type;
-+
-+ dctx->iflags = 0;
-+ dctx->entropy_blocklen = 0;
-+ dctx->health_check_cnt = 0;
-+ dctx->health_check_interval = DRBG_HEALTH_INTERVAL;
-+
-+ rv = fips_drbg_hash_init(dctx);
-+
-+ if (rv == -2)
-+ rv = fips_drbg_ctr_init(dctx);
-+ if (rv == -2)
-+ rv = fips_drbg_hmac_init(dctx);
-+
-+ if (rv <= 0)
-+ {
-+ if (rv == -2)
-+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE);
-+ else
-+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG);
-+ }
-+
-+ /* If not in test mode run selftests on DRBG of the same type */
-+
-+ if (!(dctx->xflags & DRBG_FLAG_TEST))
-+ {
-+ if (!FIPS_drbg_health_check(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);
-+ return 0;
-+ }
-+ }
-+
-+ return rv;
-+ }
-+
-+DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags)
-+ {
-+ DRBG_CTX *dctx;
-+ dctx = OPENSSL_malloc(sizeof(DRBG_CTX));
-+ if (!dctx)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE);
-+ return NULL;
-+ }
-+
-+ if (type == 0)
-+ {
-+ memset(dctx, 0, sizeof(DRBG_CTX));
-+ dctx->type = 0;
-+ dctx->status = DRBG_STATUS_UNINITIALISED;
-+ return dctx;
-+ }
-+
-+ if (FIPS_drbg_init(dctx, type, flags) <= 0)
-+ {
-+ OPENSSL_free(dctx);
-+ return NULL;
-+ }
-+
-+ return dctx;
-+ }
-+
-+void FIPS_drbg_free(DRBG_CTX *dctx)
-+ {
-+ if (dctx->uninstantiate)
-+ dctx->uninstantiate(dctx);
-+ /* Don't free up default DRBG */
-+ if (dctx == FIPS_get_default_drbg())
-+ {
-+ memset(dctx, 0, sizeof(DRBG_CTX));
-+ dctx->type = 0;
-+ dctx->status = DRBG_STATUS_UNINITIALISED;
-+ }
-+ else
-+ {
-+ OPENSSL_cleanse(&dctx->d, sizeof(dctx->d));
-+ OPENSSL_free(dctx);
-+ }
-+ }
-+
-+static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len)
-+ {
-+ unsigned char *tout, *p;
-+ size_t bl = dctx->entropy_blocklen, rv;
-+ if (!dctx->get_entropy)
-+ return 0;
-+ if (dctx->xflags & DRBG_FLAG_TEST || !bl)
-+ return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
-+ rv = dctx->get_entropy(dctx, &tout, entropy + bl,
-+ min_len + bl, max_len + bl);
-+ if (tout == NULL)
-+ return 0;
-+ *pout = tout + bl;
-+ if (rv < (min_len + bl) || (rv % bl))
-+ return 0;
-+ /* Compare consecutive blocks for continuous PRNG test */
-+ for (p = tout; p < tout + rv - bl; p += bl)
-+ {
-+ if (!memcmp(p, p + bl, bl))
-+ {
-+ FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK);
-+ return 0;
-+ }
-+ }
-+ rv -= bl;
-+ if (rv > max_len)
-+ return max_len;
-+ return rv;
-+ }
-+
-+static void fips_cleanup_entropy(DRBG_CTX *dctx,
-+ unsigned char *out, size_t olen)
-+ {
-+ size_t bl;
-+ if (dctx->xflags & DRBG_FLAG_TEST)
-+ bl = 0;
-+ else
-+ bl = dctx->entropy_blocklen;
-+ /* Call cleanup with original arguments */
-+ dctx->cleanup_entropy(dctx, out - bl, olen + bl);
-+ }
-+
-+
-+int FIPS_drbg_instantiate(DRBG_CTX *dctx,
-+ const unsigned char *pers, size_t perslen)
-+ {
-+ size_t entlen = 0, noncelen = 0;
-+ unsigned char *nonce = NULL, *entropy = NULL;
-+
-+#if 0
-+ /* Put here so error script picks them up */
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE,
-+ FIPS_R_PERSONALISATION_STRING_TOO_LONG);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED);
-+#endif
-+
-+ int r = 0;
-+
-+ if (perslen > dctx->max_pers)
-+ {
-+ r = FIPS_R_PERSONALISATION_STRING_TOO_LONG;
-+ goto end;
-+ }
-+
-+ if (!dctx->instantiate)
-+ {
-+ r = FIPS_R_DRBG_NOT_INITIALISED;
-+ goto end;
-+ }
-+
-+ if (dctx->status != DRBG_STATUS_UNINITIALISED)
-+ {
-+ if (dctx->status == DRBG_STATUS_ERROR)
-+ r = FIPS_R_IN_ERROR_STATE;
-+ else
-+ r = FIPS_R_ALREADY_INSTANTIATED;
-+ goto end;
-+ }
-+
-+ dctx->status = DRBG_STATUS_ERROR;
-+
-+ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
-+ dctx->min_entropy, dctx->max_entropy);
-+
-+ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy)
-+ {
-+ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
-+ goto end;
-+ }
-+
-+ if (dctx->max_nonce > 0 && dctx->get_nonce)
-+ {
-+ noncelen = dctx->get_nonce(dctx, &nonce,
-+ dctx->strength / 2,
-+ dctx->min_nonce, dctx->max_nonce);
-+
-+ if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce)
-+ {
-+ r = FIPS_R_ERROR_RETRIEVING_NONCE;
-+ goto end;
-+ }
-+
-+ }
-+
-+ if (!dctx->instantiate(dctx,
-+ entropy, entlen,
-+ nonce, noncelen,
-+ pers, perslen))
-+ {
-+ r = FIPS_R_ERROR_INSTANTIATING_DRBG;
-+ goto end;
-+ }
-+
-+
-+ dctx->status = DRBG_STATUS_READY;
-+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
-+ dctx->reseed_counter = 1;
-+
-+ end:
-+
-+ if (entropy && dctx->cleanup_entropy)
-+ fips_cleanup_entropy(dctx, entropy, entlen);
-+
-+ if (nonce && dctx->cleanup_nonce)
-+ dctx->cleanup_nonce(dctx, nonce, noncelen);
-+
-+ if (dctx->status == DRBG_STATUS_READY)
-+ return 1;
-+
-+ if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r);
-+
-+ return 0;
-+
-+ }
-+
-+static int drbg_reseed(DRBG_CTX *dctx,
-+ const unsigned char *adin, size_t adinlen, int hcheck)
-+ {
-+ unsigned char *entropy = NULL;
-+ size_t entlen = 0;
-+ int r = 0;
-+
-+#if 0
-+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED);
-+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
-+#endif
-+ if (dctx->status != DRBG_STATUS_READY
-+ && dctx->status != DRBG_STATUS_RESEED)
-+ {
-+ if (dctx->status == DRBG_STATUS_ERROR)
-+ r = FIPS_R_IN_ERROR_STATE;
-+ else if(dctx->status == DRBG_STATUS_UNINITIALISED)
-+ r = FIPS_R_NOT_INSTANTIATED;
-+ goto end;
-+ }
-+
-+ if (!adin)
-+ adinlen = 0;
-+ else if (adinlen > dctx->max_adin)
-+ {
-+ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
-+ goto end;
-+ }
-+
-+ dctx->status = DRBG_STATUS_ERROR;
-+ /* Peform health check on all reseed operations if not a prediction
-+ * resistance request and not in test mode.
-+ */
-+ if (hcheck && !(dctx->xflags & DRBG_FLAG_TEST))
-+ {
-+ if (!FIPS_drbg_health_check(dctx))
-+ {
-+ r = FIPS_R_SELFTEST_FAILURE;
-+ goto end;
-+ }
-+ }
-+
-+ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
-+ dctx->min_entropy, dctx->max_entropy);
-+
-+ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy)
-+ {
-+ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
-+ goto end;
-+ }
-+
-+ if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen))
-+ goto end;
-+
-+ dctx->status = DRBG_STATUS_READY;
-+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
-+ dctx->reseed_counter = 1;
-+ end:
-+
-+ if (entropy && dctx->cleanup_entropy)
-+ fips_cleanup_entropy(dctx, entropy, entlen);
-+
-+ if (dctx->status == DRBG_STATUS_READY)
-+ return 1;
-+
-+ if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
-+ FIPSerr(FIPS_F_DRBG_RESEED, r);
-+
-+ return 0;
-+ }
-+
-+int FIPS_drbg_reseed(DRBG_CTX *dctx,
-+ const unsigned char *adin, size_t adinlen)
-+ {
-+ return drbg_reseed(dctx, adin, adinlen, 1);
-+ }
-+
-+static int fips_drbg_check(DRBG_CTX *dctx)
-+ {
-+ if (dctx->xflags & DRBG_FLAG_TEST)
-+ return 1;
-+ dctx->health_check_cnt++;
-+ if (dctx->health_check_cnt >= dctx->health_check_interval)
-+ {
-+ if (!FIPS_drbg_health_check(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE);
-+ return 0;
-+ }
-+ }
-+ return 1;
-+ }
-+
-+int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
-+ int prediction_resistance,
-+ const unsigned char *adin, size_t adinlen)
-+ {
-+ int r = 0;
-+
-+ if (FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ if (!fips_drbg_check(dctx))
-+ return 0;
-+
-+ if (dctx->status != DRBG_STATUS_READY
-+ && dctx->status != DRBG_STATUS_RESEED)
-+ {
-+ if (dctx->status == DRBG_STATUS_ERROR)
-+ r = FIPS_R_IN_ERROR_STATE;
-+ else if(dctx->status == DRBG_STATUS_UNINITIALISED)
-+ r = FIPS_R_NOT_INSTANTIATED;
-+ goto end;
-+ }
-+
-+ if (outlen > dctx->max_request)
-+ {
-+ r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
-+ return 0;
-+ }
-+
-+ if (adinlen > dctx->max_adin)
-+ {
-+ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
-+ goto end;
-+ }
-+
-+ if (dctx->iflags & DRBG_CUSTOM_RESEED)
-+ dctx->generate(dctx, NULL, outlen, NULL, 0);
-+ else if (dctx->reseed_counter >= dctx->reseed_interval)
-+ dctx->status = DRBG_STATUS_RESEED;
-+
-+ if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance)
-+ {
-+ /* If prediction resistance request don't do health check */
-+ int hcheck = prediction_resistance ? 0 : 1;
-+
-+ if (!drbg_reseed(dctx, adin, adinlen, hcheck))
-+ {
-+ r = FIPS_R_RESEED_ERROR;
-+ goto end;
-+ }
-+ adin = NULL;
-+ adinlen = 0;
-+ }
-+
-+ if (!dctx->generate(dctx, out, outlen, adin, adinlen))
-+ {
-+ r = FIPS_R_GENERATE_ERROR;
-+ dctx->status = DRBG_STATUS_ERROR;
-+ goto end;
-+ }
-+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
-+ {
-+ if (dctx->reseed_counter >= dctx->reseed_interval)
-+ dctx->status = DRBG_STATUS_RESEED;
-+ else
-+ dctx->reseed_counter++;
-+ }
-+
-+ end:
-+ if (r)
-+ {
-+ if (!(dctx->iflags & DRBG_FLAG_NOERR))
-+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);
-+ return 0;
-+ }
-+
-+ return 1;
-+ }
-+
-+int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)
-+ {
-+ int rv;
-+ if (!dctx->uninstantiate)
-+ rv = 1;
-+ else
-+ rv = dctx->uninstantiate(dctx);
-+ /* Although we'd like to cleanse here we can't because we have to
-+ * test the uninstantiate really zeroes the data.
-+ */
-+ memset(&dctx->d, 0, sizeof(dctx->d));
-+ dctx->status = DRBG_STATUS_UNINITIALISED;
-+ /* If method has problems uninstantiating, return error */
-+ return rv;
-+ }
-+
-+int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len),
-+ void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
-+ size_t entropy_blocklen,
-+ size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len),
-+ void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen))
-+ {
-+ if (dctx->status != DRBG_STATUS_UNINITIALISED)
-+ return 0;
-+ dctx->entropy_blocklen = entropy_blocklen;
-+ dctx->get_entropy = get_entropy;
-+ dctx->cleanup_entropy = cleanup_entropy;
-+ dctx->get_nonce = get_nonce;
-+ dctx->cleanup_nonce = cleanup_nonce;
-+ return 1;
-+ }
-+
-+int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_adin)(DRBG_CTX *ctx, unsigned char **pout),
-+ void (*cleanup_adin)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
-+ int (*rand_seed_cb)(DRBG_CTX *ctx, const void *buf, int num),
-+ int (*rand_add_cb)(DRBG_CTX *ctx,
-+ const void *buf, int num, double entropy))
-+ {
-+ if (dctx->status != DRBG_STATUS_UNINITIALISED)
-+ return 0;
-+ dctx->get_adin = get_adin;
-+ dctx->cleanup_adin = cleanup_adin;
-+ dctx->rand_seed_cb = rand_seed_cb;
-+ dctx->rand_add_cb = rand_add_cb;
-+ return 1;
-+ }
-+
-+void *FIPS_drbg_get_app_data(DRBG_CTX *dctx)
-+ {
-+ return dctx->app_data;
-+ }
-+
-+void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data)
-+ {
-+ dctx->app_data = app_data;
-+ }
-+
-+size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)
-+ {
-+ return dctx->blocklength;
-+ }
-+
-+int FIPS_drbg_get_strength(DRBG_CTX *dctx)
-+ {
-+ return dctx->strength;
-+ }
-+
-+void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval)
-+ {
-+ dctx->health_check_interval = interval;
-+ }
-+
-+void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval)
-+ {
-+ dctx->reseed_interval = interval;
-+ }
-+
-+static int drbg_stick = 0;
-+
-+void FIPS_drbg_stick(int onoff)
-+ {
-+ drbg_stick = onoff;
-+ }
-+
-+/* Continuous DRBG utility function */
-+int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out)
-+ {
-+ /* No CPRNG in test mode */
-+ if (dctx->xflags & DRBG_FLAG_TEST)
-+ return 1;
-+ /* Check block is valid: should never happen */
-+ if (dctx->lb_valid == 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_INTERNAL_ERROR);
-+ fips_set_selftest_fail();
-+ return 0;
-+ }
-+ if (drbg_stick)
-+ memcpy(dctx->lb, out, dctx->blocklength);
-+ /* Check against last block: fail if match */
-+ if (!memcmp(dctx->lb, out, dctx->blocklength))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_DRBG_STUCK);
-+ fips_set_selftest_fail();
-+ return 0;
-+ }
-+ /* Save last block for next comparison */
-+ memcpy(dctx->lb, out, dctx->blocklength);
-+ return 1;
-+ }
-diff -up openssl-1.0.1j/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.1j/crypto/fips/fips_drbg_rand.c
---- openssl-1.0.1j/crypto/fips/fips_drbg_rand.c.fips 2014-10-16 13:19:35.097306378 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_drbg_rand.c 2014-10-16 13:19:35.097306378 +0200
-@@ -0,0 +1,172 @@
-+/* fips/rand/fips_drbg_rand.c */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/err.h>
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_rand_lcl.h"
-+
-+/* Mapping of SP800-90 DRBGs to OpenSSL RAND_METHOD */
-+
-+/* Since we only have one global PRNG used at any time in OpenSSL use a global
-+ * variable to store context.
-+ */
-+
-+static DRBG_CTX ossl_dctx;
-+
-+DRBG_CTX *FIPS_get_default_drbg(void)
-+ {
-+ return &ossl_dctx;
-+ }
-+
-+static int fips_drbg_bytes(unsigned char *out, int count)
-+ {
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ int rv = 0;
-+ unsigned char *adin = NULL;
-+ size_t adinlen = 0;
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ do
-+ {
-+ size_t rcnt;
-+ if (count > (int)dctx->max_request)
-+ rcnt = dctx->max_request;
-+ else
-+ rcnt = count;
-+ if (dctx->get_adin)
-+ {
-+ adinlen = dctx->get_adin(dctx, &adin);
-+ if (adinlen && !adin)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_BYTES, FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT);
-+ goto err;
-+ }
-+ }
-+ rv = FIPS_drbg_generate(dctx, out, rcnt, 0, adin, adinlen);
-+ if (adin)
-+ {
-+ if (dctx->cleanup_adin)
-+ dctx->cleanup_adin(dctx, adin, adinlen);
-+ adin = NULL;
-+ }
-+ if (!rv)
-+ goto err;
-+ out += rcnt;
-+ count -= rcnt;
-+ }
-+ while (count);
-+ rv = 1;
-+ err:
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ return rv;
-+ }
-+
-+static int fips_drbg_pseudo(unsigned char *out, int count)
-+ {
-+ if (fips_drbg_bytes(out, count) <= 0)
-+ return -1;
-+ return 1;
-+ }
-+
-+static int fips_drbg_status(void)
-+ {
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ int rv;
-+ CRYPTO_r_lock(CRYPTO_LOCK_RAND);
-+ rv = dctx->status == DRBG_STATUS_READY ? 1 : 0;
-+ CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
-+ return rv;
-+ }
-+
-+static void fips_drbg_cleanup(void)
-+ {
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ FIPS_drbg_uninstantiate(dctx);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ }
-+
-+static int fips_drbg_seed(const void *seed, int seedlen)
-+ {
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ if (dctx->rand_seed_cb)
-+ return dctx->rand_seed_cb(dctx, seed, seedlen);
-+ return 1;
-+ }
-+
-+static int fips_drbg_add(const void *seed, int seedlen,
-+ double add_entropy)
-+ {
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ if (dctx->rand_add_cb)
-+ return dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
-+ return 1;
-+ }
-+
-+static const RAND_METHOD rand_drbg_meth =
-+ {
-+ fips_drbg_seed,
-+ fips_drbg_bytes,
-+ fips_drbg_cleanup,
-+ fips_drbg_add,
-+ fips_drbg_pseudo,
-+ fips_drbg_status
-+ };
-+
-+const RAND_METHOD *FIPS_drbg_method(void)
-+ {
-+ return &rand_drbg_meth;
-+ }
-+
-diff -up openssl-1.0.1j/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.1j/crypto/fips/fips_drbg_selftest.c
---- openssl-1.0.1j/crypto/fips/fips_drbg_selftest.c.fips 2014-10-16 13:19:35.097306378 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_drbg_selftest.c 2014-10-16 13:19:35.097306378 +0200
-@@ -0,0 +1,862 @@
-+/* fips/rand/fips_drbg_selftest.c */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/err.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_rand_lcl.h"
-+#include "fips_locl.h"
-+
-+#include "fips_drbg_selftest.h"
-+
-+typedef struct {
-+ int post;
-+ int nid;
-+ unsigned int flags;
-+
-+ /* KAT data for no PR */
-+ const unsigned char *ent;
-+ size_t entlen;
-+ const unsigned char *nonce;
-+ size_t noncelen;
-+ const unsigned char *pers;
-+ size_t perslen;
-+ const unsigned char *adin;
-+ size_t adinlen;
-+ const unsigned char *entreseed;
-+ size_t entreseedlen;
-+ const unsigned char *adinreseed;
-+ size_t adinreseedlen;
-+ const unsigned char *adin2;
-+ size_t adin2len;
-+ const unsigned char *kat;
-+ size_t katlen;
-+ const unsigned char *kat2;
-+ size_t kat2len;
-+
-+ /* KAT data for PR */
-+ const unsigned char *ent_pr;
-+ size_t entlen_pr;
-+ const unsigned char *nonce_pr;
-+ size_t noncelen_pr;
-+ const unsigned char *pers_pr;
-+ size_t perslen_pr;
-+ const unsigned char *adin_pr;
-+ size_t adinlen_pr;
-+ const unsigned char *entpr_pr;
-+ size_t entprlen_pr;
-+ const unsigned char *ading_pr;
-+ size_t adinglen_pr;
-+ const unsigned char *entg_pr;
-+ size_t entglen_pr;
-+ const unsigned char *kat_pr;
-+ size_t katlen_pr;
-+ const unsigned char *kat2_pr;
-+ size_t kat2len_pr;
-+
-+ } DRBG_SELFTEST_DATA;
-+
-+#define make_drbg_test_data(nid, flag, pr, p) {p, nid, flag | DRBG_FLAG_TEST, \
-+ pr##_entropyinput, sizeof(pr##_entropyinput), \
-+ pr##_nonce, sizeof(pr##_nonce), \
-+ pr##_personalizationstring, sizeof(pr##_personalizationstring), \
-+ pr##_additionalinput, sizeof(pr##_additionalinput), \
-+ pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
-+ pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
-+ pr##_additionalinput2, sizeof(pr##_additionalinput2), \
-+ pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
-+ pr##_returnedbits, sizeof(pr##_returnedbits), \
-+ pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
-+ pr##_pr_nonce, sizeof(pr##_pr_nonce), \
-+ pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
-+ pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
-+ pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
-+ pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
-+ pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
-+ pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
-+ pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits), \
-+ }
-+
-+#define make_drbg_test_data_df(nid, pr, p) \
-+ make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr, p)
-+
-+#define make_drbg_test_data_ec(curve, md, pr, p) \
-+ make_drbg_test_data((curve << 16) | md , 0, pr, p)
-+
-+static DRBG_SELFTEST_DATA drbg_test[] = {
-+ make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0),
-+ make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0),
-+ make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1),
-+ make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df, 0),
-+ make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df, 0),
-+ make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df, 1),
-+ make_drbg_test_data(NID_sha1, 0, sha1, 0),
-+ make_drbg_test_data(NID_sha224, 0, sha224, 0),
-+ make_drbg_test_data(NID_sha256, 0, sha256, 1),
-+ make_drbg_test_data(NID_sha384, 0, sha384, 0),
-+ make_drbg_test_data(NID_sha512, 0, sha512, 0),
-+ make_drbg_test_data(NID_hmacWithSHA1, 0, hmac_sha1, 0),
-+ make_drbg_test_data(NID_hmacWithSHA224, 0, hmac_sha224, 0),
-+ make_drbg_test_data(NID_hmacWithSHA256, 0, hmac_sha256, 1),
-+ make_drbg_test_data(NID_hmacWithSHA384, 0, hmac_sha384, 0),
-+ make_drbg_test_data(NID_hmacWithSHA512, 0, hmac_sha512, 0),
-+ {0,0,0}
-+ };
-+
-+typedef struct
-+ {
-+ const unsigned char *ent;
-+ size_t entlen;
-+ int entcnt;
-+ const unsigned char *nonce;
-+ size_t noncelen;
-+ int noncecnt;
-+ } TEST_ENT;
-+
-+static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len)
-+ {
-+ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
-+ *pout = (unsigned char *)t->ent;
-+ t->entcnt++;
-+ return t->entlen;
-+ }
-+
-+static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len)
-+ {
-+ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
-+ *pout = (unsigned char *)t->nonce;
-+ t->noncecnt++;
-+ return t->noncelen;
-+ }
-+
-+static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
-+ int quick)
-+ {
-+ TEST_ENT t;
-+ int rv = 0;
-+ size_t adinlen;
-+ unsigned char randout[1024];
-+
-+ /* Initial test without PR */
-+
-+ /* Instantiate DRBG with test entropy, nonce and personalisation
-+ * string.
-+ */
-+
-+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
-+ return 0;
-+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
-+ return 0;
-+
-+ FIPS_drbg_set_app_data(dctx, &t);
-+
-+ t.ent = td->ent;
-+ t.entlen = td->entlen;
-+ t.nonce = td->nonce;
-+ t.noncelen = td->noncelen;
-+ t.entcnt = 0;
-+ t.noncecnt = 0;
-+
-+ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
-+ goto err;
-+
-+ /* Note for CTR without DF some additional input values
-+ * ignore bytes after the keylength: so reduce adinlen
-+ * to half to ensure invalid data is fed in.
-+ */
-+ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
-+ adinlen = td->adinlen / 2;
-+ else
-+ adinlen = td->adinlen;
-+
-+ /* Generate with no PR and verify output matches expected data */
-+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
-+ td->adin, adinlen))
-+ goto err;
-+
-+ if (memcmp(randout, td->kat, td->katlen))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST1_FAILURE);
-+ goto err2;
-+ }
-+ /* If abbreviated POST end of test */
-+ if (quick)
-+ {
-+ rv = 1;
-+ goto err;
-+ }
-+ /* Reseed DRBG with test entropy and additional input */
-+ t.ent = td->entreseed;
-+ t.entlen = td->entreseedlen;
-+
-+ if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen))
-+ goto err;
-+
-+ /* Generate with no PR and verify output matches expected data */
-+ if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0,
-+ td->adin2, td->adin2len))
-+ goto err;
-+
-+ if (memcmp(randout, td->kat2, td->kat2len))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST2_FAILURE);
-+ goto err2;
-+ }
-+
-+ FIPS_drbg_uninstantiate(dctx);
-+
-+ /* Now test with PR */
-+
-+ /* Instantiate DRBG with test entropy, nonce and personalisation
-+ * string.
-+ */
-+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
-+ return 0;
-+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
-+ return 0;
-+
-+ FIPS_drbg_set_app_data(dctx, &t);
-+
-+ t.ent = td->ent_pr;
-+ t.entlen = td->entlen_pr;
-+ t.nonce = td->nonce_pr;
-+ t.noncelen = td->noncelen_pr;
-+ t.entcnt = 0;
-+ t.noncecnt = 0;
-+
-+ if (!FIPS_drbg_instantiate(dctx, td->pers_pr, td->perslen_pr))
-+ goto err;
-+
-+ /* Now generate with PR: we need to supply entropy as this will
-+ * perform a reseed operation. Check output matches expected value.
-+ */
-+
-+ t.ent = td->entpr_pr;
-+ t.entlen = td->entprlen_pr;
-+
-+ /* Note for CTR without DF some additional input values
-+ * ignore bytes after the keylength: so reduce adinlen
-+ * to half to ensure invalid data is fed in.
-+ */
-+ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
-+ adinlen = td->adinlen_pr / 2;
-+ else
-+ adinlen = td->adinlen_pr;
-+ if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 1,
-+ td->adin_pr, adinlen))
-+ goto err;
-+
-+ if (memcmp(randout, td->kat_pr, td->katlen_pr))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST1_FAILURE);
-+ goto err2;
-+ }
-+
-+ /* Now generate again with PR: supply new entropy again.
-+ * Check output matches expected value.
-+ */
-+
-+ t.ent = td->entg_pr;
-+ t.entlen = td->entglen_pr;
-+
-+ if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 1,
-+ td->ading_pr, td->adinglen_pr))
-+ goto err;
-+
-+ if (memcmp(randout, td->kat2_pr, td->kat2len_pr))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST2_FAILURE);
-+ goto err2;
-+ }
-+ /* All OK, test complete */
-+ rv = 1;
-+
-+ err:
-+ if (rv == 0)
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED);
-+ err2:
-+ FIPS_drbg_uninstantiate(dctx);
-+
-+ return rv;
-+
-+ }
-+
-+/* Initialise a DRBG based on selftest data */
-+
-+static int do_drbg_init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td, TEST_ENT *t)
-+ {
-+
-+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
-+ return 0;
-+
-+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
-+ return 0;
-+
-+ FIPS_drbg_set_app_data(dctx, t);
-+
-+ t->ent = td->ent;
-+ t->entlen = td->entlen;
-+ t->nonce = td->nonce;
-+ t->noncelen = td->noncelen;
-+ t->entcnt = 0;
-+ t->noncecnt = 0;
-+ return 1;
-+ }
-+
-+/* Initialise and instantiate DRBG based on selftest data */
-+static int do_drbg_instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td,
-+ TEST_ENT *t)
-+ {
-+ if (!do_drbg_init(dctx, td, t))
-+ return 0;
-+ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
-+ return 0;
-+
-+ return 1;
-+ }
-+
-+/* This function performs extensive error checking as required by SP800-90.
-+ * Induce several failure modes and check an error condition is set.
-+ * This function along with fips_drbg_single_kat peforms the health checking
-+ * operation.
-+ */
-+
-+static int fips_drbg_error_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA *td)
-+ {
-+ unsigned char randout[1024];
-+ TEST_ENT t;
-+ size_t i;
-+ unsigned int reseed_counter_tmp;
-+ unsigned char *p = (unsigned char *)dctx;
-+
-+ /* Initialise DRBG */
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ /* Don't report induced errors */
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ /* Personalisation string tests */
-+
-+ /* Test detection of too large personlisation string */
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_PERSONALISATION_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ /* Entropy source tests */
-+
-+ /* Test entropy source failure detecion: i.e. returns no data */
-+
-+ t.entlen = 0;
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ /* Try to generate output from uninstantiated DRBG */
-+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
-+ td->adin, td->adinlen))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_GENERATE_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ /* Test insufficient entropy */
-+
-+ t.entlen = dctx->min_entropy - 1;
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Test too much entropy */
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ t.entlen = dctx->max_entropy + 1;
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Nonce tests */
-+
-+ /* Test too small nonce */
-+
-+ if (dctx->min_nonce)
-+ {
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ t.noncelen = dctx->min_nonce - 1;
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_NONCE_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ }
-+
-+ /* Test too large nonce */
-+
-+ if (dctx->max_nonce)
-+ {
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ t.noncelen = dctx->max_nonce + 1;
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_NONCE_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ }
-+
-+ /* Instantiate with valid data. */
-+ if (!do_drbg_instantiate(dctx, td, &t))
-+ goto err;
-+
-+ /* Check generation is now OK */
-+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
-+ td->adin, td->adinlen))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ /* Request too much data for one request */
-+ if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0,
-+ td->adin, td->adinlen))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ /* Try too large additional input */
-+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
-+ td->adin, dctx->max_adin + 1))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ /* Check prediction resistance request fails if entropy source
-+ * failure.
-+ */
-+
-+ t.entlen = 0;
-+
-+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
-+ td->adin, td->adinlen))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+
-+ /* Instantiate again with valid data */
-+
-+ if (!do_drbg_instantiate(dctx, td, &t))
-+ goto err;
-+ /* Test reseed counter works */
-+ /* Save initial reseed counter */
-+ reseed_counter_tmp = dctx->reseed_counter;
-+ /* Set reseed counter to beyond interval */
-+ dctx->reseed_counter = dctx->reseed_interval;
-+
-+ /* Generate output and check entropy has been requested for reseed */
-+ t.entcnt = 0;
-+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
-+ td->adin, td->adinlen))
-+ goto err;
-+ if (t.entcnt != 1)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
-+ goto err;
-+ }
-+ /* Check reseed counter has been reset */
-+ if (dctx->reseed_counter != reseed_counter_tmp + 1)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Check prediction resistance request fails if entropy source
-+ * failure.
-+ */
-+
-+ t.entlen = 0;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
-+ td->adin, td->adinlen))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+
-+ if (!do_drbg_instantiate(dctx, td, &t))
-+ goto err;
-+ /* Test reseed counter works */
-+ /* Save initial reseed counter */
-+ reseed_counter_tmp = dctx->reseed_counter;
-+ /* Set reseed counter to beyond interval */
-+ dctx->reseed_counter = dctx->reseed_interval;
-+
-+ /* Generate output and check entropy has been requested for reseed */
-+ t.entcnt = 0;
-+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
-+ td->adin, td->adinlen))
-+ goto err;
-+ if (t.entcnt != 1)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
-+ goto err;
-+ }
-+ /* Check reseed counter has been reset */
-+ if (dctx->reseed_counter != reseed_counter_tmp + 1)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Explicit reseed tests */
-+
-+ /* Test explicit reseed with too large additional input */
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ if (FIPS_drbg_reseed(dctx, td->adin, dctx->max_adin + 1) > 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ /* Test explicit reseed with entropy source failure */
-+
-+ t.entlen = 0;
-+
-+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Test explicit reseed with too much entropy */
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ t.entlen = dctx->max_entropy + 1;
-+
-+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Test explicit reseed with too little entropy */
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ t.entlen = dctx->min_entropy - 1;
-+
-+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ if (!FIPS_drbg_uninstantiate(dctx))
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ p = (unsigned char *)&dctx->d;
-+ /* Standard says we have to check uninstantiate really zeroes
-+ * the data...
-+ */
-+ for (i = 0; i < sizeof(dctx->d); i++)
-+ {
-+ if (*p != 0)
-+ {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ZEROISE_ERROR);
-+ goto err;
-+ }
-+ p++;
-+ }
-+
-+ return 1;
-+
-+ err:
-+ /* A real error as opposed to an induced one: underlying function will
-+ * indicate the error.
-+ */
-+ if (!(dctx->iflags & DRBG_FLAG_NOERR))
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_FUNCTION_ERROR);
-+ FIPS_drbg_uninstantiate(dctx);
-+ return 0;
-+
-+ }
-+
-+int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags)
-+ {
-+ DRBG_SELFTEST_DATA *td;
-+ flags |= DRBG_FLAG_TEST;
-+ for (td = drbg_test; td->nid != 0; td++)
-+ {
-+ if (td->nid == nid && td->flags == flags)
-+ {
-+ if (!fips_drbg_single_kat(dctx, td, 0))
-+ return 0;
-+ return fips_drbg_error_check(dctx, td);
-+ }
-+ }
-+ return 0;
-+ }
-+
-+int FIPS_drbg_health_check(DRBG_CTX *dctx)
-+ {
-+ int rv;
-+ DRBG_CTX *tctx = NULL;
-+ tctx = FIPS_drbg_new(0, 0);
-+ fips_post_started(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
-+ if (!tctx)
-+ return 0;
-+ rv = fips_drbg_kat(tctx, dctx->type, dctx->xflags);
-+ if (tctx)
-+ FIPS_drbg_free(tctx);
-+ if (rv)
-+ fips_post_success(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
-+ else
-+ fips_post_failed(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
-+ if (!rv)
-+ dctx->status = DRBG_STATUS_ERROR;
-+ else
-+ dctx->health_check_cnt = 0;
-+ return rv;
-+ }
-+
-+int FIPS_selftest_drbg(void)
-+ {
-+ DRBG_CTX *dctx;
-+ DRBG_SELFTEST_DATA *td;
-+ int rv = 1;
-+ dctx = FIPS_drbg_new(0, 0);
-+ if (!dctx)
-+ return 0;
-+ for (td = drbg_test; td->nid != 0; td++)
-+ {
-+ if (td->post != 1)
-+ continue;
-+ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
-+ return 1;
-+ if (!fips_drbg_single_kat(dctx, td, 1))
-+ {
-+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
-+ rv = 0;
-+ continue;
-+ }
-+ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
-+ return 0;
-+ }
-+ FIPS_drbg_free(dctx);
-+ return rv;
-+ }
-+
-+
-+int FIPS_selftest_drbg_all(void)
-+ {
-+ DRBG_CTX *dctx;
-+ DRBG_SELFTEST_DATA *td;
-+ int rv = 1;
-+ dctx = FIPS_drbg_new(0, 0);
-+ if (!dctx)
-+ return 0;
-+ for (td = drbg_test; td->nid != 0; td++)
-+ {
-+ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
-+ return 1;
-+ if (!fips_drbg_single_kat(dctx, td, 0))
-+ {
-+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
-+ rv = 0;
-+ continue;
-+ }
-+ if (!fips_drbg_error_check(dctx, td))
-+ {
-+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
-+ rv = 0;
-+ continue;
-+ }
-+ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
-+ return 0;
-+ }
-+ FIPS_drbg_free(dctx);
-+ return rv;
-+ }
-+
-diff -up openssl-1.0.1j/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.1j/crypto/fips/fips_drbg_selftest.h
---- openssl-1.0.1j/crypto/fips/fips_drbg_selftest.h.fips 2014-10-16 13:19:35.098306401 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_drbg_selftest.h 2014-10-16 13:19:35.098306401 +0200
-@@ -0,0 +1,2335 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+/* Selftest and health check data for the SP800-90 DRBG */
-+
-+#define __fips_constseg
-+
-+/* AES-128 use df PR */
-+__fips_constseg
-+static const unsigned char aes_128_use_df_pr_entropyinput[] =
-+ {
-+ 0x61,0x52,0x7c,0xe3,0x23,0x7d,0x0a,0x07,0x10,0x0c,0x50,0x33,
-+ 0xc8,0xdb,0xff,0x12
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_pr_nonce[] =
-+ {
-+ 0x51,0x0d,0x85,0x77,0xed,0x22,0x97,0x28
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_pr_personalizationstring[] =
-+ {
-+ 0x59,0x9f,0xbb,0xcd,0xd5,0x25,0x69,0xb5,0xcb,0xb5,0x03,0xfe,
-+ 0xd7,0xd7,0x01,0x67
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_pr_additionalinput[] =
-+ {
-+ 0xef,0x88,0x76,0x01,0xaf,0x3c,0xfe,0x8b,0xaf,0x26,0x06,0x9e,
-+ 0x9a,0x47,0x08,0x76
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_pr_entropyinputpr[] =
-+ {
-+ 0xe2,0x76,0xf9,0xf6,0x3a,0xba,0x10,0x9f,0xbf,0x47,0x0e,0x51,
-+ 0x09,0xfb,0xa3,0xb6
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_pr_int_returnedbits[] =
-+ {
-+ 0xd4,0x98,0x8a,0x46,0x80,0x4c,0xdb,0xa3,0x59,0x02,0x57,0x52,
-+ 0x66,0x1c,0xea,0x5b
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_pr_additionalinput2[] =
-+ {
-+ 0x88,0x8c,0x91,0xd6,0xbe,0x56,0x6e,0x08,0x9a,0x62,0x2b,0x11,
-+ 0x3f,0x5e,0x31,0x06
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_pr_entropyinputpr2[] =
-+ {
-+ 0xc0,0x5c,0x6b,0x98,0x01,0x0d,0x58,0x18,0x51,0x18,0x96,0xae,
-+ 0xa7,0xe3,0xa8,0x67
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_pr_returnedbits[] =
-+ {
-+ 0xcf,0x01,0xac,0x22,0x31,0x06,0x8e,0xfc,0xce,0x56,0xea,0x24,
-+ 0x0f,0x38,0x43,0xc6
-+ };
-+
-+
-+/* AES-128 use df No PR */
-+__fips_constseg
-+static const unsigned char aes_128_use_df_entropyinput[] =
-+ {
-+ 0x1f,0x8e,0x34,0x82,0x0c,0xb7,0xbe,0xc5,0x01,0x3e,0xd0,0xa3,
-+ 0x9d,0x7d,0x1c,0x9b
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_nonce[] =
-+ {
-+ 0xd5,0x4d,0xbd,0x4a,0x93,0x7f,0xb8,0x96
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_personalizationstring[] =
-+ {
-+ 0xab,0xd6,0x3f,0x04,0xfe,0x27,0x6b,0x2d,0xd7,0xc3,0x1c,0xf3,
-+ 0x38,0x66,0xba,0x1b
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_additionalinput[] =
-+ {
-+ 0xfe,0xf4,0x09,0xa8,0xb7,0x73,0x27,0x9c,0x5f,0xa7,0xea,0x46,
-+ 0xb5,0xe2,0xb2,0x41
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_int_returnedbits[] =
-+ {
-+ 0x42,0xe4,0x4e,0x7b,0x27,0xdd,0xcb,0xbc,0x0a,0xcf,0xa6,0x67,
-+ 0xe7,0x57,0x11,0xb4
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_entropyinputreseed[] =
-+ {
-+ 0x14,0x26,0x69,0xd9,0xf3,0x65,0x03,0xd6,0x6b,0xb9,0x44,0x0b,
-+ 0xc7,0xc4,0x9e,0x39
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_additionalinputreseed[] =
-+ {
-+ 0x55,0x2e,0x60,0x9a,0x05,0x72,0x8a,0xa8,0xef,0x22,0x81,0x5a,
-+ 0xc8,0x93,0xfa,0x84
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_additionalinput2[] =
-+ {
-+ 0x3c,0x40,0xc8,0xc4,0x16,0x0c,0x21,0xa4,0x37,0x2c,0x8f,0xa5,
-+ 0x06,0x0c,0x15,0x2c
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_use_df_returnedbits[] =
-+ {
-+ 0xe1,0x3e,0x99,0x98,0x86,0x67,0x0b,0x63,0x7b,0xbe,0x3f,0x88,
-+ 0x46,0x81,0xc7,0x19
-+ };
-+
-+
-+/* AES-192 use df PR */
-+__fips_constseg
-+static const unsigned char aes_192_use_df_pr_entropyinput[] =
-+ {
-+ 0x2b,0x4e,0x8b,0xe1,0xf1,0x34,0x80,0x56,0x81,0xf9,0x74,0xec,
-+ 0x17,0x44,0x2a,0xf1,0x14,0xb0,0xbf,0x97,0x39,0xb7,0x04,0x7d
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_pr_nonce[] =
-+ {
-+ 0xd6,0x9d,0xeb,0x14,0x4e,0x6c,0x30,0x1e,0x39,0x55,0x73,0xd0,
-+ 0xd1,0x80,0x78,0xfa
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_pr_personalizationstring[] =
-+ {
-+ 0xfc,0x43,0x4a,0xf8,0x9a,0x55,0xb3,0x53,0x83,0xe2,0x18,0x16,
-+ 0x0c,0xdc,0xcd,0x5e,0x4f,0xa0,0x03,0x01,0x2b,0x9f,0xe4,0xd5,
-+ 0x7d,0x49,0xf0,0x41,0x9e,0x3d,0x99,0x04
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_pr_additionalinput[] =
-+ {
-+ 0x5e,0x9f,0x49,0x6f,0x21,0x8b,0x1d,0x32,0xd5,0x84,0x5c,0xac,
-+ 0xaf,0xdf,0xe4,0x79,0x9e,0xaf,0xa9,0x82,0xd0,0xf8,0x4f,0xcb,
-+ 0x69,0x10,0x0a,0x7e,0x81,0x57,0xb5,0x36
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_pr_entropyinputpr[] =
-+ {
-+ 0xd4,0x81,0x0c,0xd7,0x66,0x39,0xec,0x42,0x53,0x87,0x41,0xa5,
-+ 0x1e,0x7d,0x80,0x91,0x8e,0xbb,0xed,0xac,0x14,0x02,0x1a,0xd5
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_pr_int_returnedbits[] =
-+ {
-+ 0xdf,0x1d,0x39,0x45,0x7c,0x9b,0xc6,0x2b,0x7d,0x8c,0x93,0xe9,
-+ 0x19,0x30,0x6b,0x67
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_pr_additionalinput2[] =
-+ {
-+ 0x00,0x71,0x27,0x4e,0xd3,0x14,0xf1,0x20,0x7f,0x4a,0x41,0x32,
-+ 0x2a,0x97,0x11,0x43,0x8f,0x4a,0x15,0x7b,0x9b,0x51,0x79,0xda,
-+ 0x49,0x3d,0xde,0xe8,0xbc,0x93,0x91,0x99
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_pr_entropyinputpr2[] =
-+ {
-+ 0x90,0xee,0x76,0xa1,0x45,0x8d,0xb7,0x40,0xb0,0x11,0xbf,0xd0,
-+ 0x65,0xd7,0x3c,0x7c,0x4f,0x20,0x3f,0x4e,0x11,0x9d,0xb3,0x5e
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_pr_returnedbits[] =
-+ {
-+ 0x24,0x3b,0x20,0xa4,0x37,0x66,0xba,0x72,0x39,0x3f,0xcf,0x3c,
-+ 0x7e,0x1a,0x2b,0x83
-+ };
-+
-+
-+/* AES-192 use df No PR */
-+__fips_constseg
-+static const unsigned char aes_192_use_df_entropyinput[] =
-+ {
-+ 0x8d,0x74,0xa4,0x50,0x1a,0x02,0x68,0x0c,0x2a,0x69,0xc4,0x82,
-+ 0x3b,0xbb,0xda,0x0e,0x7f,0x77,0xa3,0x17,0x78,0x57,0xb2,0x7b
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_nonce[] =
-+ {
-+ 0x75,0xd5,0x1f,0xac,0xa4,0x8d,0x42,0x78,0xd7,0x69,0x86,0x9d,
-+ 0x77,0xd7,0x41,0x0e
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_personalizationstring[] =
-+ {
-+ 0x4e,0x33,0x41,0x3c,0x9c,0xc2,0xd2,0x53,0xaf,0x90,0xea,0xcf,
-+ 0x19,0x50,0x1e,0xe6,0x6f,0x63,0xc8,0x32,0x22,0xdc,0x07,0x65,
-+ 0x9c,0xd3,0xf8,0x30,0x9e,0xed,0x35,0x70
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_additionalinput[] =
-+ {
-+ 0x5d,0x8b,0x8c,0xc1,0xdf,0x0e,0x02,0x78,0xfb,0x19,0xb8,0x69,
-+ 0x78,0x4e,0x9c,0x52,0xbc,0xc7,0x20,0xc9,0xe6,0x5e,0x77,0x22,
-+ 0x28,0x3d,0x0c,0x9e,0x68,0xa8,0x45,0xd7
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_int_returnedbits[] =
-+ {
-+ 0xd5,0xe7,0x08,0xc5,0x19,0x99,0xd5,0x31,0x03,0x0a,0x74,0xb6,
-+ 0xb7,0xed,0xe9,0xea
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_entropyinputreseed[] =
-+ {
-+ 0x9c,0x26,0xda,0xf1,0xac,0xd9,0x5a,0xd6,0xa8,0x65,0xf5,0x02,
-+ 0x8f,0xdc,0xa2,0x09,0x54,0xa6,0xe2,0xa4,0xde,0x32,0xe0,0x01
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_additionalinputreseed[] =
-+ {
-+ 0x9b,0x90,0xb0,0x3a,0x0e,0x3a,0x80,0x07,0x4a,0xf4,0xda,0x76,
-+ 0x28,0x30,0x3c,0xee,0x54,0x1b,0x94,0x59,0x51,0x43,0x56,0x77,
-+ 0xaf,0x88,0xdd,0x63,0x89,0x47,0x06,0x65
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_additionalinput2[] =
-+ {
-+ 0x3c,0x11,0x64,0x7a,0x96,0xf5,0xd8,0xb8,0xae,0xd6,0x70,0x4e,
-+ 0x16,0x96,0xde,0xe9,0x62,0xbc,0xee,0x28,0x2f,0x26,0xa6,0xf0,
-+ 0x56,0xef,0xa3,0xf1,0x6b,0xa1,0xb1,0x77
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_use_df_returnedbits[] =
-+ {
-+ 0x0b,0xe2,0x56,0x03,0x1e,0xdb,0x2c,0x6d,0x7f,0x1b,0x15,0x58,
-+ 0x1a,0xf9,0x13,0x28
-+ };
-+
-+
-+/* AES-256 use df PR */
-+__fips_constseg
-+static const unsigned char aes_256_use_df_pr_entropyinput[] =
-+ {
-+ 0x61,0x68,0xfc,0x1a,0xf0,0xb5,0x95,0x6b,0x85,0x09,0x9b,0x74,
-+ 0x3f,0x13,0x78,0x49,0x3b,0x85,0xec,0x93,0x13,0x3b,0xa9,0x4f,
-+ 0x96,0xab,0x2c,0xe4,0xc8,0x8f,0xdd,0x6a
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_pr_nonce[] =
-+ {
-+ 0xad,0xd2,0xbb,0xba,0xb7,0x65,0x89,0xc3,0x21,0x6c,0x55,0x33,
-+ 0x2b,0x36,0xff,0xa4
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_pr_personalizationstring[] =
-+ {
-+ 0x6e,0xca,0xe7,0x20,0x72,0xd3,0x84,0x5a,0x32,0xd3,0x4b,0x24,
-+ 0x72,0xc4,0x63,0x2b,0x9d,0x12,0x24,0x0c,0x23,0x26,0x8e,0x83,
-+ 0x16,0x37,0x0b,0xd1,0x06,0x4f,0x68,0x6d
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_pr_additionalinput[] =
-+ {
-+ 0x7e,0x08,0x4a,0xbb,0xe3,0x21,0x7c,0xc9,0x23,0xd2,0xf8,0xb0,
-+ 0x73,0x98,0xba,0x84,0x74,0x23,0xab,0x06,0x8a,0xe2,0x22,0xd3,
-+ 0x7b,0xce,0x9b,0xd2,0x4a,0x76,0xb8,0xde
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_pr_entropyinputpr[] =
-+ {
-+ 0x0b,0x23,0xaf,0xdf,0xf1,0x62,0xd7,0xd3,0x43,0x97,0xf8,0x77,
-+ 0x04,0xa8,0x42,0x20,0xbd,0xf6,0x0f,0xc1,0x17,0x2f,0x9f,0x54,
-+ 0xbb,0x56,0x17,0x86,0x68,0x0e,0xba,0xa9
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_pr_int_returnedbits[] =
-+ {
-+ 0x31,0x8e,0xad,0xaf,0x40,0xeb,0x6b,0x74,0x31,0x46,0x80,0xc7,
-+ 0x17,0xab,0x3c,0x7a
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_pr_additionalinput2[] =
-+ {
-+ 0x94,0x6b,0xc9,0x9f,0xab,0x8d,0xc5,0xec,0x71,0x88,0x1d,0x00,
-+ 0x8c,0x89,0x68,0xe4,0xc8,0x07,0x77,0x36,0x17,0x6d,0x79,0x78,
-+ 0xc7,0x06,0x4e,0x99,0x04,0x28,0x29,0xc3
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_pr_entropyinputpr2[] =
-+ {
-+ 0xbf,0x6c,0x59,0x2a,0x0d,0x44,0x0f,0xae,0x9a,0x5e,0x03,0x73,
-+ 0xd8,0xa6,0xe1,0xcf,0x25,0x61,0x38,0x24,0x86,0x9e,0x53,0xe8,
-+ 0xa4,0xdf,0x56,0xf4,0x06,0x07,0x9c,0x0f
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_pr_returnedbits[] =
-+ {
-+ 0x22,0x4a,0xb4,0xb8,0xb6,0xee,0x7d,0xb1,0x9e,0xc9,0xf9,0xa0,
-+ 0xd9,0xe2,0x97,0x00
-+ };
-+
-+
-+/* AES-256 use df No PR */
-+__fips_constseg
-+static const unsigned char aes_256_use_df_entropyinput[] =
-+ {
-+ 0xa5,0x3e,0x37,0x10,0x17,0x43,0x91,0x93,0x59,0x1e,0x47,0x50,
-+ 0x87,0xaa,0xdd,0xd5,0xc1,0xc3,0x86,0xcd,0xca,0x0d,0xdb,0x68,
-+ 0xe0,0x02,0xd8,0x0f,0xdc,0x40,0x1a,0x47
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_nonce[] =
-+ {
-+ 0xa9,0x4d,0xa5,0x5a,0xfd,0xc5,0x0c,0xe5,0x1c,0x9a,0x3b,0x8a,
-+ 0x4c,0x44,0x84,0x40
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_personalizationstring[] =
-+ {
-+ 0x8b,0x52,0xa2,0x4a,0x93,0xc3,0x4e,0xa7,0x1e,0x1c,0xa7,0x05,
-+ 0xeb,0x82,0x9b,0xa6,0x5d,0xe4,0xd4,0xe0,0x7f,0xa3,0xd8,0x6b,
-+ 0x37,0x84,0x5f,0xf1,0xc7,0xd5,0xf6,0xd2
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_additionalinput[] =
-+ {
-+ 0x20,0xf4,0x22,0xed,0xf8,0x5c,0xa1,0x6a,0x01,0xcf,0xbe,0x5f,
-+ 0x8d,0x6c,0x94,0x7f,0xae,0x12,0xa8,0x57,0xdb,0x2a,0xa9,0xbf,
-+ 0xc7,0xb3,0x65,0x81,0x80,0x8d,0x0d,0x46
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_int_returnedbits[] =
-+ {
-+ 0x4e,0x44,0xfd,0xf3,0x9e,0x29,0xa2,0xb8,0x0f,0x5d,0x6c,0xe1,
-+ 0x28,0x0c,0x3b,0xc1
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_entropyinputreseed[] =
-+ {
-+ 0xdd,0x40,0xe5,0x98,0x7b,0x27,0x16,0x73,0x15,0x68,0xd2,0x76,
-+ 0xbf,0x0c,0x67,0x15,0x75,0x79,0x03,0xd3,0xde,0xde,0x91,0x46,
-+ 0x42,0xdd,0xd4,0x67,0xc8,0x79,0xc8,0x1e
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_additionalinputreseed[] =
-+ {
-+ 0x7f,0xd8,0x1f,0xbd,0x2a,0xb5,0x1c,0x11,0x5d,0x83,0x4e,0x99,
-+ 0xf6,0x5c,0xa5,0x40,0x20,0xed,0x38,0x8e,0xd5,0x9e,0xe0,0x75,
-+ 0x93,0xfe,0x12,0x5e,0x5d,0x73,0xfb,0x75
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_additionalinput2[] =
-+ {
-+ 0xcd,0x2c,0xff,0x14,0x69,0x3e,0x4c,0x9e,0xfd,0xfe,0x26,0x0d,
-+ 0xe9,0x86,0x00,0x49,0x30,0xba,0xb1,0xc6,0x50,0x57,0x77,0x2a,
-+ 0x62,0x39,0x2c,0x3b,0x74,0xeb,0xc9,0x0d
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_use_df_returnedbits[] =
-+ {
-+ 0x4f,0x78,0xbe,0xb9,0x4d,0x97,0x8c,0xe9,0xd0,0x97,0xfe,0xad,
-+ 0xfa,0xfd,0x35,0x5e
-+ };
-+
-+
-+/* AES-128 no df PR */
-+__fips_constseg
-+static const unsigned char aes_128_no_df_pr_entropyinput[] =
-+ {
-+ 0x9a,0x25,0x65,0x10,0x67,0xd5,0xb6,0x6b,0x70,0xa1,0xb3,0xa4,
-+ 0x43,0x95,0x80,0xc0,0x84,0x0a,0x79,0xb0,0x88,0x74,0xf2,0xbf,
-+ 0x31,0x6c,0x33,0x38,0x0b,0x00,0xb2,0x5a
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_pr_nonce[] =
-+ {
-+ 0x78,0x47,0x6b,0xf7,0x90,0x8e,0x87,0xf1
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_pr_personalizationstring[] =
-+ {
-+ 0xf7,0x22,0x1d,0x3a,0xbe,0x1d,0xca,0x32,0x1b,0xbd,0x87,0x0c,
-+ 0x51,0x24,0x19,0xee,0xa3,0x23,0x09,0x63,0x33,0x3d,0xa8,0x0c,
-+ 0x1c,0xfa,0x42,0x89,0xcc,0x6f,0xa0,0xa8
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_pr_additionalinput[] =
-+ {
-+ 0xc9,0xe0,0x80,0xbf,0x8c,0x45,0x58,0x39,0xff,0x00,0xab,0x02,
-+ 0x4c,0x3e,0x3a,0x95,0x9b,0x80,0xa8,0x21,0x2a,0xee,0xba,0x73,
-+ 0xb1,0xd9,0xcf,0x28,0xf6,0x8f,0x9b,0x12
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_pr_entropyinputpr[] =
-+ {
-+ 0x4c,0xa8,0xc5,0xf0,0x59,0x9e,0xa6,0x8d,0x26,0x53,0xd7,0x8a,
-+ 0xa9,0xd8,0xf7,0xed,0xb2,0xf9,0x12,0x42,0xe1,0xe5,0xbd,0xe7,
-+ 0xe7,0x1d,0x74,0x99,0x00,0x9d,0x31,0x3e
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_pr_int_returnedbits[] =
-+ {
-+ 0xe2,0xac,0x20,0xf0,0x80,0xe7,0xbc,0x7e,0x9c,0x7b,0x65,0x71,
-+ 0xaf,0x19,0x32,0x16
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_pr_additionalinput2[] =
-+ {
-+ 0x32,0x7f,0x38,0x8b,0x73,0x0a,0x78,0x83,0xdc,0x30,0xbe,0x9f,
-+ 0x10,0x1f,0xf5,0x1f,0xca,0x00,0xb5,0x0d,0xd6,0x9d,0x60,0x83,
-+ 0x51,0x54,0x7d,0x38,0x23,0x3a,0x52,0x50
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_pr_entropyinputpr2[] =
-+ {
-+ 0x18,0x61,0x53,0x56,0xed,0xed,0xd7,0x20,0xfb,0x71,0x04,0x7a,
-+ 0xb2,0xac,0xc1,0x28,0xcd,0xf2,0xc2,0xfc,0xaa,0xb1,0x06,0x07,
-+ 0xe9,0x46,0x95,0x02,0x48,0x01,0x78,0xf9
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_pr_returnedbits[] =
-+ {
-+ 0x29,0xc8,0x1b,0x15,0xb1,0xd1,0xc2,0xf6,0x71,0x86,0x68,0x33,
-+ 0x57,0x82,0x33,0xaf
-+ };
-+
-+
-+/* AES-128 no df No PR */
-+__fips_constseg
-+static const unsigned char aes_128_no_df_entropyinput[] =
-+ {
-+ 0xc9,0xc5,0x79,0xbc,0xe8,0xc5,0x19,0xd8,0xbc,0x66,0x73,0x67,
-+ 0xf6,0xd3,0x72,0xaa,0xa6,0x16,0xb8,0x50,0xb7,0x47,0x3a,0x42,
-+ 0xab,0xf4,0x16,0xb2,0x96,0xd2,0xb6,0x60
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_nonce[] =
-+ {
-+ 0x5f,0xbf,0x97,0x0c,0x4b,0xa4,0x87,0x13
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_personalizationstring[] =
-+ {
-+ 0xce,0xfb,0x7b,0x3f,0xd4,0x6b,0x29,0x0d,0x69,0x06,0xff,0xbb,
-+ 0xf2,0xe5,0xc6,0x6c,0x0a,0x10,0xa0,0xcf,0x1a,0x48,0xc7,0x8b,
-+ 0x3c,0x16,0x88,0xed,0x50,0x13,0x81,0xce
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_additionalinput[] =
-+ {
-+ 0x4b,0x22,0x46,0x18,0x02,0x7b,0xd2,0x1b,0x22,0x42,0x7c,0x37,
-+ 0xd9,0xf6,0xe8,0x9b,0x12,0x30,0x5f,0xe9,0x90,0xe8,0x08,0x24,
-+ 0x4f,0x06,0x66,0xdb,0x19,0x2b,0x13,0x95
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_int_returnedbits[] =
-+ {
-+ 0x2e,0x96,0x70,0x64,0xfa,0xdf,0xdf,0x57,0xb5,0x82,0xee,0xd6,
-+ 0xed,0x3e,0x65,0xc2
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_entropyinputreseed[] =
-+ {
-+ 0x26,0xc0,0x72,0x16,0x3a,0x4b,0xb7,0x99,0xd4,0x07,0xaf,0x66,
-+ 0x62,0x36,0x96,0xa4,0x51,0x17,0xfa,0x07,0x8b,0x17,0x5e,0xa1,
-+ 0x2f,0x3c,0x10,0xe7,0x90,0xd0,0x46,0x00
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_additionalinputreseed[] =
-+ {
-+ 0x83,0x39,0x37,0x7b,0x02,0x06,0xd2,0x12,0x13,0x8d,0x8b,0xf2,
-+ 0xf0,0xf6,0x26,0xeb,0xa4,0x22,0x7b,0xc2,0xe7,0xba,0x79,0xe4,
-+ 0x3b,0x77,0x5d,0x4d,0x47,0xb2,0x2d,0xb4
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_additionalinput2[] =
-+ {
-+ 0x0b,0xb9,0x67,0x37,0xdb,0x83,0xdf,0xca,0x81,0x8b,0xf9,0x3f,
-+ 0xf1,0x11,0x1b,0x2f,0xf0,0x61,0xa6,0xdf,0xba,0xa3,0xb1,0xac,
-+ 0xd3,0xe6,0x09,0xb8,0x2c,0x6a,0x67,0xd6
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_128_no_df_returnedbits[] =
-+ {
-+ 0x1e,0xa7,0xa4,0xe4,0xe1,0xa6,0x7c,0x69,0x9a,0x44,0x6c,0x36,
-+ 0x81,0x37,0x19,0xd4
-+ };
-+
-+
-+/* AES-192 no df PR */
-+__fips_constseg
-+static const unsigned char aes_192_no_df_pr_entropyinput[] =
-+ {
-+ 0x9d,0x2c,0xd2,0x55,0x66,0xea,0xe0,0xbe,0x18,0xb7,0x76,0xe7,
-+ 0x73,0x35,0xd8,0x1f,0xad,0x3a,0xe3,0x81,0x0e,0x92,0xd0,0x61,
-+ 0xc9,0x12,0x26,0xf6,0x1c,0xdf,0xfe,0x47,0xaa,0xfe,0x7d,0x5a,
-+ 0x17,0x1f,0x8d,0x9a
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_pr_nonce[] =
-+ {
-+ 0x44,0x82,0xed,0xe8,0x4c,0x28,0x5a,0x14,0xff,0x88,0x8d,0x19,
-+ 0x61,0x5c,0xee,0x0f
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_pr_personalizationstring[] =
-+ {
-+ 0x47,0xd7,0x9b,0x99,0xaa,0xcb,0xe7,0xd2,0x57,0x66,0x2c,0xe1,
-+ 0x78,0xd6,0x2c,0xea,0xa3,0x23,0x5f,0x2a,0xc1,0x3a,0xf0,0xa4,
-+ 0x20,0x3b,0xfa,0x07,0xd5,0x05,0x02,0xe4,0x57,0x01,0xb6,0x10,
-+ 0x57,0x2e,0xe7,0x55
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_pr_additionalinput[] =
-+ {
-+ 0x4b,0x74,0x0b,0x40,0xce,0x6b,0xc2,0x6a,0x24,0xb4,0xf3,0xad,
-+ 0x7a,0xa5,0x7a,0xa2,0x15,0xe2,0xc8,0x61,0x15,0xc6,0xb7,0x85,
-+ 0x69,0x11,0xad,0x7b,0x14,0xd2,0xf6,0x12,0xa1,0x95,0x5d,0x3f,
-+ 0xe2,0xd0,0x0c,0x2f
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_pr_entropyinputpr[] =
-+ {
-+ 0x0c,0x9c,0xad,0x05,0xee,0xae,0x48,0x23,0x89,0x59,0xa1,0x94,
-+ 0xd7,0xd8,0x75,0xd5,0x54,0x93,0xc7,0x4a,0xd9,0x26,0xde,0xeb,
-+ 0xba,0xb0,0x7e,0x30,0x1d,0x5f,0x69,0x40,0x9c,0x3b,0x17,0x58,
-+ 0x1d,0x30,0xb3,0x78
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_pr_int_returnedbits[] =
-+ {
-+ 0xf7,0x93,0xb0,0x6d,0x77,0x83,0xd5,0x38,0x01,0xe1,0x52,0x40,
-+ 0x7e,0x3e,0x0c,0x26
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_pr_additionalinput2[] =
-+ {
-+ 0xbc,0x4b,0x37,0x44,0x1c,0xc5,0x45,0x5f,0x8f,0x51,0x62,0x8a,
-+ 0x85,0x30,0x1d,0x7c,0xe4,0xcf,0xf7,0x44,0xce,0x32,0x3e,0x57,
-+ 0x95,0xa4,0x2a,0xdf,0xfd,0x9e,0x38,0x41,0xb3,0xf6,0xc5,0xee,
-+ 0x0c,0x4b,0xee,0x6e
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_pr_entropyinputpr2[] =
-+ {
-+ 0xec,0xaf,0xf6,0x4f,0xb1,0xa0,0x54,0xb5,0x5b,0xe3,0x46,0xb0,
-+ 0x76,0x5a,0x7c,0x3f,0x7b,0x94,0x69,0x21,0x51,0x02,0xe5,0x9f,
-+ 0x04,0x59,0x02,0x98,0xc6,0x43,0x2c,0xcc,0x26,0x4c,0x87,0x6b,
-+ 0x8e,0x0a,0x83,0xdf
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_pr_returnedbits[] =
-+ {
-+ 0x74,0x45,0xfb,0x53,0x84,0x96,0xbe,0xff,0x15,0xcc,0x41,0x91,
-+ 0xb9,0xa1,0x21,0x68
-+ };
-+
-+
-+/* AES-192 no df No PR */
-+__fips_constseg
-+static const unsigned char aes_192_no_df_entropyinput[] =
-+ {
-+ 0x3c,0x7d,0xb5,0xe0,0x54,0xd9,0x6e,0x8c,0xa9,0x86,0xce,0x4e,
-+ 0x6b,0xaf,0xeb,0x2f,0xe7,0x75,0xe0,0x8b,0xa4,0x3b,0x07,0xfe,
-+ 0xbe,0x33,0x75,0x93,0x80,0x27,0xb5,0x29,0x47,0x8b,0xc7,0x28,
-+ 0x94,0xc3,0x59,0x63
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_nonce[] =
-+ {
-+ 0x43,0xf1,0x7d,0xb8,0xc3,0xfe,0xd0,0x23,0x6b,0xb4,0x92,0xdb,
-+ 0x29,0xfd,0x45,0x71
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_personalizationstring[] =
-+ {
-+ 0x9f,0x24,0x29,0x99,0x9e,0x01,0xab,0xe9,0x19,0xd8,0x23,0x08,
-+ 0xb7,0xd6,0x7e,0x8c,0xc0,0x9e,0x7f,0x6e,0x5b,0x33,0x20,0x96,
-+ 0x0b,0x23,0x2c,0xa5,0x6a,0xf8,0x1b,0x04,0x26,0xdb,0x2e,0x2b,
-+ 0x3b,0x88,0xce,0x35
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_additionalinput[] =
-+ {
-+ 0x94,0xe9,0x7c,0x3d,0xa7,0xdb,0x60,0x83,0x1f,0x98,0x3f,0x0b,
-+ 0x88,0x59,0x57,0x51,0x88,0x9f,0x76,0x49,0x9f,0xa6,0xda,0x71,
-+ 0x1d,0x0d,0x47,0x16,0x63,0xc5,0x68,0xe4,0x5d,0x39,0x69,0xb3,
-+ 0x3e,0xbe,0xd4,0x8e
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_int_returnedbits[] =
-+ {
-+ 0xf9,0xd7,0xad,0x69,0xab,0x8f,0x23,0x56,0x70,0x17,0x4f,0x2a,
-+ 0x45,0xe7,0x4a,0xc5
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_entropyinputreseed[] =
-+ {
-+ 0xa6,0x71,0x6a,0x3d,0xba,0xd1,0xe8,0x66,0xa6,0xef,0xb2,0x0e,
-+ 0xa8,0x9c,0xaa,0x4e,0xaf,0x17,0x89,0x50,0x00,0xda,0xa1,0xb1,
-+ 0x0b,0xa4,0xd9,0x35,0x89,0xc8,0xe5,0xb0,0xd9,0xb7,0xc4,0x33,
-+ 0x9b,0xcb,0x7e,0x75
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_additionalinputreseed[] =
-+ {
-+ 0x27,0x21,0xfc,0xc2,0xbd,0xf3,0x3c,0xce,0xc3,0xca,0xc1,0x01,
-+ 0xe0,0xff,0x93,0x12,0x7d,0x54,0x42,0xe3,0x9f,0x03,0xdf,0x27,
-+ 0x04,0x07,0x3c,0x53,0x7f,0xa8,0x66,0xc8,0x97,0x4b,0x61,0x40,
-+ 0x5d,0x7a,0x25,0x79
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_additionalinput2[] =
-+ {
-+ 0x2d,0x8e,0x16,0x5d,0x0b,0x9f,0xeb,0xaa,0xd6,0xec,0x28,0x71,
-+ 0x7c,0x0b,0xc1,0x1d,0xd4,0x44,0x19,0x47,0xfd,0x1d,0x7c,0xe5,
-+ 0xf3,0x27,0xe1,0xb6,0x72,0x0a,0xe0,0xec,0x0e,0xcd,0xef,0x1a,
-+ 0x91,0x6a,0xe3,0x5f
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_192_no_df_returnedbits[] =
-+ {
-+ 0xe5,0xda,0xb8,0xe0,0x63,0x59,0x5a,0xcc,0x3d,0xdc,0x9f,0xe8,
-+ 0x66,0x67,0x2c,0x92
-+ };
-+
-+
-+/* AES-256 no df PR */
-+__fips_constseg
-+static const unsigned char aes_256_no_df_pr_entropyinput[] =
-+ {
-+ 0x15,0xc7,0x5d,0xcb,0x41,0x4b,0x16,0x01,0x3a,0xd1,0x44,0xe8,
-+ 0x22,0x32,0xc6,0x9c,0x3f,0xe7,0x43,0xf5,0x9a,0xd3,0xea,0xf2,
-+ 0xd7,0x4e,0x6e,0x6a,0x55,0x73,0x40,0xef,0x89,0xad,0x0d,0x03,
-+ 0x96,0x7e,0x78,0x81,0x2f,0x91,0x1b,0x44,0xb0,0x02,0xba,0x1c
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_pr_nonce[] =
-+ {
-+ 0xdc,0xe4,0xd4,0x27,0x7a,0x90,0xd7,0x99,0x43,0xa1,0x3c,0x30,
-+ 0xcc,0x4b,0xee,0x2e
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_pr_personalizationstring[] =
-+ {
-+ 0xe3,0xe6,0xb9,0x11,0xe4,0x7a,0xa4,0x40,0x6b,0xf8,0x73,0xf7,
-+ 0x7e,0xec,0xc7,0xb9,0x97,0xbf,0xf8,0x25,0x7b,0xbe,0x11,0x9b,
-+ 0x5b,0x6a,0x0c,0x2e,0x2b,0x01,0x51,0xcd,0x41,0x4b,0x6b,0xac,
-+ 0x31,0xa8,0x0b,0xf7,0xe6,0x59,0x42,0xb8,0x03,0x0c,0xf8,0x06
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_pr_additionalinput[] =
-+ {
-+ 0x6a,0x9f,0x00,0x91,0xae,0xfe,0xcf,0x84,0x99,0xce,0xb1,0x40,
-+ 0x6d,0x5d,0x33,0x28,0x84,0xf4,0x8c,0x63,0x4c,0x7e,0xbd,0x2c,
-+ 0x80,0x76,0xee,0x5a,0xaa,0x15,0x07,0x31,0xd8,0xbb,0x8c,0x69,
-+ 0x9d,0x9d,0xbc,0x7e,0x49,0xae,0xec,0x39,0x6b,0xd1,0x1f,0x7e
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_pr_entropyinputpr[] =
-+ {
-+ 0xf3,0xb9,0x75,0x9c,0xbd,0x88,0xea,0xa2,0x50,0xad,0xd6,0x16,
-+ 0x1a,0x12,0x3c,0x86,0x68,0xaf,0x6f,0xbe,0x19,0xf2,0xee,0xcc,
-+ 0xa5,0x70,0x84,0x53,0x50,0xcb,0x9f,0x14,0xa9,0xe5,0xee,0xb9,
-+ 0x48,0x45,0x40,0xe2,0xc7,0xc9,0x9a,0x74,0xff,0x8c,0x99,0x1f
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_pr_int_returnedbits[] =
-+ {
-+ 0x2e,0xf2,0x45,0x4c,0x62,0x2e,0x0a,0xb9,0x6b,0xa2,0xfd,0x56,
-+ 0x79,0x60,0x93,0xcf
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_pr_additionalinput2[] =
-+ {
-+ 0xaf,0x69,0x20,0xe9,0x3b,0x37,0x9d,0x3f,0xb4,0x80,0x02,0x7a,
-+ 0x25,0x7d,0xb8,0xde,0x71,0xc5,0x06,0x0c,0xb4,0xe2,0x8f,0x35,
-+ 0xd8,0x14,0x0d,0x7f,0x76,0x63,0x4e,0xb5,0xee,0xe9,0x6f,0x34,
-+ 0xc7,0x5f,0x56,0x14,0x4a,0xe8,0x73,0x95,0x5b,0x1c,0xb9,0xcb
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_pr_entropyinputpr2[] =
-+ {
-+ 0xe5,0xb0,0x2e,0x7e,0x52,0x30,0xe3,0x63,0x82,0xb6,0x44,0xd3,
-+ 0x25,0x19,0x05,0x24,0x9a,0x9f,0x5f,0x27,0x6a,0x29,0xab,0xfa,
-+ 0x07,0xa2,0x42,0x0f,0xc5,0xa8,0x94,0x7c,0x17,0x7b,0x85,0x83,
-+ 0x0c,0x25,0x0e,0x63,0x0b,0xe9,0x12,0x60,0xcd,0xef,0x80,0x0f
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_pr_returnedbits[] =
-+ {
-+ 0x5e,0xf2,0x26,0xef,0x9f,0x58,0x5d,0xd5,0x4a,0x10,0xfe,0xa7,
-+ 0x2d,0x5f,0x4a,0x46
-+ };
-+
-+
-+/* AES-256 no df No PR */
-+__fips_constseg
-+static const unsigned char aes_256_no_df_entropyinput[] =
-+ {
-+ 0xfb,0xcf,0x1b,0x61,0x16,0x89,0x78,0x23,0xf5,0xd8,0x96,0xe3,
-+ 0x4e,0x64,0x0b,0x29,0x9a,0x3f,0xf8,0xa5,0xed,0xf2,0xfe,0xdb,
-+ 0x16,0xca,0x7f,0x10,0xfa,0x5e,0x18,0x76,0x2c,0x63,0x5e,0x96,
-+ 0xcf,0xb3,0xd6,0xfc,0xaf,0x99,0x39,0x28,0x9c,0x61,0xe8,0xb3
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_nonce[] =
-+ {
-+ 0x12,0x96,0xf0,0x52,0xf3,0x8d,0x81,0xcf,0xde,0x86,0xf2,0x99,
-+ 0x43,0x96,0xb9,0xf0
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_personalizationstring[] =
-+ {
-+ 0x63,0x0d,0x78,0xf5,0x90,0x8e,0x32,0x47,0xb0,0x4d,0x37,0x60,
-+ 0x09,0x96,0xbc,0xbf,0x97,0x7a,0x62,0x14,0x45,0xbd,0x8d,0xcc,
-+ 0x69,0xfb,0x03,0xe1,0x80,0x1c,0xc7,0xe2,0x2a,0xf9,0x37,0x3f,
-+ 0x66,0x4d,0x62,0xd9,0x10,0xe0,0xad,0xc8,0x9a,0xf0,0xa8,0x6d
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_additionalinput[] =
-+ {
-+ 0x36,0xc6,0x13,0x60,0xbb,0x14,0xad,0x22,0xb0,0x38,0xac,0xa6,
-+ 0x18,0x16,0x93,0x25,0x86,0xb7,0xdc,0xdc,0x36,0x98,0x2b,0xf9,
-+ 0x68,0x33,0xd3,0xc6,0xff,0xce,0x8d,0x15,0x59,0x82,0x76,0xed,
-+ 0x6f,0x8d,0x49,0x74,0x2f,0xda,0xdc,0x1f,0x17,0xd0,0xde,0x17
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_int_returnedbits[] =
-+ {
-+ 0x16,0x2f,0x8e,0x3f,0x21,0x7a,0x1c,0x20,0x56,0xd1,0x92,0xf6,
-+ 0xd2,0x25,0x75,0x0e
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_entropyinputreseed[] =
-+ {
-+ 0x91,0x79,0x76,0xee,0xe0,0xcf,0x9e,0xc2,0xd5,0xd4,0x23,0x9b,
-+ 0x12,0x8c,0x7e,0x0a,0xb7,0xd2,0x8b,0xd6,0x7c,0xa3,0xc6,0xe5,
-+ 0x0e,0xaa,0xc7,0x6b,0xae,0x0d,0xfa,0x53,0x06,0x79,0xa1,0xed,
-+ 0x4d,0x6a,0x0e,0xd8,0x9d,0xbe,0x1b,0x31,0x93,0x7b,0xec,0xfb
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_additionalinputreseed[] =
-+ {
-+ 0xd2,0x46,0x50,0x22,0x10,0x14,0x63,0xf7,0xea,0x0f,0xb9,0x7e,
-+ 0x0d,0xe1,0x94,0x07,0xaf,0x09,0x44,0x31,0xea,0x64,0xa4,0x18,
-+ 0x5b,0xf9,0xd8,0xc2,0xfa,0x03,0x47,0xc5,0x39,0x43,0xd5,0x3b,
-+ 0x62,0x86,0x64,0xea,0x2c,0x73,0x8c,0xae,0x9d,0x98,0x98,0x29
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_additionalinput2[] =
-+ {
-+ 0x8c,0xab,0x18,0xf8,0xc3,0xec,0x18,0x5c,0xb3,0x1e,0x9d,0xbe,
-+ 0x3f,0x03,0xb4,0x00,0x98,0x9d,0xae,0xeb,0xf4,0x94,0xf8,0x42,
-+ 0x8f,0xe3,0x39,0x07,0xe1,0xc9,0xad,0x0b,0x1f,0xed,0xc0,0xba,
-+ 0xf6,0xd1,0xec,0x27,0x86,0x7b,0xd6,0x55,0x9b,0x60,0xa5,0xc6
-+ };
-+
-+__fips_constseg
-+static const unsigned char aes_256_no_df_returnedbits[] =
-+ {
-+ 0xef,0xd2,0xd8,0x5c,0xdc,0x62,0x25,0x9f,0xaa,0x1e,0x2c,0x67,
-+ 0xf6,0x02,0x32,0xe2
-+ };
-+
-+
-+/* SHA-1 PR */
-+__fips_constseg
-+static const unsigned char sha1_pr_entropyinput[] =
-+ {
-+ 0xd2,0x36,0xa5,0x27,0x31,0x73,0xdd,0x11,0x4f,0x93,0xbd,0xe2,
-+ 0x31,0xa5,0x91,0x13
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_pr_nonce[] =
-+ {
-+ 0xb5,0xb3,0x60,0xef,0xf7,0x63,0x31,0xf3
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_pr_personalizationstring[] =
-+ {
-+ 0xd4,0xbb,0x02,0x10,0xb2,0x71,0xdb,0x81,0xd6,0xf0,0x42,0x60,
-+ 0xda,0xea,0x77,0x52
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_pr_additionalinput[] =
-+ {
-+ 0x4d,0xd2,0x6c,0x87,0xfb,0x2c,0x4f,0xa6,0x8d,0x16,0x63,0x22,
-+ 0x6a,0x51,0xe3,0xf8
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_pr_entropyinputpr[] =
-+ {
-+ 0xc9,0x83,0x9e,0x16,0xf6,0x1c,0x0f,0xb2,0xec,0x60,0x31,0xa9,
-+ 0xcb,0xa9,0x36,0x7a
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_pr_int_returnedbits[] =
-+ {
-+ 0xa8,0x13,0x4f,0xf4,0x31,0x02,0x44,0xe3,0xd3,0x3d,0x61,0x9e,
-+ 0xe5,0xc6,0x3e,0x89,0xb5,0x9b,0x0f,0x35
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_pr_additionalinput2[] =
-+ {
-+ 0xf9,0xe8,0xd2,0x72,0x13,0x34,0x95,0x6f,0x15,0x49,0x47,0x99,
-+ 0x16,0x03,0x19,0x47
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_pr_entropyinputpr2[] =
-+ {
-+ 0x4e,0x8c,0x49,0x9b,0x4a,0x5c,0x9b,0x9c,0x3a,0xee,0xfb,0xd2,
-+ 0xae,0xcd,0x8c,0xc4
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_pr_returnedbits[] =
-+ {
-+ 0x50,0xb4,0xb4,0xcd,0x68,0x57,0xfc,0x2e,0xc1,0x52,0xcc,0xf6,
-+ 0x68,0xa4,0x81,0xed,0x7e,0xe4,0x1d,0x87
-+ };
-+
-+
-+/* SHA-1 No PR */
-+__fips_constseg
-+static const unsigned char sha1_entropyinput[] =
-+ {
-+ 0xa9,0x47,0x1b,0x29,0x2d,0x1c,0x05,0xdf,0x76,0xd0,0x62,0xf9,
-+ 0xe2,0x7f,0x4c,0x7b
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_nonce[] =
-+ {
-+ 0x53,0x23,0x24,0xe3,0xec,0x0c,0x54,0x14
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_personalizationstring[] =
-+ {
-+ 0x7a,0x87,0xa1,0xac,0x1c,0xfd,0xab,0xae,0xf7,0xd6,0xfb,0x76,
-+ 0x28,0xec,0x6d,0xca
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_additionalinput[] =
-+ {
-+ 0xfc,0x92,0x35,0xd6,0x7e,0xb7,0x24,0x65,0xfd,0x12,0x27,0x35,
-+ 0xc0,0x72,0xca,0x28
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_int_returnedbits[] =
-+ {
-+ 0x57,0x88,0x82,0xe5,0x25,0xa5,0x2c,0x4a,0x06,0x20,0x6c,0x72,
-+ 0x55,0x61,0xdd,0x90,0x71,0x9f,0x95,0xea
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_entropyinputreseed[] =
-+ {
-+ 0x69,0xa5,0x40,0x62,0x98,0x47,0x56,0x73,0x4a,0x8f,0x60,0x96,
-+ 0xd6,0x99,0x27,0xed
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_additionalinputreseed[] =
-+ {
-+ 0xe5,0x40,0x4e,0xbd,0x50,0x00,0xf5,0x15,0xa6,0xee,0x45,0xda,
-+ 0x84,0x3d,0xd4,0xc0
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_additionalinput2[] =
-+ {
-+ 0x11,0x51,0x14,0xf0,0x09,0x1b,0x4e,0x56,0x0d,0xe9,0xf6,0x1e,
-+ 0x52,0x65,0xcd,0x96
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha1_returnedbits[] =
-+ {
-+ 0xa1,0x9c,0x94,0x6e,0x29,0xe1,0x33,0x0d,0x32,0xd6,0xaa,0xce,
-+ 0x71,0x3f,0x52,0x72,0x8b,0x42,0xa8,0xd7
-+ };
-+
-+
-+/* SHA-224 PR */
-+__fips_constseg
-+static const unsigned char sha224_pr_entropyinput[] =
-+ {
-+ 0x12,0x69,0x32,0x4f,0x83,0xa6,0xf5,0x14,0xe3,0x49,0x3e,0x75,
-+ 0x3e,0xde,0xad,0xa1,0x29,0xc3,0xf3,0x19,0x20,0xb5,0x4c,0xd9
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_pr_nonce[] =
-+ {
-+ 0x6a,0x78,0xd0,0xeb,0xbb,0x5a,0xf0,0xee,0xe8,0xc3,0xba,0x71
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_pr_personalizationstring[] =
-+ {
-+ 0xd5,0xb8,0xb6,0xbc,0xc1,0x5b,0x60,0x31,0x3c,0xf5,0xe5,0xc0,
-+ 0x8e,0x52,0x7a,0xbd,0xea,0x47,0xa9,0x5f,0x8f,0xf9,0x8b,0xae
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_pr_additionalinput[] =
-+ {
-+ 0x1f,0x55,0xec,0xae,0x16,0x12,0x84,0xba,0x84,0x16,0x19,0x88,
-+ 0x8e,0xb8,0x33,0x25,0x54,0xff,0xca,0x79,0xaf,0x07,0x25,0x50
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_pr_entropyinputpr[] =
-+ {
-+ 0x92,0xa3,0x32,0xa8,0x9a,0x0a,0x58,0x7c,0x1d,0x5a,0x7e,0xe1,
-+ 0xb2,0x73,0xab,0x0e,0x16,0x79,0x23,0xd3,0x29,0x89,0x81,0xe1
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_pr_int_returnedbits[] =
-+ {
-+ 0xf3,0x38,0x91,0x40,0x37,0x7a,0x51,0x72,0x42,0x74,0x78,0x0a,
-+ 0x69,0xfd,0xa6,0x44,0x43,0x45,0x6c,0x0c,0x5a,0x19,0xff,0xf1,
-+ 0x54,0x60,0xee,0x6a
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_pr_additionalinput2[] =
-+ {
-+ 0x75,0xf3,0x04,0x25,0xdd,0x36,0xa8,0x37,0x46,0xae,0x0c,0x52,
-+ 0x05,0x79,0x4c,0x26,0xdb,0xe9,0x71,0x16,0x4c,0x0a,0xf2,0x60
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_pr_entropyinputpr2[] =
-+ {
-+ 0xea,0xc5,0x03,0x0a,0x4f,0xb0,0x38,0x8d,0x23,0xd4,0xc8,0x77,
-+ 0xe2,0x6d,0x9c,0x0b,0x44,0xf7,0x2d,0x5b,0xbf,0x5d,0x2a,0x11
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_pr_returnedbits[] =
-+ {
-+ 0x60,0x50,0x2b,0xe7,0x86,0xd8,0x26,0x73,0xe3,0x1d,0x95,0x20,
-+ 0xb3,0x2c,0x32,0x1c,0xf5,0xce,0x57,0xa6,0x67,0x2b,0xdc,0x4e,
-+ 0xdd,0x11,0x4c,0xc4
-+ };
-+
-+
-+/* SHA-224 No PR */
-+__fips_constseg
-+static const unsigned char sha224_entropyinput[] =
-+ {
-+ 0xb2,0x1c,0x77,0x4d,0xf6,0xd3,0xb6,0x40,0xb7,0x30,0x3e,0x29,
-+ 0xb0,0x85,0x1c,0xbe,0x4a,0xea,0x6b,0x5a,0xb5,0x8a,0x97,0xeb
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_nonce[] =
-+ {
-+ 0x42,0x02,0x0a,0x1c,0x98,0x9a,0x77,0x9e,0x9f,0x80,0xba,0xe0
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_personalizationstring[] =
-+ {
-+ 0x98,0xb8,0x04,0x41,0xfc,0xc1,0x5d,0xc5,0xe9,0xb9,0x08,0xda,
-+ 0xf9,0xfa,0x0d,0x90,0xce,0xdf,0x1d,0x10,0xa9,0x8d,0x50,0x0c
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_additionalinput[] =
-+ {
-+ 0x9a,0x8d,0x39,0x49,0x42,0xd5,0x0b,0xae,0xe1,0xaf,0xb7,0x00,
-+ 0x02,0xfa,0x96,0xb1,0xa5,0x1d,0x2d,0x25,0x78,0xee,0x83,0x3f
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_int_returnedbits[] =
-+ {
-+ 0xe4,0xf5,0x53,0x79,0x5a,0x97,0x58,0x06,0x08,0xba,0x7b,0xfa,
-+ 0xf0,0x83,0x05,0x8c,0x22,0xc0,0xc9,0xdb,0x15,0xe7,0xde,0x20,
-+ 0x55,0x22,0x9a,0xad
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_entropyinputreseed[] =
-+ {
-+ 0x67,0x09,0x48,0xaa,0x07,0x16,0x99,0x89,0x7f,0x6d,0xa0,0xe5,
-+ 0x8f,0xdf,0xbc,0xdb,0xfe,0xe5,0x6c,0x7a,0x95,0x4a,0x66,0x17
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_additionalinputreseed[] =
-+ {
-+ 0x0f,0x4b,0x1c,0x6f,0xb7,0xe3,0x47,0xe5,0x5d,0x7d,0x38,0xd6,
-+ 0x28,0x9b,0xeb,0x55,0x63,0x09,0x3e,0x7c,0x56,0xea,0xf8,0x19
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_additionalinput2[] =
-+ {
-+ 0x2d,0x26,0x7c,0x37,0xe4,0x7a,0x28,0x5e,0x5a,0x3c,0xaf,0x3d,
-+ 0x5a,0x8e,0x55,0xa2,0x1a,0x6e,0xc0,0xe5,0xf6,0x21,0xd3,0xf6
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha224_returnedbits[] =
-+ {
-+ 0x4d,0x83,0x35,0xdf,0x67,0xa9,0xfc,0x17,0xda,0x70,0xcc,0x8b,
-+ 0x7f,0x77,0xae,0xa2,0x5f,0xb9,0x7e,0x74,0x4c,0x26,0xc1,0x7a,
-+ 0x3b,0xa7,0x5c,0x93
-+ };
-+
-+
-+/* SHA-256 PR */
-+__fips_constseg
-+static const unsigned char sha256_pr_entropyinput[] =
-+ {
-+ 0xce,0x49,0x00,0x7a,0x56,0xe3,0x67,0x8f,0xe1,0xb6,0xa7,0xd4,
-+ 0x4f,0x08,0x7a,0x1b,0x01,0xf4,0xfa,0x6b,0xef,0xb7,0xe5,0xeb,
-+ 0x07,0x3d,0x11,0x0d,0xc8,0xea,0x2b,0xfe
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_pr_nonce[] =
-+ {
-+ 0x73,0x41,0xc8,0x92,0x94,0xe2,0xc5,0x5f,0x93,0xfd,0x39,0x5d,
-+ 0x2b,0x91,0x4d,0x38
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_pr_personalizationstring[] =
-+ {
-+ 0x50,0x6d,0x01,0x01,0x07,0x5a,0x80,0x35,0x7a,0x56,0x1a,0x56,
-+ 0x2f,0x9a,0x0b,0x35,0xb2,0xb1,0xc9,0xe5,0xca,0x69,0x61,0x48,
-+ 0xff,0xfb,0x0f,0xd9,0x4b,0x79,0x1d,0xba
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_pr_additionalinput[] =
-+ {
-+ 0x20,0xb8,0xdf,0x44,0x77,0x5a,0xb8,0xd3,0xbf,0xf6,0xcf,0xac,
-+ 0x5e,0xa6,0x96,0x62,0x73,0x44,0x40,0x4a,0x30,0xfb,0x38,0xa5,
-+ 0x7b,0x0d,0xe4,0x0d,0xc6,0xe4,0x9a,0x1f
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_pr_entropyinputpr[] =
-+ {
-+ 0x04,0xc4,0x65,0xf4,0xd3,0xbf,0x83,0x4b,0xab,0xc8,0x41,0xa8,
-+ 0xc2,0xe0,0x44,0x63,0x77,0x4c,0x6f,0x6c,0x49,0x46,0xff,0x94,
-+ 0x17,0xea,0xe6,0x1a,0x9d,0x5e,0x66,0x78
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_pr_int_returnedbits[] =
-+ {
-+ 0x07,0x4d,0xac,0x9b,0x86,0xca,0x4a,0xaa,0x6e,0x7a,0x03,0xa2,
-+ 0x5d,0x10,0xea,0x0b,0xf9,0x83,0xcc,0xd1,0xfc,0xe2,0x07,0xc7,
-+ 0x06,0x34,0x60,0x6f,0x83,0x94,0x99,0x76
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_pr_additionalinput2[] =
-+ {
-+ 0x89,0x4e,0x45,0x8c,0x11,0xf9,0xbc,0x5b,0xac,0x74,0x8b,0x4b,
-+ 0x5f,0xf7,0x19,0xf3,0xf5,0x24,0x54,0x14,0xd1,0x15,0xb1,0x43,
-+ 0x12,0xa4,0x5f,0xd4,0xec,0xfc,0xcd,0x09
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_pr_entropyinputpr2[] =
-+ {
-+ 0x0e,0xeb,0x1f,0xd7,0xfc,0xd1,0x9d,0xd4,0x05,0x36,0x8b,0xb2,
-+ 0xfb,0xe4,0xf4,0x51,0x0c,0x87,0x9b,0x02,0x44,0xd5,0x92,0x4d,
-+ 0x44,0xfe,0x1a,0x03,0x43,0x56,0xbd,0x86
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_pr_returnedbits[] =
-+ {
-+ 0x02,0xaa,0xb6,0x1d,0x7e,0x2a,0x40,0x03,0x69,0x2d,0x49,0xa3,
-+ 0x41,0xe7,0x44,0x0b,0xaf,0x7b,0x85,0xe4,0x5f,0x53,0x3b,0x64,
-+ 0xbc,0x89,0xc8,0x82,0xd4,0x78,0x37,0xa2
-+ };
-+
-+
-+/* SHA-256 No PR */
-+__fips_constseg
-+static const unsigned char sha256_entropyinput[] =
-+ {
-+ 0x5b,0x1b,0xec,0x4d,0xa9,0x38,0x74,0x5a,0x34,0x0b,0x7b,0xc5,
-+ 0xe5,0xd7,0x66,0x7c,0xbc,0x82,0xb9,0x0e,0x2d,0x1f,0x92,0xd7,
-+ 0xc1,0xbc,0x67,0x69,0xec,0x6b,0x03,0x3c
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_nonce[] =
-+ {
-+ 0xa4,0x0c,0xd8,0x9c,0x61,0xd8,0xc3,0x54,0xfe,0x53,0xc9,0xe5,
-+ 0x5d,0x6f,0x6d,0x35
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_personalizationstring[] =
-+ {
-+ 0x22,0x5e,0x62,0x93,0x42,0x83,0x78,0x24,0xd8,0x40,0x8c,0xde,
-+ 0x6f,0xf9,0xa4,0x7a,0xc5,0xa7,0x3b,0x88,0xa3,0xee,0x42,0x20,
-+ 0xfd,0x61,0x56,0xc6,0x4c,0x13,0x41,0x9c
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_additionalinput[] =
-+ {
-+ 0xbf,0x74,0x5b,0xf6,0xc5,0x64,0x5e,0x99,0x34,0x8f,0xbc,0xa4,
-+ 0xe2,0xbd,0xd8,0x85,0x26,0x37,0xea,0xba,0x4f,0xf2,0x9a,0x9a,
-+ 0x66,0xfc,0xdf,0x63,0x26,0x26,0x19,0x87
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_int_returnedbits[] =
-+ {
-+ 0xb3,0xc6,0x07,0x07,0xd6,0x75,0xf6,0x2b,0xd6,0x21,0x96,0xf1,
-+ 0xae,0xdb,0x2b,0xac,0x25,0x2a,0xae,0xae,0x41,0x72,0x03,0x5e,
-+ 0xbf,0xd3,0x64,0xbc,0x59,0xf9,0xc0,0x76
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_entropyinputreseed[] =
-+ {
-+ 0xbf,0x20,0x33,0x56,0x29,0xa8,0x37,0x04,0x1f,0x78,0x34,0x3d,
-+ 0x81,0x2a,0xc9,0x86,0xc6,0x7a,0x2f,0x88,0x5e,0xd5,0xbe,0x34,
-+ 0x46,0x20,0xa4,0x35,0xeb,0xc7,0xe2,0x9d
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_additionalinputreseed[] =
-+ {
-+ 0x9b,0xae,0x2d,0x2d,0x61,0xa4,0x89,0xeb,0x43,0x46,0xa7,0xda,
-+ 0xef,0x40,0xca,0x4a,0x99,0x11,0x41,0xdc,0x5c,0x94,0xe9,0xac,
-+ 0xd4,0xd0,0xe6,0xbd,0xfb,0x03,0x9c,0xa8
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_additionalinput2[] =
-+ {
-+ 0x23,0xaa,0x0c,0xbd,0x28,0x33,0xe2,0x51,0xfc,0x71,0xd2,0x15,
-+ 0x1f,0x76,0xfd,0x0d,0xe0,0xb7,0xb5,0x84,0x75,0x5b,0xbe,0xf3,
-+ 0x5c,0xca,0xc5,0x30,0xf2,0x75,0x1f,0xda
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha256_returnedbits[] =
-+ {
-+ 0x90,0x3c,0xc1,0x10,0x8c,0x12,0x01,0xc6,0xa6,0x3a,0x0f,0x4d,
-+ 0xb6,0x3a,0x4f,0x41,0x9c,0x61,0x75,0x84,0xe9,0x74,0x75,0xfd,
-+ 0xfe,0xf2,0x1f,0x43,0xd8,0x5e,0x24,0xa3
-+ };
-+
-+
-+/* SHA-384 PR */
-+__fips_constseg
-+static const unsigned char sha384_pr_entropyinput[] =
-+ {
-+ 0x71,0x9d,0xb2,0x5a,0x71,0x6d,0x04,0xe9,0x1e,0xc7,0x92,0x24,
-+ 0x6e,0x12,0x33,0xa9,0x52,0x64,0x31,0xef,0x71,0xeb,0x22,0x55,
-+ 0x28,0x97,0x06,0x6a,0xc0,0x0c,0xa0,0x7e
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_pr_nonce[] =
-+ {
-+ 0xf5,0x0d,0xfa,0xb0,0xec,0x6a,0x7c,0xd6,0xbd,0x9b,0x05,0xfd,
-+ 0x38,0x3e,0x2e,0x56
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_pr_personalizationstring[] =
-+ {
-+ 0x74,0xac,0x7e,0x6d,0xb1,0xa4,0xe7,0x21,0xd1,0x1e,0x6e,0x96,
-+ 0x6d,0x4d,0x53,0x46,0x82,0x96,0x6e,0xcf,0xaa,0x81,0x8d,0x7d,
-+ 0x9e,0xe1,0x0f,0x15,0xea,0x41,0xbf,0xe3
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_pr_additionalinput[] =
-+ {
-+ 0xda,0x95,0xd4,0xd0,0xb8,0x11,0xd3,0x49,0x27,0x5d,0xa9,0x39,
-+ 0x68,0xf3,0xa8,0xe9,0x5d,0x19,0x8a,0x2b,0x66,0xe8,0x69,0x06,
-+ 0x7c,0x9e,0x03,0xa1,0x8b,0x26,0x2d,0x6e
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_pr_entropyinputpr[] =
-+ {
-+ 0x49,0xdf,0x44,0x00,0xe4,0x1c,0x75,0x0b,0x26,0x5a,0x59,0x64,
-+ 0x1f,0x4e,0xb1,0xb2,0x13,0xf1,0x22,0x4e,0xb4,0x6d,0x9a,0xcc,
-+ 0xa0,0x48,0xe6,0xcf,0x1d,0xd1,0x92,0x0d
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_pr_int_returnedbits[] =
-+ {
-+ 0xc8,0x52,0xae,0xbf,0x04,0x3c,0x27,0xb7,0x78,0x18,0xaa,0x8f,
-+ 0xff,0xcf,0xa4,0xf1,0xcc,0xe7,0x68,0xfa,0x22,0xa2,0x13,0x45,
-+ 0xe8,0xdd,0x87,0xe6,0xf2,0x6e,0xdd,0xc7,0x52,0x90,0x9f,0x7b,
-+ 0xfa,0x61,0x2d,0x9d,0x9e,0xcf,0x98,0xac,0x52,0x40,0xce,0xaf
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_pr_additionalinput2[] =
-+ {
-+ 0x61,0x7c,0x03,0x9a,0x3e,0x50,0x57,0x60,0xc5,0x83,0xc9,0xb2,
-+ 0xd1,0x87,0x85,0x66,0x92,0x5d,0x84,0x0e,0x53,0xfb,0x70,0x03,
-+ 0x72,0xfd,0xba,0xae,0x9c,0x8f,0xf8,0x18
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_pr_entropyinputpr2[] =
-+ {
-+ 0xf8,0xeb,0x89,0xb1,0x8d,0x78,0xbe,0x21,0xe0,0xbb,0x9d,0xb7,
-+ 0x95,0x0e,0xd9,0x46,0x0c,0x8c,0xe2,0x63,0xb7,0x9d,0x67,0x90,
-+ 0xbd,0xc7,0x0b,0xa5,0xce,0xb2,0x65,0x81
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_pr_returnedbits[] =
-+ {
-+ 0xe6,0x9f,0xfe,0x68,0xd6,0xb5,0x79,0xf1,0x06,0x5f,0xa3,0xbb,
-+ 0x23,0x85,0xd8,0xf0,0x29,0x5a,0x68,0x9e,0xf5,0xf4,0xa6,0x12,
-+ 0xe0,0x9a,0xe2,0xac,0x00,0x1d,0x98,0x26,0xfc,0x53,0x95,0x53,
-+ 0xe4,0x3e,0x17,0xd5,0x08,0x0b,0x70,0x3d,0x67,0x99,0xac,0x66
-+ };
-+
-+
-+/* SHA-384 No PR */
-+__fips_constseg
-+static const unsigned char sha384_entropyinput[] =
-+ {
-+ 0x07,0x15,0x27,0x2a,0xaf,0x74,0x24,0x37,0xbc,0xd5,0x14,0x69,
-+ 0xce,0x11,0xff,0xa2,0x6b,0xb8,0x05,0x67,0x34,0xf8,0xbd,0x6d,
-+ 0x6a,0xcc,0xcd,0x60,0xa3,0x68,0xca,0xf4
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_nonce[] =
-+ {
-+ 0x70,0x17,0xc2,0x5b,0x5d,0x22,0x0b,0x06,0x15,0x54,0x78,0x77,
-+ 0x44,0xaf,0x2f,0x09
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_personalizationstring[] =
-+ {
-+ 0x89,0x39,0x28,0xb0,0x60,0xeb,0x3d,0xdc,0x55,0x75,0x86,0xeb,
-+ 0xae,0xa2,0x8f,0xbc,0x1b,0x75,0xd4,0xe1,0x0f,0xaa,0x38,0xca,
-+ 0x62,0x8b,0xcb,0x2c,0x26,0xf6,0xbc,0xb1
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_additionalinput[] =
-+ {
-+ 0x30,0x2b,0x42,0x35,0xef,0xda,0x40,0x55,0x28,0xc6,0x95,0xfb,
-+ 0x54,0x01,0x62,0xd7,0x87,0x14,0x48,0x6d,0x90,0x4c,0xa9,0x02,
-+ 0x54,0x40,0x22,0xc8,0x66,0xa5,0x48,0x48
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_int_returnedbits[] =
-+ {
-+ 0x82,0xc4,0xa1,0x9c,0x21,0xd2,0xe7,0xa5,0xa6,0xf6,0x5f,0x04,
-+ 0x5c,0xc7,0x31,0x9d,0x8d,0x59,0x74,0x50,0x19,0x89,0x2f,0x63,
-+ 0xd5,0xb7,0x7e,0xeb,0x15,0xe3,0x70,0x83,0xa1,0x24,0x59,0xfa,
-+ 0x2c,0x56,0xf6,0x88,0x3a,0x92,0x93,0xa1,0xfb,0x79,0xc1,0x7a
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_entropyinputreseed[] =
-+ {
-+ 0x39,0xa6,0xe8,0x5c,0x82,0x17,0x71,0x26,0x57,0x4f,0x9f,0xc2,
-+ 0x55,0xff,0x5c,0x9b,0x53,0x1a,0xd1,0x5f,0xbc,0x62,0xe4,0x27,
-+ 0x2d,0x32,0xf0,0xe4,0x52,0x8c,0xc5,0x0c
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_additionalinputreseed[] =
-+ {
-+ 0x8d,0xcb,0x8d,0xce,0x08,0xea,0x80,0xe8,0x9b,0x61,0xa8,0x0f,
-+ 0xaf,0x49,0x20,0x9e,0x74,0xcb,0x57,0x80,0x42,0xb0,0x84,0x5e,
-+ 0x30,0x2a,0x67,0x08,0xf4,0xe3,0x40,0x22
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_additionalinput2[] =
-+ {
-+ 0x7c,0x8f,0xc2,0xae,0x22,0x4a,0xd6,0xf6,0x05,0xa4,0x7a,0xea,
-+ 0xbb,0x25,0xd0,0xb7,0x5a,0xd6,0xcf,0x9d,0xf3,0x6c,0xe2,0xb2,
-+ 0x4e,0xb4,0xbd,0xf4,0xe5,0x40,0x80,0x94
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha384_returnedbits[] =
-+ {
-+ 0x9e,0x7e,0xfb,0x59,0xbb,0xaa,0x3c,0xf7,0xe1,0xf8,0x76,0xdd,
-+ 0x63,0x5f,0xaf,0x23,0xd6,0x64,0x61,0xc0,0x9a,0x09,0x47,0xc9,
-+ 0x33,0xdf,0x6d,0x55,0x91,0x34,0x79,0x70,0xc4,0x99,0x6e,0x54,
-+ 0x09,0x64,0x21,0x1a,0xbd,0x1e,0x80,0x40,0x34,0xad,0xfa,0xd7
-+ };
-+
-+
-+/* SHA-512 PR */
-+__fips_constseg
-+static const unsigned char sha512_pr_entropyinput[] =
-+ {
-+ 0x13,0xf7,0x61,0x75,0x65,0x28,0xa2,0x59,0x13,0x5a,0x4a,0x4f,
-+ 0x56,0x60,0x8c,0x53,0x7d,0xb0,0xbd,0x06,0x4f,0xed,0xcc,0xd2,
-+ 0xa2,0xb5,0xfd,0x5b,0x3a,0xab,0xec,0x28
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_pr_nonce[] =
-+ {
-+ 0xbe,0xa3,0x91,0x93,0x1d,0xc3,0x31,0x3a,0x23,0x33,0x50,0x67,
-+ 0x88,0xc7,0xa2,0xc4
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_pr_personalizationstring[] =
-+ {
-+ 0x1f,0x59,0x4d,0x7b,0xe6,0x46,0x91,0x48,0xc1,0x25,0xfa,0xff,
-+ 0x89,0x12,0x77,0x35,0xdf,0x3e,0xf4,0x80,0x5f,0xd9,0xb0,0x07,
-+ 0x22,0x41,0xdd,0x48,0x78,0x6b,0x77,0x2b
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_pr_additionalinput[] =
-+ {
-+ 0x30,0xff,0x63,0x6f,0xac,0xd9,0x84,0x39,0x6f,0xe4,0x99,0xce,
-+ 0x91,0x7d,0x7e,0xc8,0x58,0xf2,0x12,0xc3,0xb6,0xad,0xda,0x22,
-+ 0x04,0xa0,0xd2,0x21,0xfe,0xf2,0x95,0x1d
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_pr_entropyinputpr[] =
-+ {
-+ 0x64,0x54,0x13,0xec,0x4f,0x77,0xda,0xb2,0x92,0x2e,0x52,0x80,
-+ 0x11,0x10,0xc2,0xf8,0xe6,0xa7,0xcd,0x4b,0xfc,0x32,0x2e,0x9e,
-+ 0xeb,0xbb,0xb1,0xbf,0x15,0x5c,0x73,0x08
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_pr_int_returnedbits[] =
-+ {
-+ 0xef,0x1e,0xdc,0x0a,0xa4,0x36,0x91,0x9c,0x3d,0x27,0x97,0x50,
-+ 0x8d,0x36,0x29,0x8d,0xce,0x6a,0x0c,0xf7,0x21,0xc0,0x91,0xae,
-+ 0x0c,0x96,0x72,0xbd,0x52,0x81,0x58,0xfc,0x6d,0xe5,0xf7,0xa5,
-+ 0xfd,0x5d,0xa7,0x58,0x68,0xc8,0x99,0x58,0x8e,0xc8,0xce,0x95,
-+ 0x01,0x7d,0xff,0xa4,0xc8,0xf7,0x63,0xfe,0x5f,0x69,0x83,0x53,
-+ 0xe2,0xc6,0x8b,0xc3
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_pr_additionalinput2[] =
-+ {
-+ 0xe6,0x9b,0xc4,0x88,0x34,0xca,0xea,0x29,0x2f,0x98,0x05,0xa4,
-+ 0xd3,0xc0,0x7b,0x11,0xe8,0xbb,0x75,0xf2,0xbd,0x29,0xb7,0x40,
-+ 0x25,0x7f,0xc1,0xb7,0xb1,0xf1,0x25,0x61
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_pr_entropyinputpr2[] =
-+ {
-+ 0x23,0x6d,0xff,0xde,0xfb,0xd1,0xba,0x33,0x18,0xe6,0xbe,0xb5,
-+ 0x48,0x77,0x6d,0x7f,0xa7,0xe1,0x4d,0x48,0x1e,0x3c,0xa7,0x34,
-+ 0x1a,0xc8,0x60,0xdb,0x8f,0x99,0x15,0x99
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_pr_returnedbits[] =
-+ {
-+ 0x70,0x27,0x31,0xdb,0x92,0x70,0x21,0xfe,0x16,0xb6,0xc8,0x51,
-+ 0x34,0x87,0x65,0xd0,0x4e,0xfd,0xfe,0x68,0xec,0xac,0xdc,0x93,
-+ 0x41,0x38,0x92,0x90,0xb4,0x94,0xf9,0x0d,0xa4,0xf7,0x4e,0x80,
-+ 0x92,0x67,0x48,0x40,0xa7,0x08,0xc7,0xbc,0x66,0x00,0xfd,0xf7,
-+ 0x4c,0x8b,0x17,0x6e,0xd1,0x8f,0x9b,0xf3,0x6f,0xf6,0x34,0xdd,
-+ 0x67,0xf7,0x68,0xdd
-+ };
-+
-+
-+/* SHA-512 No PR */
-+__fips_constseg
-+static const unsigned char sha512_entropyinput[] =
-+ {
-+ 0xb6,0x0b,0xb7,0xbc,0x84,0x56,0xf6,0x12,0xaf,0x45,0x67,0x17,
-+ 0x7c,0xd1,0xb2,0x78,0x2b,0xa0,0xf2,0xbe,0xb6,0x6d,0x8b,0x56,
-+ 0xc6,0xbc,0x4d,0xe1,0xf7,0xbe,0xce,0xbd
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_nonce[] =
-+ {
-+ 0x9d,0xed,0xc0,0xe5,0x5a,0x98,0x6a,0xcb,0x51,0x7d,0x76,0x31,
-+ 0x5a,0x64,0xf0,0xf7
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_personalizationstring[] =
-+ {
-+ 0xc2,0x6d,0xa3,0xc3,0x06,0x74,0xe5,0x01,0x5c,0x10,0x17,0xc7,
-+ 0xaf,0x83,0x9d,0x59,0x8d,0x2d,0x29,0x38,0xc5,0x59,0x70,0x8b,
-+ 0x46,0x48,0x2d,0xcf,0x36,0x7d,0x59,0xc0
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_additionalinput[] =
-+ {
-+ 0xec,0x8c,0xd4,0xf7,0x61,0x6e,0x0d,0x95,0x79,0xb7,0x28,0xad,
-+ 0x5f,0x69,0x74,0x5f,0x2d,0x36,0x06,0x8a,0x6b,0xac,0x54,0x97,
-+ 0xc4,0xa1,0x12,0x85,0x0a,0xdf,0x4b,0x34
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_int_returnedbits[] =
-+ {
-+ 0x84,0x2f,0x1f,0x68,0x6a,0xa3,0xad,0x1e,0xfb,0xf4,0x15,0xbd,
-+ 0xde,0x38,0xd4,0x30,0x80,0x51,0xe9,0xd3,0xc7,0x20,0x88,0xe9,
-+ 0xf5,0xcc,0xdf,0x57,0x5c,0x47,0x2f,0x57,0x3c,0x5f,0x13,0x56,
-+ 0xcc,0xc5,0x4f,0x84,0xf8,0x10,0x41,0xd5,0x7e,0x58,0x6e,0x19,
-+ 0x19,0x9e,0xaf,0xc2,0x22,0x58,0x41,0x50,0x79,0xc2,0xd8,0x04,
-+ 0x28,0xd4,0x39,0x9a
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_entropyinputreseed[] =
-+ {
-+ 0xfa,0x7f,0x46,0x51,0x83,0x62,0x98,0x16,0x9a,0x19,0xa2,0x49,
-+ 0xa9,0xe6,0x4a,0xd8,0x85,0xe7,0xd4,0x3b,0x2c,0x82,0xc5,0x82,
-+ 0xbf,0x11,0xf9,0x9e,0xbc,0xd0,0x01,0xee
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_additionalinputreseed[] =
-+ {
-+ 0xb9,0x12,0xe0,0x4f,0xf7,0xa7,0xc4,0xd8,0xd0,0x8e,0x99,0x29,
-+ 0x7c,0x9a,0xe9,0xcf,0xc4,0x6c,0xf8,0xc3,0xa7,0x41,0x83,0xd6,
-+ 0x2e,0xfa,0xb8,0x5e,0x8e,0x6b,0x78,0x20
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_additionalinput2[] =
-+ {
-+ 0xd7,0x07,0x52,0xb9,0x83,0x2c,0x03,0x71,0xee,0xc9,0xc0,0x85,
-+ 0xe1,0x57,0xb2,0xcd,0x3a,0xf0,0xc9,0x34,0x24,0x41,0x1c,0x42,
-+ 0x99,0xb2,0x84,0xe9,0x17,0xd2,0x76,0x92
-+ };
-+
-+__fips_constseg
-+static const unsigned char sha512_returnedbits[] =
-+ {
-+ 0x36,0x17,0x5d,0x98,0x2b,0x65,0x25,0x8e,0xc8,0x29,0xdf,0x27,
-+ 0x05,0x36,0x26,0x12,0x8a,0x68,0x74,0x27,0x37,0xd4,0x7f,0x32,
-+ 0xb1,0x12,0xd6,0x85,0x83,0xeb,0x2e,0xa0,0xed,0x4b,0xb5,0x7b,
-+ 0x6f,0x39,0x3c,0x71,0x77,0x02,0x12,0xcc,0x2c,0x3a,0x8e,0x63,
-+ 0xdf,0x4a,0xbd,0x6f,0x6e,0x2e,0xed,0x0a,0x85,0xa5,0x2f,0xa2,
-+ 0x68,0xde,0x42,0xb5
-+ };
-+
-+
-+/* HMAC SHA-1 PR */
-+__fips_constseg
-+static const unsigned char hmac_sha1_pr_entropyinput[] =
-+ {
-+ 0x26,0x5f,0x36,0x14,0xff,0x3d,0x83,0xfa,0x73,0x5e,0x75,0xdc,
-+ 0x2c,0x18,0x17,0x1b
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_pr_nonce[] =
-+ {
-+ 0xc8,0xe3,0x57,0xa5,0x7b,0x74,0x86,0x6e
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_pr_personalizationstring[] =
-+ {
-+ 0x6e,0xdb,0x0d,0xfe,0x7d,0xac,0x79,0xd0,0xa5,0x3a,0x48,0x85,
-+ 0x80,0xe2,0x7f,0x2a
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_pr_additionalinput[] =
-+ {
-+ 0x31,0xcd,0x5e,0x43,0xdc,0xfb,0x7a,0x79,0xca,0x88,0xde,0x1f,
-+ 0xd7,0xbb,0x42,0x09
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_pr_entropyinputpr[] =
-+ {
-+ 0x7c,0x23,0x95,0x38,0x00,0x95,0xc1,0x78,0x1f,0x8f,0xd7,0x63,
-+ 0x23,0x87,0x2a,0xed
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_pr_int_returnedbits[] =
-+ {
-+ 0xbb,0x34,0xe7,0x93,0xa3,0x02,0x2c,0x4a,0xd0,0x89,0xda,0x7f,
-+ 0xed,0xf4,0x4c,0xde,0x17,0xec,0xe5,0x6c
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_pr_additionalinput2[] =
-+ {
-+ 0x49,0xbc,0x2d,0x2c,0xb7,0x32,0xcb,0x20,0xdf,0xf5,0x77,0x58,
-+ 0xa0,0x4b,0x93,0x6e
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_pr_entropyinputpr2[] =
-+ {
-+ 0x3c,0xaa,0xb0,0x21,0x42,0xb0,0xdd,0x34,0xf0,0x16,0x7f,0x0c,
-+ 0x0f,0xff,0x2e,0xaf
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_pr_returnedbits[] =
-+ {
-+ 0x8e,0xcb,0xa3,0x64,0xb2,0xb8,0x33,0x6c,0x64,0x3b,0x78,0x16,
-+ 0x99,0x35,0xc8,0x30,0xcb,0x3e,0xa0,0xd8
-+ };
-+
-+
-+/* HMAC SHA-1 No PR */
-+__fips_constseg
-+static const unsigned char hmac_sha1_entropyinput[] =
-+ {
-+ 0x32,0x9a,0x2a,0x87,0x7b,0x89,0x7c,0xf6,0xcb,0x95,0xd5,0x40,
-+ 0x17,0xfe,0x47,0x70
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_nonce[] =
-+ {
-+ 0x16,0xd8,0xe0,0xc7,0x52,0xcf,0x4a,0x25
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_personalizationstring[] =
-+ {
-+ 0x35,0x35,0xa9,0xa5,0x40,0xbe,0x9b,0xd1,0x56,0xdd,0x44,0x00,
-+ 0x72,0xf7,0xd3,0x5e
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_additionalinput[] =
-+ {
-+ 0x1b,0x2c,0x84,0x2d,0x4a,0x89,0x8f,0x69,0x19,0xf1,0xf3,0xdb,
-+ 0xbb,0xe3,0xaa,0xea
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_int_returnedbits[] =
-+ {
-+ 0xcf,0xfa,0x7d,0x72,0x0f,0xe6,0xc7,0x96,0xa0,0x69,0x31,0x11,
-+ 0x9b,0x0b,0x1a,0x20,0x1f,0x3f,0xaa,0xd1
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_entropyinputreseed[] =
-+ {
-+ 0x90,0x75,0x15,0x04,0x95,0xf1,0xba,0x81,0x0c,0x37,0x94,0x6f,
-+ 0x86,0x52,0x6d,0x9c
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_additionalinputreseed[] =
-+ {
-+ 0x5b,0x40,0xba,0x5f,0x17,0x70,0xf0,0x4b,0xdf,0xc9,0x97,0x92,
-+ 0x79,0xc5,0x82,0x28
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_additionalinput2[] =
-+ {
-+ 0x97,0xc8,0x80,0x90,0xb3,0xaa,0x6e,0x60,0xea,0x83,0x7a,0xe3,
-+ 0x8a,0xca,0xa4,0x7f
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha1_returnedbits[] =
-+ {
-+ 0x90,0xbd,0x05,0x56,0x6d,0xb5,0x22,0xd5,0xb9,0x5a,0x29,0x2d,
-+ 0xe9,0x0b,0xe1,0xac,0xde,0x27,0x0b,0xb0
-+ };
-+
-+
-+/* HMAC SHA-224 PR */
-+__fips_constseg
-+static const unsigned char hmac_sha224_pr_entropyinput[] =
-+ {
-+ 0x17,0x32,0x2b,0x2e,0x6f,0x1b,0x9c,0x6d,0x31,0xe0,0x34,0x07,
-+ 0xcf,0xed,0xf6,0xb6,0x5a,0x76,0x4c,0xbc,0x62,0x85,0x01,0x90
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_pr_nonce[] =
-+ {
-+ 0x38,0xbf,0x5f,0x20,0xb3,0x68,0x2f,0x43,0x61,0x05,0x8f,0x23
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_pr_personalizationstring[] =
-+ {
-+ 0xc0,0xc9,0x45,0xac,0x8d,0x27,0x77,0x08,0x0b,0x17,0x6d,0xed,
-+ 0xc1,0x7d,0xd5,0x07,0x9d,0x6e,0xf8,0x23,0x2a,0x22,0x13,0xbd
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_pr_additionalinput[] =
-+ {
-+ 0xa4,0x3c,0xe7,0x3b,0xea,0x19,0x45,0x32,0xc2,0x83,0x6d,0x21,
-+ 0x8a,0xc0,0xee,0x67,0x45,0xde,0x13,0x7d,0x9d,0x61,0x00,0x3b
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_pr_entropyinputpr[] =
-+ {
-+ 0x15,0x05,0x74,0x4a,0x7f,0x8d,0x5c,0x60,0x16,0xe5,0x7b,0xad,
-+ 0xf5,0x41,0x8f,0x55,0x60,0xc4,0x09,0xee,0x1e,0x11,0x81,0xab
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_pr_int_returnedbits[] =
-+ {
-+ 0x6f,0xf5,0x9a,0xe2,0x54,0x53,0x30,0x3d,0x5a,0x27,0x29,0x38,
-+ 0x27,0xf2,0x0d,0x05,0xe9,0x26,0xcb,0x16,0xc3,0x51,0x5f,0x13,
-+ 0x41,0xfe,0x99,0xf2
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_pr_additionalinput2[] =
-+ {
-+ 0x73,0x81,0x88,0x84,0x8f,0xed,0x6f,0x10,0x9f,0x93,0xbf,0x17,
-+ 0x35,0x7c,0xef,0xd5,0x8d,0x26,0xa6,0x7a,0xe8,0x09,0x36,0x4f
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_pr_entropyinputpr2[] =
-+ {
-+ 0xe6,0xcf,0xcf,0x7e,0x12,0xe5,0x43,0xd2,0x38,0xd8,0x24,0x6f,
-+ 0x5a,0x37,0x68,0xbf,0x4f,0xa0,0xff,0xd5,0x61,0x8a,0x93,0xe0
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_pr_returnedbits[] =
-+ {
-+ 0xaf,0xf9,0xd8,0x19,0x91,0x30,0x82,0x6f,0xa9,0x1e,0x9d,0xd7,
-+ 0xf3,0x50,0xe0,0xc7,0xd5,0x64,0x96,0x7d,0x4c,0x4d,0x78,0x03,
-+ 0x6d,0xd8,0x9e,0x72
-+ };
-+
-+
-+/* HMAC SHA-224 No PR */
-+__fips_constseg
-+static const unsigned char hmac_sha224_entropyinput[] =
-+ {
-+ 0x11,0x82,0xfd,0xd9,0x42,0xf4,0xfa,0xc8,0xf2,0x41,0xe6,0x54,
-+ 0x01,0xae,0x22,0x6e,0xc6,0xaf,0xaf,0xd0,0xa6,0xb2,0xe2,0x6d
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_nonce[] =
-+ {
-+ 0xa9,0x48,0xd7,0x92,0x39,0x7e,0x2a,0xdc,0x30,0x1f,0x0e,0x2b
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_personalizationstring[] =
-+ {
-+ 0x11,0xd5,0xf4,0xbd,0x67,0x8c,0x31,0xcf,0xa3,0x3f,0x1e,0x6b,
-+ 0xa8,0x07,0x02,0x0b,0xc8,0x2e,0x6c,0x64,0x41,0x5b,0xc8,0x37
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_additionalinput[] =
-+ {
-+ 0x68,0x18,0xc2,0x06,0xeb,0x3e,0x04,0x95,0x44,0x5e,0xfb,0xe6,
-+ 0x41,0xc1,0x5c,0xcc,0x40,0x2f,0xb7,0xd2,0x0f,0xf3,0x6b,0xe7
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_int_returnedbits[] =
-+ {
-+ 0x7f,0x45,0xc7,0x5d,0x32,0xe6,0x17,0x60,0xba,0xdc,0xb8,0x42,
-+ 0x1b,0x9c,0xf1,0xfa,0x3b,0x4d,0x29,0x54,0xc6,0x90,0xff,0x5c,
-+ 0xcd,0xd6,0xa9,0xcc
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_entropyinputreseed[] =
-+ {
-+ 0xc4,0x8e,0x37,0x95,0x69,0x53,0x28,0xd7,0x37,0xbb,0x70,0x95,
-+ 0x1c,0x07,0x1d,0xd9,0xb7,0xe6,0x1b,0xbb,0xfe,0x41,0xeb,0xc9
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_additionalinputreseed[] =
-+ {
-+ 0x53,0x17,0xa1,0x6a,0xfa,0x77,0x47,0xb0,0x95,0x56,0x9a,0x20,
-+ 0x57,0xde,0x5c,0x89,0x9f,0x7f,0xe2,0xde,0x17,0x3a,0x50,0x23
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_additionalinput2[] =
-+ {
-+ 0x3a,0x32,0xf9,0x85,0x0c,0xc1,0xed,0x76,0x2d,0xdf,0x40,0xc3,
-+ 0x06,0x22,0x66,0xd4,0x9a,0x9a,0xff,0x5a,0x7e,0x7a,0xf3,0x96
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha224_returnedbits[] =
-+ {
-+ 0x43,0xb4,0x57,0x5c,0x38,0x25,0x9d,0xae,0xec,0x96,0xd1,0x85,
-+ 0x3a,0x84,0x8d,0xfe,0x68,0xd5,0x0e,0x5c,0x8f,0x65,0xa5,0x4e,
-+ 0x45,0x84,0xa8,0x94
-+ };
-+
-+
-+/* HMAC SHA-256 PR */
-+__fips_constseg
-+static const unsigned char hmac_sha256_pr_entropyinput[] =
-+ {
-+ 0x4d,0xb0,0x43,0xd8,0x34,0x4b,0x10,0x70,0xb1,0x8b,0xed,0xea,
-+ 0x07,0x92,0x9f,0x6c,0x79,0x31,0xaf,0x81,0x29,0xeb,0x6e,0xca,
-+ 0x32,0x48,0x28,0xe7,0x02,0x5d,0xa6,0xa6
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_pr_nonce[] =
-+ {
-+ 0x3a,0xae,0x15,0xa9,0x99,0xdc,0xe4,0x67,0x34,0x3b,0x70,0x15,
-+ 0xaa,0xd3,0x30,0x9a
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_pr_personalizationstring[] =
-+ {
-+ 0x13,0x1d,0x24,0x04,0xb0,0x18,0x81,0x15,0x21,0x51,0x2a,0x24,
-+ 0x52,0x61,0xbe,0x64,0x82,0x6b,0x55,0x2f,0xe2,0xf1,0x40,0x7d,
-+ 0x71,0xd8,0x01,0x86,0x15,0xb7,0x8b,0xb5
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_pr_additionalinput[] =
-+ {
-+ 0x8f,0xa6,0x54,0x5f,0xb1,0xd0,0xd8,0xc3,0xe7,0x0c,0x15,0xa9,
-+ 0x23,0x6e,0xfe,0xfb,0x93,0xf7,0x3a,0xbd,0x59,0x01,0xfa,0x18,
-+ 0x8e,0xe9,0x1a,0xa9,0x78,0xfc,0x79,0x0b
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_pr_entropyinputpr[] =
-+ {
-+ 0xcf,0x24,0xb9,0xeb,0xb3,0xd4,0xcd,0x17,0x37,0x38,0x75,0x79,
-+ 0x15,0xcb,0x2d,0x75,0x51,0xf1,0xcc,0xaa,0x32,0xa4,0xa7,0x36,
-+ 0x7c,0x5c,0xe4,0x47,0xf1,0x3e,0x1d,0xe5
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_pr_int_returnedbits[] =
-+ {
-+ 0x52,0x42,0xfa,0xeb,0x85,0xe0,0x30,0x22,0x79,0x00,0x16,0xb2,
-+ 0x88,0x2f,0x14,0x6a,0xb7,0xfc,0xb7,0x53,0xdc,0x4a,0x12,0xef,
-+ 0x54,0xd6,0x33,0xe9,0x20,0xd6,0xfd,0x56
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_pr_additionalinput2[] =
-+ {
-+ 0xf4,0xf6,0x49,0xa1,0x2d,0x64,0x2b,0x30,0x58,0xf8,0xbd,0xb8,
-+ 0x75,0xeb,0xbb,0x5e,0x1c,0x9b,0x81,0x6a,0xda,0x14,0x86,0x6e,
-+ 0xd0,0xda,0x18,0xb7,0x88,0xfb,0x59,0xf3
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_pr_entropyinputpr2[] =
-+ {
-+ 0x21,0xcd,0x6e,0x46,0xad,0x99,0x07,0x17,0xb4,0x3d,0x76,0x0a,
-+ 0xff,0x5b,0x52,0x50,0x78,0xdf,0x1f,0x24,0x06,0x0d,0x3f,0x74,
-+ 0xa9,0xc9,0x37,0xcf,0xd8,0x26,0x25,0x91
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_pr_returnedbits[] =
-+ {
-+ 0xa7,0xaf,0x2f,0x29,0xe0,0x3a,0x72,0x95,0x96,0x1c,0xa9,0xf0,
-+ 0x4a,0x17,0x4d,0x66,0x06,0x10,0xbf,0x39,0x89,0x88,0xb8,0x91,
-+ 0x37,0x18,0x99,0xcf,0x8c,0x53,0x3b,0x7e
-+ };
-+
-+
-+/* HMAC SHA-256 No PR */
-+__fips_constseg
-+static const unsigned char hmac_sha256_entropyinput[] =
-+ {
-+ 0x96,0xb7,0x53,0x22,0x1e,0x52,0x2a,0x96,0xb1,0x15,0x3c,0x35,
-+ 0x5a,0x8b,0xd3,0x4a,0xa6,0x6c,0x83,0x0a,0x7d,0xa3,0x23,0x3d,
-+ 0x43,0xa1,0x07,0x2c,0x2d,0xe3,0x81,0xcc
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_nonce[] =
-+ {
-+ 0xf1,0xac,0x97,0xcb,0x5e,0x06,0x48,0xd2,0x94,0xbe,0x15,0x2e,
-+ 0xc7,0xfc,0xc2,0x01
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_personalizationstring[] =
-+ {
-+ 0x98,0xc5,0x1e,0x35,0x5e,0x89,0x0d,0xce,0x64,0x6d,0x18,0xa7,
-+ 0x5a,0xc6,0xf3,0xe7,0xd6,0x9e,0xc0,0xea,0xb7,0x3a,0x8d,0x65,
-+ 0xb8,0xeb,0x10,0xd7,0x57,0x18,0xa0,0x32
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_additionalinput[] =
-+ {
-+ 0x1b,0x10,0xaf,0xac,0xd0,0x65,0x95,0xad,0x04,0xad,0x03,0x1c,
-+ 0xe0,0x40,0xd6,0x3e,0x1c,0x46,0x53,0x39,0x7c,0xe2,0xbc,0xda,
-+ 0x8c,0xa2,0x33,0xa7,0x9a,0x26,0xd3,0x27
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_int_returnedbits[] =
-+ {
-+ 0xba,0x61,0x0e,0x55,0xfe,0x11,0x8a,0x9e,0x0f,0x80,0xdf,0x1d,
-+ 0x03,0x0a,0xfe,0x15,0x94,0x28,0x4b,0xba,0xf4,0x9f,0x51,0x25,
-+ 0x88,0xe5,0x4e,0xfb,0xaf,0xce,0x69,0x90
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_entropyinputreseed[] =
-+ {
-+ 0x62,0x7f,0x1e,0x6b,0xe8,0x8e,0xe1,0x35,0x7d,0x9b,0x4f,0xc7,
-+ 0xec,0xc8,0xac,0xef,0x6b,0x13,0x9e,0x05,0x56,0xc1,0x08,0xf9,
-+ 0x2f,0x0f,0x27,0x9c,0xd4,0x15,0xed,0x2d
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_additionalinputreseed[] =
-+ {
-+ 0xc7,0x76,0x6e,0xa9,0xd2,0xb2,0x76,0x40,0x82,0x25,0x2c,0xb3,
-+ 0x6f,0xac,0xe9,0x74,0xef,0x8f,0x3c,0x8e,0xcd,0xf1,0xbf,0xb3,
-+ 0x49,0x77,0x34,0x88,0x52,0x36,0xe6,0x2e
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_additionalinput2[] =
-+ {
-+ 0x8d,0xb8,0x0c,0xd1,0xbf,0x70,0xf6,0x19,0xc3,0x41,0x80,0x9f,
-+ 0xe1,0xa5,0xa4,0x1f,0x2c,0x26,0xb1,0xe5,0xd8,0xeb,0xbe,0xf8,
-+ 0xdf,0x88,0x6a,0x89,0xd6,0x05,0xd8,0x9d
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha256_returnedbits[] =
-+ {
-+ 0x43,0x12,0x2a,0x2c,0x40,0x53,0x2e,0x7c,0x66,0x34,0xac,0xc3,
-+ 0x43,0xe3,0xe0,0x6a,0xfc,0xfa,0xea,0x87,0x21,0x1f,0xe2,0x26,
-+ 0xc4,0xf9,0x09,0x9a,0x0d,0x6e,0x7f,0xe0
-+ };
-+
-+
-+/* HMAC SHA-384 PR */
-+__fips_constseg
-+static const unsigned char hmac_sha384_pr_entropyinput[] =
-+ {
-+ 0x69,0x81,0x98,0x88,0x44,0xf5,0xd6,0x2e,0x00,0x08,0x3b,0xc5,
-+ 0xfb,0xd7,0x8e,0x6f,0x23,0xf8,0x6d,0x09,0xd6,0x85,0x49,0xd1,
-+ 0xf8,0x6d,0xa4,0x58,0x54,0xfd,0x88,0xa9
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_pr_nonce[] =
-+ {
-+ 0x6e,0x38,0x81,0xca,0xb7,0xe8,0x6e,0x66,0x49,0x8a,0xb2,0x59,
-+ 0xee,0x16,0xc9,0xde
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_pr_personalizationstring[] =
-+ {
-+ 0xfe,0x4c,0xd9,0xf4,0x78,0x3b,0x08,0x41,0x8d,0x8f,0x55,0xc4,
-+ 0x43,0x56,0xb6,0x12,0x36,0x6b,0x30,0xb7,0x5e,0xe1,0xb9,0x47,
-+ 0x04,0xb1,0x4e,0xa9,0x00,0xa1,0x52,0xa1
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_pr_additionalinput[] =
-+ {
-+ 0x89,0xe9,0xcc,0x8f,0x27,0x3c,0x26,0xd1,0x95,0xc8,0x7d,0x0f,
-+ 0x5b,0x1a,0xf0,0x78,0x39,0x56,0x6f,0xa4,0x23,0xe7,0xd1,0xda,
-+ 0x7c,0x66,0x33,0xa0,0x90,0xc9,0x92,0x88
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_pr_entropyinputpr[] =
-+ {
-+ 0xbe,0x3d,0x7c,0x0d,0xca,0xda,0x7c,0x49,0xb8,0x12,0x36,0xc0,
-+ 0xdb,0xad,0x35,0xa8,0xc7,0x0b,0x2a,0x2c,0x69,0x6d,0x25,0x56,
-+ 0x63,0x82,0x11,0x3e,0xa7,0x33,0x70,0x72
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_pr_int_returnedbits[] =
-+ {
-+ 0x82,0x3d,0xe6,0x54,0x80,0x42,0xf8,0xba,0x90,0x4f,0x06,0xa6,
-+ 0xd2,0x7f,0xbf,0x79,0x7c,0x12,0x7d,0xa6,0xa2,0x66,0xe8,0xa6,
-+ 0xc0,0xd6,0x4a,0x55,0xbf,0xd8,0x0a,0xc5,0xf8,0x03,0x88,0xdd,
-+ 0x8e,0x87,0xd1,0x5a,0x48,0x26,0x72,0x2a,0x8e,0xcf,0xee,0xba
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_pr_additionalinput2[] =
-+ {
-+ 0x8f,0xff,0xd9,0x84,0xbb,0x85,0x3a,0x66,0xa1,0x21,0xce,0xb2,
-+ 0x3a,0x3a,0x17,0x22,0x19,0xae,0xc7,0xb6,0x63,0x81,0xd5,0xff,
-+ 0x0d,0xc8,0xe1,0xaf,0x57,0xd2,0xcb,0x60
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_pr_entropyinputpr2[] =
-+ {
-+ 0xd7,0xfb,0xc9,0xe8,0xe2,0xf2,0xaa,0x4c,0xb8,0x51,0x2f,0xe1,
-+ 0x22,0xba,0xf3,0xda,0x0a,0x19,0x76,0x71,0x57,0xb2,0x1d,0x94,
-+ 0x09,0x69,0x6c,0xd3,0x97,0x51,0x81,0x87
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_pr_returnedbits[] =
-+ {
-+ 0xe6,0x19,0x28,0xa8,0x21,0xce,0x5e,0xdb,0x24,0x79,0x8c,0x76,
-+ 0x5d,0x73,0xb2,0xdf,0xac,0xef,0x85,0xa7,0x3b,0x19,0x09,0x8b,
-+ 0x7f,0x98,0x28,0xa9,0x93,0xd8,0x7a,0xad,0x55,0x8b,0x24,0x9d,
-+ 0xe6,0x98,0xfe,0x47,0xd5,0x48,0xc1,0x23,0xd8,0x1d,0x62,0x75
-+ };
-+
-+
-+/* HMAC SHA-384 No PR */
-+__fips_constseg
-+static const unsigned char hmac_sha384_entropyinput[] =
-+ {
-+ 0xc3,0x56,0x2b,0x1d,0xc2,0xbb,0xa8,0xf0,0xae,0x1b,0x0d,0xd3,
-+ 0x5a,0x6c,0xda,0x57,0x8e,0xa5,0x8a,0x0d,0x6c,0x4b,0x18,0xb1,
-+ 0x04,0x3e,0xb4,0x99,0x35,0xc4,0xc0,0x5f
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_nonce[] =
-+ {
-+ 0xc5,0x49,0x1e,0x66,0x27,0x92,0xbe,0xec,0xb5,0x1e,0x4b,0xb1,
-+ 0x38,0xe3,0xeb,0x62
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_personalizationstring[] =
-+ {
-+ 0xbe,0xe7,0x6b,0x57,0xde,0x88,0x11,0x96,0x9b,0x6e,0xea,0xe5,
-+ 0x63,0x83,0x4c,0xb6,0x8d,0x66,0xaa,0x1f,0x8b,0x54,0xe7,0x62,
-+ 0x6d,0x5a,0xfc,0xbf,0x97,0xba,0xcd,0x77
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_additionalinput[] =
-+ {
-+ 0xe5,0x28,0x5f,0x43,0xf5,0x83,0x6e,0x0a,0x83,0x5c,0xe3,0x81,
-+ 0x03,0xf2,0xf8,0x78,0x00,0x7c,0x95,0x87,0x16,0xd6,0x6c,0x58,
-+ 0x33,0x6c,0x53,0x35,0x0d,0x66,0xe3,0xce
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_int_returnedbits[] =
-+ {
-+ 0xe2,0x1f,0xf3,0xda,0x0d,0x19,0x99,0x87,0xc4,0x90,0xa2,0x31,
-+ 0xca,0x2a,0x89,0x58,0x43,0x44,0xb8,0xde,0xcf,0xa4,0xbe,0x3b,
-+ 0x53,0x26,0x22,0x31,0x76,0x41,0x22,0xb5,0xa8,0x70,0x2f,0x4b,
-+ 0x64,0x95,0x4d,0x48,0x96,0x35,0xe6,0xbd,0x3c,0x34,0xdb,0x1b
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_entropyinputreseed[] =
-+ {
-+ 0x77,0x61,0xba,0xbc,0xf2,0xc1,0xf3,0x4b,0x86,0x65,0xfd,0x48,
-+ 0x0e,0x3c,0x02,0x5e,0xa2,0x7a,0x6b,0x7c,0xed,0x21,0x5e,0xf9,
-+ 0xcd,0xcd,0x77,0x07,0x2b,0xbe,0xc5,0x5c
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_additionalinputreseed[] =
-+ {
-+ 0x18,0x24,0x5f,0xc6,0x84,0xd1,0x67,0xc3,0x9a,0x11,0xa5,0x8c,
-+ 0x07,0x39,0x21,0x83,0x4d,0x04,0xc4,0x6a,0x28,0x19,0xcf,0x92,
-+ 0x21,0xd9,0x9e,0x41,0x72,0x6c,0x9e,0x63
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_additionalinput2[] =
-+ {
-+ 0x96,0x67,0x41,0x28,0x9b,0xb7,0x92,0x8d,0x64,0x3b,0xe4,0xcf,
-+ 0x7e,0xaa,0x1e,0xb1,0x4b,0x1d,0x09,0x56,0x67,0x9c,0xc6,0x6d,
-+ 0x3b,0xe8,0x91,0x9d,0xe1,0x8a,0xb7,0x32
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha384_returnedbits[] =
-+ {
-+ 0xe3,0x59,0x61,0x38,0x92,0xec,0xe2,0x3c,0xff,0xb7,0xdb,0x19,
-+ 0x0f,0x5b,0x93,0x68,0x0d,0xa4,0x94,0x40,0x72,0x0b,0xe0,0xed,
-+ 0x4d,0xcd,0x68,0xa0,0x1e,0xfe,0x67,0xb2,0xfa,0x21,0x56,0x74,
-+ 0xa4,0xad,0xcf,0xb7,0x60,0x66,0x2e,0x40,0xde,0x82,0xca,0xfb
-+ };
-+
-+
-+/* HMAC SHA-512 PR */
-+__fips_constseg
-+static const unsigned char hmac_sha512_pr_entropyinput[] =
-+ {
-+ 0xaa,0x9e,0x45,0x67,0x0e,0x00,0x2a,0x67,0x98,0xd6,0xda,0x0b,
-+ 0x0f,0x17,0x7e,0xac,0xfd,0x27,0xc4,0xca,0x84,0xdf,0xde,0xba,
-+ 0x85,0xd9,0xbe,0x8f,0xf3,0xff,0x91,0x4d
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_pr_nonce[] =
-+ {
-+ 0x8c,0x49,0x2f,0x58,0x1e,0x7a,0xda,0x4b,0x7e,0x8a,0x30,0x7b,
-+ 0x86,0xea,0xaf,0xa2
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_pr_personalizationstring[] =
-+ {
-+ 0x71,0xe1,0xbb,0xad,0xa7,0x4b,0x2e,0x31,0x3b,0x0b,0xec,0x24,
-+ 0x99,0x38,0xbc,0xaa,0x05,0x4c,0x46,0x44,0xfa,0xad,0x8e,0x02,
-+ 0xc1,0x7e,0xad,0xec,0x54,0xa6,0xd0,0xad
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_pr_additionalinput[] =
-+ {
-+ 0x3d,0x6e,0xa6,0xa8,0x29,0x2a,0xb2,0xf5,0x98,0x42,0xe4,0x92,
-+ 0x78,0x22,0x67,0xfd,0x1b,0x15,0x1e,0x29,0xaa,0x71,0x3c,0x3c,
-+ 0xe7,0x05,0x20,0xa9,0x29,0xc6,0x75,0x71
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_pr_entropyinputpr[] =
-+ {
-+ 0xab,0xb9,0x16,0xd8,0x55,0x35,0x54,0xb7,0x97,0x3f,0x94,0xbc,
-+ 0x2f,0x7c,0x70,0xc7,0xd0,0xed,0xb7,0x4b,0xf7,0xf6,0x6c,0x03,
-+ 0x0c,0xb0,0x03,0xd8,0xbb,0x71,0xd9,0x10
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_pr_int_returnedbits[] =
-+ {
-+ 0x8e,0xd3,0xfd,0x52,0x9e,0x83,0x08,0x49,0x18,0x6e,0x23,0x56,
-+ 0x5c,0x45,0x93,0x34,0x05,0xe2,0x98,0x8f,0x0c,0xd4,0x32,0x0c,
-+ 0xfd,0xda,0x5f,0x92,0x3a,0x8c,0x81,0xbd,0xf6,0x6c,0x55,0xfd,
-+ 0xb8,0x20,0xce,0x8d,0x97,0x27,0xe8,0xe8,0xe0,0xb3,0x85,0x50,
-+ 0xa2,0xc2,0xb2,0x95,0x1d,0x48,0xd3,0x7b,0x4b,0x78,0x13,0x35,
-+ 0x05,0x17,0xbe,0x0d
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_pr_additionalinput2[] =
-+ {
-+ 0xc3,0xfc,0x95,0xaa,0x69,0x06,0xae,0x59,0x41,0xce,0x26,0x08,
-+ 0x29,0x6d,0x45,0xda,0xe8,0xb3,0x6c,0x95,0x60,0x0f,0x70,0x2c,
-+ 0x10,0xba,0x38,0x8c,0xcf,0x29,0x99,0xaa
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_pr_entropyinputpr2[] =
-+ {
-+ 0x3b,0x9a,0x25,0xce,0xd7,0xf9,0x5c,0xd1,0x3a,0x3e,0xaa,0x71,
-+ 0x14,0x3e,0x19,0xe8,0xce,0xe6,0xfe,0x51,0x84,0xe9,0x1b,0xfe,
-+ 0x3f,0xa7,0xf2,0xfd,0x76,0x5f,0x6a,0xe7
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_pr_returnedbits[] =
-+ {
-+ 0xb7,0x82,0xa9,0x57,0x81,0x67,0x53,0xb5,0xa1,0xe9,0x3d,0x35,
-+ 0xf9,0xe4,0x97,0xbe,0xa6,0xca,0xf1,0x01,0x13,0x09,0xe7,0x21,
-+ 0xc0,0xed,0x93,0x5d,0x4b,0xf4,0xeb,0x8d,0x53,0x25,0x8a,0xc4,
-+ 0xb1,0x6f,0x6e,0x37,0xcd,0x2e,0xac,0x39,0xb2,0xb6,0x99,0xa3,
-+ 0x82,0x00,0xb0,0x21,0xf0,0xc7,0x2f,0x4c,0x73,0x92,0xfd,0x00,
-+ 0xb6,0xaf,0xbc,0xd3
-+ };
-+
-+
-+/* HMAC SHA-512 No PR */
-+__fips_constseg
-+static const unsigned char hmac_sha512_entropyinput[] =
-+ {
-+ 0x6e,0x85,0xe6,0x25,0x96,0x29,0xa7,0x52,0x5b,0x60,0xba,0xaa,
-+ 0xde,0xdb,0x36,0x0a,0x51,0x9a,0x15,0xae,0x6e,0x18,0xd3,0xfe,
-+ 0x39,0xb9,0x4a,0x96,0xf8,0x77,0xcb,0x95
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_nonce[] =
-+ {
-+ 0xe0,0xa6,0x5d,0x08,0xc3,0x7c,0xae,0x25,0x2e,0x80,0xd1,0x3e,
-+ 0xd9,0xaf,0x43,0x3c
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_personalizationstring[] =
-+ {
-+ 0x53,0x99,0x52,0x5f,0x11,0xa9,0x64,0x66,0x20,0x5e,0x1b,0x5f,
-+ 0x42,0xb3,0xf4,0xda,0xed,0xbb,0x63,0xc1,0x23,0xaf,0xd0,0x01,
-+ 0x90,0x3b,0xd0,0x78,0xe4,0x0b,0xa7,0x20
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_additionalinput[] =
-+ {
-+ 0x85,0x90,0x80,0xd3,0x98,0xf1,0x53,0x6d,0x68,0x15,0x8f,0xe5,
-+ 0x60,0x3f,0x17,0x29,0x55,0x8d,0x33,0xb1,0x45,0x64,0x64,0x8d,
-+ 0x50,0x21,0x89,0xae,0xf6,0xfd,0x32,0x73
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_int_returnedbits[] =
-+ {
-+ 0x28,0x56,0x30,0x6f,0xf4,0xa1,0x48,0xe0,0xc9,0xf5,0x75,0x90,
-+ 0xcc,0xfb,0xdf,0xdf,0x71,0x3d,0x0a,0x9a,0x03,0x65,0x3b,0x18,
-+ 0x61,0xe3,0xd1,0xda,0xcc,0x4a,0xfe,0x55,0x38,0xf8,0x21,0x6b,
-+ 0xfa,0x18,0x01,0x42,0x39,0x2f,0x99,0x53,0x38,0x15,0x82,0x34,
-+ 0xc5,0x93,0x92,0xbc,0x4d,0x75,0x1a,0x5f,0x21,0x27,0xcc,0xa1,
-+ 0xb1,0x57,0x69,0xe8
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_entropyinputreseed[] =
-+ {
-+ 0x8c,0x52,0x7e,0x77,0x72,0x3f,0xa3,0x04,0x97,0x10,0x9b,0x41,
-+ 0xbd,0xe8,0xff,0x89,0xed,0x80,0xe3,0xbd,0xaa,0x12,0x2d,0xca,
-+ 0x75,0x82,0x36,0x77,0x88,0xcd,0xa6,0x73
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_additionalinputreseed[] =
-+ {
-+ 0x7e,0x32,0xe3,0x69,0x69,0x07,0x34,0xa2,0x16,0xa2,0x5d,0x1a,
-+ 0x10,0x91,0xd3,0xe2,0x21,0xa2,0xa3,0xdd,0xcd,0x0c,0x09,0x86,
-+ 0x11,0xe1,0x50,0xff,0x5c,0xb7,0xeb,0x5c
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_additionalinput2[] =
-+ {
-+ 0x7f,0x78,0x66,0xd8,0xfb,0x67,0xcf,0x8d,0x8c,0x08,0x30,0xa5,
-+ 0xf8,0x7d,0xcf,0x44,0x59,0xce,0xf8,0xdf,0x58,0xd3,0x60,0xcb,
-+ 0xa8,0x60,0xb9,0x07,0xc4,0xb1,0x95,0x48
-+ };
-+
-+__fips_constseg
-+static const unsigned char hmac_sha512_returnedbits[] =
-+ {
-+ 0xdf,0xa7,0x36,0xd4,0xdc,0x5d,0x4d,0x31,0xad,0x69,0x46,0x9f,
-+ 0xf1,0x7c,0xd7,0x3b,0x4f,0x55,0xf2,0xd7,0xb9,0x9d,0xad,0x7a,
-+ 0x79,0x08,0x59,0xa5,0xdc,0x74,0xf5,0x9b,0x73,0xd2,0x13,0x25,
-+ 0x0b,0x81,0x08,0x08,0x25,0xfb,0x39,0xf2,0xf0,0xa3,0xa4,0x8d,
-+ 0xef,0x05,0x9e,0xb8,0xc7,0x52,0xe4,0x0e,0x42,0xaa,0x7c,0x79,
-+ 0xc2,0xd6,0xfd,0xa5
-+ };
-+
-diff -up openssl-1.0.1j/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.1j/crypto/fips/fips_dsa_selftest.c
---- openssl-1.0.1j/crypto/fips/fips_dsa_selftest.c.fips 2014-10-16 13:19:35.099306423 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_dsa_selftest.c 2014-10-16 13:19:35.099306423 +0200
-@@ -0,0 +1,193 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/dsa.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+static const unsigned char dsa_test_2048_p[] = {
-+ 0xa8,0x53,0x78,0xd8,0xfd,0x3f,0x8d,0x72,0xec,0x74,0x18,0x08,
-+ 0x0d,0xa2,0x13,0x17,0xe4,0x3e,0xc4,0xb6,0x2b,0xa8,0xc8,0x62,
-+ 0x3b,0x7e,0x4d,0x04,0x44,0x1d,0xd1,0xa0,0x65,0x86,0x62,0x59,
-+ 0x64,0x93,0xca,0x8e,0x9e,0x8f,0xbb,0x7e,0x34,0xaa,0xdd,0xb6,
-+ 0x2e,0x5d,0x67,0xb6,0xd0,0x9a,0x6e,0x61,0xb7,0x69,0xe7,0xc3,
-+ 0x52,0xaa,0x2b,0x10,0xe2,0x0c,0xa0,0x63,0x69,0x63,0xb5,0x52,
-+ 0x3e,0x86,0x47,0x0d,0xec,0xbb,0xed,0xa0,0x27,0xe7,0x97,0xe7,
-+ 0xb6,0x76,0x35,0xd4,0xd4,0x9c,0x30,0x70,0x0e,0x74,0xaf,0x8a,
-+ 0x0f,0xf1,0x56,0xa8,0x01,0xaf,0x57,0xa2,0x6e,0x70,0x78,0xf1,
-+ 0xd8,0x2f,0x74,0x90,0x8e,0xcb,0x6d,0x07,0xe7,0x0b,0x35,0x03,
-+ 0xee,0xd9,0x4f,0xa3,0x2c,0xf1,0x7a,0x7f,0xc3,0xd6,0xcf,0x40,
-+ 0xdc,0x7b,0x00,0x83,0x0e,0x6a,0x25,0x66,0xdc,0x07,0x3e,0x34,
-+ 0x33,0x12,0x51,0x7c,0x6a,0xa5,0x15,0x2b,0x4b,0xfe,0xcd,0x2e,
-+ 0x55,0x1f,0xee,0x34,0x63,0x18,0xa1,0x53,0x42,0x3c,0x99,0x6b,
-+ 0x0d,0x5d,0xcb,0x91,0x02,0xae,0xdd,0x38,0x79,0x86,0x16,0xf1,
-+ 0xf1,0xe0,0xd6,0xc4,0x03,0x52,0x5b,0x1f,0x9b,0x3d,0x4d,0xc7,
-+ 0x66,0xde,0x2d,0xfc,0x4a,0x56,0xd7,0xb8,0xba,0x59,0x63,0xd6,
-+ 0x0f,0x3e,0x16,0x31,0x88,0x70,0xad,0x43,0x69,0x52,0xe5,0x57,
-+ 0x65,0x37,0x4e,0xab,0x85,0xe8,0xec,0x17,0xd6,0xb9,0xa4,0x54,
-+ 0x7b,0x9b,0x5f,0x27,0x52,0xf3,0x10,0x5b,0xe8,0x09,0xb2,0x3a,
-+ 0x2c,0x8d,0x74,0x69,0xdb,0x02,0xe2,0x4d,0x59,0x23,0x94,0xa7,
-+ 0xdb,0xa0,0x69,0xe9
-+};
-+
-+static const unsigned char dsa_test_2048_q[] = {
-+ 0xd2,0x77,0x04,0x4e,0x50,0xf5,0xa4,0xe3,0xf5,0x10,0xa5,0x0a,
-+ 0x0b,0x84,0xfd,0xff,0xbc,0xa0,0x47,0xed,0x27,0x60,0x20,0x56,
-+ 0x74,0x41,0xa0,0xa5
-+};
-+
-+static const unsigned char dsa_test_2048_g[] = {
-+ 0x13,0xd7,0x54,0xe2,0x1f,0xd2,0x41,0x65,0x5d,0xa8,0x91,0xc5,
-+ 0x22,0xa6,0x5a,0x72,0xa8,0x9b,0xdc,0x64,0xec,0x9b,0x54,0xa8,
-+ 0x21,0xed,0x4a,0x89,0x8b,0x49,0x0e,0x0c,0x4f,0xcb,0x72,0x19,
-+ 0x2a,0x4a,0x20,0xf5,0x41,0xf3,0xf2,0x92,0x53,0x99,0xf0,0xba,
-+ 0xec,0xf9,0x29,0xaa,0xfb,0xf7,0x9d,0xfe,0x43,0x32,0x39,0x3b,
-+ 0x32,0xcd,0x2e,0x2f,0xcf,0x27,0x2f,0x32,0xa6,0x27,0x43,0x4a,
-+ 0x0d,0xf2,0x42,0xb7,0x5b,0x41,0x4d,0xf3,0x72,0x12,0x1e,0x53,
-+ 0xa5,0x53,0xf2,0x22,0xf8,0x36,0xb0,0x00,0xf0,0x16,0x48,0x5b,
-+ 0x6b,0xd0,0x89,0x84,0x51,0x80,0x1d,0xcd,0x8d,0xe6,0x4c,0xd5,
-+ 0x36,0x56,0x96,0xff,0xc5,0x32,0xd5,0x28,0xc5,0x06,0x62,0x0a,
-+ 0x94,0x2a,0x03,0x05,0x04,0x6d,0x8f,0x18,0x76,0x34,0x1f,0x1e,
-+ 0x57,0x0b,0xc3,0x97,0x4b,0xa6,0xb9,0xa4,0x38,0xe9,0x70,0x23,
-+ 0x02,0xa2,0xe6,0xe6,0x7b,0xfd,0x06,0xd3,0x2b,0xc6,0x79,0x96,
-+ 0x22,0x71,0xd7,0xb4,0x0c,0xd7,0x2f,0x38,0x6e,0x64,0xe0,0xd7,
-+ 0xef,0x86,0xca,0x8c,0xa5,0xd1,0x42,0x28,0xdc,0x2a,0x4f,0x16,
-+ 0xe3,0x18,0x98,0x86,0xb5,0x99,0x06,0x74,0xf4,0x20,0x0f,0x3a,
-+ 0x4c,0xf6,0x5a,0x3f,0x0d,0xdb,0xa1,0xfa,0x67,0x2d,0xff,0x2f,
-+ 0x5e,0x14,0x3d,0x10,0xe4,0xe9,0x7a,0xe8,0x4f,0x6d,0xa0,0x95,
-+ 0x35,0xd5,0xb9,0xdf,0x25,0x91,0x81,0xa7,0x9b,0x63,0xb0,0x69,
-+ 0xe9,0x49,0x97,0x2b,0x02,0xba,0x36,0xb3,0x58,0x6a,0xab,0x7e,
-+ 0x45,0xf3,0x22,0xf8,0x2e,0x4e,0x85,0xca,0x3a,0xb8,0x55,0x91,
-+ 0xb3,0xc2,0xa9,0x66
-+};
-+
-+static const unsigned char dsa_test_2048_pub_key[] = {
-+ 0x24,0x52,0xf3,0xcc,0xbe,0x9e,0xd5,0xca,0x7d,0xc7,0x4c,0x60,
-+ 0x2b,0x99,0x22,0x6e,0x8f,0x2f,0xab,0x38,0xe7,0xd7,0xdd,0xfb,
-+ 0x75,0x53,0x9b,0x17,0x15,0x5e,0x9f,0xcf,0xd1,0xab,0xa5,0x64,
-+ 0xeb,0x85,0x35,0xd8,0x12,0xc9,0xc2,0xdc,0xf9,0x72,0x84,0x44,
-+ 0x1b,0xc4,0x82,0x24,0x36,0x24,0xc7,0xf4,0x57,0x58,0x0c,0x1c,
-+ 0x38,0xa5,0x7c,0x46,0xc4,0x57,0x39,0x24,0x70,0xed,0xb5,0x2c,
-+ 0xb5,0xa6,0xe0,0x3f,0xe6,0x28,0x7b,0xb6,0xf4,0x9a,0x42,0xa2,
-+ 0x06,0x5a,0x05,0x4f,0x03,0x08,0x39,0xdf,0x1f,0xd3,0x14,0x9c,
-+ 0x4c,0xa0,0x53,0x1d,0xd8,0xca,0x8a,0xaa,0x9c,0xc7,0x33,0x71,
-+ 0x93,0x38,0x73,0x48,0x33,0x61,0x18,0x22,0x45,0x45,0xe8,0x8c,
-+ 0x80,0xff,0xd8,0x76,0x5d,0x74,0x36,0x03,0x33,0xcc,0xab,0x99,
-+ 0x72,0x77,0x9b,0x65,0x25,0xa6,0x5b,0xdd,0x0d,0x10,0xc6,0x75,
-+ 0xc1,0x09,0xbb,0xd3,0xe5,0xbe,0x4d,0x72,0xef,0x6e,0xba,0x6e,
-+ 0x43,0x8d,0x52,0x26,0x23,0x7d,0xb8,0x88,0x37,0x9c,0x5f,0xcc,
-+ 0x47,0xa3,0x84,0x7f,0xf6,0x37,0x11,0xba,0xed,0x6d,0x03,0xaf,
-+ 0xe8,0x1e,0x69,0x4a,0x41,0x3b,0x68,0x0b,0xd3,0x8a,0xb4,0x90,
-+ 0x3f,0x83,0x70,0xa7,0x07,0xef,0x55,0x1d,0x49,0x41,0x02,0x6d,
-+ 0x95,0x79,0xd6,0x91,0xde,0x8e,0xda,0xa1,0x61,0x05,0xeb,0x9d,
-+ 0xba,0x3c,0x2f,0x4c,0x1b,0xec,0x50,0x82,0x75,0xaa,0x02,0x07,
-+ 0xe2,0x51,0xb5,0xec,0xcb,0x28,0x6a,0x4b,0x01,0xd4,0x49,0xd3,
-+ 0x0a,0xcb,0x67,0x37,0x17,0xa0,0xd2,0xfb,0x3b,0x50,0xc8,0x93,
-+ 0xf7,0xda,0xb1,0x4f
-+};
-+
-+static const unsigned char dsa_test_2048_priv_key[] = {
-+ 0x0c,0x4b,0x30,0x89,0xd1,0xb8,0x62,0xcb,0x3c,0x43,0x64,0x91,
-+ 0xf0,0x91,0x54,0x70,0xc5,0x27,0x96,0xe3,0xac,0xbe,0xe8,0x00,
-+ 0xec,0x55,0xf6,0xcc
-+};
-+
-+static int corrupt_dsa;
-+
-+void FIPS_corrupt_dsa()
-+ {
-+ corrupt_dsa = 1;
-+ }
-+
-+int FIPS_selftest_dsa()
-+ {
-+ DSA *dsa = NULL;
-+ EVP_PKEY *pk = NULL;
-+ int ret = 0;
-+
-+ dsa = DSA_new();
-+
-+ if(dsa == NULL)
-+ goto err;
-+
-+ fips_load_key_component(dsa, p, dsa_test_2048);
-+ fips_load_key_component(dsa, q, dsa_test_2048);
-+ fips_load_key_component(dsa, g, dsa_test_2048);
-+ fips_load_key_component(dsa, pub_key, dsa_test_2048);
-+ fips_load_key_component(dsa, priv_key, dsa_test_2048);
-+
-+ if (corrupt_dsa)
-+ BN_set_bit(dsa->pub_key, 2047);
-+
-+ if ((pk=EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_assign_DSA(pk, dsa);
-+
-+ if (!fips_pkey_signature_test(pk, NULL, 0,
-+ NULL, 0, EVP_sha256(), 0,
-+ "DSA SHA256"))
-+ goto err;
-+ ret = 1;
-+
-+ err:
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+ else if (dsa)
-+ DSA_free(dsa);
-+ return ret;
-+ }
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/fips_enc.c.fips openssl-1.0.1j/crypto/fips/fips_enc.c
---- openssl-1.0.1j/crypto/fips/fips_enc.c.fips 2014-10-16 13:19:35.099306423 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_enc.c 2014-10-16 13:19:35.099306423 +0200
-@@ -0,0 +1,191 @@
-+/* fipe/evp/fips_enc.c */
-+/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay at cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ *
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to. The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
-+ *
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * "This product includes cryptographic software written by
-+ * Eric Young (eay at cryptsoft.com)"
-+ * The word 'cryptographic' can be left out if the rouines from the library
-+ * being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from
-+ * the apps directory (application code) you must include an acknowledgement:
-+ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed. i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+
-+#include <stdio.h>
-+#include <string.h>
-+#include <openssl/evp.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+
-+const EVP_CIPHER *FIPS_get_cipherbynid(int nid)
-+ {
-+ switch (nid)
-+ {
-+ case NID_aes_128_cbc:
-+ return EVP_aes_128_cbc();
-+
-+ case NID_aes_128_ccm:
-+ return EVP_aes_128_ccm();
-+
-+ case NID_aes_128_cfb1:
-+ return EVP_aes_128_cfb1();
-+
-+ case NID_aes_128_cfb128:
-+ return EVP_aes_128_cfb128();
-+
-+ case NID_aes_128_cfb8:
-+ return EVP_aes_128_cfb8();
-+
-+ case NID_aes_128_ctr:
-+ return EVP_aes_128_ctr();
-+
-+ case NID_aes_128_ecb:
-+ return EVP_aes_128_ecb();
-+
-+ case NID_aes_128_gcm:
-+ return EVP_aes_128_gcm();
-+
-+ case NID_aes_128_ofb128:
-+ return EVP_aes_128_ofb();
-+
-+ case NID_aes_128_xts:
-+ return EVP_aes_128_xts();
-+
-+ case NID_aes_192_cbc:
-+ return EVP_aes_192_cbc();
-+
-+ case NID_aes_192_ccm:
-+ return EVP_aes_192_ccm();
-+
-+ case NID_aes_192_cfb1:
-+ return EVP_aes_192_cfb1();
-+
-+ case NID_aes_192_cfb128:
-+ return EVP_aes_192_cfb128();
-+
-+ case NID_aes_192_cfb8:
-+ return EVP_aes_192_cfb8();
-+
-+ case NID_aes_192_ctr:
-+ return EVP_aes_192_ctr();
-+
-+ case NID_aes_192_ecb:
-+ return EVP_aes_192_ecb();
-+
-+ case NID_aes_192_gcm:
-+ return EVP_aes_192_gcm();
-+
-+ case NID_aes_192_ofb128:
-+ return EVP_aes_192_ofb();
-+
-+ case NID_aes_256_cbc:
-+ return EVP_aes_256_cbc();
-+
-+ case NID_aes_256_ccm:
-+ return EVP_aes_256_ccm();
-+
-+ case NID_aes_256_cfb1:
-+ return EVP_aes_256_cfb1();
-+
-+ case NID_aes_256_cfb128:
-+ return EVP_aes_256_cfb128();
-+
-+ case NID_aes_256_cfb8:
-+ return EVP_aes_256_cfb8();
-+
-+ case NID_aes_256_ctr:
-+ return EVP_aes_256_ctr();
-+
-+ case NID_aes_256_ecb:
-+ return EVP_aes_256_ecb();
-+
-+ case NID_aes_256_gcm:
-+ return EVP_aes_256_gcm();
-+
-+ case NID_aes_256_ofb128:
-+ return EVP_aes_256_ofb();
-+
-+ case NID_aes_256_xts:
-+ return EVP_aes_256_xts();
-+
-+ case NID_des_ede_ecb:
-+ return EVP_des_ede();
-+
-+ case NID_des_ede3_ecb:
-+ return EVP_des_ede3();
-+
-+ case NID_des_ede3_cbc:
-+ return EVP_des_ede3_cbc();
-+
-+ case NID_des_ede3_cfb1:
-+ return EVP_des_ede3_cfb1();
-+
-+ case NID_des_ede3_cfb64:
-+ return EVP_des_ede3_cfb64();
-+
-+ case NID_des_ede3_cfb8:
-+ return EVP_des_ede3_cfb8();
-+
-+ case NID_des_ede3_ofb64:
-+ return EVP_des_ede3_ofb();
-+
-+ case NID_des_ede_cbc:
-+ return EVP_des_ede_cbc();
-+
-+ case NID_des_ede_cfb64:
-+ return EVP_des_ede_cfb64();
-+
-+ case NID_des_ede_ofb64:
-+ return EVP_des_ede_ofb();
-+
-+ default:
-+ return NULL;
-+
-+ }
-+ }
-+
-diff -up openssl-1.0.1j/crypto/fips/fips.h.fips openssl-1.0.1j/crypto/fips/fips.h
---- openssl-1.0.1j/crypto/fips/fips.h.fips 2014-10-16 13:19:35.099306423 +0200
-+++ openssl-1.0.1j/crypto/fips/fips.h 2014-10-16 13:19:35.099306423 +0200
-@@ -0,0 +1,279 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <openssl/opensslconf.h>
-+#include <openssl/crypto.h>
-+#include <stdarg.h>
-+
-+#ifndef OPENSSL_FIPS
-+#error FIPS is disabled.
