tmraz pushed to openssl (master). "minor upstream release 1.0.2c fixing multiple security issues"
notifications at fedoraproject.org
notifications at fedoraproject.org
Mon Jun 15 16:23:59 UTC 2015
From 837dd048828c9c49a51fb70b7f0e8af43947fde4 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz at fedoraproject.org>
Date: Mon, 15 Jun 2015 18:23:46 +0200
Subject: minor upstream release 1.0.2c fixing multiple security issues
diff --git a/.gitignore b/.gitignore
index 0076204..c044edf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,3 +23,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.0.1j-hobbled.tar.xz
/openssl-1.0.1k-hobbled.tar.xz
/openssl-1.0.2a-hobbled.tar.xz
+/openssl-1.0.2c-hobbled.tar.xz
diff --git a/ectest.c b/ectest.c
index 71fef23..a35f5ad 100644
--- a/ectest.c
+++ b/ectest.c
@@ -386,7 +386,7 @@ static void prime_field_tests(void)
ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx))
+ if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
ABORT;
if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E"
"84F3B9CAC2FC632551"))
@@ -442,7 +442,7 @@ static void prime_field_tests(void)
ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx))
+ if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
ABORT;
if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973"))
@@ -501,7 +501,7 @@ static void prime_field_tests(void)
ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx))
ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx))
+ if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
ABORT;
if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5"
@@ -545,7 +545,7 @@ static void prime_field_tests(void)
ABORT;
if (!EC_POINT_dbl(group, P, P, ctx))
ABORT;
- if (!EC_POINT_is_on_curve(group, P, ctx))
+ if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
ABORT;
if (!EC_POINT_invert(group, Q, ctx))
ABORT; /* P = -2Q */
diff --git a/openssl-1.0.2a-alt-chains.patch b/openssl-1.0.2a-alt-chains.patch
deleted file mode 100644
index 44453c6..0000000
--- a/openssl-1.0.2a-alt-chains.patch
+++ /dev/null
@@ -1,527 +0,0 @@
-diff -up openssl-1.0.2a/apps/apps.c.alt-chains openssl-1.0.2a/apps/apps.c
---- openssl-1.0.2a/apps/apps.c.alt-chains 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/apps/apps.c 2015-04-28 16:49:50.124558770 +0200
-@@ -2371,6 +2371,8 @@ int args_verify(char ***pargs, int *parg
- flags |= X509_V_FLAG_SUITEB_192_LOS;
- else if (!strcmp(arg, "-partial_chain"))
- flags |= X509_V_FLAG_PARTIAL_CHAIN;
-+ else if (!strcmp(arg, "-no_alt_chains"))
-+ flags |= X509_V_FLAG_NO_ALT_CHAINS;
- else
- return 0;
-
-diff -up openssl-1.0.2a/apps/cms.c.alt-chains openssl-1.0.2a/apps/cms.c
---- openssl-1.0.2a/apps/cms.c.alt-chains 2015-04-23 10:22:56.225685251 +0200
-+++ openssl-1.0.2a/apps/cms.c 2015-04-28 16:49:50.125558793 +0200
-@@ -648,6 +648,8 @@ int MAIN(int argc, char **argv)
- BIO_printf(bio_err,
- "-trusted_first use trusted certificates first when building the trust chain\n");
- BIO_printf(bio_err,
-+ "-no_alt_chains only ever use the first certificate chain found\n");
-+ BIO_printf(bio_err,
- "-crl_check check revocation status of signer's certificate using CRLs\n");
- BIO_printf(bio_err,
- "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
-diff -up openssl-1.0.2a/apps/ocsp.c.alt-chains openssl-1.0.2a/apps/ocsp.c
---- openssl-1.0.2a/apps/ocsp.c.alt-chains 2015-04-23 10:22:56.225685251 +0200
-+++ openssl-1.0.2a/apps/ocsp.c 2015-04-28 16:49:50.125558793 +0200
-@@ -538,6 +538,8 @@ int MAIN(int argc, char **argv)
- BIO_printf(bio_err,
- "-trusted_first use trusted certificates first when building the trust chain\n");
- BIO_printf(bio_err,
-+ "-no_alt_chains only ever use the first certificate chain found\n");
-+ BIO_printf(bio_err,
- "-VAfile file validator certificates file\n");
- BIO_printf(bio_err,
- "-validity_period n maximum validity discrepancy in seconds\n");
-diff -up openssl-1.0.2a/apps/s_client.c.alt-chains openssl-1.0.2a/apps/s_client.c
---- openssl-1.0.2a/apps/s_client.c.alt-chains 2015-04-23 10:22:56.225685251 +0200
-+++ openssl-1.0.2a/apps/s_client.c 2015-04-28 16:49:50.126558815 +0200
-@@ -335,6 +335,8 @@ static void sc_usage(void)
- BIO_printf(bio_err,
- " -trusted_first - Use trusted CA's first when building the trust chain\n");
- BIO_printf(bio_err,
-+ " -no_alt_chains - only ever use the first certificate chain found\n");
-+ BIO_printf(bio_err,
- " -reconnect - Drop and re-make the connection with the same Session-ID\n");
- BIO_printf(bio_err,
- " -pause - sleep(1) after each read(2) and write(2) system call\n");
-diff -up openssl-1.0.2a/apps/smime.c.alt-chains openssl-1.0.2a/apps/smime.c
---- openssl-1.0.2a/apps/smime.c.alt-chains 2015-04-23 10:22:56.226685277 +0200
-+++ openssl-1.0.2a/apps/smime.c 2015-04-28 16:49:50.128558861 +0200
-@@ -444,6 +444,8 @@ int MAIN(int argc, char **argv)
- BIO_printf(bio_err,
- "-trusted_first use trusted certificates first when building the trust chain\n");
- BIO_printf(bio_err,
-+ "-no_alt_chains only ever use the first certificate chain found\n");
-+ BIO_printf(bio_err,
- "-crl_check check revocation status of signer's certificate using CRLs\n");
- BIO_printf(bio_err,
- "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
-diff -up openssl-1.0.2a/apps/s_server.c.alt-chains openssl-1.0.2a/apps/s_server.c
---- openssl-1.0.2a/apps/s_server.c.alt-chains 2015-04-23 10:22:56.226685277 +0200
-+++ openssl-1.0.2a/apps/s_server.c 2015-04-28 16:49:50.128558861 +0200
-@@ -571,6 +571,8 @@ static void sv_usage(void)
- BIO_printf(bio_err,
- " -trusted_first - Use trusted CA's first when building the trust chain\n");
- BIO_printf(bio_err,
-+ " -no_alt_chains - only ever use the first certificate chain found\n");
-+ BIO_printf(bio_err,
- " -nocert - Don't use any certificates (Anon-DH)\n");
- BIO_printf(bio_err,
- " -cipher arg - play with 'openssl ciphers' to see what goes here\n");
-diff -up openssl-1.0.2a/apps/verify.c.alt-chains openssl-1.0.2a/apps/verify.c
---- openssl-1.0.2a/apps/verify.c.alt-chains 2015-04-28 16:49:50.128558861 +0200
-+++ openssl-1.0.2a/apps/verify.c 2015-04-28 16:50:52.210974346 +0200
-@@ -232,7 +232,7 @@ int MAIN(int argc, char **argv)
- if (ret == 1) {
- BIO_printf(bio_err,
- "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
-- BIO_printf(bio_err, " [-attime timestamp]");
-+ BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
- #ifndef OPENSSL_NO_ENGINE
- BIO_printf(bio_err, " [-engine e]");
- #endif
-diff -up openssl-1.0.2a/crypto/x509/x509_vfy.c.alt-chains openssl-1.0.2a/crypto/x509/x509_vfy.c
---- openssl-1.0.2a/crypto/x509/x509_vfy.c.alt-chains 2015-04-23 10:22:56.188684277 +0200
-+++ openssl-1.0.2a/crypto/x509/x509_vfy.c 2015-04-28 17:03:40.478786778 +0200
-@@ -189,11 +189,11 @@ static X509 *lookup_cert_match(X509_STOR
-
- int X509_verify_cert(X509_STORE_CTX *ctx)
- {
-- X509 *x, *xtmp, *chain_ss = NULL;
-+ X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
- int bad_chain = 0;
- X509_VERIFY_PARAM *param = ctx->param;
- int depth, i, ok = 0;
-- int num;
-+ int num, j, retry;
- int (*cb) (int xok, X509_STORE_CTX *xctx);
- STACK_OF(X509) *sktmp = NULL;
- if (ctx->cert == NULL) {
-@@ -278,91 +278,136 @@ int X509_verify_cert(X509_STORE_CTX *ctx
- break;
- }
-
-+ /* Remember how many untrusted certs we have */
-+ j = num;
- /*
- * at this point, chain should contain a list of untrusted certificates.
- * We now need to add at least one trusted one, if possible, otherwise we
- * complain.
- */
-
-- /*
-- * Examine last certificate in chain and see if it is self signed.
-- */
--
-- i = sk_X509_num(ctx->chain);
-- x = sk_X509_value(ctx->chain, i - 1);
-- if (cert_self_signed(x)) {
-- /* we have a self signed certificate */
-- if (sk_X509_num(ctx->chain) == 1) {
-- /*
-- * We have a single self signed certificate: see if we can find
-- * it in the store. We must have an exact match to avoid possible
-- * impersonation.
-- */
-- ok = ctx->get_issuer(&xtmp, ctx, x);
-- if ((ok <= 0) || X509_cmp(x, xtmp)) {
-- ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
-- ctx->current_cert = x;
-- ctx->error_depth = i - 1;
-- if (ok == 1)
-- X509_free(xtmp);
-- bad_chain = 1;
-- ok = cb(0, ctx);
-- if (!ok)
-- goto end;
-+ do {
-+ /*
-+ * Examine last certificate in chain and see if it is self signed.
-+ */
-+ i = sk_X509_num(ctx->chain);
-+ x = sk_X509_value(ctx->chain, i - 1);
-+ if (cert_self_signed(x)) {
-+ /* we have a self signed certificate */
-+ if (sk_X509_num(ctx->chain) == 1) {
-+ /*
-+ * We have a single self signed certificate: see if we can
-+ * find it in the store. We must have an exact match to avoid
-+ * possible impersonation.
-+ */
-+ ok = ctx->get_issuer(&xtmp, ctx, x);
-+ if ((ok <= 0) || X509_cmp(x, xtmp)) {
-+ ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
-+ ctx->current_cert = x;
-+ ctx->error_depth = i - 1;
-+ if (ok == 1)
-+ X509_free(xtmp);
-+ bad_chain = 1;
-+ ok = cb(0, ctx);
-+ if (!ok)
-+ goto end;
-+ } else {
-+ /*
-+ * We have a match: replace certificate with store
-+ * version so we get any trust settings.
-+ */
-+ X509_free(x);
-+ x = xtmp;
-+ (void)sk_X509_set(ctx->chain, i - 1, x);
-+ ctx->last_untrusted = 0;
-+ }
- } else {
- /*
-- * We have a match: replace certificate with store version so
-- * we get any trust settings.
-+ * extract and save self signed certificate for later use
- */
-- X509_free(x);
-- x = xtmp;
-- (void)sk_X509_set(ctx->chain, i - 1, x);
-- ctx->last_untrusted = 0;
-+ chain_ss = sk_X509_pop(ctx->chain);
-+ ctx->last_untrusted--;
-+ num--;
-+ j--;
-+ x = sk_X509_value(ctx->chain, num - 1);
- }
-- } else {
-- /*
-- * extract and save self signed certificate for later use
-- */
-- chain_ss = sk_X509_pop(ctx->chain);
-- ctx->last_untrusted--;
-- num--;
-- x = sk_X509_value(ctx->chain, num - 1);
- }
-- }
--
-- /* We now lookup certs from the certificate store */
-- for (;;) {
-- /* If we have enough, we break */
-- if (depth < num)
-- break;
-+ /* We now lookup certs from the certificate store */
-+ for (;;) {
-+ /* If we have enough, we break */
-+ if (depth < num)
-+ break;
-+ /* If we are self signed, we break */
-+ if (cert_self_signed(x))
-+ break;
-+ ok = ctx->get_issuer(&xtmp, ctx, x);
-
-- /* If we are self signed, we break */
-- if (cert_self_signed(x))
-- break;
-+ if (ok < 0)
-+ return ok;
-+ if (ok == 0)
-+ break;
-+ x = xtmp;
-+ if (!sk_X509_push(ctx->chain, x)) {
-+ X509_free(xtmp);
-+ X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
-+ return 0;
-+ }
-+ num++;
-+ }
-
-- ok = ctx->get_issuer(&xtmp, ctx, x);
-+ /* we now have our chain, lets check it... */
-+ i = check_trust(ctx);
-
-- if (ok < 0)
-- return ok;
-- if (ok == 0)
-- break;
-+ /* If explicitly rejected error */
-+ if (i == X509_TRUST_REJECTED)
-+ goto end;
-+ /*
-+ * If it's not explicitly trusted then check if there is an alternative
-+ * chain that could be used. We only do this if we haven't already
-+ * checked via TRUSTED_FIRST and the user hasn't switched off alternate
-+ * chain checking
-+ */
-+ retry = 0;
-+ if (i != X509_TRUST_TRUSTED
-+ && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
-+ && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
-+ while (j-- > 1) {
-+ STACK_OF(X509) *chtmp = ctx->chain;
-+ xtmp2 = sk_X509_value(ctx->chain, j - 1);
-+ /*
-+ * Temporarily set chain to NULL so we don't discount
-+ * duplicates: the same certificate could be an untrusted
-+ * CA found in the trusted store.
-+ */
-+ ctx->chain = NULL;
-+ ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
-+ ctx->chain = chtmp;
-+ if (ok < 0)
-+ goto end;
-+ /* Check if we found an alternate chain */
-+ if (ok > 0) {
-+ /*
-+ * Free up the found cert we'll add it again later
-+ */
-+ X509_free(xtmp);
-
-- x = xtmp;
-- if (!sk_X509_push(ctx->chain, x)) {
-- X509_free(xtmp);
-- X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
-- return 0;
-+ /*
-+ * Dump all the certs above this point - we've found an
-+ * alternate chain
-+ */
-+ while (num > j) {
-+ xtmp = sk_X509_pop(ctx->chain);
-+ X509_free(xtmp);
-+ num--;
-+ ctx->last_untrusted--;
-+ }
-+ retry = 1;
-+ break;
-+ }
-+ }
- }
-- num++;
-- }
-+ } while (retry);
-
-- /* we now have our chain, lets check it... */
--
-- i = check_trust(ctx);
--
-- /* If explicitly rejected error */
-- if (i == X509_TRUST_REJECTED)
-- goto end;
- /*
- * If not explicitly trusted then indicate error unless it's a single
- * self signed certificate in which case we've indicated an error already
-diff -up openssl-1.0.2a/crypto/x509/x509_vfy.h.alt-chains openssl-1.0.2a/crypto/x509/x509_vfy.h
---- openssl-1.0.2a/crypto/x509/x509_vfy.h.alt-chains 2015-04-23 10:22:56.016679751 +0200
-+++ openssl-1.0.2a/crypto/x509/x509_vfy.h 2015-04-28 16:49:18.551838908 +0200
-@@ -432,6 +432,12 @@ void X509_STORE_CTX_set_depth(X509_STORE
-
- /* Allow partial chains if at least one certificate is in trusted store */
- # define X509_V_FLAG_PARTIAL_CHAIN 0x80000
-+/*
-+ * If the initial chain is not trusted, do not attempt to build an alternative
-+ * chain. Alternate chain checking was introduced in 1.0.2b. Setting this flag
-+ * will force the behaviour to match that of previous versions.
-+ */
-+# define X509_V_FLAG_NO_ALT_CHAINS 0x100000
-
- # define X509_VP_FLAG_DEFAULT 0x1
- # define X509_VP_FLAG_OVERWRITE 0x2
-diff -up openssl-1.0.2a/doc/apps/cms.pod.alt-chains openssl-1.0.2a/doc/apps/cms.pod
---- openssl-1.0.2a/doc/apps/cms.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
-+++ openssl-1.0.2a/doc/apps/cms.pod 2015-04-28 16:54:17.537682406 +0200
-@@ -36,6 +36,7 @@ B<openssl> B<cms>
- [B<-CAfile file>]
- [B<-CApath dir>]
- [B<-trusted_first>]
-+[B<-no_alt_chains>]
- [B<-md digest>]
- [B<-[cipher]>]
- [B<-nointern>]
-@@ -426,7 +427,7 @@ portion of a message so they may be incl
- then many S/MIME mail clients check the signers certificate's email
- address matches that specified in the From: address.
-
--=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
-+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
-
- Set various certificate chain valiadition option. See the
- L<B<verify>|verify(1)> manual page for details.
-@@ -662,4 +663,6 @@ Support for RSA-OAEP and RSA-PSS was fir
- The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added
- to OpenSSL 1.1.0.
-
-+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
-+
- =cut
-diff -up openssl-1.0.2a/doc/apps/ocsp.pod.alt-chains openssl-1.0.2a/doc/apps/ocsp.pod
---- openssl-1.0.2a/doc/apps/ocsp.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
-+++ openssl-1.0.2a/doc/apps/ocsp.pod 2015-04-28 16:53:44.564914852 +0200
-@@ -30,6 +30,7 @@ B<openssl> B<ocsp>
- [B<-CApath dir>]
- [B<-CAfile file>]
- [B<-trusted_first>]
-+[B<-no_alt_chains>]
- [B<-VAfile file>]
- [B<-validity_period n>]
- [B<-status_age n>]
-@@ -151,6 +152,10 @@ in the response or residing in other cer
- chain to verify responder certificate.
- This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-
-+=item B<-no_alt_chains>
-+
-+See L<B<verify>|verify(1)> manual page for details.
-+
- =item B<-verify_other file>
-
- file containing additional certificates to search when attempting to locate
-@@ -388,3 +393,9 @@ second file.
-
- openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
- -reqin req.der -respout resp.der
-+
-+=head1 HISTORY
-+
-+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
-+
-+=cut
-diff -up openssl-1.0.2a/doc/apps/s_client.pod.alt-chains openssl-1.0.2a/doc/apps/s_client.pod
---- openssl-1.0.2a/doc/apps/s_client.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
-+++ openssl-1.0.2a/doc/apps/s_client.pod 2015-04-28 16:55:24.812248450 +0200
-@@ -20,6 +20,7 @@ B<openssl> B<s_client>
- [B<-CApath directory>]
- [B<-CAfile filename>]
- [B<-trusted_first>]
-+[B<-no_alt_chains>]
- [B<-reconnect>]
- [B<-pause>]
- [B<-showcerts>]
-@@ -124,7 +125,7 @@ also used when building the client certi
- A file containing trusted certificates to use during server authentication
- and to use when attempting to build the client certificate chain.
-
--=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
-+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first -no_alt_chains>
-
- Set various certificate chain valiadition option. See the
- L<B<verify>|verify(1)> manual page for details.
-@@ -365,4 +366,8 @@ information whenever a session is renego
-
- L<sess_id(1)|sess_id(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)>
-
-+=head1 HISTORY
-+
-+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
-+
- =cut
-diff -up openssl-1.0.2a/doc/apps/smime.pod.alt-chains openssl-1.0.2a/doc/apps/smime.pod
---- openssl-1.0.2a/doc/apps/smime.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
-+++ openssl-1.0.2a/doc/apps/smime.pod 2015-04-28 16:57:33.598246384 +0200
-@@ -18,6 +18,7 @@ B<openssl> B<smime>
- [B<-CAfile file>]
- [B<-CApath dir>]
- [B<-trusted_first>]
-+[B<-no_alt_chains>]
- [B<-certfile file>]
- [B<-signer file>]
- [B<-recip file>]
-@@ -268,7 +269,7 @@ portion of a message so they may be incl
- then many S/MIME mail clients check the signers certificate's email
- address matches that specified in the From: address.
-
--=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
-+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
-
- Set various options of certificate chain verification. See
- L<B<verify>|verify(1)> manual page for details.
-@@ -450,5 +451,6 @@ structures may cause parsing errors.
- The use of multiple B<-signer> options and the B<-resign> command were first
- added in OpenSSL 1.0.0
-
-+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
-
- =cut
-diff -up openssl-1.0.2a/doc/apps/s_server.pod.alt-chains openssl-1.0.2a/doc/apps/s_server.pod
---- openssl-1.0.2a/doc/apps/s_server.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
-+++ openssl-1.0.2a/doc/apps/s_server.pod 2015-04-28 16:56:27.494707598 +0200
-@@ -34,6 +34,7 @@ B<openssl> B<s_server>
- [B<-CApath directory>]
- [B<-CAfile filename>]
- [B<-trusted_first>]
-+[B<-no_alt_chains>]
- [B<-nocert>]
- [B<-cipher cipherlist>]
- [B<-serverpref>]
-@@ -181,6 +182,10 @@ Use certificates in CA file or CA direct
- when building the trust chain to verify client certificates.
- This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-
-+=item B<-no_alt_chains>
-+
-+See the L<B<verify>|verify(1)> manual page for details.
-+
- =item B<-state>
-
- prints out the SSL session states.
-@@ -413,4 +418,8 @@ unknown cipher suites a client says it s
-
- L<sess_id(1)|sess_id(1)>, L<s_client(1)|s_client(1)>, L<ciphers(1)|ciphers(1)>
-
-+=head1 HISTORY
-+
-+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
-+
- =cut
-diff -up openssl-1.0.2a/doc/apps/verify.pod.alt-chains openssl-1.0.2a/doc/apps/verify.pod
---- openssl-1.0.2a/doc/apps/verify.pod.alt-chains 2015-04-23 10:22:56.228685330 +0200
-+++ openssl-1.0.2a/doc/apps/verify.pod 2015-04-28 16:52:22.544033948 +0200
-@@ -26,6 +26,7 @@ B<openssl> B<verify>
- [B<-extended_crl>]
- [B<-use_deltas>]
- [B<-policy_print>]
-+[B<-no_alt_chains>]
- [B<-untrusted file>]
- [B<-help>]
- [B<-issuer_checks>]
-@@ -131,6 +132,14 @@ Set policy variable inhibit-any-policy (
-
- Set policy variable inhibit-policy-mapping (see RFC5280).
-
-+=item B<-no_alt_chains>
-+
-+When building a certificate chain, if the first certificate chain found is not
-+trusted, then OpenSSL will continue to check to see if an alternative chain can
-+be found that is trusted. With this option that behaviour is suppressed so that
-+only the first chain found is ever used. Using this option will force the
-+behaviour to match that of previous OpenSSL versions.
-+
- =item B<-policy_print>
-
- Print out diagnostics related to policy processing.
-@@ -432,4 +441,8 @@ B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CER
-
- L<x509(1)|x509(1)>
-
-+=head1 HISTORY
-+
-+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
-+
- =cut
-diff -up openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
---- openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod 2015-04-28 16:52:22.544033948 +0200
-@@ -197,6 +197,12 @@ verification. If this flag is set then a
- to the verification callback and it B<must> be prepared to handle such cases
- without assuming they are hard errors.
-
-+The B<X509_V_FLAG_NO_ALT_CHAINS> flag suppresses checking for alternative
-+chains. By default, when building a certificate chain, if the first certificate
-+chain found is not trusted, then OpenSSL will continue to check to see if an
-+alternative chain can be found that is trusted. With this flag set the behaviour
-+will match that of OpenSSL versions prior to 1.0.2b.
-+
- =head1 NOTES
-
- The above functions should be used to manipulate verification parameters
-@@ -233,6 +239,6 @@ L<X509_check_ip(3)|X509_check_ip(3)>
-
- =head1 HISTORY
-
--TBA
-+The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.0.2b
-
- =cut
diff --git a/openssl-1.0.2a-default-paths.patch b/openssl-1.0.2a-default-paths.patch
deleted file mode 100644
index 6e02c6d..0000000
--- a/openssl-1.0.2a-default-paths.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-diff -up openssl-1.0.2a/apps/s_client.c.default-paths openssl-1.0.2a/apps/s_client.c
---- openssl-1.0.2a/apps/s_client.c.default-paths 2015-04-20 14:48:31.462166971 +0200
-+++ openssl-1.0.2a/apps/s_client.c 2015-04-20 14:52:55.125316170 +0200
-@@ -1336,19 +1336,16 @@ int MAIN(int argc, char **argv)
-
- SSL_CTX_set_verify(ctx, verify, verify_callback);
-
-- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
-- (!SSL_CTX_set_default_verify_paths(ctx))) {
-- /*
-- * BIO_printf(bio_err,"error setting default verify locations\n");
-- */
-- ERR_print_errors(bio_err);
-- /* goto end; */
-+ if (CAfile == NULL && CApath == NULL) {
-+ if (!SSL_CTX_set_default_verify_paths(ctx)) {
-+ ERR_print_errors(bio_err);
-+ }
-+ } else {
-+ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
-+ ERR_print_errors(bio_err);
-+ }
- }
-
-- ssl_ctx_add_crls(ctx, crls, crl_download);
-- if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain))
-- goto end;
--
- #ifndef OPENSSL_NO_TLSEXT
- if (servername != NULL) {
- tlsextcbp.biodebug = bio_err;
-diff -up openssl-1.0.2a/apps/s_server.c.default-paths openssl-1.0.2a/apps/s_server.c
---- openssl-1.0.2a/apps/s_server.c.default-paths 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/apps/s_server.c 2015-04-20 14:48:31.462166971 +0200
-@@ -1768,12 +1768,16 @@ int MAIN(int argc, char *argv[])
- }
- #endif
-
-- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
-- (!SSL_CTX_set_default_verify_paths(ctx))) {
-- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
-- ERR_print_errors(bio_err);
-- /* goto end; */
-+ if (CAfile == NULL && CApath == NULL) {
-+ if (!SSL_CTX_set_default_verify_paths(ctx)) {
-+ ERR_print_errors(bio_err);
-+ }
-+ } else {
-+ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
-+ ERR_print_errors(bio_err);
-+ }
- }
-+
- if (vpm)
- SSL_CTX_set1_param(ctx, vpm);
-
-@@ -1830,8 +1834,10 @@ int MAIN(int argc, char *argv[])
- else
- SSL_CTX_sess_set_cache_size(ctx2, 128);
-
-- if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
-- (!SSL_CTX_set_default_verify_paths(ctx2))) {
-+ if (!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) {
-+ ERR_print_errors(bio_err);
-+ }
-+ if (!SSL_CTX_set_default_verify_paths(ctx2)) {
- ERR_print_errors(bio_err);
- }
- if (vpm)
-diff -up openssl-1.0.2a/apps/s_time.c.default-paths openssl-1.0.2a/apps/s_time.c
---- openssl-1.0.2a/apps/s_time.c.default-paths 2015-04-20 14:48:31.462166971 +0200
-+++ openssl-1.0.2a/apps/s_time.c 2015-04-20 14:55:14.232542738 +0200
-@@ -381,13 +381,14 @@ int MAIN(int argc, char **argv)
-
- SSL_load_error_strings();
-
-- if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) ||
-- (!SSL_CTX_set_default_verify_paths(tm_ctx))) {
-- /*
-- * BIO_printf(bio_err,"error setting default verify locations\n");
-- */
-- ERR_print_errors(bio_err);
-- /* goto end; */
-+ if (CAfile == NULL && CApath == NULL) {
-+ if (!SSL_CTX_set_default_verify_paths(tm_ctx)) {
-+ ERR_print_errors(bio_err);
-+ }
-+ } else {
-+ if (!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) {
-+ ERR_print_errors(bio_err);
-+ }
- }
-
- if (tm_cipher == NULL)
diff --git a/openssl-1.0.2a-dh-1024.patch b/openssl-1.0.2a-dh-1024.patch
deleted file mode 100644
index 67d3171..0000000
--- a/openssl-1.0.2a-dh-1024.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-diff -up openssl-1.0.2a/apps/s_server.c.dh1024 openssl-1.0.2a/apps/s_server.c
---- openssl-1.0.2a/apps/s_server.c.dh1024 2015-04-09 18:19:55.978228949 +0200
-+++ openssl-1.0.2a/apps/s_server.c 2015-04-09 18:19:50.842110304 +0200
-@@ -230,29 +230,44 @@ static void s_server_init(void);
- #endif
-
- #ifndef OPENSSL_NO_DH
--static unsigned char dh512_p[] = {
-- 0xDA, 0x58, 0x3C, 0x16, 0xD9, 0x85, 0x22, 0x89, 0xD0, 0xE4, 0xAF, 0x75,
-- 0x6F, 0x4C, 0xCA, 0x92, 0xDD, 0x4B, 0xE5, 0x33, 0xB8, 0x04, 0xFB, 0x0F,
-- 0xED, 0x94, 0xEF, 0x9C, 0x8A, 0x44, 0x03, 0xED, 0x57, 0x46, 0x50, 0xD3,
-- 0x69, 0x99, 0xDB, 0x29, 0xD7, 0x76, 0x27, 0x6B, 0xA2, 0xD3, 0xD4, 0x12,
-- 0xE2, 0x18, 0xF4, 0xDD, 0x1E, 0x08, 0x4C, 0xF6, 0xD8, 0x00, 0x3E, 0x7C,
-- 0x47, 0x74, 0xE8, 0x33,
--};
--
--static unsigned char dh512_g[] = {
-- 0x02,
--};
--
--static DH *get_dh512(void)
-+static DH *get_dh1024()
- {
-- DH *dh = NULL;
-+ static unsigned char dh1024_p[] = {
-+ 0x99, 0x58, 0xFA, 0x90, 0x53, 0x2F, 0xE0, 0x61, 0x83, 0x9D, 0x54,
-+ 0x63,
-+ 0xBD, 0x35, 0x5A, 0x31, 0xF3, 0xC6, 0x79, 0xE5, 0xA0, 0x0F, 0x66,
-+ 0x79,
-+ 0x3C, 0xA0, 0x7F, 0xE8, 0xA2, 0x5F, 0xDF, 0x11, 0x08, 0xA3, 0xF0,
-+ 0x3C,
-+ 0xC3, 0x3C, 0x5D, 0x50, 0x2C, 0xD5, 0xD6, 0x58, 0x12, 0xDB, 0xC1,
-+ 0xEF,
-+ 0xB4, 0x47, 0x4A, 0x5A, 0x39, 0x8A, 0x4E, 0xEB, 0x44, 0xE2, 0x07,
-+ 0xFB,
-+ 0x3D, 0xA3, 0xC7, 0x6E, 0x52, 0xF3, 0x2B, 0x7B, 0x10, 0xA5, 0x98,
-+ 0xE3,
-+ 0x38, 0x2A, 0xE2, 0x7F, 0xA4, 0x8F, 0x26, 0x87, 0x9B, 0x66, 0x7A,
-+ 0xED,
-+ 0x2D, 0x4C, 0xE7, 0x33, 0x77, 0x47, 0x94, 0x43, 0xB6, 0xAA, 0x97,
-+ 0x23,
-+ 0x8A, 0xFC, 0xA5, 0xA6, 0x64, 0x09, 0xC0, 0x27, 0xC0, 0xEF, 0xCB,
-+ 0x05,
-+ 0x90, 0x9D, 0xD5, 0x75, 0xBA, 0x00, 0xE0, 0xFB, 0xA8, 0x81, 0x52,
-+ 0xA4,
-+ 0xB2, 0x83, 0x22, 0x5B, 0xCB, 0xD7, 0x16, 0x93,
-+ };
-+ static unsigned char dh1024_g[] = {
-+ 0x02,
-+ };
-+ DH *dh;
-
- if ((dh = DH_new()) == NULL)
- return (NULL);
-- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
-- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
-- if ((dh->p == NULL) || (dh->g == NULL))
-+ dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
-+ dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
-+ if ((dh->p == NULL) || (dh->g == NULL)) {
-+ DH_free(dh);
- return (NULL);
-+ }
- return (dh);
- }
- #endif
-@@ -1872,7 +1987,7 @@ int MAIN(int argc, char *argv[])
- BIO_printf(bio_s_out, "Setting temp DH parameters\n");
- } else {
- BIO_printf(bio_s_out, "Using default temp DH parameters\n");
-- dh = get_dh512();
-+ dh = get_dh1024();
- }
- (void)BIO_flush(bio_s_out);
-
diff --git a/openssl-1.0.2a-ecc-suiteb.patch b/openssl-1.0.2a-ecc-suiteb.patch
deleted file mode 100644
index 5b27fdc..0000000
--- a/openssl-1.0.2a-ecc-suiteb.patch
+++ /dev/null
@@ -1,199 +0,0 @@
-diff -up openssl-1.0.2a/apps/speed.c.suiteb openssl-1.0.2a/apps/speed.c
---- openssl-1.0.2a/apps/speed.c.suiteb 2015-04-21 17:46:15.452321183 +0200
-+++ openssl-1.0.2a/apps/speed.c 2015-04-22 14:52:45.362272296 +0200
-@@ -996,78 +996,26 @@ int MAIN(int argc, char **argv)
- } else
- # endif
- # ifndef OPENSSL_NO_ECDSA
-- if (strcmp(*argv, "ecdsap160") == 0)
-- ecdsa_doit[R_EC_P160] = 2;
-- else if (strcmp(*argv, "ecdsap192") == 0)
-- ecdsa_doit[R_EC_P192] = 2;
-- else if (strcmp(*argv, "ecdsap224") == 0)
-- ecdsa_doit[R_EC_P224] = 2;
-- else if (strcmp(*argv, "ecdsap256") == 0)
-+ if (strcmp(*argv, "ecdsap256") == 0)
- ecdsa_doit[R_EC_P256] = 2;
- else if (strcmp(*argv, "ecdsap384") == 0)
- ecdsa_doit[R_EC_P384] = 2;
- else if (strcmp(*argv, "ecdsap521") == 0)
- ecdsa_doit[R_EC_P521] = 2;
-- else if (strcmp(*argv, "ecdsak163") == 0)
-- ecdsa_doit[R_EC_K163] = 2;
-- else if (strcmp(*argv, "ecdsak233") == 0)
-- ecdsa_doit[R_EC_K233] = 2;
-- else if (strcmp(*argv, "ecdsak283") == 0)
-- ecdsa_doit[R_EC_K283] = 2;
-- else if (strcmp(*argv, "ecdsak409") == 0)
-- ecdsa_doit[R_EC_K409] = 2;
-- else if (strcmp(*argv, "ecdsak571") == 0)
-- ecdsa_doit[R_EC_K571] = 2;
-- else if (strcmp(*argv, "ecdsab163") == 0)
-- ecdsa_doit[R_EC_B163] = 2;
-- else if (strcmp(*argv, "ecdsab233") == 0)
-- ecdsa_doit[R_EC_B233] = 2;
-- else if (strcmp(*argv, "ecdsab283") == 0)
-- ecdsa_doit[R_EC_B283] = 2;
-- else if (strcmp(*argv, "ecdsab409") == 0)
-- ecdsa_doit[R_EC_B409] = 2;
-- else if (strcmp(*argv, "ecdsab571") == 0)
-- ecdsa_doit[R_EC_B571] = 2;
- else if (strcmp(*argv, "ecdsa") == 0) {
-- for (i = 0; i < EC_NUM; i++)
-+ for (i = R_EC_P256; i <= R_EC_P521; i++)
- ecdsa_doit[i] = 1;
- } else
- # endif
- # ifndef OPENSSL_NO_ECDH
-- if (strcmp(*argv, "ecdhp160") == 0)
-- ecdh_doit[R_EC_P160] = 2;
-- else if (strcmp(*argv, "ecdhp192") == 0)
-- ecdh_doit[R_EC_P192] = 2;
-- else if (strcmp(*argv, "ecdhp224") == 0)
-- ecdh_doit[R_EC_P224] = 2;
-- else if (strcmp(*argv, "ecdhp256") == 0)
-+ if (strcmp(*argv, "ecdhp256") == 0)
- ecdh_doit[R_EC_P256] = 2;
- else if (strcmp(*argv, "ecdhp384") == 0)
- ecdh_doit[R_EC_P384] = 2;
- else if (strcmp(*argv, "ecdhp521") == 0)
- ecdh_doit[R_EC_P521] = 2;
-- else if (strcmp(*argv, "ecdhk163") == 0)
-- ecdh_doit[R_EC_K163] = 2;
-- else if (strcmp(*argv, "ecdhk233") == 0)
-- ecdh_doit[R_EC_K233] = 2;
-- else if (strcmp(*argv, "ecdhk283") == 0)
-- ecdh_doit[R_EC_K283] = 2;
-- else if (strcmp(*argv, "ecdhk409") == 0)
-- ecdh_doit[R_EC_K409] = 2;
-- else if (strcmp(*argv, "ecdhk571") == 0)
-- ecdh_doit[R_EC_K571] = 2;
-- else if (strcmp(*argv, "ecdhb163") == 0)
-- ecdh_doit[R_EC_B163] = 2;
-- else if (strcmp(*argv, "ecdhb233") == 0)
-- ecdh_doit[R_EC_B233] = 2;
-- else if (strcmp(*argv, "ecdhb283") == 0)
-- ecdh_doit[R_EC_B283] = 2;
-- else if (strcmp(*argv, "ecdhb409") == 0)
-- ecdh_doit[R_EC_B409] = 2;
-- else if (strcmp(*argv, "ecdhb571") == 0)
-- ecdh_doit[R_EC_B571] = 2;
- else if (strcmp(*argv, "ecdh") == 0) {
-- for (i = 0; i < EC_NUM; i++)
-+ for (i = R_EC_P256; i <= R_EC_P521; i++)
- ecdh_doit[i] = 1;
- } else
- # endif
-@@ -1156,21 +1104,11 @@ int MAIN(int argc, char **argv)
- BIO_printf(bio_err, "dsa512 dsa1024 dsa2048\n");
- # endif
- # ifndef OPENSSL_NO_ECDSA
-- BIO_printf(bio_err, "ecdsap160 ecdsap192 ecdsap224 "
-- "ecdsap256 ecdsap384 ecdsap521\n");
-- BIO_printf(bio_err,
-- "ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n");
-- BIO_printf(bio_err,
-- "ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n");
-+ BIO_printf(bio_err, "ecdsap256 ecdsap384 ecdsap521\n");
- BIO_printf(bio_err, "ecdsa\n");
- # endif
- # ifndef OPENSSL_NO_ECDH
-- BIO_printf(bio_err, "ecdhp160 ecdhp192 ecdhp224 "
-- "ecdhp256 ecdhp384 ecdhp521\n");
-- BIO_printf(bio_err,
-- "ecdhk163 ecdhk233 ecdhk283 ecdhk409 ecdhk571\n");
-- BIO_printf(bio_err,
-- "ecdhb163 ecdhb233 ecdhb283 ecdhb409 ecdhb571\n");
-+ BIO_printf(bio_err, "ecdhp256 ecdhp384 ecdhp521\n");
- BIO_printf(bio_err, "ecdh\n");
- # endif
-
-@@ -1255,11 +1193,11 @@ int MAIN(int argc, char **argv)
- if (!FIPS_mode() || i != R_DSA_512)
- dsa_doit[i] = 1;
- # ifndef OPENSSL_NO_ECDSA
-- for (i = 0; i < EC_NUM; i++)
-+ for (i = R_EC_P256; i <= R_EC_P521; i++)
- ecdsa_doit[i] = 1;
- # endif
- # ifndef OPENSSL_NO_ECDH
-- for (i = 0; i < EC_NUM; i++)
-+ for (i = R_EC_P256; i <= R_EC_P521; i++)
- ecdh_doit[i] = 1;
- # endif
- }
-diff -up openssl-1.0.2a/ssl/t1_lib.c.suiteb openssl-1.0.2a/ssl/t1_lib.c
---- openssl-1.0.2a/ssl/t1_lib.c.suiteb 2015-04-21 17:46:15.506322451 +0200
-+++ openssl-1.0.2a/ssl/t1_lib.c 2015-04-22 15:03:32.464591096 +0200
-@@ -266,41 +266,30 @@ static const unsigned char eccurves_defa
- 0, 13, /* sect571k1 (13) */
- # endif
- 0, 25, /* secp521r1 (25) */
-- 0, 28, /* brainpool512r1 (28) */
- # ifndef OPENSSL_NO_EC2M
- 0, 11, /* sect409k1 (11) */
- 0, 12, /* sect409r1 (12) */
- # endif
-- 0, 27, /* brainpoolP384r1 (27) */
- 0, 24, /* secp384r1 (24) */
- # ifndef OPENSSL_NO_EC2M
- 0, 9, /* sect283k1 (9) */
- 0, 10, /* sect283r1 (10) */
- # endif
-- 0, 26, /* brainpoolP256r1 (26) */
-- 0, 22, /* secp256k1 (22) */
- 0, 23, /* secp256r1 (23) */
- # ifndef OPENSSL_NO_EC2M
- 0, 8, /* sect239k1 (8) */
- 0, 6, /* sect233k1 (6) */
- 0, 7, /* sect233r1 (7) */
- # endif
-- 0, 20, /* secp224k1 (20) */
-- 0, 21, /* secp224r1 (21) */
- # ifndef OPENSSL_NO_EC2M
- 0, 4, /* sect193r1 (4) */
- 0, 5, /* sect193r2 (5) */
- # endif
-- 0, 18, /* secp192k1 (18) */
-- 0, 19, /* secp192r1 (19) */
- # ifndef OPENSSL_NO_EC2M
- 0, 1, /* sect163k1 (1) */
- 0, 2, /* sect163r1 (2) */
- 0, 3, /* sect163r2 (3) */
- # endif
-- 0, 15, /* secp160k1 (15) */
-- 0, 16, /* secp160r1 (16) */
-- 0, 17, /* secp160r2 (17) */
- };
-
- static const unsigned char suiteb_curves[] = {
-@@ -325,29 +314,21 @@ static const unsigned char fips_curves_d
- 0, 9, /* sect283k1 (9) */
- 0, 10, /* sect283r1 (10) */
- # endif
-- 0, 22, /* secp256k1 (22) */
- 0, 23, /* secp256r1 (23) */
- # ifndef OPENSSL_NO_EC2M
- 0, 8, /* sect239k1 (8) */
- 0, 6, /* sect233k1 (6) */
- 0, 7, /* sect233r1 (7) */
- # endif
-- 0, 20, /* secp224k1 (20) */
-- 0, 21, /* secp224r1 (21) */
- # ifndef OPENSSL_NO_EC2M
- 0, 4, /* sect193r1 (4) */
- 0, 5, /* sect193r2 (5) */
- # endif
-- 0, 18, /* secp192k1 (18) */
-- 0, 19, /* secp192r1 (19) */
- # ifndef OPENSSL_NO_EC2M
- 0, 1, /* sect163k1 (1) */
- 0, 2, /* sect163r1 (2) */
- 0, 3, /* sect163r2 (3) */
- # endif
-- 0, 15, /* secp160k1 (15) */
-- 0, 16, /* secp160r1 (16) */
-- 0, 17, /* secp160r2 (17) */
- };
- # endif
-
diff --git a/openssl-1.0.2a-fips.patch b/openssl-1.0.2a-fips.patch
deleted file mode 100644
index 81bed3a..0000000
--- a/openssl-1.0.2a-fips.patch
+++ /dev/null
@@ -1,13699 +0,0 @@
-diff -up openssl-1.0.2a/apps/speed.c.fips openssl-1.0.2a/apps/speed.c
---- openssl-1.0.2a/apps/speed.c.fips 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/apps/speed.c 2015-04-22 16:08:40.284245465 +0200
-@@ -197,7 +197,6 @@
- # ifdef OPENSSL_DOING_MAKEDEPEND
- # undef AES_set_encrypt_key
- # undef AES_set_decrypt_key
--# undef DES_set_key_unchecked
- # endif
- # define BF_set_key private_BF_set_key
- # define CAST_set_key private_CAST_set_key
-@@ -205,7 +204,6 @@
- # define SEED_set_key private_SEED_set_key
- # define RC2_set_key private_RC2_set_key
- # define RC4_set_key private_RC4_set_key
--# define DES_set_key_unchecked private_DES_set_key_unchecked
- # define AES_set_encrypt_key private_AES_set_encrypt_key
- # define AES_set_decrypt_key private_AES_set_decrypt_key
- # define Camellia_set_key private_Camellia_set_key
-@@ -974,7 +972,12 @@ int MAIN(int argc, char **argv)
- # endif
- # ifndef OPENSSL_NO_RSA
- if (strcmp(*argv, "rsa") == 0) {
-- rsa_doit[R_RSA_512] = 1;
-+# ifdef OPENSSL_FIPS
-+ if (!FIPS_mode())
-+# endif
-+ {
-+ rsa_doit[R_RSA_512] = 1;
-+ }
- rsa_doit[R_RSA_1024] = 1;
- rsa_doit[R_RSA_2048] = 1;
- rsa_doit[R_RSA_4096] = 1;
-@@ -982,7 +985,12 @@ int MAIN(int argc, char **argv)
- # endif
- # ifndef OPENSSL_NO_DSA
- if (strcmp(*argv, "dsa") == 0) {
-- dsa_doit[R_DSA_512] = 1;
-+# ifdef OPENSSL_FIPS
-+ if (!FIPS_mode())
-+# endif
-+ {
-+ dsa_doit[R_DSA_512] = 1;
-+ }
- dsa_doit[R_DSA_1024] = 1;
- dsa_doit[R_DSA_2048] = 1;
- } else
-@@ -1233,13 +1241,19 @@ int MAIN(int argc, char **argv)
-
- if (j == 0) {
- for (i = 0; i < ALGOR_NUM; i++) {
-- if (i != D_EVP)
-+ if (i != D_EVP &&
-+ (!FIPS_mode() || (i != D_WHIRLPOOL &&
-+ i != D_MD2 && i != D_MD4 &&
-+ i != D_MD5 && i != D_MDC2 &&
-+ i != D_RMD160)))
- doit[i] = 1;
- }
- for (i = 0; i < RSA_NUM; i++)
-- rsa_doit[i] = 1;
-+ if (!FIPS_mode() || i != R_RSA_512)
-+ rsa_doit[i] = 1;
- for (i = 0; i < DSA_NUM; i++)
-- dsa_doit[i] = 1;
-+ if (!FIPS_mode() || i != R_DSA_512)
-+ dsa_doit[i] = 1;
- # ifndef OPENSSL_NO_ECDSA
- for (i = 0; i < EC_NUM; i++)
- ecdsa_doit[i] = 1;
-@@ -1299,30 +1313,46 @@ int MAIN(int argc, char **argv)
- AES_set_encrypt_key(key32, 256, &aes_ks3);
- # endif
- # ifndef OPENSSL_NO_CAMELLIA
-- Camellia_set_key(key16, 128, &camellia_ks1);
-- Camellia_set_key(ckey24, 192, &camellia_ks2);
-- Camellia_set_key(ckey32, 256, &camellia_ks3);
-+ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML]) {
-+ Camellia_set_key(key16, 128, &camellia_ks1);
-+ Camellia_set_key(ckey24, 192, &camellia_ks2);
-+ Camellia_set_key(ckey32, 256, &camellia_ks3);
-+ }
- # endif
- # ifndef OPENSSL_NO_IDEA
-- idea_set_encrypt_key(key16, &idea_ks);
-+ if (doit[D_CBC_IDEA]) {
-+ idea_set_encrypt_key(key16, &idea_ks);
-+ }
- # endif
- # ifndef OPENSSL_NO_SEED
-- SEED_set_key(key16, &seed_ks);
-+ if (doit[D_CBC_SEED]) {
-+ SEED_set_key(key16, &seed_ks);
-+ }
- # endif
- # ifndef OPENSSL_NO_RC4
-- RC4_set_key(&rc4_ks, 16, key16);
-+ if (doit[D_RC4]) {
-+ RC4_set_key(&rc4_ks, 16, key16);
-+ }
- # endif
- # ifndef OPENSSL_NO_RC2
-- RC2_set_key(&rc2_ks, 16, key16, 128);
-+ if (doit[D_CBC_RC2]) {
-+ RC2_set_key(&rc2_ks, 16, key16, 128);
-+ }
- # endif
- # ifndef OPENSSL_NO_RC5
-- RC5_32_set_key(&rc5_ks, 16, key16, 12);
-+ if (doit[D_CBC_RC5]) {
-+ RC5_32_set_key(&rc5_ks, 16, key16, 12);
-+ }
- # endif
- # ifndef OPENSSL_NO_BF
-- BF_set_key(&bf_ks, 16, key16);
-+ if (doit[D_CBC_BF]) {
-+ BF_set_key(&bf_ks, 16, key16);
-+ }
- # endif
- # ifndef OPENSSL_NO_CAST
-- CAST_set_key(&cast_ks, 16, key16);
-+ if (doit[D_CBC_CAST]) {
-+ CAST_set_key(&cast_ks, 16, key16);
-+ }
- # endif
- # ifndef OPENSSL_NO_RSA
- memset(rsa_c, 0, sizeof(rsa_c));
-@@ -1605,6 +1635,7 @@ int MAIN(int argc, char **argv)
- HMAC_CTX hctx;
-
- HMAC_CTX_init(&hctx);
-+ HMAC_CTX_set_flags(&hctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- HMAC_Init_ex(&hctx, (unsigned char *)"This is a key...",
- 16, EVP_md5(), NULL);
-
-diff -up openssl-1.0.2a/Configure.fips openssl-1.0.2a/Configure
---- openssl-1.0.2a/Configure.fips 2015-04-22 16:08:40.266245039 +0200
-+++ openssl-1.0.2a/Configure 2015-04-22 16:08:40.284245465 +0200
-@@ -1040,11 +1040,6 @@ if (defined($disabled{"md5"}) || defined
- $disabled{"ssl2"} = "forced";
- }
-
--if ($fips && $fipslibdir eq "")
-- {
-- $fipslibdir = $fipsdir . "/lib/";
-- }
--
- # RSAX ENGINE sets default non-FIPS RSA method.
- if ($fips)
- {
-@@ -1532,7 +1527,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($b
- if ($fips)
- {
- $openssl_other_defines.="#define OPENSSL_FIPS\n";
-- $cflags .= " -I\$(FIPSDIR)/include";
- }
-
- $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/);
-@@ -1724,9 +1718,12 @@ while (<IN>)
-
- s/^FIPSDIR=.*/FIPSDIR=$fipsdir/;
- s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
-- s/^FIPSCANLIB=.*/FIPSCANLIB=libcrypto/ if $fips;
- s/^BASEADDR=.*/BASEADDR=$baseaddr/;
-
-+ if ($fips)
-+ {
-+ s/^FIPS=.*/FIPS=yes/;
-+ }
- s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
- s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
- s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
-diff -up openssl-1.0.2a/crypto/aes/aes_misc.c.fips openssl-1.0.2a/crypto/aes/aes_misc.c
---- openssl-1.0.2a/crypto/aes/aes_misc.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/aes/aes_misc.c 2015-04-22 16:08:40.284245465 +0200
-@@ -70,17 +70,11 @@ const char *AES_options(void)
- int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
- AES_KEY *key)
- {
--#ifdef OPENSSL_FIPS
-- fips_cipher_abort(AES);
--#endif
- return private_AES_set_encrypt_key(userKey, bits, key);
- }
-
- int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
- AES_KEY *key)
- {
--#ifdef OPENSSL_FIPS
-- fips_cipher_abort(AES);
--#endif
- return private_AES_set_decrypt_key(userKey, bits, key);
- }
-diff -up openssl-1.0.2a/crypto/cmac/cmac.c.fips openssl-1.0.2a/crypto/cmac/cmac.c
---- openssl-1.0.2a/crypto/cmac/cmac.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/cmac/cmac.c 2015-04-22 16:08:40.284245465 +0200
-@@ -105,12 +105,6 @@ CMAC_CTX *CMAC_CTX_new(void)
-
- void CMAC_CTX_cleanup(CMAC_CTX *ctx)
- {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !ctx->cctx.engine) {
-- FIPS_cmac_ctx_cleanup(ctx);
-- return;
-- }
--#endif
- EVP_CIPHER_CTX_cleanup(&ctx->cctx);
- OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH);
- OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH);
-@@ -158,12 +152,6 @@ int CMAC_Init(CMAC_CTX *ctx, const void
- EVPerr(EVP_F_CMAC_INIT, EVP_R_DISABLED_FOR_FIPS);
- return 0;
- }
-- /*
-- * Other algorithm blocking will be done in FIPS_cmac_init, via
-- * FIPS_cipherinit().
-- */
-- if (!impl && !ctx->cctx.engine)
-- return FIPS_cmac_init(ctx, key, keylen, cipher, NULL);
- }
- #endif
- /* All zeros means restart */
-@@ -209,10 +197,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi
- {
- const unsigned char *data = in;
- size_t bl;
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !ctx->cctx.engine)
-- return FIPS_cmac_update(ctx, in, dlen);
--#endif
- if (ctx->nlast_block == -1)
- return 0;
- if (dlen == 0)
-@@ -252,10 +236,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi
- int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen)
- {
- int i, bl, lb;
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !ctx->cctx.engine)
-- return FIPS_cmac_final(ctx, out, poutlen);
--#endif
- if (ctx->nlast_block == -1)
- return 0;
- bl = EVP_CIPHER_CTX_block_size(&ctx->cctx);
-diff -up openssl-1.0.2a/crypto/crypto.h.fips openssl-1.0.2a/crypto/crypto.h
---- openssl-1.0.2a/crypto/crypto.h.fips 2015-04-22 16:08:40.161242552 +0200
-+++ openssl-1.0.2a/crypto/crypto.h 2015-04-22 16:08:40.285245489 +0200
-@@ -600,24 +600,29 @@ int FIPS_mode_set(int r);
- void OPENSSL_init(void);
-
- # define fips_md_init(alg) fips_md_init_ctx(alg, alg)
-+# define nonfips_md_init(alg) nonfips_md_init_ctx(alg, alg)
-+# define fips_md_init_ctx(alg, cx) \
-+ int alg##_Init(cx##_CTX *c)
-
- # ifdef OPENSSL_FIPS
--# define fips_md_init_ctx(alg, cx) \
-+# define nonfips_md_init_ctx(alg, cx) \
- int alg##_Init(cx##_CTX *c) \
- { \
- if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
-- "Low level API call to digest " #alg " forbidden in FIPS mode!"); \
-+ "Digest " #alg " forbidden in FIPS mode!"); \
- return private_##alg##_Init(c); \
- } \
- int private_##alg##_Init(cx##_CTX *c)
-
- # define fips_cipher_abort(alg) \
- if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
-- "Low level API call to cipher " #alg " forbidden in FIPS mode!")
-+ "Cipher " #alg " forbidden in FIPS mode!")
-+
-+/* die if FIPS selftest failed */
-+void FIPS_selftest_check(void);
-
- # else
--# define fips_md_init_ctx(alg, cx) \
-- int alg##_Init(cx##_CTX *c)
-+# define nonfips_md_init_ctx(alg, cx) fips_md_init_ctx(alg, cx)
- # define fips_cipher_abort(alg) while(0)
- # endif
-
-@@ -637,6 +642,9 @@ int CRYPTO_memcmp(const void *a, const v
- */
- void ERR_load_CRYPTO_strings(void);
-
-+# define OPENSSL_HAVE_INIT 1
-+void OPENSSL_init_library(void);
-+
- /* Error codes for the CRYPTO functions. */
-
- /* Function codes. */
-diff -up openssl-1.0.2a/crypto/des/des.h.fips openssl-1.0.2a/crypto/des/des.h
---- openssl-1.0.2a/crypto/des/des.h.fips 2015-04-22 16:08:40.191243263 +0200
-+++ openssl-1.0.2a/crypto/des/des.h 2015-04-22 16:08:40.285245489 +0200
-@@ -231,10 +231,6 @@ int DES_set_key(const_DES_cblock *key, D
- int DES_key_sched(const_DES_cblock *key, DES_key_schedule *schedule);
- int DES_set_key_checked(const_DES_cblock *key, DES_key_schedule *schedule);
- void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule);
--# ifdef OPENSSL_FIPS
--void private_DES_set_key_unchecked(const_DES_cblock *key,
-- DES_key_schedule *schedule);
--# endif
- void DES_string_to_key(const char *str, DES_cblock *key);
- void DES_string_to_2keys(const char *str, DES_cblock *key1, DES_cblock *key2);
- void DES_cfb64_encrypt(const unsigned char *in, unsigned char *out,
-diff -up openssl-1.0.2a/crypto/des/set_key.c.fips openssl-1.0.2a/crypto/des/set_key.c
---- openssl-1.0.2a/crypto/des/set_key.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/des/set_key.c 2015-04-22 16:08:40.285245489 +0200
-@@ -359,15 +359,6 @@ int DES_set_key_checked(const_DES_cblock
- }
-
- void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
--#ifdef OPENSSL_FIPS
--{
-- fips_cipher_abort(DES);
-- private_DES_set_key_unchecked(key, schedule);
--}
--
--void private_DES_set_key_unchecked(const_DES_cblock *key,
-- DES_key_schedule *schedule)
--#endif
- {
- static const int shifts2[16] =
- { 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0 };
-diff -up openssl-1.0.2a/crypto/dh/dh_gen.c.fips openssl-1.0.2a/crypto/dh/dh_gen.c
---- openssl-1.0.2a/crypto/dh/dh_gen.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/dh/dh_gen.c 2015-04-22 16:08:40.285245489 +0200
-@@ -85,10 +85,6 @@ int DH_generate_parameters_ex(DH *ret, i
- #endif
- if (ret->meth->generate_params)
- return ret->meth->generate_params(ret, prime_len, generator, cb);
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_dh_generate_parameters_ex(ret, prime_len, generator, cb);
--#endif
- return dh_builtin_genparams(ret, prime_len, generator, cb);
- }
-
-@@ -126,6 +122,18 @@ static int dh_builtin_genparams(DH *ret,
- int g, ok = -1;
- BN_CTX *ctx = NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
-+ DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
-+ goto err;
-+ }
-+#endif
-+
- ctx = BN_CTX_new();
- if (ctx == NULL)
- goto err;
-diff -up openssl-1.0.2a/crypto/dh/dh.h.fips openssl-1.0.2a/crypto/dh/dh.h
---- openssl-1.0.2a/crypto/dh/dh.h.fips 2015-04-22 16:08:40.134241913 +0200
-+++ openssl-1.0.2a/crypto/dh/dh.h 2015-04-22 16:08:40.285245489 +0200
-@@ -77,6 +77,8 @@
- # define OPENSSL_DH_MAX_MODULUS_BITS 10000
- # endif
-
-+# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
-+
- # define DH_FLAG_CACHE_MONT_P 0x01
-
- /*
-diff -up openssl-1.0.2a/crypto/dh/dh_key.c.fips openssl-1.0.2a/crypto/dh/dh_key.c
---- openssl-1.0.2a/crypto/dh/dh_key.c.fips 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/dh/dh_key.c 2015-04-22 16:08:40.285245489 +0200
-@@ -61,6 +61,9 @@
- #include <openssl/bn.h>
- #include <openssl/rand.h>
- #include <openssl/dh.h>
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-
- static int generate_key(DH *dh);
- static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
-@@ -97,7 +100,7 @@ int DH_compute_key(unsigned char *key, c
- int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
- {
- int rv, pad;
-- rv = dh->meth->compute_key(key, pub_key, dh);
-+ rv = DH_compute_key(key, pub_key, dh);
- if (rv <= 0)
- return rv;
- pad = BN_num_bytes(dh->p) - rv;
-@@ -115,7 +118,7 @@ static DH_METHOD dh_ossl = {
- dh_bn_mod_exp,
- dh_init,
- dh_finish,
-- 0,
-+ DH_FLAG_FIPS_METHOD,
- NULL,
- NULL
- };
-@@ -134,6 +137,14 @@ static int generate_key(DH *dh)
- BN_MONT_CTX *mont = NULL;
- BIGNUM *pub_key = NULL, *priv_key = NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode()
-+ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
-+ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
-+ return 0;
-+ }
-+#endif
-+
- ctx = BN_CTX_new();
- if (ctx == NULL)
- goto err;
-@@ -217,6 +228,13 @@ static int compute_key(unsigned char *ke
- DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE);
- goto err;
- }
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode()
-+ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
-+ DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
-+ goto err;
-+ }
-+#endif
-
- ctx = BN_CTX_new();
- if (ctx == NULL)
-@@ -277,6 +295,9 @@ static int dh_bn_mod_exp(const DH *dh, B
-
- static int dh_init(DH *dh)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- dh->flags |= DH_FLAG_CACHE_MONT_P;
- return (1);
- }
-diff -up openssl-1.0.2a/crypto/dh/dh_lib.c.fips openssl-1.0.2a/crypto/dh/dh_lib.c
---- openssl-1.0.2a/crypto/dh/dh_lib.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/dh/dh_lib.c 2015-04-22 16:08:40.286245512 +0200
-@@ -80,14 +80,7 @@ void DH_set_default_method(const DH_METH
- const DH_METHOD *DH_get_default_method(void)
- {
- if (!default_DH_method) {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_dh_openssl();
-- else
-- return DH_OpenSSL();
--#else
- default_DH_method = DH_OpenSSL();
--#endif
- }
- return default_DH_method;
- }
-diff -up openssl-1.0.2a/crypto/dsa/dsa_err.c.fips openssl-1.0.2a/crypto/dsa/dsa_err.c
---- openssl-1.0.2a/crypto/dsa/dsa_err.c.fips 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/dsa/dsa_err.c 2015-04-22 16:08:40.286245512 +0200
-@@ -74,6 +74,8 @@ static ERR_STRING_DATA DSA_str_functs[]
- {ERR_FUNC(DSA_F_DO_DSA_PRINT), "DO_DSA_PRINT"},
- {ERR_FUNC(DSA_F_DSAPARAMS_PRINT), "DSAparams_print"},
- {ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP), "DSAparams_print_fp"},
-+ {ERR_FUNC(DSA_F_DSA_BUILTIN_KEYGEN), "dsa_builtin_keygen"},
-+ {ERR_FUNC(DSA_F_DSA_BUILTIN_PARAMGEN), "dsa_builtin_paramgen"},
- {ERR_FUNC(DSA_F_DSA_BUILTIN_PARAMGEN2), "DSA_BUILTIN_PARAMGEN2"},
- {ERR_FUNC(DSA_F_DSA_DO_SIGN), "DSA_do_sign"},
- {ERR_FUNC(DSA_F_DSA_DO_VERIFY), "DSA_do_verify"},
-@@ -109,6 +111,8 @@ static ERR_STRING_DATA DSA_str_reasons[]
- {ERR_REASON(DSA_R_DECODE_ERROR), "decode error"},
- {ERR_REASON(DSA_R_INVALID_DIGEST_TYPE), "invalid digest type"},
- {ERR_REASON(DSA_R_INVALID_PARAMETERS), "invalid parameters"},
-+ {ERR_REASON(DSA_R_KEY_SIZE_INVALID), "key size invalid"},
-+ {ERR_REASON(DSA_R_KEY_SIZE_TOO_SMALL), "key size too small"},
- {ERR_REASON(DSA_R_MISSING_PARAMETERS), "missing parameters"},
- {ERR_REASON(DSA_R_MODULUS_TOO_LARGE), "modulus too large"},
- {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES), "need new setup values"},
-diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips openssl-1.0.2a/crypto/dsa/dsa_gen.c
---- openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/dsa/dsa_gen.c 2015-04-22 16:08:40.286245512 +0200
-@@ -91,6 +91,16 @@
- # include <openssl/fips.h>
- # endif
-
-+# ifndef OPENSSL_FIPS
-+static int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
-+ const EVP_MD *evpmd, unsigned char *seed,
-+ int seed_len, BIGNUM **p_ret, BIGNUM **q_ret,
-+ int *counter_ret, BN_GENCB *cb);
-+static int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
-+ BIGNUM **g_ret, unsigned long *h_ret,
-+ BN_GENCB *cb);
-+# endif
-+
- int DSA_generate_parameters_ex(DSA *ret, int bits,
- const unsigned char *seed_in, int seed_len,
- int *counter_ret, unsigned long *h_ret,
-@@ -106,13 +116,6 @@ int DSA_generate_parameters_ex(DSA *ret,
- if (ret->meth->dsa_paramgen)
- return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
- counter_ret, h_ret, cb);
--# ifdef OPENSSL_FIPS
-- else if (FIPS_mode()) {
-- return FIPS_dsa_generate_parameters_ex(ret, bits,
-- seed_in, seed_len,
-- counter_ret, h_ret, cb);
-- }
--# endif
- else {
- const EVP_MD *evpmd;
- size_t qbits = bits >= 2048 ? 256 : 160;
-@@ -126,80 +129,156 @@ int DSA_generate_parameters_ex(DSA *ret,
- }
-
- return dsa_builtin_paramgen(ret, bits, qbits, evpmd,
-- seed_in, seed_len, NULL, counter_ret,
-+ seed_in, seed_len, counter_ret,
- h_ret, cb);
- }
- }
-
-+# ifdef OPENSSL_FIPS
-+int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
-+ const EVP_MD *evpmd,
-+ const unsigned char *seed_in, size_t seed_len,
-+ int *counter_ret, unsigned long *h_ret,
-+ BN_GENCB *cb)
-+{
-+ return dsa_builtin_paramgen(ret, bits, qbits,
-+ evpmd, seed_in, seed_len,
-+ counter_ret, h_ret, cb);
-+}
-+# endif
-+
- int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
- const EVP_MD *evpmd, const unsigned char *seed_in,
-- size_t seed_len, unsigned char *seed_out,
-+ size_t seed_len,
- int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
- {
- int ok = 0;
- unsigned char seed[SHA256_DIGEST_LENGTH];
-+ BIGNUM *g = NULL, *q = NULL, *p = NULL;
-+ size_t qsize = qbits >> 3;
-+ BN_CTX *ctx = NULL;
-+
-+# ifdef OPENSSL_FIPS
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN, FIPS_R_FIPS_SELFTEST_FAILED);
-+ goto err;
-+ }
-+
-+ if (FIPS_module_mode() &&
-+ (bits != 1024 || qbits != 160) &&
-+ (bits != 2048 || qbits != 224) &&
-+ (bits != 2048 || qbits != 256) && (bits != 3072 || qbits != 256)) {
-+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
-+ goto err;
-+ }
-+# endif
-+ if (seed_len && (seed_len < (size_t)qsize))
-+ seed_in = NULL; /* seed buffer too small -- ignore */
-+ if (seed_len > sizeof(seed))
-+ seed_len = sizeof(seed); /* App. 2.2 of FIPS PUB 186 allows larger SEED,
-+ * but our internal buffers are restricted to 256 bits*/
-+ if (seed_in != NULL)
-+ memcpy(seed, seed_in, seed_len);
-+ else
-+ seed_len = 0;
-+
-+ if ((ctx = BN_CTX_new()) == NULL)
-+ goto err;
-+
-+ BN_CTX_start(ctx);
-+
-+ if (!FIPS_dsa_generate_pq(ctx, bits, qbits, evpmd,
-+ seed, seed_len, &p, &q, counter_ret, cb))
-+ goto err;
-+
-+ if (!FIPS_dsa_generate_g(ctx, p, q, &g, h_ret, cb))
-+ goto err;
-+
-+ ok = 1;
-+ err:
-+ if (ok) {
-+ if (ret->p) {
-+ BN_free(ret->p);
-+ ret->p = NULL;
-+ }
-+ if (ret->q) {
-+ BN_free(ret->q);
-+ ret->q = NULL;
-+ }
-+ if (ret->g) {
-+ BN_free(ret->g);
-+ ret->g = NULL;
-+ }
-+ ret->p = BN_dup(p);
-+ ret->q = BN_dup(q);
-+ ret->g = BN_dup(g);
-+ if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
-+ ok = 0;
-+ }
-+ if (ctx) {
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
-+ }
-+ return ok;
-+}
-+
-+# ifndef OPENSSL_FIPS
-+static
-+# endif
-+int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
-+ const EVP_MD *evpmd, unsigned char *seed,
-+ int seed_len, BIGNUM **p_ret, BIGNUM **q_ret,
-+ int *counter_ret, BN_GENCB *cb)
-+{
-+ int ok = 0;
- unsigned char md[SHA256_DIGEST_LENGTH];
-- unsigned char buf[SHA256_DIGEST_LENGTH], buf2[SHA256_DIGEST_LENGTH];
-+ unsigned char buf[SHA256_DIGEST_LENGTH];
- BIGNUM *r0, *W, *X, *c, *test;
-- BIGNUM *g = NULL, *q = NULL, *p = NULL;
-- BN_MONT_CTX *mont = NULL;
-- int i, k, n = 0, m = 0, qsize = qbits >> 3;
-+ BIGNUM *q = NULL, *p = NULL;
-+ int i, k, b, n = 0, m = 0, qsize = qbits >> 3;
- int counter = 0;
- int r = 0;
-- BN_CTX *ctx = NULL;
-- unsigned int h = 2;
-
- if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH &&
- qsize != SHA256_DIGEST_LENGTH)
- /* invalid q size */
- return 0;
-
-- if (evpmd == NULL)
-- /* use SHA1 as default */
-- evpmd = EVP_sha1();
-+ if (evpmd == NULL) {
-+ if (qbits <= 160)
-+ evpmd = EVP_sha1();
-+ else if (qbits <= 224)
-+ evpmd = EVP_sha224();
-+ else
-+ evpmd = EVP_sha256();
-+ }
-
- if (bits < 512)
- bits = 512;
-
- bits = (bits + 63) / 64 * 64;
-
-- /*
-- * NB: seed_len == 0 is special case: copy generated seed to seed_in if
-- * it is not NULL.
-- */
-- if (seed_len && (seed_len < (size_t)qsize))
-- seed_in = NULL; /* seed buffer too small -- ignore */
-- if (seed_len > (size_t)qsize)
-- seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger
-- * SEED, but our internal buffers are
-- * restricted to 160 bits */
-- if (seed_in != NULL)
-- memcpy(seed, seed_in, seed_len);
--
-- if ((ctx = BN_CTX_new()) == NULL)
-- goto err;
--
-- if ((mont = BN_MONT_CTX_new()) == NULL)
-- goto err;
--
-- BN_CTX_start(ctx);
- r0 = BN_CTX_get(ctx);
-- g = BN_CTX_get(ctx);
- W = BN_CTX_get(ctx);
-- q = BN_CTX_get(ctx);
-+ *q_ret = q = BN_CTX_get(ctx);
- X = BN_CTX_get(ctx);
- c = BN_CTX_get(ctx);
-- p = BN_CTX_get(ctx);
-+ *p_ret = p = BN_CTX_get(ctx);
- test = BN_CTX_get(ctx);
-
- if (!BN_lshift(test, BN_value_one(), bits - 1))
- goto err;
-
-+ /* step 3 n = \lceil bits / qbits \rceil - 1 */
-+ n = (bits + qbits - 1) / qbits - 1;
-+ /* step 4 b = bits - 1 - n * qbits */
-+ b = bits - 1 - n * qbits;
-+
- for (;;) {
- for (;;) { /* find q */
- int seed_is_random;
-
-- /* step 1 */
-+ /* step 5 generate seed */
- if (!BN_GENCB_call(cb, 0, m++))
- goto err;
-
-@@ -212,29 +291,18 @@ int dsa_builtin_paramgen(DSA *ret, size_
- * be bad */
- }
- memcpy(buf, seed, qsize);
-- memcpy(buf2, seed, qsize);
-- /* precompute "SEED + 1" for step 7: */
-- for (i = qsize - 1; i >= 0; i--) {
-- buf[i]++;
-- if (buf[i] != 0)
-- break;
-- }
-
-- /* step 2 */
-+ /* step 6 U = hash(seed) */
- if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
- goto err;
-- if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
-- goto err;
-- for (i = 0; i < qsize; i++)
-- md[i] ^= buf2[i];
-
-- /* step 3 */
-+ /* step 7 q = 2^(qbits-1) + U + 1 - (U mod 2) */
- md[0] |= 0x80;
- md[qsize - 1] |= 0x01;
- if (!BN_bin2bn(md, qsize, q))
- goto err;
-
-- /* step 4 */
-+ /* step 8 test for prime (64 round of Rabin-Miller) */
- r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
- seed_is_random, cb);
- if (r > 0)
-@@ -242,8 +310,6 @@ int dsa_builtin_paramgen(DSA *ret, size_
- if (r != 0)
- goto err;
-
-- /* do a callback call */
-- /* step 5 */
- }
-
- if (!BN_GENCB_call(cb, 2, 0))
-@@ -251,19 +317,16 @@ int dsa_builtin_paramgen(DSA *ret, size_
- if (!BN_GENCB_call(cb, 3, 0))
- goto err;
-
-- /* step 6 */
-+ /* step 11 */
- counter = 0;
-- /* "offset = 2" */
--
-- n = (bits - 1) / 160;
-+ /* "offset = 1" */
-
- for (;;) {
- if ((counter != 0) && !BN_GENCB_call(cb, 0, counter))
- goto err;
-
-- /* step 7 */
-+ /* step 11.1, 11.2 obtain W */
- BN_zero(W);
-- /* now 'buf' contains "SEED + offset - 1" */
- for (k = 0; k <= n; k++) {
- /*
- * obtain "SEED + offset + k" by incrementing:
-@@ -277,36 +340,37 @@ int dsa_builtin_paramgen(DSA *ret, size_
- if (!EVP_Digest(buf, qsize, md, NULL, evpmd, NULL))
- goto err;
-
-- /* step 8 */
- if (!BN_bin2bn(md, qsize, r0))
- goto err;
-- if (!BN_lshift(r0, r0, (qsize << 3) * k))
-+ if (k == n)
-+ BN_mask_bits(r0, b);
-+ if (!BN_lshift(r0, r0, qbits * k))
- goto err;
- if (!BN_add(W, W, r0))
- goto err;
- }
-
-- /* more of step 8 */
-- if (!BN_mask_bits(W, bits - 1))
-- goto err;
-+ /* step 11.3 X = W + 2^(L-1) */
- if (!BN_copy(X, W))
- goto err;
- if (!BN_add(X, X, test))
- goto err;
-
-- /* step 9 */
-+ /* step 11.4 c = X mod 2*q */
- if (!BN_lshift1(r0, q))
- goto err;
- if (!BN_mod(c, X, r0, ctx))
- goto err;
-+
-+ /* step 11.5 p = X - (c - 1) */
- if (!BN_sub(r0, c, BN_value_one()))
- goto err;
- if (!BN_sub(p, X, r0))
- goto err;
-
-- /* step 10 */
-+ /* step 11.6 */
- if (BN_cmp(p, test) >= 0) {
-- /* step 11 */
-+ /* step 11.7 */
- r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, ctx, 1, cb);
- if (r > 0)
- goto end; /* found it */
-@@ -314,12 +378,12 @@ int dsa_builtin_paramgen(DSA *ret, size_
- goto err;
- }
-
-- /* step 13 */
-+ /* step 11.9 */
- counter++;
- /* "offset = offset + n + 1" */
-
-- /* step 14 */
-- if (counter >= 4096)
-+ /* step 12 */
-+ if (counter >= 4 * bits)
- break;
- }
- }
-@@ -327,7 +391,33 @@ int dsa_builtin_paramgen(DSA *ret, size_
- if (!BN_GENCB_call(cb, 2, 1))
- goto err;
-
-- /* We now need to generate g */
-+ ok = 1;
-+ err:
-+ if (ok) {
-+ if (counter_ret != NULL)
-+ *counter_ret = counter;
-+ }
-+ return ok;
-+}
-+
-+# ifndef OPENSSL_FIPS
-+static
-+# endif
-+int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
-+ BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb)
-+{
-+ int ok = 0;
-+ BIGNUM *r0, *test, *g = NULL;
-+ BN_MONT_CTX *mont;
-+ unsigned int h = 2;
-+
-+ if ((mont = BN_MONT_CTX_new()) == NULL)
-+ goto err;
-+
-+ r0 = BN_CTX_get(ctx);
-+ *g_ret = g = BN_CTX_get(ctx);
-+ test = BN_CTX_get(ctx);
-+
- /* Set r0=(p-1)/q */
- if (!BN_sub(test, p, BN_value_one()))
- goto err;
-@@ -356,46 +446,14 @@ int dsa_builtin_paramgen(DSA *ret, size_
- ok = 1;
- err:
- if (ok) {
-- if (ret->p)
-- BN_free(ret->p);
-- if (ret->q)
-- BN_free(ret->q);
-- if (ret->g)
-- BN_free(ret->g);
-- ret->p = BN_dup(p);
-- ret->q = BN_dup(q);
-- ret->g = BN_dup(g);
-- if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {
-- ok = 0;
-- goto err;
-- }
-- if (counter_ret != NULL)
-- *counter_ret = counter;
- if (h_ret != NULL)
- *h_ret = h;
-- if (seed_out)
-- memcpy(seed_out, seed, qsize);
-- }
-- if (ctx) {
-- BN_CTX_end(ctx);
-- BN_CTX_free(ctx);
- }
- if (mont != NULL)
- BN_MONT_CTX_free(mont);
- return ok;
- }
-
--# ifdef OPENSSL_FIPS
--# undef fips_dsa_builtin_paramgen2
--extern int fips_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
-- const EVP_MD *evpmd,
-- const unsigned char *seed_in,
-- size_t seed_len, int idx,
-- unsigned char *seed_out,
-- int *counter_ret, unsigned long *h_ret,
-- BN_GENCB *cb);
--# endif
--
- /*
- * This is a parameter generation algorithm for the DSA2 algorithm as
- * described in FIPS 186-3.
-@@ -421,14 +479,6 @@ int dsa_builtin_paramgen2(DSA *ret, size
- EVP_MD_CTX mctx;
- unsigned int h = 2;
-
--# ifdef OPENSSL_FIPS
--
-- if (FIPS_mode())
-- return fips_dsa_builtin_paramgen2(ret, L, N, evpmd,
-- seed_in, seed_len, idx,
-- seed_out, counter_ret, h_ret, cb);
--# endif
--
- EVP_MD_CTX_init(&mctx);
-
- if (evpmd == NULL) {
-diff -up openssl-1.0.2a/crypto/dsa/dsa.h.fips openssl-1.0.2a/crypto/dsa/dsa.h
---- openssl-1.0.2a/crypto/dsa/dsa.h.fips 2015-04-22 16:08:40.056240066 +0200
-+++ openssl-1.0.2a/crypto/dsa/dsa.h 2015-04-22 16:08:40.286245512 +0200
-@@ -88,6 +88,8 @@
- # define OPENSSL_DSA_MAX_MODULUS_BITS 10000
- # endif
-
-+# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
-+
- # define DSA_FLAG_CACHE_MONT_P 0x01
- /*
- * new with 0.9.7h; the built-in DSA implementation now uses constant time
-@@ -265,6 +267,20 @@ int DSA_print_fp(FILE *bp, const DSA *x,
- DH *DSA_dup_DH(const DSA *r);
- # endif
-
-+# ifdef OPENSSL_FIPS
-+int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
-+ const EVP_MD *evpmd,
-+ const unsigned char *seed_in,
-+ size_t seed_len, int *counter_ret,
-+ unsigned long *h_ret, BN_GENCB *cb);
-+int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
-+ const EVP_MD *evpmd, unsigned char *seed,
-+ int seed_len, BIGNUM **p_ret, BIGNUM **q_ret,
-+ int *counter_ret, BN_GENCB *cb);
-+int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q, BIGNUM **g_ret,
-+ unsigned long *h_ret, BN_GENCB *cb);
-+# endif
-+
- # define EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, nbits) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, \
- EVP_PKEY_CTRL_DSA_PARAMGEN_BITS, nbits, NULL)
-@@ -287,11 +303,14 @@ void ERR_load_DSA_strings(void);
- # define DSA_F_DO_DSA_PRINT 104
- # define DSA_F_DSAPARAMS_PRINT 100
- # define DSA_F_DSAPARAMS_PRINT_FP 101
--# define DSA_F_DSA_BUILTIN_PARAMGEN2 126
-+# define DSA_F_DSA_BUILTIN_KEYGEN 124
-+# define DSA_F_DSA_BUILTIN_PARAMGEN 123
-+# define DSA_F_DSA_BUILTIN_PARAMGEN2 226
- # define DSA_F_DSA_DO_SIGN 112
- # define DSA_F_DSA_DO_VERIFY 113
--# define DSA_F_DSA_GENERATE_KEY 124
--# define DSA_F_DSA_GENERATE_PARAMETERS_EX 123
-+# define DSA_F_DSA_GENERATE_KEY 126
-+# define DSA_F_DSA_GENERATE_PARAMETERS_EX 127
-+# define DSA_F_DSA_GENERATE_PARAMETERS /* unused */ 125
- # define DSA_F_DSA_NEW_METHOD 103
- # define DSA_F_DSA_PARAM_DECODE 119
- # define DSA_F_DSA_PRINT_FP 105
-@@ -317,12 +336,16 @@ void ERR_load_DSA_strings(void);
- # define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100
- # define DSA_R_DECODE_ERROR 104
- # define DSA_R_INVALID_DIGEST_TYPE 106
--# define DSA_R_INVALID_PARAMETERS 112
-+# define DSA_R_INVALID_PARAMETERS 212
-+# define DSA_R_KEY_SIZE_INVALID 113
-+# define DSA_R_KEY_SIZE_TOO_SMALL 110
- # define DSA_R_MISSING_PARAMETERS 101
- # define DSA_R_MODULUS_TOO_LARGE 103
--# define DSA_R_NEED_NEW_SETUP_VALUES 110
-+# define DSA_R_NEED_NEW_SETUP_VALUES 112
- # define DSA_R_NON_FIPS_DSA_METHOD 111
-+# define DSA_R_NON_FIPS_METHOD 111
- # define DSA_R_NO_PARAMETERS_SET 107
-+# define DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE /* unused */ 112
- # define DSA_R_PARAMETER_ENCODING_ERROR 105
- # define DSA_R_Q_NOT_PRIME 113
-
-diff -up openssl-1.0.2a/crypto/dsa/dsa_key.c.fips openssl-1.0.2a/crypto/dsa/dsa_key.c
---- openssl-1.0.2a/crypto/dsa/dsa_key.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/dsa/dsa_key.c 2015-04-22 16:08:40.286245512 +0200
-@@ -66,6 +66,34 @@
-
- # ifdef OPENSSL_FIPS
- # include <openssl/fips.h>
-+# include <openssl/evp.h>
-+
-+static int fips_check_dsa(DSA *dsa)
-+{
-+ EVP_PKEY *pk;
-+ unsigned char tbs[] = "DSA Pairwise Check Data";
-+ int ret = 0;
-+
-+ if ((pk = EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_set1_DSA(pk, dsa);
-+
-+ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))
-+ ret = 1;
-+
-+ err:
-+ if (ret == 0) {
-+ FIPSerr(FIPS_F_FIPS_CHECK_DSA, FIPS_R_PAIRWISE_TEST_FAILED);
-+ fips_set_selftest_fail();
-+ }
-+
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+
-+ return ret;
-+}
-+
- # endif
-
- static int dsa_builtin_keygen(DSA *dsa);
-@@ -81,10 +109,6 @@ int DSA_generate_key(DSA *dsa)
- # endif
- if (dsa->meth->dsa_keygen)
- return dsa->meth->dsa_keygen(dsa);
--# ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_dsa_generate_key(dsa);
--# endif
- return dsa_builtin_keygen(dsa);
- }
-
-@@ -94,6 +118,14 @@ static int dsa_builtin_keygen(DSA *dsa)
- BN_CTX *ctx = NULL;
- BIGNUM *pub_key = NULL, *priv_key = NULL;
-
-+# ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
-+ DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
-+ goto err;
-+ }
-+# endif
-+
- if ((ctx = BN_CTX_new()) == NULL)
- goto err;
-
-@@ -131,6 +163,13 @@ static int dsa_builtin_keygen(DSA *dsa)
-
- dsa->priv_key = priv_key;
- dsa->pub_key = pub_key;
-+# ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !fips_check_dsa(dsa)) {
-+ dsa->pub_key = NULL;
-+ dsa->priv_key = NULL;
-+ goto err;
-+ }
-+# endif
- ok = 1;
-
- err:
-diff -up openssl-1.0.2a/crypto/dsa/dsa_lib.c.fips openssl-1.0.2a/crypto/dsa/dsa_lib.c
---- openssl-1.0.2a/crypto/dsa/dsa_lib.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/dsa/dsa_lib.c 2015-04-22 16:08:40.287245536 +0200
-@@ -86,14 +86,7 @@ void DSA_set_default_method(const DSA_ME
- const DSA_METHOD *DSA_get_default_method(void)
- {
- if (!default_DSA_method) {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_dsa_openssl();
-- else
-- return DSA_OpenSSL();
--#else
- default_DSA_method = DSA_OpenSSL();
--#endif
- }
- return default_DSA_method;
- }
-diff -up openssl-1.0.2a/crypto/dsa/dsa_locl.h.fips openssl-1.0.2a/crypto/dsa/dsa_locl.h
---- openssl-1.0.2a/crypto/dsa/dsa_locl.h.fips 2015-04-22 16:08:40.058240114 +0200
-+++ openssl-1.0.2a/crypto/dsa/dsa_locl.h 2015-04-22 16:08:40.287245536 +0200
-@@ -56,7 +56,7 @@
-
- int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
- const EVP_MD *evpmd, const unsigned char *seed_in,
-- size_t seed_len, unsigned char *seed_out,
-+ size_t seed_len,
- int *counter_ret, unsigned long *h_ret,
- BN_GENCB *cb);
-
-diff -up openssl-1.0.2a/crypto/dsa/dsa_ossl.c.fips openssl-1.0.2a/crypto/dsa/dsa_ossl.c
---- openssl-1.0.2a/crypto/dsa/dsa_ossl.c.fips 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/dsa/dsa_ossl.c 2015-04-22 16:08:40.287245536 +0200
-@@ -65,6 +65,9 @@
- #include <openssl/dsa.h>
- #include <openssl/rand.h>
- #include <openssl/asn1.h>
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-
- static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
- static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
-@@ -83,7 +86,7 @@ static DSA_METHOD openssl_dsa_meth = {
- NULL, /* dsa_bn_mod_exp, */
- dsa_init,
- dsa_finish,
-- 0,
-+ DSA_FLAG_FIPS_METHOD,
- NULL,
- NULL,
- NULL
-@@ -140,6 +143,19 @@ static DSA_SIG *dsa_do_sign(const unsign
- DSA_SIG *ret = NULL;
- int noredo = 0;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_DSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED);
-+ return NULL;
-+ }
-+
-+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
-+ DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
-+ return NULL;
-+ }
-+#endif
-+
- BN_init(&m);
- BN_init(&xr);
-
-@@ -330,6 +346,18 @@ static int dsa_do_verify(const unsigned
- DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE);
- return -1;
- }
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_DSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED);
-+ return -1;
-+ }
-+
-+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
-+ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
-+ return -1;
-+ }
-+#endif
-
- if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
- DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE);
-@@ -410,6 +438,9 @@ static int dsa_do_verify(const unsigned
-
- static int dsa_init(DSA *dsa)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- dsa->flags |= DSA_FLAG_CACHE_MONT_P;
- return (1);
- }
-diff -up openssl-1.0.2a/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.2a/crypto/dsa/dsa_pmeth.c
---- openssl-1.0.2a/crypto/dsa/dsa_pmeth.c.fips 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/dsa/dsa_pmeth.c 2015-04-22 16:08:40.287245536 +0200
-@@ -253,7 +253,7 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT
- if (!dsa)
- return 0;
- ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
-- NULL, 0, NULL, NULL, NULL, pcb);
-+ NULL, 0, NULL, NULL, pcb);
- if (ret)
- EVP_PKEY_assign_DSA(pkey, dsa);
- else
-diff -up openssl-1.0.2a/crypto/dsa/dsatest.c.fips openssl-1.0.2a/crypto/dsa/dsatest.c
---- openssl-1.0.2a/crypto/dsa/dsatest.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/dsa/dsatest.c 2015-04-22 16:08:40.287245536 +0200
-@@ -100,36 +100,41 @@ static int MS_CALLBACK dsa_cb(int p, int
- * PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1
- */
- static unsigned char seed[20] = {
-- 0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8, 0xb6, 0x21, 0x1b, 0x40,
-- 0x62, 0xba, 0x32, 0x24, 0xe0, 0x42, 0x7d, 0xd3,
-+ 0x02, 0x47, 0x11, 0x92, 0x11, 0x88, 0xC8, 0xFB, 0xAF, 0x48, 0x4C, 0x62,
-+ 0xDF, 0xA5, 0xBE, 0xA0, 0xA4, 0x3C, 0x56, 0xE3,
- };
-
- static unsigned char out_p[] = {
-- 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76, 0xaa,
-- 0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69, 0xcb,
-- 0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c, 0xf7,
-- 0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82, 0xe5,
-- 0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e, 0xaf,
-- 0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a, 0xac,
-- 0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24, 0xc2,
-- 0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02, 0x91,
-+ 0xAC, 0xCB, 0x1E, 0x63, 0x60, 0x69, 0x0C, 0xFB, 0x06, 0x19, 0x68, 0x3E,
-+ 0xA5, 0x01, 0x5A, 0xA2, 0x15, 0x5C, 0xE2, 0x99, 0x2D, 0xD5, 0x30, 0x99,
-+ 0x7E, 0x5F, 0x8D, 0xE2, 0xF7, 0xC6, 0x2E, 0x8D, 0xA3, 0x9F, 0x58, 0xAD,
-+ 0xD6, 0xA9, 0x7D, 0x0E, 0x0D, 0x95, 0x53, 0xA6, 0x71, 0x3A, 0xDE, 0xAB,
-+ 0xAC, 0xE9, 0xF4, 0x36, 0x55, 0x9E, 0xB9, 0xD6, 0x93, 0xBF, 0xF3, 0x18,
-+ 0x1C, 0x14, 0x7B, 0xA5, 0x42, 0x2E, 0xCD, 0x00, 0xEB, 0x35, 0x3B, 0x1B,
-+ 0xA8, 0x51, 0xBB, 0xE1, 0x58, 0x42, 0x85, 0x84, 0x22, 0xA7, 0x97, 0x5E,
-+ 0x99, 0x6F, 0x38, 0x20, 0xBD, 0x9D, 0xB6, 0xD9, 0x33, 0x37, 0x2A, 0xFD,
-+ 0xBB, 0xD4, 0xBC, 0x0C, 0x2A, 0x67, 0xCB, 0x9F, 0xBB, 0xDF, 0xF9, 0x93,
-+ 0xAA, 0xD6, 0xF0, 0xD6, 0x95, 0x0B, 0x5D, 0x65, 0x14, 0xD0, 0x18, 0x9D,
-+ 0xC6, 0xAF, 0xF0, 0xC6, 0x37, 0x7C, 0xF3, 0x5F,
- };
-
- static unsigned char out_q[] = {
-- 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8, 0xee,
-- 0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4, 0x8e,
-- 0xda, 0xce, 0x91, 0x5f,
-+ 0xE3, 0x8E, 0x5E, 0x6D, 0xBF, 0x2B, 0x79, 0xF8, 0xC5, 0x4B, 0x89, 0x8B,
-+ 0xBA, 0x2D, 0x91, 0xC3, 0x6C, 0x80, 0xAC, 0x87,
- };
-
- static unsigned char out_g[] = {
-- 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, 0x13,
-- 0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5, 0x00,
-- 0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef, 0xcb,
-- 0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c, 0x2e,
-- 0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba, 0xbf,
-- 0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c, 0x9c,
-- 0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08, 0x8c,
-- 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88, 0x02,
-+ 0x42, 0x4A, 0x04, 0x4E, 0x79, 0xB4, 0x99, 0x7F, 0xFD, 0x58, 0x36, 0x2C,
-+ 0x1B, 0x5F, 0x18, 0x7E, 0x0D, 0xCC, 0xAB, 0x81, 0xC9, 0x5D, 0x10, 0xCE,
-+ 0x4E, 0x80, 0x7E, 0x58, 0xB4, 0x34, 0x3F, 0xA7, 0x45, 0xC7, 0xAA, 0x36,
-+ 0x24, 0x42, 0xA9, 0x3B, 0xE8, 0x0E, 0x04, 0x02, 0x2D, 0xFB, 0xA6, 0x13,
-+ 0xB9, 0xB5, 0x15, 0xA5, 0x56, 0x07, 0x35, 0xE4, 0x03, 0xB6, 0x79, 0x7C,
-+ 0x62, 0xDD, 0xDF, 0x3F, 0x71, 0x3A, 0x9D, 0x8B, 0xC4, 0xF6, 0xE7, 0x1D,
-+ 0x52, 0xA8, 0xA9, 0x43, 0x1D, 0x33, 0x51, 0x88, 0x39, 0xBD, 0x73, 0xE9,
-+ 0x5F, 0xBE, 0x82, 0x49, 0x27, 0xE6, 0xB5, 0x53, 0xC1, 0x38, 0xAC, 0x2F,
-+ 0x6D, 0x97, 0x6C, 0xEB, 0x67, 0xC1, 0x5F, 0x67, 0xF8, 0x35, 0x05, 0x5E,
-+ 0xD5, 0x68, 0x80, 0xAA, 0x96, 0xCA, 0x0B, 0x8A, 0xE6, 0xF1, 0xB1, 0x41,
-+ 0xC6, 0x75, 0x94, 0x0A, 0x0A, 0x2A, 0xFA, 0x29,
- };
-
- static const unsigned char str1[] = "12345678901234567890";
-@@ -162,7 +167,7 @@ int main(int argc, char **argv)
- BIO_printf(bio_err, "test generation of DSA parameters\n");
-
- BN_GENCB_set(&cb, dsa_cb, bio_err);
-- if (((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512,
-+ if (((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 1024,
- seed, 20,
- &counter,
- &h, &cb))
-@@ -176,8 +181,8 @@ int main(int argc, char **argv)
- BIO_printf(bio_err, "\ncounter=%d h=%ld\n", counter, h);
-
- DSA_print(bio_err, dsa, 0);
-- if (counter != 105) {
-- BIO_printf(bio_err, "counter should be 105\n");
-+ if (counter != 239) {
-+ BIO_printf(bio_err, "counter should be 239\n");
- goto end;
- }
- if (h != 2) {
-diff -up openssl-1.0.2a/crypto/engine/eng_all.c.fips openssl-1.0.2a/crypto/engine/eng_all.c
---- openssl-1.0.2a/crypto/engine/eng_all.c.fips 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/engine/eng_all.c 2015-04-22 16:08:40.287245536 +0200
-@@ -59,11 +59,25 @@
-
- #include "cryptlib.h"
- #include "eng_int.h"
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-
- void ENGINE_load_builtin_engines(void)
- {
- /* Some ENGINEs need this */
- OPENSSL_cpuid_setup();
-+#ifdef OPENSSL_FIPS
-+ OPENSSL_init_library();
-+ if (FIPS_mode()) {
-+ /* We allow loading dynamic engine as a third party
-+ engine might be FIPS validated.
-+ User is disallowed to load non-validated engines
-+ by security policy. */
-+ ENGINE_load_dynamic();
-+ return;
-+ }
-+#endif
- #if 0
- /*
- * There's no longer any need for an "openssl" ENGINE unless, one day, it
-diff -up openssl-1.0.2a/crypto/evp/c_allc.c.fips openssl-1.0.2a/crypto/evp/c_allc.c
---- openssl-1.0.2a/crypto/evp/c_allc.c.fips 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/evp/c_allc.c 2015-04-22 16:08:40.287245536 +0200
-@@ -65,6 +65,10 @@
- void OpenSSL_add_all_ciphers(void)
- {
-
-+#ifdef OPENSSL_FIPS
-+ OPENSSL_init_library();
-+ if (!FIPS_mode()) {
-+#endif
- #ifndef OPENSSL_NO_DES
- EVP_add_cipher(EVP_des_cfb());
- EVP_add_cipher(EVP_des_cfb1());
-@@ -238,4 +242,64 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher_alias(SN_camellia_256_cbc, "CAMELLIA256");
- EVP_add_cipher_alias(SN_camellia_256_cbc, "camellia256");
- #endif
-+#ifdef OPENSSL_FIPS
-+ } else {
-+# ifndef OPENSSL_NO_DES
-+ EVP_add_cipher(EVP_des_ede_cfb());
-+ EVP_add_cipher(EVP_des_ede3_cfb());
-+
-+ EVP_add_cipher(EVP_des_ede_ofb());
-+ EVP_add_cipher(EVP_des_ede3_ofb());
-+
-+ EVP_add_cipher(EVP_des_ede_cbc());
-+ EVP_add_cipher(EVP_des_ede3_cbc());
-+ EVP_add_cipher_alias(SN_des_ede3_cbc, "DES3");
-+ EVP_add_cipher_alias(SN_des_ede3_cbc, "des3");
-+
-+ EVP_add_cipher(EVP_des_ede());
-+ EVP_add_cipher(EVP_des_ede3());
-+# endif
-+
-+# ifndef OPENSSL_NO_AES
-+ EVP_add_cipher(EVP_aes_128_ecb());
-+ EVP_add_cipher(EVP_aes_128_cbc());
-+ EVP_add_cipher(EVP_aes_128_cfb());
-+ EVP_add_cipher(EVP_aes_128_cfb1());
-+ EVP_add_cipher(EVP_aes_128_cfb8());
-+ EVP_add_cipher(EVP_aes_128_ofb());
-+ EVP_add_cipher(EVP_aes_128_ctr());
-+ EVP_add_cipher(EVP_aes_128_gcm());
-+ EVP_add_cipher(EVP_aes_128_xts());
-+ EVP_add_cipher(EVP_aes_128_ccm());
-+ EVP_add_cipher(EVP_aes_128_wrap());
-+ EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
-+ EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
-+ EVP_add_cipher(EVP_aes_192_ecb());
-+ EVP_add_cipher(EVP_aes_192_cbc());
-+ EVP_add_cipher(EVP_aes_192_cfb());
-+ EVP_add_cipher(EVP_aes_192_cfb1());
-+ EVP_add_cipher(EVP_aes_192_cfb8());
-+ EVP_add_cipher(EVP_aes_192_ofb());
-+ EVP_add_cipher(EVP_aes_192_ctr());
-+ EVP_add_cipher(EVP_aes_192_gcm());
-+ EVP_add_cipher(EVP_aes_192_ccm());
-+ EVP_add_cipher(EVP_aes_192_wrap());
-+ EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
-+ EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
-+ EVP_add_cipher(EVP_aes_256_ecb());
-+ EVP_add_cipher(EVP_aes_256_cbc());
-+ EVP_add_cipher(EVP_aes_256_cfb());
-+ EVP_add_cipher(EVP_aes_256_cfb1());
-+ EVP_add_cipher(EVP_aes_256_cfb8());
-+ EVP_add_cipher(EVP_aes_256_ofb());
-+ EVP_add_cipher(EVP_aes_256_ctr());
-+ EVP_add_cipher(EVP_aes_256_gcm());
-+ EVP_add_cipher(EVP_aes_256_xts());
-+ EVP_add_cipher(EVP_aes_256_ccm());
-+ EVP_add_cipher(EVP_aes_256_wrap());
-+ EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
-+ EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
-+# endif
-+ }
-+#endif
- }
-diff -up openssl-1.0.2a/crypto/evp/c_alld.c.fips openssl-1.0.2a/crypto/evp/c_alld.c
---- openssl-1.0.2a/crypto/evp/c_alld.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/evp/c_alld.c 2015-04-22 16:08:40.288245560 +0200
-@@ -64,51 +64,81 @@
-
- void OpenSSL_add_all_digests(void)
- {
-+#ifdef OPENSSL_FIPS
-+ OPENSSL_init_library();
-+ if (!FIPS_mode()) {
-+#endif
- #ifndef OPENSSL_NO_MD4
-- EVP_add_digest(EVP_md4());
-+ EVP_add_digest(EVP_md4());
- #endif
- #ifndef OPENSSL_NO_MD5
-- EVP_add_digest(EVP_md5());
-- EVP_add_digest_alias(SN_md5, "ssl2-md5");
-- EVP_add_digest_alias(SN_md5, "ssl3-md5");
-+ EVP_add_digest(EVP_md5());
-+ EVP_add_digest_alias(SN_md5, "ssl2-md5");
-+ EVP_add_digest_alias(SN_md5, "ssl3-md5");
- #endif
- #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0)
-- EVP_add_digest(EVP_sha());
-+ EVP_add_digest(EVP_sha());
- # ifndef OPENSSL_NO_DSA
-- EVP_add_digest(EVP_dss());
-+ EVP_add_digest(EVP_dss());
- # endif
- #endif
- #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
-- EVP_add_digest(EVP_sha1());
-- EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
-- EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
-+ EVP_add_digest(EVP_sha1());
-+ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
-+ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
- # ifndef OPENSSL_NO_DSA
-- EVP_add_digest(EVP_dss1());
-- EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
-- EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
-- EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
-+ EVP_add_digest(EVP_dss1());
-+ EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
-+ EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
-+ EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
- # endif
- # ifndef OPENSSL_NO_ECDSA
-- EVP_add_digest(EVP_ecdsa());
-+ EVP_add_digest(EVP_ecdsa());
- # endif
- #endif
- #if !defined(OPENSSL_NO_MDC2) && !defined(OPENSSL_NO_DES)
-- EVP_add_digest(EVP_mdc2());
-+ EVP_add_digest(EVP_mdc2());
- #endif
- #ifndef OPENSSL_NO_RIPEMD
-- EVP_add_digest(EVP_ripemd160());
-- EVP_add_digest_alias(SN_ripemd160, "ripemd");
-- EVP_add_digest_alias(SN_ripemd160, "rmd160");
-+ EVP_add_digest(EVP_ripemd160());
-+ EVP_add_digest_alias(SN_ripemd160, "ripemd");
-+ EVP_add_digest_alias(SN_ripemd160, "rmd160");
- #endif
- #ifndef OPENSSL_NO_SHA256
-- EVP_add_digest(EVP_sha224());
-- EVP_add_digest(EVP_sha256());
-+ EVP_add_digest(EVP_sha224());
-+ EVP_add_digest(EVP_sha256());
- #endif
- #ifndef OPENSSL_NO_SHA512
-- EVP_add_digest(EVP_sha384());
-- EVP_add_digest(EVP_sha512());
-+ EVP_add_digest(EVP_sha384());
-+ EVP_add_digest(EVP_sha512());
- #endif
- #ifndef OPENSSL_NO_WHIRLPOOL
-- EVP_add_digest(EVP_whirlpool());
-+ EVP_add_digest(EVP_whirlpool());
-+#endif
-+#ifdef OPENSSL_FIPS
-+ } else {
-+# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
-+ EVP_add_digest(EVP_sha1());
-+ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
-+ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
-+# ifndef OPENSSL_NO_DSA
-+ EVP_add_digest(EVP_dss1());
-+ EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
-+ EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
-+ EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
-+# endif
-+# ifndef OPENSSL_NO_ECDSA
-+ EVP_add_digest(EVP_ecdsa());
-+# endif
-+# endif
-+# ifndef OPENSSL_NO_SHA256
-+ EVP_add_digest(EVP_sha224());
-+ EVP_add_digest(EVP_sha256());
-+# endif
-+# ifndef OPENSSL_NO_SHA512
-+ EVP_add_digest(EVP_sha384());
-+ EVP_add_digest(EVP_sha512());
-+# endif
-+ }
- #endif
- }
-diff -up openssl-1.0.2a/crypto/evp/digest.c.fips openssl-1.0.2a/crypto/evp/digest.c
---- openssl-1.0.2a/crypto/evp/digest.c.fips 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/evp/digest.c 2015-04-22 16:08:40.288245560 +0200
-@@ -143,18 +143,55 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons
- return EVP_DigestInit_ex(ctx, type, NULL);
- }
-
-+#ifdef OPENSSL_FIPS
-+
-+/* The purpose of these is to trap programs that attempt to use non FIPS
-+ * algorithms in FIPS mode and ignore the errors.
-+ */
-+
-+static int bad_init(EVP_MD_CTX *ctx)
-+{
-+ FIPS_ERROR_IGNORED("Digest init");
-+ return 0;
-+}
-+
-+static int bad_update(EVP_MD_CTX *ctx, const void *data, size_t count)
-+{
-+ FIPS_ERROR_IGNORED("Digest update");
-+ return 0;
-+}
-+
-+static int bad_final(EVP_MD_CTX *ctx, unsigned char *md)
-+{
-+ FIPS_ERROR_IGNORED("Digest Final");
-+ return 0;
-+}
-+
-+static const EVP_MD bad_md = {
-+ 0,
-+ 0,
-+ 0,
-+ 0,
-+ bad_init,
-+ bad_update,
-+ bad_final,
-+ NULL,
-+ NULL,
-+ NULL,
-+ 0,
-+ {0, 0, 0, 0},
-+};
-+
-+#endif
-+
- int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
- {
- EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
- #ifdef OPENSSL_FIPS
-- /* If FIPS mode switch to approved implementation if possible */
-- if (FIPS_mode()) {
-- const EVP_MD *fipsmd;
-- if (type) {
-- fipsmd = evp_get_fips_md(type);
-- if (fipsmd)
-- type = fipsmd;
-- }
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_EVP_DIGESTINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED);
-+ ctx->digest = &bad_md;
-+ return 0;
- }
- #endif
- #ifndef OPENSSL_NO_ENGINE
-@@ -212,6 +249,16 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
- }
- #endif
- if (ctx->digest != type) {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode()) {
-+ if (!(type->flags & EVP_MD_FLAG_FIPS)
-+ && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
-+ EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
-+ ctx->digest = &bad_md;
-+ return 0;
-+ }
-+ }
-+#endif
- if (ctx->digest && ctx->digest->ctx_size)
- OPENSSL_free(ctx->md_data);
- ctx->digest = type;
-@@ -236,25 +283,15 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
- }
- if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT)
- return 1;
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode()) {
-- if (FIPS_digestinit(ctx, type))
-- return 1;
-- OPENSSL_free(ctx->md_data);
-- ctx->md_data = NULL;
-- return 0;
-- }
--#endif
- return ctx->digest->init(ctx);
- }
-
- int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
- {
- #ifdef OPENSSL_FIPS
-- return FIPS_digestupdate(ctx, data, count);
--#else
-- return ctx->update(ctx, data, count);
-+ FIPS_selftest_check();
- #endif
-+ return ctx->update(ctx, data, count);
- }
-
- /* The caller can assume that this removes any secret data from the context */
-@@ -269,11 +306,11 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, uns
- /* The caller can assume that this removes any secret data from the context */
- int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
- {
--#ifdef OPENSSL_FIPS
-- return FIPS_digestfinal(ctx, md, size);
--#else
- int ret;
-
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
- ret = ctx->digest->final(ctx, md);
- if (size != NULL)
-@@ -284,7 +321,6 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx,
- }
- memset(ctx->md_data, 0, ctx->digest->ctx_size);
- return ret;
--#endif
- }
-
- int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in)
-@@ -373,7 +409,6 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
- /* This call frees resources associated with the context */
- int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
- {
--#ifndef OPENSSL_FIPS
- /*
- * Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because
- * sometimes only copies of the context are ever finalised.
-@@ -386,7 +421,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
- OPENSSL_cleanse(ctx->md_data, ctx->digest->ctx_size);
- OPENSSL_free(ctx->md_data);
- }
--#endif
- if (ctx->pctx)
- EVP_PKEY_CTX_free(ctx->pctx);
- #ifndef OPENSSL_NO_ENGINE
-@@ -397,9 +431,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
- */
- ENGINE_finish(ctx->engine);
- #endif
--#ifdef OPENSSL_FIPS
-- FIPS_md_ctx_cleanup(ctx);
--#endif
- memset(ctx, '\0', sizeof *ctx);
-
- return 1;
-diff -up openssl-1.0.2a/crypto/evp/e_aes.c.fips openssl-1.0.2a/crypto/evp/e_aes.c
---- openssl-1.0.2a/crypto/evp/e_aes.c.fips 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/evp/e_aes.c 2015-04-22 16:08:40.288245560 +0200
-@@ -59,9 +59,6 @@
- # include "modes_lcl.h"
- # include <openssl/rand.h>
-
--# undef EVP_CIPH_FLAG_FIPS
--# define EVP_CIPH_FLAG_FIPS 0
--
- typedef struct {
- union {
- double align;
-@@ -1158,6 +1155,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *
- case EVP_CTRL_GCM_SET_IVLEN:
- if (arg <= 0)
- return 0;
-+# ifdef OPENSSL_FIPS
-+ if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
-+ && arg < 12)
-+ return 0;
-+# endif
- /* Allocate memory for IV if needed */
- if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
- if (gctx->iv != c->iv)
-@@ -1726,6 +1728,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
- return 0;
- if (!out || !in || len < AES_BLOCK_SIZE)
- return 0;
-+# ifdef OPENSSL_FIPS
-+ /* Requirement of SP800-38E */
-+ if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
-+ (len > (1UL << 20) * 16)) {
-+ EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
-+ return 0;
-+ }
-+# endif
- if (xctx->stream)
- (*xctx->stream) (in, out, len,
- xctx->xts.key1, xctx->xts.key2, ctx->iv);
-diff -up openssl-1.0.2a/crypto/evp/e_des3.c.fips openssl-1.0.2a/crypto/evp/e_des3.c
---- openssl-1.0.2a/crypto/evp/e_des3.c.fips 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/evp/e_des3.c 2015-04-22 16:08:40.288245560 +0200
-@@ -65,10 +65,6 @@
- # include <openssl/des.h>
- # include <openssl/rand.h>
-
--/* Block use of implementations in FIPS mode */
--# undef EVP_CIPH_FLAG_FIPS
--# define EVP_CIPH_FLAG_FIPS 0
--
- typedef struct {
- union {
- double align;
-diff -up openssl-1.0.2a/crypto/evp/e_null.c.fips openssl-1.0.2a/crypto/evp/e_null.c
---- openssl-1.0.2a/crypto/evp/e_null.c.fips 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/evp/e_null.c 2015-04-22 16:08:40.288245560 +0200
-@@ -68,7 +68,7 @@ static int null_cipher(EVP_CIPHER_CTX *c
- static const EVP_CIPHER n_cipher = {
- NID_undef,
- 1, 0, 0,
-- 0,
-+ EVP_CIPH_FLAG_FIPS,
- null_init_key,
- null_cipher,
- NULL,
-diff -up openssl-1.0.2a/crypto/evp/evp_enc.c.fips openssl-1.0.2a/crypto/evp/evp_enc.c
---- openssl-1.0.2a/crypto/evp/evp_enc.c.fips 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/evp/evp_enc.c 2015-04-22 16:08:40.289245583 +0200
-@@ -69,16 +69,73 @@
- #endif
- #include "evp_locl.h"
-
--#ifdef OPENSSL_FIPS
--# define M_do_cipher(ctx, out, in, inl) FIPS_cipher(ctx, out, in, inl)
--#else
--# define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl)
--#endif
-+#define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl)
-
- const char EVP_version[] = "EVP" OPENSSL_VERSION_PTEXT;
-
-+#ifdef OPENSSL_FIPS
-+
-+/* The purpose of these is to trap programs that attempt to use non FIPS
-+ * algorithms in FIPS mode and ignore the errors.
-+ */
-+
-+static int bad_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-+ const unsigned char *iv, int enc)
-+{
-+ FIPS_ERROR_IGNORED("Cipher init");
-+ return 0;
-+}
-+
-+static int bad_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+ const unsigned char *in, unsigned int inl)
-+{
-+ FIPS_ERROR_IGNORED("Cipher update");
-+ return 0;
-+}
-+
-+/* NB: no cleanup because it is allowed after failed init */
-+
-+static int bad_set_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
-+{
-+ FIPS_ERROR_IGNORED("Cipher set_asn1");
-+ return 0;
-+}
-+
-+static int bad_get_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
-+{
-+ FIPS_ERROR_IGNORED("Cipher get_asn1");
-+ return 0;
-+}
-+
-+static int bad_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
-+{
-+ FIPS_ERROR_IGNORED("Cipher ctrl");
-+ return 0;
-+}
-+
-+static const EVP_CIPHER bad_cipher = {
-+ 0,
-+ 0,
-+ 0,
-+ 0,
-+ 0,
-+ bad_init,
-+ bad_do_cipher,
-+ NULL,
-+ 0,
-+ bad_set_asn1,
-+ bad_get_asn1,
-+ bad_ctrl,
-+ NULL
-+};
-+
-+#endif
-+
- void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- memset(ctx, 0, sizeof(EVP_CIPHER_CTX));
- /* ctx->cipher=NULL; */
- }
-@@ -110,6 +167,13 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
- enc = 1;
- ctx->encrypt = enc;
- }
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_EVP_CIPHERINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED);
-+ ctx->cipher = &bad_cipher;
-+ return 0;
-+ }
-+#endif
- #ifndef OPENSSL_NO_ENGINE
- /*
- * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
-@@ -168,16 +232,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
- ctx->engine = NULL;
- #endif
-
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode()) {
-- const EVP_CIPHER *fcipher;
-- if (cipher)
-- fcipher = evp_get_fips_cipher(cipher);
-- if (fcipher)
-- cipher = fcipher;
-- return FIPS_cipherinit(ctx, cipher, key, iv, enc);
-- }
--#endif
- ctx->cipher = cipher;
- if (ctx->cipher->ctx_size) {
- ctx->cipher_data = OPENSSL_malloc(ctx->cipher->ctx_size);
-@@ -204,10 +258,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
- #ifndef OPENSSL_NO_ENGINE
- skip_to_init:
- #endif
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_cipherinit(ctx, cipher, key, iv, enc);
--#endif
- /* we assume block size is a power of 2 in *cryptUpdate */
- OPENSSL_assert(ctx->cipher->block_size == 1
- || ctx->cipher->block_size == 8
-@@ -253,6 +303,19 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
- break;
- }
- }
-+#ifdef OPENSSL_FIPS
-+ /* After 'key' is set no further parameters changes are permissible.
-+ * So only check for non FIPS enabling at this point.
-+ */
-+ if (key && FIPS_mode()) {
-+ if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS)
-+ & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) {
-+ EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS);
-+ ctx->cipher = &bad_cipher;
-+ return 0;
-+ }
-+ }
-+#endif
-
- if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
- if (!ctx->cipher->init(ctx, key, iv, enc))
-@@ -554,7 +617,6 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX
-
- int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
- {
--#ifndef OPENSSL_FIPS
- if (c->cipher != NULL) {
- if (c->cipher->cleanup && !c->cipher->cleanup(c))
- return 0;
-@@ -564,7 +626,6 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CT
- }
- if (c->cipher_data)
- OPENSSL_free(c->cipher_data);
--#endif
- #ifndef OPENSSL_NO_ENGINE
- if (c->engine)
- /*
-@@ -573,9 +634,6 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CT
- */
- ENGINE_finish(c->engine);
- #endif
--#ifdef OPENSSL_FIPS
-- FIPS_cipher_ctx_cleanup(c);
--#endif
- memset(c, 0, sizeof(EVP_CIPHER_CTX));
- return 1;
- }
-diff -up openssl-1.0.2a/crypto/evp/evp.h.fips openssl-1.0.2a/crypto/evp/evp.h
---- openssl-1.0.2a/crypto/evp/evp.h.fips 2015-04-22 16:08:40.174242860 +0200
-+++ openssl-1.0.2a/crypto/evp/evp.h 2015-04-22 16:08:40.289245583 +0200
-@@ -123,6 +123,10 @@
- extern "C" {
- #endif
-
-+# ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+# endif
-+
- /*
- * Type needs to be a bit field Sub-type needs to be for variations on the
- * method, as in, can it do arbitrary encryption....
-@@ -286,11 +290,6 @@ struct env_md_ctx_st {
- * cleaned */
- # define EVP_MD_CTX_FLAG_REUSE 0x0004/* Don't free up ctx->md_data
- * in EVP_MD_CTX_cleanup */
--/*
-- * FIPS and pad options are ignored in 1.0.0, definitions are here so we
-- * don't accidentally reuse the values for other purposes.
-- */
--
- # define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008/* Allow use of non FIPS
- * digest in FIPS mode */
-
-@@ -303,6 +302,10 @@ struct env_md_ctx_st {
- # define EVP_MD_CTX_FLAG_PAD_PKCS1 0x00/* PKCS#1 v1.5 mode */
- # define EVP_MD_CTX_FLAG_PAD_X931 0x10/* X9.31 mode */
- # define EVP_MD_CTX_FLAG_PAD_PSS 0x20/* PSS mode */
-+# define M_EVP_MD_CTX_FLAG_PSS_SALT(ctx) \
-+ ((ctx->flags>>16) &0xFFFF) /* seed length */
-+# define EVP_MD_CTX_FLAG_PSS_MDLEN 0xFFFF/* salt len same as digest */
-+# define EVP_MD_CTX_FLAG_PSS_MREC 0xFFFE/* salt max or auto recovered */
-
- # define EVP_MD_CTX_FLAG_NO_INIT 0x0100/* Don't initialize md_data */
-
-@@ -364,15 +367,15 @@ struct evp_cipher_st {
- /* cipher handles random key generation */
- # define EVP_CIPH_RAND_KEY 0x200
- /* cipher has its own additional copying logic */
--# define EVP_CIPH_CUSTOM_COPY 0x400
-+# define EVP_CIPH_CUSTOM_COPY 0x4000
- /* Allow use default ASN1 get/set iv */
- # define EVP_CIPH_FLAG_DEFAULT_ASN1 0x1000
- /* Buffer length in bits not bytes: CFB1 mode only */
- # define EVP_CIPH_FLAG_LENGTH_BITS 0x2000
- /* Note if suitable for use in FIPS mode */
--# define EVP_CIPH_FLAG_FIPS 0x4000
-+# define EVP_CIPH_FLAG_FIPS 0x400
- /* Allow non FIPS cipher in FIPS mode */
--# define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x8000
-+# define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x800
- /*
- * Cipher handles any and all padding logic as well as finalisation.
- */
-diff -up openssl-1.0.2a/crypto/evp/evp_lib.c.fips openssl-1.0.2a/crypto/evp/evp_lib.c
---- openssl-1.0.2a/crypto/evp/evp_lib.c.fips 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/evp/evp_lib.c 2015-04-22 16:10:58.297513170 +0200
-@@ -60,10 +60,6 @@
- #include "cryptlib.h"
- #include <openssl/evp.h>
- #include <openssl/objects.h>
--#ifdef OPENSSL_FIPS
--# include <openssl/fips.h>
--# include "evp_locl.h"
--#endif
-
- int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
- {
-@@ -200,6 +196,9 @@ int EVP_CIPHER_CTX_block_size(const EVP_
- int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
- const unsigned char *in, unsigned int inl)
- {
-+#ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+#endif
- return ctx->cipher->do_cipher(ctx, out, in, inl);
- }
-
-@@ -210,22 +209,12 @@ const EVP_CIPHER *EVP_CIPHER_CTX_cipher(
-
- unsigned long EVP_CIPHER_flags(const EVP_CIPHER *cipher)
- {
--#ifdef OPENSSL_FIPS
-- const EVP_CIPHER *fcipher;
-- fcipher = evp_get_fips_cipher(cipher);
-- if (fcipher && fcipher->flags & EVP_CIPH_FLAG_FIPS)
-- return cipher->flags | EVP_CIPH_FLAG_FIPS;
--#endif
- return cipher->flags;
- }
-
- unsigned long EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx)
- {
--#ifdef OPENSSL_FIPS
-- return EVP_CIPHER_flags(ctx->cipher);
--#else
- return ctx->cipher->flags;
--#endif
- }
-
- void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx)
-@@ -292,40 +281,8 @@ int EVP_MD_size(const EVP_MD *md)
- return md->md_size;
- }
-
--#ifdef OPENSSL_FIPS
--
--const EVP_MD *evp_get_fips_md(const EVP_MD *md)
--{
-- int nid = EVP_MD_type(md);
-- if (nid == NID_dsa)
-- return FIPS_evp_dss1();
-- else if (nid == NID_dsaWithSHA)
-- return FIPS_evp_dss();
-- else if (nid == NID_ecdsa_with_SHA1)
-- return FIPS_evp_ecdsa();
-- else
-- return FIPS_get_digestbynid(nid);
--}
--
--const EVP_CIPHER *evp_get_fips_cipher(const EVP_CIPHER *cipher)
--{
-- int nid = cipher->nid;
-- if (nid == NID_undef)
-- return FIPS_evp_enc_null();
-- else
-- return FIPS_get_cipherbynid(nid);
--}
--
--#endif
--
- unsigned long EVP_MD_flags(const EVP_MD *md)
- {
--#ifdef OPENSSL_FIPS
-- const EVP_MD *fmd;
-- fmd = evp_get_fips_md(md);
-- if (fmd && fmd->flags & EVP_MD_FLAG_FIPS)
-- return md->flags | EVP_MD_FLAG_FIPS;
--#endif
- return md->flags;
- }
-
-diff -up openssl-1.0.2a/crypto/evp/evp_locl.h.fips openssl-1.0.2a/crypto/evp/evp_locl.h
---- openssl-1.0.2a/crypto/evp/evp_locl.h.fips 2015-04-22 16:08:40.170242766 +0200
-+++ openssl-1.0.2a/crypto/evp/evp_locl.h 2015-04-22 16:08:40.289245583 +0200
-@@ -258,10 +258,8 @@ const EVP_CIPHER *EVP_##cname##_ecb(void
- BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \
- BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \
- NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \
-- 0, cipher##_init_key, NULL, \
-- EVP_CIPHER_set_asn1_iv, \
-- EVP_CIPHER_get_asn1_iv, \
-- NULL)
-+ EVP_CIPH_FLAG_DEFAULT_ASN1, \
-+ cipher##_init_key, NULL, NULL, NULL, NULL)
-
- struct evp_pkey_ctx_st {
- /* Method associated with this operation */
-@@ -355,11 +353,6 @@ const EVP_CIPHER *evp_get_fips_cipher(co
- # define MD2_Init private_MD2_Init
- # define MDC2_Init private_MDC2_Init
- # define SHA_Init private_SHA_Init
--# define SHA1_Init private_SHA1_Init
--# define SHA224_Init private_SHA224_Init
--# define SHA256_Init private_SHA256_Init
--# define SHA384_Init private_SHA384_Init
--# define SHA512_Init private_SHA512_Init
-
- # define BF_set_key private_BF_set_key
- # define CAST_set_key private_CAST_set_key
-@@ -367,7 +360,6 @@ const EVP_CIPHER *evp_get_fips_cipher(co
- # define SEED_set_key private_SEED_set_key
- # define RC2_set_key private_RC2_set_key
- # define RC4_set_key private_RC4_set_key
--# define DES_set_key_unchecked private_DES_set_key_unchecked
- # define Camellia_set_key private_Camellia_set_key
-
- #endif
-diff -up openssl-1.0.2a/crypto/evp/m_dss.c.fips openssl-1.0.2a/crypto/evp/m_dss.c
---- openssl-1.0.2a/crypto/evp/m_dss.c.fips 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/evp/m_dss.c 2015-04-22 16:08:40.290245607 +0200
-@@ -86,7 +86,7 @@ static const EVP_MD dsa_md = {
- NID_dsaWithSHA,
- NID_dsaWithSHA,
- SHA_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_DIGEST,
-+ EVP_MD_FLAG_PKEY_DIGEST | EVP_MD_FLAG_FIPS,
- init,
- update,
- final,
-diff -up openssl-1.0.2a/crypto/evp/m_dss1.c.fips openssl-1.0.2a/crypto/evp/m_dss1.c
---- openssl-1.0.2a/crypto/evp/m_dss1.c.fips 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/evp/m_dss1.c 2015-04-22 16:08:40.290245607 +0200
-@@ -87,7 +87,7 @@ static const EVP_MD dss1_md = {
- NID_dsa,
- NID_dsaWithSHA1,
- SHA_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_DIGEST,
-+ EVP_MD_FLAG_PKEY_DIGEST | EVP_MD_FLAG_FIPS,
- init,
- update,
- final,
-diff -up openssl-1.0.2a/crypto/evp/m_md2.c.fips openssl-1.0.2a/crypto/evp/m_md2.c
---- openssl-1.0.2a/crypto/evp/m_md2.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/evp/m_md2.c 2015-04-22 16:08:40.290245607 +0200
-@@ -68,6 +68,7 @@
- # ifndef OPENSSL_NO_RSA
- # include <openssl/rsa.h>
- # endif
-+# include "evp_locl.h"
-
- static int init(EVP_MD_CTX *ctx)
- {
-diff -up openssl-1.0.2a/crypto/evp/m_sha1.c.fips openssl-1.0.2a/crypto/evp/m_sha1.c
---- openssl-1.0.2a/crypto/evp/m_sha1.c.fips 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/evp/m_sha1.c 2015-04-22 16:08:40.290245607 +0200
-@@ -87,7 +87,8 @@ static const EVP_MD sha1_md = {
- NID_sha1,
- NID_sha1WithRSAEncryption,
- SHA_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
-+ EVP_MD_FLAG_FIPS,
- init,
- update,
- final,
-@@ -134,7 +135,8 @@ static const EVP_MD sha224_md = {
- NID_sha224,
- NID_sha224WithRSAEncryption,
- SHA224_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
-+ EVP_MD_FLAG_FIPS,
- init224,
- update256,
- final256,
-@@ -154,7 +156,8 @@ static const EVP_MD sha256_md = {
- NID_sha256,
- NID_sha256WithRSAEncryption,
- SHA256_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
-+ EVP_MD_FLAG_FIPS,
- init256,
- update256,
- final256,
-@@ -197,7 +200,8 @@ static const EVP_MD sha384_md = {
- NID_sha384,
- NID_sha384WithRSAEncryption,
- SHA384_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
-+ EVP_MD_FLAG_FIPS,
- init384,
- update512,
- final512,
-@@ -217,7 +221,8 @@ static const EVP_MD sha512_md = {
- NID_sha512,
- NID_sha512WithRSAEncryption,
- SHA512_DIGEST_LENGTH,
-- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
-+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
-+ EVP_MD_FLAG_FIPS,
- init512,
- update512,
- final512,
-diff -up openssl-1.0.2a/crypto/evp/p_sign.c.fips openssl-1.0.2a/crypto/evp/p_sign.c
---- openssl-1.0.2a/crypto/evp/p_sign.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/evp/p_sign.c 2015-04-22 16:08:40.290245607 +0200
-@@ -61,6 +61,7 @@
- #include <openssl/evp.h>
- #include <openssl/objects.h>
- #include <openssl/x509.h>
-+#include <openssl/rsa.h>
-
- #ifdef undef
- void EVP_SignInit(EVP_MD_CTX *ctx, EVP_MD *type)
-@@ -101,6 +102,22 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig
- goto err;
- if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
- goto err;
-+ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
-+ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
-+ goto err;
-+ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS) {
-+ int saltlen;
-+ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <=
-+ 0)
-+ goto err;
-+ saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
-+ if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
-+ saltlen = -1;
-+ else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
-+ saltlen = -2;
-+ if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
-+ goto err;
-+ }
- if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0)
- goto err;
- *siglen = sltmp;
-diff -up openssl-1.0.2a/crypto/evp/p_verify.c.fips openssl-1.0.2a/crypto/evp/p_verify.c
---- openssl-1.0.2a/crypto/evp/p_verify.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/evp/p_verify.c 2015-04-22 16:08:40.290245607 +0200
-@@ -61,6 +61,7 @@
- #include <openssl/evp.h>
- #include <openssl/objects.h>
- #include <openssl/x509.h>
-+#include <openssl/rsa.h>
-
- int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
- unsigned int siglen, EVP_PKEY *pkey)
-@@ -87,6 +88,22 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, con
- goto err;
- if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
- goto err;
-+ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
-+ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
-+ goto err;
-+ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS) {
-+ int saltlen;
-+ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <=
-+ 0)
-+ goto err;
-+ saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
-+ if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
-+ saltlen = -1;
-+ else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
-+ saltlen = -2;
-+ if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
-+ goto err;
-+ }
- i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len);
- err:
- EVP_PKEY_CTX_free(pkctx);
-diff -up openssl-1.0.2a/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_aes_selftest.c
---- openssl-1.0.2a/crypto/fips/fips_aes_selftest.c.fips 2015-04-22 16:08:40.294245702 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_aes_selftest.c 2015-04-22 16:08:40.294245702 +0200
-@@ -0,0 +1,365 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-+#include <openssl/evp.h>
-+
-+#ifdef OPENSSL_FIPS
-+static const struct {
-+ const unsigned char key[16];
-+ const unsigned char plaintext[16];
-+ const unsigned char ciphertext[16];
-+} tests[] = {
-+ {
-+ {
-+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F}, {
-+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
-+ 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}, {
-+0x69, 0xC4, 0xE0, 0xD8, 0x6A, 0x7B, 0x04, 0x30,
-+ 0xD8, 0xCD, 0xB7, 0x80, 0x70, 0xB4, 0xC5, 0x5A},},};
-+
-+static int corrupt_aes;
-+
-+void FIPS_corrupt_aes()
-+{
-+ corrupt_aes = 1;
-+}
-+
-+int FIPS_selftest_aes()
-+{
-+ int n;
-+ int ret = 0;
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+
-+ for (n = 0; n < 1; ++n) {
-+ unsigned char key[16];
-+
-+ memcpy(key, tests[n].key, sizeof(key));
-+ if (corrupt_aes)
-+ key[0]++;
-+ if (fips_cipher_test(&ctx, EVP_aes_128_ecb(),
-+ key, NULL,
-+ tests[n].plaintext,
-+ tests[n].ciphertext, 16) <= 0)
-+ goto err;
-+ }
-+ ret = 1;
-+ err:
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+ if (ret == 0)
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES, FIPS_R_SELFTEST_FAILED);
-+ return ret;
-+}
-+
-+/* AES-CCM test data from NIST public test vectors */
-+
-+static const unsigned char ccm_key[] = {
-+ 0xce, 0xb0, 0x09, 0xae, 0xa4, 0x45, 0x44, 0x51, 0xfe, 0xad, 0xf0, 0xe6,
-+ 0xb3, 0x6f, 0x45, 0x55, 0x5d, 0xd0, 0x47, 0x23, 0xba, 0xa4, 0x48, 0xe8
-+};
-+
-+static const unsigned char ccm_nonce[] = {
-+ 0x76, 0x40, 0x43, 0xc4, 0x94, 0x60, 0xb7
-+};
-+
-+static const unsigned char ccm_adata[] = {
-+ 0x6e, 0x80, 0xdd, 0x7f, 0x1b, 0xad, 0xf3, 0xa1, 0xc9, 0xab, 0x25, 0xc7,
-+ 0x5f, 0x10, 0xbd, 0xe7, 0x8c, 0x23, 0xfa, 0x0e, 0xb8, 0xf9, 0xaa, 0xa5,
-+ 0x3a, 0xde, 0xfb, 0xf4, 0xcb, 0xf7, 0x8f, 0xe4
-+};
-+
-+static const unsigned char ccm_pt[] = {
-+ 0xc8, 0xd2, 0x75, 0xf9, 0x19, 0xe1, 0x7d, 0x7f, 0xe6, 0x9c, 0x2a, 0x1f,
-+ 0x58, 0x93, 0x9d, 0xfe, 0x4d, 0x40, 0x37, 0x91, 0xb5, 0xdf, 0x13, 0x10
-+};
-+
-+static const unsigned char ccm_ct[] = {
-+ 0x8a, 0x0f, 0x3d, 0x82, 0x29, 0xe4, 0x8e, 0x74, 0x87, 0xfd, 0x95, 0xa2,
-+ 0x8a, 0xd3, 0x92, 0xc8, 0x0b, 0x36, 0x81, 0xd4, 0xfb, 0xc7, 0xbb, 0xfd
-+};
-+
-+static const unsigned char ccm_tag[] = {
-+ 0x2d, 0xd6, 0xef, 0x1c, 0x45, 0xd4, 0xcc, 0xb7, 0x23, 0xdc, 0x07, 0x44,
-+ 0x14, 0xdb, 0x50, 0x6d
-+};
-+
-+int FIPS_selftest_aes_ccm(void)
-+{
-+ int ret = 0;
-+ unsigned char out[128], tag[16];
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+ memset(out, 0, sizeof(out));
-+ if (!EVP_CipherInit_ex(&ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 1))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN,
-+ sizeof(ccm_nonce), NULL))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG,
-+ sizeof(ccm_tag), NULL))
-+ goto err;
-+ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, ccm_key, ccm_nonce, 1))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, NULL, sizeof(ccm_pt)) != sizeof(ccm_pt))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
-+ goto err;
-+ if (EVP_Cipher(&ctx, out, ccm_pt, sizeof(ccm_pt)) != sizeof(ccm_ct))
-+ goto err;
-+
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_GET_TAG, 16, tag))
-+ goto err;
-+ if (memcmp(tag, ccm_tag, sizeof(ccm_tag))
-+ || memcmp(out, ccm_ct, sizeof(ccm_ct)))
-+ goto err;
-+
-+ memset(out, 0, sizeof(out));
-+
-+ if (!EVP_CipherInit_ex(&ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 0))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN,
-+ sizeof(ccm_nonce), NULL))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG, 16, tag))
-+ goto err;
-+ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, ccm_key, ccm_nonce, 0))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, NULL, sizeof(ccm_ct)) != sizeof(ccm_ct))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
-+ goto err;
-+ if (EVP_Cipher(&ctx, out, ccm_ct, sizeof(ccm_ct)) != sizeof(ccm_pt))
-+ goto err;
-+
-+ if (memcmp(out, ccm_pt, sizeof(ccm_pt)))
-+ goto err;
-+
-+ ret = 1;
-+
-+ err:
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+
-+ if (ret == 0) {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_CCM, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ } else
-+ return ret;
-+
-+}
-+
-+/* AES-GCM test data from NIST public test vectors */
-+
-+static const unsigned char gcm_key[] = {
-+ 0xee, 0xbc, 0x1f, 0x57, 0x48, 0x7f, 0x51, 0x92, 0x1c, 0x04, 0x65, 0x66,
-+ 0x5f, 0x8a, 0xe6, 0xd1, 0x65, 0x8b, 0xb2, 0x6d, 0xe6, 0xf8, 0xa0, 0x69,
-+ 0xa3, 0x52, 0x02, 0x93, 0xa5, 0x72, 0x07, 0x8f
-+};
-+
-+static const unsigned char gcm_iv[] = {
-+ 0x99, 0xaa, 0x3e, 0x68, 0xed, 0x81, 0x73, 0xa0, 0xee, 0xd0, 0x66, 0x84
-+};
-+
-+static const unsigned char gcm_pt[] = {
-+ 0xf5, 0x6e, 0x87, 0x05, 0x5b, 0xc3, 0x2d, 0x0e, 0xeb, 0x31, 0xb2, 0xea,
-+ 0xcc, 0x2b, 0xf2, 0xa5
-+};
-+
-+static const unsigned char gcm_aad[] = {
-+ 0x4d, 0x23, 0xc3, 0xce, 0xc3, 0x34, 0xb4, 0x9b, 0xdb, 0x37, 0x0c, 0x43,
-+ 0x7f, 0xec, 0x78, 0xde
-+};
-+
-+static const unsigned char gcm_ct[] = {
-+ 0xf7, 0x26, 0x44, 0x13, 0xa8, 0x4c, 0x0e, 0x7c, 0xd5, 0x36, 0x86, 0x7e,
-+ 0xb9, 0xf2, 0x17, 0x36
-+};
-+
-+static const unsigned char gcm_tag[] = {
-+ 0x67, 0xba, 0x05, 0x10, 0x26, 0x2a, 0xe4, 0x87, 0xd7, 0x37, 0xee, 0x62,
-+ 0x98, 0xf7, 0x7e, 0x0c
-+};
-+
-+int FIPS_selftest_aes_gcm(void)
-+{
-+ int ret = 0;
-+ unsigned char out[128], tag[16];
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+ memset(out, 0, sizeof(out));
-+ memset(tag, 0, sizeof(tag));
-+ if (!EVP_CipherInit_ex(&ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 1))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN,
-+ sizeof(gcm_iv), NULL))
-+ goto err;
-+ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, gcm_key, gcm_iv, 1))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
-+ goto err;
-+ if (EVP_Cipher(&ctx, out, gcm_pt, sizeof(gcm_pt)) != sizeof(gcm_ct))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, NULL, 0) < 0)
-+ goto err;
-+
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, 16, tag))
-+ goto err;
-+
-+ if (memcmp(tag, gcm_tag, 16) || memcmp(out, gcm_ct, 16))
-+ goto err;
-+
-+ memset(out, 0, sizeof(out));
-+
-+ if (!EVP_CipherInit_ex(&ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 0))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN,
-+ sizeof(gcm_iv), NULL))
-+ goto err;
-+ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, 16, tag))
-+ goto err;
-+ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, gcm_key, gcm_iv, 0))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
-+ goto err;
-+ if (EVP_Cipher(&ctx, out, gcm_ct, sizeof(gcm_ct)) != sizeof(gcm_pt))
-+ goto err;
-+ if (EVP_Cipher(&ctx, NULL, NULL, 0) < 0)
-+ goto err;
-+
-+ if (memcmp(out, gcm_pt, 16))
-+ goto err;
-+
-+ ret = 1;
-+
-+ err:
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+
-+ if (ret == 0) {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_GCM, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ } else
-+ return ret;
-+
-+}
-+
-+static const unsigned char XTS_128_key[] = {
-+ 0xa1, 0xb9, 0x0c, 0xba, 0x3f, 0x06, 0xac, 0x35, 0x3b, 0x2c, 0x34, 0x38,
-+ 0x76, 0x08, 0x17, 0x62, 0x09, 0x09, 0x23, 0x02, 0x6e, 0x91, 0x77, 0x18,
-+ 0x15, 0xf2, 0x9d, 0xab, 0x01, 0x93, 0x2f, 0x2f
-+};
-+
-+static const unsigned char XTS_128_i[] = {
-+ 0x4f, 0xae, 0xf7, 0x11, 0x7c, 0xda, 0x59, 0xc6, 0x6e, 0x4b, 0x92, 0x01,
-+ 0x3e, 0x76, 0x8a, 0xd5
-+};
-+
-+static const unsigned char XTS_128_pt[] = {
-+ 0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d, 0x6f, 0xb3, 0x50, 0x39,
-+ 0x07, 0x90, 0x31, 0x1c
-+};
-+
-+static const unsigned char XTS_128_ct[] = {
-+ 0x77, 0x8a, 0xe8, 0xb4, 0x3c, 0xb9, 0x8d, 0x5a, 0x82, 0x50, 0x81, 0xd5,
-+ 0xbe, 0x47, 0x1c, 0x63
-+};
-+
-+static const unsigned char XTS_256_key[] = {
-+ 0x1e, 0xa6, 0x61, 0xc5, 0x8d, 0x94, 0x3a, 0x0e, 0x48, 0x01, 0xe4, 0x2f,
-+ 0x4b, 0x09, 0x47, 0x14, 0x9e, 0x7f, 0x9f, 0x8e, 0x3e, 0x68, 0xd0, 0xc7,
-+ 0x50, 0x52, 0x10, 0xbd, 0x31, 0x1a, 0x0e, 0x7c, 0xd6, 0xe1, 0x3f, 0xfd,
-+ 0xf2, 0x41, 0x8d, 0x8d, 0x19, 0x11, 0xc0, 0x04, 0xcd, 0xa5, 0x8d, 0xa3,
-+ 0xd6, 0x19, 0xb7, 0xe2, 0xb9, 0x14, 0x1e, 0x58, 0x31, 0x8e, 0xea, 0x39,
-+ 0x2c, 0xf4, 0x1b, 0x08
-+};
-+
-+static const unsigned char XTS_256_i[] = {
-+ 0xad, 0xf8, 0xd9, 0x26, 0x27, 0x46, 0x4a, 0xd2, 0xf0, 0x42, 0x8e, 0x84,
-+ 0xa9, 0xf8, 0x75, 0x64
-+};
-+
-+static const unsigned char XTS_256_pt[] = {
-+ 0x2e, 0xed, 0xea, 0x52, 0xcd, 0x82, 0x15, 0xe1, 0xac, 0xc6, 0x47, 0xe8,
-+ 0x10, 0xbb, 0xc3, 0x64, 0x2e, 0x87, 0x28, 0x7f, 0x8d, 0x2e, 0x57, 0xe3,
-+ 0x6c, 0x0a, 0x24, 0xfb, 0xc1, 0x2a, 0x20, 0x2e
-+};
-+
-+static const unsigned char XTS_256_ct[] = {
-+ 0xcb, 0xaa, 0xd0, 0xe2, 0xf6, 0xce, 0xa3, 0xf5, 0x0b, 0x37, 0xf9, 0x34,
-+ 0xd4, 0x6a, 0x9b, 0x13, 0x0b, 0x9d, 0x54, 0xf0, 0x7e, 0x34, 0xf3, 0x6a,
-+ 0xf7, 0x93, 0xe8, 0x6f, 0x73, 0xc6, 0xd7, 0xdb
-+};
-+
-+int FIPS_selftest_aes_xts()
-+{
-+ int ret = 1;
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+
-+ if (fips_cipher_test(&ctx, EVP_aes_128_xts(),
-+ XTS_128_key, XTS_128_i, XTS_128_pt, XTS_128_ct,
-+ sizeof(XTS_128_pt)) <= 0)
-+ ret = 0;
-+
-+ if (fips_cipher_test(&ctx, EVP_aes_256_xts(),
-+ XTS_256_key, XTS_256_i, XTS_256_pt, XTS_256_ct,
-+ sizeof(XTS_256_pt)) <= 0)
-+ ret = 0;
-+
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+ if (ret == 0)
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_XTS, FIPS_R_SELFTEST_FAILED);
-+ return ret;
-+}
-+
-+#endif
-diff -up openssl-1.0.2a/crypto/fips/fips.c.fips openssl-1.0.2a/crypto/fips/fips.c
---- openssl-1.0.2a/crypto/fips/fips.c.fips 2015-04-22 16:08:40.294245702 +0200
-+++ openssl-1.0.2a/crypto/fips/fips.c 2015-04-22 16:08:40.294245702 +0200
-@@ -0,0 +1,483 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#define _GNU_SOURCE
-+
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include <openssl/err.h>
-+#include <openssl/bio.h>
-+#include <openssl/hmac.h>
-+#include <openssl/rsa.h>
-+#include <string.h>
-+#include <limits.h>
-+#include <dlfcn.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+# include <openssl/fips.h>
-+
-+# ifndef PATH_MAX
-+# define PATH_MAX 1024
-+# endif
-+
-+static int fips_selftest_fail = 0;
-+static int fips_mode = 0;
-+static int fips_started = 0;
-+
-+static int fips_is_owning_thread(void);
-+static int fips_set_owning_thread(void);
-+static int fips_clear_owning_thread(void);
-+
-+# define fips_w_lock() CRYPTO_w_lock(CRYPTO_LOCK_FIPS)
-+# define fips_w_unlock() CRYPTO_w_unlock(CRYPTO_LOCK_FIPS)
-+# define fips_r_lock() CRYPTO_r_lock(CRYPTO_LOCK_FIPS)
-+# define fips_r_unlock() CRYPTO_r_unlock(CRYPTO_LOCK_FIPS)
-+
-+static void fips_set_mode(int onoff)
-+{
-+ int owning_thread = fips_is_owning_thread();
-+
-+ if (fips_started) {
-+ if (!owning_thread)
-+ fips_w_lock();
-+ fips_mode = onoff;
-+ if (!owning_thread)
-+ fips_w_unlock();
-+ }
-+}
-+
-+int FIPS_module_mode(void)
-+{
-+ int ret = 0;
-+ int owning_thread = fips_is_owning_thread();
-+
-+ if (fips_started) {
-+ if (!owning_thread)
-+ fips_r_lock();
-+ ret = fips_mode;
-+ if (!owning_thread)
-+ fips_r_unlock();
-+ }
-+ return ret;
-+}
-+
-+int FIPS_selftest_failed(void)
-+{
-+ int ret = 0;
-+ if (fips_started) {
-+ int owning_thread = fips_is_owning_thread();
-+
-+ if (!owning_thread)
-+ fips_r_lock();
-+ ret = fips_selftest_fail;
-+ if (!owning_thread)
-+ fips_r_unlock();
-+ }
-+ return ret;
-+}
-+
-+/* Selftest failure fatal exit routine. This will be called
-+ * during *any* cryptographic operation. It has the minimum
-+ * overhead possible to avoid too big a performance hit.