-+#endif
-+
-+#ifdef OPENSSL_FIPS
-+
-+#ifdef __cplusplus
-+extern "C" {
-+#endif
-+
-+struct dsa_st;
-+struct rsa_st;
-+struct evp_pkey_st;
-+struct env_md_st;
-+struct env_md_ctx_st;
-+struct evp_cipher_st;
-+struct evp_cipher_ctx_st;
-+struct dh_method;
-+struct CMAC_CTX_st;
-+struct hmac_ctx_st;
-+
-+int FIPS_module_mode_set(int onoff, const char *auth);
-+int FIPS_module_mode(void);
-+const void *FIPS_rand_check(void);
-+int FIPS_selftest(void);
-+int FIPS_selftest_failed(void);
-+void FIPS_corrupt_sha1(void);
-+int FIPS_selftest_sha1(void);
-+int FIPS_selftest_sha2(void);
-+void FIPS_corrupt_aes(void);
-+int FIPS_selftest_aes_ccm(void);
-+int FIPS_selftest_aes_gcm(void);
-+int FIPS_selftest_aes_xts(void);
-+int FIPS_selftest_aes(void);
-+void FIPS_corrupt_des(void);
-+int FIPS_selftest_des(void);
-+void FIPS_corrupt_rsa(void);
-+void FIPS_corrupt_rsa_keygen(void);
-+int FIPS_selftest_rsa(void);
-+void FIPS_corrupt_dsa(void);
-+void FIPS_corrupt_dsa_keygen(void);
-+int FIPS_selftest_dsa(void);
-+void FIPS_corrupt_rng(void);
-+void FIPS_rng_stick(void);
-+void FIPS_x931_stick(int onoff);
-+void FIPS_drbg_stick(int onoff);
-+int FIPS_selftest_rng(void);
-+int FIPS_selftest_x931(void);
-+int FIPS_selftest_hmac(void);
-+int FIPS_selftest_drbg(void);
-+int FIPS_selftest_drbg_all(void);
-+int FIPS_selftest_cmac(void);
-+
-+void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
-+
-+#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \
-+ alg " previous FIPS forbidden algorithm error ignored");
-+
-+int fips_pkey_signature_test(struct evp_pkey_st *pkey,
-+ const unsigned char *tbs, int tbslen,
-+ const unsigned char *kat, unsigned int katlen,
-+ const struct env_md_st *digest, unsigned int md_flags,
-+ const char *fail_str);
-+
-+int fips_cipher_test(struct evp_cipher_ctx_st *ctx,
-+ const struct evp_cipher_st *cipher,
-+ const unsigned char *key,
-+ const unsigned char *iv,
-+ const unsigned char *plaintext,
-+ const unsigned char *ciphertext,
-+ int len);
-+
-+void fips_set_selftest_fail(void);
-+
-+const struct env_md_st *FIPS_get_digestbynid(int nid);
-+
-+const struct evp_cipher_st *FIPS_get_cipherbynid(int nid);
-+
-+
-+/* BEGIN ERROR CODES */
-+/* The following lines are auto generated by the script mkerr.pl. Any changes
-+ * made after this point may be overwritten when the script is next run.
-+ */
-+void ERR_load_FIPS_strings(void);
-+
-+/* Error codes for the FIPS functions. */
-+
-+/* Function codes. */
-+#define FIPS_F_DH_BUILTIN_GENPARAMS 100
-+#define FIPS_F_DH_INIT 148
-+#define FIPS_F_DRBG_RESEED 162
-+#define FIPS_F_DSA_BUILTIN_PARAMGEN 101
-+#define FIPS_F_DSA_BUILTIN_PARAMGEN2 107
-+#define FIPS_F_DSA_DO_SIGN 102
-+#define FIPS_F_DSA_DO_VERIFY 103
-+#define FIPS_F_ECDH_COMPUTE_KEY 163
-+#define FIPS_F_ECDSA_DO_SIGN 164
-+#define FIPS_F_ECDSA_DO_VERIFY 165
-+#define FIPS_F_EC_KEY_GENERATE_KEY 166
-+#define FIPS_F_EVP_CIPHERINIT_EX 124
-+#define FIPS_F_EVP_DIGESTINIT_EX 125
-+#define FIPS_F_FIPS_CHECK_DSA 104
-+#define FIPS_F_FIPS_CHECK_DSA_PRNG 151
-+#define FIPS_F_FIPS_CHECK_EC 142
-+#define FIPS_F_FIPS_CHECK_EC_PRNG 152
-+#define FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT 105
-+#define FIPS_F_FIPS_CHECK_RSA 106
-+#define FIPS_F_FIPS_CHECK_RSA_PRNG 150
-+#define FIPS_F_FIPS_CIPHER 160
-+#define FIPS_F_FIPS_CIPHERINIT 143
-+#define FIPS_F_FIPS_CIPHER_CTX_CTRL 161
-+#define FIPS_F_FIPS_DIGESTFINAL 158
-+#define FIPS_F_FIPS_DIGESTINIT 128
-+#define FIPS_F_FIPS_DIGESTUPDATE 159
-+#define FIPS_F_FIPS_DRBG_BYTES 131
-+#define FIPS_F_FIPS_DRBG_CHECK 146
-+#define FIPS_F_FIPS_DRBG_CPRNG_TEST 132
-+#define FIPS_F_FIPS_DRBG_ERROR_CHECK 136
-+#define FIPS_F_FIPS_DRBG_GENERATE 134
-+#define FIPS_F_FIPS_DRBG_INIT 135
-+#define FIPS_F_FIPS_DRBG_INSTANTIATE 138
-+#define FIPS_F_FIPS_DRBG_NEW 139
-+#define FIPS_F_FIPS_DRBG_RESEED 140
-+#define FIPS_F_FIPS_DRBG_SINGLE_KAT 141
-+#define FIPS_F_FIPS_DSA_CHECK /* unused */ 107
-+#define FIPS_F_FIPS_DSA_SIGN_DIGEST 154
-+#define FIPS_F_FIPS_DSA_VERIFY_DIGEST 155
-+#define FIPS_F_FIPS_GET_ENTROPY 147
-+#define FIPS_F_FIPS_MODE_SET /* unused */ 108
-+#define FIPS_F_FIPS_MODULE_MODE_SET 108
-+#define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109
-+#define FIPS_F_FIPS_RAND_ADD 137
-+#define FIPS_F_FIPS_RAND_BYTES 122
-+#define FIPS_F_FIPS_RAND_PSEUDO_BYTES 167
-+#define FIPS_F_FIPS_RAND_SEED 168
-+#define FIPS_F_FIPS_RAND_SET_METHOD 126
-+#define FIPS_F_FIPS_RAND_STATUS 127
-+#define FIPS_F_FIPS_RSA_SIGN_DIGEST 156
-+#define FIPS_F_FIPS_RSA_VERIFY_DIGEST 157
-+#define FIPS_F_FIPS_SELFTEST_AES 110
-+#define FIPS_F_FIPS_SELFTEST_AES_CCM 145
-+#define FIPS_F_FIPS_SELFTEST_AES_GCM 129
-+#define FIPS_F_FIPS_SELFTEST_AES_XTS 144
-+#define FIPS_F_FIPS_SELFTEST_CMAC 130
-+#define FIPS_F_FIPS_SELFTEST_DES 111
-+#define FIPS_F_FIPS_SELFTEST_DSA 112
-+#define FIPS_F_FIPS_SELFTEST_ECDSA 133
-+#define FIPS_F_FIPS_SELFTEST_HMAC 113
-+#define FIPS_F_FIPS_SELFTEST_RNG /* unused */ 114
-+#define FIPS_F_FIPS_SELFTEST_SHA1 115
-+#define FIPS_F_FIPS_SELFTEST_X931 114
-+#define FIPS_F_FIPS_SET_PRNG_KEY 153
-+#define FIPS_F_HASH_FINAL 123
-+#define FIPS_F_RSA_BUILTIN_KEYGEN 116
-+#define FIPS_F_RSA_EAY_INIT 149
-+#define FIPS_F_RSA_EAY_PRIVATE_DECRYPT 117
-+#define FIPS_F_RSA_EAY_PRIVATE_ENCRYPT 118
-+#define FIPS_F_RSA_EAY_PUBLIC_DECRYPT 119
-+#define FIPS_F_RSA_EAY_PUBLIC_ENCRYPT 120
-+#define FIPS_F_RSA_X931_GENERATE_KEY_EX 121
-+#define FIPS_F_SSLEAY_RAND_BYTES /* unused */ 122
-+
-+/* Reason codes. */
-+#define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 150
-+#define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 125
-+#define FIPS_R_ALREADY_INSTANTIATED 134
-+#define FIPS_R_AUTHENTICATION_FAILURE 151
-+#define FIPS_R_CANNOT_READ_EXE /* unused */ 103
-+#define FIPS_R_CANNOT_READ_EXE_DIGEST /* unused */ 104
-+#define FIPS_R_CONTRADICTING_EVIDENCE 114
-+#define FIPS_R_DRBG_NOT_INITIALISED 152
-+#define FIPS_R_DRBG_STUCK 103
-+#define FIPS_R_ENTROPY_ERROR_UNDETECTED 104
-+#define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105
-+#define FIPS_R_ENTROPY_SOURCE_STUCK 142
-+#define FIPS_R_ERROR_INITIALISING_DRBG 115
-+#define FIPS_R_ERROR_INSTANTIATING_DRBG 127
-+#define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 124
-+#define FIPS_R_ERROR_RETRIEVING_ENTROPY 122
-+#define FIPS_R_ERROR_RETRIEVING_NONCE 140
-+#define FIPS_R_EXE_DIGEST_DOES_NOT_MATCH /* unused */ 105
-+#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 110
-+#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED 111
-+#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING 112
-+#define FIPS_R_FIPS_MODE_ALREADY_SET 102
-+#define FIPS_R_FIPS_SELFTEST_FAILED 106
-+#define FIPS_R_FUNCTION_ERROR 116
-+#define FIPS_R_GENERATE_ERROR 137
-+#define FIPS_R_GENERATE_ERROR_UNDETECTED 118
-+#define FIPS_R_INSTANTIATE_ERROR 119
-+#define FIPS_R_INSUFFICIENT_SECURITY_STRENGTH 120
-+#define FIPS_R_INTERNAL_ERROR 121
-+#define FIPS_R_INVALID_KEY_LENGTH 109
-+#define FIPS_R_INVALID_PARAMETERS 144
-+#define FIPS_R_IN_ERROR_STATE 123
-+#define FIPS_R_KEY_TOO_SHORT 108
-+#define FIPS_R_NONCE_ERROR_UNDETECTED 149
-+#define FIPS_R_NON_FIPS_METHOD 100
-+#define FIPS_R_NOPR_TEST1_FAILURE 145
-+#define FIPS_R_NOPR_TEST2_FAILURE 146
-+#define FIPS_R_NOT_INSTANTIATED 126
-+#define FIPS_R_PAIRWISE_TEST_FAILED 107
-+#define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128
-+#define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129
-+#define FIPS_R_PRNG_STRENGTH_TOO_LOW 143
-+#define FIPS_R_PR_TEST1_FAILURE 147
-+#define FIPS_R_PR_TEST2_FAILURE 148
-+#define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 130
-+#define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 131
-+#define FIPS_R_RESEED_COUNTER_ERROR 132
-+#define FIPS_R_RESEED_ERROR 133
-+#define FIPS_R_RSA_DECRYPT_ERROR /* unused */ 115
-+#define FIPS_R_RSA_ENCRYPT_ERROR /* unused */ 116
-+#define FIPS_R_SELFTEST_FAILED 101
-+#define FIPS_R_SELFTEST_FAILURE 135
-+#define FIPS_R_STRENGTH_ERROR_UNDETECTED 136
-+#define FIPS_R_TEST_FAILURE 117
-+#define FIPS_R_UNINSTANTIATE_ERROR 141
-+#define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 138
-+#define FIPS_R_UNSUPPORTED_DRBG_TYPE 139
-+#define FIPS_R_UNSUPPORTED_PLATFORM 113
-+
-+#ifdef __cplusplus
-+}
-+#endif
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.1j/crypto/fips/fips_hmac_selftest.c
---- openssl-1.0.1j/crypto/fips/fips_hmac_selftest.c.fips 2014-10-16 13:19:35.099306423 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_hmac_selftest.c 2014-10-16 13:19:35.099306423 +0200
-@@ -0,0 +1,137 @@
-+/* ====================================================================
-+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+#include <openssl/hmac.h>
-+
-+#ifdef OPENSSL_FIPS
-+typedef struct {
-+ const EVP_MD *(*alg)(void);
-+ const char *key, *iv;
-+ unsigned char kaval[EVP_MAX_MD_SIZE];
-+} HMAC_KAT;
-+
-+static const HMAC_KAT vector[] = {
-+ { EVP_sha1,
-+ /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ { 0x09,0x22,0xd3,0x40,0x5f,0xaa,0x3d,0x19,
-+ 0x4f,0x82,0xa4,0x58,0x30,0x73,0x7d,0x5c,
-+ 0xc6,0xc7,0x5d,0x24 }
-+ },
-+ { EVP_sha224,
-+ /* just keep extending the above... */
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ { 0xdd,0xef,0x0a,0x40,0xcb,0x7d,0x50,0xfb,
-+ 0x6e,0xe6,0xce,0xa1,0x20,0xba,0x26,0xaa,
-+ 0x08,0xf3,0x07,0x75,0x87,0xb8,0xad,0x1b,
-+ 0x8c,0x8d,0x12,0xc7 }
-+ },
-+ { EVP_sha256,
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ { 0xb8,0xf2,0x0d,0xb5,0x41,0xea,0x43,0x09,
-+ 0xca,0x4e,0xa9,0x38,0x0c,0xd0,0xe8,0x34,
-+ 0xf7,0x1f,0xbe,0x91,0x74,0xa2,0x61,0x38,
-+ 0x0d,0xc1,0x7e,0xae,0x6a,0x34,0x51,0xd9 }
-+ },
-+ { EVP_sha384,
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ { 0x08,0xbc,0xb0,0xda,0x49,0x1e,0x87,0xad,
-+ 0x9a,0x1d,0x6a,0xce,0x23,0xc5,0x0b,0xf6,
-+ 0xb7,0x18,0x06,0xa5,0x77,0xcd,0x49,0x04,
-+ 0x89,0xf1,0xe6,0x23,0x44,0x51,0x51,0x9f,
-+ 0x85,0x56,0x80,0x79,0x0c,0xbd,0x4d,0x50,
-+ 0xa4,0x5f,0x29,0xe3,0x93,0xf0,0xe8,0x7f }
-+ },
-+ { EVP_sha512,
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ { 0x80,0x9d,0x44,0x05,0x7c,0x5b,0x95,0x41,
-+ 0x05,0xbd,0x04,0x13,0x16,0xdb,0x0f,0xac,
-+ 0x44,0xd5,0xa4,0xd5,0xd0,0x89,0x2b,0xd0,
-+ 0x4e,0x86,0x64,0x12,0xc0,0x90,0x77,0x68,
-+ 0xf1,0x87,0xb7,0x7c,0x4f,0xae,0x2c,0x2f,
-+ 0x21,0xa5,0xb5,0x65,0x9a,0x4f,0x4b,0xa7,
-+ 0x47,0x02,0xa3,0xde,0x9b,0x51,0xf1,0x45,
-+ 0xbd,0x4f,0x25,0x27,0x42,0x98,0x99,0x05 }
-+ },
-+};
-+
-+int FIPS_selftest_hmac()
-+ {
-+ int n;
-+ unsigned int outlen;
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ const EVP_MD *md;
-+ const HMAC_KAT *t;
-+
-+ for(n=0,t=vector; n<sizeof(vector)/sizeof(vector[0]); n++,t++)
-+ {
-+ md = (*t->alg)();
-+ HMAC(md,t->key,strlen(t->key),
-+ (const unsigned char *)t->iv,strlen(t->iv),
-+ out,&outlen);
-+
-+ if(memcmp(out,t->kaval,outlen))
-+ {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC,FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+ }
-+ return 1;
-+ }
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/fips_locl.h.fips openssl-1.0.1j/crypto/fips/fips_locl.h
---- openssl-1.0.1j/crypto/fips/fips_locl.h.fips 2014-10-16 13:19:35.100306446 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_locl.h 2014-10-16 13:19:35.099306423 +0200
-@@ -0,0 +1,71 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#ifdef OPENSSL_FIPS
-+
-+#ifdef __cplusplus
-+extern "C" {
-+#endif
-+
-+#define FIPS_MAX_CIPHER_TEST_SIZE 32
-+#define fips_load_key_component(key, comp, pre) \
-+ key->comp = BN_bin2bn(pre##_##comp, sizeof(pre##_##comp), key->comp); \
-+ if (!key->comp) \
-+ goto err
-+
-+#define fips_post_started(id, subid, ex) 1
-+#define fips_post_success(id, subid, ex) 1
-+#define fips_post_failed(id, subid, ex) 1
-+#define fips_post_corrupt(id, subid, ex) 1
-+#define fips_post_status() 1
-+
-+#ifdef __cplusplus
-+}
-+#endif
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/fips_md.c.fips openssl-1.0.1j/crypto/fips/fips_md.c
---- openssl-1.0.1j/crypto/fips/fips_md.c.fips 2014-10-16 13:19:35.100306446 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_md.c 2014-10-16 13:19:35.100306446 +0200
-@@ -0,0 +1,145 @@
-+/* fips/evp/fips_md.c */
-+/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay at cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ *
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to. The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
-+ *
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * "This product includes cryptographic software written by
-+ * Eric Young (eay at cryptsoft.com)"
-+ * The word 'cryptographic' can be left out if the rouines from the library
-+ * being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from
-+ * the apps directory (application code) you must include an acknowledgement:
-+ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed. i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+/* ====================================================================
-+ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay at cryptsoft.com). This product includes software written by Tim
-+ * Hudson (tjh at cryptsoft.com).
-+ *
-+ */
-+
-+/* Minimal standalone FIPS versions of Digest operations */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include <stdio.h>
-+#include <string.h>
-+#include <openssl/objects.h>
-+#include <openssl/evp.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+
-+const EVP_MD *FIPS_get_digestbynid(int nid)
-+ {
-+ switch (nid)
-+ {
-+ case NID_sha1:
-+ return EVP_sha1();
-+
-+ case NID_sha224:
-+ return EVP_sha224();
-+
-+ case NID_sha256:
-+ return EVP_sha256();
-+
-+ case NID_sha384:
-+ return EVP_sha384();
-+
-+ case NID_sha512:
-+ return EVP_sha512();
-+
-+ default:
-+ return NULL;
-+ }
-+ }
-diff -up openssl-1.0.1j/crypto/fips/fips_post.c.fips openssl-1.0.1j/crypto/fips/fips_post.c
---- openssl-1.0.1j/crypto/fips/fips_post.c.fips 2014-10-16 13:19:35.100306446 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_post.c 2014-10-16 13:19:35.100306446 +0200
-@@ -0,0 +1,205 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include <openssl/crypto.h>
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include <openssl/err.h>
-+#include <openssl/bio.h>
-+#include <openssl/hmac.h>
-+#include <openssl/rsa.h>
-+#include <openssl/dsa.h>
-+#include <string.h>
-+#include <limits.h>
-+
-+#ifdef OPENSSL_FIPS
-+
-+/* Power on self test (POST) support functions */
-+
-+#include <openssl/fips.h>
-+#include "fips_locl.h"
-+
-+/* Run all selftests */
-+int FIPS_selftest(void)
-+ {
-+ int rv = 1;
-+ if (!FIPS_selftest_drbg())
-+ rv = 0;
-+ if (!FIPS_selftest_x931())
-+ rv = 0;
-+ if (!FIPS_selftest_sha1())
-+ rv = 0;
-+ if (!FIPS_selftest_sha2())
-+ rv = 0;
-+ if (!FIPS_selftest_hmac())
-+ rv = 0;
-+ if (!FIPS_selftest_cmac())
-+ rv = 0;
-+ if (!FIPS_selftest_aes())
-+ rv = 0;
-+ if (!FIPS_selftest_aes_ccm())
-+ rv = 0;
-+ if (!FIPS_selftest_aes_gcm())
-+ rv = 0;
-+ if (!FIPS_selftest_aes_xts())
-+ rv = 0;
-+ if (!FIPS_selftest_des())
-+ rv = 0;
-+ if (!FIPS_selftest_rsa())
-+ rv = 0;
-+ if (!FIPS_selftest_dsa())
-+ rv = 0;
-+ return rv;
-+ }
-+
-+/* Generalized public key test routine. Signs and verifies the data
-+ * supplied in tbs using mesage digest md and setting option digest
-+ * flags md_flags. If the 'kat' parameter is not NULL it will
-+ * additionally check the signature matches it: a known answer test
-+ * The string "fail_str" is used for identification purposes in case
-+ * of failure. If "pkey" is NULL just perform a message digest check.
-+ */
-+
-+int fips_pkey_signature_test(EVP_PKEY *pkey,
-+ const unsigned char *tbs, int tbslen,
-+ const unsigned char *kat, unsigned int katlen,
-+ const EVP_MD *digest, unsigned int md_flags,
-+ const char *fail_str)
-+ {
-+ int ret = 0;
-+ unsigned char sigtmp[256], *sig = sigtmp;
-+ unsigned int siglen;
-+ EVP_MD_CTX mctx;
-+ EVP_MD_CTX_init(&mctx);
-+
-+ if (digest == NULL)
-+ digest = EVP_sha256();
-+
-+ if ((pkey->type == EVP_PKEY_RSA)
-+ && (RSA_size(pkey->pkey.rsa) > sizeof(sigtmp)))
-+ {
-+ sig = OPENSSL_malloc(RSA_size(pkey->pkey.rsa));
-+ if (!sig)
-+ {
-+ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST,ERR_R_MALLOC_FAILURE);
-+ return 0;
-+ }
-+ }
-+
-+ if (tbslen == -1)
-+ tbslen = strlen((char *)tbs);
-+
-+ if (md_flags)
-+ EVP_MD_CTX_set_flags(&mctx, md_flags);
-+
-+ if (!EVP_SignInit_ex(&mctx, digest, NULL))
-+ goto error;
-+ if (!EVP_SignUpdate(&mctx, tbs, tbslen))
-+ goto error;
-+ if (!EVP_SignFinal(&mctx, sig, &siglen, pkey))
-+ goto error;
-+
-+ if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen)))
-+ goto error;
-+
-+ if (!EVP_VerifyInit_ex(&mctx, digest, NULL))
-+ goto error;
-+ if (!EVP_VerifyUpdate(&mctx, tbs, tbslen))
-+ goto error;
-+ ret = EVP_VerifyFinal(&mctx, sig, siglen, pkey);
-+
-+ error:
-+ if (sig != sigtmp)
-+ OPENSSL_free(sig);
-+ EVP_MD_CTX_cleanup(&mctx);
-+ if (ret != 1)
-+ {
-+ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST,FIPS_R_TEST_FAILURE);
-+ if (fail_str)
-+ ERR_add_error_data(2, "Type=", fail_str);
-+ return 0;
-+ }
-+ return 1;
-+ }
-+
-+/* Generalized symmetric cipher test routine. Encrypt data, verify result
-+ * against known answer, decrypt and compare with original plaintext.
-+ */
-+
-+int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
-+ const unsigned char *key,
-+ const unsigned char *iv,
-+ const unsigned char *plaintext,
-+ const unsigned char *ciphertext,
-+ int len)
-+ {
-+ unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE];
-+ unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE];
-+
-+ OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE);
-+ memset(pltmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
-+ memset(citmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
-+
-+ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0)
-+ return 0;
-+ if (EVP_Cipher(ctx, citmp, plaintext, len) <= 0)
-+ return 0;
-+ if (memcmp(citmp, ciphertext, len))
-+ return 0;
-+ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0)
-+ return 0;
-+ if (EVP_Cipher(ctx, pltmp, citmp, len) <= 0)
-+ return 0;
-+ if (memcmp(pltmp, plaintext, len))
-+ return 0;
-+ return 1;
-+ }
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/fips_rand.c.fips openssl-1.0.1j/crypto/fips/fips_rand.c
---- openssl-1.0.1j/crypto/fips/fips_rand.c.fips 2014-10-16 13:19:35.100306446 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_rand.c 2014-10-16 13:19:35.100306446 +0200
-@@ -0,0 +1,457 @@
-+/* ====================================================================
-+ * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+/*
-+ * This is a FIPS approved AES PRNG based on ANSI X9.31 A.2.4.
-+ */
-+#include <openssl/crypto.h>
-+#include "e_os.h"
-+
-+/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't
-+ be defined and gettimeofday() won't be declared with strict compilers
-+ like DEC C in ANSI C mode. */
-+#ifndef _XOPEN_SOURCE_EXTENDED
-+#define _XOPEN_SOURCE_EXTENDED 1
-+#endif
-+
-+#include <openssl/rand.h>
-+#include <openssl/aes.h>
-+#include <openssl/err.h>
-+#include <openssl/fips_rand.h>
-+#if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS))
-+# include <sys/time.h>
-+#endif
-+#if defined(OPENSSL_SYS_VXWORKS)
-+# include <time.h>
-+#endif
-+#include <assert.h>
-+#ifndef OPENSSL_SYS_WIN32
-+# ifdef OPENSSL_UNISTD
-+# include OPENSSL_UNISTD
-+# else
-+# include <unistd.h>
-+# endif
-+#endif
-+#include <string.h>
-+#include <openssl/fips.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+void *OPENSSL_stderr(void);
-+
-+#define AES_BLOCK_LENGTH 16
-+
-+
-+/* AES FIPS PRNG implementation */
-+
-+typedef struct
-+ {
-+ int seeded;
-+ int keyed;
-+ int test_mode;
-+ int second;
-+ int error;
-+ unsigned long counter;
-+ AES_KEY ks;
-+ int vpos;
-+ /* Temporary storage for key if it equals seed length */
-+ unsigned char tmp_key[AES_BLOCK_LENGTH];
-+ unsigned char V[AES_BLOCK_LENGTH];
-+ unsigned char DT[AES_BLOCK_LENGTH];
-+ unsigned char last[AES_BLOCK_LENGTH];
-+ } FIPS_PRNG_CTX;
-+
-+static FIPS_PRNG_CTX sctx;
-+
-+static int fips_prng_fail = 0;
-+
-+void FIPS_x931_stick(int onoff)
-+ {
-+ fips_prng_fail = onoff;
-+ }
-+
-+void FIPS_rng_stick(void)
-+ {
-+ FIPS_x931_stick(1);
-+ }
-+
-+static void fips_rand_prng_reset(FIPS_PRNG_CTX *ctx)
-+ {
-+ ctx->seeded = 0;
-+ ctx->keyed = 0;
-+ ctx->test_mode = 0;
-+ ctx->counter = 0;
-+ ctx->second = 0;
-+ ctx->error = 0;
-+ ctx->vpos = 0;
-+ OPENSSL_cleanse(ctx->V, AES_BLOCK_LENGTH);
-+ OPENSSL_cleanse(&ctx->ks, sizeof(AES_KEY));
-+ }
-+
-+
-+static int fips_set_prng_key(FIPS_PRNG_CTX *ctx,
-+ const unsigned char *key, unsigned int keylen)
-+ {
-+ if (FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_FIPS_SET_PRNG_KEY, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+ if (keylen != 16 && keylen != 24 && keylen != 32)
-+ {
-+ /* error: invalid key size */
-+ return 0;
-+ }
-+ AES_set_encrypt_key(key, keylen << 3, &ctx->ks);
-+ if (keylen == 16)
-+ {
-+ memcpy(ctx->tmp_key, key, 16);
-+ ctx->keyed = 2;
-+ }
-+ else
-+ ctx->keyed = 1;
-+ ctx->seeded = 0;
-+ ctx->second = 0;
-+ return 1;
-+ }
-+
-+static int fips_set_prng_seed(FIPS_PRNG_CTX *ctx,
-+ const unsigned char *seed, unsigned int seedlen)
-+ {
-+ unsigned int i;
-+ if (!ctx->keyed)
-+ return 0;
-+ /* In test mode seed is just supplied data */
-+ if (ctx->test_mode)
-+ {
-+ if (seedlen != AES_BLOCK_LENGTH)
-+ return 0;
-+ memcpy(ctx->V, seed, AES_BLOCK_LENGTH);
-+ ctx->seeded = 1;
-+ return 1;
-+ }
-+ /* Outside test mode XOR supplied data with existing seed */
-+ for (i = 0; i < seedlen; i++)
-+ {
-+ ctx->V[ctx->vpos++] ^= seed[i];
-+ if (ctx->vpos == AES_BLOCK_LENGTH)
-+ {
-+ ctx->vpos = 0;
-+ /* Special case if first seed and key length equals
-+ * block size check key and seed do not match.
-+ */
-+ if (ctx->keyed == 2)
-+ {
-+ if (!memcmp(ctx->tmp_key, ctx->V, 16))
-+ {
-+ RANDerr(RAND_F_FIPS_SET_PRNG_SEED,
-+ RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY);
-+ return 0;
-+ }
-+ OPENSSL_cleanse(ctx->tmp_key, 16);
-+ ctx->keyed = 1;
-+ }
-+ ctx->seeded = 1;
-+ }
-+ }
-+ return 1;
-+ }
-+
-+static int fips_set_test_mode(FIPS_PRNG_CTX *ctx)
-+ {
-+ if (ctx->keyed)
-+ {
-+ RANDerr(RAND_F_FIPS_SET_TEST_MODE,RAND_R_PRNG_KEYED);
-+ return 0;
-+ }
-+ ctx->test_mode = 1;
-+ return 1;
-+ }
-+
-+int FIPS_x931_test_mode(void)
-+ {
-+ return fips_set_test_mode(&sctx);
-+ }
-+
-+int FIPS_rand_test_mode(void)
-+ {
-+ return fips_set_test_mode(&sctx);
-+ }
-+
-+
-+int FIPS_x931_set_dt(unsigned char *dt)
-+ {
-+ if (!sctx.test_mode)
-+ {
-+ RANDerr(RAND_F_FIPS_X931_SET_DT,RAND_R_NOT_IN_TEST_MODE);
-+ return 0;
-+ }
-+ memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
-+ return 1;
-+ }
-+
-+int FIPS_rand_set_dt(unsigned char *dt)
-+ {
-+ if (!sctx.test_mode)
-+ {
-+ RANDerr(RAND_F_FIPS_RAND_SET_DT,RAND_R_NOT_IN_TEST_MODE);
-+ return 0;
-+ }
-+ memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
-+ return 1;
-+ }
-+
-+void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr)
-+ {
-+#ifdef OPENSSL_SYS_WIN32
-+ FILETIME ft;
-+#elif defined(OPENSSL_SYS_VXWORKS)
-+ struct timespec ts;
-+#else
-+ struct timeval tv;
-+#endif
-+
-+#ifndef GETPID_IS_MEANINGLESS
-+ unsigned long pid;
-+#endif
-+
-+#ifdef OPENSSL_SYS_WIN32
-+ GetSystemTimeAsFileTime(&ft);
-+ buf[0] = (unsigned char) (ft.dwHighDateTime & 0xff);
-+ buf[1] = (unsigned char) ((ft.dwHighDateTime >> 8) & 0xff);
-+ buf[2] = (unsigned char) ((ft.dwHighDateTime >> 16) & 0xff);
-+ buf[3] = (unsigned char) ((ft.dwHighDateTime >> 24) & 0xff);
-+ buf[4] = (unsigned char) (ft.dwLowDateTime & 0xff);
-+ buf[5] = (unsigned char) ((ft.dwLowDateTime >> 8) & 0xff);
-+ buf[6] = (unsigned char) ((ft.dwLowDateTime >> 16) & 0xff);
-+ buf[7] = (unsigned char) ((ft.dwLowDateTime >> 24) & 0xff);
-+#elif defined(OPENSSL_SYS_VXWORKS)
-+ clock_gettime(CLOCK_REALTIME, &ts);
-+ buf[0] = (unsigned char) (ts.tv_sec & 0xff);
-+ buf[1] = (unsigned char) ((ts.tv_sec >> 8) & 0xff);
-+ buf[2] = (unsigned char) ((ts.tv_sec >> 16) & 0xff);
-+ buf[3] = (unsigned char) ((ts.tv_sec >> 24) & 0xff);
-+ buf[4] = (unsigned char) (ts.tv_nsec & 0xff);
-+ buf[5] = (unsigned char) ((ts.tv_nsec >> 8) & 0xff);
-+ buf[6] = (unsigned char) ((ts.tv_nsec >> 16) & 0xff);
-+ buf[7] = (unsigned char) ((ts.tv_nsec >> 24) & 0xff);
-+#else
-+ gettimeofday(&tv,NULL);
-+ buf[0] = (unsigned char) (tv.tv_sec & 0xff);
-+ buf[1] = (unsigned char) ((tv.tv_sec >> 8) & 0xff);
-+ buf[2] = (unsigned char) ((tv.tv_sec >> 16) & 0xff);
-+ buf[3] = (unsigned char) ((tv.tv_sec >> 24) & 0xff);
-+ buf[4] = (unsigned char) (tv.tv_usec & 0xff);
-+ buf[5] = (unsigned char) ((tv.tv_usec >> 8) & 0xff);
-+ buf[6] = (unsigned char) ((tv.tv_usec >> 16) & 0xff);
-+ buf[7] = (unsigned char) ((tv.tv_usec >> 24) & 0xff);
-+#endif
-+ buf[8] = (unsigned char) (*pctr & 0xff);
-+ buf[9] = (unsigned char) ((*pctr >> 8) & 0xff);
-+ buf[10] = (unsigned char) ((*pctr >> 16) & 0xff);
-+ buf[11] = (unsigned char) ((*pctr >> 24) & 0xff);
-+
-+ (*pctr)++;
-+
-+
-+#ifndef GETPID_IS_MEANINGLESS
-+ pid=(unsigned long)getpid();
-+ buf[12] = (unsigned char) (pid & 0xff);
-+ buf[13] = (unsigned char) ((pid >> 8) & 0xff);
-+ buf[14] = (unsigned char) ((pid >> 16) & 0xff);
-+ buf[15] = (unsigned char) ((pid >> 24) & 0xff);
-+#endif
-+ }
-+
-+static int fips_rand(FIPS_PRNG_CTX *ctx,
-+ unsigned char *out, unsigned int outlen)
-+ {
-+ unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
-+ unsigned char tmp[AES_BLOCK_LENGTH];
-+ int i;
-+ if (ctx->error)
-+ {
-+ RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR);
-+ return 0;
-+ }
-+ if (!ctx->keyed)
-+ {
-+ RANDerr(RAND_F_FIPS_RAND,RAND_R_NO_KEY_SET);
-+ return 0;
-+ }
-+ if (!ctx->seeded)
-+ {
-+ RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_NOT_SEEDED);
-+ return 0;
-+ }
-+ for (;;)
-+ {
-+ if (!ctx->test_mode)
-+ FIPS_get_timevec(ctx->DT, &ctx->counter);
-+ AES_encrypt(ctx->DT, I, &ctx->ks);
-+ for (i = 0; i < AES_BLOCK_LENGTH; i++)
-+ tmp[i] = I[i] ^ ctx->V[i];
-+ AES_encrypt(tmp, R, &ctx->ks);
-+ for (i = 0; i < AES_BLOCK_LENGTH; i++)
-+ tmp[i] = R[i] ^ I[i];
-+ AES_encrypt(tmp, ctx->V, &ctx->ks);
-+ /* Continuous PRNG test */
-+ if (ctx->second)
-+ {
-+ if (fips_prng_fail)
-+ memcpy(ctx->last, R, AES_BLOCK_LENGTH);
-+ if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH))
-+ {
-+ RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
-+ ctx->error = 1;
-+ fips_set_selftest_fail();
-+ return 0;
-+ }
-+ }
-+ memcpy(ctx->last, R, AES_BLOCK_LENGTH);
-+ if (!ctx->second)
-+ {
-+ ctx->second = 1;
-+ if (!ctx->test_mode)
-+ continue;
-+ }
-+
-+ if (outlen <= AES_BLOCK_LENGTH)
-+ {
-+ memcpy(out, R, outlen);
-+ break;
-+ }
-+
-+ memcpy(out, R, AES_BLOCK_LENGTH);
-+ out += AES_BLOCK_LENGTH;
-+ outlen -= AES_BLOCK_LENGTH;
-+ }
-+ return 1;
-+ }
-+
-+
-+int FIPS_x931_set_key(const unsigned char *key, int keylen)
-+ {
-+ int ret;
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ ret = fips_set_prng_key(&sctx, key, keylen);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ return ret;
-+ }
-+
-+int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen)
-+ {
-+ return FIPS_x931_set_key(key, keylen);
-+ }
-+
-+int FIPS_x931_seed(const void *seed, int seedlen)
-+ {
-+ int ret;
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ ret = fips_set_prng_seed(&sctx, seed, seedlen);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ return ret;
-+ }
-+
-+
-+int FIPS_x931_bytes(unsigned char *out, int count)
-+ {
-+ int ret;
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ ret = fips_rand(&sctx, out, count);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ return ret;
-+ }
-+
-+int FIPS_x931_status(void)
-+ {
-+ int ret;
-+ CRYPTO_r_lock(CRYPTO_LOCK_RAND);
-+ ret = sctx.seeded;
-+ CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
-+ return ret;
-+ }
-+
-+void FIPS_x931_reset(void)
-+ {
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ fips_rand_prng_reset(&sctx);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ }
-+
-+static int fips_do_rand_seed(const void *seed, int seedlen)
-+ {
-+ FIPS_x931_seed(seed, seedlen);
-+ return 1;
-+ }
-+
-+static int fips_do_rand_add(const void *seed, int seedlen,
-+ double add_entropy)
-+ {
-+ FIPS_x931_seed(seed, seedlen);
-+ return 1;
-+ }
-+
-+static const RAND_METHOD rand_x931_meth=
-+ {
-+ fips_do_rand_seed,
-+ FIPS_x931_bytes,
-+ FIPS_x931_reset,
-+ fips_do_rand_add,
-+ FIPS_x931_bytes,
-+ FIPS_x931_status
-+ };
-+
-+const RAND_METHOD *FIPS_x931_method(void)
-+{
-+ return &rand_x931_meth;
-+}
-+
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/fips_rand.h.fips openssl-1.0.1j/crypto/fips/fips_rand.h
---- openssl-1.0.1j/crypto/fips/fips_rand.h.fips 2014-10-16 13:19:35.100306446 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_rand.h 2014-10-16 13:19:35.100306446 +0200
-@@ -0,0 +1,145 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#ifndef HEADER_FIPS_RAND_H
-+#define HEADER_FIPS_RAND_H
-+
-+#include <openssl/aes.h>
-+#include <openssl/evp.h>
-+#include <openssl/hmac.h>
-+#include <openssl/rand.h>
-+
-+#ifdef OPENSSL_FIPS
-+
-+#ifdef __cplusplus
-+extern "C" {
-+#endif
-+
-+int FIPS_x931_set_key(const unsigned char *key, int keylen);
-+int FIPS_x931_seed(const void *buf, int num);
-+int FIPS_x931_bytes(unsigned char *out, int outlen);
-+
-+int FIPS_x931_test_mode(void);
-+void FIPS_x931_reset(void);
-+int FIPS_x931_set_dt(unsigned char *dt);
-+
-+int FIPS_x931_status(void);
-+
-+const RAND_METHOD *FIPS_x931_method(void);
-+
-+typedef struct drbg_ctx_st DRBG_CTX;
-+/* DRBG external flags */
-+/* Flag for CTR mode only: use derivation function ctr_df */
-+#define DRBG_FLAG_CTR_USE_DF 0x1
-+/* PRNG is in test state */
-+#define DRBG_FLAG_TEST 0x2
-+
-+DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags);
-+int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags);
-+int FIPS_drbg_instantiate(DRBG_CTX *dctx,
-+ const unsigned char *pers, size_t perslen);
-+int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin, size_t adinlen);
-+int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
-+ int prediction_resistance,
-+ const unsigned char *adin, size_t adinlen);
-+
-+int FIPS_drbg_uninstantiate(DRBG_CTX *dctx);
-+void FIPS_drbg_free(DRBG_CTX *dctx);
-+
-+int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len),
-+ void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
-+ size_t entropy_blocklen,
-+ size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len),
-+ void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen));
-+
-+int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_adin)(DRBG_CTX *ctx, unsigned char **pout),
-+ void (*cleanup_adin)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
-+ int (*rand_seed_cb)(DRBG_CTX *ctx, const void *buf, int num),
-+ int (*rand_add_cb)(DRBG_CTX *ctx,
-+ const void *buf, int num, double entropy));
-+
-+void *FIPS_drbg_get_app_data(DRBG_CTX *ctx);
-+void FIPS_drbg_set_app_data(DRBG_CTX *ctx, void *app_data);
-+size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx);
-+int FIPS_drbg_get_strength(DRBG_CTX *dctx);
-+void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval);
-+void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval);
-+
-+int FIPS_drbg_health_check(DRBG_CTX *dctx);
-+
-+DRBG_CTX *FIPS_get_default_drbg(void);
-+const RAND_METHOD *FIPS_drbg_method(void);
-+
-+
-+int FIPS_rand_set_method(const RAND_METHOD *meth);
-+const RAND_METHOD *FIPS_rand_get_method(void);
-+
-+void FIPS_rand_set_bits(int nbits);
-+
-+int FIPS_rand_strength(void);
-+
-+/* 1.0.0 compat functions */
-+int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen);
-+int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num);
-+int FIPS_rand_bytes(unsigned char *out, FIPS_RAND_SIZE_T outlen);
-+int FIPS_rand_test_mode(void);
-+void FIPS_rand_reset(void);
-+int FIPS_rand_set_dt(unsigned char *dt);
-+int FIPS_rand_status(void);
-+const RAND_METHOD *FIPS_rand_method(void);
-+
-+#ifdef __cplusplus
-+}
-+#endif
-+#endif
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.1j/crypto/fips/fips_rand_lcl.h
---- openssl-1.0.1j/crypto/fips/fips_rand_lcl.h.fips 2014-10-16 13:19:35.101306469 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_rand_lcl.h 2014-10-16 13:19:35.101306469 +0200
-@@ -0,0 +1,219 @@
-+/* fips/rand/fips_rand_lcl.h */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+typedef struct drbg_hash_ctx_st DRBG_HASH_CTX;
-+typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX;
-+typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX;
-+
-+/* 888 bits from 10.1 table 2 */
-+#define HASH_PRNG_MAX_SEEDLEN 111
-+
-+struct drbg_hash_ctx_st
-+ {
-+ const EVP_MD *md;
-+ EVP_MD_CTX mctx;
-+ unsigned char V[HASH_PRNG_MAX_SEEDLEN];
-+ unsigned char C[HASH_PRNG_MAX_SEEDLEN];
-+ /* Temporary value storage: should always exceed max digest length */
-+ unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN];
-+ };
-+
-+struct drbg_hmac_ctx_st
-+ {
-+ const EVP_MD *md;
-+ HMAC_CTX hctx;
-+ unsigned char K[EVP_MAX_MD_SIZE];
-+ unsigned char V[EVP_MAX_MD_SIZE];
-+ };
-+
-+struct drbg_ctr_ctx_st
-+ {
-+ AES_KEY ks;
-+ size_t keylen;
-+ unsigned char K[32];
-+ unsigned char V[16];
-+ /* Temp variables used by derivation function */
-+ AES_KEY df_ks;
-+ AES_KEY df_kxks;
-+ /* Temporary block storage used by ctr_df */
-+ unsigned char bltmp[16];
-+ size_t bltmp_pos;
-+ unsigned char KX[48];
-+ };
-+
-+/* DRBG internal flags */
-+
-+/* Functions shouldn't call err library */
-+#define DRBG_FLAG_NOERR 0x1
-+/* Custom reseed checking */
-+#define DRBG_CUSTOM_RESEED 0x2
-+
-+/* DRBG status values */
-+/* not initialised */
-+#define DRBG_STATUS_UNINITIALISED 0
-+/* ok and ready to generate random bits */
-+#define DRBG_STATUS_READY 1
-+/* reseed required */
-+#define DRBG_STATUS_RESEED 2
-+/* fatal error condition */
-+#define DRBG_STATUS_ERROR 3
-+
-+/* A default maximum length: larger than any reasonable value used in pratice */
-+
-+#define DRBG_MAX_LENGTH 0x7ffffff0
-+/* Maximum DRBG block length: all md sizes are bigger than cipher blocks sizes
-+ * so use max digest length.
-+ */
-+#define DRBG_MAX_BLOCK EVP_MAX_MD_SIZE
-+
-+#define DRBG_HEALTH_INTERVAL (1 << 24)
-+
-+/* DRBG context structure */
-+
-+struct drbg_ctx_st
-+ {
-+ /* First types common to all implementations */
-+ /* DRBG type: a NID for the underlying algorithm */
-+ int type;
-+ /* Various external flags */
-+ unsigned int xflags;
-+ /* Various internal use only flags */
-+ unsigned int iflags;
-+ /* Used for periodic health checks */
-+ int health_check_cnt, health_check_interval;
-+
-+ /* The following parameters are setup by mechanism drbg_init() call */
-+ int strength;
-+ size_t blocklength;
-+ size_t max_request;
-+
-+ size_t min_entropy, max_entropy;
-+ size_t min_nonce, max_nonce;
-+ size_t max_pers, max_adin;
-+ unsigned int reseed_counter;
-+ unsigned int reseed_interval;
-+ size_t seedlen;
-+ int status;
-+ /* Application data: typically used by test get_entropy */
-+ void *app_data;
-+ /* Implementation specific structures */
-+ union
-+ {
-+ DRBG_HASH_CTX hash;
-+ DRBG_HMAC_CTX hmac;
-+ DRBG_CTR_CTX ctr;
-+ } d;
-+ /* Initialiase PRNG and setup callbacks below */
-+ int (*init)(DRBG_CTX *ctx, int nid, int security, unsigned int flags);
-+ /* Intantiate PRNG */
-+ int (*instantiate)(DRBG_CTX *ctx,
-+ const unsigned char *ent, size_t entlen,
-+ const unsigned char *nonce, size_t noncelen,
-+ const unsigned char *pers, size_t perslen);
-+ /* reseed */
-+ int (*reseed)(DRBG_CTX *ctx,
-+ const unsigned char *ent, size_t entlen,
-+ const unsigned char *adin, size_t adinlen);
-+ /* generat output */
-+ int (*generate)(DRBG_CTX *ctx,
-+ unsigned char *out, size_t outlen,
-+ const unsigned char *adin, size_t adinlen);
-+ /* uninstantiate */
-+ int (*uninstantiate)(DRBG_CTX *ctx);
-+
-+ /* Entropy source block length */
-+ size_t entropy_blocklen;
-+
-+ /* entropy gathering function */
-+ size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len);
-+ /* Indicates we have finished with entropy buffer */
-+ void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen);
-+
-+ /* nonce gathering function */
-+ size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len);
-+ /* Indicates we have finished with nonce buffer */
-+ void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen);
-+
-+ /* Continuous random number test temporary area */
-+ /* Last block */
-+ unsigned char lb[EVP_MAX_MD_SIZE];
-+ /* set if lb is valid */
-+ int lb_valid;
-+
-+ /* Callbacks used when called through RAND interface */
-+ /* Get any additional input for generate */
-+ size_t (*get_adin)(DRBG_CTX *ctx, unsigned char **pout);
-+ void (*cleanup_adin)(DRBG_CTX *ctx, unsigned char *out, size_t olen);
-+ /* Callback for RAND_seed(), RAND_add() */
-+ int (*rand_seed_cb)(DRBG_CTX *ctx, const void *buf, int num);
-+ int (*rand_add_cb)(DRBG_CTX *ctx,
-+ const void *buf, int num, double entropy);
-+ };
-+
-+
-+int fips_drbg_ctr_init(DRBG_CTX *dctx);
-+int fips_drbg_hash_init(DRBG_CTX *dctx);
-+int fips_drbg_hmac_init(DRBG_CTX *dctx);
-+int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags);
-+int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out);
-+
-+const struct env_md_st *FIPS_get_digestbynid(int nid);
-+
-+const struct evp_cipher_st *FIPS_get_cipherbynid(int nid);
-+
-+#define FIPS_digestinit EVP_DigestInit
-+#define FIPS_digestupdate EVP_DigestUpdate
-+#define FIPS_digestfinal EVP_DigestFinal
-+#define M_EVP_MD_size EVP_MD_size
-diff -up openssl-1.0.1j/crypto/fips/fips_rand_lib.c.fips openssl-1.0.1j/crypto/fips/fips_rand_lib.c
---- openssl-1.0.1j/crypto/fips/fips_rand_lib.c.fips 2014-10-16 13:19:35.101306469 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_rand_lib.c 2014-10-16 13:19:35.101306469 +0200
-@@ -0,0 +1,191 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <openssl/crypto.h>
-+#include <openssl/rand.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+#include <openssl/fips_rand.h>
-+#include "e_os.h"
-+
-+/* FIPS API for PRNG use. Similar to RAND functionality but without
-+ * ENGINE and additional checking for non-FIPS rand methods.
-+ */
-+
-+static const RAND_METHOD *fips_rand_meth = NULL;
-+static int fips_approved_rand_meth = 0;
-+static int fips_rand_bits = 0;
-+
-+/* Allows application to override number of bits and uses non-FIPS methods */
-+void FIPS_rand_set_bits(int nbits)
-+ {
-+ fips_rand_bits = nbits;
-+ }
-+
-+int FIPS_rand_set_method(const RAND_METHOD *meth)
-+ {
-+ if (!fips_rand_bits)
-+ {
-+ if (meth == FIPS_drbg_method())
-+ fips_approved_rand_meth = 1;
-+ else if (meth == FIPS_x931_method())
-+ fips_approved_rand_meth = 2;
-+ else
-+ {
-+ fips_approved_rand_meth = 0;
-+ if (FIPS_module_mode())
-+ {
-+ FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD,
-+ FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ }
-+ }
-+ fips_rand_meth = meth;
-+ return 1;
-+ }
-+
-+const RAND_METHOD *FIPS_rand_get_method(void)
-+ {
-+ return fips_rand_meth;
-+ }
-+
-+const RAND_METHOD *FIPS_rand_method(void)
-+ {
-+ return FIPS_rand_get_method();
-+ }
-+
-+void FIPS_rand_reset(void)
-+ {
-+ if (fips_rand_meth && fips_rand_meth->cleanup)
-+ fips_rand_meth->cleanup();
-+ }
-+
-+int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num)
-+ {
-+ if (!fips_approved_rand_meth && FIPS_module_mode())
-+ {
-+ FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->seed)
-+ fips_rand_meth->seed(buf,num);
-+ return 1;
-+ }
-+
-+void FIPS_rand_add(const void *buf, int num, double entropy)
-+ {
-+ if (!fips_approved_rand_meth && FIPS_module_mode())
-+ {
-+ FIPSerr(FIPS_F_FIPS_RAND_ADD, FIPS_R_NON_FIPS_METHOD);
-+ return;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->add)
-+ fips_rand_meth->add(buf,num,entropy);
-+ }
-+
-+int FIPS_rand_bytes(unsigned char *buf, FIPS_RAND_SIZE_T num)
-+ {
-+ if (!fips_approved_rand_meth && FIPS_module_mode())
-+ {
-+ FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->bytes)
-+ return fips_rand_meth->bytes(buf,num);
-+ return 0;
-+ }
-+
-+int FIPS_rand_pseudo_bytes(unsigned char *buf, int num)
-+ {
-+ if (!fips_approved_rand_meth && FIPS_module_mode())
-+ {
-+ FIPSerr(FIPS_F_FIPS_RAND_PSEUDO_BYTES, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->pseudorand)
-+ return fips_rand_meth->pseudorand(buf,num);
-+ return -1;
-+ }
-+
-+int FIPS_rand_status(void)
-+ {
-+ if (!fips_approved_rand_meth && FIPS_module_mode())
-+ {
-+ FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->status)
-+ return fips_rand_meth->status();
-+ return 0;
-+ }
-+
-+/* Return instantiated strength of PRNG. For DRBG this is an internal
-+ * parameter. For X9.31 PRNG it is 80 bits (from SP800-131). Any other
-+ * type of PRNG is not approved and returns 0 in FIPS mode and maximum
-+ * 256 outside FIPS mode.
-+ */
-+
-+int FIPS_rand_strength(void)
-+ {
-+ if (fips_rand_bits)
-+ return fips_rand_bits;
-+ if (fips_approved_rand_meth == 1)
-+ return FIPS_drbg_get_strength(FIPS_get_default_drbg());
-+ else if (fips_approved_rand_meth == 2)
-+ return 80;
-+ else if (fips_approved_rand_meth == 0)
-+ {
-+ if (FIPS_module_mode())
-+ return 0;
-+ else
-+ return 256;
-+ }
-+ return 0;
-+ }
-diff -up openssl-1.0.1j/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.1j/crypto/fips/fips_rand_selftest.c
---- openssl-1.0.1j/crypto/fips/fips_rand_selftest.c.fips 2014-10-16 13:19:35.101306469 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_rand_selftest.c 2014-10-16 13:19:35.101306469 +0200
-@@ -0,0 +1,183 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+
-+
-+typedef struct
-+ {
-+ unsigned char DT[16];
-+ unsigned char V[16];
-+ unsigned char R[16];
-+ } AES_PRNG_TV;
-+
-+/* The following test vectors are taken directly from the RGNVS spec */
-+
-+static unsigned char aes_128_key[16] =
-+ {0xf3,0xb1,0x66,0x6d,0x13,0x60,0x72,0x42,
-+ 0xed,0x06,0x1c,0xab,0xb8,0xd4,0x62,0x02};
-+
-+static AES_PRNG_TV aes_128_tv =
-+ {
-+ /* DT */
-+ {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
-+ 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xf9},
-+ /* V */
-+ {0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-+ /* R */
-+ {0x59,0x53,0x1e,0xd1,0x3b,0xb0,0xc0,0x55,
-+ 0x84,0x79,0x66,0x85,0xc1,0x2f,0x76,0x41}
-+ };
-+
-+static unsigned char aes_192_key[24] =
-+ {0x15,0xd8,0x78,0x0d,0x62,0xd3,0x25,0x6e,
-+ 0x44,0x64,0x10,0x13,0x60,0x2b,0xa9,0xbc,
-+ 0x4a,0xfb,0xca,0xeb,0x4c,0x8b,0x99,0x3b};
-+
-+static AES_PRNG_TV aes_192_tv =
-+ {
-+ /* DT */
-+ {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
-+ 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4b},
-+ /* V */
-+ {0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-+ /* R */
-+ {0x17,0x07,0xd5,0x28,0x19,0x79,0x1e,0xef,
-+ 0xa5,0x0c,0xbf,0x25,0xe5,0x56,0xb4,0x93}
-+ };
-+
-+static unsigned char aes_256_key[32] =
-+ {0x6d,0x14,0x06,0x6c,0xb6,0xd8,0x21,0x2d,
-+ 0x82,0x8d,0xfa,0xf2,0x7a,0x03,0xb7,0x9f,
-+ 0x0c,0xc7,0x3e,0xcd,0x76,0xeb,0xee,0xb5,
-+ 0x21,0x05,0x8c,0x4f,0x31,0x7a,0x80,0xbb};
-+
-+static AES_PRNG_TV aes_256_tv =
-+ {
-+ /* DT */
-+ {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
-+ 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x88},
-+ /* V */
-+ {0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-+ /* R */
-+ {0x35,0xc7,0xef,0xa7,0x78,0x4d,0x29,0xbc,
-+ 0x82,0x79,0x99,0xfb,0xd0,0xb3,0x3b,0x72}
-+ };
-+
-+void FIPS_corrupt_rng()
-+ {
-+ aes_192_tv.V[0]++;
-+ }
-+
-+#define fips_x931_test(key, tv) \
-+ do_x931_test(key, sizeof key, &tv)
-+
-+static int do_x931_test(unsigned char *key, int keylen,
-+ AES_PRNG_TV *tv)
-+ {
-+ unsigned char R[16], V[16];
-+ int rv = 1;
-+ memcpy(V, tv->V, sizeof(V));
-+ if (!FIPS_x931_set_key(key, keylen))
-+ return 0;
-+ if (!fips_post_started(FIPS_TEST_X931, keylen, NULL))
-+ return 1;
-+ if (!fips_post_corrupt(FIPS_TEST_X931, keylen, NULL))
-+ V[0]++;
-+ FIPS_x931_seed(V, 16);
-+ FIPS_x931_set_dt(tv->DT);
-+ FIPS_x931_bytes(R, 16);
-+ if (memcmp(R, tv->R, 16))
-+ {
-+ fips_post_failed(FIPS_TEST_X931, keylen, NULL);
-+ rv = 0;
-+ }
-+ else if (!fips_post_success(FIPS_TEST_X931, keylen, NULL))
-+ return 0;
-+ return rv;
-+ }
-+
-+int FIPS_selftest_x931()
-+ {
-+ int rv = 1;
-+ FIPS_x931_reset();
-+ if (!FIPS_x931_test_mode())
-+ {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_X931,FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+ if (!fips_x931_test(aes_128_key,aes_128_tv))
-+ rv = 0;
-+ if (!fips_x931_test(aes_192_key, aes_192_tv))
-+ rv = 0;
-+ if (!fips_x931_test(aes_256_key, aes_256_tv))
-+ rv = 0;
-+ FIPS_x931_reset();
-+ if (!rv)
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_X931,FIPS_R_SELFTEST_FAILED);
-+ return rv;
-+ }
-+
-+int FIPS_selftest_rng(void)
-+ {
-+ return FIPS_selftest_x931();
-+ }
-+
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/fips_randtest.c.fips openssl-1.0.1j/crypto/fips/fips_randtest.c
---- openssl-1.0.1j/crypto/fips/fips_randtest.c.fips 2014-10-16 13:19:35.101306469 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_randtest.c 2014-10-16 13:19:35.101306469 +0200
-@@ -0,0 +1,250 @@
-+/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay at cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ *
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to. The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
-+ *
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * "This product includes cryptographic software written by
-+ * Eric Young (eay at cryptsoft.com)"
-+ * The word 'cryptographic' can be left out if the rouines from the library
-+ * being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from
-+ * the apps directory (application code) you must include an acknowledgement:
-+ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed. i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <ctype.h>
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+
-+#include "e_os.h"
-+
-+#ifndef OPENSSL_FIPS
-+int main(int argc, char *argv[])
-+{
-+ printf("No FIPS RAND support\n");
-+ return(0);
-+}
-+
-+#else
-+
-+#include "fips_utl.h"
-+#include <openssl/fips.h>
-+
-+typedef struct
-+ {
-+ unsigned char DT[16];
-+ unsigned char V[16];
-+ unsigned char R[16];
-+ } AES_PRNG_MCT;
-+
-+static const unsigned char aes_128_mct_key[16] =
-+ {0x9f,0x5b,0x51,0x20,0x0b,0xf3,0x34,0xb5,
-+ 0xd8,0x2b,0xe8,0xc3,0x72,0x55,0xc8,0x48};
-+
-+static const AES_PRNG_MCT aes_128_mct_tv = {
-+ /* DT */
-+ {0x63,0x76,0xbb,0xe5,0x29,0x02,0xba,0x3b,
-+ 0x67,0xc9,0x25,0xfa,0x70,0x1f,0x11,0xac},
-+ /* V */
-+ {0x57,0x2c,0x8e,0x76,0x87,0x26,0x47,0x97,
-+ 0x7e,0x74,0xfb,0xdd,0xc4,0x95,0x01,0xd1},
-+ /* R */
-+ {0x48,0xe9,0xbd,0x0d,0x06,0xee,0x18,0xfb,
-+ 0xe4,0x57,0x90,0xd5,0xc3,0xfc,0x9b,0x73}
-+};
-+
-+static const unsigned char aes_192_mct_key[24] =
-+ {0xb7,0x6c,0x34,0xd1,0x09,0x67,0xab,0x73,
-+ 0x4d,0x5a,0xd5,0x34,0x98,0x16,0x0b,0x91,
-+ 0xbc,0x35,0x51,0x16,0x6b,0xae,0x93,0x8a};
-+
-+static const AES_PRNG_MCT aes_192_mct_tv = {
-+ /* DT */
-+ {0x84,0xce,0x22,0x7d,0x91,0x5a,0xa3,0xc9,
-+ 0x84,0x3c,0x0a,0xb3,0xa9,0x63,0x15,0x52},
-+ /* V */
-+ {0xb6,0xaf,0xe6,0x8f,0x99,0x9e,0x90,0x64,
-+ 0xdd,0xc7,0x7a,0xc1,0xbb,0x90,0x3a,0x6d},
-+ /* R */
-+ {0xfc,0x85,0x60,0x9a,0x29,0x6f,0xef,0x21,
-+ 0xdd,0x86,0x20,0x32,0x8a,0x29,0x6f,0x47}
-+};
-+
-+static const unsigned char aes_256_mct_key[32] =
-+ {0x9b,0x05,0xc8,0x68,0xff,0x47,0xf8,0x3a,
-+ 0xa6,0x3a,0xa8,0xcb,0x4e,0x71,0xb2,0xe0,
-+ 0xb8,0x7e,0xf1,0x37,0xb6,0xb4,0xf6,0x6d,
-+ 0x86,0x32,0xfc,0x1f,0x5e,0x1d,0x1e,0x50};
-+
-+static const AES_PRNG_MCT aes_256_mct_tv = {
-+ /* DT */
-+ {0x31,0x6e,0x35,0x9a,0xb1,0x44,0xf0,0xee,
-+ 0x62,0x6d,0x04,0x46,0xe0,0xa3,0x92,0x4c},
-+ /* V */
-+ {0x4f,0xcd,0xc1,0x87,0x82,0x1f,0x4d,0xa1,
-+ 0x3e,0x0e,0x56,0x44,0x59,0xe8,0x83,0xca},
-+ /* R */
-+ {0xc8,0x87,0xc2,0x61,0x5b,0xd0,0xb9,0xe1,
-+ 0xe7,0xf3,0x8b,0xd7,0x5b,0xd5,0xf1,0x8d}
-+};
-+
-+static void dump(const unsigned char *b,int n)
-+ {
-+ while(n-- > 0)
-+ {
-+ printf(" %02x",*b++);
-+ }
-+ }
-+
-+static void compare(const unsigned char *result,const unsigned char *expected,
-+ int n)
-+ {
-+ int i;
-+
-+ for(i=0 ; i < n ; ++i)
-+ if(result[i] != expected[i])
-+ {
-+ puts("Random test failed, got:");
-+ dump(result,n);
-+ puts("\n expected:");
-+ dump(expected,n);
-+ putchar('\n');
-+ EXIT(1);
-+ }
-+ }
-+
-+
-+static void run_test(const unsigned char *key, int keylen,
-+ const AES_PRNG_MCT *tv)
-+ {
-+ unsigned char buf[16], dt[16];
-+ int i, j;
-+ FIPS_x931_reset();
-+ FIPS_x931_test_mode();
-+ FIPS_x931_set_key(key, keylen);
-+ FIPS_x931_seed(tv->V, 16);
-+ memcpy(dt, tv->DT, 16);
-+ for (i = 0; i < 10000; i++)
-+ {
-+ FIPS_x931_set_dt(dt);
-+ FIPS_x931_bytes(buf, 16);
-+ /* Increment DT */
-+ for (j = 15; j >= 0; j--)
-+ {
-+ dt[j]++;
-+ if (dt[j])
-+ break;
-+ }
-+ }
-+
-+ compare(buf,tv->R, 16);
-+ }
-+
-+int main()
-+ {
-+ run_test(aes_128_mct_key, 16, &aes_128_mct_tv);
-+ printf("FIPS PRNG test 1 done\n");
-+ run_test(aes_192_mct_key, 24, &aes_192_mct_tv);
-+ printf("FIPS PRNG test 2 done\n");
-+ run_test(aes_256_mct_key, 32, &aes_256_mct_tv);
-+ printf("FIPS PRNG test 3 done\n");
-+ return 0;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.1j/crypto/fips/fips_rsa_selftest.c
---- openssl-1.0.1j/crypto/fips/fips_rsa_selftest.c.fips 2014-10-16 13:19:35.102306491 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_rsa_selftest.c 2014-10-16 13:19:35.102306491 +0200
-@@ -0,0 +1,444 @@
-+/* ====================================================================
-+ * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+#include <openssl/rsa.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+#include <openssl/opensslconf.h>
-+
-+#ifdef OPENSSL_FIPS
-+
-+static const unsigned char n[] =
-+"\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
-+"\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
-+"\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD"
-+"\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80"
-+"\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25"
-+"\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39"
-+"\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68"
-+"\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD"
-+"\xCB";
-+
-+static int corrupt_rsa;
-+
-+static int setrsakey(RSA *key)
-+ {
-+ static const unsigned char e[] = "\x11";
-+
-+ static const unsigned char d[] =
-+"\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD"
-+"\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41"
-+"\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69"
-+"\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA"
-+"\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94"
-+"\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A"
-+"\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
-+"\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
-+"\xC1";
-+
-+ static const unsigned char p[] =
-+"\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
-+"\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
-+"\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
-+"\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
-+"\x99";
-+
-+ static const unsigned char q[] =
-+"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
-+"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
-+"\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
-+"\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
-+"\x03";
-+
-+ static const unsigned char dmp1[] =
-+"\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
-+"\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
-+"\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
-+"\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81";
-+
-+ static const unsigned char dmq1[] =
-+"\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
-+"\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
-+"\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
-+"\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D";
-+
-+ static const unsigned char iqmp[] =
-+"\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
-+"\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
-+"\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
-+"\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
-+"\xF7";
-+
-+ key->n = BN_bin2bn(n, sizeof(n)-1, key->n);
-+ if (corrupt_rsa)
-+ BN_set_bit(key->n, 1024);
-+ key->e = BN_bin2bn(e, sizeof(e)-1, key->e);
-+ key->d = BN_bin2bn(d, sizeof(d)-1, key->d);
-+ key->p = BN_bin2bn(p, sizeof(p)-1, key->p);
-+ key->q = BN_bin2bn(q, sizeof(q)-1, key->q);
-+ key->dmp1 = BN_bin2bn(dmp1, sizeof(dmp1)-1, key->dmp1);
-+ key->dmq1 = BN_bin2bn(dmq1, sizeof(dmq1)-1, key->dmq1);
-+ key->iqmp = BN_bin2bn(iqmp, sizeof(iqmp)-1, key->iqmp);
-+ return 1;
-+ }
-+
-+void FIPS_corrupt_rsa()
-+ {
-+ corrupt_rsa = 1;
-+ }
-+
-+/* Known Answer Test (KAT) data for the above RSA private key signing
-+ * kat_tbs.
-+ */
-+
-+static const unsigned char kat_tbs[] = "OpenSSL FIPS 140-2 Public Key RSA KAT";
-+
-+static const unsigned char kat_RSA_PSS_SHA1[] = {
-+ 0x2D, 0xAF, 0x6E, 0xC2, 0x98, 0xFB, 0x8A, 0xA1, 0xB9, 0x46, 0xDA, 0x0F,
-+ 0x01, 0x1E, 0x37, 0x93, 0xC2, 0x55, 0x27, 0xE4, 0x1D, 0xD2, 0x90, 0xBB,
-+ 0xF4, 0xBF, 0x4A, 0x74, 0x39, 0x51, 0xBB, 0xE8, 0x0C, 0xB7, 0xF8, 0xD3,
-+ 0xD1, 0xDF, 0xE7, 0xBE, 0x80, 0x05, 0xC3, 0xB5, 0xC7, 0x83, 0xD5, 0x4C,
-+ 0x7F, 0x49, 0xFB, 0x3F, 0x29, 0x9B, 0xE1, 0x12, 0x51, 0x60, 0xD0, 0xA7,
-+ 0x0D, 0xA9, 0x28, 0x56, 0x73, 0xD9, 0x07, 0xE3, 0x5E, 0x3F, 0x9B, 0xF5,
-+ 0xB6, 0xF3, 0xF2, 0x5E, 0x74, 0xC9, 0x83, 0x81, 0x47, 0xF0, 0xC5, 0x45,
-+ 0x0A, 0xE9, 0x8E, 0x38, 0xD7, 0x18, 0xC6, 0x2A, 0x0F, 0xF8, 0xB7, 0x31,
-+ 0xD6, 0x55, 0xE4, 0x66, 0x78, 0x81, 0xD4, 0xE6, 0xDB, 0x9F, 0xBA, 0xE8,
-+ 0x23, 0xB5, 0x7F, 0xDC, 0x08, 0xEA, 0xD5, 0x26, 0x1E, 0x20, 0x25, 0x84,
-+ 0x26, 0xC6, 0x79, 0xC9, 0x9B, 0x3D, 0x7E, 0xA9
-+};
-+
-+static const unsigned char kat_RSA_PSS_SHA224[] = {
-+ 0x39, 0x4A, 0x6A, 0x20, 0xBC, 0xE9, 0x33, 0xED, 0xEF, 0xC5, 0x58, 0xA7,
-+ 0xFE, 0x81, 0xC4, 0x36, 0x50, 0x9A, 0x2C, 0x82, 0x98, 0x08, 0x95, 0xFA,
-+ 0xB1, 0x9E, 0xD2, 0x55, 0x61, 0x87, 0x21, 0x59, 0x87, 0x7B, 0x1F, 0x57,
-+ 0x30, 0x9D, 0x0D, 0x4A, 0x06, 0xEB, 0x52, 0x37, 0x55, 0x54, 0x1C, 0x89,
-+ 0x83, 0x75, 0x59, 0x65, 0x64, 0x90, 0x2E, 0x16, 0xCC, 0x86, 0x05, 0xEE,
-+ 0xB1, 0xE6, 0x7B, 0xBA, 0x16, 0x75, 0x0D, 0x0C, 0x64, 0x0B, 0xAB, 0x22,
-+ 0x15, 0x78, 0x6B, 0x6F, 0xA4, 0xFB, 0x77, 0x40, 0x64, 0x62, 0xD1, 0xB5,
-+ 0x37, 0x1E, 0xE0, 0x3D, 0xA8, 0xF9, 0xD2, 0xBD, 0xAA, 0x38, 0x24, 0x49,
-+ 0x58, 0xD2, 0x74, 0x85, 0xF4, 0xB5, 0x93, 0x8E, 0xF5, 0x03, 0xEA, 0x2D,
-+ 0xC8, 0x52, 0xFA, 0xCF, 0x7E, 0x35, 0xB0, 0x6A, 0xAF, 0x95, 0xC0, 0x00,
-+ 0x54, 0x76, 0x3D, 0x0C, 0x9C, 0xB2, 0xEE, 0xC0
-+};
-+
-+static const unsigned char kat_RSA_PSS_SHA256[] = {
-+ 0x6D, 0x3D, 0xBE, 0x8F, 0x60, 0x6D, 0x25, 0x14, 0xF0, 0x31, 0xE3, 0x89,
-+ 0x00, 0x97, 0xFA, 0x99, 0x71, 0x28, 0xE5, 0x10, 0x25, 0x9A, 0xF3, 0x8F,
-+ 0x7B, 0xC5, 0xA8, 0x4A, 0x74, 0x51, 0x36, 0xE2, 0x8D, 0x7D, 0x73, 0x28,
-+ 0xC1, 0x77, 0xC6, 0x27, 0x97, 0x00, 0x8B, 0x00, 0xA3, 0x96, 0x73, 0x4E,
-+ 0x7D, 0x2E, 0x2C, 0x34, 0x68, 0x8C, 0x8E, 0xDF, 0x9D, 0x49, 0x47, 0x05,
-+ 0xAB, 0xF5, 0x01, 0xD6, 0x81, 0x47, 0x70, 0xF5, 0x1D, 0x6D, 0x26, 0xBA,
-+ 0x2F, 0x7A, 0x54, 0x53, 0x4E, 0xED, 0x71, 0xD9, 0x5A, 0xF3, 0xDA, 0xB6,
-+ 0x0B, 0x47, 0x34, 0xAF, 0x90, 0xDC, 0xC8, 0xD9, 0x6F, 0x56, 0xCD, 0x9F,
-+ 0x21, 0xB7, 0x7E, 0xAD, 0x7C, 0x2F, 0x75, 0x50, 0x47, 0x12, 0xE4, 0x6D,
-+ 0x5F, 0xB7, 0x01, 0xDF, 0xC3, 0x11, 0x6C, 0xA9, 0x9E, 0x49, 0xB9, 0xF6,
-+ 0x72, 0xF4, 0xF6, 0xEF, 0x88, 0x1E, 0x2D, 0x1C
-+};
-+
-+static const unsigned char kat_RSA_PSS_SHA384[] = {
-+ 0x40, 0xFB, 0xA1, 0x21, 0xF4, 0xB2, 0x40, 0x9A, 0xB4, 0x31, 0xA8, 0xF2,
-+ 0xEC, 0x1C, 0xC4, 0xC8, 0x7C, 0x22, 0x65, 0x9C, 0x57, 0x45, 0xCD, 0x5E,
-+ 0x86, 0x00, 0xF7, 0x25, 0x78, 0xDE, 0xDC, 0x7A, 0x71, 0x44, 0x9A, 0xCD,
-+ 0xAA, 0x25, 0xF4, 0xB2, 0xFC, 0xF0, 0x75, 0xD9, 0x2F, 0x78, 0x23, 0x7F,
-+ 0x6F, 0x02, 0xEF, 0xC1, 0xAF, 0xA6, 0x28, 0x16, 0x31, 0xDC, 0x42, 0x6C,
-+ 0xB2, 0x44, 0xE5, 0x4D, 0x66, 0xA2, 0xE6, 0x71, 0xF3, 0xAC, 0x4F, 0xFB,
-+ 0x91, 0xCA, 0xF5, 0x70, 0xEF, 0x6B, 0x9D, 0xA4, 0xEF, 0xD9, 0x3D, 0x2F,
-+ 0x3A, 0xBE, 0x89, 0x38, 0x59, 0x01, 0xBA, 0xDA, 0x32, 0xAD, 0x42, 0x89,
-+ 0x98, 0x8B, 0x39, 0x44, 0xF0, 0xFC, 0x38, 0xAC, 0x87, 0x1F, 0xCA, 0x6F,
-+ 0x48, 0xF6, 0xAE, 0xD7, 0x45, 0xEE, 0xAE, 0x88, 0x0E, 0x60, 0xF4, 0x55,
-+ 0x48, 0x44, 0xEE, 0x1F, 0x90, 0x18, 0x4B, 0xF1
-+};
-+
-+static const unsigned char kat_RSA_PSS_SHA512[] = {
-+ 0x07, 0x1E, 0xD8, 0xD5, 0x05, 0xE8, 0xE6, 0xE6, 0x57, 0xAE, 0x63, 0x8C,
-+ 0xC6, 0x83, 0xB7, 0xA0, 0x59, 0xBB, 0xF2, 0xC6, 0x8F, 0x12, 0x53, 0x9A,
-+ 0x9B, 0x54, 0x9E, 0xB3, 0xC1, 0x1D, 0x23, 0x4D, 0x51, 0xED, 0x9E, 0xDD,
-+ 0x4B, 0xF3, 0x46, 0x9B, 0x6B, 0xF6, 0x7C, 0x24, 0x60, 0x79, 0x23, 0x39,
-+ 0x01, 0x1C, 0x51, 0xCB, 0xD8, 0xE9, 0x9A, 0x01, 0x67, 0x5F, 0xFE, 0xD7,
-+ 0x7C, 0xE3, 0x7F, 0xED, 0xDB, 0x87, 0xBB, 0xF0, 0x3D, 0x78, 0x55, 0x61,
-+ 0x57, 0xE3, 0x0F, 0xE3, 0xD2, 0x9D, 0x0C, 0x2A, 0x20, 0xB0, 0x85, 0x13,
-+ 0xC5, 0x47, 0x34, 0x0D, 0x32, 0x15, 0xC8, 0xAE, 0x9A, 0x6A, 0x39, 0x63,
-+ 0x2D, 0x60, 0xF5, 0x4C, 0xDF, 0x8A, 0x48, 0x4B, 0xBF, 0xF4, 0xA8, 0xFE,
-+ 0x76, 0xF2, 0x32, 0x1B, 0x9C, 0x7C, 0xCA, 0xFE, 0x7F, 0x80, 0xC2, 0x88,
-+ 0x5C, 0x97, 0x70, 0xB4, 0x26, 0xC9, 0x14, 0x8B
-+};
-+
-+static const unsigned char kat_RSA_SHA1[] = {
-+ 0x71, 0xEE, 0x1A, 0xC0, 0xFE, 0x01, 0x93, 0x54, 0x79, 0x5C, 0xF2, 0x4C,
-+ 0x4A, 0xFD, 0x1A, 0x05, 0x8F, 0x64, 0xB1, 0x6D, 0x61, 0x33, 0x8D, 0x9B,
-+ 0xE7, 0xFD, 0x60, 0xA3, 0x83, 0xB5, 0xA3, 0x51, 0x55, 0x77, 0x90, 0xCF,
-+ 0xDC, 0x22, 0x37, 0x8E, 0xD0, 0xE1, 0xAE, 0x09, 0xE3, 0x3D, 0x1E, 0xF8,
-+ 0x80, 0xD1, 0x8B, 0xC2, 0xEC, 0x0A, 0xD7, 0x6B, 0x88, 0x8B, 0x8B, 0xA1,
-+ 0x20, 0x22, 0xBE, 0x59, 0x5B, 0xE0, 0x23, 0x24, 0xA1, 0x49, 0x30, 0xBA,
-+ 0xA9, 0x9E, 0xE8, 0xB1, 0x8A, 0x62, 0x16, 0xBF, 0x4E, 0xCA, 0x2E, 0x4E,
-+ 0xBC, 0x29, 0xA8, 0x67, 0x13, 0xB7, 0x9F, 0x1D, 0x04, 0x44, 0xE5, 0x5F,
-+ 0x35, 0x07, 0x11, 0xBC, 0xED, 0x19, 0x37, 0x21, 0xCF, 0x23, 0x48, 0x1F,
-+ 0x72, 0x05, 0xDE, 0xE6, 0xE8, 0x7F, 0x33, 0x8A, 0x76, 0x4B, 0x2F, 0x95,
-+ 0xDF, 0xF1, 0x5F, 0x84, 0x80, 0xD9, 0x46, 0xB4
-+};
-+
-+static const unsigned char kat_RSA_SHA224[] = {
-+ 0x62, 0xAA, 0x79, 0xA9, 0x18, 0x0E, 0x5F, 0x8C, 0xBB, 0xB7, 0x15, 0xF9,
-+ 0x25, 0xBB, 0xFA, 0xD4, 0x3A, 0x34, 0xED, 0x9E, 0xA0, 0xA9, 0x18, 0x8D,
-+ 0x5B, 0x55, 0x9A, 0x7E, 0x1E, 0x08, 0x08, 0x60, 0xC5, 0x1A, 0xC5, 0x89,
-+ 0x08, 0xE2, 0x1B, 0xBD, 0x62, 0x50, 0x17, 0x76, 0x30, 0x2C, 0x9E, 0xCD,
-+ 0xA4, 0x02, 0xAD, 0xB1, 0x6D, 0x44, 0x6D, 0xD5, 0xC6, 0x45, 0x41, 0xE5,
-+ 0xEE, 0x1F, 0x8D, 0x7E, 0x08, 0x16, 0xA6, 0xE1, 0x5E, 0x0B, 0xA9, 0xCC,
-+ 0xDB, 0x59, 0x55, 0x87, 0x09, 0x25, 0x70, 0x86, 0x84, 0x02, 0xC6, 0x3B,
-+ 0x0B, 0x44, 0x4C, 0x46, 0x95, 0xF4, 0xF8, 0x5A, 0x91, 0x28, 0x3E, 0xB2,
-+ 0x58, 0x2E, 0x06, 0x45, 0x49, 0xE0, 0x92, 0xE2, 0xC0, 0x66, 0xE6, 0x35,
-+ 0xD9, 0x79, 0x7F, 0x17, 0x5E, 0x02, 0x73, 0x04, 0x77, 0x82, 0xE6, 0xDC,
-+ 0x40, 0x21, 0x89, 0x8B, 0x37, 0x3E, 0x1E, 0x8D
-+};
-+
-+static const unsigned char kat_RSA_SHA256[] = {
-+ 0x0D, 0x55, 0xE2, 0xAA, 0x81, 0xDB, 0x8E, 0x82, 0x05, 0x17, 0xA5, 0x23,
-+ 0xE7, 0x3B, 0x1D, 0xAF, 0xFB, 0x8C, 0xD0, 0x81, 0x20, 0x7B, 0xAA, 0x23,
-+ 0x92, 0x87, 0x8C, 0xD1, 0x53, 0x85, 0x16, 0xDC, 0xBE, 0xAD, 0x6F, 0x35,
-+ 0x98, 0x2D, 0x69, 0x84, 0xBF, 0xD9, 0x8A, 0x01, 0x17, 0x58, 0xB2, 0x6E,
-+ 0x2C, 0x44, 0x9B, 0x90, 0xF1, 0xFB, 0x51, 0xE8, 0x6A, 0x90, 0x2D, 0x18,
-+ 0x0E, 0xC0, 0x90, 0x10, 0x24, 0xA9, 0x1D, 0xB3, 0x58, 0x7A, 0x91, 0x30,
-+ 0xBE, 0x22, 0xC7, 0xD3, 0xEC, 0xC3, 0x09, 0x5D, 0xBF, 0xE2, 0x80, 0x3A,
-+ 0x7C, 0x85, 0xB4, 0xBC, 0xD1, 0xE9, 0xF0, 0x5C, 0xDE, 0x81, 0xA6, 0x38,
-+ 0xB8, 0x42, 0xBB, 0x86, 0xC5, 0x9D, 0xCE, 0x7C, 0x2C, 0xEE, 0xD1, 0xDA,
-+ 0x27, 0x48, 0x2B, 0xF5, 0xAB, 0xB9, 0xF7, 0x80, 0xD1, 0x90, 0x27, 0x90,
-+ 0xBD, 0x44, 0x97, 0x60, 0xCD, 0x57, 0xC0, 0x7A
-+};
-+
-+static const unsigned char kat_RSA_SHA384[] = {
-+ 0x1D, 0xE3, 0x6A, 0xDD, 0x27, 0x4C, 0xC0, 0xA5, 0x27, 0xEF, 0xE6, 0x1F,
-+ 0xD2, 0x91, 0x68, 0x59, 0x04, 0xAE, 0xBD, 0x99, 0x63, 0x56, 0x47, 0xC7,
-+ 0x6F, 0x22, 0x16, 0x48, 0xD0, 0xF9, 0x18, 0xA9, 0xCA, 0xFA, 0x5D, 0x5C,
-+ 0xA7, 0x65, 0x52, 0x8A, 0xC8, 0x44, 0x7E, 0x86, 0x5D, 0xA9, 0xA6, 0x55,
-+ 0x65, 0x3E, 0xD9, 0x2D, 0x02, 0x38, 0xA8, 0x79, 0x28, 0x7F, 0xB6, 0xCF,
-+ 0x82, 0xDD, 0x7E, 0x55, 0xE1, 0xB1, 0xBC, 0xE2, 0x19, 0x2B, 0x30, 0xC2,
-+ 0x1B, 0x2B, 0xB0, 0x82, 0x46, 0xAC, 0x4B, 0xD1, 0xE2, 0x7D, 0xEB, 0x8C,
-+ 0xFF, 0x95, 0xE9, 0x6A, 0x1C, 0x3D, 0x4D, 0xBF, 0x8F, 0x8B, 0x9C, 0xCD,
-+ 0xEA, 0x85, 0xEE, 0x00, 0xDC, 0x1C, 0xA7, 0xEB, 0xD0, 0x8F, 0x99, 0xF1,
-+ 0x16, 0x28, 0x24, 0x64, 0x04, 0x39, 0x2D, 0x58, 0x1E, 0x37, 0xDC, 0x04,
-+ 0xBD, 0x31, 0xA2, 0x2F, 0xB3, 0x35, 0x56, 0xBF
-+};
-+
-+static const unsigned char kat_RSA_SHA512[] = {
-+ 0x69, 0x52, 0x1B, 0x51, 0x5E, 0x06, 0xCA, 0x9B, 0x16, 0x51, 0x5D, 0xCF,
-+ 0x49, 0x25, 0x4A, 0xA1, 0x6A, 0x77, 0x4C, 0x36, 0x40, 0xF8, 0xB2, 0x9A,
-+ 0x15, 0xEA, 0x5C, 0xE5, 0xE6, 0x82, 0xE0, 0x86, 0x82, 0x6B, 0x32, 0xF1,
-+ 0x04, 0xC1, 0x5A, 0x1A, 0xED, 0x1E, 0x9A, 0xB6, 0x4C, 0x54, 0x9F, 0xD8,
-+ 0x8D, 0xCC, 0xAC, 0x8A, 0xBB, 0x9C, 0x82, 0x3F, 0xA6, 0x53, 0x62, 0xB5,
-+ 0x80, 0xE2, 0xBC, 0xDD, 0x67, 0x2B, 0xD9, 0x3F, 0xE4, 0x75, 0x92, 0x6B,
-+ 0xAF, 0x62, 0x7C, 0x52, 0xF0, 0xEE, 0x33, 0xDF, 0x1B, 0x1D, 0x47, 0xE6,
-+ 0x59, 0x56, 0xA5, 0xB9, 0x5C, 0xE6, 0x77, 0x78, 0x16, 0x63, 0x84, 0x05,
-+ 0x6F, 0x0E, 0x2B, 0x31, 0x9D, 0xF7, 0x7F, 0xB2, 0x64, 0x71, 0xE0, 0x2D,
-+ 0x3E, 0x62, 0xCE, 0xB5, 0x3F, 0x88, 0xDF, 0x2D, 0xAB, 0x98, 0x65, 0x91,
-+ 0xDF, 0x70, 0x14, 0xA5, 0x3F, 0x36, 0xAB, 0x84
-+};
-+
-+static const unsigned char kat_RSA_X931_SHA1[] = {
-+ 0x86, 0xB4, 0x18, 0xBA, 0xD1, 0x80, 0xB6, 0x7C, 0x42, 0x45, 0x4D, 0xDF,
-+ 0xE9, 0x2D, 0xE1, 0x83, 0x5F, 0xB5, 0x2F, 0xC9, 0xCD, 0xC4, 0xB2, 0x75,
-+ 0x80, 0xA4, 0xF1, 0x4A, 0xE7, 0x83, 0x12, 0x1E, 0x1E, 0x14, 0xB8, 0xAC,
-+ 0x35, 0xE2, 0xAA, 0x0B, 0x5C, 0xF8, 0x38, 0x4D, 0x04, 0xEE, 0xA9, 0x97,
-+ 0x70, 0xFB, 0x5E, 0xE7, 0xB7, 0xE3, 0x62, 0x23, 0x4B, 0x38, 0xBE, 0xD6,
-+ 0x53, 0x15, 0xF7, 0xDF, 0x87, 0xB4, 0x0E, 0xCC, 0xB1, 0x1A, 0x11, 0x19,
-+ 0xEE, 0x51, 0xCC, 0x92, 0xDD, 0xBC, 0x63, 0x29, 0x63, 0x0C, 0x59, 0xD7,
-+ 0x6F, 0x4C, 0x3C, 0x37, 0x5B, 0x37, 0x03, 0x61, 0x7D, 0x24, 0x1C, 0x99,
-+ 0x48, 0xAF, 0x82, 0xFE, 0x32, 0x41, 0x9B, 0xB2, 0xDB, 0xEA, 0xED, 0x76,
-+ 0x8E, 0x6E, 0xCA, 0x7E, 0x4E, 0x14, 0xBA, 0x30, 0x84, 0x1C, 0xB3, 0x67,
-+ 0xA3, 0x29, 0x80, 0x70, 0x54, 0x68, 0x7D, 0x49
-+};
-+
-+static const unsigned char kat_RSA_X931_SHA256[] = {
-+ 0x7E, 0xA2, 0x77, 0xFE, 0xB8, 0x54, 0x8A, 0xC7, 0x7F, 0x64, 0x54, 0x89,
-+ 0xE5, 0x52, 0x15, 0x8E, 0x52, 0x96, 0x4E, 0xA6, 0x58, 0x92, 0x1C, 0xDD,
-+ 0xEA, 0xA2, 0x2D, 0x5C, 0xD1, 0x62, 0x00, 0x49, 0x05, 0x95, 0x73, 0xCF,
-+ 0x16, 0x76, 0x68, 0xF6, 0xC6, 0x5E, 0x80, 0xB8, 0xB8, 0x7B, 0xC8, 0x9B,
-+ 0xC6, 0x53, 0x88, 0x26, 0x20, 0x88, 0x73, 0xB6, 0x13, 0xB8, 0xF0, 0x4B,
-+ 0x00, 0x85, 0xF3, 0xDD, 0x07, 0x50, 0xEB, 0x20, 0xC4, 0x38, 0x0E, 0x98,
-+ 0xAD, 0x4E, 0x49, 0x2C, 0xD7, 0x65, 0xA5, 0x19, 0x0E, 0x59, 0x01, 0xEC,
-+ 0x7E, 0x75, 0x89, 0x69, 0x2E, 0x63, 0x76, 0x85, 0x46, 0x8D, 0xA0, 0x8C,
-+ 0x33, 0x1D, 0x82, 0x8C, 0x03, 0xEA, 0x69, 0x88, 0x35, 0xA1, 0x42, 0xBD,
-+ 0x21, 0xED, 0x8D, 0xBC, 0xBC, 0xDB, 0x30, 0xFF, 0x86, 0xF0, 0x5B, 0xDC,
-+ 0xE3, 0xE2, 0xE8, 0x0A, 0x0A, 0x29, 0x94, 0x80
-+};
-+
-+static const unsigned char kat_RSA_X931_SHA384[] = {
-+ 0x5C, 0x7D, 0x96, 0x35, 0xEC, 0x7E, 0x11, 0x38, 0xBB, 0x7B, 0xEC, 0x7B,
-+ 0xF2, 0x82, 0x8E, 0x99, 0xBD, 0xEF, 0xD8, 0xAE, 0xD7, 0x39, 0x37, 0xCB,
-+ 0xE6, 0x4F, 0x5E, 0x0A, 0x13, 0xE4, 0x2E, 0x40, 0xB9, 0xBE, 0x2E, 0xE3,
-+ 0xEF, 0x78, 0x83, 0x18, 0x44, 0x35, 0x9C, 0x8E, 0xD7, 0x4A, 0x63, 0xF6,
-+ 0x57, 0xC2, 0xB0, 0x08, 0x51, 0x73, 0xCF, 0xCA, 0x99, 0x66, 0xEE, 0x31,
-+ 0xD8, 0x69, 0xE9, 0xAB, 0x13, 0x27, 0x7B, 0x41, 0x1E, 0x6D, 0x8D, 0xF1,
-+ 0x3E, 0x9C, 0x35, 0x95, 0x58, 0xDD, 0x2B, 0xD5, 0xA0, 0x60, 0x41, 0x79,
-+ 0x24, 0x22, 0xE4, 0xB7, 0xBF, 0x47, 0x53, 0xF6, 0x34, 0xD5, 0x7C, 0xFF,
-+ 0x0E, 0x09, 0xEE, 0x2E, 0xE2, 0x37, 0xB9, 0xDE, 0xC5, 0x12, 0x44, 0x35,
-+ 0xEF, 0x01, 0xE6, 0x5E, 0x39, 0x31, 0x2D, 0x71, 0xA5, 0xDC, 0xC6, 0x6D,
-+ 0xE2, 0xCD, 0x85, 0xDB, 0x73, 0x82, 0x65, 0x28
-+};
-+
-+static const unsigned char kat_RSA_X931_SHA512[] = {
-+ 0xA6, 0x65, 0xA2, 0x77, 0x4F, 0xB3, 0x86, 0xCB, 0x64, 0x3A, 0xC1, 0x63,
-+ 0xFC, 0xA1, 0xAA, 0xCB, 0x9B, 0x79, 0xDD, 0x4B, 0xE1, 0xD9, 0xDA, 0xAC,
-+ 0xE7, 0x47, 0x09, 0xB2, 0x11, 0x4B, 0x8A, 0xAA, 0x05, 0x9E, 0x77, 0xD7,
-+ 0x3A, 0xBD, 0x5E, 0x53, 0x09, 0x4A, 0xE6, 0x0F, 0x5E, 0xF9, 0x14, 0x28,
-+ 0xA0, 0x99, 0x74, 0x64, 0x70, 0x4E, 0xF2, 0xE3, 0xFA, 0xC7, 0xF8, 0xC5,
-+ 0x6E, 0x2B, 0x79, 0x96, 0x0D, 0x0C, 0xC8, 0x10, 0x34, 0x53, 0xD2, 0xAF,
-+ 0x17, 0x0E, 0xE0, 0xBF, 0x79, 0xF6, 0x04, 0x72, 0x10, 0xE0, 0xF6, 0xD0,
-+ 0xCE, 0x8A, 0x6F, 0xA1, 0x95, 0x89, 0xBF, 0x58, 0x8F, 0x46, 0x5F, 0x09,
-+ 0x9F, 0x09, 0xCA, 0x84, 0x15, 0x85, 0xE0, 0xED, 0x04, 0x2D, 0xFB, 0x7C,
-+ 0x36, 0x35, 0x21, 0x31, 0xC3, 0xFD, 0x92, 0x42, 0x11, 0x30, 0x71, 0x1B,
-+ 0x60, 0x83, 0x18, 0x88, 0xA3, 0xF5, 0x59, 0xC3
-+};
-+
-+
-+int FIPS_selftest_rsa()
-+ {
-+ int ret = 0;
-+ RSA *key;
-+ EVP_PKEY *pk = NULL;
-+
-+ if ((key=RSA_new()) == NULL)
-+ goto err;
-+ setrsakey(key);
-+ if ((pk=EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_assign_RSA(pk, key);
-+
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA1, sizeof(kat_RSA_SHA1),
-+ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA1 PKCS#1"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA224, sizeof(kat_RSA_SHA224),
-+ EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA224 PKCS#1"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA256, sizeof(kat_RSA_SHA256),
-+ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA256 PKCS#1"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA384, sizeof(kat_RSA_SHA384),
-+ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA384 PKCS#1"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA512, sizeof(kat_RSA_SHA512),
-+ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA512 PKCS#1"))
-+ goto err;
-+
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA1, sizeof(kat_RSA_PSS_SHA1),
-+ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS,
-+ "RSA SHA1 PSS"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA224, sizeof(kat_RSA_PSS_SHA224),
-+ EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PSS,
-+ "RSA SHA224 PSS"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA256, sizeof(kat_RSA_PSS_SHA256),
-+ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PSS,
-+ "RSA SHA256 PSS"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA384, sizeof(kat_RSA_PSS_SHA384),
-+ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PSS,
-+ "RSA SHA384 PSS"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA512, sizeof(kat_RSA_PSS_SHA512),
-+ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PSS,
-+ "RSA SHA512 PSS"))
-+ goto err;
-+
-+
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_X931_SHA1, sizeof(kat_RSA_X931_SHA1),
-+ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931,
-+ "RSA SHA1 X931"))
-+ goto err;
-+ /* NB: SHA224 not supported in X9.31 */
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_X931_SHA256, sizeof(kat_RSA_X931_SHA256),
-+ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_X931,
-+ "RSA SHA256 X931"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_X931_SHA384, sizeof(kat_RSA_X931_SHA384),
-+ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_X931,
-+ "RSA SHA384 X931"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_X931_SHA512, sizeof(kat_RSA_X931_SHA512),
-+ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_X931,
-+ "RSA SHA512 X931"))
-+ goto err;
-+
-+
-+ ret = 1;
-+
-+ err:
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+ else if (key)
-+ RSA_free(key);
-+ return ret;
-+ }
-+
-+#endif /* def OPENSSL_FIPS */
-diff -up openssl-1.0.1j/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.1j/crypto/fips/fips_rsa_x931g.c
---- openssl-1.0.1j/crypto/fips/fips_rsa_x931g.c.fips 2014-10-16 13:19:35.102306491 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_rsa_x931g.c 2014-10-16 13:19:35.102306491 +0200
-@@ -0,0 +1,282 @@
-+/* crypto/rsa/rsa_gen.c */
-+/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay at cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ *
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to. The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
-+ *
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * "This product includes cryptographic software written by
-+ * Eric Young (eay at cryptsoft.com)"
-+ * The word 'cryptographic' can be left out if the rouines from the library
-+ * being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from
-+ * the apps directory (application code) you must include an acknowledgement:
-+ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed. i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+
-+#include <stdio.h>
-+#include <string.h>
-+#include <time.h>
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+#include <openssl/rsa.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+
-+extern int fips_check_rsa(RSA *rsa);
-+#endif
-+
-+/* X9.31 RSA key derivation and generation */
-+
-+int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
-+ const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp,
-+ const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq,
-+ const BIGNUM *e, BN_GENCB *cb)
-+ {
-+ BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL;
-+ BN_CTX *ctx=NULL,*ctx2=NULL;
-+
-+ if (!rsa)
-+ goto err;
-+
-+ ctx = BN_CTX_new();
-+ if (!ctx)
-+ goto err;
-+ BN_CTX_start(ctx);
-+
-+ r0 = BN_CTX_get(ctx);
-+ r1 = BN_CTX_get(ctx);
-+ r2 = BN_CTX_get(ctx);
-+ r3 = BN_CTX_get(ctx);
-+
-+ if (r3 == NULL)
-+ goto err;
-+ if (!rsa->e)
-+ {
-+ rsa->e = BN_dup(e);
-+ if (!rsa->e)
-+ goto err;
-+ }
-+ else
-+ e = rsa->e;
-+
-+ /* If not all parameters present only calculate what we can.
-+ * This allows test programs to output selective parameters.
-+ */
-+
-+ if (Xp && !rsa->p)
-+ {
-+ rsa->p = BN_new();
-+ if (!rsa->p)
-+ goto err;
-+
-+ if (!BN_X931_derive_prime_ex(rsa->p, p1, p2,
-+ Xp, Xp1, Xp2, e, ctx, cb))
-+ goto err;
-+ }
-+
-+ if (Xq && !rsa->q)
-+ {
-+ rsa->q = BN_new();
-+ if (!rsa->q)
-+ goto err;
-+ if (!BN_X931_derive_prime_ex(rsa->q, q1, q2,
-+ Xq, Xq1, Xq2, e, ctx, cb))
-+ goto err;
-+ }
-+
-+ if (!rsa->p || !rsa->q)
-+ {
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
-+ return 2;
-+ }
-+
-+ /* Since both primes are set we can now calculate all remaining
-+ * components.
-+ */
-+
-+ /* calculate n */
-+ rsa->n=BN_new();
-+ if (rsa->n == NULL)
-+ goto err;
-+ if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx))
-+ goto err;
-+
-+ /* calculate d */
-+ if (!BN_sub(r1,rsa->p,BN_value_one()))
-+ goto err; /* p-1 */
-+ if (!BN_sub(r2,rsa->q,BN_value_one()))
-+ goto err; /* q-1 */
-+ if (!BN_mul(r0,r1,r2,ctx))
-+ goto err; /* (p-1)(q-1) */
-+
-+ if (!BN_gcd(r3, r1, r2, ctx))
-+ goto err;
-+
-+ if (!BN_div(r0, NULL, r0, r3, ctx))
-+ goto err; /* LCM((p-1)(q-1)) */
-+
-+ ctx2 = BN_CTX_new();
-+ if (!ctx2)
-+ goto err;
-+
-+ rsa->d=BN_mod_inverse(NULL,rsa->e,r0,ctx2); /* d */
-+ if (rsa->d == NULL)
-+ goto err;
-+
-+ /* calculate d mod (p-1) */
-+ rsa->dmp1=BN_new();
-+ if (rsa->dmp1 == NULL)
-+ goto err;
-+ if (!BN_mod(rsa->dmp1,rsa->d,r1,ctx))
-+ goto err;
-+
-+ /* calculate d mod (q-1) */
-+ rsa->dmq1=BN_new();
-+ if (rsa->dmq1 == NULL)
-+ goto err;
-+ if (!BN_mod(rsa->dmq1,rsa->d,r2,ctx))
-+ goto err;
-+
-+ /* calculate inverse of q mod p */
-+ rsa->iqmp=BN_mod_inverse(NULL,rsa->q,rsa->p,ctx2);
-+
-+ err:
-+ if (ctx)
-+ {
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
-+ }
-+ if (ctx2)
-+ BN_CTX_free(ctx2);
-+ /* If this is set all calls successful */
-+ if (rsa && rsa->iqmp != NULL)
-+ return 1;
-+
-+ return 0;
-+
-+ }
-+
-+int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, BN_GENCB *cb)
-+ {
-+ int ok = 0;
-+ BIGNUM *Xp = NULL, *Xq = NULL;
-+ BN_CTX *ctx = NULL;
-+
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) &&
-+ (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
-+ {
-+ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_KEY_TOO_SHORT);
-+ return 0;
-+ }
-+
-+ if (bits & 0xff)
-+ {
-+ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
-+
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_FIPS_SELFTEST_FAILED);
-+ return 0;
-+ }
-+#endif
-+
-+ ctx = BN_CTX_new();
-+ if (!ctx)
-+ goto error;
-+
-+ BN_CTX_start(ctx);
-+ Xp = BN_CTX_get(ctx);
-+ Xq = BN_CTX_get(ctx);
-+ if (!BN_X931_generate_Xpq(Xp, Xq, bits, ctx))
-+ goto error;
-+
-+ rsa->p = BN_new();
-+ rsa->q = BN_new();
-+ if (!rsa->p || !rsa->q)
-+ goto error;
-+
-+ /* Generate two primes from Xp, Xq */
-+
-+ if (!BN_X931_generate_prime_ex(rsa->p, NULL, NULL, NULL, NULL, Xp,
-+ e, ctx, cb))
-+ goto error;
-+
-+ if (!BN_X931_generate_prime_ex(rsa->q, NULL, NULL, NULL, NULL, Xq,
-+ e, ctx, cb))
-+ goto error;
-+
-+ /* Since rsa->p and rsa->q are valid this call will just derive
-+ * remaining RSA components.
-+ */
-+
-+ if (!RSA_X931_derive_ex(rsa, NULL, NULL, NULL, NULL,
-+ NULL, NULL, NULL, NULL, NULL, NULL, e, cb))
-+ goto error;
-+
-+#ifdef OPENSSL_FIPS
-+ if(!fips_check_rsa(rsa))
-+ goto error;
-+#endif
-+
-+ ok = 1;
-+
-+ error:
-+ if (ctx)
-+ {
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
-+ }
-+
-+ if (ok)
-+ return 1;
-+
-+ return 0;
-+
-+ }
-diff -up openssl-1.0.1j/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.1j/crypto/fips/fips_sha_selftest.c
---- openssl-1.0.1j/crypto/fips/fips_sha_selftest.c.fips 2014-10-16 13:19:35.102306491 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_sha_selftest.c 2014-10-16 13:19:35.102306491 +0200
-@@ -0,0 +1,140 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+#include <openssl/evp.h>
-+#include <openssl/sha.h>
-+
-+#ifdef OPENSSL_FIPS
-+static const char test[][60]=
-+ {
-+ "",
-+ "abc",
-+ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
-+ };
-+
-+static const unsigned char ret[][SHA_DIGEST_LENGTH]=
-+ {
-+ { 0xda,0x39,0xa3,0xee,0x5e,0x6b,0x4b,0x0d,0x32,0x55,
-+ 0xbf,0xef,0x95,0x60,0x18,0x90,0xaf,0xd8,0x07,0x09 },
-+ { 0xa9,0x99,0x3e,0x36,0x47,0x06,0x81,0x6a,0xba,0x3e,
-+ 0x25,0x71,0x78,0x50,0xc2,0x6c,0x9c,0xd0,0xd8,0x9d },
-+ { 0x84,0x98,0x3e,0x44,0x1c,0x3b,0xd2,0x6e,0xba,0xae,
-+ 0x4a,0xa1,0xf9,0x51,0x29,0xe5,0xe5,0x46,0x70,0xf1 },
-+ };
-+
-+static int corrupt_sha;
-+
-+void FIPS_corrupt_sha1()
-+ {
-+ corrupt_sha = 1;
-+ }
-+
-+int FIPS_selftest_sha1()
-+ {
-+ int n;
-+
-+ for(n=0 ; n<sizeof(test)/sizeof(test[0]) ; ++n)
-+ {
-+ unsigned char md[SHA_DIGEST_LENGTH];
-+
-+ EVP_Digest(test[n],strlen(test[n])+corrupt_sha,md, NULL, EVP_sha1(), NULL);
-+ if(memcmp(md,ret[n],sizeof md))
-+ {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA1,FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+ }
-+ return 1;
-+ }
-+
-+static const unsigned char msg_sha256[] = { 0xfa, 0x48, 0x59, 0x2a, 0xe1, 0xae, 0x1f, 0x30,
-+ 0xfc };
-+static const unsigned char dig_sha256[] = { 0xf7, 0x26, 0xd8, 0x98, 0x47, 0x91, 0x68, 0x5b,
-+ 0x9e, 0x39, 0xb2, 0x58, 0xbb, 0x75, 0xbf, 0x01,
-+ 0x17, 0x0c, 0x84, 0x00, 0x01, 0x7a, 0x94, 0x83,
-+ 0xf3, 0x0b, 0x15, 0x84, 0x4b, 0x69, 0x88, 0x8a };
-+
-+static const unsigned char msg_sha512[] = { 0x37, 0xd1, 0x35, 0x9d, 0x18, 0x41, 0xe9, 0xb7,
-+ 0x6d, 0x9a, 0x13, 0xda, 0x5f, 0xf3, 0xbd };
-+static const unsigned char dig_sha512[] = { 0x11, 0x13, 0xc4, 0x19, 0xed, 0x2b, 0x1d, 0x16,
-+ 0x11, 0xeb, 0x9b, 0xbe, 0xf0, 0x7f, 0xcf, 0x44,
-+ 0x8b, 0xd7, 0x57, 0xbd, 0x8d, 0xa9, 0x25, 0xb0,
-+ 0x47, 0x25, 0xd6, 0x6c, 0x9a, 0x54, 0x7f, 0x8f,
-+ 0x0b, 0x53, 0x1a, 0x10, 0x68, 0x32, 0x03, 0x38,
-+ 0x82, 0xc4, 0x87, 0xc4, 0xea, 0x0e, 0xd1, 0x04,
-+ 0xa9, 0x98, 0xc1, 0x05, 0xa3, 0xf3, 0xf8, 0xb1,
-+ 0xaf, 0xbc, 0xd9, 0x78, 0x7e, 0xee, 0x3d, 0x43 };
-+
-+int FIPS_selftest_sha2(void)
-+ {
-+ unsigned char md[SHA512_DIGEST_LENGTH];
-+
-+ EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL);
-+ if(memcmp(dig_sha256, md, sizeof(dig_sha256)))
-+ {
-+ FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ EVP_Digest(msg_sha512, sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL);
-+ if(memcmp(dig_sha512, md, sizeof(dig_sha512)))
-+ {
-+ FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ return 1;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.1j/crypto/fips/fips_standalone_hmac.c
---- openssl-1.0.1j/crypto/fips/fips_standalone_hmac.c.fips 2014-10-16 13:19:35.102306491 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_standalone_hmac.c 2014-10-16 13:19:35.102306491 +0200
-@@ -0,0 +1,236 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <openssl/opensslconf.h>
-+#include <openssl/sha.h>
-+#include <openssl/hmac.h>
-+
-+#ifndef FIPSCANISTER_O
-+int FIPS_selftest_failed() { return 0; }
-+void FIPS_selftest_check() {}
-+#endif
-+
-+#ifdef OPENSSL_FIPS
-+int bn_mul_mont_fpu64(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, const BN_ULONG *n0, int num) { return 0; };
-+int bn_mul_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, const BN_ULONG *n0, int num) { return 0; };
-+
-+#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
-+ defined(__INTEL__) || \
-+ defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
-+
-+unsigned int OPENSSL_ia32cap_P[2];
-+unsigned long *OPENSSL_ia32cap_loc(void)
-+{ if (sizeof(long)==4)
-+ /*
-+ * If 32-bit application pulls address of OPENSSL_ia32cap_P[0]
-+ * clear second element to maintain the illusion that vector
-+ * is 32-bit.
-+ */
-+ OPENSSL_ia32cap_P[1]=0;
-+ return (unsigned long *)OPENSSL_ia32cap_P;
-+}
-+
-+#if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM) && !defined(I386_ONLY)
-+#define OPENSSL_CPUID_SETUP
-+#if defined(_WIN32)
-+typedef unsigned __int64 IA32CAP;
-+#else
-+typedef unsigned long long IA32CAP;
-+#endif
-+void OPENSSL_cpuid_setup(void)
-+{ static int trigger=0;
-+ IA32CAP OPENSSL_ia32_cpuid(void);
-+ IA32CAP vec;
-+ char *env;
-+
-+ if (trigger) return;
-+
-+ trigger=1;
-+ if ((env=getenv("OPENSSL_ia32cap"))) {
-+ int off = (env[0]=='~')?1:0;
-+#if defined(_WIN32)
-+ if (!sscanf(env+off,"%I64i",&vec)) vec = strtoul(env+off,NULL,0);
-+#else
-+ if (!sscanf(env+off,"%lli",(long long *)&vec)) vec = strtoul(env+off,NULL,0);
-+#endif
-+ if (off) vec = OPENSSL_ia32_cpuid()&~vec;
-+ }
-+ else
-+ vec = OPENSSL_ia32_cpuid();
-+
-+ /*
-+ * |(1<<10) sets a reserved bit to signal that variable
-+ * was initialized already... This is to avoid interference
-+ * with cpuid snippets in ELF .init segment.
-+ */
-+ OPENSSL_ia32cap_P[0] = (unsigned int)vec|(1<<10);
-+ OPENSSL_ia32cap_P[1] = (unsigned int)(vec>>32);
-+}
-+#endif
-+
-+#else
-+unsigned long *OPENSSL_ia32cap_loc(void) { return NULL; }
-+#endif
-+int OPENSSL_NONPIC_relocated = 0;
-+#if !defined(OPENSSL_CPUID_SETUP) && !defined(OPENSSL_CPUID_OBJ)
-+void OPENSSL_cpuid_setup(void) {}
-+#endif
-+
-+static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx,
-+ const char *key)
-+ {
-+ size_t len=strlen(key);
-+ int i;
-+ unsigned char keymd[HMAC_MAX_MD_CBLOCK];
-+ unsigned char pad[HMAC_MAX_MD_CBLOCK];
-+
-+ if (len > SHA_CBLOCK)
-+ {
-+ SHA256_Init(md_ctx);
-+ SHA256_Update(md_ctx,key,len);
-+ SHA256_Final(keymd,md_ctx);
-+ len=SHA256_DIGEST_LENGTH;
-+ }
-+ else
-+ memcpy(keymd,key,len);
-+ memset(&keymd[len],'\0',HMAC_MAX_MD_CBLOCK-len);
-+
-+ for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
-+ pad[i]=0x36^keymd[i];
-+ SHA256_Init(md_ctx);
-+ SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
-+
-+ for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
-+ pad[i]=0x5c^keymd[i];
-+ SHA256_Init(o_ctx);
-+ SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
-+ }
-+
-+static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx)
-+ {
-+ unsigned char buf[SHA256_DIGEST_LENGTH];
-+
-+ SHA256_Final(buf,md_ctx);
-+ SHA256_Update(o_ctx,buf,sizeof buf);
-+ SHA256_Final(md,o_ctx);
-+ }
-+
-+#endif
-+
-+int main(int argc,char **argv)
-+ {
-+#ifdef OPENSSL_FIPS
-+ static char key[]="orboDeJITITejsirpADONivirpUkvarP";
-+ int n,binary=0;
-+
-+ if(argc < 2)
-+ {
-+ fprintf(stderr,"%s [<file>]+\n",argv[0]);
-+ exit(1);
-+ }
-+
-+ n=1;
-+ if (!strcmp(argv[n],"-binary"))
-+ {
-+ n++;
-+ binary=1; /* emit binary fingerprint... */
-+ }
-+
-+ for(; n < argc ; ++n)
-+ {
-+ FILE *f=fopen(argv[n],"rb");
-+ SHA256_CTX md_ctx,o_ctx;
-+ unsigned char md[SHA256_DIGEST_LENGTH];
-+ int i;
-+
-+ if(!f)
-+ {
-+ perror(argv[n]);
-+ exit(2);
-+ }
-+
-+ hmac_init(&md_ctx,&o_ctx,key);
-+ for( ; ; )
-+ {
-+ char buf[1024];
-+ size_t l=fread(buf,1,sizeof buf,f);
-+
-+ if(l == 0)
-+ {
-+ if(ferror(f))
-+ {
-+ perror(argv[n]);
-+ exit(3);
-+ }
-+ else
-+ break;
-+ }
-+ SHA256_Update(&md_ctx,buf,l);
-+ }
-+ hmac_final(md,&md_ctx,&o_ctx);
-+
-+ if (binary)
-+ {
-+ fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
-+ break; /* ... for single(!) file */
-+ }
-+
-+/* printf("HMAC-SHA1(%s)= ",argv[n]); */
-+ for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
-+ printf("%02x",md[i]);
-+ printf("\n");
-+ }
-+#endif
-+ return 0;
-+ }
-+
-+
-diff -up openssl-1.0.1j/crypto/fips/fips_test_suite.c.fips openssl-1.0.1j/crypto/fips/fips_test_suite.c
---- openssl-1.0.1j/crypto/fips/fips_test_suite.c.fips 2014-10-16 13:19:35.103306514 +0200
-+++ openssl-1.0.1j/crypto/fips/fips_test_suite.c 2014-10-16 13:19:35.103306514 +0200
-@@ -0,0 +1,588 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ *
-+ * This command is intended as a test driver for the FIPS-140 testing
-+ * lab performing FIPS-140 validation. It demonstrates the use of the
-+ * OpenSSL library ito perform a variety of common cryptographic
-+ * functions. A power-up self test is demonstrated by deliberately
-+ * pointing to an invalid executable hash
-+ *
-+ * Contributed by Steve Marquess.
-+ *
-+ */
-+#include <stdio.h>
-+#include <assert.h>
-+#include <ctype.h>
-+#include <string.h>
-+#include <stdlib.h>
-+#include <openssl/aes.h>
-+#include <openssl/des.h>
-+#include <openssl/rsa.h>
-+#include <openssl/dsa.h>
-+#include <openssl/dh.h>
-+#include <openssl/hmac.h>
-+#include <openssl/err.h>
-+
-+#include <openssl/bn.h>
-+#include <openssl/rand.h>
-+#include <openssl/sha.h>
-+
-+
-+#ifndef OPENSSL_FIPS
-+int main(int argc, char *argv[])
-+ {
-+ printf("No FIPS support\n");
-+ return(0);
-+ }
-+#else
-+
-+#include <openssl/fips.h>
-+#include "fips_utl.h"
-+
-+/* AES: encrypt and decrypt known plaintext, verify result matches original plaintext
-+*/
-+static int FIPS_aes_test(void)
-+ {
-+ int ret = 0;
-+ unsigned char pltmp[16];
-+ unsigned char citmp[16];
-+ unsigned char key[16] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
-+ unsigned char plaintext[16] = "etaonrishdlcu";
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+ if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 1) <= 0)
-+ goto err;
-+ EVP_Cipher(&ctx, citmp, plaintext, 16);
-+ if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 0) <= 0)
-+ goto err;
-+ EVP_Cipher(&ctx, pltmp, citmp, 16);
-+ if (memcmp(pltmp, plaintext, 16))
-+ goto err;
-+ ret = 1;
-+ err:
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+ return ret;
-+ }
-+
-+static int FIPS_des3_test(void)
-+ {
-+ int ret = 0;
-+ unsigned char pltmp[8];
-+ unsigned char citmp[8];
-+ unsigned char key[] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,
-+ 19,20,21,22,23,24};
-+ unsigned char plaintext[] = { 'e', 't', 'a', 'o', 'n', 'r', 'i', 's' };
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+ if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(),NULL, key, NULL, 1) <= 0)
-+ goto err;
-+ EVP_Cipher(&ctx, citmp, plaintext, 8);
-+ if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(),NULL, key, NULL, 0) <= 0)
-+ goto err;
-+ EVP_Cipher(&ctx, pltmp, citmp, 8);
-+ if (memcmp(pltmp, plaintext, 8))
-+ goto err;
-+ ret = 1;
-+ err:
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+ return ret;
-+ }
-+
-+/*
-+ * DSA: generate keys and sign, verify input plaintext.
-+ */
-+static int FIPS_dsa_test(int bad)
-+ {
-+ DSA *dsa = NULL;
-+ EVP_PKEY pk;
-+ unsigned char dgst[] = "etaonrishdlc";
-+ unsigned char buf[60];
-+ unsigned int slen;
-+ int r = 0;
-+ EVP_MD_CTX mctx;
-+
-+ ERR_clear_error();
-+ EVP_MD_CTX_init(&mctx);
-+ dsa = DSA_new();
-+ if (!dsa)
-+ goto end;
-+ if (!DSA_generate_parameters_ex(dsa, 1024,NULL,0,NULL,NULL,NULL))
-+ goto end;
-+ if (!DSA_generate_key(dsa))
-+ goto end;
-+ if (bad)
-+ BN_add_word(dsa->pub_key, 1);
-+
-+ pk.type = EVP_PKEY_DSA;
-+ pk.pkey.dsa = dsa;
-+
-+ if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL))
-+ goto end;
-+ if (!EVP_SignUpdate(&mctx, dgst, sizeof(dgst) - 1))
-+ goto end;
-+ if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
-+ goto end;
-+
-+ if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL))
-+ goto end;
-+ if (!EVP_VerifyUpdate(&mctx, dgst, sizeof(dgst) - 1))
-+ goto end;
-+ r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
-+ end:
-+ EVP_MD_CTX_cleanup(&mctx);
-+ if (dsa)
-+ DSA_free(dsa);
-+ if (r != 1)
-+ return 0;
-+ return 1;
-+ }
-+
-+/*
-+ * RSA: generate keys and sign, verify input plaintext.
-+ */
-+static int FIPS_rsa_test(int bad)
-+ {
-+ RSA *key;
-+ unsigned char input_ptext[] = "etaonrishdlc";
-+ unsigned char buf[256];
-+ unsigned int slen;
-+ BIGNUM *bn;
-+ EVP_MD_CTX mctx;
-+ EVP_PKEY pk;
-+ int r = 0;
-+
-+ ERR_clear_error();
-+ EVP_MD_CTX_init(&mctx);
-+ key = RSA_new();
-+ bn = BN_new();
-+ if (!key || !bn)
-+ return 0;
-+ BN_set_word(bn, 65537);
-+ if (!RSA_generate_key_ex(key, 1024,bn,NULL))
-+ return 0;
-+ BN_free(bn);
-+ if (bad)
-+ BN_add_word(key->n, 1);
-+
-+ pk.type = EVP_PKEY_RSA;
-+ pk.pkey.rsa = key;
-+
-+ if (!EVP_SignInit_ex(&mctx, EVP_sha1(), NULL))
-+ goto end;
-+ if (!EVP_SignUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
-+ goto end;
-+ if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
-+ goto end;
-+
-+ if (!EVP_VerifyInit_ex(&mctx, EVP_sha1(), NULL))
-+ goto end;
-+ if (!EVP_VerifyUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
-+ goto end;
-+ r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
-+ end:
-+ EVP_MD_CTX_cleanup(&mctx);
-+ if (key)
-+ RSA_free(key);
-+ if (r != 1)
-+ return 0;
-+ return 1;
-+ }
-+
-+/* SHA1: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_sha1_test()
-+ {
-+ unsigned char digest[SHA_DIGEST_LENGTH] =
-+ { 0x11, 0xf1, 0x9a, 0x3a, 0xec, 0x1a, 0x1e, 0x8e, 0x65, 0xd4, 0x9a, 0x38, 0x0c, 0x8b, 0x1e, 0x2c, 0xe8, 0xb3, 0xc5, 0x18 };
-+ unsigned char str[] = "etaonrishd";
-+
-+ unsigned char md[SHA_DIGEST_LENGTH];
-+
-+ ERR_clear_error();
-+ if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha1(), NULL)) return 0;
-+ if (memcmp(md,digest,sizeof(md)))
-+ return 0;
-+ return 1;
-+ }
-+
-+/* SHA256: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_sha256_test()
-+ {
-+ unsigned char digest[SHA256_DIGEST_LENGTH] =
-+ {0xf5, 0x53, 0xcd, 0xb8, 0xcf, 0x1, 0xee, 0x17, 0x9b, 0x93, 0xc9, 0x68, 0xc0, 0xea, 0x40, 0x91,
-+ 0x6, 0xec, 0x8e, 0x11, 0x96, 0xc8, 0x5d, 0x1c, 0xaf, 0x64, 0x22, 0xe6, 0x50, 0x4f, 0x47, 0x57};
-+ unsigned char str[] = "etaonrishd";
-+
-+ unsigned char md[SHA256_DIGEST_LENGTH];
-+
-+ ERR_clear_error();
-+ if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha256(), NULL)) return 0;
-+ if (memcmp(md,digest,sizeof(md)))
-+ return 0;
-+ return 1;
-+ }
-+
-+/* SHA512: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_sha512_test()
-+ {
-+ unsigned char digest[SHA512_DIGEST_LENGTH] =
-+ {0x99, 0xc9, 0xe9, 0x5b, 0x88, 0xd4, 0x78, 0x88, 0xdf, 0x88, 0x5f, 0x94, 0x71, 0x64, 0x28, 0xca,
-+ 0x16, 0x1f, 0x3d, 0xf4, 0x1f, 0xf3, 0x0f, 0xc5, 0x03, 0x99, 0xb2, 0xd0, 0xe7, 0x0b, 0x94, 0x4a,
-+ 0x45, 0xd2, 0x6c, 0x4f, 0x20, 0x06, 0xef, 0x71, 0xa9, 0x25, 0x7f, 0x24, 0xb1, 0xd9, 0x40, 0x22,
-+ 0x49, 0x54, 0x10, 0xc2, 0x22, 0x9d, 0x27, 0xfe, 0xbd, 0xd6, 0xd6, 0xeb, 0x2d, 0x42, 0x1d, 0xa3};
-+ unsigned char str[] = "etaonrishd";
-+
-+ unsigned char md[SHA512_DIGEST_LENGTH];
-+
-+ ERR_clear_error();
-+ if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha512(), NULL)) return 0;
-+ if (memcmp(md,digest,sizeof(md)))
-+ return 0;
-+ return 1;
-+ }
-+
-+/* HMAC-SHA1: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_hmac_sha1_test()
-+ {
-+ unsigned char key[] = "etaonrishd";
-+ unsigned char iv[] = "Sample text";
-+ unsigned char kaval[EVP_MAX_MD_SIZE] =
-+ {0x73, 0xf7, 0xa0, 0x48, 0xf8, 0x94, 0xed, 0xdd, 0x0a, 0xea, 0xea, 0x56, 0x1b, 0x61, 0x2e, 0x70,
-+ 0xb2, 0xfb, 0xec, 0xc6};
-+
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ unsigned int outlen;
-+
-+ ERR_clear_error();
-+ if (!HMAC(EVP_sha1(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
-+ if (memcmp(out,kaval,outlen))
-+ return 0;
-+ return 1;
-+ }
-+
-+/* HMAC-SHA224: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_hmac_sha224_test()
-+ {
-+ unsigned char key[] = "etaonrishd";
-+ unsigned char iv[] = "Sample text";
-+ unsigned char kaval[EVP_MAX_MD_SIZE] =
-+ {0x75, 0x58, 0xd5, 0xbd, 0x55, 0x6d, 0x87, 0x0f, 0x75, 0xff, 0xbe, 0x1c, 0xb2, 0xf0, 0x20, 0x35,
-+ 0xe5, 0x62, 0x49, 0xb6, 0x94, 0xb9, 0xfc, 0x65, 0x34, 0x33, 0x3a, 0x19};
-+
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ unsigned int outlen;
-+
-+ ERR_clear_error();
-+ if (!HMAC(EVP_sha224(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
-+ if (memcmp(out,kaval,outlen))
-+ return 0;
-+ return 1;
-+ }
-+
-+/* HMAC-SHA256: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_hmac_sha256_test()
-+ {
-+ unsigned char key[] = "etaonrishd";
-+ unsigned char iv[] = "Sample text";
-+ unsigned char kaval[EVP_MAX_MD_SIZE] =
-+ {0xe9, 0x17, 0xc1, 0x7b, 0x4c, 0x6b, 0x77, 0xda, 0xd2, 0x30, 0x36, 0x02, 0xf5, 0x72, 0x33, 0x87,
-+ 0x9f, 0xc6, 0x6e, 0x7b, 0x7e, 0xa8, 0xea, 0xaa, 0x9f, 0xba, 0xee, 0x51, 0xff, 0xda, 0x24, 0xf4};
-+
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ unsigned int outlen;
-+
-+ ERR_clear_error();
-+ if (!HMAC(EVP_sha256(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
-+ if (memcmp(out,kaval,outlen))
-+ return 0;
-+ return 1;
-+ }
-+
-+/* HMAC-SHA384: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_hmac_sha384_test()
-+ {
-+ unsigned char key[] = "etaonrishd";
-+ unsigned char iv[] = "Sample text";
-+ unsigned char kaval[EVP_MAX_MD_SIZE] =
-+ {0xb2, 0x9d, 0x40, 0x58, 0x32, 0xc4, 0xe3, 0x31, 0xb6, 0x63, 0x08, 0x26, 0x99, 0xef, 0x3b, 0x10,
-+ 0xe2, 0xdf, 0xf8, 0xff, 0xc6, 0xe1, 0x03, 0x29, 0x81, 0x2a, 0x1b, 0xac, 0xb0, 0x07, 0x39, 0x08,
-+ 0xf3, 0x91, 0x35, 0x11, 0x76, 0xd6, 0x4c, 0x20, 0xfb, 0x4d, 0xc3, 0xf3, 0xb8, 0x9b, 0x88, 0x1c};
-+
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ unsigned int outlen;
-+
-+ ERR_clear_error();
-+ if (!HMAC(EVP_sha384(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
-+ if (memcmp(out,kaval,outlen))
-+ return 0;
-+ return 1;
-+ }
-+
-+/* HMAC-SHA512: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_hmac_sha512_test()
-+ {
-+ unsigned char key[] = "etaonrishd";
-+ unsigned char iv[] = "Sample text";
-+ unsigned char kaval[EVP_MAX_MD_SIZE] =
-+ {0xcd, 0x3e, 0xb9, 0x51, 0xb8, 0xbc, 0x7f, 0x9a, 0x23, 0xaf, 0xf3, 0x77, 0x59, 0x85, 0xa9, 0xe6,
-+ 0xf7, 0xd1, 0x51, 0x96, 0x17, 0xe0, 0x92, 0xd8, 0xa6, 0x3b, 0xc1, 0xad, 0x7e, 0x24, 0xca, 0xb1,
-+ 0xd7, 0x79, 0x0a, 0xa5, 0xea, 0x2c, 0x02, 0x58, 0x0b, 0xa6, 0x52, 0x6b, 0x61, 0x7f, 0xeb, 0x9c,
-+ 0x47, 0x86, 0x5d, 0x74, 0x2b, 0x88, 0xdf, 0xee, 0x46, 0x69, 0x96, 0x3d, 0xa6, 0xd9, 0x2a, 0x53};
-+
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ unsigned int outlen;
-+
-+ ERR_clear_error();
-+ if (!HMAC(EVP_sha512(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0;
-+ if (memcmp(out,kaval,outlen))
-+ return 0;
-+ return 1;
-+ }
-+
-+
-+/* DH: generate shared parameters
-+*/
-+static int dh_test()
-+ {
-+ DH *dh;
-+ ERR_clear_error();
-+ dh = FIPS_dh_new();
-+ if (!dh)
-+ return 0;
-+ if (!DH_generate_parameters_ex(dh, 1024, 2, NULL))
-+ return 0;
-+ FIPS_dh_free(dh);
-+ return 1;
-+ }
-+
-+/* Zeroize
-+*/
-+static int Zeroize()
-+ {
-+ RSA *key;
-+ BIGNUM *bn;
-+ unsigned char userkey[16] =
-+ { 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f, 0x83, 0x02, 0xb1, 0x09, 0x68 };
-+ int i, n;
-+
-+ key = FIPS_rsa_new();
-+ bn = BN_new();
-+ if (!key || !bn)
-+ return 0;
-+ BN_set_word(bn, 65537);
-+ if (!RSA_generate_key_ex(key, 1024,bn,NULL))
-+ return 0;
-+ BN_free(bn);
-+
-+ n = BN_num_bytes(key->d);
-+ printf(" Generated %d byte RSA private key\n", n);
-+ printf("\tBN key before overwriting:\n");
-+ do_bn_print(stdout, key->d);
-+ BN_rand(key->d,n*8,-1,0);
-+ printf("\tBN key after overwriting:\n");
-+ do_bn_print(stdout, key->d);
-+
-+ printf("\tchar buffer key before overwriting: \n\t\t");
-+ for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
-+ printf("\n");
-+ RAND_bytes(userkey, sizeof userkey);
-+ printf("\tchar buffer key after overwriting: \n\t\t");
-+ for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]);
-+ printf("\n");
-+
-+ return 1;
-+ }
-+
-+static int Error;
-+const char * Fail(const char *msg)
-+ {
-+ do_print_errors();
-+ Error++;
-+ return msg;
-+ }
-+
-+int main(int argc,char **argv)
-+ {
-+
-+ int do_corrupt_rsa_keygen = 0, do_corrupt_dsa_keygen = 0;
-+ int bad_rsa = 0, bad_dsa = 0;
-+ int do_rng_stick = 0;
-+ int no_exit = 0;
-+
-+ printf("\tFIPS-mode test application\n\n");
-+
-+ /* Load entropy from external file, if any */
-+ RAND_load_file(".rnd", 1024);
-+
-+ if (argv[1]) {
-+ /* Corrupted KAT tests */
-+ if (!strcmp(argv[1], "aes")) {
-+ FIPS_corrupt_aes();
-+ printf("AES encryption/decryption with corrupted KAT...\n");
-+ } else if (!strcmp(argv[1], "des")) {
-+ FIPS_corrupt_des();
-+ printf("DES3-ECB encryption/decryption with corrupted KAT...\n");
-+ } else if (!strcmp(argv[1], "dsa")) {
-+ FIPS_corrupt_dsa();
-+ printf("DSA key generation and signature validation with corrupted KAT...\n");
-+ } else if (!strcmp(argv[1], "rsa")) {
-+ FIPS_corrupt_rsa();
-+ printf("RSA key generation and signature validation with corrupted KAT...\n");
-+ } else if (!strcmp(argv[1], "rsakey")) {
-+ printf("RSA key generation and signature validation with corrupted key...\n");
-+ bad_rsa = 1;
-+ no_exit = 1;
-+ } else if (!strcmp(argv[1], "rsakeygen")) {
-+ do_corrupt_rsa_keygen = 1;
-+ no_exit = 1;
-+ printf("RSA key generation and signature validation with corrupted keygen...\n");
-+ } else if (!strcmp(argv[1], "dsakey")) {
-+ printf("DSA key generation and signature validation with corrupted key...\n");
-+ bad_dsa = 1;
-+ no_exit = 1;
-+ } else if (!strcmp(argv[1], "dsakeygen")) {
-+ do_corrupt_dsa_keygen = 1;
-+ no_exit = 1;
-+ printf("DSA key generation and signature validation with corrupted keygen...\n");
-+ } else if (!strcmp(argv[1], "sha1")) {
-+ FIPS_corrupt_sha1();
-+ printf("SHA-1 hash with corrupted KAT...\n");
-+ } else if (!strcmp(argv[1], "rng")) {
-+ FIPS_corrupt_rng();
-+ } else if (!strcmp(argv[1], "rngstick")) {
-+ do_rng_stick = 1;
-+ no_exit = 1;
-+ printf("RNG test with stuck continuous test...\n");
-+ } else {
-+ printf("Bad argument \"%s\"\n", argv[1]);
-+ exit(1);
-+ }
-+ if (!no_exit) {
-+ if (!FIPS_mode_set(1)) {
-+ do_print_errors();
-+ printf("Power-up self test failed\n");
-+ exit(1);
-+ }
-+ printf("Power-up self test successful\n");
-+ exit(0);
-+ }
-+ }
-+
-+ /* Non-Approved cryptographic operation
-+ */
-+ printf("1. Non-Approved cryptographic operation test...\n");
-+ printf("\ta. Included algorithm (D-H)...");
-+ printf( dh_test() ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* Power-up self test
-+ */
-+ ERR_clear_error();
-+ printf("2. Automatic power-up self test...");
-+ if (!FIPS_mode_set(1))
-+ {
-+ do_print_errors();
-+ printf(Fail("FAILED!\n"));
-+ exit(1);
-+ }
-+ printf("successful\n");
-+ if (do_corrupt_dsa_keygen)
-+ FIPS_corrupt_dsa_keygen();
-+ if (do_corrupt_rsa_keygen)
-+ FIPS_corrupt_rsa_keygen();
-+ if (do_rng_stick)
-+ FIPS_rng_stick();
-+
-+ /* AES encryption/decryption
-+ */
-+ printf("3. AES encryption/decryption...");
-+ printf( FIPS_aes_test() ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* RSA key generation and encryption/decryption
-+ */
-+ printf("4. RSA key generation and encryption/decryption...");
-+ printf( FIPS_rsa_test(bad_rsa) ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* DES-CBC encryption/decryption
-+ */
-+ printf("5. DES-ECB encryption/decryption...");
-+ printf( FIPS_des3_test() ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* DSA key generation and signature validation
-+ */
-+ printf("6. DSA key generation and signature validation...");
-+ printf( FIPS_dsa_test(bad_dsa) ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* SHA-1 hash
-+ */
-+ printf("7a. SHA-1 hash...");
-+ printf( FIPS_sha1_test() ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* SHA-256 hash
-+ */
-+ printf("7b. SHA-256 hash...");
-+ printf( FIPS_sha256_test() ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* SHA-512 hash
-+ */
-+ printf("7c. SHA-512 hash...");
-+ printf( FIPS_sha512_test() ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* HMAC-SHA-1 hash
-+ */
-+ printf("7d. HMAC-SHA-1 hash...");
-+ printf( FIPS_hmac_sha1_test() ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* HMAC-SHA-224 hash
-+ */
-+ printf("7e. HMAC-SHA-224 hash...");
-+ printf( FIPS_hmac_sha224_test() ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* HMAC-SHA-256 hash
-+ */
-+ printf("7f. HMAC-SHA-256 hash...");
-+ printf( FIPS_hmac_sha256_test() ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* HMAC-SHA-384 hash
-+ */
-+ printf("7g. HMAC-SHA-384 hash...");
-+ printf( FIPS_hmac_sha384_test() ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* HMAC-SHA-512 hash
-+ */
-+ printf("7h. HMAC-SHA-512 hash...");
-+ printf( FIPS_hmac_sha512_test() ? "successful\n" : Fail("FAILED!\n") );
-+
-+ /* Non-Approved cryptographic operation
-+ */
-+ printf("8. Non-Approved cryptographic operation test...\n");
-+ printf("\ta. Included algorithm (D-H)...");
-+ printf( dh_test() ? "successful as expected\n"
-+ : Fail("failed INCORRECTLY!\n") );
-+
-+ /* Zeroization
-+ */
-+ printf("9. Zero-ization...\n");
-+ printf( Zeroize() ? "\tsuccessful as expected\n"
-+ : Fail("\tfailed INCORRECTLY!\n") );
-+
-+ printf("\nAll tests completed with %d errors\n", Error);
-+ return Error ? 1 : 0;
-+ }
-+
-+#endif
-diff -up openssl-1.0.1j/crypto/fips/Makefile.fips openssl-1.0.1j/crypto/fips/Makefile
---- openssl-1.0.1j/crypto/fips/Makefile.fips 2014-10-16 13:19:35.103306514 +0200
-+++ openssl-1.0.1j/crypto/fips/Makefile 2014-10-16 13:19:35.103306514 +0200
-@@ -0,0 +1,341 @@
-+#
-+# OpenSSL/crypto/fips/Makefile
-+#
-+
-+DIR= fips
-+TOP= ../..
-+CC= cc
-+INCLUDES=
-+CFLAG=-g
-+MAKEFILE= Makefile
-+AR= ar r
-+
-+CFLAGS= $(INCLUDES) $(CFLAG)
-+
-+GENERAL=Makefile
-+TEST=fips_test_suite.c fips_randtest.c
-+APPS=
-+
-+PROGRAM= fips_standalone_hmac
-+EXE= $(PROGRAM)$(EXE_EXT)
-+
-+LIB=$(TOP)/libcrypto.a
-+LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_selftest.c \
-+ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
-+ fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
-+ fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
-+ fips_cmac_selftest.c fips_enc.c fips_md.c
-+
-+LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \
-+ fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \
-+ fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \
-+ fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \
-+ fips_cmac_selftest.o fips_enc.o fips_md.o
-+
-+LIBCRYPTO=-L.. -lcrypto
-+
-+SRC= $(LIBSRC) fips_standalone_hmac.c
-+
-+EXHEADER= fips.h fips_rand.h
-+HEADER= $(EXHEADER)
-+
-+ALL= $(GENERAL) $(SRC) $(HEADER)
-+
-+top:
-+ (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
-+
-+all: lib exe
-+
-+lib: $(LIBOBJ)
-+ $(AR) $(LIB) $(LIBOBJ)
-+ $(RANLIB) $(LIB) || echo Never mind.
-+ @touch lib
-+
-+exe: $(EXE)
-+
-+files:
-+ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-+
-+links:
-+ @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
-+ @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
-+ @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
-+
-+install:
-+ @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-+ @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
-+ do \
-+ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
-+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
-+ done;
-+
-+tags:
-+ ctags $(SRC)
-+
-+tests:
-+
-+lint:
-+ lint -DLINT $(INCLUDES) $(SRC)>fluff
-+
-+depend:
-+ @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
-+ $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
-+
-+dclean:
-+ $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
-+ mv -f Makefile.new $(MAKEFILE)
-+
-+clean:
-+ rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
-+
-+$(EXE): $(PROGRAM).o
-+ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../sha/$$i" ; done; \
-+ for i in $(CPUID_OBJ); do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../$$i" ; done; \
-+ $(CC) -o $@ $(CFLAGS) $(PROGRAM).o $$FIPS_SHA_ASM
-+
-+# DO NOT DELETE THIS LINE -- make depend depends on it.
-+
-+fips.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips.o: ../../include/openssl/fips_rand.h ../../include/openssl/hmac.h
-+fips.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-+fips.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-+fips.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-+fips.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
-+fips.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-+fips.o: ../../include/openssl/symhacks.h fips.c fips_locl.h
-+fips_aes_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_aes_selftest.o: ../../include/openssl/crypto.h
-+fips_aes_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_aes_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_aes_selftest.o: ../../include/openssl/lhash.h
-+fips_aes_selftest.o: ../../include/openssl/obj_mac.h
-+fips_aes_selftest.o: ../../include/openssl/objects.h
-+fips_aes_selftest.o: ../../include/openssl/opensslconf.h
-+fips_aes_selftest.o: ../../include/openssl/opensslv.h
-+fips_aes_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_aes_selftest.o: ../../include/openssl/safestack.h
-+fips_aes_selftest.o: ../../include/openssl/stack.h
-+fips_aes_selftest.o: ../../include/openssl/symhacks.h fips_aes_selftest.c
-+fips_des_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_des_selftest.o: ../../include/openssl/crypto.h
-+fips_des_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_des_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_des_selftest.o: ../../include/openssl/lhash.h
-+fips_des_selftest.o: ../../include/openssl/obj_mac.h
-+fips_des_selftest.o: ../../include/openssl/objects.h
-+fips_des_selftest.o: ../../include/openssl/opensslconf.h
-+fips_des_selftest.o: ../../include/openssl/opensslv.h
-+fips_des_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_des_selftest.o: ../../include/openssl/safestack.h
-+fips_des_selftest.o: ../../include/openssl/stack.h
-+fips_des_selftest.o: ../../include/openssl/symhacks.h fips_des_selftest.c
-+fips_drbg_ctr.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_ctr.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_drbg_ctr.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
-+fips_drbg_ctr.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
-+fips_drbg_ctr.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
-+fips_drbg_ctr.o: ../../include/openssl/objects.h
-+fips_drbg_ctr.o: ../../include/openssl/opensslconf.h
-+fips_drbg_ctr.o: ../../include/openssl/opensslv.h
-+fips_drbg_ctr.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_drbg_ctr.o: ../../include/openssl/safestack.h
-+fips_drbg_ctr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-+fips_drbg_ctr.o: fips_drbg_ctr.c fips_rand_lcl.h
-+fips_drbg_hash.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_hash.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_drbg_hash.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
-+fips_drbg_hash.o: ../../include/openssl/fips.h
-+fips_drbg_hash.o: ../../include/openssl/fips_rand.h
-+fips_drbg_hash.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
-+fips_drbg_hash.o: ../../include/openssl/objects.h
-+fips_drbg_hash.o: ../../include/openssl/opensslconf.h
-+fips_drbg_hash.o: ../../include/openssl/opensslv.h
-+fips_drbg_hash.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_drbg_hash.o: ../../include/openssl/safestack.h
-+fips_drbg_hash.o: ../../include/openssl/stack.h
-+fips_drbg_hash.o: ../../include/openssl/symhacks.h fips_drbg_hash.c
-+fips_drbg_hash.o: fips_rand_lcl.h
-+fips_drbg_hmac.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_hmac.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_drbg_hmac.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
-+fips_drbg_hmac.o: ../../include/openssl/fips.h
-+fips_drbg_hmac.o: ../../include/openssl/fips_rand.h
-+fips_drbg_hmac.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
-+fips_drbg_hmac.o: ../../include/openssl/objects.h
-+fips_drbg_hmac.o: ../../include/openssl/opensslconf.h
-+fips_drbg_hmac.o: ../../include/openssl/opensslv.h
-+fips_drbg_hmac.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_drbg_hmac.o: ../../include/openssl/safestack.h
-+fips_drbg_hmac.o: ../../include/openssl/stack.h
-+fips_drbg_hmac.o: ../../include/openssl/symhacks.h fips_drbg_hmac.c
-+fips_drbg_hmac.o: fips_rand_lcl.h
-+fips_drbg_lib.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_lib.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_drbg_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_drbg_lib.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_drbg_lib.o: ../../include/openssl/fips_rand.h ../../include/openssl/hmac.h
-+fips_drbg_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-+fips_drbg_lib.o: ../../include/openssl/objects.h
-+fips_drbg_lib.o: ../../include/openssl/opensslconf.h
-+fips_drbg_lib.o: ../../include/openssl/opensslv.h
-+fips_drbg_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_drbg_lib.o: ../../include/openssl/safestack.h
-+fips_drbg_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-+fips_drbg_lib.o: fips_drbg_lib.c fips_locl.h fips_rand_lcl.h
-+fips_drbg_rand.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_rand.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_drbg_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_drbg_rand.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_drbg_rand.o: ../../include/openssl/fips_rand.h
-+fips_drbg_rand.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
-+fips_drbg_rand.o: ../../include/openssl/obj_mac.h
-+fips_drbg_rand.o: ../../include/openssl/objects.h
-+fips_drbg_rand.o: ../../include/openssl/opensslconf.h
-+fips_drbg_rand.o: ../../include/openssl/opensslv.h
-+fips_drbg_rand.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_drbg_rand.o: ../../include/openssl/safestack.h
-+fips_drbg_rand.o: ../../include/openssl/stack.h
-+fips_drbg_rand.o: ../../include/openssl/symhacks.h fips_drbg_rand.c
-+fips_drbg_rand.o: fips_rand_lcl.h
-+fips_drbg_selftest.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_selftest.o: ../../include/openssl/bio.h
-+fips_drbg_selftest.o: ../../include/openssl/crypto.h
-+fips_drbg_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_drbg_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_drbg_selftest.o: ../../include/openssl/fips_rand.h
-+fips_drbg_selftest.o: ../../include/openssl/hmac.h
-+fips_drbg_selftest.o: ../../include/openssl/lhash.h
-+fips_drbg_selftest.o: ../../include/openssl/obj_mac.h
-+fips_drbg_selftest.o: ../../include/openssl/objects.h
-+fips_drbg_selftest.o: ../../include/openssl/opensslconf.h
-+fips_drbg_selftest.o: ../../include/openssl/opensslv.h
-+fips_drbg_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_drbg_selftest.o: ../../include/openssl/rand.h
-+fips_drbg_selftest.o: ../../include/openssl/safestack.h
-+fips_drbg_selftest.o: ../../include/openssl/stack.h
-+fips_drbg_selftest.o: ../../include/openssl/symhacks.h fips_drbg_selftest.c
-+fips_drbg_selftest.o: fips_drbg_selftest.h fips_locl.h fips_rand_lcl.h
-+fips_dsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_dsa_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-+fips_dsa_selftest.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-+fips_dsa_selftest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+fips_dsa_selftest.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
-+fips_dsa_selftest.o: ../../include/openssl/obj_mac.h
-+fips_dsa_selftest.o: ../../include/openssl/objects.h
-+fips_dsa_selftest.o: ../../include/openssl/opensslconf.h
-+fips_dsa_selftest.o: ../../include/openssl/opensslv.h
-+fips_dsa_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_dsa_selftest.o: ../../include/openssl/safestack.h
-+fips_dsa_selftest.o: ../../include/openssl/stack.h
-+fips_dsa_selftest.o: ../../include/openssl/symhacks.h fips_dsa_selftest.c
-+fips_dsa_selftest.o: fips_locl.h
-+fips_hmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_hmac_selftest.o: ../../include/openssl/crypto.h
-+fips_hmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_hmac_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_hmac_selftest.o: ../../include/openssl/hmac.h
-+fips_hmac_selftest.o: ../../include/openssl/lhash.h
-+fips_hmac_selftest.o: ../../include/openssl/obj_mac.h
-+fips_hmac_selftest.o: ../../include/openssl/objects.h
-+fips_hmac_selftest.o: ../../include/openssl/opensslconf.h
-+fips_hmac_selftest.o: ../../include/openssl/opensslv.h
-+fips_hmac_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_hmac_selftest.o: ../../include/openssl/safestack.h
-+fips_hmac_selftest.o: ../../include/openssl/stack.h
-+fips_hmac_selftest.o: ../../include/openssl/symhacks.h fips_hmac_selftest.c
-+fips_post.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_post.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_post.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-+fips_post.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+fips_post.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
-+fips_post.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
-+fips_post.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-+fips_post.o: ../../include/openssl/opensslconf.h
-+fips_post.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-+fips_post.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
-+fips_post.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-+fips_post.o: ../../include/openssl/symhacks.h fips_locl.h fips_post.c
-+fips_rand.o: ../../e_os.h ../../include/openssl/aes.h
-+fips_rand.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_rand.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-+fips_rand.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+fips_rand.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
-+fips_rand.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
-+fips_rand.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-+fips_rand.o: ../../include/openssl/opensslconf.h
-+fips_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-+fips_rand.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
-+fips_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-+fips_rand.o: fips_locl.h fips_rand.c
-+fips_rand_lib.o: ../../e_os.h ../../include/openssl/aes.h
-+fips_rand_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_rand_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-+fips_rand_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+fips_rand_lib.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
-+fips_rand_lib.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
-+fips_rand_lib.o: ../../include/openssl/obj_mac.h
-+fips_rand_lib.o: ../../include/openssl/objects.h
-+fips_rand_lib.o: ../../include/openssl/opensslconf.h
-+fips_rand_lib.o: ../../include/openssl/opensslv.h
-+fips_rand_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_rand_lib.o: ../../include/openssl/safestack.h
-+fips_rand_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-+fips_rand_lib.o: fips_rand_lib.c
-+fips_rand_selftest.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_rand_selftest.o: ../../include/openssl/bio.h
-+fips_rand_selftest.o: ../../include/openssl/crypto.h
-+fips_rand_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_rand_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_rand_selftest.o: ../../include/openssl/fips_rand.h
-+fips_rand_selftest.o: ../../include/openssl/hmac.h
-+fips_rand_selftest.o: ../../include/openssl/lhash.h
-+fips_rand_selftest.o: ../../include/openssl/obj_mac.h
-+fips_rand_selftest.o: ../../include/openssl/objects.h
-+fips_rand_selftest.o: ../../include/openssl/opensslconf.h
-+fips_rand_selftest.o: ../../include/openssl/opensslv.h
-+fips_rand_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_rand_selftest.o: ../../include/openssl/rand.h
-+fips_rand_selftest.o: ../../include/openssl/safestack.h
-+fips_rand_selftest.o: ../../include/openssl/stack.h
-+fips_rand_selftest.o: ../../include/openssl/symhacks.h fips_locl.h
-+fips_rand_selftest.o: fips_rand_selftest.c
-+fips_rsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_rsa_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-+fips_rsa_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_rsa_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_rsa_selftest.o: ../../include/openssl/lhash.h
-+fips_rsa_selftest.o: ../../include/openssl/obj_mac.h
-+fips_rsa_selftest.o: ../../include/openssl/objects.h
-+fips_rsa_selftest.o: ../../include/openssl/opensslconf.h
-+fips_rsa_selftest.o: ../../include/openssl/opensslv.h
-+fips_rsa_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_rsa_selftest.o: ../../include/openssl/rsa.h
-+fips_rsa_selftest.o: ../../include/openssl/safestack.h
-+fips_rsa_selftest.o: ../../include/openssl/stack.h
-+fips_rsa_selftest.o: ../../include/openssl/symhacks.h fips_rsa_selftest.c
-+fips_rsa_x931g.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_rsa_x931g.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-+fips_rsa_x931g.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_rsa_x931g.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
-+fips_rsa_x931g.o: ../../include/openssl/opensslconf.h
-+fips_rsa_x931g.o: ../../include/openssl/opensslv.h
-+fips_rsa_x931g.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rsa.h
-+fips_rsa_x931g.o: ../../include/openssl/safestack.h
-+fips_rsa_x931g.o: ../../include/openssl/stack.h
-+fips_rsa_x931g.o: ../../include/openssl/symhacks.h fips_rsa_x931g.c
-+fips_sha_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_sha_selftest.o: ../../include/openssl/crypto.h
-+fips_sha_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_sha_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_sha_selftest.o: ../../include/openssl/lhash.h
-+fips_sha_selftest.o: ../../include/openssl/obj_mac.h
-+fips_sha_selftest.o: ../../include/openssl/objects.h
-+fips_sha_selftest.o: ../../include/openssl/opensslconf.h
-+fips_sha_selftest.o: ../../include/openssl/opensslv.h
-+fips_sha_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_sha_selftest.o: ../../include/openssl/safestack.h
-+fips_sha_selftest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-+fips_sha_selftest.o: ../../include/openssl/symhacks.h fips_sha_selftest.c
-diff -up openssl-1.0.1j/crypto/hmac/hmac.c.fips openssl-1.0.1j/crypto/hmac/hmac.c
---- openssl-1.0.1j/crypto/hmac/hmac.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/hmac/hmac.c 2014-10-16 13:19:35.103306514 +0200
-@@ -81,11 +81,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
- EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS);
- return 0;
- }
-- /* Other algorithm blocking will be done in FIPS_cmac_init,
-- * via FIPS_hmac_init_ex().
-- */
-- if (!impl && !ctx->i_ctx.engine)
-- return FIPS_hmac_init_ex(ctx, key, len, md, NULL);
- }
- #endif
-
-@@ -99,6 +94,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
-
- if (key != NULL)
- {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(md->flags & EVP_MD_FLAG_FIPS)
-+ && (!(ctx->md_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
-+ || !(ctx->i_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
-+ || !(ctx->o_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))
-+ goto err;
-+#endif
- reset=1;
- j=EVP_MD_block_size(md);
- OPENSSL_assert(j <= (int)sizeof(ctx->key));
-@@ -155,10 +157,6 @@ int HMAC_Init(HMAC_CTX *ctx, const void
-
- int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
- {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !ctx->i_ctx.engine)
-- return FIPS_hmac_update(ctx, data, len);
--#endif
- return EVP_DigestUpdate(&ctx->md_ctx,data,len);
- }
-
-@@ -166,10 +164,6 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned c
- {
- unsigned int i;
- unsigned char buf[EVP_MAX_MD_SIZE];
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !ctx->i_ctx.engine)
-- return FIPS_hmac_final(ctx, md, len);
--#endif
-
- if (!EVP_DigestFinal_ex(&ctx->md_ctx,buf,&i))
- goto err;
-@@ -209,13 +203,6 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_C
-
- void HMAC_CTX_cleanup(HMAC_CTX *ctx)
- {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !ctx->i_ctx.engine)
-- {
-- FIPS_hmac_ctx_cleanup(ctx);
-- return;
-- }
--#endif
- EVP_MD_CTX_cleanup(&ctx->i_ctx);
- EVP_MD_CTX_cleanup(&ctx->o_ctx);
- EVP_MD_CTX_cleanup(&ctx->md_ctx);
-diff -up openssl-1.0.1j/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.1j/crypto/mdc2/mdc2dgst.c
---- openssl-1.0.1j/crypto/mdc2/mdc2dgst.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/mdc2/mdc2dgst.c 2014-10-16 13:19:35.103306514 +0200
-@@ -76,7 +76,7 @@
- *((c)++)=(unsigned char)(((l)>>24L)&0xff))
-
- static void mdc2_body(MDC2_CTX *c, const unsigned char *in, size_t len);
--fips_md_init(MDC2)
-+nonfips_md_init(MDC2)
- {
- c->num=0;
- c->pad_type=1;
-diff -up openssl-1.0.1j/crypto/md2/md2_dgst.c.fips openssl-1.0.1j/crypto/md2/md2_dgst.c
---- openssl-1.0.1j/crypto/md2/md2_dgst.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/md2/md2_dgst.c 2014-10-16 13:19:35.103306514 +0200
-@@ -62,6 +62,11 @@
- #include <openssl/md2.h>
- #include <openssl/opensslv.h>
- #include <openssl/crypto.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
-+#include <openssl/err.h>
-
- const char MD2_version[]="MD2" OPENSSL_VERSION_PTEXT;
-
-@@ -116,7 +121,7 @@ const char *MD2_options(void)
- return("md2(int)");
- }
-
--fips_md_init(MD2)
-+nonfips_md_init(MD2)
- {
- c->num=0;
- memset(c->state,0,sizeof c->state);
-diff -up openssl-1.0.1j/crypto/md4/md4_dgst.c.fips openssl-1.0.1j/crypto/md4/md4_dgst.c
---- openssl-1.0.1j/crypto/md4/md4_dgst.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/md4/md4_dgst.c 2014-10-16 13:19:35.104306536 +0200
-@@ -71,7 +71,7 @@ const char MD4_version[]="MD4" OPENSSL_V
- #define INIT_DATA_C (unsigned long)0x98badcfeL
- #define INIT_DATA_D (unsigned long)0x10325476L
-
--fips_md_init(MD4)
-+nonfips_md_init(MD4)
- {
- memset (c,0,sizeof(*c));
- c->A=INIT_DATA_A;
-diff -up openssl-1.0.1j/crypto/md5/md5_dgst.c.fips openssl-1.0.1j/crypto/md5/md5_dgst.c
---- openssl-1.0.1j/crypto/md5/md5_dgst.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/md5/md5_dgst.c 2014-10-16 13:19:35.104306536 +0200
-@@ -71,7 +71,7 @@ const char MD5_version[]="MD5" OPENSSL_V
- #define INIT_DATA_C (unsigned long)0x98badcfeL
- #define INIT_DATA_D (unsigned long)0x10325476L
-
--fips_md_init(MD5)
-+nonfips_md_init(MD5)
- {
- memset (c,0,sizeof(*c));
- c->A=INIT_DATA_A;
-diff -up openssl-1.0.1j/crypto/o_fips.c.fips openssl-1.0.1j/crypto/o_fips.c
---- openssl-1.0.1j/crypto/o_fips.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/o_fips.c 2014-10-16 13:19:35.104306536 +0200
-@@ -79,6 +79,8 @@ int FIPS_mode_set(int r)
- #ifndef FIPS_AUTH_USER_PASS
- #define FIPS_AUTH_USER_PASS "Default FIPS Crypto User Password"
- #endif
-+ if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */
-+ return 1;
- if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS))
- return 0;
- if (r)
-diff -up openssl-1.0.1j/crypto/o_init.c.fips openssl-1.0.1j/crypto/o_init.c
---- openssl-1.0.1j/crypto/o_init.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/o_init.c 2014-10-16 13:19:35.104306536 +0200
-@@ -55,28 +55,68 @@
- #include <e_os.h>
- #include <openssl/err.h>
- #ifdef OPENSSL_FIPS
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <fcntl.h>
-+#include <unistd.h>
-+#include <errno.h>
-+#include <stdlib.h>
- #include <openssl/fips.h>
- #include <openssl/rand.h>
-+
-+#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
-+
-+static void init_fips_mode(void)
-+ {
-+ char buf[2] = "0";
-+ int fd;
-+
-+ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
-+ {
-+ buf[0] = '1';
-+ }
-+ else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
-+ {
-+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
-+ close(fd);
-+ }
-+ /* Failure reading the fips mode switch file means just not
-+ * switching into FIPS mode. We would break too many things
-+ * otherwise.
-+ */
-+
-+ if (buf[0] == '1')
-+ {
-+ FIPS_mode_set(1);
-+ }
-+ }
- #endif
-
- /* Perform any essential OpenSSL initialization operations.
- * Currently only sets FIPS callbacks
- */
-
--void OPENSSL_init(void)
-+void OPENSSL_init_library(void)
- {
- static int done = 0;
- if (done)
- return;
- done = 1;
- #ifdef OPENSSL_FIPS
-- FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock);
-- FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);
-- FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);
- RAND_init_fips();
-+ init_fips_mode();
-+ if (!FIPS_mode())
-+ {
-+ /* Clean up prematurely set default rand method */
-+ RAND_set_rand_method(NULL);
-+ }
- #endif
- #if 0
- fprintf(stderr, "Called OPENSSL_init\n");
- #endif
- }
-
-+void OPENSSL_init(void)
-+ {
-+ OPENSSL_init_library();
-+ }
-diff -up openssl-1.0.1j/crypto/opensslconf.h.in.fips openssl-1.0.1j/crypto/opensslconf.h.in
---- openssl-1.0.1j/crypto/opensslconf.h.in.fips 2014-10-15 14:51:06.000000000 +0200
-+++ openssl-1.0.1j/crypto/opensslconf.h.in 2014-10-16 13:19:35.104306536 +0200
-@@ -1,5 +1,20 @@
- /* crypto/opensslconf.h.in */
-
-+#ifdef OPENSSL_DOING_MAKEDEPEND
-+
-+/* Include any symbols here that have to be explicitly set to enable a feature
-+ * that should be visible to makedepend.
-+ *
-+ * [Our "make depend" doesn't actually look at this, we use actual build settings
-+ * instead; we want to make it easy to remove subdirectories with disabled algorithms.]
-+ */
-+
-+#ifndef OPENSSL_FIPS
-+#define OPENSSL_FIPS
-+#endif
-+
-+#endif
-+
- /* Generate 80386 code? */
- #undef I386_ONLY
-
-diff -up openssl-1.0.1j/crypto/rand/md_rand.c.fips openssl-1.0.1j/crypto/rand/md_rand.c
---- openssl-1.0.1j/crypto/rand/md_rand.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/rand/md_rand.c 2014-10-16 13:19:35.104306536 +0200
-@@ -391,7 +391,10 @@ int ssleay_rand_bytes(unsigned char *buf
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
- crypto_lock_rand = 1;
-
-- if (!initialized)
-+ /* always poll for external entropy in FIPS mode, drbg provides the
-+ * expansion
-+ */
-+ if (!initialized || FIPS_module_mode())
- {
- RAND_poll();
- initialized = 1;
-diff -up openssl-1.0.1j/crypto/rand/rand.h.fips openssl-1.0.1j/crypto/rand/rand.h
---- openssl-1.0.1j/crypto/rand/rand.h.fips 2014-10-16 13:19:34.775299109 +0200
-+++ openssl-1.0.1j/crypto/rand/rand.h 2014-10-16 13:19:35.105306559 +0200
-@@ -133,16 +133,34 @@ void ERR_load_RAND_strings(void);
- /* Error codes for the RAND functions. */
-
- /* Function codes. */
-+#define RAND_F_ENG_RAND_GET_RAND_METHOD 108
-+#define RAND_F_FIPS_RAND 103
-+#define RAND_F_FIPS_RAND_BYTES 102
-+#define RAND_F_FIPS_RAND_SET_DT 106
-+#define RAND_F_FIPS_X931_SET_DT 106
-+#define RAND_F_FIPS_SET_DT 104
-+#define RAND_F_FIPS_SET_PRNG_SEED 107
-+#define RAND_F_FIPS_SET_TEST_MODE 105
- #define RAND_F_RAND_GET_RAND_METHOD 101
--#define RAND_F_RAND_INIT_FIPS 102
-+#define RAND_F_RAND_INIT_FIPS 109
- #define RAND_F_SSLEAY_RAND_BYTES 100
-
- /* Reason codes. */
--#define RAND_R_DUAL_EC_DRBG_DISABLED 104
--#define RAND_R_ERROR_INITIALISING_DRBG 102
--#define RAND_R_ERROR_INSTANTIATING_DRBG 103
--#define RAND_R_NO_FIPS_RANDOM_METHOD_SET 101
-+#define RAND_R_DUAL_EC_DRBG_DISABLED 114
-+#define RAND_R_ERROR_INITIALISING_DRBG 112
-+#define RAND_R_ERROR_INSTANTIATING_DRBG 113
-+#define RAND_R_NON_FIPS_METHOD 105
-+#define RAND_R_NOT_IN_TEST_MODE 106
-+#define RAND_R_NO_FIPS_RANDOM_METHOD_SET 111
-+#define RAND_R_NO_KEY_SET 107
-+#define RAND_R_PRNG_ASKING_FOR_TOO_MUCH 101
-+#define RAND_R_PRNG_ERROR 108
-+#define RAND_R_PRNG_KEYED 109
-+#define RAND_R_PRNG_NOT_REKEYED 102
-+#define RAND_R_PRNG_NOT_RESEEDED 103
- #define RAND_R_PRNG_NOT_SEEDED 100
-+#define RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY 110
-+#define RAND_R_PRNG_STUCK 104
-
- #ifdef __cplusplus
- }
-diff -up openssl-1.0.1j/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.1j/crypto/ripemd/rmd_dgst.c
---- openssl-1.0.1j/crypto/ripemd/rmd_dgst.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/ripemd/rmd_dgst.c 2014-10-16 13:19:35.105306559 +0200
-@@ -70,7 +70,7 @@ const char RMD160_version[]="RIPE-MD160"
- void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,size_t num);
- # endif
-
--fips_md_init(RIPEMD160)
-+nonfips_md_init(RIPEMD160)
- {
- memset (c,0,sizeof(*c));
- c->A=RIPEMD160_A;
-diff -up openssl-1.0.1j/crypto/rsa/rsa_crpt.c.fips openssl-1.0.1j/crypto/rsa/rsa_crpt.c
---- openssl-1.0.1j/crypto/rsa/rsa_crpt.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/rsa/rsa_crpt.c 2014-10-16 13:19:35.105306559 +0200
-@@ -90,10 +90,9 @@ int RSA_private_encrypt(int flen, const
- RSA *rsa, int padding)
- {
- #ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
-+ if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
- {
-- RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
-+ RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
- return -1;
- }
- #endif
-@@ -118,10 +117,9 @@ int RSA_public_decrypt(int flen, const u
- RSA *rsa, int padding)
- {
- #ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
-+ if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
- {
-- RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
-+ RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
- return -1;
- }
- #endif
-diff -up openssl-1.0.1j/crypto/rsa/rsa_eay.c.fips openssl-1.0.1j/crypto/rsa/rsa_eay.c
---- openssl-1.0.1j/crypto/rsa/rsa_eay.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/rsa/rsa_eay.c 2014-10-16 13:19:35.105306559 +0200
-@@ -114,6 +114,10 @@
- #include <openssl/bn.h>
- #include <openssl/rsa.h>
- #include <openssl/rand.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-
- #ifndef RSA_NULL
-
-@@ -138,7 +142,7 @@ static RSA_METHOD rsa_pkcs1_eay_meth={
- BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */
- RSA_eay_init,
- RSA_eay_finish,
-- 0, /* flags */
-+ RSA_FLAG_FIPS_METHOD, /* flags */
- NULL,
- 0, /* rsa_sign */
- 0, /* rsa_verify */
-@@ -158,6 +162,24 @@ static int RSA_eay_public_encrypt(int fl
- unsigned char *buf=NULL;
- BN_CTX *ctx=NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if(FIPS_mode())
-+ {
-+ if (FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_RSA_EAY_PUBLIC_ENCRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
-+ goto err;
-+ }
-+
-+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
-+ {
-+ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
-+ return -1;
-+ }
-+ }
-+#endif
-+
- if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
- {
- RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
-@@ -361,6 +383,24 @@ static int RSA_eay_private_encrypt(int f
- BIGNUM *unblind = NULL;
- BN_BLINDING *blinding = NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode())
-+ {
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_RSA_EAY_PRIVATE_ENCRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
-+ return -1;
-+ }
-+
-+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
-+ {
-+ RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
-+ return -1;
-+ }
-+ }
-+#endif
-+
- if ((ctx=BN_CTX_new()) == NULL) goto err;
- BN_CTX_start(ctx);
- f = BN_CTX_get(ctx);
-@@ -504,6 +544,24 @@ static int RSA_eay_private_decrypt(int f
- BIGNUM *unblind = NULL;
- BN_BLINDING *blinding = NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode())
-+ {
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_RSA_EAY_PRIVATE_DECRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
-+ return -1;
-+ }
-+
-+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
-+ {
-+ RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
-+ return -1;
-+ }
-+ }
-+#endif
-+
- if((ctx = BN_CTX_new()) == NULL) goto err;
- BN_CTX_start(ctx);
- f = BN_CTX_get(ctx);
-@@ -639,6 +697,24 @@ static int RSA_eay_public_decrypt(int fl
- unsigned char *buf=NULL;
- BN_CTX *ctx=NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode())
-+ {
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_RSA_EAY_PUBLIC_DECRYPT,FIPS_R_FIPS_SELFTEST_FAILED);
-+ goto err;
-+ }
-+
-+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS))
-+ {
-+ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
-+ return -1;
-+ }
-+ }
-+#endif
-+
- if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
- {
- RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
-@@ -897,6 +973,9 @@ err:
-
- static int RSA_eay_init(RSA *rsa)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
- return(1);
- }
-diff -up openssl-1.0.1j/crypto/rsa/rsa_err.c.fips openssl-1.0.1j/crypto/rsa/rsa_err.c
---- openssl-1.0.1j/crypto/rsa/rsa_err.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/rsa/rsa_err.c 2014-10-16 13:19:35.105306559 +0200
-@@ -121,6 +121,8 @@ static ERR_STRING_DATA RSA_str_functs[]=
- {ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"},
- {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"},
- {ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"},
-+{ERR_FUNC(RSA_F_RSA_SET_DEFAULT_METHOD), "RSA_set_default_method"},
-+{ERR_FUNC(RSA_F_RSA_SET_METHOD), "RSA_set_method"},
- {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"},
- {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"},
- {ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"},
-diff -up openssl-1.0.1j/crypto/rsa/rsa_gen.c.fips openssl-1.0.1j/crypto/rsa/rsa_gen.c
---- openssl-1.0.1j/crypto/rsa/rsa_gen.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/rsa/rsa_gen.c 2014-10-16 13:19:35.106306581 +0200
-@@ -69,6 +69,78 @@
- #include <openssl/rsa.h>
- #ifdef OPENSSL_FIPS
- #include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+
-+static int fips_rsa_pairwise_fail = 0;
-+
-+void FIPS_corrupt_rsa_keygen(void)
-+ {
-+ fips_rsa_pairwise_fail = 1;
-+ }
-+
-+int fips_check_rsa(RSA *rsa)
-+ {
-+ const unsigned char tbs[] = "RSA Pairwise Check Data";
-+ unsigned char *ctbuf = NULL, *ptbuf = NULL;
-+ int len, ret = 0;
-+ EVP_PKEY *pk;
-+
-+ if ((pk=EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_set1_RSA(pk, rsa);
-+
-+ /* Perform pairwise consistency signature test */
-+ if (!fips_pkey_signature_test(pk, tbs, -1,
-+ NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1, NULL)
-+ || !fips_pkey_signature_test(pk, tbs, -1,
-+ NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931, NULL)
-+ || !fips_pkey_signature_test(pk, tbs, -1,
-+ NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS, NULL))
-+ goto err;
-+ /* Now perform pairwise consistency encrypt/decrypt test */
-+ ctbuf = OPENSSL_malloc(RSA_size(rsa));
-+ if (!ctbuf)
-+ goto err;
-+
-+ len = RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa, RSA_PKCS1_PADDING);
-+ if (len <= 0)
-+ goto err;
-+ /* Check ciphertext doesn't match plaintext */
-+ if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len))
-+ goto err;
-+ ptbuf = OPENSSL_malloc(RSA_size(rsa));
-+
-+ if (!ptbuf)
-+ goto err;
-+ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
-+ if (len != (sizeof(tbs) - 1))
-+ goto err;
-+ if (memcmp(ptbuf, tbs, len))
-+ goto err;
-+
-+ ret = 1;
-+
-+ if (!ptbuf)
-+ goto err;
-+
-+ err:
-+ if (ret == 0)
-+ {
-+ fips_set_selftest_fail();
-+ FIPSerr(FIPS_F_FIPS_CHECK_RSA,FIPS_R_PAIRWISE_TEST_FAILED);
-+ }
-+
-+ if (ctbuf)
-+ OPENSSL_free(ctbuf);
-+ if (ptbuf)
-+ OPENSSL_free(ptbuf);
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+
-+ return ret;
-+ }
- #endif
-
- static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
-@@ -81,7 +153,7 @@ static int rsa_builtin_keygen(RSA *rsa,
- int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
- {
- #ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-+ if (FIPS_module_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
- {
- RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
-@@ -90,10 +162,6 @@ int RSA_generate_key_ex(RSA *rsa, int bi
- #endif
- if(rsa->meth->rsa_keygen)
- return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb);
--#endif
- return rsa_builtin_keygen(rsa, bits, e_value, cb);
- }
-
-@@ -105,6 +173,23 @@ static int rsa_builtin_keygen(RSA *rsa,
- int bitsp,bitsq,ok= -1,n=0;
- BN_CTX *ctx=NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_module_mode())
-+ {
-+ if(FIPS_selftest_failed())
-+ {
-+ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_FIPS_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)
-+ {
-+ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_KEY_TOO_SHORT);
-+ return 0;
-+ }
-+ }
-+#endif
-+
- ctx=BN_CTX_new();
- if (ctx == NULL) goto err;
- BN_CTX_start(ctx);
-@@ -216,6 +301,17 @@ static int rsa_builtin_keygen(RSA *rsa,
- p = rsa->p;
- if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_module_mode())
-+ {
-+ if (fips_rsa_pairwise_fail)
-+ BN_add_word(rsa->n, 1);
-+
-+ if(!fips_check_rsa(rsa))
-+ goto err;
-+ }
-+#endif
-+
- ok=1;
- err:
- if (ok == -1)
-diff -up openssl-1.0.1j/crypto/rsa/rsa.h.fips openssl-1.0.1j/crypto/rsa/rsa.h
---- openssl-1.0.1j/crypto/rsa/rsa.h.fips 2014-10-16 13:19:34.947302992 +0200
-+++ openssl-1.0.1j/crypto/rsa/rsa.h 2014-10-16 13:24:00.824305281 +0200
-@@ -164,6 +164,8 @@ struct rsa_st
- # define OPENSSL_RSA_MAX_MODULUS_BITS 16384
- #endif
-
-+#define OPENSSL_RSA_FIPS_MIN_MODULUS_BITS 1024
-+
- #ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
- # define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
- #endif
-@@ -290,6 +292,11 @@ RSA * RSA_generate_key(int bits, unsigne
-
- /* New version */
- int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
-+int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
-+ const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp,
-+ const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq,
-+ const BIGNUM *e, BN_GENCB *cb);
-+int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, BN_GENCB *cb);
-
- int RSA_check_key(const RSA *);
- /* next 4 return -1 on error */
-@@ -487,7 +494,7 @@ void ERR_load_RSA_strings(void);
- #define RSA_F_RSA_PADDING_ADD_NONE 107
- #define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121
- #define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125
--#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 148
-+#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 158
- #define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108
- #define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109
- #define RSA_F_RSA_PADDING_ADD_SSLV23 110
-@@ -500,20 +507,22 @@ void ERR_load_RSA_strings(void);
- #define RSA_F_RSA_PADDING_CHECK_X931 128
- #define RSA_F_RSA_PRINT 115
- #define RSA_F_RSA_PRINT_FP 116
--#define RSA_F_RSA_PRIVATE_DECRYPT 150
--#define RSA_F_RSA_PRIVATE_ENCRYPT 151
-+#define RSA_F_RSA_PRIVATE_DECRYPT 157
-+#define RSA_F_RSA_PRIVATE_ENCRYPT 148
- #define RSA_F_RSA_PRIV_DECODE 137
- #define RSA_F_RSA_PRIV_ENCODE 138
--#define RSA_F_RSA_PUBLIC_DECRYPT 152
-+#define RSA_F_RSA_PUBLIC_DECRYPT 149
- #define RSA_F_RSA_PUBLIC_ENCRYPT 153
- #define RSA_F_RSA_PUB_DECODE 139
- #define RSA_F_RSA_SETUP_BLINDING 136
-+#define RSA_F_RSA_SET_DEFAULT_METHOD 150
-+#define RSA_F_RSA_SET_METHOD 151
- #define RSA_F_RSA_SIGN 117
- #define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
- #define RSA_F_RSA_VERIFY 119
- #define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120
- #define RSA_F_RSA_VERIFY_PKCS1_PSS 126
--#define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 149
-+#define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 152
-
- /* Reason codes. */
- #define RSA_R_ALGORITHM_MISMATCH 100
-@@ -542,21 +551,22 @@ void ERR_load_RSA_strings(void);
- #define RSA_R_INVALID_MGF1_MD 156
- #define RSA_R_INVALID_PADDING 138
- #define RSA_R_INVALID_PADDING_MODE 141
--#define RSA_R_INVALID_PSS_PARAMETERS 149
-+#define RSA_R_INVALID_PSS_PARAMETERS 157
- #define RSA_R_INVALID_PSS_SALTLEN 146
--#define RSA_R_INVALID_SALT_LENGTH 150
-+#define RSA_R_INVALID_SALT_LENGTH 158
- #define RSA_R_INVALID_TRAILER 139
- #define RSA_R_INVALID_X931_DIGEST 142
- #define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
- #define RSA_R_KEY_SIZE_TOO_SMALL 120
- #define RSA_R_LAST_OCTET_INVALID 134
- #define RSA_R_MODULUS_TOO_LARGE 105
--#define RSA_R_NON_FIPS_RSA_METHOD 157
-+#define RSA_R_NON_FIPS_RSA_METHOD 149
-+#define RSA_R_NON_FIPS_METHOD 149
- #define RSA_R_NO_PUBLIC_EXPONENT 140
- #define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
- #define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
- #define RSA_R_OAEP_DECODING_ERROR 121
--#define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 158
-+#define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 150
- #define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
- #define RSA_R_PADDING_CHECK_FAILED 114
- #define RSA_R_PKCS_DECODING_ERROR 159
-diff -up openssl-1.0.1j/crypto/rsa/rsa_lib.c.fips openssl-1.0.1j/crypto/rsa/rsa_lib.c
---- openssl-1.0.1j/crypto/rsa/rsa_lib.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/rsa/rsa_lib.c 2014-10-16 13:19:35.106306581 +0200
-@@ -84,6 +84,13 @@ RSA *RSA_new(void)
-
- void RSA_set_default_method(const RSA_METHOD *meth)
- {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD))
-+ {
-+ RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_METHOD);
-+ return;
-+ }
-+#endif
- default_RSA_meth = meth;
- }
-
-@@ -91,18 +98,11 @@ const RSA_METHOD *RSA_get_default_method
- {
- if (default_RSA_meth == NULL)
- {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_rsa_pkcs1_ssleay();
-- else
-- return RSA_PKCS1_SSLeay();
--#else
- #ifdef RSA_NULL
- default_RSA_meth=RSA_null_method();
- #else
- default_RSA_meth=RSA_PKCS1_SSLeay();
- #endif
--#endif
- }
-
- return default_RSA_meth;
-@@ -118,6 +118,13 @@ int RSA_set_method(RSA *rsa, const RSA_M
- /* NB: The caller is specifically setting a method, so it's not up to us
- * to deal with which ENGINE it comes from. */
- const RSA_METHOD *mtmp;
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD))
-+ {
-+ RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+#endif
- mtmp = rsa->meth;
- if (mtmp->finish) mtmp->finish(rsa);
- #ifndef OPENSSL_NO_ENGINE
-@@ -170,6 +177,18 @@ RSA *RSA_new_method(ENGINE *engine)
- }
- }
- #endif
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD))
-+ {
-+ RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_METHOD);
-+#ifndef OPENSSL_NO_ENGINE
-+ if (ret->engine)
-+ ENGINE_finish(ret->engine);
-+#endif
-+ OPENSSL_free(ret);
-+ return NULL;
-+ }
-+#endif
-
- ret->pad=0;
- ret->version=0;
-@@ -188,7 +207,7 @@ RSA *RSA_new_method(ENGINE *engine)
- ret->blinding=NULL;
- ret->mt_blinding=NULL;
- ret->bignum_data=NULL;
-- ret->flags=ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
-+ ret->flags=ret->meth->flags;
- if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data))
- {
- #ifndef OPENSSL_NO_ENGINE
-diff -up openssl-1.0.1j/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.1j/crypto/rsa/rsa_pmeth.c
---- openssl-1.0.1j/crypto/rsa/rsa_pmeth.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/rsa/rsa_pmeth.c 2014-10-16 13:19:35.106306581 +0200
-@@ -206,22 +206,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c
- RSA_R_INVALID_DIGEST_LENGTH);
- return -1;
- }
--#ifdef OPENSSL_FIPS
-- if (ret > 0)
-- {
-- unsigned int slen;
-- ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
-- rctx->pad_mode,
-- rctx->saltlen,
-- rctx->mgf1md,
-- sig, &slen);
-- if (ret > 0)
-- *siglen = slen;
-- else
-- *siglen = 0;
-- return ret;
-- }
--#endif
-
- if (EVP_MD_type(rctx->md) == NID_mdc2)
- {
-@@ -354,19 +338,6 @@ static int pkey_rsa_verify(EVP_PKEY_CTX
- #endif
- if (rctx->md)
- {
--#ifdef OPENSSL_FIPS
-- if (rv > 0)
-- {
-- return FIPS_rsa_verify_digest(rsa,
-- tbs, tbslen,
-- rctx->md,
-- rctx->pad_mode,
-- rctx->saltlen,
-- rctx->mgf1md,
-- sig, siglen);
--
-- }
--#endif
- if (rctx->pad_mode == RSA_PKCS1_PADDING)
- return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
- sig, siglen, rsa);
-diff -up openssl-1.0.1j/crypto/rsa/rsa_sign.c.fips openssl-1.0.1j/crypto/rsa/rsa_sign.c
---- openssl-1.0.1j/crypto/rsa/rsa_sign.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/rsa/rsa_sign.c 2014-10-16 13:19:35.106306581 +0200
-@@ -138,7 +138,8 @@ int RSA_sign(int type, const unsigned ch
- i2d_X509_SIG(&sig,&p);
- s=tmps;
- }
-- i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING);
-+ /* NB: call underlying method directly to avoid FIPS blocking */
-+ i = rsa->meth->rsa_priv_enc ? rsa->meth->rsa_priv_enc(i,s,sigret,rsa,RSA_PKCS1_PADDING) : 0;
- if (i <= 0)
- ret=0;
- else
-@@ -197,8 +198,8 @@ int int_rsa_verify(int dtype, const unsi
-
- if((dtype == NID_md5_sha1) && rm)
- {
-- i = RSA_public_decrypt((int)siglen,
-- sigbuf,rm,rsa,RSA_PKCS1_PADDING);
-+ i = rsa->meth->rsa_pub_dec ? rsa->meth->rsa_pub_dec((int)siglen,
-+ sigbuf,rm,rsa,RSA_PKCS1_PADDING) : 0;
- if (i <= 0)
- return 0;
- *prm_len = i;
-@@ -215,7 +216,8 @@ int int_rsa_verify(int dtype, const unsi
- RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH);
- goto err;
- }
-- i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
-+ /* NB: call underlying method directly to avoid FIPS blocking */
-+ i = rsa->meth->rsa_pub_dec ? rsa->meth->rsa_pub_dec((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING) : 0;
-
- if (i <= 0) goto err;
- /* Oddball MDC2 case: signature can be OCTET STRING.
-diff -up openssl-1.0.1j/crypto/sha/sha.h.fips openssl-1.0.1j/crypto/sha/sha.h
---- openssl-1.0.1j/crypto/sha/sha.h.fips 2014-10-16 13:19:34.667296671 +0200
-+++ openssl-1.0.1j/crypto/sha/sha.h 2014-10-16 13:19:35.107306604 +0200
-@@ -116,9 +116,6 @@ unsigned char *SHA(const unsigned char *
- void SHA_Transform(SHA_CTX *c, const unsigned char *data);
- #endif
- #ifndef OPENSSL_NO_SHA1
--#ifdef OPENSSL_FIPS
--int private_SHA1_Init(SHA_CTX *c);
--#endif
- int SHA1_Init(SHA_CTX *c);
- int SHA1_Update(SHA_CTX *c, const void *data, size_t len);
- int SHA1_Final(unsigned char *md, SHA_CTX *c);
-@@ -141,10 +138,6 @@ typedef struct SHA256state_st
- } SHA256_CTX;
-
- #ifndef OPENSSL_NO_SHA256
--#ifdef OPENSSL_FIPS
--int private_SHA224_Init(SHA256_CTX *c);
--int private_SHA256_Init(SHA256_CTX *c);
--#endif
- int SHA224_Init(SHA256_CTX *c);
- int SHA224_Update(SHA256_CTX *c, const void *data, size_t len);
- int SHA224_Final(unsigned char *md, SHA256_CTX *c);
-@@ -192,10 +185,6 @@ typedef struct SHA512state_st
- #endif
-
- #ifndef OPENSSL_NO_SHA512
--#ifdef OPENSSL_FIPS
--int private_SHA384_Init(SHA512_CTX *c);
--int private_SHA512_Init(SHA512_CTX *c);
--#endif
- int SHA384_Init(SHA512_CTX *c);
- int SHA384_Update(SHA512_CTX *c, const void *data, size_t len);
- int SHA384_Final(unsigned char *md, SHA512_CTX *c);
-diff -up openssl-1.0.1j/crypto/sha/sha_locl.h.fips openssl-1.0.1j/crypto/sha/sha_locl.h
---- openssl-1.0.1j/crypto/sha/sha_locl.h.fips 2014-10-16 13:19:34.669296716 +0200
-+++ openssl-1.0.1j/crypto/sha/sha_locl.h 2014-10-16 13:19:35.107306604 +0200
-@@ -123,11 +123,14 @@ void sha1_block_data_order (SHA_CTX *c,
- #define INIT_DATA_h4 0xc3d2e1f0UL
-
- #ifdef SHA_0
--fips_md_init(SHA)
-+nonfips_md_init(SHA)
- #else
- fips_md_init_ctx(SHA1, SHA)
- #endif
- {
-+#if defined(SHA_1) && defined(OPENSSL_FIPS)
-+ FIPS_selftest_check();
-+#endif
- memset (c,0,sizeof(*c));
- c->h0=INIT_DATA_h0;
- c->h1=INIT_DATA_h1;
-diff -up openssl-1.0.1j/crypto/sha/sha256.c.fips openssl-1.0.1j/crypto/sha/sha256.c
---- openssl-1.0.1j/crypto/sha/sha256.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/sha/sha256.c 2014-10-16 13:19:35.107306604 +0200
-@@ -12,12 +12,19 @@
-
- #include <openssl/crypto.h>
- #include <openssl/sha.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- #include <openssl/opensslv.h>
-
- const char SHA256_version[]="SHA-256" OPENSSL_VERSION_PTEXT;
-
- fips_md_init_ctx(SHA224, SHA256)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- memset (c,0,sizeof(*c));
- c->h[0]=0xc1059ed8UL; c->h[1]=0x367cd507UL;
- c->h[2]=0x3070dd17UL; c->h[3]=0xf70e5939UL;
-@@ -29,6 +36,9 @@ fips_md_init_ctx(SHA224, SHA256)
-
- fips_md_init(SHA256)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- memset (c,0,sizeof(*c));
- c->h[0]=0x6a09e667UL; c->h[1]=0xbb67ae85UL;
- c->h[2]=0x3c6ef372UL; c->h[3]=0xa54ff53aUL;
-diff -up openssl-1.0.1j/crypto/sha/sha512.c.fips openssl-1.0.1j/crypto/sha/sha512.c
---- openssl-1.0.1j/crypto/sha/sha512.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/sha/sha512.c 2014-10-16 13:19:35.107306604 +0200
-@@ -5,6 +5,10 @@
- * ====================================================================
- */
- #include <openssl/opensslconf.h>
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif
-+
- #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
- /*
- * IMPLEMENTATION NOTES.
-@@ -61,6 +65,9 @@ const char SHA512_version[]="SHA-512" OP
-
- fips_md_init_ctx(SHA384, SHA512)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- c->h[0]=U64(0xcbbb9d5dc1059ed8);
- c->h[1]=U64(0x629a292a367cd507);
- c->h[2]=U64(0x9159015a3070dd17);
-@@ -77,6 +84,9 @@ fips_md_init_ctx(SHA384, SHA512)
-
- fips_md_init(SHA512)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- c->h[0]=U64(0x6a09e667f3bcc908);
- c->h[1]=U64(0xbb67ae8584caa73b);
- c->h[2]=U64(0x3c6ef372fe94f82b);
-diff -up openssl-1.0.1j/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.1j/crypto/whrlpool/wp_dgst.c
---- openssl-1.0.1j/crypto/whrlpool/wp_dgst.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/crypto/whrlpool/wp_dgst.c 2014-10-16 13:19:35.107306604 +0200
-@@ -55,7 +55,7 @@
- #include <openssl/crypto.h>
- #include <string.h>
-
--fips_md_init(WHIRLPOOL)
-+nonfips_md_init(WHIRLPOOL)
- {
- memset (c,0,sizeof(*c));
- return(1);
-diff -up openssl-1.0.1j/Makefile.org.fips openssl-1.0.1j/Makefile.org
---- openssl-1.0.1j/Makefile.org.fips 2014-10-16 13:19:35.062305588 +0200
-+++ openssl-1.0.1j/Makefile.org 2014-10-16 13:19:35.108306626 +0200
-@@ -136,6 +136,9 @@ FIPSCANLIB=
-
- BASEADDR=
-
-+# Non-empty if FIPS enabled
-+FIPS=
-+
- DIRS= crypto ssl engines apps test tools
- ENGDIRS= ccgost
- SHLIBDIRS= crypto ssl
-@@ -148,7 +151,7 @@ SDIRS= \
- bn ec rsa dsa ecdsa dh ecdh dso engine \
- buffer bio stack lhash rand err \
- evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
-- cms pqueue ts jpake srp store cmac
-+ cms pqueue ts jpake srp store cmac fips
- # keep in mind that the above list is adjusted by ./Configure
- # according to no-xxx arguments...
-
-@@ -237,6 +240,7 @@ BUILDENV= PLATFORM='$(PLATFORM)' PROCESS
- FIPSLIBDIR='${FIPSLIBDIR}' \
- FIPSDIR='${FIPSDIR}' \
- FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}" \
-+ FIPS="$${FIPS:-$(FIPS)}" \
- THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
- # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
- # which in turn eliminates ambiguities in variable treatment with -e.
-diff -up openssl-1.0.1j/ssl/d1_srvr.c.fips openssl-1.0.1j/ssl/d1_srvr.c
---- openssl-1.0.1j/ssl/d1_srvr.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/ssl/d1_srvr.c 2014-10-16 13:19:35.108306626 +0200
-@@ -1390,6 +1390,8 @@ int dtls1_send_server_key_exchange(SSL *
- j=0;
- for (num=2; num > 0; num--)
- {
-+ EVP_MD_CTX_set_flags(&md_ctx,
-+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- EVP_DigestInit_ex(&md_ctx,(num == 2)
- ?s->ctx->md5:s->ctx->sha1, NULL);
- EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
-diff -up openssl-1.0.1j/ssl/ssl_algs.c.fips openssl-1.0.1j/ssl/ssl_algs.c
---- openssl-1.0.1j/ssl/ssl_algs.c.fips 2014-10-15 14:53:39.000000000 +0200
-+++ openssl-1.0.1j/ssl/ssl_algs.c 2014-10-16 13:19:35.108306626 +0200
-@@ -64,6 +64,12 @@
- int SSL_library_init(void)
- {
-
-+#ifdef OPENSSL_FIPS
-+ OPENSSL_init_library();
-+ if (!FIPS_mode())
-+ {
-+#endif
-+
- #ifndef OPENSSL_NO_DES
- EVP_add_cipher(EVP_des_cbc());
- EVP_add_cipher(EVP_des_ede3_cbc());
-@@ -137,6 +143,50 @@ int SSL_library_init(void)
- EVP_add_digest(EVP_sha());
- EVP_add_digest(EVP_dss());
- #endif
-+#ifdef OPENSSL_FIPS
-+ }
-+ else
-+ {
-+#ifndef OPENSSL_NO_DES
-+ EVP_add_cipher(EVP_des_ede3_cbc());
-+#endif
-+#ifndef OPENSSL_NO_AES
-+ EVP_add_cipher(EVP_aes_128_cbc());
-+ EVP_add_cipher(EVP_aes_192_cbc());
-+ EVP_add_cipher(EVP_aes_256_cbc());
-+ EVP_add_cipher(EVP_aes_128_gcm());
-+ EVP_add_cipher(EVP_aes_256_gcm());
-+#endif
-+#ifndef OPENSSL_NO_MD5
-+ /* needed even in the FIPS mode for TLS MAC */
-+ EVP_add_digest(EVP_md5());
-+ EVP_add_digest_alias(SN_md5,"ssl2-md5");
-+ EVP_add_digest_alias(SN_md5,"ssl3-md5");
-+#endif
-+#ifndef OPENSSL_NO_SHA
-+ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
-+ EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
-+ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
-+#endif
-+#ifndef OPENSSL_NO_SHA256
-+ EVP_add_digest(EVP_sha224());
-+ EVP_add_digest(EVP_sha256());
-+#endif
-+#ifndef OPENSSL_NO_SHA512
-+ EVP_add_digest(EVP_sha384());
-+ EVP_add_digest(EVP_sha512());
-+#endif
-+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
-+ EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
-+ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
-+ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
-+ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
-+#endif
-+#ifndef OPENSSL_NO_ECDSA
-+ EVP_add_digest(EVP_ecdsa());
-+#endif
-+ }
-+#endif
- #ifndef OPENSSL_NO_COMP
- /* This will initialise the built-in compression algorithms.
- The value returned is a STACK_OF(SSL_COMP), but that can
diff --git a/openssl-1.0.2a-apps-dgst.patch b/openssl-1.0.2a-apps-dgst.patch
new file mode 100644
index 0000000..2bb8327
--- /dev/null
+++ b/openssl-1.0.2a-apps-dgst.patch
@@ -0,0 +1,110 @@
+diff -up openssl-1.0.2a/apps/ca.c.dgst openssl-1.0.2a/apps/ca.c
+--- openssl-1.0.2a/apps/ca.c.dgst 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/apps/ca.c 2015-04-21 17:01:38.841551616 +0200
+@@ -157,7 +157,7 @@ static const char *ca_usage[] = {
+ " -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n",
+ " -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n",
+ " -days arg - number of days to certify the certificate for\n",
+- " -md arg - md to use, one of md2, md5, sha or sha1\n",
++ " -md arg - md to use, see openssl dgst -h for list\n",
+ " -policy arg - The CA 'policy' to support\n",
+ " -keyfile arg - private key file\n",
+ " -keyform arg - private key file format (PEM or ENGINE)\n",
+diff -up openssl-1.0.2a/apps/enc.c.dgst openssl-1.0.2a/apps/enc.c
+--- openssl-1.0.2a/apps/enc.c.dgst 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/apps/enc.c 2015-04-21 17:01:38.841551616 +0200
+@@ -294,7 +294,7 @@ int MAIN(int argc, char **argv)
+ "%-14s the next argument is the md to use to create a key\n",
+ "-md");
+ BIO_printf(bio_err,
+- "%-14s from a passphrase. One of md2, md5, sha or sha1\n",
++ "%-14s from a passphrase. See openssl dgst -h for list.\n",
+ "");
+ BIO_printf(bio_err, "%-14s salt in hex is the next argument\n",
+ "-S");
+diff -up openssl-1.0.2a/apps/req.c.dgst openssl-1.0.2a/apps/req.c
+--- openssl-1.0.2a/apps/req.c.dgst 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/apps/req.c 2015-04-21 17:01:38.842551640 +0200
+@@ -414,7 +414,7 @@ int MAIN(int argc, char **argv)
+ " -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n");
+ #endif
+ BIO_printf(bio_err,
+- " -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
++ " -[digest] Digest to sign with (see openssl dgst -h for list)\n");
+ BIO_printf(bio_err, " -config file request template file.\n");
+ BIO_printf(bio_err,
+ " -subj arg set or modify request subject\n");
+diff -up openssl-1.0.2a/apps/ts.c.dgst openssl-1.0.2a/apps/ts.c
+--- openssl-1.0.2a/apps/ts.c.dgst 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/apps/ts.c 2015-04-21 17:01:38.842551640 +0200
+@@ -337,7 +337,7 @@ int MAIN(int argc, char **argv)
+ BIO_printf(bio_err, "usage:\n"
+ "ts -query [-rand file%cfile%c...] [-config configfile] "
+ "[-data file_to_hash] [-digest digest_bytes]"
+- "[-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] "
++ "[-<hashalg>] "
+ "[-policy object_id] [-no_nonce] [-cert] "
+ "[-in request.tsq] [-out request.tsq] [-text]\n",
+ LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
+diff -up openssl-1.0.2a/apps/x509.c.dgst openssl-1.0.2a/apps/x509.c
+--- openssl-1.0.2a/apps/x509.c.dgst 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/apps/x509.c 2015-04-21 17:01:38.842551640 +0200
+@@ -141,7 +141,7 @@ static const char *x509_usage[] = {
+ " -set_serial - serial number to use\n",
+ " -text - print the certificate in text form\n",
+ " -C - print out C code forms\n",
+- " -md2/-md5/-sha1/-mdc2 - digest to use\n",
++ " -<dgst> - digest to use, see openssl dgst -h output for list\n",
+ " -extfile - configuration file with X509V3 extensions to add\n",
+ " -extensions - section from config file with X509V3 extensions to add\n",
+ " -clrext - delete extensions before signing and input certificate\n",
+diff -up openssl-1.0.2a/doc/apps/ca.pod.dgst openssl-1.0.2a/doc/apps/ca.pod
+--- openssl-1.0.2a/doc/apps/ca.pod.dgst 2015-01-20 13:33:36.000000000 +0100
++++ openssl-1.0.2a/doc/apps/ca.pod 2015-04-21 17:01:38.842551640 +0200
+@@ -168,7 +168,8 @@ the number of days to certify the certif
+ =item B<-md alg>
+
+ the message digest to use. Possible values include md5, sha1 and mdc2.
+-This option also applies to CRLs.
++For full list of digests see openssl dgst -h output. This option also
++applies to CRLs.
+
+ =item B<-policy arg>
+
+diff -up openssl-1.0.2a/doc/apps/ocsp.pod.dgst openssl-1.0.2a/doc/apps/ocsp.pod
+--- openssl-1.0.2a/doc/apps/ocsp.pod.dgst 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/doc/apps/ocsp.pod 2015-04-21 17:01:38.842551640 +0200
+@@ -219,7 +219,8 @@ check is not performed.
+ =item B<-md5|-sha1|-sha256|-ripemod160|...>
+
+ this option sets digest algorithm to use for certificate identification
+-in the OCSP request. By default SHA-1 is used.
++in the OCSP request. By default SHA-1 is used. See openssl dgst -h output for
++the list of available algorithms.
+
+ =back
+
+diff -up openssl-1.0.2a/doc/apps/req.pod.dgst openssl-1.0.2a/doc/apps/req.pod
+--- openssl-1.0.2a/doc/apps/req.pod.dgst 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/doc/apps/req.pod 2015-04-21 17:01:38.843551664 +0200
+@@ -201,7 +201,8 @@ will not be encrypted.
+
+ this specifies the message digest to sign the request with (such as
+ B<-md5>, B<-sha1>). This overrides the digest algorithm specified in
+-the configuration file.
++the configuration file. For full list of possible digests see openssl
++dgst -h output.
+
+ Some public key algorithms may override this choice. For instance, DSA
+ signatures always use SHA1, GOST R 34.10 signatures always use
+diff -up openssl-1.0.2a/doc/apps/x509.pod.dgst openssl-1.0.2a/doc/apps/x509.pod
+--- openssl-1.0.2a/doc/apps/x509.pod.dgst 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/doc/apps/x509.pod 2015-04-21 17:01:38.843551664 +0200
+@@ -107,6 +107,7 @@ the digest to use. This affects any sign
+ digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not
+ specified then SHA1 is used. If the key being used to sign with is a DSA key
+ then this option has no effect: SHA1 is always used with DSA keys.
++For full list of digests see openssl dgst -h output.
+
+ =item B<-engine id>
+
diff --git a/openssl-1.0.2a-cc-reqs.patch b/openssl-1.0.2a-cc-reqs.patch
new file mode 100644
index 0000000..f268d62
--- /dev/null
+++ b/openssl-1.0.2a-cc-reqs.patch
@@ -0,0 +1,27 @@
+diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.0.2a/crypto/rsa/rsa_gen.c
+--- openssl-1.0.2a/crypto/rsa/rsa_gen.c.cc-reqs 2015-04-09 18:22:58.638448432 +0200
++++ openssl-1.0.2a/crypto/rsa/rsa_gen.c 2015-04-09 18:22:57.264416692 +0200
+@@ -474,6 +474,12 @@ static int rsa_builtin_keygen(RSA *rsa,
+ if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
+ goto err;
+
++ /* prepare minimum p and q difference */
++ if (!BN_one(r3))
++ goto err;
++ if (bitsp > 100 && !BN_lshift(r3, r3, bitsp - 100))
++ goto err;
++
+ BN_copy(rsa->e, e_value);
+
+ /* generate p and q */
+@@ -501,7 +507,9 @@ static int rsa_builtin_keygen(RSA *rsa,
+ do {
+ if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
+ goto err;
+- } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
++ if (!BN_sub(r2, rsa->q, rsa->p))
++ goto err;
++ } while ((BN_ucmp(r2, r3) <= 0) && (++degenerate < 3));
+ if (degenerate == 3) {
+ ok = 0; /* we set our own err */
+ RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
diff --git a/openssl-1.0.2a-chil-fixes.patch b/openssl-1.0.2a-chil-fixes.patch
new file mode 100644
index 0000000..ebd2429
--- /dev/null
+++ b/openssl-1.0.2a-chil-fixes.patch
@@ -0,0 +1,24 @@
+diff -up openssl-1.0.2a/engines/e_chil.c.chil openssl-1.0.2a/engines/e_chil.c
+--- openssl-1.0.2a/engines/e_chil.c.chil 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/engines/e_chil.c 2015-04-21 17:06:25.480293443 +0200
+@@ -1247,6 +1247,11 @@ static int hwcrhk_insert_card(const char
+ UI *ui;
+ void *callback_data = NULL;
+ UI_METHOD *ui_method = NULL;
++ /* Despite what the documentation says prompt_info can be
++ * an empty string.
++ */
++ if (prompt_info && !*prompt_info)
++ prompt_info = NULL;
+
+ if (cactx) {
+ if (cactx->ui_method)
+@@ -1268,7 +1273,7 @@ static int hwcrhk_insert_card(const char
+ ui = UI_new_method(ui_method);
+
+ if (ui) {
+- char answer;
++ char answer = '\0';
+ char buf[BUFSIZ];
+ /*
+ * Despite what the documentation says wrong_info can be an empty
diff --git a/openssl-1.0.2a-compat-symbols.patch b/openssl-1.0.2a-compat-symbols.patch
new file mode 100644
index 0000000..1e0993e
--- /dev/null
+++ b/openssl-1.0.2a-compat-symbols.patch
@@ -0,0 +1,46 @@
+diff -up openssl-1.0.2a/crypto/dsa/dsa_key.c.compat openssl-1.0.2a/crypto/dsa/dsa_key.c
+--- openssl-1.0.2a/crypto/dsa/dsa_key.c.compat 2015-04-09 18:21:11.687977858 +0200
++++ openssl-1.0.2a/crypto/dsa/dsa_key.c 2015-04-09 18:21:07.869889659 +0200
+@@ -68,6 +68,11 @@
+ # include <openssl/fips.h>
+ # include <openssl/evp.h>
+
++/* just a compatibility symbol - no-op */
++void FIPS_corrupt_dsa_keygen(void)
++{
++}
++
+ static int fips_check_dsa(DSA *dsa)
+ {
+ EVP_PKEY *pk;
+diff -up openssl-1.0.2a/crypto/engine/eng_all.c.compat openssl-1.0.2a/crypto/engine/eng_all.c
+--- openssl-1.0.2a/crypto/engine/eng_all.c.compat 2015-04-09 18:21:11.688977881 +0200
++++ openssl-1.0.2a/crypto/engine/eng_all.c 2015-04-09 18:21:09.159919459 +0200
+@@ -63,6 +63,11 @@
+ # include <openssl/fips.h>
+ #endif
+
++/* just backwards compatibility symbol - no-op */
++void ENGINE_load_aesni(void)
++{
++}
++
+ void ENGINE_load_builtin_engines(void)
+ {
+ /* Some ENGINEs need this */
+diff -up openssl-1.0.2a/crypto/fips/fips.c.compat openssl-1.0.2a/crypto/fips/fips.c
+--- openssl-1.0.2a/crypto/fips/fips.c.compat 2015-04-09 18:21:11.689977904 +0200
++++ openssl-1.0.2a/crypto/fips/fips.c 2015-04-09 18:21:09.925937154 +0200
+@@ -113,6 +113,12 @@ int FIPS_module_mode(void)
+ return ret;
+ }
+
++/* just a compat symbol - return NULL */
++const void *FIPS_rand_check(void)
++{
++ return NULL;
++}
++
+ int FIPS_selftest_failed(void)
+ {
+ int ret = 0;
diff --git a/openssl-1.0.2a-default-paths.patch b/openssl-1.0.2a-default-paths.patch
new file mode 100644
index 0000000..6e02c6d
--- /dev/null
+++ b/openssl-1.0.2a-default-paths.patch
@@ -0,0 +1,94 @@
+diff -up openssl-1.0.2a/apps/s_client.c.default-paths openssl-1.0.2a/apps/s_client.c
+--- openssl-1.0.2a/apps/s_client.c.default-paths 2015-04-20 14:48:31.462166971 +0200
++++ openssl-1.0.2a/apps/s_client.c 2015-04-20 14:52:55.125316170 +0200
+@@ -1336,19 +1336,16 @@ int MAIN(int argc, char **argv)
+
+ SSL_CTX_set_verify(ctx, verify, verify_callback);
+
+- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(ctx))) {
+- /*
+- * BIO_printf(bio_err,"error setting default verify locations\n");
+- */
+- ERR_print_errors(bio_err);
+- /* goto end; */
++ if (CAfile == NULL && CApath == NULL) {
++ if (!SSL_CTX_set_default_verify_paths(ctx)) {
++ ERR_print_errors(bio_err);
++ }
++ } else {
++ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
++ ERR_print_errors(bio_err);
++ }
+ }
+
+- ssl_ctx_add_crls(ctx, crls, crl_download);
+- if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain))
+- goto end;
+-
+ #ifndef OPENSSL_NO_TLSEXT
+ if (servername != NULL) {
+ tlsextcbp.biodebug = bio_err;
+diff -up openssl-1.0.2a/apps/s_server.c.default-paths openssl-1.0.2a/apps/s_server.c
+--- openssl-1.0.2a/apps/s_server.c.default-paths 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/apps/s_server.c 2015-04-20 14:48:31.462166971 +0200
+@@ -1768,12 +1768,16 @@ int MAIN(int argc, char *argv[])
+ }
+ #endif
+
+- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(ctx))) {
+- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
+- ERR_print_errors(bio_err);
+- /* goto end; */
++ if (CAfile == NULL && CApath == NULL) {
++ if (!SSL_CTX_set_default_verify_paths(ctx)) {
++ ERR_print_errors(bio_err);
++ }
++ } else {
++ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
++ ERR_print_errors(bio_err);
++ }
+ }
++
+ if (vpm)
+ SSL_CTX_set1_param(ctx, vpm);
+
+@@ -1830,8 +1834,10 @@ int MAIN(int argc, char *argv[])
+ else
+ SSL_CTX_sess_set_cache_size(ctx2, 128);
+
+- if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(ctx2))) {
++ if (!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) {
++ ERR_print_errors(bio_err);
++ }
++ if (!SSL_CTX_set_default_verify_paths(ctx2)) {
+ ERR_print_errors(bio_err);
+ }
+ if (vpm)
+diff -up openssl-1.0.2a/apps/s_time.c.default-paths openssl-1.0.2a/apps/s_time.c
+--- openssl-1.0.2a/apps/s_time.c.default-paths 2015-04-20 14:48:31.462166971 +0200
++++ openssl-1.0.2a/apps/s_time.c 2015-04-20 14:55:14.232542738 +0200
+@@ -381,13 +381,14 @@ int MAIN(int argc, char **argv)
+
+ SSL_load_error_strings();
+
+- if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(tm_ctx))) {
+- /*
+- * BIO_printf(bio_err,"error setting default verify locations\n");
+- */
+- ERR_print_errors(bio_err);
+- /* goto end; */
++ if (CAfile == NULL && CApath == NULL) {
++ if (!SSL_CTX_set_default_verify_paths(tm_ctx)) {
++ ERR_print_errors(bio_err);
++ }
++ } else {
++ if (!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) {
++ ERR_print_errors(bio_err);
++ }
+ }
+
+ if (tm_cipher == NULL)
diff --git a/openssl-1.0.2a-defaults.patch b/openssl-1.0.2a-defaults.patch
new file mode 100644
index 0000000..315a9b0
--- /dev/null
+++ b/openssl-1.0.2a-defaults.patch
@@ -0,0 +1,60 @@
+diff -up openssl-1.0.2a/apps/openssl.cnf.defaults openssl-1.0.2a/apps/openssl.cnf
+--- openssl-1.0.2a/apps/openssl.cnf.defaults 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/apps/openssl.cnf 2015-04-20 14:37:10.112271850 +0200
+@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi
+
+ default_days = 365 # how long to certify for
+ default_crl_days= 30 # how long before next CRL
+-default_md = default # use public key default MD
++default_md = sha256 # use SHA-256 by default
+ preserve = no # keep passed DN ordering
+
+ # A few difference way of specifying how similar the request should look
+@@ -104,6 +104,7 @@ emailAddress = optional
+ ####################################################################
+ [ req ]
+ default_bits = 2048
++default_md = sha256
+ default_keyfile = privkey.pem
+ distinguished_name = req_distinguished_name
+ attributes = req_attributes
+@@ -126,17 +127,18 @@ string_mask = utf8only
+
+ [ req_distinguished_name ]
+ countryName = Country Name (2 letter code)
+-countryName_default = AU
++countryName_default = XX
+ countryName_min = 2
+ countryName_max = 2
+
+ stateOrProvinceName = State or Province Name (full name)
+-stateOrProvinceName_default = Some-State
++#stateOrProvinceName_default = Default Province
+
+ localityName = Locality Name (eg, city)
++localityName_default = Default City
+
+ 0.organizationName = Organization Name (eg, company)
+-0.organizationName_default = Internet Widgits Pty Ltd
++0.organizationName_default = Default Company Ltd
+
+ # we can do this but it is not needed normally :-)
+ #1.organizationName = Second Organization Name (eg, company)
+@@ -145,7 +147,7 @@ localityName = Locality Name (eg, city
+ organizationalUnitName = Organizational Unit Name (eg, section)
+ #organizationalUnitName_default =
+
+-commonName = Common Name (e.g. server FQDN or YOUR name)
++commonName = Common Name (eg, your name or your server\'s hostname)
+ commonName_max = 64
+
+ emailAddress = Email Address
+@@ -339,7 +341,7 @@ signer_key = $dir/private/tsakey.pem # T
+ default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+ other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+-digests = md5, sha1 # Acceptable message digests (mandatory)
++digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+ accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+ clock_precision_digits = 0 # number of digits after dot. (optional)
+ ordering = yes # Is ordering defined for timestamps?
diff --git a/openssl-1.0.2a-dh-1024.patch b/openssl-1.0.2a-dh-1024.patch
new file mode 100644
index 0000000..67d3171
--- /dev/null
+++ b/openssl-1.0.2a-dh-1024.patch
@@ -0,0 +1,75 @@
+diff -up openssl-1.0.2a/apps/s_server.c.dh1024 openssl-1.0.2a/apps/s_server.c
+--- openssl-1.0.2a/apps/s_server.c.dh1024 2015-04-09 18:19:55.978228949 +0200
++++ openssl-1.0.2a/apps/s_server.c 2015-04-09 18:19:50.842110304 +0200
+@@ -230,29 +230,44 @@ static void s_server_init(void);
+ #endif
+
+ #ifndef OPENSSL_NO_DH
+-static unsigned char dh512_p[] = {
+- 0xDA, 0x58, 0x3C, 0x16, 0xD9, 0x85, 0x22, 0x89, 0xD0, 0xE4, 0xAF, 0x75,
+- 0x6F, 0x4C, 0xCA, 0x92, 0xDD, 0x4B, 0xE5, 0x33, 0xB8, 0x04, 0xFB, 0x0F,
+- 0xED, 0x94, 0xEF, 0x9C, 0x8A, 0x44, 0x03, 0xED, 0x57, 0x46, 0x50, 0xD3,
+- 0x69, 0x99, 0xDB, 0x29, 0xD7, 0x76, 0x27, 0x6B, 0xA2, 0xD3, 0xD4, 0x12,
+- 0xE2, 0x18, 0xF4, 0xDD, 0x1E, 0x08, 0x4C, 0xF6, 0xD8, 0x00, 0x3E, 0x7C,
+- 0x47, 0x74, 0xE8, 0x33,
+-};
+-
+-static unsigned char dh512_g[] = {
+- 0x02,
+-};
+-
+-static DH *get_dh512(void)
++static DH *get_dh1024()
+ {
+- DH *dh = NULL;
++ static unsigned char dh1024_p[] = {
++ 0x99, 0x58, 0xFA, 0x90, 0x53, 0x2F, 0xE0, 0x61, 0x83, 0x9D, 0x54,
++ 0x63,
++ 0xBD, 0x35, 0x5A, 0x31, 0xF3, 0xC6, 0x79, 0xE5, 0xA0, 0x0F, 0x66,
++ 0x79,
++ 0x3C, 0xA0, 0x7F, 0xE8, 0xA2, 0x5F, 0xDF, 0x11, 0x08, 0xA3, 0xF0,
++ 0x3C,
++ 0xC3, 0x3C, 0x5D, 0x50, 0x2C, 0xD5, 0xD6, 0x58, 0x12, 0xDB, 0xC1,
++ 0xEF,
++ 0xB4, 0x47, 0x4A, 0x5A, 0x39, 0x8A, 0x4E, 0xEB, 0x44, 0xE2, 0x07,
++ 0xFB,
++ 0x3D, 0xA3, 0xC7, 0x6E, 0x52, 0xF3, 0x2B, 0x7B, 0x10, 0xA5, 0x98,
++ 0xE3,
++ 0x38, 0x2A, 0xE2, 0x7F, 0xA4, 0x8F, 0x26, 0x87, 0x9B, 0x66, 0x7A,
++ 0xED,
++ 0x2D, 0x4C, 0xE7, 0x33, 0x77, 0x47, 0x94, 0x43, 0xB6, 0xAA, 0x97,
++ 0x23,
++ 0x8A, 0xFC, 0xA5, 0xA6, 0x64, 0x09, 0xC0, 0x27, 0xC0, 0xEF, 0xCB,
++ 0x05,
++ 0x90, 0x9D, 0xD5, 0x75, 0xBA, 0x00, 0xE0, 0xFB, 0xA8, 0x81, 0x52,
++ 0xA4,
++ 0xB2, 0x83, 0x22, 0x5B, 0xCB, 0xD7, 0x16, 0x93,
++ };
++ static unsigned char dh1024_g[] = {
++ 0x02,
++ };
++ DH *dh;
+
+ if ((dh = DH_new()) == NULL)
+ return (NULL);
+- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
+- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
+- if ((dh->p == NULL) || (dh->g == NULL))
++ dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
++ dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
++ if ((dh->p == NULL) || (dh->g == NULL)) {
++ DH_free(dh);
+ return (NULL);
++ }
+ return (dh);
+ }
+ #endif
+@@ -1872,7 +1987,7 @@ int MAIN(int argc, char *argv[])
+ BIO_printf(bio_s_out, "Setting temp DH parameters\n");
+ } else {
+ BIO_printf(bio_s_out, "Using default temp DH parameters\n");
+- dh = get_dh512();
++ dh = get_dh1024();
+ }
+ (void)BIO_flush(bio_s_out);
+
diff --git a/openssl-1.0.2a-disable-sslv2v3.patch b/openssl-1.0.2a-disable-sslv2v3.patch
new file mode 100644
index 0000000..9cb018f
--- /dev/null
+++ b/openssl-1.0.2a-disable-sslv2v3.patch
@@ -0,0 +1,13 @@
+diff -up openssl-1.0.2a/ssl/ssl_lib.c.v2v3 openssl-1.0.2a/ssl/ssl_lib.c
+--- openssl-1.0.2a/ssl/ssl_lib.c.v2v3 2015-04-22 15:37:15.974345757 +0200
++++ openssl-1.0.2a/ssl/ssl_lib.c 2015-04-22 15:39:39.114782365 +0200
+@@ -2048,6 +2048,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+ */
+ ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
+
++ /* Disable SSLv2 and SSLv3 by default (affects the SSLv23_method() only) */
++ ret->options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
++
+ return (ret);
+ err:
+ SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
diff --git a/openssl-1.0.2a-dtls1-abi.patch b/openssl-1.0.2a-dtls1-abi.patch
new file mode 100644
index 0000000..a6a79d7
--- /dev/null
+++ b/openssl-1.0.2a-dtls1-abi.patch
@@ -0,0 +1,23 @@
+diff -up openssl-1.0.2a/ssl/dtls1.h.dtls1-abi openssl-1.0.2a/ssl/dtls1.h
+--- openssl-1.0.2a/ssl/dtls1.h.dtls1-abi 2015-04-21 10:49:57.984781143 +0200
++++ openssl-1.0.2a/ssl/dtls1.h 2015-04-21 16:41:37.835164264 +0200
+@@ -214,9 +214,6 @@ typedef struct dtls1_state_st {
+ * loss.
+ */
+ record_pqueue buffered_app_data;
+- /* Is set when listening for new connections with dtls1_listen() */
+- unsigned int listen;
+- unsigned int link_mtu; /* max on-the-wire DTLS packet size */
+ unsigned int mtu; /* max DTLS packet size */
+ struct hm_header_st w_msg_hdr;
+ struct hm_header_st r_msg_hdr;
+@@ -241,6 +238,9 @@ typedef struct dtls1_state_st {
+ * Cleared after the message has been processed.
+ */
+ unsigned int change_cipher_spec_ok;
++ /* Is set when listening for new connections with dtls1_listen() */
++ unsigned int listen;
++ unsigned int link_mtu; /* max on-the-wire DTLS packet size */
+ # ifndef OPENSSL_NO_SCTP
+ /* used when SSL_ST_XX_FLUSH is entered */
+ int next_state;
diff --git a/openssl-1.0.2a-ecc-suiteb.patch b/openssl-1.0.2a-ecc-suiteb.patch
new file mode 100644
index 0000000..5b27fdc
--- /dev/null
+++ b/openssl-1.0.2a-ecc-suiteb.patch
@@ -0,0 +1,199 @@
+diff -up openssl-1.0.2a/apps/speed.c.suiteb openssl-1.0.2a/apps/speed.c
+--- openssl-1.0.2a/apps/speed.c.suiteb 2015-04-21 17:46:15.452321183 +0200
++++ openssl-1.0.2a/apps/speed.c 2015-04-22 14:52:45.362272296 +0200
+@@ -996,78 +996,26 @@ int MAIN(int argc, char **argv)
+ } else
+ # endif
+ # ifndef OPENSSL_NO_ECDSA
+- if (strcmp(*argv, "ecdsap160") == 0)
+- ecdsa_doit[R_EC_P160] = 2;
+- else if (strcmp(*argv, "ecdsap192") == 0)
+- ecdsa_doit[R_EC_P192] = 2;
+- else if (strcmp(*argv, "ecdsap224") == 0)
+- ecdsa_doit[R_EC_P224] = 2;
+- else if (strcmp(*argv, "ecdsap256") == 0)
++ if (strcmp(*argv, "ecdsap256") == 0)
+ ecdsa_doit[R_EC_P256] = 2;
+ else if (strcmp(*argv, "ecdsap384") == 0)
+ ecdsa_doit[R_EC_P384] = 2;
+ else if (strcmp(*argv, "ecdsap521") == 0)
+ ecdsa_doit[R_EC_P521] = 2;
+- else if (strcmp(*argv, "ecdsak163") == 0)
+- ecdsa_doit[R_EC_K163] = 2;
+- else if (strcmp(*argv, "ecdsak233") == 0)
+- ecdsa_doit[R_EC_K233] = 2;
+- else if (strcmp(*argv, "ecdsak283") == 0)
+- ecdsa_doit[R_EC_K283] = 2;
+- else if (strcmp(*argv, "ecdsak409") == 0)
+- ecdsa_doit[R_EC_K409] = 2;
+- else if (strcmp(*argv, "ecdsak571") == 0)
+- ecdsa_doit[R_EC_K571] = 2;
+- else if (strcmp(*argv, "ecdsab163") == 0)
+- ecdsa_doit[R_EC_B163] = 2;
+- else if (strcmp(*argv, "ecdsab233") == 0)
+- ecdsa_doit[R_EC_B233] = 2;
+- else if (strcmp(*argv, "ecdsab283") == 0)
+- ecdsa_doit[R_EC_B283] = 2;
+- else if (strcmp(*argv, "ecdsab409") == 0)
+- ecdsa_doit[R_EC_B409] = 2;
+- else if (strcmp(*argv, "ecdsab571") == 0)
+- ecdsa_doit[R_EC_B571] = 2;
+ else if (strcmp(*argv, "ecdsa") == 0) {
+- for (i = 0; i < EC_NUM; i++)
++ for (i = R_EC_P256; i <= R_EC_P521; i++)
+ ecdsa_doit[i] = 1;
+ } else
+ # endif
+ # ifndef OPENSSL_NO_ECDH
+- if (strcmp(*argv, "ecdhp160") == 0)
+- ecdh_doit[R_EC_P160] = 2;
+- else if (strcmp(*argv, "ecdhp192") == 0)
+- ecdh_doit[R_EC_P192] = 2;
+- else if (strcmp(*argv, "ecdhp224") == 0)
+- ecdh_doit[R_EC_P224] = 2;
+- else if (strcmp(*argv, "ecdhp256") == 0)
++ if (strcmp(*argv, "ecdhp256") == 0)
+ ecdh_doit[R_EC_P256] = 2;
+ else if (strcmp(*argv, "ecdhp384") == 0)
+ ecdh_doit[R_EC_P384] = 2;
+ else if (strcmp(*argv, "ecdhp521") == 0)
+ ecdh_doit[R_EC_P521] = 2;
+- else if (strcmp(*argv, "ecdhk163") == 0)
+- ecdh_doit[R_EC_K163] = 2;
+- else if (strcmp(*argv, "ecdhk233") == 0)
+- ecdh_doit[R_EC_K233] = 2;
+- else if (strcmp(*argv, "ecdhk283") == 0)
+- ecdh_doit[R_EC_K283] = 2;
+- else if (strcmp(*argv, "ecdhk409") == 0)
+- ecdh_doit[R_EC_K409] = 2;
+- else if (strcmp(*argv, "ecdhk571") == 0)
+- ecdh_doit[R_EC_K571] = 2;
+- else if (strcmp(*argv, "ecdhb163") == 0)
+- ecdh_doit[R_EC_B163] = 2;
+- else if (strcmp(*argv, "ecdhb233") == 0)
+- ecdh_doit[R_EC_B233] = 2;
+- else if (strcmp(*argv, "ecdhb283") == 0)
+- ecdh_doit[R_EC_B283] = 2;
+- else if (strcmp(*argv, "ecdhb409") == 0)
+- ecdh_doit[R_EC_B409] = 2;
+- else if (strcmp(*argv, "ecdhb571") == 0)
+- ecdh_doit[R_EC_B571] = 2;
+ else if (strcmp(*argv, "ecdh") == 0) {
+- for (i = 0; i < EC_NUM; i++)
++ for (i = R_EC_P256; i <= R_EC_P521; i++)
+ ecdh_doit[i] = 1;
+ } else
+ # endif
+@@ -1156,21 +1104,11 @@ int MAIN(int argc, char **argv)
+ BIO_printf(bio_err, "dsa512 dsa1024 dsa2048\n");
+ # endif
+ # ifndef OPENSSL_NO_ECDSA
+- BIO_printf(bio_err, "ecdsap160 ecdsap192 ecdsap224 "
+- "ecdsap256 ecdsap384 ecdsap521\n");
+- BIO_printf(bio_err,
+- "ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n");
+- BIO_printf(bio_err,
+- "ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n");
++ BIO_printf(bio_err, "ecdsap256 ecdsap384 ecdsap521\n");
+ BIO_printf(bio_err, "ecdsa\n");
+ # endif
+ # ifndef OPENSSL_NO_ECDH
+- BIO_printf(bio_err, "ecdhp160 ecdhp192 ecdhp224 "
+- "ecdhp256 ecdhp384 ecdhp521\n");
+- BIO_printf(bio_err,
+- "ecdhk163 ecdhk233 ecdhk283 ecdhk409 ecdhk571\n");
+- BIO_printf(bio_err,
+- "ecdhb163 ecdhb233 ecdhb283 ecdhb409 ecdhb571\n");
++ BIO_printf(bio_err, "ecdhp256 ecdhp384 ecdhp521\n");
+ BIO_printf(bio_err, "ecdh\n");
+ # endif
+
+@@ -1255,11 +1193,11 @@ int MAIN(int argc, char **argv)
+ if (!FIPS_mode() || i != R_DSA_512)
+ dsa_doit[i] = 1;
+ # ifndef OPENSSL_NO_ECDSA
+- for (i = 0; i < EC_NUM; i++)
++ for (i = R_EC_P256; i <= R_EC_P521; i++)
+ ecdsa_doit[i] = 1;
+ # endif
+ # ifndef OPENSSL_NO_ECDH
+- for (i = 0; i < EC_NUM; i++)
++ for (i = R_EC_P256; i <= R_EC_P521; i++)
+ ecdh_doit[i] = 1;
+ # endif
+ }
+diff -up openssl-1.0.2a/ssl/t1_lib.c.suiteb openssl-1.0.2a/ssl/t1_lib.c
+--- openssl-1.0.2a/ssl/t1_lib.c.suiteb 2015-04-21 17:46:15.506322451 +0200
++++ openssl-1.0.2a/ssl/t1_lib.c 2015-04-22 15:03:32.464591096 +0200
+@@ -266,41 +266,30 @@ static const unsigned char eccurves_defa
+ 0, 13, /* sect571k1 (13) */
+ # endif
+ 0, 25, /* secp521r1 (25) */
+- 0, 28, /* brainpool512r1 (28) */
+ # ifndef OPENSSL_NO_EC2M
+ 0, 11, /* sect409k1 (11) */
+ 0, 12, /* sect409r1 (12) */
+ # endif
+- 0, 27, /* brainpoolP384r1 (27) */
+ 0, 24, /* secp384r1 (24) */
+ # ifndef OPENSSL_NO_EC2M
+ 0, 9, /* sect283k1 (9) */
+ 0, 10, /* sect283r1 (10) */
+ # endif
+- 0, 26, /* brainpoolP256r1 (26) */
+- 0, 22, /* secp256k1 (22) */
+ 0, 23, /* secp256r1 (23) */
+ # ifndef OPENSSL_NO_EC2M
+ 0, 8, /* sect239k1 (8) */
+ 0, 6, /* sect233k1 (6) */
+ 0, 7, /* sect233r1 (7) */
+ # endif
+- 0, 20, /* secp224k1 (20) */
+- 0, 21, /* secp224r1 (21) */
+ # ifndef OPENSSL_NO_EC2M
+ 0, 4, /* sect193r1 (4) */
+ 0, 5, /* sect193r2 (5) */
+ # endif
+- 0, 18, /* secp192k1 (18) */
+- 0, 19, /* secp192r1 (19) */
+ # ifndef OPENSSL_NO_EC2M
+ 0, 1, /* sect163k1 (1) */
+ 0, 2, /* sect163r1 (2) */
+ 0, 3, /* sect163r2 (3) */
+ # endif
+- 0, 15, /* secp160k1 (15) */
+- 0, 16, /* secp160r1 (16) */
+- 0, 17, /* secp160r2 (17) */
+ };
+
+ static const unsigned char suiteb_curves[] = {
+@@ -325,29 +314,21 @@ static const unsigned char fips_curves_d
+ 0, 9, /* sect283k1 (9) */
+ 0, 10, /* sect283r1 (10) */
+ # endif
+- 0, 22, /* secp256k1 (22) */
+ 0, 23, /* secp256r1 (23) */
+ # ifndef OPENSSL_NO_EC2M
+ 0, 8, /* sect239k1 (8) */
+ 0, 6, /* sect233k1 (6) */
+ 0, 7, /* sect233r1 (7) */
+ # endif
+- 0, 20, /* secp224k1 (20) */
+- 0, 21, /* secp224r1 (21) */
+ # ifndef OPENSSL_NO_EC2M
+ 0, 4, /* sect193r1 (4) */
+ 0, 5, /* sect193r2 (5) */
+ # endif
+- 0, 18, /* secp192k1 (18) */
+- 0, 19, /* secp192r1 (19) */
+ # ifndef OPENSSL_NO_EC2M
+ 0, 1, /* sect163k1 (1) */
+ 0, 2, /* sect163r1 (2) */
+ 0, 3, /* sect163r2 (3) */
+ # endif
+- 0, 15, /* secp160k1 (15) */
+- 0, 16, /* secp160r1 (16) */
+- 0, 17, /* secp160r2 (17) */
+ };
+ # endif
+
diff --git a/openssl-1.0.2a-enc-fail.patch b/openssl-1.0.2a-enc-fail.patch
new file mode 100644
index 0000000..1dac66d
--- /dev/null
+++ b/openssl-1.0.2a-enc-fail.patch
@@ -0,0 +1,61 @@
+diff -up openssl-1.0.2a/crypto/evp/bio_enc.c.enc-fail openssl-1.0.2a/crypto/evp/bio_enc.c
+--- openssl-1.0.2a/crypto/evp/bio_enc.c.enc-fail 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/evp/bio_enc.c 2015-04-22 18:10:06.491819948 +0200
+@@ -201,10 +201,14 @@ static int enc_read(BIO *b, char *out, i
+ break;
+ }
+ } else {
+- EVP_CipherUpdate(&(ctx->cipher),
+- (unsigned char *)ctx->buf, &ctx->buf_len,
+- (unsigned char *)&(ctx->buf[BUF_OFFSET]), i);
+- ctx->cont = 1;
++ if (!EVP_CipherUpdate(&(ctx->cipher),
++ (unsigned char *)ctx->buf, &ctx->buf_len,
++ (unsigned char *)&(ctx->buf[BUF_OFFSET]),
++ i)) {
++ ctx->ok = 0;
++ ctx->cont = 0;
++ } else
++ ctx->cont = 1;
+ /*
+ * Note: it is possible for EVP_CipherUpdate to decrypt zero
+ * bytes because this is or looks like the final block: if this
+@@ -260,9 +264,13 @@ static int enc_write(BIO *b, const char
+ ctx->buf_off = 0;
+ while (inl > 0) {
+ n = (inl > ENC_BLOCK_SIZE) ? ENC_BLOCK_SIZE : inl;
+- EVP_CipherUpdate(&(ctx->cipher),
+- (unsigned char *)ctx->buf, &ctx->buf_len,
+- (unsigned char *)in, n);
++ if (!EVP_CipherUpdate(&(ctx->cipher),
++ (unsigned char *)ctx->buf, &ctx->buf_len,
++ (unsigned char *)in, n)) {
++ BIO_copy_next_retry(b);
++ ctx->ok = 0;
++ return ret - inl;
++ }
+ inl -= n;
+ in += n;
+
+@@ -298,8 +306,9 @@ static long enc_ctrl(BIO *b, int cmd, lo
+ case BIO_CTRL_RESET:
+ ctx->ok = 1;
+ ctx->finished = 0;
+- EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
+- ctx->cipher.encrypt);
++ if (!EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
++ ctx->cipher.encrypt))
++ ctx->ok = 0;
+ ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
+ break;
+ case BIO_CTRL_EOF: /* More to read */
+@@ -421,7 +430,8 @@ void BIO_set_cipher(BIO *b, const EVP_CI
+
+ b->init = 1;
+ ctx = (BIO_ENC_CTX *)b->ptr;
+- EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e);
++ if (!EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e))
++ ctx->ok = 0;
+
+ if (b->callback != NULL)
+ b->callback(b, BIO_CB_CTRL, (const char *)c, BIO_CTRL_SET, e, 1L);
diff --git a/openssl-1.0.2a-enginesdir.patch b/openssl-1.0.2a-enginesdir.patch
new file mode 100644
index 0000000..10baf5a
--- /dev/null
+++ b/openssl-1.0.2a-enginesdir.patch
@@ -0,0 +1,52 @@
+diff -up openssl-1.0.2a/Configure.enginesdir openssl-1.0.2a/Configure
+--- openssl-1.0.2a/Configure.enginesdir 2015-04-20 14:37:58.137392222 +0200
++++ openssl-1.0.2a/Configure 2015-04-20 14:37:58.140392292 +0200
+@@ -702,6 +702,7 @@ my $idx_multilib = $idx++;
+ my $prefix="";
+ my $libdir="";
+ my $openssldir="";
++my $enginesdir="";
+ my $exe_ext="";
+ my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
+ my $cross_compile_prefix="";
+@@ -929,6 +930,10 @@ PROCESS_ARGS:
+ {
+ $openssldir=$1;
+ }
++ elsif (/^--enginesdir=(.*)$/)
++ {
++ $enginesdir=$1;
++ }
+ elsif (/^--install.prefix=(.*)$/)
+ {
+ $install_prefix=$1;
+@@ -1185,7 +1190,7 @@ chop $prefix if $prefix =~ /.\/$/;
+
+ $openssldir=$prefix . "/ssl" if $openssldir eq "";
+ $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
+-
++$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
+
+ print "IsMK1MF=$IsMK1MF\n";
+
+@@ -1871,7 +1876,7 @@ while (<IN>)
+ }
+ elsif (/^#define\s+ENGINESDIR/)
+ {
+- my $foo = "$prefix/$libdir/engines";
++ my $foo = "$enginesdir";
+ $foo =~ s/\\/\\\\/g;
+ print OUT "#define ENGINESDIR \"$foo\"\n";
+ }
+diff -up openssl-1.0.2a/engines/Makefile.enginesdir openssl-1.0.2a/engines/Makefile
+--- openssl-1.0.2a/engines/Makefile.enginesdir 2015-04-20 14:37:58.140392292 +0200
++++ openssl-1.0.2a/engines/Makefile 2015-04-20 14:40:15.570598383 +0200
+@@ -124,7 +124,7 @@ install:
+ esac; \
+ cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
+ fi; \
+- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
++ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
+ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
+ done; \
+ fi
diff --git a/openssl-1.0.2a-env-zlib.patch b/openssl-1.0.2a-env-zlib.patch
new file mode 100644
index 0000000..328079b
--- /dev/null
+++ b/openssl-1.0.2a-env-zlib.patch
@@ -0,0 +1,39 @@
+diff -up openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod
+--- openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib 2015-04-09 18:17:20.509637597 +0200
++++ openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod 2015-04-09 18:17:14.767504953 +0200
+@@ -47,6 +47,13 @@ Once the identities of the compression m
+ been standardized, the compression API will most likely be changed. Using
+ it in the current state is not recommended.
+
++It is also not recommended to use compression if data transfered contain
++untrusted parts that can be manipulated by an attacker as he could then
++get information about the encrypted data. See the CRIME attack. For
++that reason the default loading of the zlib compression method is
++disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB>
++is present during the library initialization.
++
+ =head1 RETURN VALUES
+
+ SSL_COMP_add_compression_method() may return the following values:
+diff -up openssl-1.0.2a/ssl/ssl_ciph.c.env-zlib openssl-1.0.2a/ssl/ssl_ciph.c
+--- openssl-1.0.2a/ssl/ssl_ciph.c.env-zlib 2015-04-09 18:17:20.510637620 +0200
++++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-04-09 18:17:20.264631937 +0200
+@@ -140,6 +140,8 @@
+ * OTHERWISE.
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include <openssl/objects.h>
+ #ifndef OPENSSL_NO_COMP
+@@ -450,7 +452,8 @@ static void load_builtin_compressions(vo
+
+ MemCheck_off();
+ ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
+- if (ssl_comp_methods != NULL) {
++ if (ssl_comp_methods != NULL
++ && secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL) {
+ comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+ if (comp != NULL) {
+ comp->method = COMP_zlib();
diff --git a/openssl-1.0.2a-fips-ctor.patch b/openssl-1.0.2a-fips-ctor.patch
new file mode 100644
index 0000000..65f652c
--- /dev/null
+++ b/openssl-1.0.2a-fips-ctor.patch
@@ -0,0 +1,174 @@
+diff -up openssl-1.0.2a/crypto/fips/fips.c.fips-ctor openssl-1.0.2a/crypto/fips/fips.c
+--- openssl-1.0.2a/crypto/fips/fips.c.fips-ctor 2015-04-21 17:42:18.702765856 +0200
++++ openssl-1.0.2a/crypto/fips/fips.c 2015-04-21 17:42:18.742766794 +0200
+@@ -60,6 +60,8 @@
+ #include <dlfcn.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <unistd.h>
++#include <errno.h>
+ #include "fips_locl.h"
+
+ #ifdef OPENSSL_FIPS
+@@ -201,7 +203,9 @@ static char *bin2hex(void *buf, size_t l
+ }
+
+ # define HMAC_PREFIX "."
+-# define HMAC_SUFFIX ".hmac"
++# ifndef HMAC_SUFFIX
++# define HMAC_SUFFIX ".hmac"
++# endif
+ # define READ_BUFFER_LENGTH 16384
+
+ static char *make_hmac_path(const char *origpath)
+@@ -279,20 +283,14 @@ static int compute_file_hmac(const char
+ return rv;
+ }
+
+-static int FIPSCHECK_verify(const char *libname, const char *symbolname)
++static int FIPSCHECK_verify(const char *path)
+ {
+- char path[PATH_MAX + 1];
+- int rv;
++ int rv = 0;
+ FILE *hf;
+ char *hmacpath, *p;
+ char *hmac = NULL;
+ size_t n;
+
+- rv = get_library_path(libname, symbolname, path, sizeof(path));
+-
+- if (rv < 0)
+- return 0;
+-
+ hmacpath = make_hmac_path(path);
+ if (hmacpath == NULL)
+ return 0;
+@@ -343,6 +341,51 @@ static int FIPSCHECK_verify(const char *
+ return 1;
+ }
+
++static int verify_checksums(void)
++{
++ int rv;
++ char path[PATH_MAX + 1];
++ char *p;
++
++ /* we need to avoid dlopening libssl, assume both libcrypto and libssl
++ are in the same directory */
++
++ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER,
++ "FIPS_mode_set", path, sizeof(path));
++ if (rv < 0)
++ return 0;
++
++ rv = FIPSCHECK_verify(path);
++ if (!rv)
++ return 0;
++
++ /* replace libcrypto with libssl */
++ while ((p = strstr(path, "libcrypto.so")) != NULL) {
++ p = stpcpy(p, "libssl");
++ memmove(p, p + 3, strlen(p + 2));
++ }
++
++ rv = FIPSCHECK_verify(path);
++ if (!rv)
++ return 0;
++ return 1;
++}
++
++# ifndef FIPS_MODULE_PATH
++# define FIPS_MODULE_PATH "/etc/system-fips"
++# endif
++
++int FIPS_module_installed(void)
++{
++ int rv;
++ rv = access(FIPS_MODULE_PATH, F_OK);
++ if (rv < 0 && errno != ENOENT)
++ rv = 0;
++
++ /* Installed == true */
++ return !rv;
++}
++
+ int FIPS_module_mode_set(int onoff, const char *auth)
+ {
+ int ret = 0;
+@@ -380,17 +423,7 @@ int FIPS_module_mode_set(int onoff, cons
+ }
+ # endif
+
+- if (!FIPSCHECK_verify
+- ("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set")) {
+- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
+- FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+- fips_selftest_fail = 1;
+- ret = 0;
+- goto end;
+- }
+-
+- if (!FIPSCHECK_verify
+- ("libssl.so." SHLIB_VERSION_NUMBER, "SSL_CTX_new")) {
++ if (!verify_checksums()) {
+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
+ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+ fips_selftest_fail = 1;
+diff -up openssl-1.0.2a/crypto/fips/fips.h.fips-ctor openssl-1.0.2a/crypto/fips/fips.h
+--- openssl-1.0.2a/crypto/fips/fips.h.fips-ctor 2015-04-21 17:42:18.739766724 +0200
++++ openssl-1.0.2a/crypto/fips/fips.h 2015-04-21 17:42:18.743766818 +0200
+@@ -74,6 +74,7 @@ extern "C" {
+
+ int FIPS_module_mode_set(int onoff, const char *auth);
+ int FIPS_module_mode(void);
++ int FIPS_module_installed(void);
+ const void *FIPS_rand_check(void);
+ int FIPS_selftest(void);
+ int FIPS_selftest_failed(void);
+diff -up openssl-1.0.2a/crypto/o_init.c.fips-ctor openssl-1.0.2a/crypto/o_init.c
+--- openssl-1.0.2a/crypto/o_init.c.fips-ctor 2015-04-21 17:42:18.732766559 +0200
++++ openssl-1.0.2a/crypto/o_init.c 2015-04-21 17:45:02.662613173 +0200
+@@ -74,6 +74,9 @@ static void init_fips_mode(void)
+ char buf[2] = "0";
+ int fd;
+
++ /* Ensure the selftests always run */
++ FIPS_mode_set(1);
++
+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
+ buf[0] = '1';
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
+@@ -85,8 +88,12 @@ static void init_fips_mode(void)
+ * otherwise..
+ */
+
+- if (buf[0] == '1') {
+- FIPS_mode_set(1);
++ if (buf[0] != '1') {
++ /* drop down to non-FIPS mode if it is not requested */
++ FIPS_mode_set(0);
++ } else {
++ /* abort if selftest failed */
++ FIPS_selftest_check();
+ }
+ }
+ #endif
+@@ -96,13 +103,16 @@ static void init_fips_mode(void)
+ * sets FIPS callbacks
+ */
+
+-void OPENSSL_init_library(void)
++void __attribute__ ((constructor)) OPENSSL_init_library(void)
+ {
+ static int done = 0;
+ if (done)
+ return;
+ done = 1;
+ #ifdef OPENSSL_FIPS
++ if (!FIPS_module_installed()) {
++ return;
++ }
+ RAND_init_fips();
+ init_fips_mode();
+ if (!FIPS_mode()) {
diff --git a/openssl-1.0.2a-fips-ec.patch b/openssl-1.0.2a-fips-ec.patch
new file mode 100644
index 0000000..e42f4a1
--- /dev/null
+++ b/openssl-1.0.2a-fips-ec.patch
@@ -0,0 +1,1929 @@
+diff -up openssl-1.0.2a/crypto/ecdh/ecdhtest.c.fips-ec openssl-1.0.2a/crypto/ecdh/ecdhtest.c
+--- openssl-1.0.2a/crypto/ecdh/ecdhtest.c.fips-ec 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/ecdh/ecdhtest.c 2015-04-22 19:00:19.721884512 +0200
+@@ -501,11 +501,13 @@ int main(int argc, char *argv[])
+ goto err;
+
+ /* NIST PRIME CURVES TESTS */
++# if 0
+ if (!test_ecdh_curve
+ (NID_X9_62_prime192v1, "NIST Prime-Curve P-192", ctx, out))
+ goto err;
+ if (!test_ecdh_curve(NID_secp224r1, "NIST Prime-Curve P-224", ctx, out))
+ goto err;
++# endif
+ if (!test_ecdh_curve
+ (NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out))
+ goto err;
+@@ -536,13 +538,14 @@ int main(int argc, char *argv[])
+ if (!test_ecdh_curve(NID_sect571r1, "NIST Binary-Curve B-571", ctx, out))
+ goto err;
+ # endif
++# if 0
+ if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP256r1", 256))
+ goto err;
+ if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP384r1", 384))
+ goto err;
+ if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP512r1", 512))
+ goto err;
+-
++# endif
+ ret = 0;
+
+ err:
+diff -up openssl-1.0.2a/crypto/ecdh/ech_lib.c.fips-ec openssl-1.0.2a/crypto/ecdh/ech_lib.c
+--- openssl-1.0.2a/crypto/ecdh/ech_lib.c.fips-ec 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/ecdh/ech_lib.c 2015-04-22 19:00:19.721884512 +0200
+@@ -93,14 +93,7 @@ void ECDH_set_default_method(const ECDH_
+ const ECDH_METHOD *ECDH_get_default_method(void)
+ {
+ if (!default_ECDH_method) {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_ecdh_openssl();
+- else
+- return ECDH_OpenSSL();
+-#else
+ default_ECDH_method = ECDH_OpenSSL();
+-#endif
+ }
+ return default_ECDH_method;
+ }
+diff -up openssl-1.0.2a/crypto/ecdh/ech_ossl.c.fips-ec openssl-1.0.2a/crypto/ecdh/ech_ossl.c
+--- openssl-1.0.2a/crypto/ecdh/ech_ossl.c.fips-ec 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/ecdh/ech_ossl.c 2015-04-22 19:00:19.722884536 +0200
+@@ -78,6 +78,10 @@
+ #include <openssl/obj_mac.h>
+ #include <openssl/bn.h>
+
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++
+ static int ecdh_compute_key(void *out, size_t len, const EC_POINT *pub_key,
+ EC_KEY *ecdh,
+ void *(*KDF) (const void *in, size_t inlen,
+@@ -90,7 +94,7 @@ static ECDH_METHOD openssl_ecdh_meth = {
+ NULL, /* init */
+ NULL, /* finish */
+ #endif
+- 0, /* flags */
++ ECDH_FLAG_FIPS_METHOD, /* flags */
+ NULL /* app_data */
+ };
+
+@@ -119,6 +123,13 @@ static int ecdh_compute_key(void *out, s
+ size_t buflen, len;
+ unsigned char *buf = NULL;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED);
++ return -1;
++ }
++#endif
++
+ if (outlen > INT_MAX) {
+ ECDHerr(ECDH_F_ECDH_COMPUTE_KEY, ERR_R_MALLOC_FAILURE); /* sort of,
+ * anyway */
+diff -up openssl-1.0.2a/crypto/ecdsa/ecdsatest.c.fips-ec openssl-1.0.2a/crypto/ecdsa/ecdsatest.c
+--- openssl-1.0.2a/crypto/ecdsa/ecdsatest.c.fips-ec 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/ecdsa/ecdsatest.c 2015-04-22 19:00:19.722884536 +0200
+@@ -138,11 +138,14 @@ int restore_rand(void)
+ }
+
+ static int fbytes_counter = 0;
+-static const char *numbers[8] = {
++static const char *numbers[10] = {
++ "651056770906015076056810763456358567190100156695615665659",
+ "651056770906015076056810763456358567190100156695615665659",
+ "6140507067065001063065065565667405560006161556565665656654",
+ "8763001015071075675010661307616710783570106710677817767166"
+ "71676178726717",
++ "8763001015071075675010661307616710783570106710677817767166"
++ "71676178726717",
+ "7000000175690566466555057817571571075705015757757057795755"
+ "55657156756655",
+ "1275552191113212300012030439187146164646146646466749494799",
+@@ -158,7 +161,7 @@ int fbytes(unsigned char *buf, int num)
+ int ret;
+ BIGNUM *tmp = NULL;
+
+- if (fbytes_counter >= 8)
++ if (fbytes_counter >= 10)
+ return 0;
+ tmp = BN_new();
+ if (!tmp)
+@@ -532,8 +535,10 @@ int main(void)
+ RAND_seed(rnd_seed, sizeof(rnd_seed));
+
+ /* the tests */
++# if 0
+ if (!x9_62_tests(out))
+ goto err;
++# endif
+ if (!test_builtin(out))
+ goto err;
+
+diff -up openssl-1.0.2a/crypto/ecdsa/ecs_lib.c.fips-ec openssl-1.0.2a/crypto/ecdsa/ecs_lib.c
+--- openssl-1.0.2a/crypto/ecdsa/ecs_lib.c.fips-ec 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/ecdsa/ecs_lib.c 2015-04-22 19:00:19.722884536 +0200
+@@ -80,14 +80,7 @@ void ECDSA_set_default_method(const ECDS
+ const ECDSA_METHOD *ECDSA_get_default_method(void)
+ {
+ if (!default_ECDSA_method) {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_ecdsa_openssl();
+- else
+- return ECDSA_OpenSSL();
+-#else
+ default_ECDSA_method = ECDSA_OpenSSL();
+-#endif
+ }
+ return default_ECDSA_method;
+ }
+diff -up openssl-1.0.2a/crypto/ecdsa/ecs_ossl.c.fips-ec openssl-1.0.2a/crypto/ecdsa/ecs_ossl.c
+--- openssl-1.0.2a/crypto/ecdsa/ecs_ossl.c.fips-ec 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/ecdsa/ecs_ossl.c 2015-04-22 19:00:19.722884536 +0200
+@@ -60,6 +60,9 @@
+ #include <openssl/err.h>
+ #include <openssl/obj_mac.h>
+ #include <openssl/bn.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+
+ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen,
+ const BIGNUM *, const BIGNUM *,
+@@ -78,7 +81,7 @@ static ECDSA_METHOD openssl_ecdsa_meth =
+ NULL, /* init */
+ NULL, /* finish */
+ #endif
+- 0, /* flags */
++ ECDSA_FLAG_FIPS_METHOD, /* flags */
+ NULL /* app_data */
+ };
+
+@@ -245,6 +248,13 @@ static ECDSA_SIG *ecdsa_do_sign(const un
+ ECDSA_DATA *ecdsa;
+ const BIGNUM *priv_key;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_ECDSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED);
++ return NULL;
++ }
++#endif
++
+ ecdsa = ecdsa_check(eckey);
+ group = EC_KEY_get0_group(eckey);
+ priv_key = EC_KEY_get0_private_key(eckey);
+@@ -358,6 +368,13 @@ static int ecdsa_do_verify(const unsigne
+ const EC_GROUP *group;
+ const EC_POINT *pub_key;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_ECDSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED);
++ return -1;
++ }
++#endif
++
+ /* check input values */
+ if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
+ (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
+diff -up openssl-1.0.2a/crypto/ec/ec_cvt.c.fips-ec openssl-1.0.2a/crypto/ec/ec_cvt.c
+--- openssl-1.0.2a/crypto/ec/ec_cvt.c.fips-ec 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/ec/ec_cvt.c 2015-04-22 19:01:08.703040756 +0200
+@@ -82,10 +82,6 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const B
+ const EC_METHOD *meth;
+ EC_GROUP *ret;
+
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_ec_group_new_curve_gfp(p, a, b, ctx);
+-#endif
+ #if defined(OPENSSL_BN_ASM_MONT)
+ /*
+ * This might appear controversial, but the fact is that generic
+@@ -160,10 +156,6 @@ EC_GROUP *EC_GROUP_new_curve_GF2m(const
+ const EC_METHOD *meth;
+ EC_GROUP *ret;
+
+-# ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_ec_group_new_curve_gf2m(p, a, b, ctx);
+-# endif
+ meth = EC_GF2m_simple_method();
+
+ ret = EC_GROUP_new(meth);
+diff -up openssl-1.0.2a/crypto/ec/ec_key.c.fips-ec openssl-1.0.2a/crypto/ec/ec_key.c
+--- openssl-1.0.2a/crypto/ec/ec_key.c.fips-ec 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/ec/ec_key.c 2015-04-22 19:00:19.722884536 +0200
+@@ -64,9 +64,6 @@
+ #include <string.h>
+ #include "ec_lcl.h"
+ #include <openssl/err.h>
+-#ifdef OPENSSL_FIPS
+-# include <openssl/fips.h>
+-#endif
+
+ EC_KEY *EC_KEY_new(void)
+ {
+@@ -227,6 +224,38 @@ int EC_KEY_up_ref(EC_KEY *r)
+ return ((i > 1) ? 1 : 0);
+ }
+
++#ifdef OPENSSL_FIPS
++
++# include <openssl/evp.h>
++# include <openssl/fips.h>
++# include <openssl/fips_rand.h>
++
++static int fips_check_ec(EC_KEY *key)
++{
++ EVP_PKEY *pk;
++ unsigned char tbs[] = "ECDSA Pairwise Check Data";
++ int ret = 0;
++
++ if ((pk = EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_set1_EC_KEY(pk, key);
++
++ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))
++ ret = 1;
++
++ err:
++ if (ret == 0) {
++ FIPSerr(FIPS_F_FIPS_CHECK_EC, FIPS_R_PAIRWISE_TEST_FAILED);
++ fips_set_selftest_fail();
++ }
++ if (pk)
++ EVP_PKEY_free(pk);
++ return ret;
++}
++
++#endif
++
+ int EC_KEY_generate_key(EC_KEY *eckey)
+ {
+ int ok = 0;
+@@ -235,8 +264,10 @@ int EC_KEY_generate_key(EC_KEY *eckey)
+ EC_POINT *pub_key = NULL;
+
+ #ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_ec_key_generate_key(eckey);
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_EC_KEY_GENERATE_KEY, FIPS_R_FIPS_SELFTEST_FAILED);
++ return 0;
++ }
+ #endif
+
+ if (!eckey || !eckey->group) {
+@@ -277,6 +308,14 @@ int EC_KEY_generate_key(EC_KEY *eckey)
+ eckey->priv_key = priv_key;
+ eckey->pub_key = pub_key;
+
++#ifdef OPENSSL_FIPS
++ if (!fips_check_ec(eckey)) {
++ eckey->priv_key = NULL;
++ eckey->pub_key = NULL;
++ goto err;
++ }
++#endif
++
+ ok = 1;
+
+ err:
+@@ -408,10 +447,12 @@ int EC_KEY_set_public_key_affine_coordin
+ goto err;
+ }
+ /*
+- * Check if retrieved coordinates match originals: if not values are out
+- * of range.
++ * Check if retrieved coordinates match originals and are less
++ * than field order: if not values are out of range.