-+ */
-+
-+void FIPS_selftest_check(void)
-+{
-+ if (fips_selftest_fail) {
-+ OpenSSLDie(__FILE__, __LINE__, "FATAL FIPS SELFTEST FAILURE");
-+ }
-+}
-+
-+void fips_set_selftest_fail(void)
-+{
-+ fips_selftest_fail = 1;
-+}
-+
-+/* we implement what libfipscheck does ourselves */
-+
-+static int
-+get_library_path(const char *libname, const char *symbolname, char *path,
-+ size_t pathlen)
-+{
-+ Dl_info info;
-+ void *dl, *sym;
-+ int rv = -1;
-+
-+ dl = dlopen(libname, RTLD_LAZY);
-+ if (dl == NULL) {
-+ return -1;
-+ }
-+
-+ sym = dlsym(dl, symbolname);
-+
-+ if (sym != NULL && dladdr(sym, &info)) {
-+ strncpy(path, info.dli_fname, pathlen - 1);
-+ path[pathlen - 1] = '\0';
-+ rv = 0;
-+ }
-+
-+ dlclose(dl);
-+
-+ return rv;
-+}
-+
-+static const char conv[] = "0123456789abcdef";
-+
-+static char *bin2hex(void *buf, size_t len)
-+{
-+ char *hex, *p;
-+ unsigned char *src = buf;
-+
-+ hex = malloc(len * 2 + 1);
-+ if (hex == NULL)
-+ return NULL;
-+
-+ p = hex;
-+
-+ while (len > 0) {
-+ unsigned c;
-+
-+ c = *src;
-+ src++;
-+
-+ *p = conv[c >> 4];
-+ ++p;
-+ *p = conv[c & 0x0f];
-+ ++p;
-+ --len;
-+ }
-+ *p = '\0';
-+ return hex;
-+}
-+
-+# define HMAC_PREFIX "."
-+# define HMAC_SUFFIX ".hmac"
-+# define READ_BUFFER_LENGTH 16384
-+
-+static char *make_hmac_path(const char *origpath)
-+{
-+ char *path, *p;
-+ const char *fn;
-+
-+ path =
-+ malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
-+ if (path == NULL) {
-+ return NULL;
-+ }
-+
-+ fn = strrchr(origpath, '/');
-+ if (fn == NULL) {
-+ fn = origpath;
-+ } else {
-+ ++fn;
-+ }
-+
-+ strncpy(path, origpath, fn - origpath);
-+ p = path + (fn - origpath);
-+ p = stpcpy(p, HMAC_PREFIX);
-+ p = stpcpy(p, fn);
-+ p = stpcpy(p, HMAC_SUFFIX);
-+
-+ return path;
-+}
-+
-+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
-+
-+static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
-+{
-+ FILE *f = NULL;
-+ int rv = -1;
-+ unsigned char rbuf[READ_BUFFER_LENGTH];
-+ size_t len;
-+ unsigned int hlen;
-+ HMAC_CTX c;
-+
-+ HMAC_CTX_init(&c);
-+
-+ f = fopen(path, "r");
-+
-+ if (f == NULL) {
-+ goto end;
-+ }
-+
-+ HMAC_Init(&c, hmackey, sizeof(hmackey) - 1, EVP_sha256());
-+
-+ while ((len = fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
-+ HMAC_Update(&c, rbuf, len);
-+ }
-+
-+ len = sizeof(rbuf);
-+ /* reuse rbuf for hmac */
-+ HMAC_Final(&c, rbuf, &hlen);
-+
-+ *buf = malloc(hlen);
-+ if (*buf == NULL) {
-+ goto end;
-+ }
-+
-+ *hmaclen = hlen;
-+
-+ memcpy(*buf, rbuf, hlen);
-+
-+ rv = 0;
-+ end:
-+ HMAC_CTX_cleanup(&c);
-+
-+ if (f)
-+ fclose(f);
-+
-+ return rv;
-+}
-+
-+static int FIPSCHECK_verify(const char *libname, const char *symbolname)
-+{
-+ char path[PATH_MAX + 1];
-+ int rv;
-+ FILE *hf;
-+ char *hmacpath, *p;
-+ char *hmac = NULL;
-+ size_t n;
-+
-+ rv = get_library_path(libname, symbolname, path, sizeof(path));
-+
-+ if (rv < 0)
-+ return 0;
-+
-+ hmacpath = make_hmac_path(path);
-+ if (hmacpath == NULL)
-+ return 0;
-+
-+ hf = fopen(hmacpath, "r");
-+ if (hf == NULL) {
-+ free(hmacpath);
-+ return 0;
-+ }
-+
-+ if (getline(&hmac, &n, hf) > 0) {
-+ void *buf;
-+ size_t hmaclen;
-+ char *hex;
-+
-+ if ((p = strchr(hmac, '\n')) != NULL)
-+ *p = '\0';
-+
-+ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
-+ rv = -4;
-+ goto end;
-+ }
-+
-+ if ((hex = bin2hex(buf, hmaclen)) == NULL) {
-+ free(buf);
-+ rv = -5;
-+ goto end;
-+ }
-+
-+ if (strcmp(hex, hmac) != 0) {
-+ rv = -1;
-+ }
-+ free(buf);
-+ free(hex);
-+ } else {
-+ rv = -1;
-+ }
-+
-+ end:
-+ free(hmac);
-+ free(hmacpath);
-+ fclose(hf);
-+
-+ if (rv < 0)
-+ return 0;
-+
-+ /* check successful */
-+ return 1;
-+}
-+
-+int FIPS_module_mode_set(int onoff, const char *auth)
-+{
-+ int ret = 0;
-+
-+ fips_w_lock();
-+ fips_started = 1;
-+ fips_set_owning_thread();
-+
-+ if (onoff) {
-+
-+ fips_selftest_fail = 0;
-+
-+ /* Don't go into FIPS mode twice, just so we can do automagic
-+ seeding */
-+ if (FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
-+ FIPS_R_FIPS_MODE_ALREADY_SET);
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+# ifdef OPENSSL_IA32_SSE2
-+ {
-+ extern unsigned int OPENSSL_ia32cap_P[2];
-+ if ((OPENSSL_ia32cap_P[0] & (1 << 25 | 1 << 26)) !=
-+ (1 << 25 | 1 << 26)) {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
-+ FIPS_R_UNSUPPORTED_PLATFORM);
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+ OPENSSL_ia32cap_P[0] |= (1 << 28); /* set "shared cache" */
-+ OPENSSL_ia32cap_P[1] &= ~(1 << (60 - 32)); /* clear AVX */
-+ }
-+# endif
-+
-+ if (!FIPSCHECK_verify
-+ ("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set")) {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
-+ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+
-+ if (!FIPSCHECK_verify
-+ ("libssl.so." SHLIB_VERSION_NUMBER, "SSL_CTX_new")) {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
-+ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+
-+ if (FIPS_selftest())
-+ fips_set_mode(onoff);
-+ else {
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+ ret = 1;
-+ goto end;
-+ }
-+ fips_set_mode(0);
-+ fips_selftest_fail = 0;
-+ ret = 1;
-+ end:
-+ fips_clear_owning_thread();
-+ fips_w_unlock();
-+ return ret;
-+}
-+
-+static CRYPTO_THREADID fips_thread;
-+static int fips_thread_set = 0;
-+
-+static int fips_is_owning_thread(void)
-+{
-+ int ret = 0;
-+
-+ if (fips_started) {
-+ CRYPTO_r_lock(CRYPTO_LOCK_FIPS2);
-+ if (fips_thread_set) {
-+ CRYPTO_THREADID cur;
-+ CRYPTO_THREADID_current(&cur);
-+ if (!CRYPTO_THREADID_cmp(&cur, &fips_thread))
-+ ret = 1;
-+ }
-+ CRYPTO_r_unlock(CRYPTO_LOCK_FIPS2);
-+ }
-+ return ret;
-+}
-+
-+int fips_set_owning_thread(void)
-+{
-+ int ret = 0;
-+
-+ if (fips_started) {
-+ CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
-+ if (!fips_thread_set) {
-+ CRYPTO_THREADID_current(&fips_thread);
-+ ret = 1;
-+ fips_thread_set = 1;
-+ }
-+ CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
-+ }
-+ return ret;
-+}
-+
-+int fips_clear_owning_thread(void)
-+{
-+ int ret = 0;
-+
-+ if (fips_started) {
-+ CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
-+ if (fips_thread_set) {
-+ CRYPTO_THREADID cur;
-+ CRYPTO_THREADID_current(&cur);
-+ if (!CRYPTO_THREADID_cmp(&cur, &fips_thread))
-+ fips_thread_set = 0;
-+ }
-+ CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
-+ }
-+ return ret;
-+}
-+
-+# if 0
-+/* The purpose of this is to ensure the error code exists and the function
-+ * name is to keep the error checking script quiet
-+ */
-+void hash_final(void)
-+{
-+ FIPSerr(FIPS_F_HASH_FINAL, FIPS_R_NON_FIPS_METHOD);
-+}
-+# endif
-+
-+#endif
-diff -up openssl-1.0.2a/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_cmac_selftest.c
---- openssl-1.0.2a/crypto/fips/fips_cmac_selftest.c.fips 2015-04-22 16:08:40.294245702 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_cmac_selftest.c 2015-04-22 16:08:40.294245702 +0200
-@@ -0,0 +1,156 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+#include <openssl/cmac.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+typedef struct {
-+ int nid;
-+ const unsigned char key[EVP_MAX_KEY_LENGTH];
-+ size_t keysize;
-+ const unsigned char msg[64];
-+ size_t msgsize;
-+ const unsigned char mac[32];
-+ size_t macsize;
-+} CMAC_KAT;
-+
-+/* from http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf */
-+static const CMAC_KAT vector[] = {
-+ {NID_aes_128_cbc, /* Count = 32 from CMACGenAES128.txt */
-+ {0x77, 0xa7, 0x7f, 0xaf, 0x29, 0x0c, 0x1f, 0xa3,
-+ 0x0c, 0x68, 0x3d, 0xf1, 0x6b, 0xa7, 0xa7, 0x7b,}, 128,
-+ {0x02, 0x06, 0x83, 0xe1, 0xf0, 0x39, 0x2f, 0x4c,
-+ 0xac, 0x54, 0x31, 0x8b, 0x60, 0x29, 0x25, 0x9e,
-+ 0x9c, 0x55, 0x3d, 0xbc, 0x4b, 0x6a, 0xd9, 0x98,
-+ 0xe6, 0x4d, 0x58, 0xe4, 0xe7, 0xdc, 0x2e, 0x13,}, 256,
-+ {0xfb, 0xfe, 0xa4, 0x1b,}, 32},
-+ {NID_aes_192_cbc, /* Count = 23 from CMACGenAES192.txt */
-+ {0x7b, 0x32, 0x39, 0x13, 0x69, 0xaa, 0x4c, 0xa9,
-+ 0x75, 0x58, 0x09, 0x5b, 0xe3, 0xc3, 0xec, 0x86,
-+ 0x2b, 0xd0, 0x57, 0xce, 0xf1, 0xe3, 0x2d, 0x62,}, 192,
-+ {0x0}, 0,
-+ {0xe4, 0xd9, 0x34, 0x0b, 0x03, 0xe6, 0x7d, 0xef,
-+ 0xd4, 0x96, 0x9c, 0xc1, 0xed, 0x37, 0x35, 0xe6,}, 128,
-+ },
-+ {NID_aes_256_cbc, /* Count = 33 from CMACGenAES256.txt */
-+ {0x0b, 0x12, 0x2a, 0xc8, 0xf3, 0x4e, 0xd1, 0xfe,
-+ 0x08, 0x2a, 0x36, 0x25, 0xd1, 0x57, 0x56, 0x14,
-+ 0x54, 0x16, 0x7a, 0xc1, 0x45, 0xa1, 0x0b, 0xbf,
-+ 0x77, 0xc6, 0xa7, 0x05, 0x96, 0xd5, 0x74, 0xf1,}, 256,
-+ {0x49, 0x8b, 0x53, 0xfd, 0xec, 0x87, 0xed, 0xcb,
-+ 0xf0, 0x70, 0x97, 0xdc, 0xcd, 0xe9, 0x3a, 0x08,
-+ 0x4b, 0xad, 0x75, 0x01, 0xa2, 0x24, 0xe3, 0x88,
-+ 0xdf, 0x34, 0x9c, 0xe1, 0x89, 0x59, 0xfe, 0x84,
-+ 0x85, 0xf8, 0xad, 0x15, 0x37, 0xf0, 0xd8, 0x96,
-+ 0xea, 0x73, 0xbe, 0xdc, 0x72, 0x14, 0x71, 0x3f,}, 384,
-+ {0xf6, 0x2c, 0x46, 0x32, 0x9b,}, 40,
-+ },
-+ {NID_des_ede3_cbc, /* Count = 41 from CMACGenTDES3.req */
-+ {0x89, 0xbc, 0xd9, 0x52, 0xa8, 0xc8, 0xab, 0x37,
-+ 0x1a, 0xf4, 0x8a, 0xc7, 0xd0, 0x70, 0x85, 0xd5,
-+ 0xef, 0xf7, 0x02, 0xe6, 0xd6, 0x2c, 0xdc, 0x23,}, 192,
-+ {0xfa, 0x62, 0x0c, 0x1b, 0xbe, 0x97, 0x31, 0x9e,
-+ 0x9a, 0x0c, 0xf0, 0x49, 0x21, 0x21, 0xf7, 0xa2,
-+ 0x0e, 0xb0, 0x8a, 0x6a, 0x70, 0x9d, 0xcb, 0xd0,
-+ 0x0a, 0xaf, 0x38, 0xe4, 0xf9, 0x9e, 0x75, 0x4e,}, 256,
-+ {0x8f, 0x49, 0xa1, 0xb7, 0xd6, 0xaa, 0x22, 0x58,}, 64,
-+ },
-+};
-+
-+int FIPS_selftest_cmac()
-+{
-+ size_t n, outlen;
-+ unsigned char out[32];
-+ const EVP_CIPHER *cipher;
-+ CMAC_CTX *ctx = CMAC_CTX_new();
-+ const CMAC_KAT *t;
-+ int rv = 1;
-+
-+ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) {
-+ cipher = FIPS_get_cipherbynid(t->nid);
-+ if (!cipher) {
-+ rv = -1;
-+ goto err;
-+ }
-+ if (!CMAC_Init(ctx, t->key, t->keysize / 8, cipher, 0)) {
-+ rv = -1;
-+ goto err;
-+ }
-+ if (!CMAC_Update(ctx, t->msg, t->msgsize / 8)) {
-+ rv = -1;
-+ goto err;
-+ }
-+
-+ if (!CMAC_Final(ctx, out, &outlen)) {
-+ rv = -1;
-+ goto err;
-+ }
-+ CMAC_CTX_cleanup(ctx);
-+
-+ if (outlen < t->macsize / 8 || memcmp(out, t->mac, t->macsize / 8)) {
-+ rv = 0;
-+ }
-+ }
-+
-+ err:
-+ CMAC_CTX_free(ctx);
-+
-+ if (rv == -1) {
-+ rv = 0;
-+ }
-+ if (!rv)
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_CMAC, FIPS_R_SELFTEST_FAILED);
-+
-+ return rv;
-+}
-+#endif
-diff -up openssl-1.0.2a/crypto/fips/fips_des_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_des_selftest.c
---- openssl-1.0.2a/crypto/fips/fips_des_selftest.c.fips 2015-04-22 16:08:40.294245702 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_des_selftest.c 2015-04-22 16:08:40.294245702 +0200
-@@ -0,0 +1,138 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-+#include <openssl/evp.h>
-+#include <openssl/opensslconf.h>
-+
-+#ifdef OPENSSL_FIPS
-+
-+static const struct {
-+ const unsigned char key[16];
-+ const unsigned char plaintext[8];
-+ const unsigned char ciphertext[8];
-+} tests2[] = {
-+ {
-+ {
-+ 0x7c, 0x4f, 0x6e, 0xf7, 0xa2, 0x04, 0x16, 0xec,
-+ 0x0b, 0x6b, 0x7c, 0x9e, 0x5e, 0x19, 0xa7, 0xc4}, {
-+ 0x06, 0xa7, 0xd8, 0x79, 0xaa, 0xce, 0x69, 0xef}, {
-+ 0x4c, 0x11, 0x17, 0x55, 0xbf, 0xc4, 0x4e, 0xfd}
-+ }, {
-+ {
-+ 0x5d, 0x9e, 0x01, 0xd3, 0x25, 0xc7, 0x3e, 0x34,
-+ 0x01, 0x16, 0x7c, 0x85, 0x23, 0xdf, 0xe0, 0x68}, {
-+ 0x9c, 0x50, 0x09, 0x0f, 0x5e, 0x7d, 0x69, 0x7e}, {
-+ 0xd2, 0x0b, 0x18, 0xdf, 0xd9, 0x0d, 0x9e, 0xff},}
-+};
-+
-+static const struct {
-+ const unsigned char key[24];
-+ const unsigned char plaintext[8];
-+ const unsigned char ciphertext[8];
-+} tests3[] = {
-+ {
-+ {
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
-+ 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0}, {
-+ 0x8f, 0x8f, 0xbf, 0x9b, 0x5d, 0x48, 0xb4, 0x1c}, {
-+ 0x59, 0x8c, 0xe5, 0xd3, 0x6c, 0xa2, 0xea, 0x1b},}, {
-+ {
-+ 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, 0xFE,
-+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
-+ 0xED, 0x39, 0xD9, 0x50, 0xFA, 0x74, 0xBC, 0xC4}, {
-+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}, {
-+0x11, 0x25, 0xb0, 0x35, 0xbe, 0xa0, 0x82, 0x86},},};
-+
-+static int corrupt_des;
-+
-+void FIPS_corrupt_des()
-+{
-+ corrupt_des = 1;
-+}
-+
-+int FIPS_selftest_des()
-+{
-+ int n, ret = 0;
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+ /* Encrypt/decrypt with 2-key 3DES and compare to known answers */
-+ for (n = 0; n < 2; ++n) {
-+ unsigned char plaintext[8];
-+
-+ memcpy(plaintext, tests2[n].plaintext, sizeof(plaintext));
-+ if (corrupt_des)
-+ plaintext[0]++;
-+ if (!fips_cipher_test(&ctx, EVP_des_ede_ecb(),
-+ tests2[n].key, NULL,
-+ plaintext, tests2[n].ciphertext, 8))
-+ goto err;
-+ }
-+
-+ /* Encrypt/decrypt with 3DES and compare to known answers */
-+ for (n = 0; n < 2; ++n) {
-+ if (!fips_cipher_test(&ctx, EVP_des_ede3_ecb(),
-+ tests3[n].key, NULL,
-+ tests3[n].plaintext, tests3[n].ciphertext, 8))
-+ goto err;
-+ }
-+ ret = 1;
-+ err:
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+ if (ret == 0)
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_DES, FIPS_R_SELFTEST_FAILED);
-+
-+ return ret;
-+}
-+#endif
-diff -up openssl-1.0.2a/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_ctr.c
---- openssl-1.0.2a/crypto/fips/fips_drbg_ctr.c.fips 2015-04-22 16:08:40.294245702 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_drbg_ctr.c 2015-04-22 16:08:40.294245702 +0200
-@@ -0,0 +1,415 @@
-+/* fips/rand/fips_drbg_ctr.c */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#include <stdlib.h>
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/fips.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_rand_lcl.h"
-+
-+static void inc_128(DRBG_CTR_CTX * cctx)
-+{
-+ int i;
-+ unsigned char c;
-+ unsigned char *p = cctx->V + 15;
-+ for (i = 0; i < 16; i++) {
-+ c = *p;
-+ c++;
-+ *p = c;
-+ if (c)
-+ return;
-+ p--;
-+ }
-+}
-+
-+static void ctr_XOR(DRBG_CTR_CTX * cctx, const unsigned char *in,
-+ size_t inlen)
-+{
-+ size_t i, n;
-+ /* Any zero padding will have no effect on the result as we
-+ * are XORing. So just process however much input we have.
-+ */
-+
-+ if (!in || !inlen)
-+ return;
-+
-+ if (inlen < cctx->keylen)
-+ n = inlen;
-+ else
-+ n = cctx->keylen;
-+
-+ for (i = 0; i < n; i++)
-+ cctx->K[i] ^= in[i];
-+ if (inlen <= cctx->keylen)
-+ return;
-+
-+ n = inlen - cctx->keylen;
-+ /* Should never happen */
-+ if (n > 16)
-+ n = 16;
-+ for (i = 0; i < 16; i++)
-+ cctx->V[i] ^= in[i + cctx->keylen];
-+}
-+
-+/* Process a complete block using BCC algorithm of SPP 800-90 10.4.3 */
-+
-+static void ctr_BCC_block(DRBG_CTR_CTX * cctx, unsigned char *out,
-+ const unsigned char *in)
-+{
-+ int i;
-+ for (i = 0; i < 16; i++)
-+ out[i] ^= in[i];
-+ AES_encrypt(out, out, &cctx->df_ks);
-+#if 0
-+ fprintf(stderr, "BCC in+out\n");
-+ BIO_dump_fp(stderr, in, 16);
-+ BIO_dump_fp(stderr, out, 16);
-+#endif
-+}
-+
-+/* Handle several BCC operations for as much data as we need for K and X */
-+static void ctr_BCC_blocks(DRBG_CTR_CTX * cctx, const unsigned char *in)
-+{
-+ ctr_BCC_block(cctx, cctx->KX, in);
-+ ctr_BCC_block(cctx, cctx->KX + 16, in);
-+ if (cctx->keylen != 16)
-+ ctr_BCC_block(cctx, cctx->KX + 32, in);
-+}
-+
-+/* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
-+ * see 10.4.2 stage 7.
-+ */
-+static void ctr_BCC_init(DRBG_CTR_CTX * cctx)
-+{
-+ memset(cctx->KX, 0, 48);
-+ memset(cctx->bltmp, 0, 16);
-+ ctr_BCC_block(cctx, cctx->KX, cctx->bltmp);
-+ cctx->bltmp[3] = 1;
-+ ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp);
-+ if (cctx->keylen != 16) {
-+ cctx->bltmp[3] = 2;
-+ ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp);
-+ }
-+}
-+
-+/* Process several blocks into BCC algorithm, some possibly partial */
-+static void ctr_BCC_update(DRBG_CTR_CTX * cctx,
-+ const unsigned char *in, size_t inlen)
-+{
-+ if (!in || !inlen)
-+ return;
-+ /* If we have partial block handle it first */
-+ if (cctx->bltmp_pos) {
-+ size_t left = 16 - cctx->bltmp_pos;
-+ /* If we now have a complete block process it */
-+ if (inlen >= left) {
-+ memcpy(cctx->bltmp + cctx->bltmp_pos, in, left);
-+ ctr_BCC_blocks(cctx, cctx->bltmp);
-+ cctx->bltmp_pos = 0;
-+ inlen -= left;
-+ in += left;
-+ }
-+ }
-+ /* Process zero or more complete blocks */
-+ while (inlen >= 16) {
-+ ctr_BCC_blocks(cctx, in);
-+ in += 16;
-+ inlen -= 16;
-+ }
-+ /* Copy any remaining partial block to the temporary buffer */
-+ if (inlen > 0) {
-+ memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen);
-+ cctx->bltmp_pos += inlen;
-+ }
-+}
-+
-+static void ctr_BCC_final(DRBG_CTR_CTX * cctx)
-+{
-+ if (cctx->bltmp_pos) {
-+ memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos);
-+ ctr_BCC_blocks(cctx, cctx->bltmp);
-+ }
-+}
-+
-+static void ctr_df(DRBG_CTR_CTX * cctx,
-+ const unsigned char *in1, size_t in1len,
-+ const unsigned char *in2, size_t in2len,
-+ const unsigned char *in3, size_t in3len)
-+{
-+ size_t inlen;
-+ unsigned char *p = cctx->bltmp;
-+ static unsigned char c80 = 0x80;
-+
-+ ctr_BCC_init(cctx);
-+ if (!in1)
-+ in1len = 0;
-+ if (!in2)
-+ in2len = 0;
-+ if (!in3)
-+ in3len = 0;
-+ inlen = in1len + in2len + in3len;
-+ /* Initialise L||N in temporary block */
-+ *p++ = (inlen >> 24) & 0xff;
-+ *p++ = (inlen >> 16) & 0xff;
-+ *p++ = (inlen >> 8) & 0xff;
-+ *p++ = inlen & 0xff;
-+ /* NB keylen is at most 32 bytes */
-+ *p++ = 0;
-+ *p++ = 0;
-+ *p++ = 0;
-+ *p = (unsigned char)((cctx->keylen + 16) & 0xff);
-+ cctx->bltmp_pos = 8;
-+ ctr_BCC_update(cctx, in1, in1len);
-+ ctr_BCC_update(cctx, in2, in2len);
-+ ctr_BCC_update(cctx, in3, in3len);
-+ ctr_BCC_update(cctx, &c80, 1);
-+ ctr_BCC_final(cctx);
-+ /* Set up key K */
-+ AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks);
-+ /* X follows key K */
-+ AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks);
-+ AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks);
-+ if (cctx->keylen != 16)
-+ AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks);
-+#if 0
-+ fprintf(stderr, "Output of ctr_df:\n");
-+ BIO_dump_fp(stderr, cctx->KX, cctx->keylen + 16);
-+#endif
-+}
-+
-+/* NB the no-df Update in SP800-90 specifies a constant input length
-+ * of seedlen, however other uses of this algorithm pad the input with
-+ * zeroes if necessary and have up to two parameters XORed together,
-+ * handle both cases in this function instead.
-+ */
-+
-+static void ctr_Update(DRBG_CTX *dctx,
-+ const unsigned char *in1, size_t in1len,
-+ const unsigned char *in2, size_t in2len,
-+ const unsigned char *nonce, size_t noncelen)
-+{
-+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
-+ /* ks is already setup for correct key */
-+ inc_128(cctx);
-+ AES_encrypt(cctx->V, cctx->K, &cctx->ks);
-+ /* If keylen longer than 128 bits need extra encrypt */
-+ if (cctx->keylen != 16) {
-+ inc_128(cctx);
-+ AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks);
-+ }
-+ inc_128(cctx);
-+ AES_encrypt(cctx->V, cctx->V, &cctx->ks);
-+ /* If 192 bit key part of V is on end of K */
-+ if (cctx->keylen == 24) {
-+ memcpy(cctx->V + 8, cctx->V, 8);
-+ memcpy(cctx->V, cctx->K + 24, 8);
-+ }
-+
-+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
-+ /* If no input reuse existing derived value */
-+ if (in1 || nonce || in2)
-+ ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len);
-+ /* If this a reuse input in1len != 0 */
-+ if (in1len)
-+ ctr_XOR(cctx, cctx->KX, dctx->seedlen);
-+ } else {
-+ ctr_XOR(cctx, in1, in1len);
-+ ctr_XOR(cctx, in2, in2len);
-+ }
-+
-+ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
-+#if 0
-+ fprintf(stderr, "K+V after update is:\n");
-+ BIO_dump_fp(stderr, cctx->K, cctx->keylen);
-+ BIO_dump_fp(stderr, cctx->V, 16);
-+#endif
-+}
-+
-+static int drbg_ctr_instantiate(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t entlen,
-+ const unsigned char *nonce, size_t noncelen,
-+ const unsigned char *pers, size_t perslen)
-+{
-+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
-+ memset(cctx->K, 0, sizeof(cctx->K));
-+ memset(cctx->V, 0, sizeof(cctx->V));
-+ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
-+ ctr_Update(dctx, ent, entlen, pers, perslen, nonce, noncelen);
-+ return 1;
-+}
-+
-+static int drbg_ctr_reseed(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t entlen,
-+ const unsigned char *adin, size_t adinlen)
-+{
-+ ctr_Update(dctx, ent, entlen, adin, adinlen, NULL, 0);
-+ return 1;
-+}
-+
-+static int drbg_ctr_generate(DRBG_CTX *dctx,
-+ unsigned char *out, size_t outlen,
-+ const unsigned char *adin, size_t adinlen)
-+{
-+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
-+ if (adin && adinlen) {
-+ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
-+ /* This means we reuse derived value */
-+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
-+ adin = NULL;
-+ adinlen = 1;
-+ }
-+ } else
-+ adinlen = 0;
-+
-+ for (;;) {
-+ inc_128(cctx);
-+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
-+ AES_encrypt(cctx->V, dctx->lb, &cctx->ks);
-+ dctx->lb_valid = 1;
-+ continue;
-+ }
-+ if (outlen < 16) {
-+ /* Use K as temp space as it will be updated */
-+ AES_encrypt(cctx->V, cctx->K, &cctx->ks);
-+ if (!fips_drbg_cprng_test(dctx, cctx->K))
-+ return 0;
-+ memcpy(out, cctx->K, outlen);
-+ break;
-+ }
-+ AES_encrypt(cctx->V, out, &cctx->ks);
-+ if (!fips_drbg_cprng_test(dctx, out))
-+ return 0;
-+ out += 16;
-+ outlen -= 16;
-+ if (outlen == 0)
-+ break;
-+ }
-+
-+ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
-+
-+ return 1;
-+
-+}
-+
-+static int drbg_ctr_uninstantiate(DRBG_CTX *dctx)
-+{
-+ memset(&dctx->d.ctr, 0, sizeof(DRBG_CTR_CTX));
-+ return 1;
-+}
-+
-+int fips_drbg_ctr_init(DRBG_CTX *dctx)
-+{
-+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
-+
-+ size_t keylen;
-+
-+ switch (dctx->type) {
-+ case NID_aes_128_ctr:
-+ keylen = 16;
-+ break;
-+
-+ case NID_aes_192_ctr:
-+ keylen = 24;
-+ break;
-+
-+ case NID_aes_256_ctr:
-+ keylen = 32;
-+ break;
-+
-+ default:
-+ return -2;
-+ }
-+
-+ dctx->instantiate = drbg_ctr_instantiate;
-+ dctx->reseed = drbg_ctr_reseed;
-+ dctx->generate = drbg_ctr_generate;
-+ dctx->uninstantiate = drbg_ctr_uninstantiate;
-+
-+ cctx->keylen = keylen;
-+ dctx->strength = keylen * 8;
-+ dctx->blocklength = 16;
-+ dctx->seedlen = keylen + 16;
-+
-+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
-+ /* df initialisation */
-+ static unsigned char df_key[32] = {
-+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
-+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
-+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
-+ };
-+ /* Set key schedule for df_key */
-+ AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks);
-+
-+ dctx->min_entropy = cctx->keylen;
-+ dctx->max_entropy = DRBG_MAX_LENGTH;
-+ dctx->min_nonce = dctx->min_entropy / 2;
-+ dctx->max_nonce = DRBG_MAX_LENGTH;
-+ dctx->max_pers = DRBG_MAX_LENGTH;
-+ dctx->max_adin = DRBG_MAX_LENGTH;
-+ } else {
-+ dctx->min_entropy = dctx->seedlen;
-+ dctx->max_entropy = dctx->seedlen;
-+ /* Nonce not used */
-+ dctx->min_nonce = 0;
-+ dctx->max_nonce = 0;
-+ dctx->max_pers = dctx->seedlen;
-+ dctx->max_adin = dctx->seedlen;
-+ }
-+
-+ dctx->max_request = 1 << 16;
-+ dctx->reseed_interval = 1 << 24;
-+
-+ return 1;
-+}
-diff -up openssl-1.0.2a/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_hash.c
---- openssl-1.0.2a/crypto/fips/fips_drbg_hash.c.fips 2015-04-22 16:08:40.295245725 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_drbg_hash.c 2015-04-22 16:08:40.295245725 +0200
-@@ -0,0 +1,358 @@
-+/* fips/rand/fips_drbg_hash.c */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include <stdlib.h>
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/fips.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_rand_lcl.h"
-+
-+/* This is Hash_df from SP 800-90 10.4.1 */
-+
-+static int hash_df(DRBG_CTX *dctx, unsigned char *out,
-+ const unsigned char *in1, size_t in1len,
-+ const unsigned char *in2, size_t in2len,
-+ const unsigned char *in3, size_t in3len,
-+ const unsigned char *in4, size_t in4len)
-+{
-+ EVP_MD_CTX *mctx = &dctx->d.hash.mctx;
-+ unsigned char *vtmp = dctx->d.hash.vtmp;
-+ unsigned char tmp[6];
-+ /* Standard only ever needs seedlen bytes which is always less than
-+ * maximum permitted so no need to check length.
-+ */
-+ size_t outlen = dctx->seedlen;
-+ tmp[0] = 1;
-+ tmp[1] = ((outlen * 8) >> 24) & 0xff;
-+ tmp[2] = ((outlen * 8) >> 16) & 0xff;
-+ tmp[3] = ((outlen * 8) >> 8) & 0xff;
-+ tmp[4] = (outlen * 8) & 0xff;
-+ if (!in1) {
-+ tmp[5] = (unsigned char)in1len;
-+ in1 = tmp + 5;
-+ in1len = 1;
-+ }
-+ for (;;) {
-+ if (!FIPS_digestinit(mctx, dctx->d.hash.md))
-+ return 0;
-+ if (!FIPS_digestupdate(mctx, tmp, 5))
-+ return 0;
-+ if (in1 && !FIPS_digestupdate(mctx, in1, in1len))
-+ return 0;
-+ if (in2 && !FIPS_digestupdate(mctx, in2, in2len))
-+ return 0;
-+ if (in3 && !FIPS_digestupdate(mctx, in3, in3len))
-+ return 0;
-+ if (in4 && !FIPS_digestupdate(mctx, in4, in4len))
-+ return 0;
-+ if (outlen < dctx->blocklength) {
-+ if (!FIPS_digestfinal(mctx, vtmp, NULL))
-+ return 0;
-+ memcpy(out, vtmp, outlen);
-+ OPENSSL_cleanse(vtmp, dctx->blocklength);
-+ return 1;
-+ } else if (!FIPS_digestfinal(mctx, out, NULL))
-+ return 0;
-+
-+ outlen -= dctx->blocklength;
-+ if (outlen == 0)
-+ return 1;
-+ tmp[0]++;
-+ out += dctx->blocklength;
-+ }
-+}
-+
-+/* Add an unsigned buffer to the buf value, storing the result in buf. For
-+ * this algorithm the length of input never exceeds the seed length.
-+ */
-+
-+static void ctx_add_buf(DRBG_CTX *dctx, unsigned char *buf,
-+ unsigned char *in, size_t inlen)
-+{
-+ size_t i = inlen;
-+ const unsigned char *q;
-+ unsigned char c, *p;
-+ p = buf + dctx->seedlen;
-+ q = in + inlen;
-+
-+ OPENSSL_assert(i <= dctx->seedlen);
-+
-+ /* Special case: zero length, just increment buffer */
-+ if (i)
-+ c = 0;
-+ else
-+ c = 1;
-+
-+ while (i) {
-+ int r;
-+ p--;
-+ q--;
-+ r = *p + *q + c;
-+ /* Carry */
-+ if (r > 0xff)
-+ c = 1;
-+ else
-+ c = 0;
-+ *p = r & 0xff;
-+ i--;
-+ }
-+
-+ i = dctx->seedlen - inlen;
-+
-+ /* If not adding whole buffer handle final carries */
-+ if (c && i) {
-+ do {
-+ p--;
-+ c = *p;
-+ c++;
-+ *p = c;
-+ if (c)
-+ return;
-+ } while (i--);
-+ }
-+}
-+
-+/* Finalise and add hash to V */
-+
-+static int ctx_add_md(DRBG_CTX *dctx)
-+{
-+ if (!FIPS_digestfinal(&dctx->d.hash.mctx, dctx->d.hash.vtmp, NULL))
-+ return 0;
-+ ctx_add_buf(dctx, dctx->d.hash.V, dctx->d.hash.vtmp, dctx->blocklength);
-+ return 1;
-+}
-+
-+static int hash_gen(DRBG_CTX *dctx, unsigned char *out, size_t outlen)
-+{
-+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
-+ if (outlen == 0)
-+ return 1;
-+ memcpy(hctx->vtmp, hctx->V, dctx->seedlen);
-+ for (;;) {
-+ FIPS_digestinit(&hctx->mctx, hctx->md);
-+ FIPS_digestupdate(&hctx->mctx, hctx->vtmp, dctx->seedlen);
-+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
-+ FIPS_digestfinal(&hctx->mctx, dctx->lb, NULL);
-+ dctx->lb_valid = 1;
-+ } else if (outlen < dctx->blocklength) {
-+ FIPS_digestfinal(&hctx->mctx, hctx->vtmp, NULL);
-+ if (!fips_drbg_cprng_test(dctx, hctx->vtmp))
-+ return 0;
-+ memcpy(out, hctx->vtmp, outlen);
-+ return 1;
-+ } else {
-+ FIPS_digestfinal(&hctx->mctx, out, NULL);
-+ if (!fips_drbg_cprng_test(dctx, out))
-+ return 0;
-+ outlen -= dctx->blocklength;
-+ if (outlen == 0)
-+ return 1;
-+ out += dctx->blocklength;
-+ }
-+ ctx_add_buf(dctx, hctx->vtmp, NULL, 0);
-+ }
-+}
-+
-+static int drbg_hash_instantiate(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t ent_len,
-+ const unsigned char *nonce, size_t nonce_len,
-+ const unsigned char *pstr, size_t pstr_len)
-+{
-+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
-+ if (!hash_df(dctx, hctx->V,
-+ ent, ent_len, nonce, nonce_len, pstr, pstr_len, NULL, 0))
-+ return 0;
-+ if (!hash_df(dctx, hctx->C,
-+ NULL, 0, hctx->V, dctx->seedlen, NULL, 0, NULL, 0))
-+ return 0;
-+
-+#ifdef HASH_DRBG_TRACE
-+ fprintf(stderr, "V+C after instantiate:\n");
-+ hexprint(stderr, hctx->V, dctx->seedlen);
-+ hexprint(stderr, hctx->C, dctx->seedlen);
-+#endif
-+ return 1;
-+}
-+
-+static int drbg_hash_reseed(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t ent_len,
-+ const unsigned char *adin, size_t adin_len)
-+{
-+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
-+ /* V about to be updated so use C as output instead */
-+ if (!hash_df(dctx, hctx->C,
-+ NULL, 1, hctx->V, dctx->seedlen,
-+ ent, ent_len, adin, adin_len))
-+ return 0;
-+ memcpy(hctx->V, hctx->C, dctx->seedlen);
-+ if (!hash_df(dctx, hctx->C, NULL, 0,
-+ hctx->V, dctx->seedlen, NULL, 0, NULL, 0))
-+ return 0;
-+#ifdef HASH_DRBG_TRACE
-+ fprintf(stderr, "V+C after reseed:\n");
-+ hexprint(stderr, hctx->V, dctx->seedlen);
-+ hexprint(stderr, hctx->C, dctx->seedlen);
-+#endif
-+ return 1;
-+}
-+
-+static int drbg_hash_generate(DRBG_CTX *dctx,
-+ unsigned char *out, size_t outlen,
-+ const unsigned char *adin, size_t adin_len)
-+{
-+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
-+ EVP_MD_CTX *mctx = &hctx->mctx;
-+ unsigned char tmp[4];
-+ if (adin && adin_len) {
-+ tmp[0] = 2;
-+ if (!FIPS_digestinit(mctx, hctx->md))
-+ return 0;
-+ if (!EVP_DigestUpdate(mctx, tmp, 1))
-+ return 0;
-+ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
-+ return 0;
-+ if (!EVP_DigestUpdate(mctx, adin, adin_len))
-+ return 0;
-+ if (!ctx_add_md(dctx))
-+ return 0;
-+ }
-+ if (!hash_gen(dctx, out, outlen))
-+ return 0;
-+
-+ tmp[0] = 3;
-+ if (!FIPS_digestinit(mctx, hctx->md))
-+ return 0;
-+ if (!EVP_DigestUpdate(mctx, tmp, 1))
-+ return 0;
-+ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
-+ return 0;
-+
-+ if (!ctx_add_md(dctx))
-+ return 0;
-+
-+ ctx_add_buf(dctx, hctx->V, hctx->C, dctx->seedlen);
-+
-+ tmp[0] = (dctx->reseed_counter >> 24) & 0xff;
-+ tmp[1] = (dctx->reseed_counter >> 16) & 0xff;
-+ tmp[2] = (dctx->reseed_counter >> 8) & 0xff;
-+ tmp[3] = dctx->reseed_counter & 0xff;
-+ ctx_add_buf(dctx, hctx->V, tmp, 4);
-+#ifdef HASH_DRBG_TRACE
-+ fprintf(stderr, "V+C after generate:\n");
-+ hexprint(stderr, hctx->V, dctx->seedlen);
-+ hexprint(stderr, hctx->C, dctx->seedlen);
-+#endif
-+ return 1;
-+}
-+
-+static int drbg_hash_uninstantiate(DRBG_CTX *dctx)
-+{
-+ EVP_MD_CTX_cleanup(&dctx->d.hash.mctx);
-+ OPENSSL_cleanse(&dctx->d.hash, sizeof(DRBG_HASH_CTX));
-+ return 1;
-+}
-+
-+int fips_drbg_hash_init(DRBG_CTX *dctx)
-+{
-+ const EVP_MD *md;
-+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
-+ md = FIPS_get_digestbynid(dctx->type);
-+ if (!md)
-+ return -2;
-+ switch (dctx->type) {
-+ case NID_sha1:
-+ dctx->strength = 128;
-+ break;
-+
-+ case NID_sha224:
-+ dctx->strength = 192;
-+ break;
-+
-+ default:
-+ dctx->strength = 256;
-+ break;
-+ }
-+
-+ dctx->instantiate = drbg_hash_instantiate;
-+ dctx->reseed = drbg_hash_reseed;
-+ dctx->generate = drbg_hash_generate;
-+ dctx->uninstantiate = drbg_hash_uninstantiate;
-+
-+ dctx->d.hash.md = md;
-+ EVP_MD_CTX_init(&hctx->mctx);
-+
-+ /* These are taken from SP 800-90 10.1 table 2 */
-+
-+ dctx->blocklength = M_EVP_MD_size(md);
-+ if (dctx->blocklength > 32)
-+ dctx->seedlen = 111;
-+ else
-+ dctx->seedlen = 55;
-+
-+ dctx->min_entropy = dctx->strength / 8;
-+ dctx->max_entropy = DRBG_MAX_LENGTH;
-+
-+ dctx->min_nonce = dctx->min_entropy / 2;
-+ dctx->max_nonce = DRBG_MAX_LENGTH;
-+
-+ dctx->max_pers = DRBG_MAX_LENGTH;
-+ dctx->max_adin = DRBG_MAX_LENGTH;
-+
-+ dctx->max_request = 1 << 16;
-+ dctx->reseed_interval = 1 << 24;
-+
-+ return 1;
-+}
-diff -up openssl-1.0.2a/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_hmac.c
---- openssl-1.0.2a/crypto/fips/fips_drbg_hmac.c.fips 2015-04-22 16:08:40.295245725 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_drbg_hmac.c 2015-04-22 16:08:40.295245725 +0200
-@@ -0,0 +1,270 @@
-+/* fips/rand/fips_drbg_hmac.c */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#include <stdlib.h>
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/evp.h>
-+#include <openssl/hmac.h>
-+#include <openssl/aes.h>
-+#include <openssl/fips.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_rand_lcl.h"
-+
-+static int drbg_hmac_update(DRBG_CTX *dctx,
-+ const unsigned char *in1, size_t in1len,
-+ const unsigned char *in2, size_t in2len,
-+ const unsigned char *in3, size_t in3len)
-+{
-+ static unsigned char c0 = 0, c1 = 1;
-+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
-+ HMAC_CTX *hctx = &hmac->hctx;
-+
-+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
-+ return 0;
-+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
-+ return 0;
-+ if (!HMAC_Update(hctx, &c0, 1))
-+ return 0;
-+ if (in1len && !HMAC_Update(hctx, in1, in1len))
-+ return 0;
-+ if (in2len && !HMAC_Update(hctx, in2, in2len))
-+ return 0;
-+ if (in3len && !HMAC_Update(hctx, in3, in3len))
-+ return 0;
-+
-+ if (!HMAC_Final(hctx, hmac->K, NULL))
-+ return 0;
-+
-+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
-+ return 0;
-+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
-+ return 0;
-+
-+ if (!HMAC_Final(hctx, hmac->V, NULL))
-+ return 0;
-+
-+ if (!in1len && !in2len && !in3len)
-+ return 1;
-+
-+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
-+ return 0;
-+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
-+ return 0;
-+ if (!HMAC_Update(hctx, &c1, 1))
-+ return 0;
-+ if (in1len && !HMAC_Update(hctx, in1, in1len))
-+ return 0;
-+ if (in2len && !HMAC_Update(hctx, in2, in2len))
-+ return 0;
-+ if (in3len && !HMAC_Update(hctx, in3, in3len))
-+ return 0;
-+
-+ if (!HMAC_Final(hctx, hmac->K, NULL))
-+ return 0;
-+
-+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
-+ return 0;
-+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
-+ return 0;
-+
-+ if (!HMAC_Final(hctx, hmac->V, NULL))
-+ return 0;
-+
-+ return 1;
-+
-+}
-+
-+static int drbg_hmac_instantiate(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t ent_len,
-+ const unsigned char *nonce, size_t nonce_len,
-+ const unsigned char *pstr, size_t pstr_len)
-+{
-+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
-+ memset(hmac->K, 0, dctx->blocklength);
-+ memset(hmac->V, 1, dctx->blocklength);
-+ if (!drbg_hmac_update(dctx,
-+ ent, ent_len, nonce, nonce_len, pstr, pstr_len))
-+ return 0;
-+
-+#ifdef HMAC_DRBG_TRACE
-+ fprintf(stderr, "K+V after instantiate:\n");
-+ hexprint(stderr, hmac->K, hmac->blocklength);
-+ hexprint(stderr, hmac->V, hmac->blocklength);
-+#endif
-+ return 1;
-+}
-+
-+static int drbg_hmac_reseed(DRBG_CTX *dctx,
-+ const unsigned char *ent, size_t ent_len,
-+ const unsigned char *adin, size_t adin_len)
-+{
-+ if (!drbg_hmac_update(dctx, ent, ent_len, adin, adin_len, NULL, 0))
-+ return 0;
-+
-+#ifdef HMAC_DRBG_TRACE
-+ {
-+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
-+ fprintf(stderr, "K+V after reseed:\n");
-+ hexprint(stderr, hmac->K, hmac->blocklength);
-+ hexprint(stderr, hmac->V, hmac->blocklength);
-+ }
-+#endif
-+ return 1;
-+}
-+
-+static int drbg_hmac_generate(DRBG_CTX *dctx,
-+ unsigned char *out, size_t outlen,
-+ const unsigned char *adin, size_t adin_len)
-+{
-+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
-+ HMAC_CTX *hctx = &hmac->hctx;
-+ const unsigned char *Vtmp = hmac->V;
-+ if (adin_len && !drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))
-+ return 0;
-+ for (;;) {
-+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
-+ return 0;
-+ if (!HMAC_Update(hctx, Vtmp, dctx->blocklength))
-+ return 0;
-+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
-+ if (!HMAC_Final(hctx, dctx->lb, NULL))
-+ return 0;
-+ dctx->lb_valid = 1;
-+ Vtmp = dctx->lb;
-+ continue;
-+ } else if (outlen > dctx->blocklength) {
-+ if (!HMAC_Final(hctx, out, NULL))
-+ return 0;
-+ if (!fips_drbg_cprng_test(dctx, out))
-+ return 0;
-+ Vtmp = out;
-+ } else {
-+ if (!HMAC_Final(hctx, hmac->V, NULL))
-+ return 0;
-+ if (!fips_drbg_cprng_test(dctx, hmac->V))
-+ return 0;
-+ memcpy(out, hmac->V, outlen);
-+ break;
-+ }
-+ out += dctx->blocklength;
-+ outlen -= dctx->blocklength;
-+ }
-+ if (!drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))
-+ return 0;
-+
-+ return 1;
-+}
-+
-+static int drbg_hmac_uninstantiate(DRBG_CTX *dctx)
-+{
-+ HMAC_CTX_cleanup(&dctx->d.hmac.hctx);
-+ OPENSSL_cleanse(&dctx->d.hmac, sizeof(DRBG_HMAC_CTX));
-+ return 1;
-+}
-+
-+int fips_drbg_hmac_init(DRBG_CTX *dctx)
-+{
-+ const EVP_MD *md = NULL;
-+ DRBG_HMAC_CTX *hctx = &dctx->d.hmac;
-+ dctx->strength = 256;
-+ switch (dctx->type) {
-+ case NID_hmacWithSHA1:
-+ md = EVP_sha1();
-+ dctx->strength = 128;
-+ break;
-+
-+ case NID_hmacWithSHA224:
-+ md = EVP_sha224();
-+ dctx->strength = 192;
-+ break;
-+
-+ case NID_hmacWithSHA256:
-+ md = EVP_sha256();
-+ break;
-+
-+ case NID_hmacWithSHA384:
-+ md = EVP_sha384();
-+ break;
-+
-+ case NID_hmacWithSHA512:
-+ md = EVP_sha512();
-+ break;
-+
-+ default:
-+ dctx->strength = 0;
-+ return -2;
-+ }
-+ dctx->instantiate = drbg_hmac_instantiate;
-+ dctx->reseed = drbg_hmac_reseed;
-+ dctx->generate = drbg_hmac_generate;
-+ dctx->uninstantiate = drbg_hmac_uninstantiate;
-+ HMAC_CTX_init(&hctx->hctx);
-+ hctx->md = md;
-+ dctx->blocklength = M_EVP_MD_size(md);
-+ dctx->seedlen = M_EVP_MD_size(md);
-+
-+ dctx->min_entropy = dctx->strength / 8;
-+ dctx->max_entropy = DRBG_MAX_LENGTH;
-+
-+ dctx->min_nonce = dctx->min_entropy / 2;
-+ dctx->max_nonce = DRBG_MAX_LENGTH;
-+
-+ dctx->max_pers = DRBG_MAX_LENGTH;
-+ dctx->max_adin = DRBG_MAX_LENGTH;
-+
-+ dctx->max_request = 1 << 16;
-+ dctx->reseed_interval = 1 << 24;
-+
-+ return 1;
-+}
-diff -up openssl-1.0.2a/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_lib.c
---- openssl-1.0.2a/crypto/fips/fips_drbg_lib.c.fips 2015-04-22 16:08:40.295245725 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_drbg_lib.c 2015-04-22 16:08:40.295245725 +0200
-@@ -0,0 +1,553 @@
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/err.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_locl.h"
-+#include "fips_rand_lcl.h"
-+
-+/* Support framework for SP800-90 DRBGs */
-+
-+int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)
-+{
-+ int rv;
-+ memset(dctx, 0, sizeof(DRBG_CTX));
-+ dctx->status = DRBG_STATUS_UNINITIALISED;
-+ dctx->xflags = flags;
-+ dctx->type = type;
-+
-+ dctx->iflags = 0;
-+ dctx->entropy_blocklen = 0;
-+ dctx->health_check_cnt = 0;
-+ dctx->health_check_interval = DRBG_HEALTH_INTERVAL;
-+
-+ rv = fips_drbg_hash_init(dctx);
-+
-+ if (rv == -2)
-+ rv = fips_drbg_ctr_init(dctx);
-+ if (rv == -2)
-+ rv = fips_drbg_hmac_init(dctx);
-+
-+ if (rv <= 0) {
-+ if (rv == -2)
-+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE);
-+ else
-+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG);
-+ }
-+
-+ /* If not in test mode run selftests on DRBG of the same type */
-+
-+ if (!(dctx->xflags & DRBG_FLAG_TEST)) {
-+ if (!FIPS_drbg_health_check(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);
-+ return 0;
-+ }
-+ }
-+
-+ return rv;
-+}
-+
-+DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags)
-+{
-+ DRBG_CTX *dctx;
-+ dctx = OPENSSL_malloc(sizeof(DRBG_CTX));
-+ if (!dctx) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE);
-+ return NULL;
-+ }
-+
-+ if (type == 0) {
-+ memset(dctx, 0, sizeof(DRBG_CTX));
-+ dctx->type = 0;
-+ dctx->status = DRBG_STATUS_UNINITIALISED;
-+ return dctx;
-+ }
-+
-+ if (FIPS_drbg_init(dctx, type, flags) <= 0) {
-+ OPENSSL_free(dctx);
-+ return NULL;
-+ }
-+
-+ return dctx;
-+}
-+
-+void FIPS_drbg_free(DRBG_CTX *dctx)
-+{
-+ if (dctx->uninstantiate)
-+ dctx->uninstantiate(dctx);
-+ /* Don't free up default DRBG */
-+ if (dctx == FIPS_get_default_drbg()) {
-+ memset(dctx, 0, sizeof(DRBG_CTX));
-+ dctx->type = 0;
-+ dctx->status = DRBG_STATUS_UNINITIALISED;
-+ } else {
-+ OPENSSL_cleanse(&dctx->d, sizeof(dctx->d));
-+ OPENSSL_free(dctx);
-+ }
-+}
-+
-+static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len)
-+{
-+ unsigned char *tout, *p;
-+ size_t bl = dctx->entropy_blocklen, rv;
-+ if (!dctx->get_entropy)
-+ return 0;
-+ if (dctx->xflags & DRBG_FLAG_TEST || !bl)
-+ return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
-+ rv = dctx->get_entropy(dctx, &tout, entropy + bl,
-+ min_len + bl, max_len + bl);
-+ if (tout == NULL)
-+ return 0;
-+ *pout = tout + bl;
-+ if (rv < (min_len + bl) || (rv % bl))
-+ return 0;
-+ /* Compare consecutive blocks for continuous PRNG test */
-+ for (p = tout; p < tout + rv - bl; p += bl) {
-+ if (!memcmp(p, p + bl, bl)) {
-+ FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK);
-+ return 0;
-+ }
-+ }
-+ rv -= bl;
-+ if (rv > max_len)
-+ return max_len;
-+ return rv;
-+}
-+
-+static void fips_cleanup_entropy(DRBG_CTX *dctx,
-+ unsigned char *out, size_t olen)
-+{
-+ size_t bl;
-+ if (dctx->xflags & DRBG_FLAG_TEST)
-+ bl = 0;
-+ else
-+ bl = dctx->entropy_blocklen;
-+ /* Call cleanup with original arguments */
-+ dctx->cleanup_entropy(dctx, out - bl, olen + bl);
-+}
-+
-+int FIPS_drbg_instantiate(DRBG_CTX *dctx,
-+ const unsigned char *pers, size_t perslen)
-+{
-+ size_t entlen = 0, noncelen = 0;
-+ unsigned char *nonce = NULL, *entropy = NULL;
-+
-+#if 0
-+ /* Put here so error script picks them up */
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE,
-+ FIPS_R_PERSONALISATION_STRING_TOO_LONG);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR);
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED);
-+#endif
-+
-+ int r = 0;
-+
-+ if (perslen > dctx->max_pers) {
-+ r = FIPS_R_PERSONALISATION_STRING_TOO_LONG;
-+ goto end;
-+ }
-+
-+ if (!dctx->instantiate) {
-+ r = FIPS_R_DRBG_NOT_INITIALISED;
-+ goto end;
-+ }
-+
-+ if (dctx->status != DRBG_STATUS_UNINITIALISED) {
-+ if (dctx->status == DRBG_STATUS_ERROR)
-+ r = FIPS_R_IN_ERROR_STATE;
-+ else
-+ r = FIPS_R_ALREADY_INSTANTIATED;
-+ goto end;
-+ }
-+
-+ dctx->status = DRBG_STATUS_ERROR;
-+
-+ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
-+ dctx->min_entropy, dctx->max_entropy);
-+
-+ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
-+ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
-+ goto end;
-+ }
-+
-+ if (dctx->max_nonce > 0 && dctx->get_nonce) {
-+ noncelen = dctx->get_nonce(dctx, &nonce,
-+ dctx->strength / 2,
-+ dctx->min_nonce, dctx->max_nonce);
-+
-+ if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) {
-+ r = FIPS_R_ERROR_RETRIEVING_NONCE;
-+ goto end;
-+ }
-+
-+ }
-+
-+ if (!dctx->instantiate(dctx,
-+ entropy, entlen, nonce, noncelen, pers, perslen)) {
-+ r = FIPS_R_ERROR_INSTANTIATING_DRBG;
-+ goto end;
-+ }
-+
-+ dctx->status = DRBG_STATUS_READY;
-+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
-+ dctx->reseed_counter = 1;
-+
-+ end:
-+
-+ if (entropy && dctx->cleanup_entropy)
-+ fips_cleanup_entropy(dctx, entropy, entlen);
-+
-+ if (nonce && dctx->cleanup_nonce)
-+ dctx->cleanup_nonce(dctx, nonce, noncelen);
-+
-+ if (dctx->status == DRBG_STATUS_READY)
-+ return 1;
-+
-+ if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
-+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r);
-+
-+ return 0;
-+
-+}
-+
-+static int drbg_reseed(DRBG_CTX *dctx,
-+ const unsigned char *adin, size_t adinlen, int hcheck)
-+{
-+ unsigned char *entropy = NULL;
-+ size_t entlen = 0;
-+ int r = 0;
-+
-+#if 0
-+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED);
-+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
-+#endif
-+ if (dctx->status != DRBG_STATUS_READY
-+ && dctx->status != DRBG_STATUS_RESEED) {
-+ if (dctx->status == DRBG_STATUS_ERROR)
-+ r = FIPS_R_IN_ERROR_STATE;
-+ else if (dctx->status == DRBG_STATUS_UNINITIALISED)
-+ r = FIPS_R_NOT_INSTANTIATED;
-+ goto end;
-+ }
-+
-+ if (!adin)
-+ adinlen = 0;
-+ else if (adinlen > dctx->max_adin) {
-+ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
-+ goto end;
-+ }
-+
-+ dctx->status = DRBG_STATUS_ERROR;
-+ /* Peform health check on all reseed operations if not a prediction
-+ * resistance request and not in test mode.
-+ */
-+ if (hcheck && !(dctx->xflags & DRBG_FLAG_TEST)) {
-+ if (!FIPS_drbg_health_check(dctx)) {
-+ r = FIPS_R_SELFTEST_FAILURE;
-+ goto end;
-+ }
-+ }
-+
-+ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
-+ dctx->min_entropy, dctx->max_entropy);
-+
-+ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
-+ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
-+ goto end;
-+ }
-+
-+ if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen))
-+ goto end;
-+
-+ dctx->status = DRBG_STATUS_READY;
-+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
-+ dctx->reseed_counter = 1;
-+ end:
-+
-+ if (entropy && dctx->cleanup_entropy)
-+ fips_cleanup_entropy(dctx, entropy, entlen);
-+
-+ if (dctx->status == DRBG_STATUS_READY)
-+ return 1;
-+
-+ if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
-+ FIPSerr(FIPS_F_DRBG_RESEED, r);
-+
-+ return 0;
-+}
-+
-+int FIPS_drbg_reseed(DRBG_CTX *dctx,
-+ const unsigned char *adin, size_t adinlen)
-+{
-+ return drbg_reseed(dctx, adin, adinlen, 1);
-+}
-+
-+static int fips_drbg_check(DRBG_CTX *dctx)
-+{
-+ if (dctx->xflags & DRBG_FLAG_TEST)
-+ return 1;
-+ dctx->health_check_cnt++;
-+ if (dctx->health_check_cnt >= dctx->health_check_interval) {
-+ if (!FIPS_drbg_health_check(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE);
-+ return 0;
-+ }
-+ }
-+ return 1;
-+}
-+
-+int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
-+ int prediction_resistance,
-+ const unsigned char *adin, size_t adinlen)
-+{
-+ int r = 0;
-+
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ if (!fips_drbg_check(dctx))
-+ return 0;
-+
-+ if (dctx->status != DRBG_STATUS_READY
-+ && dctx->status != DRBG_STATUS_RESEED) {
-+ if (dctx->status == DRBG_STATUS_ERROR)
-+ r = FIPS_R_IN_ERROR_STATE;
-+ else if (dctx->status == DRBG_STATUS_UNINITIALISED)
-+ r = FIPS_R_NOT_INSTANTIATED;
-+ goto end;
-+ }
-+
-+ if (outlen > dctx->max_request) {
-+ r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
-+ return 0;
-+ }
-+
-+ if (adinlen > dctx->max_adin) {
-+ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
-+ goto end;
-+ }
-+
-+ if (dctx->iflags & DRBG_CUSTOM_RESEED)
-+ dctx->generate(dctx, NULL, outlen, NULL, 0);
-+ else if (dctx->reseed_counter >= dctx->reseed_interval)
-+ dctx->status = DRBG_STATUS_RESEED;
-+
-+ if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) {
-+ /* If prediction resistance request don't do health check */
-+ int hcheck = prediction_resistance ? 0 : 1;
-+
-+ if (!drbg_reseed(dctx, adin, adinlen, hcheck)) {
-+ r = FIPS_R_RESEED_ERROR;
-+ goto end;
-+ }
-+ adin = NULL;
-+ adinlen = 0;
-+ }
-+
-+ if (!dctx->generate(dctx, out, outlen, adin, adinlen)) {
-+ r = FIPS_R_GENERATE_ERROR;
-+ dctx->status = DRBG_STATUS_ERROR;
-+ goto end;
-+ }
-+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) {
-+ if (dctx->reseed_counter >= dctx->reseed_interval)
-+ dctx->status = DRBG_STATUS_RESEED;
-+ else
-+ dctx->reseed_counter++;
-+ }
-+
-+ end:
-+ if (r) {
-+ if (!(dctx->iflags & DRBG_FLAG_NOERR))
-+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);
-+ return 0;
-+ }
-+
-+ return 1;
-+}
-+
-+int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)
-+{
-+ int rv;
-+ if (!dctx->uninstantiate)
-+ rv = 1;
-+ else
-+ rv = dctx->uninstantiate(dctx);
-+ /* Although we'd like to cleanse here we can't because we have to
-+ * test the uninstantiate really zeroes the data.
-+ */
-+ memset(&dctx->d, 0, sizeof(dctx->d));
-+ dctx->status = DRBG_STATUS_UNINITIALISED;
-+ /* If method has problems uninstantiating, return error */
-+ return rv;
-+}
-+
-+int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_entropy) (DRBG_CTX *ctx,
-+ unsigned char **pout,
-+ int entropy,
-+ size_t min_len,
-+ size_t max_len),
-+ void (*cleanup_entropy) (DRBG_CTX *ctx,
-+ unsigned char *out,
-+ size_t olen),
-+ size_t entropy_blocklen,
-+ size_t (*get_nonce) (DRBG_CTX *ctx,
-+ unsigned char **pout,
-+ int entropy, size_t min_len,
-+ size_t max_len),
-+ void (*cleanup_nonce) (DRBG_CTX *ctx,
-+ unsigned char *out,
-+ size_t olen))
-+{
-+ if (dctx->status != DRBG_STATUS_UNINITIALISED)
-+ return 0;
-+ dctx->entropy_blocklen = entropy_blocklen;
-+ dctx->get_entropy = get_entropy;
-+ dctx->cleanup_entropy = cleanup_entropy;
-+ dctx->get_nonce = get_nonce;
-+ dctx->cleanup_nonce = cleanup_nonce;
-+ return 1;
-+}
-+
-+int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_adin) (DRBG_CTX *ctx,
-+ unsigned char **pout),
-+ void (*cleanup_adin) (DRBG_CTX *ctx,
-+ unsigned char *out,
-+ size_t olen),
-+ int (*rand_seed_cb) (DRBG_CTX *ctx,
-+ const void *buf,
-+ int num),
-+ int (*rand_add_cb) (DRBG_CTX *ctx,
-+ const void *buf, int num,
-+ double entropy))
-+{
-+ if (dctx->status != DRBG_STATUS_UNINITIALISED)
-+ return 0;
-+ dctx->get_adin = get_adin;
-+ dctx->cleanup_adin = cleanup_adin;
-+ dctx->rand_seed_cb = rand_seed_cb;
-+ dctx->rand_add_cb = rand_add_cb;
-+ return 1;
-+}
-+
-+void *FIPS_drbg_get_app_data(DRBG_CTX *dctx)
-+{
-+ return dctx->app_data;
-+}
-+
-+void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data)
-+{
-+ dctx->app_data = app_data;
-+}
-+
-+size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)
-+{
-+ return dctx->blocklength;
-+}
-+
-+int FIPS_drbg_get_strength(DRBG_CTX *dctx)
-+{
-+ return dctx->strength;
-+}
-+
-+void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval)
-+{
-+ dctx->health_check_interval = interval;
-+}
-+
-+void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval)
-+{
-+ dctx->reseed_interval = interval;
-+}
-+
-+static int drbg_stick = 0;
-+
-+void FIPS_drbg_stick(int onoff)
-+{
-+ drbg_stick = onoff;
-+}
-+
-+/* Continuous DRBG utility function */
-+int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out)
-+{
-+ /* No CPRNG in test mode */
-+ if (dctx->xflags & DRBG_FLAG_TEST)
-+ return 1;
-+ /* Check block is valid: should never happen */
-+ if (dctx->lb_valid == 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_INTERNAL_ERROR);
-+ fips_set_selftest_fail();
-+ return 0;
-+ }
-+ if (drbg_stick)
-+ memcpy(dctx->lb, out, dctx->blocklength);
-+ /* Check against last block: fail if match */
-+ if (!memcmp(dctx->lb, out, dctx->blocklength)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_DRBG_STUCK);
-+ fips_set_selftest_fail();
-+ return 0;
-+ }
-+ /* Save last block for next comparison */
-+ memcpy(dctx->lb, out, dctx->blocklength);
-+ return 1;
-+}
-diff -up openssl-1.0.2a/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_rand.c
---- openssl-1.0.2a/crypto/fips/fips_drbg_rand.c.fips 2015-04-22 16:08:40.295245725 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_drbg_rand.c 2015-04-22 16:08:40.295245725 +0200
-@@ -0,0 +1,166 @@
-+/* fips/rand/fips_drbg_rand.c */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/err.h>
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_rand_lcl.h"
-+
-+/* Mapping of SP800-90 DRBGs to OpenSSL RAND_METHOD */
-+
-+/* Since we only have one global PRNG used at any time in OpenSSL use a global
-+ * variable to store context.
-+ */
-+
-+static DRBG_CTX ossl_dctx;
-+
-+DRBG_CTX *FIPS_get_default_drbg(void)
-+{
-+ return &ossl_dctx;
-+}
-+
-+static int fips_drbg_bytes(unsigned char *out, int count)
-+{
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ int rv = 0;
-+ unsigned char *adin = NULL;
-+ size_t adinlen = 0;
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ do {
-+ size_t rcnt;
-+ if (count > (int)dctx->max_request)
-+ rcnt = dctx->max_request;
-+ else
-+ rcnt = count;
-+ if (dctx->get_adin) {
-+ adinlen = dctx->get_adin(dctx, &adin);
-+ if (adinlen && !adin) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_BYTES,
-+ FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT);
-+ goto err;
-+ }
-+ }
-+ rv = FIPS_drbg_generate(dctx, out, rcnt, 0, adin, adinlen);
-+ if (adin) {
-+ if (dctx->cleanup_adin)
-+ dctx->cleanup_adin(dctx, adin, adinlen);
-+ adin = NULL;
-+ }
-+ if (!rv)
-+ goto err;
-+ out += rcnt;
-+ count -= rcnt;
-+ }
-+ while (count);
-+ rv = 1;
-+ err:
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ return rv;
-+}
-+
-+static int fips_drbg_pseudo(unsigned char *out, int count)
-+{
-+ if (fips_drbg_bytes(out, count) <= 0)
-+ return -1;
-+ return 1;
-+}
-+
-+static int fips_drbg_status(void)
-+{
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ int rv;
-+ CRYPTO_r_lock(CRYPTO_LOCK_RAND);
-+ rv = dctx->status == DRBG_STATUS_READY ? 1 : 0;
-+ CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
-+ return rv;
-+}
-+
-+static void fips_drbg_cleanup(void)
-+{
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ FIPS_drbg_uninstantiate(dctx);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+}
-+
-+static int fips_drbg_seed(const void *seed, int seedlen)
-+{
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ if (dctx->rand_seed_cb)
-+ return dctx->rand_seed_cb(dctx, seed, seedlen);
-+ return 1;
-+}
-+
-+static int fips_drbg_add(const void *seed, int seedlen, double add_entropy)
-+{
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ if (dctx->rand_add_cb)
-+ return dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
-+ return 1;
-+}
-+
-+static const RAND_METHOD rand_drbg_meth = {
-+ fips_drbg_seed,
-+ fips_drbg_bytes,
-+ fips_drbg_cleanup,
-+ fips_drbg_add,
-+ fips_drbg_pseudo,
-+ fips_drbg_status
-+};
-+
-+const RAND_METHOD *FIPS_drbg_method(void)
-+{
-+ return &rand_drbg_meth;
-+}
-diff -up openssl-1.0.2a/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_drbg_selftest.c
---- openssl-1.0.2a/crypto/fips/fips_drbg_selftest.c.fips 2015-04-22 16:08:40.296245749 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_drbg_selftest.c 2015-04-22 16:08:40.296245749 +0200
-@@ -0,0 +1,827 @@
-+/* fips/rand/fips_drbg_selftest.c */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/err.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_rand_lcl.h"
-+#include "fips_locl.h"
-+
-+#include "fips_drbg_selftest.h"
-+
-+typedef struct {
-+ int post;
-+ int nid;
-+ unsigned int flags;
-+
-+ /* KAT data for no PR */
-+ const unsigned char *ent;
-+ size_t entlen;
-+ const unsigned char *nonce;
-+ size_t noncelen;
-+ const unsigned char *pers;
-+ size_t perslen;
-+ const unsigned char *adin;
-+ size_t adinlen;
-+ const unsigned char *entreseed;
-+ size_t entreseedlen;
-+ const unsigned char *adinreseed;
-+ size_t adinreseedlen;
-+ const unsigned char *adin2;
-+ size_t adin2len;
-+ const unsigned char *kat;
-+ size_t katlen;
-+ const unsigned char *kat2;
-+ size_t kat2len;
-+
-+ /* KAT data for PR */
-+ const unsigned char *ent_pr;
-+ size_t entlen_pr;
-+ const unsigned char *nonce_pr;
-+ size_t noncelen_pr;
-+ const unsigned char *pers_pr;
-+ size_t perslen_pr;
-+ const unsigned char *adin_pr;
-+ size_t adinlen_pr;
-+ const unsigned char *entpr_pr;
-+ size_t entprlen_pr;
-+ const unsigned char *ading_pr;
-+ size_t adinglen_pr;
-+ const unsigned char *entg_pr;
-+ size_t entglen_pr;
-+ const unsigned char *kat_pr;
-+ size_t katlen_pr;
-+ const unsigned char *kat2_pr;
-+ size_t kat2len_pr;
-+
-+} DRBG_SELFTEST_DATA;
-+
-+#define make_drbg_test_data(nid, flag, pr, p) {p, nid, flag | DRBG_FLAG_TEST, \
-+ pr##_entropyinput, sizeof(pr##_entropyinput), \
-+ pr##_nonce, sizeof(pr##_nonce), \
-+ pr##_personalizationstring, sizeof(pr##_personalizationstring), \
-+ pr##_additionalinput, sizeof(pr##_additionalinput), \
-+ pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
-+ pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
-+ pr##_additionalinput2, sizeof(pr##_additionalinput2), \
-+ pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
-+ pr##_returnedbits, sizeof(pr##_returnedbits), \
-+ pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
-+ pr##_pr_nonce, sizeof(pr##_pr_nonce), \
-+ pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
-+ pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
-+ pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
-+ pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
-+ pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
-+ pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
-+ pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits), \
-+ }
-+
-+#define make_drbg_test_data_df(nid, pr, p) \
-+ make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr, p)
-+
-+#define make_drbg_test_data_ec(curve, md, pr, p) \
-+ make_drbg_test_data((curve << 16) | md , 0, pr, p)
-+
-+static DRBG_SELFTEST_DATA drbg_test[] = {
-+ make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0),
-+ make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0),
-+ make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1),
-+ make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df, 0),
-+ make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df, 0),
-+ make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df, 1),
-+ make_drbg_test_data(NID_sha1, 0, sha1, 0),
-+ make_drbg_test_data(NID_sha224, 0, sha224, 0),
-+ make_drbg_test_data(NID_sha256, 0, sha256, 1),
-+ make_drbg_test_data(NID_sha384, 0, sha384, 0),
-+ make_drbg_test_data(NID_sha512, 0, sha512, 0),
-+ make_drbg_test_data(NID_hmacWithSHA1, 0, hmac_sha1, 0),
-+ make_drbg_test_data(NID_hmacWithSHA224, 0, hmac_sha224, 0),
-+ make_drbg_test_data(NID_hmacWithSHA256, 0, hmac_sha256, 1),
-+ make_drbg_test_data(NID_hmacWithSHA384, 0, hmac_sha384, 0),
-+ make_drbg_test_data(NID_hmacWithSHA512, 0, hmac_sha512, 0),
-+ {0, 0, 0}
-+};
-+
-+typedef struct {
-+ const unsigned char *ent;
-+ size_t entlen;
-+ int entcnt;
-+ const unsigned char *nonce;
-+ size_t noncelen;
-+ int noncecnt;
-+} TEST_ENT;
-+
-+static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len)
-+{
-+ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
-+ *pout = (unsigned char *)t->ent;
-+ t->entcnt++;
-+ return t->entlen;
-+}
-+
-+static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len)
-+{
-+ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
-+ *pout = (unsigned char *)t->nonce;
-+ t->noncecnt++;
-+ return t->noncelen;
-+}
-+
-+static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td,
-+ int quick)
-+{
-+ TEST_ENT t;
-+ int rv = 0;
-+ size_t adinlen;
-+ unsigned char randout[1024];
-+
-+ /* Initial test without PR */
-+
-+ /* Instantiate DRBG with test entropy, nonce and personalisation
-+ * string.
-+ */
-+
-+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
-+ return 0;
-+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
-+ return 0;
-+
-+ FIPS_drbg_set_app_data(dctx, &t);
-+
-+ t.ent = td->ent;
-+ t.entlen = td->entlen;
-+ t.nonce = td->nonce;
-+ t.noncelen = td->noncelen;
-+ t.entcnt = 0;
-+ t.noncecnt = 0;
-+
-+ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
-+ goto err;
-+
-+ /* Note for CTR without DF some additional input values
-+ * ignore bytes after the keylength: so reduce adinlen
-+ * to half to ensure invalid data is fed in.
-+ */
-+ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
-+ adinlen = td->adinlen / 2;
-+ else
-+ adinlen = td->adinlen;
-+
-+ /* Generate with no PR and verify output matches expected data */
-+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, td->adin, adinlen))
-+ goto err;
-+
-+ if (memcmp(randout, td->kat, td->katlen)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST1_FAILURE);
-+ goto err2;
-+ }
-+ /* If abbreviated POST end of test */
-+ if (quick) {
-+ rv = 1;
-+ goto err;
-+ }
-+ /* Reseed DRBG with test entropy and additional input */
-+ t.ent = td->entreseed;
-+ t.entlen = td->entreseedlen;
-+
-+ if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen))
-+ goto err;
-+
-+ /* Generate with no PR and verify output matches expected data */
-+ if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0,
-+ td->adin2, td->adin2len))
-+ goto err;
-+
-+ if (memcmp(randout, td->kat2, td->kat2len)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST2_FAILURE);
-+ goto err2;
-+ }
-+
-+ FIPS_drbg_uninstantiate(dctx);
-+
-+ /* Now test with PR */
-+
-+ /* Instantiate DRBG with test entropy, nonce and personalisation
-+ * string.
-+ */
-+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
-+ return 0;
-+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
-+ return 0;
-+
-+ FIPS_drbg_set_app_data(dctx, &t);
-+
-+ t.ent = td->ent_pr;
-+ t.entlen = td->entlen_pr;
-+ t.nonce = td->nonce_pr;
-+ t.noncelen = td->noncelen_pr;
-+ t.entcnt = 0;
-+ t.noncecnt = 0;
-+
-+ if (!FIPS_drbg_instantiate(dctx, td->pers_pr, td->perslen_pr))
-+ goto err;
-+
-+ /* Now generate with PR: we need to supply entropy as this will
-+ * perform a reseed operation. Check output matches expected value.
-+ */
-+
-+ t.ent = td->entpr_pr;
-+ t.entlen = td->entprlen_pr;
-+
-+ /* Note for CTR without DF some additional input values
-+ * ignore bytes after the keylength: so reduce adinlen
-+ * to half to ensure invalid data is fed in.
-+ */
-+ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
-+ adinlen = td->adinlen_pr / 2;
-+ else
-+ adinlen = td->adinlen_pr;
-+ if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 1,
-+ td->adin_pr, adinlen))
-+ goto err;
-+
-+ if (memcmp(randout, td->kat_pr, td->katlen_pr)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST1_FAILURE);
-+ goto err2;
-+ }
-+
-+ /* Now generate again with PR: supply new entropy again.
-+ * Check output matches expected value.
-+ */
-+
-+ t.ent = td->entg_pr;
-+ t.entlen = td->entglen_pr;
-+
-+ if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 1,
-+ td->ading_pr, td->adinglen_pr))
-+ goto err;
-+
-+ if (memcmp(randout, td->kat2_pr, td->kat2len_pr)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST2_FAILURE);
-+ goto err2;
-+ }
-+ /* All OK, test complete */
-+ rv = 1;
-+
-+ err:
-+ if (rv == 0)
-+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED);
-+ err2:
-+ FIPS_drbg_uninstantiate(dctx);
-+
-+ return rv;
-+
-+}
-+
-+/* Initialise a DRBG based on selftest data */
-+
-+static int do_drbg_init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, TEST_ENT * t)
-+{
-+
-+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
-+ return 0;
-+
-+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
-+ return 0;
-+
-+ FIPS_drbg_set_app_data(dctx, t);
-+
-+ t->ent = td->ent;
-+ t->entlen = td->entlen;
-+ t->nonce = td->nonce;
-+ t->noncelen = td->noncelen;
-+ t->entcnt = 0;
-+ t->noncecnt = 0;
-+ return 1;
-+}
-+
-+/* Initialise and instantiate DRBG based on selftest data */
-+static int do_drbg_instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td,
-+ TEST_ENT * t)
-+{
-+ if (!do_drbg_init(dctx, td, t))
-+ return 0;
-+ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
-+ return 0;
-+
-+ return 1;
-+}
-+
-+/* This function performs extensive error checking as required by SP800-90.
-+ * Induce several failure modes and check an error condition is set.
-+ * This function along with fips_drbg_single_kat peforms the health checking
-+ * operation.
-+ */
-+
-+static int fips_drbg_error_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td)
-+{
-+ unsigned char randout[1024];
-+ TEST_ENT t;
-+ size_t i;
-+ unsigned int reseed_counter_tmp;
-+ unsigned char *p = (unsigned char *)dctx;
-+
-+ /* Initialise DRBG */
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ /* Don't report induced errors */
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ /* Personalisation string tests */
-+
-+ /* Test detection of too large personlisation string */
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_PERSONALISATION_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ /* Entropy source tests */
-+
-+ /* Test entropy source failure detecion: i.e. returns no data */
-+
-+ t.entlen = 0;
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ /* Try to generate output from uninstantiated DRBG */
-+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
-+ td->adin, td->adinlen)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_GENERATE_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ /* Test insufficient entropy */
-+
-+ t.entlen = dctx->min_entropy - 1;
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Test too much entropy */
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ t.entlen = dctx->max_entropy + 1;
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Nonce tests */
-+
-+ /* Test too small nonce */
-+
-+ if (dctx->min_nonce) {
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ t.noncelen = dctx->min_nonce - 1;
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_NONCE_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ }
-+
-+ /* Test too large nonce */
-+
-+ if (dctx->max_nonce) {
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ t.noncelen = dctx->max_nonce + 1;
-+
-+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_NONCE_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ }
-+
-+ /* Instantiate with valid data. */
-+ if (!do_drbg_instantiate(dctx, td, &t))
-+ goto err;
-+
-+ /* Check generation is now OK */
-+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
-+ td->adin, td->adinlen))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ /* Request too much data for one request */
-+ if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0,
-+ td->adin, td->adinlen)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ /* Try too large additional input */
-+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
-+ td->adin, dctx->max_adin + 1)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ /* Check prediction resistance request fails if entropy source
-+ * failure.
-+ */
-+
-+ t.entlen = 0;
-+
-+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
-+ td->adin, td->adinlen)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Instantiate again with valid data */
-+
-+ if (!do_drbg_instantiate(dctx, td, &t))
-+ goto err;
-+ /* Test reseed counter works */
-+ /* Save initial reseed counter */
-+ reseed_counter_tmp = dctx->reseed_counter;
-+ /* Set reseed counter to beyond interval */
-+ dctx->reseed_counter = dctx->reseed_interval;
-+
-+ /* Generate output and check entropy has been requested for reseed */
-+ t.entcnt = 0;
-+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
-+ td->adin, td->adinlen))
-+ goto err;
-+ if (t.entcnt != 1) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
-+ goto err;
-+ }
-+ /* Check reseed counter has been reset */
-+ if (dctx->reseed_counter != reseed_counter_tmp + 1) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Check prediction resistance request fails if entropy source
-+ * failure.
-+ */
-+
-+ t.entlen = 0;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
-+ td->adin, td->adinlen)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ if (!do_drbg_instantiate(dctx, td, &t))
-+ goto err;
-+ /* Test reseed counter works */
-+ /* Save initial reseed counter */
-+ reseed_counter_tmp = dctx->reseed_counter;
-+ /* Set reseed counter to beyond interval */
-+ dctx->reseed_counter = dctx->reseed_interval;
-+
-+ /* Generate output and check entropy has been requested for reseed */
-+ t.entcnt = 0;
-+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
-+ td->adin, td->adinlen))
-+ goto err;
-+ if (t.entcnt != 1) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
-+ goto err;
-+ }
-+ /* Check reseed counter has been reset */
-+ if (dctx->reseed_counter != reseed_counter_tmp + 1) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
-+ goto err;
-+ }
-+
-+ dctx->iflags &= ~DRBG_FLAG_NOERR;
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Explicit reseed tests */
-+
-+ /* Test explicit reseed with too large additional input */
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ if (FIPS_drbg_reseed(dctx, td->adin, dctx->max_adin + 1) > 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ /* Test explicit reseed with entropy source failure */
-+
-+ t.entlen = 0;
-+
-+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Test explicit reseed with too much entropy */
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ t.entlen = dctx->max_entropy + 1;
-+
-+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ /* Test explicit reseed with too little entropy */
-+
-+ if (!do_drbg_init(dctx, td, &t))
-+ goto err;
-+
-+ dctx->iflags |= DRBG_FLAG_NOERR;
-+
-+ t.entlen = dctx->min_entropy - 1;
-+
-+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
-+ goto err;
-+ }
-+
-+ if (!FIPS_drbg_uninstantiate(dctx)) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
-+ goto err;
-+ }
-+
-+ p = (unsigned char *)&dctx->d;
-+ /* Standard says we have to check uninstantiate really zeroes
-+ * the data...
-+ */
-+ for (i = 0; i < sizeof(dctx->d); i++) {
-+ if (*p != 0) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
-+ FIPS_R_UNINSTANTIATE_ZEROISE_ERROR);
-+ goto err;
-+ }
-+ p++;
-+ }
-+
-+ return 1;
-+
-+ err:
-+ /* A real error as opposed to an induced one: underlying function will
-+ * indicate the error.
-+ */
-+ if (!(dctx->iflags & DRBG_FLAG_NOERR))
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_FUNCTION_ERROR);
-+ FIPS_drbg_uninstantiate(dctx);
-+ return 0;
-+
-+}
-+
-+int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags)
-+{
-+ DRBG_SELFTEST_DATA *td;
-+ flags |= DRBG_FLAG_TEST;
-+ for (td = drbg_test; td->nid != 0; td++) {
-+ if (td->nid == nid && td->flags == flags) {
-+ if (!fips_drbg_single_kat(dctx, td, 0))
-+ return 0;
-+ return fips_drbg_error_check(dctx, td);
-+ }
-+ }
-+ return 0;
-+}
-+
-+int FIPS_drbg_health_check(DRBG_CTX *dctx)
-+{
-+ int rv;
-+ DRBG_CTX *tctx = NULL;
-+ tctx = FIPS_drbg_new(0, 0);
-+ fips_post_started(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
-+ if (!tctx)
-+ return 0;
-+ rv = fips_drbg_kat(tctx, dctx->type, dctx->xflags);
-+ if (tctx)
-+ FIPS_drbg_free(tctx);
-+ if (rv)
-+ fips_post_success(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
-+ else
-+ fips_post_failed(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
-+ if (!rv)
-+ dctx->status = DRBG_STATUS_ERROR;
-+ else
-+ dctx->health_check_cnt = 0;
-+ return rv;
-+}
-+
-+int FIPS_selftest_drbg(void)
-+{
-+ DRBG_CTX *dctx;
-+ DRBG_SELFTEST_DATA *td;
-+ int rv = 1;
-+ dctx = FIPS_drbg_new(0, 0);
-+ if (!dctx)
-+ return 0;
-+ for (td = drbg_test; td->nid != 0; td++) {
-+ if (td->post != 1)
-+ continue;
-+ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
-+ return 1;
-+ if (!fips_drbg_single_kat(dctx, td, 1)) {
-+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
-+ rv = 0;
-+ continue;
-+ }
-+ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
-+ return 0;
-+ }
-+ FIPS_drbg_free(dctx);
-+ return rv;
-+}
-+
-+int FIPS_selftest_drbg_all(void)
-+{
-+ DRBG_CTX *dctx;
-+ DRBG_SELFTEST_DATA *td;
-+ int rv = 1;
-+ dctx = FIPS_drbg_new(0, 0);
-+ if (!dctx)
-+ return 0;
-+ for (td = drbg_test; td->nid != 0; td++) {
-+ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
-+ return 1;
-+ if (!fips_drbg_single_kat(dctx, td, 0)) {
-+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
-+ rv = 0;
-+ continue;
-+ }
-+ if (!fips_drbg_error_check(dctx, td)) {
-+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
-+ rv = 0;
-+ continue;
-+ }
-+ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
-+ return 0;
-+ }
-+ FIPS_drbg_free(dctx);
-+ return rv;
-+}
-diff -up openssl-1.0.2a/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.2a/crypto/fips/fips_drbg_selftest.h
---- openssl-1.0.2a/crypto/fips/fips_drbg_selftest.h.fips 2015-04-22 16:08:40.297245773 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_drbg_selftest.h 2015-04-22 16:08:40.297245773 +0200
-@@ -0,0 +1,1791 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+/* Selftest and health check data for the SP800-90 DRBG */
-+
-+#define __fips_constseg
-+
-+/* AES-128 use df PR */
-+__fips_constseg static const unsigned char aes_128_use_df_pr_entropyinput[] = {
-+ 0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33,
-+ 0xc8, 0xdb, 0xff, 0x12
-+};
-+
-+__fips_constseg static const unsigned char aes_128_use_df_pr_nonce[] = {
-+ 0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_use_df_pr_personalizationstring[] = {
-+ 0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe,
-+ 0xd7, 0xd7, 0x01, 0x67
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_use_df_pr_additionalinput[] = {
-+ 0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e,
-+ 0x9a, 0x47, 0x08, 0x76
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_use_df_pr_entropyinputpr[] = {
-+ 0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51,
-+ 0x09, 0xfb, 0xa3, 0xb6
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_use_df_pr_int_returnedbits[] = {
-+ 0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52,
-+ 0x66, 0x1c, 0xea, 0x5b
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_use_df_pr_additionalinput2[] = {
-+ 0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11,
-+ 0x3f, 0x5e, 0x31, 0x06
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = {
-+ 0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae,
-+ 0xa7, 0xe3, 0xa8, 0x67
-+};
-+
-+__fips_constseg static const unsigned char aes_128_use_df_pr_returnedbits[] = {
-+ 0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24,
-+ 0x0f, 0x38, 0x43, 0xc6
-+};
-+
-+/* AES-128 use df No PR */
-+__fips_constseg static const unsigned char aes_128_use_df_entropyinput[] = {
-+ 0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3,
-+ 0x9d, 0x7d, 0x1c, 0x9b
-+};
-+
-+__fips_constseg static const unsigned char aes_128_use_df_nonce[] = {
-+ 0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_use_df_personalizationstring[] = {
-+ 0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3,
-+ 0x38, 0x66, 0xba, 0x1b
-+};
-+
-+__fips_constseg static const unsigned char aes_128_use_df_additionalinput[] = {
-+ 0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46,
-+ 0xb5, 0xe2, 0xb2, 0x41
-+};
-+
-+__fips_constseg static const unsigned char aes_128_use_df_int_returnedbits[] = {
-+ 0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67,
-+ 0xe7, 0x57, 0x11, 0xb4
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_use_df_entropyinputreseed[] = {
-+ 0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b,
-+ 0xc7, 0xc4, 0x9e, 0x39
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_use_df_additionalinputreseed[] = {
-+ 0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a,
-+ 0xc8, 0x93, 0xfa, 0x84
-+};
-+
-+__fips_constseg static const unsigned char aes_128_use_df_additionalinput2[] = {
-+ 0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5,
-+ 0x06, 0x0c, 0x15, 0x2c
-+};
-+
-+__fips_constseg static const unsigned char aes_128_use_df_returnedbits[] = {
-+ 0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88,
-+ 0x46, 0x81, 0xc7, 0x19
-+};
-+
-+/* AES-192 use df PR */
-+__fips_constseg static const unsigned char aes_192_use_df_pr_entropyinput[] = {
-+ 0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec,
-+ 0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d
-+};
-+
-+__fips_constseg static const unsigned char aes_192_use_df_pr_nonce[] = {
-+ 0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0,
-+ 0xd1, 0x80, 0x78, 0xfa
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_use_df_pr_personalizationstring[] = {
-+ 0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16,
-+ 0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5,
-+ 0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_use_df_pr_additionalinput[] = {
-+ 0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac,
-+ 0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb,
-+ 0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_use_df_pr_entropyinputpr[] = {
-+ 0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5,
-+ 0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_use_df_pr_int_returnedbits[] = {
-+ 0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9,
-+ 0x19, 0x30, 0x6b, 0x67
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_use_df_pr_additionalinput2[] = {
-+ 0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32,
-+ 0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda,
-+ 0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = {
-+ 0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0,
-+ 0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e
-+};
-+
-+__fips_constseg static const unsigned char aes_192_use_df_pr_returnedbits[] = {
-+ 0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c,
-+ 0x7e, 0x1a, 0x2b, 0x83
-+};
-+
-+/* AES-192 use df No PR */
-+__fips_constseg static const unsigned char aes_192_use_df_entropyinput[] = {
-+ 0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82,
-+ 0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b
-+};
-+
-+__fips_constseg static const unsigned char aes_192_use_df_nonce[] = {
-+ 0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d,
-+ 0x77, 0xd7, 0x41, 0x0e
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_use_df_personalizationstring[] = {
-+ 0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf,
-+ 0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65,
-+ 0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70
-+};
-+
-+__fips_constseg static const unsigned char aes_192_use_df_additionalinput[] = {
-+ 0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69,
-+ 0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22,
-+ 0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7
-+};
-+
-+__fips_constseg static const unsigned char aes_192_use_df_int_returnedbits[] = {
-+ 0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6,
-+ 0xb7, 0xed, 0xe9, 0xea
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_use_df_entropyinputreseed[] = {
-+ 0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02,
-+ 0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_use_df_additionalinputreseed[] = {
-+ 0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76,
-+ 0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77,
-+ 0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65
-+};
-+
-+__fips_constseg static const unsigned char aes_192_use_df_additionalinput2[] = {
-+ 0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e,
-+ 0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0,
-+ 0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77
-+};
-+
-+__fips_constseg static const unsigned char aes_192_use_df_returnedbits[] = {
-+ 0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58,
-+ 0x1a, 0xf9, 0x13, 0x28
-+};
-+
-+/* AES-256 use df PR */
-+__fips_constseg static const unsigned char aes_256_use_df_pr_entropyinput[] = {
-+ 0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74,
-+ 0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f,
-+ 0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a
-+};
-+
-+__fips_constseg static const unsigned char aes_256_use_df_pr_nonce[] = {
-+ 0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33,
-+ 0x2b, 0x36, 0xff, 0xa4
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_use_df_pr_personalizationstring[] = {
-+ 0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24,
-+ 0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83,
-+ 0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_use_df_pr_additionalinput[] = {
-+ 0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0,
-+ 0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3,
-+ 0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_use_df_pr_entropyinputpr[] = {
-+ 0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77,
-+ 0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54,
-+ 0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_use_df_pr_int_returnedbits[] = {
-+ 0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7,
-+ 0x17, 0xab, 0x3c, 0x7a
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_use_df_pr_additionalinput2[] = {
-+ 0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00,
-+ 0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78,
-+ 0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = {
-+ 0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73,
-+ 0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8,
-+ 0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f
-+};
-+
-+__fips_constseg static const unsigned char aes_256_use_df_pr_returnedbits[] = {
-+ 0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0,
-+ 0xd9, 0xe2, 0x97, 0x00
-+};
-+
-+/* AES-256 use df No PR */
-+__fips_constseg static const unsigned char aes_256_use_df_entropyinput[] = {
-+ 0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50,
-+ 0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68,
-+ 0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47
-+};
-+
-+__fips_constseg static const unsigned char aes_256_use_df_nonce[] = {
-+ 0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a,
-+ 0x4c, 0x44, 0x84, 0x40
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_use_df_personalizationstring[] = {
-+ 0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05,
-+ 0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b,
-+ 0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2
-+};
-+
-+__fips_constseg static const unsigned char aes_256_use_df_additionalinput[] = {
-+ 0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f,
-+ 0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf,
-+ 0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46
-+};
-+
-+__fips_constseg static const unsigned char aes_256_use_df_int_returnedbits[] = {
-+ 0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1,
-+ 0x28, 0x0c, 0x3b, 0xc1
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_use_df_entropyinputreseed[] = {
-+ 0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76,
-+ 0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46,
-+ 0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_use_df_additionalinputreseed[] = {
-+ 0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99,
-+ 0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75,
-+ 0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75
-+};
-+
-+__fips_constseg static const unsigned char aes_256_use_df_additionalinput2[] = {
-+ 0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d,
-+ 0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a,
-+ 0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d
-+};
-+
-+__fips_constseg static const unsigned char aes_256_use_df_returnedbits[] = {
-+ 0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad,
-+ 0xfa, 0xfd, 0x35, 0x5e
-+};
-+
-+/* AES-128 no df PR */
-+__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinput[] = {
-+ 0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4,
-+ 0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf,
-+ 0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a
-+};
-+
-+__fips_constseg static const unsigned char aes_128_no_df_pr_nonce[] = {
-+ 0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_no_df_pr_personalizationstring[] = {
-+ 0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c,
-+ 0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c,
-+ 0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_no_df_pr_additionalinput[] = {
-+ 0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02,
-+ 0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73,
-+ 0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12
-+};
-+
-+__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinputpr[] = {
-+ 0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a,
-+ 0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7,
-+ 0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_no_df_pr_int_returnedbits[] = {
-+ 0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71,
-+ 0xaf, 0x19, 0x32, 0x16
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_no_df_pr_additionalinput2[] = {
-+ 0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f,
-+ 0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83,
-+ 0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = {
-+ 0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a,
-+ 0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07,
-+ 0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9
-+};
-+
-+__fips_constseg static const unsigned char aes_128_no_df_pr_returnedbits[] = {
-+ 0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33,
-+ 0x57, 0x82, 0x33, 0xaf
-+};
-+
-+/* AES-128 no df No PR */
-+__fips_constseg static const unsigned char aes_128_no_df_entropyinput[] = {
-+ 0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67,
-+ 0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42,
-+ 0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60
-+};
-+
-+__fips_constseg static const unsigned char aes_128_no_df_nonce[] = {
-+ 0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_no_df_personalizationstring[] = {
-+ 0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb,
-+ 0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b,
-+ 0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce
-+};
-+
-+__fips_constseg static const unsigned char aes_128_no_df_additionalinput[] = {
-+ 0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37,
-+ 0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24,
-+ 0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95
-+};
-+
-+__fips_constseg static const unsigned char aes_128_no_df_int_returnedbits[] = {
-+ 0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6,
-+ 0xed, 0x3e, 0x65, 0xc2
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_no_df_entropyinputreseed[] = {
-+ 0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66,
-+ 0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1,
-+ 0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_128_no_df_additionalinputreseed[] = {
-+ 0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2,
-+ 0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4,
-+ 0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4
-+};
-+
-+__fips_constseg static const unsigned char aes_128_no_df_additionalinput2[] = {
-+ 0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f,
-+ 0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac,
-+ 0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6
-+};
-+
-+__fips_constseg static const unsigned char aes_128_no_df_returnedbits[] = {
-+ 0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36,
-+ 0x81, 0x37, 0x19, 0xd4
-+};
-+
-+/* AES-192 no df PR */
-+__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinput[] = {
-+ 0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7,
-+ 0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61,
-+ 0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a,
-+ 0x17, 0x1f, 0x8d, 0x9a
-+};
-+
-+__fips_constseg static const unsigned char aes_192_no_df_pr_nonce[] = {
-+ 0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19,
-+ 0x61, 0x5c, 0xee, 0x0f
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_no_df_pr_personalizationstring[] = {
-+ 0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1,
-+ 0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4,
-+ 0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10,
-+ 0x57, 0x2e, 0xe7, 0x55
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_no_df_pr_additionalinput[] = {
-+ 0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad,
-+ 0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85,
-+ 0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f,
-+ 0xe2, 0xd0, 0x0c, 0x2f
-+};
-+
-+__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinputpr[] = {
-+ 0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94,
-+ 0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb,
-+ 0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58,
-+ 0x1d, 0x30, 0xb3, 0x78
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_no_df_pr_int_returnedbits[] = {
-+ 0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40,
-+ 0x7e, 0x3e, 0x0c, 0x26
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_no_df_pr_additionalinput2[] = {
-+ 0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a,
-+ 0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57,
-+ 0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee,
-+ 0x0c, 0x4b, 0xee, 0x6e
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = {
-+ 0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0,
-+ 0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f,
-+ 0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b,
-+ 0x8e, 0x0a, 0x83, 0xdf
-+};
-+
-+__fips_constseg static const unsigned char aes_192_no_df_pr_returnedbits[] = {
-+ 0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91,
-+ 0xb9, 0xa1, 0x21, 0x68
-+};
-+
-+/* AES-192 no df No PR */
-+__fips_constseg static const unsigned char aes_192_no_df_entropyinput[] = {
-+ 0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e,
-+ 0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe,
-+ 0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28,
-+ 0x94, 0xc3, 0x59, 0x63
-+};
-+
-+__fips_constseg static const unsigned char aes_192_no_df_nonce[] = {
-+ 0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb,
-+ 0x29, 0xfd, 0x45, 0x71
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_no_df_personalizationstring[] = {
-+ 0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08,
-+ 0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96,
-+ 0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b,
-+ 0x3b, 0x88, 0xce, 0x35
-+};
-+
-+__fips_constseg static const unsigned char aes_192_no_df_additionalinput[] = {
-+ 0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b,
-+ 0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71,
-+ 0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3,
-+ 0x3e, 0xbe, 0xd4, 0x8e
-+};
-+
-+__fips_constseg static const unsigned char aes_192_no_df_int_returnedbits[] = {
-+ 0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a,
-+ 0x45, 0xe7, 0x4a, 0xc5
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_no_df_entropyinputreseed[] = {
-+ 0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e,
-+ 0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1,
-+ 0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33,
-+ 0x9b, 0xcb, 0x7e, 0x75
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_192_no_df_additionalinputreseed[] = {
-+ 0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01,
-+ 0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27,
-+ 0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40,
-+ 0x5d, 0x7a, 0x25, 0x79
-+};
-+
-+__fips_constseg static const unsigned char aes_192_no_df_additionalinput2[] = {
-+ 0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71,
-+ 0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5,
-+ 0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a,
-+ 0x91, 0x6a, 0xe3, 0x5f
-+};
-+
-+__fips_constseg static const unsigned char aes_192_no_df_returnedbits[] = {
-+ 0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8,
-+ 0x66, 0x67, 0x2c, 0x92
-+};
-+
-+/* AES-256 no df PR */
-+__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinput[] = {
-+ 0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8,
-+ 0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2,
-+ 0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03,
-+ 0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c
-+};
-+
-+__fips_constseg static const unsigned char aes_256_no_df_pr_nonce[] = {
-+ 0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30,
-+ 0xcc, 0x4b, 0xee, 0x2e
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_no_df_pr_personalizationstring[] = {
-+ 0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7,
-+ 0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b,
-+ 0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac,
-+ 0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_no_df_pr_additionalinput[] = {
-+ 0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40,
-+ 0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c,
-+ 0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69,
-+ 0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e
-+};
-+
-+__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinputpr[] = {
-+ 0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16,
-+ 0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc,
-+ 0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9,
-+ 0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_no_df_pr_int_returnedbits[] = {
-+ 0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56,
-+ 0x79, 0x60, 0x93, 0xcf
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_no_df_pr_additionalinput2[] = {
-+ 0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a,
-+ 0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35,
-+ 0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34,
-+ 0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = {
-+ 0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3,
-+ 0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa,
-+ 0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83,
-+ 0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f
-+};
-+
-+__fips_constseg static const unsigned char aes_256_no_df_pr_returnedbits[] = {
-+ 0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7,
-+ 0x2d, 0x5f, 0x4a, 0x46
-+};
-+
-+/* AES-256 no df No PR */
-+__fips_constseg static const unsigned char aes_256_no_df_entropyinput[] = {
-+ 0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3,
-+ 0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb,
-+ 0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96,
-+ 0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3
-+};
-+
-+__fips_constseg static const unsigned char aes_256_no_df_nonce[] = {
-+ 0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99,
-+ 0x43, 0x96, 0xb9, 0xf0
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_no_df_personalizationstring[] = {
-+ 0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60,
-+ 0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc,
-+ 0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f,
-+ 0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d
-+};
-+
-+__fips_constseg static const unsigned char aes_256_no_df_additionalinput[] = {
-+ 0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6,
-+ 0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9,
-+ 0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed,
-+ 0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17
-+};
-+
-+__fips_constseg static const unsigned char aes_256_no_df_int_returnedbits[] = {
-+ 0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6,
-+ 0xd2, 0x25, 0x75, 0x0e
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_no_df_entropyinputreseed[] = {
-+ 0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b,
-+ 0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5,
-+ 0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed,
-+ 0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb
-+};
-+
-+__fips_constseg
-+ static const unsigned char aes_256_no_df_additionalinputreseed[] = {
-+ 0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e,
-+ 0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18,
-+ 0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b,
-+ 0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29
-+};
-+
-+__fips_constseg static const unsigned char aes_256_no_df_additionalinput2[] = {
-+ 0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe,
-+ 0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42,
-+ 0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba,
-+ 0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6
-+};
-+
-+__fips_constseg static const unsigned char aes_256_no_df_returnedbits[] = {
-+ 0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67,
-+ 0xf6, 0x02, 0x32, 0xe2
-+};
-+
-+/* SHA-1 PR */
-+__fips_constseg static const unsigned char sha1_pr_entropyinput[] = {
-+ 0xd2, 0x36, 0xa5, 0x27, 0x31, 0x73, 0xdd, 0x11, 0x4f, 0x93, 0xbd, 0xe2,
-+ 0x31, 0xa5, 0x91, 0x13
-+};
-+
-+__fips_constseg static const unsigned char sha1_pr_nonce[] = {
-+ 0xb5, 0xb3, 0x60, 0xef, 0xf7, 0x63, 0x31, 0xf3
-+};
-+
-+__fips_constseg static const unsigned char sha1_pr_personalizationstring[] = {
-+ 0xd4, 0xbb, 0x02, 0x10, 0xb2, 0x71, 0xdb, 0x81, 0xd6, 0xf0, 0x42, 0x60,
-+ 0xda, 0xea, 0x77, 0x52
-+};
-+
-+__fips_constseg static const unsigned char sha1_pr_additionalinput[] = {
-+ 0x4d, 0xd2, 0x6c, 0x87, 0xfb, 0x2c, 0x4f, 0xa6, 0x8d, 0x16, 0x63, 0x22,
-+ 0x6a, 0x51, 0xe3, 0xf8
-+};
-+
-+__fips_constseg static const unsigned char sha1_pr_entropyinputpr[] = {
-+ 0xc9, 0x83, 0x9e, 0x16, 0xf6, 0x1c, 0x0f, 0xb2, 0xec, 0x60, 0x31, 0xa9,
-+ 0xcb, 0xa9, 0x36, 0x7a
-+};
-+
-+__fips_constseg static const unsigned char sha1_pr_int_returnedbits[] = {
-+ 0xa8, 0x13, 0x4f, 0xf4, 0x31, 0x02, 0x44, 0xe3, 0xd3, 0x3d, 0x61, 0x9e,
-+ 0xe5, 0xc6, 0x3e, 0x89, 0xb5, 0x9b, 0x0f, 0x35
-+};
-+
-+__fips_constseg static const unsigned char sha1_pr_additionalinput2[] = {
-+ 0xf9, 0xe8, 0xd2, 0x72, 0x13, 0x34, 0x95, 0x6f, 0x15, 0x49, 0x47, 0x99,
-+ 0x16, 0x03, 0x19, 0x47
-+};
-+
-+__fips_constseg static const unsigned char sha1_pr_entropyinputpr2[] = {
-+ 0x4e, 0x8c, 0x49, 0x9b, 0x4a, 0x5c, 0x9b, 0x9c, 0x3a, 0xee, 0xfb, 0xd2,
-+ 0xae, 0xcd, 0x8c, 0xc4
-+};
-+
-+__fips_constseg static const unsigned char sha1_pr_returnedbits[] = {
-+ 0x50, 0xb4, 0xb4, 0xcd, 0x68, 0x57, 0xfc, 0x2e, 0xc1, 0x52, 0xcc, 0xf6,
-+ 0x68, 0xa4, 0x81, 0xed, 0x7e, 0xe4, 0x1d, 0x87
-+};
-+
-+/* SHA-1 No PR */
-+__fips_constseg static const unsigned char sha1_entropyinput[] = {
-+ 0xa9, 0x47, 0x1b, 0x29, 0x2d, 0x1c, 0x05, 0xdf, 0x76, 0xd0, 0x62, 0xf9,
-+ 0xe2, 0x7f, 0x4c, 0x7b
-+};
-+
-+__fips_constseg static const unsigned char sha1_nonce[] = {
-+ 0x53, 0x23, 0x24, 0xe3, 0xec, 0x0c, 0x54, 0x14
-+};
-+
-+__fips_constseg static const unsigned char sha1_personalizationstring[] = {
-+ 0x7a, 0x87, 0xa1, 0xac, 0x1c, 0xfd, 0xab, 0xae, 0xf7, 0xd6, 0xfb, 0x76,
-+ 0x28, 0xec, 0x6d, 0xca
-+};
-+
-+__fips_constseg static const unsigned char sha1_additionalinput[] = {
-+ 0xfc, 0x92, 0x35, 0xd6, 0x7e, 0xb7, 0x24, 0x65, 0xfd, 0x12, 0x27, 0x35,
-+ 0xc0, 0x72, 0xca, 0x28
-+};
-+
-+__fips_constseg static const unsigned char sha1_int_returnedbits[] = {
-+ 0x57, 0x88, 0x82, 0xe5, 0x25, 0xa5, 0x2c, 0x4a, 0x06, 0x20, 0x6c, 0x72,
-+ 0x55, 0x61, 0xdd, 0x90, 0x71, 0x9f, 0x95, 0xea
-+};
-+
-+__fips_constseg static const unsigned char sha1_entropyinputreseed[] = {
-+ 0x69, 0xa5, 0x40, 0x62, 0x98, 0x47, 0x56, 0x73, 0x4a, 0x8f, 0x60, 0x96,
-+ 0xd6, 0x99, 0x27, 0xed
-+};
-+
-+__fips_constseg static const unsigned char sha1_additionalinputreseed[] = {
-+ 0xe5, 0x40, 0x4e, 0xbd, 0x50, 0x00, 0xf5, 0x15, 0xa6, 0xee, 0x45, 0xda,
-+ 0x84, 0x3d, 0xd4, 0xc0
-+};
-+
-+__fips_constseg static const unsigned char sha1_additionalinput2[] = {
-+ 0x11, 0x51, 0x14, 0xf0, 0x09, 0x1b, 0x4e, 0x56, 0x0d, 0xe9, 0xf6, 0x1e,
-+ 0x52, 0x65, 0xcd, 0x96
-+};
-+
-+__fips_constseg static const unsigned char sha1_returnedbits[] = {
-+ 0xa1, 0x9c, 0x94, 0x6e, 0x29, 0xe1, 0x33, 0x0d, 0x32, 0xd6, 0xaa, 0xce,
-+ 0x71, 0x3f, 0x52, 0x72, 0x8b, 0x42, 0xa8, 0xd7
-+};
-+
-+/* SHA-224 PR */
-+__fips_constseg static const unsigned char sha224_pr_entropyinput[] = {
-+ 0x12, 0x69, 0x32, 0x4f, 0x83, 0xa6, 0xf5, 0x14, 0xe3, 0x49, 0x3e, 0x75,
-+ 0x3e, 0xde, 0xad, 0xa1, 0x29, 0xc3, 0xf3, 0x19, 0x20, 0xb5, 0x4c, 0xd9
-+};
-+
-+__fips_constseg static const unsigned char sha224_pr_nonce[] = {
-+ 0x6a, 0x78, 0xd0, 0xeb, 0xbb, 0x5a, 0xf0, 0xee, 0xe8, 0xc3, 0xba, 0x71
-+};
-+
-+__fips_constseg static const unsigned char sha224_pr_personalizationstring[] = {
-+ 0xd5, 0xb8, 0xb6, 0xbc, 0xc1, 0x5b, 0x60, 0x31, 0x3c, 0xf5, 0xe5, 0xc0,
-+ 0x8e, 0x52, 0x7a, 0xbd, 0xea, 0x47, 0xa9, 0x5f, 0x8f, 0xf9, 0x8b, 0xae
-+};
-+
-+__fips_constseg static const unsigned char sha224_pr_additionalinput[] = {
-+ 0x1f, 0x55, 0xec, 0xae, 0x16, 0x12, 0x84, 0xba, 0x84, 0x16, 0x19, 0x88,
-+ 0x8e, 0xb8, 0x33, 0x25, 0x54, 0xff, 0xca, 0x79, 0xaf, 0x07, 0x25, 0x50
-+};
-+
-+__fips_constseg static const unsigned char sha224_pr_entropyinputpr[] = {
-+ 0x92, 0xa3, 0x32, 0xa8, 0x9a, 0x0a, 0x58, 0x7c, 0x1d, 0x5a, 0x7e, 0xe1,
-+ 0xb2, 0x73, 0xab, 0x0e, 0x16, 0x79, 0x23, 0xd3, 0x29, 0x89, 0x81, 0xe1
-+};
-+
-+__fips_constseg static const unsigned char sha224_pr_int_returnedbits[] = {
-+ 0xf3, 0x38, 0x91, 0x40, 0x37, 0x7a, 0x51, 0x72, 0x42, 0x74, 0x78, 0x0a,
-+ 0x69, 0xfd, 0xa6, 0x44, 0x43, 0x45, 0x6c, 0x0c, 0x5a, 0x19, 0xff, 0xf1,
-+ 0x54, 0x60, 0xee, 0x6a
-+};
-+
-+__fips_constseg static const unsigned char sha224_pr_additionalinput2[] = {
-+ 0x75, 0xf3, 0x04, 0x25, 0xdd, 0x36, 0xa8, 0x37, 0x46, 0xae, 0x0c, 0x52,
-+ 0x05, 0x79, 0x4c, 0x26, 0xdb, 0xe9, 0x71, 0x16, 0x4c, 0x0a, 0xf2, 0x60
-+};
-+
-+__fips_constseg static const unsigned char sha224_pr_entropyinputpr2[] = {
-+ 0xea, 0xc5, 0x03, 0x0a, 0x4f, 0xb0, 0x38, 0x8d, 0x23, 0xd4, 0xc8, 0x77,
-+ 0xe2, 0x6d, 0x9c, 0x0b, 0x44, 0xf7, 0x2d, 0x5b, 0xbf, 0x5d, 0x2a, 0x11
-+};
-+
-+__fips_constseg static const unsigned char sha224_pr_returnedbits[] = {
-+ 0x60, 0x50, 0x2b, 0xe7, 0x86, 0xd8, 0x26, 0x73, 0xe3, 0x1d, 0x95, 0x20,
-+ 0xb3, 0x2c, 0x32, 0x1c, 0xf5, 0xce, 0x57, 0xa6, 0x67, 0x2b, 0xdc, 0x4e,
-+ 0xdd, 0x11, 0x4c, 0xc4
-+};
-+
-+/* SHA-224 No PR */
-+__fips_constseg static const unsigned char sha224_entropyinput[] = {
-+ 0xb2, 0x1c, 0x77, 0x4d, 0xf6, 0xd3, 0xb6, 0x40, 0xb7, 0x30, 0x3e, 0x29,
-+ 0xb0, 0x85, 0x1c, 0xbe, 0x4a, 0xea, 0x6b, 0x5a, 0xb5, 0x8a, 0x97, 0xeb
-+};
-+
-+__fips_constseg static const unsigned char sha224_nonce[] = {
-+ 0x42, 0x02, 0x0a, 0x1c, 0x98, 0x9a, 0x77, 0x9e, 0x9f, 0x80, 0xba, 0xe0
-+};
-+
-+__fips_constseg static const unsigned char sha224_personalizationstring[] = {
-+ 0x98, 0xb8, 0x04, 0x41, 0xfc, 0xc1, 0x5d, 0xc5, 0xe9, 0xb9, 0x08, 0xda,
-+ 0xf9, 0xfa, 0x0d, 0x90, 0xce, 0xdf, 0x1d, 0x10, 0xa9, 0x8d, 0x50, 0x0c
-+};
-+
-+__fips_constseg static const unsigned char sha224_additionalinput[] = {
-+ 0x9a, 0x8d, 0x39, 0x49, 0x42, 0xd5, 0x0b, 0xae, 0xe1, 0xaf, 0xb7, 0x00,
-+ 0x02, 0xfa, 0x96, 0xb1, 0xa5, 0x1d, 0x2d, 0x25, 0x78, 0xee, 0x83, 0x3f
-+};
-+
-+__fips_constseg static const unsigned char sha224_int_returnedbits[] = {
-+ 0xe4, 0xf5, 0x53, 0x79, 0x5a, 0x97, 0x58, 0x06, 0x08, 0xba, 0x7b, 0xfa,
-+ 0xf0, 0x83, 0x05, 0x8c, 0x22, 0xc0, 0xc9, 0xdb, 0x15, 0xe7, 0xde, 0x20,
-+ 0x55, 0x22, 0x9a, 0xad
-+};
-+
-+__fips_constseg static const unsigned char sha224_entropyinputreseed[] = {
-+ 0x67, 0x09, 0x48, 0xaa, 0x07, 0x16, 0x99, 0x89, 0x7f, 0x6d, 0xa0, 0xe5,
-+ 0x8f, 0xdf, 0xbc, 0xdb, 0xfe, 0xe5, 0x6c, 0x7a, 0x95, 0x4a, 0x66, 0x17
-+};
-+
-+__fips_constseg static const unsigned char sha224_additionalinputreseed[] = {
-+ 0x0f, 0x4b, 0x1c, 0x6f, 0xb7, 0xe3, 0x47, 0xe5, 0x5d, 0x7d, 0x38, 0xd6,
-+ 0x28, 0x9b, 0xeb, 0x55, 0x63, 0x09, 0x3e, 0x7c, 0x56, 0xea, 0xf8, 0x19
-+};
-+
-+__fips_constseg static const unsigned char sha224_additionalinput2[] = {
-+ 0x2d, 0x26, 0x7c, 0x37, 0xe4, 0x7a, 0x28, 0x5e, 0x5a, 0x3c, 0xaf, 0x3d,
-+ 0x5a, 0x8e, 0x55, 0xa2, 0x1a, 0x6e, 0xc0, 0xe5, 0xf6, 0x21, 0xd3, 0xf6
-+};
-+
-+__fips_constseg static const unsigned char sha224_returnedbits[] = {
-+ 0x4d, 0x83, 0x35, 0xdf, 0x67, 0xa9, 0xfc, 0x17, 0xda, 0x70, 0xcc, 0x8b,
-+ 0x7f, 0x77, 0xae, 0xa2, 0x5f, 0xb9, 0x7e, 0x74, 0x4c, 0x26, 0xc1, 0x7a,
-+ 0x3b, 0xa7, 0x5c, 0x93
-+};
-+
-+/* SHA-256 PR */
-+__fips_constseg static const unsigned char sha256_pr_entropyinput[] = {
-+ 0xce, 0x49, 0x00, 0x7a, 0x56, 0xe3, 0x67, 0x8f, 0xe1, 0xb6, 0xa7, 0xd4,
-+ 0x4f, 0x08, 0x7a, 0x1b, 0x01, 0xf4, 0xfa, 0x6b, 0xef, 0xb7, 0xe5, 0xeb,