+ */
+- if (BN_cmp(x, tx) || BN_cmp(y, ty)) {
++ if (BN_cmp(x, tx) || BN_cmp(y, ty)
++ || (BN_cmp(x, &key->group->field) >= 0)
++ || (BN_cmp(y, &key->group->field) >= 0)) {
+ ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES,
+ EC_R_COORDINATES_OUT_OF_RANGE);
+ goto err;
+diff -up openssl-1.0.2a/crypto/ec/ecp_mont.c.fips-ec openssl-1.0.2a/crypto/ec/ecp_mont.c
+--- openssl-1.0.2a/crypto/ec/ecp_mont.c.fips-ec 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/ec/ecp_mont.c 2015-04-22 19:00:19.722884536 +0200
+@@ -63,10 +63,6 @@
+
+ #include <openssl/err.h>
+
+-#ifdef OPENSSL_FIPS
+-# include <openssl/fips.h>
+-#endif
+-
+ #include "ec_lcl.h"
+
+ const EC_METHOD *EC_GFp_mont_method(void)
+@@ -111,11 +107,6 @@ const EC_METHOD *EC_GFp_mont_method(void
+ ec_GFp_mont_field_set_to_one
+ };
+
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return fips_ec_gfp_mont_method();
+-#endif
+-
+ return &ret;
+ }
+
+diff -up openssl-1.0.2a/crypto/ec/ecp_nist.c.fips-ec openssl-1.0.2a/crypto/ec/ecp_nist.c
+--- openssl-1.0.2a/crypto/ec/ecp_nist.c.fips-ec 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/ec/ecp_nist.c 2015-04-22 19:00:19.723884560 +0200
+@@ -67,10 +67,6 @@
+ #include <openssl/obj_mac.h>
+ #include "ec_lcl.h"
+
+-#ifdef OPENSSL_FIPS
+-# include <openssl/fips.h>
+-#endif
+-
+ const EC_METHOD *EC_GFp_nist_method(void)
+ {
+ static const EC_METHOD ret = {
+@@ -113,11 +109,6 @@ const EC_METHOD *EC_GFp_nist_method(void
+ 0 /* field_set_to_one */
+ };
+
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return fips_ec_gfp_nist_method();
+-#endif
+-
+ return &ret;
+ }
+
+diff -up openssl-1.0.2a/crypto/ec/ecp_smpl.c.fips-ec openssl-1.0.2a/crypto/ec/ecp_smpl.c
+--- openssl-1.0.2a/crypto/ec/ecp_smpl.c.fips-ec 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/ec/ecp_smpl.c 2015-04-22 19:00:19.723884560 +0200
+@@ -66,10 +66,6 @@
+ #include <openssl/err.h>
+ #include <openssl/symhacks.h>
+
+-#ifdef OPENSSL_FIPS
+-# include <openssl/fips.h>
+-#endif
+-
+ #include "ec_lcl.h"
+
+ const EC_METHOD *EC_GFp_simple_method(void)
+@@ -114,11 +110,6 @@ const EC_METHOD *EC_GFp_simple_method(vo
+ 0 /* field_set_to_one */
+ };
+
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return fips_ec_gfp_simple_method();
+-#endif
+-
+ return &ret;
+ }
+
+@@ -187,6 +178,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
+ return 0;
+ }
+
++ if (BN_num_bits(p) < 256) {
++ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
++ return 0;
++ }
++
+ if (ctx == NULL) {
+ ctx = new_ctx = BN_CTX_new();
+ if (ctx == NULL)
+diff -up openssl-1.0.2a/crypto/evp/m_ecdsa.c.fips-ec openssl-1.0.2a/crypto/evp/m_ecdsa.c
+--- openssl-1.0.2a/crypto/evp/m_ecdsa.c.fips-ec 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/evp/m_ecdsa.c 2015-04-22 19:00:19.723884560 +0200
+@@ -136,7 +136,7 @@ static const EVP_MD ecdsa_md = {
+ NID_ecdsa_with_SHA1,
+ NID_ecdsa_with_SHA1,
+ SHA_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_DIGEST,
++ EVP_MD_FLAG_PKEY_DIGEST | EVP_MD_FLAG_FIPS,
+ init,
+ update,
+ final,
+diff -up openssl-1.0.2a/crypto/fips/cavs/fips_ecdhvs.c.fips-ec openssl-1.0.2a/crypto/fips/cavs/fips_ecdhvs.c
+--- openssl-1.0.2a/crypto/fips/cavs/fips_ecdhvs.c.fips-ec 2015-04-22 19:00:19.723884560 +0200
++++ openssl-1.0.2a/crypto/fips/cavs/fips_ecdhvs.c 2015-04-22 19:00:19.723884560 +0200
+@@ -0,0 +1,456 @@
++/* fips/ecdh/fips_ecdhvs.c */
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#define OPENSSL_FIPSAPI
++#include <openssl/opensslconf.h>
++
++#ifndef OPENSSL_FIPS
++# include <stdio.h>
++
++int main(int argc, char **argv)
++{
++ printf("No FIPS ECDH support\n");
++ return (0);
++}
++#else
++
++# include <openssl/crypto.h>
++# include <openssl/bn.h>
++# include <openssl/ecdh.h>
++# include <openssl/fips.h>
++# include <openssl/err.h>
++# include <openssl/evp.h>
++# include <string.h>
++# include <ctype.h>
++
++# include "fips_utl.h"
++
++static const EVP_MD *eparse_md(char *line)
++{
++ char *p;
++ if (line[0] != '[' || line[1] != 'E')
++ return NULL;
++ p = strchr(line, '-');
++ if (!p)
++ return NULL;
++ line = p + 1;
++ p = strchr(line, ']');
++ if (!p)
++ return NULL;
++ *p = 0;
++ p = line;
++ while (isspace(*p))
++ p++;
++ if (!strcmp(p, "SHA1"))
++ return EVP_sha1();
++ else if (!strcmp(p, "SHA224"))
++ return EVP_sha224();
++ else if (!strcmp(p, "SHA256"))
++ return EVP_sha256();
++ else if (!strcmp(p, "SHA384"))
++ return EVP_sha384();
++ else if (!strcmp(p, "SHA512"))
++ return EVP_sha512();
++ else
++ return NULL;
++}
++
++static int lookup_curve2(char *cname)
++{
++ char *p;
++ p = strchr(cname, ']');
++ if (!p) {
++ fprintf(stderr, "Parse error: missing ]\n");
++ return NID_undef;
++ }
++ *p = 0;
++
++ if (!strcmp(cname, "B-163"))
++ return NID_sect163r2;
++ if (!strcmp(cname, "B-233"))
++ return NID_sect233r1;
++ if (!strcmp(cname, "B-283"))
++ return NID_sect283r1;
++ if (!strcmp(cname, "B-409"))
++ return NID_sect409r1;
++ if (!strcmp(cname, "B-571"))
++ return NID_sect571r1;
++ if (!strcmp(cname, "K-163"))
++ return NID_sect163k1;
++ if (!strcmp(cname, "K-233"))
++ return NID_sect233k1;
++ if (!strcmp(cname, "K-283"))
++ return NID_sect283k1;
++ if (!strcmp(cname, "K-409"))
++ return NID_sect409k1;
++ if (!strcmp(cname, "K-571"))
++ return NID_sect571k1;
++ if (!strcmp(cname, "P-192"))
++ return NID_X9_62_prime192v1;
++ if (!strcmp(cname, "P-224"))
++ return NID_secp224r1;
++ if (!strcmp(cname, "P-256"))
++ return NID_X9_62_prime256v1;
++ if (!strcmp(cname, "P-384"))
++ return NID_secp384r1;
++ if (!strcmp(cname, "P-521"))
++ return NID_secp521r1;
++
++ fprintf(stderr, "Unknown Curve name %s\n", cname);
++ return NID_undef;
++}
++
++static int lookup_curve(char *cname)
++{
++ char *p;
++ p = strchr(cname, ':');
++ if (!p) {
++ fprintf(stderr, "Parse error: missing :\n");
++ return NID_undef;
++ }
++ cname = p + 1;
++ while (isspace(*cname))
++ cname++;
++ return lookup_curve2(cname);
++}
++
++static EC_POINT *make_peer(EC_GROUP *group, BIGNUM *x, BIGNUM *y)
++{
++ EC_POINT *peer;
++ int rv;
++ BN_CTX *c;
++ peer = EC_POINT_new(group);
++ if (!peer)
++ return NULL;
++ c = BN_CTX_new();
++ if (EC_METHOD_get_field_type(EC_GROUP_method_of(group))
++ == NID_X9_62_prime_field)
++ rv = EC_POINT_set_affine_coordinates_GFp(group, peer, x, y, c);
++ else
++# ifdef OPENSSL_NO_EC2M
++ {
++ fprintf(stderr, "ERROR: GF2m not supported\n");
++ exit(1);
++ }
++# else
++ rv = EC_POINT_set_affine_coordinates_GF2m(group, peer, x, y, c);
++# endif
++
++ BN_CTX_free(c);
++ if (rv)
++ return peer;
++ EC_POINT_free(peer);
++ return NULL;
++}
++
++static int ec_print_key(FILE *out, EC_KEY *key, int add_e, int exout)
++{
++ const EC_POINT *pt;
++ const EC_GROUP *grp;
++ const EC_METHOD *meth;
++ int rv;
++ BIGNUM *tx, *ty;
++ const BIGNUM *d = NULL;
++ BN_CTX *ctx;
++ ctx = BN_CTX_new();
++ if (!ctx)
++ return 0;
++ tx = BN_CTX_get(ctx);
++ ty = BN_CTX_get(ctx);
++ if (!tx || !ty)
++ return 0;
++ grp = EC_KEY_get0_group(key);
++ pt = EC_KEY_get0_public_key(key);
++ if (exout)
++ d = EC_KEY_get0_private_key(key);
++ meth = EC_GROUP_method_of(grp);
++ if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
++ rv = EC_POINT_get_affine_coordinates_GFp(grp, pt, tx, ty, ctx);
++ else
++# ifdef OPENSSL_NO_EC2M
++ {
++ fprintf(stderr, "ERROR: GF2m not supported\n");
++ exit(1);
++ }
++# else
++ rv = EC_POINT_get_affine_coordinates_GF2m(grp, pt, tx, ty, ctx);
++# endif
++
++ if (add_e) {
++ do_bn_print_name(out, "QeIUTx", tx);
++ do_bn_print_name(out, "QeIUTy", ty);
++ if (d)
++ do_bn_print_name(out, "QeIUTd", d);
++ } else {
++ do_bn_print_name(out, "QIUTx", tx);
++ do_bn_print_name(out, "QIUTy", ty);
++ if (d)
++ do_bn_print_name(out, "QIUTd", d);
++ }
++
++ BN_CTX_free(ctx);
++
++ return rv;
++
++}
++
++static void ec_output_Zhash(FILE *out, int exout, EC_GROUP *group,
++ BIGNUM *ix, BIGNUM *iy, BIGNUM *id, BIGNUM *cx,
++ BIGNUM *cy, const EVP_MD *md,
++ unsigned char *rhash, size_t rhashlen)
++{
++ EC_KEY *ec = NULL;
++ EC_POINT *peerkey = NULL;
++ unsigned char *Z;
++ unsigned char chash[EVP_MAX_MD_SIZE];
++ int Zlen;
++ ec = EC_KEY_new();
++ EC_KEY_set_flags(ec, EC_FLAG_COFACTOR_ECDH);
++ EC_KEY_set_group(ec, group);
++ peerkey = make_peer(group, cx, cy);
++ if (rhash == NULL) {
++ if (md)
++ rhashlen = M_EVP_MD_size(md);
++ EC_KEY_generate_key(ec);
++ ec_print_key(out, ec, md ? 1 : 0, exout);
++ } else {
++ EC_KEY_set_public_key_affine_coordinates(ec, ix, iy);
++ EC_KEY_set_private_key(ec, id);
++ }
++ Zlen = (EC_GROUP_get_degree(group) + 7) / 8;
++ Z = OPENSSL_malloc(Zlen);
++ if (!Z)
++ exit(1);
++ ECDH_compute_key(Z, Zlen, peerkey, ec, 0);
++ if (md) {
++ if (exout)
++ OutputValue("Z", Z, Zlen, out, 0);
++ FIPS_digest(Z, Zlen, chash, NULL, md);
++ OutputValue(rhash ? "IUTHashZZ" : "HashZZ", chash, rhashlen, out, 0);
++ if (rhash) {
++ fprintf(out, "Result = %s\n",
++ memcmp(chash, rhash, rhashlen) ? "F" : "P");
++ }
++ } else
++ OutputValue("ZIUT", Z, Zlen, out, 0);
++ OPENSSL_cleanse(Z, Zlen);
++ OPENSSL_free(Z);
++ EC_KEY_free(ec);
++ EC_POINT_free(peerkey);
++}
++
++# ifdef FIPS_ALGVS
++int fips_ecdhvs_main(int argc, char **argv)
++# else
++int main(int argc, char **argv)
++# endif
++{
++ char **args = argv + 1;
++ int argn = argc - 1;
++ FILE *in, *out;
++ char buf[2048], lbuf[2048];
++ unsigned char *rhash = NULL;
++ long rhashlen;
++ BIGNUM *cx = NULL, *cy = NULL;
++ BIGNUM *id = NULL, *ix = NULL, *iy = NULL;
++ const EVP_MD *md = NULL;
++ EC_GROUP *group = NULL;
++ char *keyword = NULL, *value = NULL;
++ int do_verify = -1, exout = 0;
++ int rv = 1;
++
++ int curve_nids[5] = { 0, 0, 0, 0, 0 };
++ int param_set = -1;
++
++ fips_algtest_init();
++
++ if (argn && !strcmp(*args, "ecdhver")) {
++ do_verify = 1;
++ args++;
++ argn--;
++ } else if (argn && !strcmp(*args, "ecdhgen")) {
++ do_verify = 0;
++ args++;
++ argn--;
++ }
++
++ if (argn && !strcmp(*args, "-exout")) {
++ exout = 1;
++ args++;
++ argn--;
++ }
++
++ if (do_verify == -1) {
++ fprintf(stderr, "%s [ecdhver|ecdhgen|] [-exout] (infile outfile)\n",
++ argv[0]);
++ exit(1);
++ }
++
++ if (argn == 2) {
++ in = fopen(*args, "r");
++ if (!in) {
++ fprintf(stderr, "Error opening input file\n");
++ exit(1);
++ }
++ out = fopen(args[1], "w");
++ if (!out) {
++ fprintf(stderr, "Error opening output file\n");
++ exit(1);
++ }
++ } else if (argn == 0) {
++ in = stdin;
++ out = stdout;
++ } else {
++ fprintf(stderr, "%s [dhver|dhgen|] [-exout] (infile outfile)\n",
++ argv[0]);
++ exit(1);
++ }
++
++ while (fgets(buf, sizeof(buf), in) != NULL) {
++ fputs(buf, out);
++ if (buf[0] == '[' && buf[1] == 'E') {
++ int c = buf[2];
++ if (c < 'A' || c > 'E')
++ goto parse_error;
++ param_set = c - 'A';
++ /* If just [E?] then initial paramset */
++ if (buf[3] == ']')
++ continue;
++ if (group)
++ EC_GROUP_free(group);
++ group = EC_GROUP_new_by_curve_name(curve_nids[c - 'A']);
++ }
++ if (strlen(buf) > 10 && !strncmp(buf, "[Curve", 6)) {
++ int nid;
++ if (param_set == -1)
++ goto parse_error;
++ nid = lookup_curve(buf);
++ if (nid == NID_undef)
++ goto parse_error;
++ curve_nids[param_set] = nid;
++ }
++
++ if (strlen(buf) > 4 && buf[0] == '[' && buf[2] == '-') {
++ int nid = lookup_curve2(buf + 1);
++ if (nid == NID_undef)
++ goto parse_error;
++ if (group)
++ EC_GROUP_free(group);
++ group = EC_GROUP_new_by_curve_name(nid);
++ if (!group) {
++ fprintf(stderr, "ERROR: unsupported curve %s\n", buf + 1);
++ return 1;
++ }
++ }
++
++ if (strlen(buf) > 6 && !strncmp(buf, "[E", 2)) {
++ md = eparse_md(buf);
++ if (md == NULL)
++ goto parse_error;
++ continue;
++ }
++ if (!parse_line(&keyword, &value, lbuf, buf))
++ continue;
++ if (!strcmp(keyword, "QeCAVSx") || !strcmp(keyword, "QCAVSx")) {
++ if (!do_hex2bn(&cx, value))
++ goto parse_error;
++ } else if (!strcmp(keyword, "QeCAVSy") || !strcmp(keyword, "QCAVSy")) {
++ if (!do_hex2bn(&cy, value))
++ goto parse_error;
++ if (do_verify == 0)
++ ec_output_Zhash(out, exout, group,
++ NULL, NULL, NULL,
++ cx, cy, md, rhash, rhashlen);
++ } else if (!strcmp(keyword, "deIUT")) {
++ if (!do_hex2bn(&id, value))
++ goto parse_error;
++ } else if (!strcmp(keyword, "QeIUTx")) {
++ if (!do_hex2bn(&ix, value))
++ goto parse_error;
++ } else if (!strcmp(keyword, "QeIUTy")) {
++ if (!do_hex2bn(&iy, value))
++ goto parse_error;
++ } else if (!strcmp(keyword, "CAVSHashZZ")) {
++ if (!md)
++ goto parse_error;
++ rhash = hex2bin_m(value, &rhashlen);
++ if (!rhash || rhashlen != M_EVP_MD_size(md))
++ goto parse_error;
++ ec_output_Zhash(out, exout, group, ix, iy, id, cx, cy,
++ md, rhash, rhashlen);
++ }
++ }
++ rv = 0;
++ parse_error:
++ if (id)
++ BN_free(id);
++ if (ix)
++ BN_free(ix);
++ if (iy)
++ BN_free(iy);
++ if (cx)
++ BN_free(cx);
++ if (cy)
++ BN_free(cy);
++ if (group)
++ EC_GROUP_free(group);
++ if (in && in != stdin)
++ fclose(in);
++ if (out && out != stdout)
++ fclose(out);
++ if (rv)
++ fprintf(stderr, "Error Parsing request file\n");
++ return rv;
++}
++
++#endif
+diff -up openssl-1.0.2a/crypto/fips/cavs/fips_ecdsavs.c.fips-ec openssl-1.0.2a/crypto/fips/cavs/fips_ecdsavs.c
+--- openssl-1.0.2a/crypto/fips/cavs/fips_ecdsavs.c.fips-ec 2015-04-22 19:00:19.723884560 +0200
++++ openssl-1.0.2a/crypto/fips/cavs/fips_ecdsavs.c 2015-04-22 19:00:19.723884560 +0200
+@@ -0,0 +1,486 @@
++/* fips/ecdsa/fips_ecdsavs.c */
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#define OPENSSL_FIPSAPI
++#include <openssl/opensslconf.h>
++#include <stdio.h>
++
++#ifndef OPENSSL_FIPS
++
++int main(int argc, char **argv)
++{
++ printf("No FIPS ECDSA support\n");
++ return (0);
++}
++#else
++
++# include <string.h>
++# include <ctype.h>
++# include <openssl/err.h>
++# include <openssl/bn.h>
++# include <openssl/ecdsa.h>
++# include <openssl/evp.h>
++# include "fips_utl.h"
++
++# include <openssl/objects.h>
++
++static int elookup_curve(char *in, char *curve_name, const EVP_MD **pmd)
++{
++ char *cname, *p;
++ /* Copy buffer as we will change it */
++ strcpy(curve_name, in);
++ cname = curve_name + 1;
++ p = strchr(cname, ']');
++ if (!p) {
++ fprintf(stderr, "Parse error: missing ]\n");
++ return NID_undef;
++ }
++ *p = 0;
++ p = strchr(cname, ',');
++ if (p) {
++ if (!pmd) {
++ fprintf(stderr, "Parse error: unexpected digest\n");
++ return NID_undef;
++ }
++ *p = 0;
++ p++;
++
++ if (!strcmp(p, "SHA-1"))
++ *pmd = EVP_sha1();
++ else if (!strcmp(p, "SHA-224"))
++ *pmd = EVP_sha224();
++ else if (!strcmp(p, "SHA-256"))
++ *pmd = EVP_sha256();
++ else if (!strcmp(p, "SHA-384"))
++ *pmd = EVP_sha384();
++ else if (!strcmp(p, "SHA-512"))
++ *pmd = EVP_sha512();
++ else {
++ fprintf(stderr, "Unknown digest %s\n", p);
++ return NID_undef;
++ }
++ } else if (pmd)
++ *pmd = EVP_sha1();
++
++ if (!strcmp(cname, "B-163"))
++ return NID_sect163r2;
++ if (!strcmp(cname, "B-233"))
++ return NID_sect233r1;
++ if (!strcmp(cname, "B-283"))
++ return NID_sect283r1;
++ if (!strcmp(cname, "B-409"))
++ return NID_sect409r1;
++ if (!strcmp(cname, "B-571"))
++ return NID_sect571r1;
++ if (!strcmp(cname, "K-163"))
++ return NID_sect163k1;
++ if (!strcmp(cname, "K-233"))
++ return NID_sect233k1;
++ if (!strcmp(cname, "K-283"))
++ return NID_sect283k1;
++ if (!strcmp(cname, "K-409"))
++ return NID_sect409k1;
++ if (!strcmp(cname, "K-571"))
++ return NID_sect571k1;
++ if (!strcmp(cname, "P-192"))
++ return NID_X9_62_prime192v1;
++ if (!strcmp(cname, "P-224"))
++ return NID_secp224r1;
++ if (!strcmp(cname, "P-256"))
++ return NID_X9_62_prime256v1;
++ if (!strcmp(cname, "P-384"))
++ return NID_secp384r1;
++ if (!strcmp(cname, "P-521"))
++ return NID_secp521r1;
++
++ fprintf(stderr, "Unknown Curve name %s\n", cname);
++ return NID_undef;
++}
++
++static int ec_get_pubkey(EC_KEY *key, BIGNUM *x, BIGNUM *y)
++{
++ const EC_POINT *pt;
++ const EC_GROUP *grp;
++ const EC_METHOD *meth;
++ int rv;
++ BN_CTX *ctx;
++ ctx = BN_CTX_new();
++ if (!ctx)
++ return 0;
++ grp = EC_KEY_get0_group(key);
++ pt = EC_KEY_get0_public_key(key);
++ meth = EC_GROUP_method_of(grp);
++ if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
++ rv = EC_POINT_get_affine_coordinates_GFp(grp, pt, x, y, ctx);
++ else
++# ifdef OPENSSL_NO_EC2M
++ {
++ fprintf(stderr, "ERROR: GF2m not supported\n");
++ exit(1);
++ }
++# else
++ rv = EC_POINT_get_affine_coordinates_GF2m(grp, pt, x, y, ctx);
++# endif
++
++ BN_CTX_free(ctx);
++
++ return rv;
++
++}
++
++static int KeyPair(FILE *in, FILE *out)
++{
++ char buf[2048], lbuf[2048];
++ char *keyword, *value;
++ int curve_nid = NID_undef;
++ int i, count;
++ BIGNUM *Qx = NULL, *Qy = NULL;
++ const BIGNUM *d = NULL;
++ EC_KEY *key = NULL;
++ Qx = BN_new();
++ Qy = BN_new();
++ while (fgets(buf, sizeof buf, in) != NULL) {
++ if (*buf == '[' && buf[2] == '-') {
++ if (buf[2] == '-')
++ curve_nid = elookup_curve(buf, lbuf, NULL);
++ fputs(buf, out);
++ continue;
++ }
++ if (!parse_line(&keyword, &value, lbuf, buf)) {
++ fputs(buf, out);
++ continue;
++ }
++ if (!strcmp(keyword, "N")) {
++ count = atoi(value);
++
++ for (i = 0; i < count; i++) {
++
++ key = EC_KEY_new_by_curve_name(curve_nid);
++ if (!EC_KEY_generate_key(key)) {
++ fprintf(stderr, "Error generating key\n");
++ return 0;
++ }
++
++ if (!ec_get_pubkey(key, Qx, Qy)) {
++ fprintf(stderr, "Error getting public key\n");
++ return 0;
++ }
++
++ d = EC_KEY_get0_private_key(key);
++
++ do_bn_print_name(out, "d", d);
++ do_bn_print_name(out, "Qx", Qx);
++ do_bn_print_name(out, "Qy", Qy);
++ fputs(RESP_EOL, out);
++ EC_KEY_free(key);
++
++ }
++
++ }
++
++ }
++ BN_free(Qx);
++ BN_free(Qy);
++ return 1;
++}
++
++static int PKV(FILE *in, FILE *out)
++{
++
++ char buf[2048], lbuf[2048];
++ char *keyword, *value;
++ int curve_nid = NID_undef;
++ BIGNUM *Qx = NULL, *Qy = NULL;
++ EC_KEY *key = NULL;
++ while (fgets(buf, sizeof buf, in) != NULL) {
++ fputs(buf, out);
++ if (*buf == '[' && buf[2] == '-') {
++ curve_nid = elookup_curve(buf, lbuf, NULL);
++ if (curve_nid == NID_undef)
++ return 0;
++
++ }
++ if (!parse_line(&keyword, &value, lbuf, buf))
++ continue;
++ if (!strcmp(keyword, "Qx")) {
++ if (!do_hex2bn(&Qx, value)) {
++ fprintf(stderr, "Invalid Qx value\n");
++ return 0;
++ }
++ }
++ if (!strcmp(keyword, "Qy")) {
++ int rv;
++ if (!do_hex2bn(&Qy, value)) {
++ fprintf(stderr, "Invalid Qy value\n");
++ return 0;
++ }
++ key = EC_KEY_new_by_curve_name(curve_nid);
++ no_err = 1;
++ rv = EC_KEY_set_public_key_affine_coordinates(key, Qx, Qy);
++ no_err = 0;
++ EC_KEY_free(key);
++ fprintf(out, "Result = %s" RESP_EOL, rv ? "P" : "F");
++ }
++
++ }
++ BN_free(Qx);
++ BN_free(Qy);
++ return 1;
++}
++
++static int SigGen(FILE *in, FILE *out)
++{
++ char buf[2048], lbuf[2048];
++ char *keyword, *value;
++ unsigned char *msg;
++ int curve_nid = NID_undef;
++ long mlen;
++ BIGNUM *Qx = NULL, *Qy = NULL;
++ EC_KEY *key = NULL;
++ ECDSA_SIG *sig = NULL;
++ const EVP_MD *digest = NULL;
++ Qx = BN_new();
++ Qy = BN_new();
++ while (fgets(buf, sizeof buf, in) != NULL) {
++ fputs(buf, out);
++ if (*buf == '[') {
++ curve_nid = elookup_curve(buf, lbuf, &digest);
++ if (curve_nid == NID_undef)
++ return 0;
++ }
++ if (!parse_line(&keyword, &value, lbuf, buf))
++ continue;
++ if (!strcmp(keyword, "Msg")) {
++ msg = hex2bin_m(value, &mlen);
++ if (!msg) {
++ fprintf(stderr, "Invalid Message\n");
++ return 0;
++ }
++
++ key = EC_KEY_new_by_curve_name(curve_nid);
++ if (!EC_KEY_generate_key(key)) {
++ fprintf(stderr, "Error generating key\n");
++ return 0;
++ }
++
++ if (!ec_get_pubkey(key, Qx, Qy)) {
++ fprintf(stderr, "Error getting public key\n");
++ return 0;
++ }
++
++ sig = FIPS_ecdsa_sign(key, msg, mlen, digest);
++
++ if (!sig) {
++ fprintf(stderr, "Error signing message\n");
++ return 0;
++ }
++
++ do_bn_print_name(out, "Qx", Qx);
++ do_bn_print_name(out, "Qy", Qy);
++ do_bn_print_name(out, "R", sig->r);
++ do_bn_print_name(out, "S", sig->s);
++
++ EC_KEY_free(key);
++ OPENSSL_free(msg);
++ FIPS_ecdsa_sig_free(sig);
++
++ }
++
++ }
++ BN_free(Qx);
++ BN_free(Qy);
++ return 1;
++}
++
++static int SigVer(FILE *in, FILE *out)
++{
++ char buf[2048], lbuf[2048];
++ char *keyword, *value;
++ unsigned char *msg = NULL;
++ int curve_nid = NID_undef;
++ long mlen;
++ BIGNUM *Qx = NULL, *Qy = NULL;
++ EC_KEY *key = NULL;
++ ECDSA_SIG sg, *sig = &sg;
++ const EVP_MD *digest = NULL;
++ sig->r = NULL;
++ sig->s = NULL;
++ while (fgets(buf, sizeof buf, in) != NULL) {
++ fputs(buf, out);
++ if (*buf == '[') {
++ curve_nid = elookup_curve(buf, lbuf, &digest);
++ if (curve_nid == NID_undef)
++ return 0;
++ }
++ if (!parse_line(&keyword, &value, lbuf, buf))
++ continue;
++ if (!strcmp(keyword, "Msg")) {
++ msg = hex2bin_m(value, &mlen);
++ if (!msg) {
++ fprintf(stderr, "Invalid Message\n");
++ return 0;
++ }
++ }
++
++ if (!strcmp(keyword, "Qx")) {
++ if (!do_hex2bn(&Qx, value)) {
++ fprintf(stderr, "Invalid Qx value\n");
++ return 0;
++ }
++ }
++ if (!strcmp(keyword, "Qy")) {
++ if (!do_hex2bn(&Qy, value)) {
++ fprintf(stderr, "Invalid Qy value\n");
++ return 0;
++ }
++ }
++ if (!strcmp(keyword, "R")) {
++ if (!do_hex2bn(&sig->r, value)) {
++ fprintf(stderr, "Invalid R value\n");
++ return 0;
++ }
++ }
++ if (!strcmp(keyword, "S")) {
++ int rv;
++ if (!do_hex2bn(&sig->s, value)) {
++ fprintf(stderr, "Invalid S value\n");
++ return 0;
++ }
++ key = EC_KEY_new_by_curve_name(curve_nid);
++ rv = EC_KEY_set_public_key_affine_coordinates(key, Qx, Qy);
++
++ if (rv != 1) {
++ fprintf(stderr, "Error setting public key\n");
++ return 0;
++ }
++
++ no_err = 1;
++ rv = FIPS_ecdsa_verify(key, msg, mlen, digest, sig);
++ EC_KEY_free(key);
++ if (msg)
++ OPENSSL_free(msg);
++ no_err = 0;
++
++ fprintf(out, "Result = %s" RESP_EOL, rv ? "P" : "F");
++ }
++
++ }
++ if (sig->r)
++ BN_free(sig->r);
++ if (sig->s)
++ BN_free(sig->s);
++ if (Qx)
++ BN_free(Qx);
++ if (Qy)
++ BN_free(Qy);
++ return 1;
++}
++
++# ifdef FIPS_ALGVS
++int fips_ecdsavs_main(int argc, char **argv)
++# else
++int main(int argc, char **argv)
++# endif
++{
++ FILE *in = NULL, *out = NULL;
++ const char *cmd = argv[1];
++ int rv = 0;
++ fips_algtest_init();
++
++ if (argc == 4) {
++ in = fopen(argv[2], "r");
++ if (!in) {
++ fprintf(stderr, "Error opening input file\n");
++ exit(1);
++ }
++ out = fopen(argv[3], "w");
++ if (!out) {
++ fprintf(stderr, "Error opening output file\n");
++ exit(1);
++ }
++ } else if (argc == 2) {
++ in = stdin;
++ out = stdout;
++ }
++
++ if (!cmd) {
++ fprintf(stderr, "fips_ecdsavs [KeyPair|PKV|SigGen|SigVer]\n");
++ return 1;
++ }
++ if (!strcmp(cmd, "KeyPair"))
++ rv = KeyPair(in, out);
++ else if (!strcmp(cmd, "PKV"))
++ rv = PKV(in, out);
++ else if (!strcmp(cmd, "SigVer"))
++ rv = SigVer(in, out);
++ else if (!strcmp(cmd, "SigGen"))
++ rv = SigGen(in, out);
++ else {
++ fprintf(stderr, "Unknown command %s\n", cmd);
++ return 1;
++ }
++
++ if (argc == 4) {
++ fclose(in);
++ fclose(out);
++ }
++
++ if (rv <= 0) {
++ fprintf(stderr, "Error running %s\n", cmd);
++ return 1;
++ }
++
++ return 0;
++}
++
++#endif
+diff -up openssl-1.0.2a/crypto/fips/fips_ecdh_selftest.c.fips-ec openssl-1.0.2a/crypto/fips/fips_ecdh_selftest.c
+--- openssl-1.0.2a/crypto/fips/fips_ecdh_selftest.c.fips-ec 2015-04-22 19:00:19.724884583 +0200
++++ openssl-1.0.2a/crypto/fips/fips_ecdh_selftest.c 2015-04-22 19:00:19.724884583 +0200
+@@ -0,0 +1,242 @@
++/* fips/ecdh/fips_ecdh_selftest.c */
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project 2011.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ */
++
++#define OPENSSL_FIPSAPI
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/ec.h>
++#include <openssl/ecdh.h>
++#include <openssl/fips.h>
++#include <openssl/err.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++
++#ifdef OPENSSL_FIPS
++
++# include "fips_locl.h"
++
++static const unsigned char p256_qcavsx[] = {
++ 0x52, 0xc6, 0xa5, 0x75, 0xf3, 0x04, 0x98, 0xb3, 0x29, 0x66, 0x0c, 0x62,
++ 0x18, 0x60, 0x55, 0x41, 0x59, 0xd4, 0x60, 0x85, 0x99, 0xc1, 0x51, 0x13,
++ 0x6f, 0x97, 0x85, 0x93, 0x33, 0x34, 0x07, 0x50
++};
++
++static const unsigned char p256_qcavsy[] = {
++ 0x6f, 0x69, 0x24, 0xeb, 0xe9, 0x3b, 0xa7, 0xcc, 0x47, 0x17, 0xaa, 0x3f,
++ 0x70, 0xfc, 0x10, 0x73, 0x0a, 0xcd, 0x21, 0xee, 0x29, 0x19, 0x1f, 0xaf,
++ 0xb4, 0x1c, 0x1e, 0xc2, 0x8e, 0x97, 0x81, 0x6e
++};
++
++static const unsigned char p256_qiutx[] = {
++ 0x71, 0x46, 0x88, 0x08, 0x92, 0x21, 0x1b, 0x10, 0x21, 0x74, 0xff, 0x0c,
++ 0x94, 0xde, 0x34, 0x7c, 0x86, 0x74, 0xbe, 0x67, 0x41, 0x68, 0xd4, 0xc1,
++ 0xe5, 0x75, 0x63, 0x9c, 0xa7, 0x46, 0x93, 0x6f
++};
++
++static const unsigned char p256_qiuty[] = {
++ 0x33, 0x40, 0xa9, 0x6a, 0xf5, 0x20, 0xb5, 0x9e, 0xfc, 0x60, 0x1a, 0xae,
++ 0x3d, 0xf8, 0x21, 0xd2, 0xa7, 0xca, 0x52, 0x34, 0xb9, 0x5f, 0x27, 0x75,
++ 0x6c, 0x81, 0xbe, 0x32, 0x4d, 0xba, 0xbb, 0xf8
++};
++
++static const unsigned char p256_qiutd[] = {
++ 0x1a, 0x48, 0x55, 0x6b, 0x11, 0xbe, 0x92, 0xd4, 0x1c, 0xd7, 0x45, 0xc3,
++ 0x82, 0x81, 0x51, 0xf1, 0x23, 0x40, 0xb7, 0x83, 0xfd, 0x01, 0x6d, 0xbc,
++ 0xa1, 0x66, 0xaf, 0x0a, 0x03, 0x23, 0xcd, 0xc8
++};
++
++static const unsigned char p256_ziut[] = {
++ 0x77, 0x2a, 0x1e, 0x37, 0xee, 0xe6, 0x51, 0x02, 0x71, 0x40, 0xf8, 0x6a,
++ 0x36, 0xf8, 0x65, 0x61, 0x2b, 0x18, 0x71, 0x82, 0x23, 0xe6, 0xf2, 0x77,
++ 0xce, 0xec, 0xb8, 0x49, 0xc7, 0xbf, 0x36, 0x4f
++};
++
++typedef struct {
++ int curve;
++ const unsigned char *x1;
++ size_t x1len;
++ const unsigned char *y1;
++ size_t y1len;
++ const unsigned char *d1;
++ size_t d1len;
++ const unsigned char *x2;
++ size_t x2len;
++ const unsigned char *y2;
++ size_t y2len;
++ const unsigned char *z;
++ size_t zlen;
++} ECDH_SELFTEST_DATA;
++
++# define make_ecdh_test(nid, pr) { nid, \
++ pr##_qiutx, sizeof(pr##_qiutx), \
++ pr##_qiuty, sizeof(pr##_qiuty), \
++ pr##_qiutd, sizeof(pr##_qiutd), \
++ pr##_qcavsx, sizeof(pr##_qcavsx), \
++ pr##_qcavsy, sizeof(pr##_qcavsy), \
++ pr##_ziut, sizeof(pr##_ziut) }
++
++static ECDH_SELFTEST_DATA test_ecdh_data[] = {
++ make_ecdh_test(NID_X9_62_prime256v1, p256),
++};
++
++int FIPS_selftest_ecdh(void)
++{
++ EC_KEY *ec1 = NULL, *ec2 = NULL;
++ const EC_POINT *ecp = NULL;
++ BIGNUM *x = NULL, *y = NULL, *d = NULL;
++ unsigned char *ztmp = NULL;
++ int rv = 1;
++ size_t i;
++
++ for (i = 0; i < sizeof(test_ecdh_data) / sizeof(ECDH_SELFTEST_DATA); i++) {
++ ECDH_SELFTEST_DATA *ecd = test_ecdh_data + i;
++ if (!fips_post_started(FIPS_TEST_ECDH, ecd->curve, 0))
++ continue;
++ ztmp = OPENSSL_malloc(ecd->zlen);
++
++ x = BN_bin2bn(ecd->x1, ecd->x1len, x);
++ y = BN_bin2bn(ecd->y1, ecd->y1len, y);
++ d = BN_bin2bn(ecd->d1, ecd->d1len, d);
++
++ if (!x || !y || !d || !ztmp) {
++ rv = -1;
++ goto err;
++ }
++
++ ec1 = EC_KEY_new_by_curve_name(ecd->curve);
++ if (!ec1) {
++ rv = -1;
++ goto err;
++ }
++ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
++
++ if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) {
++ rv = -1;
++ goto err;
++ }
++
++ if (!EC_KEY_set_private_key(ec1, d)) {
++ rv = -1;
++ goto err;
++ }
++
++ x = BN_bin2bn(ecd->x2, ecd->x2len, x);
++ y = BN_bin2bn(ecd->y2, ecd->y2len, y);
++
++ if (!x || !y) {
++ rv = -1;
++ goto err;
++ }
++
++ ec2 = EC_KEY_new_by_curve_name(ecd->curve);
++ if (!ec2) {
++ rv = -1;
++ goto err;
++ }
++ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
++
++ if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) {
++ rv = -1;
++ goto err;
++ }
++
++ ecp = EC_KEY_get0_public_key(ec2);
++ if (!ecp) {
++ rv = -1;
++ goto err;
++ }
++
++ if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) {
++ rv = -1;
++ goto err;
++ }
++
++ if (!fips_post_corrupt(FIPS_TEST_ECDH, ecd->curve, NULL))
++ ztmp[0] ^= 0x1;
++
++ if (memcmp(ztmp, ecd->z, ecd->zlen)) {
++ fips_post_failed(FIPS_TEST_ECDH, ecd->curve, 0);
++ rv = 0;
++ } else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0))
++ goto err;
++
++ EC_KEY_free(ec1);
++ ec1 = NULL;
++ EC_KEY_free(ec2);
++ ec2 = NULL;
++ OPENSSL_free(ztmp);
++ ztmp = NULL;
++ }
++
++ err:
++
++ if (x)
++ BN_clear_free(x);
++ if (y)
++ BN_clear_free(y);
++ if (d)
++ BN_clear_free(d);
++ if (ec1)
++ EC_KEY_free(ec1);
++ if (ec2)
++ EC_KEY_free(ec2);
++ if (ztmp)
++ OPENSSL_free(ztmp);
++
++ return rv;
++
++}
++
++#endif
+diff -up openssl-1.0.2a/crypto/fips/fips_ecdsa_selftest.c.fips-ec openssl-1.0.2a/crypto/fips/fips_ecdsa_selftest.c
+--- openssl-1.0.2a/crypto/fips/fips_ecdsa_selftest.c.fips-ec 2015-04-22 19:00:19.724884583 +0200
++++ openssl-1.0.2a/crypto/fips/fips_ecdsa_selftest.c 2015-04-22 19:00:19.724884583 +0200
+@@ -0,0 +1,165 @@
++/* fips/ecdsa/fips_ecdsa_selftest.c */
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project 2011.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ */
++
++#define OPENSSL_FIPSAPI
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/ec.h>
++#include <openssl/ecdsa.h>
++#include <openssl/fips.h>
++#include <openssl/err.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++
++#ifdef OPENSSL_FIPS
++
++static const char P_256_name[] = "ECDSA P-256";
++
++static const unsigned char P_256_d[] = {
++ 0x51, 0xbd, 0x06, 0xa1, 0x1c, 0xda, 0xe2, 0x12, 0x99, 0xc9, 0x52, 0x3f,
++ 0xea, 0xa4, 0xd2, 0xd1, 0xf4, 0x7f, 0xd4, 0x3e, 0xbd, 0xf8, 0xfc, 0x87,
++ 0xdc, 0x82, 0x53, 0x21, 0xee, 0xa0, 0xdc, 0x64
++};
++
++static const unsigned char P_256_qx[] = {
++ 0x23, 0x89, 0xe0, 0xf4, 0x69, 0xe0, 0x49, 0xe5, 0xc7, 0xe5, 0x40, 0x6e,
++ 0x8f, 0x25, 0xdd, 0xad, 0x11, 0x16, 0x14, 0x9b, 0xab, 0x44, 0x06, 0x31,
++ 0xbf, 0x5e, 0xa6, 0x44, 0xac, 0x86, 0x00, 0x07
++};
++
++static const unsigned char P_256_qy[] = {
++ 0xb3, 0x05, 0x0d, 0xd0, 0xdc, 0xf7, 0x40, 0xe6, 0xf9, 0xd8, 0x6d, 0x7b,
++ 0x63, 0xca, 0x97, 0xe6, 0x12, 0xf9, 0xd4, 0x18, 0x59, 0xbe, 0xb2, 0x5e,
++ 0x4a, 0x6a, 0x77, 0x23, 0xf4, 0x11, 0x9d, 0xeb
++};
++
++typedef struct {
++ int curve;
++ const char *name;
++ const unsigned char *x;
++ size_t xlen;
++ const unsigned char *y;
++ size_t ylen;
++ const unsigned char *d;
++ size_t dlen;
++} EC_SELFTEST_DATA;
++
++# define make_ecdsa_test(nid, pr) { nid, pr##_name, \
++ pr##_qx, sizeof(pr##_qx), \
++ pr##_qy, sizeof(pr##_qy), \
++ pr##_d, sizeof(pr##_d)}
++
++static EC_SELFTEST_DATA test_ec_data[] = {
++ make_ecdsa_test(NID_X9_62_prime256v1, P_256),
++};
++
++int FIPS_selftest_ecdsa()
++{
++ EC_KEY *ec = NULL;
++ BIGNUM *x = NULL, *y = NULL, *d = NULL;
++ EVP_PKEY *pk = NULL;
++ int rv = 0;
++ size_t i;
++
++ for (i = 0; i < sizeof(test_ec_data) / sizeof(EC_SELFTEST_DATA); i++) {
++ EC_SELFTEST_DATA *ecd = test_ec_data + i;
++
++ x = BN_bin2bn(ecd->x, ecd->xlen, x);
++ y = BN_bin2bn(ecd->y, ecd->ylen, y);
++ d = BN_bin2bn(ecd->d, ecd->dlen, d);
++
++ if (!x || !y || !d)
++ goto err;
++
++ ec = EC_KEY_new_by_curve_name(ecd->curve);
++ if (!ec)
++ goto err;
++
++ if (!EC_KEY_set_public_key_affine_coordinates(ec, x, y))
++ goto err;
++
++ if (!EC_KEY_set_private_key(ec, d))
++ goto err;
++
++ if ((pk = EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_assign_EC_KEY(pk, ec);
++
++ if (!fips_pkey_signature_test(pk, NULL, 0,
++ NULL, 0, EVP_sha256(), 0, ecd->name))
++ goto err;
++ }
++
++ rv = 1;
++
++ err:
++
++ if (x)
++ BN_clear_free(x);
++ if (y)
++ BN_clear_free(y);
++ if (d)
++ BN_clear_free(d);
++ if (pk)
++ EVP_PKEY_free(pk);
++ else if (ec)
++ EC_KEY_free(ec);
++
++ return rv;
++
++}
++
++#endif
+diff -up openssl-1.0.2a/crypto/fips/fips.h.fips-ec openssl-1.0.2a/crypto/fips/fips.h
+--- openssl-1.0.2a/crypto/fips/fips.h.fips-ec 2015-04-22 19:00:19.688883733 +0200
++++ openssl-1.0.2a/crypto/fips/fips.h 2015-04-22 19:00:19.724884583 +0200
+@@ -93,6 +93,8 @@ extern "C" {
+ void FIPS_corrupt_dsa(void);
+ void FIPS_corrupt_dsa_keygen(void);
+ int FIPS_selftest_dsa(void);
++ int FIPS_selftest_ecdsa(void);
++ int FIPS_selftest_ecdh(void);
+ void FIPS_corrupt_rng(void);
+ void FIPS_rng_stick(void);
+ void FIPS_x931_stick(int onoff);
+diff -up openssl-1.0.2a/crypto/fips/fips_post.c.fips-ec openssl-1.0.2a/crypto/fips/fips_post.c
+--- openssl-1.0.2a/crypto/fips/fips_post.c.fips-ec 2015-04-22 19:00:19.688883733 +0200
++++ openssl-1.0.2a/crypto/fips/fips_post.c 2015-04-22 19:00:19.724884583 +0200
+@@ -95,8 +95,12 @@ int FIPS_selftest(void)
+ rv = 0;
+ if (!FIPS_selftest_rsa())
+ rv = 0;
++ if (!FIPS_selftest_ecdsa())
++ rv = 0;
+ if (!FIPS_selftest_dsa())
+ rv = 0;
++ if (!FIPS_selftest_ecdh())
++ rv = 0;
+ return rv;
+ }
+
+diff -up openssl-1.0.2a/crypto/fips/Makefile.fips-ec openssl-1.0.2a/crypto/fips/Makefile
+--- openssl-1.0.2a/crypto/fips/Makefile.fips-ec 2015-04-22 19:00:19.691883805 +0200
++++ openssl-1.0.2a/crypto/fips/Makefile 2015-04-22 19:00:19.724884583 +0200
+@@ -24,13 +24,13 @@ LIBSRC=fips_aes_selftest.c fips_des_self
+ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
+ fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
+ fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
+- fips_cmac_selftest.c fips_enc.c fips_md.c
++ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c
+
+ LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \
+ fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \
+ fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \
+ fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \
+- fips_cmac_selftest.o fips_enc.o fips_md.o
++ fips_cmac_selftest.o fips_ecdh_selftest.o fips_ecdsa_selftest.o fips_enc.o fips_md.o
+
+ LIBCRYPTO=-L.. -lcrypto
+
+@@ -119,6 +119,21 @@ fips_aes_selftest.o: ../../include/opens
+ fips_aes_selftest.o: ../../include/openssl/safestack.h
+ fips_aes_selftest.o: ../../include/openssl/stack.h
+ fips_aes_selftest.o: ../../include/openssl/symhacks.h fips_aes_selftest.c
++fips_cmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_cmac_selftest.o: ../../include/openssl/cmac.h
++fips_cmac_selftest.o: ../../include/openssl/crypto.h
++fips_cmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_cmac_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_cmac_selftest.o: ../../include/openssl/lhash.h
++fips_cmac_selftest.o: ../../include/openssl/obj_mac.h
++fips_cmac_selftest.o: ../../include/openssl/objects.h
++fips_cmac_selftest.o: ../../include/openssl/opensslconf.h
++fips_cmac_selftest.o: ../../include/openssl/opensslv.h
++fips_cmac_selftest.o: ../../include/openssl/ossl_typ.h
++fips_cmac_selftest.o: ../../include/openssl/safestack.h
++fips_cmac_selftest.o: ../../include/openssl/stack.h
++fips_cmac_selftest.o: ../../include/openssl/symhacks.h fips_cmac_selftest.c
++fips_cmac_selftest.o: fips_locl.h
+ fips_des_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ fips_des_selftest.o: ../../include/openssl/crypto.h
+ fips_des_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+@@ -232,6 +247,46 @@ fips_dsa_selftest.o: ../../include/opens
+ fips_dsa_selftest.o: ../../include/openssl/stack.h
+ fips_dsa_selftest.o: ../../include/openssl/symhacks.h fips_dsa_selftest.c
+ fips_dsa_selftest.o: fips_locl.h
++fips_ecdh_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_ecdh_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
++fips_ecdh_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
++fips_ecdh_selftest.o: ../../include/openssl/ecdh.h ../../include/openssl/err.h
++fips_ecdh_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_ecdh_selftest.o: ../../include/openssl/lhash.h
++fips_ecdh_selftest.o: ../../include/openssl/obj_mac.h
++fips_ecdh_selftest.o: ../../include/openssl/objects.h
++fips_ecdh_selftest.o: ../../include/openssl/opensslconf.h
++fips_ecdh_selftest.o: ../../include/openssl/opensslv.h
++fips_ecdh_selftest.o: ../../include/openssl/ossl_typ.h
++fips_ecdh_selftest.o: ../../include/openssl/safestack.h
++fips_ecdh_selftest.o: ../../include/openssl/stack.h
++fips_ecdh_selftest.o: ../../include/openssl/symhacks.h fips_ecdh_selftest.c
++fips_ecdh_selftest.o: fips_locl.h
++fips_ecdsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_ecdsa_selftest.o: ../../include/openssl/bn.h
++fips_ecdsa_selftest.o: ../../include/openssl/crypto.h
++fips_ecdsa_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
++fips_ecdsa_selftest.o: ../../include/openssl/ecdsa.h
++fips_ecdsa_selftest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
++fips_ecdsa_selftest.o: ../../include/openssl/fips.h
++fips_ecdsa_selftest.o: ../../include/openssl/lhash.h
++fips_ecdsa_selftest.o: ../../include/openssl/obj_mac.h
++fips_ecdsa_selftest.o: ../../include/openssl/objects.h
++fips_ecdsa_selftest.o: ../../include/openssl/opensslconf.h
++fips_ecdsa_selftest.o: ../../include/openssl/opensslv.h
++fips_ecdsa_selftest.o: ../../include/openssl/ossl_typ.h
++fips_ecdsa_selftest.o: ../../include/openssl/safestack.h
++fips_ecdsa_selftest.o: ../../include/openssl/stack.h
++fips_ecdsa_selftest.o: ../../include/openssl/symhacks.h fips_ecdsa_selftest.c
++fips_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_enc.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
++fips_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
++fips_enc.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
++fips_enc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
++fips_enc.o: ../../include/openssl/opensslconf.h
++fips_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
++fips_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
++fips_enc.o: ../../include/openssl/symhacks.h fips_enc.c
+ fips_hmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ fips_hmac_selftest.o: ../../include/openssl/crypto.h
+ fips_hmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+@@ -246,6 +301,15 @@ fips_hmac_selftest.o: ../../include/open
+ fips_hmac_selftest.o: ../../include/openssl/safestack.h
+ fips_hmac_selftest.o: ../../include/openssl/stack.h
+ fips_hmac_selftest.o: ../../include/openssl/symhacks.h fips_hmac_selftest.c
++fips_md.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_md.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
++fips_md.o: ../../include/openssl/err.h ../../include/openssl/evp.h
++fips_md.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
++fips_md.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
++fips_md.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
++fips_md.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
++fips_md.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
++fips_md.o: fips_md.c
+ fips_post.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
+ fips_post.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+ fips_post.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+diff -up openssl-1.0.2a/version.map.fips-ec openssl-1.0.2a/version.map
+--- openssl-1.0.2a/version.map.fips-ec 2015-04-22 19:00:19.704884111 +0200
++++ openssl-1.0.2a/version.map 2015-04-22 19:00:19.724884583 +0200
+@@ -6,6 +6,10 @@ OPENSSL_1.0.1 {
+ _original*;
+ _current*;
+ };
++OPENSSL_1.0.1_EC {
++ global:
++ EC*;
++};
+ OPENSSL_1.0.2 {
+ global:
+ SSLeay;
diff --git a/openssl-1.0.2a-fips-md5-allow.patch b/openssl-1.0.2a-fips-md5-allow.patch
new file mode 100644
index 0000000..825417f
--- /dev/null
+++ b/openssl-1.0.2a-fips-md5-allow.patch
@@ -0,0 +1,21 @@
+diff -up openssl-1.0.2a/crypto/md5/md5_dgst.c.md5-allow openssl-1.0.2a/crypto/md5/md5_dgst.c
+--- openssl-1.0.2a/crypto/md5/md5_dgst.c.md5-allow 2015-04-09 18:18:36.505393113 +0200
++++ openssl-1.0.2a/crypto/md5/md5_dgst.c 2015-04-09 18:18:32.408298469 +0200
+@@ -72,7 +72,16 @@ const char MD5_version[] = "MD5" OPENSSL
+ #define INIT_DATA_C (unsigned long)0x98badcfeL
+ #define INIT_DATA_D (unsigned long)0x10325476L
+
+-nonfips_md_init(MD5)
++int MD5_Init(MD5_CTX *c)
++#ifdef OPENSSL_FIPS
++{
++ if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
++ OpenSSLDie(__FILE__, __LINE__, "Digest MD5 forbidden in FIPS mode!");
++ return private_MD5_Init(c);
++}
++
++int private_MD5_Init(MD5_CTX *c)
++#endif
+ {
+ memset(c, 0, sizeof(*c));
+ c->A = INIT_DATA_A;
diff --git a/openssl-1.0.2a-fips.patch b/openssl-1.0.2a-fips.patch
new file mode 100644
index 0000000..81bed3a
--- /dev/null
+++ b/openssl-1.0.2a-fips.patch
@@ -0,0 +1,13699 @@
+diff -up openssl-1.0.2a/apps/speed.c.fips openssl-1.0.2a/apps/speed.c
+--- openssl-1.0.2a/apps/speed.c.fips 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/apps/speed.c 2015-04-22 16:08:40.284245465 +0200
+@@ -197,7 +197,6 @@
+ # ifdef OPENSSL_DOING_MAKEDEPEND
+ # undef AES_set_encrypt_key
+ # undef AES_set_decrypt_key
+-# undef DES_set_key_unchecked
+ # endif
+ # define BF_set_key private_BF_set_key
+ # define CAST_set_key private_CAST_set_key
+@@ -205,7 +204,6 @@
+ # define SEED_set_key private_SEED_set_key
+ # define RC2_set_key private_RC2_set_key
+ # define RC4_set_key private_RC4_set_key
+-# define DES_set_key_unchecked private_DES_set_key_unchecked
+ # define AES_set_encrypt_key private_AES_set_encrypt_key
+ # define AES_set_decrypt_key private_AES_set_decrypt_key
+ # define Camellia_set_key private_Camellia_set_key
+@@ -974,7 +972,12 @@ int MAIN(int argc, char **argv)
+ # endif
+ # ifndef OPENSSL_NO_RSA
+ if (strcmp(*argv, "rsa") == 0) {
+- rsa_doit[R_RSA_512] = 1;
++# ifdef OPENSSL_FIPS
++ if (!FIPS_mode())
++# endif
++ {
++ rsa_doit[R_RSA_512] = 1;
++ }
+ rsa_doit[R_RSA_1024] = 1;
+ rsa_doit[R_RSA_2048] = 1;
+ rsa_doit[R_RSA_4096] = 1;
+@@ -982,7 +985,12 @@ int MAIN(int argc, char **argv)
+ # endif
+ # ifndef OPENSSL_NO_DSA
+ if (strcmp(*argv, "dsa") == 0) {
+- dsa_doit[R_DSA_512] = 1;
++# ifdef OPENSSL_FIPS
++ if (!FIPS_mode())
++# endif
++ {
++ dsa_doit[R_DSA_512] = 1;
++ }
+ dsa_doit[R_DSA_1024] = 1;
+ dsa_doit[R_DSA_2048] = 1;
+ } else
+@@ -1233,13 +1241,19 @@ int MAIN(int argc, char **argv)
+
+ if (j == 0) {
+ for (i = 0; i < ALGOR_NUM; i++) {
+- if (i != D_EVP)
++ if (i != D_EVP &&
++ (!FIPS_mode() || (i != D_WHIRLPOOL &&
++ i != D_MD2 && i != D_MD4 &&
++ i != D_MD5 && i != D_MDC2 &&
++ i != D_RMD160)))
+ doit[i] = 1;
+ }
+ for (i = 0; i < RSA_NUM; i++)
+- rsa_doit[i] = 1;
++ if (!FIPS_mode() || i != R_RSA_512)
++ rsa_doit[i] = 1;
+ for (i = 0; i < DSA_NUM; i++)
+- dsa_doit[i] = 1;
++ if (!FIPS_mode() || i != R_DSA_512)
++ dsa_doit[i] = 1;
+ # ifndef OPENSSL_NO_ECDSA
+ for (i = 0; i < EC_NUM; i++)
+ ecdsa_doit[i] = 1;
+@@ -1299,30 +1313,46 @@ int MAIN(int argc, char **argv)
+ AES_set_encrypt_key(key32, 256, &aes_ks3);
+ # endif
+ # ifndef OPENSSL_NO_CAMELLIA
+- Camellia_set_key(key16, 128, &camellia_ks1);
+- Camellia_set_key(ckey24, 192, &camellia_ks2);
+- Camellia_set_key(ckey32, 256, &camellia_ks3);
++ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML]) {
++ Camellia_set_key(key16, 128, &camellia_ks1);
++ Camellia_set_key(ckey24, 192, &camellia_ks2);
++ Camellia_set_key(ckey32, 256, &camellia_ks3);
++ }
+ # endif
+ # ifndef OPENSSL_NO_IDEA
+- idea_set_encrypt_key(key16, &idea_ks);
++ if (doit[D_CBC_IDEA]) {
++ idea_set_encrypt_key(key16, &idea_ks);
++ }
+ # endif
+ # ifndef OPENSSL_NO_SEED
+- SEED_set_key(key16, &seed_ks);
++ if (doit[D_CBC_SEED]) {
++ SEED_set_key(key16, &seed_ks);
++ }
+ # endif
+ # ifndef OPENSSL_NO_RC4
+- RC4_set_key(&rc4_ks, 16, key16);
++ if (doit[D_RC4]) {
++ RC4_set_key(&rc4_ks, 16, key16);
++ }
+ # endif
+ # ifndef OPENSSL_NO_RC2
+- RC2_set_key(&rc2_ks, 16, key16, 128);
++ if (doit[D_CBC_RC2]) {
++ RC2_set_key(&rc2_ks, 16, key16, 128);
++ }
+ # endif
+ # ifndef OPENSSL_NO_RC5
+- RC5_32_set_key(&rc5_ks, 16, key16, 12);
++ if (doit[D_CBC_RC5]) {
++ RC5_32_set_key(&rc5_ks, 16, key16, 12);
++ }
+ # endif
+ # ifndef OPENSSL_NO_BF
+- BF_set_key(&bf_ks, 16, key16);
++ if (doit[D_CBC_BF]) {
++ BF_set_key(&bf_ks, 16, key16);
++ }
+ # endif
+ # ifndef OPENSSL_NO_CAST
+- CAST_set_key(&cast_ks, 16, key16);
++ if (doit[D_CBC_CAST]) {
++ CAST_set_key(&cast_ks, 16, key16);
++ }
+ # endif
+ # ifndef OPENSSL_NO_RSA
+ memset(rsa_c, 0, sizeof(rsa_c));
+@@ -1605,6 +1635,7 @@ int MAIN(int argc, char **argv)
+ HMAC_CTX hctx;
+
+ HMAC_CTX_init(&hctx);
++ HMAC_CTX_set_flags(&hctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ HMAC_Init_ex(&hctx, (unsigned char *)"This is a key...",
+ 16, EVP_md5(), NULL);
+
+diff -up openssl-1.0.2a/Configure.fips openssl-1.0.2a/Configure
+--- openssl-1.0.2a/Configure.fips 2015-04-22 16:08:40.266245039 +0200
++++ openssl-1.0.2a/Configure 2015-04-22 16:08:40.284245465 +0200
+@@ -1040,11 +1040,6 @@ if (defined($disabled{"md5"}) || defined
+ $disabled{"ssl2"} = "forced";
+ }
+
+-if ($fips && $fipslibdir eq "")
+- {
+- $fipslibdir = $fipsdir . "/lib/";
+- }
+-
+ # RSAX ENGINE sets default non-FIPS RSA method.
+ if ($fips)
+ {
+@@ -1532,7 +1527,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($b
+ if ($fips)
+ {
+ $openssl_other_defines.="#define OPENSSL_FIPS\n";
+- $cflags .= " -I\$(FIPSDIR)/include";
+ }
+
+ $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/);
+@@ -1724,9 +1718,12 @@ while (<IN>)
+
+ s/^FIPSDIR=.*/FIPSDIR=$fipsdir/;
+ s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
+- s/^FIPSCANLIB=.*/FIPSCANLIB=libcrypto/ if $fips;
+ s/^BASEADDR=.*/BASEADDR=$baseaddr/;
+
++ if ($fips)
++ {
++ s/^FIPS=.*/FIPS=yes/;
++ }
+ s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
+ s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
+ s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
+diff -up openssl-1.0.2a/crypto/aes/aes_misc.c.fips openssl-1.0.2a/crypto/aes/aes_misc.c
+--- openssl-1.0.2a/crypto/aes/aes_misc.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/aes/aes_misc.c 2015-04-22 16:08:40.284245465 +0200
+@@ -70,17 +70,11 @@ const char *AES_options(void)
+ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+ AES_KEY *key)
+ {
+-#ifdef OPENSSL_FIPS
+- fips_cipher_abort(AES);
+-#endif
+ return private_AES_set_encrypt_key(userKey, bits, key);
+ }
+
+ int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+ AES_KEY *key)
+ {
+-#ifdef OPENSSL_FIPS
+- fips_cipher_abort(AES);
+-#endif
+ return private_AES_set_decrypt_key(userKey, bits, key);
+ }
+diff -up openssl-1.0.2a/crypto/cmac/cmac.c.fips openssl-1.0.2a/crypto/cmac/cmac.c
+--- openssl-1.0.2a/crypto/cmac/cmac.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/cmac/cmac.c 2015-04-22 16:08:40.284245465 +0200
+@@ -105,12 +105,6 @@ CMAC_CTX *CMAC_CTX_new(void)
+
+ void CMAC_CTX_cleanup(CMAC_CTX *ctx)
+ {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !ctx->cctx.engine) {
+- FIPS_cmac_ctx_cleanup(ctx);
+- return;
+- }
+-#endif
+ EVP_CIPHER_CTX_cleanup(&ctx->cctx);
+ OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH);
+ OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH);
+@@ -158,12 +152,6 @@ int CMAC_Init(CMAC_CTX *ctx, const void
+ EVPerr(EVP_F_CMAC_INIT, EVP_R_DISABLED_FOR_FIPS);
+ return 0;
+ }
+- /*
+- * Other algorithm blocking will be done in FIPS_cmac_init, via
+- * FIPS_cipherinit().
+- */
+- if (!impl && !ctx->cctx.engine)
+- return FIPS_cmac_init(ctx, key, keylen, cipher, NULL);
+ }
+ #endif
+ /* All zeros means restart */
+@@ -209,10 +197,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi
+ {
+ const unsigned char *data = in;
+ size_t bl;
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !ctx->cctx.engine)
+- return FIPS_cmac_update(ctx, in, dlen);
+-#endif
+ if (ctx->nlast_block == -1)
+ return 0;
+ if (dlen == 0)
+@@ -252,10 +236,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi
+ int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen)
+ {
+ int i, bl, lb;
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !ctx->cctx.engine)
+- return FIPS_cmac_final(ctx, out, poutlen);
+-#endif
+ if (ctx->nlast_block == -1)
+ return 0;
+ bl = EVP_CIPHER_CTX_block_size(&ctx->cctx);
+diff -up openssl-1.0.2a/crypto/crypto.h.fips openssl-1.0.2a/crypto/crypto.h
+--- openssl-1.0.2a/crypto/crypto.h.fips 2015-04-22 16:08:40.161242552 +0200
++++ openssl-1.0.2a/crypto/crypto.h 2015-04-22 16:08:40.285245489 +0200
+@@ -600,24 +600,29 @@ int FIPS_mode_set(int r);
+ void OPENSSL_init(void);
+
+ # define fips_md_init(alg) fips_md_init_ctx(alg, alg)
++# define nonfips_md_init(alg) nonfips_md_init_ctx(alg, alg)
++# define fips_md_init_ctx(alg, cx) \
++ int alg##_Init(cx##_CTX *c)
+
+ # ifdef OPENSSL_FIPS
+-# define fips_md_init_ctx(alg, cx) \
++# define nonfips_md_init_ctx(alg, cx) \
+ int alg##_Init(cx##_CTX *c) \
+ { \
+ if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
+- "Low level API call to digest " #alg " forbidden in FIPS mode!"); \
++ "Digest " #alg " forbidden in FIPS mode!"); \
+ return private_##alg##_Init(c); \
+ } \
+ int private_##alg##_Init(cx##_CTX *c)
+
+ # define fips_cipher_abort(alg) \
+ if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
+- "Low level API call to cipher " #alg " forbidden in FIPS mode!")
++ "Cipher " #alg " forbidden in FIPS mode!")
++
++/* die if FIPS selftest failed */
++void FIPS_selftest_check(void);
+
+ # else
+-# define fips_md_init_ctx(alg, cx) \
+- int alg##_Init(cx##_CTX *c)
++# define nonfips_md_init_ctx(alg, cx) fips_md_init_ctx(alg, cx)
+ # define fips_cipher_abort(alg) while(0)
+ # endif
+
+@@ -637,6 +642,9 @@ int CRYPTO_memcmp(const void *a, const v
+ */
+ void ERR_load_CRYPTO_strings(void);
+
++# define OPENSSL_HAVE_INIT 1
++void OPENSSL_init_library(void);
++
+ /* Error codes for the CRYPTO functions. */
+
+ /* Function codes. */
+diff -up openssl-1.0.2a/crypto/des/des.h.fips openssl-1.0.2a/crypto/des/des.h
+--- openssl-1.0.2a/crypto/des/des.h.fips 2015-04-22 16:08:40.191243263 +0200
++++ openssl-1.0.2a/crypto/des/des.h 2015-04-22 16:08:40.285245489 +0200
+@@ -231,10 +231,6 @@ int DES_set_key(const_DES_cblock *key, D
+ int DES_key_sched(const_DES_cblock *key, DES_key_schedule *schedule);
+ int DES_set_key_checked(const_DES_cblock *key, DES_key_schedule *schedule);
+ void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule);
+-# ifdef OPENSSL_FIPS
+-void private_DES_set_key_unchecked(const_DES_cblock *key,
+- DES_key_schedule *schedule);
+-# endif
+ void DES_string_to_key(const char *str, DES_cblock *key);
+ void DES_string_to_2keys(const char *str, DES_cblock *key1, DES_cblock *key2);
+ void DES_cfb64_encrypt(const unsigned char *in, unsigned char *out,
+diff -up openssl-1.0.2a/crypto/des/set_key.c.fips openssl-1.0.2a/crypto/des/set_key.c
+--- openssl-1.0.2a/crypto/des/set_key.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/des/set_key.c 2015-04-22 16:08:40.285245489 +0200
+@@ -359,15 +359,6 @@ int DES_set_key_checked(const_DES_cblock
+ }
+
+ void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
+-#ifdef OPENSSL_FIPS
+-{
+- fips_cipher_abort(DES);
+- private_DES_set_key_unchecked(key, schedule);
+-}
+-
+-void private_DES_set_key_unchecked(const_DES_cblock *key,
+- DES_key_schedule *schedule)
+-#endif
+ {
+ static const int shifts2[16] =
+ { 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0 };
+diff -up openssl-1.0.2a/crypto/dh/dh_gen.c.fips openssl-1.0.2a/crypto/dh/dh_gen.c
+--- openssl-1.0.2a/crypto/dh/dh_gen.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/dh/dh_gen.c 2015-04-22 16:08:40.285245489 +0200
+@@ -85,10 +85,6 @@ int DH_generate_parameters_ex(DH *ret, i
+ #endif
+ if (ret->meth->generate_params)
+ return ret->meth->generate_params(ret, prime_len, generator, cb);
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_dh_generate_parameters_ex(ret, prime_len, generator, cb);
+-#endif
+ return dh_builtin_genparams(ret, prime_len, generator, cb);
+ }
+
+@@ -126,6 +122,18 @@ static int dh_builtin_genparams(DH *ret,
+ int g, ok = -1;
+ BN_CTX *ctx = NULL;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED);
++ return 0;
++ }
++
++ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
++ DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
++ goto err;
++ }
++#endif
++
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+diff -up openssl-1.0.2a/crypto/dh/dh.h.fips openssl-1.0.2a/crypto/dh/dh.h
+--- openssl-1.0.2a/crypto/dh/dh.h.fips 2015-04-22 16:08:40.134241913 +0200
++++ openssl-1.0.2a/crypto/dh/dh.h 2015-04-22 16:08:40.285245489 +0200
+@@ -77,6 +77,8 @@
+ # define OPENSSL_DH_MAX_MODULUS_BITS 10000
+ # endif
+
++# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
++
+ # define DH_FLAG_CACHE_MONT_P 0x01
+
+ /*
+diff -up openssl-1.0.2a/crypto/dh/dh_key.c.fips openssl-1.0.2a/crypto/dh/dh_key.c
+--- openssl-1.0.2a/crypto/dh/dh_key.c.fips 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/dh/dh_key.c 2015-04-22 16:08:40.285245489 +0200
+@@ -61,6 +61,9 @@
+ #include <openssl/bn.h>
+ #include <openssl/rand.h>
+ #include <openssl/dh.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+
+ static int generate_key(DH *dh);
+ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
+@@ -97,7 +100,7 @@ int DH_compute_key(unsigned char *key, c
+ int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+ {
+ int rv, pad;
+- rv = dh->meth->compute_key(key, pub_key, dh);
++ rv = DH_compute_key(key, pub_key, dh);
+ if (rv <= 0)
+ return rv;
+ pad = BN_num_bytes(dh->p) - rv;
+@@ -115,7 +118,7 @@ static DH_METHOD dh_ossl = {
+ dh_bn_mod_exp,
+ dh_init,
+ dh_finish,
+- 0,
++ DH_FLAG_FIPS_METHOD,
+ NULL,
+ NULL
+ };
+@@ -134,6 +137,14 @@ static int generate_key(DH *dh)
+ BN_MONT_CTX *mont = NULL;
+ BIGNUM *pub_key = NULL, *priv_key = NULL;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode()
++ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
++ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
++ return 0;
++ }
++#endif
++
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+@@ -217,6 +228,13 @@ static int compute_key(unsigned char *ke
+ DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE);
+ goto err;
+ }
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode()
++ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
++ DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
++ goto err;
++ }
++#endif
+
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+@@ -277,6 +295,9 @@ static int dh_bn_mod_exp(const DH *dh, B
+
+ static int dh_init(DH *dh)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ dh->flags |= DH_FLAG_CACHE_MONT_P;
+ return (1);
+ }
+diff -up openssl-1.0.2a/crypto/dh/dh_lib.c.fips openssl-1.0.2a/crypto/dh/dh_lib.c
+--- openssl-1.0.2a/crypto/dh/dh_lib.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/dh/dh_lib.c 2015-04-22 16:08:40.286245512 +0200
+@@ -80,14 +80,7 @@ void DH_set_default_method(const DH_METH
+ const DH_METHOD *DH_get_default_method(void)
+ {
+ if (!default_DH_method) {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_dh_openssl();
+- else
+- return DH_OpenSSL();
+-#else
+ default_DH_method = DH_OpenSSL();
+-#endif
+ }
+ return default_DH_method;
+ }
+diff -up openssl-1.0.2a/crypto/dsa/dsa_err.c.fips openssl-1.0.2a/crypto/dsa/dsa_err.c
+--- openssl-1.0.2a/crypto/dsa/dsa_err.c.fips 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/dsa/dsa_err.c 2015-04-22 16:08:40.286245512 +0200
+@@ -74,6 +74,8 @@ static ERR_STRING_DATA DSA_str_functs[]
+ {ERR_FUNC(DSA_F_DO_DSA_PRINT), "DO_DSA_PRINT"},
+ {ERR_FUNC(DSA_F_DSAPARAMS_PRINT), "DSAparams_print"},
+ {ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP), "DSAparams_print_fp"},
++ {ERR_FUNC(DSA_F_DSA_BUILTIN_KEYGEN), "dsa_builtin_keygen"},
++ {ERR_FUNC(DSA_F_DSA_BUILTIN_PARAMGEN), "dsa_builtin_paramgen"},
+ {ERR_FUNC(DSA_F_DSA_BUILTIN_PARAMGEN2), "DSA_BUILTIN_PARAMGEN2"},
+ {ERR_FUNC(DSA_F_DSA_DO_SIGN), "DSA_do_sign"},
+ {ERR_FUNC(DSA_F_DSA_DO_VERIFY), "DSA_do_verify"},
+@@ -109,6 +111,8 @@ static ERR_STRING_DATA DSA_str_reasons[]
+ {ERR_REASON(DSA_R_DECODE_ERROR), "decode error"},
+ {ERR_REASON(DSA_R_INVALID_DIGEST_TYPE), "invalid digest type"},
+ {ERR_REASON(DSA_R_INVALID_PARAMETERS), "invalid parameters"},
++ {ERR_REASON(DSA_R_KEY_SIZE_INVALID), "key size invalid"},
++ {ERR_REASON(DSA_R_KEY_SIZE_TOO_SMALL), "key size too small"},
+ {ERR_REASON(DSA_R_MISSING_PARAMETERS), "missing parameters"},
+ {ERR_REASON(DSA_R_MODULUS_TOO_LARGE), "modulus too large"},
+ {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES), "need new setup values"},
+diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_gen.c
+--- openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/dsa/dsa_gen.c 2015-04-22 16:08:40.286245512 +0200
+@@ -91,6 +91,16 @@
+ # include <openssl/fips.h>
+ # endif
+
++# ifndef OPENSSL_FIPS
++static int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
++ const EVP_MD *evpmd, unsigned char *seed,
++ int seed_len, BIGNUM **p_ret, BIGNUM **q_ret,
++ int *counter_ret, BN_GENCB *cb);
++static int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
++ BIGNUM **g_ret, unsigned long *h_ret,
++ BN_GENCB *cb);
++# endif
++
+ int DSA_generate_parameters_ex(DSA *ret, int bits,
+ const unsigned char *seed_in, int seed_len,
+ int *counter_ret, unsigned long *h_ret,
+@@ -106,13 +116,6 @@ int DSA_generate_parameters_ex(DSA *ret,
+ if (ret->meth->dsa_paramgen)
+ return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
+ counter_ret, h_ret, cb);
+-# ifdef OPENSSL_FIPS
+- else if (FIPS_mode()) {
+- return FIPS_dsa_generate_parameters_ex(ret, bits,
+- seed_in, seed_len,
+- counter_ret, h_ret, cb);
+- }
+-# endif
+ else {
+ const EVP_MD *evpmd;
+ size_t qbits = bits >= 2048 ? 256 : 160;
+@@ -126,80 +129,156 @@ int DSA_generate_parameters_ex(DSA *ret,
+ }
+
+ return dsa_builtin_paramgen(ret, bits, qbits, evpmd,
+- seed_in, seed_len, NULL, counter_ret,
++ seed_in, seed_len, counter_ret,
+ h_ret, cb);
+ }
+ }
+
++# ifdef OPENSSL_FIPS
++int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
++ const EVP_MD *evpmd,
++ const unsigned char *seed_in, size_t seed_len,
++ int *counter_ret, unsigned long *h_ret,
++ BN_GENCB *cb)
++{
++ return dsa_builtin_paramgen(ret, bits, qbits,
++ evpmd, seed_in, seed_len,
++ counter_ret, h_ret, cb);
++}
++# endif
++
+ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
+ const EVP_MD *evpmd, const unsigned char *seed_in,
+- size_t seed_len, unsigned char *seed_out,
++ size_t seed_len,
+ int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
+ {
+ int ok = 0;
+ unsigned char seed[SHA256_DIGEST_LENGTH];
++ BIGNUM *g = NULL, *q = NULL, *p = NULL;
++ size_t qsize = qbits >> 3;
++ BN_CTX *ctx = NULL;
++
++# ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN, FIPS_R_FIPS_SELFTEST_FAILED);
++ goto err;
++ }
++
++ if (FIPS_module_mode() &&
++ (bits != 1024 || qbits != 160) &&
++ (bits != 2048 || qbits != 224) &&
++ (bits != 2048 || qbits != 256) && (bits != 3072 || qbits != 256)) {
++ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
++ goto err;
++ }
++# endif
++ if (seed_len && (seed_len < (size_t)qsize))
++ seed_in = NULL; /* seed buffer too small -- ignore */
++ if (seed_len > sizeof(seed))
++ seed_len = sizeof(seed); /* App. 2.2 of FIPS PUB 186 allows larger SEED,
++ * but our internal buffers are restricted to 256 bits*/
++ if (seed_in != NULL)
++ memcpy(seed, seed_in, seed_len);
++ else
++ seed_len = 0;
++
++ if ((ctx = BN_CTX_new()) == NULL)
++ goto err;
++
++ BN_CTX_start(ctx);
++
++ if (!FIPS_dsa_generate_pq(ctx, bits, qbits, evpmd,
++ seed, seed_len, &p, &q, counter_ret, cb))
++ goto err;
++
++ if (!FIPS_dsa_generate_g(ctx, p, q, &g, h_ret, cb))
++ goto err;
++
++ ok = 1;
++ err:
++ if (ok) {
++ if (ret->p) {
++ BN_free(ret->p);
++ ret->p = NULL;
++ }
++ if (ret->q) {
++ BN_free(ret->q);
++ ret->q = NULL;
++ }
++ if (ret->g) {
++ BN_free(ret->g);
++ ret->g = NULL;
++ }
++ ret->p = BN_dup(p);
++ ret->q = BN_dup(q);
++ ret->g = BN_dup(g);
++ if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
++ ok = 0;
++ }
++ if (ctx) {
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++ }
++ return ok;
++}
++
++# ifndef OPENSSL_FIPS
++static
++# endif
++int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
++ const EVP_MD *evpmd, unsigned char *seed,
++ int seed_len, BIGNUM **p_ret, BIGNUM **q_ret,
++ int *counter_ret, BN_GENCB *cb)
++{
++ int ok = 0;
+ unsigned char md[SHA256_DIGEST_LENGTH];
+- unsigned char buf[SHA256_DIGEST_LENGTH], buf2[SHA256_DIGEST_LENGTH];
++ unsigned char buf[SHA256_DIGEST_LENGTH];
+ BIGNUM *r0, *W, *X, *c, *test;
+- BIGNUM *g = NULL, *q = NULL, *p = NULL;
+- BN_MONT_CTX *mont = NULL;
+- int i, k, n = 0, m = 0, qsize = qbits >> 3;
++ BIGNUM *q = NULL, *p = NULL;
++ int i, k, b, n = 0, m = 0, qsize = qbits >> 3;
+ int counter = 0;
+ int r = 0;
+- BN_CTX *ctx = NULL;
+- unsigned int h = 2;
+
+ if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH &&
+ qsize != SHA256_DIGEST_LENGTH)
+ /* invalid q size */
+ return 0;
+
+- if (evpmd == NULL)
+- /* use SHA1 as default */
+- evpmd = EVP_sha1();
++ if (evpmd == NULL) {
++ if (qbits <= 160)
++ evpmd = EVP_sha1();
++ else if (qbits <= 224)
++ evpmd = EVP_sha224();
++ else
++ evpmd = EVP_sha256();
++ }
+
+ if (bits < 512)
+ bits = 512;
+
+ bits = (bits + 63) / 64 * 64;
+
+- /*
+- * NB: seed_len == 0 is special case: copy generated seed to seed_in if
+- * it is not NULL.
+- */
+- if (seed_len && (seed_len < (size_t)qsize))
+- seed_in = NULL; /* seed buffer too small -- ignore */
+- if (seed_len > (size_t)qsize)
+- seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger
+- * SEED, but our internal buffers are
+- * restricted to 160 bits */
+- if (seed_in != NULL)
+- memcpy(seed, seed_in, seed_len);
+-
+- if ((ctx = BN_CTX_new()) == NULL)
+- goto err;
+-
+- if ((mont = BN_MONT_CTX_new()) == NULL)
+- goto err;
+-
+- BN_CTX_start(ctx);
+ r0 = BN_CTX_get(ctx);
+- g = BN_CTX_get(ctx);
+ W = BN_CTX_get(ctx);
+- q = BN_CTX_get(ctx);
++ *q_ret = q = BN_CTX_get(ctx);
+ X = BN_CTX_get(ctx);
+ c = BN_CTX_get(ctx);
+- p = BN_CTX_get(ctx);
++ *p_ret = p = BN_CTX_get(ctx);
+ test = BN_CTX_get(ctx);
+
+ if (!BN_lshift(test, BN_value_one(), bits - 1))
+ goto err;
+
++ /* step 3 n = \lceil bits / qbits \rceil - 1 */
++ n = (bits + qbits - 1) / qbits - 1;
++ /* step 4 b = bits - 1 - n * qbits */
++ b = bits - 1 - n * qbits;
++
+ for (;;) {
+ for (;;) { /* find q */
+ int seed_is_random;
+
+- /* step 1 */
++ /* step 5 generate seed */
+ if (!BN_GENCB_call(cb, 0, m++))
+ goto err;
+
+@@ -212,29 +291,18 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ * be bad */
+ }
+ memcpy(buf, seed, qsize);
+- memcpy(buf2, seed, qsize);
+- /* precompute "SEED + 1" for step 7: */
+- for (i = qsize - 1; i >= 0; i--) {
+- buf[i]++;
+- if (buf[i] != 0)
+- break;
+- }
+
+- /* step 2 */
++ /* step 6 U = hash(seed) */
+ if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
+ goto err;
+- if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
+- goto err;
+- for (i = 0; i < qsize; i++)
+- md[i] ^= buf2[i];
+
+- /* step 3 */
++ /* step 7 q = 2^(qbits-1) + U + 1 - (U mod 2) */
+ md[0] |= 0x80;
+ md[qsize - 1] |= 0x01;
+ if (!BN_bin2bn(md, qsize, q))
+ goto err;
+
+- /* step 4 */
++ /* step 8 test for prime (64 round of Rabin-Miller) */
+ r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
+ seed_is_random, cb);
+ if (r > 0)
+@@ -242,8 +310,6 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ if (r != 0)
+ goto err;
+
+- /* do a callback call */
+- /* step 5 */
+ }
+
+ if (!BN_GENCB_call(cb, 2, 0))
+@@ -251,19 +317,16 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ if (!BN_GENCB_call(cb, 3, 0))
+ goto err;
+
+- /* step 6 */
++ /* step 11 */
+ counter = 0;
+- /* "offset = 2" */
+-
+- n = (bits - 1) / 160;
++ /* "offset = 1" */
+
+ for (;;) {
+ if ((counter != 0) && !BN_GENCB_call(cb, 0, counter))
+ goto err;
+
+- /* step 7 */
++ /* step 11.1, 11.2 obtain W */
+ BN_zero(W);
+- /* now 'buf' contains "SEED + offset - 1" */
+ for (k = 0; k <= n; k++) {
+ /*
+ * obtain "SEED + offset + k" by incrementing:
+@@ -277,36 +340,37 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ if (!EVP_Digest(buf, qsize, md, NULL, evpmd, NULL))
+ goto err;
+
+- /* step 8 */
+ if (!BN_bin2bn(md, qsize, r0))
+ goto err;
+- if (!BN_lshift(r0, r0, (qsize << 3) * k))
++ if (k == n)
++ BN_mask_bits(r0, b);
++ if (!BN_lshift(r0, r0, qbits * k))
+ goto err;
+ if (!BN_add(W, W, r0))
+ goto err;
+ }
+
+- /* more of step 8 */
+- if (!BN_mask_bits(W, bits - 1))
+- goto err;
++ /* step 11.3 X = W + 2^(L-1) */
+ if (!BN_copy(X, W))
+ goto err;
+ if (!BN_add(X, X, test))
+ goto err;
+
+- /* step 9 */
++ /* step 11.4 c = X mod 2*q */
+ if (!BN_lshift1(r0, q))
+ goto err;
+ if (!BN_mod(c, X, r0, ctx))
+ goto err;
++
++ /* step 11.5 p = X - (c - 1) */
+ if (!BN_sub(r0, c, BN_value_one()))
+ goto err;
+ if (!BN_sub(p, X, r0))
+ goto err;
+
+- /* step 10 */
++ /* step 11.6 */
+ if (BN_cmp(p, test) >= 0) {
+- /* step 11 */
++ /* step 11.7 */
+ r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, ctx, 1, cb);
+ if (r > 0)
+ goto end; /* found it */
+@@ -314,12 +378,12 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ goto err;
+ }
+
+- /* step 13 */
++ /* step 11.9 */
+ counter++;
+ /* "offset = offset + n + 1" */
+
+- /* step 14 */
+- if (counter >= 4096)
++ /* step 12 */
++ if (counter >= 4 * bits)
+ break;
+ }
+ }
+@@ -327,7 +391,33 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ if (!BN_GENCB_call(cb, 2, 1))
+ goto err;
+
+- /* We now need to generate g */
++ ok = 1;
++ err:
++ if (ok) {
++ if (counter_ret != NULL)
++ *counter_ret = counter;
++ }
++ return ok;
++}
++
++# ifndef OPENSSL_FIPS
++static
++# endif
++int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
++ BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb)
++{
++ int ok = 0;
++ BIGNUM *r0, *test, *g = NULL;
++ BN_MONT_CTX *mont;
++ unsigned int h = 2;
++
++ if ((mont = BN_MONT_CTX_new()) == NULL)
++ goto err;
++
++ r0 = BN_CTX_get(ctx);
++ *g_ret = g = BN_CTX_get(ctx);
++ test = BN_CTX_get(ctx);
++
+ /* Set r0=(p-1)/q */
+ if (!BN_sub(test, p, BN_value_one()))
+ goto err;
+@@ -356,46 +446,14 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ ok = 1;
+ err:
+ if (ok) {
+- if (ret->p)
+- BN_free(ret->p);
+- if (ret->q)
+- BN_free(ret->q);
+- if (ret->g)
+- BN_free(ret->g);
+- ret->p = BN_dup(p);
+- ret->q = BN_dup(q);
+- ret->g = BN_dup(g);
+- if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {
+- ok = 0;
+- goto err;
+- }
+- if (counter_ret != NULL)
+- *counter_ret = counter;
+ if (h_ret != NULL)
+ *h_ret = h;
+- if (seed_out)
+- memcpy(seed_out, seed, qsize);
+- }
+- if (ctx) {
+- BN_CTX_end(ctx);
+- BN_CTX_free(ctx);
+ }
+ if (mont != NULL)
+ BN_MONT_CTX_free(mont);
+ return ok;
+ }
+
+-# ifdef OPENSSL_FIPS
+-# undef fips_dsa_builtin_paramgen2
+-extern int fips_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
+- const EVP_MD *evpmd,
+- const unsigned char *seed_in,
+- size_t seed_len, int idx,
+- unsigned char *seed_out,
+- int *counter_ret, unsigned long *h_ret,
+- BN_GENCB *cb);
+-# endif
+-
+ /*
+ * This is a parameter generation algorithm for the DSA2 algorithm as
+ * described in FIPS 186-3.
+@@ -421,14 +479,6 @@ int dsa_builtin_paramgen2(DSA *ret, size
+ EVP_MD_CTX mctx;
+ unsigned int h = 2;
+
+-# ifdef OPENSSL_FIPS
+-
+- if (FIPS_mode())
+- return fips_dsa_builtin_paramgen2(ret, L, N, evpmd,
+- seed_in, seed_len, idx,
+- seed_out, counter_ret, h_ret, cb);
+-# endif
+-
+ EVP_MD_CTX_init(&mctx);
+
+ if (evpmd == NULL) {
+diff -up openssl-1.0.2a/crypto/dsa/dsa.h.fips openssl-1.0.2a/crypto/dsa/dsa.h
+--- openssl-1.0.2a/crypto/dsa/dsa.h.fips 2015-04-22 16:08:40.056240066 +0200
++++ openssl-1.0.2a/crypto/dsa/dsa.h 2015-04-22 16:08:40.286245512 +0200
+@@ -88,6 +88,8 @@
+ # define OPENSSL_DSA_MAX_MODULUS_BITS 10000
+ # endif
+
++# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
++
+ # define DSA_FLAG_CACHE_MONT_P 0x01
+ /*
+ * new with 0.9.7h; the built-in DSA implementation now uses constant time
+@@ -265,6 +267,20 @@ int DSA_print_fp(FILE *bp, const DSA *x,
+ DH *DSA_dup_DH(const DSA *r);
+ # endif
+
++# ifdef OPENSSL_FIPS
++int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
++ const EVP_MD *evpmd,
++ const unsigned char *seed_in,
++ size_t seed_len, int *counter_ret,
++ unsigned long *h_ret, BN_GENCB *cb);
++int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
++ const EVP_MD *evpmd, unsigned char *seed,
++ int seed_len, BIGNUM **p_ret, BIGNUM **q_ret,
++ int *counter_ret, BN_GENCB *cb);
++int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q, BIGNUM **g_ret,
++ unsigned long *h_ret, BN_GENCB *cb);
++# endif
++
+ # define EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, nbits) \
+ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, \
+ EVP_PKEY_CTRL_DSA_PARAMGEN_BITS, nbits, NULL)
+@@ -287,11 +303,14 @@ void ERR_load_DSA_strings(void);
+ # define DSA_F_DO_DSA_PRINT 104
+ # define DSA_F_DSAPARAMS_PRINT 100
+ # define DSA_F_DSAPARAMS_PRINT_FP 101
+-# define DSA_F_DSA_BUILTIN_PARAMGEN2 126
++# define DSA_F_DSA_BUILTIN_KEYGEN 124
++# define DSA_F_DSA_BUILTIN_PARAMGEN 123
++# define DSA_F_DSA_BUILTIN_PARAMGEN2 226
+ # define DSA_F_DSA_DO_SIGN 112
+ # define DSA_F_DSA_DO_VERIFY 113
+-# define DSA_F_DSA_GENERATE_KEY 124
+-# define DSA_F_DSA_GENERATE_PARAMETERS_EX 123
++# define DSA_F_DSA_GENERATE_KEY 126
++# define DSA_F_DSA_GENERATE_PARAMETERS_EX 127
++# define DSA_F_DSA_GENERATE_PARAMETERS /* unused */ 125
+ # define DSA_F_DSA_NEW_METHOD 103
+ # define DSA_F_DSA_PARAM_DECODE 119
+ # define DSA_F_DSA_PRINT_FP 105
+@@ -317,12 +336,16 @@ void ERR_load_DSA_strings(void);
+ # define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100
+ # define DSA_R_DECODE_ERROR 104
+ # define DSA_R_INVALID_DIGEST_TYPE 106
+-# define DSA_R_INVALID_PARAMETERS 112
++# define DSA_R_INVALID_PARAMETERS 212
++# define DSA_R_KEY_SIZE_INVALID 113
++# define DSA_R_KEY_SIZE_TOO_SMALL 110
+ # define DSA_R_MISSING_PARAMETERS 101
+ # define DSA_R_MODULUS_TOO_LARGE 103
+-# define DSA_R_NEED_NEW_SETUP_VALUES 110
++# define DSA_R_NEED_NEW_SETUP_VALUES 112
+ # define DSA_R_NON_FIPS_DSA_METHOD 111
++# define DSA_R_NON_FIPS_METHOD 111
+ # define DSA_R_NO_PARAMETERS_SET 107
++# define DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE /* unused */ 112
+ # define DSA_R_PARAMETER_ENCODING_ERROR 105
+ # define DSA_R_Q_NOT_PRIME 113
+
+diff -up openssl-1.0.2a/crypto/dsa/dsa_key.c.fips openssl-1.0.2a/crypto/dsa/dsa_key.c
+--- openssl-1.0.2a/crypto/dsa/dsa_key.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/dsa/dsa_key.c 2015-04-22 16:08:40.286245512 +0200
+@@ -66,6 +66,34 @@
+
+ # ifdef OPENSSL_FIPS
+ # include <openssl/fips.h>
++# include <openssl/evp.h>
++
++static int fips_check_dsa(DSA *dsa)
++{
++ EVP_PKEY *pk;
++ unsigned char tbs[] = "DSA Pairwise Check Data";
++ int ret = 0;
++
++ if ((pk = EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_set1_DSA(pk, dsa);
++
++ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))
++ ret = 1;
++
++ err:
++ if (ret == 0) {
++ FIPSerr(FIPS_F_FIPS_CHECK_DSA, FIPS_R_PAIRWISE_TEST_FAILED);
++ fips_set_selftest_fail();
++ }
++
++ if (pk)
++ EVP_PKEY_free(pk);
++
++ return ret;
++}
++
+ # endif
+
+ static int dsa_builtin_keygen(DSA *dsa);
+@@ -81,10 +109,6 @@ int DSA_generate_key(DSA *dsa)
+ # endif
+ if (dsa->meth->dsa_keygen)
+ return dsa->meth->dsa_keygen(dsa);
+-# ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_dsa_generate_key(dsa);
+-# endif
+ return dsa_builtin_keygen(dsa);
+ }
+
+@@ -94,6 +118,14 @@ static int dsa_builtin_keygen(DSA *dsa)
+ BN_CTX *ctx = NULL;
+ BIGNUM *pub_key = NULL, *priv_key = NULL;
+
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
++ DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
++ goto err;
++ }
++# endif
++
+ if ((ctx = BN_CTX_new()) == NULL)
+ goto err;
+
+@@ -131,6 +163,13 @@ static int dsa_builtin_keygen(DSA *dsa)
+
+ dsa->priv_key = priv_key;
+ dsa->pub_key = pub_key;
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !fips_check_dsa(dsa)) {
++ dsa->pub_key = NULL;
++ dsa->priv_key = NULL;
++ goto err;
++ }
++# endif
+ ok = 1;
+
+ err:
+diff -up openssl-1.0.2a/crypto/dsa/dsa_lib.c.fips openssl-1.0.2a/crypto/dsa/dsa_lib.c
+--- openssl-1.0.2a/crypto/dsa/dsa_lib.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/dsa/dsa_lib.c 2015-04-22 16:08:40.287245536 +0200
+@@ -86,14 +86,7 @@ void DSA_set_default_method(const DSA_ME
+ const DSA_METHOD *DSA_get_default_method(void)
+ {
+ if (!default_DSA_method) {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_dsa_openssl();
+- else
+- return DSA_OpenSSL();
+-#else
+ default_DSA_method = DSA_OpenSSL();
+-#endif
+ }
+ return default_DSA_method;
+ }
+diff -up openssl-1.0.2a/crypto/dsa/dsa_locl.h.fips openssl-1.0.2a/crypto/dsa/dsa_locl.h
+--- openssl-1.0.2a/crypto/dsa/dsa_locl.h.fips 2015-04-22 16:08:40.058240114 +0200
++++ openssl-1.0.2a/crypto/dsa/dsa_locl.h 2015-04-22 16:08:40.287245536 +0200
+@@ -56,7 +56,7 @@
+
+ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
+ const EVP_MD *evpmd, const unsigned char *seed_in,
+- size_t seed_len, unsigned char *seed_out,
++ size_t seed_len,
+ int *counter_ret, unsigned long *h_ret,
+ BN_GENCB *cb);
+
+diff -up openssl-1.0.2a/crypto/dsa/dsa_ossl.c.fips openssl-1.0.2a/crypto/dsa/dsa_ossl.c
+--- openssl-1.0.2a/crypto/dsa/dsa_ossl.c.fips 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/dsa/dsa_ossl.c 2015-04-22 16:08:40.287245536 +0200
+@@ -65,6 +65,9 @@
+ #include <openssl/dsa.h>
+ #include <openssl/rand.h>
+ #include <openssl/asn1.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+
+ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
+@@ -83,7 +86,7 @@ static DSA_METHOD openssl_dsa_meth = {
+ NULL, /* dsa_bn_mod_exp, */
+ dsa_init,
+ dsa_finish,
+- 0,
++ DSA_FLAG_FIPS_METHOD,
+ NULL,
+ NULL,
+ NULL
+@@ -140,6 +143,19 @@ static DSA_SIG *dsa_do_sign(const unsign
+ DSA_SIG *ret = NULL;
+ int noredo = 0;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_DSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED);
++ return NULL;
++ }
++
++ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
++ DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
++ return NULL;
++ }
++#endif
++
+ BN_init(&m);
+ BN_init(&xr);
+
+@@ -330,6 +346,18 @@ static int dsa_do_verify(const unsigned
+ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE);
+ return -1;
+ }
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_DSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED);
++ return -1;
++ }
++
++ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
++ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++#endif
+
+ if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
+ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE);
+@@ -410,6 +438,9 @@ static int dsa_do_verify(const unsigned
+
+ static int dsa_init(DSA *dsa)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ dsa->flags |= DSA_FLAG_CACHE_MONT_P;
+ return (1);
+ }
+diff -up openssl-1.0.2a/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.2a/crypto/dsa/dsa_pmeth.c
+--- openssl-1.0.2a/crypto/dsa/dsa_pmeth.c.fips 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/dsa/dsa_pmeth.c 2015-04-22 16:08:40.287245536 +0200
+@@ -253,7 +253,7 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT
+ if (!dsa)
+ return 0;
+ ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
+- NULL, 0, NULL, NULL, NULL, pcb);
++ NULL, 0, NULL, NULL, pcb);
+ if (ret)
+ EVP_PKEY_assign_DSA(pkey, dsa);
+ else
+diff -up openssl-1.0.2a/crypto/dsa/dsatest.c.fips openssl-1.0.2a/crypto/dsa/dsatest.c
+--- openssl-1.0.2a/crypto/dsa/dsatest.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/dsa/dsatest.c 2015-04-22 16:08:40.287245536 +0200
+@@ -100,36 +100,41 @@ static int MS_CALLBACK dsa_cb(int p, int
+ * PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1
+ */
+ static unsigned char seed[20] = {
+- 0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8, 0xb6, 0x21, 0x1b, 0x40,
+- 0x62, 0xba, 0x32, 0x24, 0xe0, 0x42, 0x7d, 0xd3,
++ 0x02, 0x47, 0x11, 0x92, 0x11, 0x88, 0xC8, 0xFB, 0xAF, 0x48, 0x4C, 0x62,
++ 0xDF, 0xA5, 0xBE, 0xA0, 0xA4, 0x3C, 0x56, 0xE3,
+ };
+
+ static unsigned char out_p[] = {
+- 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76, 0xaa,
+- 0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69, 0xcb,
+- 0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c, 0xf7,
+- 0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82, 0xe5,
+- 0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e, 0xaf,
+- 0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a, 0xac,
+- 0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24, 0xc2,
+- 0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02, 0x91,
++ 0xAC, 0xCB, 0x1E, 0x63, 0x60, 0x69, 0x0C, 0xFB, 0x06, 0x19, 0x68, 0x3E,
++ 0xA5, 0x01, 0x5A, 0xA2, 0x15, 0x5C, 0xE2, 0x99, 0x2D, 0xD5, 0x30, 0x99,
++ 0x7E, 0x5F, 0x8D, 0xE2, 0xF7, 0xC6, 0x2E, 0x8D, 0xA3, 0x9F, 0x58, 0xAD,
++ 0xD6, 0xA9, 0x7D, 0x0E, 0x0D, 0x95, 0x53, 0xA6, 0x71, 0x3A, 0xDE, 0xAB,
++ 0xAC, 0xE9, 0xF4, 0x36, 0x55, 0x9E, 0xB9, 0xD6, 0x93, 0xBF, 0xF3, 0x18,
++ 0x1C, 0x14, 0x7B, 0xA5, 0x42, 0x2E, 0xCD, 0x00, 0xEB, 0x35, 0x3B, 0x1B,
++ 0xA8, 0x51, 0xBB, 0xE1, 0x58, 0x42, 0x85, 0x84, 0x22, 0xA7, 0x97, 0x5E,
++ 0x99, 0x6F, 0x38, 0x20, 0xBD, 0x9D, 0xB6, 0xD9, 0x33, 0x37, 0x2A, 0xFD,
++ 0xBB, 0xD4, 0xBC, 0x0C, 0x2A, 0x67, 0xCB, 0x9F, 0xBB, 0xDF, 0xF9, 0x93,
++ 0xAA, 0xD6, 0xF0, 0xD6, 0x95, 0x0B, 0x5D, 0x65, 0x14, 0xD0, 0x18, 0x9D,
++ 0xC6, 0xAF, 0xF0, 0xC6, 0x37, 0x7C, 0xF3, 0x5F,
+ };
+
+ static unsigned char out_q[] = {
+- 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8, 0xee,
+- 0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4, 0x8e,
+- 0xda, 0xce, 0x91, 0x5f,
++ 0xE3, 0x8E, 0x5E, 0x6D, 0xBF, 0x2B, 0x79, 0xF8, 0xC5, 0x4B, 0x89, 0x8B,
++ 0xBA, 0x2D, 0x91, 0xC3, 0x6C, 0x80, 0xAC, 0x87,
+ };
+
+ static unsigned char out_g[] = {
+- 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, 0x13,
+- 0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5, 0x00,
+- 0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef, 0xcb,
+- 0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c, 0x2e,
+- 0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba, 0xbf,
+- 0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c, 0x9c,
+- 0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08, 0x8c,
+- 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88, 0x02,
++ 0x42, 0x4A, 0x04, 0x4E, 0x79, 0xB4, 0x99, 0x7F, 0xFD, 0x58, 0x36, 0x2C,
++ 0x1B, 0x5F, 0x18, 0x7E, 0x0D, 0xCC, 0xAB, 0x81, 0xC9, 0x5D, 0x10, 0xCE,
++ 0x4E, 0x80, 0x7E, 0x58, 0xB4, 0x34, 0x3F, 0xA7, 0x45, 0xC7, 0xAA, 0x36,
++ 0x24, 0x42, 0xA9, 0x3B, 0xE8, 0x0E, 0x04, 0x02, 0x2D, 0xFB, 0xA6, 0x13,
++ 0xB9, 0xB5, 0x15, 0xA5, 0x56, 0x07, 0x35, 0xE4, 0x03, 0xB6, 0x79, 0x7C,
++ 0x62, 0xDD, 0xDF, 0x3F, 0x71, 0x3A, 0x9D, 0x8B, 0xC4, 0xF6, 0xE7, 0x1D,
++ 0x52, 0xA8, 0xA9, 0x43, 0x1D, 0x33, 0x51, 0x88, 0x39, 0xBD, 0x73, 0xE9,
++ 0x5F, 0xBE, 0x82, 0x49, 0x27, 0xE6, 0xB5, 0x53, 0xC1, 0x38, 0xAC, 0x2F,
++ 0x6D, 0x97, 0x6C, 0xEB, 0x67, 0xC1, 0x5F, 0x67, 0xF8, 0x35, 0x05, 0x5E,
++ 0xD5, 0x68, 0x80, 0xAA, 0x96, 0xCA, 0x0B, 0x8A, 0xE6, 0xF1, 0xB1, 0x41,
++ 0xC6, 0x75, 0x94, 0x0A, 0x0A, 0x2A, 0xFA, 0x29,
+ };
+
+ static const unsigned char str1[] = "12345678901234567890";
+@@ -162,7 +167,7 @@ int main(int argc, char **argv)
+ BIO_printf(bio_err, "test generation of DSA parameters\n");
+
+ BN_GENCB_set(&cb, dsa_cb, bio_err);
+- if (((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512,
++ if (((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 1024,
+ seed, 20,
+ &counter,
+ &h, &cb))
+@@ -176,8 +181,8 @@ int main(int argc, char **argv)
+ BIO_printf(bio_err, "\ncounter=%d h=%ld\n", counter, h);
+
+ DSA_print(bio_err, dsa, 0);
+- if (counter != 105) {
+- BIO_printf(bio_err, "counter should be 105\n");
++ if (counter != 239) {
++ BIO_printf(bio_err, "counter should be 239\n");
+ goto end;
+ }
+ if (h != 2) {
+diff -up openssl-1.0.2a/crypto/engine/eng_all.c.fips openssl-1.0.2a/crypto/engine/eng_all.c
+--- openssl-1.0.2a/crypto/engine/eng_all.c.fips 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/engine/eng_all.c 2015-04-22 16:08:40.287245536 +0200
+@@ -59,11 +59,25 @@
+
+ #include "cryptlib.h"
+ #include "eng_int.h"
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+
+ void ENGINE_load_builtin_engines(void)
+ {
+ /* Some ENGINEs need this */
+ OPENSSL_cpuid_setup();
++#ifdef OPENSSL_FIPS
++ OPENSSL_init_library();
++ if (FIPS_mode()) {
++ /* We allow loading dynamic engine as a third party
++ engine might be FIPS validated.
++ User is disallowed to load non-validated engines
++ by security policy. */
++ ENGINE_load_dynamic();
++ return;
++ }
++#endif
+ #if 0
+ /*
+ * There's no longer any need for an "openssl" ENGINE unless, one day, it
+diff -up openssl-1.0.2a/crypto/evp/c_allc.c.fips openssl-1.0.2a/crypto/evp/c_allc.c
+--- openssl-1.0.2a/crypto/evp/c_allc.c.fips 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/evp/c_allc.c 2015-04-22 16:08:40.287245536 +0200
+@@ -65,6 +65,10 @@
+ void OpenSSL_add_all_ciphers(void)
+ {
+
++#ifdef OPENSSL_FIPS
++ OPENSSL_init_library();
++ if (!FIPS_mode()) {
++#endif
+ #ifndef OPENSSL_NO_DES
+ EVP_add_cipher(EVP_des_cfb());
+ EVP_add_cipher(EVP_des_cfb1());
+@@ -238,4 +242,64 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher_alias(SN_camellia_256_cbc, "CAMELLIA256");
+ EVP_add_cipher_alias(SN_camellia_256_cbc, "camellia256");
+ #endif
++#ifdef OPENSSL_FIPS
++ } else {
++# ifndef OPENSSL_NO_DES
++ EVP_add_cipher(EVP_des_ede_cfb());
++ EVP_add_cipher(EVP_des_ede3_cfb());
++
++ EVP_add_cipher(EVP_des_ede_ofb());
++ EVP_add_cipher(EVP_des_ede3_ofb());
++
++ EVP_add_cipher(EVP_des_ede_cbc());
++ EVP_add_cipher(EVP_des_ede3_cbc());
++ EVP_add_cipher_alias(SN_des_ede3_cbc, "DES3");
++ EVP_add_cipher_alias(SN_des_ede3_cbc, "des3");
++
++ EVP_add_cipher(EVP_des_ede());
++ EVP_add_cipher(EVP_des_ede3());
++# endif
++
++# ifndef OPENSSL_NO_AES
++ EVP_add_cipher(EVP_aes_128_ecb());
++ EVP_add_cipher(EVP_aes_128_cbc());
++ EVP_add_cipher(EVP_aes_128_cfb());
++ EVP_add_cipher(EVP_aes_128_cfb1());
++ EVP_add_cipher(EVP_aes_128_cfb8());
++ EVP_add_cipher(EVP_aes_128_ofb());
++ EVP_add_cipher(EVP_aes_128_ctr());
++ EVP_add_cipher(EVP_aes_128_gcm());
++ EVP_add_cipher(EVP_aes_128_xts());
++ EVP_add_cipher(EVP_aes_128_ccm());
++ EVP_add_cipher(EVP_aes_128_wrap());
++ EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
++ EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
++ EVP_add_cipher(EVP_aes_192_ecb());
++ EVP_add_cipher(EVP_aes_192_cbc());
++ EVP_add_cipher(EVP_aes_192_cfb());
++ EVP_add_cipher(EVP_aes_192_cfb1());
++ EVP_add_cipher(EVP_aes_192_cfb8());
++ EVP_add_cipher(EVP_aes_192_ofb());
++ EVP_add_cipher(EVP_aes_192_ctr());
++ EVP_add_cipher(EVP_aes_192_gcm());
++ EVP_add_cipher(EVP_aes_192_ccm());
++ EVP_add_cipher(EVP_aes_192_wrap());
++ EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
++ EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
++ EVP_add_cipher(EVP_aes_256_ecb());
++ EVP_add_cipher(EVP_aes_256_cbc());
++ EVP_add_cipher(EVP_aes_256_cfb());
++ EVP_add_cipher(EVP_aes_256_cfb1());
++ EVP_add_cipher(EVP_aes_256_cfb8());
++ EVP_add_cipher(EVP_aes_256_ofb());
++ EVP_add_cipher(EVP_aes_256_ctr());
++ EVP_add_cipher(EVP_aes_256_gcm());
++ EVP_add_cipher(EVP_aes_256_xts());
++ EVP_add_cipher(EVP_aes_256_ccm());
++ EVP_add_cipher(EVP_aes_256_wrap());
++ EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
++ EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
++# endif
++ }
++#endif
+ }
+diff -up openssl-1.0.2a/crypto/evp/c_alld.c.fips openssl-1.0.2a/crypto/evp/c_alld.c
+--- openssl-1.0.2a/crypto/evp/c_alld.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/evp/c_alld.c 2015-04-22 16:08:40.288245560 +0200
+@@ -64,51 +64,81 @@
+
+ void OpenSSL_add_all_digests(void)
+ {
++#ifdef OPENSSL_FIPS
++ OPENSSL_init_library();
++ if (!FIPS_mode()) {
++#endif
+ #ifndef OPENSSL_NO_MD4
+- EVP_add_digest(EVP_md4());
++ EVP_add_digest(EVP_md4());
+ #endif
+ #ifndef OPENSSL_NO_MD5
+- EVP_add_digest(EVP_md5());
+- EVP_add_digest_alias(SN_md5, "ssl2-md5");
+- EVP_add_digest_alias(SN_md5, "ssl3-md5");
++ EVP_add_digest(EVP_md5());
++ EVP_add_digest_alias(SN_md5, "ssl2-md5");
++ EVP_add_digest_alias(SN_md5, "ssl3-md5");
+ #endif
+ #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0)
+- EVP_add_digest(EVP_sha());
++ EVP_add_digest(EVP_sha());
+ # ifndef OPENSSL_NO_DSA
+- EVP_add_digest(EVP_dss());
++ EVP_add_digest(EVP_dss());
+ # endif
+ #endif
+ #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
+- EVP_add_digest(EVP_sha1());
+- EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
+- EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
++ EVP_add_digest(EVP_sha1());
++ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
++ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
+ # ifndef OPENSSL_NO_DSA
+- EVP_add_digest(EVP_dss1());
+- EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
+- EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
+- EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
++ EVP_add_digest(EVP_dss1());
++ EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
++ EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
++ EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
+ # endif
+ # ifndef OPENSSL_NO_ECDSA
+- EVP_add_digest(EVP_ecdsa());
++ EVP_add_digest(EVP_ecdsa());
+ # endif
+ #endif
+ #if !defined(OPENSSL_NO_MDC2) && !defined(OPENSSL_NO_DES)
+- EVP_add_digest(EVP_mdc2());
++ EVP_add_digest(EVP_mdc2());
+ #endif
+ #ifndef OPENSSL_NO_RIPEMD
+- EVP_add_digest(EVP_ripemd160());
+- EVP_add_digest_alias(SN_ripemd160, "ripemd");
+- EVP_add_digest_alias(SN_ripemd160, "rmd160");
++ EVP_add_digest(EVP_ripemd160());
++ EVP_add_digest_alias(SN_ripemd160, "ripemd");
++ EVP_add_digest_alias(SN_ripemd160, "rmd160");
+ #endif
+ #ifndef OPENSSL_NO_SHA256
+- EVP_add_digest(EVP_sha224());
+- EVP_add_digest(EVP_sha256());
++ EVP_add_digest(EVP_sha224());
++ EVP_add_digest(EVP_sha256());
+ #endif
+ #ifndef OPENSSL_NO_SHA512
+- EVP_add_digest(EVP_sha384());
+- EVP_add_digest(EVP_sha512());
++ EVP_add_digest(EVP_sha384());
++ EVP_add_digest(EVP_sha512());
+ #endif
+ #ifndef OPENSSL_NO_WHIRLPOOL
+- EVP_add_digest(EVP_whirlpool());
++ EVP_add_digest(EVP_whirlpool());
++#endif
++#ifdef OPENSSL_FIPS
++ } else {
++# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
++ EVP_add_digest(EVP_sha1());
++ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
++ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
++# ifndef OPENSSL_NO_DSA
++ EVP_add_digest(EVP_dss1());
++ EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
++ EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
++ EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
++# endif
++# ifndef OPENSSL_NO_ECDSA
++ EVP_add_digest(EVP_ecdsa());
++# endif
++# endif
++# ifndef OPENSSL_NO_SHA256
++ EVP_add_digest(EVP_sha224());
++ EVP_add_digest(EVP_sha256());
++# endif
++# ifndef OPENSSL_NO_SHA512
++ EVP_add_digest(EVP_sha384());
++ EVP_add_digest(EVP_sha512());
++# endif
++ }
+ #endif
+ }
+diff -up openssl-1.0.2a/crypto/evp/digest.c.fips openssl-1.0.2a/crypto/evp/digest.c
+--- openssl-1.0.2a/crypto/evp/digest.c.fips 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/evp/digest.c 2015-04-22 16:08:40.288245560 +0200
+@@ -143,18 +143,55 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons
+ return EVP_DigestInit_ex(ctx, type, NULL);
+ }
+
++#ifdef OPENSSL_FIPS
++
++/* The purpose of these is to trap programs that attempt to use non FIPS
++ * algorithms in FIPS mode and ignore the errors.
++ */
++
++static int bad_init(EVP_MD_CTX *ctx)
++{
++ FIPS_ERROR_IGNORED("Digest init");
++ return 0;
++}
++
++static int bad_update(EVP_MD_CTX *ctx, const void *data, size_t count)
++{
++ FIPS_ERROR_IGNORED("Digest update");
++ return 0;
++}
++
++static int bad_final(EVP_MD_CTX *ctx, unsigned char *md)
++{
++ FIPS_ERROR_IGNORED("Digest Final");
++ return 0;
++}
++
++static const EVP_MD bad_md = {
++ 0,
++ 0,
++ 0,
++ 0,
++ bad_init,
++ bad_update,
++ bad_final,
++ NULL,
++ NULL,
++ NULL,
++ 0,
++ {0, 0, 0, 0},
++};
++
++#endif
++
+ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
+ {
+ EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
+ #ifdef OPENSSL_FIPS
+- /* If FIPS mode switch to approved implementation if possible */
+- if (FIPS_mode()) {
+- const EVP_MD *fipsmd;
+- if (type) {
+- fipsmd = evp_get_fips_md(type);
+- if (fipsmd)
+- type = fipsmd;
+- }
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_EVP_DIGESTINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED);
++ ctx->digest = &bad_md;
++ return 0;
+ }
+ #endif
+ #ifndef OPENSSL_NO_ENGINE
+@@ -212,6 +249,16 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
+ }
+ #endif
+ if (ctx->digest != type) {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode()) {
++ if (!(type->flags & EVP_MD_FLAG_FIPS)
++ && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
++ EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
++ ctx->digest = &bad_md;
++ return 0;
++ }
++ }
++#endif
+ if (ctx->digest && ctx->digest->ctx_size)
+ OPENSSL_free(ctx->md_data);
+ ctx->digest = type;
+@@ -236,25 +283,15 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
+ }
+ if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT)
+ return 1;
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode()) {
+- if (FIPS_digestinit(ctx, type))
+- return 1;
+- OPENSSL_free(ctx->md_data);
+- ctx->md_data = NULL;
+- return 0;
+- }
+-#endif
+ return ctx->digest->init(ctx);
+ }
+
+ int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
+ {
+ #ifdef OPENSSL_FIPS
+- return FIPS_digestupdate(ctx, data, count);
+-#else
+- return ctx->update(ctx, data, count);
++ FIPS_selftest_check();
+ #endif
++ return ctx->update(ctx, data, count);
+ }
+
+ /* The caller can assume that this removes any secret data from the context */
+@@ -269,11 +306,11 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, uns
+ /* The caller can assume that this removes any secret data from the context */
+ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
+ {
+-#ifdef OPENSSL_FIPS
+- return FIPS_digestfinal(ctx, md, size);
+-#else
+ int ret;
+
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
+ ret = ctx->digest->final(ctx, md);
+ if (size != NULL)
+@@ -284,7 +321,6 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx,
+ }
+ memset(ctx->md_data, 0, ctx->digest->ctx_size);
+ return ret;
+-#endif
+ }
+
+ int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in)
+@@ -373,7 +409,6 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
+ /* This call frees resources associated with the context */
+ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
+ {
+-#ifndef OPENSSL_FIPS
+ /*
+ * Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because
+ * sometimes only copies of the context are ever finalised.
+@@ -386,7 +421,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
+ OPENSSL_cleanse(ctx->md_data, ctx->digest->ctx_size);
+ OPENSSL_free(ctx->md_data);
+ }
+-#endif
+ if (ctx->pctx)
+ EVP_PKEY_CTX_free(ctx->pctx);
+ #ifndef OPENSSL_NO_ENGINE
+@@ -397,9 +431,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
+ */
+ ENGINE_finish(ctx->engine);
+ #endif
+-#ifdef OPENSSL_FIPS
+- FIPS_md_ctx_cleanup(ctx);
+-#endif
+ memset(ctx, '\0', sizeof *ctx);
+
+ return 1;
+diff -up openssl-1.0.2a/crypto/evp/e_aes.c.fips openssl-1.0.2a/crypto/evp/e_aes.c
+--- openssl-1.0.2a/crypto/evp/e_aes.c.fips 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/evp/e_aes.c 2015-04-22 16:08:40.288245560 +0200
+@@ -59,9 +59,6 @@
+ # include "modes_lcl.h"
+ # include <openssl/rand.h>
+
+-# undef EVP_CIPH_FLAG_FIPS
+-# define EVP_CIPH_FLAG_FIPS 0
+-
+ typedef struct {
+ union {
+ double align;
+@@ -1158,6 +1155,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *
+ case EVP_CTRL_GCM_SET_IVLEN:
+ if (arg <= 0)
+ return 0;
++# ifdef OPENSSL_FIPS
++ if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
++ && arg < 12)
++ return 0;
++# endif
+ /* Allocate memory for IV if needed */
+ if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
+ if (gctx->iv != c->iv)
+@@ -1726,6 +1728,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
+ return 0;
+ if (!out || !in || len < AES_BLOCK_SIZE)
+ return 0;
++# ifdef OPENSSL_FIPS
++ /* Requirement of SP800-38E */
++ if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
++ (len > (1UL << 20) * 16)) {
++ EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
++ return 0;
++ }
++# endif
+ if (xctx->stream)
+ (*xctx->stream) (in, out, len,
+ xctx->xts.key1, xctx->xts.key2, ctx->iv);
+diff -up openssl-1.0.2a/crypto/evp/e_des3.c.fips openssl-1.0.2a/crypto/evp/e_des3.c
+--- openssl-1.0.2a/crypto/evp/e_des3.c.fips 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/evp/e_des3.c 2015-04-22 16:08:40.288245560 +0200
+@@ -65,10 +65,6 @@
+ # include <openssl/des.h>
+ # include <openssl/rand.h>
+
+-/* Block use of implementations in FIPS mode */
+-# undef EVP_CIPH_FLAG_FIPS
+-# define EVP_CIPH_FLAG_FIPS 0
+-
+ typedef struct {
+ union {
+ double align;
+diff -up openssl-1.0.2a/crypto/evp/e_null.c.fips openssl-1.0.2a/crypto/evp/e_null.c
+--- openssl-1.0.2a/crypto/evp/e_null.c.fips 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/evp/e_null.c 2015-04-22 16:08:40.288245560 +0200
+@@ -68,7 +68,7 @@ static int null_cipher(EVP_CIPHER_CTX *c
+ static const EVP_CIPHER n_cipher = {
+ NID_undef,
+ 1, 0, 0,
+- 0,
++ EVP_CIPH_FLAG_FIPS,
+ null_init_key,
+ null_cipher,
+ NULL,
+diff -up openssl-1.0.2a/crypto/evp/evp_enc.c.fips openssl-1.0.2a/crypto/evp/evp_enc.c
+--- openssl-1.0.2a/crypto/evp/evp_enc.c.fips 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/evp/evp_enc.c 2015-04-22 16:08:40.289245583 +0200
+@@ -69,16 +69,73 @@
+ #endif
+ #include "evp_locl.h"
+
+-#ifdef OPENSSL_FIPS
+-# define M_do_cipher(ctx, out, in, inl) FIPS_cipher(ctx, out, in, inl)
+-#else
+-# define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl)
+-#endif
++#define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl)
+
+ const char EVP_version[] = "EVP" OPENSSL_VERSION_PTEXT;
+
++#ifdef OPENSSL_FIPS
++
++/* The purpose of these is to trap programs that attempt to use non FIPS
++ * algorithms in FIPS mode and ignore the errors.
++ */
++
++static int bad_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
++ const unsigned char *iv, int enc)
++{
++ FIPS_ERROR_IGNORED("Cipher init");
++ return 0;
++}
++
++static int bad_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
++ const unsigned char *in, unsigned int inl)
++{
++ FIPS_ERROR_IGNORED("Cipher update");
++ return 0;
++}
++
++/* NB: no cleanup because it is allowed after failed init */
++
++static int bad_set_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
++{
++ FIPS_ERROR_IGNORED("Cipher set_asn1");
++ return 0;
++}
++
++static int bad_get_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
++{
++ FIPS_ERROR_IGNORED("Cipher get_asn1");
++ return 0;
++}
++
++static int bad_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
++{
++ FIPS_ERROR_IGNORED("Cipher ctrl");
++ return 0;
++}
++
++static const EVP_CIPHER bad_cipher = {
++ 0,
++ 0,
++ 0,
++ 0,
++ 0,
++ bad_init,
++ bad_do_cipher,
++ NULL,
++ 0,
++ bad_set_asn1,
++ bad_get_asn1,
++ bad_ctrl,
++ NULL
++};
++
++#endif
++
+ void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ memset(ctx, 0, sizeof(EVP_CIPHER_CTX));
+ /* ctx->cipher=NULL; */
+ }
+@@ -110,6 +167,13 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
+ enc = 1;
+ ctx->encrypt = enc;
+ }
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_EVP_CIPHERINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED);
++ ctx->cipher = &bad_cipher;
++ return 0;
++ }
++#endif
+ #ifndef OPENSSL_NO_ENGINE
+ /*
+ * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
+@@ -168,16 +232,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
+ ctx->engine = NULL;
+ #endif
+
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode()) {
+- const EVP_CIPHER *fcipher;
+- if (cipher)
+- fcipher = evp_get_fips_cipher(cipher);
+- if (fcipher)
+- cipher = fcipher;
+- return FIPS_cipherinit(ctx, cipher, key, iv, enc);
+- }
+-#endif
+ ctx->cipher = cipher;
+ if (ctx->cipher->ctx_size) {
+ ctx->cipher_data = OPENSSL_malloc(ctx->cipher->ctx_size);
+@@ -204,10 +258,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
+ #ifndef OPENSSL_NO_ENGINE
+ skip_to_init:
+ #endif
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_cipherinit(ctx, cipher, key, iv, enc);
+-#endif
+ /* we assume block size is a power of 2 in *cryptUpdate */
+ OPENSSL_assert(ctx->cipher->block_size == 1
+ || ctx->cipher->block_size == 8
+@@ -253,6 +303,19 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
+ break;
+ }
+ }
++#ifdef OPENSSL_FIPS
++ /* After 'key' is set no further parameters changes are permissible.
++ * So only check for non FIPS enabling at this point.
++ */
++ if (key && FIPS_mode()) {
++ if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS)
++ & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) {
++ EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS);
++ ctx->cipher = &bad_cipher;
++ return 0;
++ }
++ }
++#endif
+
+ if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
+ if (!ctx->cipher->init(ctx, key, iv, enc))
+@@ -554,7 +617,6 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX
+
+ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
+ {
+-#ifndef OPENSSL_FIPS
+ if (c->cipher != NULL) {
+ if (c->cipher->cleanup && !c->cipher->cleanup(c))
+ return 0;
+@@ -564,7 +626,6 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CT
+ }
+ if (c->cipher_data)
+ OPENSSL_free(c->cipher_data);
+-#endif
+ #ifndef OPENSSL_NO_ENGINE
+ if (c->engine)
+ /*
+@@ -573,9 +634,6 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CT
+ */
+ ENGINE_finish(c->engine);
+ #endif
+-#ifdef OPENSSL_FIPS
+- FIPS_cipher_ctx_cleanup(c);
+-#endif
+ memset(c, 0, sizeof(EVP_CIPHER_CTX));
+ return 1;
+ }
+diff -up openssl-1.0.2a/crypto/evp/evp.h.fips openssl-1.0.2a/crypto/evp/evp.h
+--- openssl-1.0.2a/crypto/evp/evp.h.fips 2015-04-22 16:08:40.174242860 +0200
++++ openssl-1.0.2a/crypto/evp/evp.h 2015-04-22 16:08:40.289245583 +0200
+@@ -123,6 +123,10 @@
+ extern "C" {
+ #endif
+
++# ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++# endif
++
+ /*
+ * Type needs to be a bit field Sub-type needs to be for variations on the
+ * method, as in, can it do arbitrary encryption....
+@@ -286,11 +290,6 @@ struct env_md_ctx_st {
+ * cleaned */
+ # define EVP_MD_CTX_FLAG_REUSE 0x0004/* Don't free up ctx->md_data
+ * in EVP_MD_CTX_cleanup */
+-/*
+- * FIPS and pad options are ignored in 1.0.0, definitions are here so we
+- * don't accidentally reuse the values for other purposes.
+- */
+-
+ # define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008/* Allow use of non FIPS
+ * digest in FIPS mode */
+
+@@ -303,6 +302,10 @@ struct env_md_ctx_st {
+ # define EVP_MD_CTX_FLAG_PAD_PKCS1 0x00/* PKCS#1 v1.5 mode */
+ # define EVP_MD_CTX_FLAG_PAD_X931 0x10/* X9.31 mode */
+ # define EVP_MD_CTX_FLAG_PAD_PSS 0x20/* PSS mode */
++# define M_EVP_MD_CTX_FLAG_PSS_SALT(ctx) \
++ ((ctx->flags>>16) &0xFFFF) /* seed length */
++# define EVP_MD_CTX_FLAG_PSS_MDLEN 0xFFFF/* salt len same as digest */
++# define EVP_MD_CTX_FLAG_PSS_MREC 0xFFFE/* salt max or auto recovered */
+
+ # define EVP_MD_CTX_FLAG_NO_INIT 0x0100/* Don't initialize md_data */
+
+@@ -364,15 +367,15 @@ struct evp_cipher_st {
+ /* cipher handles random key generation */
+ # define EVP_CIPH_RAND_KEY 0x200
+ /* cipher has its own additional copying logic */
+-# define EVP_CIPH_CUSTOM_COPY 0x400
++# define EVP_CIPH_CUSTOM_COPY 0x4000
+ /* Allow use default ASN1 get/set iv */
+ # define EVP_CIPH_FLAG_DEFAULT_ASN1 0x1000
+ /* Buffer length in bits not bytes: CFB1 mode only */
+ # define EVP_CIPH_FLAG_LENGTH_BITS 0x2000
+ /* Note if suitable for use in FIPS mode */
+-# define EVP_CIPH_FLAG_FIPS 0x4000
++# define EVP_CIPH_FLAG_FIPS 0x400
+ /* Allow non FIPS cipher in FIPS mode */
+-# define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x8000
++# define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x800
+ /*
+ * Cipher handles any and all padding logic as well as finalisation.
+ */
+diff -up openssl-1.0.2a/crypto/evp/evp_lib.c.fips openssl-1.0.2a/crypto/evp/evp_lib.c
+--- openssl-1.0.2a/crypto/evp/evp_lib.c.fips 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/evp/evp_lib.c 2015-04-22 16:10:58.297513170 +0200
+@@ -60,10 +60,6 @@
+ #include "cryptlib.h"
+ #include <openssl/evp.h>
+ #include <openssl/objects.h>
+-#ifdef OPENSSL_FIPS
+-# include <openssl/fips.h>
+-# include "evp_locl.h"
+-#endif
+
+ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
+ {
+@@ -200,6 +196,9 @@ int EVP_CIPHER_CTX_block_size(const EVP_
+ int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, unsigned int inl)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ return ctx->cipher->do_cipher(ctx, out, in, inl);
+ }
+
+@@ -210,22 +209,12 @@ const EVP_CIPHER *EVP_CIPHER_CTX_cipher(
+
+ unsigned long EVP_CIPHER_flags(const EVP_CIPHER *cipher)
+ {
+-#ifdef OPENSSL_FIPS
+- const EVP_CIPHER *fcipher;
+- fcipher = evp_get_fips_cipher(cipher);
+- if (fcipher && fcipher->flags & EVP_CIPH_FLAG_FIPS)
+- return cipher->flags | EVP_CIPH_FLAG_FIPS;
+-#endif
+ return cipher->flags;
+ }
+
+ unsigned long EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx)
+ {
+-#ifdef OPENSSL_FIPS
+- return EVP_CIPHER_flags(ctx->cipher);
+-#else
+ return ctx->cipher->flags;
+-#endif
+ }
+
+ void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx)
+@@ -292,40 +281,8 @@ int EVP_MD_size(const EVP_MD *md)
+ return md->md_size;
+ }
+
+-#ifdef OPENSSL_FIPS
+-
+-const EVP_MD *evp_get_fips_md(const EVP_MD *md)
+-{
+- int nid = EVP_MD_type(md);
+- if (nid == NID_dsa)
+- return FIPS_evp_dss1();
+- else if (nid == NID_dsaWithSHA)
+- return FIPS_evp_dss();
+- else if (nid == NID_ecdsa_with_SHA1)
+- return FIPS_evp_ecdsa();
+- else
+- return FIPS_get_digestbynid(nid);
+-}
+-
+-const EVP_CIPHER *evp_get_fips_cipher(const EVP_CIPHER *cipher)
+-{
+- int nid = cipher->nid;
+- if (nid == NID_undef)
+- return FIPS_evp_enc_null();
+- else
+- return FIPS_get_cipherbynid(nid);
+-}
+-
+-#endif
+-
+ unsigned long EVP_MD_flags(const EVP_MD *md)
+ {
+-#ifdef OPENSSL_FIPS
+- const EVP_MD *fmd;
+- fmd = evp_get_fips_md(md);
+- if (fmd && fmd->flags & EVP_MD_FLAG_FIPS)
+- return md->flags | EVP_MD_FLAG_FIPS;
+-#endif
+ return md->flags;
+ }
+
+diff -up openssl-1.0.2a/crypto/evp/evp_locl.h.fips openssl-1.0.2a/crypto/evp/evp_locl.h
+--- openssl-1.0.2a/crypto/evp/evp_locl.h.fips 2015-04-22 16:08:40.170242766 +0200
++++ openssl-1.0.2a/crypto/evp/evp_locl.h 2015-04-22 16:08:40.289245583 +0200
+@@ -258,10 +258,8 @@ const EVP_CIPHER *EVP_##cname##_ecb(void
+ BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \
+ BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \
+ NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \
+- 0, cipher##_init_key, NULL, \
+- EVP_CIPHER_set_asn1_iv, \
+- EVP_CIPHER_get_asn1_iv, \
+- NULL)
++ EVP_CIPH_FLAG_DEFAULT_ASN1, \
++ cipher##_init_key, NULL, NULL, NULL, NULL)
+
+ struct evp_pkey_ctx_st {
+ /* Method associated with this operation */
+@@ -355,11 +353,6 @@ const EVP_CIPHER *evp_get_fips_cipher(co
+ # define MD2_Init private_MD2_Init
+ # define MDC2_Init private_MDC2_Init
+ # define SHA_Init private_SHA_Init
+-# define SHA1_Init private_SHA1_Init
+-# define SHA224_Init private_SHA224_Init
+-# define SHA256_Init private_SHA256_Init
+-# define SHA384_Init private_SHA384_Init
+-# define SHA512_Init private_SHA512_Init
+
+ # define BF_set_key private_BF_set_key
+ # define CAST_set_key private_CAST_set_key
+@@ -367,7 +360,6 @@ const EVP_CIPHER *evp_get_fips_cipher(co
+ # define SEED_set_key private_SEED_set_key
+ # define RC2_set_key private_RC2_set_key
+ # define RC4_set_key private_RC4_set_key
+-# define DES_set_key_unchecked private_DES_set_key_unchecked
+ # define Camellia_set_key private_Camellia_set_key
+
+ #endif
+diff -up openssl-1.0.2a/crypto/evp/m_dss.c.fips openssl-1.0.2a/crypto/evp/m_dss.c
+--- openssl-1.0.2a/crypto/evp/m_dss.c.fips 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/evp/m_dss.c 2015-04-22 16:08:40.290245607 +0200
+@@ -86,7 +86,7 @@ static const EVP_MD dsa_md = {
+ NID_dsaWithSHA,
+ NID_dsaWithSHA,
+ SHA_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_DIGEST,
++ EVP_MD_FLAG_PKEY_DIGEST | EVP_MD_FLAG_FIPS,
+ init,
+ update,
+ final,
+diff -up openssl-1.0.2a/crypto/evp/m_dss1.c.fips openssl-1.0.2a/crypto/evp/m_dss1.c
+--- openssl-1.0.2a/crypto/evp/m_dss1.c.fips 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/evp/m_dss1.c 2015-04-22 16:08:40.290245607 +0200
+@@ -87,7 +87,7 @@ static const EVP_MD dss1_md = {
+ NID_dsa,
+ NID_dsaWithSHA1,
+ SHA_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_DIGEST,
++ EVP_MD_FLAG_PKEY_DIGEST | EVP_MD_FLAG_FIPS,
+ init,
+ update,
+ final,
+diff -up openssl-1.0.2a/crypto/evp/m_md2.c.fips openssl-1.0.2a/crypto/evp/m_md2.c
+--- openssl-1.0.2a/crypto/evp/m_md2.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/evp/m_md2.c 2015-04-22 16:08:40.290245607 +0200
+@@ -68,6 +68,7 @@
+ # ifndef OPENSSL_NO_RSA
+ # include <openssl/rsa.h>
+ # endif
++# include "evp_locl.h"
+
+ static int init(EVP_MD_CTX *ctx)
+ {
+diff -up openssl-1.0.2a/crypto/evp/m_sha1.c.fips openssl-1.0.2a/crypto/evp/m_sha1.c
+--- openssl-1.0.2a/crypto/evp/m_sha1.c.fips 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/evp/m_sha1.c 2015-04-22 16:08:40.290245607 +0200
+@@ -87,7 +87,8 @@ static const EVP_MD sha1_md = {
+ NID_sha1,
+ NID_sha1WithRSAEncryption,
+ SHA_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
++ EVP_MD_FLAG_FIPS,
+ init,
+ update,
+ final,
+@@ -134,7 +135,8 @@ static const EVP_MD sha224_md = {
+ NID_sha224,
+ NID_sha224WithRSAEncryption,
+ SHA224_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
++ EVP_MD_FLAG_FIPS,
+ init224,
+ update256,
+ final256,
+@@ -154,7 +156,8 @@ static const EVP_MD sha256_md = {
+ NID_sha256,
+ NID_sha256WithRSAEncryption,
+ SHA256_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
++ EVP_MD_FLAG_FIPS,
+ init256,
+ update256,
+ final256,
+@@ -197,7 +200,8 @@ static const EVP_MD sha384_md = {
+ NID_sha384,
+ NID_sha384WithRSAEncryption,
+ SHA384_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
++ EVP_MD_FLAG_FIPS,
+ init384,
+ update512,
+ final512,
+@@ -217,7 +221,8 @@ static const EVP_MD sha512_md = {
+ NID_sha512,
+ NID_sha512WithRSAEncryption,
+ SHA512_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
++ EVP_MD_FLAG_FIPS,
+ init512,
+ update512,
+ final512,
+diff -up openssl-1.0.2a/crypto/evp/p_sign.c.fips openssl-1.0.2a/crypto/evp/p_sign.c
+--- openssl-1.0.2a/crypto/evp/p_sign.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/evp/p_sign.c 2015-04-22 16:08:40.290245607 +0200
+@@ -61,6 +61,7 @@
+ #include <openssl/evp.h>
+ #include <openssl/objects.h>
+ #include <openssl/x509.h>
++#include <openssl/rsa.h>
+
+ #ifdef undef
+ void EVP_SignInit(EVP_MD_CTX *ctx, EVP_MD *type)
+@@ -101,6 +102,22 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig
+ goto err;
+ if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
+ goto err;
++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
++ goto err;
++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS) {
++ int saltlen;
++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <=
++ 0)
++ goto err;
++ saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
++ if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
++ saltlen = -1;
++ else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
++ saltlen = -2;
++ if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
++ goto err;
++ }
+ if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0)
+ goto err;
+ *siglen = sltmp;
+diff -up openssl-1.0.2a/crypto/evp/p_verify.c.fips openssl-1.0.2a/crypto/evp/p_verify.c
+--- openssl-1.0.2a/crypto/evp/p_verify.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/evp/p_verify.c 2015-04-22 16:08:40.290245607 +0200
+@@ -61,6 +61,7 @@
+ #include <openssl/evp.h>
+ #include <openssl/objects.h>
+ #include <openssl/x509.h>
++#include <openssl/rsa.h>
+
+ int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
+ unsigned int siglen, EVP_PKEY *pkey)
+@@ -87,6 +88,22 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, con
+ goto err;
+ if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
+ goto err;
++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
++ goto err;
++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS) {
++ int saltlen;
++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <=
++ 0)
++ goto err;
++ saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
++ if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
++ saltlen = -1;
++ else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
++ saltlen = -2;
++ if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
++ goto err;
++ }
+ i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len);
+ err:
+ EVP_PKEY_CTX_free(pkctx);
+diff -up openssl-1.0.2a/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_aes_selftest.c
+--- openssl-1.0.2a/crypto/fips/fips_aes_selftest.c.fips 2015-04-22 16:08:40.294245702 +0200
++++ openssl-1.0.2a/crypto/fips/fips_aes_selftest.c 2015-04-22 16:08:40.294245702 +0200
+@@ -0,0 +1,365 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++#include <openssl/evp.h>
++
++#ifdef OPENSSL_FIPS
++static const struct {
++ const unsigned char key[16];
++ const unsigned char plaintext[16];
++ const unsigned char ciphertext[16];
++} tests[] = {
++ {
++ {
++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F}, {
++ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
++ 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}, {
++0x69, 0xC4, 0xE0, 0xD8, 0x6A, 0x7B, 0x04, 0x30,
++ 0xD8, 0xCD, 0xB7, 0x80, 0x70, 0xB4, 0xC5, 0x5A},},};
++
++static int corrupt_aes;
++
++void FIPS_corrupt_aes()
++{
++ corrupt_aes = 1;
++}
++
++int FIPS_selftest_aes()
++{
++ int n;
++ int ret = 0;
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++
++ for (n = 0; n < 1; ++n) {
++ unsigned char key[16];
++
++ memcpy(key, tests[n].key, sizeof(key));
++ if (corrupt_aes)
++ key[0]++;
++ if (fips_cipher_test(&ctx, EVP_aes_128_ecb(),
++ key, NULL,
++ tests[n].plaintext,
++ tests[n].ciphertext, 16) <= 0)
++ goto err;
++ }
++ ret = 1;
++ err:
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ if (ret == 0)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES, FIPS_R_SELFTEST_FAILED);
++ return ret;
++}
++
++/* AES-CCM test data from NIST public test vectors */
++
++static const unsigned char ccm_key[] = {
++ 0xce, 0xb0, 0x09, 0xae, 0xa4, 0x45, 0x44, 0x51, 0xfe, 0xad, 0xf0, 0xe6,
++ 0xb3, 0x6f, 0x45, 0x55, 0x5d, 0xd0, 0x47, 0x23, 0xba, 0xa4, 0x48, 0xe8
++};
++
++static const unsigned char ccm_nonce[] = {
++ 0x76, 0x40, 0x43, 0xc4, 0x94, 0x60, 0xb7
++};
++
++static const unsigned char ccm_adata[] = {
++ 0x6e, 0x80, 0xdd, 0x7f, 0x1b, 0xad, 0xf3, 0xa1, 0xc9, 0xab, 0x25, 0xc7,
++ 0x5f, 0x10, 0xbd, 0xe7, 0x8c, 0x23, 0xfa, 0x0e, 0xb8, 0xf9, 0xaa, 0xa5,
++ 0x3a, 0xde, 0xfb, 0xf4, 0xcb, 0xf7, 0x8f, 0xe4
++};
++
++static const unsigned char ccm_pt[] = {
++ 0xc8, 0xd2, 0x75, 0xf9, 0x19, 0xe1, 0x7d, 0x7f, 0xe6, 0x9c, 0x2a, 0x1f,
++ 0x58, 0x93, 0x9d, 0xfe, 0x4d, 0x40, 0x37, 0x91, 0xb5, 0xdf, 0x13, 0x10
++};
++
++static const unsigned char ccm_ct[] = {
++ 0x8a, 0x0f, 0x3d, 0x82, 0x29, 0xe4, 0x8e, 0x74, 0x87, 0xfd, 0x95, 0xa2,
++ 0x8a, 0xd3, 0x92, 0xc8, 0x0b, 0x36, 0x81, 0xd4, 0xfb, 0xc7, 0xbb, 0xfd
++};
++
++static const unsigned char ccm_tag[] = {
++ 0x2d, 0xd6, 0xef, 0x1c, 0x45, 0xd4, 0xcc, 0xb7, 0x23, 0xdc, 0x07, 0x44,
++ 0x14, 0xdb, 0x50, 0x6d
++};
++
++int FIPS_selftest_aes_ccm(void)
++{
++ int ret = 0;
++ unsigned char out[128], tag[16];
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++ memset(out, 0, sizeof(out));
++ if (!EVP_CipherInit_ex(&ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 1))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN,
++ sizeof(ccm_nonce), NULL))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG,
++ sizeof(ccm_tag), NULL))
++ goto err;
++ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, ccm_key, ccm_nonce, 1))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, NULL, sizeof(ccm_pt)) != sizeof(ccm_pt))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
++ goto err;
++ if (EVP_Cipher(&ctx, out, ccm_pt, sizeof(ccm_pt)) != sizeof(ccm_ct))
++ goto err;
++
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_GET_TAG, 16, tag))
++ goto err;
++ if (memcmp(tag, ccm_tag, sizeof(ccm_tag))
++ || memcmp(out, ccm_ct, sizeof(ccm_ct)))
++ goto err;
++
++ memset(out, 0, sizeof(out));
++
++ if (!EVP_CipherInit_ex(&ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 0))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN,
++ sizeof(ccm_nonce), NULL))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG, 16, tag))
++ goto err;
++ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, ccm_key, ccm_nonce, 0))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, NULL, sizeof(ccm_ct)) != sizeof(ccm_ct))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
++ goto err;
++ if (EVP_Cipher(&ctx, out, ccm_ct, sizeof(ccm_ct)) != sizeof(ccm_pt))
++ goto err;
++
++ if (memcmp(out, ccm_pt, sizeof(ccm_pt)))
++ goto err;
++
++ ret = 1;
++
++ err:
++ EVP_CIPHER_CTX_cleanup(&ctx);
++
++ if (ret == 0) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_CCM, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ } else
++ return ret;
++
++}
++
++/* AES-GCM test data from NIST public test vectors */
++
++static const unsigned char gcm_key[] = {
++ 0xee, 0xbc, 0x1f, 0x57, 0x48, 0x7f, 0x51, 0x92, 0x1c, 0x04, 0x65, 0x66,
++ 0x5f, 0x8a, 0xe6, 0xd1, 0x65, 0x8b, 0xb2, 0x6d, 0xe6, 0xf8, 0xa0, 0x69,
++ 0xa3, 0x52, 0x02, 0x93, 0xa5, 0x72, 0x07, 0x8f
++};
++
++static const unsigned char gcm_iv[] = {
++ 0x99, 0xaa, 0x3e, 0x68, 0xed, 0x81, 0x73, 0xa0, 0xee, 0xd0, 0x66, 0x84
++};
++
++static const unsigned char gcm_pt[] = {
++ 0xf5, 0x6e, 0x87, 0x05, 0x5b, 0xc3, 0x2d, 0x0e, 0xeb, 0x31, 0xb2, 0xea,
++ 0xcc, 0x2b, 0xf2, 0xa5
++};
++
++static const unsigned char gcm_aad[] = {
++ 0x4d, 0x23, 0xc3, 0xce, 0xc3, 0x34, 0xb4, 0x9b, 0xdb, 0x37, 0x0c, 0x43,
++ 0x7f, 0xec, 0x78, 0xde
++};
++
++static const unsigned char gcm_ct[] = {
++ 0xf7, 0x26, 0x44, 0x13, 0xa8, 0x4c, 0x0e, 0x7c, 0xd5, 0x36, 0x86, 0x7e,
++ 0xb9, 0xf2, 0x17, 0x36
++};
++
++static const unsigned char gcm_tag[] = {
++ 0x67, 0xba, 0x05, 0x10, 0x26, 0x2a, 0xe4, 0x87, 0xd7, 0x37, 0xee, 0x62,
++ 0x98, 0xf7, 0x7e, 0x0c
++};
++
++int FIPS_selftest_aes_gcm(void)
++{
++ int ret = 0;
++ unsigned char out[128], tag[16];
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++ memset(out, 0, sizeof(out));
++ memset(tag, 0, sizeof(tag));
++ if (!EVP_CipherInit_ex(&ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 1))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN,
++ sizeof(gcm_iv), NULL))
++ goto err;
++ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, gcm_key, gcm_iv, 1))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
++ goto err;
++ if (EVP_Cipher(&ctx, out, gcm_pt, sizeof(gcm_pt)) != sizeof(gcm_ct))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, NULL, 0) < 0)
++ goto err;
++
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, 16, tag))
++ goto err;
++
++ if (memcmp(tag, gcm_tag, 16) || memcmp(out, gcm_ct, 16))
++ goto err;
++
++ memset(out, 0, sizeof(out));
++
++ if (!EVP_CipherInit_ex(&ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 0))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN,
++ sizeof(gcm_iv), NULL))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, 16, tag))
++ goto err;
++ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, gcm_key, gcm_iv, 0))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
++ goto err;
++ if (EVP_Cipher(&ctx, out, gcm_ct, sizeof(gcm_ct)) != sizeof(gcm_pt))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, NULL, 0) < 0)
++ goto err;
++
++ if (memcmp(out, gcm_pt, 16))
++ goto err;
++
++ ret = 1;
++
++ err:
++ EVP_CIPHER_CTX_cleanup(&ctx);
++
++ if (ret == 0) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_GCM, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ } else
++ return ret;
++
++}
++
++static const unsigned char XTS_128_key[] = {
++ 0xa1, 0xb9, 0x0c, 0xba, 0x3f, 0x06, 0xac, 0x35, 0x3b, 0x2c, 0x34, 0x38,
++ 0x76, 0x08, 0x17, 0x62, 0x09, 0x09, 0x23, 0x02, 0x6e, 0x91, 0x77, 0x18,
++ 0x15, 0xf2, 0x9d, 0xab, 0x01, 0x93, 0x2f, 0x2f
++};
++
++static const unsigned char XTS_128_i[] = {
++ 0x4f, 0xae, 0xf7, 0x11, 0x7c, 0xda, 0x59, 0xc6, 0x6e, 0x4b, 0x92, 0x01,
++ 0x3e, 0x76, 0x8a, 0xd5
++};
++
++static const unsigned char XTS_128_pt[] = {
++ 0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d, 0x6f, 0xb3, 0x50, 0x39,
++ 0x07, 0x90, 0x31, 0x1c
++};
++
++static const unsigned char XTS_128_ct[] = {
++ 0x77, 0x8a, 0xe8, 0xb4, 0x3c, 0xb9, 0x8d, 0x5a, 0x82, 0x50, 0x81, 0xd5,
++ 0xbe, 0x47, 0x1c, 0x63
++};
++
++static const unsigned char XTS_256_key[] = {
++ 0x1e, 0xa6, 0x61, 0xc5, 0x8d, 0x94, 0x3a, 0x0e, 0x48, 0x01, 0xe4, 0x2f,
++ 0x4b, 0x09, 0x47, 0x14, 0x9e, 0x7f, 0x9f, 0x8e, 0x3e, 0x68, 0xd0, 0xc7,
++ 0x50, 0x52, 0x10, 0xbd, 0x31, 0x1a, 0x0e, 0x7c, 0xd6, 0xe1, 0x3f, 0xfd,
++ 0xf2, 0x41, 0x8d, 0x8d, 0x19, 0x11, 0xc0, 0x04, 0xcd, 0xa5, 0x8d, 0xa3,
++ 0xd6, 0x19, 0xb7, 0xe2, 0xb9, 0x14, 0x1e, 0x58, 0x31, 0x8e, 0xea, 0x39,
++ 0x2c, 0xf4, 0x1b, 0x08
++};
++
++static const unsigned char XTS_256_i[] = {
++ 0xad, 0xf8, 0xd9, 0x26, 0x27, 0x46, 0x4a, 0xd2, 0xf0, 0x42, 0x8e, 0x84,
++ 0xa9, 0xf8, 0x75, 0x64
++};
++
++static const unsigned char XTS_256_pt[] = {
++ 0x2e, 0xed, 0xea, 0x52, 0xcd, 0x82, 0x15, 0xe1, 0xac, 0xc6, 0x47, 0xe8,
++ 0x10, 0xbb, 0xc3, 0x64, 0x2e, 0x87, 0x28, 0x7f, 0x8d, 0x2e, 0x57, 0xe3,
++ 0x6c, 0x0a, 0x24, 0xfb, 0xc1, 0x2a, 0x20, 0x2e
++};
++
++static const unsigned char XTS_256_ct[] = {
++ 0xcb, 0xaa, 0xd0, 0xe2, 0xf6, 0xce, 0xa3, 0xf5, 0x0b, 0x37, 0xf9, 0x34,
++ 0xd4, 0x6a, 0x9b, 0x13, 0x0b, 0x9d, 0x54, 0xf0, 0x7e, 0x34, 0xf3, 0x6a,
++ 0xf7, 0x93, 0xe8, 0x6f, 0x73, 0xc6, 0xd7, 0xdb
++};
++
++int FIPS_selftest_aes_xts()
++{
++ int ret = 1;
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++
++ if (fips_cipher_test(&ctx, EVP_aes_128_xts(),
++ XTS_128_key, XTS_128_i, XTS_128_pt, XTS_128_ct,
++ sizeof(XTS_128_pt)) <= 0)
++ ret = 0;
++
++ if (fips_cipher_test(&ctx, EVP_aes_256_xts(),
++ XTS_256_key, XTS_256_i, XTS_256_pt, XTS_256_ct,
++ sizeof(XTS_256_pt)) <= 0)
++ ret = 0;
++
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ if (ret == 0)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_XTS, FIPS_R_SELFTEST_FAILED);
++ return ret;
++}
++
++#endif
+diff -up openssl-1.0.2a/crypto/fips/fips.c.fips openssl-1.0.2a/crypto/fips/fips.c
+--- openssl-1.0.2a/crypto/fips/fips.c.fips 2015-04-22 16:08:40.294245702 +0200
++++ openssl-1.0.2a/crypto/fips/fips.c 2015-04-22 16:08:40.294245702 +0200
+@@ -0,0 +1,483 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#define _GNU_SOURCE
++
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++#include <openssl/err.h>
++#include <openssl/bio.h>
++#include <openssl/hmac.h>
++#include <openssl/rsa.h>
++#include <string.h>
++#include <limits.h>
++#include <dlfcn.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++# include <openssl/fips.h>
++
++# ifndef PATH_MAX
++# define PATH_MAX 1024
++# endif
++
++static int fips_selftest_fail = 0;
++static int fips_mode = 0;
++static int fips_started = 0;
++
++static int fips_is_owning_thread(void);
++static int fips_set_owning_thread(void);
++static int fips_clear_owning_thread(void);
++
++# define fips_w_lock() CRYPTO_w_lock(CRYPTO_LOCK_FIPS)
++# define fips_w_unlock() CRYPTO_w_unlock(CRYPTO_LOCK_FIPS)
++# define fips_r_lock() CRYPTO_r_lock(CRYPTO_LOCK_FIPS)
++# define fips_r_unlock() CRYPTO_r_unlock(CRYPTO_LOCK_FIPS)
++
++static void fips_set_mode(int onoff)
++{
++ int owning_thread = fips_is_owning_thread();
++
++ if (fips_started) {
++ if (!owning_thread)
++ fips_w_lock();
++ fips_mode = onoff;
++ if (!owning_thread)
++ fips_w_unlock();
++ }
++}
++
++int FIPS_module_mode(void)
++{
++ int ret = 0;
++ int owning_thread = fips_is_owning_thread();
++
++ if (fips_started) {
++ if (!owning_thread)
++ fips_r_lock();
++ ret = fips_mode;
++ if (!owning_thread)
++ fips_r_unlock();
++ }
++ return ret;
++}
++
++int FIPS_selftest_failed(void)
++{
++ int ret = 0;
++ if (fips_started) {
++ int owning_thread = fips_is_owning_thread();
++
++ if (!owning_thread)
++ fips_r_lock();
++ ret = fips_selftest_fail;
++ if (!owning_thread)
++ fips_r_unlock();
++ }
++ return ret;
++}
++
++/* Selftest failure fatal exit routine. This will be called
++ * during *any* cryptographic operation. It has the minimum
++ * overhead possible to avoid too big a performance hit.
++ */
++
++void FIPS_selftest_check(void)
++{
++ if (fips_selftest_fail) {
++ OpenSSLDie(__FILE__, __LINE__, "FATAL FIPS SELFTEST FAILURE");
++ }
++}
++
++void fips_set_selftest_fail(void)
++{
++ fips_selftest_fail = 1;
++}
++
++/* we implement what libfipscheck does ourselves */
++
++static int
++get_library_path(const char *libname, const char *symbolname, char *path,
++ size_t pathlen)
++{
++ Dl_info info;
++ void *dl, *sym;
++ int rv = -1;
++
++ dl = dlopen(libname, RTLD_LAZY);
++ if (dl == NULL) {
++ return -1;
++ }
++
++ sym = dlsym(dl, symbolname);
++
++ if (sym != NULL && dladdr(sym, &info)) {
++ strncpy(path, info.dli_fname, pathlen - 1);
++ path[pathlen - 1] = '\0';
++ rv = 0;
++ }
++
++ dlclose(dl);
++
++ return rv;
++}
++
++static const char conv[] = "0123456789abcdef";
++
++static char *bin2hex(void *buf, size_t len)
++{
++ char *hex, *p;
++ unsigned char *src = buf;
++
++ hex = malloc(len * 2 + 1);
++ if (hex == NULL)
++ return NULL;
++
++ p = hex;
++
++ while (len > 0) {
++ unsigned c;
++
++ c = *src;
++ src++;
++
++ *p = conv[c >> 4];
++ ++p;
++ *p = conv[c & 0x0f];
++ ++p;
++ --len;
++ }
++ *p = '\0';
++ return hex;
++}
++
++# define HMAC_PREFIX "."
++# define HMAC_SUFFIX ".hmac"
++# define READ_BUFFER_LENGTH 16384
++
++static char *make_hmac_path(const char *origpath)
++{
++ char *path, *p;
++ const char *fn;
++
++ path =
++ malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
++ if (path == NULL) {
++ return NULL;
++ }
++
++ fn = strrchr(origpath, '/');
++ if (fn == NULL) {
++ fn = origpath;
++ } else {
++ ++fn;
++ }
++
++ strncpy(path, origpath, fn - origpath);
++ p = path + (fn - origpath);
++ p = stpcpy(p, HMAC_PREFIX);
++ p = stpcpy(p, fn);
++ p = stpcpy(p, HMAC_SUFFIX);
++
++ return path;
++}
++
++static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
++
++static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
++{
++ FILE *f = NULL;
++ int rv = -1;
++ unsigned char rbuf[READ_BUFFER_LENGTH];
++ size_t len;
++ unsigned int hlen;
++ HMAC_CTX c;
++
++ HMAC_CTX_init(&c);
++
++ f = fopen(path, "r");
++
++ if (f == NULL) {
++ goto end;
++ }
++
++ HMAC_Init(&c, hmackey, sizeof(hmackey) - 1, EVP_sha256());
++
++ while ((len = fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
++ HMAC_Update(&c, rbuf, len);
++ }
++
++ len = sizeof(rbuf);
++ /* reuse rbuf for hmac */
++ HMAC_Final(&c, rbuf, &hlen);
++
++ *buf = malloc(hlen);
++ if (*buf == NULL) {
++ goto end;
++ }
++
++ *hmaclen = hlen;
++
++ memcpy(*buf, rbuf, hlen);
++
++ rv = 0;
++ end:
++ HMAC_CTX_cleanup(&c);
++
++ if (f)
++ fclose(f);
++
++ return rv;
++}
++
++static int FIPSCHECK_verify(const char *libname, const char *symbolname)
++{
++ char path[PATH_MAX + 1];
++ int rv;
++ FILE *hf;
++ char *hmacpath, *p;
++ char *hmac = NULL;
++ size_t n;
++
++ rv = get_library_path(libname, symbolname, path, sizeof(path));
++
++ if (rv < 0)
++ return 0;
++
++ hmacpath = make_hmac_path(path);
++ if (hmacpath == NULL)
++ return 0;
++
++ hf = fopen(hmacpath, "r");
++ if (hf == NULL) {
++ free(hmacpath);
++ return 0;
++ }
++
++ if (getline(&hmac, &n, hf) > 0) {
++ void *buf;
++ size_t hmaclen;
++ char *hex;
++
++ if ((p = strchr(hmac, '\n')) != NULL)
++ *p = '\0';
++
++ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
++ rv = -4;
++ goto end;
++ }
++
++ if ((hex = bin2hex(buf, hmaclen)) == NULL) {
++ free(buf);
++ rv = -5;
++ goto end;
++ }
++
++ if (strcmp(hex, hmac) != 0) {
++ rv = -1;
++ }
++ free(buf);
++ free(hex);
++ } else {
++ rv = -1;
++ }
++
++ end:
++ free(hmac);
++ free(hmacpath);
++ fclose(hf);
++
++ if (rv < 0)
++ return 0;
++
++ /* check successful */
++ return 1;
++}
++
++int FIPS_module_mode_set(int onoff, const char *auth)
++{
++ int ret = 0;
++
++ fips_w_lock();
++ fips_started = 1;
++ fips_set_owning_thread();
++
++ if (onoff) {
++
++ fips_selftest_fail = 0;
++
++ /* Don't go into FIPS mode twice, just so we can do automagic
++ seeding */
++ if (FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++ FIPS_R_FIPS_MODE_ALREADY_SET);
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++# ifdef OPENSSL_IA32_SSE2
++ {
++ extern unsigned int OPENSSL_ia32cap_P[2];
++ if ((OPENSSL_ia32cap_P[0] & (1 << 25 | 1 << 26)) !=
++ (1 << 25 | 1 << 26)) {
++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++ FIPS_R_UNSUPPORTED_PLATFORM);
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++ OPENSSL_ia32cap_P[0] |= (1 << 28); /* set "shared cache" */
++ OPENSSL_ia32cap_P[1] &= ~(1 << (60 - 32)); /* clear AVX */
++ }
++# endif
++
++ if (!FIPSCHECK_verify
++ ("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set")) {
++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++
++ if (!FIPSCHECK_verify
++ ("libssl.so." SHLIB_VERSION_NUMBER, "SSL_CTX_new")) {
++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++
++ if (FIPS_selftest())
++ fips_set_mode(onoff);
++ else {
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++ ret = 1;
++ goto end;
++ }
++ fips_set_mode(0);
++ fips_selftest_fail = 0;
++ ret = 1;
++ end:
++ fips_clear_owning_thread();
++ fips_w_unlock();
++ return ret;
++}
++
++static CRYPTO_THREADID fips_thread;
++static int fips_thread_set = 0;
++
++static int fips_is_owning_thread(void)
++{
++ int ret = 0;
++
++ if (fips_started) {
++ CRYPTO_r_lock(CRYPTO_LOCK_FIPS2);
++ if (fips_thread_set) {
++ CRYPTO_THREADID cur;
++ CRYPTO_THREADID_current(&cur);
++ if (!CRYPTO_THREADID_cmp(&cur, &fips_thread))
++ ret = 1;
++ }
++ CRYPTO_r_unlock(CRYPTO_LOCK_FIPS2);
++ }
++ return ret;
++}
++
++int fips_set_owning_thread(void)
++{
++ int ret = 0;
++
++ if (fips_started) {
++ CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
++ if (!fips_thread_set) {
++ CRYPTO_THREADID_current(&fips_thread);
++ ret = 1;
++ fips_thread_set = 1;
++ }
++ CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
++ }
++ return ret;
++}
++
++int fips_clear_owning_thread(void)
++{
++ int ret = 0;
++
++ if (fips_started) {
++ CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
++ if (fips_thread_set) {
++ CRYPTO_THREADID cur;
++ CRYPTO_THREADID_current(&cur);
++ if (!CRYPTO_THREADID_cmp(&cur, &fips_thread))
++ fips_thread_set = 0;
++ }
++ CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
++ }
++ return ret;
++}
++
++# if 0
++/* The purpose of this is to ensure the error code exists and the function
++ * name is to keep the error checking script quiet
++ */
++void hash_final(void)
++{
++ FIPSerr(FIPS_F_HASH_FINAL, FIPS_R_NON_FIPS_METHOD);
++}
++# endif
++
++#endif
+diff -up openssl-1.0.2a/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_cmac_selftest.c
+--- openssl-1.0.2a/crypto/fips/fips_cmac_selftest.c.fips 2015-04-22 16:08:40.294245702 +0200
++++ openssl-1.0.2a/crypto/fips/fips_cmac_selftest.c 2015-04-22 16:08:40.294245702 +0200
+@@ -0,0 +1,156 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++#include <openssl/cmac.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++typedef struct {
++ int nid;
++ const unsigned char key[EVP_MAX_KEY_LENGTH];
++ size_t keysize;
++ const unsigned char msg[64];
++ size_t msgsize;
++ const unsigned char mac[32];
++ size_t macsize;
++} CMAC_KAT;
++
++/* from http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf */
++static const CMAC_KAT vector[] = {
++ {NID_aes_128_cbc, /* Count = 32 from CMACGenAES128.txt */
++ {0x77, 0xa7, 0x7f, 0xaf, 0x29, 0x0c, 0x1f, 0xa3,
++ 0x0c, 0x68, 0x3d, 0xf1, 0x6b, 0xa7, 0xa7, 0x7b,}, 128,
++ {0x02, 0x06, 0x83, 0xe1, 0xf0, 0x39, 0x2f, 0x4c,
++ 0xac, 0x54, 0x31, 0x8b, 0x60, 0x29, 0x25, 0x9e,
++ 0x9c, 0x55, 0x3d, 0xbc, 0x4b, 0x6a, 0xd9, 0x98,
++ 0xe6, 0x4d, 0x58, 0xe4, 0xe7, 0xdc, 0x2e, 0x13,}, 256,
++ {0xfb, 0xfe, 0xa4, 0x1b,}, 32},
++ {NID_aes_192_cbc, /* Count = 23 from CMACGenAES192.txt */
++ {0x7b, 0x32, 0x39, 0x13, 0x69, 0xaa, 0x4c, 0xa9,
++ 0x75, 0x58, 0x09, 0x5b, 0xe3, 0xc3, 0xec, 0x86,
++ 0x2b, 0xd0, 0x57, 0xce, 0xf1, 0xe3, 0x2d, 0x62,}, 192,
++ {0x0}, 0,
++ {0xe4, 0xd9, 0x34, 0x0b, 0x03, 0xe6, 0x7d, 0xef,
++ 0xd4, 0x96, 0x9c, 0xc1, 0xed, 0x37, 0x35, 0xe6,}, 128,
++ },
++ {NID_aes_256_cbc, /* Count = 33 from CMACGenAES256.txt */
++ {0x0b, 0x12, 0x2a, 0xc8, 0xf3, 0x4e, 0xd1, 0xfe,
++ 0x08, 0x2a, 0x36, 0x25, 0xd1, 0x57, 0x56, 0x14,
++ 0x54, 0x16, 0x7a, 0xc1, 0x45, 0xa1, 0x0b, 0xbf,
++ 0x77, 0xc6, 0xa7, 0x05, 0x96, 0xd5, 0x74, 0xf1,}, 256,
++ {0x49, 0x8b, 0x53, 0xfd, 0xec, 0x87, 0xed, 0xcb,
++ 0xf0, 0x70, 0x97, 0xdc, 0xcd, 0xe9, 0x3a, 0x08,
++ 0x4b, 0xad, 0x75, 0x01, 0xa2, 0x24, 0xe3, 0x88,
++ 0xdf, 0x34, 0x9c, 0xe1, 0x89, 0x59, 0xfe, 0x84,
++ 0x85, 0xf8, 0xad, 0x15, 0x37, 0xf0, 0xd8, 0x96,
++ 0xea, 0x73, 0xbe, 0xdc, 0x72, 0x14, 0x71, 0x3f,}, 384,
++ {0xf6, 0x2c, 0x46, 0x32, 0x9b,}, 40,
++ },
++ {NID_des_ede3_cbc, /* Count = 41 from CMACGenTDES3.req */
++ {0x89, 0xbc, 0xd9, 0x52, 0xa8, 0xc8, 0xab, 0x37,
++ 0x1a, 0xf4, 0x8a, 0xc7, 0xd0, 0x70, 0x85, 0xd5,
++ 0xef, 0xf7, 0x02, 0xe6, 0xd6, 0x2c, 0xdc, 0x23,}, 192,
++ {0xfa, 0x62, 0x0c, 0x1b, 0xbe, 0x97, 0x31, 0x9e,
++ 0x9a, 0x0c, 0xf0, 0x49, 0x21, 0x21, 0xf7, 0xa2,
++ 0x0e, 0xb0, 0x8a, 0x6a, 0x70, 0x9d, 0xcb, 0xd0,
++ 0x0a, 0xaf, 0x38, 0xe4, 0xf9, 0x9e, 0x75, 0x4e,}, 256,
++ {0x8f, 0x49, 0xa1, 0xb7, 0xd6, 0xaa, 0x22, 0x58,}, 64,
++ },
++};
++
++int FIPS_selftest_cmac()
++{
++ size_t n, outlen;
++ unsigned char out[32];
++ const EVP_CIPHER *cipher;
++ CMAC_CTX *ctx = CMAC_CTX_new();
++ const CMAC_KAT *t;
++ int rv = 1;
++
++ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) {
++ cipher = FIPS_get_cipherbynid(t->nid);
++ if (!cipher) {
++ rv = -1;
++ goto err;
++ }
++ if (!CMAC_Init(ctx, t->key, t->keysize / 8, cipher, 0)) {
++ rv = -1;
++ goto err;
++ }
++ if (!CMAC_Update(ctx, t->msg, t->msgsize / 8)) {
++ rv = -1;
++ goto err;
++ }
++
++ if (!CMAC_Final(ctx, out, &outlen)) {
++ rv = -1;
++ goto err;
++ }
++ CMAC_CTX_cleanup(ctx);
++
++ if (outlen < t->macsize / 8 || memcmp(out, t->mac, t->macsize / 8)) {
++ rv = 0;
++ }
++ }
++
++ err:
++ CMAC_CTX_free(ctx);
++
++ if (rv == -1) {
++ rv = 0;
++ }
++ if (!rv)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_CMAC, FIPS_R_SELFTEST_FAILED);
++
++ return rv;
++}
++#endif
+diff -up openssl-1.0.2a/crypto/fips/fips_des_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_des_selftest.c
+--- openssl-1.0.2a/crypto/fips/fips_des_selftest.c.fips 2015-04-22 16:08:40.294245702 +0200
++++ openssl-1.0.2a/crypto/fips/fips_des_selftest.c 2015-04-22 16:08:40.294245702 +0200
+@@ -0,0 +1,138 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++#include <openssl/evp.h>
++#include <openssl/opensslconf.h>
++
++#ifdef OPENSSL_FIPS
++
++static const struct {
++ const unsigned char key[16];
++ const unsigned char plaintext[8];
++ const unsigned char ciphertext[8];
++} tests2[] = {
++ {
++ {
++ 0x7c, 0x4f, 0x6e, 0xf7, 0xa2, 0x04, 0x16, 0xec,
++ 0x0b, 0x6b, 0x7c, 0x9e, 0x5e, 0x19, 0xa7, 0xc4}, {
++ 0x06, 0xa7, 0xd8, 0x79, 0xaa, 0xce, 0x69, 0xef}, {
++ 0x4c, 0x11, 0x17, 0x55, 0xbf, 0xc4, 0x4e, 0xfd}
++ }, {
++ {
++ 0x5d, 0x9e, 0x01, 0xd3, 0x25, 0xc7, 0x3e, 0x34,
++ 0x01, 0x16, 0x7c, 0x85, 0x23, 0xdf, 0xe0, 0x68}, {
++ 0x9c, 0x50, 0x09, 0x0f, 0x5e, 0x7d, 0x69, 0x7e}, {
++ 0xd2, 0x0b, 0x18, 0xdf, 0xd9, 0x0d, 0x9e, 0xff},}
++};
++
++static const struct {
++ const unsigned char key[24];
++ const unsigned char plaintext[8];
++ const unsigned char ciphertext[8];
++} tests3[] = {
++ {
++ {
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
++ 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0}, {
++ 0x8f, 0x8f, 0xbf, 0x9b, 0x5d, 0x48, 0xb4, 0x1c}, {
++ 0x59, 0x8c, 0xe5, 0xd3, 0x6c, 0xa2, 0xea, 0x1b},}, {
++ {
++ 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, 0xFE,
++ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
++ 0xED, 0x39, 0xD9, 0x50, 0xFA, 0x74, 0xBC, 0xC4}, {
++ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}, {
++0x11, 0x25, 0xb0, 0x35, 0xbe, 0xa0, 0x82, 0x86},},};
++
++static int corrupt_des;
++
++void FIPS_corrupt_des()
++{
++ corrupt_des = 1;
++}
++
++int FIPS_selftest_des()
++{
++ int n, ret = 0;
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++ /* Encrypt/decrypt with 2-key 3DES and compare to known answers */
++ for (n = 0; n < 2; ++n) {
++ unsigned char plaintext[8];
++
++ memcpy(plaintext, tests2[n].plaintext, sizeof(plaintext));
++ if (corrupt_des)
++ plaintext[0]++;
++ if (!fips_cipher_test(&ctx, EVP_des_ede_ecb(),
++ tests2[n].key, NULL,
++ plaintext, tests2[n].ciphertext, 8))
++ goto err;
++ }
++
++ /* Encrypt/decrypt with 3DES and compare to known answers */
++ for (n = 0; n < 2; ++n) {
++ if (!fips_cipher_test(&ctx, EVP_des_ede3_ecb(),
++ tests3[n].key, NULL,
++ tests3[n].plaintext, tests3[n].ciphertext, 8))
++ goto err;
++ }
++ ret = 1;
++ err:
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ if (ret == 0)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_DES, FIPS_R_SELFTEST_FAILED);
++
++ return ret;
++}
++#endif
+diff -up openssl-1.0.2a/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_ctr.c
+--- openssl-1.0.2a/crypto/fips/fips_drbg_ctr.c.fips 2015-04-22 16:08:40.294245702 +0200
++++ openssl-1.0.2a/crypto/fips/fips_drbg_ctr.c 2015-04-22 16:08:40.294245702 +0200
+@@ -0,0 +1,415 @@
++/* fips/rand/fips_drbg_ctr.c */
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <stdlib.h>
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/fips.h>
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++
++static void inc_128(DRBG_CTR_CTX * cctx)
++{
++ int i;
++ unsigned char c;
++ unsigned char *p = cctx->V + 15;
++ for (i = 0; i < 16; i++) {
++ c = *p;
++ c++;
++ *p = c;
++ if (c)
++ return;
++ p--;
++ }
++}
++
++static void ctr_XOR(DRBG_CTR_CTX * cctx, const unsigned char *in,
++ size_t inlen)
++{
++ size_t i, n;
++ /* Any zero padding will have no effect on the result as we
++ * are XORing. So just process however much input we have.
++ */
++
++ if (!in || !inlen)
++ return;
++
++ if (inlen < cctx->keylen)
++ n = inlen;
++ else
++ n = cctx->keylen;
++
++ for (i = 0; i < n; i++)
++ cctx->K[i] ^= in[i];
++ if (inlen <= cctx->keylen)
++ return;
++
++ n = inlen - cctx->keylen;
++ /* Should never happen */
++ if (n > 16)
++ n = 16;
++ for (i = 0; i < 16; i++)
++ cctx->V[i] ^= in[i + cctx->keylen];
++}
++
++/* Process a complete block using BCC algorithm of SPP 800-90 10.4.3 */
++
++static void ctr_BCC_block(DRBG_CTR_CTX * cctx, unsigned char *out,
++ const unsigned char *in)
++{
++ int i;
++ for (i = 0; i < 16; i++)
++ out[i] ^= in[i];
++ AES_encrypt(out, out, &cctx->df_ks);
++#if 0
++ fprintf(stderr, "BCC in+out\n");
++ BIO_dump_fp(stderr, in, 16);
++ BIO_dump_fp(stderr, out, 16);
++#endif
++}
++
++/* Handle several BCC operations for as much data as we need for K and X */
++static void ctr_BCC_blocks(DRBG_CTR_CTX * cctx, const unsigned char *in)
++{
++ ctr_BCC_block(cctx, cctx->KX, in);
++ ctr_BCC_block(cctx, cctx->KX + 16, in);
++ if (cctx->keylen != 16)
++ ctr_BCC_block(cctx, cctx->KX + 32, in);
++}
++
++/* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
++ * see 10.4.2 stage 7.
++ */
++static void ctr_BCC_init(DRBG_CTR_CTX * cctx)
++{
++ memset(cctx->KX, 0, 48);
++ memset(cctx->bltmp, 0, 16);
++ ctr_BCC_block(cctx, cctx->KX, cctx->bltmp);
++ cctx->bltmp[3] = 1;
++ ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp);
++ if (cctx->keylen != 16) {
++ cctx->bltmp[3] = 2;
++ ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp);
++ }
++}
++
++/* Process several blocks into BCC algorithm, some possibly partial */
++static void ctr_BCC_update(DRBG_CTR_CTX * cctx,
++ const unsigned char *in, size_t inlen)
++{
++ if (!in || !inlen)
++ return;
++ /* If we have partial block handle it first */
++ if (cctx->bltmp_pos) {
++ size_t left = 16 - cctx->bltmp_pos;
++ /* If we now have a complete block process it */
++ if (inlen >= left) {
++ memcpy(cctx->bltmp + cctx->bltmp_pos, in, left);
++ ctr_BCC_blocks(cctx, cctx->bltmp);
++ cctx->bltmp_pos = 0;
++ inlen -= left;
++ in += left;
++ }
++ }
++ /* Process zero or more complete blocks */
++ while (inlen >= 16) {
++ ctr_BCC_blocks(cctx, in);
++ in += 16;
++ inlen -= 16;
++ }
++ /* Copy any remaining partial block to the temporary buffer */
++ if (inlen > 0) {
++ memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen);
++ cctx->bltmp_pos += inlen;
++ }
++}
++
++static void ctr_BCC_final(DRBG_CTR_CTX * cctx)
++{
++ if (cctx->bltmp_pos) {
++ memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos);
++ ctr_BCC_blocks(cctx, cctx->bltmp);
++ }
++}
++
++static void ctr_df(DRBG_CTR_CTX * cctx,
++ const unsigned char *in1, size_t in1len,
++ const unsigned char *in2, size_t in2len,
++ const unsigned char *in3, size_t in3len)
++{
++ size_t inlen;
++ unsigned char *p = cctx->bltmp;
++ static unsigned char c80 = 0x80;
++
++ ctr_BCC_init(cctx);
++ if (!in1)
++ in1len = 0;
++ if (!in2)
++ in2len = 0;
++ if (!in3)
++ in3len = 0;
++ inlen = in1len + in2len + in3len;
++ /* Initialise L||N in temporary block */
++ *p++ = (inlen >> 24) & 0xff;
++ *p++ = (inlen >> 16) & 0xff;
++ *p++ = (inlen >> 8) & 0xff;
++ *p++ = inlen & 0xff;
++ /* NB keylen is at most 32 bytes */
++ *p++ = 0;
++ *p++ = 0;
++ *p++ = 0;
++ *p = (unsigned char)((cctx->keylen + 16) & 0xff);
++ cctx->bltmp_pos = 8;
++ ctr_BCC_update(cctx, in1, in1len);
++ ctr_BCC_update(cctx, in2, in2len);
++ ctr_BCC_update(cctx, in3, in3len);
++ ctr_BCC_update(cctx, &c80, 1);
++ ctr_BCC_final(cctx);
++ /* Set up key K */
++ AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks);
++ /* X follows key K */
++ AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks);
++ AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks);
++ if (cctx->keylen != 16)
++ AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks);
++#if 0
++ fprintf(stderr, "Output of ctr_df:\n");
++ BIO_dump_fp(stderr, cctx->KX, cctx->keylen + 16);
++#endif
++}
++
++/* NB the no-df Update in SP800-90 specifies a constant input length
++ * of seedlen, however other uses of this algorithm pad the input with
++ * zeroes if necessary and have up to two parameters XORed together,
++ * handle both cases in this function instead.
++ */
++
++static void ctr_Update(DRBG_CTX *dctx,
++ const unsigned char *in1, size_t in1len,
++ const unsigned char *in2, size_t in2len,
++ const unsigned char *nonce, size_t noncelen)
++{
++ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
++ /* ks is already setup for correct key */
++ inc_128(cctx);
++ AES_encrypt(cctx->V, cctx->K, &cctx->ks);
++ /* If keylen longer than 128 bits need extra encrypt */
++ if (cctx->keylen != 16) {
++ inc_128(cctx);
++ AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks);
++ }
++ inc_128(cctx);
++ AES_encrypt(cctx->V, cctx->V, &cctx->ks);
++ /* If 192 bit key part of V is on end of K */
++ if (cctx->keylen == 24) {
++ memcpy(cctx->V + 8, cctx->V, 8);
++ memcpy(cctx->V, cctx->K + 24, 8);
++ }
++
++ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
++ /* If no input reuse existing derived value */
++ if (in1 || nonce || in2)
++ ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len);
++ /* If this a reuse input in1len != 0 */
++ if (in1len)
++ ctr_XOR(cctx, cctx->KX, dctx->seedlen);
++ } else {
++ ctr_XOR(cctx, in1, in1len);
++ ctr_XOR(cctx, in2, in2len);
++ }
++
++ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
++#if 0
++ fprintf(stderr, "K+V after update is:\n");
++ BIO_dump_fp(stderr, cctx->K, cctx->keylen);
++ BIO_dump_fp(stderr, cctx->V, 16);
++#endif
++}
++
++static int drbg_ctr_instantiate(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t entlen,
++ const unsigned char *nonce, size_t noncelen,
++ const unsigned char *pers, size_t perslen)
++{
++ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
++ memset(cctx->K, 0, sizeof(cctx->K));
++ memset(cctx->V, 0, sizeof(cctx->V));
++ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
++ ctr_Update(dctx, ent, entlen, pers, perslen, nonce, noncelen);
++ return 1;
++}
++
++static int drbg_ctr_reseed(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t entlen,
++ const unsigned char *adin, size_t adinlen)
++{
++ ctr_Update(dctx, ent, entlen, adin, adinlen, NULL, 0);
++ return 1;
++}
++
++static int drbg_ctr_generate(DRBG_CTX *dctx,
++ unsigned char *out, size_t outlen,
++ const unsigned char *adin, size_t adinlen)
++{
++ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
++ if (adin && adinlen) {
++ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
++ /* This means we reuse derived value */
++ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
++ adin = NULL;
++ adinlen = 1;
++ }
++ } else
++ adinlen = 0;
++
++ for (;;) {
++ inc_128(cctx);
++ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
++ AES_encrypt(cctx->V, dctx->lb, &cctx->ks);
++ dctx->lb_valid = 1;
++ continue;
++ }
++ if (outlen < 16) {
++ /* Use K as temp space as it will be updated */
++ AES_encrypt(cctx->V, cctx->K, &cctx->ks);
++ if (!fips_drbg_cprng_test(dctx, cctx->K))
++ return 0;
++ memcpy(out, cctx->K, outlen);
++ break;
++ }
++ AES_encrypt(cctx->V, out, &cctx->ks);
++ if (!fips_drbg_cprng_test(dctx, out))
++ return 0;
++ out += 16;
++ outlen -= 16;
++ if (outlen == 0)
++ break;
++ }
++
++ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
++
++ return 1;
++
++}
++
++static int drbg_ctr_uninstantiate(DRBG_CTX *dctx)
++{
++ memset(&dctx->d.ctr, 0, sizeof(DRBG_CTR_CTX));
++ return 1;
++}
++
++int fips_drbg_ctr_init(DRBG_CTX *dctx)
++{
++ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
++
++ size_t keylen;
++
++ switch (dctx->type) {
++ case NID_aes_128_ctr:
++ keylen = 16;
++ break;
++
++ case NID_aes_192_ctr:
++ keylen = 24;
++ break;
++
++ case NID_aes_256_ctr:
++ keylen = 32;
++ break;
++
++ default:
++ return -2;
++ }
++
++ dctx->instantiate = drbg_ctr_instantiate;
++ dctx->reseed = drbg_ctr_reseed;
++ dctx->generate = drbg_ctr_generate;
++ dctx->uninstantiate = drbg_ctr_uninstantiate;
++
++ cctx->keylen = keylen;
++ dctx->strength = keylen * 8;
++ dctx->blocklength = 16;
++ dctx->seedlen = keylen + 16;
++
++ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
++ /* df initialisation */
++ static unsigned char df_key[32] = {
++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
++ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
++ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
++ };
++ /* Set key schedule for df_key */
++ AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks);
++
++ dctx->min_entropy = cctx->keylen;
++ dctx->max_entropy = DRBG_MAX_LENGTH;
++ dctx->min_nonce = dctx->min_entropy / 2;
++ dctx->max_nonce = DRBG_MAX_LENGTH;
++ dctx->max_pers = DRBG_MAX_LENGTH;
++ dctx->max_adin = DRBG_MAX_LENGTH;
++ } else {
++ dctx->min_entropy = dctx->seedlen;
++ dctx->max_entropy = dctx->seedlen;
++ /* Nonce not used */
++ dctx->min_nonce = 0;
++ dctx->max_nonce = 0;
++ dctx->max_pers = dctx->seedlen;
++ dctx->max_adin = dctx->seedlen;
++ }
++
++ dctx->max_request = 1 << 16;
++ dctx->reseed_interval = 1 << 24;
++
++ return 1;
++}
+diff -up openssl-1.0.2a/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_hash.c
+--- openssl-1.0.2a/crypto/fips/fips_drbg_hash.c.fips 2015-04-22 16:08:40.295245725 +0200
++++ openssl-1.0.2a/crypto/fips/fips_drbg_hash.c 2015-04-22 16:08:40.295245725 +0200
+@@ -0,0 +1,358 @@
++/* fips/rand/fips_drbg_hash.c */
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#define OPENSSL_FIPSAPI
++
++#include <stdlib.h>
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/fips.h>
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++
++/* This is Hash_df from SP 800-90 10.4.1 */
++
++static int hash_df(DRBG_CTX *dctx, unsigned char *out,
++ const unsigned char *in1, size_t in1len,
++ const unsigned char *in2, size_t in2len,
++ const unsigned char *in3, size_t in3len,
++ const unsigned char *in4, size_t in4len)
++{
++ EVP_MD_CTX *mctx = &dctx->d.hash.mctx;
++ unsigned char *vtmp = dctx->d.hash.vtmp;
++ unsigned char tmp[6];
++ /* Standard only ever needs seedlen bytes which is always less than
++ * maximum permitted so no need to check length.
++ */
++ size_t outlen = dctx->seedlen;
++ tmp[0] = 1;
++ tmp[1] = ((outlen * 8) >> 24) & 0xff;
++ tmp[2] = ((outlen * 8) >> 16) & 0xff;
++ tmp[3] = ((outlen * 8) >> 8) & 0xff;
++ tmp[4] = (outlen * 8) & 0xff;
++ if (!in1) {
++ tmp[5] = (unsigned char)in1len;
++ in1 = tmp + 5;
++ in1len = 1;
++ }
++ for (;;) {
++ if (!FIPS_digestinit(mctx, dctx->d.hash.md))
++ return 0;
++ if (!FIPS_digestupdate(mctx, tmp, 5))
++ return 0;
++ if (in1 && !FIPS_digestupdate(mctx, in1, in1len))
++ return 0;
++ if (in2 && !FIPS_digestupdate(mctx, in2, in2len))
++ return 0;
++ if (in3 && !FIPS_digestupdate(mctx, in3, in3len))
++ return 0;
++ if (in4 && !FIPS_digestupdate(mctx, in4, in4len))
++ return 0;
++ if (outlen < dctx->blocklength) {
++ if (!FIPS_digestfinal(mctx, vtmp, NULL))
++ return 0;
++ memcpy(out, vtmp, outlen);
++ OPENSSL_cleanse(vtmp, dctx->blocklength);
++ return 1;
++ } else if (!FIPS_digestfinal(mctx, out, NULL))
++ return 0;
++
++ outlen -= dctx->blocklength;
++ if (outlen == 0)
++ return 1;
++ tmp[0]++;
++ out += dctx->blocklength;
++ }
++}
++
++/* Add an unsigned buffer to the buf value, storing the result in buf. For
++ * this algorithm the length of input never exceeds the seed length.
++ */
++
++static void ctx_add_buf(DRBG_CTX *dctx, unsigned char *buf,
++ unsigned char *in, size_t inlen)
++{
++ size_t i = inlen;
++ const unsigned char *q;
++ unsigned char c, *p;
++ p = buf + dctx->seedlen;
++ q = in + inlen;
++
++ OPENSSL_assert(i <= dctx->seedlen);
++
++ /* Special case: zero length, just increment buffer */
++ if (i)
++ c = 0;
++ else
++ c = 1;
++
++ while (i) {
++ int r;
++ p--;
++ q--;
++ r = *p + *q + c;
++ /* Carry */
++ if (r > 0xff)
++ c = 1;
++ else
++ c = 0;
++ *p = r & 0xff;
++ i--;
++ }
++
++ i = dctx->seedlen - inlen;
++
++ /* If not adding whole buffer handle final carries */
++ if (c && i) {
++ do {
++ p--;
++ c = *p;
++ c++;
++ *p = c;
++ if (c)
++ return;
++ } while (i--);
++ }
++}
++
++/* Finalise and add hash to V */
++
++static int ctx_add_md(DRBG_CTX *dctx)
++{
++ if (!FIPS_digestfinal(&dctx->d.hash.mctx, dctx->d.hash.vtmp, NULL))
++ return 0;
++ ctx_add_buf(dctx, dctx->d.hash.V, dctx->d.hash.vtmp, dctx->blocklength);
++ return 1;
++}
++
++static int hash_gen(DRBG_CTX *dctx, unsigned char *out, size_t outlen)
++{
++ DRBG_HASH_CTX *hctx = &dctx->d.hash;
++ if (outlen == 0)
++ return 1;
++ memcpy(hctx->vtmp, hctx->V, dctx->seedlen);
++ for (;;) {
++ FIPS_digestinit(&hctx->mctx, hctx->md);
++ FIPS_digestupdate(&hctx->mctx, hctx->vtmp, dctx->seedlen);
++ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
++ FIPS_digestfinal(&hctx->mctx, dctx->lb, NULL);
++ dctx->lb_valid = 1;
++ } else if (outlen < dctx->blocklength) {
++ FIPS_digestfinal(&hctx->mctx, hctx->vtmp, NULL);
++ if (!fips_drbg_cprng_test(dctx, hctx->vtmp))
++ return 0;
++ memcpy(out, hctx->vtmp, outlen);
++ return 1;
++ } else {
++ FIPS_digestfinal(&hctx->mctx, out, NULL);
++ if (!fips_drbg_cprng_test(dctx, out))
++ return 0;
++ outlen -= dctx->blocklength;
++ if (outlen == 0)
++ return 1;
++ out += dctx->blocklength;
++ }
++ ctx_add_buf(dctx, hctx->vtmp, NULL, 0);
++ }
++}
++
++static int drbg_hash_instantiate(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t ent_len,
++ const unsigned char *nonce, size_t nonce_len,
++ const unsigned char *pstr, size_t pstr_len)
++{
++ DRBG_HASH_CTX *hctx = &dctx->d.hash;
++ if (!hash_df(dctx, hctx->V,
++ ent, ent_len, nonce, nonce_len, pstr, pstr_len, NULL, 0))
++ return 0;
++ if (!hash_df(dctx, hctx->C,
++ NULL, 0, hctx->V, dctx->seedlen, NULL, 0, NULL, 0))
++ return 0;
++
++#ifdef HASH_DRBG_TRACE
++ fprintf(stderr, "V+C after instantiate:\n");
++ hexprint(stderr, hctx->V, dctx->seedlen);
++ hexprint(stderr, hctx->C, dctx->seedlen);
++#endif
++ return 1;
++}
++
++static int drbg_hash_reseed(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t ent_len,
++ const unsigned char *adin, size_t adin_len)
++{
++ DRBG_HASH_CTX *hctx = &dctx->d.hash;
++ /* V about to be updated so use C as output instead */
++ if (!hash_df(dctx, hctx->C,
++ NULL, 1, hctx->V, dctx->seedlen,
++ ent, ent_len, adin, adin_len))
++ return 0;
++ memcpy(hctx->V, hctx->C, dctx->seedlen);
++ if (!hash_df(dctx, hctx->C, NULL, 0,
++ hctx->V, dctx->seedlen, NULL, 0, NULL, 0))
++ return 0;
++#ifdef HASH_DRBG_TRACE
++ fprintf(stderr, "V+C after reseed:\n");
++ hexprint(stderr, hctx->V, dctx->seedlen);
++ hexprint(stderr, hctx->C, dctx->seedlen);
++#endif
++ return 1;
++}
++
++static int drbg_hash_generate(DRBG_CTX *dctx,
++ unsigned char *out, size_t outlen,
++ const unsigned char *adin, size_t adin_len)
++{
++ DRBG_HASH_CTX *hctx = &dctx->d.hash;
++ EVP_MD_CTX *mctx = &hctx->mctx;
++ unsigned char tmp[4];
++ if (adin && adin_len) {
++ tmp[0] = 2;
++ if (!FIPS_digestinit(mctx, hctx->md))
++ return 0;
++ if (!EVP_DigestUpdate(mctx, tmp, 1))
++ return 0;
++ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
++ return 0;
++ if (!EVP_DigestUpdate(mctx, adin, adin_len))
++ return 0;
++ if (!ctx_add_md(dctx))
++ return 0;
++ }
++ if (!hash_gen(dctx, out, outlen))
++ return 0;
++
++ tmp[0] = 3;
++ if (!FIPS_digestinit(mctx, hctx->md))
++ return 0;
++ if (!EVP_DigestUpdate(mctx, tmp, 1))
++ return 0;
++ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
++ return 0;
++
++ if (!ctx_add_md(dctx))
++ return 0;
++
++ ctx_add_buf(dctx, hctx->V, hctx->C, dctx->seedlen);
++
++ tmp[0] = (dctx->reseed_counter >> 24) & 0xff;
++ tmp[1] = (dctx->reseed_counter >> 16) & 0xff;
++ tmp[2] = (dctx->reseed_counter >> 8) & 0xff;
++ tmp[3] = dctx->reseed_counter & 0xff;
++ ctx_add_buf(dctx, hctx->V, tmp, 4);
++#ifdef HASH_DRBG_TRACE
++ fprintf(stderr, "V+C after generate:\n");
++ hexprint(stderr, hctx->V, dctx->seedlen);
++ hexprint(stderr, hctx->C, dctx->seedlen);
++#endif
++ return 1;
++}
++
++static int drbg_hash_uninstantiate(DRBG_CTX *dctx)
++{
++ EVP_MD_CTX_cleanup(&dctx->d.hash.mctx);
++ OPENSSL_cleanse(&dctx->d.hash, sizeof(DRBG_HASH_CTX));
++ return 1;
++}
++
++int fips_drbg_hash_init(DRBG_CTX *dctx)
++{
++ const EVP_MD *md;
++ DRBG_HASH_CTX *hctx = &dctx->d.hash;
++ md = FIPS_get_digestbynid(dctx->type);
++ if (!md)
++ return -2;
++ switch (dctx->type) {
++ case NID_sha1:
++ dctx->strength = 128;
++ break;
++
++ case NID_sha224:
++ dctx->strength = 192;
++ break;
++
++ default:
++ dctx->strength = 256;
++ break;
++ }
++
++ dctx->instantiate = drbg_hash_instantiate;
++ dctx->reseed = drbg_hash_reseed;
++ dctx->generate = drbg_hash_generate;
++ dctx->uninstantiate = drbg_hash_uninstantiate;
++
++ dctx->d.hash.md = md;
++ EVP_MD_CTX_init(&hctx->mctx);
++
++ /* These are taken from SP 800-90 10.1 table 2 */
++
++ dctx->blocklength = M_EVP_MD_size(md);
++ if (dctx->blocklength > 32)
++ dctx->seedlen = 111;
++ else
++ dctx->seedlen = 55;
++
++ dctx->min_entropy = dctx->strength / 8;
++ dctx->max_entropy = DRBG_MAX_LENGTH;
++
++ dctx->min_nonce = dctx->min_entropy / 2;
++ dctx->max_nonce = DRBG_MAX_LENGTH;
++
++ dctx->max_pers = DRBG_MAX_LENGTH;
++ dctx->max_adin = DRBG_MAX_LENGTH;
++
++ dctx->max_request = 1 << 16;
++ dctx->reseed_interval = 1 << 24;
++
++ return 1;
++}
+diff -up openssl-1.0.2a/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_hmac.c
+--- openssl-1.0.2a/crypto/fips/fips_drbg_hmac.c.fips 2015-04-22 16:08:40.295245725 +0200
++++ openssl-1.0.2a/crypto/fips/fips_drbg_hmac.c 2015-04-22 16:08:40.295245725 +0200
+@@ -0,0 +1,270 @@
++/* fips/rand/fips_drbg_hmac.c */
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <stdlib.h>
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/evp.h>
++#include <openssl/hmac.h>
++#include <openssl/aes.h>
++#include <openssl/fips.h>
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++
++static int drbg_hmac_update(DRBG_CTX *dctx,
++ const unsigned char *in1, size_t in1len,
++ const unsigned char *in2, size_t in2len,
++ const unsigned char *in3, size_t in3len)
++{
++ static unsigned char c0 = 0, c1 = 1;
++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
++ HMAC_CTX *hctx = &hmac->hctx;
++
++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++ return 0;
++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
++ return 0;
++ if (!HMAC_Update(hctx, &c0, 1))
++ return 0;
++ if (in1len && !HMAC_Update(hctx, in1, in1len))
++ return 0;
++ if (in2len && !HMAC_Update(hctx, in2, in2len))
++ return 0;
++ if (in3len && !HMAC_Update(hctx, in3, in3len))
++ return 0;
++
++ if (!HMAC_Final(hctx, hmac->K, NULL))
++ return 0;
++
++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++ return 0;
++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
++ return 0;
++
++ if (!HMAC_Final(hctx, hmac->V, NULL))
++ return 0;
++
++ if (!in1len && !in2len && !in3len)
++ return 1;
++
++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++ return 0;
++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
++ return 0;
++ if (!HMAC_Update(hctx, &c1, 1))
++ return 0;
++ if (in1len && !HMAC_Update(hctx, in1, in1len))
++ return 0;
++ if (in2len && !HMAC_Update(hctx, in2, in2len))
++ return 0;
++ if (in3len && !HMAC_Update(hctx, in3, in3len))
++ return 0;
++
++ if (!HMAC_Final(hctx, hmac->K, NULL))
++ return 0;
++
++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++ return 0;
++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
++ return 0;
++
++ if (!HMAC_Final(hctx, hmac->V, NULL))
++ return 0;
++
++ return 1;
++
++}
++
++static int drbg_hmac_instantiate(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t ent_len,
++ const unsigned char *nonce, size_t nonce_len,
++ const unsigned char *pstr, size_t pstr_len)
++{
++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
++ memset(hmac->K, 0, dctx->blocklength);
++ memset(hmac->V, 1, dctx->blocklength);
++ if (!drbg_hmac_update(dctx,
++ ent, ent_len, nonce, nonce_len, pstr, pstr_len))
++ return 0;
++
++#ifdef HMAC_DRBG_TRACE
++ fprintf(stderr, "K+V after instantiate:\n");
++ hexprint(stderr, hmac->K, hmac->blocklength);
++ hexprint(stderr, hmac->V, hmac->blocklength);
++#endif
++ return 1;
++}
++
++static int drbg_hmac_reseed(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t ent_len,
++ const unsigned char *adin, size_t adin_len)
++{
++ if (!drbg_hmac_update(dctx, ent, ent_len, adin, adin_len, NULL, 0))
++ return 0;
++
++#ifdef HMAC_DRBG_TRACE
++ {
++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
++ fprintf(stderr, "K+V after reseed:\n");
++ hexprint(stderr, hmac->K, hmac->blocklength);
++ hexprint(stderr, hmac->V, hmac->blocklength);
++ }
++#endif
++ return 1;
++}
++
++static int drbg_hmac_generate(DRBG_CTX *dctx,
++ unsigned char *out, size_t outlen,
++ const unsigned char *adin, size_t adin_len)
++{
++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
++ HMAC_CTX *hctx = &hmac->hctx;
++ const unsigned char *Vtmp = hmac->V;
++ if (adin_len && !drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))
++ return 0;
++ for (;;) {
++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++ return 0;
++ if (!HMAC_Update(hctx, Vtmp, dctx->blocklength))
++ return 0;
++ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
++ if (!HMAC_Final(hctx, dctx->lb, NULL))
++ return 0;
++ dctx->lb_valid = 1;
++ Vtmp = dctx->lb;
++ continue;
++ } else if (outlen > dctx->blocklength) {
++ if (!HMAC_Final(hctx, out, NULL))
++ return 0;
++ if (!fips_drbg_cprng_test(dctx, out))
++ return 0;
++ Vtmp = out;
++ } else {
++ if (!HMAC_Final(hctx, hmac->V, NULL))
++ return 0;
++ if (!fips_drbg_cprng_test(dctx, hmac->V))
++ return 0;
++ memcpy(out, hmac->V, outlen);
++ break;
++ }
++ out += dctx->blocklength;
++ outlen -= dctx->blocklength;
++ }
++ if (!drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))
++ return 0;
++
++ return 1;
++}
++
++static int drbg_hmac_uninstantiate(DRBG_CTX *dctx)
++{
++ HMAC_CTX_cleanup(&dctx->d.hmac.hctx);
++ OPENSSL_cleanse(&dctx->d.hmac, sizeof(DRBG_HMAC_CTX));
++ return 1;
++}
++
++int fips_drbg_hmac_init(DRBG_CTX *dctx)
++{
++ const EVP_MD *md = NULL;
++ DRBG_HMAC_CTX *hctx = &dctx->d.hmac;
++ dctx->strength = 256;
++ switch (dctx->type) {
++ case NID_hmacWithSHA1:
++ md = EVP_sha1();
++ dctx->strength = 128;
++ break;
++
++ case NID_hmacWithSHA224:
++ md = EVP_sha224();
++ dctx->strength = 192;
++ break;
++
++ case NID_hmacWithSHA256:
++ md = EVP_sha256();
++ break;
++
++ case NID_hmacWithSHA384:
++ md = EVP_sha384();
++ break;
++
++ case NID_hmacWithSHA512:
++ md = EVP_sha512();
++ break;
++
++ default:
++ dctx->strength = 0;
++ return -2;
++ }
++ dctx->instantiate = drbg_hmac_instantiate;
++ dctx->reseed = drbg_hmac_reseed;
++ dctx->generate = drbg_hmac_generate;
++ dctx->uninstantiate = drbg_hmac_uninstantiate;
++ HMAC_CTX_init(&hctx->hctx);
++ hctx->md = md;
++ dctx->blocklength = M_EVP_MD_size(md);
++ dctx->seedlen = M_EVP_MD_size(md);
++
++ dctx->min_entropy = dctx->strength / 8;
++ dctx->max_entropy = DRBG_MAX_LENGTH;
++
++ dctx->min_nonce = dctx->min_entropy / 2;
++ dctx->max_nonce = DRBG_MAX_LENGTH;
++
++ dctx->max_pers = DRBG_MAX_LENGTH;
++ dctx->max_adin = DRBG_MAX_LENGTH;
++
++ dctx->max_request = 1 << 16;
++ dctx->reseed_interval = 1 << 24;
++
++ return 1;
++}
+diff -up openssl-1.0.2a/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_lib.c
+--- openssl-1.0.2a/crypto/fips/fips_drbg_lib.c.fips 2015-04-22 16:08:40.295245725 +0200
++++ openssl-1.0.2a/crypto/fips/fips_drbg_lib.c 2015-04-22 16:08:40.295245725 +0200
+@@ -0,0 +1,553 @@
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/err.h>
++#include <openssl/fips_rand.h>
++#include "fips_locl.h"
++#include "fips_rand_lcl.h"
++
++/* Support framework for SP800-90 DRBGs */
++
++int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)
++{
++ int rv;
++ memset(dctx, 0, sizeof(DRBG_CTX));
++ dctx->status = DRBG_STATUS_UNINITIALISED;
++ dctx->xflags = flags;
++ dctx->type = type;
++
++ dctx->iflags = 0;
++ dctx->entropy_blocklen = 0;
++ dctx->health_check_cnt = 0;
++ dctx->health_check_interval = DRBG_HEALTH_INTERVAL;
++
++ rv = fips_drbg_hash_init(dctx);
++
++ if (rv == -2)
++ rv = fips_drbg_ctr_init(dctx);
++ if (rv == -2)
++ rv = fips_drbg_hmac_init(dctx);
++
++ if (rv <= 0) {
++ if (rv == -2)
++ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE);
++ else
++ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG);
++ }
++
++ /* If not in test mode run selftests on DRBG of the same type */
++
++ if (!(dctx->xflags & DRBG_FLAG_TEST)) {
++ if (!FIPS_drbg_health_check(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);
++ return 0;
++ }
++ }
++
++ return rv;
++}
++
++DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags)
++{
++ DRBG_CTX *dctx;
++ dctx = OPENSSL_malloc(sizeof(DRBG_CTX));
++ if (!dctx) {
++ FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE);
++ return NULL;
++ }
++
++ if (type == 0) {
++ memset(dctx, 0, sizeof(DRBG_CTX));
++ dctx->type = 0;
++ dctx->status = DRBG_STATUS_UNINITIALISED;
++ return dctx;
++ }
++
++ if (FIPS_drbg_init(dctx, type, flags) <= 0) {
++ OPENSSL_free(dctx);
++ return NULL;
++ }
++
++ return dctx;
++}
++
++void FIPS_drbg_free(DRBG_CTX *dctx)
++{
++ if (dctx->uninstantiate)
++ dctx->uninstantiate(dctx);
++ /* Don't free up default DRBG */
++ if (dctx == FIPS_get_default_drbg()) {
++ memset(dctx, 0, sizeof(DRBG_CTX));
++ dctx->type = 0;
++ dctx->status = DRBG_STATUS_UNINITIALISED;
++ } else {
++ OPENSSL_cleanse(&dctx->d, sizeof(dctx->d));
++ OPENSSL_free(dctx);
++ }
++}
++
++static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len)
++{
++ unsigned char *tout, *p;
++ size_t bl = dctx->entropy_blocklen, rv;
++ if (!dctx->get_entropy)
++ return 0;
++ if (dctx->xflags & DRBG_FLAG_TEST || !bl)
++ return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
++ rv = dctx->get_entropy(dctx, &tout, entropy + bl,
++ min_len + bl, max_len + bl);
++ if (tout == NULL)
++ return 0;
++ *pout = tout + bl;
++ if (rv < (min_len + bl) || (rv % bl))
++ return 0;
++ /* Compare consecutive blocks for continuous PRNG test */
++ for (p = tout; p < tout + rv - bl; p += bl) {
++ if (!memcmp(p, p + bl, bl)) {
++ FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK);
++ return 0;
++ }
++ }
++ rv -= bl;
++ if (rv > max_len)
++ return max_len;
++ return rv;
++}
++
++static void fips_cleanup_entropy(DRBG_CTX *dctx,
++ unsigned char *out, size_t olen)
++{
++ size_t bl;
++ if (dctx->xflags & DRBG_FLAG_TEST)
++ bl = 0;
++ else
++ bl = dctx->entropy_blocklen;
++ /* Call cleanup with original arguments */
++ dctx->cleanup_entropy(dctx, out - bl, olen + bl);
++}
++
++int FIPS_drbg_instantiate(DRBG_CTX *dctx,
++ const unsigned char *pers, size_t perslen)
++{
++ size_t entlen = 0, noncelen = 0;
++ unsigned char *nonce = NULL, *entropy = NULL;
++
++#if 0
++ /* Put here so error script picks them up */
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE,
++ FIPS_R_PERSONALISATION_STRING_TOO_LONG);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED);
++#endif
++
++ int r = 0;
++
++ if (perslen > dctx->max_pers) {
++ r = FIPS_R_PERSONALISATION_STRING_TOO_LONG;
++ goto end;
++ }
++
++ if (!dctx->instantiate) {
++ r = FIPS_R_DRBG_NOT_INITIALISED;
++ goto end;
++ }
++
++ if (dctx->status != DRBG_STATUS_UNINITIALISED) {
++ if (dctx->status == DRBG_STATUS_ERROR)
++ r = FIPS_R_IN_ERROR_STATE;
++ else
++ r = FIPS_R_ALREADY_INSTANTIATED;
++ goto end;
++ }
++
++ dctx->status = DRBG_STATUS_ERROR;
++
++ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
++ dctx->min_entropy, dctx->max_entropy);
++
++ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
++ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
++ goto end;
++ }
++
++ if (dctx->max_nonce > 0 && dctx->get_nonce) {
++ noncelen = dctx->get_nonce(dctx, &nonce,
++ dctx->strength / 2,
++ dctx->min_nonce, dctx->max_nonce);
++
++ if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) {
++ r = FIPS_R_ERROR_RETRIEVING_NONCE;
++ goto end;
++ }
++
++ }
++
++ if (!dctx->instantiate(dctx,
++ entropy, entlen, nonce, noncelen, pers, perslen)) {
++ r = FIPS_R_ERROR_INSTANTIATING_DRBG;
++ goto end;
++ }
++
++ dctx->status = DRBG_STATUS_READY;
++ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
++ dctx->reseed_counter = 1;
++
++ end:
++
++ if (entropy && dctx->cleanup_entropy)
++ fips_cleanup_entropy(dctx, entropy, entlen);
++
++ if (nonce && dctx->cleanup_nonce)
++ dctx->cleanup_nonce(dctx, nonce, noncelen);
++
++ if (dctx->status == DRBG_STATUS_READY)
++ return 1;
++
++ if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r);
++
++ return 0;
++
++}
++
++static int drbg_reseed(DRBG_CTX *dctx,
++ const unsigned char *adin, size_t adinlen, int hcheck)
++{
++ unsigned char *entropy = NULL;
++ size_t entlen = 0;
++ int r = 0;
++
++#if 0
++ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED);
++ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
++#endif
++ if (dctx->status != DRBG_STATUS_READY
++ && dctx->status != DRBG_STATUS_RESEED) {
++ if (dctx->status == DRBG_STATUS_ERROR)
++ r = FIPS_R_IN_ERROR_STATE;
++ else if (dctx->status == DRBG_STATUS_UNINITIALISED)
++ r = FIPS_R_NOT_INSTANTIATED;
++ goto end;
++ }
++
++ if (!adin)
++ adinlen = 0;
++ else if (adinlen > dctx->max_adin) {
++ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
++ goto end;
++ }
++
++ dctx->status = DRBG_STATUS_ERROR;
++ /* Peform health check on all reseed operations if not a prediction
++ * resistance request and not in test mode.
++ */
++ if (hcheck && !(dctx->xflags & DRBG_FLAG_TEST)) {
++ if (!FIPS_drbg_health_check(dctx)) {
++ r = FIPS_R_SELFTEST_FAILURE;
++ goto end;
++ }
++ }
++
++ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
++ dctx->min_entropy, dctx->max_entropy);
++
++ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
++ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
++ goto end;
++ }
++
++ if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen))
++ goto end;
++
++ dctx->status = DRBG_STATUS_READY;
++ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
++ dctx->reseed_counter = 1;
++ end:
++
++ if (entropy && dctx->cleanup_entropy)
++ fips_cleanup_entropy(dctx, entropy, entlen);
++
++ if (dctx->status == DRBG_STATUS_READY)
++ return 1;
++
++ if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
++ FIPSerr(FIPS_F_DRBG_RESEED, r);
++
++ return 0;
++}
++
++int FIPS_drbg_reseed(DRBG_CTX *dctx,
++ const unsigned char *adin, size_t adinlen)
++{
++ return drbg_reseed(dctx, adin, adinlen, 1);
++}
++
++static int fips_drbg_check(DRBG_CTX *dctx)
++{
++ if (dctx->xflags & DRBG_FLAG_TEST)
++ return 1;
++ dctx->health_check_cnt++;
++ if (dctx->health_check_cnt >= dctx->health_check_interval) {
++ if (!FIPS_drbg_health_check(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE);
++ return 0;
++ }
++ }
++ return 1;
++}
++
++int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
++ int prediction_resistance,
++ const unsigned char *adin, size_t adinlen)
++{
++ int r = 0;
++
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++
++ if (!fips_drbg_check(dctx))
++ return 0;
++
++ if (dctx->status != DRBG_STATUS_READY
++ && dctx->status != DRBG_STATUS_RESEED) {
++ if (dctx->status == DRBG_STATUS_ERROR)
++ r = FIPS_R_IN_ERROR_STATE;
++ else if (dctx->status == DRBG_STATUS_UNINITIALISED)
++ r = FIPS_R_NOT_INSTANTIATED;
++ goto end;
++ }
++
++ if (outlen > dctx->max_request) {
++ r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
++ return 0;
++ }
++
++ if (adinlen > dctx->max_adin) {
++ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
++ goto end;
++ }
++
++ if (dctx->iflags & DRBG_CUSTOM_RESEED)
++ dctx->generate(dctx, NULL, outlen, NULL, 0);
++ else if (dctx->reseed_counter >= dctx->reseed_interval)
++ dctx->status = DRBG_STATUS_RESEED;
++
++ if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) {
++ /* If prediction resistance request don't do health check */
++ int hcheck = prediction_resistance ? 0 : 1;
++
++ if (!drbg_reseed(dctx, adin, adinlen, hcheck)) {
++ r = FIPS_R_RESEED_ERROR;
++ goto end;
++ }
++ adin = NULL;
++ adinlen = 0;
++ }
++
++ if (!dctx->generate(dctx, out, outlen, adin, adinlen)) {
++ r = FIPS_R_GENERATE_ERROR;
++ dctx->status = DRBG_STATUS_ERROR;
++ goto end;
++ }
++ if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) {
++ if (dctx->reseed_counter >= dctx->reseed_interval)
++ dctx->status = DRBG_STATUS_RESEED;
++ else
++ dctx->reseed_counter++;
++ }
++
++ end:
++ if (r) {
++ if (!(dctx->iflags & DRBG_FLAG_NOERR))
++ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);
++ return 0;
++ }
++
++ return 1;
++}
++
++int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)
++{
++ int rv;
++ if (!dctx->uninstantiate)
++ rv = 1;
++ else
++ rv = dctx->uninstantiate(dctx);
++ /* Although we'd like to cleanse here we can't because we have to
++ * test the uninstantiate really zeroes the data.
++ */
++ memset(&dctx->d, 0, sizeof(dctx->d));
++ dctx->status = DRBG_STATUS_UNINITIALISED;
++ /* If method has problems uninstantiating, return error */
++ return rv;
++}
++
++int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
++ size_t (*get_entropy) (DRBG_CTX *ctx,
++ unsigned char **pout,
++ int entropy,
++ size_t min_len,
++ size_t max_len),
++ void (*cleanup_entropy) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen),
++ size_t entropy_blocklen,
++ size_t (*get_nonce) (DRBG_CTX *ctx,
++ unsigned char **pout,
++ int entropy, size_t min_len,
++ size_t max_len),
++ void (*cleanup_nonce) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen))
++{
++ if (dctx->status != DRBG_STATUS_UNINITIALISED)
++ return 0;
++ dctx->entropy_blocklen = entropy_blocklen;
++ dctx->get_entropy = get_entropy;
++ dctx->cleanup_entropy = cleanup_entropy;
++ dctx->get_nonce = get_nonce;
++ dctx->cleanup_nonce = cleanup_nonce;
++ return 1;
++}
++
++int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
++ size_t (*get_adin) (DRBG_CTX *ctx,
++ unsigned char **pout),
++ void (*cleanup_adin) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen),
++ int (*rand_seed_cb) (DRBG_CTX *ctx,
++ const void *buf,
++ int num),
++ int (*rand_add_cb) (DRBG_CTX *ctx,
++ const void *buf, int num,
++ double entropy))
++{
++ if (dctx->status != DRBG_STATUS_UNINITIALISED)
++ return 0;
++ dctx->get_adin = get_adin;
++ dctx->cleanup_adin = cleanup_adin;
++ dctx->rand_seed_cb = rand_seed_cb;
++ dctx->rand_add_cb = rand_add_cb;
++ return 1;
++}
++
++void *FIPS_drbg_get_app_data(DRBG_CTX *dctx)
++{
++ return dctx->app_data;
++}
++
++void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data)
++{
++ dctx->app_data = app_data;
++}
++
++size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)
++{
++ return dctx->blocklength;
++}
++
++int FIPS_drbg_get_strength(DRBG_CTX *dctx)
++{
++ return dctx->strength;
++}
++
++void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval)
++{
++ dctx->health_check_interval = interval;
++}
++
++void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval)
++{
++ dctx->reseed_interval = interval;
++}
++
++static int drbg_stick = 0;
++
++void FIPS_drbg_stick(int onoff)
++{
++ drbg_stick = onoff;
++}
++
++/* Continuous DRBG utility function */
++int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out)
++{
++ /* No CPRNG in test mode */
++ if (dctx->xflags & DRBG_FLAG_TEST)
++ return 1;
++ /* Check block is valid: should never happen */
++ if (dctx->lb_valid == 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_INTERNAL_ERROR);
++ fips_set_selftest_fail();
++ return 0;
++ }
++ if (drbg_stick)
++ memcpy(dctx->lb, out, dctx->blocklength);
++ /* Check against last block: fail if match */
++ if (!memcmp(dctx->lb, out, dctx->blocklength)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_DRBG_STUCK);
++ fips_set_selftest_fail();
++ return 0;
++ }
++ /* Save last block for next comparison */
++ memcpy(dctx->lb, out, dctx->blocklength);
++ return 1;
++}
+diff -up openssl-1.0.2a/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_rand.c
+--- openssl-1.0.2a/crypto/fips/fips_drbg_rand.c.fips 2015-04-22 16:08:40.295245725 +0200
++++ openssl-1.0.2a/crypto/fips/fips_drbg_rand.c 2015-04-22 16:08:40.295245725 +0200
+@@ -0,0 +1,166 @@
++/* fips/rand/fips_drbg_rand.c */
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/err.h>
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++
++/* Mapping of SP800-90 DRBGs to OpenSSL RAND_METHOD */
++
++/* Since we only have one global PRNG used at any time in OpenSSL use a global
++ * variable to store context.
++ */
++
++static DRBG_CTX ossl_dctx;
++
++DRBG_CTX *FIPS_get_default_drbg(void)
++{
++ return &ossl_dctx;
++}
++
++static int fips_drbg_bytes(unsigned char *out, int count)
++{
++ DRBG_CTX *dctx = &ossl_dctx;
++ int rv = 0;
++ unsigned char *adin = NULL;
++ size_t adinlen = 0;
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ do {
++ size_t rcnt;
++ if (count > (int)dctx->max_request)
++ rcnt = dctx->max_request;
++ else
++ rcnt = count;
++ if (dctx->get_adin) {
++ adinlen = dctx->get_adin(dctx, &adin);
++ if (adinlen && !adin) {
++ FIPSerr(FIPS_F_FIPS_DRBG_BYTES,
++ FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT);
++ goto err;
++ }
++ }
++ rv = FIPS_drbg_generate(dctx, out, rcnt, 0, adin, adinlen);
++ if (adin) {
++ if (dctx->cleanup_adin)
++ dctx->cleanup_adin(dctx, adin, adinlen);
++ adin = NULL;
++ }
++ if (!rv)
++ goto err;
++ out += rcnt;
++ count -= rcnt;
++ }
++ while (count);
++ rv = 1;
++ err:
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++ return rv;
++}
++
++static int fips_drbg_pseudo(unsigned char *out, int count)
++{
++ if (fips_drbg_bytes(out, count) <= 0)
++ return -1;
++ return 1;
++}
++
++static int fips_drbg_status(void)
++{
++ DRBG_CTX *dctx = &ossl_dctx;
++ int rv;
++ CRYPTO_r_lock(CRYPTO_LOCK_RAND);
++ rv = dctx->status == DRBG_STATUS_READY ? 1 : 0;
++ CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
++ return rv;
++}
++
++static void fips_drbg_cleanup(void)
++{
++ DRBG_CTX *dctx = &ossl_dctx;
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ FIPS_drbg_uninstantiate(dctx);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++}
++
++static int fips_drbg_seed(const void *seed, int seedlen)
++{
++ DRBG_CTX *dctx = &ossl_dctx;
++ if (dctx->rand_seed_cb)
++ return dctx->rand_seed_cb(dctx, seed, seedlen);
++ return 1;
++}
++
++static int fips_drbg_add(const void *seed, int seedlen, double add_entropy)
++{
++ DRBG_CTX *dctx = &ossl_dctx;
++ if (dctx->rand_add_cb)
++ return dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
++ return 1;
++}
++
++static const RAND_METHOD rand_drbg_meth = {
++ fips_drbg_seed,
++ fips_drbg_bytes,
++ fips_drbg_cleanup,
++ fips_drbg_add,
++ fips_drbg_pseudo,
++ fips_drbg_status
++};
++
++const RAND_METHOD *FIPS_drbg_method(void)
++{
++ return &rand_drbg_meth;
++}
+diff -up openssl-1.0.2a/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_selftest.c
+--- openssl-1.0.2a/crypto/fips/fips_drbg_selftest.c.fips 2015-04-22 16:08:40.296245749 +0200
++++ openssl-1.0.2a/crypto/fips/fips_drbg_selftest.c 2015-04-22 16:08:40.296245749 +0200
+@@ -0,0 +1,827 @@
++/* fips/rand/fips_drbg_selftest.c */
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/err.h>
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++#include "fips_locl.h"
++
++#include "fips_drbg_selftest.h"
++
++typedef struct {
++ int post;
++ int nid;
++ unsigned int flags;
++
++ /* KAT data for no PR */
++ const unsigned char *ent;
++ size_t entlen;
++ const unsigned char *nonce;
++ size_t noncelen;
++ const unsigned char *pers;
++ size_t perslen;
++ const unsigned char *adin;
++ size_t adinlen;
++ const unsigned char *entreseed;
++ size_t entreseedlen;
++ const unsigned char *adinreseed;
++ size_t adinreseedlen;
++ const unsigned char *adin2;
++ size_t adin2len;
++ const unsigned char *kat;
++ size_t katlen;
++ const unsigned char *kat2;
++ size_t kat2len;
++
++ /* KAT data for PR */
++ const unsigned char *ent_pr;
++ size_t entlen_pr;
++ const unsigned char *nonce_pr;
++ size_t noncelen_pr;
++ const unsigned char *pers_pr;
++ size_t perslen_pr;
++ const unsigned char *adin_pr;
++ size_t adinlen_pr;
++ const unsigned char *entpr_pr;
++ size_t entprlen_pr;
++ const unsigned char *ading_pr;
++ size_t adinglen_pr;
++ const unsigned char *entg_pr;
++ size_t entglen_pr;
++ const unsigned char *kat_pr;
++ size_t katlen_pr;
++ const unsigned char *kat2_pr;
++ size_t kat2len_pr;
++
++} DRBG_SELFTEST_DATA;
++
++#define make_drbg_test_data(nid, flag, pr, p) {p, nid, flag | DRBG_FLAG_TEST, \
++ pr##_entropyinput, sizeof(pr##_entropyinput), \
++ pr##_nonce, sizeof(pr##_nonce), \
++ pr##_personalizationstring, sizeof(pr##_personalizationstring), \
++ pr##_additionalinput, sizeof(pr##_additionalinput), \
++ pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
++ pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
++ pr##_additionalinput2, sizeof(pr##_additionalinput2), \
++ pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
++ pr##_returnedbits, sizeof(pr##_returnedbits), \
++ pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
++ pr##_pr_nonce, sizeof(pr##_pr_nonce), \
++ pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
++ pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
++ pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
++ pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
++ pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
++ pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
++ pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits), \
++ }
++
++#define make_drbg_test_data_df(nid, pr, p) \
++ make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr, p)
++
++#define make_drbg_test_data_ec(curve, md, pr, p) \
++ make_drbg_test_data((curve << 16) | md , 0, pr, p)
++
++static DRBG_SELFTEST_DATA drbg_test[] = {
++ make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0),
++ make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0),
++ make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1),
++ make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df, 0),
++ make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df, 0),
++ make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df, 1),
++ make_drbg_test_data(NID_sha1, 0, sha1, 0),
++ make_drbg_test_data(NID_sha224, 0, sha224, 0),
++ make_drbg_test_data(NID_sha256, 0, sha256, 1),
++ make_drbg_test_data(NID_sha384, 0, sha384, 0),
++ make_drbg_test_data(NID_sha512, 0, sha512, 0),
++ make_drbg_test_data(NID_hmacWithSHA1, 0, hmac_sha1, 0),
++ make_drbg_test_data(NID_hmacWithSHA224, 0, hmac_sha224, 0),
++ make_drbg_test_data(NID_hmacWithSHA256, 0, hmac_sha256, 1),
++ make_drbg_test_data(NID_hmacWithSHA384, 0, hmac_sha384, 0),
++ make_drbg_test_data(NID_hmacWithSHA512, 0, hmac_sha512, 0),
++ {0, 0, 0}
++};
++
++typedef struct {
++ const unsigned char *ent;
++ size_t entlen;
++ int entcnt;
++ const unsigned char *nonce;
++ size_t noncelen;
++ int noncecnt;
++} TEST_ENT;
++
++static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len)
++{
++ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
++ *pout = (unsigned char *)t->ent;
++ t->entcnt++;
++ return t->entlen;
++}
++
++static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len)
++{
++ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
++ *pout = (unsigned char *)t->nonce;
++ t->noncecnt++;
++ return t->noncelen;
++}
++
++static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td,
++ int quick)
++{
++ TEST_ENT t;
++ int rv = 0;
++ size_t adinlen;
++ unsigned char randout[1024];
++
++ /* Initial test without PR */
++
++ /* Instantiate DRBG with test entropy, nonce and personalisation
++ * string.
++ */
++
++ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
++ return 0;
++ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
++ return 0;
++
++ FIPS_drbg_set_app_data(dctx, &t);
++
++ t.ent = td->ent;
++ t.entlen = td->entlen;
++ t.nonce = td->nonce;
++ t.noncelen = td->noncelen;
++ t.entcnt = 0;
++ t.noncecnt = 0;
++
++ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
++ goto err;
++
++ /* Note for CTR without DF some additional input values
++ * ignore bytes after the keylength: so reduce adinlen
++ * to half to ensure invalid data is fed in.
++ */
++ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
++ adinlen = td->adinlen / 2;
++ else
++ adinlen = td->adinlen;
++
++ /* Generate with no PR and verify output matches expected data */
++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, td->adin, adinlen))
++ goto err;
++
++ if (memcmp(randout, td->kat, td->katlen)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST1_FAILURE);
++ goto err2;
++ }
++ /* If abbreviated POST end of test */
++ if (quick) {
++ rv = 1;
++ goto err;
++ }
++ /* Reseed DRBG with test entropy and additional input */
++ t.ent = td->entreseed;
++ t.entlen = td->entreseedlen;
++
++ if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen))
++ goto err;
++
++ /* Generate with no PR and verify output matches expected data */
++ if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0,
++ td->adin2, td->adin2len))
++ goto err;
++
++ if (memcmp(randout, td->kat2, td->kat2len)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST2_FAILURE);
++ goto err2;
++ }
++
++ FIPS_drbg_uninstantiate(dctx);
++
++ /* Now test with PR */
++
++ /* Instantiate DRBG with test entropy, nonce and personalisation
++ * string.
++ */
++ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
++ return 0;
++ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
++ return 0;
++
++ FIPS_drbg_set_app_data(dctx, &t);
++
++ t.ent = td->ent_pr;
++ t.entlen = td->entlen_pr;
++ t.nonce = td->nonce_pr;
++ t.noncelen = td->noncelen_pr;
++ t.entcnt = 0;
++ t.noncecnt = 0;
++
++ if (!FIPS_drbg_instantiate(dctx, td->pers_pr, td->perslen_pr))
++ goto err;
++
++ /* Now generate with PR: we need to supply entropy as this will
++ * perform a reseed operation. Check output matches expected value.
++ */
++
++ t.ent = td->entpr_pr;
++ t.entlen = td->entprlen_pr;
++
++ /* Note for CTR without DF some additional input values
++ * ignore bytes after the keylength: so reduce adinlen
++ * to half to ensure invalid data is fed in.
++ */
++ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
++ adinlen = td->adinlen_pr / 2;
++ else
++ adinlen = td->adinlen_pr;
++ if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 1,
++ td->adin_pr, adinlen))
++ goto err;
++
++ if (memcmp(randout, td->kat_pr, td->katlen_pr)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST1_FAILURE);
++ goto err2;
++ }
++
++ /* Now generate again with PR: supply new entropy again.
++ * Check output matches expected value.
++ */
++
++ t.ent = td->entg_pr;
++ t.entlen = td->entglen_pr;
++
++ if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 1,
++ td->ading_pr, td->adinglen_pr))
++ goto err;
++
++ if (memcmp(randout, td->kat2_pr, td->kat2len_pr)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST2_FAILURE);
++ goto err2;
++ }
++ /* All OK, test complete */
++ rv = 1;
++
++ err:
++ if (rv == 0)
++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED);
++ err2:
++ FIPS_drbg_uninstantiate(dctx);
++
++ return rv;
++
++}
++
++/* Initialise a DRBG based on selftest data */
++
++static int do_drbg_init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, TEST_ENT * t)
++{
++
++ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
++ return 0;
++
++ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
++ return 0;
++
++ FIPS_drbg_set_app_data(dctx, t);
++
++ t->ent = td->ent;
++ t->entlen = td->entlen;
++ t->nonce = td->nonce;
++ t->noncelen = td->noncelen;
++ t->entcnt = 0;
++ t->noncecnt = 0;
++ return 1;
++}
++
++/* Initialise and instantiate DRBG based on selftest data */
++static int do_drbg_instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td,
++ TEST_ENT * t)
++{
++ if (!do_drbg_init(dctx, td, t))
++ return 0;
++ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
++ return 0;
++
++ return 1;
++}
++
++/* This function performs extensive error checking as required by SP800-90.
++ * Induce several failure modes and check an error condition is set.
++ * This function along with fips_drbg_single_kat peforms the health checking
++ * operation.
++ */
++
++static int fips_drbg_error_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td)
++{
++ unsigned char randout[1024];
++ TEST_ENT t;
++ size_t i;
++ unsigned int reseed_counter_tmp;
++ unsigned char *p = (unsigned char *)dctx;
++
++ /* Initialise DRBG */
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ /* Don't report induced errors */
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ /* Personalisation string tests */
++
++ /* Test detection of too large personlisation string */
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_PERSONALISATION_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ /* Entropy source tests */
++
++ /* Test entropy source failure detecion: i.e. returns no data */
++
++ t.entlen = 0;
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ /* Try to generate output from uninstantiated DRBG */
++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++ td->adin, td->adinlen)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_GENERATE_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ /* Test insufficient entropy */
++
++ t.entlen = dctx->min_entropy - 1;
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Test too much entropy */
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ t.entlen = dctx->max_entropy + 1;
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Nonce tests */
++
++ /* Test too small nonce */
++
++ if (dctx->min_nonce) {
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ t.noncelen = dctx->min_nonce - 1;
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_NONCE_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ }
++
++ /* Test too large nonce */
++
++ if (dctx->max_nonce) {
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ t.noncelen = dctx->max_nonce + 1;
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_NONCE_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ }
++
++ /* Instantiate with valid data. */
++ if (!do_drbg_instantiate(dctx, td, &t))
++ goto err;
++
++ /* Check generation is now OK */
++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++ td->adin, td->adinlen))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ /* Request too much data for one request */
++ if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0,
++ td->adin, td->adinlen)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ /* Try too large additional input */
++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++ td->adin, dctx->max_adin + 1)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ /* Check prediction resistance request fails if entropy source
++ * failure.
++ */
++
++ t.entlen = 0;
++
++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
++ td->adin, td->adinlen)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Instantiate again with valid data */
++
++ if (!do_drbg_instantiate(dctx, td, &t))
++ goto err;
++ /* Test reseed counter works */
++ /* Save initial reseed counter */
++ reseed_counter_tmp = dctx->reseed_counter;
++ /* Set reseed counter to beyond interval */
++ dctx->reseed_counter = dctx->reseed_interval;
++
++ /* Generate output and check entropy has been requested for reseed */
++ t.entcnt = 0;
++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++ td->adin, td->adinlen))
++ goto err;
++ if (t.entcnt != 1) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
++ goto err;
++ }
++ /* Check reseed counter has been reset */
++ if (dctx->reseed_counter != reseed_counter_tmp + 1) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Check prediction resistance request fails if entropy source
++ * failure.
++ */
++
++ t.entlen = 0;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
++ td->adin, td->adinlen)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ if (!do_drbg_instantiate(dctx, td, &t))
++ goto err;
++ /* Test reseed counter works */
++ /* Save initial reseed counter */
++ reseed_counter_tmp = dctx->reseed_counter;
++ /* Set reseed counter to beyond interval */
++ dctx->reseed_counter = dctx->reseed_interval;
++
++ /* Generate output and check entropy has been requested for reseed */
++ t.entcnt = 0;
++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++ td->adin, td->adinlen))
++ goto err;
++ if (t.entcnt != 1) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
++ goto err;
++ }
++ /* Check reseed counter has been reset */
++ if (dctx->reseed_counter != reseed_counter_tmp + 1) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Explicit reseed tests */
++
++ /* Test explicit reseed with too large additional input */
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ if (FIPS_drbg_reseed(dctx, td->adin, dctx->max_adin + 1) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ /* Test explicit reseed with entropy source failure */
++
++ t.entlen = 0;
++
++ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Test explicit reseed with too much entropy */
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ t.entlen = dctx->max_entropy + 1;
++
++ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Test explicit reseed with too little entropy */
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ t.entlen = dctx->min_entropy - 1;
++
++ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ p = (unsigned char *)&dctx->d;
++ /* Standard says we have to check uninstantiate really zeroes
++ * the data...
++ */
++ for (i = 0; i < sizeof(dctx->d); i++) {
++ if (*p != 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_UNINSTANTIATE_ZEROISE_ERROR);
++ goto err;
++ }
++ p++;
++ }
++
++ return 1;
++
++ err:
++ /* A real error as opposed to an induced one: underlying function will
++ * indicate the error.
++ */
++ if (!(dctx->iflags & DRBG_FLAG_NOERR))
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_FUNCTION_ERROR);
++ FIPS_drbg_uninstantiate(dctx);
++ return 0;
++
++}
++
++int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags)
++{
++ DRBG_SELFTEST_DATA *td;
++ flags |= DRBG_FLAG_TEST;
++ for (td = drbg_test; td->nid != 0; td++) {
++ if (td->nid == nid && td->flags == flags) {
++ if (!fips_drbg_single_kat(dctx, td, 0))
++ return 0;
++ return fips_drbg_error_check(dctx, td);
++ }
++ }
++ return 0;
++}
++
++int FIPS_drbg_health_check(DRBG_CTX *dctx)
++{
++ int rv;
++ DRBG_CTX *tctx = NULL;
++ tctx = FIPS_drbg_new(0, 0);
++ fips_post_started(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
++ if (!tctx)
++ return 0;
++ rv = fips_drbg_kat(tctx, dctx->type, dctx->xflags);
++ if (tctx)
++ FIPS_drbg_free(tctx);
++ if (rv)
++ fips_post_success(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
++ else
++ fips_post_failed(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
++ if (!rv)
++ dctx->status = DRBG_STATUS_ERROR;
++ else
++ dctx->health_check_cnt = 0;
++ return rv;
++}
++
++int FIPS_selftest_drbg(void)
++{
++ DRBG_CTX *dctx;
++ DRBG_SELFTEST_DATA *td;
++ int rv = 1;
++ dctx = FIPS_drbg_new(0, 0);
++ if (!dctx)
++ return 0;
++ for (td = drbg_test; td->nid != 0; td++) {
++ if (td->post != 1)
++ continue;
++ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
++ return 1;
++ if (!fips_drbg_single_kat(dctx, td, 1)) {
++ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
++ rv = 0;
++ continue;
++ }
++ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
++ return 0;
++ }
++ FIPS_drbg_free(dctx);
++ return rv;
++}
++
++int FIPS_selftest_drbg_all(void)
++{
++ DRBG_CTX *dctx;
++ DRBG_SELFTEST_DATA *td;
++ int rv = 1;
++ dctx = FIPS_drbg_new(0, 0);
++ if (!dctx)
++ return 0;
++ for (td = drbg_test; td->nid != 0; td++) {
++ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
++ return 1;
++ if (!fips_drbg_single_kat(dctx, td, 0)) {
++ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
++ rv = 0;
++ continue;
++ }
++ if (!fips_drbg_error_check(dctx, td)) {
++ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
++ rv = 0;
++ continue;
++ }
++ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
++ return 0;
++ }
++ FIPS_drbg_free(dctx);
++ return rv;
++}
+diff -up openssl-1.0.2a/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.2a/crypto/fips/fips_drbg_selftest.h
+--- openssl-1.0.2a/crypto/fips/fips_drbg_selftest.h.fips 2015-04-22 16:08:40.297245773 +0200
++++ openssl-1.0.2a/crypto/fips/fips_drbg_selftest.h 2015-04-22 16:08:40.297245773 +0200
+@@ -0,0 +1,1791 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++/* Selftest and health check data for the SP800-90 DRBG */
++
++#define __fips_constseg
++
++/* AES-128 use df PR */
++__fips_constseg static const unsigned char aes_128_use_df_pr_entropyinput[] = {
++ 0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33,
++ 0xc8, 0xdb, 0xff, 0x12
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_pr_nonce[] = {
++ 0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_personalizationstring[] = {
++ 0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe,
++ 0xd7, 0xd7, 0x01, 0x67
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_additionalinput[] = {
++ 0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e,
++ 0x9a, 0x47, 0x08, 0x76
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_entropyinputpr[] = {
++ 0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51,
++ 0x09, 0xfb, 0xa3, 0xb6
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_int_returnedbits[] = {
++ 0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52,
++ 0x66, 0x1c, 0xea, 0x5b
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_additionalinput2[] = {
++ 0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11,
++ 0x3f, 0x5e, 0x31, 0x06
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = {
++ 0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae,
++ 0xa7, 0xe3, 0xa8, 0x67
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_pr_returnedbits[] = {
++ 0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24,
++ 0x0f, 0x38, 0x43, 0xc6
++};
++
++/* AES-128 use df No PR */
++__fips_constseg static const unsigned char aes_128_use_df_entropyinput[] = {
++ 0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3,
++ 0x9d, 0x7d, 0x1c, 0x9b
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_nonce[] = {
++ 0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_personalizationstring[] = {
++ 0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3,
++ 0x38, 0x66, 0xba, 0x1b
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_additionalinput[] = {
++ 0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46,
++ 0xb5, 0xe2, 0xb2, 0x41
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_int_returnedbits[] = {
++ 0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67,
++ 0xe7, 0x57, 0x11, 0xb4
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_entropyinputreseed[] = {
++ 0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b,
++ 0xc7, 0xc4, 0x9e, 0x39
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_additionalinputreseed[] = {
++ 0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a,
++ 0xc8, 0x93, 0xfa, 0x84
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_additionalinput2[] = {
++ 0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5,
++ 0x06, 0x0c, 0x15, 0x2c
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_returnedbits[] = {
++ 0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88,
++ 0x46, 0x81, 0xc7, 0x19
++};
++
++/* AES-192 use df PR */
++__fips_constseg static const unsigned char aes_192_use_df_pr_entropyinput[] = {
++ 0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec,
++ 0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_pr_nonce[] = {
++ 0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0,
++ 0xd1, 0x80, 0x78, 0xfa
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_personalizationstring[] = {
++ 0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16,
++ 0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5,
++ 0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_additionalinput[] = {
++ 0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac,
++ 0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb,
++ 0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_entropyinputpr[] = {
++ 0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5,
++ 0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_int_returnedbits[] = {
++ 0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9,
++ 0x19, 0x30, 0x6b, 0x67
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_additionalinput2[] = {
++ 0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32,
++ 0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda,
++ 0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = {
++ 0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0,
++ 0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_pr_returnedbits[] = {
++ 0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c,
++ 0x7e, 0x1a, 0x2b, 0x83
++};
++
++/* AES-192 use df No PR */
++__fips_constseg static const unsigned char aes_192_use_df_entropyinput[] = {
++ 0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82,
++ 0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_nonce[] = {
++ 0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d,
++ 0x77, 0xd7, 0x41, 0x0e
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_personalizationstring[] = {
++ 0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf,
++ 0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65,
++ 0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_additionalinput[] = {
++ 0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69,
++ 0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22,
++ 0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_int_returnedbits[] = {
++ 0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6,
++ 0xb7, 0xed, 0xe9, 0xea
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_entropyinputreseed[] = {
++ 0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02,
++ 0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_additionalinputreseed[] = {
++ 0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76,
++ 0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77,
++ 0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_additionalinput2[] = {
++ 0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e,
++ 0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0,
++ 0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_returnedbits[] = {
++ 0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58,
++ 0x1a, 0xf9, 0x13, 0x28
++};
++
++/* AES-256 use df PR */
++__fips_constseg static const unsigned char aes_256_use_df_pr_entropyinput[] = {
++ 0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74,
++ 0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f,
++ 0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_pr_nonce[] = {
++ 0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33,
++ 0x2b, 0x36, 0xff, 0xa4
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_personalizationstring[] = {
++ 0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24,
++ 0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83,
++ 0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_additionalinput[] = {
++ 0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0,
++ 0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3,
++ 0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_entropyinputpr[] = {
++ 0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77,
++ 0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54,
++ 0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_int_returnedbits[] = {
++ 0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7,
++ 0x17, 0xab, 0x3c, 0x7a
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_additionalinput2[] = {
++ 0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00,
++ 0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78,
++ 0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = {
++ 0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73,
++ 0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8,
++ 0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_pr_returnedbits[] = {
++ 0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0,
++ 0xd9, 0xe2, 0x97, 0x00
++};
++
++/* AES-256 use df No PR */
++__fips_constseg static const unsigned char aes_256_use_df_entropyinput[] = {
++ 0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50,
++ 0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68,
++ 0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_nonce[] = {
++ 0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a,
++ 0x4c, 0x44, 0x84, 0x40
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_personalizationstring[] = {
++ 0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05,
++ 0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b,
++ 0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_additionalinput[] = {
++ 0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f,
++ 0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf,
++ 0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_int_returnedbits[] = {
++ 0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1,
++ 0x28, 0x0c, 0x3b, 0xc1
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_entropyinputreseed[] = {
++ 0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76,
++ 0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46,
++ 0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_additionalinputreseed[] = {
++ 0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99,
++ 0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75,
++ 0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_additionalinput2[] = {
++ 0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d,
++ 0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a,
++ 0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_returnedbits[] = {
++ 0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad,
++ 0xfa, 0xfd, 0x35, 0x5e
++};
++
++/* AES-128 no df PR */
++__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinput[] = {
++ 0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4,
++ 0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf,
++ 0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_pr_nonce[] = {
++ 0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_pr_personalizationstring[] = {
++ 0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c,
++ 0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c,
++ 0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_pr_additionalinput[] = {
++ 0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02,
++ 0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73,
++ 0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinputpr[] = {
++ 0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a,
++ 0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7,
++ 0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_pr_int_returnedbits[] = {
++ 0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71,
++ 0xaf, 0x19, 0x32, 0x16
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_pr_additionalinput2[] = {
++ 0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f,
++ 0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83,
++ 0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = {
++ 0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a,
++ 0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07,
++ 0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_pr_returnedbits[] = {
++ 0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33,
++ 0x57, 0x82, 0x33, 0xaf
++};
++
++/* AES-128 no df No PR */
++__fips_constseg static const unsigned char aes_128_no_df_entropyinput[] = {
++ 0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67,
++ 0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42,
++ 0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_nonce[] = {
++ 0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_personalizationstring[] = {
++ 0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb,
++ 0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b,
++ 0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_additionalinput[] = {
++ 0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37,
++ 0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24,
++ 0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_int_returnedbits[] = {
++ 0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6,
++ 0xed, 0x3e, 0x65, 0xc2
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_entropyinputreseed[] = {
++ 0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66,
++ 0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1,
++ 0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_additionalinputreseed[] = {
++ 0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2,
++ 0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4,
++ 0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_additionalinput2[] = {
++ 0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f,
++ 0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac,
++ 0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_returnedbits[] = {
++ 0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36,
++ 0x81, 0x37, 0x19, 0xd4
++};
++
++/* AES-192 no df PR */
++__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinput[] = {
++ 0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7,
++ 0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61,
++ 0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a,
++ 0x17, 0x1f, 0x8d, 0x9a
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_pr_nonce[] = {
++ 0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19,
++ 0x61, 0x5c, 0xee, 0x0f
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_pr_personalizationstring[] = {
++ 0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1,
++ 0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4,
++ 0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10,
++ 0x57, 0x2e, 0xe7, 0x55
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_pr_additionalinput[] = {
++ 0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad,
++ 0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85,
++ 0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f,
++ 0xe2, 0xd0, 0x0c, 0x2f
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinputpr[] = {
++ 0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94,
++ 0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb,
++ 0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58,
++ 0x1d, 0x30, 0xb3, 0x78
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_pr_int_returnedbits[] = {
++ 0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40,
++ 0x7e, 0x3e, 0x0c, 0x26
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_pr_additionalinput2[] = {
++ 0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a,
++ 0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57,
++ 0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee,
++ 0x0c, 0x4b, 0xee, 0x6e
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = {
++ 0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0,
++ 0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f,
++ 0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b,
++ 0x8e, 0x0a, 0x83, 0xdf
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_pr_returnedbits[] = {
++ 0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91,
++ 0xb9, 0xa1, 0x21, 0x68
++};
++
++/* AES-192 no df No PR */
++__fips_constseg static const unsigned char aes_192_no_df_entropyinput[] = {
++ 0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e,
++ 0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe,
++ 0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28,
++ 0x94, 0xc3, 0x59, 0x63
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_nonce[] = {
++ 0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb,
++ 0x29, 0xfd, 0x45, 0x71
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_personalizationstring[] = {
++ 0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08,
++ 0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96,
++ 0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b,
++ 0x3b, 0x88, 0xce, 0x35
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_additionalinput[] = {
++ 0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b,
++ 0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71,
++ 0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3,
++ 0x3e, 0xbe, 0xd4, 0x8e
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_int_returnedbits[] = {
++ 0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a,
++ 0x45, 0xe7, 0x4a, 0xc5
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_entropyinputreseed[] = {
++ 0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e,
++ 0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1,
++ 0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33,
++ 0x9b, 0xcb, 0x7e, 0x75
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_additionalinputreseed[] = {
++ 0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01,
++ 0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27,
++ 0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40,
++ 0x5d, 0x7a, 0x25, 0x79
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_additionalinput2[] = {
++ 0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71,
++ 0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5,
++ 0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a,
++ 0x91, 0x6a, 0xe3, 0x5f
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_returnedbits[] = {
++ 0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8,
++ 0x66, 0x67, 0x2c, 0x92
++};
++
++/* AES-256 no df PR */
++__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinput[] = {
++ 0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8,
++ 0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2,
++ 0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03,
++ 0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_pr_nonce[] = {
++ 0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30,
++ 0xcc, 0x4b, 0xee, 0x2e
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_pr_personalizationstring[] = {
++ 0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7,
++ 0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b,
++ 0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac,
++ 0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_pr_additionalinput[] = {
++ 0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40,
++ 0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c,
++ 0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69,
++ 0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinputpr[] = {
++ 0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16,
++ 0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc,
++ 0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9,
++ 0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_pr_int_returnedbits[] = {
++ 0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56,
++ 0x79, 0x60, 0x93, 0xcf
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_pr_additionalinput2[] = {
++ 0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a,
++ 0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35,
++ 0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34,
++ 0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = {
++ 0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3,
++ 0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa,
++ 0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83,
++ 0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_pr_returnedbits[] = {
++ 0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7,
++ 0x2d, 0x5f, 0x4a, 0x46
++};
++
++/* AES-256 no df No PR */
++__fips_constseg static const unsigned char aes_256_no_df_entropyinput[] = {
++ 0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3,
++ 0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb,
++ 0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96,
++ 0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_nonce[] = {
++ 0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99,
++ 0x43, 0x96, 0xb9, 0xf0
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_personalizationstring[] = {
++ 0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60,
++ 0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc,
++ 0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f,
++ 0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_additionalinput[] = {
++ 0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6,
++ 0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9,
++ 0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed,
++ 0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_int_returnedbits[] = {
++ 0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6,
++ 0xd2, 0x25, 0x75, 0x0e
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_entropyinputreseed[] = {
++ 0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b,
++ 0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5,
++ 0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed,
++ 0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_additionalinputreseed[] = {
++ 0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e,
++ 0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18,
++ 0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b,
++ 0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_additionalinput2[] = {
++ 0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe,
++ 0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42,
++ 0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba,
++ 0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_returnedbits[] = {
++ 0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67,
++ 0xf6, 0x02, 0x32, 0xe2
++};
++
++/* SHA-1 PR */
++__fips_constseg static const unsigned char sha1_pr_entropyinput[] = {
++ 0xd2, 0x36, 0xa5, 0x27, 0x31, 0x73, 0xdd, 0x11, 0x4f, 0x93, 0xbd, 0xe2,
++ 0x31, 0xa5, 0x91, 0x13
++};
++
++__fips_constseg static const unsigned char sha1_pr_nonce[] = {
++ 0xb5, 0xb3, 0x60, 0xef, 0xf7, 0x63, 0x31, 0xf3
++};
++
++__fips_constseg static const unsigned char sha1_pr_personalizationstring[] = {
++ 0xd4, 0xbb, 0x02, 0x10, 0xb2, 0x71, 0xdb, 0x81, 0xd6, 0xf0, 0x42, 0x60,
++ 0xda, 0xea, 0x77, 0x52
++};
++
++__fips_constseg static const unsigned char sha1_pr_additionalinput[] = {
++ 0x4d, 0xd2, 0x6c, 0x87, 0xfb, 0x2c, 0x4f, 0xa6, 0x8d, 0x16, 0x63, 0x22,
++ 0x6a, 0x51, 0xe3, 0xf8
++};
++
++__fips_constseg static const unsigned char sha1_pr_entropyinputpr[] = {
++ 0xc9, 0x83, 0x9e, 0x16, 0xf6, 0x1c, 0x0f, 0xb2, 0xec, 0x60, 0x31, 0xa9,
++ 0xcb, 0xa9, 0x36, 0x7a
++};
++
++__fips_constseg static const unsigned char sha1_pr_int_returnedbits[] = {
++ 0xa8, 0x13, 0x4f, 0xf4, 0x31, 0x02, 0x44, 0xe3, 0xd3, 0x3d, 0x61, 0x9e,
++ 0xe5, 0xc6, 0x3e, 0x89, 0xb5, 0x9b, 0x0f, 0x35
++};
++
++__fips_constseg static const unsigned char sha1_pr_additionalinput2[] = {
++ 0xf9, 0xe8, 0xd2, 0x72, 0x13, 0x34, 0x95, 0x6f, 0x15, 0x49, 0x47, 0x99,
++ 0x16, 0x03, 0x19, 0x47
++};
++
++__fips_constseg static const unsigned char sha1_pr_entropyinputpr2[] = {
++ 0x4e, 0x8c, 0x49, 0x9b, 0x4a, 0x5c, 0x9b, 0x9c, 0x3a, 0xee, 0xfb, 0xd2,
++ 0xae, 0xcd, 0x8c, 0xc4
++};
++
++__fips_constseg static const unsigned char sha1_pr_returnedbits[] = {
++ 0x50, 0xb4, 0xb4, 0xcd, 0x68, 0x57, 0xfc, 0x2e, 0xc1, 0x52, 0xcc, 0xf6,
++ 0x68, 0xa4, 0x81, 0xed, 0x7e, 0xe4, 0x1d, 0x87
++};
++
++/* SHA-1 No PR */
++__fips_constseg static const unsigned char sha1_entropyinput[] = {
++ 0xa9, 0x47, 0x1b, 0x29, 0x2d, 0x1c, 0x05, 0xdf, 0x76, 0xd0, 0x62, 0xf9,
++ 0xe2, 0x7f, 0x4c, 0x7b
++};
++
++__fips_constseg static const unsigned char sha1_nonce[] = {
++ 0x53, 0x23, 0x24, 0xe3, 0xec, 0x0c, 0x54, 0x14
++};
++
++__fips_constseg static const unsigned char sha1_personalizationstring[] = {
++ 0x7a, 0x87, 0xa1, 0xac, 0x1c, 0xfd, 0xab, 0xae, 0xf7, 0xd6, 0xfb, 0x76,
++ 0x28, 0xec, 0x6d, 0xca
++};
++
++__fips_constseg static const unsigned char sha1_additionalinput[] = {
++ 0xfc, 0x92, 0x35, 0xd6, 0x7e, 0xb7, 0x24, 0x65, 0xfd, 0x12, 0x27, 0x35,
++ 0xc0, 0x72, 0xca, 0x28
++};
++
++__fips_constseg static const unsigned char sha1_int_returnedbits[] = {
++ 0x57, 0x88, 0x82, 0xe5, 0x25, 0xa5, 0x2c, 0x4a, 0x06, 0x20, 0x6c, 0x72,
++ 0x55, 0x61, 0xdd, 0x90, 0x71, 0x9f, 0x95, 0xea
++};
++
++__fips_constseg static const unsigned char sha1_entropyinputreseed[] = {
++ 0x69, 0xa5, 0x40, 0x62, 0x98, 0x47, 0x56, 0x73, 0x4a, 0x8f, 0x60, 0x96,
++ 0xd6, 0x99, 0x27, 0xed
++};
++
++__fips_constseg static const unsigned char sha1_additionalinputreseed[] = {
++ 0xe5, 0x40, 0x4e, 0xbd, 0x50, 0x00, 0xf5, 0x15, 0xa6, 0xee, 0x45, 0xda,
++ 0x84, 0x3d, 0xd4, 0xc0
++};
++
++__fips_constseg static const unsigned char sha1_additionalinput2[] = {
++ 0x11, 0x51, 0x14, 0xf0, 0x09, 0x1b, 0x4e, 0x56, 0x0d, 0xe9, 0xf6, 0x1e,
++ 0x52, 0x65, 0xcd, 0x96
++};
++
++__fips_constseg static const unsigned char sha1_returnedbits[] = {
++ 0xa1, 0x9c, 0x94, 0x6e, 0x29, 0xe1, 0x33, 0x0d, 0x32, 0xd6, 0xaa, 0xce,
++ 0x71, 0x3f, 0x52, 0x72, 0x8b, 0x42, 0xa8, 0xd7
++};
++
++/* SHA-224 PR */
++__fips_constseg static const unsigned char sha224_pr_entropyinput[] = {
++ 0x12, 0x69, 0x32, 0x4f, 0x83, 0xa6, 0xf5, 0x14, 0xe3, 0x49, 0x3e, 0x75,
++ 0x3e, 0xde, 0xad, 0xa1, 0x29, 0xc3, 0xf3, 0x19, 0x20, 0xb5, 0x4c, 0xd9
++};
++
++__fips_constseg static const unsigned char sha224_pr_nonce[] = {
++ 0x6a, 0x78, 0xd0, 0xeb, 0xbb, 0x5a, 0xf0, 0xee, 0xe8, 0xc3, 0xba, 0x71
++};
++
++__fips_constseg static const unsigned char sha224_pr_personalizationstring[] = {
++ 0xd5, 0xb8, 0xb6, 0xbc, 0xc1, 0x5b, 0x60, 0x31, 0x3c, 0xf5, 0xe5, 0xc0,
++ 0x8e, 0x52, 0x7a, 0xbd, 0xea, 0x47, 0xa9, 0x5f, 0x8f, 0xf9, 0x8b, 0xae
++};
++
++__fips_constseg static const unsigned char sha224_pr_additionalinput[] = {
++ 0x1f, 0x55, 0xec, 0xae, 0x16, 0x12, 0x84, 0xba, 0x84, 0x16, 0x19, 0x88,
++ 0x8e, 0xb8, 0x33, 0x25, 0x54, 0xff, 0xca, 0x79, 0xaf, 0x07, 0x25, 0x50
++};
++
++__fips_constseg static const unsigned char sha224_pr_entropyinputpr[] = {
++ 0x92, 0xa3, 0x32, 0xa8, 0x9a, 0x0a, 0x58, 0x7c, 0x1d, 0x5a, 0x7e, 0xe1,
++ 0xb2, 0x73, 0xab, 0x0e, 0x16, 0x79, 0x23, 0xd3, 0x29, 0x89, 0x81, 0xe1
++};
++
++__fips_constseg static const unsigned char sha224_pr_int_returnedbits[] = {
++ 0xf3, 0x38, 0x91, 0x40, 0x37, 0x7a, 0x51, 0x72, 0x42, 0x74, 0x78, 0x0a,
++ 0x69, 0xfd, 0xa6, 0x44, 0x43, 0x45, 0x6c, 0x0c, 0x5a, 0x19, 0xff, 0xf1,
++ 0x54, 0x60, 0xee, 0x6a
++};
++
++__fips_constseg static const unsigned char sha224_pr_additionalinput2[] = {
++ 0x75, 0xf3, 0x04, 0x25, 0xdd, 0x36, 0xa8, 0x37, 0x46, 0xae, 0x0c, 0x52,
++ 0x05, 0x79, 0x4c, 0x26, 0xdb, 0xe9, 0x71, 0x16, 0x4c, 0x0a, 0xf2, 0x60
++};
++
++__fips_constseg static const unsigned char sha224_pr_entropyinputpr2[] = {
++ 0xea, 0xc5, 0x03, 0x0a, 0x4f, 0xb0, 0x38, 0x8d, 0x23, 0xd4, 0xc8, 0x77,
++ 0xe2, 0x6d, 0x9c, 0x0b, 0x44, 0xf7, 0x2d, 0x5b, 0xbf, 0x5d, 0x2a, 0x11
++};
++
++__fips_constseg static const unsigned char sha224_pr_returnedbits[] = {
++ 0x60, 0x50, 0x2b, 0xe7, 0x86, 0xd8, 0x26, 0x73, 0xe3, 0x1d, 0x95, 0x20,
++ 0xb3, 0x2c, 0x32, 0x1c, 0xf5, 0xce, 0x57, 0xa6, 0x67, 0x2b, 0xdc, 0x4e,
++ 0xdd, 0x11, 0x4c, 0xc4
++};
++
++/* SHA-224 No PR */
++__fips_constseg static const unsigned char sha224_entropyinput[] = {
++ 0xb2, 0x1c, 0x77, 0x4d, 0xf6, 0xd3, 0xb6, 0x40, 0xb7, 0x30, 0x3e, 0x29,
++ 0xb0, 0x85, 0x1c, 0xbe, 0x4a, 0xea, 0x6b, 0x5a, 0xb5, 0x8a, 0x97, 0xeb
++};
++
++__fips_constseg static const unsigned char sha224_nonce[] = {
++ 0x42, 0x02, 0x0a, 0x1c, 0x98, 0x9a, 0x77, 0x9e, 0x9f, 0x80, 0xba, 0xe0
++};
++
++__fips_constseg static const unsigned char sha224_personalizationstring[] = {
++ 0x98, 0xb8, 0x04, 0x41, 0xfc, 0xc1, 0x5d, 0xc5, 0xe9, 0xb9, 0x08, 0xda,
++ 0xf9, 0xfa, 0x0d, 0x90, 0xce, 0xdf, 0x1d, 0x10, 0xa9, 0x8d, 0x50, 0x0c
++};
++
++__fips_constseg static const unsigned char sha224_additionalinput[] = {
++ 0x9a, 0x8d, 0x39, 0x49, 0x42, 0xd5, 0x0b, 0xae, 0xe1, 0xaf, 0xb7, 0x00,
++ 0x02, 0xfa, 0x96, 0xb1, 0xa5, 0x1d, 0x2d, 0x25, 0x78, 0xee, 0x83, 0x3f
++};
++
++__fips_constseg static const unsigned char sha224_int_returnedbits[] = {
++ 0xe4, 0xf5, 0x53, 0x79, 0x5a, 0x97, 0x58, 0x06, 0x08, 0xba, 0x7b, 0xfa,
++ 0xf0, 0x83, 0x05, 0x8c, 0x22, 0xc0, 0xc9, 0xdb, 0x15, 0xe7, 0xde, 0x20,
++ 0x55, 0x22, 0x9a, 0xad
++};
++
++__fips_constseg static const unsigned char sha224_entropyinputreseed[] = {
++ 0x67, 0x09, 0x48, 0xaa, 0x07, 0x16, 0x99, 0x89, 0x7f, 0x6d, 0xa0, 0xe5,
++ 0x8f, 0xdf, 0xbc, 0xdb, 0xfe, 0xe5, 0x6c, 0x7a, 0x95, 0x4a, 0x66, 0x17
++};
++
++__fips_constseg static const unsigned char sha224_additionalinputreseed[] = {
++ 0x0f, 0x4b, 0x1c, 0x6f, 0xb7, 0xe3, 0x47, 0xe5, 0x5d, 0x7d, 0x38, 0xd6,
++ 0x28, 0x9b, 0xeb, 0x55, 0x63, 0x09, 0x3e, 0x7c, 0x56, 0xea, 0xf8, 0x19
++};
++
++__fips_constseg static const unsigned char sha224_additionalinput2[] = {
++ 0x2d, 0x26, 0x7c, 0x37, 0xe4, 0x7a, 0x28, 0x5e, 0x5a, 0x3c, 0xaf, 0x3d,
++ 0x5a, 0x8e, 0x55, 0xa2, 0x1a, 0x6e, 0xc0, 0xe5, 0xf6, 0x21, 0xd3, 0xf6
++};
++
++__fips_constseg static const unsigned char sha224_returnedbits[] = {
++ 0x4d, 0x83, 0x35, 0xdf, 0x67, 0xa9, 0xfc, 0x17, 0xda, 0x70, 0xcc, 0x8b,
++ 0x7f, 0x77, 0xae, 0xa2, 0x5f, 0xb9, 0x7e, 0x74, 0x4c, 0x26, 0xc1, 0x7a,
++ 0x3b, 0xa7, 0x5c, 0x93
++};
++
++/* SHA-256 PR */
++__fips_constseg static const unsigned char sha256_pr_entropyinput[] = {
++ 0xce, 0x49, 0x00, 0x7a, 0x56, 0xe3, 0x67, 0x8f, 0xe1, 0xb6, 0xa7, 0xd4,
++ 0x4f, 0x08, 0x7a, 0x1b, 0x01, 0xf4, 0xfa, 0x6b, 0xef, 0xb7, 0xe5, 0xeb,
++ 0x07, 0x3d, 0x11, 0x0d, 0xc8, 0xea, 0x2b, 0xfe
++};
++
++__fips_constseg static const unsigned char sha256_pr_nonce[] = {
++ 0x73, 0x41, 0xc8, 0x92, 0x94, 0xe2, 0xc5, 0x5f, 0x93, 0xfd, 0x39, 0x5d,
++ 0x2b, 0x91, 0x4d, 0x38
++};
++
++__fips_constseg static const unsigned char sha256_pr_personalizationstring[] = {
++ 0x50, 0x6d, 0x01, 0x01, 0x07, 0x5a, 0x80, 0x35, 0x7a, 0x56, 0x1a, 0x56,
++ 0x2f, 0x9a, 0x0b, 0x35, 0xb2, 0xb1, 0xc9, 0xe5, 0xca, 0x69, 0x61, 0x48,
++ 0xff, 0xfb, 0x0f, 0xd9, 0x4b, 0x79, 0x1d, 0xba
++};
++
++__fips_constseg static const unsigned char sha256_pr_additionalinput[] = {
++ 0x20, 0xb8, 0xdf, 0x44, 0x77, 0x5a, 0xb8, 0xd3, 0xbf, 0xf6, 0xcf, 0xac,
++ 0x5e, 0xa6, 0x96, 0x62, 0x73, 0x44, 0x40, 0x4a, 0x30, 0xfb, 0x38, 0xa5,
++ 0x7b, 0x0d, 0xe4, 0x0d, 0xc6, 0xe4, 0x9a, 0x1f
++};
++
++__fips_constseg static const unsigned char sha256_pr_entropyinputpr[] = {
++ 0x04, 0xc4, 0x65, 0xf4, 0xd3, 0xbf, 0x83, 0x4b, 0xab, 0xc8, 0x41, 0xa8,
++ 0xc2, 0xe0, 0x44, 0x63, 0x77, 0x4c, 0x6f, 0x6c, 0x49, 0x46, 0xff, 0x94,
++ 0x17, 0xea, 0xe6, 0x1a, 0x9d, 0x5e, 0x66, 0x78
++};
++
++__fips_constseg static const unsigned char sha256_pr_int_returnedbits[] = {
++ 0x07, 0x4d, 0xac, 0x9b, 0x86, 0xca, 0x4a, 0xaa, 0x6e, 0x7a, 0x03, 0xa2,
++ 0x5d, 0x10, 0xea, 0x0b, 0xf9, 0x83, 0xcc, 0xd1, 0xfc, 0xe2, 0x07, 0xc7,
++ 0x06, 0x34, 0x60, 0x6f, 0x83, 0x94, 0x99, 0x76
++};
++
++__fips_constseg static const unsigned char sha256_pr_additionalinput2[] = {
++ 0x89, 0x4e, 0x45, 0x8c, 0x11, 0xf9, 0xbc, 0x5b, 0xac, 0x74, 0x8b, 0x4b,
++ 0x5f, 0xf7, 0x19, 0xf3, 0xf5, 0x24, 0x54, 0x14, 0xd1, 0x15, 0xb1, 0x43,
++ 0x12, 0xa4, 0x5f, 0xd4, 0xec, 0xfc, 0xcd, 0x09
++};
++
++__fips_constseg static const unsigned char sha256_pr_entropyinputpr2[] = {
++ 0x0e, 0xeb, 0x1f, 0xd7, 0xfc, 0xd1, 0x9d, 0xd4, 0x05, 0x36, 0x8b, 0xb2,
++ 0xfb, 0xe4, 0xf4, 0x51, 0x0c, 0x87, 0x9b, 0x02, 0x44, 0xd5, 0x92, 0x4d,
++ 0x44, 0xfe, 0x1a, 0x03, 0x43, 0x56, 0xbd, 0x86
++};
++
++__fips_constseg static const unsigned char sha256_pr_returnedbits[] = {
++ 0x02, 0xaa, 0xb6, 0x1d, 0x7e, 0x2a, 0x40, 0x03, 0x69, 0x2d, 0x49, 0xa3,
++ 0x41, 0xe7, 0x44, 0x0b, 0xaf, 0x7b, 0x85, 0xe4, 0x5f, 0x53, 0x3b, 0x64,
++ 0xbc, 0x89, 0xc8, 0x82, 0xd4, 0x78, 0x37, 0xa2
++};
++
++/* SHA-256 No PR */
++__fips_constseg static const unsigned char sha256_entropyinput[] = {
++ 0x5b, 0x1b, 0xec, 0x4d, 0xa9, 0x38, 0x74, 0x5a, 0x34, 0x0b, 0x7b, 0xc5,
++ 0xe5, 0xd7, 0x66, 0x7c, 0xbc, 0x82, 0xb9, 0x0e, 0x2d, 0x1f, 0x92, 0xd7,
++ 0xc1, 0xbc, 0x67, 0x69, 0xec, 0x6b, 0x03, 0x3c
++};
++
++__fips_constseg static const unsigned char sha256_nonce[] = {
++ 0xa4, 0x0c, 0xd8, 0x9c, 0x61, 0xd8, 0xc3, 0x54, 0xfe, 0x53, 0xc9, 0xe5,
++ 0x5d, 0x6f, 0x6d, 0x35
++};
++
++__fips_constseg static const unsigned char sha256_personalizationstring[] = {
++ 0x22, 0x5e, 0x62, 0x93, 0x42, 0x83, 0x78, 0x24, 0xd8, 0x40, 0x8c, 0xde,
++ 0x6f, 0xf9, 0xa4, 0x7a, 0xc5, 0xa7, 0x3b, 0x88, 0xa3, 0xee, 0x42, 0x20,
++ 0xfd, 0x61, 0x56, 0xc6, 0x4c, 0x13, 0x41, 0x9c
++};
++
++__fips_constseg static const unsigned char sha256_additionalinput[] = {
++ 0xbf, 0x74, 0x5b, 0xf6, 0xc5, 0x64, 0x5e, 0x99, 0x34, 0x8f, 0xbc, 0xa4,
++ 0xe2, 0xbd, 0xd8, 0x85, 0x26, 0x37, 0xea, 0xba, 0x4f, 0xf2, 0x9a, 0x9a,
++ 0x66, 0xfc, 0xdf, 0x63, 0x26, 0x26, 0x19, 0x87
++};
++
++__fips_constseg static const unsigned char sha256_int_returnedbits[] = {
++ 0xb3, 0xc6, 0x07, 0x07, 0xd6, 0x75, 0xf6, 0x2b, 0xd6, 0x21, 0x96, 0xf1,
++ 0xae, 0xdb, 0x2b, 0xac, 0x25, 0x2a, 0xae, 0xae, 0x41, 0x72, 0x03, 0x5e,
++ 0xbf, 0xd3, 0x64, 0xbc, 0x59, 0xf9, 0xc0, 0x76
++};
++
++__fips_constseg static const unsigned char sha256_entropyinputreseed[] = {
++ 0xbf, 0x20, 0x33, 0x56, 0x29, 0xa8, 0x37, 0x04, 0x1f, 0x78, 0x34, 0x3d,
++ 0x81, 0x2a, 0xc9, 0x86, 0xc6, 0x7a, 0x2f, 0x88, 0x5e, 0xd5, 0xbe, 0x34,
++ 0x46, 0x20, 0xa4, 0x35, 0xeb, 0xc7, 0xe2, 0x9d
++};
++
++__fips_constseg static const unsigned char sha256_additionalinputreseed[] = {
++ 0x9b, 0xae, 0x2d, 0x2d, 0x61, 0xa4, 0x89, 0xeb, 0x43, 0x46, 0xa7, 0xda,
++ 0xef, 0x40, 0xca, 0x4a, 0x99, 0x11, 0x41, 0xdc, 0x5c, 0x94, 0xe9, 0xac,
++ 0xd4, 0xd0, 0xe6, 0xbd, 0xfb, 0x03, 0x9c, 0xa8
++};
++
++__fips_constseg static const unsigned char sha256_additionalinput2[] = {
++ 0x23, 0xaa, 0x0c, 0xbd, 0x28, 0x33, 0xe2, 0x51, 0xfc, 0x71, 0xd2, 0x15,
++ 0x1f, 0x76, 0xfd, 0x0d, 0xe0, 0xb7, 0xb5, 0x84, 0x75, 0x5b, 0xbe, 0xf3,
++ 0x5c, 0xca, 0xc5, 0x30, 0xf2, 0x75, 0x1f, 0xda
++};
++
++__fips_constseg static const unsigned char sha256_returnedbits[] = {
++ 0x90, 0x3c, 0xc1, 0x10, 0x8c, 0x12, 0x01, 0xc6, 0xa6, 0x3a, 0x0f, 0x4d,
++ 0xb6, 0x3a, 0x4f, 0x41, 0x9c, 0x61, 0x75, 0x84, 0xe9, 0x74, 0x75, 0xfd,
++ 0xfe, 0xf2, 0x1f, 0x43, 0xd8, 0x5e, 0x24, 0xa3
++};
++
++/* SHA-384 PR */
++__fips_constseg static const unsigned char sha384_pr_entropyinput[] = {
++ 0x71, 0x9d, 0xb2, 0x5a, 0x71, 0x6d, 0x04, 0xe9, 0x1e, 0xc7, 0x92, 0x24,
++ 0x6e, 0x12, 0x33, 0xa9, 0x52, 0x64, 0x31, 0xef, 0x71, 0xeb, 0x22, 0x55,
++ 0x28, 0x97, 0x06, 0x6a, 0xc0, 0x0c, 0xa0, 0x7e
++};
++
++__fips_constseg static const unsigned char sha384_pr_nonce[] = {
++ 0xf5, 0x0d, 0xfa, 0xb0, 0xec, 0x6a, 0x7c, 0xd6, 0xbd, 0x9b, 0x05, 0xfd,
++ 0x38, 0x3e, 0x2e, 0x56
++};
++
++__fips_constseg static const unsigned char sha384_pr_personalizationstring[] = {
++ 0x74, 0xac, 0x7e, 0x6d, 0xb1, 0xa4, 0xe7, 0x21, 0xd1, 0x1e, 0x6e, 0x96,
++ 0x6d, 0x4d, 0x53, 0x46, 0x82, 0x96, 0x6e, 0xcf, 0xaa, 0x81, 0x8d, 0x7d,
++ 0x9e, 0xe1, 0x0f, 0x15, 0xea, 0x41, 0xbf, 0xe3
++};
++
++__fips_constseg static const unsigned char sha384_pr_additionalinput[] = {
++ 0xda, 0x95, 0xd4, 0xd0, 0xb8, 0x11, 0xd3, 0x49, 0x27, 0x5d, 0xa9, 0x39,
++ 0x68, 0xf3, 0xa8, 0xe9, 0x5d, 0x19, 0x8a, 0x2b, 0x66, 0xe8, 0x69, 0x06,
++ 0x7c, 0x9e, 0x03, 0xa1, 0x8b, 0x26, 0x2d, 0x6e
++};
++
++__fips_constseg static const unsigned char sha384_pr_entropyinputpr[] = {
++ 0x49, 0xdf, 0x44, 0x00, 0xe4, 0x1c, 0x75, 0x0b, 0x26, 0x5a, 0x59, 0x64,
++ 0x1f, 0x4e, 0xb1, 0xb2, 0x13, 0xf1, 0x22, 0x4e, 0xb4, 0x6d, 0x9a, 0xcc,
++ 0xa0, 0x48, 0xe6, 0xcf, 0x1d, 0xd1, 0x92, 0x0d
++};
++
++__fips_constseg static const unsigned char sha384_pr_int_returnedbits[] = {
++ 0xc8, 0x52, 0xae, 0xbf, 0x04, 0x3c, 0x27, 0xb7, 0x78, 0x18, 0xaa, 0x8f,
++ 0xff, 0xcf, 0xa4, 0xf1, 0xcc, 0xe7, 0x68, 0xfa, 0x22, 0xa2, 0x13, 0x45,
++ 0xe8, 0xdd, 0x87, 0xe6, 0xf2, 0x6e, 0xdd, 0xc7, 0x52, 0x90, 0x9f, 0x7b,
++ 0xfa, 0x61, 0x2d, 0x9d, 0x9e, 0xcf, 0x98, 0xac, 0x52, 0x40, 0xce, 0xaf
++};
++
++__fips_constseg static const unsigned char sha384_pr_additionalinput2[] = {
++ 0x61, 0x7c, 0x03, 0x9a, 0x3e, 0x50, 0x57, 0x60, 0xc5, 0x83, 0xc9, 0xb2,
++ 0xd1, 0x87, 0x85, 0x66, 0x92, 0x5d, 0x84, 0x0e, 0x53, 0xfb, 0x70, 0x03,
++ 0x72, 0xfd, 0xba, 0xae, 0x9c, 0x8f, 0xf8, 0x18
++};
++
++__fips_constseg static const unsigned char sha384_pr_entropyinputpr2[] = {
++ 0xf8, 0xeb, 0x89, 0xb1, 0x8d, 0x78, 0xbe, 0x21, 0xe0, 0xbb, 0x9d, 0xb7,
++ 0x95, 0x0e, 0xd9, 0x46, 0x0c, 0x8c, 0xe2, 0x63, 0xb7, 0x9d, 0x67, 0x90,
++ 0xbd, 0xc7, 0x0b, 0xa5, 0xce, 0xb2, 0x65, 0x81
++};
++
++__fips_constseg static const unsigned char sha384_pr_returnedbits[] = {
++ 0xe6, 0x9f, 0xfe, 0x68, 0xd6, 0xb5, 0x79, 0xf1, 0x06, 0x5f, 0xa3, 0xbb,
++ 0x23, 0x85, 0xd8, 0xf0, 0x29, 0x5a, 0x68, 0x9e, 0xf5, 0xf4, 0xa6, 0x12,
++ 0xe0, 0x9a, 0xe2, 0xac, 0x00, 0x1d, 0x98, 0x26, 0xfc, 0x53, 0x95, 0x53,
++ 0xe4, 0x3e, 0x17, 0xd5, 0x08, 0x0b, 0x70, 0x3d, 0x67, 0x99, 0xac, 0x66
++};
++
++/* SHA-384 No PR */
++__fips_constseg static const unsigned char sha384_entropyinput[] = {
++ 0x07, 0x15, 0x27, 0x2a, 0xaf, 0x74, 0x24, 0x37, 0xbc, 0xd5, 0x14, 0x69,
++ 0xce, 0x11, 0xff, 0xa2, 0x6b, 0xb8, 0x05, 0x67, 0x34, 0xf8, 0xbd, 0x6d,
++ 0x6a, 0xcc, 0xcd, 0x60, 0xa3, 0x68, 0xca, 0xf4
++};
++
++__fips_constseg static const unsigned char sha384_nonce[] = {
++ 0x70, 0x17, 0xc2, 0x5b, 0x5d, 0x22, 0x0b, 0x06, 0x15, 0x54, 0x78, 0x77,
++ 0x44, 0xaf, 0x2f, 0x09
++};
++
++__fips_constseg static const unsigned char sha384_personalizationstring[] = {
++ 0x89, 0x39, 0x28, 0xb0, 0x60, 0xeb, 0x3d, 0xdc, 0x55, 0x75, 0x86, 0xeb,
++ 0xae, 0xa2, 0x8f, 0xbc, 0x1b, 0x75, 0xd4, 0xe1, 0x0f, 0xaa, 0x38, 0xca,
++ 0x62, 0x8b, 0xcb, 0x2c, 0x26, 0xf6, 0xbc, 0xb1
++};
++
++__fips_constseg static const unsigned char sha384_additionalinput[] = {
++ 0x30, 0x2b, 0x42, 0x35, 0xef, 0xda, 0x40, 0x55, 0x28, 0xc6, 0x95, 0xfb,
++ 0x54, 0x01, 0x62, 0xd7, 0x87, 0x14, 0x48, 0x6d, 0x90, 0x4c, 0xa9, 0x02,
++ 0x54, 0x40, 0x22, 0xc8, 0x66, 0xa5, 0x48, 0x48
++};
++
++__fips_constseg static const unsigned char sha384_int_returnedbits[] = {
++ 0x82, 0xc4, 0xa1, 0x9c, 0x21, 0xd2, 0xe7, 0xa5, 0xa6, 0xf6, 0x5f, 0x04,
++ 0x5c, 0xc7, 0x31, 0x9d, 0x8d, 0x59, 0x74, 0x50, 0x19, 0x89, 0x2f, 0x63,
++ 0xd5, 0xb7, 0x7e, 0xeb, 0x15, 0xe3, 0x70, 0x83, 0xa1, 0x24, 0x59, 0xfa,
++ 0x2c, 0x56, 0xf6, 0x88, 0x3a, 0x92, 0x93, 0xa1, 0xfb, 0x79, 0xc1, 0x7a
++};
++
++__fips_constseg static const unsigned char sha384_entropyinputreseed[] = {
++ 0x39, 0xa6, 0xe8, 0x5c, 0x82, 0x17, 0x71, 0x26, 0x57, 0x4f, 0x9f, 0xc2,
++ 0x55, 0xff, 0x5c, 0x9b, 0x53, 0x1a, 0xd1, 0x5f, 0xbc, 0x62, 0xe4, 0x27,
++ 0x2d, 0x32, 0xf0, 0xe4, 0x52, 0x8c, 0xc5, 0x0c
++};
++
++__fips_constseg static const unsigned char sha384_additionalinputreseed[] = {
++ 0x8d, 0xcb, 0x8d, 0xce, 0x08, 0xea, 0x80, 0xe8, 0x9b, 0x61, 0xa8, 0x0f,
++ 0xaf, 0x49, 0x20, 0x9e, 0x74, 0xcb, 0x57, 0x80, 0x42, 0xb0, 0x84, 0x5e,
++ 0x30, 0x2a, 0x67, 0x08, 0xf4, 0xe3, 0x40, 0x22
++};
++
++__fips_constseg static const unsigned char sha384_additionalinput2[] = {
++ 0x7c, 0x8f, 0xc2, 0xae, 0x22, 0x4a, 0xd6, 0xf6, 0x05, 0xa4, 0x7a, 0xea,
++ 0xbb, 0x25, 0xd0, 0xb7, 0x5a, 0xd6, 0xcf, 0x9d, 0xf3, 0x6c, 0xe2, 0xb2,
++ 0x4e, 0xb4, 0xbd, 0xf4, 0xe5, 0x40, 0x80, 0x94
++};
++
++__fips_constseg static const unsigned char sha384_returnedbits[] = {
++ 0x9e, 0x7e, 0xfb, 0x59, 0xbb, 0xaa, 0x3c, 0xf7, 0xe1, 0xf8, 0x76, 0xdd,
++ 0x63, 0x5f, 0xaf, 0x23, 0xd6, 0x64, 0x61, 0xc0, 0x9a, 0x09, 0x47, 0xc9,
++ 0x33, 0xdf, 0x6d, 0x55, 0x91, 0x34, 0x79, 0x70, 0xc4, 0x99, 0x6e, 0x54,
++ 0x09, 0x64, 0x21, 0x1a, 0xbd, 0x1e, 0x80, 0x40, 0x34, 0xad, 0xfa, 0xd7
++};
++
++/* SHA-512 PR */
++__fips_constseg static const unsigned char sha512_pr_entropyinput[] = {
++ 0x13, 0xf7, 0x61, 0x75, 0x65, 0x28, 0xa2, 0x59, 0x13, 0x5a, 0x4a, 0x4f,
++ 0x56, 0x60, 0x8c, 0x53, 0x7d, 0xb0, 0xbd, 0x06, 0x4f, 0xed, 0xcc, 0xd2,
++ 0xa2, 0xb5, 0xfd, 0x5b, 0x3a, 0xab, 0xec, 0x28
++};
++
++__fips_constseg static const unsigned char sha512_pr_nonce[] = {
++ 0xbe, 0xa3, 0x91, 0x93, 0x1d, 0xc3, 0x31, 0x3a, 0x23, 0x33, 0x50, 0x67,
++ 0x88, 0xc7, 0xa2, 0xc4
++};
++
++__fips_constseg static const unsigned char sha512_pr_personalizationstring[] = {
++ 0x1f, 0x59, 0x4d, 0x7b, 0xe6, 0x46, 0x91, 0x48, 0xc1, 0x25, 0xfa, 0xff,
++ 0x89, 0x12, 0x77, 0x35, 0xdf, 0x3e, 0xf4, 0x80, 0x5f, 0xd9, 0xb0, 0x07,
++ 0x22, 0x41, 0xdd, 0x48, 0x78, 0x6b, 0x77, 0x2b
++};
++
++__fips_constseg static const unsigned char sha512_pr_additionalinput[] = {
++ 0x30, 0xff, 0x63, 0x6f, 0xac, 0xd9, 0x84, 0x39, 0x6f, 0xe4, 0x99, 0xce,
++ 0x91, 0x7d, 0x7e, 0xc8, 0x58, 0xf2, 0x12, 0xc3, 0xb6, 0xad, 0xda, 0x22,
++ 0x04, 0xa0, 0xd2, 0x21, 0xfe, 0xf2, 0x95, 0x1d
++};
++
++__fips_constseg static const unsigned char sha512_pr_entropyinputpr[] = {
++ 0x64, 0x54, 0x13, 0xec, 0x4f, 0x77, 0xda, 0xb2, 0x92, 0x2e, 0x52, 0x80,
++ 0x11, 0x10, 0xc2, 0xf8, 0xe6, 0xa7, 0xcd, 0x4b, 0xfc, 0x32, 0x2e, 0x9e,
++ 0xeb, 0xbb, 0xb1, 0xbf, 0x15, 0x5c, 0x73, 0x08
++};
++
++__fips_constseg static const unsigned char sha512_pr_int_returnedbits[] = {
++ 0xef, 0x1e, 0xdc, 0x0a, 0xa4, 0x36, 0x91, 0x9c, 0x3d, 0x27, 0x97, 0x50,
++ 0x8d, 0x36, 0x29, 0x8d, 0xce, 0x6a, 0x0c, 0xf7, 0x21, 0xc0, 0x91, 0xae,
++ 0x0c, 0x96, 0x72, 0xbd, 0x52, 0x81, 0x58, 0xfc, 0x6d, 0xe5, 0xf7, 0xa5,
++ 0xfd, 0x5d, 0xa7, 0x58, 0x68, 0xc8, 0x99, 0x58, 0x8e, 0xc8, 0xce, 0x95,
++ 0x01, 0x7d, 0xff, 0xa4, 0xc8, 0xf7, 0x63, 0xfe, 0x5f, 0x69, 0x83, 0x53,
++ 0xe2, 0xc6, 0x8b, 0xc3
++};
++
++__fips_constseg static const unsigned char sha512_pr_additionalinput2[] = {
++ 0xe6, 0x9b, 0xc4, 0x88, 0x34, 0xca, 0xea, 0x29, 0x2f, 0x98, 0x05, 0xa4,
++ 0xd3, 0xc0, 0x7b, 0x11, 0xe8, 0xbb, 0x75, 0xf2, 0xbd, 0x29, 0xb7, 0x40,
++ 0x25, 0x7f, 0xc1, 0xb7, 0xb1, 0xf1, 0x25, 0x61
++};
++
++__fips_constseg static const unsigned char sha512_pr_entropyinputpr2[] = {
++ 0x23, 0x6d, 0xff, 0xde, 0xfb, 0xd1, 0xba, 0x33, 0x18, 0xe6, 0xbe, 0xb5,
++ 0x48, 0x77, 0x6d, 0x7f, 0xa7, 0xe1, 0x4d, 0x48, 0x1e, 0x3c, 0xa7, 0x34,
++ 0x1a, 0xc8, 0x60, 0xdb, 0x8f, 0x99, 0x15, 0x99
++};
++
++__fips_constseg static const unsigned char sha512_pr_returnedbits[] = {
++ 0x70, 0x27, 0x31, 0xdb, 0x92, 0x70, 0x21, 0xfe, 0x16, 0xb6, 0xc8, 0x51,
++ 0x34, 0x87, 0x65, 0xd0, 0x4e, 0xfd, 0xfe, 0x68, 0xec, 0xac, 0xdc, 0x93,
++ 0x41, 0x38, 0x92, 0x90, 0xb4, 0x94, 0xf9, 0x0d, 0xa4, 0xf7, 0x4e, 0x80,
++ 0x92, 0x67, 0x48, 0x40, 0xa7, 0x08, 0xc7, 0xbc, 0x66, 0x00, 0xfd, 0xf7,
++ 0x4c, 0x8b, 0x17, 0x6e, 0xd1, 0x8f, 0x9b, 0xf3, 0x6f, 0xf6, 0x34, 0xdd,
++ 0x67, 0xf7, 0x68, 0xdd
++};
++
++/* SHA-512 No PR */
++__fips_constseg static const unsigned char sha512_entropyinput[] = {
++ 0xb6, 0x0b, 0xb7, 0xbc, 0x84, 0x56, 0xf6, 0x12, 0xaf, 0x45, 0x67, 0x17,
++ 0x7c, 0xd1, 0xb2, 0x78, 0x2b, 0xa0, 0xf2, 0xbe, 0xb6, 0x6d, 0x8b, 0x56,
++ 0xc6, 0xbc, 0x4d, 0xe1, 0xf7, 0xbe, 0xce, 0xbd
++};
++
++__fips_constseg static const unsigned char sha512_nonce[] = {
++ 0x9d, 0xed, 0xc0, 0xe5, 0x5a, 0x98, 0x6a, 0xcb, 0x51, 0x7d, 0x76, 0x31,
++ 0x5a, 0x64, 0xf0, 0xf7
++};
++
++__fips_constseg static const unsigned char sha512_personalizationstring[] = {
++ 0xc2, 0x6d, 0xa3, 0xc3, 0x06, 0x74, 0xe5, 0x01, 0x5c, 0x10, 0x17, 0xc7,
++ 0xaf, 0x83, 0x9d, 0x59, 0x8d, 0x2d, 0x29, 0x38, 0xc5, 0x59, 0x70, 0x8b,
++ 0x46, 0x48, 0x2d, 0xcf, 0x36, 0x7d, 0x59, 0xc0
++};
++
++__fips_constseg static const unsigned char sha512_additionalinput[] = {
++ 0xec, 0x8c, 0xd4, 0xf7, 0x61, 0x6e, 0x0d, 0x95, 0x79, 0xb7, 0x28, 0xad,
++ 0x5f, 0x69, 0x74, 0x5f, 0x2d, 0x36, 0x06, 0x8a, 0x6b, 0xac, 0x54, 0x97,
++ 0xc4, 0xa1, 0x12, 0x85, 0x0a, 0xdf, 0x4b, 0x34
++};
++
++__fips_constseg static const unsigned char sha512_int_returnedbits[] = {
++ 0x84, 0x2f, 0x1f, 0x68, 0x6a, 0xa3, 0xad, 0x1e, 0xfb, 0xf4, 0x15, 0xbd,
++ 0xde, 0x38, 0xd4, 0x30, 0x80, 0x51, 0xe9, 0xd3, 0xc7, 0x20, 0x88, 0xe9,
++ 0xf5, 0xcc, 0xdf, 0x57, 0x5c, 0x47, 0x2f, 0x57, 0x3c, 0x5f, 0x13, 0x56,
++ 0xcc, 0xc5, 0x4f, 0x84, 0xf8, 0x10, 0x41, 0xd5, 0x7e, 0x58, 0x6e, 0x19,
++ 0x19, 0x9e, 0xaf, 0xc2, 0x22, 0x58, 0x41, 0x50, 0x79, 0xc2, 0xd8, 0x04,
++ 0x28, 0xd4, 0x39, 0x9a
++};
++
++__fips_constseg static const unsigned char sha512_entropyinputreseed[] = {
++ 0xfa, 0x7f, 0x46, 0x51, 0x83, 0x62, 0x98, 0x16, 0x9a, 0x19, 0xa2, 0x49,
++ 0xa9, 0xe6, 0x4a, 0xd8, 0x85, 0xe7, 0xd4, 0x3b, 0x2c, 0x82, 0xc5, 0x82,
++ 0xbf, 0x11, 0xf9, 0x9e, 0xbc, 0xd0, 0x01, 0xee
++};
++
++__fips_constseg static const unsigned char sha512_additionalinputreseed[] = {
++ 0xb9, 0x12, 0xe0, 0x4f, 0xf7, 0xa7, 0xc4, 0xd8, 0xd0, 0x8e, 0x99, 0x29,
++ 0x7c, 0x9a, 0xe9, 0xcf, 0xc4, 0x6c, 0xf8, 0xc3, 0xa7, 0x41, 0x83, 0xd6,
++ 0x2e, 0xfa, 0xb8, 0x5e, 0x8e, 0x6b, 0x78, 0x20
++};
++
++__fips_constseg static const unsigned char sha512_additionalinput2[] = {
++ 0xd7, 0x07, 0x52, 0xb9, 0x83, 0x2c, 0x03, 0x71, 0xee, 0xc9, 0xc0, 0x85,
++ 0xe1, 0x57, 0xb2, 0xcd, 0x3a, 0xf0, 0xc9, 0x34, 0x24, 0x41, 0x1c, 0x42,
++ 0x99, 0xb2, 0x84, 0xe9, 0x17, 0xd2, 0x76, 0x92
++};
++
++__fips_constseg static const unsigned char sha512_returnedbits[] = {
++ 0x36, 0x17, 0x5d, 0x98, 0x2b, 0x65, 0x25, 0x8e, 0xc8, 0x29, 0xdf, 0x27,
++ 0x05, 0x36, 0x26, 0x12, 0x8a, 0x68, 0x74, 0x27, 0x37, 0xd4, 0x7f, 0x32,
++ 0xb1, 0x12, 0xd6, 0x85, 0x83, 0xeb, 0x2e, 0xa0, 0xed, 0x4b, 0xb5, 0x7b,
++ 0x6f, 0x39, 0x3c, 0x71, 0x77, 0x02, 0x12, 0xcc, 0x2c, 0x3a, 0x8e, 0x63,
++ 0xdf, 0x4a, 0xbd, 0x6f, 0x6e, 0x2e, 0xed, 0x0a, 0x85, 0xa5, 0x2f, 0xa2,
++ 0x68, 0xde, 0x42, 0xb5
++};
++
++/* HMAC SHA-1 PR */
++__fips_constseg static const unsigned char hmac_sha1_pr_entropyinput[] = {
++ 0x26, 0x5f, 0x36, 0x14, 0xff, 0x3d, 0x83, 0xfa, 0x73, 0x5e, 0x75, 0xdc,
++ 0x2c, 0x18, 0x17, 0x1b
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_nonce[] = {
++ 0xc8, 0xe3, 0x57, 0xa5, 0x7b, 0x74, 0x86, 0x6e
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha1_pr_personalizationstring[] = {
++ 0x6e, 0xdb, 0x0d, 0xfe, 0x7d, 0xac, 0x79, 0xd0, 0xa5, 0x3a, 0x48, 0x85,
++ 0x80, 0xe2, 0x7f, 0x2a
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput[] = {
++ 0x31, 0xcd, 0x5e, 0x43, 0xdc, 0xfb, 0x7a, 0x79, 0xca, 0x88, 0xde, 0x1f,
++ 0xd7, 0xbb, 0x42, 0x09
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr[] = {
++ 0x7c, 0x23, 0x95, 0x38, 0x00, 0x95, 0xc1, 0x78, 0x1f, 0x8f, 0xd7, 0x63,
++ 0x23, 0x87, 0x2a, 0xed
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_int_returnedbits[] = {
++ 0xbb, 0x34, 0xe7, 0x93, 0xa3, 0x02, 0x2c, 0x4a, 0xd0, 0x89, 0xda, 0x7f,
++ 0xed, 0xf4, 0x4c, 0xde, 0x17, 0xec, 0xe5, 0x6c
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput2[] = {
++ 0x49, 0xbc, 0x2d, 0x2c, 0xb7, 0x32, 0xcb, 0x20, 0xdf, 0xf5, 0x77, 0x58,
++ 0xa0, 0x4b, 0x93, 0x6e
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr2[] = {
++ 0x3c, 0xaa, 0xb0, 0x21, 0x42, 0xb0, 0xdd, 0x34, 0xf0, 0x16, 0x7f, 0x0c,
++ 0x0f, 0xff, 0x2e, 0xaf
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_returnedbits[] = {
++ 0x8e, 0xcb, 0xa3, 0x64, 0xb2, 0xb8, 0x33, 0x6c, 0x64, 0x3b, 0x78, 0x16,
++ 0x99, 0x35, 0xc8, 0x30, 0xcb, 0x3e, 0xa0, 0xd8
++};
++
++/* HMAC SHA-1 No PR */
++__fips_constseg static const unsigned char hmac_sha1_entropyinput[] = {
++ 0x32, 0x9a, 0x2a, 0x87, 0x7b, 0x89, 0x7c, 0xf6, 0xcb, 0x95, 0xd5, 0x40,
++ 0x17, 0xfe, 0x47, 0x70
++};
++
++__fips_constseg static const unsigned char hmac_sha1_nonce[] = {
++ 0x16, 0xd8, 0xe0, 0xc7, 0x52, 0xcf, 0x4a, 0x25
++};
++
++__fips_constseg static const unsigned char hmac_sha1_personalizationstring[] = {
++ 0x35, 0x35, 0xa9, 0xa5, 0x40, 0xbe, 0x9b, 0xd1, 0x56, 0xdd, 0x44, 0x00,
++ 0x72, 0xf7, 0xd3, 0x5e
++};
++
++__fips_constseg static const unsigned char hmac_sha1_additionalinput[] = {
++ 0x1b, 0x2c, 0x84, 0x2d, 0x4a, 0x89, 0x8f, 0x69, 0x19, 0xf1, 0xf3, 0xdb,
++ 0xbb, 0xe3, 0xaa, 0xea
++};
++
++__fips_constseg static const unsigned char hmac_sha1_int_returnedbits[] = {
++ 0xcf, 0xfa, 0x7d, 0x72, 0x0f, 0xe6, 0xc7, 0x96, 0xa0, 0x69, 0x31, 0x11,
++ 0x9b, 0x0b, 0x1a, 0x20, 0x1f, 0x3f, 0xaa, 0xd1
++};
++
++__fips_constseg static const unsigned char hmac_sha1_entropyinputreseed[] = {
++ 0x90, 0x75, 0x15, 0x04, 0x95, 0xf1, 0xba, 0x81, 0x0c, 0x37, 0x94, 0x6f,
++ 0x86, 0x52, 0x6d, 0x9c
++};
++
++__fips_constseg static const unsigned char hmac_sha1_additionalinputreseed[] = {
++ 0x5b, 0x40, 0xba, 0x5f, 0x17, 0x70, 0xf0, 0x4b, 0xdf, 0xc9, 0x97, 0x92,
++ 0x79, 0xc5, 0x82, 0x28
++};
++
++__fips_constseg static const unsigned char hmac_sha1_additionalinput2[] = {
++ 0x97, 0xc8, 0x80, 0x90, 0xb3, 0xaa, 0x6e, 0x60, 0xea, 0x83, 0x7a, 0xe3,
++ 0x8a, 0xca, 0xa4, 0x7f
++};
++
++__fips_constseg static const unsigned char hmac_sha1_returnedbits[] = {
++ 0x90, 0xbd, 0x05, 0x56, 0x6d, 0xb5, 0x22, 0xd5, 0xb9, 0x5a, 0x29, 0x2d,
++ 0xe9, 0x0b, 0xe1, 0xac, 0xde, 0x27, 0x0b, 0xb0
++};
++
++/* HMAC SHA-224 PR */
++__fips_constseg static const unsigned char hmac_sha224_pr_entropyinput[] = {
++ 0x17, 0x32, 0x2b, 0x2e, 0x6f, 0x1b, 0x9c, 0x6d, 0x31, 0xe0, 0x34, 0x07,
++ 0xcf, 0xed, 0xf6, 0xb6, 0x5a, 0x76, 0x4c, 0xbc, 0x62, 0x85, 0x01, 0x90
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_nonce[] = {
++ 0x38, 0xbf, 0x5f, 0x20, 0xb3, 0x68, 0x2f, 0x43, 0x61, 0x05, 0x8f, 0x23
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha224_pr_personalizationstring[] = {
++ 0xc0, 0xc9, 0x45, 0xac, 0x8d, 0x27, 0x77, 0x08, 0x0b, 0x17, 0x6d, 0xed,
++ 0xc1, 0x7d, 0xd5, 0x07, 0x9d, 0x6e, 0xf8, 0x23, 0x2a, 0x22, 0x13, 0xbd
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput[] = {
++ 0xa4, 0x3c, 0xe7, 0x3b, 0xea, 0x19, 0x45, 0x32, 0xc2, 0x83, 0x6d, 0x21,
++ 0x8a, 0xc0, 0xee, 0x67, 0x45, 0xde, 0x13, 0x7d, 0x9d, 0x61, 0x00, 0x3b
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr[] = {
++ 0x15, 0x05, 0x74, 0x4a, 0x7f, 0x8d, 0x5c, 0x60, 0x16, 0xe5, 0x7b, 0xad,
++ 0xf5, 0x41, 0x8f, 0x55, 0x60, 0xc4, 0x09, 0xee, 0x1e, 0x11, 0x81, 0xab
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_int_returnedbits[] = {
++ 0x6f, 0xf5, 0x9a, 0xe2, 0x54, 0x53, 0x30, 0x3d, 0x5a, 0x27, 0x29, 0x38,
++ 0x27, 0xf2, 0x0d, 0x05, 0xe9, 0x26, 0xcb, 0x16, 0xc3, 0x51, 0x5f, 0x13,
++ 0x41, 0xfe, 0x99, 0xf2
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput2[] = {
++ 0x73, 0x81, 0x88, 0x84, 0x8f, 0xed, 0x6f, 0x10, 0x9f, 0x93, 0xbf, 0x17,
++ 0x35, 0x7c, 0xef, 0xd5, 0x8d, 0x26, 0xa6, 0x7a, 0xe8, 0x09, 0x36, 0x4f
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr2[] = {
++ 0xe6, 0xcf, 0xcf, 0x7e, 0x12, 0xe5, 0x43, 0xd2, 0x38, 0xd8, 0x24, 0x6f,
++ 0x5a, 0x37, 0x68, 0xbf, 0x4f, 0xa0, 0xff, 0xd5, 0x61, 0x8a, 0x93, 0xe0
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_returnedbits[] = {
++ 0xaf, 0xf9, 0xd8, 0x19, 0x91, 0x30, 0x82, 0x6f, 0xa9, 0x1e, 0x9d, 0xd7,
++ 0xf3, 0x50, 0xe0, 0xc7, 0xd5, 0x64, 0x96, 0x7d, 0x4c, 0x4d, 0x78, 0x03,
++ 0x6d, 0xd8, 0x9e, 0x72
++};
++
++/* HMAC SHA-224 No PR */
++__fips_constseg static const unsigned char hmac_sha224_entropyinput[] = {
++ 0x11, 0x82, 0xfd, 0xd9, 0x42, 0xf4, 0xfa, 0xc8, 0xf2, 0x41, 0xe6, 0x54,
++ 0x01, 0xae, 0x22, 0x6e, 0xc6, 0xaf, 0xaf, 0xd0, 0xa6, 0xb2, 0xe2, 0x6d
++};
++
++__fips_constseg static const unsigned char hmac_sha224_nonce[] = {
++ 0xa9, 0x48, 0xd7, 0x92, 0x39, 0x7e, 0x2a, 0xdc, 0x30, 0x1f, 0x0e, 0x2b
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha224_personalizationstring[] = {
++ 0x11, 0xd5, 0xf4, 0xbd, 0x67, 0x8c, 0x31, 0xcf, 0xa3, 0x3f, 0x1e, 0x6b,
++ 0xa8, 0x07, 0x02, 0x0b, 0xc8, 0x2e, 0x6c, 0x64, 0x41, 0x5b, 0xc8, 0x37
++};
++
++__fips_constseg static const unsigned char hmac_sha224_additionalinput[] = {
++ 0x68, 0x18, 0xc2, 0x06, 0xeb, 0x3e, 0x04, 0x95, 0x44, 0x5e, 0xfb, 0xe6,
++ 0x41, 0xc1, 0x5c, 0xcc, 0x40, 0x2f, 0xb7, 0xd2, 0x0f, 0xf3, 0x6b, 0xe7
++};
++
++__fips_constseg static const unsigned char hmac_sha224_int_returnedbits[] = {
++ 0x7f, 0x45, 0xc7, 0x5d, 0x32, 0xe6, 0x17, 0x60, 0xba, 0xdc, 0xb8, 0x42,
++ 0x1b, 0x9c, 0xf1, 0xfa, 0x3b, 0x4d, 0x29, 0x54, 0xc6, 0x90, 0xff, 0x5c,
++ 0xcd, 0xd6, 0xa9, 0xcc
++};
++
++__fips_constseg static const unsigned char hmac_sha224_entropyinputreseed[] = {
++ 0xc4, 0x8e, 0x37, 0x95, 0x69, 0x53, 0x28, 0xd7, 0x37, 0xbb, 0x70, 0x95,
++ 0x1c, 0x07, 0x1d, 0xd9, 0xb7, 0xe6, 0x1b, 0xbb, 0xfe, 0x41, 0xeb, 0xc9
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha224_additionalinputreseed[] = {
++ 0x53, 0x17, 0xa1, 0x6a, 0xfa, 0x77, 0x47, 0xb0, 0x95, 0x56, 0x9a, 0x20,
++ 0x57, 0xde, 0x5c, 0x89, 0x9f, 0x7f, 0xe2, 0xde, 0x17, 0x3a, 0x50, 0x23
++};
++
++__fips_constseg static const unsigned char hmac_sha224_additionalinput2[] = {
++ 0x3a, 0x32, 0xf9, 0x85, 0x0c, 0xc1, 0xed, 0x76, 0x2d, 0xdf, 0x40, 0xc3,
++ 0x06, 0x22, 0x66, 0xd4, 0x9a, 0x9a, 0xff, 0x5a, 0x7e, 0x7a, 0xf3, 0x96
++};
++
++__fips_constseg static const unsigned char hmac_sha224_returnedbits[] = {
++ 0x43, 0xb4, 0x57, 0x5c, 0x38, 0x25, 0x9d, 0xae, 0xec, 0x96, 0xd1, 0x85,
++ 0x3a, 0x84, 0x8d, 0xfe, 0x68, 0xd5, 0x0e, 0x5c, 0x8f, 0x65, 0xa5, 0x4e,
++ 0x45, 0x84, 0xa8, 0x94
++};
++
++/* HMAC SHA-256 PR */
++__fips_constseg static const unsigned char hmac_sha256_pr_entropyinput[] = {
++ 0x4d, 0xb0, 0x43, 0xd8, 0x34, 0x4b, 0x10, 0x70, 0xb1, 0x8b, 0xed, 0xea,
++ 0x07, 0x92, 0x9f, 0x6c, 0x79, 0x31, 0xaf, 0x81, 0x29, 0xeb, 0x6e, 0xca,
++ 0x32, 0x48, 0x28, 0xe7, 0x02, 0x5d, 0xa6, 0xa6
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_nonce[] = {
++ 0x3a, 0xae, 0x15, 0xa9, 0x99, 0xdc, 0xe4, 0x67, 0x34, 0x3b, 0x70, 0x15,
++ 0xaa, 0xd3, 0x30, 0x9a
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha256_pr_personalizationstring[] = {
++ 0x13, 0x1d, 0x24, 0x04, 0xb0, 0x18, 0x81, 0x15, 0x21, 0x51, 0x2a, 0x24,
++ 0x52, 0x61, 0xbe, 0x64, 0x82, 0x6b, 0x55, 0x2f, 0xe2, 0xf1, 0x40, 0x7d,
++ 0x71, 0xd8, 0x01, 0x86, 0x15, 0xb7, 0x8b, 0xb5
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput[] = {
++ 0x8f, 0xa6, 0x54, 0x5f, 0xb1, 0xd0, 0xd8, 0xc3, 0xe7, 0x0c, 0x15, 0xa9,
++ 0x23, 0x6e, 0xfe, 0xfb, 0x93, 0xf7, 0x3a, 0xbd, 0x59, 0x01, 0xfa, 0x18,
++ 0x8e, 0xe9, 0x1a, 0xa9, 0x78, 0xfc, 0x79, 0x0b
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr[] = {
++ 0xcf, 0x24, 0xb9, 0xeb, 0xb3, 0xd4, 0xcd, 0x17, 0x37, 0x38, 0x75, 0x79,
++ 0x15, 0xcb, 0x2d, 0x75, 0x51, 0xf1, 0xcc, 0xaa, 0x32, 0xa4, 0xa7, 0x36,
++ 0x7c, 0x5c, 0xe4, 0x47, 0xf1, 0x3e, 0x1d, 0xe5
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_int_returnedbits[] = {
++ 0x52, 0x42, 0xfa, 0xeb, 0x85, 0xe0, 0x30, 0x22, 0x79, 0x00, 0x16, 0xb2,
++ 0x88, 0x2f, 0x14, 0x6a, 0xb7, 0xfc, 0xb7, 0x53, 0xdc, 0x4a, 0x12, 0xef,
++ 0x54, 0xd6, 0x33, 0xe9, 0x20, 0xd6, 0xfd, 0x56
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput2[] = {
++ 0xf4, 0xf6, 0x49, 0xa1, 0x2d, 0x64, 0x2b, 0x30, 0x58, 0xf8, 0xbd, 0xb8,
++ 0x75, 0xeb, 0xbb, 0x5e, 0x1c, 0x9b, 0x81, 0x6a, 0xda, 0x14, 0x86, 0x6e,
++ 0xd0, 0xda, 0x18, 0xb7, 0x88, 0xfb, 0x59, 0xf3
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr2[] = {
++ 0x21, 0xcd, 0x6e, 0x46, 0xad, 0x99, 0x07, 0x17, 0xb4, 0x3d, 0x76, 0x0a,
++ 0xff, 0x5b, 0x52, 0x50, 0x78, 0xdf, 0x1f, 0x24, 0x06, 0x0d, 0x3f, 0x74,
++ 0xa9, 0xc9, 0x37, 0xcf, 0xd8, 0x26, 0x25, 0x91
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_returnedbits[] = {
++ 0xa7, 0xaf, 0x2f, 0x29, 0xe0, 0x3a, 0x72, 0x95, 0x96, 0x1c, 0xa9, 0xf0,
++ 0x4a, 0x17, 0x4d, 0x66, 0x06, 0x10, 0xbf, 0x39, 0x89, 0x88, 0xb8, 0x91,
++ 0x37, 0x18, 0x99, 0xcf, 0x8c, 0x53, 0x3b, 0x7e
++};
++
++/* HMAC SHA-256 No PR */
++__fips_constseg static const unsigned char hmac_sha256_entropyinput[] = {
++ 0x96, 0xb7, 0x53, 0x22, 0x1e, 0x52, 0x2a, 0x96, 0xb1, 0x15, 0x3c, 0x35,
++ 0x5a, 0x8b, 0xd3, 0x4a, 0xa6, 0x6c, 0x83, 0x0a, 0x7d, 0xa3, 0x23, 0x3d,
++ 0x43, 0xa1, 0x07, 0x2c, 0x2d, 0xe3, 0x81, 0xcc
++};
++
++__fips_constseg static const unsigned char hmac_sha256_nonce[] = {
++ 0xf1, 0xac, 0x97, 0xcb, 0x5e, 0x06, 0x48, 0xd2, 0x94, 0xbe, 0x15, 0x2e,
++ 0xc7, 0xfc, 0xc2, 0x01
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha256_personalizationstring[] = {
++ 0x98, 0xc5, 0x1e, 0x35, 0x5e, 0x89, 0x0d, 0xce, 0x64, 0x6d, 0x18, 0xa7,
++ 0x5a, 0xc6, 0xf3, 0xe7, 0xd6, 0x9e, 0xc0, 0xea, 0xb7, 0x3a, 0x8d, 0x65,
++ 0xb8, 0xeb, 0x10, 0xd7, 0x57, 0x18, 0xa0, 0x32
++};
++
++__fips_constseg static const unsigned char hmac_sha256_additionalinput[] = {
++ 0x1b, 0x10, 0xaf, 0xac, 0xd0, 0x65, 0x95, 0xad, 0x04, 0xad, 0x03, 0x1c,
++ 0xe0, 0x40, 0xd6, 0x3e, 0x1c, 0x46, 0x53, 0x39, 0x7c, 0xe2, 0xbc, 0xda,
++ 0x8c, 0xa2, 0x33, 0xa7, 0x9a, 0x26, 0xd3, 0x27
++};
++
++__fips_constseg static const unsigned char hmac_sha256_int_returnedbits[] = {
++ 0xba, 0x61, 0x0e, 0x55, 0xfe, 0x11, 0x8a, 0x9e, 0x0f, 0x80, 0xdf, 0x1d,
++ 0x03, 0x0a, 0xfe, 0x15, 0x94, 0x28, 0x4b, 0xba, 0xf4, 0x9f, 0x51, 0x25,
++ 0x88, 0xe5, 0x4e, 0xfb, 0xaf, 0xce, 0x69, 0x90
++};
++
++__fips_constseg static const unsigned char hmac_sha256_entropyinputreseed[] = {
++ 0x62, 0x7f, 0x1e, 0x6b, 0xe8, 0x8e, 0xe1, 0x35, 0x7d, 0x9b, 0x4f, 0xc7,
++ 0xec, 0xc8, 0xac, 0xef, 0x6b, 0x13, 0x9e, 0x05, 0x56, 0xc1, 0x08, 0xf9,
++ 0x2f, 0x0f, 0x27, 0x9c, 0xd4, 0x15, 0xed, 0x2d
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha256_additionalinputreseed[] = {
++ 0xc7, 0x76, 0x6e, 0xa9, 0xd2, 0xb2, 0x76, 0x40, 0x82, 0x25, 0x2c, 0xb3,
++ 0x6f, 0xac, 0xe9, 0x74, 0xef, 0x8f, 0x3c, 0x8e, 0xcd, 0xf1, 0xbf, 0xb3,
++ 0x49, 0x77, 0x34, 0x88, 0x52, 0x36, 0xe6, 0x2e
++};
++
++__fips_constseg static const unsigned char hmac_sha256_additionalinput2[] = {
++ 0x8d, 0xb8, 0x0c, 0xd1, 0xbf, 0x70, 0xf6, 0x19, 0xc3, 0x41, 0x80, 0x9f,
++ 0xe1, 0xa5, 0xa4, 0x1f, 0x2c, 0x26, 0xb1, 0xe5, 0xd8, 0xeb, 0xbe, 0xf8,
++ 0xdf, 0x88, 0x6a, 0x89, 0xd6, 0x05, 0xd8, 0x9d
++};
++
++__fips_constseg static const unsigned char hmac_sha256_returnedbits[] = {
++ 0x43, 0x12, 0x2a, 0x2c, 0x40, 0x53, 0x2e, 0x7c, 0x66, 0x34, 0xac, 0xc3,
++ 0x43, 0xe3, 0xe0, 0x6a, 0xfc, 0xfa, 0xea, 0x87, 0x21, 0x1f, 0xe2, 0x26,
++ 0xc4, 0xf9, 0x09, 0x9a, 0x0d, 0x6e, 0x7f, 0xe0
++};
++
++/* HMAC SHA-384 PR */
++__fips_constseg static const unsigned char hmac_sha384_pr_entropyinput[] = {
++ 0x69, 0x81, 0x98, 0x88, 0x44, 0xf5, 0xd6, 0x2e, 0x00, 0x08, 0x3b, 0xc5,
++ 0xfb, 0xd7, 0x8e, 0x6f, 0x23, 0xf8, 0x6d, 0x09, 0xd6, 0x85, 0x49, 0xd1,
++ 0xf8, 0x6d, 0xa4, 0x58, 0x54, 0xfd, 0x88, 0xa9
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_nonce[] = {
++ 0x6e, 0x38, 0x81, 0xca, 0xb7, 0xe8, 0x6e, 0x66, 0x49, 0x8a, 0xb2, 0x59,
++ 0xee, 0x16, 0xc9, 0xde
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha384_pr_personalizationstring[] = {
++ 0xfe, 0x4c, 0xd9, 0xf4, 0x78, 0x3b, 0x08, 0x41, 0x8d, 0x8f, 0x55, 0xc4,
++ 0x43, 0x56, 0xb6, 0x12, 0x36, 0x6b, 0x30, 0xb7, 0x5e, 0xe1, 0xb9, 0x47,
++ 0x04, 0xb1, 0x4e, 0xa9, 0x00, 0xa1, 0x52, 0xa1
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput[] = {
++ 0x89, 0xe9, 0xcc, 0x8f, 0x27, 0x3c, 0x26, 0xd1, 0x95, 0xc8, 0x7d, 0x0f,
++ 0x5b, 0x1a, 0xf0, 0x78, 0x39, 0x56, 0x6f, 0xa4, 0x23, 0xe7, 0xd1, 0xda,
++ 0x7c, 0x66, 0x33, 0xa0, 0x90, 0xc9, 0x92, 0x88
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr[] = {
++ 0xbe, 0x3d, 0x7c, 0x0d, 0xca, 0xda, 0x7c, 0x49, 0xb8, 0x12, 0x36, 0xc0,
++ 0xdb, 0xad, 0x35, 0xa8, 0xc7, 0x0b, 0x2a, 0x2c, 0x69, 0x6d, 0x25, 0x56,
++ 0x63, 0x82, 0x11, 0x3e, 0xa7, 0x33, 0x70, 0x72
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_int_returnedbits[] = {
++ 0x82, 0x3d, 0xe6, 0x54, 0x80, 0x42, 0xf8, 0xba, 0x90, 0x4f, 0x06, 0xa6,
++ 0xd2, 0x7f, 0xbf, 0x79, 0x7c, 0x12, 0x7d, 0xa6, 0xa2, 0x66, 0xe8, 0xa6,
++ 0xc0, 0xd6, 0x4a, 0x55, 0xbf, 0xd8, 0x0a, 0xc5, 0xf8, 0x03, 0x88, 0xdd,
++ 0x8e, 0x87, 0xd1, 0x5a, 0x48, 0x26, 0x72, 0x2a, 0x8e, 0xcf, 0xee, 0xba
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput2[] = {
++ 0x8f, 0xff, 0xd9, 0x84, 0xbb, 0x85, 0x3a, 0x66, 0xa1, 0x21, 0xce, 0xb2,
++ 0x3a, 0x3a, 0x17, 0x22, 0x19, 0xae, 0xc7, 0xb6, 0x63, 0x81, 0xd5, 0xff,
++ 0x0d, 0xc8, 0xe1, 0xaf, 0x57, 0xd2, 0xcb, 0x60
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr2[] = {
++ 0xd7, 0xfb, 0xc9, 0xe8, 0xe2, 0xf2, 0xaa, 0x4c, 0xb8, 0x51, 0x2f, 0xe1,
++ 0x22, 0xba, 0xf3, 0xda, 0x0a, 0x19, 0x76, 0x71, 0x57, 0xb2, 0x1d, 0x94,
++ 0x09, 0x69, 0x6c, 0xd3, 0x97, 0x51, 0x81, 0x87
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_returnedbits[] = {
++ 0xe6, 0x19, 0x28, 0xa8, 0x21, 0xce, 0x5e, 0xdb, 0x24, 0x79, 0x8c, 0x76,
++ 0x5d, 0x73, 0xb2, 0xdf, 0xac, 0xef, 0x85, 0xa7, 0x3b, 0x19, 0x09, 0x8b,
++ 0x7f, 0x98, 0x28, 0xa9, 0x93, 0xd8, 0x7a, 0xad, 0x55, 0x8b, 0x24, 0x9d,
++ 0xe6, 0x98, 0xfe, 0x47, 0xd5, 0x48, 0xc1, 0x23, 0xd8, 0x1d, 0x62, 0x75
++};
++
++/* HMAC SHA-384 No PR */
++__fips_constseg static const unsigned char hmac_sha384_entropyinput[] = {
++ 0xc3, 0x56, 0x2b, 0x1d, 0xc2, 0xbb, 0xa8, 0xf0, 0xae, 0x1b, 0x0d, 0xd3,
++ 0x5a, 0x6c, 0xda, 0x57, 0x8e, 0xa5, 0x8a, 0x0d, 0x6c, 0x4b, 0x18, 0xb1,
++ 0x04, 0x3e, 0xb4, 0x99, 0x35, 0xc4, 0xc0, 0x5f
++};
++
++__fips_constseg static const unsigned char hmac_sha384_nonce[] = {
++ 0xc5, 0x49, 0x1e, 0x66, 0x27, 0x92, 0xbe, 0xec, 0xb5, 0x1e, 0x4b, 0xb1,
++ 0x38, 0xe3, 0xeb, 0x62
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha384_personalizationstring[] = {
++ 0xbe, 0xe7, 0x6b, 0x57, 0xde, 0x88, 0x11, 0x96, 0x9b, 0x6e, 0xea, 0xe5,
++ 0x63, 0x83, 0x4c, 0xb6, 0x8d, 0x66, 0xaa, 0x1f, 0x8b, 0x54, 0xe7, 0x62,
++ 0x6d, 0x5a, 0xfc, 0xbf, 0x97, 0xba, 0xcd, 0x77
++};
++
++__fips_constseg static const unsigned char hmac_sha384_additionalinput[] = {
++ 0xe5, 0x28, 0x5f, 0x43, 0xf5, 0x83, 0x6e, 0x0a, 0x83, 0x5c, 0xe3, 0x81,
++ 0x03, 0xf2, 0xf8, 0x78, 0x00, 0x7c, 0x95, 0x87, 0x16, 0xd6, 0x6c, 0x58,
++ 0x33, 0x6c, 0x53, 0x35, 0x0d, 0x66, 0xe3, 0xce
++};
++
++__fips_constseg static const unsigned char hmac_sha384_int_returnedbits[] = {
++ 0xe2, 0x1f, 0xf3, 0xda, 0x0d, 0x19, 0x99, 0x87, 0xc4, 0x90, 0xa2, 0x31,
++ 0xca, 0x2a, 0x89, 0x58, 0x43, 0x44, 0xb8, 0xde, 0xcf, 0xa4, 0xbe, 0x3b,
++ 0x53, 0x26, 0x22, 0x31, 0x76, 0x41, 0x22, 0xb5, 0xa8, 0x70, 0x2f, 0x4b,
++ 0x64, 0x95, 0x4d, 0x48, 0x96, 0x35, 0xe6, 0xbd, 0x3c, 0x34, 0xdb, 0x1b
++};
++
++__fips_constseg static const unsigned char hmac_sha384_entropyinputreseed[] = {
++ 0x77, 0x61, 0xba, 0xbc, 0xf2, 0xc1, 0xf3, 0x4b, 0x86, 0x65, 0xfd, 0x48,
++ 0x0e, 0x3c, 0x02, 0x5e, 0xa2, 0x7a, 0x6b, 0x7c, 0xed, 0x21, 0x5e, 0xf9,
++ 0xcd, 0xcd, 0x77, 0x07, 0x2b, 0xbe, 0xc5, 0x5c
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha384_additionalinputreseed[] = {
++ 0x18, 0x24, 0x5f, 0xc6, 0x84, 0xd1, 0x67, 0xc3, 0x9a, 0x11, 0xa5, 0x8c,
++ 0x07, 0x39, 0x21, 0x83, 0x4d, 0x04, 0xc4, 0x6a, 0x28, 0x19, 0xcf, 0x92,
++ 0x21, 0xd9, 0x9e, 0x41, 0x72, 0x6c, 0x9e, 0x63
++};
++
++__fips_constseg static const unsigned char hmac_sha384_additionalinput2[] = {
++ 0x96, 0x67, 0x41, 0x28, 0x9b, 0xb7, 0x92, 0x8d, 0x64, 0x3b, 0xe4, 0xcf,
++ 0x7e, 0xaa, 0x1e, 0xb1, 0x4b, 0x1d, 0x09, 0x56, 0x67, 0x9c, 0xc6, 0x6d,
++ 0x3b, 0xe8, 0x91, 0x9d, 0xe1, 0x8a, 0xb7, 0x32
++};
++
++__fips_constseg static const unsigned char hmac_sha384_returnedbits[] = {
++ 0xe3, 0x59, 0x61, 0x38, 0x92, 0xec, 0xe2, 0x3c, 0xff, 0xb7, 0xdb, 0x19,
++ 0x0f, 0x5b, 0x93, 0x68, 0x0d, 0xa4, 0x94, 0x40, 0x72, 0x0b, 0xe0, 0xed,
++ 0x4d, 0xcd, 0x68, 0xa0, 0x1e, 0xfe, 0x67, 0xb2, 0xfa, 0x21, 0x56, 0x74,
++ 0xa4, 0xad, 0xcf, 0xb7, 0x60, 0x66, 0x2e, 0x40, 0xde, 0x82, 0xca, 0xfb
++};
++
++/* HMAC SHA-512 PR */
++__fips_constseg static const unsigned char hmac_sha512_pr_entropyinput[] = {
++ 0xaa, 0x9e, 0x45, 0x67, 0x0e, 0x00, 0x2a, 0x67, 0x98, 0xd6, 0xda, 0x0b,
++ 0x0f, 0x17, 0x7e, 0xac, 0xfd, 0x27, 0xc4, 0xca, 0x84, 0xdf, 0xde, 0xba,
++ 0x85, 0xd9, 0xbe, 0x8f, 0xf3, 0xff, 0x91, 0x4d
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_nonce[] = {
++ 0x8c, 0x49, 0x2f, 0x58, 0x1e, 0x7a, 0xda, 0x4b, 0x7e, 0x8a, 0x30, 0x7b,
++ 0x86, 0xea, 0xaf, 0xa2
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha512_pr_personalizationstring[] = {
++ 0x71, 0xe1, 0xbb, 0xad, 0xa7, 0x4b, 0x2e, 0x31, 0x3b, 0x0b, 0xec, 0x24,
++ 0x99, 0x38, 0xbc, 0xaa, 0x05, 0x4c, 0x46, 0x44, 0xfa, 0xad, 0x8e, 0x02,
++ 0xc1, 0x7e, 0xad, 0xec, 0x54, 0xa6, 0xd0, 0xad
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput[] = {
++ 0x3d, 0x6e, 0xa6, 0xa8, 0x29, 0x2a, 0xb2, 0xf5, 0x98, 0x42, 0xe4, 0x92,
++ 0x78, 0x22, 0x67, 0xfd, 0x1b, 0x15, 0x1e, 0x29, 0xaa, 0x71, 0x3c, 0x3c,
++ 0xe7, 0x05, 0x20, 0xa9, 0x29, 0xc6, 0x75, 0x71
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr[] = {
++ 0xab, 0xb9, 0x16, 0xd8, 0x55, 0x35, 0x54, 0xb7, 0x97, 0x3f, 0x94, 0xbc,
++ 0x2f, 0x7c, 0x70, 0xc7, 0xd0, 0xed, 0xb7, 0x4b, 0xf7, 0xf6, 0x6c, 0x03,
++ 0x0c, 0xb0, 0x03, 0xd8, 0xbb, 0x71, 0xd9, 0x10
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_int_returnedbits[] = {
++ 0x8e, 0xd3, 0xfd, 0x52, 0x9e, 0x83, 0x08, 0x49, 0x18, 0x6e, 0x23, 0x56,
++ 0x5c, 0x45, 0x93, 0x34, 0x05, 0xe2, 0x98, 0x8f, 0x0c, 0xd4, 0x32, 0x0c,
++ 0xfd, 0xda, 0x5f, 0x92, 0x3a, 0x8c, 0x81, 0xbd, 0xf6, 0x6c, 0x55, 0xfd,
++ 0xb8, 0x20, 0xce, 0x8d, 0x97, 0x27, 0xe8, 0xe8, 0xe0, 0xb3, 0x85, 0x50,
++ 0xa2, 0xc2, 0xb2, 0x95, 0x1d, 0x48, 0xd3, 0x7b, 0x4b, 0x78, 0x13, 0x35,
++ 0x05, 0x17, 0xbe, 0x0d
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput2[] = {
++ 0xc3, 0xfc, 0x95, 0xaa, 0x69, 0x06, 0xae, 0x59, 0x41, 0xce, 0x26, 0x08,
++ 0x29, 0x6d, 0x45, 0xda, 0xe8, 0xb3, 0x6c, 0x95, 0x60, 0x0f, 0x70, 0x2c,
++ 0x10, 0xba, 0x38, 0x8c, 0xcf, 0x29, 0x99, 0xaa
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr2[] = {
++ 0x3b, 0x9a, 0x25, 0xce, 0xd7, 0xf9, 0x5c, 0xd1, 0x3a, 0x3e, 0xaa, 0x71,
++ 0x14, 0x3e, 0x19, 0xe8, 0xce, 0xe6, 0xfe, 0x51, 0x84, 0xe9, 0x1b, 0xfe,
++ 0x3f, 0xa7, 0xf2, 0xfd, 0x76, 0x5f, 0x6a, 0xe7
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_returnedbits[] = {
++ 0xb7, 0x82, 0xa9, 0x57, 0x81, 0x67, 0x53, 0xb5, 0xa1, 0xe9, 0x3d, 0x35,
++ 0xf9, 0xe4, 0x97, 0xbe, 0xa6, 0xca, 0xf1, 0x01, 0x13, 0x09, 0xe7, 0x21,
++ 0xc0, 0xed, 0x93, 0x5d, 0x4b, 0xf4, 0xeb, 0x8d, 0x53, 0x25, 0x8a, 0xc4,
++ 0xb1, 0x6f, 0x6e, 0x37, 0xcd, 0x2e, 0xac, 0x39, 0xb2, 0xb6, 0x99, 0xa3,
++ 0x82, 0x00, 0xb0, 0x21, 0xf0, 0xc7, 0x2f, 0x4c, 0x73, 0x92, 0xfd, 0x00,
++ 0xb6, 0xaf, 0xbc, 0xd3
++};
++
++/* HMAC SHA-512 No PR */
++__fips_constseg static const unsigned char hmac_sha512_entropyinput[] = {
++ 0x6e, 0x85, 0xe6, 0x25, 0x96, 0x29, 0xa7, 0x52, 0x5b, 0x60, 0xba, 0xaa,
++ 0xde, 0xdb, 0x36, 0x0a, 0x51, 0x9a, 0x15, 0xae, 0x6e, 0x18, 0xd3, 0xfe,
++ 0x39, 0xb9, 0x4a, 0x96, 0xf8, 0x77, 0xcb, 0x95
++};
++
++__fips_constseg static const unsigned char hmac_sha512_nonce[] = {
++ 0xe0, 0xa6, 0x5d, 0x08, 0xc3, 0x7c, 0xae, 0x25, 0x2e, 0x80, 0xd1, 0x3e,
++ 0xd9, 0xaf, 0x43, 0x3c
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha512_personalizationstring[] = {
++ 0x53, 0x99, 0x52, 0x5f, 0x11, 0xa9, 0x64, 0x66, 0x20, 0x5e, 0x1b, 0x5f,
++ 0x42, 0xb3, 0xf4, 0xda, 0xed, 0xbb, 0x63, 0xc1, 0x23, 0xaf, 0xd0, 0x01,
++ 0x90, 0x3b, 0xd0, 0x78, 0xe4, 0x0b, 0xa7, 0x20
++};
++
++__fips_constseg static const unsigned char hmac_sha512_additionalinput[] = {
++ 0x85, 0x90, 0x80, 0xd3, 0x98, 0xf1, 0x53, 0x6d, 0x68, 0x15, 0x8f, 0xe5,
++ 0x60, 0x3f, 0x17, 0x29, 0x55, 0x8d, 0x33, 0xb1, 0x45, 0x64, 0x64, 0x8d,
++ 0x50, 0x21, 0x89, 0xae, 0xf6, 0xfd, 0x32, 0x73
++};
++
++__fips_constseg static const unsigned char hmac_sha512_int_returnedbits[] = {
++ 0x28, 0x56, 0x30, 0x6f, 0xf4, 0xa1, 0x48, 0xe0, 0xc9, 0xf5, 0x75, 0x90,
++ 0xcc, 0xfb, 0xdf, 0xdf, 0x71, 0x3d, 0x0a, 0x9a, 0x03, 0x65, 0x3b, 0x18,
++ 0x61, 0xe3, 0xd1, 0xda, 0xcc, 0x4a, 0xfe, 0x55, 0x38, 0xf8, 0x21, 0x6b,
++ 0xfa, 0x18, 0x01, 0x42, 0x39, 0x2f, 0x99, 0x53, 0x38, 0x15, 0x82, 0x34,
++ 0xc5, 0x93, 0x92, 0xbc, 0x4d, 0x75, 0x1a, 0x5f, 0x21, 0x27, 0xcc, 0xa1,
++ 0xb1, 0x57, 0x69, 0xe8
++};
++
++__fips_constseg static const unsigned char hmac_sha512_entropyinputreseed[] = {
++ 0x8c, 0x52, 0x7e, 0x77, 0x72, 0x3f, 0xa3, 0x04, 0x97, 0x10, 0x9b, 0x41,
++ 0xbd, 0xe8, 0xff, 0x89, 0xed, 0x80, 0xe3, 0xbd, 0xaa, 0x12, 0x2d, 0xca,
++ 0x75, 0x82, 0x36, 0x77, 0x88, 0xcd, 0xa6, 0x73
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha512_additionalinputreseed[] = {
++ 0x7e, 0x32, 0xe3, 0x69, 0x69, 0x07, 0x34, 0xa2, 0x16, 0xa2, 0x5d, 0x1a,
++ 0x10, 0x91, 0xd3, 0xe2, 0x21, 0xa2, 0xa3, 0xdd, 0xcd, 0x0c, 0x09, 0x86,
++ 0x11, 0xe1, 0x50, 0xff, 0x5c, 0xb7, 0xeb, 0x5c
++};
++
++__fips_constseg static const unsigned char hmac_sha512_additionalinput2[] = {
++ 0x7f, 0x78, 0x66, 0xd8, 0xfb, 0x67, 0xcf, 0x8d, 0x8c, 0x08, 0x30, 0xa5,
++ 0xf8, 0x7d, 0xcf, 0x44, 0x59, 0xce, 0xf8, 0xdf, 0x58, 0xd3, 0x60, 0xcb,
++ 0xa8, 0x60, 0xb9, 0x07, 0xc4, 0xb1, 0x95, 0x48
++};
++
++__fips_constseg static const unsigned char hmac_sha512_returnedbits[] = {
++ 0xdf, 0xa7, 0x36, 0xd4, 0xdc, 0x5d, 0x4d, 0x31, 0xad, 0x69, 0x46, 0x9f,
++ 0xf1, 0x7c, 0xd7, 0x3b, 0x4f, 0x55, 0xf2, 0xd7, 0xb9, 0x9d, 0xad, 0x7a,
++ 0x79, 0x08, 0x59, 0xa5, 0xdc, 0x74, 0xf5, 0x9b, 0x73, 0xd2, 0x13, 0x25,
++ 0x0b, 0x81, 0x08, 0x08, 0x25, 0xfb, 0x39, 0xf2, 0xf0, 0xa3, 0xa4, 0x8d,
++ 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79,
++ 0xc2, 0xd6, 0xfd, 0xa5
++};
+diff -up openssl-1.0.2a/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_dsa_selftest.c
+--- openssl-1.0.2a/crypto/fips/fips_dsa_selftest.c.fips 2015-04-22 16:08:40.297245773 +0200
++++ openssl-1.0.2a/crypto/fips/fips_dsa_selftest.c 2015-04-22 16:08:40.297245773 +0200
+@@ -0,0 +1,192 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/dsa.h>
++#include <openssl/fips.h>
++#include <openssl/err.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++static const unsigned char dsa_test_2048_p[] = {
++ 0xa8, 0x53, 0x78, 0xd8, 0xfd, 0x3f, 0x8d, 0x72, 0xec, 0x74, 0x18, 0x08,
++ 0x0d, 0xa2, 0x13, 0x17, 0xe4, 0x3e, 0xc4, 0xb6, 0x2b, 0xa8, 0xc8, 0x62,
++ 0x3b, 0x7e, 0x4d, 0x04, 0x44, 0x1d, 0xd1, 0xa0, 0x65, 0x86, 0x62, 0x59,
++ 0x64, 0x93, 0xca, 0x8e, 0x9e, 0x8f, 0xbb, 0x7e, 0x34, 0xaa, 0xdd, 0xb6,
++ 0x2e, 0x5d, 0x67, 0xb6, 0xd0, 0x9a, 0x6e, 0x61, 0xb7, 0x69, 0xe7, 0xc3,
++ 0x52, 0xaa, 0x2b, 0x10, 0xe2, 0x0c, 0xa0, 0x63, 0x69, 0x63, 0xb5, 0x52,
++ 0x3e, 0x86, 0x47, 0x0d, 0xec, 0xbb, 0xed, 0xa0, 0x27, 0xe7, 0x97, 0xe7,
++ 0xb6, 0x76, 0x35, 0xd4, 0xd4, 0x9c, 0x30, 0x70, 0x0e, 0x74, 0xaf, 0x8a,
++ 0x0f, 0xf1, 0x56, 0xa8, 0x01, 0xaf, 0x57, 0xa2, 0x6e, 0x70, 0x78, 0xf1,
++ 0xd8, 0x2f, 0x74, 0x90, 0x8e, 0xcb, 0x6d, 0x07, 0xe7, 0x0b, 0x35, 0x03,
++ 0xee, 0xd9, 0x4f, 0xa3, 0x2c, 0xf1, 0x7a, 0x7f, 0xc3, 0xd6, 0xcf, 0x40,
++ 0xdc, 0x7b, 0x00, 0x83, 0x0e, 0x6a, 0x25, 0x66, 0xdc, 0x07, 0x3e, 0x34,
++ 0x33, 0x12, 0x51, 0x7c, 0x6a, 0xa5, 0x15, 0x2b, 0x4b, 0xfe, 0xcd, 0x2e,
++ 0x55, 0x1f, 0xee, 0x34, 0x63, 0x18, 0xa1, 0x53, 0x42, 0x3c, 0x99, 0x6b,
++ 0x0d, 0x5d, 0xcb, 0x91, 0x02, 0xae, 0xdd, 0x38, 0x79, 0x86, 0x16, 0xf1,
++ 0xf1, 0xe0, 0xd6, 0xc4, 0x03, 0x52, 0x5b, 0x1f, 0x9b, 0x3d, 0x4d, 0xc7,
++ 0x66, 0xde, 0x2d, 0xfc, 0x4a, 0x56, 0xd7, 0xb8, 0xba, 0x59, 0x63, 0xd6,
++ 0x0f, 0x3e, 0x16, 0x31, 0x88, 0x70, 0xad, 0x43, 0x69, 0x52, 0xe5, 0x57,
++ 0x65, 0x37, 0x4e, 0xab, 0x85, 0xe8, 0xec, 0x17, 0xd6, 0xb9, 0xa4, 0x54,
++ 0x7b, 0x9b, 0x5f, 0x27, 0x52, 0xf3, 0x10, 0x5b, 0xe8, 0x09, 0xb2, 0x3a,
++ 0x2c, 0x8d, 0x74, 0x69, 0xdb, 0x02, 0xe2, 0x4d, 0x59, 0x23, 0x94, 0xa7,
++ 0xdb, 0xa0, 0x69, 0xe9
++};
++
++static const unsigned char dsa_test_2048_q[] = {
++ 0xd2, 0x77, 0x04, 0x4e, 0x50, 0xf5, 0xa4, 0xe3, 0xf5, 0x10, 0xa5, 0x0a,
++ 0x0b, 0x84, 0xfd, 0xff, 0xbc, 0xa0, 0x47, 0xed, 0x27, 0x60, 0x20, 0x56,
++ 0x74, 0x41, 0xa0, 0xa5
++};
++
++static const unsigned char dsa_test_2048_g[] = {
++ 0x13, 0xd7, 0x54, 0xe2, 0x1f, 0xd2, 0x41, 0x65, 0x5d, 0xa8, 0x91, 0xc5,
++ 0x22, 0xa6, 0x5a, 0x72, 0xa8, 0x9b, 0xdc, 0x64, 0xec, 0x9b, 0x54, 0xa8,
++ 0x21, 0xed, 0x4a, 0x89, 0x8b, 0x49, 0x0e, 0x0c, 0x4f, 0xcb, 0x72, 0x19,
++ 0x2a, 0x4a, 0x20, 0xf5, 0x41, 0xf3, 0xf2, 0x92, 0x53, 0x99, 0xf0, 0xba,
++ 0xec, 0xf9, 0x29, 0xaa, 0xfb, 0xf7, 0x9d, 0xfe, 0x43, 0x32, 0x39, 0x3b,
++ 0x32, 0xcd, 0x2e, 0x2f, 0xcf, 0x27, 0x2f, 0x32, 0xa6, 0x27, 0x43, 0x4a,
++ 0x0d, 0xf2, 0x42, 0xb7, 0x5b, 0x41, 0x4d, 0xf3, 0x72, 0x12, 0x1e, 0x53,
++ 0xa5, 0x53, 0xf2, 0x22, 0xf8, 0x36, 0xb0, 0x00, 0xf0, 0x16, 0x48, 0x5b,
++ 0x6b, 0xd0, 0x89, 0x84, 0x51, 0x80, 0x1d, 0xcd, 0x8d, 0xe6, 0x4c, 0xd5,
++ 0x36, 0x56, 0x96, 0xff, 0xc5, 0x32, 0xd5, 0x28, 0xc5, 0x06, 0x62, 0x0a,
++ 0x94, 0x2a, 0x03, 0x05, 0x04, 0x6d, 0x8f, 0x18, 0x76, 0x34, 0x1f, 0x1e,
++ 0x57, 0x0b, 0xc3, 0x97, 0x4b, 0xa6, 0xb9, 0xa4, 0x38, 0xe9, 0x70, 0x23,
++ 0x02, 0xa2, 0xe6, 0xe6, 0x7b, 0xfd, 0x06, 0xd3, 0x2b, 0xc6, 0x79, 0x96,
++ 0x22, 0x71, 0xd7, 0xb4, 0x0c, 0xd7, 0x2f, 0x38, 0x6e, 0x64, 0xe0, 0xd7,
++ 0xef, 0x86, 0xca, 0x8c, 0xa5, 0xd1, 0x42, 0x28, 0xdc, 0x2a, 0x4f, 0x16,
++ 0xe3, 0x18, 0x98, 0x86, 0xb5, 0x99, 0x06, 0x74, 0xf4, 0x20, 0x0f, 0x3a,
++ 0x4c, 0xf6, 0x5a, 0x3f, 0x0d, 0xdb, 0xa1, 0xfa, 0x67, 0x2d, 0xff, 0x2f,
++ 0x5e, 0x14, 0x3d, 0x10, 0xe4, 0xe9, 0x7a, 0xe8, 0x4f, 0x6d, 0xa0, 0x95,
++ 0x35, 0xd5, 0xb9, 0xdf, 0x25, 0x91, 0x81, 0xa7, 0x9b, 0x63, 0xb0, 0x69,
++ 0xe9, 0x49, 0x97, 0x2b, 0x02, 0xba, 0x36, 0xb3, 0x58, 0x6a, 0xab, 0x7e,
++ 0x45, 0xf3, 0x22, 0xf8, 0x2e, 0x4e, 0x85, 0xca, 0x3a, 0xb8, 0x55, 0x91,
++ 0xb3, 0xc2, 0xa9, 0x66
++};
++
++static const unsigned char dsa_test_2048_pub_key[] = {
++ 0x24, 0x52, 0xf3, 0xcc, 0xbe, 0x9e, 0xd5, 0xca, 0x7d, 0xc7, 0x4c, 0x60,
++ 0x2b, 0x99, 0x22, 0x6e, 0x8f, 0x2f, 0xab, 0x38, 0xe7, 0xd7, 0xdd, 0xfb,
++ 0x75, 0x53, 0x9b, 0x17, 0x15, 0x5e, 0x9f, 0xcf, 0xd1, 0xab, 0xa5, 0x64,
++ 0xeb, 0x85, 0x35, 0xd8, 0x12, 0xc9, 0xc2, 0xdc, 0xf9, 0x72, 0x84, 0x44,
++ 0x1b, 0xc4, 0x82, 0x24, 0x36, 0x24, 0xc7, 0xf4, 0x57, 0x58, 0x0c, 0x1c,
++ 0x38, 0xa5, 0x7c, 0x46, 0xc4, 0x57, 0x39, 0x24, 0x70, 0xed, 0xb5, 0x2c,
++ 0xb5, 0xa6, 0xe0, 0x3f, 0xe6, 0x28, 0x7b, 0xb6, 0xf4, 0x9a, 0x42, 0xa2,
++ 0x06, 0x5a, 0x05, 0x4f, 0x03, 0x08, 0x39, 0xdf, 0x1f, 0xd3, 0x14, 0x9c,
++ 0x4c, 0xa0, 0x53, 0x1d, 0xd8, 0xca, 0x8a, 0xaa, 0x9c, 0xc7, 0x33, 0x71,
++ 0x93, 0x38, 0x73, 0x48, 0x33, 0x61, 0x18, 0x22, 0x45, 0x45, 0xe8, 0x8c,
++ 0x80, 0xff, 0xd8, 0x76, 0x5d, 0x74, 0x36, 0x03, 0x33, 0xcc, 0xab, 0x99,
++ 0x72, 0x77, 0x9b, 0x65, 0x25, 0xa6, 0x5b, 0xdd, 0x0d, 0x10, 0xc6, 0x75,
++ 0xc1, 0x09, 0xbb, 0xd3, 0xe5, 0xbe, 0x4d, 0x72, 0xef, 0x6e, 0xba, 0x6e,
++ 0x43, 0x8d, 0x52, 0x26, 0x23, 0x7d, 0xb8, 0x88, 0x37, 0x9c, 0x5f, 0xcc,
++ 0x47, 0xa3, 0x84, 0x7f, 0xf6, 0x37, 0x11, 0xba, 0xed, 0x6d, 0x03, 0xaf,
++ 0xe8, 0x1e, 0x69, 0x4a, 0x41, 0x3b, 0x68, 0x0b, 0xd3, 0x8a, 0xb4, 0x90,
++ 0x3f, 0x83, 0x70, 0xa7, 0x07, 0xef, 0x55, 0x1d, 0x49, 0x41, 0x02, 0x6d,
++ 0x95, 0x79, 0xd6, 0x91, 0xde, 0x8e, 0xda, 0xa1, 0x61, 0x05, 0xeb, 0x9d,
++ 0xba, 0x3c, 0x2f, 0x4c, 0x1b, 0xec, 0x50, 0x82, 0x75, 0xaa, 0x02, 0x07,
++ 0xe2, 0x51, 0xb5, 0xec, 0xcb, 0x28, 0x6a, 0x4b, 0x01, 0xd4, 0x49, 0xd3,
++ 0x0a, 0xcb, 0x67, 0x37, 0x17, 0xa0, 0xd2, 0xfb, 0x3b, 0x50, 0xc8, 0x93,
++ 0xf7, 0xda, 0xb1, 0x4f
++};
++
++static const unsigned char dsa_test_2048_priv_key[] = {
++ 0x0c, 0x4b, 0x30, 0x89, 0xd1, 0xb8, 0x62, 0xcb, 0x3c, 0x43, 0x64, 0x91,
++ 0xf0, 0x91, 0x54, 0x70, 0xc5, 0x27, 0x96, 0xe3, 0xac, 0xbe, 0xe8, 0x00,
++ 0xec, 0x55, 0xf6, 0xcc
++};
++
++static int corrupt_dsa;
++
++void FIPS_corrupt_dsa()
++{
++ corrupt_dsa = 1;
++}
++
++int FIPS_selftest_dsa()
++{
++ DSA *dsa = NULL;
++ EVP_PKEY *pk = NULL;
++ int ret = 0;
++
++ dsa = DSA_new();
++
++ if (dsa == NULL)
++ goto err;
++
++ fips_load_key_component(dsa, p, dsa_test_2048);
++ fips_load_key_component(dsa, q, dsa_test_2048);
++ fips_load_key_component(dsa, g, dsa_test_2048);
++ fips_load_key_component(dsa, pub_key, dsa_test_2048);
++ fips_load_key_component(dsa, priv_key, dsa_test_2048);
++
++ if (corrupt_dsa)
++ BN_set_bit(dsa->pub_key, 2047);
++
++ if ((pk = EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_assign_DSA(pk, dsa);
++
++ if (!fips_pkey_signature_test(pk, NULL, 0,
++ NULL, 0, EVP_sha256(), 0, "DSA SHA256"))
++ goto err;
++ ret = 1;
++
++ err:
++ if (pk)
++ EVP_PKEY_free(pk);
++ else if (dsa)
++ DSA_free(dsa);
++ return ret;
++}
++#endif
+diff -up openssl-1.0.2a/crypto/fips/fips_enc.c.fips openssl-1.0.2a/crypto/fips/fips_enc.c
+--- openssl-1.0.2a/crypto/fips/fips_enc.c.fips 2015-04-22 16:08:40.297245773 +0200
++++ openssl-1.0.2a/crypto/fips/fips_enc.c 2015-04-22 16:08:40.297245773 +0200
+@@ -0,0 +1,189 @@
++/* fipe/evp/fips_enc.c */
++/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
++ * All rights reserved.