-+ 0x07, 0x3d, 0x11, 0x0d, 0xc8, 0xea, 0x2b, 0xfe
-+};
-+
-+__fips_constseg static const unsigned char sha256_pr_nonce[] = {
-+ 0x73, 0x41, 0xc8, 0x92, 0x94, 0xe2, 0xc5, 0x5f, 0x93, 0xfd, 0x39, 0x5d,
-+ 0x2b, 0x91, 0x4d, 0x38
-+};
-+
-+__fips_constseg static const unsigned char sha256_pr_personalizationstring[] = {
-+ 0x50, 0x6d, 0x01, 0x01, 0x07, 0x5a, 0x80, 0x35, 0x7a, 0x56, 0x1a, 0x56,
-+ 0x2f, 0x9a, 0x0b, 0x35, 0xb2, 0xb1, 0xc9, 0xe5, 0xca, 0x69, 0x61, 0x48,
-+ 0xff, 0xfb, 0x0f, 0xd9, 0x4b, 0x79, 0x1d, 0xba
-+};
-+
-+__fips_constseg static const unsigned char sha256_pr_additionalinput[] = {
-+ 0x20, 0xb8, 0xdf, 0x44, 0x77, 0x5a, 0xb8, 0xd3, 0xbf, 0xf6, 0xcf, 0xac,
-+ 0x5e, 0xa6, 0x96, 0x62, 0x73, 0x44, 0x40, 0x4a, 0x30, 0xfb, 0x38, 0xa5,
-+ 0x7b, 0x0d, 0xe4, 0x0d, 0xc6, 0xe4, 0x9a, 0x1f
-+};
-+
-+__fips_constseg static const unsigned char sha256_pr_entropyinputpr[] = {
-+ 0x04, 0xc4, 0x65, 0xf4, 0xd3, 0xbf, 0x83, 0x4b, 0xab, 0xc8, 0x41, 0xa8,
-+ 0xc2, 0xe0, 0x44, 0x63, 0x77, 0x4c, 0x6f, 0x6c, 0x49, 0x46, 0xff, 0x94,
-+ 0x17, 0xea, 0xe6, 0x1a, 0x9d, 0x5e, 0x66, 0x78
-+};
-+
-+__fips_constseg static const unsigned char sha256_pr_int_returnedbits[] = {
-+ 0x07, 0x4d, 0xac, 0x9b, 0x86, 0xca, 0x4a, 0xaa, 0x6e, 0x7a, 0x03, 0xa2,
-+ 0x5d, 0x10, 0xea, 0x0b, 0xf9, 0x83, 0xcc, 0xd1, 0xfc, 0xe2, 0x07, 0xc7,
-+ 0x06, 0x34, 0x60, 0x6f, 0x83, 0x94, 0x99, 0x76
-+};
-+
-+__fips_constseg static const unsigned char sha256_pr_additionalinput2[] = {
-+ 0x89, 0x4e, 0x45, 0x8c, 0x11, 0xf9, 0xbc, 0x5b, 0xac, 0x74, 0x8b, 0x4b,
-+ 0x5f, 0xf7, 0x19, 0xf3, 0xf5, 0x24, 0x54, 0x14, 0xd1, 0x15, 0xb1, 0x43,
-+ 0x12, 0xa4, 0x5f, 0xd4, 0xec, 0xfc, 0xcd, 0x09
-+};
-+
-+__fips_constseg static const unsigned char sha256_pr_entropyinputpr2[] = {
-+ 0x0e, 0xeb, 0x1f, 0xd7, 0xfc, 0xd1, 0x9d, 0xd4, 0x05, 0x36, 0x8b, 0xb2,
-+ 0xfb, 0xe4, 0xf4, 0x51, 0x0c, 0x87, 0x9b, 0x02, 0x44, 0xd5, 0x92, 0x4d,
-+ 0x44, 0xfe, 0x1a, 0x03, 0x43, 0x56, 0xbd, 0x86
-+};
-+
-+__fips_constseg static const unsigned char sha256_pr_returnedbits[] = {
-+ 0x02, 0xaa, 0xb6, 0x1d, 0x7e, 0x2a, 0x40, 0x03, 0x69, 0x2d, 0x49, 0xa3,
-+ 0x41, 0xe7, 0x44, 0x0b, 0xaf, 0x7b, 0x85, 0xe4, 0x5f, 0x53, 0x3b, 0x64,
-+ 0xbc, 0x89, 0xc8, 0x82, 0xd4, 0x78, 0x37, 0xa2
-+};
-+
-+/* SHA-256 No PR */
-+__fips_constseg static const unsigned char sha256_entropyinput[] = {
-+ 0x5b, 0x1b, 0xec, 0x4d, 0xa9, 0x38, 0x74, 0x5a, 0x34, 0x0b, 0x7b, 0xc5,
-+ 0xe5, 0xd7, 0x66, 0x7c, 0xbc, 0x82, 0xb9, 0x0e, 0x2d, 0x1f, 0x92, 0xd7,
-+ 0xc1, 0xbc, 0x67, 0x69, 0xec, 0x6b, 0x03, 0x3c
-+};
-+
-+__fips_constseg static const unsigned char sha256_nonce[] = {
-+ 0xa4, 0x0c, 0xd8, 0x9c, 0x61, 0xd8, 0xc3, 0x54, 0xfe, 0x53, 0xc9, 0xe5,
-+ 0x5d, 0x6f, 0x6d, 0x35
-+};
-+
-+__fips_constseg static const unsigned char sha256_personalizationstring[] = {
-+ 0x22, 0x5e, 0x62, 0x93, 0x42, 0x83, 0x78, 0x24, 0xd8, 0x40, 0x8c, 0xde,
-+ 0x6f, 0xf9, 0xa4, 0x7a, 0xc5, 0xa7, 0x3b, 0x88, 0xa3, 0xee, 0x42, 0x20,
-+ 0xfd, 0x61, 0x56, 0xc6, 0x4c, 0x13, 0x41, 0x9c
-+};
-+
-+__fips_constseg static const unsigned char sha256_additionalinput[] = {
-+ 0xbf, 0x74, 0x5b, 0xf6, 0xc5, 0x64, 0x5e, 0x99, 0x34, 0x8f, 0xbc, 0xa4,
-+ 0xe2, 0xbd, 0xd8, 0x85, 0x26, 0x37, 0xea, 0xba, 0x4f, 0xf2, 0x9a, 0x9a,
-+ 0x66, 0xfc, 0xdf, 0x63, 0x26, 0x26, 0x19, 0x87
-+};
-+
-+__fips_constseg static const unsigned char sha256_int_returnedbits[] = {
-+ 0xb3, 0xc6, 0x07, 0x07, 0xd6, 0x75, 0xf6, 0x2b, 0xd6, 0x21, 0x96, 0xf1,
-+ 0xae, 0xdb, 0x2b, 0xac, 0x25, 0x2a, 0xae, 0xae, 0x41, 0x72, 0x03, 0x5e,
-+ 0xbf, 0xd3, 0x64, 0xbc, 0x59, 0xf9, 0xc0, 0x76
-+};
-+
-+__fips_constseg static const unsigned char sha256_entropyinputreseed[] = {
-+ 0xbf, 0x20, 0x33, 0x56, 0x29, 0xa8, 0x37, 0x04, 0x1f, 0x78, 0x34, 0x3d,
-+ 0x81, 0x2a, 0xc9, 0x86, 0xc6, 0x7a, 0x2f, 0x88, 0x5e, 0xd5, 0xbe, 0x34,
-+ 0x46, 0x20, 0xa4, 0x35, 0xeb, 0xc7, 0xe2, 0x9d
-+};
-+
-+__fips_constseg static const unsigned char sha256_additionalinputreseed[] = {
-+ 0x9b, 0xae, 0x2d, 0x2d, 0x61, 0xa4, 0x89, 0xeb, 0x43, 0x46, 0xa7, 0xda,
-+ 0xef, 0x40, 0xca, 0x4a, 0x99, 0x11, 0x41, 0xdc, 0x5c, 0x94, 0xe9, 0xac,
-+ 0xd4, 0xd0, 0xe6, 0xbd, 0xfb, 0x03, 0x9c, 0xa8
-+};
-+
-+__fips_constseg static const unsigned char sha256_additionalinput2[] = {
-+ 0x23, 0xaa, 0x0c, 0xbd, 0x28, 0x33, 0xe2, 0x51, 0xfc, 0x71, 0xd2, 0x15,
-+ 0x1f, 0x76, 0xfd, 0x0d, 0xe0, 0xb7, 0xb5, 0x84, 0x75, 0x5b, 0xbe, 0xf3,
-+ 0x5c, 0xca, 0xc5, 0x30, 0xf2, 0x75, 0x1f, 0xda
-+};
-+
-+__fips_constseg static const unsigned char sha256_returnedbits[] = {
-+ 0x90, 0x3c, 0xc1, 0x10, 0x8c, 0x12, 0x01, 0xc6, 0xa6, 0x3a, 0x0f, 0x4d,
-+ 0xb6, 0x3a, 0x4f, 0x41, 0x9c, 0x61, 0x75, 0x84, 0xe9, 0x74, 0x75, 0xfd,
-+ 0xfe, 0xf2, 0x1f, 0x43, 0xd8, 0x5e, 0x24, 0xa3
-+};
-+
-+/* SHA-384 PR */
-+__fips_constseg static const unsigned char sha384_pr_entropyinput[] = {
-+ 0x71, 0x9d, 0xb2, 0x5a, 0x71, 0x6d, 0x04, 0xe9, 0x1e, 0xc7, 0x92, 0x24,
-+ 0x6e, 0x12, 0x33, 0xa9, 0x52, 0x64, 0x31, 0xef, 0x71, 0xeb, 0x22, 0x55,
-+ 0x28, 0x97, 0x06, 0x6a, 0xc0, 0x0c, 0xa0, 0x7e
-+};
-+
-+__fips_constseg static const unsigned char sha384_pr_nonce[] = {
-+ 0xf5, 0x0d, 0xfa, 0xb0, 0xec, 0x6a, 0x7c, 0xd6, 0xbd, 0x9b, 0x05, 0xfd,
-+ 0x38, 0x3e, 0x2e, 0x56
-+};
-+
-+__fips_constseg static const unsigned char sha384_pr_personalizationstring[] = {
-+ 0x74, 0xac, 0x7e, 0x6d, 0xb1, 0xa4, 0xe7, 0x21, 0xd1, 0x1e, 0x6e, 0x96,
-+ 0x6d, 0x4d, 0x53, 0x46, 0x82, 0x96, 0x6e, 0xcf, 0xaa, 0x81, 0x8d, 0x7d,
-+ 0x9e, 0xe1, 0x0f, 0x15, 0xea, 0x41, 0xbf, 0xe3
-+};
-+
-+__fips_constseg static const unsigned char sha384_pr_additionalinput[] = {
-+ 0xda, 0x95, 0xd4, 0xd0, 0xb8, 0x11, 0xd3, 0x49, 0x27, 0x5d, 0xa9, 0x39,
-+ 0x68, 0xf3, 0xa8, 0xe9, 0x5d, 0x19, 0x8a, 0x2b, 0x66, 0xe8, 0x69, 0x06,
-+ 0x7c, 0x9e, 0x03, 0xa1, 0x8b, 0x26, 0x2d, 0x6e
-+};
-+
-+__fips_constseg static const unsigned char sha384_pr_entropyinputpr[] = {
-+ 0x49, 0xdf, 0x44, 0x00, 0xe4, 0x1c, 0x75, 0x0b, 0x26, 0x5a, 0x59, 0x64,
-+ 0x1f, 0x4e, 0xb1, 0xb2, 0x13, 0xf1, 0x22, 0x4e, 0xb4, 0x6d, 0x9a, 0xcc,
-+ 0xa0, 0x48, 0xe6, 0xcf, 0x1d, 0xd1, 0x92, 0x0d
-+};
-+
-+__fips_constseg static const unsigned char sha384_pr_int_returnedbits[] = {
-+ 0xc8, 0x52, 0xae, 0xbf, 0x04, 0x3c, 0x27, 0xb7, 0x78, 0x18, 0xaa, 0x8f,
-+ 0xff, 0xcf, 0xa4, 0xf1, 0xcc, 0xe7, 0x68, 0xfa, 0x22, 0xa2, 0x13, 0x45,
-+ 0xe8, 0xdd, 0x87, 0xe6, 0xf2, 0x6e, 0xdd, 0xc7, 0x52, 0x90, 0x9f, 0x7b,
-+ 0xfa, 0x61, 0x2d, 0x9d, 0x9e, 0xcf, 0x98, 0xac, 0x52, 0x40, 0xce, 0xaf
-+};
-+
-+__fips_constseg static const unsigned char sha384_pr_additionalinput2[] = {
-+ 0x61, 0x7c, 0x03, 0x9a, 0x3e, 0x50, 0x57, 0x60, 0xc5, 0x83, 0xc9, 0xb2,
-+ 0xd1, 0x87, 0x85, 0x66, 0x92, 0x5d, 0x84, 0x0e, 0x53, 0xfb, 0x70, 0x03,
-+ 0x72, 0xfd, 0xba, 0xae, 0x9c, 0x8f, 0xf8, 0x18
-+};
-+
-+__fips_constseg static const unsigned char sha384_pr_entropyinputpr2[] = {
-+ 0xf8, 0xeb, 0x89, 0xb1, 0x8d, 0x78, 0xbe, 0x21, 0xe0, 0xbb, 0x9d, 0xb7,
-+ 0x95, 0x0e, 0xd9, 0x46, 0x0c, 0x8c, 0xe2, 0x63, 0xb7, 0x9d, 0x67, 0x90,
-+ 0xbd, 0xc7, 0x0b, 0xa5, 0xce, 0xb2, 0x65, 0x81
-+};
-+
-+__fips_constseg static const unsigned char sha384_pr_returnedbits[] = {
-+ 0xe6, 0x9f, 0xfe, 0x68, 0xd6, 0xb5, 0x79, 0xf1, 0x06, 0x5f, 0xa3, 0xbb,
-+ 0x23, 0x85, 0xd8, 0xf0, 0x29, 0x5a, 0x68, 0x9e, 0xf5, 0xf4, 0xa6, 0x12,
-+ 0xe0, 0x9a, 0xe2, 0xac, 0x00, 0x1d, 0x98, 0x26, 0xfc, 0x53, 0x95, 0x53,
-+ 0xe4, 0x3e, 0x17, 0xd5, 0x08, 0x0b, 0x70, 0x3d, 0x67, 0x99, 0xac, 0x66
-+};
-+
-+/* SHA-384 No PR */
-+__fips_constseg static const unsigned char sha384_entropyinput[] = {
-+ 0x07, 0x15, 0x27, 0x2a, 0xaf, 0x74, 0x24, 0x37, 0xbc, 0xd5, 0x14, 0x69,
-+ 0xce, 0x11, 0xff, 0xa2, 0x6b, 0xb8, 0x05, 0x67, 0x34, 0xf8, 0xbd, 0x6d,
-+ 0x6a, 0xcc, 0xcd, 0x60, 0xa3, 0x68, 0xca, 0xf4
-+};
-+
-+__fips_constseg static const unsigned char sha384_nonce[] = {
-+ 0x70, 0x17, 0xc2, 0x5b, 0x5d, 0x22, 0x0b, 0x06, 0x15, 0x54, 0x78, 0x77,
-+ 0x44, 0xaf, 0x2f, 0x09
-+};
-+
-+__fips_constseg static const unsigned char sha384_personalizationstring[] = {
-+ 0x89, 0x39, 0x28, 0xb0, 0x60, 0xeb, 0x3d, 0xdc, 0x55, 0x75, 0x86, 0xeb,
-+ 0xae, 0xa2, 0x8f, 0xbc, 0x1b, 0x75, 0xd4, 0xe1, 0x0f, 0xaa, 0x38, 0xca,
-+ 0x62, 0x8b, 0xcb, 0x2c, 0x26, 0xf6, 0xbc, 0xb1
-+};
-+
-+__fips_constseg static const unsigned char sha384_additionalinput[] = {
-+ 0x30, 0x2b, 0x42, 0x35, 0xef, 0xda, 0x40, 0x55, 0x28, 0xc6, 0x95, 0xfb,
-+ 0x54, 0x01, 0x62, 0xd7, 0x87, 0x14, 0x48, 0x6d, 0x90, 0x4c, 0xa9, 0x02,
-+ 0x54, 0x40, 0x22, 0xc8, 0x66, 0xa5, 0x48, 0x48
-+};
-+
-+__fips_constseg static const unsigned char sha384_int_returnedbits[] = {
-+ 0x82, 0xc4, 0xa1, 0x9c, 0x21, 0xd2, 0xe7, 0xa5, 0xa6, 0xf6, 0x5f, 0x04,
-+ 0x5c, 0xc7, 0x31, 0x9d, 0x8d, 0x59, 0x74, 0x50, 0x19, 0x89, 0x2f, 0x63,
-+ 0xd5, 0xb7, 0x7e, 0xeb, 0x15, 0xe3, 0x70, 0x83, 0xa1, 0x24, 0x59, 0xfa,
-+ 0x2c, 0x56, 0xf6, 0x88, 0x3a, 0x92, 0x93, 0xa1, 0xfb, 0x79, 0xc1, 0x7a
-+};
-+
-+__fips_constseg static const unsigned char sha384_entropyinputreseed[] = {
-+ 0x39, 0xa6, 0xe8, 0x5c, 0x82, 0x17, 0x71, 0x26, 0x57, 0x4f, 0x9f, 0xc2,
-+ 0x55, 0xff, 0x5c, 0x9b, 0x53, 0x1a, 0xd1, 0x5f, 0xbc, 0x62, 0xe4, 0x27,
-+ 0x2d, 0x32, 0xf0, 0xe4, 0x52, 0x8c, 0xc5, 0x0c
-+};
-+
-+__fips_constseg static const unsigned char sha384_additionalinputreseed[] = {
-+ 0x8d, 0xcb, 0x8d, 0xce, 0x08, 0xea, 0x80, 0xe8, 0x9b, 0x61, 0xa8, 0x0f,
-+ 0xaf, 0x49, 0x20, 0x9e, 0x74, 0xcb, 0x57, 0x80, 0x42, 0xb0, 0x84, 0x5e,
-+ 0x30, 0x2a, 0x67, 0x08, 0xf4, 0xe3, 0x40, 0x22
-+};
-+
-+__fips_constseg static const unsigned char sha384_additionalinput2[] = {
-+ 0x7c, 0x8f, 0xc2, 0xae, 0x22, 0x4a, 0xd6, 0xf6, 0x05, 0xa4, 0x7a, 0xea,
-+ 0xbb, 0x25, 0xd0, 0xb7, 0x5a, 0xd6, 0xcf, 0x9d, 0xf3, 0x6c, 0xe2, 0xb2,
-+ 0x4e, 0xb4, 0xbd, 0xf4, 0xe5, 0x40, 0x80, 0x94
-+};
-+
-+__fips_constseg static const unsigned char sha384_returnedbits[] = {
-+ 0x9e, 0x7e, 0xfb, 0x59, 0xbb, 0xaa, 0x3c, 0xf7, 0xe1, 0xf8, 0x76, 0xdd,
-+ 0x63, 0x5f, 0xaf, 0x23, 0xd6, 0x64, 0x61, 0xc0, 0x9a, 0x09, 0x47, 0xc9,
-+ 0x33, 0xdf, 0x6d, 0x55, 0x91, 0x34, 0x79, 0x70, 0xc4, 0x99, 0x6e, 0x54,
-+ 0x09, 0x64, 0x21, 0x1a, 0xbd, 0x1e, 0x80, 0x40, 0x34, 0xad, 0xfa, 0xd7
-+};
-+
-+/* SHA-512 PR */
-+__fips_constseg static const unsigned char sha512_pr_entropyinput[] = {
-+ 0x13, 0xf7, 0x61, 0x75, 0x65, 0x28, 0xa2, 0x59, 0x13, 0x5a, 0x4a, 0x4f,
-+ 0x56, 0x60, 0x8c, 0x53, 0x7d, 0xb0, 0xbd, 0x06, 0x4f, 0xed, 0xcc, 0xd2,
-+ 0xa2, 0xb5, 0xfd, 0x5b, 0x3a, 0xab, 0xec, 0x28
-+};
-+
-+__fips_constseg static const unsigned char sha512_pr_nonce[] = {
-+ 0xbe, 0xa3, 0x91, 0x93, 0x1d, 0xc3, 0x31, 0x3a, 0x23, 0x33, 0x50, 0x67,
-+ 0x88, 0xc7, 0xa2, 0xc4
-+};
-+
-+__fips_constseg static const unsigned char sha512_pr_personalizationstring[] = {
-+ 0x1f, 0x59, 0x4d, 0x7b, 0xe6, 0x46, 0x91, 0x48, 0xc1, 0x25, 0xfa, 0xff,
-+ 0x89, 0x12, 0x77, 0x35, 0xdf, 0x3e, 0xf4, 0x80, 0x5f, 0xd9, 0xb0, 0x07,
-+ 0x22, 0x41, 0xdd, 0x48, 0x78, 0x6b, 0x77, 0x2b
-+};
-+
-+__fips_constseg static const unsigned char sha512_pr_additionalinput[] = {
-+ 0x30, 0xff, 0x63, 0x6f, 0xac, 0xd9, 0x84, 0x39, 0x6f, 0xe4, 0x99, 0xce,
-+ 0x91, 0x7d, 0x7e, 0xc8, 0x58, 0xf2, 0x12, 0xc3, 0xb6, 0xad, 0xda, 0x22,
-+ 0x04, 0xa0, 0xd2, 0x21, 0xfe, 0xf2, 0x95, 0x1d
-+};
-+
-+__fips_constseg static const unsigned char sha512_pr_entropyinputpr[] = {
-+ 0x64, 0x54, 0x13, 0xec, 0x4f, 0x77, 0xda, 0xb2, 0x92, 0x2e, 0x52, 0x80,
-+ 0x11, 0x10, 0xc2, 0xf8, 0xe6, 0xa7, 0xcd, 0x4b, 0xfc, 0x32, 0x2e, 0x9e,
-+ 0xeb, 0xbb, 0xb1, 0xbf, 0x15, 0x5c, 0x73, 0x08
-+};
-+
-+__fips_constseg static const unsigned char sha512_pr_int_returnedbits[] = {
-+ 0xef, 0x1e, 0xdc, 0x0a, 0xa4, 0x36, 0x91, 0x9c, 0x3d, 0x27, 0x97, 0x50,
-+ 0x8d, 0x36, 0x29, 0x8d, 0xce, 0x6a, 0x0c, 0xf7, 0x21, 0xc0, 0x91, 0xae,
-+ 0x0c, 0x96, 0x72, 0xbd, 0x52, 0x81, 0x58, 0xfc, 0x6d, 0xe5, 0xf7, 0xa5,
-+ 0xfd, 0x5d, 0xa7, 0x58, 0x68, 0xc8, 0x99, 0x58, 0x8e, 0xc8, 0xce, 0x95,
-+ 0x01, 0x7d, 0xff, 0xa4, 0xc8, 0xf7, 0x63, 0xfe, 0x5f, 0x69, 0x83, 0x53,
-+ 0xe2, 0xc6, 0x8b, 0xc3
-+};
-+
-+__fips_constseg static const unsigned char sha512_pr_additionalinput2[] = {
-+ 0xe6, 0x9b, 0xc4, 0x88, 0x34, 0xca, 0xea, 0x29, 0x2f, 0x98, 0x05, 0xa4,
-+ 0xd3, 0xc0, 0x7b, 0x11, 0xe8, 0xbb, 0x75, 0xf2, 0xbd, 0x29, 0xb7, 0x40,
-+ 0x25, 0x7f, 0xc1, 0xb7, 0xb1, 0xf1, 0x25, 0x61
-+};
-+
-+__fips_constseg static const unsigned char sha512_pr_entropyinputpr2[] = {
-+ 0x23, 0x6d, 0xff, 0xde, 0xfb, 0xd1, 0xba, 0x33, 0x18, 0xe6, 0xbe, 0xb5,
-+ 0x48, 0x77, 0x6d, 0x7f, 0xa7, 0xe1, 0x4d, 0x48, 0x1e, 0x3c, 0xa7, 0x34,
-+ 0x1a, 0xc8, 0x60, 0xdb, 0x8f, 0x99, 0x15, 0x99
-+};
-+
-+__fips_constseg static const unsigned char sha512_pr_returnedbits[] = {
-+ 0x70, 0x27, 0x31, 0xdb, 0x92, 0x70, 0x21, 0xfe, 0x16, 0xb6, 0xc8, 0x51,
-+ 0x34, 0x87, 0x65, 0xd0, 0x4e, 0xfd, 0xfe, 0x68, 0xec, 0xac, 0xdc, 0x93,
-+ 0x41, 0x38, 0x92, 0x90, 0xb4, 0x94, 0xf9, 0x0d, 0xa4, 0xf7, 0x4e, 0x80,
-+ 0x92, 0x67, 0x48, 0x40, 0xa7, 0x08, 0xc7, 0xbc, 0x66, 0x00, 0xfd, 0xf7,
-+ 0x4c, 0x8b, 0x17, 0x6e, 0xd1, 0x8f, 0x9b, 0xf3, 0x6f, 0xf6, 0x34, 0xdd,
-+ 0x67, 0xf7, 0x68, 0xdd
-+};
-+
-+/* SHA-512 No PR */
-+__fips_constseg static const unsigned char sha512_entropyinput[] = {
-+ 0xb6, 0x0b, 0xb7, 0xbc, 0x84, 0x56, 0xf6, 0x12, 0xaf, 0x45, 0x67, 0x17,
-+ 0x7c, 0xd1, 0xb2, 0x78, 0x2b, 0xa0, 0xf2, 0xbe, 0xb6, 0x6d, 0x8b, 0x56,
-+ 0xc6, 0xbc, 0x4d, 0xe1, 0xf7, 0xbe, 0xce, 0xbd
-+};
-+
-+__fips_constseg static const unsigned char sha512_nonce[] = {
-+ 0x9d, 0xed, 0xc0, 0xe5, 0x5a, 0x98, 0x6a, 0xcb, 0x51, 0x7d, 0x76, 0x31,
-+ 0x5a, 0x64, 0xf0, 0xf7
-+};
-+
-+__fips_constseg static const unsigned char sha512_personalizationstring[] = {
-+ 0xc2, 0x6d, 0xa3, 0xc3, 0x06, 0x74, 0xe5, 0x01, 0x5c, 0x10, 0x17, 0xc7,
-+ 0xaf, 0x83, 0x9d, 0x59, 0x8d, 0x2d, 0x29, 0x38, 0xc5, 0x59, 0x70, 0x8b,
-+ 0x46, 0x48, 0x2d, 0xcf, 0x36, 0x7d, 0x59, 0xc0
-+};
-+
-+__fips_constseg static const unsigned char sha512_additionalinput[] = {
-+ 0xec, 0x8c, 0xd4, 0xf7, 0x61, 0x6e, 0x0d, 0x95, 0x79, 0xb7, 0x28, 0xad,
-+ 0x5f, 0x69, 0x74, 0x5f, 0x2d, 0x36, 0x06, 0x8a, 0x6b, 0xac, 0x54, 0x97,
-+ 0xc4, 0xa1, 0x12, 0x85, 0x0a, 0xdf, 0x4b, 0x34
-+};
-+
-+__fips_constseg static const unsigned char sha512_int_returnedbits[] = {
-+ 0x84, 0x2f, 0x1f, 0x68, 0x6a, 0xa3, 0xad, 0x1e, 0xfb, 0xf4, 0x15, 0xbd,
-+ 0xde, 0x38, 0xd4, 0x30, 0x80, 0x51, 0xe9, 0xd3, 0xc7, 0x20, 0x88, 0xe9,
-+ 0xf5, 0xcc, 0xdf, 0x57, 0x5c, 0x47, 0x2f, 0x57, 0x3c, 0x5f, 0x13, 0x56,
-+ 0xcc, 0xc5, 0x4f, 0x84, 0xf8, 0x10, 0x41, 0xd5, 0x7e, 0x58, 0x6e, 0x19,
-+ 0x19, 0x9e, 0xaf, 0xc2, 0x22, 0x58, 0x41, 0x50, 0x79, 0xc2, 0xd8, 0x04,
-+ 0x28, 0xd4, 0x39, 0x9a
-+};
-+
-+__fips_constseg static const unsigned char sha512_entropyinputreseed[] = {
-+ 0xfa, 0x7f, 0x46, 0x51, 0x83, 0x62, 0x98, 0x16, 0x9a, 0x19, 0xa2, 0x49,
-+ 0xa9, 0xe6, 0x4a, 0xd8, 0x85, 0xe7, 0xd4, 0x3b, 0x2c, 0x82, 0xc5, 0x82,
-+ 0xbf, 0x11, 0xf9, 0x9e, 0xbc, 0xd0, 0x01, 0xee
-+};
-+
-+__fips_constseg static const unsigned char sha512_additionalinputreseed[] = {
-+ 0xb9, 0x12, 0xe0, 0x4f, 0xf7, 0xa7, 0xc4, 0xd8, 0xd0, 0x8e, 0x99, 0x29,
-+ 0x7c, 0x9a, 0xe9, 0xcf, 0xc4, 0x6c, 0xf8, 0xc3, 0xa7, 0x41, 0x83, 0xd6,
-+ 0x2e, 0xfa, 0xb8, 0x5e, 0x8e, 0x6b, 0x78, 0x20
-+};
-+
-+__fips_constseg static const unsigned char sha512_additionalinput2[] = {
-+ 0xd7, 0x07, 0x52, 0xb9, 0x83, 0x2c, 0x03, 0x71, 0xee, 0xc9, 0xc0, 0x85,
-+ 0xe1, 0x57, 0xb2, 0xcd, 0x3a, 0xf0, 0xc9, 0x34, 0x24, 0x41, 0x1c, 0x42,
-+ 0x99, 0xb2, 0x84, 0xe9, 0x17, 0xd2, 0x76, 0x92
-+};
-+
-+__fips_constseg static const unsigned char sha512_returnedbits[] = {
-+ 0x36, 0x17, 0x5d, 0x98, 0x2b, 0x65, 0x25, 0x8e, 0xc8, 0x29, 0xdf, 0x27,
-+ 0x05, 0x36, 0x26, 0x12, 0x8a, 0x68, 0x74, 0x27, 0x37, 0xd4, 0x7f, 0x32,
-+ 0xb1, 0x12, 0xd6, 0x85, 0x83, 0xeb, 0x2e, 0xa0, 0xed, 0x4b, 0xb5, 0x7b,
-+ 0x6f, 0x39, 0x3c, 0x71, 0x77, 0x02, 0x12, 0xcc, 0x2c, 0x3a, 0x8e, 0x63,
-+ 0xdf, 0x4a, 0xbd, 0x6f, 0x6e, 0x2e, 0xed, 0x0a, 0x85, 0xa5, 0x2f, 0xa2,
-+ 0x68, 0xde, 0x42, 0xb5
-+};
-+
-+/* HMAC SHA-1 PR */
-+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinput[] = {
-+ 0x26, 0x5f, 0x36, 0x14, 0xff, 0x3d, 0x83, 0xfa, 0x73, 0x5e, 0x75, 0xdc,
-+ 0x2c, 0x18, 0x17, 0x1b
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_pr_nonce[] = {
-+ 0xc8, 0xe3, 0x57, 0xa5, 0x7b, 0x74, 0x86, 0x6e
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha1_pr_personalizationstring[] = {
-+ 0x6e, 0xdb, 0x0d, 0xfe, 0x7d, 0xac, 0x79, 0xd0, 0xa5, 0x3a, 0x48, 0x85,
-+ 0x80, 0xe2, 0x7f, 0x2a
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput[] = {
-+ 0x31, 0xcd, 0x5e, 0x43, 0xdc, 0xfb, 0x7a, 0x79, 0xca, 0x88, 0xde, 0x1f,
-+ 0xd7, 0xbb, 0x42, 0x09
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr[] = {
-+ 0x7c, 0x23, 0x95, 0x38, 0x00, 0x95, 0xc1, 0x78, 0x1f, 0x8f, 0xd7, 0x63,
-+ 0x23, 0x87, 0x2a, 0xed
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_pr_int_returnedbits[] = {
-+ 0xbb, 0x34, 0xe7, 0x93, 0xa3, 0x02, 0x2c, 0x4a, 0xd0, 0x89, 0xda, 0x7f,
-+ 0xed, 0xf4, 0x4c, 0xde, 0x17, 0xec, 0xe5, 0x6c
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput2[] = {
-+ 0x49, 0xbc, 0x2d, 0x2c, 0xb7, 0x32, 0xcb, 0x20, 0xdf, 0xf5, 0x77, 0x58,
-+ 0xa0, 0x4b, 0x93, 0x6e
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr2[] = {
-+ 0x3c, 0xaa, 0xb0, 0x21, 0x42, 0xb0, 0xdd, 0x34, 0xf0, 0x16, 0x7f, 0x0c,
-+ 0x0f, 0xff, 0x2e, 0xaf
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_pr_returnedbits[] = {
-+ 0x8e, 0xcb, 0xa3, 0x64, 0xb2, 0xb8, 0x33, 0x6c, 0x64, 0x3b, 0x78, 0x16,
-+ 0x99, 0x35, 0xc8, 0x30, 0xcb, 0x3e, 0xa0, 0xd8
-+};
-+
-+/* HMAC SHA-1 No PR */
-+__fips_constseg static const unsigned char hmac_sha1_entropyinput[] = {
-+ 0x32, 0x9a, 0x2a, 0x87, 0x7b, 0x89, 0x7c, 0xf6, 0xcb, 0x95, 0xd5, 0x40,
-+ 0x17, 0xfe, 0x47, 0x70
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_nonce[] = {
-+ 0x16, 0xd8, 0xe0, 0xc7, 0x52, 0xcf, 0x4a, 0x25
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_personalizationstring[] = {
-+ 0x35, 0x35, 0xa9, 0xa5, 0x40, 0xbe, 0x9b, 0xd1, 0x56, 0xdd, 0x44, 0x00,
-+ 0x72, 0xf7, 0xd3, 0x5e
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_additionalinput[] = {
-+ 0x1b, 0x2c, 0x84, 0x2d, 0x4a, 0x89, 0x8f, 0x69, 0x19, 0xf1, 0xf3, 0xdb,
-+ 0xbb, 0xe3, 0xaa, 0xea
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_int_returnedbits[] = {
-+ 0xcf, 0xfa, 0x7d, 0x72, 0x0f, 0xe6, 0xc7, 0x96, 0xa0, 0x69, 0x31, 0x11,
-+ 0x9b, 0x0b, 0x1a, 0x20, 0x1f, 0x3f, 0xaa, 0xd1
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_entropyinputreseed[] = {
-+ 0x90, 0x75, 0x15, 0x04, 0x95, 0xf1, 0xba, 0x81, 0x0c, 0x37, 0x94, 0x6f,
-+ 0x86, 0x52, 0x6d, 0x9c
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_additionalinputreseed[] = {
-+ 0x5b, 0x40, 0xba, 0x5f, 0x17, 0x70, 0xf0, 0x4b, 0xdf, 0xc9, 0x97, 0x92,
-+ 0x79, 0xc5, 0x82, 0x28
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_additionalinput2[] = {
-+ 0x97, 0xc8, 0x80, 0x90, 0xb3, 0xaa, 0x6e, 0x60, 0xea, 0x83, 0x7a, 0xe3,
-+ 0x8a, 0xca, 0xa4, 0x7f
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha1_returnedbits[] = {
-+ 0x90, 0xbd, 0x05, 0x56, 0x6d, 0xb5, 0x22, 0xd5, 0xb9, 0x5a, 0x29, 0x2d,
-+ 0xe9, 0x0b, 0xe1, 0xac, 0xde, 0x27, 0x0b, 0xb0
-+};
-+
-+/* HMAC SHA-224 PR */
-+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinput[] = {
-+ 0x17, 0x32, 0x2b, 0x2e, 0x6f, 0x1b, 0x9c, 0x6d, 0x31, 0xe0, 0x34, 0x07,
-+ 0xcf, 0xed, 0xf6, 0xb6, 0x5a, 0x76, 0x4c, 0xbc, 0x62, 0x85, 0x01, 0x90
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_pr_nonce[] = {
-+ 0x38, 0xbf, 0x5f, 0x20, 0xb3, 0x68, 0x2f, 0x43, 0x61, 0x05, 0x8f, 0x23
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha224_pr_personalizationstring[] = {
-+ 0xc0, 0xc9, 0x45, 0xac, 0x8d, 0x27, 0x77, 0x08, 0x0b, 0x17, 0x6d, 0xed,
-+ 0xc1, 0x7d, 0xd5, 0x07, 0x9d, 0x6e, 0xf8, 0x23, 0x2a, 0x22, 0x13, 0xbd
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput[] = {
-+ 0xa4, 0x3c, 0xe7, 0x3b, 0xea, 0x19, 0x45, 0x32, 0xc2, 0x83, 0x6d, 0x21,
-+ 0x8a, 0xc0, 0xee, 0x67, 0x45, 0xde, 0x13, 0x7d, 0x9d, 0x61, 0x00, 0x3b
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr[] = {
-+ 0x15, 0x05, 0x74, 0x4a, 0x7f, 0x8d, 0x5c, 0x60, 0x16, 0xe5, 0x7b, 0xad,
-+ 0xf5, 0x41, 0x8f, 0x55, 0x60, 0xc4, 0x09, 0xee, 0x1e, 0x11, 0x81, 0xab
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_pr_int_returnedbits[] = {
-+ 0x6f, 0xf5, 0x9a, 0xe2, 0x54, 0x53, 0x30, 0x3d, 0x5a, 0x27, 0x29, 0x38,
-+ 0x27, 0xf2, 0x0d, 0x05, 0xe9, 0x26, 0xcb, 0x16, 0xc3, 0x51, 0x5f, 0x13,
-+ 0x41, 0xfe, 0x99, 0xf2
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput2[] = {
-+ 0x73, 0x81, 0x88, 0x84, 0x8f, 0xed, 0x6f, 0x10, 0x9f, 0x93, 0xbf, 0x17,
-+ 0x35, 0x7c, 0xef, 0xd5, 0x8d, 0x26, 0xa6, 0x7a, 0xe8, 0x09, 0x36, 0x4f
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr2[] = {
-+ 0xe6, 0xcf, 0xcf, 0x7e, 0x12, 0xe5, 0x43, 0xd2, 0x38, 0xd8, 0x24, 0x6f,
-+ 0x5a, 0x37, 0x68, 0xbf, 0x4f, 0xa0, 0xff, 0xd5, 0x61, 0x8a, 0x93, 0xe0
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_pr_returnedbits[] = {
-+ 0xaf, 0xf9, 0xd8, 0x19, 0x91, 0x30, 0x82, 0x6f, 0xa9, 0x1e, 0x9d, 0xd7,
-+ 0xf3, 0x50, 0xe0, 0xc7, 0xd5, 0x64, 0x96, 0x7d, 0x4c, 0x4d, 0x78, 0x03,
-+ 0x6d, 0xd8, 0x9e, 0x72
-+};
-+
-+/* HMAC SHA-224 No PR */
-+__fips_constseg static const unsigned char hmac_sha224_entropyinput[] = {
-+ 0x11, 0x82, 0xfd, 0xd9, 0x42, 0xf4, 0xfa, 0xc8, 0xf2, 0x41, 0xe6, 0x54,
-+ 0x01, 0xae, 0x22, 0x6e, 0xc6, 0xaf, 0xaf, 0xd0, 0xa6, 0xb2, 0xe2, 0x6d
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_nonce[] = {
-+ 0xa9, 0x48, 0xd7, 0x92, 0x39, 0x7e, 0x2a, 0xdc, 0x30, 0x1f, 0x0e, 0x2b
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha224_personalizationstring[] = {
-+ 0x11, 0xd5, 0xf4, 0xbd, 0x67, 0x8c, 0x31, 0xcf, 0xa3, 0x3f, 0x1e, 0x6b,
-+ 0xa8, 0x07, 0x02, 0x0b, 0xc8, 0x2e, 0x6c, 0x64, 0x41, 0x5b, 0xc8, 0x37
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_additionalinput[] = {
-+ 0x68, 0x18, 0xc2, 0x06, 0xeb, 0x3e, 0x04, 0x95, 0x44, 0x5e, 0xfb, 0xe6,
-+ 0x41, 0xc1, 0x5c, 0xcc, 0x40, 0x2f, 0xb7, 0xd2, 0x0f, 0xf3, 0x6b, 0xe7
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_int_returnedbits[] = {
-+ 0x7f, 0x45, 0xc7, 0x5d, 0x32, 0xe6, 0x17, 0x60, 0xba, 0xdc, 0xb8, 0x42,
-+ 0x1b, 0x9c, 0xf1, 0xfa, 0x3b, 0x4d, 0x29, 0x54, 0xc6, 0x90, 0xff, 0x5c,
-+ 0xcd, 0xd6, 0xa9, 0xcc
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_entropyinputreseed[] = {
-+ 0xc4, 0x8e, 0x37, 0x95, 0x69, 0x53, 0x28, 0xd7, 0x37, 0xbb, 0x70, 0x95,
-+ 0x1c, 0x07, 0x1d, 0xd9, 0xb7, 0xe6, 0x1b, 0xbb, 0xfe, 0x41, 0xeb, 0xc9
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha224_additionalinputreseed[] = {
-+ 0x53, 0x17, 0xa1, 0x6a, 0xfa, 0x77, 0x47, 0xb0, 0x95, 0x56, 0x9a, 0x20,
-+ 0x57, 0xde, 0x5c, 0x89, 0x9f, 0x7f, 0xe2, 0xde, 0x17, 0x3a, 0x50, 0x23
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_additionalinput2[] = {
-+ 0x3a, 0x32, 0xf9, 0x85, 0x0c, 0xc1, 0xed, 0x76, 0x2d, 0xdf, 0x40, 0xc3,
-+ 0x06, 0x22, 0x66, 0xd4, 0x9a, 0x9a, 0xff, 0x5a, 0x7e, 0x7a, 0xf3, 0x96
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha224_returnedbits[] = {
-+ 0x43, 0xb4, 0x57, 0x5c, 0x38, 0x25, 0x9d, 0xae, 0xec, 0x96, 0xd1, 0x85,
-+ 0x3a, 0x84, 0x8d, 0xfe, 0x68, 0xd5, 0x0e, 0x5c, 0x8f, 0x65, 0xa5, 0x4e,
-+ 0x45, 0x84, 0xa8, 0x94
-+};
-+
-+/* HMAC SHA-256 PR */
-+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinput[] = {
-+ 0x4d, 0xb0, 0x43, 0xd8, 0x34, 0x4b, 0x10, 0x70, 0xb1, 0x8b, 0xed, 0xea,
-+ 0x07, 0x92, 0x9f, 0x6c, 0x79, 0x31, 0xaf, 0x81, 0x29, 0xeb, 0x6e, 0xca,
-+ 0x32, 0x48, 0x28, 0xe7, 0x02, 0x5d, 0xa6, 0xa6
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_pr_nonce[] = {
-+ 0x3a, 0xae, 0x15, 0xa9, 0x99, 0xdc, 0xe4, 0x67, 0x34, 0x3b, 0x70, 0x15,
-+ 0xaa, 0xd3, 0x30, 0x9a
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha256_pr_personalizationstring[] = {
-+ 0x13, 0x1d, 0x24, 0x04, 0xb0, 0x18, 0x81, 0x15, 0x21, 0x51, 0x2a, 0x24,
-+ 0x52, 0x61, 0xbe, 0x64, 0x82, 0x6b, 0x55, 0x2f, 0xe2, 0xf1, 0x40, 0x7d,
-+ 0x71, 0xd8, 0x01, 0x86, 0x15, 0xb7, 0x8b, 0xb5
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput[] = {
-+ 0x8f, 0xa6, 0x54, 0x5f, 0xb1, 0xd0, 0xd8, 0xc3, 0xe7, 0x0c, 0x15, 0xa9,
-+ 0x23, 0x6e, 0xfe, 0xfb, 0x93, 0xf7, 0x3a, 0xbd, 0x59, 0x01, 0xfa, 0x18,
-+ 0x8e, 0xe9, 0x1a, 0xa9, 0x78, 0xfc, 0x79, 0x0b
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr[] = {
-+ 0xcf, 0x24, 0xb9, 0xeb, 0xb3, 0xd4, 0xcd, 0x17, 0x37, 0x38, 0x75, 0x79,
-+ 0x15, 0xcb, 0x2d, 0x75, 0x51, 0xf1, 0xcc, 0xaa, 0x32, 0xa4, 0xa7, 0x36,
-+ 0x7c, 0x5c, 0xe4, 0x47, 0xf1, 0x3e, 0x1d, 0xe5
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_pr_int_returnedbits[] = {
-+ 0x52, 0x42, 0xfa, 0xeb, 0x85, 0xe0, 0x30, 0x22, 0x79, 0x00, 0x16, 0xb2,
-+ 0x88, 0x2f, 0x14, 0x6a, 0xb7, 0xfc, 0xb7, 0x53, 0xdc, 0x4a, 0x12, 0xef,
-+ 0x54, 0xd6, 0x33, 0xe9, 0x20, 0xd6, 0xfd, 0x56
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput2[] = {
-+ 0xf4, 0xf6, 0x49, 0xa1, 0x2d, 0x64, 0x2b, 0x30, 0x58, 0xf8, 0xbd, 0xb8,
-+ 0x75, 0xeb, 0xbb, 0x5e, 0x1c, 0x9b, 0x81, 0x6a, 0xda, 0x14, 0x86, 0x6e,
-+ 0xd0, 0xda, 0x18, 0xb7, 0x88, 0xfb, 0x59, 0xf3
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr2[] = {
-+ 0x21, 0xcd, 0x6e, 0x46, 0xad, 0x99, 0x07, 0x17, 0xb4, 0x3d, 0x76, 0x0a,
-+ 0xff, 0x5b, 0x52, 0x50, 0x78, 0xdf, 0x1f, 0x24, 0x06, 0x0d, 0x3f, 0x74,
-+ 0xa9, 0xc9, 0x37, 0xcf, 0xd8, 0x26, 0x25, 0x91
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_pr_returnedbits[] = {
-+ 0xa7, 0xaf, 0x2f, 0x29, 0xe0, 0x3a, 0x72, 0x95, 0x96, 0x1c, 0xa9, 0xf0,
-+ 0x4a, 0x17, 0x4d, 0x66, 0x06, 0x10, 0xbf, 0x39, 0x89, 0x88, 0xb8, 0x91,
-+ 0x37, 0x18, 0x99, 0xcf, 0x8c, 0x53, 0x3b, 0x7e
-+};
-+
-+/* HMAC SHA-256 No PR */
-+__fips_constseg static const unsigned char hmac_sha256_entropyinput[] = {
-+ 0x96, 0xb7, 0x53, 0x22, 0x1e, 0x52, 0x2a, 0x96, 0xb1, 0x15, 0x3c, 0x35,
-+ 0x5a, 0x8b, 0xd3, 0x4a, 0xa6, 0x6c, 0x83, 0x0a, 0x7d, 0xa3, 0x23, 0x3d,
-+ 0x43, 0xa1, 0x07, 0x2c, 0x2d, 0xe3, 0x81, 0xcc
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_nonce[] = {
-+ 0xf1, 0xac, 0x97, 0xcb, 0x5e, 0x06, 0x48, 0xd2, 0x94, 0xbe, 0x15, 0x2e,
-+ 0xc7, 0xfc, 0xc2, 0x01
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha256_personalizationstring[] = {
-+ 0x98, 0xc5, 0x1e, 0x35, 0x5e, 0x89, 0x0d, 0xce, 0x64, 0x6d, 0x18, 0xa7,
-+ 0x5a, 0xc6, 0xf3, 0xe7, 0xd6, 0x9e, 0xc0, 0xea, 0xb7, 0x3a, 0x8d, 0x65,
-+ 0xb8, 0xeb, 0x10, 0xd7, 0x57, 0x18, 0xa0, 0x32
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_additionalinput[] = {
-+ 0x1b, 0x10, 0xaf, 0xac, 0xd0, 0x65, 0x95, 0xad, 0x04, 0xad, 0x03, 0x1c,
-+ 0xe0, 0x40, 0xd6, 0x3e, 0x1c, 0x46, 0x53, 0x39, 0x7c, 0xe2, 0xbc, 0xda,
-+ 0x8c, 0xa2, 0x33, 0xa7, 0x9a, 0x26, 0xd3, 0x27
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_int_returnedbits[] = {
-+ 0xba, 0x61, 0x0e, 0x55, 0xfe, 0x11, 0x8a, 0x9e, 0x0f, 0x80, 0xdf, 0x1d,
-+ 0x03, 0x0a, 0xfe, 0x15, 0x94, 0x28, 0x4b, 0xba, 0xf4, 0x9f, 0x51, 0x25,
-+ 0x88, 0xe5, 0x4e, 0xfb, 0xaf, 0xce, 0x69, 0x90
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_entropyinputreseed[] = {
-+ 0x62, 0x7f, 0x1e, 0x6b, 0xe8, 0x8e, 0xe1, 0x35, 0x7d, 0x9b, 0x4f, 0xc7,
-+ 0xec, 0xc8, 0xac, 0xef, 0x6b, 0x13, 0x9e, 0x05, 0x56, 0xc1, 0x08, 0xf9,
-+ 0x2f, 0x0f, 0x27, 0x9c, 0xd4, 0x15, 0xed, 0x2d
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha256_additionalinputreseed[] = {
-+ 0xc7, 0x76, 0x6e, 0xa9, 0xd2, 0xb2, 0x76, 0x40, 0x82, 0x25, 0x2c, 0xb3,
-+ 0x6f, 0xac, 0xe9, 0x74, 0xef, 0x8f, 0x3c, 0x8e, 0xcd, 0xf1, 0xbf, 0xb3,
-+ 0x49, 0x77, 0x34, 0x88, 0x52, 0x36, 0xe6, 0x2e
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_additionalinput2[] = {
-+ 0x8d, 0xb8, 0x0c, 0xd1, 0xbf, 0x70, 0xf6, 0x19, 0xc3, 0x41, 0x80, 0x9f,
-+ 0xe1, 0xa5, 0xa4, 0x1f, 0x2c, 0x26, 0xb1, 0xe5, 0xd8, 0xeb, 0xbe, 0xf8,
-+ 0xdf, 0x88, 0x6a, 0x89, 0xd6, 0x05, 0xd8, 0x9d
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha256_returnedbits[] = {
-+ 0x43, 0x12, 0x2a, 0x2c, 0x40, 0x53, 0x2e, 0x7c, 0x66, 0x34, 0xac, 0xc3,
-+ 0x43, 0xe3, 0xe0, 0x6a, 0xfc, 0xfa, 0xea, 0x87, 0x21, 0x1f, 0xe2, 0x26,
-+ 0xc4, 0xf9, 0x09, 0x9a, 0x0d, 0x6e, 0x7f, 0xe0
-+};
-+
-+/* HMAC SHA-384 PR */
-+__fips_constseg static const unsigned char hmac_sha384_pr_entropyinput[] = {
-+ 0x69, 0x81, 0x98, 0x88, 0x44, 0xf5, 0xd6, 0x2e, 0x00, 0x08, 0x3b, 0xc5,
-+ 0xfb, 0xd7, 0x8e, 0x6f, 0x23, 0xf8, 0x6d, 0x09, 0xd6, 0x85, 0x49, 0xd1,
-+ 0xf8, 0x6d, 0xa4, 0x58, 0x54, 0xfd, 0x88, 0xa9
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_pr_nonce[] = {
-+ 0x6e, 0x38, 0x81, 0xca, 0xb7, 0xe8, 0x6e, 0x66, 0x49, 0x8a, 0xb2, 0x59,
-+ 0xee, 0x16, 0xc9, 0xde
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha384_pr_personalizationstring[] = {
-+ 0xfe, 0x4c, 0xd9, 0xf4, 0x78, 0x3b, 0x08, 0x41, 0x8d, 0x8f, 0x55, 0xc4,
-+ 0x43, 0x56, 0xb6, 0x12, 0x36, 0x6b, 0x30, 0xb7, 0x5e, 0xe1, 0xb9, 0x47,
-+ 0x04, 0xb1, 0x4e, 0xa9, 0x00, 0xa1, 0x52, 0xa1
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput[] = {
-+ 0x89, 0xe9, 0xcc, 0x8f, 0x27, 0x3c, 0x26, 0xd1, 0x95, 0xc8, 0x7d, 0x0f,
-+ 0x5b, 0x1a, 0xf0, 0x78, 0x39, 0x56, 0x6f, 0xa4, 0x23, 0xe7, 0xd1, 0xda,
-+ 0x7c, 0x66, 0x33, 0xa0, 0x90, 0xc9, 0x92, 0x88
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr[] = {
-+ 0xbe, 0x3d, 0x7c, 0x0d, 0xca, 0xda, 0x7c, 0x49, 0xb8, 0x12, 0x36, 0xc0,
-+ 0xdb, 0xad, 0x35, 0xa8, 0xc7, 0x0b, 0x2a, 0x2c, 0x69, 0x6d, 0x25, 0x56,
-+ 0x63, 0x82, 0x11, 0x3e, 0xa7, 0x33, 0x70, 0x72
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_pr_int_returnedbits[] = {
-+ 0x82, 0x3d, 0xe6, 0x54, 0x80, 0x42, 0xf8, 0xba, 0x90, 0x4f, 0x06, 0xa6,
-+ 0xd2, 0x7f, 0xbf, 0x79, 0x7c, 0x12, 0x7d, 0xa6, 0xa2, 0x66, 0xe8, 0xa6,
-+ 0xc0, 0xd6, 0x4a, 0x55, 0xbf, 0xd8, 0x0a, 0xc5, 0xf8, 0x03, 0x88, 0xdd,
-+ 0x8e, 0x87, 0xd1, 0x5a, 0x48, 0x26, 0x72, 0x2a, 0x8e, 0xcf, 0xee, 0xba
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput2[] = {
-+ 0x8f, 0xff, 0xd9, 0x84, 0xbb, 0x85, 0x3a, 0x66, 0xa1, 0x21, 0xce, 0xb2,
-+ 0x3a, 0x3a, 0x17, 0x22, 0x19, 0xae, 0xc7, 0xb6, 0x63, 0x81, 0xd5, 0xff,
-+ 0x0d, 0xc8, 0xe1, 0xaf, 0x57, 0xd2, 0xcb, 0x60
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr2[] = {
-+ 0xd7, 0xfb, 0xc9, 0xe8, 0xe2, 0xf2, 0xaa, 0x4c, 0xb8, 0x51, 0x2f, 0xe1,
-+ 0x22, 0xba, 0xf3, 0xda, 0x0a, 0x19, 0x76, 0x71, 0x57, 0xb2, 0x1d, 0x94,
-+ 0x09, 0x69, 0x6c, 0xd3, 0x97, 0x51, 0x81, 0x87
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_pr_returnedbits[] = {
-+ 0xe6, 0x19, 0x28, 0xa8, 0x21, 0xce, 0x5e, 0xdb, 0x24, 0x79, 0x8c, 0x76,
-+ 0x5d, 0x73, 0xb2, 0xdf, 0xac, 0xef, 0x85, 0xa7, 0x3b, 0x19, 0x09, 0x8b,
-+ 0x7f, 0x98, 0x28, 0xa9, 0x93, 0xd8, 0x7a, 0xad, 0x55, 0x8b, 0x24, 0x9d,
-+ 0xe6, 0x98, 0xfe, 0x47, 0xd5, 0x48, 0xc1, 0x23, 0xd8, 0x1d, 0x62, 0x75
-+};
-+
-+/* HMAC SHA-384 No PR */
-+__fips_constseg static const unsigned char hmac_sha384_entropyinput[] = {
-+ 0xc3, 0x56, 0x2b, 0x1d, 0xc2, 0xbb, 0xa8, 0xf0, 0xae, 0x1b, 0x0d, 0xd3,
-+ 0x5a, 0x6c, 0xda, 0x57, 0x8e, 0xa5, 0x8a, 0x0d, 0x6c, 0x4b, 0x18, 0xb1,
-+ 0x04, 0x3e, 0xb4, 0x99, 0x35, 0xc4, 0xc0, 0x5f
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_nonce[] = {
-+ 0xc5, 0x49, 0x1e, 0x66, 0x27, 0x92, 0xbe, 0xec, 0xb5, 0x1e, 0x4b, 0xb1,
-+ 0x38, 0xe3, 0xeb, 0x62
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha384_personalizationstring[] = {
-+ 0xbe, 0xe7, 0x6b, 0x57, 0xde, 0x88, 0x11, 0x96, 0x9b, 0x6e, 0xea, 0xe5,
-+ 0x63, 0x83, 0x4c, 0xb6, 0x8d, 0x66, 0xaa, 0x1f, 0x8b, 0x54, 0xe7, 0x62,
-+ 0x6d, 0x5a, 0xfc, 0xbf, 0x97, 0xba, 0xcd, 0x77
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_additionalinput[] = {
-+ 0xe5, 0x28, 0x5f, 0x43, 0xf5, 0x83, 0x6e, 0x0a, 0x83, 0x5c, 0xe3, 0x81,
-+ 0x03, 0xf2, 0xf8, 0x78, 0x00, 0x7c, 0x95, 0x87, 0x16, 0xd6, 0x6c, 0x58,
-+ 0x33, 0x6c, 0x53, 0x35, 0x0d, 0x66, 0xe3, 0xce
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_int_returnedbits[] = {
-+ 0xe2, 0x1f, 0xf3, 0xda, 0x0d, 0x19, 0x99, 0x87, 0xc4, 0x90, 0xa2, 0x31,
-+ 0xca, 0x2a, 0x89, 0x58, 0x43, 0x44, 0xb8, 0xde, 0xcf, 0xa4, 0xbe, 0x3b,
-+ 0x53, 0x26, 0x22, 0x31, 0x76, 0x41, 0x22, 0xb5, 0xa8, 0x70, 0x2f, 0x4b,
-+ 0x64, 0x95, 0x4d, 0x48, 0x96, 0x35, 0xe6, 0xbd, 0x3c, 0x34, 0xdb, 0x1b
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_entropyinputreseed[] = {
-+ 0x77, 0x61, 0xba, 0xbc, 0xf2, 0xc1, 0xf3, 0x4b, 0x86, 0x65, 0xfd, 0x48,
-+ 0x0e, 0x3c, 0x02, 0x5e, 0xa2, 0x7a, 0x6b, 0x7c, 0xed, 0x21, 0x5e, 0xf9,
-+ 0xcd, 0xcd, 0x77, 0x07, 0x2b, 0xbe, 0xc5, 0x5c
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha384_additionalinputreseed[] = {
-+ 0x18, 0x24, 0x5f, 0xc6, 0x84, 0xd1, 0x67, 0xc3, 0x9a, 0x11, 0xa5, 0x8c,
-+ 0x07, 0x39, 0x21, 0x83, 0x4d, 0x04, 0xc4, 0x6a, 0x28, 0x19, 0xcf, 0x92,
-+ 0x21, 0xd9, 0x9e, 0x41, 0x72, 0x6c, 0x9e, 0x63
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_additionalinput2[] = {
-+ 0x96, 0x67, 0x41, 0x28, 0x9b, 0xb7, 0x92, 0x8d, 0x64, 0x3b, 0xe4, 0xcf,
-+ 0x7e, 0xaa, 0x1e, 0xb1, 0x4b, 0x1d, 0x09, 0x56, 0x67, 0x9c, 0xc6, 0x6d,
-+ 0x3b, 0xe8, 0x91, 0x9d, 0xe1, 0x8a, 0xb7, 0x32
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha384_returnedbits[] = {
-+ 0xe3, 0x59, 0x61, 0x38, 0x92, 0xec, 0xe2, 0x3c, 0xff, 0xb7, 0xdb, 0x19,
-+ 0x0f, 0x5b, 0x93, 0x68, 0x0d, 0xa4, 0x94, 0x40, 0x72, 0x0b, 0xe0, 0xed,
-+ 0x4d, 0xcd, 0x68, 0xa0, 0x1e, 0xfe, 0x67, 0xb2, 0xfa, 0x21, 0x56, 0x74,
-+ 0xa4, 0xad, 0xcf, 0xb7, 0x60, 0x66, 0x2e, 0x40, 0xde, 0x82, 0xca, 0xfb
-+};
-+
-+/* HMAC SHA-512 PR */
-+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinput[] = {
-+ 0xaa, 0x9e, 0x45, 0x67, 0x0e, 0x00, 0x2a, 0x67, 0x98, 0xd6, 0xda, 0x0b,
-+ 0x0f, 0x17, 0x7e, 0xac, 0xfd, 0x27, 0xc4, 0xca, 0x84, 0xdf, 0xde, 0xba,
-+ 0x85, 0xd9, 0xbe, 0x8f, 0xf3, 0xff, 0x91, 0x4d
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_pr_nonce[] = {
-+ 0x8c, 0x49, 0x2f, 0x58, 0x1e, 0x7a, 0xda, 0x4b, 0x7e, 0x8a, 0x30, 0x7b,
-+ 0x86, 0xea, 0xaf, 0xa2
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha512_pr_personalizationstring[] = {
-+ 0x71, 0xe1, 0xbb, 0xad, 0xa7, 0x4b, 0x2e, 0x31, 0x3b, 0x0b, 0xec, 0x24,
-+ 0x99, 0x38, 0xbc, 0xaa, 0x05, 0x4c, 0x46, 0x44, 0xfa, 0xad, 0x8e, 0x02,
-+ 0xc1, 0x7e, 0xad, 0xec, 0x54, 0xa6, 0xd0, 0xad
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput[] = {
-+ 0x3d, 0x6e, 0xa6, 0xa8, 0x29, 0x2a, 0xb2, 0xf5, 0x98, 0x42, 0xe4, 0x92,
-+ 0x78, 0x22, 0x67, 0xfd, 0x1b, 0x15, 0x1e, 0x29, 0xaa, 0x71, 0x3c, 0x3c,
-+ 0xe7, 0x05, 0x20, 0xa9, 0x29, 0xc6, 0x75, 0x71
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr[] = {
-+ 0xab, 0xb9, 0x16, 0xd8, 0x55, 0x35, 0x54, 0xb7, 0x97, 0x3f, 0x94, 0xbc,
-+ 0x2f, 0x7c, 0x70, 0xc7, 0xd0, 0xed, 0xb7, 0x4b, 0xf7, 0xf6, 0x6c, 0x03,
-+ 0x0c, 0xb0, 0x03, 0xd8, 0xbb, 0x71, 0xd9, 0x10
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_pr_int_returnedbits[] = {
-+ 0x8e, 0xd3, 0xfd, 0x52, 0x9e, 0x83, 0x08, 0x49, 0x18, 0x6e, 0x23, 0x56,
-+ 0x5c, 0x45, 0x93, 0x34, 0x05, 0xe2, 0x98, 0x8f, 0x0c, 0xd4, 0x32, 0x0c,
-+ 0xfd, 0xda, 0x5f, 0x92, 0x3a, 0x8c, 0x81, 0xbd, 0xf6, 0x6c, 0x55, 0xfd,
-+ 0xb8, 0x20, 0xce, 0x8d, 0x97, 0x27, 0xe8, 0xe8, 0xe0, 0xb3, 0x85, 0x50,
-+ 0xa2, 0xc2, 0xb2, 0x95, 0x1d, 0x48, 0xd3, 0x7b, 0x4b, 0x78, 0x13, 0x35,
-+ 0x05, 0x17, 0xbe, 0x0d
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput2[] = {
-+ 0xc3, 0xfc, 0x95, 0xaa, 0x69, 0x06, 0xae, 0x59, 0x41, 0xce, 0x26, 0x08,
-+ 0x29, 0x6d, 0x45, 0xda, 0xe8, 0xb3, 0x6c, 0x95, 0x60, 0x0f, 0x70, 0x2c,
-+ 0x10, 0xba, 0x38, 0x8c, 0xcf, 0x29, 0x99, 0xaa
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr2[] = {
-+ 0x3b, 0x9a, 0x25, 0xce, 0xd7, 0xf9, 0x5c, 0xd1, 0x3a, 0x3e, 0xaa, 0x71,
-+ 0x14, 0x3e, 0x19, 0xe8, 0xce, 0xe6, 0xfe, 0x51, 0x84, 0xe9, 0x1b, 0xfe,
-+ 0x3f, 0xa7, 0xf2, 0xfd, 0x76, 0x5f, 0x6a, 0xe7
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_pr_returnedbits[] = {
-+ 0xb7, 0x82, 0xa9, 0x57, 0x81, 0x67, 0x53, 0xb5, 0xa1, 0xe9, 0x3d, 0x35,
-+ 0xf9, 0xe4, 0x97, 0xbe, 0xa6, 0xca, 0xf1, 0x01, 0x13, 0x09, 0xe7, 0x21,
-+ 0xc0, 0xed, 0x93, 0x5d, 0x4b, 0xf4, 0xeb, 0x8d, 0x53, 0x25, 0x8a, 0xc4,
-+ 0xb1, 0x6f, 0x6e, 0x37, 0xcd, 0x2e, 0xac, 0x39, 0xb2, 0xb6, 0x99, 0xa3,
-+ 0x82, 0x00, 0xb0, 0x21, 0xf0, 0xc7, 0x2f, 0x4c, 0x73, 0x92, 0xfd, 0x00,
-+ 0xb6, 0xaf, 0xbc, 0xd3
-+};
-+
-+/* HMAC SHA-512 No PR */
-+__fips_constseg static const unsigned char hmac_sha512_entropyinput[] = {
-+ 0x6e, 0x85, 0xe6, 0x25, 0x96, 0x29, 0xa7, 0x52, 0x5b, 0x60, 0xba, 0xaa,
-+ 0xde, 0xdb, 0x36, 0x0a, 0x51, 0x9a, 0x15, 0xae, 0x6e, 0x18, 0xd3, 0xfe,
-+ 0x39, 0xb9, 0x4a, 0x96, 0xf8, 0x77, 0xcb, 0x95
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_nonce[] = {
-+ 0xe0, 0xa6, 0x5d, 0x08, 0xc3, 0x7c, 0xae, 0x25, 0x2e, 0x80, 0xd1, 0x3e,
-+ 0xd9, 0xaf, 0x43, 0x3c
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha512_personalizationstring[] = {
-+ 0x53, 0x99, 0x52, 0x5f, 0x11, 0xa9, 0x64, 0x66, 0x20, 0x5e, 0x1b, 0x5f,
-+ 0x42, 0xb3, 0xf4, 0xda, 0xed, 0xbb, 0x63, 0xc1, 0x23, 0xaf, 0xd0, 0x01,
-+ 0x90, 0x3b, 0xd0, 0x78, 0xe4, 0x0b, 0xa7, 0x20
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_additionalinput[] = {
-+ 0x85, 0x90, 0x80, 0xd3, 0x98, 0xf1, 0x53, 0x6d, 0x68, 0x15, 0x8f, 0xe5,
-+ 0x60, 0x3f, 0x17, 0x29, 0x55, 0x8d, 0x33, 0xb1, 0x45, 0x64, 0x64, 0x8d,
-+ 0x50, 0x21, 0x89, 0xae, 0xf6, 0xfd, 0x32, 0x73
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_int_returnedbits[] = {
-+ 0x28, 0x56, 0x30, 0x6f, 0xf4, 0xa1, 0x48, 0xe0, 0xc9, 0xf5, 0x75, 0x90,
-+ 0xcc, 0xfb, 0xdf, 0xdf, 0x71, 0x3d, 0x0a, 0x9a, 0x03, 0x65, 0x3b, 0x18,
-+ 0x61, 0xe3, 0xd1, 0xda, 0xcc, 0x4a, 0xfe, 0x55, 0x38, 0xf8, 0x21, 0x6b,
-+ 0xfa, 0x18, 0x01, 0x42, 0x39, 0x2f, 0x99, 0x53, 0x38, 0x15, 0x82, 0x34,
-+ 0xc5, 0x93, 0x92, 0xbc, 0x4d, 0x75, 0x1a, 0x5f, 0x21, 0x27, 0xcc, 0xa1,
-+ 0xb1, 0x57, 0x69, 0xe8
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_entropyinputreseed[] = {
-+ 0x8c, 0x52, 0x7e, 0x77, 0x72, 0x3f, 0xa3, 0x04, 0x97, 0x10, 0x9b, 0x41,
-+ 0xbd, 0xe8, 0xff, 0x89, 0xed, 0x80, 0xe3, 0xbd, 0xaa, 0x12, 0x2d, 0xca,
-+ 0x75, 0x82, 0x36, 0x77, 0x88, 0xcd, 0xa6, 0x73
-+};
-+
-+__fips_constseg
-+ static const unsigned char hmac_sha512_additionalinputreseed[] = {
-+ 0x7e, 0x32, 0xe3, 0x69, 0x69, 0x07, 0x34, 0xa2, 0x16, 0xa2, 0x5d, 0x1a,
-+ 0x10, 0x91, 0xd3, 0xe2, 0x21, 0xa2, 0xa3, 0xdd, 0xcd, 0x0c, 0x09, 0x86,
-+ 0x11, 0xe1, 0x50, 0xff, 0x5c, 0xb7, 0xeb, 0x5c
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_additionalinput2[] = {
-+ 0x7f, 0x78, 0x66, 0xd8, 0xfb, 0x67, 0xcf, 0x8d, 0x8c, 0x08, 0x30, 0xa5,
-+ 0xf8, 0x7d, 0xcf, 0x44, 0x59, 0xce, 0xf8, 0xdf, 0x58, 0xd3, 0x60, 0xcb,
-+ 0xa8, 0x60, 0xb9, 0x07, 0xc4, 0xb1, 0x95, 0x48
-+};
-+
-+__fips_constseg static const unsigned char hmac_sha512_returnedbits[] = {
-+ 0xdf, 0xa7, 0x36, 0xd4, 0xdc, 0x5d, 0x4d, 0x31, 0xad, 0x69, 0x46, 0x9f,
-+ 0xf1, 0x7c, 0xd7, 0x3b, 0x4f, 0x55, 0xf2, 0xd7, 0xb9, 0x9d, 0xad, 0x7a,
-+ 0x79, 0x08, 0x59, 0xa5, 0xdc, 0x74, 0xf5, 0x9b, 0x73, 0xd2, 0x13, 0x25,
-+ 0x0b, 0x81, 0x08, 0x08, 0x25, 0xfb, 0x39, 0xf2, 0xf0, 0xa3, 0xa4, 0x8d,
-+ 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79,
-+ 0xc2, 0xd6, 0xfd, 0xa5
-+};
-diff -up openssl-1.0.2a/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_dsa_selftest.c
---- openssl-1.0.2a/crypto/fips/fips_dsa_selftest.c.fips 2015-04-22 16:08:40.297245773 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_dsa_selftest.c 2015-04-22 16:08:40.297245773 +0200
-@@ -0,0 +1,192 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/crypto.h>
-+#include <openssl/dsa.h>
-+#include <openssl/fips.h>
-+#include <openssl/err.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+static const unsigned char dsa_test_2048_p[] = {
-+ 0xa8, 0x53, 0x78, 0xd8, 0xfd, 0x3f, 0x8d, 0x72, 0xec, 0x74, 0x18, 0x08,
-+ 0x0d, 0xa2, 0x13, 0x17, 0xe4, 0x3e, 0xc4, 0xb6, 0x2b, 0xa8, 0xc8, 0x62,
-+ 0x3b, 0x7e, 0x4d, 0x04, 0x44, 0x1d, 0xd1, 0xa0, 0x65, 0x86, 0x62, 0x59,
-+ 0x64, 0x93, 0xca, 0x8e, 0x9e, 0x8f, 0xbb, 0x7e, 0x34, 0xaa, 0xdd, 0xb6,
-+ 0x2e, 0x5d, 0x67, 0xb6, 0xd0, 0x9a, 0x6e, 0x61, 0xb7, 0x69, 0xe7, 0xc3,
-+ 0x52, 0xaa, 0x2b, 0x10, 0xe2, 0x0c, 0xa0, 0x63, 0x69, 0x63, 0xb5, 0x52,
-+ 0x3e, 0x86, 0x47, 0x0d, 0xec, 0xbb, 0xed, 0xa0, 0x27, 0xe7, 0x97, 0xe7,
-+ 0xb6, 0x76, 0x35, 0xd4, 0xd4, 0x9c, 0x30, 0x70, 0x0e, 0x74, 0xaf, 0x8a,
-+ 0x0f, 0xf1, 0x56, 0xa8, 0x01, 0xaf, 0x57, 0xa2, 0x6e, 0x70, 0x78, 0xf1,
-+ 0xd8, 0x2f, 0x74, 0x90, 0x8e, 0xcb, 0x6d, 0x07, 0xe7, 0x0b, 0x35, 0x03,
-+ 0xee, 0xd9, 0x4f, 0xa3, 0x2c, 0xf1, 0x7a, 0x7f, 0xc3, 0xd6, 0xcf, 0x40,
-+ 0xdc, 0x7b, 0x00, 0x83, 0x0e, 0x6a, 0x25, 0x66, 0xdc, 0x07, 0x3e, 0x34,
-+ 0x33, 0x12, 0x51, 0x7c, 0x6a, 0xa5, 0x15, 0x2b, 0x4b, 0xfe, 0xcd, 0x2e,
-+ 0x55, 0x1f, 0xee, 0x34, 0x63, 0x18, 0xa1, 0x53, 0x42, 0x3c, 0x99, 0x6b,
-+ 0x0d, 0x5d, 0xcb, 0x91, 0x02, 0xae, 0xdd, 0x38, 0x79, 0x86, 0x16, 0xf1,
-+ 0xf1, 0xe0, 0xd6, 0xc4, 0x03, 0x52, 0x5b, 0x1f, 0x9b, 0x3d, 0x4d, 0xc7,
-+ 0x66, 0xde, 0x2d, 0xfc, 0x4a, 0x56, 0xd7, 0xb8, 0xba, 0x59, 0x63, 0xd6,
-+ 0x0f, 0x3e, 0x16, 0x31, 0x88, 0x70, 0xad, 0x43, 0x69, 0x52, 0xe5, 0x57,
-+ 0x65, 0x37, 0x4e, 0xab, 0x85, 0xe8, 0xec, 0x17, 0xd6, 0xb9, 0xa4, 0x54,
-+ 0x7b, 0x9b, 0x5f, 0x27, 0x52, 0xf3, 0x10, 0x5b, 0xe8, 0x09, 0xb2, 0x3a,
-+ 0x2c, 0x8d, 0x74, 0x69, 0xdb, 0x02, 0xe2, 0x4d, 0x59, 0x23, 0x94, 0xa7,
-+ 0xdb, 0xa0, 0x69, 0xe9
-+};
-+
-+static const unsigned char dsa_test_2048_q[] = {
-+ 0xd2, 0x77, 0x04, 0x4e, 0x50, 0xf5, 0xa4, 0xe3, 0xf5, 0x10, 0xa5, 0x0a,
-+ 0x0b, 0x84, 0xfd, 0xff, 0xbc, 0xa0, 0x47, 0xed, 0x27, 0x60, 0x20, 0x56,
-+ 0x74, 0x41, 0xa0, 0xa5
-+};
-+
-+static const unsigned char dsa_test_2048_g[] = {
-+ 0x13, 0xd7, 0x54, 0xe2, 0x1f, 0xd2, 0x41, 0x65, 0x5d, 0xa8, 0x91, 0xc5,
-+ 0x22, 0xa6, 0x5a, 0x72, 0xa8, 0x9b, 0xdc, 0x64, 0xec, 0x9b, 0x54, 0xa8,
-+ 0x21, 0xed, 0x4a, 0x89, 0x8b, 0x49, 0x0e, 0x0c, 0x4f, 0xcb, 0x72, 0x19,
-+ 0x2a, 0x4a, 0x20, 0xf5, 0x41, 0xf3, 0xf2, 0x92, 0x53, 0x99, 0xf0, 0xba,
-+ 0xec, 0xf9, 0x29, 0xaa, 0xfb, 0xf7, 0x9d, 0xfe, 0x43, 0x32, 0x39, 0x3b,
-+ 0x32, 0xcd, 0x2e, 0x2f, 0xcf, 0x27, 0x2f, 0x32, 0xa6, 0x27, 0x43, 0x4a,
-+ 0x0d, 0xf2, 0x42, 0xb7, 0x5b, 0x41, 0x4d, 0xf3, 0x72, 0x12, 0x1e, 0x53,
-+ 0xa5, 0x53, 0xf2, 0x22, 0xf8, 0x36, 0xb0, 0x00, 0xf0, 0x16, 0x48, 0x5b,
-+ 0x6b, 0xd0, 0x89, 0x84, 0x51, 0x80, 0x1d, 0xcd, 0x8d, 0xe6, 0x4c, 0xd5,
-+ 0x36, 0x56, 0x96, 0xff, 0xc5, 0x32, 0xd5, 0x28, 0xc5, 0x06, 0x62, 0x0a,
-+ 0x94, 0x2a, 0x03, 0x05, 0x04, 0x6d, 0x8f, 0x18, 0x76, 0x34, 0x1f, 0x1e,
-+ 0x57, 0x0b, 0xc3, 0x97, 0x4b, 0xa6, 0xb9, 0xa4, 0x38, 0xe9, 0x70, 0x23,
-+ 0x02, 0xa2, 0xe6, 0xe6, 0x7b, 0xfd, 0x06, 0xd3, 0x2b, 0xc6, 0x79, 0x96,
-+ 0x22, 0x71, 0xd7, 0xb4, 0x0c, 0xd7, 0x2f, 0x38, 0x6e, 0x64, 0xe0, 0xd7,
-+ 0xef, 0x86, 0xca, 0x8c, 0xa5, 0xd1, 0x42, 0x28, 0xdc, 0x2a, 0x4f, 0x16,
-+ 0xe3, 0x18, 0x98, 0x86, 0xb5, 0x99, 0x06, 0x74, 0xf4, 0x20, 0x0f, 0x3a,
-+ 0x4c, 0xf6, 0x5a, 0x3f, 0x0d, 0xdb, 0xa1, 0xfa, 0x67, 0x2d, 0xff, 0x2f,
-+ 0x5e, 0x14, 0x3d, 0x10, 0xe4, 0xe9, 0x7a, 0xe8, 0x4f, 0x6d, 0xa0, 0x95,
-+ 0x35, 0xd5, 0xb9, 0xdf, 0x25, 0x91, 0x81, 0xa7, 0x9b, 0x63, 0xb0, 0x69,
-+ 0xe9, 0x49, 0x97, 0x2b, 0x02, 0xba, 0x36, 0xb3, 0x58, 0x6a, 0xab, 0x7e,
-+ 0x45, 0xf3, 0x22, 0xf8, 0x2e, 0x4e, 0x85, 0xca, 0x3a, 0xb8, 0x55, 0x91,
-+ 0xb3, 0xc2, 0xa9, 0x66
-+};
-+
-+static const unsigned char dsa_test_2048_pub_key[] = {
-+ 0x24, 0x52, 0xf3, 0xcc, 0xbe, 0x9e, 0xd5, 0xca, 0x7d, 0xc7, 0x4c, 0x60,
-+ 0x2b, 0x99, 0x22, 0x6e, 0x8f, 0x2f, 0xab, 0x38, 0xe7, 0xd7, 0xdd, 0xfb,
-+ 0x75, 0x53, 0x9b, 0x17, 0x15, 0x5e, 0x9f, 0xcf, 0xd1, 0xab, 0xa5, 0x64,
-+ 0xeb, 0x85, 0x35, 0xd8, 0x12, 0xc9, 0xc2, 0xdc, 0xf9, 0x72, 0x84, 0x44,
-+ 0x1b, 0xc4, 0x82, 0x24, 0x36, 0x24, 0xc7, 0xf4, 0x57, 0x58, 0x0c, 0x1c,
-+ 0x38, 0xa5, 0x7c, 0x46, 0xc4, 0x57, 0x39, 0x24, 0x70, 0xed, 0xb5, 0x2c,
-+ 0xb5, 0xa6, 0xe0, 0x3f, 0xe6, 0x28, 0x7b, 0xb6, 0xf4, 0x9a, 0x42, 0xa2,
-+ 0x06, 0x5a, 0x05, 0x4f, 0x03, 0x08, 0x39, 0xdf, 0x1f, 0xd3, 0x14, 0x9c,
-+ 0x4c, 0xa0, 0x53, 0x1d, 0xd8, 0xca, 0x8a, 0xaa, 0x9c, 0xc7, 0x33, 0x71,
-+ 0x93, 0x38, 0x73, 0x48, 0x33, 0x61, 0x18, 0x22, 0x45, 0x45, 0xe8, 0x8c,
-+ 0x80, 0xff, 0xd8, 0x76, 0x5d, 0x74, 0x36, 0x03, 0x33, 0xcc, 0xab, 0x99,
-+ 0x72, 0x77, 0x9b, 0x65, 0x25, 0xa6, 0x5b, 0xdd, 0x0d, 0x10, 0xc6, 0x75,
-+ 0xc1, 0x09, 0xbb, 0xd3, 0xe5, 0xbe, 0x4d, 0x72, 0xef, 0x6e, 0xba, 0x6e,
-+ 0x43, 0x8d, 0x52, 0x26, 0x23, 0x7d, 0xb8, 0x88, 0x37, 0x9c, 0x5f, 0xcc,
-+ 0x47, 0xa3, 0x84, 0x7f, 0xf6, 0x37, 0x11, 0xba, 0xed, 0x6d, 0x03, 0xaf,
-+ 0xe8, 0x1e, 0x69, 0x4a, 0x41, 0x3b, 0x68, 0x0b, 0xd3, 0x8a, 0xb4, 0x90,
-+ 0x3f, 0x83, 0x70, 0xa7, 0x07, 0xef, 0x55, 0x1d, 0x49, 0x41, 0x02, 0x6d,
-+ 0x95, 0x79, 0xd6, 0x91, 0xde, 0x8e, 0xda, 0xa1, 0x61, 0x05, 0xeb, 0x9d,
-+ 0xba, 0x3c, 0x2f, 0x4c, 0x1b, 0xec, 0x50, 0x82, 0x75, 0xaa, 0x02, 0x07,
-+ 0xe2, 0x51, 0xb5, 0xec, 0xcb, 0x28, 0x6a, 0x4b, 0x01, 0xd4, 0x49, 0xd3,
-+ 0x0a, 0xcb, 0x67, 0x37, 0x17, 0xa0, 0xd2, 0xfb, 0x3b, 0x50, 0xc8, 0x93,
-+ 0xf7, 0xda, 0xb1, 0x4f
-+};
-+
-+static const unsigned char dsa_test_2048_priv_key[] = {
-+ 0x0c, 0x4b, 0x30, 0x89, 0xd1, 0xb8, 0x62, 0xcb, 0x3c, 0x43, 0x64, 0x91,
-+ 0xf0, 0x91, 0x54, 0x70, 0xc5, 0x27, 0x96, 0xe3, 0xac, 0xbe, 0xe8, 0x00,
-+ 0xec, 0x55, 0xf6, 0xcc
-+};
-+
-+static int corrupt_dsa;
-+
-+void FIPS_corrupt_dsa()
-+{
-+ corrupt_dsa = 1;
-+}
-+
-+int FIPS_selftest_dsa()
-+{
-+ DSA *dsa = NULL;
-+ EVP_PKEY *pk = NULL;
-+ int ret = 0;
-+
-+ dsa = DSA_new();
-+
-+ if (dsa == NULL)
-+ goto err;
-+
-+ fips_load_key_component(dsa, p, dsa_test_2048);
-+ fips_load_key_component(dsa, q, dsa_test_2048);
-+ fips_load_key_component(dsa, g, dsa_test_2048);
-+ fips_load_key_component(dsa, pub_key, dsa_test_2048);
-+ fips_load_key_component(dsa, priv_key, dsa_test_2048);
-+
-+ if (corrupt_dsa)
-+ BN_set_bit(dsa->pub_key, 2047);
-+
-+ if ((pk = EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_assign_DSA(pk, dsa);
-+
-+ if (!fips_pkey_signature_test(pk, NULL, 0,
-+ NULL, 0, EVP_sha256(), 0, "DSA SHA256"))
-+ goto err;
-+ ret = 1;
-+
-+ err:
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+ else if (dsa)
-+ DSA_free(dsa);
-+ return ret;
-+}
-+#endif
-diff -up openssl-1.0.2a/crypto/fips/fips_enc.c.fips openssl-1.0.2a/crypto/fips/fips_enc.c
---- openssl-1.0.2a/crypto/fips/fips_enc.c.fips 2015-04-22 16:08:40.297245773 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_enc.c 2015-04-22 16:08:40.297245773 +0200
-@@ -0,0 +1,189 @@
-+/* fipe/evp/fips_enc.c */
-+/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay at cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ *
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to. The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
-+ *
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * "This product includes cryptographic software written by
-+ * Eric Young (eay at cryptsoft.com)"
-+ * The word 'cryptographic' can be left out if the rouines from the library
-+ * being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from
-+ * the apps directory (application code) you must include an acknowledgement:
-+ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed. i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+
-+#include <stdio.h>
-+#include <string.h>
-+#include <openssl/evp.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+
-+const EVP_CIPHER *FIPS_get_cipherbynid(int nid)
-+{
-+ switch (nid) {
-+ case NID_aes_128_cbc:
-+ return EVP_aes_128_cbc();
-+
-+ case NID_aes_128_ccm:
-+ return EVP_aes_128_ccm();
-+
-+ case NID_aes_128_cfb1:
-+ return EVP_aes_128_cfb1();
-+
-+ case NID_aes_128_cfb128:
-+ return EVP_aes_128_cfb128();
-+
-+ case NID_aes_128_cfb8:
-+ return EVP_aes_128_cfb8();
-+
-+ case NID_aes_128_ctr:
-+ return EVP_aes_128_ctr();
-+
-+ case NID_aes_128_ecb:
-+ return EVP_aes_128_ecb();
-+
-+ case NID_aes_128_gcm:
-+ return EVP_aes_128_gcm();
-+
-+ case NID_aes_128_ofb128:
-+ return EVP_aes_128_ofb();
-+
-+ case NID_aes_128_xts:
-+ return EVP_aes_128_xts();
-+
-+ case NID_aes_192_cbc:
-+ return EVP_aes_192_cbc();
-+
-+ case NID_aes_192_ccm:
-+ return EVP_aes_192_ccm();
-+
-+ case NID_aes_192_cfb1:
-+ return EVP_aes_192_cfb1();
-+
-+ case NID_aes_192_cfb128:
-+ return EVP_aes_192_cfb128();
-+
-+ case NID_aes_192_cfb8:
-+ return EVP_aes_192_cfb8();
-+
-+ case NID_aes_192_ctr:
-+ return EVP_aes_192_ctr();
-+
-+ case NID_aes_192_ecb:
-+ return EVP_aes_192_ecb();
-+
-+ case NID_aes_192_gcm:
-+ return EVP_aes_192_gcm();
-+
-+ case NID_aes_192_ofb128:
-+ return EVP_aes_192_ofb();
-+
-+ case NID_aes_256_cbc:
-+ return EVP_aes_256_cbc();
-+
-+ case NID_aes_256_ccm:
-+ return EVP_aes_256_ccm();
-+
-+ case NID_aes_256_cfb1:
-+ return EVP_aes_256_cfb1();
-+
-+ case NID_aes_256_cfb128:
-+ return EVP_aes_256_cfb128();
-+
-+ case NID_aes_256_cfb8:
-+ return EVP_aes_256_cfb8();
-+
-+ case NID_aes_256_ctr:
-+ return EVP_aes_256_ctr();
-+
-+ case NID_aes_256_ecb:
-+ return EVP_aes_256_ecb();
-+
-+ case NID_aes_256_gcm:
-+ return EVP_aes_256_gcm();
-+
-+ case NID_aes_256_ofb128:
-+ return EVP_aes_256_ofb();
-+
-+ case NID_aes_256_xts:
-+ return EVP_aes_256_xts();
-+
-+ case NID_des_ede_ecb:
-+ return EVP_des_ede();
-+
-+ case NID_des_ede3_ecb:
-+ return EVP_des_ede3();
-+
-+ case NID_des_ede3_cbc:
-+ return EVP_des_ede3_cbc();
-+
-+ case NID_des_ede3_cfb1:
-+ return EVP_des_ede3_cfb1();
-+
-+ case NID_des_ede3_cfb64:
-+ return EVP_des_ede3_cfb64();
-+
-+ case NID_des_ede3_cfb8:
-+ return EVP_des_ede3_cfb8();
-+
-+ case NID_des_ede3_ofb64:
-+ return EVP_des_ede3_ofb();
-+
-+ case NID_des_ede_cbc:
-+ return EVP_des_ede_cbc();
-+
-+ case NID_des_ede_cfb64:
-+ return EVP_des_ede_cfb64();
-+
-+ case NID_des_ede_ofb64:
-+ return EVP_des_ede_ofb();
-+
-+ default:
-+ return NULL;
-+
-+ }
-+}
-diff -up openssl-1.0.2a/crypto/fips/fips.h.fips openssl-1.0.2a/crypto/fips/fips.h
---- openssl-1.0.2a/crypto/fips/fips.h.fips 2015-04-22 16:08:40.297245773 +0200
-+++ openssl-1.0.2a/crypto/fips/fips.h 2015-04-22 16:08:40.297245773 +0200
-@@ -0,0 +1,278 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <openssl/opensslconf.h>
-+#include <openssl/crypto.h>
-+#include <stdarg.h>
-+
-+#ifndef OPENSSL_FIPS
-+# error FIPS is disabled.
-+#endif
-+
-+#ifdef OPENSSL_FIPS
-+
-+# ifdef __cplusplus
-+extern "C" {
-+# endif
-+
-+ struct dsa_st;
-+ struct rsa_st;
-+ struct evp_pkey_st;
-+ struct env_md_st;
-+ struct env_md_ctx_st;
-+ struct evp_cipher_st;
-+ struct evp_cipher_ctx_st;
-+ struct dh_method;
-+ struct CMAC_CTX_st;
-+ struct hmac_ctx_st;
-+
-+ int FIPS_module_mode_set(int onoff, const char *auth);
-+ int FIPS_module_mode(void);
-+ const void *FIPS_rand_check(void);
-+ int FIPS_selftest(void);
-+ int FIPS_selftest_failed(void);
-+ void FIPS_corrupt_sha1(void);
-+ int FIPS_selftest_sha1(void);
-+ int FIPS_selftest_sha2(void);
-+ void FIPS_corrupt_aes(void);
-+ int FIPS_selftest_aes_ccm(void);
-+ int FIPS_selftest_aes_gcm(void);
-+ int FIPS_selftest_aes_xts(void);
-+ int FIPS_selftest_aes(void);
-+ void FIPS_corrupt_des(void);
-+ int FIPS_selftest_des(void);
-+ void FIPS_corrupt_rsa(void);
-+ void FIPS_corrupt_rsa_keygen(void);
-+ int FIPS_selftest_rsa(void);
-+ void FIPS_corrupt_dsa(void);
-+ void FIPS_corrupt_dsa_keygen(void);
-+ int FIPS_selftest_dsa(void);
-+ void FIPS_corrupt_rng(void);
-+ void FIPS_rng_stick(void);
-+ void FIPS_x931_stick(int onoff);
-+ void FIPS_drbg_stick(int onoff);
-+ int FIPS_selftest_rng(void);
-+ int FIPS_selftest_x931(void);
-+ int FIPS_selftest_hmac(void);
-+ int FIPS_selftest_drbg(void);
-+ int FIPS_selftest_drbg_all(void);
-+ int FIPS_selftest_cmac(void);
-+
-+ void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
-+
-+# define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \
-+ alg " previous FIPS forbidden algorithm error ignored");
-+
-+ int fips_pkey_signature_test(struct evp_pkey_st *pkey,
-+ const unsigned char *tbs, int tbslen,
-+ const unsigned char *kat,
-+ unsigned int katlen,
-+ const struct env_md_st *digest,
-+ unsigned int md_flags, const char *fail_str);
-+
-+ int fips_cipher_test(struct evp_cipher_ctx_st *ctx,
-+ const struct evp_cipher_st *cipher,
-+ const unsigned char *key,
-+ const unsigned char *iv,
-+ const unsigned char *plaintext,
-+ const unsigned char *ciphertext, int len);
-+
-+ void fips_set_selftest_fail(void);
-+
-+ const struct env_md_st *FIPS_get_digestbynid(int nid);
-+
-+ const struct evp_cipher_st *FIPS_get_cipherbynid(int nid);
-+
-+/* BEGIN ERROR CODES */
-+/* The following lines are auto generated by the script mkerr.pl. Any changes
-+ * made after this point may be overwritten when the script is next run.
-+ */
-+ void ERR_load_FIPS_strings(void);
-+
-+/* Error codes for the FIPS functions. */
-+
-+/* Function codes. */
-+# define FIPS_F_DH_BUILTIN_GENPARAMS 100
-+# define FIPS_F_DH_INIT 148
-+# define FIPS_F_DRBG_RESEED 162
-+# define FIPS_F_DSA_BUILTIN_PARAMGEN 101
-+# define FIPS_F_DSA_BUILTIN_PARAMGEN2 107
-+# define FIPS_F_DSA_DO_SIGN 102
-+# define FIPS_F_DSA_DO_VERIFY 103
-+# define FIPS_F_ECDH_COMPUTE_KEY 163
-+# define FIPS_F_ECDSA_DO_SIGN 164
-+# define FIPS_F_ECDSA_DO_VERIFY 165
-+# define FIPS_F_EC_KEY_GENERATE_KEY 166
-+# define FIPS_F_EVP_CIPHERINIT_EX 124
-+# define FIPS_F_EVP_DIGESTINIT_EX 125
-+# define FIPS_F_FIPS_CHECK_DSA 104
-+# define FIPS_F_FIPS_CHECK_DSA_PRNG 151
-+# define FIPS_F_FIPS_CHECK_EC 142
-+# define FIPS_F_FIPS_CHECK_EC_PRNG 152
-+# define FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT 105
-+# define FIPS_F_FIPS_CHECK_RSA 106
-+# define FIPS_F_FIPS_CHECK_RSA_PRNG 150
-+# define FIPS_F_FIPS_CIPHER 160
-+# define FIPS_F_FIPS_CIPHERINIT 143
-+# define FIPS_F_FIPS_CIPHER_CTX_CTRL 161
-+# define FIPS_F_FIPS_DIGESTFINAL 158
-+# define FIPS_F_FIPS_DIGESTINIT 128
-+# define FIPS_F_FIPS_DIGESTUPDATE 159
-+# define FIPS_F_FIPS_DRBG_BYTES 131
-+# define FIPS_F_FIPS_DRBG_CHECK 146
-+# define FIPS_F_FIPS_DRBG_CPRNG_TEST 132
-+# define FIPS_F_FIPS_DRBG_ERROR_CHECK 136
-+# define FIPS_F_FIPS_DRBG_GENERATE 134
-+# define FIPS_F_FIPS_DRBG_INIT 135
-+# define FIPS_F_FIPS_DRBG_INSTANTIATE 138
-+# define FIPS_F_FIPS_DRBG_NEW 139
-+# define FIPS_F_FIPS_DRBG_RESEED 140
-+# define FIPS_F_FIPS_DRBG_SINGLE_KAT 141
-+# define FIPS_F_FIPS_DSA_CHECK /* unused */ 107
-+# define FIPS_F_FIPS_DSA_SIGN_DIGEST 154
-+# define FIPS_F_FIPS_DSA_VERIFY_DIGEST 155
-+# define FIPS_F_FIPS_GET_ENTROPY 147
-+# define FIPS_F_FIPS_MODE_SET /* unused */ 108
-+# define FIPS_F_FIPS_MODULE_MODE_SET 108
-+# define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109
-+# define FIPS_F_FIPS_RAND_ADD 137
-+# define FIPS_F_FIPS_RAND_BYTES 122
-+# define FIPS_F_FIPS_RAND_PSEUDO_BYTES 167
-+# define FIPS_F_FIPS_RAND_SEED 168
-+# define FIPS_F_FIPS_RAND_SET_METHOD 126
-+# define FIPS_F_FIPS_RAND_STATUS 127
-+# define FIPS_F_FIPS_RSA_SIGN_DIGEST 156
-+# define FIPS_F_FIPS_RSA_VERIFY_DIGEST 157
-+# define FIPS_F_FIPS_SELFTEST_AES 110
-+# define FIPS_F_FIPS_SELFTEST_AES_CCM 145
-+# define FIPS_F_FIPS_SELFTEST_AES_GCM 129
-+# define FIPS_F_FIPS_SELFTEST_AES_XTS 144
-+# define FIPS_F_FIPS_SELFTEST_CMAC 130
-+# define FIPS_F_FIPS_SELFTEST_DES 111
-+# define FIPS_F_FIPS_SELFTEST_DSA 112
-+# define FIPS_F_FIPS_SELFTEST_ECDSA 133
-+# define FIPS_F_FIPS_SELFTEST_HMAC 113
-+# define FIPS_F_FIPS_SELFTEST_RNG /* unused */ 114
-+# define FIPS_F_FIPS_SELFTEST_SHA1 115
-+# define FIPS_F_FIPS_SELFTEST_X931 114
-+# define FIPS_F_FIPS_SET_PRNG_KEY 153
-+# define FIPS_F_HASH_FINAL 123
-+# define FIPS_F_RSA_BUILTIN_KEYGEN 116
-+# define FIPS_F_RSA_EAY_INIT 149
-+# define FIPS_F_RSA_EAY_PRIVATE_DECRYPT 117
-+# define FIPS_F_RSA_EAY_PRIVATE_ENCRYPT 118
-+# define FIPS_F_RSA_EAY_PUBLIC_DECRYPT 119
-+# define FIPS_F_RSA_EAY_PUBLIC_ENCRYPT 120
-+# define FIPS_F_RSA_X931_GENERATE_KEY_EX 121
-+# define FIPS_F_SSLEAY_RAND_BYTES /* unused */ 122
-+
-+/* Reason codes. */
-+# define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 150
-+# define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 125
-+# define FIPS_R_ALREADY_INSTANTIATED 134
-+# define FIPS_R_AUTHENTICATION_FAILURE 151
-+# define FIPS_R_CANNOT_READ_EXE /* unused */ 103
-+# define FIPS_R_CANNOT_READ_EXE_DIGEST /* unused */ 104
-+# define FIPS_R_CONTRADICTING_EVIDENCE 114
-+# define FIPS_R_DRBG_NOT_INITIALISED 152
-+# define FIPS_R_DRBG_STUCK 103
-+# define FIPS_R_ENTROPY_ERROR_UNDETECTED 104
-+# define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105
-+# define FIPS_R_ENTROPY_SOURCE_STUCK 142
-+# define FIPS_R_ERROR_INITIALISING_DRBG 115
-+# define FIPS_R_ERROR_INSTANTIATING_DRBG 127
-+# define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 124
-+# define FIPS_R_ERROR_RETRIEVING_ENTROPY 122
-+# define FIPS_R_ERROR_RETRIEVING_NONCE 140
-+# define FIPS_R_EXE_DIGEST_DOES_NOT_MATCH /* unused */ 105
-+# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 110
-+# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED 111
-+# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING 112
-+# define FIPS_R_FIPS_MODE_ALREADY_SET 102
-+# define FIPS_R_FIPS_SELFTEST_FAILED 106
-+# define FIPS_R_FUNCTION_ERROR 116
-+# define FIPS_R_GENERATE_ERROR 137
-+# define FIPS_R_GENERATE_ERROR_UNDETECTED 118
-+# define FIPS_R_INSTANTIATE_ERROR 119
-+# define FIPS_R_INSUFFICIENT_SECURITY_STRENGTH 120
-+# define FIPS_R_INTERNAL_ERROR 121
-+# define FIPS_R_INVALID_KEY_LENGTH 109
-+# define FIPS_R_INVALID_PARAMETERS 144
-+# define FIPS_R_IN_ERROR_STATE 123
-+# define FIPS_R_KEY_TOO_SHORT 108
-+# define FIPS_R_NONCE_ERROR_UNDETECTED 149
-+# define FIPS_R_NON_FIPS_METHOD 100
-+# define FIPS_R_NOPR_TEST1_FAILURE 145
-+# define FIPS_R_NOPR_TEST2_FAILURE 146
-+# define FIPS_R_NOT_INSTANTIATED 126
-+# define FIPS_R_PAIRWISE_TEST_FAILED 107
-+# define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128
-+# define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129
-+# define FIPS_R_PRNG_STRENGTH_TOO_LOW 143
-+# define FIPS_R_PR_TEST1_FAILURE 147
-+# define FIPS_R_PR_TEST2_FAILURE 148
-+# define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 130
-+# define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 131
-+# define FIPS_R_RESEED_COUNTER_ERROR 132
-+# define FIPS_R_RESEED_ERROR 133
-+# define FIPS_R_RSA_DECRYPT_ERROR /* unused */ 115
-+# define FIPS_R_RSA_ENCRYPT_ERROR /* unused */ 116
-+# define FIPS_R_SELFTEST_FAILED 101
-+# define FIPS_R_SELFTEST_FAILURE 135
-+# define FIPS_R_STRENGTH_ERROR_UNDETECTED 136
-+# define FIPS_R_TEST_FAILURE 117
-+# define FIPS_R_UNINSTANTIATE_ERROR 141
-+# define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 138
-+# define FIPS_R_UNSUPPORTED_DRBG_TYPE 139
-+# define FIPS_R_UNSUPPORTED_PLATFORM 113
-+
-+# ifdef __cplusplus
-+}
-+# endif
-+#endif
-diff -up openssl-1.0.2a/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_hmac_selftest.c
---- openssl-1.0.2a/crypto/fips/fips_hmac_selftest.c.fips 2015-04-22 16:08:40.297245773 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_hmac_selftest.c 2015-04-22 16:08:40.297245773 +0200
-@@ -0,0 +1,134 @@
-+/* ====================================================================
-+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-+#include <openssl/hmac.h>
-+
-+#ifdef OPENSSL_FIPS
-+typedef struct {
-+ const EVP_MD *(*alg) (void);
-+ const char *key, *iv;
-+ unsigned char kaval[EVP_MAX_MD_SIZE];
-+} HMAC_KAT;
-+
-+static const HMAC_KAT vector[] = {
-+ {EVP_sha1,
-+ /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ {0x09, 0x22, 0xd3, 0x40, 0x5f, 0xaa, 0x3d, 0x19,
-+ 0x4f, 0x82, 0xa4, 0x58, 0x30, 0x73, 0x7d, 0x5c,
-+ 0xc6, 0xc7, 0x5d, 0x24}
-+ },
-+ {EVP_sha224,
-+ /* just keep extending the above... */
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ {0xdd, 0xef, 0x0a, 0x40, 0xcb, 0x7d, 0x50, 0xfb,
-+ 0x6e, 0xe6, 0xce, 0xa1, 0x20, 0xba, 0x26, 0xaa,
-+ 0x08, 0xf3, 0x07, 0x75, 0x87, 0xb8, 0xad, 0x1b,
-+ 0x8c, 0x8d, 0x12, 0xc7}
-+ },
-+ {EVP_sha256,
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ {0xb8, 0xf2, 0x0d, 0xb5, 0x41, 0xea, 0x43, 0x09,
-+ 0xca, 0x4e, 0xa9, 0x38, 0x0c, 0xd0, 0xe8, 0x34,
-+ 0xf7, 0x1f, 0xbe, 0x91, 0x74, 0xa2, 0x61, 0x38,
-+ 0x0d, 0xc1, 0x7e, 0xae, 0x6a, 0x34, 0x51, 0xd9}
-+ },
-+ {EVP_sha384,
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ {0x08, 0xbc, 0xb0, 0xda, 0x49, 0x1e, 0x87, 0xad,
-+ 0x9a, 0x1d, 0x6a, 0xce, 0x23, 0xc5, 0x0b, 0xf6,
-+ 0xb7, 0x18, 0x06, 0xa5, 0x77, 0xcd, 0x49, 0x04,
-+ 0x89, 0xf1, 0xe6, 0x23, 0x44, 0x51, 0x51, 0x9f,
-+ 0x85, 0x56, 0x80, 0x79, 0x0c, 0xbd, 0x4d, 0x50,
-+ 0xa4, 0x5f, 0x29, 0xe3, 0x93, 0xf0, 0xe8, 0x7f}
-+ },
-+ {EVP_sha512,
-+ "0123456789:;<=>?@ABC",
-+ "Sample #2",
-+ {0x80, 0x9d, 0x44, 0x05, 0x7c, 0x5b, 0x95, 0x41,
-+ 0x05, 0xbd, 0x04, 0x13, 0x16, 0xdb, 0x0f, 0xac,
-+ 0x44, 0xd5, 0xa4, 0xd5, 0xd0, 0x89, 0x2b, 0xd0,
-+ 0x4e, 0x86, 0x64, 0x12, 0xc0, 0x90, 0x77, 0x68,
-+ 0xf1, 0x87, 0xb7, 0x7c, 0x4f, 0xae, 0x2c, 0x2f,
-+ 0x21, 0xa5, 0xb5, 0x65, 0x9a, 0x4f, 0x4b, 0xa7,
-+ 0x47, 0x02, 0xa3, 0xde, 0x9b, 0x51, 0xf1, 0x45,
-+ 0xbd, 0x4f, 0x25, 0x27, 0x42, 0x98, 0x99, 0x05}
-+ },
-+};
-+
-+int FIPS_selftest_hmac()
-+{
-+ int n;
-+ unsigned int outlen;
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ const EVP_MD *md;
-+ const HMAC_KAT *t;
-+
-+ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) {
-+ md = (*t->alg) ();
-+ HMAC(md, t->key, strlen(t->key),
-+ (const unsigned char *)t->iv, strlen(t->iv), out, &outlen);
-+
-+ if (memcmp(out, t->kaval, outlen)) {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+ }
-+ return 1;
-+}
-+#endif
-diff -up openssl-1.0.2a/crypto/fips/fips_locl.h.fips openssl-1.0.2a/crypto/fips/fips_locl.h
---- openssl-1.0.2a/crypto/fips/fips_locl.h.fips 2015-04-22 16:08:40.297245773 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_locl.h 2015-04-22 16:08:40.297245773 +0200
-@@ -0,0 +1,71 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#ifdef OPENSSL_FIPS
-+
-+# ifdef __cplusplus
-+extern "C" {
-+# endif
-+
-+# define FIPS_MAX_CIPHER_TEST_SIZE 32
-+# define fips_load_key_component(key, comp, pre) \
-+ key->comp = BN_bin2bn(pre##_##comp, sizeof(pre##_##comp), key->comp); \
-+ if (!key->comp) \
-+ goto err
-+
-+# define fips_post_started(id, subid, ex) 1
-+# define fips_post_success(id, subid, ex) 1
-+# define fips_post_failed(id, subid, ex) 1
-+# define fips_post_corrupt(id, subid, ex) 1
-+# define fips_post_status() 1
-+
-+# ifdef __cplusplus
-+}
-+# endif
-+#endif
-diff -up openssl-1.0.2a/crypto/fips/fips_md.c.fips openssl-1.0.2a/crypto/fips/fips_md.c
---- openssl-1.0.2a/crypto/fips/fips_md.c.fips 2015-04-22 16:08:40.298245796 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_md.c 2015-04-22 16:08:40.298245796 +0200
-@@ -0,0 +1,144 @@
-+/* fips/evp/fips_md.c */
-+/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay at cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ *
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to. The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
-+ *
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * "This product includes cryptographic software written by
-+ * Eric Young (eay at cryptsoft.com)"
-+ * The word 'cryptographic' can be left out if the rouines from the library
-+ * being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from
-+ * the apps directory (application code) you must include an acknowledgement:
-+ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed. i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+/* ====================================================================
-+ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay at cryptsoft.com). This product includes software written by Tim
-+ * Hudson (tjh at cryptsoft.com).
-+ *
-+ */
-+
-+/* Minimal standalone FIPS versions of Digest operations */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include <stdio.h>
-+#include <string.h>
-+#include <openssl/objects.h>
-+#include <openssl/evp.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+
-+const EVP_MD *FIPS_get_digestbynid(int nid)
-+{
-+ switch (nid) {
-+ case NID_sha1:
-+ return EVP_sha1();
-+
-+ case NID_sha224:
-+ return EVP_sha224();
-+
-+ case NID_sha256:
-+ return EVP_sha256();
-+
-+ case NID_sha384:
-+ return EVP_sha384();
-+
-+ case NID_sha512:
-+ return EVP_sha512();
-+
-+ default:
-+ return NULL;
-+ }
-+}
-diff -up openssl-1.0.2a/crypto/fips/fips_post.c.fips openssl-1.0.2a/crypto/fips/fips_post.c
---- openssl-1.0.2a/crypto/fips/fips_post.c.fips 2015-04-22 16:08:40.298245796 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_post.c 2015-04-22 16:08:40.298245796 +0200
-@@ -0,0 +1,201 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include <openssl/crypto.h>
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include <openssl/err.h>
-+#include <openssl/bio.h>
-+#include <openssl/hmac.h>
-+#include <openssl/rsa.h>
-+#include <openssl/dsa.h>
-+#include <string.h>
-+#include <limits.h>
-+
-+#ifdef OPENSSL_FIPS
-+
-+/* Power on self test (POST) support functions */
-+
-+# include <openssl/fips.h>
-+# include "fips_locl.h"
-+
-+/* Run all selftests */
-+int FIPS_selftest(void)
-+{
-+ int rv = 1;
-+ if (!FIPS_selftest_drbg())
-+ rv = 0;
-+ if (!FIPS_selftest_x931())
-+ rv = 0;
-+ if (!FIPS_selftest_sha1())
-+ rv = 0;
-+ if (!FIPS_selftest_sha2())
-+ rv = 0;
-+ if (!FIPS_selftest_hmac())
-+ rv = 0;
-+ if (!FIPS_selftest_cmac())
-+ rv = 0;
-+ if (!FIPS_selftest_aes())
-+ rv = 0;
-+ if (!FIPS_selftest_aes_ccm())
-+ rv = 0;
-+ if (!FIPS_selftest_aes_gcm())
-+ rv = 0;
-+ if (!FIPS_selftest_aes_xts())
-+ rv = 0;
-+ if (!FIPS_selftest_des())
-+ rv = 0;
-+ if (!FIPS_selftest_rsa())
-+ rv = 0;
-+ if (!FIPS_selftest_dsa())
-+ rv = 0;
-+ return rv;
-+}
-+
-+/* Generalized public key test routine. Signs and verifies the data
-+ * supplied in tbs using mesage digest md and setting option digest
-+ * flags md_flags. If the 'kat' parameter is not NULL it will
-+ * additionally check the signature matches it: a known answer test
-+ * The string "fail_str" is used for identification purposes in case
-+ * of failure. If "pkey" is NULL just perform a message digest check.
-+ */
-+
-+int fips_pkey_signature_test(EVP_PKEY *pkey,
-+ const unsigned char *tbs, int tbslen,
-+ const unsigned char *kat, unsigned int katlen,
-+ const EVP_MD *digest, unsigned int md_flags,
-+ const char *fail_str)
-+{
-+ int ret = 0;
-+ unsigned char sigtmp[256], *sig = sigtmp;
-+ unsigned int siglen;
-+ EVP_MD_CTX mctx;
-+ EVP_MD_CTX_init(&mctx);
-+
-+ if (digest == NULL)
-+ digest = EVP_sha256();
-+
-+ if ((pkey->type == EVP_PKEY_RSA)
-+ && (RSA_size(pkey->pkey.rsa) > sizeof(sigtmp))) {
-+ sig = OPENSSL_malloc(RSA_size(pkey->pkey.rsa));
-+ if (!sig) {
-+ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, ERR_R_MALLOC_FAILURE);
-+ return 0;
-+ }
-+ }
-+
-+ if (tbslen == -1)
-+ tbslen = strlen((char *)tbs);
-+
-+ if (md_flags)
-+ EVP_MD_CTX_set_flags(&mctx, md_flags);
-+
-+ if (!EVP_SignInit_ex(&mctx, digest, NULL))
-+ goto error;
-+ if (!EVP_SignUpdate(&mctx, tbs, tbslen))
-+ goto error;
-+ if (!EVP_SignFinal(&mctx, sig, &siglen, pkey))
-+ goto error;
-+
-+ if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen)))
-+ goto error;
-+
-+ if (!EVP_VerifyInit_ex(&mctx, digest, NULL))
-+ goto error;
-+ if (!EVP_VerifyUpdate(&mctx, tbs, tbslen))
-+ goto error;
-+ ret = EVP_VerifyFinal(&mctx, sig, siglen, pkey);
-+
-+ error:
-+ if (sig != sigtmp)
-+ OPENSSL_free(sig);
-+ EVP_MD_CTX_cleanup(&mctx);
-+ if (ret != 1) {
-+ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, FIPS_R_TEST_FAILURE);
-+ if (fail_str)
-+ ERR_add_error_data(2, "Type=", fail_str);
-+ return 0;
-+ }
-+ return 1;
-+}
-+
-+/* Generalized symmetric cipher test routine. Encrypt data, verify result
-+ * against known answer, decrypt and compare with original plaintext.
-+ */
-+
-+int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
-+ const unsigned char *key,
-+ const unsigned char *iv,
-+ const unsigned char *plaintext,
-+ const unsigned char *ciphertext, int len)
-+{
-+ unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE];
-+ unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE];
-+
-+ OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE);
-+ memset(pltmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
-+ memset(citmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
-+
-+ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0)
-+ return 0;
-+ if (EVP_Cipher(ctx, citmp, plaintext, len) <= 0)
-+ return 0;
-+ if (memcmp(citmp, ciphertext, len))
-+ return 0;
-+ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0)
-+ return 0;
-+ if (EVP_Cipher(ctx, pltmp, citmp, len) <= 0)
-+ return 0;
-+ if (memcmp(pltmp, plaintext, len))
-+ return 0;
-+ return 1;
-+}
-+#endif
-diff -up openssl-1.0.2a/crypto/fips/fips_rand.c.fips openssl-1.0.2a/crypto/fips/fips_rand.c
---- openssl-1.0.2a/crypto/fips/fips_rand.c.fips 2015-04-22 16:08:40.298245796 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_rand.c 2015-04-22 16:08:40.298245796 +0200
-@@ -0,0 +1,428 @@
-+/* ====================================================================
-+ * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+/*
-+ * This is a FIPS approved AES PRNG based on ANSI X9.31 A.2.4.
-+ */
-+#include <openssl/crypto.h>
-+#include "e_os.h"
-+
-+/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't
-+ be defined and gettimeofday() won't be declared with strict compilers
-+ like DEC C in ANSI C mode. */
-+#ifndef _XOPEN_SOURCE_EXTENDED
-+# define _XOPEN_SOURCE_EXTENDED 1
-+#endif
-+
-+#include <openssl/rand.h>
-+#include <openssl/aes.h>
-+#include <openssl/err.h>
-+#include <openssl/fips_rand.h>
-+#if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS))
-+# include <sys/time.h>
-+#endif
-+#if defined(OPENSSL_SYS_VXWORKS)
-+# include <time.h>
-+#endif
-+#include <assert.h>
-+#ifndef OPENSSL_SYS_WIN32
-+# ifdef OPENSSL_UNISTD
-+# include OPENSSL_UNISTD
-+# else
-+# include <unistd.h>
-+# endif
-+#endif
-+#include <string.h>
-+#include <openssl/fips.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+void *OPENSSL_stderr(void);
-+
-+# define AES_BLOCK_LENGTH 16
-+
-+/* AES FIPS PRNG implementation */
-+
-+typedef struct {
-+ int seeded;
-+ int keyed;
-+ int test_mode;
-+ int second;
-+ int error;
-+ unsigned long counter;
-+ AES_KEY ks;
-+ int vpos;
-+ /* Temporary storage for key if it equals seed length */
-+ unsigned char tmp_key[AES_BLOCK_LENGTH];
-+ unsigned char V[AES_BLOCK_LENGTH];
-+ unsigned char DT[AES_BLOCK_LENGTH];
-+ unsigned char last[AES_BLOCK_LENGTH];
-+} FIPS_PRNG_CTX;
-+
-+static FIPS_PRNG_CTX sctx;
-+
-+static int fips_prng_fail = 0;
-+
-+void FIPS_x931_stick(int onoff)
-+{
-+ fips_prng_fail = onoff;
-+}
-+
-+void FIPS_rng_stick(void)
-+{
-+ FIPS_x931_stick(1);
-+}
-+
-+static void fips_rand_prng_reset(FIPS_PRNG_CTX * ctx)
-+{
-+ ctx->seeded = 0;
-+ ctx->keyed = 0;
-+ ctx->test_mode = 0;
-+ ctx->counter = 0;
-+ ctx->second = 0;
-+ ctx->error = 0;
-+ ctx->vpos = 0;
-+ OPENSSL_cleanse(ctx->V, AES_BLOCK_LENGTH);
-+ OPENSSL_cleanse(&ctx->ks, sizeof(AES_KEY));
-+}
-+
-+static int fips_set_prng_key(FIPS_PRNG_CTX * ctx,
-+ const unsigned char *key, unsigned int keylen)
-+{
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_FIPS_SET_PRNG_KEY, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+ if (keylen != 16 && keylen != 24 && keylen != 32) {
-+ /* error: invalid key size */
-+ return 0;
-+ }
-+ AES_set_encrypt_key(key, keylen << 3, &ctx->ks);
-+ if (keylen == 16) {
-+ memcpy(ctx->tmp_key, key, 16);
-+ ctx->keyed = 2;
-+ } else
-+ ctx->keyed = 1;
-+ ctx->seeded = 0;
-+ ctx->second = 0;
-+ return 1;
-+}
-+
-+static int fips_set_prng_seed(FIPS_PRNG_CTX * ctx,
-+ const unsigned char *seed, unsigned int seedlen)
-+{
-+ unsigned int i;
-+ if (!ctx->keyed)
-+ return 0;
-+ /* In test mode seed is just supplied data */
-+ if (ctx->test_mode) {
-+ if (seedlen != AES_BLOCK_LENGTH)
-+ return 0;
-+ memcpy(ctx->V, seed, AES_BLOCK_LENGTH);
-+ ctx->seeded = 1;
-+ return 1;
-+ }
-+ /* Outside test mode XOR supplied data with existing seed */
-+ for (i = 0; i < seedlen; i++) {
-+ ctx->V[ctx->vpos++] ^= seed[i];
-+ if (ctx->vpos == AES_BLOCK_LENGTH) {
-+ ctx->vpos = 0;
-+ /* Special case if first seed and key length equals
-+ * block size check key and seed do not match.
-+ */
-+ if (ctx->keyed == 2) {
-+ if (!memcmp(ctx->tmp_key, ctx->V, 16)) {
-+ RANDerr(RAND_F_FIPS_SET_PRNG_SEED,
-+ RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY);
-+ return 0;
-+ }
-+ OPENSSL_cleanse(ctx->tmp_key, 16);
-+ ctx->keyed = 1;
-+ }
-+ ctx->seeded = 1;
-+ }
-+ }
-+ return 1;
-+}
-+
-+static int fips_set_test_mode(FIPS_PRNG_CTX * ctx)
-+{
-+ if (ctx->keyed) {
-+ RANDerr(RAND_F_FIPS_SET_TEST_MODE, RAND_R_PRNG_KEYED);
-+ return 0;
-+ }
-+ ctx->test_mode = 1;
-+ return 1;
-+}
-+
-+int FIPS_x931_test_mode(void)
-+{
-+ return fips_set_test_mode(&sctx);
-+}
-+
-+int FIPS_rand_test_mode(void)
-+{
-+ return fips_set_test_mode(&sctx);
-+}
-+
-+int FIPS_x931_set_dt(unsigned char *dt)
-+{
-+ if (!sctx.test_mode) {
-+ RANDerr(RAND_F_FIPS_X931_SET_DT, RAND_R_NOT_IN_TEST_MODE);
-+ return 0;
-+ }
-+ memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
-+ return 1;
-+}
-+
-+int FIPS_rand_set_dt(unsigned char *dt)
-+{
-+ if (!sctx.test_mode) {
-+ RANDerr(RAND_F_FIPS_RAND_SET_DT, RAND_R_NOT_IN_TEST_MODE);
-+ return 0;
-+ }
-+ memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
-+ return 1;
-+}
-+
-+void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr)
-+{
-+# ifdef OPENSSL_SYS_WIN32
-+ FILETIME ft;
-+# elif defined(OPENSSL_SYS_VXWORKS)
-+ struct timespec ts;
-+# else
-+ struct timeval tv;
-+# endif
-+
-+# ifndef GETPID_IS_MEANINGLESS
-+ unsigned long pid;
-+# endif
-+
-+# ifdef OPENSSL_SYS_WIN32
-+ GetSystemTimeAsFileTime(&ft);
-+ buf[0] = (unsigned char)(ft.dwHighDateTime & 0xff);
-+ buf[1] = (unsigned char)((ft.dwHighDateTime >> 8) & 0xff);
-+ buf[2] = (unsigned char)((ft.dwHighDateTime >> 16) & 0xff);
-+ buf[3] = (unsigned char)((ft.dwHighDateTime >> 24) & 0xff);
-+ buf[4] = (unsigned char)(ft.dwLowDateTime & 0xff);
-+ buf[5] = (unsigned char)((ft.dwLowDateTime >> 8) & 0xff);
-+ buf[6] = (unsigned char)((ft.dwLowDateTime >> 16) & 0xff);
-+ buf[7] = (unsigned char)((ft.dwLowDateTime >> 24) & 0xff);
-+# elif defined(OPENSSL_SYS_VXWORKS)
-+ clock_gettime(CLOCK_REALTIME, &ts);
-+ buf[0] = (unsigned char)(ts.tv_sec & 0xff);
-+ buf[1] = (unsigned char)((ts.tv_sec >> 8) & 0xff);
-+ buf[2] = (unsigned char)((ts.tv_sec >> 16) & 0xff);
-+ buf[3] = (unsigned char)((ts.tv_sec >> 24) & 0xff);
-+ buf[4] = (unsigned char)(ts.tv_nsec & 0xff);
-+ buf[5] = (unsigned char)((ts.tv_nsec >> 8) & 0xff);
-+ buf[6] = (unsigned char)((ts.tv_nsec >> 16) & 0xff);
-+ buf[7] = (unsigned char)((ts.tv_nsec >> 24) & 0xff);
-+# else
-+ gettimeofday(&tv, NULL);
-+ buf[0] = (unsigned char)(tv.tv_sec & 0xff);
-+ buf[1] = (unsigned char)((tv.tv_sec >> 8) & 0xff);
-+ buf[2] = (unsigned char)((tv.tv_sec >> 16) & 0xff);
-+ buf[3] = (unsigned char)((tv.tv_sec >> 24) & 0xff);
-+ buf[4] = (unsigned char)(tv.tv_usec & 0xff);
-+ buf[5] = (unsigned char)((tv.tv_usec >> 8) & 0xff);
-+ buf[6] = (unsigned char)((tv.tv_usec >> 16) & 0xff);
-+ buf[7] = (unsigned char)((tv.tv_usec >> 24) & 0xff);
-+# endif
-+ buf[8] = (unsigned char)(*pctr & 0xff);
-+ buf[9] = (unsigned char)((*pctr >> 8) & 0xff);
-+ buf[10] = (unsigned char)((*pctr >> 16) & 0xff);
-+ buf[11] = (unsigned char)((*pctr >> 24) & 0xff);
-+
-+ (*pctr)++;
-+
-+# ifndef GETPID_IS_MEANINGLESS
-+ pid = (unsigned long)getpid();
-+ buf[12] = (unsigned char)(pid & 0xff);
-+ buf[13] = (unsigned char)((pid >> 8) & 0xff);
-+ buf[14] = (unsigned char)((pid >> 16) & 0xff);
-+ buf[15] = (unsigned char)((pid >> 24) & 0xff);
-+# endif
-+}
-+
-+static int fips_rand(FIPS_PRNG_CTX * ctx,
-+ unsigned char *out, unsigned int outlen)
-+{
-+ unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
-+ unsigned char tmp[AES_BLOCK_LENGTH];
-+ int i;
-+ if (ctx->error) {
-+ RANDerr(RAND_F_FIPS_RAND, RAND_R_PRNG_ERROR);
-+ return 0;
-+ }
-+ if (!ctx->keyed) {
-+ RANDerr(RAND_F_FIPS_RAND, RAND_R_NO_KEY_SET);
-+ return 0;
-+ }
-+ if (!ctx->seeded) {
-+ RANDerr(RAND_F_FIPS_RAND, RAND_R_PRNG_NOT_SEEDED);
-+ return 0;
-+ }
-+ for (;;) {
-+ if (!ctx->test_mode)
-+ FIPS_get_timevec(ctx->DT, &ctx->counter);
-+ AES_encrypt(ctx->DT, I, &ctx->ks);
-+ for (i = 0; i < AES_BLOCK_LENGTH; i++)
-+ tmp[i] = I[i] ^ ctx->V[i];
-+ AES_encrypt(tmp, R, &ctx->ks);
-+ for (i = 0; i < AES_BLOCK_LENGTH; i++)
-+ tmp[i] = R[i] ^ I[i];
-+ AES_encrypt(tmp, ctx->V, &ctx->ks);
-+ /* Continuous PRNG test */
-+ if (ctx->second) {
-+ if (fips_prng_fail)
-+ memcpy(ctx->last, R, AES_BLOCK_LENGTH);
-+ if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH)) {
-+ RANDerr(RAND_F_FIPS_RAND, RAND_R_PRNG_STUCK);
-+ ctx->error = 1;
-+ fips_set_selftest_fail();
-+ return 0;
-+ }
-+ }
-+ memcpy(ctx->last, R, AES_BLOCK_LENGTH);
-+ if (!ctx->second) {
-+ ctx->second = 1;
-+ if (!ctx->test_mode)
-+ continue;
-+ }
-+
-+ if (outlen <= AES_BLOCK_LENGTH) {
-+ memcpy(out, R, outlen);
-+ break;
-+ }
-+
-+ memcpy(out, R, AES_BLOCK_LENGTH);
-+ out += AES_BLOCK_LENGTH;
-+ outlen -= AES_BLOCK_LENGTH;
-+ }
-+ return 1;
-+}
-+
-+int FIPS_x931_set_key(const unsigned char *key, int keylen)
-+{
-+ int ret;
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ ret = fips_set_prng_key(&sctx, key, keylen);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ return ret;
-+}
-+
-+int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen)
-+{
-+ return FIPS_x931_set_key(key, keylen);
-+}
-+
-+int FIPS_x931_seed(const void *seed, int seedlen)
-+{
-+ int ret;
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ ret = fips_set_prng_seed(&sctx, seed, seedlen);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ return ret;
-+}
-+
-+int FIPS_x931_bytes(unsigned char *out, int count)
-+{
-+ int ret;
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ ret = fips_rand(&sctx, out, count);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ return ret;
-+}
-+
-+int FIPS_x931_status(void)
-+{
-+ int ret;
-+ CRYPTO_r_lock(CRYPTO_LOCK_RAND);
-+ ret = sctx.seeded;
-+ CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
-+ return ret;
-+}
-+
-+void FIPS_x931_reset(void)
-+{
-+ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ fips_rand_prng_reset(&sctx);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+}
-+
-+static int fips_do_rand_seed(const void *seed, int seedlen)
-+{
-+ FIPS_x931_seed(seed, seedlen);
-+ return 1;
-+}
-+
-+static int fips_do_rand_add(const void *seed, int seedlen, double add_entropy)
-+{
-+ FIPS_x931_seed(seed, seedlen);
-+ return 1;
-+}
-+
-+static const RAND_METHOD rand_x931_meth = {
-+ fips_do_rand_seed,
-+ FIPS_x931_bytes,
-+ FIPS_x931_reset,
-+ fips_do_rand_add,
-+ FIPS_x931_bytes,
-+ FIPS_x931_status
-+};
-+
-+const RAND_METHOD *FIPS_x931_method(void)
-+{
-+ return &rand_x931_meth;
-+}
-+
-+#endif
-diff -up openssl-1.0.2a/crypto/fips/fips_rand.h.fips openssl-1.0.2a/crypto/fips/fips_rand.h
---- openssl-1.0.2a/crypto/fips/fips_rand.h.fips 2015-04-22 16:08:40.298245796 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_rand.h 2015-04-22 16:08:40.298245796 +0200
-@@ -0,0 +1,163 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#ifndef HEADER_FIPS_RAND_H
-+# define HEADER_FIPS_RAND_H
-+
-+# include <openssl/aes.h>
-+# include <openssl/evp.h>
-+# include <openssl/hmac.h>
-+# include <openssl/rand.h>
-+
-+# ifdef OPENSSL_FIPS
-+
-+# ifdef __cplusplus
-+extern "C" {
-+# endif
-+
-+ int FIPS_x931_set_key(const unsigned char *key, int keylen);
-+ int FIPS_x931_seed(const void *buf, int num);
-+ int FIPS_x931_bytes(unsigned char *out, int outlen);
-+
-+ int FIPS_x931_test_mode(void);
-+ void FIPS_x931_reset(void);
-+ int FIPS_x931_set_dt(unsigned char *dt);
-+
-+ int FIPS_x931_status(void);
-+
-+ const RAND_METHOD *FIPS_x931_method(void);
-+
-+ typedef struct drbg_ctx_st DRBG_CTX;
-+/* DRBG external flags */
-+/* Flag for CTR mode only: use derivation function ctr_df */
-+# define DRBG_FLAG_CTR_USE_DF 0x1
-+/* PRNG is in test state */
-+# define DRBG_FLAG_TEST 0x2
-+
-+ DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags);
-+ int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags);
-+ int FIPS_drbg_instantiate(DRBG_CTX *dctx,
-+ const unsigned char *pers, size_t perslen);
-+ int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin,
-+ size_t adinlen);
-+ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
-+ int prediction_resistance,
-+ const unsigned char *adin, size_t adinlen);
-+
-+ int FIPS_drbg_uninstantiate(DRBG_CTX *dctx);
-+ void FIPS_drbg_free(DRBG_CTX *dctx);
-+
-+ int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_entropy) (DRBG_CTX *ctx,
-+ unsigned char **pout,
-+ int entropy,
-+ size_t min_len,
-+ size_t max_len),
-+ void (*cleanup_entropy) (DRBG_CTX *ctx,
-+ unsigned char *out,
-+ size_t olen),
-+ size_t entropy_blocklen,
-+ size_t (*get_nonce) (DRBG_CTX *ctx,
-+ unsigned char **pout,
-+ int entropy,
-+ size_t min_len,
-+ size_t max_len),
-+ void (*cleanup_nonce) (DRBG_CTX *ctx,
-+ unsigned char *out,
-+ size_t olen));
-+
-+ int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_adin) (DRBG_CTX *ctx,
-+ unsigned char
-+ **pout),
-+ void (*cleanup_adin) (DRBG_CTX *ctx,
-+ unsigned char *out,
-+ size_t olen),
-+ int (*rand_seed_cb) (DRBG_CTX *ctx,
-+ const void *buf,
-+ int num),
-+ int (*rand_add_cb) (DRBG_CTX *ctx,
-+ const void *buf,
-+ int num,
-+ double entropy));
-+
-+ void *FIPS_drbg_get_app_data(DRBG_CTX *ctx);
-+ void FIPS_drbg_set_app_data(DRBG_CTX *ctx, void *app_data);
-+ size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx);
-+ int FIPS_drbg_get_strength(DRBG_CTX *dctx);
-+ void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval);
-+ void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval);
-+
-+ int FIPS_drbg_health_check(DRBG_CTX *dctx);
-+
-+ DRBG_CTX *FIPS_get_default_drbg(void);
-+ const RAND_METHOD *FIPS_drbg_method(void);
-+
-+ int FIPS_rand_set_method(const RAND_METHOD *meth);
-+ const RAND_METHOD *FIPS_rand_get_method(void);
-+
-+ void FIPS_rand_set_bits(int nbits);
-+
-+ int FIPS_rand_strength(void);
-+
-+/* 1.0.0 compat functions */
-+ int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen);
-+ int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num);
-+ int FIPS_rand_bytes(unsigned char *out, FIPS_RAND_SIZE_T outlen);
-+ int FIPS_rand_test_mode(void);
-+ void FIPS_rand_reset(void);
-+ int FIPS_rand_set_dt(unsigned char *dt);
-+ int FIPS_rand_status(void);
-+ const RAND_METHOD *FIPS_rand_method(void);
-+
-+# ifdef __cplusplus
-+}
-+# endif
-+# endif
-+#endif
-diff -up openssl-1.0.2a/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.2a/crypto/fips/fips_rand_lcl.h
---- openssl-1.0.2a/crypto/fips/fips_rand_lcl.h.fips 2015-04-22 16:08:40.298245796 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_rand_lcl.h 2015-04-22 16:08:40.298245796 +0200
-@@ -0,0 +1,213 @@
-+/* fips/rand/fips_rand_lcl.h */
-+/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing at OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ */
-+
-+typedef struct drbg_hash_ctx_st DRBG_HASH_CTX;
-+typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX;
-+typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX;
-+
-+/* 888 bits from 10.1 table 2 */
-+#define HASH_PRNG_MAX_SEEDLEN 111
-+
-+struct drbg_hash_ctx_st {
-+ const EVP_MD *md;
-+ EVP_MD_CTX mctx;
-+ unsigned char V[HASH_PRNG_MAX_SEEDLEN];
-+ unsigned char C[HASH_PRNG_MAX_SEEDLEN];
-+ /* Temporary value storage: should always exceed max digest length */
-+ unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN];
-+};
-+
-+struct drbg_hmac_ctx_st {
-+ const EVP_MD *md;
-+ HMAC_CTX hctx;
-+ unsigned char K[EVP_MAX_MD_SIZE];
-+ unsigned char V[EVP_MAX_MD_SIZE];
-+};
-+
-+struct drbg_ctr_ctx_st {
-+ AES_KEY ks;
-+ size_t keylen;
-+ unsigned char K[32];
-+ unsigned char V[16];
-+ /* Temp variables used by derivation function */
-+ AES_KEY df_ks;
-+ AES_KEY df_kxks;
-+ /* Temporary block storage used by ctr_df */
-+ unsigned char bltmp[16];
-+ size_t bltmp_pos;
-+ unsigned char KX[48];
-+};
-+
-+/* DRBG internal flags */
-+
-+/* Functions shouldn't call err library */
-+#define DRBG_FLAG_NOERR 0x1
-+/* Custom reseed checking */
-+#define DRBG_CUSTOM_RESEED 0x2
-+
-+/* DRBG status values */
-+/* not initialised */
-+#define DRBG_STATUS_UNINITIALISED 0
-+/* ok and ready to generate random bits */
-+#define DRBG_STATUS_READY 1
-+/* reseed required */
-+#define DRBG_STATUS_RESEED 2
-+/* fatal error condition */
-+#define DRBG_STATUS_ERROR 3
-+
-+/* A default maximum length: larger than any reasonable value used in pratice */
-+
-+#define DRBG_MAX_LENGTH 0x7ffffff0
-+/* Maximum DRBG block length: all md sizes are bigger than cipher blocks sizes
-+ * so use max digest length.
-+ */
-+#define DRBG_MAX_BLOCK EVP_MAX_MD_SIZE
-+
-+#define DRBG_HEALTH_INTERVAL (1 << 24)
-+
-+/* DRBG context structure */
-+
-+struct drbg_ctx_st {
-+ /* First types common to all implementations */
-+ /* DRBG type: a NID for the underlying algorithm */
-+ int type;
-+ /* Various external flags */
-+ unsigned int xflags;
-+ /* Various internal use only flags */
-+ unsigned int iflags;
-+ /* Used for periodic health checks */
-+ int health_check_cnt, health_check_interval;
-+
-+ /* The following parameters are setup by mechanism drbg_init() call */
-+ int strength;
-+ size_t blocklength;
-+ size_t max_request;
-+
-+ size_t min_entropy, max_entropy;
-+ size_t min_nonce, max_nonce;
-+ size_t max_pers, max_adin;
-+ unsigned int reseed_counter;
-+ unsigned int reseed_interval;
-+ size_t seedlen;
-+ int status;
-+ /* Application data: typically used by test get_entropy */
-+ void *app_data;
-+ /* Implementation specific structures */
-+ union {
-+ DRBG_HASH_CTX hash;
-+ DRBG_HMAC_CTX hmac;
-+ DRBG_CTR_CTX ctr;
-+ } d;
-+ /* Initialiase PRNG and setup callbacks below */
-+ int (*init) (DRBG_CTX *ctx, int nid, int security, unsigned int flags);
-+ /* Intantiate PRNG */
-+ int (*instantiate) (DRBG_CTX *ctx,
-+ const unsigned char *ent, size_t entlen,
-+ const unsigned char *nonce, size_t noncelen,
-+ const unsigned char *pers, size_t perslen);
-+ /* reseed */
-+ int (*reseed) (DRBG_CTX *ctx,
-+ const unsigned char *ent, size_t entlen,
-+ const unsigned char *adin, size_t adinlen);
-+ /* generat output */
-+ int (*generate) (DRBG_CTX *ctx,
-+ unsigned char *out, size_t outlen,
-+ const unsigned char *adin, size_t adinlen);
-+ /* uninstantiate */
-+ int (*uninstantiate) (DRBG_CTX *ctx);
-+
-+ /* Entropy source block length */
-+ size_t entropy_blocklen;
-+
-+ /* entropy gathering function */
-+ size_t (*get_entropy) (DRBG_CTX *ctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len);
-+ /* Indicates we have finished with entropy buffer */
-+ void (*cleanup_entropy) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
-+
-+ /* nonce gathering function */
-+ size_t (*get_nonce) (DRBG_CTX *ctx, unsigned char **pout,
-+ int entropy, size_t min_len, size_t max_len);
-+ /* Indicates we have finished with nonce buffer */
-+ void (*cleanup_nonce) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
-+
-+ /* Continuous random number test temporary area */
-+ /* Last block */
-+ unsigned char lb[EVP_MAX_MD_SIZE];
-+ /* set if lb is valid */
-+ int lb_valid;
-+
-+ /* Callbacks used when called through RAND interface */
-+ /* Get any additional input for generate */
-+ size_t (*get_adin) (DRBG_CTX *ctx, unsigned char **pout);
-+ void (*cleanup_adin) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
-+ /* Callback for RAND_seed(), RAND_add() */
-+ int (*rand_seed_cb) (DRBG_CTX *ctx, const void *buf, int num);
-+ int (*rand_add_cb) (DRBG_CTX *ctx,
-+ const void *buf, int num, double entropy);
-+};
-+
-+int fips_drbg_ctr_init(DRBG_CTX *dctx);
-+int fips_drbg_hash_init(DRBG_CTX *dctx);
-+int fips_drbg_hmac_init(DRBG_CTX *dctx);
-+int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags);
-+int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out);
-+
-+const struct env_md_st *FIPS_get_digestbynid(int nid);
-+
-+const struct evp_cipher_st *FIPS_get_cipherbynid(int nid);
-+
-+#define FIPS_digestinit EVP_DigestInit
-+#define FIPS_digestupdate EVP_DigestUpdate
-+#define FIPS_digestfinal EVP_DigestFinal
-+#define M_EVP_MD_size EVP_MD_size
-diff -up openssl-1.0.2a/crypto/fips/fips_rand_lib.c.fips openssl-1.0.2a/crypto/fips/fips_rand_lib.c
---- openssl-1.0.2a/crypto/fips/fips_rand_lib.c.fips 2015-04-22 16:08:40.299245820 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_rand_lib.c 2015-04-22 16:08:40.299245820 +0200
-@@ -0,0 +1,181 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <openssl/crypto.h>
-+#include <openssl/rand.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+#include <openssl/fips_rand.h>
-+#include "e_os.h"
-+
-+/* FIPS API for PRNG use. Similar to RAND functionality but without
-+ * ENGINE and additional checking for non-FIPS rand methods.
-+ */
-+
-+static const RAND_METHOD *fips_rand_meth = NULL;
-+static int fips_approved_rand_meth = 0;
-+static int fips_rand_bits = 0;
-+
-+/* Allows application to override number of bits and uses non-FIPS methods */
-+void FIPS_rand_set_bits(int nbits)
-+{
-+ fips_rand_bits = nbits;
-+}
-+
-+int FIPS_rand_set_method(const RAND_METHOD *meth)
-+{
-+ if (!fips_rand_bits) {
-+ if (meth == FIPS_drbg_method())
-+ fips_approved_rand_meth = 1;
-+ else if (meth == FIPS_x931_method())
-+ fips_approved_rand_meth = 2;
-+ else {
-+ fips_approved_rand_meth = 0;
-+ if (FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ }
-+ }
-+ fips_rand_meth = meth;
-+ return 1;
-+}
-+
-+const RAND_METHOD *FIPS_rand_get_method(void)
-+{
-+ return fips_rand_meth;
-+}
-+
-+const RAND_METHOD *FIPS_rand_method(void)
-+{
-+ return FIPS_rand_get_method();
-+}
-+
-+void FIPS_rand_reset(void)
-+{
-+ if (fips_rand_meth && fips_rand_meth->cleanup)
-+ fips_rand_meth->cleanup();
-+}
-+
-+int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num)
-+{
-+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->seed)
-+ fips_rand_meth->seed(buf, num);
-+ return 1;
-+}
-+
-+void FIPS_rand_add(const void *buf, int num, double entropy)
-+{
-+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_RAND_ADD, FIPS_R_NON_FIPS_METHOD);
-+ return;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->add)
-+ fips_rand_meth->add(buf, num, entropy);
-+}
-+
-+int FIPS_rand_bytes(unsigned char *buf, FIPS_RAND_SIZE_T num)
-+{
-+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->bytes)
-+ return fips_rand_meth->bytes(buf, num);
-+ return 0;
-+}
-+
-+int FIPS_rand_pseudo_bytes(unsigned char *buf, int num)
-+{
-+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_RAND_PSEUDO_BYTES, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->pseudorand)
-+ return fips_rand_meth->pseudorand(buf, num);
-+ return -1;
-+}
-+
-+int FIPS_rand_status(void)
-+{
-+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->status)
-+ return fips_rand_meth->status();
-+ return 0;
-+}
-+
-+/* Return instantiated strength of PRNG. For DRBG this is an internal
-+ * parameter. For X9.31 PRNG it is 80 bits (from SP800-131). Any other
-+ * type of PRNG is not approved and returns 0 in FIPS mode and maximum
-+ * 256 outside FIPS mode.
-+ */
-+
-+int FIPS_rand_strength(void)
-+{
-+ if (fips_rand_bits)
-+ return fips_rand_bits;
-+ if (fips_approved_rand_meth == 1)
-+ return FIPS_drbg_get_strength(FIPS_get_default_drbg());
-+ else if (fips_approved_rand_meth == 2)
-+ return 80;
-+ else if (fips_approved_rand_meth == 0) {
-+ if (FIPS_module_mode())
-+ return 0;
-+ else
-+ return 256;
-+ }
-+ return 0;
-+}
-diff -up openssl-1.0.2a/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_rand_selftest.c
---- openssl-1.0.2a/crypto/fips/fips_rand_selftest.c.fips 2015-04-22 16:08:40.299245820 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_rand_selftest.c 2015-04-22 16:08:40.299245820 +0200
-@@ -0,0 +1,176 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+typedef struct {
-+ unsigned char DT[16];
-+ unsigned char V[16];
-+ unsigned char R[16];
-+} AES_PRNG_TV;
-+
-+/* The following test vectors are taken directly from the RGNVS spec */
-+
-+static unsigned char aes_128_key[16] =
-+ { 0xf3, 0xb1, 0x66, 0x6d, 0x13, 0x60, 0x72, 0x42,
-+ 0xed, 0x06, 0x1c, 0xab, 0xb8, 0xd4, 0x62, 0x02
-+};
-+
-+static AES_PRNG_TV aes_128_tv = {
-+ /* DT */
-+ {0xe6, 0xb3, 0xbe, 0x78, 0x2a, 0x23, 0xfa, 0x62,
-+ 0xd7, 0x1d, 0x4a, 0xfb, 0xb0, 0xe9, 0x22, 0xf9},
-+ /* V */
-+ {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-+ /* R */
-+ {0x59, 0x53, 0x1e, 0xd1, 0x3b, 0xb0, 0xc0, 0x55,
-+ 0x84, 0x79, 0x66, 0x85, 0xc1, 0x2f, 0x76, 0x41}
-+};
-+
-+static unsigned char aes_192_key[24] =
-+ { 0x15, 0xd8, 0x78, 0x0d, 0x62, 0xd3, 0x25, 0x6e,
-+ 0x44, 0x64, 0x10, 0x13, 0x60, 0x2b, 0xa9, 0xbc,
-+ 0x4a, 0xfb, 0xca, 0xeb, 0x4c, 0x8b, 0x99, 0x3b
-+};
-+
-+static AES_PRNG_TV aes_192_tv = {
-+ /* DT */
-+ {0x3f, 0xd8, 0xff, 0xe8, 0x80, 0x69, 0x8b, 0xc1,
-+ 0xbf, 0x99, 0x7d, 0xa4, 0x24, 0x78, 0xf3, 0x4b},
-+ /* V */
-+ {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-+ /* R */
-+ {0x17, 0x07, 0xd5, 0x28, 0x19, 0x79, 0x1e, 0xef,
-+ 0xa5, 0x0c, 0xbf, 0x25, 0xe5, 0x56, 0xb4, 0x93}
-+};
-+
-+static unsigned char aes_256_key[32] =
-+ { 0x6d, 0x14, 0x06, 0x6c, 0xb6, 0xd8, 0x21, 0x2d,
-+ 0x82, 0x8d, 0xfa, 0xf2, 0x7a, 0x03, 0xb7, 0x9f,
-+ 0x0c, 0xc7, 0x3e, 0xcd, 0x76, 0xeb, 0xee, 0xb5,
-+ 0x21, 0x05, 0x8c, 0x4f, 0x31, 0x7a, 0x80, 0xbb
-+};
-+
-+static AES_PRNG_TV aes_256_tv = {
-+ /* DT */
-+ {0xda, 0x3a, 0x41, 0xec, 0x1d, 0xa3, 0xb0, 0xd5,
-+ 0xf2, 0xa9, 0x4e, 0x34, 0x74, 0x8e, 0x9e, 0x88},
-+ /* V */
-+ {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-+ /* R */
-+ {0x35, 0xc7, 0xef, 0xa7, 0x78, 0x4d, 0x29, 0xbc,
-+ 0x82, 0x79, 0x99, 0xfb, 0xd0, 0xb3, 0x3b, 0x72}
-+};
-+
-+void FIPS_corrupt_rng()
-+{
-+ aes_192_tv.V[0]++;
-+}
-+
-+# define fips_x931_test(key, tv) \
-+ do_x931_test(key, sizeof key, &tv)
-+
-+static int do_x931_test(unsigned char *key, int keylen, AES_PRNG_TV * tv)
-+{
-+ unsigned char R[16], V[16];
-+ int rv = 1;
-+ memcpy(V, tv->V, sizeof(V));
-+ if (!FIPS_x931_set_key(key, keylen))
-+ return 0;
-+ if (!fips_post_started(FIPS_TEST_X931, keylen, NULL))
-+ return 1;
-+ if (!fips_post_corrupt(FIPS_TEST_X931, keylen, NULL))
-+ V[0]++;
-+ FIPS_x931_seed(V, 16);
-+ FIPS_x931_set_dt(tv->DT);
-+ FIPS_x931_bytes(R, 16);
-+ if (memcmp(R, tv->R, 16)) {
-+ fips_post_failed(FIPS_TEST_X931, keylen, NULL);
-+ rv = 0;
-+ } else if (!fips_post_success(FIPS_TEST_X931, keylen, NULL))
-+ return 0;
-+ return rv;
-+}
-+
-+int FIPS_selftest_x931()
-+{
-+ int rv = 1;
-+ FIPS_x931_reset();
-+ if (!FIPS_x931_test_mode()) {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_X931, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+ if (!fips_x931_test(aes_128_key, aes_128_tv))
-+ rv = 0;
-+ if (!fips_x931_test(aes_192_key, aes_192_tv))
-+ rv = 0;
-+ if (!fips_x931_test(aes_256_key, aes_256_tv))
-+ rv = 0;
-+ FIPS_x931_reset();
-+ if (!rv)
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_X931, FIPS_R_SELFTEST_FAILED);
-+ return rv;
-+}
-+
-+int FIPS_selftest_rng(void)
-+{
-+ return FIPS_selftest_x931();
-+}
-+
-+#endif
-diff -up openssl-1.0.2a/crypto/fips/fips_randtest.c.fips openssl-1.0.2a/crypto/fips/fips_randtest.c
---- openssl-1.0.2a/crypto/fips/fips_randtest.c.fips 2015-04-22 16:08:40.299245820 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_randtest.c 2015-04-22 16:08:40.299245820 +0200
-@@ -0,0 +1,247 @@
-+/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay at cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ *
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to. The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
-+ *
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * "This product includes cryptographic software written by
-+ * Eric Young (eay at cryptsoft.com)"
-+ * The word 'cryptographic' can be left out if the rouines from the library
-+ * being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from
-+ * the apps directory (application code) you must include an acknowledgement:
-+ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed. i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <ctype.h>
-+#include <openssl/rand.h>
-+#include <openssl/fips_rand.h>
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+
-+#include "e_os.h"
-+
-+#ifndef OPENSSL_FIPS
-+int main(int argc, char *argv[])
-+{
-+ printf("No FIPS RAND support\n");
-+ return (0);
-+}
-+
-+#else
-+
-+# include "fips_utl.h"
-+# include <openssl/fips.h>
-+
-+typedef struct {
-+ unsigned char DT[16];
-+ unsigned char V[16];
-+ unsigned char R[16];
-+} AES_PRNG_MCT;
-+
-+static const unsigned char aes_128_mct_key[16] =
-+ { 0x9f, 0x5b, 0x51, 0x20, 0x0b, 0xf3, 0x34, 0xb5,
-+ 0xd8, 0x2b, 0xe8, 0xc3, 0x72, 0x55, 0xc8, 0x48
-+};
-+
-+static const AES_PRNG_MCT aes_128_mct_tv = {
-+ /* DT */
-+ {0x63, 0x76, 0xbb, 0xe5, 0x29, 0x02, 0xba, 0x3b,
-+ 0x67, 0xc9, 0x25, 0xfa, 0x70, 0x1f, 0x11, 0xac},
-+ /* V */
-+ {0x57, 0x2c, 0x8e, 0x76, 0x87, 0x26, 0x47, 0x97,
-+ 0x7e, 0x74, 0xfb, 0xdd, 0xc4, 0x95, 0x01, 0xd1},
-+ /* R */
-+ {0x48, 0xe9, 0xbd, 0x0d, 0x06, 0xee, 0x18, 0xfb,
-+ 0xe4, 0x57, 0x90, 0xd5, 0xc3, 0xfc, 0x9b, 0x73}
-+};
-+
-+static const unsigned char aes_192_mct_key[24] =
-+ { 0xb7, 0x6c, 0x34, 0xd1, 0x09, 0x67, 0xab, 0x73,
-+ 0x4d, 0x5a, 0xd5, 0x34, 0x98, 0x16, 0x0b, 0x91,
-+ 0xbc, 0x35, 0x51, 0x16, 0x6b, 0xae, 0x93, 0x8a
-+};
-+
-+static const AES_PRNG_MCT aes_192_mct_tv = {
-+ /* DT */
-+ {0x84, 0xce, 0x22, 0x7d, 0x91, 0x5a, 0xa3, 0xc9,
-+ 0x84, 0x3c, 0x0a, 0xb3, 0xa9, 0x63, 0x15, 0x52},
-+ /* V */
-+ {0xb6, 0xaf, 0xe6, 0x8f, 0x99, 0x9e, 0x90, 0x64,
-+ 0xdd, 0xc7, 0x7a, 0xc1, 0xbb, 0x90, 0x3a, 0x6d},
-+ /* R */
-+ {0xfc, 0x85, 0x60, 0x9a, 0x29, 0x6f, 0xef, 0x21,
-+ 0xdd, 0x86, 0x20, 0x32, 0x8a, 0x29, 0x6f, 0x47}
-+};
-+
-+static const unsigned char aes_256_mct_key[32] =
-+ { 0x9b, 0x05, 0xc8, 0x68, 0xff, 0x47, 0xf8, 0x3a,
-+ 0xa6, 0x3a, 0xa8, 0xcb, 0x4e, 0x71, 0xb2, 0xe0,
-+ 0xb8, 0x7e, 0xf1, 0x37, 0xb6, 0xb4, 0xf6, 0x6d,
-+ 0x86, 0x32, 0xfc, 0x1f, 0x5e, 0x1d, 0x1e, 0x50
-+};
-+
-+static const AES_PRNG_MCT aes_256_mct_tv = {
-+ /* DT */
-+ {0x31, 0x6e, 0x35, 0x9a, 0xb1, 0x44, 0xf0, 0xee,
-+ 0x62, 0x6d, 0x04, 0x46, 0xe0, 0xa3, 0x92, 0x4c},
-+ /* V */
-+ {0x4f, 0xcd, 0xc1, 0x87, 0x82, 0x1f, 0x4d, 0xa1,
-+ 0x3e, 0x0e, 0x56, 0x44, 0x59, 0xe8, 0x83, 0xca},
-+ /* R */
-+ {0xc8, 0x87, 0xc2, 0x61, 0x5b, 0xd0, 0xb9, 0xe1,
-+ 0xe7, 0xf3, 0x8b, 0xd7, 0x5b, 0xd5, 0xf1, 0x8d}
-+};
-+
-+static void dump(const unsigned char *b, int n)
-+{
-+ while (n-- > 0) {
-+ printf(" %02x", *b++);
-+ }
-+}
-+
-+static void compare(const unsigned char *result,
-+ const unsigned char *expected, int n)
-+{
-+ int i;
-+
-+ for (i = 0; i < n; ++i)
-+ if (result[i] != expected[i]) {
-+ puts("Random test failed, got:");
-+ dump(result, n);
-+ puts("\n expected:");
-+ dump(expected, n);
-+ putchar('\n');
-+ EXIT(1);
-+ }
-+}
-+
-+static void run_test(const unsigned char *key, int keylen,
-+ const AES_PRNG_MCT * tv)
-+{
-+ unsigned char buf[16], dt[16];
-+ int i, j;
-+ FIPS_x931_reset();
-+ FIPS_x931_test_mode();
-+ FIPS_x931_set_key(key, keylen);
-+ FIPS_x931_seed(tv->V, 16);
-+ memcpy(dt, tv->DT, 16);
-+ for (i = 0; i < 10000; i++) {
-+ FIPS_x931_set_dt(dt);
-+ FIPS_x931_bytes(buf, 16);
-+ /* Increment DT */
-+ for (j = 15; j >= 0; j--) {
-+ dt[j]++;
-+ if (dt[j])
-+ break;
-+ }
-+ }
-+
-+ compare(buf, tv->R, 16);
-+}
-+
-+int main()
-+{
-+ run_test(aes_128_mct_key, 16, &aes_128_mct_tv);
-+ printf("FIPS PRNG test 1 done\n");
-+ run_test(aes_192_mct_key, 24, &aes_192_mct_tv);
-+ printf("FIPS PRNG test 2 done\n");
-+ run_test(aes_256_mct_key, 32, &aes_256_mct_tv);
-+ printf("FIPS PRNG test 3 done\n");
-+ return 0;
-+}
-+
-+#endif
-diff -up openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c
---- openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c.fips 2015-04-22 16:08:40.299245820 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c 2015-04-22 16:08:40.299245820 +0200
-@@ -0,0 +1,444 @@
-+/* ====================================================================
-+ * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-+#include <openssl/rsa.h>
-+#include <openssl/evp.h>
-+#include <openssl/bn.h>
-+#include <openssl/opensslconf.h>
-+
-+#ifdef OPENSSL_FIPS
-+
-+static const unsigned char n[] =
-+ "\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
-+ "\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
-+ "\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD"
-+ "\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80"
-+ "\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25"
-+ "\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39"
-+ "\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68"
-+ "\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD" "\xCB";
-+
-+static int corrupt_rsa;
-+
-+static int setrsakey(RSA *key)
-+{
-+ static const unsigned char e[] = "\x11";
-+
-+ static const unsigned char d[] =
-+ "\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD"
-+ "\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41"
-+ "\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69"
-+ "\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA"
-+ "\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94"
-+ "\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A"
-+ "\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
-+ "\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
-+ "\xC1";
-+
-+ static const unsigned char p[] =
-+ "\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
-+ "\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
-+ "\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
-+ "\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
-+ "\x99";
-+
-+ static const unsigned char q[] =
-+ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
-+ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
-+ "\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
-+ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
-+ "\x03";
-+
-+ static const unsigned char dmp1[] =
-+ "\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
-+ "\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
-+ "\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
-+ "\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81";
-+
-+ static const unsigned char dmq1[] =
-+ "\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
-+ "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
-+ "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
-+ "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D";
-+
-+ static const unsigned char iqmp[] =
-+ "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
-+ "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
-+ "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
-+ "\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
-+ "\xF7";
-+
-+ key->n = BN_bin2bn(n, sizeof(n) - 1, key->n);
-+ if (corrupt_rsa)
-+ BN_set_bit(key->n, 1024);
-+ key->e = BN_bin2bn(e, sizeof(e) - 1, key->e);
-+ key->d = BN_bin2bn(d, sizeof(d) - 1, key->d);
-+ key->p = BN_bin2bn(p, sizeof(p) - 1, key->p);
-+ key->q = BN_bin2bn(q, sizeof(q) - 1, key->q);
-+ key->dmp1 = BN_bin2bn(dmp1, sizeof(dmp1) - 1, key->dmp1);
-+ key->dmq1 = BN_bin2bn(dmq1, sizeof(dmq1) - 1, key->dmq1);
-+ key->iqmp = BN_bin2bn(iqmp, sizeof(iqmp) - 1, key->iqmp);
-+ return 1;
-+}
-+
-+void FIPS_corrupt_rsa()
-+{
-+ corrupt_rsa = 1;
-+}
-+
-+/* Known Answer Test (KAT) data for the above RSA private key signing
-+ * kat_tbs.
-+ */
-+
-+static const unsigned char kat_tbs[] =
-+ "OpenSSL FIPS 140-2 Public Key RSA KAT";
-+
-+static const unsigned char kat_RSA_PSS_SHA1[] = {
-+ 0x2D, 0xAF, 0x6E, 0xC2, 0x98, 0xFB, 0x8A, 0xA1, 0xB9, 0x46, 0xDA, 0x0F,
-+ 0x01, 0x1E, 0x37, 0x93, 0xC2, 0x55, 0x27, 0xE4, 0x1D, 0xD2, 0x90, 0xBB,
-+ 0xF4, 0xBF, 0x4A, 0x74, 0x39, 0x51, 0xBB, 0xE8, 0x0C, 0xB7, 0xF8, 0xD3,
-+ 0xD1, 0xDF, 0xE7, 0xBE, 0x80, 0x05, 0xC3, 0xB5, 0xC7, 0x83, 0xD5, 0x4C,
-+ 0x7F, 0x49, 0xFB, 0x3F, 0x29, 0x9B, 0xE1, 0x12, 0x51, 0x60, 0xD0, 0xA7,
-+ 0x0D, 0xA9, 0x28, 0x56, 0x73, 0xD9, 0x07, 0xE3, 0x5E, 0x3F, 0x9B, 0xF5,
-+ 0xB6, 0xF3, 0xF2, 0x5E, 0x74, 0xC9, 0x83, 0x81, 0x47, 0xF0, 0xC5, 0x45,
-+ 0x0A, 0xE9, 0x8E, 0x38, 0xD7, 0x18, 0xC6, 0x2A, 0x0F, 0xF8, 0xB7, 0x31,
-+ 0xD6, 0x55, 0xE4, 0x66, 0x78, 0x81, 0xD4, 0xE6, 0xDB, 0x9F, 0xBA, 0xE8,
-+ 0x23, 0xB5, 0x7F, 0xDC, 0x08, 0xEA, 0xD5, 0x26, 0x1E, 0x20, 0x25, 0x84,
-+ 0x26, 0xC6, 0x79, 0xC9, 0x9B, 0x3D, 0x7E, 0xA9
-+};
-+
-+static const unsigned char kat_RSA_PSS_SHA224[] = {
-+ 0x39, 0x4A, 0x6A, 0x20, 0xBC, 0xE9, 0x33, 0xED, 0xEF, 0xC5, 0x58, 0xA7,
-+ 0xFE, 0x81, 0xC4, 0x36, 0x50, 0x9A, 0x2C, 0x82, 0x98, 0x08, 0x95, 0xFA,
-+ 0xB1, 0x9E, 0xD2, 0x55, 0x61, 0x87, 0x21, 0x59, 0x87, 0x7B, 0x1F, 0x57,
-+ 0x30, 0x9D, 0x0D, 0x4A, 0x06, 0xEB, 0x52, 0x37, 0x55, 0x54, 0x1C, 0x89,
-+ 0x83, 0x75, 0x59, 0x65, 0x64, 0x90, 0x2E, 0x16, 0xCC, 0x86, 0x05, 0xEE,
-+ 0xB1, 0xE6, 0x7B, 0xBA, 0x16, 0x75, 0x0D, 0x0C, 0x64, 0x0B, 0xAB, 0x22,
-+ 0x15, 0x78, 0x6B, 0x6F, 0xA4, 0xFB, 0x77, 0x40, 0x64, 0x62, 0xD1, 0xB5,
-+ 0x37, 0x1E, 0xE0, 0x3D, 0xA8, 0xF9, 0xD2, 0xBD, 0xAA, 0x38, 0x24, 0x49,
-+ 0x58, 0xD2, 0x74, 0x85, 0xF4, 0xB5, 0x93, 0x8E, 0xF5, 0x03, 0xEA, 0x2D,
-+ 0xC8, 0x52, 0xFA, 0xCF, 0x7E, 0x35, 0xB0, 0x6A, 0xAF, 0x95, 0xC0, 0x00,
-+ 0x54, 0x76, 0x3D, 0x0C, 0x9C, 0xB2, 0xEE, 0xC0
-+};
-+
-+static const unsigned char kat_RSA_PSS_SHA256[] = {
-+ 0x6D, 0x3D, 0xBE, 0x8F, 0x60, 0x6D, 0x25, 0x14, 0xF0, 0x31, 0xE3, 0x89,
-+ 0x00, 0x97, 0xFA, 0x99, 0x71, 0x28, 0xE5, 0x10, 0x25, 0x9A, 0xF3, 0x8F,
-+ 0x7B, 0xC5, 0xA8, 0x4A, 0x74, 0x51, 0x36, 0xE2, 0x8D, 0x7D, 0x73, 0x28,
-+ 0xC1, 0x77, 0xC6, 0x27, 0x97, 0x00, 0x8B, 0x00, 0xA3, 0x96, 0x73, 0x4E,
-+ 0x7D, 0x2E, 0x2C, 0x34, 0x68, 0x8C, 0x8E, 0xDF, 0x9D, 0x49, 0x47, 0x05,
-+ 0xAB, 0xF5, 0x01, 0xD6, 0x81, 0x47, 0x70, 0xF5, 0x1D, 0x6D, 0x26, 0xBA,
-+ 0x2F, 0x7A, 0x54, 0x53, 0x4E, 0xED, 0x71, 0xD9, 0x5A, 0xF3, 0xDA, 0xB6,
-+ 0x0B, 0x47, 0x34, 0xAF, 0x90, 0xDC, 0xC8, 0xD9, 0x6F, 0x56, 0xCD, 0x9F,
-+ 0x21, 0xB7, 0x7E, 0xAD, 0x7C, 0x2F, 0x75, 0x50, 0x47, 0x12, 0xE4, 0x6D,
-+ 0x5F, 0xB7, 0x01, 0xDF, 0xC3, 0x11, 0x6C, 0xA9, 0x9E, 0x49, 0xB9, 0xF6,
-+ 0x72, 0xF4, 0xF6, 0xEF, 0x88, 0x1E, 0x2D, 0x1C
-+};
-+
-+static const unsigned char kat_RSA_PSS_SHA384[] = {
-+ 0x40, 0xFB, 0xA1, 0x21, 0xF4, 0xB2, 0x40, 0x9A, 0xB4, 0x31, 0xA8, 0xF2,
-+ 0xEC, 0x1C, 0xC4, 0xC8, 0x7C, 0x22, 0x65, 0x9C, 0x57, 0x45, 0xCD, 0x5E,
-+ 0x86, 0x00, 0xF7, 0x25, 0x78, 0xDE, 0xDC, 0x7A, 0x71, 0x44, 0x9A, 0xCD,
-+ 0xAA, 0x25, 0xF4, 0xB2, 0xFC, 0xF0, 0x75, 0xD9, 0x2F, 0x78, 0x23, 0x7F,
-+ 0x6F, 0x02, 0xEF, 0xC1, 0xAF, 0xA6, 0x28, 0x16, 0x31, 0xDC, 0x42, 0x6C,
-+ 0xB2, 0x44, 0xE5, 0x4D, 0x66, 0xA2, 0xE6, 0x71, 0xF3, 0xAC, 0x4F, 0xFB,
-+ 0x91, 0xCA, 0xF5, 0x70, 0xEF, 0x6B, 0x9D, 0xA4, 0xEF, 0xD9, 0x3D, 0x2F,
-+ 0x3A, 0xBE, 0x89, 0x38, 0x59, 0x01, 0xBA, 0xDA, 0x32, 0xAD, 0x42, 0x89,
-+ 0x98, 0x8B, 0x39, 0x44, 0xF0, 0xFC, 0x38, 0xAC, 0x87, 0x1F, 0xCA, 0x6F,
-+ 0x48, 0xF6, 0xAE, 0xD7, 0x45, 0xEE, 0xAE, 0x88, 0x0E, 0x60, 0xF4, 0x55,
-+ 0x48, 0x44, 0xEE, 0x1F, 0x90, 0x18, 0x4B, 0xF1
-+};
-+
-+static const unsigned char kat_RSA_PSS_SHA512[] = {
-+ 0x07, 0x1E, 0xD8, 0xD5, 0x05, 0xE8, 0xE6, 0xE6, 0x57, 0xAE, 0x63, 0x8C,
-+ 0xC6, 0x83, 0xB7, 0xA0, 0x59, 0xBB, 0xF2, 0xC6, 0x8F, 0x12, 0x53, 0x9A,
-+ 0x9B, 0x54, 0x9E, 0xB3, 0xC1, 0x1D, 0x23, 0x4D, 0x51, 0xED, 0x9E, 0xDD,
-+ 0x4B, 0xF3, 0x46, 0x9B, 0x6B, 0xF6, 0x7C, 0x24, 0x60, 0x79, 0x23, 0x39,
-+ 0x01, 0x1C, 0x51, 0xCB, 0xD8, 0xE9, 0x9A, 0x01, 0x67, 0x5F, 0xFE, 0xD7,
-+ 0x7C, 0xE3, 0x7F, 0xED, 0xDB, 0x87, 0xBB, 0xF0, 0x3D, 0x78, 0x55, 0x61,
-+ 0x57, 0xE3, 0x0F, 0xE3, 0xD2, 0x9D, 0x0C, 0x2A, 0x20, 0xB0, 0x85, 0x13,
-+ 0xC5, 0x47, 0x34, 0x0D, 0x32, 0x15, 0xC8, 0xAE, 0x9A, 0x6A, 0x39, 0x63,
-+ 0x2D, 0x60, 0xF5, 0x4C, 0xDF, 0x8A, 0x48, 0x4B, 0xBF, 0xF4, 0xA8, 0xFE,
-+ 0x76, 0xF2, 0x32, 0x1B, 0x9C, 0x7C, 0xCA, 0xFE, 0x7F, 0x80, 0xC2, 0x88,
-+ 0x5C, 0x97, 0x70, 0xB4, 0x26, 0xC9, 0x14, 0x8B
-+};
-+
-+static const unsigned char kat_RSA_SHA1[] = {
-+ 0x71, 0xEE, 0x1A, 0xC0, 0xFE, 0x01, 0x93, 0x54, 0x79, 0x5C, 0xF2, 0x4C,
-+ 0x4A, 0xFD, 0x1A, 0x05, 0x8F, 0x64, 0xB1, 0x6D, 0x61, 0x33, 0x8D, 0x9B,
-+ 0xE7, 0xFD, 0x60, 0xA3, 0x83, 0xB5, 0xA3, 0x51, 0x55, 0x77, 0x90, 0xCF,
-+ 0xDC, 0x22, 0x37, 0x8E, 0xD0, 0xE1, 0xAE, 0x09, 0xE3, 0x3D, 0x1E, 0xF8,
-+ 0x80, 0xD1, 0x8B, 0xC2, 0xEC, 0x0A, 0xD7, 0x6B, 0x88, 0x8B, 0x8B, 0xA1,
-+ 0x20, 0x22, 0xBE, 0x59, 0x5B, 0xE0, 0x23, 0x24, 0xA1, 0x49, 0x30, 0xBA,
-+ 0xA9, 0x9E, 0xE8, 0xB1, 0x8A, 0x62, 0x16, 0xBF, 0x4E, 0xCA, 0x2E, 0x4E,
-+ 0xBC, 0x29, 0xA8, 0x67, 0x13, 0xB7, 0x9F, 0x1D, 0x04, 0x44, 0xE5, 0x5F,
-+ 0x35, 0x07, 0x11, 0xBC, 0xED, 0x19, 0x37, 0x21, 0xCF, 0x23, 0x48, 0x1F,
-+ 0x72, 0x05, 0xDE, 0xE6, 0xE8, 0x7F, 0x33, 0x8A, 0x76, 0x4B, 0x2F, 0x95,
-+ 0xDF, 0xF1, 0x5F, 0x84, 0x80, 0xD9, 0x46, 0xB4
-+};
-+
-+static const unsigned char kat_RSA_SHA224[] = {
-+ 0x62, 0xAA, 0x79, 0xA9, 0x18, 0x0E, 0x5F, 0x8C, 0xBB, 0xB7, 0x15, 0xF9,
-+ 0x25, 0xBB, 0xFA, 0xD4, 0x3A, 0x34, 0xED, 0x9E, 0xA0, 0xA9, 0x18, 0x8D,
-+ 0x5B, 0x55, 0x9A, 0x7E, 0x1E, 0x08, 0x08, 0x60, 0xC5, 0x1A, 0xC5, 0x89,
-+ 0x08, 0xE2, 0x1B, 0xBD, 0x62, 0x50, 0x17, 0x76, 0x30, 0x2C, 0x9E, 0xCD,
-+ 0xA4, 0x02, 0xAD, 0xB1, 0x6D, 0x44, 0x6D, 0xD5, 0xC6, 0x45, 0x41, 0xE5,
-+ 0xEE, 0x1F, 0x8D, 0x7E, 0x08, 0x16, 0xA6, 0xE1, 0x5E, 0x0B, 0xA9, 0xCC,
-+ 0xDB, 0x59, 0x55, 0x87, 0x09, 0x25, 0x70, 0x86, 0x84, 0x02, 0xC6, 0x3B,
-+ 0x0B, 0x44, 0x4C, 0x46, 0x95, 0xF4, 0xF8, 0x5A, 0x91, 0x28, 0x3E, 0xB2,
-+ 0x58, 0x2E, 0x06, 0x45, 0x49, 0xE0, 0x92, 0xE2, 0xC0, 0x66, 0xE6, 0x35,
-+ 0xD9, 0x79, 0x7F, 0x17, 0x5E, 0x02, 0x73, 0x04, 0x77, 0x82, 0xE6, 0xDC,
-+ 0x40, 0x21, 0x89, 0x8B, 0x37, 0x3E, 0x1E, 0x8D
-+};
-+
-+static const unsigned char kat_RSA_SHA256[] = {
-+ 0x0D, 0x55, 0xE2, 0xAA, 0x81, 0xDB, 0x8E, 0x82, 0x05, 0x17, 0xA5, 0x23,
-+ 0xE7, 0x3B, 0x1D, 0xAF, 0xFB, 0x8C, 0xD0, 0x81, 0x20, 0x7B, 0xAA, 0x23,
-+ 0x92, 0x87, 0x8C, 0xD1, 0x53, 0x85, 0x16, 0xDC, 0xBE, 0xAD, 0x6F, 0x35,
-+ 0x98, 0x2D, 0x69, 0x84, 0xBF, 0xD9, 0x8A, 0x01, 0x17, 0x58, 0xB2, 0x6E,
-+ 0x2C, 0x44, 0x9B, 0x90, 0xF1, 0xFB, 0x51, 0xE8, 0x6A, 0x90, 0x2D, 0x18,
-+ 0x0E, 0xC0, 0x90, 0x10, 0x24, 0xA9, 0x1D, 0xB3, 0x58, 0x7A, 0x91, 0x30,
-+ 0xBE, 0x22, 0xC7, 0xD3, 0xEC, 0xC3, 0x09, 0x5D, 0xBF, 0xE2, 0x80, 0x3A,
-+ 0x7C, 0x85, 0xB4, 0xBC, 0xD1, 0xE9, 0xF0, 0x5C, 0xDE, 0x81, 0xA6, 0x38,
-+ 0xB8, 0x42, 0xBB, 0x86, 0xC5, 0x9D, 0xCE, 0x7C, 0x2C, 0xEE, 0xD1, 0xDA,
-+ 0x27, 0x48, 0x2B, 0xF5, 0xAB, 0xB9, 0xF7, 0x80, 0xD1, 0x90, 0x27, 0x90,
-+ 0xBD, 0x44, 0x97, 0x60, 0xCD, 0x57, 0xC0, 0x7A
-+};
-+
-+static const unsigned char kat_RSA_SHA384[] = {
-+ 0x1D, 0xE3, 0x6A, 0xDD, 0x27, 0x4C, 0xC0, 0xA5, 0x27, 0xEF, 0xE6, 0x1F,
-+ 0xD2, 0x91, 0x68, 0x59, 0x04, 0xAE, 0xBD, 0x99, 0x63, 0x56, 0x47, 0xC7,
-+ 0x6F, 0x22, 0x16, 0x48, 0xD0, 0xF9, 0x18, 0xA9, 0xCA, 0xFA, 0x5D, 0x5C,
-+ 0xA7, 0x65, 0x52, 0x8A, 0xC8, 0x44, 0x7E, 0x86, 0x5D, 0xA9, 0xA6, 0x55,
-+ 0x65, 0x3E, 0xD9, 0x2D, 0x02, 0x38, 0xA8, 0x79, 0x28, 0x7F, 0xB6, 0xCF,
-+ 0x82, 0xDD, 0x7E, 0x55, 0xE1, 0xB1, 0xBC, 0xE2, 0x19, 0x2B, 0x30, 0xC2,
-+ 0x1B, 0x2B, 0xB0, 0x82, 0x46, 0xAC, 0x4B, 0xD1, 0xE2, 0x7D, 0xEB, 0x8C,
-+ 0xFF, 0x95, 0xE9, 0x6A, 0x1C, 0x3D, 0x4D, 0xBF, 0x8F, 0x8B, 0x9C, 0xCD,
-+ 0xEA, 0x85, 0xEE, 0x00, 0xDC, 0x1C, 0xA7, 0xEB, 0xD0, 0x8F, 0x99, 0xF1,
-+ 0x16, 0x28, 0x24, 0x64, 0x04, 0x39, 0x2D, 0x58, 0x1E, 0x37, 0xDC, 0x04,
-+ 0xBD, 0x31, 0xA2, 0x2F, 0xB3, 0x35, 0x56, 0xBF
-+};
-+
-+static const unsigned char kat_RSA_SHA512[] = {
-+ 0x69, 0x52, 0x1B, 0x51, 0x5E, 0x06, 0xCA, 0x9B, 0x16, 0x51, 0x5D, 0xCF,
-+ 0x49, 0x25, 0x4A, 0xA1, 0x6A, 0x77, 0x4C, 0x36, 0x40, 0xF8, 0xB2, 0x9A,
-+ 0x15, 0xEA, 0x5C, 0xE5, 0xE6, 0x82, 0xE0, 0x86, 0x82, 0x6B, 0x32, 0xF1,
-+ 0x04, 0xC1, 0x5A, 0x1A, 0xED, 0x1E, 0x9A, 0xB6, 0x4C, 0x54, 0x9F, 0xD8,
-+ 0x8D, 0xCC, 0xAC, 0x8A, 0xBB, 0x9C, 0x82, 0x3F, 0xA6, 0x53, 0x62, 0xB5,
-+ 0x80, 0xE2, 0xBC, 0xDD, 0x67, 0x2B, 0xD9, 0x3F, 0xE4, 0x75, 0x92, 0x6B,
-+ 0xAF, 0x62, 0x7C, 0x52, 0xF0, 0xEE, 0x33, 0xDF, 0x1B, 0x1D, 0x47, 0xE6,
-+ 0x59, 0x56, 0xA5, 0xB9, 0x5C, 0xE6, 0x77, 0x78, 0x16, 0x63, 0x84, 0x05,
-+ 0x6F, 0x0E, 0x2B, 0x31, 0x9D, 0xF7, 0x7F, 0xB2, 0x64, 0x71, 0xE0, 0x2D,
-+ 0x3E, 0x62, 0xCE, 0xB5, 0x3F, 0x88, 0xDF, 0x2D, 0xAB, 0x98, 0x65, 0x91,
-+ 0xDF, 0x70, 0x14, 0xA5, 0x3F, 0x36, 0xAB, 0x84
-+};
-+
-+static const unsigned char kat_RSA_X931_SHA1[] = {
-+ 0x86, 0xB4, 0x18, 0xBA, 0xD1, 0x80, 0xB6, 0x7C, 0x42, 0x45, 0x4D, 0xDF,
-+ 0xE9, 0x2D, 0xE1, 0x83, 0x5F, 0xB5, 0x2F, 0xC9, 0xCD, 0xC4, 0xB2, 0x75,
-+ 0x80, 0xA4, 0xF1, 0x4A, 0xE7, 0x83, 0x12, 0x1E, 0x1E, 0x14, 0xB8, 0xAC,
-+ 0x35, 0xE2, 0xAA, 0x0B, 0x5C, 0xF8, 0x38, 0x4D, 0x04, 0xEE, 0xA9, 0x97,
-+ 0x70, 0xFB, 0x5E, 0xE7, 0xB7, 0xE3, 0x62, 0x23, 0x4B, 0x38, 0xBE, 0xD6,
-+ 0x53, 0x15, 0xF7, 0xDF, 0x87, 0xB4, 0x0E, 0xCC, 0xB1, 0x1A, 0x11, 0x19,
-+ 0xEE, 0x51, 0xCC, 0x92, 0xDD, 0xBC, 0x63, 0x29, 0x63, 0x0C, 0x59, 0xD7,
-+ 0x6F, 0x4C, 0x3C, 0x37, 0x5B, 0x37, 0x03, 0x61, 0x7D, 0x24, 0x1C, 0x99,
-+ 0x48, 0xAF, 0x82, 0xFE, 0x32, 0x41, 0x9B, 0xB2, 0xDB, 0xEA, 0xED, 0x76,
-+ 0x8E, 0x6E, 0xCA, 0x7E, 0x4E, 0x14, 0xBA, 0x30, 0x84, 0x1C, 0xB3, 0x67,
-+ 0xA3, 0x29, 0x80, 0x70, 0x54, 0x68, 0x7D, 0x49
-+};
-+
-+static const unsigned char kat_RSA_X931_SHA256[] = {
-+ 0x7E, 0xA2, 0x77, 0xFE, 0xB8, 0x54, 0x8A, 0xC7, 0x7F, 0x64, 0x54, 0x89,
-+ 0xE5, 0x52, 0x15, 0x8E, 0x52, 0x96, 0x4E, 0xA6, 0x58, 0x92, 0x1C, 0xDD,
-+ 0xEA, 0xA2, 0x2D, 0x5C, 0xD1, 0x62, 0x00, 0x49, 0x05, 0x95, 0x73, 0xCF,
-+ 0x16, 0x76, 0x68, 0xF6, 0xC6, 0x5E, 0x80, 0xB8, 0xB8, 0x7B, 0xC8, 0x9B,
-+ 0xC6, 0x53, 0x88, 0x26, 0x20, 0x88, 0x73, 0xB6, 0x13, 0xB8, 0xF0, 0x4B,
-+ 0x00, 0x85, 0xF3, 0xDD, 0x07, 0x50, 0xEB, 0x20, 0xC4, 0x38, 0x0E, 0x98,
-+ 0xAD, 0x4E, 0x49, 0x2C, 0xD7, 0x65, 0xA5, 0x19, 0x0E, 0x59, 0x01, 0xEC,
-+ 0x7E, 0x75, 0x89, 0x69, 0x2E, 0x63, 0x76, 0x85, 0x46, 0x8D, 0xA0, 0x8C,
-+ 0x33, 0x1D, 0x82, 0x8C, 0x03, 0xEA, 0x69, 0x88, 0x35, 0xA1, 0x42, 0xBD,
-+ 0x21, 0xED, 0x8D, 0xBC, 0xBC, 0xDB, 0x30, 0xFF, 0x86, 0xF0, 0x5B, 0xDC,
-+ 0xE3, 0xE2, 0xE8, 0x0A, 0x0A, 0x29, 0x94, 0x80
-+};
-+
-+static const unsigned char kat_RSA_X931_SHA384[] = {
-+ 0x5C, 0x7D, 0x96, 0x35, 0xEC, 0x7E, 0x11, 0x38, 0xBB, 0x7B, 0xEC, 0x7B,
-+ 0xF2, 0x82, 0x8E, 0x99, 0xBD, 0xEF, 0xD8, 0xAE, 0xD7, 0x39, 0x37, 0xCB,
-+ 0xE6, 0x4F, 0x5E, 0x0A, 0x13, 0xE4, 0x2E, 0x40, 0xB9, 0xBE, 0x2E, 0xE3,
-+ 0xEF, 0x78, 0x83, 0x18, 0x44, 0x35, 0x9C, 0x8E, 0xD7, 0x4A, 0x63, 0xF6,
-+ 0x57, 0xC2, 0xB0, 0x08, 0x51, 0x73, 0xCF, 0xCA, 0x99, 0x66, 0xEE, 0x31,
-+ 0xD8, 0x69, 0xE9, 0xAB, 0x13, 0x27, 0x7B, 0x41, 0x1E, 0x6D, 0x8D, 0xF1,
-+ 0x3E, 0x9C, 0x35, 0x95, 0x58, 0xDD, 0x2B, 0xD5, 0xA0, 0x60, 0x41, 0x79,
-+ 0x24, 0x22, 0xE4, 0xB7, 0xBF, 0x47, 0x53, 0xF6, 0x34, 0xD5, 0x7C, 0xFF,
-+ 0x0E, 0x09, 0xEE, 0x2E, 0xE2, 0x37, 0xB9, 0xDE, 0xC5, 0x12, 0x44, 0x35,
-+ 0xEF, 0x01, 0xE6, 0x5E, 0x39, 0x31, 0x2D, 0x71, 0xA5, 0xDC, 0xC6, 0x6D,
-+ 0xE2, 0xCD, 0x85, 0xDB, 0x73, 0x82, 0x65, 0x28
-+};
-+
-+static const unsigned char kat_RSA_X931_SHA512[] = {
-+ 0xA6, 0x65, 0xA2, 0x77, 0x4F, 0xB3, 0x86, 0xCB, 0x64, 0x3A, 0xC1, 0x63,
-+ 0xFC, 0xA1, 0xAA, 0xCB, 0x9B, 0x79, 0xDD, 0x4B, 0xE1, 0xD9, 0xDA, 0xAC,
-+ 0xE7, 0x47, 0x09, 0xB2, 0x11, 0x4B, 0x8A, 0xAA, 0x05, 0x9E, 0x77, 0xD7,
-+ 0x3A, 0xBD, 0x5E, 0x53, 0x09, 0x4A, 0xE6, 0x0F, 0x5E, 0xF9, 0x14, 0x28,
-+ 0xA0, 0x99, 0x74, 0x64, 0x70, 0x4E, 0xF2, 0xE3, 0xFA, 0xC7, 0xF8, 0xC5,
-+ 0x6E, 0x2B, 0x79, 0x96, 0x0D, 0x0C, 0xC8, 0x10, 0x34, 0x53, 0xD2, 0xAF,
-+ 0x17, 0x0E, 0xE0, 0xBF, 0x79, 0xF6, 0x04, 0x72, 0x10, 0xE0, 0xF6, 0xD0,
-+ 0xCE, 0x8A, 0x6F, 0xA1, 0x95, 0x89, 0xBF, 0x58, 0x8F, 0x46, 0x5F, 0x09,
-+ 0x9F, 0x09, 0xCA, 0x84, 0x15, 0x85, 0xE0, 0xED, 0x04, 0x2D, 0xFB, 0x7C,
-+ 0x36, 0x35, 0x21, 0x31, 0xC3, 0xFD, 0x92, 0x42, 0x11, 0x30, 0x71, 0x1B,
-+ 0x60, 0x83, 0x18, 0x88, 0xA3, 0xF5, 0x59, 0xC3
-+};
-+
-+int FIPS_selftest_rsa()
-+{
-+ int ret = 0;
-+ RSA *key;
-+ EVP_PKEY *pk = NULL;
-+
-+ if ((key = RSA_new()) == NULL)
-+ goto err;
-+ setrsakey(key);
-+ if ((pk = EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_assign_RSA(pk, key);
-+
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA1, sizeof(kat_RSA_SHA1),
-+ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA1 PKCS#1"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA224, sizeof(kat_RSA_SHA224),
-+ EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA224 PKCS#1"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA256, sizeof(kat_RSA_SHA256),
-+ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA256 PKCS#1"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA384, sizeof(kat_RSA_SHA384),
-+ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA384 PKCS#1"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA512, sizeof(kat_RSA_SHA512),
-+ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA512 PKCS#1"))
-+ goto err;
-+
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA1, sizeof(kat_RSA_PSS_SHA1),
-+ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS,
-+ "RSA SHA1 PSS"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA224,
-+ sizeof(kat_RSA_PSS_SHA224), EVP_sha224(),
-+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA224 PSS"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA256,
-+ sizeof(kat_RSA_PSS_SHA256), EVP_sha256(),
-+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA256 PSS"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA384,
-+ sizeof(kat_RSA_PSS_SHA384), EVP_sha384(),
-+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA384 PSS"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA512,
-+ sizeof(kat_RSA_PSS_SHA512), EVP_sha512(),
-+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA512 PSS"))
-+ goto err;
-+
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_X931_SHA1,
-+ sizeof(kat_RSA_X931_SHA1), EVP_sha1(),
-+ EVP_MD_CTX_FLAG_PAD_X931, "RSA SHA1 X931"))
-+ goto err;
-+ /* NB: SHA224 not supported in X9.31 */
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_X931_SHA256,
-+ sizeof(kat_RSA_X931_SHA256), EVP_sha256(),
-+ EVP_MD_CTX_FLAG_PAD_X931,
-+ "RSA SHA256 X931"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_X931_SHA384,
-+ sizeof(kat_RSA_X931_SHA384), EVP_sha384(),
-+ EVP_MD_CTX_FLAG_PAD_X931,
-+ "RSA SHA384 X931"))
-+ goto err;
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_X931_SHA512,
-+ sizeof(kat_RSA_X931_SHA512), EVP_sha512(),
-+ EVP_MD_CTX_FLAG_PAD_X931,
-+ "RSA SHA512 X931"))
-+ goto err;
-+
-+ ret = 1;
-+
-+ err:
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+ else if (key)
-+ RSA_free(key);
-+ return ret;
-+}
-+
-+#endif /* def OPENSSL_FIPS */
-diff -up openssl-1.0.2a/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.2a/crypto/fips/fips_rsa_x931g.c
---- openssl-1.0.2a/crypto/fips/fips_rsa_x931g.c.fips 2015-04-22 16:08:40.299245820 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_rsa_x931g.c 2015-04-22 16:08:40.299245820 +0200
-@@ -0,0 +1,273 @@
-+/* crypto/rsa/rsa_gen.c */
-+/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay at cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ *
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to. The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
-+ *
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * "This product includes cryptographic software written by
-+ * Eric Young (eay at cryptsoft.com)"
-+ * The word 'cryptographic' can be left out if the rouines from the library
-+ * being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from
-+ * the apps directory (application code) you must include an acknowledgement:
-+ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed. i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+
-+#include <stdio.h>
-+#include <string.h>
-+#include <time.h>
-+#include <openssl/err.h>
-+#include <openssl/bn.h>
-+#include <openssl/rsa.h>
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+
-+extern int fips_check_rsa(RSA *rsa);
-+#endif
-+
-+/* X9.31 RSA key derivation and generation */
-+
-+int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1,
-+ BIGNUM *q2, const BIGNUM *Xp1, const BIGNUM *Xp2,
-+ const BIGNUM *Xp, const BIGNUM *Xq1, const BIGNUM *Xq2,
-+ const BIGNUM *Xq, const BIGNUM *e, BN_GENCB *cb)
-+{
-+ BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL;
-+ BN_CTX *ctx = NULL, *ctx2 = NULL;
-+
-+ if (!rsa)
-+ goto err;
-+
-+ ctx = BN_CTX_new();
-+ if (!ctx)
-+ goto err;
-+ BN_CTX_start(ctx);
-+
-+ r0 = BN_CTX_get(ctx);
-+ r1 = BN_CTX_get(ctx);
-+ r2 = BN_CTX_get(ctx);
-+ r3 = BN_CTX_get(ctx);
-+
-+ if (r3 == NULL)
-+ goto err;
-+ if (!rsa->e) {
-+ rsa->e = BN_dup(e);
-+ if (!rsa->e)
-+ goto err;
-+ } else
-+ e = rsa->e;
-+
-+ /* If not all parameters present only calculate what we can.
-+ * This allows test programs to output selective parameters.
-+ */
-+
-+ if (Xp && !rsa->p) {
-+ rsa->p = BN_new();
-+ if (!rsa->p)
-+ goto err;
-+
-+ if (!BN_X931_derive_prime_ex(rsa->p, p1, p2,
-+ Xp, Xp1, Xp2, e, ctx, cb))
-+ goto err;
-+ }
-+
-+ if (Xq && !rsa->q) {
-+ rsa->q = BN_new();
-+ if (!rsa->q)
-+ goto err;
-+ if (!BN_X931_derive_prime_ex(rsa->q, q1, q2,
-+ Xq, Xq1, Xq2, e, ctx, cb))
-+ goto err;
-+ }
-+
-+ if (!rsa->p || !rsa->q) {
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
-+ return 2;
-+ }
-+
-+ /* Since both primes are set we can now calculate all remaining
-+ * components.
-+ */
-+
-+ /* calculate n */
-+ rsa->n = BN_new();
-+ if (rsa->n == NULL)
-+ goto err;
-+ if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
-+ goto err;
-+
-+ /* calculate d */
-+ if (!BN_sub(r1, rsa->p, BN_value_one()))
-+ goto err; /* p-1 */
-+ if (!BN_sub(r2, rsa->q, BN_value_one()))
-+ goto err; /* q-1 */
-+ if (!BN_mul(r0, r1, r2, ctx))
-+ goto err; /* (p-1)(q-1) */
-+
-+ if (!BN_gcd(r3, r1, r2, ctx))
-+ goto err;
-+
-+ if (!BN_div(r0, NULL, r0, r3, ctx))
-+ goto err; /* LCM((p-1)(q-1)) */
-+
-+ ctx2 = BN_CTX_new();
-+ if (!ctx2)
-+ goto err;
-+
-+ rsa->d = BN_mod_inverse(NULL, rsa->e, r0, ctx2); /* d */
-+ if (rsa->d == NULL)
-+ goto err;
-+
-+ /* calculate d mod (p-1) */
-+ rsa->dmp1 = BN_new();
-+ if (rsa->dmp1 == NULL)
-+ goto err;
-+ if (!BN_mod(rsa->dmp1, rsa->d, r1, ctx))
-+ goto err;
-+
-+ /* calculate d mod (q-1) */
-+ rsa->dmq1 = BN_new();
-+ if (rsa->dmq1 == NULL)
-+ goto err;
-+ if (!BN_mod(rsa->dmq1, rsa->d, r2, ctx))
-+ goto err;
-+
-+ /* calculate inverse of q mod p */
-+ rsa->iqmp = BN_mod_inverse(NULL, rsa->q, rsa->p, ctx2);
-+
-+ err:
-+ if (ctx) {
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
-+ }
-+ if (ctx2)
-+ BN_CTX_free(ctx2);
-+ /* If this is set all calls successful */
-+ if (rsa && rsa->iqmp != NULL)
-+ return 1;
-+
-+ return 0;
-+
-+}
-+
-+int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e,
-+ BN_GENCB *cb)
-+{
-+ int ok = 0;
-+ BIGNUM *Xp = NULL, *Xq = NULL;
-+ BN_CTX *ctx = NULL;
-+
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) &&
-+ (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
-+ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX, FIPS_R_KEY_TOO_SHORT);
-+ return 0;
-+ }
-+
-+ if (bits & 0xff) {
-+ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX, FIPS_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
-+
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX, FIPS_R_FIPS_SELFTEST_FAILED);
-+ return 0;
-+ }
-+#endif
-+
-+ ctx = BN_CTX_new();
-+ if (!ctx)
-+ goto error;
-+
-+ BN_CTX_start(ctx);
-+ Xp = BN_CTX_get(ctx);
-+ Xq = BN_CTX_get(ctx);
-+ if (!BN_X931_generate_Xpq(Xp, Xq, bits, ctx))
-+ goto error;
-+
-+ rsa->p = BN_new();
-+ rsa->q = BN_new();
-+ if (!rsa->p || !rsa->q)
-+ goto error;
-+
-+ /* Generate two primes from Xp, Xq */
-+
-+ if (!BN_X931_generate_prime_ex(rsa->p, NULL, NULL, NULL, NULL, Xp,
-+ e, ctx, cb))
-+ goto error;
-+
-+ if (!BN_X931_generate_prime_ex(rsa->q, NULL, NULL, NULL, NULL, Xq,
-+ e, ctx, cb))
-+ goto error;
-+
-+ /* Since rsa->p and rsa->q are valid this call will just derive
-+ * remaining RSA components.
-+ */
-+
-+ if (!RSA_X931_derive_ex(rsa, NULL, NULL, NULL, NULL,
-+ NULL, NULL, NULL, NULL, NULL, NULL, e, cb))
-+ goto error;
-+
-+#ifdef OPENSSL_FIPS
-+ if (!fips_check_rsa(rsa))
-+ goto error;
-+#endif
-+
-+ ok = 1;
-+
-+ error:
-+ if (ctx) {
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
-+ }
-+
-+ if (ok)
-+ return 1;
-+
-+ return 0;
-+
-+}
-diff -up openssl-1.0.2a/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.2a/crypto/fips/fips_sha_selftest.c
---- openssl-1.0.2a/crypto/fips/fips_sha_selftest.c.fips 2015-04-22 16:08:40.300245844 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_sha_selftest.c 2015-04-22 16:08:40.300245844 +0200
-@@ -0,0 +1,145 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-+#include <openssl/evp.h>
-+#include <openssl/sha.h>
-+
-+#ifdef OPENSSL_FIPS
-+static const char test[][60] = {
-+ "",
-+ "abc",
-+ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
-+};
-+
-+static const unsigned char ret[][SHA_DIGEST_LENGTH] = {
-+ {0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55,
-+ 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09},
-+ {0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a, 0xba, 0x3e,
-+ 0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d},
-+ {0x84, 0x98, 0x3e, 0x44, 0x1c, 0x3b, 0xd2, 0x6e, 0xba, 0xae,
-+ 0x4a, 0xa1, 0xf9, 0x51, 0x29, 0xe5, 0xe5, 0x46, 0x70, 0xf1},
-+};
-+
-+static int corrupt_sha;
-+
-+void FIPS_corrupt_sha1()
-+{
-+ corrupt_sha = 1;
-+}
-+
-+int FIPS_selftest_sha1()
-+{
-+ int n;
-+
-+ for (n = 0; n < sizeof(test) / sizeof(test[0]); ++n) {
-+ unsigned char md[SHA_DIGEST_LENGTH];
-+
-+ EVP_Digest(test[n], strlen(test[n]) + corrupt_sha, md, NULL,
-+ EVP_sha1(), NULL);
-+ if (memcmp(md, ret[n], sizeof md)) {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA1, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+ }
-+ return 1;
-+}
-+
-+static const unsigned char msg_sha256[] =
-+ { 0xfa, 0x48, 0x59, 0x2a, 0xe1, 0xae, 0x1f, 0x30,
-+ 0xfc
-+};
-+
-+static const unsigned char dig_sha256[] =
-+ { 0xf7, 0x26, 0xd8, 0x98, 0x47, 0x91, 0x68, 0x5b,
-+ 0x9e, 0x39, 0xb2, 0x58, 0xbb, 0x75, 0xbf, 0x01,
-+ 0x17, 0x0c, 0x84, 0x00, 0x01, 0x7a, 0x94, 0x83,
-+ 0xf3, 0x0b, 0x15, 0x84, 0x4b, 0x69, 0x88, 0x8a
-+};
-+
-+static const unsigned char msg_sha512[] =
-+ { 0x37, 0xd1, 0x35, 0x9d, 0x18, 0x41, 0xe9, 0xb7,
-+ 0x6d, 0x9a, 0x13, 0xda, 0x5f, 0xf3, 0xbd
-+};
-+
-+static const unsigned char dig_sha512[] =
-+ { 0x11, 0x13, 0xc4, 0x19, 0xed, 0x2b, 0x1d, 0x16,
-+ 0x11, 0xeb, 0x9b, 0xbe, 0xf0, 0x7f, 0xcf, 0x44,
-+ 0x8b, 0xd7, 0x57, 0xbd, 0x8d, 0xa9, 0x25, 0xb0,
-+ 0x47, 0x25, 0xd6, 0x6c, 0x9a, 0x54, 0x7f, 0x8f,
-+ 0x0b, 0x53, 0x1a, 0x10, 0x68, 0x32, 0x03, 0x38,
-+ 0x82, 0xc4, 0x87, 0xc4, 0xea, 0x0e, 0xd1, 0x04,
-+ 0xa9, 0x98, 0xc1, 0x05, 0xa3, 0xf3, 0xf8, 0xb1,
-+ 0xaf, 0xbc, 0xd9, 0x78, 0x7e, 0xee, 0x3d, 0x43
-+};
-+
-+int FIPS_selftest_sha2(void)
-+{
-+ unsigned char md[SHA512_DIGEST_LENGTH];
-+
-+ EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL);
-+ if (memcmp(dig_sha256, md, sizeof(dig_sha256))) {
-+ FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ EVP_Digest(msg_sha512, sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL);
-+ if (memcmp(dig_sha512, md, sizeof(dig_sha512))) {
-+ FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ return 1;
-+}
-+
-+#endif
-diff -up openssl-1.0.2a/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.2a/crypto/fips/fips_standalone_hmac.c
---- openssl-1.0.2a/crypto/fips/fips_standalone_hmac.c.fips 2015-04-22 19:05:28.500174541 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_standalone_hmac.c 2015-04-22 19:20:28.777446278 +0200
-@@ -0,0 +1,268 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core at openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <openssl/opensslconf.h>
-+#include <openssl/sha.h>
-+#include <openssl/hmac.h>
-+
-+#ifndef FIPSCANISTER_O
-+int FIPS_selftest_failed()
-+{
-+ return 0;
-+}
-+
-+void FIPS_selftest_check()
-+{
-+}
-+#endif
-+
-+#ifdef OPENSSL_FIPS
-+int bn_mul_mont_fpu64(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-+ const BN_ULONG *np, const BN_ULONG *n0, int num)
-+{
-+ return 0;
-+};
-+
-+int bn_mul_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-+ const BN_ULONG *np, const BN_ULONG *n0, int num)
-+{
-+ return 0;
-+};
-+
-+# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
-+ defined(__INTEL__) || \
-+ defined(__x86_64) || defined(__x86_64__) || \
-+ defined(_M_AMD64) || defined(_M_X64)
-+
-+unsigned int OPENSSL_ia32cap_P[4];
-+unsigned long *OPENSSL_ia32cap_loc(void)
-+{
-+ if (sizeof(long) == 4)
-+ /*
-+ * If 32-bit application pulls address of OPENSSL_ia32cap_P[0]
-+ * clear second element to maintain the illusion that vector
-+ * is 32-bit.
-+ */
-+ OPENSSL_ia32cap_P[1] = 0;
-+
-+ OPENSSL_ia32cap_P[2] = 0;
-+
-+ return (unsigned long *)OPENSSL_ia32cap_P;
-+}
-+
-+# if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM) && !defined(I386_ONLY)
-+# define OPENSSL_CPUID_SETUP
-+# if defined(_WIN32)
-+typedef unsigned __int64 IA32CAP;
-+# else
-+typedef unsigned long long IA32CAP;
-+# endif
-+void OPENSSL_cpuid_setup(void)
-+{
-+ static int trigger = 0;
-+ IA32CAP OPENSSL_ia32_cpuid(unsigned int *);
-+ IA32CAP vec;
-+ char *env;
-+
-+ if (trigger)
-+ return;
-+
-+ trigger = 1;
-+ if ((env = getenv("OPENSSL_ia32cap"))) {
-+ int off = (env[0] == '~') ? 1 : 0;
-+# if defined(_WIN32)
-+ if (!sscanf(env + off, "%I64i", &vec))
-+ vec = strtoul(env + off, NULL, 0);
-+# else
-+ if (!sscanf(env + off, "%lli", (long long *)&vec))
-+ vec = strtoul(env + off, NULL, 0);
-+# endif
-+ if (off)
-+ vec = OPENSSL_ia32_cpuid(OPENSSL_ia32cap_P) & ~vec;
-+ else if (env[0] == ':')
-+ vec = OPENSSL_ia32_cpuid(OPENSSL_ia32cap_P);
-+
-+ OPENSSL_ia32cap_P[2] = 0;
-+ if ((env = strchr(env, ':'))) {
-+ unsigned int vecx;
-+ env++;
-+ off = (env[0] == '~') ? 1 : 0;
-+ vecx = strtoul(env + off, NULL, 0);
-+ if (off)
-+ OPENSSL_ia32cap_P[2] &= ~vecx;
-+ else
-+ OPENSSL_ia32cap_P[2] = vecx;
-+ }
-+ } else
-+ vec = OPENSSL_ia32_cpuid(OPENSSL_ia32cap_P);
-+
-+ /*
-+ * |(1<<10) sets a reserved bit to signal that variable
-+ * was initialized already... This is to avoid interference
-+ * with cpuid snippets in ELF .init segment.
-+ */
-+ OPENSSL_ia32cap_P[0] = (unsigned int)vec | (1 << 10);
-+ OPENSSL_ia32cap_P[1] = (unsigned int)(vec >> 32);
-+}
-+# else
-+unsigned int OPENSSL_ia32cap_P[4];
-+# endif
-+
-+# else
-+unsigned long *OPENSSL_ia32cap_loc(void)
-+{
-+ return NULL;
-+}
-+# endif
-+int OPENSSL_NONPIC_relocated = 0;
-+# if !defined(OPENSSL_CPUID_SETUP) && !defined(OPENSSL_CPUID_OBJ)
-+void OPENSSL_cpuid_setup(void)
-+{
-+}
-+# endif
-+
-+static void hmac_init(SHA256_CTX *md_ctx, SHA256_CTX *o_ctx, const char *key)
-+{
-+ size_t len = strlen(key);
-+ int i;
-+ unsigned char keymd[HMAC_MAX_MD_CBLOCK];
-+ unsigned char pad[HMAC_MAX_MD_CBLOCK];
-+
-+ if (len > SHA_CBLOCK) {
-+ SHA256_Init(md_ctx);
-+ SHA256_Update(md_ctx, key, len);
-+ SHA256_Final(keymd, md_ctx);
-+ len = SHA256_DIGEST_LENGTH;
-+ } else
-+ memcpy(keymd, key, len);
-+ memset(&keymd[len], '\0', HMAC_MAX_MD_CBLOCK - len);
-+
-+ for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++)
-+ pad[i] = 0x36 ^ keymd[i];
-+ SHA256_Init(md_ctx);
-+ SHA256_Update(md_ctx, pad, SHA256_CBLOCK);
-+
-+ for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++)
-+ pad[i] = 0x5c ^ keymd[i];
-+ SHA256_Init(o_ctx);
-+ SHA256_Update(o_ctx, pad, SHA256_CBLOCK);
-+}
-+
-+static void hmac_final(unsigned char *md, SHA256_CTX *md_ctx,
-+ SHA256_CTX *o_ctx)
-+{
-+ unsigned char buf[SHA256_DIGEST_LENGTH];
-+
-+ SHA256_Final(buf, md_ctx);
-+ SHA256_Update(o_ctx, buf, sizeof buf);
-+ SHA256_Final(md, o_ctx);
-+}
-+
-+#endif
-+
-+int main(int argc, char **argv)
-+{
-+#ifdef OPENSSL_FIPS
-+ static char key[] = "orboDeJITITejsirpADONivirpUkvarP";
-+ int n, binary = 0;
-+
-+ if (argc < 2) {
-+ fprintf(stderr, "%s [<file>]+\n", argv[0]);
-+ exit(1);
-+ }
-+
-+ n = 1;
-+ if (!strcmp(argv[n], "-binary")) {
-+ n++;
-+ binary = 1; /* emit binary fingerprint... */
-+ }
-+
-+ for (; n < argc; ++n) {
-+ FILE *f = fopen(argv[n], "rb");
-+ SHA256_CTX md_ctx, o_ctx;
-+ unsigned char md[SHA256_DIGEST_LENGTH];
-+ int i;
-+
-+ if (!f) {
-+ perror(argv[n]);
-+ exit(2);
-+ }
-+
-+ hmac_init(&md_ctx, &o_ctx, key);
-+ for (;;) {
-+ char buf[1024];
-+ size_t l = fread(buf, 1, sizeof buf, f);
-+
-+ if (l == 0) {
-+ if (ferror(f)) {
-+ perror(argv[n]);
-+ exit(3);
-+ } else
-+ break;
-+ }
-+ SHA256_Update(&md_ctx, buf, l);
-+ }
-+ hmac_final(md, &md_ctx, &o_ctx);
-+
-+ if (binary) {
-+ fwrite(md, SHA256_DIGEST_LENGTH, 1, stdout);
-+ break; /* ... for single(!) file */
-+ }
-+
-+/* printf("HMAC-SHA1(%s)= ",argv[n]); */
-+ for (i = 0; i < SHA256_DIGEST_LENGTH; ++i)
-+ printf("%02x", md[i]);
-+ printf("\n");
-+ }
-+#endif
-+ return 0;
-+}
-diff -up openssl-1.0.2a/crypto/fips/fips_test_suite.c.fips openssl-1.0.2a/crypto/fips/fips_test_suite.c
---- openssl-1.0.2a/crypto/fips/fips_test_suite.c.fips 2015-04-22 16:08:40.300245844 +0200
-+++ openssl-1.0.2a/crypto/fips/fips_test_suite.c 2015-04-22 16:08:40.300245844 +0200
-@@ -0,0 +1,639 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ *
-+ * This command is intended as a test driver for the FIPS-140 testing
-+ * lab performing FIPS-140 validation. It demonstrates the use of the
-+ * OpenSSL library ito perform a variety of common cryptographic
-+ * functions. A power-up self test is demonstrated by deliberately
-+ * pointing to an invalid executable hash
-+ *
-+ * Contributed by Steve Marquess.
-+ *
-+ */
-+#include <stdio.h>
-+#include <assert.h>
-+#include <ctype.h>
-+#include <string.h>
-+#include <stdlib.h>
-+#include <openssl/aes.h>
-+#include <openssl/des.h>
-+#include <openssl/rsa.h>
-+#include <openssl/dsa.h>
-+#include <openssl/dh.h>
-+#include <openssl/hmac.h>
-+#include <openssl/err.h>
-+
-+#include <openssl/bn.h>
-+#include <openssl/rand.h>
-+#include <openssl/sha.h>
-+
-+#ifndef OPENSSL_FIPS
-+int main(int argc, char *argv[])
-+{
-+ printf("No FIPS support\n");
-+ return (0);
-+}
-+#else
-+
-+# include <openssl/fips.h>
-+# include "fips_utl.h"
-+
-+/* AES: encrypt and decrypt known plaintext, verify result matches original plaintext
-+*/
-+static int FIPS_aes_test(void)
-+{
-+ int ret = 0;
-+ unsigned char pltmp[16];
-+ unsigned char citmp[16];
-+ unsigned char key[16] =
-+ { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
-+ unsigned char plaintext[16] = "etaonrishdlcu";
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+ if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(), NULL, key, NULL, 1) <= 0)
-+ goto err;
-+ EVP_Cipher(&ctx, citmp, plaintext, 16);
-+ if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(), NULL, key, NULL, 0) <= 0)
-+ goto err;
-+ EVP_Cipher(&ctx, pltmp, citmp, 16);
-+ if (memcmp(pltmp, plaintext, 16))
-+ goto err;
-+ ret = 1;
-+ err:
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+ return ret;
-+}
-+
-+static int FIPS_des3_test(void)
-+{
-+ int ret = 0;
-+ unsigned char pltmp[8];
-+ unsigned char citmp[8];
-+ unsigned char key[] =
-+ { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18,
-+ 19, 20, 21, 22, 23, 24
-+ };
-+ unsigned char plaintext[] = { 'e', 't', 'a', 'o', 'n', 'r', 'i', 's' };
-+ EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX_init(&ctx);
-+ if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(), NULL, key, NULL, 1) <= 0)
-+ goto err;
-+ EVP_Cipher(&ctx, citmp, plaintext, 8);
-+ if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(), NULL, key, NULL, 0) <= 0)
-+ goto err;
-+ EVP_Cipher(&ctx, pltmp, citmp, 8);
-+ if (memcmp(pltmp, plaintext, 8))
-+ goto err;
-+ ret = 1;
-+ err:
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+ return ret;
-+}
-+
-+/*
-+ * DSA: generate keys and sign, verify input plaintext.
-+ */
-+static int FIPS_dsa_test(int bad)
-+{
-+ DSA *dsa = NULL;
-+ EVP_PKEY pk;
-+ unsigned char dgst[] = "etaonrishdlc";
-+ unsigned char buf[60];
-+ unsigned int slen;
-+ int r = 0;
-+ EVP_MD_CTX mctx;
-+
-+ ERR_clear_error();
-+ EVP_MD_CTX_init(&mctx);
-+ dsa = DSA_new();
-+ if (!dsa)
-+ goto end;
-+ if (!DSA_generate_parameters_ex(dsa, 1024, NULL, 0, NULL, NULL, NULL))
-+ goto end;
-+ if (!DSA_generate_key(dsa))
-+ goto end;
-+ if (bad)
-+ BN_add_word(dsa->pub_key, 1);
-+
-+ pk.type = EVP_PKEY_DSA;
-+ pk.pkey.dsa = dsa;
-+
-+ if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL))
-+ goto end;
-+ if (!EVP_SignUpdate(&mctx, dgst, sizeof(dgst) - 1))
-+ goto end;
-+ if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
-+ goto end;
-+
-+ if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL))
-+ goto end;
-+ if (!EVP_VerifyUpdate(&mctx, dgst, sizeof(dgst) - 1))
-+ goto end;
-+ r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
-+ end:
-+ EVP_MD_CTX_cleanup(&mctx);
-+ if (dsa)
-+ DSA_free(dsa);
-+ if (r != 1)
-+ return 0;
-+ return 1;
-+}
-+
-+/*
-+ * RSA: generate keys and sign, verify input plaintext.
-+ */
-+static int FIPS_rsa_test(int bad)
-+{
-+ RSA *key;
-+ unsigned char input_ptext[] = "etaonrishdlc";
-+ unsigned char buf[256];
-+ unsigned int slen;
-+ BIGNUM *bn;
-+ EVP_MD_CTX mctx;
-+ EVP_PKEY pk;
-+ int r = 0;
-+
-+ ERR_clear_error();
-+ EVP_MD_CTX_init(&mctx);
-+ key = RSA_new();
-+ bn = BN_new();
-+ if (!key || !bn)
-+ return 0;
-+ BN_set_word(bn, 65537);
-+ if (!RSA_generate_key_ex(key, 1024, bn, NULL))
-+ return 0;
-+ BN_free(bn);
-+ if (bad)
-+ BN_add_word(key->n, 1);
-+
-+ pk.type = EVP_PKEY_RSA;
-+ pk.pkey.rsa = key;
-+
-+ if (!EVP_SignInit_ex(&mctx, EVP_sha1(), NULL))
-+ goto end;
-+ if (!EVP_SignUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
-+ goto end;
-+ if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
-+ goto end;
-+
-+ if (!EVP_VerifyInit_ex(&mctx, EVP_sha1(), NULL))
-+ goto end;
-+ if (!EVP_VerifyUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
-+ goto end;
-+ r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
-+ end:
-+ EVP_MD_CTX_cleanup(&mctx);
-+ if (key)
-+ RSA_free(key);
-+ if (r != 1)
-+ return 0;
-+ return 1;
-+}
-+
-+/* SHA1: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_sha1_test()
-+{
-+ unsigned char digest[SHA_DIGEST_LENGTH] =
-+ { 0x11, 0xf1, 0x9a, 0x3a, 0xec, 0x1a, 0x1e, 0x8e, 0x65, 0xd4, 0x9a,
-+0x38, 0x0c, 0x8b, 0x1e, 0x2c, 0xe8, 0xb3, 0xc5, 0x18 };
-+ unsigned char str[] = "etaonrishd";
-+
-+ unsigned char md[SHA_DIGEST_LENGTH];
-+
-+ ERR_clear_error();
-+ if (!EVP_Digest(str, sizeof(str) - 1, md, NULL, EVP_sha1(), NULL))
-+ return 0;
-+ if (memcmp(md, digest, sizeof(md)))
-+ return 0;
-+ return 1;
-+}
-+
-+/* SHA256: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_sha256_test()
-+{
-+ unsigned char digest[SHA256_DIGEST_LENGTH] =
-+ { 0xf5, 0x53, 0xcd, 0xb8, 0xcf, 0x1, 0xee, 0x17, 0x9b, 0x93, 0xc9,
-+0x68, 0xc0, 0xea, 0x40, 0x91,
-+ 0x6, 0xec, 0x8e, 0x11, 0x96, 0xc8, 0x5d, 0x1c, 0xaf, 0x64, 0x22, 0xe6,
-+ 0x50, 0x4f, 0x47, 0x57
-+ };
-+ unsigned char str[] = "etaonrishd";
-+
-+ unsigned char md[SHA256_DIGEST_LENGTH];
-+
-+ ERR_clear_error();
-+ if (!EVP_Digest(str, sizeof(str) - 1, md, NULL, EVP_sha256(), NULL))
-+ return 0;
-+ if (memcmp(md, digest, sizeof(md)))
-+ return 0;
-+ return 1;
-+}
-+
-+/* SHA512: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_sha512_test()
-+{
-+ unsigned char digest[SHA512_DIGEST_LENGTH] =
-+ { 0x99, 0xc9, 0xe9, 0x5b, 0x88, 0xd4, 0x78, 0x88, 0xdf, 0x88, 0x5f,
-+0x94, 0x71, 0x64, 0x28, 0xca,
-+ 0x16, 0x1f, 0x3d, 0xf4, 0x1f, 0xf3, 0x0f, 0xc5, 0x03, 0x99, 0xb2,
-+ 0xd0, 0xe7, 0x0b, 0x94, 0x4a,
-+ 0x45, 0xd2, 0x6c, 0x4f, 0x20, 0x06, 0xef, 0x71, 0xa9, 0x25, 0x7f,
-+ 0x24, 0xb1, 0xd9, 0x40, 0x22,
-+ 0x49, 0x54, 0x10, 0xc2, 0x22, 0x9d, 0x27, 0xfe, 0xbd, 0xd6, 0xd6,
-+ 0xeb, 0x2d, 0x42, 0x1d, 0xa3
-+ };
-+ unsigned char str[] = "etaonrishd";
-+
-+ unsigned char md[SHA512_DIGEST_LENGTH];
-+
-+ ERR_clear_error();
-+ if (!EVP_Digest(str, sizeof(str) - 1, md, NULL, EVP_sha512(), NULL))
-+ return 0;
-+ if (memcmp(md, digest, sizeof(md)))
-+ return 0;
-+ return 1;
-+}
-+
-+/* HMAC-SHA1: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_hmac_sha1_test()
-+{
-+ unsigned char key[] = "etaonrishd";
-+ unsigned char iv[] = "Sample text";
-+ unsigned char kaval[EVP_MAX_MD_SIZE] =
-+ { 0x73, 0xf7, 0xa0, 0x48, 0xf8, 0x94, 0xed, 0xdd, 0x0a, 0xea, 0xea,
-+0x56, 0x1b, 0x61, 0x2e, 0x70,
-+ 0xb2, 0xfb, 0xec, 0xc6
-+ };
-+
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ unsigned int outlen;
-+
-+ ERR_clear_error();
-+ if (!HMAC
-+ (EVP_sha1(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out, &outlen))
-+ return 0;
-+ if (memcmp(out, kaval, outlen))
-+ return 0;
-+ return 1;
-+}
-+
-+/* HMAC-SHA224: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_hmac_sha224_test()
-+{
-+ unsigned char key[] = "etaonrishd";
-+ unsigned char iv[] = "Sample text";
-+ unsigned char kaval[EVP_MAX_MD_SIZE] =
-+ { 0x75, 0x58, 0xd5, 0xbd, 0x55, 0x6d, 0x87, 0x0f, 0x75, 0xff, 0xbe,
-+0x1c, 0xb2, 0xf0, 0x20, 0x35,
-+ 0xe5, 0x62, 0x49, 0xb6, 0x94, 0xb9, 0xfc, 0x65, 0x34, 0x33, 0x3a, 0x19
-+ };
-+
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ unsigned int outlen;
-+
-+ ERR_clear_error();
-+ if (!HMAC
-+ (EVP_sha224(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out,
-+ &outlen))
-+ return 0;
-+ if (memcmp(out, kaval, outlen))
-+ return 0;
-+ return 1;
-+}
-+
-+/* HMAC-SHA256: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_hmac_sha256_test()
-+{
-+ unsigned char key[] = "etaonrishd";
-+ unsigned char iv[] = "Sample text";
-+ unsigned char kaval[EVP_MAX_MD_SIZE] =
-+ { 0xe9, 0x17, 0xc1, 0x7b, 0x4c, 0x6b, 0x77, 0xda, 0xd2, 0x30, 0x36,
-+0x02, 0xf5, 0x72, 0x33, 0x87,
-+ 0x9f, 0xc6, 0x6e, 0x7b, 0x7e, 0xa8, 0xea, 0xaa, 0x9f, 0xba, 0xee,
-+ 0x51, 0xff, 0xda, 0x24, 0xf4
-+ };
-+
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ unsigned int outlen;
-+
-+ ERR_clear_error();
-+ if (!HMAC
-+ (EVP_sha256(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out,
-+ &outlen))
-+ return 0;
-+ if (memcmp(out, kaval, outlen))
-+ return 0;
-+ return 1;
-+}
-+
-+/* HMAC-SHA384: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_hmac_sha384_test()
-+{
-+ unsigned char key[] = "etaonrishd";
-+ unsigned char iv[] = "Sample text";
-+ unsigned char kaval[EVP_MAX_MD_SIZE] =
-+ { 0xb2, 0x9d, 0x40, 0x58, 0x32, 0xc4, 0xe3, 0x31, 0xb6, 0x63, 0x08,
-+0x26, 0x99, 0xef, 0x3b, 0x10,
-+ 0xe2, 0xdf, 0xf8, 0xff, 0xc6, 0xe1, 0x03, 0x29, 0x81, 0x2a, 0x1b,
-+ 0xac, 0xb0, 0x07, 0x39, 0x08,
-+ 0xf3, 0x91, 0x35, 0x11, 0x76, 0xd6, 0x4c, 0x20, 0xfb, 0x4d, 0xc3,
-+ 0xf3, 0xb8, 0x9b, 0x88, 0x1c
-+ };
-+
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ unsigned int outlen;
-+
-+ ERR_clear_error();
-+ if (!HMAC
-+ (EVP_sha384(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out,
-+ &outlen))
-+ return 0;
-+ if (memcmp(out, kaval, outlen))
-+ return 0;
-+ return 1;
-+}
-+
-+/* HMAC-SHA512: generate hash of known digest value and compare to known
-+ precomputed correct hash
-+*/
-+static int FIPS_hmac_sha512_test()
-+{
-+ unsigned char key[] = "etaonrishd";
-+ unsigned char iv[] = "Sample text";
-+ unsigned char kaval[EVP_MAX_MD_SIZE] =
-+ { 0xcd, 0x3e, 0xb9, 0x51, 0xb8, 0xbc, 0x7f, 0x9a, 0x23, 0xaf, 0xf3,
-+0x77, 0x59, 0x85, 0xa9, 0xe6,
-+ 0xf7, 0xd1, 0x51, 0x96, 0x17, 0xe0, 0x92, 0xd8, 0xa6, 0x3b, 0xc1,
-+ 0xad, 0x7e, 0x24, 0xca, 0xb1,
-+ 0xd7, 0x79, 0x0a, 0xa5, 0xea, 0x2c, 0x02, 0x58, 0x0b, 0xa6, 0x52,
-+ 0x6b, 0x61, 0x7f, 0xeb, 0x9c,
-+ 0x47, 0x86, 0x5d, 0x74, 0x2b, 0x88, 0xdf, 0xee, 0x46, 0x69, 0x96,
-+ 0x3d, 0xa6, 0xd9, 0x2a, 0x53
-+ };
-+
-+ unsigned char out[EVP_MAX_MD_SIZE];
-+ unsigned int outlen;
-+
-+ ERR_clear_error();
-+ if (!HMAC
-+ (EVP_sha512(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out,
-+ &outlen))
-+ return 0;
-+ if (memcmp(out, kaval, outlen))
-+ return 0;
-+ return 1;
-+}
-+
-+/* DH: generate shared parameters
-+*/
-+static int dh_test()
-+{
-+ DH *dh;
-+ ERR_clear_error();
-+ dh = FIPS_dh_new();
-+ if (!dh)
-+ return 0;
-+ if (!DH_generate_parameters_ex(dh, 1024, 2, NULL))
-+ return 0;
-+ FIPS_dh_free(dh);
-+ return 1;
-+}
-+
-+/* Zeroize
-+*/
-+static int Zeroize()
-+{
-+ RSA *key;
-+ BIGNUM *bn;
-+ unsigned char userkey[16] =
-+ { 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f,
-+0x83, 0x02, 0xb1, 0x09, 0x68 };
-+ int i, n;
-+
-+ key = FIPS_rsa_new();
-+ bn = BN_new();
-+ if (!key || !bn)
-+ return 0;
-+ BN_set_word(bn, 65537);
-+ if (!RSA_generate_key_ex(key, 1024, bn, NULL))
-+ return 0;
-+ BN_free(bn);
-+
-+ n = BN_num_bytes(key->d);
-+ printf(" Generated %d byte RSA private key\n", n);
-+ printf("\tBN key before overwriting:\n");
-+ do_bn_print(stdout, key->d);
-+ BN_rand(key->d, n * 8, -1, 0);
-+ printf("\tBN key after overwriting:\n");
-+ do_bn_print(stdout, key->d);
-+
-+ printf("\tchar buffer key before overwriting: \n\t\t");
-+ for (i = 0; i < sizeof(userkey); i++)
-+ printf("%02x", userkey[i]);
-+ printf("\n");
-+ RAND_bytes(userkey, sizeof userkey);
-+ printf("\tchar buffer key after overwriting: \n\t\t");
-+ for (i = 0; i < sizeof(userkey); i++)
-+ printf("%02x", userkey[i]);
-+ printf("\n");
-+
-+ return 1;
-+}
-+
-+static int Error;
-+const char *Fail(const char *msg)
-+{
-+ do_print_errors();
-+ Error++;
-+ return msg;
-+}
-+
-+int main(int argc, char **argv)
-+{
-+
-+ int do_corrupt_rsa_keygen = 0, do_corrupt_dsa_keygen = 0;
-+ int bad_rsa = 0, bad_dsa = 0;
-+ int do_rng_stick = 0;
-+ int no_exit = 0;
-+
-+ printf("\tFIPS-mode test application\n\n");
-+
-+ /* Load entropy from external file, if any */
-+ RAND_load_file(".rnd", 1024);
-+
-+ if (argv[1]) {
-+ /* Corrupted KAT tests */
-+ if (!strcmp(argv[1], "aes")) {
-+ FIPS_corrupt_aes();
-+ printf("AES encryption/decryption with corrupted KAT...\n");
-+ } else if (!strcmp(argv[1], "des")) {
-+ FIPS_corrupt_des();
-+ printf("DES3-ECB encryption/decryption with corrupted KAT...\n");
-+ } else if (!strcmp(argv[1], "dsa")) {
-+ FIPS_corrupt_dsa();
-+ printf
-+ ("DSA key generation and signature validation with corrupted KAT...\n");
-+ } else if (!strcmp(argv[1], "rsa")) {
-+ FIPS_corrupt_rsa();
-+ printf
-+ ("RSA key generation and signature validation with corrupted KAT...\n");
-+ } else if (!strcmp(argv[1], "rsakey")) {
-+ printf
-+ ("RSA key generation and signature validation with corrupted key...\n");
-+ bad_rsa = 1;
-+ no_exit = 1;
-+ } else if (!strcmp(argv[1], "rsakeygen")) {
-+ do_corrupt_rsa_keygen = 1;
-+ no_exit = 1;
-+ printf
-+ ("RSA key generation and signature validation with corrupted keygen...\n");
-+ } else if (!strcmp(argv[1], "dsakey")) {
-+ printf
-+ ("DSA key generation and signature validation with corrupted key...\n");
-+ bad_dsa = 1;
-+ no_exit = 1;
-+ } else if (!strcmp(argv[1], "dsakeygen")) {
-+ do_corrupt_dsa_keygen = 1;
-+ no_exit = 1;
-+ printf
-+ ("DSA key generation and signature validation with corrupted keygen...\n");
-+ } else if (!strcmp(argv[1], "sha1")) {
-+ FIPS_corrupt_sha1();
-+ printf("SHA-1 hash with corrupted KAT...\n");
-+ } else if (!strcmp(argv[1], "rng")) {
-+ FIPS_corrupt_rng();
-+ } else if (!strcmp(argv[1], "rngstick")) {
-+ do_rng_stick = 1;
-+ no_exit = 1;
-+ printf("RNG test with stuck continuous test...\n");
-+ } else {
-+ printf("Bad argument \"%s\"\n", argv[1]);
-+ exit(1);
-+ }
-+ if (!no_exit) {
-+ if (!FIPS_mode_set(1)) {
-+ do_print_errors();
-+ printf("Power-up self test failed\n");
-+ exit(1);
-+ }
-+ printf("Power-up self test successful\n");
-+ exit(0);
-+ }
-+ }
-+
-+ /* Non-Approved cryptographic operation
-+ */
-+ printf("1. Non-Approved cryptographic operation test...\n");
-+ printf("\ta. Included algorithm (D-H)...");
-+ printf(dh_test()? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* Power-up self test
-+ */
-+ ERR_clear_error();
-+ printf("2. Automatic power-up self test...");
-+ if (!FIPS_mode_set(1)) {
-+ do_print_errors();
-+ printf(Fail("FAILED!\n"));
-+ exit(1);
-+ }
-+ printf("successful\n");
-+ if (do_corrupt_dsa_keygen)
-+ FIPS_corrupt_dsa_keygen();
-+ if (do_corrupt_rsa_keygen)
-+ FIPS_corrupt_rsa_keygen();
-+ if (do_rng_stick)
-+ FIPS_rng_stick();
-+
-+ /* AES encryption/decryption
-+ */
-+ printf("3. AES encryption/decryption...");
-+ printf(FIPS_aes_test()? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* RSA key generation and encryption/decryption
-+ */
-+ printf("4. RSA key generation and encryption/decryption...");
-+ printf(FIPS_rsa_test(bad_rsa) ? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* DES-CBC encryption/decryption
-+ */
-+ printf("5. DES-ECB encryption/decryption...");
-+ printf(FIPS_des3_test()? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* DSA key generation and signature validation
-+ */
-+ printf("6. DSA key generation and signature validation...");
-+ printf(FIPS_dsa_test(bad_dsa) ? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* SHA-1 hash
-+ */
-+ printf("7a. SHA-1 hash...");
-+ printf(FIPS_sha1_test()? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* SHA-256 hash
-+ */
-+ printf("7b. SHA-256 hash...");
-+ printf(FIPS_sha256_test()? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* SHA-512 hash
-+ */
-+ printf("7c. SHA-512 hash...");
-+ printf(FIPS_sha512_test()? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* HMAC-SHA-1 hash
-+ */
-+ printf("7d. HMAC-SHA-1 hash...");
-+ printf(FIPS_hmac_sha1_test()? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* HMAC-SHA-224 hash
-+ */
-+ printf("7e. HMAC-SHA-224 hash...");
-+ printf(FIPS_hmac_sha224_test()? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* HMAC-SHA-256 hash
-+ */
-+ printf("7f. HMAC-SHA-256 hash...");
-+ printf(FIPS_hmac_sha256_test()? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* HMAC-SHA-384 hash
-+ */
-+ printf("7g. HMAC-SHA-384 hash...");
-+ printf(FIPS_hmac_sha384_test()? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* HMAC-SHA-512 hash
-+ */
-+ printf("7h. HMAC-SHA-512 hash...");
-+ printf(FIPS_hmac_sha512_test()? "successful\n" : Fail("FAILED!\n"));
-+
-+ /* Non-Approved cryptographic operation
-+ */
-+ printf("8. Non-Approved cryptographic operation test...\n");
-+ printf("\ta. Included algorithm (D-H)...");
-+ printf(dh_test()? "successful as expected\n"
-+ : Fail("failed INCORRECTLY!\n"));
-+
-+ /* Zeroization
-+ */
-+ printf("9. Zero-ization...\n");
-+ printf(Zeroize()? "\tsuccessful as expected\n"
-+ : Fail("\tfailed INCORRECTLY!\n"));
-+
-+ printf("\nAll tests completed with %d errors\n", Error);
-+ return Error ? 1 : 0;
-+}
-+
-+#endif
-diff -up openssl-1.0.2a/crypto/fips/Makefile.fips openssl-1.0.2a/crypto/fips/Makefile
---- openssl-1.0.2a/crypto/fips/Makefile.fips 2015-04-22 16:08:40.300245844 +0200
-+++ openssl-1.0.2a/crypto/fips/Makefile 2015-04-22 16:08:40.300245844 +0200
-@@ -0,0 +1,341 @@
-+#
-+# OpenSSL/crypto/fips/Makefile
-+#
-+
-+DIR= fips
-+TOP= ../..
-+CC= cc
-+INCLUDES=
-+CFLAG=-g
-+MAKEFILE= Makefile
-+AR= ar r
-+
-+CFLAGS= $(INCLUDES) $(CFLAG)
-+
-+GENERAL=Makefile
-+TEST=fips_test_suite.c fips_randtest.c
-+APPS=
-+
-+PROGRAM= fips_standalone_hmac
-+EXE= $(PROGRAM)$(EXE_EXT)
-+
-+LIB=$(TOP)/libcrypto.a
-+LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_selftest.c \
-+ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
-+ fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
-+ fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
-+ fips_cmac_selftest.c fips_enc.c fips_md.c
-+
-+LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \
-+ fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \
-+ fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \
-+ fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \
-+ fips_cmac_selftest.o fips_enc.o fips_md.o
-+
-+LIBCRYPTO=-L.. -lcrypto
-+
-+SRC= $(LIBSRC) fips_standalone_hmac.c
-+
-+EXHEADER= fips.h fips_rand.h
-+HEADER= $(EXHEADER)
-+
-+ALL= $(GENERAL) $(SRC) $(HEADER)
-+
-+top:
-+ (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
-+
-+all: lib exe
-+
-+lib: $(LIBOBJ)
-+ $(AR) $(LIB) $(LIBOBJ)
-+ $(RANLIB) $(LIB) || echo Never mind.
-+ @touch lib
-+
-+exe: $(EXE)
-+
-+files:
-+ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-+
-+links:
-+ @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
-+ @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
-+ @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
-+
-+install:
-+ @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-+ @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
-+ do \
-+ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
-+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
-+ done;
-+
-+tags:
-+ ctags $(SRC)
-+
-+tests:
-+
-+lint:
-+ lint -DLINT $(INCLUDES) $(SRC)>fluff
-+
-+depend:
-+ @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
-+ $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
-+
-+dclean:
-+ $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
-+ mv -f Makefile.new $(MAKEFILE)
-+
-+clean:
-+ rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
-+
-+$(EXE): $(PROGRAM).o
-+ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../sha/$$i" ; done; \
-+ for i in $(CPUID_OBJ); do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../$$i" ; done; \
-+ $(CC) -o $@ $(CFLAGS) $(PROGRAM).o $$FIPS_SHA_ASM
-+
-+# DO NOT DELETE THIS LINE -- make depend depends on it.
-+
-+fips.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips.o: ../../include/openssl/fips_rand.h ../../include/openssl/hmac.h
-+fips.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-+fips.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-+fips.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-+fips.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
-+fips.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-+fips.o: ../../include/openssl/symhacks.h fips.c fips_locl.h
-+fips_aes_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_aes_selftest.o: ../../include/openssl/crypto.h
-+fips_aes_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_aes_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_aes_selftest.o: ../../include/openssl/lhash.h
-+fips_aes_selftest.o: ../../include/openssl/obj_mac.h
-+fips_aes_selftest.o: ../../include/openssl/objects.h
-+fips_aes_selftest.o: ../../include/openssl/opensslconf.h
-+fips_aes_selftest.o: ../../include/openssl/opensslv.h
-+fips_aes_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_aes_selftest.o: ../../include/openssl/safestack.h
-+fips_aes_selftest.o: ../../include/openssl/stack.h
-+fips_aes_selftest.o: ../../include/openssl/symhacks.h fips_aes_selftest.c
-+fips_des_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_des_selftest.o: ../../include/openssl/crypto.h
-+fips_des_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_des_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_des_selftest.o: ../../include/openssl/lhash.h
-+fips_des_selftest.o: ../../include/openssl/obj_mac.h
-+fips_des_selftest.o: ../../include/openssl/objects.h
-+fips_des_selftest.o: ../../include/openssl/opensslconf.h
-+fips_des_selftest.o: ../../include/openssl/opensslv.h
-+fips_des_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_des_selftest.o: ../../include/openssl/safestack.h
-+fips_des_selftest.o: ../../include/openssl/stack.h
-+fips_des_selftest.o: ../../include/openssl/symhacks.h fips_des_selftest.c
-+fips_drbg_ctr.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_ctr.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_drbg_ctr.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
-+fips_drbg_ctr.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
-+fips_drbg_ctr.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
-+fips_drbg_ctr.o: ../../include/openssl/objects.h
-+fips_drbg_ctr.o: ../../include/openssl/opensslconf.h
-+fips_drbg_ctr.o: ../../include/openssl/opensslv.h
-+fips_drbg_ctr.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_drbg_ctr.o: ../../include/openssl/safestack.h
-+fips_drbg_ctr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-+fips_drbg_ctr.o: fips_drbg_ctr.c fips_rand_lcl.h
-+fips_drbg_hash.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_hash.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_drbg_hash.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
-+fips_drbg_hash.o: ../../include/openssl/fips.h
-+fips_drbg_hash.o: ../../include/openssl/fips_rand.h
-+fips_drbg_hash.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
-+fips_drbg_hash.o: ../../include/openssl/objects.h
-+fips_drbg_hash.o: ../../include/openssl/opensslconf.h
-+fips_drbg_hash.o: ../../include/openssl/opensslv.h
-+fips_drbg_hash.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_drbg_hash.o: ../../include/openssl/safestack.h
-+fips_drbg_hash.o: ../../include/openssl/stack.h
-+fips_drbg_hash.o: ../../include/openssl/symhacks.h fips_drbg_hash.c
-+fips_drbg_hash.o: fips_rand_lcl.h
-+fips_drbg_hmac.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_hmac.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_drbg_hmac.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
-+fips_drbg_hmac.o: ../../include/openssl/fips.h
-+fips_drbg_hmac.o: ../../include/openssl/fips_rand.h
-+fips_drbg_hmac.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
-+fips_drbg_hmac.o: ../../include/openssl/objects.h
-+fips_drbg_hmac.o: ../../include/openssl/opensslconf.h
-+fips_drbg_hmac.o: ../../include/openssl/opensslv.h
-+fips_drbg_hmac.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_drbg_hmac.o: ../../include/openssl/safestack.h
-+fips_drbg_hmac.o: ../../include/openssl/stack.h
-+fips_drbg_hmac.o: ../../include/openssl/symhacks.h fips_drbg_hmac.c
-+fips_drbg_hmac.o: fips_rand_lcl.h
-+fips_drbg_lib.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_lib.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_drbg_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_drbg_lib.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_drbg_lib.o: ../../include/openssl/fips_rand.h ../../include/openssl/hmac.h
-+fips_drbg_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-+fips_drbg_lib.o: ../../include/openssl/objects.h
-+fips_drbg_lib.o: ../../include/openssl/opensslconf.h
-+fips_drbg_lib.o: ../../include/openssl/opensslv.h
-+fips_drbg_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_drbg_lib.o: ../../include/openssl/safestack.h
-+fips_drbg_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-+fips_drbg_lib.o: fips_drbg_lib.c fips_locl.h fips_rand_lcl.h
-+fips_drbg_rand.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_rand.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_drbg_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_drbg_rand.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_drbg_rand.o: ../../include/openssl/fips_rand.h
-+fips_drbg_rand.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
-+fips_drbg_rand.o: ../../include/openssl/obj_mac.h
-+fips_drbg_rand.o: ../../include/openssl/objects.h
-+fips_drbg_rand.o: ../../include/openssl/opensslconf.h
-+fips_drbg_rand.o: ../../include/openssl/opensslv.h
-+fips_drbg_rand.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_drbg_rand.o: ../../include/openssl/safestack.h
-+fips_drbg_rand.o: ../../include/openssl/stack.h
-+fips_drbg_rand.o: ../../include/openssl/symhacks.h fips_drbg_rand.c
-+fips_drbg_rand.o: fips_rand_lcl.h
-+fips_drbg_selftest.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_drbg_selftest.o: ../../include/openssl/bio.h
-+fips_drbg_selftest.o: ../../include/openssl/crypto.h
-+fips_drbg_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_drbg_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_drbg_selftest.o: ../../include/openssl/fips_rand.h
-+fips_drbg_selftest.o: ../../include/openssl/hmac.h
-+fips_drbg_selftest.o: ../../include/openssl/lhash.h
-+fips_drbg_selftest.o: ../../include/openssl/obj_mac.h
-+fips_drbg_selftest.o: ../../include/openssl/objects.h
-+fips_drbg_selftest.o: ../../include/openssl/opensslconf.h
-+fips_drbg_selftest.o: ../../include/openssl/opensslv.h
-+fips_drbg_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_drbg_selftest.o: ../../include/openssl/rand.h
-+fips_drbg_selftest.o: ../../include/openssl/safestack.h
-+fips_drbg_selftest.o: ../../include/openssl/stack.h
-+fips_drbg_selftest.o: ../../include/openssl/symhacks.h fips_drbg_selftest.c
-+fips_drbg_selftest.o: fips_drbg_selftest.h fips_locl.h fips_rand_lcl.h
-+fips_dsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_dsa_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-+fips_dsa_selftest.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-+fips_dsa_selftest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+fips_dsa_selftest.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
-+fips_dsa_selftest.o: ../../include/openssl/obj_mac.h
-+fips_dsa_selftest.o: ../../include/openssl/objects.h
-+fips_dsa_selftest.o: ../../include/openssl/opensslconf.h
-+fips_dsa_selftest.o: ../../include/openssl/opensslv.h
-+fips_dsa_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_dsa_selftest.o: ../../include/openssl/safestack.h
-+fips_dsa_selftest.o: ../../include/openssl/stack.h
-+fips_dsa_selftest.o: ../../include/openssl/symhacks.h fips_dsa_selftest.c
-+fips_dsa_selftest.o: fips_locl.h
-+fips_hmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_hmac_selftest.o: ../../include/openssl/crypto.h
-+fips_hmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_hmac_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_hmac_selftest.o: ../../include/openssl/hmac.h
-+fips_hmac_selftest.o: ../../include/openssl/lhash.h
-+fips_hmac_selftest.o: ../../include/openssl/obj_mac.h
-+fips_hmac_selftest.o: ../../include/openssl/objects.h
-+fips_hmac_selftest.o: ../../include/openssl/opensslconf.h
-+fips_hmac_selftest.o: ../../include/openssl/opensslv.h
-+fips_hmac_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_hmac_selftest.o: ../../include/openssl/safestack.h
-+fips_hmac_selftest.o: ../../include/openssl/stack.h
-+fips_hmac_selftest.o: ../../include/openssl/symhacks.h fips_hmac_selftest.c
-+fips_post.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_post.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-+fips_post.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-+fips_post.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+fips_post.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
-+fips_post.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
-+fips_post.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-+fips_post.o: ../../include/openssl/opensslconf.h
-+fips_post.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-+fips_post.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
-+fips_post.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-+fips_post.o: ../../include/openssl/symhacks.h fips_locl.h fips_post.c
-+fips_rand.o: ../../e_os.h ../../include/openssl/aes.h
-+fips_rand.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_rand.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-+fips_rand.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+fips_rand.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
-+fips_rand.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
-+fips_rand.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-+fips_rand.o: ../../include/openssl/opensslconf.h
-+fips_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-+fips_rand.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
-+fips_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-+fips_rand.o: fips_locl.h fips_rand.c
-+fips_rand_lib.o: ../../e_os.h ../../include/openssl/aes.h
-+fips_rand_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_rand_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-+fips_rand_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-+fips_rand_lib.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
-+fips_rand_lib.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
-+fips_rand_lib.o: ../../include/openssl/obj_mac.h
-+fips_rand_lib.o: ../../include/openssl/objects.h
-+fips_rand_lib.o: ../../include/openssl/opensslconf.h
-+fips_rand_lib.o: ../../include/openssl/opensslv.h
-+fips_rand_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-+fips_rand_lib.o: ../../include/openssl/safestack.h
-+fips_rand_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-+fips_rand_lib.o: fips_rand_lib.c
-+fips_rand_selftest.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-+fips_rand_selftest.o: ../../include/openssl/bio.h
-+fips_rand_selftest.o: ../../include/openssl/crypto.h
-+fips_rand_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_rand_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_rand_selftest.o: ../../include/openssl/fips_rand.h
-+fips_rand_selftest.o: ../../include/openssl/hmac.h
-+fips_rand_selftest.o: ../../include/openssl/lhash.h
-+fips_rand_selftest.o: ../../include/openssl/obj_mac.h
-+fips_rand_selftest.o: ../../include/openssl/objects.h
-+fips_rand_selftest.o: ../../include/openssl/opensslconf.h
-+fips_rand_selftest.o: ../../include/openssl/opensslv.h
-+fips_rand_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_rand_selftest.o: ../../include/openssl/rand.h
-+fips_rand_selftest.o: ../../include/openssl/safestack.h
-+fips_rand_selftest.o: ../../include/openssl/stack.h
-+fips_rand_selftest.o: ../../include/openssl/symhacks.h fips_locl.h
-+fips_rand_selftest.o: fips_rand_selftest.c
-+fips_rsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_rsa_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-+fips_rsa_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_rsa_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_rsa_selftest.o: ../../include/openssl/lhash.h
-+fips_rsa_selftest.o: ../../include/openssl/obj_mac.h
-+fips_rsa_selftest.o: ../../include/openssl/objects.h
-+fips_rsa_selftest.o: ../../include/openssl/opensslconf.h
-+fips_rsa_selftest.o: ../../include/openssl/opensslv.h
-+fips_rsa_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_rsa_selftest.o: ../../include/openssl/rsa.h
-+fips_rsa_selftest.o: ../../include/openssl/safestack.h
-+fips_rsa_selftest.o: ../../include/openssl/stack.h
-+fips_rsa_selftest.o: ../../include/openssl/symhacks.h fips_rsa_selftest.c
-+fips_rsa_x931g.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_rsa_x931g.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-+fips_rsa_x931g.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_rsa_x931g.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
-+fips_rsa_x931g.o: ../../include/openssl/opensslconf.h
-+fips_rsa_x931g.o: ../../include/openssl/opensslv.h
-+fips_rsa_x931g.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rsa.h
-+fips_rsa_x931g.o: ../../include/openssl/safestack.h
-+fips_rsa_x931g.o: ../../include/openssl/stack.h
-+fips_rsa_x931g.o: ../../include/openssl/symhacks.h fips_rsa_x931g.c
-+fips_sha_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+fips_sha_selftest.o: ../../include/openssl/crypto.h
-+fips_sha_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-+fips_sha_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
-+fips_sha_selftest.o: ../../include/openssl/lhash.h
-+fips_sha_selftest.o: ../../include/openssl/obj_mac.h
-+fips_sha_selftest.o: ../../include/openssl/objects.h
-+fips_sha_selftest.o: ../../include/openssl/opensslconf.h
-+fips_sha_selftest.o: ../../include/openssl/opensslv.h
-+fips_sha_selftest.o: ../../include/openssl/ossl_typ.h
-+fips_sha_selftest.o: ../../include/openssl/safestack.h
-+fips_sha_selftest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-+fips_sha_selftest.o: ../../include/openssl/symhacks.h fips_sha_selftest.c
-diff -up openssl-1.0.2a/crypto/hmac/hmac.c.fips openssl-1.0.2a/crypto/hmac/hmac.c
---- openssl-1.0.2a/crypto/hmac/hmac.c.fips 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/hmac/hmac.c 2015-04-22 16:08:40.301245867 +0200
-@@ -89,12 +89,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
- EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS);
- return 0;
- }
-- /*
-- * Other algorithm blocking will be done in FIPS_cmac_init, via
-- * FIPS_hmac_init_ex().
-- */
-- if (!impl && !ctx->i_ctx.engine)
-- return FIPS_hmac_init_ex(ctx, key, len, md, NULL);
- }
- #endif
-
-@@ -105,6 +99,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
- md = ctx->md;
-
- if (key != NULL) {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(md->flags & EVP_MD_FLAG_FIPS)
-+ && (!(ctx->md_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
-+ || !(ctx->i_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
-+ || !(ctx->o_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))
-+ goto err;
-+#endif
- reset = 1;
- j = EVP_MD_block_size(md);
- OPENSSL_assert(j <= (int)sizeof(ctx->key));
-@@ -157,10 +158,6 @@ int HMAC_Init(HMAC_CTX *ctx, const void
-
- int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
- {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !ctx->i_ctx.engine)
-- return FIPS_hmac_update(ctx, data, len);
--#endif
- return EVP_DigestUpdate(&ctx->md_ctx, data, len);
- }
-
-@@ -168,10 +165,6 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned c
- {
- unsigned int i;
- unsigned char buf[EVP_MAX_MD_SIZE];
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !ctx->i_ctx.engine)
-- return FIPS_hmac_final(ctx, md, len);
--#endif
-
- if (!EVP_DigestFinal_ex(&ctx->md_ctx, buf, &i))
- goto err;
-@@ -211,12 +204,6 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_C
-
- void HMAC_CTX_cleanup(HMAC_CTX *ctx)
- {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !ctx->i_ctx.engine) {
-- FIPS_hmac_ctx_cleanup(ctx);
-- return;
-- }
--#endif
- EVP_MD_CTX_cleanup(&ctx->i_ctx);
- EVP_MD_CTX_cleanup(&ctx->o_ctx);
- EVP_MD_CTX_cleanup(&ctx->md_ctx);
-diff -up openssl-1.0.2a/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.2a/crypto/mdc2/mdc2dgst.c
---- openssl-1.0.2a/crypto/mdc2/mdc2dgst.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/mdc2/mdc2dgst.c 2015-04-22 16:08:40.301245867 +0200
-@@ -76,7 +76,7 @@
- *((c)++)=(unsigned char)(((l)>>24L)&0xff))
-
- static void mdc2_body(MDC2_CTX *c, const unsigned char *in, size_t len);
--fips_md_init(MDC2)
-+nonfips_md_init(MDC2)
- {
- c->num = 0;
- c->pad_type = 1;
-diff -up openssl-1.0.2a/crypto/md2/md2_dgst.c.fips openssl-1.0.2a/crypto/md2/md2_dgst.c
---- openssl-1.0.2a/crypto/md2/md2_dgst.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/md2/md2_dgst.c 2015-04-22 16:08:40.301245867 +0200
-@@ -62,6 +62,11 @@
- #include <openssl/md2.h>
- #include <openssl/opensslv.h>
- #include <openssl/crypto.h>
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-+
-+#include <openssl/err.h>
-
- const char MD2_version[] = "MD2" OPENSSL_VERSION_PTEXT;
-
-@@ -119,7 +124,7 @@ const char *MD2_options(void)
- return ("md2(int)");
- }
-
--fips_md_init(MD2)
-+nonfips_md_init(MD2)
- {
- c->num = 0;
- memset(c->state, 0, sizeof c->state);
-diff -up openssl-1.0.2a/crypto/md4/md4_dgst.c.fips openssl-1.0.2a/crypto/md4/md4_dgst.c
---- openssl-1.0.2a/crypto/md4/md4_dgst.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/md4/md4_dgst.c 2015-04-22 16:08:40.301245867 +0200
-@@ -72,7 +72,7 @@ const char MD4_version[] = "MD4" OPENSSL
- #define INIT_DATA_C (unsigned long)0x98badcfeL
- #define INIT_DATA_D (unsigned long)0x10325476L
-
--fips_md_init(MD4)
-+nonfips_md_init(MD4)
- {
- memset(c, 0, sizeof(*c));
- c->A = INIT_DATA_A;
-diff -up openssl-1.0.2a/crypto/md5/md5_dgst.c.fips openssl-1.0.2a/crypto/md5/md5_dgst.c
---- openssl-1.0.2a/crypto/md5/md5_dgst.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/md5/md5_dgst.c 2015-04-22 16:08:40.301245867 +0200
-@@ -72,7 +72,7 @@ const char MD5_version[] = "MD5" OPENSSL
- #define INIT_DATA_C (unsigned long)0x98badcfeL
- #define INIT_DATA_D (unsigned long)0x10325476L
-
--fips_md_init(MD5)
-+nonfips_md_init(MD5)
- {
- memset(c, 0, sizeof(*c));
- c->A = INIT_DATA_A;
-diff -up openssl-1.0.2a/crypto/o_fips.c.fips openssl-1.0.2a/crypto/o_fips.c
---- openssl-1.0.2a/crypto/o_fips.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/o_fips.c 2015-04-22 16:08:40.301245867 +0200
-@@ -80,6 +80,8 @@ int FIPS_mode_set(int r)
- # ifndef FIPS_AUTH_USER_PASS
- # define FIPS_AUTH_USER_PASS "Default FIPS Crypto User Password"
- # endif
-+ if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */
-+ return 1;
- if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS))
- return 0;
- if (r)
-diff -up openssl-1.0.2a/crypto/o_init.c.fips openssl-1.0.2a/crypto/o_init.c
---- openssl-1.0.2a/crypto/o_init.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/o_init.c 2015-04-22 16:08:40.301245867 +0200
-@@ -56,8 +56,37 @@
- #include <e_os.h>
- #include <openssl/err.h>
- #ifdef OPENSSL_FIPS
-+# include <sys/types.h>
-+# include <sys/stat.h>
-+# include <fcntl.h>
-+# include <unistd.h>
-+# include <errno.h>
-+# include <stdlib.h>
- # include <openssl/fips.h>
- # include <openssl/rand.h>
-+
-+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
-+
-+static void init_fips_mode(void)
-+{
-+ char buf[2] = "0";
-+ int fd;
-+
-+ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
-+ buf[0] = '1';
-+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
-+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
-+ close(fd);
-+ }
-+ /* Failure reading the fips mode switch file means just not
-+ * switching into FIPS mode. We would break too many things
-+ * otherwise..
-+ */
-+
-+ if (buf[0] == '1') {
-+ FIPS_mode_set(1);
-+ }
-+}
- #endif
-
- /*
-@@ -65,19 +94,26 @@
- * sets FIPS callbacks
- */
-
--void OPENSSL_init(void)
-+void OPENSSL_init_library(void)
- {
- static int done = 0;
- if (done)
- return;
- done = 1;
- #ifdef OPENSSL_FIPS
-- FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock);
-- FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);
-- FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);
- RAND_init_fips();
-+ init_fips_mode();
-+ if (!FIPS_mode()) {
-+ /* Clean up prematurely set default rand method */
-+ RAND_set_rand_method(NULL);
-+ }
- #endif
- #if 0
- fprintf(stderr, "Called OPENSSL_init\n");
- #endif
- }
-+
-+void OPENSSL_init(void)
-+{
-+ OPENSSL_init_library();
-+}
-diff -up openssl-1.0.2a/crypto/opensslconf.h.in.fips openssl-1.0.2a/crypto/opensslconf.h.in
---- openssl-1.0.2a/crypto/opensslconf.h.in.fips 2015-01-20 13:33:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/opensslconf.h.in 2015-04-22 16:08:40.301245867 +0200
-@@ -1,5 +1,20 @@
- /* crypto/opensslconf.h.in */
-
-+#ifdef OPENSSL_DOING_MAKEDEPEND
-+
-+/* Include any symbols here that have to be explicitly set to enable a feature
-+ * that should be visible to makedepend.
-+ *
-+ * [Our "make depend" doesn't actually look at this, we use actual build settings
-+ * instead; we want to make it easy to remove subdirectories with disabled algorithms.]
-+ */
-+
-+#ifndef OPENSSL_FIPS
-+#define OPENSSL_FIPS
-+#endif
-+
-+#endif
-+
- /* Generate 80386 code? */
- #undef I386_ONLY
-
-diff -up openssl-1.0.2a/crypto/rand/md_rand.c.fips openssl-1.0.2a/crypto/rand/md_rand.c
---- openssl-1.0.2a/crypto/rand/md_rand.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/rand/md_rand.c 2015-04-22 16:08:40.302245891 +0200
-@@ -391,7 +391,10 @@ int ssleay_rand_bytes(unsigned char *buf
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
- crypto_lock_rand = 1;
-
-- if (!initialized) {
-+ /* always poll for external entropy in FIPS mode, drbg provides the
-+ * expansion
-+ */
-+ if (!initialized || FIPS_module_mode()) {
- RAND_poll();
- initialized = 1;
- }
-diff -up openssl-1.0.2a/crypto/rand/rand.h.fips openssl-1.0.2a/crypto/rand/rand.h
---- openssl-1.0.2a/crypto/rand/rand.h.fips 2015-04-22 16:08:40.044239782 +0200
-+++ openssl-1.0.2a/crypto/rand/rand.h 2015-04-22 16:08:40.302245891 +0200
-@@ -133,16 +133,34 @@ void ERR_load_RAND_strings(void);
- /* Error codes for the RAND functions. */
-
- /* Function codes. */
-+# define RAND_F_ENG_RAND_GET_RAND_METHOD 108
-+# define RAND_F_FIPS_RAND 103
-+# define RAND_F_FIPS_RAND_BYTES 102
-+# define RAND_F_FIPS_RAND_SET_DT 106
-+# define RAND_F_FIPS_X931_SET_DT 106
-+# define RAND_F_FIPS_SET_DT 104
-+# define RAND_F_FIPS_SET_PRNG_SEED 107
-+# define RAND_F_FIPS_SET_TEST_MODE 105
- # define RAND_F_RAND_GET_RAND_METHOD 101
--# define RAND_F_RAND_INIT_FIPS 102
-+# define RAND_F_RAND_INIT_FIPS 109
- # define RAND_F_SSLEAY_RAND_BYTES 100
-
- /* Reason codes. */
--# define RAND_R_DUAL_EC_DRBG_DISABLED 104
--# define RAND_R_ERROR_INITIALISING_DRBG 102
--# define RAND_R_ERROR_INSTANTIATING_DRBG 103
--# define RAND_R_NO_FIPS_RANDOM_METHOD_SET 101
-+# define RAND_R_DUAL_EC_DRBG_DISABLED 114
-+# define RAND_R_ERROR_INITIALISING_DRBG 112
-+# define RAND_R_ERROR_INSTANTIATING_DRBG 113
-+# define RAND_R_NON_FIPS_METHOD 105
-+# define RAND_R_NOT_IN_TEST_MODE 106
-+# define RAND_R_NO_FIPS_RANDOM_METHOD_SET 111
-+# define RAND_R_NO_KEY_SET 107
-+# define RAND_R_PRNG_ASKING_FOR_TOO_MUCH 101
-+# define RAND_R_PRNG_ERROR 108
-+# define RAND_R_PRNG_KEYED 109
-+# define RAND_R_PRNG_NOT_REKEYED 102
-+# define RAND_R_PRNG_NOT_RESEEDED 103
- # define RAND_R_PRNG_NOT_SEEDED 100
-+# define RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY 110
-+# define RAND_R_PRNG_STUCK 104
-
- #ifdef __cplusplus
- }
-diff -up openssl-1.0.2a/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.2a/crypto/ripemd/rmd_dgst.c
---- openssl-1.0.2a/crypto/ripemd/rmd_dgst.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/ripemd/rmd_dgst.c 2015-04-22 16:08:40.302245891 +0200
-@@ -70,7 +70,7 @@ void ripemd160_block_x86(RIPEMD160_CTX *
- void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p, size_t num);
- #endif
-
--fips_md_init(RIPEMD160)
-+nonfips_md_init(RIPEMD160)
- {
- memset(c, 0, sizeof(*c));
- c->A = RIPEMD160_A;
-diff -up openssl-1.0.2a/crypto/rsa/rsa_crpt.c.fips openssl-1.0.2a/crypto/rsa/rsa_crpt.c
---- openssl-1.0.2a/crypto/rsa/rsa_crpt.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/rsa/rsa_crpt.c 2015-04-22 16:08:40.302245891 +0200
-@@ -89,9 +89,9 @@ int RSA_private_encrypt(int flen, const
- unsigned char *to, RSA *rsa, int padding)
- {
- #ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
-- RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
-+ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
-+ RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT,
-+ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
- return -1;
- }
- #endif
-@@ -115,9 +115,9 @@ int RSA_public_decrypt(int flen, const u
- RSA *rsa, int padding)
- {
- #ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
-- RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
-+ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
-+ RSAerr(RSA_F_RSA_PUBLIC_DECRYPT,
-+ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
- return -1;
- }
- #endif
-diff -up openssl-1.0.2a/crypto/rsa/rsa_eay.c.fips openssl-1.0.2a/crypto/rsa/rsa_eay.c
---- openssl-1.0.2a/crypto/rsa/rsa_eay.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/rsa/rsa_eay.c 2015-04-22 16:08:40.302245891 +0200
-@@ -114,6 +114,10 @@
- #include <openssl/bn.h>
- #include <openssl/rsa.h>
- #include <openssl/rand.h>
-+#include <openssl/err.h>
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-
- #ifndef RSA_NULL
-
-@@ -140,7 +144,7 @@ static RSA_METHOD rsa_pkcs1_eay_meth = {
- * if e == 3 */
- RSA_eay_init,
- RSA_eay_finish,
-- 0, /* flags */
-+ RSA_FLAG_FIPS_METHOD, /* flags */
- NULL,
- 0, /* rsa_sign */
- 0, /* rsa_verify */
-@@ -160,6 +164,22 @@ static int RSA_eay_public_encrypt(int fl
- unsigned char *buf = NULL;
- BN_CTX *ctx = NULL;
-
-+# ifdef OPENSSL_FIPS
-+ if (FIPS_mode()) {
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_RSA_EAY_PUBLIC_ENCRYPT,
-+ FIPS_R_FIPS_SELFTEST_FAILED);
-+ goto err;
-+ }
-+
-+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
-+ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
-+ return -1;
-+ }
-+ }
-+# endif
-+
- if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
- RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
- return -1;
-@@ -361,6 +381,22 @@ static int RSA_eay_private_encrypt(int f
- BIGNUM *unblind = NULL;
- BN_BLINDING *blinding = NULL;
-
-+# ifdef OPENSSL_FIPS
-+ if (FIPS_mode()) {
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_RSA_EAY_PRIVATE_ENCRYPT,
-+ FIPS_R_FIPS_SELFTEST_FAILED);
-+ return -1;
-+ }
-+
-+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
-+ RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
-+ return -1;
-+ }
-+ }
-+# endif
-+
- if ((ctx = BN_CTX_new()) == NULL)
- goto err;
- BN_CTX_start(ctx);
-@@ -497,6 +533,22 @@ static int RSA_eay_private_decrypt(int f
- BIGNUM *unblind = NULL;
- BN_BLINDING *blinding = NULL;
-
-+# ifdef OPENSSL_FIPS
-+ if (FIPS_mode()) {
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_RSA_EAY_PRIVATE_DECRYPT,
-+ FIPS_R_FIPS_SELFTEST_FAILED);
-+ return -1;
-+ }
-+
-+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
-+ RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
-+ return -1;
-+ }
-+ }
-+# endif
-+
- if ((ctx = BN_CTX_new()) == NULL)
- goto err;
- BN_CTX_start(ctx);
-@@ -623,6 +675,22 @@ static int RSA_eay_public_decrypt(int fl
- unsigned char *buf = NULL;
- BN_CTX *ctx = NULL;
-
-+# ifdef OPENSSL_FIPS
-+ if (FIPS_mode()) {
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_RSA_EAY_PUBLIC_DECRYPT,
-+ FIPS_R_FIPS_SELFTEST_FAILED);
-+ goto err;
-+ }
-+
-+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
-+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
-+ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
-+ return -1;
-+ }
-+ }
-+# endif
-+
- if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
- RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
- return -1;
-@@ -886,6 +954,9 @@ static int RSA_eay_mod_exp(BIGNUM *r0, c
-
- static int RSA_eay_init(RSA *rsa)
- {
-+# ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+# endif
- rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
- return (1);
- }
-diff -up openssl-1.0.2a/crypto/rsa/rsa_err.c.fips openssl-1.0.2a/crypto/rsa/rsa_err.c
---- openssl-1.0.2a/crypto/rsa/rsa_err.c.fips 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/rsa/rsa_err.c 2015-04-22 16:08:40.302245891 +0200
-@@ -136,6 +136,8 @@ static ERR_STRING_DATA RSA_str_functs[]
- {ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"},
- {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"},
- {ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"},
-+ {ERR_FUNC(RSA_F_RSA_SET_DEFAULT_METHOD), "RSA_set_default_method"},
-+ {ERR_FUNC(RSA_F_RSA_SET_METHOD), "RSA_set_method"},
- {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"},
- {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING),
- "RSA_sign_ASN1_OCTET_STRING"},
-diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips openssl-1.0.2a/crypto/rsa/rsa_gen.c
---- openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/rsa/rsa_gen.c 2015-04-22 16:08:40.303245914 +0200
-@@ -69,6 +69,80 @@
- #include <openssl/rsa.h>
- #ifdef OPENSSL_FIPS
- # include <openssl/fips.h>
-+# include <openssl/err.h>
-+# include <openssl/evp.h>
-+
-+static int fips_rsa_pairwise_fail = 0;
-+
-+void FIPS_corrupt_rsa_keygen(void)
-+{
-+ fips_rsa_pairwise_fail = 1;
-+}
-+
-+int fips_check_rsa(RSA *rsa)
-+{
-+ const unsigned char tbs[] = "RSA Pairwise Check Data";
-+ unsigned char *ctbuf = NULL, *ptbuf = NULL;
-+ int len, ret = 0;
-+ EVP_PKEY *pk;
-+
-+ if ((pk = EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_set1_RSA(pk, rsa);
-+
-+ /* Perform pairwise consistency signature test */
-+ if (!fips_pkey_signature_test(pk, tbs, -1,
-+ NULL, 0, EVP_sha1(),
-+ EVP_MD_CTX_FLAG_PAD_PKCS1, NULL)
-+ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(),
-+ EVP_MD_CTX_FLAG_PAD_X931, NULL)
-+ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(),
-+ EVP_MD_CTX_FLAG_PAD_PSS, NULL))
-+ goto err;
-+ /* Now perform pairwise consistency encrypt/decrypt test */
-+ ctbuf = OPENSSL_malloc(RSA_size(rsa));
-+ if (!ctbuf)
-+ goto err;
-+
-+ len =
-+ RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa,
-+ RSA_PKCS1_PADDING);
-+ if (len <= 0)
-+ goto err;
-+ /* Check ciphertext doesn't match plaintext */
-+ if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len))
-+ goto err;
-+ ptbuf = OPENSSL_malloc(RSA_size(rsa));
-+
-+ if (!ptbuf)
-+ goto err;
-+ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
-+ if (len != (sizeof(tbs) - 1))
-+ goto err;
-+ if (memcmp(ptbuf, tbs, len))
-+ goto err;
-+
-+ ret = 1;
-+
-+ if (!ptbuf)
-+ goto err;
-+
-+ err:
-+ if (ret == 0) {
-+ fips_set_selftest_fail();
-+ FIPSerr(FIPS_F_FIPS_CHECK_RSA, FIPS_R_PAIRWISE_TEST_FAILED);
-+ }
-+
-+ if (ctbuf)
-+ OPENSSL_free(ctbuf);
-+ if (ptbuf)
-+ OPENSSL_free(ptbuf);
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+
-+ return ret;
-+}
- #endif
-
- static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
-@@ -84,7 +158,7 @@ static int rsa_builtin_keygen(RSA *rsa,
- int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
- {
- #ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-+ if (FIPS_module_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
- RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
- return 0;
-@@ -92,10 +166,6 @@ int RSA_generate_key_ex(RSA *rsa, int bi
- #endif
- if (rsa->meth->rsa_keygen)
- return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb);
--#endif
- return rsa_builtin_keygen(rsa, bits, e_value, cb);
- }
-
-@@ -108,6 +178,20 @@ static int rsa_builtin_keygen(RSA *rsa,
- int bitsp, bitsq, ok = -1, n = 0;
- BN_CTX *ctx = NULL;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_module_mode()) {
-+ if (FIPS_selftest_failed()) {
-+ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
-+ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_KEY_TOO_SHORT);
-+ return 0;
-+ }
-+ }
-+#endif
-+
- ctx = BN_CTX_new();
- if (ctx == NULL)
- goto err;
-@@ -233,6 +317,16 @@ static int rsa_builtin_keygen(RSA *rsa,
- if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
- goto err;
-
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_module_mode()) {
-+ if (fips_rsa_pairwise_fail)
-+ BN_add_word(rsa->n, 1);
-+
-+ if (!fips_check_rsa(rsa))
-+ goto err;
-+ }
-+#endif
-+
- ok = 1;
- err:
- if (ok == -1) {
-diff -up openssl-1.0.2a/crypto/rsa/rsa.h.fips openssl-1.0.2a/crypto/rsa/rsa.h
---- openssl-1.0.2a/crypto/rsa/rsa.h.fips 2015-04-22 16:08:40.178242955 +0200
-+++ openssl-1.0.2a/crypto/rsa/rsa.h 2015-04-22 16:08:40.303245914 +0200
-@@ -168,6 +168,8 @@ struct rsa_st {
- # define OPENSSL_RSA_MAX_MODULUS_BITS 16384
- # endif
-
-+# define OPENSSL_RSA_FIPS_MIN_MODULUS_BITS 1024
-+
- # ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
- # define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
- # endif
-@@ -329,6 +331,13 @@ RSA *RSA_generate_key(int bits, unsigned
-
- /* New version */
- int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
-+int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1,
-+ BIGNUM *q2, const BIGNUM *Xp1, const BIGNUM *Xp2,
-+ const BIGNUM *Xp, const BIGNUM *Xq1,
-+ const BIGNUM *Xq2, const BIGNUM *Xq,
-+ const BIGNUM *e, BN_GENCB *cb);
-+int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e,
-+ BN_GENCB *cb);
-
- int RSA_check_key(const RSA *);
- /* next 4 return -1 on error */
-@@ -538,7 +547,7 @@ void ERR_load_RSA_strings(void);
- # define RSA_F_RSA_ALGOR_TO_MD 157
- # define RSA_F_RSA_BUILTIN_KEYGEN 129
- # define RSA_F_RSA_CHECK_KEY 123
--# define RSA_F_RSA_CMS_DECRYPT 158
-+# define RSA_F_RSA_CMS_DECRYPT 258
- # define RSA_F_RSA_EAY_PRIVATE_DECRYPT 101
- # define RSA_F_RSA_EAY_PRIVATE_ENCRYPT 102
- # define RSA_F_RSA_EAY_PUBLIC_DECRYPT 103
-@@ -559,7 +568,7 @@ void ERR_load_RSA_strings(void);
- # define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121
- # define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1 160
- # define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125
--# define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 148
-+# define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 158
- # define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108
- # define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109
- # define RSA_F_RSA_PADDING_ADD_SSLV23 110
-@@ -573,21 +582,23 @@ void ERR_load_RSA_strings(void);
- # define RSA_F_RSA_PADDING_CHECK_X931 128
- # define RSA_F_RSA_PRINT 115
- # define RSA_F_RSA_PRINT_FP 116
--# define RSA_F_RSA_PRIVATE_DECRYPT 150
--# define RSA_F_RSA_PRIVATE_ENCRYPT 151
-+# define RSA_F_RSA_PRIVATE_DECRYPT 157
-+# define RSA_F_RSA_PRIVATE_ENCRYPT 148
- # define RSA_F_RSA_PRIV_DECODE 137
- # define RSA_F_RSA_PRIV_ENCODE 138
- # define RSA_F_RSA_PSS_TO_CTX 162
--# define RSA_F_RSA_PUBLIC_DECRYPT 152
-+# define RSA_F_RSA_PUBLIC_DECRYPT 149
- # define RSA_F_RSA_PUBLIC_ENCRYPT 153
- # define RSA_F_RSA_PUB_DECODE 139
- # define RSA_F_RSA_SETUP_BLINDING 136
-+# define RSA_F_RSA_SET_DEFAULT_METHOD 150
-+# define RSA_F_RSA_SET_METHOD 151
- # define RSA_F_RSA_SIGN 117
- # define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
- # define RSA_F_RSA_VERIFY 119
- # define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120
- # define RSA_F_RSA_VERIFY_PKCS1_PSS 126
--# define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 149
-+# define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 152
-
- /* Reason codes. */
- # define RSA_R_ALGORITHM_MISMATCH 100
-@@ -620,21 +631,22 @@ void ERR_load_RSA_strings(void);
- # define RSA_R_INVALID_OAEP_PARAMETERS 162
- # define RSA_R_INVALID_PADDING 138
- # define RSA_R_INVALID_PADDING_MODE 141
--# define RSA_R_INVALID_PSS_PARAMETERS 149
-+# define RSA_R_INVALID_PSS_PARAMETERS 157
- # define RSA_R_INVALID_PSS_SALTLEN 146
--# define RSA_R_INVALID_SALT_LENGTH 150
-+# define RSA_R_INVALID_SALT_LENGTH 158
- # define RSA_R_INVALID_TRAILER 139
- # define RSA_R_INVALID_X931_DIGEST 142
- # define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
- # define RSA_R_KEY_SIZE_TOO_SMALL 120
- # define RSA_R_LAST_OCTET_INVALID 134
- # define RSA_R_MODULUS_TOO_LARGE 105
--# define RSA_R_NON_FIPS_RSA_METHOD 157
-+# define RSA_R_NON_FIPS_RSA_METHOD 149
-+# define RSA_R_NON_FIPS_METHOD 149
- # define RSA_R_NO_PUBLIC_EXPONENT 140
- # define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
- # define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
- # define RSA_R_OAEP_DECODING_ERROR 121
--# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 158
-+# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 150
- # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
- # define RSA_R_PADDING_CHECK_FAILED 114
- # define RSA_R_PKCS_DECODING_ERROR 159
-diff -up openssl-1.0.2a/crypto/rsa/rsa_lib.c.fips openssl-1.0.2a/crypto/rsa/rsa_lib.c
---- openssl-1.0.2a/crypto/rsa/rsa_lib.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/rsa/rsa_lib.c 2015-04-22 16:08:40.303245914 +0200
-@@ -84,23 +84,22 @@ RSA *RSA_new(void)
-
- void RSA_set_default_method(const RSA_METHOD *meth)
- {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) {
-+ RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_METHOD);
-+ return;
-+ }
-+#endif
- default_RSA_meth = meth;
- }
-
- const RSA_METHOD *RSA_get_default_method(void)
- {
- if (default_RSA_meth == NULL) {
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return FIPS_rsa_pkcs1_ssleay();
-- else
-- return RSA_PKCS1_SSLeay();
--#else
--# ifdef RSA_NULL
-+#ifdef RSA_NULL
- default_RSA_meth = RSA_null_method();
--# else
-+#else
- default_RSA_meth = RSA_PKCS1_SSLeay();
--# endif
- #endif
- }
-
-@@ -119,6 +118,12 @@ int RSA_set_method(RSA *rsa, const RSA_M
- * to deal with which ENGINE it comes from.
- */
- const RSA_METHOD *mtmp;
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) {
-+ RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+#endif
- mtmp = rsa->meth;
- if (mtmp->finish)
- mtmp->finish(rsa);
-@@ -165,6 +170,17 @@ RSA *RSA_new_method(ENGINE *engine)
- }
- }
- #endif
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD)) {
-+ RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_METHOD);
-+# ifndef OPENSSL_NO_ENGINE
-+ if (ret->engine)
-+ ENGINE_finish(ret->engine);
-+# endif
-+ OPENSSL_free(ret);
-+ return NULL;
-+ }
-+#endif
-
- ret->pad = 0;
- ret->version = 0;
-@@ -183,7 +199,7 @@ RSA *RSA_new_method(ENGINE *engine)
- ret->blinding = NULL;
- ret->mt_blinding = NULL;
- ret->bignum_data = NULL;
-- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
-+ ret->flags = ret->meth->flags;
- if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
- #ifndef OPENSSL_NO_ENGINE
- if (ret->engine)
-diff -up openssl-1.0.2a/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.2a/crypto/rsa/rsa_pmeth.c
---- openssl-1.0.2a/crypto/rsa/rsa_pmeth.c.fips 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/rsa/rsa_pmeth.c 2015-04-22 16:08:40.303245914 +0200
-@@ -228,20 +228,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c
- RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH);
- return -1;
- }
--#ifdef OPENSSL_FIPS
-- if (ret > 0) {
-- unsigned int slen;
-- ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
-- rctx->pad_mode,
-- rctx->saltlen,
-- rctx->mgf1md, sig, &slen);
-- if (ret > 0)
-- *siglen = slen;
-- else
-- *siglen = 0;
-- return ret;
-- }
--#endif
-
- if (EVP_MD_type(rctx->md) == NID_mdc2) {
- unsigned int sltmp;
-@@ -353,17 +339,6 @@ static int pkey_rsa_verify(EVP_PKEY_CTX
- }
- #endif
- if (rctx->md) {
--#ifdef OPENSSL_FIPS
-- if (rv > 0) {
-- return FIPS_rsa_verify_digest(rsa,
-- tbs, tbslen,
-- rctx->md,
-- rctx->pad_mode,
-- rctx->saltlen,
-- rctx->mgf1md, sig, siglen);
--
-- }
--#endif
- if (rctx->pad_mode == RSA_PKCS1_PADDING)
- return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
- sig, siglen, rsa);
-diff -up openssl-1.0.2a/crypto/rsa/rsa_sign.c.fips openssl-1.0.2a/crypto/rsa/rsa_sign.c
---- openssl-1.0.2a/crypto/rsa/rsa_sign.c.fips 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/rsa/rsa_sign.c 2015-04-22 16:08:40.303245914 +0200
-@@ -132,7 +132,10 @@ int RSA_sign(int type, const unsigned ch
- i2d_X509_SIG(&sig, &p);
- s = tmps;
- }
-- i = RSA_private_encrypt(i, s, sigret, rsa, RSA_PKCS1_PADDING);
-+ /* NB: call underlying method directly to avoid FIPS blocking */
-+ i = rsa->meth->rsa_priv_enc ? rsa->meth->rsa_priv_enc(i, s, sigret, rsa,
-+ RSA_PKCS1_PADDING) :
-+ 0;
- if (i <= 0)
- ret = 0;
- else
-@@ -188,8 +191,10 @@ int int_rsa_verify(int dtype, const unsi
- }
-
- if ((dtype == NID_md5_sha1) && rm) {
-- i = RSA_public_decrypt((int)siglen,
-- sigbuf, rm, rsa, RSA_PKCS1_PADDING);
-+ i = rsa->meth->rsa_pub_dec ? rsa->meth->rsa_pub_dec((int)siglen,
-+ sigbuf, rm, rsa,
-+ RSA_PKCS1_PADDING)
-+ : 0;
- if (i <= 0)
- return 0;
- *prm_len = i;
-@@ -205,7 +210,11 @@ int int_rsa_verify(int dtype, const unsi
- RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_INVALID_MESSAGE_LENGTH);
- goto err;
- }
-- i = RSA_public_decrypt((int)siglen, sigbuf, s, rsa, RSA_PKCS1_PADDING);
-+ /* NB: call underlying method directly to avoid FIPS blocking */
-+ i = rsa->meth->rsa_pub_dec ? rsa->meth->rsa_pub_dec((int)siglen, sigbuf,
-+ s, rsa,
-+ RSA_PKCS1_PADDING) :
-+ 0;
-
- if (i <= 0)
- goto err;
-diff -up openssl-1.0.2a/crypto/sha/sha.h.fips openssl-1.0.2a/crypto/sha/sha.h
---- openssl-1.0.2a/crypto/sha/sha.h.fips 2015-04-22 16:08:39.964237888 +0200
-+++ openssl-1.0.2a/crypto/sha/sha.h 2015-04-22 16:08:40.304245938 +0200
-@@ -105,9 +105,6 @@ typedef struct SHAstate_st {
- } SHA_CTX;
-
- # ifndef OPENSSL_NO_SHA0
--# ifdef OPENSSL_FIPS
--int private_SHA_Init(SHA_CTX *c);
--# endif
- int SHA_Init(SHA_CTX *c);
- int SHA_Update(SHA_CTX *c, const void *data, size_t len);
- int SHA_Final(unsigned char *md, SHA_CTX *c);
-@@ -115,9 +112,6 @@ unsigned char *SHA(const unsigned char *
- void SHA_Transform(SHA_CTX *c, const unsigned char *data);
- # endif
- # ifndef OPENSSL_NO_SHA1
--# ifdef OPENSSL_FIPS
--int private_SHA1_Init(SHA_CTX *c);
--# endif
- int SHA1_Init(SHA_CTX *c);
- int SHA1_Update(SHA_CTX *c, const void *data, size_t len);
- int SHA1_Final(unsigned char *md, SHA_CTX *c);
-@@ -139,10 +133,6 @@ typedef struct SHA256state_st {
- } SHA256_CTX;
-
- # ifndef OPENSSL_NO_SHA256
--# ifdef OPENSSL_FIPS
--int private_SHA224_Init(SHA256_CTX *c);
--int private_SHA256_Init(SHA256_CTX *c);
--# endif
- int SHA224_Init(SHA256_CTX *c);
- int SHA224_Update(SHA256_CTX *c, const void *data, size_t len);
- int SHA224_Final(unsigned char *md, SHA256_CTX *c);
-@@ -192,10 +182,6 @@ typedef struct SHA512state_st {
- # endif
-
- # ifndef OPENSSL_NO_SHA512
--# ifdef OPENSSL_FIPS
--int private_SHA384_Init(SHA512_CTX *c);
--int private_SHA512_Init(SHA512_CTX *c);
--# endif
- int SHA384_Init(SHA512_CTX *c);
- int SHA384_Update(SHA512_CTX *c, const void *data, size_t len);
- int SHA384_Final(unsigned char *md, SHA512_CTX *c);
-diff -up openssl-1.0.2a/crypto/sha/sha_locl.h.fips openssl-1.0.2a/crypto/sha/sha_locl.h
---- openssl-1.0.2a/crypto/sha/sha_locl.h.fips 2015-04-22 16:08:39.966237935 +0200
-+++ openssl-1.0.2a/crypto/sha/sha_locl.h 2015-04-22 16:08:40.304245938 +0200
-@@ -123,11 +123,14 @@ void sha1_block_data_order(SHA_CTX *c, c
- #define INIT_DATA_h4 0xc3d2e1f0UL
-
- #ifdef SHA_0
--fips_md_init(SHA)
-+nonfips_md_init(SHA)
- #else
- fips_md_init_ctx(SHA1, SHA)
- #endif
- {
-+#if defined(SHA_1) && defined(OPENSSL_FIPS)
-+ FIPS_selftest_check();
-+#endif
- memset(c, 0, sizeof(*c));
- c->h0 = INIT_DATA_h0;
- c->h1 = INIT_DATA_h1;
-diff -up openssl-1.0.2a/crypto/sha/sha256.c.fips openssl-1.0.2a/crypto/sha/sha256.c
---- openssl-1.0.2a/crypto/sha/sha256.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/sha/sha256.c 2015-04-22 16:08:40.304245938 +0200
-@@ -12,12 +12,19 @@
-
- # include <openssl/crypto.h>
- # include <openssl/sha.h>
-+# ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+# endif
-+
- # include <openssl/opensslv.h>
-
- const char SHA256_version[] = "SHA-256" OPENSSL_VERSION_PTEXT;
-
- fips_md_init_ctx(SHA224, SHA256)
- {
-+# ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+# endif
- memset(c, 0, sizeof(*c));
- c->h[0] = 0xc1059ed8UL;
- c->h[1] = 0x367cd507UL;
-@@ -33,6 +40,9 @@ fips_md_init_ctx(SHA224, SHA256)
-
- fips_md_init(SHA256)
- {
-+# ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+# endif
- memset(c, 0, sizeof(*c));
- c->h[0] = 0x6a09e667UL;
- c->h[1] = 0xbb67ae85UL;
-diff -up openssl-1.0.2a/crypto/sha/sha512.c.fips openssl-1.0.2a/crypto/sha/sha512.c
---- openssl-1.0.2a/crypto/sha/sha512.c.fips 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/sha/sha512.c 2015-04-22 16:08:40.304245938 +0200
-@@ -5,6 +5,10 @@
- * ====================================================================
- */
- #include <openssl/opensslconf.h>
-+#ifdef OPENSSL_FIPS
-+# include <openssl/fips.h>
-+#endif
-+
- #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
- /*-
- * IMPLEMENTATION NOTES.
-@@ -62,6 +66,9 @@ const char SHA512_version[] = "SHA-512"
-
- fips_md_init_ctx(SHA384, SHA512)
- {
-+# ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+# endif
- c->h[0] = U64(0xcbbb9d5dc1059ed8);
- c->h[1] = U64(0x629a292a367cd507);
- c->h[2] = U64(0x9159015a3070dd17);
-@@ -80,6 +87,9 @@ fips_md_init_ctx(SHA384, SHA512)
-
- fips_md_init(SHA512)
- {
-+# ifdef OPENSSL_FIPS
-+ FIPS_selftest_check();
-+# endif
- c->h[0] = U64(0x6a09e667f3bcc908);
- c->h[1] = U64(0xbb67ae8584caa73b);
- c->h[2] = U64(0x3c6ef372fe94f82b);
-diff -up openssl-1.0.2a/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.2a/crypto/whrlpool/wp_dgst.c
---- openssl-1.0.2a/crypto/whrlpool/wp_dgst.c.fips 2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/whrlpool/wp_dgst.c 2015-04-22 16:08:40.304245938 +0200
-@@ -55,7 +55,7 @@
- #include <openssl/crypto.h>
- #include <string.h>
-
--fips_md_init(WHIRLPOOL)
-+nonfips_md_init(WHIRLPOOL)
- {
- memset(c, 0, sizeof(*c));
- return (1);
-diff -up openssl-1.0.2a/Makefile.org.fips openssl-1.0.2a/Makefile.org
---- openssl-1.0.2a/Makefile.org.fips 2015-04-22 16:08:40.270245133 +0200
-+++ openssl-1.0.2a/Makefile.org 2015-04-22 16:08:40.304245938 +0200
-@@ -137,6 +137,9 @@ FIPSCANLIB=
-
- BASEADDR=
-
-+# Non-empty if FIPS enabled
-+FIPS=
-+
- DIRS= crypto ssl engines apps test tools
- ENGDIRS= ccgost
- SHLIBDIRS= crypto ssl
-@@ -149,7 +152,7 @@ SDIRS= \
- bn ec rsa dsa ecdsa dh ecdh dso engine \
- buffer bio stack lhash rand err \
- evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
-- cms pqueue ts jpake srp store cmac
-+ cms pqueue ts jpake srp store cmac fips
- # keep in mind that the above list is adjusted by ./Configure
- # according to no-xxx arguments...
-
-@@ -238,6 +241,7 @@ BUILDENV= PLATFORM='$(PLATFORM)' PROCESS
- FIPSLIBDIR='${FIPSLIBDIR}' \
- FIPSDIR='${FIPSDIR}' \
- FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}" \
-+ FIPS="$${FIPS:-$(FIPS)}" \
- THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
- # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
- # which in turn eliminates ambiguities in variable treatment with -e.
-diff -up openssl-1.0.2a/ssl/ssl_algs.c.fips openssl-1.0.2a/ssl/ssl_algs.c
---- openssl-1.0.2a/ssl/ssl_algs.c.fips 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/ssl/ssl_algs.c 2015-04-22 16:08:40.305245962 +0200
-@@ -64,6 +64,11 @@
- int SSL_library_init(void)
- {
-
-+#ifdef OPENSSL_FIPS
-+ OPENSSL_init_library();
-+ if (!FIPS_mode()) {
-+#endif
-+
- #ifndef OPENSSL_NO_DES
- EVP_add_cipher(EVP_des_cbc());
- EVP_add_cipher(EVP_des_ede3_cbc());
-@@ -142,6 +147,48 @@ int SSL_library_init(void)
- EVP_add_digest(EVP_sha());
- EVP_add_digest(EVP_dss());
- #endif
-+#ifdef OPENSSL_FIPS
-+ } else {
-+# ifndef OPENSSL_NO_DES
-+ EVP_add_cipher(EVP_des_ede3_cbc());
-+# endif
-+# ifndef OPENSSL_NO_AES
-+ EVP_add_cipher(EVP_aes_128_cbc());
-+ EVP_add_cipher(EVP_aes_192_cbc());
-+ EVP_add_cipher(EVP_aes_256_cbc());
-+ EVP_add_cipher(EVP_aes_128_gcm());
-+ EVP_add_cipher(EVP_aes_256_gcm());
-+# endif
-+# ifndef OPENSSL_NO_MD5
-+ /* needed even in the FIPS mode for TLS MAC */
-+ EVP_add_digest(EVP_md5());
-+ EVP_add_digest_alias(SN_md5, "ssl2-md5");
-+ EVP_add_digest_alias(SN_md5, "ssl3-md5");
-+# endif
-+# ifndef OPENSSL_NO_SHA
-+ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
-+ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
-+ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
-+# endif
-+# ifndef OPENSSL_NO_SHA256
-+ EVP_add_digest(EVP_sha224());
-+ EVP_add_digest(EVP_sha256());
-+# endif
-+# ifndef OPENSSL_NO_SHA512
-+ EVP_add_digest(EVP_sha384());
-+ EVP_add_digest(EVP_sha512());
-+# endif
-+# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
-+ EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
-+ EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
-+ EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
-+ EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
-+# endif
-+# ifndef OPENSSL_NO_ECDSA
-+ EVP_add_digest(EVP_ecdsa());
-+# endif
-+ }
-+#endif
- #ifndef OPENSSL_NO_COMP
- /*
- * This will initialise the built-in compression algorithms. The value
diff --git a/openssl-1.0.2a-rpmbuild.patch b/openssl-1.0.2a-rpmbuild.patch
deleted file mode 100644
index 69252f1..0000000
--- a/openssl-1.0.2a-rpmbuild.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure
---- openssl-1.0.2a/Configure.rpmbuild 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/Configure 2015-04-20 14:35:03.516318252 +0200
-@@ -348,8 +348,8 @@ my %table=(
- ####
- # *-generic* is endian-neutral target, but ./config is free to
- # throw in -D[BL]_ENDIAN, whichever appropriate...
--"linux-generic32","gcc:-O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-ppc", "gcc:-DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-generic32","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
-+"linux-ppc", "gcc:-DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
-
- #######################################################################
- # Note that -march is not among compiler options in below linux-armv4
-@@ -378,30 +378,30 @@ my %table=(
- #
- # ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8
- #
--"linux-armv4", "gcc: -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-aarch64","gcc: -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-armv4", "gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
-+"linux-aarch64","gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
- # Configure script adds minimally required -march for assembly support,
- # if no -march was specified at command line. mips32 and mips64 below
- # refer to contemporary MIPS Architecture specifications, MIPS32 and
- # MIPS64, rather than to kernel bitness.
--"linux-mips32", "gcc:-mabi=32 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-mips64", "gcc:-mabi=n32 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:n32:dlfcn:linux-shared:-fPIC:-mabi=n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::32",
--"linux64-mips64", "gcc:-mabi=64 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-mips32", "gcc:-mabi=32 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
-+"linux-mips64", "gcc:-mabi=n32 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:n32:dlfcn:linux-shared:-fPIC:-mabi=n32 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::32",
-+"linux64-mips64", "gcc:-mabi=64 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
- #### IA-32 targets...