++ *
++ * This package is an SSL implementation written
++ * by Eric Young (eay at cryptsoft.com).
++ * The implementation was written so as to conform with Netscapes SSL.
++ *
++ * This library is free for commercial and non-commercial use as long as
++ * the following conditions are aheared to. The following conditions
++ * apply to all code found in this distribution, be it the RC4, RSA,
++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
++ * included with this distribution is covered by the same copyright terms
++ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
++ *
++ * Copyright remains Eric Young's, and as such any Copyright notices in
++ * the code are not to be removed.
++ * If this package is used in a product, Eric Young should be given attribution
++ * as the author of the parts of the library used.
++ * This can be in the form of a textual message at program startup or
++ * in documentation (online or textual) provided with the package.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ * must display the following acknowledgement:
++ * "This product includes cryptographic software written by
++ * Eric Young (eay at cryptsoft.com)"
++ * The word 'cryptographic' can be left out if the rouines from the library
++ * being used are not cryptographic related :-).
++ * 4. If you include any Windows specific code (or a derivative thereof) from
++ * the apps directory (application code) you must include an acknowledgement:
++ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ * The licence and distribution terms for any publically available version or
++ * derivative of this code cannot be changed. i.e. this code cannot simply be
++ * copied and put under another distribution licence
++ * [including the GNU Public Licence.]
++ */
++
++#include <stdio.h>
++#include <string.h>
++#include <openssl/evp.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++
++const EVP_CIPHER *FIPS_get_cipherbynid(int nid)
++{
++ switch (nid) {
++ case NID_aes_128_cbc:
++ return EVP_aes_128_cbc();
++
++ case NID_aes_128_ccm:
++ return EVP_aes_128_ccm();
++
++ case NID_aes_128_cfb1:
++ return EVP_aes_128_cfb1();
++
++ case NID_aes_128_cfb128:
++ return EVP_aes_128_cfb128();
++
++ case NID_aes_128_cfb8:
++ return EVP_aes_128_cfb8();
++
++ case NID_aes_128_ctr:
++ return EVP_aes_128_ctr();
++
++ case NID_aes_128_ecb:
++ return EVP_aes_128_ecb();
++
++ case NID_aes_128_gcm:
++ return EVP_aes_128_gcm();
++
++ case NID_aes_128_ofb128:
++ return EVP_aes_128_ofb();
++
++ case NID_aes_128_xts:
++ return EVP_aes_128_xts();
++
++ case NID_aes_192_cbc:
++ return EVP_aes_192_cbc();
++
++ case NID_aes_192_ccm:
++ return EVP_aes_192_ccm();
++
++ case NID_aes_192_cfb1:
++ return EVP_aes_192_cfb1();
++
++ case NID_aes_192_cfb128:
++ return EVP_aes_192_cfb128();
++
++ case NID_aes_192_cfb8:
++ return EVP_aes_192_cfb8();
++
++ case NID_aes_192_ctr:
++ return EVP_aes_192_ctr();
++
++ case NID_aes_192_ecb:
++ return EVP_aes_192_ecb();
++
++ case NID_aes_192_gcm:
++ return EVP_aes_192_gcm();
++
++ case NID_aes_192_ofb128:
++ return EVP_aes_192_ofb();
++
++ case NID_aes_256_cbc:
++ return EVP_aes_256_cbc();
++
++ case NID_aes_256_ccm:
++ return EVP_aes_256_ccm();
++
++ case NID_aes_256_cfb1:
++ return EVP_aes_256_cfb1();
++
++ case NID_aes_256_cfb128:
++ return EVP_aes_256_cfb128();
++
++ case NID_aes_256_cfb8:
++ return EVP_aes_256_cfb8();
++
++ case NID_aes_256_ctr:
++ return EVP_aes_256_ctr();
++
++ case NID_aes_256_ecb:
++ return EVP_aes_256_ecb();
++
++ case NID_aes_256_gcm:
++ return EVP_aes_256_gcm();
++
++ case NID_aes_256_ofb128:
++ return EVP_aes_256_ofb();
++
++ case NID_aes_256_xts:
++ return EVP_aes_256_xts();
++
++ case NID_des_ede_ecb:
++ return EVP_des_ede();
++
++ case NID_des_ede3_ecb:
++ return EVP_des_ede3();
++
++ case NID_des_ede3_cbc:
++ return EVP_des_ede3_cbc();
++
++ case NID_des_ede3_cfb1:
++ return EVP_des_ede3_cfb1();
++
++ case NID_des_ede3_cfb64:
++ return EVP_des_ede3_cfb64();
++
++ case NID_des_ede3_cfb8:
++ return EVP_des_ede3_cfb8();
++
++ case NID_des_ede3_ofb64:
++ return EVP_des_ede3_ofb();
++
++ case NID_des_ede_cbc:
++ return EVP_des_ede_cbc();
++
++ case NID_des_ede_cfb64:
++ return EVP_des_ede_cfb64();
++
++ case NID_des_ede_ofb64:
++ return EVP_des_ede_ofb();
++
++ default:
++ return NULL;
++
++ }
++}
+diff -up openssl-1.0.2a/crypto/fips/fips.h.fips openssl-1.0.2a/crypto/fips/fips.h
+--- openssl-1.0.2a/crypto/fips/fips.h.fips 2015-04-22 16:08:40.297245773 +0200
++++ openssl-1.0.2a/crypto/fips/fips.h 2015-04-22 16:08:40.297245773 +0200
+@@ -0,0 +1,278 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <openssl/opensslconf.h>
++#include <openssl/crypto.h>
++#include <stdarg.h>
++
++#ifndef OPENSSL_FIPS
++# error FIPS is disabled.
++#endif
++
++#ifdef OPENSSL_FIPS
++
++# ifdef __cplusplus
++extern "C" {
++# endif
++
++ struct dsa_st;
++ struct rsa_st;
++ struct evp_pkey_st;
++ struct env_md_st;
++ struct env_md_ctx_st;
++ struct evp_cipher_st;
++ struct evp_cipher_ctx_st;
++ struct dh_method;
++ struct CMAC_CTX_st;
++ struct hmac_ctx_st;
++
++ int FIPS_module_mode_set(int onoff, const char *auth);
++ int FIPS_module_mode(void);
++ const void *FIPS_rand_check(void);
++ int FIPS_selftest(void);
++ int FIPS_selftest_failed(void);
++ void FIPS_corrupt_sha1(void);
++ int FIPS_selftest_sha1(void);
++ int FIPS_selftest_sha2(void);
++ void FIPS_corrupt_aes(void);
++ int FIPS_selftest_aes_ccm(void);
++ int FIPS_selftest_aes_gcm(void);
++ int FIPS_selftest_aes_xts(void);
++ int FIPS_selftest_aes(void);
++ void FIPS_corrupt_des(void);
++ int FIPS_selftest_des(void);
++ void FIPS_corrupt_rsa(void);
++ void FIPS_corrupt_rsa_keygen(void);
++ int FIPS_selftest_rsa(void);
++ void FIPS_corrupt_dsa(void);
++ void FIPS_corrupt_dsa_keygen(void);
++ int FIPS_selftest_dsa(void);
++ void FIPS_corrupt_rng(void);
++ void FIPS_rng_stick(void);
++ void FIPS_x931_stick(int onoff);
++ void FIPS_drbg_stick(int onoff);
++ int FIPS_selftest_rng(void);
++ int FIPS_selftest_x931(void);
++ int FIPS_selftest_hmac(void);
++ int FIPS_selftest_drbg(void);
++ int FIPS_selftest_drbg_all(void);
++ int FIPS_selftest_cmac(void);
++
++ void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
++
++# define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \
++ alg " previous FIPS forbidden algorithm error ignored");
++
++ int fips_pkey_signature_test(struct evp_pkey_st *pkey,
++ const unsigned char *tbs, int tbslen,
++ const unsigned char *kat,
++ unsigned int katlen,
++ const struct env_md_st *digest,
++ unsigned int md_flags, const char *fail_str);
++
++ int fips_cipher_test(struct evp_cipher_ctx_st *ctx,
++ const struct evp_cipher_st *cipher,
++ const unsigned char *key,
++ const unsigned char *iv,
++ const unsigned char *plaintext,
++ const unsigned char *ciphertext, int len);
++
++ void fips_set_selftest_fail(void);
++
++ const struct env_md_st *FIPS_get_digestbynid(int nid);
++
++ const struct evp_cipher_st *FIPS_get_cipherbynid(int nid);
++
++/* BEGIN ERROR CODES */
++/* The following lines are auto generated by the script mkerr.pl. Any changes
++ * made after this point may be overwritten when the script is next run.
++ */
++ void ERR_load_FIPS_strings(void);
++
++/* Error codes for the FIPS functions. */
++
++/* Function codes. */
++# define FIPS_F_DH_BUILTIN_GENPARAMS 100
++# define FIPS_F_DH_INIT 148
++# define FIPS_F_DRBG_RESEED 162
++# define FIPS_F_DSA_BUILTIN_PARAMGEN 101
++# define FIPS_F_DSA_BUILTIN_PARAMGEN2 107
++# define FIPS_F_DSA_DO_SIGN 102
++# define FIPS_F_DSA_DO_VERIFY 103
++# define FIPS_F_ECDH_COMPUTE_KEY 163
++# define FIPS_F_ECDSA_DO_SIGN 164
++# define FIPS_F_ECDSA_DO_VERIFY 165
++# define FIPS_F_EC_KEY_GENERATE_KEY 166
++# define FIPS_F_EVP_CIPHERINIT_EX 124
++# define FIPS_F_EVP_DIGESTINIT_EX 125
++# define FIPS_F_FIPS_CHECK_DSA 104
++# define FIPS_F_FIPS_CHECK_DSA_PRNG 151
++# define FIPS_F_FIPS_CHECK_EC 142
++# define FIPS_F_FIPS_CHECK_EC_PRNG 152
++# define FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT 105
++# define FIPS_F_FIPS_CHECK_RSA 106
++# define FIPS_F_FIPS_CHECK_RSA_PRNG 150
++# define FIPS_F_FIPS_CIPHER 160
++# define FIPS_F_FIPS_CIPHERINIT 143
++# define FIPS_F_FIPS_CIPHER_CTX_CTRL 161
++# define FIPS_F_FIPS_DIGESTFINAL 158
++# define FIPS_F_FIPS_DIGESTINIT 128
++# define FIPS_F_FIPS_DIGESTUPDATE 159
++# define FIPS_F_FIPS_DRBG_BYTES 131
++# define FIPS_F_FIPS_DRBG_CHECK 146
++# define FIPS_F_FIPS_DRBG_CPRNG_TEST 132
++# define FIPS_F_FIPS_DRBG_ERROR_CHECK 136
++# define FIPS_F_FIPS_DRBG_GENERATE 134
++# define FIPS_F_FIPS_DRBG_INIT 135
++# define FIPS_F_FIPS_DRBG_INSTANTIATE 138
++# define FIPS_F_FIPS_DRBG_NEW 139
++# define FIPS_F_FIPS_DRBG_RESEED 140
++# define FIPS_F_FIPS_DRBG_SINGLE_KAT 141
++# define FIPS_F_FIPS_DSA_CHECK /* unused */ 107
++# define FIPS_F_FIPS_DSA_SIGN_DIGEST 154
++# define FIPS_F_FIPS_DSA_VERIFY_DIGEST 155
++# define FIPS_F_FIPS_GET_ENTROPY 147
++# define FIPS_F_FIPS_MODE_SET /* unused */ 108
++# define FIPS_F_FIPS_MODULE_MODE_SET 108
++# define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109
++# define FIPS_F_FIPS_RAND_ADD 137
++# define FIPS_F_FIPS_RAND_BYTES 122
++# define FIPS_F_FIPS_RAND_PSEUDO_BYTES 167
++# define FIPS_F_FIPS_RAND_SEED 168
++# define FIPS_F_FIPS_RAND_SET_METHOD 126
++# define FIPS_F_FIPS_RAND_STATUS 127
++# define FIPS_F_FIPS_RSA_SIGN_DIGEST 156
++# define FIPS_F_FIPS_RSA_VERIFY_DIGEST 157
++# define FIPS_F_FIPS_SELFTEST_AES 110
++# define FIPS_F_FIPS_SELFTEST_AES_CCM 145
++# define FIPS_F_FIPS_SELFTEST_AES_GCM 129
++# define FIPS_F_FIPS_SELFTEST_AES_XTS 144
++# define FIPS_F_FIPS_SELFTEST_CMAC 130
++# define FIPS_F_FIPS_SELFTEST_DES 111
++# define FIPS_F_FIPS_SELFTEST_DSA 112
++# define FIPS_F_FIPS_SELFTEST_ECDSA 133
++# define FIPS_F_FIPS_SELFTEST_HMAC 113
++# define FIPS_F_FIPS_SELFTEST_RNG /* unused */ 114
++# define FIPS_F_FIPS_SELFTEST_SHA1 115
++# define FIPS_F_FIPS_SELFTEST_X931 114
++# define FIPS_F_FIPS_SET_PRNG_KEY 153
++# define FIPS_F_HASH_FINAL 123
++# define FIPS_F_RSA_BUILTIN_KEYGEN 116
++# define FIPS_F_RSA_EAY_INIT 149
++# define FIPS_F_RSA_EAY_PRIVATE_DECRYPT 117
++# define FIPS_F_RSA_EAY_PRIVATE_ENCRYPT 118
++# define FIPS_F_RSA_EAY_PUBLIC_DECRYPT 119
++# define FIPS_F_RSA_EAY_PUBLIC_ENCRYPT 120
++# define FIPS_F_RSA_X931_GENERATE_KEY_EX 121
++# define FIPS_F_SSLEAY_RAND_BYTES /* unused */ 122
++
++/* Reason codes. */
++# define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 150
++# define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 125
++# define FIPS_R_ALREADY_INSTANTIATED 134
++# define FIPS_R_AUTHENTICATION_FAILURE 151
++# define FIPS_R_CANNOT_READ_EXE /* unused */ 103
++# define FIPS_R_CANNOT_READ_EXE_DIGEST /* unused */ 104
++# define FIPS_R_CONTRADICTING_EVIDENCE 114
++# define FIPS_R_DRBG_NOT_INITIALISED 152
++# define FIPS_R_DRBG_STUCK 103
++# define FIPS_R_ENTROPY_ERROR_UNDETECTED 104
++# define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105
++# define FIPS_R_ENTROPY_SOURCE_STUCK 142
++# define FIPS_R_ERROR_INITIALISING_DRBG 115
++# define FIPS_R_ERROR_INSTANTIATING_DRBG 127
++# define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 124
++# define FIPS_R_ERROR_RETRIEVING_ENTROPY 122
++# define FIPS_R_ERROR_RETRIEVING_NONCE 140
++# define FIPS_R_EXE_DIGEST_DOES_NOT_MATCH /* unused */ 105
++# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 110
++# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED 111
++# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING 112
++# define FIPS_R_FIPS_MODE_ALREADY_SET 102
++# define FIPS_R_FIPS_SELFTEST_FAILED 106
++# define FIPS_R_FUNCTION_ERROR 116
++# define FIPS_R_GENERATE_ERROR 137
++# define FIPS_R_GENERATE_ERROR_UNDETECTED 118
++# define FIPS_R_INSTANTIATE_ERROR 119
++# define FIPS_R_INSUFFICIENT_SECURITY_STRENGTH 120
++# define FIPS_R_INTERNAL_ERROR 121
++# define FIPS_R_INVALID_KEY_LENGTH 109
++# define FIPS_R_INVALID_PARAMETERS 144
++# define FIPS_R_IN_ERROR_STATE 123
++# define FIPS_R_KEY_TOO_SHORT 108
++# define FIPS_R_NONCE_ERROR_UNDETECTED 149
++# define FIPS_R_NON_FIPS_METHOD 100
++# define FIPS_R_NOPR_TEST1_FAILURE 145
++# define FIPS_R_NOPR_TEST2_FAILURE 146
++# define FIPS_R_NOT_INSTANTIATED 126
++# define FIPS_R_PAIRWISE_TEST_FAILED 107
++# define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128
++# define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129
++# define FIPS_R_PRNG_STRENGTH_TOO_LOW 143
++# define FIPS_R_PR_TEST1_FAILURE 147
++# define FIPS_R_PR_TEST2_FAILURE 148
++# define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 130
++# define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 131
++# define FIPS_R_RESEED_COUNTER_ERROR 132
++# define FIPS_R_RESEED_ERROR 133
++# define FIPS_R_RSA_DECRYPT_ERROR /* unused */ 115
++# define FIPS_R_RSA_ENCRYPT_ERROR /* unused */ 116
++# define FIPS_R_SELFTEST_FAILED 101
++# define FIPS_R_SELFTEST_FAILURE 135
++# define FIPS_R_STRENGTH_ERROR_UNDETECTED 136
++# define FIPS_R_TEST_FAILURE 117
++# define FIPS_R_UNINSTANTIATE_ERROR 141
++# define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 138
++# define FIPS_R_UNSUPPORTED_DRBG_TYPE 139
++# define FIPS_R_UNSUPPORTED_PLATFORM 113
++
++# ifdef __cplusplus
++}
++# endif
++#endif
+diff -up openssl-1.0.2a/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_hmac_selftest.c
+--- openssl-1.0.2a/crypto/fips/fips_hmac_selftest.c.fips 2015-04-22 16:08:40.297245773 +0200
++++ openssl-1.0.2a/crypto/fips/fips_hmac_selftest.c 2015-04-22 16:08:40.297245773 +0200
+@@ -0,0 +1,134 @@
++/* ====================================================================
++ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++#include <openssl/hmac.h>
++
++#ifdef OPENSSL_FIPS
++typedef struct {
++ const EVP_MD *(*alg) (void);
++ const char *key, *iv;
++ unsigned char kaval[EVP_MAX_MD_SIZE];
++} HMAC_KAT;
++
++static const HMAC_KAT vector[] = {
++ {EVP_sha1,
++ /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ {0x09, 0x22, 0xd3, 0x40, 0x5f, 0xaa, 0x3d, 0x19,
++ 0x4f, 0x82, 0xa4, 0x58, 0x30, 0x73, 0x7d, 0x5c,
++ 0xc6, 0xc7, 0x5d, 0x24}
++ },
++ {EVP_sha224,
++ /* just keep extending the above... */
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ {0xdd, 0xef, 0x0a, 0x40, 0xcb, 0x7d, 0x50, 0xfb,
++ 0x6e, 0xe6, 0xce, 0xa1, 0x20, 0xba, 0x26, 0xaa,
++ 0x08, 0xf3, 0x07, 0x75, 0x87, 0xb8, 0xad, 0x1b,
++ 0x8c, 0x8d, 0x12, 0xc7}
++ },
++ {EVP_sha256,
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ {0xb8, 0xf2, 0x0d, 0xb5, 0x41, 0xea, 0x43, 0x09,
++ 0xca, 0x4e, 0xa9, 0x38, 0x0c, 0xd0, 0xe8, 0x34,
++ 0xf7, 0x1f, 0xbe, 0x91, 0x74, 0xa2, 0x61, 0x38,
++ 0x0d, 0xc1, 0x7e, 0xae, 0x6a, 0x34, 0x51, 0xd9}
++ },
++ {EVP_sha384,
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ {0x08, 0xbc, 0xb0, 0xda, 0x49, 0x1e, 0x87, 0xad,
++ 0x9a, 0x1d, 0x6a, 0xce, 0x23, 0xc5, 0x0b, 0xf6,
++ 0xb7, 0x18, 0x06, 0xa5, 0x77, 0xcd, 0x49, 0x04,
++ 0x89, 0xf1, 0xe6, 0x23, 0x44, 0x51, 0x51, 0x9f,
++ 0x85, 0x56, 0x80, 0x79, 0x0c, 0xbd, 0x4d, 0x50,
++ 0xa4, 0x5f, 0x29, 0xe3, 0x93, 0xf0, 0xe8, 0x7f}
++ },
++ {EVP_sha512,
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ {0x80, 0x9d, 0x44, 0x05, 0x7c, 0x5b, 0x95, 0x41,
++ 0x05, 0xbd, 0x04, 0x13, 0x16, 0xdb, 0x0f, 0xac,
++ 0x44, 0xd5, 0xa4, 0xd5, 0xd0, 0x89, 0x2b, 0xd0,
++ 0x4e, 0x86, 0x64, 0x12, 0xc0, 0x90, 0x77, 0x68,
++ 0xf1, 0x87, 0xb7, 0x7c, 0x4f, 0xae, 0x2c, 0x2f,
++ 0x21, 0xa5, 0xb5, 0x65, 0x9a, 0x4f, 0x4b, 0xa7,
++ 0x47, 0x02, 0xa3, 0xde, 0x9b, 0x51, 0xf1, 0x45,
++ 0xbd, 0x4f, 0x25, 0x27, 0x42, 0x98, 0x99, 0x05}
++ },
++};
++
++int FIPS_selftest_hmac()
++{
++ int n;
++ unsigned int outlen;
++ unsigned char out[EVP_MAX_MD_SIZE];
++ const EVP_MD *md;
++ const HMAC_KAT *t;
++
++ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) {
++ md = (*t->alg) ();
++ HMAC(md, t->key, strlen(t->key),
++ (const unsigned char *)t->iv, strlen(t->iv), out, &outlen);
++
++ if (memcmp(out, t->kaval, outlen)) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++ }
++ return 1;
++}
++#endif
+diff -up openssl-1.0.2a/crypto/fips/fips_locl.h.fips openssl-1.0.2a/crypto/fips/fips_locl.h
+--- openssl-1.0.2a/crypto/fips/fips_locl.h.fips 2015-04-22 16:08:40.297245773 +0200
++++ openssl-1.0.2a/crypto/fips/fips_locl.h 2015-04-22 16:08:40.297245773 +0200
+@@ -0,0 +1,71 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#ifdef OPENSSL_FIPS
++
++# ifdef __cplusplus
++extern "C" {
++# endif
++
++# define FIPS_MAX_CIPHER_TEST_SIZE 32
++# define fips_load_key_component(key, comp, pre) \
++ key->comp = BN_bin2bn(pre##_##comp, sizeof(pre##_##comp), key->comp); \
++ if (!key->comp) \
++ goto err
++
++# define fips_post_started(id, subid, ex) 1
++# define fips_post_success(id, subid, ex) 1
++# define fips_post_failed(id, subid, ex) 1
++# define fips_post_corrupt(id, subid, ex) 1
++# define fips_post_status() 1
++
++# ifdef __cplusplus
++}
++# endif
++#endif
+diff -up openssl-1.0.2a/crypto/fips/fips_md.c.fips openssl-1.0.2a/crypto/fips/fips_md.c
+--- openssl-1.0.2a/crypto/fips/fips_md.c.fips 2015-04-22 16:08:40.298245796 +0200
++++ openssl-1.0.2a/crypto/fips/fips_md.c 2015-04-22 16:08:40.298245796 +0200
+@@ -0,0 +1,144 @@
++/* fips/evp/fips_md.c */
++/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
++ * All rights reserved.
++ *
++ * This package is an SSL implementation written
++ * by Eric Young (eay at cryptsoft.com).
++ * The implementation was written so as to conform with Netscapes SSL.
++ *
++ * This library is free for commercial and non-commercial use as long as
++ * the following conditions are aheared to. The following conditions
++ * apply to all code found in this distribution, be it the RC4, RSA,
++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
++ * included with this distribution is covered by the same copyright terms
++ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
++ *
++ * Copyright remains Eric Young's, and as such any Copyright notices in
++ * the code are not to be removed.
++ * If this package is used in a product, Eric Young should be given attribution
++ * as the author of the parts of the library used.
++ * This can be in the form of a textual message at program startup or
++ * in documentation (online or textual) provided with the package.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ * must display the following acknowledgement:
++ * "This product includes cryptographic software written by
++ * Eric Young (eay at cryptsoft.com)"
++ * The word 'cryptographic' can be left out if the rouines from the library
++ * being used are not cryptographic related :-).
++ * 4. If you include any Windows specific code (or a derivative thereof) from
++ * the apps directory (application code) you must include an acknowledgement:
++ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ * The licence and distribution terms for any publically available version or
++ * derivative of this code cannot be changed. i.e. this code cannot simply be
++ * copied and put under another distribution licence
++ * [including the GNU Public Licence.]
++ */
++/* ====================================================================
++ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay at cryptsoft.com). This product includes software written by Tim
++ * Hudson (tjh at cryptsoft.com).
++ *
++ */
++
++/* Minimal standalone FIPS versions of Digest operations */
++
++#define OPENSSL_FIPSAPI
++
++#include <stdio.h>
++#include <string.h>
++#include <openssl/objects.h>
++#include <openssl/evp.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++
++const EVP_MD *FIPS_get_digestbynid(int nid)
++{
++ switch (nid) {
++ case NID_sha1:
++ return EVP_sha1();
++
++ case NID_sha224:
++ return EVP_sha224();
++
++ case NID_sha256:
++ return EVP_sha256();
++
++ case NID_sha384:
++ return EVP_sha384();
++
++ case NID_sha512:
++ return EVP_sha512();
++
++ default:
++ return NULL;
++ }
++}
+diff -up openssl-1.0.2a/crypto/fips/fips_post.c.fips openssl-1.0.2a/crypto/fips/fips_post.c
+--- openssl-1.0.2a/crypto/fips/fips_post.c.fips 2015-04-22 16:08:40.298245796 +0200
++++ openssl-1.0.2a/crypto/fips/fips_post.c 2015-04-22 16:08:40.298245796 +0200
+@@ -0,0 +1,201 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#define OPENSSL_FIPSAPI
++
++#include <openssl/crypto.h>
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++#include <openssl/err.h>
++#include <openssl/bio.h>
++#include <openssl/hmac.h>
++#include <openssl/rsa.h>
++#include <openssl/dsa.h>
++#include <string.h>
++#include <limits.h>
++
++#ifdef OPENSSL_FIPS
++
++/* Power on self test (POST) support functions */
++
++# include <openssl/fips.h>
++# include "fips_locl.h"
++
++/* Run all selftests */
++int FIPS_selftest(void)
++{
++ int rv = 1;
++ if (!FIPS_selftest_drbg())
++ rv = 0;
++ if (!FIPS_selftest_x931())
++ rv = 0;
++ if (!FIPS_selftest_sha1())
++ rv = 0;
++ if (!FIPS_selftest_sha2())
++ rv = 0;
++ if (!FIPS_selftest_hmac())
++ rv = 0;
++ if (!FIPS_selftest_cmac())
++ rv = 0;
++ if (!FIPS_selftest_aes())
++ rv = 0;
++ if (!FIPS_selftest_aes_ccm())
++ rv = 0;
++ if (!FIPS_selftest_aes_gcm())
++ rv = 0;
++ if (!FIPS_selftest_aes_xts())
++ rv = 0;
++ if (!FIPS_selftest_des())
++ rv = 0;
++ if (!FIPS_selftest_rsa())
++ rv = 0;
++ if (!FIPS_selftest_dsa())
++ rv = 0;
++ return rv;
++}
++
++/* Generalized public key test routine. Signs and verifies the data
++ * supplied in tbs using mesage digest md and setting option digest
++ * flags md_flags. If the 'kat' parameter is not NULL it will
++ * additionally check the signature matches it: a known answer test
++ * The string "fail_str" is used for identification purposes in case
++ * of failure. If "pkey" is NULL just perform a message digest check.
++ */
++
++int fips_pkey_signature_test(EVP_PKEY *pkey,
++ const unsigned char *tbs, int tbslen,
++ const unsigned char *kat, unsigned int katlen,
++ const EVP_MD *digest, unsigned int md_flags,
++ const char *fail_str)
++{
++ int ret = 0;
++ unsigned char sigtmp[256], *sig = sigtmp;
++ unsigned int siglen;
++ EVP_MD_CTX mctx;
++ EVP_MD_CTX_init(&mctx);
++
++ if (digest == NULL)
++ digest = EVP_sha256();
++
++ if ((pkey->type == EVP_PKEY_RSA)
++ && (RSA_size(pkey->pkey.rsa) > sizeof(sigtmp))) {
++ sig = OPENSSL_malloc(RSA_size(pkey->pkey.rsa));
++ if (!sig) {
++ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, ERR_R_MALLOC_FAILURE);
++ return 0;
++ }
++ }
++
++ if (tbslen == -1)
++ tbslen = strlen((char *)tbs);
++
++ if (md_flags)
++ EVP_MD_CTX_set_flags(&mctx, md_flags);
++
++ if (!EVP_SignInit_ex(&mctx, digest, NULL))
++ goto error;
++ if (!EVP_SignUpdate(&mctx, tbs, tbslen))
++ goto error;
++ if (!EVP_SignFinal(&mctx, sig, &siglen, pkey))
++ goto error;
++
++ if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen)))
++ goto error;
++
++ if (!EVP_VerifyInit_ex(&mctx, digest, NULL))
++ goto error;
++ if (!EVP_VerifyUpdate(&mctx, tbs, tbslen))
++ goto error;
++ ret = EVP_VerifyFinal(&mctx, sig, siglen, pkey);
++
++ error:
++ if (sig != sigtmp)
++ OPENSSL_free(sig);
++ EVP_MD_CTX_cleanup(&mctx);
++ if (ret != 1) {
++ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, FIPS_R_TEST_FAILURE);
++ if (fail_str)
++ ERR_add_error_data(2, "Type=", fail_str);
++ return 0;
++ }
++ return 1;
++}
++
++/* Generalized symmetric cipher test routine. Encrypt data, verify result
++ * against known answer, decrypt and compare with original plaintext.
++ */
++
++int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
++ const unsigned char *key,
++ const unsigned char *iv,
++ const unsigned char *plaintext,
++ const unsigned char *ciphertext, int len)
++{
++ unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE];
++ unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE];
++
++ OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE);
++ memset(pltmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
++ memset(citmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
++
++ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0)
++ return 0;
++ if (EVP_Cipher(ctx, citmp, plaintext, len) <= 0)
++ return 0;
++ if (memcmp(citmp, ciphertext, len))
++ return 0;
++ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0)
++ return 0;
++ if (EVP_Cipher(ctx, pltmp, citmp, len) <= 0)
++ return 0;
++ if (memcmp(pltmp, plaintext, len))
++ return 0;
++ return 1;
++}
++#endif
+diff -up openssl-1.0.2a/crypto/fips/fips_rand.c.fips openssl-1.0.2a/crypto/fips/fips_rand.c
+--- openssl-1.0.2a/crypto/fips/fips_rand.c.fips 2015-04-22 16:08:40.298245796 +0200
++++ openssl-1.0.2a/crypto/fips/fips_rand.c 2015-04-22 16:08:40.298245796 +0200
+@@ -0,0 +1,428 @@
++/* ====================================================================
++ * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++/*
++ * This is a FIPS approved AES PRNG based on ANSI X9.31 A.2.4.
++ */
++#include <openssl/crypto.h>
++#include "e_os.h"
++
++/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't
++ be defined and gettimeofday() won't be declared with strict compilers
++ like DEC C in ANSI C mode. */
++#ifndef _XOPEN_SOURCE_EXTENDED
++# define _XOPEN_SOURCE_EXTENDED 1
++#endif
++
++#include <openssl/rand.h>
++#include <openssl/aes.h>
++#include <openssl/err.h>
++#include <openssl/fips_rand.h>
++#if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS))
++# include <sys/time.h>
++#endif
++#if defined(OPENSSL_SYS_VXWORKS)
++# include <time.h>
++#endif
++#include <assert.h>
++#ifndef OPENSSL_SYS_WIN32
++# ifdef OPENSSL_UNISTD
++# include OPENSSL_UNISTD
++# else
++# include <unistd.h>
++# endif
++#endif
++#include <string.h>
++#include <openssl/fips.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++void *OPENSSL_stderr(void);
++
++# define AES_BLOCK_LENGTH 16
++
++/* AES FIPS PRNG implementation */
++
++typedef struct {
++ int seeded;
++ int keyed;
++ int test_mode;
++ int second;
++ int error;
++ unsigned long counter;
++ AES_KEY ks;
++ int vpos;
++ /* Temporary storage for key if it equals seed length */
++ unsigned char tmp_key[AES_BLOCK_LENGTH];
++ unsigned char V[AES_BLOCK_LENGTH];
++ unsigned char DT[AES_BLOCK_LENGTH];
++ unsigned char last[AES_BLOCK_LENGTH];
++} FIPS_PRNG_CTX;
++
++static FIPS_PRNG_CTX sctx;
++
++static int fips_prng_fail = 0;
++
++void FIPS_x931_stick(int onoff)
++{
++ fips_prng_fail = onoff;
++}
++
++void FIPS_rng_stick(void)
++{
++ FIPS_x931_stick(1);
++}
++
++static void fips_rand_prng_reset(FIPS_PRNG_CTX * ctx)
++{
++ ctx->seeded = 0;
++ ctx->keyed = 0;
++ ctx->test_mode = 0;
++ ctx->counter = 0;
++ ctx->second = 0;
++ ctx->error = 0;
++ ctx->vpos = 0;
++ OPENSSL_cleanse(ctx->V, AES_BLOCK_LENGTH);
++ OPENSSL_cleanse(&ctx->ks, sizeof(AES_KEY));
++}
++
++static int fips_set_prng_key(FIPS_PRNG_CTX * ctx,
++ const unsigned char *key, unsigned int keylen)
++{
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_FIPS_SET_PRNG_KEY, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++ if (keylen != 16 && keylen != 24 && keylen != 32) {
++ /* error: invalid key size */
++ return 0;
++ }
++ AES_set_encrypt_key(key, keylen << 3, &ctx->ks);
++ if (keylen == 16) {
++ memcpy(ctx->tmp_key, key, 16);
++ ctx->keyed = 2;
++ } else
++ ctx->keyed = 1;
++ ctx->seeded = 0;
++ ctx->second = 0;
++ return 1;
++}
++
++static int fips_set_prng_seed(FIPS_PRNG_CTX * ctx,
++ const unsigned char *seed, unsigned int seedlen)
++{
++ unsigned int i;
++ if (!ctx->keyed)
++ return 0;
++ /* In test mode seed is just supplied data */
++ if (ctx->test_mode) {
++ if (seedlen != AES_BLOCK_LENGTH)
++ return 0;
++ memcpy(ctx->V, seed, AES_BLOCK_LENGTH);
++ ctx->seeded = 1;
++ return 1;
++ }
++ /* Outside test mode XOR supplied data with existing seed */
++ for (i = 0; i < seedlen; i++) {
++ ctx->V[ctx->vpos++] ^= seed[i];
++ if (ctx->vpos == AES_BLOCK_LENGTH) {
++ ctx->vpos = 0;
++ /* Special case if first seed and key length equals
++ * block size check key and seed do not match.
++ */
++ if (ctx->keyed == 2) {
++ if (!memcmp(ctx->tmp_key, ctx->V, 16)) {
++ RANDerr(RAND_F_FIPS_SET_PRNG_SEED,
++ RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY);
++ return 0;
++ }
++ OPENSSL_cleanse(ctx->tmp_key, 16);
++ ctx->keyed = 1;
++ }
++ ctx->seeded = 1;
++ }
++ }
++ return 1;
++}
++
++static int fips_set_test_mode(FIPS_PRNG_CTX * ctx)
++{
++ if (ctx->keyed) {
++ RANDerr(RAND_F_FIPS_SET_TEST_MODE, RAND_R_PRNG_KEYED);
++ return 0;
++ }
++ ctx->test_mode = 1;
++ return 1;
++}
++
++int FIPS_x931_test_mode(void)
++{
++ return fips_set_test_mode(&sctx);
++}
++
++int FIPS_rand_test_mode(void)
++{
++ return fips_set_test_mode(&sctx);
++}
++
++int FIPS_x931_set_dt(unsigned char *dt)
++{
++ if (!sctx.test_mode) {
++ RANDerr(RAND_F_FIPS_X931_SET_DT, RAND_R_NOT_IN_TEST_MODE);
++ return 0;
++ }
++ memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
++ return 1;
++}
++
++int FIPS_rand_set_dt(unsigned char *dt)
++{
++ if (!sctx.test_mode) {
++ RANDerr(RAND_F_FIPS_RAND_SET_DT, RAND_R_NOT_IN_TEST_MODE);
++ return 0;
++ }
++ memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
++ return 1;
++}
++
++void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr)
++{
++# ifdef OPENSSL_SYS_WIN32
++ FILETIME ft;
++# elif defined(OPENSSL_SYS_VXWORKS)
++ struct timespec ts;
++# else
++ struct timeval tv;
++# endif
++
++# ifndef GETPID_IS_MEANINGLESS
++ unsigned long pid;
++# endif
++
++# ifdef OPENSSL_SYS_WIN32
++ GetSystemTimeAsFileTime(&ft);
++ buf[0] = (unsigned char)(ft.dwHighDateTime & 0xff);
++ buf[1] = (unsigned char)((ft.dwHighDateTime >> 8) & 0xff);
++ buf[2] = (unsigned char)((ft.dwHighDateTime >> 16) & 0xff);
++ buf[3] = (unsigned char)((ft.dwHighDateTime >> 24) & 0xff);
++ buf[4] = (unsigned char)(ft.dwLowDateTime & 0xff);
++ buf[5] = (unsigned char)((ft.dwLowDateTime >> 8) & 0xff);
++ buf[6] = (unsigned char)((ft.dwLowDateTime >> 16) & 0xff);
++ buf[7] = (unsigned char)((ft.dwLowDateTime >> 24) & 0xff);
++# elif defined(OPENSSL_SYS_VXWORKS)
++ clock_gettime(CLOCK_REALTIME, &ts);
++ buf[0] = (unsigned char)(ts.tv_sec & 0xff);
++ buf[1] = (unsigned char)((ts.tv_sec >> 8) & 0xff);
++ buf[2] = (unsigned char)((ts.tv_sec >> 16) & 0xff);
++ buf[3] = (unsigned char)((ts.tv_sec >> 24) & 0xff);
++ buf[4] = (unsigned char)(ts.tv_nsec & 0xff);
++ buf[5] = (unsigned char)((ts.tv_nsec >> 8) & 0xff);
++ buf[6] = (unsigned char)((ts.tv_nsec >> 16) & 0xff);
++ buf[7] = (unsigned char)((ts.tv_nsec >> 24) & 0xff);
++# else
++ gettimeofday(&tv, NULL);
++ buf[0] = (unsigned char)(tv.tv_sec & 0xff);
++ buf[1] = (unsigned char)((tv.tv_sec >> 8) & 0xff);
++ buf[2] = (unsigned char)((tv.tv_sec >> 16) & 0xff);
++ buf[3] = (unsigned char)((tv.tv_sec >> 24) & 0xff);
++ buf[4] = (unsigned char)(tv.tv_usec & 0xff);
++ buf[5] = (unsigned char)((tv.tv_usec >> 8) & 0xff);
++ buf[6] = (unsigned char)((tv.tv_usec >> 16) & 0xff);
++ buf[7] = (unsigned char)((tv.tv_usec >> 24) & 0xff);
++# endif
++ buf[8] = (unsigned char)(*pctr & 0xff);
++ buf[9] = (unsigned char)((*pctr >> 8) & 0xff);
++ buf[10] = (unsigned char)((*pctr >> 16) & 0xff);
++ buf[11] = (unsigned char)((*pctr >> 24) & 0xff);
++
++ (*pctr)++;
++
++# ifndef GETPID_IS_MEANINGLESS
++ pid = (unsigned long)getpid();
++ buf[12] = (unsigned char)(pid & 0xff);
++ buf[13] = (unsigned char)((pid >> 8) & 0xff);
++ buf[14] = (unsigned char)((pid >> 16) & 0xff);
++ buf[15] = (unsigned char)((pid >> 24) & 0xff);
++# endif
++}
++
++static int fips_rand(FIPS_PRNG_CTX * ctx,
++ unsigned char *out, unsigned int outlen)
++{
++ unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
++ unsigned char tmp[AES_BLOCK_LENGTH];
++ int i;
++ if (ctx->error) {
++ RANDerr(RAND_F_FIPS_RAND, RAND_R_PRNG_ERROR);
++ return 0;
++ }
++ if (!ctx->keyed) {
++ RANDerr(RAND_F_FIPS_RAND, RAND_R_NO_KEY_SET);
++ return 0;
++ }
++ if (!ctx->seeded) {
++ RANDerr(RAND_F_FIPS_RAND, RAND_R_PRNG_NOT_SEEDED);
++ return 0;
++ }
++ for (;;) {
++ if (!ctx->test_mode)
++ FIPS_get_timevec(ctx->DT, &ctx->counter);
++ AES_encrypt(ctx->DT, I, &ctx->ks);
++ for (i = 0; i < AES_BLOCK_LENGTH; i++)
++ tmp[i] = I[i] ^ ctx->V[i];
++ AES_encrypt(tmp, R, &ctx->ks);
++ for (i = 0; i < AES_BLOCK_LENGTH; i++)
++ tmp[i] = R[i] ^ I[i];
++ AES_encrypt(tmp, ctx->V, &ctx->ks);
++ /* Continuous PRNG test */
++ if (ctx->second) {
++ if (fips_prng_fail)
++ memcpy(ctx->last, R, AES_BLOCK_LENGTH);
++ if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH)) {
++ RANDerr(RAND_F_FIPS_RAND, RAND_R_PRNG_STUCK);
++ ctx->error = 1;
++ fips_set_selftest_fail();
++ return 0;
++ }
++ }
++ memcpy(ctx->last, R, AES_BLOCK_LENGTH);
++ if (!ctx->second) {
++ ctx->second = 1;
++ if (!ctx->test_mode)
++ continue;
++ }
++
++ if (outlen <= AES_BLOCK_LENGTH) {
++ memcpy(out, R, outlen);
++ break;
++ }
++
++ memcpy(out, R, AES_BLOCK_LENGTH);
++ out += AES_BLOCK_LENGTH;
++ outlen -= AES_BLOCK_LENGTH;
++ }
++ return 1;
++}
++
++int FIPS_x931_set_key(const unsigned char *key, int keylen)
++{
++ int ret;
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ ret = fips_set_prng_key(&sctx, key, keylen);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++ return ret;
++}
++
++int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen)
++{
++ return FIPS_x931_set_key(key, keylen);
++}
++
++int FIPS_x931_seed(const void *seed, int seedlen)
++{
++ int ret;
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ ret = fips_set_prng_seed(&sctx, seed, seedlen);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++ return ret;
++}
++
++int FIPS_x931_bytes(unsigned char *out, int count)
++{
++ int ret;
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ ret = fips_rand(&sctx, out, count);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++ return ret;
++}
++
++int FIPS_x931_status(void)
++{
++ int ret;
++ CRYPTO_r_lock(CRYPTO_LOCK_RAND);
++ ret = sctx.seeded;
++ CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
++ return ret;
++}
++
++void FIPS_x931_reset(void)
++{
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ fips_rand_prng_reset(&sctx);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++}
++
++static int fips_do_rand_seed(const void *seed, int seedlen)
++{
++ FIPS_x931_seed(seed, seedlen);
++ return 1;
++}
++
++static int fips_do_rand_add(const void *seed, int seedlen, double add_entropy)
++{
++ FIPS_x931_seed(seed, seedlen);
++ return 1;
++}
++
++static const RAND_METHOD rand_x931_meth = {
++ fips_do_rand_seed,
++ FIPS_x931_bytes,
++ FIPS_x931_reset,
++ fips_do_rand_add,
++ FIPS_x931_bytes,
++ FIPS_x931_status
++};
++
++const RAND_METHOD *FIPS_x931_method(void)
++{
++ return &rand_x931_meth;
++}
++
++#endif
+diff -up openssl-1.0.2a/crypto/fips/fips_rand.h.fips openssl-1.0.2a/crypto/fips/fips_rand.h
+--- openssl-1.0.2a/crypto/fips/fips_rand.h.fips 2015-04-22 16:08:40.298245796 +0200
++++ openssl-1.0.2a/crypto/fips/fips_rand.h 2015-04-22 16:08:40.298245796 +0200
+@@ -0,0 +1,163 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#ifndef HEADER_FIPS_RAND_H
++# define HEADER_FIPS_RAND_H
++
++# include <openssl/aes.h>
++# include <openssl/evp.h>
++# include <openssl/hmac.h>
++# include <openssl/rand.h>
++
++# ifdef OPENSSL_FIPS
++
++# ifdef __cplusplus
++extern "C" {
++# endif
++
++ int FIPS_x931_set_key(const unsigned char *key, int keylen);
++ int FIPS_x931_seed(const void *buf, int num);
++ int FIPS_x931_bytes(unsigned char *out, int outlen);
++
++ int FIPS_x931_test_mode(void);
++ void FIPS_x931_reset(void);
++ int FIPS_x931_set_dt(unsigned char *dt);
++
++ int FIPS_x931_status(void);
++
++ const RAND_METHOD *FIPS_x931_method(void);
++
++ typedef struct drbg_ctx_st DRBG_CTX;
++/* DRBG external flags */
++/* Flag for CTR mode only: use derivation function ctr_df */
++# define DRBG_FLAG_CTR_USE_DF 0x1
++/* PRNG is in test state */
++# define DRBG_FLAG_TEST 0x2
++
++ DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags);
++ int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags);
++ int FIPS_drbg_instantiate(DRBG_CTX *dctx,
++ const unsigned char *pers, size_t perslen);
++ int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin,
++ size_t adinlen);
++ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
++ int prediction_resistance,
++ const unsigned char *adin, size_t adinlen);
++
++ int FIPS_drbg_uninstantiate(DRBG_CTX *dctx);
++ void FIPS_drbg_free(DRBG_CTX *dctx);
++
++ int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
++ size_t (*get_entropy) (DRBG_CTX *ctx,
++ unsigned char **pout,
++ int entropy,
++ size_t min_len,
++ size_t max_len),
++ void (*cleanup_entropy) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen),
++ size_t entropy_blocklen,
++ size_t (*get_nonce) (DRBG_CTX *ctx,
++ unsigned char **pout,
++ int entropy,
++ size_t min_len,
++ size_t max_len),
++ void (*cleanup_nonce) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen));
++
++ int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
++ size_t (*get_adin) (DRBG_CTX *ctx,
++ unsigned char
++ **pout),
++ void (*cleanup_adin) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen),
++ int (*rand_seed_cb) (DRBG_CTX *ctx,
++ const void *buf,
++ int num),
++ int (*rand_add_cb) (DRBG_CTX *ctx,
++ const void *buf,
++ int num,
++ double entropy));
++
++ void *FIPS_drbg_get_app_data(DRBG_CTX *ctx);
++ void FIPS_drbg_set_app_data(DRBG_CTX *ctx, void *app_data);
++ size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx);
++ int FIPS_drbg_get_strength(DRBG_CTX *dctx);
++ void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval);
++ void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval);
++
++ int FIPS_drbg_health_check(DRBG_CTX *dctx);
++
++ DRBG_CTX *FIPS_get_default_drbg(void);
++ const RAND_METHOD *FIPS_drbg_method(void);
++
++ int FIPS_rand_set_method(const RAND_METHOD *meth);
++ const RAND_METHOD *FIPS_rand_get_method(void);
++
++ void FIPS_rand_set_bits(int nbits);
++
++ int FIPS_rand_strength(void);
++
++/* 1.0.0 compat functions */
++ int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen);
++ int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num);
++ int FIPS_rand_bytes(unsigned char *out, FIPS_RAND_SIZE_T outlen);
++ int FIPS_rand_test_mode(void);
++ void FIPS_rand_reset(void);
++ int FIPS_rand_set_dt(unsigned char *dt);
++ int FIPS_rand_status(void);
++ const RAND_METHOD *FIPS_rand_method(void);
++
++# ifdef __cplusplus
++}
++# endif
++# endif
++#endif
+diff -up openssl-1.0.2a/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.2a/crypto/fips/fips_rand_lcl.h
+--- openssl-1.0.2a/crypto/fips/fips_rand_lcl.h.fips 2015-04-22 16:08:40.298245796 +0200
++++ openssl-1.0.2a/crypto/fips/fips_rand_lcl.h 2015-04-22 16:08:40.298245796 +0200
+@@ -0,0 +1,213 @@
++/* fips/rand/fips_rand_lcl.h */
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++typedef struct drbg_hash_ctx_st DRBG_HASH_CTX;
++typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX;
++typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX;
++
++/* 888 bits from 10.1 table 2 */
++#define HASH_PRNG_MAX_SEEDLEN 111
++
++struct drbg_hash_ctx_st {
++ const EVP_MD *md;
++ EVP_MD_CTX mctx;
++ unsigned char V[HASH_PRNG_MAX_SEEDLEN];
++ unsigned char C[HASH_PRNG_MAX_SEEDLEN];
++ /* Temporary value storage: should always exceed max digest length */
++ unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN];
++};
++
++struct drbg_hmac_ctx_st {
++ const EVP_MD *md;
++ HMAC_CTX hctx;
++ unsigned char K[EVP_MAX_MD_SIZE];
++ unsigned char V[EVP_MAX_MD_SIZE];
++};
++
++struct drbg_ctr_ctx_st {
++ AES_KEY ks;
++ size_t keylen;
++ unsigned char K[32];
++ unsigned char V[16];
++ /* Temp variables used by derivation function */
++ AES_KEY df_ks;
++ AES_KEY df_kxks;
++ /* Temporary block storage used by ctr_df */
++ unsigned char bltmp[16];
++ size_t bltmp_pos;
++ unsigned char KX[48];
++};
++
++/* DRBG internal flags */
++
++/* Functions shouldn't call err library */
++#define DRBG_FLAG_NOERR 0x1
++/* Custom reseed checking */
++#define DRBG_CUSTOM_RESEED 0x2
++
++/* DRBG status values */
++/* not initialised */
++#define DRBG_STATUS_UNINITIALISED 0
++/* ok and ready to generate random bits */
++#define DRBG_STATUS_READY 1
++/* reseed required */
++#define DRBG_STATUS_RESEED 2
++/* fatal error condition */
++#define DRBG_STATUS_ERROR 3
++
++/* A default maximum length: larger than any reasonable value used in pratice */
++
++#define DRBG_MAX_LENGTH 0x7ffffff0
++/* Maximum DRBG block length: all md sizes are bigger than cipher blocks sizes
++ * so use max digest length.
++ */
++#define DRBG_MAX_BLOCK EVP_MAX_MD_SIZE
++
++#define DRBG_HEALTH_INTERVAL (1 << 24)
++
++/* DRBG context structure */
++
++struct drbg_ctx_st {
++ /* First types common to all implementations */
++ /* DRBG type: a NID for the underlying algorithm */
++ int type;
++ /* Various external flags */
++ unsigned int xflags;
++ /* Various internal use only flags */
++ unsigned int iflags;
++ /* Used for periodic health checks */
++ int health_check_cnt, health_check_interval;
++
++ /* The following parameters are setup by mechanism drbg_init() call */
++ int strength;
++ size_t blocklength;
++ size_t max_request;
++
++ size_t min_entropy, max_entropy;
++ size_t min_nonce, max_nonce;
++ size_t max_pers, max_adin;
++ unsigned int reseed_counter;
++ unsigned int reseed_interval;
++ size_t seedlen;
++ int status;
++ /* Application data: typically used by test get_entropy */
++ void *app_data;
++ /* Implementation specific structures */
++ union {
++ DRBG_HASH_CTX hash;
++ DRBG_HMAC_CTX hmac;
++ DRBG_CTR_CTX ctr;
++ } d;
++ /* Initialiase PRNG and setup callbacks below */
++ int (*init) (DRBG_CTX *ctx, int nid, int security, unsigned int flags);
++ /* Intantiate PRNG */
++ int (*instantiate) (DRBG_CTX *ctx,
++ const unsigned char *ent, size_t entlen,
++ const unsigned char *nonce, size_t noncelen,
++ const unsigned char *pers, size_t perslen);
++ /* reseed */
++ int (*reseed) (DRBG_CTX *ctx,
++ const unsigned char *ent, size_t entlen,
++ const unsigned char *adin, size_t adinlen);
++ /* generat output */
++ int (*generate) (DRBG_CTX *ctx,
++ unsigned char *out, size_t outlen,
++ const unsigned char *adin, size_t adinlen);
++ /* uninstantiate */
++ int (*uninstantiate) (DRBG_CTX *ctx);
++
++ /* Entropy source block length */
++ size_t entropy_blocklen;
++
++ /* entropy gathering function */
++ size_t (*get_entropy) (DRBG_CTX *ctx, unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len);
++ /* Indicates we have finished with entropy buffer */
++ void (*cleanup_entropy) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
++
++ /* nonce gathering function */
++ size_t (*get_nonce) (DRBG_CTX *ctx, unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len);
++ /* Indicates we have finished with nonce buffer */
++ void (*cleanup_nonce) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
++
++ /* Continuous random number test temporary area */
++ /* Last block */
++ unsigned char lb[EVP_MAX_MD_SIZE];
++ /* set if lb is valid */
++ int lb_valid;
++
++ /* Callbacks used when called through RAND interface */
++ /* Get any additional input for generate */
++ size_t (*get_adin) (DRBG_CTX *ctx, unsigned char **pout);
++ void (*cleanup_adin) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
++ /* Callback for RAND_seed(), RAND_add() */
++ int (*rand_seed_cb) (DRBG_CTX *ctx, const void *buf, int num);
++ int (*rand_add_cb) (DRBG_CTX *ctx,
++ const void *buf, int num, double entropy);
++};
++
++int fips_drbg_ctr_init(DRBG_CTX *dctx);
++int fips_drbg_hash_init(DRBG_CTX *dctx);
++int fips_drbg_hmac_init(DRBG_CTX *dctx);
++int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags);
++int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out);
++
++const struct env_md_st *FIPS_get_digestbynid(int nid);
++
++const struct evp_cipher_st *FIPS_get_cipherbynid(int nid);
++
++#define FIPS_digestinit EVP_DigestInit
++#define FIPS_digestupdate EVP_DigestUpdate
++#define FIPS_digestfinal EVP_DigestFinal
++#define M_EVP_MD_size EVP_MD_size
+diff -up openssl-1.0.2a/crypto/fips/fips_rand_lib.c.fips openssl-1.0.2a/crypto/fips/fips_rand_lib.c
+--- openssl-1.0.2a/crypto/fips/fips_rand_lib.c.fips 2015-04-22 16:08:40.299245820 +0200
++++ openssl-1.0.2a/crypto/fips/fips_rand_lib.c 2015-04-22 16:08:40.299245820 +0200
+@@ -0,0 +1,181 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <openssl/crypto.h>
++#include <openssl/rand.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++#include <openssl/fips_rand.h>
++#include "e_os.h"
++
++/* FIPS API for PRNG use. Similar to RAND functionality but without
++ * ENGINE and additional checking for non-FIPS rand methods.
++ */
++
++static const RAND_METHOD *fips_rand_meth = NULL;
++static int fips_approved_rand_meth = 0;
++static int fips_rand_bits = 0;
++
++/* Allows application to override number of bits and uses non-FIPS methods */
++void FIPS_rand_set_bits(int nbits)
++{
++ fips_rand_bits = nbits;
++}
++
++int FIPS_rand_set_method(const RAND_METHOD *meth)
++{
++ if (!fips_rand_bits) {
++ if (meth == FIPS_drbg_method())
++ fips_approved_rand_meth = 1;
++ else if (meth == FIPS_x931_method())
++ fips_approved_rand_meth = 2;
++ else {
++ fips_approved_rand_meth = 0;
++ if (FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD, FIPS_R_NON_FIPS_METHOD);
++ return 0;
++ }
++ }
++ }
++ fips_rand_meth = meth;
++ return 1;
++}
++
++const RAND_METHOD *FIPS_rand_get_method(void)
++{
++ return fips_rand_meth;
++}
++
++const RAND_METHOD *FIPS_rand_method(void)
++{
++ return FIPS_rand_get_method();
++}
++
++void FIPS_rand_reset(void)
++{
++ if (fips_rand_meth && fips_rand_meth->cleanup)
++ fips_rand_meth->cleanup();
++}
++
++int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num)
++{
++ if (!fips_approved_rand_meth && FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
++ return 0;
++ }
++ if (fips_rand_meth && fips_rand_meth->seed)
++ fips_rand_meth->seed(buf, num);
++ return 1;
++}
++
++void FIPS_rand_add(const void *buf, int num, double entropy)
++{
++ if (!fips_approved_rand_meth && FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_RAND_ADD, FIPS_R_NON_FIPS_METHOD);
++ return;
++ }
++ if (fips_rand_meth && fips_rand_meth->add)
++ fips_rand_meth->add(buf, num, entropy);
++}
++
++int FIPS_rand_bytes(unsigned char *buf, FIPS_RAND_SIZE_T num)
++{
++ if (!fips_approved_rand_meth && FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
++ return 0;
++ }
++ if (fips_rand_meth && fips_rand_meth->bytes)
++ return fips_rand_meth->bytes(buf, num);
++ return 0;
++}
++
++int FIPS_rand_pseudo_bytes(unsigned char *buf, int num)
++{
++ if (!fips_approved_rand_meth && FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_RAND_PSEUDO_BYTES, FIPS_R_NON_FIPS_METHOD);
++ return 0;
++ }
++ if (fips_rand_meth && fips_rand_meth->pseudorand)
++ return fips_rand_meth->pseudorand(buf, num);
++ return -1;
++}
++
++int FIPS_rand_status(void)
++{
++ if (!fips_approved_rand_meth && FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
++ return 0;
++ }
++ if (fips_rand_meth && fips_rand_meth->status)
++ return fips_rand_meth->status();
++ return 0;
++}
++
++/* Return instantiated strength of PRNG. For DRBG this is an internal
++ * parameter. For X9.31 PRNG it is 80 bits (from SP800-131). Any other
++ * type of PRNG is not approved and returns 0 in FIPS mode and maximum
++ * 256 outside FIPS mode.
++ */
++
++int FIPS_rand_strength(void)
++{
++ if (fips_rand_bits)
++ return fips_rand_bits;
++ if (fips_approved_rand_meth == 1)
++ return FIPS_drbg_get_strength(FIPS_get_default_drbg());
++ else if (fips_approved_rand_meth == 2)
++ return 80;
++ else if (fips_approved_rand_meth == 0) {
++ if (FIPS_module_mode())
++ return 0;
++ else
++ return 256;
++ }
++ return 0;
++}
+diff -up openssl-1.0.2a/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_rand_selftest.c
+--- openssl-1.0.2a/crypto/fips/fips_rand_selftest.c.fips 2015-04-22 16:08:40.299245820 +0200
++++ openssl-1.0.2a/crypto/fips/fips_rand_selftest.c 2015-04-22 16:08:40.299245820 +0200
+@@ -0,0 +1,176 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++typedef struct {
++ unsigned char DT[16];
++ unsigned char V[16];
++ unsigned char R[16];
++} AES_PRNG_TV;
++
++/* The following test vectors are taken directly from the RGNVS spec */
++
++static unsigned char aes_128_key[16] =
++ { 0xf3, 0xb1, 0x66, 0x6d, 0x13, 0x60, 0x72, 0x42,
++ 0xed, 0x06, 0x1c, 0xab, 0xb8, 0xd4, 0x62, 0x02
++};
++
++static AES_PRNG_TV aes_128_tv = {
++ /* DT */
++ {0xe6, 0xb3, 0xbe, 0x78, 0x2a, 0x23, 0xfa, 0x62,
++ 0xd7, 0x1d, 0x4a, 0xfb, 0xb0, 0xe9, 0x22, 0xf9},
++ /* V */
++ {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
++ /* R */
++ {0x59, 0x53, 0x1e, 0xd1, 0x3b, 0xb0, 0xc0, 0x55,
++ 0x84, 0x79, 0x66, 0x85, 0xc1, 0x2f, 0x76, 0x41}
++};
++
++static unsigned char aes_192_key[24] =
++ { 0x15, 0xd8, 0x78, 0x0d, 0x62, 0xd3, 0x25, 0x6e,
++ 0x44, 0x64, 0x10, 0x13, 0x60, 0x2b, 0xa9, 0xbc,
++ 0x4a, 0xfb, 0xca, 0xeb, 0x4c, 0x8b, 0x99, 0x3b
++};
++
++static AES_PRNG_TV aes_192_tv = {
++ /* DT */
++ {0x3f, 0xd8, 0xff, 0xe8, 0x80, 0x69, 0x8b, 0xc1,
++ 0xbf, 0x99, 0x7d, 0xa4, 0x24, 0x78, 0xf3, 0x4b},
++ /* V */
++ {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
++ /* R */
++ {0x17, 0x07, 0xd5, 0x28, 0x19, 0x79, 0x1e, 0xef,
++ 0xa5, 0x0c, 0xbf, 0x25, 0xe5, 0x56, 0xb4, 0x93}
++};
++
++static unsigned char aes_256_key[32] =
++ { 0x6d, 0x14, 0x06, 0x6c, 0xb6, 0xd8, 0x21, 0x2d,
++ 0x82, 0x8d, 0xfa, 0xf2, 0x7a, 0x03, 0xb7, 0x9f,
++ 0x0c, 0xc7, 0x3e, 0xcd, 0x76, 0xeb, 0xee, 0xb5,
++ 0x21, 0x05, 0x8c, 0x4f, 0x31, 0x7a, 0x80, 0xbb
++};
++
++static AES_PRNG_TV aes_256_tv = {
++ /* DT */
++ {0xda, 0x3a, 0x41, 0xec, 0x1d, 0xa3, 0xb0, 0xd5,
++ 0xf2, 0xa9, 0x4e, 0x34, 0x74, 0x8e, 0x9e, 0x88},
++ /* V */
++ {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
++ /* R */
++ {0x35, 0xc7, 0xef, 0xa7, 0x78, 0x4d, 0x29, 0xbc,
++ 0x82, 0x79, 0x99, 0xfb, 0xd0, 0xb3, 0x3b, 0x72}
++};
++
++void FIPS_corrupt_rng()
++{
++ aes_192_tv.V[0]++;
++}
++
++# define fips_x931_test(key, tv) \
++ do_x931_test(key, sizeof key, &tv)
++
++static int do_x931_test(unsigned char *key, int keylen, AES_PRNG_TV * tv)
++{
++ unsigned char R[16], V[16];
++ int rv = 1;
++ memcpy(V, tv->V, sizeof(V));
++ if (!FIPS_x931_set_key(key, keylen))
++ return 0;
++ if (!fips_post_started(FIPS_TEST_X931, keylen, NULL))
++ return 1;
++ if (!fips_post_corrupt(FIPS_TEST_X931, keylen, NULL))
++ V[0]++;
++ FIPS_x931_seed(V, 16);
++ FIPS_x931_set_dt(tv->DT);
++ FIPS_x931_bytes(R, 16);
++ if (memcmp(R, tv->R, 16)) {
++ fips_post_failed(FIPS_TEST_X931, keylen, NULL);
++ rv = 0;
++ } else if (!fips_post_success(FIPS_TEST_X931, keylen, NULL))
++ return 0;
++ return rv;
++}
++
++int FIPS_selftest_x931()
++{
++ int rv = 1;
++ FIPS_x931_reset();
++ if (!FIPS_x931_test_mode()) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_X931, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++ if (!fips_x931_test(aes_128_key, aes_128_tv))
++ rv = 0;
++ if (!fips_x931_test(aes_192_key, aes_192_tv))
++ rv = 0;
++ if (!fips_x931_test(aes_256_key, aes_256_tv))
++ rv = 0;
++ FIPS_x931_reset();
++ if (!rv)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_X931, FIPS_R_SELFTEST_FAILED);
++ return rv;
++}
++
++int FIPS_selftest_rng(void)
++{
++ return FIPS_selftest_x931();
++}
++
++#endif
+diff -up openssl-1.0.2a/crypto/fips/fips_randtest.c.fips openssl-1.0.2a/crypto/fips/fips_randtest.c
+--- openssl-1.0.2a/crypto/fips/fips_randtest.c.fips 2015-04-22 16:08:40.299245820 +0200
++++ openssl-1.0.2a/crypto/fips/fips_randtest.c 2015-04-22 16:08:40.299245820 +0200
+@@ -0,0 +1,247 @@
++/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
++ * All rights reserved.
++ *
++ * This package is an SSL implementation written
++ * by Eric Young (eay at cryptsoft.com).
++ * The implementation was written so as to conform with Netscapes SSL.
++ *
++ * This library is free for commercial and non-commercial use as long as
++ * the following conditions are aheared to. The following conditions
++ * apply to all code found in this distribution, be it the RC4, RSA,
++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
++ * included with this distribution is covered by the same copyright terms
++ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
++ *
++ * Copyright remains Eric Young's, and as such any Copyright notices in
++ * the code are not to be removed.
++ * If this package is used in a product, Eric Young should be given attribution
++ * as the author of the parts of the library used.
++ * This can be in the form of a textual message at program startup or
++ * in documentation (online or textual) provided with the package.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ * must display the following acknowledgement:
++ * "This product includes cryptographic software written by
++ * Eric Young (eay at cryptsoft.com)"
++ * The word 'cryptographic' can be left out if the rouines from the library
++ * being used are not cryptographic related :-).
++ * 4. If you include any Windows specific code (or a derivative thereof) from
++ * the apps directory (application code) you must include an acknowledgement:
++ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ * The licence and distribution terms for any publically available version or
++ * derivative of this code cannot be changed. i.e. this code cannot simply be
++ * copied and put under another distribution licence
++ * [including the GNU Public Licence.]
++ */
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <ctype.h>
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++#include <openssl/err.h>
++#include <openssl/bn.h>
++
++#include "e_os.h"
++
++#ifndef OPENSSL_FIPS
++int main(int argc, char *argv[])
++{
++ printf("No FIPS RAND support\n");
++ return (0);
++}
++
++#else
++
++# include "fips_utl.h"
++# include <openssl/fips.h>
++
++typedef struct {
++ unsigned char DT[16];
++ unsigned char V[16];
++ unsigned char R[16];
++} AES_PRNG_MCT;
++
++static const unsigned char aes_128_mct_key[16] =
++ { 0x9f, 0x5b, 0x51, 0x20, 0x0b, 0xf3, 0x34, 0xb5,
++ 0xd8, 0x2b, 0xe8, 0xc3, 0x72, 0x55, 0xc8, 0x48
++};
++
++static const AES_PRNG_MCT aes_128_mct_tv = {
++ /* DT */
++ {0x63, 0x76, 0xbb, 0xe5, 0x29, 0x02, 0xba, 0x3b,
++ 0x67, 0xc9, 0x25, 0xfa, 0x70, 0x1f, 0x11, 0xac},
++ /* V */
++ {0x57, 0x2c, 0x8e, 0x76, 0x87, 0x26, 0x47, 0x97,
++ 0x7e, 0x74, 0xfb, 0xdd, 0xc4, 0x95, 0x01, 0xd1},
++ /* R */
++ {0x48, 0xe9, 0xbd, 0x0d, 0x06, 0xee, 0x18, 0xfb,
++ 0xe4, 0x57, 0x90, 0xd5, 0xc3, 0xfc, 0x9b, 0x73}
++};
++
++static const unsigned char aes_192_mct_key[24] =
++ { 0xb7, 0x6c, 0x34, 0xd1, 0x09, 0x67, 0xab, 0x73,
++ 0x4d, 0x5a, 0xd5, 0x34, 0x98, 0x16, 0x0b, 0x91,
++ 0xbc, 0x35, 0x51, 0x16, 0x6b, 0xae, 0x93, 0x8a
++};
++
++static const AES_PRNG_MCT aes_192_mct_tv = {
++ /* DT */
++ {0x84, 0xce, 0x22, 0x7d, 0x91, 0x5a, 0xa3, 0xc9,
++ 0x84, 0x3c, 0x0a, 0xb3, 0xa9, 0x63, 0x15, 0x52},
++ /* V */
++ {0xb6, 0xaf, 0xe6, 0x8f, 0x99, 0x9e, 0x90, 0x64,
++ 0xdd, 0xc7, 0x7a, 0xc1, 0xbb, 0x90, 0x3a, 0x6d},
++ /* R */
++ {0xfc, 0x85, 0x60, 0x9a, 0x29, 0x6f, 0xef, 0x21,
++ 0xdd, 0x86, 0x20, 0x32, 0x8a, 0x29, 0x6f, 0x47}
++};
++
++static const unsigned char aes_256_mct_key[32] =
++ { 0x9b, 0x05, 0xc8, 0x68, 0xff, 0x47, 0xf8, 0x3a,
++ 0xa6, 0x3a, 0xa8, 0xcb, 0x4e, 0x71, 0xb2, 0xe0,
++ 0xb8, 0x7e, 0xf1, 0x37, 0xb6, 0xb4, 0xf6, 0x6d,
++ 0x86, 0x32, 0xfc, 0x1f, 0x5e, 0x1d, 0x1e, 0x50
++};
++
++static const AES_PRNG_MCT aes_256_mct_tv = {
++ /* DT */
++ {0x31, 0x6e, 0x35, 0x9a, 0xb1, 0x44, 0xf0, 0xee,
++ 0x62, 0x6d, 0x04, 0x46, 0xe0, 0xa3, 0x92, 0x4c},
++ /* V */
++ {0x4f, 0xcd, 0xc1, 0x87, 0x82, 0x1f, 0x4d, 0xa1,
++ 0x3e, 0x0e, 0x56, 0x44, 0x59, 0xe8, 0x83, 0xca},
++ /* R */
++ {0xc8, 0x87, 0xc2, 0x61, 0x5b, 0xd0, 0xb9, 0xe1,
++ 0xe7, 0xf3, 0x8b, 0xd7, 0x5b, 0xd5, 0xf1, 0x8d}
++};
++
++static void dump(const unsigned char *b, int n)
++{
++ while (n-- > 0) {
++ printf(" %02x", *b++);
++ }
++}
++
++static void compare(const unsigned char *result,
++ const unsigned char *expected, int n)
++{
++ int i;
++
++ for (i = 0; i < n; ++i)
++ if (result[i] != expected[i]) {
++ puts("Random test failed, got:");
++ dump(result, n);
++ puts("\n expected:");
++ dump(expected, n);
++ putchar('\n');
++ EXIT(1);
++ }
++}
++
++static void run_test(const unsigned char *key, int keylen,
++ const AES_PRNG_MCT * tv)
++{
++ unsigned char buf[16], dt[16];
++ int i, j;
++ FIPS_x931_reset();
++ FIPS_x931_test_mode();
++ FIPS_x931_set_key(key, keylen);
++ FIPS_x931_seed(tv->V, 16);
++ memcpy(dt, tv->DT, 16);
++ for (i = 0; i < 10000; i++) {
++ FIPS_x931_set_dt(dt);
++ FIPS_x931_bytes(buf, 16);
++ /* Increment DT */
++ for (j = 15; j >= 0; j--) {
++ dt[j]++;
++ if (dt[j])
++ break;
++ }
++ }
++
++ compare(buf, tv->R, 16);
++}
++
++int main()
++{
++ run_test(aes_128_mct_key, 16, &aes_128_mct_tv);
++ printf("FIPS PRNG test 1 done\n");
++ run_test(aes_192_mct_key, 24, &aes_192_mct_tv);
++ printf("FIPS PRNG test 2 done\n");
++ run_test(aes_256_mct_key, 32, &aes_256_mct_tv);
++ printf("FIPS PRNG test 3 done\n");
++ return 0;
++}
++
++#endif
+diff -up openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c
+--- openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c.fips 2015-04-22 16:08:40.299245820 +0200
++++ openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c 2015-04-22 16:08:40.299245820 +0200
+@@ -0,0 +1,444 @@
++/* ====================================================================
++ * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++#include <openssl/rsa.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++#include <openssl/opensslconf.h>
++
++#ifdef OPENSSL_FIPS
++
++static const unsigned char n[] =
++ "\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
++ "\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
++ "\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD"
++ "\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80"
++ "\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25"
++ "\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39"
++ "\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68"
++ "\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD" "\xCB";
++
++static int corrupt_rsa;
++
++static int setrsakey(RSA *key)
++{
++ static const unsigned char e[] = "\x11";
++
++ static const unsigned char d[] =
++ "\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD"
++ "\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41"
++ "\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69"
++ "\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA"
++ "\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94"
++ "\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A"
++ "\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
++ "\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
++ "\xC1";
++
++ static const unsigned char p[] =
++ "\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
++ "\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
++ "\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
++ "\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
++ "\x99";
++
++ static const unsigned char q[] =
++ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
++ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
++ "\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
++ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
++ "\x03";
++
++ static const unsigned char dmp1[] =
++ "\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
++ "\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
++ "\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
++ "\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81";
++
++ static const unsigned char dmq1[] =
++ "\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
++ "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
++ "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
++ "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D";
++
++ static const unsigned char iqmp[] =
++ "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
++ "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
++ "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
++ "\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
++ "\xF7";
++
++ key->n = BN_bin2bn(n, sizeof(n) - 1, key->n);
++ if (corrupt_rsa)
++ BN_set_bit(key->n, 1024);
++ key->e = BN_bin2bn(e, sizeof(e) - 1, key->e);
++ key->d = BN_bin2bn(d, sizeof(d) - 1, key->d);
++ key->p = BN_bin2bn(p, sizeof(p) - 1, key->p);
++ key->q = BN_bin2bn(q, sizeof(q) - 1, key->q);
++ key->dmp1 = BN_bin2bn(dmp1, sizeof(dmp1) - 1, key->dmp1);
++ key->dmq1 = BN_bin2bn(dmq1, sizeof(dmq1) - 1, key->dmq1);
++ key->iqmp = BN_bin2bn(iqmp, sizeof(iqmp) - 1, key->iqmp);
++ return 1;
++}
++
++void FIPS_corrupt_rsa()
++{
++ corrupt_rsa = 1;
++}
++
++/* Known Answer Test (KAT) data for the above RSA private key signing
++ * kat_tbs.
++ */
++
++static const unsigned char kat_tbs[] =
++ "OpenSSL FIPS 140-2 Public Key RSA KAT";
++
++static const unsigned char kat_RSA_PSS_SHA1[] = {
++ 0x2D, 0xAF, 0x6E, 0xC2, 0x98, 0xFB, 0x8A, 0xA1, 0xB9, 0x46, 0xDA, 0x0F,
++ 0x01, 0x1E, 0x37, 0x93, 0xC2, 0x55, 0x27, 0xE4, 0x1D, 0xD2, 0x90, 0xBB,
++ 0xF4, 0xBF, 0x4A, 0x74, 0x39, 0x51, 0xBB, 0xE8, 0x0C, 0xB7, 0xF8, 0xD3,
++ 0xD1, 0xDF, 0xE7, 0xBE, 0x80, 0x05, 0xC3, 0xB5, 0xC7, 0x83, 0xD5, 0x4C,
++ 0x7F, 0x49, 0xFB, 0x3F, 0x29, 0x9B, 0xE1, 0x12, 0x51, 0x60, 0xD0, 0xA7,
++ 0x0D, 0xA9, 0x28, 0x56, 0x73, 0xD9, 0x07, 0xE3, 0x5E, 0x3F, 0x9B, 0xF5,
++ 0xB6, 0xF3, 0xF2, 0x5E, 0x74, 0xC9, 0x83, 0x81, 0x47, 0xF0, 0xC5, 0x45,
++ 0x0A, 0xE9, 0x8E, 0x38, 0xD7, 0x18, 0xC6, 0x2A, 0x0F, 0xF8, 0xB7, 0x31,
++ 0xD6, 0x55, 0xE4, 0x66, 0x78, 0x81, 0xD4, 0xE6, 0xDB, 0x9F, 0xBA, 0xE8,
++ 0x23, 0xB5, 0x7F, 0xDC, 0x08, 0xEA, 0xD5, 0x26, 0x1E, 0x20, 0x25, 0x84,
++ 0x26, 0xC6, 0x79, 0xC9, 0x9B, 0x3D, 0x7E, 0xA9
++};
++
++static const unsigned char kat_RSA_PSS_SHA224[] = {
++ 0x39, 0x4A, 0x6A, 0x20, 0xBC, 0xE9, 0x33, 0xED, 0xEF, 0xC5, 0x58, 0xA7,
++ 0xFE, 0x81, 0xC4, 0x36, 0x50, 0x9A, 0x2C, 0x82, 0x98, 0x08, 0x95, 0xFA,
++ 0xB1, 0x9E, 0xD2, 0x55, 0x61, 0x87, 0x21, 0x59, 0x87, 0x7B, 0x1F, 0x57,
++ 0x30, 0x9D, 0x0D, 0x4A, 0x06, 0xEB, 0x52, 0x37, 0x55, 0x54, 0x1C, 0x89,
++ 0x83, 0x75, 0x59, 0x65, 0x64, 0x90, 0x2E, 0x16, 0xCC, 0x86, 0x05, 0xEE,
++ 0xB1, 0xE6, 0x7B, 0xBA, 0x16, 0x75, 0x0D, 0x0C, 0x64, 0x0B, 0xAB, 0x22,
++ 0x15, 0x78, 0x6B, 0x6F, 0xA4, 0xFB, 0x77, 0x40, 0x64, 0x62, 0xD1, 0xB5,
++ 0x37, 0x1E, 0xE0, 0x3D, 0xA8, 0xF9, 0xD2, 0xBD, 0xAA, 0x38, 0x24, 0x49,
++ 0x58, 0xD2, 0x74, 0x85, 0xF4, 0xB5, 0x93, 0x8E, 0xF5, 0x03, 0xEA, 0x2D,
++ 0xC8, 0x52, 0xFA, 0xCF, 0x7E, 0x35, 0xB0, 0x6A, 0xAF, 0x95, 0xC0, 0x00,
++ 0x54, 0x76, 0x3D, 0x0C, 0x9C, 0xB2, 0xEE, 0xC0
++};
++
++static const unsigned char kat_RSA_PSS_SHA256[] = {
++ 0x6D, 0x3D, 0xBE, 0x8F, 0x60, 0x6D, 0x25, 0x14, 0xF0, 0x31, 0xE3, 0x89,
++ 0x00, 0x97, 0xFA, 0x99, 0x71, 0x28, 0xE5, 0x10, 0x25, 0x9A, 0xF3, 0x8F,
++ 0x7B, 0xC5, 0xA8, 0x4A, 0x74, 0x51, 0x36, 0xE2, 0x8D, 0x7D, 0x73, 0x28,
++ 0xC1, 0x77, 0xC6, 0x27, 0x97, 0x00, 0x8B, 0x00, 0xA3, 0x96, 0x73, 0x4E,
++ 0x7D, 0x2E, 0x2C, 0x34, 0x68, 0x8C, 0x8E, 0xDF, 0x9D, 0x49, 0x47, 0x05,
++ 0xAB, 0xF5, 0x01, 0xD6, 0x81, 0x47, 0x70, 0xF5, 0x1D, 0x6D, 0x26, 0xBA,
++ 0x2F, 0x7A, 0x54, 0x53, 0x4E, 0xED, 0x71, 0xD9, 0x5A, 0xF3, 0xDA, 0xB6,
++ 0x0B, 0x47, 0x34, 0xAF, 0x90, 0xDC, 0xC8, 0xD9, 0x6F, 0x56, 0xCD, 0x9F,
++ 0x21, 0xB7, 0x7E, 0xAD, 0x7C, 0x2F, 0x75, 0x50, 0x47, 0x12, 0xE4, 0x6D,
++ 0x5F, 0xB7, 0x01, 0xDF, 0xC3, 0x11, 0x6C, 0xA9, 0x9E, 0x49, 0xB9, 0xF6,
++ 0x72, 0xF4, 0xF6, 0xEF, 0x88, 0x1E, 0x2D, 0x1C
++};
++
++static const unsigned char kat_RSA_PSS_SHA384[] = {
++ 0x40, 0xFB, 0xA1, 0x21, 0xF4, 0xB2, 0x40, 0x9A, 0xB4, 0x31, 0xA8, 0xF2,
++ 0xEC, 0x1C, 0xC4, 0xC8, 0x7C, 0x22, 0x65, 0x9C, 0x57, 0x45, 0xCD, 0x5E,
++ 0x86, 0x00, 0xF7, 0x25, 0x78, 0xDE, 0xDC, 0x7A, 0x71, 0x44, 0x9A, 0xCD,
++ 0xAA, 0x25, 0xF4, 0xB2, 0xFC, 0xF0, 0x75, 0xD9, 0x2F, 0x78, 0x23, 0x7F,
++ 0x6F, 0x02, 0xEF, 0xC1, 0xAF, 0xA6, 0x28, 0x16, 0x31, 0xDC, 0x42, 0x6C,
++ 0xB2, 0x44, 0xE5, 0x4D, 0x66, 0xA2, 0xE6, 0x71, 0xF3, 0xAC, 0x4F, 0xFB,
++ 0x91, 0xCA, 0xF5, 0x70, 0xEF, 0x6B, 0x9D, 0xA4, 0xEF, 0xD9, 0x3D, 0x2F,
++ 0x3A, 0xBE, 0x89, 0x38, 0x59, 0x01, 0xBA, 0xDA, 0x32, 0xAD, 0x42, 0x89,
++ 0x98, 0x8B, 0x39, 0x44, 0xF0, 0xFC, 0x38, 0xAC, 0x87, 0x1F, 0xCA, 0x6F,
++ 0x48, 0xF6, 0xAE, 0xD7, 0x45, 0xEE, 0xAE, 0x88, 0x0E, 0x60, 0xF4, 0x55,
++ 0x48, 0x44, 0xEE, 0x1F, 0x90, 0x18, 0x4B, 0xF1
++};
++
++static const unsigned char kat_RSA_PSS_SHA512[] = {
++ 0x07, 0x1E, 0xD8, 0xD5, 0x05, 0xE8, 0xE6, 0xE6, 0x57, 0xAE, 0x63, 0x8C,
++ 0xC6, 0x83, 0xB7, 0xA0, 0x59, 0xBB, 0xF2, 0xC6, 0x8F, 0x12, 0x53, 0x9A,
++ 0x9B, 0x54, 0x9E, 0xB3, 0xC1, 0x1D, 0x23, 0x4D, 0x51, 0xED, 0x9E, 0xDD,
++ 0x4B, 0xF3, 0x46, 0x9B, 0x6B, 0xF6, 0x7C, 0x24, 0x60, 0x79, 0x23, 0x39,
++ 0x01, 0x1C, 0x51, 0xCB, 0xD8, 0xE9, 0x9A, 0x01, 0x67, 0x5F, 0xFE, 0xD7,
++ 0x7C, 0xE3, 0x7F, 0xED, 0xDB, 0x87, 0xBB, 0xF0, 0x3D, 0x78, 0x55, 0x61,
++ 0x57, 0xE3, 0x0F, 0xE3, 0xD2, 0x9D, 0x0C, 0x2A, 0x20, 0xB0, 0x85, 0x13,
++ 0xC5, 0x47, 0x34, 0x0D, 0x32, 0x15, 0xC8, 0xAE, 0x9A, 0x6A, 0x39, 0x63,
++ 0x2D, 0x60, 0xF5, 0x4C, 0xDF, 0x8A, 0x48, 0x4B, 0xBF, 0xF4, 0xA8, 0xFE,
++ 0x76, 0xF2, 0x32, 0x1B, 0x9C, 0x7C, 0xCA, 0xFE, 0x7F, 0x80, 0xC2, 0x88,
++ 0x5C, 0x97, 0x70, 0xB4, 0x26, 0xC9, 0x14, 0x8B
++};
++
++static const unsigned char kat_RSA_SHA1[] = {
++ 0x71, 0xEE, 0x1A, 0xC0, 0xFE, 0x01, 0x93, 0x54, 0x79, 0x5C, 0xF2, 0x4C,
++ 0x4A, 0xFD, 0x1A, 0x05, 0x8F, 0x64, 0xB1, 0x6D, 0x61, 0x33, 0x8D, 0x9B,
++ 0xE7, 0xFD, 0x60, 0xA3, 0x83, 0xB5, 0xA3, 0x51, 0x55, 0x77, 0x90, 0xCF,
++ 0xDC, 0x22, 0x37, 0x8E, 0xD0, 0xE1, 0xAE, 0x09, 0xE3, 0x3D, 0x1E, 0xF8,
++ 0x80, 0xD1, 0x8B, 0xC2, 0xEC, 0x0A, 0xD7, 0x6B, 0x88, 0x8B, 0x8B, 0xA1,
++ 0x20, 0x22, 0xBE, 0x59, 0x5B, 0xE0, 0x23, 0x24, 0xA1, 0x49, 0x30, 0xBA,
++ 0xA9, 0x9E, 0xE8, 0xB1, 0x8A, 0x62, 0x16, 0xBF, 0x4E, 0xCA, 0x2E, 0x4E,
++ 0xBC, 0x29, 0xA8, 0x67, 0x13, 0xB7, 0x9F, 0x1D, 0x04, 0x44, 0xE5, 0x5F,
++ 0x35, 0x07, 0x11, 0xBC, 0xED, 0x19, 0x37, 0x21, 0xCF, 0x23, 0x48, 0x1F,
++ 0x72, 0x05, 0xDE, 0xE6, 0xE8, 0x7F, 0x33, 0x8A, 0x76, 0x4B, 0x2F, 0x95,
++ 0xDF, 0xF1, 0x5F, 0x84, 0x80, 0xD9, 0x46, 0xB4
++};
++
++static const unsigned char kat_RSA_SHA224[] = {
++ 0x62, 0xAA, 0x79, 0xA9, 0x18, 0x0E, 0x5F, 0x8C, 0xBB, 0xB7, 0x15, 0xF9,
++ 0x25, 0xBB, 0xFA, 0xD4, 0x3A, 0x34, 0xED, 0x9E, 0xA0, 0xA9, 0x18, 0x8D,
++ 0x5B, 0x55, 0x9A, 0x7E, 0x1E, 0x08, 0x08, 0x60, 0xC5, 0x1A, 0xC5, 0x89,
++ 0x08, 0xE2, 0x1B, 0xBD, 0x62, 0x50, 0x17, 0x76, 0x30, 0x2C, 0x9E, 0xCD,
++ 0xA4, 0x02, 0xAD, 0xB1, 0x6D, 0x44, 0x6D, 0xD5, 0xC6, 0x45, 0x41, 0xE5,
++ 0xEE, 0x1F, 0x8D, 0x7E, 0x08, 0x16, 0xA6, 0xE1, 0x5E, 0x0B, 0xA9, 0xCC,
++ 0xDB, 0x59, 0x55, 0x87, 0x09, 0x25, 0x70, 0x86, 0x84, 0x02, 0xC6, 0x3B,
++ 0x0B, 0x44, 0x4C, 0x46, 0x95, 0xF4, 0xF8, 0x5A, 0x91, 0x28, 0x3E, 0xB2,
++ 0x58, 0x2E, 0x06, 0x45, 0x49, 0xE0, 0x92, 0xE2, 0xC0, 0x66, 0xE6, 0x35,
++ 0xD9, 0x79, 0x7F, 0x17, 0x5E, 0x02, 0x73, 0x04, 0x77, 0x82, 0xE6, 0xDC,
++ 0x40, 0x21, 0x89, 0x8B, 0x37, 0x3E, 0x1E, 0x8D
++};
++
++static const unsigned char kat_RSA_SHA256[] = {
++ 0x0D, 0x55, 0xE2, 0xAA, 0x81, 0xDB, 0x8E, 0x82, 0x05, 0x17, 0xA5, 0x23,
++ 0xE7, 0x3B, 0x1D, 0xAF, 0xFB, 0x8C, 0xD0, 0x81, 0x20, 0x7B, 0xAA, 0x23,
++ 0x92, 0x87, 0x8C, 0xD1, 0x53, 0x85, 0x16, 0xDC, 0xBE, 0xAD, 0x6F, 0x35,
++ 0x98, 0x2D, 0x69, 0x84, 0xBF, 0xD9, 0x8A, 0x01, 0x17, 0x58, 0xB2, 0x6E,
++ 0x2C, 0x44, 0x9B, 0x90, 0xF1, 0xFB, 0x51, 0xE8, 0x6A, 0x90, 0x2D, 0x18,
++ 0x0E, 0xC0, 0x90, 0x10, 0x24, 0xA9, 0x1D, 0xB3, 0x58, 0x7A, 0x91, 0x30,
++ 0xBE, 0x22, 0xC7, 0xD3, 0xEC, 0xC3, 0x09, 0x5D, 0xBF, 0xE2, 0x80, 0x3A,
++ 0x7C, 0x85, 0xB4, 0xBC, 0xD1, 0xE9, 0xF0, 0x5C, 0xDE, 0x81, 0xA6, 0x38,
++ 0xB8, 0x42, 0xBB, 0x86, 0xC5, 0x9D, 0xCE, 0x7C, 0x2C, 0xEE, 0xD1, 0xDA,
++ 0x27, 0x48, 0x2B, 0xF5, 0xAB, 0xB9, 0xF7, 0x80, 0xD1, 0x90, 0x27, 0x90,
++ 0xBD, 0x44, 0x97, 0x60, 0xCD, 0x57, 0xC0, 0x7A
++};
++
++static const unsigned char kat_RSA_SHA384[] = {
++ 0x1D, 0xE3, 0x6A, 0xDD, 0x27, 0x4C, 0xC0, 0xA5, 0x27, 0xEF, 0xE6, 0x1F,
++ 0xD2, 0x91, 0x68, 0x59, 0x04, 0xAE, 0xBD, 0x99, 0x63, 0x56, 0x47, 0xC7,
++ 0x6F, 0x22, 0x16, 0x48, 0xD0, 0xF9, 0x18, 0xA9, 0xCA, 0xFA, 0x5D, 0x5C,
++ 0xA7, 0x65, 0x52, 0x8A, 0xC8, 0x44, 0x7E, 0x86, 0x5D, 0xA9, 0xA6, 0x55,
++ 0x65, 0x3E, 0xD9, 0x2D, 0x02, 0x38, 0xA8, 0x79, 0x28, 0x7F, 0xB6, 0xCF,
++ 0x82, 0xDD, 0x7E, 0x55, 0xE1, 0xB1, 0xBC, 0xE2, 0x19, 0x2B, 0x30, 0xC2,
++ 0x1B, 0x2B, 0xB0, 0x82, 0x46, 0xAC, 0x4B, 0xD1, 0xE2, 0x7D, 0xEB, 0x8C,
++ 0xFF, 0x95, 0xE9, 0x6A, 0x1C, 0x3D, 0x4D, 0xBF, 0x8F, 0x8B, 0x9C, 0xCD,
++ 0xEA, 0x85, 0xEE, 0x00, 0xDC, 0x1C, 0xA7, 0xEB, 0xD0, 0x8F, 0x99, 0xF1,
++ 0x16, 0x28, 0x24, 0x64, 0x04, 0x39, 0x2D, 0x58, 0x1E, 0x37, 0xDC, 0x04,
++ 0xBD, 0x31, 0xA2, 0x2F, 0xB3, 0x35, 0x56, 0xBF
++};
++
++static const unsigned char kat_RSA_SHA512[] = {
++ 0x69, 0x52, 0x1B, 0x51, 0x5E, 0x06, 0xCA, 0x9B, 0x16, 0x51, 0x5D, 0xCF,
++ 0x49, 0x25, 0x4A, 0xA1, 0x6A, 0x77, 0x4C, 0x36, 0x40, 0xF8, 0xB2, 0x9A,
++ 0x15, 0xEA, 0x5C, 0xE5, 0xE6, 0x82, 0xE0, 0x86, 0x82, 0x6B, 0x32, 0xF1,
++ 0x04, 0xC1, 0x5A, 0x1A, 0xED, 0x1E, 0x9A, 0xB6, 0x4C, 0x54, 0x9F, 0xD8,
++ 0x8D, 0xCC, 0xAC, 0x8A, 0xBB, 0x9C, 0x82, 0x3F, 0xA6, 0x53, 0x62, 0xB5,
++ 0x80, 0xE2, 0xBC, 0xDD, 0x67, 0x2B, 0xD9, 0x3F, 0xE4, 0x75, 0x92, 0x6B,
++ 0xAF, 0x62, 0x7C, 0x52, 0xF0, 0xEE, 0x33, 0xDF, 0x1B, 0x1D, 0x47, 0xE6,
++ 0x59, 0x56, 0xA5, 0xB9, 0x5C, 0xE6, 0x77, 0x78, 0x16, 0x63, 0x84, 0x05,
++ 0x6F, 0x0E, 0x2B, 0x31, 0x9D, 0xF7, 0x7F, 0xB2, 0x64, 0x71, 0xE0, 0x2D,
++ 0x3E, 0x62, 0xCE, 0xB5, 0x3F, 0x88, 0xDF, 0x2D, 0xAB, 0x98, 0x65, 0x91,
++ 0xDF, 0x70, 0x14, 0xA5, 0x3F, 0x36, 0xAB, 0x84
++};
++
++static const unsigned char kat_RSA_X931_SHA1[] = {
++ 0x86, 0xB4, 0x18, 0xBA, 0xD1, 0x80, 0xB6, 0x7C, 0x42, 0x45, 0x4D, 0xDF,
++ 0xE9, 0x2D, 0xE1, 0x83, 0x5F, 0xB5, 0x2F, 0xC9, 0xCD, 0xC4, 0xB2, 0x75,
++ 0x80, 0xA4, 0xF1, 0x4A, 0xE7, 0x83, 0x12, 0x1E, 0x1E, 0x14, 0xB8, 0xAC,
++ 0x35, 0xE2, 0xAA, 0x0B, 0x5C, 0xF8, 0x38, 0x4D, 0x04, 0xEE, 0xA9, 0x97,
++ 0x70, 0xFB, 0x5E, 0xE7, 0xB7, 0xE3, 0x62, 0x23, 0x4B, 0x38, 0xBE, 0xD6,
++ 0x53, 0x15, 0xF7, 0xDF, 0x87, 0xB4, 0x0E, 0xCC, 0xB1, 0x1A, 0x11, 0x19,
++ 0xEE, 0x51, 0xCC, 0x92, 0xDD, 0xBC, 0x63, 0x29, 0x63, 0x0C, 0x59, 0xD7,
++ 0x6F, 0x4C, 0x3C, 0x37, 0x5B, 0x37, 0x03, 0x61, 0x7D, 0x24, 0x1C, 0x99,
++ 0x48, 0xAF, 0x82, 0xFE, 0x32, 0x41, 0x9B, 0xB2, 0xDB, 0xEA, 0xED, 0x76,
++ 0x8E, 0x6E, 0xCA, 0x7E, 0x4E, 0x14, 0xBA, 0x30, 0x84, 0x1C, 0xB3, 0x67,
++ 0xA3, 0x29, 0x80, 0x70, 0x54, 0x68, 0x7D, 0x49
++};
++
++static const unsigned char kat_RSA_X931_SHA256[] = {
++ 0x7E, 0xA2, 0x77, 0xFE, 0xB8, 0x54, 0x8A, 0xC7, 0x7F, 0x64, 0x54, 0x89,
++ 0xE5, 0x52, 0x15, 0x8E, 0x52, 0x96, 0x4E, 0xA6, 0x58, 0x92, 0x1C, 0xDD,
++ 0xEA, 0xA2, 0x2D, 0x5C, 0xD1, 0x62, 0x00, 0x49, 0x05, 0x95, 0x73, 0xCF,
++ 0x16, 0x76, 0x68, 0xF6, 0xC6, 0x5E, 0x80, 0xB8, 0xB8, 0x7B, 0xC8, 0x9B,
++ 0xC6, 0x53, 0x88, 0x26, 0x20, 0x88, 0x73, 0xB6, 0x13, 0xB8, 0xF0, 0x4B,
++ 0x00, 0x85, 0xF3, 0xDD, 0x07, 0x50, 0xEB, 0x20, 0xC4, 0x38, 0x0E, 0x98,
++ 0xAD, 0x4E, 0x49, 0x2C, 0xD7, 0x65, 0xA5, 0x19, 0x0E, 0x59, 0x01, 0xEC,
++ 0x7E, 0x75, 0x89, 0x69, 0x2E, 0x63, 0x76, 0x85, 0x46, 0x8D, 0xA0, 0x8C,
++ 0x33, 0x1D, 0x82, 0x8C, 0x03, 0xEA, 0x69, 0x88, 0x35, 0xA1, 0x42, 0xBD,
++ 0x21, 0xED, 0x8D, 0xBC, 0xBC, 0xDB, 0x30, 0xFF, 0x86, 0xF0, 0x5B, 0xDC,
++ 0xE3, 0xE2, 0xE8, 0x0A, 0x0A, 0x29, 0x94, 0x80
++};
++
++static const unsigned char kat_RSA_X931_SHA384[] = {
++ 0x5C, 0x7D, 0x96, 0x35, 0xEC, 0x7E, 0x11, 0x38, 0xBB, 0x7B, 0xEC, 0x7B,
++ 0xF2, 0x82, 0x8E, 0x99, 0xBD, 0xEF, 0xD8, 0xAE, 0xD7, 0x39, 0x37, 0xCB,
++ 0xE6, 0x4F, 0x5E, 0x0A, 0x13, 0xE4, 0x2E, 0x40, 0xB9, 0xBE, 0x2E, 0xE3,
++ 0xEF, 0x78, 0x83, 0x18, 0x44, 0x35, 0x9C, 0x8E, 0xD7, 0x4A, 0x63, 0xF6,
++ 0x57, 0xC2, 0xB0, 0x08, 0x51, 0x73, 0xCF, 0xCA, 0x99, 0x66, 0xEE, 0x31,
++ 0xD8, 0x69, 0xE9, 0xAB, 0x13, 0x27, 0x7B, 0x41, 0x1E, 0x6D, 0x8D, 0xF1,
++ 0x3E, 0x9C, 0x35, 0x95, 0x58, 0xDD, 0x2B, 0xD5, 0xA0, 0x60, 0x41, 0x79,
++ 0x24, 0x22, 0xE4, 0xB7, 0xBF, 0x47, 0x53, 0xF6, 0x34, 0xD5, 0x7C, 0xFF,
++ 0x0E, 0x09, 0xEE, 0x2E, 0xE2, 0x37, 0xB9, 0xDE, 0xC5, 0x12, 0x44, 0x35,
++ 0xEF, 0x01, 0xE6, 0x5E, 0x39, 0x31, 0x2D, 0x71, 0xA5, 0xDC, 0xC6, 0x6D,
++ 0xE2, 0xCD, 0x85, 0xDB, 0x73, 0x82, 0x65, 0x28
++};
++
++static const unsigned char kat_RSA_X931_SHA512[] = {
++ 0xA6, 0x65, 0xA2, 0x77, 0x4F, 0xB3, 0x86, 0xCB, 0x64, 0x3A, 0xC1, 0x63,
++ 0xFC, 0xA1, 0xAA, 0xCB, 0x9B, 0x79, 0xDD, 0x4B, 0xE1, 0xD9, 0xDA, 0xAC,
++ 0xE7, 0x47, 0x09, 0xB2, 0x11, 0x4B, 0x8A, 0xAA, 0x05, 0x9E, 0x77, 0xD7,
++ 0x3A, 0xBD, 0x5E, 0x53, 0x09, 0x4A, 0xE6, 0x0F, 0x5E, 0xF9, 0x14, 0x28,
++ 0xA0, 0x99, 0x74, 0x64, 0x70, 0x4E, 0xF2, 0xE3, 0xFA, 0xC7, 0xF8, 0xC5,
++ 0x6E, 0x2B, 0x79, 0x96, 0x0D, 0x0C, 0xC8, 0x10, 0x34, 0x53, 0xD2, 0xAF,
++ 0x17, 0x0E, 0xE0, 0xBF, 0x79, 0xF6, 0x04, 0x72, 0x10, 0xE0, 0xF6, 0xD0,
++ 0xCE, 0x8A, 0x6F, 0xA1, 0x95, 0x89, 0xBF, 0x58, 0x8F, 0x46, 0x5F, 0x09,
++ 0x9F, 0x09, 0xCA, 0x84, 0x15, 0x85, 0xE0, 0xED, 0x04, 0x2D, 0xFB, 0x7C,
++ 0x36, 0x35, 0x21, 0x31, 0xC3, 0xFD, 0x92, 0x42, 0x11, 0x30, 0x71, 0x1B,
++ 0x60, 0x83, 0x18, 0x88, 0xA3, 0xF5, 0x59, 0xC3
++};
++
++int FIPS_selftest_rsa()
++{
++ int ret = 0;
++ RSA *key;
++ EVP_PKEY *pk = NULL;
++
++ if ((key = RSA_new()) == NULL)
++ goto err;
++ setrsakey(key);
++ if ((pk = EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_assign_RSA(pk, key);
++
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA1, sizeof(kat_RSA_SHA1),
++ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA1 PKCS#1"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA224, sizeof(kat_RSA_SHA224),
++ EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA224 PKCS#1"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA256, sizeof(kat_RSA_SHA256),
++ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA256 PKCS#1"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA384, sizeof(kat_RSA_SHA384),
++ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA384 PKCS#1"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA512, sizeof(kat_RSA_SHA512),
++ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA512 PKCS#1"))
++ goto err;
++
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA1, sizeof(kat_RSA_PSS_SHA1),
++ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS,
++ "RSA SHA1 PSS"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA224,
++ sizeof(kat_RSA_PSS_SHA224), EVP_sha224(),
++ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA224 PSS"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA256,
++ sizeof(kat_RSA_PSS_SHA256), EVP_sha256(),
++ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA256 PSS"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA384,
++ sizeof(kat_RSA_PSS_SHA384), EVP_sha384(),
++ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA384 PSS"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA512,
++ sizeof(kat_RSA_PSS_SHA512), EVP_sha512(),
++ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA512 PSS"))
++ goto err;
++
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_X931_SHA1,
++ sizeof(kat_RSA_X931_SHA1), EVP_sha1(),
++ EVP_MD_CTX_FLAG_PAD_X931, "RSA SHA1 X931"))
++ goto err;
++ /* NB: SHA224 not supported in X9.31 */
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_X931_SHA256,
++ sizeof(kat_RSA_X931_SHA256), EVP_sha256(),
++ EVP_MD_CTX_FLAG_PAD_X931,
++ "RSA SHA256 X931"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_X931_SHA384,
++ sizeof(kat_RSA_X931_SHA384), EVP_sha384(),
++ EVP_MD_CTX_FLAG_PAD_X931,
++ "RSA SHA384 X931"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_X931_SHA512,
++ sizeof(kat_RSA_X931_SHA512), EVP_sha512(),
++ EVP_MD_CTX_FLAG_PAD_X931,
++ "RSA SHA512 X931"))
++ goto err;
++
++ ret = 1;
++
++ err:
++ if (pk)
++ EVP_PKEY_free(pk);
++ else if (key)
++ RSA_free(key);
++ return ret;
++}
++
++#endif /* def OPENSSL_FIPS */
+diff -up openssl-1.0.2a/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.2a/crypto/fips/fips_rsa_x931g.c
+--- openssl-1.0.2a/crypto/fips/fips_rsa_x931g.c.fips 2015-04-22 16:08:40.299245820 +0200
++++ openssl-1.0.2a/crypto/fips/fips_rsa_x931g.c 2015-04-22 16:08:40.299245820 +0200
+@@ -0,0 +1,273 @@
++/* crypto/rsa/rsa_gen.c */
++/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
++ * All rights reserved.
++ *
++ * This package is an SSL implementation written
++ * by Eric Young (eay at cryptsoft.com).
++ * The implementation was written so as to conform with Netscapes SSL.
++ *
++ * This library is free for commercial and non-commercial use as long as
++ * the following conditions are aheared to. The following conditions
++ * apply to all code found in this distribution, be it the RC4, RSA,
++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
++ * included with this distribution is covered by the same copyright terms
++ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
++ *
++ * Copyright remains Eric Young's, and as such any Copyright notices in
++ * the code are not to be removed.
++ * If this package is used in a product, Eric Young should be given attribution
++ * as the author of the parts of the library used.
++ * This can be in the form of a textual message at program startup or
++ * in documentation (online or textual) provided with the package.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ * must display the following acknowledgement:
++ * "This product includes cryptographic software written by
++ * Eric Young (eay at cryptsoft.com)"
++ * The word 'cryptographic' can be left out if the rouines from the library
++ * being used are not cryptographic related :-).
++ * 4. If you include any Windows specific code (or a derivative thereof) from
++ * the apps directory (application code) you must include an acknowledgement:
++ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ * The licence and distribution terms for any publically available version or
++ * derivative of this code cannot be changed. i.e. this code cannot simply be
++ * copied and put under another distribution licence
++ * [including the GNU Public Licence.]
++ */
++
++#include <stdio.h>
++#include <string.h>
++#include <time.h>
++#include <openssl/err.h>
++#include <openssl/bn.h>
++#include <openssl/rsa.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++
++extern int fips_check_rsa(RSA *rsa);
++#endif
++
++/* X9.31 RSA key derivation and generation */
++
++int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1,
++ BIGNUM *q2, const BIGNUM *Xp1, const BIGNUM *Xp2,
++ const BIGNUM *Xp, const BIGNUM *Xq1, const BIGNUM *Xq2,
++ const BIGNUM *Xq, const BIGNUM *e, BN_GENCB *cb)
++{
++ BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL;
++ BN_CTX *ctx = NULL, *ctx2 = NULL;
++
++ if (!rsa)
++ goto err;
++
++ ctx = BN_CTX_new();
++ if (!ctx)
++ goto err;
++ BN_CTX_start(ctx);
++
++ r0 = BN_CTX_get(ctx);
++ r1 = BN_CTX_get(ctx);
++ r2 = BN_CTX_get(ctx);
++ r3 = BN_CTX_get(ctx);
++
++ if (r3 == NULL)
++ goto err;
++ if (!rsa->e) {
++ rsa->e = BN_dup(e);
++ if (!rsa->e)
++ goto err;
++ } else
++ e = rsa->e;
++
++ /* If not all parameters present only calculate what we can.
++ * This allows test programs to output selective parameters.
++ */
++
++ if (Xp && !rsa->p) {
++ rsa->p = BN_new();
++ if (!rsa->p)
++ goto err;
++
++ if (!BN_X931_derive_prime_ex(rsa->p, p1, p2,
++ Xp, Xp1, Xp2, e, ctx, cb))
++ goto err;
++ }
++
++ if (Xq && !rsa->q) {
++ rsa->q = BN_new();
++ if (!rsa->q)
++ goto err;
++ if (!BN_X931_derive_prime_ex(rsa->q, q1, q2,
++ Xq, Xq1, Xq2, e, ctx, cb))
++ goto err;
++ }
++
++ if (!rsa->p || !rsa->q) {
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++ return 2;
++ }
++
++ /* Since both primes are set we can now calculate all remaining
++ * components.
++ */
++
++ /* calculate n */
++ rsa->n = BN_new();
++ if (rsa->n == NULL)
++ goto err;
++ if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
++ goto err;
++
++ /* calculate d */
++ if (!BN_sub(r1, rsa->p, BN_value_one()))
++ goto err; /* p-1 */
++ if (!BN_sub(r2, rsa->q, BN_value_one()))
++ goto err; /* q-1 */
++ if (!BN_mul(r0, r1, r2, ctx))
++ goto err; /* (p-1)(q-1) */
++
++ if (!BN_gcd(r3, r1, r2, ctx))
++ goto err;
++
++ if (!BN_div(r0, NULL, r0, r3, ctx))
++ goto err; /* LCM((p-1)(q-1)) */
++
++ ctx2 = BN_CTX_new();
++ if (!ctx2)
++ goto err;
++
++ rsa->d = BN_mod_inverse(NULL, rsa->e, r0, ctx2); /* d */
++ if (rsa->d == NULL)
++ goto err;
++
++ /* calculate d mod (p-1) */
++ rsa->dmp1 = BN_new();
++ if (rsa->dmp1 == NULL)
++ goto err;
++ if (!BN_mod(rsa->dmp1, rsa->d, r1, ctx))
++ goto err;
++
++ /* calculate d mod (q-1) */
++ rsa->dmq1 = BN_new();
++ if (rsa->dmq1 == NULL)
++ goto err;
++ if (!BN_mod(rsa->dmq1, rsa->d, r2, ctx))
++ goto err;
++
++ /* calculate inverse of q mod p */
++ rsa->iqmp = BN_mod_inverse(NULL, rsa->q, rsa->p, ctx2);
++
++ err:
++ if (ctx) {
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++ }
++ if (ctx2)
++ BN_CTX_free(ctx2);
++ /* If this is set all calls successful */
++ if (rsa && rsa->iqmp != NULL)
++ return 1;
++
++ return 0;
++
++}
++
++int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e,
++ BN_GENCB *cb)
++{
++ int ok = 0;
++ BIGNUM *Xp = NULL, *Xq = NULL;
++ BN_CTX *ctx = NULL;
++
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) &&
++ (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
++ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX, FIPS_R_KEY_TOO_SHORT);
++ return 0;
++ }
++
++ if (bits & 0xff) {
++ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX, FIPS_R_INVALID_KEY_LENGTH);
++ return 0;
++ }
++
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX, FIPS_R_FIPS_SELFTEST_FAILED);
++ return 0;
++ }
++#endif
++
++ ctx = BN_CTX_new();
++ if (!ctx)
++ goto error;
++
++ BN_CTX_start(ctx);
++ Xp = BN_CTX_get(ctx);
++ Xq = BN_CTX_get(ctx);
++ if (!BN_X931_generate_Xpq(Xp, Xq, bits, ctx))
++ goto error;
++
++ rsa->p = BN_new();
++ rsa->q = BN_new();
++ if (!rsa->p || !rsa->q)
++ goto error;
++
++ /* Generate two primes from Xp, Xq */
++
++ if (!BN_X931_generate_prime_ex(rsa->p, NULL, NULL, NULL, NULL, Xp,
++ e, ctx, cb))
++ goto error;
++
++ if (!BN_X931_generate_prime_ex(rsa->q, NULL, NULL, NULL, NULL, Xq,
++ e, ctx, cb))
++ goto error;
++
++ /* Since rsa->p and rsa->q are valid this call will just derive
++ * remaining RSA components.
++ */
++
++ if (!RSA_X931_derive_ex(rsa, NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL, NULL, NULL, e, cb))
++ goto error;
++
++#ifdef OPENSSL_FIPS
++ if (!fips_check_rsa(rsa))
++ goto error;
++#endif
++
++ ok = 1;
++
++ error:
++ if (ctx) {
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++ }
++
++ if (ok)
++ return 1;
++
++ return 0;
++
++}
+diff -up openssl-1.0.2a/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_sha_selftest.c
+--- openssl-1.0.2a/crypto/fips/fips_sha_selftest.c.fips 2015-04-22 16:08:40.300245844 +0200
++++ openssl-1.0.2a/crypto/fips/fips_sha_selftest.c 2015-04-22 16:08:40.300245844 +0200
+@@ -0,0 +1,145 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++#include <openssl/evp.h>
++#include <openssl/sha.h>
++
++#ifdef OPENSSL_FIPS
++static const char test[][60] = {
++ "",
++ "abc",
++ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
++};
++
++static const unsigned char ret[][SHA_DIGEST_LENGTH] = {
++ {0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55,
++ 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09},
++ {0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a, 0xba, 0x3e,
++ 0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d},
++ {0x84, 0x98, 0x3e, 0x44, 0x1c, 0x3b, 0xd2, 0x6e, 0xba, 0xae,
++ 0x4a, 0xa1, 0xf9, 0x51, 0x29, 0xe5, 0xe5, 0x46, 0x70, 0xf1},
++};
++
++static int corrupt_sha;
++
++void FIPS_corrupt_sha1()
++{
++ corrupt_sha = 1;
++}
++
++int FIPS_selftest_sha1()
++{
++ int n;
++
++ for (n = 0; n < sizeof(test) / sizeof(test[0]); ++n) {
++ unsigned char md[SHA_DIGEST_LENGTH];
++
++ EVP_Digest(test[n], strlen(test[n]) + corrupt_sha, md, NULL,
++ EVP_sha1(), NULL);
++ if (memcmp(md, ret[n], sizeof md)) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA1, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++ }
++ return 1;
++}
++
++static const unsigned char msg_sha256[] =
++ { 0xfa, 0x48, 0x59, 0x2a, 0xe1, 0xae, 0x1f, 0x30,
++ 0xfc
++};
++
++static const unsigned char dig_sha256[] =
++ { 0xf7, 0x26, 0xd8, 0x98, 0x47, 0x91, 0x68, 0x5b,
++ 0x9e, 0x39, 0xb2, 0x58, 0xbb, 0x75, 0xbf, 0x01,
++ 0x17, 0x0c, 0x84, 0x00, 0x01, 0x7a, 0x94, 0x83,
++ 0xf3, 0x0b, 0x15, 0x84, 0x4b, 0x69, 0x88, 0x8a
++};
++
++static const unsigned char msg_sha512[] =
++ { 0x37, 0xd1, 0x35, 0x9d, 0x18, 0x41, 0xe9, 0xb7,
++ 0x6d, 0x9a, 0x13, 0xda, 0x5f, 0xf3, 0xbd
++};
++
++static const unsigned char dig_sha512[] =
++ { 0x11, 0x13, 0xc4, 0x19, 0xed, 0x2b, 0x1d, 0x16,
++ 0x11, 0xeb, 0x9b, 0xbe, 0xf0, 0x7f, 0xcf, 0x44,
++ 0x8b, 0xd7, 0x57, 0xbd, 0x8d, 0xa9, 0x25, 0xb0,
++ 0x47, 0x25, 0xd6, 0x6c, 0x9a, 0x54, 0x7f, 0x8f,
++ 0x0b, 0x53, 0x1a, 0x10, 0x68, 0x32, 0x03, 0x38,
++ 0x82, 0xc4, 0x87, 0xc4, 0xea, 0x0e, 0xd1, 0x04,
++ 0xa9, 0x98, 0xc1, 0x05, 0xa3, 0xf3, 0xf8, 0xb1,
++ 0xaf, 0xbc, 0xd9, 0x78, 0x7e, 0xee, 0x3d, 0x43
++};
++
++int FIPS_selftest_sha2(void)
++{
++ unsigned char md[SHA512_DIGEST_LENGTH];
++
++ EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL);
++ if (memcmp(dig_sha256, md, sizeof(dig_sha256))) {
++ FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++
++ EVP_Digest(msg_sha512, sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL);
++ if (memcmp(dig_sha512, md, sizeof(dig_sha512))) {
++ FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++
++ return 1;
++}
++
++#endif
+diff -up openssl-1.0.2a/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.2a/crypto/fips/fips_standalone_hmac.c
+--- openssl-1.0.2a/crypto/fips/fips_standalone_hmac.c.fips 2015-04-22 19:05:28.500174541 +0200
++++ openssl-1.0.2a/crypto/fips/fips_standalone_hmac.c 2015-04-22 19:20:28.777446278 +0200
+@@ -0,0 +1,268 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <openssl/opensslconf.h>
++#include <openssl/sha.h>
++#include <openssl/hmac.h>
++
++#ifndef FIPSCANISTER_O
++int FIPS_selftest_failed()
++{
++ return 0;
++}
++
++void FIPS_selftest_check()
++{
++}
++#endif
++
++#ifdef OPENSSL_FIPS
++int bn_mul_mont_fpu64(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
++ const BN_ULONG *np, const BN_ULONG *n0, int num)
++{
++ return 0;
++};
++
++int bn_mul_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
++ const BN_ULONG *np, const BN_ULONG *n0, int num)
++{
++ return 0;
++};
++
++# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
++ defined(__INTEL__) || \
++ defined(__x86_64) || defined(__x86_64__) || \
++ defined(_M_AMD64) || defined(_M_X64)
++
++unsigned int OPENSSL_ia32cap_P[4];
++unsigned long *OPENSSL_ia32cap_loc(void)
++{
++ if (sizeof(long) == 4)
++ /*
++ * If 32-bit application pulls address of OPENSSL_ia32cap_P[0]
++ * clear second element to maintain the illusion that vector
++ * is 32-bit.
++ */
++ OPENSSL_ia32cap_P[1] = 0;
++
++ OPENSSL_ia32cap_P[2] = 0;
++
++ return (unsigned long *)OPENSSL_ia32cap_P;
++}
++
++# if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM) && !defined(I386_ONLY)
++# define OPENSSL_CPUID_SETUP
++# if defined(_WIN32)
++typedef unsigned __int64 IA32CAP;
++# else
++typedef unsigned long long IA32CAP;
++# endif
++void OPENSSL_cpuid_setup(void)
++{
++ static int trigger = 0;
++ IA32CAP OPENSSL_ia32_cpuid(unsigned int *);
++ IA32CAP vec;
++ char *env;
++
++ if (trigger)
++ return;
++
++ trigger = 1;
++ if ((env = getenv("OPENSSL_ia32cap"))) {
++ int off = (env[0] == '~') ? 1 : 0;
++# if defined(_WIN32)
++ if (!sscanf(env + off, "%I64i", &vec))
++ vec = strtoul(env + off, NULL, 0);
++# else
++ if (!sscanf(env + off, "%lli", (long long *)&vec))
++ vec = strtoul(env + off, NULL, 0);
++# endif
++ if (off)
++ vec = OPENSSL_ia32_cpuid(OPENSSL_ia32cap_P) & ~vec;
++ else if (env[0] == ':')
++ vec = OPENSSL_ia32_cpuid(OPENSSL_ia32cap_P);
++
++ OPENSSL_ia32cap_P[2] = 0;
++ if ((env = strchr(env, ':'))) {
++ unsigned int vecx;
++ env++;
++ off = (env[0] == '~') ? 1 : 0;
++ vecx = strtoul(env + off, NULL, 0);
++ if (off)
++ OPENSSL_ia32cap_P[2] &= ~vecx;
++ else
++ OPENSSL_ia32cap_P[2] = vecx;
++ }
++ } else
++ vec = OPENSSL_ia32_cpuid(OPENSSL_ia32cap_P);
++
++ /*
++ * |(1<<10) sets a reserved bit to signal that variable
++ * was initialized already... This is to avoid interference
++ * with cpuid snippets in ELF .init segment.
++ */
++ OPENSSL_ia32cap_P[0] = (unsigned int)vec | (1 << 10);
++ OPENSSL_ia32cap_P[1] = (unsigned int)(vec >> 32);
++}
++# else
++unsigned int OPENSSL_ia32cap_P[4];
++# endif
++
++# else
++unsigned long *OPENSSL_ia32cap_loc(void)
++{
++ return NULL;
++}
++# endif
++int OPENSSL_NONPIC_relocated = 0;
++# if !defined(OPENSSL_CPUID_SETUP) && !defined(OPENSSL_CPUID_OBJ)
++void OPENSSL_cpuid_setup(void)
++{
++}
++# endif
++
++static void hmac_init(SHA256_CTX *md_ctx, SHA256_CTX *o_ctx, const char *key)
++{
++ size_t len = strlen(key);
++ int i;
++ unsigned char keymd[HMAC_MAX_MD_CBLOCK];
++ unsigned char pad[HMAC_MAX_MD_CBLOCK];
++
++ if (len > SHA_CBLOCK) {
++ SHA256_Init(md_ctx);
++ SHA256_Update(md_ctx, key, len);
++ SHA256_Final(keymd, md_ctx);
++ len = SHA256_DIGEST_LENGTH;
++ } else
++ memcpy(keymd, key, len);
++ memset(&keymd[len], '\0', HMAC_MAX_MD_CBLOCK - len);
++
++ for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++)
++ pad[i] = 0x36 ^ keymd[i];
++ SHA256_Init(md_ctx);
++ SHA256_Update(md_ctx, pad, SHA256_CBLOCK);
++
++ for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++)
++ pad[i] = 0x5c ^ keymd[i];
++ SHA256_Init(o_ctx);
++ SHA256_Update(o_ctx, pad, SHA256_CBLOCK);
++}
++
++static void hmac_final(unsigned char *md, SHA256_CTX *md_ctx,
++ SHA256_CTX *o_ctx)
++{
++ unsigned char buf[SHA256_DIGEST_LENGTH];
++
++ SHA256_Final(buf, md_ctx);
++ SHA256_Update(o_ctx, buf, sizeof buf);
++ SHA256_Final(md, o_ctx);
++}
++
++#endif
++
++int main(int argc, char **argv)
++{
++#ifdef OPENSSL_FIPS
++ static char key[] = "orboDeJITITejsirpADONivirpUkvarP";
++ int n, binary = 0;
++
++ if (argc < 2) {
++ fprintf(stderr, "%s [<file>]+\n", argv[0]);
++ exit(1);
++ }
++
++ n = 1;
++ if (!strcmp(argv[n], "-binary")) {
++ n++;
++ binary = 1; /* emit binary fingerprint... */
++ }
++
++ for (; n < argc; ++n) {
++ FILE *f = fopen(argv[n], "rb");
++ SHA256_CTX md_ctx, o_ctx;
++ unsigned char md[SHA256_DIGEST_LENGTH];
++ int i;
++
++ if (!f) {
++ perror(argv[n]);
++ exit(2);
++ }
++
++ hmac_init(&md_ctx, &o_ctx, key);
++ for (;;) {
++ char buf[1024];
++ size_t l = fread(buf, 1, sizeof buf, f);
++
++ if (l == 0) {
++ if (ferror(f)) {
++ perror(argv[n]);
++ exit(3);
++ } else
++ break;
++ }
++ SHA256_Update(&md_ctx, buf, l);
++ }
++ hmac_final(md, &md_ctx, &o_ctx);
++
++ if (binary) {
++ fwrite(md, SHA256_DIGEST_LENGTH, 1, stdout);
++ break; /* ... for single(!) file */
++ }
++
++/* printf("HMAC-SHA1(%s)= ",argv[n]); */
++ for (i = 0; i < SHA256_DIGEST_LENGTH; ++i)
++ printf("%02x", md[i]);
++ printf("\n");
++ }
++#endif
++ return 0;
++}
+diff -up openssl-1.0.2a/crypto/fips/fips_test_suite.c.fips openssl-1.0.2a/crypto/fips/fips_test_suite.c
+--- openssl-1.0.2a/crypto/fips/fips_test_suite.c.fips 2015-04-22 16:08:40.300245844 +0200
++++ openssl-1.0.2a/crypto/fips/fips_test_suite.c 2015-04-22 16:08:40.300245844 +0200
+@@ -0,0 +1,639 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ *
++ * This command is intended as a test driver for the FIPS-140 testing
++ * lab performing FIPS-140 validation. It demonstrates the use of the
++ * OpenSSL library ito perform a variety of common cryptographic
++ * functions. A power-up self test is demonstrated by deliberately
++ * pointing to an invalid executable hash
++ *
++ * Contributed by Steve Marquess.
++ *
++ */
++#include <stdio.h>
++#include <assert.h>
++#include <ctype.h>
++#include <string.h>
++#include <stdlib.h>
++#include <openssl/aes.h>
++#include <openssl/des.h>
++#include <openssl/rsa.h>
++#include <openssl/dsa.h>
++#include <openssl/dh.h>
++#include <openssl/hmac.h>
++#include <openssl/err.h>
++
++#include <openssl/bn.h>
++#include <openssl/rand.h>
++#include <openssl/sha.h>
++
++#ifndef OPENSSL_FIPS
++int main(int argc, char *argv[])
++{
++ printf("No FIPS support\n");
++ return (0);
++}
++#else
++
++# include <openssl/fips.h>
++# include "fips_utl.h"
++
++/* AES: encrypt and decrypt known plaintext, verify result matches original plaintext
++*/
++static int FIPS_aes_test(void)
++{
++ int ret = 0;
++ unsigned char pltmp[16];
++ unsigned char citmp[16];
++ unsigned char key[16] =
++ { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
++ unsigned char plaintext[16] = "etaonrishdlcu";
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++ if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(), NULL, key, NULL, 1) <= 0)
++ goto err;
++ EVP_Cipher(&ctx, citmp, plaintext, 16);
++ if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(), NULL, key, NULL, 0) <= 0)
++ goto err;
++ EVP_Cipher(&ctx, pltmp, citmp, 16);
++ if (memcmp(pltmp, plaintext, 16))
++ goto err;
++ ret = 1;
++ err:
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ return ret;
++}
++
++static int FIPS_des3_test(void)
++{
++ int ret = 0;
++ unsigned char pltmp[8];
++ unsigned char citmp[8];
++ unsigned char key[] =
++ { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18,
++ 19, 20, 21, 22, 23, 24
++ };
++ unsigned char plaintext[] = { 'e', 't', 'a', 'o', 'n', 'r', 'i', 's' };
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++ if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(), NULL, key, NULL, 1) <= 0)
++ goto err;
++ EVP_Cipher(&ctx, citmp, plaintext, 8);
++ if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(), NULL, key, NULL, 0) <= 0)
++ goto err;
++ EVP_Cipher(&ctx, pltmp, citmp, 8);
++ if (memcmp(pltmp, plaintext, 8))
++ goto err;
++ ret = 1;
++ err:
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ return ret;
++}
++
++/*
++ * DSA: generate keys and sign, verify input plaintext.
++ */
++static int FIPS_dsa_test(int bad)
++{
++ DSA *dsa = NULL;
++ EVP_PKEY pk;
++ unsigned char dgst[] = "etaonrishdlc";
++ unsigned char buf[60];
++ unsigned int slen;
++ int r = 0;
++ EVP_MD_CTX mctx;
++
++ ERR_clear_error();
++ EVP_MD_CTX_init(&mctx);
++ dsa = DSA_new();
++ if (!dsa)
++ goto end;
++ if (!DSA_generate_parameters_ex(dsa, 1024, NULL, 0, NULL, NULL, NULL))
++ goto end;
++ if (!DSA_generate_key(dsa))
++ goto end;
++ if (bad)
++ BN_add_word(dsa->pub_key, 1);
++
++ pk.type = EVP_PKEY_DSA;
++ pk.pkey.dsa = dsa;
++
++ if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL))
++ goto end;
++ if (!EVP_SignUpdate(&mctx, dgst, sizeof(dgst) - 1))
++ goto end;
++ if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
++ goto end;
++
++ if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL))
++ goto end;
++ if (!EVP_VerifyUpdate(&mctx, dgst, sizeof(dgst) - 1))
++ goto end;
++ r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
++ end:
++ EVP_MD_CTX_cleanup(&mctx);
++ if (dsa)
++ DSA_free(dsa);
++ if (r != 1)
++ return 0;
++ return 1;
++}
++
++/*
++ * RSA: generate keys and sign, verify input plaintext.