- "linux-ia32-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-elf", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-elf", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- "linux-aout", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
- ####
--"linux-generic64","gcc:-O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-ppc64", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
--"linux-ppc64le","gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
--"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
-+"linux-ppc64", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
-+"linux-ppc64le","gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
-+"linux-ia64", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- "linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
- "linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Weverything $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
- "linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
- "linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
--"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux64-s390x", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
- #### So called "highgprs" target for z/Architecture CPUs
- # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
- # /proc/cpuinfo. The idea is to preserve most significant bits of
-@@ -419,12 +419,12 @@ my %table=(
- #### SPARC Linux setups
- # Ray Miller <ray.miller at computing-services.oxford.ac.uk> has patiently
- # assisted with debugging of following two configs.
--"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- # it's a real mess with -mcpu=ultrasparc option under Linux, but
- # -Wa,-Av8plus should do the trick no matter what.
--"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
- # GCC 3.1 is a requirement
--"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
- #### Alpha Linux with GNU C and Compaq C setups
- # Special notes:
- # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
-@@ -1737,7 +1737,7 @@ while (<IN>)
- elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
- {
- my $sotmp = $1;
-- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
-+ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
- }
- elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
- {
-diff -up openssl-1.0.2a/Makefile.org.rpmbuild openssl-1.0.2a/Makefile.org
---- openssl-1.0.2a/Makefile.org.rpmbuild 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/Makefile.org 2015-04-20 14:11:52.152847093 +0200
-@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
- SHLIB_MAJOR=
- SHLIB_MINOR=
- SHLIB_EXT=
-+SHLIB_SONAMEVER=10
- PLATFORM=dist
- OPTIONS=
- CONFIGURE_ARGS=
-@@ -335,10 +336,9 @@ clean-shared:
- link-shared:
- @ set -e; for i in $(SHLIBDIRS); do \
- $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
-- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
-+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
- LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
- symlink.$(SHLIB_TARGET); \
-- libs="$$libs -l$$i"; \
- done
-
- build-shared: do_$(SHLIB_TARGET) link-shared
-@@ -349,7 +349,7 @@ do_$(SHLIB_TARGET):
- libs="$(LIBKRB5) $$libs"; \
- fi; \
- $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
-- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
-+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
- LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
- LIBDEPS="$$libs $(EX_LIBS)" \
- link_a.$(SHLIB_TARGET); \
diff --git a/openssl-1.0.2a-trusted-first-doc.patch b/openssl-1.0.2a-trusted-first-doc.patch
deleted file mode 100644
index 8333751..0000000
--- a/openssl-1.0.2a-trusted-first-doc.patch
+++ /dev/null
@@ -1,286 +0,0 @@
-diff -up openssl-1.0.2a/apps/cms.c.trusted-first openssl-1.0.2a/apps/cms.c
---- openssl-1.0.2a/apps/cms.c.trusted-first 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/apps/cms.c 2015-04-22 16:25:31.839164061 +0200
-@@ -646,6 +646,8 @@ int MAIN(int argc, char **argv)
- "-CApath dir trusted certificates directory\n");
- BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
- BIO_printf(bio_err,
-+ "-trusted_first use trusted certificates first when building the trust chain\n");
-+ BIO_printf(bio_err,
- "-crl_check check revocation status of signer's certificate using CRLs\n");
- BIO_printf(bio_err,
- "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
-diff -up openssl-1.0.2a/apps/ocsp.c.trusted-first openssl-1.0.2a/apps/ocsp.c
---- openssl-1.0.2a/apps/ocsp.c.trusted-first 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/apps/ocsp.c 2015-04-22 16:25:31.840164085 +0200
-@@ -536,6 +536,8 @@ int MAIN(int argc, char **argv)
- BIO_printf(bio_err,
- "-CAfile file trusted certificates file\n");
- BIO_printf(bio_err,
-+ "-trusted_first use trusted certificates first when building the trust chain\n");
-+ BIO_printf(bio_err,
- "-VAfile file validator certificates file\n");
- BIO_printf(bio_err,
- "-validity_period n maximum validity discrepancy in seconds\n");
-diff -up openssl-1.0.2a/apps/s_client.c.trusted-first openssl-1.0.2a/apps/s_client.c
---- openssl-1.0.2a/apps/s_client.c.trusted-first 2015-04-22 16:25:31.799163115 +0200
-+++ openssl-1.0.2a/apps/s_client.c 2015-04-22 16:25:31.840164085 +0200
-@@ -333,6 +333,8 @@ static void sc_usage(void)
- BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
- BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
- BIO_printf(bio_err,
-+ " -trusted_first - Use trusted CA's first when building the trust chain\n");
-+ BIO_printf(bio_err,
- " -reconnect - Drop and re-make the connection with the same Session-ID\n");
- BIO_printf(bio_err,
- " -pause - sleep(1) after each read(2) and write(2) system call\n");
-diff -up openssl-1.0.2a/apps/smime.c.trusted-first openssl-1.0.2a/apps/smime.c
---- openssl-1.0.2a/apps/smime.c.trusted-first 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/apps/smime.c 2015-04-22 16:25:31.840164085 +0200
-@@ -442,6 +442,8 @@ int MAIN(int argc, char **argv)
- "-CApath dir trusted certificates directory\n");
- BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
- BIO_printf(bio_err,
-+ "-trusted_first use trusted certificates first when building the trust chain\n");
-+ BIO_printf(bio_err,
- "-crl_check check revocation status of signer's certificate using CRLs\n");
- BIO_printf(bio_err,
- "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
-diff -up openssl-1.0.2a/apps/s_server.c.trusted-first openssl-1.0.2a/apps/s_server.c
---- openssl-1.0.2a/apps/s_server.c.trusted-first 2015-04-22 16:25:31.806163281 +0200
-+++ openssl-1.0.2a/apps/s_server.c 2015-04-22 16:25:31.841164108 +0200
-@@ -569,6 +569,8 @@ static void sv_usage(void)
- BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
- BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
- BIO_printf(bio_err,
-+ " -trusted_first - Use trusted CA's first when building the trust chain\n");
-+ BIO_printf(bio_err,
- " -nocert - Don't use any certificates (Anon-DH)\n");
- BIO_printf(bio_err,
- " -cipher arg - play with 'openssl ciphers' to see what goes here\n");
-diff -up openssl-1.0.2a/apps/s_time.c.trusted-first openssl-1.0.2a/apps/s_time.c
---- openssl-1.0.2a/apps/s_time.c.trusted-first 2015-04-22 16:25:31.755162075 +0200
-+++ openssl-1.0.2a/apps/s_time.c 2015-04-22 16:25:31.841164108 +0200
-@@ -182,6 +182,7 @@ static void s_time_usage(void)
- file if not specified by this option\n\
- -CApath arg - PEM format directory of CA's\n\
- -CAfile arg - PEM format file of CA's\n\
-+-trusted_first - Use trusted CA's first when building the trust chain\n\
- -cipher - preferred cipher to use, play with 'openssl ciphers'\n\n";
-
- printf("usage: s_time <args>\n\n");
-diff -up openssl-1.0.2a/apps/ts.c.trusted-first openssl-1.0.2a/apps/ts.c
---- openssl-1.0.2a/apps/ts.c.trusted-first 2015-04-22 16:25:31.797163068 +0200
-+++ openssl-1.0.2a/apps/ts.c 2015-04-22 16:25:31.841164108 +0200
-@@ -352,7 +352,7 @@ int MAIN(int argc, char **argv)
- "ts -verify [-data file_to_hash] [-digest digest_bytes] "
- "[-queryfile request.tsq] "
- "-in response.tsr [-token_in] "
-- "-CApath ca_path -CAfile ca_file.pem "
-+ "-CApath ca_path -CAfile ca_file.pem -trusted_first"
- "-untrusted cert_file.pem\n");
- cleanup:
- /* Clean up. */
-diff -up openssl-1.0.2a/apps/verify.c.trusted-first openssl-1.0.2a/apps/verify.c
---- openssl-1.0.2a/apps/verify.c.trusted-first 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/apps/verify.c 2015-04-22 16:25:31.841164108 +0200
-@@ -231,7 +231,7 @@ int MAIN(int argc, char **argv)
- end:
- if (ret == 1) {
- BIO_printf(bio_err,
-- "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
-+ "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
- BIO_printf(bio_err, " [-attime timestamp]");
- #ifndef OPENSSL_NO_ENGINE
- BIO_printf(bio_err, " [-engine e]");
-diff -up openssl-1.0.2a/doc/apps/cms.pod.trusted-first openssl-1.0.2a/doc/apps/cms.pod
---- openssl-1.0.2a/doc/apps/cms.pod.trusted-first 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/doc/apps/cms.pod 2015-04-22 16:25:31.842164132 +0200
-@@ -35,6 +35,7 @@ B<openssl> B<cms>
- [B<-print>]
- [B<-CAfile file>]
- [B<-CApath dir>]
-+[B<-trusted_first>]
- [B<-md digest>]
- [B<-[cipher]>]
- [B<-nointern>]
-@@ -244,6 +245,12 @@ B<-verify>. This directory must be a sta
- is a hash of each subject name (using B<x509 -hash>) should be linked
- to each certificate.
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory before untrusted certificates
-+from the message when building the trust chain to verify certificates.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-md digest>
-
- digest algorithm to use when signing or resigning. If not present then the
-diff -up openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first openssl-1.0.2a/doc/apps/ocsp.pod
---- openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first 2015-04-22 16:25:31.798163092 +0200
-+++ openssl-1.0.2a/doc/apps/ocsp.pod 2015-04-22 16:25:31.842164132 +0200
-@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
- [B<-path>]
- [B<-CApath dir>]
- [B<-CAfile file>]
-+[B<-trusted_first>]
- [B<-VAfile file>]
- [B<-validity_period n>]
- [B<-status_age n>]
-@@ -143,6 +144,13 @@ connection timeout to the OCSP responder
- file or pathname containing trusted CA certificates. These are used to verify
- the signature on the OCSP response.
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory over certificates provided
-+in the response or residing in other certificates file when building the trust
-+chain to verify responder certificate.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-verify_other file>
-
- file containing additional certificates to search when attempting to locate
-diff -up openssl-1.0.2a/doc/apps/s_client.pod.trusted-first openssl-1.0.2a/doc/apps/s_client.pod
---- openssl-1.0.2a/doc/apps/s_client.pod.trusted-first 2015-04-22 16:25:31.814163470 +0200
-+++ openssl-1.0.2a/doc/apps/s_client.pod 2015-04-22 16:25:31.843164156 +0200
-@@ -19,6 +19,7 @@ B<openssl> B<s_client>
- [B<-pass arg>]
- [B<-CApath directory>]
- [B<-CAfile filename>]
-+[B<-trusted_first>]
- [B<-reconnect>]
- [B<-pause>]
- [B<-showcerts>]
-@@ -123,7 +124,7 @@ also used when building the client certi
- A file containing trusted certificates to use during server authentication
- and to use when attempting to build the client certificate chain.
-
--=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
-+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
-
- Set various certificate chain valiadition option. See the
- L<B<verify>|verify(1)> manual page for details.
-diff -up openssl-1.0.2a/doc/apps/smime.pod.trusted-first openssl-1.0.2a/doc/apps/smime.pod
---- openssl-1.0.2a/doc/apps/smime.pod.trusted-first 2015-01-20 13:33:36.000000000 +0100
-+++ openssl-1.0.2a/doc/apps/smime.pod 2015-04-22 16:25:31.843164156 +0200
-@@ -15,6 +15,9 @@ B<openssl> B<smime>
- [B<-pk7out>]
- [B<-[cipher]>]
- [B<-in file>]
-+[B<-CAfile file>]
-+[B<-CApath dir>]
-+[B<-trusted_first>]
- [B<-certfile file>]
- [B<-signer file>]
- [B<-recip file>]
-@@ -146,6 +149,12 @@ B<-verify>. This directory must be a sta
- is a hash of each subject name (using B<x509 -hash>) should be linked
- to each certificate.
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory over certificates provided
-+in the message when building the trust chain to verify a certificate.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-md digest>
-
- digest algorithm to use when signing or resigning. If not present then the
-diff -up openssl-1.0.2a/doc/apps/s_server.pod.trusted-first openssl-1.0.2a/doc/apps/s_server.pod
---- openssl-1.0.2a/doc/apps/s_server.pod.trusted-first 2015-04-22 16:25:31.814163470 +0200
-+++ openssl-1.0.2a/doc/apps/s_server.pod 2015-04-22 16:25:31.843164156 +0200
-@@ -33,6 +33,7 @@ B<openssl> B<s_server>
- [B<-state>]
- [B<-CApath directory>]
- [B<-CAfile filename>]
-+[B<-trusted_first>]
- [B<-nocert>]
- [B<-cipher cipherlist>]
- [B<-serverpref>]
-@@ -174,6 +175,12 @@ and to use when attempting to build the
- is also used in the list of acceptable client CAs passed to the client when
- a certificate is requested.
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory before other certificates
-+when building the trust chain to verify client certificates.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-state>
-
- prints out the SSL session states.
-diff -up openssl-1.0.2a/doc/apps/s_time.pod.trusted-first openssl-1.0.2a/doc/apps/s_time.pod
---- openssl-1.0.2a/doc/apps/s_time.pod.trusted-first 2015-01-15 15:43:49.000000000 +0100
-+++ openssl-1.0.2a/doc/apps/s_time.pod 2015-04-22 16:25:31.843164156 +0200
-@@ -14,6 +14,7 @@ B<openssl> B<s_time>
- [B<-key filename>]
- [B<-CApath directory>]
- [B<-CAfile filename>]
-+[B<-trusted_first>]
- [B<-reuse>]
- [B<-new>]
- [B<-verify depth>]
-@@ -76,6 +77,12 @@ also used when building the client certi
- A file containing trusted certificates to use during server authentication
- and to use when attempting to build the client certificate chain.
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory over the certificates provided
-+by the server when building the trust chain to verify server certificate.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-new>
-
- performs the timing test using a new session ID for each connection.
-diff -up openssl-1.0.2a/doc/apps/ts.pod.trusted-first openssl-1.0.2a/doc/apps/ts.pod
---- openssl-1.0.2a/doc/apps/ts.pod.trusted-first 2015-01-20 13:33:36.000000000 +0100
-+++ openssl-1.0.2a/doc/apps/ts.pod 2015-04-22 16:25:31.843164156 +0200
-@@ -46,6 +46,7 @@ B<-verify>
- [B<-token_in>]
- [B<-CApath> trusted_cert_path]
- [B<-CAfile> trusted_certs.pem]
-+[B<-trusted_first>]
- [B<-untrusted> cert_file.pem]
-
- =head1 DESCRIPTION
-@@ -324,6 +325,12 @@ L<verify(1)|verify(1)> for additional de
- or B<-CApath> must be specified.
- (Optional)
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory before other certificates
-+when building the trust chain to verify certificates.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-untrusted> cert_file.pem
-
- Set of additional untrusted certificates in PEM format which may be
-diff -up openssl-1.0.2a/doc/apps/verify.pod.trusted-first openssl-1.0.2a/doc/apps/verify.pod
---- openssl-1.0.2a/doc/apps/verify.pod.trusted-first 2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/doc/apps/verify.pod 2015-04-22 16:25:31.843164156 +0200
-@@ -9,6 +9,7 @@ verify - Utility to verify certificates.
- B<openssl> B<verify>
- [B<-CApath directory>]
- [B<-CAfile file>]
-+[B<-trusted_first>]
- [B<-purpose purpose>]
- [B<-policy arg>]
- [B<-ignore_critical>]
-@@ -78,6 +79,12 @@ If a valid CRL cannot be found an error
- A file of untrusted certificates. The file should contain multiple certificates
- in PEM format concatenated together.
-
-+=item B<-trusted_first>
-+
-+Use certificates in CA file or CA directory before the certificates in the untrusted
-+file when building the trust chain to verify certificates.
-+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
-+
- =item B<-purpose purpose>
-
- The intended use for the certificate. If this option is not specified,
diff --git a/openssl-1.0.2c-default-paths.patch b/openssl-1.0.2c-default-paths.patch
new file mode 100644
index 0000000..aa607be
--- /dev/null
+++ b/openssl-1.0.2c-default-paths.patch
@@ -0,0 +1,63 @@
+diff -up openssl-1.0.2c/apps/s_server.c.default-paths openssl-1.0.2c/apps/s_server.c
+--- openssl-1.0.2c/apps/s_server.c.default-paths 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/apps/s_server.c 2015-06-15 17:24:17.747446515 +0200
+@@ -1788,12 +1788,16 @@ int MAIN(int argc, char *argv[])
+ }
+ #endif
+
+- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(ctx))) {
+- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
+- ERR_print_errors(bio_err);
+- /* goto end; */
++ if (CAfile == NULL && CApath == NULL) {
++ if (!SSL_CTX_set_default_verify_paths(ctx)) {
++ ERR_print_errors(bio_err);
++ }
++ } else {
++ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
++ ERR_print_errors(bio_err);
++ }
+ }
++
+ if (vpm)
+ SSL_CTX_set1_param(ctx, vpm);
+
+@@ -1850,8 +1854,10 @@ int MAIN(int argc, char *argv[])
+ else
+ SSL_CTX_sess_set_cache_size(ctx2, 128);
+
+- if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(ctx2))) {
++ if (!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) {
++ ERR_print_errors(bio_err);
++ }
++ if (!SSL_CTX_set_default_verify_paths(ctx2)) {
+ ERR_print_errors(bio_err);
+ }
+ if (vpm)
+diff -up openssl-1.0.2c/apps/s_time.c.default-paths openssl-1.0.2c/apps/s_time.c
+--- openssl-1.0.2c/apps/s_time.c.default-paths 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/apps/s_time.c 2015-06-15 17:24:17.747446515 +0200
+@@ -381,13 +381,14 @@ int MAIN(int argc, char **argv)
+
+ SSL_load_error_strings();
+
+- if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(tm_ctx))) {
+- /*
+- * BIO_printf(bio_err,"error setting default verify locations\n");
+- */
+- ERR_print_errors(bio_err);
+- /* goto end; */
++ if (CAfile == NULL && CApath == NULL) {
++ if (!SSL_CTX_set_default_verify_paths(tm_ctx)) {
++ ERR_print_errors(bio_err);
++ }
++ } else {
++ if (!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) {
++ ERR_print_errors(bio_err);
++ }
+ }
+
+ if (tm_cipher == NULL)
diff --git a/openssl-1.0.2c-ecc-suiteb.patch b/openssl-1.0.2c-ecc-suiteb.patch
new file mode 100644
index 0000000..dfcae76
--- /dev/null
+++ b/openssl-1.0.2c-ecc-suiteb.patch
@@ -0,0 +1,195 @@
+diff -up openssl-1.0.2c/apps/speed.c.suiteb openssl-1.0.2c/apps/speed.c
+--- openssl-1.0.2c/apps/speed.c.suiteb 2015-06-15 17:37:06.285083685 +0200
++++ openssl-1.0.2c/apps/speed.c 2015-06-15 17:37:06.335084836 +0200
+@@ -996,78 +996,26 @@ int MAIN(int argc, char **argv)
+ } else
+ # endif
+ # ifndef OPENSSL_NO_ECDSA
+- if (strcmp(*argv, "ecdsap160") == 0)
+- ecdsa_doit[R_EC_P160] = 2;
+- else if (strcmp(*argv, "ecdsap192") == 0)
+- ecdsa_doit[R_EC_P192] = 2;
+- else if (strcmp(*argv, "ecdsap224") == 0)
+- ecdsa_doit[R_EC_P224] = 2;
+- else if (strcmp(*argv, "ecdsap256") == 0)
++ if (strcmp(*argv, "ecdsap256") == 0)
+ ecdsa_doit[R_EC_P256] = 2;
+ else if (strcmp(*argv, "ecdsap384") == 0)
+ ecdsa_doit[R_EC_P384] = 2;
+ else if (strcmp(*argv, "ecdsap521") == 0)
+ ecdsa_doit[R_EC_P521] = 2;
+- else if (strcmp(*argv, "ecdsak163") == 0)
+- ecdsa_doit[R_EC_K163] = 2;
+- else if (strcmp(*argv, "ecdsak233") == 0)
+- ecdsa_doit[R_EC_K233] = 2;
+- else if (strcmp(*argv, "ecdsak283") == 0)
+- ecdsa_doit[R_EC_K283] = 2;
+- else if (strcmp(*argv, "ecdsak409") == 0)
+- ecdsa_doit[R_EC_K409] = 2;
+- else if (strcmp(*argv, "ecdsak571") == 0)
+- ecdsa_doit[R_EC_K571] = 2;
+- else if (strcmp(*argv, "ecdsab163") == 0)
+- ecdsa_doit[R_EC_B163] = 2;
+- else if (strcmp(*argv, "ecdsab233") == 0)
+- ecdsa_doit[R_EC_B233] = 2;
+- else if (strcmp(*argv, "ecdsab283") == 0)
+- ecdsa_doit[R_EC_B283] = 2;
+- else if (strcmp(*argv, "ecdsab409") == 0)
+- ecdsa_doit[R_EC_B409] = 2;
+- else if (strcmp(*argv, "ecdsab571") == 0)
+- ecdsa_doit[R_EC_B571] = 2;
+ else if (strcmp(*argv, "ecdsa") == 0) {
+- for (i = 0; i < EC_NUM; i++)
++ for (i = R_EC_P256; i <= R_EC_P521; i++)
+ ecdsa_doit[i] = 1;
+ } else
+ # endif
+ # ifndef OPENSSL_NO_ECDH
+- if (strcmp(*argv, "ecdhp160") == 0)
+- ecdh_doit[R_EC_P160] = 2;
+- else if (strcmp(*argv, "ecdhp192") == 0)
+- ecdh_doit[R_EC_P192] = 2;
+- else if (strcmp(*argv, "ecdhp224") == 0)
+- ecdh_doit[R_EC_P224] = 2;
+- else if (strcmp(*argv, "ecdhp256") == 0)
++ if (strcmp(*argv, "ecdhp256") == 0)
+ ecdh_doit[R_EC_P256] = 2;
+ else if (strcmp(*argv, "ecdhp384") == 0)
+ ecdh_doit[R_EC_P384] = 2;
+ else if (strcmp(*argv, "ecdhp521") == 0)
+ ecdh_doit[R_EC_P521] = 2;
+- else if (strcmp(*argv, "ecdhk163") == 0)
+- ecdh_doit[R_EC_K163] = 2;
+- else if (strcmp(*argv, "ecdhk233") == 0)
+- ecdh_doit[R_EC_K233] = 2;
+- else if (strcmp(*argv, "ecdhk283") == 0)
+- ecdh_doit[R_EC_K283] = 2;
+- else if (strcmp(*argv, "ecdhk409") == 0)
+- ecdh_doit[R_EC_K409] = 2;
+- else if (strcmp(*argv, "ecdhk571") == 0)
+- ecdh_doit[R_EC_K571] = 2;
+- else if (strcmp(*argv, "ecdhb163") == 0)
+- ecdh_doit[R_EC_B163] = 2;
+- else if (strcmp(*argv, "ecdhb233") == 0)
+- ecdh_doit[R_EC_B233] = 2;
+- else if (strcmp(*argv, "ecdhb283") == 0)
+- ecdh_doit[R_EC_B283] = 2;
+- else if (strcmp(*argv, "ecdhb409") == 0)
+- ecdh_doit[R_EC_B409] = 2;
+- else if (strcmp(*argv, "ecdhb571") == 0)
+- ecdh_doit[R_EC_B571] = 2;
+ else if (strcmp(*argv, "ecdh") == 0) {
+- for (i = 0; i < EC_NUM; i++)
++ for (i = R_EC_P256; i <= R_EC_P521; i++)
+ ecdh_doit[i] = 1;
+ } else
+ # endif
+@@ -1156,21 +1104,11 @@ int MAIN(int argc, char **argv)
+ BIO_printf(bio_err, "dsa512 dsa1024 dsa2048\n");
+ # endif
+ # ifndef OPENSSL_NO_ECDSA
+- BIO_printf(bio_err, "ecdsap160 ecdsap192 ecdsap224 "
+- "ecdsap256 ecdsap384 ecdsap521\n");
+- BIO_printf(bio_err,
+- "ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n");
+- BIO_printf(bio_err,
+- "ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n");
++ BIO_printf(bio_err, "ecdsap256 ecdsap384 ecdsap521\n");
+ BIO_printf(bio_err, "ecdsa\n");
+ # endif
+ # ifndef OPENSSL_NO_ECDH
+- BIO_printf(bio_err, "ecdhp160 ecdhp192 ecdhp224 "
+- "ecdhp256 ecdhp384 ecdhp521\n");
+- BIO_printf(bio_err,
+- "ecdhk163 ecdhk233 ecdhk283 ecdhk409 ecdhk571\n");
+- BIO_printf(bio_err,
+- "ecdhb163 ecdhb233 ecdhb283 ecdhb409 ecdhb571\n");
++ BIO_printf(bio_err, "ecdhp256 ecdhp384 ecdhp521\n");
+ BIO_printf(bio_err, "ecdh\n");
+ # endif
+
+@@ -1255,11 +1193,11 @@ int MAIN(int argc, char **argv)
+ if (!FIPS_mode() || i != R_DSA_512)
+ dsa_doit[i] = 1;
+ # ifndef OPENSSL_NO_ECDSA
+- for (i = 0; i < EC_NUM; i++)
++ for (i = R_EC_P256; i <= R_EC_P521; i++)
+ ecdsa_doit[i] = 1;
+ # endif
+ # ifndef OPENSSL_NO_ECDH
+- for (i = 0; i < EC_NUM; i++)
++ for (i = R_EC_P256; i <= R_EC_P521; i++)
+ ecdh_doit[i] = 1;
+ # endif
+ }
+diff -up openssl-1.0.2c/ssl/t1_lib.c.suiteb openssl-1.0.2c/ssl/t1_lib.c
+--- openssl-1.0.2c/ssl/t1_lib.c.suiteb 2015-06-12 16:51:27.000000000 +0200
++++ openssl-1.0.2c/ssl/t1_lib.c 2015-06-15 17:44:03.578681271 +0200
+@@ -268,11 +268,7 @@ static const unsigned char eccurves_auto
+ 0, 23, /* secp256r1 (23) */
+ /* Other >= 256-bit prime curves. */
+ 0, 25, /* secp521r1 (25) */
+- 0, 28, /* brainpool512r1 (28) */
+- 0, 27, /* brainpoolP384r1 (27) */
+ 0, 24, /* secp384r1 (24) */
+- 0, 26, /* brainpoolP256r1 (26) */
+- 0, 22, /* secp256k1 (22) */
+ # ifndef OPENSSL_NO_EC2M
+ /* >= 256-bit binary curves. */
+ 0, 14, /* sect571r1 (14) */
+@@ -289,11 +285,7 @@ static const unsigned char eccurves_all[
+ 0, 23, /* secp256r1 (23) */
+ /* Other >= 256-bit prime curves. */
+ 0, 25, /* secp521r1 (25) */
+- 0, 28, /* brainpool512r1 (28) */
+- 0, 27, /* brainpoolP384r1 (27) */
+ 0, 24, /* secp384r1 (24) */
+- 0, 26, /* brainpoolP256r1 (26) */
+- 0, 22, /* secp256k1 (22) */
+ # ifndef OPENSSL_NO_EC2M
+ /* >= 256-bit binary curves. */
+ 0, 14, /* sect571r1 (14) */
+@@ -307,13 +299,6 @@ static const unsigned char eccurves_all[
+ * Remaining curves disabled by default but still permitted if set
+ * via an explicit callback or parameters.
+ */
+- 0, 20, /* secp224k1 (20) */
+- 0, 21, /* secp224r1 (21) */
+- 0, 18, /* secp192k1 (18) */
+- 0, 19, /* secp192r1 (19) */
+- 0, 15, /* secp160k1 (15) */
+- 0, 16, /* secp160r1 (16) */
+- 0, 17, /* secp160r2 (17) */
+ # ifndef OPENSSL_NO_EC2M
+ 0, 8, /* sect239k1 (8) */
+ 0, 6, /* sect233k1 (6) */
+@@ -348,29 +333,21 @@ static const unsigned char fips_curves_d
+ 0, 9, /* sect283k1 (9) */
+ 0, 10, /* sect283r1 (10) */
+ # endif
+- 0, 22, /* secp256k1 (22) */
+ 0, 23, /* secp256r1 (23) */
+ # ifndef OPENSSL_NO_EC2M
+ 0, 8, /* sect239k1 (8) */
+ 0, 6, /* sect233k1 (6) */
+ 0, 7, /* sect233r1 (7) */
+ # endif
+- 0, 20, /* secp224k1 (20) */
+- 0, 21, /* secp224r1 (21) */
+ # ifndef OPENSSL_NO_EC2M
+ 0, 4, /* sect193r1 (4) */
+ 0, 5, /* sect193r2 (5) */
+ # endif
+- 0, 18, /* secp192k1 (18) */
+- 0, 19, /* secp192r1 (19) */
+ # ifndef OPENSSL_NO_EC2M
+ 0, 1, /* sect163k1 (1) */
+ 0, 2, /* sect163r1 (2) */
+ 0, 3, /* sect163r2 (3) */
+ # endif
+- 0, 15, /* secp160k1 (15) */
+- 0, 16, /* secp160r1 (16) */
+- 0, 17, /* secp160r2 (17) */
+ };
+ # endif
+
diff --git a/openssl-1.0.2c-fips.patch b/openssl-1.0.2c-fips.patch
new file mode 100644
index 0000000..b23368d
--- /dev/null
+++ b/openssl-1.0.2c-fips.patch
@@ -0,0 +1,13699 @@
+diff -up openssl-1.0.2c/apps/speed.c.fips openssl-1.0.2c/apps/speed.c
+--- openssl-1.0.2c/apps/speed.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/apps/speed.c 2015-06-15 17:29:59.999283776 +0200
+@@ -197,7 +197,6 @@
+ # ifdef OPENSSL_DOING_MAKEDEPEND
+ # undef AES_set_encrypt_key
+ # undef AES_set_decrypt_key
+-# undef DES_set_key_unchecked
+ # endif
+ # define BF_set_key private_BF_set_key
+ # define CAST_set_key private_CAST_set_key
+@@ -205,7 +204,6 @@
+ # define SEED_set_key private_SEED_set_key
+ # define RC2_set_key private_RC2_set_key
+ # define RC4_set_key private_RC4_set_key
+-# define DES_set_key_unchecked private_DES_set_key_unchecked
+ # define AES_set_encrypt_key private_AES_set_encrypt_key
+ # define AES_set_decrypt_key private_AES_set_decrypt_key
+ # define Camellia_set_key private_Camellia_set_key
+@@ -974,7 +972,12 @@ int MAIN(int argc, char **argv)
+ # endif
+ # ifndef OPENSSL_NO_RSA
+ if (strcmp(*argv, "rsa") == 0) {
+- rsa_doit[R_RSA_512] = 1;
++# ifdef OPENSSL_FIPS
++ if (!FIPS_mode())
++# endif
++ {
++ rsa_doit[R_RSA_512] = 1;
++ }
+ rsa_doit[R_RSA_1024] = 1;
+ rsa_doit[R_RSA_2048] = 1;
+ rsa_doit[R_RSA_4096] = 1;
+@@ -982,7 +985,12 @@ int MAIN(int argc, char **argv)
+ # endif
+ # ifndef OPENSSL_NO_DSA
+ if (strcmp(*argv, "dsa") == 0) {
+- dsa_doit[R_DSA_512] = 1;
++# ifdef OPENSSL_FIPS
++ if (!FIPS_mode())
++# endif
++ {
++ dsa_doit[R_DSA_512] = 1;
++ }
+ dsa_doit[R_DSA_1024] = 1;
+ dsa_doit[R_DSA_2048] = 1;
+ } else
+@@ -1233,13 +1241,19 @@ int MAIN(int argc, char **argv)
+
+ if (j == 0) {
+ for (i = 0; i < ALGOR_NUM; i++) {
+- if (i != D_EVP)
++ if (i != D_EVP &&
++ (!FIPS_mode() || (i != D_WHIRLPOOL &&
++ i != D_MD2 && i != D_MD4 &&
++ i != D_MD5 && i != D_MDC2 &&
++ i != D_RMD160)))
+ doit[i] = 1;
+ }
+ for (i = 0; i < RSA_NUM; i++)
+- rsa_doit[i] = 1;
++ if (!FIPS_mode() || i != R_RSA_512)
++ rsa_doit[i] = 1;
+ for (i = 0; i < DSA_NUM; i++)
+- dsa_doit[i] = 1;
++ if (!FIPS_mode() || i != R_DSA_512)
++ dsa_doit[i] = 1;
+ # ifndef OPENSSL_NO_ECDSA
+ for (i = 0; i < EC_NUM; i++)
+ ecdsa_doit[i] = 1;
+@@ -1299,30 +1313,46 @@ int MAIN(int argc, char **argv)
+ AES_set_encrypt_key(key32, 256, &aes_ks3);
+ # endif
+ # ifndef OPENSSL_NO_CAMELLIA
+- Camellia_set_key(key16, 128, &camellia_ks1);
+- Camellia_set_key(ckey24, 192, &camellia_ks2);
+- Camellia_set_key(ckey32, 256, &camellia_ks3);
++ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML]) {
++ Camellia_set_key(key16, 128, &camellia_ks1);
++ Camellia_set_key(ckey24, 192, &camellia_ks2);
++ Camellia_set_key(ckey32, 256, &camellia_ks3);
++ }
+ # endif
+ # ifndef OPENSSL_NO_IDEA
+- idea_set_encrypt_key(key16, &idea_ks);
++ if (doit[D_CBC_IDEA]) {
++ idea_set_encrypt_key(key16, &idea_ks);
++ }
+ # endif
+ # ifndef OPENSSL_NO_SEED
+- SEED_set_key(key16, &seed_ks);
++ if (doit[D_CBC_SEED]) {
++ SEED_set_key(key16, &seed_ks);
++ }
+ # endif
+ # ifndef OPENSSL_NO_RC4
+- RC4_set_key(&rc4_ks, 16, key16);
++ if (doit[D_RC4]) {
++ RC4_set_key(&rc4_ks, 16, key16);
++ }
+ # endif
+ # ifndef OPENSSL_NO_RC2
+- RC2_set_key(&rc2_ks, 16, key16, 128);
++ if (doit[D_CBC_RC2]) {
++ RC2_set_key(&rc2_ks, 16, key16, 128);
++ }
+ # endif
+ # ifndef OPENSSL_NO_RC5
+- RC5_32_set_key(&rc5_ks, 16, key16, 12);
++ if (doit[D_CBC_RC5]) {
++ RC5_32_set_key(&rc5_ks, 16, key16, 12);
++ }
+ # endif
+ # ifndef OPENSSL_NO_BF
+- BF_set_key(&bf_ks, 16, key16);
++ if (doit[D_CBC_BF]) {
++ BF_set_key(&bf_ks, 16, key16);
++ }
+ # endif
+ # ifndef OPENSSL_NO_CAST
+- CAST_set_key(&cast_ks, 16, key16);
++ if (doit[D_CBC_CAST]) {
++ CAST_set_key(&cast_ks, 16, key16);
++ }
+ # endif
+ # ifndef OPENSSL_NO_RSA
+ memset(rsa_c, 0, sizeof(rsa_c));
+@@ -1605,6 +1635,7 @@ int MAIN(int argc, char **argv)
+ HMAC_CTX hctx;
+
+ HMAC_CTX_init(&hctx);
++ HMAC_CTX_set_flags(&hctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ HMAC_Init_ex(&hctx, (unsigned char *)"This is a key...",
+ 16, EVP_md5(), NULL);
+
+diff -up openssl-1.0.2c/Configure.fips openssl-1.0.2c/Configure
+--- openssl-1.0.2c/Configure.fips 2015-06-15 17:29:59.982283387 +0200
++++ openssl-1.0.2c/Configure 2015-06-15 17:29:59.999283776 +0200
+@@ -1057,11 +1057,6 @@ if (defined($disabled{"md5"}) || defined
+ $disabled{"ssl2"} = "forced";
+ }
+
+-if ($fips && $fipslibdir eq "")
+- {
+- $fipslibdir = $fipsdir . "/lib/";
+- }
+-
+ # RSAX ENGINE sets default non-FIPS RSA method.
+ if ($fips)
+ {
+@@ -1550,7 +1545,6 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($b
+ if ($fips)
+ {
+ $openssl_other_defines.="#define OPENSSL_FIPS\n";
+- $cflags .= " -I\$(FIPSDIR)/include";
+ }
+
+ $cpuid_obj="mem_clr.o" unless ($cpuid_obj =~ /\.o$/);
+@@ -1751,9 +1745,12 @@ while (<IN>)
+
+ s/^FIPSDIR=.*/FIPSDIR=$fipsdir/;
+ s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
+- s/^FIPSCANLIB=.*/FIPSCANLIB=libcrypto/ if $fips;
+ s/^BASEADDR=.*/BASEADDR=$baseaddr/;
+
++ if ($fips)
++ {
++ s/^FIPS=.*/FIPS=yes/;
++ }
+ s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
+ s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
+ s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
+diff -up openssl-1.0.2c/crypto/aes/aes_misc.c.fips openssl-1.0.2c/crypto/aes/aes_misc.c
+--- openssl-1.0.2c/crypto/aes/aes_misc.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/aes/aes_misc.c 2015-06-15 17:29:59.999283776 +0200
+@@ -70,17 +70,11 @@ const char *AES_options(void)
+ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+ AES_KEY *key)
+ {
+-#ifdef OPENSSL_FIPS
+- fips_cipher_abort(AES);
+-#endif
+ return private_AES_set_encrypt_key(userKey, bits, key);
+ }
+
+ int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+ AES_KEY *key)
+ {
+-#ifdef OPENSSL_FIPS
+- fips_cipher_abort(AES);
+-#endif
+ return private_AES_set_decrypt_key(userKey, bits, key);
+ }
+diff -up openssl-1.0.2c/crypto/cmac/cmac.c.fips openssl-1.0.2c/crypto/cmac/cmac.c
+--- openssl-1.0.2c/crypto/cmac/cmac.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/cmac/cmac.c 2015-06-15 17:29:59.999283776 +0200
+@@ -105,12 +105,6 @@ CMAC_CTX *CMAC_CTX_new(void)
+
+ void CMAC_CTX_cleanup(CMAC_CTX *ctx)
+ {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !ctx->cctx.engine) {
+- FIPS_cmac_ctx_cleanup(ctx);
+- return;
+- }
+-#endif
+ EVP_CIPHER_CTX_cleanup(&ctx->cctx);
+ OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH);
+ OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH);
+@@ -160,12 +154,6 @@ int CMAC_Init(CMAC_CTX *ctx, const void
+ EVPerr(EVP_F_CMAC_INIT, EVP_R_DISABLED_FOR_FIPS);
+ return 0;
+ }
+- /*
+- * Other algorithm blocking will be done in FIPS_cmac_init, via
+- * FIPS_cipherinit().
+- */
+- if (!impl && !ctx->cctx.engine)
+- return FIPS_cmac_init(ctx, key, keylen, cipher, NULL);
+ }
+ #endif
+ /* All zeros means restart */
+@@ -211,10 +199,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi
+ {
+ const unsigned char *data = in;
+ size_t bl;
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !ctx->cctx.engine)
+- return FIPS_cmac_update(ctx, in, dlen);
+-#endif
+ if (ctx->nlast_block == -1)
+ return 0;
+ if (dlen == 0)
+@@ -254,10 +238,6 @@ int CMAC_Update(CMAC_CTX *ctx, const voi
+ int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen)
+ {
+ int i, bl, lb;
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !ctx->cctx.engine)
+- return FIPS_cmac_final(ctx, out, poutlen);
+-#endif
+ if (ctx->nlast_block == -1)
+ return 0;
+ bl = EVP_CIPHER_CTX_block_size(&ctx->cctx);
+diff -up openssl-1.0.2c/crypto/crypto.h.fips openssl-1.0.2c/crypto/crypto.h
+--- openssl-1.0.2c/crypto/crypto.h.fips 2015-06-15 17:29:59.886281188 +0200
++++ openssl-1.0.2c/crypto/crypto.h 2015-06-15 17:29:59.999283776 +0200
+@@ -600,24 +600,29 @@ int FIPS_mode_set(int r);
+ void OPENSSL_init(void);
+
+ # define fips_md_init(alg) fips_md_init_ctx(alg, alg)
++# define nonfips_md_init(alg) nonfips_md_init_ctx(alg, alg)
++# define fips_md_init_ctx(alg, cx) \
++ int alg##_Init(cx##_CTX *c)
+
+ # ifdef OPENSSL_FIPS
+-# define fips_md_init_ctx(alg, cx) \
++# define nonfips_md_init_ctx(alg, cx) \
+ int alg##_Init(cx##_CTX *c) \
+ { \
+ if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
+- "Low level API call to digest " #alg " forbidden in FIPS mode!"); \
++ "Digest " #alg " forbidden in FIPS mode!"); \
+ return private_##alg##_Init(c); \
+ } \
+ int private_##alg##_Init(cx##_CTX *c)
+
+ # define fips_cipher_abort(alg) \
+ if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
+- "Low level API call to cipher " #alg " forbidden in FIPS mode!")
++ "Cipher " #alg " forbidden in FIPS mode!")
++
++/* die if FIPS selftest failed */
++void FIPS_selftest_check(void);
+
+ # else
+-# define fips_md_init_ctx(alg, cx) \
+- int alg##_Init(cx##_CTX *c)
++# define nonfips_md_init_ctx(alg, cx) fips_md_init_ctx(alg, cx)
+ # define fips_cipher_abort(alg) while(0)
+ # endif
+
+@@ -637,6 +642,9 @@ int CRYPTO_memcmp(const void *a, const v
+ */
+ void ERR_load_CRYPTO_strings(void);
+
++# define OPENSSL_HAVE_INIT 1
++void OPENSSL_init_library(void);
++
+ /* Error codes for the CRYPTO functions. */
+
+ /* Function codes. */
+diff -up openssl-1.0.2c/crypto/des/des.h.fips openssl-1.0.2c/crypto/des/des.h
+--- openssl-1.0.2c/crypto/des/des.h.fips 2015-06-15 17:29:59.915281852 +0200
++++ openssl-1.0.2c/crypto/des/des.h 2015-06-15 17:30:00.000283799 +0200
+@@ -231,10 +231,6 @@ int DES_set_key(const_DES_cblock *key, D
+ int DES_key_sched(const_DES_cblock *key, DES_key_schedule *schedule);
+ int DES_set_key_checked(const_DES_cblock *key, DES_key_schedule *schedule);
+ void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule);
+-# ifdef OPENSSL_FIPS
+-void private_DES_set_key_unchecked(const_DES_cblock *key,
+- DES_key_schedule *schedule);
+-# endif
+ void DES_string_to_key(const char *str, DES_cblock *key);
+ void DES_string_to_2keys(const char *str, DES_cblock *key1, DES_cblock *key2);
+ void DES_cfb64_encrypt(const unsigned char *in, unsigned char *out,
+diff -up openssl-1.0.2c/crypto/des/set_key.c.fips openssl-1.0.2c/crypto/des/set_key.c
+--- openssl-1.0.2c/crypto/des/set_key.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/des/set_key.c 2015-06-15 17:30:00.000283799 +0200
+@@ -359,15 +359,6 @@ int DES_set_key_checked(const_DES_cblock
+ }
+
+ void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
+-#ifdef OPENSSL_FIPS
+-{
+- fips_cipher_abort(DES);
+- private_DES_set_key_unchecked(key, schedule);
+-}
+-
+-void private_DES_set_key_unchecked(const_DES_cblock *key,
+- DES_key_schedule *schedule)
+-#endif
+ {
+ static const int shifts2[16] =
+ { 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0 };
+diff -up openssl-1.0.2c/crypto/dh/dh_gen.c.fips openssl-1.0.2c/crypto/dh/dh_gen.c
+--- openssl-1.0.2c/crypto/dh/dh_gen.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/dh/dh_gen.c 2015-06-15 17:30:00.000283799 +0200
+@@ -85,10 +85,6 @@ int DH_generate_parameters_ex(DH *ret, i
+ #endif
+ if (ret->meth->generate_params)
+ return ret->meth->generate_params(ret, prime_len, generator, cb);
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_dh_generate_parameters_ex(ret, prime_len, generator, cb);
+-#endif
+ return dh_builtin_genparams(ret, prime_len, generator, cb);
+ }
+
+@@ -126,6 +122,18 @@ static int dh_builtin_genparams(DH *ret,
+ int g, ok = -1;
+ BN_CTX *ctx = NULL;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED);
++ return 0;
++ }
++
++ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
++ DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
++ goto err;
++ }
++#endif
++
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+diff -up openssl-1.0.2c/crypto/dh/dh.h.fips openssl-1.0.2c/crypto/dh/dh.h
+--- openssl-1.0.2c/crypto/dh/dh.h.fips 2015-06-15 17:29:59.860280593 +0200
++++ openssl-1.0.2c/crypto/dh/dh.h 2015-06-15 17:30:00.000283799 +0200
+@@ -77,6 +77,8 @@
+ # define OPENSSL_DH_MAX_MODULUS_BITS 10000
+ # endif
+
++# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
++
+ # define DH_FLAG_CACHE_MONT_P 0x01
+
+ /*
+diff -up openssl-1.0.2c/crypto/dh/dh_key.c.fips openssl-1.0.2c/crypto/dh/dh_key.c
+--- openssl-1.0.2c/crypto/dh/dh_key.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/dh/dh_key.c 2015-06-15 17:30:00.000283799 +0200
+@@ -61,6 +61,9 @@
+ #include <openssl/bn.h>
+ #include <openssl/rand.h>
+ #include <openssl/dh.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+
+ static int generate_key(DH *dh);
+ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
+@@ -97,7 +100,7 @@ int DH_compute_key(unsigned char *key, c
+ int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+ {
+ int rv, pad;
+- rv = dh->meth->compute_key(key, pub_key, dh);
++ rv = DH_compute_key(key, pub_key, dh);
+ if (rv <= 0)
+ return rv;
+ pad = BN_num_bytes(dh->p) - rv;
+@@ -115,7 +118,7 @@ static DH_METHOD dh_ossl = {
+ dh_bn_mod_exp,
+ dh_init,
+ dh_finish,
+- 0,
++ DH_FLAG_FIPS_METHOD,
+ NULL,
+ NULL
+ };
+@@ -134,6 +137,14 @@ static int generate_key(DH *dh)
+ BN_MONT_CTX *mont = NULL;
+ BIGNUM *pub_key = NULL, *priv_key = NULL;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode()
++ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
++ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
++ return 0;
++ }
++#endif
++
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+@@ -217,6 +228,13 @@ static int compute_key(unsigned char *ke
+ DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE);
+ goto err;
+ }
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode()
++ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
++ DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
++ goto err;
++ }
++#endif
+
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+@@ -277,6 +295,9 @@ static int dh_bn_mod_exp(const DH *dh, B
+
+ static int dh_init(DH *dh)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ dh->flags |= DH_FLAG_CACHE_MONT_P;
+ return (1);
+ }
+diff -up openssl-1.0.2c/crypto/dh/dh_lib.c.fips openssl-1.0.2c/crypto/dh/dh_lib.c
+--- openssl-1.0.2c/crypto/dh/dh_lib.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/dh/dh_lib.c 2015-06-15 17:30:00.000283799 +0200
+@@ -80,14 +80,7 @@ void DH_set_default_method(const DH_METH
+ const DH_METHOD *DH_get_default_method(void)
+ {
+ if (!default_DH_method) {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_dh_openssl();
+- else
+- return DH_OpenSSL();
+-#else
+ default_DH_method = DH_OpenSSL();
+-#endif
+ }
+ return default_DH_method;
+ }
+diff -up openssl-1.0.2c/crypto/dsa/dsa_err.c.fips openssl-1.0.2c/crypto/dsa/dsa_err.c
+--- openssl-1.0.2c/crypto/dsa/dsa_err.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/dsa/dsa_err.c 2015-06-15 17:30:00.001283822 +0200
+@@ -74,6 +74,8 @@ static ERR_STRING_DATA DSA_str_functs[]
+ {ERR_FUNC(DSA_F_DO_DSA_PRINT), "DO_DSA_PRINT"},
+ {ERR_FUNC(DSA_F_DSAPARAMS_PRINT), "DSAparams_print"},
+ {ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP), "DSAparams_print_fp"},
++ {ERR_FUNC(DSA_F_DSA_BUILTIN_KEYGEN), "dsa_builtin_keygen"},
++ {ERR_FUNC(DSA_F_DSA_BUILTIN_PARAMGEN), "dsa_builtin_paramgen"},
+ {ERR_FUNC(DSA_F_DSA_BUILTIN_PARAMGEN2), "DSA_BUILTIN_PARAMGEN2"},
+ {ERR_FUNC(DSA_F_DSA_DO_SIGN), "DSA_do_sign"},
+ {ERR_FUNC(DSA_F_DSA_DO_VERIFY), "DSA_do_verify"},
+@@ -109,6 +111,8 @@ static ERR_STRING_DATA DSA_str_reasons[]
+ {ERR_REASON(DSA_R_DECODE_ERROR), "decode error"},
+ {ERR_REASON(DSA_R_INVALID_DIGEST_TYPE), "invalid digest type"},
+ {ERR_REASON(DSA_R_INVALID_PARAMETERS), "invalid parameters"},
++ {ERR_REASON(DSA_R_KEY_SIZE_INVALID), "key size invalid"},
++ {ERR_REASON(DSA_R_KEY_SIZE_TOO_SMALL), "key size too small"},
+ {ERR_REASON(DSA_R_MISSING_PARAMETERS), "missing parameters"},
+ {ERR_REASON(DSA_R_MODULUS_TOO_LARGE), "modulus too large"},
+ {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES), "need new setup values"},
+diff -up openssl-1.0.2c/crypto/dsa/dsa_gen.c.fips openssl-1.0.2c/crypto/dsa/dsa_gen.c
+--- openssl-1.0.2c/crypto/dsa/dsa_gen.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/dsa/dsa_gen.c 2015-06-15 17:30:00.001283822 +0200
+@@ -91,6 +91,16 @@
+ # include <openssl/fips.h>
+ # endif
+
++# ifndef OPENSSL_FIPS
++static int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
++ const EVP_MD *evpmd, unsigned char *seed,
++ int seed_len, BIGNUM **p_ret, BIGNUM **q_ret,
++ int *counter_ret, BN_GENCB *cb);
++static int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
++ BIGNUM **g_ret, unsigned long *h_ret,
++ BN_GENCB *cb);
++# endif
++
+ int DSA_generate_parameters_ex(DSA *ret, int bits,
+ const unsigned char *seed_in, int seed_len,
+ int *counter_ret, unsigned long *h_ret,
+@@ -106,13 +116,6 @@ int DSA_generate_parameters_ex(DSA *ret,
+ if (ret->meth->dsa_paramgen)
+ return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
+ counter_ret, h_ret, cb);
+-# ifdef OPENSSL_FIPS
+- else if (FIPS_mode()) {
+- return FIPS_dsa_generate_parameters_ex(ret, bits,
+- seed_in, seed_len,
+- counter_ret, h_ret, cb);
+- }
+-# endif
+ else {
+ const EVP_MD *evpmd;
+ size_t qbits = bits >= 2048 ? 256 : 160;
+@@ -126,80 +129,156 @@ int DSA_generate_parameters_ex(DSA *ret,
+ }
+
+ return dsa_builtin_paramgen(ret, bits, qbits, evpmd,
+- seed_in, seed_len, NULL, counter_ret,
++ seed_in, seed_len, counter_ret,
+ h_ret, cb);
+ }
+ }
+
++# ifdef OPENSSL_FIPS
++int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
++ const EVP_MD *evpmd,
++ const unsigned char *seed_in, size_t seed_len,
++ int *counter_ret, unsigned long *h_ret,
++ BN_GENCB *cb)
++{
++ return dsa_builtin_paramgen(ret, bits, qbits,
++ evpmd, seed_in, seed_len,
++ counter_ret, h_ret, cb);
++}
++# endif
++
+ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
+ const EVP_MD *evpmd, const unsigned char *seed_in,
+- size_t seed_len, unsigned char *seed_out,
++ size_t seed_len,
+ int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
+ {
+ int ok = 0;
+ unsigned char seed[SHA256_DIGEST_LENGTH];
++ BIGNUM *g = NULL, *q = NULL, *p = NULL;
++ size_t qsize = qbits >> 3;
++ BN_CTX *ctx = NULL;
++
++# ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN, FIPS_R_FIPS_SELFTEST_FAILED);
++ goto err;
++ }
++
++ if (FIPS_module_mode() &&
++ (bits != 1024 || qbits != 160) &&
++ (bits != 2048 || qbits != 224) &&
++ (bits != 2048 || qbits != 256) && (bits != 3072 || qbits != 256)) {
++ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
++ goto err;
++ }
++# endif
++ if (seed_len && (seed_len < (size_t)qsize))
++ seed_in = NULL; /* seed buffer too small -- ignore */
++ if (seed_len > sizeof(seed))
++ seed_len = sizeof(seed); /* App. 2.2 of FIPS PUB 186 allows larger SEED,
++ * but our internal buffers are restricted to 256 bits*/
++ if (seed_in != NULL)
++ memcpy(seed, seed_in, seed_len);
++ else
++ seed_len = 0;
++
++ if ((ctx = BN_CTX_new()) == NULL)
++ goto err;
++
++ BN_CTX_start(ctx);
++
++ if (!FIPS_dsa_generate_pq(ctx, bits, qbits, evpmd,
++ seed, seed_len, &p, &q, counter_ret, cb))
++ goto err;
++
++ if (!FIPS_dsa_generate_g(ctx, p, q, &g, h_ret, cb))
++ goto err;
++
++ ok = 1;
++ err:
++ if (ok) {
++ if (ret->p) {
++ BN_free(ret->p);
++ ret->p = NULL;
++ }
++ if (ret->q) {
++ BN_free(ret->q);
++ ret->q = NULL;
++ }
++ if (ret->g) {
++ BN_free(ret->g);
++ ret->g = NULL;
++ }
++ ret->p = BN_dup(p);
++ ret->q = BN_dup(q);
++ ret->g = BN_dup(g);
++ if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
++ ok = 0;
++ }
++ if (ctx) {
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++ }
++ return ok;
++}
++
++# ifndef OPENSSL_FIPS
++static
++# endif
++int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
++ const EVP_MD *evpmd, unsigned char *seed,
++ int seed_len, BIGNUM **p_ret, BIGNUM **q_ret,
++ int *counter_ret, BN_GENCB *cb)
++{
++ int ok = 0;
+ unsigned char md[SHA256_DIGEST_LENGTH];
+- unsigned char buf[SHA256_DIGEST_LENGTH], buf2[SHA256_DIGEST_LENGTH];
++ unsigned char buf[SHA256_DIGEST_LENGTH];
+ BIGNUM *r0, *W, *X, *c, *test;
+- BIGNUM *g = NULL, *q = NULL, *p = NULL;
+- BN_MONT_CTX *mont = NULL;
+- int i, k, n = 0, m = 0, qsize = qbits >> 3;
++ BIGNUM *q = NULL, *p = NULL;
++ int i, k, b, n = 0, m = 0, qsize = qbits >> 3;
+ int counter = 0;
+ int r = 0;
+- BN_CTX *ctx = NULL;
+- unsigned int h = 2;
+
+ if (qsize != SHA_DIGEST_LENGTH && qsize != SHA224_DIGEST_LENGTH &&
+ qsize != SHA256_DIGEST_LENGTH)
+ /* invalid q size */
+ return 0;
+
+- if (evpmd == NULL)
+- /* use SHA1 as default */
+- evpmd = EVP_sha1();
++ if (evpmd == NULL) {
++ if (qbits <= 160)
++ evpmd = EVP_sha1();
++ else if (qbits <= 224)
++ evpmd = EVP_sha224();
++ else
++ evpmd = EVP_sha256();
++ }
+
+ if (bits < 512)
+ bits = 512;
+
+ bits = (bits + 63) / 64 * 64;
+
+- /*
+- * NB: seed_len == 0 is special case: copy generated seed to seed_in if
+- * it is not NULL.
+- */
+- if (seed_len && (seed_len < (size_t)qsize))
+- seed_in = NULL; /* seed buffer too small -- ignore */
+- if (seed_len > (size_t)qsize)
+- seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger
+- * SEED, but our internal buffers are
+- * restricted to 160 bits */
+- if (seed_in != NULL)
+- memcpy(seed, seed_in, seed_len);
+-
+- if ((ctx = BN_CTX_new()) == NULL)
+- goto err;
+-
+- if ((mont = BN_MONT_CTX_new()) == NULL)
+- goto err;
+-
+- BN_CTX_start(ctx);
+ r0 = BN_CTX_get(ctx);
+- g = BN_CTX_get(ctx);
+ W = BN_CTX_get(ctx);
+- q = BN_CTX_get(ctx);
++ *q_ret = q = BN_CTX_get(ctx);
+ X = BN_CTX_get(ctx);
+ c = BN_CTX_get(ctx);
+- p = BN_CTX_get(ctx);
++ *p_ret = p = BN_CTX_get(ctx);
+ test = BN_CTX_get(ctx);
+
+ if (!BN_lshift(test, BN_value_one(), bits - 1))
+ goto err;
+
++ /* step 3 n = \lceil bits / qbits \rceil - 1 */
++ n = (bits + qbits - 1) / qbits - 1;
++ /* step 4 b = bits - 1 - n * qbits */
++ b = bits - 1 - n * qbits;
++
+ for (;;) {
+ for (;;) { /* find q */
+ int seed_is_random;
+
+- /* step 1 */
++ /* step 5 generate seed */
+ if (!BN_GENCB_call(cb, 0, m++))
+ goto err;
+
+@@ -213,29 +292,18 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ * be bad */
+ }
+ memcpy(buf, seed, qsize);
+- memcpy(buf2, seed, qsize);
+- /* precompute "SEED + 1" for step 7: */
+- for (i = qsize - 1; i >= 0; i--) {
+- buf[i]++;
+- if (buf[i] != 0)
+- break;
+- }
+
+- /* step 2 */
++ /* step 6 U = hash(seed) */
+ if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
+ goto err;
+- if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
+- goto err;
+- for (i = 0; i < qsize; i++)
+- md[i] ^= buf2[i];
+
+- /* step 3 */
++ /* step 7 q = 2^(qbits-1) + U + 1 - (U mod 2) */
+ md[0] |= 0x80;
+ md[qsize - 1] |= 0x01;
+ if (!BN_bin2bn(md, qsize, q))
+ goto err;
+
+- /* step 4 */
++ /* step 8 test for prime (64 round of Rabin-Miller) */
+ r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
+ seed_is_random, cb);
+ if (r > 0)
+@@ -243,8 +311,6 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ if (r != 0)
+ goto err;
+
+- /* do a callback call */
+- /* step 5 */
+ }
+
+ if (!BN_GENCB_call(cb, 2, 0))
+@@ -252,19 +318,16 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ if (!BN_GENCB_call(cb, 3, 0))
+ goto err;
+
+- /* step 6 */
++ /* step 11 */
+ counter = 0;
+- /* "offset = 2" */
+-
+- n = (bits - 1) / 160;
++ /* "offset = 1" */
+
+ for (;;) {
+ if ((counter != 0) && !BN_GENCB_call(cb, 0, counter))
+ goto err;
+
+- /* step 7 */
++ /* step 11.1, 11.2 obtain W */
+ BN_zero(W);
+- /* now 'buf' contains "SEED + offset - 1" */
+ for (k = 0; k <= n; k++) {
+ /*
+ * obtain "SEED + offset + k" by incrementing:
+@@ -278,36 +341,37 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ if (!EVP_Digest(buf, qsize, md, NULL, evpmd, NULL))
+ goto err;
+
+- /* step 8 */
+ if (!BN_bin2bn(md, qsize, r0))
+ goto err;
+- if (!BN_lshift(r0, r0, (qsize << 3) * k))
++ if (k == n)
++ BN_mask_bits(r0, b);
++ if (!BN_lshift(r0, r0, qbits * k))
+ goto err;
+ if (!BN_add(W, W, r0))
+ goto err;
+ }
+
+- /* more of step 8 */
+- if (!BN_mask_bits(W, bits - 1))
+- goto err;
++ /* step 11.3 X = W + 2^(L-1) */
+ if (!BN_copy(X, W))
+ goto err;
+ if (!BN_add(X, X, test))
+ goto err;
+
+- /* step 9 */
++ /* step 11.4 c = X mod 2*q */
+ if (!BN_lshift1(r0, q))
+ goto err;
+ if (!BN_mod(c, X, r0, ctx))
+ goto err;
++
++ /* step 11.5 p = X - (c - 1) */
+ if (!BN_sub(r0, c, BN_value_one()))
+ goto err;
+ if (!BN_sub(p, X, r0))
+ goto err;
+
+- /* step 10 */
++ /* step 11.6 */
+ if (BN_cmp(p, test) >= 0) {
+- /* step 11 */
++ /* step 11.7 */
+ r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, ctx, 1, cb);
+ if (r > 0)
+ goto end; /* found it */
+@@ -315,12 +379,12 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ goto err;
+ }
+
+- /* step 13 */
++ /* step 11.9 */
+ counter++;
+ /* "offset = offset + n + 1" */
+
+- /* step 14 */
+- if (counter >= 4096)
++ /* step 12 */
++ if (counter >= 4 * bits)
+ break;
+ }
+ }
+@@ -328,7 +392,33 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ if (!BN_GENCB_call(cb, 2, 1))
+ goto err;
+
+- /* We now need to generate g */
++ ok = 1;
++ err:
++ if (ok) {
++ if (counter_ret != NULL)
++ *counter_ret = counter;
++ }
++ return ok;
++}
++
++# ifndef OPENSSL_FIPS
++static
++# endif
++int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q,
++ BIGNUM **g_ret, unsigned long *h_ret, BN_GENCB *cb)
++{
++ int ok = 0;
++ BIGNUM *r0, *test, *g = NULL;
++ BN_MONT_CTX *mont;
++ unsigned int h = 2;
++
++ if ((mont = BN_MONT_CTX_new()) == NULL)
++ goto err;
++
++ r0 = BN_CTX_get(ctx);
++ *g_ret = g = BN_CTX_get(ctx);
++ test = BN_CTX_get(ctx);
++
+ /* Set r0=(p-1)/q */
+ if (!BN_sub(test, p, BN_value_one()))
+ goto err;
+@@ -357,46 +447,14 @@ int dsa_builtin_paramgen(DSA *ret, size_
+ ok = 1;
+ err:
+ if (ok) {
+- if (ret->p)
+- BN_free(ret->p);
+- if (ret->q)
+- BN_free(ret->q);
+- if (ret->g)
+- BN_free(ret->g);
+- ret->p = BN_dup(p);
+- ret->q = BN_dup(q);
+- ret->g = BN_dup(g);
+- if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {
+- ok = 0;
+- goto err;
+- }
+- if (counter_ret != NULL)
+- *counter_ret = counter;
+ if (h_ret != NULL)
+ *h_ret = h;
+- if (seed_out)
+- memcpy(seed_out, seed, qsize);
+- }
+- if (ctx) {
+- BN_CTX_end(ctx);
+- BN_CTX_free(ctx);
+ }
+ if (mont != NULL)
+ BN_MONT_CTX_free(mont);
+ return ok;
+ }
+
+-# ifdef OPENSSL_FIPS
+-# undef fips_dsa_builtin_paramgen2
+-extern int fips_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
+- const EVP_MD *evpmd,
+- const unsigned char *seed_in,
+- size_t seed_len, int idx,
+- unsigned char *seed_out,
+- int *counter_ret, unsigned long *h_ret,
+- BN_GENCB *cb);
+-# endif
+-
+ /*
+ * This is a parameter generation algorithm for the DSA2 algorithm as
+ * described in FIPS 186-3.
+@@ -422,14 +480,6 @@ int dsa_builtin_paramgen2(DSA *ret, size
+ EVP_MD_CTX mctx;
+ unsigned int h = 2;
+
+-# ifdef OPENSSL_FIPS
+-
+- if (FIPS_mode())
+- return fips_dsa_builtin_paramgen2(ret, L, N, evpmd,
+- seed_in, seed_len, idx,
+- seed_out, counter_ret, h_ret, cb);
+-# endif
+-
+ EVP_MD_CTX_init(&mctx);
+
+ if (evpmd == NULL) {
+diff -up openssl-1.0.2c/crypto/dsa/dsa.h.fips openssl-1.0.2c/crypto/dsa/dsa.h
+--- openssl-1.0.2c/crypto/dsa/dsa.h.fips 2015-06-15 17:29:59.784278853 +0200
++++ openssl-1.0.2c/crypto/dsa/dsa.h 2015-06-15 17:30:00.001283822 +0200
+@@ -88,6 +88,8 @@
+ # define OPENSSL_DSA_MAX_MODULUS_BITS 10000
+ # endif
+
++# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
++
+ # define DSA_FLAG_CACHE_MONT_P 0x01
+ /*
+ * new with 0.9.7h; the built-in DSA implementation now uses constant time
+@@ -265,6 +267,20 @@ int DSA_print_fp(FILE *bp, const DSA *x,
+ DH *DSA_dup_DH(const DSA *r);
+ # endif
+
++# ifdef OPENSSL_FIPS
++int FIPS_dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
++ const EVP_MD *evpmd,
++ const unsigned char *seed_in,
++ size_t seed_len, int *counter_ret,
++ unsigned long *h_ret, BN_GENCB *cb);
++int FIPS_dsa_generate_pq(BN_CTX *ctx, size_t bits, size_t qbits,
++ const EVP_MD *evpmd, unsigned char *seed,
++ int seed_len, BIGNUM **p_ret, BIGNUM **q_ret,
++ int *counter_ret, BN_GENCB *cb);
++int FIPS_dsa_generate_g(BN_CTX *ctx, BIGNUM *p, BIGNUM *q, BIGNUM **g_ret,
++ unsigned long *h_ret, BN_GENCB *cb);
++# endif
++
+ # define EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, nbits) \
+ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, \
+ EVP_PKEY_CTRL_DSA_PARAMGEN_BITS, nbits, NULL)
+@@ -287,11 +303,14 @@ void ERR_load_DSA_strings(void);
+ # define DSA_F_DO_DSA_PRINT 104
+ # define DSA_F_DSAPARAMS_PRINT 100
+ # define DSA_F_DSAPARAMS_PRINT_FP 101
+-# define DSA_F_DSA_BUILTIN_PARAMGEN2 126
++# define DSA_F_DSA_BUILTIN_KEYGEN 124
++# define DSA_F_DSA_BUILTIN_PARAMGEN 123
++# define DSA_F_DSA_BUILTIN_PARAMGEN2 226
+ # define DSA_F_DSA_DO_SIGN 112
+ # define DSA_F_DSA_DO_VERIFY 113
+-# define DSA_F_DSA_GENERATE_KEY 124
+-# define DSA_F_DSA_GENERATE_PARAMETERS_EX 123
++# define DSA_F_DSA_GENERATE_KEY 126
++# define DSA_F_DSA_GENERATE_PARAMETERS_EX 127
++# define DSA_F_DSA_GENERATE_PARAMETERS /* unused */ 125
+ # define DSA_F_DSA_NEW_METHOD 103
+ # define DSA_F_DSA_PARAM_DECODE 119
+ # define DSA_F_DSA_PRINT_FP 105
+@@ -317,12 +336,16 @@ void ERR_load_DSA_strings(void);
+ # define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100
+ # define DSA_R_DECODE_ERROR 104
+ # define DSA_R_INVALID_DIGEST_TYPE 106
+-# define DSA_R_INVALID_PARAMETERS 112
++# define DSA_R_INVALID_PARAMETERS 212
++# define DSA_R_KEY_SIZE_INVALID 113
++# define DSA_R_KEY_SIZE_TOO_SMALL 110
+ # define DSA_R_MISSING_PARAMETERS 101
+ # define DSA_R_MODULUS_TOO_LARGE 103
+-# define DSA_R_NEED_NEW_SETUP_VALUES 110
++# define DSA_R_NEED_NEW_SETUP_VALUES 112
+ # define DSA_R_NON_FIPS_DSA_METHOD 111
++# define DSA_R_NON_FIPS_METHOD 111
+ # define DSA_R_NO_PARAMETERS_SET 107
++# define DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE /* unused */ 112
+ # define DSA_R_PARAMETER_ENCODING_ERROR 105
+ # define DSA_R_Q_NOT_PRIME 113
+
+diff -up openssl-1.0.2c/crypto/dsa/dsa_key.c.fips openssl-1.0.2c/crypto/dsa/dsa_key.c
+--- openssl-1.0.2c/crypto/dsa/dsa_key.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/dsa/dsa_key.c 2015-06-15 17:30:00.001283822 +0200
+@@ -66,6 +66,34 @@
+
+ # ifdef OPENSSL_FIPS
+ # include <openssl/fips.h>
++# include <openssl/evp.h>
++
++static int fips_check_dsa(DSA *dsa)
++{
++ EVP_PKEY *pk;
++ unsigned char tbs[] = "DSA Pairwise Check Data";
++ int ret = 0;
++
++ if ((pk = EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_set1_DSA(pk, dsa);
++
++ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))
++ ret = 1;
++
++ err:
++ if (ret == 0) {
++ FIPSerr(FIPS_F_FIPS_CHECK_DSA, FIPS_R_PAIRWISE_TEST_FAILED);
++ fips_set_selftest_fail();
++ }
++
++ if (pk)
++ EVP_PKEY_free(pk);
++
++ return ret;
++}
++
+ # endif
+
+ static int dsa_builtin_keygen(DSA *dsa);
+@@ -81,10 +109,6 @@ int DSA_generate_key(DSA *dsa)
+ # endif
+ if (dsa->meth->dsa_keygen)
+ return dsa->meth->dsa_keygen(dsa);
+-# ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_dsa_generate_key(dsa);
+-# endif
+ return dsa_builtin_keygen(dsa);
+ }
+
+@@ -94,6 +118,14 @@ static int dsa_builtin_keygen(DSA *dsa)
+ BN_CTX *ctx = NULL;
+ BIGNUM *pub_key = NULL, *priv_key = NULL;
+
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
++ DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
++ goto err;
++ }
++# endif
++
+ if ((ctx = BN_CTX_new()) == NULL)
+ goto err;
+
+@@ -131,6 +163,13 @@ static int dsa_builtin_keygen(DSA *dsa)
+
+ dsa->priv_key = priv_key;
+ dsa->pub_key = pub_key;
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !fips_check_dsa(dsa)) {
++ dsa->pub_key = NULL;
++ dsa->priv_key = NULL;
++ goto err;
++ }
++# endif
+ ok = 1;
+
+ err:
+diff -up openssl-1.0.2c/crypto/dsa/dsa_lib.c.fips openssl-1.0.2c/crypto/dsa/dsa_lib.c
+--- openssl-1.0.2c/crypto/dsa/dsa_lib.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/dsa/dsa_lib.c 2015-06-15 17:30:00.001283822 +0200
+@@ -86,14 +86,7 @@ void DSA_set_default_method(const DSA_ME
+ const DSA_METHOD *DSA_get_default_method(void)
+ {
+ if (!default_DSA_method) {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_dsa_openssl();
+- else
+- return DSA_OpenSSL();
+-#else
+ default_DSA_method = DSA_OpenSSL();
+-#endif
+ }
+ return default_DSA_method;
+ }
+diff -up openssl-1.0.2c/crypto/dsa/dsa_locl.h.fips openssl-1.0.2c/crypto/dsa/dsa_locl.h
+--- openssl-1.0.2c/crypto/dsa/dsa_locl.h.fips 2015-06-15 17:29:59.786278898 +0200
++++ openssl-1.0.2c/crypto/dsa/dsa_locl.h 2015-06-15 17:30:00.002283845 +0200
+@@ -56,7 +56,7 @@
+
+ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
+ const EVP_MD *evpmd, const unsigned char *seed_in,
+- size_t seed_len, unsigned char *seed_out,
++ size_t seed_len,
+ int *counter_ret, unsigned long *h_ret,
+ BN_GENCB *cb);
+
+diff -up openssl-1.0.2c/crypto/dsa/dsa_ossl.c.fips openssl-1.0.2c/crypto/dsa/dsa_ossl.c
+--- openssl-1.0.2c/crypto/dsa/dsa_ossl.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/dsa/dsa_ossl.c 2015-06-15 17:30:00.002283845 +0200
+@@ -65,6 +65,9 @@
+ #include <openssl/dsa.h>
+ #include <openssl/rand.h>
+ #include <openssl/asn1.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+
+ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
+@@ -83,7 +86,7 @@ static DSA_METHOD openssl_dsa_meth = {
+ NULL, /* dsa_bn_mod_exp, */
+ dsa_init,
+ dsa_finish,
+- 0,
++ DSA_FLAG_FIPS_METHOD,
+ NULL,
+ NULL,
+ NULL
+@@ -140,6 +143,19 @@ static DSA_SIG *dsa_do_sign(const unsign
+ DSA_SIG *ret = NULL;
+ int noredo = 0;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_DSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED);
++ return NULL;
++ }
++
++ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
++ DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
++ return NULL;
++ }
++#endif
++
+ BN_init(&m);
+ BN_init(&xr);
+
+@@ -330,6 +346,18 @@ static int dsa_do_verify(const unsigned
+ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE);
+ return -1;
+ }
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_DSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED);
++ return -1;
++ }
++
++ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
++ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++#endif
+
+ if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
+ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE);
+@@ -410,6 +438,9 @@ static int dsa_do_verify(const unsigned
+
+ static int dsa_init(DSA *dsa)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ dsa->flags |= DSA_FLAG_CACHE_MONT_P;
+ return (1);
+ }
+diff -up openssl-1.0.2c/crypto/dsa/dsa_pmeth.c.fips openssl-1.0.2c/crypto/dsa/dsa_pmeth.c
+--- openssl-1.0.2c/crypto/dsa/dsa_pmeth.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/dsa/dsa_pmeth.c 2015-06-15 17:30:00.002283845 +0200
+@@ -253,7 +253,7 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT
+ if (!dsa)
+ return 0;
+ ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
+- NULL, 0, NULL, NULL, NULL, pcb);
++ NULL, 0, NULL, NULL, pcb);
+ if (ret)
+ EVP_PKEY_assign_DSA(pkey, dsa);
+ else
+diff -up openssl-1.0.2c/crypto/dsa/dsatest.c.fips openssl-1.0.2c/crypto/dsa/dsatest.c
+--- openssl-1.0.2c/crypto/dsa/dsatest.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/dsa/dsatest.c 2015-06-15 17:30:00.002283845 +0200
+@@ -100,36 +100,41 @@ static int MS_CALLBACK dsa_cb(int p, int
+ * PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1
+ */
+ static unsigned char seed[20] = {
+- 0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8, 0xb6, 0x21, 0x1b, 0x40,
+- 0x62, 0xba, 0x32, 0x24, 0xe0, 0x42, 0x7d, 0xd3,
++ 0x02, 0x47, 0x11, 0x92, 0x11, 0x88, 0xC8, 0xFB, 0xAF, 0x48, 0x4C, 0x62,
++ 0xDF, 0xA5, 0xBE, 0xA0, 0xA4, 0x3C, 0x56, 0xE3,
+ };
+
+ static unsigned char out_p[] = {
+- 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76, 0xaa,
+- 0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69, 0xcb,
+- 0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c, 0xf7,
+- 0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82, 0xe5,
+- 0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e, 0xaf,
+- 0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a, 0xac,
+- 0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24, 0xc2,
+- 0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02, 0x91,
++ 0xAC, 0xCB, 0x1E, 0x63, 0x60, 0x69, 0x0C, 0xFB, 0x06, 0x19, 0x68, 0x3E,
++ 0xA5, 0x01, 0x5A, 0xA2, 0x15, 0x5C, 0xE2, 0x99, 0x2D, 0xD5, 0x30, 0x99,
++ 0x7E, 0x5F, 0x8D, 0xE2, 0xF7, 0xC6, 0x2E, 0x8D, 0xA3, 0x9F, 0x58, 0xAD,
++ 0xD6, 0xA9, 0x7D, 0x0E, 0x0D, 0x95, 0x53, 0xA6, 0x71, 0x3A, 0xDE, 0xAB,
++ 0xAC, 0xE9, 0xF4, 0x36, 0x55, 0x9E, 0xB9, 0xD6, 0x93, 0xBF, 0xF3, 0x18,
++ 0x1C, 0x14, 0x7B, 0xA5, 0x42, 0x2E, 0xCD, 0x00, 0xEB, 0x35, 0x3B, 0x1B,
++ 0xA8, 0x51, 0xBB, 0xE1, 0x58, 0x42, 0x85, 0x84, 0x22, 0xA7, 0x97, 0x5E,
++ 0x99, 0x6F, 0x38, 0x20, 0xBD, 0x9D, 0xB6, 0xD9, 0x33, 0x37, 0x2A, 0xFD,
++ 0xBB, 0xD4, 0xBC, 0x0C, 0x2A, 0x67, 0xCB, 0x9F, 0xBB, 0xDF, 0xF9, 0x93,
++ 0xAA, 0xD6, 0xF0, 0xD6, 0x95, 0x0B, 0x5D, 0x65, 0x14, 0xD0, 0x18, 0x9D,
++ 0xC6, 0xAF, 0xF0, 0xC6, 0x37, 0x7C, 0xF3, 0x5F,
+ };
+
+ static unsigned char out_q[] = {
+- 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8, 0xee,
+- 0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4, 0x8e,
+- 0xda, 0xce, 0x91, 0x5f,
++ 0xE3, 0x8E, 0x5E, 0x6D, 0xBF, 0x2B, 0x79, 0xF8, 0xC5, 0x4B, 0x89, 0x8B,
++ 0xBA, 0x2D, 0x91, 0xC3, 0x6C, 0x80, 0xAC, 0x87,
+ };
+
+ static unsigned char out_g[] = {
+- 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, 0x13,
+- 0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5, 0x00,
+- 0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef, 0xcb,
+- 0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c, 0x2e,
+- 0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba, 0xbf,
+- 0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c, 0x9c,
+- 0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08, 0x8c,
+- 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88, 0x02,
++ 0x42, 0x4A, 0x04, 0x4E, 0x79, 0xB4, 0x99, 0x7F, 0xFD, 0x58, 0x36, 0x2C,
++ 0x1B, 0x5F, 0x18, 0x7E, 0x0D, 0xCC, 0xAB, 0x81, 0xC9, 0x5D, 0x10, 0xCE,
++ 0x4E, 0x80, 0x7E, 0x58, 0xB4, 0x34, 0x3F, 0xA7, 0x45, 0xC7, 0xAA, 0x36,
++ 0x24, 0x42, 0xA9, 0x3B, 0xE8, 0x0E, 0x04, 0x02, 0x2D, 0xFB, 0xA6, 0x13,
++ 0xB9, 0xB5, 0x15, 0xA5, 0x56, 0x07, 0x35, 0xE4, 0x03, 0xB6, 0x79, 0x7C,
++ 0x62, 0xDD, 0xDF, 0x3F, 0x71, 0x3A, 0x9D, 0x8B, 0xC4, 0xF6, 0xE7, 0x1D,
++ 0x52, 0xA8, 0xA9, 0x43, 0x1D, 0x33, 0x51, 0x88, 0x39, 0xBD, 0x73, 0xE9,
++ 0x5F, 0xBE, 0x82, 0x49, 0x27, 0xE6, 0xB5, 0x53, 0xC1, 0x38, 0xAC, 0x2F,
++ 0x6D, 0x97, 0x6C, 0xEB, 0x67, 0xC1, 0x5F, 0x67, 0xF8, 0x35, 0x05, 0x5E,
++ 0xD5, 0x68, 0x80, 0xAA, 0x96, 0xCA, 0x0B, 0x8A, 0xE6, 0xF1, 0xB1, 0x41,
++ 0xC6, 0x75, 0x94, 0x0A, 0x0A, 0x2A, 0xFA, 0x29,
+ };
+
+ static const unsigned char str1[] = "12345678901234567890";
+@@ -162,7 +167,7 @@ int main(int argc, char **argv)
+ BIO_printf(bio_err, "test generation of DSA parameters\n");
+
+ BN_GENCB_set(&cb, dsa_cb, bio_err);
+- if (((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512,
++ if (((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 1024,
+ seed, 20,
+ &counter,
+ &h, &cb))
+@@ -176,8 +181,8 @@ int main(int argc, char **argv)
+ BIO_printf(bio_err, "\ncounter=%d h=%ld\n", counter, h);
+
+ DSA_print(bio_err, dsa, 0);
+- if (counter != 105) {
+- BIO_printf(bio_err, "counter should be 105\n");
++ if (counter != 239) {
++ BIO_printf(bio_err, "counter should be 239\n");
+ goto end;
+ }
+ if (h != 2) {
+diff -up openssl-1.0.2c/crypto/engine/eng_all.c.fips openssl-1.0.2c/crypto/engine/eng_all.c
+--- openssl-1.0.2c/crypto/engine/eng_all.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/engine/eng_all.c 2015-06-15 17:30:00.002283845 +0200
+@@ -59,11 +59,25 @@
+
+ #include "cryptlib.h"
+ #include "eng_int.h"
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+
+ void ENGINE_load_builtin_engines(void)
+ {
+ /* Some ENGINEs need this */
+ OPENSSL_cpuid_setup();
++#ifdef OPENSSL_FIPS
++ OPENSSL_init_library();
++ if (FIPS_mode()) {
++ /* We allow loading dynamic engine as a third party
++ engine might be FIPS validated.
++ User is disallowed to load non-validated engines
++ by security policy. */
++ ENGINE_load_dynamic();
++ return;
++ }
++#endif
+ #if 0
+ /*
+ * There's no longer any need for an "openssl" ENGINE unless, one day, it
+diff -up openssl-1.0.2c/crypto/evp/c_allc.c.fips openssl-1.0.2c/crypto/evp/c_allc.c
+--- openssl-1.0.2c/crypto/evp/c_allc.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/evp/c_allc.c 2015-06-15 17:30:00.002283845 +0200
+@@ -65,6 +65,10 @@
+ void OpenSSL_add_all_ciphers(void)
+ {
+
++#ifdef OPENSSL_FIPS
++ OPENSSL_init_library();
++ if (!FIPS_mode()) {
++#endif
+ #ifndef OPENSSL_NO_DES
+ EVP_add_cipher(EVP_des_cfb());
+ EVP_add_cipher(EVP_des_cfb1());
+@@ -238,4 +242,64 @@ void OpenSSL_add_all_ciphers(void)
+ EVP_add_cipher_alias(SN_camellia_256_cbc, "CAMELLIA256");
+ EVP_add_cipher_alias(SN_camellia_256_cbc, "camellia256");
+ #endif
++#ifdef OPENSSL_FIPS
++ } else {
++# ifndef OPENSSL_NO_DES
++ EVP_add_cipher(EVP_des_ede_cfb());
++ EVP_add_cipher(EVP_des_ede3_cfb());
++
++ EVP_add_cipher(EVP_des_ede_ofb());
++ EVP_add_cipher(EVP_des_ede3_ofb());
++
++ EVP_add_cipher(EVP_des_ede_cbc());
++ EVP_add_cipher(EVP_des_ede3_cbc());
++ EVP_add_cipher_alias(SN_des_ede3_cbc, "DES3");
++ EVP_add_cipher_alias(SN_des_ede3_cbc, "des3");
++
++ EVP_add_cipher(EVP_des_ede());
++ EVP_add_cipher(EVP_des_ede3());
++# endif
++
++# ifndef OPENSSL_NO_AES
++ EVP_add_cipher(EVP_aes_128_ecb());
++ EVP_add_cipher(EVP_aes_128_cbc());
++ EVP_add_cipher(EVP_aes_128_cfb());
++ EVP_add_cipher(EVP_aes_128_cfb1());
++ EVP_add_cipher(EVP_aes_128_cfb8());
++ EVP_add_cipher(EVP_aes_128_ofb());
++ EVP_add_cipher(EVP_aes_128_ctr());
++ EVP_add_cipher(EVP_aes_128_gcm());
++ EVP_add_cipher(EVP_aes_128_xts());
++ EVP_add_cipher(EVP_aes_128_ccm());
++ EVP_add_cipher(EVP_aes_128_wrap());
++ EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
++ EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
++ EVP_add_cipher(EVP_aes_192_ecb());
++ EVP_add_cipher(EVP_aes_192_cbc());
++ EVP_add_cipher(EVP_aes_192_cfb());
++ EVP_add_cipher(EVP_aes_192_cfb1());
++ EVP_add_cipher(EVP_aes_192_cfb8());
++ EVP_add_cipher(EVP_aes_192_ofb());
++ EVP_add_cipher(EVP_aes_192_ctr());
++ EVP_add_cipher(EVP_aes_192_gcm());
++ EVP_add_cipher(EVP_aes_192_ccm());
++ EVP_add_cipher(EVP_aes_192_wrap());
++ EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
++ EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
++ EVP_add_cipher(EVP_aes_256_ecb());
++ EVP_add_cipher(EVP_aes_256_cbc());
++ EVP_add_cipher(EVP_aes_256_cfb());
++ EVP_add_cipher(EVP_aes_256_cfb1());
++ EVP_add_cipher(EVP_aes_256_cfb8());
++ EVP_add_cipher(EVP_aes_256_ofb());
++ EVP_add_cipher(EVP_aes_256_ctr());
++ EVP_add_cipher(EVP_aes_256_gcm());
++ EVP_add_cipher(EVP_aes_256_xts());
++ EVP_add_cipher(EVP_aes_256_ccm());
++ EVP_add_cipher(EVP_aes_256_wrap());
++ EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
++ EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
++# endif
++ }
++#endif
+ }
+diff -up openssl-1.0.2c/crypto/evp/c_alld.c.fips openssl-1.0.2c/crypto/evp/c_alld.c
+--- openssl-1.0.2c/crypto/evp/c_alld.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/evp/c_alld.c 2015-06-15 17:30:00.003283868 +0200
+@@ -64,51 +64,81 @@
+
+ void OpenSSL_add_all_digests(void)
+ {
++#ifdef OPENSSL_FIPS
++ OPENSSL_init_library();
++ if (!FIPS_mode()) {
++#endif
+ #ifndef OPENSSL_NO_MD4
+- EVP_add_digest(EVP_md4());
++ EVP_add_digest(EVP_md4());
+ #endif
+ #ifndef OPENSSL_NO_MD5
+- EVP_add_digest(EVP_md5());
+- EVP_add_digest_alias(SN_md5, "ssl2-md5");
+- EVP_add_digest_alias(SN_md5, "ssl3-md5");
++ EVP_add_digest(EVP_md5());
++ EVP_add_digest_alias(SN_md5, "ssl2-md5");
++ EVP_add_digest_alias(SN_md5, "ssl3-md5");
+ #endif
+ #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0)
+- EVP_add_digest(EVP_sha());
++ EVP_add_digest(EVP_sha());
+ # ifndef OPENSSL_NO_DSA
+- EVP_add_digest(EVP_dss());
++ EVP_add_digest(EVP_dss());
+ # endif
+ #endif
+ #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
+- EVP_add_digest(EVP_sha1());
+- EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
+- EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
++ EVP_add_digest(EVP_sha1());
++ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
++ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
+ # ifndef OPENSSL_NO_DSA
+- EVP_add_digest(EVP_dss1());
+- EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
+- EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
+- EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
++ EVP_add_digest(EVP_dss1());
++ EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
++ EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
++ EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
+ # endif
+ # ifndef OPENSSL_NO_ECDSA
+- EVP_add_digest(EVP_ecdsa());
++ EVP_add_digest(EVP_ecdsa());
+ # endif
+ #endif
+ #if !defined(OPENSSL_NO_MDC2) && !defined(OPENSSL_NO_DES)
+- EVP_add_digest(EVP_mdc2());
++ EVP_add_digest(EVP_mdc2());
+ #endif
+ #ifndef OPENSSL_NO_RIPEMD
+- EVP_add_digest(EVP_ripemd160());
+- EVP_add_digest_alias(SN_ripemd160, "ripemd");
+- EVP_add_digest_alias(SN_ripemd160, "rmd160");
++ EVP_add_digest(EVP_ripemd160());
++ EVP_add_digest_alias(SN_ripemd160, "ripemd");
++ EVP_add_digest_alias(SN_ripemd160, "rmd160");
+ #endif
+ #ifndef OPENSSL_NO_SHA256
+- EVP_add_digest(EVP_sha224());
+- EVP_add_digest(EVP_sha256());
++ EVP_add_digest(EVP_sha224());
++ EVP_add_digest(EVP_sha256());
+ #endif
+ #ifndef OPENSSL_NO_SHA512
+- EVP_add_digest(EVP_sha384());
+- EVP_add_digest(EVP_sha512());
++ EVP_add_digest(EVP_sha384());
++ EVP_add_digest(EVP_sha512());
+ #endif
+ #ifndef OPENSSL_NO_WHIRLPOOL
+- EVP_add_digest(EVP_whirlpool());
++ EVP_add_digest(EVP_whirlpool());
++#endif
++#ifdef OPENSSL_FIPS
++ } else {
++# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
++ EVP_add_digest(EVP_sha1());
++ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
++ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
++# ifndef OPENSSL_NO_DSA
++ EVP_add_digest(EVP_dss1());
++ EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
++ EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
++ EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
++# endif
++# ifndef OPENSSL_NO_ECDSA
++ EVP_add_digest(EVP_ecdsa());
++# endif
++# endif
++# ifndef OPENSSL_NO_SHA256
++ EVP_add_digest(EVP_sha224());
++ EVP_add_digest(EVP_sha256());
++# endif
++# ifndef OPENSSL_NO_SHA512
++ EVP_add_digest(EVP_sha384());
++ EVP_add_digest(EVP_sha512());
++# endif
++ }
+ #endif
+ }
+diff -up openssl-1.0.2c/crypto/evp/digest.c.fips openssl-1.0.2c/crypto/evp/digest.c
+--- openssl-1.0.2c/crypto/evp/digest.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/evp/digest.c 2015-06-15 17:30:00.003283868 +0200
+@@ -143,18 +143,55 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons
+ return EVP_DigestInit_ex(ctx, type, NULL);
+ }
+
++#ifdef OPENSSL_FIPS
++
++/* The purpose of these is to trap programs that attempt to use non FIPS
++ * algorithms in FIPS mode and ignore the errors.
++ */
++
++static int bad_init(EVP_MD_CTX *ctx)
++{
++ FIPS_ERROR_IGNORED("Digest init");
++ return 0;
++}
++
++static int bad_update(EVP_MD_CTX *ctx, const void *data, size_t count)
++{
++ FIPS_ERROR_IGNORED("Digest update");
++ return 0;
++}
++
++static int bad_final(EVP_MD_CTX *ctx, unsigned char *md)
++{
++ FIPS_ERROR_IGNORED("Digest Final");
++ return 0;
++}
++
++static const EVP_MD bad_md = {
++ 0,
++ 0,
++ 0,
++ 0,
++ bad_init,
++ bad_update,
++ bad_final,
++ NULL,
++ NULL,
++ NULL,
++ 0,
++ {0, 0, 0, 0},
++};
++
++#endif
++
+ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
+ {
+ EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
+ #ifdef OPENSSL_FIPS
+- /* If FIPS mode switch to approved implementation if possible */
+- if (FIPS_mode()) {
+- const EVP_MD *fipsmd;
+- if (type) {
+- fipsmd = evp_get_fips_md(type);
+- if (fipsmd)
+- type = fipsmd;
+- }
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_EVP_DIGESTINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED);
++ ctx->digest = &bad_md;
++ return 0;
+ }
+ #endif
+ #ifndef OPENSSL_NO_ENGINE
+@@ -212,6 +249,16 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
+ }
+ #endif
+ if (ctx->digest != type) {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode()) {
++ if (!(type->flags & EVP_MD_FLAG_FIPS)
++ && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
++ EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
++ ctx->digest = &bad_md;
++ return 0;
++ }
++ }
++#endif
+ if (ctx->digest && ctx->digest->ctx_size)
+ OPENSSL_free(ctx->md_data);
+ ctx->digest = type;
+@@ -236,25 +283,15 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
+ }
+ if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT)
+ return 1;
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode()) {
+- if (FIPS_digestinit(ctx, type))
+- return 1;
+- OPENSSL_free(ctx->md_data);
+- ctx->md_data = NULL;
+- return 0;
+- }
+-#endif
+ return ctx->digest->init(ctx);
+ }
+
+ int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
+ {
+ #ifdef OPENSSL_FIPS
+- return FIPS_digestupdate(ctx, data, count);
+-#else
+- return ctx->update(ctx, data, count);
++ FIPS_selftest_check();
+ #endif
++ return ctx->update(ctx, data, count);
+ }
+
+ /* The caller can assume that this removes any secret data from the context */
+@@ -269,11 +306,11 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, uns
+ /* The caller can assume that this removes any secret data from the context */
+ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
+ {
+-#ifdef OPENSSL_FIPS
+- return FIPS_digestfinal(ctx, md, size);
+-#else
+ int ret;
+
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
+ ret = ctx->digest->final(ctx, md);
+ if (size != NULL)
+@@ -284,7 +321,6 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx,
+ }
+ memset(ctx->md_data, 0, ctx->digest->ctx_size);
+ return ret;
+-#endif
+ }
+
+ int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in)
+@@ -373,7 +409,6 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
+ /* This call frees resources associated with the context */
+ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
+ {
+-#ifndef OPENSSL_FIPS
+ /*
+ * Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because
+ * sometimes only copies of the context are ever finalised.
+@@ -386,7 +421,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
+ OPENSSL_cleanse(ctx->md_data, ctx->digest->ctx_size);
+ OPENSSL_free(ctx->md_data);
+ }
+-#endif
+ if (ctx->pctx)
+ EVP_PKEY_CTX_free(ctx->pctx);
+ #ifndef OPENSSL_NO_ENGINE
+@@ -397,9 +431,6 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
+ */
+ ENGINE_finish(ctx->engine);
+ #endif
+-#ifdef OPENSSL_FIPS
+- FIPS_md_ctx_cleanup(ctx);
+-#endif
+ memset(ctx, '\0', sizeof *ctx);
+
+ return 1;
+diff -up openssl-1.0.2c/crypto/evp/e_aes.c.fips openssl-1.0.2c/crypto/evp/e_aes.c
+--- openssl-1.0.2c/crypto/evp/e_aes.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/evp/e_aes.c 2015-06-15 17:30:00.003283868 +0200
+@@ -60,9 +60,6 @@
+ # include "modes_lcl.h"
+ # include <openssl/rand.h>
+
+-# undef EVP_CIPH_FLAG_FIPS
+-# define EVP_CIPH_FLAG_FIPS 0
+-
+ typedef struct {
+ union {
+ double align;
+@@ -1159,6 +1156,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *
+ case EVP_CTRL_GCM_SET_IVLEN:
+ if (arg <= 0)
+ return 0;
++# ifdef OPENSSL_FIPS
++ if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
++ && arg < 12)
++ return 0;
++# endif
+ /* Allocate memory for IV if needed */
+ if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
+ if (gctx->iv != c->iv)
+@@ -1727,6 +1729,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
+ return 0;
+ if (!out || !in || len < AES_BLOCK_SIZE)
+ return 0;
++# ifdef OPENSSL_FIPS
++ /* Requirement of SP800-38E */
++ if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
++ (len > (1UL << 20) * 16)) {
++ EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
++ return 0;
++ }
++# endif
+ if (xctx->stream)
+ (*xctx->stream) (in, out, len,
+ xctx->xts.key1, xctx->xts.key2, ctx->iv);
+diff -up openssl-1.0.2c/crypto/evp/e_des3.c.fips openssl-1.0.2c/crypto/evp/e_des3.c
+--- openssl-1.0.2c/crypto/evp/e_des3.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/evp/e_des3.c 2015-06-15 17:30:00.003283868 +0200
+@@ -65,10 +65,6 @@
+ # include <openssl/des.h>
+ # include <openssl/rand.h>
+
+-/* Block use of implementations in FIPS mode */
+-# undef EVP_CIPH_FLAG_FIPS
+-# define EVP_CIPH_FLAG_FIPS 0
+-
+ typedef struct {
+ union {
+ double align;
+diff -up openssl-1.0.2c/crypto/evp/e_null.c.fips openssl-1.0.2c/crypto/evp/e_null.c
+--- openssl-1.0.2c/crypto/evp/e_null.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/evp/e_null.c 2015-06-15 17:30:00.003283868 +0200
+@@ -68,7 +68,7 @@ static int null_cipher(EVP_CIPHER_CTX *c
+ static const EVP_CIPHER n_cipher = {
+ NID_undef,
+ 1, 0, 0,
+- 0,
++ EVP_CIPH_FLAG_FIPS,
+ null_init_key,
+ null_cipher,
+ NULL,
+diff -up openssl-1.0.2c/crypto/evp/evp_enc.c.fips openssl-1.0.2c/crypto/evp/evp_enc.c
+--- openssl-1.0.2c/crypto/evp/evp_enc.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/evp/evp_enc.c 2015-06-15 17:30:00.004283891 +0200
+@@ -69,16 +69,73 @@
+ #endif
+ #include "evp_locl.h"
+
+-#ifdef OPENSSL_FIPS
+-# define M_do_cipher(ctx, out, in, inl) FIPS_cipher(ctx, out, in, inl)
+-#else
+-# define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl)
+-#endif
++#define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl)
+
+ const char EVP_version[] = "EVP" OPENSSL_VERSION_PTEXT;
+
++#ifdef OPENSSL_FIPS
++
++/* The purpose of these is to trap programs that attempt to use non FIPS
++ * algorithms in FIPS mode and ignore the errors.
++ */
++
++static int bad_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
++ const unsigned char *iv, int enc)
++{
++ FIPS_ERROR_IGNORED("Cipher init");
++ return 0;
++}
++
++static int bad_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
++ const unsigned char *in, unsigned int inl)
++{
++ FIPS_ERROR_IGNORED("Cipher update");
++ return 0;
++}
++
++/* NB: no cleanup because it is allowed after failed init */
++
++static int bad_set_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
++{
++ FIPS_ERROR_IGNORED("Cipher set_asn1");
++ return 0;
++}
++
++static int bad_get_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
++{
++ FIPS_ERROR_IGNORED("Cipher get_asn1");
++ return 0;
++}
++
++static int bad_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
++{
++ FIPS_ERROR_IGNORED("Cipher ctrl");
++ return 0;
++}
++
++static const EVP_CIPHER bad_cipher = {
++ 0,
++ 0,
++ 0,
++ 0,
++ 0,
++ bad_init,
++ bad_do_cipher,
++ NULL,
++ 0,
++ bad_set_asn1,
++ bad_get_asn1,
++ bad_ctrl,
++ NULL
++};
++
++#endif
++
+ void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ memset(ctx, 0, sizeof(EVP_CIPHER_CTX));
+ /* ctx->cipher=NULL; */
+ }
+@@ -110,6 +167,13 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
+ enc = 1;
+ ctx->encrypt = enc;
+ }
++#ifdef OPENSSL_FIPS
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_EVP_CIPHERINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED);
++ ctx->cipher = &bad_cipher;
++ return 0;
++ }
++#endif
+ #ifndef OPENSSL_NO_ENGINE
+ /*
+ * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
+@@ -168,16 +232,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
+ ctx->engine = NULL;
+ #endif
+
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode()) {
+- const EVP_CIPHER *fcipher;
+- if (cipher)
+- fcipher = evp_get_fips_cipher(cipher);
+- if (fcipher)
+- cipher = fcipher;
+- return FIPS_cipherinit(ctx, cipher, key, iv, enc);
+- }
+-#endif
+ ctx->cipher = cipher;
+ if (ctx->cipher->ctx_size) {
+ ctx->cipher_data = OPENSSL_malloc(ctx->cipher->ctx_size);
+@@ -204,10 +258,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
+ #ifndef OPENSSL_NO_ENGINE
+ skip_to_init:
+ #endif
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_cipherinit(ctx, cipher, key, iv, enc);
+-#endif
+ /* we assume block size is a power of 2 in *cryptUpdate */
+ OPENSSL_assert(ctx->cipher->block_size == 1
+ || ctx->cipher->block_size == 8
+@@ -253,6 +303,19 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
+ break;
+ }
+ }
++#ifdef OPENSSL_FIPS
++ /* After 'key' is set no further parameters changes are permissible.
++ * So only check for non FIPS enabling at this point.
++ */
++ if (key && FIPS_mode()) {
++ if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS)
++ & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) {
++ EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS);
++ ctx->cipher = &bad_cipher;
++ return 0;
++ }
++ }
++#endif
+
+ if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
+ if (!ctx->cipher->init(ctx, key, iv, enc))
+@@ -554,7 +617,6 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX
+
+ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
+ {
+-#ifndef OPENSSL_FIPS
+ if (c->cipher != NULL) {
+ if (c->cipher->cleanup && !c->cipher->cleanup(c))
+ return 0;
+@@ -564,7 +626,6 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CT
+ }
+ if (c->cipher_data)
+ OPENSSL_free(c->cipher_data);
+-#endif
+ #ifndef OPENSSL_NO_ENGINE
+ if (c->engine)
+ /*
+@@ -573,9 +634,6 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CT
+ */
+ ENGINE_finish(c->engine);
+ #endif
+-#ifdef OPENSSL_FIPS
+- FIPS_cipher_ctx_cleanup(c);
+-#endif
+ memset(c, 0, sizeof(EVP_CIPHER_CTX));
+ return 1;
+ }
+diff -up openssl-1.0.2c/crypto/evp/evp.h.fips openssl-1.0.2c/crypto/evp/evp.h
+--- openssl-1.0.2c/crypto/evp/evp.h.fips 2015-06-15 17:29:59.898281463 +0200
++++ openssl-1.0.2c/crypto/evp/evp.h 2015-06-15 17:30:00.004283891 +0200
+@@ -122,6 +122,10 @@
+ extern "C" {
+ #endif
+
++# ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++# endif
++
+ /*
+ * Type needs to be a bit field Sub-type needs to be for variations on the
+ * method, as in, can it do arbitrary encryption....
+@@ -285,11 +289,6 @@ struct env_md_ctx_st {
+ * cleaned */
+ # define EVP_MD_CTX_FLAG_REUSE 0x0004/* Don't free up ctx->md_data
+ * in EVP_MD_CTX_cleanup */
+-/*
+- * FIPS and pad options are ignored in 1.0.0, definitions are here so we
+- * don't accidentally reuse the values for other purposes.
+- */
+-
+ # define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008/* Allow use of non FIPS
+ * digest in FIPS mode */
+
+@@ -302,6 +301,10 @@ struct env_md_ctx_st {
+ # define EVP_MD_CTX_FLAG_PAD_PKCS1 0x00/* PKCS#1 v1.5 mode */
+ # define EVP_MD_CTX_FLAG_PAD_X931 0x10/* X9.31 mode */
+ # define EVP_MD_CTX_FLAG_PAD_PSS 0x20/* PSS mode */
++# define M_EVP_MD_CTX_FLAG_PSS_SALT(ctx) \
++ ((ctx->flags>>16) &0xFFFF) /* seed length */
++# define EVP_MD_CTX_FLAG_PSS_MDLEN 0xFFFF/* salt len same as digest */
++# define EVP_MD_CTX_FLAG_PSS_MREC 0xFFFE/* salt max or auto recovered */
+
+ # define EVP_MD_CTX_FLAG_NO_INIT 0x0100/* Don't initialize md_data */
+
+@@ -363,15 +366,15 @@ struct evp_cipher_st {
+ /* cipher handles random key generation */
+ # define EVP_CIPH_RAND_KEY 0x200
+ /* cipher has its own additional copying logic */
+-# define EVP_CIPH_CUSTOM_COPY 0x400
++# define EVP_CIPH_CUSTOM_COPY 0x4000
+ /* Allow use default ASN1 get/set iv */
+ # define EVP_CIPH_FLAG_DEFAULT_ASN1 0x1000
+ /* Buffer length in bits not bytes: CFB1 mode only */
+ # define EVP_CIPH_FLAG_LENGTH_BITS 0x2000
+ /* Note if suitable for use in FIPS mode */
+-# define EVP_CIPH_FLAG_FIPS 0x4000
++# define EVP_CIPH_FLAG_FIPS 0x400
+ /* Allow non FIPS cipher in FIPS mode */
+-# define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x8000
++# define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x800
+ /*
+ * Cipher handles any and all padding logic as well as finalisation.
+ */
+diff -up openssl-1.0.2c/crypto/evp/evp_lib.c.fips openssl-1.0.2c/crypto/evp/evp_lib.c
+--- openssl-1.0.2c/crypto/evp/evp_lib.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/evp/evp_lib.c 2015-06-15 17:30:00.004283891 +0200
+@@ -60,10 +60,6 @@
+ #include "cryptlib.h"
+ #include <openssl/evp.h>
+ #include <openssl/objects.h>
+-#ifdef OPENSSL_FIPS
+-# include <openssl/fips.h>
+-# include "evp_locl.h"
+-#endif
+
+ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
+ {
+@@ -200,6 +196,9 @@ int EVP_CIPHER_CTX_block_size(const EVP_
+ int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, unsigned int inl)
+ {
++#ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++#endif
+ return ctx->cipher->do_cipher(ctx, out, in, inl);
+ }
+
+@@ -210,22 +209,12 @@ const EVP_CIPHER *EVP_CIPHER_CTX_cipher(
+
+ unsigned long EVP_CIPHER_flags(const EVP_CIPHER *cipher)
+ {
+-#ifdef OPENSSL_FIPS
+- const EVP_CIPHER *fcipher;
+- fcipher = evp_get_fips_cipher(cipher);
+- if (fcipher && fcipher->flags & EVP_CIPH_FLAG_FIPS)
+- return cipher->flags | EVP_CIPH_FLAG_FIPS;
+-#endif
+ return cipher->flags;
+ }
+
+ unsigned long EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx)
+ {
+-#ifdef OPENSSL_FIPS
+- return EVP_CIPHER_flags(ctx->cipher);
+-#else
+ return ctx->cipher->flags;
+-#endif
+ }
+
+ void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx)
+@@ -292,40 +281,8 @@ int EVP_MD_size(const EVP_MD *md)
+ return md->md_size;
+ }
+
+-#ifdef OPENSSL_FIPS
+-
+-const EVP_MD *evp_get_fips_md(const EVP_MD *md)
+-{
+- int nid = EVP_MD_type(md);
+- if (nid == NID_dsa)
+- return FIPS_evp_dss1();
+- else if (nid == NID_dsaWithSHA)
+- return FIPS_evp_dss();
+- else if (nid == NID_ecdsa_with_SHA1)
+- return FIPS_evp_ecdsa();
+- else
+- return FIPS_get_digestbynid(nid);
+-}
+-
+-const EVP_CIPHER *evp_get_fips_cipher(const EVP_CIPHER *cipher)
+-{
+- int nid = cipher->nid;
+- if (nid == NID_undef)
+- return FIPS_evp_enc_null();
+- else
+- return FIPS_get_cipherbynid(nid);
+-}
+-
+-#endif
+-
+ unsigned long EVP_MD_flags(const EVP_MD *md)
+ {
+-#ifdef OPENSSL_FIPS
+- const EVP_MD *fmd;
+- fmd = evp_get_fips_md(md);
+- if (fmd && fmd->flags & EVP_MD_FLAG_FIPS)
+- return md->flags | EVP_MD_FLAG_FIPS;
+-#endif
+ return md->flags;
+ }
+
+diff -up openssl-1.0.2c/crypto/evp/evp_locl.h.fips openssl-1.0.2c/crypto/evp/evp_locl.h
+--- openssl-1.0.2c/crypto/evp/evp_locl.h.fips 2015-06-15 17:29:59.895281394 +0200
++++ openssl-1.0.2c/crypto/evp/evp_locl.h 2015-06-15 17:30:00.004283891 +0200
+@@ -258,10 +258,8 @@ const EVP_CIPHER *EVP_##cname##_ecb(void
+ BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \
+ BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \
+ NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \
+- 0, cipher##_init_key, NULL, \
+- EVP_CIPHER_set_asn1_iv, \
+- EVP_CIPHER_get_asn1_iv, \
+- NULL)
++ EVP_CIPH_FLAG_DEFAULT_ASN1, \
++ cipher##_init_key, NULL, NULL, NULL, NULL)
+
+ struct evp_pkey_ctx_st {
+ /* Method associated with this operation */
+@@ -355,11 +353,6 @@ const EVP_CIPHER *evp_get_fips_cipher(co
+ # define MD2_Init private_MD2_Init
+ # define MDC2_Init private_MDC2_Init
+ # define SHA_Init private_SHA_Init
+-# define SHA1_Init private_SHA1_Init
+-# define SHA224_Init private_SHA224_Init
+-# define SHA256_Init private_SHA256_Init
+-# define SHA384_Init private_SHA384_Init
+-# define SHA512_Init private_SHA512_Init
+
+ # define BF_set_key private_BF_set_key
+ # define CAST_set_key private_CAST_set_key
+@@ -367,7 +360,6 @@ const EVP_CIPHER *evp_get_fips_cipher(co
+ # define SEED_set_key private_SEED_set_key
+ # define RC2_set_key private_RC2_set_key
+ # define RC4_set_key private_RC4_set_key
+-# define DES_set_key_unchecked private_DES_set_key_unchecked
+ # define Camellia_set_key private_Camellia_set_key
+
+ #endif
+diff -up openssl-1.0.2c/crypto/evp/m_dss.c.fips openssl-1.0.2c/crypto/evp/m_dss.c
+--- openssl-1.0.2c/crypto/evp/m_dss.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/evp/m_dss.c 2015-06-15 17:30:00.004283891 +0200
+@@ -86,7 +86,7 @@ static const EVP_MD dsa_md = {
+ NID_dsaWithSHA,
+ NID_dsaWithSHA,
+ SHA_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_DIGEST,
++ EVP_MD_FLAG_PKEY_DIGEST | EVP_MD_FLAG_FIPS,
+ init,
+ update,
+ final,
+diff -up openssl-1.0.2c/crypto/evp/m_dss1.c.fips openssl-1.0.2c/crypto/evp/m_dss1.c
+--- openssl-1.0.2c/crypto/evp/m_dss1.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/evp/m_dss1.c 2015-06-15 17:30:00.004283891 +0200
+@@ -87,7 +87,7 @@ static const EVP_MD dss1_md = {
+ NID_dsa,
+ NID_dsaWithSHA1,
+ SHA_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_DIGEST,
++ EVP_MD_FLAG_PKEY_DIGEST | EVP_MD_FLAG_FIPS,
+ init,
+ update,
+ final,
+diff -up openssl-1.0.2c/crypto/evp/m_md2.c.fips openssl-1.0.2c/crypto/evp/m_md2.c
+--- openssl-1.0.2c/crypto/evp/m_md2.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/evp/m_md2.c 2015-06-15 17:30:00.005283913 +0200
+@@ -68,6 +68,7 @@
+ # ifndef OPENSSL_NO_RSA
+ # include <openssl/rsa.h>
+ # endif
++# include "evp_locl.h"
+
+ static int init(EVP_MD_CTX *ctx)
+ {
+diff -up openssl-1.0.2c/crypto/evp/m_sha1.c.fips openssl-1.0.2c/crypto/evp/m_sha1.c
+--- openssl-1.0.2c/crypto/evp/m_sha1.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/evp/m_sha1.c 2015-06-15 17:30:00.005283913 +0200
+@@ -87,7 +87,8 @@ static const EVP_MD sha1_md = {
+ NID_sha1,
+ NID_sha1WithRSAEncryption,
+ SHA_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
++ EVP_MD_FLAG_FIPS,
+ init,
+ update,
+ final,
+@@ -134,7 +135,8 @@ static const EVP_MD sha224_md = {
+ NID_sha224,
+ NID_sha224WithRSAEncryption,
+ SHA224_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
++ EVP_MD_FLAG_FIPS,
+ init224,
+ update256,
+ final256,
+@@ -154,7 +156,8 @@ static const EVP_MD sha256_md = {
+ NID_sha256,
+ NID_sha256WithRSAEncryption,
+ SHA256_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
++ EVP_MD_FLAG_FIPS,
+ init256,
+ update256,
+ final256,
+@@ -197,7 +200,8 @@ static const EVP_MD sha384_md = {
+ NID_sha384,
+ NID_sha384WithRSAEncryption,
+ SHA384_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
++ EVP_MD_FLAG_FIPS,
+ init384,
+ update512,
+ final512,
+@@ -217,7 +221,8 @@ static const EVP_MD sha512_md = {
+ NID_sha512,
+ NID_sha512WithRSAEncryption,
+ SHA512_DIGEST_LENGTH,
+- EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT |
++ EVP_MD_FLAG_FIPS,
+ init512,
+ update512,
+ final512,
+diff -up openssl-1.0.2c/crypto/evp/p_sign.c.fips openssl-1.0.2c/crypto/evp/p_sign.c
+--- openssl-1.0.2c/crypto/evp/p_sign.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/evp/p_sign.c 2015-06-15 17:30:00.005283913 +0200
+@@ -61,6 +61,7 @@
+ #include <openssl/evp.h>
+ #include <openssl/objects.h>
+ #include <openssl/x509.h>
++#include <openssl/rsa.h>
+
+ #ifdef undef
+ void EVP_SignInit(EVP_MD_CTX *ctx, EVP_MD *type)
+@@ -101,6 +102,22 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig
+ goto err;
+ if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
+ goto err;
++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
++ goto err;
++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS) {
++ int saltlen;
++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <=
++ 0)
++ goto err;
++ saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
++ if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
++ saltlen = -1;
++ else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
++ saltlen = -2;
++ if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
++ goto err;
++ }
+ if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0)
+ goto err;
+ *siglen = sltmp;
+diff -up openssl-1.0.2c/crypto/evp/p_verify.c.fips openssl-1.0.2c/crypto/evp/p_verify.c
+--- openssl-1.0.2c/crypto/evp/p_verify.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/evp/p_verify.c 2015-06-15 17:30:00.005283913 +0200
+@@ -61,6 +61,7 @@
+ #include <openssl/evp.h>
+ #include <openssl/objects.h>
+ #include <openssl/x509.h>
++#include <openssl/rsa.h>
+
+ int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
+ unsigned int siglen, EVP_PKEY *pkey)
+@@ -87,6 +88,22 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, con
+ goto err;
+ if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
+ goto err;
++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_X931)
++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_X931_PADDING) <= 0)
++ goto err;
++ if (ctx->flags & EVP_MD_CTX_FLAG_PAD_PSS) {
++ int saltlen;
++ if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <=
++ 0)
++ goto err;
++ saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(ctx);
++ if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN)
++ saltlen = -1;
++ else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC)
++ saltlen = -2;
++ if (EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0)
++ goto err;
++ }
+ i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len);
+ err:
+ EVP_PKEY_CTX_free(pkctx);
+diff -up openssl-1.0.2c/crypto/fips/fips_aes_selftest.c.fips openssl-1.0.2c/crypto/fips/fips_aes_selftest.c
+--- openssl-1.0.2c/crypto/fips/fips_aes_selftest.c.fips 2015-06-15 17:30:00.005283913 +0200
++++ openssl-1.0.2c/crypto/fips/fips_aes_selftest.c 2015-06-15 17:30:00.005283913 +0200
+@@ -0,0 +1,365 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++#include <openssl/evp.h>
++
++#ifdef OPENSSL_FIPS
++static const struct {
++ const unsigned char key[16];
++ const unsigned char plaintext[16];
++ const unsigned char ciphertext[16];
++} tests[] = {
++ {
++ {
++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F}, {
++ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
++ 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}, {
++0x69, 0xC4, 0xE0, 0xD8, 0x6A, 0x7B, 0x04, 0x30,
++ 0xD8, 0xCD, 0xB7, 0x80, 0x70, 0xB4, 0xC5, 0x5A},},};
++
++static int corrupt_aes;
++
++void FIPS_corrupt_aes()
++{
++ corrupt_aes = 1;
++}
++
++int FIPS_selftest_aes()
++{
++ int n;
++ int ret = 0;
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++
++ for (n = 0; n < 1; ++n) {
++ unsigned char key[16];
++
++ memcpy(key, tests[n].key, sizeof(key));
++ if (corrupt_aes)
++ key[0]++;
++ if (fips_cipher_test(&ctx, EVP_aes_128_ecb(),
++ key, NULL,
++ tests[n].plaintext,
++ tests[n].ciphertext, 16) <= 0)
++ goto err;
++ }
++ ret = 1;
++ err:
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ if (ret == 0)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES, FIPS_R_SELFTEST_FAILED);
++ return ret;
++}
++
++/* AES-CCM test data from NIST public test vectors */
++
++static const unsigned char ccm_key[] = {
++ 0xce, 0xb0, 0x09, 0xae, 0xa4, 0x45, 0x44, 0x51, 0xfe, 0xad, 0xf0, 0xe6,
++ 0xb3, 0x6f, 0x45, 0x55, 0x5d, 0xd0, 0x47, 0x23, 0xba, 0xa4, 0x48, 0xe8
++};
++
++static const unsigned char ccm_nonce[] = {
++ 0x76, 0x40, 0x43, 0xc4, 0x94, 0x60, 0xb7
++};
++
++static const unsigned char ccm_adata[] = {
++ 0x6e, 0x80, 0xdd, 0x7f, 0x1b, 0xad, 0xf3, 0xa1, 0xc9, 0xab, 0x25, 0xc7,
++ 0x5f, 0x10, 0xbd, 0xe7, 0x8c, 0x23, 0xfa, 0x0e, 0xb8, 0xf9, 0xaa, 0xa5,
++ 0x3a, 0xde, 0xfb, 0xf4, 0xcb, 0xf7, 0x8f, 0xe4
++};
++
++static const unsigned char ccm_pt[] = {
++ 0xc8, 0xd2, 0x75, 0xf9, 0x19, 0xe1, 0x7d, 0x7f, 0xe6, 0x9c, 0x2a, 0x1f,
++ 0x58, 0x93, 0x9d, 0xfe, 0x4d, 0x40, 0x37, 0x91, 0xb5, 0xdf, 0x13, 0x10
++};
++
++static const unsigned char ccm_ct[] = {
++ 0x8a, 0x0f, 0x3d, 0x82, 0x29, 0xe4, 0x8e, 0x74, 0x87, 0xfd, 0x95, 0xa2,
++ 0x8a, 0xd3, 0x92, 0xc8, 0x0b, 0x36, 0x81, 0xd4, 0xfb, 0xc7, 0xbb, 0xfd
++};
++
++static const unsigned char ccm_tag[] = {
++ 0x2d, 0xd6, 0xef, 0x1c, 0x45, 0xd4, 0xcc, 0xb7, 0x23, 0xdc, 0x07, 0x44,
++ 0x14, 0xdb, 0x50, 0x6d
++};
++
++int FIPS_selftest_aes_ccm(void)
++{
++ int ret = 0;
++ unsigned char out[128], tag[16];
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++ memset(out, 0, sizeof(out));
++ if (!EVP_CipherInit_ex(&ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 1))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN,
++ sizeof(ccm_nonce), NULL))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG,
++ sizeof(ccm_tag), NULL))
++ goto err;
++ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, ccm_key, ccm_nonce, 1))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, NULL, sizeof(ccm_pt)) != sizeof(ccm_pt))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
++ goto err;
++ if (EVP_Cipher(&ctx, out, ccm_pt, sizeof(ccm_pt)) != sizeof(ccm_ct))
++ goto err;
++
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_GET_TAG, 16, tag))
++ goto err;
++ if (memcmp(tag, ccm_tag, sizeof(ccm_tag))
++ || memcmp(out, ccm_ct, sizeof(ccm_ct)))
++ goto err;
++
++ memset(out, 0, sizeof(out));
++
++ if (!EVP_CipherInit_ex(&ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 0))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN,
++ sizeof(ccm_nonce), NULL))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG, 16, tag))
++ goto err;
++ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, ccm_key, ccm_nonce, 0))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, NULL, sizeof(ccm_ct)) != sizeof(ccm_ct))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
++ goto err;
++ if (EVP_Cipher(&ctx, out, ccm_ct, sizeof(ccm_ct)) != sizeof(ccm_pt))
++ goto err;
++
++ if (memcmp(out, ccm_pt, sizeof(ccm_pt)))
++ goto err;
++
++ ret = 1;
++
++ err:
++ EVP_CIPHER_CTX_cleanup(&ctx);
++
++ if (ret == 0) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_CCM, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ } else
++ return ret;
++
++}
++
++/* AES-GCM test data from NIST public test vectors */
++
++static const unsigned char gcm_key[] = {
++ 0xee, 0xbc, 0x1f, 0x57, 0x48, 0x7f, 0x51, 0x92, 0x1c, 0x04, 0x65, 0x66,
++ 0x5f, 0x8a, 0xe6, 0xd1, 0x65, 0x8b, 0xb2, 0x6d, 0xe6, 0xf8, 0xa0, 0x69,
++ 0xa3, 0x52, 0x02, 0x93, 0xa5, 0x72, 0x07, 0x8f
++};
++
++static const unsigned char gcm_iv[] = {
++ 0x99, 0xaa, 0x3e, 0x68, 0xed, 0x81, 0x73, 0xa0, 0xee, 0xd0, 0x66, 0x84
++};
++
++static const unsigned char gcm_pt[] = {
++ 0xf5, 0x6e, 0x87, 0x05, 0x5b, 0xc3, 0x2d, 0x0e, 0xeb, 0x31, 0xb2, 0xea,
++ 0xcc, 0x2b, 0xf2, 0xa5
++};
++
++static const unsigned char gcm_aad[] = {
++ 0x4d, 0x23, 0xc3, 0xce, 0xc3, 0x34, 0xb4, 0x9b, 0xdb, 0x37, 0x0c, 0x43,
++ 0x7f, 0xec, 0x78, 0xde
++};
++
++static const unsigned char gcm_ct[] = {
++ 0xf7, 0x26, 0x44, 0x13, 0xa8, 0x4c, 0x0e, 0x7c, 0xd5, 0x36, 0x86, 0x7e,
++ 0xb9, 0xf2, 0x17, 0x36
++};
++
++static const unsigned char gcm_tag[] = {
++ 0x67, 0xba, 0x05, 0x10, 0x26, 0x2a, 0xe4, 0x87, 0xd7, 0x37, 0xee, 0x62,
++ 0x98, 0xf7, 0x7e, 0x0c
++};
++
++int FIPS_selftest_aes_gcm(void)
++{
++ int ret = 0;
++ unsigned char out[128], tag[16];
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++ memset(out, 0, sizeof(out));
++ memset(tag, 0, sizeof(tag));
++ if (!EVP_CipherInit_ex(&ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 1))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN,
++ sizeof(gcm_iv), NULL))
++ goto err;
++ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, gcm_key, gcm_iv, 1))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
++ goto err;
++ if (EVP_Cipher(&ctx, out, gcm_pt, sizeof(gcm_pt)) != sizeof(gcm_ct))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, NULL, 0) < 0)
++ goto err;
++
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, 16, tag))
++ goto err;
++
++ if (memcmp(tag, gcm_tag, 16) || memcmp(out, gcm_ct, 16))
++ goto err;
++
++ memset(out, 0, sizeof(out));
++
++ if (!EVP_CipherInit_ex(&ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 0))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN,
++ sizeof(gcm_iv), NULL))
++ goto err;
++ if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, 16, tag))
++ goto err;
++ if (!EVP_CipherInit_ex(&ctx, NULL, NULL, gcm_key, gcm_iv, 0))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
++ goto err;
++ if (EVP_Cipher(&ctx, out, gcm_ct, sizeof(gcm_ct)) != sizeof(gcm_pt))
++ goto err;
++ if (EVP_Cipher(&ctx, NULL, NULL, 0) < 0)
++ goto err;
++
++ if (memcmp(out, gcm_pt, 16))
++ goto err;
++
++ ret = 1;
++
++ err:
++ EVP_CIPHER_CTX_cleanup(&ctx);
++
++ if (ret == 0) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_GCM, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ } else
++ return ret;
++
++}
++
++static const unsigned char XTS_128_key[] = {
++ 0xa1, 0xb9, 0x0c, 0xba, 0x3f, 0x06, 0xac, 0x35, 0x3b, 0x2c, 0x34, 0x38,
++ 0x76, 0x08, 0x17, 0x62, 0x09, 0x09, 0x23, 0x02, 0x6e, 0x91, 0x77, 0x18,
++ 0x15, 0xf2, 0x9d, 0xab, 0x01, 0x93, 0x2f, 0x2f
++};
++
++static const unsigned char XTS_128_i[] = {
++ 0x4f, 0xae, 0xf7, 0x11, 0x7c, 0xda, 0x59, 0xc6, 0x6e, 0x4b, 0x92, 0x01,
++ 0x3e, 0x76, 0x8a, 0xd5
++};
++
++static const unsigned char XTS_128_pt[] = {
++ 0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d, 0x6f, 0xb3, 0x50, 0x39,
++ 0x07, 0x90, 0x31, 0x1c
++};
++
++static const unsigned char XTS_128_ct[] = {
++ 0x77, 0x8a, 0xe8, 0xb4, 0x3c, 0xb9, 0x8d, 0x5a, 0x82, 0x50, 0x81, 0xd5,
++ 0xbe, 0x47, 0x1c, 0x63
++};
++
++static const unsigned char XTS_256_key[] = {
++ 0x1e, 0xa6, 0x61, 0xc5, 0x8d, 0x94, 0x3a, 0x0e, 0x48, 0x01, 0xe4, 0x2f,
++ 0x4b, 0x09, 0x47, 0x14, 0x9e, 0x7f, 0x9f, 0x8e, 0x3e, 0x68, 0xd0, 0xc7,
++ 0x50, 0x52, 0x10, 0xbd, 0x31, 0x1a, 0x0e, 0x7c, 0xd6, 0xe1, 0x3f, 0xfd,
++ 0xf2, 0x41, 0x8d, 0x8d, 0x19, 0x11, 0xc0, 0x04, 0xcd, 0xa5, 0x8d, 0xa3,
++ 0xd6, 0x19, 0xb7, 0xe2, 0xb9, 0x14, 0x1e, 0x58, 0x31, 0x8e, 0xea, 0x39,
++ 0x2c, 0xf4, 0x1b, 0x08
++};
++
++static const unsigned char XTS_256_i[] = {
++ 0xad, 0xf8, 0xd9, 0x26, 0x27, 0x46, 0x4a, 0xd2, 0xf0, 0x42, 0x8e, 0x84,
++ 0xa9, 0xf8, 0x75, 0x64
++};
++
++static const unsigned char XTS_256_pt[] = {
++ 0x2e, 0xed, 0xea, 0x52, 0xcd, 0x82, 0x15, 0xe1, 0xac, 0xc6, 0x47, 0xe8,
++ 0x10, 0xbb, 0xc3, 0x64, 0x2e, 0x87, 0x28, 0x7f, 0x8d, 0x2e, 0x57, 0xe3,
++ 0x6c, 0x0a, 0x24, 0xfb, 0xc1, 0x2a, 0x20, 0x2e
++};
++
++static const unsigned char XTS_256_ct[] = {
++ 0xcb, 0xaa, 0xd0, 0xe2, 0xf6, 0xce, 0xa3, 0xf5, 0x0b, 0x37, 0xf9, 0x34,
++ 0xd4, 0x6a, 0x9b, 0x13, 0x0b, 0x9d, 0x54, 0xf0, 0x7e, 0x34, 0xf3, 0x6a,
++ 0xf7, 0x93, 0xe8, 0x6f, 0x73, 0xc6, 0xd7, 0xdb
++};
++
++int FIPS_selftest_aes_xts()
++{
++ int ret = 1;
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++
++ if (fips_cipher_test(&ctx, EVP_aes_128_xts(),
++ XTS_128_key, XTS_128_i, XTS_128_pt, XTS_128_ct,
++ sizeof(XTS_128_pt)) <= 0)
++ ret = 0;
++
++ if (fips_cipher_test(&ctx, EVP_aes_256_xts(),
++ XTS_256_key, XTS_256_i, XTS_256_pt, XTS_256_ct,
++ sizeof(XTS_256_pt)) <= 0)
++ ret = 0;
++
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ if (ret == 0)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_XTS, FIPS_R_SELFTEST_FAILED);
++ return ret;
++}
++
++#endif
+diff -up openssl-1.0.2c/crypto/fips/fips.c.fips openssl-1.0.2c/crypto/fips/fips.c
+--- openssl-1.0.2c/crypto/fips/fips.c.fips 2015-06-15 17:30:00.006283936 +0200
++++ openssl-1.0.2c/crypto/fips/fips.c 2015-06-15 17:30:00.006283936 +0200
+@@ -0,0 +1,483 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#define _GNU_SOURCE
++
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++#include <openssl/err.h>
++#include <openssl/bio.h>
++#include <openssl/hmac.h>
++#include <openssl/rsa.h>
++#include <string.h>
++#include <limits.h>
++#include <dlfcn.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++# include <openssl/fips.h>
++
++# ifndef PATH_MAX
++# define PATH_MAX 1024
++# endif
++
++static int fips_selftest_fail = 0;
++static int fips_mode = 0;
++static int fips_started = 0;
++
++static int fips_is_owning_thread(void);
++static int fips_set_owning_thread(void);
++static int fips_clear_owning_thread(void);
++
++# define fips_w_lock() CRYPTO_w_lock(CRYPTO_LOCK_FIPS)
++# define fips_w_unlock() CRYPTO_w_unlock(CRYPTO_LOCK_FIPS)
++# define fips_r_lock() CRYPTO_r_lock(CRYPTO_LOCK_FIPS)
++# define fips_r_unlock() CRYPTO_r_unlock(CRYPTO_LOCK_FIPS)
++
++static void fips_set_mode(int onoff)
++{
++ int owning_thread = fips_is_owning_thread();
++
++ if (fips_started) {
++ if (!owning_thread)
++ fips_w_lock();
++ fips_mode = onoff;
++ if (!owning_thread)
++ fips_w_unlock();
++ }
++}
++
++int FIPS_module_mode(void)
++{
++ int ret = 0;
++ int owning_thread = fips_is_owning_thread();
++
++ if (fips_started) {
++ if (!owning_thread)
++ fips_r_lock();
++ ret = fips_mode;
++ if (!owning_thread)
++ fips_r_unlock();
++ }
++ return ret;
++}
++
++int FIPS_selftest_failed(void)
++{
++ int ret = 0;
++ if (fips_started) {
++ int owning_thread = fips_is_owning_thread();
++
++ if (!owning_thread)
++ fips_r_lock();
++ ret = fips_selftest_fail;
++ if (!owning_thread)
++ fips_r_unlock();
++ }
++ return ret;
++}
++
++/* Selftest failure fatal exit routine. This will be called
++ * during *any* cryptographic operation. It has the minimum
++ * overhead possible to avoid too big a performance hit.
++ */
++
++void FIPS_selftest_check(void)
++{
++ if (fips_selftest_fail) {
++ OpenSSLDie(__FILE__, __LINE__, "FATAL FIPS SELFTEST FAILURE");
++ }
++}
++
++void fips_set_selftest_fail(void)
++{
++ fips_selftest_fail = 1;
++}
++
++/* we implement what libfipscheck does ourselves */
++
++static int
++get_library_path(const char *libname, const char *symbolname, char *path,
++ size_t pathlen)
++{
++ Dl_info info;
++ void *dl, *sym;
++ int rv = -1;
++
++ dl = dlopen(libname, RTLD_LAZY);
++ if (dl == NULL) {
++ return -1;
++ }
++
++ sym = dlsym(dl, symbolname);
++
++ if (sym != NULL && dladdr(sym, &info)) {
++ strncpy(path, info.dli_fname, pathlen - 1);
++ path[pathlen - 1] = '\0';
++ rv = 0;
++ }
++
++ dlclose(dl);
++
++ return rv;
++}
++
++static const char conv[] = "0123456789abcdef";
++
++static char *bin2hex(void *buf, size_t len)
++{
++ char *hex, *p;
++ unsigned char *src = buf;
++
++ hex = malloc(len * 2 + 1);
++ if (hex == NULL)
++ return NULL;
++
++ p = hex;
++
++ while (len > 0) {
++ unsigned c;
++
++ c = *src;
++ src++;
++
++ *p = conv[c >> 4];
++ ++p;
++ *p = conv[c & 0x0f];
++ ++p;
++ --len;
++ }
++ *p = '\0';
++ return hex;
++}
++
++# define HMAC_PREFIX "."
++# define HMAC_SUFFIX ".hmac"
++# define READ_BUFFER_LENGTH 16384
++
++static char *make_hmac_path(const char *origpath)
++{
++ char *path, *p;
++ const char *fn;
++
++ path =
++ malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
++ if (path == NULL) {
++ return NULL;
++ }
++
++ fn = strrchr(origpath, '/');
++ if (fn == NULL) {
++ fn = origpath;
++ } else {
++ ++fn;
++ }
++
++ strncpy(path, origpath, fn - origpath);
++ p = path + (fn - origpath);
++ p = stpcpy(p, HMAC_PREFIX);
++ p = stpcpy(p, fn);
++ p = stpcpy(p, HMAC_SUFFIX);
++
++ return path;
++}
++
++static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
++
++static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
++{
++ FILE *f = NULL;
++ int rv = -1;
++ unsigned char rbuf[READ_BUFFER_LENGTH];
++ size_t len;
++ unsigned int hlen;
++ HMAC_CTX c;
++
++ HMAC_CTX_init(&c);
++
++ f = fopen(path, "r");
++
++ if (f == NULL) {
++ goto end;
++ }
++
++ HMAC_Init(&c, hmackey, sizeof(hmackey) - 1, EVP_sha256());
++
++ while ((len = fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
++ HMAC_Update(&c, rbuf, len);
++ }
++
++ len = sizeof(rbuf);
++ /* reuse rbuf for hmac */
++ HMAC_Final(&c, rbuf, &hlen);
++
++ *buf = malloc(hlen);
++ if (*buf == NULL) {
++ goto end;
++ }
++
++ *hmaclen = hlen;
++
++ memcpy(*buf, rbuf, hlen);
++
++ rv = 0;
++ end:
++ HMAC_CTX_cleanup(&c);
++
++ if (f)
++ fclose(f);
++
++ return rv;
++}
++
++static int FIPSCHECK_verify(const char *libname, const char *symbolname)
++{
++ char path[PATH_MAX + 1];
++ int rv;
++ FILE *hf;
++ char *hmacpath, *p;
++ char *hmac = NULL;
++ size_t n;
++
++ rv = get_library_path(libname, symbolname, path, sizeof(path));
++
++ if (rv < 0)
++ return 0;
++
++ hmacpath = make_hmac_path(path);
++ if (hmacpath == NULL)
++ return 0;
++
++ hf = fopen(hmacpath, "r");
++ if (hf == NULL) {
++ free(hmacpath);
++ return 0;
++ }
++
++ if (getline(&hmac, &n, hf) > 0) {
++ void *buf;
++ size_t hmaclen;
++ char *hex;
++
++ if ((p = strchr(hmac, '\n')) != NULL)
++ *p = '\0';
++
++ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
++ rv = -4;
++ goto end;
++ }
++
++ if ((hex = bin2hex(buf, hmaclen)) == NULL) {
++ free(buf);
++ rv = -5;
++ goto end;
++ }
++
++ if (strcmp(hex, hmac) != 0) {
++ rv = -1;
++ }
++ free(buf);
++ free(hex);
++ } else {
++ rv = -1;
++ }
++
++ end:
++ free(hmac);
++ free(hmacpath);
++ fclose(hf);
++
++ if (rv < 0)
++ return 0;
++
++ /* check successful */
++ return 1;
++}
++
++int FIPS_module_mode_set(int onoff, const char *auth)
++{
++ int ret = 0;
++
++ fips_w_lock();
++ fips_started = 1;
++ fips_set_owning_thread();
++
++ if (onoff) {
++
++ fips_selftest_fail = 0;
++
++ /* Don't go into FIPS mode twice, just so we can do automagic
++ seeding */
++ if (FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++ FIPS_R_FIPS_MODE_ALREADY_SET);
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++# ifdef OPENSSL_IA32_SSE2
++ {
++ extern unsigned int OPENSSL_ia32cap_P[2];
++ if ((OPENSSL_ia32cap_P[0] & (1 << 25 | 1 << 26)) !=
++ (1 << 25 | 1 << 26)) {
++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++ FIPS_R_UNSUPPORTED_PLATFORM);
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++ OPENSSL_ia32cap_P[0] |= (1 << 28); /* set "shared cache" */
++ OPENSSL_ia32cap_P[1] &= ~(1 << (60 - 32)); /* clear AVX */
++ }
++# endif
++
++ if (!FIPSCHECK_verify
++ ("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set")) {
++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++
++ if (!FIPSCHECK_verify
++ ("libssl.so." SHLIB_VERSION_NUMBER, "SSL_CTX_new")) {
++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++
++ if (FIPS_selftest())
++ fips_set_mode(onoff);
++ else {
++ fips_selftest_fail = 1;
++ ret = 0;
++ goto end;
++ }
++ ret = 1;
++ goto end;
++ }
++ fips_set_mode(0);
++ fips_selftest_fail = 0;
++ ret = 1;
++ end:
++ fips_clear_owning_thread();
++ fips_w_unlock();
++ return ret;
++}
++
++static CRYPTO_THREADID fips_thread;
++static int fips_thread_set = 0;
++
++static int fips_is_owning_thread(void)
++{
++ int ret = 0;
++
++ if (fips_started) {
++ CRYPTO_r_lock(CRYPTO_LOCK_FIPS2);
++ if (fips_thread_set) {
++ CRYPTO_THREADID cur;
++ CRYPTO_THREADID_current(&cur);
++ if (!CRYPTO_THREADID_cmp(&cur, &fips_thread))
++ ret = 1;
++ }
++ CRYPTO_r_unlock(CRYPTO_LOCK_FIPS2);
++ }
++ return ret;
++}
++
++int fips_set_owning_thread(void)
++{
++ int ret = 0;
++
++ if (fips_started) {
++ CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
++ if (!fips_thread_set) {
++ CRYPTO_THREADID_current(&fips_thread);
++ ret = 1;
++ fips_thread_set = 1;
++ }
++ CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
++ }
++ return ret;
++}
++
++int fips_clear_owning_thread(void)
++{
++ int ret = 0;
++
++ if (fips_started) {
++ CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
++ if (fips_thread_set) {
++ CRYPTO_THREADID cur;
++ CRYPTO_THREADID_current(&cur);
++ if (!CRYPTO_THREADID_cmp(&cur, &fips_thread))
++ fips_thread_set = 0;
++ }
++ CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
++ }
++ return ret;
++}
++
++# if 0
++/* The purpose of this is to ensure the error code exists and the function
++ * name is to keep the error checking script quiet
++ */
++void hash_final(void)
++{
++ FIPSerr(FIPS_F_HASH_FINAL, FIPS_R_NON_FIPS_METHOD);
++}
++# endif
++
++#endif
+diff -up openssl-1.0.2c/crypto/fips/fips_cmac_selftest.c.fips openssl-1.0.2c/crypto/fips/fips_cmac_selftest.c
+--- openssl-1.0.2c/crypto/fips/fips_cmac_selftest.c.fips 2015-06-15 17:30:00.006283936 +0200
++++ openssl-1.0.2c/crypto/fips/fips_cmac_selftest.c 2015-06-15 17:30:00.006283936 +0200
+@@ -0,0 +1,156 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++#include <openssl/cmac.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++typedef struct {
++ int nid;
++ const unsigned char key[EVP_MAX_KEY_LENGTH];
++ size_t keysize;
++ const unsigned char msg[64];
++ size_t msgsize;
++ const unsigned char mac[32];
++ size_t macsize;
++} CMAC_KAT;
++
++/* from http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf */
++static const CMAC_KAT vector[] = {
++ {NID_aes_128_cbc, /* Count = 32 from CMACGenAES128.txt */
++ {0x77, 0xa7, 0x7f, 0xaf, 0x29, 0x0c, 0x1f, 0xa3,
++ 0x0c, 0x68, 0x3d, 0xf1, 0x6b, 0xa7, 0xa7, 0x7b,}, 128,
++ {0x02, 0x06, 0x83, 0xe1, 0xf0, 0x39, 0x2f, 0x4c,
++ 0xac, 0x54, 0x31, 0x8b, 0x60, 0x29, 0x25, 0x9e,
++ 0x9c, 0x55, 0x3d, 0xbc, 0x4b, 0x6a, 0xd9, 0x98,
++ 0xe6, 0x4d, 0x58, 0xe4, 0xe7, 0xdc, 0x2e, 0x13,}, 256,
++ {0xfb, 0xfe, 0xa4, 0x1b,}, 32},
++ {NID_aes_192_cbc, /* Count = 23 from CMACGenAES192.txt */
++ {0x7b, 0x32, 0x39, 0x13, 0x69, 0xaa, 0x4c, 0xa9,
++ 0x75, 0x58, 0x09, 0x5b, 0xe3, 0xc3, 0xec, 0x86,
++ 0x2b, 0xd0, 0x57, 0xce, 0xf1, 0xe3, 0x2d, 0x62,}, 192,
++ {0x0}, 0,
++ {0xe4, 0xd9, 0x34, 0x0b, 0x03, 0xe6, 0x7d, 0xef,
++ 0xd4, 0x96, 0x9c, 0xc1, 0xed, 0x37, 0x35, 0xe6,}, 128,
++ },
++ {NID_aes_256_cbc, /* Count = 33 from CMACGenAES256.txt */
++ {0x0b, 0x12, 0x2a, 0xc8, 0xf3, 0x4e, 0xd1, 0xfe,
++ 0x08, 0x2a, 0x36, 0x25, 0xd1, 0x57, 0x56, 0x14,
++ 0x54, 0x16, 0x7a, 0xc1, 0x45, 0xa1, 0x0b, 0xbf,
++ 0x77, 0xc6, 0xa7, 0x05, 0x96, 0xd5, 0x74, 0xf1,}, 256,
++ {0x49, 0x8b, 0x53, 0xfd, 0xec, 0x87, 0xed, 0xcb,
++ 0xf0, 0x70, 0x97, 0xdc, 0xcd, 0xe9, 0x3a, 0x08,
++ 0x4b, 0xad, 0x75, 0x01, 0xa2, 0x24, 0xe3, 0x88,
++ 0xdf, 0x34, 0x9c, 0xe1, 0x89, 0x59, 0xfe, 0x84,
++ 0x85, 0xf8, 0xad, 0x15, 0x37, 0xf0, 0xd8, 0x96,
++ 0xea, 0x73, 0xbe, 0xdc, 0x72, 0x14, 0x71, 0x3f,}, 384,
++ {0xf6, 0x2c, 0x46, 0x32, 0x9b,}, 40,
++ },
++ {NID_des_ede3_cbc, /* Count = 41 from CMACGenTDES3.req */
++ {0x89, 0xbc, 0xd9, 0x52, 0xa8, 0xc8, 0xab, 0x37,
++ 0x1a, 0xf4, 0x8a, 0xc7, 0xd0, 0x70, 0x85, 0xd5,
++ 0xef, 0xf7, 0x02, 0xe6, 0xd6, 0x2c, 0xdc, 0x23,}, 192,
++ {0xfa, 0x62, 0x0c, 0x1b, 0xbe, 0x97, 0x31, 0x9e,
++ 0x9a, 0x0c, 0xf0, 0x49, 0x21, 0x21, 0xf7, 0xa2,
++ 0x0e, 0xb0, 0x8a, 0x6a, 0x70, 0x9d, 0xcb, 0xd0,
++ 0x0a, 0xaf, 0x38, 0xe4, 0xf9, 0x9e, 0x75, 0x4e,}, 256,
++ {0x8f, 0x49, 0xa1, 0xb7, 0xd6, 0xaa, 0x22, 0x58,}, 64,
++ },
++};
++
++int FIPS_selftest_cmac()
++{
++ size_t n, outlen;
++ unsigned char out[32];
++ const EVP_CIPHER *cipher;
++ CMAC_CTX *ctx = CMAC_CTX_new();
++ const CMAC_KAT *t;
++ int rv = 1;
++
++ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) {
++ cipher = FIPS_get_cipherbynid(t->nid);
++ if (!cipher) {
++ rv = -1;
++ goto err;
++ }
++ if (!CMAC_Init(ctx, t->key, t->keysize / 8, cipher, 0)) {
++ rv = -1;
++ goto err;
++ }
++ if (!CMAC_Update(ctx, t->msg, t->msgsize / 8)) {
++ rv = -1;
++ goto err;
++ }
++
++ if (!CMAC_Final(ctx, out, &outlen)) {
++ rv = -1;
++ goto err;
++ }
++ CMAC_CTX_cleanup(ctx);
++
++ if (outlen < t->macsize / 8 || memcmp(out, t->mac, t->macsize / 8)) {
++ rv = 0;
++ }
++ }
++
++ err:
++ CMAC_CTX_free(ctx);
++
++ if (rv == -1) {
++ rv = 0;
++ }
++ if (!rv)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_CMAC, FIPS_R_SELFTEST_FAILED);
++
++ return rv;
++}
++#endif
+diff -up openssl-1.0.2c/crypto/fips/fips_des_selftest.c.fips openssl-1.0.2c/crypto/fips/fips_des_selftest.c
+--- openssl-1.0.2c/crypto/fips/fips_des_selftest.c.fips 2015-06-15 17:30:00.006283936 +0200
++++ openssl-1.0.2c/crypto/fips/fips_des_selftest.c 2015-06-15 17:30:00.006283936 +0200
+@@ -0,0 +1,138 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++#include <openssl/evp.h>
++#include <openssl/opensslconf.h>
++
++#ifdef OPENSSL_FIPS
++
++static const struct {
++ const unsigned char key[16];
++ const unsigned char plaintext[8];
++ const unsigned char ciphertext[8];
++} tests2[] = {
++ {
++ {
++ 0x7c, 0x4f, 0x6e, 0xf7, 0xa2, 0x04, 0x16, 0xec,
++ 0x0b, 0x6b, 0x7c, 0x9e, 0x5e, 0x19, 0xa7, 0xc4}, {
++ 0x06, 0xa7, 0xd8, 0x79, 0xaa, 0xce, 0x69, 0xef}, {
++ 0x4c, 0x11, 0x17, 0x55, 0xbf, 0xc4, 0x4e, 0xfd}
++ }, {
++ {
++ 0x5d, 0x9e, 0x01, 0xd3, 0x25, 0xc7, 0x3e, 0x34,
++ 0x01, 0x16, 0x7c, 0x85, 0x23, 0xdf, 0xe0, 0x68}, {
++ 0x9c, 0x50, 0x09, 0x0f, 0x5e, 0x7d, 0x69, 0x7e}, {
++ 0xd2, 0x0b, 0x18, 0xdf, 0xd9, 0x0d, 0x9e, 0xff},}
++};
++
++static const struct {
++ const unsigned char key[24];
++ const unsigned char plaintext[8];
++ const unsigned char ciphertext[8];
++} tests3[] = {
++ {
++ {
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
++ 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0}, {
++ 0x8f, 0x8f, 0xbf, 0x9b, 0x5d, 0x48, 0xb4, 0x1c}, {
++ 0x59, 0x8c, 0xe5, 0xd3, 0x6c, 0xa2, 0xea, 0x1b},}, {
++ {
++ 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, 0xFE,
++ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
++ 0xED, 0x39, 0xD9, 0x50, 0xFA, 0x74, 0xBC, 0xC4}, {
++ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}, {
++0x11, 0x25, 0xb0, 0x35, 0xbe, 0xa0, 0x82, 0x86},},};
++
++static int corrupt_des;
++
++void FIPS_corrupt_des()
++{
++ corrupt_des = 1;
++}
++
++int FIPS_selftest_des()
++{
++ int n, ret = 0;
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++ /* Encrypt/decrypt with 2-key 3DES and compare to known answers */
++ for (n = 0; n < 2; ++n) {
++ unsigned char plaintext[8];
++
++ memcpy(plaintext, tests2[n].plaintext, sizeof(plaintext));
++ if (corrupt_des)
++ plaintext[0]++;
++ if (!fips_cipher_test(&ctx, EVP_des_ede_ecb(),
++ tests2[n].key, NULL,
++ plaintext, tests2[n].ciphertext, 8))
++ goto err;
++ }
++
++ /* Encrypt/decrypt with 3DES and compare to known answers */
++ for (n = 0; n < 2; ++n) {
++ if (!fips_cipher_test(&ctx, EVP_des_ede3_ecb(),
++ tests3[n].key, NULL,
++ tests3[n].plaintext, tests3[n].ciphertext, 8))
++ goto err;
++ }
++ ret = 1;
++ err:
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ if (ret == 0)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_DES, FIPS_R_SELFTEST_FAILED);
++
++ return ret;
++}
++#endif
+diff -up openssl-1.0.2c/crypto/fips/fips_drbg_ctr.c.fips openssl-1.0.2c/crypto/fips/fips_drbg_ctr.c
+--- openssl-1.0.2c/crypto/fips/fips_drbg_ctr.c.fips 2015-06-15 17:30:00.006283936 +0200
++++ openssl-1.0.2c/crypto/fips/fips_drbg_ctr.c 2015-06-15 17:30:00.006283936 +0200
+@@ -0,0 +1,415 @@
++/* fips/rand/fips_drbg_ctr.c */
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <stdlib.h>
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/fips.h>
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++
++static void inc_128(DRBG_CTR_CTX * cctx)
++{
++ int i;
++ unsigned char c;
++ unsigned char *p = cctx->V + 15;
++ for (i = 0; i < 16; i++) {
++ c = *p;
++ c++;
++ *p = c;
++ if (c)
++ return;
++ p--;
++ }
++}
++
++static void ctr_XOR(DRBG_CTR_CTX * cctx, const unsigned char *in,
++ size_t inlen)
++{
++ size_t i, n;
++ /* Any zero padding will have no effect on the result as we
++ * are XORing. So just process however much input we have.
++ */
++
++ if (!in || !inlen)
++ return;
++
++ if (inlen < cctx->keylen)
++ n = inlen;
++ else
++ n = cctx->keylen;
++
++ for (i = 0; i < n; i++)
++ cctx->K[i] ^= in[i];
++ if (inlen <= cctx->keylen)
++ return;
++
++ n = inlen - cctx->keylen;
++ /* Should never happen */
++ if (n > 16)
++ n = 16;
++ for (i = 0; i < 16; i++)
++ cctx->V[i] ^= in[i + cctx->keylen];
++}
++
++/* Process a complete block using BCC algorithm of SPP 800-90 10.4.3 */
++
++static void ctr_BCC_block(DRBG_CTR_CTX * cctx, unsigned char *out,
++ const unsigned char *in)
++{
++ int i;
++ for (i = 0; i < 16; i++)
++ out[i] ^= in[i];
++ AES_encrypt(out, out, &cctx->df_ks);
++#if 0
++ fprintf(stderr, "BCC in+out\n");
++ BIO_dump_fp(stderr, in, 16);
++ BIO_dump_fp(stderr, out, 16);
++#endif
++}
++
++/* Handle several BCC operations for as much data as we need for K and X */
++static void ctr_BCC_blocks(DRBG_CTR_CTX * cctx, const unsigned char *in)
++{
++ ctr_BCC_block(cctx, cctx->KX, in);
++ ctr_BCC_block(cctx, cctx->KX + 16, in);
++ if (cctx->keylen != 16)
++ ctr_BCC_block(cctx, cctx->KX + 32, in);
++}
++
++/* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
++ * see 10.4.2 stage 7.
++ */
++static void ctr_BCC_init(DRBG_CTR_CTX * cctx)
++{
++ memset(cctx->KX, 0, 48);
++ memset(cctx->bltmp, 0, 16);
++ ctr_BCC_block(cctx, cctx->KX, cctx->bltmp);
++ cctx->bltmp[3] = 1;
++ ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp);
++ if (cctx->keylen != 16) {
++ cctx->bltmp[3] = 2;
++ ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp);
++ }
++}
++
++/* Process several blocks into BCC algorithm, some possibly partial */
++static void ctr_BCC_update(DRBG_CTR_CTX * cctx,
++ const unsigned char *in, size_t inlen)
++{
++ if (!in || !inlen)
++ return;
++ /* If we have partial block handle it first */
++ if (cctx->bltmp_pos) {
++ size_t left = 16 - cctx->bltmp_pos;
++ /* If we now have a complete block process it */
++ if (inlen >= left) {
++ memcpy(cctx->bltmp + cctx->bltmp_pos, in, left);
++ ctr_BCC_blocks(cctx, cctx->bltmp);
++ cctx->bltmp_pos = 0;
++ inlen -= left;
++ in += left;
++ }
++ }
++ /* Process zero or more complete blocks */
++ while (inlen >= 16) {
++ ctr_BCC_blocks(cctx, in);
++ in += 16;
++ inlen -= 16;
++ }
++ /* Copy any remaining partial block to the temporary buffer */
++ if (inlen > 0) {
++ memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen);
++ cctx->bltmp_pos += inlen;
++ }
++}
++
++static void ctr_BCC_final(DRBG_CTR_CTX * cctx)
++{
++ if (cctx->bltmp_pos) {
++ memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos);
++ ctr_BCC_blocks(cctx, cctx->bltmp);
++ }
++}
++
++static void ctr_df(DRBG_CTR_CTX * cctx,
++ const unsigned char *in1, size_t in1len,
++ const unsigned char *in2, size_t in2len,
++ const unsigned char *in3, size_t in3len)
++{
++ size_t inlen;
++ unsigned char *p = cctx->bltmp;
++ static unsigned char c80 = 0x80;
++
++ ctr_BCC_init(cctx);
++ if (!in1)
++ in1len = 0;
++ if (!in2)
++ in2len = 0;
++ if (!in3)
++ in3len = 0;
++ inlen = in1len + in2len + in3len;
++ /* Initialise L||N in temporary block */
++ *p++ = (inlen >> 24) & 0xff;
++ *p++ = (inlen >> 16) & 0xff;
++ *p++ = (inlen >> 8) & 0xff;
++ *p++ = inlen & 0xff;
++ /* NB keylen is at most 32 bytes */
++ *p++ = 0;
++ *p++ = 0;
++ *p++ = 0;
++ *p = (unsigned char)((cctx->keylen + 16) & 0xff);
++ cctx->bltmp_pos = 8;
++ ctr_BCC_update(cctx, in1, in1len);
++ ctr_BCC_update(cctx, in2, in2len);
++ ctr_BCC_update(cctx, in3, in3len);
++ ctr_BCC_update(cctx, &c80, 1);
++ ctr_BCC_final(cctx);
++ /* Set up key K */
++ AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks);
++ /* X follows key K */
++ AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks);
++ AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks);
++ if (cctx->keylen != 16)
++ AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks);
++#if 0
++ fprintf(stderr, "Output of ctr_df:\n");
++ BIO_dump_fp(stderr, cctx->KX, cctx->keylen + 16);
++#endif
++}
++
++/* NB the no-df Update in SP800-90 specifies a constant input length
++ * of seedlen, however other uses of this algorithm pad the input with
++ * zeroes if necessary and have up to two parameters XORed together,
++ * handle both cases in this function instead.
++ */
++
++static void ctr_Update(DRBG_CTX *dctx,
++ const unsigned char *in1, size_t in1len,
++ const unsigned char *in2, size_t in2len,
++ const unsigned char *nonce, size_t noncelen)
++{
++ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
++ /* ks is already setup for correct key */
++ inc_128(cctx);
++ AES_encrypt(cctx->V, cctx->K, &cctx->ks);
++ /* If keylen longer than 128 bits need extra encrypt */
++ if (cctx->keylen != 16) {
++ inc_128(cctx);
++ AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks);
++ }
++ inc_128(cctx);
++ AES_encrypt(cctx->V, cctx->V, &cctx->ks);
++ /* If 192 bit key part of V is on end of K */
++ if (cctx->keylen == 24) {
++ memcpy(cctx->V + 8, cctx->V, 8);
++ memcpy(cctx->V, cctx->K + 24, 8);
++ }
++
++ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
++ /* If no input reuse existing derived value */
++ if (in1 || nonce || in2)
++ ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len);
++ /* If this a reuse input in1len != 0 */
++ if (in1len)
++ ctr_XOR(cctx, cctx->KX, dctx->seedlen);
++ } else {
++ ctr_XOR(cctx, in1, in1len);
++ ctr_XOR(cctx, in2, in2len);
++ }
++
++ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
++#if 0
++ fprintf(stderr, "K+V after update is:\n");
++ BIO_dump_fp(stderr, cctx->K, cctx->keylen);
++ BIO_dump_fp(stderr, cctx->V, 16);
++#endif
++}
++
++static int drbg_ctr_instantiate(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t entlen,
++ const unsigned char *nonce, size_t noncelen,
++ const unsigned char *pers, size_t perslen)
++{
++ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
++ memset(cctx->K, 0, sizeof(cctx->K));
++ memset(cctx->V, 0, sizeof(cctx->V));
++ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
++ ctr_Update(dctx, ent, entlen, pers, perslen, nonce, noncelen);
++ return 1;
++}
++
++static int drbg_ctr_reseed(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t entlen,
++ const unsigned char *adin, size_t adinlen)
++{
++ ctr_Update(dctx, ent, entlen, adin, adinlen, NULL, 0);
++ return 1;
++}
++
++static int drbg_ctr_generate(DRBG_CTX *dctx,
++ unsigned char *out, size_t outlen,
++ const unsigned char *adin, size_t adinlen)
++{
++ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
++ if (adin && adinlen) {
++ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
++ /* This means we reuse derived value */
++ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
++ adin = NULL;
++ adinlen = 1;
++ }
++ } else
++ adinlen = 0;
++
++ for (;;) {
++ inc_128(cctx);
++ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
++ AES_encrypt(cctx->V, dctx->lb, &cctx->ks);
++ dctx->lb_valid = 1;
++ continue;
++ }
++ if (outlen < 16) {
++ /* Use K as temp space as it will be updated */
++ AES_encrypt(cctx->V, cctx->K, &cctx->ks);
++ if (!fips_drbg_cprng_test(dctx, cctx->K))
++ return 0;
++ memcpy(out, cctx->K, outlen);
++ break;
++ }
++ AES_encrypt(cctx->V, out, &cctx->ks);
++ if (!fips_drbg_cprng_test(dctx, out))
++ return 0;
++ out += 16;
++ outlen -= 16;
++ if (outlen == 0)
++ break;
++ }
++
++ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
++
++ return 1;
++
++}
++
++static int drbg_ctr_uninstantiate(DRBG_CTX *dctx)
++{
++ memset(&dctx->d.ctr, 0, sizeof(DRBG_CTR_CTX));
++ return 1;
++}
++
++int fips_drbg_ctr_init(DRBG_CTX *dctx)
++{
++ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
++
++ size_t keylen;
++
++ switch (dctx->type) {
++ case NID_aes_128_ctr:
++ keylen = 16;
++ break;
++
++ case NID_aes_192_ctr:
++ keylen = 24;
++ break;
++
++ case NID_aes_256_ctr:
++ keylen = 32;
++ break;
++
++ default:
++ return -2;
++ }
++
++ dctx->instantiate = drbg_ctr_instantiate;
++ dctx->reseed = drbg_ctr_reseed;
++ dctx->generate = drbg_ctr_generate;
++ dctx->uninstantiate = drbg_ctr_uninstantiate;
++
++ cctx->keylen = keylen;
++ dctx->strength = keylen * 8;
++ dctx->blocklength = 16;
++ dctx->seedlen = keylen + 16;
++
++ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
++ /* df initialisation */
++ static unsigned char df_key[32] = {
++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
++ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
++ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
++ };
++ /* Set key schedule for df_key */
++ AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks);
++
++ dctx->min_entropy = cctx->keylen;
++ dctx->max_entropy = DRBG_MAX_LENGTH;
++ dctx->min_nonce = dctx->min_entropy / 2;
++ dctx->max_nonce = DRBG_MAX_LENGTH;
++ dctx->max_pers = DRBG_MAX_LENGTH;
++ dctx->max_adin = DRBG_MAX_LENGTH;
++ } else {
++ dctx->min_entropy = dctx->seedlen;
++ dctx->max_entropy = dctx->seedlen;
++ /* Nonce not used */
++ dctx->min_nonce = 0;
++ dctx->max_nonce = 0;
++ dctx->max_pers = dctx->seedlen;
++ dctx->max_adin = dctx->seedlen;
++ }
++
++ dctx->max_request = 1 << 16;
++ dctx->reseed_interval = 1 << 24;
++
++ return 1;
++}
+diff -up openssl-1.0.2c/crypto/fips/fips_drbg_hash.c.fips openssl-1.0.2c/crypto/fips/fips_drbg_hash.c
+--- openssl-1.0.2c/crypto/fips/fips_drbg_hash.c.fips 2015-06-15 17:30:00.006283936 +0200
++++ openssl-1.0.2c/crypto/fips/fips_drbg_hash.c 2015-06-15 17:30:00.006283936 +0200
+@@ -0,0 +1,358 @@
++/* fips/rand/fips_drbg_hash.c */
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#define OPENSSL_FIPSAPI
++
++#include <stdlib.h>
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/fips.h>
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++
++/* This is Hash_df from SP 800-90 10.4.1 */
++
++static int hash_df(DRBG_CTX *dctx, unsigned char *out,
++ const unsigned char *in1, size_t in1len,
++ const unsigned char *in2, size_t in2len,
++ const unsigned char *in3, size_t in3len,
++ const unsigned char *in4, size_t in4len)
++{
++ EVP_MD_CTX *mctx = &dctx->d.hash.mctx;
++ unsigned char *vtmp = dctx->d.hash.vtmp;
++ unsigned char tmp[6];
++ /* Standard only ever needs seedlen bytes which is always less than
++ * maximum permitted so no need to check length.
++ */
++ size_t outlen = dctx->seedlen;
++ tmp[0] = 1;
++ tmp[1] = ((outlen * 8) >> 24) & 0xff;
++ tmp[2] = ((outlen * 8) >> 16) & 0xff;
++ tmp[3] = ((outlen * 8) >> 8) & 0xff;
++ tmp[4] = (outlen * 8) & 0xff;
++ if (!in1) {
++ tmp[5] = (unsigned char)in1len;
++ in1 = tmp + 5;
++ in1len = 1;
++ }
++ for (;;) {
++ if (!FIPS_digestinit(mctx, dctx->d.hash.md))
++ return 0;
++ if (!FIPS_digestupdate(mctx, tmp, 5))
++ return 0;
++ if (in1 && !FIPS_digestupdate(mctx, in1, in1len))
++ return 0;
++ if (in2 && !FIPS_digestupdate(mctx, in2, in2len))
++ return 0;
++ if (in3 && !FIPS_digestupdate(mctx, in3, in3len))
++ return 0;
++ if (in4 && !FIPS_digestupdate(mctx, in4, in4len))
++ return 0;
++ if (outlen < dctx->blocklength) {
++ if (!FIPS_digestfinal(mctx, vtmp, NULL))
++ return 0;
++ memcpy(out, vtmp, outlen);
++ OPENSSL_cleanse(vtmp, dctx->blocklength);
++ return 1;
++ } else if (!FIPS_digestfinal(mctx, out, NULL))
++ return 0;
++
++ outlen -= dctx->blocklength;
++ if (outlen == 0)
++ return 1;
++ tmp[0]++;
++ out += dctx->blocklength;
++ }
++}
++
++/* Add an unsigned buffer to the buf value, storing the result in buf. For
++ * this algorithm the length of input never exceeds the seed length.
++ */
++
++static void ctx_add_buf(DRBG_CTX *dctx, unsigned char *buf,
++ unsigned char *in, size_t inlen)
++{
++ size_t i = inlen;
++ const unsigned char *q;
++ unsigned char c, *p;
++ p = buf + dctx->seedlen;
++ q = in + inlen;
++
++ OPENSSL_assert(i <= dctx->seedlen);
++
++ /* Special case: zero length, just increment buffer */
++ if (i)
++ c = 0;
++ else
++ c = 1;
++
++ while (i) {
++ int r;
++ p--;
++ q--;
++ r = *p + *q + c;
++ /* Carry */
++ if (r > 0xff)
++ c = 1;
++ else
++ c = 0;
++ *p = r & 0xff;
++ i--;
++ }
++
++ i = dctx->seedlen - inlen;
++
++ /* If not adding whole buffer handle final carries */
++ if (c && i) {
++ do {
++ p--;
++ c = *p;
++ c++;
++ *p = c;
++ if (c)
++ return;
++ } while (i--);
++ }
++}
++
++/* Finalise and add hash to V */
++
++static int ctx_add_md(DRBG_CTX *dctx)
++{
++ if (!FIPS_digestfinal(&dctx->d.hash.mctx, dctx->d.hash.vtmp, NULL))
++ return 0;
++ ctx_add_buf(dctx, dctx->d.hash.V, dctx->d.hash.vtmp, dctx->blocklength);
++ return 1;
++}
++
++static int hash_gen(DRBG_CTX *dctx, unsigned char *out, size_t outlen)
++{
++ DRBG_HASH_CTX *hctx = &dctx->d.hash;
++ if (outlen == 0)
++ return 1;
++ memcpy(hctx->vtmp, hctx->V, dctx->seedlen);
++ for (;;) {
++ FIPS_digestinit(&hctx->mctx, hctx->md);
++ FIPS_digestupdate(&hctx->mctx, hctx->vtmp, dctx->seedlen);
++ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
++ FIPS_digestfinal(&hctx->mctx, dctx->lb, NULL);
++ dctx->lb_valid = 1;
++ } else if (outlen < dctx->blocklength) {
++ FIPS_digestfinal(&hctx->mctx, hctx->vtmp, NULL);
++ if (!fips_drbg_cprng_test(dctx, hctx->vtmp))
++ return 0;
++ memcpy(out, hctx->vtmp, outlen);
++ return 1;
++ } else {
++ FIPS_digestfinal(&hctx->mctx, out, NULL);
++ if (!fips_drbg_cprng_test(dctx, out))
++ return 0;
++ outlen -= dctx->blocklength;
++ if (outlen == 0)
++ return 1;
++ out += dctx->blocklength;
++ }
++ ctx_add_buf(dctx, hctx->vtmp, NULL, 0);
++ }
++}
++
++static int drbg_hash_instantiate(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t ent_len,
++ const unsigned char *nonce, size_t nonce_len,
++ const unsigned char *pstr, size_t pstr_len)
++{
++ DRBG_HASH_CTX *hctx = &dctx->d.hash;
++ if (!hash_df(dctx, hctx->V,
++ ent, ent_len, nonce, nonce_len, pstr, pstr_len, NULL, 0))
++ return 0;
++ if (!hash_df(dctx, hctx->C,
++ NULL, 0, hctx->V, dctx->seedlen, NULL, 0, NULL, 0))
++ return 0;
++
++#ifdef HASH_DRBG_TRACE
++ fprintf(stderr, "V+C after instantiate:\n");
++ hexprint(stderr, hctx->V, dctx->seedlen);
++ hexprint(stderr, hctx->C, dctx->seedlen);
++#endif
++ return 1;
++}
++
++static int drbg_hash_reseed(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t ent_len,
++ const unsigned char *adin, size_t adin_len)
++{
++ DRBG_HASH_CTX *hctx = &dctx->d.hash;
++ /* V about to be updated so use C as output instead */
++ if (!hash_df(dctx, hctx->C,
++ NULL, 1, hctx->V, dctx->seedlen,
++ ent, ent_len, adin, adin_len))
++ return 0;
++ memcpy(hctx->V, hctx->C, dctx->seedlen);
++ if (!hash_df(dctx, hctx->C, NULL, 0,
++ hctx->V, dctx->seedlen, NULL, 0, NULL, 0))
++ return 0;
++#ifdef HASH_DRBG_TRACE
++ fprintf(stderr, "V+C after reseed:\n");
++ hexprint(stderr, hctx->V, dctx->seedlen);
++ hexprint(stderr, hctx->C, dctx->seedlen);
++#endif
++ return 1;
++}
++
++static int drbg_hash_generate(DRBG_CTX *dctx,
++ unsigned char *out, size_t outlen,
++ const unsigned char *adin, size_t adin_len)
++{
++ DRBG_HASH_CTX *hctx = &dctx->d.hash;
++ EVP_MD_CTX *mctx = &hctx->mctx;
++ unsigned char tmp[4];
++ if (adin && adin_len) {
++ tmp[0] = 2;
++ if (!FIPS_digestinit(mctx, hctx->md))
++ return 0;
++ if (!EVP_DigestUpdate(mctx, tmp, 1))
++ return 0;
++ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
++ return 0;
++ if (!EVP_DigestUpdate(mctx, adin, adin_len))
++ return 0;
++ if (!ctx_add_md(dctx))
++ return 0;
++ }
++ if (!hash_gen(dctx, out, outlen))
++ return 0;
++
++ tmp[0] = 3;
++ if (!FIPS_digestinit(mctx, hctx->md))
++ return 0;
++ if (!EVP_DigestUpdate(mctx, tmp, 1))
++ return 0;
++ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
++ return 0;
++
++ if (!ctx_add_md(dctx))
++ return 0;
++
++ ctx_add_buf(dctx, hctx->V, hctx->C, dctx->seedlen);
++
++ tmp[0] = (dctx->reseed_counter >> 24) & 0xff;
++ tmp[1] = (dctx->reseed_counter >> 16) & 0xff;
++ tmp[2] = (dctx->reseed_counter >> 8) & 0xff;
++ tmp[3] = dctx->reseed_counter & 0xff;
++ ctx_add_buf(dctx, hctx->V, tmp, 4);
++#ifdef HASH_DRBG_TRACE
++ fprintf(stderr, "V+C after generate:\n");
++ hexprint(stderr, hctx->V, dctx->seedlen);
++ hexprint(stderr, hctx->C, dctx->seedlen);
++#endif
++ return 1;
++}
++
++static int drbg_hash_uninstantiate(DRBG_CTX *dctx)
++{
++ EVP_MD_CTX_cleanup(&dctx->d.hash.mctx);
++ OPENSSL_cleanse(&dctx->d.hash, sizeof(DRBG_HASH_CTX));
++ return 1;
++}
++
++int fips_drbg_hash_init(DRBG_CTX *dctx)
++{
++ const EVP_MD *md;
++ DRBG_HASH_CTX *hctx = &dctx->d.hash;
++ md = FIPS_get_digestbynid(dctx->type);
++ if (!md)
++ return -2;
++ switch (dctx->type) {
++ case NID_sha1:
++ dctx->strength = 128;
++ break;
++
++ case NID_sha224:
++ dctx->strength = 192;
++ break;
++
++ default:
++ dctx->strength = 256;
++ break;
++ }
++
++ dctx->instantiate = drbg_hash_instantiate;
++ dctx->reseed = drbg_hash_reseed;
++ dctx->generate = drbg_hash_generate;
++ dctx->uninstantiate = drbg_hash_uninstantiate;
++
++ dctx->d.hash.md = md;
++ EVP_MD_CTX_init(&hctx->mctx);
++
++ /* These are taken from SP 800-90 10.1 table 2 */
++
++ dctx->blocklength = M_EVP_MD_size(md);
++ if (dctx->blocklength > 32)
++ dctx->seedlen = 111;
++ else
++ dctx->seedlen = 55;
++
++ dctx->min_entropy = dctx->strength / 8;
++ dctx->max_entropy = DRBG_MAX_LENGTH;
++
++ dctx->min_nonce = dctx->min_entropy / 2;
++ dctx->max_nonce = DRBG_MAX_LENGTH;
++
++ dctx->max_pers = DRBG_MAX_LENGTH;
++ dctx->max_adin = DRBG_MAX_LENGTH;
++
++ dctx->max_request = 1 << 16;
++ dctx->reseed_interval = 1 << 24;
++
++ return 1;
++}
+diff -up openssl-1.0.2c/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.2c/crypto/fips/fips_drbg_hmac.c
+--- openssl-1.0.2c/crypto/fips/fips_drbg_hmac.c.fips 2015-06-15 17:30:00.006283936 +0200
++++ openssl-1.0.2c/crypto/fips/fips_drbg_hmac.c 2015-06-15 17:30:00.006283936 +0200
+@@ -0,0 +1,270 @@
++/* fips/rand/fips_drbg_hmac.c */
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <stdlib.h>
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/evp.h>
++#include <openssl/hmac.h>
++#include <openssl/aes.h>
++#include <openssl/fips.h>
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++
++static int drbg_hmac_update(DRBG_CTX *dctx,
++ const unsigned char *in1, size_t in1len,
++ const unsigned char *in2, size_t in2len,
++ const unsigned char *in3, size_t in3len)
++{
++ static unsigned char c0 = 0, c1 = 1;
++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
++ HMAC_CTX *hctx = &hmac->hctx;
++
++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++ return 0;
++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
++ return 0;
++ if (!HMAC_Update(hctx, &c0, 1))
++ return 0;
++ if (in1len && !HMAC_Update(hctx, in1, in1len))
++ return 0;
++ if (in2len && !HMAC_Update(hctx, in2, in2len))
++ return 0;
++ if (in3len && !HMAC_Update(hctx, in3, in3len))
++ return 0;
++
++ if (!HMAC_Final(hctx, hmac->K, NULL))
++ return 0;
++
++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++ return 0;
++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
++ return 0;
++
++ if (!HMAC_Final(hctx, hmac->V, NULL))
++ return 0;
++
++ if (!in1len && !in2len && !in3len)
++ return 1;
++
++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++ return 0;
++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
++ return 0;
++ if (!HMAC_Update(hctx, &c1, 1))
++ return 0;
++ if (in1len && !HMAC_Update(hctx, in1, in1len))
++ return 0;
++ if (in2len && !HMAC_Update(hctx, in2, in2len))
++ return 0;
++ if (in3len && !HMAC_Update(hctx, in3, in3len))
++ return 0;
++
++ if (!HMAC_Final(hctx, hmac->K, NULL))
++ return 0;
++
++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++ return 0;
++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
++ return 0;
++
++ if (!HMAC_Final(hctx, hmac->V, NULL))
++ return 0;
++
++ return 1;
++
++}
++
++static int drbg_hmac_instantiate(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t ent_len,
++ const unsigned char *nonce, size_t nonce_len,
++ const unsigned char *pstr, size_t pstr_len)
++{
++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
++ memset(hmac->K, 0, dctx->blocklength);
++ memset(hmac->V, 1, dctx->blocklength);
++ if (!drbg_hmac_update(dctx,
++ ent, ent_len, nonce, nonce_len, pstr, pstr_len))
++ return 0;
++
++#ifdef HMAC_DRBG_TRACE
++ fprintf(stderr, "K+V after instantiate:\n");
++ hexprint(stderr, hmac->K, hmac->blocklength);
++ hexprint(stderr, hmac->V, hmac->blocklength);
++#endif
++ return 1;
++}
++
++static int drbg_hmac_reseed(DRBG_CTX *dctx,
++ const unsigned char *ent, size_t ent_len,
++ const unsigned char *adin, size_t adin_len)
++{
++ if (!drbg_hmac_update(dctx, ent, ent_len, adin, adin_len, NULL, 0))
++ return 0;
++
++#ifdef HMAC_DRBG_TRACE
++ {
++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
++ fprintf(stderr, "K+V after reseed:\n");
++ hexprint(stderr, hmac->K, hmac->blocklength);
++ hexprint(stderr, hmac->V, hmac->blocklength);
++ }
++#endif
++ return 1;
++}
++
++static int drbg_hmac_generate(DRBG_CTX *dctx,
++ unsigned char *out, size_t outlen,
++ const unsigned char *adin, size_t adin_len)
++{
++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
++ HMAC_CTX *hctx = &hmac->hctx;
++ const unsigned char *Vtmp = hmac->V;
++ if (adin_len && !drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))
++ return 0;
++ for (;;) {
++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++ return 0;
++ if (!HMAC_Update(hctx, Vtmp, dctx->blocklength))
++ return 0;
++ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid) {
++ if (!HMAC_Final(hctx, dctx->lb, NULL))
++ return 0;
++ dctx->lb_valid = 1;
++ Vtmp = dctx->lb;
++ continue;
++ } else if (outlen > dctx->blocklength) {
++ if (!HMAC_Final(hctx, out, NULL))
++ return 0;
++ if (!fips_drbg_cprng_test(dctx, out))
++ return 0;
++ Vtmp = out;
++ } else {
++ if (!HMAC_Final(hctx, hmac->V, NULL))
++ return 0;
++ if (!fips_drbg_cprng_test(dctx, hmac->V))
++ return 0;
++ memcpy(out, hmac->V, outlen);
++ break;
++ }
++ out += dctx->blocklength;
++ outlen -= dctx->blocklength;
++ }
++ if (!drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))
++ return 0;
++
++ return 1;
++}
++
++static int drbg_hmac_uninstantiate(DRBG_CTX *dctx)
++{
++ HMAC_CTX_cleanup(&dctx->d.hmac.hctx);
++ OPENSSL_cleanse(&dctx->d.hmac, sizeof(DRBG_HMAC_CTX));
++ return 1;
++}
++
++int fips_drbg_hmac_init(DRBG_CTX *dctx)
++{
++ const EVP_MD *md = NULL;
++ DRBG_HMAC_CTX *hctx = &dctx->d.hmac;
++ dctx->strength = 256;
++ switch (dctx->type) {
++ case NID_hmacWithSHA1:
++ md = EVP_sha1();
++ dctx->strength = 128;
++ break;
++
++ case NID_hmacWithSHA224:
++ md = EVP_sha224();
++ dctx->strength = 192;
++ break;
++
++ case NID_hmacWithSHA256:
++ md = EVP_sha256();
++ break;
++
++ case NID_hmacWithSHA384:
++ md = EVP_sha384();
++ break;
++
++ case NID_hmacWithSHA512:
++ md = EVP_sha512();
++ break;
++
++ default:
++ dctx->strength = 0;
++ return -2;
++ }
++ dctx->instantiate = drbg_hmac_instantiate;
++ dctx->reseed = drbg_hmac_reseed;
++ dctx->generate = drbg_hmac_generate;
++ dctx->uninstantiate = drbg_hmac_uninstantiate;
++ HMAC_CTX_init(&hctx->hctx);
++ hctx->md = md;
++ dctx->blocklength = M_EVP_MD_size(md);
++ dctx->seedlen = M_EVP_MD_size(md);
++
++ dctx->min_entropy = dctx->strength / 8;
++ dctx->max_entropy = DRBG_MAX_LENGTH;
++
++ dctx->min_nonce = dctx->min_entropy / 2;
++ dctx->max_nonce = DRBG_MAX_LENGTH;
++
++ dctx->max_pers = DRBG_MAX_LENGTH;
++ dctx->max_adin = DRBG_MAX_LENGTH;
++
++ dctx->max_request = 1 << 16;
++ dctx->reseed_interval = 1 << 24;
++
++ return 1;
++}
+diff -up openssl-1.0.2c/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.2c/crypto/fips/fips_drbg_lib.c
+--- openssl-1.0.2c/crypto/fips/fips_drbg_lib.c.fips 2015-06-15 17:30:00.007283959 +0200
++++ openssl-1.0.2c/crypto/fips/fips_drbg_lib.c 2015-06-15 17:30:00.007283959 +0200
+@@ -0,0 +1,553 @@
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/err.h>
++#include <openssl/fips_rand.h>
++#include "fips_locl.h"
++#include "fips_rand_lcl.h"
++
++/* Support framework for SP800-90 DRBGs */
++
++int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)
++{
++ int rv;
++ memset(dctx, 0, sizeof(DRBG_CTX));
++ dctx->status = DRBG_STATUS_UNINITIALISED;
++ dctx->xflags = flags;
++ dctx->type = type;
++
++ dctx->iflags = 0;
++ dctx->entropy_blocklen = 0;
++ dctx->health_check_cnt = 0;
++ dctx->health_check_interval = DRBG_HEALTH_INTERVAL;
++
++ rv = fips_drbg_hash_init(dctx);
++
++ if (rv == -2)
++ rv = fips_drbg_ctr_init(dctx);
++ if (rv == -2)
++ rv = fips_drbg_hmac_init(dctx);
++
++ if (rv <= 0) {
++ if (rv == -2)
++ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE);
++ else
++ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG);
++ }
++
++ /* If not in test mode run selftests on DRBG of the same type */
++
++ if (!(dctx->xflags & DRBG_FLAG_TEST)) {
++ if (!FIPS_drbg_health_check(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);
++ return 0;
++ }
++ }
++
++ return rv;
++}
++
++DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags)
++{
++ DRBG_CTX *dctx;
++ dctx = OPENSSL_malloc(sizeof(DRBG_CTX));
++ if (!dctx) {
++ FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE);
++ return NULL;
++ }
++
++ if (type == 0) {
++ memset(dctx, 0, sizeof(DRBG_CTX));
++ dctx->type = 0;
++ dctx->status = DRBG_STATUS_UNINITIALISED;
++ return dctx;
++ }
++
++ if (FIPS_drbg_init(dctx, type, flags) <= 0) {
++ OPENSSL_free(dctx);
++ return NULL;
++ }
++
++ return dctx;
++}
++
++void FIPS_drbg_free(DRBG_CTX *dctx)
++{
++ if (dctx->uninstantiate)
++ dctx->uninstantiate(dctx);
++ /* Don't free up default DRBG */
++ if (dctx == FIPS_get_default_drbg()) {
++ memset(dctx, 0, sizeof(DRBG_CTX));
++ dctx->type = 0;
++ dctx->status = DRBG_STATUS_UNINITIALISED;
++ } else {
++ OPENSSL_cleanse(&dctx->d, sizeof(dctx->d));
++ OPENSSL_free(dctx);
++ }
++}
++
++static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len)
++{
++ unsigned char *tout, *p;
++ size_t bl = dctx->entropy_blocklen, rv;
++ if (!dctx->get_entropy)
++ return 0;
++ if (dctx->xflags & DRBG_FLAG_TEST || !bl)
++ return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
++ rv = dctx->get_entropy(dctx, &tout, entropy + bl,
++ min_len + bl, max_len + bl);
++ if (tout == NULL)
++ return 0;
++ *pout = tout + bl;
++ if (rv < (min_len + bl) || (rv % bl))
++ return 0;
++ /* Compare consecutive blocks for continuous PRNG test */
++ for (p = tout; p < tout + rv - bl; p += bl) {
++ if (!memcmp(p, p + bl, bl)) {
++ FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK);
++ return 0;
++ }
++ }
++ rv -= bl;
++ if (rv > max_len)
++ return max_len;
++ return rv;
++}
++
++static void fips_cleanup_entropy(DRBG_CTX *dctx,
++ unsigned char *out, size_t olen)
++{
++ size_t bl;
++ if (dctx->xflags & DRBG_FLAG_TEST)
++ bl = 0;
++ else
++ bl = dctx->entropy_blocklen;
++ /* Call cleanup with original arguments */
++ dctx->cleanup_entropy(dctx, out - bl, olen + bl);
++}
++
++int FIPS_drbg_instantiate(DRBG_CTX *dctx,
++ const unsigned char *pers, size_t perslen)
++{
++ size_t entlen = 0, noncelen = 0;
++ unsigned char *nonce = NULL, *entropy = NULL;
++
++#if 0
++ /* Put here so error script picks them up */
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE,
++ FIPS_R_PERSONALISATION_STRING_TOO_LONG);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR);
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED);
++#endif
++
++ int r = 0;
++
++ if (perslen > dctx->max_pers) {
++ r = FIPS_R_PERSONALISATION_STRING_TOO_LONG;
++ goto end;
++ }
++
++ if (!dctx->instantiate) {
++ r = FIPS_R_DRBG_NOT_INITIALISED;
++ goto end;
++ }
++
++ if (dctx->status != DRBG_STATUS_UNINITIALISED) {
++ if (dctx->status == DRBG_STATUS_ERROR)
++ r = FIPS_R_IN_ERROR_STATE;
++ else
++ r = FIPS_R_ALREADY_INSTANTIATED;
++ goto end;
++ }
++
++ dctx->status = DRBG_STATUS_ERROR;
++
++ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
++ dctx->min_entropy, dctx->max_entropy);
++
++ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
++ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
++ goto end;
++ }
++
++ if (dctx->max_nonce > 0 && dctx->get_nonce) {
++ noncelen = dctx->get_nonce(dctx, &nonce,
++ dctx->strength / 2,
++ dctx->min_nonce, dctx->max_nonce);
++
++ if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) {
++ r = FIPS_R_ERROR_RETRIEVING_NONCE;
++ goto end;
++ }
++
++ }
++
++ if (!dctx->instantiate(dctx,
++ entropy, entlen, nonce, noncelen, pers, perslen)) {
++ r = FIPS_R_ERROR_INSTANTIATING_DRBG;
++ goto end;
++ }
++
++ dctx->status = DRBG_STATUS_READY;
++ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
++ dctx->reseed_counter = 1;
++
++ end:
++
++ if (entropy && dctx->cleanup_entropy)
++ fips_cleanup_entropy(dctx, entropy, entlen);
++
++ if (nonce && dctx->cleanup_nonce)
++ dctx->cleanup_nonce(dctx, nonce, noncelen);
++
++ if (dctx->status == DRBG_STATUS_READY)
++ return 1;
++
++ if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r);
++
++ return 0;
++
++}
++
++static int drbg_reseed(DRBG_CTX *dctx,
++ const unsigned char *adin, size_t adinlen, int hcheck)
++{
++ unsigned char *entropy = NULL;
++ size_t entlen = 0;
++ int r = 0;
++
++#if 0
++ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED);
++ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
++#endif
++ if (dctx->status != DRBG_STATUS_READY
++ && dctx->status != DRBG_STATUS_RESEED) {
++ if (dctx->status == DRBG_STATUS_ERROR)
++ r = FIPS_R_IN_ERROR_STATE;
++ else if (dctx->status == DRBG_STATUS_UNINITIALISED)
++ r = FIPS_R_NOT_INSTANTIATED;
++ goto end;
++ }
++
++ if (!adin)
++ adinlen = 0;
++ else if (adinlen > dctx->max_adin) {
++ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
++ goto end;
++ }
++
++ dctx->status = DRBG_STATUS_ERROR;
++ /* Peform health check on all reseed operations if not a prediction
++ * resistance request and not in test mode.
++ */
++ if (hcheck && !(dctx->xflags & DRBG_FLAG_TEST)) {
++ if (!FIPS_drbg_health_check(dctx)) {
++ r = FIPS_R_SELFTEST_FAILURE;
++ goto end;
++ }
++ }
++
++ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
++ dctx->min_entropy, dctx->max_entropy);
++
++ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
++ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
++ goto end;
++ }
++
++ if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen))
++ goto end;
++
++ dctx->status = DRBG_STATUS_READY;
++ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
++ dctx->reseed_counter = 1;
++ end:
++
++ if (entropy && dctx->cleanup_entropy)
++ fips_cleanup_entropy(dctx, entropy, entlen);
++
++ if (dctx->status == DRBG_STATUS_READY)
++ return 1;
++
++ if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
++ FIPSerr(FIPS_F_DRBG_RESEED, r);
++
++ return 0;
++}
++
++int FIPS_drbg_reseed(DRBG_CTX *dctx,
++ const unsigned char *adin, size_t adinlen)
++{
++ return drbg_reseed(dctx, adin, adinlen, 1);
++}
++
++static int fips_drbg_check(DRBG_CTX *dctx)
++{
++ if (dctx->xflags & DRBG_FLAG_TEST)
++ return 1;
++ dctx->health_check_cnt++;
++ if (dctx->health_check_cnt >= dctx->health_check_interval) {
++ if (!FIPS_drbg_health_check(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE);
++ return 0;
++ }
++ }
++ return 1;
++}
++
++int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
++ int prediction_resistance,
++ const unsigned char *adin, size_t adinlen)
++{
++ int r = 0;
++
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++
++ if (!fips_drbg_check(dctx))
++ return 0;
++
++ if (dctx->status != DRBG_STATUS_READY
++ && dctx->status != DRBG_STATUS_RESEED) {
++ if (dctx->status == DRBG_STATUS_ERROR)
++ r = FIPS_R_IN_ERROR_STATE;
++ else if (dctx->status == DRBG_STATUS_UNINITIALISED)
++ r = FIPS_R_NOT_INSTANTIATED;
++ goto end;
++ }
++
++ if (outlen > dctx->max_request) {
++ r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
++ return 0;
++ }
++
++ if (adinlen > dctx->max_adin) {
++ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
++ goto end;
++ }
++
++ if (dctx->iflags & DRBG_CUSTOM_RESEED)
++ dctx->generate(dctx, NULL, outlen, NULL, 0);
++ else if (dctx->reseed_counter >= dctx->reseed_interval)
++ dctx->status = DRBG_STATUS_RESEED;
++
++ if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) {
++ /* If prediction resistance request don't do health check */
++ int hcheck = prediction_resistance ? 0 : 1;
++
++ if (!drbg_reseed(dctx, adin, adinlen, hcheck)) {
++ r = FIPS_R_RESEED_ERROR;
++ goto end;
++ }
++ adin = NULL;
++ adinlen = 0;
++ }
++
++ if (!dctx->generate(dctx, out, outlen, adin, adinlen)) {
++ r = FIPS_R_GENERATE_ERROR;
++ dctx->status = DRBG_STATUS_ERROR;
++ goto end;
++ }
++ if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) {
++ if (dctx->reseed_counter >= dctx->reseed_interval)
++ dctx->status = DRBG_STATUS_RESEED;
++ else
++ dctx->reseed_counter++;
++ }
++
++ end:
++ if (r) {
++ if (!(dctx->iflags & DRBG_FLAG_NOERR))
++ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);
++ return 0;
++ }
++
++ return 1;
++}
++
++int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)
++{
++ int rv;
++ if (!dctx->uninstantiate)
++ rv = 1;
++ else
++ rv = dctx->uninstantiate(dctx);
++ /* Although we'd like to cleanse here we can't because we have to
++ * test the uninstantiate really zeroes the data.
++ */
++ memset(&dctx->d, 0, sizeof(dctx->d));
++ dctx->status = DRBG_STATUS_UNINITIALISED;
++ /* If method has problems uninstantiating, return error */
++ return rv;
++}
++
++int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
++ size_t (*get_entropy) (DRBG_CTX *ctx,
++ unsigned char **pout,
++ int entropy,
++ size_t min_len,
++ size_t max_len),
++ void (*cleanup_entropy) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen),
++ size_t entropy_blocklen,
++ size_t (*get_nonce) (DRBG_CTX *ctx,
++ unsigned char **pout,
++ int entropy, size_t min_len,
++ size_t max_len),
++ void (*cleanup_nonce) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen))
++{
++ if (dctx->status != DRBG_STATUS_UNINITIALISED)
++ return 0;
++ dctx->entropy_blocklen = entropy_blocklen;
++ dctx->get_entropy = get_entropy;
++ dctx->cleanup_entropy = cleanup_entropy;
++ dctx->get_nonce = get_nonce;
++ dctx->cleanup_nonce = cleanup_nonce;
++ return 1;
++}
++
++int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
++ size_t (*get_adin) (DRBG_CTX *ctx,
++ unsigned char **pout),
++ void (*cleanup_adin) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen),
++ int (*rand_seed_cb) (DRBG_CTX *ctx,
++ const void *buf,
++ int num),
++ int (*rand_add_cb) (DRBG_CTX *ctx,
++ const void *buf, int num,
++ double entropy))
++{
++ if (dctx->status != DRBG_STATUS_UNINITIALISED)
++ return 0;
++ dctx->get_adin = get_adin;
++ dctx->cleanup_adin = cleanup_adin;
++ dctx->rand_seed_cb = rand_seed_cb;
++ dctx->rand_add_cb = rand_add_cb;
++ return 1;
++}
++
++void *FIPS_drbg_get_app_data(DRBG_CTX *dctx)
++{
++ return dctx->app_data;
++}
++
++void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data)
++{
++ dctx->app_data = app_data;
++}
++
++size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)
++{
++ return dctx->blocklength;
++}
++
++int FIPS_drbg_get_strength(DRBG_CTX *dctx)
++{
++ return dctx->strength;
++}
++
++void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval)
++{
++ dctx->health_check_interval = interval;
++}
++
++void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval)
++{
++ dctx->reseed_interval = interval;
++}
++
++static int drbg_stick = 0;
++
++void FIPS_drbg_stick(int onoff)
++{
++ drbg_stick = onoff;
++}
++
++/* Continuous DRBG utility function */
++int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out)
++{
++ /* No CPRNG in test mode */
++ if (dctx->xflags & DRBG_FLAG_TEST)
++ return 1;
++ /* Check block is valid: should never happen */
++ if (dctx->lb_valid == 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_INTERNAL_ERROR);
++ fips_set_selftest_fail();
++ return 0;
++ }
++ if (drbg_stick)
++ memcpy(dctx->lb, out, dctx->blocklength);
++ /* Check against last block: fail if match */
++ if (!memcmp(dctx->lb, out, dctx->blocklength)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_CPRNG_TEST, FIPS_R_DRBG_STUCK);
++ fips_set_selftest_fail();
++ return 0;
++ }
++ /* Save last block for next comparison */
++ memcpy(dctx->lb, out, dctx->blocklength);
++ return 1;
++}
+diff -up openssl-1.0.2c/crypto/fips/fips_drbg_rand.c.fips openssl-1.0.2c/crypto/fips/fips_drbg_rand.c
+--- openssl-1.0.2c/crypto/fips/fips_drbg_rand.c.fips 2015-06-15 17:30:00.007283959 +0200
++++ openssl-1.0.2c/crypto/fips/fips_drbg_rand.c 2015-06-15 17:30:00.007283959 +0200
+@@ -0,0 +1,166 @@
++/* fips/rand/fips_drbg_rand.c */
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/err.h>
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++
++/* Mapping of SP800-90 DRBGs to OpenSSL RAND_METHOD */
++
++/* Since we only have one global PRNG used at any time in OpenSSL use a global
++ * variable to store context.
++ */
++
++static DRBG_CTX ossl_dctx;
++
++DRBG_CTX *FIPS_get_default_drbg(void)
++{
++ return &ossl_dctx;
++}
++
++static int fips_drbg_bytes(unsigned char *out, int count)
++{
++ DRBG_CTX *dctx = &ossl_dctx;
++ int rv = 0;
++ unsigned char *adin = NULL;
++ size_t adinlen = 0;
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ do {
++ size_t rcnt;
++ if (count > (int)dctx->max_request)
++ rcnt = dctx->max_request;
++ else
++ rcnt = count;
++ if (dctx->get_adin) {
++ adinlen = dctx->get_adin(dctx, &adin);
++ if (adinlen && !adin) {
++ FIPSerr(FIPS_F_FIPS_DRBG_BYTES,
++ FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT);
++ goto err;
++ }
++ }
++ rv = FIPS_drbg_generate(dctx, out, rcnt, 0, adin, adinlen);
++ if (adin) {
++ if (dctx->cleanup_adin)
++ dctx->cleanup_adin(dctx, adin, adinlen);
++ adin = NULL;
++ }
++ if (!rv)
++ goto err;
++ out += rcnt;
++ count -= rcnt;
++ }
++ while (count);
++ rv = 1;
++ err:
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++ return rv;
++}
++
++static int fips_drbg_pseudo(unsigned char *out, int count)
++{
++ if (fips_drbg_bytes(out, count) <= 0)
++ return -1;
++ return 1;
++}
++
++static int fips_drbg_status(void)
++{
++ DRBG_CTX *dctx = &ossl_dctx;
++ int rv;
++ CRYPTO_r_lock(CRYPTO_LOCK_RAND);
++ rv = dctx->status == DRBG_STATUS_READY ? 1 : 0;
++ CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
++ return rv;
++}
++
++static void fips_drbg_cleanup(void)
++{
++ DRBG_CTX *dctx = &ossl_dctx;
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ FIPS_drbg_uninstantiate(dctx);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++}
++
++static int fips_drbg_seed(const void *seed, int seedlen)
++{
++ DRBG_CTX *dctx = &ossl_dctx;
++ if (dctx->rand_seed_cb)
++ return dctx->rand_seed_cb(dctx, seed, seedlen);
++ return 1;
++}
++
++static int fips_drbg_add(const void *seed, int seedlen, double add_entropy)
++{
++ DRBG_CTX *dctx = &ossl_dctx;
++ if (dctx->rand_add_cb)
++ return dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
++ return 1;
++}
++
++static const RAND_METHOD rand_drbg_meth = {
++ fips_drbg_seed,
++ fips_drbg_bytes,
++ fips_drbg_cleanup,
++ fips_drbg_add,
++ fips_drbg_pseudo,
++ fips_drbg_status
++};
++
++const RAND_METHOD *FIPS_drbg_method(void)
++{
++ return &rand_drbg_meth;
++}
+diff -up openssl-1.0.2c/crypto/fips/fips_drbg_selftest.c.fips openssl-1.0.2c/crypto/fips/fips_drbg_selftest.c
+--- openssl-1.0.2c/crypto/fips/fips_drbg_selftest.c.fips 2015-06-15 17:30:00.007283959 +0200
++++ openssl-1.0.2c/crypto/fips/fips_drbg_selftest.c 2015-06-15 17:30:00.007283959 +0200
+@@ -0,0 +1,827 @@
++/* fips/rand/fips_drbg_selftest.c */
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/err.h>
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++#include "fips_locl.h"
++
++#include "fips_drbg_selftest.h"
++
++typedef struct {
++ int post;
++ int nid;
++ unsigned int flags;
++
++ /* KAT data for no PR */
++ const unsigned char *ent;
++ size_t entlen;
++ const unsigned char *nonce;
++ size_t noncelen;
++ const unsigned char *pers;
++ size_t perslen;
++ const unsigned char *adin;
++ size_t adinlen;
++ const unsigned char *entreseed;
++ size_t entreseedlen;
++ const unsigned char *adinreseed;
++ size_t adinreseedlen;
++ const unsigned char *adin2;
++ size_t adin2len;
++ const unsigned char *kat;
++ size_t katlen;
++ const unsigned char *kat2;
++ size_t kat2len;
++
++ /* KAT data for PR */
++ const unsigned char *ent_pr;
++ size_t entlen_pr;
++ const unsigned char *nonce_pr;
++ size_t noncelen_pr;
++ const unsigned char *pers_pr;
++ size_t perslen_pr;
++ const unsigned char *adin_pr;
++ size_t adinlen_pr;
++ const unsigned char *entpr_pr;
++ size_t entprlen_pr;
++ const unsigned char *ading_pr;
++ size_t adinglen_pr;
++ const unsigned char *entg_pr;
++ size_t entglen_pr;
++ const unsigned char *kat_pr;
++ size_t katlen_pr;
++ const unsigned char *kat2_pr;
++ size_t kat2len_pr;
++
++} DRBG_SELFTEST_DATA;
++
++#define make_drbg_test_data(nid, flag, pr, p) {p, nid, flag | DRBG_FLAG_TEST, \
++ pr##_entropyinput, sizeof(pr##_entropyinput), \
++ pr##_nonce, sizeof(pr##_nonce), \
++ pr##_personalizationstring, sizeof(pr##_personalizationstring), \
++ pr##_additionalinput, sizeof(pr##_additionalinput), \
++ pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
++ pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
++ pr##_additionalinput2, sizeof(pr##_additionalinput2), \
++ pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
++ pr##_returnedbits, sizeof(pr##_returnedbits), \
++ pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
++ pr##_pr_nonce, sizeof(pr##_pr_nonce), \
++ pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
++ pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
++ pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
++ pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
++ pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
++ pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
++ pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits), \
++ }
++
++#define make_drbg_test_data_df(nid, pr, p) \
++ make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr, p)
++
++#define make_drbg_test_data_ec(curve, md, pr, p) \
++ make_drbg_test_data((curve << 16) | md , 0, pr, p)
++
++static DRBG_SELFTEST_DATA drbg_test[] = {
++ make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0),
++ make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0),
++ make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1),
++ make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df, 0),
++ make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df, 0),
++ make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df, 1),
++ make_drbg_test_data(NID_sha1, 0, sha1, 0),
++ make_drbg_test_data(NID_sha224, 0, sha224, 0),
++ make_drbg_test_data(NID_sha256, 0, sha256, 1),
++ make_drbg_test_data(NID_sha384, 0, sha384, 0),
++ make_drbg_test_data(NID_sha512, 0, sha512, 0),
++ make_drbg_test_data(NID_hmacWithSHA1, 0, hmac_sha1, 0),
++ make_drbg_test_data(NID_hmacWithSHA224, 0, hmac_sha224, 0),
++ make_drbg_test_data(NID_hmacWithSHA256, 0, hmac_sha256, 1),
++ make_drbg_test_data(NID_hmacWithSHA384, 0, hmac_sha384, 0),
++ make_drbg_test_data(NID_hmacWithSHA512, 0, hmac_sha512, 0),
++ {0, 0, 0}
++};
++
++typedef struct {
++ const unsigned char *ent;
++ size_t entlen;
++ int entcnt;
++ const unsigned char *nonce;
++ size_t noncelen;
++ int noncecnt;
++} TEST_ENT;
++
++static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len)
++{
++ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
++ *pout = (unsigned char *)t->ent;
++ t->entcnt++;
++ return t->entlen;
++}
++
++static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len)
++{
++ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
++ *pout = (unsigned char *)t->nonce;
++ t->noncecnt++;
++ return t->noncelen;
++}
++
++static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td,
++ int quick)
++{
++ TEST_ENT t;
++ int rv = 0;
++ size_t adinlen;
++ unsigned char randout[1024];
++
++ /* Initial test without PR */
++
++ /* Instantiate DRBG with test entropy, nonce and personalisation
++ * string.
++ */
++
++ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
++ return 0;
++ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
++ return 0;
++
++ FIPS_drbg_set_app_data(dctx, &t);
++
++ t.ent = td->ent;
++ t.entlen = td->entlen;
++ t.nonce = td->nonce;
++ t.noncelen = td->noncelen;
++ t.entcnt = 0;
++ t.noncecnt = 0;
++
++ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
++ goto err;
++
++ /* Note for CTR without DF some additional input values
++ * ignore bytes after the keylength: so reduce adinlen
++ * to half to ensure invalid data is fed in.
++ */
++ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
++ adinlen = td->adinlen / 2;
++ else
++ adinlen = td->adinlen;
++
++ /* Generate with no PR and verify output matches expected data */
++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, td->adin, adinlen))
++ goto err;
++
++ if (memcmp(randout, td->kat, td->katlen)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST1_FAILURE);
++ goto err2;
++ }
++ /* If abbreviated POST end of test */
++ if (quick) {
++ rv = 1;
++ goto err;
++ }
++ /* Reseed DRBG with test entropy and additional input */
++ t.ent = td->entreseed;
++ t.entlen = td->entreseedlen;
++
++ if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen))
++ goto err;
++
++ /* Generate with no PR and verify output matches expected data */
++ if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0,
++ td->adin2, td->adin2len))
++ goto err;
++
++ if (memcmp(randout, td->kat2, td->kat2len)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST2_FAILURE);
++ goto err2;
++ }
++
++ FIPS_drbg_uninstantiate(dctx);
++
++ /* Now test with PR */
++
++ /* Instantiate DRBG with test entropy, nonce and personalisation
++ * string.
++ */
++ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
++ return 0;
++ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
++ return 0;
++
++ FIPS_drbg_set_app_data(dctx, &t);
++
++ t.ent = td->ent_pr;
++ t.entlen = td->entlen_pr;
++ t.nonce = td->nonce_pr;
++ t.noncelen = td->noncelen_pr;
++ t.entcnt = 0;
++ t.noncecnt = 0;
++
++ if (!FIPS_drbg_instantiate(dctx, td->pers_pr, td->perslen_pr))
++ goto err;
++
++ /* Now generate with PR: we need to supply entropy as this will
++ * perform a reseed operation. Check output matches expected value.
++ */
++
++ t.ent = td->entpr_pr;
++ t.entlen = td->entprlen_pr;
++
++ /* Note for CTR without DF some additional input values
++ * ignore bytes after the keylength: so reduce adinlen
++ * to half to ensure invalid data is fed in.
++ */
++ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
++ adinlen = td->adinlen_pr / 2;
++ else
++ adinlen = td->adinlen_pr;
++ if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 1,
++ td->adin_pr, adinlen))
++ goto err;
++
++ if (memcmp(randout, td->kat_pr, td->katlen_pr)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST1_FAILURE);
++ goto err2;
++ }
++
++ /* Now generate again with PR: supply new entropy again.
++ * Check output matches expected value.
++ */
++
++ t.ent = td->entg_pr;
++ t.entlen = td->entglen_pr;
++
++ if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 1,
++ td->ading_pr, td->adinglen_pr))
++ goto err;
++
++ if (memcmp(randout, td->kat2_pr, td->kat2len_pr)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST2_FAILURE);
++ goto err2;
++ }
++ /* All OK, test complete */
++ rv = 1;
++
++ err:
++ if (rv == 0)
++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED);
++ err2:
++ FIPS_drbg_uninstantiate(dctx);
++
++ return rv;
++
++}
++
++/* Initialise a DRBG based on selftest data */
++
++static int do_drbg_init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, TEST_ENT * t)
++{
++
++ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
++ return 0;
++
++ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
++ return 0;
++
++ FIPS_drbg_set_app_data(dctx, t);
++
++ t->ent = td->ent;
++ t->entlen = td->entlen;
++ t->nonce = td->nonce;
++ t->noncelen = td->noncelen;
++ t->entcnt = 0;
++ t->noncecnt = 0;
++ return 1;
++}
++
++/* Initialise and instantiate DRBG based on selftest data */
++static int do_drbg_instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td,
++ TEST_ENT * t)
++{
++ if (!do_drbg_init(dctx, td, t))
++ return 0;
++ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
++ return 0;
++
++ return 1;
++}
++
++/* This function performs extensive error checking as required by SP800-90.
++ * Induce several failure modes and check an error condition is set.
++ * This function along with fips_drbg_single_kat peforms the health checking
++ * operation.
++ */
++
++static int fips_drbg_error_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td)
++{
++ unsigned char randout[1024];
++ TEST_ENT t;
++ size_t i;
++ unsigned int reseed_counter_tmp;
++ unsigned char *p = (unsigned char *)dctx;
++
++ /* Initialise DRBG */
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ /* Don't report induced errors */
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ /* Personalisation string tests */
++
++ /* Test detection of too large personlisation string */
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_PERSONALISATION_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ /* Entropy source tests */
++
++ /* Test entropy source failure detecion: i.e. returns no data */
++
++ t.entlen = 0;
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ /* Try to generate output from uninstantiated DRBG */
++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++ td->adin, td->adinlen)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_GENERATE_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ /* Test insufficient entropy */
++
++ t.entlen = dctx->min_entropy - 1;
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Test too much entropy */
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ t.entlen = dctx->max_entropy + 1;
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Nonce tests */
++
++ /* Test too small nonce */
++
++ if (dctx->min_nonce) {
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ t.noncelen = dctx->min_nonce - 1;
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_NONCE_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ }
++
++ /* Test too large nonce */
++
++ if (dctx->max_nonce) {
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ t.noncelen = dctx->max_nonce + 1;
++
++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_NONCE_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ }
++
++ /* Instantiate with valid data. */
++ if (!do_drbg_instantiate(dctx, td, &t))
++ goto err;
++
++ /* Check generation is now OK */
++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++ td->adin, td->adinlen))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ /* Request too much data for one request */
++ if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0,
++ td->adin, td->adinlen)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ /* Try too large additional input */
++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++ td->adin, dctx->max_adin + 1)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ /* Check prediction resistance request fails if entropy source
++ * failure.
++ */
++
++ t.entlen = 0;
++
++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
++ td->adin, td->adinlen)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Instantiate again with valid data */
++
++ if (!do_drbg_instantiate(dctx, td, &t))
++ goto err;
++ /* Test reseed counter works */
++ /* Save initial reseed counter */
++ reseed_counter_tmp = dctx->reseed_counter;
++ /* Set reseed counter to beyond interval */
++ dctx->reseed_counter = dctx->reseed_interval;
++
++ /* Generate output and check entropy has been requested for reseed */
++ t.entcnt = 0;
++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++ td->adin, td->adinlen))
++ goto err;
++ if (t.entcnt != 1) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
++ goto err;
++ }
++ /* Check reseed counter has been reset */
++ if (dctx->reseed_counter != reseed_counter_tmp + 1) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Check prediction resistance request fails if entropy source
++ * failure.
++ */
++
++ t.entlen = 0;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
++ td->adin, td->adinlen)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ if (!do_drbg_instantiate(dctx, td, &t))
++ goto err;
++ /* Test reseed counter works */
++ /* Save initial reseed counter */
++ reseed_counter_tmp = dctx->reseed_counter;
++ /* Set reseed counter to beyond interval */
++ dctx->reseed_counter = dctx->reseed_interval;
++
++ /* Generate output and check entropy has been requested for reseed */
++ t.entcnt = 0;
++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++ td->adin, td->adinlen))
++ goto err;
++ if (t.entcnt != 1) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
++ goto err;
++ }
++ /* Check reseed counter has been reset */
++ if (dctx->reseed_counter != reseed_counter_tmp + 1) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
++ goto err;
++ }
++
++ dctx->iflags &= ~DRBG_FLAG_NOERR;
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Explicit reseed tests */
++
++ /* Test explicit reseed with too large additional input */
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ if (FIPS_drbg_reseed(dctx, td->adin, dctx->max_adin + 1) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ /* Test explicit reseed with entropy source failure */
++
++ t.entlen = 0;
++
++ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Test explicit reseed with too much entropy */
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ t.entlen = dctx->max_entropy + 1;
++
++ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ /* Test explicit reseed with too little entropy */
++
++ if (!do_drbg_init(dctx, td, &t))
++ goto err;
++
++ dctx->iflags |= DRBG_FLAG_NOERR;
++
++ t.entlen = dctx->min_entropy - 1;
++
++ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_ENTROPY_ERROR_UNDETECTED);
++ goto err;
++ }
++
++ if (!FIPS_drbg_uninstantiate(dctx)) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++ goto err;
++ }
++
++ p = (unsigned char *)&dctx->d;
++ /* Standard says we have to check uninstantiate really zeroes
++ * the data...
++ */
++ for (i = 0; i < sizeof(dctx->d); i++) {
++ if (*p != 0) {
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++ FIPS_R_UNINSTANTIATE_ZEROISE_ERROR);
++ goto err;
++ }
++ p++;
++ }
++
++ return 1;
++
++ err:
++ /* A real error as opposed to an induced one: underlying function will
++ * indicate the error.
++ */
++ if (!(dctx->iflags & DRBG_FLAG_NOERR))
++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_FUNCTION_ERROR);
++ FIPS_drbg_uninstantiate(dctx);
++ return 0;
++
++}
++
++int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags)
++{
++ DRBG_SELFTEST_DATA *td;
++ flags |= DRBG_FLAG_TEST;
++ for (td = drbg_test; td->nid != 0; td++) {
++ if (td->nid == nid && td->flags == flags) {
++ if (!fips_drbg_single_kat(dctx, td, 0))
++ return 0;
++ return fips_drbg_error_check(dctx, td);
++ }
++ }
++ return 0;
++}
++
++int FIPS_drbg_health_check(DRBG_CTX *dctx)
++{
++ int rv;
++ DRBG_CTX *tctx = NULL;
++ tctx = FIPS_drbg_new(0, 0);
++ fips_post_started(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
++ if (!tctx)
++ return 0;
++ rv = fips_drbg_kat(tctx, dctx->type, dctx->xflags);
++ if (tctx)
++ FIPS_drbg_free(tctx);
++ if (rv)
++ fips_post_success(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
++ else
++ fips_post_failed(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
++ if (!rv)
++ dctx->status = DRBG_STATUS_ERROR;
++ else
++ dctx->health_check_cnt = 0;
++ return rv;
++}
++
++int FIPS_selftest_drbg(void)
++{
++ DRBG_CTX *dctx;
++ DRBG_SELFTEST_DATA *td;
++ int rv = 1;
++ dctx = FIPS_drbg_new(0, 0);
++ if (!dctx)
++ return 0;
++ for (td = drbg_test; td->nid != 0; td++) {
++ if (td->post != 1)
++ continue;
++ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
++ return 1;
++ if (!fips_drbg_single_kat(dctx, td, 1)) {
++ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
++ rv = 0;
++ continue;
++ }
++ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
++ return 0;
++ }
++ FIPS_drbg_free(dctx);
++ return rv;
++}
++
++int FIPS_selftest_drbg_all(void)
++{
++ DRBG_CTX *dctx;
++ DRBG_SELFTEST_DATA *td;
++ int rv = 1;
++ dctx = FIPS_drbg_new(0, 0);
++ if (!dctx)
++ return 0;
++ for (td = drbg_test; td->nid != 0; td++) {
++ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
++ return 1;
++ if (!fips_drbg_single_kat(dctx, td, 0)) {
++ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
++ rv = 0;
++ continue;
++ }
++ if (!fips_drbg_error_check(dctx, td)) {
++ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
++ rv = 0;
++ continue;
++ }
++ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
++ return 0;
++ }
++ FIPS_drbg_free(dctx);
++ return rv;
++}
+diff -up openssl-1.0.2c/crypto/fips/fips_drbg_selftest.h.fips openssl-1.0.2c/crypto/fips/fips_drbg_selftest.h
+--- openssl-1.0.2c/crypto/fips/fips_drbg_selftest.h.fips 2015-06-15 17:30:00.008283982 +0200
++++ openssl-1.0.2c/crypto/fips/fips_drbg_selftest.h 2015-06-15 17:30:00.008283982 +0200
+@@ -0,0 +1,1791 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++/* Selftest and health check data for the SP800-90 DRBG */
++
++#define __fips_constseg
++
++/* AES-128 use df PR */
++__fips_constseg static const unsigned char aes_128_use_df_pr_entropyinput[] = {
++ 0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33,
++ 0xc8, 0xdb, 0xff, 0x12
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_pr_nonce[] = {
++ 0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_personalizationstring[] = {
++ 0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe,
++ 0xd7, 0xd7, 0x01, 0x67
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_additionalinput[] = {
++ 0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e,
++ 0x9a, 0x47, 0x08, 0x76
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_entropyinputpr[] = {
++ 0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51,
++ 0x09, 0xfb, 0xa3, 0xb6
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_int_returnedbits[] = {
++ 0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52,
++ 0x66, 0x1c, 0xea, 0x5b
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_additionalinput2[] = {
++ 0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11,
++ 0x3f, 0x5e, 0x31, 0x06
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = {
++ 0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae,
++ 0xa7, 0xe3, 0xa8, 0x67
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_pr_returnedbits[] = {
++ 0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24,
++ 0x0f, 0x38, 0x43, 0xc6
++};
++
++/* AES-128 use df No PR */
++__fips_constseg static const unsigned char aes_128_use_df_entropyinput[] = {
++ 0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3,
++ 0x9d, 0x7d, 0x1c, 0x9b
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_nonce[] = {
++ 0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_personalizationstring[] = {
++ 0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3,
++ 0x38, 0x66, 0xba, 0x1b
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_additionalinput[] = {
++ 0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46,
++ 0xb5, 0xe2, 0xb2, 0x41
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_int_returnedbits[] = {
++ 0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67,
++ 0xe7, 0x57, 0x11, 0xb4
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_entropyinputreseed[] = {
++ 0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b,
++ 0xc7, 0xc4, 0x9e, 0x39
++};
++
++__fips_constseg
++ static const unsigned char aes_128_use_df_additionalinputreseed[] = {
++ 0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a,
++ 0xc8, 0x93, 0xfa, 0x84
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_additionalinput2[] = {
++ 0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5,
++ 0x06, 0x0c, 0x15, 0x2c
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_returnedbits[] = {
++ 0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88,
++ 0x46, 0x81, 0xc7, 0x19
++};
++
++/* AES-192 use df PR */
++__fips_constseg static const unsigned char aes_192_use_df_pr_entropyinput[] = {
++ 0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec,
++ 0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_pr_nonce[] = {
++ 0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0,
++ 0xd1, 0x80, 0x78, 0xfa
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_personalizationstring[] = {
++ 0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16,
++ 0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5,
++ 0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_additionalinput[] = {
++ 0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac,
++ 0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb,
++ 0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_entropyinputpr[] = {
++ 0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5,
++ 0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_int_returnedbits[] = {
++ 0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9,
++ 0x19, 0x30, 0x6b, 0x67
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_additionalinput2[] = {
++ 0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32,
++ 0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda,
++ 0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = {
++ 0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0,
++ 0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_pr_returnedbits[] = {
++ 0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c,
++ 0x7e, 0x1a, 0x2b, 0x83
++};
++
++/* AES-192 use df No PR */
++__fips_constseg static const unsigned char aes_192_use_df_entropyinput[] = {
++ 0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82,
++ 0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_nonce[] = {
++ 0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d,
++ 0x77, 0xd7, 0x41, 0x0e
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_personalizationstring[] = {
++ 0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf,
++ 0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65,
++ 0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_additionalinput[] = {
++ 0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69,
++ 0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22,
++ 0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_int_returnedbits[] = {
++ 0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6,
++ 0xb7, 0xed, 0xe9, 0xea
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_entropyinputreseed[] = {
++ 0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02,
++ 0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01
++};
++
++__fips_constseg
++ static const unsigned char aes_192_use_df_additionalinputreseed[] = {
++ 0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76,
++ 0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77,
++ 0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_additionalinput2[] = {
++ 0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e,
++ 0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0,
++ 0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_returnedbits[] = {
++ 0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58,
++ 0x1a, 0xf9, 0x13, 0x28
++};
++
++/* AES-256 use df PR */
++__fips_constseg static const unsigned char aes_256_use_df_pr_entropyinput[] = {
++ 0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74,
++ 0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f,
++ 0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_pr_nonce[] = {
++ 0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33,
++ 0x2b, 0x36, 0xff, 0xa4
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_personalizationstring[] = {
++ 0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24,
++ 0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83,
++ 0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_additionalinput[] = {
++ 0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0,
++ 0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3,
++ 0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_entropyinputpr[] = {
++ 0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77,
++ 0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54,
++ 0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_int_returnedbits[] = {
++ 0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7,
++ 0x17, 0xab, 0x3c, 0x7a
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_additionalinput2[] = {
++ 0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00,
++ 0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78,
++ 0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = {
++ 0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73,
++ 0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8,
++ 0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_pr_returnedbits[] = {
++ 0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0,
++ 0xd9, 0xe2, 0x97, 0x00
++};
++
++/* AES-256 use df No PR */
++__fips_constseg static const unsigned char aes_256_use_df_entropyinput[] = {
++ 0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50,
++ 0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68,
++ 0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_nonce[] = {
++ 0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a,
++ 0x4c, 0x44, 0x84, 0x40
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_personalizationstring[] = {
++ 0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05,
++ 0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b,
++ 0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_additionalinput[] = {
++ 0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f,
++ 0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf,
++ 0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_int_returnedbits[] = {
++ 0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1,
++ 0x28, 0x0c, 0x3b, 0xc1
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_entropyinputreseed[] = {
++ 0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76,
++ 0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46,
++ 0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e
++};
++
++__fips_constseg
++ static const unsigned char aes_256_use_df_additionalinputreseed[] = {
++ 0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99,
++ 0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75,
++ 0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_additionalinput2[] = {
++ 0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d,
++ 0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a,
++ 0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_returnedbits[] = {
++ 0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad,
++ 0xfa, 0xfd, 0x35, 0x5e
++};
++
++/* AES-128 no df PR */
++__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinput[] = {
++ 0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4,
++ 0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf,
++ 0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_pr_nonce[] = {
++ 0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_pr_personalizationstring[] = {
++ 0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c,
++ 0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c,
++ 0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_pr_additionalinput[] = {
++ 0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02,
++ 0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73,
++ 0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinputpr[] = {
++ 0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a,
++ 0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7,
++ 0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_pr_int_returnedbits[] = {
++ 0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71,
++ 0xaf, 0x19, 0x32, 0x16
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_pr_additionalinput2[] = {
++ 0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f,
++ 0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83,
++ 0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = {
++ 0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a,
++ 0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07,
++ 0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_pr_returnedbits[] = {
++ 0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33,
++ 0x57, 0x82, 0x33, 0xaf
++};
++
++/* AES-128 no df No PR */
++__fips_constseg static const unsigned char aes_128_no_df_entropyinput[] = {
++ 0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67,
++ 0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42,
++ 0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_nonce[] = {
++ 0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_personalizationstring[] = {
++ 0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb,
++ 0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b,
++ 0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_additionalinput[] = {
++ 0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37,
++ 0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24,
++ 0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_int_returnedbits[] = {
++ 0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6,
++ 0xed, 0x3e, 0x65, 0xc2
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_entropyinputreseed[] = {
++ 0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66,
++ 0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1,
++ 0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00
++};
++
++__fips_constseg
++ static const unsigned char aes_128_no_df_additionalinputreseed[] = {
++ 0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2,
++ 0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4,
++ 0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_additionalinput2[] = {
++ 0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f,
++ 0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac,
++ 0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_returnedbits[] = {
++ 0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36,
++ 0x81, 0x37, 0x19, 0xd4
++};
++
++/* AES-192 no df PR */
++__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinput[] = {
++ 0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7,
++ 0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61,
++ 0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a,
++ 0x17, 0x1f, 0x8d, 0x9a
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_pr_nonce[] = {
++ 0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19,
++ 0x61, 0x5c, 0xee, 0x0f
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_pr_personalizationstring[] = {
++ 0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1,
++ 0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4,
++ 0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10,
++ 0x57, 0x2e, 0xe7, 0x55
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_pr_additionalinput[] = {
++ 0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad,
++ 0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85,
++ 0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f,
++ 0xe2, 0xd0, 0x0c, 0x2f
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinputpr[] = {
++ 0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94,
++ 0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb,
++ 0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58,
++ 0x1d, 0x30, 0xb3, 0x78
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_pr_int_returnedbits[] = {
++ 0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40,
++ 0x7e, 0x3e, 0x0c, 0x26
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_pr_additionalinput2[] = {
++ 0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a,
++ 0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57,
++ 0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee,
++ 0x0c, 0x4b, 0xee, 0x6e
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = {
++ 0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0,
++ 0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f,
++ 0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b,
++ 0x8e, 0x0a, 0x83, 0xdf
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_pr_returnedbits[] = {
++ 0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91,
++ 0xb9, 0xa1, 0x21, 0x68
++};
++
++/* AES-192 no df No PR */
++__fips_constseg static const unsigned char aes_192_no_df_entropyinput[] = {
++ 0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e,
++ 0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe,
++ 0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28,
++ 0x94, 0xc3, 0x59, 0x63
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_nonce[] = {
++ 0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb,
++ 0x29, 0xfd, 0x45, 0x71
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_personalizationstring[] = {
++ 0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08,
++ 0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96,
++ 0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b,
++ 0x3b, 0x88, 0xce, 0x35
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_additionalinput[] = {
++ 0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b,
++ 0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71,
++ 0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3,
++ 0x3e, 0xbe, 0xd4, 0x8e
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_int_returnedbits[] = {
++ 0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a,
++ 0x45, 0xe7, 0x4a, 0xc5
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_entropyinputreseed[] = {
++ 0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e,
++ 0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1,
++ 0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33,
++ 0x9b, 0xcb, 0x7e, 0x75
++};
++
++__fips_constseg
++ static const unsigned char aes_192_no_df_additionalinputreseed[] = {
++ 0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01,
++ 0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27,
++ 0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40,
++ 0x5d, 0x7a, 0x25, 0x79
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_additionalinput2[] = {
++ 0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71,
++ 0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5,
++ 0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a,
++ 0x91, 0x6a, 0xe3, 0x5f
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_returnedbits[] = {
++ 0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8,
++ 0x66, 0x67, 0x2c, 0x92
++};
++
++/* AES-256 no df PR */
++__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinput[] = {
++ 0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8,
++ 0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2,
++ 0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03,
++ 0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_pr_nonce[] = {
++ 0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30,
++ 0xcc, 0x4b, 0xee, 0x2e
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_pr_personalizationstring[] = {
++ 0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7,
++ 0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b,
++ 0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac,
++ 0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_pr_additionalinput[] = {
++ 0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40,
++ 0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c,
++ 0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69,
++ 0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinputpr[] = {
++ 0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16,
++ 0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc,
++ 0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9,
++ 0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_pr_int_returnedbits[] = {
++ 0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56,
++ 0x79, 0x60, 0x93, 0xcf
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_pr_additionalinput2[] = {
++ 0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a,
++ 0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35,
++ 0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34,
++ 0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = {
++ 0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3,
++ 0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa,
++ 0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83,
++ 0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_pr_returnedbits[] = {
++ 0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7,
++ 0x2d, 0x5f, 0x4a, 0x46
++};
++
++/* AES-256 no df No PR */
++__fips_constseg static const unsigned char aes_256_no_df_entropyinput[] = {
++ 0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3,
++ 0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb,
++ 0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96,
++ 0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_nonce[] = {
++ 0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99,
++ 0x43, 0x96, 0xb9, 0xf0
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_personalizationstring[] = {
++ 0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60,
++ 0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc,
++ 0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f,
++ 0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_additionalinput[] = {
++ 0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6,
++ 0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9,
++ 0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed,
++ 0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_int_returnedbits[] = {
++ 0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6,
++ 0xd2, 0x25, 0x75, 0x0e
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_entropyinputreseed[] = {
++ 0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b,
++ 0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5,
++ 0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed,
++ 0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb
++};
++
++__fips_constseg
++ static const unsigned char aes_256_no_df_additionalinputreseed[] = {
++ 0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e,
++ 0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18,
++ 0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b,
++ 0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_additionalinput2[] = {
++ 0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe,
++ 0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42,
++ 0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba,
++ 0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_returnedbits[] = {
++ 0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67,
++ 0xf6, 0x02, 0x32, 0xe2
++};
++
++/* SHA-1 PR */
++__fips_constseg static const unsigned char sha1_pr_entropyinput[] = {
++ 0xd2, 0x36, 0xa5, 0x27, 0x31, 0x73, 0xdd, 0x11, 0x4f, 0x93, 0xbd, 0xe2,
++ 0x31, 0xa5, 0x91, 0x13
++};
++
++__fips_constseg static const unsigned char sha1_pr_nonce[] = {
++ 0xb5, 0xb3, 0x60, 0xef, 0xf7, 0x63, 0x31, 0xf3
++};
++
++__fips_constseg static const unsigned char sha1_pr_personalizationstring[] = {
++ 0xd4, 0xbb, 0x02, 0x10, 0xb2, 0x71, 0xdb, 0x81, 0xd6, 0xf0, 0x42, 0x60,
++ 0xda, 0xea, 0x77, 0x52
++};
++
++__fips_constseg static const unsigned char sha1_pr_additionalinput[] = {
++ 0x4d, 0xd2, 0x6c, 0x87, 0xfb, 0x2c, 0x4f, 0xa6, 0x8d, 0x16, 0x63, 0x22,
++ 0x6a, 0x51, 0xe3, 0xf8
++};
++
++__fips_constseg static const unsigned char sha1_pr_entropyinputpr[] = {
++ 0xc9, 0x83, 0x9e, 0x16, 0xf6, 0x1c, 0x0f, 0xb2, 0xec, 0x60, 0x31, 0xa9,
++ 0xcb, 0xa9, 0x36, 0x7a
++};
++
++__fips_constseg static const unsigned char sha1_pr_int_returnedbits[] = {
++ 0xa8, 0x13, 0x4f, 0xf4, 0x31, 0x02, 0x44, 0xe3, 0xd3, 0x3d, 0x61, 0x9e,
++ 0xe5, 0xc6, 0x3e, 0x89, 0xb5, 0x9b, 0x0f, 0x35
++};
++
++__fips_constseg static const unsigned char sha1_pr_additionalinput2[] = {
++ 0xf9, 0xe8, 0xd2, 0x72, 0x13, 0x34, 0x95, 0x6f, 0x15, 0x49, 0x47, 0x99,
++ 0x16, 0x03, 0x19, 0x47
++};
++
++__fips_constseg static const unsigned char sha1_pr_entropyinputpr2[] = {
++ 0x4e, 0x8c, 0x49, 0x9b, 0x4a, 0x5c, 0x9b, 0x9c, 0x3a, 0xee, 0xfb, 0xd2,
++ 0xae, 0xcd, 0x8c, 0xc4
++};
++
++__fips_constseg static const unsigned char sha1_pr_returnedbits[] = {
++ 0x50, 0xb4, 0xb4, 0xcd, 0x68, 0x57, 0xfc, 0x2e, 0xc1, 0x52, 0xcc, 0xf6,
++ 0x68, 0xa4, 0x81, 0xed, 0x7e, 0xe4, 0x1d, 0x87
++};
++
++/* SHA-1 No PR */
++__fips_constseg static const unsigned char sha1_entropyinput[] = {
++ 0xa9, 0x47, 0x1b, 0x29, 0x2d, 0x1c, 0x05, 0xdf, 0x76, 0xd0, 0x62, 0xf9,
++ 0xe2, 0x7f, 0x4c, 0x7b
++};
++
++__fips_constseg static const unsigned char sha1_nonce[] = {
++ 0x53, 0x23, 0x24, 0xe3, 0xec, 0x0c, 0x54, 0x14
++};
++
++__fips_constseg static const unsigned char sha1_personalizationstring[] = {
++ 0x7a, 0x87, 0xa1, 0xac, 0x1c, 0xfd, 0xab, 0xae, 0xf7, 0xd6, 0xfb, 0x76,
++ 0x28, 0xec, 0x6d, 0xca
++};
++
++__fips_constseg static const unsigned char sha1_additionalinput[] = {
++ 0xfc, 0x92, 0x35, 0xd6, 0x7e, 0xb7, 0x24, 0x65, 0xfd, 0x12, 0x27, 0x35,
++ 0xc0, 0x72, 0xca, 0x28
++};
++
++__fips_constseg static const unsigned char sha1_int_returnedbits[] = {
++ 0x57, 0x88, 0x82, 0xe5, 0x25, 0xa5, 0x2c, 0x4a, 0x06, 0x20, 0x6c, 0x72,
++ 0x55, 0x61, 0xdd, 0x90, 0x71, 0x9f, 0x95, 0xea
++};
++
++__fips_constseg static const unsigned char sha1_entropyinputreseed[] = {
++ 0x69, 0xa5, 0x40, 0x62, 0x98, 0x47, 0x56, 0x73, 0x4a, 0x8f, 0x60, 0x96,
++ 0xd6, 0x99, 0x27, 0xed
++};
++
++__fips_constseg static const unsigned char sha1_additionalinputreseed[] = {
++ 0xe5, 0x40, 0x4e, 0xbd, 0x50, 0x00, 0xf5, 0x15, 0xa6, 0xee, 0x45, 0xda,
++ 0x84, 0x3d, 0xd4, 0xc0
++};
++
++__fips_constseg static const unsigned char sha1_additionalinput2[] = {
++ 0x11, 0x51, 0x14, 0xf0, 0x09, 0x1b, 0x4e, 0x56, 0x0d, 0xe9, 0xf6, 0x1e,
++ 0x52, 0x65, 0xcd, 0x96
++};
++
++__fips_constseg static const unsigned char sha1_returnedbits[] = {
++ 0xa1, 0x9c, 0x94, 0x6e, 0x29, 0xe1, 0x33, 0x0d, 0x32, 0xd6, 0xaa, 0xce,
++ 0x71, 0x3f, 0x52, 0x72, 0x8b, 0x42, 0xa8, 0xd7
++};
++
++/* SHA-224 PR */
++__fips_constseg static const unsigned char sha224_pr_entropyinput[] = {
++ 0x12, 0x69, 0x32, 0x4f, 0x83, 0xa6, 0xf5, 0x14, 0xe3, 0x49, 0x3e, 0x75,
++ 0x3e, 0xde, 0xad, 0xa1, 0x29, 0xc3, 0xf3, 0x19, 0x20, 0xb5, 0x4c, 0xd9
++};
++
++__fips_constseg static const unsigned char sha224_pr_nonce[] = {
++ 0x6a, 0x78, 0xd0, 0xeb, 0xbb, 0x5a, 0xf0, 0xee, 0xe8, 0xc3, 0xba, 0x71
++};
++
++__fips_constseg static const unsigned char sha224_pr_personalizationstring[] = {
++ 0xd5, 0xb8, 0xb6, 0xbc, 0xc1, 0x5b, 0x60, 0x31, 0x3c, 0xf5, 0xe5, 0xc0,
++ 0x8e, 0x52, 0x7a, 0xbd, 0xea, 0x47, 0xa9, 0x5f, 0x8f, 0xf9, 0x8b, 0xae
++};
++
++__fips_constseg static const unsigned char sha224_pr_additionalinput[] = {
++ 0x1f, 0x55, 0xec, 0xae, 0x16, 0x12, 0x84, 0xba, 0x84, 0x16, 0x19, 0x88,
++ 0x8e, 0xb8, 0x33, 0x25, 0x54, 0xff, 0xca, 0x79, 0xaf, 0x07, 0x25, 0x50
++};
++
++__fips_constseg static const unsigned char sha224_pr_entropyinputpr[] = {
++ 0x92, 0xa3, 0x32, 0xa8, 0x9a, 0x0a, 0x58, 0x7c, 0x1d, 0x5a, 0x7e, 0xe1,
++ 0xb2, 0x73, 0xab, 0x0e, 0x16, 0x79, 0x23, 0xd3, 0x29, 0x89, 0x81, 0xe1
++};
++
++__fips_constseg static const unsigned char sha224_pr_int_returnedbits[] = {
++ 0xf3, 0x38, 0x91, 0x40, 0x37, 0x7a, 0x51, 0x72, 0x42, 0x74, 0x78, 0x0a,
++ 0x69, 0xfd, 0xa6, 0x44, 0x43, 0x45, 0x6c, 0x0c, 0x5a, 0x19, 0xff, 0xf1,
++ 0x54, 0x60, 0xee, 0x6a
++};
++
++__fips_constseg static const unsigned char sha224_pr_additionalinput2[] = {
++ 0x75, 0xf3, 0x04, 0x25, 0xdd, 0x36, 0xa8, 0x37, 0x46, 0xae, 0x0c, 0x52,
++ 0x05, 0x79, 0x4c, 0x26, 0xdb, 0xe9, 0x71, 0x16, 0x4c, 0x0a, 0xf2, 0x60
++};
++
++__fips_constseg static const unsigned char sha224_pr_entropyinputpr2[] = {
++ 0xea, 0xc5, 0x03, 0x0a, 0x4f, 0xb0, 0x38, 0x8d, 0x23, 0xd4, 0xc8, 0x77,
++ 0xe2, 0x6d, 0x9c, 0x0b, 0x44, 0xf7, 0x2d, 0x5b, 0xbf, 0x5d, 0x2a, 0x11
++};
++
++__fips_constseg static const unsigned char sha224_pr_returnedbits[] = {
++ 0x60, 0x50, 0x2b, 0xe7, 0x86, 0xd8, 0x26, 0x73, 0xe3, 0x1d, 0x95, 0x20,
++ 0xb3, 0x2c, 0x32, 0x1c, 0xf5, 0xce, 0x57, 0xa6, 0x67, 0x2b, 0xdc, 0x4e,
++ 0xdd, 0x11, 0x4c, 0xc4
++};
++
++/* SHA-224 No PR */
++__fips_constseg static const unsigned char sha224_entropyinput[] = {
++ 0xb2, 0x1c, 0x77, 0x4d, 0xf6, 0xd3, 0xb6, 0x40, 0xb7, 0x30, 0x3e, 0x29,
++ 0xb0, 0x85, 0x1c, 0xbe, 0x4a, 0xea, 0x6b, 0x5a, 0xb5, 0x8a, 0x97, 0xeb
++};
++
++__fips_constseg static const unsigned char sha224_nonce[] = {
++ 0x42, 0x02, 0x0a, 0x1c, 0x98, 0x9a, 0x77, 0x9e, 0x9f, 0x80, 0xba, 0xe0
++};
++
++__fips_constseg static const unsigned char sha224_personalizationstring[] = {
++ 0x98, 0xb8, 0x04, 0x41, 0xfc, 0xc1, 0x5d, 0xc5, 0xe9, 0xb9, 0x08, 0xda,
++ 0xf9, 0xfa, 0x0d, 0x90, 0xce, 0xdf, 0x1d, 0x10, 0xa9, 0x8d, 0x50, 0x0c
++};
++
++__fips_constseg static const unsigned char sha224_additionalinput[] = {
++ 0x9a, 0x8d, 0x39, 0x49, 0x42, 0xd5, 0x0b, 0xae, 0xe1, 0xaf, 0xb7, 0x00,
++ 0x02, 0xfa, 0x96, 0xb1, 0xa5, 0x1d, 0x2d, 0x25, 0x78, 0xee, 0x83, 0x3f
++};
++
++__fips_constseg static const unsigned char sha224_int_returnedbits[] = {
++ 0xe4, 0xf5, 0x53, 0x79, 0x5a, 0x97, 0x58, 0x06, 0x08, 0xba, 0x7b, 0xfa,
++ 0xf0, 0x83, 0x05, 0x8c, 0x22, 0xc0, 0xc9, 0xdb, 0x15, 0xe7, 0xde, 0x20,
++ 0x55, 0x22, 0x9a, 0xad
++};
++
++__fips_constseg static const unsigned char sha224_entropyinputreseed[] = {
++ 0x67, 0x09, 0x48, 0xaa, 0x07, 0x16, 0x99, 0x89, 0x7f, 0x6d, 0xa0, 0xe5,
++ 0x8f, 0xdf, 0xbc, 0xdb, 0xfe, 0xe5, 0x6c, 0x7a, 0x95, 0x4a, 0x66, 0x17
++};
++
++__fips_constseg static const unsigned char sha224_additionalinputreseed[] = {
++ 0x0f, 0x4b, 0x1c, 0x6f, 0xb7, 0xe3, 0x47, 0xe5, 0x5d, 0x7d, 0x38, 0xd6,
++ 0x28, 0x9b, 0xeb, 0x55, 0x63, 0x09, 0x3e, 0x7c, 0x56, 0xea, 0xf8, 0x19
++};
++
++__fips_constseg static const unsigned char sha224_additionalinput2[] = {
++ 0x2d, 0x26, 0x7c, 0x37, 0xe4, 0x7a, 0x28, 0x5e, 0x5a, 0x3c, 0xaf, 0x3d,
++ 0x5a, 0x8e, 0x55, 0xa2, 0x1a, 0x6e, 0xc0, 0xe5, 0xf6, 0x21, 0xd3, 0xf6
++};
++
++__fips_constseg static const unsigned char sha224_returnedbits[] = {
++ 0x4d, 0x83, 0x35, 0xdf, 0x67, 0xa9, 0xfc, 0x17, 0xda, 0x70, 0xcc, 0x8b,
++ 0x7f, 0x77, 0xae, 0xa2, 0x5f, 0xb9, 0x7e, 0x74, 0x4c, 0x26, 0xc1, 0x7a,
++ 0x3b, 0xa7, 0x5c, 0x93
++};
++
++/* SHA-256 PR */
++__fips_constseg static const unsigned char sha256_pr_entropyinput[] = {
++ 0xce, 0x49, 0x00, 0x7a, 0x56, 0xe3, 0x67, 0x8f, 0xe1, 0xb6, 0xa7, 0xd4,
++ 0x4f, 0x08, 0x7a, 0x1b, 0x01, 0xf4, 0xfa, 0x6b, 0xef, 0xb7, 0xe5, 0xeb,
++ 0x07, 0x3d, 0x11, 0x0d, 0xc8, 0xea, 0x2b, 0xfe
++};
++
++__fips_constseg static const unsigned char sha256_pr_nonce[] = {
++ 0x73, 0x41, 0xc8, 0x92, 0x94, 0xe2, 0xc5, 0x5f, 0x93, 0xfd, 0x39, 0x5d,
++ 0x2b, 0x91, 0x4d, 0x38
++};
++
++__fips_constseg static const unsigned char sha256_pr_personalizationstring[] = {
++ 0x50, 0x6d, 0x01, 0x01, 0x07, 0x5a, 0x80, 0x35, 0x7a, 0x56, 0x1a, 0x56,
++ 0x2f, 0x9a, 0x0b, 0x35, 0xb2, 0xb1, 0xc9, 0xe5, 0xca, 0x69, 0x61, 0x48,
++ 0xff, 0xfb, 0x0f, 0xd9, 0x4b, 0x79, 0x1d, 0xba
++};
++
++__fips_constseg static const unsigned char sha256_pr_additionalinput[] = {
++ 0x20, 0xb8, 0xdf, 0x44, 0x77, 0x5a, 0xb8, 0xd3, 0xbf, 0xf6, 0xcf, 0xac,
++ 0x5e, 0xa6, 0x96, 0x62, 0x73, 0x44, 0x40, 0x4a, 0x30, 0xfb, 0x38, 0xa5,
++ 0x7b, 0x0d, 0xe4, 0x0d, 0xc6, 0xe4, 0x9a, 0x1f
++};
++
++__fips_constseg static const unsigned char sha256_pr_entropyinputpr[] = {
++ 0x04, 0xc4, 0x65, 0xf4, 0xd3, 0xbf, 0x83, 0x4b, 0xab, 0xc8, 0x41, 0xa8,
++ 0xc2, 0xe0, 0x44, 0x63, 0x77, 0x4c, 0x6f, 0x6c, 0x49, 0x46, 0xff, 0x94,
++ 0x17, 0xea, 0xe6, 0x1a, 0x9d, 0x5e, 0x66, 0x78
++};
++
++__fips_constseg static const unsigned char sha256_pr_int_returnedbits[] = {
++ 0x07, 0x4d, 0xac, 0x9b, 0x86, 0xca, 0x4a, 0xaa, 0x6e, 0x7a, 0x03, 0xa2,
++ 0x5d, 0x10, 0xea, 0x0b, 0xf9, 0x83, 0xcc, 0xd1, 0xfc, 0xe2, 0x07, 0xc7,
++ 0x06, 0x34, 0x60, 0x6f, 0x83, 0x94, 0x99, 0x76
++};
++
++__fips_constseg static const unsigned char sha256_pr_additionalinput2[] = {
++ 0x89, 0x4e, 0x45, 0x8c, 0x11, 0xf9, 0xbc, 0x5b, 0xac, 0x74, 0x8b, 0x4b,
++ 0x5f, 0xf7, 0x19, 0xf3, 0xf5, 0x24, 0x54, 0x14, 0xd1, 0x15, 0xb1, 0x43,
++ 0x12, 0xa4, 0x5f, 0xd4, 0xec, 0xfc, 0xcd, 0x09
++};
++
++__fips_constseg static const unsigned char sha256_pr_entropyinputpr2[] = {
++ 0x0e, 0xeb, 0x1f, 0xd7, 0xfc, 0xd1, 0x9d, 0xd4, 0x05, 0x36, 0x8b, 0xb2,
++ 0xfb, 0xe4, 0xf4, 0x51, 0x0c, 0x87, 0x9b, 0x02, 0x44, 0xd5, 0x92, 0x4d,
++ 0x44, 0xfe, 0x1a, 0x03, 0x43, 0x56, 0xbd, 0x86
++};
++
++__fips_constseg static const unsigned char sha256_pr_returnedbits[] = {
++ 0x02, 0xaa, 0xb6, 0x1d, 0x7e, 0x2a, 0x40, 0x03, 0x69, 0x2d, 0x49, 0xa3,
++ 0x41, 0xe7, 0x44, 0x0b, 0xaf, 0x7b, 0x85, 0xe4, 0x5f, 0x53, 0x3b, 0x64,
++ 0xbc, 0x89, 0xc8, 0x82, 0xd4, 0x78, 0x37, 0xa2
++};
++
++/* SHA-256 No PR */
++__fips_constseg static const unsigned char sha256_entropyinput[] = {
++ 0x5b, 0x1b, 0xec, 0x4d, 0xa9, 0x38, 0x74, 0x5a, 0x34, 0x0b, 0x7b, 0xc5,
++ 0xe5, 0xd7, 0x66, 0x7c, 0xbc, 0x82, 0xb9, 0x0e, 0x2d, 0x1f, 0x92, 0xd7,
++ 0xc1, 0xbc, 0x67, 0x69, 0xec, 0x6b, 0x03, 0x3c
++};
++
++__fips_constseg static const unsigned char sha256_nonce[] = {
++ 0xa4, 0x0c, 0xd8, 0x9c, 0x61, 0xd8, 0xc3, 0x54, 0xfe, 0x53, 0xc9, 0xe5,
++ 0x5d, 0x6f, 0x6d, 0x35
++};
++
++__fips_constseg static const unsigned char sha256_personalizationstring[] = {
++ 0x22, 0x5e, 0x62, 0x93, 0x42, 0x83, 0x78, 0x24, 0xd8, 0x40, 0x8c, 0xde,
++ 0x6f, 0xf9, 0xa4, 0x7a, 0xc5, 0xa7, 0x3b, 0x88, 0xa3, 0xee, 0x42, 0x20,
++ 0xfd, 0x61, 0x56, 0xc6, 0x4c, 0x13, 0x41, 0x9c
++};
++
++__fips_constseg static const unsigned char sha256_additionalinput[] = {
++ 0xbf, 0x74, 0x5b, 0xf6, 0xc5, 0x64, 0x5e, 0x99, 0x34, 0x8f, 0xbc, 0xa4,
++ 0xe2, 0xbd, 0xd8, 0x85, 0x26, 0x37, 0xea, 0xba, 0x4f, 0xf2, 0x9a, 0x9a,
++ 0x66, 0xfc, 0xdf, 0x63, 0x26, 0x26, 0x19, 0x87
++};
++
++__fips_constseg static const unsigned char sha256_int_returnedbits[] = {
++ 0xb3, 0xc6, 0x07, 0x07, 0xd6, 0x75, 0xf6, 0x2b, 0xd6, 0x21, 0x96, 0xf1,
++ 0xae, 0xdb, 0x2b, 0xac, 0x25, 0x2a, 0xae, 0xae, 0x41, 0x72, 0x03, 0x5e,
++ 0xbf, 0xd3, 0x64, 0xbc, 0x59, 0xf9, 0xc0, 0x76
++};
++
++__fips_constseg static const unsigned char sha256_entropyinputreseed[] = {
++ 0xbf, 0x20, 0x33, 0x56, 0x29, 0xa8, 0x37, 0x04, 0x1f, 0x78, 0x34, 0x3d,
++ 0x81, 0x2a, 0xc9, 0x86, 0xc6, 0x7a, 0x2f, 0x88, 0x5e, 0xd5, 0xbe, 0x34,
++ 0x46, 0x20, 0xa4, 0x35, 0xeb, 0xc7, 0xe2, 0x9d
++};
++
++__fips_constseg static const unsigned char sha256_additionalinputreseed[] = {