++ */
++static int FIPS_rsa_test(int bad)
++{
++ RSA *key;
++ unsigned char input_ptext[] = "etaonrishdlc";
++ unsigned char buf[256];
++ unsigned int slen;
++ BIGNUM *bn;
++ EVP_MD_CTX mctx;
++ EVP_PKEY pk;
++ int r = 0;
++
++ ERR_clear_error();
++ EVP_MD_CTX_init(&mctx);
++ key = RSA_new();
++ bn = BN_new();
++ if (!key || !bn)
++ return 0;
++ BN_set_word(bn, 65537);
++ if (!RSA_generate_key_ex(key, 1024, bn, NULL))
++ return 0;
++ BN_free(bn);
++ if (bad)
++ BN_add_word(key->n, 1);
++
++ pk.type = EVP_PKEY_RSA;
++ pk.pkey.rsa = key;
++
++ if (!EVP_SignInit_ex(&mctx, EVP_sha1(), NULL))
++ goto end;
++ if (!EVP_SignUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
++ goto end;
++ if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
++ goto end;
++
++ if (!EVP_VerifyInit_ex(&mctx, EVP_sha1(), NULL))
++ goto end;
++ if (!EVP_VerifyUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
++ goto end;
++ r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
++ end:
++ EVP_MD_CTX_cleanup(&mctx);
++ if (key)
++ RSA_free(key);
++ if (r != 1)
++ return 0;
++ return 1;
++}
++
++/* SHA1: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_sha1_test()
++{
++ unsigned char digest[SHA_DIGEST_LENGTH] =
++ { 0x11, 0xf1, 0x9a, 0x3a, 0xec, 0x1a, 0x1e, 0x8e, 0x65, 0xd4, 0x9a,
++0x38, 0x0c, 0x8b, 0x1e, 0x2c, 0xe8, 0xb3, 0xc5, 0x18 };
++ unsigned char str[] = "etaonrishd";
++
++ unsigned char md[SHA_DIGEST_LENGTH];
++
++ ERR_clear_error();
++ if (!EVP_Digest(str, sizeof(str) - 1, md, NULL, EVP_sha1(), NULL))
++ return 0;
++ if (memcmp(md, digest, sizeof(md)))
++ return 0;
++ return 1;
++}
++
++/* SHA256: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_sha256_test()
++{
++ unsigned char digest[SHA256_DIGEST_LENGTH] =
++ { 0xf5, 0x53, 0xcd, 0xb8, 0xcf, 0x1, 0xee, 0x17, 0x9b, 0x93, 0xc9,
++0x68, 0xc0, 0xea, 0x40, 0x91,
++ 0x6, 0xec, 0x8e, 0x11, 0x96, 0xc8, 0x5d, 0x1c, 0xaf, 0x64, 0x22, 0xe6,
++ 0x50, 0x4f, 0x47, 0x57
++ };
++ unsigned char str[] = "etaonrishd";
++
++ unsigned char md[SHA256_DIGEST_LENGTH];
++
++ ERR_clear_error();
++ if (!EVP_Digest(str, sizeof(str) - 1, md, NULL, EVP_sha256(), NULL))
++ return 0;
++ if (memcmp(md, digest, sizeof(md)))
++ return 0;
++ return 1;
++}
++
++/* SHA512: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_sha512_test()
++{
++ unsigned char digest[SHA512_DIGEST_LENGTH] =
++ { 0x99, 0xc9, 0xe9, 0x5b, 0x88, 0xd4, 0x78, 0x88, 0xdf, 0x88, 0x5f,
++0x94, 0x71, 0x64, 0x28, 0xca,
++ 0x16, 0x1f, 0x3d, 0xf4, 0x1f, 0xf3, 0x0f, 0xc5, 0x03, 0x99, 0xb2,
++ 0xd0, 0xe7, 0x0b, 0x94, 0x4a,
++ 0x45, 0xd2, 0x6c, 0x4f, 0x20, 0x06, 0xef, 0x71, 0xa9, 0x25, 0x7f,
++ 0x24, 0xb1, 0xd9, 0x40, 0x22,
++ 0x49, 0x54, 0x10, 0xc2, 0x22, 0x9d, 0x27, 0xfe, 0xbd, 0xd6, 0xd6,
++ 0xeb, 0x2d, 0x42, 0x1d, 0xa3
++ };
++ unsigned char str[] = "etaonrishd";
++
++ unsigned char md[SHA512_DIGEST_LENGTH];
++
++ ERR_clear_error();
++ if (!EVP_Digest(str, sizeof(str) - 1, md, NULL, EVP_sha512(), NULL))
++ return 0;
++ if (memcmp(md, digest, sizeof(md)))
++ return 0;
++ return 1;
++}
++
++/* HMAC-SHA1: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_hmac_sha1_test()
++{
++ unsigned char key[] = "etaonrishd";
++ unsigned char iv[] = "Sample text";
++ unsigned char kaval[EVP_MAX_MD_SIZE] =
++ { 0x73, 0xf7, 0xa0, 0x48, 0xf8, 0x94, 0xed, 0xdd, 0x0a, 0xea, 0xea,
++0x56, 0x1b, 0x61, 0x2e, 0x70,
++ 0xb2, 0xfb, 0xec, 0xc6
++ };
++
++ unsigned char out[EVP_MAX_MD_SIZE];
++ unsigned int outlen;
++
++ ERR_clear_error();
++ if (!HMAC
++ (EVP_sha1(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out, &outlen))
++ return 0;
++ if (memcmp(out, kaval, outlen))
++ return 0;
++ return 1;
++}
++
++/* HMAC-SHA224: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_hmac_sha224_test()
++{
++ unsigned char key[] = "etaonrishd";
++ unsigned char iv[] = "Sample text";
++ unsigned char kaval[EVP_MAX_MD_SIZE] =
++ { 0x75, 0x58, 0xd5, 0xbd, 0x55, 0x6d, 0x87, 0x0f, 0x75, 0xff, 0xbe,
++0x1c, 0xb2, 0xf0, 0x20, 0x35,
++ 0xe5, 0x62, 0x49, 0xb6, 0x94, 0xb9, 0xfc, 0x65, 0x34, 0x33, 0x3a, 0x19
++ };
++
++ unsigned char out[EVP_MAX_MD_SIZE];
++ unsigned int outlen;
++
++ ERR_clear_error();
++ if (!HMAC
++ (EVP_sha224(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out,
++ &outlen))
++ return 0;
++ if (memcmp(out, kaval, outlen))
++ return 0;
++ return 1;
++}
++
++/* HMAC-SHA256: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_hmac_sha256_test()
++{
++ unsigned char key[] = "etaonrishd";
++ unsigned char iv[] = "Sample text";
++ unsigned char kaval[EVP_MAX_MD_SIZE] =
++ { 0xe9, 0x17, 0xc1, 0x7b, 0x4c, 0x6b, 0x77, 0xda, 0xd2, 0x30, 0x36,
++0x02, 0xf5, 0x72, 0x33, 0x87,
++ 0x9f, 0xc6, 0x6e, 0x7b, 0x7e, 0xa8, 0xea, 0xaa, 0x9f, 0xba, 0xee,
++ 0x51, 0xff, 0xda, 0x24, 0xf4
++ };
++
++ unsigned char out[EVP_MAX_MD_SIZE];
++ unsigned int outlen;
++
++ ERR_clear_error();
++ if (!HMAC
++ (EVP_sha256(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out,
++ &outlen))
++ return 0;
++ if (memcmp(out, kaval, outlen))
++ return 0;
++ return 1;
++}
++
++/* HMAC-SHA384: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_hmac_sha384_test()
++{
++ unsigned char key[] = "etaonrishd";
++ unsigned char iv[] = "Sample text";
++ unsigned char kaval[EVP_MAX_MD_SIZE] =
++ { 0xb2, 0x9d, 0x40, 0x58, 0x32, 0xc4, 0xe3, 0x31, 0xb6, 0x63, 0x08,
++0x26, 0x99, 0xef, 0x3b, 0x10,
++ 0xe2, 0xdf, 0xf8, 0xff, 0xc6, 0xe1, 0x03, 0x29, 0x81, 0x2a, 0x1b,
++ 0xac, 0xb0, 0x07, 0x39, 0x08,
++ 0xf3, 0x91, 0x35, 0x11, 0x76, 0xd6, 0x4c, 0x20, 0xfb, 0x4d, 0xc3,
++ 0xf3, 0xb8, 0x9b, 0x88, 0x1c
++ };
++
++ unsigned char out[EVP_MAX_MD_SIZE];
++ unsigned int outlen;
++
++ ERR_clear_error();
++ if (!HMAC
++ (EVP_sha384(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out,
++ &outlen))
++ return 0;
++ if (memcmp(out, kaval, outlen))
++ return 0;
++ return 1;
++}
++
++/* HMAC-SHA512: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_hmac_sha512_test()
++{
++ unsigned char key[] = "etaonrishd";
++ unsigned char iv[] = "Sample text";
++ unsigned char kaval[EVP_MAX_MD_SIZE] =
++ { 0xcd, 0x3e, 0xb9, 0x51, 0xb8, 0xbc, 0x7f, 0x9a, 0x23, 0xaf, 0xf3,
++0x77, 0x59, 0x85, 0xa9, 0xe6,
++ 0xf7, 0xd1, 0x51, 0x96, 0x17, 0xe0, 0x92, 0xd8, 0xa6, 0x3b, 0xc1,
++ 0xad, 0x7e, 0x24, 0xca, 0xb1,
++ 0xd7, 0x79, 0x0a, 0xa5, 0xea, 0x2c, 0x02, 0x58, 0x0b, 0xa6, 0x52,
++ 0x6b, 0x61, 0x7f, 0xeb, 0x9c,
++ 0x47, 0x86, 0x5d, 0x74, 0x2b, 0x88, 0xdf, 0xee, 0x46, 0x69, 0x96,
++ 0x3d, 0xa6, 0xd9, 0x2a, 0x53
++ };
++
++ unsigned char out[EVP_MAX_MD_SIZE];
++ unsigned int outlen;
++
++ ERR_clear_error();
++ if (!HMAC
++ (EVP_sha512(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out,
++ &outlen))
++ return 0;
++ if (memcmp(out, kaval, outlen))
++ return 0;
++ return 1;
++}
++
++/* DH: generate shared parameters
++*/
++static int dh_test()
++{
++ DH *dh;
++ ERR_clear_error();
++ dh = FIPS_dh_new();
++ if (!dh)
++ return 0;
++ if (!DH_generate_parameters_ex(dh, 1024, 2, NULL))
++ return 0;
++ FIPS_dh_free(dh);
++ return 1;
++}
++
++/* Zeroize
++*/
++static int Zeroize()
++{
++ RSA *key;
++ BIGNUM *bn;
++ unsigned char userkey[16] =
++ { 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f,
++0x83, 0x02, 0xb1, 0x09, 0x68 };
++ int i, n;
++
++ key = FIPS_rsa_new();
++ bn = BN_new();
++ if (!key || !bn)
++ return 0;
++ BN_set_word(bn, 65537);
++ if (!RSA_generate_key_ex(key, 1024, bn, NULL))
++ return 0;
++ BN_free(bn);
++
++ n = BN_num_bytes(key->d);
++ printf(" Generated %d byte RSA private key\n", n);
++ printf("\tBN key before overwriting:\n");
++ do_bn_print(stdout, key->d);
++ BN_rand(key->d, n * 8, -1, 0);
++ printf("\tBN key after overwriting:\n");
++ do_bn_print(stdout, key->d);
++
++ printf("\tchar buffer key before overwriting: \n\t\t");
++ for (i = 0; i < sizeof(userkey); i++)
++ printf("%02x", userkey[i]);
++ printf("\n");
++ RAND_bytes(userkey, sizeof userkey);
++ printf("\tchar buffer key after overwriting: \n\t\t");
++ for (i = 0; i < sizeof(userkey); i++)
++ printf("%02x", userkey[i]);
++ printf("\n");
++
++ return 1;
++}
++
++static int Error;
++const char *Fail(const char *msg)
++{
++ do_print_errors();
++ Error++;
++ return msg;
++}
++
++int main(int argc, char **argv)
++{
++
++ int do_corrupt_rsa_keygen = 0, do_corrupt_dsa_keygen = 0;
++ int bad_rsa = 0, bad_dsa = 0;
++ int do_rng_stick = 0;
++ int no_exit = 0;
++
++ printf("\tFIPS-mode test application\n\n");
++
++ /* Load entropy from external file, if any */
++ RAND_load_file(".rnd", 1024);
++
++ if (argv[1]) {
++ /* Corrupted KAT tests */
++ if (!strcmp(argv[1], "aes")) {
++ FIPS_corrupt_aes();
++ printf("AES encryption/decryption with corrupted KAT...\n");
++ } else if (!strcmp(argv[1], "des")) {
++ FIPS_corrupt_des();
++ printf("DES3-ECB encryption/decryption with corrupted KAT...\n");
++ } else if (!strcmp(argv[1], "dsa")) {
++ FIPS_corrupt_dsa();
++ printf
++ ("DSA key generation and signature validation with corrupted KAT...\n");
++ } else if (!strcmp(argv[1], "rsa")) {
++ FIPS_corrupt_rsa();
++ printf
++ ("RSA key generation and signature validation with corrupted KAT...\n");
++ } else if (!strcmp(argv[1], "rsakey")) {
++ printf
++ ("RSA key generation and signature validation with corrupted key...\n");
++ bad_rsa = 1;
++ no_exit = 1;
++ } else if (!strcmp(argv[1], "rsakeygen")) {
++ do_corrupt_rsa_keygen = 1;
++ no_exit = 1;
++ printf
++ ("RSA key generation and signature validation with corrupted keygen...\n");
++ } else if (!strcmp(argv[1], "dsakey")) {
++ printf
++ ("DSA key generation and signature validation with corrupted key...\n");
++ bad_dsa = 1;
++ no_exit = 1;
++ } else if (!strcmp(argv[1], "dsakeygen")) {
++ do_corrupt_dsa_keygen = 1;
++ no_exit = 1;
++ printf
++ ("DSA key generation and signature validation with corrupted keygen...\n");
++ } else if (!strcmp(argv[1], "sha1")) {
++ FIPS_corrupt_sha1();
++ printf("SHA-1 hash with corrupted KAT...\n");
++ } else if (!strcmp(argv[1], "rng")) {
++ FIPS_corrupt_rng();
++ } else if (!strcmp(argv[1], "rngstick")) {
++ do_rng_stick = 1;
++ no_exit = 1;
++ printf("RNG test with stuck continuous test...\n");
++ } else {
++ printf("Bad argument \"%s\"\n", argv[1]);
++ exit(1);
++ }
++ if (!no_exit) {
++ if (!FIPS_mode_set(1)) {
++ do_print_errors();
++ printf("Power-up self test failed\n");
++ exit(1);
++ }
++ printf("Power-up self test successful\n");
++ exit(0);
++ }
++ }
++
++ /* Non-Approved cryptographic operation
++ */
++ printf("1. Non-Approved cryptographic operation test...\n");
++ printf("\ta. Included algorithm (D-H)...");
++ printf(dh_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* Power-up self test
++ */
++ ERR_clear_error();
++ printf("2. Automatic power-up self test...");
++ if (!FIPS_mode_set(1)) {
++ do_print_errors();
++ printf(Fail("FAILED!\n"));
++ exit(1);
++ }
++ printf("successful\n");
++ if (do_corrupt_dsa_keygen)
++ FIPS_corrupt_dsa_keygen();
++ if (do_corrupt_rsa_keygen)
++ FIPS_corrupt_rsa_keygen();
++ if (do_rng_stick)
++ FIPS_rng_stick();
++
++ /* AES encryption/decryption
++ */
++ printf("3. AES encryption/decryption...");
++ printf(FIPS_aes_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* RSA key generation and encryption/decryption
++ */
++ printf("4. RSA key generation and encryption/decryption...");
++ printf(FIPS_rsa_test(bad_rsa) ? "successful\n" : Fail("FAILED!\n"));
++
++ /* DES-CBC encryption/decryption
++ */
++ printf("5. DES-ECB encryption/decryption...");
++ printf(FIPS_des3_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* DSA key generation and signature validation
++ */
++ printf("6. DSA key generation and signature validation...");
++ printf(FIPS_dsa_test(bad_dsa) ? "successful\n" : Fail("FAILED!\n"));
++
++ /* SHA-1 hash
++ */
++ printf("7a. SHA-1 hash...");
++ printf(FIPS_sha1_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* SHA-256 hash
++ */
++ printf("7b. SHA-256 hash...");
++ printf(FIPS_sha256_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* SHA-512 hash
++ */
++ printf("7c. SHA-512 hash...");
++ printf(FIPS_sha512_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* HMAC-SHA-1 hash
++ */
++ printf("7d. HMAC-SHA-1 hash...");
++ printf(FIPS_hmac_sha1_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* HMAC-SHA-224 hash
++ */
++ printf("7e. HMAC-SHA-224 hash...");
++ printf(FIPS_hmac_sha224_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* HMAC-SHA-256 hash
++ */
++ printf("7f. HMAC-SHA-256 hash...");
++ printf(FIPS_hmac_sha256_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* HMAC-SHA-384 hash
++ */
++ printf("7g. HMAC-SHA-384 hash...");
++ printf(FIPS_hmac_sha384_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* HMAC-SHA-512 hash
++ */
++ printf("7h. HMAC-SHA-512 hash...");
++ printf(FIPS_hmac_sha512_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* Non-Approved cryptographic operation
++ */
++ printf("8. Non-Approved cryptographic operation test...\n");
++ printf("\ta. Included algorithm (D-H)...");
++ printf(dh_test()? "successful as expected\n"
++ : Fail("failed INCORRECTLY!\n"));
++
++ /* Zeroization
++ */
++ printf("9. Zero-ization...\n");
++ printf(Zeroize()? "\tsuccessful as expected\n"
++ : Fail("\tfailed INCORRECTLY!\n"));
++
++ printf("\nAll tests completed with %d errors\n", Error);
++ return Error ? 1 : 0;
++}
++
++#endif
+diff -up openssl-1.0.2a/crypto/fips/Makefile.fips openssl-1.0.2a/crypto/fips/Makefile
+--- openssl-1.0.2a/crypto/fips/Makefile.fips 2015-04-22 16:08:40.300245844 +0200
++++ openssl-1.0.2a/crypto/fips/Makefile 2015-04-22 16:08:40.300245844 +0200
+@@ -0,0 +1,341 @@
++#
++# OpenSSL/crypto/fips/Makefile
++#
++
++DIR= fips
++TOP= ../..
++CC= cc
++INCLUDES=
++CFLAG=-g
++MAKEFILE= Makefile
++AR= ar r
++
++CFLAGS= $(INCLUDES) $(CFLAG)
++
++GENERAL=Makefile
++TEST=fips_test_suite.c fips_randtest.c
++APPS=
++
++PROGRAM= fips_standalone_hmac
++EXE= $(PROGRAM)$(EXE_EXT)
++
++LIB=$(TOP)/libcrypto.a
++LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_selftest.c \
++ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
++ fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
++ fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
++ fips_cmac_selftest.c fips_enc.c fips_md.c
++
++LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \
++ fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \
++ fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \
++ fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \
++ fips_cmac_selftest.o fips_enc.o fips_md.o
++
++LIBCRYPTO=-L.. -lcrypto
++
++SRC= $(LIBSRC) fips_standalone_hmac.c
++
++EXHEADER= fips.h fips_rand.h
++HEADER= $(EXHEADER)
++
++ALL= $(GENERAL) $(SRC) $(HEADER)
++
++top:
++ (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
++
++all: lib exe
++
++lib: $(LIBOBJ)
++ $(AR) $(LIB) $(LIBOBJ)
++ $(RANLIB) $(LIB) || echo Never mind.
++ @touch lib
++
++exe: $(EXE)
++
++files:
++ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
++
++links:
++ @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
++ @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
++ @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
++
++install:
++ @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
++ @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
++ do \
++ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
++ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
++ done;
++
++tags:
++ ctags $(SRC)
++
++tests:
++
++lint:
++ lint -DLINT $(INCLUDES) $(SRC)>fluff
++
++depend:
++ @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
++ $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
++
++dclean:
++ $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
++ mv -f Makefile.new $(MAKEFILE)
++
++clean:
++ rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
++
++$(EXE): $(PROGRAM).o
++ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../sha/$$i" ; done; \
++ for i in $(CPUID_OBJ); do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../$$i" ; done; \
++ $(CC) -o $@ $(CFLAGS) $(PROGRAM).o $$FIPS_SHA_ASM
++
++# DO NOT DELETE THIS LINE -- make depend depends on it.
++
++fips.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
++fips.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips.o: ../../include/openssl/fips_rand.h ../../include/openssl/hmac.h
++fips.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
++fips.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
++fips.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
++fips.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
++fips.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
++fips.o: ../../include/openssl/symhacks.h fips.c fips_locl.h
++fips_aes_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_aes_selftest.o: ../../include/openssl/crypto.h
++fips_aes_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_aes_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_aes_selftest.o: ../../include/openssl/lhash.h
++fips_aes_selftest.o: ../../include/openssl/obj_mac.h
++fips_aes_selftest.o: ../../include/openssl/objects.h
++fips_aes_selftest.o: ../../include/openssl/opensslconf.h
++fips_aes_selftest.o: ../../include/openssl/opensslv.h
++fips_aes_selftest.o: ../../include/openssl/ossl_typ.h
++fips_aes_selftest.o: ../../include/openssl/safestack.h
++fips_aes_selftest.o: ../../include/openssl/stack.h
++fips_aes_selftest.o: ../../include/openssl/symhacks.h fips_aes_selftest.c
++fips_des_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_des_selftest.o: ../../include/openssl/crypto.h
++fips_des_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_des_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_des_selftest.o: ../../include/openssl/lhash.h
++fips_des_selftest.o: ../../include/openssl/obj_mac.h
++fips_des_selftest.o: ../../include/openssl/objects.h
++fips_des_selftest.o: ../../include/openssl/opensslconf.h
++fips_des_selftest.o: ../../include/openssl/opensslv.h
++fips_des_selftest.o: ../../include/openssl/ossl_typ.h
++fips_des_selftest.o: ../../include/openssl/safestack.h
++fips_des_selftest.o: ../../include/openssl/stack.h
++fips_des_selftest.o: ../../include/openssl/symhacks.h fips_des_selftest.c
++fips_drbg_ctr.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_drbg_ctr.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
++fips_drbg_ctr.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
++fips_drbg_ctr.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
++fips_drbg_ctr.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
++fips_drbg_ctr.o: ../../include/openssl/objects.h
++fips_drbg_ctr.o: ../../include/openssl/opensslconf.h
++fips_drbg_ctr.o: ../../include/openssl/opensslv.h
++fips_drbg_ctr.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
++fips_drbg_ctr.o: ../../include/openssl/safestack.h
++fips_drbg_ctr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
++fips_drbg_ctr.o: fips_drbg_ctr.c fips_rand_lcl.h
++fips_drbg_hash.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_drbg_hash.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
++fips_drbg_hash.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
++fips_drbg_hash.o: ../../include/openssl/fips.h
++fips_drbg_hash.o: ../../include/openssl/fips_rand.h
++fips_drbg_hash.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
++fips_drbg_hash.o: ../../include/openssl/objects.h
++fips_drbg_hash.o: ../../include/openssl/opensslconf.h
++fips_drbg_hash.o: ../../include/openssl/opensslv.h
++fips_drbg_hash.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
++fips_drbg_hash.o: ../../include/openssl/safestack.h
++fips_drbg_hash.o: ../../include/openssl/stack.h
++fips_drbg_hash.o: ../../include/openssl/symhacks.h fips_drbg_hash.c
++fips_drbg_hash.o: fips_rand_lcl.h
++fips_drbg_hmac.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_drbg_hmac.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
++fips_drbg_hmac.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
++fips_drbg_hmac.o: ../../include/openssl/fips.h
++fips_drbg_hmac.o: ../../include/openssl/fips_rand.h
++fips_drbg_hmac.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
++fips_drbg_hmac.o: ../../include/openssl/objects.h
++fips_drbg_hmac.o: ../../include/openssl/opensslconf.h
++fips_drbg_hmac.o: ../../include/openssl/opensslv.h
++fips_drbg_hmac.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
++fips_drbg_hmac.o: ../../include/openssl/safestack.h
++fips_drbg_hmac.o: ../../include/openssl/stack.h
++fips_drbg_hmac.o: ../../include/openssl/symhacks.h fips_drbg_hmac.c
++fips_drbg_hmac.o: fips_rand_lcl.h
++fips_drbg_lib.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_drbg_lib.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
++fips_drbg_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_drbg_lib.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_drbg_lib.o: ../../include/openssl/fips_rand.h ../../include/openssl/hmac.h
++fips_drbg_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
++fips_drbg_lib.o: ../../include/openssl/objects.h
++fips_drbg_lib.o: ../../include/openssl/opensslconf.h
++fips_drbg_lib.o: ../../include/openssl/opensslv.h
++fips_drbg_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
++fips_drbg_lib.o: ../../include/openssl/safestack.h
++fips_drbg_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
++fips_drbg_lib.o: fips_drbg_lib.c fips_locl.h fips_rand_lcl.h
++fips_drbg_rand.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_drbg_rand.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
++fips_drbg_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_drbg_rand.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_drbg_rand.o: ../../include/openssl/fips_rand.h
++fips_drbg_rand.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
++fips_drbg_rand.o: ../../include/openssl/obj_mac.h
++fips_drbg_rand.o: ../../include/openssl/objects.h
++fips_drbg_rand.o: ../../include/openssl/opensslconf.h
++fips_drbg_rand.o: ../../include/openssl/opensslv.h
++fips_drbg_rand.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
++fips_drbg_rand.o: ../../include/openssl/safestack.h
++fips_drbg_rand.o: ../../include/openssl/stack.h
++fips_drbg_rand.o: ../../include/openssl/symhacks.h fips_drbg_rand.c
++fips_drbg_rand.o: fips_rand_lcl.h
++fips_drbg_selftest.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_drbg_selftest.o: ../../include/openssl/bio.h
++fips_drbg_selftest.o: ../../include/openssl/crypto.h
++fips_drbg_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_drbg_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_drbg_selftest.o: ../../include/openssl/fips_rand.h
++fips_drbg_selftest.o: ../../include/openssl/hmac.h
++fips_drbg_selftest.o: ../../include/openssl/lhash.h
++fips_drbg_selftest.o: ../../include/openssl/obj_mac.h
++fips_drbg_selftest.o: ../../include/openssl/objects.h
++fips_drbg_selftest.o: ../../include/openssl/opensslconf.h
++fips_drbg_selftest.o: ../../include/openssl/opensslv.h
++fips_drbg_selftest.o: ../../include/openssl/ossl_typ.h
++fips_drbg_selftest.o: ../../include/openssl/rand.h
++fips_drbg_selftest.o: ../../include/openssl/safestack.h
++fips_drbg_selftest.o: ../../include/openssl/stack.h
++fips_drbg_selftest.o: ../../include/openssl/symhacks.h fips_drbg_selftest.c
++fips_drbg_selftest.o: fips_drbg_selftest.h fips_locl.h fips_rand_lcl.h
++fips_dsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_dsa_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
++fips_dsa_selftest.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
++fips_dsa_selftest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
++fips_dsa_selftest.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
++fips_dsa_selftest.o: ../../include/openssl/obj_mac.h
++fips_dsa_selftest.o: ../../include/openssl/objects.h
++fips_dsa_selftest.o: ../../include/openssl/opensslconf.h
++fips_dsa_selftest.o: ../../include/openssl/opensslv.h
++fips_dsa_selftest.o: ../../include/openssl/ossl_typ.h
++fips_dsa_selftest.o: ../../include/openssl/safestack.h
++fips_dsa_selftest.o: ../../include/openssl/stack.h
++fips_dsa_selftest.o: ../../include/openssl/symhacks.h fips_dsa_selftest.c
++fips_dsa_selftest.o: fips_locl.h
++fips_hmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_hmac_selftest.o: ../../include/openssl/crypto.h
++fips_hmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_hmac_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_hmac_selftest.o: ../../include/openssl/hmac.h
++fips_hmac_selftest.o: ../../include/openssl/lhash.h
++fips_hmac_selftest.o: ../../include/openssl/obj_mac.h
++fips_hmac_selftest.o: ../../include/openssl/objects.h
++fips_hmac_selftest.o: ../../include/openssl/opensslconf.h
++fips_hmac_selftest.o: ../../include/openssl/opensslv.h
++fips_hmac_selftest.o: ../../include/openssl/ossl_typ.h
++fips_hmac_selftest.o: ../../include/openssl/safestack.h
++fips_hmac_selftest.o: ../../include/openssl/stack.h
++fips_hmac_selftest.o: ../../include/openssl/symhacks.h fips_hmac_selftest.c
++fips_post.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_post.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
++fips_post.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
++fips_post.o: ../../include/openssl/err.h ../../include/openssl/evp.h
++fips_post.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
++fips_post.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
++fips_post.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
++fips_post.o: ../../include/openssl/opensslconf.h
++fips_post.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
++fips_post.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
++fips_post.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
++fips_post.o: ../../include/openssl/symhacks.h fips_locl.h fips_post.c
++fips_rand.o: ../../e_os.h ../../include/openssl/aes.h
++fips_rand.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_rand.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
++fips_rand.o: ../../include/openssl/err.h ../../include/openssl/evp.h
++fips_rand.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
++fips_rand.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
++fips_rand.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
++fips_rand.o: ../../include/openssl/opensslconf.h
++fips_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
++fips_rand.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
++fips_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
++fips_rand.o: fips_locl.h fips_rand.c
++fips_rand_lib.o: ../../e_os.h ../../include/openssl/aes.h
++fips_rand_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_rand_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
++fips_rand_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
++fips_rand_lib.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
++fips_rand_lib.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
++fips_rand_lib.o: ../../include/openssl/obj_mac.h
++fips_rand_lib.o: ../../include/openssl/objects.h
++fips_rand_lib.o: ../../include/openssl/opensslconf.h
++fips_rand_lib.o: ../../include/openssl/opensslv.h
++fips_rand_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
++fips_rand_lib.o: ../../include/openssl/safestack.h
++fips_rand_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
++fips_rand_lib.o: fips_rand_lib.c
++fips_rand_selftest.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_rand_selftest.o: ../../include/openssl/bio.h
++fips_rand_selftest.o: ../../include/openssl/crypto.h
++fips_rand_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_rand_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_rand_selftest.o: ../../include/openssl/fips_rand.h
++fips_rand_selftest.o: ../../include/openssl/hmac.h
++fips_rand_selftest.o: ../../include/openssl/lhash.h
++fips_rand_selftest.o: ../../include/openssl/obj_mac.h
++fips_rand_selftest.o: ../../include/openssl/objects.h
++fips_rand_selftest.o: ../../include/openssl/opensslconf.h
++fips_rand_selftest.o: ../../include/openssl/opensslv.h
++fips_rand_selftest.o: ../../include/openssl/ossl_typ.h
++fips_rand_selftest.o: ../../include/openssl/rand.h
++fips_rand_selftest.o: ../../include/openssl/safestack.h
++fips_rand_selftest.o: ../../include/openssl/stack.h
++fips_rand_selftest.o: ../../include/openssl/symhacks.h fips_locl.h
++fips_rand_selftest.o: fips_rand_selftest.c
++fips_rsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_rsa_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
++fips_rsa_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_rsa_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_rsa_selftest.o: ../../include/openssl/lhash.h
++fips_rsa_selftest.o: ../../include/openssl/obj_mac.h
++fips_rsa_selftest.o: ../../include/openssl/objects.h
++fips_rsa_selftest.o: ../../include/openssl/opensslconf.h
++fips_rsa_selftest.o: ../../include/openssl/opensslv.h
++fips_rsa_selftest.o: ../../include/openssl/ossl_typ.h
++fips_rsa_selftest.o: ../../include/openssl/rsa.h
++fips_rsa_selftest.o: ../../include/openssl/safestack.h
++fips_rsa_selftest.o: ../../include/openssl/stack.h
++fips_rsa_selftest.o: ../../include/openssl/symhacks.h fips_rsa_selftest.c
++fips_rsa_x931g.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_rsa_x931g.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
++fips_rsa_x931g.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_rsa_x931g.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
++fips_rsa_x931g.o: ../../include/openssl/opensslconf.h
++fips_rsa_x931g.o: ../../include/openssl/opensslv.h
++fips_rsa_x931g.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rsa.h
++fips_rsa_x931g.o: ../../include/openssl/safestack.h
++fips_rsa_x931g.o: ../../include/openssl/stack.h
++fips_rsa_x931g.o: ../../include/openssl/symhacks.h fips_rsa_x931g.c
++fips_sha_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_sha_selftest.o: ../../include/openssl/crypto.h
++fips_sha_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_sha_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_sha_selftest.o: ../../include/openssl/lhash.h
++fips_sha_selftest.o: ../../include/openssl/obj_mac.h
++fips_sha_selftest.o: ../../include/openssl/objects.h
++fips_sha_selftest.o: ../../include/openssl/opensslconf.h
++fips_sha_selftest.o: ../../include/openssl/opensslv.h
++fips_sha_selftest.o: ../../include/openssl/ossl_typ.h
++fips_sha_selftest.o: ../../include/openssl/safestack.h
++fips_sha_selftest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
++fips_sha_selftest.o: ../../include/openssl/symhacks.h fips_sha_selftest.c
+diff -up openssl-1.0.2a/crypto/hmac/hmac.c.fips openssl-1.0.2a/crypto/hmac/hmac.c
+--- openssl-1.0.2a/crypto/hmac/hmac.c.fips 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/hmac/hmac.c 2015-04-22 16:08:40.301245867 +0200
+@@ -89,12 +89,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
+ EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS);
+ return 0;
+ }
+- /*
+- * Other algorithm blocking will be done in FIPS_cmac_init, via
+- * FIPS_hmac_init_ex().
+- */
+- if (!impl && !ctx->i_ctx.engine)
+- return FIPS_hmac_init_ex(ctx, key, len, md, NULL);
+ }
+ #endif
+
+@@ -105,6 +99,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
+ md = ctx->md;
+
+ if (key != NULL) {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(md->flags & EVP_MD_FLAG_FIPS)
++ && (!(ctx->md_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
++ || !(ctx->i_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
++ || !(ctx->o_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))
++ goto err;
++#endif
+ reset = 1;
+ j = EVP_MD_block_size(md);
+ OPENSSL_assert(j <= (int)sizeof(ctx->key));
+@@ -157,10 +158,6 @@ int HMAC_Init(HMAC_CTX *ctx, const void
+
+ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
+ {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !ctx->i_ctx.engine)
+- return FIPS_hmac_update(ctx, data, len);
+-#endif
+ return EVP_DigestUpdate(&ctx->md_ctx, data, len);
+ }
+
+@@ -168,10 +165,6 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned c
+ {
+ unsigned int i;
+ unsigned char buf[EVP_MAX_MD_SIZE];
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !ctx->i_ctx.engine)
+- return FIPS_hmac_final(ctx, md, len);
+-#endif
+
+ if (!EVP_DigestFinal_ex(&ctx->md_ctx, buf, &i))
+ goto err;
+@@ -211,12 +204,6 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_C
+
+ void HMAC_CTX_cleanup(HMAC_CTX *ctx)
+ {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !ctx->i_ctx.engine) {
+- FIPS_hmac_ctx_cleanup(ctx);
+- return;
+- }
+-#endif
+ EVP_MD_CTX_cleanup(&ctx->i_ctx);
+ EVP_MD_CTX_cleanup(&ctx->o_ctx);
+ EVP_MD_CTX_cleanup(&ctx->md_ctx);
+diff -up openssl-1.0.2a/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.2a/crypto/mdc2/mdc2dgst.c
+--- openssl-1.0.2a/crypto/mdc2/mdc2dgst.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/mdc2/mdc2dgst.c 2015-04-22 16:08:40.301245867 +0200
+@@ -76,7 +76,7 @@
+ *((c)++)=(unsigned char)(((l)>>24L)&0xff))
+
+ static void mdc2_body(MDC2_CTX *c, const unsigned char *in, size_t len);
+-fips_md_init(MDC2)
++nonfips_md_init(MDC2)
+ {
+ c->num = 0;
+ c->pad_type = 1;
+diff -up openssl-1.0.2a/crypto/md2/md2_dgst.c.fips openssl-1.0.2a/crypto/md2/md2_dgst.c
+--- openssl-1.0.2a/crypto/md2/md2_dgst.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/md2/md2_dgst.c 2015-04-22 16:08:40.301245867 +0200
+@@ -62,6 +62,11 @@
+ #include <openssl/md2.h>
+ #include <openssl/opensslv.h>
+ #include <openssl/crypto.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++
++#include <openssl/err.h>
+
+ const char MD2_version[] = "MD2" OPENSSL_VERSION_PTEXT;
+
+@@ -119,7 +124,7 @@ const char *MD2_options(void)
+ return ("md2(int)");
+ }
+
+-fips_md_init(MD2)
++nonfips_md_init(MD2)
+ {
+ c->num = 0;
+ memset(c->state, 0, sizeof c->state);
+diff -up openssl-1.0.2a/crypto/md4/md4_dgst.c.fips openssl-1.0.2a/crypto/md4/md4_dgst.c
+--- openssl-1.0.2a/crypto/md4/md4_dgst.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/md4/md4_dgst.c 2015-04-22 16:08:40.301245867 +0200
+@@ -72,7 +72,7 @@ const char MD4_version[] = "MD4" OPENSSL
+ #define INIT_DATA_C (unsigned long)0x98badcfeL
+ #define INIT_DATA_D (unsigned long)0x10325476L
+
+-fips_md_init(MD4)
++nonfips_md_init(MD4)
+ {
+ memset(c, 0, sizeof(*c));
+ c->A = INIT_DATA_A;
+diff -up openssl-1.0.2a/crypto/md5/md5_dgst.c.fips openssl-1.0.2a/crypto/md5/md5_dgst.c
+--- openssl-1.0.2a/crypto/md5/md5_dgst.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/md5/md5_dgst.c 2015-04-22 16:08:40.301245867 +0200
+@@ -72,7 +72,7 @@ const char MD5_version[] = "MD5" OPENSSL
+ #define INIT_DATA_C (unsigned long)0x98badcfeL
+ #define INIT_DATA_D (unsigned long)0x10325476L
+
+-fips_md_init(MD5)
++nonfips_md_init(MD5)
+ {
+ memset(c, 0, sizeof(*c));
+ c->A = INIT_DATA_A;
+diff -up openssl-1.0.2a/crypto/o_fips.c.fips openssl-1.0.2a/crypto/o_fips.c
+--- openssl-1.0.2a/crypto/o_fips.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/o_fips.c 2015-04-22 16:08:40.301245867 +0200
+@@ -80,6 +80,8 @@ int FIPS_mode_set(int r)
+ # ifndef FIPS_AUTH_USER_PASS
+ # define FIPS_AUTH_USER_PASS "Default FIPS Crypto User Password"
+ # endif
++ if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */
++ return 1;
+ if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS))
+ return 0;
+ if (r)
+diff -up openssl-1.0.2a/crypto/o_init.c.fips openssl-1.0.2a/crypto/o_init.c
+--- openssl-1.0.2a/crypto/o_init.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/o_init.c 2015-04-22 16:08:40.301245867 +0200
+@@ -56,8 +56,37 @@
+ #include <e_os.h>
+ #include <openssl/err.h>
+ #ifdef OPENSSL_FIPS
++# include <sys/types.h>
++# include <sys/stat.h>
++# include <fcntl.h>
++# include <unistd.h>
++# include <errno.h>
++# include <stdlib.h>
+ # include <openssl/fips.h>
+ # include <openssl/rand.h>
++
++# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
++
++static void init_fips_mode(void)
++{
++ char buf[2] = "0";
++ int fd;
++
++ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
++ buf[0] = '1';
++ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
++ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
++ close(fd);
++ }
++ /* Failure reading the fips mode switch file means just not
++ * switching into FIPS mode. We would break too many things
++ * otherwise..
++ */
++
++ if (buf[0] == '1') {
++ FIPS_mode_set(1);
++ }
++}
+ #endif
+
+ /*
+@@ -65,19 +94,26 @@
+ * sets FIPS callbacks
+ */
+
+-void OPENSSL_init(void)
++void OPENSSL_init_library(void)
+ {
+ static int done = 0;
+ if (done)
+ return;
+ done = 1;
+ #ifdef OPENSSL_FIPS
+- FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock);
+- FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);
+- FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);
+ RAND_init_fips();
++ init_fips_mode();
++ if (!FIPS_mode()) {
++ /* Clean up prematurely set default rand method */
++ RAND_set_rand_method(NULL);
++ }
+ #endif
+ #if 0
+ fprintf(stderr, "Called OPENSSL_init\n");
+ #endif
+ }
++
++void OPENSSL_init(void)
++{
++ OPENSSL_init_library();
++}
+diff -up openssl-1.0.2a/crypto/opensslconf.h.in.fips openssl-1.0.2a/crypto/opensslconf.h.in
+--- openssl-1.0.2a/crypto/opensslconf.h.in.fips 2015-01-20 13:33:36.000000000 +0100
++++ openssl-1.0.2a/crypto/opensslconf.h.in 2015-04-22 16:08:40.301245867 +0200
+@@ -1,5 +1,20 @@
+ /* crypto/opensslconf.h.in */
+
++#ifdef OPENSSL_DOING_MAKEDEPEND
++
++/* Include any symbols here that have to be explicitly set to enable a feature
++ * that should be visible to makedepend.
++ *
++ * [Our "make depend" doesn't actually look at this, we use actual build settings
++ * instead; we want to make it easy to remove subdirectories with disabled algorithms.]
++ */
++
++#ifndef OPENSSL_FIPS
++#define OPENSSL_FIPS
++#endif
++
++#endif
++
+ /* Generate 80386 code? */
+ #undef I386_ONLY
+
+diff -up openssl-1.0.2a/crypto/rand/md_rand.c.fips openssl-1.0.2a/crypto/rand/md_rand.c
+--- openssl-1.0.2a/crypto/rand/md_rand.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/rand/md_rand.c 2015-04-22 16:08:40.302245891 +0200
+@@ -391,7 +391,10 @@ int ssleay_rand_bytes(unsigned char *buf
+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
+ crypto_lock_rand = 1;
+
+- if (!initialized) {
++ /* always poll for external entropy in FIPS mode, drbg provides the
++ * expansion
++ */
++ if (!initialized || FIPS_module_mode()) {
+ RAND_poll();
+ initialized = 1;
+ }
+diff -up openssl-1.0.2a/crypto/rand/rand.h.fips openssl-1.0.2a/crypto/rand/rand.h
+--- openssl-1.0.2a/crypto/rand/rand.h.fips 2015-04-22 16:08:40.044239782 +0200
++++ openssl-1.0.2a/crypto/rand/rand.h 2015-04-22 16:08:40.302245891 +0200
+@@ -133,16 +133,34 @@ void ERR_load_RAND_strings(void);
+ /* Error codes for the RAND functions. */
+
+ /* Function codes. */
++# define RAND_F_ENG_RAND_GET_RAND_METHOD 108
++# define RAND_F_FIPS_RAND 103
++# define RAND_F_FIPS_RAND_BYTES 102
++# define RAND_F_FIPS_RAND_SET_DT 106
++# define RAND_F_FIPS_X931_SET_DT 106
++# define RAND_F_FIPS_SET_DT 104
++# define RAND_F_FIPS_SET_PRNG_SEED 107
++# define RAND_F_FIPS_SET_TEST_MODE 105
+ # define RAND_F_RAND_GET_RAND_METHOD 101
+-# define RAND_F_RAND_INIT_FIPS 102
++# define RAND_F_RAND_INIT_FIPS 109
+ # define RAND_F_SSLEAY_RAND_BYTES 100
+
+ /* Reason codes. */
+-# define RAND_R_DUAL_EC_DRBG_DISABLED 104
+-# define RAND_R_ERROR_INITIALISING_DRBG 102
+-# define RAND_R_ERROR_INSTANTIATING_DRBG 103
+-# define RAND_R_NO_FIPS_RANDOM_METHOD_SET 101
++# define RAND_R_DUAL_EC_DRBG_DISABLED 114
++# define RAND_R_ERROR_INITIALISING_DRBG 112
++# define RAND_R_ERROR_INSTANTIATING_DRBG 113
++# define RAND_R_NON_FIPS_METHOD 105
++# define RAND_R_NOT_IN_TEST_MODE 106
++# define RAND_R_NO_FIPS_RANDOM_METHOD_SET 111
++# define RAND_R_NO_KEY_SET 107
++# define RAND_R_PRNG_ASKING_FOR_TOO_MUCH 101
++# define RAND_R_PRNG_ERROR 108
++# define RAND_R_PRNG_KEYED 109
++# define RAND_R_PRNG_NOT_REKEYED 102
++# define RAND_R_PRNG_NOT_RESEEDED 103
+ # define RAND_R_PRNG_NOT_SEEDED 100
++# define RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY 110
++# define RAND_R_PRNG_STUCK 104
+
+ #ifdef __cplusplus
+ }
+diff -up openssl-1.0.2a/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.2a/crypto/ripemd/rmd_dgst.c
+--- openssl-1.0.2a/crypto/ripemd/rmd_dgst.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/ripemd/rmd_dgst.c 2015-04-22 16:08:40.302245891 +0200
+@@ -70,7 +70,7 @@ void ripemd160_block_x86(RIPEMD160_CTX *
+ void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p, size_t num);
+ #endif
+
+-fips_md_init(RIPEMD160)
++nonfips_md_init(RIPEMD160)
+ {
+ memset(c, 0, sizeof(*c));
+ c->A = RIPEMD160_A;
+diff -up openssl-1.0.2a/crypto/rsa/rsa_crpt.c.fips openssl-1.0.2a/crypto/rsa/rsa_crpt.c
+--- openssl-1.0.2a/crypto/rsa/rsa_crpt.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/rsa/rsa_crpt.c 2015-04-22 16:08:40.302245891 +0200
+@@ -89,9 +89,9 @@ int RSA_private_encrypt(int flen, const
+ unsigned char *to, RSA *rsa, int padding)
+ {
+ #ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+- RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
++ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
++ RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT,
++ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+ return -1;
+ }
+ #endif
+@@ -115,9 +115,9 @@ int RSA_public_decrypt(int flen, const u
+ RSA *rsa, int padding)
+ {
+ #ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+- RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
++ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
++ RSAerr(RSA_F_RSA_PUBLIC_DECRYPT,
++ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+ return -1;
+ }
+ #endif
+diff -up openssl-1.0.2a/crypto/rsa/rsa_eay.c.fips openssl-1.0.2a/crypto/rsa/rsa_eay.c
+--- openssl-1.0.2a/crypto/rsa/rsa_eay.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/rsa/rsa_eay.c 2015-04-22 16:08:40.302245891 +0200
+@@ -114,6 +114,10 @@
+ #include <openssl/bn.h>
+ #include <openssl/rsa.h>
+ #include <openssl/rand.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+
+ #ifndef RSA_NULL
+
+@@ -140,7 +144,7 @@ static RSA_METHOD rsa_pkcs1_eay_meth = {
+ * if e == 3 */
+ RSA_eay_init,
+ RSA_eay_finish,
+- 0, /* flags */
++ RSA_FLAG_FIPS_METHOD, /* flags */
+ NULL,
+ 0, /* rsa_sign */
+ 0, /* rsa_verify */
+@@ -160,6 +164,22 @@ static int RSA_eay_public_encrypt(int fl
+ unsigned char *buf = NULL;
+ BN_CTX *ctx = NULL;
+
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode()) {
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_EAY_PUBLIC_ENCRYPT,
++ FIPS_R_FIPS_SELFTEST_FAILED);
++ goto err;
++ }
++
++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
++ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++ }
++# endif
++
+ if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
+ return -1;
+@@ -361,6 +381,22 @@ static int RSA_eay_private_encrypt(int f
+ BIGNUM *unblind = NULL;
+ BN_BLINDING *blinding = NULL;
+
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode()) {
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_EAY_PRIVATE_ENCRYPT,
++ FIPS_R_FIPS_SELFTEST_FAILED);
++ return -1;
++ }
++
++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
++ RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++ }
++# endif
++
+ if ((ctx = BN_CTX_new()) == NULL)
+ goto err;
+ BN_CTX_start(ctx);
+@@ -497,6 +533,22 @@ static int RSA_eay_private_decrypt(int f
+ BIGNUM *unblind = NULL;
+ BN_BLINDING *blinding = NULL;
+
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode()) {
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_EAY_PRIVATE_DECRYPT,
++ FIPS_R_FIPS_SELFTEST_FAILED);
++ return -1;
++ }
++
++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
++ RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++ }
++# endif
++
+ if ((ctx = BN_CTX_new()) == NULL)
+ goto err;
+ BN_CTX_start(ctx);
+@@ -623,6 +675,22 @@ static int RSA_eay_public_decrypt(int fl
+ unsigned char *buf = NULL;
+ BN_CTX *ctx = NULL;
+
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode()) {
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_EAY_PUBLIC_DECRYPT,
++ FIPS_R_FIPS_SELFTEST_FAILED);
++ goto err;
++ }
++
++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
++ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++ }
++# endif
++
+ if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
+ return -1;
+@@ -886,6 +954,9 @@ static int RSA_eay_mod_exp(BIGNUM *r0, c
+
+ static int RSA_eay_init(RSA *rsa)
+ {
++# ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++# endif
+ rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
+ return (1);
+ }
+diff -up openssl-1.0.2a/crypto/rsa/rsa_err.c.fips openssl-1.0.2a/crypto/rsa/rsa_err.c
+--- openssl-1.0.2a/crypto/rsa/rsa_err.c.fips 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/rsa/rsa_err.c 2015-04-22 16:08:40.302245891 +0200
+@@ -136,6 +136,8 @@ static ERR_STRING_DATA RSA_str_functs[]
+ {ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"},
+ {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"},
+ {ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"},
++ {ERR_FUNC(RSA_F_RSA_SET_DEFAULT_METHOD), "RSA_set_default_method"},
++ {ERR_FUNC(RSA_F_RSA_SET_METHOD), "RSA_set_method"},
+ {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"},
+ {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING),
+ "RSA_sign_ASN1_OCTET_STRING"},
+diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips openssl-1.0.2a/crypto/rsa/rsa_gen.c
+--- openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/rsa/rsa_gen.c 2015-04-22 16:08:40.303245914 +0200
+@@ -69,6 +69,80 @@
+ #include <openssl/rsa.h>
+ #ifdef OPENSSL_FIPS
+ # include <openssl/fips.h>
++# include <openssl/err.h>
++# include <openssl/evp.h>
++
++static int fips_rsa_pairwise_fail = 0;
++
++void FIPS_corrupt_rsa_keygen(void)
++{
++ fips_rsa_pairwise_fail = 1;
++}
++
++int fips_check_rsa(RSA *rsa)
++{
++ const unsigned char tbs[] = "RSA Pairwise Check Data";
++ unsigned char *ctbuf = NULL, *ptbuf = NULL;
++ int len, ret = 0;
++ EVP_PKEY *pk;
++
++ if ((pk = EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_set1_RSA(pk, rsa);
++
++ /* Perform pairwise consistency signature test */
++ if (!fips_pkey_signature_test(pk, tbs, -1,
++ NULL, 0, EVP_sha1(),
++ EVP_MD_CTX_FLAG_PAD_PKCS1, NULL)
++ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(),
++ EVP_MD_CTX_FLAG_PAD_X931, NULL)
++ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(),
++ EVP_MD_CTX_FLAG_PAD_PSS, NULL))
++ goto err;
++ /* Now perform pairwise consistency encrypt/decrypt test */
++ ctbuf = OPENSSL_malloc(RSA_size(rsa));
++ if (!ctbuf)
++ goto err;
++
++ len =
++ RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa,
++ RSA_PKCS1_PADDING);
++ if (len <= 0)
++ goto err;
++ /* Check ciphertext doesn't match plaintext */
++ if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len))
++ goto err;
++ ptbuf = OPENSSL_malloc(RSA_size(rsa));
++
++ if (!ptbuf)
++ goto err;
++ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
++ if (len != (sizeof(tbs) - 1))
++ goto err;
++ if (memcmp(ptbuf, tbs, len))
++ goto err;
++
++ ret = 1;
++
++ if (!ptbuf)
++ goto err;
++
++ err:
++ if (ret == 0) {
++ fips_set_selftest_fail();
++ FIPSerr(FIPS_F_FIPS_CHECK_RSA, FIPS_R_PAIRWISE_TEST_FAILED);
++ }
++
++ if (ctbuf)
++ OPENSSL_free(ctbuf);
++ if (ptbuf)
++ OPENSSL_free(ptbuf);
++ if (pk)
++ EVP_PKEY_free(pk);
++
++ return ret;
++}
+ #endif
+
+ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
+@@ -84,7 +158,7 @@ static int rsa_builtin_keygen(RSA *rsa,
+ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
+ {
+ #ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
++ if (FIPS_module_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+ RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
+ return 0;
+@@ -92,10 +166,6 @@ int RSA_generate_key_ex(RSA *rsa, int bi
+ #endif
+ if (rsa->meth->rsa_keygen)
+ return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb);
+-#endif
+ return rsa_builtin_keygen(rsa, bits, e_value, cb);
+ }
+
+@@ -108,6 +178,20 @@ static int rsa_builtin_keygen(RSA *rsa,
+ int bitsp, bitsq, ok = -1, n = 0;
+ BN_CTX *ctx = NULL;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_module_mode()) {
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED);
++ return 0;
++ }
++
++ if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
++ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_KEY_TOO_SHORT);
++ return 0;
++ }
++ }
++#endif
++
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+@@ -233,6 +317,16 @@ static int rsa_builtin_keygen(RSA *rsa,
+ if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
+ goto err;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_module_mode()) {
++ if (fips_rsa_pairwise_fail)
++ BN_add_word(rsa->n, 1);
++
++ if (!fips_check_rsa(rsa))
++ goto err;
++ }
++#endif
++
+ ok = 1;
+ err:
+ if (ok == -1) {
+diff -up openssl-1.0.2a/crypto/rsa/rsa.h.fips openssl-1.0.2a/crypto/rsa/rsa.h
+--- openssl-1.0.2a/crypto/rsa/rsa.h.fips 2015-04-22 16:08:40.178242955 +0200
++++ openssl-1.0.2a/crypto/rsa/rsa.h 2015-04-22 16:08:40.303245914 +0200
+@@ -168,6 +168,8 @@ struct rsa_st {
+ # define OPENSSL_RSA_MAX_MODULUS_BITS 16384
+ # endif
+
++# define OPENSSL_RSA_FIPS_MIN_MODULUS_BITS 1024
++
+ # ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
+ # define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
+ # endif
+@@ -329,6 +331,13 @@ RSA *RSA_generate_key(int bits, unsigned
+
+ /* New version */
+ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
++int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1,
++ BIGNUM *q2, const BIGNUM *Xp1, const BIGNUM *Xp2,
++ const BIGNUM *Xp, const BIGNUM *Xq1,
++ const BIGNUM *Xq2, const BIGNUM *Xq,
++ const BIGNUM *e, BN_GENCB *cb);
++int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e,
++ BN_GENCB *cb);
+
+ int RSA_check_key(const RSA *);
+ /* next 4 return -1 on error */
+@@ -538,7 +547,7 @@ void ERR_load_RSA_strings(void);
+ # define RSA_F_RSA_ALGOR_TO_MD 157
+ # define RSA_F_RSA_BUILTIN_KEYGEN 129
+ # define RSA_F_RSA_CHECK_KEY 123
+-# define RSA_F_RSA_CMS_DECRYPT 158
++# define RSA_F_RSA_CMS_DECRYPT 258
+ # define RSA_F_RSA_EAY_PRIVATE_DECRYPT 101
+ # define RSA_F_RSA_EAY_PRIVATE_ENCRYPT 102
+ # define RSA_F_RSA_EAY_PUBLIC_DECRYPT 103
+@@ -559,7 +568,7 @@ void ERR_load_RSA_strings(void);
+ # define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121
+ # define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1 160
+ # define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125
+-# define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 148
++# define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 158
+ # define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108
+ # define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109
+ # define RSA_F_RSA_PADDING_ADD_SSLV23 110
+@@ -573,21 +582,23 @@ void ERR_load_RSA_strings(void);
+ # define RSA_F_RSA_PADDING_CHECK_X931 128
+ # define RSA_F_RSA_PRINT 115
+ # define RSA_F_RSA_PRINT_FP 116
+-# define RSA_F_RSA_PRIVATE_DECRYPT 150
+-# define RSA_F_RSA_PRIVATE_ENCRYPT 151
++# define RSA_F_RSA_PRIVATE_DECRYPT 157
++# define RSA_F_RSA_PRIVATE_ENCRYPT 148
+ # define RSA_F_RSA_PRIV_DECODE 137
+ # define RSA_F_RSA_PRIV_ENCODE 138
+ # define RSA_F_RSA_PSS_TO_CTX 162
+-# define RSA_F_RSA_PUBLIC_DECRYPT 152
++# define RSA_F_RSA_PUBLIC_DECRYPT 149
+ # define RSA_F_RSA_PUBLIC_ENCRYPT 153
+ # define RSA_F_RSA_PUB_DECODE 139
+ # define RSA_F_RSA_SETUP_BLINDING 136
++# define RSA_F_RSA_SET_DEFAULT_METHOD 150
++# define RSA_F_RSA_SET_METHOD 151
+ # define RSA_F_RSA_SIGN 117
+ # define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
+ # define RSA_F_RSA_VERIFY 119
+ # define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120
+ # define RSA_F_RSA_VERIFY_PKCS1_PSS 126
+-# define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 149
++# define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 152
+
+ /* Reason codes. */
+ # define RSA_R_ALGORITHM_MISMATCH 100
+@@ -620,21 +631,22 @@ void ERR_load_RSA_strings(void);
+ # define RSA_R_INVALID_OAEP_PARAMETERS 162
+ # define RSA_R_INVALID_PADDING 138
+ # define RSA_R_INVALID_PADDING_MODE 141
+-# define RSA_R_INVALID_PSS_PARAMETERS 149
++# define RSA_R_INVALID_PSS_PARAMETERS 157
+ # define RSA_R_INVALID_PSS_SALTLEN 146
+-# define RSA_R_INVALID_SALT_LENGTH 150
++# define RSA_R_INVALID_SALT_LENGTH 158
+ # define RSA_R_INVALID_TRAILER 139
+ # define RSA_R_INVALID_X931_DIGEST 142
+ # define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
+ # define RSA_R_KEY_SIZE_TOO_SMALL 120
+ # define RSA_R_LAST_OCTET_INVALID 134
+ # define RSA_R_MODULUS_TOO_LARGE 105
+-# define RSA_R_NON_FIPS_RSA_METHOD 157
++# define RSA_R_NON_FIPS_RSA_METHOD 149
++# define RSA_R_NON_FIPS_METHOD 149
+ # define RSA_R_NO_PUBLIC_EXPONENT 140
+ # define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
+ # define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
+ # define RSA_R_OAEP_DECODING_ERROR 121
+-# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 158
++# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 150
+ # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
+ # define RSA_R_PADDING_CHECK_FAILED 114
+ # define RSA_R_PKCS_DECODING_ERROR 159
+diff -up openssl-1.0.2a/crypto/rsa/rsa_lib.c.fips openssl-1.0.2a/crypto/rsa/rsa_lib.c
+--- openssl-1.0.2a/crypto/rsa/rsa_lib.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/rsa/rsa_lib.c 2015-04-22 16:08:40.303245914 +0200
+@@ -84,23 +84,22 @@ RSA *RSA_new(void)
+
+ void RSA_set_default_method(const RSA_METHOD *meth)
+ {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) {
++ RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_METHOD);
++ return;
++ }
++#endif
+ default_RSA_meth = meth;
+ }
+
+ const RSA_METHOD *RSA_get_default_method(void)
+ {
+ if (default_RSA_meth == NULL) {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_rsa_pkcs1_ssleay();
+- else
+- return RSA_PKCS1_SSLeay();
+-#else
+-# ifdef RSA_NULL
++#ifdef RSA_NULL
+ default_RSA_meth = RSA_null_method();
+-# else
++#else
+ default_RSA_meth = RSA_PKCS1_SSLeay();
+-# endif
+ #endif
+ }
+
+@@ -119,6 +118,12 @@ int RSA_set_method(RSA *rsa, const RSA_M
+ * to deal with which ENGINE it comes from.
+ */
+ const RSA_METHOD *mtmp;
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) {
++ RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_METHOD);
++ return 0;
++ }
++#endif
+ mtmp = rsa->meth;
+ if (mtmp->finish)
+ mtmp->finish(rsa);
+@@ -165,6 +170,17 @@ RSA *RSA_new_method(ENGINE *engine)
+ }
+ }
+ #endif
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD)) {
++ RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_METHOD);
++# ifndef OPENSSL_NO_ENGINE
++ if (ret->engine)
++ ENGINE_finish(ret->engine);
++# endif
++ OPENSSL_free(ret);
++ return NULL;
++ }
++#endif
+
+ ret->pad = 0;
+ ret->version = 0;
+@@ -183,7 +199,7 @@ RSA *RSA_new_method(ENGINE *engine)
+ ret->blinding = NULL;
+ ret->mt_blinding = NULL;
+ ret->bignum_data = NULL;
+- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
++ ret->flags = ret->meth->flags;
+ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
+ #ifndef OPENSSL_NO_ENGINE
+ if (ret->engine)
+diff -up openssl-1.0.2a/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.2a/crypto/rsa/rsa_pmeth.c
+--- openssl-1.0.2a/crypto/rsa/rsa_pmeth.c.fips 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/rsa/rsa_pmeth.c 2015-04-22 16:08:40.303245914 +0200
+@@ -228,20 +228,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c
+ RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH);
+ return -1;
+ }
+-#ifdef OPENSSL_FIPS
+- if (ret > 0) {
+- unsigned int slen;
+- ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
+- rctx->pad_mode,
+- rctx->saltlen,
+- rctx->mgf1md, sig, &slen);
+- if (ret > 0)
+- *siglen = slen;
+- else
+- *siglen = 0;
+- return ret;
+- }
+-#endif
+
+ if (EVP_MD_type(rctx->md) == NID_mdc2) {
+ unsigned int sltmp;
+@@ -353,17 +339,6 @@ static int pkey_rsa_verify(EVP_PKEY_CTX
+ }
+ #endif
+ if (rctx->md) {
+-#ifdef OPENSSL_FIPS
+- if (rv > 0) {
+- return FIPS_rsa_verify_digest(rsa,
+- tbs, tbslen,
+- rctx->md,
+- rctx->pad_mode,
+- rctx->saltlen,
+- rctx->mgf1md, sig, siglen);
+-
+- }
+-#endif
+ if (rctx->pad_mode == RSA_PKCS1_PADDING)
+ return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
+ sig, siglen, rsa);
+diff -up openssl-1.0.2a/crypto/rsa/rsa_sign.c.fips openssl-1.0.2a/crypto/rsa/rsa_sign.c
+--- openssl-1.0.2a/crypto/rsa/rsa_sign.c.fips 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/rsa/rsa_sign.c 2015-04-22 16:08:40.303245914 +0200
+@@ -132,7 +132,10 @@ int RSA_sign(int type, const unsigned ch
+ i2d_X509_SIG(&sig, &p);
+ s = tmps;
+ }
+- i = RSA_private_encrypt(i, s, sigret, rsa, RSA_PKCS1_PADDING);
++ /* NB: call underlying method directly to avoid FIPS blocking */
++ i = rsa->meth->rsa_priv_enc ? rsa->meth->rsa_priv_enc(i, s, sigret, rsa,
++ RSA_PKCS1_PADDING) :
++ 0;
+ if (i <= 0)
+ ret = 0;
+ else
+@@ -188,8 +191,10 @@ int int_rsa_verify(int dtype, const unsi
+ }
+
+ if ((dtype == NID_md5_sha1) && rm) {
+- i = RSA_public_decrypt((int)siglen,
+- sigbuf, rm, rsa, RSA_PKCS1_PADDING);
++ i = rsa->meth->rsa_pub_dec ? rsa->meth->rsa_pub_dec((int)siglen,
++ sigbuf, rm, rsa,
++ RSA_PKCS1_PADDING)
++ : 0;
+ if (i <= 0)
+ return 0;
+ *prm_len = i;
+@@ -205,7 +210,11 @@ int int_rsa_verify(int dtype, const unsi
+ RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_INVALID_MESSAGE_LENGTH);
+ goto err;
+ }
+- i = RSA_public_decrypt((int)siglen, sigbuf, s, rsa, RSA_PKCS1_PADDING);
++ /* NB: call underlying method directly to avoid FIPS blocking */
++ i = rsa->meth->rsa_pub_dec ? rsa->meth->rsa_pub_dec((int)siglen, sigbuf,
++ s, rsa,
++ RSA_PKCS1_PADDING) :
++ 0;
+
+ if (i <= 0)
+ goto err;
+diff -up openssl-1.0.2a/crypto/sha/sha.h.fips openssl-1.0.2a/crypto/sha/sha.h
+--- openssl-1.0.2a/crypto/sha/sha.h.fips 2015-04-22 16:08:39.964237888 +0200
++++ openssl-1.0.2a/crypto/sha/sha.h 2015-04-22 16:08:40.304245938 +0200
+@@ -105,9 +105,6 @@ typedef struct SHAstate_st {
+ } SHA_CTX;
+
+ # ifndef OPENSSL_NO_SHA0
+-# ifdef OPENSSL_FIPS
+-int private_SHA_Init(SHA_CTX *c);
+-# endif
+ int SHA_Init(SHA_CTX *c);
+ int SHA_Update(SHA_CTX *c, const void *data, size_t len);
+ int SHA_Final(unsigned char *md, SHA_CTX *c);
+@@ -115,9 +112,6 @@ unsigned char *SHA(const unsigned char *
+ void SHA_Transform(SHA_CTX *c, const unsigned char *data);
+ # endif
+ # ifndef OPENSSL_NO_SHA1
+-# ifdef OPENSSL_FIPS
+-int private_SHA1_Init(SHA_CTX *c);
+-# endif
+ int SHA1_Init(SHA_CTX *c);
+ int SHA1_Update(SHA_CTX *c, const void *data, size_t len);
+ int SHA1_Final(unsigned char *md, SHA_CTX *c);
+@@ -139,10 +133,6 @@ typedef struct SHA256state_st {
+ } SHA256_CTX;
+
+ # ifndef OPENSSL_NO_SHA256
+-# ifdef OPENSSL_FIPS
+-int private_SHA224_Init(SHA256_CTX *c);
+-int private_SHA256_Init(SHA256_CTX *c);
+-# endif
+ int SHA224_Init(SHA256_CTX *c);
+ int SHA224_Update(SHA256_CTX *c, const void *data, size_t len);
+ int SHA224_Final(unsigned char *md, SHA256_CTX *c);
+@@ -192,10 +182,6 @@ typedef struct SHA512state_st {
+ # endif
+
+ # ifndef OPENSSL_NO_SHA512
+-# ifdef OPENSSL_FIPS
+-int private_SHA384_Init(SHA512_CTX *c);
+-int private_SHA512_Init(SHA512_CTX *c);
+-# endif
+ int SHA384_Init(SHA512_CTX *c);
+ int SHA384_Update(SHA512_CTX *c, const void *data, size_t len);
+ int SHA384_Final(unsigned char *md, SHA512_CTX *c);
+diff -up openssl-1.0.2a/crypto/sha/sha_locl.h.fips openssl-1.0.2a/crypto/sha/sha_locl.h
+--- openssl-1.0.2a/crypto/sha/sha_locl.h.fips 2015-04-22 16:08:39.966237935 +0200
++++ openssl-1.0.2a/crypto/sha/sha_locl.h 2015-04-22 16:08:40.304245938 +0200
+@@ -123,11 +123,14 @@ void sha1_block_data_order(SHA_CTX *c, c
+ #define INIT_DATA_h4 0xc3d2e1f0UL
+
+ #ifdef SHA_0
+-fips_md_init(SHA)
++nonfips_md_init(SHA)
+ #else
+ fips_md_init_ctx(SHA1, SHA)
+ #endif
+ {
++#if defined(SHA_1) && defined(OPENSSL_FIPS)
++ FIPS_selftest_check();
++#endif
+ memset(c, 0, sizeof(*c));
+ c->h0 = INIT_DATA_h0;
+ c->h1 = INIT_DATA_h1;
+diff -up openssl-1.0.2a/crypto/sha/sha256.c.fips openssl-1.0.2a/crypto/sha/sha256.c
+--- openssl-1.0.2a/crypto/sha/sha256.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/sha/sha256.c 2015-04-22 16:08:40.304245938 +0200
+@@ -12,12 +12,19 @@
+
+ # include <openssl/crypto.h>
+ # include <openssl/sha.h>
++# ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++# endif
++
+ # include <openssl/opensslv.h>
+
+ const char SHA256_version[] = "SHA-256" OPENSSL_VERSION_PTEXT;
+
+ fips_md_init_ctx(SHA224, SHA256)
+ {
++# ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++# endif
+ memset(c, 0, sizeof(*c));
+ c->h[0] = 0xc1059ed8UL;
+ c->h[1] = 0x367cd507UL;
+@@ -33,6 +40,9 @@ fips_md_init_ctx(SHA224, SHA256)
+
+ fips_md_init(SHA256)
+ {
++# ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++# endif
+ memset(c, 0, sizeof(*c));
+ c->h[0] = 0x6a09e667UL;
+ c->h[1] = 0xbb67ae85UL;
+diff -up openssl-1.0.2a/crypto/sha/sha512.c.fips openssl-1.0.2a/crypto/sha/sha512.c
+--- openssl-1.0.2a/crypto/sha/sha512.c.fips 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/sha/sha512.c 2015-04-22 16:08:40.304245938 +0200
+@@ -5,6 +5,10 @@
+ * ====================================================================
+ */
+ #include <openssl/opensslconf.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++
+ #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
+ /*-
+ * IMPLEMENTATION NOTES.
+@@ -62,6 +66,9 @@ const char SHA512_version[] = "SHA-512"
+
+ fips_md_init_ctx(SHA384, SHA512)
+ {
++# ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++# endif
+ c->h[0] = U64(0xcbbb9d5dc1059ed8);
+ c->h[1] = U64(0x629a292a367cd507);
+ c->h[2] = U64(0x9159015a3070dd17);
+@@ -80,6 +87,9 @@ fips_md_init_ctx(SHA384, SHA512)
+
+ fips_md_init(SHA512)
+ {
++# ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++# endif
+ c->h[0] = U64(0x6a09e667f3bcc908);
+ c->h[1] = U64(0xbb67ae8584caa73b);
+ c->h[2] = U64(0x3c6ef372fe94f82b);
+diff -up openssl-1.0.2a/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.2a/crypto/whrlpool/wp_dgst.c
+--- openssl-1.0.2a/crypto/whrlpool/wp_dgst.c.fips 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/whrlpool/wp_dgst.c 2015-04-22 16:08:40.304245938 +0200
+@@ -55,7 +55,7 @@
+ #include <openssl/crypto.h>
+ #include <string.h>
+
+-fips_md_init(WHIRLPOOL)
++nonfips_md_init(WHIRLPOOL)
+ {
+ memset(c, 0, sizeof(*c));
+ return (1);
+diff -up openssl-1.0.2a/Makefile.org.fips openssl-1.0.2a/Makefile.org
+--- openssl-1.0.2a/Makefile.org.fips 2015-04-22 16:08:40.270245133 +0200
++++ openssl-1.0.2a/Makefile.org 2015-04-22 16:08:40.304245938 +0200
+@@ -137,6 +137,9 @@ FIPSCANLIB=
+
+ BASEADDR=
+
++# Non-empty if FIPS enabled
++FIPS=
++
+ DIRS= crypto ssl engines apps test tools
+ ENGDIRS= ccgost
+ SHLIBDIRS= crypto ssl
+@@ -149,7 +152,7 @@ SDIRS= \
+ bn ec rsa dsa ecdsa dh ecdh dso engine \
+ buffer bio stack lhash rand err \
+ evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
+- cms pqueue ts jpake srp store cmac
++ cms pqueue ts jpake srp store cmac fips
+ # keep in mind that the above list is adjusted by ./Configure
+ # according to no-xxx arguments...
+
+@@ -238,6 +241,7 @@ BUILDENV= PLATFORM='$(PLATFORM)' PROCESS
+ FIPSLIBDIR='${FIPSLIBDIR}' \
+ FIPSDIR='${FIPSDIR}' \
+ FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}" \
++ FIPS="$${FIPS:-$(FIPS)}" \
+ THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
+ # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
+ # which in turn eliminates ambiguities in variable treatment with -e.
+diff -up openssl-1.0.2a/ssl/ssl_algs.c.fips openssl-1.0.2a/ssl/ssl_algs.c
+--- openssl-1.0.2a/ssl/ssl_algs.c.fips 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/ssl/ssl_algs.c 2015-04-22 16:08:40.305245962 +0200
+@@ -64,6 +64,11 @@
+ int SSL_library_init(void)
+ {
+
++#ifdef OPENSSL_FIPS
++ OPENSSL_init_library();
++ if (!FIPS_mode()) {
++#endif
++
+ #ifndef OPENSSL_NO_DES
+ EVP_add_cipher(EVP_des_cbc());
+ EVP_add_cipher(EVP_des_ede3_cbc());
+@@ -142,6 +147,48 @@ int SSL_library_init(void)
+ EVP_add_digest(EVP_sha());
+ EVP_add_digest(EVP_dss());
+ #endif
++#ifdef OPENSSL_FIPS
++ } else {
++# ifndef OPENSSL_NO_DES
++ EVP_add_cipher(EVP_des_ede3_cbc());
++# endif
++# ifndef OPENSSL_NO_AES
++ EVP_add_cipher(EVP_aes_128_cbc());
++ EVP_add_cipher(EVP_aes_192_cbc());
++ EVP_add_cipher(EVP_aes_256_cbc());
++ EVP_add_cipher(EVP_aes_128_gcm());
++ EVP_add_cipher(EVP_aes_256_gcm());
++# endif
++# ifndef OPENSSL_NO_MD5
++ /* needed even in the FIPS mode for TLS MAC */
++ EVP_add_digest(EVP_md5());
++ EVP_add_digest_alias(SN_md5, "ssl2-md5");
++ EVP_add_digest_alias(SN_md5, "ssl3-md5");
++# endif
++# ifndef OPENSSL_NO_SHA
++ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
++ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
++ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
++# endif
++# ifndef OPENSSL_NO_SHA256
++ EVP_add_digest(EVP_sha224());
++ EVP_add_digest(EVP_sha256());
++# endif
++# ifndef OPENSSL_NO_SHA512
++ EVP_add_digest(EVP_sha384());
++ EVP_add_digest(EVP_sha512());
++# endif
++# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
++ EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
++ EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
++ EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
++ EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
++# endif
++# ifndef OPENSSL_NO_ECDSA
++ EVP_add_digest(EVP_ecdsa());
++# endif
++ }
++#endif
+ #ifndef OPENSSL_NO_COMP
+ /*
+ * This will initialise the built-in compression algorithms. The value
diff --git a/openssl-1.0.2a-ipv6-apps.patch b/openssl-1.0.2a-ipv6-apps.patch
new file mode 100644
index 0000000..dd8b42c
--- /dev/null
+++ b/openssl-1.0.2a-ipv6-apps.patch
@@ -0,0 +1,525 @@
+diff -up openssl-1.0.2a/apps/s_apps.h.ipv6-apps openssl-1.0.2a/apps/s_apps.h
+--- openssl-1.0.2a/apps/s_apps.h.ipv6-apps 2015-04-20 15:01:24.029120104 +0200
++++ openssl-1.0.2a/apps/s_apps.h 2015-04-20 15:05:00.353137701 +0200
+@@ -151,7 +151,7 @@ typedef fd_mask fd_set;
+ #define PORT_STR "4433"
+ #define PROTOCOL "tcp"
+
+-int do_server(int port, int type, int *ret,
++int do_server(char *port, int type, int *ret,
+ int (*cb) (char *hostname, int s, int stype,
+ unsigned char *context), unsigned char *context,
+ int naccept);
+@@ -167,11 +167,10 @@ int ssl_print_point_formats(BIO *out, SS
+ int ssl_print_curves(BIO *out, SSL *s, int noshared);
+ #endif
+ int ssl_print_tmp_key(BIO *out, SSL *s);
+-int init_client(int *sock, char *server, int port, int type);
++int init_client(int *sock, char *server, char *port, int type);
+ int should_retry(int i);
+ int extract_port(char *str, short *port_ptr);
+-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
+- short *p);
++int extract_host_port(char *str, char **host_ptr, char **port_ptr);
+
+ long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
+ int argi, long argl, long ret);
+diff -up openssl-1.0.2a/apps/s_client.c.ipv6-apps openssl-1.0.2a/apps/s_client.c
+--- openssl-1.0.2a/apps/s_client.c.ipv6-apps 2015-04-20 15:01:24.022119942 +0200
++++ openssl-1.0.2a/apps/s_client.c 2015-04-20 15:06:42.338503234 +0200
+@@ -662,7 +662,7 @@ int MAIN(int argc, char **argv)
+ int cbuf_len, cbuf_off;
+ int sbuf_len, sbuf_off;
+ fd_set readfds, writefds;
+- short port = PORT;
++ char *port_str = PORT_STR;
+ int full_log = 1;
+ char *host = SSL_HOST_NAME;
+ char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;
+@@ -785,13 +785,11 @@ int MAIN(int argc, char **argv)
+ } else if (strcmp(*argv, "-port") == 0) {
+ if (--argc < 1)
+ goto bad;
+- port = atoi(*(++argv));
+- if (port == 0)
+- goto bad;
++ port_str = *(++argv);
+ } else if (strcmp(*argv, "-connect") == 0) {
+ if (--argc < 1)
+ goto bad;
+- if (!extract_host_port(*(++argv), &host, NULL, &port))
++ if (!extract_host_port(*(++argv), &host, &port_str))
+ goto bad;
+ } else if (strcmp(*argv, "-verify") == 0) {
+ verify = SSL_VERIFY_PEER;
+@@ -1417,7 +1415,7 @@ int MAIN(int argc, char **argv)
+
+ re_start:
+
+- if (init_client(&s, host, port, socket_type) == 0) {
++ if (init_client(&s, host, port_str, socket_type) == 0) {
+ BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());
+ SHUTDOWN(s);
+ goto end;
+diff -up openssl-1.0.2a/apps/s_server.c.ipv6-apps openssl-1.0.2a/apps/s_server.c
+--- openssl-1.0.2a/apps/s_server.c.ipv6-apps 2015-04-20 15:01:24.030120127 +0200
++++ openssl-1.0.2a/apps/s_server.c 2015-04-20 15:10:47.245187746 +0200
+@@ -1061,7 +1061,7 @@ int MAIN(int argc, char *argv[])
+ {
+ X509_VERIFY_PARAM *vpm = NULL;
+ int badarg = 0;
+- short port = PORT;
++ char *port_str = PORT_STR;
+ char *CApath = NULL, *CAfile = NULL;
+ char *chCApath = NULL, *chCAfile = NULL;
+ char *vfyCApath = NULL, *vfyCAfile = NULL;
+@@ -1148,7 +1148,8 @@ int MAIN(int argc, char *argv[])
+ if ((strcmp(*argv, "-port") == 0) || (strcmp(*argv, "-accept") == 0)) {
+ if (--argc < 1)
+ goto bad;
+- if (!extract_port(*(++argv), &port))
++ port_str = *(++argv);
++ if (port_str == NULL || *port_str == '\0')
+ goto bad;
+ } else if (strcmp(*argv, "-naccept") == 0) {
+ if (--argc < 1)
+@@ -2020,13 +2021,13 @@ int MAIN(int argc, char *argv[])
+ BIO_printf(bio_s_out, "ACCEPT\n");
+ (void)BIO_flush(bio_s_out);
+ if (rev)
+- do_server(port, socket_type, &accept_socket, rev_body, context,
++ do_server(port_str, socket_type, &accept_socket, rev_body, context,
+ naccept);
+ else if (www)
+- do_server(port, socket_type, &accept_socket, www_body, context,
++ do_server(port_str, socket_type, &accept_socket, www_body, context,
+ naccept);
+ else
+- do_server(port, socket_type, &accept_socket, sv_body, context,
++ do_server(port_str, socket_type, &accept_socket, sv_body, context,
+ naccept);
+ print_stats(bio_s_out, ctx);
+ ret = 0;
+diff -up openssl-1.0.2a/apps/s_socket.c.ipv6-apps openssl-1.0.2a/apps/s_socket.c
+--- openssl-1.0.2a/apps/s_socket.c.ipv6-apps 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/apps/s_socket.c 2015-04-20 15:32:53.960079507 +0200
+@@ -106,9 +106,7 @@ static struct hostent *GetHostByName(cha
+ static void ssl_sock_cleanup(void);
+ # endif
+ static int ssl_sock_init(void);
+-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type);
+-static int init_server(int *sock, int port, int type);
+-static int init_server_long(int *sock, int port, char *ip, int type);
++static int init_server(int *sock, char *port, int type);
+ static int do_accept(int acc_sock, int *sock, char **host);
+ static int host_ip(char *str, unsigned char ip[4]);
+
+@@ -231,65 +229,66 @@ static int ssl_sock_init(void)
+ return (1);
+ }
+
+-int init_client(int *sock, char *host, int port, int type)
++int init_client(int *sock, char *host, char *port, int type)
+ {
+- unsigned char ip[4];
+-
+- memset(ip, '\0', sizeof ip);
+- if (!host_ip(host, &(ip[0])))
+- return 0;
+- return init_client_ip(sock, ip, port, type);
+-}
+-
+-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
+-{
+- unsigned long addr;
+- struct sockaddr_in them;
+- int s, i;
++ struct addrinfo *res, *res0, hints;
++ char *failed_call = NULL;
++ int s;
++ int e;
+
+ if (!ssl_sock_init())
+ return (0);
+
+- memset((char *)&them, 0, sizeof(them));
+- them.sin_family = AF_INET;
+- them.sin_port = htons((unsigned short)port);
+- addr = (unsigned long)
+- ((unsigned long)ip[0] << 24L) |
+- ((unsigned long)ip[1] << 16L) |
+- ((unsigned long)ip[2] << 8L) | ((unsigned long)ip[3]);
+- them.sin_addr.s_addr = htonl(addr);
+-
+- if (type == SOCK_STREAM)
+- s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
+- else /* ( type == SOCK_DGRAM) */
+- s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
+-
+- if (s == INVALID_SOCKET) {
+- perror("socket");
++ memset(&hints, '\0', sizeof(hints));
++ hints.ai_socktype = type;
++ hints.ai_flags = AI_ADDRCONFIG;
++
++ e = getaddrinfo(host, port, &hints, &res);
++ if (e) {
++ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
++ if (e == EAI_SYSTEM)
++ perror("getaddrinfo");
+ return (0);
+ }
++
++ res0 = res;
++ while (res) {
++ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
++ if (s == INVALID_SOCKET) {
++ failed_call = "socket";
++ goto nextres;
++ }
+ # if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
+- if (type == SOCK_STREAM) {
+- i = 0;
+- i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, (char *)&i, sizeof(i));
+- if (i < 0) {
+- closesocket(s);
+- perror("keepalive");
+- return (0);
++ if (type == SOCK_STREAM) {
++ int i = 0;
++ i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE,
++ (char *)&i, sizeof(i));
++ if (i < 0) {
++ failed_call = "keepalive";
++ goto nextres;
++ }
+ }
+- }
+ # endif
+-
+- if (connect(s, (struct sockaddr *)&them, sizeof(them)) == -1) {
+- closesocket(s);
+- perror("connect");
+- return (0);
++ if (connect(s, (struct sockaddr *)res->ai_addr, res->ai_addrlen) == 0) {
++ freeaddrinfo(res0);
++ *sock = s;
++ return (1);
++ }
++
++ failed_call = "socket";
++ nextres:
++ if (s != INVALID_SOCKET)
++ close(s);
++ res = res->ai_next;
+ }
+- *sock = s;
+- return (1);
++ freeaddrinfo(res0);
++ closesocket(s);
++
++ perror(failed_call);
++ return (0);
+ }
+
+-int do_server(int port, int type, int *ret,
++int do_server(char *port, int type, int *ret,
+ int (*cb) (char *hostname, int s, int stype,
+ unsigned char *context), unsigned char *context,
+ int naccept)
+@@ -328,69 +327,89 @@ int do_server(int port, int type, int *r
+ }
+ }
+
+-static int init_server_long(int *sock, int port, char *ip, int type)
++static int init_server(int *sock, char *port, int type)
+ {
+- int ret = 0;
+- struct sockaddr_in server;
+- int s = -1;
++ struct addrinfo *res, *res0 = NULL, hints;
++ char *failed_call = NULL;
++ int s = INVALID_SOCKET;
++ int e;
+
+ if (!ssl_sock_init())
+ return (0);
+
+- memset((char *)&server, 0, sizeof(server));
+- server.sin_family = AF_INET;
+- server.sin_port = htons((unsigned short)port);
+- if (ip == NULL)
+- server.sin_addr.s_addr = INADDR_ANY;
+- else
+-/* Added for T3E, address-of fails on bit field (beckman at acl.lanl.gov) */
+-# ifndef BIT_FIELD_LIMITS
+- memcpy(&server.sin_addr.s_addr, ip, 4);
+-# else
+- memcpy(&server.sin_addr, ip, 4);
+-# endif
+-
+- if (type == SOCK_STREAM)
+- s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
+- else /* type == SOCK_DGRAM */
+- s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
++ memset(&hints, '\0', sizeof(hints));
++ hints.ai_family = AF_INET6;
++ tryipv4:
++ hints.ai_socktype = type;
++ hints.ai_flags = AI_PASSIVE;
++
++ e = getaddrinfo(NULL, port, &hints, &res);
++ if (e) {
++ if (hints.ai_family == AF_INET) {
++ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
++ if (e == EAI_SYSTEM)
++ perror("getaddrinfo");
++ return (0);
++ } else
++ res = NULL;
++ }
+
+- if (s == INVALID_SOCKET)
+- goto err;
++ res0 = res;
++ while (res) {
++ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
++ if (s == INVALID_SOCKET) {
++ failed_call = "socket";
++ goto nextres;
++ }
++ if (hints.ai_family == AF_INET6) {
++ int j = 0;
++ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (void *)&j, sizeof j);
++ }
+ # if defined SOL_SOCKET && defined SO_REUSEADDR
+- {
+- int j = 1;
+- setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&j, sizeof j);
+- }
+-# endif
+- if (bind(s, (struct sockaddr *)&server, sizeof(server)) == -1) {
+-# ifndef OPENSSL_SYS_WINDOWS
+- perror("bind");
++ {
++ int j = 1;
++ setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&j, sizeof j);
++ }
+ # endif
+- goto err;
++
++ if (bind(s, (struct sockaddr *)res->ai_addr, res->ai_addrlen) == -1) {
++ failed_call = "bind";
++ goto nextres;
++ }
++ if (type == SOCK_STREAM && listen(s, 128) == -1) {
++ failed_call = "listen";
++ goto nextres;
++ }
++
++ *sock = s;
++ return (1);
++
++ nextres:
++ if (s != INVALID_SOCKET)
++ close(s);
++ res = res->ai_next;
+ }
+- /* Make it 128 for linux */
+- if (type == SOCK_STREAM && listen(s, 128) == -1)
+- goto err;
+- *sock = s;
+- ret = 1;
+- err:
+- if ((ret == 0) && (s != -1)) {
+- SHUTDOWN(s);
++ if (res0)
++ freeaddrinfo(res0);
++
++ if (s == INVALID_SOCKET) {
++ if (hints.ai_family == AF_INET6) {
++ hints.ai_family = AF_INET;
++ goto tryipv4;
++ }
++ perror("socket");
++ return (0);
+ }
+- return (ret);
+-}
+
+-static int init_server(int *sock, int port, int type)
+-{
+- return (init_server_long(sock, port, NULL, type));
++ perror(failed_call);
++ return (0);
+ }
+
+ static int do_accept(int acc_sock, int *sock, char **host)
+ {
++ static struct sockaddr_storage from;
++ char buffer[NI_MAXHOST];
+ int ret;
+- struct hostent *h1, *h2;
+- static struct sockaddr_in from;
+ int len;
+ /* struct linger ling; */
+
+@@ -432,134 +451,60 @@ static int do_accept(int acc_sock, int *
+ ling.l_onoff=1;
+ ling.l_linger=0;
+ i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
+- if (i < 0) { perror("linger"); return(0); }
++ if (i < 0) { closesocket(ret); perror("linger"); return(0); }
+ i=0;
+ i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
+- if (i < 0) { perror("keepalive"); return(0); }
++ if (i < 0) { closesocket(ret); perror("keepalive"); return(0); }
+ */
+
+ if (host == NULL)
+ goto end;
+-# ifndef BIT_FIELD_LIMITS
+- /* I should use WSAAsyncGetHostByName() under windows */
+- h1 = gethostbyaddr((char *)&from.sin_addr.s_addr,
+- sizeof(from.sin_addr.s_addr), AF_INET);
+-# else
+- h1 = gethostbyaddr((char *)&from.sin_addr,
+- sizeof(struct in_addr), AF_INET);
+-# endif
+- if (h1 == NULL) {
+- BIO_printf(bio_err, "bad gethostbyaddr\n");
++
++ if (getnameinfo((struct sockaddr *)&from, sizeof(from),
++ buffer, sizeof(buffer), NULL, 0, 0)) {
++ BIO_printf(bio_err, "getnameinfo failed\n");
+ *host = NULL;
+ /* return(0); */
+ } else {
+- if ((*host = (char *)OPENSSL_malloc(strlen(h1->h_name) + 1)) == NULL) {
++ if ((*host = (char *)OPENSSL_malloc(strlen(buffer) + 1)) == NULL) {
+ perror("OPENSSL_malloc");
+ closesocket(ret);
+ return (0);
+ }
+- BUF_strlcpy(*host, h1->h_name, strlen(h1->h_name) + 1);
+-
+- h2 = GetHostByName(*host);
+- if (h2 == NULL) {
+- BIO_printf(bio_err, "gethostbyname failure\n");
+- closesocket(ret);
+- return (0);
+- }
+- if (h2->h_addrtype != AF_INET) {
+- BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
+- closesocket(ret);
+- return (0);
+- }
++ strcpy(*host, buffer);
+ }
+ end:
+ *sock = ret;
+ return (1);
+ }
+
+-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
+- short *port_ptr)
++int extract_host_port(char *str, char **host_ptr, char **port_ptr)
+ {
+- char *h, *p;
++ char *h, *p, *x;
+
+- h = str;
+- p = strchr(str, ':');
++ x = h = str;
++ if (*h == '[') {
++ h++;
++ p = strchr(h, ']');
++ if (p == NULL) {
++ BIO_printf(bio_err, "no ending bracket for IPv6 address\n");
++ return (0);
++ }
++ *(p++) = '\0';
++ x = p;
++ }
++ p = strchr(x, ':');
+ if (p == NULL) {
+ BIO_printf(bio_err, "no port defined\n");
+ return (0);
+ }
+ *(p++) = '\0';
+
+- if ((ip != NULL) && !host_ip(str, ip))
+- goto err;
+ if (host_ptr != NULL)
+ *host_ptr = h;
++ if (port_ptr != NULL)
++ *port_ptr = p;
+
+- if (!extract_port(p, port_ptr))
+- goto err;
+- return (1);
+- err:
+- return (0);
+-}
+-
+-static int host_ip(char *str, unsigned char ip[4])
+-{
+- unsigned int in[4];
+- int i;
+-
+- if (sscanf(str, "%u.%u.%u.%u", &(in[0]), &(in[1]), &(in[2]), &(in[3])) ==
+- 4) {
+- for (i = 0; i < 4; i++)
+- if (in[i] > 255) {
+- BIO_printf(bio_err, "invalid IP address\n");
+- goto err;
+- }
+- ip[0] = in[0];
+- ip[1] = in[1];
+- ip[2] = in[2];
+- ip[3] = in[3];
+- } else { /* do a gethostbyname */
+- struct hostent *he;
+-
+- if (!ssl_sock_init())
+- return (0);
+-
+- he = GetHostByName(str);
+- if (he == NULL) {
+- BIO_printf(bio_err, "gethostbyname failure\n");
+- goto err;
+- }
+- /* cast to short because of win16 winsock definition */
+- if ((short)he->h_addrtype != AF_INET) {
+- BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
+- return (0);
+- }
+- ip[0] = he->h_addr_list[0][0];
+- ip[1] = he->h_addr_list[0][1];
+- ip[2] = he->h_addr_list[0][2];
+- ip[3] = he->h_addr_list[0][3];
+- }
+- return (1);
+- err:
+- return (0);
+-}
+-
+-int extract_port(char *str, short *port_ptr)
+-{
+- int i;
+- struct servent *s;
+-
+- i = atoi(str);
+- if (i != 0)
+- *port_ptr = (unsigned short)i;
+- else {
+- s = getservbyname(str, "tcp");
+- if (s == NULL) {
+- BIO_printf(bio_err, "getservbyname failure for %s\n", str);
+- return (0);
+- }
+- *port_ptr = ntohs((unsigned short)s->s_port);
+- }
+ return (1);
+ }
+
diff --git a/openssl-1.0.2a-issuer-hash.patch b/openssl-1.0.2a-issuer-hash.patch
new file mode 100644
index 0000000..a439d14
--- /dev/null
+++ b/openssl-1.0.2a-issuer-hash.patch
@@ -0,0 +1,11 @@
+diff -up openssl-1.0.1k/crypto/x509/x509_cmp.c.issuer-hash openssl-1.0.1k/crypto/x509/x509_cmp.c
+--- openssl-1.0.1k/crypto/x509/x509_cmp.c.issuer-hash 2015-04-09 18:16:03.349855193 +0200
++++ openssl-1.0.1k/crypto/x509/x509_cmp.c 2015-04-09 18:16:00.616792058 +0200
+@@ -86,6 +86,7 @@ unsigned long X509_issuer_and_serial_has
+ char *f;
+
+ EVP_MD_CTX_init(&ctx);
++ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ f = X509_NAME_oneline(a->cert_info->issuer, NULL, 0);
+ if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
+ goto err;
diff --git a/openssl-1.0.2a-manfix.patch b/openssl-1.0.2a-manfix.patch
new file mode 100644
index 0000000..91071b0
--- /dev/null
+++ b/openssl-1.0.2a-manfix.patch
@@ -0,0 +1,93 @@
+diff -up openssl-1.0.2a/doc/apps/ec.pod.manfix openssl-1.0.2a/doc/apps/ec.pod
+--- openssl-1.0.2a/doc/apps/ec.pod.manfix 2015-01-20 13:33:36.000000000 +0100
++++ openssl-1.0.2a/doc/apps/ec.pod 2015-04-21 17:39:20.084574580 +0200
+@@ -93,10 +93,6 @@ prints out the public, private key compo
+
+ this option prevents output of the encoded version of the key.
+
+-=item B<-modulus>
+-
+-this option prints out the value of the public key component of the key.
+-
+ =item B<-pubin>
+
+ by default a private key is read from the input file: with this option a
+diff -up openssl-1.0.2a/doc/apps/openssl.pod.manfix openssl-1.0.2a/doc/apps/openssl.pod
+--- openssl-1.0.2a/doc/apps/openssl.pod.manfix 2015-01-20 13:33:36.000000000 +0100
++++ openssl-1.0.2a/doc/apps/openssl.pod 2015-04-21 17:39:20.084574580 +0200
+@@ -163,7 +163,7 @@ Create or examine a netscape certificate
+
+ Online Certificate Status Protocol utility.
+
+-=item L<B<passwd>|passwd(1)>
++=item L<B<passwd>|sslpasswd(1)>
+
+ Generation of hashed passwords.
+
+@@ -187,7 +187,7 @@ Public key algorithm parameter managemen
+
+ Public key algorithm cryptographic operation utility.
+
+-=item L<B<rand>|rand(1)>
++=item L<B<rand>|sslrand(1)>
+
+ Generate pseudo-random bytes.
+
+@@ -401,9 +401,9 @@ L<crl(1)|crl(1)>, L<crl2pkcs7(1)|crl2pkc
+ L<dhparam(1)|dhparam(1)>, L<dsa(1)|dsa(1)>, L<dsaparam(1)|dsaparam(1)>,
+ L<enc(1)|enc(1)>, L<gendsa(1)|gendsa(1)>, L<genpkey(1)|genpkey(1)>,
+ L<genrsa(1)|genrsa(1)>, L<nseq(1)|nseq(1)>, L<openssl(1)|openssl(1)>,
+-L<passwd(1)|passwd(1)>,
++L<sslpasswd(1)|sslpasswd(1)>,
+ L<pkcs12(1)|pkcs12(1)>, L<pkcs7(1)|pkcs7(1)>, L<pkcs8(1)|pkcs8(1)>,
+-L<rand(1)|rand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
++L<sslrand(1)|sslrand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
+ L<rsautl(1)|rsautl(1)>, L<s_client(1)|s_client(1)>,
+ L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>,
+ L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
+diff -up openssl-1.0.2a/doc/apps/s_client.pod.manfix openssl-1.0.2a/doc/apps/s_client.pod
+--- openssl-1.0.2a/doc/apps/s_client.pod.manfix 2015-04-21 17:39:20.085574603 +0200
++++ openssl-1.0.2a/doc/apps/s_client.pod 2015-04-21 17:41:00.215924162 +0200
+@@ -34,6 +34,9 @@ B<openssl> B<s_client>
+ [B<-ssl2>]
+ [B<-ssl3>]
+ [B<-tls1>]
++[B<-tls1_1>]
++[B<-tls1_2>]
++[B<-dtls1>]
+ [B<-no_ssl2>]
+ [B<-no_ssl3>]
+ [B<-no_tls1>]
+@@ -200,7 +203,7 @@ Use the PSK key B<key> when using a PSK
+ given as a hexadecimal number without leading 0x, for example -psk
+ 1a2b3c4d.
+
+-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
++=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+
+ these options disable the use of certain SSL or TLS protocols. By default
+ the initial handshake uses a method which should be compatible with all
+diff -up openssl-1.0.2a/doc/apps/s_server.pod.manfix openssl-1.0.2a/doc/apps/s_server.pod
+--- openssl-1.0.2a/doc/apps/s_server.pod.manfix 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/doc/apps/s_server.pod 2015-04-21 17:39:20.085574603 +0200
+@@ -212,7 +212,7 @@ Use the PSK key B<key> when using a PSK
+ given as a hexadecimal number without leading 0x, for example -psk
+ 1a2b3c4d.
+
+-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
++=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+
+ these options disable the use of certain SSL or TLS protocols. By default
+ the initial handshake uses a method which should be compatible with all
+diff -up openssl-1.0.2a/doc/ssl/SSL_CTX_use_serverinfo.pod.manfix openssl-1.0.2a/doc/ssl/SSL_CTX_use_serverinfo.pod
+--- openssl-1.0.2a/doc/ssl/SSL_CTX_use_serverinfo.pod.manfix 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/doc/ssl/SSL_CTX_use_serverinfo.pod 2015-04-22 20:12:43.082395251 +0200
+@@ -2,7 +2,7 @@
+
+ =head1 NAME
+
+-SSL_CTX_use_serverinfo, SSL_CTX_use_serverinfo_file
++SSL_CTX_use_serverinfo, SSL_CTX_use_serverinfo_file - load serverinfo extensions
+
+ =head1 SYNOPSIS
+
diff --git a/openssl-1.0.2a-new-fips-reqs.patch b/openssl-1.0.2a-new-fips-reqs.patch
new file mode 100644
index 0000000..2462012
--- /dev/null
+++ b/openssl-1.0.2a-new-fips-reqs.patch
@@ -0,0 +1,1400 @@
+diff -up openssl-1.0.2a/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2a/crypto/bn/bn_rand.c
+--- openssl-1.0.2a/crypto/bn/bn_rand.c.fips-reqs 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/bn/bn_rand.c 2015-04-22 15:06:37.907003880 +0200
+@@ -136,9 +136,11 @@ static int bnrand(int pseudorand, BIGNUM
+ goto err;
+ }
+
+- /* make a random number and set the top and bottom bits */
+- time(&tim);
+- RAND_add(&tim, sizeof(tim), 0.0);
++ if (!FIPS_mode()) { /* in FIPS mode the RNG is always properly seeded or the module fails */
++ /* make a random number and set the top and bottom bits */
++ time(&tim);
++ RAND_add(&tim, sizeof(tim), 0.0);
++ }
+
+ if (pseudorand) {
+ if (RAND_pseudo_bytes(buf, bytes) == -1)
+diff -up openssl-1.0.2a/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2a/crypto/dh/dh_gen.c
+--- openssl-1.0.2a/crypto/dh/dh_gen.c.fips-reqs 2015-04-22 15:06:37.840002285 +0200
++++ openssl-1.0.2a/crypto/dh/dh_gen.c 2015-04-22 15:06:37.907003880 +0200
+@@ -128,7 +128,7 @@ static int dh_builtin_genparams(DH *ret,
+ return 0;
+ }
+
+- if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
++ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) {
+ DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
+ goto err;
+ }
+diff -up openssl-1.0.2a/crypto/dh/dh.h.fips-reqs openssl-1.0.2a/crypto/dh/dh.h
+--- openssl-1.0.2a/crypto/dh/dh.h.fips-reqs 2015-04-22 15:06:37.908003903 +0200
++++ openssl-1.0.2a/crypto/dh/dh.h 2015-04-22 15:07:25.265130812 +0200
+@@ -78,6 +78,7 @@
+ # endif
+
+ # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
++# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048
+
+ # define DH_FLAG_CACHE_MONT_P 0x01
+
+diff -up openssl-1.0.2a/crypto/dh/dh_check.c.fips-reqs openssl-1.0.2a/crypto/dh/dh_check.c
+--- openssl-1.0.2a/crypto/dh/dh_check.c.fips-reqs 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/dh/dh_check.c 2015-04-22 15:06:37.908003903 +0200
+@@ -164,7 +164,30 @@ int DH_check_pub_key(const DH *dh, const
+ BN_sub_word(q, 1);
+ if (BN_cmp(pub_key, q) >= 0)
+ *ret |= DH_CHECK_PUBKEY_TOO_LARGE;
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && dh->q != NULL) {
++ BN_CTX *ctx = NULL;
+
++ ctx = BN_CTX_new();
++ if (ctx == NULL)
++ goto err;
++
++ if (BN_mod_exp_mont(q, pub_key, dh->q, dh->p, ctx, NULL) <= 0) {
++ BN_CTX_free(ctx);
++ goto err;
++ }
++ if (!BN_is_one(q)) {
++ /* it would be more correct to add new return flag
++ * for this test, but we do not want to do it
++ * so just error out
++ */
++ BN_CTX_free(ctx);
++ goto err;
++ }
++
++ BN_CTX_free(ctx);
++ }
++#endif
+ ok = 1;
+ err:
+ if (q != NULL)
+diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2a/crypto/dsa/dsa_gen.c
+--- openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips-reqs 2015-04-22 15:06:37.841002309 +0200
++++ openssl-1.0.2a/crypto/dsa/dsa_gen.c 2015-04-22 15:06:37.908003903 +0200
+@@ -165,9 +165,11 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ }
+
+ if (FIPS_module_mode() &&
+- (bits != 1024 || qbits != 160) &&
+- (bits != 2048 || qbits != 224) &&
+- (bits != 2048 || qbits != 256) && (bits != 3072 || qbits != 256)) {
++ (getenv("OPENSSL_ENFORCE_MODULUS_BITS") || bits != 1024
++ || qbits != 160) && (bits != 2048 || qbits != 224) && (bits != 2048
++ || qbits !=
++ 256)
++ && (bits != 3072 || qbits != 256)) {
+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
+ goto err;
+ }
+diff -up openssl-1.0.2a/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2a/crypto/dsa/dsa.h
+--- openssl-1.0.2a/crypto/dsa/dsa.h.fips-reqs 2015-04-22 15:06:37.908003903 +0200
++++ openssl-1.0.2a/crypto/dsa/dsa.h 2015-04-22 15:09:01.291415852 +0200
+@@ -89,6 +89,7 @@
+ # endif
+
+ # define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
++# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN (getenv("OPENSSL_ENFORCE_MODULUS_BITS")?2048:1024)
+
+ # define DSA_FLAG_CACHE_MONT_P 0x01
+ /*
+@@ -251,9 +252,9 @@ int DSAparams_print_fp(FILE *fp, const D
+ int DSA_print_fp(FILE *bp, const DSA *x, int off);
+ # endif
+
+-# define DSS_prime_checks 50
++# define DSS_prime_checks 64
+ /*
+- * Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of
++ * Primality test according to FIPS PUB 186-4, Appendix 2.1: 64 rounds of
+ * Rabin-Miller
+ */
+ # define DSA_is_prime(n, callback, cb_arg) \
+diff -up openssl-1.0.2a/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2a/crypto/dsa/dsa_key.c
+--- openssl-1.0.2a/crypto/dsa/dsa_key.c.fips-reqs 2015-04-22 15:06:37.905003832 +0200
++++ openssl-1.0.2a/crypto/dsa/dsa_key.c 2015-04-22 15:06:37.908003903 +0200
+@@ -125,7 +125,7 @@ static int dsa_builtin_keygen(DSA *dsa)
+
+ # ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
+- && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
++ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN)) {
+ DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
+ goto err;
+ }
+diff -up openssl-1.0.2a/crypto/fips/fips.c.fips-reqs openssl-1.0.2a/crypto/fips/fips.c
+--- openssl-1.0.2a/crypto/fips/fips.c.fips-reqs 2015-04-22 15:06:37.905003832 +0200
++++ openssl-1.0.2a/crypto/fips/fips.c 2015-04-22 15:06:37.909003927 +0200
+@@ -424,26 +424,24 @@ int FIPS_module_mode_set(int onoff, cons
+ ret = 0;
+ goto end;
+ }
+- OPENSSL_ia32cap_P[0] |= (1 << 28); /* set "shared cache" */
+- OPENSSL_ia32cap_P[1] &= ~(1 << (60 - 32)); /* clear AVX */
+ }
+ # endif
+
+- if (!verify_checksums()) {
+- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
+- FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
++ if (!FIPS_selftest()) {
+ fips_selftest_fail = 1;
+ ret = 0;
+ goto end;
+ }
+
+- if (FIPS_selftest())
+- fips_set_mode(onoff);
+- else {
++ if (!verify_checksums()) {
++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+ fips_selftest_fail = 1;
+ ret = 0;
+ goto end;
+ }
++
++ fips_set_mode(onoff);
+ ret = 1;
+ goto end;
+ }
+diff -up openssl-1.0.2a/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2a/crypto/fips/fips_dh_selftest.c
+--- openssl-1.0.2a/crypto/fips/fips_dh_selftest.c.fips-reqs 2015-04-22 15:06:37.909003927 +0200
++++ openssl-1.0.2a/crypto/fips/fips_dh_selftest.c 2015-04-22 15:06:37.909003927 +0200
+@@ -0,0 +1,162 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ * Copyright (c) 2013 Red Hat, Inc.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/dh.h>
++#include <openssl/fips.h>
++#include <openssl/err.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++static const unsigned char dh_test_2048_p[] = {
++ 0xAE, 0xEC, 0xEE, 0x22, 0xFA, 0x3A, 0xA5, 0x22, 0xC0, 0xDE, 0x0F, 0x09,
++ 0x7E, 0x17, 0xC0, 0x05, 0xF9, 0xF1, 0xE7, 0xC6, 0x87, 0x14, 0x6D, 0x11,
++ 0xE7, 0xAE, 0xED, 0x2F, 0x72, 0x59, 0xC5, 0xA9, 0x9B, 0xB8, 0x02, 0xA5,
++ 0xF3, 0x69, 0x70, 0xD6, 0xDD, 0x90, 0xF9, 0x19, 0x79, 0xBE, 0x60, 0x8F,
++ 0x25, 0x92, 0x30, 0x1C, 0x51, 0x51, 0x38, 0x26, 0x82, 0x25, 0xE6, 0xFC,
++ 0xED, 0x65, 0x96, 0x8F, 0x57, 0xE5, 0x53, 0x8B, 0x38, 0x63, 0xC7, 0xCE,
++ 0xBC, 0x1B, 0x4D, 0x18, 0x2A, 0x5B, 0x04, 0x3F, 0x6A, 0x3C, 0x94, 0x39,
++ 0xAE, 0x36, 0xD6, 0x5E, 0x0F, 0xA2, 0xCC, 0xD0, 0xD4, 0xD5, 0xC6, 0x1E,
++ 0xF6, 0xA0, 0xF5, 0x89, 0x4E, 0xB4, 0x0B, 0xA4, 0xB3, 0x2B, 0x3D, 0xE2,
++ 0x4E, 0xE1, 0x49, 0x25, 0x99, 0x5F, 0x32, 0x16, 0x33, 0x32, 0x1B, 0x7A,
++ 0xA5, 0x5C, 0x6B, 0x34, 0x0D, 0x39, 0x99, 0xDC, 0xF0, 0x76, 0xE5, 0x5A,
++ 0xD4, 0x71, 0x00, 0xED, 0x5A, 0x73, 0xFB, 0xC8, 0x01, 0xAD, 0x99, 0xCF,
++ 0x99, 0x52, 0x7C, 0x9C, 0x64, 0xC6, 0x76, 0x40, 0x57, 0xAF, 0x59, 0xD7,
++ 0x38, 0x0B, 0x40, 0xDE, 0x33, 0x0D, 0xB8, 0x76, 0xEC, 0xA9, 0xD8, 0x73,
++ 0xF8, 0xEF, 0x26, 0x66, 0x06, 0x27, 0xDD, 0x7C, 0xA4, 0x10, 0x9C, 0xA6,
++ 0xAA, 0xF9, 0x53, 0x62, 0x73, 0x1D, 0xBA, 0x1C, 0xF1, 0x67, 0xF4, 0x35,
++ 0xED, 0x6F, 0x37, 0x92, 0xE8, 0x4F, 0x6C, 0xBA, 0x52, 0x6E, 0xA1, 0xED,
++ 0xDA, 0x9F, 0x85, 0x11, 0x82, 0x52, 0x62, 0x08, 0x44, 0xF1, 0x30, 0x03,
++ 0xC3, 0x38, 0x2C, 0x79, 0xBD, 0xD4, 0x43, 0x45, 0xEE, 0x8E, 0x50, 0xFC,
++ 0x29, 0x46, 0x9A, 0xFE, 0x54, 0x1A, 0x19, 0x8F, 0x4B, 0x84, 0x08, 0xDE,
++ 0x20, 0x62, 0x73, 0xCC, 0xDD, 0x7E, 0xF0, 0xEF, 0xA2, 0xFD, 0x86, 0x58,
++ 0x4B, 0xD8, 0x37, 0xEB
++};
++
++static const unsigned char dh_test_2048_g[] = {
++ 0x02
++};
++
++static const unsigned char dh_test_2048_pub_key[] = {
++ 0xA0, 0x39, 0x11, 0x77, 0x9A, 0xC1, 0x30, 0x1F, 0xBE, 0x48, 0xA7, 0xAA,
++ 0xA0, 0x84, 0x54, 0x64, 0xAD, 0x1B, 0x70, 0xFA, 0x13, 0x55, 0x63, 0xD2,
++ 0x1F, 0x62, 0x32, 0x93, 0x8E, 0xC9, 0x3E, 0x09, 0xA7, 0x64, 0xE4, 0x12,
++ 0x6E, 0x1B, 0xF2, 0x92, 0x3B, 0xB9, 0xCB, 0x56, 0xEA, 0x07, 0x88, 0xB5,
++ 0xA6, 0xBC, 0x16, 0x1F, 0x27, 0xFE, 0xD8, 0xAA, 0x40, 0xB2, 0xB0, 0x2D,
++ 0x37, 0x76, 0xA6, 0xA4, 0x82, 0x2C, 0x0E, 0x22, 0x64, 0x9D, 0xCB, 0xD1,
++ 0x00, 0xB7, 0x89, 0x14, 0x72, 0x4E, 0xBE, 0x48, 0x41, 0xF8, 0xB2, 0x51,
++ 0x11, 0x09, 0x4B, 0x22, 0x01, 0x23, 0x39, 0x96, 0xE0, 0x15, 0xD7, 0x9F,
++ 0x60, 0xD1, 0xB7, 0xAE, 0xFE, 0x5F, 0xDB, 0xE7, 0x03, 0x17, 0x97, 0xA6,
++ 0x16, 0x74, 0xBD, 0x53, 0x81, 0x19, 0xC5, 0x47, 0x5E, 0xCE, 0x8D, 0xED,
++ 0x45, 0x5D, 0x3C, 0x00, 0xA0, 0x0A, 0x68, 0x6A, 0xE0, 0x8E, 0x06, 0x46,
++ 0x6F, 0xD7, 0xF9, 0xDF, 0x31, 0x7E, 0x77, 0x44, 0x0D, 0x98, 0xE0, 0xCA,
++ 0x98, 0x09, 0x52, 0x04, 0x90, 0xEA, 0x6D, 0xF4, 0x30, 0x69, 0x8F, 0xB1,
++ 0x9B, 0xC1, 0x43, 0xDB, 0xD5, 0x8D, 0xC8, 0x8E, 0xB6, 0x0B, 0x05, 0xBE,
++ 0x0E, 0xC5, 0x99, 0xC8, 0x6E, 0x4E, 0xF3, 0xCB, 0xC3, 0x5E, 0x9B, 0x53,
++ 0xF7, 0x06, 0x1C, 0x4F, 0xC7, 0xB8, 0x6E, 0x30, 0x18, 0xCA, 0x9B, 0xB9,
++ 0xBC, 0x5F, 0x17, 0x72, 0x29, 0x5A, 0xE5, 0xD9, 0x96, 0xB7, 0x0B, 0xF3,
++ 0x2D, 0x8C, 0xF1, 0xE1, 0x0E, 0x0D, 0x74, 0xD5, 0x9D, 0xF0, 0x06, 0xA9,
++ 0xB4, 0x95, 0x63, 0x76, 0x46, 0x55, 0x48, 0x82, 0x39, 0x90, 0xEF, 0x56,
++ 0x75, 0x34, 0xB8, 0x34, 0xC3, 0x18, 0x6E, 0x1E, 0xAD, 0xE3, 0x48, 0x7E,
++ 0x93, 0x2C, 0x23, 0xE7, 0xF8, 0x90, 0x73, 0xB1, 0x77, 0x80, 0x67, 0xA9,
++ 0x36, 0x9E, 0xDA, 0xD2
++};
++
++static const unsigned char dh_test_2048_priv_key[] = {
++ 0x0C, 0x4B, 0x30, 0x89, 0xD1, 0xB8, 0x62, 0xCB, 0x3C, 0x43, 0x64, 0x91,
++ 0xF0, 0x91, 0x54, 0x70, 0xC5, 0x27, 0x96, 0xE3, 0xAC, 0xBE, 0xE8, 0x00,
++ 0xEC, 0x55, 0xF6, 0xCC
++};
++
++int FIPS_selftest_dh()
++{
++ DH *dh = NULL;
++ int ret = 0;
++ void *pub_key = NULL;
++ int len;
++
++ dh = DH_new();
++
++ if (dh == NULL)
++ goto err;
++
++ fips_load_key_component(dh, p, dh_test_2048);
++ fips_load_key_component(dh, g, dh_test_2048);
++ /* note that the private key is much shorter than normally used
++ * but still g ** priv_key > p
++ */
++ fips_load_key_component(dh, priv_key, dh_test_2048);
++
++ if (DH_generate_key(dh) <= 0)
++ goto err;
++
++ len = BN_num_bytes(dh->pub_key);
++ if ((pub_key = OPENSSL_malloc(len)) == NULL)
++ goto err;
++ BN_bn2bin(dh->pub_key, pub_key);
++
++ if (len != sizeof(dh_test_2048_pub_key) ||
++ memcmp(pub_key, dh_test_2048_pub_key, len) != 0)
++ goto err;
++
++ ret = 1;
++
++ err:
++ if (dh)
++ DH_free(dh);
++
++ OPENSSL_free(pub_key);
++ return ret;
++}
++#endif
+diff -up openssl-1.0.2a/crypto/fips/fips.h.fips-reqs openssl-1.0.2a/crypto/fips/fips.h
+--- openssl-1.0.2a/crypto/fips/fips.h.fips-reqs 2015-04-22 15:06:37.899003689 +0200
++++ openssl-1.0.2a/crypto/fips/fips.h 2015-04-22 15:06:37.909003927 +0200
+@@ -96,6 +96,7 @@ extern "C" {
+ int FIPS_selftest_dsa(void);
+ int FIPS_selftest_ecdsa(void);
+ int FIPS_selftest_ecdh(void);
++ int FIPS_selftest_dh(void);
+ void FIPS_corrupt_rng(void);
+ void FIPS_rng_stick(void);
+ void FIPS_x931_stick(int onoff);
+diff -up openssl-1.0.2a/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2a/crypto/fips/fips_post.c
+--- openssl-1.0.2a/crypto/fips/fips_post.c.fips-reqs 2015-04-22 15:06:37.895003594 +0200
++++ openssl-1.0.2a/crypto/fips/fips_post.c 2015-04-22 15:06:37.909003927 +0200
+@@ -99,6 +99,8 @@ int FIPS_selftest(void)
+ rv = 0;
+ if (!FIPS_selftest_dsa())
+ rv = 0;
++ if (!FIPS_selftest_dh())
++ rv = 0;
+ if (!FIPS_selftest_ecdh())
+ rv = 0;
+ return rv;
+diff -up openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c
+--- openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c.fips-reqs 2015-04-22 15:06:37.854002618 +0200
++++ openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c 2015-04-22 15:06:37.910003951 +0200
+@@ -60,68 +60,107 @@
+ #ifdef OPENSSL_FIPS
+
+ static const unsigned char n[] =
+- "\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
+- "\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
+- "\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD"
+- "\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80"
+- "\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25"
+- "\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39"
+- "\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68"
+- "\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD" "\xCB";
++ "\x00\xc9\xd5\x6d\x9d\x90\xdb\x43\xd6\x02\xed\x96\x88\x13\x8a"
++ "\xb2\xbf\x6e\xa1\x06\x10\xb2\x78\x37\xa7\x14\xa8\xff\xdd\x00"
++ "\xdd\xb4\x93\xa0\x45\xcc\x96\x90\xed\xad\xa9\xdd\xc4\xd6\xca"
++ "\x0c\xf0\xed\x4f\x72\x5e\x21\x49\x9a\x18\x12\x15\x8f\x90\x5a"
++ "\xdb\xb6\x33\x99\xa3\xe6\xb4\xf0\xc4\x97\x21\x26\xbb\xe3\xba"
++ "\xf2\xff\xa0\x72\xda\x89\x63\x8e\x8b\x3e\x08\x9d\x92\x2a\xbe"
++ "\x16\xe1\x43\x15\xfc\x57\xc7\x1f\x09\x11\x67\x1c\xa9\x96\xd1"
++ "\x8b\x3e\x80\x93\xc1\x59\xd0\x6d\x39\xf2\xac\x95\xcc\x10\x75"
++ "\xe9\x31\x24\xd1\x43\xaf\x68\x52\x4b\xe7\x16\xd7\x49\x65\x6f"
++ "\x26\xc0\x86\xad\xc0\x07\x0a\xc1\xe1\x2f\x87\x85\x86\x3b\xdc"
++ "\x5a\x99\xbe\xe9\xf9\xb9\xe9\x82\x27\x51\x04\x15\xab\x06\x0e"
++ "\x76\x5a\x28\x8d\x92\xbd\xc5\xb5\x7b\xa8\xdf\x4e\x47\xa2\xc1"
++ "\xe7\x52\xbf\x47\xf7\x62\xe0\x3a\x6f\x4d\x6a\x4d\x4e\xd4\xb9"
++ "\x59\x69\xfa\xb2\x14\xc1\xee\xe6\x2f\x95\xcd\x94\x72\xae\xe4"
++ "\xdb\x18\x9a\xc4\xcd\x70\xbd\xee\x31\x16\xb7\x49\x65\xac\x40"
++ "\x19\x0e\xb5\x6d\x83\xf1\x36\xbb\x08\x2f\x2e\x4e\x92\x62\xa4"
++ "\xff\x50\xdb\x20\x45\xa2\xeb\x16\x7a\xf2\xd5\x28\xc1\xfd\x4e" "\x03\x71";
+
+ static int corrupt_rsa;
+
+ static int setrsakey(RSA *key)
+ {
+- static const unsigned char e[] = "\x11";
++ static const unsigned char e[] = "\x01\x00\x01";
+
+ static const unsigned char d[] =
+- "\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD"
+- "\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41"
+- "\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69"
+- "\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA"
+- "\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94"
+- "\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A"
+- "\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
+- "\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
+- "\xC1";
++ "\x36\x27\x3d\xb1\xf9\x1b\xdb\xa7\xa0\x41\x7f\x12\x23\xac\x23"
++ "\x29\x99\xd5\x3a\x7b\x60\x67\x41\x07\x63\x53\xb4\xd2\xe7\x58"
++ "\x95\x0a\xc7\x05\xf3\x4e\xb2\xb4\x12\xd4\x70\xdc\x4f\x85\x06"
++ "\xd3\xdd\xd8\x63\x27\x3e\x67\x31\x21\x24\x39\x04\xbc\x06\xa4"
++ "\xcc\xce\x2b\x7a\xfe\x7b\xad\xde\x11\x6e\xa3\xa5\xe6\x04\x53"
++ "\x0e\xa3\x4e\x2d\xb4\x8f\x31\xbf\xca\x75\x25\x52\x02\x85\xde"
++ "\x3d\xb2\x72\x43\xb2\x89\x8a\x9a\x34\x41\x26\x3f\x9a\x67\xbe"
++ "\xa4\x96\x7b\x0e\x75\xba\xa6\x93\xd5\xb8\xd8\xb8\x57\xf2\x4b"
++ "\x0f\x14\x81\xd1\x57\x4e\xf6\x45\x4c\xa6\x3b\xd0\x70\xca\xd3"
++ "\x9d\x55\xde\x22\x05\xe7\x8e\x28\x4d\xee\x11\xcf\xb6\x67\x76"
++ "\x09\xd3\xe3\x3c\x13\xf9\x99\x34\x10\x7b\xec\x81\x38\xf0\xb6"
++ "\x34\x9c\x9b\x50\x6f\x0b\x91\x81\x4d\x89\x94\x04\x7b\xf0\x3c"
++ "\xf4\xb1\xb2\x00\x48\x8d\x5a\x8f\x88\x9e\xc5\xab\x3a\x9e\x44"
++ "\x3f\x54\xe7\xd9\x6e\x47\xaa\xa1\xbd\x40\x46\x31\xf9\xf0\x34"
++ "\xb6\x04\xe1\x2b\x5b\x73\x86\xdd\x3a\x92\x1b\x71\xc7\x3f\x32"
++ "\xe5\xc3\xc2\xab\xa1\x7e\xbf\xa4\x52\xa0\xb0\x68\x90\xd1\x20"
++ "\x12\x79\xe9\xd7\xc9\x40\xba\xf2\x19\xc7\xa5\x00\x92\x86\x0d" "\x01";
+
+ static const unsigned char p[] =
+- "\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
+- "\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
+- "\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
+- "\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
+- "\x99";
++ "\x00\xfc\x5c\x6e\x16\xce\x1f\x03\x7b\xcd\xf7\xb3\x72\xb2\x8f"
++ "\x16\x72\xb8\x56\xae\xf7\xcd\x67\xd8\x4e\x7d\x07\xaf\xd5\x43"
++ "\x26\xc3\x35\xbe\x43\x8f\x4e\x2f\x1c\x43\x4e\x6b\xd2\xb2\xec"
++ "\x52\x6d\x97\x52\x2b\xcc\x5c\x3a\x6b\xf4\x14\xc6\x74\xda\x66"
++ "\x38\x1c\x7a\x3f\x84\x2f\xe3\xf9\x5a\xb8\x65\x69\x46\x06\xa3"
++ "\x37\x79\xb2\xa1\x5b\x58\xed\x5e\xa7\x5f\x8c\x65\x66\xbb\xd1"
++ "\x24\x36\xe6\x37\xa7\x3d\x49\x77\x8a\x8c\x34\xd8\x69\x29\xf3"
++ "\x4d\x58\x22\xb0\x51\x24\xb6\x40\xa8\x86\x59\x0a\xb7\xba\x5c"
++ "\x97\xda\x57\xe8\x36\xda\x7a\x9c\xad";
+
+ static const unsigned char q[] =
+- "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
+- "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
+- "\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
+- "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
+- "\x03";
++ "\x00\xcc\xbe\x7b\x09\x69\x06\xee\x45\xbf\x88\x47\x38\xa8\xf8"
++ "\x17\xe5\xb6\xba\x67\x55\xe3\xe8\x05\x8b\xb8\xe2\x53\xd6\x8e"
++ "\xef\x2c\xe7\x4f\x4a\xf7\x4e\x26\x8d\x85\x0b\x3f\xec\xc3\x1c"
++ "\xd4\xeb\xec\x6a\xc8\x72\x2a\x25\x7d\xfd\xa6\x77\x96\xf0\x1e"
++ "\xcd\x28\x57\xf8\x37\x30\x75\x6b\xbd\xd4\x7b\x0c\x87\xc5\x6c"
++ "\x87\x40\xa5\xbb\x27\x2c\x78\xc9\x74\x5a\x54\x5b\x0b\x30\x6f"
++ "\x44\x4a\xfa\x71\xe4\x21\x61\x66\xf9\xee\x65\xde\x7c\x04\xd7"
++ "\xfd\xa9\x15\x5b\x7f\xe2\x7a\xba\x69\x86\x72\xa6\x06\x8d\x9b"
++ "\x90\x55\x60\x9e\x4c\x5d\xa9\xb6\x55";
+
+ static const unsigned char dmp1[] =
+- "\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
+- "\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
+- "\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
+- "\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81";
++ "\x7a\xd6\x12\xd0\x0e\xec\x91\xa9\x85\x8b\xf8\x50\xf0\x11\x2e"
++ "\x00\x11\x32\x40\x60\x66\x1f\x11\xee\xc2\x75\x27\x65\x4b\x16"
++ "\x67\x16\x95\xd2\x14\xc3\x1d\xb3\x48\x1f\xb7\xe4\x0b\x2b\x74"
++ "\xc3\xdb\x50\x27\xf9\x85\x3a\xfa\xa9\x08\x23\xc1\x65\x3d\x34"
++ "\x3a\xc8\x56\x7a\x65\x45\x36\x6e\xae\x2a\xce\x9f\x43\x43\xd7"
++ "\x10\xe9\x9e\x18\xf4\xa4\x35\xda\x8a\x6b\xb0\x3f\xdd\x53\xe3"
++ "\xa8\xc5\x4e\x79\x9d\x1f\x51\x8c\xa2\xca\x66\x3c\x6a\x2a\xff"
++ "\x8e\xd2\xf3\xb7\xcb\x82\xda\xde\x2c\xe6\xd2\x8c\xb3\xad\xb6"
++ "\x4c\x95\x55\x76\xbd\xc9\xc8\xd1";
+
+ static const unsigned char dmq1[] =
+- "\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
+- "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
+- "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
+- "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D";
++ "\x00\x83\x23\x1d\xbb\x11\x42\x17\x2b\x25\x5a\x2c\x03\xe6\x75"
++ "\xc1\x18\xa8\xc9\x0b\x96\xbf\xba\xc4\x92\x91\x80\xa5\x22\x2f"
++ "\xba\x91\x90\x36\x01\x56\x15\x00\x2c\x74\xa2\x97\xf7\x15\xa1"
++ "\x49\xdf\x32\x35\xd2\xdd\x0c\x91\xa6\xf8\xe7\xbe\x81\x36\x9b"
++ "\x03\xdc\x6b\x3b\xd8\x5d\x79\x57\xe0\xe6\x4f\x49\xdf\x4c\x5c"
++ "\x0e\xe5\x21\x41\x95\xfd\xad\xff\x9a\x3e\xa0\xf9\x0f\x59\x9e"
++ "\x6a\xa7\x7b\x71\xa7\x24\x9a\x36\x52\xae\x97\x20\xc1\x5e\x78"
++ "\xd9\x47\x8b\x1e\x67\xf2\xaf\x98\xe6\x2d\xef\x10\xd7\xf1\xab"
++ "\x49\xee\xe5\x4b\x7e\xae\x1f\x1d\x61";
+
+ static const unsigned char iqmp[] =
+- "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
+- "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
+- "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
+- "\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
+- "\xF7";
++ "\x23\x96\xc1\x91\x17\x5e\x0a\x83\xd2\xdc\x7b\x69\xb2\x59\x1d"
++ "\x33\x58\x52\x3f\x18\xc7\x09\x50\x1c\xb9\xa1\xbb\x4c\xa2\x38"
++ "\x40\x4c\x9a\x8e\xfe\x9c\x90\x92\xd0\x71\x9f\x89\x99\x50\x91"
++ "\x1f\x34\x8b\x74\x53\x11\x11\x4a\x70\xe2\xf7\x30\xd8\x8c\x80"
++ "\xe1\xcc\x9f\xf1\x63\x17\x1a\x7d\x67\x29\x4c\xcb\x4e\x74\x7b"
++ "\xe0\x3e\x9e\x2f\xf4\x67\x8f\xec\xb9\x5c\x00\x1e\x7e\xa2\x7b"
++ "\x92\xc9\x6f\x4c\xe4\x0e\xf9\x48\x63\xcd\x50\x22\x5d\xbf\xb6"
++ "\x9d\x01\x33\x6a\xf4\x50\xbe\x86\x98\x4f\xca\x3f\x3a\xfa\xcf"
++ "\x07\x40\xc4\xaa\xad\xae\xbe\xbf";
+
+ key->n = BN_bin2bn(n, sizeof(n) - 1, key->n);
+ if (corrupt_rsa)
+- BN_set_bit(key->n, 1024);
++ BN_set_bit(key->n, 2048);
+ key->e = BN_bin2bn(e, sizeof(e) - 1, key->e);
+ key->d = BN_bin2bn(d, sizeof(d) - 1, key->d);
+ key->p = BN_bin2bn(p, sizeof(p) - 1, key->p);
+@@ -145,200 +184,292 @@ static const unsigned char kat_tbs[] =
+ "OpenSSL FIPS 140-2 Public Key RSA KAT";
+
+ static const unsigned char kat_RSA_PSS_SHA1[] = {
+- 0x2D, 0xAF, 0x6E, 0xC2, 0x98, 0xFB, 0x8A, 0xA1, 0xB9, 0x46, 0xDA, 0x0F,
+- 0x01, 0x1E, 0x37, 0x93, 0xC2, 0x55, 0x27, 0xE4, 0x1D, 0xD2, 0x90, 0xBB,
+- 0xF4, 0xBF, 0x4A, 0x74, 0x39, 0x51, 0xBB, 0xE8, 0x0C, 0xB7, 0xF8, 0xD3,
+- 0xD1, 0xDF, 0xE7, 0xBE, 0x80, 0x05, 0xC3, 0xB5, 0xC7, 0x83, 0xD5, 0x4C,
+- 0x7F, 0x49, 0xFB, 0x3F, 0x29, 0x9B, 0xE1, 0x12, 0x51, 0x60, 0xD0, 0xA7,
+- 0x0D, 0xA9, 0x28, 0x56, 0x73, 0xD9, 0x07, 0xE3, 0x5E, 0x3F, 0x9B, 0xF5,
+- 0xB6, 0xF3, 0xF2, 0x5E, 0x74, 0xC9, 0x83, 0x81, 0x47, 0xF0, 0xC5, 0x45,
+- 0x0A, 0xE9, 0x8E, 0x38, 0xD7, 0x18, 0xC6, 0x2A, 0x0F, 0xF8, 0xB7, 0x31,
+- 0xD6, 0x55, 0xE4, 0x66, 0x78, 0x81, 0xD4, 0xE6, 0xDB, 0x9F, 0xBA, 0xE8,
+- 0x23, 0xB5, 0x7F, 0xDC, 0x08, 0xEA, 0xD5, 0x26, 0x1E, 0x20, 0x25, 0x84,
+- 0x26, 0xC6, 0x79, 0xC9, 0x9B, 0x3D, 0x7E, 0xA9
++ 0xC2, 0x80, 0x82, 0x56, 0xD8, 0xA7, 0xB2, 0x9C, 0xF5, 0xD6, 0x3C, 0xE3,
++ 0xBF, 0xE9, 0x3A, 0x53, 0x40, 0xAE, 0xF2, 0xA9, 0x6A, 0x39, 0x49, 0x5B,
++ 0x05, 0x7F, 0x67, 0x38, 0x2E, 0x1D, 0xE1, 0x93, 0x22, 0x65, 0x79, 0x84,
++ 0x68, 0xFA, 0xD8, 0xAF, 0xA1, 0x98, 0x61, 0x6F, 0x44, 0x27, 0xA6, 0x8B,
++ 0xCF, 0x0E, 0x13, 0xA9, 0xCE, 0xD7, 0x6C, 0xD2, 0x38, 0xB5, 0x16, 0xB9,
++ 0x66, 0x94, 0x48, 0xDE, 0x9E, 0x19, 0x3D, 0x6F, 0xB3, 0xA1, 0x9A, 0x19,
++ 0xDF, 0xFB, 0xAB, 0xA5, 0x9F, 0x38, 0xDA, 0xC9, 0x21, 0x8F, 0xCE, 0x98,
++ 0x01, 0x3A, 0xC8, 0xE0, 0xDF, 0xDA, 0xFC, 0xF0, 0xA6, 0x86, 0x29, 0xB5,
++ 0x7F, 0x61, 0xFB, 0xBA, 0xC5, 0x49, 0xB2, 0x7C, 0x6A, 0x26, 0x82, 0xC4,
++ 0x8F, 0xAA, 0x5B, 0x10, 0xD5, 0xEE, 0xA0, 0x55, 0x42, 0xEF, 0x32, 0x5A,
++ 0x3F, 0x55, 0xB3, 0x2C, 0x22, 0xE9, 0x65, 0xDA, 0x8D, 0x0A, 0xB9, 0x70,
++ 0x43, 0xCC, 0x3F, 0x64, 0x9C, 0xB5, 0x65, 0x49, 0xBD, 0x7F, 0x35, 0xC1,
++ 0x20, 0x85, 0x24, 0xFE, 0xAA, 0x6B, 0x37, 0x04, 0xA1, 0x0E, 0x9D, 0x5C,
++ 0xBA, 0x7F, 0x14, 0x69, 0xC5, 0x93, 0xB2, 0x33, 0xC2, 0xC0, 0xC7, 0xDF,
++ 0x7E, 0x9E, 0xA4, 0xB0, 0xA0, 0x64, 0xD2, 0xAC, 0xFC, 0xFD, 0xFD, 0x99,
++ 0x8F, 0x6A, 0x40, 0x26, 0xC1, 0x2E, 0x4E, 0x8B, 0x33, 0xBE, 0xF1, 0x45,
++ 0x59, 0x8F, 0x33, 0x40, 0x1D, 0x2A, 0xD2, 0xF7, 0x50, 0x83, 0x89, 0xCF,
++ 0x94, 0xC6, 0xF8, 0x36, 0xF0, 0x84, 0x0B, 0x85, 0xA5, 0x02, 0xA9, 0x0F,
++ 0x41, 0x7A, 0x77, 0xA3, 0x2F, 0x47, 0x1E, 0x1D, 0xEC, 0xE6, 0xD3, 0x01,
++ 0x1E, 0x6F, 0x7A, 0x96, 0x50, 0x37, 0x37, 0x4B, 0x27, 0x52, 0x0B, 0xDC,
++ 0xDB, 0xC7, 0xA9, 0x31, 0xB2, 0x40, 0xEE, 0x60, 0x41, 0x26, 0x6A, 0x05,
++ 0xCE, 0x08, 0x1D, 0x89
+ };
+
+ static const unsigned char kat_RSA_PSS_SHA224[] = {
+- 0x39, 0x4A, 0x6A, 0x20, 0xBC, 0xE9, 0x33, 0xED, 0xEF, 0xC5, 0x58, 0xA7,
+- 0xFE, 0x81, 0xC4, 0x36, 0x50, 0x9A, 0x2C, 0x82, 0x98, 0x08, 0x95, 0xFA,
+- 0xB1, 0x9E, 0xD2, 0x55, 0x61, 0x87, 0x21, 0x59, 0x87, 0x7B, 0x1F, 0x57,
+- 0x30, 0x9D, 0x0D, 0x4A, 0x06, 0xEB, 0x52, 0x37, 0x55, 0x54, 0x1C, 0x89,
+- 0x83, 0x75, 0x59, 0x65, 0x64, 0x90, 0x2E, 0x16, 0xCC, 0x86, 0x05, 0xEE,
+- 0xB1, 0xE6, 0x7B, 0xBA, 0x16, 0x75, 0x0D, 0x0C, 0x64, 0x0B, 0xAB, 0x22,
+- 0x15, 0x78, 0x6B, 0x6F, 0xA4, 0xFB, 0x77, 0x40, 0x64, 0x62, 0xD1, 0xB5,
+- 0x37, 0x1E, 0xE0, 0x3D, 0xA8, 0xF9, 0xD2, 0xBD, 0xAA, 0x38, 0x24, 0x49,
+- 0x58, 0xD2, 0x74, 0x85, 0xF4, 0xB5, 0x93, 0x8E, 0xF5, 0x03, 0xEA, 0x2D,
+- 0xC8, 0x52, 0xFA, 0xCF, 0x7E, 0x35, 0xB0, 0x6A, 0xAF, 0x95, 0xC0, 0x00,
+- 0x54, 0x76, 0x3D, 0x0C, 0x9C, 0xB2, 0xEE, 0xC0
++ 0xB4, 0x01, 0x93, 0x16, 0x05, 0xF6, 0xEB, 0xE2, 0xA4, 0xEB, 0x48, 0xAA,
++ 0x00, 0xF4, 0xA1, 0x99, 0x0A, 0xB4, 0xB6, 0x63, 0xE9, 0x68, 0xCA, 0xB3,
++ 0x13, 0xD7, 0x66, 0x6A, 0xCD, 0xCB, 0x33, 0x9F, 0xE5, 0x84, 0xE2, 0xC3,
++ 0x0B, 0x53, 0xE5, 0x8B, 0x96, 0x4B, 0xDB, 0x2D, 0x80, 0xA4, 0x1D, 0xE3,
++ 0x81, 0xDC, 0x52, 0x99, 0xBA, 0x9B, 0x6A, 0x9D, 0x48, 0x1F, 0x73, 0xF7,
++ 0xAC, 0x09, 0x13, 0xA1, 0x16, 0x2C, 0x60, 0xFB, 0xBC, 0x25, 0xF7, 0x53,
++ 0xD1, 0x04, 0x5A, 0x3F, 0x95, 0x09, 0x5E, 0xE5, 0xA2, 0x7D, 0xFC, 0x2A,
++ 0x51, 0x1D, 0x21, 0xCE, 0x2B, 0x4E, 0x1B, 0xB8, 0xCB, 0xDD, 0x24, 0xEE,
++ 0x99, 0x1D, 0x37, 0xDC, 0xED, 0x5F, 0x2F, 0x48, 0x5E, 0x33, 0x94, 0x06,
++ 0x19, 0xCD, 0x5A, 0x26, 0x85, 0x77, 0x9D, 0xAF, 0x86, 0x97, 0xC9, 0x08,
++ 0xD5, 0x81, 0x0E, 0xB8, 0x9F, 0xB6, 0xAF, 0x20, 0x72, 0xDC, 0x13, 0x4D,
++ 0x7A, 0xE4, 0x5C, 0x81, 0xDE, 0xC0, 0x3D, 0x19, 0x9C, 0x33, 0x11, 0x07,
++ 0xD5, 0xA9, 0x51, 0x67, 0xCD, 0xFD, 0x37, 0x61, 0x14, 0x9F, 0xE7, 0x70,
++ 0x18, 0x32, 0xC3, 0x34, 0x54, 0x0D, 0x4F, 0xB4, 0xAE, 0x9F, 0xEC, 0x64,
++ 0xD8, 0xB2, 0x16, 0xA4, 0xB2, 0x99, 0x92, 0xCB, 0x7F, 0x1F, 0x06, 0x17,
++ 0x5F, 0xA1, 0x07, 0x68, 0xAE, 0xA7, 0x2D, 0x03, 0x91, 0x2A, 0x9D, 0x69,
++ 0xC2, 0x9D, 0x90, 0xF7, 0xF9, 0x66, 0x5D, 0x13, 0xB7, 0x7F, 0xD3, 0x97,
++ 0x45, 0x97, 0x43, 0xD8, 0xCE, 0x3C, 0xF2, 0x98, 0x98, 0xDD, 0xE2, 0x2D,
++ 0xCF, 0xA1, 0xC4, 0x25, 0x46, 0x2E, 0xD2, 0xE5, 0x5F, 0xC6, 0x01, 0xC5,
++ 0x4F, 0x42, 0x2B, 0xDE, 0x0F, 0xEA, 0x4A, 0x4F, 0xC3, 0x5B, 0xDF, 0x9B,
++ 0x5D, 0x30, 0x18, 0x93, 0xD0, 0xDE, 0xC5, 0x09, 0xAA, 0x57, 0x57, 0xBD,
++ 0x2D, 0x84, 0x03, 0xB7
+ };
+
+ static const unsigned char kat_RSA_PSS_SHA256[] = {
+- 0x6D, 0x3D, 0xBE, 0x8F, 0x60, 0x6D, 0x25, 0x14, 0xF0, 0x31, 0xE3, 0x89,
+- 0x00, 0x97, 0xFA, 0x99, 0x71, 0x28, 0xE5, 0x10, 0x25, 0x9A, 0xF3, 0x8F,
+- 0x7B, 0xC5, 0xA8, 0x4A, 0x74, 0x51, 0x36, 0xE2, 0x8D, 0x7D, 0x73, 0x28,
+- 0xC1, 0x77, 0xC6, 0x27, 0x97, 0x00, 0x8B, 0x00, 0xA3, 0x96, 0x73, 0x4E,
+- 0x7D, 0x2E, 0x2C, 0x34, 0x68, 0x8C, 0x8E, 0xDF, 0x9D, 0x49, 0x47, 0x05,
+- 0xAB, 0xF5, 0x01, 0xD6, 0x81, 0x47, 0x70, 0xF5, 0x1D, 0x6D, 0x26, 0xBA,
+- 0x2F, 0x7A, 0x54, 0x53, 0x4E, 0xED, 0x71, 0xD9, 0x5A, 0xF3, 0xDA, 0xB6,
+- 0x0B, 0x47, 0x34, 0xAF, 0x90, 0xDC, 0xC8, 0xD9, 0x6F, 0x56, 0xCD, 0x9F,
+- 0x21, 0xB7, 0x7E, 0xAD, 0x7C, 0x2F, 0x75, 0x50, 0x47, 0x12, 0xE4, 0x6D,
+- 0x5F, 0xB7, 0x01, 0xDF, 0xC3, 0x11, 0x6C, 0xA9, 0x9E, 0x49, 0xB9, 0xF6,
+- 0x72, 0xF4, 0xF6, 0xEF, 0x88, 0x1E, 0x2D, 0x1C
++ 0x38, 0xDA, 0x99, 0x51, 0x26, 0x38, 0xC6, 0x7F, 0xC4, 0x81, 0x57, 0x19,
++ 0x35, 0xC6, 0xF6, 0x1E, 0x90, 0x47, 0x20, 0x55, 0x47, 0x56, 0x26, 0xE9,
++ 0xF2, 0xA8, 0x39, 0x6C, 0xD5, 0xCD, 0xCB, 0x55, 0xFC, 0x0C, 0xC5, 0xCB,
++ 0xF7, 0x40, 0x17, 0x3B, 0xCF, 0xE4, 0x05, 0x03, 0x3B, 0xA0, 0xB2, 0xC9,
++ 0x0D, 0x5E, 0x48, 0x3A, 0xE9, 0xAD, 0x28, 0x71, 0x7D, 0x8F, 0x89, 0x16,
++ 0x59, 0x93, 0x35, 0xDC, 0x4D, 0x7B, 0xDF, 0x84, 0xE4, 0x68, 0xAA, 0x33,
++ 0xAA, 0xDC, 0x66, 0x50, 0xC8, 0xA9, 0x32, 0x12, 0xDC, 0xC6, 0x90, 0x49,
++ 0x0B, 0x75, 0xFF, 0x9B, 0x95, 0x00, 0x9A, 0x90, 0xE0, 0xD4, 0x0E, 0x67,
++ 0xAB, 0x3C, 0x47, 0x36, 0xC5, 0x2E, 0x1C, 0x46, 0xF0, 0x2D, 0xD3, 0x8B,
++ 0x42, 0x08, 0xDE, 0x0D, 0xB6, 0x2C, 0x86, 0xB0, 0x35, 0x71, 0x18, 0x6B,
++ 0x89, 0x67, 0xC0, 0x05, 0xAD, 0xF4, 0x1D, 0x62, 0x4E, 0x75, 0xEC, 0xD6,
++ 0xC2, 0xDB, 0x07, 0xB0, 0xB6, 0x8D, 0x15, 0xAD, 0xCD, 0xBF, 0xF5, 0x60,
++ 0x76, 0xAE, 0x48, 0xB8, 0x77, 0x7F, 0xC5, 0x01, 0xD9, 0x29, 0xBB, 0xD6,
++ 0x17, 0xA2, 0x20, 0x5A, 0xC0, 0x4A, 0x3B, 0x34, 0xC8, 0xB9, 0x39, 0xCF,
++ 0x06, 0x89, 0x95, 0x6F, 0xC7, 0xCA, 0xC4, 0xE4, 0x43, 0xDF, 0x5A, 0x23,
++ 0xE2, 0x89, 0xA3, 0x38, 0x78, 0x31, 0x38, 0xC6, 0xA4, 0x6F, 0x5F, 0x73,
++ 0x5A, 0xE5, 0x9E, 0x09, 0xE7, 0x6F, 0xD4, 0xF8, 0x3E, 0xB7, 0xB0, 0x56,
++ 0x9A, 0xF3, 0x65, 0xF0, 0xC2, 0xA6, 0x8A, 0x08, 0xBA, 0x44, 0xAC, 0x97,
++ 0xDE, 0xB4, 0x16, 0x83, 0xDF, 0xE3, 0xEE, 0x71, 0xFA, 0xF9, 0x51, 0x50,
++ 0x14, 0xDC, 0xFD, 0x6A, 0x82, 0x20, 0x68, 0x64, 0x7D, 0x4E, 0x82, 0x68,
++ 0xD7, 0x45, 0xFA, 0x6A, 0xE4, 0xE5, 0x29, 0x3A, 0x70, 0xFB, 0xE4, 0x62,
++ 0x2B, 0x31, 0xB9, 0x7D
+ };
+
+ static const unsigned char kat_RSA_PSS_SHA384[] = {
+- 0x40, 0xFB, 0xA1, 0x21, 0xF4, 0xB2, 0x40, 0x9A, 0xB4, 0x31, 0xA8, 0xF2,
+- 0xEC, 0x1C, 0xC4, 0xC8, 0x7C, 0x22, 0x65, 0x9C, 0x57, 0x45, 0xCD, 0x5E,
+- 0x86, 0x00, 0xF7, 0x25, 0x78, 0xDE, 0xDC, 0x7A, 0x71, 0x44, 0x9A, 0xCD,
+- 0xAA, 0x25, 0xF4, 0xB2, 0xFC, 0xF0, 0x75, 0xD9, 0x2F, 0x78, 0x23, 0x7F,