++ 0x9b, 0xae, 0x2d, 0x2d, 0x61, 0xa4, 0x89, 0xeb, 0x43, 0x46, 0xa7, 0xda,
++ 0xef, 0x40, 0xca, 0x4a, 0x99, 0x11, 0x41, 0xdc, 0x5c, 0x94, 0xe9, 0xac,
++ 0xd4, 0xd0, 0xe6, 0xbd, 0xfb, 0x03, 0x9c, 0xa8
++};
++
++__fips_constseg static const unsigned char sha256_additionalinput2[] = {
++ 0x23, 0xaa, 0x0c, 0xbd, 0x28, 0x33, 0xe2, 0x51, 0xfc, 0x71, 0xd2, 0x15,
++ 0x1f, 0x76, 0xfd, 0x0d, 0xe0, 0xb7, 0xb5, 0x84, 0x75, 0x5b, 0xbe, 0xf3,
++ 0x5c, 0xca, 0xc5, 0x30, 0xf2, 0x75, 0x1f, 0xda
++};
++
++__fips_constseg static const unsigned char sha256_returnedbits[] = {
++ 0x90, 0x3c, 0xc1, 0x10, 0x8c, 0x12, 0x01, 0xc6, 0xa6, 0x3a, 0x0f, 0x4d,
++ 0xb6, 0x3a, 0x4f, 0x41, 0x9c, 0x61, 0x75, 0x84, 0xe9, 0x74, 0x75, 0xfd,
++ 0xfe, 0xf2, 0x1f, 0x43, 0xd8, 0x5e, 0x24, 0xa3
++};
++
++/* SHA-384 PR */
++__fips_constseg static const unsigned char sha384_pr_entropyinput[] = {
++ 0x71, 0x9d, 0xb2, 0x5a, 0x71, 0x6d, 0x04, 0xe9, 0x1e, 0xc7, 0x92, 0x24,
++ 0x6e, 0x12, 0x33, 0xa9, 0x52, 0x64, 0x31, 0xef, 0x71, 0xeb, 0x22, 0x55,
++ 0x28, 0x97, 0x06, 0x6a, 0xc0, 0x0c, 0xa0, 0x7e
++};
++
++__fips_constseg static const unsigned char sha384_pr_nonce[] = {
++ 0xf5, 0x0d, 0xfa, 0xb0, 0xec, 0x6a, 0x7c, 0xd6, 0xbd, 0x9b, 0x05, 0xfd,
++ 0x38, 0x3e, 0x2e, 0x56
++};
++
++__fips_constseg static const unsigned char sha384_pr_personalizationstring[] = {
++ 0x74, 0xac, 0x7e, 0x6d, 0xb1, 0xa4, 0xe7, 0x21, 0xd1, 0x1e, 0x6e, 0x96,
++ 0x6d, 0x4d, 0x53, 0x46, 0x82, 0x96, 0x6e, 0xcf, 0xaa, 0x81, 0x8d, 0x7d,
++ 0x9e, 0xe1, 0x0f, 0x15, 0xea, 0x41, 0xbf, 0xe3
++};
++
++__fips_constseg static const unsigned char sha384_pr_additionalinput[] = {
++ 0xda, 0x95, 0xd4, 0xd0, 0xb8, 0x11, 0xd3, 0x49, 0x27, 0x5d, 0xa9, 0x39,
++ 0x68, 0xf3, 0xa8, 0xe9, 0x5d, 0x19, 0x8a, 0x2b, 0x66, 0xe8, 0x69, 0x06,
++ 0x7c, 0x9e, 0x03, 0xa1, 0x8b, 0x26, 0x2d, 0x6e
++};
++
++__fips_constseg static const unsigned char sha384_pr_entropyinputpr[] = {
++ 0x49, 0xdf, 0x44, 0x00, 0xe4, 0x1c, 0x75, 0x0b, 0x26, 0x5a, 0x59, 0x64,
++ 0x1f, 0x4e, 0xb1, 0xb2, 0x13, 0xf1, 0x22, 0x4e, 0xb4, 0x6d, 0x9a, 0xcc,
++ 0xa0, 0x48, 0xe6, 0xcf, 0x1d, 0xd1, 0x92, 0x0d
++};
++
++__fips_constseg static const unsigned char sha384_pr_int_returnedbits[] = {
++ 0xc8, 0x52, 0xae, 0xbf, 0x04, 0x3c, 0x27, 0xb7, 0x78, 0x18, 0xaa, 0x8f,
++ 0xff, 0xcf, 0xa4, 0xf1, 0xcc, 0xe7, 0x68, 0xfa, 0x22, 0xa2, 0x13, 0x45,
++ 0xe8, 0xdd, 0x87, 0xe6, 0xf2, 0x6e, 0xdd, 0xc7, 0x52, 0x90, 0x9f, 0x7b,
++ 0xfa, 0x61, 0x2d, 0x9d, 0x9e, 0xcf, 0x98, 0xac, 0x52, 0x40, 0xce, 0xaf
++};
++
++__fips_constseg static const unsigned char sha384_pr_additionalinput2[] = {
++ 0x61, 0x7c, 0x03, 0x9a, 0x3e, 0x50, 0x57, 0x60, 0xc5, 0x83, 0xc9, 0xb2,
++ 0xd1, 0x87, 0x85, 0x66, 0x92, 0x5d, 0x84, 0x0e, 0x53, 0xfb, 0x70, 0x03,
++ 0x72, 0xfd, 0xba, 0xae, 0x9c, 0x8f, 0xf8, 0x18
++};
++
++__fips_constseg static const unsigned char sha384_pr_entropyinputpr2[] = {
++ 0xf8, 0xeb, 0x89, 0xb1, 0x8d, 0x78, 0xbe, 0x21, 0xe0, 0xbb, 0x9d, 0xb7,
++ 0x95, 0x0e, 0xd9, 0x46, 0x0c, 0x8c, 0xe2, 0x63, 0xb7, 0x9d, 0x67, 0x90,
++ 0xbd, 0xc7, 0x0b, 0xa5, 0xce, 0xb2, 0x65, 0x81
++};
++
++__fips_constseg static const unsigned char sha384_pr_returnedbits[] = {
++ 0xe6, 0x9f, 0xfe, 0x68, 0xd6, 0xb5, 0x79, 0xf1, 0x06, 0x5f, 0xa3, 0xbb,
++ 0x23, 0x85, 0xd8, 0xf0, 0x29, 0x5a, 0x68, 0x9e, 0xf5, 0xf4, 0xa6, 0x12,
++ 0xe0, 0x9a, 0xe2, 0xac, 0x00, 0x1d, 0x98, 0x26, 0xfc, 0x53, 0x95, 0x53,
++ 0xe4, 0x3e, 0x17, 0xd5, 0x08, 0x0b, 0x70, 0x3d, 0x67, 0x99, 0xac, 0x66
++};
++
++/* SHA-384 No PR */
++__fips_constseg static const unsigned char sha384_entropyinput[] = {
++ 0x07, 0x15, 0x27, 0x2a, 0xaf, 0x74, 0x24, 0x37, 0xbc, 0xd5, 0x14, 0x69,
++ 0xce, 0x11, 0xff, 0xa2, 0x6b, 0xb8, 0x05, 0x67, 0x34, 0xf8, 0xbd, 0x6d,
++ 0x6a, 0xcc, 0xcd, 0x60, 0xa3, 0x68, 0xca, 0xf4
++};
++
++__fips_constseg static const unsigned char sha384_nonce[] = {
++ 0x70, 0x17, 0xc2, 0x5b, 0x5d, 0x22, 0x0b, 0x06, 0x15, 0x54, 0x78, 0x77,
++ 0x44, 0xaf, 0x2f, 0x09
++};
++
++__fips_constseg static const unsigned char sha384_personalizationstring[] = {
++ 0x89, 0x39, 0x28, 0xb0, 0x60, 0xeb, 0x3d, 0xdc, 0x55, 0x75, 0x86, 0xeb,
++ 0xae, 0xa2, 0x8f, 0xbc, 0x1b, 0x75, 0xd4, 0xe1, 0x0f, 0xaa, 0x38, 0xca,
++ 0x62, 0x8b, 0xcb, 0x2c, 0x26, 0xf6, 0xbc, 0xb1
++};
++
++__fips_constseg static const unsigned char sha384_additionalinput[] = {
++ 0x30, 0x2b, 0x42, 0x35, 0xef, 0xda, 0x40, 0x55, 0x28, 0xc6, 0x95, 0xfb,
++ 0x54, 0x01, 0x62, 0xd7, 0x87, 0x14, 0x48, 0x6d, 0x90, 0x4c, 0xa9, 0x02,
++ 0x54, 0x40, 0x22, 0xc8, 0x66, 0xa5, 0x48, 0x48
++};
++
++__fips_constseg static const unsigned char sha384_int_returnedbits[] = {
++ 0x82, 0xc4, 0xa1, 0x9c, 0x21, 0xd2, 0xe7, 0xa5, 0xa6, 0xf6, 0x5f, 0x04,
++ 0x5c, 0xc7, 0x31, 0x9d, 0x8d, 0x59, 0x74, 0x50, 0x19, 0x89, 0x2f, 0x63,
++ 0xd5, 0xb7, 0x7e, 0xeb, 0x15, 0xe3, 0x70, 0x83, 0xa1, 0x24, 0x59, 0xfa,
++ 0x2c, 0x56, 0xf6, 0x88, 0x3a, 0x92, 0x93, 0xa1, 0xfb, 0x79, 0xc1, 0x7a
++};
++
++__fips_constseg static const unsigned char sha384_entropyinputreseed[] = {
++ 0x39, 0xa6, 0xe8, 0x5c, 0x82, 0x17, 0x71, 0x26, 0x57, 0x4f, 0x9f, 0xc2,
++ 0x55, 0xff, 0x5c, 0x9b, 0x53, 0x1a, 0xd1, 0x5f, 0xbc, 0x62, 0xe4, 0x27,
++ 0x2d, 0x32, 0xf0, 0xe4, 0x52, 0x8c, 0xc5, 0x0c
++};
++
++__fips_constseg static const unsigned char sha384_additionalinputreseed[] = {
++ 0x8d, 0xcb, 0x8d, 0xce, 0x08, 0xea, 0x80, 0xe8, 0x9b, 0x61, 0xa8, 0x0f,
++ 0xaf, 0x49, 0x20, 0x9e, 0x74, 0xcb, 0x57, 0x80, 0x42, 0xb0, 0x84, 0x5e,
++ 0x30, 0x2a, 0x67, 0x08, 0xf4, 0xe3, 0x40, 0x22
++};
++
++__fips_constseg static const unsigned char sha384_additionalinput2[] = {
++ 0x7c, 0x8f, 0xc2, 0xae, 0x22, 0x4a, 0xd6, 0xf6, 0x05, 0xa4, 0x7a, 0xea,
++ 0xbb, 0x25, 0xd0, 0xb7, 0x5a, 0xd6, 0xcf, 0x9d, 0xf3, 0x6c, 0xe2, 0xb2,
++ 0x4e, 0xb4, 0xbd, 0xf4, 0xe5, 0x40, 0x80, 0x94
++};
++
++__fips_constseg static const unsigned char sha384_returnedbits[] = {
++ 0x9e, 0x7e, 0xfb, 0x59, 0xbb, 0xaa, 0x3c, 0xf7, 0xe1, 0xf8, 0x76, 0xdd,
++ 0x63, 0x5f, 0xaf, 0x23, 0xd6, 0x64, 0x61, 0xc0, 0x9a, 0x09, 0x47, 0xc9,
++ 0x33, 0xdf, 0x6d, 0x55, 0x91, 0x34, 0x79, 0x70, 0xc4, 0x99, 0x6e, 0x54,
++ 0x09, 0x64, 0x21, 0x1a, 0xbd, 0x1e, 0x80, 0x40, 0x34, 0xad, 0xfa, 0xd7
++};
++
++/* SHA-512 PR */
++__fips_constseg static const unsigned char sha512_pr_entropyinput[] = {
++ 0x13, 0xf7, 0x61, 0x75, 0x65, 0x28, 0xa2, 0x59, 0x13, 0x5a, 0x4a, 0x4f,
++ 0x56, 0x60, 0x8c, 0x53, 0x7d, 0xb0, 0xbd, 0x06, 0x4f, 0xed, 0xcc, 0xd2,
++ 0xa2, 0xb5, 0xfd, 0x5b, 0x3a, 0xab, 0xec, 0x28
++};
++
++__fips_constseg static const unsigned char sha512_pr_nonce[] = {
++ 0xbe, 0xa3, 0x91, 0x93, 0x1d, 0xc3, 0x31, 0x3a, 0x23, 0x33, 0x50, 0x67,
++ 0x88, 0xc7, 0xa2, 0xc4
++};
++
++__fips_constseg static const unsigned char sha512_pr_personalizationstring[] = {
++ 0x1f, 0x59, 0x4d, 0x7b, 0xe6, 0x46, 0x91, 0x48, 0xc1, 0x25, 0xfa, 0xff,
++ 0x89, 0x12, 0x77, 0x35, 0xdf, 0x3e, 0xf4, 0x80, 0x5f, 0xd9, 0xb0, 0x07,
++ 0x22, 0x41, 0xdd, 0x48, 0x78, 0x6b, 0x77, 0x2b
++};
++
++__fips_constseg static const unsigned char sha512_pr_additionalinput[] = {
++ 0x30, 0xff, 0x63, 0x6f, 0xac, 0xd9, 0x84, 0x39, 0x6f, 0xe4, 0x99, 0xce,
++ 0x91, 0x7d, 0x7e, 0xc8, 0x58, 0xf2, 0x12, 0xc3, 0xb6, 0xad, 0xda, 0x22,
++ 0x04, 0xa0, 0xd2, 0x21, 0xfe, 0xf2, 0x95, 0x1d
++};
++
++__fips_constseg static const unsigned char sha512_pr_entropyinputpr[] = {
++ 0x64, 0x54, 0x13, 0xec, 0x4f, 0x77, 0xda, 0xb2, 0x92, 0x2e, 0x52, 0x80,
++ 0x11, 0x10, 0xc2, 0xf8, 0xe6, 0xa7, 0xcd, 0x4b, 0xfc, 0x32, 0x2e, 0x9e,
++ 0xeb, 0xbb, 0xb1, 0xbf, 0x15, 0x5c, 0x73, 0x08
++};
++
++__fips_constseg static const unsigned char sha512_pr_int_returnedbits[] = {
++ 0xef, 0x1e, 0xdc, 0x0a, 0xa4, 0x36, 0x91, 0x9c, 0x3d, 0x27, 0x97, 0x50,
++ 0x8d, 0x36, 0x29, 0x8d, 0xce, 0x6a, 0x0c, 0xf7, 0x21, 0xc0, 0x91, 0xae,
++ 0x0c, 0x96, 0x72, 0xbd, 0x52, 0x81, 0x58, 0xfc, 0x6d, 0xe5, 0xf7, 0xa5,
++ 0xfd, 0x5d, 0xa7, 0x58, 0x68, 0xc8, 0x99, 0x58, 0x8e, 0xc8, 0xce, 0x95,
++ 0x01, 0x7d, 0xff, 0xa4, 0xc8, 0xf7, 0x63, 0xfe, 0x5f, 0x69, 0x83, 0x53,
++ 0xe2, 0xc6, 0x8b, 0xc3
++};
++
++__fips_constseg static const unsigned char sha512_pr_additionalinput2[] = {
++ 0xe6, 0x9b, 0xc4, 0x88, 0x34, 0xca, 0xea, 0x29, 0x2f, 0x98, 0x05, 0xa4,
++ 0xd3, 0xc0, 0x7b, 0x11, 0xe8, 0xbb, 0x75, 0xf2, 0xbd, 0x29, 0xb7, 0x40,
++ 0x25, 0x7f, 0xc1, 0xb7, 0xb1, 0xf1, 0x25, 0x61
++};
++
++__fips_constseg static const unsigned char sha512_pr_entropyinputpr2[] = {
++ 0x23, 0x6d, 0xff, 0xde, 0xfb, 0xd1, 0xba, 0x33, 0x18, 0xe6, 0xbe, 0xb5,
++ 0x48, 0x77, 0x6d, 0x7f, 0xa7, 0xe1, 0x4d, 0x48, 0x1e, 0x3c, 0xa7, 0x34,
++ 0x1a, 0xc8, 0x60, 0xdb, 0x8f, 0x99, 0x15, 0x99
++};
++
++__fips_constseg static const unsigned char sha512_pr_returnedbits[] = {
++ 0x70, 0x27, 0x31, 0xdb, 0x92, 0x70, 0x21, 0xfe, 0x16, 0xb6, 0xc8, 0x51,
++ 0x34, 0x87, 0x65, 0xd0, 0x4e, 0xfd, 0xfe, 0x68, 0xec, 0xac, 0xdc, 0x93,
++ 0x41, 0x38, 0x92, 0x90, 0xb4, 0x94, 0xf9, 0x0d, 0xa4, 0xf7, 0x4e, 0x80,
++ 0x92, 0x67, 0x48, 0x40, 0xa7, 0x08, 0xc7, 0xbc, 0x66, 0x00, 0xfd, 0xf7,
++ 0x4c, 0x8b, 0x17, 0x6e, 0xd1, 0x8f, 0x9b, 0xf3, 0x6f, 0xf6, 0x34, 0xdd,
++ 0x67, 0xf7, 0x68, 0xdd
++};
++
++/* SHA-512 No PR */
++__fips_constseg static const unsigned char sha512_entropyinput[] = {
++ 0xb6, 0x0b, 0xb7, 0xbc, 0x84, 0x56, 0xf6, 0x12, 0xaf, 0x45, 0x67, 0x17,
++ 0x7c, 0xd1, 0xb2, 0x78, 0x2b, 0xa0, 0xf2, 0xbe, 0xb6, 0x6d, 0x8b, 0x56,
++ 0xc6, 0xbc, 0x4d, 0xe1, 0xf7, 0xbe, 0xce, 0xbd
++};
++
++__fips_constseg static const unsigned char sha512_nonce[] = {
++ 0x9d, 0xed, 0xc0, 0xe5, 0x5a, 0x98, 0x6a, 0xcb, 0x51, 0x7d, 0x76, 0x31,
++ 0x5a, 0x64, 0xf0, 0xf7
++};
++
++__fips_constseg static const unsigned char sha512_personalizationstring[] = {
++ 0xc2, 0x6d, 0xa3, 0xc3, 0x06, 0x74, 0xe5, 0x01, 0x5c, 0x10, 0x17, 0xc7,
++ 0xaf, 0x83, 0x9d, 0x59, 0x8d, 0x2d, 0x29, 0x38, 0xc5, 0x59, 0x70, 0x8b,
++ 0x46, 0x48, 0x2d, 0xcf, 0x36, 0x7d, 0x59, 0xc0
++};
++
++__fips_constseg static const unsigned char sha512_additionalinput[] = {
++ 0xec, 0x8c, 0xd4, 0xf7, 0x61, 0x6e, 0x0d, 0x95, 0x79, 0xb7, 0x28, 0xad,
++ 0x5f, 0x69, 0x74, 0x5f, 0x2d, 0x36, 0x06, 0x8a, 0x6b, 0xac, 0x54, 0x97,
++ 0xc4, 0xa1, 0x12, 0x85, 0x0a, 0xdf, 0x4b, 0x34
++};
++
++__fips_constseg static const unsigned char sha512_int_returnedbits[] = {
++ 0x84, 0x2f, 0x1f, 0x68, 0x6a, 0xa3, 0xad, 0x1e, 0xfb, 0xf4, 0x15, 0xbd,
++ 0xde, 0x38, 0xd4, 0x30, 0x80, 0x51, 0xe9, 0xd3, 0xc7, 0x20, 0x88, 0xe9,
++ 0xf5, 0xcc, 0xdf, 0x57, 0x5c, 0x47, 0x2f, 0x57, 0x3c, 0x5f, 0x13, 0x56,
++ 0xcc, 0xc5, 0x4f, 0x84, 0xf8, 0x10, 0x41, 0xd5, 0x7e, 0x58, 0x6e, 0x19,
++ 0x19, 0x9e, 0xaf, 0xc2, 0x22, 0x58, 0x41, 0x50, 0x79, 0xc2, 0xd8, 0x04,
++ 0x28, 0xd4, 0x39, 0x9a
++};
++
++__fips_constseg static const unsigned char sha512_entropyinputreseed[] = {
++ 0xfa, 0x7f, 0x46, 0x51, 0x83, 0x62, 0x98, 0x16, 0x9a, 0x19, 0xa2, 0x49,
++ 0xa9, 0xe6, 0x4a, 0xd8, 0x85, 0xe7, 0xd4, 0x3b, 0x2c, 0x82, 0xc5, 0x82,
++ 0xbf, 0x11, 0xf9, 0x9e, 0xbc, 0xd0, 0x01, 0xee
++};
++
++__fips_constseg static const unsigned char sha512_additionalinputreseed[] = {
++ 0xb9, 0x12, 0xe0, 0x4f, 0xf7, 0xa7, 0xc4, 0xd8, 0xd0, 0x8e, 0x99, 0x29,
++ 0x7c, 0x9a, 0xe9, 0xcf, 0xc4, 0x6c, 0xf8, 0xc3, 0xa7, 0x41, 0x83, 0xd6,
++ 0x2e, 0xfa, 0xb8, 0x5e, 0x8e, 0x6b, 0x78, 0x20
++};
++
++__fips_constseg static const unsigned char sha512_additionalinput2[] = {
++ 0xd7, 0x07, 0x52, 0xb9, 0x83, 0x2c, 0x03, 0x71, 0xee, 0xc9, 0xc0, 0x85,
++ 0xe1, 0x57, 0xb2, 0xcd, 0x3a, 0xf0, 0xc9, 0x34, 0x24, 0x41, 0x1c, 0x42,
++ 0x99, 0xb2, 0x84, 0xe9, 0x17, 0xd2, 0x76, 0x92
++};
++
++__fips_constseg static const unsigned char sha512_returnedbits[] = {
++ 0x36, 0x17, 0x5d, 0x98, 0x2b, 0x65, 0x25, 0x8e, 0xc8, 0x29, 0xdf, 0x27,
++ 0x05, 0x36, 0x26, 0x12, 0x8a, 0x68, 0x74, 0x27, 0x37, 0xd4, 0x7f, 0x32,
++ 0xb1, 0x12, 0xd6, 0x85, 0x83, 0xeb, 0x2e, 0xa0, 0xed, 0x4b, 0xb5, 0x7b,
++ 0x6f, 0x39, 0x3c, 0x71, 0x77, 0x02, 0x12, 0xcc, 0x2c, 0x3a, 0x8e, 0x63,
++ 0xdf, 0x4a, 0xbd, 0x6f, 0x6e, 0x2e, 0xed, 0x0a, 0x85, 0xa5, 0x2f, 0xa2,
++ 0x68, 0xde, 0x42, 0xb5
++};
++
++/* HMAC SHA-1 PR */
++__fips_constseg static const unsigned char hmac_sha1_pr_entropyinput[] = {
++ 0x26, 0x5f, 0x36, 0x14, 0xff, 0x3d, 0x83, 0xfa, 0x73, 0x5e, 0x75, 0xdc,
++ 0x2c, 0x18, 0x17, 0x1b
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_nonce[] = {
++ 0xc8, 0xe3, 0x57, 0xa5, 0x7b, 0x74, 0x86, 0x6e
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha1_pr_personalizationstring[] = {
++ 0x6e, 0xdb, 0x0d, 0xfe, 0x7d, 0xac, 0x79, 0xd0, 0xa5, 0x3a, 0x48, 0x85,
++ 0x80, 0xe2, 0x7f, 0x2a
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput[] = {
++ 0x31, 0xcd, 0x5e, 0x43, 0xdc, 0xfb, 0x7a, 0x79, 0xca, 0x88, 0xde, 0x1f,
++ 0xd7, 0xbb, 0x42, 0x09
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr[] = {
++ 0x7c, 0x23, 0x95, 0x38, 0x00, 0x95, 0xc1, 0x78, 0x1f, 0x8f, 0xd7, 0x63,
++ 0x23, 0x87, 0x2a, 0xed
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_int_returnedbits[] = {
++ 0xbb, 0x34, 0xe7, 0x93, 0xa3, 0x02, 0x2c, 0x4a, 0xd0, 0x89, 0xda, 0x7f,
++ 0xed, 0xf4, 0x4c, 0xde, 0x17, 0xec, 0xe5, 0x6c
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput2[] = {
++ 0x49, 0xbc, 0x2d, 0x2c, 0xb7, 0x32, 0xcb, 0x20, 0xdf, 0xf5, 0x77, 0x58,
++ 0xa0, 0x4b, 0x93, 0x6e
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr2[] = {
++ 0x3c, 0xaa, 0xb0, 0x21, 0x42, 0xb0, 0xdd, 0x34, 0xf0, 0x16, 0x7f, 0x0c,
++ 0x0f, 0xff, 0x2e, 0xaf
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_returnedbits[] = {
++ 0x8e, 0xcb, 0xa3, 0x64, 0xb2, 0xb8, 0x33, 0x6c, 0x64, 0x3b, 0x78, 0x16,
++ 0x99, 0x35, 0xc8, 0x30, 0xcb, 0x3e, 0xa0, 0xd8
++};
++
++/* HMAC SHA-1 No PR */
++__fips_constseg static const unsigned char hmac_sha1_entropyinput[] = {
++ 0x32, 0x9a, 0x2a, 0x87, 0x7b, 0x89, 0x7c, 0xf6, 0xcb, 0x95, 0xd5, 0x40,
++ 0x17, 0xfe, 0x47, 0x70
++};
++
++__fips_constseg static const unsigned char hmac_sha1_nonce[] = {
++ 0x16, 0xd8, 0xe0, 0xc7, 0x52, 0xcf, 0x4a, 0x25
++};
++
++__fips_constseg static const unsigned char hmac_sha1_personalizationstring[] = {
++ 0x35, 0x35, 0xa9, 0xa5, 0x40, 0xbe, 0x9b, 0xd1, 0x56, 0xdd, 0x44, 0x00,
++ 0x72, 0xf7, 0xd3, 0x5e
++};
++
++__fips_constseg static const unsigned char hmac_sha1_additionalinput[] = {
++ 0x1b, 0x2c, 0x84, 0x2d, 0x4a, 0x89, 0x8f, 0x69, 0x19, 0xf1, 0xf3, 0xdb,
++ 0xbb, 0xe3, 0xaa, 0xea
++};
++
++__fips_constseg static const unsigned char hmac_sha1_int_returnedbits[] = {
++ 0xcf, 0xfa, 0x7d, 0x72, 0x0f, 0xe6, 0xc7, 0x96, 0xa0, 0x69, 0x31, 0x11,
++ 0x9b, 0x0b, 0x1a, 0x20, 0x1f, 0x3f, 0xaa, 0xd1
++};
++
++__fips_constseg static const unsigned char hmac_sha1_entropyinputreseed[] = {
++ 0x90, 0x75, 0x15, 0x04, 0x95, 0xf1, 0xba, 0x81, 0x0c, 0x37, 0x94, 0x6f,
++ 0x86, 0x52, 0x6d, 0x9c
++};
++
++__fips_constseg static const unsigned char hmac_sha1_additionalinputreseed[] = {
++ 0x5b, 0x40, 0xba, 0x5f, 0x17, 0x70, 0xf0, 0x4b, 0xdf, 0xc9, 0x97, 0x92,
++ 0x79, 0xc5, 0x82, 0x28
++};
++
++__fips_constseg static const unsigned char hmac_sha1_additionalinput2[] = {
++ 0x97, 0xc8, 0x80, 0x90, 0xb3, 0xaa, 0x6e, 0x60, 0xea, 0x83, 0x7a, 0xe3,
++ 0x8a, 0xca, 0xa4, 0x7f
++};
++
++__fips_constseg static const unsigned char hmac_sha1_returnedbits[] = {
++ 0x90, 0xbd, 0x05, 0x56, 0x6d, 0xb5, 0x22, 0xd5, 0xb9, 0x5a, 0x29, 0x2d,
++ 0xe9, 0x0b, 0xe1, 0xac, 0xde, 0x27, 0x0b, 0xb0
++};
++
++/* HMAC SHA-224 PR */
++__fips_constseg static const unsigned char hmac_sha224_pr_entropyinput[] = {
++ 0x17, 0x32, 0x2b, 0x2e, 0x6f, 0x1b, 0x9c, 0x6d, 0x31, 0xe0, 0x34, 0x07,
++ 0xcf, 0xed, 0xf6, 0xb6, 0x5a, 0x76, 0x4c, 0xbc, 0x62, 0x85, 0x01, 0x90
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_nonce[] = {
++ 0x38, 0xbf, 0x5f, 0x20, 0xb3, 0x68, 0x2f, 0x43, 0x61, 0x05, 0x8f, 0x23
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha224_pr_personalizationstring[] = {
++ 0xc0, 0xc9, 0x45, 0xac, 0x8d, 0x27, 0x77, 0x08, 0x0b, 0x17, 0x6d, 0xed,
++ 0xc1, 0x7d, 0xd5, 0x07, 0x9d, 0x6e, 0xf8, 0x23, 0x2a, 0x22, 0x13, 0xbd
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput[] = {
++ 0xa4, 0x3c, 0xe7, 0x3b, 0xea, 0x19, 0x45, 0x32, 0xc2, 0x83, 0x6d, 0x21,
++ 0x8a, 0xc0, 0xee, 0x67, 0x45, 0xde, 0x13, 0x7d, 0x9d, 0x61, 0x00, 0x3b
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr[] = {
++ 0x15, 0x05, 0x74, 0x4a, 0x7f, 0x8d, 0x5c, 0x60, 0x16, 0xe5, 0x7b, 0xad,
++ 0xf5, 0x41, 0x8f, 0x55, 0x60, 0xc4, 0x09, 0xee, 0x1e, 0x11, 0x81, 0xab
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_int_returnedbits[] = {
++ 0x6f, 0xf5, 0x9a, 0xe2, 0x54, 0x53, 0x30, 0x3d, 0x5a, 0x27, 0x29, 0x38,
++ 0x27, 0xf2, 0x0d, 0x05, 0xe9, 0x26, 0xcb, 0x16, 0xc3, 0x51, 0x5f, 0x13,
++ 0x41, 0xfe, 0x99, 0xf2
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput2[] = {
++ 0x73, 0x81, 0x88, 0x84, 0x8f, 0xed, 0x6f, 0x10, 0x9f, 0x93, 0xbf, 0x17,
++ 0x35, 0x7c, 0xef, 0xd5, 0x8d, 0x26, 0xa6, 0x7a, 0xe8, 0x09, 0x36, 0x4f
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr2[] = {
++ 0xe6, 0xcf, 0xcf, 0x7e, 0x12, 0xe5, 0x43, 0xd2, 0x38, 0xd8, 0x24, 0x6f,
++ 0x5a, 0x37, 0x68, 0xbf, 0x4f, 0xa0, 0xff, 0xd5, 0x61, 0x8a, 0x93, 0xe0
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_returnedbits[] = {
++ 0xaf, 0xf9, 0xd8, 0x19, 0x91, 0x30, 0x82, 0x6f, 0xa9, 0x1e, 0x9d, 0xd7,
++ 0xf3, 0x50, 0xe0, 0xc7, 0xd5, 0x64, 0x96, 0x7d, 0x4c, 0x4d, 0x78, 0x03,
++ 0x6d, 0xd8, 0x9e, 0x72
++};
++
++/* HMAC SHA-224 No PR */
++__fips_constseg static const unsigned char hmac_sha224_entropyinput[] = {
++ 0x11, 0x82, 0xfd, 0xd9, 0x42, 0xf4, 0xfa, 0xc8, 0xf2, 0x41, 0xe6, 0x54,
++ 0x01, 0xae, 0x22, 0x6e, 0xc6, 0xaf, 0xaf, 0xd0, 0xa6, 0xb2, 0xe2, 0x6d
++};
++
++__fips_constseg static const unsigned char hmac_sha224_nonce[] = {
++ 0xa9, 0x48, 0xd7, 0x92, 0x39, 0x7e, 0x2a, 0xdc, 0x30, 0x1f, 0x0e, 0x2b
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha224_personalizationstring[] = {
++ 0x11, 0xd5, 0xf4, 0xbd, 0x67, 0x8c, 0x31, 0xcf, 0xa3, 0x3f, 0x1e, 0x6b,
++ 0xa8, 0x07, 0x02, 0x0b, 0xc8, 0x2e, 0x6c, 0x64, 0x41, 0x5b, 0xc8, 0x37
++};
++
++__fips_constseg static const unsigned char hmac_sha224_additionalinput[] = {
++ 0x68, 0x18, 0xc2, 0x06, 0xeb, 0x3e, 0x04, 0x95, 0x44, 0x5e, 0xfb, 0xe6,
++ 0x41, 0xc1, 0x5c, 0xcc, 0x40, 0x2f, 0xb7, 0xd2, 0x0f, 0xf3, 0x6b, 0xe7
++};
++
++__fips_constseg static const unsigned char hmac_sha224_int_returnedbits[] = {
++ 0x7f, 0x45, 0xc7, 0x5d, 0x32, 0xe6, 0x17, 0x60, 0xba, 0xdc, 0xb8, 0x42,
++ 0x1b, 0x9c, 0xf1, 0xfa, 0x3b, 0x4d, 0x29, 0x54, 0xc6, 0x90, 0xff, 0x5c,
++ 0xcd, 0xd6, 0xa9, 0xcc
++};
++
++__fips_constseg static const unsigned char hmac_sha224_entropyinputreseed[] = {
++ 0xc4, 0x8e, 0x37, 0x95, 0x69, 0x53, 0x28, 0xd7, 0x37, 0xbb, 0x70, 0x95,
++ 0x1c, 0x07, 0x1d, 0xd9, 0xb7, 0xe6, 0x1b, 0xbb, 0xfe, 0x41, 0xeb, 0xc9
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha224_additionalinputreseed[] = {
++ 0x53, 0x17, 0xa1, 0x6a, 0xfa, 0x77, 0x47, 0xb0, 0x95, 0x56, 0x9a, 0x20,
++ 0x57, 0xde, 0x5c, 0x89, 0x9f, 0x7f, 0xe2, 0xde, 0x17, 0x3a, 0x50, 0x23
++};
++
++__fips_constseg static const unsigned char hmac_sha224_additionalinput2[] = {
++ 0x3a, 0x32, 0xf9, 0x85, 0x0c, 0xc1, 0xed, 0x76, 0x2d, 0xdf, 0x40, 0xc3,
++ 0x06, 0x22, 0x66, 0xd4, 0x9a, 0x9a, 0xff, 0x5a, 0x7e, 0x7a, 0xf3, 0x96
++};
++
++__fips_constseg static const unsigned char hmac_sha224_returnedbits[] = {
++ 0x43, 0xb4, 0x57, 0x5c, 0x38, 0x25, 0x9d, 0xae, 0xec, 0x96, 0xd1, 0x85,
++ 0x3a, 0x84, 0x8d, 0xfe, 0x68, 0xd5, 0x0e, 0x5c, 0x8f, 0x65, 0xa5, 0x4e,
++ 0x45, 0x84, 0xa8, 0x94
++};
++
++/* HMAC SHA-256 PR */
++__fips_constseg static const unsigned char hmac_sha256_pr_entropyinput[] = {
++ 0x4d, 0xb0, 0x43, 0xd8, 0x34, 0x4b, 0x10, 0x70, 0xb1, 0x8b, 0xed, 0xea,
++ 0x07, 0x92, 0x9f, 0x6c, 0x79, 0x31, 0xaf, 0x81, 0x29, 0xeb, 0x6e, 0xca,
++ 0x32, 0x48, 0x28, 0xe7, 0x02, 0x5d, 0xa6, 0xa6
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_nonce[] = {
++ 0x3a, 0xae, 0x15, 0xa9, 0x99, 0xdc, 0xe4, 0x67, 0x34, 0x3b, 0x70, 0x15,
++ 0xaa, 0xd3, 0x30, 0x9a
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha256_pr_personalizationstring[] = {
++ 0x13, 0x1d, 0x24, 0x04, 0xb0, 0x18, 0x81, 0x15, 0x21, 0x51, 0x2a, 0x24,
++ 0x52, 0x61, 0xbe, 0x64, 0x82, 0x6b, 0x55, 0x2f, 0xe2, 0xf1, 0x40, 0x7d,
++ 0x71, 0xd8, 0x01, 0x86, 0x15, 0xb7, 0x8b, 0xb5
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput[] = {
++ 0x8f, 0xa6, 0x54, 0x5f, 0xb1, 0xd0, 0xd8, 0xc3, 0xe7, 0x0c, 0x15, 0xa9,
++ 0x23, 0x6e, 0xfe, 0xfb, 0x93, 0xf7, 0x3a, 0xbd, 0x59, 0x01, 0xfa, 0x18,
++ 0x8e, 0xe9, 0x1a, 0xa9, 0x78, 0xfc, 0x79, 0x0b
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr[] = {
++ 0xcf, 0x24, 0xb9, 0xeb, 0xb3, 0xd4, 0xcd, 0x17, 0x37, 0x38, 0x75, 0x79,
++ 0x15, 0xcb, 0x2d, 0x75, 0x51, 0xf1, 0xcc, 0xaa, 0x32, 0xa4, 0xa7, 0x36,
++ 0x7c, 0x5c, 0xe4, 0x47, 0xf1, 0x3e, 0x1d, 0xe5
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_int_returnedbits[] = {
++ 0x52, 0x42, 0xfa, 0xeb, 0x85, 0xe0, 0x30, 0x22, 0x79, 0x00, 0x16, 0xb2,
++ 0x88, 0x2f, 0x14, 0x6a, 0xb7, 0xfc, 0xb7, 0x53, 0xdc, 0x4a, 0x12, 0xef,
++ 0x54, 0xd6, 0x33, 0xe9, 0x20, 0xd6, 0xfd, 0x56
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput2[] = {
++ 0xf4, 0xf6, 0x49, 0xa1, 0x2d, 0x64, 0x2b, 0x30, 0x58, 0xf8, 0xbd, 0xb8,
++ 0x75, 0xeb, 0xbb, 0x5e, 0x1c, 0x9b, 0x81, 0x6a, 0xda, 0x14, 0x86, 0x6e,
++ 0xd0, 0xda, 0x18, 0xb7, 0x88, 0xfb, 0x59, 0xf3
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr2[] = {
++ 0x21, 0xcd, 0x6e, 0x46, 0xad, 0x99, 0x07, 0x17, 0xb4, 0x3d, 0x76, 0x0a,
++ 0xff, 0x5b, 0x52, 0x50, 0x78, 0xdf, 0x1f, 0x24, 0x06, 0x0d, 0x3f, 0x74,
++ 0xa9, 0xc9, 0x37, 0xcf, 0xd8, 0x26, 0x25, 0x91
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_returnedbits[] = {
++ 0xa7, 0xaf, 0x2f, 0x29, 0xe0, 0x3a, 0x72, 0x95, 0x96, 0x1c, 0xa9, 0xf0,
++ 0x4a, 0x17, 0x4d, 0x66, 0x06, 0x10, 0xbf, 0x39, 0x89, 0x88, 0xb8, 0x91,
++ 0x37, 0x18, 0x99, 0xcf, 0x8c, 0x53, 0x3b, 0x7e
++};
++
++/* HMAC SHA-256 No PR */
++__fips_constseg static const unsigned char hmac_sha256_entropyinput[] = {
++ 0x96, 0xb7, 0x53, 0x22, 0x1e, 0x52, 0x2a, 0x96, 0xb1, 0x15, 0x3c, 0x35,
++ 0x5a, 0x8b, 0xd3, 0x4a, 0xa6, 0x6c, 0x83, 0x0a, 0x7d, 0xa3, 0x23, 0x3d,
++ 0x43, 0xa1, 0x07, 0x2c, 0x2d, 0xe3, 0x81, 0xcc
++};
++
++__fips_constseg static const unsigned char hmac_sha256_nonce[] = {
++ 0xf1, 0xac, 0x97, 0xcb, 0x5e, 0x06, 0x48, 0xd2, 0x94, 0xbe, 0x15, 0x2e,
++ 0xc7, 0xfc, 0xc2, 0x01
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha256_personalizationstring[] = {
++ 0x98, 0xc5, 0x1e, 0x35, 0x5e, 0x89, 0x0d, 0xce, 0x64, 0x6d, 0x18, 0xa7,
++ 0x5a, 0xc6, 0xf3, 0xe7, 0xd6, 0x9e, 0xc0, 0xea, 0xb7, 0x3a, 0x8d, 0x65,
++ 0xb8, 0xeb, 0x10, 0xd7, 0x57, 0x18, 0xa0, 0x32
++};
++
++__fips_constseg static const unsigned char hmac_sha256_additionalinput[] = {
++ 0x1b, 0x10, 0xaf, 0xac, 0xd0, 0x65, 0x95, 0xad, 0x04, 0xad, 0x03, 0x1c,
++ 0xe0, 0x40, 0xd6, 0x3e, 0x1c, 0x46, 0x53, 0x39, 0x7c, 0xe2, 0xbc, 0xda,
++ 0x8c, 0xa2, 0x33, 0xa7, 0x9a, 0x26, 0xd3, 0x27
++};
++
++__fips_constseg static const unsigned char hmac_sha256_int_returnedbits[] = {
++ 0xba, 0x61, 0x0e, 0x55, 0xfe, 0x11, 0x8a, 0x9e, 0x0f, 0x80, 0xdf, 0x1d,
++ 0x03, 0x0a, 0xfe, 0x15, 0x94, 0x28, 0x4b, 0xba, 0xf4, 0x9f, 0x51, 0x25,
++ 0x88, 0xe5, 0x4e, 0xfb, 0xaf, 0xce, 0x69, 0x90
++};
++
++__fips_constseg static const unsigned char hmac_sha256_entropyinputreseed[] = {
++ 0x62, 0x7f, 0x1e, 0x6b, 0xe8, 0x8e, 0xe1, 0x35, 0x7d, 0x9b, 0x4f, 0xc7,
++ 0xec, 0xc8, 0xac, 0xef, 0x6b, 0x13, 0x9e, 0x05, 0x56, 0xc1, 0x08, 0xf9,
++ 0x2f, 0x0f, 0x27, 0x9c, 0xd4, 0x15, 0xed, 0x2d
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha256_additionalinputreseed[] = {
++ 0xc7, 0x76, 0x6e, 0xa9, 0xd2, 0xb2, 0x76, 0x40, 0x82, 0x25, 0x2c, 0xb3,
++ 0x6f, 0xac, 0xe9, 0x74, 0xef, 0x8f, 0x3c, 0x8e, 0xcd, 0xf1, 0xbf, 0xb3,
++ 0x49, 0x77, 0x34, 0x88, 0x52, 0x36, 0xe6, 0x2e
++};
++
++__fips_constseg static const unsigned char hmac_sha256_additionalinput2[] = {
++ 0x8d, 0xb8, 0x0c, 0xd1, 0xbf, 0x70, 0xf6, 0x19, 0xc3, 0x41, 0x80, 0x9f,
++ 0xe1, 0xa5, 0xa4, 0x1f, 0x2c, 0x26, 0xb1, 0xe5, 0xd8, 0xeb, 0xbe, 0xf8,
++ 0xdf, 0x88, 0x6a, 0x89, 0xd6, 0x05, 0xd8, 0x9d
++};
++
++__fips_constseg static const unsigned char hmac_sha256_returnedbits[] = {
++ 0x43, 0x12, 0x2a, 0x2c, 0x40, 0x53, 0x2e, 0x7c, 0x66, 0x34, 0xac, 0xc3,
++ 0x43, 0xe3, 0xe0, 0x6a, 0xfc, 0xfa, 0xea, 0x87, 0x21, 0x1f, 0xe2, 0x26,
++ 0xc4, 0xf9, 0x09, 0x9a, 0x0d, 0x6e, 0x7f, 0xe0
++};
++
++/* HMAC SHA-384 PR */
++__fips_constseg static const unsigned char hmac_sha384_pr_entropyinput[] = {
++ 0x69, 0x81, 0x98, 0x88, 0x44, 0xf5, 0xd6, 0x2e, 0x00, 0x08, 0x3b, 0xc5,
++ 0xfb, 0xd7, 0x8e, 0x6f, 0x23, 0xf8, 0x6d, 0x09, 0xd6, 0x85, 0x49, 0xd1,
++ 0xf8, 0x6d, 0xa4, 0x58, 0x54, 0xfd, 0x88, 0xa9
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_nonce[] = {
++ 0x6e, 0x38, 0x81, 0xca, 0xb7, 0xe8, 0x6e, 0x66, 0x49, 0x8a, 0xb2, 0x59,
++ 0xee, 0x16, 0xc9, 0xde
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha384_pr_personalizationstring[] = {
++ 0xfe, 0x4c, 0xd9, 0xf4, 0x78, 0x3b, 0x08, 0x41, 0x8d, 0x8f, 0x55, 0xc4,
++ 0x43, 0x56, 0xb6, 0x12, 0x36, 0x6b, 0x30, 0xb7, 0x5e, 0xe1, 0xb9, 0x47,
++ 0x04, 0xb1, 0x4e, 0xa9, 0x00, 0xa1, 0x52, 0xa1
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput[] = {
++ 0x89, 0xe9, 0xcc, 0x8f, 0x27, 0x3c, 0x26, 0xd1, 0x95, 0xc8, 0x7d, 0x0f,
++ 0x5b, 0x1a, 0xf0, 0x78, 0x39, 0x56, 0x6f, 0xa4, 0x23, 0xe7, 0xd1, 0xda,
++ 0x7c, 0x66, 0x33, 0xa0, 0x90, 0xc9, 0x92, 0x88
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr[] = {
++ 0xbe, 0x3d, 0x7c, 0x0d, 0xca, 0xda, 0x7c, 0x49, 0xb8, 0x12, 0x36, 0xc0,
++ 0xdb, 0xad, 0x35, 0xa8, 0xc7, 0x0b, 0x2a, 0x2c, 0x69, 0x6d, 0x25, 0x56,
++ 0x63, 0x82, 0x11, 0x3e, 0xa7, 0x33, 0x70, 0x72
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_int_returnedbits[] = {
++ 0x82, 0x3d, 0xe6, 0x54, 0x80, 0x42, 0xf8, 0xba, 0x90, 0x4f, 0x06, 0xa6,
++ 0xd2, 0x7f, 0xbf, 0x79, 0x7c, 0x12, 0x7d, 0xa6, 0xa2, 0x66, 0xe8, 0xa6,
++ 0xc0, 0xd6, 0x4a, 0x55, 0xbf, 0xd8, 0x0a, 0xc5, 0xf8, 0x03, 0x88, 0xdd,
++ 0x8e, 0x87, 0xd1, 0x5a, 0x48, 0x26, 0x72, 0x2a, 0x8e, 0xcf, 0xee, 0xba
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput2[] = {
++ 0x8f, 0xff, 0xd9, 0x84, 0xbb, 0x85, 0x3a, 0x66, 0xa1, 0x21, 0xce, 0xb2,
++ 0x3a, 0x3a, 0x17, 0x22, 0x19, 0xae, 0xc7, 0xb6, 0x63, 0x81, 0xd5, 0xff,
++ 0x0d, 0xc8, 0xe1, 0xaf, 0x57, 0xd2, 0xcb, 0x60
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr2[] = {
++ 0xd7, 0xfb, 0xc9, 0xe8, 0xe2, 0xf2, 0xaa, 0x4c, 0xb8, 0x51, 0x2f, 0xe1,
++ 0x22, 0xba, 0xf3, 0xda, 0x0a, 0x19, 0x76, 0x71, 0x57, 0xb2, 0x1d, 0x94,
++ 0x09, 0x69, 0x6c, 0xd3, 0x97, 0x51, 0x81, 0x87
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_returnedbits[] = {
++ 0xe6, 0x19, 0x28, 0xa8, 0x21, 0xce, 0x5e, 0xdb, 0x24, 0x79, 0x8c, 0x76,
++ 0x5d, 0x73, 0xb2, 0xdf, 0xac, 0xef, 0x85, 0xa7, 0x3b, 0x19, 0x09, 0x8b,
++ 0x7f, 0x98, 0x28, 0xa9, 0x93, 0xd8, 0x7a, 0xad, 0x55, 0x8b, 0x24, 0x9d,
++ 0xe6, 0x98, 0xfe, 0x47, 0xd5, 0x48, 0xc1, 0x23, 0xd8, 0x1d, 0x62, 0x75
++};
++
++/* HMAC SHA-384 No PR */
++__fips_constseg static const unsigned char hmac_sha384_entropyinput[] = {
++ 0xc3, 0x56, 0x2b, 0x1d, 0xc2, 0xbb, 0xa8, 0xf0, 0xae, 0x1b, 0x0d, 0xd3,
++ 0x5a, 0x6c, 0xda, 0x57, 0x8e, 0xa5, 0x8a, 0x0d, 0x6c, 0x4b, 0x18, 0xb1,
++ 0x04, 0x3e, 0xb4, 0x99, 0x35, 0xc4, 0xc0, 0x5f
++};
++
++__fips_constseg static const unsigned char hmac_sha384_nonce[] = {
++ 0xc5, 0x49, 0x1e, 0x66, 0x27, 0x92, 0xbe, 0xec, 0xb5, 0x1e, 0x4b, 0xb1,
++ 0x38, 0xe3, 0xeb, 0x62
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha384_personalizationstring[] = {
++ 0xbe, 0xe7, 0x6b, 0x57, 0xde, 0x88, 0x11, 0x96, 0x9b, 0x6e, 0xea, 0xe5,
++ 0x63, 0x83, 0x4c, 0xb6, 0x8d, 0x66, 0xaa, 0x1f, 0x8b, 0x54, 0xe7, 0x62,
++ 0x6d, 0x5a, 0xfc, 0xbf, 0x97, 0xba, 0xcd, 0x77
++};
++
++__fips_constseg static const unsigned char hmac_sha384_additionalinput[] = {
++ 0xe5, 0x28, 0x5f, 0x43, 0xf5, 0x83, 0x6e, 0x0a, 0x83, 0x5c, 0xe3, 0x81,
++ 0x03, 0xf2, 0xf8, 0x78, 0x00, 0x7c, 0x95, 0x87, 0x16, 0xd6, 0x6c, 0x58,
++ 0x33, 0x6c, 0x53, 0x35, 0x0d, 0x66, 0xe3, 0xce
++};
++
++__fips_constseg static const unsigned char hmac_sha384_int_returnedbits[] = {
++ 0xe2, 0x1f, 0xf3, 0xda, 0x0d, 0x19, 0x99, 0x87, 0xc4, 0x90, 0xa2, 0x31,
++ 0xca, 0x2a, 0x89, 0x58, 0x43, 0x44, 0xb8, 0xde, 0xcf, 0xa4, 0xbe, 0x3b,
++ 0x53, 0x26, 0x22, 0x31, 0x76, 0x41, 0x22, 0xb5, 0xa8, 0x70, 0x2f, 0x4b,
++ 0x64, 0x95, 0x4d, 0x48, 0x96, 0x35, 0xe6, 0xbd, 0x3c, 0x34, 0xdb, 0x1b
++};
++
++__fips_constseg static const unsigned char hmac_sha384_entropyinputreseed[] = {
++ 0x77, 0x61, 0xba, 0xbc, 0xf2, 0xc1, 0xf3, 0x4b, 0x86, 0x65, 0xfd, 0x48,
++ 0x0e, 0x3c, 0x02, 0x5e, 0xa2, 0x7a, 0x6b, 0x7c, 0xed, 0x21, 0x5e, 0xf9,
++ 0xcd, 0xcd, 0x77, 0x07, 0x2b, 0xbe, 0xc5, 0x5c
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha384_additionalinputreseed[] = {
++ 0x18, 0x24, 0x5f, 0xc6, 0x84, 0xd1, 0x67, 0xc3, 0x9a, 0x11, 0xa5, 0x8c,
++ 0x07, 0x39, 0x21, 0x83, 0x4d, 0x04, 0xc4, 0x6a, 0x28, 0x19, 0xcf, 0x92,
++ 0x21, 0xd9, 0x9e, 0x41, 0x72, 0x6c, 0x9e, 0x63
++};
++
++__fips_constseg static const unsigned char hmac_sha384_additionalinput2[] = {
++ 0x96, 0x67, 0x41, 0x28, 0x9b, 0xb7, 0x92, 0x8d, 0x64, 0x3b, 0xe4, 0xcf,
++ 0x7e, 0xaa, 0x1e, 0xb1, 0x4b, 0x1d, 0x09, 0x56, 0x67, 0x9c, 0xc6, 0x6d,
++ 0x3b, 0xe8, 0x91, 0x9d, 0xe1, 0x8a, 0xb7, 0x32
++};
++
++__fips_constseg static const unsigned char hmac_sha384_returnedbits[] = {
++ 0xe3, 0x59, 0x61, 0x38, 0x92, 0xec, 0xe2, 0x3c, 0xff, 0xb7, 0xdb, 0x19,
++ 0x0f, 0x5b, 0x93, 0x68, 0x0d, 0xa4, 0x94, 0x40, 0x72, 0x0b, 0xe0, 0xed,
++ 0x4d, 0xcd, 0x68, 0xa0, 0x1e, 0xfe, 0x67, 0xb2, 0xfa, 0x21, 0x56, 0x74,
++ 0xa4, 0xad, 0xcf, 0xb7, 0x60, 0x66, 0x2e, 0x40, 0xde, 0x82, 0xca, 0xfb
++};
++
++/* HMAC SHA-512 PR */
++__fips_constseg static const unsigned char hmac_sha512_pr_entropyinput[] = {
++ 0xaa, 0x9e, 0x45, 0x67, 0x0e, 0x00, 0x2a, 0x67, 0x98, 0xd6, 0xda, 0x0b,
++ 0x0f, 0x17, 0x7e, 0xac, 0xfd, 0x27, 0xc4, 0xca, 0x84, 0xdf, 0xde, 0xba,
++ 0x85, 0xd9, 0xbe, 0x8f, 0xf3, 0xff, 0x91, 0x4d
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_nonce[] = {
++ 0x8c, 0x49, 0x2f, 0x58, 0x1e, 0x7a, 0xda, 0x4b, 0x7e, 0x8a, 0x30, 0x7b,
++ 0x86, 0xea, 0xaf, 0xa2
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha512_pr_personalizationstring[] = {
++ 0x71, 0xe1, 0xbb, 0xad, 0xa7, 0x4b, 0x2e, 0x31, 0x3b, 0x0b, 0xec, 0x24,
++ 0x99, 0x38, 0xbc, 0xaa, 0x05, 0x4c, 0x46, 0x44, 0xfa, 0xad, 0x8e, 0x02,
++ 0xc1, 0x7e, 0xad, 0xec, 0x54, 0xa6, 0xd0, 0xad
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput[] = {
++ 0x3d, 0x6e, 0xa6, 0xa8, 0x29, 0x2a, 0xb2, 0xf5, 0x98, 0x42, 0xe4, 0x92,
++ 0x78, 0x22, 0x67, 0xfd, 0x1b, 0x15, 0x1e, 0x29, 0xaa, 0x71, 0x3c, 0x3c,
++ 0xe7, 0x05, 0x20, 0xa9, 0x29, 0xc6, 0x75, 0x71
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr[] = {
++ 0xab, 0xb9, 0x16, 0xd8, 0x55, 0x35, 0x54, 0xb7, 0x97, 0x3f, 0x94, 0xbc,
++ 0x2f, 0x7c, 0x70, 0xc7, 0xd0, 0xed, 0xb7, 0x4b, 0xf7, 0xf6, 0x6c, 0x03,
++ 0x0c, 0xb0, 0x03, 0xd8, 0xbb, 0x71, 0xd9, 0x10
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_int_returnedbits[] = {
++ 0x8e, 0xd3, 0xfd, 0x52, 0x9e, 0x83, 0x08, 0x49, 0x18, 0x6e, 0x23, 0x56,
++ 0x5c, 0x45, 0x93, 0x34, 0x05, 0xe2, 0x98, 0x8f, 0x0c, 0xd4, 0x32, 0x0c,
++ 0xfd, 0xda, 0x5f, 0x92, 0x3a, 0x8c, 0x81, 0xbd, 0xf6, 0x6c, 0x55, 0xfd,
++ 0xb8, 0x20, 0xce, 0x8d, 0x97, 0x27, 0xe8, 0xe8, 0xe0, 0xb3, 0x85, 0x50,
++ 0xa2, 0xc2, 0xb2, 0x95, 0x1d, 0x48, 0xd3, 0x7b, 0x4b, 0x78, 0x13, 0x35,
++ 0x05, 0x17, 0xbe, 0x0d
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput2[] = {
++ 0xc3, 0xfc, 0x95, 0xaa, 0x69, 0x06, 0xae, 0x59, 0x41, 0xce, 0x26, 0x08,
++ 0x29, 0x6d, 0x45, 0xda, 0xe8, 0xb3, 0x6c, 0x95, 0x60, 0x0f, 0x70, 0x2c,
++ 0x10, 0xba, 0x38, 0x8c, 0xcf, 0x29, 0x99, 0xaa
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr2[] = {
++ 0x3b, 0x9a, 0x25, 0xce, 0xd7, 0xf9, 0x5c, 0xd1, 0x3a, 0x3e, 0xaa, 0x71,
++ 0x14, 0x3e, 0x19, 0xe8, 0xce, 0xe6, 0xfe, 0x51, 0x84, 0xe9, 0x1b, 0xfe,
++ 0x3f, 0xa7, 0xf2, 0xfd, 0x76, 0x5f, 0x6a, 0xe7
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_returnedbits[] = {
++ 0xb7, 0x82, 0xa9, 0x57, 0x81, 0x67, 0x53, 0xb5, 0xa1, 0xe9, 0x3d, 0x35,
++ 0xf9, 0xe4, 0x97, 0xbe, 0xa6, 0xca, 0xf1, 0x01, 0x13, 0x09, 0xe7, 0x21,
++ 0xc0, 0xed, 0x93, 0x5d, 0x4b, 0xf4, 0xeb, 0x8d, 0x53, 0x25, 0x8a, 0xc4,
++ 0xb1, 0x6f, 0x6e, 0x37, 0xcd, 0x2e, 0xac, 0x39, 0xb2, 0xb6, 0x99, 0xa3,
++ 0x82, 0x00, 0xb0, 0x21, 0xf0, 0xc7, 0x2f, 0x4c, 0x73, 0x92, 0xfd, 0x00,
++ 0xb6, 0xaf, 0xbc, 0xd3
++};
++
++/* HMAC SHA-512 No PR */
++__fips_constseg static const unsigned char hmac_sha512_entropyinput[] = {
++ 0x6e, 0x85, 0xe6, 0x25, 0x96, 0x29, 0xa7, 0x52, 0x5b, 0x60, 0xba, 0xaa,
++ 0xde, 0xdb, 0x36, 0x0a, 0x51, 0x9a, 0x15, 0xae, 0x6e, 0x18, 0xd3, 0xfe,
++ 0x39, 0xb9, 0x4a, 0x96, 0xf8, 0x77, 0xcb, 0x95
++};
++
++__fips_constseg static const unsigned char hmac_sha512_nonce[] = {
++ 0xe0, 0xa6, 0x5d, 0x08, 0xc3, 0x7c, 0xae, 0x25, 0x2e, 0x80, 0xd1, 0x3e,
++ 0xd9, 0xaf, 0x43, 0x3c
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha512_personalizationstring[] = {
++ 0x53, 0x99, 0x52, 0x5f, 0x11, 0xa9, 0x64, 0x66, 0x20, 0x5e, 0x1b, 0x5f,
++ 0x42, 0xb3, 0xf4, 0xda, 0xed, 0xbb, 0x63, 0xc1, 0x23, 0xaf, 0xd0, 0x01,
++ 0x90, 0x3b, 0xd0, 0x78, 0xe4, 0x0b, 0xa7, 0x20
++};
++
++__fips_constseg static const unsigned char hmac_sha512_additionalinput[] = {
++ 0x85, 0x90, 0x80, 0xd3, 0x98, 0xf1, 0x53, 0x6d, 0x68, 0x15, 0x8f, 0xe5,
++ 0x60, 0x3f, 0x17, 0x29, 0x55, 0x8d, 0x33, 0xb1, 0x45, 0x64, 0x64, 0x8d,
++ 0x50, 0x21, 0x89, 0xae, 0xf6, 0xfd, 0x32, 0x73
++};
++
++__fips_constseg static const unsigned char hmac_sha512_int_returnedbits[] = {
++ 0x28, 0x56, 0x30, 0x6f, 0xf4, 0xa1, 0x48, 0xe0, 0xc9, 0xf5, 0x75, 0x90,
++ 0xcc, 0xfb, 0xdf, 0xdf, 0x71, 0x3d, 0x0a, 0x9a, 0x03, 0x65, 0x3b, 0x18,
++ 0x61, 0xe3, 0xd1, 0xda, 0xcc, 0x4a, 0xfe, 0x55, 0x38, 0xf8, 0x21, 0x6b,
++ 0xfa, 0x18, 0x01, 0x42, 0x39, 0x2f, 0x99, 0x53, 0x38, 0x15, 0x82, 0x34,
++ 0xc5, 0x93, 0x92, 0xbc, 0x4d, 0x75, 0x1a, 0x5f, 0x21, 0x27, 0xcc, 0xa1,
++ 0xb1, 0x57, 0x69, 0xe8
++};
++
++__fips_constseg static const unsigned char hmac_sha512_entropyinputreseed[] = {
++ 0x8c, 0x52, 0x7e, 0x77, 0x72, 0x3f, 0xa3, 0x04, 0x97, 0x10, 0x9b, 0x41,
++ 0xbd, 0xe8, 0xff, 0x89, 0xed, 0x80, 0xe3, 0xbd, 0xaa, 0x12, 0x2d, 0xca,
++ 0x75, 0x82, 0x36, 0x77, 0x88, 0xcd, 0xa6, 0x73
++};
++
++__fips_constseg
++ static const unsigned char hmac_sha512_additionalinputreseed[] = {
++ 0x7e, 0x32, 0xe3, 0x69, 0x69, 0x07, 0x34, 0xa2, 0x16, 0xa2, 0x5d, 0x1a,
++ 0x10, 0x91, 0xd3, 0xe2, 0x21, 0xa2, 0xa3, 0xdd, 0xcd, 0x0c, 0x09, 0x86,
++ 0x11, 0xe1, 0x50, 0xff, 0x5c, 0xb7, 0xeb, 0x5c
++};
++
++__fips_constseg static const unsigned char hmac_sha512_additionalinput2[] = {
++ 0x7f, 0x78, 0x66, 0xd8, 0xfb, 0x67, 0xcf, 0x8d, 0x8c, 0x08, 0x30, 0xa5,
++ 0xf8, 0x7d, 0xcf, 0x44, 0x59, 0xce, 0xf8, 0xdf, 0x58, 0xd3, 0x60, 0xcb,
++ 0xa8, 0x60, 0xb9, 0x07, 0xc4, 0xb1, 0x95, 0x48
++};
++
++__fips_constseg static const unsigned char hmac_sha512_returnedbits[] = {
++ 0xdf, 0xa7, 0x36, 0xd4, 0xdc, 0x5d, 0x4d, 0x31, 0xad, 0x69, 0x46, 0x9f,
++ 0xf1, 0x7c, 0xd7, 0x3b, 0x4f, 0x55, 0xf2, 0xd7, 0xb9, 0x9d, 0xad, 0x7a,
++ 0x79, 0x08, 0x59, 0xa5, 0xdc, 0x74, 0xf5, 0x9b, 0x73, 0xd2, 0x13, 0x25,
++ 0x0b, 0x81, 0x08, 0x08, 0x25, 0xfb, 0x39, 0xf2, 0xf0, 0xa3, 0xa4, 0x8d,
++ 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79,
++ 0xc2, 0xd6, 0xfd, 0xa5
++};
+diff -up openssl-1.0.2c/crypto/fips/fips_dsa_selftest.c.fips openssl-1.0.2c/crypto/fips/fips_dsa_selftest.c
+--- openssl-1.0.2c/crypto/fips/fips_dsa_selftest.c.fips 2015-06-15 17:30:00.008283982 +0200
++++ openssl-1.0.2c/crypto/fips/fips_dsa_selftest.c 2015-06-15 17:30:00.008283982 +0200
+@@ -0,0 +1,192 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/dsa.h>
++#include <openssl/fips.h>
++#include <openssl/err.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++static const unsigned char dsa_test_2048_p[] = {
++ 0xa8, 0x53, 0x78, 0xd8, 0xfd, 0x3f, 0x8d, 0x72, 0xec, 0x74, 0x18, 0x08,
++ 0x0d, 0xa2, 0x13, 0x17, 0xe4, 0x3e, 0xc4, 0xb6, 0x2b, 0xa8, 0xc8, 0x62,
++ 0x3b, 0x7e, 0x4d, 0x04, 0x44, 0x1d, 0xd1, 0xa0, 0x65, 0x86, 0x62, 0x59,
++ 0x64, 0x93, 0xca, 0x8e, 0x9e, 0x8f, 0xbb, 0x7e, 0x34, 0xaa, 0xdd, 0xb6,
++ 0x2e, 0x5d, 0x67, 0xb6, 0xd0, 0x9a, 0x6e, 0x61, 0xb7, 0x69, 0xe7, 0xc3,
++ 0x52, 0xaa, 0x2b, 0x10, 0xe2, 0x0c, 0xa0, 0x63, 0x69, 0x63, 0xb5, 0x52,
++ 0x3e, 0x86, 0x47, 0x0d, 0xec, 0xbb, 0xed, 0xa0, 0x27, 0xe7, 0x97, 0xe7,
++ 0xb6, 0x76, 0x35, 0xd4, 0xd4, 0x9c, 0x30, 0x70, 0x0e, 0x74, 0xaf, 0x8a,
++ 0x0f, 0xf1, 0x56, 0xa8, 0x01, 0xaf, 0x57, 0xa2, 0x6e, 0x70, 0x78, 0xf1,
++ 0xd8, 0x2f, 0x74, 0x90, 0x8e, 0xcb, 0x6d, 0x07, 0xe7, 0x0b, 0x35, 0x03,
++ 0xee, 0xd9, 0x4f, 0xa3, 0x2c, 0xf1, 0x7a, 0x7f, 0xc3, 0xd6, 0xcf, 0x40,
++ 0xdc, 0x7b, 0x00, 0x83, 0x0e, 0x6a, 0x25, 0x66, 0xdc, 0x07, 0x3e, 0x34,
++ 0x33, 0x12, 0x51, 0x7c, 0x6a, 0xa5, 0x15, 0x2b, 0x4b, 0xfe, 0xcd, 0x2e,
++ 0x55, 0x1f, 0xee, 0x34, 0x63, 0x18, 0xa1, 0x53, 0x42, 0x3c, 0x99, 0x6b,
++ 0x0d, 0x5d, 0xcb, 0x91, 0x02, 0xae, 0xdd, 0x38, 0x79, 0x86, 0x16, 0xf1,
++ 0xf1, 0xe0, 0xd6, 0xc4, 0x03, 0x52, 0x5b, 0x1f, 0x9b, 0x3d, 0x4d, 0xc7,
++ 0x66, 0xde, 0x2d, 0xfc, 0x4a, 0x56, 0xd7, 0xb8, 0xba, 0x59, 0x63, 0xd6,
++ 0x0f, 0x3e, 0x16, 0x31, 0x88, 0x70, 0xad, 0x43, 0x69, 0x52, 0xe5, 0x57,
++ 0x65, 0x37, 0x4e, 0xab, 0x85, 0xe8, 0xec, 0x17, 0xd6, 0xb9, 0xa4, 0x54,
++ 0x7b, 0x9b, 0x5f, 0x27, 0x52, 0xf3, 0x10, 0x5b, 0xe8, 0x09, 0xb2, 0x3a,
++ 0x2c, 0x8d, 0x74, 0x69, 0xdb, 0x02, 0xe2, 0x4d, 0x59, 0x23, 0x94, 0xa7,
++ 0xdb, 0xa0, 0x69, 0xe9
++};
++
++static const unsigned char dsa_test_2048_q[] = {
++ 0xd2, 0x77, 0x04, 0x4e, 0x50, 0xf5, 0xa4, 0xe3, 0xf5, 0x10, 0xa5, 0x0a,
++ 0x0b, 0x84, 0xfd, 0xff, 0xbc, 0xa0, 0x47, 0xed, 0x27, 0x60, 0x20, 0x56,
++ 0x74, 0x41, 0xa0, 0xa5
++};
++
++static const unsigned char dsa_test_2048_g[] = {
++ 0x13, 0xd7, 0x54, 0xe2, 0x1f, 0xd2, 0x41, 0x65, 0x5d, 0xa8, 0x91, 0xc5,
++ 0x22, 0xa6, 0x5a, 0x72, 0xa8, 0x9b, 0xdc, 0x64, 0xec, 0x9b, 0x54, 0xa8,
++ 0x21, 0xed, 0x4a, 0x89, 0x8b, 0x49, 0x0e, 0x0c, 0x4f, 0xcb, 0x72, 0x19,
++ 0x2a, 0x4a, 0x20, 0xf5, 0x41, 0xf3, 0xf2, 0x92, 0x53, 0x99, 0xf0, 0xba,
++ 0xec, 0xf9, 0x29, 0xaa, 0xfb, 0xf7, 0x9d, 0xfe, 0x43, 0x32, 0x39, 0x3b,
++ 0x32, 0xcd, 0x2e, 0x2f, 0xcf, 0x27, 0x2f, 0x32, 0xa6, 0x27, 0x43, 0x4a,
++ 0x0d, 0xf2, 0x42, 0xb7, 0x5b, 0x41, 0x4d, 0xf3, 0x72, 0x12, 0x1e, 0x53,
++ 0xa5, 0x53, 0xf2, 0x22, 0xf8, 0x36, 0xb0, 0x00, 0xf0, 0x16, 0x48, 0x5b,
++ 0x6b, 0xd0, 0x89, 0x84, 0x51, 0x80, 0x1d, 0xcd, 0x8d, 0xe6, 0x4c, 0xd5,
++ 0x36, 0x56, 0x96, 0xff, 0xc5, 0x32, 0xd5, 0x28, 0xc5, 0x06, 0x62, 0x0a,
++ 0x94, 0x2a, 0x03, 0x05, 0x04, 0x6d, 0x8f, 0x18, 0x76, 0x34, 0x1f, 0x1e,
++ 0x57, 0x0b, 0xc3, 0x97, 0x4b, 0xa6, 0xb9, 0xa4, 0x38, 0xe9, 0x70, 0x23,
++ 0x02, 0xa2, 0xe6, 0xe6, 0x7b, 0xfd, 0x06, 0xd3, 0x2b, 0xc6, 0x79, 0x96,
++ 0x22, 0x71, 0xd7, 0xb4, 0x0c, 0xd7, 0x2f, 0x38, 0x6e, 0x64, 0xe0, 0xd7,
++ 0xef, 0x86, 0xca, 0x8c, 0xa5, 0xd1, 0x42, 0x28, 0xdc, 0x2a, 0x4f, 0x16,
++ 0xe3, 0x18, 0x98, 0x86, 0xb5, 0x99, 0x06, 0x74, 0xf4, 0x20, 0x0f, 0x3a,
++ 0x4c, 0xf6, 0x5a, 0x3f, 0x0d, 0xdb, 0xa1, 0xfa, 0x67, 0x2d, 0xff, 0x2f,
++ 0x5e, 0x14, 0x3d, 0x10, 0xe4, 0xe9, 0x7a, 0xe8, 0x4f, 0x6d, 0xa0, 0x95,
++ 0x35, 0xd5, 0xb9, 0xdf, 0x25, 0x91, 0x81, 0xa7, 0x9b, 0x63, 0xb0, 0x69,
++ 0xe9, 0x49, 0x97, 0x2b, 0x02, 0xba, 0x36, 0xb3, 0x58, 0x6a, 0xab, 0x7e,
++ 0x45, 0xf3, 0x22, 0xf8, 0x2e, 0x4e, 0x85, 0xca, 0x3a, 0xb8, 0x55, 0x91,
++ 0xb3, 0xc2, 0xa9, 0x66
++};
++
++static const unsigned char dsa_test_2048_pub_key[] = {
++ 0x24, 0x52, 0xf3, 0xcc, 0xbe, 0x9e, 0xd5, 0xca, 0x7d, 0xc7, 0x4c, 0x60,
++ 0x2b, 0x99, 0x22, 0x6e, 0x8f, 0x2f, 0xab, 0x38, 0xe7, 0xd7, 0xdd, 0xfb,
++ 0x75, 0x53, 0x9b, 0x17, 0x15, 0x5e, 0x9f, 0xcf, 0xd1, 0xab, 0xa5, 0x64,
++ 0xeb, 0x85, 0x35, 0xd8, 0x12, 0xc9, 0xc2, 0xdc, 0xf9, 0x72, 0x84, 0x44,
++ 0x1b, 0xc4, 0x82, 0x24, 0x36, 0x24, 0xc7, 0xf4, 0x57, 0x58, 0x0c, 0x1c,
++ 0x38, 0xa5, 0x7c, 0x46, 0xc4, 0x57, 0x39, 0x24, 0x70, 0xed, 0xb5, 0x2c,
++ 0xb5, 0xa6, 0xe0, 0x3f, 0xe6, 0x28, 0x7b, 0xb6, 0xf4, 0x9a, 0x42, 0xa2,
++ 0x06, 0x5a, 0x05, 0x4f, 0x03, 0x08, 0x39, 0xdf, 0x1f, 0xd3, 0x14, 0x9c,
++ 0x4c, 0xa0, 0x53, 0x1d, 0xd8, 0xca, 0x8a, 0xaa, 0x9c, 0xc7, 0x33, 0x71,
++ 0x93, 0x38, 0x73, 0x48, 0x33, 0x61, 0x18, 0x22, 0x45, 0x45, 0xe8, 0x8c,
++ 0x80, 0xff, 0xd8, 0x76, 0x5d, 0x74, 0x36, 0x03, 0x33, 0xcc, 0xab, 0x99,
++ 0x72, 0x77, 0x9b, 0x65, 0x25, 0xa6, 0x5b, 0xdd, 0x0d, 0x10, 0xc6, 0x75,
++ 0xc1, 0x09, 0xbb, 0xd3, 0xe5, 0xbe, 0x4d, 0x72, 0xef, 0x6e, 0xba, 0x6e,
++ 0x43, 0x8d, 0x52, 0x26, 0x23, 0x7d, 0xb8, 0x88, 0x37, 0x9c, 0x5f, 0xcc,
++ 0x47, 0xa3, 0x84, 0x7f, 0xf6, 0x37, 0x11, 0xba, 0xed, 0x6d, 0x03, 0xaf,
++ 0xe8, 0x1e, 0x69, 0x4a, 0x41, 0x3b, 0x68, 0x0b, 0xd3, 0x8a, 0xb4, 0x90,
++ 0x3f, 0x83, 0x70, 0xa7, 0x07, 0xef, 0x55, 0x1d, 0x49, 0x41, 0x02, 0x6d,
++ 0x95, 0x79, 0xd6, 0x91, 0xde, 0x8e, 0xda, 0xa1, 0x61, 0x05, 0xeb, 0x9d,
++ 0xba, 0x3c, 0x2f, 0x4c, 0x1b, 0xec, 0x50, 0x82, 0x75, 0xaa, 0x02, 0x07,
++ 0xe2, 0x51, 0xb5, 0xec, 0xcb, 0x28, 0x6a, 0x4b, 0x01, 0xd4, 0x49, 0xd3,
++ 0x0a, 0xcb, 0x67, 0x37, 0x17, 0xa0, 0xd2, 0xfb, 0x3b, 0x50, 0xc8, 0x93,
++ 0xf7, 0xda, 0xb1, 0x4f
++};
++
++static const unsigned char dsa_test_2048_priv_key[] = {
++ 0x0c, 0x4b, 0x30, 0x89, 0xd1, 0xb8, 0x62, 0xcb, 0x3c, 0x43, 0x64, 0x91,
++ 0xf0, 0x91, 0x54, 0x70, 0xc5, 0x27, 0x96, 0xe3, 0xac, 0xbe, 0xe8, 0x00,
++ 0xec, 0x55, 0xf6, 0xcc
++};
++
++static int corrupt_dsa;
++
++void FIPS_corrupt_dsa()
++{
++ corrupt_dsa = 1;
++}
++
++int FIPS_selftest_dsa()
++{
++ DSA *dsa = NULL;
++ EVP_PKEY *pk = NULL;
++ int ret = 0;
++
++ dsa = DSA_new();
++
++ if (dsa == NULL)
++ goto err;
++
++ fips_load_key_component(dsa, p, dsa_test_2048);
++ fips_load_key_component(dsa, q, dsa_test_2048);
++ fips_load_key_component(dsa, g, dsa_test_2048);
++ fips_load_key_component(dsa, pub_key, dsa_test_2048);
++ fips_load_key_component(dsa, priv_key, dsa_test_2048);
++
++ if (corrupt_dsa)
++ BN_set_bit(dsa->pub_key, 2047);
++
++ if ((pk = EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_assign_DSA(pk, dsa);
++
++ if (!fips_pkey_signature_test(pk, NULL, 0,
++ NULL, 0, EVP_sha256(), 0, "DSA SHA256"))
++ goto err;
++ ret = 1;
++
++ err:
++ if (pk)
++ EVP_PKEY_free(pk);
++ else if (dsa)
++ DSA_free(dsa);
++ return ret;
++}
++#endif
+diff -up openssl-1.0.2c/crypto/fips/fips_enc.c.fips openssl-1.0.2c/crypto/fips/fips_enc.c
+--- openssl-1.0.2c/crypto/fips/fips_enc.c.fips 2015-06-15 17:30:00.009284005 +0200
++++ openssl-1.0.2c/crypto/fips/fips_enc.c 2015-06-15 17:30:00.009284005 +0200
+@@ -0,0 +1,189 @@
++/* fipe/evp/fips_enc.c */
++/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
++ * All rights reserved.
++ *
++ * This package is an SSL implementation written
++ * by Eric Young (eay at cryptsoft.com).
++ * The implementation was written so as to conform with Netscapes SSL.
++ *
++ * This library is free for commercial and non-commercial use as long as
++ * the following conditions are aheared to. The following conditions
++ * apply to all code found in this distribution, be it the RC4, RSA,
++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
++ * included with this distribution is covered by the same copyright terms
++ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
++ *
++ * Copyright remains Eric Young's, and as such any Copyright notices in
++ * the code are not to be removed.
++ * If this package is used in a product, Eric Young should be given attribution
++ * as the author of the parts of the library used.
++ * This can be in the form of a textual message at program startup or
++ * in documentation (online or textual) provided with the package.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ * must display the following acknowledgement:
++ * "This product includes cryptographic software written by
++ * Eric Young (eay at cryptsoft.com)"
++ * The word 'cryptographic' can be left out if the rouines from the library
++ * being used are not cryptographic related :-).
++ * 4. If you include any Windows specific code (or a derivative thereof) from
++ * the apps directory (application code) you must include an acknowledgement:
++ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ * The licence and distribution terms for any publically available version or
++ * derivative of this code cannot be changed. i.e. this code cannot simply be
++ * copied and put under another distribution licence
++ * [including the GNU Public Licence.]
++ */
++
++#include <stdio.h>
++#include <string.h>
++#include <openssl/evp.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++
++const EVP_CIPHER *FIPS_get_cipherbynid(int nid)
++{
++ switch (nid) {
++ case NID_aes_128_cbc:
++ return EVP_aes_128_cbc();
++
++ case NID_aes_128_ccm:
++ return EVP_aes_128_ccm();
++
++ case NID_aes_128_cfb1:
++ return EVP_aes_128_cfb1();
++
++ case NID_aes_128_cfb128:
++ return EVP_aes_128_cfb128();
++
++ case NID_aes_128_cfb8:
++ return EVP_aes_128_cfb8();
++
++ case NID_aes_128_ctr:
++ return EVP_aes_128_ctr();
++
++ case NID_aes_128_ecb:
++ return EVP_aes_128_ecb();
++
++ case NID_aes_128_gcm:
++ return EVP_aes_128_gcm();
++
++ case NID_aes_128_ofb128:
++ return EVP_aes_128_ofb();
++
++ case NID_aes_128_xts:
++ return EVP_aes_128_xts();
++
++ case NID_aes_192_cbc:
++ return EVP_aes_192_cbc();
++
++ case NID_aes_192_ccm:
++ return EVP_aes_192_ccm();
++
++ case NID_aes_192_cfb1:
++ return EVP_aes_192_cfb1();
++
++ case NID_aes_192_cfb128:
++ return EVP_aes_192_cfb128();
++
++ case NID_aes_192_cfb8:
++ return EVP_aes_192_cfb8();
++
++ case NID_aes_192_ctr:
++ return EVP_aes_192_ctr();
++
++ case NID_aes_192_ecb:
++ return EVP_aes_192_ecb();
++
++ case NID_aes_192_gcm:
++ return EVP_aes_192_gcm();
++
++ case NID_aes_192_ofb128:
++ return EVP_aes_192_ofb();
++
++ case NID_aes_256_cbc:
++ return EVP_aes_256_cbc();
++
++ case NID_aes_256_ccm:
++ return EVP_aes_256_ccm();
++
++ case NID_aes_256_cfb1:
++ return EVP_aes_256_cfb1();
++
++ case NID_aes_256_cfb128:
++ return EVP_aes_256_cfb128();
++
++ case NID_aes_256_cfb8:
++ return EVP_aes_256_cfb8();
++
++ case NID_aes_256_ctr:
++ return EVP_aes_256_ctr();
++
++ case NID_aes_256_ecb:
++ return EVP_aes_256_ecb();
++
++ case NID_aes_256_gcm:
++ return EVP_aes_256_gcm();
++
++ case NID_aes_256_ofb128:
++ return EVP_aes_256_ofb();
++
++ case NID_aes_256_xts:
++ return EVP_aes_256_xts();
++
++ case NID_des_ede_ecb:
++ return EVP_des_ede();
++
++ case NID_des_ede3_ecb:
++ return EVP_des_ede3();
++
++ case NID_des_ede3_cbc:
++ return EVP_des_ede3_cbc();
++
++ case NID_des_ede3_cfb1:
++ return EVP_des_ede3_cfb1();
++
++ case NID_des_ede3_cfb64:
++ return EVP_des_ede3_cfb64();
++
++ case NID_des_ede3_cfb8:
++ return EVP_des_ede3_cfb8();
++
++ case NID_des_ede3_ofb64:
++ return EVP_des_ede3_ofb();
++
++ case NID_des_ede_cbc:
++ return EVP_des_ede_cbc();
++
++ case NID_des_ede_cfb64:
++ return EVP_des_ede_cfb64();
++
++ case NID_des_ede_ofb64:
++ return EVP_des_ede_ofb();
++
++ default:
++ return NULL;
++
++ }
++}
+diff -up openssl-1.0.2c/crypto/fips/fips.h.fips openssl-1.0.2c/crypto/fips/fips.h
+--- openssl-1.0.2c/crypto/fips/fips.h.fips 2015-06-15 17:30:00.009284005 +0200
++++ openssl-1.0.2c/crypto/fips/fips.h 2015-06-15 17:30:00.009284005 +0200
+@@ -0,0 +1,278 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <openssl/opensslconf.h>
++#include <openssl/crypto.h>
++#include <stdarg.h>
++
++#ifndef OPENSSL_FIPS
++# error FIPS is disabled.
++#endif
++
++#ifdef OPENSSL_FIPS
++
++# ifdef __cplusplus
++extern "C" {
++# endif
++
++ struct dsa_st;
++ struct rsa_st;
++ struct evp_pkey_st;
++ struct env_md_st;
++ struct env_md_ctx_st;
++ struct evp_cipher_st;
++ struct evp_cipher_ctx_st;
++ struct dh_method;
++ struct CMAC_CTX_st;
++ struct hmac_ctx_st;
++
++ int FIPS_module_mode_set(int onoff, const char *auth);
++ int FIPS_module_mode(void);
++ const void *FIPS_rand_check(void);
++ int FIPS_selftest(void);
++ int FIPS_selftest_failed(void);
++ void FIPS_corrupt_sha1(void);
++ int FIPS_selftest_sha1(void);
++ int FIPS_selftest_sha2(void);
++ void FIPS_corrupt_aes(void);
++ int FIPS_selftest_aes_ccm(void);
++ int FIPS_selftest_aes_gcm(void);
++ int FIPS_selftest_aes_xts(void);
++ int FIPS_selftest_aes(void);
++ void FIPS_corrupt_des(void);
++ int FIPS_selftest_des(void);
++ void FIPS_corrupt_rsa(void);
++ void FIPS_corrupt_rsa_keygen(void);
++ int FIPS_selftest_rsa(void);
++ void FIPS_corrupt_dsa(void);
++ void FIPS_corrupt_dsa_keygen(void);
++ int FIPS_selftest_dsa(void);
++ void FIPS_corrupt_rng(void);
++ void FIPS_rng_stick(void);
++ void FIPS_x931_stick(int onoff);
++ void FIPS_drbg_stick(int onoff);
++ int FIPS_selftest_rng(void);
++ int FIPS_selftest_x931(void);
++ int FIPS_selftest_hmac(void);
++ int FIPS_selftest_drbg(void);
++ int FIPS_selftest_drbg_all(void);
++ int FIPS_selftest_cmac(void);
++
++ void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
++
++# define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \
++ alg " previous FIPS forbidden algorithm error ignored");
++
++ int fips_pkey_signature_test(struct evp_pkey_st *pkey,
++ const unsigned char *tbs, int tbslen,
++ const unsigned char *kat,
++ unsigned int katlen,
++ const struct env_md_st *digest,
++ unsigned int md_flags, const char *fail_str);
++
++ int fips_cipher_test(struct evp_cipher_ctx_st *ctx,
++ const struct evp_cipher_st *cipher,
++ const unsigned char *key,
++ const unsigned char *iv,
++ const unsigned char *plaintext,
++ const unsigned char *ciphertext, int len);
++
++ void fips_set_selftest_fail(void);
++
++ const struct env_md_st *FIPS_get_digestbynid(int nid);
++
++ const struct evp_cipher_st *FIPS_get_cipherbynid(int nid);
++
++/* BEGIN ERROR CODES */
++/* The following lines are auto generated by the script mkerr.pl. Any changes
++ * made after this point may be overwritten when the script is next run.
++ */
++ void ERR_load_FIPS_strings(void);
++
++/* Error codes for the FIPS functions. */
++
++/* Function codes. */
++# define FIPS_F_DH_BUILTIN_GENPARAMS 100
++# define FIPS_F_DH_INIT 148
++# define FIPS_F_DRBG_RESEED 162
++# define FIPS_F_DSA_BUILTIN_PARAMGEN 101
++# define FIPS_F_DSA_BUILTIN_PARAMGEN2 107
++# define FIPS_F_DSA_DO_SIGN 102
++# define FIPS_F_DSA_DO_VERIFY 103
++# define FIPS_F_ECDH_COMPUTE_KEY 163
++# define FIPS_F_ECDSA_DO_SIGN 164
++# define FIPS_F_ECDSA_DO_VERIFY 165
++# define FIPS_F_EC_KEY_GENERATE_KEY 166
++# define FIPS_F_EVP_CIPHERINIT_EX 124
++# define FIPS_F_EVP_DIGESTINIT_EX 125
++# define FIPS_F_FIPS_CHECK_DSA 104
++# define FIPS_F_FIPS_CHECK_DSA_PRNG 151
++# define FIPS_F_FIPS_CHECK_EC 142
++# define FIPS_F_FIPS_CHECK_EC_PRNG 152
++# define FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT 105
++# define FIPS_F_FIPS_CHECK_RSA 106
++# define FIPS_F_FIPS_CHECK_RSA_PRNG 150
++# define FIPS_F_FIPS_CIPHER 160
++# define FIPS_F_FIPS_CIPHERINIT 143
++# define FIPS_F_FIPS_CIPHER_CTX_CTRL 161
++# define FIPS_F_FIPS_DIGESTFINAL 158
++# define FIPS_F_FIPS_DIGESTINIT 128
++# define FIPS_F_FIPS_DIGESTUPDATE 159
++# define FIPS_F_FIPS_DRBG_BYTES 131
++# define FIPS_F_FIPS_DRBG_CHECK 146
++# define FIPS_F_FIPS_DRBG_CPRNG_TEST 132
++# define FIPS_F_FIPS_DRBG_ERROR_CHECK 136
++# define FIPS_F_FIPS_DRBG_GENERATE 134
++# define FIPS_F_FIPS_DRBG_INIT 135
++# define FIPS_F_FIPS_DRBG_INSTANTIATE 138
++# define FIPS_F_FIPS_DRBG_NEW 139
++# define FIPS_F_FIPS_DRBG_RESEED 140
++# define FIPS_F_FIPS_DRBG_SINGLE_KAT 141
++# define FIPS_F_FIPS_DSA_CHECK /* unused */ 107
++# define FIPS_F_FIPS_DSA_SIGN_DIGEST 154
++# define FIPS_F_FIPS_DSA_VERIFY_DIGEST 155
++# define FIPS_F_FIPS_GET_ENTROPY 147
++# define FIPS_F_FIPS_MODE_SET /* unused */ 108
++# define FIPS_F_FIPS_MODULE_MODE_SET 108
++# define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109
++# define FIPS_F_FIPS_RAND_ADD 137
++# define FIPS_F_FIPS_RAND_BYTES 122
++# define FIPS_F_FIPS_RAND_PSEUDO_BYTES 167
++# define FIPS_F_FIPS_RAND_SEED 168
++# define FIPS_F_FIPS_RAND_SET_METHOD 126
++# define FIPS_F_FIPS_RAND_STATUS 127
++# define FIPS_F_FIPS_RSA_SIGN_DIGEST 156
++# define FIPS_F_FIPS_RSA_VERIFY_DIGEST 157
++# define FIPS_F_FIPS_SELFTEST_AES 110
++# define FIPS_F_FIPS_SELFTEST_AES_CCM 145
++# define FIPS_F_FIPS_SELFTEST_AES_GCM 129
++# define FIPS_F_FIPS_SELFTEST_AES_XTS 144
++# define FIPS_F_FIPS_SELFTEST_CMAC 130
++# define FIPS_F_FIPS_SELFTEST_DES 111
++# define FIPS_F_FIPS_SELFTEST_DSA 112
++# define FIPS_F_FIPS_SELFTEST_ECDSA 133
++# define FIPS_F_FIPS_SELFTEST_HMAC 113
++# define FIPS_F_FIPS_SELFTEST_RNG /* unused */ 114
++# define FIPS_F_FIPS_SELFTEST_SHA1 115
++# define FIPS_F_FIPS_SELFTEST_X931 114
++# define FIPS_F_FIPS_SET_PRNG_KEY 153
++# define FIPS_F_HASH_FINAL 123
++# define FIPS_F_RSA_BUILTIN_KEYGEN 116
++# define FIPS_F_RSA_EAY_INIT 149
++# define FIPS_F_RSA_EAY_PRIVATE_DECRYPT 117
++# define FIPS_F_RSA_EAY_PRIVATE_ENCRYPT 118
++# define FIPS_F_RSA_EAY_PUBLIC_DECRYPT 119
++# define FIPS_F_RSA_EAY_PUBLIC_ENCRYPT 120
++# define FIPS_F_RSA_X931_GENERATE_KEY_EX 121
++# define FIPS_F_SSLEAY_RAND_BYTES /* unused */ 122
++
++/* Reason codes. */
++# define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 150
++# define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 125
++# define FIPS_R_ALREADY_INSTANTIATED 134
++# define FIPS_R_AUTHENTICATION_FAILURE 151
++# define FIPS_R_CANNOT_READ_EXE /* unused */ 103
++# define FIPS_R_CANNOT_READ_EXE_DIGEST /* unused */ 104
++# define FIPS_R_CONTRADICTING_EVIDENCE 114
++# define FIPS_R_DRBG_NOT_INITIALISED 152
++# define FIPS_R_DRBG_STUCK 103
++# define FIPS_R_ENTROPY_ERROR_UNDETECTED 104
++# define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105
++# define FIPS_R_ENTROPY_SOURCE_STUCK 142
++# define FIPS_R_ERROR_INITIALISING_DRBG 115
++# define FIPS_R_ERROR_INSTANTIATING_DRBG 127
++# define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 124
++# define FIPS_R_ERROR_RETRIEVING_ENTROPY 122
++# define FIPS_R_ERROR_RETRIEVING_NONCE 140
++# define FIPS_R_EXE_DIGEST_DOES_NOT_MATCH /* unused */ 105
++# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 110
++# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED 111
++# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING 112
++# define FIPS_R_FIPS_MODE_ALREADY_SET 102
++# define FIPS_R_FIPS_SELFTEST_FAILED 106
++# define FIPS_R_FUNCTION_ERROR 116
++# define FIPS_R_GENERATE_ERROR 137
++# define FIPS_R_GENERATE_ERROR_UNDETECTED 118
++# define FIPS_R_INSTANTIATE_ERROR 119
++# define FIPS_R_INSUFFICIENT_SECURITY_STRENGTH 120
++# define FIPS_R_INTERNAL_ERROR 121
++# define FIPS_R_INVALID_KEY_LENGTH 109
++# define FIPS_R_INVALID_PARAMETERS 144
++# define FIPS_R_IN_ERROR_STATE 123
++# define FIPS_R_KEY_TOO_SHORT 108
++# define FIPS_R_NONCE_ERROR_UNDETECTED 149
++# define FIPS_R_NON_FIPS_METHOD 100
++# define FIPS_R_NOPR_TEST1_FAILURE 145
++# define FIPS_R_NOPR_TEST2_FAILURE 146
++# define FIPS_R_NOT_INSTANTIATED 126
++# define FIPS_R_PAIRWISE_TEST_FAILED 107
++# define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128
++# define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129
++# define FIPS_R_PRNG_STRENGTH_TOO_LOW 143
++# define FIPS_R_PR_TEST1_FAILURE 147
++# define FIPS_R_PR_TEST2_FAILURE 148
++# define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 130
++# define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 131
++# define FIPS_R_RESEED_COUNTER_ERROR 132
++# define FIPS_R_RESEED_ERROR 133
++# define FIPS_R_RSA_DECRYPT_ERROR /* unused */ 115
++# define FIPS_R_RSA_ENCRYPT_ERROR /* unused */ 116
++# define FIPS_R_SELFTEST_FAILED 101
++# define FIPS_R_SELFTEST_FAILURE 135
++# define FIPS_R_STRENGTH_ERROR_UNDETECTED 136
++# define FIPS_R_TEST_FAILURE 117
++# define FIPS_R_UNINSTANTIATE_ERROR 141
++# define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 138
++# define FIPS_R_UNSUPPORTED_DRBG_TYPE 139
++# define FIPS_R_UNSUPPORTED_PLATFORM 113
++
++# ifdef __cplusplus
++}
++# endif
++#endif
+diff -up openssl-1.0.2c/crypto/fips/fips_hmac_selftest.c.fips openssl-1.0.2c/crypto/fips/fips_hmac_selftest.c
+--- openssl-1.0.2c/crypto/fips/fips_hmac_selftest.c.fips 2015-06-15 17:30:00.009284005 +0200
++++ openssl-1.0.2c/crypto/fips/fips_hmac_selftest.c 2015-06-15 17:30:00.009284005 +0200
+@@ -0,0 +1,134 @@
++/* ====================================================================
++ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++#include <openssl/hmac.h>
++
++#ifdef OPENSSL_FIPS
++typedef struct {
++ const EVP_MD *(*alg) (void);
++ const char *key, *iv;
++ unsigned char kaval[EVP_MAX_MD_SIZE];
++} HMAC_KAT;
++
++static const HMAC_KAT vector[] = {
++ {EVP_sha1,
++ /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ {0x09, 0x22, 0xd3, 0x40, 0x5f, 0xaa, 0x3d, 0x19,
++ 0x4f, 0x82, 0xa4, 0x58, 0x30, 0x73, 0x7d, 0x5c,
++ 0xc6, 0xc7, 0x5d, 0x24}
++ },
++ {EVP_sha224,
++ /* just keep extending the above... */
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ {0xdd, 0xef, 0x0a, 0x40, 0xcb, 0x7d, 0x50, 0xfb,
++ 0x6e, 0xe6, 0xce, 0xa1, 0x20, 0xba, 0x26, 0xaa,
++ 0x08, 0xf3, 0x07, 0x75, 0x87, 0xb8, 0xad, 0x1b,
++ 0x8c, 0x8d, 0x12, 0xc7}
++ },
++ {EVP_sha256,
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ {0xb8, 0xf2, 0x0d, 0xb5, 0x41, 0xea, 0x43, 0x09,
++ 0xca, 0x4e, 0xa9, 0x38, 0x0c, 0xd0, 0xe8, 0x34,
++ 0xf7, 0x1f, 0xbe, 0x91, 0x74, 0xa2, 0x61, 0x38,
++ 0x0d, 0xc1, 0x7e, 0xae, 0x6a, 0x34, 0x51, 0xd9}
++ },
++ {EVP_sha384,
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ {0x08, 0xbc, 0xb0, 0xda, 0x49, 0x1e, 0x87, 0xad,
++ 0x9a, 0x1d, 0x6a, 0xce, 0x23, 0xc5, 0x0b, 0xf6,
++ 0xb7, 0x18, 0x06, 0xa5, 0x77, 0xcd, 0x49, 0x04,
++ 0x89, 0xf1, 0xe6, 0x23, 0x44, 0x51, 0x51, 0x9f,
++ 0x85, 0x56, 0x80, 0x79, 0x0c, 0xbd, 0x4d, 0x50,
++ 0xa4, 0x5f, 0x29, 0xe3, 0x93, 0xf0, 0xe8, 0x7f}
++ },
++ {EVP_sha512,
++ "0123456789:;<=>?@ABC",
++ "Sample #2",
++ {0x80, 0x9d, 0x44, 0x05, 0x7c, 0x5b, 0x95, 0x41,
++ 0x05, 0xbd, 0x04, 0x13, 0x16, 0xdb, 0x0f, 0xac,
++ 0x44, 0xd5, 0xa4, 0xd5, 0xd0, 0x89, 0x2b, 0xd0,
++ 0x4e, 0x86, 0x64, 0x12, 0xc0, 0x90, 0x77, 0x68,
++ 0xf1, 0x87, 0xb7, 0x7c, 0x4f, 0xae, 0x2c, 0x2f,
++ 0x21, 0xa5, 0xb5, 0x65, 0x9a, 0x4f, 0x4b, 0xa7,
++ 0x47, 0x02, 0xa3, 0xde, 0x9b, 0x51, 0xf1, 0x45,
++ 0xbd, 0x4f, 0x25, 0x27, 0x42, 0x98, 0x99, 0x05}
++ },
++};
++
++int FIPS_selftest_hmac()
++{
++ int n;
++ unsigned int outlen;
++ unsigned char out[EVP_MAX_MD_SIZE];
++ const EVP_MD *md;
++ const HMAC_KAT *t;
++
++ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) {
++ md = (*t->alg) ();
++ HMAC(md, t->key, strlen(t->key),
++ (const unsigned char *)t->iv, strlen(t->iv), out, &outlen);
++
++ if (memcmp(out, t->kaval, outlen)) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++ }
++ return 1;
++}
++#endif
+diff -up openssl-1.0.2c/crypto/fips/fips_locl.h.fips openssl-1.0.2c/crypto/fips/fips_locl.h
+--- openssl-1.0.2c/crypto/fips/fips_locl.h.fips 2015-06-15 17:30:00.009284005 +0200
++++ openssl-1.0.2c/crypto/fips/fips_locl.h 2015-06-15 17:30:00.009284005 +0200
+@@ -0,0 +1,71 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#ifdef OPENSSL_FIPS
++
++# ifdef __cplusplus
++extern "C" {
++# endif
++
++# define FIPS_MAX_CIPHER_TEST_SIZE 32
++# define fips_load_key_component(key, comp, pre) \
++ key->comp = BN_bin2bn(pre##_##comp, sizeof(pre##_##comp), key->comp); \
++ if (!key->comp) \
++ goto err
++
++# define fips_post_started(id, subid, ex) 1
++# define fips_post_success(id, subid, ex) 1
++# define fips_post_failed(id, subid, ex) 1
++# define fips_post_corrupt(id, subid, ex) 1
++# define fips_post_status() 1
++
++# ifdef __cplusplus
++}
++# endif
++#endif
+diff -up openssl-1.0.2c/crypto/fips/fips_md.c.fips openssl-1.0.2c/crypto/fips/fips_md.c
+--- openssl-1.0.2c/crypto/fips/fips_md.c.fips 2015-06-15 17:30:00.009284005 +0200
++++ openssl-1.0.2c/crypto/fips/fips_md.c 2015-06-15 17:30:00.009284005 +0200
+@@ -0,0 +1,144 @@
++/* fips/evp/fips_md.c */
++/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
++ * All rights reserved.
++ *
++ * This package is an SSL implementation written
++ * by Eric Young (eay at cryptsoft.com).
++ * The implementation was written so as to conform with Netscapes SSL.
++ *
++ * This library is free for commercial and non-commercial use as long as
++ * the following conditions are aheared to. The following conditions
++ * apply to all code found in this distribution, be it the RC4, RSA,
++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
++ * included with this distribution is covered by the same copyright terms
++ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
++ *
++ * Copyright remains Eric Young's, and as such any Copyright notices in
++ * the code are not to be removed.
++ * If this package is used in a product, Eric Young should be given attribution
++ * as the author of the parts of the library used.
++ * This can be in the form of a textual message at program startup or
++ * in documentation (online or textual) provided with the package.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ * must display the following acknowledgement:
++ * "This product includes cryptographic software written by
++ * Eric Young (eay at cryptsoft.com)"
++ * The word 'cryptographic' can be left out if the rouines from the library
++ * being used are not cryptographic related :-).
++ * 4. If you include any Windows specific code (or a derivative thereof) from
++ * the apps directory (application code) you must include an acknowledgement:
++ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ * The licence and distribution terms for any publically available version or
++ * derivative of this code cannot be changed. i.e. this code cannot simply be
++ * copied and put under another distribution licence
++ * [including the GNU Public Licence.]
++ */
++/* ====================================================================
++ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay at cryptsoft.com). This product includes software written by Tim
++ * Hudson (tjh at cryptsoft.com).
++ *
++ */
++
++/* Minimal standalone FIPS versions of Digest operations */
++
++#define OPENSSL_FIPSAPI
++
++#include <stdio.h>
++#include <string.h>
++#include <openssl/objects.h>
++#include <openssl/evp.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++
++const EVP_MD *FIPS_get_digestbynid(int nid)
++{
++ switch (nid) {
++ case NID_sha1:
++ return EVP_sha1();
++
++ case NID_sha224:
++ return EVP_sha224();
++
++ case NID_sha256:
++ return EVP_sha256();
++
++ case NID_sha384:
++ return EVP_sha384();
++
++ case NID_sha512:
++ return EVP_sha512();
++
++ default:
++ return NULL;
++ }
++}
+diff -up openssl-1.0.2c/crypto/fips/fips_post.c.fips openssl-1.0.2c/crypto/fips/fips_post.c
+--- openssl-1.0.2c/crypto/fips/fips_post.c.fips 2015-06-15 17:30:00.009284005 +0200
++++ openssl-1.0.2c/crypto/fips/fips_post.c 2015-06-15 17:30:00.009284005 +0200
+@@ -0,0 +1,201 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#define OPENSSL_FIPSAPI
++
++#include <openssl/crypto.h>
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++#include <openssl/err.h>
++#include <openssl/bio.h>
++#include <openssl/hmac.h>
++#include <openssl/rsa.h>
++#include <openssl/dsa.h>
++#include <string.h>
++#include <limits.h>
++
++#ifdef OPENSSL_FIPS
++
++/* Power on self test (POST) support functions */
++
++# include <openssl/fips.h>
++# include "fips_locl.h"
++
++/* Run all selftests */
++int FIPS_selftest(void)
++{
++ int rv = 1;
++ if (!FIPS_selftest_drbg())
++ rv = 0;
++ if (!FIPS_selftest_x931())
++ rv = 0;
++ if (!FIPS_selftest_sha1())
++ rv = 0;
++ if (!FIPS_selftest_sha2())
++ rv = 0;
++ if (!FIPS_selftest_hmac())
++ rv = 0;
++ if (!FIPS_selftest_cmac())
++ rv = 0;
++ if (!FIPS_selftest_aes())
++ rv = 0;
++ if (!FIPS_selftest_aes_ccm())
++ rv = 0;
++ if (!FIPS_selftest_aes_gcm())
++ rv = 0;
++ if (!FIPS_selftest_aes_xts())
++ rv = 0;
++ if (!FIPS_selftest_des())
++ rv = 0;
++ if (!FIPS_selftest_rsa())
++ rv = 0;
++ if (!FIPS_selftest_dsa())
++ rv = 0;
++ return rv;
++}
++
++/* Generalized public key test routine. Signs and verifies the data
++ * supplied in tbs using mesage digest md and setting option digest
++ * flags md_flags. If the 'kat' parameter is not NULL it will
++ * additionally check the signature matches it: a known answer test
++ * The string "fail_str" is used for identification purposes in case
++ * of failure. If "pkey" is NULL just perform a message digest check.
++ */
++
++int fips_pkey_signature_test(EVP_PKEY *pkey,
++ const unsigned char *tbs, int tbslen,
++ const unsigned char *kat, unsigned int katlen,
++ const EVP_MD *digest, unsigned int md_flags,
++ const char *fail_str)
++{
++ int ret = 0;
++ unsigned char sigtmp[256], *sig = sigtmp;
++ unsigned int siglen;
++ EVP_MD_CTX mctx;
++ EVP_MD_CTX_init(&mctx);
++
++ if (digest == NULL)
++ digest = EVP_sha256();
++
++ if ((pkey->type == EVP_PKEY_RSA)
++ && (RSA_size(pkey->pkey.rsa) > sizeof(sigtmp))) {
++ sig = OPENSSL_malloc(RSA_size(pkey->pkey.rsa));
++ if (!sig) {
++ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, ERR_R_MALLOC_FAILURE);
++ return 0;
++ }
++ }
++
++ if (tbslen == -1)
++ tbslen = strlen((char *)tbs);
++
++ if (md_flags)
++ EVP_MD_CTX_set_flags(&mctx, md_flags);
++
++ if (!EVP_SignInit_ex(&mctx, digest, NULL))
++ goto error;
++ if (!EVP_SignUpdate(&mctx, tbs, tbslen))
++ goto error;
++ if (!EVP_SignFinal(&mctx, sig, &siglen, pkey))
++ goto error;
++
++ if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen)))
++ goto error;
++
++ if (!EVP_VerifyInit_ex(&mctx, digest, NULL))
++ goto error;
++ if (!EVP_VerifyUpdate(&mctx, tbs, tbslen))
++ goto error;
++ ret = EVP_VerifyFinal(&mctx, sig, siglen, pkey);
++
++ error:
++ if (sig != sigtmp)
++ OPENSSL_free(sig);
++ EVP_MD_CTX_cleanup(&mctx);
++ if (ret != 1) {
++ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, FIPS_R_TEST_FAILURE);
++ if (fail_str)
++ ERR_add_error_data(2, "Type=", fail_str);
++ return 0;
++ }
++ return 1;
++}
++
++/* Generalized symmetric cipher test routine. Encrypt data, verify result
++ * against known answer, decrypt and compare with original plaintext.
++ */
++
++int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
++ const unsigned char *key,
++ const unsigned char *iv,
++ const unsigned char *plaintext,
++ const unsigned char *ciphertext, int len)
++{
++ unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE];
++ unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE];
++
++ OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE);
++ memset(pltmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
++ memset(citmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
++
++ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0)
++ return 0;
++ if (EVP_Cipher(ctx, citmp, plaintext, len) <= 0)
++ return 0;
++ if (memcmp(citmp, ciphertext, len))
++ return 0;
++ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0)
++ return 0;
++ if (EVP_Cipher(ctx, pltmp, citmp, len) <= 0)
++ return 0;
++ if (memcmp(pltmp, plaintext, len))
++ return 0;
++ return 1;
++}
++#endif
+diff -up openssl-1.0.2c/crypto/fips/fips_rand.c.fips openssl-1.0.2c/crypto/fips/fips_rand.c
+--- openssl-1.0.2c/crypto/fips/fips_rand.c.fips 2015-06-15 17:30:00.010284028 +0200
++++ openssl-1.0.2c/crypto/fips/fips_rand.c 2015-06-15 17:30:00.010284028 +0200
+@@ -0,0 +1,428 @@
++/* ====================================================================
++ * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++/*
++ * This is a FIPS approved AES PRNG based on ANSI X9.31 A.2.4.
++ */
++#include <openssl/crypto.h>
++#include "e_os.h"
++
++/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't
++ be defined and gettimeofday() won't be declared with strict compilers
++ like DEC C in ANSI C mode. */
++#ifndef _XOPEN_SOURCE_EXTENDED
++# define _XOPEN_SOURCE_EXTENDED 1
++#endif
++
++#include <openssl/rand.h>
++#include <openssl/aes.h>
++#include <openssl/err.h>
++#include <openssl/fips_rand.h>
++#if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS))
++# include <sys/time.h>
++#endif
++#if defined(OPENSSL_SYS_VXWORKS)
++# include <time.h>
++#endif
++#include <assert.h>
++#ifndef OPENSSL_SYS_WIN32
++# ifdef OPENSSL_UNISTD
++# include OPENSSL_UNISTD
++# else
++# include <unistd.h>
++# endif
++#endif
++#include <string.h>
++#include <openssl/fips.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++void *OPENSSL_stderr(void);
++
++# define AES_BLOCK_LENGTH 16
++
++/* AES FIPS PRNG implementation */
++
++typedef struct {
++ int seeded;
++ int keyed;
++ int test_mode;
++ int second;
++ int error;
++ unsigned long counter;
++ AES_KEY ks;
++ int vpos;
++ /* Temporary storage for key if it equals seed length */
++ unsigned char tmp_key[AES_BLOCK_LENGTH];
++ unsigned char V[AES_BLOCK_LENGTH];
++ unsigned char DT[AES_BLOCK_LENGTH];
++ unsigned char last[AES_BLOCK_LENGTH];
++} FIPS_PRNG_CTX;
++
++static FIPS_PRNG_CTX sctx;
++
++static int fips_prng_fail = 0;
++
++void FIPS_x931_stick(int onoff)
++{
++ fips_prng_fail = onoff;
++}
++
++void FIPS_rng_stick(void)
++{
++ FIPS_x931_stick(1);
++}
++
++static void fips_rand_prng_reset(FIPS_PRNG_CTX * ctx)
++{
++ ctx->seeded = 0;
++ ctx->keyed = 0;
++ ctx->test_mode = 0;
++ ctx->counter = 0;
++ ctx->second = 0;
++ ctx->error = 0;
++ ctx->vpos = 0;
++ OPENSSL_cleanse(ctx->V, AES_BLOCK_LENGTH);
++ OPENSSL_cleanse(&ctx->ks, sizeof(AES_KEY));
++}
++
++static int fips_set_prng_key(FIPS_PRNG_CTX * ctx,
++ const unsigned char *key, unsigned int keylen)
++{
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_FIPS_SET_PRNG_KEY, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++ if (keylen != 16 && keylen != 24 && keylen != 32) {
++ /* error: invalid key size */
++ return 0;
++ }
++ AES_set_encrypt_key(key, keylen << 3, &ctx->ks);
++ if (keylen == 16) {
++ memcpy(ctx->tmp_key, key, 16);
++ ctx->keyed = 2;
++ } else
++ ctx->keyed = 1;
++ ctx->seeded = 0;
++ ctx->second = 0;
++ return 1;
++}
++
++static int fips_set_prng_seed(FIPS_PRNG_CTX * ctx,
++ const unsigned char *seed, unsigned int seedlen)
++{
++ unsigned int i;
++ if (!ctx->keyed)
++ return 0;
++ /* In test mode seed is just supplied data */
++ if (ctx->test_mode) {
++ if (seedlen != AES_BLOCK_LENGTH)
++ return 0;
++ memcpy(ctx->V, seed, AES_BLOCK_LENGTH);
++ ctx->seeded = 1;
++ return 1;
++ }
++ /* Outside test mode XOR supplied data with existing seed */
++ for (i = 0; i < seedlen; i++) {
++ ctx->V[ctx->vpos++] ^= seed[i];
++ if (ctx->vpos == AES_BLOCK_LENGTH) {
++ ctx->vpos = 0;
++ /* Special case if first seed and key length equals
++ * block size check key and seed do not match.
++ */
++ if (ctx->keyed == 2) {
++ if (!memcmp(ctx->tmp_key, ctx->V, 16)) {
++ RANDerr(RAND_F_FIPS_SET_PRNG_SEED,
++ RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY);
++ return 0;
++ }
++ OPENSSL_cleanse(ctx->tmp_key, 16);
++ ctx->keyed = 1;
++ }
++ ctx->seeded = 1;
++ }
++ }
++ return 1;
++}
++
++static int fips_set_test_mode(FIPS_PRNG_CTX * ctx)
++{
++ if (ctx->keyed) {
++ RANDerr(RAND_F_FIPS_SET_TEST_MODE, RAND_R_PRNG_KEYED);
++ return 0;
++ }
++ ctx->test_mode = 1;
++ return 1;
++}
++
++int FIPS_x931_test_mode(void)
++{
++ return fips_set_test_mode(&sctx);
++}
++
++int FIPS_rand_test_mode(void)
++{
++ return fips_set_test_mode(&sctx);
++}
++
++int FIPS_x931_set_dt(unsigned char *dt)
++{
++ if (!sctx.test_mode) {
++ RANDerr(RAND_F_FIPS_X931_SET_DT, RAND_R_NOT_IN_TEST_MODE);
++ return 0;
++ }
++ memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
++ return 1;
++}
++
++int FIPS_rand_set_dt(unsigned char *dt)
++{
++ if (!sctx.test_mode) {
++ RANDerr(RAND_F_FIPS_RAND_SET_DT, RAND_R_NOT_IN_TEST_MODE);
++ return 0;
++ }
++ memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
++ return 1;
++}
++
++void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr)
++{
++# ifdef OPENSSL_SYS_WIN32
++ FILETIME ft;
++# elif defined(OPENSSL_SYS_VXWORKS)
++ struct timespec ts;
++# else
++ struct timeval tv;
++# endif
++
++# ifndef GETPID_IS_MEANINGLESS
++ unsigned long pid;
++# endif
++
++# ifdef OPENSSL_SYS_WIN32
++ GetSystemTimeAsFileTime(&ft);
++ buf[0] = (unsigned char)(ft.dwHighDateTime & 0xff);
++ buf[1] = (unsigned char)((ft.dwHighDateTime >> 8) & 0xff);
++ buf[2] = (unsigned char)((ft.dwHighDateTime >> 16) & 0xff);
++ buf[3] = (unsigned char)((ft.dwHighDateTime >> 24) & 0xff);
++ buf[4] = (unsigned char)(ft.dwLowDateTime & 0xff);
++ buf[5] = (unsigned char)((ft.dwLowDateTime >> 8) & 0xff);
++ buf[6] = (unsigned char)((ft.dwLowDateTime >> 16) & 0xff);
++ buf[7] = (unsigned char)((ft.dwLowDateTime >> 24) & 0xff);
++# elif defined(OPENSSL_SYS_VXWORKS)
++ clock_gettime(CLOCK_REALTIME, &ts);
++ buf[0] = (unsigned char)(ts.tv_sec & 0xff);
++ buf[1] = (unsigned char)((ts.tv_sec >> 8) & 0xff);
++ buf[2] = (unsigned char)((ts.tv_sec >> 16) & 0xff);
++ buf[3] = (unsigned char)((ts.tv_sec >> 24) & 0xff);
++ buf[4] = (unsigned char)(ts.tv_nsec & 0xff);
++ buf[5] = (unsigned char)((ts.tv_nsec >> 8) & 0xff);
++ buf[6] = (unsigned char)((ts.tv_nsec >> 16) & 0xff);
++ buf[7] = (unsigned char)((ts.tv_nsec >> 24) & 0xff);
++# else
++ gettimeofday(&tv, NULL);
++ buf[0] = (unsigned char)(tv.tv_sec & 0xff);
++ buf[1] = (unsigned char)((tv.tv_sec >> 8) & 0xff);
++ buf[2] = (unsigned char)((tv.tv_sec >> 16) & 0xff);
++ buf[3] = (unsigned char)((tv.tv_sec >> 24) & 0xff);
++ buf[4] = (unsigned char)(tv.tv_usec & 0xff);
++ buf[5] = (unsigned char)((tv.tv_usec >> 8) & 0xff);
++ buf[6] = (unsigned char)((tv.tv_usec >> 16) & 0xff);
++ buf[7] = (unsigned char)((tv.tv_usec >> 24) & 0xff);
++# endif
++ buf[8] = (unsigned char)(*pctr & 0xff);
++ buf[9] = (unsigned char)((*pctr >> 8) & 0xff);
++ buf[10] = (unsigned char)((*pctr >> 16) & 0xff);
++ buf[11] = (unsigned char)((*pctr >> 24) & 0xff);
++
++ (*pctr)++;
++
++# ifndef GETPID_IS_MEANINGLESS
++ pid = (unsigned long)getpid();
++ buf[12] = (unsigned char)(pid & 0xff);
++ buf[13] = (unsigned char)((pid >> 8) & 0xff);
++ buf[14] = (unsigned char)((pid >> 16) & 0xff);
++ buf[15] = (unsigned char)((pid >> 24) & 0xff);
++# endif
++}
++
++static int fips_rand(FIPS_PRNG_CTX * ctx,
++ unsigned char *out, unsigned int outlen)
++{
++ unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
++ unsigned char tmp[AES_BLOCK_LENGTH];
++ int i;
++ if (ctx->error) {
++ RANDerr(RAND_F_FIPS_RAND, RAND_R_PRNG_ERROR);
++ return 0;
++ }
++ if (!ctx->keyed) {
++ RANDerr(RAND_F_FIPS_RAND, RAND_R_NO_KEY_SET);
++ return 0;
++ }
++ if (!ctx->seeded) {
++ RANDerr(RAND_F_FIPS_RAND, RAND_R_PRNG_NOT_SEEDED);
++ return 0;
++ }
++ for (;;) {
++ if (!ctx->test_mode)
++ FIPS_get_timevec(ctx->DT, &ctx->counter);
++ AES_encrypt(ctx->DT, I, &ctx->ks);
++ for (i = 0; i < AES_BLOCK_LENGTH; i++)
++ tmp[i] = I[i] ^ ctx->V[i];
++ AES_encrypt(tmp, R, &ctx->ks);
++ for (i = 0; i < AES_BLOCK_LENGTH; i++)
++ tmp[i] = R[i] ^ I[i];
++ AES_encrypt(tmp, ctx->V, &ctx->ks);
++ /* Continuous PRNG test */
++ if (ctx->second) {
++ if (fips_prng_fail)
++ memcpy(ctx->last, R, AES_BLOCK_LENGTH);
++ if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH)) {
++ RANDerr(RAND_F_FIPS_RAND, RAND_R_PRNG_STUCK);
++ ctx->error = 1;
++ fips_set_selftest_fail();
++ return 0;
++ }
++ }
++ memcpy(ctx->last, R, AES_BLOCK_LENGTH);
++ if (!ctx->second) {
++ ctx->second = 1;
++ if (!ctx->test_mode)
++ continue;
++ }
++
++ if (outlen <= AES_BLOCK_LENGTH) {
++ memcpy(out, R, outlen);
++ break;
++ }
++
++ memcpy(out, R, AES_BLOCK_LENGTH);
++ out += AES_BLOCK_LENGTH;
++ outlen -= AES_BLOCK_LENGTH;
++ }
++ return 1;
++}
++
++int FIPS_x931_set_key(const unsigned char *key, int keylen)
++{
++ int ret;
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ ret = fips_set_prng_key(&sctx, key, keylen);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++ return ret;
++}
++
++int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen)
++{
++ return FIPS_x931_set_key(key, keylen);
++}
++
++int FIPS_x931_seed(const void *seed, int seedlen)
++{
++ int ret;
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ ret = fips_set_prng_seed(&sctx, seed, seedlen);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++ return ret;
++}
++
++int FIPS_x931_bytes(unsigned char *out, int count)
++{
++ int ret;
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ ret = fips_rand(&sctx, out, count);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++ return ret;
++}
++
++int FIPS_x931_status(void)
++{
++ int ret;
++ CRYPTO_r_lock(CRYPTO_LOCK_RAND);
++ ret = sctx.seeded;
++ CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
++ return ret;
++}
++
++void FIPS_x931_reset(void)
++{
++ CRYPTO_w_lock(CRYPTO_LOCK_RAND);
++ fips_rand_prng_reset(&sctx);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
++}
++
++static int fips_do_rand_seed(const void *seed, int seedlen)
++{
++ FIPS_x931_seed(seed, seedlen);
++ return 1;
++}
++
++static int fips_do_rand_add(const void *seed, int seedlen, double add_entropy)
++{
++ FIPS_x931_seed(seed, seedlen);
++ return 1;
++}
++
++static const RAND_METHOD rand_x931_meth = {
++ fips_do_rand_seed,
++ FIPS_x931_bytes,
++ FIPS_x931_reset,
++ fips_do_rand_add,
++ FIPS_x931_bytes,
++ FIPS_x931_status
++};
++
++const RAND_METHOD *FIPS_x931_method(void)
++{
++ return &rand_x931_meth;
++}
++
++#endif
+diff -up openssl-1.0.2c/crypto/fips/fips_rand.h.fips openssl-1.0.2c/crypto/fips/fips_rand.h
+--- openssl-1.0.2c/crypto/fips/fips_rand.h.fips 2015-06-15 17:30:00.010284028 +0200
++++ openssl-1.0.2c/crypto/fips/fips_rand.h 2015-06-15 17:30:00.010284028 +0200
+@@ -0,0 +1,163 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#ifndef HEADER_FIPS_RAND_H
++# define HEADER_FIPS_RAND_H
++
++# include <openssl/aes.h>
++# include <openssl/evp.h>
++# include <openssl/hmac.h>
++# include <openssl/rand.h>
++
++# ifdef OPENSSL_FIPS
++
++# ifdef __cplusplus
++extern "C" {
++# endif
++
++ int FIPS_x931_set_key(const unsigned char *key, int keylen);
++ int FIPS_x931_seed(const void *buf, int num);
++ int FIPS_x931_bytes(unsigned char *out, int outlen);
++
++ int FIPS_x931_test_mode(void);
++ void FIPS_x931_reset(void);
++ int FIPS_x931_set_dt(unsigned char *dt);
++
++ int FIPS_x931_status(void);
++
++ const RAND_METHOD *FIPS_x931_method(void);
++
++ typedef struct drbg_ctx_st DRBG_CTX;
++/* DRBG external flags */
++/* Flag for CTR mode only: use derivation function ctr_df */
++# define DRBG_FLAG_CTR_USE_DF 0x1
++/* PRNG is in test state */
++# define DRBG_FLAG_TEST 0x2
++
++ DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags);
++ int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags);
++ int FIPS_drbg_instantiate(DRBG_CTX *dctx,
++ const unsigned char *pers, size_t perslen);
++ int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin,
++ size_t adinlen);
++ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
++ int prediction_resistance,
++ const unsigned char *adin, size_t adinlen);
++
++ int FIPS_drbg_uninstantiate(DRBG_CTX *dctx);
++ void FIPS_drbg_free(DRBG_CTX *dctx);
++
++ int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
++ size_t (*get_entropy) (DRBG_CTX *ctx,
++ unsigned char **pout,
++ int entropy,
++ size_t min_len,
++ size_t max_len),
++ void (*cleanup_entropy) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen),
++ size_t entropy_blocklen,
++ size_t (*get_nonce) (DRBG_CTX *ctx,
++ unsigned char **pout,
++ int entropy,
++ size_t min_len,
++ size_t max_len),
++ void (*cleanup_nonce) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen));
++
++ int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
++ size_t (*get_adin) (DRBG_CTX *ctx,
++ unsigned char
++ **pout),
++ void (*cleanup_adin) (DRBG_CTX *ctx,
++ unsigned char *out,
++ size_t olen),
++ int (*rand_seed_cb) (DRBG_CTX *ctx,
++ const void *buf,
++ int num),
++ int (*rand_add_cb) (DRBG_CTX *ctx,
++ const void *buf,
++ int num,
++ double entropy));
++
++ void *FIPS_drbg_get_app_data(DRBG_CTX *ctx);
++ void FIPS_drbg_set_app_data(DRBG_CTX *ctx, void *app_data);
++ size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx);
++ int FIPS_drbg_get_strength(DRBG_CTX *dctx);
++ void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval);
++ void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval);
++
++ int FIPS_drbg_health_check(DRBG_CTX *dctx);
++
++ DRBG_CTX *FIPS_get_default_drbg(void);
++ const RAND_METHOD *FIPS_drbg_method(void);
++
++ int FIPS_rand_set_method(const RAND_METHOD *meth);
++ const RAND_METHOD *FIPS_rand_get_method(void);
++
++ void FIPS_rand_set_bits(int nbits);
++
++ int FIPS_rand_strength(void);
++
++/* 1.0.0 compat functions */
++ int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen);
++ int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num);
++ int FIPS_rand_bytes(unsigned char *out, FIPS_RAND_SIZE_T outlen);
++ int FIPS_rand_test_mode(void);
++ void FIPS_rand_reset(void);
++ int FIPS_rand_set_dt(unsigned char *dt);
++ int FIPS_rand_status(void);
++ const RAND_METHOD *FIPS_rand_method(void);
++
++# ifdef __cplusplus
++}
++# endif
++# endif
++#endif
+diff -up openssl-1.0.2c/crypto/fips/fips_rand_lcl.h.fips openssl-1.0.2c/crypto/fips/fips_rand_lcl.h
+--- openssl-1.0.2c/crypto/fips/fips_rand_lcl.h.fips 2015-06-15 17:30:00.010284028 +0200
++++ openssl-1.0.2c/crypto/fips/fips_rand_lcl.h 2015-06-15 17:30:00.010284028 +0200
+@@ -0,0 +1,213 @@
++/* fips/rand/fips_rand_lcl.h */
++/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++typedef struct drbg_hash_ctx_st DRBG_HASH_CTX;
++typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX;
++typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX;
++
++/* 888 bits from 10.1 table 2 */
++#define HASH_PRNG_MAX_SEEDLEN 111
++
++struct drbg_hash_ctx_st {
++ const EVP_MD *md;
++ EVP_MD_CTX mctx;
++ unsigned char V[HASH_PRNG_MAX_SEEDLEN];
++ unsigned char C[HASH_PRNG_MAX_SEEDLEN];
++ /* Temporary value storage: should always exceed max digest length */
++ unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN];
++};
++
++struct drbg_hmac_ctx_st {
++ const EVP_MD *md;
++ HMAC_CTX hctx;
++ unsigned char K[EVP_MAX_MD_SIZE];
++ unsigned char V[EVP_MAX_MD_SIZE];
++};
++
++struct drbg_ctr_ctx_st {
++ AES_KEY ks;
++ size_t keylen;
++ unsigned char K[32];
++ unsigned char V[16];
++ /* Temp variables used by derivation function */
++ AES_KEY df_ks;
++ AES_KEY df_kxks;
++ /* Temporary block storage used by ctr_df */
++ unsigned char bltmp[16];
++ size_t bltmp_pos;
++ unsigned char KX[48];
++};
++
++/* DRBG internal flags */
++
++/* Functions shouldn't call err library */
++#define DRBG_FLAG_NOERR 0x1
++/* Custom reseed checking */
++#define DRBG_CUSTOM_RESEED 0x2
++
++/* DRBG status values */
++/* not initialised */
++#define DRBG_STATUS_UNINITIALISED 0
++/* ok and ready to generate random bits */
++#define DRBG_STATUS_READY 1
++/* reseed required */
++#define DRBG_STATUS_RESEED 2
++/* fatal error condition */
++#define DRBG_STATUS_ERROR 3
++
++/* A default maximum length: larger than any reasonable value used in pratice */
++
++#define DRBG_MAX_LENGTH 0x7ffffff0
++/* Maximum DRBG block length: all md sizes are bigger than cipher blocks sizes
++ * so use max digest length.
++ */
++#define DRBG_MAX_BLOCK EVP_MAX_MD_SIZE
++
++#define DRBG_HEALTH_INTERVAL (1 << 24)
++
++/* DRBG context structure */
++
++struct drbg_ctx_st {
++ /* First types common to all implementations */
++ /* DRBG type: a NID for the underlying algorithm */
++ int type;
++ /* Various external flags */
++ unsigned int xflags;
++ /* Various internal use only flags */
++ unsigned int iflags;
++ /* Used for periodic health checks */
++ int health_check_cnt, health_check_interval;
++
++ /* The following parameters are setup by mechanism drbg_init() call */
++ int strength;
++ size_t blocklength;
++ size_t max_request;
++
++ size_t min_entropy, max_entropy;
++ size_t min_nonce, max_nonce;
++ size_t max_pers, max_adin;
++ unsigned int reseed_counter;
++ unsigned int reseed_interval;
++ size_t seedlen;
++ int status;
++ /* Application data: typically used by test get_entropy */
++ void *app_data;
++ /* Implementation specific structures */
++ union {
++ DRBG_HASH_CTX hash;
++ DRBG_HMAC_CTX hmac;
++ DRBG_CTR_CTX ctr;
++ } d;
++ /* Initialiase PRNG and setup callbacks below */
++ int (*init) (DRBG_CTX *ctx, int nid, int security, unsigned int flags);
++ /* Intantiate PRNG */
++ int (*instantiate) (DRBG_CTX *ctx,
++ const unsigned char *ent, size_t entlen,
++ const unsigned char *nonce, size_t noncelen,
++ const unsigned char *pers, size_t perslen);
++ /* reseed */
++ int (*reseed) (DRBG_CTX *ctx,
++ const unsigned char *ent, size_t entlen,
++ const unsigned char *adin, size_t adinlen);
++ /* generat output */
++ int (*generate) (DRBG_CTX *ctx,
++ unsigned char *out, size_t outlen,
++ const unsigned char *adin, size_t adinlen);
++ /* uninstantiate */
++ int (*uninstantiate) (DRBG_CTX *ctx);
++
++ /* Entropy source block length */
++ size_t entropy_blocklen;
++
++ /* entropy gathering function */
++ size_t (*get_entropy) (DRBG_CTX *ctx, unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len);
++ /* Indicates we have finished with entropy buffer */
++ void (*cleanup_entropy) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
++
++ /* nonce gathering function */
++ size_t (*get_nonce) (DRBG_CTX *ctx, unsigned char **pout,
++ int entropy, size_t min_len, size_t max_len);
++ /* Indicates we have finished with nonce buffer */
++ void (*cleanup_nonce) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
++
++ /* Continuous random number test temporary area */
++ /* Last block */
++ unsigned char lb[EVP_MAX_MD_SIZE];
++ /* set if lb is valid */
++ int lb_valid;
++
++ /* Callbacks used when called through RAND interface */
++ /* Get any additional input for generate */
++ size_t (*get_adin) (DRBG_CTX *ctx, unsigned char **pout);
++ void (*cleanup_adin) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
++ /* Callback for RAND_seed(), RAND_add() */
++ int (*rand_seed_cb) (DRBG_CTX *ctx, const void *buf, int num);
++ int (*rand_add_cb) (DRBG_CTX *ctx,
++ const void *buf, int num, double entropy);
++};
++
++int fips_drbg_ctr_init(DRBG_CTX *dctx);
++int fips_drbg_hash_init(DRBG_CTX *dctx);
++int fips_drbg_hmac_init(DRBG_CTX *dctx);
++int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags);
++int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out);
++
++const struct env_md_st *FIPS_get_digestbynid(int nid);
++
++const struct evp_cipher_st *FIPS_get_cipherbynid(int nid);
++
++#define FIPS_digestinit EVP_DigestInit
++#define FIPS_digestupdate EVP_DigestUpdate
++#define FIPS_digestfinal EVP_DigestFinal
++#define M_EVP_MD_size EVP_MD_size
+diff -up openssl-1.0.2c/crypto/fips/fips_rand_lib.c.fips openssl-1.0.2c/crypto/fips/fips_rand_lib.c
+--- openssl-1.0.2c/crypto/fips/fips_rand_lib.c.fips 2015-06-15 17:30:00.010284028 +0200
++++ openssl-1.0.2c/crypto/fips/fips_rand_lib.c 2015-06-15 17:30:00.010284028 +0200
+@@ -0,0 +1,181 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <openssl/crypto.h>
++#include <openssl/rand.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++#include <openssl/fips_rand.h>
++#include "e_os.h"
++
++/* FIPS API for PRNG use. Similar to RAND functionality but without
++ * ENGINE and additional checking for non-FIPS rand methods.
++ */
++
++static const RAND_METHOD *fips_rand_meth = NULL;
++static int fips_approved_rand_meth = 0;
++static int fips_rand_bits = 0;
++
++/* Allows application to override number of bits and uses non-FIPS methods */
++void FIPS_rand_set_bits(int nbits)
++{
++ fips_rand_bits = nbits;
++}
++
++int FIPS_rand_set_method(const RAND_METHOD *meth)
++{
++ if (!fips_rand_bits) {
++ if (meth == FIPS_drbg_method())
++ fips_approved_rand_meth = 1;
++ else if (meth == FIPS_x931_method())
++ fips_approved_rand_meth = 2;
++ else {
++ fips_approved_rand_meth = 0;
++ if (FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD, FIPS_R_NON_FIPS_METHOD);
++ return 0;
++ }
++ }
++ }
++ fips_rand_meth = meth;
++ return 1;
++}
++
++const RAND_METHOD *FIPS_rand_get_method(void)
++{
++ return fips_rand_meth;
++}
++
++const RAND_METHOD *FIPS_rand_method(void)
++{
++ return FIPS_rand_get_method();
++}
++
++void FIPS_rand_reset(void)
++{
++ if (fips_rand_meth && fips_rand_meth->cleanup)
++ fips_rand_meth->cleanup();
++}
++
++int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num)
++{
++ if (!fips_approved_rand_meth && FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
++ return 0;
++ }
++ if (fips_rand_meth && fips_rand_meth->seed)
++ fips_rand_meth->seed(buf, num);
++ return 1;
++}
++
++void FIPS_rand_add(const void *buf, int num, double entropy)
++{
++ if (!fips_approved_rand_meth && FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_RAND_ADD, FIPS_R_NON_FIPS_METHOD);
++ return;
++ }
++ if (fips_rand_meth && fips_rand_meth->add)
++ fips_rand_meth->add(buf, num, entropy);
++}
++
++int FIPS_rand_bytes(unsigned char *buf, FIPS_RAND_SIZE_T num)
++{
++ if (!fips_approved_rand_meth && FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
++ return 0;
++ }
++ if (fips_rand_meth && fips_rand_meth->bytes)
++ return fips_rand_meth->bytes(buf, num);
++ return 0;
++}
++
++int FIPS_rand_pseudo_bytes(unsigned char *buf, int num)
++{
++ if (!fips_approved_rand_meth && FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_RAND_PSEUDO_BYTES, FIPS_R_NON_FIPS_METHOD);
++ return 0;
++ }
++ if (fips_rand_meth && fips_rand_meth->pseudorand)
++ return fips_rand_meth->pseudorand(buf, num);
++ return -1;
++}
++
++int FIPS_rand_status(void)
++{
++ if (!fips_approved_rand_meth && FIPS_module_mode()) {
++ FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
++ return 0;
++ }
++ if (fips_rand_meth && fips_rand_meth->status)
++ return fips_rand_meth->status();
++ return 0;
++}
++
++/* Return instantiated strength of PRNG. For DRBG this is an internal
++ * parameter. For X9.31 PRNG it is 80 bits (from SP800-131). Any other
++ * type of PRNG is not approved and returns 0 in FIPS mode and maximum
++ * 256 outside FIPS mode.
++ */
++
++int FIPS_rand_strength(void)
++{
++ if (fips_rand_bits)
++ return fips_rand_bits;
++ if (fips_approved_rand_meth == 1)
++ return FIPS_drbg_get_strength(FIPS_get_default_drbg());
++ else if (fips_approved_rand_meth == 2)
++ return 80;
++ else if (fips_approved_rand_meth == 0) {
++ if (FIPS_module_mode())
++ return 0;
++ else
++ return 256;
++ }
++ return 0;
++}
+diff -up openssl-1.0.2c/crypto/fips/fips_rand_selftest.c.fips openssl-1.0.2c/crypto/fips/fips_rand_selftest.c
+--- openssl-1.0.2c/crypto/fips/fips_rand_selftest.c.fips 2015-06-15 17:30:00.010284028 +0200
++++ openssl-1.0.2c/crypto/fips/fips_rand_selftest.c 2015-06-15 17:30:00.010284028 +0200
+@@ -0,0 +1,176 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++typedef struct {
++ unsigned char DT[16];
++ unsigned char V[16];
++ unsigned char R[16];
++} AES_PRNG_TV;
++
++/* The following test vectors are taken directly from the RGNVS spec */
++
++static unsigned char aes_128_key[16] =
++ { 0xf3, 0xb1, 0x66, 0x6d, 0x13, 0x60, 0x72, 0x42,
++ 0xed, 0x06, 0x1c, 0xab, 0xb8, 0xd4, 0x62, 0x02
++};
++
++static AES_PRNG_TV aes_128_tv = {
++ /* DT */
++ {0xe6, 0xb3, 0xbe, 0x78, 0x2a, 0x23, 0xfa, 0x62,
++ 0xd7, 0x1d, 0x4a, 0xfb, 0xb0, 0xe9, 0x22, 0xf9},
++ /* V */
++ {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
++ /* R */
++ {0x59, 0x53, 0x1e, 0xd1, 0x3b, 0xb0, 0xc0, 0x55,
++ 0x84, 0x79, 0x66, 0x85, 0xc1, 0x2f, 0x76, 0x41}
++};
++
++static unsigned char aes_192_key[24] =
++ { 0x15, 0xd8, 0x78, 0x0d, 0x62, 0xd3, 0x25, 0x6e,
++ 0x44, 0x64, 0x10, 0x13, 0x60, 0x2b, 0xa9, 0xbc,
++ 0x4a, 0xfb, 0xca, 0xeb, 0x4c, 0x8b, 0x99, 0x3b
++};
++
++static AES_PRNG_TV aes_192_tv = {
++ /* DT */
++ {0x3f, 0xd8, 0xff, 0xe8, 0x80, 0x69, 0x8b, 0xc1,
++ 0xbf, 0x99, 0x7d, 0xa4, 0x24, 0x78, 0xf3, 0x4b},
++ /* V */
++ {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
++ /* R */
++ {0x17, 0x07, 0xd5, 0x28, 0x19, 0x79, 0x1e, 0xef,
++ 0xa5, 0x0c, 0xbf, 0x25, 0xe5, 0x56, 0xb4, 0x93}
++};
++
++static unsigned char aes_256_key[32] =
++ { 0x6d, 0x14, 0x06, 0x6c, 0xb6, 0xd8, 0x21, 0x2d,
++ 0x82, 0x8d, 0xfa, 0xf2, 0x7a, 0x03, 0xb7, 0x9f,
++ 0x0c, 0xc7, 0x3e, 0xcd, 0x76, 0xeb, 0xee, 0xb5,
++ 0x21, 0x05, 0x8c, 0x4f, 0x31, 0x7a, 0x80, 0xbb
++};
++
++static AES_PRNG_TV aes_256_tv = {
++ /* DT */
++ {0xda, 0x3a, 0x41, 0xec, 0x1d, 0xa3, 0xb0, 0xd5,
++ 0xf2, 0xa9, 0x4e, 0x34, 0x74, 0x8e, 0x9e, 0x88},
++ /* V */
++ {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
++ /* R */
++ {0x35, 0xc7, 0xef, 0xa7, 0x78, 0x4d, 0x29, 0xbc,
++ 0x82, 0x79, 0x99, 0xfb, 0xd0, 0xb3, 0x3b, 0x72}
++};
++
++void FIPS_corrupt_rng()
++{
++ aes_192_tv.V[0]++;
++}
++
++# define fips_x931_test(key, tv) \
++ do_x931_test(key, sizeof key, &tv)
++
++static int do_x931_test(unsigned char *key, int keylen, AES_PRNG_TV * tv)
++{
++ unsigned char R[16], V[16];
++ int rv = 1;
++ memcpy(V, tv->V, sizeof(V));
++ if (!FIPS_x931_set_key(key, keylen))
++ return 0;
++ if (!fips_post_started(FIPS_TEST_X931, keylen, NULL))
++ return 1;
++ if (!fips_post_corrupt(FIPS_TEST_X931, keylen, NULL))
++ V[0]++;
++ FIPS_x931_seed(V, 16);
++ FIPS_x931_set_dt(tv->DT);
++ FIPS_x931_bytes(R, 16);
++ if (memcmp(R, tv->R, 16)) {
++ fips_post_failed(FIPS_TEST_X931, keylen, NULL);
++ rv = 0;
++ } else if (!fips_post_success(FIPS_TEST_X931, keylen, NULL))
++ return 0;
++ return rv;
++}
++
++int FIPS_selftest_x931()
++{
++ int rv = 1;
++ FIPS_x931_reset();
++ if (!FIPS_x931_test_mode()) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_X931, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++ if (!fips_x931_test(aes_128_key, aes_128_tv))
++ rv = 0;
++ if (!fips_x931_test(aes_192_key, aes_192_tv))
++ rv = 0;
++ if (!fips_x931_test(aes_256_key, aes_256_tv))
++ rv = 0;
++ FIPS_x931_reset();
++ if (!rv)
++ FIPSerr(FIPS_F_FIPS_SELFTEST_X931, FIPS_R_SELFTEST_FAILED);
++ return rv;
++}
++
++int FIPS_selftest_rng(void)
++{
++ return FIPS_selftest_x931();
++}
++
++#endif
+diff -up openssl-1.0.2c/crypto/fips/fips_randtest.c.fips openssl-1.0.2c/crypto/fips/fips_randtest.c
+--- openssl-1.0.2c/crypto/fips/fips_randtest.c.fips 2015-06-15 17:30:00.010284028 +0200
++++ openssl-1.0.2c/crypto/fips/fips_randtest.c 2015-06-15 17:30:00.010284028 +0200
+@@ -0,0 +1,247 @@
++/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
++ * All rights reserved.
++ *
++ * This package is an SSL implementation written
++ * by Eric Young (eay at cryptsoft.com).
++ * The implementation was written so as to conform with Netscapes SSL.
++ *
++ * This library is free for commercial and non-commercial use as long as
++ * the following conditions are aheared to. The following conditions
++ * apply to all code found in this distribution, be it the RC4, RSA,
++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
++ * included with this distribution is covered by the same copyright terms
++ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
++ *
++ * Copyright remains Eric Young's, and as such any Copyright notices in
++ * the code are not to be removed.
++ * If this package is used in a product, Eric Young should be given attribution
++ * as the author of the parts of the library used.
++ * This can be in the form of a textual message at program startup or
++ * in documentation (online or textual) provided with the package.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ * must display the following acknowledgement:
++ * "This product includes cryptographic software written by
++ * Eric Young (eay at cryptsoft.com)"
++ * The word 'cryptographic' can be left out if the rouines from the library
++ * being used are not cryptographic related :-).
++ * 4. If you include any Windows specific code (or a derivative thereof) from
++ * the apps directory (application code) you must include an acknowledgement:
++ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ * The licence and distribution terms for any publically available version or
++ * derivative of this code cannot be changed. i.e. this code cannot simply be
++ * copied and put under another distribution licence
++ * [including the GNU Public Licence.]
++ */
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <ctype.h>
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++#include <openssl/err.h>
++#include <openssl/bn.h>
++
++#include "e_os.h"
++
++#ifndef OPENSSL_FIPS
++int main(int argc, char *argv[])
++{
++ printf("No FIPS RAND support\n");
++ return (0);
++}
++
++#else
++
++# include "fips_utl.h"
++# include <openssl/fips.h>
++
++typedef struct {
++ unsigned char DT[16];
++ unsigned char V[16];
++ unsigned char R[16];
++} AES_PRNG_MCT;
++
++static const unsigned char aes_128_mct_key[16] =
++ { 0x9f, 0x5b, 0x51, 0x20, 0x0b, 0xf3, 0x34, 0xb5,
++ 0xd8, 0x2b, 0xe8, 0xc3, 0x72, 0x55, 0xc8, 0x48
++};
++
++static const AES_PRNG_MCT aes_128_mct_tv = {
++ /* DT */
++ {0x63, 0x76, 0xbb, 0xe5, 0x29, 0x02, 0xba, 0x3b,
++ 0x67, 0xc9, 0x25, 0xfa, 0x70, 0x1f, 0x11, 0xac},
++ /* V */
++ {0x57, 0x2c, 0x8e, 0x76, 0x87, 0x26, 0x47, 0x97,
++ 0x7e, 0x74, 0xfb, 0xdd, 0xc4, 0x95, 0x01, 0xd1},
++ /* R */
++ {0x48, 0xe9, 0xbd, 0x0d, 0x06, 0xee, 0x18, 0xfb,
++ 0xe4, 0x57, 0x90, 0xd5, 0xc3, 0xfc, 0x9b, 0x73}
++};
++
++static const unsigned char aes_192_mct_key[24] =
++ { 0xb7, 0x6c, 0x34, 0xd1, 0x09, 0x67, 0xab, 0x73,
++ 0x4d, 0x5a, 0xd5, 0x34, 0x98, 0x16, 0x0b, 0x91,
++ 0xbc, 0x35, 0x51, 0x16, 0x6b, 0xae, 0x93, 0x8a
++};
++
++static const AES_PRNG_MCT aes_192_mct_tv = {
++ /* DT */
++ {0x84, 0xce, 0x22, 0x7d, 0x91, 0x5a, 0xa3, 0xc9,
++ 0x84, 0x3c, 0x0a, 0xb3, 0xa9, 0x63, 0x15, 0x52},
++ /* V */
++ {0xb6, 0xaf, 0xe6, 0x8f, 0x99, 0x9e, 0x90, 0x64,
++ 0xdd, 0xc7, 0x7a, 0xc1, 0xbb, 0x90, 0x3a, 0x6d},
++ /* R */
++ {0xfc, 0x85, 0x60, 0x9a, 0x29, 0x6f, 0xef, 0x21,
++ 0xdd, 0x86, 0x20, 0x32, 0x8a, 0x29, 0x6f, 0x47}
++};
++
++static const unsigned char aes_256_mct_key[32] =
++ { 0x9b, 0x05, 0xc8, 0x68, 0xff, 0x47, 0xf8, 0x3a,
++ 0xa6, 0x3a, 0xa8, 0xcb, 0x4e, 0x71, 0xb2, 0xe0,
++ 0xb8, 0x7e, 0xf1, 0x37, 0xb6, 0xb4, 0xf6, 0x6d,
++ 0x86, 0x32, 0xfc, 0x1f, 0x5e, 0x1d, 0x1e, 0x50
++};
++
++static const AES_PRNG_MCT aes_256_mct_tv = {
++ /* DT */
++ {0x31, 0x6e, 0x35, 0x9a, 0xb1, 0x44, 0xf0, 0xee,
++ 0x62, 0x6d, 0x04, 0x46, 0xe0, 0xa3, 0x92, 0x4c},
++ /* V */
++ {0x4f, 0xcd, 0xc1, 0x87, 0x82, 0x1f, 0x4d, 0xa1,
++ 0x3e, 0x0e, 0x56, 0x44, 0x59, 0xe8, 0x83, 0xca},
++ /* R */
++ {0xc8, 0x87, 0xc2, 0x61, 0x5b, 0xd0, 0xb9, 0xe1,
++ 0xe7, 0xf3, 0x8b, 0xd7, 0x5b, 0xd5, 0xf1, 0x8d}
++};
++
++static void dump(const unsigned char *b, int n)
++{
++ while (n-- > 0) {
++ printf(" %02x", *b++);
++ }
++}
++
++static void compare(const unsigned char *result,
++ const unsigned char *expected, int n)
++{
++ int i;
++
++ for (i = 0; i < n; ++i)
++ if (result[i] != expected[i]) {
++ puts("Random test failed, got:");
++ dump(result, n);
++ puts("\n expected:");
++ dump(expected, n);
++ putchar('\n');
++ EXIT(1);
++ }
++}
++
++static void run_test(const unsigned char *key, int keylen,
++ const AES_PRNG_MCT * tv)
++{
++ unsigned char buf[16], dt[16];
++ int i, j;
++ FIPS_x931_reset();
++ FIPS_x931_test_mode();
++ FIPS_x931_set_key(key, keylen);
++ FIPS_x931_seed(tv->V, 16);
++ memcpy(dt, tv->DT, 16);
++ for (i = 0; i < 10000; i++) {
++ FIPS_x931_set_dt(dt);
++ FIPS_x931_bytes(buf, 16);
++ /* Increment DT */
++ for (j = 15; j >= 0; j--) {
++ dt[j]++;
++ if (dt[j])
++ break;
++ }
++ }
++
++ compare(buf, tv->R, 16);
++}
++
++int main()
++{
++ run_test(aes_128_mct_key, 16, &aes_128_mct_tv);
++ printf("FIPS PRNG test 1 done\n");
++ run_test(aes_192_mct_key, 24, &aes_192_mct_tv);
++ printf("FIPS PRNG test 2 done\n");
++ run_test(aes_256_mct_key, 32, &aes_256_mct_tv);
++ printf("FIPS PRNG test 3 done\n");
++ return 0;
++}
++
++#endif
+diff -up openssl-1.0.2c/crypto/fips/fips_rsa_selftest.c.fips openssl-1.0.2c/crypto/fips/fips_rsa_selftest.c
+--- openssl-1.0.2c/crypto/fips/fips_rsa_selftest.c.fips 2015-06-15 17:30:00.011284051 +0200
++++ openssl-1.0.2c/crypto/fips/fips_rsa_selftest.c 2015-06-15 17:30:00.011284051 +0200
+@@ -0,0 +1,444 @@
++/* ====================================================================
++ * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++#include <openssl/rsa.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++#include <openssl/opensslconf.h>
++
++#ifdef OPENSSL_FIPS
++
++static const unsigned char n[] =
++ "\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
++ "\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
++ "\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD"
++ "\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80"
++ "\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25"
++ "\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39"
++ "\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68"
++ "\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD" "\xCB";
++
++static int corrupt_rsa;
++
++static int setrsakey(RSA *key)
++{
++ static const unsigned char e[] = "\x11";
++
++ static const unsigned char d[] =
++ "\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD"
++ "\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41"
++ "\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69"
++ "\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA"
++ "\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94"
++ "\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A"
++ "\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
++ "\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
++ "\xC1";
++
++ static const unsigned char p[] =
++ "\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
++ "\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
++ "\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
++ "\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
++ "\x99";
++
++ static const unsigned char q[] =
++ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
++ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
++ "\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
++ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
++ "\x03";
++
++ static const unsigned char dmp1[] =
++ "\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
++ "\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
++ "\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
++ "\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81";
++
++ static const unsigned char dmq1[] =
++ "\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
++ "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
++ "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
++ "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D";
++
++ static const unsigned char iqmp[] =
++ "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
++ "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
++ "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
++ "\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
++ "\xF7";
++
++ key->n = BN_bin2bn(n, sizeof(n) - 1, key->n);
++ if (corrupt_rsa)
++ BN_set_bit(key->n, 1024);
++ key->e = BN_bin2bn(e, sizeof(e) - 1, key->e);
++ key->d = BN_bin2bn(d, sizeof(d) - 1, key->d);
++ key->p = BN_bin2bn(p, sizeof(p) - 1, key->p);
++ key->q = BN_bin2bn(q, sizeof(q) - 1, key->q);
++ key->dmp1 = BN_bin2bn(dmp1, sizeof(dmp1) - 1, key->dmp1);
++ key->dmq1 = BN_bin2bn(dmq1, sizeof(dmq1) - 1, key->dmq1);
++ key->iqmp = BN_bin2bn(iqmp, sizeof(iqmp) - 1, key->iqmp);
++ return 1;
++}
++
++void FIPS_corrupt_rsa()
++{
++ corrupt_rsa = 1;
++}
++
++/* Known Answer Test (KAT) data for the above RSA private key signing
++ * kat_tbs.
++ */
++
++static const unsigned char kat_tbs[] =
++ "OpenSSL FIPS 140-2 Public Key RSA KAT";
++
++static const unsigned char kat_RSA_PSS_SHA1[] = {
++ 0x2D, 0xAF, 0x6E, 0xC2, 0x98, 0xFB, 0x8A, 0xA1, 0xB9, 0x46, 0xDA, 0x0F,
++ 0x01, 0x1E, 0x37, 0x93, 0xC2, 0x55, 0x27, 0xE4, 0x1D, 0xD2, 0x90, 0xBB,
++ 0xF4, 0xBF, 0x4A, 0x74, 0x39, 0x51, 0xBB, 0xE8, 0x0C, 0xB7, 0xF8, 0xD3,
++ 0xD1, 0xDF, 0xE7, 0xBE, 0x80, 0x05, 0xC3, 0xB5, 0xC7, 0x83, 0xD5, 0x4C,
++ 0x7F, 0x49, 0xFB, 0x3F, 0x29, 0x9B, 0xE1, 0x12, 0x51, 0x60, 0xD0, 0xA7,
++ 0x0D, 0xA9, 0x28, 0x56, 0x73, 0xD9, 0x07, 0xE3, 0x5E, 0x3F, 0x9B, 0xF5,
++ 0xB6, 0xF3, 0xF2, 0x5E, 0x74, 0xC9, 0x83, 0x81, 0x47, 0xF0, 0xC5, 0x45,
++ 0x0A, 0xE9, 0x8E, 0x38, 0xD7, 0x18, 0xC6, 0x2A, 0x0F, 0xF8, 0xB7, 0x31,
++ 0xD6, 0x55, 0xE4, 0x66, 0x78, 0x81, 0xD4, 0xE6, 0xDB, 0x9F, 0xBA, 0xE8,
++ 0x23, 0xB5, 0x7F, 0xDC, 0x08, 0xEA, 0xD5, 0x26, 0x1E, 0x20, 0x25, 0x84,
++ 0x26, 0xC6, 0x79, 0xC9, 0x9B, 0x3D, 0x7E, 0xA9
++};
++
++static const unsigned char kat_RSA_PSS_SHA224[] = {
++ 0x39, 0x4A, 0x6A, 0x20, 0xBC, 0xE9, 0x33, 0xED, 0xEF, 0xC5, 0x58, 0xA7,
++ 0xFE, 0x81, 0xC4, 0x36, 0x50, 0x9A, 0x2C, 0x82, 0x98, 0x08, 0x95, 0xFA,
++ 0xB1, 0x9E, 0xD2, 0x55, 0x61, 0x87, 0x21, 0x59, 0x87, 0x7B, 0x1F, 0x57,
++ 0x30, 0x9D, 0x0D, 0x4A, 0x06, 0xEB, 0x52, 0x37, 0x55, 0x54, 0x1C, 0x89,
++ 0x83, 0x75, 0x59, 0x65, 0x64, 0x90, 0x2E, 0x16, 0xCC, 0x86, 0x05, 0xEE,
++ 0xB1, 0xE6, 0x7B, 0xBA, 0x16, 0x75, 0x0D, 0x0C, 0x64, 0x0B, 0xAB, 0x22,
++ 0x15, 0x78, 0x6B, 0x6F, 0xA4, 0xFB, 0x77, 0x40, 0x64, 0x62, 0xD1, 0xB5,
++ 0x37, 0x1E, 0xE0, 0x3D, 0xA8, 0xF9, 0xD2, 0xBD, 0xAA, 0x38, 0x24, 0x49,
++ 0x58, 0xD2, 0x74, 0x85, 0xF4, 0xB5, 0x93, 0x8E, 0xF5, 0x03, 0xEA, 0x2D,
++ 0xC8, 0x52, 0xFA, 0xCF, 0x7E, 0x35, 0xB0, 0x6A, 0xAF, 0x95, 0xC0, 0x00,
++ 0x54, 0x76, 0x3D, 0x0C, 0x9C, 0xB2, 0xEE, 0xC0
++};
++
++static const unsigned char kat_RSA_PSS_SHA256[] = {
++ 0x6D, 0x3D, 0xBE, 0x8F, 0x60, 0x6D, 0x25, 0x14, 0xF0, 0x31, 0xE3, 0x89,
++ 0x00, 0x97, 0xFA, 0x99, 0x71, 0x28, 0xE5, 0x10, 0x25, 0x9A, 0xF3, 0x8F,
++ 0x7B, 0xC5, 0xA8, 0x4A, 0x74, 0x51, 0x36, 0xE2, 0x8D, 0x7D, 0x73, 0x28,
++ 0xC1, 0x77, 0xC6, 0x27, 0x97, 0x00, 0x8B, 0x00, 0xA3, 0x96, 0x73, 0x4E,
++ 0x7D, 0x2E, 0x2C, 0x34, 0x68, 0x8C, 0x8E, 0xDF, 0x9D, 0x49, 0x47, 0x05,
++ 0xAB, 0xF5, 0x01, 0xD6, 0x81, 0x47, 0x70, 0xF5, 0x1D, 0x6D, 0x26, 0xBA,
++ 0x2F, 0x7A, 0x54, 0x53, 0x4E, 0xED, 0x71, 0xD9, 0x5A, 0xF3, 0xDA, 0xB6,
++ 0x0B, 0x47, 0x34, 0xAF, 0x90, 0xDC, 0xC8, 0xD9, 0x6F, 0x56, 0xCD, 0x9F,
++ 0x21, 0xB7, 0x7E, 0xAD, 0x7C, 0x2F, 0x75, 0x50, 0x47, 0x12, 0xE4, 0x6D,
++ 0x5F, 0xB7, 0x01, 0xDF, 0xC3, 0x11, 0x6C, 0xA9, 0x9E, 0x49, 0xB9, 0xF6,
++ 0x72, 0xF4, 0xF6, 0xEF, 0x88, 0x1E, 0x2D, 0x1C
++};
++
++static const unsigned char kat_RSA_PSS_SHA384[] = {
++ 0x40, 0xFB, 0xA1, 0x21, 0xF4, 0xB2, 0x40, 0x9A, 0xB4, 0x31, 0xA8, 0xF2,
++ 0xEC, 0x1C, 0xC4, 0xC8, 0x7C, 0x22, 0x65, 0x9C, 0x57, 0x45, 0xCD, 0x5E,
++ 0x86, 0x00, 0xF7, 0x25, 0x78, 0xDE, 0xDC, 0x7A, 0x71, 0x44, 0x9A, 0xCD,
++ 0xAA, 0x25, 0xF4, 0xB2, 0xFC, 0xF0, 0x75, 0xD9, 0x2F, 0x78, 0x23, 0x7F,
++ 0x6F, 0x02, 0xEF, 0xC1, 0xAF, 0xA6, 0x28, 0x16, 0x31, 0xDC, 0x42, 0x6C,
++ 0xB2, 0x44, 0xE5, 0x4D, 0x66, 0xA2, 0xE6, 0x71, 0xF3, 0xAC, 0x4F, 0xFB,
++ 0x91, 0xCA, 0xF5, 0x70, 0xEF, 0x6B, 0x9D, 0xA4, 0xEF, 0xD9, 0x3D, 0x2F,
++ 0x3A, 0xBE, 0x89, 0x38, 0x59, 0x01, 0xBA, 0xDA, 0x32, 0xAD, 0x42, 0x89,
++ 0x98, 0x8B, 0x39, 0x44, 0xF0, 0xFC, 0x38, 0xAC, 0x87, 0x1F, 0xCA, 0x6F,
++ 0x48, 0xF6, 0xAE, 0xD7, 0x45, 0xEE, 0xAE, 0x88, 0x0E, 0x60, 0xF4, 0x55,
++ 0x48, 0x44, 0xEE, 0x1F, 0x90, 0x18, 0x4B, 0xF1
++};
++
++static const unsigned char kat_RSA_PSS_SHA512[] = {
++ 0x07, 0x1E, 0xD8, 0xD5, 0x05, 0xE8, 0xE6, 0xE6, 0x57, 0xAE, 0x63, 0x8C,
++ 0xC6, 0x83, 0xB7, 0xA0, 0x59, 0xBB, 0xF2, 0xC6, 0x8F, 0x12, 0x53, 0x9A,
++ 0x9B, 0x54, 0x9E, 0xB3, 0xC1, 0x1D, 0x23, 0x4D, 0x51, 0xED, 0x9E, 0xDD,
++ 0x4B, 0xF3, 0x46, 0x9B, 0x6B, 0xF6, 0x7C, 0x24, 0x60, 0x79, 0x23, 0x39,
++ 0x01, 0x1C, 0x51, 0xCB, 0xD8, 0xE9, 0x9A, 0x01, 0x67, 0x5F, 0xFE, 0xD7,
++ 0x7C, 0xE3, 0x7F, 0xED, 0xDB, 0x87, 0xBB, 0xF0, 0x3D, 0x78, 0x55, 0x61,
++ 0x57, 0xE3, 0x0F, 0xE3, 0xD2, 0x9D, 0x0C, 0x2A, 0x20, 0xB0, 0x85, 0x13,
++ 0xC5, 0x47, 0x34, 0x0D, 0x32, 0x15, 0xC8, 0xAE, 0x9A, 0x6A, 0x39, 0x63,
++ 0x2D, 0x60, 0xF5, 0x4C, 0xDF, 0x8A, 0x48, 0x4B, 0xBF, 0xF4, 0xA8, 0xFE,
++ 0x76, 0xF2, 0x32, 0x1B, 0x9C, 0x7C, 0xCA, 0xFE, 0x7F, 0x80, 0xC2, 0x88,
++ 0x5C, 0x97, 0x70, 0xB4, 0x26, 0xC9, 0x14, 0x8B
++};
++
++static const unsigned char kat_RSA_SHA1[] = {
++ 0x71, 0xEE, 0x1A, 0xC0, 0xFE, 0x01, 0x93, 0x54, 0x79, 0x5C, 0xF2, 0x4C,
++ 0x4A, 0xFD, 0x1A, 0x05, 0x8F, 0x64, 0xB1, 0x6D, 0x61, 0x33, 0x8D, 0x9B,
++ 0xE7, 0xFD, 0x60, 0xA3, 0x83, 0xB5, 0xA3, 0x51, 0x55, 0x77, 0x90, 0xCF,
++ 0xDC, 0x22, 0x37, 0x8E, 0xD0, 0xE1, 0xAE, 0x09, 0xE3, 0x3D, 0x1E, 0xF8,
++ 0x80, 0xD1, 0x8B, 0xC2, 0xEC, 0x0A, 0xD7, 0x6B, 0x88, 0x8B, 0x8B, 0xA1,
++ 0x20, 0x22, 0xBE, 0x59, 0x5B, 0xE0, 0x23, 0x24, 0xA1, 0x49, 0x30, 0xBA,
++ 0xA9, 0x9E, 0xE8, 0xB1, 0x8A, 0x62, 0x16, 0xBF, 0x4E, 0xCA, 0x2E, 0x4E,
++ 0xBC, 0x29, 0xA8, 0x67, 0x13, 0xB7, 0x9F, 0x1D, 0x04, 0x44, 0xE5, 0x5F,
++ 0x35, 0x07, 0x11, 0xBC, 0xED, 0x19, 0x37, 0x21, 0xCF, 0x23, 0x48, 0x1F,
++ 0x72, 0x05, 0xDE, 0xE6, 0xE8, 0x7F, 0x33, 0x8A, 0x76, 0x4B, 0x2F, 0x95,
++ 0xDF, 0xF1, 0x5F, 0x84, 0x80, 0xD9, 0x46, 0xB4
++};
++
++static const unsigned char kat_RSA_SHA224[] = {
++ 0x62, 0xAA, 0x79, 0xA9, 0x18, 0x0E, 0x5F, 0x8C, 0xBB, 0xB7, 0x15, 0xF9,
++ 0x25, 0xBB, 0xFA, 0xD4, 0x3A, 0x34, 0xED, 0x9E, 0xA0, 0xA9, 0x18, 0x8D,
++ 0x5B, 0x55, 0x9A, 0x7E, 0x1E, 0x08, 0x08, 0x60, 0xC5, 0x1A, 0xC5, 0x89,
++ 0x08, 0xE2, 0x1B, 0xBD, 0x62, 0x50, 0x17, 0x76, 0x30, 0x2C, 0x9E, 0xCD,
++ 0xA4, 0x02, 0xAD, 0xB1, 0x6D, 0x44, 0x6D, 0xD5, 0xC6, 0x45, 0x41, 0xE5,
++ 0xEE, 0x1F, 0x8D, 0x7E, 0x08, 0x16, 0xA6, 0xE1, 0x5E, 0x0B, 0xA9, 0xCC,
++ 0xDB, 0x59, 0x55, 0x87, 0x09, 0x25, 0x70, 0x86, 0x84, 0x02, 0xC6, 0x3B,
++ 0x0B, 0x44, 0x4C, 0x46, 0x95, 0xF4, 0xF8, 0x5A, 0x91, 0x28, 0x3E, 0xB2,
++ 0x58, 0x2E, 0x06, 0x45, 0x49, 0xE0, 0x92, 0xE2, 0xC0, 0x66, 0xE6, 0x35,
++ 0xD9, 0x79, 0x7F, 0x17, 0x5E, 0x02, 0x73, 0x04, 0x77, 0x82, 0xE6, 0xDC,
++ 0x40, 0x21, 0x89, 0x8B, 0x37, 0x3E, 0x1E, 0x8D
++};
++
++static const unsigned char kat_RSA_SHA256[] = {
++ 0x0D, 0x55, 0xE2, 0xAA, 0x81, 0xDB, 0x8E, 0x82, 0x05, 0x17, 0xA5, 0x23,
++ 0xE7, 0x3B, 0x1D, 0xAF, 0xFB, 0x8C, 0xD0, 0x81, 0x20, 0x7B, 0xAA, 0x23,
++ 0x92, 0x87, 0x8C, 0xD1, 0x53, 0x85, 0x16, 0xDC, 0xBE, 0xAD, 0x6F, 0x35,
++ 0x98, 0x2D, 0x69, 0x84, 0xBF, 0xD9, 0x8A, 0x01, 0x17, 0x58, 0xB2, 0x6E,
++ 0x2C, 0x44, 0x9B, 0x90, 0xF1, 0xFB, 0x51, 0xE8, 0x6A, 0x90, 0x2D, 0x18,
++ 0x0E, 0xC0, 0x90, 0x10, 0x24, 0xA9, 0x1D, 0xB3, 0x58, 0x7A, 0x91, 0x30,
++ 0xBE, 0x22, 0xC7, 0xD3, 0xEC, 0xC3, 0x09, 0x5D, 0xBF, 0xE2, 0x80, 0x3A,
++ 0x7C, 0x85, 0xB4, 0xBC, 0xD1, 0xE9, 0xF0, 0x5C, 0xDE, 0x81, 0xA6, 0x38,
++ 0xB8, 0x42, 0xBB, 0x86, 0xC5, 0x9D, 0xCE, 0x7C, 0x2C, 0xEE, 0xD1, 0xDA,
++ 0x27, 0x48, 0x2B, 0xF5, 0xAB, 0xB9, 0xF7, 0x80, 0xD1, 0x90, 0x27, 0x90,
++ 0xBD, 0x44, 0x97, 0x60, 0xCD, 0x57, 0xC0, 0x7A
++};
++
++static const unsigned char kat_RSA_SHA384[] = {
++ 0x1D, 0xE3, 0x6A, 0xDD, 0x27, 0x4C, 0xC0, 0xA5, 0x27, 0xEF, 0xE6, 0x1F,
++ 0xD2, 0x91, 0x68, 0x59, 0x04, 0xAE, 0xBD, 0x99, 0x63, 0x56, 0x47, 0xC7,
++ 0x6F, 0x22, 0x16, 0x48, 0xD0, 0xF9, 0x18, 0xA9, 0xCA, 0xFA, 0x5D, 0x5C,
++ 0xA7, 0x65, 0x52, 0x8A, 0xC8, 0x44, 0x7E, 0x86, 0x5D, 0xA9, 0xA6, 0x55,
++ 0x65, 0x3E, 0xD9, 0x2D, 0x02, 0x38, 0xA8, 0x79, 0x28, 0x7F, 0xB6, 0xCF,
++ 0x82, 0xDD, 0x7E, 0x55, 0xE1, 0xB1, 0xBC, 0xE2, 0x19, 0x2B, 0x30, 0xC2,
++ 0x1B, 0x2B, 0xB0, 0x82, 0x46, 0xAC, 0x4B, 0xD1, 0xE2, 0x7D, 0xEB, 0x8C,
++ 0xFF, 0x95, 0xE9, 0x6A, 0x1C, 0x3D, 0x4D, 0xBF, 0x8F, 0x8B, 0x9C, 0xCD,
++ 0xEA, 0x85, 0xEE, 0x00, 0xDC, 0x1C, 0xA7, 0xEB, 0xD0, 0x8F, 0x99, 0xF1,
++ 0x16, 0x28, 0x24, 0x64, 0x04, 0x39, 0x2D, 0x58, 0x1E, 0x37, 0xDC, 0x04,
++ 0xBD, 0x31, 0xA2, 0x2F, 0xB3, 0x35, 0x56, 0xBF
++};
++
++static const unsigned char kat_RSA_SHA512[] = {
++ 0x69, 0x52, 0x1B, 0x51, 0x5E, 0x06, 0xCA, 0x9B, 0x16, 0x51, 0x5D, 0xCF,
++ 0x49, 0x25, 0x4A, 0xA1, 0x6A, 0x77, 0x4C, 0x36, 0x40, 0xF8, 0xB2, 0x9A,
++ 0x15, 0xEA, 0x5C, 0xE5, 0xE6, 0x82, 0xE0, 0x86, 0x82, 0x6B, 0x32, 0xF1,
++ 0x04, 0xC1, 0x5A, 0x1A, 0xED, 0x1E, 0x9A, 0xB6, 0x4C, 0x54, 0x9F, 0xD8,
++ 0x8D, 0xCC, 0xAC, 0x8A, 0xBB, 0x9C, 0x82, 0x3F, 0xA6, 0x53, 0x62, 0xB5,
++ 0x80, 0xE2, 0xBC, 0xDD, 0x67, 0x2B, 0xD9, 0x3F, 0xE4, 0x75, 0x92, 0x6B,
++ 0xAF, 0x62, 0x7C, 0x52, 0xF0, 0xEE, 0x33, 0xDF, 0x1B, 0x1D, 0x47, 0xE6,
++ 0x59, 0x56, 0xA5, 0xB9, 0x5C, 0xE6, 0x77, 0x78, 0x16, 0x63, 0x84, 0x05,
++ 0x6F, 0x0E, 0x2B, 0x31, 0x9D, 0xF7, 0x7F, 0xB2, 0x64, 0x71, 0xE0, 0x2D,
++ 0x3E, 0x62, 0xCE, 0xB5, 0x3F, 0x88, 0xDF, 0x2D, 0xAB, 0x98, 0x65, 0x91,
++ 0xDF, 0x70, 0x14, 0xA5, 0x3F, 0x36, 0xAB, 0x84
++};
++
++static const unsigned char kat_RSA_X931_SHA1[] = {
++ 0x86, 0xB4, 0x18, 0xBA, 0xD1, 0x80, 0xB6, 0x7C, 0x42, 0x45, 0x4D, 0xDF,
++ 0xE9, 0x2D, 0xE1, 0x83, 0x5F, 0xB5, 0x2F, 0xC9, 0xCD, 0xC4, 0xB2, 0x75,
++ 0x80, 0xA4, 0xF1, 0x4A, 0xE7, 0x83, 0x12, 0x1E, 0x1E, 0x14, 0xB8, 0xAC,
++ 0x35, 0xE2, 0xAA, 0x0B, 0x5C, 0xF8, 0x38, 0x4D, 0x04, 0xEE, 0xA9, 0x97,
++ 0x70, 0xFB, 0x5E, 0xE7, 0xB7, 0xE3, 0x62, 0x23, 0x4B, 0x38, 0xBE, 0xD6,
++ 0x53, 0x15, 0xF7, 0xDF, 0x87, 0xB4, 0x0E, 0xCC, 0xB1, 0x1A, 0x11, 0x19,
++ 0xEE, 0x51, 0xCC, 0x92, 0xDD, 0xBC, 0x63, 0x29, 0x63, 0x0C, 0x59, 0xD7,
++ 0x6F, 0x4C, 0x3C, 0x37, 0x5B, 0x37, 0x03, 0x61, 0x7D, 0x24, 0x1C, 0x99,
++ 0x48, 0xAF, 0x82, 0xFE, 0x32, 0x41, 0x9B, 0xB2, 0xDB, 0xEA, 0xED, 0x76,
++ 0x8E, 0x6E, 0xCA, 0x7E, 0x4E, 0x14, 0xBA, 0x30, 0x84, 0x1C, 0xB3, 0x67,
++ 0xA3, 0x29, 0x80, 0x70, 0x54, 0x68, 0x7D, 0x49
++};
++
++static const unsigned char kat_RSA_X931_SHA256[] = {
++ 0x7E, 0xA2, 0x77, 0xFE, 0xB8, 0x54, 0x8A, 0xC7, 0x7F, 0x64, 0x54, 0x89,
++ 0xE5, 0x52, 0x15, 0x8E, 0x52, 0x96, 0x4E, 0xA6, 0x58, 0x92, 0x1C, 0xDD,
++ 0xEA, 0xA2, 0x2D, 0x5C, 0xD1, 0x62, 0x00, 0x49, 0x05, 0x95, 0x73, 0xCF,
++ 0x16, 0x76, 0x68, 0xF6, 0xC6, 0x5E, 0x80, 0xB8, 0xB8, 0x7B, 0xC8, 0x9B,
++ 0xC6, 0x53, 0x88, 0x26, 0x20, 0x88, 0x73, 0xB6, 0x13, 0xB8, 0xF0, 0x4B,
++ 0x00, 0x85, 0xF3, 0xDD, 0x07, 0x50, 0xEB, 0x20, 0xC4, 0x38, 0x0E, 0x98,
++ 0xAD, 0x4E, 0x49, 0x2C, 0xD7, 0x65, 0xA5, 0x19, 0x0E, 0x59, 0x01, 0xEC,
++ 0x7E, 0x75, 0x89, 0x69, 0x2E, 0x63, 0x76, 0x85, 0x46, 0x8D, 0xA0, 0x8C,
++ 0x33, 0x1D, 0x82, 0x8C, 0x03, 0xEA, 0x69, 0x88, 0x35, 0xA1, 0x42, 0xBD,
++ 0x21, 0xED, 0x8D, 0xBC, 0xBC, 0xDB, 0x30, 0xFF, 0x86, 0xF0, 0x5B, 0xDC,
++ 0xE3, 0xE2, 0xE8, 0x0A, 0x0A, 0x29, 0x94, 0x80
++};
++
++static const unsigned char kat_RSA_X931_SHA384[] = {
++ 0x5C, 0x7D, 0x96, 0x35, 0xEC, 0x7E, 0x11, 0x38, 0xBB, 0x7B, 0xEC, 0x7B,
++ 0xF2, 0x82, 0x8E, 0x99, 0xBD, 0xEF, 0xD8, 0xAE, 0xD7, 0x39, 0x37, 0xCB,
++ 0xE6, 0x4F, 0x5E, 0x0A, 0x13, 0xE4, 0x2E, 0x40, 0xB9, 0xBE, 0x2E, 0xE3,
++ 0xEF, 0x78, 0x83, 0x18, 0x44, 0x35, 0x9C, 0x8E, 0xD7, 0x4A, 0x63, 0xF6,
++ 0x57, 0xC2, 0xB0, 0x08, 0x51, 0x73, 0xCF, 0xCA, 0x99, 0x66, 0xEE, 0x31,
++ 0xD8, 0x69, 0xE9, 0xAB, 0x13, 0x27, 0x7B, 0x41, 0x1E, 0x6D, 0x8D, 0xF1,
++ 0x3E, 0x9C, 0x35, 0x95, 0x58, 0xDD, 0x2B, 0xD5, 0xA0, 0x60, 0x41, 0x79,
++ 0x24, 0x22, 0xE4, 0xB7, 0xBF, 0x47, 0x53, 0xF6, 0x34, 0xD5, 0x7C, 0xFF,
++ 0x0E, 0x09, 0xEE, 0x2E, 0xE2, 0x37, 0xB9, 0xDE, 0xC5, 0x12, 0x44, 0x35,
++ 0xEF, 0x01, 0xE6, 0x5E, 0x39, 0x31, 0x2D, 0x71, 0xA5, 0xDC, 0xC6, 0x6D,
++ 0xE2, 0xCD, 0x85, 0xDB, 0x73, 0x82, 0x65, 0x28
++};
++
++static const unsigned char kat_RSA_X931_SHA512[] = {
++ 0xA6, 0x65, 0xA2, 0x77, 0x4F, 0xB3, 0x86, 0xCB, 0x64, 0x3A, 0xC1, 0x63,
++ 0xFC, 0xA1, 0xAA, 0xCB, 0x9B, 0x79, 0xDD, 0x4B, 0xE1, 0xD9, 0xDA, 0xAC,
++ 0xE7, 0x47, 0x09, 0xB2, 0x11, 0x4B, 0x8A, 0xAA, 0x05, 0x9E, 0x77, 0xD7,
++ 0x3A, 0xBD, 0x5E, 0x53, 0x09, 0x4A, 0xE6, 0x0F, 0x5E, 0xF9, 0x14, 0x28,
++ 0xA0, 0x99, 0x74, 0x64, 0x70, 0x4E, 0xF2, 0xE3, 0xFA, 0xC7, 0xF8, 0xC5,
++ 0x6E, 0x2B, 0x79, 0x96, 0x0D, 0x0C, 0xC8, 0x10, 0x34, 0x53, 0xD2, 0xAF,
++ 0x17, 0x0E, 0xE0, 0xBF, 0x79, 0xF6, 0x04, 0x72, 0x10, 0xE0, 0xF6, 0xD0,
++ 0xCE, 0x8A, 0x6F, 0xA1, 0x95, 0x89, 0xBF, 0x58, 0x8F, 0x46, 0x5F, 0x09,
++ 0x9F, 0x09, 0xCA, 0x84, 0x15, 0x85, 0xE0, 0xED, 0x04, 0x2D, 0xFB, 0x7C,
++ 0x36, 0x35, 0x21, 0x31, 0xC3, 0xFD, 0x92, 0x42, 0x11, 0x30, 0x71, 0x1B,
++ 0x60, 0x83, 0x18, 0x88, 0xA3, 0xF5, 0x59, 0xC3
++};
++
++int FIPS_selftest_rsa()
++{
++ int ret = 0;
++ RSA *key;
++ EVP_PKEY *pk = NULL;
++
++ if ((key = RSA_new()) == NULL)
++ goto err;
++ setrsakey(key);
++ if ((pk = EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_assign_RSA(pk, key);
++
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA1, sizeof(kat_RSA_SHA1),
++ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA1 PKCS#1"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA224, sizeof(kat_RSA_SHA224),
++ EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA224 PKCS#1"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA256, sizeof(kat_RSA_SHA256),
++ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA256 PKCS#1"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA384, sizeof(kat_RSA_SHA384),
++ EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA384 PKCS#1"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_SHA512, sizeof(kat_RSA_SHA512),
++ EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++ "RSA SHA512 PKCS#1"))
++ goto err;
++
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA1, sizeof(kat_RSA_PSS_SHA1),
++ EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS,
++ "RSA SHA1 PSS"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA224,
++ sizeof(kat_RSA_PSS_SHA224), EVP_sha224(),
++ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA224 PSS"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA256,
++ sizeof(kat_RSA_PSS_SHA256), EVP_sha256(),
++ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA256 PSS"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA384,
++ sizeof(kat_RSA_PSS_SHA384), EVP_sha384(),
++ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA384 PSS"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_PSS_SHA512,
++ sizeof(kat_RSA_PSS_SHA512), EVP_sha512(),
++ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA512 PSS"))
++ goto err;
++
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_X931_SHA1,
++ sizeof(kat_RSA_X931_SHA1), EVP_sha1(),
++ EVP_MD_CTX_FLAG_PAD_X931, "RSA SHA1 X931"))
++ goto err;
++ /* NB: SHA224 not supported in X9.31 */
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_X931_SHA256,
++ sizeof(kat_RSA_X931_SHA256), EVP_sha256(),
++ EVP_MD_CTX_FLAG_PAD_X931,
++ "RSA SHA256 X931"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_X931_SHA384,
++ sizeof(kat_RSA_X931_SHA384), EVP_sha384(),
++ EVP_MD_CTX_FLAG_PAD_X931,
++ "RSA SHA384 X931"))
++ goto err;
++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++ kat_RSA_X931_SHA512,
++ sizeof(kat_RSA_X931_SHA512), EVP_sha512(),
++ EVP_MD_CTX_FLAG_PAD_X931,
++ "RSA SHA512 X931"))
++ goto err;
++
++ ret = 1;
++
++ err:
++ if (pk)
++ EVP_PKEY_free(pk);
++ else if (key)
++ RSA_free(key);
++ return ret;
++}
++
++#endif /* def OPENSSL_FIPS */
+diff -up openssl-1.0.2c/crypto/fips/fips_rsa_x931g.c.fips openssl-1.0.2c/crypto/fips/fips_rsa_x931g.c
+--- openssl-1.0.2c/crypto/fips/fips_rsa_x931g.c.fips 2015-06-15 17:30:00.011284051 +0200
++++ openssl-1.0.2c/crypto/fips/fips_rsa_x931g.c 2015-06-15 17:30:00.011284051 +0200
+@@ -0,0 +1,273 @@
++/* crypto/rsa/rsa_gen.c */
++/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
++ * All rights reserved.
++ *
++ * This package is an SSL implementation written
++ * by Eric Young (eay at cryptsoft.com).
++ * The implementation was written so as to conform with Netscapes SSL.
++ *
++ * This library is free for commercial and non-commercial use as long as
++ * the following conditions are aheared to. The following conditions
++ * apply to all code found in this distribution, be it the RC4, RSA,
++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
++ * included with this distribution is covered by the same copyright terms
++ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
++ *
++ * Copyright remains Eric Young's, and as such any Copyright notices in
++ * the code are not to be removed.
++ * If this package is used in a product, Eric Young should be given attribution
++ * as the author of the parts of the library used.
++ * This can be in the form of a textual message at program startup or
++ * in documentation (online or textual) provided with the package.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ * must display the following acknowledgement:
++ * "This product includes cryptographic software written by
++ * Eric Young (eay at cryptsoft.com)"
++ * The word 'cryptographic' can be left out if the rouines from the library
++ * being used are not cryptographic related :-).
++ * 4. If you include any Windows specific code (or a derivative thereof) from
++ * the apps directory (application code) you must include an acknowledgement:
++ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ * The licence and distribution terms for any publically available version or
++ * derivative of this code cannot be changed. i.e. this code cannot simply be
++ * copied and put under another distribution licence
++ * [including the GNU Public Licence.]
++ */
++
++#include <stdio.h>
++#include <string.h>
++#include <time.h>
++#include <openssl/err.h>
++#include <openssl/bn.h>
++#include <openssl/rsa.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++
++extern int fips_check_rsa(RSA *rsa);
++#endif
++
++/* X9.31 RSA key derivation and generation */
++
++int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1,
++ BIGNUM *q2, const BIGNUM *Xp1, const BIGNUM *Xp2,
++ const BIGNUM *Xp, const BIGNUM *Xq1, const BIGNUM *Xq2,
++ const BIGNUM *Xq, const BIGNUM *e, BN_GENCB *cb)
++{
++ BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL;
++ BN_CTX *ctx = NULL, *ctx2 = NULL;
++
++ if (!rsa)
++ goto err;
++
++ ctx = BN_CTX_new();
++ if (!ctx)
++ goto err;
++ BN_CTX_start(ctx);
++
++ r0 = BN_CTX_get(ctx);
++ r1 = BN_CTX_get(ctx);
++ r2 = BN_CTX_get(ctx);
++ r3 = BN_CTX_get(ctx);
++
++ if (r3 == NULL)
++ goto err;
++ if (!rsa->e) {
++ rsa->e = BN_dup(e);
++ if (!rsa->e)
++ goto err;
++ } else
++ e = rsa->e;
++
++ /* If not all parameters present only calculate what we can.
++ * This allows test programs to output selective parameters.
++ */
++
++ if (Xp && !rsa->p) {
++ rsa->p = BN_new();
++ if (!rsa->p)
++ goto err;
++
++ if (!BN_X931_derive_prime_ex(rsa->p, p1, p2,
++ Xp, Xp1, Xp2, e, ctx, cb))
++ goto err;
++ }
++
++ if (Xq && !rsa->q) {
++ rsa->q = BN_new();
++ if (!rsa->q)
++ goto err;
++ if (!BN_X931_derive_prime_ex(rsa->q, q1, q2,
++ Xq, Xq1, Xq2, e, ctx, cb))
++ goto err;
++ }
++
++ if (!rsa->p || !rsa->q) {
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++ return 2;
++ }
++
++ /* Since both primes are set we can now calculate all remaining
++ * components.
++ */
++
++ /* calculate n */
++ rsa->n = BN_new();
++ if (rsa->n == NULL)
++ goto err;
++ if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
++ goto err;
++
++ /* calculate d */
++ if (!BN_sub(r1, rsa->p, BN_value_one()))
++ goto err; /* p-1 */
++ if (!BN_sub(r2, rsa->q, BN_value_one()))
++ goto err; /* q-1 */
++ if (!BN_mul(r0, r1, r2, ctx))
++ goto err; /* (p-1)(q-1) */
++
++ if (!BN_gcd(r3, r1, r2, ctx))
++ goto err;
++
++ if (!BN_div(r0, NULL, r0, r3, ctx))
++ goto err; /* LCM((p-1)(q-1)) */
++
++ ctx2 = BN_CTX_new();
++ if (!ctx2)
++ goto err;
++
++ rsa->d = BN_mod_inverse(NULL, rsa->e, r0, ctx2); /* d */
++ if (rsa->d == NULL)
++ goto err;
++
++ /* calculate d mod (p-1) */
++ rsa->dmp1 = BN_new();
++ if (rsa->dmp1 == NULL)
++ goto err;
++ if (!BN_mod(rsa->dmp1, rsa->d, r1, ctx))
++ goto err;
++
++ /* calculate d mod (q-1) */
++ rsa->dmq1 = BN_new();
++ if (rsa->dmq1 == NULL)
++ goto err;
++ if (!BN_mod(rsa->dmq1, rsa->d, r2, ctx))
++ goto err;
++
++ /* calculate inverse of q mod p */
++ rsa->iqmp = BN_mod_inverse(NULL, rsa->q, rsa->p, ctx2);
++
++ err:
++ if (ctx) {
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++ }
++ if (ctx2)
++ BN_CTX_free(ctx2);
++ /* If this is set all calls successful */
++ if (rsa && rsa->iqmp != NULL)
++ return 1;
++
++ return 0;
++
++}
++
++int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e,
++ BN_GENCB *cb)
++{
++ int ok = 0;
++ BIGNUM *Xp = NULL, *Xq = NULL;
++ BN_CTX *ctx = NULL;
++
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) &&
++ (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
++ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX, FIPS_R_KEY_TOO_SHORT);
++ return 0;
++ }
++
++ if (bits & 0xff) {
++ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX, FIPS_R_INVALID_KEY_LENGTH);
++ return 0;
++ }
++
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX, FIPS_R_FIPS_SELFTEST_FAILED);
++ return 0;
++ }
++#endif
++
++ ctx = BN_CTX_new();
++ if (!ctx)
++ goto error;
++
++ BN_CTX_start(ctx);
++ Xp = BN_CTX_get(ctx);
++ Xq = BN_CTX_get(ctx);
++ if (!BN_X931_generate_Xpq(Xp, Xq, bits, ctx))
++ goto error;
++
++ rsa->p = BN_new();
++ rsa->q = BN_new();
++ if (!rsa->p || !rsa->q)
++ goto error;
++
++ /* Generate two primes from Xp, Xq */
++
++ if (!BN_X931_generate_prime_ex(rsa->p, NULL, NULL, NULL, NULL, Xp,
++ e, ctx, cb))
++ goto error;
++
++ if (!BN_X931_generate_prime_ex(rsa->q, NULL, NULL, NULL, NULL, Xq,
++ e, ctx, cb))
++ goto error;
++
++ /* Since rsa->p and rsa->q are valid this call will just derive
++ * remaining RSA components.
++ */
++
++ if (!RSA_X931_derive_ex(rsa, NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL, NULL, NULL, e, cb))
++ goto error;
++
++#ifdef OPENSSL_FIPS
++ if (!fips_check_rsa(rsa))
++ goto error;
++#endif
++
++ ok = 1;
++
++ error:
++ if (ctx) {
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++ }
++
++ if (ok)
++ return 1;
++
++ return 0;
++
++}
+diff -up openssl-1.0.2c/crypto/fips/fips_sha_selftest.c.fips openssl-1.0.2c/crypto/fips/fips_sha_selftest.c
+--- openssl-1.0.2c/crypto/fips/fips_sha_selftest.c.fips 2015-06-15 17:30:00.011284051 +0200
++++ openssl-1.0.2c/crypto/fips/fips_sha_selftest.c 2015-06-15 17:30:00.011284051 +0200
+@@ -0,0 +1,145 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++#include <openssl/evp.h>
++#include <openssl/sha.h>
++
++#ifdef OPENSSL_FIPS
++static const char test[][60] = {
++ "",
++ "abc",
++ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
++};
++
++static const unsigned char ret[][SHA_DIGEST_LENGTH] = {
++ {0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55,
++ 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09},
++ {0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a, 0xba, 0x3e,
++ 0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d},
++ {0x84, 0x98, 0x3e, 0x44, 0x1c, 0x3b, 0xd2, 0x6e, 0xba, 0xae,
++ 0x4a, 0xa1, 0xf9, 0x51, 0x29, 0xe5, 0xe5, 0x46, 0x70, 0xf1},
++};
++
++static int corrupt_sha;
++
++void FIPS_corrupt_sha1()
++{
++ corrupt_sha = 1;
++}
++
++int FIPS_selftest_sha1()
++{
++ int n;
++
++ for (n = 0; n < sizeof(test) / sizeof(test[0]); ++n) {
++ unsigned char md[SHA_DIGEST_LENGTH];
++
++ EVP_Digest(test[n], strlen(test[n]) + corrupt_sha, md, NULL,
++ EVP_sha1(), NULL);
++ if (memcmp(md, ret[n], sizeof md)) {
++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA1, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++ }
++ return 1;
++}
++
++static const unsigned char msg_sha256[] =
++ { 0xfa, 0x48, 0x59, 0x2a, 0xe1, 0xae, 0x1f, 0x30,
++ 0xfc
++};
++
++static const unsigned char dig_sha256[] =
++ { 0xf7, 0x26, 0xd8, 0x98, 0x47, 0x91, 0x68, 0x5b,
++ 0x9e, 0x39, 0xb2, 0x58, 0xbb, 0x75, 0xbf, 0x01,
++ 0x17, 0x0c, 0x84, 0x00, 0x01, 0x7a, 0x94, 0x83,
++ 0xf3, 0x0b, 0x15, 0x84, 0x4b, 0x69, 0x88, 0x8a
++};
++
++static const unsigned char msg_sha512[] =
++ { 0x37, 0xd1, 0x35, 0x9d, 0x18, 0x41, 0xe9, 0xb7,
++ 0x6d, 0x9a, 0x13, 0xda, 0x5f, 0xf3, 0xbd
++};
++
++static const unsigned char dig_sha512[] =
++ { 0x11, 0x13, 0xc4, 0x19, 0xed, 0x2b, 0x1d, 0x16,
++ 0x11, 0xeb, 0x9b, 0xbe, 0xf0, 0x7f, 0xcf, 0x44,
++ 0x8b, 0xd7, 0x57, 0xbd, 0x8d, 0xa9, 0x25, 0xb0,
++ 0x47, 0x25, 0xd6, 0x6c, 0x9a, 0x54, 0x7f, 0x8f,
++ 0x0b, 0x53, 0x1a, 0x10, 0x68, 0x32, 0x03, 0x38,
++ 0x82, 0xc4, 0x87, 0xc4, 0xea, 0x0e, 0xd1, 0x04,
++ 0xa9, 0x98, 0xc1, 0x05, 0xa3, 0xf3, 0xf8, 0xb1,
++ 0xaf, 0xbc, 0xd9, 0x78, 0x7e, 0xee, 0x3d, 0x43
++};
++
++int FIPS_selftest_sha2(void)
++{
++ unsigned char md[SHA512_DIGEST_LENGTH];
++
++ EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL);
++ if (memcmp(dig_sha256, md, sizeof(dig_sha256))) {
++ FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++
++ EVP_Digest(msg_sha512, sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL);
++ if (memcmp(dig_sha512, md, sizeof(dig_sha512))) {
++ FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++
++ return 1;
++}
++
++#endif
+diff -up openssl-1.0.2c/crypto/fips/fips_standalone_hmac.c.fips openssl-1.0.2c/crypto/fips/fips_standalone_hmac.c
+--- openssl-1.0.2c/crypto/fips/fips_standalone_hmac.c.fips 2015-06-15 17:30:00.011284051 +0200
++++ openssl-1.0.2c/crypto/fips/fips_standalone_hmac.c 2015-06-15 17:30:00.011284051 +0200
+@@ -0,0 +1,268 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * openssl-core at openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <openssl/opensslconf.h>
++#include <openssl/sha.h>
++#include <openssl/hmac.h>
++
++#ifndef FIPSCANISTER_O
++int FIPS_selftest_failed()
++{
++ return 0;
++}
++
++void FIPS_selftest_check()
++{
++}
++#endif
++
++#ifdef OPENSSL_FIPS
++int bn_mul_mont_fpu64(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
++ const BN_ULONG *np, const BN_ULONG *n0, int num)
++{
++ return 0;
++};
++
++int bn_mul_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
++ const BN_ULONG *np, const BN_ULONG *n0, int num)
++{
++ return 0;
++};
++
++# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
++ defined(__INTEL__) || \
++ defined(__x86_64) || defined(__x86_64__) || \
++ defined(_M_AMD64) || defined(_M_X64)
++
++unsigned int OPENSSL_ia32cap_P[4];
++unsigned long *OPENSSL_ia32cap_loc(void)
++{
++ if (sizeof(long) == 4)
++ /*
++ * If 32-bit application pulls address of OPENSSL_ia32cap_P[0]
++ * clear second element to maintain the illusion that vector
++ * is 32-bit.
++ */
++ OPENSSL_ia32cap_P[1] = 0;
++
++ OPENSSL_ia32cap_P[2] = 0;
++
++ return (unsigned long *)OPENSSL_ia32cap_P;
++}
++
++# if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM) && !defined(I386_ONLY)
++# define OPENSSL_CPUID_SETUP
++# if defined(_WIN32)
++typedef unsigned __int64 IA32CAP;
++# else
++typedef unsigned long long IA32CAP;
++# endif
++void OPENSSL_cpuid_setup(void)
++{
++ static int trigger = 0;
++ IA32CAP OPENSSL_ia32_cpuid(unsigned int *);
++ IA32CAP vec;
++ char *env;
++
++ if (trigger)
++ return;
++
++ trigger = 1;
++ if ((env = getenv("OPENSSL_ia32cap"))) {
++ int off = (env[0] == '~') ? 1 : 0;
++# if defined(_WIN32)
++ if (!sscanf(env + off, "%I64i", &vec))
++ vec = strtoul(env + off, NULL, 0);
++# else
++ if (!sscanf(env + off, "%lli", (long long *)&vec))
++ vec = strtoul(env + off, NULL, 0);
++# endif
++ if (off)
++ vec = OPENSSL_ia32_cpuid(OPENSSL_ia32cap_P) & ~vec;
++ else if (env[0] == ':')
++ vec = OPENSSL_ia32_cpuid(OPENSSL_ia32cap_P);
++
++ OPENSSL_ia32cap_P[2] = 0;
++ if ((env = strchr(env, ':'))) {
++ unsigned int vecx;
++ env++;
++ off = (env[0] == '~') ? 1 : 0;
++ vecx = strtoul(env + off, NULL, 0);
++ if (off)
++ OPENSSL_ia32cap_P[2] &= ~vecx;
++ else
++ OPENSSL_ia32cap_P[2] = vecx;
++ }
++ } else
++ vec = OPENSSL_ia32_cpuid(OPENSSL_ia32cap_P);
++
++ /*
++ * |(1<<10) sets a reserved bit to signal that variable
++ * was initialized already... This is to avoid interference
++ * with cpuid snippets in ELF .init segment.
++ */
++ OPENSSL_ia32cap_P[0] = (unsigned int)vec | (1 << 10);
++ OPENSSL_ia32cap_P[1] = (unsigned int)(vec >> 32);
++}
++# else
++unsigned int OPENSSL_ia32cap_P[4];
++# endif
++
++# else
++unsigned long *OPENSSL_ia32cap_loc(void)
++{
++ return NULL;
++}
++# endif
++int OPENSSL_NONPIC_relocated = 0;
++# if !defined(OPENSSL_CPUID_SETUP) && !defined(OPENSSL_CPUID_OBJ)
++void OPENSSL_cpuid_setup(void)
++{
++}
++# endif
++
++static void hmac_init(SHA256_CTX *md_ctx, SHA256_CTX *o_ctx, const char *key)
++{
++ size_t len = strlen(key);
++ int i;
++ unsigned char keymd[HMAC_MAX_MD_CBLOCK];
++ unsigned char pad[HMAC_MAX_MD_CBLOCK];
++
++ if (len > SHA_CBLOCK) {
++ SHA256_Init(md_ctx);
++ SHA256_Update(md_ctx, key, len);
++ SHA256_Final(keymd, md_ctx);
++ len = SHA256_DIGEST_LENGTH;
++ } else
++ memcpy(keymd, key, len);
++ memset(&keymd[len], '\0', HMAC_MAX_MD_CBLOCK - len);
++
++ for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++)
++ pad[i] = 0x36 ^ keymd[i];
++ SHA256_Init(md_ctx);
++ SHA256_Update(md_ctx, pad, SHA256_CBLOCK);
++
++ for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++)
++ pad[i] = 0x5c ^ keymd[i];
++ SHA256_Init(o_ctx);
++ SHA256_Update(o_ctx, pad, SHA256_CBLOCK);
++}
++
++static void hmac_final(unsigned char *md, SHA256_CTX *md_ctx,
++ SHA256_CTX *o_ctx)
++{
++ unsigned char buf[SHA256_DIGEST_LENGTH];
++
++ SHA256_Final(buf, md_ctx);
++ SHA256_Update(o_ctx, buf, sizeof buf);
++ SHA256_Final(md, o_ctx);
++}
++
++#endif
++
++int main(int argc, char **argv)
++{
++#ifdef OPENSSL_FIPS
++ static char key[] = "orboDeJITITejsirpADONivirpUkvarP";
++ int n, binary = 0;
++
++ if (argc < 2) {
++ fprintf(stderr, "%s [<file>]+\n", argv[0]);
++ exit(1);
++ }
++
++ n = 1;
++ if (!strcmp(argv[n], "-binary")) {
++ n++;
++ binary = 1; /* emit binary fingerprint... */
++ }
++
++ for (; n < argc; ++n) {
++ FILE *f = fopen(argv[n], "rb");
++ SHA256_CTX md_ctx, o_ctx;
++ unsigned char md[SHA256_DIGEST_LENGTH];
++ int i;
++
++ if (!f) {
++ perror(argv[n]);
++ exit(2);
++ }
++
++ hmac_init(&md_ctx, &o_ctx, key);
++ for (;;) {
++ char buf[1024];
++ size_t l = fread(buf, 1, sizeof buf, f);
++
++ if (l == 0) {
++ if (ferror(f)) {
++ perror(argv[n]);
++ exit(3);
++ } else
++ break;
++ }
++ SHA256_Update(&md_ctx, buf, l);
++ }
++ hmac_final(md, &md_ctx, &o_ctx);
++
++ if (binary) {
++ fwrite(md, SHA256_DIGEST_LENGTH, 1, stdout);
++ break; /* ... for single(!) file */
++ }
++
++/* printf("HMAC-SHA1(%s)= ",argv[n]); */
++ for (i = 0; i < SHA256_DIGEST_LENGTH; ++i)
++ printf("%02x", md[i]);
++ printf("\n");
++ }
++#endif
++ return 0;
++}
+diff -up openssl-1.0.2c/crypto/fips/fips_test_suite.c.fips openssl-1.0.2c/crypto/fips/fips_test_suite.c
+--- openssl-1.0.2c/crypto/fips/fips_test_suite.c.fips 2015-06-15 17:30:00.012284074 +0200
++++ openssl-1.0.2c/crypto/fips/fips_test_suite.c 2015-06-15 17:30:00.012284074 +0200
+@@ -0,0 +1,639 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
++ *
++ *
++ * This command is intended as a test driver for the FIPS-140 testing
++ * lab performing FIPS-140 validation. It demonstrates the use of the
++ * OpenSSL library ito perform a variety of common cryptographic
++ * functions. A power-up self test is demonstrated by deliberately
++ * pointing to an invalid executable hash
++ *
++ * Contributed by Steve Marquess.
++ *
++ */
++#include <stdio.h>
++#include <assert.h>
++#include <ctype.h>
++#include <string.h>
++#include <stdlib.h>
++#include <openssl/aes.h>
++#include <openssl/des.h>
++#include <openssl/rsa.h>
++#include <openssl/dsa.h>
++#include <openssl/dh.h>
++#include <openssl/hmac.h>
++#include <openssl/err.h>
++
++#include <openssl/bn.h>
++#include <openssl/rand.h>
++#include <openssl/sha.h>
++
++#ifndef OPENSSL_FIPS
++int main(int argc, char *argv[])
++{
++ printf("No FIPS support\n");
++ return (0);
++}
++#else
++
++# include <openssl/fips.h>
++# include "fips_utl.h"
++
++/* AES: encrypt and decrypt known plaintext, verify result matches original plaintext
++*/
++static int FIPS_aes_test(void)
++{
++ int ret = 0;
++ unsigned char pltmp[16];
++ unsigned char citmp[16];
++ unsigned char key[16] =
++ { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
++ unsigned char plaintext[16] = "etaonrishdlcu";
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++ if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(), NULL, key, NULL, 1) <= 0)
++ goto err;
++ EVP_Cipher(&ctx, citmp, plaintext, 16);
++ if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(), NULL, key, NULL, 0) <= 0)
++ goto err;
++ EVP_Cipher(&ctx, pltmp, citmp, 16);
++ if (memcmp(pltmp, plaintext, 16))
++ goto err;
++ ret = 1;
++ err:
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ return ret;
++}
++
++static int FIPS_des3_test(void)
++{
++ int ret = 0;
++ unsigned char pltmp[8];
++ unsigned char citmp[8];
++ unsigned char key[] =
++ { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18,
++ 19, 20, 21, 22, 23, 24
++ };
++ unsigned char plaintext[] = { 'e', 't', 'a', 'o', 'n', 'r', 'i', 's' };
++ EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX_init(&ctx);
++ if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(), NULL, key, NULL, 1) <= 0)
++ goto err;
++ EVP_Cipher(&ctx, citmp, plaintext, 8);
++ if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(), NULL, key, NULL, 0) <= 0)
++ goto err;
++ EVP_Cipher(&ctx, pltmp, citmp, 8);
++ if (memcmp(pltmp, plaintext, 8))
++ goto err;
++ ret = 1;
++ err:
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ return ret;
++}
++
++/*
++ * DSA: generate keys and sign, verify input plaintext.
++ */
++static int FIPS_dsa_test(int bad)
++{
++ DSA *dsa = NULL;
++ EVP_PKEY pk;
++ unsigned char dgst[] = "etaonrishdlc";
++ unsigned char buf[60];
++ unsigned int slen;
++ int r = 0;
++ EVP_MD_CTX mctx;
++
++ ERR_clear_error();
++ EVP_MD_CTX_init(&mctx);
++ dsa = DSA_new();
++ if (!dsa)
++ goto end;
++ if (!DSA_generate_parameters_ex(dsa, 1024, NULL, 0, NULL, NULL, NULL))
++ goto end;
++ if (!DSA_generate_key(dsa))
++ goto end;
++ if (bad)
++ BN_add_word(dsa->pub_key, 1);
++
++ pk.type = EVP_PKEY_DSA;
++ pk.pkey.dsa = dsa;
++
++ if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL))
++ goto end;
++ if (!EVP_SignUpdate(&mctx, dgst, sizeof(dgst) - 1))
++ goto end;
++ if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
++ goto end;
++
++ if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL))
++ goto end;
++ if (!EVP_VerifyUpdate(&mctx, dgst, sizeof(dgst) - 1))
++ goto end;
++ r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
++ end:
++ EVP_MD_CTX_cleanup(&mctx);
++ if (dsa)
++ DSA_free(dsa);
++ if (r != 1)
++ return 0;
++ return 1;
++}
++
++/*
++ * RSA: generate keys and sign, verify input plaintext.
++ */
++static int FIPS_rsa_test(int bad)
++{
++ RSA *key;
++ unsigned char input_ptext[] = "etaonrishdlc";
++ unsigned char buf[256];
++ unsigned int slen;
++ BIGNUM *bn;
++ EVP_MD_CTX mctx;
++ EVP_PKEY pk;
++ int r = 0;
++
++ ERR_clear_error();
++ EVP_MD_CTX_init(&mctx);
++ key = RSA_new();
++ bn = BN_new();
++ if (!key || !bn)
++ return 0;
++ BN_set_word(bn, 65537);
++ if (!RSA_generate_key_ex(key, 1024, bn, NULL))
++ return 0;
++ BN_free(bn);
++ if (bad)
++ BN_add_word(key->n, 1);
++
++ pk.type = EVP_PKEY_RSA;
++ pk.pkey.rsa = key;
++
++ if (!EVP_SignInit_ex(&mctx, EVP_sha1(), NULL))
++ goto end;
++ if (!EVP_SignUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
++ goto end;
++ if (!EVP_SignFinal(&mctx, buf, &slen, &pk))
++ goto end;
++
++ if (!EVP_VerifyInit_ex(&mctx, EVP_sha1(), NULL))
++ goto end;
++ if (!EVP_VerifyUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1))
++ goto end;
++ r = EVP_VerifyFinal(&mctx, buf, slen, &pk);
++ end:
++ EVP_MD_CTX_cleanup(&mctx);
++ if (key)
++ RSA_free(key);
++ if (r != 1)
++ return 0;
++ return 1;
++}
++
++/* SHA1: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_sha1_test()
++{
++ unsigned char digest[SHA_DIGEST_LENGTH] =
++ { 0x11, 0xf1, 0x9a, 0x3a, 0xec, 0x1a, 0x1e, 0x8e, 0x65, 0xd4, 0x9a,
++0x38, 0x0c, 0x8b, 0x1e, 0x2c, 0xe8, 0xb3, 0xc5, 0x18 };
++ unsigned char str[] = "etaonrishd";
++
++ unsigned char md[SHA_DIGEST_LENGTH];
++
++ ERR_clear_error();
++ if (!EVP_Digest(str, sizeof(str) - 1, md, NULL, EVP_sha1(), NULL))
++ return 0;
++ if (memcmp(md, digest, sizeof(md)))
++ return 0;
++ return 1;
++}
++
++/* SHA256: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_sha256_test()
++{
++ unsigned char digest[SHA256_DIGEST_LENGTH] =
++ { 0xf5, 0x53, 0xcd, 0xb8, 0xcf, 0x1, 0xee, 0x17, 0x9b, 0x93, 0xc9,
++0x68, 0xc0, 0xea, 0x40, 0x91,
++ 0x6, 0xec, 0x8e, 0x11, 0x96, 0xc8, 0x5d, 0x1c, 0xaf, 0x64, 0x22, 0xe6,
++ 0x50, 0x4f, 0x47, 0x57
++ };
++ unsigned char str[] = "etaonrishd";
++
++ unsigned char md[SHA256_DIGEST_LENGTH];
++
++ ERR_clear_error();
++ if (!EVP_Digest(str, sizeof(str) - 1, md, NULL, EVP_sha256(), NULL))
++ return 0;
++ if (memcmp(md, digest, sizeof(md)))
++ return 0;
++ return 1;
++}
++
++/* SHA512: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_sha512_test()
++{
++ unsigned char digest[SHA512_DIGEST_LENGTH] =
++ { 0x99, 0xc9, 0xe9, 0x5b, 0x88, 0xd4, 0x78, 0x88, 0xdf, 0x88, 0x5f,
++0x94, 0x71, 0x64, 0x28, 0xca,
++ 0x16, 0x1f, 0x3d, 0xf4, 0x1f, 0xf3, 0x0f, 0xc5, 0x03, 0x99, 0xb2,
++ 0xd0, 0xe7, 0x0b, 0x94, 0x4a,
++ 0x45, 0xd2, 0x6c, 0x4f, 0x20, 0x06, 0xef, 0x71, 0xa9, 0x25, 0x7f,
++ 0x24, 0xb1, 0xd9, 0x40, 0x22,
++ 0x49, 0x54, 0x10, 0xc2, 0x22, 0x9d, 0x27, 0xfe, 0xbd, 0xd6, 0xd6,
++ 0xeb, 0x2d, 0x42, 0x1d, 0xa3
++ };
++ unsigned char str[] = "etaonrishd";
++
++ unsigned char md[SHA512_DIGEST_LENGTH];
++
++ ERR_clear_error();
++ if (!EVP_Digest(str, sizeof(str) - 1, md, NULL, EVP_sha512(), NULL))
++ return 0;
++ if (memcmp(md, digest, sizeof(md)))
++ return 0;
++ return 1;
++}
++
++/* HMAC-SHA1: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_hmac_sha1_test()
++{
++ unsigned char key[] = "etaonrishd";
++ unsigned char iv[] = "Sample text";
++ unsigned char kaval[EVP_MAX_MD_SIZE] =
++ { 0x73, 0xf7, 0xa0, 0x48, 0xf8, 0x94, 0xed, 0xdd, 0x0a, 0xea, 0xea,
++0x56, 0x1b, 0x61, 0x2e, 0x70,
++ 0xb2, 0xfb, 0xec, 0xc6
++ };
++
++ unsigned char out[EVP_MAX_MD_SIZE];
++ unsigned int outlen;
++
++ ERR_clear_error();
++ if (!HMAC
++ (EVP_sha1(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out, &outlen))
++ return 0;
++ if (memcmp(out, kaval, outlen))
++ return 0;
++ return 1;
++}
++
++/* HMAC-SHA224: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_hmac_sha224_test()
++{
++ unsigned char key[] = "etaonrishd";
++ unsigned char iv[] = "Sample text";
++ unsigned char kaval[EVP_MAX_MD_SIZE] =
++ { 0x75, 0x58, 0xd5, 0xbd, 0x55, 0x6d, 0x87, 0x0f, 0x75, 0xff, 0xbe,
++0x1c, 0xb2, 0xf0, 0x20, 0x35,
++ 0xe5, 0x62, 0x49, 0xb6, 0x94, 0xb9, 0xfc, 0x65, 0x34, 0x33, 0x3a, 0x19
++ };
++
++ unsigned char out[EVP_MAX_MD_SIZE];
++ unsigned int outlen;
++
++ ERR_clear_error();
++ if (!HMAC
++ (EVP_sha224(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out,
++ &outlen))
++ return 0;
++ if (memcmp(out, kaval, outlen))
++ return 0;
++ return 1;
++}
++
++/* HMAC-SHA256: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_hmac_sha256_test()
++{
++ unsigned char key[] = "etaonrishd";
++ unsigned char iv[] = "Sample text";
++ unsigned char kaval[EVP_MAX_MD_SIZE] =
++ { 0xe9, 0x17, 0xc1, 0x7b, 0x4c, 0x6b, 0x77, 0xda, 0xd2, 0x30, 0x36,
++0x02, 0xf5, 0x72, 0x33, 0x87,
++ 0x9f, 0xc6, 0x6e, 0x7b, 0x7e, 0xa8, 0xea, 0xaa, 0x9f, 0xba, 0xee,
++ 0x51, 0xff, 0xda, 0x24, 0xf4
++ };
++
++ unsigned char out[EVP_MAX_MD_SIZE];
++ unsigned int outlen;
++
++ ERR_clear_error();
++ if (!HMAC
++ (EVP_sha256(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out,
++ &outlen))
++ return 0;
++ if (memcmp(out, kaval, outlen))
++ return 0;
++ return 1;
++}
++
++/* HMAC-SHA384: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_hmac_sha384_test()
++{
++ unsigned char key[] = "etaonrishd";
++ unsigned char iv[] = "Sample text";
++ unsigned char kaval[EVP_MAX_MD_SIZE] =
++ { 0xb2, 0x9d, 0x40, 0x58, 0x32, 0xc4, 0xe3, 0x31, 0xb6, 0x63, 0x08,
++0x26, 0x99, 0xef, 0x3b, 0x10,
++ 0xe2, 0xdf, 0xf8, 0xff, 0xc6, 0xe1, 0x03, 0x29, 0x81, 0x2a, 0x1b,
++ 0xac, 0xb0, 0x07, 0x39, 0x08,
++ 0xf3, 0x91, 0x35, 0x11, 0x76, 0xd6, 0x4c, 0x20, 0xfb, 0x4d, 0xc3,
++ 0xf3, 0xb8, 0x9b, 0x88, 0x1c
++ };
++
++ unsigned char out[EVP_MAX_MD_SIZE];
++ unsigned int outlen;
++
++ ERR_clear_error();
++ if (!HMAC
++ (EVP_sha384(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out,
++ &outlen))
++ return 0;
++ if (memcmp(out, kaval, outlen))
++ return 0;
++ return 1;
++}
++
++/* HMAC-SHA512: generate hash of known digest value and compare to known
++ precomputed correct hash
++*/
++static int FIPS_hmac_sha512_test()
++{
++ unsigned char key[] = "etaonrishd";
++ unsigned char iv[] = "Sample text";
++ unsigned char kaval[EVP_MAX_MD_SIZE] =
++ { 0xcd, 0x3e, 0xb9, 0x51, 0xb8, 0xbc, 0x7f, 0x9a, 0x23, 0xaf, 0xf3,
++0x77, 0x59, 0x85, 0xa9, 0xe6,
++ 0xf7, 0xd1, 0x51, 0x96, 0x17, 0xe0, 0x92, 0xd8, 0xa6, 0x3b, 0xc1,
++ 0xad, 0x7e, 0x24, 0xca, 0xb1,
++ 0xd7, 0x79, 0x0a, 0xa5, 0xea, 0x2c, 0x02, 0x58, 0x0b, 0xa6, 0x52,
++ 0x6b, 0x61, 0x7f, 0xeb, 0x9c,
++ 0x47, 0x86, 0x5d, 0x74, 0x2b, 0x88, 0xdf, 0xee, 0x46, 0x69, 0x96,
++ 0x3d, 0xa6, 0xd9, 0x2a, 0x53
++ };
++
++ unsigned char out[EVP_MAX_MD_SIZE];
++ unsigned int outlen;
++
++ ERR_clear_error();
++ if (!HMAC
++ (EVP_sha512(), key, sizeof(key) - 1, iv, sizeof(iv) - 1, out,
++ &outlen))
++ return 0;
++ if (memcmp(out, kaval, outlen))
++ return 0;
++ return 1;
++}
++
++/* DH: generate shared parameters
++*/
++static int dh_test()
++{
++ DH *dh;
++ ERR_clear_error();
++ dh = FIPS_dh_new();
++ if (!dh)
++ return 0;
++ if (!DH_generate_parameters_ex(dh, 1024, 2, NULL))
++ return 0;
++ FIPS_dh_free(dh);
++ return 1;
++}
++
++/* Zeroize
++*/
++static int Zeroize()
++{
++ RSA *key;
++ BIGNUM *bn;
++ unsigned char userkey[16] =
++ { 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f,
++0x83, 0x02, 0xb1, 0x09, 0x68 };
++ int i, n;
++
++ key = FIPS_rsa_new();
++ bn = BN_new();
++ if (!key || !bn)
++ return 0;
++ BN_set_word(bn, 65537);
++ if (!RSA_generate_key_ex(key, 1024, bn, NULL))
++ return 0;
++ BN_free(bn);
++
++ n = BN_num_bytes(key->d);
++ printf(" Generated %d byte RSA private key\n", n);
++ printf("\tBN key before overwriting:\n");
++ do_bn_print(stdout, key->d);
++ BN_rand(key->d, n * 8, -1, 0);
++ printf("\tBN key after overwriting:\n");
++ do_bn_print(stdout, key->d);
++
++ printf("\tchar buffer key before overwriting: \n\t\t");
++ for (i = 0; i < sizeof(userkey); i++)
++ printf("%02x", userkey[i]);
++ printf("\n");
++ RAND_bytes(userkey, sizeof userkey);
++ printf("\tchar buffer key after overwriting: \n\t\t");
++ for (i = 0; i < sizeof(userkey); i++)
++ printf("%02x", userkey[i]);
++ printf("\n");
++
++ return 1;
++}
++
++static int Error;
++const char *Fail(const char *msg)
++{
++ do_print_errors();
++ Error++;
++ return msg;
++}
++
++int main(int argc, char **argv)
++{
++
++ int do_corrupt_rsa_keygen = 0, do_corrupt_dsa_keygen = 0;
++ int bad_rsa = 0, bad_dsa = 0;
++ int do_rng_stick = 0;
++ int no_exit = 0;
++
++ printf("\tFIPS-mode test application\n\n");
++
++ /* Load entropy from external file, if any */
++ RAND_load_file(".rnd", 1024);
++
++ if (argv[1]) {
++ /* Corrupted KAT tests */
++ if (!strcmp(argv[1], "aes")) {
++ FIPS_corrupt_aes();
++ printf("AES encryption/decryption with corrupted KAT...\n");
++ } else if (!strcmp(argv[1], "des")) {
++ FIPS_corrupt_des();
++ printf("DES3-ECB encryption/decryption with corrupted KAT...\n");
++ } else if (!strcmp(argv[1], "dsa")) {
++ FIPS_corrupt_dsa();
++ printf
++ ("DSA key generation and signature validation with corrupted KAT...\n");
++ } else if (!strcmp(argv[1], "rsa")) {
++ FIPS_corrupt_rsa();
++ printf
++ ("RSA key generation and signature validation with corrupted KAT...\n");
++ } else if (!strcmp(argv[1], "rsakey")) {
++ printf
++ ("RSA key generation and signature validation with corrupted key...\n");
++ bad_rsa = 1;
++ no_exit = 1;
++ } else if (!strcmp(argv[1], "rsakeygen")) {
++ do_corrupt_rsa_keygen = 1;
++ no_exit = 1;
++ printf
++ ("RSA key generation and signature validation with corrupted keygen...\n");
++ } else if (!strcmp(argv[1], "dsakey")) {
++ printf
++ ("DSA key generation and signature validation with corrupted key...\n");
++ bad_dsa = 1;
++ no_exit = 1;
++ } else if (!strcmp(argv[1], "dsakeygen")) {
++ do_corrupt_dsa_keygen = 1;
++ no_exit = 1;
++ printf
++ ("DSA key generation and signature validation with corrupted keygen...\n");
++ } else if (!strcmp(argv[1], "sha1")) {
++ FIPS_corrupt_sha1();
++ printf("SHA-1 hash with corrupted KAT...\n");
++ } else if (!strcmp(argv[1], "rng")) {
++ FIPS_corrupt_rng();
++ } else if (!strcmp(argv[1], "rngstick")) {
++ do_rng_stick = 1;
++ no_exit = 1;
++ printf("RNG test with stuck continuous test...\n");
++ } else {
++ printf("Bad argument \"%s\"\n", argv[1]);
++ exit(1);
++ }
++ if (!no_exit) {
++ if (!FIPS_mode_set(1)) {
++ do_print_errors();
++ printf("Power-up self test failed\n");
++ exit(1);
++ }
++ printf("Power-up self test successful\n");
++ exit(0);
++ }
++ }
++
++ /* Non-Approved cryptographic operation
++ */
++ printf("1. Non-Approved cryptographic operation test...\n");
++ printf("\ta. Included algorithm (D-H)...");
++ printf(dh_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* Power-up self test
++ */
++ ERR_clear_error();
++ printf("2. Automatic power-up self test...");
++ if (!FIPS_mode_set(1)) {
++ do_print_errors();
++ printf(Fail("FAILED!\n"));
++ exit(1);
++ }
++ printf("successful\n");
++ if (do_corrupt_dsa_keygen)
++ FIPS_corrupt_dsa_keygen();
++ if (do_corrupt_rsa_keygen)
++ FIPS_corrupt_rsa_keygen();
++ if (do_rng_stick)
++ FIPS_rng_stick();
++
++ /* AES encryption/decryption
++ */
++ printf("3. AES encryption/decryption...");
++ printf(FIPS_aes_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* RSA key generation and encryption/decryption
++ */
++ printf("4. RSA key generation and encryption/decryption...");
++ printf(FIPS_rsa_test(bad_rsa) ? "successful\n" : Fail("FAILED!\n"));
++
++ /* DES-CBC encryption/decryption
++ */
++ printf("5. DES-ECB encryption/decryption...");
++ printf(FIPS_des3_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* DSA key generation and signature validation
++ */
++ printf("6. DSA key generation and signature validation...");
++ printf(FIPS_dsa_test(bad_dsa) ? "successful\n" : Fail("FAILED!\n"));
++
++ /* SHA-1 hash
++ */
++ printf("7a. SHA-1 hash...");
++ printf(FIPS_sha1_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* SHA-256 hash
++ */
++ printf("7b. SHA-256 hash...");
++ printf(FIPS_sha256_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* SHA-512 hash
++ */
++ printf("7c. SHA-512 hash...");
++ printf(FIPS_sha512_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* HMAC-SHA-1 hash
++ */
++ printf("7d. HMAC-SHA-1 hash...");
++ printf(FIPS_hmac_sha1_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* HMAC-SHA-224 hash
++ */
++ printf("7e. HMAC-SHA-224 hash...");
++ printf(FIPS_hmac_sha224_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* HMAC-SHA-256 hash
++ */
++ printf("7f. HMAC-SHA-256 hash...");
++ printf(FIPS_hmac_sha256_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* HMAC-SHA-384 hash
++ */
++ printf("7g. HMAC-SHA-384 hash...");
++ printf(FIPS_hmac_sha384_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* HMAC-SHA-512 hash
++ */
++ printf("7h. HMAC-SHA-512 hash...");
++ printf(FIPS_hmac_sha512_test()? "successful\n" : Fail("FAILED!\n"));
++
++ /* Non-Approved cryptographic operation
++ */
++ printf("8. Non-Approved cryptographic operation test...\n");
++ printf("\ta. Included algorithm (D-H)...");
++ printf(dh_test()? "successful as expected\n"
++ : Fail("failed INCORRECTLY!\n"));
++
++ /* Zeroization
++ */
++ printf("9. Zero-ization...\n");
++ printf(Zeroize()? "\tsuccessful as expected\n"
++ : Fail("\tfailed INCORRECTLY!\n"));
++
++ printf("\nAll tests completed with %d errors\n", Error);
++ return Error ? 1 : 0;
++}
++
++#endif
+diff -up openssl-1.0.2c/crypto/fips/Makefile.fips openssl-1.0.2c/crypto/fips/Makefile
+--- openssl-1.0.2c/crypto/fips/Makefile.fips 2015-06-15 17:30:00.012284074 +0200
++++ openssl-1.0.2c/crypto/fips/Makefile 2015-06-15 17:30:00.012284074 +0200
+@@ -0,0 +1,341 @@
++#
++# OpenSSL/crypto/fips/Makefile
++#
++
++DIR= fips
++TOP= ../..
++CC= cc
++INCLUDES=
++CFLAG=-g
++MAKEFILE= Makefile
++AR= ar r
++
++CFLAGS= $(INCLUDES) $(CFLAG)
++
++GENERAL=Makefile
++TEST=fips_test_suite.c fips_randtest.c
++APPS=
++
++PROGRAM= fips_standalone_hmac
++EXE= $(PROGRAM)$(EXE_EXT)
++
++LIB=$(TOP)/libcrypto.a
++LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_selftest.c \
++ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
++ fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
++ fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
++ fips_cmac_selftest.c fips_enc.c fips_md.c
++
++LIBOBJ=fips_aes_selftest.o fips_des_selftest.o fips_hmac_selftest.o fips_rand_selftest.o \
++ fips_rsa_selftest.o fips_sha_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \
++ fips_rsa_x931g.o fips_post.o fips_drbg_ctr.o fips_drbg_hash.o fips_drbg_hmac.o \
++ fips_drbg_lib.o fips_drbg_rand.o fips_drbg_selftest.o fips_rand_lib.o \
++ fips_cmac_selftest.o fips_enc.o fips_md.o
++
++LIBCRYPTO=-L.. -lcrypto
++
++SRC= $(LIBSRC) fips_standalone_hmac.c
++
++EXHEADER= fips.h fips_rand.h
++HEADER= $(EXHEADER)
++
++ALL= $(GENERAL) $(SRC) $(HEADER)
++
++top:
++ (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
++
++all: lib exe
++
++lib: $(LIBOBJ)
++ $(AR) $(LIB) $(LIBOBJ)
++ $(RANLIB) $(LIB) || echo Never mind.
++ @touch lib
++
++exe: $(EXE)
++
++files:
++ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
++
++links:
++ @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
++ @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
++ @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
++
++install:
++ @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
++ @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
++ do \
++ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
++ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
++ done;
++
++tags:
++ ctags $(SRC)
++
++tests:
++
++lint:
++ lint -DLINT $(INCLUDES) $(SRC)>fluff
++
++depend:
++ @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
++ $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
++
++dclean:
++ $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
++ mv -f Makefile.new $(MAKEFILE)
++
++clean:
++ rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
++
++$(EXE): $(PROGRAM).o
++ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../sha/$$i" ; done; \
++ for i in $(CPUID_OBJ); do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../$$i" ; done; \
++ $(CC) -o $@ $(CFLAGS) $(PROGRAM).o $$FIPS_SHA_ASM
++
++# DO NOT DELETE THIS LINE -- make depend depends on it.
++
++fips.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
++fips.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips.o: ../../include/openssl/fips_rand.h ../../include/openssl/hmac.h
++fips.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
++fips.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
++fips.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
++fips.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
++fips.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
++fips.o: ../../include/openssl/symhacks.h fips.c fips_locl.h
++fips_aes_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_aes_selftest.o: ../../include/openssl/crypto.h
++fips_aes_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_aes_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_aes_selftest.o: ../../include/openssl/lhash.h
++fips_aes_selftest.o: ../../include/openssl/obj_mac.h
++fips_aes_selftest.o: ../../include/openssl/objects.h
++fips_aes_selftest.o: ../../include/openssl/opensslconf.h
++fips_aes_selftest.o: ../../include/openssl/opensslv.h
++fips_aes_selftest.o: ../../include/openssl/ossl_typ.h
++fips_aes_selftest.o: ../../include/openssl/safestack.h
++fips_aes_selftest.o: ../../include/openssl/stack.h
++fips_aes_selftest.o: ../../include/openssl/symhacks.h fips_aes_selftest.c
++fips_des_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_des_selftest.o: ../../include/openssl/crypto.h
++fips_des_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_des_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_des_selftest.o: ../../include/openssl/lhash.h
++fips_des_selftest.o: ../../include/openssl/obj_mac.h
++fips_des_selftest.o: ../../include/openssl/objects.h
++fips_des_selftest.o: ../../include/openssl/opensslconf.h
++fips_des_selftest.o: ../../include/openssl/opensslv.h
++fips_des_selftest.o: ../../include/openssl/ossl_typ.h
++fips_des_selftest.o: ../../include/openssl/safestack.h
++fips_des_selftest.o: ../../include/openssl/stack.h
++fips_des_selftest.o: ../../include/openssl/symhacks.h fips_des_selftest.c
++fips_drbg_ctr.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_drbg_ctr.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
++fips_drbg_ctr.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
++fips_drbg_ctr.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
++fips_drbg_ctr.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
++fips_drbg_ctr.o: ../../include/openssl/objects.h
++fips_drbg_ctr.o: ../../include/openssl/opensslconf.h
++fips_drbg_ctr.o: ../../include/openssl/opensslv.h
++fips_drbg_ctr.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
++fips_drbg_ctr.o: ../../include/openssl/safestack.h
++fips_drbg_ctr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
++fips_drbg_ctr.o: fips_drbg_ctr.c fips_rand_lcl.h
++fips_drbg_hash.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_drbg_hash.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
++fips_drbg_hash.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
++fips_drbg_hash.o: ../../include/openssl/fips.h
++fips_drbg_hash.o: ../../include/openssl/fips_rand.h
++fips_drbg_hash.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
++fips_drbg_hash.o: ../../include/openssl/objects.h
++fips_drbg_hash.o: ../../include/openssl/opensslconf.h
++fips_drbg_hash.o: ../../include/openssl/opensslv.h
++fips_drbg_hash.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
++fips_drbg_hash.o: ../../include/openssl/safestack.h
++fips_drbg_hash.o: ../../include/openssl/stack.h
++fips_drbg_hash.o: ../../include/openssl/symhacks.h fips_drbg_hash.c
++fips_drbg_hash.o: fips_rand_lcl.h
++fips_drbg_hmac.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_drbg_hmac.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
++fips_drbg_hmac.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
++fips_drbg_hmac.o: ../../include/openssl/fips.h
++fips_drbg_hmac.o: ../../include/openssl/fips_rand.h
++fips_drbg_hmac.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
++fips_drbg_hmac.o: ../../include/openssl/objects.h
++fips_drbg_hmac.o: ../../include/openssl/opensslconf.h
++fips_drbg_hmac.o: ../../include/openssl/opensslv.h
++fips_drbg_hmac.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
++fips_drbg_hmac.o: ../../include/openssl/safestack.h
++fips_drbg_hmac.o: ../../include/openssl/stack.h
++fips_drbg_hmac.o: ../../include/openssl/symhacks.h fips_drbg_hmac.c
++fips_drbg_hmac.o: fips_rand_lcl.h
++fips_drbg_lib.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_drbg_lib.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
++fips_drbg_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_drbg_lib.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_drbg_lib.o: ../../include/openssl/fips_rand.h ../../include/openssl/hmac.h
++fips_drbg_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
++fips_drbg_lib.o: ../../include/openssl/objects.h
++fips_drbg_lib.o: ../../include/openssl/opensslconf.h
++fips_drbg_lib.o: ../../include/openssl/opensslv.h
++fips_drbg_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
++fips_drbg_lib.o: ../../include/openssl/safestack.h
++fips_drbg_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
++fips_drbg_lib.o: fips_drbg_lib.c fips_locl.h fips_rand_lcl.h
++fips_drbg_rand.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_drbg_rand.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
++fips_drbg_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_drbg_rand.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_drbg_rand.o: ../../include/openssl/fips_rand.h
++fips_drbg_rand.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
++fips_drbg_rand.o: ../../include/openssl/obj_mac.h
++fips_drbg_rand.o: ../../include/openssl/objects.h
++fips_drbg_rand.o: ../../include/openssl/opensslconf.h
++fips_drbg_rand.o: ../../include/openssl/opensslv.h
++fips_drbg_rand.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
++fips_drbg_rand.o: ../../include/openssl/safestack.h
++fips_drbg_rand.o: ../../include/openssl/stack.h
++fips_drbg_rand.o: ../../include/openssl/symhacks.h fips_drbg_rand.c
++fips_drbg_rand.o: fips_rand_lcl.h
++fips_drbg_selftest.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_drbg_selftest.o: ../../include/openssl/bio.h
++fips_drbg_selftest.o: ../../include/openssl/crypto.h
++fips_drbg_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_drbg_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_drbg_selftest.o: ../../include/openssl/fips_rand.h
++fips_drbg_selftest.o: ../../include/openssl/hmac.h
++fips_drbg_selftest.o: ../../include/openssl/lhash.h
++fips_drbg_selftest.o: ../../include/openssl/obj_mac.h
++fips_drbg_selftest.o: ../../include/openssl/objects.h
++fips_drbg_selftest.o: ../../include/openssl/opensslconf.h
++fips_drbg_selftest.o: ../../include/openssl/opensslv.h
++fips_drbg_selftest.o: ../../include/openssl/ossl_typ.h
++fips_drbg_selftest.o: ../../include/openssl/rand.h
++fips_drbg_selftest.o: ../../include/openssl/safestack.h
++fips_drbg_selftest.o: ../../include/openssl/stack.h
++fips_drbg_selftest.o: ../../include/openssl/symhacks.h fips_drbg_selftest.c
++fips_drbg_selftest.o: fips_drbg_selftest.h fips_locl.h fips_rand_lcl.h
++fips_dsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_dsa_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
++fips_dsa_selftest.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
++fips_dsa_selftest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
++fips_dsa_selftest.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
++fips_dsa_selftest.o: ../../include/openssl/obj_mac.h
++fips_dsa_selftest.o: ../../include/openssl/objects.h
++fips_dsa_selftest.o: ../../include/openssl/opensslconf.h
++fips_dsa_selftest.o: ../../include/openssl/opensslv.h
++fips_dsa_selftest.o: ../../include/openssl/ossl_typ.h
++fips_dsa_selftest.o: ../../include/openssl/safestack.h
++fips_dsa_selftest.o: ../../include/openssl/stack.h
++fips_dsa_selftest.o: ../../include/openssl/symhacks.h fips_dsa_selftest.c
++fips_dsa_selftest.o: fips_locl.h
++fips_hmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_hmac_selftest.o: ../../include/openssl/crypto.h
++fips_hmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_hmac_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_hmac_selftest.o: ../../include/openssl/hmac.h
++fips_hmac_selftest.o: ../../include/openssl/lhash.h
++fips_hmac_selftest.o: ../../include/openssl/obj_mac.h
++fips_hmac_selftest.o: ../../include/openssl/objects.h
++fips_hmac_selftest.o: ../../include/openssl/opensslconf.h
++fips_hmac_selftest.o: ../../include/openssl/opensslv.h
++fips_hmac_selftest.o: ../../include/openssl/ossl_typ.h
++fips_hmac_selftest.o: ../../include/openssl/safestack.h
++fips_hmac_selftest.o: ../../include/openssl/stack.h
++fips_hmac_selftest.o: ../../include/openssl/symhacks.h fips_hmac_selftest.c
++fips_post.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_post.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
++fips_post.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
++fips_post.o: ../../include/openssl/err.h ../../include/openssl/evp.h
++fips_post.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
++fips_post.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
++fips_post.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
++fips_post.o: ../../include/openssl/opensslconf.h
++fips_post.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
++fips_post.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
++fips_post.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
++fips_post.o: ../../include/openssl/symhacks.h fips_locl.h fips_post.c
++fips_rand.o: ../../e_os.h ../../include/openssl/aes.h
++fips_rand.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_rand.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
++fips_rand.o: ../../include/openssl/err.h ../../include/openssl/evp.h
++fips_rand.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
++fips_rand.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
++fips_rand.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
++fips_rand.o: ../../include/openssl/opensslconf.h
++fips_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
++fips_rand.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
++fips_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
++fips_rand.o: fips_locl.h fips_rand.c
++fips_rand_lib.o: ../../e_os.h ../../include/openssl/aes.h
++fips_rand_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_rand_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
++fips_rand_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
++fips_rand_lib.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
++fips_rand_lib.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
++fips_rand_lib.o: ../../include/openssl/obj_mac.h
++fips_rand_lib.o: ../../include/openssl/objects.h
++fips_rand_lib.o: ../../include/openssl/opensslconf.h
++fips_rand_lib.o: ../../include/openssl/opensslv.h
++fips_rand_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
++fips_rand_lib.o: ../../include/openssl/safestack.h
++fips_rand_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
++fips_rand_lib.o: fips_rand_lib.c
++fips_rand_selftest.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
++fips_rand_selftest.o: ../../include/openssl/bio.h
++fips_rand_selftest.o: ../../include/openssl/crypto.h
++fips_rand_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_rand_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_rand_selftest.o: ../../include/openssl/fips_rand.h
++fips_rand_selftest.o: ../../include/openssl/hmac.h
++fips_rand_selftest.o: ../../include/openssl/lhash.h
++fips_rand_selftest.o: ../../include/openssl/obj_mac.h
++fips_rand_selftest.o: ../../include/openssl/objects.h
++fips_rand_selftest.o: ../../include/openssl/opensslconf.h
++fips_rand_selftest.o: ../../include/openssl/opensslv.h
++fips_rand_selftest.o: ../../include/openssl/ossl_typ.h
++fips_rand_selftest.o: ../../include/openssl/rand.h
++fips_rand_selftest.o: ../../include/openssl/safestack.h
++fips_rand_selftest.o: ../../include/openssl/stack.h
++fips_rand_selftest.o: ../../include/openssl/symhacks.h fips_locl.h
++fips_rand_selftest.o: fips_rand_selftest.c
++fips_rsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_rsa_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
++fips_rsa_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_rsa_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_rsa_selftest.o: ../../include/openssl/lhash.h
++fips_rsa_selftest.o: ../../include/openssl/obj_mac.h
++fips_rsa_selftest.o: ../../include/openssl/objects.h
++fips_rsa_selftest.o: ../../include/openssl/opensslconf.h
++fips_rsa_selftest.o: ../../include/openssl/opensslv.h
++fips_rsa_selftest.o: ../../include/openssl/ossl_typ.h
++fips_rsa_selftest.o: ../../include/openssl/rsa.h
++fips_rsa_selftest.o: ../../include/openssl/safestack.h
++fips_rsa_selftest.o: ../../include/openssl/stack.h
++fips_rsa_selftest.o: ../../include/openssl/symhacks.h fips_rsa_selftest.c
++fips_rsa_x931g.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_rsa_x931g.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
++fips_rsa_x931g.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_rsa_x931g.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
++fips_rsa_x931g.o: ../../include/openssl/opensslconf.h
++fips_rsa_x931g.o: ../../include/openssl/opensslv.h
++fips_rsa_x931g.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rsa.h
++fips_rsa_x931g.o: ../../include/openssl/safestack.h
++fips_rsa_x931g.o: ../../include/openssl/stack.h
++fips_rsa_x931g.o: ../../include/openssl/symhacks.h fips_rsa_x931g.c
++fips_sha_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++fips_sha_selftest.o: ../../include/openssl/crypto.h
++fips_sha_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
++fips_sha_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
++fips_sha_selftest.o: ../../include/openssl/lhash.h
++fips_sha_selftest.o: ../../include/openssl/obj_mac.h
++fips_sha_selftest.o: ../../include/openssl/objects.h
++fips_sha_selftest.o: ../../include/openssl/opensslconf.h
++fips_sha_selftest.o: ../../include/openssl/opensslv.h
++fips_sha_selftest.o: ../../include/openssl/ossl_typ.h
++fips_sha_selftest.o: ../../include/openssl/safestack.h
++fips_sha_selftest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
++fips_sha_selftest.o: ../../include/openssl/symhacks.h fips_sha_selftest.c
+diff -up openssl-1.0.2c/crypto/hmac/hmac.c.fips openssl-1.0.2c/crypto/hmac/hmac.c
+--- openssl-1.0.2c/crypto/hmac/hmac.c.fips 2015-06-12 16:51:27.000000000 +0200
++++ openssl-1.0.2c/crypto/hmac/hmac.c 2015-06-15 17:33:11.707682908 +0200
+@@ -89,12 +89,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
+ EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS);
+ return 0;
+ }
+- /*
+- * Other algorithm blocking will be done in FIPS_cmac_init, via
+- * FIPS_hmac_init_ex().
+- */
+- if (!impl && !ctx->i_ctx.engine)
+- return FIPS_hmac_init_ex(ctx, key, len, md, NULL);
+ }
+ #endif
+ /* If we are changing MD then we must have a key */
+@@ -111,6 +105,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
+ }
+
+ if (key != NULL) {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(md->flags & EVP_MD_FLAG_FIPS)
++ && (!(ctx->md_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
++ || !(ctx->i_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
++ || !(ctx->o_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))
++ goto err;
++#endif
+ reset = 1;
+ j = EVP_MD_block_size(md);
+ OPENSSL_assert(j <= (int)sizeof(ctx->key));
+@@ -164,10 +165,6 @@ int HMAC_Init(HMAC_CTX *ctx, const void
+
+ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
+ {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !ctx->i_ctx.engine)
+- return FIPS_hmac_update(ctx, data, len);
+-#endif
+ if (!ctx->md)
+ return 0;
+
+@@ -178,10 +175,6 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned c
+ {
+ unsigned int i;
+ unsigned char buf[EVP_MAX_MD_SIZE];
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !ctx->i_ctx.engine)
+- return FIPS_hmac_final(ctx, md, len);
+-#endif
+
+ if (!ctx->md)
+ goto err;
+@@ -225,12 +218,6 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_C
+
+ void HMAC_CTX_cleanup(HMAC_CTX *ctx)
+ {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !ctx->i_ctx.engine) {
+- FIPS_hmac_ctx_cleanup(ctx);
+- return;
+- }
+-#endif
+ EVP_MD_CTX_cleanup(&ctx->i_ctx);
+ EVP_MD_CTX_cleanup(&ctx->o_ctx);
+ EVP_MD_CTX_cleanup(&ctx->md_ctx);
+diff -up openssl-1.0.2c/crypto/mdc2/mdc2dgst.c.fips openssl-1.0.2c/crypto/mdc2/mdc2dgst.c
+--- openssl-1.0.2c/crypto/mdc2/mdc2dgst.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/mdc2/mdc2dgst.c 2015-06-15 17:30:00.012284074 +0200
+@@ -76,7 +76,7 @@
+ *((c)++)=(unsigned char)(((l)>>24L)&0xff))
+
+ static void mdc2_body(MDC2_CTX *c, const unsigned char *in, size_t len);
+-fips_md_init(MDC2)
++nonfips_md_init(MDC2)
+ {
+ c->num = 0;
+ c->pad_type = 1;
+diff -up openssl-1.0.2c/crypto/md2/md2_dgst.c.fips openssl-1.0.2c/crypto/md2/md2_dgst.c
+--- openssl-1.0.2c/crypto/md2/md2_dgst.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/md2/md2_dgst.c 2015-06-15 17:30:00.012284074 +0200
+@@ -62,6 +62,11 @@
+ #include <openssl/md2.h>
+ #include <openssl/opensslv.h>
+ #include <openssl/crypto.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++
++#include <openssl/err.h>
+
+ const char MD2_version[] = "MD2" OPENSSL_VERSION_PTEXT;
+
+@@ -119,7 +124,7 @@ const char *MD2_options(void)
+ return ("md2(int)");
+ }
+
+-fips_md_init(MD2)
++nonfips_md_init(MD2)
+ {
+ c->num = 0;
+ memset(c->state, 0, sizeof c->state);
+diff -up openssl-1.0.2c/crypto/md4/md4_dgst.c.fips openssl-1.0.2c/crypto/md4/md4_dgst.c
+--- openssl-1.0.2c/crypto/md4/md4_dgst.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/md4/md4_dgst.c 2015-06-15 17:30:00.013284097 +0200
+@@ -72,7 +72,7 @@ const char MD4_version[] = "MD4" OPENSSL
+ #define INIT_DATA_C (unsigned long)0x98badcfeL
+ #define INIT_DATA_D (unsigned long)0x10325476L
+
+-fips_md_init(MD4)
++nonfips_md_init(MD4)
+ {
+ memset(c, 0, sizeof(*c));
+ c->A = INIT_DATA_A;
+diff -up openssl-1.0.2c/crypto/md5/md5_dgst.c.fips openssl-1.0.2c/crypto/md5/md5_dgst.c
+--- openssl-1.0.2c/crypto/md5/md5_dgst.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/md5/md5_dgst.c 2015-06-15 17:30:00.013284097 +0200
+@@ -72,7 +72,7 @@ const char MD5_version[] = "MD5" OPENSSL
+ #define INIT_DATA_C (unsigned long)0x98badcfeL
+ #define INIT_DATA_D (unsigned long)0x10325476L
+
+-fips_md_init(MD5)
++nonfips_md_init(MD5)
+ {
+ memset(c, 0, sizeof(*c));
+ c->A = INIT_DATA_A;
+diff -up openssl-1.0.2c/crypto/o_fips.c.fips openssl-1.0.2c/crypto/o_fips.c
+--- openssl-1.0.2c/crypto/o_fips.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/o_fips.c 2015-06-15 17:30:00.013284097 +0200
+@@ -80,6 +80,8 @@ int FIPS_mode_set(int r)
+ # ifndef FIPS_AUTH_USER_PASS
+ # define FIPS_AUTH_USER_PASS "Default FIPS Crypto User Password"
+ # endif
++ if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */
++ return 1;
+ if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS))
+ return 0;
+ if (r)
+diff -up openssl-1.0.2c/crypto/o_init.c.fips openssl-1.0.2c/crypto/o_init.c
+--- openssl-1.0.2c/crypto/o_init.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/o_init.c 2015-06-15 17:30:00.013284097 +0200
+@@ -56,8 +56,37 @@
+ #include <e_os.h>
+ #include <openssl/err.h>
+ #ifdef OPENSSL_FIPS
++# include <sys/types.h>
++# include <sys/stat.h>
++# include <fcntl.h>
++# include <unistd.h>
++# include <errno.h>
++# include <stdlib.h>
+ # include <openssl/fips.h>
+ # include <openssl/rand.h>
++
++# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
++
++static void init_fips_mode(void)
++{
++ char buf[2] = "0";
++ int fd;
++
++ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
++ buf[0] = '1';
++ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
++ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
++ close(fd);
++ }
++ /* Failure reading the fips mode switch file means just not
++ * switching into FIPS mode. We would break too many things
++ * otherwise..
++ */
++
++ if (buf[0] == '1') {
++ FIPS_mode_set(1);
++ }
++}
+ #endif
+
+ /*
+@@ -65,19 +94,26 @@
+ * sets FIPS callbacks
+ */
+
+-void OPENSSL_init(void)
++void OPENSSL_init_library(void)
+ {
+ static int done = 0;
+ if (done)
+ return;
+ done = 1;
+ #ifdef OPENSSL_FIPS
+- FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock);
+- FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);
+- FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);
+ RAND_init_fips();
++ init_fips_mode();
++ if (!FIPS_mode()) {
++ /* Clean up prematurely set default rand method */
++ RAND_set_rand_method(NULL);
++ }
+ #endif
+ #if 0
+ fprintf(stderr, "Called OPENSSL_init\n");
+ #endif
+ }
++
++void OPENSSL_init(void)
++{
++ OPENSSL_init_library();
++}
+diff -up openssl-1.0.2c/crypto/opensslconf.h.in.fips openssl-1.0.2c/crypto/opensslconf.h.in
+--- openssl-1.0.2c/crypto/opensslconf.h.in.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/opensslconf.h.in 2015-06-15 17:30:00.013284097 +0200
+@@ -1,5 +1,20 @@
+ /* crypto/opensslconf.h.in */
+
++#ifdef OPENSSL_DOING_MAKEDEPEND
++
++/* Include any symbols here that have to be explicitly set to enable a feature
++ * that should be visible to makedepend.
++ *
++ * [Our "make depend" doesn't actually look at this, we use actual build settings
++ * instead; we want to make it easy to remove subdirectories with disabled algorithms.]
++ */
++
++#ifndef OPENSSL_FIPS
++#define OPENSSL_FIPS
++#endif
++
++#endif
++
+ /* Generate 80386 code? */
+ #undef I386_ONLY
+
+diff -up openssl-1.0.2c/crypto/rand/md_rand.c.fips openssl-1.0.2c/crypto/rand/md_rand.c
+--- openssl-1.0.2c/crypto/rand/md_rand.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/rand/md_rand.c 2015-06-15 17:30:00.013284097 +0200
+@@ -391,7 +391,10 @@ int ssleay_rand_bytes(unsigned char *buf
+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
+ crypto_lock_rand = 1;
+
+- if (!initialized) {
++ /* always poll for external entropy in FIPS mode, drbg provides the
++ * expansion
++ */
++ if (!initialized || FIPS_module_mode()) {
+ RAND_poll();
+ initialized = 1;
+ }
+diff -up openssl-1.0.2c/crypto/rand/rand.h.fips openssl-1.0.2c/crypto/rand/rand.h
+--- openssl-1.0.2c/crypto/rand/rand.h.fips 2015-06-15 17:29:59.773278601 +0200
++++ openssl-1.0.2c/crypto/rand/rand.h 2015-06-15 17:30:00.013284097 +0200
+@@ -133,16 +133,34 @@ void ERR_load_RAND_strings(void);
+ /* Error codes for the RAND functions. */
+
+ /* Function codes. */
++# define RAND_F_ENG_RAND_GET_RAND_METHOD 108
++# define RAND_F_FIPS_RAND 103
++# define RAND_F_FIPS_RAND_BYTES 102
++# define RAND_F_FIPS_RAND_SET_DT 106
++# define RAND_F_FIPS_X931_SET_DT 106
++# define RAND_F_FIPS_SET_DT 104
++# define RAND_F_FIPS_SET_PRNG_SEED 107
++# define RAND_F_FIPS_SET_TEST_MODE 105
+ # define RAND_F_RAND_GET_RAND_METHOD 101
+-# define RAND_F_RAND_INIT_FIPS 102
++# define RAND_F_RAND_INIT_FIPS 109
+ # define RAND_F_SSLEAY_RAND_BYTES 100
+
+ /* Reason codes. */
+-# define RAND_R_DUAL_EC_DRBG_DISABLED 104
+-# define RAND_R_ERROR_INITIALISING_DRBG 102
+-# define RAND_R_ERROR_INSTANTIATING_DRBG 103
+-# define RAND_R_NO_FIPS_RANDOM_METHOD_SET 101
++# define RAND_R_DUAL_EC_DRBG_DISABLED 114
++# define RAND_R_ERROR_INITIALISING_DRBG 112
++# define RAND_R_ERROR_INSTANTIATING_DRBG 113
++# define RAND_R_NON_FIPS_METHOD 105
++# define RAND_R_NOT_IN_TEST_MODE 106
++# define RAND_R_NO_FIPS_RANDOM_METHOD_SET 111
++# define RAND_R_NO_KEY_SET 107
++# define RAND_R_PRNG_ASKING_FOR_TOO_MUCH 101
++# define RAND_R_PRNG_ERROR 108
++# define RAND_R_PRNG_KEYED 109
++# define RAND_R_PRNG_NOT_REKEYED 102
++# define RAND_R_PRNG_NOT_RESEEDED 103
+ # define RAND_R_PRNG_NOT_SEEDED 100
++# define RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY 110
++# define RAND_R_PRNG_STUCK 104
+
+ #ifdef __cplusplus
+ }
+diff -up openssl-1.0.2c/crypto/ripemd/rmd_dgst.c.fips openssl-1.0.2c/crypto/ripemd/rmd_dgst.c
+--- openssl-1.0.2c/crypto/ripemd/rmd_dgst.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/ripemd/rmd_dgst.c 2015-06-15 17:30:00.014284119 +0200
+@@ -70,7 +70,7 @@ void ripemd160_block_x86(RIPEMD160_CTX *
+ void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p, size_t num);
+ #endif
+
+-fips_md_init(RIPEMD160)
++nonfips_md_init(RIPEMD160)
+ {
+ memset(c, 0, sizeof(*c));
+ c->A = RIPEMD160_A;
+diff -up openssl-1.0.2c/crypto/rsa/rsa_crpt.c.fips openssl-1.0.2c/crypto/rsa/rsa_crpt.c
+--- openssl-1.0.2c/crypto/rsa/rsa_crpt.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/rsa/rsa_crpt.c 2015-06-15 17:30:00.014284119 +0200
+@@ -89,9 +89,9 @@ int RSA_private_encrypt(int flen, const
+ unsigned char *to, RSA *rsa, int padding)
+ {
+ #ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+- RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
++ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
++ RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT,
++ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+ return -1;
+ }
+ #endif
+@@ -115,9 +115,9 @@ int RSA_public_decrypt(int flen, const u
+ RSA *rsa, int padding)
+ {
+ #ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+- && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+- RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
++ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
++ RSAerr(RSA_F_RSA_PUBLIC_DECRYPT,
++ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+ return -1;
+ }
+ #endif
+diff -up openssl-1.0.2c/crypto/rsa/rsa_eay.c.fips openssl-1.0.2c/crypto/rsa/rsa_eay.c
+--- openssl-1.0.2c/crypto/rsa/rsa_eay.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/rsa/rsa_eay.c 2015-06-15 17:30:00.014284119 +0200
+@@ -114,6 +114,10 @@
+ #include <openssl/bn.h>
+ #include <openssl/rsa.h>
+ #include <openssl/rand.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+
+ #ifndef RSA_NULL
+
+@@ -140,7 +144,7 @@ static RSA_METHOD rsa_pkcs1_eay_meth = {
+ * if e == 3 */
+ RSA_eay_init,
+ RSA_eay_finish,
+- 0, /* flags */
++ RSA_FLAG_FIPS_METHOD, /* flags */
+ NULL,
+ 0, /* rsa_sign */
+ 0, /* rsa_verify */
+@@ -160,6 +164,22 @@ static int RSA_eay_public_encrypt(int fl
+ unsigned char *buf = NULL;
+ BN_CTX *ctx = NULL;
+
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode()) {
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_EAY_PUBLIC_ENCRYPT,
++ FIPS_R_FIPS_SELFTEST_FAILED);
++ goto err;
++ }
++
++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
++ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++ }
++# endif
++
+ if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
+ return -1;
+@@ -361,6 +381,22 @@ static int RSA_eay_private_encrypt(int f
+ BIGNUM *unblind = NULL;
+ BN_BLINDING *blinding = NULL;
+
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode()) {
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_EAY_PRIVATE_ENCRYPT,
++ FIPS_R_FIPS_SELFTEST_FAILED);
++ return -1;
++ }
++
++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
++ RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++ }
++# endif
++
+ if ((ctx = BN_CTX_new()) == NULL)
+ goto err;
+ BN_CTX_start(ctx);
+@@ -497,6 +533,22 @@ static int RSA_eay_private_decrypt(int f
+ BIGNUM *unblind = NULL;
+ BN_BLINDING *blinding = NULL;
+
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode()) {
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_EAY_PRIVATE_DECRYPT,
++ FIPS_R_FIPS_SELFTEST_FAILED);
++ return -1;
++ }
++
++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
++ RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++ }
++# endif
++
+ if ((ctx = BN_CTX_new()) == NULL)
+ goto err;
+ BN_CTX_start(ctx);
+@@ -623,6 +675,22 @@ static int RSA_eay_public_decrypt(int fl
+ unsigned char *buf = NULL;
+ BN_CTX *ctx = NULL;
+
++# ifdef OPENSSL_FIPS
++ if (FIPS_mode()) {
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_EAY_PUBLIC_DECRYPT,
++ FIPS_R_FIPS_SELFTEST_FAILED);
++ goto err;
++ }
++
++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
++ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++ return -1;
++ }
++ }
++# endif
++
+ if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
+ return -1;
+@@ -886,6 +954,9 @@ static int RSA_eay_mod_exp(BIGNUM *r0, c
+
+ static int RSA_eay_init(RSA *rsa)
+ {
++# ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++# endif
+ rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
+ return (1);
+ }
+diff -up openssl-1.0.2c/crypto/rsa/rsa_err.c.fips openssl-1.0.2c/crypto/rsa/rsa_err.c
+--- openssl-1.0.2c/crypto/rsa/rsa_err.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/rsa/rsa_err.c 2015-06-15 17:30:00.014284119 +0200
+@@ -136,6 +136,8 @@ static ERR_STRING_DATA RSA_str_functs[]
+ {ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"},
+ {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"},
+ {ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"},
++ {ERR_FUNC(RSA_F_RSA_SET_DEFAULT_METHOD), "RSA_set_default_method"},
++ {ERR_FUNC(RSA_F_RSA_SET_METHOD), "RSA_set_method"},
+ {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"},
+ {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING),
+ "RSA_sign_ASN1_OCTET_STRING"},
+diff -up openssl-1.0.2c/crypto/rsa/rsa_gen.c.fips openssl-1.0.2c/crypto/rsa/rsa_gen.c
+--- openssl-1.0.2c/crypto/rsa/rsa_gen.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/rsa/rsa_gen.c 2015-06-15 17:30:00.014284119 +0200
+@@ -69,6 +69,80 @@
+ #include <openssl/rsa.h>
+ #ifdef OPENSSL_FIPS
+ # include <openssl/fips.h>
++# include <openssl/err.h>
++# include <openssl/evp.h>
++
++static int fips_rsa_pairwise_fail = 0;
++
++void FIPS_corrupt_rsa_keygen(void)
++{
++ fips_rsa_pairwise_fail = 1;
++}
++
++int fips_check_rsa(RSA *rsa)
++{
++ const unsigned char tbs[] = "RSA Pairwise Check Data";
++ unsigned char *ctbuf = NULL, *ptbuf = NULL;
++ int len, ret = 0;
++ EVP_PKEY *pk;
++
++ if ((pk = EVP_PKEY_new()) == NULL)
++ goto err;
++
++ EVP_PKEY_set1_RSA(pk, rsa);
++
++ /* Perform pairwise consistency signature test */
++ if (!fips_pkey_signature_test(pk, tbs, -1,
++ NULL, 0, EVP_sha1(),
++ EVP_MD_CTX_FLAG_PAD_PKCS1, NULL)
++ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(),
++ EVP_MD_CTX_FLAG_PAD_X931, NULL)
++ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha1(),
++ EVP_MD_CTX_FLAG_PAD_PSS, NULL))
++ goto err;
++ /* Now perform pairwise consistency encrypt/decrypt test */
++ ctbuf = OPENSSL_malloc(RSA_size(rsa));
++ if (!ctbuf)
++ goto err;
++
++ len =
++ RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa,
++ RSA_PKCS1_PADDING);
++ if (len <= 0)
++ goto err;
++ /* Check ciphertext doesn't match plaintext */
++ if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len))
++ goto err;
++ ptbuf = OPENSSL_malloc(RSA_size(rsa));
++
++ if (!ptbuf)
++ goto err;
++ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
++ if (len != (sizeof(tbs) - 1))
++ goto err;
++ if (memcmp(ptbuf, tbs, len))
++ goto err;
++
++ ret = 1;
++
++ if (!ptbuf)
++ goto err;
++
++ err:
++ if (ret == 0) {
++ fips_set_selftest_fail();
++ FIPSerr(FIPS_F_FIPS_CHECK_RSA, FIPS_R_PAIRWISE_TEST_FAILED);
++ }
++
++ if (ctbuf)
++ OPENSSL_free(ctbuf);
++ if (ptbuf)
++ OPENSSL_free(ptbuf);
++ if (pk)
++ EVP_PKEY_free(pk);
++
++ return ret;
++}
+ #endif
+
+ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
+@@ -84,7 +158,7 @@ static int rsa_builtin_keygen(RSA *rsa,
+ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
+ {
+ #ifdef OPENSSL_FIPS
+- if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
++ if (FIPS_module_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+ RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
+ return 0;
+@@ -92,10 +166,6 @@ int RSA_generate_key_ex(RSA *rsa, int bi
+ #endif
+ if (rsa->meth->rsa_keygen)
+ return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb);
+-#endif
+ return rsa_builtin_keygen(rsa, bits, e_value, cb);
+ }
+
+@@ -108,6 +178,20 @@ static int rsa_builtin_keygen(RSA *rsa,
+ int bitsp, bitsq, ok = -1, n = 0;
+ BN_CTX *ctx = NULL;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_module_mode()) {
++ if (FIPS_selftest_failed()) {
++ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED);
++ return 0;
++ }
++
++ if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
++ FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_KEY_TOO_SHORT);
++ return 0;
++ }
++ }
++#endif
++
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+@@ -233,6 +317,16 @@ static int rsa_builtin_keygen(RSA *rsa,
+ if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
+ goto err;
+
++#ifdef OPENSSL_FIPS
++ if (FIPS_module_mode()) {
++ if (fips_rsa_pairwise_fail)
++ BN_add_word(rsa->n, 1);
++
++ if (!fips_check_rsa(rsa))
++ goto err;
++ }
++#endif
++
+ ok = 1;
+ err:
+ if (ok == -1) {
+diff -up openssl-1.0.2c/crypto/rsa/rsa.h.fips openssl-1.0.2c/crypto/rsa/rsa.h
+--- openssl-1.0.2c/crypto/rsa/rsa.h.fips 2015-06-15 17:29:59.903281578 +0200
++++ openssl-1.0.2c/crypto/rsa/rsa.h 2015-06-15 17:30:00.014284119 +0200
+@@ -168,6 +168,8 @@ struct rsa_st {
+ # define OPENSSL_RSA_MAX_MODULUS_BITS 16384
+ # endif
+
++# define OPENSSL_RSA_FIPS_MIN_MODULUS_BITS 1024
++
+ # ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
+ # define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
+ # endif
+@@ -329,6 +331,13 @@ RSA *RSA_generate_key(int bits, unsigned
+
+ /* New version */
+ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
++int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1,
++ BIGNUM *q2, const BIGNUM *Xp1, const BIGNUM *Xp2,
++ const BIGNUM *Xp, const BIGNUM *Xq1,
++ const BIGNUM *Xq2, const BIGNUM *Xq,
++ const BIGNUM *e, BN_GENCB *cb);
++int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e,
++ BN_GENCB *cb);
+
+ int RSA_check_key(const RSA *);
+ /* next 4 return -1 on error */
+@@ -538,7 +547,7 @@ void ERR_load_RSA_strings(void);
+ # define RSA_F_RSA_ALGOR_TO_MD 157
+ # define RSA_F_RSA_BUILTIN_KEYGEN 129
+ # define RSA_F_RSA_CHECK_KEY 123
+-# define RSA_F_RSA_CMS_DECRYPT 158
++# define RSA_F_RSA_CMS_DECRYPT 258
+ # define RSA_F_RSA_EAY_PRIVATE_DECRYPT 101
+ # define RSA_F_RSA_EAY_PRIVATE_ENCRYPT 102
+ # define RSA_F_RSA_EAY_PUBLIC_DECRYPT 103
+@@ -559,7 +568,7 @@ void ERR_load_RSA_strings(void);
+ # define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121
+ # define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1 160
+ # define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125
+-# define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 148
++# define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 158
+ # define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108
+ # define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109
+ # define RSA_F_RSA_PADDING_ADD_SSLV23 110
+@@ -573,21 +582,23 @@ void ERR_load_RSA_strings(void);
+ # define RSA_F_RSA_PADDING_CHECK_X931 128
+ # define RSA_F_RSA_PRINT 115
+ # define RSA_F_RSA_PRINT_FP 116
+-# define RSA_F_RSA_PRIVATE_DECRYPT 150
+-# define RSA_F_RSA_PRIVATE_ENCRYPT 151
++# define RSA_F_RSA_PRIVATE_DECRYPT 157
++# define RSA_F_RSA_PRIVATE_ENCRYPT 148
+ # define RSA_F_RSA_PRIV_DECODE 137
+ # define RSA_F_RSA_PRIV_ENCODE 138
+ # define RSA_F_RSA_PSS_TO_CTX 162
+-# define RSA_F_RSA_PUBLIC_DECRYPT 152
++# define RSA_F_RSA_PUBLIC_DECRYPT 149
+ # define RSA_F_RSA_PUBLIC_ENCRYPT 153
+ # define RSA_F_RSA_PUB_DECODE 139
+ # define RSA_F_RSA_SETUP_BLINDING 136
++# define RSA_F_RSA_SET_DEFAULT_METHOD 150
++# define RSA_F_RSA_SET_METHOD 151
+ # define RSA_F_RSA_SIGN 117
+ # define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
+ # define RSA_F_RSA_VERIFY 119
+ # define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120
+ # define RSA_F_RSA_VERIFY_PKCS1_PSS 126
+-# define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 149
++# define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 152
+
+ /* Reason codes. */
+ # define RSA_R_ALGORITHM_MISMATCH 100
+@@ -620,21 +631,22 @@ void ERR_load_RSA_strings(void);
+ # define RSA_R_INVALID_OAEP_PARAMETERS 162
+ # define RSA_R_INVALID_PADDING 138
+ # define RSA_R_INVALID_PADDING_MODE 141
+-# define RSA_R_INVALID_PSS_PARAMETERS 149
++# define RSA_R_INVALID_PSS_PARAMETERS 157
+ # define RSA_R_INVALID_PSS_SALTLEN 146
+-# define RSA_R_INVALID_SALT_LENGTH 150
++# define RSA_R_INVALID_SALT_LENGTH 158
+ # define RSA_R_INVALID_TRAILER 139
+ # define RSA_R_INVALID_X931_DIGEST 142
+ # define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
+ # define RSA_R_KEY_SIZE_TOO_SMALL 120
+ # define RSA_R_LAST_OCTET_INVALID 134
+ # define RSA_R_MODULUS_TOO_LARGE 105
+-# define RSA_R_NON_FIPS_RSA_METHOD 157
++# define RSA_R_NON_FIPS_RSA_METHOD 149
++# define RSA_R_NON_FIPS_METHOD 149
+ # define RSA_R_NO_PUBLIC_EXPONENT 140
+ # define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
+ # define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
+ # define RSA_R_OAEP_DECODING_ERROR 121
+-# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 158
++# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 150
+ # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
+ # define RSA_R_PADDING_CHECK_FAILED 114
+ # define RSA_R_PKCS_DECODING_ERROR 159
+diff -up openssl-1.0.2c/crypto/rsa/rsa_lib.c.fips openssl-1.0.2c/crypto/rsa/rsa_lib.c
+--- openssl-1.0.2c/crypto/rsa/rsa_lib.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/rsa/rsa_lib.c 2015-06-15 17:30:00.015284142 +0200
+@@ -84,23 +84,22 @@ RSA *RSA_new(void)
+
+ void RSA_set_default_method(const RSA_METHOD *meth)
+ {
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) {
++ RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_METHOD);
++ return;
++ }
++#endif
+ default_RSA_meth = meth;
+ }
+
+ const RSA_METHOD *RSA_get_default_method(void)
+ {
+ if (default_RSA_meth == NULL) {
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return FIPS_rsa_pkcs1_ssleay();
+- else
+- return RSA_PKCS1_SSLeay();
+-#else
+-# ifdef RSA_NULL
++#ifdef RSA_NULL
+ default_RSA_meth = RSA_null_method();
+-# else
++#else
+ default_RSA_meth = RSA_PKCS1_SSLeay();
+-# endif
+ #endif
+ }
+
+@@ -119,6 +118,12 @@ int RSA_set_method(RSA *rsa, const RSA_M
+ * to deal with which ENGINE it comes from.
+ */
+ const RSA_METHOD *mtmp;
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) {
++ RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_METHOD);
++ return 0;
++ }
++#endif
+ mtmp = rsa->meth;
+ if (mtmp->finish)
+ mtmp->finish(rsa);
+@@ -165,6 +170,17 @@ RSA *RSA_new_method(ENGINE *engine)
+ }
+ }
+ #endif
++#ifdef OPENSSL_FIPS
++ if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD)) {
++ RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_METHOD);
++# ifndef OPENSSL_NO_ENGINE
++ if (ret->engine)
++ ENGINE_finish(ret->engine);
++# endif
++ OPENSSL_free(ret);
++ return NULL;
++ }
++#endif
+
+ ret->pad = 0;
+ ret->version = 0;
+@@ -183,7 +199,7 @@ RSA *RSA_new_method(ENGINE *engine)
+ ret->blinding = NULL;
+ ret->mt_blinding = NULL;
+ ret->bignum_data = NULL;
+- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
++ ret->flags = ret->meth->flags;
+ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
+ #ifndef OPENSSL_NO_ENGINE
+ if (ret->engine)
+diff -up openssl-1.0.2c/crypto/rsa/rsa_pmeth.c.fips openssl-1.0.2c/crypto/rsa/rsa_pmeth.c
+--- openssl-1.0.2c/crypto/rsa/rsa_pmeth.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/rsa/rsa_pmeth.c 2015-06-15 17:30:00.015284142 +0200
+@@ -228,20 +228,6 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c
+ RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH);
+ return -1;
+ }
+-#ifdef OPENSSL_FIPS
+- if (ret > 0) {
+- unsigned int slen;
+- ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
+- rctx->pad_mode,
+- rctx->saltlen,
+- rctx->mgf1md, sig, &slen);
+- if (ret > 0)
+- *siglen = slen;
+- else
+- *siglen = 0;
+- return ret;
+- }
+-#endif
+
+ if (EVP_MD_type(rctx->md) == NID_mdc2) {
+ unsigned int sltmp;
+@@ -359,17 +345,6 @@ static int pkey_rsa_verify(EVP_PKEY_CTX
+ }
+ #endif
+ if (rctx->md) {
+-#ifdef OPENSSL_FIPS
+- if (rv > 0) {
+- return FIPS_rsa_verify_digest(rsa,
+- tbs, tbslen,
+- rctx->md,
+- rctx->pad_mode,
+- rctx->saltlen,
+- rctx->mgf1md, sig, siglen);
+-
+- }
+-#endif
+ if (rctx->pad_mode == RSA_PKCS1_PADDING)
+ return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
+ sig, siglen, rsa);
+diff -up openssl-1.0.2c/crypto/rsa/rsa_sign.c.fips openssl-1.0.2c/crypto/rsa/rsa_sign.c
+--- openssl-1.0.2c/crypto/rsa/rsa_sign.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/rsa/rsa_sign.c 2015-06-15 17:30:00.015284142 +0200
+@@ -132,7 +132,10 @@ int RSA_sign(int type, const unsigned ch
+ i2d_X509_SIG(&sig, &p);
+ s = tmps;
+ }
+- i = RSA_private_encrypt(i, s, sigret, rsa, RSA_PKCS1_PADDING);
++ /* NB: call underlying method directly to avoid FIPS blocking */
++ i = rsa->meth->rsa_priv_enc ? rsa->meth->rsa_priv_enc(i, s, sigret, rsa,
++ RSA_PKCS1_PADDING) :
++ 0;
+ if (i <= 0)
+ ret = 0;
+ else
+@@ -188,8 +191,10 @@ int int_rsa_verify(int dtype, const unsi
+ }
+
+ if ((dtype == NID_md5_sha1) && rm) {
+- i = RSA_public_decrypt((int)siglen,
+- sigbuf, rm, rsa, RSA_PKCS1_PADDING);
++ i = rsa->meth->rsa_pub_dec ? rsa->meth->rsa_pub_dec((int)siglen,
++ sigbuf, rm, rsa,
++ RSA_PKCS1_PADDING)
++ : 0;
+ if (i <= 0)
+ return 0;
+ *prm_len = i;
+@@ -205,7 +210,11 @@ int int_rsa_verify(int dtype, const unsi
+ RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_INVALID_MESSAGE_LENGTH);
+ goto err;
+ }
+- i = RSA_public_decrypt((int)siglen, sigbuf, s, rsa, RSA_PKCS1_PADDING);
++ /* NB: call underlying method directly to avoid FIPS blocking */
++ i = rsa->meth->rsa_pub_dec ? rsa->meth->rsa_pub_dec((int)siglen, sigbuf,
++ s, rsa,
++ RSA_PKCS1_PADDING) :
++ 0;
+
+ if (i <= 0)
+ goto err;
+diff -up openssl-1.0.2c/crypto/sha/sha.h.fips openssl-1.0.2c/crypto/sha/sha.h
+--- openssl-1.0.2c/crypto/sha/sha.h.fips 2015-06-15 17:29:59.697276860 +0200
++++ openssl-1.0.2c/crypto/sha/sha.h 2015-06-15 17:30:00.015284142 +0200
+@@ -105,9 +105,6 @@ typedef struct SHAstate_st {
+ } SHA_CTX;
+
+ # ifndef OPENSSL_NO_SHA0
+-# ifdef OPENSSL_FIPS
+-int private_SHA_Init(SHA_CTX *c);
+-# endif
+ int SHA_Init(SHA_CTX *c);
+ int SHA_Update(SHA_CTX *c, const void *data, size_t len);
+ int SHA_Final(unsigned char *md, SHA_CTX *c);
+@@ -115,9 +112,6 @@ unsigned char *SHA(const unsigned char *
+ void SHA_Transform(SHA_CTX *c, const unsigned char *data);
+ # endif
+ # ifndef OPENSSL_NO_SHA1
+-# ifdef OPENSSL_FIPS
+-int private_SHA1_Init(SHA_CTX *c);
+-# endif
+ int SHA1_Init(SHA_CTX *c);
+ int SHA1_Update(SHA_CTX *c, const void *data, size_t len);
+ int SHA1_Final(unsigned char *md, SHA_CTX *c);
+@@ -139,10 +133,6 @@ typedef struct SHA256state_st {
+ } SHA256_CTX;
+
+ # ifndef OPENSSL_NO_SHA256
+-# ifdef OPENSSL_FIPS
+-int private_SHA224_Init(SHA256_CTX *c);
+-int private_SHA256_Init(SHA256_CTX *c);
+-# endif
+ int SHA224_Init(SHA256_CTX *c);
+ int SHA224_Update(SHA256_CTX *c, const void *data, size_t len);
+ int SHA224_Final(unsigned char *md, SHA256_CTX *c);
+@@ -192,10 +182,6 @@ typedef struct SHA512state_st {
+ # endif
+
+ # ifndef OPENSSL_NO_SHA512
+-# ifdef OPENSSL_FIPS
+-int private_SHA384_Init(SHA512_CTX *c);
+-int private_SHA512_Init(SHA512_CTX *c);
+-# endif
+ int SHA384_Init(SHA512_CTX *c);
+ int SHA384_Update(SHA512_CTX *c, const void *data, size_t len);
+ int SHA384_Final(unsigned char *md, SHA512_CTX *c);
+diff -up openssl-1.0.2c/crypto/sha/sha_locl.h.fips openssl-1.0.2c/crypto/sha/sha_locl.h
+--- openssl-1.0.2c/crypto/sha/sha_locl.h.fips 2015-06-15 17:29:59.699276906 +0200
++++ openssl-1.0.2c/crypto/sha/sha_locl.h 2015-06-15 17:30:00.015284142 +0200
+@@ -123,11 +123,14 @@ void sha1_block_data_order(SHA_CTX *c, c
+ #define INIT_DATA_h4 0xc3d2e1f0UL
+
+ #ifdef SHA_0
+-fips_md_init(SHA)
++nonfips_md_init(SHA)
+ #else
+ fips_md_init_ctx(SHA1, SHA)
+ #endif
+ {
++#if defined(SHA_1) && defined(OPENSSL_FIPS)
++ FIPS_selftest_check();
++#endif
+ memset(c, 0, sizeof(*c));
+ c->h0 = INIT_DATA_h0;
+ c->h1 = INIT_DATA_h1;
+diff -up openssl-1.0.2c/crypto/sha/sha256.c.fips openssl-1.0.2c/crypto/sha/sha256.c
+--- openssl-1.0.2c/crypto/sha/sha256.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/sha/sha256.c 2015-06-15 17:30:00.015284142 +0200
+@@ -12,12 +12,19 @@
+
+ # include <openssl/crypto.h>
+ # include <openssl/sha.h>
++# ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++# endif
++
+ # include <openssl/opensslv.h>
+
+ const char SHA256_version[] = "SHA-256" OPENSSL_VERSION_PTEXT;
+
+ fips_md_init_ctx(SHA224, SHA256)
+ {
++# ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++# endif
+ memset(c, 0, sizeof(*c));
+ c->h[0] = 0xc1059ed8UL;
+ c->h[1] = 0x367cd507UL;
+@@ -33,6 +40,9 @@ fips_md_init_ctx(SHA224, SHA256)
+
+ fips_md_init(SHA256)
+ {
++# ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++# endif
+ memset(c, 0, sizeof(*c));
+ c->h[0] = 0x6a09e667UL;
+ c->h[1] = 0xbb67ae85UL;
+diff -up openssl-1.0.2c/crypto/sha/sha512.c.fips openssl-1.0.2c/crypto/sha/sha512.c
+--- openssl-1.0.2c/crypto/sha/sha512.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/sha/sha512.c 2015-06-15 17:30:00.016284165 +0200
+@@ -5,6 +5,10 @@
+ * ====================================================================
+ */
+ #include <openssl/opensslconf.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++
+ #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
+ /*-
+ * IMPLEMENTATION NOTES.
+@@ -62,6 +66,9 @@ const char SHA512_version[] = "SHA-512"
+
+ fips_md_init_ctx(SHA384, SHA512)
+ {
++# ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++# endif
+ c->h[0] = U64(0xcbbb9d5dc1059ed8);
+ c->h[1] = U64(0x629a292a367cd507);
+ c->h[2] = U64(0x9159015a3070dd17);
+@@ -80,6 +87,9 @@ fips_md_init_ctx(SHA384, SHA512)
+
+ fips_md_init(SHA512)
+ {
++# ifdef OPENSSL_FIPS
++ FIPS_selftest_check();
++# endif
+ c->h[0] = U64(0x6a09e667f3bcc908);
+ c->h[1] = U64(0xbb67ae8584caa73b);
+ c->h[2] = U64(0x3c6ef372fe94f82b);
+diff -up openssl-1.0.2c/crypto/whrlpool/wp_dgst.c.fips openssl-1.0.2c/crypto/whrlpool/wp_dgst.c
+--- openssl-1.0.2c/crypto/whrlpool/wp_dgst.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/crypto/whrlpool/wp_dgst.c 2015-06-15 17:30:00.016284165 +0200
+@@ -55,7 +55,7 @@
+ #include <openssl/crypto.h>
+ #include <string.h>
+
+-fips_md_init(WHIRLPOOL)
++nonfips_md_init(WHIRLPOOL)
+ {
+ memset(c, 0, sizeof(*c));
+ return (1);
+diff -up openssl-1.0.2c/Makefile.org.fips openssl-1.0.2c/Makefile.org
+--- openssl-1.0.2c/Makefile.org.fips 2015-06-15 17:29:59.986283478 +0200
++++ openssl-1.0.2c/Makefile.org 2015-06-15 17:30:00.016284165 +0200
+@@ -137,6 +137,9 @@ FIPSCANLIB=
+
+ BASEADDR=
+
++# Non-empty if FIPS enabled
++FIPS=
++
+ DIRS= crypto ssl engines apps test tools
+ ENGDIRS= ccgost
+ SHLIBDIRS= crypto ssl
+@@ -149,7 +152,7 @@ SDIRS= \
+ bn ec rsa dsa ecdsa dh ecdh dso engine \
+ buffer bio stack lhash rand err \
+ evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
+- cms pqueue ts jpake srp store cmac
++ cms pqueue ts jpake srp store cmac fips
+ # keep in mind that the above list is adjusted by ./Configure
+ # according to no-xxx arguments...
+
+@@ -238,6 +241,7 @@ BUILDENV= PLATFORM='$(PLATFORM)' PROCESS
+ FIPSLIBDIR='${FIPSLIBDIR}' \
+ FIPSDIR='${FIPSDIR}' \
+ FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}" \
++ FIPS="$${FIPS:-$(FIPS)}" \
+ THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
+ # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
+ # which in turn eliminates ambiguities in variable treatment with -e.
+diff -up openssl-1.0.2c/ssl/ssl_algs.c.fips openssl-1.0.2c/ssl/ssl_algs.c
+--- openssl-1.0.2c/ssl/ssl_algs.c.fips 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/ssl/ssl_algs.c 2015-06-15 17:30:00.016284165 +0200
+@@ -64,6 +64,11 @@
+ int SSL_library_init(void)
+ {
+
++#ifdef OPENSSL_FIPS
++ OPENSSL_init_library();
++ if (!FIPS_mode()) {
++#endif
++
+ #ifndef OPENSSL_NO_DES
+ EVP_add_cipher(EVP_des_cbc());
+ EVP_add_cipher(EVP_des_ede3_cbc());
+@@ -142,6 +147,48 @@ int SSL_library_init(void)
+ EVP_add_digest(EVP_sha());
+ EVP_add_digest(EVP_dss());
+ #endif
++#ifdef OPENSSL_FIPS
++ } else {
++# ifndef OPENSSL_NO_DES
++ EVP_add_cipher(EVP_des_ede3_cbc());
++# endif
++# ifndef OPENSSL_NO_AES
++ EVP_add_cipher(EVP_aes_128_cbc());
++ EVP_add_cipher(EVP_aes_192_cbc());
++ EVP_add_cipher(EVP_aes_256_cbc());
++ EVP_add_cipher(EVP_aes_128_gcm());
++ EVP_add_cipher(EVP_aes_256_gcm());
++# endif
++# ifndef OPENSSL_NO_MD5
++ /* needed even in the FIPS mode for TLS MAC */
++ EVP_add_digest(EVP_md5());
++ EVP_add_digest_alias(SN_md5, "ssl2-md5");
++ EVP_add_digest_alias(SN_md5, "ssl3-md5");
++# endif
++# ifndef OPENSSL_NO_SHA
++ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
++ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
++ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
++# endif
++# ifndef OPENSSL_NO_SHA256
++ EVP_add_digest(EVP_sha224());
++ EVP_add_digest(EVP_sha256());
++# endif
++# ifndef OPENSSL_NO_SHA512
++ EVP_add_digest(EVP_sha384());
++ EVP_add_digest(EVP_sha512());
++# endif
++# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
++ EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
++ EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
++ EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
++ EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
++# endif
++# ifndef OPENSSL_NO_ECDSA
++ EVP_add_digest(EVP_ecdsa());
++# endif
++ }
++#endif
+ #ifndef OPENSSL_NO_COMP
+ /*
+ * This will initialise the built-in compression algorithms. The value
diff --git a/openssl-1.0.2c-rpmbuild.patch b/openssl-1.0.2c-rpmbuild.patch
new file mode 100644
index 0000000..555010c
--- /dev/null
+++ b/openssl-1.0.2c-rpmbuild.patch
@@ -0,0 +1,114 @@
+diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
+--- openssl-1.0.2c/Configure.rpmbuild 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/Configure 2015-06-15 17:22:52.598496680 +0200
+@@ -365,8 +365,8 @@ my %table=(
+ ####
+ # *-generic* is endian-neutral target, but ./config is free to
+ # throw in -D[BL]_ENDIAN, whichever appropriate...
+-"linux-generic32","gcc:-O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-ppc", "gcc:-DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-generic32","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-ppc", "gcc:-DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+
+ #######################################################################
+ # Note that -march is not among compiler options in below linux-armv4
+@@ -395,30 +395,30 @@ my %table=(
+ #
+ # ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8
+ #
+-"linux-armv4", "gcc: -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-aarch64","gcc: -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-armv4", "gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-aarch64","gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ # Configure script adds minimally required -march for assembly support,
+ # if no -march was specified at command line. mips32 and mips64 below
+ # refer to contemporary MIPS Architecture specifications, MIPS32 and
+ # MIPS64, rather than to kernel bitness.
+-"linux-mips32", "gcc:-mabi=32 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-mips64", "gcc:-mabi=n32 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:n32:dlfcn:linux-shared:-fPIC:-mabi=n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::32",
+-"linux64-mips64", "gcc:-mabi=64 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux-mips32", "gcc:-mabi=32 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-mips64", "gcc:-mabi=n32 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:n32:dlfcn:linux-shared:-fPIC:-mabi=n32 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::32",
++"linux64-mips64", "gcc:-mabi=64 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ #### IA-32 targets...
+ "linux-ia32-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-elf", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-elf", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ "linux-aout", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
+ ####
+-"linux-generic64","gcc:-O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+-"linux-ppc64le","gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
+-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-ppc64", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
++"linux-ppc64le","gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
++"linux-ia64", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ "linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux-x86_64", "gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ "linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ "linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ "linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
+-"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux64-s390x", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ #### So called "highgprs" target for z/Architecture CPUs
+ # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
+ # /proc/cpuinfo. The idea is to preserve most significant bits of
+@@ -436,12 +436,12 @@ my %table=(
+ #### SPARC Linux setups
+ # Ray Miller <ray.miller at computing-services.oxford.ac.uk> has patiently
+ # assisted with debugging of following two configs.
+-"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ # it's a real mess with -mcpu=ultrasparc option under Linux, but
+ # -Wa,-Av8plus should do the trick no matter what.
+-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+ # GCC 3.1 is a requirement
+-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
++"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+ #### Alpha Linux with GNU C and Compaq C setups
+ # Special notes:
+ # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
+@@ -1764,7 +1764,7 @@ while (<IN>)
+ elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
+ {
+ my $sotmp = $1;
+- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
++ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
+ }
+ elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
+ {
+diff -up openssl-1.0.2c/Makefile.org.rpmbuild openssl-1.0.2c/Makefile.org
+--- openssl-1.0.2c/Makefile.org.rpmbuild 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/Makefile.org 2015-06-15 17:19:14.874510995 +0200
+@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
+ SHLIB_MAJOR=
+ SHLIB_MINOR=
+ SHLIB_EXT=
++SHLIB_SONAMEVER=10
+ PLATFORM=dist
+ OPTIONS=
+ CONFIGURE_ARGS=
+@@ -338,10 +339,9 @@ clean-shared:
+ link-shared:
+ @ set -e; for i in $(SHLIBDIRS); do \
+ $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
+- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
++ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
+ LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
+ symlink.$(SHLIB_TARGET); \
+- libs="$$libs -l$$i"; \
+ done
+
+ build-shared: do_$(SHLIB_TARGET) link-shared
+@@ -352,7 +352,7 @@ do_$(SHLIB_TARGET):
+ libs="$(LIBKRB5) $$libs"; \
+ fi; \
+ $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
+- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
++ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
+ LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
+ LIBDEPS="$$libs $(EX_LIBS)" \
+ link_a.$(SHLIB_TARGET); \
diff --git a/openssl-1.0.2c-trusted-first-doc.patch b/openssl-1.0.2c-trusted-first-doc.patch
new file mode 100644
index 0000000..63e1076
--- /dev/null
+++ b/openssl-1.0.2c-trusted-first-doc.patch
@@ -0,0 +1,288 @@
+diff -up openssl-1.0.2c/apps/cms.c.trusted-first openssl-1.0.2c/apps/cms.c
+--- openssl-1.0.2c/apps/cms.c.trusted-first 2015-06-15 17:45:13.112279761 +0200
++++ openssl-1.0.2c/apps/cms.c 2015-06-15 17:46:11.045611575 +0200
+@@ -646,6 +646,8 @@ int MAIN(int argc, char **argv)
+ "-CApath dir trusted certificates directory\n");
+ BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
+ BIO_printf(bio_err,
++ "-trusted_first use trusted certificates first when building the trust chain\n");
++ BIO_printf(bio_err,
+ "-no_alt_chains only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
+ "-crl_check check revocation status of signer's certificate using CRLs\n");
+diff -up openssl-1.0.2c/apps/ocsp.c.trusted-first openssl-1.0.2c/apps/ocsp.c
+--- openssl-1.0.2c/apps/ocsp.c.trusted-first 2015-06-15 17:45:13.112279761 +0200
++++ openssl-1.0.2c/apps/ocsp.c 2015-06-15 17:46:31.898090948 +0200
+@@ -536,6 +536,8 @@ int MAIN(int argc, char **argv)
+ BIO_printf(bio_err,
+ "-CAfile file trusted certificates file\n");
+ BIO_printf(bio_err,
++ "-trusted_first use trusted certificates first when building the trust chain\n");
++ BIO_printf(bio_err,
+ "-no_alt_chains only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
+ "-VAfile file validator certificates file\n");
+diff -up openssl-1.0.2c/apps/s_client.c.trusted-first openssl-1.0.2c/apps/s_client.c
+--- openssl-1.0.2c/apps/s_client.c.trusted-first 2015-06-15 17:45:13.113279784 +0200
++++ openssl-1.0.2c/apps/s_client.c 2015-06-15 17:47:05.645866767 +0200
+@@ -333,6 +333,8 @@ static void sc_usage(void)
+ BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
+ BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
+ BIO_printf(bio_err,
++ " -trusted_first - Use trusted CA's first when building the trust chain\n");
++ BIO_printf(bio_err,
+ " -no_alt_chains - only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
+ " -reconnect - Drop and re-make the connection with the same Session-ID\n");
+diff -up openssl-1.0.2c/apps/smime.c.trusted-first openssl-1.0.2c/apps/smime.c
+--- openssl-1.0.2c/apps/smime.c.trusted-first 2015-06-15 17:45:13.113279784 +0200
++++ openssl-1.0.2c/apps/smime.c 2015-06-15 17:47:39.090635621 +0200
+@@ -442,6 +442,8 @@ int MAIN(int argc, char **argv)
+ "-CApath dir trusted certificates directory\n");
+ BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
+ BIO_printf(bio_err,
++ "-trusted_first use trusted certificates first when building the trust chain\n");
++ BIO_printf(bio_err,
+ "-no_alt_chains only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
+ "-crl_check check revocation status of signer's certificate using CRLs\n");
+diff -up openssl-1.0.2c/apps/s_server.c.trusted-first openssl-1.0.2c/apps/s_server.c
+--- openssl-1.0.2c/apps/s_server.c.trusted-first 2015-06-15 17:45:13.114279807 +0200
++++ openssl-1.0.2c/apps/s_server.c 2015-06-15 17:47:24.841308046 +0200
+@@ -572,6 +572,8 @@ static void sv_usage(void)
+ BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
+ BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
+ BIO_printf(bio_err,
++ " -trusted_first - Use trusted CA's first when building the trust chain\n");
++ BIO_printf(bio_err,
+ " -no_alt_chains - only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
+ " -nocert - Don't use any certificates (Anon-DH)\n");
+diff -up openssl-1.0.2c/apps/s_time.c.trusted-first openssl-1.0.2c/apps/s_time.c
+--- openssl-1.0.2c/apps/s_time.c.trusted-first 2015-06-15 17:45:13.010277416 +0200
++++ openssl-1.0.2c/apps/s_time.c 2015-06-15 17:45:13.114279807 +0200
+@@ -182,6 +182,7 @@ static void s_time_usage(void)
+ file if not specified by this option\n\
+ -CApath arg - PEM format directory of CA's\n\
+ -CAfile arg - PEM format file of CA's\n\
++-trusted_first - Use trusted CA's first when building the trust chain\n\
+ -cipher - preferred cipher to use, play with 'openssl ciphers'\n\n";
+
+ printf("usage: s_time <args>\n\n");
+diff -up openssl-1.0.2c/apps/ts.c.trusted-first openssl-1.0.2c/apps/ts.c
+--- openssl-1.0.2c/apps/ts.c.trusted-first 2015-06-15 17:45:13.065278681 +0200
++++ openssl-1.0.2c/apps/ts.c 2015-06-15 17:45:13.114279807 +0200
+@@ -352,7 +352,7 @@ int MAIN(int argc, char **argv)
+ "ts -verify [-data file_to_hash] [-digest digest_bytes] "
+ "[-queryfile request.tsq] "
+ "-in response.tsr [-token_in] "
+- "-CApath ca_path -CAfile ca_file.pem "
++ "-CApath ca_path -CAfile ca_file.pem -trusted_first"
+ "-untrusted cert_file.pem\n");
+ cleanup:
+ /* Clean up. */
+diff -up openssl-1.0.2c/apps/verify.c.trusted-first openssl-1.0.2c/apps/verify.c
+--- openssl-1.0.2c/apps/verify.c.trusted-first 2015-06-15 17:45:13.114279807 +0200
++++ openssl-1.0.2c/apps/verify.c 2015-06-15 17:48:03.979207778 +0200
+@@ -231,7 +231,7 @@ int MAIN(int argc, char **argv)
+ end:
+ if (ret == 1) {
+ BIO_printf(bio_err,
+- "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
++ "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
+ BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
+ #ifndef OPENSSL_NO_ENGINE
+ BIO_printf(bio_err, " [-engine e]");
+diff -up openssl-1.0.2c/doc/apps/cms.pod.trusted-first openssl-1.0.2c/doc/apps/cms.pod
+--- openssl-1.0.2c/doc/apps/cms.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/doc/apps/cms.pod 2015-06-15 17:48:43.615118958 +0200
+@@ -35,6 +35,7 @@ B<openssl> B<cms>
+ [B<-print>]
+ [B<-CAfile file>]
+ [B<-CApath dir>]
++[B<-trusted_first>]
+ [B<-no_alt_chains>]
+ [B<-md digest>]
+ [B<-[cipher]>]
+@@ -245,6 +246,12 @@ B<-verify>. This directory must be a sta
+ is a hash of each subject name (using B<x509 -hash>) should be linked
+ to each certificate.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory before untrusted certificates
++from the message when building the trust chain to verify certificates.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-md digest>
+
+ digest algorithm to use when signing or resigning. If not present then the
+diff -up openssl-1.0.2c/doc/apps/ocsp.pod.trusted-first openssl-1.0.2c/doc/apps/ocsp.pod
+--- openssl-1.0.2c/doc/apps/ocsp.pod.trusted-first 2015-06-15 17:45:13.115279830 +0200
++++ openssl-1.0.2c/doc/apps/ocsp.pod 2015-06-15 17:49:06.337641320 +0200
+@@ -29,7 +29,8 @@ B<openssl> B<ocsp>
+ [B<-path>]
+ [B<-CApath dir>]
+ [B<-CAfile file>]
+-[B<-no_alt_chains>]]
++[B<-trusted_first>]
++[B<-no_alt_chains>]
+ [B<-VAfile file>]
+ [B<-validity_period n>]
+ [B<-status_age n>]
+@@ -144,6 +145,13 @@ connection timeout to the OCSP responder
+ file or pathname containing trusted CA certificates. These are used to verify
+ the signature on the OCSP response.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory over certificates provided
++in the response or residing in other certificates file when building the trust
++chain to verify responder certificate.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-no_alt_chains>
+
+ See L<B<verify>|verify(1)> manual page for details.
+diff -up openssl-1.0.2c/doc/apps/s_client.pod.trusted-first openssl-1.0.2c/doc/apps/s_client.pod
+--- openssl-1.0.2c/doc/apps/s_client.pod.trusted-first 2015-06-15 17:45:13.115279830 +0200
++++ openssl-1.0.2c/doc/apps/s_client.pod 2015-06-15 17:49:23.984046989 +0200
+@@ -19,6 +19,7 @@ B<openssl> B<s_client>
+ [B<-pass arg>]
+ [B<-CApath directory>]
+ [B<-CAfile filename>]
++[B<-trusted_first>]
+ [B<-no_alt_chains>]
+ [B<-reconnect>]
+ [B<-pause>]
+@@ -124,7 +125,7 @@ also used when building the client certi
+ A file containing trusted certificates to use during server authentication
+ and to use when attempting to build the client certificate chain.
+
+-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
++=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first -no_alt_chains>
+
+ Set various certificate chain valiadition option. See the
+ L<B<verify>|verify(1)> manual page for details.
+diff -up openssl-1.0.2c/doc/apps/smime.pod.trusted-first openssl-1.0.2c/doc/apps/smime.pod
+--- openssl-1.0.2c/doc/apps/smime.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/doc/apps/smime.pod 2015-06-15 17:50:00.856894648 +0200
+@@ -15,6 +15,9 @@ B<openssl> B<smime>
+ [B<-pk7out>]
+ [B<-[cipher]>]
+ [B<-in file>]
++[B<-CAfile file>]
++[B<-CApath dir>]
++[B<-trusted_first>]
+ [B<-no_alt_chains>]
+ [B<-certfile file>]
+ [B<-signer file>]
+@@ -147,6 +150,12 @@ B<-verify>. This directory must be a sta
+ is a hash of each subject name (using B<x509 -hash>) should be linked
+ to each certificate.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory over certificates provided
++in the message when building the trust chain to verify a certificate.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-md digest>
+
+ digest algorithm to use when signing or resigning. If not present then the
+diff -up openssl-1.0.2c/doc/apps/s_server.pod.trusted-first openssl-1.0.2c/doc/apps/s_server.pod
+--- openssl-1.0.2c/doc/apps/s_server.pod.trusted-first 2015-06-15 17:45:13.116279853 +0200
++++ openssl-1.0.2c/doc/apps/s_server.pod 2015-06-15 17:49:37.420355873 +0200
+@@ -33,6 +33,7 @@ B<openssl> B<s_server>
+ [B<-state>]
+ [B<-CApath directory>]
+ [B<-CAfile filename>]
++[B<-trusted_first>]
+ [B<-no_alt_chains>]
+ [B<-nocert>]
+ [B<-cipher cipherlist>]
+@@ -175,6 +176,12 @@ and to use when attempting to build the
+ is also used in the list of acceptable client CAs passed to the client when
+ a certificate is requested.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory before other certificates
++when building the trust chain to verify client certificates.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-no_alt_chains>
+
+ See the L<B<verify>|verify(1)> manual page for details.
+diff -up openssl-1.0.2c/doc/apps/s_time.pod.trusted-first openssl-1.0.2c/doc/apps/s_time.pod
+--- openssl-1.0.2c/doc/apps/s_time.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/doc/apps/s_time.pod 2015-06-15 17:45:13.116279853 +0200
+@@ -14,6 +14,7 @@ B<openssl> B<s_time>
+ [B<-key filename>]
+ [B<-CApath directory>]
+ [B<-CAfile filename>]
++[B<-trusted_first>]
+ [B<-reuse>]
+ [B<-new>]
+ [B<-verify depth>]
+@@ -76,6 +77,12 @@ also used when building the client certi
+ A file containing trusted certificates to use during server authentication
+ and to use when attempting to build the client certificate chain.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory over the certificates provided
++by the server when building the trust chain to verify server certificate.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-new>
+
+ performs the timing test using a new session ID for each connection.
+diff -up openssl-1.0.2c/doc/apps/ts.pod.trusted-first openssl-1.0.2c/doc/apps/ts.pod
+--- openssl-1.0.2c/doc/apps/ts.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/doc/apps/ts.pod 2015-06-15 17:45:13.116279853 +0200
+@@ -46,6 +46,7 @@ B<-verify>
+ [B<-token_in>]
+ [B<-CApath> trusted_cert_path]
+ [B<-CAfile> trusted_certs.pem]
++[B<-trusted_first>]
+ [B<-untrusted> cert_file.pem]
+
+ =head1 DESCRIPTION
+@@ -324,6 +325,12 @@ L<verify(1)|verify(1)> for additional de
+ or B<-CApath> must be specified.
+ (Optional)
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory before other certificates
++when building the trust chain to verify certificates.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-untrusted> cert_file.pem
+
+ Set of additional untrusted certificates in PEM format which may be
+diff -up openssl-1.0.2c/doc/apps/verify.pod.trusted-first openssl-1.0.2c/doc/apps/verify.pod
+--- openssl-1.0.2c/doc/apps/verify.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
++++ openssl-1.0.2c/doc/apps/verify.pod 2015-06-15 17:45:13.116279853 +0200
+@@ -9,6 +9,7 @@ verify - Utility to verify certificates.
+ B<openssl> B<verify>
+ [B<-CApath directory>]
+ [B<-CAfile file>]
++[B<-trusted_first>]
+ [B<-purpose purpose>]
+ [B<-policy arg>]
+ [B<-ignore_critical>]
+@@ -79,6 +80,12 @@ If a valid CRL cannot be found an error
+ A file of untrusted certificates. The file should contain multiple certificates
+ in PEM format concatenated together.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory before the certificates in the untrusted
++file when building the trust chain to verify certificates.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+ =item B<-purpose purpose>
+
+ The intended use for the certificate. If this option is not specified,
diff --git a/openssl.spec b/openssl.spec
index 324fa09..78def87 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,8 +22,8 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
-Version: 1.0.2a
-Release: 4%{?dist}
+Version: 1.0.2c
+Release: 1%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -40,7 +40,7 @@ Source11: README.FIPS
Source12: ec_curve.c
Source13: ectest.c
# Build changes
-Patch1: openssl-1.0.2a-rpmbuild.patch
+Patch1: openssl-1.0.2c-rpmbuild.patch
Patch2: openssl-1.0.2a-defaults.patch
Patch4: openssl-1.0.2a-enginesdir.patch
Patch5: openssl-1.0.2a-no-rpath.patch
@@ -49,14 +49,14 @@ Patch7: openssl-1.0.0-timezone.patch
Patch8: openssl-1.0.1c-perlfind.patch
Patch9: openssl-1.0.1c-aliasing.patch
# Bug fixes
-Patch23: openssl-1.0.2a-default-paths.patch
+Patch23: openssl-1.0.2c-default-paths.patch
Patch24: openssl-1.0.2a-issuer-hash.patch
# Functionality changes
Patch33: openssl-1.0.0-beta4-ca-dir.patch
Patch34: openssl-1.0.2a-x509.patch
Patch35: openssl-1.0.2a-version-add-engines.patch
Patch39: openssl-1.0.2a-ipv6-apps.patch
-Patch40: openssl-1.0.2a-fips.patch
+Patch40: openssl-1.0.2c-fips.patch
Patch45: openssl-1.0.2a-env-zlib.patch
Patch47: openssl-1.0.2a-readme-warning.patch
Patch49: openssl-1.0.1i-algo-doc.patch
@@ -69,11 +69,10 @@ Patch63: openssl-1.0.2a-xmpp-starttls.patch
Patch65: openssl-1.0.2a-chil-fixes.patch
Patch66: openssl-1.0.2a-pkgconfig-krb5.patch
Patch68: openssl-1.0.2a-secure-getenv.patch
-Patch69: openssl-1.0.2a-dh-1024.patch
Patch70: openssl-1.0.2a-fips-ec.patch
Patch71: openssl-1.0.2a-manfix.patch
Patch72: openssl-1.0.2a-fips-ctor.patch
-Patch73: openssl-1.0.2a-ecc-suiteb.patch
+Patch73: openssl-1.0.2c-ecc-suiteb.patch
Patch74: openssl-1.0.2a-no-md5-verify.patch
Patch75: openssl-1.0.2a-compat-symbols.patch
Patch76: openssl-1.0.2a-new-fips-reqs.patch
@@ -85,8 +84,7 @@ Patch93: openssl-1.0.2a-disable-sslv2v3.patch
# Backported fixes including security fixes
Patch80: openssl-1.0.2a-wrap-pad.patch
Patch81: openssl-1.0.2a-padlock64.patch
-Patch82: openssl-1.0.2a-trusted-first-doc.patch
-Patch83: openssl-1.0.2a-alt-chains.patch
+Patch82: openssl-1.0.2c-trusted-first-doc.patch
License: OpenSSL
Group: System Environment/Libraries
@@ -190,7 +188,6 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch65 -p1 -b .chil
%patch66 -p1 -b .krb5
%patch68 -p1 -b .secure-getenv
-%patch69 -p1 -b .dh1024
%patch70 -p1 -b .fips-ec
%patch71 -p1 -b .manfix
%patch72 -p1 -b .fips-ctor
@@ -207,7 +204,6 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch80 -p1 -b .wrap
%patch81 -p1 -b .padlock64
%patch82 -p1 -b .trusted-first
-%patch83 -p1 -b .alt-chains
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
@@ -478,6 +474,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig
%changelog
+* Mon Jun 15 2015 Tomáš Mráz <tmraz at redhat.com> 1.0.2c-1
+- minor upstream release 1.0.2c fixing multiple security issues
+
* Thu May 7 2015 Peter Robinson <pbrobinson at fedoraproject.org> 1.0.2a-4
- Add aarch64 sslarch details
diff --git a/sources b/sources
index 24b2c95..c5a84d6 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-f51c4df95c3d53fc82a0885fd169225a openssl-1.0.2a-hobbled.tar.xz
+178792e60274974ec47aedc6dc5eba7a openssl-1.0.2c-hobbled.tar.xz
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/openssl.git/commit/?h=master&id=837dd048828c9c49a51fb70b7f0e8af43947fde4
More information about the scm-commits
mailing list