+- 0x6F, 0x02, 0xEF, 0xC1, 0xAF, 0xA6, 0x28, 0x16, 0x31, 0xDC, 0x42, 0x6C,
+- 0xB2, 0x44, 0xE5, 0x4D, 0x66, 0xA2, 0xE6, 0x71, 0xF3, 0xAC, 0x4F, 0xFB,
+- 0x91, 0xCA, 0xF5, 0x70, 0xEF, 0x6B, 0x9D, 0xA4, 0xEF, 0xD9, 0x3D, 0x2F,
+- 0x3A, 0xBE, 0x89, 0x38, 0x59, 0x01, 0xBA, 0xDA, 0x32, 0xAD, 0x42, 0x89,
+- 0x98, 0x8B, 0x39, 0x44, 0xF0, 0xFC, 0x38, 0xAC, 0x87, 0x1F, 0xCA, 0x6F,
+- 0x48, 0xF6, 0xAE, 0xD7, 0x45, 0xEE, 0xAE, 0x88, 0x0E, 0x60, 0xF4, 0x55,
+- 0x48, 0x44, 0xEE, 0x1F, 0x90, 0x18, 0x4B, 0xF1
++ 0x99, 0x02, 0xC9, 0x1E, 0x31, 0x82, 0xB4, 0xE6, 0x1B, 0x32, 0xCE, 0x5D,
++ 0x41, 0x1D, 0x00, 0x2F, 0x04, 0x8B, 0xBD, 0x37, 0x79, 0xCF, 0x77, 0x03,
++ 0x05, 0x6A, 0x21, 0xC7, 0x8D, 0x24, 0x60, 0x49, 0x39, 0x58, 0xC5, 0x27,
++ 0x8F, 0xC5, 0x97, 0x4A, 0xB2, 0xE1, 0xD4, 0x36, 0x57, 0xBD, 0x43, 0xCC,
++ 0x7B, 0xCE, 0xF2, 0xA5, 0x30, 0xF8, 0x72, 0x14, 0xBB, 0xD0, 0x9F, 0xC1,
++ 0x49, 0xC8, 0x1C, 0xAF, 0xCD, 0x95, 0x78, 0x72, 0x25, 0xF9, 0x45, 0xC6,
++ 0x5B, 0x62, 0x5E, 0x01, 0xD7, 0x40, 0x5E, 0xC8, 0xCA, 0x0A, 0xF3, 0xBA,
++ 0x08, 0x07, 0x88, 0xCA, 0x49, 0x36, 0x84, 0x7D, 0xF6, 0xFC, 0x5A, 0xDB,
++ 0xFC, 0x50, 0xD3, 0xEB, 0x3D, 0x83, 0xB0, 0xF5, 0x94, 0x5E, 0x88, 0xC3,
++ 0x82, 0xCD, 0x53, 0x40, 0x96, 0x18, 0x6B, 0x4A, 0x6C, 0x9C, 0xFE, 0xE5,
++ 0x3B, 0x75, 0xF9, 0xEB, 0xA5, 0x77, 0x11, 0xEF, 0x88, 0x1C, 0x25, 0x70,
++ 0x7D, 0x88, 0x5D, 0xC3, 0xCA, 0xE1, 0x49, 0x14, 0x90, 0xAD, 0xF2, 0x5E,
++ 0x49, 0xD7, 0x99, 0xA5, 0x7B, 0x77, 0x3B, 0x8E, 0xB8, 0xDB, 0xF1, 0x4C,
++ 0xD6, 0x9A, 0xDC, 0xE5, 0x7A, 0x1C, 0xE1, 0xCE, 0x9D, 0xF1, 0xF3, 0xA0,
++ 0x0A, 0x35, 0x52, 0x9D, 0xB9, 0x46, 0x94, 0x82, 0x0F, 0xF7, 0xB2, 0x62,
++ 0x51, 0x70, 0x75, 0xD2, 0x37, 0x96, 0x67, 0x2F, 0xD0, 0x22, 0xD8, 0x07,
++ 0x8D, 0x69, 0x9E, 0x6D, 0x0B, 0x40, 0x4F, 0x70, 0xEC, 0x0B, 0xCA, 0x88,
++ 0x80, 0x8D, 0x9A, 0xF4, 0xF9, 0x18, 0x50, 0x27, 0x08, 0xFA, 0xCC, 0xC7,
++ 0x3F, 0xE4, 0x84, 0x83, 0xA1, 0xB6, 0x1D, 0x23, 0x34, 0xFE, 0x48, 0xE5,
++ 0xE3, 0xAE, 0x4D, 0x98, 0xBC, 0xA6, 0x8A, 0x9F, 0xFD, 0x4D, 0xDB, 0x9D,
++ 0xF7, 0xEB, 0x4E, 0xB6, 0x6F, 0x25, 0xEA, 0x7A, 0xE9, 0x85, 0xB2, 0xEF,
++ 0x90, 0xD2, 0xA6, 0x2B
+ };
+
+ static const unsigned char kat_RSA_PSS_SHA512[] = {
+- 0x07, 0x1E, 0xD8, 0xD5, 0x05, 0xE8, 0xE6, 0xE6, 0x57, 0xAE, 0x63, 0x8C,
+- 0xC6, 0x83, 0xB7, 0xA0, 0x59, 0xBB, 0xF2, 0xC6, 0x8F, 0x12, 0x53, 0x9A,
+- 0x9B, 0x54, 0x9E, 0xB3, 0xC1, 0x1D, 0x23, 0x4D, 0x51, 0xED, 0x9E, 0xDD,
+- 0x4B, 0xF3, 0x46, 0x9B, 0x6B, 0xF6, 0x7C, 0x24, 0x60, 0x79, 0x23, 0x39,
+- 0x01, 0x1C, 0x51, 0xCB, 0xD8, 0xE9, 0x9A, 0x01, 0x67, 0x5F, 0xFE, 0xD7,
+- 0x7C, 0xE3, 0x7F, 0xED, 0xDB, 0x87, 0xBB, 0xF0, 0x3D, 0x78, 0x55, 0x61,
+- 0x57, 0xE3, 0x0F, 0xE3, 0xD2, 0x9D, 0x0C, 0x2A, 0x20, 0xB0, 0x85, 0x13,
+- 0xC5, 0x47, 0x34, 0x0D, 0x32, 0x15, 0xC8, 0xAE, 0x9A, 0x6A, 0x39, 0x63,
+- 0x2D, 0x60, 0xF5, 0x4C, 0xDF, 0x8A, 0x48, 0x4B, 0xBF, 0xF4, 0xA8, 0xFE,
+- 0x76, 0xF2, 0x32, 0x1B, 0x9C, 0x7C, 0xCA, 0xFE, 0x7F, 0x80, 0xC2, 0x88,
+- 0x5C, 0x97, 0x70, 0xB4, 0x26, 0xC9, 0x14, 0x8B
++ 0x3F, 0x83, 0x43, 0x78, 0x25, 0xBE, 0x81, 0xB2, 0x6E, 0x78, 0x11, 0x32,
++ 0xD0, 0x88, 0x05, 0x53, 0x95, 0xED, 0x81, 0x12, 0xCE, 0x50, 0xD9, 0x06,
++ 0x42, 0x89, 0xA0, 0x55, 0x7A, 0x05, 0x13, 0x94, 0x35, 0x9B, 0xCA, 0x5D,
++ 0xCB, 0xB2, 0x32, 0xE1, 0x04, 0x99, 0xEC, 0xE7, 0xA6, 0x69, 0x4D, 0x2B,
++ 0xC1, 0x57, 0x13, 0x48, 0x0D, 0x6B, 0x4D, 0x83, 0x28, 0x06, 0x79, 0x9D,
++ 0xB4, 0x70, 0xCE, 0xC0, 0xFC, 0x3B, 0x69, 0xB3, 0x91, 0x54, 0xA9, 0x44,
++ 0x2E, 0xDA, 0x4A, 0xC5, 0xC2, 0x99, 0xF0, 0xDE, 0xCA, 0x77, 0x99, 0x6B,
++ 0x0C, 0x79, 0xE5, 0x29, 0x74, 0x83, 0x69, 0xEA, 0xB8, 0x72, 0x30, 0x3D,
++ 0x7A, 0x30, 0xE1, 0x03, 0x7B, 0x09, 0xE6, 0x11, 0xC0, 0xDC, 0xFF, 0xFD,
++ 0xBD, 0xEC, 0x9C, 0xCC, 0x46, 0x7B, 0x4C, 0x4C, 0x59, 0xBE, 0x82, 0x7C,
++ 0xF5, 0x60, 0x5A, 0xC3, 0xE8, 0xA8, 0x8A, 0x38, 0x9E, 0x01, 0x57, 0xF1,
++ 0x79, 0x3A, 0x7C, 0xA3, 0x9F, 0x12, 0x1A, 0x4F, 0x2E, 0xA2, 0xE5, 0x0A,
++ 0xAB, 0xC0, 0xF4, 0xA5, 0xE3, 0x5F, 0x89, 0x1C, 0x8F, 0xA4, 0x5E, 0xCE,
++ 0x0D, 0x91, 0x05, 0x1B, 0x17, 0x62, 0x48, 0xFE, 0xA5, 0x4C, 0xEF, 0x2D,
++ 0x28, 0xF1, 0x5E, 0xE6, 0xD1, 0x30, 0x89, 0x0A, 0xAD, 0x18, 0xAF, 0x6F,
++ 0x04, 0x09, 0x36, 0x9A, 0xFF, 0xCA, 0xA1, 0xA7, 0x05, 0x7F, 0xD4, 0xBF,
++ 0x3A, 0xB5, 0x42, 0x6D, 0xE9, 0x07, 0x29, 0x65, 0x8B, 0xAD, 0x4D, 0x0F,
++ 0x22, 0xE1, 0x59, 0x43, 0x68, 0x87, 0xA8, 0x8B, 0xBC, 0x69, 0xA1, 0x94,
++ 0x22, 0x3E, 0x8A, 0x49, 0xE8, 0xA3, 0x6F, 0xC2, 0x93, 0x58, 0xE7, 0xAE,
++ 0xC9, 0x1F, 0xCF, 0x61, 0x93, 0xFC, 0xC1, 0xF6, 0xF3, 0x27, 0x7F, 0x0A,
++ 0x90, 0xE0, 0x65, 0x32, 0x57, 0x47, 0xE2, 0xED, 0x08, 0x59, 0xA6, 0xF0,
++ 0x17, 0x2C, 0x13, 0xE0
+ };
+
+ static const unsigned char kat_RSA_SHA1[] = {
+- 0x71, 0xEE, 0x1A, 0xC0, 0xFE, 0x01, 0x93, 0x54, 0x79, 0x5C, 0xF2, 0x4C,
+- 0x4A, 0xFD, 0x1A, 0x05, 0x8F, 0x64, 0xB1, 0x6D, 0x61, 0x33, 0x8D, 0x9B,
+- 0xE7, 0xFD, 0x60, 0xA3, 0x83, 0xB5, 0xA3, 0x51, 0x55, 0x77, 0x90, 0xCF,
+- 0xDC, 0x22, 0x37, 0x8E, 0xD0, 0xE1, 0xAE, 0x09, 0xE3, 0x3D, 0x1E, 0xF8,
+- 0x80, 0xD1, 0x8B, 0xC2, 0xEC, 0x0A, 0xD7, 0x6B, 0x88, 0x8B, 0x8B, 0xA1,
+- 0x20, 0x22, 0xBE, 0x59, 0x5B, 0xE0, 0x23, 0x24, 0xA1, 0x49, 0x30, 0xBA,
+- 0xA9, 0x9E, 0xE8, 0xB1, 0x8A, 0x62, 0x16, 0xBF, 0x4E, 0xCA, 0x2E, 0x4E,
+- 0xBC, 0x29, 0xA8, 0x67, 0x13, 0xB7, 0x9F, 0x1D, 0x04, 0x44, 0xE5, 0x5F,
+- 0x35, 0x07, 0x11, 0xBC, 0xED, 0x19, 0x37, 0x21, 0xCF, 0x23, 0x48, 0x1F,
+- 0x72, 0x05, 0xDE, 0xE6, 0xE8, 0x7F, 0x33, 0x8A, 0x76, 0x4B, 0x2F, 0x95,
+- 0xDF, 0xF1, 0x5F, 0x84, 0x80, 0xD9, 0x46, 0xB4
++ 0x3B, 0x60, 0x4B, 0xFC, 0x54, 0x28, 0x23, 0xE6, 0x2F, 0x05, 0x04, 0xBA,
++ 0x9D, 0xE4, 0x3C, 0xB8, 0x5B, 0x60, 0x5C, 0xCD, 0x9D, 0xEA, 0xC3, 0x4C,
++ 0xC2, 0x33, 0xE6, 0xC6, 0x21, 0x48, 0x76, 0xEC, 0xB2, 0xF5, 0x11, 0xDE,
++ 0x44, 0xB4, 0xAF, 0x16, 0x11, 0xC3, 0x18, 0x16, 0xB3, 0x69, 0xBB, 0x94,
++ 0xED, 0xE8, 0xB3, 0x9E, 0xB1, 0x43, 0x8E, 0xCE, 0xB4, 0x34, 0x9B, 0x08,
++ 0x22, 0xAF, 0x31, 0x73, 0xB5, 0xFA, 0x11, 0x7E, 0x8F, 0x13, 0x52, 0xEC,
++ 0xC9, 0x03, 0xEE, 0x0D, 0x2B, 0x91, 0x32, 0xF2, 0x8E, 0xDF, 0x02, 0xE0,
++ 0x0A, 0x47, 0xD2, 0x0A, 0x51, 0x00, 0x1A, 0x30, 0x6F, 0x0C, 0xB3, 0x54,
++ 0x64, 0x20, 0x90, 0x0C, 0x01, 0xBE, 0xC0, 0x42, 0x8C, 0x5D, 0x18, 0x6F,
++ 0x32, 0x75, 0x45, 0x7B, 0x1C, 0x04, 0xA2, 0x9F, 0x84, 0xD7, 0xF5, 0x3A,
++ 0x95, 0xD4, 0xE8, 0x8D, 0xEC, 0x99, 0xEF, 0x18, 0x5E, 0x64, 0xD3, 0xAF,
++ 0xF8, 0xD4, 0xFF, 0x3C, 0x87, 0xA0, 0x3F, 0xC7, 0x22, 0x05, 0xFD, 0xFD,
++ 0x29, 0x8A, 0x28, 0xDA, 0xA9, 0x8A, 0x8B, 0x23, 0x62, 0x9D, 0x42, 0xB8,
++ 0x4A, 0x76, 0x0D, 0x9F, 0x9A, 0xE0, 0xE6, 0xDD, 0xAD, 0x5E, 0x5F, 0xD5,
++ 0x32, 0xE9, 0x4B, 0x97, 0x7D, 0x62, 0x0A, 0xB3, 0xBE, 0xF2, 0x8C, 0x1F,
++ 0x2B, 0x22, 0x06, 0x15, 0x33, 0x71, 0xED, 0x9B, 0xA0, 0x82, 0xCE, 0xBF,
++ 0x3B, 0x08, 0x5F, 0xA7, 0x20, 0x94, 0x09, 0xEB, 0x82, 0xA5, 0x41, 0x60,
++ 0xF1, 0x08, 0xEB, 0x8D, 0xCC, 0x8D, 0xC9, 0x52, 0x0A, 0xAF, 0xF4, 0xF9,
++ 0x9F, 0x82, 0xD8, 0x0B, 0x75, 0x5E, 0xE4, 0xAF, 0x65, 0x96, 0xAF, 0xFC,
++ 0x33, 0xBF, 0x9F, 0x3E, 0xA4, 0x7B, 0x86, 0xC7, 0xF7, 0x47, 0xAB, 0x37,
++ 0x05, 0xD6, 0x0D, 0x31, 0x72, 0x8C, 0x80, 0x1E, 0xA9, 0x54, 0xFC, 0xDF,
++ 0x27, 0x90, 0xE2, 0x01
+ };
+
+ static const unsigned char kat_RSA_SHA224[] = {
+- 0x62, 0xAA, 0x79, 0xA9, 0x18, 0x0E, 0x5F, 0x8C, 0xBB, 0xB7, 0x15, 0xF9,
+- 0x25, 0xBB, 0xFA, 0xD4, 0x3A, 0x34, 0xED, 0x9E, 0xA0, 0xA9, 0x18, 0x8D,
+- 0x5B, 0x55, 0x9A, 0x7E, 0x1E, 0x08, 0x08, 0x60, 0xC5, 0x1A, 0xC5, 0x89,
+- 0x08, 0xE2, 0x1B, 0xBD, 0x62, 0x50, 0x17, 0x76, 0x30, 0x2C, 0x9E, 0xCD,
+- 0xA4, 0x02, 0xAD, 0xB1, 0x6D, 0x44, 0x6D, 0xD5, 0xC6, 0x45, 0x41, 0xE5,
+- 0xEE, 0x1F, 0x8D, 0x7E, 0x08, 0x16, 0xA6, 0xE1, 0x5E, 0x0B, 0xA9, 0xCC,
+- 0xDB, 0x59, 0x55, 0x87, 0x09, 0x25, 0x70, 0x86, 0x84, 0x02, 0xC6, 0x3B,
+- 0x0B, 0x44, 0x4C, 0x46, 0x95, 0xF4, 0xF8, 0x5A, 0x91, 0x28, 0x3E, 0xB2,
+- 0x58, 0x2E, 0x06, 0x45, 0x49, 0xE0, 0x92, 0xE2, 0xC0, 0x66, 0xE6, 0x35,
+- 0xD9, 0x79, 0x7F, 0x17, 0x5E, 0x02, 0x73, 0x04, 0x77, 0x82, 0xE6, 0xDC,
+- 0x40, 0x21, 0x89, 0x8B, 0x37, 0x3E, 0x1E, 0x8D
++ 0xA2, 0xD8, 0x42, 0x53, 0xDD, 0xBF, 0x1F, 0x6B, 0x07, 0xE0, 0x60, 0x86,
++ 0x5A, 0x60, 0x06, 0x8F, 0x44, 0xD9, 0xB0, 0x4A, 0xAA, 0x90, 0x71, 0xB8,
++ 0xB2, 0xBC, 0x30, 0x41, 0x50, 0xBB, 0xFD, 0x46, 0x98, 0x4D, 0xC0, 0x89,
++ 0x57, 0x85, 0x8A, 0x97, 0x49, 0x25, 0xA8, 0x0C, 0x69, 0x70, 0x19, 0x39,
++ 0x66, 0x24, 0xB4, 0x69, 0x47, 0xD2, 0x7C, 0xDE, 0x2D, 0x37, 0x59, 0xB3,
++ 0xE3, 0xC7, 0x6B, 0xDD, 0xBE, 0xE1, 0xE6, 0x28, 0x9A, 0x8D, 0x42, 0x3E,
++ 0x28, 0x01, 0xD7, 0x03, 0xC9, 0x73, 0xC3, 0x6B, 0x03, 0xEC, 0x1E, 0xF8,
++ 0x53, 0x8B, 0x52, 0x42, 0x89, 0x55, 0xB7, 0x87, 0xA9, 0x94, 0xC2, 0xB4,
++ 0x4B, 0x76, 0xF5, 0x61, 0x47, 0xE1, 0x44, 0x7B, 0xEC, 0xB4, 0x25, 0x66,
++ 0xC0, 0xFF, 0xEB, 0x86, 0x24, 0xAA, 0xA8, 0x72, 0xC7, 0xFB, 0xFB, 0xF6,
++ 0x84, 0xA7, 0x5B, 0xD4, 0x87, 0xE5, 0x84, 0x56, 0x1E, 0x4C, 0xE5, 0xBC,
++ 0x87, 0x94, 0xAC, 0x9C, 0x1B, 0x3D, 0xF7, 0xD4, 0x36, 0x85, 0x9F, 0xC9,
++ 0xF6, 0x43, 0x3F, 0xB6, 0x25, 0x33, 0x48, 0x0F, 0xE5, 0x7C, 0xCD, 0x53,
++ 0x48, 0xEB, 0x02, 0x11, 0xB9, 0x9E, 0xC3, 0xB4, 0xE1, 0x54, 0xD6, 0xAA,
++ 0x1A, 0x9E, 0x10, 0xE1, 0x27, 0x25, 0xF2, 0xE1, 0xAB, 0xAB, 0x6C, 0x45,
++ 0x61, 0xD5, 0xA3, 0x6C, 0xB6, 0x33, 0x52, 0xAE, 0x3D, 0xFD, 0x22, 0xFC,
++ 0x3A, 0xAB, 0x63, 0x94, 0xB5, 0x3A, 0x69, 0x11, 0xAC, 0x99, 0x4F, 0x33,
++ 0x67, 0x0A, 0x1A, 0x70, 0x1E, 0xB9, 0xE2, 0x26, 0x27, 0x68, 0xEA, 0xF5,
++ 0x97, 0x55, 0xAC, 0x83, 0x6A, 0x40, 0x3B, 0x56, 0xAE, 0x13, 0x88, 0xE8,
++ 0x98, 0x72, 0x52, 0x91, 0x7F, 0x78, 0x0A, 0x18, 0xD4, 0x44, 0x78, 0x83,
++ 0x0D, 0x44, 0x77, 0xA6, 0xF3, 0x04, 0xF1, 0x8C, 0xBC, 0x2F, 0xF9, 0x5B,
++ 0xDB, 0x70, 0x00, 0xF6
+ };
+
+ static const unsigned char kat_RSA_SHA256[] = {
+- 0x0D, 0x55, 0xE2, 0xAA, 0x81, 0xDB, 0x8E, 0x82, 0x05, 0x17, 0xA5, 0x23,
+- 0xE7, 0x3B, 0x1D, 0xAF, 0xFB, 0x8C, 0xD0, 0x81, 0x20, 0x7B, 0xAA, 0x23,
+- 0x92, 0x87, 0x8C, 0xD1, 0x53, 0x85, 0x16, 0xDC, 0xBE, 0xAD, 0x6F, 0x35,
+- 0x98, 0x2D, 0x69, 0x84, 0xBF, 0xD9, 0x8A, 0x01, 0x17, 0x58, 0xB2, 0x6E,
+- 0x2C, 0x44, 0x9B, 0x90, 0xF1, 0xFB, 0x51, 0xE8, 0x6A, 0x90, 0x2D, 0x18,
+- 0x0E, 0xC0, 0x90, 0x10, 0x24, 0xA9, 0x1D, 0xB3, 0x58, 0x7A, 0x91, 0x30,
+- 0xBE, 0x22, 0xC7, 0xD3, 0xEC, 0xC3, 0x09, 0x5D, 0xBF, 0xE2, 0x80, 0x3A,
+- 0x7C, 0x85, 0xB4, 0xBC, 0xD1, 0xE9, 0xF0, 0x5C, 0xDE, 0x81, 0xA6, 0x38,
+- 0xB8, 0x42, 0xBB, 0x86, 0xC5, 0x9D, 0xCE, 0x7C, 0x2C, 0xEE, 0xD1, 0xDA,
+- 0x27, 0x48, 0x2B, 0xF5, 0xAB, 0xB9, 0xF7, 0x80, 0xD1, 0x90, 0x27, 0x90,
+- 0xBD, 0x44, 0x97, 0x60, 0xCD, 0x57, 0xC0, 0x7A
++ 0xC2, 0xB1, 0x97, 0x00, 0x9A, 0xE5, 0x80, 0x6A, 0xE2, 0x51, 0x68, 0xB9,
++ 0x7A, 0x0C, 0xF2, 0xB4, 0x77, 0xED, 0x15, 0x0C, 0x4E, 0xE1, 0xDC, 0xFF,
++ 0x8E, 0xBC, 0xDE, 0xC7, 0x9A, 0x96, 0xF1, 0x47, 0x45, 0x24, 0x9D, 0x6F,
++ 0xA6, 0xF3, 0x1D, 0x0D, 0x35, 0x4C, 0x1A, 0xF3, 0x58, 0x2C, 0x6C, 0x06,
++ 0xD6, 0x22, 0x37, 0x77, 0x8C, 0x33, 0xE5, 0x07, 0x53, 0x93, 0x28, 0xCF,
++ 0x67, 0xFA, 0xC4, 0x1F, 0x1B, 0x24, 0xDB, 0x4C, 0xC5, 0x2A, 0x51, 0xA2,
++ 0x60, 0x15, 0x8C, 0x54, 0xB4, 0x30, 0xE2, 0x24, 0x47, 0x86, 0xF2, 0xF8,
++ 0x6C, 0xD6, 0x12, 0x59, 0x2C, 0x74, 0x9A, 0x37, 0xF3, 0xC4, 0xA2, 0xD5,
++ 0x4E, 0x1F, 0x77, 0xF0, 0x27, 0xCE, 0x77, 0xF8, 0x4A, 0x79, 0x03, 0xBE,
++ 0xC8, 0x06, 0x2D, 0xA7, 0xA6, 0x46, 0xF5, 0x55, 0x79, 0xD7, 0x5C, 0xC6,
++ 0x5B, 0xB1, 0x00, 0x4E, 0x7C, 0xD9, 0x11, 0x85, 0xE0, 0xB1, 0x4D, 0x2D,
++ 0x13, 0xD7, 0xAC, 0xEA, 0x64, 0xD1, 0xAC, 0x8F, 0x8D, 0x8F, 0xEA, 0x42,
++ 0x7F, 0xF9, 0xB7, 0x7D, 0x2C, 0x68, 0x49, 0x07, 0x7A, 0x74, 0xEF, 0xB4,
++ 0xC9, 0x97, 0x16, 0x5C, 0x6C, 0x6E, 0x5C, 0x09, 0x2E, 0x8E, 0x13, 0x2E,
++ 0x1A, 0x8D, 0xA6, 0x0C, 0x6E, 0x0C, 0x1C, 0x0F, 0xCC, 0xB2, 0x78, 0x8A,
++ 0x07, 0xFC, 0x5C, 0xC2, 0xF5, 0x65, 0xEC, 0xAB, 0x8B, 0x3C, 0xCA, 0x91,
++ 0x6F, 0x84, 0x7C, 0x21, 0x0E, 0xB8, 0xDA, 0x7B, 0x6C, 0xF7, 0xDF, 0xAB,
++ 0x7E, 0x15, 0xFD, 0x85, 0x0B, 0x33, 0x9B, 0x6A, 0x3A, 0xC3, 0xEF, 0x65,
++ 0x04, 0x6E, 0xB2, 0xAC, 0x98, 0xFD, 0xEB, 0x02, 0xF5, 0xC0, 0x0B, 0x5E,
++ 0xCB, 0xD4, 0x83, 0x82, 0x18, 0x1B, 0xDA, 0xB4, 0xCD, 0xE8, 0x71, 0x6B,
++ 0x1D, 0xB5, 0x4F, 0xE9, 0xD6, 0x43, 0xA0, 0x0A, 0x14, 0xA0, 0xE7, 0x5D,
++ 0x47, 0x9D, 0x18, 0xD7
+ };
+
+ static const unsigned char kat_RSA_SHA384[] = {
+- 0x1D, 0xE3, 0x6A, 0xDD, 0x27, 0x4C, 0xC0, 0xA5, 0x27, 0xEF, 0xE6, 0x1F,
+- 0xD2, 0x91, 0x68, 0x59, 0x04, 0xAE, 0xBD, 0x99, 0x63, 0x56, 0x47, 0xC7,
+- 0x6F, 0x22, 0x16, 0x48, 0xD0, 0xF9, 0x18, 0xA9, 0xCA, 0xFA, 0x5D, 0x5C,
+- 0xA7, 0x65, 0x52, 0x8A, 0xC8, 0x44, 0x7E, 0x86, 0x5D, 0xA9, 0xA6, 0x55,
+- 0x65, 0x3E, 0xD9, 0x2D, 0x02, 0x38, 0xA8, 0x79, 0x28, 0x7F, 0xB6, 0xCF,
+- 0x82, 0xDD, 0x7E, 0x55, 0xE1, 0xB1, 0xBC, 0xE2, 0x19, 0x2B, 0x30, 0xC2,
+- 0x1B, 0x2B, 0xB0, 0x82, 0x46, 0xAC, 0x4B, 0xD1, 0xE2, 0x7D, 0xEB, 0x8C,
+- 0xFF, 0x95, 0xE9, 0x6A, 0x1C, 0x3D, 0x4D, 0xBF, 0x8F, 0x8B, 0x9C, 0xCD,
+- 0xEA, 0x85, 0xEE, 0x00, 0xDC, 0x1C, 0xA7, 0xEB, 0xD0, 0x8F, 0x99, 0xF1,
+- 0x16, 0x28, 0x24, 0x64, 0x04, 0x39, 0x2D, 0x58, 0x1E, 0x37, 0xDC, 0x04,
+- 0xBD, 0x31, 0xA2, 0x2F, 0xB3, 0x35, 0x56, 0xBF
++ 0x11, 0x5E, 0x63, 0xFE, 0x47, 0xAA, 0x6A, 0x84, 0xEB, 0x44, 0x9A, 0x00,
++ 0x96, 0x4A, 0xED, 0xD2, 0xA7, 0x67, 0x3A, 0x64, 0x82, 0x30, 0x61, 0x2D,
++ 0xE3, 0xF5, 0x49, 0x68, 0x5E, 0x60, 0xD2, 0x4D, 0xEF, 0xF2, 0xA4, 0xB2,
++ 0x9A, 0x81, 0x1D, 0x41, 0xA5, 0x73, 0x59, 0xEB, 0xBB, 0xC4, 0x9E, 0x2B,
++ 0xEB, 0xC3, 0xDE, 0x3A, 0xEA, 0xF5, 0xAD, 0xDA, 0x87, 0x08, 0x68, 0xCF,
++ 0x12, 0x9B, 0xC1, 0xE4, 0xA7, 0x71, 0xF8, 0xBD, 0x6B, 0x6F, 0x50, 0xF1,
++ 0xD1, 0xFF, 0xCE, 0x6C, 0xD9, 0xBE, 0xDA, 0x76, 0xF3, 0xEB, 0xAB, 0x9C,
++ 0x41, 0x6E, 0x4F, 0x35, 0x7A, 0x61, 0x27, 0xBC, 0x03, 0x3E, 0xAE, 0x3E,
++ 0x1B, 0xDD, 0xAC, 0xD9, 0x1A, 0xFF, 0xD3, 0xF5, 0x66, 0x43, 0x07, 0x76,
++ 0x8A, 0x69, 0x2D, 0x14, 0xB1, 0xBE, 0x55, 0x49, 0x90, 0x89, 0x4B, 0xC4,
++ 0x11, 0x67, 0xD5, 0x9D, 0xB0, 0xB2, 0xEE, 0x8D, 0x0A, 0x47, 0x4A, 0xD9,
++ 0x0E, 0xD1, 0x24, 0xF0, 0x30, 0x2B, 0xF2, 0x79, 0x47, 0xDB, 0x70, 0xB4,
++ 0x46, 0xF2, 0xF8, 0xB7, 0xB4, 0xF6, 0x34, 0x79, 0xA8, 0x2D, 0x3D, 0x56,
++ 0xD5, 0x9A, 0x60, 0x7A, 0x04, 0xC7, 0x66, 0x1D, 0xCD, 0x3C, 0xD5, 0x39,
++ 0x37, 0x12, 0x51, 0x5E, 0x9F, 0xF8, 0x1A, 0xAF, 0x13, 0xC1, 0x13, 0x00,
++ 0x35, 0xD5, 0x8D, 0x17, 0xE3, 0x02, 0x28, 0xD9, 0xEC, 0xDE, 0xD1, 0x2F,
++ 0x93, 0x49, 0x03, 0x11, 0x3E, 0x56, 0x9D, 0xC2, 0x31, 0xF8, 0xAF, 0x2D,
++ 0xD9, 0x99, 0xB7, 0x8A, 0xAC, 0x5A, 0x86, 0x20, 0x3A, 0x83, 0x29, 0x26,
++ 0x9D, 0x03, 0x52, 0x2B, 0x34, 0x56, 0x40, 0x16, 0x53, 0x50, 0x82, 0xC9,
++ 0xC7, 0xD5, 0x51, 0x4C, 0xED, 0xB3, 0xE2, 0xE1, 0xCF, 0xA8, 0xCE, 0xBD,
++ 0xB1, 0x48, 0xA6, 0x8A, 0x79, 0x17, 0x55, 0x11, 0xEF, 0xE8, 0x14, 0xF4,
++ 0x7E, 0x37, 0x1D, 0x96
+ };
+
+ static const unsigned char kat_RSA_SHA512[] = {
+- 0x69, 0x52, 0x1B, 0x51, 0x5E, 0x06, 0xCA, 0x9B, 0x16, 0x51, 0x5D, 0xCF,
+- 0x49, 0x25, 0x4A, 0xA1, 0x6A, 0x77, 0x4C, 0x36, 0x40, 0xF8, 0xB2, 0x9A,
+- 0x15, 0xEA, 0x5C, 0xE5, 0xE6, 0x82, 0xE0, 0x86, 0x82, 0x6B, 0x32, 0xF1,
+- 0x04, 0xC1, 0x5A, 0x1A, 0xED, 0x1E, 0x9A, 0xB6, 0x4C, 0x54, 0x9F, 0xD8,
+- 0x8D, 0xCC, 0xAC, 0x8A, 0xBB, 0x9C, 0x82, 0x3F, 0xA6, 0x53, 0x62, 0xB5,
+- 0x80, 0xE2, 0xBC, 0xDD, 0x67, 0x2B, 0xD9, 0x3F, 0xE4, 0x75, 0x92, 0x6B,
+- 0xAF, 0x62, 0x7C, 0x52, 0xF0, 0xEE, 0x33, 0xDF, 0x1B, 0x1D, 0x47, 0xE6,
+- 0x59, 0x56, 0xA5, 0xB9, 0x5C, 0xE6, 0x77, 0x78, 0x16, 0x63, 0x84, 0x05,
+- 0x6F, 0x0E, 0x2B, 0x31, 0x9D, 0xF7, 0x7F, 0xB2, 0x64, 0x71, 0xE0, 0x2D,
+- 0x3E, 0x62, 0xCE, 0xB5, 0x3F, 0x88, 0xDF, 0x2D, 0xAB, 0x98, 0x65, 0x91,
+- 0xDF, 0x70, 0x14, 0xA5, 0x3F, 0x36, 0xAB, 0x84
++ 0x35, 0x6D, 0xF1, 0x9E, 0xCF, 0xB1, 0xF6, 0x0C, 0x04, 0x21, 0x17, 0xB3,
++ 0xC4, 0x9D, 0xFE, 0x62, 0x1C, 0x1A, 0x45, 0x00, 0x2E, 0x6B, 0xB6, 0x9F,
++ 0x5C, 0xB1, 0xCB, 0xCF, 0xF9, 0x67, 0xEA, 0x62, 0x8A, 0xEB, 0x77, 0x02,
++ 0x42, 0x30, 0x88, 0xB1, 0x48, 0xDF, 0x12, 0x60, 0x6E, 0x92, 0xBB, 0x4B,
++ 0x09, 0x68, 0xD1, 0x70, 0x2B, 0x59, 0xEE, 0x57, 0x96, 0xF9, 0xEA, 0xA3,
++ 0x4C, 0xE9, 0xC9, 0xBD, 0x25, 0x34, 0x66, 0x15, 0x6C, 0xC9, 0x81, 0xD1,
++ 0x48, 0x0F, 0x33, 0x5F, 0x05, 0x4F, 0xC2, 0xC4, 0xDD, 0x09, 0x54, 0x79,
++ 0xA1, 0x57, 0x07, 0x70, 0xA0, 0x33, 0x02, 0x4D, 0x5D, 0xE9, 0x24, 0xD1,
++ 0xEF, 0xF0, 0x61, 0xD0, 0x1D, 0x41, 0xE2, 0x9B, 0x2B, 0x7C, 0xD0, 0x4E,
++ 0x55, 0xD9, 0x6D, 0xA1, 0x16, 0x9F, 0xDA, 0xC3, 0x3B, 0xF1, 0x74, 0xD1,
++ 0x99, 0xF1, 0x63, 0x57, 0xAD, 0xC7, 0x55, 0xF4, 0x97, 0x43, 0x1C, 0xED,
++ 0x1B, 0x7A, 0x32, 0xCB, 0x24, 0xA6, 0x3D, 0x93, 0x37, 0x90, 0x74, 0xEE,
++ 0xD2, 0x8D, 0x4B, 0xBC, 0x72, 0xDA, 0x25, 0x2B, 0x64, 0xE9, 0xCA, 0x69,
++ 0x36, 0xB6, 0xEC, 0x6E, 0x8F, 0x33, 0x0E, 0x74, 0x40, 0x48, 0x51, 0xE2,
++ 0x54, 0x6F, 0xAF, 0x6E, 0x36, 0x54, 0x3A, 0xEC, 0x78, 0x37, 0xE6, 0x1F,
++ 0x76, 0xA5, 0x4D, 0xA6, 0xD9, 0xB3, 0x6B, 0x17, 0x6D, 0x61, 0xFC, 0xA3,
++ 0x85, 0x4A, 0xCC, 0xDA, 0x52, 0xAC, 0x5B, 0xDA, 0x51, 0xE5, 0x7F, 0x5B,
++ 0x52, 0x8B, 0x74, 0x75, 0x99, 0x5C, 0x01, 0xFD, 0x25, 0x3E, 0xCD, 0x86,
++ 0x6F, 0x7A, 0xC0, 0xD8, 0x17, 0x6F, 0xD1, 0xD2, 0x6B, 0xAB, 0x14, 0x1F,
++ 0x3B, 0xB8, 0x15, 0x05, 0x86, 0x40, 0x36, 0xCF, 0xDA, 0x59, 0x2B, 0x9A,
++ 0xE9, 0x1E, 0x6E, 0xD3, 0x6B, 0xA1, 0x19, 0xC5, 0xE6, 0x3F, 0xE9, 0x2E,
++ 0x43, 0xA8, 0x34, 0x0A
+ };
+
+-static const unsigned char kat_RSA_X931_SHA1[] = {
+- 0x86, 0xB4, 0x18, 0xBA, 0xD1, 0x80, 0xB6, 0x7C, 0x42, 0x45, 0x4D, 0xDF,
+- 0xE9, 0x2D, 0xE1, 0x83, 0x5F, 0xB5, 0x2F, 0xC9, 0xCD, 0xC4, 0xB2, 0x75,
+- 0x80, 0xA4, 0xF1, 0x4A, 0xE7, 0x83, 0x12, 0x1E, 0x1E, 0x14, 0xB8, 0xAC,
+- 0x35, 0xE2, 0xAA, 0x0B, 0x5C, 0xF8, 0x38, 0x4D, 0x04, 0xEE, 0xA9, 0x97,
+- 0x70, 0xFB, 0x5E, 0xE7, 0xB7, 0xE3, 0x62, 0x23, 0x4B, 0x38, 0xBE, 0xD6,
+- 0x53, 0x15, 0xF7, 0xDF, 0x87, 0xB4, 0x0E, 0xCC, 0xB1, 0x1A, 0x11, 0x19,
+- 0xEE, 0x51, 0xCC, 0x92, 0xDD, 0xBC, 0x63, 0x29, 0x63, 0x0C, 0x59, 0xD7,
+- 0x6F, 0x4C, 0x3C, 0x37, 0x5B, 0x37, 0x03, 0x61, 0x7D, 0x24, 0x1C, 0x99,
+- 0x48, 0xAF, 0x82, 0xFE, 0x32, 0x41, 0x9B, 0xB2, 0xDB, 0xEA, 0xED, 0x76,
+- 0x8E, 0x6E, 0xCA, 0x7E, 0x4E, 0x14, 0xBA, 0x30, 0x84, 0x1C, 0xB3, 0x67,
+- 0xA3, 0x29, 0x80, 0x70, 0x54, 0x68, 0x7D, 0x49
+-};
++static int fips_rsa_encrypt_test(RSA *rsa, const unsigned char *plaintext,
++ int ptlen)
++{
++ unsigned char *ctbuf = NULL, *ptbuf = NULL;
++ int ret = 0;
++ int len;
+
+-static const unsigned char kat_RSA_X931_SHA256[] = {
+- 0x7E, 0xA2, 0x77, 0xFE, 0xB8, 0x54, 0x8A, 0xC7, 0x7F, 0x64, 0x54, 0x89,
+- 0xE5, 0x52, 0x15, 0x8E, 0x52, 0x96, 0x4E, 0xA6, 0x58, 0x92, 0x1C, 0xDD,
+- 0xEA, 0xA2, 0x2D, 0x5C, 0xD1, 0x62, 0x00, 0x49, 0x05, 0x95, 0x73, 0xCF,
+- 0x16, 0x76, 0x68, 0xF6, 0xC6, 0x5E, 0x80, 0xB8, 0xB8, 0x7B, 0xC8, 0x9B,
+- 0xC6, 0x53, 0x88, 0x26, 0x20, 0x88, 0x73, 0xB6, 0x13, 0xB8, 0xF0, 0x4B,
+- 0x00, 0x85, 0xF3, 0xDD, 0x07, 0x50, 0xEB, 0x20, 0xC4, 0x38, 0x0E, 0x98,
+- 0xAD, 0x4E, 0x49, 0x2C, 0xD7, 0x65, 0xA5, 0x19, 0x0E, 0x59, 0x01, 0xEC,
+- 0x7E, 0x75, 0x89, 0x69, 0x2E, 0x63, 0x76, 0x85, 0x46, 0x8D, 0xA0, 0x8C,
+- 0x33, 0x1D, 0x82, 0x8C, 0x03, 0xEA, 0x69, 0x88, 0x35, 0xA1, 0x42, 0xBD,
+- 0x21, 0xED, 0x8D, 0xBC, 0xBC, 0xDB, 0x30, 0xFF, 0x86, 0xF0, 0x5B, 0xDC,
+- 0xE3, 0xE2, 0xE8, 0x0A, 0x0A, 0x29, 0x94, 0x80
+-};
++ ctbuf = OPENSSL_malloc(RSA_size(rsa));
++ if (!ctbuf)
++ goto err;
+
+-static const unsigned char kat_RSA_X931_SHA384[] = {
+- 0x5C, 0x7D, 0x96, 0x35, 0xEC, 0x7E, 0x11, 0x38, 0xBB, 0x7B, 0xEC, 0x7B,
+- 0xF2, 0x82, 0x8E, 0x99, 0xBD, 0xEF, 0xD8, 0xAE, 0xD7, 0x39, 0x37, 0xCB,
+- 0xE6, 0x4F, 0x5E, 0x0A, 0x13, 0xE4, 0x2E, 0x40, 0xB9, 0xBE, 0x2E, 0xE3,
+- 0xEF, 0x78, 0x83, 0x18, 0x44, 0x35, 0x9C, 0x8E, 0xD7, 0x4A, 0x63, 0xF6,
+- 0x57, 0xC2, 0xB0, 0x08, 0x51, 0x73, 0xCF, 0xCA, 0x99, 0x66, 0xEE, 0x31,
+- 0xD8, 0x69, 0xE9, 0xAB, 0x13, 0x27, 0x7B, 0x41, 0x1E, 0x6D, 0x8D, 0xF1,
+- 0x3E, 0x9C, 0x35, 0x95, 0x58, 0xDD, 0x2B, 0xD5, 0xA0, 0x60, 0x41, 0x79,
+- 0x24, 0x22, 0xE4, 0xB7, 0xBF, 0x47, 0x53, 0xF6, 0x34, 0xD5, 0x7C, 0xFF,
+- 0x0E, 0x09, 0xEE, 0x2E, 0xE2, 0x37, 0xB9, 0xDE, 0xC5, 0x12, 0x44, 0x35,
+- 0xEF, 0x01, 0xE6, 0x5E, 0x39, 0x31, 0x2D, 0x71, 0xA5, 0xDC, 0xC6, 0x6D,
+- 0xE2, 0xCD, 0x85, 0xDB, 0x73, 0x82, 0x65, 0x28
+-};
++ len = RSA_public_encrypt(ptlen, plaintext, ctbuf, rsa, RSA_PKCS1_PADDING);
++ if (len <= 0)
++ goto err;
++ /* Check ciphertext doesn't match plaintext */
++ if (len >= ptlen && !memcmp(plaintext, ctbuf, ptlen))
++ goto err;
+
+-static const unsigned char kat_RSA_X931_SHA512[] = {
+- 0xA6, 0x65, 0xA2, 0x77, 0x4F, 0xB3, 0x86, 0xCB, 0x64, 0x3A, 0xC1, 0x63,
+- 0xFC, 0xA1, 0xAA, 0xCB, 0x9B, 0x79, 0xDD, 0x4B, 0xE1, 0xD9, 0xDA, 0xAC,
+- 0xE7, 0x47, 0x09, 0xB2, 0x11, 0x4B, 0x8A, 0xAA, 0x05, 0x9E, 0x77, 0xD7,
+- 0x3A, 0xBD, 0x5E, 0x53, 0x09, 0x4A, 0xE6, 0x0F, 0x5E, 0xF9, 0x14, 0x28,
+- 0xA0, 0x99, 0x74, 0x64, 0x70, 0x4E, 0xF2, 0xE3, 0xFA, 0xC7, 0xF8, 0xC5,
+- 0x6E, 0x2B, 0x79, 0x96, 0x0D, 0x0C, 0xC8, 0x10, 0x34, 0x53, 0xD2, 0xAF,
+- 0x17, 0x0E, 0xE0, 0xBF, 0x79, 0xF6, 0x04, 0x72, 0x10, 0xE0, 0xF6, 0xD0,
+- 0xCE, 0x8A, 0x6F, 0xA1, 0x95, 0x89, 0xBF, 0x58, 0x8F, 0x46, 0x5F, 0x09,
+- 0x9F, 0x09, 0xCA, 0x84, 0x15, 0x85, 0xE0, 0xED, 0x04, 0x2D, 0xFB, 0x7C,
+- 0x36, 0x35, 0x21, 0x31, 0xC3, 0xFD, 0x92, 0x42, 0x11, 0x30, 0x71, 0x1B,
+- 0x60, 0x83, 0x18, 0x88, 0xA3, 0xF5, 0x59, 0xC3
+-};
++ ptbuf = OPENSSL_malloc(RSA_size(rsa));
++ if (!ptbuf)
++ goto err;
++
++ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
++ if (len != ptlen)
++ goto err;
++ if (memcmp(ptbuf, plaintext, len))
++ goto err;
++
++ ret = 1;
++
++ err:
++ if (ctbuf)
++ OPENSSL_free(ctbuf);
++ if (ptbuf)
++ OPENSSL_free(ptbuf);
++ return ret;
++}
+
+ int FIPS_selftest_rsa()
+ {
+@@ -352,7 +483,7 @@ int FIPS_selftest_rsa()
+ if ((pk = EVP_PKEY_new()) == NULL)
+ goto err;
+
+- EVP_PKEY_assign_RSA(pk, key);
++ EVP_PKEY_set1_RSA(pk, key);
+
+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_SHA1, sizeof(kat_RSA_SHA1),
+@@ -406,29 +537,7 @@ int FIPS_selftest_rsa()
+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA512 PSS"))
+ goto err;
+
+- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+- kat_RSA_X931_SHA1,
+- sizeof(kat_RSA_X931_SHA1), EVP_sha1(),
+- EVP_MD_CTX_FLAG_PAD_X931, "RSA SHA1 X931"))
+- goto err;
+- /* NB: SHA224 not supported in X9.31 */
+- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+- kat_RSA_X931_SHA256,
+- sizeof(kat_RSA_X931_SHA256), EVP_sha256(),
+- EVP_MD_CTX_FLAG_PAD_X931,
+- "RSA SHA256 X931"))
+- goto err;
+- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+- kat_RSA_X931_SHA384,
+- sizeof(kat_RSA_X931_SHA384), EVP_sha384(),
+- EVP_MD_CTX_FLAG_PAD_X931,
+- "RSA SHA384 X931"))
+- goto err;
+- if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+- kat_RSA_X931_SHA512,
+- sizeof(kat_RSA_X931_SHA512), EVP_sha512(),
+- EVP_MD_CTX_FLAG_PAD_X931,
+- "RSA SHA512 X931"))
++ if (!fips_rsa_encrypt_test(key, kat_tbs, sizeof(kat_tbs) - 1))
+ goto err;
+
+ ret = 1;
+@@ -436,7 +545,7 @@ int FIPS_selftest_rsa()
+ err:
+ if (pk)
+ EVP_PKEY_free(pk);
+- else if (key)
++ if (key)
+ RSA_free(key);
+ return ret;
+ }
+diff -up openssl-1.0.2a/crypto/fips/Makefile.fips-reqs openssl-1.0.2a/crypto/fips/Makefile
+--- openssl-1.0.2a/crypto/fips/Makefile.fips-reqs 2015-04-22 15:06:37.895003594 +0200
++++ openssl-1.0.2a/crypto/fips/Makefile 2015-04-22 15:06:37.910003951 +0200
+@@ -24,13 +24,15 @@ LIBSRC=fips_aes_selftest.c fips_des_self
+ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
+ fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
+ fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
+- fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c
++ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c fips_enc.c fips_md.c \
++ fips_dh_selftest.c
+
+ LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \
+ fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \
+ fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \
+ fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \
+- fips_cmac_selftest.o fips_ecdh_selftest.o fips_ecdsa_selftest.o fips_enc.o fips_md.o
++ fips_cmac_selftest.o fips_ecdh_selftest.o fips_ecdsa_selftest.o fips_enc.o fips_md.o \
++ fips_dh_selftest.o
+
+ LIBCRYPTO=-L.. -lcrypto
+
+diff -up openssl-1.0.2a/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2a/crypto/rand/rand_lcl.h
+--- openssl-1.0.2a/crypto/rand/rand_lcl.h.fips-reqs 2015-04-22 15:06:37.599996574 +0200
++++ openssl-1.0.2a/crypto/rand/rand_lcl.h 2015-04-22 15:06:37.910003951 +0200
+@@ -112,7 +112,7 @@
+ #ifndef HEADER_RAND_LCL_H
+ # define HEADER_RAND_LCL_H
+
+-# define ENTROPY_NEEDED 32 /* require 256 bits = 32 bytes of randomness */
++# define ENTROPY_NEEDED 48 /* require 384 bits = 48 bytes of randomness */
+
+ # if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
+ # if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
+diff -up openssl-1.0.2a/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2a/crypto/rand/rand_lib.c
+--- openssl-1.0.2a/crypto/rand/rand_lib.c.fips-reqs 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/rand/rand_lib.c 2015-04-22 15:06:37.910003951 +0200
+@@ -236,12 +236,22 @@ static int drbg_rand_add(DRBG_CTX *ctx,
+ double entropy)
+ {
+ RAND_SSLeay()->add(in, inlen, entropy);
++ if (FIPS_rand_status()) {
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ FIPS_drbg_reseed(ctx, NULL, 0);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++ }
+ return 1;
+ }
+
+ static int drbg_rand_seed(DRBG_CTX *ctx, const void *in, int inlen)
+ {
+ RAND_SSLeay()->seed(in, inlen);
++ if (FIPS_rand_status()) {
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ FIPS_drbg_reseed(ctx, NULL, 0);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++ }
+ return 1;
+ }
+
+diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2a/crypto/rsa/rsa_gen.c
+--- openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips-reqs 2015-04-22 15:06:37.858002714 +0200
++++ openssl-1.0.2a/crypto/rsa/rsa_gen.c 2015-04-22 15:06:37.910003951 +0200
+@@ -1,5 +1,6 @@
+ /* crypto/rsa/rsa_gen.c */
+ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
++ * Copyright (C) 2013 Red Hat, Inc.
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+@@ -169,6 +170,259 @@ int RSA_generate_key_ex(RSA *rsa, int bi
+ return rsa_builtin_keygen(rsa, bits, e_value, cb);
+ }
+
++#ifdef OPENSSL_FIPS
++static int FIPS_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
++ BN_GENCB *cb)
++{
++ BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
++ BIGNUM local_r0, local_d, local_p;
++ BIGNUM *pr0, *d, *p;
++ BN_CTX *ctx = NULL;
++ int ok = -1;
++ int i;
++ int n = 0;
++ int test = 0;
++ int pbits = bits / 2;
++
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED);
++ return 0;
++ }
++
++ if ((pbits & 0xFF)
++ || (getenv("OPENSSL_ENFORCE_MODULUS_BITS") && bits != 2048
++ && bits != 3072)) {
++ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_INVALID_KEY_LENGTH);
++ return 0;
++ }
++
++ ctx = BN_CTX_new();
++ if (ctx == NULL)
++ goto err;
++ BN_CTX_start(ctx);
++ r0 = BN_CTX_get(ctx);
++ r1 = BN_CTX_get(ctx);
++ r2 = BN_CTX_get(ctx);
++ r3 = BN_CTX_get(ctx);
++
++ if (r3 == NULL)
++ goto err;
++
++ /* We need the RSA components non-NULL */
++ if (!rsa->n && ((rsa->n = BN_new()) == NULL))
++ goto err;
++ if (!rsa->d && ((rsa->d = BN_new()) == NULL))
++ goto err;
++ if (!rsa->e && ((rsa->e = BN_new()) == NULL))
++ goto err;
++ if (!rsa->p && ((rsa->p = BN_new()) == NULL))
++ goto err;
++ if (!rsa->q && ((rsa->q = BN_new()) == NULL))
++ goto err;
++ if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL))
++ goto err;
++ if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL))
++ goto err;
++ if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
++ goto err;
++
++ if (!BN_set_word(r0, RSA_F4))
++ goto err;
++ if (BN_cmp(e_value, r0) < 0 || BN_num_bits(e_value) > 256) {
++ ok = 0; /* we set our own err */
++ RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_BAD_E_VALUE);
++ goto err;
++ }
++
++ /* prepare approximate minimum p and q */
++ if (!BN_set_word(r0, 0xB504F334))
++ goto err;
++ if (!BN_lshift(r0, r0, pbits - 32))
++ goto err;
++
++ /* prepare minimum p and q difference */
++ if (!BN_one(r3))
++ goto err;
++ if (!BN_lshift(r3, r3, pbits - 100))
++ goto err;
++
++ BN_copy(rsa->e, e_value);
++
++ if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q))
++ test = 1;
++
++ retry:
++ /* generate p and q */
++ for (i = 0; i < 5 * pbits; i++) {
++ ploop:
++ if (!test)
++ if (!BN_rand(rsa->p, pbits, 0, 1))
++ goto err;
++ if (BN_cmp(rsa->p, r0) < 0) {
++ if (test)
++ goto err;
++ goto ploop;
++ }
++
++ if (!BN_sub(r2, rsa->p, BN_value_one()))
++ goto err;
++ if (!BN_gcd(r1, r2, rsa->e, ctx))
++ goto err;
++ if (BN_is_one(r1)) {
++ int r;
++ r = BN_is_prime_fasttest_ex(rsa->p, pbits > 1024 ? 4 : 5, ctx, 0,
++ cb);
++ if (r == -1 || (test && r <= 0))
++ goto err;
++ if (r > 0)
++ break;
++ }
++
++ if (!BN_GENCB_call(cb, 2, n++))
++ goto err;
++ }
++
++ if (!BN_GENCB_call(cb, 3, 0))
++ goto err;
++
++ if (i >= 5 * pbits)
++ /* prime not found */
++ goto err;
++
++ for (i = 0; i < 5 * pbits; i++) {
++ qloop:
++ if (!test)
++ if (!BN_rand(rsa->q, pbits, 0, 1))
++ goto err;
++ if (BN_cmp(rsa->q, r0) < 0) {
++ if (test)
++ goto err;
++ goto qloop;
++ }
++ if (!BN_sub(r2, rsa->q, rsa->p))
++ goto err;
++ if (BN_ucmp(r2, r3) <= 0) {
++ if (test)
++ goto err;
++ goto qloop;
++ }
++
++ if (!BN_sub(r2, rsa->q, BN_value_one()))
++ goto err;
++ if (!BN_gcd(r1, r2, rsa->e, ctx))
++ goto err;
++ if (BN_is_one(r1)) {
++ int r;
++ r = BN_is_prime_fasttest_ex(rsa->q, pbits > 1024 ? 4 : 5, ctx, 0,
++ cb);
++ if (r == -1 || (test && r <= 0))
++ goto err;
++ if (r > 0)
++ break;
++ }
++
++ if (!BN_GENCB_call(cb, 2, n++))
++ goto err;
++ }
++
++ if (!BN_GENCB_call(cb, 3, 1))
++ goto err;
++
++ if (i >= 5 * pbits)
++ /* prime not found */
++ goto err;
++
++ if (test) {
++ /* do not try to calculate the remaining key values */
++ BN_clear(rsa->n);
++ ok = 1;
++ goto err;
++ }
++
++ if (BN_cmp(rsa->p, rsa->q) < 0) {
++ tmp = rsa->p;
++ rsa->p = rsa->q;
++ rsa->q = tmp;
++ }
++
++ /* calculate n */
++ if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
++ goto err;
++
++ /* calculate d */
++ if (!BN_sub(r1, rsa->p, BN_value_one()))
++ goto err; /* p-1 */
++ if (!BN_sub(r2, rsa->q, BN_value_one()))
++ goto err; /* q-1 */
++
++ if (!BN_gcd(r0, r1, r2, ctx))
++ goto err;
++ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
++ pr0 = &local_r0;
++ BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
++ } else
++ pr0 = r0;
++ if (!BN_div(r0, NULL, r1, pr0, ctx))
++ goto err;
++ if (!BN_mul(r0, r0, r2, ctx))
++ goto err; /* lcm(p-1, q-1) */
++
++ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
++ pr0 = &local_r0;
++ BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
++ } else
++ pr0 = r0;
++ if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx))
++ goto err; /* d */
++
++ if (BN_num_bits(rsa->d) < pbits)
++ goto retry; /* d is too small */
++
++ /* set up d for correct BN_FLG_CONSTTIME flag */
++ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
++ d = &local_d;
++ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
++ } else
++ d = rsa->d;
++
++ /* calculate d mod (p-1) */
++ if (!BN_mod(rsa->dmp1, d, r1, ctx))
++ goto err;
++
++ /* calculate d mod (q-1) */
++ if (!BN_mod(rsa->dmq1, d, r2, ctx))
++ goto err;
++
++ /* calculate inverse of q mod p */
++ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
++ p = &local_p;
++ BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
++ } else
++ p = rsa->p;
++ if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
++ goto err;
++
++ if (fips_rsa_pairwise_fail)
++ BN_add_word(rsa->n, 1);
++
++ if (!fips_check_rsa(rsa))
++ goto err;
++
++ ok = 1;
++ err:
++ if (ok == -1) {
++ RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
++ ok = 0;
++ }
++ if (ctx != NULL) {
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++ }
++
++ return ok;
++}
++#endif
++
+ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
+ BN_GENCB *cb)
+ {
+@@ -180,15 +434,11 @@ static int rsa_builtin_keygen(RSA *rsa,
+
+ #ifdef OPENSSL_FIPS
+ if (FIPS_module_mode()) {
+- if (FIPS_selftest_failed()) {
+- FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED);
+- return 0;
+- }
+-
+ if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
+ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_KEY_TOO_SHORT);
+ return 0;
+ }
++ return FIPS_rsa_builtin_keygen(rsa, bits, e_value, cb);
+ }
+ #endif
+
+@@ -317,16 +567,6 @@ static int rsa_builtin_keygen(RSA *rsa,
+ if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
+ goto err;
+
+-#ifdef OPENSSL_FIPS
+- if (FIPS_module_mode()) {
+- if (fips_rsa_pairwise_fail)
+- BN_add_word(rsa->n, 1);
+-
+- if (!fips_check_rsa(rsa))
+- goto err;
+- }
+-#endif
+-
+ ok = 1;
+ err:
+ if (ok == -1) {
+diff -up openssl-1.0.2a/ssl/t1_enc.c.fips-reqs openssl-1.0.2a/ssl/t1_enc.c
+--- openssl-1.0.2a/ssl/t1_enc.c.fips-reqs 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/ssl/t1_enc.c 2015-04-22 15:06:37.911003975 +0200
+@@ -292,6 +292,23 @@ static int tls1_PRF(long digest_mask,
+ return ret;
+ }
+
++int private_tls1_PRF(long digest_mask,
++ const void *seed1, int seed1_len,
++ const void *seed2, int seed2_len,
++ const void *seed3, int seed3_len,
++ const void *seed4, int seed4_len,
++ const void *seed5, int seed5_len,
++ const unsigned char *sec, int slen,
++ unsigned char *out1, unsigned char *out2, int olen)
++{
++ return tls1_PRF(digest_mask,
++ seed1, seed1_len,
++ seed2, seed2_len,
++ seed3, seed3_len,
++ seed4, seed4_len,
++ seed5, seed5_len, sec, slen, out1, out2, olen);
++}
++
+ static int tls1_generate_key_block(SSL *s, unsigned char *km,
+ unsigned char *tmp, int num)
+ {
diff --git a/openssl-1.0.2a-no-md5-verify.patch b/openssl-1.0.2a-no-md5-verify.patch
new file mode 100644
index 0000000..b7e6663
--- /dev/null
+++ b/openssl-1.0.2a-no-md5-verify.patch
@@ -0,0 +1,25 @@
+diff -up openssl-1.0.2a/crypto/asn1/a_verify.c.no-md5-verify openssl-1.0.2a/crypto/asn1/a_verify.c
+--- openssl-1.0.2a/crypto/asn1/a_verify.c.no-md5-verify 2015-04-09 18:20:58.829680829 +0200
++++ openssl-1.0.2a/crypto/asn1/a_verify.c 2015-04-09 18:20:54.495580710 +0200
+@@ -56,6 +56,9 @@
+ * [including the GNU Public Licence.]
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
++
+ #include <stdio.h>
+ #include <time.h>
+
+@@ -171,6 +174,11 @@ int ASN1_item_verify(const ASN1_ITEM *it
+ if (ret != 2)
+ goto err;
+ ret = -1;
++ } else if (mdnid == NID_md5
++ && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) {
++ ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
++ ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
++ goto err;
+ } else {
+ const EVP_MD *type;
+ type = EVP_get_digestbynid(mdnid);
diff --git a/openssl-1.0.2a-no-rpath.patch b/openssl-1.0.2a-no-rpath.patch
new file mode 100644
index 0000000..4aafefd
--- /dev/null
+++ b/openssl-1.0.2a-no-rpath.patch
@@ -0,0 +1,12 @@
+diff -up openssl-1.0.2a/Makefile.shared.no-rpath openssl-1.0.2a/Makefile.shared
+--- openssl-1.0.2a/Makefile.shared.no-rpath 2015-04-09 18:14:39.647921663 +0200
++++ openssl-1.0.2a/Makefile.shared 2015-04-09 18:14:34.423800985 +0200
+@@ -153,7 +153,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
+ NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+
+-DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
++DO_GNU_APP=LDFLAGS="$(CFLAGS)"
+
+ #This is rather special. It's a special target with which one can link
+ #applications without bothering with any features that have anything to
diff --git a/openssl-1.0.2a-padlock64.patch b/openssl-1.0.2a-padlock64.patch
new file mode 100644
index 0000000..19d3958
--- /dev/null
+++ b/openssl-1.0.2a-padlock64.patch
@@ -0,0 +1,198 @@
+diff -up openssl-1.0.2a/engines/e_padlock.c.padlock64 openssl-1.0.2a/engines/e_padlock.c
+--- openssl-1.0.2a/engines/e_padlock.c.padlock64 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/engines/e_padlock.c 2015-04-22 16:23:44.105617468 +0200
+@@ -101,7 +101,10 @@
+ */
+ # undef COMPILE_HW_PADLOCK
+ # if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
+-# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
++# if (defined(__GNUC__) && __GNUC__>=2 && \
++ (defined(__i386__) || defined(__i386) || \
++ defined(__x86_64__) || defined(__x86_64)) \
++ ) || \
+ (defined(_MSC_VER) && defined(_M_IX86))
+ # define COMPILE_HW_PADLOCK
+ # endif
+@@ -140,7 +143,7 @@ void ENGINE_load_padlock(void)
+ # endif
+ # elif defined(__GNUC__)
+ # ifndef alloca
+-# define alloca(s) __builtin_alloca(s)
++# define alloca(s) __builtin_alloca((s))
+ # endif
+ # endif
+
+@@ -303,6 +306,7 @@ static volatile struct padlock_cipher_da
+ * =======================================================
+ */
+ # if defined(__GNUC__) && __GNUC__>=2
++# if defined(__i386__) || defined(__i386)
+ /*
+ * As for excessive "push %ebx"/"pop %ebx" found all over.
+ * When generating position-independent code GCC won't let
+@@ -379,22 +383,6 @@ static int padlock_available(void)
+ return padlock_use_ace + padlock_use_rng;
+ }
+
+-# ifndef OPENSSL_NO_AES
+-# ifndef AES_ASM
+-/* Our own htonl()/ntohl() */
+-static inline void padlock_bswapl(AES_KEY *ks)
+-{
+- size_t i = sizeof(ks->rd_key) / sizeof(ks->rd_key[0]);
+- unsigned int *key = ks->rd_key;
+-
+- while (i--) {
+- asm volatile ("bswapl %0":"+r" (*key));
+- key++;
+- }
+-}
+-# endif
+-# endif
+-
+ /*
+ * Force key reload from memory to the CPU microcode. Loading EFLAGS from the
+ * stack clears EFLAGS[30] which does the trick.
+@@ -404,7 +392,7 @@ static inline void padlock_reload_key(vo
+ asm volatile ("pushfl; popfl");
+ }
+
+-# ifndef OPENSSL_NO_AES
++# ifndef OPENSSL_NO_AES
+ /*
+ * This is heuristic key context tracing. At first one
+ * believes that one should use atomic swap instructions,
+@@ -448,6 +436,101 @@ static inline void *name(size_t cnt,
+ : "edx", "cc", "memory"); \
+ return iv; \
+ }
++# endif
++
++# elif defined(__x86_64__) || defined(__x86_64)
++
++/* Load supported features of the CPU to see if
++ the PadLock is available. */
++static int padlock_available(void)
++{
++ char vendor_string[16];
++ unsigned int eax, edx;
++
++ /* Are we running on the Centaur (VIA) CPU? */
++ eax = 0x00000000;
++ vendor_string[12] = 0;
++ asm volatile ("cpuid\n"
++ "movl %%ebx,(%1)\n"
++ "movl %%edx,4(%1)\n"
++ "movl %%ecx,8(%1)\n":"+a" (eax):"r"(vendor_string):"rbx",
++ "rcx", "rdx");
++ if (strcmp(vendor_string, "CentaurHauls") != 0)
++ return 0;
++
++ /* Check for Centaur Extended Feature Flags presence */
++ eax = 0xC0000000;
++ asm volatile ("cpuid":"+a" (eax)::"rbx", "rcx", "rdx");
++ if (eax < 0xC0000001)
++ return 0;
++
++ /* Read the Centaur Extended Feature Flags */
++ eax = 0xC0000001;
++ asm volatile ("cpuid":"+a" (eax), "=d"(edx)::"rbx", "rcx");
++
++ /* Fill up some flags */
++ padlock_use_ace = ((edx & (0x3 << 6)) == (0x3 << 6));
++ padlock_use_rng = ((edx & (0x3 << 2)) == (0x3 << 2));
++
++ return padlock_use_ace + padlock_use_rng;
++}
++
++/* Force key reload from memory to the CPU microcode.
++ Loading EFLAGS from the stack clears EFLAGS[30]
++ which does the trick. */
++static inline void padlock_reload_key(void)
++{
++ asm volatile ("pushfq; popfq");
++}
++
++# ifndef OPENSSL_NO_AES
++/*
++ * This is heuristic key context tracing. At first one
++ * believes that one should use atomic swap instructions,
++ * but it's not actually necessary. Point is that if
++ * padlock_saved_context was changed by another thread
++ * after we've read it and before we compare it with cdata,
++ * our key *shall* be reloaded upon thread context switch
++ * and we are therefore set in either case...
++ */
++static inline void padlock_verify_context(struct padlock_cipher_data *cdata)
++{
++ asm volatile ("pushfq\n"
++ " btl $30,(%%rsp)\n"
++ " jnc 1f\n"
++ " cmpq %2,%1\n"
++ " je 1f\n"
++ " popfq\n"
++ " subq $8,%%rsp\n"
++ "1: addq $8,%%rsp\n"
++ " movq %2,%0":"+m" (padlock_saved_context)
++ :"r"(padlock_saved_context), "r"(cdata):"cc");
++}
++
++/* Template for padlock_xcrypt_* modes */
++/* BIG FAT WARNING:
++ * The offsets used with 'leal' instructions
++ * describe items of the 'padlock_cipher_data'
++ * structure.
++ */
++# define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
++static inline void *name(size_t cnt, \
++ struct padlock_cipher_data *cdata, \
++ void *out, const void *inp) \
++{ void *iv; \
++ asm volatile ( "leaq 16(%0),%%rdx\n" \
++ " leaq 32(%0),%%rbx\n" \
++ rep_xcrypt "\n" \
++ : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
++ : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
++ : "rbx", "rdx", "cc", "memory"); \
++ return iv; \
++}
++# endif
++
++# endif /* cpu */
++
++# ifndef OPENSSL_NO_AES
+
+ /* Generate all functions with appropriate opcodes */
+ /* rep xcryptecb */
+@@ -458,6 +541,20 @@ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, "
+ PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0")
+ /* rep xcryptofb */
+ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8")
++
++# ifndef AES_ASM
++/* Our own htonl()/ntohl() */
++static inline void padlock_bswapl(AES_KEY *ks)
++{
++ size_t i = sizeof(ks->rd_key) / sizeof(ks->rd_key[0]);
++ unsigned int *key = ks->rd_key;
++
++ while (i--) {
++ asm volatile ("bswapl %0":"+r" (*key));
++ key++;
++ }
++}
++# endif
+ # endif
+ /* The RNG call itself */
+ static inline unsigned int padlock_xstore(void *addr, unsigned int edx_in)
+@@ -485,8 +582,8 @@ static inline unsigned int padlock_xstor
+ static inline unsigned char *padlock_memcpy(void *dst, const void *src,
+ size_t n)
+ {
+- long *d = dst;
+- const long *s = src;
++ size_t *d = dst;
++ const size_t *s = src;
+
+ n /= sizeof(*d);
+ do {
diff --git a/openssl-1.0.2a-pkgconfig-krb5.patch b/openssl-1.0.2a-pkgconfig-krb5.patch
new file mode 100644
index 0000000..8ee2c4d
--- /dev/null
+++ b/openssl-1.0.2a-pkgconfig-krb5.patch
@@ -0,0 +1,21 @@
+diff -up openssl-1.0.2a/Makefile.org.krb5 openssl-1.0.2a/Makefile.org
+--- openssl-1.0.2a/Makefile.org.krb5 2015-04-21 17:08:41.157464459 +0200
++++ openssl-1.0.2a/Makefile.org 2015-04-21 17:11:56.887039005 +0200
+@@ -372,7 +372,7 @@ libcrypto.pc: Makefile
+ echo 'Requires: '; \
+ echo 'Libs: -L$${libdir} -lcrypto'; \
+ echo 'Libs.private: $(EX_LIBS)'; \
+- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
++ echo 'Cflags: -I$${includedir}' ) > libcrypto.pc
+
+ libssl.pc: Makefile
+ @ ( echo 'prefix=$(INSTALLTOP)'; \
+@@ -385,7 +385,7 @@ libssl.pc: Makefile
+ echo 'Version: '$(VERSION); \
+ echo 'Requires.private: libcrypto'; \
+ echo 'Libs: -L$${libdir} -lssl'; \
+- echo 'Libs.private: $(EX_LIBS)'; \
++ echo 'Libs.private: $(EX_LIBS) $(LIBKRB5)'; \
+ echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
+
+ openssl.pc: Makefile
diff --git a/openssl-1.0.2a-readme-warning.patch b/openssl-1.0.2a-readme-warning.patch
new file mode 100644
index 0000000..7069989
--- /dev/null
+++ b/openssl-1.0.2a-readme-warning.patch
@@ -0,0 +1,50 @@
+diff -up openssl-1.0.2a/README.warning openssl-1.0.2a/README
+--- openssl-1.0.2a/README.warning 2015-03-20 16:00:47.000000000 +0100
++++ openssl-1.0.2a/README 2015-03-21 09:06:11.000000000 +0100
+@@ -5,6 +5,46 @@
+ Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
+ All rights reserved.
+
++ WARNING
++ -------
++
++ This version of OpenSSL is built in a way that supports operation in
++ the so called FIPS mode. Note though that the library as we build it
++ is not FIPS 140-2 validated and the FIPS mode is present for testing
++ purposes only.
++
++ This version also contains a few differences from the upstream code
++ some of which are:
++ * The FIPS validation support is significantly different from the
++ upstream FIPS support. For example the FIPS integrity verification
++ check is implemented differently as the FIPS module is built inside
++ the shared library. The HMAC-SHA256 checksums of the whole shared
++ libraries are verified. Also note that the FIPS integrity
++ verification check requires that the libcrypto and libssl shared
++ library files are unmodified which means that it will fail if these
++ files are changed for example by prelink.
++ * If the file /etc/system-fips is present the integrity verification
++ and selftests of the crypto algorithms are run inside the library
++ constructor code.
++ * With the /etc/system-fips present the module respects the kernel
++ FIPS flag /proc/sys/crypto/fips and tries to initialize the FIPS mode
++ if it is set to 1 aborting if the FIPS mode could not be initialized.
++ With the /etc/system-fips present it is also possible to force the
++ OpenSSL library to FIPS mode especially for debugging purposes by
++ setting the environment variable OPENSSL_FORCE_FIPS_MODE.
++ * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module
++ will not automatically load the built in compression method ZLIB
++ when initialized. Applications can still explicitely ask for ZLIB
++ compression method.
++ * The library was patched so the certificates, CRLs and other objects
++ signed with use of MD5 fail verification as the MD5 is too insecure
++ to be used for signatures. If the environment variable
++ OPENSSL_ENABLE_MD5_VERIFY is set, the verification can proceed
++ normally.
++ * If the OPENSSL_ENFORCE_MODULUS_BITS environment variable is set,
++ the library will not allow generation of DSA and RSA keys with
++ other lengths than specified in the FIPS 186-4 standard.
++
+ DESCRIPTION
+ -----------
+
diff --git a/openssl-1.0.2a-rpmbuild.patch b/openssl-1.0.2a-rpmbuild.patch
new file mode 100644
index 0000000..4efb633
--- /dev/null
+++ b/openssl-1.0.2a-rpmbuild.patch
@@ -0,0 +1,114 @@
+diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure
+--- openssl-1.0.2a/Configure.rpmbuild 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/Configure 2015-04-20 14:35:03.516318252 +0200
+@@ -348,8 +348,8 @@ my %table=(
+ ####
+ # *-generic* is endian-neutral target, but ./config is free to
+ # throw in -D[BL]_ENDIAN, whichever appropriate...
+-"linux-generic32","gcc:-O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-ppc", "gcc:-DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-generic32","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-ppc", "gcc:-DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+
+ #######################################################################
+ # Note that -march is not among compiler options in below linux-armv4
+@@ -378,30 +378,30 @@ my %table=(
+ #
+ # ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8
+ #
+-"linux-armv4", "gcc: -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-aarch64","gcc: -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-armv4", "gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-aarch64","gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ # Configure script adds minimally required -march for assembly support,
+ # if no -march was specified at command line. mips32 and mips64 below
+ # refer to contemporary MIPS Architecture specifications, MIPS32 and
+ # MIPS64, rather than to kernel bitness.
+-"linux-mips32", "gcc:-mabi=32 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-mips64", "gcc:-mabi=n32 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:n32:dlfcn:linux-shared:-fPIC:-mabi=n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::32",
+-"linux64-mips64", "gcc:-mabi=64 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux-mips32", "gcc:-mabi=32 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-mips64", "gcc:-mabi=n32 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:n32:dlfcn:linux-shared:-fPIC:-mabi=n32 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::32",
++"linux64-mips64", "gcc:-mabi=64 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ #### IA-32 targets...
+ "linux-ia32-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-elf", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-elf", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ "linux-aout", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
+ ####
+-"linux-generic64","gcc:-O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+-"linux-ppc64le","gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
+-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-ppc64", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
++"linux-ppc64le","gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
++"linux-ia64", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ "linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux-x86_64", "gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ "linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Weverything $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ "linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ "linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
+-"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux64-s390x", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ #### So called "highgprs" target for z/Architecture CPUs
+ # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
+ # /proc/cpuinfo. The idea is to preserve most significant bits of
+@@ -419,12 +419,12 @@ my %table=(
+ #### SPARC Linux setups
+ # Ray Miller <ray.miller at computing-services.oxford.ac.uk> has patiently
+ # assisted with debugging of following two configs.
+-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ # it's a real mess with -mcpu=ultrasparc option under Linux, but
+ # -Wa,-Av8plus should do the trick no matter what.
+-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ # GCC 3.1 is a requirement
+-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ #### Alpha Linux with GNU C and Compaq C setups
+ # Special notes:
+ # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
+@@ -1737,7 +1737,7 @@ while (<IN>)
+ elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
+ {
+ my $sotmp = $1;
+- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
++ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
+ }
+ elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
+ {
+diff -up openssl-1.0.2a/Makefile.org.rpmbuild openssl-1.0.2a/Makefile.org
+--- openssl-1.0.2a/Makefile.org.rpmbuild 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/Makefile.org 2015-04-20 14:11:52.152847093 +0200
+@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
+ SHLIB_MAJOR=
+ SHLIB_MINOR=
+ SHLIB_EXT=
++SHLIB_SONAMEVER=10
+ PLATFORM=dist
+ OPTIONS=
+ CONFIGURE_ARGS=
+@@ -335,10 +336,9 @@ clean-shared:
+ link-shared:
+ @ set -e; for i in $(SHLIBDIRS); do \
+ $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
+- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
++ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
+ LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
+ symlink.$(SHLIB_TARGET); \
+- libs="$$libs -l$$i"; \
+ done
+
+ build-shared: do_$(SHLIB_TARGET) link-shared
+@@ -349,7 +349,7 @@ do_$(SHLIB_TARGET):
+ libs="$(LIBKRB5) $$libs"; \
+ fi; \
+ $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
+- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
++ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
+ LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
+ LIBDEPS="$$libs $(EX_LIBS)" \
+ link_a.$(SHLIB_TARGET); \
diff --git a/openssl-1.0.2a-rsa-x931.patch b/openssl-1.0.2a-rsa-x931.patch
new file mode 100644
index 0000000..4de716a
--- /dev/null
+++ b/openssl-1.0.2a-rsa-x931.patch
@@ -0,0 +1,35 @@
+diff -up openssl-1.0.2a/apps/genrsa.c.x931 openssl-1.0.2a/apps/genrsa.c
+--- openssl-1.0.2a/apps/genrsa.c.x931 2015-04-09 18:18:24.132107287 +0200
++++ openssl-1.0.2a/apps/genrsa.c 2015-04-09 18:18:18.852985339 +0200
+@@ -97,6 +97,7 @@ int MAIN(int argc, char **argv)
+ int ret = 1;
+ int i, num = DEFBITS;
+ long l;
++ int use_x931 = 0;
+ const EVP_CIPHER *enc = NULL;
+ unsigned long f4 = RSA_F4;
+ char *outfile = NULL;
+@@ -139,6 +140,8 @@ int MAIN(int argc, char **argv)
+ f4 = 3;
+ else if (strcmp(*argv, "-F4") == 0 || strcmp(*argv, "-f4") == 0)
+ f4 = RSA_F4;
++ else if (strcmp(*argv, "-x931") == 0)
++ use_x931 = 1;
+ # ifndef OPENSSL_NO_ENGINE
+ else if (strcmp(*argv, "-engine") == 0) {
+ if (--argc < 1)
+@@ -278,7 +281,13 @@ int MAIN(int argc, char **argv)
+ if (!rsa)
+ goto err;
+
+- if (!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
++ if (use_x931) {
++ if (!BN_set_word(bn, f4))
++ goto err;
++ if (!RSA_X931_generate_key_ex(rsa, num, bn, &cb))
++ goto err;
++ } else if (!BN_set_word(bn, f4)
++ || !RSA_generate_key_ex(rsa, num, bn, &cb))
+ goto err;
+
+ app_RAND_write_file(NULL, bio_err);
diff --git a/openssl-1.0.2a-secure-getenv.patch b/openssl-1.0.2a-secure-getenv.patch
new file mode 100644
index 0000000..f494839
--- /dev/null
+++ b/openssl-1.0.2a-secure-getenv.patch
@@ -0,0 +1,241 @@
+diff -up openssl-1.0.2a/crypto/conf/conf_api.c.secure-getenv openssl-1.0.2a/crypto/conf/conf_api.c
+--- openssl-1.0.2a/crypto/conf/conf_api.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/conf/conf_api.c 2015-04-21 17:14:12.757214532 +0200
+@@ -63,6 +63,8 @@
+ # define NDEBUG
+ #endif
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <assert.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -141,7 +143,7 @@ char *_CONF_get_string(const CONF *conf,
+ if (v != NULL)
+ return (v->value);
+ if (strcmp(section, "ENV") == 0) {
+- p = getenv(name);
++ p = secure_getenv(name);
+ if (p != NULL)
+ return (p);
+ }
+@@ -154,7 +156,7 @@ char *_CONF_get_string(const CONF *conf,
+ else
+ return (NULL);
+ } else
+- return (getenv(name));
++ return (secure_getenv(name));
+ }
+
+ #if 0 /* There's no way to provide error checking
+diff -up openssl-1.0.2a/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2a/crypto/conf/conf_mod.c
+--- openssl-1.0.2a/crypto/conf/conf_mod.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/conf/conf_mod.c 2015-04-21 17:13:24.165078848 +0200
+@@ -57,6 +57,8 @@
+ *
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include <ctype.h>
+ #include <openssl/crypto.h>
+@@ -526,7 +528,7 @@ char *CONF_get1_default_config_file(void
+ char *file;
+ int len;
+
+- file = getenv("OPENSSL_CONF");
++ file = secure_getenv("OPENSSL_CONF");
+ if (file)
+ return BUF_strdup(file);
+
+diff -up openssl-1.0.2a/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2a/crypto/engine/eng_list.c
+--- openssl-1.0.2a/crypto/engine/eng_list.c.secure-getenv 2015-04-21 17:13:24.165078848 +0200
++++ openssl-1.0.2a/crypto/engine/eng_list.c 2015-04-21 17:15:53.180561603 +0200
+@@ -62,6 +62,8 @@
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include "eng_int.h"
+
+ /*
+@@ -368,10 +370,10 @@ ENGINE *ENGINE_by_id(const char *id)
+ */
+ if (strcmp(id, "dynamic")) {
+ # ifdef OPENSSL_SYS_VMS
+- if ((load_dir = getenv("OPENSSL_ENGINES")) == 0)
++ if (OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0)
+ load_dir = "SSLROOT:[ENGINES]";
+ # else
+- if ((load_dir = getenv("OPENSSL_ENGINES")) == 0)
++ if ((load_dir = secure_getenv("OPENSSL_ENGINES")) == 0)
+ load_dir = ENGINESDIR;
+ # endif
+ iterator = ENGINE_by_id("dynamic");
+diff -up openssl-1.0.2a/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.2a/crypto/md5/md5_dgst.c
+--- openssl-1.0.2a/crypto/md5/md5_dgst.c.secure-getenv 2015-04-21 17:13:24.156078637 +0200
++++ openssl-1.0.2a/crypto/md5/md5_dgst.c 2015-04-21 17:13:24.165078848 +0200
+@@ -56,6 +56,8 @@
+ * [including the GNU Public Licence.]
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include "md5_locl.h"
+ #include <openssl/opensslv.h>
+@@ -75,7 +77,8 @@ const char MD5_version[] = "MD5" OPENSSL
+ int MD5_Init(MD5_CTX *c)
+ #ifdef OPENSSL_FIPS
+ {
+- if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
++ if (FIPS_mode()
++ && secure_getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
+ OpenSSLDie(__FILE__, __LINE__, "Digest MD5 forbidden in FIPS mode!");
+ return private_MD5_Init(c);
+ }
+diff -up openssl-1.0.2a/crypto/o_init.c.secure-getenv openssl-1.0.2a/crypto/o_init.c
+--- openssl-1.0.2a/crypto/o_init.c.secure-getenv 2015-04-21 17:13:24.142078310 +0200
++++ openssl-1.0.2a/crypto/o_init.c 2015-04-21 17:13:24.165078848 +0200
+@@ -53,6 +53,8 @@
+ *
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <e_os.h>
+ #include <openssl/err.h>
+ #ifdef OPENSSL_FIPS
+@@ -72,7 +74,7 @@ static void init_fips_mode(void)
+ char buf[2] = "0";
+ int fd;
+
+- if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
++ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
+ buf[0] = '1';
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
+diff -up openssl-1.0.2a/crypto/rand/randfile.c.secure-getenv openssl-1.0.2a/crypto/rand/randfile.c
+--- openssl-1.0.2a/crypto/rand/randfile.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/rand/randfile.c 2015-04-21 17:13:24.165078848 +0200
+@@ -60,6 +60,8 @@
+ #if !defined(OPENSSL_SYS_VXWORKS)
+ # define _XOPEN_SOURCE 500
+ #endif
++/* for secure_getenv */
++#define _GNU_SOURCE
+
+ #include <errno.h>
+ #include <stdio.h>
+@@ -292,14 +294,12 @@ const char *RAND_file_name(char *buf, si
+ struct stat sb;
+ #endif
+
+- if (OPENSSL_issetugid() == 0)
+- s = getenv("RANDFILE");
++ s = secure_getenv("RANDFILE");
+ if (s != NULL && *s && strlen(s) + 1 < size) {
+ if (BUF_strlcpy(buf, s, size) >= size)
+ return NULL;
+ } else {
+- if (OPENSSL_issetugid() == 0)
+- s = getenv("HOME");
++ s = secure_getenv("HOME");
+ #ifdef DEFAULT_HOME
+ if (s == NULL) {
+ s = DEFAULT_HOME;
+diff -up openssl-1.0.2a/crypto/x509/by_dir.c.secure-getenv openssl-1.0.2a/crypto/x509/by_dir.c
+--- openssl-1.0.2a/crypto/x509/by_dir.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/crypto/x509/by_dir.c 2015-04-21 17:13:24.165078848 +0200
+@@ -56,6 +56,8 @@
+ * [including the GNU Public Licence.]
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include <time.h>
+ #include <errno.h>
+@@ -128,7 +130,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
+ switch (cmd) {
+ case X509_L_ADD_DIR:
+ if (argl == X509_FILETYPE_DEFAULT) {
+- dir = (char *)getenv(X509_get_default_cert_dir_env());
++ dir = (char *)secure_getenv(X509_get_default_cert_dir_env());
+ if (dir)
+ ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
+ else
+diff -up openssl-1.0.2a/crypto/x509/by_file.c.secure-getenv openssl-1.0.2a/crypto/x509/by_file.c
+--- openssl-1.0.2a/crypto/x509/by_file.c.secure-getenv 2015-04-21 17:13:24.118077749 +0200
++++ openssl-1.0.2a/crypto/x509/by_file.c 2015-04-21 17:13:24.166078871 +0200
+@@ -56,6 +56,8 @@
+ * [including the GNU Public Licence.]
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include <time.h>
+ #include <errno.h>
+@@ -97,7 +99,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
+ switch (cmd) {
+ case X509_L_FILE_LOAD:
+ if (argl == X509_FILETYPE_DEFAULT) {
+- file = (char *)getenv(X509_get_default_cert_file_env());
++ file = (char *)secure_getenv(X509_get_default_cert_file_env());
+ if (file)
+ ok = (X509_load_cert_crl_file(ctx, file,
+ X509_FILETYPE_PEM) != 0);
+diff -up openssl-1.0.2a/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2a/crypto/x509/x509_vfy.c
+--- openssl-1.0.2a/crypto/x509/x509_vfy.c.secure-getenv 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/x509/x509_vfy.c 2015-04-21 17:19:14.948277272 +0200
+@@ -56,6 +56,8 @@
+ * [including the GNU Public Licence.]
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include <time.h>
+ #include <errno.h>
+@@ -550,7 +552,7 @@ static int check_chain_extensions(X509_S
+ * A hack to keep people who don't want to modify their software
+ * happy
+ */
+- if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
++ if (secure_getenv("OPENSSL_ALLOW_PROXY_CERTS"))
+ allow_proxy_certs = 1;
+ purpose = ctx->param->purpose;
+ }
+diff -up openssl-1.0.2a/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.2a/engines/ccgost/gost_ctl.c
+--- openssl-1.0.2a/engines/ccgost/gost_ctl.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100
++++ openssl-1.0.2a/engines/ccgost/gost_ctl.c 2015-04-21 17:19:53.897187577 +0200
+@@ -6,6 +6,8 @@
+ * Implementation of control commands for GOST engine *
+ * OpenSSL 0.9.9 libraries required *
+ **********************************************************************/
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdlib.h>
+ #include <string.h>
+ #include <openssl/crypto.h>
+@@ -64,7 +66,7 @@ const char *get_gost_engine_param(int pa
+ if (gost_params[param] != NULL) {
+ return gost_params[param];
+ }
+- tmp = getenv(gost_envnames[param]);
++ tmp = secure_getenv(gost_envnames[param]);
+ if (tmp) {
+ if (gost_params[param])
+ OPENSSL_free(gost_params[param]);
+@@ -79,7 +81,7 @@ int gost_set_default_param(int param, co
+ const char *tmp;
+ if (param < 0 || param > GOST_PARAM_MAX)
+ return 0;
+- tmp = getenv(gost_envnames[param]);
++ tmp = secure_getenv(gost_envnames[param]);
+ /*
+ * if there is value in the environment, use it, else -passed string *
+ */
diff --git a/openssl-1.0.2a-system-cipherlist.patch b/openssl-1.0.2a-system-cipherlist.patch
new file mode 100644
index 0000000..482fecc
--- /dev/null
+++ b/openssl-1.0.2a-system-cipherlist.patch
@@ -0,0 +1,285 @@
+diff -up openssl-1.0.2a/Configure.system openssl-1.0.2a/Configure
+--- openssl-1.0.2a/Configure.system 2015-04-22 15:23:47.970633650 +0200
++++ openssl-1.0.2a/Configure 2015-04-22 15:23:48.042635407 +0200
+@@ -10,7 +10,7 @@ use strict;
+
+ # see INSTALL for instructions.
+
+-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
++my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
+
+ # Options:
+ #
+@@ -35,6 +35,9 @@ my $usage="Usage: Configure [no-<cipher>
+ # --with-krb5-flavor Declare what flavor of Kerberos 5 is used. Currently
+ # supported values are "MIT" and "Heimdal". A value is required.
+ #
++# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
++# cipher is specified (default).
++#
+ # --test-sanity Make a number of sanity checks on the data in this file.
+ # This is a debugging tool for OpenSSL developers.
+ #
+@@ -703,6 +706,7 @@ my $prefix="";
+ my $libdir="";
+ my $openssldir="";
+ my $enginesdir="";
++my $system_ciphers_file="";
+ my $exe_ext="";
+ my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
+ my $cross_compile_prefix="";
+@@ -934,6 +938,10 @@ PROCESS_ARGS:
+ {
+ $enginesdir=$1;
+ }
++ elsif (/^--system-ciphers-file=(.*)$/)
++ {
++ $system_ciphers_file=$1;
++ }
+ elsif (/^--install.prefix=(.*)$/)
+ {
+ $install_prefix=$1;
+@@ -1096,6 +1104,7 @@ print "Configuring for $target\n";
+
+ &usage if (!defined($table{$target}));
+
++chop $system_ciphers_file if $system_ciphers_file =~ /\/$/;
+
+ foreach (sort (keys %disabled))
+ {
+@@ -1667,6 +1676,7 @@ while (<IN>)
+ s/^INSTALLTOP=.*$/INSTALLTOP=$prefix/;
+ s/^MULTILIB=.*$/MULTILIB=$multilib/;
+ s/^OPENSSLDIR=.*$/OPENSSLDIR=$openssldir/;
++ s/^SYSTEM_CIPHERS_FILE=.*$/SYSTEM_CIPHERS_FILE=$system_ciphers_file/;
+ s/^LIBDIR=.*$/LIBDIR=$libdir/;
+ s/^INSTALL_PREFIX=.*$/INSTALL_PREFIX=$install_prefix/;
+ s/^PLATFORM=.*$/PLATFORM=$target/;
+@@ -1877,6 +1887,14 @@ while (<IN>)
+ $foo =~ s/\\/\\\\/g;
+ print OUT "#define ENGINESDIR \"$foo\"\n";
+ }
++ elsif (/^#((define)|(undef))\s+SYSTEM_CIPHERS_FILE/)
++ {
++ my $foo = "$system_ciphers_file";
++ if ($foo ne '') {
++ $foo =~ s/\\/\\\\/g;
++ print OUT "#define SYSTEM_CIPHERS_FILE \"$foo\"\n";
++ }
++ }
+ elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/)
+ { printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n"
+ if $export_var_as_fn;
+diff -up openssl-1.0.2a/crypto/opensslconf.h.in.system openssl-1.0.2a/crypto/opensslconf.h.in
+--- openssl-1.0.2a/crypto/opensslconf.h.in.system 2015-04-22 15:23:47.988634089 +0200
++++ openssl-1.0.2a/crypto/opensslconf.h.in 2015-04-22 15:23:48.042635407 +0200
+@@ -25,6 +25,8 @@
+ #endif
+ #endif
+
++#undef SYSTEM_CIPHERS_FILE
++
+ #undef OPENSSL_UNISTD
+ #define OPENSSL_UNISTD <unistd.h>
+
+diff -up openssl-1.0.2a/ssl/ssl_ciph.c.system openssl-1.0.2a/ssl/ssl_ciph.c
+--- openssl-1.0.2a/ssl/ssl_ciph.c.system 2015-04-22 15:23:47.993634211 +0200
++++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-04-22 15:29:30.185982356 +0200
+@@ -1463,6 +1463,50 @@ static int check_suiteb_cipher_list(cons
+ }
+ #endif
+
++#ifdef SYSTEM_CIPHERS_FILE
++static char *load_system_str(const char *suffix)
++{
++ FILE *fp;
++ char buf[1024];
++ char *new_rules;
++ unsigned len, slen;
++
++ fp = fopen(SYSTEM_CIPHERS_FILE, "r");
++ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
++ /* cannot open or file is empty */
++ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
++ }
++
++ if (fp)
++ fclose(fp);
++
++ slen = strlen(suffix);
++ len = strlen(buf);
++
++ if (buf[len - 1] == '\n') {
++ len--;
++ buf[len] = 0;
++ }
++ if (buf[len - 1] == '\r') {
++ len--;
++ buf[len] = 0;
++ }
++
++ new_rules = OPENSSL_malloc(len + slen + 1);
++ if (new_rules == 0)
++ return NULL;
++
++ memcpy(new_rules, buf, len);
++ if (slen > 0) {
++ memcpy(&new_rules[len], suffix, slen);
++ len += slen;
++ }
++ new_rules[len] = 0;
++
++ return new_rules;
++}
++#endif
++
+ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER)
+ **cipher_list, STACK_OF(SSL_CIPHER)
+ **cipher_list_by_id,
+@@ -1471,19 +1515,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
+ unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac,
+ disabled_ssl;
+- STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
++ STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list;
+ const char *rule_p;
+ CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
+ const SSL_CIPHER **ca_list = NULL;
++#ifdef SYSTEM_CIPHERS_FILE
++ char *new_rules = NULL;
++
++ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
++ char *p = rule_str + 14;
++
++ new_rules = load_system_str(p);
++ rule_str = new_rules;
++ }
++#endif
+
+ /*
+ * Return with error if nothing to do.
+ */
+ if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
+- return NULL;
++ goto end;
+ #ifndef OPENSSL_NO_EC
+ if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
+- return NULL;
++ goto end;
+ #endif
+
+ /*
+@@ -1507,7 +1561,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
+ if (co_list == NULL) {
+ SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
+- return (NULL); /* Failure */
++ goto end;
+ }
+
+ ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
+@@ -1568,8 +1622,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ * in force within each class
+ */
+ if (!ssl_cipher_strength_sort(&head, &tail)) {
+- OPENSSL_free(co_list);
+- return NULL;
++ goto end;
+ }
+
+ /* Now disable everything (maintaining the ordering!) */
+@@ -1587,9 +1640,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
+ ca_list = OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
+ if (ca_list == NULL) {
+- OPENSSL_free(co_list);
+ SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
+- return (NULL); /* Failure */
++ goto end;
+ }
+ ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
+ disabled_mkey, disabled_auth, disabled_enc,
+@@ -1615,8 +1667,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ OPENSSL_free((void *)ca_list); /* Not needed anymore */
+
+ if (!ok) { /* Rule processing failure */
+- OPENSSL_free(co_list);
+- return (NULL);
++ goto end;
+ }
+
+ /*
+@@ -1624,8 +1675,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ * if we cannot get one.
+ */
+ if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
+- OPENSSL_free(co_list);
+- return (NULL);
++ goto end;
+ }
+
+ /*
+@@ -1646,12 +1696,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ #endif
+ }
+ }
+- OPENSSL_free(co_list); /* Not needed any longer */
+
+ tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
+ if (tmp_cipher_list == NULL) {
+ sk_SSL_CIPHER_free(cipherstack);
+- return NULL;
++ cipherstack = NULL;
++ goto end;
+ }
+ if (*cipher_list != NULL)
+ sk_SSL_CIPHER_free(*cipher_list);
+@@ -1663,6 +1713,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ ssl_cipher_ptr_id_cmp);
+
+ sk_SSL_CIPHER_sort(*cipher_list_by_id);
++
++ end:
++ OPENSSL_free(co_list);
++#ifdef SYSTEM_CIPHERS_FILE
++ OPENSSL_free(new_rules);
++#endif
+ return (cipherstack);
+ }
+
+diff -up openssl-1.0.2a/ssl/ssl.h.system openssl-1.0.2a/ssl/ssl.h
+--- openssl-1.0.2a/ssl/ssl.h.system 2015-04-22 15:23:48.043635431 +0200
++++ openssl-1.0.2a/ssl/ssl.h 2015-04-22 15:35:43.666093799 +0200
+@@ -345,6 +345,11 @@ extern "C" {
+ * throwing out anonymous and unencrypted ciphersuites! (The latter are not
+ * actually enabled by ALL, but "ALL:RSA" would enable some of them.)
+ */
++# ifdef SYSTEM_CIPHERS_FILE
++# define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM"
++# else
++# define SSL_SYSTEM_DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST
++# endif
+
+ /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
+ # define SSL_SENT_SHUTDOWN 1
+diff -up openssl-1.0.2a/ssl/ssl_lib.c.system openssl-1.0.2a/ssl/ssl_lib.c
+--- openssl-1.0.2a/ssl/ssl_lib.c.system 2015-04-22 15:23:48.044635455 +0200
++++ openssl-1.0.2a/ssl/ssl_lib.c 2015-04-22 15:31:55.794534631 +0200
+@@ -273,7 +273,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
+ &(ctx->cipher_list_by_id),
+ meth->version ==
+ SSL2_VERSION ? "SSLv2" :
+- SSL_DEFAULT_CIPHER_LIST, ctx->cert);
++ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
+ if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
+ SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,
+ SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
+@@ -1945,7 +1945,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+ ssl_create_cipher_list(ret->method,
+ &ret->cipher_list, &ret->cipher_list_by_id,
+ meth->version ==
+- SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST,
++ SSL2_VERSION ? "SSLv2" : SSL_SYSTEM_DEFAULT_CIPHER_LIST,
+ ret->cert);
+ if (ret->cipher_list == NULL || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
+ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
diff --git a/openssl-1.0.2a-test-use-localhost.patch b/openssl-1.0.2a-test-use-localhost.patch
new file mode 100644
index 0000000..4510e6e
--- /dev/null
+++ b/openssl-1.0.2a-test-use-localhost.patch
@@ -0,0 +1,21 @@
+diff -up openssl-1.0.2a/ssl/ssltest.c.use-localhost openssl-1.0.2a/ssl/ssltest.c
+--- openssl-1.0.2a/ssl/ssltest.c.use-localhost 2015-04-20 14:43:07.172601663 +0200
++++ openssl-1.0.2a/ssl/ssltest.c 2015-04-20 14:45:02.831299849 +0200
+@@ -1516,16 +1516,7 @@ int main(int argc, char *argv[])
+
+ #ifndef OPENSSL_NO_KRB5
+ if (c_ssl && c_ssl->kssl_ctx) {
+- char localhost[MAXHOSTNAMELEN + 2];
+-
+- if (gethostname(localhost, sizeof localhost - 1) == 0) {
+- localhost[sizeof localhost - 1] = '\0';
+- if (strlen(localhost) == sizeof localhost - 1) {
+- BIO_printf(bio_err, "localhost name too long\n");
+- goto end;
+- }
+- kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, localhost);
+- }
++ kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, "localhost");
+ }
+ #endif /* OPENSSL_NO_KRB5 */
+
diff --git a/openssl-1.0.2a-trusted-first-doc.patch b/openssl-1.0.2a-trusted-first-doc.patch
new file mode 100644
index 0000000..8333751
--- /dev/null
+++ b/openssl-1.0.2a-trusted-first-doc.patch
@@ -0,0 +1,286 @@
+diff -up openssl-1.0.2a/apps/cms.c.trusted-first openssl-1.0.2a/apps/cms.c
+--- openssl-1.0.2a/apps/cms.c.trusted-first 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/apps/cms.c 2015-04-22 16:25:31.839164061 +0200
+@@ -646,6 +646,8 @@ int MAIN(int argc, char **argv)
+ "-CApath dir trusted certificates directory\n");
+ BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
+ BIO_printf(bio_err,
++ "-trusted_first use trusted certificates first when building the trust chain\n");
++ BIO_printf(bio_err,
+ "-crl_check check revocation status of signer's certificate using CRLs\n");
+ BIO_printf(bio_err,
+ "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
+diff -up openssl-1.0.2a/apps/ocsp.c.trusted-first openssl-1.0.2a/apps/ocsp.c
+--- openssl-1.0.2a/apps/ocsp.c.trusted-first 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/apps/ocsp.c 2015-04-22 16:25:31.840164085 +0200
+@@ -536,6 +536,8 @@ int MAIN(int argc, char **argv)
+ BIO_printf(bio_err,
+ "-CAfile file trusted certificates file\n");
+ BIO_printf(bio_err,
++ "-trusted_first use trusted certificates first when building the trust chain\n");
++ BIO_printf(bio_err,
+ "-VAfile file validator certificates file\n");
+ BIO_printf(bio_err,
+ "-validity_period n maximum validity discrepancy in seconds\n");
+diff -up openssl-1.0.2a/apps/s_client.c.trusted-first openssl-1.0.2a/apps/s_client.c
+--- openssl-1.0.2a/apps/s_client.c.trusted-first 2015-04-22 16:25:31.799163115 +0200
++++ openssl-1.0.2a/apps/s_client.c 2015-04-22 16:25:31.840164085 +0200
+@@ -333,6 +333,8 @@ static void sc_usage(void)
+ BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
+ BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
+ BIO_printf(bio_err,
++ " -trusted_first - Use trusted CA's first when building the trust chain\n");
++ BIO_printf(bio_err,
+ " -reconnect - Drop and re-make the connection with the same Session-ID\n");
+ BIO_printf(bio_err,
+ " -pause - sleep(1) after each read(2) and write(2) system call\n");
+diff -up openssl-1.0.2a/apps/smime.c.trusted-first openssl-1.0.2a/apps/smime.c
+--- openssl-1.0.2a/apps/smime.c.trusted-first 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/apps/smime.c 2015-04-22 16:25:31.840164085 +0200
+@@ -442,6 +442,8 @@ int MAIN(int argc, char **argv)
+ "-CApath dir trusted certificates directory\n");
+ BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
+ BIO_printf(bio_err,
++ "-trusted_first use trusted certificates first when building the trust chain\n");
++ BIO_printf(bio_err,
+ "-crl_check check revocation status of signer's certificate using CRLs\n");
+ BIO_printf(bio_err,
+ "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
+diff -up openssl-1.0.2a/apps/s_server.c.trusted-first openssl-1.0.2a/apps/s_server.c
+--- openssl-1.0.2a/apps/s_server.c.trusted-first 2015-04-22 16:25:31.806163281 +0200
++++ openssl-1.0.2a/apps/s_server.c 2015-04-22 16:25:31.841164108 +0200
+@@ -569,6 +569,8 @@ static void sv_usage(void)
+ BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
+ BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
+ BIO_printf(bio_err,
++ " -trusted_first - Use trusted CA's first when building the trust chain\n");
++ BIO_printf(bio_err,
+ " -nocert - Don't use any certificates (Anon-DH)\n");
+ BIO_printf(bio_err,
+ " -cipher arg - play with 'openssl ciphers' to see what goes here\n");
+diff -up openssl-1.0.2a/apps/s_time.c.trusted-first openssl-1.0.2a/apps/s_time.c
+--- openssl-1.0.2a/apps/s_time.c.trusted-first 2015-04-22 16:25:31.755162075 +0200
++++ openssl-1.0.2a/apps/s_time.c 2015-04-22 16:25:31.841164108 +0200
+@@ -182,6 +182,7 @@ static void s_time_usage(void)
+ file if not specified by this option\n\
+ -CApath arg - PEM format directory of CA's\n\
+ -CAfile arg - PEM format file of CA's\n\
++-trusted_first - Use trusted CA's first when building the trust chain\n\
+ -cipher - preferred cipher to use, play with 'openssl ciphers'\n\n";
+
+ printf("usage: s_time <args>\n\n");
+diff -up openssl-1.0.2a/apps/ts.c.trusted-first openssl-1.0.2a/apps/ts.c
+--- openssl-1.0.2a/apps/ts.c.trusted-first 2015-04-22 16:25:31.797163068 +0200
++++ openssl-1.0.2a/apps/ts.c 2015-04-22 16:25:31.841164108 +0200
+@@ -352,7 +352,7 @@ int MAIN(int argc, char **argv)
+ "ts -verify [-data file_to_hash] [-digest digest_bytes] "
+ "[-queryfile request.tsq] "
+ "-in response.tsr [-token_in] "
+- "-CApath ca_path -CAfile ca_file.pem "
++ "-CApath ca_path -CAfile ca_file.pem -trusted_first"
+ "-untrusted cert_file.pem\n");
+ cleanup:
+ /* Clean up. */
+diff -up openssl-1.0.2a/apps/verify.c.trusted-first openssl-1.0.2a/apps/verify.c
+--- openssl-1.0.2a/apps/verify.c.trusted-first 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/apps/verify.c 2015-04-22 16:25:31.841164108 +0200
+@@ -231,7 +231,7 @@ int MAIN(int argc, char **argv)
+ end:
+ if (ret == 1) {
+ BIO_printf(bio_err,
+- "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
++ "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
+ BIO_printf(bio_err, " [-attime timestamp]");
+ #ifndef OPENSSL_NO_ENGINE
+ BIO_printf(bio_err, " [-engine e]");
+diff -up openssl-1.0.2a/doc/apps/cms.pod.trusted-first openssl-1.0.2a/doc/apps/cms.pod
+--- openssl-1.0.2a/doc/apps/cms.pod.trusted-first 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/doc/apps/cms.pod 2015-04-22 16:25:31.842164132 +0200
+@@ -35,6 +35,7 @@ B<openssl> B<cms>
+ [B<-print>]
+ [B<-CAfile file>]
+ [B<-CApath dir>]
++[B<-trusted_first>]
+ [B<-md digest>]
+ [B<-[cipher]>]
+ [B<-nointern>]
+@@ -244,6 +245,12 @@ B<-verify>. This directory must be a sta
+ is a hash of each subject name (using B<x509 -hash>) should be linked
+ to each certificate.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory before untrusted certificates
++from the message when building the trust chain to verify certificates.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-md digest>
+
+ digest algorithm to use when signing or resigning. If not present then the
+diff -up openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first openssl-1.0.2a/doc/apps/ocsp.pod
+--- openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first 2015-04-22 16:25:31.798163092 +0200
++++ openssl-1.0.2a/doc/apps/ocsp.pod 2015-04-22 16:25:31.842164132 +0200
+@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
+ [B<-path>]
+ [B<-CApath dir>]
+ [B<-CAfile file>]
++[B<-trusted_first>]
+ [B<-VAfile file>]
+ [B<-validity_period n>]
+ [B<-status_age n>]
+@@ -143,6 +144,13 @@ connection timeout to the OCSP responder
+ file or pathname containing trusted CA certificates. These are used to verify
+ the signature on the OCSP response.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory over certificates provided
++in the response or residing in other certificates file when building the trust
++chain to verify responder certificate.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-verify_other file>
+
+ file containing additional certificates to search when attempting to locate
+diff -up openssl-1.0.2a/doc/apps/s_client.pod.trusted-first openssl-1.0.2a/doc/apps/s_client.pod
+--- openssl-1.0.2a/doc/apps/s_client.pod.trusted-first 2015-04-22 16:25:31.814163470 +0200
++++ openssl-1.0.2a/doc/apps/s_client.pod 2015-04-22 16:25:31.843164156 +0200
+@@ -19,6 +19,7 @@ B<openssl> B<s_client>
+ [B<-pass arg>]
+ [B<-CApath directory>]
+ [B<-CAfile filename>]
++[B<-trusted_first>]
+ [B<-reconnect>]
+ [B<-pause>]
+ [B<-showcerts>]
+@@ -123,7 +124,7 @@ also used when building the client certi
+ A file containing trusted certificates to use during server authentication
+ and to use when attempting to build the client certificate chain.
+
+-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
++=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
+
+ Set various certificate chain valiadition option. See the
+ L<B<verify>|verify(1)> manual page for details.
+diff -up openssl-1.0.2a/doc/apps/smime.pod.trusted-first openssl-1.0.2a/doc/apps/smime.pod
+--- openssl-1.0.2a/doc/apps/smime.pod.trusted-first 2015-01-20 13:33:36.000000000 +0100
++++ openssl-1.0.2a/doc/apps/smime.pod 2015-04-22 16:25:31.843164156 +0200
+@@ -15,6 +15,9 @@ B<openssl> B<smime>
+ [B<-pk7out>]
+ [B<-[cipher]>]
+ [B<-in file>]
++[B<-CAfile file>]
++[B<-CApath dir>]
++[B<-trusted_first>]
+ [B<-certfile file>]
+ [B<-signer file>]
+ [B<-recip file>]
+@@ -146,6 +149,12 @@ B<-verify>. This directory must be a sta
+ is a hash of each subject name (using B<x509 -hash>) should be linked
+ to each certificate.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory over certificates provided
++in the message when building the trust chain to verify a certificate.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-md digest>
+
+ digest algorithm to use when signing or resigning. If not present then the
+diff -up openssl-1.0.2a/doc/apps/s_server.pod.trusted-first openssl-1.0.2a/doc/apps/s_server.pod
+--- openssl-1.0.2a/doc/apps/s_server.pod.trusted-first 2015-04-22 16:25:31.814163470 +0200
++++ openssl-1.0.2a/doc/apps/s_server.pod 2015-04-22 16:25:31.843164156 +0200
+@@ -33,6 +33,7 @@ B<openssl> B<s_server>
+ [B<-state>]
+ [B<-CApath directory>]
+ [B<-CAfile filename>]
++[B<-trusted_first>]
+ [B<-nocert>]
+ [B<-cipher cipherlist>]
+ [B<-serverpref>]
+@@ -174,6 +175,12 @@ and to use when attempting to build the
+ is also used in the list of acceptable client CAs passed to the client when
+ a certificate is requested.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory before other certificates
++when building the trust chain to verify client certificates.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-state>
+
+ prints out the SSL session states.
+diff -up openssl-1.0.2a/doc/apps/s_time.pod.trusted-first openssl-1.0.2a/doc/apps/s_time.pod
+--- openssl-1.0.2a/doc/apps/s_time.pod.trusted-first 2015-01-15 15:43:49.000000000 +0100
++++ openssl-1.0.2a/doc/apps/s_time.pod 2015-04-22 16:25:31.843164156 +0200
+@@ -14,6 +14,7 @@ B<openssl> B<s_time>
+ [B<-key filename>]
+ [B<-CApath directory>]
+ [B<-CAfile filename>]
++[B<-trusted_first>]
+ [B<-reuse>]
+ [B<-new>]
+ [B<-verify depth>]
+@@ -76,6 +77,12 @@ also used when building the client certi
+ A file containing trusted certificates to use during server authentication
+ and to use when attempting to build the client certificate chain.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory over the certificates provided
++by the server when building the trust chain to verify server certificate.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-new>
+
+ performs the timing test using a new session ID for each connection.
+diff -up openssl-1.0.2a/doc/apps/ts.pod.trusted-first openssl-1.0.2a/doc/apps/ts.pod
+--- openssl-1.0.2a/doc/apps/ts.pod.trusted-first 2015-01-20 13:33:36.000000000 +0100
++++ openssl-1.0.2a/doc/apps/ts.pod 2015-04-22 16:25:31.843164156 +0200
+@@ -46,6 +46,7 @@ B<-verify>
+ [B<-token_in>]
+ [B<-CApath> trusted_cert_path]
+ [B<-CAfile> trusted_certs.pem]
++[B<-trusted_first>]
+ [B<-untrusted> cert_file.pem]
+
+ =head1 DESCRIPTION
+@@ -324,6 +325,12 @@ L<verify(1)|verify(1)> for additional de
+ or B<-CApath> must be specified.
+ (Optional)
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory before other certificates
++when building the trust chain to verify certificates.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-untrusted> cert_file.pem
+
+ Set of additional untrusted certificates in PEM format which may be
+diff -up openssl-1.0.2a/doc/apps/verify.pod.trusted-first openssl-1.0.2a/doc/apps/verify.pod
+--- openssl-1.0.2a/doc/apps/verify.pod.trusted-first 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/doc/apps/verify.pod 2015-04-22 16:25:31.843164156 +0200
+@@ -9,6 +9,7 @@ verify - Utility to verify certificates.
+ B<openssl> B<verify>
+ [B<-CApath directory>]
+ [B<-CAfile file>]
++[B<-trusted_first>]
+ [B<-purpose purpose>]
+ [B<-policy arg>]
+ [B<-ignore_critical>]
+@@ -78,6 +79,12 @@ If a valid CRL cannot be found an error
+ A file of untrusted certificates. The file should contain multiple certificates
+ in PEM format concatenated together.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory before the certificates in the untrusted
++file when building the trust chain to verify certificates.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-purpose purpose>
+
+ The intended use for the certificate. If this option is not specified,
diff --git a/openssl-1.0.2a-version-add-engines.patch b/openssl-1.0.2a-version-add-engines.patch
new file mode 100644
index 0000000..b7936b3
--- /dev/null
+++ b/openssl-1.0.2a-version-add-engines.patch
@@ -0,0 +1,47 @@
+diff -up openssl-1.0.2a/apps/version.c.version-add-engines openssl-1.0.2a/apps/version.c
+--- openssl-1.0.2a/apps/version.c.version-add-engines 2015-04-09 18:16:42.345756005 +0200
++++ openssl-1.0.2a/apps/version.c 2015-04-09 18:16:36.573622667 +0200
+@@ -131,6 +131,7 @@
+ #ifndef OPENSSL_NO_BF
+ # include <openssl/blowfish.h>
+ #endif
++#include <openssl/engine.h>
+
+ #undef PROG
+ #define PROG version_main
+@@ -140,7 +141,8 @@ int MAIN(int, char **);
+ int MAIN(int argc, char **argv)
+ {
+ int i, ret = 0;
+- int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0;
++ int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir =
++ 0, engines = 0;
+
+ apps_startup();
+
+@@ -164,7 +166,7 @@ int MAIN(int argc, char **argv)
+ else if (strcmp(argv[i], "-d") == 0)
+ dir = 1;
+ else if (strcmp(argv[i], "-a") == 0)
+- date = version = cflags = options = platform = dir = 1;
++ date = version = cflags = options = platform = dir = engines = 1;
+ else {
+ BIO_printf(bio_err, "usage:version -[avbofpd]\n");
+ ret = 1;
+@@ -208,6 +210,16 @@ int MAIN(int argc, char **argv)
+ printf("%s\n", SSLeay_version(SSLEAY_CFLAGS));
+ if (dir)
+ printf("%s\n", SSLeay_version(SSLEAY_DIR));
++ if (engines) {
++ ENGINE *e;
++ printf("engines: ");
++ e = ENGINE_get_first();
++ while (e) {
++ printf("%s ", ENGINE_get_id(e));
++ e = ENGINE_get_next(e);
++ }
++ printf("\n");
++ }
+ end:
+ apps_shutdown();
+ OPENSSL_EXIT(ret);
diff --git a/openssl-1.0.2a-version.patch b/openssl-1.0.2a-version.patch
new file mode 100644
index 0000000..25dfff5
--- /dev/null
+++ b/openssl-1.0.2a-version.patch
@@ -0,0 +1,83 @@
+diff -up openssl-1.0.2a/crypto/cversion.c.version openssl-1.0.2a/crypto/cversion.c
+--- openssl-1.0.2a/crypto/cversion.c.version 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/cversion.c 2015-04-21 16:48:56.285535316 +0200
+@@ -62,7 +62,7 @@
+ # include "buildinf.h"
+ #endif
+
+-const char *SSLeay_version(int t)
++const char *_current_SSLeay_version(int t)
+ {
+ if (t == SSLEAY_VERSION)
+ return OPENSSL_VERSION_TEXT;
+@@ -101,7 +101,40 @@ const char *SSLeay_version(int t)
+ return ("not available");
+ }
+
+-unsigned long SSLeay(void)
++const char *_original_SSLeay_version(int t)
++{
++ if (t == SSLEAY_VERSION)
++ return "OpenSSL 1.0.0-fips 29 Mar 2010";
++ else
++ return _current_SSLeay_version(t);
++}
++
++const char *_original101_SSLeay_version(int t)
++{
++ if (t == SSLEAY_VERSION)
++ return "OpenSSL 1.0.1e-fips 11 Feb 2013";
++ else
++ return _current_SSLeay_version(t);
++}
++
++unsigned long _original_SSLeay(void)
++{
++ return (0x10000003L);
++}
++
++unsigned long _original101_SSLeay(void)
++{
++ return (0x1000105fL);
++}
++
++unsigned long _current_SSLeay(void)
+ {
+ return (SSLEAY_VERSION_NUMBER);
+ }
++
++__asm__(".symver _original_SSLeay,SSLeay@");
++__asm__(".symver _original_SSLeay_version,SSLeay_version@");
++__asm__(".symver _original101_SSLeay,SSLeay at OPENSSL_1.0.1");
++__asm__(".symver _original101_SSLeay_version,SSLeay_version at OPENSSL_1.0.1");
++__asm__(".symver _current_SSLeay,SSLeay@@OPENSSL_1.0.2");
++__asm__(".symver _current_SSLeay_version,SSLeay_version@@OPENSSL_1.0.2");
+diff -up openssl-1.0.2a/Makefile.shared.version openssl-1.0.2a/Makefile.shared
+--- openssl-1.0.2a/Makefile.shared.version 2015-04-21 16:43:02.624170648 +0200
++++ openssl-1.0.2a/Makefile.shared 2015-04-21 16:43:02.676171879 +0200
+@@ -151,7 +151,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
+ SHLIB_SUFFIX=; \
+ ALLSYMSFLAGS='-Wl,--whole-archive'; \
+ NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
++ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,--default-symver,--version-script=version.map -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+
+ DO_GNU_APP=LDFLAGS="$(CFLAGS)"
+
+diff -up openssl-1.0.2a/version.map.version openssl-1.0.2a/version.map
+--- openssl-1.0.2a/version.map.version 2015-04-21 16:43:02.676171879 +0200
++++ openssl-1.0.2a/version.map 2015-04-21 16:51:49.621630589 +0200
+@@ -0,0 +1,13 @@
++OPENSSL_1.0.1 {
++ global:
++ SSLeay;
++ SSLeay_version;
++ local:
++ _original*;
++ _current*;
++};
++OPENSSL_1.0.2 {
++ global:
++ SSLeay;
++ SSLeay_version;
++} OPENSSL_1.0.1;
diff --git a/openssl-1.0.2a-weak-ciphers.patch b/openssl-1.0.2a-weak-ciphers.patch
new file mode 100644
index 0000000..7cb708d
--- /dev/null
+++ b/openssl-1.0.2a-weak-ciphers.patch
@@ -0,0 +1,12 @@
+diff -up openssl-1.0.2a/ssl/ssl.h.weak-ciphers openssl-1.0.2a/ssl/ssl.h
+--- openssl-1.0.2a/ssl/ssl.h.weak-ciphers 2015-04-22 15:11:14.026574414 +0200
++++ openssl-1.0.2a/ssl/ssl.h 2015-04-22 15:14:51.302744713 +0200
+@@ -338,7 +338,7 @@ extern "C" {
+ * The following cipher list is used by default. It also is substituted when
+ * an application-defined cipher list string starts with 'DEFAULT'.
+ */
+-# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
++# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2:!DES"
+ /*
+ * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
+ * starts with a reasonable order, and all we have to do for DEFAULT is
diff --git a/openssl-1.0.2a-wrap-pad.patch b/openssl-1.0.2a-wrap-pad.patch
new file mode 100644
index 0000000..ff1a133
--- /dev/null
+++ b/openssl-1.0.2a-wrap-pad.patch
@@ -0,0 +1,555 @@
+diff -up openssl-1.0.2a/crypto/evp/c_allc.c.wrap openssl-1.0.2a/crypto/evp/c_allc.c
+--- openssl-1.0.2a/crypto/evp/c_allc.c.wrap 2015-04-22 15:41:32.147488107 +0200
++++ openssl-1.0.2a/crypto/evp/c_allc.c 2015-04-22 15:47:25.486946239 +0200
+@@ -179,6 +179,7 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher(EVP_aes_128_xts());
+ EVP_add_cipher(EVP_aes_128_ccm());
+ EVP_add_cipher(EVP_aes_128_wrap());
++ EVP_add_cipher(EVP_aes_128_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
+ EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
+ EVP_add_cipher(EVP_aes_192_ecb());
+@@ -191,6 +192,7 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher(EVP_aes_192_gcm());
+ EVP_add_cipher(EVP_aes_192_ccm());
+ EVP_add_cipher(EVP_aes_192_wrap());
++ EVP_add_cipher(EVP_aes_192_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
+ EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
+ EVP_add_cipher(EVP_aes_256_ecb());
+@@ -204,6 +206,7 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher(EVP_aes_256_xts());
+ EVP_add_cipher(EVP_aes_256_ccm());
+ EVP_add_cipher(EVP_aes_256_wrap());
++ EVP_add_cipher(EVP_aes_256_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
+ EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
+ # if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
+@@ -258,6 +261,7 @@ void OpenSSL_add_all_ciphers(void)
+
+ EVP_add_cipher(EVP_des_ede());
+ EVP_add_cipher(EVP_des_ede3());
++ EVP_add_cipher(EVP_des_ede3_wrap());
+ # endif
+
+ # ifndef OPENSSL_NO_AES
+@@ -272,6 +276,7 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher(EVP_aes_128_xts());
+ EVP_add_cipher(EVP_aes_128_ccm());
+ EVP_add_cipher(EVP_aes_128_wrap());
++ EVP_add_cipher(EVP_aes_128_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
+ EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
+ EVP_add_cipher(EVP_aes_192_ecb());
+@@ -284,6 +289,7 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher(EVP_aes_192_gcm());
+ EVP_add_cipher(EVP_aes_192_ccm());
+ EVP_add_cipher(EVP_aes_192_wrap());
++ EVP_add_cipher(EVP_aes_192_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
+ EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
+ EVP_add_cipher(EVP_aes_256_ecb());
+@@ -297,6 +303,7 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher(EVP_aes_256_xts());
+ EVP_add_cipher(EVP_aes_256_ccm());
+ EVP_add_cipher(EVP_aes_256_wrap());
++ EVP_add_cipher(EVP_aes_256_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
+ EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
+ # endif
+diff -up openssl-1.0.2a/crypto/evp/e_aes.c.wrap openssl-1.0.2a/crypto/evp/e_aes.c
+--- openssl-1.0.2a/crypto/evp/e_aes.c.wrap 2015-04-22 15:41:32.148488131 +0200
++++ openssl-1.0.2a/crypto/evp/e_aes.c 2015-04-22 15:52:21.809039506 +0200
+@@ -1,5 +1,5 @@
+ /* ====================================================================
+- * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
++ * Copyright (c) 2001-2014 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+@@ -1952,7 +1952,7 @@ static int aes_wrap_init_key(EVP_CIPHER_
+ wctx->iv = NULL;
+ }
+ if (iv) {
+- memcpy(ctx->iv, iv, 8);
++ memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
+ wctx->iv = ctx->iv;
+ }
+ return 1;
+@@ -1963,30 +1963,57 @@ static int aes_wrap_cipher(EVP_CIPHER_CT
+ {
+ EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
+ size_t rv;
++ /* AES wrap with padding has IV length of 4, without padding 8 */
++ int pad = EVP_CIPHER_CTX_iv_length(ctx) == 4;
++ /* No final operation so always return zero length */
+ if (!in)
+ return 0;
+- if (inlen % 8)
++ /* Input length must always be non-zero */
++ if (!inlen)
+ return -1;
+- if (ctx->encrypt && inlen < 8)
++ /* If decrypting need at least 16 bytes and multiple of 8 */
++ if (!ctx->encrypt && (inlen < 16 || inlen & 0x7))
+ return -1;
+- if (!ctx->encrypt && inlen < 16)
++ /* If not padding input must be multiple of 8 */
++ if (!pad && inlen & 0x7)
+ return -1;
+ if (!out) {
+- if (ctx->encrypt)
++ if (ctx->encrypt) {
++ /* If padding round up to multiple of 8 */
++ if (pad)
++ inlen = (inlen + 7) / 8 * 8;
++ /* 8 byte prefix */
+ return inlen + 8;
+- else
++ } else {
++ /* If not padding output will be exactly 8 bytes
++ * smaller than input. If padding it will be at
++ * least 8 bytes smaller but we don't know how
++ * much.
++ */
+ return inlen - 8;
+ }
++ }
++ if (pad) {
+ if (ctx->encrypt)
+- rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
++ rv = CRYPTO_128_wrap_pad(&wctx->ks.ks, wctx->iv,
++ out, in, inlen,
+ (block128_f) AES_encrypt);
+ else
+- rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
++ rv = CRYPTO_128_unwrap_pad(&wctx->ks.ks, wctx->iv,
++ out, in, inlen,
+ (block128_f) AES_decrypt);
++ } else {
++ if (ctx->encrypt)
++ rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv,
++ out, in, inlen, (block128_f) AES_encrypt);
++ else
++ rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv,
++ out, in, inlen, (block128_f) AES_decrypt);
++ }
+ return rv ? (int)rv : -1;
+ }
+
+-#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
++# define WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_FLAG_FIPS \
+ | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
+ | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
+
+@@ -2031,3 +2058,45 @@ const EVP_CIPHER *EVP_aes_256_wrap(void)
+ {
+ return &aes_256_wrap;
+ }
++
++static const EVP_CIPHER aes_128_wrap_pad = {
++ NID_id_aes128_wrap_pad,
++ 8, 16, 4, WRAP_FLAGS,
++ aes_wrap_init_key, aes_wrap_cipher,
++ NULL,
++ sizeof(EVP_AES_WRAP_CTX),
++ NULL, NULL, NULL, NULL
++};
++
++const EVP_CIPHER *EVP_aes_128_wrap_pad(void)
++{
++ return &aes_128_wrap_pad;
++}
++
++static const EVP_CIPHER aes_192_wrap_pad = {
++ NID_id_aes192_wrap_pad,
++ 8, 24, 4, WRAP_FLAGS,
++ aes_wrap_init_key, aes_wrap_cipher,
++ NULL,
++ sizeof(EVP_AES_WRAP_CTX),
++ NULL, NULL, NULL, NULL
++};
++
++const EVP_CIPHER *EVP_aes_192_wrap_pad(void)
++{
++ return &aes_192_wrap_pad;
++}
++
++static const EVP_CIPHER aes_256_wrap_pad = {
++ NID_id_aes256_wrap_pad,
++ 8, 32, 4, WRAP_FLAGS,
++ aes_wrap_init_key, aes_wrap_cipher,
++ NULL,
++ sizeof(EVP_AES_WRAP_CTX),
++ NULL, NULL, NULL, NULL
++};
++
++const EVP_CIPHER *EVP_aes_256_wrap_pad(void)
++{
++ return &aes_256_wrap_pad;
++}
+diff -up openssl-1.0.2a/crypto/evp/e_des3.c.wrap openssl-1.0.2a/crypto/evp/e_des3.c
+--- openssl-1.0.2a/crypto/evp/e_des3.c.wrap 2015-04-22 15:41:40.301683300 +0200
++++ openssl-1.0.2a/crypto/evp/e_des3.c 2015-04-22 15:53:39.529899964 +0200
+@@ -473,7 +473,7 @@ static const EVP_CIPHER des3_wrap = {
+ NID_id_smime_alg_CMS3DESwrap,
+ 8, 24, 0,
+ EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
+- | EVP_CIPH_FLAG_DEFAULT_ASN1,
++ | EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_FLAG_FIPS,
+ des_ede3_init_key, des_ede3_wrap_cipher,
+ NULL,
+ sizeof(DES_EDE_KEY),
+diff -up openssl-1.0.2a/crypto/evp/evp.h.wrap openssl-1.0.2a/crypto/evp/evp.h
+--- openssl-1.0.2a/crypto/evp/evp.h.wrap 2015-04-22 19:30:57.000000000 +0200
++++ openssl-1.0.2a/crypto/evp/evp.h 2015-04-22 19:51:06.352832516 +0200
+@@ -832,6 +832,7 @@ const EVP_CIPHER *EVP_aes_128_ccm(void);
+ const EVP_CIPHER *EVP_aes_128_gcm(void);
+ const EVP_CIPHER *EVP_aes_128_xts(void);
+ const EVP_CIPHER *EVP_aes_128_wrap(void);
++const EVP_CIPHER *EVP_aes_128_wrap_pad(void);
+ const EVP_CIPHER *EVP_aes_192_ecb(void);
+ const EVP_CIPHER *EVP_aes_192_cbc(void);
+ const EVP_CIPHER *EVP_aes_192_cfb1(void);
+@@ -843,6 +844,7 @@ const EVP_CIPHER *EVP_aes_192_ctr(void);
+ const EVP_CIPHER *EVP_aes_192_ccm(void);
+ const EVP_CIPHER *EVP_aes_192_gcm(void);
+ const EVP_CIPHER *EVP_aes_192_wrap(void);
++const EVP_CIPHER *EVP_aes_192_wrap_pad(void);
+ const EVP_CIPHER *EVP_aes_256_ecb(void);
+ const EVP_CIPHER *EVP_aes_256_cbc(void);
+ const EVP_CIPHER *EVP_aes_256_cfb1(void);
+@@ -855,6 +857,7 @@ const EVP_CIPHER *EVP_aes_256_ccm(void);
+ const EVP_CIPHER *EVP_aes_256_gcm(void);
+ const EVP_CIPHER *EVP_aes_256_xts(void);
+ const EVP_CIPHER *EVP_aes_256_wrap(void);
++const EVP_CIPHER *EVP_aes_256_wrap_pad(void);
+ # if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
+ const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void);
+ const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void);
+diff -up openssl-1.0.2a/crypto/evp/evptests.txt.wrap openssl-1.0.2a/crypto/evp/evptests.txt
+--- openssl-1.0.2a/crypto/evp/evptests.txt.wrap 2015-04-22 15:41:47.194848307 +0200
++++ openssl-1.0.2a/crypto/evp/evptests.txt 2015-04-22 16:01:08.174540977 +0200
+@@ -399,3 +399,7 @@ id-aes256-wrap:000102030405060708090A0B0
+ id-aes192-wrap:000102030405060708090A0B0C0D0E0F1011121314151617::00112233445566778899AABBCCDDEEFF0001020304050607:031D33264E15D33268F24EC260743EDCE1C6C7DDEE725A936BA814915C6762D2
+ id-aes256-wrap:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF0001020304050607:A8F9BC1612C68B3FF6E6F4FBE30E71E4769C8B80A32CB8958CD5D17D6B254DA1
+ id-aes256-wrap:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF000102030405060708090A0B0C0D0E0F:28C9F404C4B810F4CBCCB35CFB87F8263F5786E2D80ED326CBC7F0E71A99F43BFB988B9B7A02DD21
++# AES wrap tests from RFC5649
++id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::c37b7e6492584340bed12207808941155068f738:138bdeaa9b8fa7fc61f97742e72248ee5ae6ae5360d1ae6a5f54f373fa543b6a
++id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::466f7250617369:afbeb0f07dfbf5419200f2ccb50bb24f
++
+diff -up openssl-1.0.2a/crypto/modes/modes.h.wrap openssl-1.0.2a/crypto/modes/modes.h
+--- openssl-1.0.2a/crypto/modes/modes.h.wrap 2015-04-22 15:41:49.228896997 +0200
++++ openssl-1.0.2a/crypto/modes/modes.h 2015-04-22 16:03:40.724152855 +0200
+@@ -157,6 +157,12 @@ size_t CRYPTO_128_unwrap(void *key, cons
+ unsigned char *out,
+ const unsigned char *in, size_t inlen,
+ block128_f block);
++size_t CRYPTO_128_wrap_pad(void *key, const unsigned char *icv,
++ unsigned char *out, const unsigned char *in,
++ size_t inlen, block128_f block);
++size_t CRYPTO_128_unwrap_pad(void *key, const unsigned char *icv,
++ unsigned char *out, const unsigned char *in,
++ size_t inlen, block128_f block);
+
+ #ifdef __cplusplus
+ }
+diff -up openssl-1.0.2a/crypto/modes/wrap128.c.wrap openssl-1.0.2a/crypto/modes/wrap128.c
+--- openssl-1.0.2a/crypto/modes/wrap128.c.wrap 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/crypto/modes/wrap128.c 2015-04-22 16:06:16.798848197 +0200
+@@ -2,6 +2,7 @@
+ /*
+ * Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
+ * project.
++ * Mode with padding contributed by Petr Spacek (pspacek at redhat.com).
+ */
+ /* ====================================================================
+ * Copyright (c) 2013 The OpenSSL Project. All rights reserved.
+@@ -52,19 +53,44 @@
+ * ====================================================================
+ */
+
++/** Beware!
++ *
++ * Following wrapping modes were designed for AES but this implementation
++ * allows you to use them for any 128 bit block cipher.
++ */
++
+ #include "cryptlib.h"
+ #include <openssl/modes.h>
+
++/** RFC 3394 section 2.2.3.1 Default Initial Value */
+ static const unsigned char default_iv[] = {
+ 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6,
+ };
+
+-/*
+- * Input size limit: lower than maximum of standards but far larger than
++/** RFC 5649 section 3 Alternative Initial Value 32-bit constant */
++static const unsigned char default_aiv[] = {
++ 0xA6, 0x59, 0x59, 0xA6
++};
++
++/** Input size limit: lower than maximum of standards but far larger than
+ * anything that will be used in practice.
+ */
+ #define CRYPTO128_WRAP_MAX (1UL << 31)
+
++/** Wrapping according to RFC 3394 section 2.2.1.
++ *
++ * @param[in] key Key value.
++ * @param[in] iv IV value. Length = 8 bytes. NULL = use default_iv.
++ * @param[in] in Plain text as n 64-bit blocks, n >= 2.
++ * @param[in] inlen Length of in.
++ * @param[out] out Cipher text. Minimal buffer length = (inlen + 8) bytes.
++ * Input and output buffers can overlap if block function
++ * supports that.
++ * @param[in] block Block processing function.
++ * @return 0 if inlen does not consist of n 64-bit blocks, n >= 2.
++ * or if inlen > CRYPTO128_WRAP_MAX.
++ * Output length if wrapping succeeded.
++ */
+ size_t CRYPTO_128_wrap(void *key, const unsigned char *iv,
+ unsigned char *out,
+ const unsigned char *in, size_t inlen,
+@@ -72,11 +98,11 @@ size_t CRYPTO_128_wrap(void *key, const
+ {
+ unsigned char *A, B[16], *R;
+ size_t i, j, t;
+- if ((inlen & 0x7) || (inlen < 8) || (inlen > CRYPTO128_WRAP_MAX))
++ if ((inlen & 0x7) || (inlen < 16) || (inlen > CRYPTO128_WRAP_MAX))
+ return 0;
+ A = B;
+ t = 1;
+- memcpy(out + 8, in, inlen);
++ memmove(out + 8, in, inlen);
+ if (!iv)
+ iv = default_iv;
+
+@@ -100,7 +126,23 @@ size_t CRYPTO_128_wrap(void *key, const
+ return inlen + 8;
+ }
+
+-size_t CRYPTO_128_unwrap(void *key, const unsigned char *iv,
++/** Unwrapping according to RFC 3394 section 2.2.2 steps 1-2.
++ * IV check (step 3) is responsibility of the caller.
++ *
++ * @param[in] key Key value.
++ * @param[out] iv Unchecked IV value. Minimal buffer length = 8 bytes.
++ * @param[out] out Plain text without IV.
++ * Minimal buffer length = (inlen - 8) bytes.
++ * Input and output buffers can overlap if block function
++ * supports that.
++ * @param[in] in Ciphertext text as n 64-bit blocks
++ * @param[in] inlen Length of in.
++ * @param[in] block Block processing function.
++ * @return 0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
++ * or if inlen is not multiply of 8.
++ * Output length otherwise.
++ */
++static size_t crypto_128_unwrap_raw(void *key, unsigned char *iv,
+ unsigned char *out,
+ const unsigned char *in, size_t inlen,
+ block128_f block)
+@@ -113,7 +155,7 @@ size_t CRYPTO_128_unwrap(void *key, cons
+ A = B;
+ t = 6 * (inlen >> 3);
+ memcpy(A, in, 8);
+- memcpy(out, in + 8, inlen);
++ memmove(out, in + 8, inlen);
+ for (j = 0; j < 6; j++) {
+ R = out + inlen - 8;
+ for (i = 0; i < inlen; i += 8, t--, R -= 8) {
+@@ -128,11 +170,190 @@ size_t CRYPTO_128_unwrap(void *key, cons
+ memcpy(R, B + 8, 8);
+ }
+ }
++ memcpy(iv, A, 8);
++ return inlen;
++}
++
++/** Unwrapping according to RFC 3394 section 2.2.2 including IV check.
++ * First block of plain text have to match supplied IV otherwise an error is
++ * returned.
++ *
++ * @param[in] key Key value.
++ * @param[out] iv Unchecked IV value. Minimal buffer length = 8 bytes.
++ * @param[out] out Plain text without IV.
++ * Minimal buffer length = (inlen - 8) bytes.
++ * Input and output buffers can overlap if block function
++ * supports that.
++ * @param[in] in Ciphertext text as n 64-bit blocks
++ * @param[in] inlen Length of in.
++ * @param[in] block Block processing function.
++ * @return 0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
++ * or if inlen is not multiply of 8
++ * or if IV doesn't match expected value.
++ * Output length otherwise.
++ */
++size_t CRYPTO_128_unwrap(void *key, const unsigned char *iv,
++ unsigned char *out, const unsigned char *in,
++ size_t inlen, block128_f block)
++{
++ size_t ret;
++ unsigned char got_iv[8];
++
++ ret = crypto_128_unwrap_raw(key, got_iv, out, in, inlen, block);
++ if (ret == 0)
++ return 0;
++
+ if (!iv)
+ iv = default_iv;
+- if (memcmp(A, iv, 8)) {
++ if (CRYPTO_memcmp(got_iv, iv, 8)) {
++ OPENSSL_cleanse(out, ret);
++ return 0;
++ }
++ return ret;
++}
++
++/** Wrapping according to RFC 5649 section 4.1.
++ *
++ * @param[in] key Key value.
++ * @param[in] icv (Non-standard) IV, 4 bytes. NULL = use default_aiv.
++ * @param[out] out Cipher text. Minimal buffer length = (inlen + 15) bytes.
++ * Input and output buffers can overlap if block function
++ * supports that.
++ * @param[in] in Plain text as n 64-bit blocks, n >= 2.
++ * @param[in] inlen Length of in.
++ * @param[in] block Block processing function.
++ * @return 0 if inlen is out of range [1, CRYPTO128_WRAP_MAX].
++ * Output length if wrapping succeeded.
++ */
++size_t CRYPTO_128_wrap_pad(void *key, const unsigned char *icv,
++ unsigned char *out,
++ const unsigned char *in, size_t inlen,
++ block128_f block)
++{
++ /* n: number of 64-bit blocks in the padded key data */
++ const size_t blocks_padded = (inlen + 7) / 8;
++ const size_t padded_len = blocks_padded * 8;
++ const size_t padding_len = padded_len - inlen;
++ /* RFC 5649 section 3: Alternative Initial Value */
++ unsigned char aiv[8];
++ int ret;
++
++ /* Section 1: use 32-bit fixed field for plaintext octet length */
++ if (inlen == 0 || inlen >= CRYPTO128_WRAP_MAX)
++ return 0;
++
++ /* Section 3: Alternative Initial Value */
++ if (!icv)
++ memcpy(aiv, default_aiv, 4);
++ else
++ memcpy(aiv, icv, 4); /* Standard doesn't mention this. */
++
++ aiv[4] = (inlen >> 24) & 0xFF;
++ aiv[5] = (inlen >> 16) & 0xFF;
++ aiv[6] = (inlen >> 8) & 0xFF;
++ aiv[7] = inlen & 0xFF;
++
++ if (padded_len == 8) {
++ /* Section 4.1 - special case in step 2:
++ * If the padded plaintext contains exactly eight octets, then
++ * prepend the AIV and encrypt the resulting 128-bit block
++ * using AES in ECB mode. */
++ memmove(out + 8, in, inlen);
++ memcpy(out, aiv, 8);
++ memset(out + 8 + inlen, 0, padding_len);
++ block(out, out, key);
++ ret = 16; /* AIV + padded input */
++ } else {
++ memmove(out, in, inlen);
++ memset(out + inlen, 0, padding_len); /* Section 4.1 step 1 */
++ ret = CRYPTO_128_wrap(key, aiv, out, out, padded_len, block);
++ }
++
++ return ret;
++}
++
++/** Unwrapping according to RFC 5649 section 4.2.
++ *
++ * @param[in] key Key value.
++ * @param[in] icv (Non-standard) IV, 4 bytes. NULL = use default_aiv.
++ * @param[out] out Plain text. Minimal buffer length = inlen bytes.
++ * Input and output buffers can overlap if block function
++ * supports that.
++ * @param[in] in Ciphertext text as n 64-bit blocks
++ * @param[in] inlen Length of in.
++ * @param[in] block Block processing function.
++ * @return 0 if inlen is out of range [16, CRYPTO128_WRAP_MAX],
++ * or if inlen is not multiply of 8
++ * or if IV and message length indicator doesn't match.
++ * Output length if unwrapping succeeded and IV matches.
++ */
++size_t CRYPTO_128_unwrap_pad(void *key, const unsigned char *icv,
++ unsigned char *out,
++ const unsigned char *in, size_t inlen,
++ block128_f block)
++{
++ /* n: number of 64-bit blocks in the padded key data */
++ size_t n = inlen / 8 - 1;
++ size_t padded_len;
++ size_t padding_len;
++ size_t ptext_len;
++ /* RFC 5649 section 3: Alternative Initial Value */
++ unsigned char aiv[8];
++ static unsigned char zeros[8] = { 0x0 };
++ size_t ret;
++
++ /* Section 4.2: Cipher text length has to be (n+1) 64-bit blocks. */
++ if ((inlen & 0x7) != 0 || inlen < 16 || inlen >= CRYPTO128_WRAP_MAX)
++ return 0;
++
++ memmove(out, in, inlen);
++ if (inlen == 16) {
++ /* Section 4.2 - special case in step 1:
++ * When n=1, the ciphertext contains exactly two 64-bit
++ * blocks and they are decrypted as a single AES
++ * block using AES in ECB mode:
++ * AIV | P[1] = DEC(K, C[0] | C[1])
++ */
++ block(out, out, key);
++ memcpy(aiv, out, 8);
++ /* Remove AIV */
++ memmove(out, out + 8, 8);
++ padded_len = 8;
++ } else {
++ padded_len = inlen - 8;
++ ret = crypto_128_unwrap_raw(key, aiv, out, out, inlen, block);
++ if (padded_len != ret) {
+ OPENSSL_cleanse(out, inlen);
+ return 0;
+ }
+- return inlen;
++ }
++
++ /* Section 3: AIV checks: Check that MSB(32,A) = A65959A6.
++ * Optionally a user-supplied value can be used
++ * (even if standard doesn't mention this). */
++ if ((!icv && CRYPTO_memcmp(aiv, default_aiv, 4))
++ || (icv && CRYPTO_memcmp(aiv, icv, 4))) {
++ OPENSSL_cleanse(out, inlen);
++ return 0;
++ }
++
++ /* Check that 8*(n-1) < LSB(32,AIV) <= 8*n.
++ * If so, let ptext_len = LSB(32,AIV). */
++
++ ptext_len = (aiv[4] << 24) | (aiv[5] << 16) | (aiv[6] << 8) | aiv[7];
++ if (8 * (n - 1) >= ptext_len || ptext_len > 8 * n) {
++ OPENSSL_cleanse(out, inlen);
++ return 0;
++ }
++
++ /* Check that the rightmost padding_len octets of the output data
++ * are zero. */
++ padding_len = padded_len - ptext_len;
++ if (CRYPTO_memcmp(out + ptext_len, zeros, padding_len) != 0) {
++ OPENSSL_cleanse(out, inlen);
++ return 0;
++ }
++
++ /* Section 4.2 step 3: Remove padding */
++ return ptext_len;
+ }
diff --git a/openssl-1.0.2a-x509.patch b/openssl-1.0.2a-x509.patch
new file mode 100644
index 0000000..7c96a57
--- /dev/null
+++ b/openssl-1.0.2a-x509.patch
@@ -0,0 +1,28 @@
+diff -up openssl-1.0.2a/crypto/x509/by_file.c.x509 openssl-1.0.2a/crypto/x509/by_file.c
+--- openssl-1.0.2a/crypto/x509/by_file.c.x509 2015-04-09 18:16:29.365456157 +0200
++++ openssl-1.0.2a/crypto/x509/by_file.c 2015-04-09 18:16:26.398387618 +0200
+@@ -152,9 +152,12 @@ int X509_load_cert_file(X509_LOOKUP *ctx
+ }
+ }
+ i = X509_STORE_add_cert(ctx->store_ctx, x);
+- if (!i)
+- goto err;
+- count++;
++ /* ignore any problems with current certificate
++ and continue with the next one */
++ if (i)
++ count++;
++ else
++ ERR_clear_error();
+ X509_free(x);
+ x = NULL;
+ }
+@@ -167,7 +170,7 @@ int X509_load_cert_file(X509_LOOKUP *ctx
+ }
+ i = X509_STORE_add_cert(ctx->store_ctx, x);
+ if (!i)
+- goto err;
++ ERR_clear_error();
+ ret = i;
+ } else {
+ X509err(X509_F_X509_LOAD_CERT_FILE, X509_R_BAD_X509_FILETYPE);
diff --git a/openssl-1.0.2a-xmpp-starttls.patch b/openssl-1.0.2a-xmpp-starttls.patch
new file mode 100644
index 0000000..d2c3bcd
--- /dev/null
+++ b/openssl-1.0.2a-xmpp-starttls.patch
@@ -0,0 +1,27 @@
+diff -up openssl-1.0.2a/apps/s_client.c.starttls openssl-1.0.2a/apps/s_client.c
+--- openssl-1.0.2a/apps/s_client.c.starttls 2015-04-22 18:23:12.964387157 +0200
++++ openssl-1.0.2a/apps/s_client.c 2015-04-22 18:23:56.496414820 +0200
+@@ -134,7 +134,8 @@
+ * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
+ * OTHERWISE.
+ */
+-
++/* for strcasestr */
++#define _GNU_SOURCE
+ #include <assert.h>
+ #include <ctype.h>
+ #include <stdio.h>
+@@ -1626,8 +1627,11 @@ int MAIN(int argc, char **argv)
+ "xmlns='jabber:client' to='%s' version='1.0'>", host);
+ seen = BIO_read(sbio, mbuf, BUFSIZZ);
+ mbuf[seen] = 0;
+- while (!strstr
+- (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) {
++ while (!strcasestr
++ (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")
++ && !strcasestr(mbuf,
++ "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
++ {
+ if (strstr(mbuf, "/stream:features>"))
+ goto shut;
+ seen = BIO_read(sbio, mbuf, BUFSIZZ);
diff --git a/openssl-dont-include-winsock-h.patch b/openssl-dont-include-winsock-h.patch
index 694728d..a5082e4 100644
--- a/openssl-dont-include-winsock-h.patch
+++ b/openssl-dont-include-winsock-h.patch
@@ -1,11 +1,11 @@
--- ssl/dtls1.h.orig 2014-12-22 19:03:22.442338471 +0100
+++ ssl/dtls1.h 2014-12-22 19:03:44.061694335 +0100
@@ -68,7 +68,7 @@
- #endif
- #ifdef OPENSSL_SYS_WIN32
+ # endif
+ # ifdef OPENSSL_SYS_WIN32
/* Needed for struct timeval */
--#include <winsock.h>
-+#include <time.h>
- #elif defined(OPENSSL_SYS_NETWARE) && !defined(_WINSOCK2API_)
- #include <sys/timeval.h>
- #else
+-# include <winsock.h>
++# include <time.h>
+ # elif defined(OPENSSL_SYS_NETWARE) && !defined(_WINSOCK2API_)
+ # include <sys/timeval.h>
+ # else
diff --git a/openssl-mingw64-dont-use-secure-getenv.patch b/openssl-mingw64-dont-use-secure-getenv.patch
index c8a752a..69e0a84 100644
--- a/openssl-mingw64-dont-use-secure-getenv.patch
+++ b/openssl-mingw64-dont-use-secure-getenv.patch
@@ -1,11 +1,11 @@
---- openssl-1.0.1e/ssl/ssl_ciph.c.orig 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/ssl_ciph.c 2013-03-24 20:39:53.425122737 +0100
-@@ -455,7 +457,7 @@
-
- MemCheck_off();
- ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
-- if (ssl_comp_methods != NULL && secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL)
-+ if (ssl_comp_methods != NULL && getenv("OPENSSL_DEFAULT_ZLIB") != NULL)
- {
- comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
- if (comp != NULL)
+--- openssl-1.0.2a/ssl/ssl_ciph.c.secure_getenv_mingw 2015-04-24 18:34:32.572168275 +0200
++++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-04-24 18:35:03.060679959 +0200
+@@ -484,7 +484,7 @@
+ MemCheck_off();
+ ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
+ if (ssl_comp_methods != NULL
+- && secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL) {
++ && getenv("OPENSSL_DEFAULT_ZLIB") != NULL) {
+ comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+ if (comp != NULL) {
+ comp->method = COMP_zlib();
diff --git a/openssl_mingw64_install_fix.patch b/openssl_mingw64_install_fix.patch
index 17b8607..d226f7f 100644
--- a/openssl_mingw64_install_fix.patch
+++ b/openssl_mingw64_install_fix.patch
@@ -6,6 +6,6 @@
pfx=lib; \
- if [ "$(PLATFORM)" = "mingw" ]; then \
+ if [ "$(PLATFORM)" = "mingw" -o "$(PLATFORM)" = "mingw64" ]; then \
- sfx=.dll; \
- cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
- elif [ "$(PLATFORM)" != "Cygwin" ]; then \
+ sfx=.dll; \
+ cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
+ elif expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/mingw-openssl.git/commit/?h=f22&id=038bb32a6e859d4e8b2fb2821029e3542d71528b
More information about the scm-commits
mailing list